VirtualBox

source: vbox/trunk/src/libs/openssl-3.0.7/crypto/cmp/cmp_msg.c@ 98103

最後變更 在這個檔案從98103是 97372,由 vboxsync 提交於 2 年 前

libs: Switch to openssl-3.0.7, bugref:10317
檔案大小: 35.6 KB
 
1/*
2 * Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright Nokia 2007-2019
4 * Copyright Siemens AG 2015-2019
5 *
6 * Licensed under the Apache License 2.0 (the "License"). You may not use
7 * this file except in compliance with the License. You can obtain a copy
8 * in the file LICENSE in the source distribution or at
9 * https://www.openssl.org/source/license.html
10 */
11
12/* CMP functions for PKIMessage construction */
13
14#include "cmp_local.h"
15
16/* explicit #includes not strictly needed since implied by the above: */
17#include <openssl/asn1t.h>
18#include <openssl/cmp.h>
19#include <openssl/crmf.h>
20#include <openssl/err.h>
21#include <openssl/x509.h>
22
23OSSL_CMP_MSG *OSSL_CMP_MSG_new(OSSL_LIB_CTX *libctx, const char *propq)
24{
25 OSSL_CMP_MSG *msg = NULL;
26
27 msg = (OSSL_CMP_MSG *)ASN1_item_new_ex(ASN1_ITEM_rptr(OSSL_CMP_MSG),
28 libctx, propq);
29 if (!ossl_cmp_msg_set0_libctx(msg, libctx, propq)) {
30 OSSL_CMP_MSG_free(msg);
31 msg = NULL;
32 }
33 return msg;
34}
35
36void OSSL_CMP_MSG_free(OSSL_CMP_MSG *msg)
37{
38 ASN1_item_free((ASN1_VALUE *)msg, ASN1_ITEM_rptr(OSSL_CMP_MSG));
39}
40
41/*
42 * This should only be used if the X509 object was embedded inside another
43 * asn1 object and it needs a libctx to operate.
44 * Use OSSL_CMP_MSG_new() instead if possible.
45 */
46int ossl_cmp_msg_set0_libctx(OSSL_CMP_MSG *msg, OSSL_LIB_CTX *libctx,
47 const char *propq)
48{
49 if (msg != NULL) {
50 msg->libctx = libctx;
51 OPENSSL_free(msg->propq);
52 msg->propq = NULL;
53 if (propq != NULL) {
54 msg->propq = OPENSSL_strdup(propq);
55 if (msg->propq == NULL)
56 return 0;
57 }
58 }
59 return 1;
60}
61
62
63OSSL_CMP_PKIHEADER *OSSL_CMP_MSG_get0_header(const OSSL_CMP_MSG *msg)
64{
65 if (msg == NULL) {
66 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
67 return NULL;
68 }
69 return msg->header;
70}
71
72const char *ossl_cmp_bodytype_to_string(int type)
73{
74 static const char *type_names[] = {
75 "IR", "IP", "CR", "CP", "P10CR",
76 "POPDECC", "POPDECR", "KUR", "KUP",
77 "KRR", "KRP", "RR", "RP", "CCR", "CCP",
78 "CKUANN", "CANN", "RANN", "CRLANN", "PKICONF", "NESTED",
79 "GENM", "GENP", "ERROR", "CERTCONF", "POLLREQ", "POLLREP",
80 };
81
82 if (type < 0 || type > OSSL_CMP_PKIBODY_TYPE_MAX)
83 return "illegal body type";
84 return type_names[type];
85}
86
87int ossl_cmp_msg_set_bodytype(OSSL_CMP_MSG *msg, int type)
88{
89 if (!ossl_assert(msg != NULL && msg->body != NULL))
90 return 0;
91
92 msg->body->type = type;
93 return 1;
94}
95
96int OSSL_CMP_MSG_get_bodytype(const OSSL_CMP_MSG *msg)
97{
98 if (!ossl_assert(msg != NULL && msg->body != NULL))
99 return -1;
100
101 return msg->body->type;
102}
103
104/* Add an extension to the referenced extension stack, which may be NULL */
105static int add1_extension(X509_EXTENSIONS **pexts, int nid, int crit, void *ex)
106{
107 X509_EXTENSION *ext;
108 int res;
109
110 if (!ossl_assert(pexts != NULL)) /* pointer to var must not be NULL */
111 return 0;
112
113 if ((ext = X509V3_EXT_i2d(nid, crit, ex)) == NULL)
114 return 0;
115
116 res = X509v3_add_ext(pexts, ext, 0) != NULL;
117 X509_EXTENSION_free(ext);
118 return res;
119}
120
121/* Add extension list to the referenced extension stack, which may be NULL */
122static int add_extensions(STACK_OF(X509_EXTENSION) **target,
123 const STACK_OF(X509_EXTENSION) *exts)
124{
125 int i;
126
127 if (target == NULL)
128 return 0;
129
130 for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) {
131 X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i);
132 ASN1_OBJECT *obj = X509_EXTENSION_get_object(ext);
133 int idx = X509v3_get_ext_by_OBJ(*target, obj, -1);
134
135 /* Does extension exist in target? */
136 if (idx != -1) {
