ASN1_EX_COMBINE in OpenSSL 1.1.1c?

ASN1_EX_COMBINE in OpenSSL 1.1.1c?

weber
Dear users,

during migration from version 1.0.2s to 1.1.1c we are missing the macro
ASN1_EX_COMBINE.

It was used to embed a choice in a sequence as follows:

> ASN1_CHOICE(X509AT_ATTRIBUTE_SET) = {
>     ASN1_SET_OF(X509AT_ATTRIBUTE, value.set, ASN1_ANY),
>     ASN1_SIMPLE(X509AT_ATTRIBUTE, value.single, ASN1_ANY)
> } ASN1_CHOICE_END_selector(X509AT_ATTRIBUTE, X509AT_ATTRIBUTE_SET, single)
>
> ASN1_SEQUENCE(X509AT_ATTRIBUTE) = {
>     ASN1_SIMPLE(X509AT_ATTRIBUTE, object, ASN1_OBJECT),
>     /* CHOICE type merged with parent */
>     ASN1_EX_COMBINE(0, 0, X509AT_ATTRIBUTE_SET)
> } ASN1_SEQUENCE_END(X509AT_ATTRIBUTE)

What's the proper substitute in 1.1.1c?

Thanks in advance
-- Christian Weber

Re: ASN1_EX_COMBINE in OpenSSL 1.1.1c?

Matt Caswell-2


On 27/08/2019 17:24, [hidden email] wrote:

> Dear users,
>
> during migration from version 1.0.2s to 1.1.1c we are missing the macro
> ASN1_EX_COMBINE.
>
> It was used to embed a choice in a sequence as follows:
>> ASN1_CHOICE(X509AT_ATTRIBUTE_SET) = {
>>     ASN1_SET_OF(X509AT_ATTRIBUTE, value.set, ASN1_ANY),
>>     ASN1_SIMPLE(X509AT_ATTRIBUTE, value.single, ASN1_ANY)
>> } ASN1_CHOICE_END_selector(X509AT_ATTRIBUTE, X509AT_ATTRIBUTE_SET, single)
>>
>> ASN1_SEQUENCE(X509AT_ATTRIBUTE) = {
>>     ASN1_SIMPLE(X509AT_ATTRIBUTE, object, ASN1_OBJECT),
>>     /* CHOICE type merged with parent */
>>     ASN1_EX_COMBINE(0, 0, X509AT_ATTRIBUTE_SET)
>> } ASN1_SEQUENCE_END(X509AT_ATTRIBUTE)
>
> What's the proper substitute in 1.1.1c?

Support for ASN1_EX_COMBINE was removed by commit ee9d76371ae which had this
description:

    Remove combine option from ASN.1 code.

    Remove the combine option. This was used for compatibility with some
    non standard behaviour in ancient versions of OpenSSL: specifically
    the X509_ATTRIBUTE and DSAPublicKey handling. Since these have now
    been revised it is no longer needed.

For your application you might draw some inspiration from commit e20b57270d
which removed the use of this from X509_ATTRIBUTE internally in OpenSSL:

commit e20b57270dece66ce2c68aeb5d14dd6d9f3c5d68
Author:     Dr. Stephen Henson <[hidden email]>
AuthorDate: Wed Mar 25 15:08:55 2015 +0000
Commit:     Dr. Stephen Henson <[hidden email]>
CommitDate: Wed Mar 25 15:46:54 2015 +0000

    Remove X509_ATTRIBUTE hack.

    The X509_ATTRIBUTE structure includes a hack to tolerate malformed
    attributes that encode as the type instead of SET OF type. This form
    is never created by OpenSSL and shouldn't be needed any more.

    Reviewed-by: Rich Salz <[hidden email]>
    Reviewed-by: Richard Levitte <[hidden email]>

You might also look at commit ea6b07b54 which removed it for the DSAPublicKey
handling.

Regards

Matt
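
An added example, not part of either post and not OpenSSL code: a stand-alone C check that reports whether a DER-encoded Attribute carries its values as SET OF or as the bare type that the removed hack tolerated, which helps when auditing stored data before dropping ASN1_EX_COMBINE. The function names and sample bytes are constructed for illustration, and no OpenSSL calls are used.

```c
#include <stddef.h>
#include <stdio.h>

enum { ATTR_INVALID = -1, ATTR_SET_OF = 0, ATTR_BARE_TYPE = 1 };

/* Parse one definite-length DER header; return total TLV size, 0 on error. */
static size_t der_tlv(const unsigned char *p, size_t len,
                      unsigned char *tag, size_t *hdr)
{
    size_t n, i, l = 0;
    if (len < 2 || (p[0] & 0x1f) == 0x1f)   /* high tag numbers not handled */
        return 0;
    *tag = p[0];
    *hdr = 2;
    if (p[1] < 0x80) {
        l = p[1];                            /* short form */
    } else {
        n = p[1] & 0x7f;                     /* long form: n length octets */
        if (n == 0 || n > sizeof(size_t) || len - 2 < n || p[2] == 0)
            return 0;                        /* indefinite, oversized or padded */
        for (i = 0; i < n; i++)
            l = (l << 8) | p[2 + i];
        if (l < 0x80)
            return 0;                        /* not minimal, so not DER */
        *hdr += n;
    }
    return l > len - *hdr ? 0 : *hdr + l;    /* content must fit the buffer */
}

/* Classify Attribute ::= SEQUENCE { type OBJECT IDENTIFIER, values ... } */
int classify_attribute(const unsigned char *der, size_t len)
{
    unsigned char tag = 0;
    size_t hdr = 0, used, left;

    used = der_tlv(der, len, &tag, &hdr);
    if (used == 0 || used != len || tag != 0x30)   /* one SEQUENCE, no trailer */
        return ATTR_INVALID;
    der += hdr;
    left = len - hdr;
    used = der_tlv(der, left, &tag, &hdr);
    if (used == 0 || used == hdr || tag != 0x06)   /* non-empty OBJECT IDENTIFIER */
        return ATTR_INVALID;
    der += used;
    left -= used;
    used = der_tlv(der, left, &tag, &hdr);
    if (used == 0 || used != left)                 /* exactly one value field */
        return ATTR_INVALID;
    return tag == 0x31 ? ATTR_SET_OF : ATTR_BARE_TYPE;   /* 0x31 = SET OF */
}

/* Constructed samples: type 1.2.840.113549.1.9.3, value OID 1.2.840.113549.1.7.1 */
static const unsigned char attr_set_of[] = {
    0x30,0x18, 0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x09,0x03,
    0x31,0x0b, 0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x07,0x01 };
static const unsigned char attr_bare[] = {
    0x30,0x16, 0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x09,0x03,
    0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x07,0x01 };

int main(void)
{
    printf("SET OF form: %d\n", classify_attribute(attr_set_of, sizeof attr_set_of));
    printf("bare form:   %d\n", classify_attribute(attr_bare, sizeof attr_bare));
    return 0;
}
```

A result of ATTR_BARE_TYPE marks an attribute in the single-value form; a value whose own tag is SET is indistinguishable from the SET OF form at this level and is reported as ATTR_SET_OF.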