OpenBSD manual page server

Manual Page Search Parameters

X509_ATTRIBUTE_NEW(3) Library Functions Manual X509_ATTRIBUTE_NEW(3)

X509_ATTRIBUTE_new, X509_ATTRIBUTE_freegeneric X.501 Attribute

#include <openssl/x509.h>


X509_ATTRIBUTE_free(X509_ATTRIBUTE *attr);

In the X.501 standard, an Attribute is the fundamental ASN.1 data type used to represent any kind of property of any kind of directory entry. In OpenSSL, very few objects use it directly, most notably the X509_REQ_INFO object used for PKCS#10 certification requests described in X509_REQ_new(3), the PKCS8_PRIV_KEY_INFO object used for PKCS#8 private key information described in PKCS8_PRIV_KEY_INFO_new(3), and the PKCS12_SAFEBAG container object described in PKCS12_SAFEBAG_new(3).

() allocates and initializes an empty X509_ATTRIBUTE object. () frees attr.

X509_ATTRIBUTE_new() returns the new X509_ATTRIBUTE object or NULL if an error occurs.

d2i_X509_ATTRIBUTE(3), PKCS12_SAFEBAG_new(3), PKCS8_PRIV_KEY_INFO_new(3), X509_EXTENSION_new(3), X509_new(3), X509_REQ_new(3)

For the general definition of the Attribute data type:
ITU-T Recommendation X.501, also known as ISO/IEC 9594-2: Information Technology – Open Systems Interconnection – The Directory: Models, section 8.2: Overall structure
For the specific definition in the context of certification requests:
RFC 2986: PKCS #10: Certification Request Syntax Specification, section 4.1: CertificationRequestInfo
For the specific use in the context of private key information:
RFC 5208: Public-Key Cryptography Standards (PKCS) #8: Private-Key Information Syntax Specification
For the specific definition in the context of PFX:
RFC 7292: PKCS #12: Personal Information Exchange Syntax, section 4.2: The SafeBag Type

X509_ATTRIBUTE_new() and X509_ATTRIBUTE_free() first appeared in SSLeay 0.5.1 and have been available since OpenBSD 2.4.

A data type designed to hold arbitrary data is an oxymoron.

While it may occasionally be useful for abstract syntax specification or for generic container objects, using it for the representation of specific data in a specific data structure feels like dubious design.

Having two distinct data types to hold arbitrary data – in this case, X509_ATTRIBUTE on the X.501 language level and X509_EXTENSION as described in X509_EXTENSION_new(3) on the X.509 language level – feels even more questionable, in particular considering that Attributes in certification requests can be used to ask for Extensions in certificates.

At the very least, the direct use of the low-level generic X509_ATTRIBUTE type in specific data types like certification requests or private key information looks like a layering violation and appears to put type safety into jeopardy.

June 6, 2019 OpenBSD-6.7