Browse Source

CMP: Allow PKCS#10 input also for ir, cr, kur, and rr messages

Also update documentation regarding sources of certs and keys,
improve type of OSSL_CMP_exec_RR_ses(),
add tests for CSR-based cert revocation

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13841)
master
Dr. David von Oheimb 1 year ago
committed by Dr. David von Oheimb
parent
commit
3d46c81a7d
11 changed files with 195 additions and 133 deletions
  1. +38
    -29
      apps/cmp.c
  2. +5
    -1
      apps/cmp_mock_srv.c
  3. +16
    -16
      crypto/cmp/cmp_client.c
  4. +69
    -27
      crypto/cmp/cmp_msg.c
  5. +3
    -3
      crypto/cmp/cmp_server.c
  6. +56
    -49
      doc/man1/openssl-cmp.pod.in
  7. +2
    -4
      doc/man3/OSSL_CMP_exec_certreq.pod
  8. +1
    -1
      include/openssl/cmp.h.in
  9. +1
    -1
      test/cmp_client_test.c
  10. +3
    -1
      test/recipes/81-test_cmp_cli_data/test_commands.csv
  11. +1
    -1
      test/recipes/81-test_cmp_cli_data/test_enrollment.csv

+ 38
- 29
apps/cmp.c View File

@ -272,7 +272,7 @@ const OPTIONS cmp_options[] = {
{"subject", OPT_SUBJECT, 's',
"Distinguished Name (DN) of subject to use in the requested cert template"},
{OPT_MORE_STR, 0, 0,
"For kur, default is the subject DN of the reference cert (see -oldcert);"},
"For kur, default is subject of -csr arg or else of reference cert (see -oldcert)"},
{OPT_MORE_STR, 0, 0,
"this default is used for ir and cr only if no Subject Alt Names are set"},
{"issuer", OPT_ISSUER, 's',
@ -282,7 +282,9 @@ const OPTIONS cmp_options[] = {
{"days", OPT_DAYS, 'n',
"Requested validity time of the new certificate in number of days"},
{"reqexts", OPT_REQEXTS, 's',
"Name of config file section defining certificate request extensions"},
"Name of config file section defining certificate request extensions."},
{OPT_MORE_STR, 0, 0,
"Augments or replaces any extensions contained CSR given with -csr"},
{"sans", OPT_SANS, 's',
"Subject Alt Names (IPADDR/DNS/URI) to add as (critical) cert req extension"},
{"san_nodefault", OPT_SAN_NODEFAULT, '-',
@ -298,7 +300,7 @@ const OPTIONS cmp_options[] = {
{OPT_MORE_STR, 0, 0,
"-1 = NONE, 0 = RAVERIFIED, 1 = SIGNATURE (default), 2 = KEYENC"},
{"csr", OPT_CSR, 's',
"PKCS#10 CSR file in PEM or DER format to use in p10cr for legacy support"},
"PKCS#10 CSR file in PEM or DER format to convert or to use in p10cr"},
{"out_trusted", OPT_OUT_TRUSTED, 's',
"Certificates to trust when verifying newly enrolled certificates"},
{"implicit_confirm", OPT_IMPLICIT_CONFIRM, '-',
@ -383,7 +385,7 @@ const OPTIONS cmp_options[] = {
"Optional certs to verify chain building for own CMP signer cert"},
{"key", OPT_KEY, 's', "CMP signer private key, not used when -secret given"},
{"keypass", OPT_KEYPASS, 's',
"Client private key (and cert and old cert file) pass phrase source"},
"Client private key (and cert and old cert) pass phrase source"},
{"digest", OPT_DIGEST, 's',
"Digest to use in message protection and POPO signatures. Default \"sha256\""},
{"mac", OPT_MAC, 's',
@ -418,7 +420,7 @@ const OPTIONS cmp_options[] = {
{"tls_key", OPT_TLS_KEY, 's',
"Private key for the client's TLS certificate"},
{"tls_keypass", OPT_TLS_KEYPASS, 's',
"Pass phrase source for the client's private TLS key (and TLS cert file)"},
"Pass phrase source for the client's private TLS key (and TLS cert)"},
{"tls_extra", OPT_TLS_EXTRA, 's',
"Extra certificates to provide to TLS server during TLS handshake"},
{"tls_trusted", OPT_TLS_TRUSTED, 's',
@ -455,7 +457,7 @@ const OPTIONS cmp_options[] = {
{"srv_key", OPT_SRV_KEY, 's',
"Private key used by the server for signing messages"},
{"srv_keypass", OPT_SRV_KEYPASS, 's',
"Server private key (and cert) file pass phrase source"},
"Server private key (and cert) pass phrase source"},
{"srv_trusted", OPT_SRV_TRUSTED, 's',
"Trusted certificates for client authentication"},
@ -1599,9 +1601,10 @@ static int setup_protection_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
*/
static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
{
if (opt_subject == NULL && opt_oldcert == NULL && opt_cert == NULL
if (opt_subject == NULL
&& opt_csr == NULL && opt_oldcert == NULL && opt_cert == NULL
&& opt_cmd != CMP_RR && opt_cmd != CMP_GENM)
CMP_warn("no -subject given, neither -oldcert nor -cert available as default");
CMP_warn("no -subject given; no -csr or -oldcert or -cert available for fallback");
if (!set_name(opt_subject, OSSL_CMP_CTX_set1_subjectName, ctx, "subject")
|| !set_name(opt_issuer, OSSL_CMP_CTX_set1_issuer, ctx, "issuer"))
return 0;
@ -1718,11 +1721,10 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
(void)OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_POPO_METHOD, opt_popo);
if (opt_csr != NULL) {
if (opt_cmd != CMP_P10CR) {
CMP_warn("-csr option is ignored for command other than p10cr");
if (opt_cmd == CMP_GENM) {
CMP_warn("-csr option is ignored for genm command");
} else {
X509_REQ *csr =
load_csr_autofmt(opt_csr, "PKCS#10 CSR for p10cr");
X509_REQ *csr = load_csr_autofmt(opt_csr, "PKCS#10 CSR for p10cr");
if (csr == NULL)
return 0;
@ -1735,17 +1737,21 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
}
if (opt_oldcert != NULL) {
X509 *oldcert = load_cert_pwd(opt_oldcert, opt_keypass,
"certificate to be updated/revoked");
/* opt_keypass is needed if opt_oldcert is an encrypted PKCS#12 file */
if (opt_cmd == CMP_GENM) {
CMP_warn("-oldcert option is ignored for genm command");
} else {
X509 *oldcert = load_cert_pwd(opt_oldcert, opt_keypass,
"certificate to be updated/revoked");
/* opt_keypass needed if opt_oldcert is an encrypted PKCS#12 file */
if (oldcert == NULL)
return 0;
if (!OSSL_CMP_CTX_set1_oldCert(ctx, oldcert)) {
if (oldcert == NULL)
return 0;
if (!OSSL_CMP_CTX_set1_oldCert(ctx, oldcert)) {
X509_free(oldcert);
goto oom;
}
X509_free(oldcert);
goto oom;
}
X509_free(oldcert);
}
cleanse(opt_keypass);
if (opt_revreason > CRL_REASON_NONE)
@ -1883,17 +1889,21 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
if (opt_cmd == CMP_KUR) {
char *ref_cert = opt_oldcert != NULL ? opt_oldcert : opt_cert;
if (ref_cert == NULL) {
CMP_err("missing -oldcert option for certificate to be updated");
if (ref_cert == NULL && opt_csr == NULL) {
CMP_err("missing -oldcert or -csr option for certificate to be updated");
goto err;
}
if (opt_subject != NULL)
CMP_warn2("-subject '%s' given, which overrides the subject of '%s' in KUR",
opt_subject, ref_cert);
CMP_warn2("given -subject '%s' overrides the subject of '%s' for KUR",
opt_subject, ref_cert != NULL ? ref_cert : opt_csr);
}
if (opt_cmd == CMP_RR && opt_oldcert == NULL) {
CMP_err("missing certificate to be revoked");
goto err;
if (opt_cmd == CMP_RR) {
if (opt_oldcert == NULL && opt_csr == NULL) {
CMP_err("missing certificate to be revoked and no fallback -csr given");
goto err;
}
if (opt_oldcert != NULL && opt_csr != NULL)
CMP_warn("Ignoring -csr since certificate to be revoked is given");
}
if (opt_cmd == CMP_P10CR && opt_csr == NULL) {
CMP_err("missing PKCS#10 CSR for p10cr");
@ -2845,8 +2855,7 @@ int cmp_main(int argc, char **argv)
ret = 1;
break;
case CMP_RR:
if (OSSL_CMP_exec_RR_ses(cmp_ctx) != NULL)
ret = 1;
ret = OSSL_CMP_exec_RR_ses(cmp_ctx);
break;
case CMP_GENM:
{


+ 5
- 1
apps/cmp_mock_srv.c View File

@ -234,7 +234,7 @@ static OSSL_CMP_PKISI *process_rr(OSSL_CMP_SRV_CTX *srv_ctx,
{
mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
if (ctx == NULL || rr == NULL || issuer == NULL || serial == NULL) {
if (ctx == NULL || rr == NULL) {
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return NULL;
}
@ -243,6 +243,10 @@ static OSSL_CMP_PKISI *process_rr(OSSL_CMP_SRV_CTX *srv_ctx,
return NULL;
}
/* Allow any RR derived from CSR, which may include subject and serial */
if (issuer == NULL || serial == NULL)
return OSSL_CMP_PKISI_dup(ctx->statusOut);
/* accept revocation only for the certificate we sent in ir/cr/kur */
if (X509_NAME_cmp(issuer, X509_get_issuer_name(ctx->certOut)) != 0
|| ASN1_INTEGER_cmp(serial,


+ 16
- 16
crypto/cmp/cmp_client.c View File

@ -742,7 +742,7 @@ X509 *OSSL_CMP_exec_certreq(OSSL_CMP_CTX *ctx, int req_type,
return result;
}
X509 *OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx)
int OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx)
{
OSSL_CMP_MSG *rr = NULL;
OSSL_CMP_MSG *rp = NULL;
@ -751,13 +751,13 @@ X509 *OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx)
OSSL_CMP_REVREPCONTENT *rrep = NULL;
OSSL_CMP_PKISI *si = NULL;
char buf[OSSL_CMP_PKISI_BUFLEN];
X509 *result = NULL;
int ret = 0;
if (ctx == NULL) {
ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS);
return 0;
}
if (ctx->oldCert == NULL) {
if (ctx->oldCert == NULL && ctx->p10CSR == NULL) {
ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_REFERENCE_CERT);
return 0;
}
@ -790,24 +790,24 @@ X509 *OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx)
switch (ossl_cmp_pkisi_get_status(si)) {
case OSSL_CMP_PKISTATUS_accepted:
ossl_cmp_info(ctx, "revocation accepted (PKIStatus=accepted)");
result = ctx->oldCert;
ret = 1;
break;
case OSSL_CMP_PKISTATUS_grantedWithMods:
ossl_cmp_info(ctx, "revocation accepted (PKIStatus=grantedWithMods)");
result = ctx->oldCert;
ret = 1;
break;
case OSSL_CMP_PKISTATUS_rejection:
ERR_raise(ERR_LIB_CMP, CMP_R_REQUEST_REJECTED_BY_SERVER);
goto err;
case OSSL_CMP_PKISTATUS_revocationWarning:
ossl_cmp_info(ctx, "revocation accepted (PKIStatus=revocationWarning)");
result = ctx->oldCert;
ret = 1;
break;
case OSSL_CMP_PKISTATUS_revocationNotification:
/* interpretation as warning or error depends on CA */
ossl_cmp_warn(ctx,
"revocation accepted (PKIStatus=revocationNotification)");
result = ctx->oldCert;
ret = 1;
break;
case OSSL_CMP_PKISTATUS_waiting:
case OSSL_CMP_PKISTATUS_keyUpdateWarning:
@ -818,8 +818,8 @@ X509 *OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx)
goto err;
}
/* check any present CertId in optional revCerts field */
if (rrep->revCerts != NULL) {
/* check any pretent CertId in optional revCerts field */
if (sk_OSSL_CRMF_CERTID_num(rrep->revCerts) >= 1) {
OSSL_CRMF_CERTID *cid;
OSSL_CRMF_CERTTEMPLATE *tmpl =
sk_OSSL_CMP_REVDETAILS_value(rr->body->value.rr, rsid)->certDetails;
@ -828,17 +828,17 @@ X509 *OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx)
if (sk_OSSL_CRMF_CERTID_num(rrep->revCerts) != num_RevDetails) {
ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_RP_COMPONENT_COUNT);
result = NULL;
ret = 0;
goto err;
}
if ((cid = ossl_cmp_revrepcontent_get_CertId(rrep, rsid)) == NULL) {
result = NULL;
ret = 0;
goto err;
}
if (X509_NAME_cmp(issuer, OSSL_CRMF_CERTID_get0_issuer(cid)) != 0) {
#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_CERTID_IN_RP);
result = NULL;
ret = 0;
goto err;
#endif
}
@ -846,7 +846,7 @@ X509 *OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx)
OSSL_CRMF_CERTID_get0_serialNumber(cid)) != 0) {
#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_SERIAL_IN_RP);
result = NULL;
ret = 0;
goto err;
#endif
}
@ -855,19 +855,19 @@ X509 *OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx)
/* check number of any optionally present crls */
if (rrep->crls != NULL && sk_X509_CRL_num(rrep->crls) != num_RevDetails) {
ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_RP_COMPONENT_COUNT);
result = NULL;
ret = 0;
goto err;
}
err:
if (result == NULL
if (ret == 0
&& OSSL_CMP_CTX_snprint_PKIStatus(ctx, buf, sizeof(buf)) != NULL)
ERR_add_error_data(1, buf);
end:
OSSL_CMP_MSG_free(rr);
OSSL_CMP_MSG_free(rp);
return result;
return ret;
}
STACK_OF(OSSL_CMP_ITAV) *OSSL_CMP_exec_GENM_ses(OSSL_CMP_CTX *ctx)


+ 69
- 27
crypto/cmp/cmp_msg.c View File

@ -79,6 +79,34 @@ static int add1_extension(X509_EXTENSIONS **pexts, int nid, int crit, void *ex)
return res;
}
/* Add extension list to the referenced extension stack, which may be NULL */
static int add_extensions(STACK_OF(X509_EXTENSION) **target,
const STACK_OF(X509_EXTENSION) *exts)
{
int i;
if (target == NULL)
return 0;
for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) {
X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i);
ASN1_OBJECT *obj = X509_EXTENSION_get_object(ext);
int idx = X509v3_get_ext_by_OBJ(*target, obj, -1);
/* Does extension exist in target? */
if (idx != -1) {
/* Delete all extensions of same type */
do {
X509_EXTENSION_free(sk_X509_EXTENSION_delete(*target, idx));
idx = X509v3_get_ext_by_OBJ(*target, obj, -1);
} while (idx != -1);
}
if (!X509v3_add_ext(target, ext, -1))
return 0;
}
return 1;
}
/* Add a CRL revocation reason code to extension stack, which may be NULL */
static int add_crl_reason_extension(X509_EXTENSIONS **pexts, int reason_code)
{
@ -186,18 +214,19 @@ OSSL_CMP_MSG *ossl_cmp_msg_create(OSSL_CMP_CTX *ctx, int bodytype)
(sk_GENERAL_NAME_num((ctx)->subjectAltNames) > 0 \
|| OSSL_CMP_CTX_reqExtensions_have_SAN(ctx) == 1)
static const X509_NAME *determine_subj(OSSL_CMP_CTX *ctx, X509 *refcert,
static const X509_NAME *determine_subj(OSSL_CMP_CTX *ctx,
const X509_NAME *ref_subj,
int for_KUR)
{
if (ctx->subjectName != NULL)
return ctx->subjectName;
if (refcert != NULL && (for_KUR || !HAS_SAN(ctx)))
if (ref_subj != NULL && (for_KUR || !HAS_SAN(ctx)))
/*
* For KUR, copy subjectName from reference certificate.
* For KUR, copy subject from the reference.
* For IR or CR, do the same only if there is no subjectAltName.
*/
return X509_get_subject_name(refcert);
return ref_subj;
return NULL;
}
@ -208,13 +237,18 @@ OSSL_CRMF_MSG *OSSL_CMP_CTX_setup_CRM(OSSL_CMP_CTX *ctx, int for_KUR, int rid)
/* refcert defaults to current client cert */
EVP_PKEY *rkey = OSSL_CMP_CTX_get0_newPkey(ctx, 0);
STACK_OF(GENERAL_NAME) *default_sans = NULL;
const X509_NAME *subject = determine_subj(ctx, refcert, for_KUR);
const X509_NAME *ref_subj =
ctx->p10CSR != NULL ? X509_REQ_get_subject_name(ctx->p10CSR) :
refcert != NULL ? X509_get_subject_name(refcert) : NULL;
const X509_NAME *subject = determine_subj(ctx, ref_subj, for_KUR);
const X509_NAME *issuer = ctx->issuer != NULL || refcert == NULL
? ctx->issuer : X509_get_issuer_name(refcert);
int crit = ctx->setSubjectAltNameCritical || subject == NULL;
/* RFC5280: subjectAltName MUST be critical if subject is null */
X509_EXTENSIONS *exts = NULL;
if (rkey == NULL && ctx->p10CSR != NULL)
rkey = X509_REQ_get0_pubkey(ctx->p10CSR);
if (rkey == NULL)
rkey = ctx->pkey; /* default is independent of ctx->oldCert */
if (rkey == NULL) {
@ -223,7 +257,7 @@ OSSL_CRMF_MSG *OSSL_CMP_CTX_setup_CRM(OSSL_CMP_CTX *ctx, int for_KUR, int rid)
return NULL;
#endif
}
if (for_KUR && refcert == NULL) {
if (for_KUR && refcert == NULL && ctx->p10CSR == NULL) {
ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_REFERENCE_CERT);
return NULL;
}
@ -256,14 +290,12 @@ OSSL_CRMF_MSG *OSSL_CMP_CTX_setup_CRM(OSSL_CMP_CTX *ctx, int for_KUR, int rid)
if (refcert != NULL && !ctx->SubjectAltName_nodefault)
default_sans = X509V3_get_d2i(X509_get0_extensions(refcert),
NID_subject_alt_name, NULL, NULL);
/* exts are copied from ctx to allow reuse */
if (ctx->reqExtensions != NULL) {
exts = sk_X509_EXTENSION_deep_copy(ctx->reqExtensions,
X509_EXTENSION_dup,
X509_EXTENSION_free);
if (exts == NULL)
goto err;
}
if (ctx->p10CSR != NULL
&& (exts = X509_REQ_get_extensions(ctx->p10CSR)) == NULL)
goto err;
if (ctx->reqExtensions != NULL /* augment/override existing ones */
&& !add_extensions(&exts, ctx->reqExtensions))
goto err;
if (sk_GENERAL_NAME_num(ctx->subjectAltNames) > 0
&& !add1_extension(&exts, NID_subject_alt_name,
crit, ctx->subjectAltNames))
@ -281,7 +313,7 @@ OSSL_CRMF_MSG *OSSL_CMP_CTX_setup_CRM(OSSL_CMP_CTX *ctx, int for_KUR, int rid)
/* end fill certTemplate, now set any controls */
/* for KUR, set OldCertId according to D.6 */
if (for_KUR) {
if (for_KUR && refcert != NULL) {
OSSL_CRMF_CERTID *cid =
OSSL_CRMF_CERTID_gen(X509_get_issuer_name(refcert),
X509_get0_serialNumber(refcert));
@ -460,19 +492,27 @@ OSSL_CMP_MSG *ossl_cmp_rr_new(OSSL_CMP_CTX *ctx)
{
OSSL_CMP_MSG *msg = NULL;
OSSL_CMP_REVDETAILS *rd;
int ret;
if (!ossl_assert(ctx != NULL && ctx->oldCert != NULL))
if (!ossl_assert(ctx != NULL && (ctx->oldCert != NULL
|| ctx->p10CSR != NULL)))
return NULL;
if ((rd = OSSL_CMP_REVDETAILS_new()) == NULL)
goto err;
/* Fill the template from the contents of the certificate to be revoked */
if (!OSSL_CRMF_CERTTEMPLATE_fill(rd->certDetails,
NULL /* pubkey would be redundant */,
NULL /* subject would be redundant */,
X509_get_issuer_name(ctx->oldCert),
X509_get0_serialNumber(ctx->oldCert)))
ret = ctx->oldCert != NULL
? OSSL_CRMF_CERTTEMPLATE_fill(rd->certDetails,
NULL /* pubkey would be redundant */,
NULL /* subject would be redundant */,
X509_get_issuer_name(ctx->oldCert),
X509_get0_serialNumber(ctx->oldCert))
: OSSL_CRMF_CERTTEMPLATE_fill(rd->certDetails,
X509_REQ_get0_pubkey(ctx->p10CSR),
X509_REQ_get_subject_name(ctx->p10CSR),
NULL, NULL);
if (!ret)
goto err;
/* revocation reason code is optional */
@ -513,7 +553,7 @@ OSSL_CMP_MSG *ossl_cmp_rp_new(OSSL_CMP_CTX *ctx, OSSL_CMP_PKISI *si,
OSSL_CRMF_CERTID *cid_copy = NULL;
OSSL_CMP_MSG *msg = NULL;
if (!ossl_assert(ctx != NULL && si != NULL && cid != NULL))
if (!ossl_assert(ctx != NULL && si != NULL))
return NULL;
if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_RP)) == NULL)
@ -530,11 +570,13 @@ OSSL_CMP_MSG *ossl_cmp_rp_new(OSSL_CMP_CTX *ctx, OSSL_CMP_PKISI *si,
if ((rep->revCerts = sk_OSSL_CRMF_CERTID_new_null()) == NULL)
goto err;
if ((cid_copy = OSSL_CRMF_CERTID_dup(cid)) == NULL)
goto err;
if (!sk_OSSL_CRMF_CERTID_push(rep->revCerts, cid_copy)) {
OSSL_CRMF_CERTID_free(cid_copy);
goto err;
if (cid != NULL) {
if ((cid_copy = OSSL_CRMF_CERTID_dup(cid)) == NULL)
goto err;
if (!sk_OSSL_CRMF_CERTID_push(rep->revCerts, cid_copy)) {
OSSL_CRMF_CERTID_free(cid_copy);
goto err;
}
}
if (!unprot_err


+ 3
- 3
crypto/cmp/cmp_server.c View File

@ -248,7 +248,7 @@ static OSSL_CMP_MSG *process_rr(OSSL_CMP_SRV_CTX *srv_ctx,
{
OSSL_CMP_MSG *msg = NULL;
OSSL_CMP_REVDETAILS *details;
OSSL_CRMF_CERTID *certId;
OSSL_CRMF_CERTID *certId = NULL;
OSSL_CRMF_CERTTEMPLATE *tmpl;
const X509_NAME *issuer;
ASN1_INTEGER *serial;
@ -272,8 +272,8 @@ static OSSL_CMP_MSG *process_rr(OSSL_CMP_SRV_CTX *srv_ctx,
tmpl = details->certDetails;
issuer = OSSL_CRMF_CERTTEMPLATE_get0_issuer(tmpl);
serial = OSSL_CRMF_CERTTEMPLATE_get0_serialNumber(tmpl);
/* here issuer and serial may safely be NULL */
if ((certId = OSSL_CRMF_CERTID_gen(issuer, serial)) == NULL)
if (issuer != NULL && serial != NULL
&& (certId = OSSL_CRMF_CERTID_gen(issuer, serial)) == NULL)
return NULL;
if ((si = srv_ctx->process_rr(srv_ctx, req, issuer, serial)) == NULL)
goto err;


+ 56
- 49
doc/man1/openssl-cmp.pod.in View File

@ -34,7 +34,7 @@ Certificate enrollment options:
[B<-policy_oids_critical>]
[B<-popo> I<number>]
[B<-csr> I<filename>]
[B<-out_trusted> I<filenames>]
[B<-out_trusted> I<filenames>|I<uris>]
[B<-implicit_confirm>]
[B<-disable_confirm>]
[B<-certout> I<filename>]
@ -42,7 +42,7 @@ Certificate enrollment options:
Certificate enrollment and revocation options:
[B<-oldcert> I<filename>]
[B<-oldcert> I<filename>|I<uri>]
[B<-revreason> I<number>]
Message transfer options:
@ -56,9 +56,9 @@ Message transfer options:
Server authentication options:
[B<-trusted> I<filenames>]
[B<-trusted> I<filenames>|I<uris>]
[B<-untrusted> I<sources>]
[B<-srvcert> I<filename>]
[B<-srvcert> I<filename>|I<uri>]
[B<-recipient> I<name>]
[B<-expect_sender> I<name>]
[B<-ignore_keyusage>]
@ -70,9 +70,9 @@ Client authentication options:
[B<-ref> I<value>]
[B<-secret> I<arg>]
[B<-cert> I<filename>]
[B<-own_trusted> I<filenames>]
[B<-key> I<filename>]
[B<-cert> I<filename>|I<uri>]
[B<-own_trusted> I<filenames>|I<uris>]
[B<-key> I<filename>|I<uri>]
[B<-keypass> I<arg>]
[B<-digest> I<name>]
[B<-mac> I<name>]
@ -89,11 +89,11 @@ Credentials format options:
TLS connection options:
[B<-tls_used>]
[B<-tls_cert> I<filename>]
[B<-tls_cert> I<filename>|I<uri>]
[B<-tls_key> I<filename>|I<uri>]
[B<-tls_keypass> I<arg>]
[B<-tls_extra> I<filenames>]
[B<-tls_trusted> I<filenames>]
[B<-tls_extra> I<filenames>|I<uris>]
[B<-tls_trusted> I<filenames>|I<uris>]
[B<-tls_host> I<name>]
Client-side debugging options:
@ -113,14 +113,14 @@ Mock server options:
[B<-max_msgs> I<number>]
[B<-srv_ref> I<value>]
[B<-srv_secret> I<arg>]
[B<-srv_cert> I<filename>]
[B<-srv_key> I<filename>]
[B<-srv_cert> I<filename>|I<uri>]
[B<-srv_key> I<filename>|I<uri>]
[B<-srv_keypass> I<arg>]
[B<-srv_trusted> I<filenames>]
[B<-srv_untrusted> I<filenames>]
[B<-rsp_cert> I<filename>]
[B<-rsp_extracerts> I<filenames>]
[B<-rsp_capubs> I<filenames>]
[B<-srv_trusted> I<filenames>|I<uris>]
[B<-srv_untrusted> I<filenames>|I<uris>]
[B<-rsp_cert> I<filename>|I<uri>]
[B<-rsp_extracerts> I<filenames>|I<uris>]
[B<-rsp_capubs> I<filenames>|I<uris>]
[B<-poll_count> I<number>]
[B<-check_after> I<number>]
[B<-grant_implicitconf>]
@ -216,7 +216,7 @@ B<cr> requests issuing an additional certificate for an End Entity already
initialized to the PKI hierarchy.
B<p10cr> requests issuing an additional certificate similarly to B<cr>
but uses PKCS#10 CSR format.
but using PKCS#10 CSR format.
B<kur> requests a (key) update for an existing, given certificate.
@ -263,11 +263,11 @@ L<openssl-passphrase-options(1)>.
X509 Distinguished Name (DN) of subject to use in the requested certificate
template.
For KUR, it defaults to the subject DN of the reference certificate
(see B<-oldcert>).
For KUR, it defaults to the subject DN of any given CSR
or of the reference certificate (see B<-oldcert>) if provided.
This default is used for IR and CR only if no SANs are set.
The subject DN is also used as fallback sender of outgoing CMP messages
The provided subject DN is also used as fallback sender of outgoing CMP messages
if no B<-cert> and no B<-oldcert> are given.
The argument must be formatted as I</type0=value0/type1=value1/type2=...>.
@ -341,13 +341,18 @@ is provided via the B<-newkey> or B<-key> options.
=item B<-csr> I<filename>
PKCS#10 CSR in PEM or DER format to use in legacy P10CR messages.
PKCS#10 CSR in PEM or DER format containing a certificate request.
When used with a with B<-cmd> I<p10cr> used directly in a legacy P10CR message.
When used with B<-cmd> I<ir>, I<cr>, or I<kur>, it is tranformed into the
respective regular CMP request.
It may also be used with B<-cmd> I<rr> to specifiy the certificate to be revoked
via the included subject and public key.
=item B<-out_trusted> I<filenames>
=item B<-out_trusted> I<filenames>|I<uris>
Trusted certificate(s) to use for verifying the newly enrolled certificate.
Multiple filenames may be given, separated by commas and/or whitespace
Multiple sources may be given, separated by commas and/or whitespace
(where in the latter case the whole argument must be enclosed in "...").
Each source may contain multiple certificates.
@ -380,15 +385,17 @@ The file where the chain of the newly enrolled certificate should be saved.
=over 4
=item B<-oldcert> I<filename>
=item B<-oldcert> I<filename>|I<uri>]
The certificate to be updated (i.e., renewed or re-keyed) in Key Update Request
(KUR) messages or to be revoked in Revocation Request (RR) messages.
It must be given for RR, while for KUR it defaults to B<-cert>.
For RR the certificate to be revoked can also be specified using B<-csr>.
For KUR certificate to be updated defaults to B<-cert>, and the resulting certificate is called
I<reference certificate>.
The reference certificate determined in this way, if any, is also used for
The reference certificate, if any, is also used for
deriving default subject DN and Subject Alternative Names and the
default issuer entry in the requested certificate template of IR/CR/KUR.
default issuer entry in the requested certificate template of a IR/CR/KUR.
Its subject is used as sender of outgoing messages if B<-cert> is not given.
Its issuer is used as default recipient in CMP message headers
if neither B<-recipient>, B<-srvcert>, nor B<-issuer> is given.
@ -465,7 +472,7 @@ Default is 0 (infinite).
=over 4
=item B<-trusted> I<filenames>
=item B<-trusted> I<filenames>|I<uris>
When verifying signature-based protection of CMP response messages,
these are the CA certificate(s) to trust while checking certificate chains
@ -477,7 +484,7 @@ for which a chain to one of the given trusted certificates can be constructed.
If no B<-trusted>, B<-srvcert>, and B<-secret> option is given
then protected response messages from the server are not authenticated.
Multiple filenames may be given, separated by commas and/or whitespace
Multiple sources may be given, separated by commas and/or whitespace
(where in the latter case the whole argument must be enclosed in "...").
Each source may contain multiple certificates.
@ -496,10 +503,10 @@ as well as for chain building
when verifying the CMP server certificate (checking signature-based
CMP message protection) and when verifying newly enrolled certificates.
Multiple filenames may be given, separated by commas and/or whitespace.
Multiple sources may be given, separated by commas and/or whitespace.
Each file may contain multiple certificates.
=item B<-srvcert> I<filename>
=item B<-srvcert> I<filename>|I<uri>]
The specific CMP server certificate to expect and directly trust (even if it is
expired) when verifying signature-based protection of CMP response messages.
@ -609,7 +616,7 @@ This takes precedence over the B<-cert> and B<-key> options.
For more information about the format of B<arg> see
L<openssl-passphrase-options(1)>.
=item B<-cert> I<filename>
=item B<-cert> I<filename>|I<uri>]
The client's current CMP signer certificate.
Requires the corresponding key to be given with B<-key>.
@ -628,13 +635,13 @@ If the file includes further certs, they are appended to the untrusted certs
because they typically constitute the chain of the client certificate, which
is included in the extraCerts field in signature-protected request messages.
=item B<-own_trusted> I<filenames>
=item B<-own_trusted> I<filenames>|I<uris>
If this list of certificates is provided then the chain built for
the client-side CMP signer certificate given with the B<-cert> option
is verified using the given certificates as trust anchors.
Multiple filenames may be given, separated by commas and/or whitespace
Multiple sources may be given, separated by commas and/or whitespace
(where in the latter case the whole argument must be enclosed in "...").
Each source may contain multiple certificates.
@ -642,7 +649,7 @@ The certificate verification options
B<-verify_hostname>, B<-verify_ip>, and B<-verify_email>
have no effect on the certificate verification enabled via this option.
=item B<-key> I<filename>
=item B<-key> I<filename>|I<uri>]
The corresponding private key file for the client's current certificate given in
the B<-cert> option.
@ -680,7 +687,7 @@ Defaults to C<hmac-sha1> as per RFC 4210.
Certificates to append in the extraCerts field when sending messages.
They can be used as the default CMP signer certificate chain to include.
Multiple filenames or URLs may be given, separated by commas and/or whitespace
Multiple sources may be given, separated by commas and/or whitespace
(where in the latter case the whole argument must be enclosed in "...").
Each source may contain multiple certificates.
@ -743,10 +750,10 @@ B<-tls_key>.
Enable using TLS (even when other TLS_related options are not set)
when connecting to CMP server.
=item B<-tls_cert> I<filename>
=item B<-tls_cert> I<filename>|I<uri>]
Client's TLS certificate.
If the file includes further certs they are used (along with B<-untrusted>
If the source includes further certs they are used (along with B<-untrusted>
certs) for constructing the client cert chain provided to the TLS server.
=item B<-tls_key> I<filename>|I<uri>
@ -762,16 +769,16 @@ If not given here, the password will be prompted for if needed.
For more information about the format of B<arg> see
L<openssl-passphrase-options(1)>.
=item B<-tls_extra> I<filenames>
=item B<-tls_extra> I<filenames>|I<uris>
Extra certificates to provide to TLS server during TLS handshake
=item B<-tls_trusted> I<filenames>
=item B<-tls_trusted> I<filenames>|I<uris>
Trusted certificate(s) to use for verifying the TLS server certificate.
This implies hostname validation.
Multiple filenames may be given, separated by commas and/or whitespace
Multiple sources may be given, separated by commas and/or whitespace
(where in the latter case the whole argument must be enclosed in "...").
Each source may contain multiple certificates.
@ -868,11 +875,11 @@ Reference value to use as senderKID of server in case no B<-srv_cert> is given.
Password source for server authentication with a pre-shared key (secret).
=item B<-srv_cert> I<filename>
=item B<-srv_cert> I<filename>|I<uri>]
Certificate of the server.
=item B<-srv_key> I<filename>
=item B<-srv_key> I<filename>|I<uri>]
Private key used by the server for signing messages.
@ -880,7 +887,7 @@ Private key used by the server for signing messages.
Server private key (and cert) file pass phrase source.
=item B<-srv_trusted> I<filenames>
=item B<-srv_trusted> I<filenames>|I<uris>
Trusted certificates for client authentication.
@ -888,19 +895,19 @@ The certificate verification options
B<-verify_hostname>, B<-verify_ip>, and B<-verify_email>
have no effect on the certificate verification enabled via this option.
=item B<-srv_untrusted> I<filenames>
=item B<-srv_untrusted> I<filenames>|I<uris>
Intermediate CA certs that may be useful when verifying client certificates.
=item B<-rsp_cert> I<filename>
=item B<-rsp_cert> I<filename>|I<uri>]
Certificate to be returned as mock enrollment result.
=item B<-rsp_extracerts> I<filenames>
=item B<-rsp_extracerts> I<filenames>|I<uris>
Extra certificates to be included in mock certification responses.
=item B<-rsp_capubs> I<filenames>
=item B<-rsp_capubs> I<filenames>|I<uris>
CA certificates to be included in mock Initialization Response (IP) message.


+ 2
- 4
doc/man3/OSSL_CMP_exec_certreq.pod View File

@ -32,7 +32,7 @@ OSSL_CMP_exec_GENM_ses
#define OSSL_CMP_KUR
int OSSL_CMP_try_certreq(OSSL_CMP_CTX *ctx, int req_type,
const OSSL_CRMF_MSG *crm, int *checkAfter);
X509 *OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx);
int OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx);
STACK_OF(OSSL_CMP_ITAV) *OSSL_CMP_exec_GENM_ses(OSSL_CMP_CTX *ctx);
=head1 DESCRIPTION
@ -137,9 +137,7 @@ In the latter case L<OSSL_CMP_CTX_get0_newCert(3)> yields NULL
and the output parameter I<checkAfter> has been used to
assign the received value unless I<checkAfter> is NULL.
OSSL_CMP_exec_RR_ses() returns the
pointer to the revoked certificate on success, NULL on error.
This pointer will be freed implicitly by OSSL_CMP_CTX_free().
OSSL_CMP_exec_RR_ses() returns 1 on success, 0 on error.
OSSL_CMP_exec_GENM_ses() returns a
pointer to the received B<ITAV> sequence on success, NULL on error.


+ 1
- 1
include/openssl/cmp.h.in View File

@ -457,7 +457,7 @@ X509 *OSSL_CMP_exec_certreq(OSSL_CMP_CTX *ctx, int req_type,
OSSL_CMP_exec_certreq(ctx, OSSL_CMP_KUR, NULL)
int OSSL_CMP_try_certreq(OSSL_CMP_CTX *ctx, int req_type,
const OSSL_CRMF_MSG *crm, int *checkAfter);
X509 *OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx);
int OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx);
STACK_OF(OSSL_CMP_ITAV) *OSSL_CMP_exec_GENM_ses(OSSL_CMP_CTX *ctx);
# ifdef __cplusplus


+ 1
- 1
test/cmp_client_test.c View File

@ -92,7 +92,7 @@ static CMP_SES_TEST_FIXTURE *set_up(const char *const test_case_name)
static int execute_exec_RR_ses_test(CMP_SES_TEST_FIXTURE *fixture)
{
return TEST_int_eq(fixture->expected,
OSSL_CMP_exec_RR_ses(fixture->cmp_ctx) == client_cert);
OSSL_CMP_exec_RR_ses(fixture->cmp_ctx) == 1);
}
static int execute_exec_GENM_ses_test(CMP_SES_TEST_FIXTURE *fixture)


+ 3
- 1
test/recipes/81-test_cmp_cli_data/test_commands.csv View File

@ -33,8 +33,10 @@ expected,description, -section,val, -cmd,val,val2, -cacertsout,val,val2, -infoty
0, --- get certificate for revocation ----, -section,, -cmd,cr,,BLANK,,,BLANK,,,BLANK,,BLANK,
0,revreason AACompromise, -section,, -cmd,rr,,BLANK,,,BLANK,,, -oldcert,_RESULT_DIR/test.cert.pem, -revreason,10
0, --- get certificate for revocation ----, -section,, -cmd,cr,,BLANK,,,BLANK,,,BLANK,,BLANK,
0, --- use csr for revocation ----, -section,, -cmd,rr,,BLANK,,,BLANK,,,BLANK,,BLANK, -revreason,0, -csr,csr.pem
0, --- get certificate for revocation ----, -section,, -cmd,cr,,BLANK,,,BLANK,,,BLANK,,BLANK,
1,without oldcert, -section,, -cmd,rr,,BLANK,,,BLANK,,,BLANK,,BLANK,
1,oldcert is directory, -section,, -cmd,rr,,BLANK,,,BLANK,,, -oldcert,dir/,BLANK,
1,oldcert is directory, -section,, -cmd,rr,,BLANK,,,BLANK,,, -oldcert,dir/,BLANK,cmp
1,oldcert file nonexistent, -section,, -cmd,rr,,BLANK,,,BLANK,,, -oldcert,idontexist,BLANK,
1,empty oldcert file, -section,, -cmd,rr,,BLANK,,,BLANK,,, -oldcert,empty.txt,BLANK,
1,oldcert and key do not match, -section,, -cmd,rr,,BLANK,,,BLANK,,, -oldcert,trusted.crt, -revreason,0


+ 1
- 1
test/recipes/81-test_cmp_cli_data/test_enrollment.csv View File

@ -85,7 +85,7 @@ expected,description, -section,val, -cmd,val, -newkey,val,val, -newkeypass,val,
1,oldcert empty file, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_oldcert4.pem,, -out_trusted,root.crt,, -oldcert,empty.txt,BLANK,,,
1,oldcert random contents, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_oldcert5.pem,, -out_trusted,root.crt,, -oldcert,random.bin,BLANK,,,
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
0,csr ignored for ir, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_csr_ignored.pem,, -out_trusted,root.crt,,BLANK,, -csr,idontexist,,
0,csr used in ir, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_csr_ignored.pem,, -out_trusted,root.crt,,BLANK,, -csr,csr.pem,,
0,p10cr csr, -section,, -cmd,p10cr, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_p10cr.pem,, -out_trusted,root.crt,,BLANK,, -csr,csr.pem,,
1,p10cr csr missing, -section,, -cmd,p10cr, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_p10cr1.pem,, -out_trusted,root.crt,,BLANK,,BLANK,,,
1,p10cr csr missing arg, -section,, -cmd,p10cr, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_p10cr1.pem,, -out_trusted,root.crt,,BLANK,, -csr,,,


Loading…
Cancel
Save