diff --git a/apps/cmp.c b/apps/cmp.c
index 83ba513219c2c5..af847cfbaf3c8e 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -3872,8 +3872,8 @@ int cmp_main(int argc, char **argv)
 }
 CMP_info1("saving centrally generated key to file '%s'", opt_newkeyout);
- if (PEM_write_bio_PKCS8PrivateKey(out, new_key, cipher, NULL, 0, NULL,
- (void *)pass_string) <= 0)
+ if (PEM_write_bio_PrivateKey(out, new_key, cipher, NULL, 0, NULL,
+ (void *)pass_string) <= 0)
 goto err;
 BIO_free(out);
 clear_free(pass_string);
diff --git a/crypto/cmp/cmp_msg.c b/crypto/cmp/cmp_msg.c
index 61becd710249b4..36ba4242799d91 100644
--- a/crypto/cmp/cmp_msg.c
+++ b/crypto/cmp/cmp_msg.c
@@ -19,9 +19,9 @@
 #include
 #include
 #include
-#include
 #include
 #include
+#include
 OSSL_CMP_MSG *OSSL_CMP_MSG_new(OSSL_LIB_CTX *libctx, const char *propq)
 {
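Review bot: In the apps/cmp.c hunk, the `goto err` taken when `PEM_write_bio_PrivateKey()` fails jumps over the `BIO_free(out)` and `clear_free(pass_string)` that follow it. Unless the `err:` label of cmp_main, which is outside this hunk, releases both, the failure path leaks the BIO and leaves the key pass phrase in memory uncleared. Saving the result first (`ok = PEM_write_bio_PrivateKey(...) > 0;`), then running `BIO_free(out); clear_free(pass_string);` and only then `if (!ok) goto err;` would clear the pass phrase on both paths. If `err:` already frees them, the pointers also need resetting to NULL after the local free to avoid a double free.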
@@ -458,30 +458,26 @@ static OSSL_CRMF_ENCRYPTEDKEY *enc_privkey(OSSL_CMP_CTX *ctx, const EVP_PKEY *pk
 OSSL_CRMF_ENCRYPTEDKEY *ek = NULL;
 CMS_EnvelopedData *envData = NULL;
 BIO *privbio = NULL;
- X509 *recip = X509_dup(ctx->validatedSrvCert);
- STACK_OF(X509) * encryption_recips = sk_X509_new_null();
+ X509 *recip = ctx->validatedSrvCert; /* this is the client cert */
+ STACK_OF(X509) *encryption_recips = sk_X509_new_reserve(NULL, 1);
- if (encryption_recips == NULL || recip == NULL)
+ if (encryption_recips == NULL
+ || !X509_add_cert(encryption_recips, recip, X509_ADD_FLAG_UP_REF))
 goto err;
- if (!sk_X509_push(encryption_recips, recip))
- goto err;
- recip = NULL;
-
 privbio = BIO_new(BIO_s_mem());
 if (privbio == NULL || i2d_PrivateKey_bio(privbio, pkey) <= 0)
 goto err;
 ossl_cmp_set_own_chain(ctx);
- envData = CMS_sign_encrypt(privbio, ctx->cert, ctx->chain, ctx->pkey, CMS_BINARY,
- encryption_recips, EVP_aes_256_cbc(), CMS_BINARY,
- ctx->libctx, ctx->propq);
+ envData = ossl_cms_sign_encrypt(privbio, ctx->cert, ctx->chain, ctx->pkey, CMS_BINARY,
+ encryption_recips, EVP_aes_256_cbc(), CMS_BINARY,
+ ctx->libctx, ctx->propq);
 if (envData == NULL)
 goto err;
 ek = OSSL_CRMF_ENCRYPTEDKEY_init_envdata(envData);
 err:
 sk_X509_pop_free(encryption_recips, X509_free);
- X509_free(recip);
 BIO_free(privbio);
 if (ek == NULL)
 M_ASN1_free_of(envData, CMS_EnvelopedData);
diff --git a/crypto/cmp/cmp_protect.c b/crypto/cmp/cmp_protect.c
index a67d0f9c406750..fcca08ef4ebf51 100644
--- a/crypto/cmp/cmp_protect.c
+++ b/crypto/cmp/cmp_protect.c
@@ -136,8 +136,7 @@ void ossl_cmp_set_own_chain(OSSL_CMP_CTX *ctx)
 return;
 /* if not yet done try to build chain using available untrusted certs */
 if (ctx->chain == NULL) {
- ossl_cmp_debug(ctx,
- "trying to build chain for own CMP signer cert");
+ ossl_cmp_debug(ctx, "trying to build chain for own CMP signer cert");
 ctx->chain = X509_build_chain(ctx->cert, ctx->untrusted, NULL, 0, ctx->libctx, ctx->propq);
 if (ctx->chain != NULL) {
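Review bot: In the enc_privkey hunk of crypto/cmp/cmp_msg.c, the explicit `recip == NULL` test is dropped along with `X509_dup()`, so a context whose `validatedSrvCert` is unset now reaches `X509_add_cert(encryption_recips, recip, X509_ADD_FLAG_UP_REF)` with a NULL certificate. Whether that call rejects NULL is not visible here, and the old code failed cleanly in this case. Because this stack decides who can decrypt the centrally generated private key, keep the guard in front: `if (recip == NULL || encryption_recips == NULL`. The trailing comment `/* this is the client cert */` on a field named `validatedSrvCert` would also benefit from a few words on why the names differ. The function begins outside the hunk, so an earlier check on `ctx->validatedSrvCert` cannot be ruled out.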
diff --git a/crypto/cmp/cmp_server.c b/crypto/cmp/cmp_server.c
index e8a225d5120679..116aed606f6b61 100644
--- a/crypto/cmp/cmp_server.c
+++ b/crypto/cmp/cmp_server.c
@@ -245,7 +245,7 @@ static OSSL_CMP_MSG *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
 EVP_PKEY *keyOut = NULL;
 STACK_OF(X509) *chainOut = NULL, *caPubs = NULL;
 const OSSL_CRMF_MSG *crm = NULL;
- X509_REQ *p10cr = NULL;
+ const X509_REQ *p10cr = NULL;
 int bodytype;
 int certReqId;
diff --git a/crypto/cms/cms_lib.c b/crypto/cms/cms_lib.c
index c6a93341338bb4..73c97e409f9fcd 100644
--- a/crypto/cms/cms_lib.c
+++ b/crypto/cms/cms_lib.c
@@ -17,6 +17,7 @@
 #include "internal/sizes.h"
 #include "crypto/x509.h"
 #include "cms_local.h"
+#include "internal/cms.h"
 static STACK_OF(CMS_CertificateChoices) **cms_get0_certificate_choices(CMS_ContentInfo *cms);
@@ -736,10 +737,11 @@ int ossl_cms_set1_keyid(ASN1_OCTET_STRING **pkeyid, X509 *cert)
 return 1;
 }
-CMS_EnvelopedData *CMS_sign_encrypt(BIO *data, X509 *sign_cert, STACK_OF(X509) *certs,
- EVP_PKEY *sign_key, unsigned int sign_flags,
- STACK_OF(X509) *enc_recip, const EVP_CIPHER *cipher,
- unsigned int enc_flags, OSSL_LIB_CTX *libctx, const char *propq)
+CMS_EnvelopedData *ossl_cms_sign_encrypt(BIO *data, X509 *sign_cert, STACK_OF(X509) *certs,
+ EVP_PKEY *sign_key, unsigned int sign_flags,
+ STACK_OF(X509) *enc_recip, const EVP_CIPHER *cipher,
+ unsigned int enc_flags, OSSL_LIB_CTX *libctx,
+ const char *propq)
 {
 CMS_EnvelopedData *evd = NULL;
 BIO *privbio = NULL, *signbio = NULL;
diff --git a/doc/internal/man3/ossl_cms_sign_encrypt.pod b/doc/internal/man3/ossl_cms_sign_encrypt.pod
new file mode 100644
index 00000000000000..3043120ac8c4e3
--- /dev/null
+++ b/doc/internal/man3/ossl_cms_sign_encrypt.pod
@@ -0,0 +1,56 @@ +=pod + +=head1 NAME + +ossl_cms_sign_encrypt +- Create CMS envelope + +=head1 SYNOPSIS + + #include + + CMS_EnvelopedData *ossl_cms_sign_encrypt(BIO *data, X509 *sign_cert, STACK_OF(X509) *certs, + EVP_PKEY *sign_key, unsigned int sign_flags, + STACK_OF(X509) *enc_recip, const EVP_CIPHER *cipher, + unsigned int enc_flags, OSSL_LIB_CTX *libctx, + const char *propq); + +=head1 DESCRIPTION + +ossl_cms_sign_encrypt() creates a B structure for recipients in +I. + +I is signed using I and I to create B +and then encrypted using I to create B. +The library context I and the property query I are used +when retrieving algorithms from providers. + +I is an optional additional set of certificates to include in the +B structure (e.g., any intermediate CAs in the chain of the signer certificate). + +I is an optional set of flags for the signing operation. +See L for more information. + +I is an optional set of flags for the encryption operation. +See L for more information. + +=head1 RETURN VALUES + +If the allocation fails, ossl_cms_sign_encrypt() return NULL and +set an error code that can be obtained by L. +Otherwise, they return a pointer to the newly allocated structure. + +=head1 HISTORY + +ossl_cms_sign_encrypt() was added in OpenSSL 3.5. + +=head1 COPYRIGHT + +Copyright 2023 - 2024 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the Apache License 2.0 (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L. + +=cut diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in index e1f711821ea839..fd07f8e7364cc2 100644 --- a/doc/man1/openssl-cmp.pod.in +++ b/doc/man1/openssl-cmp.pod.in @@ -1214,7 +1214,7 @@ Private key to be returned as central key generation result. =item B<-rsp_keypass> I -Pass phrase source for B and B. +Pass phrase source for B and B. =item B<-rsp_crl> I|I 
diff --git a/doc/man3/CMS_EnvelopedData_create.pod b/doc/man3/CMS_EnvelopedData_create.pod index f48f86f560fc56..f7ed9dde8cc4e8 100644 --- a/doc/man3/CMS_EnvelopedData_create.pod +++ b/doc/man3/CMS_EnvelopedData_create.pod @@ -3,8 +3,7 @@ =head1 NAME CMS_EnvelopedData_create_ex, CMS_EnvelopedData_create, -CMS_AuthEnvelopedData_create, CMS_AuthEnvelopedData_create_ex, -CMS_sign_encrypt +CMS_AuthEnvelopedData_create, CMS_AuthEnvelopedData_create_ex - Create CMS envelope =head1 SYNOPSIS @@ -21,11 +20,6 @@ CMS_sign_encrypt const char *propq); CMS_ContentInfo *CMS_AuthEnvelopedData_create(const EVP_CIPHER *cipher); - CMS_EnvelopedData *CMS_sign_encrypt(BIO *data, X509 *sign_cert, STACK_OF(X509) *certs, - EVP_PKEY *sign_key, unsigned int sign_flags, - STACK_OF(X509) *enc_recip, const EVP_CIPHER *cipher, - unsigned int enc_flags, OSSL_LIB_CTX *libctx, const char *propq); - =head1 DESCRIPTION CMS_EnvelopedData_create_ex() creates a B structure @@ -53,24 +47,6 @@ CMS_EnvelopedData_create_ex() and CMS_AuthEnvelopedData_create_ex() but use default values of NULL for the library context I and the property query I. -CMS_sign_encrypt() creates a B structure for recipients in -I. - -I is signed using I and I to -create B and then encrypted using I to -create B. The library context I and the property -query I are used when retrieving algorithms from providers. - -I is an optional additional set of certificates to include in the -B structure (e.g., any intermediate CAs in the chain of the signer certificate). - -I is an optional set of flags for the signing operation. -see L for more information. - -I is an optional set of flags for the encryption operation. -see L for more information. - - =head1 NOTES Although CMS_EnvelopedData_create_ex(), and CMS_EnvelopedData_create(), 
@@ -82,10 +58,10 @@ The wrappers L and L are often used instead. If the allocation fails, CMS_EnvelopedData_create_ex(), CMS_EnvelopedData_create(), CMS_AuthEnvelopedData_create_ex() -CMS_AuthEnvelopedData_create(), CMS_AuthEnvelopedData_create(), -CMS_AuthEnvelopedData_create_ex() and CMS_sign_encrypt() return NULL and set an error code -that can be obtained by L. Otherwise they return a pointer to the newly -allocated structure. +CMS_AuthEnvelopedData_create(), CMS_AuthEnvelopedData_create() +and CMS_AuthEnvelopedData_create_ex() return NULL and set an +error code that can be obtained by L. +Otherwise, they return a pointer to the newly allocated structure. =head1 SEE ALSO @@ -96,8 +72,8 @@ L, L The CMS_EnvelopedData_create_ex() method was added in OpenSSL 3.0. -CMS_AuthEnvelopedData_create(), CMS_AuthEnvelopedData_create_ex() -and CMS_sign_encrypt() were added in OpenSSL 3.5. +CMS_AuthEnvelopedData_create() and CMS_AuthEnvelopedData_create_ex() +were added in OpenSSL 3.5. =head1 COPYRIGHT diff --git a/doc/man3/OSSL_CMP_SRV_CTX_new.pod b/doc/man3/OSSL_CMP_SRV_CTX_new.pod index 3472bfbf366d7f..4ec198f2f9fdf1 100644 --- a/doc/man3/OSSL_CMP_SRV_CTX_new.pod +++ b/doc/man3/OSSL_CMP_SRV_CTX_new.pod @@ -183,6 +183,9 @@ NULL on error. OSSL_CMP_SRV_CTX_get0_custom_ctx() returns the custom server context that has been set using OSSL_CMP_SRV_CTX_init(). +OSSL_CMP_SRV_CTX_centralKeygen_req() returns 0 if central key generation +is not requested or in case of error, 1 if it is requested. + All other functions return 1 on success, 0 on error. =head1 HISTORY diff --git a/doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod b/doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod index cf5cd9c085180b..aa3839d09dd9f8 100644 --- a/doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod +++ b/doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod 
@@ -92,12 +92,18 @@ This is needed for the indirect POPO method as in RFC 4210 section 5.2.8.2. The function returns the decrypted certificate as a copy, leaving its ownership with the caller, who is responsible for freeing it. -OSSL_CRMF_ENCRYPTEDKEY_get1_pkey() decrypts the private key in the given -encryptedKey I, using the I or private key I -and certificate I. -It verifies the signed data using the trusted certificates in I and untrusted -certificates in I,if envelopedata is present. -library context I and property query string I (see L). +OSSL_CRMF_ENCRYPTEDKEY_get1_pkey() decrypts the private key in I. +If `encryptedKey` is not of type B, +decryption uses the private key I. +The library context I and property query I are taken into account as usual. +The rest of this paragraph is relevant only if CMS support not disabled for the OpenSSL build +and `encryptedKey` is of type case B. +Decryption uses the I parameter if not NULL; +otherwise uses the private key and the certificate I +related to I, where I is recommended to be given if available. +On success, the function verifies the decrypted data as signed data, +using the trust store I and any untrusted certificates in I. +Doing so, it checks for the purpose "CMP Key Generation Authority" (cmKGA). OSSL_CRMF_ENCRYPTEDKEY_init_envdata() returns I, intialized with the enveloped data I. diff --git a/include/internal/cms.h b/include/internal/cms.h new file mode 100644 index 00000000000000..192abaaa4e945d --- /dev/null +++ b/include/internal/cms.h 
@@ -0,0 +1,23 @@ +/* + * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ +#ifndef OSSL_INTERNAL_CMS_H +# define OSSL_INTERNAL_CMS_H +# pragma once + +# include + +# ifndef OPENSSL_NO_CMS + +CMS_EnvelopedData *ossl_cms_sign_encrypt(BIO *data, X509 *sign_cert, STACK_OF(X509) *certs, + EVP_PKEY *sign_key, unsigned int sign_flags, + STACK_OF(X509) *enc_recip, const EVP_CIPHER *cipher, + unsigned int enc_flags, OSSL_LIB_CTX *libctx, + const char *propq); +# endif /* OPENSSL_NO_CMS */ +#endif /* OSSL_INTERNAL_CMS_H */ diff --git a/include/openssl/cms.h.in b/include/openssl/cms.h.in index 8149e431eed3e5..137a485d8cb86d 100644 --- a/include/openssl/cms.h.in +++ b/include/openssl/cms.h.in @@ -399,11 +399,6 @@ int CMS_RecipientInfo_kari_decrypt(CMS_ContentInfo *cms, int CMS_SharedInfo_encode(unsigned char **pder, X509_ALGOR *kekalg, ASN1_OCTET_STRING *ukm, int keylen); -CMS_EnvelopedData *CMS_sign_encrypt(BIO *data, X509 *sign_cert, STACK_OF(X509) *certs, - EVP_PKEY *sign_key, unsigned int sign_flags, - STACK_OF(X509) *enc_recip, const EVP_CIPHER *cipher, - unsigned int enc_flags, OSSL_LIB_CTX *libctx, - const char *propq); /* Backward compatibility for spelling errors. */ # define CMS_R_UNKNOWN_DIGEST_ALGORITM CMS_R_UNKNOWN_DIGEST_ALGORITHM diff --git a/test/recipes/80-test_cmp_http_data/test_commands.csv b/test/recipes/80-test_cmp_http_data/test_commands.csv index e3162ae0042705..aacb624937edf9 100644 --- a/test/recipes/80-test_cmp_http_data/test_commands.csv +++ b/test/recipes/80-test_cmp_http_data/test_commands.csv 
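Review bot: The prototype of `ossl_cms_sign_encrypt()` in the new include/internal/cms.h carries no comment. A reader of the header cannot tell the order of operations or who owns the result. A short comment above the declaration would cover it, for example `/* Signs data with sign_key/sign_cert, then encrypts the signed data for enc_recip; returns NULL on error, else a newly allocated structure owned by the caller. */`. This wording follows the new internal pod page and the way enc_privkey frees `envData` on failure.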
@@ -132,17 +132,20 @@ expected,description, -section,val, -cmd,val,val2, -cacertsout,val,val2, -infoty 1,rspin, -section,, -cmd,ir,,BLANK,,,-rspin,_RESULT_DIR/ip.der _RESULT_DIR/pkiConf.der,,BLANK,,BLANK 0,rspin too few files - server must reject, -section,, -cmd,ir,,BLANK,,,-rspin,_RESULT_DIR/ip.der,,BLANK,,BLANK,-secret,_PBM_SECRET 0,rspin too few files - no server, -section,, -cmd,ir,,BLANK,,,-rspin,_RESULT_DIR/ip.der,,BLANK,,BLANK, -server,"""" -1,reqout_only ir - no server, -section,, -cmd,ir,,-reqout_only,_RESULT_DIR/ir2.der,,BLANK,,BLANK, -server,"""",-popo,-1,-newkeyout,_RESULT_DIR/newkeyout.pem +1,reqout_only ir - no server, -section,, -cmd,ir,,-reqout_only,_RESULT_DIR/ir2.der,,BLANK,,BLANK, -server,"""" 0,reqout_only non-existing directory and file, -section,, -cmd,ir,,-reqout_only,idontexist/idontexist,,BLANK,,BLANK, -server,"""" 0,reqin ir - no newkey, -section,, -cmd,ir,,-reqin,_RESULT_DIR/ir2.der,,-newkey,"""",-newkey,"""",-key,"""",-cert,"""",-secret,_PBM_SECRET -1,reqin ir and rspout - no newkey but -popo -1, -section,, -cmd,ir,,-reqin,_RESULT_DIR/ir2.der,,-rspout,_RESULT_DIR/ip2.der,-newkey,"""",-popo,-1,-newkeyout,_RESULT_DIR/newkeyout.pem -1,reqin ip and rspin - no newkey but -popo -1, -section,, -cmd,ir,,-reqin,_RESULT_DIR/ir2.der,,-rspin,_RESULT_DIR/ip2.der,,-newkey,"""",-server,"""",-disable_confirm,-popo,-1,-newkeyout,_RESULT_DIR/newkeyout.pem +1,reqin ir and rspout - using no newkey and -popo 0 as workaround, -section,, -cmd,ir,,-reqin,_RESULT_DIR/ir2.der,,-rspout,_RESULT_DIR/ip2.der,-newkey,"""", -popo,0 +1,reqin ip and rspin - using no newkey and -popo 0 as workaround, -section,, -cmd,ir,,-reqin,_RESULT_DIR/ir2.der,,-rspin,_RESULT_DIR/ip2.der,,-newkey,"""",-server,"""",-disable_confirm, -popo,0 +1,reqout_only ir - no server with -popo -1, -section,, -cmd,ir,,-reqout_only,_RESULT_DIR/ir3.der,,BLANK,,BLANK, -server,"""", -popo,-1, -newkeyout,_RESULT_DIR/dummyout.pem +1,reqin ir and rspout - using no newkey and -popo -1, -section,, 
-cmd,ir,,-reqin,_RESULT_DIR/ir3.der,,-rspout,_RESULT_DIR/ip3.der,-newkey,"""", -popo,-1, -newkeyout,_RESULT_DIR/newkeyout.pem +1,reqin ip and rspin - using no newkey and -popo -1, -section,, -cmd,ir,,-reqin,_RESULT_DIR/ir3.der,,-rspin,_RESULT_DIR/ip3.der,,-newkey,"""",-server,"""",-disable_confirm, -popo,-1, -newkeyout,_RESULT_DIR/newkeyout.pem ,,,,,,,,,,,,,,,,,,, 1,central key generation, -section,, -cmd,cr,, -centralkeygen, -newkeyout,_RESULT_DIR/newkeyout1.pem 0,central key generation missing newkeyout, -section,, -cmd,cr,, -centralkeygen,,BLANK,,BLANK,,BLANK,,BLANK, -0,using popo=1 with central key generation, -section,, -cmd,cr,, -centralkeygen, -popo,1, -newkeyout,_RESULT_DIR/newkeyout.pem -1, using popo=-1 with central key generation, -section,, -cmd,cr,, -centralkeygen, -popo,-1, -newkeyout,_RESULT_DIR/newkeyout2.pem -1, using popo=-1 instead of central key generation, -section,, -cmd,cr,, -popo,-1, -newkeyout,_RESULT_DIR/newkeyout3.pem, -newkeypass,pass:12345, -certout,_RESULT_DIR/test.cert3.pem -1, using centrally generated credentials , -section,, -cmd,cr,,-cert,_RESULT_DIR/test.cert3.pem, -key,_RESULT_DIR/newkeyout3.pem, -keypass,pass:12345 -0, using centrally generated credentials with wrong password , -section,, -cmd,cr,,-cert,_RESULT_DIR/test.cert3.pem, -key,_RESULT_DIR/newkeyout3.pem, -keypass,pass:wrong -0, using popo=-1 instead of central key generation without newkeyout, -section,, -cmd,cr,, -popo,-1,,BLANK,,BLANK,,BLANK,,BLANK, \ No newline at end of file +0,using popo 1 with -centralkeygen, -section,, -cmd,cr,, -centralkeygen, -popo,1, -newkeyout,_RESULT_DIR/newkeyout.pem +1, using popo -1 redundantly with -centralkeygen, -section,, -cmd,cr,, -centralkeygen, -popo,-1, -newkeyout,_RESULT_DIR/newkeyout2.pem +1, using popo -1 alternatively to -centralkeygen, -section,, -cmd,cr,, -popo,-1, -newkeyout,_RESULT_DIR/newkeyout3.pem, -newkeypass,pass:12345, -certout,_RESULT_DIR/test.cert3.pem +1, using centrally generated key (and cert) , -section,, 
-cmd,cr,,-cert,_RESULT_DIR/test.cert3.pem, -key,_RESULT_DIR/newkeyout3.pem, -keypass,pass:12345 +0, using centrally generated key with wrong password, -section,, -cmd,cr,,-cert,_RESULT_DIR/test.cert3.pem, -key,_RESULT_DIR/newkeyout3.pem, -keypass,pass:wrong +0, using popo -1 (instead of -centralkeygen) without -newkeyout, -section,, -cmd,cr,, -popo,-1,,BLANK,,BLANK,,BLANK,,BLANK, \ No newline at end of file diff --git a/util/libcrypto.num b/util/libcrypto.num index 8cb36536aadd78..4bf1867cd9886b 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -5734,6 +5734,17 @@ EVP_CIPHER_CTX_get_algor 5861 3_4_0 EXIST::FUNCTION: EVP_PKEY_CTX_set_algor_params 5862 3_4_0 EXIST::FUNCTION: EVP_PKEY_CTX_get_algor_params 5863 3_4_0 EXIST::FUNCTION: EVP_PKEY_CTX_get_algor 5864 3_4_0 EXIST::FUNCTION: +OSSL_CMP_SRV_CTX_centralKeygen_req ? 3_5_0 EXIST::FUNCTION:CMP +CMS_EnvelopedData_dup ? 3_5_0 EXIST::FUNCTION:CMS +d2i_OSSL_CRMF_ENCRYPTEDKEY ? 3_5_0 EXIST::FUNCTION:CRMF +i2d_OSSL_CRMF_ENCRYPTEDKEY ? 3_5_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_ENCRYPTEDKEY_free ? 3_5_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_ENCRYPTEDKEY_new ? 3_5_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_ENCRYPTEDKEY_it ? 3_5_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_ENCRYPTEDKEY_get1_encCert ? 3_5_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_ENCRYPTEDVALUE_decrypt ? 3_5_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_ENCRYPTEDKEY_get1_pkey ? 3_5_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_ENCRYPTEDKEY_init_envdata ? 3_5_0 EXIST::FUNCTION:CMS,CRMF EVP_get1_default_properties ? 3_5_0 EXIST::FUNCTION: d2i_OSSL_AUTHORITY_ATTRIBUTE_ID_SYNTAX ? 3_5_0 EXIST::FUNCTION: i2d_OSSL_AUTHORITY_ATTRIBUTE_ID_SYNTAX ? 3_5_0 EXIST::FUNCTION: