]> git.ipfire.org Git - thirdparty/openssl.git/blob - crypto/cmp/cmp_msg.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Chunk 9 of CMP contribution to OpenSSL: CMP client and related tests
[thirdparty/openssl.git] / crypto / cmp / cmp_msg.c
1 /*
2 * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright Nokia 2007-2019
4 * Copyright Siemens AG 2015-2019
5 *
6 * Licensed under the Apache License 2.0 (the "License"). You may not use
7 * this file except in compliance with the License. You can obtain a copy
8 * in the file LICENSE in the source distribution or at
9 * https://www.openssl.org/source/license.html
10 */
11
12 /* CMP functions for PKIMessage construction */
13
14 #include "cmp_local.h"
15
16 /* explicit #includes not strictly needed since implied by the above: */
17 #include <openssl/asn1t.h>
18 #include <openssl/cmp.h>
19 #include <openssl/crmf.h>
20 #include <openssl/err.h>
21 #include <openssl/x509.h>
22
23 OSSL_CMP_PKIHEADER *OSSL_CMP_MSG_get0_header(const OSSL_CMP_MSG *msg)
24 {
25 if (msg == NULL) {
26 CMPerr(0, CMP_R_NULL_ARGUMENT);
27 return NULL;
28 }
29 return msg->header;
30 }
31
32 const char *ossl_cmp_bodytype_to_string(int type)
33 {
34 static const char *type_names[] = {
35 "IR", "IP", "CR", "CP", "P10CR",
36 "POPDECC", "POPDECR", "KUR", "KUP",
37 "KRR", "KRP", "RR", "RP", "CCR", "CCP",
38 "CKUANN", "CANN", "RANN", "CRLANN", "PKICONF", "NESTED",
39 "GENM", "GENP", "ERROR", "CERTCONF", "POLLREQ", "POLLREP",
40 };
41
42 if (type < 0 || type > OSSL_CMP_PKIBODY_TYPE_MAX)
43 return "illegal body type";
44 return type_names[type];
45 }
46
47 int ossl_cmp_msg_set_bodytype(OSSL_CMP_MSG *msg, int type)
48 {
49 if (!ossl_assert(msg != NULL && msg->body != NULL))
50 return 0;
51
52 msg->body->type = type;
53 return 1;
54 }
55
56 int ossl_cmp_msg_get_bodytype(const OSSL_CMP_MSG *msg)
57 {
58 if (!ossl_assert(msg != NULL && msg->body != NULL))
59 return -1;
60
61 return msg->body->type;
62 }
63
64 /* Add an extension to the referenced extension stack, which may be NULL */
65 static int add1_extension(X509_EXTENSIONS **pexts, int nid, int crit, void *ex)
66 {
67 X509_EXTENSION *ext;
68 int res;
69
70 if (!ossl_assert(pexts != NULL)) /* pointer to var must not be NULL */
71 return 0;
72
73 if ((ext = X509V3_EXT_i2d(nid, crit, ex)) == NULL)
74 return 0;
75
76 res = X509v3_add_ext(pexts, ext, 0) != NULL;
77 X509_EXTENSION_free(ext);
78 return res;
79 }
80
81 /* Add a CRL revocation reason code to extension stack, which may be NULL */
82 static int add_crl_reason_extension(X509_EXTENSIONS **pexts, int reason_code)
83 {
84 ASN1_ENUMERATED *val = ASN1_ENUMERATED_new();
85 int res = 0;
86
87 if (val != NULL && ASN1_ENUMERATED_set(val, reason_code))
88 res = add1_extension(pexts, NID_crl_reason, 0 /* non-critical */, val);
89 ASN1_ENUMERATED_free(val);
90 return res;
91 }
92
93 OSSL_CMP_MSG *ossl_cmp_msg_create(OSSL_CMP_CTX *ctx, int bodytype)
94 {
95 OSSL_CMP_MSG *msg = NULL;
96
97 if (!ossl_assert(ctx != NULL))
98 return NULL;
99
100 if ((msg = OSSL_CMP_MSG_new()) == NULL)
101 return NULL;
102 if (!ossl_cmp_hdr_init(ctx, msg->header)
103 || !ossl_cmp_msg_set_bodytype(msg, bodytype))
104 goto err;
105 if (ctx->geninfo_ITAVs != NULL
106 && !ossl_cmp_hdr_generalInfo_push1_items(msg->header,
107 ctx->geninfo_ITAVs))
108 goto err;
109
110 switch (bodytype) {
111 case OSSL_CMP_PKIBODY_IR:
112 case OSSL_CMP_PKIBODY_CR:
113 case OSSL_CMP_PKIBODY_KUR:
114 if ((msg->body->value.ir = OSSL_CRMF_MSGS_new()) == NULL)
115 goto err;
116 return msg;
117
118 case OSSL_CMP_PKIBODY_P10CR:
119 if (ctx->p10CSR == NULL) {
120 CMPerr(0, CMP_R_ERROR_CREATING_P10CR);
121 goto err;
122 }
123 if ((msg->body->value.p10cr = X509_REQ_dup(ctx->p10CSR)) == NULL)
124 goto err;
125 return msg;
126
127 case OSSL_CMP_PKIBODY_IP:
128 case OSSL_CMP_PKIBODY_CP:
129 case OSSL_CMP_PKIBODY_KUP:
130 if ((msg->body->value.ip = OSSL_CMP_CERTREPMESSAGE_new()) == NULL)
131 goto err;
132 return msg;
133
134 case OSSL_CMP_PKIBODY_RR:
135 if ((msg->body->value.rr = sk_OSSL_CMP_REVDETAILS_new_null()) == NULL)
136 goto err;
137 return msg;
138 case OSSL_CMP_PKIBODY_RP:
139 if ((msg->body->value.rp = OSSL_CMP_REVREPCONTENT_new()) == NULL)
140 goto err;
141 return msg;
142
143 case OSSL_CMP_PKIBODY_CERTCONF:
144 if ((msg->body->value.certConf =
145 sk_OSSL_CMP_CERTSTATUS_new_null()) == NULL)
146 goto err;
147 return msg;
148 case OSSL_CMP_PKIBODY_PKICONF:
149 if ((msg->body->value.pkiconf = ASN1_TYPE_new()) == NULL)
150 goto err;
151 ASN1_TYPE_set(msg->body->value.pkiconf, V_ASN1_NULL, NULL);
152 return msg;
153
154 case OSSL_CMP_PKIBODY_POLLREQ:
155 if ((msg->body->value.pollReq = sk_OSSL_CMP_POLLREQ_new_null()) == NULL)
156 goto err;
157 return msg;
158 case OSSL_CMP_PKIBODY_POLLREP:
159 if ((msg->body->value.pollRep = sk_OSSL_CMP_POLLREP_new_null()) == NULL)
160 goto err;
161 return msg;
162
163 case OSSL_CMP_PKIBODY_GENM:
164 case OSSL_CMP_PKIBODY_GENP:
165 if ((msg->body->value.genm = sk_OSSL_CMP_ITAV_new_null()) == NULL)
166 goto err;
167 return msg;
168
169 case OSSL_CMP_PKIBODY_ERROR:
170 if ((msg->body->value.error = OSSL_CMP_ERRORMSGCONTENT_new()) == NULL)
171 goto err;
172 return msg;
173
174 default:
175 CMPerr(0, CMP_R_UNEXPECTED_PKIBODY);
176 goto err;
177 }
178
179 err:
180 OSSL_CMP_MSG_free(msg);
181 return NULL;
182 }
183
184 #define HAS_SAN(ctx) \
185 (sk_GENERAL_NAME_num((ctx)->subjectAltNames) > 0 \
186 || OSSL_CMP_CTX_reqExtensions_have_SAN(ctx) == 1)
187
188 static const X509_NAME *determine_subj(OSSL_CMP_CTX *ctx, X509 *refcert,
189 int bodytype)
190 {
191 if (ctx->subjectName != NULL)
192 return ctx->subjectName;
193
194 if (refcert != NULL
195 && (bodytype == OSSL_CMP_PKIBODY_KUR || !HAS_SAN(ctx)))
196 /*
197 * For KUR, copy subjectName from reference certificate.
198 * For IR or CR, do the same only if there is no subjectAltName.
199 */
200 return X509_get_subject_name(refcert);
201 return NULL;
202 }
203
204 /*
205 * Create CRMF certificate request message for IR/CR/KUR
206 * returns a pointer to the OSSL_CRMF_MSG on success, NULL on error
207 */
208 static OSSL_CRMF_MSG *crm_new(OSSL_CMP_CTX *ctx, int bodytype, int rid)
209 {
210 OSSL_CRMF_MSG *crm = NULL;
211 X509 *refcert = ctx->oldCert != NULL ? ctx->oldCert : ctx->clCert;
212 /* refcert defaults to current client cert */
213 EVP_PKEY *rkey = OSSL_CMP_CTX_get0_newPkey(ctx, 0);
214 STACK_OF(GENERAL_NAME) *default_sans = NULL;
215 const X509_NAME *subject = determine_subj(ctx, refcert, bodytype);
216 int crit = ctx->setSubjectAltNameCritical || subject == NULL;
217 /* RFC5280: subjectAltName MUST be critical if subject is null */
218 X509_EXTENSIONS *exts = NULL;
219
220 if (rkey == NULL)
221 rkey = ctx->pkey; /* default is independent of ctx->oldClCert */
222 if (rkey == NULL
223 || (bodytype == OSSL_CMP_PKIBODY_KUR && refcert == NULL)) {
224 CMPerr(0, CMP_R_INVALID_ARGS);
225 return NULL;
226 }
227 if ((crm = OSSL_CRMF_MSG_new()) == NULL)
228 return NULL;
229 if (!OSSL_CRMF_MSG_set_certReqId(crm, rid)
230 /*
231 * fill certTemplate, corresponding to CertificationRequestInfo
232 * of PKCS#10. The rkey param cannot be NULL so far -
233 * it could be NULL if centralized key creation was supported
234 */
235 || !OSSL_CRMF_CERTTEMPLATE_fill(OSSL_CRMF_MSG_get0_tmpl(crm), rkey,
236 subject, ctx->issuer,
237 NULL /* serial */))
238 goto err;
239 if (ctx->days != 0) {
240 time_t notBefore, notAfter;
241
242 notBefore = time(NULL);
243 notAfter = notBefore + 60 * 60 * 24 * ctx->days;
244 if (!OSSL_CRMF_MSG_set_validity(crm, notBefore, notAfter))
245 goto err;
246 }
247
248 /* extensions */
249 if (refcert != NULL && !ctx->SubjectAltName_nodefault)
250 default_sans = X509V3_get_d2i(X509_get0_extensions(refcert),
251 NID_subject_alt_name, NULL, NULL);
252 /* exts are copied from ctx to allow reuse */
253 if (ctx->reqExtensions != NULL) {
254 exts = sk_X509_EXTENSION_deep_copy(ctx->reqExtensions,
255 X509_EXTENSION_dup,
256 X509_EXTENSION_free);
257 if (exts == NULL)
258 goto err;
259 }
260 if (sk_GENERAL_NAME_num(ctx->subjectAltNames) > 0
261 && !add1_extension(&exts, NID_subject_alt_name,
262 crit, ctx->subjectAltNames))
263 goto err;
264 if (!HAS_SAN(ctx) && default_sans != NULL
265 && !add1_extension(&exts, NID_subject_alt_name, crit, default_sans))
266 goto err;
267 if (ctx->policies != NULL
268 && !add1_extension(&exts, NID_certificate_policies,
269 ctx->setPoliciesCritical, ctx->policies))
270 goto err;
271 if (!OSSL_CRMF_MSG_set0_extensions(crm, exts))
272 goto err;
273 exts = NULL;
274 /* end fill certTemplate, now set any controls */
275
276 /* for KUR, set OldCertId according to D.6 */
277 if (bodytype == OSSL_CMP_PKIBODY_KUR) {
278 OSSL_CRMF_CERTID *cid =
279 OSSL_CRMF_CERTID_gen(X509_get_issuer_name(refcert),
280 X509_get_serialNumber(refcert));
281 int ret;
282
283 if (cid == NULL)
284 goto err;
285 ret = OSSL_CRMF_MSG_set1_regCtrl_oldCertID(crm, cid);
286 OSSL_CRMF_CERTID_free(cid);
287 if (ret == 0)
288 goto err;
289 }
290
291 goto end;
292
293 err:
294 OSSL_CRMF_MSG_free(crm);
295 crm = NULL;
296
297 end:
298 sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
299 sk_GENERAL_NAME_pop_free(default_sans, GENERAL_NAME_free);
300 return crm;
301 }
302
303 OSSL_CMP_MSG *ossl_cmp_certReq_new(OSSL_CMP_CTX *ctx, int type, int err_code)
304 {
305 OSSL_CMP_MSG *msg;
306 OSSL_CRMF_MSG *crm = NULL;
307
308 if (!ossl_assert(ctx != NULL))
309 return NULL;
310
311 if (type != OSSL_CMP_PKIBODY_IR && type != OSSL_CMP_PKIBODY_CR
312 && type != OSSL_CMP_PKIBODY_KUR && type != OSSL_CMP_PKIBODY_P10CR) {
313 CMPerr(0, CMP_R_INVALID_ARGS);
314 return NULL;
315 }
316
317 if ((msg = ossl_cmp_msg_create(ctx, type)) == NULL)
318 goto err;
319
320 /* header */
321 if (ctx->implicitConfirm && !ossl_cmp_hdr_set_implicitConfirm(msg->header))
322 goto err;
323
324 /* body */
325 /* For P10CR the content has already been set in OSSL_CMP_MSG_create */
326 if (type != OSSL_CMP_PKIBODY_P10CR) {
327 EVP_PKEY *privkey = OSSL_CMP_CTX_get0_newPkey(ctx, 1);
328
329 if (privkey == NULL)
330 privkey = ctx->pkey; /* default is independent of ctx->oldCert */
331 if (ctx->popoMethod == OSSL_CRMF_POPO_SIGNATURE && privkey == NULL) {
332 CMPerr(0, CMP_R_MISSING_PRIVATE_KEY);
333 goto err;
334 }
335 if ((crm = crm_new(ctx, type, OSSL_CMP_CERTREQID)) == NULL
336 || !OSSL_CRMF_MSG_create_popo(crm, privkey, ctx->digest,
337 ctx->popoMethod)
338 /* value.ir is same for cr and kur */
339 || !sk_OSSL_CRMF_MSG_push(msg->body->value.ir, crm))
340 goto err;
341 crm = NULL;
342 /* TODO: here optional 2nd certreqmsg could be pushed to the stack */
343 }
344
345 if (!ossl_cmp_msg_protect(ctx, msg))
346 goto err;
347
348 return msg;
349
350 err:
351 if (err_code != 0)
352 CMPerr(0, err_code);
353 OSSL_CRMF_MSG_free(crm);
