Make X509_ATTRIBUTE opaque.

Reviewed-by: Rich Salz <rsalz@openssl.org>

apps/pkcs12.c

@@ -993,17 +993,19 @@ int print_attribs(BIO *out, STACK_OF(X509_ATTRIBUTE) *attrlst,
     }
     BIO_printf(out, "%s\n", name);
     for (i = 0; i < sk_X509_ATTRIBUTE_num(attrlst); i++) {
+        ASN1_OBJECT *attr_obj;
         attr = sk_X509_ATTRIBUTE_value(attrlst, i);
-        attr_nid = OBJ_obj2nid(attr->object);
+        attr_obj = X509_ATTRIBUTE_get0_object(attr);
+        attr_nid = OBJ_obj2nid(attr_obj);
         BIO_printf(out, "    ");
         if (attr_nid == NID_undef) {
-            i2a_ASN1_OBJECT(out, attr->object);
+            i2a_ASN1_OBJECT(out, attr_obj);
             BIO_printf(out, ": ");
         } else
             BIO_printf(out, "%s: ", OBJ_nid2ln(attr_nid));
 
-        if (sk_ASN1_TYPE_num(attr->value.set)) {
+        if (X509_ATTRIBUTE_count(attr)) {
-            av = sk_ASN1_TYPE_value(attr->value.set, 0);
+            av = X509_ATTRIBUTE_get0_type(attr, 0);
             switch (av->type) {
             case V_ASN1_BMPSTRING:
                 value = OPENSSL_uni2asc(av->value.bmpstring->data,

crypto/asn1/Makefile

@@ -20,7 +20,7 @@ LIB=$(TOP)/libcrypto.a
 LIBSRC=	a_object.c a_bitstr.c a_utctm.c a_gentm.c a_time.c a_int.c a_octet.c \
 	a_print.c a_type.c a_set.c a_dup.c a_d2i_fp.c a_i2d_fp.c \
 	a_enum.c a_utf8.c a_sign.c a_digest.c a_verify.c a_mbstr.c a_strex.c \
-	x_algor.c x_val.c x_pubkey.c x_sig.c x_req.c x_attrib.c x_bignum.c \
+	x_algor.c x_val.c x_pubkey.c x_sig.c x_req.c x_bignum.c \
 	x_long.c x_name.c x_x509.c x_x509a.c x_crl.c x_info.c x_spki.c nsseq.c \
 	x_nx509.c d2i_pu.c d2i_pr.c i2d_pu.c i2d_pr.c\
 	t_req.c t_x509.c t_x509a.c t_crl.c t_pkey.c t_spki.c t_bitst.c \
@@ -34,7 +34,7 @@ LIBSRC=	a_object.c a_bitstr.c a_utctm.c a_gentm.c a_time.c a_int.c a_octet.c \
 LIBOBJ= a_object.o a_bitstr.o a_utctm.o a_gentm.o a_time.o a_int.o a_octet.o \
 	a_print.o a_type.o a_set.o a_dup.o a_d2i_fp.o a_i2d_fp.o \
 	a_enum.o a_utf8.o a_sign.o a_digest.o a_verify.o a_mbstr.o a_strex.o \
-	x_algor.o x_val.o x_pubkey.o x_sig.o x_req.o x_attrib.o x_bignum.o \
+	x_algor.o x_val.o x_pubkey.o x_sig.o x_req.o x_bignum.o \
 	x_long.o x_name.o x_x509.o x_x509a.o x_crl.o x_info.o x_spki.o nsseq.o \
 	x_nx509.o d2i_pu.o d2i_pr.o i2d_pu.o i2d_pr.o \
 	t_req.o t_x509.o t_x509a.o t_crl.o t_pkey.o t_spki.o t_bitst.o \
@@ -759,19 +759,6 @@ x_algor.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
 x_algor.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 x_algor.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
 x_algor.o: ../../include/openssl/x509_vfy.h x_algor.c
-x_attrib.o: ../../e_os.h ../../include/openssl/asn1.h
-x_attrib.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
-x_attrib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-x_attrib.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
-x_attrib.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
-x_attrib.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-x_attrib.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-x_attrib.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-x_attrib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-x_attrib.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
-x_attrib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-x_attrib.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-x_attrib.o: ../../include/openssl/x509_vfy.h ../cryptlib.h x_attrib.c
 x_bignum.o: ../../e_os.h ../../include/openssl/asn1.h
 x_bignum.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
 x_bignum.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h

crypto/asn1/t_req.c

@@ -161,27 +161,22 @@ int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflags,
                 ASN1_TYPE *at;
                 X509_ATTRIBUTE *a;
                 ASN1_BIT_STRING *bs = NULL;
-                ASN1_TYPE *t;
+                ASN1_OBJECT *aobj;
                 int j, type = 0, count = 1, ii = 0;
 
                 a = sk_X509_ATTRIBUTE_value(sk, i);
-                if (X509_REQ_extension_nid(OBJ_obj2nid(a->object)))
+                aobj = X509_ATTRIBUTE_get0_object(a);
+                if (X509_REQ_extension_nid(OBJ_obj2nid(aobj)))
                     continue;
                 if (BIO_printf(bp, "%12s", "") <= 0)
                     goto err;
-                if ((j = i2a_ASN1_OBJECT(bp, a->object)) > 0) {
+                if ((j = i2a_ASN1_OBJECT(bp, aobj)) > 0) {
-                    if (a->single) {
+                    ii = 0;
-                        t = a->value.single;
+                    count = X509_ATTRIBUTE_count(a);
-                        type = t->type;
-                        bs = t->value.bit_string;
-                    } else {
-                        ii = 0;
-                        count = sk_ASN1_TYPE_num(a->value.set);
  get_next:
-                        at = sk_ASN1_TYPE_value(a->value.set, ii);
+                    at = X509_ATTRIBUTE_get0_type(a, ii);
-                        type = at->type;
+                    type = at->type;
-                        bs = at->value.asn1_string;
+                    bs = at->value.asn1_string;
-                    }
                 }
                 for (j = 25 - j; j > 0; j--)
                     if (BIO_write(bp, " ", 1) != 1)

crypto/pkcs12/p12_attr.c

@@ -121,18 +121,9 @@ ASN1_TYPE *PKCS12_get_attr_gen(STACK_OF(X509_ATTRIBUTE) *attrs, int attr_nid)
 {
     X509_ATTRIBUTE *attrib;
     int i;
-    if (!attrs)
+    i = X509at_get_attr_by_NID(attrs, attr_nid, -1);
-        return NULL;
+    attrib = X509at_get_attr(attrs, i);
-    for (i = 0; i < sk_X509_ATTRIBUTE_num(attrs); i++) {
+    return X509_ATTRIBUTE_get0_type(attrib, 0);
-        attrib = sk_X509_ATTRIBUTE_value(attrs, i);
-        if (OBJ_obj2nid(attrib->object) == attr_nid) {
-            if (sk_ASN1_TYPE_num(attrib->value.set))
-                return sk_ASN1_TYPE_value(attrib->value.set, 0);
-            else
-                return NULL;
-        }
-    }
-    return NULL;
 }
 
 char *PKCS12_get_friendlyname(PKCS12_SAFEBAG *bag)

crypto/pkcs7/pk7_doit.c

@@ -1067,23 +1067,11 @@ ASN1_TYPE *PKCS7_get_attribute(PKCS7_SIGNER_INFO *si, int nid)
 
 static ASN1_TYPE *get_attribute(STACK_OF(X509_ATTRIBUTE) *sk, int nid)
 {
-    int i;
+    int idx;
     X509_ATTRIBUTE *xa;
-    ASN1_OBJECT *o;
+    idx = X509at_get_attr_by_NID(sk, nid, -1);
-
+    xa = X509at_get_attr(sk, idx);
-    o = OBJ_nid2obj(nid);
+    return X509_ATTRIBUTE_get0_type(xa, 0);
-    if (!o || !sk)
-        return (NULL);
-    for (i = 0; i < sk_X509_ATTRIBUTE_num(sk); i++) {
-        xa = sk_X509_ATTRIBUTE_value(sk, i);
-        if (OBJ_cmp(xa->object, o) == 0) {
-            if (!xa->single && sk_ASN1_TYPE_num(xa->value.set))
-                return (sk_ASN1_TYPE_value(xa->value.set, 0));
-            else
-                return (NULL);
-        }
-    }
-    return (NULL);
 }
 
 ASN1_OCTET_STRING *PKCS7_digest_from_attributes(STACK_OF(X509_ATTRIBUTE) *sk)
@@ -1167,7 +1155,7 @@ static int add_attribute(STACK_OF(X509_ATTRIBUTE) **sk, int nid, int atrtype,
 
         for (i = 0; i < sk_X509_ATTRIBUTE_num(*sk); i++) {
             attr = sk_X509_ATTRIBUTE_value(*sk, i);
-            if (OBJ_obj2nid(attr->object) == nid) {
+            if (OBJ_obj2nid(X509_ATTRIBUTE_get0_object(attr)) == nid) {
                 X509_ATTRIBUTE_free(attr);
                 attr = X509_ATTRIBUTE_create(nid, atrtype, value);
                 if (attr == NULL)

crypto/x509/Makefile

@@ -22,13 +22,13 @@ LIBSRC=	x509_def.c x509_d2.c x509_r2x.c x509_cmp.c \
 	x509_set.c x509cset.c x509rset.c x509_err.c \
 	x509name.c x509_v3.c x509_ext.c x509_att.c \
 	x509type.c x509_lu.c x_all.c x509_txt.c \
-	x509_trs.c by_file.c by_dir.c x509_vpm.c
+	x509_trs.c by_file.c by_dir.c x509_vpm.c x_attrib.c
 LIBOBJ= x509_def.o x509_d2.o x509_r2x.o x509_cmp.o \
 	x509_obj.o x509_req.o x509spki.o x509_vfy.o \
 	x509_set.o x509cset.o x509rset.o x509_err.o \
 	x509name.o x509_v3.o x509_ext.o x509_att.o \
 	x509type.o x509_lu.o x_all.o x509_txt.o \
-	x509_trs.o by_file.o by_dir.o x509_vpm.o
+	x509_trs.o by_file.o by_dir.o x509_vpm.o x_attrib.o
 
 SRC= $(LIBSRC)
 

crypto/x509/x509.h

@@ -181,21 +181,7 @@ typedef STACK_OF(X509_EXTENSION) X509_EXTENSIONS;
 
 DECLARE_STACK_OF(X509_EXTENSION)
 
-/* a sequence of these are used */
+typedef struct x509_attributes_st X509_ATTRIBUTE;
-typedef struct x509_attributes_st {
-    ASN1_OBJECT *object;
-    int single;                 /* 0 for a set, 1 for a single item (which is
-                                 * wrong) */
-    union {
-        char *ptr;
-        /*
-         * 0
-         */ STACK_OF(ASN1_TYPE) *set;
-        /*
-         * 1
-         */ ASN1_TYPE *single;
-    } value;
-} X509_ATTRIBUTE;
 
 DECLARE_STACK_OF(X509_ATTRIBUTE)
 

crypto/x509/x509_att.c

@@ -64,6 +64,7 @@
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
+#include "x509_lcl.h"
 
 int X509at_get_attr_count(const STACK_OF(X509_ATTRIBUTE) *x)
 {

crypto/x509/x509_lcl.h

@@ -70,3 +70,19 @@ struct X509_VERIFY_PARAM_ID_st {
 };
 
 int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int quiet);
+
+/* a sequence of these are used */
+struct x509_attributes_st {
+    ASN1_OBJECT *object;
+    int single;                 /* 0 for a set, 1 for a single item (which is
+                                 * wrong) */
+    union {
+        char *ptr;
+        /*
+         * 0
+         */ STACK_OF(ASN1_TYPE) *set;
+        /*
+         * 1
+         */ ASN1_TYPE *single;
+    } value;
+};

crypto/x509/x509_req.c

@@ -201,10 +201,7 @@ STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req)
         if (idx == -1)
             continue;
         attr = X509_REQ_get_attr(req, idx);
-        if (attr->single)
+        ext = X509_ATTRIBUTE_get0_type(attr, 0);
-            ext = attr->value.single;
-        else if (sk_ASN1_TYPE_num(attr->value.set))
-            ext = sk_ASN1_TYPE_value(attr->value.set, 0);
         break;
     }
     if (!ext || (ext->type != V_ASN1_SEQUENCE))
@@ -223,37 +220,17 @@ STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req)
 int X509_REQ_add_extensions_nid(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts,
                                 int nid)
 {
-    ASN1_TYPE *at = NULL;
+    int extlen;
-    X509_ATTRIBUTE *attr = NULL;
+    int rv = 0;
-    if (!(at = ASN1_TYPE_new()) || !(at->value.sequence = ASN1_STRING_new()))
+    unsigned char *ext = NULL;
-        goto err;
-
-    at->type = V_ASN1_SEQUENCE;
     /* Generate encoding of extensions */
-    at->value.sequence->length =
+    extlen = ASN1_item_i2d((ASN1_VALUE *)exts, &ext,
-        ASN1_item_i2d((ASN1_VALUE *)exts,
+                           ASN1_ITEM_rptr(X509_EXTENSIONS));
-                      &at->value.sequence->data,
+    if (extlen <= 0)
-                      ASN1_ITEM_rptr(X509_EXTENSIONS));
+        return 0;
-    if (!(attr = X509_ATTRIBUTE_new()))
+    rv = X509_REQ_add1_attr_by_NID(req, nid, V_ASN1_SEQUENCE, ext, extlen);
-        goto err;
+    OPENSSL_free(ext);
-    if (!(attr->value.set = sk_ASN1_TYPE_new_null()))
+    return rv;
-        goto err;
-    if (!sk_ASN1_TYPE_push(attr->value.set, at))
-        goto err;
-    at = NULL;
-    attr->single = 0;
-    attr->object = OBJ_nid2obj(nid);
-    if (!req->req_info->attributes) {
-        if (!(req->req_info->attributes = sk_X509_ATTRIBUTE_new_null()))
-            goto err;
-    }
-    if (!sk_X509_ATTRIBUTE_push(req->req_info->attributes, attr))
-        goto err;
-    return 1;
- err:
-    X509_ATTRIBUTE_free(attr);
-    ASN1_TYPE_free(at);
-    return 0;
 }
 
 /* This is the normal usage: use the "official" OID */

crypto/x509/x_attrib.c

@@ -61,6 +61,7 @@
 #include <openssl/objects.h>
 #include <openssl/asn1t.h>
 #include <openssl/x509.h>
+#include "x509_lcl.h"
 
 /*-
  * X509_ATTRIBUTE: this has the following form: