]> git.ipfire.org Git - thirdparty/openssl.git/blame - crypto/crmf/crmf_lib.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
threads_pthread.c: change inline to ossl_inline
[thirdparty/openssl.git] / crypto / crmf / crmf_lib.c
CommitLineData
a61b7f2f 1/*-
da1c088f 2 * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
a61b7f2f 3 * Copyright Nokia 2007-2018
8869ad4a 4 * Copyright Siemens AG 2015-2019
a61b7f2f 5 *
ce9b9964 6 * Licensed under the Apache License 2.0 (the "License"). You may not use
a61b7f2f
DO		 7 * this file except in compliance with the License. You can obtain a copy
8 * in the file LICENSE in the source distribution or at
9 * https://www.openssl.org/source/license.html
10 *
11 * CRMF implementation by Martin Peylo, Miikka Viljanen, and David von Oheimb.
12 */
13
14/*
15 * This file contains the functions that handle the individual items inside
16 * the CRMF structures
17 */
18
19/*
20 * NAMING
21 *
22 * The 0 functions use the supplied structure pointer directly in the parent and
23 * it will be freed up when the parent is freed.
24 *
25 * The 1 functions use a copy of the supplied structure pointer (or in some
26 * cases increases its link count) in the parent and so both should be freed up.
27 */
28
29#include <openssl/asn1t.h>
30
706457b7 31#include "crmf_local.h"
eaf8a40d 32#include "internal/sizes.h"
36b91a19 33#include "crypto/evp.h"
293ab820 34#include "crypto/x509.h"
a61b7f2f
DO		 35
36/* explicit #includes not strictly needed since implied by the above: */
37#include <openssl/crmf.h>
38#include <openssl/err.h>
39#include <openssl/evp.h>
40
41/*-
42 * atyp = Attribute Type
43 * valt = Value Type
44 * ctrlinf = "regCtrl" or "regInfo"
45 */
7df56ada
DDO		 46#define IMPLEMENT_CRMF_CTRL_FUNC(atyp, valt, ctrlinf) \
47valt *OSSL_CRMF_MSG_get0_##ctrlinf##_##atyp(const OSSL_CRMF_MSG *msg) \
48{ \
49 int i; \
50 STACK_OF(OSSL_CRMF_ATTRIBUTETYPEANDVALUE) *controls; \
51 OSSL_CRMF_ATTRIBUTETYPEANDVALUE *atav = NULL; \
52 \
53 if (msg == NULL || msg->certReq == NULL) \
54 return NULL; \
55 controls = msg->certReq->controls; \
56 for (i = 0; i < sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_num(controls); i++) { \
57 atav = sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_value(controls, i); \
58 if (OBJ_obj2nid(atav->type) == NID_id_##ctrlinf##_##atyp) \
59 return atav->value.atyp; \
60 } \
61 return NULL; \
62} \
63 \
64int OSSL_CRMF_MSG_set1_##ctrlinf##_##atyp(OSSL_CRMF_MSG *msg, const valt *in) \
a61b7f2f
DO		 65{ \
66 OSSL_CRMF_ATTRIBUTETYPEANDVALUE *atav = NULL; \
67 \
7df56ada 68 if (msg == NULL || in == NULL) \
a61b7f2f
DO		 69 goto err; \
70 if ((atav = OSSL_CRMF_ATTRIBUTETYPEANDVALUE_new()) == NULL) \
71 goto err; \
72 if ((atav->type = OBJ_nid2obj(NID_id_##ctrlinf##_##atyp)) == NULL) \
73 goto err; \
74 if ((atav->value.atyp = valt##_dup(in)) == NULL) \
75 goto err; \
76 if (!OSSL_CRMF_MSG_push0_##ctrlinf(msg, atav)) \
77 goto err; \
78 return 1; \
79 err: \
80 OSSL_CRMF_ATTRIBUTETYPEANDVALUE_free(atav); \
81 return 0; \
82}
83
a61b7f2f
DO		 84/*-
85 * Pushes the given control attribute into the controls stack of a CertRequest
86 * (section 6)
87 * returns 1 on success, 0 on error
88 */
89static int OSSL_CRMF_MSG_push0_regCtrl(OSSL_CRMF_MSG *crm,
90 OSSL_CRMF_ATTRIBUTETYPEANDVALUE *ctrl)
91{
92 int new = 0;
93
94 if (crm == NULL || crm->certReq == NULL || ctrl == NULL) {
9311d0c4 95 ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT);
a61b7f2f
DO		 96 return 0;
97 }
98
99 if (crm->certReq->controls == NULL) {
100 crm->certReq->controls = sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_new_null();
101 if (crm->certReq->controls == NULL)
7960dbec 102 goto err;
a61b7f2f
DO		 103 new = 1;
104 }
105 if (!sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_push(crm->certReq->controls, ctrl))
7960dbec 106 goto err;
a61b7f2f
DO		 107
108 return 1;
7960dbec 109 err:
a61b7f2f
DO		 110 if (new != 0) {
111 sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_free(crm->certReq->controls);
112 crm->certReq->controls = NULL;
113 }
114 return 0;
115}
116
3dbc5156 117/* id-regCtrl-regToken Control (section 6.1) */
a61b7f2f
DO		 118IMPLEMENT_CRMF_CTRL_FUNC(regToken, ASN1_STRING, regCtrl)
119
3dbc5156 120/* id-regCtrl-authenticator Control (section 6.2) */
a61b7f2f
DO		 121#define ASN1_UTF8STRING_dup ASN1_STRING_dup
122IMPLEMENT_CRMF_CTRL_FUNC(authenticator, ASN1_UTF8STRING, regCtrl)
123
124int OSSL_CRMF_MSG_set0_SinglePubInfo(OSSL_CRMF_SINGLEPUBINFO *spi,
125 int method, GENERAL_NAME *nm)
126{
127 if (spi == NULL
128 || method < OSSL_CRMF_PUB_METHOD_DONTCARE
129 || method > OSSL_CRMF_PUB_METHOD_LDAP) {
9311d0c4 130 ERR_raise(ERR_LIB_CRMF, ERR_R_PASSED_INVALID_ARGUMENT);
a61b7f2f
DO		 131 return 0;
132 }
133
134 if (!ASN1_INTEGER_set(spi->pubMethod, method))
135 return 0;
136 GENERAL_NAME_free(spi->pubLocation);
137 spi->pubLocation = nm;
138 return 1;
139}
140
235595c4
DDO		 141int
142OSSL_CRMF_MSG_PKIPublicationInfo_push0_SinglePubInfo(OSSL_CRMF_PKIPUBLICATIONINFO *pi,
143 OSSL_CRMF_SINGLEPUBINFO *spi)
a61b7f2f
DO		 144{
145 if (pi == NULL || spi == NULL) {
9311d0c4 146 ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT);
a61b7f2f
DO		 147 return 0;
148 }
149 if (pi->pubInfos == NULL)
150 pi->pubInfos = sk_OSSL_CRMF_SINGLEPUBINFO_new_null();
151 if (pi->pubInfos == NULL)
7960dbec 152 return 0;
a61b7f2f 153
7960dbec 154 return sk_OSSL_CRMF_SINGLEPUBINFO_push(pi->pubInfos, spi);
a61b7f2f
DO		 155}
156
235595c4
DDO		 157int OSSL_CRMF_MSG_set_PKIPublicationInfo_action(OSSL_CRMF_PKIPUBLICATIONINFO *pi,
158 int action)
a61b7f2f
DO		 159{
160 if (pi == NULL
161 || action < OSSL_CRMF_PUB_ACTION_DONTPUBLISH
162 || action > OSSL_CRMF_PUB_ACTION_PLEASEPUBLISH) {
9311d0c4 163 ERR_raise(ERR_LIB_CRMF, ERR_R_PASSED_INVALID_ARGUMENT);
a61b7f2f
DO		 164 return 0;
165 }
166
167 return ASN1_INTEGER_set(pi->action, action);
168}
169
3dbc5156 170/* id-regCtrl-pkiPublicationInfo Control (section 6.3) */
a61b7f2f
DO		 171IMPLEMENT_CRMF_CTRL_FUNC(pkiPublicationInfo, OSSL_CRMF_PKIPUBLICATIONINFO,
172 regCtrl)
173
3dbc5156 174/* id-regCtrl-oldCertID Control (section 6.5) from the given */
a61b7f2f
DO		 175IMPLEMENT_CRMF_CTRL_FUNC(oldCertID, OSSL_CRMF_CERTID, regCtrl)
176
177OSSL_CRMF_CERTID *OSSL_CRMF_CERTID_gen(const X509_NAME *issuer,
178 const ASN1_INTEGER *serial)
179{
180 OSSL_CRMF_CERTID *cid = NULL;
181
182 if (issuer == NULL || serial == NULL) {
9311d0c4 183 ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT);
a61b7f2f
DO		 184 return NULL;
185 }
186
187 if ((cid = OSSL_CRMF_CERTID_new()) == NULL)
7960dbec 188 goto err;
a61b7f2f
DO		 189
190 if (!X509_NAME_set(&cid->issuer->d.directoryName, issuer))
7960dbec 191 goto err;
a61b7f2f
DO		 192 cid->issuer->type = GEN_DIRNAME;
193
194 ASN1_INTEGER_free(cid->serialNumber);
195 if ((cid->serialNumber = ASN1_INTEGER_dup(serial)) == NULL)
7960dbec 196 goto err;
a61b7f2f
DO		 197
198 return cid;
199
7960dbec 200 err:
a61b7f2f
DO		 201 OSSL_CRMF_CERTID_free(cid);
202 return NULL;
203}
204
3dbc5156
DDO		 205/*
206 * id-regCtrl-protocolEncrKey Control (section 6.6)
207 */
a61b7f2f
DO		 208IMPLEMENT_CRMF_CTRL_FUNC(protocolEncrKey, X509_PUBKEY, regCtrl)
209
210/*-
211 * Pushes the attribute given in regInfo in to the CertReqMsg->regInfo stack.
212 * (section 7)
213 * returns 1 on success, 0 on error
214 */
215static int OSSL_CRMF_MSG_push0_regInfo(OSSL_CRMF_MSG *crm,
216 OSSL_CRMF_ATTRIBUTETYPEANDVALUE *ri)
217{
218 STACK_OF(OSSL_CRMF_ATTRIBUTETYPEANDVALUE) *info = NULL;
219
220 if (crm == NULL || ri == NULL) {
9311d0c4 221 ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT);
a61b7f2f
DO		 222 return 0;
223 }
224
225 if (crm->regInfo == NULL)
226 crm->regInfo = info = sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_new_null();
227 if (crm->regInfo == NULL)
7960dbec 228 goto err;
a61b7f2f 229 if (!sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_push(crm->regInfo, ri))
7960dbec 230 goto err;
a61b7f2f
DO		 231 return 1;
232
7960dbec 233 err:
a61b7f2f
DO		 234 if (info != NULL)
235 crm->regInfo = NULL;
236 sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_free(info);
237 return 0;
238}
239
240/* id-regInfo-utf8Pairs to regInfo (section 7.1) */
241IMPLEMENT_CRMF_CTRL_FUNC(utf8Pairs, ASN1_UTF8STRING, regInfo)
242
243/* id-regInfo-certReq to regInfo (section 7.2) */
244IMPLEMENT_CRMF_CTRL_FUNC(certReq, OSSL_CRMF_CERTREQUEST, regInfo)
245
a61b7f2f
DO		 246/* retrieves the certificate template of crm */
247OSSL_CRMF_CERTTEMPLATE *OSSL_CRMF_MSG_get0_tmpl(const OSSL_CRMF_MSG *crm)
248{
249 if (crm == NULL || crm->certReq == NULL) {
9311d0c4 250 ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT);
a61b7f2f
DO		 251 return NULL;
252 }
253 return crm->certReq->certTemplate;
254}
255
11baa470
DDO		 256int OSSL_CRMF_MSG_set0_validity(OSSL_CRMF_MSG *crm,
257 ASN1_TIME *notBefore, ASN1_TIME *notAfter)
a61b7f2f 258{
11baa470 259 OSSL_CRMF_OPTIONALVALIDITY *vld;
a61b7f2f
DO		 260 OSSL_CRMF_CERTTEMPLATE *tmpl = OSSL_CRMF_MSG_get0_tmpl(crm);
261
262 if (tmpl == NULL) { /* also crm == NULL implies this */
9311d0c4 263 ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT);
a61b7f2f
DO		 264 return 0;
265 }
266
a61b7f2f 267 if ((vld = OSSL_CRMF_OPTIONALVALIDITY_new()) == NULL)
11baa470
DDO		 268 return 0;
269 vld->notBefore = notBefore;
270 vld->notAfter = notAfter;
a61b7f2f 271 tmpl->validity = vld;
a61b7f2f 272 return 1;
a61b7f2f
DO		 273}
274
a61b7f2f
DO		 275int OSSL_CRMF_MSG_set_certReqId(OSSL_CRMF_MSG *crm, int rid)
276{
277 if (crm == NULL || crm->certReq == NULL || crm->certReq->certReqId == NULL) {
9311d0c4 278 ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT);
a61b7f2f
DO		 279 return 0;
280 }
281
282 return ASN1_INTEGER_set(crm->certReq->certReqId, rid);
283}
284
285/* get ASN.1 encoded integer, return -1 on error */
aac96e27 286static int crmf_asn1_get_int(const ASN1_INTEGER *a)
a61b7f2f
DO		 287{
288 int64_t res;
289
290 if (!ASN1_INTEGER_get_int64(&res, a)) {
9311d0c4 291 ERR_raise(ERR_LIB_CRMF, ASN1_R_INVALID_NUMBER);
a61b7f2f
DO		 292 return -1;
293 }
294 if (res < INT_MIN) {
9311d0c4 295 ERR_raise(ERR_LIB_CRMF, ASN1_R_TOO_SMALL);
a61b7f2f
DO		 296 return -1;
297 }
298 if (res > INT_MAX) {
9311d0c4 299 ERR_raise(ERR_LIB_CRMF, ASN1_R_TOO_LARGE);
a61b7f2f
DO		 300 return -1;
301 }
302 return (int)res;
303}
304
62dcd2aa 305int OSSL_CRMF_MSG_get_certReqId(const OSSL_CRMF_MSG *crm)
a61b7f2f
DO		 306{
307 if (crm == NULL || /* not really needed: */ crm->certReq == NULL) {
9311d0c4 308 ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT);
a61b7f2f
DO		 309 return -1;
310 }
aac96e27 311 return crmf_asn1_get_int(crm->certReq->certReqId);
a61b7f2f
DO		 312}
313
a61b7f2f
DO		 314int OSSL_CRMF_MSG_set0_extensions(OSSL_CRMF_MSG *crm,
315 X509_EXTENSIONS *exts)
316{
317 OSSL_CRMF_CERTTEMPLATE *tmpl = OSSL_CRMF_MSG_get0_tmpl(crm);
318
319 if (tmpl == NULL) { /* also crm == NULL implies this */
9311d0c4 320 ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT);
a61b7f2f
DO		 321 return 0;
322 }
323
324 if (sk_X509_EXTENSION_num(exts) == 0) {
325 sk_X509_EXTENSION_free(exts);
326 exts = NULL; /* do not include empty extensions list */
327 }
328
329 sk_X509_EXTENSION_pop_free(tmpl->extensions, X509_EXTENSION_free);
330 tmpl->extensions = exts;
331 return 1;
332}
333
a61b7f2f 334int OSSL_CRMF_MSG_push0_extension(OSSL_CRMF_MSG *crm,
7960dbec 335 X509_EXTENSION *ext)
a61b7f2f
DO		 336{
337 int new = 0;
338 OSSL_CRMF_CERTTEMPLATE *tmpl = OSSL_CRMF_MSG_get0_tmpl(crm);
339
340 if (tmpl == NULL || ext == NULL) { /* also crm == NULL implies this */
9311d0c4 341 ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT);
a61b7f2f
DO		 342 return 0;
343 }
344
345 if (tmpl->extensions == NULL) {
346 if ((tmpl->extensions = sk_X509_EXTENSION_new_null()) == NULL)
7960dbec 347 goto err;
a61b7f2f
DO		 348 new = 1;
349 }
350
7960dbec
DDO		 351 if (!sk_X509_EXTENSION_push(tmpl->extensions, ext))
352 goto err;
a61b7f2f 353 return 1;
7960dbec 354 err:
a61b7f2f
DO		 355 if (new != 0) {
356 sk_X509_EXTENSION_free(tmpl->extensions);
357 tmpl->extensions = NULL;
358 }
359 return 0;
360}
361
6d1f50b5
DDO		 362static int create_popo_signature(OSSL_CRMF_POPOSIGNINGKEY *ps,
363 const OSSL_CRMF_CERTREQUEST *cr,
364 EVP_PKEY *pkey, const EVP_MD *digest,
b4250010 365 OSSL_LIB_CTX *libctx, const char *propq)
a61b7f2f 366{
de56f726 367 char name[80] = "";
293ab820 368 EVP_PKEY *pub;
de56f726 369
a61b7f2f 370 if (ps == NULL || cr == NULL || pkey == NULL) {
9311d0c4 371 ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT);
a61b7f2f
DO		 372 return 0;
373 }
293ab820
DDO		 374 pub = X509_PUBKEY_get0(cr->certTemplate->publicKey);
375 if (!ossl_x509_check_private_key(pub, pkey))
376 return 0;
377
6d1f50b5 378 if (ps->poposkInput != NULL) {
e0a7ef0b 379 /* We do not support cases 1+2 defined in RFC 4211, section 4.1 */
9311d0c4 380 ERR_raise(ERR_LIB_CRMF, CRMF_R_POPOSKINPUT_NOT_SUPPORTED);
db4b3d83 381 return 0;
a61b7f2f 382 }
a61b7f2f 383
de56f726
DDO		 384 if (EVP_PKEY_get_default_digest_name(pkey, name, sizeof(name)) > 0
385 && strcmp(name, "UNDEF") == 0) /* at least for Ed25519, Ed448 */
386 digest = NULL;
387
d8652be0 388 return ASN1_item_sign_ex(ASN1_ITEM_rptr(OSSL_CRMF_CERTREQUEST),
e664ef78
DDO		 389 ps->algorithmIdentifier, /* sets this X509_ALGOR */
390 NULL, ps->signature, /* sets the ASN1_BIT_STRING */
391 cr, NULL, pkey, digest, libctx, propq);
a61b7f2f
DO		 392}
393
6d1f50b5
DDO		 394int OSSL_CRMF_MSG_create_popo(int meth, OSSL_CRMF_MSG *crm,
395 EVP_PKEY *pkey, const EVP_MD *digest,
b4250010 396 OSSL_LIB_CTX *libctx, const char *propq)
a61b7f2f
DO		 397{
398 OSSL_CRMF_POPO *pp = NULL;
399 ASN1_INTEGER *tag = NULL;
400
6d1f50b5 401 if (crm == NULL || (meth == OSSL_CRMF_POPO_SIGNATURE && pkey == NULL)) {
9311d0c4 402 ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT);
a61b7f2f
DO		 403 return 0;
404 }
405
6d1f50b5 406 if (meth == OSSL_CRMF_POPO_NONE)
a61b7f2f
DO		 407 goto end;
408 if ((pp = OSSL_CRMF_POPO_new()) == NULL)
7960dbec 409 goto err;
6d1f50b5 410 pp->type = meth;
a61b7f2f 411
6d1f50b5 412 switch (meth) {
a61b7f2f
DO		 413 case OSSL_CRMF_POPO_RAVERIFIED:
414 if ((pp->value.raVerified = ASN1_NULL_new()) == NULL)
7960dbec 415 goto err;
a61b7f2f
DO		 416 break;
417
418 case OSSL_CRMF_POPO_SIGNATURE:
419 {
420 OSSL_CRMF_POPOSIGNINGKEY *ps = OSSL_CRMF_POPOSIGNINGKEY_new();
6d1f50b5
DDO		 421
422 if (ps == NULL)
423 goto err;
424 if (!create_popo_signature(ps, crm->certReq, pkey, digest,
425 libctx, propq)) {
a61b7f2f
DO		 426 OSSL_CRMF_POPOSIGNINGKEY_free(ps);
427 goto err;
428 }
429 pp->value.signature = ps;
430 }
431 break;
432
433 case OSSL_CRMF_POPO_KEYENC:
434 if ((pp->value.keyEncipherment = OSSL_CRMF_POPOPRIVKEY_new()) == NULL)
7960dbec 435 goto err;
a61b7f2f
DO		 436 tag = ASN1_INTEGER_new();
437 pp->value.keyEncipherment->type =
438 OSSL_CRMF_POPOPRIVKEY_SUBSEQUENTMESSAGE;
439 pp->value.keyEncipherment->value.subsequentMessage = tag;
440 if (tag == NULL
441 || !ASN1_INTEGER_set(tag, OSSL_CRMF_SUBSEQUENTMESSAGE_ENCRCERT))
7960dbec 442 goto err;
a61b7f2f
DO		 443 break;
444
445 default:
9311d0c4 446 ERR_raise(ERR_LIB_CRMF, CRMF_R_UNSUPPORTED_METHOD_FOR_CREATING_POPO);
a61b7f2f
DO		 447 goto err;
448 }
449
450 end:
451 OSSL_CRMF_POPO_free(crm->popo);
452 crm->popo = pp;
453
454 return 1;
a61b7f2f
DO		 455 err:
456 OSSL_CRMF_POPO_free(pp);
457 return 0;
458}
459
a61b7f2f
DO		 460/* verifies the Proof-of-Possession of the request with the given rid in reqs */
461int OSSL_CRMF_MSGS_verify_popo(const OSSL_CRMF_MSGS *reqs,
6d1f50b5 462 int rid, int acceptRAVerified,
b4250010 463 OSSL_LIB_CTX *libctx, const char *propq)
a61b7f2f
DO		 464{
465 OSSL_CRMF_MSG *req = NULL;
466 X509_PUBKEY *pubkey = NULL;
467 OSSL_CRMF_POPOSIGNINGKEY *sig = NULL;
6d1f50b5
DDO		 468 const ASN1_ITEM *it;
469 void *asn;
a61b7f2f 470
7269071e 471 if (reqs == NULL || (req = sk_OSSL_CRMF_MSG_value(reqs, rid)) == NULL) {
9311d0c4 472 ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT);
7269071e
DDO		 473 return 0;
474 }
475
476 if (req->popo == NULL) {
9311d0c4 477 ERR_raise(ERR_LIB_CRMF, CRMF_R_POPO_MISSING);
a61b7f2f
DO		 478 return 0;
479 }
480
481 switch (req->popo->type) {
482 case OSSL_CRMF_POPO_RAVERIFIED:
62dcd2aa 483 if (!acceptRAVerified) {
9311d0c4 484 ERR_raise(ERR_LIB_CRMF, CRMF_R_POPO_RAVERIFIED_NOT_ACCEPTED);
62dcd2aa
DDO		 485 return 0;
486 }
a61b7f2f
DO		 487 break;
488 case OSSL_CRMF_POPO_SIGNATURE:
489 pubkey = req->certReq->certTemplate->publicKey;
62dcd2aa 490 if (pubkey == NULL) {
9311d0c4 491 ERR_raise(ERR_LIB_CRMF, CRMF_R_POPO_MISSING_PUBLIC_KEY);
62dcd2aa
DDO		 492 return 0;
493 }
a61b7f2f
DO		 494 sig = req->popo->value.signature;
495 if (sig->poposkInput != NULL) {
496 /*
497 * According to RFC 4211: publicKey contains a copy of
498 * the public key from the certificate template. This MUST be
499 * exactly the same value as contained in the certificate template.
500 */
62dcd2aa 501 if (sig->poposkInput->publicKey == NULL) {
9311d0c4 502 ERR_raise(ERR_LIB_CRMF, CRMF_R_POPO_MISSING_PUBLIC_KEY);
62dcd2aa
DDO		 503 return 0;
504 }
93f99b68 505 if (X509_PUBKEY_eq(pubkey, sig->poposkInput->publicKey) != 1) {
9311d0c4 506 ERR_raise(ERR_LIB_CRMF, CRMF_R_POPO_INCONSISTENT_PUBLIC_KEY);
62dcd2aa
DDO		 507 return 0;
508 }
084d3afd
DDO		 509
510 /*
511 * Should check at this point the contents of the authInfo sub-field
512 * as requested in FR #19807 according to RFC 4211 section 4.1.
513 */
514
6d1f50b5
DDO		 515 it = ASN1_ITEM_rptr(OSSL_CRMF_POPOSIGNINGKEYINPUT);
516 asn = sig->poposkInput;
a61b7f2f 517 } else {
62dcd2aa 518 if (req->certReq->certTemplate->subject == NULL) {
9311d0c4 519 ERR_raise(ERR_LIB_CRMF, CRMF_R_POPO_MISSING_SUBJECT);
62dcd2aa
DDO		 520 return 0;
521 }
6d1f50b5
DDO		 522 it = ASN1_ITEM_rptr(OSSL_CRMF_CERTREQUEST);
523 asn = req->certReq;
a61b7f2f 524 }
d8652be0
MC		 525 if (ASN1_item_verify_ex(it, sig->algorithmIdentifier, sig->signature,
526 asn, NULL, X509_PUBKEY_get0(pubkey), libctx,
527 propq) < 1)
6d1f50b5 528 return 0;
62dcd2aa 529 break;
a61b7f2f 530 case OSSL_CRMF_POPO_KEYENC:
084d3afd
DDO		 531 /*
532 * When OSSL_CMP_certrep_new() supports encrypted certs,
533 * should return 1 if the type of req->popo->value.keyEncipherment
534 * is OSSL_CRMF_POPOPRIVKEY_SUBSEQUENTMESSAGE and
535 * its value.subsequentMessage == OSSL_CRMF_SUBSEQUENTMESSAGE_ENCRCERT
536 */
a61b7f2f
DO		 537 case OSSL_CRMF_POPO_KEYAGREE:
538 default:
9311d0c4 539 ERR_raise(ERR_LIB_CRMF, CRMF_R_UNSUPPORTED_POPO_METHOD);
a61b7f2f
DO		 540 return 0;
541 }
62dcd2aa 542 return 1;
a61b7f2f
DO		 543}
544
09f30b0c 545X509_PUBKEY
357bfe73 546*OSSL_CRMF_CERTTEMPLATE_get0_publicKey(const OSSL_CRMF_CERTTEMPLATE *tmpl)
c0f6792b
DDO		 547{
548 return tmpl != NULL ? tmpl->publicKey : NULL;
549}
550
1986f615 551const ASN1_INTEGER
62dcd2aa 552*OSSL_CRMF_CERTTEMPLATE_get0_serialNumber(const OSSL_CRMF_CERTTEMPLATE *tmpl)
a61b7f2f
DO		 553{
554 return tmpl != NULL ? tmpl->serialNumber : NULL;
555}
556
7df56ada 557const X509_NAME
357bfe73 558*OSSL_CRMF_CERTTEMPLATE_get0_subject(const OSSL_CRMF_CERTTEMPLATE *tmpl)
7df56ada
DDO		 559{
560 return tmpl != NULL ? tmpl->subject : NULL;
561}
562
8cc86b81 563const X509_NAME
357bfe73 564*OSSL_CRMF_CERTTEMPLATE_get0_issuer(const OSSL_CRMF_CERTTEMPLATE *tmpl)
a61b7f2f
DO		 565{
566 return tmpl != NULL ? tmpl->issuer : NULL;
567}
568
7df56ada 569X509_EXTENSIONS
357bfe73 570*OSSL_CRMF_CERTTEMPLATE_get0_extensions(const OSSL_CRMF_CERTTEMPLATE *tmpl)
7df56ada
DDO		 571{
572 return tmpl != NULL ? tmpl->extensions : NULL;
573}
574
8cc86b81 575const X509_NAME *OSSL_CRMF_CERTID_get0_issuer(const OSSL_CRMF_CERTID *cid)
7960dbec
DDO		 576{
577 return cid != NULL && cid->issuer->type == GEN_DIRNAME ?
578 cid->issuer->d.directoryName : NULL;
579}
580
357bfe73
DDO		 581const ASN1_INTEGER *OSSL_CRMF_CERTID_get0_serialNumber(const OSSL_CRMF_CERTID
582 *cid)
7960dbec
DDO		 583{
584 return cid != NULL ? cid->serialNumber : NULL;
585}
586
587/*-
8b6bbcaa
DDO		 588 * Fill in the certificate template |tmpl|.
589 * Any other NULL argument will leave the respective field unchanged.
a61b7f2f
DO		 590 */
591int OSSL_CRMF_CERTTEMPLATE_fill(OSSL_CRMF_CERTTEMPLATE *tmpl,
592 EVP_PKEY *pubkey,
593 const X509_NAME *subject,
594 const X509_NAME *issuer,
595 const ASN1_INTEGER *serial)
596{
597 if (tmpl == NULL) {
9311d0c4 598 ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT);
a61b7f2f
DO		 599 return 0;
600 }
8cc86b81 601 if (subject != NULL && !X509_NAME_set((X509_NAME **)&tmpl->subject, subject))
7960dbec 602 return 0;
8cc86b81 603 if (issuer != NULL && !X509_NAME_set((X509_NAME **)&tmpl->issuer, issuer))
7960dbec 604 return 0;
a61b7f2f
DO		 605 if (serial != NULL) {
606 ASN1_INTEGER_free(tmpl->serialNumber);
607 if ((tmpl->serialNumber = ASN1_INTEGER_dup(serial)) == NULL)
7960dbec 608 return 0;
a61b7f2f
DO		 609 }
610 if (pubkey != NULL && !X509_PUBKEY_set(&tmpl->publicKey, pubkey))
7960dbec 611 return 0;
a61b7f2f 612 return 1;
a61b7f2f
DO		 613}
614
a61b7f2f 615/*-
7960dbec
DDO		 616 * Decrypts the certificate in the given encryptedValue using private key pkey.
617 * This is needed for the indirect PoP method as in RFC 4210 section 5.2.8.2.
a61b7f2f
DO		 618 *
619 * returns a pointer to the decrypted certificate
620 * returns NULL on error or if no certificate available
621 */
6d1f50b5
DDO		 622X509
623*OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(const OSSL_CRMF_ENCRYPTEDVALUE *ecert,
b4250010 624 OSSL_LIB_CTX *libctx, const char *propq,
6d1f50b5 625 EVP_PKEY *pkey)
a61b7f2f
DO		 626{
627 X509 *cert = NULL; /* decrypted certificate */
628 EVP_CIPHER_CTX *evp_ctx = NULL; /* context for symmetric encryption */
629 unsigned char *ek = NULL; /* decrypted symmetric encryption key */
f3f3318a 630 size_t eksize = 0; /* size of decrypted symmetric encryption key */
eaf8a40d 631 EVP_CIPHER *cipher = NULL; /* used cipher */
f3f3318a 632 int cikeysize = 0; /* key size from cipher */
a61b7f2f
DO		 633 unsigned char *iv = NULL; /* initial vector for symmetric encryption */
634 unsigned char *outbuf = NULL; /* decryption output buffer */
635 const unsigned char *p = NULL; /* needed for decoding ASN1 */
a61b7f2f
DO		 636 int n, outlen = 0;
637 EVP_PKEY_CTX *pkctx = NULL; /* private key context */
eaf8a40d 638 char name[OSSL_MAX_NAME_SIZE];
a61b7f2f
DO		 639
640 if (ecert == NULL || ecert->symmAlg == NULL || ecert->encSymmKey == NULL
641 || ecert->encValue == NULL || pkey == NULL) {
9311d0c4 642 ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT);
a61b7f2f
DO		 643 return NULL;
644 }
eaf8a40d 645
f3f3318a 646 /* select symmetric cipher based on algorithm given in message */
eaf8a40d
TM		 647 OBJ_obj2txt(name, sizeof(name), ecert->symmAlg->algorithm, 0);
648
649 (void)ERR_set_mark();
650 cipher = EVP_CIPHER_fetch(NULL, name, NULL);
651
652 if (cipher == NULL)
653 cipher = (EVP_CIPHER *)EVP_get_cipherbyname(name);
654
655 if (cipher == NULL) {
656 (void)ERR_clear_last_mark();
9311d0c4 657 ERR_raise(ERR_LIB_CRMF, CRMF_R_UNSUPPORTED_CIPHER);
f3f3318a
AK		 658 goto end;
659 }
eaf8a40d
TM		 660 (void)ERR_pop_to_mark();
661
ed576acd 662 cikeysize = EVP_CIPHER_get_key_length(cipher);
a61b7f2f 663 /* first the symmetric key needs to be decrypted */
6d1f50b5 664 pkctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, propq);
36b91a19
DDO		 665 if (pkctx == NULL || EVP_PKEY_decrypt_init(pkctx) <= 0
666 || evp_pkey_decrypt_alloc(pkctx, &ek, &eksize, (size_t)cikeysize,
667 ecert->encSymmKey->data,
668 ecert->encSymmKey->length) <= 0)
7960dbec 669 goto end;
36b91a19 670
ed576acd 671 if ((iv = OPENSSL_malloc(EVP_CIPHER_get_iv_length(cipher))) == NULL)
7960dbec 672 goto end;
a61b7f2f 673 if (ASN1_TYPE_get_octetstring(ecert->symmAlg->parameter, iv,
ed576acd
TM		 674 EVP_CIPHER_get_iv_length(cipher))
675 != EVP_CIPHER_get_iv_length(cipher)) {
9311d0c4 676 ERR_raise(ERR_LIB_CRMF, CRMF_R_MALFORMED_IV);
a61b7f2f
DO		 677 goto end;
678 }
679
680 /*
681 * d2i_X509 changes the given pointer, so use p for decoding the message and
682 * keep the original pointer in outbuf so the memory can be freed later
683 */
684 if ((p = outbuf = OPENSSL_malloc(ecert->encValue->length +
ed576acd 685 EVP_CIPHER_get_block_size(cipher))) == NULL
a61b7f2f 686 || (evp_ctx = EVP_CIPHER_CTX_new()) == NULL)
7960dbec 687 goto end;
a61b7f2f
DO		 688 EVP_CIPHER_CTX_set_padding(evp_ctx, 0);
689
690 if (!EVP_DecryptInit(evp_ctx, cipher, ek, iv)
691 || !EVP_DecryptUpdate(evp_ctx, outbuf, &outlen,
692 ecert->encValue->data,
693 ecert->encValue->length)
694 || !EVP_DecryptFinal(evp_ctx, outbuf + outlen, &n)) {
9311d0c4 695 ERR_raise(ERR_LIB_CRMF, CRMF_R_ERROR_DECRYPTING_CERTIFICATE);
a61b7f2f
DO		 696 goto end;
697 }
698 outlen += n;
699
700 /* convert decrypted certificate from DER to internal ASN.1 structure */
d8652be0 701 if ((cert = X509_new_ex(libctx, propq)) == NULL)
6d1f50b5
DDO		 702 goto end;
703 if (d2i_X509(&cert, &p, outlen) == NULL)
9311d0c4 704 ERR_raise(ERR_LIB_CRMF, CRMF_R_ERROR_DECODING_CERTIFICATE);
a61b7f2f
DO		 705 end:
706 EVP_PKEY_CTX_free(pkctx);
707 OPENSSL_free(outbuf);
708 EVP_CIPHER_CTX_free(evp_ctx);
eaf8a40d 709 EVP_CIPHER_free(cipher);
f3f3318a 710 OPENSSL_clear_free(ek, eksize);
a61b7f2f
DO		 711 OPENSSL_free(iv);
712 return cert;
713}
A mirror of the official openssl repository