NAME
X509_ATTRIBUTE_new
,
X509_ATTRIBUTE_create
,
X509_ATTRIBUTE_dup
,
X509_ATTRIBUTE_free
—
generic X.501 Attribute
SYNOPSIS
#include
<openssl/x509.h>
X509_ATTRIBUTE *
X509_ATTRIBUTE_new
(void);
X509_ATTRIBUTE *
X509_ATTRIBUTE_create
(int
nid, int type,
void *value);
X509_ATTRIBUTE *
X509_ATTRIBUTE_dup
(X509_ATTRIBUTE
*attr);
void
X509_ATTRIBUTE_free
(X509_ATTRIBUTE
*attr);
DESCRIPTION
In the X.501 standard, an Attribute is the fundamental ASN.1 data type used to represent any kind of property of any kind of directory entry. In OpenSSL, very few objects use it directly, most notably the X509_REQ_INFO object used for PKCS#10 certification requests described in X509_REQ_new(3), the PKCS8_PRIV_KEY_INFO object used for PKCS#8 private key information described in PKCS8_PRIV_KEY_INFO_new(3), and the PKCS12_SAFEBAG container object described in PKCS12_SAFEBAG_new(3).
X509_ATTRIBUTE_new
()
allocates and initializes an empty X509_ATTRIBUTE
object.
X509_ATTRIBUTE_create
()
allocates a new multi-valued X509_ATTRIBUTE object of
the type nid and initializes its set of values to
contain one new ASN.1 ANY object with the given value
and type. The type usually is
one of the V_ASN1_*
constants defined in
<openssl/asn1.h>
; it is
stored without validating it. If the function succeeds, ownership of the
value is transferred to the new
X509_ATTRIBUTE object.
Be careful to not confuse the type of the attribute and the type of the value.
X509_ATTRIBUTE_dup
()
creates a deep copy of attr.
X509_ATTRIBUTE_free
()
frees attr.
RETURN VALUES
X509_ATTRIBUTE_new
(),
X509_ATTRIBUTE_create
(), and
X509_ATTRIBUTE_dup
() return the new
X509_ATTRIBUTE object or NULL
if an error occurs.
In particular, these functions fail if memory allocation fails.
X509_ATTRIBUTE_create
() also fails if
OBJ_nid2obj(3) fails on nid.
SEE ALSO
d2i_X509_ATTRIBUTE(3), OBJ_nid2obj(3), PKCS12_SAFEBAG_new(3), PKCS7_add_attribute(3), PKCS8_pkey_get0_attrs(3), PKCS8_PRIV_KEY_INFO_new(3), X509_ATTRIBUTE_get0_object(3), X509_ATTRIBUTE_set1_object(3), X509_EXTENSION_new(3), X509_new(3), X509_REQ_add1_attr(3), X509_REQ_new(3)
STANDARDS
- For the general definition of the Attribute data type:
- ITU-T Recommendation X.501, also known as ISO/IEC 9594-2: Information Technology – Open Systems Interconnection – The Directory: Models, section 8.2: Overall structure
- For the specific definition in the context of certification requests:
- RFC 2986: PKCS #10: Certification Request Syntax Specification, section 4.1: CertificationRequestInfo
- For the specific use in the context of private key information:
- RFC 5208: Public-Key Cryptography Standards (PKCS) #8: Private-Key Information Syntax Specification
- For the specific definition in the context of PFX:
- RFC 7292: PKCS #12: Personal Information Exchange Syntax, section 4.2: The SafeBag Type
HISTORY
X509_ATTRIBUTE_new
() and
X509_ATTRIBUTE_free
() first appeared in SSLeay 0.5.1
and have been available since OpenBSD 2.4.
X509_ATTRIBUTE_create
() and
X509_ATTRIBUTE_dup
() first appeared in SSLeay 0.9.1
and have been available since OpenBSD 2.6.
BUGS
A data type designed to hold arbitrary data is an oxymoron.
While it may occasionally be useful for abstract syntax specification or for generic container objects, using it for the representation of specific data in a specific data structure feels like dubious design.
Having two distinct data types to hold arbitrary data – in this case, X509_ATTRIBUTE on the X.501 language level and X509_EXTENSION as described in X509_EXTENSION_new(3) on the X.509 language level – feels even more questionable, in particular considering that Attributes in certification requests can be used to ask for Extensions in certificates.
At the very least, the direct use of the low-level generic X509_ATTRIBUTE type in specific data types like certification requests or private key information looks like a layering violation and appears to put type safety into jeopardy.