/*
- * Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright Nokia 2007-2019
* Copyright Siemens AG 2015-2019
*
#include "cmp_local.h"
#include "internal/cryptlib.h"
+#include "e_os.h" /* ossl_sleep() */
/* explicit #includes not strictly needed since implied by the above: */
#include <openssl/bio.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/x509v3.h>
-
-#include "openssl/cmp_util.h"
+#include <openssl/cmp_util.h>
#define IS_CREP(t) ((t) == OSSL_CMP_PKIBODY_IP || (t) == OSSL_CMP_PKIBODY_CP \
|| (t) == OSSL_CMP_PKIBODY_KUP)
int invalid_protection,
int expected_type /* ignored here */)
{
- int rcvd_type = ossl_cmp_msg_get_bodytype(rep /* may be NULL */);
+ int rcvd_type = OSSL_CMP_MSG_get_bodytype(rep /* may be NULL */);
const char *msg_type = NULL;
if (!ossl_assert(ctx != NULL && rep != NULL))
if (sk_OSSL_CMP_CERTRESPONSE_num(crepmsg->response) > 1)
return -1;
- /* TODO: handle potentially multiple CertResponses in CertRepMsg */
if (crep == NULL)
return -1;
if (ossl_cmp_pkisi_get_status(crep->status)
static int send_receive_check(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *req,
OSSL_CMP_MSG **rep, int expected_type)
{
+ int is_enrollment = IS_CREP(expected_type)
+ || expected_type == OSSL_CMP_PKIBODY_POLLREP
+ || expected_type == OSSL_CMP_PKIBODY_PKICONF;
const char *req_type_str =
- ossl_cmp_bodytype_to_string(ossl_cmp_msg_get_bodytype(req));
+ ossl_cmp_bodytype_to_string(OSSL_CMP_MSG_get_bodytype(req));
const char *expected_type_str = ossl_cmp_bodytype_to_string(expected_type);
int msg_timeout;
int bt;
*rep = NULL;
msg_timeout = ctx->msg_timeout; /* backup original value */
- if ((IS_CREP(expected_type) || expected_type == OSSL_CMP_PKIBODY_POLLREP)
- && ctx->total_timeout > 0 /* timeout is not infinite */) {
+ if (is_enrollment && ctx->total_timeout > 0 /* timeout is not infinite */) {
if (now >= ctx->end_time) {
ERR_raise(ERR_LIB_CMP, CMP_R_TOTAL_TIMEOUT);
return 0;
}
if (!ossl_assert(ctx->end_time - time(NULL) < INT_MAX)) {
- /* cannot really happen due to the assignment in do_certreq_seq() */
+ /* actually cannot happen due to assignment in initial_certreq() */
ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS);
return 0;
}
ctx->msg_timeout = msg_timeout; /* restore original value */
if (*rep == NULL) {
- ERR_raise_data(ERR_LIB_CMP, CMP_R_TRANSFER_ERROR, /* or receiving response */
+ ERR_raise_data(ERR_LIB_CMP,
+ ctx->total_timeout > 0 && time(NULL) >= ctx->end_time ?
+ CMP_R_TOTAL_TIMEOUT : CMP_R_TRANSFER_ERROR,
"request sent: %s, expected response: %s",
req_type_str, expected_type_str);
return 0;
}
- bt = ossl_cmp_msg_get_bodytype(*rep);
+ bt = OSSL_CMP_MSG_get_bodytype(*rep);
/*
* The body type in the 'bt' variable is not yet verified.
* Still we use this preliminary value already for a progress report because
sizeof(buf)) != NULL)
ERR_add_error_data(1, buf);
if (emc->errorCode != NULL
- && BIO_snprintf(buf, sizeof(buf), "; errorCode: %ld",
+ && BIO_snprintf(buf, sizeof(buf), "; errorCode: %08lX",
ASN1_INTEGER_get(emc->errorCode)) > 0)
ERR_add_error_data(1, buf);
if (emc->errorDetails != NULL) {
- char *text = sk_ASN1_UTF8STRING2text(emc->errorDetails, ", ",
- OSSL_CMP_PKISI_BUFLEN - 1);
+ char *text = ossl_sk_ASN1_UTF8STRING2text(emc->errorDetails, ", ",
+ OSSL_CMP_PKISI_BUFLEN - 1);
- if (text != NULL)
+ if (text != NULL && *text != '\0')
ERR_add_error_data(2, "; errorDetails: ", text);
OPENSSL_free(text);
}
"received 'waiting' PKIStatus, starting to poll for response");
*rep = NULL;
for (;;) {
- /* TODO: handle potentially multiple poll requests per message */
if ((preq = ossl_cmp_pollReq_new(ctx, rid)) == NULL)
goto err;
goto err;
/* handle potential pollRep */
- if (ossl_cmp_msg_get_bodytype(prep) == OSSL_CMP_PKIBODY_POLLREP) {
+ if (OSSL_CMP_MSG_get_bodytype(prep) == OSSL_CMP_PKIBODY_POLLREP) {
OSSL_CMP_POLLREPCONTENT *prc = prep->body->value.pollRep;
OSSL_CMP_POLLREP *pollRep = NULL;
int64_t check_after;
char str[OSSL_CMP_PKISI_BUFLEN];
int len;
- /* TODO: handle potentially multiple elements in pollRep */
if (sk_OSSL_CMP_POLLREP_num(prc) > 1) {
ERR_raise(ERR_LIB_CMP, CMP_R_MULTIPLE_RESPONSES_NOT_SUPPORTED);
goto err;
ERR_add_error_data(1, str);
goto err;
}
- if (ctx->total_timeout > 0) { /* timeout is not infinite */
- const int exp = 5; /* expected max time per msg round trip */
- int64_t time_left = (int64_t)(ctx->end_time - exp - time(NULL));
-
- if (time_left <= 0) {
- ERR_raise(ERR_LIB_CMP, CMP_R_TOTAL_TIMEOUT);
- goto err;
- }
- if (time_left < check_after)
- check_after = time_left;
- /* poll one last time just when timeout was reached */
- }
if (pollRep->reason == NULL
|| (len = BIO_snprintf(str, OSSL_CMP_PKISI_BUFLEN,
" with reason = '")) < 0) {
*str = '\0';
} else {
- char *text = sk_ASN1_UTF8STRING2text(pollRep->reason, ", ",
- sizeof(str) - len - 2);
+ char *text = ossl_sk_ASN1_UTF8STRING2text(pollRep->reason, ", ",
+ sizeof(str) - len - 2);
if (text == NULL
|| BIO_snprintf(str + len, sizeof(str) - len,
"received polling response%s; checkAfter = %ld seconds",
str, check_after);
+ if (ctx->total_timeout > 0) { /* timeout is not infinite */
+ const int exp = 5; /* expected max time per msg round trip */
+ int64_t time_left = (int64_t)(ctx->end_time - exp - time(NULL));
+
+ if (time_left <= 0) {
+ ERR_raise(ERR_LIB_CMP, CMP_R_TOTAL_TIMEOUT);
+ goto err;
+ }
+ if (time_left < check_after)
+ check_after = time_left;
+ /* poll one last time just when timeout was reached */
+ }
+
OSSL_CMP_MSG_free(preq);
preq = NULL;
OSSL_CMP_MSG_free(prep);
return fail_info;
ossl_cmp_debug(ctx, "trying to build chain for newly enrolled cert");
- chain = ossl_cmp_build_cert_chain(ctx->libctx, ctx->propq,
- out_trusted /* may be NULL */,
- ctx->untrusted, cert);
+ chain = X509_build_chain(cert, ctx->untrusted, out_trusted /* maybe NULL */,
+ 0, ctx->libctx, ctx->propq);
if (sk_X509_num(chain) > 0)
X509_free(sk_X509_shift(chain)); /* remove leaf (EE) cert */
if (out_trusted != NULL) {
ERR_raise(ERR_LIB_CMP, CMP_R_MULTIPLE_RESPONSES_NOT_SUPPORTED);
return 0;
}
- /* TODO: handle potentially multiple CertResponses in CertRepMsg */
crep = ossl_cmp_certrepmessage_get0_certresponse(crepmsg, rid);
if (crep == NULL)
return 0;
if (fail_info != 0) /* immediately log error before any certConf exchange */
ossl_cmp_log1(ERROR, ctx,
"rejecting newly enrolled cert with subject: %s", subj);
-
- /*
- * TODO: better move certConf exchange to do_certreq_seq() such that
- * also more low-level errors with CertReqMessages get reported to server
- */
if (!ctx->disableConfirm
&& !ossl_cmp_hdr_has_implicitConfirm((*resp)->header)) {
if (!ossl_cmp_exchange_certConf(ctx, fail_info, txt))
return ret;
}
+static int initial_certreq(OSSL_CMP_CTX *ctx,
+ int req_type, const OSSL_CRMF_MSG *crm,
+ OSSL_CMP_MSG **p_rep, int rep_type)
+{
+ OSSL_CMP_MSG *req;
+ int res;
+
+ ctx->status = -1;
+ if (!ossl_cmp_ctx_set0_newCert(ctx, NULL))
+ return 0;
+
+ if (ctx->total_timeout > 0) /* else ctx->end_time is not used */
+ ctx->end_time = time(NULL) + ctx->total_timeout;
+
+ /* also checks if all necessary options are set */
+ if ((req = ossl_cmp_certreq_new(ctx, req_type, crm)) == NULL)
+ return 0;
+
+ res = send_receive_check(ctx, req, p_rep, rep_type);
+ OSSL_CMP_MSG_free(req);
+ return res;
+}
+
int OSSL_CMP_try_certreq(OSSL_CMP_CTX *ctx, int req_type,
const OSSL_CRMF_MSG *crm, int *checkAfter)
{
- OSSL_CMP_MSG *req = NULL;
OSSL_CMP_MSG *rep = NULL;
int is_p10 = req_type == OSSL_CMP_PKIBODY_P10CR;
int rid = is_p10 ? -1 : OSSL_CMP_CERTREQID;
}
if (ctx->status != OSSL_CMP_PKISTATUS_waiting) { /* not polling already */
- ctx->status = -1;
- if (!ossl_cmp_ctx_set0_newCert(ctx, NULL))
- return 0;
-
- if (ctx->total_timeout > 0) /* else ctx->end_time is not used */
- ctx->end_time = time(NULL) + ctx->total_timeout;
-
- req = ossl_cmp_certreq_new(ctx, req_type, crm);
- if (req == NULL) /* also checks if all necessary options are set */
- return 0;
-
- if (!send_receive_check(ctx, req, &rep, rep_type))
+ if (!initial_certreq(ctx, req_type, crm, &rep, rep_type))
goto err;
} else {
if (req_type < 0)
return ossl_cmp_exchange_error(ctx, OSSL_CMP_PKISTATUS_rejection,
- 0 /* TODO better fail_info value? */,
- "polling aborted", 0 /* errorCode */,
- "by application");
+ 0, "polling aborted",
+ 0 /* errorCode */, "by application");
res = poll_for_response(ctx, 0 /* no sleep */, rid, &rep, checkAfter);
if (res <= 0) /* waiting or error */
return res;
req_type, rep_type);
err:
- OSSL_CMP_MSG_free(req);
OSSL_CMP_MSG_free(rep);
return res;
}
* certConf, PKIconf, and polling if required.
* Will sleep as long as indicated by the server (according to checkAfter).
* All enrollment options need to be present in the context.
- * TODO: another function to request two certificates at once should be created.
* Returns pointer to received certificate, or NULL if none was received.
*/
X509 *OSSL_CMP_exec_certreq(OSSL_CMP_CTX *ctx, int req_type,
const OSSL_CRMF_MSG *crm)
{
- OSSL_CMP_MSG *req = NULL;
OSSL_CMP_MSG *rep = NULL;
int is_p10 = req_type == OSSL_CMP_PKIBODY_P10CR;
int rid = is_p10 ? -1 : OSSL_CMP_CERTREQID;
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return NULL;
}
- if (is_p10 && crm != NULL) {
- ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS);
- return NULL;
- }
-
- ctx->status = -1;
- if (!ossl_cmp_ctx_set0_newCert(ctx, NULL))
- return NULL;
-
- if (ctx->total_timeout > 0) /* else ctx->end_time is not used */
- ctx->end_time = time(NULL) + ctx->total_timeout;
- /* OSSL_CMP_certreq_new() also checks if all necessary options are set */
- if ((req = ossl_cmp_certreq_new(ctx, req_type, crm)) == NULL)
- goto err;
-
- if (!send_receive_check(ctx, req, &rep, rep_type))
+ if (!initial_certreq(ctx, req_type, crm, &rep, rep_type))
goto err;
if (cert_response(ctx, 1 /* sleep */, rid, &rep, NULL, req_type, rep_type)
result = ctx->newCert;
err:
- OSSL_CMP_MSG_free(req);
OSSL_CMP_MSG_free(rep);
return result;
}
goto err;
}
- /* check any pretent CertId in optional revCerts field */
+ /* check any present CertId in optional revCerts field */
if (sk_OSSL_CRMF_CERTID_num(rrep->revCerts) >= 1) {
OSSL_CRMF_CERTID *cid;
OSSL_CRMF_CERTTEMPLATE *tmpl =
goto err;
}
if ((cid = ossl_cmp_revrepcontent_get_CertId(rrep, rsid)) == NULL) {
+ ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_CERTID);
ret = 0;
goto err;
}