From 7960dbec6801c1c98c848b81ca00e73625e8970b Mon Sep 17 00:00:00 2001 From: "Dr. David von Oheimb" Date: Sat, 10 Aug 2019 14:07:22 +0200 Subject: [PATCH] Certificate Management Protocol (CMP, RFC 4210) extension to OpenSSL Also includes CRMF (RFC 4211) and HTTP transfer (RFC 6712) CMP and CRMF API is added to libcrypto, and the "cmp" app to the openssl CLI. Adds extensive man pages and tests. Integration into build scripts. Incremental pull request based on OpenSSL commit 8869ad4a39f of 2019-04-02 4th chunk: CMP context/parameters and utilities in crypto/cmp/cmp_ctx.c, crypto/cmp/cmp_util.c, and related files Reviewed-by: Bernd Edlinger Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/9107) --- crypto/cmp/build.info | 2 +- crypto/cmp/cmp_asn.c | 26 +- crypto/cmp/cmp_ctx.c | 1086 +++++++++++++++++ crypto/cmp/cmp_err.c | 10 +- crypto/cmp/cmp_int.h | 180 ++- crypto/cmp/cmp_util.c | 449 +++++++ crypto/crmf/crmf_int.h | 38 +- crypto/crmf/crmf_lib.c | 113 +- crypto/crmf/crmf_pbm.c | 16 +- crypto/err/openssl.txt | 4 + crypto/init.c | 6 + .../man3/ossl_cmp_asn1_octet_string_set1.pod | 101 ++ .../man3/ossl_cmp_ctx_set1_caPubs.pod | 76 ++ .../man3/ossl_cmp_sk_X509_add1_cert.pod | 60 + doc/man3/OSSL_CMP_CTX_new.pod | 662 ++++++++++ doc/man3/OSSL_CMP_ITAV_set0.pod | 6 + doc/man3/OSSL_CMP_log_open.pod | 140 +++ doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod | 15 + .../OSSL_CRMF_MSG_set1_regCtrl_regToken.pod | 6 +- .../OSSL_CRMF_MSG_set1_regInfo_certReq.pod | 4 + doc/man3/OSSL_CRMF_MSG_set_validity.pod | 17 +- doc/man3/OSSL_CRMF_pbmp_new.pod | 4 + doc/man3/X509_dup.pod | 9 +- include/openssl/cmp.h | 131 +- include/openssl/cmp_util.h | 79 ++ include/openssl/cmperr.h | 4 + include/openssl/crmf.h | 26 +- include/openssl/ocsp.h | 7 +- include/openssl/trace.h | 3 +- test/build.info | 13 + test/cmp_asn_test.c | 132 ++ test/cmp_ctx_test.c | 859 +++++++++++++ test/cmp_testlib.c | 120 ++ test/cmp_testlib.h | 34 + test/recipes/65-test_cmp_asn.t | 22 + test/recipes/65-test_cmp_ctx.t | 22 + util/libcrypto.num | 294 +++-- util/private.num | 23 +- 38 files changed, 4512 insertions(+), 287 deletions(-) create mode 100644 crypto/cmp/cmp_ctx.c create mode 100644 crypto/cmp/cmp_util.c create mode 100644 doc/internal/man3/ossl_cmp_asn1_octet_string_set1.pod create mode 100644 doc/internal/man3/ossl_cmp_ctx_set1_caPubs.pod create mode 100644 doc/internal/man3/ossl_cmp_sk_X509_add1_cert.pod create mode 100644 doc/man3/OSSL_CMP_CTX_new.pod create mode 100644 doc/man3/OSSL_CMP_log_open.pod create mode 100644 include/openssl/cmp_util.h create mode 100644 test/cmp_asn_test.c create mode 100644 test/cmp_ctx_test.c create mode 100644 test/cmp_testlib.c create mode 100644 test/cmp_testlib.h create mode 100644 test/recipes/65-test_cmp_asn.t create mode 100644 test/recipes/65-test_cmp_ctx.t diff --git a/crypto/cmp/build.info b/crypto/cmp/build.info index 6b6ccaaf49..d5ce60e040 100644 --- a/crypto/cmp/build.info +++ b/crypto/cmp/build.info @@ -1,2 +1,2 @@ LIBS=../../libcrypto -SOURCE[../../libcrypto]= cmp_asn.c cmp_err.c +SOURCE[../../libcrypto]= cmp_asn.c cmp_ctx.c cmp_err.c cmp_util.c diff --git a/crypto/cmp/cmp_asn.c b/crypto/cmp/cmp_asn.c index 8555586dfd..e764e532d5 100644 --- a/crypto/cmp/cmp_asn.c +++ b/crypto/cmp/cmp_asn.c @@ -7,8 +7,6 @@ * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at * https://www.openssl.org/source/license.html - * - * CMP implementation by Martin Peylo, Miikka Viljanen, and David von Oheimb. */ #include @@ -166,8 +164,10 @@ int OSSL_CMP_ITAV_push0_stack_item(STACK_OF(OSSL_CMP_ITAV) **itav_sk_p, { int created = 0; - if (itav_sk_p == NULL) + if (itav_sk_p == NULL) { + CMPerr(0, CMP_R_NULL_ARGUMENT); goto err; + } if (*itav_sk_p == NULL) { if ((*itav_sk_p = sk_OSSL_CMP_ITAV_new_null()) == NULL) @@ -187,6 +187,26 @@ int OSSL_CMP_ITAV_push0_stack_item(STACK_OF(OSSL_CMP_ITAV) **itav_sk_p, return 0; } +/* get ASN.1 encoded integer, return -1 on error */ +int ossl_cmp_asn1_get_int(const ASN1_INTEGER *a) +{ + int64_t res; + + if (!ASN1_INTEGER_get_int64(&res, a)) { + CMPerr(0, ASN1_R_INVALID_NUMBER); + return -1; + } + if (res < INT_MIN) { + CMPerr(0, ASN1_R_TOO_SMALL); + return -1; + } + if (res > INT_MAX) { + CMPerr(0, ASN1_R_TOO_LARGE); + return -1; + } + return (int)res; +} + ASN1_CHOICE(OSSL_CMP_CERTORENCCERT) = { /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */ ASN1_EXP(OSSL_CMP_CERTORENCCERT, value.certificate, X509, 0), diff --git a/crypto/cmp/cmp_ctx.c b/crypto/cmp/cmp_ctx.c new file mode 100644 index 0000000000..4bec73c3b7 --- /dev/null +++ b/crypto/cmp/cmp_ctx.c @@ -0,0 +1,1086 @@ +/* + * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright Nokia 2007-2019 + * Copyright Siemens AG 2015-2019 + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include /* for OCSP_REVOKED_STATUS_* */ + +#include "cmp_int.h" + +/* explicit #includes not strictly needed since implied by the above: */ +#include +#include +#include + +/* + * Get current certificate store containing trusted root CA certs + */ +X509_STORE *OSSL_CMP_CTX_get0_trustedStore(const OSSL_CMP_CTX *ctx) +{ + if (ctx == NULL) { + CMPerr(0, CMP_R_NULL_ARGUMENT); + return NULL; + } + return ctx->trusted; +} + +/* + * Set certificate store containing trusted (root) CA certs and possibly CRLs + * and a cert verification callback function used for CMP server authentication. + * Any already existing store entry is freed. Given NULL, the entry is reset. + * returns 1 on success, 0 on error + */ +int OSSL_CMP_CTX_set0_trustedStore(OSSL_CMP_CTX *ctx, X509_STORE *store) +{ + if (ctx == NULL) { + CMPerr(0, CMP_R_NULL_ARGUMENT); + return 0; + } + X509_STORE_free(ctx->trusted); + ctx->trusted = store; + return 1; +} + +/* + * Get current list of non-trusted intermediate certs + */ +STACK_OF(X509) *OSSL_CMP_CTX_get0_untrusted_certs(const OSSL_CMP_CTX *ctx) +{ + if (ctx == NULL) { + CMPerr(0, CMP_R_NULL_ARGUMENT); + return NULL; + } + return ctx->untrusted_certs; +} + +/* + * Set untrusted certificates for path construction in authentication of + * the CMP server and potentially others (TLS server, newly enrolled cert). + * returns 1 on success, 0 on error + */ +int OSSL_CMP_CTX_set1_untrusted_certs(OSSL_CMP_CTX *ctx, STACK_OF(X509) *certs) +{ + if (ctx == NULL) { + CMPerr(0, CMP_R_NULL_ARGUMENT); + return 0; + } + sk_X509_pop_free(ctx->untrusted_certs, X509_free); + if ((ctx->untrusted_certs = sk_X509_new_null()) == NULL) + return 0; + return ossl_cmp_sk_X509_add1_certs(ctx->untrusted_certs, certs, 0, 1, 0); +} + +/* + * Allocates and initializes OSSL_CMP_CTX context structure with default values. + * Returns new context on success, NULL on error + */ +OSSL_CMP_CTX *OSSL_CMP_CTX_new(void) +{ + OSSL_CMP_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx)); + + if (ctx == NULL) + return NULL; + + ctx->log_verbosity = OSSL_CMP_LOG_INFO; + + ctx->status = -1; + ctx->failInfoCode = -1; + + ctx->serverPort = OSSL_CMP_DEFAULT_PORT; + ctx->proxyPort = OSSL_CMP_DEFAULT_PORT; + ctx->msgtimeout = 2 * 60; + + if ((ctx->untrusted_certs = sk_X509_new_null()) == NULL) + goto err; + + ctx->pbm_slen = 16; + ctx->pbm_owf = NID_sha256; + ctx->pbm_itercnt = 500; + ctx->pbm_mac = NID_hmac_sha1; + + ctx->digest = NID_sha256; + ctx->popoMethod = OSSL_CRMF_POPO_SIGNATURE; + ctx->revocationReason = CRL_REASON_NONE; + + /* all other elements are initialized to 0 or NULL, respectively */ + return ctx; + + err: + OSSL_CMP_CTX_free(ctx); + return NULL; +} + +/* + * Prepare the OSSL_CMP_CTX for next use, partly re-initializing OSSL_CMP_CTX + */ +int OSSL_CMP_CTX_reinit(OSSL_CMP_CTX *ctx) +{ + if (ctx == NULL) { + CMPerr(0, CMP_R_NULL_ARGUMENT); + return 0; + } + + ctx->status = -1; + ctx->failInfoCode = -1; + + return ossl_cmp_ctx_set0_statusString(ctx, NULL) + && ossl_cmp_ctx_set0_newCert(ctx, NULL) + && ossl_cmp_ctx_set1_caPubs(ctx, NULL) + && ossl_cmp_ctx_set1_extraCertsIn(ctx, NULL) + && ossl_cmp_ctx_set0_validatedSrvCert(ctx, NULL) + && OSSL_CMP_CTX_set1_transactionID(ctx, NULL) + && OSSL_CMP_CTX_set1_senderNonce(ctx, NULL) + && ossl_cmp_ctx_set1_recipNonce(ctx, NULL); +} + +/* + * Frees OSSL_CMP_CTX variables allocated in OSSL_CMP_CTX_new() + */ +void OSSL_CMP_CTX_free(OSSL_CMP_CTX *ctx) +{ + if (ctx == NULL) + return; + + OPENSSL_free(ctx->serverPath); + OPENSSL_free(ctx->serverName); + OPENSSL_free(ctx->proxyName); + + X509_free(ctx->srvCert); + X509_free(ctx->validatedSrvCert); + X509_NAME_free(ctx->expected_sender); + X509_STORE_free(ctx->trusted); + sk_X509_pop_free(ctx->untrusted_certs, X509_free); + + X509_free(ctx->clCert); + EVP_PKEY_free(ctx->pkey); + ASN1_OCTET_STRING_free(ctx->referenceValue); + if (ctx->secretValue != NULL) + OPENSSL_cleanse(ctx->secretValue->data, ctx->secretValue->length); + ASN1_OCTET_STRING_free(ctx->secretValue); + + X509_NAME_free(ctx->recipient); + ASN1_OCTET_STRING_free(ctx->transactionID); + ASN1_OCTET_STRING_free(ctx->senderNonce); + ASN1_OCTET_STRING_free(ctx->recipNonce); + sk_OSSL_CMP_ITAV_pop_free(ctx->geninfo_ITAVs, OSSL_CMP_ITAV_free); + sk_X509_pop_free(ctx->extraCertsOut, X509_free); + + EVP_PKEY_free(ctx->newPkey); + X509_NAME_free(ctx->issuer); + X509_NAME_free(ctx->subjectName); + sk_GENERAL_NAME_pop_free(ctx->subjectAltNames, GENERAL_NAME_free); + sk_X509_EXTENSION_pop_free(ctx->reqExtensions, X509_EXTENSION_free); + sk_POLICYINFO_pop_free(ctx->policies, POLICYINFO_free); + X509_free(ctx->oldCert); + X509_REQ_free(ctx->p10CSR); + + sk_OSSL_CMP_ITAV_pop_free(ctx->genm_ITAVs, OSSL_CMP_ITAV_free); + + sk_ASN1_UTF8STRING_pop_free(ctx->statusString, ASN1_UTF8STRING_free); + X509_free(ctx->newCert); + sk_X509_pop_free(ctx->caPubs, X509_free); + sk_X509_pop_free(ctx->extraCertsIn, X509_free); + + OPENSSL_free(ctx); +} + +int ossl_cmp_ctx_set_status(OSSL_CMP_CTX *ctx, int status) +{ + if (!ossl_assert(ctx != NULL)) + return 0; + ctx->status = status; + return 1; +} + +/* + * Returns the PKIStatus from the last CertRepMessage + * or Revocation Response or error message, -1 on error + */ +int OSSL_CMP_CTX_get_status(const OSSL_CMP_CTX *ctx) +{ + if (ctx == NULL) { + CMPerr(0, CMP_R_NULL_ARGUMENT); + return -1; + } + return ctx->status; +} + +/* + * Returns the statusString from the last CertRepMessage + * or Revocation Response or error message, NULL on error + */ +OSSL_CMP_PKIFREETEXT *OSSL_CMP_CTX_get0_statusString(const OSSL_CMP_CTX *ctx) +{ + if (ctx == NULL) { + CMPerr(0, CMP_R_NULL_ARGUMENT); + return NULL; + } + return ctx->statusString; +} + +int ossl_cmp_ctx_set0_statusString(OSSL_CMP_CTX *ctx, + OSSL_CMP_PKIFREETEXT *text) +{ + if (!ossl_assert(ctx != NULL)) + return 0; + sk_ASN1_UTF8STRING_pop_free(ctx->statusString, ASN1_UTF8STRING_free); + ctx->statusString = text; + return 1; +} + +int ossl_cmp_ctx_set0_validatedSrvCert(OSSL_CMP_CTX *ctx, X509 *cert) +{ + if (!ossl_assert(ctx != NULL)) + return 0; + X509_free(ctx->validatedSrvCert); + ctx->validatedSrvCert = cert; + return 1; +} + +/* + * Set callback function for checking if the cert is ok or should + * it be rejected. + * Returns 1 on success, 0 on error + */ +int OSSL_CMP_CTX_set_certConf_cb(OSSL_CMP_CTX *ctx, OSSL_cmp_certConf_cb_t cb) +{ + if (ctx == NULL) { + CMPerr(0, CMP_R_NULL_ARGUMENT); + return 0; + } + ctx->certConf_cb = cb; + return 1; +} + +/* + * Set argument, respectively a pointer to a structure containing arguments, + * optionally to be used by the certConf callback. + * Returns 1 on success, 0 on error + */ +int OSSL_CMP_CTX_set_certConf_cb_arg(OSSL_CMP_CTX *ctx, void *arg) +{ + if (ctx == NULL) { + CMPerr(0, CMP_R_NULL_ARGUMENT); + return 0; + } + ctx->certConf_cb_arg = arg; + return 1; +} + +/* + * Get argument, respectively the pointer to a structure containing arguments, + * optionally to be used by certConf callback. + * Returns callback argument set previously (NULL if not set or on error) + */ +void *OSSL_CMP_CTX_get_certConf_cb_arg(const OSSL_CMP_CTX *ctx) +{ + if (ctx == NULL) { + CMPerr(0, CMP_R_NULL_ARGUMENT); + return NULL; + } + return ctx->certConf_cb_arg; +} + +#ifndef OPENSSL_NO_TRACE +static size_t ossl_cmp_log_trace_cb(const char *buf, size_t cnt, + int category, int cmd, void *vdata) +{ + OSSL_CMP_CTX *ctx = vdata; + const char *prefix_msg; + OSSL_CMP_severity level = -1; + char *func = NULL; + char *file = NULL; + int line = 0; + + if (buf == NULL || cnt == 0 || cmd != OSSL_TRACE_CTRL_WRITE || ctx == NULL) + return 0; + if (ctx->log_cb == NULL) + return 1; /* silently drop message */ + + prefix_msg = ossl_cmp_log_parse_metadata(buf, &level, &func, &file, &line); + + if (level > ctx->log_verbosity) /* excludes the case level is unknown */ + goto end; /* suppress output since severity is not sufficient */ + + if (!ctx->log_cb(func != NULL ? func : "(no func)", + file != NULL ? file : "(no file)", + line, level, prefix_msg)) + cnt = 0; + + end: + OPENSSL_free(func); + OPENSSL_free(file); + return cnt; +} +#endif + +/* + * Set a callback function for error reporting and logging messages. + * Returns 1 on success, 0 on error + */ +int OSSL_CMP_CTX_set_log_cb(OSSL_CMP_CTX *ctx, OSSL_cmp_log_cb_t cb) +{ + if (ctx == NULL) { + CMPerr(0, CMP_R_NULL_ARGUMENT); + return 0; + } + ctx->log_cb = cb; + +#ifndef OPENSSL_NO_TRACE + /* do also in case cb == NULL, to switch off logging output: */ + if (!OSSL_trace_set_callback(OSSL_TRACE_CATEGORY_CMP, + ossl_cmp_log_trace_cb, ctx)) + return 0; +#endif + + return 1; +} + +/* Print OpenSSL and CMP errors via the log cb of the ctx or ERR_print_errors */ +void OSSL_CMP_CTX_print_errors(OSSL_CMP_CTX *ctx) +{ + OSSL_CMP_print_errors_cb(ctx == NULL ? NULL : ctx->log_cb); +} + +/* + * Set or clear the reference value to be used for identification + * (i.e., the user name) when using PBMAC. + * Returns 1 on success, 0 on error + */ +int OSSL_CMP_CTX_set1_referenceValue(OSSL_CMP_CTX *ctx, + const unsigned char *ref, int len) +{ + if (ctx == NULL) { + CMPerr(0, CMP_R_NULL_ARGUMENT); + return 0; + } + return ossl_cmp_asn1_octet_string_set1_bytes(&ctx->referenceValue, ref, + len); +} + +/* + * Set or clear the password to be used for protecting messages with PBMAC. + * Returns 1 on success, 0 on error + */ +int OSSL_CMP_CTX_set1_secretValue(OSSL_CMP_CTX *ctx, const unsigned char *sec, + const int len) +{ + if (ctx == NULL) { + CMPerr(0, CMP_R_NULL_ARGUMENT); + return 0; + } + if (ctx->secretValue != NULL) + OPENSSL_cleanse(ctx->secretValue->data, ctx->secretValue->length); + return ossl_cmp_asn1_octet_string_set1_bytes(&ctx->secretValue, sec, len); +} + +/* + * Returns the stack of certificates received in a response message. + * The stack is duplicated so the caller must handle freeing it! + * Returns pointer to created stack on success, NULL on error + */ +STACK_OF(X509) *OSSL_CMP_CTX_get1_extraCertsIn(const OSSL_CMP_CTX *ctx) +{ + if (ctx == NULL) { + CMPerr(0, CMP_R_NULL_ARGUMENT); + return NULL; + } + if (ctx->extraCertsIn == NULL) + return sk_X509_new_null(); + return X509_chain_up_ref(ctx->extraCertsIn); +} + +/* + * Copies any given stack of inbound X509 certificates to extraCertsIn + * of the OSSL_CMP_CTX structure so that they may be retrieved later. + * Returns 1 on success, 0 on error. + */ +int ossl_cmp_ctx_set1_extraCertsIn(OSSL_CMP_CTX *ctx, + STACK_OF(X509) *extraCertsIn) +{ + if (!ossl_assert(ctx != NULL)) + return 0; + + sk_X509_pop_free(ctx->extraCertsIn, X509_free); + ctx->extraCertsIn = NULL; + if (extraCertsIn == NULL) + return 1; + return (ctx->extraCertsIn = X509_chain_up_ref(extraCertsIn)) != NULL; +} + +/* + * Duplicate and set the given stack as the new stack of X509 + * certificates to send out in the extraCerts field. + * Returns 1 on success, 0 on error + */ +int OSSL_CMP_CTX_set1_extraCertsOut(OSSL_CMP_CTX *ctx, + STACK_OF(X509) *extraCertsOut) +{ + if (ctx == NULL) { + CMPerr(0, CMP_R_NULL_ARGUMENT); + return 0; + } + + sk_X509_pop_free(ctx->extraCertsOut, X509_free); + ctx->extraCertsOut = NULL; + if (extraCertsOut == NULL) + return 1; + return (ctx->extraCertsOut = X509_chain_up_ref(extraCertsOut)) != NULL; +} + +/* + * Add the given policy info object + * to the X509_EXTENSIONS of the requested certificate template. + * Returns 1 on success, 0 on error. + */ +int OSSL_CMP_CTX_push0_policy(OSSL_CMP_CTX *ctx, POLICYINFO *pinfo) +{ + if (ctx == NULL || pinfo == NULL) { + CMPerr(0, CMP_R_NULL_ARGUMENT); + return 0; + } + + if (ctx->policies == NULL + && (ctx->policies = CERTIFICATEPOLICIES_new()) == NULL) + return 0; + + return sk_POLICYINFO_push(ctx->policies, pinfo); +} + +/* + * Add an ITAV for geninfo of the PKI message header + */ +int OSSL_CMP_CTX_push0_geninfo_ITAV(OSSL_CMP_CTX *ctx, OSSL_CMP_ITAV *itav) +{ + if (ctx == NULL) { + CMPerr(0, CMP_R_NULL_ARGUMENT); + return 0; + } + return OSSL_CMP_ITAV_push0_stack_item(&ctx->geninfo_ITAVs, itav); +} + +/* + * Add an itav for the body of outgoing general messages + */ +int OSSL_CMP_CTX_push0_genm_ITAV(OSSL_CMP_CTX *ctx, OSSL_CMP_ITAV *itav) +{ + if (ctx == NULL) { + CMPerr(0, CMP_R_NULL_ARGUMENT); + return 0; + } + return OSSL_CMP_ITAV_push0_stack_item(&ctx->genm_ITAVs, itav); +} + +/* + * Returns a duplicate of the stack of X509 certificates that + * were received in the caPubs field of the last CertRepMessage. + * Returns NULL on error + */ +STACK_OF(X509) *OSSL_CMP_CTX_get1_caPubs(const OSSL_CMP_CTX *ctx) +{ + if (ctx == NULL) { + CMPerr(0, CMP_R_NULL_ARGUMENT); + return NULL; + } + if (ctx->caPubs == NULL) + return sk_X509_new_null(); + return X509_chain_up_ref(ctx->caPubs); +} + +/* + * Duplicate and copy the given stack of certificates to the given + * OSSL_CMP_CTX structure so that they may be retrieved later. + * Returns 1 on success, 0 on error + */ +int ossl_cmp_ctx_set1_caPubs(OSSL_CMP_CTX *ctx, STACK_OF(X509) *caPubs) +{ + if (!ossl_assert(ctx != NULL)) + return 0; + + sk_X509_pop_free(ctx->caPubs, X509_free); + ctx->caPubs = NULL; + if (caPubs == NULL) + return 1; + return (ctx->caPubs = X509_chain_up_ref(caPubs)) != NULL; +} + +#define char_dup OPENSSL_strdup +#define char_free OPENSSL_free +#define DEFINE_OSSL_CMP_CTX_set1(FIELD, TYPE) /* this uses _dup */ \ +int OSSL_CMP_CTX_set1_##FIELD(OSSL_CMP_CTX *ctx, const TYPE *val) \ +{ \ + TYPE *val_dup = NULL; \ + \ + if (ctx == NULL) { \ + CMPerr(0, CMP_R_NULL_ARGUMENT); \ + return 0; \ + } \ + \ + if (val != NULL && (val_dup = TYPE##_dup(val)) == NULL) \ + return 0; \ + TYPE##_free(ctx->FIELD); \ + ctx->FIELD = val_dup; \ + return 1; \ +} + +#define DEFINE_OSSL_CMP_CTX_set1_up_ref(FIELD, TYPE) \ +int OSSL_CMP_CTX_set1_##FIELD(OSSL_CMP_CTX *ctx, TYPE *val) \ +{ \ + if (ctx == NULL) { \ + CMPerr(0, CMP_R_NULL_ARGUMENT); \ + return 0; \ + } \ + \ + if (val != NULL && !TYPE##_up_ref(val)) \ + return 0; \ + TYPE##_free(ctx->FIELD); \ + ctx->FIELD = val; \ + return 1; \ +} + +/* + * Pins the server certificate to be directly trusted (even if it is expired) + * for verifying response messages. + * Cert pointer is not consumed. It may be NULL to clear the entry. + * Returns 1 on success, 0 on error + */ +DEFINE_OSSL_CMP_CTX_set1_up_ref(srvCert, X509) + +/* + * Set the X509 name of the recipient. Set in the PKIHeader. + * returns 1 on success, 0 on error + */ +DEFINE_OSSL_CMP_CTX_set1(recipient, X509_NAME) + +/* + * Store the X509 name of the expected sender in the PKIHeader of responses. + * Returns 1 on success, 0 on error + */ +DEFINE_OSSL_CMP_CTX_set1(expected_sender, X509_NAME) + +/* + * Set the X509 name of the issuer. Set in the PKIHeader. + * Returns 1 on success, 0 on error + */ +DEFINE_OSSL_CMP_CTX_set1(issuer, X509_NAME) + +/* + * Set the subject name that will be placed in the certificate + * request. This will be the subject name on the received certificate. + * Returns 1 on success, 0 on error + */ +DEFINE_OSSL_CMP_CTX_set1(subjectName, X509_NAME) + +/* + * Set the X.509v3 certificate request extensions to be used in IR/CR/KUR. + * Returns 1 on success, 0 on error + */ +int OSSL_CMP_CTX_set0_reqExtensions(OSSL_CMP_CTX *ctx, X509_EXTENSIONS *exts) +{ + if (ctx == NULL) { + CMPerr(0, CMP_R_NULL_ARGUMENT); + return 0; + } + + if (sk_GENERAL_NAME_num(ctx->subjectAltNames) > 0 && exts != NULL + && X509v3_get_ext_by_NID(exts, NID_subject_alt_name, -1) >= 0) { + CMPerr(0, CMP_R_MULTIPLE_SAN_SOURCES); + return 0; + } + sk_X509_EXTENSION_pop_free(ctx->reqExtensions, X509_EXTENSION_free); + ctx->reqExtensions = exts; + return 1; +} + +/* returns 1 if ctx contains a Subject Alternative Name extension, else 0 */ +int OSSL_CMP_CTX_reqExtensions_have_SAN(OSSL_CMP_CTX *ctx) +{ + if (ctx == NULL) { + CMPerr(0, CMP_R_NULL_ARGUMENT); + return -1; + } + /* if one of the following conditions 'fail' this is not an error */ + return ctx->reqExtensions != NULL + && X509v3_get_ext_by_NID(ctx->reqExtensions, + NID_subject_alt_name, -1) >= 0; +} + +/* + * Add a GENERAL_NAME structure that will be added to the CRMF + * request's extensions field to request subject alternative names. + * Returns 1 on success, 0 on error + */ +int OSSL_CMP_CTX_push1_subjectAltName(OSSL_CMP_CTX *ctx, + const GENERAL_NAME *name) +{ + GENERAL_NAME *name_dup; + + if (ctx == NULL || name == NULL) { + CMPerr(0, CMP_R_NULL_ARGUMENT); + return 0; + } + + if (OSSL_CMP_CTX_reqExtensions_have_SAN(ctx) == 1) { + CMPerr(0, CMP_R_MULTIPLE_SAN_SOURCES); + return 0; + } + + if (ctx->subjectAltNames == NULL + && (ctx->subjectAltNames = sk_GENERAL_NAME_new_null()) == NULL) + return 0; + if ((name_dup = GENERAL_NAME_dup(name)) == NULL) + return 0; + if (!sk_GENERAL_NAME_push(ctx->subjectAltNames, name_dup)) { + GENERAL_NAME_free(name_dup); + return 0; + } + return 1; +} + +/* + * Set our own client certificate, used for example in KUR and when + * doing the IR with existing certificate. + * Returns 1 on success, 0 on error + */ +DEFINE_OSSL_CMP_CTX_set1_up_ref(clCert, X509) + +/* + * Set the old certificate that we are updating in KUR + * or the certificate to be revoked in RR, respectively. + * Also used as reference cert (defaulting to clCert) for deriving subject DN + * and SANs. Its issuer is used as default recipient in the CMP message header. + * Returns 1 on success, 0 on error + */ +DEFINE_OSSL_CMP_CTX_set1_up_ref(oldCert, X509) + +/* + * Set the PKCS#10 CSR to be sent in P10CR. + * Returns 1 on success, 0 on error + */ +DEFINE_OSSL_CMP_CTX_set1(p10CSR, X509_REQ) + +/* + * Sets the (newly received in IP/KUP/CP) certificate in the context. + * Returns 1 on success, 0 on error + * TODO: this only permits for one cert to be enrolled at a time. + */ +int ossl_cmp_ctx_set0_newCert(OSSL_CMP_CTX *ctx, X509 *cert) +{ + if (!ossl_assert(ctx != NULL)) + return 0; + + X509_free(ctx->newCert); + ctx->newCert = cert; + return 1; +} + +/* + * Get the (newly received in IP/KUP/CP) client certificate from the context + * TODO: this only permits for one client cert to be received... + */ +X509 *OSSL_CMP_CTX_get0_newCert(const OSSL_CMP_CTX *ctx) +{ + if (ctx == NULL) { + CMPerr(0, CMP_R_NULL_ARGUMENT); + return NULL; + } + return ctx->newCert; +} + +/* + * Set the client's current private key. + * Returns 1 on success, 0 on error + */ +DEFINE_OSSL_CMP_CTX_set1_up_ref(pkey, EVP_PKEY) + +/* + * Set new key pair. Used e.g. when doing Key Update. + * Returns 1 on success, 0 on error + */ +int OSSL_CMP_CTX_set0_newPkey(OSSL_CMP_CTX *ctx, int priv, EVP_PKEY *pkey) +{ + if (ctx == NULL) { + CMPerr(0, CMP_R_NULL_ARGUMENT); + return 0; + } + + EVP_PKEY_free(ctx->newPkey); + ctx->newPkey = pkey; + ctx->newPkey_priv = priv; + return 1; +} + +/* + * gets the private/public key to use for certificate enrollment, NULL on error + */ +EVP_PKEY *OSSL_CMP_CTX_get0_newPkey(const OSSL_CMP_CTX *ctx, int priv) +{ + if (ctx == NULL) { + CMPerr(0, CMP_R_NULL_ARGUMENT); + return NULL; + } + + if (ctx->newPkey != NULL) + return priv && !ctx->newPkey_priv ? NULL : ctx->newPkey; + if (ctx->p10CSR != NULL) + return priv ? NULL : X509_REQ_get0_pubkey(ctx->p10CSR); + return ctx->pkey; /* may be NULL */ +} + +/* + * Sets the given transactionID to the context. + * Returns 1 on success, 0 on error + */ +int OSSL_CMP_CTX_set1_transactionID(OSSL_CMP_CTX *ctx, + const ASN1_OCTET_STRING *id) +{ + if (ctx == NULL) { + CMPerr(0, CMP_R_NULL_ARGUMENT); + return 0; + } + return ossl_cmp_asn1_octet_string_set1(&ctx->transactionID, id); +} + +/* + * sets the given nonce to be used for the recipNonce in the next message to be + * created. + * returns 1 on success, 0 on error + */ +int ossl_cmp_ctx_set1_recipNonce(OSSL_CMP_CTX *ctx, + const ASN1_OCTET_STRING *nonce) +{ + if (!ossl_assert(ctx != NULL)) + return 0; + return ossl_cmp_asn1_octet_string_set1(&ctx->recipNonce, nonce); +} + +/* + * Stores the given nonce as the last senderNonce sent out. + * Returns 1 on success, 0 on error + */ +int OSSL_CMP_CTX_set1_senderNonce(OSSL_CMP_CTX *ctx, + const ASN1_OCTET_STRING *nonce) +{ + if (ctx == NULL) { + CMPerr(0, CMP_R_NULL_ARGUMENT); + return 0; + } + return ossl_cmp_asn1_octet_string_set1(&ctx->senderNonce, nonce); +} + +/* + * Set the host name of the (HTTP) proxy server to use for all connections + * returns 1 on success, 0 on error + */ +DEFINE_OSSL_CMP_CTX_set1(proxyName, char) + +/* + * Set the (HTTP) host name of the CA server. + * Returns 1 on success, 0 on error + */ +DEFINE_OSSL_CMP_CTX_set1(serverName, char) + +/* + * Sets the (HTTP) proxy port to be used. + * Returns 1 on success, 0 on error + */ +int OSSL_CMP_CTX_set_proxyPort(OSSL_CMP_CTX *ctx, int port) +{ + if (ctx == NULL) { + CMPerr(0, CMP_R_NULL_ARGUMENT); + return 0; + } + ctx->proxyPort = port; + return 1; +} + +/* + * sets the http connect/disconnect callback function to be used for HTTP(S) + * returns 1 on success, 0 on error + */ +int OSSL_CMP_CTX_set_http_cb(OSSL_CMP_CTX *ctx, OSSL_cmp_http_cb_t cb) +{ + if (ctx == NULL) { + CMPerr(0, CMP_R_NULL_ARGUMENT); + return 0; + } + ctx->http_cb = cb; + return 1; +} + +/* + * Set argument optionally to be used by the http connect/disconnect callback. + * Returns 1 on success, 0 on error + */ +int OSSL_CMP_CTX_set_http_cb_arg(OSSL_CMP_CTX *ctx, void *arg) +{ + if (ctx == NULL) { + CMPerr(0, CMP_R_NULL_ARGUMENT); + return 0; + } + ctx->http_cb_arg = arg; + return 1; +} + +/* + * Get argument optionally to be used by the http connect/disconnect callback + * Returns callback argument set previously (NULL if not set or on error) + */ +void *OSSL_CMP_CTX_get_http_cb_arg(const OSSL_CMP_CTX *ctx) +{ + if (ctx == NULL) { + CMPerr(0, CMP_R_NULL_ARGUMENT); + return NULL; + } + return ctx->http_cb_arg; +} + +/* + * Set callback function for sending CMP request and receiving response. + * Returns 1 on success, 0 on error + */ +int OSSL_CMP_CTX_set_transfer_cb(OSSL_CMP_CTX *ctx, OSSL_cmp_transfer_cb_t cb) +{ + if (ctx == NULL) { + CMPerr(0, CMP_R_NULL_ARGUMENT); + return 0; + } + ctx->transfer_cb = cb; + return 1; +} + +/* + * Set argument optionally to be used by the transfer callback. + * Returns 1 on success, 0 on error + */ +int OSSL_CMP_CTX_set_transfer_cb_arg(OSSL_CMP_CTX *ctx, void *arg) +{ + if (ctx == NULL) { + CMPerr(0, CMP_R_NULL_ARGUMENT); + return 0; + } + ctx->transfer_cb_arg = arg; + return 1; +} + +/* + * Get argument optionally to be used by the transfer callback. + * Returns callback argument set previously (NULL if not set or on error) + */ +void *OSSL_CMP_CTX_get_transfer_cb_arg(const OSSL_CMP_CTX *ctx) +{ + if (ctx == NULL) { + CMPerr(0, CMP_R_NULL_ARGUMENT); + return NULL; + } + return ctx->transfer_cb_arg; +} + +/* + * Sets the (HTTP) server port to be used. + * Returns 1 on success, 0 on error + */ +int OSSL_CMP_CTX_set_serverPort(OSSL_CMP_CTX *ctx, int port) +{ + if (ctx == NULL) { + CMPerr(0, CMP_R_NULL_ARGUMENT); + return 0; + } + ctx->serverPort = port; + return 1; +} + +/* + * Sets the HTTP path to be used on the server (e.g "pkix/"). + * Returns 1 on success, 0 on error + */ +DEFINE_OSSL_CMP_CTX_set1(serverPath, char) + +/* + * Set the failInfo error code as bit encoding in OSSL_CMP_CTX. + * Returns 1 on success, 0 on error + */ +int ossl_cmp_ctx_set_failInfoCode(OSSL_CMP_CTX *ctx, int fail_info) +{ + if (!ossl_assert(ctx != NULL)) + return 0; + ctx->failInfoCode = fail_info; + return 1; +} + +/* + * Get the failInfo error code in OSSL_CMP_CTX as bit encoding. + * Returns bit string as integer on success, -1 on error + */ +int OSSL_CMP_CTX_get_failInfoCode(const OSSL_CMP_CTX *ctx) +{ + if (ctx == NULL) { + CMPerr(0, CMP_R_NULL_ARGUMENT); + return -1; + } + return ctx->failInfoCode; +} + +/* + * Sets a Boolean or integer option of the context to the "val" arg. + * Returns 1 on success, 0 on error + */ +int OSSL_CMP_CTX_set_option(OSSL_CMP_CTX *ctx, int opt, int val) { + int min_val; + + if (ctx == NULL) { + CMPerr(0, CMP_R_NULL_ARGUMENT); + return 0; + } + + switch (opt) { + case OSSL_CMP_OPT_REVOCATION_REASON: + min_val = OCSP_REVOKED_STATUS_NOSTATUS; + break; + case OSSL_CMP_OPT_POPOMETHOD: + min_val = OSSL_CRMF_POPO_NONE; + break; + default: + min_val = 0; + break; + } + if (val < min_val) { + CMPerr(0, CMP_R_INVALID_ARGS); + return 0; + } + + switch (opt) { + case OSSL_CMP_OPT_LOG_VERBOSITY: + if (val > OSSL_CMP_LOG_DEBUG) { + CMPerr(0, CMP_R_INVALID_ARGS); + return 0; + } + ctx->log_verbosity = val; + break; + case OSSL_CMP_OPT_IMPLICITCONFIRM: + ctx->implicitConfirm = val; + break; + case OSSL_CMP_OPT_DISABLECONFIRM: + ctx->disableConfirm = val; + break; + case OSSL_CMP_OPT_UNPROTECTED_SEND: + ctx->unprotectedSend = val; + break; + case OSSL_CMP_OPT_UNPROTECTED_ERRORS: + ctx->unprotectedErrors = val; + break; + case OSSL_CMP_OPT_VALIDITYDAYS: + ctx->days = val; + break; + case OSSL_CMP_OPT_SUBJECTALTNAME_NODEFAULT: + ctx->SubjectAltName_nodefault = val; + break; + case OSSL_CMP_OPT_SUBJECTALTNAME_CRITICAL: + ctx->setSubjectAltNameCritical = val; + break; + case OSSL_CMP_OPT_POLICIES_CRITICAL: + ctx->setPoliciesCritical = val; + break; + case OSSL_CMP_OPT_IGNORE_KEYUSAGE: + ctx->ignore_keyusage = val; + break; + case OSSL_CMP_OPT_POPOMETHOD: + if (val > OSSL_CRMF_POPO_KEYAGREE) { + CMPerr(0, CMP_R_INVALID_ARGS); + return 0; + } + ctx->popoMethod = val; + break; + case OSSL_CMP_OPT_DIGEST_ALGNID: + ctx->digest = val; + break; + case OSSL_CMP_OPT_OWF_ALGNID: + ctx->pbm_owf = val; + break; + case OSSL_CMP_OPT_MAC_ALGNID: + ctx->pbm_mac = val; + break; + case OSSL_CMP_OPT_MSGTIMEOUT: + ctx->msgtimeout = val; + break; + case OSSL_CMP_OPT_TOTALTIMEOUT: + ctx->totaltimeout = val; + break; + case OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR: + ctx->permitTAInExtraCertsForIR = val; + break; + case OSSL_CMP_OPT_REVOCATION_REASON: + if (val > OCSP_REVOKED_STATUS_AACOMPROMISE) { + CMPerr(0, CMP_R_INVALID_ARGS); + return 0; + } + ctx->revocationReason = val; + break; + default: + CMPerr(0, CMP_R_INVALID_ARGS); + return 0; + } + + return 1; +} + +/* + * Reads a Boolean or integer option value from the context. + * Returns -1 on error (which is the default OSSL_CMP_OPT_REVOCATION_REASON) + */ +int OSSL_CMP_CTX_get_option(const OSSL_CMP_CTX *ctx, int opt) { + if (ctx == NULL) { + CMPerr(0, CMP_R_NULL_ARGUMENT); + return -1; + } + + switch (opt) { + case OSSL_CMP_OPT_LOG_VERBOSITY: + return ctx->log_verbosity; + case OSSL_CMP_OPT_IMPLICITCONFIRM: + return ctx->implicitConfirm; + case OSSL_CMP_OPT_DISABLECONFIRM: + return ctx->disableConfirm; + case OSSL_CMP_OPT_UNPROTECTED_SEND: + return ctx->unprotectedSend; + case OSSL_CMP_OPT_UNPROTECTED_ERRORS: + return ctx->unprotectedErrors; + case OSSL_CMP_OPT_VALIDITYDAYS: + return ctx->days; + case OSSL_CMP_OPT_SUBJECTALTNAME_NODEFAULT: + return ctx->SubjectAltName_nodefault; + case OSSL_CMP_OPT_SUBJECTALTNAME_CRITICAL: + return ctx->setSubjectAltNameCritical; + case OSSL_CMP_OPT_POLICIES_CRITICAL: + return ctx->setPoliciesCritical; + case OSSL_CMP_OPT_IGNORE_KEYUSAGE: + return ctx->ignore_keyusage; + case OSSL_CMP_OPT_POPOMETHOD: + return ctx->popoMethod; + case OSSL_CMP_OPT_DIGEST_ALGNID: + return ctx->digest; + case OSSL_CMP_OPT_OWF_ALGNID: + return ctx->pbm_owf; + case OSSL_CMP_OPT_MAC_ALGNID: + return ctx->pbm_mac; + case OSSL_CMP_OPT_MSGTIMEOUT: + return ctx->msgtimeout; + case OSSL_CMP_OPT_TOTALTIMEOUT: + return ctx->totaltimeout; + case OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR: + return ctx->permitTAInExtraCertsForIR; + case OSSL_CMP_OPT_REVOCATION_REASON: + return ctx->revocationReason; + default: + CMPerr(0, CMP_R_INVALID_ARGS); + return -1; + } +} diff --git a/crypto/cmp/cmp_err.c b/crypto/cmp/cmp_err.c index 4e3a5c347e..4086d5220b 100644 --- a/crypto/cmp/cmp_err.c +++ b/crypto/cmp/cmp_err.c @@ -1,6 +1,7 @@ /* - * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright Nokia 2007-2019 + * Copyright Siemens AG 2015-2019 * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -14,6 +15,11 @@ #ifndef OPENSSL_NO_ERR static const ERR_STRING_DATA CMP_str_reasons[] = { + {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_INVALID_ARGS), "invalid args"}, + {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_MULTIPLE_SAN_SOURCES), + "multiple san sources"}, + {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_NO_STDIO), "no stdio"}, + {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_NULL_ARGUMENT), "null argument"}, {0, NULL} }; diff --git a/crypto/cmp/cmp_int.h b/crypto/cmp/cmp_int.h index e78968aaa1..1f47dca0d0 100644 --- a/crypto/cmp/cmp_int.h +++ b/crypto/cmp/cmp_int.h @@ -7,8 +7,6 @@ * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at * https://www.openssl.org/source/license.html - * - * CMP implementation by Martin Peylo, Miikka Viljanen, and David von Oheimb. */ #ifndef OSSL_HEADER_CMP_INT_H @@ -26,6 +24,100 @@ # include # include +/* + * this structure is used to store the context for CMP sessions + */ +struct ossl_cmp_ctx_st { + OSSL_cmp_log_cb_t log_cb; /* log callback for error/debug/etc. output */ + OSSL_CMP_severity log_verbosity; /* level of verbosity of log output */ + + /* message transfer */ + OSSL_cmp_transfer_cb_t transfer_cb; /* default: OSSL_CMP_MSG_http_perform */ + void *transfer_cb_arg; /* allows to store optional argument to cb */ + /* HTTP-based transfer */ + char *serverPath; + char *serverName; + int serverPort; + char *proxyName; + int proxyPort; + int msgtimeout; /* max seconds to wait for each CMP message round trip */ + int totaltimeout; /* maximum number seconds an enrollment may take, incl. */ + /* attempts polling for a response if a 'waiting' PKIStatus is received */ + time_t end_time; /* session start time + totaltimeout */ + OSSL_cmp_http_cb_t http_cb; + void *http_cb_arg; /* allows to store optional argument to cb */ + + /* server authentication */ + int unprotectedErrors; /* accept neg. response with no/invalid protection */ + /* to cope with broken server */ + X509 *srvCert; /* certificate used to identify the server */ + X509 *validatedSrvCert; /* caches any already validated server cert */ + X509_NAME *expected_sender; /* expected sender in pkiheader of response */ + X509_STORE *trusted; /* trust store maybe w CRLs and cert verify callback */ + STACK_OF(X509) *untrusted_certs; /* untrusted (intermediate) certs */ + int ignore_keyusage; /* ignore key usage entry when validating certs */ + int permitTAInExtraCertsForIR; /* allow use of root certs in extracerts */ + /* when validating message protection; used for 3GPP-style E.7 */ + + /* client authentication */ + int unprotectedSend; /* send unprotected PKI messages */ + X509 *clCert; /* client cert used to identify and sign for MSG_SIG_ALG */ + EVP_PKEY *pkey; /* the key pair corresponding to clCert */ + ASN1_OCTET_STRING *referenceValue; /* optional user name for MSG_MAC_ALG */ + ASN1_OCTET_STRING *secretValue; /* password/shared secret for MSG_MAC_ALG */ + /* PBMParameters for MSG_MAC_ALG */ + size_t pbm_slen; /* currently fixed to 16 */ + int pbm_owf; /* NID of one-way function (OWF), default: SHA256 */ + int pbm_itercnt; /* currently fixed to 500 */ + int pbm_mac; /* NID of MAC algorithm, default: HMAC-SHA1 as per RFC 4210 */ + + /* CMP message header and extra certificates */ + X509_NAME *recipient; /* to set in recipient in pkiheader */ + int digest; /* NID of digest used in MSG_SIG_ALG and POPO, default SHA256 */ + ASN1_OCTET_STRING *transactionID; /* the current transaction ID */ + ASN1_OCTET_STRING *senderNonce; /* last nonce sent */ + ASN1_OCTET_STRING *recipNonce; /* last nonce received */ + STACK_OF(OSSL_CMP_ITAV) *geninfo_ITAVs; + int implicitConfirm; /* set implicitConfirm in IR/KUR/CR messages */ + int disableConfirm; /* disable certConf in IR/KUR/CR for broken servers */ + STACK_OF(X509) *extraCertsOut; /* to be included in request messages */ + + /* certificate template */ + EVP_PKEY *newPkey; /* explicit new private/public key for cert enrollment */ + int newPkey_priv; /* flag indicating if newPkey contains private key */ + X509_NAME *issuer; /* issuer name to used in cert template */ + int days; /* Number of days new certificates are asked to be valid for */ + X509_NAME *subjectName; /* subject name to be used in the cert template */ + STACK_OF(GENERAL_NAME) *subjectAltNames; /* to add to the cert template */ + int SubjectAltName_nodefault; + int setSubjectAltNameCritical; + X509_EXTENSIONS *reqExtensions; /* exts to be added to cert template */ + CERTIFICATEPOLICIES *policies; /* policies to be included in extensions */ + int setPoliciesCritical; + int popoMethod; /* Proof-of-possession mechanism; default: signature */ + X509 *oldCert; /* cert to be updated (via KUR) or to be revoked (via RR) */ + X509_REQ *p10CSR; /* for P10CR: PKCS#10 CSR to be sent */ + + /* misc body contents */ + int revocationReason; /* revocation reason code to be included in RR */ + STACK_OF(OSSL_CMP_ITAV) *genm_ITAVs; /* content of general message */ + + /* result returned in responses */ + int status; /* PKIStatus of last received IP/CP/KUP/RP/error or -1 */ + /* TODO: this should be a stack since there could be more than one */ + OSSL_CMP_PKIFREETEXT *statusString; /* of last IP/CP/KUP/RP/error */ + int failInfoCode; /* failInfoCode of last received IP/CP/KUP/error, or -1 */ + /* TODO: this should be a stack since there could be more than one */ + X509 *newCert; /* newly enrolled cert received from the CA */ + /* TODO: this should be a stack since there could be more than one */ + STACK_OF(X509) *caPubs; /* CA certs received from server (in IP message) */ + STACK_OF(X509) *extraCertsIn; /* extraCerts received from server */ + + /* certificate confirmation */ + OSSL_cmp_certConf_cb_t certConf_cb; /* callback for app checking new cert */ + void *certConf_cb_arg; /* allows to store an argument individual to cb */ +} /* OSSL_CMP_CTX */; + /* * ########################################################################## * ASN.1 DECLARATIONS @@ -42,7 +134,7 @@ * -- extra CRL details (e.g., crl number, reason, location, etc.) * } */ -typedef struct OSSL_cmp_revanncontent_st { +typedef struct ossl_cmp_revanncontent_st { ASN1_INTEGER *status; OSSL_CRMF_CERTID *certId; ASN1_GENERALIZEDTIME *willBeRevokedAt; @@ -75,7 +167,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_REVANNCONTENT) * -- } * } */ -typedef struct OSSL_cmp_challenge_st { +typedef struct ossl_cmp_challenge_st { X509_ALGOR *owf; ASN1_OCTET_STRING *witness; ASN1_OCTET_STRING *challenge; @@ -89,7 +181,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CHALLENGE) * newWithNew Certificate * } */ -typedef struct OSSL_cmp_cakeyupdanncontent_st { +typedef struct ossl_cmp_cakeyupdanncontent_st { X509 *oldWithNew; X509 *newWithOld; X509 *newWithNew; @@ -109,7 +201,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_MSGS) * infoValue ANY DEFINED BY infoType OPTIONAL * } */ -struct OSSL_cmp_itav_st { +struct ossl_cmp_itav_st { ASN1_OBJECT *infoType; union { char *ptr; @@ -148,8 +240,7 @@ struct OSSL_cmp_itav_st { DECLARE_ASN1_FUNCTIONS(OSSL_CMP_ITAV) DECLARE_ASN1_DUP_FUNCTION(OSSL_CMP_ITAV) - -typedef struct OSSL_cmp_certorenccert_st { +typedef struct ossl_cmp_certorenccert_st { int type; union { X509 *certificate; @@ -166,7 +257,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTORENCCERT) * publicationInfo [1] PKIPublicationInfo OPTIONAL * } */ -typedef struct OSSL_cmp_certifiedkeypair_st { +typedef struct ossl_cmp_certifiedkeypair_st { OSSL_CMP_CERTORENCCERT *certOrEncCert; OSSL_CRMF_ENCRYPTEDVALUE *privateKey; OSSL_CRMF_PKIPUBLICATIONINFO *publicationInfo; @@ -180,7 +271,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTIFIEDKEYPAIR) * failInfo PKIFailureInfo OPTIONAL * } */ -struct OSSL_cmp_pkisi_st { +struct ossl_cmp_pkisi_st { OSSL_CMP_PKISTATUS *status; OSSL_CMP_PKIFREETEXT *statusString; OSSL_CMP_PKIFAILUREINFO *failInfo; @@ -196,7 +287,7 @@ DECLARE_ASN1_DUP_FUNCTION(OSSL_CMP_PKISI) * crlEntryDetails Extensions OPTIONAL * } */ -typedef struct OSSL_cmp_revdetails_st { +typedef struct ossl_cmp_revdetails_st { OSSL_CRMF_CERTTEMPLATE *certDetails; X509_EXTENSIONS *crlEntryDetails; } OSSL_CMP_REVDETAILS; @@ -216,7 +307,7 @@ DEFINE_STACK_OF(OSSL_CMP_REVDETAILS) * -- the resulting CRLs (there may be more than one) * } */ -struct OSSL_cmp_revrepcontent_st { +struct ossl_cmp_revrepcontent_st { STACK_OF(OSSL_CMP_PKISI) *status; STACK_OF(OSSL_CRMF_CERTID) *revCerts; STACK_OF(X509_CRL) *crls; @@ -233,7 +324,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_REVREPCONTENT) * CertifiedKeyPair OPTIONAL * } */ -typedef struct OSSL_cmp_keyrecrepcontent_st { +typedef struct ossl_cmp_keyrecrepcontent_st { OSSL_CMP_PKISI *status; X509 *newSigCert; STACK_OF(X509) *caCerts; @@ -250,7 +341,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_KEYRECREPCONTENT) * -- implementation-specific error details * } */ -typedef struct OSSL_cmp_errormsgcontent_st { +typedef struct ossl_cmp_errormsgcontent_st { OSSL_CMP_PKISI *pKIStatusInfo; ASN1_INTEGER *errorCode; OSSL_CMP_PKIFREETEXT *errorDetails; @@ -269,7 +360,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_ERRORMSGCONTENT) * statusInfo PKIStatusInfo OPTIONAL * } */ -struct OSSL_cmp_certstatus_st { +struct ossl_cmp_certstatus_st { ASN1_OCTET_STRING *certHash; ASN1_INTEGER *certReqId; OSSL_CMP_PKISI *statusInfo; @@ -292,7 +383,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTCONFIRMCONTENT) * -- for regInfo in CertReqMsg [CRMF] * } */ -struct OSSL_cmp_certresponse_st { +struct ossl_cmp_certresponse_st { ASN1_INTEGER *certReqId; OSSL_CMP_PKISI *status; OSSL_CMP_CERTIFIEDKEYPAIR *certifiedKeyPair; @@ -307,7 +398,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTRESPONSE) * response SEQUENCE OF CertResponse * } */ -struct OSSL_cmp_certrepmessage_st { +struct ossl_cmp_certrepmessage_st { STACK_OF(X509) *caPubs; STACK_OF(OSSL_CMP_CERTRESPONSE) *response; } /* OSSL_CMP_CERTREPMESSAGE */; @@ -318,7 +409,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTREPMESSAGE) * certReqId INTEGER * } */ -typedef struct OSSL_cmp_pollreq_st { +typedef struct ossl_cmp_pollreq_st { ASN1_INTEGER *certReqId; } OSSL_CMP_POLLREQ; DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POLLREQ) @@ -333,7 +424,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POLLREQCONTENT) * reason PKIFreeText OPTIONAL * } */ -struct OSSL_cmp_pollrep_st { +struct ossl_cmp_pollrep_st { ASN1_INTEGER *certReqId; ASN1_INTEGER *checkAfter; OSSL_CMP_PKIFREETEXT *reason; @@ -377,7 +468,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POLLREPCONTENT) * -- (this field not primarily intended for human consumption) * } */ -struct OSSL_cmp_pkiheader_st { +struct ossl_cmp_pkiheader_st { ASN1_INTEGER *pvno; GENERAL_NAME *sender; GENERAL_NAME *recipient; @@ -435,7 +526,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_GENREPCONTENT) * pollReq [25] PollReqContent, --Polling request * pollRep [26] PollRepContent --Polling response */ -typedef struct OSSL_cmp_pkibody_st { +typedef struct ossl_cmp_pkibody_st { int type; union { OSSL_CRMF_MSGS *ir; /* 0 */ @@ -521,7 +612,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_PKIBODY) * OPTIONAL * } */ -struct OSSL_cmp_msg_st { +struct ossl_cmp_msg_st { OSSL_CMP_PKIHEADER *header; OSSL_CMP_PKIBODY *body; ASN1_BIT_STRING *protection; /* 0 */ @@ -529,6 +620,7 @@ struct OSSL_cmp_msg_st { STACK_OF(X509) *extraCerts; /* 1 */ } /* OSSL_CMP_MSG */; DECLARE_ASN1_FUNCTIONS(OSSL_CMP_MSG) +DECLARE_ASN1_DUP_FUNCTION(OSSL_CMP_MSG) /*- * ProtectedPart ::= SEQUENCE { @@ -586,4 +678,48 @@ DECLARE_ASN1_FUNCTIONS(CMP_PROTECTEDPART) * } */ +/* + * functions + */ + +/* from cmp_asn.c */ +int ossl_cmp_asn1_get_int(const ASN1_INTEGER *a); + +/* from cmp_util.c */ +const char *ossl_cmp_log_parse_metadata(const char *buf, + OSSL_CMP_severity *level, char **func, + char **file, int *line); +/* workaround for 4096 bytes limitation of ERR_print_errors_cb() */ +void ossl_cmp_add_error_txt(const char *separator, const char *txt); +# define ossl_cmp_add_error_data(txt) ossl_cmp_add_error_txt(" : ", txt) +# define ossl_cmp_add_error_line(txt) ossl_cmp_add_error_txt("\n", txt) +/* functions manipulating lists of certificates etc could be generally useful */ +int ossl_cmp_sk_X509_add1_cert (STACK_OF(X509) *sk, X509 *cert, + int no_dup, int prepend); +int ossl_cmp_sk_X509_add1_certs(STACK_OF(X509) *sk, STACK_OF(X509) *certs, + int no_self_signed, int no_dups, int prepend); +int ossl_cmp_X509_STORE_add1_certs(X509_STORE *store, STACK_OF(X509) *certs, + int only_self_signed); +STACK_OF(X509) *ossl_cmp_X509_STORE_get1_certs(X509_STORE *store); +int ossl_cmp_asn1_octet_string_set1(ASN1_OCTET_STRING **tgt, + const ASN1_OCTET_STRING *src); +int ossl_cmp_asn1_octet_string_set1_bytes(ASN1_OCTET_STRING **tgt, + const unsigned char *bytes, int len); +STACK_OF(X509) *ossl_cmp_build_cert_chain(STACK_OF(X509) *certs, X509 *cert); + +/* from cmp_ctx.c */ +int ossl_cmp_ctx_set0_validatedSrvCert(OSSL_CMP_CTX *ctx, X509 *cert); +int ossl_cmp_ctx_set_status(OSSL_CMP_CTX *ctx, int status); +int ossl_cmp_ctx_set0_statusString(OSSL_CMP_CTX *ctx, + OSSL_CMP_PKIFREETEXT *text); +int ossl_cmp_ctx_set_failInfoCode(OSSL_CMP_CTX *ctx, int fail_info); +int ossl_cmp_ctx_set0_newCert(OSSL_CMP_CTX *ctx, X509 *cert); +int ossl_cmp_ctx_set1_caPubs(OSSL_CMP_CTX *ctx, STACK_OF(X509) *caPubs); +int ossl_cmp_ctx_set1_extraCertsIn(OSSL_CMP_CTX *ctx, + STACK_OF(X509) *extraCertsIn); +int ossl_cmp_ctx_set1_recipNonce(OSSL_CMP_CTX *ctx, + const ASN1_OCTET_STRING *nonce); + +# define OSSL_CMP_TRANSACTIONID_LENGTH 16 + #endif /* !defined OSSL_HEADER_CMP_INT_H */ diff --git a/crypto/cmp/cmp_util.c b/crypto/cmp/cmp_util.c new file mode 100644 index 0000000000..1ca981bf7b --- /dev/null +++ b/crypto/cmp/cmp_util.c @@ -0,0 +1,449 @@ +/* + * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright Nokia 2007-2019 + * Copyright Siemens AG 2015-2019 + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include "cmp_int.h" /* just for decls of internal functions defined here */ +#include +#include /* should be implied by cmperr.h */ +#include + +/* + * use trace API for CMP-specific logging, prefixed by "CMP " and severity + */ + +int OSSL_CMP_log_open(void) /* is designed to be idempotent */ +{ +#ifndef OPENSSL_NO_STDIO + BIO *bio = BIO_new_fp(stdout, BIO_NOCLOSE); + + if (bio != NULL && OSSL_trace_set_channel(OSSL_TRACE_CATEGORY_CMP, bio)) + return 1; + BIO_free(bio); +#endif + CMPerr(0, CMP_R_NO_STDIO); + return 0; +} + +void OSSL_CMP_log_close(void) /* is designed to be idempotent */ +{ + (void)OSSL_trace_set_channel(OSSL_TRACE_CATEGORY_CMP, NULL); +} + +/* return >= 0 if level contains logging level, possibly preceded by "CMP " */ +#define max_level_len 5 /* = max length of the below strings, e.g., "EMERG" */ +static OSSL_CMP_severity parse_level(const char *level) +{ + const char *end_level = strchr(level, ':'); + int len; + char level_copy[max_level_len + 1]; + + if (end_level == NULL) + return -1; + + if (strncmp(level, OSSL_CMP_LOG_PREFIX, + strlen(OSSL_CMP_LOG_PREFIX)) == 0) + level += strlen(OSSL_CMP_LOG_PREFIX); + len = end_level - level; + if (len > max_level_len) + return -1; + OPENSSL_strlcpy(level_copy, level, len + 1); + return + strcmp(level_copy, "EMERG") == 0 ? OSSL_CMP_LOG_EMERG : + strcmp(level_copy, "ALERT") == 0 ? OSSL_CMP_LOG_ALERT : + strcmp(level_copy, "CRIT") == 0 ? OSSL_CMP_LOG_CRIT : + strcmp(level_copy, "ERROR") == 0 ? OSSL_CMP_LOG_ERR : + strcmp(level_copy, "WARN") == 0 ? OSSL_CMP_LOG_WARNING : + strcmp(level_copy, "NOTE") == 0 ? OSSL_CMP_LOG_NOTICE : + strcmp(level_copy, "INFO") == 0 ? OSSL_CMP_LOG_INFO : + strcmp(level_copy, "DEBUG") == 0 ? OSSL_CMP_LOG_DEBUG : + -1; +} + +const char *ossl_cmp_log_parse_metadata(const char *buf, + OSSL_CMP_severity *level, char **func, char **file, int *line) +{ + const char *p_func = buf; + const char *p_file = buf == NULL ? NULL : strchr(buf, ':'); + const char *p_level = buf; + const char *msg = buf; + + *level = -1; + *func = NULL; + *file = NULL; + *line = 0; + + if (p_file != NULL) { + const char *p_line = strchr(++p_file, ':'); + + if ((*level = parse_level(buf)) < 0 && p_line != NULL) { + /* check if buf contains location info and logging level */ + char *p_level_tmp = (char *)p_level; + const long line_number = strtol(++p_line, &p_level_tmp, 10); + + p_level = p_level_tmp; + if (p_level > p_line && *(p_level++) == ':') { + if ((*level = parse_level(p_level)) >= 0) { + *func = OPENSSL_strndup(p_func, p_file - 1 - p_func); + *file = OPENSSL_strndup(p_file, p_line - 1 - p_file); + /* no real problem if OPENSSL_strndup() returns NULL */ + *line = (int)line_number; + msg = strchr(p_level, ':') + 1; + if (*msg == ' ') + msg++; + } + } + } + } + return msg; +} + + +/* + * auxiliary function for incrementally reporting texts via the error queue + */ +static void put_error(int lib, const char *func, int reason, + const char *file, int line) +{ + ERR_new(); + ERR_set_debug(file, line, func); + ERR_set_error(lib, reason, NULL /* no data here, so fmt is NULL */); +} + +#define ERR_print_errors_cb_LIMIT 4096 /* size of char buf[] variable there */ +#define TYPICAL_MAX_OUTPUT_BEFORE_DATA 100 +#define MAX_DATA_LEN (ERR_print_errors_cb_LIMIT-TYPICAL_MAX_OUTPUT_BEFORE_DATA) +void ossl_cmp_add_error_txt(const char *separator, const char *txt) +{ + const char *file = NULL; + int line; + const char *func = NULL; + const char *data = NULL; + int flags; + unsigned long err = ERR_peek_last_error(); + + if (separator == NULL) + separator = ""; + if (err == 0) + put_error(ERR_LIB_CMP, NULL, 0, "", 0); + + do { + size_t available_len, data_len; + const char *curr = txt, *next = txt; + char *tmp; + + ERR_peek_last_error_all(&file, &line, &func, &data, &flags); + if ((flags & ERR_TXT_STRING) == 0) { + data = ""; + separator = ""; + } + data_len = strlen(data); + + /* workaround for limit of ERR_print_errors_cb() */ + if (data_len >= MAX_DATA_LEN + || strlen(separator) >= (size_t)(MAX_DATA_LEN - data_len)) + available_len = 0; + else + available_len = MAX_DATA_LEN - data_len - strlen(separator) - 1; + /* MAX_DATA_LEN > available_len >= 0 */ + + if (separator[0] == '\0') { + const size_t len_next = strlen(next); + + if (len_next <= available_len) { + next += len_next; + curr = NULL; /* no need to split */ + } + else { + next += available_len; + curr = next; /* will split at this point */ + } + } else { + while (*next != '\0' && (size_t)(next - txt) <= available_len) { + curr = next; + next = strstr(curr, separator); + if (next != NULL) + next += strlen(separator); + else + next = curr + strlen(curr); + } + if ((size_t)(next - txt) <= available_len) + curr = NULL; /* the above loop implies *next == '\0' */ + } + if (curr != NULL) { + /* split error msg at curr since error data would get too long */ + if (curr != txt) { + tmp = OPENSSL_strndup(txt, curr - txt); + if (tmp == NULL) + return; + ERR_add_error_data(2, separator, tmp); + OPENSSL_free(tmp); + } + put_error(ERR_LIB_CMP, func, err, file, line); + txt = curr; + } else { + ERR_add_error_data(2, separator, txt); + txt = next; /* finished */ + } + } while (*txt != '\0'); +} + +/* this is similar to ERR_print_errors_cb, but uses the CMP-specific cb type */ +void OSSL_CMP_print_errors_cb(OSSL_cmp_log_cb_t log_fn) +{ + unsigned long err; + char msg[ERR_print_errors_cb_LIMIT]; + const char *file = NULL, *func = NULL, *data = NULL; + int line, flags; + + if (log_fn == NULL) { +#ifndef OPENSSL_NO_STDIO + ERR_print_errors_fp(stderr); +#else + /* CMPerr(0, CMP_R_NO_STDIO) makes no sense during error printing */ +#endif + return; + } + + while ((err = ERR_get_error_all(&file, &line, &func, &data, &flags)) != 0) { + char component[128]; + const char *func_ = func != NULL && *func != '\0' ? func : ""; + + if (!(flags & ERR_TXT_STRING)) + data = NULL; +#ifdef OSSL_CMP_PRINT_LIBINFO + BIO_snprintf(component, sizeof(component), "OpenSSL:%s:%s", + ERR_lib_error_string(err), func_); +#else + BIO_snprintf(component, sizeof(component), "%s",func_); +#endif + BIO_snprintf(msg, sizeof(msg), "%s%s%s", ERR_reason_error_string(err), + data == NULL ? "" : " : ", data == NULL ? "" : data); + if (log_fn(component, file, line, OSSL_CMP_LOG_ERR, msg) <= 0) + break; /* abort outputting the error report */ + } +} + +/* + * functions manipulating lists of certificates etc. + * these functions could be generally useful. + */ + +int ossl_cmp_sk_X509_add1_cert(STACK_OF(X509) *sk, X509 *cert, + int no_dup, int prepend) +{ + if (sk == NULL) { + CMPerr(0, CMP_R_NULL_ARGUMENT); + return 0; + } + if (no_dup) { + /* + * not using sk_X509_set_cmp_func() and sk_X509_find() + * because this re-orders the certs on the stack + */ + int i; + + for (i = 0; i < sk_X509_num(sk); i++) { + if (X509_cmp(sk_X509_value(sk, i), cert) == 0) + return 1; + } + } + if (!X509_up_ref(cert)) + return 0; + if (!sk_X509_insert(sk, cert, prepend ? 0 : -1)) { + X509_free(cert); + return 0; + } + return 1; +} + +int ossl_cmp_sk_X509_add1_certs(STACK_OF(X509) *sk, STACK_OF(X509) *certs, + int no_self_signed, int no_dups, int prepend) +/* compiler would allow 'const' for the list of certs, yet they are up-ref'ed */ +{ + int i; + + if (sk == NULL) { + CMPerr(0, CMP_R_NULL_ARGUMENT); + return 0; + } + for (i = 0; i < sk_X509_num(certs); i++) { /* certs may be NULL */ + X509 *cert = sk_X509_value(certs, i); + + if (!no_self_signed || X509_check_issued(cert, cert) != X509_V_OK) { + if (!ossl_cmp_sk_X509_add1_cert(sk, cert, no_dups, prepend)) + return 0; + } + } + return 1; +} + +int ossl_cmp_X509_STORE_add1_certs(X509_STORE *store, STACK_OF(X509) *certs, + int only_self_signed) +{ + int i; + + if (store == NULL) { + CMPerr(0, CMP_R_NULL_ARGUMENT); + return 0; + } + if (certs == NULL) + return 1; + for (i = 0; i < sk_X509_num(certs); i++) { + X509 *cert = sk_X509_value(certs, i); + + if (!only_self_signed || X509_check_issued(cert, cert) == X509_V_OK) + if (!X509_STORE_add_cert(store, cert)) /* ups cert ref counter */ + return 0; + } + return 1; +} + +STACK_OF(X509) *ossl_cmp_X509_STORE_get1_certs(X509_STORE *store) +{ + int i; + STACK_OF(X509) *sk; + STACK_OF(X509_OBJECT) *objs; + + if (store == NULL) { + CMPerr(0, CMP_R_NULL_ARGUMENT); + return 0; + } + if ((sk = sk_X509_new_null()) == NULL) + return NULL; + objs = X509_STORE_get0_objects(store); + for (i = 0; i < sk_X509_OBJECT_num(objs); i++) { + X509 *cert = X509_OBJECT_get0_X509(sk_X509_OBJECT_value(objs, i)); + + if (cert != NULL) { + if (!sk_X509_push(sk, cert)) + goto err; + if (!X509_up_ref(cert)) { + (void)sk_X509_pop(sk); + goto err; + } + } + } + return sk; + + err: + sk_X509_pop_free(sk, X509_free); + return NULL; +} + +/*- + * Builds up the certificate chain of certs as high up as possible using + * the given list of certs containing all possible intermediate certificates and + * optionally the (possible) trust anchor(s). See also ssl_add_cert_chain(). + * + * Intended use of this function is to find all the certificates above the trust + * anchor needed to verify an EE's own certificate. Those are supposed to be + * included in the ExtraCerts field of every first sent message of a transaction + * when MSG_SIG_ALG is utilized. + * + * NOTE: This allocates a stack and increments the reference count of each cert, + * so when not needed any more the stack and all its elements should be freed. + * NOTE: in case there is more than one possibility for the chain, + * OpenSSL seems to take the first one, check X509_verify_cert() for details. + * + * returns a pointer to a stack of (up_ref'ed) X509 certificates containing: + * - the EE certificate given in the function arguments (cert) + * - all intermediate certificates up the chain toward the trust anchor + * whereas the (self-signed) trust anchor is not included + * returns NULL on error + */ +STACK_OF(X509) *ossl_cmp_build_cert_chain(STACK_OF(X509) *certs, X509 *cert) +{ + STACK_OF(X509) *chain = NULL, *result = NULL; + X509_STORE *store = X509_STORE_new(); + X509_STORE_CTX *csc = NULL; + + if (certs == NULL || cert == NULL || store == NULL) { + CMPerr(0, CMP_R_NULL_ARGUMENT); + goto err; + } + + csc = X509_STORE_CTX_new(); + if (csc == NULL) + goto err; + + if (!ossl_cmp_X509_STORE_add1_certs(store, certs, 0) + || !X509_STORE_CTX_init(csc, store, cert, NULL)) + goto err; + + (void)ERR_set_mark(); + /* + * ignore return value as it would fail without trust anchor given in store + */ + (void)X509_verify_cert(csc); + + /* don't leave any new errors in the queue */ + (void)ERR_pop_to_mark(); + + chain = X509_STORE_CTX_get0_chain(csc); + + /* result list to store the up_ref'ed not self-signed certificates */ + if ((result = sk_X509_new_null()) == NULL) + goto err; + if (!ossl_cmp_sk_X509_add1_certs(result, chain, 1 /* no self-signed */, + 1 /* no duplicates */, 0)) { + sk_X509_free(result); + result = NULL; + } + + err: + X509_STORE_free(store); + X509_STORE_CTX_free(csc); + return result; +} + +int ossl_cmp_asn1_octet_string_set1(ASN1_OCTET_STRING **tgt, + const ASN1_OCTET_STRING *src) +{ + if (tgt == NULL) { + CMPerr(0, CMP_R_NULL_ARGUMENT); + return 0; + } + if (*tgt == src) /* self-assignment */ + return 1; + ASN1_OCTET_STRING_free(*tgt); + + if (src != NULL) { + if ((*tgt = ASN1_OCTET_STRING_dup(src)) == NULL) + return 0; + } else { + *tgt = NULL; + } + + return 1; +} + +int ossl_cmp_asn1_octet_string_set1_bytes(ASN1_OCTET_STRING **tgt, + const unsigned char *bytes, int len) +{ + ASN1_OCTET_STRING *new = NULL; + + if (tgt == NULL) { + CMPerr(0, CMP_R_NULL_ARGUMENT); + return 0; + } + if (bytes != NULL) { + if ((new = ASN1_OCTET_STRING_new()) == NULL + || !(ASN1_OCTET_STRING_set(new, bytes, len))) { + ASN1_OCTET_STRING_free(new); + return 0; + } + } + + ASN1_OCTET_STRING_free(*tgt); + *tgt = new; + return 1; +} diff --git a/crypto/crmf/crmf_int.h b/crypto/crmf/crmf_int.h index b76205784b..54f9a4a225 100644 --- a/crypto/crmf/crmf_int.h +++ b/crypto/crmf/crmf_int.h @@ -42,7 +42,7 @@ * -- the encrypted value itself * } */ -struct OSSL_crmf_encryptedvalue_st { +struct ossl_crmf_encryptedvalue_st { X509_ALGOR *intendedAlg; /* 0 */ X509_ALGOR *symmAlg; /* 1 */ ASN1_BIT_STRING *encSymmKey; /* 2 */ @@ -62,7 +62,7 @@ struct OSSL_crmf_encryptedvalue_st { * attributes [0] IMPLICIT Attributes OPTIONAL * } */ -typedef struct OSSL_crmf_privatekeyinfo_st { +typedef struct ossl_crmf_privatekeyinfo_st { ASN1_INTEGER *version; X509_ALGOR *privateKeyAlgorithm; ASN1_OCTET_STRING *privateKey; @@ -82,7 +82,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_PRIVATEKEYINFO) * } OPTIONAL * } */ -typedef struct OSSL_crmf_enckeywithid_identifier_st { +typedef struct ossl_crmf_enckeywithid_identifier_st { int type; union { ASN1_UTF8STRING *string; @@ -91,7 +91,7 @@ typedef struct OSSL_crmf_enckeywithid_identifier_st { } OSSL_CRMF_ENCKEYWITHID_IDENTIFIER; DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_ENCKEYWITHID_IDENTIFIER) -typedef struct OSSL_crmf_enckeywithid_st { +typedef struct ossl_crmf_enckeywithid_st { OSSL_CRMF_PRIVATEKEYINFO *privateKey; /* [0] */ OSSL_CRMF_ENCKEYWITHID_IDENTIFIER *identifier; @@ -104,7 +104,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_ENCKEYWITHID) * serialNumber INTEGER * } */ -struct OSSL_crmf_certid_st { +struct ossl_crmf_certid_st { GENERAL_NAME *issuer; ASN1_INTEGER *serialNumber; } /* OSSL_CRMF_CERTID */; @@ -120,7 +120,7 @@ DECLARE_ASN1_DUP_FUNCTION(OSSL_CRMF_CERTID) * pubLocation GeneralName OPTIONAL * } */ -struct OSSL_crmf_singlepubinfo_st { +struct ossl_crmf_singlepubinfo_st { ASN1_INTEGER *pubMethod; GENERAL_NAME *pubLocation; } /* OSSL_CRMF_SINGLEPUBINFO */; @@ -139,7 +139,7 @@ typedef STACK_OF(OSSL_CRMF_SINGLEPUBINFO) OSSL_CRMF_PUBINFOS; * -- "dontCare" is assumed) * } */ -struct OSSL_crmf_pkipublicationinfo_st { +struct ossl_crmf_pkipublicationinfo_st { ASN1_INTEGER *action; OSSL_CRMF_PUBINFOS *pubInfos; } /* OSSL_CRMF_PKIPUBLICATIONINFO */; @@ -153,7 +153,7 @@ DECLARE_ASN1_DUP_FUNCTION(OSSL_CRMF_PKIPUBLICATIONINFO) * value BIT STRING * } */ -typedef struct OSSL_crmf_pkmacvalue_st { +typedef struct ossl_crmf_pkmacvalue_st { X509_ALGOR *algId; ASN1_BIT_STRING *value; } OSSL_CRMF_PKMACVALUE; @@ -182,7 +182,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_PKMACVALUE) * } */ -typedef struct OSSL_crmf_popoprivkey_st { +typedef struct ossl_crmf_popoprivkey_st { int type; union { ASN1_BIT_STRING *thisMessage; /* 0 */ /* Deprecated */ @@ -211,7 +211,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPOPRIVKEY) * -- or HMAC [HMAC, RFC2202]) * } */ -struct OSSL_crmf_pbmparameter_st { +struct ossl_crmf_pbmparameter_st { ASN1_OCTET_STRING *salt; X509_ALGOR *owf; ASN1_INTEGER *iterationCount; @@ -233,7 +233,7 @@ struct OSSL_crmf_pbmparameter_st { * publicKey SubjectPublicKeyInfo -- from CertTemplate * } */ -typedef struct OSSL_crmf_poposigningkeyinput_authinfo_st { +typedef struct ossl_crmf_poposigningkeyinput_authinfo_st { int type; union { /* 0 */ GENERAL_NAME *sender; @@ -242,7 +242,7 @@ typedef struct OSSL_crmf_poposigningkeyinput_authinfo_st { } OSSL_CRMF_POPOSIGNINGKEYINPUT_AUTHINFO; DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPOSIGNINGKEYINPUT_AUTHINFO) -typedef struct OSSL_crmf_poposigningkeyinput_st { +typedef struct ossl_crmf_poposigningkeyinput_st { OSSL_CRMF_POPOSIGNINGKEYINPUT_AUTHINFO *authInfo; X509_PUBKEY *publicKey; } OSSL_CRMF_POPOSIGNINGKEYINPUT; @@ -255,7 +255,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPOSIGNINGKEYINPUT) * signature BIT STRING * } */ -struct OSSL_crmf_poposigningkey_st { +struct ossl_crmf_poposigningkey_st { OSSL_CRMF_POPOSIGNINGKEYINPUT *poposkInput; X509_ALGOR *algorithmIdentifier; ASN1_BIT_STRING *signature; @@ -272,7 +272,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPOSIGNINGKEY) * keyAgreement [3] POPOPrivKey * } */ -typedef struct OSSL_crmf_popo_st { +typedef struct ossl_crmf_popo_st { int type; union { ASN1_NULL *raVerified; /* 0 */ @@ -289,7 +289,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPO) * notAfter [1] Time OPTIONAL -- at least one MUST be present * } */ -struct OSSL_crmf_optionalvalidity_st { +struct ossl_crmf_optionalvalidity_st { /* 0 */ ASN1_TIME *notBefore; /* 1 */ ASN1_TIME *notAfter; } /* OSSL_CRMF_OPTIONALVALIDITY */; @@ -309,7 +309,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_OPTIONALVALIDITY) * extensions [9] Extensions OPTIONAL * } */ -struct OSSL_crmf_certtemplate_st { +struct ossl_crmf_certtemplate_st { ASN1_INTEGER *version; /* 0 */ ASN1_INTEGER *serialNumber; /* 1 */ /* serialNumber MUST be omitted */ /* This field is assigned by the CA during certificate creation */ @@ -333,7 +333,7 @@ struct OSSL_crmf_certtemplate_st { * controls Controls OPTIONAL -- Attributes affecting issuance * } */ -struct OSSL_crmf_certrequest_st { +struct ossl_crmf_certrequest_st { ASN1_INTEGER *certReqId; OSSL_CRMF_CERTTEMPLATE *certTemplate; /* TODO: make OSSL_CRMF_CONTROLS out of that - but only cosmetical */ @@ -343,7 +343,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_CERTREQUEST) DECLARE_ASN1_DUP_FUNCTION(OSSL_CRMF_CERTREQUEST) /* TODO: isn't there a better way to have this for ANY type? */ -struct OSSL_crmf_attributetypeandvalue_st { +struct ossl_crmf_attributetypeandvalue_st { ASN1_OBJECT *type; union { /* NID_id_regCtrl_regToken */ @@ -383,7 +383,7 @@ DECLARE_ASN1_DUP_FUNCTION(OSSL_CRMF_ATTRIBUTETYPEANDVALUE) * regInfo SEQUENCE SIZE(1..MAX) OF AttributeTypeAndValue OPTIONAL * } */ -struct OSSL_crmf_msg_st { +struct ossl_crmf_msg_st { OSSL_CRMF_CERTREQUEST *certReq; /* 0 */ OSSL_CRMF_POPO *popo; diff --git a/crypto/crmf/crmf_lib.c b/crypto/crmf/crmf_lib.c index 2974341446..85444017ff 100644 --- a/crypto/crmf/crmf_lib.c +++ b/crypto/crmf/crmf_lib.c @@ -82,16 +82,14 @@ static int OSSL_CRMF_MSG_push0_regCtrl(OSSL_CRMF_MSG *crm, if (crm->certReq->controls == NULL) { crm->certReq->controls = sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_new_null(); if (crm->certReq->controls == NULL) - goto oom; + goto err; new = 1; } if (!sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_push(crm->certReq->controls, ctrl)) - goto oom; + goto err; return 1; - oom: - CRMFerr(CRMF_F_OSSL_CRMF_MSG_PUSH0_REGCTRL, ERR_R_MALLOC_FAILURE); - + err: if (new != 0) { sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_free(crm->certReq->controls); crm->certReq->controls = NULL; @@ -136,16 +134,9 @@ int OSSL_CRMF_MSG_PKIPublicationInfo_push0_SinglePubInfo( if (pi->pubInfos == NULL) pi->pubInfos = sk_OSSL_CRMF_SINGLEPUBINFO_new_null(); if (pi->pubInfos == NULL) - goto oom; - - if (!sk_OSSL_CRMF_SINGLEPUBINFO_push(pi->pubInfos, spi)) - goto oom; - return 1; + return 0; - oom: - CRMFerr(CRMF_F_OSSL_CRMF_MSG_PKIPUBLICATIONINFO_PUSH0_SINGLEPUBINFO, - ERR_R_MALLOC_FAILURE); - return 0; + return sk_OSSL_CRMF_SINGLEPUBINFO_push(pi->pubInfos, spi); } int OSSL_CRMF_MSG_set_PKIPublicationInfo_action( @@ -180,20 +171,19 @@ OSSL_CRMF_CERTID *OSSL_CRMF_CERTID_gen(const X509_NAME *issuer, } if ((cid = OSSL_CRMF_CERTID_new()) == NULL) - goto oom; + goto err; if (!X509_NAME_set(&cid->issuer->d.directoryName, issuer)) - goto oom; + goto err; cid->issuer->type = GEN_DIRNAME; ASN1_INTEGER_free(cid->serialNumber); if ((cid->serialNumber = ASN1_INTEGER_dup(serial)) == NULL) - goto oom; + goto err; return cid; - oom: - CRMFerr(CRMF_F_OSSL_CRMF_CERTID_GEN, ERR_R_MALLOC_FAILURE); + err: OSSL_CRMF_CERTID_free(cid); return NULL; } @@ -222,13 +212,12 @@ static int OSSL_CRMF_MSG_push0_regInfo(OSSL_CRMF_MSG *crm, if (crm->regInfo == NULL) crm->regInfo = info = sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_new_null(); if (crm->regInfo == NULL) - goto oom; + goto err; if (!sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_push(crm->regInfo, ri)) - goto oom; + goto err; return 1; - oom: - CRMFerr(CRMF_F_OSSL_CRMF_MSG_PUSH0_REGINFO, ERR_R_MALLOC_FAILURE); + err: if (info != NULL) crm->regInfo = NULL; sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_free(info); @@ -266,11 +255,11 @@ int OSSL_CRMF_MSG_set_validity(OSSL_CRMF_MSG *crm, time_t from, time_t to) } if (from != 0 && ((from_asn = ASN1_TIME_set(NULL, from)) == NULL)) - goto oom; + goto err; if (to != 0 && ((to_asn = ASN1_TIME_set(NULL, to)) == NULL)) - goto oom; + goto err; if ((vld = OSSL_CRMF_OPTIONALVALIDITY_new()) == NULL) - goto oom; + goto err; vld->notBefore = from_asn; vld->notAfter = to_asn; @@ -278,8 +267,7 @@ int OSSL_CRMF_MSG_set_validity(OSSL_CRMF_MSG *crm, time_t from, time_t to) tmpl->validity = vld; return 1; - oom: - CRMFerr(CRMF_F_OSSL_CRMF_MSG_SET_VALIDITY, ERR_R_MALLOC_FAILURE); + err: ASN1_TIME_free(from_asn); ASN1_TIME_free(to_asn); return 0; @@ -348,7 +336,7 @@ int OSSL_CRMF_MSG_set0_extensions(OSSL_CRMF_MSG *crm, int OSSL_CRMF_MSG_push0_extension(OSSL_CRMF_MSG *crm, - const X509_EXTENSION *ext) + X509_EXTENSION *ext) { int new = 0; OSSL_CRMF_CERTTEMPLATE *tmpl = OSSL_CRMF_MSG_get0_tmpl(crm); @@ -360,16 +348,14 @@ int OSSL_CRMF_MSG_push0_extension(OSSL_CRMF_MSG *crm, if (tmpl->extensions == NULL) { if ((tmpl->extensions = sk_X509_EXTENSION_new_null()) == NULL) - goto oom; + goto err; new = 1; } - if (!sk_X509_EXTENSION_push(tmpl->extensions, (X509_EXTENSION *)ext)) - goto oom; + if (!sk_X509_EXTENSION_push(tmpl->extensions, ext)) + goto err; return 1; - oom: - CRMFerr(CRMF_F_OSSL_CRMF_MSG_PUSH0_EXTENSION, ERR_R_MALLOC_FAILURE); - + err: if (new != 0) { sk_X509_EXTENSION_free(tmpl->extensions); tmpl->extensions = NULL; @@ -428,10 +414,8 @@ static int CRMF_poposigningkey_init(OSSL_CRMF_POPOSIGNINGKEY *ps, CRMFerr(CRMF_F_CRMF_POPOSIGNINGKEY_INIT, CRMF_R_ERROR); goto err; } - if ((sig = OPENSSL_malloc(siglen)) == NULL) { - CRMFerr(CRMF_F_CRMF_POPOSIGNINGKEY_INIT, ERR_R_MALLOC_FAILURE); + if ((sig = OPENSSL_malloc(siglen)) == NULL) goto err; - } if (EVP_DigestSignFinal(ctx, sig, &siglen) <= 0 || !ASN1_BIT_STRING_set(ps->signature, sig, siglen)) { CRMFerr(CRMF_F_CRMF_POPOSIGNINGKEY_INIT, CRMF_R_ERROR); @@ -461,13 +445,13 @@ int OSSL_CRMF_MSG_create_popo(OSSL_CRMF_MSG *crm, EVP_PKEY *pkey, if (ppmtd == OSSL_CRMF_POPO_NONE) goto end; if ((pp = OSSL_CRMF_POPO_new()) == NULL) - goto oom; + goto err; pp->type = ppmtd; switch (ppmtd) { case OSSL_CRMF_POPO_RAVERIFIED: if ((pp->value.raVerified = ASN1_NULL_new()) == NULL) - goto oom; + goto err; break; case OSSL_CRMF_POPO_SIGNATURE: @@ -484,14 +468,14 @@ int OSSL_CRMF_MSG_create_popo(OSSL_CRMF_MSG *crm, EVP_PKEY *pkey, case OSSL_CRMF_POPO_KEYENC: if ((pp->value.keyEncipherment = OSSL_CRMF_POPOPRIVKEY_new()) == NULL) - goto oom; + goto err; tag = ASN1_INTEGER_new(); pp->value.keyEncipherment->type = OSSL_CRMF_POPOPRIVKEY_SUBSEQUENTMESSAGE; pp->value.keyEncipherment->value.subsequentMessage = tag; if (tag == NULL || !ASN1_INTEGER_set(tag, OSSL_CRMF_SUBSEQUENTMESSAGE_ENCRCERT)) - goto oom; + goto err; break; default: @@ -505,8 +489,6 @@ int OSSL_CRMF_MSG_create_popo(OSSL_CRMF_MSG *crm, EVP_PKEY *pkey, crm->popo = pp; return 1; - oom: - CRMFerr(CRMF_F_OSSL_CRMF_MSG_CREATE_POPO, ERR_R_MALLOC_FAILURE); err: OSSL_CRMF_POPO_free(pp); return 0; @@ -609,7 +591,20 @@ X509_NAME *OSSL_CRMF_CERTTEMPLATE_get0_issuer(OSSL_CRMF_CERTTEMPLATE *tmpl) return tmpl != NULL ? tmpl->issuer : NULL; } -/* +/* retrieves the issuer name of the given CertId or NULL on error */ +X509_NAME *OSSL_CRMF_CERTID_get0_issuer(const OSSL_CRMF_CERTID *cid) +{ + return cid != NULL && cid->issuer->type == GEN_DIRNAME ? + cid->issuer->d.directoryName : NULL; +} + +/* retrieves the serialNumber of the given CertId or NULL on error */ +ASN1_INTEGER *OSSL_CRMF_CERTID_get0_serialNumber(const OSSL_CRMF_CERTID *cid) +{ + return cid != NULL ? cid->serialNumber : NULL; +} + +/*- * fill in certificate template. * Any value argument that is NULL will leave the respective field unchanged. */ @@ -624,27 +619,23 @@ int OSSL_CRMF_CERTTEMPLATE_fill(OSSL_CRMF_CERTTEMPLATE *tmpl, return 0; } if (subject != NULL && !X509_NAME_set(&tmpl->subject, subject)) - goto oom; + return 0; if (issuer != NULL && !X509_NAME_set(&tmpl->issuer, issuer)) - goto oom; + return 0; if (serial != NULL) { ASN1_INTEGER_free(tmpl->serialNumber); if ((tmpl->serialNumber = ASN1_INTEGER_dup(serial)) == NULL) - goto oom; + return 0; } if (pubkey != NULL && !X509_PUBKEY_set(&tmpl->publicKey, pubkey)) - goto oom; + return 0; return 1; - - oom: - CRMFerr(CRMF_F_OSSL_CRMF_CERTTEMPLATE_FILL, ERR_R_MALLOC_FAILURE); - return 0; } /*- - * Decrypts the certificate in the given encryptedValue - * this is needed for the indirect PoP method as in RFC 4210 section 5.2.8.2 + * Decrypts the certificate in the given encryptedValue using private key pkey. + * This is needed for the indirect PoP method as in RFC 4210 section 5.2.8.2. * * returns a pointer to the decrypted certificate * returns NULL on error or if no certificate available @@ -693,7 +684,7 @@ X509 *OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(OSSL_CRMF_ENCRYPTEDVALUE *ecert, if (EVP_PKEY_decrypt(pkctx, NULL, &eksize, encKey->data, encKey->length) <= 0 || (ek = OPENSSL_malloc(eksize)) == NULL) - goto oom; + goto end; retval = EVP_PKEY_decrypt(pkctx, ek, &eksize, encKey->data, encKey->length); ERR_clear_error(); /* error state may have sensitive information */ @@ -706,10 +697,10 @@ X509 *OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(OSSL_CRMF_ENCRYPTEDVALUE *ecert, goto end; } } else { - goto oom; + goto end; } if ((iv = OPENSSL_malloc(EVP_CIPHER_iv_length(cipher))) == NULL) - goto oom; + goto end; if (ASN1_TYPE_get_octetstring(ecert->symmAlg->parameter, iv, EVP_CIPHER_iv_length(cipher)) != EVP_CIPHER_iv_length(cipher)) { @@ -725,7 +716,7 @@ X509 *OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(OSSL_CRMF_ENCRYPTEDVALUE *ecert, if ((p = outbuf = OPENSSL_malloc(ecert->encValue->length + EVP_CIPHER_block_size(cipher))) == NULL || (evp_ctx = EVP_CIPHER_CTX_new()) == NULL) - goto oom; + goto end; EVP_CIPHER_CTX_set_padding(evp_ctx, 0); if (!EVP_DecryptInit(evp_ctx, cipher, ek, iv) @@ -744,10 +735,6 @@ X509 *OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(OSSL_CRMF_ENCRYPTEDVALUE *ecert, CRMFerr(CRMF_F_OSSL_CRMF_ENCRYPTEDVALUE_GET1_ENCCERT, CRMF_R_ERROR_DECODING_CERTIFICATE); } - goto end; - - oom: - CRMFerr(CRMF_F_OSSL_CRMF_ENCRYPTEDVALUE_GET1_ENCCERT, ERR_R_MALLOC_FAILURE); end: EVP_PKEY_CTX_free(pkctx); OPENSSL_free(outbuf); diff --git a/crypto/crmf/crmf_pbm.c b/crypto/crmf/crmf_pbm.c index a3ac45557d..47dc86a550 100644 --- a/crypto/crmf/crmf_pbm.c +++ b/crypto/crmf/crmf_pbm.c @@ -41,20 +41,16 @@ OSSL_CRMF_PBMPARAMETER *OSSL_CRMF_pbmp_new(size_t slen, int owfnid, OSSL_CRMF_PBMPARAMETER *pbm = NULL; unsigned char *salt = NULL; - if ((pbm = OSSL_CRMF_PBMPARAMETER_new()) == NULL) { - CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW, ERR_R_MALLOC_FAILURE); + if ((pbm = OSSL_CRMF_PBMPARAMETER_new()) == NULL) goto err; - } /* * salt contains a randomly generated value used in computing the key * of the MAC process. The salt SHOULD be at least 8 octets (64 * bits) long. */ - if ((salt = OPENSSL_malloc(slen)) == NULL) { - CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW, ERR_R_MALLOC_FAILURE); + if ((salt = OPENSSL_malloc(slen)) == NULL) goto err; - } if (RAND_bytes(salt, (int)slen) <= 0) { CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW, CRMF_R_FAILURE_OBTAINING_RANDOM); goto err; @@ -145,10 +141,8 @@ int OSSL_CRMF_pbm_new(const OSSL_CRMF_PBMPARAMETER *pbmp, CRMFerr(CRMF_F_OSSL_CRMF_PBM_NEW, CRMF_R_NULL_ARGUMENT); goto err; } - if ((mac_res = OPENSSL_malloc(EVP_MAX_MD_SIZE)) == NULL) { - CRMFerr(CRMF_F_OSSL_CRMF_PBM_NEW, ERR_R_MALLOC_FAILURE); + if ((mac_res = OPENSSL_malloc(EVP_MAX_MD_SIZE)) == NULL) goto err; - } /* * owf identifies the hash algorithm and associated parameters used to @@ -160,10 +154,8 @@ int OSSL_CRMF_pbm_new(const OSSL_CRMF_PBMPARAMETER *pbmp, goto err; } - if ((ctx = EVP_MD_CTX_new()) == NULL) { - CRMFerr(CRMF_F_OSSL_CRMF_PBM_NEW, ERR_R_MALLOC_FAILURE); + if ((ctx = EVP_MD_CTX_new()) == NULL) goto err; - } /* compute the basekey of the salted secret */ if (!EVP_DigestInit_ex(ctx, m, NULL)) diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index bca1c7b71d..284f16418a 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -2063,6 +2063,10 @@ BN_R_PRIVATE_KEY_TOO_LARGE:117:private key too large BN_R_P_IS_NOT_PRIME:112:p is not prime BN_R_TOO_MANY_ITERATIONS:113:too many iterations BN_R_TOO_MANY_TEMPORARY_VARIABLES:109:too many temporary variables +CMP_R_INVALID_ARGS:100:invalid args +CMP_R_MULTIPLE_SAN_SOURCES:102:multiple san sources +CMP_R_NO_STDIO:194:no stdio +CMP_R_NULL_ARGUMENT:103:null argument CMS_R_ADD_SIGNER_ERROR:99:add signer error CMS_R_ATTRIBUTE_ERROR:161:attribute error CMS_R_CERTIFICATE_ALREADY_PRESENT:175:certificate already present diff --git a/crypto/init.c b/crypto/init.c index 6536bd5266..32162c3874 100644 --- a/crypto/init.c +++ b/crypto/init.c @@ -27,6 +27,7 @@ #include "internal/dso_conf.h" #include "internal/dso.h" #include "internal/store.h" +#include /* for OSSL_CMP_log_close() */ #include static int stopped = 0; @@ -431,6 +432,11 @@ void OPENSSL_cleanup(void) OSSL_TRACE(INIT, "OPENSSL_cleanup: CRYPTO_secure_malloc_done()\n"); CRYPTO_secure_malloc_done(); +#ifndef OPENSSL_NO_CMP + OSSL_TRACE(INIT, "OPENSSL_cleanup: OSSL_CMP_log_close()\n"); + OSSL_CMP_log_close(); +#endif + OSSL_TRACE(INIT, "OPENSSL_cleanup: ossl_trace_cleanup()\n"); ossl_trace_cleanup(); diff --git a/doc/internal/man3/ossl_cmp_asn1_octet_string_set1.pod b/doc/internal/man3/ossl_cmp_asn1_octet_string_set1.pod new file mode 100644 index 0000000000..647125dc7e --- /dev/null +++ b/doc/internal/man3/ossl_cmp_asn1_octet_string_set1.pod @@ -0,0 +1,101 @@ +=pod + +=head1 NAME + +ossl_cmp_log_parse_metadata, +ossl_cmp_add_error_txt, +ossl_cmp_add_error_data, +ossl_cmp_add_error_line, +ossl_cmp_asn1_octet_string_set1, +ossl_cmp_asn1_octet_string_set1_bytes, +ossl_cmp_build_cert_chain +- misc internal utility functions + +=head1 SYNOPSIS + + #include "cmp_int.h" + + const char *ossl_cmp_log_parse_metadata(const char *buf, + OSSL_CMP_severity *level, char **func, + char **file, int *line); + + void ossl_cmp_add_error_txt(const char *separator, const char *txt); + #define ossl_cmp_add_error_data(txt) + #define ossl_cmp_add_error_line(txt) + + int ossl_cmp_asn1_octet_string_set1(ASN1_OCTET_STRING **tgt, + const ASN1_OCTET_STRING *src); + int ossl_cmp_asn1_octet_string_set1_bytes(ASN1_OCTET_STRING **tgt, + const unsigned char *bytes, int len); + + STACK_OF(X509) *ossl_cmp_build_cert_chain(STACK_OF(X509) *certs, X509 *cert); + +=head1 DESCRIPTION + +ossl_cmp_log_parse_metadata() parses the given message buffer C populated +by L etc. +according to the pattern OSSL_CMP_LOG_START#level ": %s\n", filling in +the variable pointed to by C with the severity level or -1, +the variable pointed to by C with the function name string or NULL, +the variable pointed to by C with the file name string or NULL, and +the variable pointed to by C with the line number or -1. +Any string returned via C<*func> and C<*file> must be freeed by the caller. + +ossl_cmp_add_error_txt() appends text to the extra data field of the last +error message in the OpenSSL error queue, after adding the optional separator +unless data has been empty so far. The text can be of arbitrary length, +which is not possible when using L in conjunction with +L. + +ossl_cmp_add_error_data() is a macro calling +B with the separator being ":". + +ossl_cmp_add_error_line() is a macro calling +B with the separator being "\n". + +ossl_cmp_asn1_octet_string_set1() frees any previous value of the variable +referenced via the C argument and assigns either a copy of +the ASN1_OCTET_STRING given as the C argument or C. +It returns 1 on success, 0 on error. + +ossl_cmp_asn1_octet_string_set1_bytes() frees any previous value of the variable +referenced via the C argument and assigns either a copy of the given byte +string (with the given length) or NULL. It returns 1 on success, 0 on error. + +ossl_cmp_build_cert_chain() builds up the certificate chain of cert as high up +as possible using the given X509_STORE containing all possible intermediate +certificates and optionally the (possible) trust anchor(s). + +=head1 RETURN VALUES + +ossl_cmp_log_parse_metadata() returns the pointer to the actual message text +after the OSSL_CMP_LOG_PREFIX and level and ':' if found in the buffer, +else the beginning of the buffer. + +ossl_cmp_add_error_txt() +ossl_cmp_add_error_data(), and +ossl_cmp_add_error_line() +do not return anything. + +ossl_cmp_build_cert_chain() +returns NULL on error, else a pointer to a stack of (up_ref'ed) certificates +containing the EE certificate given in the function arguments (cert) +and all intermediate certificates up the chain toward the trust anchor. +The (self-signed) trust anchor is not included. + +All other functions return 1 on success, 0 on error. + +=head1 HISTORY + +The OpenSSL CMP support was added in OpenSSL 3.0. + +=head1 COPYRIGHT + +Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the Apache License 2.0 (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L. + +=cut diff --git a/doc/internal/man3/ossl_cmp_ctx_set1_caPubs.pod b/doc/internal/man3/ossl_cmp_ctx_set1_caPubs.pod new file mode 100644 index 0000000000..f3c45ed56c --- /dev/null +++ b/doc/internal/man3/ossl_cmp_ctx_set1_caPubs.pod @@ -0,0 +1,76 @@ +=pod + +=head1 NAME + +ossl_cmp_ctx_set1_caPubs, +ossl_cmp_ctx_set0_validatedSrvCert, +ossl_cmp_ctx_set_status, +ossl_cmp_ctx_set0_statusString, +ossl_cmp_ctx_set_failInfoCode, +ossl_cmp_ctx_set0_newCert, +ossl_cmp_ctx_set1_extraCertsIn, +ossl_cmp_ctx_set1_recipNonce +- internal functions for managing the CMP client context datastructure + +=head1 SYNOPSIS + + #include + + int ossl_cmp_ctx_set1_caPubs(OSSL_CMP_CTX *ctx, STACK_OF(X509) *caPubs); + int ossl_cmp_ctx_set0_validatedSrvCert(OSSL_CMP_CTX *ctx, X509 *cert); + int ossl_cmp_ctx_set_status(OSSL_CMP_CTX *ctx, int status); + int ossl_cmp_ctx_set0_statusString(OSSL_CMP_CTX *ctx, + OSSL_CMP_PKIFREETEXT *text); + int ossl_cmp_ctx_set_failInfoCode(OSSL_CMP_CTX *ctx, int fail_info); + int ossl_cmp_ctx_set0_newCert(OSSL_CMP_CTX *ctx, X509 *cert); + int ossl_cmp_ctx_set1_extraCertsIn(OSSL_CMP_CTX *ctx, + STACK_OF(X509) *extraCertsIn); + int ossl_cmp_ctx_set1_recipNonce(OSSL_CMP_CTX *ctx, + const ASN1_OCTET_STRING *nonce); + +=head1 DESCRIPTION + +ossl_cmp_ctx_set1_caPubs() copies the given stack of CA certificates +to the caPubs field of the context. +The reference counts of those certificates handled successfully are increased. + +ossl_cmp_ctx_set0_validatedSrvCert() sets the validatedSrvCert of the context, +which caches any already validated server cert, or NULL if not available. + +ossl_cmp_ctx_set_status() sets the status field of the context. + +ossl_cmp_ctx_set0_statusString() sets the statusString field of the context. + +ossl_cmp_ctx_set_failInfoCode() sets the error code bits in the failInfoCode +field of the context based on the given OSSL_CMP_PKIFAILUREINFO structure. + +ossl_cmp_ctx_set0_newCert() sets the given (newly enrolled) certificate +in the context. + +ossl_cmp_ctx_set1_extraCertsIn() sets the extraCertsIn field of the context. +The reference counts of those certificates handled successfully are increased. + +ossl_cmp_ctx_set1_recipNonce() sets the given recipient nonce in the context. + +=head1 NOTES + +CMP is defined in RFC 4210 (and CRMF in RFC 4211). + +=head1 RETURN VALUES + +All functions return 1 on success, 0 on error. + +=head1 HISTORY + +The OpenSSL CMP support was added in OpenSSL 3.0. + +=head1 COPYRIGHT + +Copyright 2007-2018 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the Apache License 2.0 (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L. + +=cut diff --git a/doc/internal/man3/ossl_cmp_sk_X509_add1_cert.pod b/doc/internal/man3/ossl_cmp_sk_X509_add1_cert.pod new file mode 100644 index 0000000000..20ba218d0a --- /dev/null +++ b/doc/internal/man3/ossl_cmp_sk_X509_add1_cert.pod @@ -0,0 +1,60 @@ +=pod + +=head1 NAME + +ossl_cmp_sk_X509_add1_cert, +ossl_cmp_sk_X509_add1_certs, +ossl_cmp_X509_STORE_add1_certs, +ossl_cmp_X509_STORE_get1_certs +- functions manipulating lists of certificates + +=head1 SYNOPSIS + + #include + + int ossl_cmp_sk_X509_add1_cert(STACK_OF(X509) *sk, X509 *cert, + int no_dup, int prepend); + int ossl_cmp_sk_X509_add1_certs(STACK_OF(X509) *sk, STACK_OF(X509) *certs, + int no_self_signed, int no_dups, int prepend); + int ossl_cmp_X509_STORE_add1_certs(X509_STORE *store, STACK_OF(X509) *certs, + int only_self_signed); + STACK_OF(X509) *ossl_cmp_X509_STORE_get1_certs(X509_STORE *store); + +=head1 DESCRIPTION + +ossl_cmp_sk_X509_add1_cert() appends or prepends (depending on the B +argument) a certificate to the given list, +optionally only if it is not already contained. +On success the reference count of the certificate is increased. + +ossl_cmp_sk_X509_add1_certs() appends or prepends (depending on the B +argument) a list of certificates to the given list, +optionally only if not self-signed and optionally only if not already contained. +The reference counts of those certificates appended successfully are increased. + +ossl_cmp_X509_STORE_add1_certs() adds all or only self-signed certificates from +the given stack to given store. The C parameter may be NULL. + +ossl_cmp_X509_STORE_get1_certs() retrieves a copy of all certificates in the +given store. + +=head1 RETURN VALUES + +ossl_cmp_X509_STORE_get1_certs() returns a list of certificates, NULL on error. + +All other functions return 1 on success, 0 on error. + +=head1 HISTORY + +The OpenSSL CMP support was added in OpenSSL 3.0. + +=head1 COPYRIGHT + +Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the Apache License 2.0 (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L. + +=cut diff --git a/doc/man3/OSSL_CMP_CTX_new.pod b/doc/man3/OSSL_CMP_CTX_new.pod new file mode 100644 index 0000000000..4e96c4a7e9 --- /dev/null +++ b/doc/man3/OSSL_CMP_CTX_new.pod @@ -0,0 +1,662 @@ +=pod + +=head1 NAME + +OSSL_CMP_CTX_new, +OSSL_CMP_CTX_free, +OSSL_CMP_CTX_reinit, +OSSL_CMP_CTX_set_option, +OSSL_CMP_CTX_get_option, +OSSL_CMP_CTX_set_log_cb, +OSSL_CMP_CTX_set_log_verbosity, +OSSL_CMP_CTX_print_errors, +OSSL_CMP_CTX_set1_serverPath, +OSSL_CMP_CTX_set1_serverName, +OSSL_CMP_CTX_set_serverPort, +OSSL_CMP_CTX_set1_proxyName, +OSSL_CMP_CTX_set_proxyPort, +OSSL_CMP_DEFAULT_PORT, +OSSL_CMP_CTX_set_http_cb, +OSSL_CMP_CTX_set_http_cb_arg, +OSSL_CMP_CTX_get_http_cb_arg, +OSSL_CMP_CTX_set_transfer_cb, +OSSL_CMP_CTX_set_transfer_cb_arg, +OSSL_CMP_CTX_get_transfer_cb_arg, +OSSL_CMP_CTX_set1_srvCert, +OSSL_CMP_CTX_set1_expected_sender, +OSSL_CMP_CTX_set0_trustedStore, +OSSL_CMP_CTX_get0_trustedStore, +OSSL_CMP_CTX_set1_untrusted_certs, +OSSL_CMP_CTX_get0_untrusted_certs, +OSSL_CMP_CTX_set1_clCert, +OSSL_CMP_CTX_set1_pkey, +OSSL_CMP_CTX_set1_referenceValue, +OSSL_CMP_CTX_set1_secretValue, +OSSL_CMP_CTX_set1_recipient, +OSSL_CMP_CTX_push0_geninfo_ITAV, +OSSL_CMP_CTX_set1_extraCertsOut, +OSSL_CMP_CTX_set0_newPkey, +OSSL_CMP_CTX_get0_newPkey, +OSSL_CMP_CTX_set1_issuer, +OSSL_CMP_CTX_set1_subjectName, +OSSL_CMP_CTX_push1_subjectAltName, +OSSL_CMP_CTX_set0_reqExtensions, +OSSL_CMP_CTX_reqExtensions_have_SAN, +OSSL_CMP_CTX_push0_policy, +OSSL_CMP_CTX_set1_oldCert, +OSSL_CMP_CTX_set1_p10CSR, +OSSL_CMP_CTX_push0_genm_ITAV, +OSSL_CMP_CTX_set_certConf_cb, +OSSL_CMP_CTX_set_certConf_cb_arg, +OSSL_CMP_CTX_get_certConf_cb_arg, +OSSL_CMP_CTX_get_status, +OSSL_CMP_CTX_get0_statusString, +OSSL_CMP_CTX_get_failInfoCode, +OSSL_CMP_CTX_get0_newCert, +OSSL_CMP_CTX_get1_caPubs, +OSSL_CMP_CTX_get1_extraCertsIn, +OSSL_CMP_CTX_set1_transactionID, +OSSL_CMP_CTX_set1_senderNonce +- functions for managing the CMP client context data structure + +=head1 SYNOPSIS + + #include + + OSSL_CMP_CTX *OSSL_CMP_CTX_new(void); + void OSSL_CMP_CTX_free(OSSL_CMP_CTX *ctx); + int OSSL_CMP_CTX_reinit(OSSL_CMP_CTX *ctx); + int OSSL_CMP_CTX_set_option(OSSL_CMP_CTX *ctx, int opt, int val); + int OSSL_CMP_CTX_get_option(const OSSL_CMP_CTX *ctx, int opt); + + /* logging and error reporting: */ + int OSSL_CMP_CTX_set_log_cb(OSSL_CMP_CTX *ctx, OSSL_cmp_log_cb_t cb); + #define OSSL_CMP_CTX_set_log_verbosity(ctx, level) + void OSSL_CMP_CTX_print_errors(OSSL_CMP_CTX *ctx); + + /* message transfer: */ + int OSSL_CMP_CTX_set1_serverPath(OSSL_CMP_CTX *ctx, const char *path); + int OSSL_CMP_CTX_set1_serverName(OSSL_CMP_CTX *ctx, const char *name); + int OSSL_CMP_CTX_set_serverPort(OSSL_CMP_CTX *ctx, int port); + int OSSL_CMP_CTX_set1_proxyName(OSSL_CMP_CTX *ctx, const char *name); + int OSSL_CMP_CTX_set_proxyPort(OSSL_CMP_CTX *ctx, int port); + #define OSSL_CMP_DEFAULT_PORT 80 + typedef BIO (*OSSL_cmp_http_cb_t) (OSSL_CMP_CTX *ctx, BIO *hbio, + unsigned long detail); + int OSSL_CMP_CTX_set_http_cb(OSSL_CMP_CTX *ctx, OSSL_cmp_http_cb_t cb); + int OSSL_CMP_CTX_set_http_cb_arg(OSSL_CMP_CTX *ctx, void *arg); + void *OSSL_CMP_CTX_get_http_cb_arg(const OSSL_CMP_CTX *ctx); + typedef int (*OSSL_cmp_transfer_cb_t) (OSSL_CMP_CTX *ctx, + const OSSL_CMP_MSG *req, + OSSL_CMP_MSG **res); + int OSSL_CMP_CTX_set_transfer_cb(OSSL_CMP_CTX *ctx, + OSSL_cmp_transfer_cb_t cb); + int OSSL_CMP_CTX_set_transfer_cb_arg(OSSL_CMP_CTX *ctx, void *arg); + void *OSSL_CMP_CTX_get_transfer_cb_arg(const OSSL_CMP_CTX *ctx); + + /* server authentication: */ + int OSSL_CMP_CTX_set1_srvCert(OSSL_CMP_CTX *ctx, X509 *cert); + int OSSL_CMP_CTX_set1_expected_sender(OSSL_CMP_CTX *ctx, + const X509_NAME *name); + int OSSL_CMP_CTX_set0_trustedStore(OSSL_CMP_CTX *ctx, X509_STORE *store); + X509_STORE *OSSL_CMP_CTX_get0_trustedStore(const OSSL_CMP_CTX *ctx); + int OSSL_CMP_CTX_set1_untrusted_certs(OSSL_CMP_CTX *ctx, + STACK_OF(X509) *certs); + STACK_OF(X509) *OSSL_CMP_CTX_get0_untrusted_certs(const OSSL_CMP_CTX *ctx); + + /* client authentication: */ + int OSSL_CMP_CTX_set1_clCert(OSSL_CMP_CTX *ctx, X509 *cert); + int OSSL_CMP_CTX_set1_pkey(OSSL_CMP_CTX *ctx, EVP_PKEY *pkey); + int OSSL_CMP_CTX_set1_referenceValue(OSSL_CMP_CTX *ctx, + const unsigned char *ref, int len); + int OSSL_CMP_CTX_set1_secretValue(OSSL_CMP_CTX *ctx, const unsigned char *sec, + const int len); + + /* CMP message header and extra certificates: */ + int OSSL_CMP_CTX_set1_recipient(OSSL_CMP_CTX *ctx, const X509_NAME *name); + int OSSL_CMP_CTX_push0_geninfo_ITAV(OSSL_CMP_CTX *ctx, OSSL_CMP_ITAV *itav); + int OSSL_CMP_CTX_set1_extraCertsOut(OSSL_CMP_CTX *ctx, + STACK_OF(X509) *extraCertsOut); + + /* certificate template: */ + int OSSL_CMP_CTX_set0_newPkey(OSSL_CMP_CTX *ctx, int priv, EVP_PKEY *pkey); + EVP_PKEY *OSSL_CMP_CTX_get0_newPkey(const OSSL_CMP_CTX *ctx, int priv); + int OSSL_CMP_CTX_set1_issuer(OSSL_CMP_CTX *ctx, const X509_NAME *name); + int OSSL_CMP_CTX_set1_subjectName(OSSL_CMP_CTX *ctx, const X509_NAME *name); + int OSSL_CMP_CTX_push1_subjectAltName(OSSL_CMP_CTX *ctx, + const GENERAL_NAME *name); + int OSSL_CMP_CTX_set0_reqExtensions(OSSL_CMP_CTX *ctx, X509_EXTENSIONS *exts); + int OSSL_CMP_CTX_reqExtensions_have_SAN(OSSL_CMP_CTX *ctx); + int OSSL_CMP_CTX_push0_policy(OSSL_CMP_CTX *ctx, POLICYINFO *pinfo); + int OSSL_CMP_CTX_set1_oldCert(OSSL_CMP_CTX *ctx, X509 *cert); + int OSSL_CMP_CTX_set1_p10CSR(OSSL_CMP_CTX *ctx, const X509_REQ *csr); + + /* misc body contents: */ + int OSSL_CMP_CTX_push0_genm_ITAV(OSSL_CMP_CTX *ctx, OSSL_CMP_ITAV *itav); + + /* certificate confirmation: */ + typedef int (*OSSL_cmp_certConf_cb_t) (OSSL_CMP_CTX *ctx, X509 *cert, + int fail_info, const char **txt); + int OSSL_CMP_CTX_set_certConf_cb(OSSL_CMP_CTX *ctx, OSSL_cmp_certConf_cb_t cb); + int OSSL_CMP_CTX_set_certConf_cb_arg(OSSL_CMP_CTX *ctx, void *arg); + void *OSSL_CMP_CTX_get_certConf_cb_arg(const OSSL_CMP_CTX *ctx); + + /* result fetching: */ + int OSSL_CMP_CTX_get_status(const OSSL_CMP_CTX *ctx); + OSSL_CMP_PKIFREETEXT *OSSL_CMP_CTX_get0_statusString(const OSSL_CMP_CTX *ctx); + int OSSL_CMP_CTX_get_failInfoCode(const OSSL_CMP_CTX *ctx); + + X509 *OSSL_CMP_CTX_get0_newCert(const OSSL_CMP_CTX *ctx); + STACK_OF(X509) *OSSL_CMP_CTX_get1_caPubs(const OSSL_CMP_CTX *ctx); + STACK_OF(X509) *OSSL_CMP_CTX_get1_extraCertsIn(const OSSL_CMP_CTX *ctx); + + /* for test purposes only: */ + int OSSL_CMP_CTX_set1_transactionID(OSSL_CMP_CTX *ctx, + const ASN1_OCTET_STRING *id); + int OSSL_CMP_CTX_set1_senderNonce(OSSL_CMP_CTX *ctx, + const ASN1_OCTET_STRING *nonce); + +=head1 DESCRIPTION + +This is the context API for using CMP (Certificate Management Protocol) with +OpenSSL. + +OSSL_CMP_CTX_new() allocates and initializes an OSSL_CMP_CTX structure to +default values, e.g., proof-of-possession method is set to POPOSigningKey. + +OSSL_CMP_CTX_free() deallocates an OSSL_CMP_CTX structure. + +OSSL_CMP_CTX_reinit() prepares the given B for a further transaction by +clearing the internal CMP transaction (aka session) status, PKIStatusInfo, +and any previous results (newCert, caPubs, and extraCertsIn) +from the last executed transaction. +All other field values (i.e., CMP options) are retained for potential re-use. + +OSSL_CMP_CTX_set_option() sets the given value for the given option +(e.g., OSSL_CMP_OPT_IMPLICITCONFIRM) in the given OSSL_CMP_CTX structure. + +The following options can be set: + +=over 4 + +=item B + + The level of severity needed for actually outputting log messages + due to errors, warnings, general info, debugging, etc. + Default is OSSL_CMP_LOG_INFO. See also L. + +=item B + + Number of seconds (or 0 for infinite) a CMP message round trip is + allowed to take before a timeout error is returned. Default is 120. + +=item B + + Maximum total number of seconds an enrollment (including polling) + may take. Default is 0 (infinite). + +=item B + + Number of days new certificates are asked to be valid for. + +=item B + + Do not take default Subject Alternative Names + from the reference certificate. + +=item B + + Demand that the given Subject Alternative Names are flagged as critical. + +=item B + + Demand that the given policies are flagged as critical. + +=item B + + Select the proof of possession method to use. Possible values are: + + OSSL_CRMF_POPO_NONE - ProofOfPossession field omitted + OSSL_CRMF_POPO_RAVERIFIED - assert that the RA has already + verified the PoPo + OSSL_CRMF_POPO_SIGNATURE - sign a value with private key, + which is the default. + OSSL_CRMF_POPO_KEYENC - decrypt the encrypted certificate + ("indirect method") + + Note that a signature-based POPO can only be produced if a private key + is provided as the newPkey or client pkey component of the CMP context. + +=item B + + The digest algorithm NID to be used in RFC 4210's MSG_SIG_ALG, + if applicable used for message protection and Proof-of-Possession. + Default is SHA256. + + OSSL_CMP_OPT_OWF_ALGNID + The digest algorithm NID to be used as one-way function (OWF) + in RFC 4210's MSG_MAC_ALG, if applicable used for message protection. + Default is SHA256. + + OSSL_CMP_OPT_MAC_ALGNID + The MAC algorithm NID to be used in RFC 4210's MSG_MAC_ALG, + if applicable used for message protection. + Default is HMAC-SHA1 as per RFC 4210. + +=item B + + The reason code to be included in a Revocation Request (RR); + values: 0..10 (RFC 5210, 5.3.1) or -1 for none, which is the default. + +=item B + + Request server to enable implicit confirm mode, where the client + does not need to send confirmation upon receiving the + certificate. If the server does not enable implicit confirmation + in the return message, then confirmation is sent anyway. + +=item B + + Do not confirm enrolled certificates, to cope with broken servers + not supporting implicit confirmation correctly. +B This setting leads to unspecified behavior and it is meant +exclusively to allow interoperability with server implementations violating +RFC 4210. + +=item B + + Send messages without CMP-level protection. + +=item B + + Accept unprotected error responses which are either explicitly + unprotected or where protection verification failed. Applies to regular + error messages as well as certificate responses (IP/CP/KUP) and + revocation responses (RP) with rejection. +B This setting leads to unspecified behavior and it is meant +exclusively to allow interoperability with server implementations violating +RFC 4210. + +=item B + + Ignore key usage restrictions in signer certificate when + validating signature-based protection in received CMP messages. + Else, 'digitalSignature' must be allowed by CMP signer certificates. + +=item B + + Allow retrieving a trust anchor from extraCerts and using that + to validate the certificate chain of an IP message. + +=back + +OSSL_CMP_CTX_get_option() reads the current value of the given option +(e.g., OSSL_CMP_OPT_IMPLICITCONFIRM) from the given OSSL_CMP_CTX structure. + +OSSL_CMP_CTX_set_log_cb() sets in B the callback function C +for handling error queue entries and logging messages. +When C is NULL errors are printed to STDERR (if available, else ignored) +any log messages are ignored. +Alternatively, L may be used to direct logging to STDOUT. + +OSSL_CMP_CTX_set_log_verbosity() is a macro setting the +OSSL_CMP_OPT_LOG_VERBOSITY context option to the given level. + +OSSL_CMP_CTX_print_errors() outputs any entries in the OpenSSL error queue. +It is similar to B but uses the CMP log callback function +if set in the C for uniformity with CMP logging if given. Otherwise it uses +B to print to STDERR (unless OPENSSL_NO_STDIO is defined). + +OSSL_CMP_CTX_set1_serverPath() sets the HTTP path of the CMP server on the host. + +OSSL_CMP_CTX_set1_serverName() sets the given server Address (as IP or name) +in the given OSSL_CMP_CTX structure. + +OSSL_CMP_CTX_set_serverPort() sets the port of the CMP server to connect to. +Port defaults to OSSL_CMP_DEFAULT_PORT = 80 if not set explicitly. + +OSSL_CMP_CTX_set1_proxyName() sets the host name of the HTTP proxy to be used +for connecting to the CA server. + +OSSL_CMP_CTX_set_proxyPort() sets the port of the HTTP proxy. +Port defaults to OSSL_CMP_DEFAULT_PORT = 80 if not set explicitly. + +OSSL_CMP_CTX_set_http_cb() sets the optional http connect/disconnect callback +function, which has the prototype + + typedef BIO *(*OSSL_cmp_http_cb_t)(OSSL_CMP_CTX *ctx, BIO *hbio, + unsigned long detail); + +It may modify the HTTP BIO given in the B argument +used by OSSL_CMP_MSG_http_perform(). +On connect the B argument is 1. +On disconnect it is 0 if no error occurred or else the last error code. +For instance, on connect a TLS BIO may be prepended to implement HTTPS, +and on disconnect some error diagnostics and/or cleanup may be done. +The callback function should return NULL to indicate failure. +It may make use of a custom defined argument stored in the ctx +by means of OSSL_CMP_CTX_set_http_cb_arg(), +which may be retrieved again through OSSL_CMP_CTX_get_http_cb_arg(). + +OSSL_CMP_CTX_set_http_cb_arg() sets an argument, respectively a pointer to +a structure containing arguments, +optionally to be used by the http connect/disconnect callback function. +B is not consumed, and it must therefore explicitly be freed when not +needed any more. B may be NULL to clear the entry. + +OSSL_CMP_CTX_get_http_cb_arg() gets the argument, respectively the pointer to a +structure containing arguments, previously set by +OSSL_CMP_CTX_set_http_cb_arg() or NULL if unset. + +OSSL_CMP_CTX_set_transfer_cb() sets the message transfer callback function, +which has the type + + typedef int (*OSSL_cmp_transfer_cb_t)(const OSSL_CMP_CTX *ctx, + const OSSL_CMP_MSG *req, + OSSL_CMP_MSG **res); +Returns 1 on success, 0 on error. + +Default is NULL, which implies the use of L. +The callback should send the CMP request it obtains via the B parameter +and on success place the response in the B<*res> output parameter. +The transfer callback may make use of a custom defined argument stored in +the ctx by means of OSSL_CMP_CTX_set_transfer_cb_arg(), which may be retrieved +again through OSSL_CMP_CTX_get_transfer_cb_arg(). +On success the cb must return 0, else a CMP error reason code defined in cmp.h. + + +OSSL_CMP_CTX_set_transfer_cb_arg() sets an argument, respectively a pointer to a +structure containing arguments, optionally to be used by the transfer callback. +B is not consumed, and it must therefore explicitly be freed when not +needed any more. B may be NULL to clear the entry. + +OSSL_CMP_CTX_get_transfer_cb_arg() gets the argument, respectively the pointer +to a structure containing arguments, previously set by +OSSL_CMP_CTX_set_transfer_cb_arg() or NULL if unset. + +OSSL_CMP_CTX_set1_srvCert() pins