137 /* Delete all extensions of same type */
138 do {
139 X509_EXTENSION_free(sk_X509_EXTENSION_delete(*target, idx));
140 idx = X509v3_get_ext_by_OBJ(*target, obj, -1);
141 } while (idx != -1);
142 }
143 if (!X509v3_add_ext(target, ext, -1))
144 return 0;
145 }
146 return 1;
147}
148
149/* Add a CRL revocation reason code to extension stack, which may be NULL */
150static int add_crl_reason_extension(X509_EXTENSIONS **pexts, int reason_code)
151{
152 ASN1_ENUMERATED *val = ASN1_ENUMERATED_new();
153 int res = 0;
154
155 if (val != NULL && ASN1_ENUMERATED_set(val, reason_code))
156 res = add1_extension(pexts, NID_crl_reason, 0 /* non-critical */, val);
157 ASN1_ENUMERATED_free(val);
158 return res;
159}
160
161OSSL_CMP_MSG *ossl_cmp_msg_create(OSSL_CMP_CTX *ctx, int bodytype)
162{
163 OSSL_CMP_MSG *msg = NULL;
164
165 if (!ossl_assert(ctx != NULL))
166 return NULL;
167
168 if ((msg = OSSL_CMP_MSG_new(ctx->libctx, ctx->propq)) == NULL)
169 return NULL;
170 if (!ossl_cmp_hdr_init(ctx, msg->header)
171 || !ossl_cmp_msg_set_bodytype(msg, bodytype))
172 goto err;
173 if (ctx->geninfo_ITAVs != NULL
174 && !ossl_cmp_hdr_generalInfo_push1_items(msg->header,
175 ctx->geninfo_ITAVs))
176 goto err;
177
178 switch (bodytype) {
179 case OSSL_CMP_PKIBODY_IR:
180 case OSSL_CMP_PKIBODY_CR:
181 case OSSL_CMP_PKIBODY_KUR:
182 if ((msg->body->value.ir = OSSL_CRMF_MSGS_new()) == NULL)
183 goto err;
184 return msg;
185
186 case OSSL_CMP_PKIBODY_P10CR:
187 if (ctx->p10CSR == NULL) {
188 ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_P10CSR);
189 goto err;
190 }
191 if ((msg->body->value.p10cr = X509_REQ_dup(ctx->p10CSR)) == NULL)
192 goto err;
193 return msg;
194
195 case OSSL_CMP_PKIBODY_IP:
196 case OSSL_CMP_PKIBODY_CP:
197 case OSSL_CMP_PKIBODY_KUP:
198 if ((msg->body->value.ip = OSSL_CMP_CERTREPMESSAGE_new()) == NULL)
199 goto err;
200 return msg;
201
202 case OSSL_CMP_PKIBODY_RR:
203 if ((msg->body->value.rr = sk_OSSL_CMP_REVDETAILS_new_null()) == NULL)
204 goto err;
205 return msg;
206 case OSSL_CMP_PKIBODY_RP:
207 if ((msg->body->value.rp = OSSL_CMP_REVREPCONTENT_new()) == NULL)
208 goto err;
209 return msg;
210
211 case OSSL_CMP_PKIBODY_CERTCONF:
212 if ((msg->body->value.certConf =
213 sk_OSSL_CMP_CERTSTATUS_new_null()) == NULL)
214 goto err;
215 return msg;
216 case OSSL_CMP_PKIBODY_PKICONF:
217 if ((msg->body->value.pkiconf = ASN1_TYPE_new()) == NULL)
218 goto err;
219 ASN1_TYPE_set(msg->body->value.pkiconf, V_ASN1_NULL, NULL);
220 return msg;
221
222 case OSSL_CMP_PKIBODY_POLLREQ:
223 if ((msg->body->value.pollReq = sk_OSSL_CMP_POLLREQ_new_null()) == NULL)
224 goto err;
225 return msg;
226 case OSSL_CMP_PKIBODY_POLLREP:
227 if ((msg->body->value.pollRep = sk_OSSL_CMP_POLLREP_new_null()) == NULL)
228 goto err;
229 return msg;
230
231 case OSSL_CMP_PKIBODY_GENM:
232 case OSSL_CMP_PKIBODY_GENP:
233 if ((msg->body->value.genm = sk_OSSL_CMP_ITAV_new_null()) == NULL)
234 goto err;
235 return msg;
236
237 case OSSL_CMP_PKIBODY_ERROR:
238 if ((msg->body->value.error = OSSL_CMP_ERRORMSGCONTENT_new()) == NULL)
239 goto err;
240 return msg;
241
242 default:
243 ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
244 goto err;
245 }
246
247 err:
248 OSSL_CMP_MSG_free(msg);
249 return NULL;
250}
251
252#define HAS_SAN(ctx) \
253 (sk_GENERAL_NAME_num((ctx)->subjectAltNames) > 0 \
254 || OSSL_CMP_CTX_reqExtensions_have_SAN(ctx) == 1)
255
256static const X509_NAME *determine_subj(OSSL_CMP_CTX *ctx, int for_KUR,
257 const X509_NAME *ref_subj)
258{
259 if (ctx->subjectName != NULL)
260 return IS_NULL_DN(ctx->subjectName) ? NULL : ctx->subjectName;
261 if (ctx->p10CSR != NULL) /* first default is from any given CSR */
262 return X509_REQ_get_subject_name(ctx->p10CSR);
263 if (for_KUR || !HAS_SAN(ctx))
264 /*
265 * For KUR, copy subject from any reference cert as fallback.
266 * For IR or CR, do the same only if there is no subjectAltName.
267 */
268 return ref_subj;
269 return NULL;
270}
271
272OSSL_CRMF_MSG *OSSL_CMP_CTX_setup_CRM(OSSL_CMP_CTX *ctx, int for_KUR, int rid)
273{
274 OSSL_CRMF_MSG *crm = NULL;
275 X509 *refcert = ctx->oldCert != NULL ? ctx->oldCert : ctx->cert;
276 /* refcert defaults to current client cert */
277 EVP_PKEY *rkey = OSSL_CMP_CTX_get0_newPkey(ctx, 0);
278 STACK_OF(GENERAL_NAME) *default_sans = NULL;
279 const X509_NAME *ref_subj =
280 refcert != NULL ? X509_get_subject_name(refcert) : NULL;
281 const X509_NAME *subject = determine_subj(ctx, for_KUR, ref_subj);
282 const X509_NAME *issuer = ctx->issuer != NULL || refcert == NULL
283 ? (IS_NULL_DN(ctx->issuer) ? NULL : ctx->issuer)
284 : X509_get_issuer_name(refcert);
285 int crit = ctx->setSubjectAltNameCritical || subject == NULL;
286 /* RFC5280: subjectAltName MUST be critical if subject is null */
287 X509_EXTENSIONS *exts = NULL;
288
289 if (rkey == NULL && ctx->p10CSR != NULL)
290 rkey = X509_REQ_get0_pubkey(ctx->p10CSR);
291 if (rkey == NULL && refcert != NULL)
292 rkey = X509_get0_pubkey(refcert);
293 if (rkey == NULL)
294 rkey = ctx->pkey; /* default is independent of ctx->oldCert */
295 if (rkey == NULL) {
296#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
297 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
298 return NULL;
299#endif
300 }
301 if (for_KUR && refcert == NULL && ctx->p10CSR == NULL) {
302 ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_REFERENCE_CERT);
303 return NULL;
304 }
305 if ((crm = OSSL_CRMF_MSG_new()) == NULL)
306 return NULL;
307 if (!OSSL_CRMF_MSG_set_certReqId(crm, rid)
308 /*
309 * fill certTemplate, corresponding to CertificationRequestInfo
310 * of PKCS#10. The rkey param cannot be NULL so far -
311 * it could be NULL if centralized key creation was supported
312 */
313 || !OSSL_CRMF_CERTTEMPLATE_fill(OSSL_CRMF_MSG_get0_tmpl(crm), rkey,
314 subject, issuer, NULL /* serial */))
315 goto err;
316 if (ctx->days != 0) {
317 time_t now = time(NULL);
318 ASN1_TIME *notBefore = ASN1_TIME_adj(NULL, now, 0, 0);
319 ASN1_TIME *notAfter = ASN1_TIME_adj(NULL, now, ctx->days, 0);
320
321 if (notBefore == NULL
322 || notAfter == NULL
323 || !OSSL_CRMF_MSG_set0_validity(crm, notBefore, notAfter)) {
324 ASN1_TIME_free(notBefore);
325 ASN1_TIME_free(notAfter);
326 goto err;
327 }
328 }
329
330 /* extensions */
331 if (ctx->p10CSR != NULL
332 && (exts = X509_REQ_get_extensions(ctx->p10CSR)) == NULL)
333 goto err;
334 if (!ctx->SubjectAltName_nodefault && !HAS_SAN(ctx) && refcert != NULL
335 && (default_sans = X509V3_get_d2i(X509_get0_extensions(refcert),
336 NID_subject_alt_name, NULL, NULL))
337 != NULL
338 && !add1_extension(&exts, NID_subject_alt_name, crit, default_sans))
339 goto err;
340 if (ctx->reqExtensions != NULL /* augment/override existing ones */
341 && !add_extensions(&exts, ctx->reqExtensions))
342 goto err;
343 if (sk_GENERAL_NAME_num(ctx->subjectAltNames) > 0
344 && !add1_extension(&exts, NID_subject_alt_name,
345 crit, ctx->subjectAltNames))
346 goto err;
347 if (ctx->policies != NULL
348 && !add1_extension(&exts, NID_certificate_policies,
349 ctx->setPoliciesCritical, ctx->policies))
350 goto err;
351 if (!OSSL_CRMF_MSG_set0_extensions(crm, exts))
352 goto err;
353 exts = NULL;
354 /* end fill certTemplate, now set any controls */
355
356 /* for KUR, set OldCertId according to D.6 */
357 if (for_KUR && refcert != NULL) {
358 OSSL_CRMF_CERTID *cid =
359 OSSL_CRMF_CERTID_gen(X509_get_issuer_name(refcert),
360 X509_get0_serialNumber(refcert));
361 int ret;
362
363 if (cid == NULL)
364 goto err;
365 ret = OSSL_CRMF_MSG_set1_regCtrl_oldCertID(crm, cid);
366 OSSL_CRMF_CERTID_free(cid);
367 if (ret == 0)
368 goto err;
369 }
370
371 goto end;
372
373 err:
374 OSSL_CRMF_MSG_free(crm);
375 crm = NULL;
376
377 end:
378 sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
379 sk_GENERAL_NAME_pop_free(default_sans, GENERAL_NAME_free);
380 return crm;
381}
382
383OSSL_CMP_MSG *ossl_cmp_certreq_new(OSSL_CMP_CTX *ctx, int type,
384 const OSSL_CRMF_MSG *crm)
385{
386 OSSL_CMP_MSG *msg;
387 OSSL_CRMF_MSG *local_crm = NULL;
388
389 if (!ossl_assert(ctx != NULL))
390 return NULL;
391
392 if (type != OSSL_CMP_PKIBODY_IR && type != OSSL_CMP_PKIBODY_CR
393 && type != OSSL_CMP_PKIBODY_KUR && type != OSSL_CMP_PKIBODY_P10CR) {
394 ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS);
395 return NULL;
396 }
397 if (type == OSSL_CMP_PKIBODY_P10CR && crm != NULL) {
398 ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS);
399 return NULL;
400 }
401
402 if ((msg = ossl_cmp_msg_create(ctx, type)) == NULL)
403 goto err;
404
405 /* header */
406 if (ctx->implicitConfirm && !ossl_cmp_hdr_set_implicitConfirm(msg->header))
407 goto err;
408
409 /* body */
410 /* For P10CR the content has already been set in OSSL_CMP_MSG_create */
411 if (type != OSSL_CMP_PKIBODY_P10CR) {
412 EVP_PKEY *privkey = OSSL_CMP_CTX_get0_newPkey(ctx, 1);
413
414 /*
415 * privkey is NULL in case ctx->newPkey does not include a private key.
416 * We then may try to use ctx->pkey as fallback/default, but only
417 * if ctx-> newPkey does not include a (non-matching) public key:
418 */
419 if (privkey == NULL && OSSL_CMP_CTX_get0_newPkey(ctx, 0) == NULL)
420 privkey = ctx->pkey; /* default is independent of ctx->oldCert */
421 if (ctx->popoMethod == OSSL_CRMF_POPO_SIGNATURE && privkey == NULL) {
422 ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_PRIVATE_KEY);
423 goto err;
424 }
425 if (crm == NULL) {
426 local_crm = OSSL_CMP_CTX_setup_CRM(ctx,
427 type == OSSL_CMP_PKIBODY_KUR,
428 OSSL_CMP_CERTREQID);
429 if (local_crm == NULL
430 || !OSSL_CRMF_MSG_create_popo(ctx->popoMethod, local_crm,
431 privkey, ctx->digest,
432 ctx->libctx, ctx->propq))
433 goto err;
434 } else {
435 if ((local_crm = OSSL_CRMF_MSG_dup(crm)) == NULL)
436 goto err;
437 }
438
439 /* value.ir is same for cr and kur */
440 if (!sk_OSSL_CRMF_MSG_push(msg->body->value.ir, local_crm))
441 goto err;
442 local_crm = NULL;
443 }
444
445 if (!ossl_cmp_msg_protect(ctx, msg))
446 goto err;
447
448 return msg;
449
450 err:
451 ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_CERTREQ);
452 OSSL_CRMF_MSG_free(local_crm);
453 OSSL_CMP_MSG_free(msg);
454 return NULL;
455}
456
457OSSL_CMP_MSG *ossl_cmp_certrep_new(OSSL_CMP_CTX *ctx, int bodytype,
458 int certReqId, const OSSL_CMP_PKISI *si,
459 X509 *cert, const X509 *encryption_recip,
460 STACK_OF(X509) *chain, STACK_OF(X509) *caPubs,
461 int unprotectedErrors)
462{
463 OSSL_CMP_MSG *msg = NULL;
464 OSSL_CMP_CERTREPMESSAGE *repMsg = NULL;
465 OSSL_CMP_CERTRESPONSE *resp = NULL;
466 int status = -1;
467
468 if (!ossl_assert(ctx != NULL && si != NULL))
469 return NULL;
470
471 if ((msg = ossl_cmp_msg_create(ctx, bodytype)) == NULL)
472 goto err;
473 repMsg = msg->body->value.ip; /* value.ip is same for cp and kup */
474
475 /* header */
476 if (ctx->implicitConfirm && !ossl_cmp_hdr_set_implicitConfirm(msg->header))
477 goto err;
478
479 /* body */
480 if ((resp = OSSL_CMP_CERTRESPONSE_new()) == NULL)
481 goto err;
482 OSSL_CMP_PKISI_free(resp->status);
483 if ((resp->status = OSSL_CMP_PKISI_dup(si)) == NULL
484 || !ASN1_INTEGER_set(resp->certReqId, certReqId))
485 goto err;
486
487 status = ossl_cmp_pkisi_get_status(resp->status);
488 if (status != OSSL_CMP_PKISTATUS_rejection
489 && status != OSSL_CMP_PKISTATUS_waiting && cert != NULL) {
490 if (encryption_recip != NULL) {
491 ERR_raise(ERR_LIB_CMP, ERR_R_UNSUPPORTED);
492 goto err;
493 }
494
495 if ((resp->certifiedKeyPair = OSSL_CMP_CERTIFIEDKEYPAIR_new())
496 == NULL)
497 goto err;
498 resp->certifiedKeyPair->certOrEncCert->type =
499 OSSL_CMP_CERTORENCCERT_CERTIFICATE;
500 if (!X509_up_ref(cert))
501 goto err;
502 resp->certifiedKeyPair->certOrEncCert->value.certificate = cert;
503 }
504
505 if (!sk_OSSL_CMP_CERTRESPONSE_push(repMsg->response, resp))
506 goto err;
507 resp = NULL;
508
509 if (bodytype == OSSL_CMP_PKIBODY_IP && caPubs != NULL
510 && (repMsg->caPubs = X509_chain_up_ref(caPubs)) == NULL)
511 goto err;
512 if (sk_X509_num(chain) > 0
513 && !ossl_x509_add_certs_new(&msg->extraCerts, chain,
514 X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP))
515 goto err;
516
517 if (!unprotectedErrors
518 || ossl_cmp_pkisi_get_status(si) != OSSL_CMP_PKISTATUS_rejection)
519 if (!ossl_cmp_msg_protect(ctx, msg))
520 goto err;
521
522 return msg;
523
524 err:
525 ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_CERTREP);
526 OSSL_CMP_CERTRESPONSE_free(resp);
527 OSSL_CMP_MSG_free(msg);
528 return NULL;
529}
530
531OSSL_CMP_MSG *ossl_cmp_rr_new(OSSL_CMP_CTX *ctx)
532{
533 OSSL_CMP_MSG *msg = NULL;
534 OSSL_CMP_REVDETAILS *rd;
535 int ret;
536
537 if (!ossl_assert(ctx != NULL && (ctx->oldCert != NULL
538 || ctx->p10CSR != NULL)))
539 return NULL;
540
541 if ((rd = OSSL_CMP_REVDETAILS_new()) == NULL)
542 goto err;
543
544 /* Fill the template from the contents of the certificate to be revoked */
545 ret = ctx->oldCert != NULL
546 ? OSSL_CRMF_CERTTEMPLATE_fill(rd->certDetails,
547 NULL /* pubkey would be redundant */,
548 NULL /* subject would be redundant */,
549 X509_get_issuer_name(ctx->oldCert),
550 X509_get0_serialNumber(ctx->oldCert))
551 : OSSL_CRMF_CERTTEMPLATE_fill(rd->certDetails,
552 X509_REQ_get0_pubkey(ctx->p10CSR),
553 X509_REQ_get_subject_name(ctx->p10CSR),
554 NULL, NULL);
555 if (!ret)
556 goto err;
557
558 /* revocation reason code is optional */
559 if (ctx->revocationReason != CRL_REASON_NONE
560 && !add_crl_reason_extension(&rd->crlEntryDetails,
561 ctx->revocationReason))
562 goto err;
563
564 if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_RR)) == NULL)
565 goto err;
566
567 if (!sk_OSSL_CMP_REVDETAILS_push(msg->body->value.rr, rd))
568 goto err;
569 rd = NULL;
570 /* Revocation Passphrase according to section 5.3.19.9 could be set here */
571
572 if (!ossl_cmp_msg_protect(ctx, msg))
573 goto err;
574
575 return msg;
576
577 err:
578 ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_RR);
579 OSSL_CMP_MSG_free(msg);
580 OSSL_CMP_REVDETAILS_free(rd);
581 return NULL;
582}
583
584OSSL_CMP_MSG *ossl_cmp_rp_new(OSSL_CMP_CTX *ctx, const OSSL_CMP_PKISI *si,
585 const OSSL_CRMF_CERTID *cid, int unprotectedErrors)
586{
587 OSSL_CMP_REVREPCONTENT *rep = NULL;
588 OSSL_CMP_PKISI *si1 = NULL;
589 OSSL_CRMF_CERTID *cid_copy = NULL;
590 OSSL_CMP_MSG *msg = NULL;
591
592 if (!ossl_assert(ctx != NULL && si != NULL))
593 return NULL;
594
595 if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_RP)) == NULL)
596 goto err;
597 rep = msg->body->value.rp;
598
599 if ((si1 = OSSL_CMP_PKISI_dup(si)) == NULL)
600 goto err;
601
602 if (!sk_OSSL_CMP_PKISI_push(rep->status, si1)) {
603 OSSL_CMP_PKISI_free(si1);
604 goto err;
605 }
606
607 if ((rep->revCerts = sk_OSSL_CRMF_CERTID_new_null()) == NULL)
608 goto err;
609 if (cid != NULL) {
610 if ((cid_copy = OSSL_CRMF_CERTID_dup(cid)) == NULL)
611 goto err;
612 if (!sk_OSSL_CRMF_CERTID_push(rep->revCerts, cid_copy)) {
613 OSSL_CRMF_CERTID_free(cid_copy);
614 goto err;
615 }
616 }
617
618 if (!unprotectedErrors
619 || ossl_cmp_pkisi_get_status(si) != OSSL_CMP_PKISTATUS_rejection)
620 if (!ossl_cmp_msg_protect(ctx, msg))
621 goto err;
622
623 return msg;
624
625 err:
626 ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_RP);
627 OSSL_CMP_MSG_free(msg);
628 return NULL;
629}
630
631OSSL_CMP_MSG *ossl_cmp_pkiconf_new(OSSL_CMP_CTX *ctx)
632{
633 OSSL_CMP_MSG *msg;
634
635 if (!ossl_assert(ctx != NULL))
636 return NULL;
637
638 if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_PKICONF)) == NULL)
639 goto err;
640 if (ossl_cmp_msg_protect(ctx, msg))
641 return msg;
642
643 err:
644 ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_PKICONF);
645 OSSL_CMP_MSG_free(msg);
646 return NULL;
647}
648
649int ossl_cmp_msg_gen_push0_ITAV(OSSL_CMP_MSG *msg, OSSL_CMP_ITAV *itav)
650{
651 int bodytype;
652
653 if (!ossl_assert(msg != NULL && itav != NULL))
654 return 0;
655
656 bodytype = OSSL_CMP_MSG_get_bodytype(msg);
657 if (bodytype != OSSL_CMP_PKIBODY_GENM
658 && bodytype != OSSL_CMP_PKIBODY_GENP) {
659 ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS);
660 return 0;
661 }
662
663 /* value.genp has the same structure, so this works for genp as well */
664 return OSSL_CMP_ITAV_push0_stack_item(&msg->body->value.genm, itav);
665}
666
667int ossl_cmp_msg_gen_push1_ITAVs(OSSL_CMP_MSG *msg,
668 const STACK_OF(OSSL_CMP_ITAV) *itavs)
669{
670 int i;
671 OSSL_CMP_ITAV *itav = NULL;
672
673 if (!ossl_assert(msg != NULL))
674 return 0;
675
676 for (i = 0; i < sk_OSSL_CMP_ITAV_num(itavs); i++) {
677 itav = OSSL_CMP_ITAV_dup(sk_OSSL_CMP_ITAV_value(itavs, i));
678 if (itav == NULL
679 || !ossl_cmp_msg_gen_push0_ITAV(msg, itav)) {
680 OSSL_CMP_ITAV_free(itav);
681 return 0;
682 }
683 }
684 return 1;
685}
686
687/*
688 * Creates a new General Message/Response with an empty itav stack
689 * returns a pointer to the PKIMessage on success, NULL on error
690 */
691static OSSL_CMP_MSG *gen_new(OSSL_CMP_CTX *ctx,
692 const STACK_OF(OSSL_CMP_ITAV) *itavs,
693 int body_type, int err_code)
694{
695 OSSL_CMP_MSG *msg = NULL;
696
697 if (!ossl_assert(ctx != NULL))
698 return NULL;
699
700 if ((msg = ossl_cmp_msg_create(ctx, body_type)) == NULL)
701 return NULL;
702
703 if (ctx->genm_ITAVs != NULL
704 && !ossl_cmp_msg_gen_push1_ITAVs(msg, itavs))
705 goto err;
706
707 if (!ossl_cmp_msg_protect(ctx, msg))
708 goto err;
709
710 return msg;
711
712 err:
713 ERR_raise(ERR_LIB_CMP, err_code);
714 OSSL_CMP_MSG_free(msg);
715 return NULL;
716}
717
718OSSL_CMP_MSG *ossl_cmp_genm_new(OSSL_CMP_CTX *ctx)
719{
720 return gen_new(ctx, ctx->genm_ITAVs,
721 OSSL_CMP_PKIBODY_GENM, CMP_R_ERROR_CREATING_GENM);
722}
723
724OSSL_CMP_MSG *ossl_cmp_genp_new(OSSL_CMP_CTX *ctx,
725 const STACK_OF(OSSL_CMP_ITAV) *itavs)
726{
727 return gen_new(ctx, itavs,
728 OSSL_CMP_PKIBODY_GENP, CMP_R_ERROR_CREATING_GENP);
729}
730
731OSSL_CMP_MSG *ossl_cmp_error_new(OSSL_CMP_CTX *ctx, const OSSL_CMP_PKISI *si,
732 int64_t errorCode, const char *details,
733 int unprotected)
734{
735 OSSL_CMP_MSG *msg = NULL;
736 const char *lib = NULL, *reason = NULL;
737 OSSL_CMP_PKIFREETEXT *ft;
738
739 if (!ossl_assert(ctx != NULL && si != NULL))
740 return NULL;
741
742 if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_ERROR)) == NULL)
743 goto err;
744
745 OSSL_CMP_PKISI_free(msg->body->value.error->pKIStatusInfo);
746 if ((msg->body->value.error->pKIStatusInfo = OSSL_CMP_PKISI_dup(si))
747 == NULL)
748 goto err;
749 if ((msg->body->value.error->errorCode = ASN1_INTEGER_new()) == NULL)
750 goto err;
751 if (!ASN1_INTEGER_set_int64(msg->body->value.error->errorCode, errorCode))
752 goto err;
753 if (errorCode > 0
754 && (uint64_t)errorCode < ((uint64_t)ERR_SYSTEM_FLAG << 1)) {
755 lib = ERR_lib_error_string((unsigned long)errorCode);
756 reason = ERR_reason_error_string((unsigned long)errorCode);
757 }
758 if (lib != NULL || reason != NULL || details != NULL) {
759 if ((ft = sk_ASN1_UTF8STRING_new_null()) == NULL)
760 goto err;
761 msg->body->value.error->errorDetails = ft;
762 if (lib != NULL && *lib != '\0'
763 && !ossl_cmp_sk_ASN1_UTF8STRING_push_str(ft, lib, -1))
764 goto err;
765 if (reason != NULL && *reason != '\0'
766 && !ossl_cmp_sk_ASN1_UTF8STRING_push_str(ft, reason, -1))
767 goto err;
768 if (details != NULL
769 && !ossl_cmp_sk_ASN1_UTF8STRING_push_str(ft, details, -1))
770 goto err;
771 }
772
773 if (!unprotected && !ossl_cmp_msg_protect(ctx, msg))
774 goto err;
775 return msg;
776
777 err:
778 ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_ERROR);
779 OSSL_CMP_MSG_free(msg);
780 return NULL;
781}
782
783/*
784 * Set the certHash field of a OSSL_CMP_CERTSTATUS structure.
785 * This is used in the certConf message, for example,
786 * to confirm that the certificate was received successfully.
787 */
788int ossl_cmp_certstatus_set0_certHash(OSSL_CMP_CERTSTATUS *certStatus,
789 ASN1_OCTET_STRING *hash)
790{
791 if (!ossl_assert(certStatus != NULL))
792 return 0;
793 ASN1_OCTET_STRING_free(certStatus->certHash);
794 certStatus->certHash = hash;
795 return 1;
796}
797
798OSSL_CMP_MSG *ossl_cmp_certConf_new(OSSL_CMP_CTX *ctx, int fail_info,
799 const char *text)
800{
801 OSSL_CMP_MSG *msg = NULL;
802 OSSL_CMP_CERTSTATUS *certStatus = NULL;
803 ASN1_OCTET_STRING *certHash = NULL;
804 OSSL_CMP_PKISI *sinfo;
805
806 if (!ossl_assert(ctx != NULL && ctx->newCert != NULL))
807 return NULL;
808
809 if ((unsigned)fail_info > OSSL_CMP_PKIFAILUREINFO_MAX_BIT_PATTERN) {
810 ERR_raise(ERR_LIB_CMP, CMP_R_FAIL_INFO_OUT_OF_RANGE);
811 return NULL;
812 }
813
814 if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_CERTCONF)) == NULL)
815 goto err;
816
817 if ((certStatus = OSSL_CMP_CERTSTATUS_new()) == NULL)
818 goto err;
819 /* consume certStatus into msg right away so it gets deallocated with msg */
820 if (!sk_OSSL_CMP_CERTSTATUS_push(msg->body->value.certConf, certStatus))
821 goto err;
822 /* set the ID of the certReq */
823 if (!ASN1_INTEGER_set(certStatus->certReqId, OSSL_CMP_CERTREQID))
824 goto err;
825 /*
826 * The hash of the certificate, using the same hash algorithm
827 * as is used to create and verify the certificate signature.
828 * If not available, a default hash algorithm is used.
829 */
830 if ((certHash = X509_digest_sig(ctx->newCert, NULL, NULL)) == NULL)
831 goto err;
832
833 if (!ossl_cmp_certstatus_set0_certHash(certStatus, certHash))
834 goto err;
835 certHash = NULL;
836 /*
837 * For any particular CertStatus, omission of the statusInfo field
838 * indicates ACCEPTANCE of the specified certificate. Alternatively,
839 * explicit status details (with respect to acceptance or rejection) MAY
840 * be provided in the statusInfo field, perhaps for auditing purposes at
841 * the CA/RA.
842 */
843 sinfo = fail_info != 0 ?
844 OSSL_CMP_STATUSINFO_new(OSSL_CMP_PKISTATUS_rejection, fail_info, text) :
845 OSSL_CMP_STATUSINFO_new(OSSL_CMP_PKISTATUS_accepted, 0, text);
846 if (sinfo == NULL)
847 goto err;
848 certStatus->statusInfo = sinfo;
849
850 if (!ossl_cmp_msg_protect(ctx, msg))
851 goto err;
852
853 return msg;
854
855 err:
856 ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_CERTCONF);
857 OSSL_CMP_MSG_free(msg);
858 ASN1_OCTET_STRING_free(certHash);
859 return NULL;
860}
861
862OSSL_CMP_MSG *ossl_cmp_pollReq_new(OSSL_CMP_CTX *ctx, int crid)
863{
864 OSSL_CMP_MSG *msg = NULL;
865 OSSL_CMP_POLLREQ *preq = NULL;
866
867 if (!ossl_assert(ctx != NULL))
868 return NULL;
869
870 if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_POLLREQ)) == NULL)
871 goto err;
872
873 if ((preq = OSSL_CMP_POLLREQ_new()) == NULL
874 || !ASN1_INTEGER_set(preq->certReqId, crid)
875 || !sk_OSSL_CMP_POLLREQ_push(msg->body->value.pollReq, preq))
876 goto err;
877
878 preq = NULL;
879 if (!ossl_cmp_msg_protect(ctx, msg))
880 goto err;
881
882 return msg;
883
884 err:
885 ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_POLLREQ);
886 OSSL_CMP_POLLREQ_free(preq);
887 OSSL_CMP_MSG_free(msg);
888 return NULL;
889}
890
891OSSL_CMP_MSG *ossl_cmp_pollRep_new(OSSL_CMP_CTX *ctx, int crid,
892 int64_t poll_after)
893{
894 OSSL_CMP_MSG *msg;
895 OSSL_CMP_POLLREP *prep;
896
897 if (!ossl_assert(ctx != NULL))
898 return NULL;
899
900 if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_POLLREP)) == NULL)
901 goto err;
902 if ((prep = OSSL_CMP_POLLREP_new()) == NULL)
903 goto err;
904 if (!sk_OSSL_CMP_POLLREP_push(msg->body->value.pollRep, prep))
905 goto err;
906 if (!ASN1_INTEGER_set(prep->certReqId, crid))
907 goto err;
908 if (!ASN1_INTEGER_set_int64(prep->checkAfter, poll_after))
909 goto err;
910
911 if (!ossl_cmp_msg_protect(ctx, msg))
912 goto err;
913 return msg;
914
915 err:
916 ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_POLLREP);
917 OSSL_CMP_MSG_free(msg);
918 return NULL;
919}
920
921/*-
922 * returns the status field of the RevRepContent with the given
923 * request/sequence id inside a revocation response.
924 * RevRepContent has the revocation statuses in same order as they were sent in
925 * RevReqContent.
926 * returns NULL on error
927 */
928OSSL_CMP_PKISI *
929ossl_cmp_revrepcontent_get_pkisi(OSSL_CMP_REVREPCONTENT *rrep, int rsid)
930{
931 OSSL_CMP_PKISI *status;
932
933 if (!ossl_assert(rrep != NULL))
934 return NULL;
935
936 if ((status = sk_OSSL_CMP_PKISI_value(rrep->status, rsid)) != NULL)
937 return status;
938
939 ERR_raise(ERR_LIB_CMP, CMP_R_PKISTATUSINFO_NOT_FOUND);
940 return NULL;
941}
942
943/*
944 * returns the CertId field in the revCerts part of the RevRepContent
945 * with the given request/sequence id inside a revocation response.
946 * RevRepContent has the CertIds in same order as they were sent in
947 * RevReqContent.
948 * returns NULL on error
949 */
950OSSL_CRMF_CERTID *
951ossl_cmp_revrepcontent_get_CertId(OSSL_CMP_REVREPCONTENT *rrep, int rsid)
952{
953 OSSL_CRMF_CERTID *cid = NULL;
954
955 if (!ossl_assert(rrep != NULL))
956 return NULL;
957
958 if ((cid = sk_OSSL_CRMF_CERTID_value(rrep->revCerts, rsid)) != NULL)
959 return cid;
960
961 ERR_raise(ERR_LIB_CMP, CMP_R_CERTID_NOT_FOUND);
962 return NULL;
963}
964
965static int suitable_rid(const ASN1_INTEGER *certReqId, int rid)
966{
967 int trid;
968
969 if (rid == -1)
970 return 1;
971
972 trid = ossl_cmp_asn1_get_int(certReqId);
973
974 if (trid == -1) {
975 ERR_raise(ERR_LIB_CMP, CMP_R_BAD_REQUEST_ID);
976 return 0;
977 }
978 return rid == trid;
979}
980
981/*
982 * returns a pointer to the PollResponse with the given CertReqId
983 * (or the first one in case -1) inside a PollRepContent
984 * returns NULL on error or if no suitable PollResponse available
985 */
986OSSL_CMP_POLLREP *
987ossl_cmp_pollrepcontent_get0_pollrep(const OSSL_CMP_POLLREPCONTENT *prc,
988 int rid)
989{
990 OSSL_CMP_POLLREP *pollRep = NULL;
991 int i;
992
993 if (!ossl_assert(prc != NULL))
994 return NULL;
995
996 for (i = 0; i < sk_OSSL_CMP_POLLREP_num(prc); i++) {
997 pollRep = sk_OSSL_CMP_POLLREP_value(prc, i);
998 if (suitable_rid(pollRep->certReqId, rid))
999 return pollRep;
1000 }
1001
1002 ERR_raise_data(ERR_LIB_CMP, CMP_R_CERTRESPONSE_NOT_FOUND,
1003 "expected certReqId = %d", rid);
1004 return NULL;
1005}
1006
1007/*
1008 * returns a pointer to the CertResponse with the given CertReqId
1009 * (or the first one in case -1) inside a CertRepMessage
1010 * returns NULL on error or if no suitable CertResponse available
1011 */
1012OSSL_CMP_CERTRESPONSE *
1013ossl_cmp_certrepmessage_get0_certresponse(const OSSL_CMP_CERTREPMESSAGE *crm,
1014 int rid)
1015{
1016 OSSL_CMP_CERTRESPONSE *crep = NULL;
1017 int i;
1018
1019 if (!ossl_assert(crm != NULL && crm->response != NULL))
1020 return NULL;
1021
1022 for (i = 0; i < sk_OSSL_CMP_CERTRESPONSE_num(crm->response); i++) {
1023 crep = sk_OSSL_CMP_CERTRESPONSE_value(crm->response, i);
1024 if (suitable_rid(crep->certReqId, rid))
1025 return crep;
1026 }
1027
1028 ERR_raise_data(ERR_LIB_CMP, CMP_R_CERTRESPONSE_NOT_FOUND,
1029 "expected certReqId = %d", rid);
1030 return NULL;
1031}
1032
1033/*-
1034 * Retrieve the newly enrolled certificate from the given certResponse crep.
1035 * In case of indirect POPO uses the libctx and propq from ctx and private key.
1036 * Returns a pointer to a copy of the found certificate, or NULL if not found.
1037 */
1038X509 *ossl_cmp_certresponse_get1_cert(const OSSL_CMP_CERTRESPONSE *crep,
1039 const OSSL_CMP_CTX *ctx, EVP_PKEY *pkey)
1040{
1041 OSSL_CMP_CERTORENCCERT *coec;
1042 X509 *crt = NULL;
1043
1044 if (!ossl_assert(crep != NULL && ctx != NULL))
1045 return NULL;
1046
1047 if (crep->certifiedKeyPair
1048 && (coec = crep->certifiedKeyPair->certOrEncCert) != NULL) {
1049 switch (coec->type) {
1050 case OSSL_CMP_CERTORENCCERT_CERTIFICATE:
1051 crt = X509_dup(coec->value.certificate);
1052 break;
1053 case OSSL_CMP_CERTORENCCERT_ENCRYPTEDCERT:
1054 /* cert encrypted for indirect PoP; RFC 4210, 5.2.8.2 */
1055 if (pkey == NULL) {
1056 ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_PRIVATE_KEY);
1057 return NULL;
1058 }
1059 crt =
1060 OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(coec->value.encryptedCert,
1061 ctx->libctx, ctx->propq,
1062 pkey);
1063 break;
1064 default:
1065 ERR_raise(ERR_LIB_CMP, CMP_R_UNKNOWN_CERT_TYPE);
1066 return NULL;
1067 }
1068 }
1069 if (crt == NULL)
1070 ERR_raise(ERR_LIB_CMP, CMP_R_CERTIFICATE_NOT_FOUND);
1071 else
1072 (void)ossl_x509_set0_libctx(crt, ctx->libctx, ctx->propq);
1073 return crt;
1074}
1075
1076int OSSL_CMP_MSG_update_transactionID(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg)
1077{
1078 if (ctx == NULL || msg == NULL) {
1079 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
1080 return 0;
1081 }
1082 if (!ossl_cmp_hdr_set_transactionID(ctx, msg->header))
1083 return 0;
1084 return msg->header->protectionAlg == NULL
1085 || ossl_cmp_msg_protect(ctx, msg);
1086}
1087
1088OSSL_CMP_MSG *OSSL_CMP_MSG_read(const char *file, OSSL_LIB_CTX *libctx,
1089 const char *propq)
1090{
1091 OSSL_CMP_MSG *msg;
1092 BIO *bio = NULL;
1093
1094 if (file == NULL) {
1095 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
1096 return NULL;
1097 }
1098
1099 msg = OSSL_CMP_MSG_new(libctx, propq);
1100 if (msg == NULL){
1101 ERR_raise(ERR_LIB_CMP, ERR_R_MALLOC_FAILURE);
1102 return NULL;
1103 }
1104
1105 if ((bio = BIO_new_file(file, "rb")) == NULL
1106 || d2i_OSSL_CMP_MSG_bio(bio, &msg) == NULL) {
1107 OSSL_CMP_MSG_free(msg);
1108 msg = NULL;
1109 }
1110 BIO_free(bio);
1111 return msg;
1112}
1113
1114int OSSL_CMP_MSG_write(const char *file, const OSSL_CMP_MSG *msg)
1115{
1116 BIO *bio;
1117 int res;
1118
1119 if (file == NULL || msg == NULL) {
1120 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
1121 return -1;
1122 }
1123
1124 bio = BIO_new_file(file, "wb");
1125 if (bio == NULL)
1126 return -2;
1127 res = i2d_OSSL_CMP_MSG_bio(bio, msg);
1128 BIO_free(bio);
1129 return res;
1130}
1131
1132OSSL_CMP_MSG *d2i_OSSL_CMP_MSG(OSSL_CMP_MSG **msg, const unsigned char **in,
1133 long len)
1134{
1135 OSSL_LIB_CTX *libctx = NULL;
1136 const char *propq = NULL;
1137
1138 if (msg != NULL && *msg != NULL) {
1139 libctx = (*msg)->libctx;
1140 propq = (*msg)->propq;
1141 }
1142
1143 return (OSSL_CMP_MSG *)ASN1_item_d2i_ex((ASN1_VALUE **)msg, in, len,
1144 ASN1_ITEM_rptr(OSSL_CMP_MSG),
1145 libctx, propq);
1146}
1147
1148int i2d_OSSL_CMP_MSG(const OSSL_CMP_MSG *msg, unsigned char **out)
1149{
1150 return ASN1_item_i2d((const ASN1_VALUE *)msg, out,
1151 ASN1_ITEM_rptr(OSSL_CMP_MSG));
1152}
1153
1154OSSL_CMP_MSG *d2i_OSSL_CMP_MSG_bio(BIO *bio, OSSL_CMP_MSG **msg)
1155{
1156 OSSL_LIB_CTX *libctx = NULL;
1157 const char *propq = NULL;
1158
1159 if (msg != NULL && *msg != NULL) {
1160 libctx = (*msg)->libctx;
1161 propq = (*msg)->propq;
1162 }
1163
1164 return ASN1_item_d2i_bio_ex(ASN1_ITEM_rptr(OSSL_CMP_MSG), bio, msg, libctx,
1165 propq);
1166}
1167
1168int i2d_OSSL_CMP_MSG_bio(BIO *bio, const OSSL_CMP_MSG *msg)
1169{
1170 return ASN1_i2d_bio_of(OSSL_CMP_MSG, i2d_OSSL_CMP_MSG, bio, msg);
1171}
注意: 瀏覽 TracBrowser 來幫助您使用儲存庫瀏覽器

© 2025 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette