]> git.ipfire.org Git - thirdparty/openssl.git/blame - crypto/crmf/crmf_lib.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
CMP+CRMF: fix formatting nits in crypto/, include/, and test/
[thirdparty/openssl.git] / crypto / crmf / crmf_lib.c
CommitLineData
a61b7f2f 1/*-
f5afac4b 2 * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
a61b7f2f 3 * Copyright Nokia 2007-2018
8869ad4a 4 * Copyright Siemens AG 2015-2019
a61b7f2f 5 *
ce9b9964 6 * Licensed under the Apache License 2.0 (the "License"). You may not use
a61b7f2f
DO		 7 * this file except in compliance with the License. You can obtain a copy
8 * in the file LICENSE in the source distribution or at
9 * https://www.openssl.org/source/license.html
10 *
11 * CRMF implementation by Martin Peylo, Miikka Viljanen, and David von Oheimb.
12 */
13
14/*
15 * This file contains the functions that handle the individual items inside
16 * the CRMF structures
17 */
18
19/*
20 * NAMING
21 *
22 * The 0 functions use the supplied structure pointer directly in the parent and
23 * it will be freed up when the parent is freed.
24 *
25 * The 1 functions use a copy of the supplied structure pointer (or in some
26 * cases increases its link count) in the parent and so both should be freed up.
27 */
28
29#include <openssl/asn1t.h>
30
706457b7
DMSP		 31#include "crmf_local.h"
32#include "internal/constant_time.h"
eaf8a40d 33#include "internal/sizes.h"
293ab820 34#include "crypto/x509.h"
a61b7f2f
DO		 35
36/* explicit #includes not strictly needed since implied by the above: */
37#include <openssl/crmf.h>
38#include <openssl/err.h>
39#include <openssl/evp.h>
40
41/*-
42 * atyp = Attribute Type
43 * valt = Value Type
44 * ctrlinf = "regCtrl" or "regInfo"
45 */
7df56ada
DDO		 46#define IMPLEMENT_CRMF_CTRL_FUNC(atyp, valt, ctrlinf) \
47valt *OSSL_CRMF_MSG_get0_##ctrlinf##_##atyp(const OSSL_CRMF_MSG *msg) \
48{ \
49 int i; \
50 STACK_OF(OSSL_CRMF_ATTRIBUTETYPEANDVALUE) *controls; \
51 OSSL_CRMF_ATTRIBUTETYPEANDVALUE *atav = NULL; \
52 \
53 if (msg == NULL || msg->certReq == NULL) \
54 return NULL; \
55 controls = msg->certReq->controls; \
56 for (i = 0; i < sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_num(controls); i++) { \
57 atav = sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_value(controls, i); \
58 if (OBJ_obj2nid(atav->type) == NID_id_##ctrlinf##_##atyp) \
59 return atav->value.atyp; \
60 } \
61 return NULL; \
62} \
63 \
64int OSSL_CRMF_MSG_set1_##ctrlinf##_##atyp(OSSL_CRMF_MSG *msg, const valt *in) \
a61b7f2f
DO		 65{ \
66 OSSL_CRMF_ATTRIBUTETYPEANDVALUE *atav = NULL; \
67 \
7df56ada 68 if (msg == NULL || in == NULL) \
a61b7f2f
DO		 69 goto err; \
70 if ((atav = OSSL_CRMF_ATTRIBUTETYPEANDVALUE_new()) == NULL) \
71 goto err; \
72 if ((atav->type = OBJ_nid2obj(NID_id_##ctrlinf##_##atyp)) == NULL) \
73 goto err; \
74 if ((atav->value.atyp = valt##_dup(in)) == NULL) \
75 goto err; \
76 if (!OSSL_CRMF_MSG_push0_##ctrlinf(msg, atav)) \
77 goto err; \
78 return 1; \
79 err: \
80 OSSL_CRMF_ATTRIBUTETYPEANDVALUE_free(atav); \
81 return 0; \
82}
83
a61b7f2f
DO		 84/*-
85 * Pushes the given control attribute into the controls stack of a CertRequest
86 * (section 6)
87 * returns 1 on success, 0 on error
88 */
89static int OSSL_CRMF_MSG_push0_regCtrl(OSSL_CRMF_MSG *crm,
90 OSSL_CRMF_ATTRIBUTETYPEANDVALUE *ctrl)
91{
92 int new = 0;
93
94 if (crm == NULL || crm->certReq == NULL || ctrl == NULL) {
9311d0c4 95 ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT);
a61b7f2f
DO		 96 return 0;
97 }
98
99 if (crm->certReq->controls == NULL) {
100 crm->certReq->controls = sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_new_null();
101 if (crm->certReq->controls == NULL)
7960dbec 102 goto err;
a61b7f2f
DO		 103 new = 1;
104 }
105 if (!sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_push(crm->certReq->controls, ctrl))
7960dbec 106 goto err;
a61b7f2f
DO		 107
108 return 1;
7960dbec 109 err:
a61b7f2f
DO		 110 if (new != 0) {
111 sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_free(crm->certReq->controls);
112 crm->certReq->controls = NULL;
113 }
114 return 0;
115}
116
3dbc5156 117/* id-regCtrl-regToken Control (section 6.1) */
a61b7f2f
DO		 118IMPLEMENT_CRMF_CTRL_FUNC(regToken, ASN1_STRING, regCtrl)
119
3dbc5156 120/* id-regCtrl-authenticator Control (section 6.2) */
a61b7f2f
DO		 121#define ASN1_UTF8STRING_dup ASN1_STRING_dup
122IMPLEMENT_CRMF_CTRL_FUNC(authenticator, ASN1_UTF8STRING, regCtrl)
123
124int OSSL_CRMF_MSG_set0_SinglePubInfo(OSSL_CRMF_SINGLEPUBINFO *spi,
125 int method, GENERAL_NAME *nm)
126{
127 if (spi == NULL
128 || method < OSSL_CRMF_PUB_METHOD_DONTCARE
129 || method > OSSL_CRMF_PUB_METHOD_LDAP) {
9311d0c4 130 ERR_raise(ERR_LIB_CRMF, ERR_R_PASSED_INVALID_ARGUMENT);
a61b7f2f
DO		 131 return 0;
132 }
133
134 if (!ASN1_INTEGER_set(spi->pubMethod, method))
135 return 0;
136 GENERAL_NAME_free(spi->pubLocation);
137 spi->pubLocation = nm;
138 return 1;
139}
140
235595c4
DDO		 141int
142OSSL_CRMF_MSG_PKIPublicationInfo_push0_SinglePubInfo(OSSL_CRMF_PKIPUBLICATIONINFO *pi,
143 OSSL_CRMF_SINGLEPUBINFO *spi)
a61b7f2f
DO		 144{
145 if (pi == NULL || spi == NULL) {
9311d0c4 146 ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT);
a61b7f2f
DO		 147 return 0;
148 }
149 if (pi->pubInfos == NULL)
150 pi->pubInfos = sk_OSSL_CRMF_SINGLEPUBINFO_new_null();
151 if (pi->pubInfos == NULL)
7960dbec 152 return 0;
a61b7f2f 153
7960dbec 154 return sk_OSSL_CRMF_SINGLEPUBINFO_push(pi->pubInfos, spi);
a61b7f2f
DO		 155}
156
235595c4
DDO		 157int OSSL_CRMF_MSG_set_PKIPublicationInfo_action(OSSL_CRMF_PKIPUBLICATIONINFO *pi,
158 int action)
a61b7f2f
DO		 159{
160 if (pi == NULL
161 || action < OSSL_CRMF_PUB_ACTION_DONTPUBLISH
162 || action > OSSL_CRMF_PUB_ACTION_PLEASEPUBLISH) {
9311d0c4 163 ERR_raise(ERR_LIB_CRMF, ERR_R_PASSED_INVALID_ARGUMENT);
a61b7f2f
DO		 164 return 0;
165 }
166
167 return ASN1_INTEGER_set(pi->action, action);
168}
169
3dbc5156 170/* id-regCtrl-pkiPublicationInfo Control (section 6.3) */
a61b7f2f
DO		 171IMPLEMENT_CRMF_CTRL_FUNC(pkiPublicationInfo, OSSL_CRMF_PKIPUBLICATIONINFO,
172 regCtrl)
173
3dbc5156 174/* id-regCtrl-oldCertID Control (section 6.5) from the given */
a61b7f2f
DO		 175IMPLEMENT_CRMF_CTRL_FUNC(oldCertID, OSSL_CRMF_CERTID, regCtrl)
176
177OSSL_CRMF_CERTID *OSSL_CRMF_CERTID_gen(const X509_NAME *issuer,
178 const ASN1_INTEGER *serial)
179{
180 OSSL_CRMF_CERTID *cid = NULL;
181
182 if (issuer == NULL || serial == NULL) {
9311d0c4 183 ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT);
a61b7f2f
DO		 184 return NULL;
185 }
186
187 if ((cid = OSSL_CRMF_CERTID_new()) == NULL)
7960dbec 188 goto err;
a61b7f2f
DO		 189
190 if (!X509_NAME_set(&cid->issuer->d.directoryName, issuer))
7960dbec 191 goto err;
a61b7f2f
DO		 192 cid->issuer->type = GEN_DIRNAME;
193
194 ASN1_INTEGER_free(cid->serialNumber);
195 if ((cid->serialNumber = ASN1_INTEGER_dup(serial)) == NULL)
7960dbec 196 goto err;
a61b7f2f
DO		 197
198 return cid;
199
7960dbec 200 err:
a61b7f2f
DO		 201 OSSL_CRMF_CERTID_free(cid);
202 return NULL;
203}
204
3dbc5156
DDO		 205/*
206 * id-regCtrl-protocolEncrKey Control (section 6.6)
207 */
a61b7f2f
DO		 208IMPLEMENT_CRMF_CTRL_FUNC(protocolEncrKey, X509_PUBKEY, regCtrl)
209
210/*-
211 * Pushes the attribute given in regInfo in to the CertReqMsg->regInfo stack.
212 * (section 7)
213 * returns 1 on success, 0 on error
214 */
215static int OSSL_CRMF_MSG_push0_regInfo(OSSL_CRMF_MSG *crm,
216 OSSL_CRMF_ATTRIBUTETYPEANDVALUE *ri)
217{
218 STACK_OF(OSSL_CRMF_ATTRIBUTETYPEANDVALUE) *info = NULL;
219
220 if (crm == NULL || ri == NULL) {
9311d0c4 221 ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT);
a61b7f2f
DO		 222 return 0;
223 }
224
225 if (crm->regInfo == NULL)
226 crm->regInfo = info = sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_new_null();
227 if (crm->regInfo == NULL)
7960dbec 228 goto err;
a61b7f2f 229 if (!sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_push(crm->regInfo, ri))
7960dbec 230 goto err;
a61b7f2f
DO		 231 return 1;
232
7960dbec 233 err:
a61b7f2f
DO		 234 if (info != NULL)
235 crm->regInfo = NULL;
236 sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_free(info);
237 return 0;
238}
239
240/* id-regInfo-utf8Pairs to regInfo (section 7.1) */
241IMPLEMENT_CRMF_CTRL_FUNC(utf8Pairs, ASN1_UTF8STRING, regInfo)
242
243/* id-regInfo-certReq to regInfo (section 7.2) */
244IMPLEMENT_CRMF_CTRL_FUNC(certReq, OSSL_CRMF_CERTREQUEST, regInfo)
245
a61b7f2f
DO		 246/* retrieves the certificate template of crm */
247OSSL_CRMF_CERTTEMPLATE *OSSL_CRMF_MSG_get0_tmpl(const OSSL_CRMF_MSG *crm)
248{
249 if (crm == NULL || crm->certReq == NULL) {
9311d0c4 250 ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT);
a61b7f2f
DO		 251 return NULL;
252 }
253 return crm->certReq->certTemplate;
254}
255
11baa470
DDO		 256int OSSL_CRMF_MSG_set0_validity(OSSL_CRMF_MSG *crm,
257 ASN1_TIME *notBefore, ASN1_TIME *notAfter)
a61b7f2f 258{
11baa470 259 OSSL_CRMF_OPTIONALVALIDITY *vld;
a61b7f2f
DO		 260 OSSL_CRMF_CERTTEMPLATE *tmpl = OSSL_CRMF_MSG_get0_tmpl(crm);
261
262 if (tmpl == NULL) { /* also crm == NULL implies this */
9311d0c4 263 ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT);
a61b7f2f
DO		 264 return 0;
265 }
266
a61b7f2f 267 if ((vld = OSSL_CRMF_OPTIONALVALIDITY_new()) == NULL)
11baa470
DDO		 268 return 0;
269 vld->notBefore = notBefore;
270 vld->notAfter = notAfter;
a61b7f2f 271 tmpl->validity = vld;
a61b7f2f 272 return 1;
a61b7f2f
DO		 273}
274
a61b7f2f
DO		 275int OSSL_CRMF_MSG_set_certReqId(OSSL_CRMF_MSG *crm, int rid)
276{
277 if (crm == NULL || crm->certReq == NULL || crm->certReq->certReqId == NULL) {
9311d0c4 278 ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT);
a61b7f2f
DO		 279 return 0;
280 }
281
282 return ASN1_INTEGER_set(crm->certReq->certReqId, rid);
283}
284
285/* get ASN.1 encoded integer, return -1 on error */
aac96e27 286static int crmf_asn1_get_int(const ASN1_INTEGER *a)
a61b7f2f
DO		 287{
288 int64_t res;
289
290 if (!ASN1_INTEGER_get_int64(&res, a)) {
9311d0c4 291 ERR_raise(ERR_LIB_CRMF, ASN1_R_INVALID_NUMBER);
a61b7f2f
DO		 292 return -1;
293 }
294 if (res < INT_MIN) {
9311d0c4 295 ERR_raise(ERR_LIB_CRMF, ASN1_R_TOO_SMALL);
a61b7f2f
DO		 296 return -1;
297 }
298 if (res > INT_MAX) {
9311d0c4 299 ERR_raise(ERR_LIB_CRMF, ASN1_R_TOO_LARGE);
a61b7f2f
DO		 300 return -1;
301 }
302 return (int)res;
303}
304
62dcd2aa 305int OSSL_CRMF_MSG_get_certReqId(const OSSL_CRMF_MSG *crm)
a61b7f2f
DO		 306{
307 if (crm == NULL || /* not really needed: */ crm->certReq == NULL) {
9311d0c4 308 ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT);
a61b7f2f
DO		 309 return -1;
310 }
aac96e27 311 return crmf_asn1_get_int(crm->certReq->certReqId);
a61b7f2f
DO		 312}
313
a61b7f2f
DO		 314int OSSL_CRMF_MSG_set0_extensions(OSSL_CRMF_MSG *crm,
315 X509_EXTENSIONS *exts)
316{
317 OSSL_CRMF_CERTTEMPLATE *tmpl = OSSL_CRMF_MSG_get0_tmpl(crm);
318
319 if (tmpl == NULL) { /* also crm == NULL implies this */
9311d0c4 320 ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT);
a61b7f2f
DO		 321 return 0;
322 }
323
324 if (sk_X509_EXTENSION_num(exts) == 0) {
325 sk_X509_EXTENSION_free(exts);
326 exts = NULL; /* do not include empty extensions list */
327 }
328
329 sk_X509_EXTENSION_pop_free(tmpl->extensions, X509_EXTENSION_free);
330 tmpl->extensions = exts;
331 return 1;
332}
333
a61b7f2f 334int OSSL_CRMF_MSG_push0_extension(OSSL_CRMF_MSG *crm,
7960dbec 335 X509_EXTENSION *ext)
a61b7f2f
DO		 336{
337 int new = 0;
338 OSSL_CRMF_CERTTEMPLATE *tmpl = OSSL_CRMF_MSG_get0_tmpl(crm);
339
340 if (tmpl == NULL || ext == NULL) { /* also crm == NULL implies this */
9311d0c4 341 ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT);
a61b7f2f
DO		 342 return 0;
343 }
344
345 if (tmpl->extensions == NULL) {
346 if ((tmpl->extensions = sk_X509_EXTENSION_new_null()) == NULL)
7960dbec 347 goto err;
a61b7f2f
DO		 348 new = 1;
349 }
350
7960dbec
DDO		 351 if (!sk_X509_EXTENSION_push(tmpl->extensions, ext))
352 goto err;
a61b7f2f 353 return 1;
7960dbec 354 err:
a61b7f2f
DO		 355 if (new != 0) {
356 sk_X509_EXTENSION_free(tmpl->extensions);
357 tmpl->extensions = NULL;
358 }
359 return 0;
360}
361
6d1f50b5
DDO		 362static int create_popo_signature(OSSL_CRMF_POPOSIGNINGKEY *ps,
363 const OSSL_CRMF_CERTREQUEST *cr,
364 EVP_PKEY *pkey, const EVP_MD *digest,
b4250010 365 OSSL_LIB_CTX *libctx, const char *propq)
a61b7f2f 366{
de56f726 367 char name[80] = "";
293ab820 368 EVP_PKEY *pub;
de56f726 369
a61b7f2f 370 if (ps == NULL || cr == NULL || pkey == NULL) {
9311d0c4 371 ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT);
a61b7f2f
DO		 372 return 0;
373 }
293ab820
DDO		 374 pub = X509_PUBKEY_get0(cr->certTemplate->publicKey);
375 if (!ossl_x509_check_private_key(pub, pkey))
376 return 0;
377
6d1f50b5 378 if (ps->poposkInput != NULL) {
e0a7ef0b 379 /* We do not support cases 1+2 defined in RFC 4211, section 4.1 */
9311d0c4 380 ERR_raise(ERR_LIB_CRMF, CRMF_R_POPOSKINPUT_NOT_SUPPORTED);
db4b3d83 381 return 0;
a61b7f2f 382 }
a61b7f2f 383
de56f726
DDO		 384 if (EVP_PKEY_get_default_digest_name(pkey, name, sizeof(name)) > 0
385 && strcmp(name, "UNDEF") == 0) /* at least for Ed25519, Ed448 */
386 digest = NULL;
387
d8652be0
MC		 388 return ASN1_item_sign_ex(ASN1_ITEM_rptr(OSSL_CRMF_CERTREQUEST),
389 ps->algorithmIdentifier, NULL, ps->signature, cr,
390 NULL, pkey, digest, libctx, propq);
a61b7f2f
DO		 391}
392
6d1f50b5
DDO		 393int OSSL_CRMF_MSG_create_popo(int meth, OSSL_CRMF_MSG *crm,
394 EVP_PKEY *pkey, const EVP_MD *digest,
b4250010 395 OSSL_LIB_CTX *libctx, const char *propq)
a61b7f2f
DO		 396{
397 OSSL_CRMF_POPO *pp = NULL;
398 ASN1_INTEGER *tag = NULL;
399
6d1f50b5 400 if (crm == NULL || (meth == OSSL_CRMF_POPO_SIGNATURE && pkey == NULL)) {
9311d0c4 401 ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT);
a61b7f2f
DO		 402 return 0;
403 }
404
6d1f50b5 405 if (meth == OSSL_CRMF_POPO_NONE)
a61b7f2f
DO		 406 goto end;
407 if ((pp = OSSL_CRMF_POPO_new()) == NULL)
7960dbec 408 goto err;
6d1f50b5 409 pp->type = meth;
a61b7f2f 410
6d1f50b5 411 switch (meth) {
a61b7f2f
DO		 412 case OSSL_CRMF_POPO_RAVERIFIED:
413 if ((pp->value.raVerified = ASN1_NULL_new()) == NULL)
7960dbec 414 goto err;
a61b7f2f
DO		 415 break;
416
417 case OSSL_CRMF_POPO_SIGNATURE:
418 {
419 OSSL_CRMF_POPOSIGNINGKEY *ps = OSSL_CRMF_POPOSIGNINGKEY_new();
6d1f50b5
DDO		 420
421 if (ps == NULL)
422 goto err;
423 if (!create_popo_signature(ps, crm->certReq, pkey, digest,
424 libctx, propq)) {
a61b7f2f
DO		 425 OSSL_CRMF_POPOSIGNINGKEY_free(ps);
426 goto err;
427 }
428 pp->value.signature = ps;
429 }
430 break;
431
432 case OSSL_CRMF_POPO_KEYENC:
433 if ((pp->value.keyEncipherment = OSSL_CRMF_POPOPRIVKEY_new()) == NULL)
7960dbec 434 goto err;
a61b7f2f
DO		 435 tag = ASN1_INTEGER_new();
436 pp->value.keyEncipherment->type =
437 OSSL_CRMF_POPOPRIVKEY_SUBSEQUENTMESSAGE;
438 pp->value.keyEncipherment->value.subsequentMessage = tag;
439 if (tag == NULL
440 || !ASN1_INTEGER_set(tag, OSSL_CRMF_SUBSEQUENTMESSAGE_ENCRCERT))
7960dbec 441 goto err;
a61b7f2f
DO		 442 break;
443
444 default:
9311d0c4 445 ERR_raise(ERR_LIB_CRMF, CRMF_R_UNSUPPORTED_METHOD_FOR_CREATING_POPO);
a61b7f2f
DO		 446 goto err;
447 }
448
449 end:
450 OSSL_CRMF_POPO_free(crm->popo);
451 crm->popo = pp;
452
453 return 1;
a61b7f2f
DO		 454 err:
455 OSSL_CRMF_POPO_free(pp);
456 return 0;
457}
458
a61b7f2f
DO		 459/* verifies the Proof-of-Possession of the request with the given rid in reqs */
460int OSSL_CRMF_MSGS_verify_popo(const OSSL_CRMF_MSGS *reqs,
6d1f50b5 461 int rid, int acceptRAVerified,
b4250010 462 OSSL_LIB_CTX *libctx, const char *propq)
a61b7f2f
DO		 463{
464 OSSL_CRMF_MSG *req = NULL;
465 X509_PUBKEY *pubkey = NULL;
466 OSSL_CRMF_POPOSIGNINGKEY *sig = NULL;
6d1f50b5
DDO		 467 const ASN1_ITEM *it;
468 void *asn;
a61b7f2f 469
7269071e 470 if (reqs == NULL || (req = sk_OSSL_CRMF_MSG_value(reqs, rid)) == NULL) {
9311d0c4 471 ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT);
7269071e
DDO		 472 return 0;
473 }
474
475 if (req->popo == NULL) {
9311d0c4 476 ERR_raise(ERR_LIB_CRMF, CRMF_R_POPO_MISSING);
a61b7f2f
DO		 477 return 0;
478 }
479
480 switch (req->popo->type) {
481 case OSSL_CRMF_POPO_RAVERIFIED:
62dcd2aa 482 if (!acceptRAVerified) {
9311d0c4 483 ERR_raise(ERR_LIB_CRMF, CRMF_R_POPO_RAVERIFIED_NOT_ACCEPTED);
62dcd2aa
DDO		 484 return 0;
485 }
a61b7f2f
DO		 486 break;
487 case OSSL_CRMF_POPO_SIGNATURE:
488 pubkey = req->certReq->certTemplate->publicKey;
62dcd2aa 489 if (pubkey == NULL) {
9311d0c4 490 ERR_raise(ERR_LIB_CRMF, CRMF_R_POPO_MISSING_PUBLIC_KEY);
62dcd2aa
DDO		 491 return 0;
492 }
a61b7f2f
DO		 493 sig = req->popo->value.signature;
494 if (sig->poposkInput != NULL) {
495 /*
496 * According to RFC 4211: publicKey contains a copy of
497 * the public key from the certificate template. This MUST be
498 * exactly the same value as contained in the certificate template.
499 */
62dcd2aa 500 if (sig->poposkInput->publicKey == NULL) {
9311d0c4 501 ERR_raise(ERR_LIB_CRMF, CRMF_R_POPO_MISSING_PUBLIC_KEY);
62dcd2aa
DDO		 502 return 0;
503 }
93f99b68 504 if (X509_PUBKEY_eq(pubkey, sig->poposkInput->publicKey) != 1) {
9311d0c4 505 ERR_raise(ERR_LIB_CRMF, CRMF_R_POPO_INCONSISTENT_PUBLIC_KEY);
62dcd2aa
DDO		 506 return 0;
507 }
6d1f50b5
DDO		 508 it = ASN1_ITEM_rptr(OSSL_CRMF_POPOSIGNINGKEYINPUT);
509 asn = sig->poposkInput;
a61b7f2f 510 } else {
62dcd2aa 511 if (req->certReq->certTemplate->subject == NULL) {
9311d0c4 512 ERR_raise(ERR_LIB_CRMF, CRMF_R_POPO_MISSING_SUBJECT);
62dcd2aa
DDO		 513 return 0;
514 }
6d1f50b5
DDO		 515 it = ASN1_ITEM_rptr(OSSL_CRMF_CERTREQUEST);
516 asn = req->certReq;
a61b7f2f 517 }
d8652be0
MC		 518 if (ASN1_item_verify_ex(it, sig->algorithmIdentifier, sig->signature,
519 asn, NULL, X509_PUBKEY_get0(pubkey), libctx,
520 propq) < 1)
6d1f50b5 521 return 0;
62dcd2aa 522 break;
a61b7f2f 523 case OSSL_CRMF_POPO_KEYENC:
a61b7f2f
DO		 524 case OSSL_CRMF_POPO_KEYAGREE:
525 default:
9311d0c4 526 ERR_raise(ERR_LIB_CRMF, CRMF_R_UNSUPPORTED_POPO_METHOD);
a61b7f2f
DO		 527 return 0;
528 }
62dcd2aa 529 return 1;
a61b7f2f
DO		 530}
531
c0f6792b 532const X509_PUBKEY
357bfe73 533*OSSL_CRMF_CERTTEMPLATE_get0_publicKey(const OSSL_CRMF_CERTTEMPLATE *tmpl)
c0f6792b
DDO		 534{
535 return tmpl != NULL ? tmpl->publicKey : NULL;
536}
537
a61b7f2f 538/* retrieves the serialNumber of the given cert template or NULL on error */
1986f615 539const ASN1_INTEGER
62dcd2aa 540*OSSL_CRMF_CERTTEMPLATE_get0_serialNumber(const OSSL_CRMF_CERTTEMPLATE *tmpl)
a61b7f2f
DO		 541{
542 return tmpl != NULL ? tmpl->serialNumber : NULL;
543}
544
7df56ada 545const X509_NAME
357bfe73 546*OSSL_CRMF_CERTTEMPLATE_get0_subject(const OSSL_CRMF_CERTTEMPLATE *tmpl)
7df56ada
DDO		 547{
548 return tmpl != NULL ? tmpl->subject : NULL;
549}
550
a61b7f2f 551/* retrieves the issuer name of the given cert template or NULL on error */
8cc86b81 552const X509_NAME
357bfe73 553*OSSL_CRMF_CERTTEMPLATE_get0_issuer(const OSSL_CRMF_CERTTEMPLATE *tmpl)
a61b7f2f
DO		 554{
555 return tmpl != NULL ? tmpl->issuer : NULL;
556}
557
7df56ada 558X509_EXTENSIONS
357bfe73 559*OSSL_CRMF_CERTTEMPLATE_get0_extensions(const OSSL_CRMF_CERTTEMPLATE *tmpl)
7df56ada
DDO		 560{
561 return tmpl != NULL ? tmpl->extensions : NULL;
562}
563
7960dbec 564/* retrieves the issuer name of the given CertId or NULL on error */
8cc86b81 565const X509_NAME *OSSL_CRMF_CERTID_get0_issuer(const OSSL_CRMF_CERTID *cid)
7960dbec
DDO		 566{
567 return cid != NULL && cid->issuer->type == GEN_DIRNAME ?
568 cid->issuer->d.directoryName : NULL;
569}
570
571/* retrieves the serialNumber of the given CertId or NULL on error */
357bfe73
DDO		 572const ASN1_INTEGER *OSSL_CRMF_CERTID_get0_serialNumber(const OSSL_CRMF_CERTID
573 *cid)
7960dbec
DDO		 574{
575 return cid != NULL ? cid->serialNumber : NULL;
576}
577
578/*-
a61b7f2f
DO		 579 * fill in certificate template.
580 * Any value argument that is NULL will leave the respective field unchanged.
581 */
582int OSSL_CRMF_CERTTEMPLATE_fill(OSSL_CRMF_CERTTEMPLATE *tmpl,
583 EVP_PKEY *pubkey,
584 const X509_NAME *subject,
585 const X509_NAME *issuer,
586 const ASN1_INTEGER *serial)
587{
588 if (tmpl == NULL) {
9311d0c4 589 ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT);
a61b7f2f
DO		 590 return 0;
591 }
8cc86b81 592 if (subject != NULL && !X509_NAME_set((X509_NAME **)&tmpl->subject, subject))
7960dbec 593 return 0;
8cc86b81 594 if (issuer != NULL && !X509_NAME_set((X509_NAME **)&tmpl->issuer, issuer))
7960dbec 595 return 0;
a61b7f2f
DO		 596 if (serial != NULL) {
597 ASN1_INTEGER_free(tmpl->serialNumber);
598 if ((tmpl->serialNumber = ASN1_INTEGER_dup(serial)) == NULL)
7960dbec 599 return 0;
a61b7f2f
DO		 600 }
601 if (pubkey != NULL && !X509_PUBKEY_set(&tmpl->publicKey, pubkey))
7960dbec 602 return 0;
a61b7f2f 603 return 1;
a61b7f2f
DO		 604}
605
a61b7f2f 606/*-
7960dbec
DDO		 607 * Decrypts the certificate in the given encryptedValue using private key pkey.
608 * This is needed for the indirect PoP method as in RFC 4210 section 5.2.8.2.
a61b7f2f
DO		 609 *
610 * returns a pointer to the decrypted certificate
611 * returns NULL on error or if no certificate available
612 */
6d1f50b5
DDO		 613X509
614*OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(const OSSL_CRMF_ENCRYPTEDVALUE *ecert,
b4250010 615 OSSL_LIB_CTX *libctx, const char *propq,
6d1f50b5 616 EVP_PKEY *pkey)
a61b7f2f
DO		 617{
618 X509 *cert = NULL; /* decrypted certificate */
619 EVP_CIPHER_CTX *evp_ctx = NULL; /* context for symmetric encryption */
620 unsigned char *ek = NULL; /* decrypted symmetric encryption key */
f3f3318a 621 size_t eksize = 0; /* size of decrypted symmetric encryption key */
eaf8a40d 622 EVP_CIPHER *cipher = NULL; /* used cipher */
f3f3318a 623 int cikeysize = 0; /* key size from cipher */
a61b7f2f
DO		 624 unsigned char *iv = NULL; /* initial vector for symmetric encryption */
625 unsigned char *outbuf = NULL; /* decryption output buffer */
626 const unsigned char *p = NULL; /* needed for decoding ASN1 */
a61b7f2f
DO		 627 int n, outlen = 0;
628 EVP_PKEY_CTX *pkctx = NULL; /* private key context */
eaf8a40d 629 char name[OSSL_MAX_NAME_SIZE];
a61b7f2f
DO		 630
631 if (ecert == NULL || ecert->symmAlg == NULL || ecert->encSymmKey == NULL
632 || ecert->encValue == NULL || pkey == NULL) {
9311d0c4 633 ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT);
a61b7f2f
DO		 634 return NULL;
635 }
eaf8a40d 636
f3f3318a 637 /* select symmetric cipher based on algorithm given in message */
eaf8a40d
TM		 638 OBJ_obj2txt(name, sizeof(name), ecert->symmAlg->algorithm, 0);
639
640 (void)ERR_set_mark();
641 cipher = EVP_CIPHER_fetch(NULL, name, NULL);
642
643 if (cipher == NULL)
644 cipher = (EVP_CIPHER *)EVP_get_cipherbyname(name);
645
646 if (cipher == NULL) {
647 (void)ERR_clear_last_mark();
9311d0c4 648 ERR_raise(ERR_LIB_CRMF, CRMF_R_UNSUPPORTED_CIPHER);
f3f3318a
AK		 649 goto end;
650 }
eaf8a40d
TM		 651 (void)ERR_pop_to_mark();
652
ed576acd 653 cikeysize = EVP_CIPHER_get_key_length(cipher);
a61b7f2f 654 /* first the symmetric key needs to be decrypted */
6d1f50b5 655 pkctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, propq);
a61b7f2f
DO		 656 if (pkctx != NULL && EVP_PKEY_decrypt_init(pkctx)) {
657 ASN1_BIT_STRING *encKey = ecert->encSymmKey;
f3f3318a
AK		 658 size_t failure;
659 int retval;
a61b7f2f 660
f3f3318a
AK		 661 if (EVP_PKEY_decrypt(pkctx, NULL, &eksize,
662 encKey->data, encKey->length) <= 0
663 || (ek = OPENSSL_malloc(eksize)) == NULL)
7960dbec 664 goto end;
f3f3318a
AK		 665 retval = EVP_PKEY_decrypt(pkctx, ek, &eksize,
666 encKey->data, encKey->length);
667 ERR_clear_error(); /* error state may have sensitive information */
668 failure = ~constant_time_is_zero_s(constant_time_msb(retval)
669 | constant_time_is_zero(retval));
670 failure |= ~constant_time_eq_s(eksize, (size_t)cikeysize);
671 if (failure) {
9311d0c4 672 ERR_raise(ERR_LIB_CRMF, CRMF_R_ERROR_DECRYPTING_SYMMETRIC_KEY);
a61b7f2f
DO		 673 goto end;
674 }
675 } else {
7960dbec 676 goto end;
a61b7f2f 677 }
ed576acd 678 if ((iv = OPENSSL_malloc(EVP_CIPHER_get_iv_length(cipher))) == NULL)
7960dbec 679 goto end;
a61b7f2f 680 if (ASN1_TYPE_get_octetstring(ecert->symmAlg->parameter, iv,
ed576acd
TM		 681 EVP_CIPHER_get_iv_length(cipher))
682 != EVP_CIPHER_get_iv_length(cipher)) {
9311d0c4 683 ERR_raise(ERR_LIB_CRMF, CRMF_R_MALFORMED_IV);
a61b7f2f
DO		 684 goto end;
685 }
686
687 /*
688 * d2i_X509 changes the given pointer, so use p for decoding the message and
689 * keep the original pointer in outbuf so the memory can be freed later
690 */
691 if ((p = outbuf = OPENSSL_malloc(ecert->encValue->length +
ed576acd 692 EVP_CIPHER_get_block_size(cipher))) == NULL
a61b7f2f 693 || (evp_ctx = EVP_CIPHER_CTX_new()) == NULL)
7960dbec 694 goto end;
a61b7f2f
DO		 695 EVP_CIPHER_CTX_set_padding(evp_ctx, 0);
696
697 if (!EVP_DecryptInit(evp_ctx, cipher, ek, iv)
698 || !EVP_DecryptUpdate(evp_ctx, outbuf, &outlen,
699 ecert->encValue->data,
700 ecert->encValue->length)
701 || !EVP_DecryptFinal(evp_ctx, outbuf + outlen, &n)) {
9311d0c4 702 ERR_raise(ERR_LIB_CRMF, CRMF_R_ERROR_DECRYPTING_CERTIFICATE);
a61b7f2f
DO		 703 goto end;
704 }
705 outlen += n;
706
707 /* convert decrypted certificate from DER to internal ASN.1 structure */
d8652be0 708 if ((cert = X509_new_ex(libctx, propq)) == NULL)
6d1f50b5
DDO		 709 goto end;
710 if (d2i_X509(&cert, &p, outlen) == NULL)
9311d0c4 711 ERR_raise(ERR_LIB_CRMF, CRMF_R_ERROR_DECODING_CERTIFICATE);
a61b7f2f
DO		 712 end:
713 EVP_PKEY_CTX_free(pkctx);
714 OPENSSL_free(outbuf);
715 EVP_CIPHER_CTX_free(evp_ctx);
eaf8a40d 716 EVP_CIPHER_free(cipher);
f3f3318a 717 OPENSSL_clear_free(ek, eksize);
a61b7f2f
DO		 718 OPENSSL_free(iv);
719 return cert;
720}
A mirror of the official openssl repository