Hello,

I developed a beta API code for OpenSSL that may help you. Find a description. Tell me if you are interested or anybody wants to help me to improve it. Take into account that it is very, very beta code.
Apart from that, Jose Antonio Montenegro and Javier Lopez from Malaga University have been working on authorization for a very long time with very good results. I think that OpenPMI is not an unmaintained project. Try to contact the authors through http://www.lcc.uma.es/LCC?-f=indexlang.lcc&-l=english

Regards,
Daniel

Attribute Certificates APIs
------------------------------------

Attribute Certificate Generation API Library Functions

****Functions to get information
*********************************

#define PEM_read_X509AC(fp,x,cb,u) (X509AC *)PEM_ASN1_read( \
    (char *(*)())d2i_X509AC,PEM_STRING_X509AC,fp,(char **)x,cb,u)
Read an attribute certificate in PEM format from a file pointer.

X509AC_ISSUER_SERIAL* X509_get_basecertID(X509 *x)
Takes an X509 certificate and extracts the X509AC_ISSUER_SERIAL structure (or base cert ID).

X509_NAME *X509AC_get_issuer_name(X509AC *a)
Obtain the X509_NAME of the issuer placed in a->info->issuer->d.v1Form when the attribute certificate is version 1, and from a->info->issuer->d.v2Form->issuer when the attribute certificate is version 2.

X509_NAME *X509AC_get_holder_entity_name(X509AC *a)
Search a->info->holder->entity (stack of GENERAL_NAME) for a valid DirectoryName.

X509AC_ISSUER_SERIAL *X509AC_get_holder_baseCertID(X509AC *a)
Returns a->info->holder->baseCertID structure of type X509AC_ISSUER_SERIAL.

ASN1_BIT_STRING *X509AC_get_holder_objectDigestInfo(X509AC *a)
Returns a->info->holder->objectDigestInfo structure of type ASN1_BIT_STRING.

X509AC_ISSUER_SERIAL *X509AC_get_issuer_baseCertID(X509AC *a)
Returns a->info->issuer->d.v2Form->baseCertID. This parameter is only available when the certificate is of version 2. For version 1 this parameter is not present.

ASN1_BIT_STRING *X509AC_get_issuer_objectDigestInfo(X509AC *a)
Returns a->info->issuer->d.v2Form->digest. This parameter is only available when the certificate is of version 2. For version 1 this parameter is not present.
long X509AC_get_version(X509AC *a)
int X509AC_set_version(X509AC *a, long version)
Get and set the version of the certificate.

***Functions to set information
*******************************

There are three ways of providing holder information. The first one is to set the entity (GENERAL_NAME) structure with a valid directory name (X509_NAME); the second one is to set the BaseCertId structure that contains a name (X509_NAME), serial number and/or UniqueID info of the certificate that belongs to the holder; the third is to set the ObjectDigestInfo.

ASN1_SEQUENCE(X509AC_HOLDER) = {
    ASN1_IMP_OPT(X509AC_HOLDER, baseCertID, X509AC_ISSUER_SERIAL, 0),
    ASN1_IMP_SEQUENCE_OF_OPT(X509AC_HOLDER, entity, GENERAL_NAME, 1),
    ASN1_IMP_OPT(X509AC_HOLDER, objectDigestInfo, X509AC_OBJECT_DIGESTINFO, 2)
} ASN1_SEQUENCE_END(X509AC_HOLDER)

int X509AC_set_holder_entity_name(X509AC* a, X509_NAME *name)
Places an X509_NAME into a->info->holder->entity.

int X509AC_set_holder_serialNumber(X509AC *x, ASN1_INTEGER *serial)
Set the serial number in a->info->holder->baseCertID->serial.

int X509AC_set_holder_name(X509AC* a, X509_NAME *name)
Set the name into a->info->holder->baseCertID->issuer structure.

int X509AC_set_holder_objectDigestInfo(X509AC *a, X509AC_OBJECT_DIGESTINFO *odig)
Set the object digest info of the basecertID structure for the holder of the attribute certificate.

int X509AC_set_holder_baseCertID(X509AC* a, X509AC_ISSUER_SERIAL *bci)
Set the whole Base Cert ID structure.

There are two ways of providing issuer information that depend on the version of the attribute certificate. The first one is to set the v1Form (GENERAL_NAME) structure with a valid directory name (X509_NAME); the other one is to set the v2Form, which can be a BaseCertId structure that contains a name (X509_NAME), serial number and/or uniqueID info of the certificate that belongs to the holder, or an X509_NAME, or an objectDigestInfo.
ASN1_CHOICE(X509AC_ISSUER) = {
    ASN1_SEQUENCE_OF(X509AC_ISSUER, d.v1Form, GENERAL_NAME),
    ASN1_IMP(X509AC_ISSUER, d.v2Form, X509AC_V2FORM, 0)
} ASN1_CHOICE_END(X509AC_ISSUER)

ASN1_SEQUENCE(X509AC_V2FORM) = {
    ASN1_SEQUENCE_OF_OPT(X509AC_V2FORM, issuer, GENERAL_NAME),
    ASN1_IMP_OPT(X509AC_V2FORM, baseCertID, X509AC_ISSUER_SERIAL, 0),
    ASN1_IMP_OPT(X509AC_V2FORM, digest, X509AC_OBJECT_DIGESTINFO, 1)
} ASN1_SEQUENCE_END(X509AC_V2FORM)

int X509AC_set_issuer_baseCertID(X509AC* a, X509AC_ISSUER_SERIAL *bci)
Takes a baseCertID structure and sets the issuer info of the attribute certificate.

int X509AC_set_issuer_name(X509AC* a, X509_NAME *name)
Set the name into the issuer information space. Depending on the version of the certificate it will be inserted in v1Form or in v2Form->issuer.

***General tools to fill up some of the necessary structures:
*************************************************************

int X509AC_set_GENERAL_NAME_name(GENERAL_NAMES *gens, X509_NAME *name)
Introduce an X509_NAME into a GENERAL_NAMES structure.

int X509AC_set_baseCertID_name(X509AC_ISSUER_SERIAL *bci, X509_NAME *name)
Introduce an X509_NAME into a BaseCertId structure.

int X509AC_set_baseCertID_serial(X509AC_ISSUER_SERIAL *bci, ASN1_INTEGER *serial)
Introduce the serial number into a BaseCertId structure.

int X509AC_set_baseCertID_issuerUniqueID(X509AC_ISSUER_SERIAL *bci, ASN1_BIT_STRING *uid)
Introduce a unique id into a BaseCertId structure.

****Attribute functions
***********************

X509_ATTRIBUTE * X509AC_get_attr( X509AC *a, int idx )
Get the X509_ATTRIBUTE that occupies the position idx in the stack.

int X509AC_add_attribute_by_NID(X509AC *a, int nid, int atrtype, void *value)
Create and add an attribute based on its NID.

int X509AC_add_attribute(X509AC *a, X509_ATTRIBUTE *attr)
int X509AC_add_X509_ATTRIBUTE(X509AC *a, X509_ATTRIBUTE *attr)
Add an attribute to the stack in the attribute certificate.
ASN1_TYPE *X509AC_ATTRIBUTE_get0_type(X509_ATTRIBUTE *attr, int idx)
Get a pointer to the ASN1_TYPE structure of the first attribute value of the attribute placed in the position idx.

void *X509AC_ATTRIBUTE_get0_data(X509_ATTRIBUTE *attr, int idx, int atrtype, void *data)
Get a pointer to the data of the first attribute value of the attribute placed in the position idx.

int X509AC_get_attributecount(X509AC *a)
Get the attribute count present in an attribute certificate.

****Extensions:
***************

int X509AC_add_extension(X509AC *a, X509_EXTENSION *ex, int loc)
Add an X509_EXTENSION to the certificate X509_EXTENSION stack.

****Signature
*************

int X509AC_sign_rsa(X509AC *a, RSA *rsa, EVP_MD *md)
int X509AC_sign_pkey(X509AC *a, EVP_PKEY *pkey, EVP_MD *md)
These functions sign the attribute certificate using an RSA key or an EVP_PKEY.

****Presentation
****************

void X509AC_print(X509AC *ac)
Prints to stdout the information present in an attribute certificate.

int GENERAL_NAMES_print(FILE *out, GENERAL_NAMES *gens)
int GENERAL_NAME_print(FILE *out, GENERAL_NAME *gen)

****Other:
**********

int X509AC_X509_NAME_dup(X509_NAME **xn, X509_NAME *name)

--
Daniel Diaz Sanchez
Telecommunication Engineer
Researcher / Teaching Assistant
Dep. Ing. Telemática
Universidad Carlos III de Madrid
Av. Universidad, 30
28911 Leganés (Madrid/Spain)
Tel: (+34) 91-624-8817, Fax: -8749
Web: www.it.uc3m.es/dds
web: http://www.it.uc3m.es/pervasive
Mail: dds[at].it.uc3m.es
Skype: dds.it.uc3m.es

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mouse
Sent: Thursday, September 14, 2006 15:49
To: openssl-users@openssl.org
Subject: RE: Attribute Certificate with OpenSSL?

First - thank you! At least it was something.

I went through the Web site and the code distro itself. Web site shows how to use their command x509AT. Great. There's no AT-related README though, no documentation, no edits or patch-format changes.
Thus hard to figure out the scope of changes involved.

The Web page states that it is beta code. References to Lopez and Montenegro pages are dead. I.e. dead unmaintained project.

So OpenSSL did not pick the Attribute Certificate extensions that Lopez and Montenegro added? Is there an alternative distro supporting AT? Is there ("official"?) work going on on (cleanly :-) adding support for Attribute Certs to OpenSSL?

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Saurabh Arora
> Sent: Wednesday, September 13, 2006 17:58
> To: openssl-users@openssl.org
> Subject: Re: Attribute Certificate with OpenSSL?
>
> On 9/14/06, Mouse <[EMAIL PROTECTED]> wrote:
> > Did anybody use OpenSSL successfully for creating and processing
> > Attribute Certificates?
>
> very much .. chek dis link.. http://openpmi.sourceforge.net/
>
> > Is there any helpful HOWTO or TFM?
>
> download openssl distro(patched to support AC) frm d same link.
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
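
Added example, not part of the thread, of Daniel's code or of OpenSSL: the X509AC_HOLDER template above makes baseCertID, entity and objectDigestInfo optional fields with implicit context tags 0, 1 and 2, so a relying party has to check which holder form an attribute certificate actually carries before deciding what to bind it to. This stand-alone C example reads the top-level tags of a DER-encoded Holder and rejects truncated, repeated or misordered fields; the function names, the HOLDER_* flags and the sample bytes are constructed for illustration, and the contents of each field are not validated.

```c
#include <stddef.h>
#include <stdio.h>
/* Bit n is set when context tag [n] is present:
 * [0] baseCertID, [1] entity, [2] objectDigestInfo (hypothetical flag names). */
enum { HOLDER_BASE_CERT_ID = 1, HOLDER_ENTITY = 2, HOLDER_OBJECT_DIGEST = 4 };

/* Constructed samples: entity only; then baseCertID (serial 5) plus entity. */
static const unsigned char sample_entity[] = { 0x30,0x06, 0xA1,0x04,0xA4,0x02,0x30,0x00 };
static const unsigned char sample_both[] = { 0x30,0x11,
    0xA0,0x09,0x30,0x04,0xA4,0x02,0x30,0x00,0x02,0x01,0x05, 0xA1,0x04,0xA4,0x02,0x30,0x00 };

/* Read one DER tag+length header; on success *p points at the content. */
static int der_header(const unsigned char **p, const unsigned char *end,
                      unsigned *tag, size_t *len)
{
    if (end - *p < 2) return -1;
    *tag = *(*p)++;
    size_t l = *(*p)++;
    if (l & 0x80) {                               /* long-form length */
        size_t n = l & 0x7f;
        if (n == 0 || n > 4 || (size_t)(end - *p) < n) return -1;
        for (l = 0; n > 0; n--) l = (l << 8) | *(*p)++;
    }
    if ((size_t)(end - *p) < l) return -1;        /* content must fit the buffer */
    *len = l;
    return 0;
}

/* Returns a bitmask of HOLDER_* forms present, or -1 if malformed. */
int holder_forms(const unsigned char *der, size_t derlen)
{
    const unsigned char *p = der, *end = der + derlen;
    unsigned tag; size_t len; int mask = 0, last = -1;

    if (der_header(&p, end, &tag, &len) || tag != 0x30) return -1;
    if (p + len != end) return -1;                /* no trailing bytes allowed */
    while (p < end) {
        if (der_header(&p, end, &tag, &len)) return -1;
        int n = (int)tag - 0xA0;                  /* constructed context tag [n] */
        if (n < 0 || n > 2 || n <= last) return -1; /* unknown, repeated, misordered */
        mask |= 1 << n; last = n;
        p += len;                                 /* skip the field's content */
    }
    return mask;
}

int main(void)
{
    printf("%d %d\n", holder_forms(sample_entity, sizeof sample_entity),
           holder_forms(sample_both, sizeof sample_both));
    return 0;
}
```

A return value of 0 means the Holder is well-formed but names no holder at all, which a verifier should treat as a failure rather than as a match.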