/*
- * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2007-2024 The OpenSSL Project Authors. All Rights Reserved.
* Copyright Nokia 2007-2019
* Copyright Siemens AG 2015-2019
*
*/
DEFINE_OSSL_set0_NAME(OSSL_CMP_CTX, trusted, trusted, X509_STORE)
+DEFINE_OSSL_CMP_CTX_get0(libctx, OSSL_LIB_CTX)
+DEFINE_OSSL_CMP_CTX_get0(propq, const char)
+
/* Get current list of non-trusted intermediate certs */
DEFINE_OSSL_CMP_CTX_get0(untrusted, STACK_OF(X509))
ctx->libctx = libctx;
if (propq != NULL && (ctx->propq = OPENSSL_strdup(propq)) == NULL)
- goto oom;
+ goto err;
ctx->log_verbosity = OSSL_CMP_LOG_INFO;
- ctx->status = -1;
+ ctx->status = OSSL_CMP_PKISTATUS_unspecified;
ctx->failInfoCode = -1;
ctx->keep_alive = 1;
ctx->msg_timeout = -1;
+ ctx->tls_used = -1; /* default for backward compatibility */
- if ((ctx->untrusted = sk_X509_new_null()) == NULL)
- goto oom;
+ if ((ctx->untrusted = sk_X509_new_null()) == NULL) {
+ ERR_raise(ERR_LIB_X509, ERR_R_CRYPTO_LIB);
+ goto err;
+ }
ctx->pbm_slen = 16;
if (!cmp_ctx_set_md(ctx, &ctx->pbm_owf, NID_sha256))
/* all other elements are initialized to 0 or NULL, respectively */
return ctx;
- oom:
- ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE);
err:
OSSL_CMP_CTX_free(ctx);
return NULL;
}
+#define OSSL_CMP_ITAVs_free(itavs) \
+ sk_OSSL_CMP_ITAV_pop_free(itavs, OSSL_CMP_ITAV_free);
+#define X509_EXTENSIONS_free(exts) \
+ sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free)
+#define OSSL_CMP_PKIFREETEXT_free(text) \
+ sk_ASN1_UTF8STRING_pop_free(text, ASN1_UTF8STRING_free)
+
/* Prepare the OSSL_CMP_CTX for next use, partly re-initializing OSSL_CMP_CTX */
int OSSL_CMP_CTX_reinit(OSSL_CMP_CTX *ctx)
{
return 0;
}
+#ifndef OPENSSL_NO_HTTP
if (ctx->http_ctx != NULL) {
(void)OSSL_HTTP_close(ctx->http_ctx, 1);
ossl_cmp_debug(ctx, "disconnected from CMP server");
ctx->http_ctx = NULL;
}
- ctx->status = -1;
+#endif
+ ctx->status = OSSL_CMP_PKISTATUS_unspecified;
ctx->failInfoCode = -1;
+ OSSL_CMP_ITAVs_free(ctx->genm_ITAVs);
+ ctx->genm_ITAVs = NULL;
+
return ossl_cmp_ctx_set0_statusString(ctx, NULL)
&& ossl_cmp_ctx_set0_newCert(ctx, NULL)
&& ossl_cmp_ctx_set1_newChain(ctx, NULL)
&& ossl_cmp_ctx_set1_caPubs(ctx, NULL)
&& ossl_cmp_ctx_set1_extraCertsIn(ctx, NULL)
&& ossl_cmp_ctx_set1_validatedSrvCert(ctx, NULL)
+ && ossl_cmp_ctx_set1_first_senderNonce(ctx, NULL)
&& OSSL_CMP_CTX_set1_transactionID(ctx, NULL)
&& OSSL_CMP_CTX_set1_senderNonce(ctx, NULL)
&& ossl_cmp_ctx_set1_recipNonce(ctx, NULL);
}
-#define OSSL_CMP_ITAVs_free(itavs) \
- sk_OSSL_CMP_ITAV_pop_free(itavs, OSSL_CMP_ITAV_free);
-#define X509_EXTENSIONS_free(exts) \
- sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free)
-#define OSSL_CMP_PKIFREETEXT_free(text) \
- sk_ASN1_UTF8STRING_pop_free(text, ASN1_UTF8STRING_free)
-
/* Frees OSSL_CMP_CTX variables allocated in OSSL_CMP_CTX_new() */
void OSSL_CMP_CTX_free(OSSL_CMP_CTX *ctx)
{
if (ctx == NULL)
return;
+#ifndef OPENSSL_NO_HTTP
if (ctx->http_ctx != NULL) {
(void)OSSL_HTTP_close(ctx->http_ctx, 1);
ossl_cmp_debug(ctx, "disconnected from CMP server");
}
+#endif
OPENSSL_free(ctx->propq);
OPENSSL_free(ctx->serverPath);
OPENSSL_free(ctx->server);
ASN1_OCTET_STRING_free(ctx->transactionID);
ASN1_OCTET_STRING_free(ctx->senderNonce);
ASN1_OCTET_STRING_free(ctx->recipNonce);
+ ASN1_OCTET_STRING_free(ctx->first_senderNonce);
OSSL_CMP_ITAVs_free(ctx->geninfo_ITAVs);
OSSL_STACK_OF_X509_free(ctx->extraCertsOut);
EVP_PKEY_free(ctx->newPkey);
X509_NAME_free(ctx->issuer);
+ ASN1_INTEGER_free(ctx->serialNumber);
X509_NAME_free(ctx->subjectName);
sk_GENERAL_NAME_pop_free(ctx->subjectAltNames, GENERAL_NAME_free);
X509_EXTENSIONS_free(ctx->reqExtensions);
}
/* Set or clear the password to be used for protecting messages with PBMAC */
-int OSSL_CMP_CTX_set1_secretValue(OSSL_CMP_CTX *ctx, const unsigned char *sec,
- int len)
+int OSSL_CMP_CTX_set1_secretValue(OSSL_CMP_CTX *ctx,
+ const unsigned char *sec, int len)
{
ASN1_OCTET_STRING *secretValue = NULL;
return OSSL_CMP_ITAV_push0_stack_item(&ctx->geninfo_ITAVs, itav);
}
+int OSSL_CMP_CTX_reset_geninfo_ITAVs(OSSL_CMP_CTX *ctx)
+{
+ if (ctx == NULL) {
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
+ return 0;
+ }
+ OSSL_CMP_ITAVs_free(ctx->geninfo_ITAVs);
+ ctx->geninfo_ITAVs = NULL;
+ return 1;
+}
+
+DEFINE_OSSL_CMP_CTX_get0(geninfo_ITAVs, STACK_OF(OSSL_CMP_ITAV))
+
/* Add an itav for the body of outgoing general messages */
int OSSL_CMP_CTX_push0_genm_ITAV(OSSL_CMP_CTX *ctx, OSSL_CMP_ITAV *itav)
{
*/
DEFINE_OSSL_set1_up_ref(OSSL_CMP_CTX, srvCert, X509)
-/* Set the X509 name of the recipient. Set in the PKIHeader */
+/* Set the X509 name of the recipient to be placed in the PKIHeader */
DEFINE_OSSL_CMP_CTX_set1(recipient, X509_NAME)
/* Store the X509 name of the expected sender in the PKIHeader of responses */
DEFINE_OSSL_CMP_CTX_set1(expected_sender, X509_NAME)
-/* Set the X509 name of the issuer. Set in the PKIHeader */
+/* Set the X509 name of the issuer to be placed in the certTemplate */
DEFINE_OSSL_CMP_CTX_set1(issuer, X509_NAME)
+/* Set the ASN1_INTEGER serial to be placed in the certTemplate for rr */
+DEFINE_OSSL_CMP_CTX_set1(serialNumber, ASN1_INTEGER)
/*
* Set the subject name that will be placed in the certificate
* request. This will be the subject name on the received certificate.
}
/* Get the private/public key to use for cert enrollment, or NULL on error */
+/* In case |priv| == 0, better use ossl_cmp_ctx_get0_newPubkey() below */
EVP_PKEY *OSSL_CMP_CTX_get0_newPkey(const OSSL_CMP_CTX *ctx, int priv)
{
if (ctx == NULL) {
return ctx->pkey; /* may be NULL */
}
+EVP_PKEY *ossl_cmp_ctx_get0_newPubkey(const OSSL_CMP_CTX *ctx)
+{
+ if (!ossl_assert(ctx != NULL))
+ return NULL;
+ if (ctx->newPkey != NULL)
+ return ctx->newPkey;
+ if (ctx->p10CSR != NULL)
+ return X509_REQ_get0_pubkey(ctx->p10CSR);
+ if (ctx->oldCert != NULL)
+ return X509_get0_pubkey(ctx->oldCert);
+ if (ctx->cert != NULL)
+ return X509_get0_pubkey(ctx->cert);
+ return ctx->pkey;
+}
+
#define DEFINE_set1_ASN1_OCTET_STRING(PREFIX, FIELD) \
int PREFIX##_set1_##FIELD(OSSL_CMP_CTX *ctx, const ASN1_OCTET_STRING *id) \
{ \
/* Stores the given nonce as the last senderNonce sent out */
DEFINE_set1_ASN1_OCTET_STRING(OSSL_CMP_CTX, senderNonce)
+/* store the first req sender nonce for verifying delayed delivery */
+DEFINE_set1_ASN1_OCTET_STRING(ossl_cmp_ctx, first_senderNonce)
+
/* Set the proxy server to use for HTTP(S) connections */
DEFINE_OSSL_CMP_CTX_set1(proxy, char)
-/* Set the (HTTP) host name of the CMP server */
+/* Set the (HTTP) hostname of the CMP server */
DEFINE_OSSL_CMP_CTX_set1(server, char)
/* Set the server exclusion list of the HTTP proxy server */
DEFINE_OSSL_CMP_CTX_set1(no_proxy, char)
+#ifndef OPENSSL_NO_HTTP
/* Set the http connect/disconnect callback function to be used for HTTP(S) */
DEFINE_OSSL_set(OSSL_CMP_CTX, http_cb, OSSL_HTTP_bio_cb_t)
* Returns callback argument set previously (NULL if not set or on error)
*/
DEFINE_OSSL_get(OSSL_CMP_CTX, http_cb_arg, void *, NULL)
+#endif
/* Set callback function for sending CMP request and receiving response */
DEFINE_OSSL_set(OSSL_CMP_CTX, transfer_cb, OSSL_CMP_transfer_cb_t)
case OSSL_CMP_OPT_UNPROTECTED_ERRORS:
ctx->unprotectedErrors = val;
break;
+ case OSSL_CMP_OPT_NO_CACHE_EXTRACERTS:
+ ctx->noCacheExtraCerts = val;
+ break;
case OSSL_CMP_OPT_VALIDITY_DAYS:
ctx->days = val;
break;
case OSSL_CMP_OPT_TOTAL_TIMEOUT:
ctx->total_timeout = val;
break;
+ case OSSL_CMP_OPT_USE_TLS:
+ ctx->tls_used = val;
+ break;
case OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR:
ctx->permitTAInExtraCertsForIR = val;
break;
return ctx->unprotectedSend;
case OSSL_CMP_OPT_UNPROTECTED_ERRORS:
return ctx->unprotectedErrors;
+ case OSSL_CMP_OPT_NO_CACHE_EXTRACERTS:
+ return ctx->noCacheExtraCerts;
case OSSL_CMP_OPT_VALIDITY_DAYS:
return ctx->days;
case OSSL_CMP_OPT_SUBJECTALTNAME_NODEFAULT:
return ctx->msg_timeout;
case OSSL_CMP_OPT_TOTAL_TIMEOUT:
return ctx->total_timeout;
+ case OSSL_CMP_OPT_USE_TLS:
+ return ctx->tls_used;
case OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR:
return ctx->permitTAInExtraCertsForIR;
case OSSL_CMP_OPT_REVOCATION_REASON:
projects / thirdparty / openssl.git / blobdiff