X509: Rename X509_set0_sm2_id() and friends
authorRichard Levitte <levitte@openssl.org>
Tue, 10 Mar 2020 21:50:22 +0000 (22:50 +0100)
committerRichard Levitte <levitte@openssl.org>
Sun, 15 Mar 2020 18:42:04 +0000 (19:42 +0100)
- X509_set0_sm2_id() -> X509_set0_distinguishing_id()
- X509_get0_sm2_id() -> X509_get0_distinguishing_id()
- X509_REQ_set0_sm2_id -> X509_REQ_set0_distinguishing_id()
- X509_REQ_get0_sm2_id -> X509_REQ_get0_distinguishing_id()

The reason for this rename is that the SM2 ID isn't really a unique
SM2 data item, but rather a re-use of the Distinguished that is
defined in ISO/IEC 15946-3 as well as in FIPS 196, with no special
attribution toward any algorithm in particular.

Fixes #11293

Reviewed-by: Paul Yang <kaishen.yy@antfin.com>
(Merged from https://github.com/openssl/openssl/pull/11302)

crypto/x509/x_all.c
crypto/x509/x_req.c
crypto/x509/x_x509.c
doc/man3/X509_get0_distinguishing_id.pod [new file with mode: 0644]
doc/man3/X509_get0_sm2_id.pod [deleted file]
include/crypto/x509.h
include/openssl/x509.h
util/libcrypto.num

index 2d7387b..ca9d3db 100644 (file)
@@ -71,10 +71,7 @@ int X509_verify(X509 *a, EVP_PKEY *r)
     if (X509_ALGOR_cmp(&a->sig_alg, &a->cert_info.signature))
         return 0;
 
-#ifndef OPENSSL_NO_SM2
-    id = a->sm2_id;
-#endif
-
+    id = a->distinguishing_id;
     if ((ctx = make_id_ctx(r, id)) != NULL) {
         rv = ASN1_item_verify_ctx(ASN1_ITEM_rptr(X509_CINF), &a->sig_alg,
                                   &a->signature, &a->cert_info, ctx);
@@ -89,10 +86,7 @@ int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r)
     EVP_MD_CTX *ctx = NULL;
     ASN1_OCTET_STRING *id = NULL;
 
-#ifndef OPENSSL_NO_SM2
-    id = a->sm2_id;
-#endif
-
+    id = a->distinguishing_id;
     if ((ctx = make_id_ctx(r, id)) != NULL) {
         rv = ASN1_item_verify_ctx(ASN1_ITEM_rptr(X509_REQ_INFO), &a->sig_alg,
                                   a->signature, &a->req_info, ctx);
index e9cc9ba..d8a8901 100644 (file)
@@ -53,14 +53,14 @@ static int req_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
 
     switch (operation) {
     case ASN1_OP_D2I_PRE:
-        ASN1_OCTET_STRING_free(ret->sm2_id);
+        ASN1_OCTET_STRING_free(ret->distinguishing_id);
         /* fall thru */
     case ASN1_OP_NEW_POST:
-        ret->sm2_id = NULL;
+        ret->distinguishing_id = NULL;
         break;
 
     case ASN1_OP_FREE_POST:
-        ASN1_OCTET_STRING_free(ret->sm2_id);
+        ASN1_OCTET_STRING_free(ret->distinguishing_id);
         break;
     }
 #endif
@@ -90,15 +90,13 @@ IMPLEMENT_ASN1_FUNCTIONS(X509_REQ)
 
 IMPLEMENT_ASN1_DUP_FUNCTION(X509_REQ)
 
-#ifndef OPENSSL_NO_SM2
-void X509_REQ_set0_sm2_id(X509_REQ *x, ASN1_OCTET_STRING *sm2_id)
+void X509_REQ_set0_distinguishing_id(X509_REQ *x, ASN1_OCTET_STRING *d_id)
 {
-    ASN1_OCTET_STRING_free(x->sm2_id);
-    x->sm2_id = sm2_id;
+    ASN1_OCTET_STRING_free(x->distinguishing_id);
+    x->distinguishing_id = d_id;
 }
 
-ASN1_OCTET_STRING *X509_REQ_get0_sm2_id(X509_REQ *x)
+ASN1_OCTET_STRING *X509_REQ_get0_distinguishing_id(X509_REQ *x)
 {
-    return x->sm2_id;
+    return x->distinguishing_id;
 }
-#endif
index 7b41ce0..e3caf8d 100644 (file)
@@ -53,9 +53,7 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
         sk_IPAddressFamily_pop_free(ret->rfc3779_addr, IPAddressFamily_free);
         ASIdentifiers_free(ret->rfc3779_asid);
 #endif
-#ifndef OPENSSL_NO_SM2
-        ASN1_OCTET_STRING_free(ret->sm2_id);
-#endif
+        ASN1_OCTET_STRING_free(ret->distinguishing_id);
 
         /* fall thru */
 
@@ -76,9 +74,7 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
         ret->rfc3779_addr = NULL;
         ret->rfc3779_asid = NULL;
 #endif
-#ifndef OPENSSL_NO_SM2
-        ret->sm2_id = NULL;
-#endif
+        ret->distinguishing_id = NULL;
         ret->aux = NULL;
         ret->crldp = NULL;
         if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509, ret, &ret->ex_data))
@@ -98,9 +94,7 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
         sk_IPAddressFamily_pop_free(ret->rfc3779_addr, IPAddressFamily_free);
         ASIdentifiers_free(ret->rfc3779_asid);
 #endif
-#ifndef OPENSSL_NO_SM2
-        ASN1_OCTET_STRING_free(ret->sm2_id);
-#endif
+        ASN1_OCTET_STRING_free(ret->distinguishing_id);
         break;
 
     }
@@ -254,15 +248,13 @@ int X509_get_signature_nid(const X509 *x)
     return OBJ_obj2nid(x->sig_alg.algorithm);
 }
 
-#ifndef OPENSSL_NO_SM2
-void X509_set0_sm2_id(X509 *x, ASN1_OCTET_STRING *sm2_id)
+void X509_set0_distinguishing_id(X509 *x, ASN1_OCTET_STRING *d_id)
 {
-    ASN1_OCTET_STRING_free(x->sm2_id);
-    x->sm2_id = sm2_id;
+    ASN1_OCTET_STRING_free(x->distinguishing_id);
+    x->distinguishing_id = d_id;
 }
 
-ASN1_OCTET_STRING *X509_get0_sm2_id(X509 *x)
+ASN1_OCTET_STRING *X509_get0_distinguishing_id(X509 *x)
 {
-    return x->sm2_id;
+    return x->distinguishing_id;
 }
-#endif
diff --git a/doc/man3/X509_get0_distinguishing_id.pod b/doc/man3/X509_get0_distinguishing_id.pod
new file mode 100644 (file)
index 0000000..2dd06e7
--- /dev/null
@@ -0,0 +1,71 @@
+=pod
+
+=head1 NAME
+
+X509_get0_distinguishing_id, X509_set0_distinguishing_id,
+X509_REQ_get0_distinguishing_id, X509_REQ_set0_distinguishing_id
+- get or set the Distinguishing ID for certificate operations
+
+=head1 SYNOPSIS
+
+ #include <openssl/x509.h>
+
+ ASN1_OCTET_STRING *X509_get0_distinguishing_id(X509 *x);
+ void X509_set0_distinguishing_id(X509 *x, ASN1_OCTET_STRING *distid);
+ ASN1_OCTET_STRING *X509_REQ_get0_distinguishing_id(X509_REQ *x);
+ void X509_REQ_set0_distinguishing_id(X509_REQ *x, ASN1_OCTET_STRING *distid);
+
+=head1 DESCRIPTION
+
+The Distinguishing ID is defined in FIPS 196 as follows:
+
+=over 4
+
+I<Distinguishing  identifier>: information which unambiguously distinguishes
+an entity in the authentication process.
+
+=back
+
+The SM2 signature algorithm requires a Distinguishing ID value when generating
+and verifying a signature, but the Ddistinguishing ID may also find other uses.
+In the context of SM2, the Distinguishing ID is often referred to as the "SM2
+ID".
+
+For the purpose off verifying a certificate or a certification request, a
+Distinguishing ID may be attached to it, so functions like L<X509_verify(3)>
+or L<X509_REQ_verify(3)> have easy access to that identity for signature
+verification.
+
+X509_get0_distinguishing_id() gets the Distinguishing ID value of a certificate
+B<x> by returning an B<ASN1_OCTET_STRING> object which should not be freed by
+the caller.
+
+X509_set0_distinguishing_id() assigns B<distid> to the certificate B<x>.
+Calling this function transfers the memory management of the value to the X509
+object, and therefore the value that has been passed in should not be freed by
+the caller after this function has been called.
+
+X509_REQ_get0_distinguishing_id() and X509_REQ_set0_distinguishing_id()
+have the same functionality as X509_get0_distinguishing_id() and
+X509_set0_distinguishing_id() except that they deal with  B<X509_REQ>
+objects instead of B<X509>.
+
+=head1 RETURN VALUES
+
+X509_set0_distinguishing_id() and X509_REQ_set0_distinguishing_id() do not
+return a value.
+
+=head1 SEE ALSO
+
+L<X509_verify(3)>, L<SM2(7)>
+
+=head1 COPYRIGHT
+
+Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License").  You may not use
+this file except in compliance with the License.  You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff --git a/doc/man3/X509_get0_sm2_id.pod b/doc/man3/X509_get0_sm2_id.pod
deleted file mode 100644 (file)
index d8a85d7..0000000
+++ /dev/null
@@ -1,55 +0,0 @@
-=pod
-
-=head1 NAME
-
-X509_get0_sm2_id, X509_set0_sm2_id,
-X509_REQ_get0_sm2_id, X509_REQ_set0_sm2_id
-- get or set SM2 ID for certificate operations
-
-=head1 SYNOPSIS
-
- #include <openssl/x509.h>
-
- ASN1_OCTET_STRING *X509_get0_sm2_id(X509 *x);
- void X509_set0_sm2_id(X509 *x, ASN1_OCTET_STRING *sm2_id);
- ASN1_OCTET_STRING *X509_REQ_get0_sm2_id(X509_REQ *x);
- void X509_REQ_set0_sm2_id(X509_REQ *x, ASN1_OCTET_STRING *sm2_id);
-
-=head1 DESCRIPTION
-
-X509_get0_sm2_id() gets the ID value of an SM2 certificate B<x> by returning an
-B<ASN1_OCTET_STRING> object which should not be freed by the caller.
-
-X509_set0_sm2_id() sets the B<sm2_id> value to an SM2 certificate B<x>. Calling
-this function transfers the memory management of the value to the X509 object,
-and therefore the value that has been passed in should not be freed by the
-caller after this function has been called.
-
-X509_REQ_get0_sm2_id() and X509_REQ_set0_sm2_id() have the same functionality
-as X509_get0_sm2_id() and X509_set0_sm2_id() except that they deal with
-B<X509_REQ> objects instead of B<X509>.
-
-=head1 NOTES
-
-SM2 signature algorithm requires an ID value when generating and verifying a
-signature. The functions described in this manual provide the user with the
-ability to set and retrieve the SM2 ID value.
-
-=head1 RETURN VALUES
-
-X509_set0_sm2_id() and X509_REQ_set0_sm2_id() do not return a value.
-
-=head1 SEE ALSO
-
-L<X509_verify(3)>, L<SM2(7)>
-
-=head1 COPYRIGHT
-
-Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
-
-Licensed under the Apache License 2.0 (the "License").  You may not use
-this file except in compliance with the License.  You can obtain a copy
-in the file LICENSE in the source distribution or at
-L<https://www.openssl.org/source/license.html>.
-
-=cut
index 602a72f..edd85b6 100644 (file)
@@ -71,9 +71,9 @@ struct X509_req_st {
     ASN1_BIT_STRING *signature; /* signature */
     CRYPTO_REF_COUNT references;
     CRYPTO_RWLOCK *lock;
-# ifndef OPENSSL_NO_SM2
-    ASN1_OCTET_STRING *sm2_id;
-# endif
+
+    /* Set on live certificates for authentication purposes */
+    ASN1_OCTET_STRING *distinguishing_id;
 };
 
 struct X509_crl_info_st {
@@ -186,9 +186,9 @@ struct x509_st {
     X509_CERT_AUX *aux;
     CRYPTO_RWLOCK *lock;
     volatile int ex_cached;
-# ifndef OPENSSL_NO_SM2
-    ASN1_OCTET_STRING *sm2_id;
-# endif
+
+    /* Set on live certificates for authentication purposes */
+    ASN1_OCTET_STRING *distinguishing_id;
 } /* X509 */ ;
 
 /*
index 80328cb..82feb75 100644 (file)
@@ -581,12 +581,10 @@ void X509_get0_signature(const ASN1_BIT_STRING **psig,
                          const X509_ALGOR **palg, const X509 *x);
 int X509_get_signature_nid(const X509 *x);
 
-# ifndef OPENSSL_NO_SM2
-void X509_set0_sm2_id(X509 *x, ASN1_OCTET_STRING *sm2_id);
-ASN1_OCTET_STRING *X509_get0_sm2_id(X509 *x);
-void X509_REQ_set0_sm2_id(X509_REQ *x, ASN1_OCTET_STRING *sm2_id);
-ASN1_OCTET_STRING *X509_REQ_get0_sm2_id(X509_REQ *x);
-# endif
+void X509_set0_distinguishing_id(X509 *x, ASN1_OCTET_STRING *d_id);
+ASN1_OCTET_STRING *X509_get0_distinguishing_id(X509 *x);
+void X509_REQ_set0_distinguishing_id(X509_REQ *x, ASN1_OCTET_STRING *d_id);
+ASN1_OCTET_STRING *X509_REQ_get0_distinguishing_id(X509_REQ *x);
 
 int X509_trusted(const X509 *x);
 int X509_alias_set1(X509 *x, const unsigned char *name, int len);
index 30978d2..5f30a77 100644 (file)
@@ -4604,8 +4604,8 @@ OSSL_PARAM_get_utf8_ptr                 ? 3_0_0   EXIST::FUNCTION:
 OSSL_PARAM_set_utf8_ptr                 ?      3_0_0   EXIST::FUNCTION:
 OSSL_PARAM_get_octet_ptr                ?      3_0_0   EXIST::FUNCTION:
 OSSL_PARAM_set_octet_ptr                ?      3_0_0   EXIST::FUNCTION:
-X509_set0_sm2_id                        ?      3_0_0   EXIST::FUNCTION:SM2
-X509_get0_sm2_id                        ?      3_0_0   EXIST::FUNCTION:SM2
+X509_set0_distinguishing_id             ?      3_0_0   EXIST::FUNCTION:
+X509_get0_distinguishing_id             ?      3_0_0   EXIST::FUNCTION:
 EVP_PKEY_get0_engine                    ?      3_0_0   EXIST::FUNCTION:ENGINE
 EVP_MD_up_ref                           ?      3_0_0   EXIST::FUNCTION:
 EVP_MD_fetch                            ?      3_0_0   EXIST::FUNCTION:
@@ -4650,8 +4650,8 @@ BN_CTX_new_ex                           ? 3_0_0   EXIST::FUNCTION:
 BN_CTX_secure_new_ex                    ?      3_0_0   EXIST::FUNCTION:
 OPENSSL_thread_stop_ex                  ?      3_0_0   EXIST::FUNCTION:
 OSSL_PARAM_locate_const                 ?      3_0_0   EXIST::FUNCTION:
-X509_REQ_set0_sm2_id                    ?      3_0_0   EXIST::FUNCTION:SM2
-X509_REQ_get0_sm2_id                    ?      3_0_0   EXIST::FUNCTION:SM2
+X509_REQ_set0_distinguishing_id         ?      3_0_0   EXIST::FUNCTION:
+X509_REQ_get0_distinguishing_id         ?      3_0_0   EXIST::FUNCTION:
 BN_rand_ex                              ?      3_0_0   EXIST::FUNCTION:
 BN_priv_rand_ex                         ?      3_0_0   EXIST::FUNCTION:
 BN_rand_range_ex                        ?      3_0_0   EXIST::FUNCTION: