#include "cmp_local.h"
#include "internal/cryptlib.h"
+#include "e_os.h" /* ossl_sleep() */
/* explicit #includes not strictly needed since implied by the above: */
#include <openssl/bio.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/x509v3.h>
-
-#include "openssl/cmp_util.h"
+#include <openssl/cmp_util.h>
#define IS_CREP(t) ((t) == OSSL_CMP_PKIBODY_IP || (t) == OSSL_CMP_PKIBODY_CP \
|| (t) == OSSL_CMP_PKIBODY_KUP)
int invalid_protection,
int expected_type /* ignored here */)
{
- int rcvd_type = ossl_cmp_msg_get_bodytype(rep /* may be NULL */);
+ int rcvd_type = OSSL_CMP_MSG_get_bodytype(rep /* may be NULL */);
const char *msg_type = NULL;
if (!ossl_assert(ctx != NULL && rep != NULL))
if (sk_OSSL_CMP_CERTRESPONSE_num(crepmsg->response) > 1)
return -1;
- /* TODO: handle potentially multiple CertResponses in CertRepMsg */
if (crep == NULL)
return -1;
if (ossl_cmp_pkisi_get_status(crep->status)
|| expected_type == OSSL_CMP_PKIBODY_POLLREP
|| expected_type == OSSL_CMP_PKIBODY_PKICONF;
const char *req_type_str =
- ossl_cmp_bodytype_to_string(ossl_cmp_msg_get_bodytype(req));
+ ossl_cmp_bodytype_to_string(OSSL_CMP_MSG_get_bodytype(req));
const char *expected_type_str = ossl_cmp_bodytype_to_string(expected_type);
int msg_timeout;
int bt;
return 0;
}
- bt = ossl_cmp_msg_get_bodytype(*rep);
+ bt = OSSL_CMP_MSG_get_bodytype(*rep);
/*
* The body type in the 'bt' variable is not yet verified.
* Still we use this preliminary value already for a progress report because
sizeof(buf)) != NULL)
ERR_add_error_data(1, buf);
if (emc->errorCode != NULL
- && BIO_snprintf(buf, sizeof(buf), "; errorCode: %ld",
+ && BIO_snprintf(buf, sizeof(buf), "; errorCode: %08lX",
ASN1_INTEGER_get(emc->errorCode)) > 0)
ERR_add_error_data(1, buf);
if (emc->errorDetails != NULL) {
char *text = ossl_sk_ASN1_UTF8STRING2text(emc->errorDetails, ", ",
OSSL_CMP_PKISI_BUFLEN - 1);
- if (text != NULL)
+ if (text != NULL && *text != '\0')
ERR_add_error_data(2, "; errorDetails: ", text);
OPENSSL_free(text);
}
"received 'waiting' PKIStatus, starting to poll for response");
*rep = NULL;
for (;;) {
- /* TODO: handle potentially multiple poll requests per message */
if ((preq = ossl_cmp_pollReq_new(ctx, rid)) == NULL)
goto err;
goto err;
/* handle potential pollRep */
- if (ossl_cmp_msg_get_bodytype(prep) == OSSL_CMP_PKIBODY_POLLREP) {
+ if (OSSL_CMP_MSG_get_bodytype(prep) == OSSL_CMP_PKIBODY_POLLREP) {
OSSL_CMP_POLLREPCONTENT *prc = prep->body->value.pollRep;
OSSL_CMP_POLLREP *pollRep = NULL;
int64_t check_after;
char str[OSSL_CMP_PKISI_BUFLEN];
int len;
- /* TODO: handle potentially multiple elements in pollRep */
if (sk_OSSL_CMP_POLLREP_num(prc) > 1) {
ERR_raise(ERR_LIB_CMP, CMP_R_MULTIPLE_RESPONSES_NOT_SUPPORTED);
goto err;
ERR_add_error_data(1, str);
goto err;
}
- if (ctx->total_timeout > 0) { /* timeout is not infinite */
- const int exp = 5; /* expected max time per msg round trip */
- int64_t time_left = (int64_t)(ctx->end_time - exp - time(NULL));
-
- if (time_left <= 0) {
- ERR_raise(ERR_LIB_CMP, CMP_R_TOTAL_TIMEOUT);
- goto err;
- }
- if (time_left < check_after)
- check_after = time_left;
- /* poll one last time just when timeout was reached */
- }
if (pollRep->reason == NULL
|| (len = BIO_snprintf(str, OSSL_CMP_PKISI_BUFLEN,
"received polling response%s; checkAfter = %ld seconds",
str, check_after);
+ if (ctx->total_timeout > 0) { /* timeout is not infinite */
+ const int exp = 5; /* expected max time per msg round trip */
+ int64_t time_left = (int64_t)(ctx->end_time - exp - time(NULL));
+
+ if (time_left <= 0) {
+ ERR_raise(ERR_LIB_CMP, CMP_R_TOTAL_TIMEOUT);
+ goto err;
+ }
+ if (time_left < check_after)
+ check_after = time_left;
+ /* poll one last time just when timeout was reached */
+ }
+
OSSL_CMP_MSG_free(preq);
preq = NULL;
OSSL_CMP_MSG_free(prep);
return fail_info;
ossl_cmp_debug(ctx, "trying to build chain for newly enrolled cert");
- chain = ossl_cmp_build_cert_chain(ctx->libctx, ctx->propq,
- out_trusted /* may be NULL */,
- ctx->untrusted, cert);
+ chain = X509_build_chain(cert, ctx->untrusted, out_trusted /* maybe NULL */,
+ 0, ctx->libctx, ctx->propq);
if (sk_X509_num(chain) > 0)
X509_free(sk_X509_shift(chain)); /* remove leaf (EE) cert */
if (out_trusted != NULL) {
ERR_raise(ERR_LIB_CMP, CMP_R_MULTIPLE_RESPONSES_NOT_SUPPORTED);
return 0;
}
- /* TODO: handle potentially multiple CertResponses in CertRepMsg */
crep = ossl_cmp_certrepmessage_get0_certresponse(crepmsg, rid);
if (crep == NULL)
return 0;
if (fail_info != 0) /* immediately log error before any certConf exchange */
ossl_cmp_log1(ERROR, ctx,
"rejecting newly enrolled cert with subject: %s", subj);
-
- /*
- * TODO: better move certConf exchange to do_certreq_seq() such that
- * also more low-level errors with CertReqMessages get reported to server
- */
if (!ctx->disableConfirm
&& !ossl_cmp_hdr_has_implicitConfirm((*resp)->header)) {
if (!ossl_cmp_exchange_certConf(ctx, fail_info, txt))
} else {
if (req_type < 0)
return ossl_cmp_exchange_error(ctx, OSSL_CMP_PKISTATUS_rejection,
- 0 /* TODO better fail_info value? */,
- "polling aborted", 0 /* errorCode */,
- "by application");
+ 0, "polling aborted",
+ 0 /* errorCode */, "by application");
res = poll_for_response(ctx, 0 /* no sleep */, rid, &rep, checkAfter);
if (res <= 0) /* waiting or error */
return res;
* certConf, PKIconf, and polling if required.
* Will sleep as long as indicated by the server (according to checkAfter).
* All enrollment options need to be present in the context.
- * TODO: another function to request two certificates at once should be created.
* Returns pointer to received certificate, or NULL if none was received.
*/
X509 *OSSL_CMP_exec_certreq(OSSL_CMP_CTX *ctx, int req_type,
goto err;
}
if ((cid = ossl_cmp_revrepcontent_get_CertId(rrep, rsid)) == NULL) {
+ ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_CERTID);
ret = 0;
goto err;
}