Add AKID fetching functions

10 months ago · 6126735703
parent 6adb12c2cf
commit 6126735703
6 changed files with 50 additions and 4 deletions
--- a/src/core/tsi/ssl_transport_security_utils.cc
+++ b/src/core/tsi/ssl_transport_security_utils.cc
@ -294,6 +294,42 @@ bool HasCrlSignBit(X509* cert) {
 #endif  // OPENSSL_VERSION_NUMBEr < 0x10100000
 }

+absl::StatusOr<std::string> AkidFromCertificate(X509* cert) {
+  ASN1_OCTET_STRING* akid = nullptr;
+  int j = X509_get_ext_by_NID(cert, NID_authority_key_identifier, -1);
+  // Can't have multiple occurrences
+  if (j >= 0) {
+    if (X509_get_ext_by_NID(cert, NID_authority_key_identifier, j) != -1) {
+      return absl::InvalidArgumentError("Could not get AKID from certificate.");
+    }
+    akid = X509_EXTENSION_get_data(X509_get_ext(cert, j));
+  }
+  unsigned char* buf = nullptr;
+  int len = i2d_ASN1_OCTET_STRING(akid, &buf);
+  if (len <= 0) {
+    return absl::InvalidArgumentError("Could not get AKID from certificate.");
+  }
+  return std::string(reinterpret_cast<char const*>(buf), len);
+}
+
+absl::StatusOr<std::string> AkidFromCrl(X509_CRL* crl) {
+  ASN1_OCTET_STRING* akid = nullptr;
+  int j = X509_CRL_get_ext_by_NID(crl, NID_authority_key_identifier, -1);
+  // Can't have multiple occurrences
+  if (j >= 0) {
+    if (X509_CRL_get_ext_by_NID(crl, NID_authority_key_identifier, j) != -1) {
+      return absl::InvalidArgumentError("Could not get AKID from crlificate.");
+    }
+    akid = X509_EXTENSION_get_data(X509_CRL_get_ext(crl, j));
+  }
+  unsigned char* buf = nullptr;
+  int len = i2d_ASN1_OCTET_STRING(akid, &buf);
+  if (len <= 0) {
+    return absl::InvalidArgumentError("Could not get AKID from crlificate.");
+  }
+  return std::string(reinterpret_cast<char const*>(buf), len);
+}
+
 bool VerifyAKIDMatch(X509_CRL* crl, X509* issuer) {
  ASN1_OCTET_STRING* crl_akid = nullptr;
  ASN1_OCTET_STRING* cert_akid = nullptr;
--- a/src/core/tsi/ssl_transport_security_utils.h
+++ b/src/core/tsi/ssl_transport_security_utils.h
@ -165,6 +165,16 @@ bool VerifyAKIDMatch(X509_CRL* crl, X509* issuer);
 // return: a std::string of the DER encoding of the X509_NAME issuer name.
 absl::StatusOr<std::string> IssuerFromCert(X509* cert);

+// Gets a stable representation of the authority key identifier from an X509
+// certificate.
+// return: a std::string of the DER encoding of the AKID or a status on failure.
+absl::StatusOr<std::string> AkidFromCertificate(X509* cert);
+
+// Gets a stable representation of the authority key identifier from an X509
+// crl.
+// return: a std::string of the DER encoding of the AKID or a status on failure.
+absl::StatusOr<std::string> AkidFromCrl(X509_CRL* crl);
+
 }  // namespace grpc_core

 #endif  // GRPC_SRC_CORE_TSI_SSL_TRANSPORT_SECURITY_UTILS_H
--- a/third_party/abseil-cpp
+++ b/third_party/abseil-cpp
@ -1 +1 @@
-Subproject commit 4a2c63365eff8823a5221db86ef490e828306f9d
+Subproject commit 29bf8085f3bf17b84d30e34b3d7ff8248fda404e
--- a/third_party/boringssl-with-bazel
+++ b/third_party/boringssl-with-bazel
@ -1 +1 @@
-Subproject commit ae72a4514c7afd150596b0a80947f3ca9b8363b5
+Subproject commit 2ff4b968a7e0cfee66d9f151cb95635b43dc1d5b
--- a/third_party/envoy-api
+++ b/third_party/envoy-api
@ -1 +1 @@
-Subproject commit 78f198cf96ecdc7120ef640406770aa01af775c4
+Subproject commit 9d6ffa70677c4dbf23f6ed569676206c4e2edff4
--- a/third_party/xds
+++ b/third_party/xds
@ -1 +1 @@
-Subproject commit 3a472e524827f72d1ad621c4983dd5af54c46776
+Subproject commit e9ce68804cb4e64cab5a52e3c8baf840d4ff87b7