Document or unexport some more of x509.h

davidben · nebeid · commit 68b9d6bbb113 · 2024-05-22T17:48:51.000-04:00
Get the remaining config APIs, extensions accessors, and the get1_email family. I'm not sure yet whether the various remaining extension-specific functions should get their own sections (probably), in which case, maybe we should move the accessors these into their sections? Put them with the rest of the certificate getters for now. As part of this, deduplicate the X509v3_KU_* and KU_* constants. See openssl/openssl#22955 Bug: 426 Change-Id: I31a9b887eb1e6cfa272f04d2ee80dbb5a9ed98f7 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/64256 Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: Bob Beck <bbe@google.com> (cherry picked from commit 314c2520eab450615d8e78df21169c090d6f51e5)
diff --git a/crypto/x509/internal.h b/crypto/x509/internal.h
@@ -543,6 +543,16 @@ OPENSSL_EXPORT int GENERAL_NAME_cmp(const GENERAL_NAME *a,
 // |name|, or NULL if no such name is defined.
 const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name);
 
+GENERAL_NAME *v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method,
+                               const X509V3_CTX *ctx, const CONF_VALUE *cnf);
+GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out,
+                                  const X509V3_EXT_METHOD *method,
+                                  const X509V3_CTX *ctx, const CONF_VALUE *cnf,
+                                  int is_nc);
+GENERAL_NAMES *v2i_GENERAL_NAMES(const X509V3_EXT_METHOD *method,
+                                 const X509V3_CTX *ctx,
+                                 const STACK_OF(CONF_VALUE) *nval);
+
 
 #if defined(__cplusplus)
 }  // extern C
diff --git a/crypto/x509/v3_alt.c b/crypto/x509/v3_alt.c
@@ -446,10 +446,10 @@ GENERAL_NAME *v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method,
   return v2i_GENERAL_NAME_ex(NULL, method, ctx, cnf, 0);
 }
 
-GENERAL_NAME *a2i_GENERAL_NAME(GENERAL_NAME *out,
-                               const X509V3_EXT_METHOD *method,
-                               const X509V3_CTX *ctx, int gen_type,
-                               const char *value, int is_nc) {
+static GENERAL_NAME *a2i_GENERAL_NAME(GENERAL_NAME *out,
+                                      const X509V3_EXT_METHOD *method,
+                                      const X509V3_CTX *ctx, int gen_type,
+                                      const char *value, int is_nc) {
   if (!value) {
     OPENSSL_PUT_ERROR(X509V3, X509V3_R_MISSING_VALUE);
     return NULL;
diff --git a/crypto/x509/v3_info.c b/crypto/x509/v3_info.c
@@ -67,6 +67,9 @@
 #include <openssl/obj.h>
 #include <openssl/x509.h>
 
+#include "internal.h"
+
+
 static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_INFO_ACCESS(
     const X509V3_EXT_METHOD *method, void *ext, STACK_OF(CONF_VALUE) *ret);
 static void *v2i_AUTHORITY_INFO_ACCESS(const X509V3_EXT_METHOD *method,
@@ -206,8 +209,3 @@ static void *v2i_AUTHORITY_INFO_ACCESS(const X509V3_EXT_METHOD *method,
   sk_ACCESS_DESCRIPTION_pop_free(ainfo, ACCESS_DESCRIPTION_free);
   return NULL;
 }
-
-int i2a_ACCESS_DESCRIPTION(BIO *bp, const ACCESS_DESCRIPTION *a) {
-  i2a_ASN1_OBJECT(bp, a->method);
-  return 2;
-}
diff --git a/crypto/x509/v3_purp.c b/crypto/x509/v3_purp.c
@@ -500,7 +500,7 @@ int x509v3_cache_extensions(X509 *x) {
     x->ex_flags |= EXFLAG_SI;
     // If SKID matches AKID also indicate self signed
     if (X509_check_akid(x, x->akid) == X509_V_OK &&
-        !ku_reject(x, KU_KEY_CERT_SIGN)) {
+        !ku_reject(x, X509v3_KU_KEY_CERT_SIGN)) {
       x->ex_flags |= EXFLAG_SS;
     }
   }
@@ -539,7 +539,7 @@ int x509v3_cache_extensions(X509 *x) {
 // otherwise.
 static int check_ca(const X509 *x) {
   // keyUsage if present should allow cert signing
-  if (ku_reject(x, KU_KEY_CERT_SIGN)) {
+  if (ku_reject(x, X509v3_KU_KEY_CERT_SIGN)) {
     return 0;
   }
   // Version 1 certificates are considered CAs and don't have extensions.
@@ -566,7 +566,7 @@ static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x,
     return check_ca(x);
   }
   // We need to do digital signatures or key agreement
-  if (ku_reject(x, KU_DIGITAL_SIGNATURE | KU_KEY_AGREEMENT)) {
+  if (ku_reject(x, X509v3_KU_DIGITAL_SIGNATURE | X509v3_KU_KEY_AGREEMENT)) {
     return 0;
   }
   // nsCertType if present should allow SSL client use
@@ -579,7 +579,9 @@ static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x,
 // Key usage needed for TLS/SSL server: digital signature, encipherment or
 // key agreement. The ssl code can check this more thoroughly for individual
 // key types.
-#define KU_TLS (KU_DIGITAL_SIGNATURE | KU_KEY_ENCIPHERMENT | KU_KEY_AGREEMENT)
+#define X509v3_KU_TLS                                         \
+  (X509v3_KU_DIGITAL_SIGNATURE | X509v3_KU_KEY_ENCIPHERMENT | \
+   X509v3_KU_KEY_AGREEMENT)
 
 static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x,
                                     int ca) {
@@ -593,7 +595,7 @@ static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x,
   if (ns_reject(x, NS_SSL_SERVER)) {
     return 0;
   }
-  if (ku_reject(x, KU_TLS)) {
+  if (ku_reject(x, X509v3_KU_TLS)) {
     return 0;
   }
 
@@ -608,7 +610,7 @@ static int check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x,
     return ret;
   }
   // We need to encipher or Netscape complains
-  if (ku_reject(x, KU_KEY_ENCIPHERMENT)) {
+  if (ku_reject(x, X509v3_KU_KEY_ENCIPHERMENT)) {
     return 0;
   }
   return ret;
@@ -641,7 +643,7 @@ static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x,
   if (!ret || ca) {
     return ret;
   }
-  if (ku_reject(x, KU_DIGITAL_SIGNATURE | KU_NON_REPUDIATION)) {
+  if (ku_reject(x, X509v3_KU_DIGITAL_SIGNATURE | X509v3_KU_NON_REPUDIATION)) {
     return 0;
   }
   return ret;
@@ -654,7 +656,7 @@ static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x,
   if (!ret || ca) {
     return ret;
   }
-  if (ku_reject(x, KU_KEY_ENCIPHERMENT)) {
+  if (ku_reject(x, X509v3_KU_KEY_ENCIPHERMENT)) {
     return 0;
   }
   return ret;
@@ -665,7 +667,7 @@ static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x,
   if (ca) {
     return check_ca(x);
   }
-  if (ku_reject(x, KU_CRL_SIGN)) {
+  if (ku_reject(x, X509v3_KU_CRL_SIGN)) {
     return 0;
   }
   return 1;
@@ -696,8 +698,10 @@ static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x,
   // and/or nonRepudiation (other values are not consistent and shall
   // be rejected).
   if ((x->ex_flags & EXFLAG_KUSAGE) &&
-      ((x->ex_kusage & ~(KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE)) ||
-       !(x->ex_kusage & (KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE)))) {
+      ((x->ex_kusage &
+        ~(X509v3_KU_NON_REPUDIATION | X509v3_KU_DIGITAL_SIGNATURE)) ||
+       !(x->ex_kusage &
+         (X509v3_KU_NON_REPUDIATION | X509v3_KU_DIGITAL_SIGNATURE)))) {
     return 0;
   }
 
@@ -744,7 +748,7 @@ int X509_check_issued(X509 *issuer, X509 *subject) {
     }
   }
 
-  if (ku_reject(issuer, KU_KEY_CERT_SIGN)) {
+  if (ku_reject(issuer, X509v3_KU_KEY_CERT_SIGN)) {
     return X509_V_ERR_KEYUSAGE_NO_CERTSIGN;
   }
   return X509_V_OK;
@@ -803,6 +807,9 @@ uint32_t X509_get_key_usage(X509 *x) {
   if (x->ex_flags & EXFLAG_KUSAGE) {
     return x->ex_kusage;
   }
+  // If there is no extension, key usage is unconstrained, so set all bits to
+  // one. Note that, although we use |UINT32_MAX|, |ex_kusage| only contains the
+  // first 16 bits when the extension is present.
   return UINT32_MAX;
 }
 
@@ -813,6 +820,8 @@ uint32_t X509_get_extended_key_usage(X509 *x) {
   if (x->ex_flags & EXFLAG_XKUSAGE) {
     return x->ex_xkusage;
   }
+  // If there is no extension, extended key usage is unconstrained, so set all
+  // bits to one.
   return UINT32_MAX;
 }
 
diff --git a/crypto/x509/v3_utl.c b/crypto/x509/v3_utl.c
@@ -555,7 +555,7 @@ static int sk_strcmp(const char *const *a, const char *const *b) {
   return strcmp(*a, *b);
 }
 
-STACK_OF(OPENSSL_STRING) *X509_get1_email(X509 *x) {
+STACK_OF(OPENSSL_STRING) *X509_get1_email(const X509 *x) {
   GENERAL_NAMES *gens;
   STACK_OF(OPENSSL_STRING) *ret;
 
@@ -565,7 +565,7 @@ STACK_OF(OPENSSL_STRING) *X509_get1_email(X509 *x) {
   return ret;
 }
 
-STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x) {
+STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(const X509 *x) {
   AUTHORITY_INFO_ACCESS *info;
   STACK_OF(OPENSSL_STRING) *ret = NULL;
   size_t i;
@@ -588,7 +588,7 @@ STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x) {
   return ret;
 }
 
-STACK_OF(OPENSSL_STRING) *X509_REQ_get1_email(X509_REQ *x) {
+STACK_OF(OPENSSL_STRING) *X509_REQ_get1_email(const X509_REQ *x) {
   GENERAL_NAMES *gens;
   STACK_OF(X509_EXTENSION) *exts;
   STACK_OF(OPENSSL_STRING) *ret;
@@ -1155,12 +1155,8 @@ ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc) {
   return ret;
 
 err:
-  if (iptmp) {
-    OPENSSL_free(iptmp);
-  }
-  if (ret) {
-    ASN1_OCTET_STRING_free(ret);
-  }
+  OPENSSL_free(iptmp);
+  ASN1_OCTET_STRING_free(ret);
   return NULL;
 }
 
diff --git a/crypto/x509/x509_req.c b/crypto/x509/x509_req.c
@@ -123,7 +123,7 @@ int X509_REQ_extension_nid(int req_nid) {
   return req_nid == NID_ext_req || req_nid == NID_ms_ext_req;
 }
 
-STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req) {
+STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(const X509_REQ *req) {
   if (req == NULL || req->req_info == NULL) {
     return NULL;
   }
@@ -136,8 +136,10 @@ STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req) {
     return NULL;
   }
 
-  X509_ATTRIBUTE *attr = X509_REQ_get_attr(req, idx);
-  ASN1_TYPE *ext = X509_ATTRIBUTE_get0_type(attr, 0);
+  const X509_ATTRIBUTE *attr = X509_REQ_get_attr(req, idx);
+  // TODO(davidben): |X509_ATTRIBUTE_get0_type| is not const-correct. It should
+  // take and return a const pointer.
+  const ASN1_TYPE *ext = X509_ATTRIBUTE_get0_type((X509_ATTRIBUTE *)attr, 0);
   if (!ext || ext->type != V_ASN1_SEQUENCE) {
     return NULL;
   }
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
@@ -1209,7 +1209,7 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl) {
   if (issuer) {
     // Check for cRLSign bit if keyUsage present
     if ((issuer->ex_flags & EXFLAG_KUSAGE) &&
-        !(issuer->ex_kusage & KU_CRL_SIGN)) {
+        !(issuer->ex_kusage & X509v3_KU_CRL_SIGN)) {
       ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN;
       ok = ctx->verify_cb(0, ctx);
       if (!ok) {
diff --git a/include/openssl/base.h b/include/openssl/base.h
@@ -378,6 +378,7 @@ typedef struct trust_token_client_st TRUST_TOKEN_CLIENT;
 typedef struct trust_token_issuer_st TRUST_TOKEN_ISSUER;
 typedef struct trust_token_method_st TRUST_TOKEN_METHOD;
 typedef struct v3_ext_ctx X509V3_CTX;
+typedef struct v3_ext_method X509V3_EXT_METHOD;
 typedef struct x509_attributes_st X509_ATTRIBUTE;
 typedef struct x509_lookup_st X509_LOOKUP;
 typedef struct x509_lookup_method_st X509_LOOKUP_METHOD;
diff --git a/include/openssl/x509.h b/include/openssl/x509.h

Original file line number	Diff line number	Diff line change
`@@ -500,7 +500,7 @@ int x509v3_cache_extensions(X509 *x) {`
`500`	`500`	`x->ex_flags \|= EXFLAG_SI;`
`501`	`501`	`// If SKID matches AKID also indicate self signed`
`502`	`502`	`if (X509_check_akid(x, x->akid) == X509_V_OK &&`
`503`		`- !ku_reject(x, KU_KEY_CERT_SIGN)) {`
	`503`	`+ !ku_reject(x, X509v3_KU_KEY_CERT_SIGN)) {`
`504`	`504`	`x->ex_flags \|= EXFLAG_SS;`
`505`	`505`	`}`
`506`	`506`	`}`
`@@ -539,7 +539,7 @@ int x509v3_cache_extensions(X509 *x) {`
`539`	`539`	`// otherwise.`
`540`	`540`	`static int check_ca(const X509 *x) {`
`541`	`541`	`// keyUsage if present should allow cert signing`
`542`		`- if (ku_reject(x, KU_KEY_CERT_SIGN)) {`
	`542`	`+ if (ku_reject(x, X509v3_KU_KEY_CERT_SIGN)) {`
`543`	`543`	`return 0;`
`544`	`544`	`}`
`545`	`545`	`// Version 1 certificates are considered CAs and don't have extensions.`
`@@ -566,7 +566,7 @@ static int check_purpose_ssl_client(const X509_PURPOSE xp, const X509 x,`
`566`	`566`	`return check_ca(x);`
`567`	`567`	`}`
`568`	`568`	`// We need to do digital signatures or key agreement`
`569`		`- if (ku_reject(x, KU_DIGITAL_SIGNATURE \| KU_KEY_AGREEMENT)) {`
	`569`	`+ if (ku_reject(x, X509v3_KU_DIGITAL_SIGNATURE \| X509v3_KU_KEY_AGREEMENT)) {`
`570`	`570`	`return 0;`
`571`	`571`	`}`
`572`	`572`	`// nsCertType if present should allow SSL client use`
`@@ -579,7 +579,9 @@ static int check_purpose_ssl_client(const X509_PURPOSE xp, const X509 x,`
`579`	`579`	`// Key usage needed for TLS/SSL server: digital signature, encipherment or`
`580`	`580`	`// key agreement. The ssl code can check this more thoroughly for individual`
`581`	`581`	`// key types.`
`582`		`-#define KU_TLS (KU_DIGITAL_SIGNATURE \| KU_KEY_ENCIPHERMENT \| KU_KEY_AGREEMENT)`
	`582`	`+#define X509v3_KU_TLS \`
	`583`	`+ (X509v3_KU_DIGITAL_SIGNATURE \| X509v3_KU_KEY_ENCIPHERMENT \| \`
	`584`	`+ X509v3_KU_KEY_AGREEMENT)`
`583`	`585`
`584`	`586`	`static int check_purpose_ssl_server(const X509_PURPOSE xp, const X509 x,`
`585`	`587`	`int ca) {`
`@@ -593,7 +595,7 @@ static int check_purpose_ssl_server(const X509_PURPOSE xp, const X509 x,`
`593`	`595`	`if (ns_reject(x, NS_SSL_SERVER)) {`
`594`	`596`	`return 0;`
`595`	`597`	`}`
`596`		`- if (ku_reject(x, KU_TLS)) {`
	`598`	`+ if (ku_reject(x, X509v3_KU_TLS)) {`
`597`	`599`	`return 0;`
`598`	`600`	`}`
`599`	`601`
`@@ -608,7 +610,7 @@ static int check_purpose_ns_ssl_server(const X509_PURPOSE xp, const X509 x,`
`608`	`610`	`return ret;`
`609`	`611`	`}`
`610`	`612`	`// We need to encipher or Netscape complains`
`611`		`- if (ku_reject(x, KU_KEY_ENCIPHERMENT)) {`
	`613`	`+ if (ku_reject(x, X509v3_KU_KEY_ENCIPHERMENT)) {`
`612`	`614`	`return 0;`
`613`	`615`	`}`
`614`	`616`	`return ret;`
`@@ -641,7 +643,7 @@ static int check_purpose_smime_sign(const X509_PURPOSE xp, const X509 x,`
`641`	`643`	`if (!ret \|\| ca) {`
`642`	`644`	`return ret;`
`643`	`645`	`}`
`644`		`- if (ku_reject(x, KU_DIGITAL_SIGNATURE \| KU_NON_REPUDIATION)) {`
	`646`	`+ if (ku_reject(x, X509v3_KU_DIGITAL_SIGNATURE \| X509v3_KU_NON_REPUDIATION)) {`
`645`	`647`	`return 0;`
`646`	`648`	`}`
`647`	`649`	`return ret;`
`@@ -654,7 +656,7 @@ static int check_purpose_smime_encrypt(const X509_PURPOSE xp, const X509 x,`
`654`	`656`	`if (!ret \|\| ca) {`
`655`	`657`	`return ret;`
`656`	`658`	`}`
`657`		`- if (ku_reject(x, KU_KEY_ENCIPHERMENT)) {`
	`659`	`+ if (ku_reject(x, X509v3_KU_KEY_ENCIPHERMENT)) {`
`658`	`660`	`return 0;`
`659`	`661`	`}`
`660`	`662`	`return ret;`
`@@ -665,7 +667,7 @@ static int check_purpose_crl_sign(const X509_PURPOSE xp, const X509 x,`
`665`	`667`	`if (ca) {`
`666`	`668`	`return check_ca(x);`
`667`	`669`	`}`
`668`		`- if (ku_reject(x, KU_CRL_SIGN)) {`
	`670`	`+ if (ku_reject(x, X509v3_KU_CRL_SIGN)) {`
`669`	`671`	`return 0;`
`670`	`672`	`}`
`671`	`673`	`return 1;`
`@@ -696,8 +698,10 @@ static int check_purpose_timestamp_sign(const X509_PURPOSE xp, const X509 x,`
`696`	`698`	`// and/or nonRepudiation (other values are not consistent and shall`
`697`	`699`	`// be rejected).`
`698`	`700`	`if ((x->ex_flags & EXFLAG_KUSAGE) &&`
`699`		`- ((x->ex_kusage & ~(KU_NON_REPUDIATION \| KU_DIGITAL_SIGNATURE)) \|\|`
`700`		`- !(x->ex_kusage & (KU_NON_REPUDIATION \| KU_DIGITAL_SIGNATURE)))) {`
	`701`	`+ ((x->ex_kusage &`
	`702`	`+ ~(X509v3_KU_NON_REPUDIATION \| X509v3_KU_DIGITAL_SIGNATURE)) \|\|`
	`703`	`+ !(x->ex_kusage &`
	`704`	`+ (X509v3_KU_NON_REPUDIATION \| X509v3_KU_DIGITAL_SIGNATURE)))) {`
`701`	`705`	`return 0;`
`702`	`706`	`}`
`703`	`707`
`@@ -744,7 +748,7 @@ int X509_check_issued(X509 issuer, X509 subject) {`
`744`	`748`	`}`
`745`	`749`	`}`
`746`	`750`
`747`		`- if (ku_reject(issuer, KU_KEY_CERT_SIGN)) {`
	`751`	`+ if (ku_reject(issuer, X509v3_KU_KEY_CERT_SIGN)) {`
`748`	`752`	`return X509_V_ERR_KEYUSAGE_NO_CERTSIGN;`
`749`	`753`	`}`
`750`	`754`	`return X509_V_OK;`
`@@ -803,6 +807,9 @@ uint32_t X509_get_key_usage(X509 *x) {`
`803`	`807`	`if (x->ex_flags & EXFLAG_KUSAGE) {`
`804`	`808`	`return x->ex_kusage;`
`805`	`809`	`}`
	`810`	`+ // If there is no extension, key usage is unconstrained, so set all bits to`
	`811`	`+ // one. Note that, although we use \|UINT32_MAX\|, \|ex_kusage\| only contains the`
	`812`	`+ // first 16 bits when the extension is present.`
`806`	`813`	`return UINT32_MAX;`
`807`	`814`	`}`
`808`	`815`
`@@ -813,6 +820,8 @@ uint32_t X509_get_extended_key_usage(X509 *x) {`
`813`	`820`	`if (x->ex_flags & EXFLAG_XKUSAGE) {`
`814`	`821`	`return x->ex_xkusage;`
`815`	`822`	`}`
	`823`	`+ // If there is no extension, extended key usage is unconstrained, so set all`
	`824`	`+ // bits to one.`
`816`	`825`	`return UINT32_MAX;`
`817`	`826`	`}`
`818`	`827`
Original file line number	Diff line number	Diff line change
`@@ -123,7 +123,7 @@ int X509_REQ_extension_nid(int req_nid) {`
`123`	`123`	`return req_nid == NID_ext_req \|\| req_nid == NID_ms_ext_req;`
`124`	`124`	`}`
`125`	`125`
`126`		`-STACK_OF(X509_EXTENSION) X509_REQ_get_extensions(X509_REQ req) {`
	`126`	`+STACK_OF(X509_EXTENSION) X509_REQ_get_extensions(const X509_REQ req) {`
`127`	`127`	`if (req == NULL \|\| req->req_info == NULL) {`
`128`	`128`	`return NULL;`
`129`	`129`	`}`
`@@ -136,8 +136,10 @@ STACK_OF(X509_EXTENSION) X509_REQ_get_extensions(X509_REQ req) {`
`136`	`136`	`return NULL;`
`137`	`137`	`}`
`138`	`138`
`139`		`- X509_ATTRIBUTE *attr = X509_REQ_get_attr(req, idx);`
`140`		`- ASN1_TYPE *ext = X509_ATTRIBUTE_get0_type(attr, 0);`
	`139`	`+ const X509_ATTRIBUTE *attr = X509_REQ_get_attr(req, idx);`
	`140`	`+ // TODO(davidben): \|X509_ATTRIBUTE_get0_type\| is not const-correct. It should`
	`141`	`+ // take and return a const pointer.`
	`142`	`+ const ASN1_TYPE ext = X509_ATTRIBUTE_get0_type((X509_ATTRIBUTE )attr, 0);`
`141`	`143`	`if (!ext \|\| ext->type != V_ASN1_SEQUENCE) {`
`142`	`144`	`return NULL;`
`143`	`145`	`}`