354 OSSL_CMP_MSG_free(msg);
355 return NULL;
356 }
357
358 OSSL_CMP_MSG *ossl_cmp_certRep_new(OSSL_CMP_CTX *ctx, int bodytype,
359 int certReqId, OSSL_CMP_PKISI *si,
360 X509 *cert, STACK_OF(X509) *chain,
361 STACK_OF(X509) *caPubs, int encrypted,
362 int unprotectedErrors)
363 {
364 OSSL_CMP_MSG *msg = NULL;
365 OSSL_CMP_CERTREPMESSAGE *repMsg = NULL;
366 OSSL_CMP_CERTRESPONSE *resp = NULL;
367 int status = -1;
368
369 if (!ossl_assert(ctx != NULL && si != NULL))
370 return NULL;
371
372 if ((msg = ossl_cmp_msg_create(ctx, bodytype)) == NULL)
373 goto err;
374 repMsg = msg->body->value.ip; /* value.ip is same for cp and kup */
375
376 /* header */
377 if (ctx->implicitConfirm && !ossl_cmp_hdr_set_implicitConfirm(msg->header))
378 goto err;
379
380 /* body */
381 if ((resp = OSSL_CMP_CERTRESPONSE_new()) == NULL)
382 goto err;
383 OSSL_CMP_PKISI_free(resp->status);
384 if ((resp->status = OSSL_CMP_PKISI_dup(si)) == NULL
385 || !ASN1_INTEGER_set(resp->certReqId, certReqId))
386 goto err;
387
388 status = ossl_cmp_pkisi_get_status(resp->status);
389 if (status != OSSL_CMP_PKISTATUS_rejection
390 && status != OSSL_CMP_PKISTATUS_waiting && cert != NULL) {
391 if (encrypted) {
392 CMPerr(0, CMP_R_INVALID_ARGS);
393 goto err;
394 }
395
396 if ((resp->certifiedKeyPair = OSSL_CMP_CERTIFIEDKEYPAIR_new())
397 == NULL)
398 goto err;
399 resp->certifiedKeyPair->certOrEncCert->type =
400 OSSL_CMP_CERTORENCCERT_CERTIFICATE;
401 if (!X509_up_ref(cert))
402 goto err;
403 resp->certifiedKeyPair->certOrEncCert->value.certificate = cert;
404 }
405
406 if (!sk_OSSL_CMP_CERTRESPONSE_push(repMsg->response, resp))
407 goto err;
408 resp = NULL;
409 /* TODO: here optional 2nd certrep could be pushed to the stack */
410
411 if (bodytype == OSSL_CMP_PKIBODY_IP && caPubs != NULL
412 && (repMsg->caPubs = X509_chain_up_ref(caPubs)) == NULL)
413 goto err;
414 if (chain != NULL
415 && !ossl_cmp_sk_X509_add1_certs(msg->extraCerts, chain, 0, 1, 0))
416 goto err;
417
418 if (!unprotectedErrors
419 || ossl_cmp_pkisi_get_status(si) != OSSL_CMP_PKISTATUS_rejection)
420 if (!ossl_cmp_msg_protect(ctx, msg))
421 goto err;
422
423 return msg;
424
425 err:
426 CMPerr(0, CMP_R_ERROR_CREATING_CERTREP);
427 OSSL_CMP_CERTRESPONSE_free(resp);
428 OSSL_CMP_MSG_free(msg);
429 return NULL;
430 }
431
432 OSSL_CMP_MSG *ossl_cmp_rr_new(OSSL_CMP_CTX *ctx)
433 {
434 OSSL_CMP_MSG *msg = NULL;
435 OSSL_CMP_REVDETAILS *rd;
436
437 if (!ossl_assert(ctx != NULL && ctx->oldCert != NULL))
438 return NULL;
439
440 if ((rd = OSSL_CMP_REVDETAILS_new()) == NULL)
441 goto err;
442
443 /* Fill the template from the contents of the certificate to be revoked */
444 if (!OSSL_CRMF_CERTTEMPLATE_fill(rd->certDetails,
445 NULL /* pubkey would be redundant */,
446 NULL /* subject would be redundant */,
447 X509_get_issuer_name(ctx->oldCert),
448 X509_get_serialNumber(ctx->oldCert)))
449 goto err;
450
451 /* revocation reason code is optional */
452 if (ctx->revocationReason != CRL_REASON_NONE
453 && !add_crl_reason_extension(&rd->crlEntryDetails,
454 ctx->revocationReason))
455 goto err;
456
457 if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_RR)) == NULL)
458 goto err;
459
460 if (!sk_OSSL_CMP_REVDETAILS_push(msg->body->value.rr, rd))
461 goto err;
462 rd = NULL;
463
464 /*
465 * TODO: the Revocation Passphrase according to section 5.3.19.9 could be
466 * set here if set in ctx
467 */
468
469 if (!ossl_cmp_msg_protect(ctx, msg))
470 goto err;
471
472 return msg;
473
474 err:
475 CMPerr(0, CMP_R_ERROR_CREATING_RR);
476 OSSL_CMP_MSG_free(msg);
477 OSSL_CMP_REVDETAILS_free(rd);
478 return NULL;
479 }
480
481 OSSL_CMP_MSG *ossl_cmp_rp_new(OSSL_CMP_CTX *ctx, OSSL_CMP_PKISI *si,
482 OSSL_CRMF_CERTID *cid, int unprot_err)
483 {
484 OSSL_CMP_REVREPCONTENT *rep = NULL;
485 OSSL_CMP_PKISI *si1 = NULL;
486 OSSL_CRMF_CERTID *cid_copy = NULL;
487 OSSL_CMP_MSG *msg = NULL;
488
489 if (!ossl_assert(ctx != NULL && si != NULL && cid != NULL))
490 return NULL;
491
492 if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_RP)) == NULL)
493 goto err;
494 rep = msg->body->value.rp;
495
496 if ((si1 = OSSL_CMP_PKISI_dup(si)) == NULL)
497 goto err;
498
499 if (!sk_OSSL_CMP_PKISI_push(rep->status, si1)) {
500 OSSL_CMP_PKISI_free(si1);
501 goto err;
502 }
503
504 if ((rep->revCerts = sk_OSSL_CRMF_CERTID_new_null()) == NULL)
505 goto err;
506 if ((cid_copy = OSSL_CRMF_CERTID_dup(cid)) == NULL)
507 goto err;
508 if (!sk_OSSL_CRMF_CERTID_push(rep->revCerts, cid_copy)) {
509 OSSL_CRMF_CERTID_free(cid_copy);
510 goto err;
511 }
512
513 if (!unprot_err
514 || ossl_cmp_pkisi_get_status(si) != OSSL_CMP_PKISTATUS_rejection)
515 if (!ossl_cmp_msg_protect(ctx, msg))
516 goto err;
517
518 return msg;
519
520 err:
521 CMPerr(0, CMP_R_ERROR_CREATING_RP);
522 OSSL_CMP_MSG_free(msg);
523 return NULL;
524 }
525
526 OSSL_CMP_MSG *ossl_cmp_pkiconf_new(OSSL_CMP_CTX *ctx)
527 {
528 OSSL_CMP_MSG *msg;
529
530 if (!ossl_assert(ctx != NULL))
531 return NULL;
532
533 if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_PKICONF)) == NULL)
534 goto err;
535 if (ossl_cmp_msg_protect(ctx, msg))
536 return msg;
537
538 err:
539 CMPerr(0, CMP_R_ERROR_CREATING_PKICONF);
540 OSSL_CMP_MSG_free(msg);
541 return NULL;
542 }
543
544 int ossl_cmp_msg_gen_push0_ITAV(OSSL_CMP_MSG *msg, OSSL_CMP_ITAV *itav)
545 {
546 int bodytype;
547
548 if (!ossl_assert(msg != NULL && itav != NULL))
549 return 0;
550
551 bodytype = ossl_cmp_msg_get_bodytype(msg);
552 if (bodytype != OSSL_CMP_PKIBODY_GENM
553 && bodytype != OSSL_CMP_PKIBODY_GENP) {
554 CMPerr(0, CMP_R_INVALID_ARGS);
555 return 0;
556 }
557
558 /* value.genp has the same structure, so this works for genp as well */
559 return OSSL_CMP_ITAV_push0_stack_item(&msg->body->value.genm, itav);
560 }
561
562 int ossl_cmp_msg_gen_push1_ITAVs(OSSL_CMP_MSG *msg,
563 const STACK_OF(OSSL_CMP_ITAV) *itavs)
564 {
565 int i;
566 OSSL_CMP_ITAV *itav = NULL;
567
568 if (!ossl_assert(msg != NULL))
569 return 0;
570
571 for (i = 0; i < sk_OSSL_CMP_ITAV_num(itavs); i++) {
572 if ((itav = OSSL_CMP_ITAV_dup(sk_OSSL_CMP_ITAV_value(itavs, i))) == NULL)
573 return 0;
574 if (!ossl_cmp_msg_gen_push0_ITAV(msg, itav)) {
575 OSSL_CMP_ITAV_free(itav);
576 return 0;
577 }
578 }
579 return 1;
580 }
581
582 /*
583 * Creates a new General Message/Response with an empty itav stack
584 * returns a pointer to the PKIMessage on success, NULL on error
585 */
586 static OSSL_CMP_MSG *gen_new(OSSL_CMP_CTX *ctx,
587 const STACK_OF(OSSL_CMP_ITAV) *itavs,
588 int body_type, int err_code)
589 {
590 OSSL_CMP_MSG *msg = NULL;
591
592 if (!ossl_assert(ctx != NULL))
593 return NULL;
594
595 if ((msg = ossl_cmp_msg_create(ctx, body_type)) == NULL)
596 return NULL;
597
598 if (ctx->genm_ITAVs != NULL
599 && !ossl_cmp_msg_gen_push1_ITAVs(msg, itavs))
600 goto err;
601
602 if (!ossl_cmp_msg_protect(ctx, msg))
603 goto err;
604
605 return msg;
606
607 err:
608 CMPerr(0, err_code);
609 OSSL_CMP_MSG_free(msg);
610 return NULL;
611 }
612
613 OSSL_CMP_MSG *ossl_cmp_genm_new(OSSL_CMP_CTX *ctx)
614 {
615 return gen_new(ctx, ctx->genm_ITAVs,
616 OSSL_CMP_PKIBODY_GENM, CMP_R_ERROR_CREATING_GENM);
617 }
618
619 OSSL_CMP_MSG *ossl_cmp_genp_new(OSSL_CMP_CTX *ctx,
620 const STACK_OF(OSSL_CMP_ITAV) *itavs)
621 {
622 return gen_new(ctx, itavs,
623 OSSL_CMP_PKIBODY_GENP, CMP_R_ERROR_CREATING_GENP);
624 }
625
626 OSSL_CMP_MSG *ossl_cmp_error_new(OSSL_CMP_CTX *ctx, OSSL_CMP_PKISI *si,
627 int errorCode,
628 const char *details, int unprotected)
629 {
630 OSSL_CMP_MSG *msg = NULL;
631 OSSL_CMP_PKIFREETEXT *ft;
632
633 if (!ossl_assert(ctx != NULL && si != NULL))
634 return NULL;
635
636 if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_ERROR)) == NULL)
637 goto err;
638
639 OSSL_CMP_PKISI_free(msg->body->value.error->pKIStatusInfo);
640 if ((msg->body->value.error->pKIStatusInfo = OSSL_CMP_PKISI_dup(si))
641 == NULL)
642 goto err;
643 if (errorCode >= 0) {
644 if ((msg->body->value.error->errorCode = ASN1_INTEGER_new()) == NULL)
645 goto err;
646 if (!ASN1_INTEGER_set(msg->body->value.error->errorCode, errorCode))
647 goto err;
648 }
649 if (details != NULL) {
650 if ((ft = sk_ASN1_UTF8STRING_new_null()) == NULL)
651 goto err;
652 msg->body->value.error->errorDetails = ft;
653 if (!ossl_cmp_sk_ASN1_UTF8STRING_push_str(ft, details))
654 goto err;
655 }
656
657 if (!unprotected && !ossl_cmp_msg_protect(ctx, msg))
658 goto err;
659 return msg;
660
661 err:
662 CMPerr(0, CMP_R_ERROR_CREATING_ERROR);
663 OSSL_CMP_MSG_free(msg);
664 return NULL;
665 }
666
667 /*
668 * Set the certHash field of a OSSL_CMP_CERTSTATUS structure.
669 * This is used in the certConf message, for example,
670 * to confirm that the certificate was received successfully.
671 */
672 int ossl_cmp_certstatus_set0_certHash(OSSL_CMP_CERTSTATUS *certStatus,
673 ASN1_OCTET_STRING *hash)
674 {
675 if (!ossl_assert(certStatus != NULL))
676 return 0;
677 ASN1_OCTET_STRING_free(certStatus->certHash);
678 certStatus->certHash = hash;
679 return 1;
680 }
681
682 /*
683 * TODO: handle potential 2nd certificate when signing and encrypting
684 * certificates have been requested/received
685 */
686 OSSL_CMP_MSG *ossl_cmp_certConf_new(OSSL_CMP_CTX *ctx, int fail_info,
687 const char *text)
688 {
689 OSSL_CMP_MSG *msg = NULL;
690 OSSL_CMP_CERTSTATUS *certStatus = NULL;
691 ASN1_OCTET_STRING *certHash = NULL;
692 OSSL_CMP_PKISI *sinfo;
693
694 if (!ossl_assert(ctx != NULL && ctx->newCert != NULL))
695 return NULL;
696
697 if ((unsigned)fail_info > OSSL_CMP_PKIFAILUREINFO_MAX_BIT_PATTERN) {
698 CMPerr(0, CMP_R_FAIL_INFO_OUT_OF_RANGE);
699 return NULL;
700 }
701
702 if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_CERTCONF)) == NULL)
703 goto err;
704
705 if ((certStatus = OSSL_CMP_CERTSTATUS_new()) == NULL)
706 goto err;
707 /* consume certStatus into msg right away so it gets deallocated with msg */
708 if (!sk_OSSL_CMP_CERTSTATUS_push(msg->body->value.certConf, certStatus))
709 goto err;
710 /* set the ID of the certReq */
711 if (!ASN1_INTEGER_set(certStatus->certReqId, OSSL_CMP_CERTREQID))
712 goto err;
713 /*
714 * the hash of the certificate, using the same hash algorithm
715 * as is used to create and verify the certificate signature
716 */
717 if ((certHash = X509_digest_sig(ctx->newCert)) == NULL)
718 goto err;
719
720 if (!ossl_cmp_certstatus_set0_certHash(certStatus, certHash))
721 goto err;
722 certHash = NULL;
723 /*
724 * For any particular CertStatus, omission of the statusInfo field
725 * indicates ACCEPTANCE of the specified certificate. Alternatively,
726 * explicit status details (with respect to acceptance or rejection) MAY
727 * be provided in the statusInfo field, perhaps for auditing purposes at
728 * the CA/RA.
729 */
730 sinfo = fail_info != 0 ?
731 OSSL_CMP_STATUSINFO_new(OSSL_CMP_PKISTATUS_rejection, fail_info, text) :
732 OSSL_CMP_STATUSINFO_new(OSSL_CMP_PKISTATUS_accepted, 0, text);
733 if (sinfo == NULL)
734 goto err;
735 certStatus->statusInfo = sinfo;
736
737 if (!ossl_cmp_msg_protect(ctx, msg))
738 goto err;
739
740 return msg;
741
742 err:
743 CMPerr(0, CMP_R_ERROR_CREATING_CERTCONF);
744 OSSL_CMP_MSG_free(msg);
745 ASN1_OCTET_STRING_free(certHash);
746 return NULL;
747 }
748
749 OSSL_CMP_MSG *ossl_cmp_pollReq_new(OSSL_CMP_CTX *ctx, int crid)
750 {
751 OSSL_CMP_MSG *msg = NULL;
752 OSSL_CMP_POLLREQ *preq = NULL;
753
754 if (!ossl_assert(ctx != NULL))
755 return NULL;
756
757 if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_POLLREQ)) == NULL)
758 goto err;
759
760 /* TODO: support multiple cert request IDs to poll */
761 if ((preq = OSSL_CMP_POLLREQ_new()) == NULL
762 || !ASN1_INTEGER_set(preq->certReqId, crid)
763 || !sk_OSSL_CMP_POLLREQ_push(msg->body->value.pollReq, preq))
764 goto err;
765
766 preq = NULL;
767 if (!ossl_cmp_msg_protect(ctx, msg))
768 goto err;
769
770 return msg;
771
772 err:
773 CMPerr(0, CMP_R_ERROR_CREATING_POLLREQ);
774 OSSL_CMP_POLLREQ_free(preq);
775 OSSL_CMP_MSG_free(msg);
776 return NULL;
777 }
778
779 OSSL_CMP_MSG *ossl_cmp_pollRep_new(OSSL_CMP_CTX *ctx, int crid,
780 int64_t poll_after)
781 {
782 OSSL_CMP_MSG *msg;
783 OSSL_CMP_POLLREP *prep;
784
785 if (!ossl_assert(ctx != NULL))
786 return NULL;
787
788 if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_POLLREP)) == NULL)
789 goto err;
790 if ((prep = OSSL_CMP_POLLREP_new()) == NULL)
791 goto err;
792 if (!sk_OSSL_CMP_POLLREP_push(msg->body->value.pollRep, prep))
793 goto err;
794 if (!ASN1_INTEGER_set(prep->certReqId, crid))
795 goto err;
796 if (!ASN1_INTEGER_set_int64(prep->checkAfter, poll_after))
797 goto err;
798
799 if (!ossl_cmp_msg_protect(ctx, msg))
800 goto err;
801 return msg;
802
803 err:
804 CMPerr(0, CMP_R_ERROR_CREATING_POLLREP);
805 OSSL_CMP_MSG_free(msg);
806 return NULL;
807 }
808
809 /*-
810 * returns the status field of the RevRepContent with the given
811 * request/sequence id inside a revocation response.
812 * RevRepContent has the revocation statuses in same order as they were sent in
813 * RevReqContent.
814 * returns NULL on error
815 */
816 OSSL_CMP_PKISI *
817 ossl_cmp_revrepcontent_get_pkisi(OSSL_CMP_REVREPCONTENT *rrep, int rsid)
818 {
819 OSSL_CMP_PKISI *status;
820
821 if (!ossl_assert(rrep != NULL))
822 return NULL;
823
824 if ((status = sk_OSSL_CMP_PKISI_value(rrep->status, rsid)) != NULL)
825 return status;
826
827 CMPerr(0, CMP_R_PKISTATUSINFO_NOT_FOUND);
828 return NULL;
829 }
830
831 /*
832 * returns the CertId field in the revCerts part of the RevRepContent
833 * with the given request/sequence id inside a revocation response.
834 * RevRepContent has the CertIds in same order as they were sent in
835 * RevReqContent.
836 * returns NULL on error
837 */
838 OSSL_CRMF_CERTID *
839 ossl_cmp_revrepcontent_get_CertId(OSSL_CMP_REVREPCONTENT *rrep, int rsid)
840 {
841 OSSL_CRMF_CERTID *cid = NULL;
842
843 if (!ossl_assert(rrep != NULL))
844 return NULL;
845
846 if ((cid = sk_OSSL_CRMF_CERTID_value(rrep->revCerts, rsid)) != NULL)
847 return cid;
848
849 CMPerr(0, CMP_R_CERTID_NOT_FOUND);
850 return NULL;
851 }
852
853 static int suitable_rid(const ASN1_INTEGER *certReqId, int rid)
854 {
855 int trid;
856
857 if (rid == -1)
858 return 1;
859
860 trid = ossl_cmp_asn1_get_int(certReqId);
861
862 if (trid == -1) {
863 CMPerr(0, CMP_R_BAD_REQUEST_ID);
864 return 0;
865 }
866 return rid == trid;
867 }
868
869 static void add_expected_rid(int rid)
870 {
871 char str[DECIMAL_SIZE(rid) + 1];
872
873 BIO_snprintf(str, sizeof(str), "%d", rid);
874 ERR_add_error_data(2, "expected certReqId = ", str);
875 }
876
877 /*
878 * returns a pointer to the PollResponse with the given CertReqId
879 * (or the first one in case -1) inside a PollRepContent
880 * returns NULL on error or if no suitable PollResponse available
881 */
882 OSSL_CMP_POLLREP *
883 ossl_cmp_pollrepcontent_get0_pollrep(const OSSL_CMP_POLLREPCONTENT *prc,
884 int rid)
885 {
886 OSSL_CMP_POLLREP *pollRep = NULL;
887 int i;
888
889 if (!ossl_assert(prc != NULL))
890 return NULL;
891
892 for (i = 0; i < sk_OSSL_CMP_POLLREP_num(prc); i++) {
893 pollRep = sk_OSSL_CMP_POLLREP_value(prc, i);
894 if (suitable_rid(pollRep->certReqId, rid))
895 return pollRep;
896 }
897
898 CMPerr(0, CMP_R_CERTRESPONSE_NOT_FOUND);
899 add_expected_rid(rid);
900 return NULL;
901 }
902
903 /*
904 * returns a pointer to the CertResponse with the given CertReqId
905 * (or the first one in case -1) inside a CertRepMessage
906 * returns NULL on error or if no suitable CertResponse available
907 */
908 OSSL_CMP_CERTRESPONSE *
909 ossl_cmp_certrepmessage_get0_certresponse(const OSSL_CMP_CERTREPMESSAGE *crm,
910 int rid)
911 {
912 OSSL_CMP_CERTRESPONSE *crep = NULL;
913 int i;
914
915 if (!ossl_assert(crm != NULL && crm->response != NULL))
916 return NULL;
917
918 for (i = 0; i < sk_OSSL_CMP_CERTRESPONSE_num(crm->response); i++) {
919 crep = sk_OSSL_CMP_CERTRESPONSE_value(crm->response, i);
920 if (suitable_rid(crep->certReqId, rid))
921 return crep;
922 }
923
924 CMPerr(0, CMP_R_CERTRESPONSE_NOT_FOUND);
925 add_expected_rid(rid);
926 return NULL;
927 }
928
929 /*
930 * CMP_CERTRESPONSE_get1_certificate() attempts to retrieve the returned
931 * certificate from the given certResponse B<crep>.
932 * Uses the privkey in case of indirect POP from B<ctx>.
933 * Returns a pointer to a copy of the found certificate, or NULL if not found.
934 */
935 X509 *ossl_cmp_certresponse_get1_certificate(EVP_PKEY *privkey,
936 const OSSL_CMP_CERTRESPONSE *crep)
937 {
938 OSSL_CMP_CERTORENCCERT *coec;
939 X509 *crt = NULL;
940
941 if (!ossl_assert(crep != NULL))
942 return NULL;
943
944 if (crep->certifiedKeyPair
945 && (coec = crep->certifiedKeyPair->certOrEncCert) != NULL) {
946 switch (coec->type) {
947 case OSSL_CMP_CERTORENCCERT_CERTIFICATE:
948 crt = X509_dup(coec->value.certificate);
949 break;
950 case OSSL_CMP_CERTORENCCERT_ENCRYPTEDCERT:
951 /* cert encrypted for indirect PoP; RFC 4210, 5.2.8.2 */
952 if (privkey == NULL) {
953 CMPerr(0, CMP_R_MISSING_PRIVATE_KEY);
954 return NULL;
955 }
956 crt =
957 OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(coec->value.encryptedCert,
958 privkey);
959 break;
960 default:
961 CMPerr(0, CMP_R_UNKNOWN_CERT_TYPE);
962 return NULL;
963 }
964 }
965 if (crt == NULL)
966 CMPerr(0, CMP_R_CERTIFICATE_NOT_FOUND);
967 return crt;
968 }
969
970 OSSL_CMP_MSG *ossl_cmp_msg_load(const char *file)
971 {
972 OSSL_CMP_MSG *msg = NULL;
973 BIO *bio = NULL;
974
975 if (!ossl_assert(file != NULL))
976 return NULL;
977
978 if ((bio = BIO_new_file(file, "rb")) == NULL)
979 return NULL;
980 msg = d2i_OSSL_CMP_MSG_bio(bio, NULL);
981 BIO_free(bio);
982 return msg;
983 }
984
985 OSSL_CMP_MSG *d2i_OSSL_CMP_MSG_bio(BIO *bio, OSSL_CMP_MSG **msg)
986 {
987 return ASN1_d2i_bio_of(OSSL_CMP_MSG, OSSL_CMP_MSG_new,
988 d2i_OSSL_CMP_MSG, bio, msg);
989 }
990
991 int i2d_OSSL_CMP_MSG_bio(BIO *bio, const OSSL_CMP_MSG *msg)
992 {
993 return ASN1_i2d_bio_of(OSSL_CMP_MSG, i2d_OSSL_CMP_MSG, bio, msg);
994 }
A mirror of the official openssl repository