OpenBSD manual page server

Manual Page Search Parameters

X509_ATTRIBUTE_NEW(3) Library Functions Manual X509_ATTRIBUTE_NEW(3)

X509_ATTRIBUTE_new, X509_ATTRIBUTE_create, X509_ATTRIBUTE_dup, X509_ATTRIBUTE_freegeneric X.501 Attribute

#include <openssl/x509.h>


X509_ATTRIBUTE_create(int nid, int type, void *value);

X509_ATTRIBUTE_dup(X509_ATTRIBUTE *attr);

X509_ATTRIBUTE_free(X509_ATTRIBUTE *attr);

In the X.501 standard, an Attribute is the fundamental ASN.1 data type used to represent any kind of property of any kind of directory entry. In OpenSSL, very few objects use it directly, most notably the X509_REQ_INFO object used for PKCS#10 certification requests described in X509_REQ_new(3), the PKCS8_PRIV_KEY_INFO object used for PKCS#8 private key information described in PKCS8_PRIV_KEY_INFO_new(3), and the PKCS12_SAFEBAG container object described in PKCS12_SAFEBAG_new(3).

() allocates and initializes an empty X509_ATTRIBUTE object.

() allocates a new multi-valued X509_ATTRIBUTE object of the type nid and initializes its set of values to contain one new ASN.1 ANY object with the given value and type. The type usually is one of the V_ASN1_* constants defined in <openssl/asn1.h>; it is stored without validating it. If the function succeeds, ownership of the value is transferred to the new X509_ATTRIBUTE object.

Be careful to not confuse the type of the attribute and the type of the value.

() creates a deep copy of attr.

() frees attr.

X509_ATTRIBUTE_new(), X509_ATTRIBUTE_create(), and X509_ATTRIBUTE_dup() return the new X509_ATTRIBUTE object or NULL if an error occurs.

In particular, these functions fail if memory allocation fails. X509_ATTRIBUTE_create() also fails if OBJ_nid2obj(3) fails on nid.

d2i_X509_ATTRIBUTE(3), EVP_PKEY_add1_attr(3), OBJ_nid2obj(3), PKCS12_SAFEBAG_new(3), PKCS7_add_attribute(3), PKCS8_pkey_get0_attrs(3), PKCS8_PRIV_KEY_INFO_new(3), X509_ATTRIBUTE_get0_object(3), X509_ATTRIBUTE_set1_object(3), X509_EXTENSION_new(3), X509_new(3), X509_REQ_add1_attr(3), X509_REQ_new(3), X509at_add1_attr(3), X509at_get_attr(3)

For the general definition of the Attribute data type:
ITU-T Recommendation X.501, also known as ISO/IEC 9594-2: Information Technology – Open Systems Interconnection – The Directory: Models, section 8.2: Overall structure
For the specific definition in the context of certification requests:
RFC 2986: PKCS #10: Certification Request Syntax Specification, section 4.1: CertificationRequestInfo
For the specific use in the context of private key information:
RFC 5208: Public-Key Cryptography Standards (PKCS) #8: Private-Key Information Syntax Specification
For the specific definition in the context of PFX:
RFC 7292: PKCS #12: Personal Information Exchange Syntax, section 4.2: The SafeBag Type

X509_ATTRIBUTE_new() and X509_ATTRIBUTE_free() first appeared in SSLeay 0.5.1 and have been available since OpenBSD 2.4.

X509_ATTRIBUTE_create() and X509_ATTRIBUTE_dup() first appeared in SSLeay 0.9.1 and have been available since OpenBSD 2.6.

A data type designed to hold arbitrary data is an oxymoron.

While it may occasionally be useful for abstract syntax specification or for generic container objects, using it for the representation of specific data in a specific data structure feels like dubious design.

Having two distinct data types to hold arbitrary data – in this case, X509_ATTRIBUTE on the X.501 language level and X509_EXTENSION as described in X509_EXTENSION_new(3) on the X.509 language level – feels even more questionable, in particular considering that Attributes in certification requests can be used to ask for Extensions in certificates.

At the very least, the direct use of the low-level generic X509_ATTRIBUTE type in specific data types like certification requests or private key information looks like a layering violation and appears to put type safety into jeopardy.

October 26, 2021 OpenBSD-current