A local copy of OpenSSL from GitHub
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

1089 lines
33 KiB

  1. /*
  2. * Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved.
  3. * Copyright Nokia 2007-2019
  4. * Copyright Siemens AG 2015-2019
  5. *
  6. * Licensed under the Apache License 2.0 (the "License"). You may not use
  7. * this file except in compliance with the License. You can obtain a copy
  8. * in the file LICENSE in the source distribution or at
  9. * https://www.openssl.org/source/license.html
  10. */
  11. /* CMP functions for PKIMessage construction */
  12. #include "cmp_local.h"
  13. /* explicit #includes not strictly needed since implied by the above: */
  14. #include <openssl/asn1t.h>
  15. #include <openssl/cmp.h>
  16. #include <openssl/crmf.h>
  17. #include <openssl/err.h>
  18. #include <openssl/x509.h>
  19. #include "crypto/x509.h" /* for x509_set0_libctx() */
  20. OSSL_CMP_PKIHEADER *OSSL_CMP_MSG_get0_header(const OSSL_CMP_MSG *msg)
  21. {
  22. if (msg == NULL) {
  23. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  24. return NULL;
  25. }
  26. return msg->header;
  27. }
  28. const char *ossl_cmp_bodytype_to_string(int type)
  29. {
  30. static const char *type_names[] = {
  31. "IR", "IP", "CR", "CP", "P10CR",
  32. "POPDECC", "POPDECR", "KUR", "KUP",
  33. "KRR", "KRP", "RR", "RP", "CCR", "CCP",
  34. "CKUANN", "CANN", "RANN", "CRLANN", "PKICONF", "NESTED",
  35. "GENM", "GENP", "ERROR", "CERTCONF", "POLLREQ", "POLLREP",
  36. };
  37. if (type < 0 || type > OSSL_CMP_PKIBODY_TYPE_MAX)
  38. return "illegal body type";
  39. return type_names[type];
  40. }
  41. int ossl_cmp_msg_set_bodytype(OSSL_CMP_MSG *msg, int type)
  42. {
  43. if (!ossl_assert(msg != NULL && msg->body != NULL))
  44. return 0;
  45. msg->body->type = type;
  46. return 1;
  47. }
  48. int ossl_cmp_msg_get_bodytype(const OSSL_CMP_MSG *msg)
  49. {
  50. if (!ossl_assert(msg != NULL && msg->body != NULL))
  51. return -1;
  52. return msg->body->type;
  53. }
  54. /* Add an extension to the referenced extension stack, which may be NULL */
  55. static int add1_extension(X509_EXTENSIONS **pexts, int nid, int crit, void *ex)
  56. {
  57. X509_EXTENSION *ext;
  58. int res;
  59. if (!ossl_assert(pexts != NULL)) /* pointer to var must not be NULL */
  60. return 0;
  61. if ((ext = X509V3_EXT_i2d(nid, crit, ex)) == NULL)
  62. return 0;
  63. res = X509v3_add_ext(pexts, ext, 0) != NULL;
  64. X509_EXTENSION_free(ext);
  65. return res;
  66. }
  67. /* Add extension list to the referenced extension stack, which may be NULL */
  68. static int add_extensions(STACK_OF(X509_EXTENSION) **target,
  69. const STACK_OF(X509_EXTENSION) *exts)
  70. {
  71. int i;
  72. if (target == NULL)
  73. return 0;
  74. for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) {
  75. X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i);
  76. ASN1_OBJECT *obj = X509_EXTENSION_get_object(ext);
  77. int idx = X509v3_get_ext_by_OBJ(*target, obj, -1);
  78. /* Does extension exist in target? */
  79. if (idx != -1) {
  80. /* Delete all extensions of same type */
  81. do {
  82. X509_EXTENSION_free(sk_X509_EXTENSION_delete(*target, idx));
  83. idx = X509v3_get_ext_by_OBJ(*target, obj, -1);
  84. } while (idx != -1);
  85. }
  86. if (!X509v3_add_ext(target, ext, -1))
  87. return 0;
  88. }
  89. return 1;
  90. }
  91. /* Add a CRL revocation reason code to extension stack, which may be NULL */
  92. static int add_crl_reason_extension(X509_EXTENSIONS **pexts, int reason_code)
  93. {
  94. ASN1_ENUMERATED *val = ASN1_ENUMERATED_new();
  95. int res = 0;
  96. if (val != NULL && ASN1_ENUMERATED_set(val, reason_code))
  97. res = add1_extension(pexts, NID_crl_reason, 0 /* non-critical */, val);
  98. ASN1_ENUMERATED_free(val);
  99. return res;
  100. }
  101. OSSL_CMP_MSG *ossl_cmp_msg_create(OSSL_CMP_CTX *ctx, int bodytype)
  102. {
  103. OSSL_CMP_MSG *msg = NULL;
  104. if (!ossl_assert(ctx != NULL))
  105. return NULL;
  106. if ((msg = OSSL_CMP_MSG_new()) == NULL)
  107. return NULL;
  108. if (!ossl_cmp_hdr_init(ctx, msg->header)
  109. || !ossl_cmp_msg_set_bodytype(msg, bodytype))
  110. goto err;
  111. if (ctx->geninfo_ITAVs != NULL
  112. && !ossl_cmp_hdr_generalInfo_push1_items(msg->header,
  113. ctx->geninfo_ITAVs))
  114. goto err;
  115. switch (bodytype) {
  116. case OSSL_CMP_PKIBODY_IR:
  117. case OSSL_CMP_PKIBODY_CR:
  118. case OSSL_CMP_PKIBODY_KUR:
  119. if ((msg->body->value.ir = OSSL_CRMF_MSGS_new()) == NULL)
  120. goto err;
  121. return msg;
  122. case OSSL_CMP_PKIBODY_P10CR:
  123. if (ctx->p10CSR == NULL) {
  124. ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_P10CSR);
  125. goto err;
  126. }
  127. if ((msg->body->value.p10cr = X509_REQ_dup(ctx->p10CSR)) == NULL)
  128. goto err;
  129. return msg;
  130. case OSSL_CMP_PKIBODY_IP:
  131. case OSSL_CMP_PKIBODY_CP:
  132. case OSSL_CMP_PKIBODY_KUP:
  133. if ((msg->body->value.ip = OSSL_CMP_CERTREPMESSAGE_new()) == NULL)
  134. goto err;
  135. return msg;
  136. case OSSL_CMP_PKIBODY_RR:
  137. if ((msg->body->value.rr = sk_OSSL_CMP_REVDETAILS_new_null()) == NULL)
  138. goto err;
  139. return msg;
  140. case OSSL_CMP_PKIBODY_RP:
  141. if ((msg->body->value.rp = OSSL_CMP_REVREPCONTENT_new()) == NULL)
  142. goto err;
  143. return msg;
  144. case OSSL_CMP_PKIBODY_CERTCONF:
  145. if ((msg->body->value.certConf =
  146. sk_OSSL_CMP_CERTSTATUS_new_null()) == NULL)
  147. goto err;
  148. return msg;
  149. case OSSL_CMP_PKIBODY_PKICONF:
  150. if ((msg->body->value.pkiconf = ASN1_TYPE_new()) == NULL)
  151. goto err;
  152. ASN1_TYPE_set(msg->body->value.pkiconf, V_ASN1_NULL, NULL);
  153. return msg;
  154. case OSSL_CMP_PKIBODY_POLLREQ:
  155. if ((msg->body->value.pollReq = sk_OSSL_CMP_POLLREQ_new_null()) == NULL)
  156. goto err;
  157. return msg;
  158. case OSSL_CMP_PKIBODY_POLLREP:
  159. if ((msg->body->value.pollRep = sk_OSSL_CMP_POLLREP_new_null()) == NULL)
  160. goto err;
  161. return msg;
  162. case OSSL_CMP_PKIBODY_GENM:
  163. case OSSL_CMP_PKIBODY_GENP:
  164. if ((msg->body->value.genm = sk_OSSL_CMP_ITAV_new_null()) == NULL)
  165. goto err;
  166. return msg;
  167. case OSSL_CMP_PKIBODY_ERROR:
  168. if ((msg->body->value.error = OSSL_CMP_ERRORMSGCONTENT_new()) == NULL)
  169. goto err;
  170. return msg;
  171. default:
  172. ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
  173. goto err;
  174. }
  175. err:
  176. OSSL_CMP_MSG_free(msg);
  177. return NULL;
  178. }
  179. #define HAS_SAN(ctx) \
  180. (sk_GENERAL_NAME_num((ctx)->subjectAltNames) > 0 \
  181. || OSSL_CMP_CTX_reqExtensions_have_SAN(ctx) == 1)
  182. static const X509_NAME *determine_subj(OSSL_CMP_CTX *ctx,
  183. const X509_NAME *ref_subj,
  184. int for_KUR)
  185. {
  186. if (ctx->subjectName != NULL)
  187. return ctx->subjectName;
  188. if (ref_subj != NULL && (for_KUR || !HAS_SAN(ctx)))
  189. /*
  190. * For KUR, copy subject from the reference.
  191. * For IR or CR, do the same only if there is no subjectAltName.
  192. */
  193. return ref_subj;
  194. return NULL;
  195. }
  196. OSSL_CRMF_MSG *OSSL_CMP_CTX_setup_CRM(OSSL_CMP_CTX *ctx, int for_KUR, int rid)
  197. {
  198. OSSL_CRMF_MSG *crm = NULL;
  199. X509 *refcert = ctx->oldCert != NULL ? ctx->oldCert : ctx->cert;
  200. /* refcert defaults to current client cert */
  201. EVP_PKEY *rkey = OSSL_CMP_CTX_get0_newPkey(ctx, 0);
  202. STACK_OF(GENERAL_NAME) *default_sans = NULL;
  203. const X509_NAME *ref_subj =
  204. ctx->p10CSR != NULL ? X509_REQ_get_subject_name(ctx->p10CSR) :
  205. refcert != NULL ? X509_get_subject_name(refcert) : NULL;
  206. const X509_NAME *subject = determine_subj(ctx, ref_subj, for_KUR);
  207. const X509_NAME *issuer = ctx->issuer != NULL || refcert == NULL
  208. ? ctx->issuer : X509_get_issuer_name(refcert);
  209. int crit = ctx->setSubjectAltNameCritical || subject == NULL;
  210. /* RFC5280: subjectAltName MUST be critical if subject is null */
  211. X509_EXTENSIONS *exts = NULL;
  212. if (rkey == NULL && ctx->p10CSR != NULL)
  213. rkey = X509_REQ_get0_pubkey(ctx->p10CSR);
  214. if (rkey == NULL)
  215. rkey = ctx->pkey; /* default is independent of ctx->oldCert */
  216. if (rkey == NULL) {
  217. #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
  218. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  219. return NULL;
  220. #endif
  221. }
  222. if (for_KUR && refcert == NULL && ctx->p10CSR == NULL) {
  223. ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_REFERENCE_CERT);
  224. return NULL;
  225. }
  226. if ((crm = OSSL_CRMF_MSG_new()) == NULL)
  227. return NULL;
  228. if (!OSSL_CRMF_MSG_set_certReqId(crm, rid)
  229. /*
  230. * fill certTemplate, corresponding to CertificationRequestInfo
  231. * of PKCS#10. The rkey param cannot be NULL so far -
  232. * it could be NULL if centralized key creation was supported
  233. */
  234. || !OSSL_CRMF_CERTTEMPLATE_fill(OSSL_CRMF_MSG_get0_tmpl(crm), rkey,
  235. subject, issuer, NULL /* serial */))
  236. goto err;
  237. if (ctx->days != 0) {
  238. time_t now = time(NULL);
  239. ASN1_TIME *notBefore = ASN1_TIME_adj(NULL, now, 0, 0);
  240. ASN1_TIME *notAfter = ASN1_TIME_adj(NULL, now, ctx->days, 0);
  241. if (notBefore == NULL
  242. || notAfter == NULL
  243. || !OSSL_CRMF_MSG_set0_validity(crm, notBefore, notAfter)) {
  244. ASN1_TIME_free(notBefore);
  245. ASN1_TIME_free(notAfter);
  246. goto err;
  247. }
  248. }
  249. /* extensions */
  250. if (refcert != NULL && !ctx->SubjectAltName_nodefault)
  251. default_sans = X509V3_get_d2i(X509_get0_extensions(refcert),
  252. NID_subject_alt_name, NULL, NULL);
  253. if (ctx->p10CSR != NULL
  254. && (exts = X509_REQ_get_extensions(ctx->p10CSR)) == NULL)
  255. goto err;
  256. if (ctx->reqExtensions != NULL /* augment/override existing ones */
  257. && !add_extensions(&exts, ctx->reqExtensions))
  258. goto err;
  259. if (sk_GENERAL_NAME_num(ctx->subjectAltNames) > 0
  260. && !add1_extension(&exts, NID_subject_alt_name,
  261. crit, ctx->subjectAltNames))
  262. goto err;
  263. if (!HAS_SAN(ctx) && default_sans != NULL
  264. && !add1_extension(&exts, NID_subject_alt_name, crit, default_sans))
  265. goto err;
  266. if (ctx->policies != NULL
  267. && !add1_extension(&exts, NID_certificate_policies,
  268. ctx->setPoliciesCritical, ctx->policies))
  269. goto err;
  270. if (!OSSL_CRMF_MSG_set0_extensions(crm, exts))
  271. goto err;
  272. exts = NULL;
  273. /* end fill certTemplate, now set any controls */
  274. /* for KUR, set OldCertId according to D.6 */
  275. if (for_KUR && refcert != NULL) {
  276. OSSL_CRMF_CERTID *cid =
  277. OSSL_CRMF_CERTID_gen(X509_get_issuer_name(refcert),
  278. X509_get0_serialNumber(refcert));
  279. int ret;
  280. if (cid == NULL)
  281. goto err;
  282. ret = OSSL_CRMF_MSG_set1_regCtrl_oldCertID(crm, cid);
  283. OSSL_CRMF_CERTID_free(cid);
  284. if (ret == 0)
  285. goto err;
  286. }
  287. goto end;
  288. err:
  289. OSSL_CRMF_MSG_free(crm);
  290. crm = NULL;
  291. end:
  292. sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
  293. sk_GENERAL_NAME_pop_free(default_sans, GENERAL_NAME_free);
  294. return crm;
  295. }
  296. OSSL_CMP_MSG *ossl_cmp_certreq_new(OSSL_CMP_CTX *ctx, int type,
  297. const OSSL_CRMF_MSG *crm)
  298. {
  299. OSSL_CMP_MSG *msg;
  300. OSSL_CRMF_MSG *local_crm = NULL;
  301. if (!ossl_assert(ctx != NULL))
  302. return NULL;
  303. if (type != OSSL_CMP_PKIBODY_IR && type != OSSL_CMP_PKIBODY_CR
  304. && type != OSSL_CMP_PKIBODY_KUR && type != OSSL_CMP_PKIBODY_P10CR) {
  305. ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS);
  306. return NULL;
  307. }
  308. if ((msg = ossl_cmp_msg_create(ctx, type)) == NULL)
  309. goto err;
  310. /* header */
  311. if (ctx->implicitConfirm && !ossl_cmp_hdr_set_implicitConfirm(msg->header))
  312. goto err;
  313. /* body */
  314. /* For P10CR the content has already been set in OSSL_CMP_MSG_create */
  315. if (type != OSSL_CMP_PKIBODY_P10CR) {
  316. EVP_PKEY *privkey = OSSL_CMP_CTX_get0_newPkey(ctx, 1);
  317. /*
  318. * privkey is NULL in case ctx->newPkey does not include a private key.
  319. * We then may try to use ctx->pkey as fallback/default, but only
  320. * if ctx-> newPkey does not include a (non-matching) public key:
  321. */
  322. if (privkey == NULL && OSSL_CMP_CTX_get0_newPkey(ctx, 0) == NULL)
  323. privkey = ctx->pkey; /* default is independent of ctx->oldCert */
  324. if (ctx->popoMethod == OSSL_CRMF_POPO_SIGNATURE && privkey == NULL) {
  325. ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_PRIVATE_KEY);
  326. goto err;
  327. }
  328. if (crm == NULL) {
  329. local_crm = OSSL_CMP_CTX_setup_CRM(ctx,
  330. type == OSSL_CMP_PKIBODY_KUR,
  331. OSSL_CMP_CERTREQID);
  332. if (local_crm == NULL
  333. || !OSSL_CRMF_MSG_create_popo(ctx->popoMethod, local_crm,
  334. privkey, ctx->digest,
  335. ctx->libctx, ctx->propq))
  336. goto err;
  337. } else {
  338. if ((local_crm = OSSL_CRMF_MSG_dup(crm)) == NULL)
  339. goto err;
  340. }
  341. /* value.ir is same for cr and kur */
  342. if (!sk_OSSL_CRMF_MSG_push(msg->body->value.ir, local_crm))
  343. goto err;
  344. local_crm = NULL;
  345. /* TODO: here optional 2nd certreqmsg could be pushed to the stack */
  346. }
  347. if (!ossl_cmp_msg_protect(ctx, msg))
  348. goto err;
  349. return msg;
  350. err:
  351. ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_CERTREQ);
  352. OSSL_CRMF_MSG_free(local_crm);
  353. OSSL_CMP_MSG_free(msg);
  354. return NULL;
  355. }
  356. OSSL_CMP_MSG *ossl_cmp_certrep_new(OSSL_CMP_CTX *ctx, int bodytype,
  357. int certReqId, OSSL_CMP_PKISI *si,
  358. X509 *cert, STACK_OF(X509) *chain,
  359. STACK_OF(X509) *caPubs, int encrypted,
  360. int unprotectedErrors)
  361. {
  362. OSSL_CMP_MSG *msg = NULL;
  363. OSSL_CMP_CERTREPMESSAGE *repMsg = NULL;
  364. OSSL_CMP_CERTRESPONSE *resp = NULL;
  365. int status = -1;
  366. if (!ossl_assert(ctx != NULL && si != NULL))
  367. return NULL;
  368. if ((msg = ossl_cmp_msg_create(ctx, bodytype)) == NULL)
  369. goto err;
  370. repMsg = msg->body->value.ip; /* value.ip is same for cp and kup */
  371. /* header */
  372. if (ctx->implicitConfirm && !ossl_cmp_hdr_set_implicitConfirm(msg->header))
  373. goto err;
  374. /* body */
  375. if ((resp = OSSL_CMP_CERTRESPONSE_new()) == NULL)
  376. goto err;
  377. OSSL_CMP_PKISI_free(resp->status);
  378. if ((resp->status = OSSL_CMP_PKISI_dup(si)) == NULL
  379. || !ASN1_INTEGER_set(resp->certReqId, certReqId))
  380. goto err;
  381. status = ossl_cmp_pkisi_get_status(resp->status);
  382. if (status != OSSL_CMP_PKISTATUS_rejection
  383. && status != OSSL_CMP_PKISTATUS_waiting && cert != NULL) {
  384. if (encrypted) {
  385. ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS);
  386. goto err;
  387. }
  388. if ((resp->certifiedKeyPair = OSSL_CMP_CERTIFIEDKEYPAIR_new())
  389. == NULL)
  390. goto err;
  391. resp->certifiedKeyPair->certOrEncCert->type =
  392. OSSL_CMP_CERTORENCCERT_CERTIFICATE;
  393. if (!X509_up_ref(cert))
  394. goto err;
  395. resp->certifiedKeyPair->certOrEncCert->value.certificate = cert;
  396. }
  397. if (!sk_OSSL_CMP_CERTRESPONSE_push(repMsg->response, resp))
  398. goto err;
  399. resp = NULL;
  400. /* TODO: here optional 2nd certrep could be pushed to the stack */
  401. if (bodytype == OSSL_CMP_PKIBODY_IP && caPubs != NULL
  402. && (repMsg->caPubs = X509_chain_up_ref(caPubs)) == NULL)
  403. goto err;
  404. if (sk_X509_num(chain) > 0) {
  405. msg->extraCerts = sk_X509_new_reserve(NULL, sk_X509_num(chain));
  406. if (msg->extraCerts == NULL
  407. || !X509_add_certs(msg->extraCerts, chain,
  408. X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP))
  409. goto err;
  410. }
  411. if (!unprotectedErrors
  412. || ossl_cmp_pkisi_get_status(si) != OSSL_CMP_PKISTATUS_rejection)
  413. if (!ossl_cmp_msg_protect(ctx, msg))
  414. goto err;
  415. return msg;
  416. err:
  417. ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_CERTREP);
  418. OSSL_CMP_CERTRESPONSE_free(resp);
  419. OSSL_CMP_MSG_free(msg);
  420. return NULL;
  421. }
  422. OSSL_CMP_MSG *ossl_cmp_rr_new(OSSL_CMP_CTX *ctx)
  423. {
  424. OSSL_CMP_MSG *msg = NULL;
  425. OSSL_CMP_REVDETAILS *rd;
  426. int ret;
  427. if (!ossl_assert(ctx != NULL && (ctx->oldCert != NULL
  428. || ctx->p10CSR != NULL)))
  429. return NULL;
  430. if ((rd = OSSL_CMP_REVDETAILS_new()) == NULL)
  431. goto err;
  432. /* Fill the template from the contents of the certificate to be revoked */
  433. ret = ctx->oldCert != NULL
  434. ? OSSL_CRMF_CERTTEMPLATE_fill(rd->certDetails,
  435. NULL /* pubkey would be redundant */,
  436. NULL /* subject would be redundant */,
  437. X509_get_issuer_name(ctx->oldCert),
  438. X509_get0_serialNumber(ctx->oldCert))
  439. : OSSL_CRMF_CERTTEMPLATE_fill(rd->certDetails,
  440. X509_REQ_get0_pubkey(ctx->p10CSR),
  441. X509_REQ_get_subject_name(ctx->p10CSR),
  442. NULL, NULL);
  443. if (!ret)
  444. goto err;
  445. /* revocation reason code is optional */
  446. if (ctx->revocationReason != CRL_REASON_NONE
  447. && !add_crl_reason_extension(&rd->crlEntryDetails,
  448. ctx->revocationReason))
  449. goto err;
  450. if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_RR)) == NULL)
  451. goto err;
  452. if (!sk_OSSL_CMP_REVDETAILS_push(msg->body->value.rr, rd))
  453. goto err;
  454. rd = NULL;
  455. /*
  456. * TODO: the Revocation Passphrase according to section 5.3.19.9 could be
  457. * set here if set in ctx
  458. */
  459. if (!ossl_cmp_msg_protect(ctx, msg))
  460. goto err;
  461. return msg;
  462. err:
  463. ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_RR);
  464. OSSL_CMP_MSG_free(msg);
  465. OSSL_CMP_REVDETAILS_free(rd);
  466. return NULL;
  467. }
  468. OSSL_CMP_MSG *ossl_cmp_rp_new(OSSL_CMP_CTX *ctx, OSSL_CMP_PKISI *si,
  469. OSSL_CRMF_CERTID *cid, int unprot_err)
  470. {
  471. OSSL_CMP_REVREPCONTENT *rep = NULL;
  472. OSSL_CMP_PKISI *si1 = NULL;
  473. OSSL_CRMF_CERTID *cid_copy = NULL;
  474. OSSL_CMP_MSG *msg = NULL;
  475. if (!ossl_assert(ctx != NULL && si != NULL))
  476. return NULL;
  477. if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_RP)) == NULL)
  478. goto err;
  479. rep = msg->body->value.rp;
  480. if ((si1 = OSSL_CMP_PKISI_dup(si)) == NULL)
  481. goto err;
  482. if (!sk_OSSL_CMP_PKISI_push(rep->status, si1)) {
  483. OSSL_CMP_PKISI_free(si1);
  484. goto err;
  485. }
  486. if ((rep->revCerts = sk_OSSL_CRMF_CERTID_new_null()) == NULL)
  487. goto err;
  488. if (cid != NULL) {
  489. if ((cid_copy = OSSL_CRMF_CERTID_dup(cid)) == NULL)
  490. goto err;
  491. if (!sk_OSSL_CRMF_CERTID_push(rep->revCerts, cid_copy)) {
  492. OSSL_CRMF_CERTID_free(cid_copy);
  493. goto err;
  494. }
  495. }
  496. if (!unprot_err
  497. || ossl_cmp_pkisi_get_status(si) != OSSL_CMP_PKISTATUS_rejection)
  498. if (!ossl_cmp_msg_protect(ctx, msg))
  499. goto err;
  500. return msg;
  501. err:
  502. ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_RP);
  503. OSSL_CMP_MSG_free(msg);
  504. return NULL;
  505. }
  506. OSSL_CMP_MSG *ossl_cmp_pkiconf_new(OSSL_CMP_CTX *ctx)
  507. {
  508. OSSL_CMP_MSG *msg;
  509. if (!ossl_assert(ctx != NULL))
  510. return NULL;
  511. if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_PKICONF)) == NULL)
  512. goto err;
  513. if (ossl_cmp_msg_protect(ctx, msg))
  514. return msg;
  515. err:
  516. ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_PKICONF);
  517. OSSL_CMP_MSG_free(msg);
  518. return NULL;
  519. }
  520. int ossl_cmp_msg_gen_push0_ITAV(OSSL_CMP_MSG *msg, OSSL_CMP_ITAV *itav)
  521. {
  522. int bodytype;
  523. if (!ossl_assert(msg != NULL && itav != NULL))
  524. return 0;
  525. bodytype = ossl_cmp_msg_get_bodytype(msg);
  526. if (bodytype != OSSL_CMP_PKIBODY_GENM
  527. && bodytype != OSSL_CMP_PKIBODY_GENP) {
  528. ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS);
  529. return 0;
  530. }
  531. /* value.genp has the same structure, so this works for genp as well */
  532. return OSSL_CMP_ITAV_push0_stack_item(&msg->body->value.genm, itav);
  533. }
  534. int ossl_cmp_msg_gen_push1_ITAVs(OSSL_CMP_MSG *msg,
  535. const STACK_OF(OSSL_CMP_ITAV) *itavs)
  536. {
  537. int i;
  538. OSSL_CMP_ITAV *itav = NULL;
  539. if (!ossl_assert(msg != NULL))
  540. return 0;
  541. for (i = 0; i < sk_OSSL_CMP_ITAV_num(itavs); i++) {
  542. itav = OSSL_CMP_ITAV_dup(sk_OSSL_CMP_ITAV_value(itavs, i));
  543. if (itav == NULL
  544. || !ossl_cmp_msg_gen_push0_ITAV(msg, itav)) {
  545. OSSL_CMP_ITAV_free(itav);
  546. return 0;
  547. }
  548. }
  549. return 1;
  550. }
  551. /*
  552. * Creates a new General Message/Response with an empty itav stack
  553. * returns a pointer to the PKIMessage on success, NULL on error
  554. */
  555. static OSSL_CMP_MSG *gen_new(OSSL_CMP_CTX *ctx,
  556. const STACK_OF(OSSL_CMP_ITAV) *itavs,
  557. int body_type, int err_code)
  558. {
  559. OSSL_CMP_MSG *msg = NULL;
  560. if (!ossl_assert(ctx != NULL))
  561. return NULL;
  562. if ((msg = ossl_cmp_msg_create(ctx, body_type)) == NULL)
  563. return NULL;
  564. if (ctx->genm_ITAVs != NULL
  565. && !ossl_cmp_msg_gen_push1_ITAVs(msg, itavs))
  566. goto err;
  567. if (!ossl_cmp_msg_protect(ctx, msg))
  568. goto err;
  569. return msg;
  570. err:
  571. ERR_raise(ERR_LIB_CMP, err_code);
  572. OSSL_CMP_MSG_free(msg);
  573. return NULL;
  574. }
  575. OSSL_CMP_MSG *ossl_cmp_genm_new(OSSL_CMP_CTX *ctx)
  576. {
  577. return gen_new(ctx, ctx->genm_ITAVs,
  578. OSSL_CMP_PKIBODY_GENM, CMP_R_ERROR_CREATING_GENM);
  579. }
  580. OSSL_CMP_MSG *ossl_cmp_genp_new(OSSL_CMP_CTX *ctx,
  581. const STACK_OF(OSSL_CMP_ITAV) *itavs)
  582. {
  583. return gen_new(ctx, itavs,
  584. OSSL_CMP_PKIBODY_GENP, CMP_R_ERROR_CREATING_GENP);
  585. }
  586. OSSL_CMP_MSG *ossl_cmp_error_new(OSSL_CMP_CTX *ctx, OSSL_CMP_PKISI *si,
  587. int errorCode,
  588. const char *details, int unprotected)
  589. {
  590. OSSL_CMP_MSG *msg = NULL;
  591. OSSL_CMP_PKIFREETEXT *ft;
  592. if (!ossl_assert(ctx != NULL && si != NULL))
  593. return NULL;
  594. if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_ERROR)) == NULL)
  595. goto err;
  596. OSSL_CMP_PKISI_free(msg->body->value.error->pKIStatusInfo);
  597. if ((msg->body->value.error->pKIStatusInfo = OSSL_CMP_PKISI_dup(si))
  598. == NULL)
  599. goto err;
  600. if (errorCode >= 0) {
  601. if ((msg->body->value.error->errorCode = ASN1_INTEGER_new()) == NULL)
  602. goto err;
  603. if (!ASN1_INTEGER_set(msg->body->value.error->errorCode, errorCode))
  604. goto err;
  605. }
  606. if (details != NULL) {
  607. if ((ft = sk_ASN1_UTF8STRING_new_null()) == NULL)
  608. goto err;
  609. msg->body->value.error->errorDetails = ft;
  610. if (!ossl_cmp_sk_ASN1_UTF8STRING_push_str(ft, details))
  611. goto err;
  612. }
  613. if (!unprotected && !ossl_cmp_msg_protect(ctx, msg))
  614. goto err;
  615. return msg;
  616. err:
  617. ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_ERROR);
  618. OSSL_CMP_MSG_free(msg);
  619. return NULL;
  620. }
  621. /*
  622. * Set the certHash field of a OSSL_CMP_CERTSTATUS structure.
  623. * This is used in the certConf message, for example,
  624. * to confirm that the certificate was received successfully.
  625. */
  626. int ossl_cmp_certstatus_set0_certHash(OSSL_CMP_CERTSTATUS *certStatus,
  627. ASN1_OCTET_STRING *hash)
  628. {
  629. if (!ossl_assert(certStatus != NULL))
  630. return 0;
  631. ASN1_OCTET_STRING_free(certStatus->certHash);
  632. certStatus->certHash = hash;
  633. return 1;
  634. }
  635. /*
  636. * TODO: handle potential 2nd certificate when signing and encrypting
  637. * certificates have been requested/received
  638. */
  639. OSSL_CMP_MSG *ossl_cmp_certConf_new(OSSL_CMP_CTX *ctx, int fail_info,
  640. const char *text)
  641. {
  642. OSSL_CMP_MSG *msg = NULL;
  643. OSSL_CMP_CERTSTATUS *certStatus = NULL;
  644. ASN1_OCTET_STRING *certHash = NULL;
  645. OSSL_CMP_PKISI *sinfo;
  646. if (!ossl_assert(ctx != NULL && ctx->newCert != NULL))
  647. return NULL;
  648. if ((unsigned)fail_info > OSSL_CMP_PKIFAILUREINFO_MAX_BIT_PATTERN) {
  649. ERR_raise(ERR_LIB_CMP, CMP_R_FAIL_INFO_OUT_OF_RANGE);
  650. return NULL;
  651. }
  652. if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_CERTCONF)) == NULL)
  653. goto err;
  654. if ((certStatus = OSSL_CMP_CERTSTATUS_new()) == NULL)
  655. goto err;
  656. /* consume certStatus into msg right away so it gets deallocated with msg */
  657. if (!sk_OSSL_CMP_CERTSTATUS_push(msg->body->value.certConf, certStatus))
  658. goto err;
  659. /* set the ID of the certReq */
  660. if (!ASN1_INTEGER_set(certStatus->certReqId, OSSL_CMP_CERTREQID))
  661. goto err;
  662. /*
  663. * the hash of the certificate, using the same hash algorithm
  664. * as is used to create and verify the certificate signature
  665. */
  666. if ((certHash = X509_digest_sig(ctx->newCert)) == NULL)
  667. goto err;
  668. if (!ossl_cmp_certstatus_set0_certHash(certStatus, certHash))
  669. goto err;
  670. certHash = NULL;
  671. /*
  672. * For any particular CertStatus, omission of the statusInfo field
  673. * indicates ACCEPTANCE of the specified certificate. Alternatively,
  674. * explicit status details (with respect to acceptance or rejection) MAY
  675. * be provided in the statusInfo field, perhaps for auditing purposes at
  676. * the CA/RA.
  677. */
  678. sinfo = fail_info != 0 ?
  679. OSSL_CMP_STATUSINFO_new(OSSL_CMP_PKISTATUS_rejection, fail_info, text) :
  680. OSSL_CMP_STATUSINFO_new(OSSL_CMP_PKISTATUS_accepted, 0, text);
  681. if (sinfo == NULL)
  682. goto err;
  683. certStatus->statusInfo = sinfo;
  684. if (!ossl_cmp_msg_protect(ctx, msg))
  685. goto err;
  686. return msg;
  687. err:
  688. ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_CERTCONF);
  689. OSSL_CMP_MSG_free(msg);
  690. ASN1_OCTET_STRING_free(certHash);
  691. return NULL;
  692. }
  693. OSSL_CMP_MSG *ossl_cmp_pollReq_new(OSSL_CMP_CTX *ctx, int crid)
  694. {
  695. OSSL_CMP_MSG *msg = NULL;
  696. OSSL_CMP_POLLREQ *preq = NULL;
  697. if (!ossl_assert(ctx != NULL))
  698. return NULL;
  699. if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_POLLREQ)) == NULL)
  700. goto err;
  701. /* TODO: support multiple cert request IDs to poll */
  702. if ((preq = OSSL_CMP_POLLREQ_new()) == NULL
  703. || !ASN1_INTEGER_set(preq->certReqId, crid)
  704. || !sk_OSSL_CMP_POLLREQ_push(msg->body->value.pollReq, preq))
  705. goto err;
  706. preq = NULL;
  707. if (!ossl_cmp_msg_protect(ctx, msg))
  708. goto err;
  709. return msg;
  710. err:
  711. ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_POLLREQ);
  712. OSSL_CMP_POLLREQ_free(preq);
  713. OSSL_CMP_MSG_free(msg);
  714. return NULL;
  715. }
  716. OSSL_CMP_MSG *ossl_cmp_pollRep_new(OSSL_CMP_CTX *ctx, int crid,
  717. int64_t poll_after)
  718. {
  719. OSSL_CMP_MSG *msg;
  720. OSSL_CMP_POLLREP *prep;
  721. if (!ossl_assert(ctx != NULL))
  722. return NULL;
  723. if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_POLLREP)) == NULL)
  724. goto err;
  725. if ((prep = OSSL_CMP_POLLREP_new()) == NULL)
  726. goto err;
  727. if (!sk_OSSL_CMP_POLLREP_push(msg->body->value.pollRep, prep))
  728. goto err;
  729. if (!ASN1_INTEGER_set(prep->certReqId, crid))
  730. goto err;
  731. if (!ASN1_INTEGER_set_int64(prep->checkAfter, poll_after))
  732. goto err;
  733. if (!ossl_cmp_msg_protect(ctx, msg))
  734. goto err;
  735. return msg;
  736. err:
  737. ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_POLLREP);
  738. OSSL_CMP_MSG_free(msg);
  739. return NULL;
  740. }
  741. /*-
  742. * returns the status field of the RevRepContent with the given
  743. * request/sequence id inside a revocation response.
  744. * RevRepContent has the revocation statuses in same order as they were sent in
  745. * RevReqContent.
  746. * returns NULL on error
  747. */
  748. OSSL_CMP_PKISI *
  749. ossl_cmp_revrepcontent_get_pkisi(OSSL_CMP_REVREPCONTENT *rrep, int rsid)
  750. {
  751. OSSL_CMP_PKISI *status;
  752. if (!ossl_assert(rrep != NULL))
  753. return NULL;
  754. if ((status = sk_OSSL_CMP_PKISI_value(rrep->status, rsid)) != NULL)
  755. return status;
  756. ERR_raise(ERR_LIB_CMP, CMP_R_PKISTATUSINFO_NOT_FOUND);
  757. return NULL;
  758. }
  759. /*
  760. * returns the CertId field in the revCerts part of the RevRepContent
  761. * with the given request/sequence id inside a revocation response.
  762. * RevRepContent has the CertIds in same order as they were sent in
  763. * RevReqContent.
  764. * returns NULL on error
  765. */
  766. OSSL_CRMF_CERTID *
  767. ossl_cmp_revrepcontent_get_CertId(OSSL_CMP_REVREPCONTENT *rrep, int rsid)
  768. {
  769. OSSL_CRMF_CERTID *cid = NULL;
  770. if (!ossl_assert(rrep != NULL))
  771. return NULL;
  772. if ((cid = sk_OSSL_CRMF_CERTID_value(rrep->revCerts, rsid)) != NULL)
  773. return cid;
  774. ERR_raise(ERR_LIB_CMP, CMP_R_CERTID_NOT_FOUND);
  775. return NULL;
  776. }
  777. static int suitable_rid(const ASN1_INTEGER *certReqId, int rid)
  778. {
  779. int trid;
  780. if (rid == -1)
  781. return 1;
  782. trid = ossl_cmp_asn1_get_int(certReqId);
  783. if (trid == -1) {
  784. ERR_raise(ERR_LIB_CMP, CMP_R_BAD_REQUEST_ID);
  785. return 0;
  786. }
  787. return rid == trid;
  788. }
  789. /*
  790. * returns a pointer to the PollResponse with the given CertReqId
  791. * (or the first one in case -1) inside a PollRepContent
  792. * returns NULL on error or if no suitable PollResponse available
  793. */
  794. OSSL_CMP_POLLREP *
  795. ossl_cmp_pollrepcontent_get0_pollrep(const OSSL_CMP_POLLREPCONTENT *prc,
  796. int rid)
  797. {
  798. OSSL_CMP_POLLREP *pollRep = NULL;
  799. int i;
  800. if (!ossl_assert(prc != NULL))
  801. return NULL;
  802. for (i = 0; i < sk_OSSL_CMP_POLLREP_num(prc); i++) {
  803. pollRep = sk_OSSL_CMP_POLLREP_value(prc, i);
  804. if (suitable_rid(pollRep->certReqId, rid))
  805. return pollRep;
  806. }
  807. ERR_raise_data(ERR_LIB_CMP, CMP_R_CERTRESPONSE_NOT_FOUND,
  808. "expected certReqId = %d", rid);
  809. return NULL;
  810. }
  811. /*
  812. * returns a pointer to the CertResponse with the given CertReqId
  813. * (or the first one in case -1) inside a CertRepMessage
  814. * returns NULL on error or if no suitable CertResponse available
  815. */
  816. OSSL_CMP_CERTRESPONSE *
  817. ossl_cmp_certrepmessage_get0_certresponse(const OSSL_CMP_CERTREPMESSAGE *crm,
  818. int rid)
  819. {
  820. OSSL_CMP_CERTRESPONSE *crep = NULL;
  821. int i;
  822. if (!ossl_assert(crm != NULL && crm->response != NULL))
  823. return NULL;
  824. for (i = 0; i < sk_OSSL_CMP_CERTRESPONSE_num(crm->response); i++) {
  825. crep = sk_OSSL_CMP_CERTRESPONSE_value(crm->response, i);
  826. if (suitable_rid(crep->certReqId, rid))
  827. return crep;
  828. }
  829. ERR_raise_data(ERR_LIB_CMP, CMP_R_CERTRESPONSE_NOT_FOUND,
  830. "expected certReqId = %d", rid);
  831. return NULL;
  832. }
  833. /*-
  834. * Retrieve the newly enrolled certificate from the given certResponse crep.
  835. * In case of indirect POPO uses the libctx and propq from ctx and private key.
  836. * Returns a pointer to a copy of the found certificate, or NULL if not found.
  837. */
  838. X509 *ossl_cmp_certresponse_get1_cert(const OSSL_CMP_CERTRESPONSE *crep,
  839. const OSSL_CMP_CTX *ctx, EVP_PKEY *pkey)
  840. {
  841. OSSL_CMP_CERTORENCCERT *coec;
  842. X509 *crt = NULL;
  843. if (!ossl_assert(crep != NULL && ctx != NULL))
  844. return NULL;
  845. if (crep->certifiedKeyPair
  846. && (coec = crep->certifiedKeyPair->certOrEncCert) != NULL) {
  847. switch (coec->type) {
  848. case OSSL_CMP_CERTORENCCERT_CERTIFICATE:
  849. crt = X509_dup(coec->value.certificate);
  850. break;
  851. case OSSL_CMP_CERTORENCCERT_ENCRYPTEDCERT:
  852. /* cert encrypted for indirect PoP; RFC 4210, 5.2.8.2 */
  853. if (pkey == NULL) {
  854. ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_PRIVATE_KEY);
  855. return NULL;
  856. }
  857. crt =
  858. OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(coec->value.encryptedCert,
  859. ctx->libctx, ctx->propq,
  860. pkey);
  861. break;
  862. default:
  863. ERR_raise(ERR_LIB_CMP, CMP_R_UNKNOWN_CERT_TYPE);
  864. return NULL;
  865. }
  866. }
  867. if (crt == NULL)
  868. ERR_raise(ERR_LIB_CMP, CMP_R_CERTIFICATE_NOT_FOUND);
  869. else
  870. (void)x509_set0_libctx(crt, ctx->libctx, ctx->propq);
  871. return crt;
  872. }
  873. int OSSL_CMP_MSG_update_transactionID(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg)
  874. {
  875. if (ctx == NULL || msg == NULL) {
  876. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  877. return 0;
  878. }
  879. if (!ossl_cmp_hdr_set_transactionID(ctx, msg->header))
  880. return 0;
  881. return msg->header->protectionAlg == NULL
  882. || ossl_cmp_msg_protect(ctx, msg);
  883. }
  884. OSSL_CMP_MSG *OSSL_CMP_MSG_read(const char *file)
  885. {
  886. OSSL_CMP_MSG *msg = NULL;
  887. BIO *bio = NULL;
  888. if (file == NULL) {
  889. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  890. return NULL;
  891. }
  892. if ((bio = BIO_new_file(file, "rb")) == NULL)
  893. return NULL;
  894. msg = d2i_OSSL_CMP_MSG_bio(bio, NULL);
  895. BIO_free(bio);
  896. return msg;
  897. }
  898. int OSSL_CMP_MSG_write(const char *file, const OSSL_CMP_MSG *msg)
  899. {
  900. BIO *bio;
  901. int res;
  902. if (file == NULL || msg == NULL) {
  903. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  904. return -1;
  905. }
  906. bio = BIO_new_file(file, "wb");
  907. if (bio == NULL)
  908. return -2;
  909. res = i2d_OSSL_CMP_MSG_bio(bio, msg);
  910. BIO_free(bio);
  911. return res;
  912. }
  913. OSSL_CMP_MSG *d2i_OSSL_CMP_MSG_bio(BIO *bio, OSSL_CMP_MSG **msg)
  914. {
  915. return ASN1_d2i_bio_of(OSSL_CMP_MSG, OSSL_CMP_MSG_new,
  916. d2i_OSSL_CMP_MSG, bio, msg);
  917. }
  918. int i2d_OSSL_CMP_MSG_bio(BIO *bio, const OSSL_CMP_MSG *msg)
  919. {
  920. return ASN1_i2d_bio_of(OSSL_CMP_MSG, i2d_OSSL_CMP_MSG, bio, msg);
  921. }