Add X509_get0_authority_key_id() function

  This function makes it easier to retrieve a reference to the
  authority key identifier (akid->keyid) inside a certificate.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5271)

diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
index 2ff8854ca3c629d1daee2d0ba8301222a75cbf72..6c780414da675660103bdd3821eb748644504895 100644 (file)
--- a/crypto/x509v3/v3_purp.c
+++ b/crypto/x509v3/v3_purp.c
@@ -848,6 +848,13 @@ const ASN1_OCTET_STRING *X509_get0_subject_key_id(X509 *x)
     return x->skid;
 }
 
+const ASN1_OCTET_STRING *X509_get0_authority_key_id(X509 *x)
+{
+    /* Call for side-effect of computing hash and caching extensions */
+    X509_check_purpose(x, -1, -1);
+    return (x->akid != NULL ? x->akid->keyid : NULL);
+}
+
 long X509_get_pathlen(X509 *x)
 {
     /* Called for side effect of caching extensions */

diff --git a/doc/man3/X509_get_extension_flags.pod b/doc/man3/X509_get_extension_flags.pod
index 9aec918f24de0b5e644aa5474575e17469a73527..fc4ebbb31d8d39941167a1ff8922e010a7f88a5a 100644 (file)
--- a/doc/man3/X509_get_extension_flags.pod
+++ b/doc/man3/X509_get_extension_flags.pod
@@ -3,6 +3,7 @@
 =head1 NAME
 
 X509_get0_subject_key_id,
+X509_get0_authority_key_id,
 X509_get_pathlen,
 X509_get_extension_flags,
 X509_get_key_usage,
@@ -20,6 +21,7 @@ X509_get_proxy_pathlen - retrieve certificate extension data
  uint32_t X509_get_key_usage(X509 *x);
  uint32_t X509_get_extended_key_usage(X509 *x);
  const ASN1_OCTET_STRING *X509_get0_subject_key_id(X509 *x);
+ const ASN1_OCTET_STRING *X509_get0_authority_key_id(X509 *x);
  void X509_set_proxy_flag(X509 *x);
  void X509_set_proxy_pathlen(int l);
  long X509_get_proxy_pathlen(X509 *x);
@@ -109,6 +111,10 @@ X509_get0_subject_key_id() returns an internal pointer to the subject key
 identifier of B<x> as an B<ASN1_OCTET_STRING> or B<NULL> if the extension
 is not present or cannot be parsed.
 
+X509_get0_authority_key_id() returns an internal pointer to the authority key
+identifier of B<x> as an B<ASN1_OCTET_STRING> or B<NULL> if the extension
+is not present or cannot be parsed.
+
 X509_set_proxy_flag() marks the certificate with the B<EXFLAG_PROXY> flag.
 This is for the users who need to mark non-RFC3820 proxy certificates as
 such, as OpenSSL only detects RFC3820 compliant ones.

diff --git a/include/openssl/x509v3.h b/include/openssl/x509v3.h
index 94f556134172cf20ebb0e5fb51c6810da2b2cbf1..fe1791c6819af5a3cfb4876541ef8106283ba19a 100644 (file)
--- a/include/openssl/x509v3.h
+++ b/include/openssl/x509v3.h
@@ -660,6 +660,7 @@ uint32_t X509_get_extension_flags(X509 *x);
 uint32_t X509_get_key_usage(X509 *x);
 uint32_t X509_get_extended_key_usage(X509 *x);
 const ASN1_OCTET_STRING *X509_get0_subject_key_id(X509 *x);
+const ASN1_OCTET_STRING *X509_get0_authority_key_id(X509 *x);
 
 int X509_PURPOSE_get_count(void);
 X509_PURPOSE *X509_PURPOSE_get0(int idx);

diff --git a/util/libcrypto.num b/util/libcrypto.num
index 54560632bc90b109227d53c887dbfab45bf52651..b1dd6a09c6c19273d8890477d4436113560c822c 100644 (file)
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -4503,3 +4503,4 @@ OCSP_basic_sign_ctx                     4444      1_1_1   EXIST::FUNCTION:OCSP
 RAND_DRBG_bytes                         4445   1_1_1   EXIST::FUNCTION:
 RAND_DRBG_secure_new                    4446   1_1_1   EXIST::FUNCTION:
 OSSL_STORE_vctrl                        4447   1_1_1   EXIST::FUNCTION:
+X509_get0_authority_key_id              4448   1_1_0h  EXIST::FUNCTION: