A local copy of OpenSSL from GitHub
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

1134 lines
33 KiB

  1. /*
  2. * Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved.
  3. * Copyright Nokia 2007-2019
  4. * Copyright Siemens AG 2015-2019
  5. *
  6. * Licensed under the Apache License 2.0 (the "License"). You may not use
  7. * this file except in compliance with the License. You can obtain a copy
  8. * in the file LICENSE in the source distribution or at
  9. * https://www.openssl.org/source/license.html
  10. */
  11. #include <openssl/trace.h>
  12. #include <openssl/bio.h>
  13. #include <openssl/ocsp.h> /* for OCSP_REVOKED_STATUS_* */
  14. #include "crypto/x509.h" /* for x509v3_cache_extensions() */
  15. #include "cmp_local.h"
  16. /* explicit #includes not strictly needed since implied by the above: */
  17. #include <openssl/cmp.h>
  18. #include <openssl/crmf.h>
  19. #include <openssl/err.h>
  20. /*
  21. * Get current certificate store containing trusted root CA certs
  22. */
  23. X509_STORE *OSSL_CMP_CTX_get0_trustedStore(const OSSL_CMP_CTX *ctx)
  24. {
  25. if (ctx == NULL) {
  26. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  27. return NULL;
  28. }
  29. return ctx->trusted;
  30. }
  31. /*
  32. * Set certificate store containing trusted (root) CA certs and possibly CRLs
  33. * and a cert verification callback function used for CMP server authentication.
  34. * Any already existing store entry is freed. Given NULL, the entry is reset.
  35. */
  36. int OSSL_CMP_CTX_set0_trustedStore(OSSL_CMP_CTX *ctx, X509_STORE *store)
  37. {
  38. if (ctx == NULL) {
  39. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  40. return 0;
  41. }
  42. X509_STORE_free(ctx->trusted);
  43. ctx->trusted = store;
  44. return 1;
  45. }
  46. /* Get current list of non-trusted intermediate certs */
  47. STACK_OF(X509) *OSSL_CMP_CTX_get0_untrusted(const OSSL_CMP_CTX *ctx)
  48. {
  49. if (ctx == NULL) {
  50. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  51. return NULL;
  52. }
  53. return ctx->untrusted;
  54. }
  55. /*
  56. * Set untrusted certificates for path construction in authentication of
  57. * the CMP server and potentially others (TLS server, newly enrolled cert).
  58. */
  59. int OSSL_CMP_CTX_set1_untrusted(OSSL_CMP_CTX *ctx, STACK_OF(X509) *certs)
  60. {
  61. STACK_OF(X509) *untrusted;
  62. if (ctx == NULL) {
  63. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  64. return 0;
  65. }
  66. if ((untrusted = sk_X509_new_null()) == NULL)
  67. return 0;
  68. if (X509_add_certs(untrusted, certs,
  69. X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP) != 1)
  70. goto err;
  71. sk_X509_pop_free(ctx->untrusted, X509_free);
  72. ctx->untrusted = untrusted;
  73. return 1;
  74. err:
  75. sk_X509_pop_free(untrusted, X509_free);
  76. return 0;
  77. }
  78. static int cmp_ctx_set_md(OSSL_CMP_CTX *ctx, EVP_MD **pmd, int nid)
  79. {
  80. EVP_MD *md = EVP_MD_fetch(ctx->libctx, OBJ_nid2sn(nid), ctx->propq);
  81. /* fetching in advance to be able to throw error early if unsupported */
  82. if (md == NULL) {
  83. ERR_raise(ERR_LIB_CMP, CMP_R_UNSUPPORTED_ALGORITHM);
  84. return 0;
  85. }
  86. EVP_MD_free(*pmd);
  87. *pmd = md;
  88. return 1;
  89. }
  90. /*
  91. * Allocates and initializes OSSL_CMP_CTX context structure with default values.
  92. * Returns new context on success, NULL on error
  93. */
  94. OSSL_CMP_CTX *OSSL_CMP_CTX_new(OSSL_LIB_CTX *libctx, const char *propq)
  95. {
  96. OSSL_CMP_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
  97. if (ctx == NULL)
  98. goto err;
  99. ctx->libctx = libctx;
  100. if (propq != NULL && (ctx->propq = OPENSSL_strdup(propq)) == NULL)
  101. goto err;
  102. ctx->log_verbosity = OSSL_CMP_LOG_INFO;
  103. ctx->status = -1;
  104. ctx->failInfoCode = -1;
  105. ctx->msg_timeout = 2 * 60;
  106. if ((ctx->untrusted = sk_X509_new_null()) == NULL)
  107. goto err;
  108. ctx->pbm_slen = 16;
  109. if (!cmp_ctx_set_md(ctx, &ctx->pbm_owf, NID_sha256))
  110. goto err;
  111. ctx->pbm_itercnt = 500;
  112. ctx->pbm_mac = NID_hmac_sha1;
  113. if (!cmp_ctx_set_md(ctx, &ctx->digest, NID_sha256))
  114. goto err;
  115. ctx->popoMethod = OSSL_CRMF_POPO_SIGNATURE;
  116. ctx->revocationReason = CRL_REASON_NONE;
  117. /* all other elements are initialized to 0 or NULL, respectively */
  118. return ctx;
  119. err:
  120. OSSL_CMP_CTX_free(ctx);
  121. ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE);
  122. return NULL;
  123. }
  124. /* Prepare the OSSL_CMP_CTX for next use, partly re-initializing OSSL_CMP_CTX */
  125. int OSSL_CMP_CTX_reinit(OSSL_CMP_CTX *ctx)
  126. {
  127. if (ctx == NULL) {
  128. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  129. return 0;
  130. }
  131. ctx->status = -1;
  132. ctx->failInfoCode = -1;
  133. return ossl_cmp_ctx_set0_statusString(ctx, NULL)
  134. && ossl_cmp_ctx_set0_newCert(ctx, NULL)
  135. && ossl_cmp_ctx_set1_newChain(ctx, NULL)
  136. && ossl_cmp_ctx_set1_caPubs(ctx, NULL)
  137. && ossl_cmp_ctx_set1_extraCertsIn(ctx, NULL)
  138. && ossl_cmp_ctx_set0_validatedSrvCert(ctx, NULL)
  139. && OSSL_CMP_CTX_set1_transactionID(ctx, NULL)
  140. && OSSL_CMP_CTX_set1_senderNonce(ctx, NULL)
  141. && ossl_cmp_ctx_set1_recipNonce(ctx, NULL);
  142. }
  143. /* Frees OSSL_CMP_CTX variables allocated in OSSL_CMP_CTX_new() */
  144. void OSSL_CMP_CTX_free(OSSL_CMP_CTX *ctx)
  145. {
  146. if (ctx == NULL)
  147. return;
  148. OPENSSL_free(ctx->serverPath);
  149. OPENSSL_free(ctx->server);
  150. OPENSSL_free(ctx->proxy);
  151. OPENSSL_free(ctx->no_proxy);
  152. X509_free(ctx->srvCert);
  153. X509_free(ctx->validatedSrvCert);
  154. X509_NAME_free(ctx->expected_sender);
  155. X509_STORE_free(ctx->trusted);
  156. sk_X509_pop_free(ctx->untrusted, X509_free);
  157. X509_free(ctx->cert);
  158. sk_X509_pop_free(ctx->chain, X509_free);
  159. EVP_PKEY_free(ctx->pkey);
  160. ASN1_OCTET_STRING_free(ctx->referenceValue);
  161. if (ctx->secretValue != NULL)
  162. OPENSSL_cleanse(ctx->secretValue->data, ctx->secretValue->length);
  163. ASN1_OCTET_STRING_free(ctx->secretValue);
  164. EVP_MD_free(ctx->pbm_owf);
  165. X509_NAME_free(ctx->recipient);
  166. EVP_MD_free(ctx->digest);
  167. ASN1_OCTET_STRING_free(ctx->transactionID);
  168. ASN1_OCTET_STRING_free(ctx->senderNonce);
  169. ASN1_OCTET_STRING_free(ctx->recipNonce);
  170. sk_OSSL_CMP_ITAV_pop_free(ctx->geninfo_ITAVs, OSSL_CMP_ITAV_free);
  171. sk_X509_pop_free(ctx->extraCertsOut, X509_free);
  172. EVP_PKEY_free(ctx->newPkey);
  173. X509_NAME_free(ctx->issuer);
  174. X509_NAME_free(ctx->subjectName);
  175. sk_GENERAL_NAME_pop_free(ctx->subjectAltNames, GENERAL_NAME_free);
  176. sk_X509_EXTENSION_pop_free(ctx->reqExtensions, X509_EXTENSION_free);
  177. sk_POLICYINFO_pop_free(ctx->policies, POLICYINFO_free);
  178. X509_free(ctx->oldCert);
  179. X509_REQ_free(ctx->p10CSR);
  180. sk_OSSL_CMP_ITAV_pop_free(ctx->genm_ITAVs, OSSL_CMP_ITAV_free);
  181. sk_ASN1_UTF8STRING_pop_free(ctx->statusString, ASN1_UTF8STRING_free);
  182. X509_free(ctx->newCert);
  183. sk_X509_pop_free(ctx->newChain, X509_free);
  184. sk_X509_pop_free(ctx->caPubs, X509_free);
  185. sk_X509_pop_free(ctx->extraCertsIn, X509_free);
  186. OPENSSL_free(ctx);
  187. }
  188. int ossl_cmp_ctx_set_status(OSSL_CMP_CTX *ctx, int status)
  189. {
  190. if (!ossl_assert(ctx != NULL))
  191. return 0;
  192. ctx->status = status;
  193. return 1;
  194. }
  195. /*
  196. * Returns the PKIStatus from the last CertRepMessage
  197. * or Revocation Response or error message, -1 on error
  198. */
  199. int OSSL_CMP_CTX_get_status(const OSSL_CMP_CTX *ctx)
  200. {
  201. if (ctx == NULL) {
  202. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  203. return -1;
  204. }
  205. return ctx->status;
  206. }
  207. /*
  208. * Returns the statusString from the last CertRepMessage
  209. * or Revocation Response or error message, NULL on error
  210. */
  211. OSSL_CMP_PKIFREETEXT *OSSL_CMP_CTX_get0_statusString(const OSSL_CMP_CTX *ctx)
  212. {
  213. if (ctx == NULL) {
  214. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  215. return NULL;
  216. }
  217. return ctx->statusString;
  218. }
  219. int ossl_cmp_ctx_set0_statusString(OSSL_CMP_CTX *ctx,
  220. OSSL_CMP_PKIFREETEXT *text)
  221. {
  222. if (!ossl_assert(ctx != NULL))
  223. return 0;
  224. sk_ASN1_UTF8STRING_pop_free(ctx->statusString, ASN1_UTF8STRING_free);
  225. ctx->statusString = text;
  226. return 1;
  227. }
  228. int ossl_cmp_ctx_set0_validatedSrvCert(OSSL_CMP_CTX *ctx, X509 *cert)
  229. {
  230. if (!ossl_assert(ctx != NULL))
  231. return 0;
  232. X509_free(ctx->validatedSrvCert);
  233. ctx->validatedSrvCert = cert;
  234. return 1;
  235. }
  236. /* Set callback function for checking if the cert is ok or should be rejected */
  237. int OSSL_CMP_CTX_set_certConf_cb(OSSL_CMP_CTX *ctx, OSSL_CMP_certConf_cb_t cb)
  238. {
  239. if (ctx == NULL) {
  240. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  241. return 0;
  242. }
  243. ctx->certConf_cb = cb;
  244. return 1;
  245. }
  246. /*
  247. * Set argument, respectively a pointer to a structure containing arguments,
  248. * optionally to be used by the certConf callback.
  249. */
  250. int OSSL_CMP_CTX_set_certConf_cb_arg(OSSL_CMP_CTX *ctx, void *arg)
  251. {
  252. if (ctx == NULL) {
  253. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  254. return 0;
  255. }
  256. ctx->certConf_cb_arg = arg;
  257. return 1;
  258. }
  259. /*
  260. * Get argument, respectively the pointer to a structure containing arguments,
  261. * optionally to be used by certConf callback.
  262. * Returns callback argument set previously (NULL if not set or on error)
  263. */
  264. void *OSSL_CMP_CTX_get_certConf_cb_arg(const OSSL_CMP_CTX *ctx)
  265. {
  266. if (ctx == NULL) {
  267. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  268. return NULL;
  269. }
  270. return ctx->certConf_cb_arg;
  271. }
  272. #ifndef OPENSSL_NO_TRACE
  273. static size_t ossl_cmp_log_trace_cb(const char *buf, size_t cnt,
  274. int category, int cmd, void *vdata)
  275. {
  276. OSSL_CMP_CTX *ctx = vdata;
  277. const char *msg;
  278. OSSL_CMP_severity level = -1;
  279. char *func = NULL;
  280. char *file = NULL;
  281. int line = 0;
  282. if (buf == NULL || cnt == 0 || cmd != OSSL_TRACE_CTRL_WRITE || ctx == NULL)
  283. return 0;
  284. if (ctx->log_cb == NULL)
  285. return 1; /* silently drop message */
  286. msg = ossl_cmp_log_parse_metadata(buf, &level, &func, &file, &line);
  287. if (level > ctx->log_verbosity) /* excludes the case level is unknown */
  288. goto end; /* suppress output since severity is not sufficient */
  289. if (!ctx->log_cb(func != NULL ? func : "(no func)",
  290. file != NULL ? file : "(no file)",
  291. line, level, msg))
  292. cnt = 0;
  293. end:
  294. OPENSSL_free(func);
  295. OPENSSL_free(file);
  296. return cnt;
  297. }
  298. #endif
  299. /* Print CMP log messages (i.e., diagnostic info) via the log cb of the ctx */
  300. int ossl_cmp_print_log(OSSL_CMP_severity level, const OSSL_CMP_CTX *ctx,
  301. const char *func, const char *file, int line,
  302. const char *level_str, const char *format, ...)
  303. {
  304. va_list args;
  305. char hugebuf[1024 * 2];
  306. int res = 0;
  307. if (ctx == NULL || ctx->log_cb == NULL)
  308. return 1; /* silently drop message */
  309. if (level > ctx->log_verbosity) /* excludes the case level is unknown */
  310. return 1; /* suppress output since severity is not sufficient */
  311. if (format == NULL)
  312. return 0;
  313. va_start(args, format);
  314. if (func == NULL)
  315. func = "(unset function name)";
  316. if (file == NULL)
  317. file = "(unset file name)";
  318. if (level_str == NULL)
  319. level_str = "(unset level string)";
  320. #ifndef OPENSSL_NO_TRACE
  321. if (OSSL_TRACE_ENABLED(CMP)) {
  322. OSSL_TRACE_BEGIN(CMP) {
  323. int printed =
  324. BIO_snprintf(hugebuf, sizeof(hugebuf),
  325. "%s:%s:%d:" OSSL_CMP_LOG_PREFIX "%s: ",
  326. func, file, line, level_str);
  327. if (printed > 0 && (size_t)printed < sizeof(hugebuf)) {
  328. if (BIO_vsnprintf(hugebuf + printed,
  329. sizeof(hugebuf) - printed, format, args) > 0)
  330. res = BIO_puts(trc_out, hugebuf) > 0;
  331. }
  332. } OSSL_TRACE_END(CMP);
  333. }
  334. #else /* compensate for disabled trace API */
  335. {
  336. if (BIO_vsnprintf(hugebuf, sizeof(hugebuf), format, args) > 0)
  337. res = ctx->log_cb(func, file, line, level, hugebuf);
  338. }
  339. #endif
  340. va_end(args);
  341. return res;
  342. }
  343. /* Set a callback function for error reporting and logging messages */
  344. int OSSL_CMP_CTX_set_log_cb(OSSL_CMP_CTX *ctx, OSSL_CMP_log_cb_t cb)
  345. {
  346. if (ctx == NULL) {
  347. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  348. return 0;
  349. }
  350. ctx->log_cb = cb;
  351. #ifndef OPENSSL_NO_TRACE
  352. /* do also in case cb == NULL, to switch off logging output: */
  353. if (!OSSL_trace_set_callback(OSSL_TRACE_CATEGORY_CMP,
  354. ossl_cmp_log_trace_cb, ctx))
  355. return 0;
  356. #endif
  357. return 1;
  358. }
  359. /* Print OpenSSL and CMP errors via the log cb of the ctx or ERR_print_errors */
  360. void OSSL_CMP_CTX_print_errors(const OSSL_CMP_CTX *ctx)
  361. {
  362. if (ctx != NULL && OSSL_CMP_LOG_ERR > ctx->log_verbosity)
  363. return; /* suppress output since severity is not sufficient */
  364. OSSL_CMP_print_errors_cb(ctx == NULL ? NULL : ctx->log_cb);
  365. }
  366. /*
  367. * Set or clear the reference value to be used for identification
  368. * (i.e., the user name) when using PBMAC.
  369. */
  370. int OSSL_CMP_CTX_set1_referenceValue(OSSL_CMP_CTX *ctx,
  371. const unsigned char *ref, int len)
  372. {
  373. if (ctx == NULL) {
  374. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  375. return 0;
  376. }
  377. return ossl_cmp_asn1_octet_string_set1_bytes(&ctx->referenceValue, ref,
  378. len);
  379. }
  380. /* Set or clear the password to be used for protecting messages with PBMAC */
  381. int OSSL_CMP_CTX_set1_secretValue(OSSL_CMP_CTX *ctx, const unsigned char *sec,
  382. const int len)
  383. {
  384. ASN1_OCTET_STRING *secretValue = NULL;
  385. if (ctx == NULL) {
  386. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  387. return 0;
  388. }
  389. if (ossl_cmp_asn1_octet_string_set1_bytes(&secretValue, sec, len) != 1)
  390. return 0;
  391. if (ctx->secretValue != NULL) {
  392. OPENSSL_cleanse(ctx->secretValue->data, ctx->secretValue->length);
  393. ASN1_OCTET_STRING_free(ctx->secretValue);
  394. }
  395. ctx->secretValue = secretValue;
  396. return 1;
  397. }
  398. /* Returns the cert chain computed by OSSL_CMP_certConf_cb(), NULL on error */
  399. STACK_OF(X509) *OSSL_CMP_CTX_get1_newChain(const OSSL_CMP_CTX *ctx)
  400. {
  401. if (ctx == NULL) {
  402. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  403. return NULL;
  404. }
  405. if (ctx->newChain == NULL)
  406. return sk_X509_new_null();
  407. return X509_chain_up_ref(ctx->newChain);
  408. }
  409. /*
  410. * Copies any given stack of inbound X509 certificates to newChain
  411. * of the OSSL_CMP_CTX structure so that they may be retrieved later.
  412. */
  413. int ossl_cmp_ctx_set1_newChain(OSSL_CMP_CTX *ctx, STACK_OF(X509) *newChain)
  414. {
  415. if (!ossl_assert(ctx != NULL))
  416. return 0;
  417. sk_X509_pop_free(ctx->newChain, X509_free);
  418. ctx->newChain= NULL;
  419. if (newChain == NULL)
  420. return 1;
  421. return (ctx->newChain = X509_chain_up_ref(newChain)) != NULL;
  422. }
  423. /* Returns the stack of extraCerts received in CertRepMessage, NULL on error */
  424. STACK_OF(X509) *OSSL_CMP_CTX_get1_extraCertsIn(const OSSL_CMP_CTX *ctx)
  425. {
  426. if (ctx == NULL) {
  427. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  428. return NULL;
  429. }
  430. if (ctx->extraCertsIn == NULL)
  431. return sk_X509_new_null();
  432. return X509_chain_up_ref(ctx->extraCertsIn);
  433. }
  434. /*
  435. * Copies any given stack of inbound X509 certificates to extraCertsIn
  436. * of the OSSL_CMP_CTX structure so that they may be retrieved later.
  437. */
  438. int ossl_cmp_ctx_set1_extraCertsIn(OSSL_CMP_CTX *ctx,
  439. STACK_OF(X509) *extraCertsIn)
  440. {
  441. if (!ossl_assert(ctx != NULL))
  442. return 0;
  443. sk_X509_pop_free(ctx->extraCertsIn, X509_free);
  444. ctx->extraCertsIn = NULL;
  445. if (extraCertsIn == NULL)
  446. return 1;
  447. return (ctx->extraCertsIn = X509_chain_up_ref(extraCertsIn)) != NULL;
  448. }
  449. /*
  450. * Copies any given stack as the new stack of X509
  451. * certificates to send out in the extraCerts field.
  452. */
  453. int OSSL_CMP_CTX_set1_extraCertsOut(OSSL_CMP_CTX *ctx,
  454. STACK_OF(X509) *extraCertsOut)
  455. {
  456. if (ctx == NULL) {
  457. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  458. return 0;
  459. }
  460. sk_X509_pop_free(ctx->extraCertsOut, X509_free);
  461. ctx->extraCertsOut = NULL;
  462. if (extraCertsOut == NULL)
  463. return 1;
  464. return (ctx->extraCertsOut = X509_chain_up_ref(extraCertsOut)) != NULL;
  465. }
  466. /*
  467. * Add the given policy info object
  468. * to the X509_EXTENSIONS of the requested certificate template.
  469. */
  470. int OSSL_CMP_CTX_push0_policy(OSSL_CMP_CTX *ctx, POLICYINFO *pinfo)
  471. {
  472. if (ctx == NULL || pinfo == NULL) {
  473. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  474. return 0;
  475. }
  476. if (ctx->policies == NULL
  477. && (ctx->policies = CERTIFICATEPOLICIES_new()) == NULL)
  478. return 0;
  479. return sk_POLICYINFO_push(ctx->policies, pinfo);
  480. }
  481. /* Add an ITAV for geninfo of the PKI message header */
  482. int OSSL_CMP_CTX_push0_geninfo_ITAV(OSSL_CMP_CTX *ctx, OSSL_CMP_ITAV *itav)
  483. {
  484. if (ctx == NULL) {
  485. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  486. return 0;
  487. }
  488. return OSSL_CMP_ITAV_push0_stack_item(&ctx->geninfo_ITAVs, itav);
  489. }
  490. /* Add an itav for the body of outgoing general messages */
  491. int OSSL_CMP_CTX_push0_genm_ITAV(OSSL_CMP_CTX *ctx, OSSL_CMP_ITAV *itav)
  492. {
  493. if (ctx == NULL) {
  494. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  495. return 0;
  496. }
  497. return OSSL_CMP_ITAV_push0_stack_item(&ctx->genm_ITAVs, itav);
  498. }
  499. /*
  500. * Returns a duplicate of the stack of X509 certificates that
  501. * were received in the caPubs field of the last CertRepMessage.
  502. * Returns NULL on error
  503. */
  504. STACK_OF(X509) *OSSL_CMP_CTX_get1_caPubs(const OSSL_CMP_CTX *ctx)
  505. {
  506. if (ctx == NULL) {
  507. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  508. return NULL;
  509. }
  510. if (ctx->caPubs == NULL)
  511. return sk_X509_new_null();
  512. return X509_chain_up_ref(ctx->caPubs);
  513. }
  514. /*
  515. * Copies any given stack of certificates to the given
  516. * OSSL_CMP_CTX structure so that they may be retrieved later.
  517. */
  518. int ossl_cmp_ctx_set1_caPubs(OSSL_CMP_CTX *ctx, STACK_OF(X509) *caPubs)
  519. {
  520. if (!ossl_assert(ctx != NULL))
  521. return 0;
  522. sk_X509_pop_free(ctx->caPubs, X509_free);
  523. ctx->caPubs = NULL;
  524. if (caPubs == NULL)
  525. return 1;
  526. return (ctx->caPubs = X509_chain_up_ref(caPubs)) != NULL;
  527. }
  528. #define char_dup OPENSSL_strdup
  529. #define char_free OPENSSL_free
  530. #define DEFINE_OSSL_CMP_CTX_set1(FIELD, TYPE) /* this uses _dup */ \
  531. int OSSL_CMP_CTX_set1_##FIELD(OSSL_CMP_CTX *ctx, const TYPE *val) \
  532. { \
  533. TYPE *val_dup = NULL; \
  534. \
  535. if (ctx == NULL) { \
  536. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); \
  537. return 0; \
  538. } \
  539. \
  540. if (val != NULL && (val_dup = TYPE##_dup(val)) == NULL) \
  541. return 0; \
  542. TYPE##_free(ctx->FIELD); \
  543. ctx->FIELD = val_dup; \
  544. return 1; \
  545. }
  546. #define X509_invalid(cert) (!x509v3_cache_extensions(cert))
  547. #define EVP_PKEY_invalid(key) 0
  548. #define DEFINE_OSSL_CMP_CTX_set1_up_ref(FIELD, TYPE) \
  549. int OSSL_CMP_CTX_set1_##FIELD(OSSL_CMP_CTX *ctx, TYPE *val) \
  550. { \
  551. if (ctx == NULL) { \
  552. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); \
  553. return 0; \
  554. } \
  555. \
  556. /* prevent misleading error later on malformed cert or provider issue */ \
  557. if (val != NULL && TYPE##_invalid(val)) { \
  558. ERR_raise(ERR_LIB_CMP, CMP_R_POTENTIALLY_INVALID_CERTIFICATE); \
  559. return 0; \
  560. } \
  561. if (val != NULL && !TYPE##_up_ref(val)) \
  562. return 0; \
  563. TYPE##_free(ctx->FIELD); \
  564. ctx->FIELD = val; \
  565. return 1; \
  566. }
  567. /*
  568. * Pins the server certificate to be directly trusted (even if it is expired)
  569. * for verifying response messages.
  570. * Cert pointer is not consumed. It may be NULL to clear the entry.
  571. */
  572. DEFINE_OSSL_CMP_CTX_set1_up_ref(srvCert, X509)
  573. /* Set the X509 name of the recipient. Set in the PKIHeader */
  574. DEFINE_OSSL_CMP_CTX_set1(recipient, X509_NAME)
  575. /* Store the X509 name of the expected sender in the PKIHeader of responses */
  576. DEFINE_OSSL_CMP_CTX_set1(expected_sender, X509_NAME)
  577. /* Set the X509 name of the issuer. Set in the PKIHeader */
  578. DEFINE_OSSL_CMP_CTX_set1(issuer, X509_NAME)
  579. /*
  580. * Set the subject name that will be placed in the certificate
  581. * request. This will be the subject name on the received certificate.
  582. */
  583. DEFINE_OSSL_CMP_CTX_set1(subjectName, X509_NAME)
  584. /* Set the X.509v3 certificate request extensions to be used in IR/CR/KUR */
  585. int OSSL_CMP_CTX_set0_reqExtensions(OSSL_CMP_CTX *ctx, X509_EXTENSIONS *exts)
  586. {
  587. if (ctx == NULL) {
  588. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  589. return 0;
  590. }
  591. if (sk_GENERAL_NAME_num(ctx->subjectAltNames) > 0 && exts != NULL
  592. && X509v3_get_ext_by_NID(exts, NID_subject_alt_name, -1) >= 0) {
  593. ERR_raise(ERR_LIB_CMP, CMP_R_MULTIPLE_SAN_SOURCES);
  594. return 0;
  595. }
  596. sk_X509_EXTENSION_pop_free(ctx->reqExtensions, X509_EXTENSION_free);
  597. ctx->reqExtensions = exts;
  598. return 1;
  599. }
  600. /* returns 1 if ctx contains a Subject Alternative Name extension, else 0 */
  601. int OSSL_CMP_CTX_reqExtensions_have_SAN(OSSL_CMP_CTX *ctx)
  602. {
  603. if (ctx == NULL) {
  604. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  605. return -1;
  606. }
  607. /* if one of the following conditions 'fail' this is not an error */
  608. return ctx->reqExtensions != NULL
  609. && X509v3_get_ext_by_NID(ctx->reqExtensions,
  610. NID_subject_alt_name, -1) >= 0;
  611. }
  612. /*
  613. * Add a GENERAL_NAME structure that will be added to the CRMF
  614. * request's extensions field to request subject alternative names.
  615. */
  616. int OSSL_CMP_CTX_push1_subjectAltName(OSSL_CMP_CTX *ctx,
  617. const GENERAL_NAME *name)
  618. {
  619. GENERAL_NAME *name_dup;
  620. if (ctx == NULL || name == NULL) {
  621. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  622. return 0;
  623. }
  624. if (OSSL_CMP_CTX_reqExtensions_have_SAN(ctx) == 1) {
  625. ERR_raise(ERR_LIB_CMP, CMP_R_MULTIPLE_SAN_SOURCES);
  626. return 0;
  627. }
  628. if (ctx->subjectAltNames == NULL
  629. && (ctx->subjectAltNames = sk_GENERAL_NAME_new_null()) == NULL)
  630. return 0;
  631. if ((name_dup = GENERAL_NAME_dup(name)) == NULL)
  632. return 0;
  633. if (!sk_GENERAL_NAME_push(ctx->subjectAltNames, name_dup)) {
  634. GENERAL_NAME_free(name_dup);
  635. return 0;
  636. }
  637. return 1;
  638. }
  639. /*
  640. * Set our own client certificate, used for example in KUR and when
  641. * doing the IR with existing certificate.
  642. */
  643. DEFINE_OSSL_CMP_CTX_set1_up_ref(cert, X509)
  644. int OSSL_CMP_CTX_build_cert_chain(OSSL_CMP_CTX *ctx, X509_STORE *own_trusted,
  645. STACK_OF(X509) *candidates)
  646. {
  647. STACK_OF(X509) *chain;
  648. if (ctx == NULL) {
  649. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  650. return 0;
  651. }
  652. if (ctx->untrusted != NULL ?
  653. !X509_add_certs(ctx->untrusted, candidates,
  654. X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP) :
  655. !OSSL_CMP_CTX_set1_untrusted(ctx, candidates))
  656. return 0;
  657. ossl_cmp_debug(ctx, "trying to build chain for own CMP signer cert");
  658. chain = ossl_cmp_build_cert_chain(ctx->libctx, ctx->propq, own_trusted,
  659. ctx->untrusted, ctx->cert);
  660. if (chain == NULL) {
  661. ERR_raise(ERR_LIB_CMP, CMP_R_FAILED_BUILDING_OWN_CHAIN);
  662. return 0;
  663. }
  664. ossl_cmp_debug(ctx, "success building chain for own CMP signer cert");
  665. ctx->chain = chain;
  666. return 1;
  667. }
  668. /*
  669. * Set the old certificate that we are updating in KUR
  670. * or the certificate to be revoked in RR, respectively.
  671. * Also used as reference cert (defaulting to cert) for deriving subject DN
  672. * and SANs. Its issuer is used as default recipient in the CMP message header.
  673. */
  674. DEFINE_OSSL_CMP_CTX_set1_up_ref(oldCert, X509)
  675. /* Set the PKCS#10 CSR to be sent in P10CR */
  676. DEFINE_OSSL_CMP_CTX_set1(p10CSR, X509_REQ)
  677. /*
  678. * Set the (newly received in IP/KUP/CP) certificate in the context.
  679. * TODO: this only permits for one cert to be enrolled at a time.
  680. */
  681. int ossl_cmp_ctx_set0_newCert(OSSL_CMP_CTX *ctx, X509 *cert)
  682. {
  683. if (!ossl_assert(ctx != NULL))
  684. return 0;
  685. X509_free(ctx->newCert);
  686. ctx->newCert = cert;
  687. return 1;
  688. }
  689. /*
  690. * Get the (newly received in IP/KUP/CP) client certificate from the context
  691. * TODO: this only permits for one client cert to be received...
  692. */
  693. X509 *OSSL_CMP_CTX_get0_newCert(const OSSL_CMP_CTX *ctx)
  694. {
  695. if (ctx == NULL) {
  696. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  697. return NULL;
  698. }
  699. return ctx->newCert;
  700. }
  701. /* Set the client's current private key */
  702. DEFINE_OSSL_CMP_CTX_set1_up_ref(pkey, EVP_PKEY)
  703. /* Set new key pair. Used e.g. when doing Key Update */
  704. int OSSL_CMP_CTX_set0_newPkey(OSSL_CMP_CTX *ctx, int priv, EVP_PKEY *pkey)
  705. {
  706. if (ctx == NULL) {
  707. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  708. return 0;
  709. }
  710. EVP_PKEY_free(ctx->newPkey);
  711. ctx->newPkey = pkey;
  712. ctx->newPkey_priv = priv;
  713. return 1;
  714. }
  715. /* Get the private/public key to use for cert enrollment, or NULL on error */
  716. EVP_PKEY *OSSL_CMP_CTX_get0_newPkey(const OSSL_CMP_CTX *ctx, int priv)
  717. {
  718. if (ctx == NULL) {
  719. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  720. return NULL;
  721. }
  722. if (ctx->newPkey != NULL)
  723. return priv && !ctx->newPkey_priv ? NULL : ctx->newPkey;
  724. if (ctx->p10CSR != NULL)
  725. return priv ? NULL : X509_REQ_get0_pubkey(ctx->p10CSR);
  726. return ctx->pkey; /* may be NULL */
  727. }
  728. /* Set the given transactionID to the context */
  729. int OSSL_CMP_CTX_set1_transactionID(OSSL_CMP_CTX *ctx,
  730. const ASN1_OCTET_STRING *id)
  731. {
  732. if (ctx == NULL) {
  733. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  734. return 0;
  735. }
  736. return ossl_cmp_asn1_octet_string_set1(&ctx->transactionID, id);
  737. }
  738. /* Set the nonce to be used for the recipNonce in the message created next */
  739. int ossl_cmp_ctx_set1_recipNonce(OSSL_CMP_CTX *ctx,
  740. const ASN1_OCTET_STRING *nonce)
  741. {
  742. if (!ossl_assert(ctx != NULL))
  743. return 0;
  744. return ossl_cmp_asn1_octet_string_set1(&ctx->recipNonce, nonce);
  745. }
  746. /* Stores the given nonce as the last senderNonce sent out */
  747. int OSSL_CMP_CTX_set1_senderNonce(OSSL_CMP_CTX *ctx,
  748. const ASN1_OCTET_STRING *nonce)
  749. {
  750. if (ctx == NULL) {
  751. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  752. return 0;
  753. }
  754. return ossl_cmp_asn1_octet_string_set1(&ctx->senderNonce, nonce);
  755. }
  756. /* Set the proxy server to use for HTTP(S) connections */
  757. DEFINE_OSSL_CMP_CTX_set1(proxy, char)
  758. /* Set the (HTTP) host name of the CMP server */
  759. DEFINE_OSSL_CMP_CTX_set1(server, char)
  760. /* Set the server exclusion list of the HTTP proxy server */
  761. DEFINE_OSSL_CMP_CTX_set1(no_proxy, char)
  762. /* Set the http connect/disconnect callback function to be used for HTTP(S) */
  763. int OSSL_CMP_CTX_set_http_cb(OSSL_CMP_CTX *ctx, OSSL_HTTP_bio_cb_t cb)
  764. {
  765. if (ctx == NULL) {
  766. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  767. return 0;
  768. }
  769. ctx->http_cb = cb;
  770. return 1;
  771. }
  772. /* Set argument optionally to be used by the http connect/disconnect callback */
  773. int OSSL_CMP_CTX_set_http_cb_arg(OSSL_CMP_CTX *ctx, void *arg)
  774. {
  775. if (ctx == NULL) {
  776. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  777. return 0;
  778. }
  779. ctx->http_cb_arg = arg;
  780. return 1;
  781. }
  782. /*
  783. * Get argument optionally to be used by the http connect/disconnect callback
  784. * Returns callback argument set previously (NULL if not set or on error)
  785. */
  786. void *OSSL_CMP_CTX_get_http_cb_arg(const OSSL_CMP_CTX *ctx)
  787. {
  788. if (ctx == NULL) {
  789. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  790. return NULL;
  791. }
  792. return ctx->http_cb_arg;
  793. }
  794. /* Set callback function for sending CMP request and receiving response */
  795. int OSSL_CMP_CTX_set_transfer_cb(OSSL_CMP_CTX *ctx, OSSL_CMP_transfer_cb_t cb)
  796. {
  797. if (ctx == NULL) {
  798. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  799. return 0;
  800. }
  801. ctx->transfer_cb = cb;
  802. return 1;
  803. }
  804. /* Set argument optionally to be used by the transfer callback */
  805. int OSSL_CMP_CTX_set_transfer_cb_arg(OSSL_CMP_CTX *ctx, void *arg)
  806. {
  807. if (ctx == NULL) {
  808. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  809. return 0;
  810. }
  811. ctx->transfer_cb_arg = arg;
  812. return 1;
  813. }
  814. /*
  815. * Get argument optionally to be used by the transfer callback.
  816. * Returns callback argument set previously (NULL if not set or on error)
  817. */
  818. void *OSSL_CMP_CTX_get_transfer_cb_arg(const OSSL_CMP_CTX *ctx)
  819. {
  820. if (ctx == NULL) {
  821. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  822. return NULL;
  823. }
  824. return ctx->transfer_cb_arg;
  825. }
  826. /** Set the HTTP server port to be used */
  827. int OSSL_CMP_CTX_set_serverPort(OSSL_CMP_CTX *ctx, int port)
  828. {
  829. if (ctx == NULL) {
  830. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  831. return 0;
  832. }
  833. ctx->serverPort = port;
  834. return 1;
  835. }
  836. /* Set the HTTP path to be used on the server (e.g "pkix/") */
  837. DEFINE_OSSL_CMP_CTX_set1(serverPath, char)
  838. /* Set the failInfo error code as bit encoding in OSSL_CMP_CTX */
  839. int ossl_cmp_ctx_set_failInfoCode(OSSL_CMP_CTX *ctx, int fail_info)
  840. {
  841. if (!ossl_assert(ctx != NULL))
  842. return 0;
  843. ctx->failInfoCode = fail_info;
  844. return 1;
  845. }
  846. /*
  847. * Get the failInfo error code in OSSL_CMP_CTX as bit encoding.
  848. * Returns bit string as integer on success, -1 on error
  849. */
  850. int OSSL_CMP_CTX_get_failInfoCode(const OSSL_CMP_CTX *ctx)
  851. {
  852. if (ctx == NULL) {
  853. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  854. return -1;
  855. }
  856. return ctx->failInfoCode;
  857. }
  858. /* Set a Boolean or integer option of the context to the "val" arg */
  859. int OSSL_CMP_CTX_set_option(OSSL_CMP_CTX *ctx, int opt, int val)
  860. {
  861. int min_val;
  862. if (ctx == NULL) {
  863. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  864. return 0;
  865. }
  866. switch (opt) {
  867. case OSSL_CMP_OPT_REVOCATION_REASON:
  868. min_val = OCSP_REVOKED_STATUS_NOSTATUS;
  869. break;
  870. case OSSL_CMP_OPT_POPO_METHOD:
  871. min_val = OSSL_CRMF_POPO_NONE;
  872. break;
  873. default:
  874. min_val = 0;
  875. break;
  876. }
  877. if (val < min_val) {
  878. ERR_raise(ERR_LIB_CMP, CMP_R_VALUE_TOO_SMALL);
  879. return 0;
  880. }
  881. switch (opt) {
  882. case OSSL_CMP_OPT_LOG_VERBOSITY:
  883. if (val > OSSL_CMP_LOG_MAX) {
  884. ERR_raise(ERR_LIB_CMP, CMP_R_VALUE_TOO_LARGE);
  885. return 0;
  886. }
  887. ctx->log_verbosity = val;
  888. break;
  889. case OSSL_CMP_OPT_IMPLICIT_CONFIRM:
  890. ctx->implicitConfirm = val;
  891. break;
  892. case OSSL_CMP_OPT_DISABLE_CONFIRM:
  893. ctx->disableConfirm = val;
  894. break;
  895. case OSSL_CMP_OPT_UNPROTECTED_SEND:
  896. ctx->unprotectedSend = val;
  897. break;
  898. case OSSL_CMP_OPT_UNPROTECTED_ERRORS:
  899. ctx->unprotectedErrors = val;
  900. break;
  901. case OSSL_CMP_OPT_VALIDITY_DAYS:
  902. ctx->days = val;
  903. break;
  904. case OSSL_CMP_OPT_SUBJECTALTNAME_NODEFAULT:
  905. ctx->SubjectAltName_nodefault = val;
  906. break;
  907. case OSSL_CMP_OPT_SUBJECTALTNAME_CRITICAL:
  908. ctx->setSubjectAltNameCritical = val;
  909. break;
  910. case OSSL_CMP_OPT_POLICIES_CRITICAL:
  911. ctx->setPoliciesCritical = val;
  912. break;
  913. case OSSL_CMP_OPT_IGNORE_KEYUSAGE:
  914. ctx->ignore_keyusage = val;
  915. break;
  916. case OSSL_CMP_OPT_POPO_METHOD:
  917. if (val > OSSL_CRMF_POPO_KEYAGREE) {
  918. ERR_raise(ERR_LIB_CMP, CMP_R_VALUE_TOO_LARGE);
  919. return 0;
  920. }
  921. ctx->popoMethod = val;
  922. break;
  923. case OSSL_CMP_OPT_DIGEST_ALGNID:
  924. if (!cmp_ctx_set_md(ctx, &ctx->digest, val))
  925. return 0;
  926. break;
  927. case OSSL_CMP_OPT_OWF_ALGNID:
  928. if (!cmp_ctx_set_md(ctx, &ctx->pbm_owf, val))
  929. return 0;
  930. break;
  931. case OSSL_CMP_OPT_MAC_ALGNID:
  932. ctx->pbm_mac = val;
  933. break;
  934. case OSSL_CMP_OPT_MSG_TIMEOUT:
  935. ctx->msg_timeout = val;
  936. break;
  937. case OSSL_CMP_OPT_TOTAL_TIMEOUT:
  938. ctx->total_timeout = val;
  939. break;
  940. case OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR:
  941. ctx->permitTAInExtraCertsForIR = val;
  942. break;
  943. case OSSL_CMP_OPT_REVOCATION_REASON:
  944. if (val > OCSP_REVOKED_STATUS_AACOMPROMISE) {
  945. ERR_raise(ERR_LIB_CMP, CMP_R_VALUE_TOO_LARGE);
  946. return 0;
  947. }
  948. ctx->revocationReason = val;
  949. break;
  950. default:
  951. ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_OPTION);
  952. return 0;
  953. }
  954. return 1;
  955. }
  956. /*
  957. * Reads a Boolean or integer option value from the context.
  958. * Returns -1 on error (which is the default OSSL_CMP_OPT_REVOCATION_REASON)
  959. */
  960. int OSSL_CMP_CTX_get_option(const OSSL_CMP_CTX *ctx, int opt)
  961. {
  962. if (ctx == NULL) {
  963. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  964. return -1;
  965. }
  966. switch (opt) {
  967. case OSSL_CMP_OPT_LOG_VERBOSITY:
  968. return ctx->log_verbosity;
  969. case OSSL_CMP_OPT_IMPLICIT_CONFIRM:
  970. return ctx->implicitConfirm;
  971. case OSSL_CMP_OPT_DISABLE_CONFIRM:
  972. return ctx->disableConfirm;
  973. case OSSL_CMP_OPT_UNPROTECTED_SEND:
  974. return ctx->unprotectedSend;
  975. case OSSL_CMP_OPT_UNPROTECTED_ERRORS:
  976. return ctx->unprotectedErrors;
  977. case OSSL_CMP_OPT_VALIDITY_DAYS:
  978. return ctx->days;
  979. case OSSL_CMP_OPT_SUBJECTALTNAME_NODEFAULT:
  980. return ctx->SubjectAltName_nodefault;
  981. case OSSL_CMP_OPT_SUBJECTALTNAME_CRITICAL:
  982. return ctx->setSubjectAltNameCritical;
  983. case OSSL_CMP_OPT_POLICIES_CRITICAL:
  984. return ctx->setPoliciesCritical;
  985. case OSSL_CMP_OPT_IGNORE_KEYUSAGE:
  986. return ctx->ignore_keyusage;
  987. case OSSL_CMP_OPT_POPO_METHOD:
  988. return ctx->popoMethod;
  989. case OSSL_CMP_OPT_DIGEST_ALGNID:
  990. return EVP_MD_type(ctx->digest);
  991. case OSSL_CMP_OPT_OWF_ALGNID:
  992. return EVP_MD_type(ctx->pbm_owf);
  993. case OSSL_CMP_OPT_MAC_ALGNID:
  994. return ctx->pbm_mac;
  995. case OSSL_CMP_OPT_MSG_TIMEOUT:
  996. return ctx->msg_timeout;
  997. case OSSL_CMP_OPT_TOTAL_TIMEOUT:
  998. return ctx->total_timeout;
  999. case OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR:
  1000. return ctx->permitTAInExtraCertsForIR;
  1001. case OSSL_CMP_OPT_REVOCATION_REASON:
  1002. return ctx->revocationReason;
  1003. default:
  1004. ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_OPTION);
  1005. return -1;
  1006. }
  1007. }