Issuer Sign Tool extention support
authorNikolay Morozov <nmorozoff77@yandex.ru>
Mon, 2 Mar 2020 07:17:30 +0000 (10:17 +0300)
committerDmitry Belyavskiy <beldmit@gmail.com>
Wed, 25 Mar 2020 12:33:53 +0000 (15:33 +0300)
Issuer Sign Tool (1.2.643.100.112) The name of the tool used to signs the subject (ASN1_SEQUENCE)
This extention is required to obtain the status of a qualified certificate at Russian Federation.
RFC-style description is available here: https://tools.ietf.org/html/draft-deremin-rfc4491-bis-04#section-5
Russian Federal Law 63 "Digital Sign" is available here:  http://www.consultant.ru/document/cons_doc_LAW_112701/

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11216)

14 files changed:
crypto/asn1/asn1_item_list.h
crypto/err/openssl.txt
crypto/x509/build.info
crypto/x509/ext_dat.h
crypto/x509/standard_exts.h
crypto/x509/v3_ist.c [new file with mode: 0644]
doc/man3/ISSUER_SIGN_TOOL_new.pod [new file with mode: 0644]
include/openssl/x509v3.h
include/openssl/x509v3err.h
test/certs/grfc.pem [new file with mode: 0644]
test/recipes/25-test_rusext.t [new file with mode: 0644]
test/recipes/25-test_rusext_data/grfc.msb [new file with mode: 0644]
test/recipes/25-test_rusext_data/grfc.utf8 [new file with mode: 0644]
util/libcrypto.num

index c8727e5..4cdf1d2 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -145,6 +145,7 @@ static ASN1_ITEM_EXP *asn1_item_list[] = {
 #endif
     ASN1_ITEM_ref(SXNETID),
     ASN1_ITEM_ref(SXNET),
+    ASN1_ITEM_ref(ISSUER_SIGN_TOOL),
     ASN1_ITEM_ref(USERNOTICE),
     ASN1_ITEM_ref(X509_ALGORS),
     ASN1_ITEM_ref(X509_ALGOR),
index 090d0f3..50fb57b 100644 (file)
@@ -1770,6 +1770,7 @@ X509V3_F_DO_DIRNAME:144:do_dirname
 X509V3_F_DO_EXT_I2D:135:do_ext_i2d
 X509V3_F_DO_EXT_NCONF:151:do_ext_nconf
 X509V3_F_GNAMES_FROM_SECTNAME:156:gnames_from_sectname
+X509V3_F_I2R_ISSUER_SIGN_TOOL:176:
 X509V3_F_I2S_ASN1_ENUMERATED:121:i2s_ASN1_ENUMERATED
 X509V3_F_I2S_ASN1_IA5STRING:149:i2s_ASN1_IA5STRING
 X509V3_F_I2S_ASN1_INTEGER:120:i2s_ASN1_INTEGER
@@ -1809,6 +1810,7 @@ X509V3_F_V2I_GENERAL_NAME_EX:117:v2i_GENERAL_NAME_ex
 X509V3_F_V2I_IDP:157:v2i_idp
 X509V3_F_V2I_IPADDRBLOCKS:159:v2i_IPAddrBlocks
 X509V3_F_V2I_ISSUER_ALT:153:v2i_issuer_alt
+X509V3_F_V2I_ISSUER_SIGN_TOOL:175:
 X509V3_F_V2I_NAME_CONSTRAINTS:147:v2i_NAME_CONSTRAINTS
 X509V3_F_V2I_POLICY_CONSTRAINTS:146:v2i_POLICY_CONSTRAINTS
 X509V3_F_V2I_POLICY_MAPPINGS:145:v2i_POLICY_MAPPINGS
index c836ef1..04b63d0 100644 (file)
@@ -12,6 +12,6 @@ SOURCE[../../libcrypto]=\
         v3_prn.c v3_utl.c v3err.c v3_genn.c v3_alt.c v3_skey.c v3_akey.c \
         v3_pku.c v3_int.c v3_enum.c v3_sxnet.c v3_cpols.c v3_crld.c v3_purp.c \
         v3_info.c v3_akeya.c v3_pmaps.c v3_pcons.c v3_ncons.c \
-        v3_pcia.c v3_pci.c \
+        v3_pcia.c v3_pci.c v3_ist.c \
         pcy_cache.c pcy_node.c pcy_data.c pcy_map.c pcy_tree.c pcy_lib.c \
         v3_asid.c v3_addr.c v3_tlsf.c v3_admis.c
index 4329c44..b2fecaa 100644 (file)
@@ -24,3 +24,4 @@ extern const X509V3_EXT_METHOD v3_ct_scts[3];
 extern const X509V3_EXT_METHOD v3_tls_feature;
 extern const X509V3_EXT_METHOD v3_ext_admission;
 extern const X509V3_EXT_METHOD v3_utf8_list[1];
+extern const X509V3_EXT_METHOD v3_issuer_sign_tool;
index d66b655..18f2c32 100644 (file)
@@ -69,6 +69,7 @@ static const X509V3_EXT_METHOD *standard_exts[] = {
     &v3_ct_scts[2],
 #endif
     &v3_utf8_list[0],
+    &v3_issuer_sign_tool,
     &v3_tls_feature,
     &v3_ext_admission
 };
diff --git a/crypto/x509/v3_ist.c b/crypto/x509/v3_ist.c
new file mode 100644 (file)
index 0000000..6db4f19
--- /dev/null
@@ -0,0 +1,149 @@
+/*
+ * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <stdio.h>
+#include "internal/cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/asn1.h>
+#include <openssl/asn1t.h>
+#include <openssl/x509v3.h>
+#include "ext_dat.h"
+
+/*
+ * Issuer Sign Tool (1.2.643.100.112) The name of the tool used to signs the subject (ASN1_SEQUENCE)
+ * This extention is required to obtain the status of a qualified certificate at Russian Federation.
+ * RFC-style description is available here: https://tools.ietf.org/html/draft-deremin-rfc4491-bis-04#section-5
+ * Russian Federal Law 63 "Digital Sign" is available here:  http://www.consultant.ru/document/cons_doc_LAW_112701/
+ */
+
+ASN1_SEQUENCE(ISSUER_SIGN_TOOL) = {
+        ASN1_SIMPLE(ISSUER_SIGN_TOOL, signTool, ASN1_UTF8STRING),
+        ASN1_SIMPLE(ISSUER_SIGN_TOOL, cATool, ASN1_UTF8STRING),
+        ASN1_SIMPLE(ISSUER_SIGN_TOOL, signToolCert, ASN1_UTF8STRING),
+        ASN1_SIMPLE(ISSUER_SIGN_TOOL, cAToolCert, ASN1_UTF8STRING)
+} ASN1_SEQUENCE_END(ISSUER_SIGN_TOOL)
+
+IMPLEMENT_ASN1_FUNCTIONS(ISSUER_SIGN_TOOL)
+
+
+static ISSUER_SIGN_TOOL *v2i_issuer_sign_tool(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+                        STACK_OF(CONF_VALUE) *nval)
+{
+    ISSUER_SIGN_TOOL *ist = ISSUER_SIGN_TOOL_new();
+    int i;
+
+    if (ist == NULL) {
+        X509V3err(X509V3_F_V2I_ISSUER_SIGN_TOOL, ERR_R_MALLOC_FAILURE);
+        return NULL;
+    }
+    for (i = 0; i < sk_CONF_VALUE_num(nval); ++i) {
+        CONF_VALUE *cnf = sk_CONF_VALUE_value(nval, i);
+
+        if (cnf == NULL) {
+            continue;
+        }
+        if (strcmp(cnf->name, "signTool") == 0) {
+            ist->signTool = ASN1_UTF8STRING_new();
+            if (ist->signTool == NULL) {
+                X509V3err(X509V3_F_V2I_ISSUER_SIGN_TOOL, ERR_R_MALLOC_FAILURE);
+                ISSUER_SIGN_TOOL_free(ist);
+                return NULL;
+            }
+            ASN1_STRING_set(ist->signTool, cnf->value, strlen(cnf->value));
+        } else if (strcmp(cnf->name, "cATool") == 0) {
+            ist->cATool = ASN1_UTF8STRING_new();
+            if (ist->cATool == NULL) {
+                X509V3err(X509V3_F_V2I_ISSUER_SIGN_TOOL, ERR_R_MALLOC_FAILURE);
+                ISSUER_SIGN_TOOL_free(ist);
+                return NULL;
+            }
+            ASN1_STRING_set(ist->cATool, cnf->value, strlen(cnf->value));
+        } else if (strcmp(cnf->name, "signToolCert") == 0) {
+            ist->signToolCert = ASN1_UTF8STRING_new();
+            if (ist->signToolCert == NULL) {
+                X509V3err(X509V3_F_V2I_ISSUER_SIGN_TOOL, ERR_R_MALLOC_FAILURE);
+                ISSUER_SIGN_TOOL_free(ist);
+                return NULL;
+            }
+            ASN1_STRING_set(ist->signToolCert, cnf->value, strlen(cnf->value));
+        } else if (strcmp(cnf->name, "cAToolCert") == 0) {
+            ist->cAToolCert = ASN1_UTF8STRING_new();
+            if (ist->cAToolCert == NULL) {
+                X509V3err(X509V3_F_V2I_ISSUER_SIGN_TOOL, ERR_R_MALLOC_FAILURE);
+                ISSUER_SIGN_TOOL_free(ist);
+                return NULL;
+            }
+            ASN1_STRING_set(ist->cAToolCert, cnf->value, strlen(cnf->value));
+        } else {
+            X509V3err(X509V3_F_V2I_ISSUER_SIGN_TOOL, ERR_R_PASSED_INVALID_ARGUMENT);
+            ISSUER_SIGN_TOOL_free(ist);
+            return NULL;
+        }
+    }
+    return ist;
+}
+
+static int i2r_issuer_sign_tool(X509V3_EXT_METHOD *method,
+                                 ISSUER_SIGN_TOOL *ist, BIO *out,
+                                 int indent)
+{
+    int new_line = 0;
+
+    if (ist == NULL) {
+        X509V3err(X509V3_F_I2R_ISSUER_SIGN_TOOL, ERR_R_PASSED_INVALID_ARGUMENT);
+        return 0;
+    }
+    if (ist->signTool != NULL) {
+        if (new_line == 1) {
+            BIO_write(out, "\n", 1);
+        }
+        BIO_printf(out, "%*ssignTool    : ", indent, "");
+        BIO_write(out, ist->signTool->data, ist->signTool->length);
+        new_line = 1;
+    }
+    if (ist->cATool != NULL) {
+        if (new_line == 1) {
+            BIO_write(out, "\n", 1);
+        }
+        BIO_printf(out, "%*scATool      : ", indent, "");
+        BIO_write(out, ist->cATool->data, ist->cATool->length);
+        new_line = 1;
+    }
+    if (ist->signToolCert != NULL) {
+        if (new_line == 1) {
+            BIO_write(out, "\n", 1);
+        }
+        BIO_printf(out, "%*ssignToolCert: ", indent, "");
+        BIO_write(out, ist->signToolCert->data, ist->signToolCert->length);
+        new_line = 1;
+    }
+    if (ist->cAToolCert != NULL) {
+        if (new_line == 1) {
+            BIO_write(out, "\n", 1);
+        }
+        BIO_printf(out, "%*scAToolCert  : ", indent, "");
+        BIO_write(out, ist->cAToolCert->data, ist->cAToolCert->length);
+        new_line = 1;
+    }
+    return 1;
+}
+
+const X509V3_EXT_METHOD v3_issuer_sign_tool = {
+    NID_issuerSignTool,                   /* nid */
+    X509V3_EXT_MULTILINE,                 /* flags */
+    ASN1_ITEM_ref(ISSUER_SIGN_TOOL),      /* template */
+    0, 0, 0, 0,                           /* old functions, ignored */
+    0,                                    /* i2s */
+    0,                                    /* s2i */
+    0,                                    /* i2v */
+    (X509V3_EXT_V2I)v2i_issuer_sign_tool, /* v2i */
+    (X509V3_EXT_I2R)i2r_issuer_sign_tool, /* i2r */
+    0,                                    /* r2i */
+    NULL                                  /* extension-specific data */
+};
diff --git a/doc/man3/ISSUER_SIGN_TOOL_new.pod b/doc/man3/ISSUER_SIGN_TOOL_new.pod
new file mode 100644 (file)
index 0000000..4fb1f70
--- /dev/null
@@ -0,0 +1,51 @@
+=pod
+
+=head1 NAME
+
+ISSUER_SIGN_TOOL_new, ISSUER_SIGN_TOOL_free,ISSUER_SIGN_TOOL_it,
+d2i_ISSUER_SIGN_TOOL, i2d_ISSUER_SIGN_TOOL
+
+=head1 SYNOPSIS
+
+=for openssl generic
+
+ #include <openssl/x509v3.h>
+
+ extern const ISSUER_SIGN_TOOL_it;
+
+ ISSUER_SIGN_TOOL *ISSUER_SIGN_TOOL_new(void);
+ void ISSUER_SIGN_TOOL_free(ISSUER_SIGN_TOOL *v);
+
+ ISSUER_SIGN_TOOL *d2i_ISSUER_SIGN_TOOL(ISSUER_SIGN_TOOL **a, const unsigned char **pp, long length);
+ int i2d_ISSUER_SIGN_TOOL(const ISSUER_SIGN_TOOL *a, unsigned char **pp);
+
+=head1 DESCRIPTION
+
+The ISSUER_SIGN_TOOL_new() function returns a new ISSUER_SIGN_TOOL.
+
+ISSUER_SIGN_TOOL_free() frees up a single ISSUER_SIGN_TOOL object.
+
+=head1 RETURN VALUES
+
+ISSUER_SIGN_TOOL_new() returns a newly created ISSUER_SIGN_TOOL or NULL if the call fails.
+
+ISSUER_SIGN_TOOL_free() does not return values.
+
+d2i_ISSUER_SIGN_TOOL() and i2d_ISSUER_SIGN_TOOL() decode and encode an B<ISSUER_SIGN_TOOL>
+structure. They otherwise follow the conventions of other ASN.1 functions such as d2i_X509().
+
+=head1 HISTORY
+
+The ISSUER_SIGN_TOOL_up_ref(), ISSUER_SIGN_TOOL_lock() and ISSUER_SIGN_TOOL_unlock()
+functions were added in OpenSSL 3.0.
+
+=head1 COPYRIGHT
+
+Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License").  You may not use
+this file except in compliance with the License.  You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
index 4a96aad..63903ef 100644 (file)
@@ -230,6 +230,13 @@ typedef struct SXNET_st {
     STACK_OF(SXNETID) *ids;
 } SXNET;
 
+typedef struct ISSUER_SIGN_TOOL_st {
+    ASN1_UTF8STRING *signTool;
+    ASN1_UTF8STRING *cATool;
+    ASN1_UTF8STRING *signToolCert;
+    ASN1_UTF8STRING *cAToolCert;
+} ISSUER_SIGN_TOOL;
+
 typedef struct NOTICEREF_st {
     ASN1_STRING *organization;
     STACK_OF(ASN1_INTEGER) *noticenos;
@@ -458,6 +465,8 @@ DECLARE_ASN1_FUNCTIONS(BASIC_CONSTRAINTS)
 DECLARE_ASN1_FUNCTIONS(SXNET)
 DECLARE_ASN1_FUNCTIONS(SXNETID)
 
+DECLARE_ASN1_FUNCTIONS(ISSUER_SIGN_TOOL)
+
 int SXNET_add_id_asc(SXNET **psx, const char *zone, const char *user, int userlen);
 int SXNET_add_id_ulong(SXNET **psx, unsigned long lzone, const char *user,
                        int userlen);
index 6e73337..4a30585 100644 (file)
@@ -41,6 +41,7 @@ int ERR_load_X509V3_strings(void);
 #  define X509V3_F_DO_EXT_I2D                              0
 #  define X509V3_F_DO_EXT_NCONF                            0
 #  define X509V3_F_GNAMES_FROM_SECTNAME                    0
+#  define X509V3_F_I2R_ISSUER_SIGN_TOOL                    0
 #  define X509V3_F_I2S_ASN1_ENUMERATED                     0
 #  define X509V3_F_I2S_ASN1_IA5STRING                      0
 #  define X509V3_F_I2S_ASN1_INTEGER                        0
@@ -80,6 +81,7 @@ int ERR_load_X509V3_strings(void);
 #  define X509V3_F_V2I_IDP                                 0
 #  define X509V3_F_V2I_IPADDRBLOCKS                        0
 #  define X509V3_F_V2I_ISSUER_ALT                          0
+#  define X509V3_F_V2I_ISSUER_SIGN_TOOL                    0
 #  define X509V3_F_V2I_NAME_CONSTRAINTS                    0
 #  define X509V3_F_V2I_POLICY_CONSTRAINTS                  0
 #  define X509V3_F_V2I_POLICY_MAPPINGS                     0
diff --git a/test/certs/grfc.pem b/test/certs/grfc.pem
new file mode 100644 (file)
index 0000000..9528182
--- /dev/null
@@ -0,0 +1,30 @@
+-----BEGIN CERTIFICATE-----
+MIIFGDCCBMegAwIBAgIQDIxAk7vmk71DC/UYJgMdBTAIBgYqhQMCAgMwggEWMRgw
+FgYFKoUDZAESDTEwMjc3MzkzMzQ0NzkxGjAYBggqhQMDgQMBARIMMDA3NzA2MjI4
+MjE4MTowOAYDVQQJDDHQlNC10YDQsdC10L3QtdCy0YHQutCw0Y8g0L3QsNCxLiDQ
+tC4gNyDRgdGC0YAuIDE1MR8wHQYJKoZIhvcNAQkBFhBwa2ktZ3JmY0BncmZjLnJ1
+MQswCQYDVQQGEwJSVTEcMBoGA1UECAwTNzcg0LMuINCc0L7RgdC60LLQsDEVMBMG
+A1UEBwwM0JzQvtGB0LrQstCwMRwwGgYDVQQKDBPQpNCT0KPQnyAi0JPQoNCn0KYi
+MSEwHwYDVQQDDBjQo9CmINCk0JPQo9CfICLQk9Cg0KfQpiIwHhcNMTMwMzEyMDcz
+ODI2WhcNMjgwMzEyMDc0NjAwWjCCARYxGDAWBgUqhQNkARINMTAyNzczOTMzNDQ3
+OTEaMBgGCCqFAwOBAwEBEgwwMDc3MDYyMjgyMTgxOjA4BgNVBAkMMdCU0LXRgNCx
+0LXQvdC10LLRgdC60LDRjyDQvdCw0LEuINC0LiA3INGB0YLRgC4gMTUxHzAdBgkq
+hkiG9w0BCQEWEHBraS1ncmZjQGdyZmMucnUxCzAJBgNVBAYTAlJVMRwwGgYDVQQI
+DBM3NyDQsy4g0JzQvtGB0LrQstCwMRUwEwYDVQQHDAzQnNC+0YHQutCy0LAxHDAa
+BgNVBAoME9Ck0JPQo9CfICLQk9Cg0KfQpiIxITAfBgNVBAMMGNCj0KYg0KTQk9Cj
+0J8gItCT0KDQp9CmIjBjMBwGBiqFAwICEzASBgcqhQMCAiMBBgcqhQMCAh4BA0MA
+BECWU7YnkJgff0sdJ+i50FXAYZlpcSz8wO/2AnfCzGC+PMj/NGOKMMWcv8I9eN7W
+eEXwIuRc96StDM8zJigQGd/1o4IB6TCCAeUwNgYFKoUDZG8ELQwrItCa0YDQuNC/
+0YLQvtCf0YDQviBDU1AiICjQstC10YDRgdC40Y8gMy42KTCCATMGBSqFA2RwBIIB
+KDCCASQMKyLQmtGA0LjQv9GC0L7Qn9GA0L4gQ1NQIiAo0LLQtdGA0YHQuNGPIDMu
+NikMUyLQo9C00L7RgdGC0L7QstC10YDRj9GO0YnQuNC5INGG0LXQvdGC0YAgItCa
+0YDQuNC/0YLQvtCf0YDQviDQo9CmIiDQstC10YDRgdC40LggMS41DE/QodC10YDR
+gtC40YTQuNC60LDRgiDRgdC+0L7RgtCy0LXRgtGB0YLQstC40Y8g4oSWINCh0KQv
+MTIxLTE4NTkg0L7RgiAxNy4wNi4yMDEyDE/QodC10YDRgtC40YTQuNC60LDRgiDR
+gdC+0L7RgtCy0LXRgtGB0YLQstC40Y8g4oSWINCh0KQvMTI4LTE4MjIg0L7RgiAw
+MS4wNi4yMDEyMAsGA1UdDwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW
+BBRrAIaDidIAz1a4a+TjNhAeH3KuwzAQBgkrBgEEAYI3FQEEAwIBADAlBgNVHSAE
+HjAcMAgGBiqFA2RxATAIBgYqhQNkcQIwBgYEVR0gADAIBgYqhQMCAgMDQQC9ld1f
+Oit0pSliIMIkqIugExoh9UrWLrE/9VDplqCiyXkJFaJBwGDhHT8ljYj0TGDzD07j
+KW64bgG0AywHjyc3
+-----END CERTIFICATE-----
diff --git a/test/recipes/25-test_rusext.t b/test/recipes/25-test_rusext.t
new file mode 100644 (file)
index 0000000..05727f9
--- /dev/null
@@ -0,0 +1,33 @@
+#! /usr/bin/env perl
+# Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License").  You may not use
+# this file except in compliance with the License.  You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use strict;
+use warnings;
+
+use File::Spec;
+use OpenSSL::Test::Utils;
+use OpenSSL::Test qw/:DEFAULT srctop_file/;
+
+setup("test_rusext");
+
+plan tests => 5;
+
+require_ok(srctop_file('test', 'recipes', 'tconversion.pl'));
+my $pem = srctop_file("test/certs", "grfc.pem");
+my $out_msb = "grfc.msb";
+my $out_utf8 = "grfc.utf8";
+
+ok(run(app(["openssl", "x509", "-text", "-in", $pem, "-out", $out_msb,
+            "-nameopt", "esc_msb", "-certopt", "no_pubkey"])));
+is(cmp_text($out_msb, srctop_file('test', 'recipes', '25-test_rusext_data', 'grfc.msb')),
+   0, 'Comparing esc_msb output');
+ok(run(app(["openssl", "x509", "-text", "-in", $pem, "-out", $out_utf8,
+            "-nameopt", "utf8", "-certopt", "no_pubkey"])));
+is(cmp_text($out_utf8, srctop_file('test', 'recipes', '25-test_rusext_data', 'grfc.utf8')),
+   0, 'Comparing utf8 output');
diff --git a/test/recipes/25-test_rusext_data/grfc.msb b/test/recipes/25-test_rusext_data/grfc.msb
new file mode 100644 (file)
index 0000000..68ebff6
--- /dev/null
@@ -0,0 +1,67 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            0c:8c:40:93:bb:e6:93:bd:43:0b:f5:18:26:03:1d:05
+        Signature Algorithm: GOST R 34.11-94 with GOST R 34.10-2001
+        Issuer: OGRN=1027739334479, INN=007706228218, street=\U0414\U0435\U0440\U0431\U0435\U043D\U0435\U0432\U0441\U043A\U0430\U044F \U043D\U0430\U0431. \U0434. 7 \U0441\U0442\U0440. 15, emailAddress=pki-grfc@grfc.ru, C=RU, ST=77 \U0433. \U041C\U043E\U0441\U043A\U0432\U0430, L=\U041C\U043E\U0441\U043A\U0432\U0430, O=\U0424\U0413\U0423\U041F "\U0413\U0420\U0427\U0426", CN=\U0423\U0426 \U0424\U0413\U0423\U041F "\U0413\U0420\U0427\U0426"
+        Validity
+            Not Before: Mar 12 07:38:26 2013 GMT
+            Not After : Mar 12 07:46:00 2028 GMT
+        Subject: OGRN=1027739334479, INN=007706228218, street=\U0414\U0435\U0440\U0431\U0435\U043D\U0435\U0432\U0441\U043A\U0430\U044F \U043D\U0430\U0431. \U0434. 7 \U0441\U0442\U0440. 15, emailAddress=pki-grfc@grfc.ru, C=RU, ST=77 \U0433. \U041C\U043E\U0441\U043A\U0432\U0430, L=\U041C\U043E\U0441\U043A\U0432\U0430, O=\U0424\U0413\U0423\U041F "\U0413\U0420\U0427\U0426", CN=\U0423\U0426 \U0424\U0413\U0423\U041F "\U0413\U0420\U0427\U0426"
+        X509v3 extensions:
+            Signing Tool of Subject: 
+                "КриптоПро CSP" (версия 3.6)
+            Signing Tool of Issuer: 
+                signTool    : "КриптоПро CSP" (версия 3.6)
+                cATool      : "Удостоверяющий центр "КриптоПро УЦ" версии 1.5
+                signToolCert: Сертификат соответствия № СФ/121-1859 от 17.06.2012
+                cAToolCert  : Сертификат соответствия № СФ/128-1822 от 01.06.2012
+            X509v3 Key Usage: 
+                Digital Signature, Certificate Sign, CRL Sign
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Subject Key Identifier: 
+                6B:00:86:83:89:D2:00:CF:56:B8:6B:E4:E3:36:10:1E:1F:72:AE:C3
+            1.3.6.1.4.1.311.21.1: 
+                ...
+            X509v3 Certificate Policies: 
+                Policy: 1.2.643.100.113.1
+                Policy: 1.2.643.100.113.2
+                Policy: X509v3 Any Policy
+    Signature Algorithm: GOST R 34.11-94 with GOST R 34.10-2001
+    Signature Value:
+        bd:95:dd:5f:3a:2b:74:a5:29:62:20:c2:24:a8:8b:a0:13:1a:
+        21:f5:4a:d6:2e:b1:3f:f5:50:e9:96:a0:a2:c9:79:09:15:a2:
+        41:c0:60:e1:1d:3f:25:8d:88:f4:4c:60:f3:0f:4e:e3:29:6e:
+        b8:6e:01:b4:03:2c:07:8f:27:37
+-----BEGIN CERTIFICATE-----
+MIIFGDCCBMegAwIBAgIQDIxAk7vmk71DC/UYJgMdBTAIBgYqhQMCAgMwggEWMRgw
+FgYFKoUDZAESDTEwMjc3MzkzMzQ0NzkxGjAYBggqhQMDgQMBARIMMDA3NzA2MjI4
+MjE4MTowOAYDVQQJDDHQlNC10YDQsdC10L3QtdCy0YHQutCw0Y8g0L3QsNCxLiDQ
+tC4gNyDRgdGC0YAuIDE1MR8wHQYJKoZIhvcNAQkBFhBwa2ktZ3JmY0BncmZjLnJ1
+MQswCQYDVQQGEwJSVTEcMBoGA1UECAwTNzcg0LMuINCc0L7RgdC60LLQsDEVMBMG
+A1UEBwwM0JzQvtGB0LrQstCwMRwwGgYDVQQKDBPQpNCT0KPQnyAi0JPQoNCn0KYi
+MSEwHwYDVQQDDBjQo9CmINCk0JPQo9CfICLQk9Cg0KfQpiIwHhcNMTMwMzEyMDcz
+ODI2WhcNMjgwMzEyMDc0NjAwWjCCARYxGDAWBgUqhQNkARINMTAyNzczOTMzNDQ3
+OTEaMBgGCCqFAwOBAwEBEgwwMDc3MDYyMjgyMTgxOjA4BgNVBAkMMdCU0LXRgNCx
+0LXQvdC10LLRgdC60LDRjyDQvdCw0LEuINC0LiA3INGB0YLRgC4gMTUxHzAdBgkq
+hkiG9w0BCQEWEHBraS1ncmZjQGdyZmMucnUxCzAJBgNVBAYTAlJVMRwwGgYDVQQI
+DBM3NyDQsy4g0JzQvtGB0LrQstCwMRUwEwYDVQQHDAzQnNC+0YHQutCy0LAxHDAa
+BgNVBAoME9Ck0JPQo9CfICLQk9Cg0KfQpiIxITAfBgNVBAMMGNCj0KYg0KTQk9Cj
+0J8gItCT0KDQp9CmIjBjMBwGBiqFAwICEzASBgcqhQMCAiMBBgcqhQMCAh4BA0MA
+BECWU7YnkJgff0sdJ+i50FXAYZlpcSz8wO/2AnfCzGC+PMj/NGOKMMWcv8I9eN7W
+eEXwIuRc96StDM8zJigQGd/1o4IB6TCCAeUwNgYFKoUDZG8ELQwrItCa0YDQuNC/
+0YLQvtCf0YDQviBDU1AiICjQstC10YDRgdC40Y8gMy42KTCCATMGBSqFA2RwBIIB
+KDCCASQMKyLQmtGA0LjQv9GC0L7Qn9GA0L4gQ1NQIiAo0LLQtdGA0YHQuNGPIDMu
+NikMUyLQo9C00L7RgdGC0L7QstC10YDRj9GO0YnQuNC5INGG0LXQvdGC0YAgItCa
+0YDQuNC/0YLQvtCf0YDQviDQo9CmIiDQstC10YDRgdC40LggMS41DE/QodC10YDR
+gtC40YTQuNC60LDRgiDRgdC+0L7RgtCy0LXRgtGB0YLQstC40Y8g4oSWINCh0KQv
+MTIxLTE4NTkg0L7RgiAxNy4wNi4yMDEyDE/QodC10YDRgtC40YTQuNC60LDRgiDR
+gdC+0L7RgtCy0LXRgtGB0YLQstC40Y8g4oSWINCh0KQvMTI4LTE4MjIg0L7RgiAw
+MS4wNi4yMDEyMAsGA1UdDwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW
+BBRrAIaDidIAz1a4a+TjNhAeH3KuwzAQBgkrBgEEAYI3FQEEAwIBADAlBgNVHSAE
+HjAcMAgGBiqFA2RxATAIBgYqhQNkcQIwBgYEVR0gADAIBgYqhQMCAgMDQQC9ld1f
+Oit0pSliIMIkqIugExoh9UrWLrE/9VDplqCiyXkJFaJBwGDhHT8ljYj0TGDzD07j
+KW64bgG0AywHjyc3
+-----END CERTIFICATE-----
diff --git a/test/recipes/25-test_rusext_data/grfc.utf8 b/test/recipes/25-test_rusext_data/grfc.utf8
new file mode 100644 (file)
index 0000000..ebca5d6
--- /dev/null
@@ -0,0 +1,67 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            0c:8c:40:93:bb:e6:93:bd:43:0b:f5:18:26:03:1d:05
+        Signature Algorithm: GOST R 34.11-94 with GOST R 34.10-2001
+        Issuer: OGRN=1027739334479, INN=007706228218, street=Дербеневская наб. д. 7 стр. 15, emailAddress=pki-grfc@grfc.ru, C=RU, ST=77 г. Москва, L=Москва, O=ФГУП "ГРЧЦ", CN=УЦ ФГУП "ГРЧЦ"
+        Validity
+            Not Before: Mar 12 07:38:26 2013 GMT
+            Not After : Mar 12 07:46:00 2028 GMT
+        Subject: OGRN=1027739334479, INN=007706228218, street=Дербеневская наб. д. 7 стр. 15, emailAddress=pki-grfc@grfc.ru, C=RU, ST=77 г. Москва, L=Москва, O=ФГУП "ГРЧЦ", CN=УЦ ФГУП "ГРЧЦ"
+        X509v3 extensions:
+            Signing Tool of Subject: 
+                "КриптоПро CSP" (версия 3.6)
+            Signing Tool of Issuer: 
+                signTool    : "КриптоПро CSP" (версия 3.6)
+                cATool      : "Удостоверяющий центр "КриптоПро УЦ" версии 1.5
+                signToolCert: Сертификат соответствия № СФ/121-1859 от 17.06.2012
+                cAToolCert  : Сертификат соответствия № СФ/128-1822 от 01.06.2012
+            X509v3 Key Usage: 
+                Digital Signature, Certificate Sign, CRL Sign
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Subject Key Identifier: 
+                6B:00:86:83:89:D2:00:CF:56:B8:6B:E4:E3:36:10:1E:1F:72:AE:C3
+            1.3.6.1.4.1.311.21.1: 
+                ...
+            X509v3 Certificate Policies: 
+                Policy: 1.2.643.100.113.1
+                Policy: 1.2.643.100.113.2
+                Policy: X509v3 Any Policy
+    Signature Algorithm: GOST R 34.11-94 with GOST R 34.10-2001
+    Signature Value:
+        bd:95:dd:5f:3a:2b:74:a5:29:62:20:c2:24:a8:8b:a0:13:1a:
+        21:f5:4a:d6:2e:b1:3f:f5:50:e9:96:a0:a2:c9:79:09:15:a2:
+        41:c0:60:e1:1d:3f:25:8d:88:f4:4c:60:f3:0f:4e:e3:29:6e:
+        b8:6e:01:b4:03:2c:07:8f:27:37
+-----BEGIN CERTIFICATE-----
+MIIFGDCCBMegAwIBAgIQDIxAk7vmk71DC/UYJgMdBTAIBgYqhQMCAgMwggEWMRgw
+FgYFKoUDZAESDTEwMjc3MzkzMzQ0NzkxGjAYBggqhQMDgQMBARIMMDA3NzA2MjI4
+MjE4MTowOAYDVQQJDDHQlNC10YDQsdC10L3QtdCy0YHQutCw0Y8g0L3QsNCxLiDQ
+tC4gNyDRgdGC0YAuIDE1MR8wHQYJKoZIhvcNAQkBFhBwa2ktZ3JmY0BncmZjLnJ1
+MQswCQYDVQQGEwJSVTEcMBoGA1UECAwTNzcg0LMuINCc0L7RgdC60LLQsDEVMBMG
+A1UEBwwM0JzQvtGB0LrQstCwMRwwGgYDVQQKDBPQpNCT0KPQnyAi0JPQoNCn0KYi
+MSEwHwYDVQQDDBjQo9CmINCk0JPQo9CfICLQk9Cg0KfQpiIwHhcNMTMwMzEyMDcz
+ODI2WhcNMjgwMzEyMDc0NjAwWjCCARYxGDAWBgUqhQNkARINMTAyNzczOTMzNDQ3
+OTEaMBgGCCqFAwOBAwEBEgwwMDc3MDYyMjgyMTgxOjA4BgNVBAkMMdCU0LXRgNCx
+0LXQvdC10LLRgdC60LDRjyDQvdCw0LEuINC0LiA3INGB0YLRgC4gMTUxHzAdBgkq
+hkiG9w0BCQEWEHBraS1ncmZjQGdyZmMucnUxCzAJBgNVBAYTAlJVMRwwGgYDVQQI
+DBM3NyDQsy4g0JzQvtGB0LrQstCwMRUwEwYDVQQHDAzQnNC+0YHQutCy0LAxHDAa
+BgNVBAoME9Ck0JPQo9CfICLQk9Cg0KfQpiIxITAfBgNVBAMMGNCj0KYg0KTQk9Cj
+0J8gItCT0KDQp9CmIjBjMBwGBiqFAwICEzASBgcqhQMCAiMBBgcqhQMCAh4BA0MA
+BECWU7YnkJgff0sdJ+i50FXAYZlpcSz8wO/2AnfCzGC+PMj/NGOKMMWcv8I9eN7W
+eEXwIuRc96StDM8zJigQGd/1o4IB6TCCAeUwNgYFKoUDZG8ELQwrItCa0YDQuNC/
+0YLQvtCf0YDQviBDU1AiICjQstC10YDRgdC40Y8gMy42KTCCATMGBSqFA2RwBIIB
+KDCCASQMKyLQmtGA0LjQv9GC0L7Qn9GA0L4gQ1NQIiAo0LLQtdGA0YHQuNGPIDMu
+NikMUyLQo9C00L7RgdGC0L7QstC10YDRj9GO0YnQuNC5INGG0LXQvdGC0YAgItCa
+0YDQuNC/0YLQvtCf0YDQviDQo9CmIiDQstC10YDRgdC40LggMS41DE/QodC10YDR
+gtC40YTQuNC60LDRgiDRgdC+0L7RgtCy0LXRgtGB0YLQstC40Y8g4oSWINCh0KQv
+MTIxLTE4NTkg0L7RgiAxNy4wNi4yMDEyDE/QodC10YDRgtC40YTQuNC60LDRgiDR
+gdC+0L7RgtCy0LXRgtGB0YLQstC40Y8g4oSWINCh0KQvMTI4LTE4MjIg0L7RgiAw
+MS4wNi4yMDEyMAsGA1UdDwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW
+BBRrAIaDidIAz1a4a+TjNhAeH3KuwzAQBgkrBgEEAYI3FQEEAwIBADAlBgNVHSAE
+HjAcMAgGBiqFA2RxATAIBgYqhQNkcQIwBgYEVR0gADAIBgYqhQMCAgMDQQC9ld1f
+Oit0pSliIMIkqIugExoh9UrWLrE/9VDplqCiyXkJFaJBwGDhHT8ljYj0TGDzD07j
+KW64bgG0AywHjyc3
+-----END CERTIFICATE-----
index 0e27508..ba27450 100644 (file)
@@ -4950,6 +4950,11 @@ EVP_PKEY_CTX_set0_ecdh_kdf_ukm          ?        3_0_0   EXIST::FUNCTION:EC
 EVP_PKEY_CTX_get0_ecdh_kdf_ukm          ?      3_0_0   EXIST::FUNCTION:EC
 EVP_PKEY_CTX_set_rsa_pss_saltlen        ?      3_0_0   EXIST::FUNCTION:RSA
 EVP_PKEY_CTX_get_rsa_pss_saltlen        ?      3_0_0   EXIST::FUNCTION:RSA
+d2i_ISSUER_SIGN_TOOL                    ?      3_0_0   EXIST::FUNCTION:
+i2d_ISSUER_SIGN_TOOL                    ?      3_0_0   EXIST::FUNCTION:
+ISSUER_SIGN_TOOL_free                   ?      3_0_0   EXIST::FUNCTION:
+ISSUER_SIGN_TOOL_new                    ?      3_0_0   EXIST::FUNCTION:
+ISSUER_SIGN_TOOL_it                     ?      3_0_0   EXIST::FUNCTION:
 OSSL_SELF_TEST_new                      ?      3_0_0   EXIST::FUNCTION:
 OSSL_SELF_TEST_free                     ?      3_0_0   EXIST::FUNCTION:
 OSSL_SELF_TEST_onbegin                  ?      3_0_0   EXIST::FUNCTION: