ITU X.509/RFC 3281 Attribute Certificate Toolkit for OpenSSL

Daniel Díaz-Sánchez, Universidad Carlos III de Madrid, dds@it.uc3m.es, http://www.it.uc3m.es/dds
Andrés Marín López, Universidad Carlos III de Madrid, amarin@it.uc3m.es, http://www.it.uc3m.es/amarin
Florina Almenarez, Universidad Carlos III de Madrid, florina@it.uc3m.es, http://www.it.uc3m.es/florina

09/10/2006: Released v.0.1

This source code provides a toolkit to issue attribute certificates as defined in the ITU X.509 Recommendation and RFC 3281. The library has been tested with OpenSSL 0.9.8a and some earlier versions and it works. The Zip files in the Downloads section also contain a test program that demonstrates the library. Note that this is a BETA version and any help and collaboration is welcome. Thanks to the OpenSSL people for their answers on the mailing list.

Now we are working on a Privilege verifier that will be available soon!

Please read the OpenSSL license.

The code has been developed under Windows using Visual Studio 2005, but it can be used on Linux as well.

Functions to get information

#define PEM_read_X509AC(fp,x,cb,u) (X509AC *)PEM_ASN1_read( \
        (char *(*)())d2i_X509AC,PEM_STRING_X509AC,fp,(char **)x,cb,u)
    Reads an attribute certificate in PEM format from a file pointer.

X509AC_ISSUER_SERIAL *X509_get_basecertID(X509 *x)
    Takes an X509 certificate and extracts the X509AC_ISSUER_SERIAL structure (the base cert ID).

X509_NAME *X509AC_get_issuer_name(X509AC *a)
    Obtains the X509_NAME of the issuer, taken from a->info->issuer->d.v1Form when the attribute certificate is version 1, and from a->info->issuer->d.v2Form->issuer when the attribute certificate is version 2.

X509_NAME *X509AC_get_holder_entity_name(X509AC *a)
    Searches a->info->holder->entity (a stack of GENERAL_NAME) for a valid Directory Name.

X509AC_ISSUER_SERIAL *X509AC_get_holder_baseCertID(X509AC *a)
    Returns the a->info->holder->baseCertID structure, of type X509AC_ISSUER_SERIAL.

ASN1_BIT_STRING *X509AC_get_holder_objectDigestInfo(X509AC *a)
    Returns the a->info->holder->objectDigestInfo structure, of type ASN1_BIT_STRING.

X509AC_ISSUER_SERIAL *X509AC_get_issuer_baseCertID(X509AC *a)
    Returns a->info->issuer->d.v2Form->baseCertID. This field is only available when the certificate is version 2; for version 1 it is not present.

ASN1_BIT_STRING *X509AC_get_issuer_objectDigestInfo(X509AC *a)
    Returns a->info->issuer->d.v2Form->digest. This field is only available when the certificate is version 2; for version 1 it is not present.

long X509AC_get_version(X509AC *a);
int X509AC_set_version(X509AC *a, long version)
    Get and set the version of the certificate.

Functions to set information

int X509AC_set_holder_entity_name(X509AC* a, X509_NAME *name)
    Places an X509_NAME into a->info->holder->entity.

int X509AC_set_holder_serialNumber(X509AC *x, ASN1_INTEGER *serial)
    Sets the serial number in x->info->holder->baseCertID->serial.

int X509AC_set_holder_name(X509AC* a, X509_NAME *name)
    Sets the name in the a->info->holder->baseCertID->issuer structure.

int X509AC_set_holder_objectDigestInfo(X509AC *a, X509AC_OBJECT_DIGESTINFO *odig)
    Sets the object digest info of the baseCertID structure for the holder of the attribute certificate.

int X509AC_set_holder_baseCertID(X509AC* a, X509AC_ISSUER_SERIAL *bci)
    Sets the whole Base Cert ID structure.

int X509AC_set_issuer_baseCertID(X509AC* a, X509AC_ISSUER_SERIAL *bci)
    Takes a baseCertID structure and sets the issuer info of the attribute certificate.

int X509AC_set_issuer_name(X509AC* a, X509_NAME *name)
    Sets the name in the issuer information space. Depending on the version of the certificate it is inserted in v1Form or in v2Form->issuer.

General tools to fill up some of the necessary structures:

int X509AC_set_GENERAL_NAME_name(GENERAL_NAMES *gens, X509_NAME *name)
    Puts an X509_NAME into a GENERAL_NAMES structure.

int X509AC_set_baseCertID_name(X509AC_ISSUER_SERIAL *bci, X509_NAME *name)
    Puts an X509_NAME into a BaseCertId structure.

int X509AC_set_baseCertID_serial(X509AC_ISSUER_SERIAL *bci, ASN1_INTEGER *serial)
    Puts the serial number into a BaseCertId structure.

int X509AC_set_baseCertID_issuerUniqueID(X509AC_ISSUER_SERIAL *bci, ASN1_BIT_STRING *uid)
    Sets a unique id into a BaseCertId structure.

Attribute functions

X509_ATTRIBUTE *X509AC_get_attr(X509AC *a, int idx)
    Gets the X509_ATTRIBUTE that occupies position idx in the stack.

int X509AC_add_attribute_by_NID(X509AC *a, int nid, int atrtype, void *value)
    Creates and adds an attribute identified by its NID.

int X509AC_add_attribute(X509AC *a, X509_ATTRIBUTE *attr);
int X509AC_add_X509_ATTRIBUTE(X509AC *a, X509_ATTRIBUTE *attr)
    Adds an attribute to the attribute stack of the attribute certificate.

ASN1_TYPE *X509AC_ATTRIBUTE_get0_type(X509_ATTRIBUTE *attr, int idx)
    Gets a pointer to the ASN1_TYPE structure of the first attribute value of the attribute placed at position idx.

void *X509AC_ATTRIBUTE_get0_data(X509_ATTRIBUTE *attr, int idx, int atrtype, void *data)
    Gets a pointer to the data of the first attribute value of the attribute placed at position idx.

int X509AC_get_attributecount(X509AC *a)
    Gets the number of attributes present in an attribute certificate.

Extensions

int X509AC_add_extension(X509AC *a, X509_EXTENSION *ex, int loc)
    Adds an X509_EXTENSION to the certificate's X509_EXTENSION stack.

Signature

int X509AC_sign_rsa(X509AC *a, RSA *rsa, EVP_MD *md);
int X509AC_sign_pkey(X509AC *a, EVP_PKEY *pkey, EVP_MD *md)
    These functions sign the attribute certificate using an RSA key or an EVP_PKEY.

Presentation

void X509AC_print(X509AC *ac)
    Prints to stdout the information present in an attribute certificate.

int GENERAL_NAMES_print(FILE *out, GENERAL_NAMES *gens)
    Prints GENERAL_NAMES structures.

int GENERAL_NAME_print(FILE *out, GENERAL_NAME *gen)
    Prints GENERAL_NAME structures.

Misc

int X509AC_X509_NAME_dup(X509_NAME **xn, X509_NAME *name)
    Duplicates an X509_NAME structure.

Support for RFC 3281 attributes

xxx* xxx_new(); xxx* xxx_dup(xxx*); void xxx_free(xxx*); d2i_xxx(...); i2d_xxx(...);
    General functions to allocate, free, encode and decode the attributes described in RFC 3281. With xxx: SvceAuthInfo (for Service Authentication Information [id-aca-authenticationInfo] and Access Identity [id-aca-accessIdentity]), IetfAttrSyntax (for Charging Identity [id-aca-chargingIdentity] and Group [id-aca-group]) and RoleSyntax (for Role [id-at-role]).

X509attr_xxx_add_value(...)
    Functions to add values to attributes. With xxx: SvceAuthInfo, IetfAttrSyntax, RoleSyntax and attribute (GENERAL).

Links

OpenSSL project: www.openssl.org
Blog of Daniel Diaz: http://rubinstein.gast.it.uc3m.es/research/dds

Downloads

Attribute Certificates Toolkit Windows Version (Visual Studio 2005) (version 0.1)
    Attribute Certificates Toolkit (Zip file): AC.PMI.it.uc3m.es.zip
    http://www.it.uc3m.es/dds/swRelease/pmi/AC.PMI.it.uc3m.es.v.0.1.zip
    v0.1 Beta

Attribute Certificates Toolkit for Linux
    Attribute Certificates Toolkit (tar.gz) (version 0.1): openSSLAC.tar.gz
    http://www.it.uc3m.es/dds/swRelease/pmi/openSSLAC.tar.gz
    v0.1 Beta

Attribute Certificates Toolkit Windows Version 0.2 (Visual Studio 2005), includes ISSUING PROGRAM
    Attribute Certificates Toolkit and issuing program (zip) (version 0.2). API changes not covered in documentation yet: AC.PMI.it.uc3m.es.v.0.2.zip
    http://www.it.uc3m.es/dds/swRelease/pmi/AC.PMI.it.uc3m.es.v.0.2.zip
    v0.2 Beta
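The holder and issuer accessors above read fields of the RFC 3281 AttributeCertificateInfo structure. As an added example that is not part of the toolkit, the Python below builds constructed DER samples of that structure and walks them the way X509AC_get_version, X509AC_get_issuer_name (v1Form versus v2Form) and X509AC_get_holder_baseCertID do; the tlv/walk helpers and every sample value (including the empty placeholder Name and the serial 0x1001) are constructed here and are not taken from the toolkit.

```python
def tlv(tag, body):
    """DER-encode one TLV; lengths up to 65535 are enough for this example."""
    n = len(body)
    if n < 0x80:
        ln = bytes([n])
    elif n < 0x100:
        ln = bytes([0x81, n])
    else:
        ln = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + ln + body

def walk(der):
    """Split a DER blob into its top-level (tag, body) pairs."""
    out, i = [], 0
    while i < len(der):
        tag, n, i = der[i], der[i + 1], i + 2
        if n & 0x80:  # long-form length: next (n & 0x7F) bytes hold the length
            k, n = n & 0x7F, 0
            for _ in range(k):
                n, i = (n << 8) | der[i], i + 1
        out.append((tag, der[i:i + n]))
        i += n
    return out

# The functions below take the body of AttributeCertificateInfo, whose first
# three elements are version, holder and issuer (RFC 3281 section 4.1).
def version(acinfo):
    return int.from_bytes(walk(acinfo)[0][1], "big")

def issuer_kind(acinfo):
    """'v1Form' for a bare GeneralNames SEQUENCE, 'v2Form' for the [0] V2Form
    context tag; the toolkit exposes these as d.v1Form / d.v2Form."""
    return {0x30: "v1Form", 0xA0: "v2Form"}[walk(acinfo)[2][0]]

def holder_base_serial(acinfo):
    """Serial from holder.baseCertificateID [0] IssuerSerial, or None if absent."""
    for tag, body in walk(walk(acinfo)[1][1]):
        if tag == 0xA0:  # IssuerSerial ::= SEQUENCE { issuer GeneralNames, serial INTEGER, ... }
            issuer, serial = walk(walk(body)[0][1])[:2]
            return int.from_bytes(serial[1], "big")
    return None

# Constructed samples; the directoryName is an empty placeholder Name.
NAME = tlv(0x30, b"")
GN = tlv(0x30, tlv(0xA4, NAME))  # GeneralNames { directoryName [4] Name }
ISSUER_SERIAL = tlv(0x30, GN + tlv(0x02, b"\x10\x01"))  # serial 0x1001 (constructed)
ACINFO_V2 = (tlv(0x02, b"\x01") + tlv(0x30, tlv(0xA0, ISSUER_SERIAL))
             + tlv(0xA0, tlv(0x30, GN)))  # issuer: v2Form [0] V2Form { issuerName }
ACINFO_V1 = tlv(0x02, b"\x00") + tlv(0x30, tlv(0xA1, GN)) + GN  # holder entityName, v1Form issuer
```

A verifier should refuse a certificate whose issuer form does not match its version field before trusting any of its attributes; the accessors only locate the fields, they do not check that consistency.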