Browse Source

Certificate Management Protocol (CMP, RFC 4210) extension to OpenSSL

Also includes CRMF (RFC 4211) and HTTP transfer (RFC 6712)

    CMP and CRMF API is added to libcrypto, and the "cmp" app to the openssl CLI.
        Adds extensive man pages and tests.  Integration into build scripts.

    Incremental pull request based on OpenSSL commit 8869ad4a39 of 2019-04-02

    4th chunk: CMP context/parameters and utilities
    in crypto/cmp/cmp_ctx.c, crypto/cmp/cmp_util.c, and related files

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9107)
master
Dr. David von Oheimb 3 years ago
committed by Matt Caswell
parent
commit
7960dbec68
38 changed files with 4512 additions and 287 deletions
  1. +1
    -1
      crypto/cmp/build.info
  2. +23
    -3
      crypto/cmp/cmp_asn.c
  3. +1086
    -0
      crypto/cmp/cmp_ctx.c
  4. +8
    -2
      crypto/cmp/cmp_err.c
  5. +158
    -22
      crypto/cmp/cmp_int.h
  6. +449
    -0
      crypto/cmp/cmp_util.c
  7. +19
    -19
      crypto/crmf/crmf_int.h
  8. +50
    -63
      crypto/crmf/crmf_lib.c
  9. +4
    -12
      crypto/crmf/crmf_pbm.c
  10. +4
    -0
      crypto/err/openssl.txt
  11. +6
    -0
      crypto/init.c
  12. +101
    -0
      doc/internal/man3/ossl_cmp_asn1_octet_string_set1.pod
  13. +76
    -0
      doc/internal/man3/ossl_cmp_ctx_set1_caPubs.pod
  14. +60
    -0
      doc/internal/man3/ossl_cmp_sk_X509_add1_cert.pod
  15. +662
    -0
      doc/man3/OSSL_CMP_CTX_new.pod
  16. +6
    -0
      doc/man3/OSSL_CMP_ITAV_set0.pod
  17. +140
    -0
      doc/man3/OSSL_CMP_log_open.pod
  18. +15
    -0
      doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod
  19. +5
    -1
      doc/man3/OSSL_CRMF_MSG_set1_regCtrl_regToken.pod
  20. +4
    -0
      doc/man3/OSSL_CRMF_MSG_set1_regInfo_certReq.pod
  21. +10
    -7
      doc/man3/OSSL_CRMF_MSG_set_validity.pod
  22. +4
    -0
      doc/man3/OSSL_CRMF_pbmp_new.pod
  23. +2
    -7
      doc/man3/X509_dup.pod
  24. +116
    -15
      include/openssl/cmp.h
  25. +79
    -0
      include/openssl/cmp_util.h
  26. +4
    -0
      include/openssl/cmperr.h
  27. +14
    -12
      include/openssl/crmf.h
  28. +6
    -1
      include/openssl/ocsp.h
  29. +2
    -1
      include/openssl/trace.h
  30. +13
    -0
      test/build.info
  31. +132
    -0
      test/cmp_asn_test.c
  32. +859
    -0
      test/cmp_ctx_test.c
  33. +120
    -0
      test/cmp_testlib.c
  34. +34
    -0
      test/cmp_testlib.h
  35. +22
    -0
      test/recipes/65-test_cmp_asn.t
  36. +22
    -0
      test/recipes/65-test_cmp_ctx.t
  37. +175
    -119
      util/libcrypto.num
  38. +21
    -2
      util/private.num

+ 1
- 1
crypto/cmp/build.info View File

@ -1,2 +1,2 @@
LIBS=../../libcrypto
SOURCE[../../libcrypto]= cmp_asn.c cmp_err.c
SOURCE[../../libcrypto]= cmp_asn.c cmp_ctx.c cmp_err.c cmp_util.c

+ 23
- 3
crypto/cmp/cmp_asn.c View File

@ -7,8 +7,6 @@
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*
* CMP implementation by Martin Peylo, Miikka Viljanen, and David von Oheimb.
*/
#include <openssl/asn1t.h>
@ -166,8 +164,10 @@ int OSSL_CMP_ITAV_push0_stack_item(STACK_OF(OSSL_CMP_ITAV) **itav_sk_p,
{
int created = 0;
if (itav_sk_p == NULL)
if (itav_sk_p == NULL) {
CMPerr(0, CMP_R_NULL_ARGUMENT);
goto err;
}
if (*itav_sk_p == NULL) {
if ((*itav_sk_p = sk_OSSL_CMP_ITAV_new_null()) == NULL)
@ -187,6 +187,26 @@ int OSSL_CMP_ITAV_push0_stack_item(STACK_OF(OSSL_CMP_ITAV) **itav_sk_p,
return 0;
}
/* get ASN.1 encoded integer, return -1 on error */
int ossl_cmp_asn1_get_int(const ASN1_INTEGER *a)
{
int64_t res;
if (!ASN1_INTEGER_get_int64(&res, a)) {
CMPerr(0, ASN1_R_INVALID_NUMBER);
return -1;
}
if (res < INT_MIN) {
CMPerr(0, ASN1_R_TOO_SMALL);
return -1;
}
if (res > INT_MAX) {
CMPerr(0, ASN1_R_TOO_LARGE);
return -1;
}
return (int)res;
}
ASN1_CHOICE(OSSL_CMP_CERTORENCCERT) = {
/* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
ASN1_EXP(OSSL_CMP_CERTORENCCERT, value.certificate, X509, 0),


+ 1086
- 0
crypto/cmp/cmp_ctx.c
File diff suppressed because it is too large
View File


+ 8
- 2
crypto/cmp/cmp_err.c View File

@ -1,6 +1,7 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright Nokia 2007-2019
* Copyright Siemens AG 2015-2019
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -14,6 +15,11 @@
#ifndef OPENSSL_NO_ERR
static const ERR_STRING_DATA CMP_str_reasons[] = {
{ERR_PACK(ERR_LIB_CMP, 0, CMP_R_INVALID_ARGS), "invalid args"},
{ERR_PACK(ERR_LIB_CMP, 0, CMP_R_MULTIPLE_SAN_SOURCES),
"multiple san sources"},
{ERR_PACK(ERR_LIB_CMP, 0, CMP_R_NO_STDIO), "no stdio"},
{ERR_PACK(ERR_LIB_CMP, 0, CMP_R_NULL_ARGUMENT), "null argument"},
{0, NULL}
};


+ 158
- 22
crypto/cmp/cmp_int.h View File

@ -7,8 +7,6 @@
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*
* CMP implementation by Martin Peylo, Miikka Viljanen, and David von Oheimb.
*/
#ifndef OSSL_HEADER_CMP_INT_H
@ -26,6 +24,100 @@
# include <openssl/x509.h>
# include <openssl/x509v3.h>
/*
* this structure is used to store the context for CMP sessions
*/
struct ossl_cmp_ctx_st {
OSSL_cmp_log_cb_t log_cb; /* log callback for error/debug/etc. output */
OSSL_CMP_severity log_verbosity; /* level of verbosity of log output */
/* message transfer */
OSSL_cmp_transfer_cb_t transfer_cb; /* default: OSSL_CMP_MSG_http_perform */
void *transfer_cb_arg; /* allows to store optional argument to cb */
/* HTTP-based transfer */
char *serverPath;
char *serverName;
int serverPort;
char *proxyName;
int proxyPort;
int msgtimeout; /* max seconds to wait for each CMP message round trip */
int totaltimeout; /* maximum number seconds an enrollment may take, incl. */
/* attempts polling for a response if a 'waiting' PKIStatus is received */
time_t end_time; /* session start time + totaltimeout */
OSSL_cmp_http_cb_t http_cb;
void *http_cb_arg; /* allows to store optional argument to cb */
/* server authentication */
int unprotectedErrors; /* accept neg. response with no/invalid protection */
/* to cope with broken server */
X509 *srvCert; /* certificate used to identify the server */
X509 *validatedSrvCert; /* caches any already validated server cert */
X509_NAME *expected_sender; /* expected sender in pkiheader of response */
X509_STORE *trusted; /* trust store maybe w CRLs and cert verify callback */
STACK_OF(X509) *untrusted_certs; /* untrusted (intermediate) certs */
int ignore_keyusage; /* ignore key usage entry when validating certs */
int permitTAInExtraCertsForIR; /* allow use of root certs in extracerts */
/* when validating message protection; used for 3GPP-style E.7 */
/* client authentication */
int unprotectedSend; /* send unprotected PKI messages */
X509 *clCert; /* client cert used to identify and sign for MSG_SIG_ALG */
EVP_PKEY *pkey; /* the key pair corresponding to clCert */
ASN1_OCTET_STRING *referenceValue; /* optional user name for MSG_MAC_ALG */
ASN1_OCTET_STRING *secretValue; /* password/shared secret for MSG_MAC_ALG */
/* PBMParameters for MSG_MAC_ALG */
size_t pbm_slen; /* currently fixed to 16 */
int pbm_owf; /* NID of one-way function (OWF), default: SHA256 */
int pbm_itercnt; /* currently fixed to 500 */
int pbm_mac; /* NID of MAC algorithm, default: HMAC-SHA1 as per RFC 4210 */
/* CMP message header and extra certificates */
X509_NAME *recipient; /* to set in recipient in pkiheader */
int digest; /* NID of digest used in MSG_SIG_ALG and POPO, default SHA256 */
ASN1_OCTET_STRING *transactionID; /* the current transaction ID */
ASN1_OCTET_STRING *senderNonce; /* last nonce sent */
ASN1_OCTET_STRING *recipNonce; /* last nonce received */
STACK_OF(OSSL_CMP_ITAV) *geninfo_ITAVs;
int implicitConfirm; /* set implicitConfirm in IR/KUR/CR messages */
int disableConfirm; /* disable certConf in IR/KUR/CR for broken servers */
STACK_OF(X509) *extraCertsOut; /* to be included in request messages */
/* certificate template */
EVP_PKEY *newPkey; /* explicit new private/public key for cert enrollment */
int newPkey_priv; /* flag indicating if newPkey contains private key */
X509_NAME *issuer; /* issuer name to used in cert template */
int days; /* Number of days new certificates are asked to be valid for */
X509_NAME *subjectName; /* subject name to be used in the cert template */
STACK_OF(GENERAL_NAME) *subjectAltNames; /* to add to the cert template */
int SubjectAltName_nodefault;
int setSubjectAltNameCritical;
X509_EXTENSIONS *reqExtensions; /* exts to be added to cert template */
CERTIFICATEPOLICIES *policies; /* policies to be included in extensions */
int setPoliciesCritical;
int popoMethod; /* Proof-of-possession mechanism; default: signature */
X509 *oldCert; /* cert to be updated (via KUR) or to be revoked (via RR) */
X509_REQ *p10CSR; /* for P10CR: PKCS#10 CSR to be sent */
/* misc body contents */
int revocationReason; /* revocation reason code to be included in RR */
STACK_OF(OSSL_CMP_ITAV) *genm_ITAVs; /* content of general message */
/* result returned in responses */
int status; /* PKIStatus of last received IP/CP/KUP/RP/error or -1 */
/* TODO: this should be a stack since there could be more than one */
OSSL_CMP_PKIFREETEXT *statusString; /* of last IP/CP/KUP/RP/error */
int failInfoCode; /* failInfoCode of last received IP/CP/KUP/error, or -1 */
/* TODO: this should be a stack since there could be more than one */
X509 *newCert; /* newly enrolled cert received from the CA */
/* TODO: this should be a stack since there could be more than one */
STACK_OF(X509) *caPubs; /* CA certs received from server (in IP message) */
STACK_OF(X509) *extraCertsIn; /* extraCerts received from server */
/* certificate confirmation */
OSSL_cmp_certConf_cb_t certConf_cb; /* callback for app checking new cert */
void *certConf_cb_arg; /* allows to store an argument individual to cb */
} /* OSSL_CMP_CTX */;
/*
* ##########################################################################
* ASN.1 DECLARATIONS
@ -42,7 +134,7 @@
* -- extra CRL details (e.g., crl number, reason, location, etc.)
* }
*/
typedef struct OSSL_cmp_revanncontent_st {
typedef struct ossl_cmp_revanncontent_st {
ASN1_INTEGER *status;
OSSL_CRMF_CERTID *certId;
ASN1_GENERALIZEDTIME *willBeRevokedAt;
@ -75,7 +167,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_REVANNCONTENT)
* -- }
* }
*/
typedef struct OSSL_cmp_challenge_st {
typedef struct ossl_cmp_challenge_st {
X509_ALGOR *owf;
ASN1_OCTET_STRING *witness;
ASN1_OCTET_STRING *challenge;
@ -89,7 +181,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CHALLENGE)
* newWithNew Certificate
* }
*/
typedef struct OSSL_cmp_cakeyupdanncontent_st {
typedef struct ossl_cmp_cakeyupdanncontent_st {
X509 *oldWithNew;
X509 *newWithOld;
X509 *newWithNew;
@ -109,7 +201,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_MSGS)
* infoValue ANY DEFINED BY infoType OPTIONAL
* }
*/
struct OSSL_cmp_itav_st {
struct ossl_cmp_itav_st {
ASN1_OBJECT *infoType;
union {
char *ptr;
@ -148,8 +240,7 @@ struct OSSL_cmp_itav_st {
DECLARE_ASN1_FUNCTIONS(OSSL_CMP_ITAV)
DECLARE_ASN1_DUP_FUNCTION(OSSL_CMP_ITAV)
typedef struct OSSL_cmp_certorenccert_st {
typedef struct ossl_cmp_certorenccert_st {
int type;
union {
X509 *certificate;
@ -166,7 +257,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTORENCCERT)
* publicationInfo [1] PKIPublicationInfo OPTIONAL
* }
*/
typedef struct OSSL_cmp_certifiedkeypair_st {
typedef struct ossl_cmp_certifiedkeypair_st {
OSSL_CMP_CERTORENCCERT *certOrEncCert;
OSSL_CRMF_ENCRYPTEDVALUE *privateKey;
OSSL_CRMF_PKIPUBLICATIONINFO *publicationInfo;
@ -180,7 +271,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTIFIEDKEYPAIR)
* failInfo PKIFailureInfo OPTIONAL
* }
*/
struct OSSL_cmp_pkisi_st {
struct ossl_cmp_pkisi_st {
OSSL_CMP_PKISTATUS *status;
OSSL_CMP_PKIFREETEXT *statusString;
OSSL_CMP_PKIFAILUREINFO *failInfo;
@ -196,7 +287,7 @@ DECLARE_ASN1_DUP_FUNCTION(OSSL_CMP_PKISI)
* crlEntryDetails Extensions OPTIONAL
* }
*/
typedef struct OSSL_cmp_revdetails_st {
typedef struct ossl_cmp_revdetails_st {
OSSL_CRMF_CERTTEMPLATE *certDetails;
X509_EXTENSIONS *crlEntryDetails;
} OSSL_CMP_REVDETAILS;
@ -216,7 +307,7 @@ DEFINE_STACK_OF(OSSL_CMP_REVDETAILS)
* -- the resulting CRLs (there may be more than one)
* }
*/
struct OSSL_cmp_revrepcontent_st {
struct ossl_cmp_revrepcontent_st {
STACK_OF(OSSL_CMP_PKISI) *status;
STACK_OF(OSSL_CRMF_CERTID) *revCerts;
STACK_OF(X509_CRL) *crls;
@ -233,7 +324,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_REVREPCONTENT)
* CertifiedKeyPair OPTIONAL
* }
*/
typedef struct OSSL_cmp_keyrecrepcontent_st {
typedef struct ossl_cmp_keyrecrepcontent_st {
OSSL_CMP_PKISI *status;
X509 *newSigCert;
STACK_OF(X509) *caCerts;
@ -250,7 +341,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_KEYRECREPCONTENT)
* -- implementation-specific error details
* }
*/
typedef struct OSSL_cmp_errormsgcontent_st {
typedef struct ossl_cmp_errormsgcontent_st {
OSSL_CMP_PKISI *pKIStatusInfo;
ASN1_INTEGER *errorCode;
OSSL_CMP_PKIFREETEXT *errorDetails;
@ -269,7 +360,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_ERRORMSGCONTENT)
* statusInfo PKIStatusInfo OPTIONAL
* }
*/
struct OSSL_cmp_certstatus_st {
struct ossl_cmp_certstatus_st {
ASN1_OCTET_STRING *certHash;
ASN1_INTEGER *certReqId;
OSSL_CMP_PKISI *statusInfo;
@ -292,7 +383,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTCONFIRMCONTENT)
* -- for regInfo in CertReqMsg [CRMF]
* }
*/
struct OSSL_cmp_certresponse_st {
struct ossl_cmp_certresponse_st {
ASN1_INTEGER *certReqId;
OSSL_CMP_PKISI *status;
OSSL_CMP_CERTIFIEDKEYPAIR *certifiedKeyPair;
@ -307,7 +398,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTRESPONSE)
* response SEQUENCE OF CertResponse
* }
*/
struct OSSL_cmp_certrepmessage_st {
struct ossl_cmp_certrepmessage_st {
STACK_OF(X509) *caPubs;
STACK_OF(OSSL_CMP_CERTRESPONSE) *response;
} /* OSSL_CMP_CERTREPMESSAGE */;
@ -318,7 +409,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTREPMESSAGE)
* certReqId INTEGER
* }
*/
typedef struct OSSL_cmp_pollreq_st {
typedef struct ossl_cmp_pollreq_st {
ASN1_INTEGER *certReqId;
} OSSL_CMP_POLLREQ;
DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POLLREQ)
@ -333,7 +424,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POLLREQCONTENT)
* reason PKIFreeText OPTIONAL
* }
*/
struct OSSL_cmp_pollrep_st {
struct ossl_cmp_pollrep_st {
ASN1_INTEGER *certReqId;
ASN1_INTEGER *checkAfter;
OSSL_CMP_PKIFREETEXT *reason;
@ -377,7 +468,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POLLREPCONTENT)
* -- (this field not primarily intended for human consumption)
* }
*/
struct OSSL_cmp_pkiheader_st {
struct ossl_cmp_pkiheader_st {
ASN1_INTEGER *pvno;
GENERAL_NAME *sender;
GENERAL_NAME *recipient;
@ -435,7 +526,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_GENREPCONTENT)
* pollReq [25] PollReqContent, --Polling request
* pollRep [26] PollRepContent --Polling response
*/
typedef struct OSSL_cmp_pkibody_st {
typedef struct ossl_cmp_pkibody_st {
int type;
union {
OSSL_CRMF_MSGS *ir; /* 0 */
@ -521,7 +612,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_PKIBODY)
* OPTIONAL
* }
*/
struct OSSL_cmp_msg_st {
struct ossl_cmp_msg_st {
OSSL_CMP_PKIHEADER *header;
OSSL_CMP_PKIBODY *body;
ASN1_BIT_STRING *protection; /* 0 */
@ -529,6 +620,7 @@ struct OSSL_cmp_msg_st {
STACK_OF(X509) *extraCerts; /* 1 */
} /* OSSL_CMP_MSG */;
DECLARE_ASN1_FUNCTIONS(OSSL_CMP_MSG)
DECLARE_ASN1_DUP_FUNCTION(OSSL_CMP_MSG)
/*-
* ProtectedPart ::= SEQUENCE {
@ -586,4 +678,48 @@ DECLARE_ASN1_FUNCTIONS(CMP_PROTECTEDPART)
* }
*/
/*
* functions
*/
/* from cmp_asn.c */
int ossl_cmp_asn1_get_int(const ASN1_INTEGER *a);
/* from cmp_util.c */
const char *ossl_cmp_log_parse_metadata(const char *buf,
OSSL_CMP_severity *level, char **func,
char **file, int *line);
/* workaround for 4096 bytes limitation of ERR_print_errors_cb() */
void ossl_cmp_add_error_txt(const char *separator, const char *txt);
# define ossl_cmp_add_error_data(txt) ossl_cmp_add_error_txt(" : ", txt)
# define ossl_cmp_add_error_line(txt) ossl_cmp_add_error_txt("\n", txt)
/* functions manipulating lists of certificates etc could be generally useful */
int ossl_cmp_sk_X509_add1_cert (STACK_OF(X509) *sk, X509 *cert,
int no_dup, int prepend);
int ossl_cmp_sk_X509_add1_certs(STACK_OF(X509) *sk, STACK_OF(X509) *certs,
int no_self_signed, int no_dups, int prepend);
int ossl_cmp_X509_STORE_add1_certs(X509_STORE *store, STACK_OF(X509) *certs,
int only_self_signed);
STACK_OF(X509) *ossl_cmp_X509_STORE_get1_certs(X509_STORE *store);
int ossl_cmp_asn1_octet_string_set1(ASN1_OCTET_STRING **tgt,
const ASN1_OCTET_STRING *src);
int ossl_cmp_asn1_octet_string_set1_bytes(ASN1_OCTET_STRING **tgt,
const unsigned char *bytes, int len);
STACK_OF(X509) *ossl_cmp_build_cert_chain(STACK_OF(X509) *certs, X509 *cert);
/* from cmp_ctx.c */
int ossl_cmp_ctx_set0_validatedSrvCert(OSSL_CMP_CTX *ctx, X509 *cert);
int ossl_cmp_ctx_set_status(OSSL_CMP_CTX *ctx, int status);
int ossl_cmp_ctx_set0_statusString(OSSL_CMP_CTX *ctx,
OSSL_CMP_PKIFREETEXT *text);
int ossl_cmp_ctx_set_failInfoCode(OSSL_CMP_CTX *ctx, int fail_info);
int ossl_cmp_ctx_set0_newCert(OSSL_CMP_CTX *ctx, X509 *cert);
int ossl_cmp_ctx_set1_caPubs(OSSL_CMP_CTX *ctx, STACK_OF(X509) *caPubs);
int ossl_cmp_ctx_set1_extraCertsIn(OSSL_CMP_CTX *ctx,
STACK_OF(X509) *extraCertsIn);
int ossl_cmp_ctx_set1_recipNonce(OSSL_CMP_CTX *ctx,
const ASN1_OCTET_STRING *nonce);
# define OSSL_CMP_TRANSACTIONID_LENGTH 16
#endif /* !defined OSSL_HEADER_CMP_INT_H */

+ 449
- 0
crypto/cmp/cmp_util.c View File

@ -0,0 +1,449 @@
/*
* Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright Nokia 2007-2019
* Copyright Siemens AG 2015-2019
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#include <string.h>
#include <openssl/cmp_util.h>
#include "cmp_int.h" /* just for decls of internal functions defined here */
#include <openssl/cmperr.h>
#include <openssl/err.h> /* should be implied by cmperr.h */
#include <openssl/x509v3.h>
/*
* use trace API for CMP-specific logging, prefixed by "CMP " and severity
*/
int OSSL_CMP_log_open(void) /* is designed to be idempotent */
{
#ifndef OPENSSL_NO_STDIO
BIO *bio = BIO_new_fp(stdout, BIO_NOCLOSE);
if (bio != NULL && OSSL_trace_set_channel(OSSL_TRACE_CATEGORY_CMP, bio))
return 1;
BIO_free(bio);
#endif
CMPerr(0, CMP_R_NO_STDIO);
return 0;
}
void OSSL_CMP_log_close(void) /* is designed to be idempotent */
{
(void)OSSL_trace_set_channel(OSSL_TRACE_CATEGORY_CMP, NULL);
}
/* return >= 0 if level contains logging level, possibly preceded by "CMP " */
#define max_level_len 5 /* = max length of the below strings, e.g., "EMERG" */
static OSSL_CMP_severity parse_level(const char *level)
{
const char *end_level = strchr(level, ':');
int len;
char level_copy[max_level_len + 1];
if (end_level == NULL)
return -1;
if (strncmp(level, OSSL_CMP_LOG_PREFIX,
strlen(OSSL_CMP_LOG_PREFIX)) == 0)
level += strlen(OSSL_CMP_LOG_PREFIX);
len = end_level - level;
if (len > max_level_len)
return -1;
OPENSSL_strlcpy(level_copy, level, len + 1);
return
strcmp(level_copy, "EMERG") == 0 ? OSSL_CMP_LOG_EMERG :
strcmp(level_copy, "ALERT") == 0 ? OSSL_CMP_LOG_ALERT :
strcmp(level_copy, "CRIT") == 0 ? OSSL_CMP_LOG_CRIT :
strcmp(level_copy, "ERROR") == 0 ? OSSL_CMP_LOG_ERR :
strcmp(level_copy, "WARN") == 0 ? OSSL_CMP_LOG_WARNING :
strcmp(level_copy, "NOTE") == 0 ? OSSL_CMP_LOG_NOTICE :
strcmp(level_copy, "INFO") == 0 ? OSSL_CMP_LOG_INFO :
strcmp(level_copy, "DEBUG") == 0 ? OSSL_CMP_LOG_DEBUG :
-1;
}
const char *ossl_cmp_log_parse_metadata(const char *buf,
OSSL_CMP_severity *level, char **func, char **file, int *line)
{
const char *p_func = buf;
const char *p_file = buf == NULL ? NULL : strchr(buf, ':');
const char *p_level = buf;
const char *msg = buf;
*level = -1;
*func = NULL;
*file = NULL;
*line = 0;
if (p_file != NULL) {
const char *p_line = strchr(++p_file, ':');
if ((*level = parse_level(buf)) < 0 && p_line != NULL) {
/* check if buf contains location info and logging level */
char *p_level_tmp = (char *)p_level;
const long line_number = strtol(++p_line, &p_level_tmp, 10);
p_level = p_level_tmp;
if (p_level > p_line && *(p_level++) == ':') {
if ((*level = parse_level(p_level)) >= 0) {
*func = OPENSSL_strndup(p_func, p_file - 1 - p_func);
*file = OPENSSL_strndup(p_file, p_line - 1 - p_file);
/* no real problem if OPENSSL_strndup() returns NULL */
*line = (int)line_number;
msg = strchr(p_level, ':') + 1;
if (*msg == ' ')
msg++;
}
}
}
}
return msg;
}
/*
* auxiliary function for incrementally reporting texts via the error queue
*/
static void put_error(int lib, const char *func, int reason,
const char *file, int line)
{
ERR_new();
ERR_set_debug(file, line, func);
ERR_set_error(lib, reason, NULL /* no data here, so fmt is NULL */);
}
#define ERR_print_errors_cb_LIMIT 4096 /* size of char buf[] variable there */
#define TYPICAL_MAX_OUTPUT_BEFORE_DATA 100
#define MAX_DATA_LEN (ERR_print_errors_cb_LIMIT-TYPICAL_MAX_OUTPUT_BEFORE_DATA)
void ossl_cmp_add_error_txt(const char *separator, const char *txt)
{
const char *file = NULL;
int line;
const char *func = NULL;
const char *data = NULL;
int flags;
unsigned long err = ERR_peek_last_error();
if (separator == NULL)
separator = "";
if (err == 0)
put_error(ERR_LIB_CMP, NULL, 0, "", 0);
do {
size_t available_len, data_len;
const char *curr = txt, *next = txt;
char *tmp;
ERR_peek_last_error_all(&file, &line, &func, &data, &flags);
if ((flags & ERR_TXT_STRING) == 0) {
data = "";
separator = "";
}
data_len = strlen(data);
/* workaround for limit of ERR_print_errors_cb() */
if (data_len >= MAX_DATA_LEN
|| strlen(separator) >= (size_t)(MAX_DATA_LEN - data_len))
available_len = 0;
else
available_len = MAX_DATA_LEN - data_len - strlen(separator) - 1;
/* MAX_DATA_LEN > available_len >= 0 */
if (separator[0] == '\0') {
const size_t len_next = strlen(next);
if (len_next <= available_len) {
next += len_next;
curr = NULL; /* no need to split */
}
else {
next += available_len;
curr = next; /* will split at this point */
}
} else {
while (*next != '\0' && (size_t)(next - txt) <= available_len) {
curr = next;
next = strstr(curr, separator);
if (next != NULL)
next += strlen(separator);
else
next = curr + strlen(curr);
}
if ((size_t)(next - txt) <= available_len)
curr = NULL; /* the above loop implies *next == '\0' */
}
if (curr != NULL) {
/* split error msg at curr since error data would get too long */
if (curr != txt) {
tmp = OPENSSL_strndup(txt, curr - txt);
if (tmp == NULL)
return;
ERR_add_error_data(2, separator, tmp);
OPENSSL_free(tmp);
}
put_error(ERR_LIB_CMP, func, err, file, line);
txt = curr;
} else {
ERR_add_error_data(2, separator, txt);
txt = next; /* finished */
}
} while (*txt != '\0');
}
/* this is similar to ERR_print_errors_cb, but uses the CMP-specific cb type */
void OSSL_CMP_print_errors_cb(OSSL_cmp_log_cb_t log_fn)
{
unsigned long err;
char msg[ERR_print_errors_cb_LIMIT];
const char *file = NULL, *func = NULL, *data = NULL;
int line, flags;
if (log_fn == NULL) {
#ifndef OPENSSL_NO_STDIO
ERR_print_errors_fp(stderr);
#else
/* CMPerr(0, CMP_R_NO_STDIO) makes no sense during error printing */
#endif
return;
}
while ((err = ERR_get_error_all(&file, &line, &func, &data, &flags)) != 0) {
char component[128];
const char *func_ = func != NULL && *func != '\0' ? func : "<unknown>";
if (!(flags & ERR_TXT_STRING))
data = NULL;
#ifdef OSSL_CMP_PRINT_LIBINFO
BIO_snprintf(component, sizeof(component), "OpenSSL:%s:%s",
ERR_lib_error_string(err), func_);
#else
BIO_snprintf(component, sizeof(component), "%s",func_);
#endif
BIO_snprintf(msg, sizeof(msg), "%s%s%s", ERR_reason_error_string(err),
data == NULL ? "" : " : ", data == NULL ? "" : data);
if (log_fn(component, file, line, OSSL_CMP_LOG_ERR, msg) <= 0)
break; /* abort outputting the error report */
}
}
/*
* functions manipulating lists of certificates etc.
* these functions could be generally useful.
*/
int ossl_cmp_sk_X509_add1_cert(STACK_OF(X509) *sk, X509 *cert,
int no_dup, int prepend)
{
if (sk == NULL) {
CMPerr(0, CMP_R_NULL_ARGUMENT);
return 0;
}
if (no_dup) {
/*
* not using sk_X509_set_cmp_func() and sk_X509_find()
* because this re-orders the certs on the stack
*/
int i;
for (i = 0; i < sk_X509_num(sk); i++) {
if (X509_cmp(sk_X509_value(sk, i), cert) == 0)
return 1;
}
}
if (!X509_up_ref(cert))
return 0;
if (!sk_X509_insert(sk, cert, prepend ? 0 : -1)) {
X509_free(cert);
return 0;
}
return 1;
}
int ossl_cmp_sk_X509_add1_certs(STACK_OF(X509) *sk, STACK_OF(X509) *certs,
int no_self_signed, int no_dups, int prepend)
/* compiler would allow 'const' for the list of certs, yet they are up-ref'ed */
{
int i;
if (sk == NULL) {
CMPerr(0, CMP_R_NULL_ARGUMENT);
return 0;
}
for (i = 0; i < sk_X509_num(certs); i++) { /* certs may be NULL */
X509 *cert = sk_X509_value(certs, i);
if (!no_self_signed || X509_check_issued(cert, cert) != X509_V_OK) {
if (!ossl_cmp_sk_X509_add1_cert(sk, cert, no_dups, prepend))
return 0;
}
}
return 1;
}
int ossl_cmp_X509_STORE_add1_certs(X509_STORE *store, STACK_OF(X509) *certs,
int only_self_signed)
{
int i;
if (store == NULL) {
CMPerr(0, CMP_R_NULL_ARGUMENT);
return 0;
}
if (certs == NULL)
return 1;
for (i = 0; i < sk_X509_num(certs); i++) {
X509 *cert = sk_X509_value(certs, i);
if (!only_self_signed || X509_check_issued(cert, cert) == X509_V_OK)
if (!X509_STORE_add_cert(store, cert)) /* ups cert ref counter */
return 0;
}
return 1;
}
STACK_OF(X509) *ossl_cmp_X509_STORE_get1_certs(X509_STORE *store)
{
int i;
STACK_OF(X509) *sk;
STACK_OF(X509_OBJECT) *objs;
if (store == NULL) {
CMPerr(0, CMP_R_NULL_ARGUMENT);
return 0;
}
if ((sk = sk_X509_new_null()) == NULL)
return NULL;
objs = X509_STORE_get0_objects(store);
for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
X509 *cert = X509_OBJECT_get0_X509(sk_X509_OBJECT_value(objs, i));
if (cert != NULL) {
if (!sk_X509_push(sk, cert))
goto err;
if (!X509_up_ref(cert)) {
(void)sk_X509_pop(sk);
goto err;
}
}
}
return sk;
err:
sk_X509_pop_free(sk, X509_free);
return NULL;
}
/*-
* Builds up the certificate chain of certs as high up as possible using
* the given list of certs containing all possible intermediate certificates and
* optionally the (possible) trust anchor(s). See also ssl_add_cert_chain().
*
* Intended use of this function is to find all the certificates above the trust
* anchor needed to verify an EE's own certificate. Those are supposed to be
* included in the ExtraCerts field of every first sent message of a transaction
* when MSG_SIG_ALG is utilized.
*
* NOTE: This allocates a stack and increments the reference count of each cert,
* so when not needed any more the stack and all its elements should be freed.
* NOTE: in case there is more than one possibility for the chain,
* OpenSSL seems to take the first one, check X509_verify_cert() for details.
*
* returns a pointer to a stack of (up_ref'ed) X509 certificates containing:
* - the EE certificate given in the function arguments (cert)
* - all intermediate certificates up the chain toward the trust anchor
* whereas the (self-signed) trust anchor is not included
* returns NULL on error
*/
STACK_OF(X509) *ossl_cmp_build_cert_chain(STACK_OF(X509) *certs, X509 *cert)
{
STACK_OF(X509) *chain = NULL, *result = NULL;
X509_STORE *store = X509_STORE_new();
X509_STORE_CTX *csc = NULL;
if (certs == NULL || cert == NULL || store == NULL) {
CMPerr(0, CMP_R_NULL_ARGUMENT);
goto err;
}
csc = X509_STORE_CTX_new();
if (csc == NULL)
goto err;
if (!ossl_cmp_X509_STORE_add1_certs(store, certs, 0)
|| !X509_STORE_CTX_init(csc, store, cert, NULL))
goto err;
(void)ERR_set_mark();
/*
* ignore return value as it would fail without trust anchor given in store
*/
(void)X509_verify_cert(csc);
/* don't leave any new errors in the queue */
(void)ERR_pop_to_mark();
chain = X509_STORE_CTX_get0_chain(csc);
/* result list to store the up_ref'ed not self-signed certificates */
if ((result = sk_X509_new_null()) == NULL)
goto err;
if (!ossl_cmp_sk_X509_add1_certs(result, chain, 1 /* no self-signed */,
1 /* no duplicates */, 0)) {
sk_X509_free(result);
result = NULL;
}
err:
X509_STORE_free(store);
X509_STORE_CTX_free(csc);
return result;
}
int ossl_cmp_asn1_octet_string_set1(ASN1_OCTET_STRING **tgt,
const ASN1_OCTET_STRING *src)
{
if (tgt == NULL) {
CMPerr(0, CMP_R_NULL_ARGUMENT);
return 0;
}
if (*tgt == src) /* self-assignment */
return 1;
ASN1_OCTET_STRING_free(*tgt);
if (src != NULL) {
if ((*tgt = ASN1_OCTET_STRING_dup(src)) == NULL)
return 0;
} else {
*tgt = NULL;
}
return 1;
}
int ossl_cmp_asn1_octet_string_set1_bytes(ASN1_OCTET_STRING **tgt,
const unsigned char *bytes, int len)
{
ASN1_OCTET_STRING *new = NULL;
if (tgt == NULL) {
CMPerr(0, CMP_R_NULL_ARGUMENT);
return 0;
}
if (bytes != NULL) {
if ((new = ASN1_OCTET_STRING_new()) == NULL
|| !(ASN1_OCTET_STRING_set(new, bytes, len))) {
ASN1_OCTET_STRING_free(new);
return 0;
}
}
ASN1_OCTET_STRING_free(*tgt);
*tgt = new;
return 1;
}

+ 19
- 19
crypto/crmf/crmf_int.h View File

@ -42,7 +42,7 @@
* -- the encrypted value itself
* }
*/
struct OSSL_crmf_encryptedvalue_st {
struct ossl_crmf_encryptedvalue_st {
X509_ALGOR *intendedAlg; /* 0 */
X509_ALGOR *symmAlg; /* 1 */
ASN1_BIT_STRING *encSymmKey; /* 2 */
@ -62,7 +62,7 @@ struct OSSL_crmf_encryptedvalue_st {
* attributes [0] IMPLICIT Attributes OPTIONAL
* }
*/
typedef struct OSSL_crmf_privatekeyinfo_st {
typedef struct ossl_crmf_privatekeyinfo_st {
ASN1_INTEGER *version;
X509_ALGOR *privateKeyAlgorithm;
ASN1_OCTET_STRING *privateKey;
@ -82,7 +82,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_PRIVATEKEYINFO)
* } OPTIONAL
* }
*/
typedef struct OSSL_crmf_enckeywithid_identifier_st {
typedef struct ossl_crmf_enckeywithid_identifier_st {
int type;
union {
ASN1_UTF8STRING *string;
@ -91,7 +91,7 @@ typedef struct OSSL_crmf_enckeywithid_identifier_st {
} OSSL_CRMF_ENCKEYWITHID_IDENTIFIER;
DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_ENCKEYWITHID_IDENTIFIER)
typedef struct OSSL_crmf_enckeywithid_st {
typedef struct ossl_crmf_enckeywithid_st {
OSSL_CRMF_PRIVATEKEYINFO *privateKey;
/* [0] */
OSSL_CRMF_ENCKEYWITHID_IDENTIFIER *identifier;
@ -104,7 +104,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_ENCKEYWITHID)
* serialNumber INTEGER
* }
*/
struct OSSL_crmf_certid_st {
struct ossl_crmf_certid_st {
GENERAL_NAME *issuer;
ASN1_INTEGER *serialNumber;
} /* OSSL_CRMF_CERTID */;
@ -120,7 +120,7 @@ DECLARE_ASN1_DUP_FUNCTION(OSSL_CRMF_CERTID)
* pubLocation GeneralName OPTIONAL
* }
*/
struct OSSL_crmf_singlepubinfo_st {
struct ossl_crmf_singlepubinfo_st {
ASN1_INTEGER *pubMethod;
GENERAL_NAME *pubLocation;
} /* OSSL_CRMF_SINGLEPUBINFO */;
@ -139,7 +139,7 @@ typedef STACK_OF(OSSL_CRMF_SINGLEPUBINFO) OSSL_CRMF_PUBINFOS;
* -- "dontCare" is assumed)
* }
*/
struct OSSL_crmf_pkipublicationinfo_st {
struct ossl_crmf_pkipublicationinfo_st {
ASN1_INTEGER *action;
OSSL_CRMF_PUBINFOS *pubInfos;
} /* OSSL_CRMF_PKIPUBLICATIONINFO */;
@ -153,7 +153,7 @@ DECLARE_ASN1_DUP_FUNCTION(OSSL_CRMF_PKIPUBLICATIONINFO)
* value BIT STRING
* }
*/
typedef struct OSSL_crmf_pkmacvalue_st {
typedef struct ossl_crmf_pkmacvalue_st {
X509_ALGOR *algId;
ASN1_BIT_STRING *value;
} OSSL_CRMF_PKMACVALUE;
@ -182,7 +182,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_PKMACVALUE)
* }
*/
typedef struct OSSL_crmf_popoprivkey_st {
typedef struct ossl_crmf_popoprivkey_st {
int type;
union {
ASN1_BIT_STRING *thisMessage; /* 0 */ /* Deprecated */
@ -211,7 +211,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPOPRIVKEY)
* -- or HMAC [HMAC, RFC2202])
* }
*/
struct OSSL_crmf_pbmparameter_st {
struct ossl_crmf_pbmparameter_st {
ASN1_OCTET_STRING *salt;
X509_ALGOR *owf;
ASN1_INTEGER *iterationCount;
@ -233,7 +233,7 @@ struct OSSL_crmf_pbmparameter_st {
* publicKey SubjectPublicKeyInfo -- from CertTemplate
* }
*/
typedef struct OSSL_crmf_poposigningkeyinput_authinfo_st {
typedef struct ossl_crmf_poposigningkeyinput_authinfo_st {
int type;
union {
/* 0 */ GENERAL_NAME *sender;
@ -242,7 +242,7 @@ typedef struct OSSL_crmf_poposigningkeyinput_authinfo_st {
} OSSL_CRMF_POPOSIGNINGKEYINPUT_AUTHINFO;
DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPOSIGNINGKEYINPUT_AUTHINFO)
typedef struct OSSL_crmf_poposigningkeyinput_st {
typedef struct ossl_crmf_poposigningkeyinput_st {
OSSL_CRMF_POPOSIGNINGKEYINPUT_AUTHINFO *authInfo;
X509_PUBKEY *publicKey;
} OSSL_CRMF_POPOSIGNINGKEYINPUT;
@ -255,7 +255,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPOSIGNINGKEYINPUT)
* signature BIT STRING
* }
*/
struct OSSL_crmf_poposigningkey_st {
struct ossl_crmf_poposigningkey_st {
OSSL_CRMF_POPOSIGNINGKEYINPUT *poposkInput;
X509_ALGOR *algorithmIdentifier;
ASN1_BIT_STRING *signature;
@ -272,7 +272,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPOSIGNINGKEY)
* keyAgreement [3] POPOPrivKey
* }
*/
typedef struct OSSL_crmf_popo_st {
typedef struct ossl_crmf_popo_st {
int type;
union {
ASN1_NULL *raVerified; /* 0 */
@ -289,7 +289,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPO)
* notAfter [1] Time OPTIONAL -- at least one MUST be present
* }
*/
struct OSSL_crmf_optionalvalidity_st {
struct ossl_crmf_optionalvalidity_st {
/* 0 */ ASN1_TIME *notBefore;
/* 1 */ ASN1_TIME *notAfter;
} /* OSSL_CRMF_OPTIONALVALIDITY */;
@ -309,7 +309,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_OPTIONALVALIDITY)
* extensions [9] Extensions OPTIONAL
* }
*/
struct OSSL_crmf_certtemplate_st {
struct ossl_crmf_certtemplate_st {
ASN1_INTEGER *version; /* 0 */
ASN1_INTEGER *serialNumber; /* 1 */ /* serialNumber MUST be omitted */
/* This field is assigned by the CA during certificate creation */
@ -333,7 +333,7 @@ struct OSSL_crmf_certtemplate_st {
* controls Controls OPTIONAL -- Attributes affecting issuance
* }
*/
struct OSSL_crmf_certrequest_st {
struct ossl_crmf_certrequest_st {
ASN1_INTEGER *certReqId;
OSSL_CRMF_CERTTEMPLATE *certTemplate;
/* TODO: make OSSL_CRMF_CONTROLS out of that - but only cosmetical */
@ -343,7 +343,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_CERTREQUEST)
DECLARE_ASN1_DUP_FUNCTION(OSSL_CRMF_CERTREQUEST)
/* TODO: isn't there a better way to have this for ANY type? */
struct OSSL_crmf_attributetypeandvalue_st {
struct ossl_crmf_attributetypeandvalue_st {
ASN1_OBJECT *type;
union {
/* NID_id_regCtrl_regToken */
@ -383,7 +383,7 @@ DECLARE_ASN1_DUP_FUNCTION(OSSL_CRMF_ATTRIBUTETYPEANDVALUE)
* regInfo SEQUENCE SIZE(1..MAX) OF AttributeTypeAndValue OPTIONAL
* }
*/
struct OSSL_crmf_msg_st {
struct ossl_crmf_msg_st {
OSSL_CRMF_CERTREQUEST *certReq;
/* 0 */
OSSL_CRMF_POPO *popo;


+ 50
- 63
crypto/crmf/crmf_lib.c View File

@ -82,16 +82,14 @@ static int OSSL_CRMF_MSG_push0_regCtrl(OSSL_CRMF_MSG *crm,
if (crm->certReq->controls == NULL) {
crm->certReq->controls = sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_new_null();
if (crm->certReq->controls == NULL)
goto oom;
goto err;
new = 1;
}
if (!sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_push(crm->certReq->controls, ctrl))
goto oom;
goto err;
return 1;
oom:
CRMFerr(CRMF_F_OSSL_CRMF_MSG_PUSH0_REGCTRL, ERR_R_MALLOC_FAILURE);
err:
if (new != 0) {
sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_free(crm->certReq->controls);
crm->certReq->controls = NULL;
@ -136,16 +134,9 @@ int OSSL_CRMF_MSG_PKIPublicationInfo_push0_SinglePubInfo(
if (pi->pubInfos == NULL)
pi->pubInfos = sk_OSSL_CRMF_SINGLEPUBINFO_new_null();
if (pi->pubInfos == NULL)
goto oom;
if (!sk_OSSL_CRMF_SINGLEPUBINFO_push(pi->pubInfos, spi))
goto oom;
return 1;
return 0;
oom:
CRMFerr(CRMF_F_OSSL_CRMF_MSG_PKIPUBLICATIONINFO_PUSH0_SINGLEPUBINFO,
ERR_R_MALLOC_FAILURE);
return 0;
return sk_OSSL_CRMF_SINGLEPUBINFO_push(pi->pubInfos, spi);
}
int OSSL_CRMF_MSG_set_PKIPublicationInfo_action(
@ -180,20 +171,19 @@ OSSL_CRMF_CERTID *OSSL_CRMF_CERTID_gen(const X509_NAME *issuer,
}
if ((cid = OSSL_CRMF_CERTID_new()) == NULL)
goto oom;
goto err;
if (!X509_NAME_set(&cid->issuer->d.directoryName, issuer))
goto oom;
goto err;
cid->issuer->type = GEN_DIRNAME;
ASN1_INTEGER_free(cid->serialNumber);
if ((cid->serialNumber = ASN1_INTEGER_dup(serial)) == NULL)
goto oom;
goto err;
return cid;
oom:
CRMFerr(CRMF_F_OSSL_CRMF_CERTID_GEN, ERR_R_MALLOC_FAILURE);
err:
OSSL_CRMF_CERTID_free(cid);
return NULL;
}
@ -222,13 +212,12 @@ static int OSSL_CRMF_MSG_push0_regInfo(OSSL_CRMF_MSG *crm,
if (crm->regInfo == NULL)
crm->regInfo = info = sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_new_null();
if (crm->regInfo == NULL)
goto oom;
goto err;
if (!sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_push(crm->regInfo, ri))
goto oom;
goto err;
return 1;
oom:
CRMFerr(CRMF_F_OSSL_CRMF_MSG_PUSH0_REGINFO, ERR_R_MALLOC_FAILURE);
err:
if (info != NULL)
crm->regInfo = NULL;
sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_free(info);
@ -266,11 +255,11 @@ int OSSL_CRMF_MSG_set_validity(OSSL_CRMF_MSG *crm, time_t from, time_t to)
}
if (from != 0 && ((from_asn = ASN1_TIME_set(NULL, from)) == NULL))
goto oom;
goto err;
if (to != 0 && ((to_asn = ASN1_TIME_set(NULL, to)) == NULL))
goto oom;
goto err;
if ((vld = OSSL_CRMF_OPTIONALVALIDITY_new()) == NULL)
goto oom;
goto err;
vld->notBefore = from_asn;
vld->notAfter = to_asn;
@ -278,8 +267,7 @@ int OSSL_CRMF_MSG_set_validity(OSSL_CRMF_MSG *crm, time_t from, time_t to)
tmpl->validity = vld;
return 1;
oom:
CRMFerr(CRMF_F_OSSL_CRMF_MSG_SET_VALIDITY, ERR_R_MALLOC_FAILURE);
err:
ASN1_TIME_free(from_asn);
ASN1_TIME_free(to_asn);
return 0;
@ -348,7 +336,7 @@ int OSSL_CRMF_MSG_set0_extensions(OSSL_CRMF_MSG *crm,
int OSSL_CRMF_MSG_push0_extension(OSSL_CRMF_MSG *crm,
const X509_EXTENSION *ext)
X509_EXTENSION *ext)
{
int new = 0;
OSSL_CRMF_CERTTEMPLATE *tmpl = OSSL_CRMF_MSG_get0_tmpl(crm);
@ -360,16 +348,14 @@ int OSSL_CRMF_MSG_push0_extension(OSSL_CRMF_MSG *crm,
if (tmpl->extensions == NULL) {
if ((tmpl->extensions = sk_X509_EXTENSION_new_null()) == NULL)
goto oom;
goto err;
new = 1;
}
if (!sk_X509_EXTENSION_push(tmpl->extensions, (X509_EXTENSION *)ext))
goto oom;
if (!sk_X509_EXTENSION_push(tmpl->extensions, ext))
goto err;
return 1;
oom:
CRMFerr(CRMF_F_OSSL_CRMF_MSG_PUSH0_EXTENSION, ERR_R_MALLOC_FAILURE);
err:
if (new != 0) {
sk_X509_EXTENSION_free(tmpl->extensions);
tmpl->extensions = NULL;
@ -428,10 +414,8 @@ static int CRMF_poposigningkey_init(OSSL_CRMF_POPOSIGNINGKEY *ps,
CRMFerr(CRMF_F_CRMF_POPOSIGNINGKEY_INIT, CRMF_R_ERROR);
goto err;
}
if ((sig = OPENSSL_malloc(siglen)) == NULL) {
CRMFerr(CRMF_F_CRMF_POPOSIGNINGKEY_INIT, ERR_R_MALLOC_FAILURE);
if ((sig = OPENSSL_malloc(siglen)) == NULL)
goto err;
}
if (EVP_DigestSignFinal(ctx, sig, &siglen) <= 0
|| !ASN1_BIT_STRING_set(ps->signature, sig, siglen)) {
CRMFerr(CRMF_F_CRMF_POPOSIGNINGKEY_INIT, CRMF_R_ERROR);
@ -461,13 +445,13 @@ int OSSL_CRMF_MSG_create_popo(OSSL_CRMF_MSG *crm, EVP_PKEY *pkey,
if (ppmtd == OSSL_CRMF_POPO_NONE)
goto end;
if ((pp = OSSL_CRMF_POPO_new()) == NULL)
goto oom;
goto err;
pp->type = ppmtd;
switch (ppmtd) {
case OSSL_CRMF_POPO_RAVERIFIED:
if ((pp->value.raVerified = ASN1_NULL_new()) == NULL)
goto oom;
goto err;
break;
case OSSL_CRMF_POPO_SIGNATURE:
@ -484,14 +468,14 @@ int OSSL_CRMF_MSG_create_popo(OSSL_CRMF_MSG *crm, EVP_PKEY *pkey,
case OSSL_CRMF_POPO_KEYENC:
if ((pp->value.keyEncipherment = OSSL_CRMF_POPOPRIVKEY_new()) == NULL)
goto oom;
goto err;
tag = ASN1_INTEGER_new();
pp->value.keyEncipherment->type =
OSSL_CRMF_POPOPRIVKEY_SUBSEQUENTMESSAGE;
pp->value.keyEncipherment->value.subsequentMessage = tag;
if (tag == NULL
|| !ASN1_INTEGER_set(tag, OSSL_CRMF_SUBSEQUENTMESSAGE_ENCRCERT))
goto oom;
goto err;
break;
default:
@ -505,8 +489,6 @@ int OSSL_CRMF_MSG_create_popo(OSSL_CRMF_MSG *crm, EVP_PKEY *pkey,
crm->popo = pp;
return 1;
oom:
CRMFerr(CRMF_F_OSSL_CRMF_MSG_CREATE_POPO, ERR_R_MALLOC_FAILURE);
err:
OSSL_CRMF_POPO_free(pp);
return 0;
@ -609,7 +591,20 @@ X509_NAME *OSSL_CRMF_CERTTEMPLATE_get0_issuer(OSSL_CRMF_CERTTEMPLATE *tmpl)
return tmpl != NULL ? tmpl->issuer : NULL;
}
/*
/* retrieves the issuer name of the given CertId or NULL on error */
X509_NAME *OSSL_CRMF_CERTID_get0_issuer(const OSSL_CRMF_CERTID *cid)
{
return cid != NULL && cid->issuer->type == GEN_DIRNAME ?
cid->issuer->d.directoryName : NULL;
}
/* retrieves the serialNumber of the given CertId or NULL on error */
ASN1_INTEGER *OSSL_CRMF_CERTID_get0_serialNumber(const OSSL_CRMF_CERTID *cid)
{
return cid != NULL ? cid->serialNumber : NULL;
}
/*-
* fill in certificate template.
* Any value argument that is NULL will leave the respective field unchanged.
*/
@ -624,27 +619,23 @@ int OSSL_CRMF_CERTTEMPLATE_fill(OSSL_CRMF_CERTTEMPLATE *tmpl,
return 0;
}
if (subject != NULL && !X509_NAME_set(&tmpl->subject, subject))
goto oom;
return 0;
if (issuer != NULL && !X509_NAME_set(&tmpl->issuer, issuer))
goto oom;
return 0;
if (serial != NULL) {
ASN1_INTEGER_free(tmpl->serialNumber);
if ((tmpl->serialNumber = ASN1_INTEGER_dup(serial)) == NULL)
goto oom;
return 0;
}
if (pubkey != NULL && !X509_PUBKEY_set(&tmpl->publicKey, pubkey))
goto oom;
return 0;
return 1;
oom:
CRMFerr(CRMF_F_OSSL_CRMF_CERTTEMPLATE_FILL, ERR_R_MALLOC_FAILURE);
return 0;
}
/*-
* Decrypts the certificate in the given encryptedValue
* this is needed for the indirect PoP method as in RFC 4210 section 5.2.8.2
* Decrypts the certificate in the given encryptedValue using private key pkey.
* This is needed for the indirect PoP method as in RFC 4210 section 5.2.8.2.
*
* returns a pointer to the decrypted certificate
* returns NULL on error or if no certificate available
@ -693,7 +684,7 @@ X509 *OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(OSSL_CRMF_ENCRYPTEDVALUE *ecert,
if (EVP_PKEY_decrypt(pkctx, NULL, &eksize,
encKey->data, encKey->length) <= 0
|| (ek = OPENSSL_malloc(eksize)) == NULL)
goto oom;
goto end;
retval = EVP_PKEY_decrypt(pkctx, ek, &eksize,
encKey->data, encKey->length);
ERR_clear_error(); /* error state may have sensitive information */
@ -706,10 +697,10 @@ X509 *OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(OSSL_CRMF_ENCRYPTEDVALUE *ecert,
goto end;
}
} else {
goto oom;
goto end;
}
if ((iv = OPENSSL_malloc(EVP_CIPHER_iv_length(cipher))) == NULL)
goto oom;
goto end;
if (ASN1_TYPE_get_octetstring(ecert->symmAlg->parameter, iv,
EVP_CIPHER_iv_length(cipher))
!= EVP_CIPHER_iv_length(cipher)) {
@ -725,7 +716,7 @@ X509 *OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(OSSL_CRMF_ENCRYPTEDVALUE *ecert,
if ((p = outbuf = OPENSSL_malloc(ecert->encValue->length +
EVP_CIPHER_block_size(cipher))) == NULL
|| (evp_ctx = EVP_CIPHER_CTX_new()) == NULL)
goto oom;
goto end;
EVP_CIPHER_CTX_set_padding(evp_ctx, 0);
if (!EVP_DecryptInit(evp_ctx, cipher, ek, iv)
@ -744,10 +735,6 @@ X509 *OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(OSSL_CRMF_ENCRYPTEDVALUE *ecert,
CRMFerr(CRMF_F_OSSL_CRMF_ENCRYPTEDVALUE_GET1_ENCCERT,
CRMF_R_ERROR_DECODING_CERTIFICATE);
}
goto end;
oom:
CRMFerr(CRMF_F_OSSL_CRMF_ENCRYPTEDVALUE_GET1_ENCCERT, ERR_R_MALLOC_FAILURE);
end:
EVP_PKEY_CTX_free(pkctx);
OPENSSL_free(outbuf);


+ 4
- 12
crypto/crmf/crmf_pbm.c View File

@ -41,20 +41,16 @@ OSSL_CRMF_PBMPARAMETER *OSSL_CRMF_pbmp_new(size_t slen, int owfnid,
OSSL_CRMF_PBMPARAMETER *pbm = NULL;
unsigned char *salt = NULL;
if ((pbm = OSSL_CRMF_PBMPARAMETER_new()) == NULL) {
CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW, ERR_R_MALLOC_FAILURE);
if ((pbm = OSSL_CRMF_PBMPARAMETER_new()) == NULL)
goto err;
}
/*
* salt contains a randomly generated value used in computing the key
* of the MAC process. The salt SHOULD be at least 8 octets (64
* bits) long.
*/
if ((salt = OPENSSL_malloc(slen)) == NULL) {
CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW, ERR_R_MALLOC_FAILURE);
if ((salt = OPENSSL_malloc(slen)) == NULL)
goto err;
}
if (RAND_bytes(salt, (int)slen) <= 0) {
CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW, CRMF_R_FAILURE_OBTAINING_RANDOM);
goto err;
@ -145,10 +141,8 @@ int OSSL_CRMF_pbm_new(const OSSL_CRMF_PBMPARAMETER *pbmp,
CRMFerr(CRMF_F_OSSL_CRMF_PBM_NEW, CRMF_R_NULL_ARGUMENT);
goto err;
}
if ((mac_res = OPENSSL_malloc(EVP_MAX_MD_SIZE)) == NULL) {
CRMFerr(CRMF_F_OSSL_CRMF_PBM_NEW, ERR_R_MALLOC_FAILURE);
if ((mac_res = OPENSSL_malloc(EVP_MAX_MD_SIZE)) == NULL)
goto err;
}
/*
* owf identifies the hash algorithm and associated parameters used to
@ -160,10 +154,8 @@ int OSSL_CRMF_pbm_new(const OSSL_CRMF_PBMPARAMETER *pbmp,
goto err;
}
if ((ctx = EVP_MD_CTX_new()) == NULL) {
CRMFerr(CRMF_F_OSSL_CRMF_PBM_NEW, ERR_R_MALLOC_FAILURE);
if ((ctx = EVP_MD_CTX_new()) == NULL)
goto err;
}
/* compute the basekey of the salted secret */
if (!EVP_DigestInit_ex(ctx, m, NULL))


+ 4
- 0
crypto/err/openssl.txt View File

@ -2063,6 +2063,10 @@ BN_R_PRIVATE_KEY_TOO_LARGE:117:private key too large
BN_R_P_IS_NOT_PRIME:112:p is not prime
BN_R_TOO_MANY_ITERATIONS:113:too many iterations
BN_R_TOO_MANY_TEMPORARY_VARIABLES:109:too many temporary variables
CMP_R_INVALID_ARGS:100:invalid args
CMP_R_MULTIPLE_SAN_SOURCES:102:multiple san sources
CMP_R_NO_STDIO:194:no stdio
CMP_R_NULL_ARGUMENT:103:null argument
CMS_R_ADD_SIGNER_ERROR:99:add signer error
CMS_R_ATTRIBUTE_ERROR:161:attribute error
CMS_R_CERTIFICATE_ALREADY_PRESENT:175:certificate already present


+ 6
- 0
crypto/init.c View File

@ -27,6 +27,7 @@
#include "internal/dso_conf.h"
#include "internal/dso.h"
#include "internal/store.h"
#include <openssl/cmp_util.h> /* for OSSL_CMP_log_close() */
#include <openssl/trace.h>
static int stopped = 0;
@ -431,6 +432,11 @@ void OPENSSL_cleanup(void)
OSSL_TRACE(INIT, "OPENSSL_cleanup: CRYPTO_secure_malloc_done()\n");
CRYPTO_secure_malloc_done();
#ifndef OPENSSL_NO_CMP
OSSL_TRACE(INIT, "OPENSSL_cleanup: OSSL_CMP_log_close()\n");
OSSL_CMP_log_close();
#endif
OSSL_TRACE(INIT, "OPENSSL_cleanup: ossl_trace_cleanup()\n");
ossl_trace_cleanup();


+ 101
- 0
doc/internal/man3/ossl_cmp_asn1_octet_string_set1.pod View File

@ -0,0 +1,101 @@
=pod
=head1 NAME
ossl_cmp_log_parse_metadata,
ossl_cmp_add_error_txt,
ossl_cmp_add_error_data,
ossl_cmp_add_error_line,
ossl_cmp_asn1_octet_string_set1,
ossl_cmp_asn1_octet_string_set1_bytes,
ossl_cmp_build_cert_chain
- misc internal utility functions
=head1 SYNOPSIS
#include "cmp_int.h"
const char *ossl_cmp_log_parse_metadata(const char *buf,
OSSL_CMP_severity *level, char **func,
char **file, int *line);
void ossl_cmp_add_error_txt(const char *separator, const char *txt);
#define ossl_cmp_add_error_data(txt)
#define ossl_cmp_add_error_line(txt)
int ossl_cmp_asn1_octet_string_set1(ASN1_OCTET_STRING **tgt,
const ASN1_OCTET_STRING *src);
int ossl_cmp_asn1_octet_string_set1_bytes(ASN1_OCTET_STRING **tgt,
const unsigned char *bytes, int len);
STACK_OF(X509) *ossl_cmp_build_cert_chain(STACK_OF(X509) *certs, X509 *cert);
=head1 DESCRIPTION
ossl_cmp_log_parse_metadata() parses the given message buffer C<buf> populated
by L<OSSL_CMP_log()> etc.
according to the pattern OSSL_CMP_LOG_START#level ": %s\n", filling in
the variable pointed to by C<level> with the severity level or -1,
the variable pointed to by C<func> with the function name string or NULL,
the variable pointed to by C<file> with the file name string or NULL, and
the variable pointed to by C<line> with the line number or -1.
Any string returned via C<*func> and C<*file> must be freeed by the caller.
ossl_cmp_add_error_txt() appends text to the extra data field of the last
error message in the OpenSSL error queue, after adding the optional separator
unless data has been empty so far. The text can be of arbitrary length,
which is not possible when using L<ERR_add_error_data(3)> in conjunction with
L<ERR_print_errors_cb(3)>.