]> git.ipfire.org Git - thirdparty/openssl.git/blame - crypto/cmp/cmp_msg.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Add CMP error reason 'missing reference cert'
[thirdparty/openssl.git] / crypto / cmp / cmp_msg.c
CommitLineData
3dbc5156
DDO		 1/*
2 * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright Nokia 2007-2019
4 * Copyright Siemens AG 2015-2019
5 *
6 * Licensed under the Apache License 2.0 (the "License"). You may not use
7 * this file except in compliance with the License. You can obtain a copy
8 * in the file LICENSE in the source distribution or at
9 * https://www.openssl.org/source/license.html
10 */
11
12/* CMP functions for PKIMessage construction */
13
14#include "cmp_local.h"
15
16/* explicit #includes not strictly needed since implied by the above: */
17#include <openssl/asn1t.h>
18#include <openssl/cmp.h>
19#include <openssl/crmf.h>
20#include <openssl/err.h>
21#include <openssl/x509.h>
22
23OSSL_CMP_PKIHEADER *OSSL_CMP_MSG_get0_header(const OSSL_CMP_MSG *msg)
24{
25 if (msg == NULL) {
26 CMPerr(0, CMP_R_NULL_ARGUMENT);
27 return NULL;
28 }
29 return msg->header;
30}
31
32const char *ossl_cmp_bodytype_to_string(int type)
33{
34 static const char *type_names[] = {
35 "IR", "IP", "CR", "CP", "P10CR",
36 "POPDECC", "POPDECR", "KUR", "KUP",
37 "KRR", "KRP", "RR", "RP", "CCR", "CCP",
38 "CKUANN", "CANN", "RANN", "CRLANN", "PKICONF", "NESTED",
39 "GENM", "GENP", "ERROR", "CERTCONF", "POLLREQ", "POLLREP",
40 };
41
42 if (type < 0 || type > OSSL_CMP_PKIBODY_TYPE_MAX)
43 return "illegal body type";
44 return type_names[type];
45}
46
47int ossl_cmp_msg_set_bodytype(OSSL_CMP_MSG *msg, int type)
48{
49 if (!ossl_assert(msg != NULL && msg->body != NULL))
50 return 0;
51
52 msg->body->type = type;
53 return 1;
54}
55
56int ossl_cmp_msg_get_bodytype(const OSSL_CMP_MSG *msg)
57{
58 if (!ossl_assert(msg != NULL && msg->body != NULL))
59 return -1;
60
61 return msg->body->type;
62}
63
64/* Add an extension to the referenced extension stack, which may be NULL */
65static int add1_extension(X509_EXTENSIONS **pexts, int nid, int crit, void *ex)
66{
67 X509_EXTENSION *ext;
68 int res;
69
70 if (!ossl_assert(pexts != NULL)) /* pointer to var must not be NULL */
71 return 0;
72
73 if ((ext = X509V3_EXT_i2d(nid, crit, ex)) == NULL)
74 return 0;
75
76 res = X509v3_add_ext(pexts, ext, 0) != NULL;
77 X509_EXTENSION_free(ext);
78 return res;
79}
80
81/* Add a CRL revocation reason code to extension stack, which may be NULL */
82static int add_crl_reason_extension(X509_EXTENSIONS **pexts, int reason_code)
83{
84 ASN1_ENUMERATED *val = ASN1_ENUMERATED_new();
85 int res = 0;
86
87 if (val != NULL && ASN1_ENUMERATED_set(val, reason_code))
88 res = add1_extension(pexts, NID_crl_reason, 0 /* non-critical */, val);
89 ASN1_ENUMERATED_free(val);
90 return res;
91}
92
93OSSL_CMP_MSG *ossl_cmp_msg_create(OSSL_CMP_CTX *ctx, int bodytype)
94{
95 OSSL_CMP_MSG *msg = NULL;
96
97 if (!ossl_assert(ctx != NULL))
98 return NULL;
99
100 if ((msg = OSSL_CMP_MSG_new()) == NULL)
101 return NULL;
102 if (!ossl_cmp_hdr_init(ctx, msg->header)
103 || !ossl_cmp_msg_set_bodytype(msg, bodytype))
104 goto err;
105 if (ctx->geninfo_ITAVs != NULL
106 && !ossl_cmp_hdr_generalInfo_push1_items(msg->header,
107 ctx->geninfo_ITAVs))
108 goto err;
109
110 switch (bodytype) {
111 case OSSL_CMP_PKIBODY_IR:
112 case OSSL_CMP_PKIBODY_CR:
113 case OSSL_CMP_PKIBODY_KUR:
114 if ((msg->body->value.ir = OSSL_CRMF_MSGS_new()) == NULL)
115 goto err;
116 return msg;
117
118 case OSSL_CMP_PKIBODY_P10CR:
119 if (ctx->p10CSR == NULL) {
120 CMPerr(0, CMP_R_ERROR_CREATING_P10CR);
121 goto err;
122 }
123 if ((msg->body->value.p10cr = X509_REQ_dup(ctx->p10CSR)) == NULL)
124 goto err;
125 return msg;
126
127 case OSSL_CMP_PKIBODY_IP:
128 case OSSL_CMP_PKIBODY_CP:
129 case OSSL_CMP_PKIBODY_KUP:
130 if ((msg->body->value.ip = OSSL_CMP_CERTREPMESSAGE_new()) == NULL)
131 goto err;
132 return msg;
133
134 case OSSL_CMP_PKIBODY_RR:
135 if ((msg->body->value.rr = sk_OSSL_CMP_REVDETAILS_new_null()) == NULL)
136 goto err;
137 return msg;
138 case OSSL_CMP_PKIBODY_RP:
139 if ((msg->body->value.rp = OSSL_CMP_REVREPCONTENT_new()) == NULL)
140 goto err;
141 return msg;
142
143 case OSSL_CMP_PKIBODY_CERTCONF:
144 if ((msg->body->value.certConf =
145 sk_OSSL_CMP_CERTSTATUS_new_null()) == NULL)
146 goto err;
147 return msg;
148 case OSSL_CMP_PKIBODY_PKICONF:
149 if ((msg->body->value.pkiconf = ASN1_TYPE_new()) == NULL)
150 goto err;
151 ASN1_TYPE_set(msg->body->value.pkiconf, V_ASN1_NULL, NULL);
152 return msg;
153
154 case OSSL_CMP_PKIBODY_POLLREQ:
155 if ((msg->body->value.pollReq = sk_OSSL_CMP_POLLREQ_new_null()) == NULL)
156 goto err;
157 return msg;
158 case OSSL_CMP_PKIBODY_POLLREP:
159 if ((msg->body->value.pollRep = sk_OSSL_CMP_POLLREP_new_null()) == NULL)
160 goto err;
161 return msg;
162
163 case OSSL_CMP_PKIBODY_GENM:
164 case OSSL_CMP_PKIBODY_GENP:
165 if ((msg->body->value.genm = sk_OSSL_CMP_ITAV_new_null()) == NULL)
166 goto err;
167 return msg;
168
169 case OSSL_CMP_PKIBODY_ERROR:
170 if ((msg->body->value.error = OSSL_CMP_ERRORMSGCONTENT_new()) == NULL)
171 goto err;
172 return msg;
173
174 default:
175 CMPerr(0, CMP_R_UNEXPECTED_PKIBODY);
176 goto err;
177 }
178
179 err:
180 OSSL_CMP_MSG_free(msg);
181 return NULL;
182}
183
184#define HAS_SAN(ctx) \
185 (sk_GENERAL_NAME_num((ctx)->subjectAltNames) > 0 \
186 || OSSL_CMP_CTX_reqExtensions_have_SAN(ctx) == 1)
187
8cc86b81
DDO		 188static const X509_NAME *determine_subj(OSSL_CMP_CTX *ctx, X509 *refcert,
189 int bodytype)
3dbc5156
DDO		 190{
191 if (ctx->subjectName != NULL)
192 return ctx->subjectName;
193
194 if (refcert != NULL
195 && (bodytype == OSSL_CMP_PKIBODY_KUR || !HAS_SAN(ctx)))
196 /*
197 * For KUR, copy subjectName from reference certificate.
198 * For IR or CR, do the same only if there is no subjectAltName.
199 */
200 return X509_get_subject_name(refcert);
201 return NULL;
202}
203
204/*
205 * Create CRMF certificate request message for IR/CR/KUR
206 * returns a pointer to the OSSL_CRMF_MSG on success, NULL on error
207 */
62dcd2aa 208static OSSL_CRMF_MSG *crm_new(OSSL_CMP_CTX *ctx, int bodytype, int rid)
3dbc5156
DDO		 209{
210 OSSL_CRMF_MSG *crm = NULL;
211 X509 *refcert = ctx->oldCert != NULL ? ctx->oldCert : ctx->clCert;
212 /* refcert defaults to current client cert */
62dcd2aa 213 EVP_PKEY *rkey = OSSL_CMP_CTX_get0_newPkey(ctx, 0);
3dbc5156 214 STACK_OF(GENERAL_NAME) *default_sans = NULL;
8cc86b81 215 const X509_NAME *subject = determine_subj(ctx, refcert, bodytype);
3dbc5156
DDO		 216 int crit = ctx->setSubjectAltNameCritical || subject == NULL;
217 /* RFC5280: subjectAltName MUST be critical if subject is null */
218 X509_EXTENSIONS *exts = NULL;
219
62dcd2aa
DDO		 220 if (rkey == NULL)
221 rkey = ctx->pkey; /* default is independent of ctx->oldClCert */
e599d0ae
DDO		 222 if (rkey == NULL) {
223#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
224 CMPerr(0, CMP_R_NULL_ARGUMENT);
225 return NULL;
226#endif
227 }
228 if (bodytype == OSSL_CMP_PKIBODY_KUR && refcert == NULL) {
753283cd 229 CMPerr(0, CMP_R_MISSING_REFERENCE_CERT);
3dbc5156
DDO		 230 return NULL;
231 }
232 if ((crm = OSSL_CRMF_MSG_new()) == NULL)
233 return NULL;
234 if (!OSSL_CRMF_MSG_set_certReqId(crm, rid)
235 /*
236 * fill certTemplate, corresponding to CertificationRequestInfo
237 * of PKCS#10. The rkey param cannot be NULL so far -
238 * it could be NULL if centralized key creation was supported
239 */
240 || !OSSL_CRMF_CERTTEMPLATE_fill(OSSL_CRMF_MSG_get0_tmpl(crm), rkey,
241 subject, ctx->issuer,
235595c4 242 NULL /* serial */))
3dbc5156
DDO		 243 goto err;
244 if (ctx->days != 0) {
245 time_t notBefore, notAfter;
246
247 notBefore = time(NULL);
248 notAfter = notBefore + 60 * 60 * 24 * ctx->days;
249 if (!OSSL_CRMF_MSG_set_validity(crm, notBefore, notAfter))
250 goto err;
251 }
252
253 /* extensions */
254 if (refcert != NULL && !ctx->SubjectAltName_nodefault)
255 default_sans = X509V3_get_d2i(X509_get0_extensions(refcert),
256 NID_subject_alt_name, NULL, NULL);
257 /* exts are copied from ctx to allow reuse */
258 if (ctx->reqExtensions != NULL) {
259 exts = sk_X509_EXTENSION_deep_copy(ctx->reqExtensions,
260 X509_EXTENSION_dup,
261 X509_EXTENSION_free);
262 if (exts == NULL)
263 goto err;
264 }
265 if (sk_GENERAL_NAME_num(ctx->subjectAltNames) > 0
266 && !add1_extension(&exts, NID_subject_alt_name,
267 crit, ctx->subjectAltNames))
268 goto err;
269 if (!HAS_SAN(ctx) && default_sans != NULL
270 && !add1_extension(&exts, NID_subject_alt_name, crit, default_sans))
271 goto err;
272 if (ctx->policies != NULL
273 && !add1_extension(&exts, NID_certificate_policies,
274 ctx->setPoliciesCritical, ctx->policies))
275 goto err;
276 if (!OSSL_CRMF_MSG_set0_extensions(crm, exts))
277 goto err;
278 exts = NULL;
279 /* end fill certTemplate, now set any controls */
280
281 /* for KUR, set OldCertId according to D.6 */
282 if (bodytype == OSSL_CMP_PKIBODY_KUR) {
283 OSSL_CRMF_CERTID *cid =
284 OSSL_CRMF_CERTID_gen(X509_get_issuer_name(refcert),
285 X509_get_serialNumber(refcert));
286 int ret;
287
288 if (cid == NULL)
289 goto err;
290 ret = OSSL_CRMF_MSG_set1_regCtrl_oldCertID(crm, cid);
291 OSSL_CRMF_CERTID_free(cid);
292 if (ret == 0)
293 goto err;
294 }
295
296 goto end;
297
298 err:
299 OSSL_CRMF_MSG_free(crm);
300 crm = NULL;
301
302 end:
303 sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
304 sk_GENERAL_NAME_pop_free(default_sans, GENERAL_NAME_free);
305 return crm;
306}
307
308OSSL_CMP_MSG *ossl_cmp_certReq_new(OSSL_CMP_CTX *ctx, int type, int err_code)
309{
3dbc5156
DDO		 310 OSSL_CMP_MSG *msg;
311 OSSL_CRMF_MSG *crm = NULL;
312
313 if (!ossl_assert(ctx != NULL))
314 return NULL;
315
3dbc5156
DDO		 316 if (type != OSSL_CMP_PKIBODY_IR && type != OSSL_CMP_PKIBODY_CR
317 && type != OSSL_CMP_PKIBODY_KUR && type != OSSL_CMP_PKIBODY_P10CR) {
318 CMPerr(0, CMP_R_INVALID_ARGS);
319 return NULL;
320 }
321
322 if ((msg = ossl_cmp_msg_create(ctx, type)) == NULL)
323 goto err;
324
325 /* header */
326 if (ctx->implicitConfirm && !ossl_cmp_hdr_set_implicitConfirm(msg->header))
327 goto err;
328
329 /* body */
330 /* For P10CR the content has already been set in OSSL_CMP_MSG_create */
331 if (type != OSSL_CMP_PKIBODY_P10CR) {
62dcd2aa
DDO		 332 EVP_PKEY *privkey = OSSL_CMP_CTX_get0_newPkey(ctx, 1);
333
334 if (privkey == NULL)
335 privkey = ctx->pkey; /* default is independent of ctx->oldCert */
3dbc5156
DDO		 336 if (ctx->popoMethod == OSSL_CRMF_POPO_SIGNATURE && privkey == NULL) {
337 CMPerr(0, CMP_R_MISSING_PRIVATE_KEY);
338 goto err;
339 }
62dcd2aa
DDO		 340 if ((crm = crm_new(ctx, type, OSSL_CMP_CERTREQID)) == NULL
341 || !OSSL_CRMF_MSG_create_popo(crm, privkey, ctx->digest,
342 ctx->popoMethod)
343 /* value.ir is same for cr and kur */
344 || !sk_OSSL_CRMF_MSG_push(msg->body->value.ir, crm))
3dbc5156
DDO		 345 goto err;
346 crm = NULL;
347 /* TODO: here optional 2nd certreqmsg could be pushed to the stack */
348 }
349
350 if (!ossl_cmp_msg_protect(ctx, msg))
351 goto err;
352
353 return msg;
354
355 err:
7e765f46
DDO		 356 if (err_code != 0)
357 CMPerr(0, err_code);
3dbc5156
DDO		 358 OSSL_CRMF_MSG_free(crm);
359 OSSL_CMP_MSG_free(msg);
360 return NULL;
361}
362
363OSSL_CMP_MSG *ossl_cmp_certRep_new(OSSL_CMP_CTX *ctx, int bodytype,
364 int certReqId, OSSL_CMP_PKISI *si,
365 X509 *cert, STACK_OF(X509) *chain,
366 STACK_OF(X509) *caPubs, int encrypted,
367 int unprotectedErrors)
368{
369 OSSL_CMP_MSG *msg = NULL;
370 OSSL_CMP_CERTREPMESSAGE *repMsg = NULL;
371 OSSL_CMP_CERTRESPONSE *resp = NULL;
372 int status = -1;
373
374 if (!ossl_assert(ctx != NULL && si != NULL))
375 return NULL;
376
377 if ((msg = ossl_cmp_msg_create(ctx, bodytype)) == NULL)
378 goto err;
379 repMsg = msg->body->value.ip; /* value.ip is same for cp and kup */
380
381 /* header */
382 if (ctx->implicitConfirm && !ossl_cmp_hdr_set_implicitConfirm(msg->header))
383 goto err;
384
385 /* body */
386 if ((resp = OSSL_CMP_CERTRESPONSE_new()) == NULL)
387 goto err;
388 OSSL_CMP_PKISI_free(resp->status);
389 if ((resp->status = OSSL_CMP_PKISI_dup(si)) == NULL
390 || !ASN1_INTEGER_set(resp->certReqId, certReqId))
391 goto err;
392
62dcd2aa 393 status = ossl_cmp_pkisi_get_status(resp->status);
3dbc5156
DDO		 394 if (status != OSSL_CMP_PKISTATUS_rejection
395 && status != OSSL_CMP_PKISTATUS_waiting && cert != NULL) {
396 if (encrypted) {
397 CMPerr(0, CMP_R_INVALID_ARGS);
398 goto err;
399 }
400
401 if ((resp->certifiedKeyPair = OSSL_CMP_CERTIFIEDKEYPAIR_new())
402 == NULL)
403 goto err;
404 resp->certifiedKeyPair->certOrEncCert->type =
405 OSSL_CMP_CERTORENCCERT_CERTIFICATE;
406 if (!X509_up_ref(cert))
407 goto err;
408 resp->certifiedKeyPair->certOrEncCert->value.certificate = cert;
409 }
410
411 if (!sk_OSSL_CMP_CERTRESPONSE_push(repMsg->response, resp))
412 goto err;
413 resp = NULL;
414 /* TODO: here optional 2nd certrep could be pushed to the stack */
415
416 if (bodytype == OSSL_CMP_PKIBODY_IP && caPubs != NULL
417 && (repMsg->caPubs = X509_chain_up_ref(caPubs)) == NULL)
418 goto err;
419 if (chain != NULL
420 && !ossl_cmp_sk_X509_add1_certs(msg->extraCerts, chain, 0, 1, 0))
421 goto err;
422
423 if (!unprotectedErrors
62dcd2aa 424 || ossl_cmp_pkisi_get_status(si) != OSSL_CMP_PKISTATUS_rejection)
3dbc5156
DDO		 425 if (!ossl_cmp_msg_protect(ctx, msg))
426 goto err;
427
428 return msg;
429
430 err:
431 CMPerr(0, CMP_R_ERROR_CREATING_CERTREP);
432 OSSL_CMP_CERTRESPONSE_free(resp);
433 OSSL_CMP_MSG_free(msg);
434 return NULL;
435}
436
437OSSL_CMP_MSG *ossl_cmp_rr_new(OSSL_CMP_CTX *ctx)
438{
439 OSSL_CMP_MSG *msg = NULL;
440 OSSL_CMP_REVDETAILS *rd;
441
442 if (!ossl_assert(ctx != NULL && ctx->oldCert != NULL))
443 return NULL;
444
445 if ((rd = OSSL_CMP_REVDETAILS_new()) == NULL)
446 goto err;
447
448 /* Fill the template from the contents of the certificate to be revoked */
449 if (!OSSL_CRMF_CERTTEMPLATE_fill(rd->certDetails,
235595c4
DDO		 450 NULL /* pubkey would be redundant */,
451 NULL /* subject would be redundant */,
3dbc5156
DDO		 452 X509_get_issuer_name(ctx->oldCert),
453 X509_get_serialNumber(ctx->oldCert)))
454 goto err;
455
456 /* revocation reason code is optional */
457 if (ctx->revocationReason != CRL_REASON_NONE
458 && !add_crl_reason_extension(&rd->crlEntryDetails,
459 ctx->revocationReason))
460 goto err;
461
462 if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_RR)) == NULL)
463 goto err;
464
465 if (!sk_OSSL_CMP_REVDETAILS_push(msg->body->value.rr, rd))
466 goto err;
467 rd = NULL;
468
469 /*
470 * TODO: the Revocation Passphrase according to section 5.3.19.9 could be
471 * set here if set in ctx
472 */
473
474 if (!ossl_cmp_msg_protect(ctx, msg))
475 goto err;
476
477 return msg;
478
479 err:
480 CMPerr(0, CMP_R_ERROR_CREATING_RR);
481 OSSL_CMP_MSG_free(msg);
482 OSSL_CMP_REVDETAILS_free(rd);
483 return NULL;
484}
485
486OSSL_CMP_MSG *ossl_cmp_rp_new(OSSL_CMP_CTX *ctx, OSSL_CMP_PKISI *si,
487 OSSL_CRMF_CERTID *cid, int unprot_err)
488{
489 OSSL_CMP_REVREPCONTENT *rep = NULL;
490 OSSL_CMP_PKISI *si1 = NULL;
491 OSSL_CRMF_CERTID *cid_copy = NULL;
492 OSSL_CMP_MSG *msg = NULL;
493
494 if (!ossl_assert(ctx != NULL && si != NULL && cid != NULL))
495 return NULL;
496
497 if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_RP)) == NULL)
498 goto err;
499 rep = msg->body->value.rp;
500
501 if ((si1 = OSSL_CMP_PKISI_dup(si)) == NULL)
502 goto err;
503
504 if (!sk_OSSL_CMP_PKISI_push(rep->status, si1)) {
505 OSSL_CMP_PKISI_free(si1);
506 goto err;
507 }
508
509 if ((rep->revCerts = sk_OSSL_CRMF_CERTID_new_null()) == NULL)
510 goto err;
511 if ((cid_copy = OSSL_CRMF_CERTID_dup(cid)) == NULL)
512 goto err;
513 if (!sk_OSSL_CRMF_CERTID_push(rep->revCerts, cid_copy)) {
514 OSSL_CRMF_CERTID_free(cid_copy);
515 goto err;
516 }
517
518 if (!unprot_err
62dcd2aa 519 || ossl_cmp_pkisi_get_status(si) != OSSL_CMP_PKISTATUS_rejection)
3dbc5156
DDO		 520 if (!ossl_cmp_msg_protect(ctx, msg))
521 goto err;
522
523 return msg;
524
525 err:
526 CMPerr(0, CMP_R_ERROR_CREATING_RP);
527 OSSL_CMP_MSG_free(msg);
528 return NULL;
529}
530
531OSSL_CMP_MSG *ossl_cmp_pkiconf_new(OSSL_CMP_CTX *ctx)
532{
533 OSSL_CMP_MSG *msg;
534
535 if (!ossl_assert(ctx != NULL))
536 return NULL;
537
538 if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_PKICONF)) == NULL)
539 goto err;
540 if (ossl_cmp_msg_protect(ctx, msg))
541 return msg;
542
543 err:
544 CMPerr(0, CMP_R_ERROR_CREATING_PKICONF);
545 OSSL_CMP_MSG_free(msg);
546 return NULL;
547}
548
549int ossl_cmp_msg_gen_push0_ITAV(OSSL_CMP_MSG *msg, OSSL_CMP_ITAV *itav)
550{
551 int bodytype;
552
553 if (!ossl_assert(msg != NULL && itav != NULL))
554 return 0;
555
556 bodytype = ossl_cmp_msg_get_bodytype(msg);
557 if (bodytype != OSSL_CMP_PKIBODY_GENM
558 && bodytype != OSSL_CMP_PKIBODY_GENP) {
559 CMPerr(0, CMP_R_INVALID_ARGS);
560 return 0;
561 }
562
563 /* value.genp has the same structure, so this works for genp as well */
564 return OSSL_CMP_ITAV_push0_stack_item(&msg->body->value.genm, itav);
565}
566
567int ossl_cmp_msg_gen_push1_ITAVs(OSSL_CMP_MSG *msg,
62dcd2aa 568 const STACK_OF(OSSL_CMP_ITAV) *itavs)
3dbc5156
DDO		 569{
570 int i;
571 OSSL_CMP_ITAV *itav = NULL;
572
573 if (!ossl_assert(msg != NULL))
574 return 0;
575
576 for (i = 0; i < sk_OSSL_CMP_ITAV_num(itavs); i++) {
235595c4 577 if ((itav = OSSL_CMP_ITAV_dup(sk_OSSL_CMP_ITAV_value(itavs, i))) == NULL)
3dbc5156
DDO		 578 return 0;
579 if (!ossl_cmp_msg_gen_push0_ITAV(msg, itav)) {
580 OSSL_CMP_ITAV_free(itav);
581 return 0;
582 }
583 }
584 return 1;
585}
586
587/*
588 * Creates a new General Message/Response with an empty itav stack
589 * returns a pointer to the PKIMessage on success, NULL on error
590 */
62dcd2aa
DDO		 591static OSSL_CMP_MSG *gen_new(OSSL_CMP_CTX *ctx,
592 const STACK_OF(OSSL_CMP_ITAV) *itavs,
593 int body_type, int err_code)
3dbc5156
DDO		 594{
595 OSSL_CMP_MSG *msg = NULL;
596
597 if (!ossl_assert(ctx != NULL))
598 return NULL;
599
600 if ((msg = ossl_cmp_msg_create(ctx, body_type)) == NULL)
601 return NULL;
602
603 if (ctx->genm_ITAVs != NULL
62dcd2aa 604 && !ossl_cmp_msg_gen_push1_ITAVs(msg, itavs))
3dbc5156
DDO		 605 goto err;
606
607 if (!ossl_cmp_msg_protect(ctx, msg))
608 goto err;
609
610 return msg;
611
612 err:
613 CMPerr(0, err_code);
614 OSSL_CMP_MSG_free(msg);
615 return NULL;
616}
617
618OSSL_CMP_MSG *ossl_cmp_genm_new(OSSL_CMP_CTX *ctx)
619{
62dcd2aa
DDO		 620 return gen_new(ctx, ctx->genm_ITAVs,
621 OSSL_CMP_PKIBODY_GENM, CMP_R_ERROR_CREATING_GENM);
3dbc5156
DDO		 622}
623
62dcd2aa
DDO		 624OSSL_CMP_MSG *ossl_cmp_genp_new(OSSL_CMP_CTX *ctx,
625 const STACK_OF(OSSL_CMP_ITAV) *itavs)
3dbc5156 626{
62dcd2aa
DDO		 627 return gen_new(ctx, itavs,
628 OSSL_CMP_PKIBODY_GENP, CMP_R_ERROR_CREATING_GENP);
3dbc5156
DDO		 629}
630
631OSSL_CMP_MSG *ossl_cmp_error_new(OSSL_CMP_CTX *ctx, OSSL_CMP_PKISI *si,
632 int errorCode,
62dcd2aa 633 const char *details, int unprotected)
3dbc5156
DDO		 634{
635 OSSL_CMP_MSG *msg = NULL;
62dcd2aa 636 OSSL_CMP_PKIFREETEXT *ft;
3dbc5156
DDO		 637
638 if (!ossl_assert(ctx != NULL && si != NULL))
639 return NULL;
640
641 if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_ERROR)) == NULL)
642 goto err;
643
644 OSSL_CMP_PKISI_free(msg->body->value.error->pKIStatusInfo);
645 if ((msg->body->value.error->pKIStatusInfo = OSSL_CMP_PKISI_dup(si))
646 == NULL)
647 goto err;
648 if (errorCode >= 0) {
649 if ((msg->body->value.error->errorCode = ASN1_INTEGER_new()) == NULL)
650 goto err;
651 if (!ASN1_INTEGER_set(msg->body->value.error->errorCode, errorCode))
652 goto err;
653 }
62dcd2aa
DDO		 654 if (details != NULL) {
655 if ((ft = sk_ASN1_UTF8STRING_new_null()) == NULL)
656 goto err;
657 msg->body->value.error->errorDetails = ft;
658 if (!ossl_cmp_sk_ASN1_UTF8STRING_push_str(ft, details))
3dbc5156 659 goto err;
62dcd2aa 660 }
3dbc5156
DDO		 661
662 if (!unprotected && !ossl_cmp_msg_protect(ctx, msg))
663 goto err;
664 return msg;
665
666 err:
667 CMPerr(0, CMP_R_ERROR_CREATING_ERROR);
668 OSSL_CMP_MSG_free(msg);
669 return NULL;
670}
671
672/*
62dcd2aa
DDO		 673 * Set the certHash field of a OSSL_CMP_CERTSTATUS structure.
674 * This is used in the certConf message, for example,
675 * to confirm that the certificate was received successfully.
3dbc5156 676 */
62dcd2aa
DDO		 677int ossl_cmp_certstatus_set0_certHash(OSSL_CMP_CERTSTATUS *certStatus,
678 ASN1_OCTET_STRING *hash)
3dbc5156 679{
62dcd2aa 680 if (!ossl_assert(certStatus != NULL))
3dbc5156 681 return 0;
62dcd2aa
DDO		 682 ASN1_OCTET_STRING_free(certStatus->certHash);
683 certStatus->certHash = hash;
3dbc5156 684 return 1;
3dbc5156
DDO		 685}
686
687/*
688 * TODO: handle potential 2nd certificate when signing and encrypting
689 * certificates have been requested/received
690 */
691OSSL_CMP_MSG *ossl_cmp_certConf_new(OSSL_CMP_CTX *ctx, int fail_info,
692 const char *text)
693{
694 OSSL_CMP_MSG *msg = NULL;
695 OSSL_CMP_CERTSTATUS *certStatus = NULL;
62dcd2aa 696 ASN1_OCTET_STRING *certHash = NULL;
3dbc5156
DDO		 697 OSSL_CMP_PKISI *sinfo;
698
699 if (!ossl_assert(ctx != NULL && ctx->newCert != NULL))
700 return NULL;
701
702 if ((unsigned)fail_info > OSSL_CMP_PKIFAILUREINFO_MAX_BIT_PATTERN) {
703 CMPerr(0, CMP_R_FAIL_INFO_OUT_OF_RANGE);
704 return NULL;
705 }
706
707 if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_CERTCONF)) == NULL)
708 goto err;
709
710 if ((certStatus = OSSL_CMP_CERTSTATUS_new()) == NULL)
711 goto err;
712 /* consume certStatus into msg right away so it gets deallocated with msg */
713 if (!sk_OSSL_CMP_CERTSTATUS_push(msg->body->value.certConf, certStatus))
714 goto err;
715 /* set the ID of the certReq */
716 if (!ASN1_INTEGER_set(certStatus->certReqId, OSSL_CMP_CERTREQID))
717 goto err;
718 /*
719 * the hash of the certificate, using the same hash algorithm
720 * as is used to create and verify the certificate signature
721 */
44387c90 722 if ((certHash = X509_digest_sig(ctx->newCert)) == NULL)
62dcd2aa
DDO		 723 goto err;
724
725 if (!ossl_cmp_certstatus_set0_certHash(certStatus, certHash))
3dbc5156 726 goto err;
62dcd2aa 727 certHash = NULL;
3dbc5156
DDO		 728 /*
729 * For any particular CertStatus, omission of the statusInfo field
730 * indicates ACCEPTANCE of the specified certificate. Alternatively,
731 * explicit status details (with respect to acceptance or rejection) MAY
732 * be provided in the statusInfo field, perhaps for auditing purposes at
733 * the CA/RA.
734 */
735 sinfo = fail_info != 0 ?
62dcd2aa
DDO		 736 OSSL_CMP_STATUSINFO_new(OSSL_CMP_PKISTATUS_rejection, fail_info, text) :
737 OSSL_CMP_STATUSINFO_new(OSSL_CMP_PKISTATUS_accepted, 0, text);
3dbc5156
DDO		 738 if (sinfo == NULL)
739 goto err;
740 certStatus->statusInfo = sinfo;
741
742 if (!ossl_cmp_msg_protect(ctx, msg))
743 goto err;
744
745 return msg;
746
747 err:
748 CMPerr(0, CMP_R_ERROR_CREATING_CERTCONF);
749 OSSL_CMP_MSG_free(msg);
62dcd2aa 750 ASN1_OCTET_STRING_free(certHash);
3dbc5156
DDO		 751 return NULL;
752}
753
754OSSL_CMP_MSG *ossl_cmp_pollReq_new(OSSL_CMP_CTX *ctx, int crid)
755{
756 OSSL_CMP_MSG *msg = NULL;
757 OSSL_CMP_POLLREQ *preq = NULL;
758
759 if (!ossl_assert(ctx != NULL))
760 return NULL;
761
762 if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_POLLREQ)) == NULL)
763 goto err;
764
765 /* TODO: support multiple cert request IDs to poll */
766 if ((preq = OSSL_CMP_POLLREQ_new()) == NULL
767 || !ASN1_INTEGER_set(preq->certReqId, crid)
768 || !sk_OSSL_CMP_POLLREQ_push(msg->body->value.pollReq, preq))
769 goto err;
770
771 preq = NULL;
772 if (!ossl_cmp_msg_protect(ctx, msg))
773 goto err;
774
775 return msg;
776
777 err:
778 CMPerr(0, CMP_R_ERROR_CREATING_POLLREQ);
779 OSSL_CMP_POLLREQ_free(preq);
780 OSSL_CMP_MSG_free(msg);
781 return NULL;
782}
783
784OSSL_CMP_MSG *ossl_cmp_pollRep_new(OSSL_CMP_CTX *ctx, int crid,
785 int64_t poll_after)
786{
787 OSSL_CMP_MSG *msg;
788 OSSL_CMP_POLLREP *prep;
789
790 if (!ossl_assert(ctx != NULL))
791 return NULL;
792
793 if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_POLLREP)) == NULL)
794 goto err;
795 if ((prep = OSSL_CMP_POLLREP_new()) == NULL)
796 goto err;
797 if (!sk_OSSL_CMP_POLLREP_push(msg->body->value.pollRep, prep))
798 goto err;
799 if (!ASN1_INTEGER_set(prep->certReqId, crid))
800 goto err;
801 if (!ASN1_INTEGER_set_int64(prep->checkAfter, poll_after))
802 goto err;
803
804 if (!ossl_cmp_msg_protect(ctx, msg))
805 goto err;
806 return msg;
807
808 err:
809 CMPerr(0, CMP_R_ERROR_CREATING_POLLREP);
810 OSSL_CMP_MSG_free(msg);
811 return NULL;
812}
813
814/*-
815 * returns the status field of the RevRepContent with the given
816 * request/sequence id inside a revocation response.
817 * RevRepContent has the revocation statuses in same order as they were sent in
818 * RevReqContent.
819 * returns NULL on error
820 */
821OSSL_CMP_PKISI *
62dcd2aa 822ossl_cmp_revrepcontent_get_pkisi(OSSL_CMP_REVREPCONTENT *rrep, int rsid)
3dbc5156
DDO		 823{
824 OSSL_CMP_PKISI *status;
825
826 if (!ossl_assert(rrep != NULL))
827 return NULL;
828
829 if ((status = sk_OSSL_CMP_PKISI_value(rrep->status, rsid)) != NULL)
830 return status;
831
832 CMPerr(0, CMP_R_PKISTATUSINFO_NOT_FOUND);
833 return NULL;
834}
835
836/*
837 * returns the CertId field in the revCerts part of the RevRepContent
838 * with the given request/sequence id inside a revocation response.
839 * RevRepContent has the CertIds in same order as they were sent in
840 * RevReqContent.
841 * returns NULL on error
842 */
843OSSL_CRMF_CERTID *
844ossl_cmp_revrepcontent_get_CertId(OSSL_CMP_REVREPCONTENT *rrep, int rsid)
845{
846 OSSL_CRMF_CERTID *cid = NULL;
847
848 if (!ossl_assert(rrep != NULL))
849 return NULL;
850
851 if ((cid = sk_OSSL_CRMF_CERTID_value(rrep->revCerts, rsid)) != NULL)
852 return cid;
853
854 CMPerr(0, CMP_R_CERTID_NOT_FOUND);
855 return NULL;
856}
857
858static int suitable_rid(const ASN1_INTEGER *certReqId, int rid)
859{
860 int trid;
861
862 if (rid == -1)
863 return 1;
864
865 trid = ossl_cmp_asn1_get_int(certReqId);
866
867 if (trid == -1) {
868 CMPerr(0, CMP_R_BAD_REQUEST_ID);
869 return 0;
870 }
871 return rid == trid;
872}
873
874static void add_expected_rid(int rid)
875{
876 char str[DECIMAL_SIZE(rid) + 1];
877
878 BIO_snprintf(str, sizeof(str), "%d", rid);
879 ERR_add_error_data(2, "expected certReqId = ", str);
880}
881
882/*
883 * returns a pointer to the PollResponse with the given CertReqId
884 * (or the first one in case -1) inside a PollRepContent
885 * returns NULL on error or if no suitable PollResponse available
886 */
887OSSL_CMP_POLLREP *
888ossl_cmp_pollrepcontent_get0_pollrep(const OSSL_CMP_POLLREPCONTENT *prc,
889 int rid)
890{
891 OSSL_CMP_POLLREP *pollRep = NULL;
892 int i;
893
894 if (!ossl_assert(prc != NULL))
895 return NULL;
896
897 for (i = 0; i < sk_OSSL_CMP_POLLREP_num(prc); i++) {
898 pollRep = sk_OSSL_CMP_POLLREP_value(prc, i);
899 if (suitable_rid(pollRep->certReqId, rid))
900 return pollRep;
901 }
902
903 CMPerr(0, CMP_R_CERTRESPONSE_NOT_FOUND);
904 add_expected_rid(rid);
905 return NULL;
906}
907
908/*
909 * returns a pointer to the CertResponse with the given CertReqId
910 * (or the first one in case -1) inside a CertRepMessage
911 * returns NULL on error or if no suitable CertResponse available
912 */
913OSSL_CMP_CERTRESPONSE *
914ossl_cmp_certrepmessage_get0_certresponse(const OSSL_CMP_CERTREPMESSAGE *crm,
915 int rid)
916{
917 OSSL_CMP_CERTRESPONSE *crep = NULL;
918 int i;
919
920 if (!ossl_assert(crm != NULL && crm->response != NULL))
921 return NULL;
922
923 for (i = 0; i < sk_OSSL_CMP_CERTRESPONSE_num(crm->response); i++) {
924 crep = sk_OSSL_CMP_CERTRESPONSE_value(crm->response, i);
925 if (suitable_rid(crep->certReqId, rid))
926 return crep;
927 }
928
929 CMPerr(0, CMP_R_CERTRESPONSE_NOT_FOUND);
930 add_expected_rid(rid);
931 return NULL;
932}
933
934/*
935 * CMP_CERTRESPONSE_get1_certificate() attempts to retrieve the returned
936 * certificate from the given certResponse B<crep>.
937 * Uses the privkey in case of indirect POP from B<ctx>.
938 * Returns a pointer to a copy of the found certificate, or NULL if not found.
939 */
940X509 *ossl_cmp_certresponse_get1_certificate(EVP_PKEY *privkey,
941 const OSSL_CMP_CERTRESPONSE *crep)
942{
943 OSSL_CMP_CERTORENCCERT *coec;
944 X509 *crt = NULL;
945
946 if (!ossl_assert(crep != NULL))
947 return NULL;
948
949 if (crep->certifiedKeyPair
950 && (coec = crep->certifiedKeyPair->certOrEncCert) != NULL) {
951 switch (coec->type) {
952 case OSSL_CMP_CERTORENCCERT_CERTIFICATE:
953 crt = X509_dup(coec->value.certificate);
954 break;
955 case OSSL_CMP_CERTORENCCERT_ENCRYPTEDCERT:
956 /* cert encrypted for indirect PoP; RFC 4210, 5.2.8.2 */
957 if (privkey == NULL) {
958 CMPerr(0, CMP_R_MISSING_PRIVATE_KEY);
959 return NULL;
960 }
961 crt =
962 OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(coec->value.encryptedCert,
963 privkey);
964 break;
965 default:
966 CMPerr(0, CMP_R_UNKNOWN_CERT_TYPE);
967 return NULL;
968 }
969 }
970 if (crt == NULL)
971 CMPerr(0, CMP_R_CERTIFICATE_NOT_FOUND);
972 return crt;
973}
974
975OSSL_CMP_MSG *ossl_cmp_msg_load(const char *file)
976{
977 OSSL_CMP_MSG *msg = NULL;
978 BIO *bio = NULL;
979
980 if (!ossl_assert(file != NULL))
981 return NULL;
982
983 if ((bio = BIO_new_file(file, "rb")) == NULL)
984 return NULL;
ae8483d2 985 msg = d2i_OSSL_CMP_MSG_bio(bio, NULL);
3dbc5156
DDO		 986 BIO_free(bio);
987 return msg;
988}
62dcd2aa 989
ae8483d2 990OSSL_CMP_MSG *d2i_OSSL_CMP_MSG_bio(BIO *bio, OSSL_CMP_MSG **msg)
62dcd2aa
DDO		 991{
992 return ASN1_d2i_bio_of(OSSL_CMP_MSG, OSSL_CMP_MSG_new,
993 d2i_OSSL_CMP_MSG, bio, msg);
994}
995
ae8483d2 996int i2d_OSSL_CMP_MSG_bio(BIO *bio, const OSSL_CMP_MSG *msg)
62dcd2aa
DDO		 997{
998 return ASN1_i2d_bio_of(OSSL_CMP_MSG, i2d_OSSL_CMP_MSG, bio, msg);
999}
A mirror of the official openssl repository