the server certificate to be directly trusted +(even if it is expired) for verifying response messages. +The cert pointer is not consumed. It may be NULL to clear the entry. + +OSSL_CMP_CTX_set1_expected_sender() sets the Distinguished Name (DN) expected to +be given in the sender response for messages protected with MSG_SIG_ALG. This +may be used to enforce that during validation of received messages the given DN +matches the sender field of the PKIMessage header, which in turn is used to +identify the server certificate. +This can be used to ensure that only a particular entity is accepted to act as +CMP server, and attackers are not able to use arbitrary certificates of a +trusted PKI hierarchy to fraudulently pose as server. +This defaults to the subject DN of the certificate set via +OSSL_CMP_CTX_set1_srvCert(), if any. + +OSSL_CMP_CTX_set0_trustedStore() sets the X509_STORE type certificate store +containing trusted (root) CA certificates. The certificate store may also hold +CRLs and a certificate verification callback function used for CMP server +authentication. Any already existing store entry is freed. When given a NULL +parameter the entry is cleared. + +OSSL_CMP_CTX_get0_trustedStore() returns a pointer to the certificate store +containing trusted root CA certificates, which may be empty if unset. + +OSSL_CMP_CTX_set1_untrusted_certs() takes over a list of certificates containing +non-trusted intermediate certs used for path construction in authentication +of the CMP server and potentially others (TLS server, newly enrolled cert). +The reference counts of those certificates handled successfully are increased. + +OSSL_CMP_CTX_get0_untrusted_certs(OSSL_CMP_CTX *ctx) returns a pointer to the +list of untrusted certs, which my be empty if unset. + +OSSL_CMP_CTX_set1_clCert() sets the client certificate in the given +OSSL_CMP_CTX structure. The client certificate will then be used by the +functions to set the "sender" field for outgoing messages and it will be +included in the extraCerts field. + +OSSL_CMP_CTX_set1_pkey() sets the private key corresponding to the client +certificate set with B in the given CMP context. +Used to create the protection in case of MSG_SIG_ALG. + +OSSL_CMP_CTX_set1_referenceValue() sets the given referenceValue in the given +B or clears it if the B argument is NULL. + +OSSL_CMP_CTX_set1_secretValue() sets the B with the length B in the +given B or clears it if the B argument is NULL. + +OSSL_CMP_CTX_set1_recipient() sets the recipient name that will be used in the +PKIHeader of a request message, i.e. the X509 name of the (CA) server. +Setting is overruled by subject of srvCert if set. +If neither srvCert nor recipient are set, the recipient of the PKI message is +determined in the following order: issuer, issuer of old cert (oldCert), +issuer of client cert (clCert), else NULL-DN. +When a response is received, its sender must match the recipient of the request. + +OSSL_CMP_CTX_push0_geninfo_ITAV() adds B to the stack in the B to be +added to the GeneralInfo field of the CMP PKIMessage header of a request +message sent with this context. Consumes the pointer to B. + +OSSL_CMP_CTX_set1_extraCertsOut() sets the stack of extraCerts that will be +sent to remote. + +OSSL_CMP_CTX_set0_newPkey() can be used to explicitly set the given EVP_PKEY +structure as the private or public key to be certified in the CMP context. +The B parameter must be 0 if and only if the given key is a public key. + +OSSL_CMP_CTX_get0_newPkey() gives the key to use for certificate enrollment +dependent on fields of the CMP context structure: +the newPkey (which may be a private or public key) if present, +else the public key in the p10CSR if present, else the client private key. +If the B parameter is not 0 and the selected key does not have a +private component then NULL is returned. + +OSSL_CMP_CTX_set1_issuer() sets the name of the intended issuer that +will be set in the CertTemplate, i.e., the X509 name of the CA server. + +OSSL_CMP_CTX_set1_subjectName() sets the subject DN that will be used in +the CertTemplate structure when requesting a new cert. For Key Update Requests +(KUR), it defaults to the subject DN of the reference certificate, +see B. This default is used for Initialization +Requests (IR) and Certification Requests (CR) only if no SANs are set. + +If clCert is not set (e.g. in case of IR with MSG_MAC_ALG), the subject DN +is also used as sender of the PKI message. + +OSSL_CMP_CTX_push1_subjectAltName() adds the given X509 name to the list of +alternate names on the certificate template request. This cannot be used if +any Subject Alternative Name extension is set via +OSSL_CMP_CTX_set0_reqExtensions(). +By default, unless OSSL_CMP_OPT_SUBJECTALTNAME_NODEFAULT has been set, +the Subject Alternative Names are copied from the reference certificate, +see OSSL_CMP_CTX_set1_oldCert(). + +If set and the subject DN is not set with OSSL_CMP_CTX_set1_subjectName(), then +the certificate template of an IR and CR will not be filled with the default +subject DN from the reference certificate (see OSSL_CMP_CTX_set1_oldCert(). +If a subject DN is desired it needs to be set explicitly with +OSSL_CMP_CTX_set1_subjectName(). + +OSSL_CMP_CTX_set0_reqExtensions() sets the X.509v3 extensions to be used in +IR/CR/KUR. + +OSSL_CMP_CTX_reqExtensions_have_SAN() returns 1 if the context contains +a Subject Alternative Name extension, else 0 or -1 on error. + +OSSL_CMP_CTX_push0_policy() adds the certificate policy info object +to the X509_EXTENSIONS of the requested certificate template. + +OSSL_CMP_CTX_set1_oldCert() sets the old certificate to be updated in +Key Update Requests (KUR) or to be revoked in Revocation Requests (RR). +It must be given for RR, else it defaults to B. +The reference certificate determined in this way, if any, is also used for +deriving default subject DN and Subject Alternative Names for IR, CR, and KUR. +Its issuer, if any, is used as default recipient in the CMP message header. + +OSSL_CMP_CTX_set1_p10CSR() sets the PKCS#10 CSR to be used in P10CR. + +OSSL_CMP_CTX_push0_genm_ITAV() adds B to the stack in the B which +will be the body of a General Message sent with this context. +Consumes the pointer to B. + +OSSL_CMP_CTX_set_certConf_cb() sets the callback used for evaluating the newly +enrolled certificate before the library sends, depending on its result, +a positive or negative certConf message to the server. The callback has type + + typedef int (*OSSL_cmp_certConf_cb_t) (OSSL_CMP_CTX *ctx, X509 *cert, + int fail_info, const char **txt); + +and should inspect the certificate it obtains via the B parameter and may +overrule the pre-decision given in the B and B<*txt> parameters. +If it accepts the certificate it must return 0, indicating success. Else it must +return a bit field reflecting PKIFailureInfo with at least one failure bit and +may set the B<*txt> output parameter to point to a string constant with more +detail. The transfer callback may make use of a custom defined argument stored +in the B by means of OSSL_CMP_CTX_set_certConf_cb_arg(), which may be +retrieved again through OSSL_CMP_CTX_get_certConf_cb_arg(). +Typically, the callback will check at least that the certificate can be verified +using a set of trusted certificates. +It also could compare the subject DN and other fields of the newly +enrolled certificate with the certificate template of the request. + +OSSL_CMP_CTX_set_certConf_cb_arg() sets an argument, respectively a pointer to a +structure containing arguments, optionally to be used by the certConf callback. +B is not consumed, and it must therefore explicitly be freed when not +needed any more. B may be NULL to clear the entry. + +OSSL_CMP_CTX_get_certConf_cb_arg() gets the argument, respectively the pointer +to a structure containing arguments, previously set by +OSSL_CMP_CTX_set_certConf_cb_arg(), or NULL if unset. + +OSSL_CMP_CTX_get_status() returns the PKIstatus from the last received +CertRepMessage or Revocation Response or error message, or -1 if unset. + +OSSL_CMP_CTX_get0_statusString() returns the statusString from the last received +CertRepMessage or Revocation Response or error message, or NULL if unset. + +OSSL_CMP_CTX_get_failInfoCode() returns the error code from the failInfo field +of the last received CertRepMessage or Revocation Response or error message. +This is a bit field and the flags for it are specified in L. +The flags start with OSSL_CMP_CTX_FAILINFO, for example: +OSSL_CMP_CTX_FAILINFO_badAlg. Returns -1 if the failInfoCode field is unset. + +OSSL_CMP_CTX_get0_newCert() returns the pointer to the newly obtained +certificate in case it is available, else NULL. + +OSSL_CMP_CTX_get1_caPubs() returns a pointer to a duplicate of the stack of +X.509 certificates received in the caPubs field of last received certificate +response message IP/CP/KUP. + +OSSL_CMP_CTX_get1_extraCertsIn() returns a pointer to a duplicate of the stack +of X.509 certificates received in the last received non-empty extraCerts field. +Returns an empty stack if no extraCerts have been received in the current +transaction. + +OSSL_CMP_CTX_set1_transactionID() sets the given transaction ID in the given +OSSL_CMP_CTX structure. + +OSSL_CMP_CTX_set1_senderNonce() stores the last sent sender B in +the B. This will be used to validate the recipNonce in incoming messages. + +=head1 NOTES + +CMP is defined in RFC 4210 (and CRMF in RFC 4211). + +=head1 RETURN VALUES + +OSSL_CMP_CTX_free() and OSSL_CMP_CTX_print_errors() do not return anything. + +OSSL_CMP_CTX_new(), +OSSL_CMP_CTX_get_http_cb_arg(), +OSSL_CMP_CTX_get_transfer_cb_arg(), +OSSL_CMP_CTX_get0_trustedStore(), +OSSL_CMP_CTX_get0_untrusted_certs(), +OSSL_CMP_CTX_get0_newPkey(), +OSSL_CMP_CTX_get_certConf_cb_arg(), +OSSL_CMP_CTX_get0_statusString(), +OSSL_CMP_CTX_get0_newCert(), +OSSL_CMP_CTX_get1_caPubs(), and +OSSL_CMP_CTX_get1_extraCertsIn() +return the intended pointer value as described above or NULL on error. + +OSSL_CMP_CTX_get_option(), +OSSL_CMP_CTX_reqExtensions_have_SAN(), +OSSL_CMP_CTX_get_status(), and +OSSL_CMP_CTX_get_failInfoCode() +return the intended value as described above or -1 on error. + +All other functions return 1 on success, 0 on error. + +=head1 EXAMPLES + +The following code does an Initialization Request: + + cmp_ctx = OSSL_CMP_CTX_new(); + OSSL_CMP_CTX_set1_serverName(cmp_ctx, opt_serverName); + OSSL_CMP_CTX_set1_referenceValue(cmp_ctx, ref, ref_len); + OSSL_CMP_CTX_set1_secretValue(cmp_ctx, sec, sec_len); + OSSL_CMP_CTX_set0_newPkey(cmp_ctx, new_pkey, 1); + OSSL_CMP_CTX_set1_caCert(cmp_ctx, ca_cert); + + initialClCert = OSSL_CMP_exec_IR_ses(cmp_ctx); + +The following code does an Initialization Request using an +external identity certificate (RFC 4210, Appendix E.7): + + cmp_ctx = OSSL_CMP_CTX_new(); + OSSL_CMP_CTX_set1_serverName(cmp_ctx, sname); + OSSL_CMP_CTX_set1_clCert(cmp_ctx, cl_cert); + OSSL_CMP_CTX_set1_pkey(cmp_ctx, pkey); + OSSL_CMP_CTX_set0_newPkey(cmp_ctx, new_pkey, 1); + OSSL_CMP_CTX_set1_caCert(cmp_ctx, ca_cert); + + initialClCert = OSSL_CMP_exec_IR_ses(cmp_ctx); + +Here externalCert is an X509 certificate granted to the EE by another CA +which is trusted by the current CA the code will connect to. + + +The following code does a Key Update Request: + + cmp_ctx = OSSL_CMP_CTX_new(); + OSSL_CMP_CTX_set1_serverName(cmp_ctx, sname); + OSSL_CMP_CTX_set1_pkey(cmp_ctx, pkey); + OSSL_CMP_CTX_set0_newPkey(cmp_ctx, new_pkey, 1); + OSSL_CMP_CTX_set1_clCert(cmp_ctx, cl_cert); + OSSL_CMP_CTX_set1_caCert(cmp_ctx, ca_cert); + + updatedClCert = OSSL_CMP_exec_KUR_ses(cmp_ctx); + +The following code (which omits error handling) sends a General Message +including, as an example, the id-it-signKeyPairTypes OID and prints info on +the General Response contents. + + cmp_ctx = OSSL_CMP_CTX_new(); + OSSL_CMP_CTX_set1_serverName(cmp_ctx, sname); + OSSL_CMP_CTX_set1_referenceValue(cmp_ctx, ref, ref_len); + OSSL_CMP_CTX_set1_secretValue(cmp_ctx, sec, sec_len); + + ASN1_OBJECT *type = OBJ_txt2obj("1.3.6.1.5.5.7.4.2", 1); + OSSL_CMP_ITAV *itav = OSSL_CMP_ITAV_new(type, NULL); + OSSL_CMP_CTX_push0_genm_ITAV(cmp_ctx, itav); + + STACK_OF(OSSL_CMP_ITAV) *itavs; + itavs = OSSL_CMP_exec_GENM_ses(cmp_ctx); + print_itavs(itavs); + sk_OSSL_CMP_ITAV_pop_free(itavs, OSSL_CMP_ITAV_free); + +=head1 SEE ALSO + +L, L, +L + +=head1 HISTORY + +The OpenSSL CMP support was added in OpenSSL 3.0. + +=head1 COPYRIGHT + +Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the Apache License 2.0 (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L. + +=cut diff --git a/doc/man3/OSSL_CMP_ITAV_set0.pod b/doc/man3/OSSL_CMP_ITAV_set0.pod index 348f47f1b6..276daa7d51 100644 --- a/doc/man3/OSSL_CMP_ITAV_set0.pod +++ b/doc/man3/OSSL_CMP_ITAV_set0.pod @@ -23,6 +23,8 @@ OSSL_CMP_ITAV_push0_stack_item =head1 DESCRIPTION +Certificate Management Protocol (CMP, RFC 4210) extension to OpenSSL + ITAV is short for InfoTypeAndValue. This type is defined in RFC 4210 section 5.3.19 and Appendix F. It is used at various places in CMP messages, e.g., in the generalInfo PKIHeader field, to hold a key-value pair. @@ -93,6 +95,10 @@ included in the requests' PKIHeader's genInfo field. L, L, L +=head1 HISTORY + +The OpenSSL CMP support was added in OpenSSL 3.0. + =head1 COPYRIGHT Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man3/OSSL_CMP_log_open.pod b/doc/man3/OSSL_CMP_log_open.pod new file mode 100644 index 0000000000..cbd5096cd8 --- /dev/null +++ b/doc/man3/OSSL_CMP_log_open.pod @@ -0,0 +1,140 @@ +=pod + +=head1 NAME + +OSSL_CMP_log_open, +OSSL_CMP_log_close, +OSSL_CMP_alert, +OSSL_CMP_err, +OSSL_CMP_warn, +OSSL_CMP_info, +OSSL_CMP_debug, +OSSL_CMP_log, +OSSL_CMP_log1, +OSSL_CMP_log2, +OSSL_CMP_log3, +OSSL_CMP_log4, +OSSL_CMP_severity, +OSSL_CMP_LOG_EMERG, +OSSL_CMP_LOG_ALERT, +OSSL_CMP_LOG_CRIT, +OSSL_CMP_LOG_ERR, +OSSL_CMP_LOG_WARNING, +OSSL_CMP_LOG_NOTICE, +OSSL_CMP_LOG_INFO, +OSSL_CMP_LOG_DEBUG, +OSSL_CMP_print_errors_cb +- functions for logging and error reporting + +=head1 SYNOPSIS + + #include + + int OSSL_CMP_log_open(void); + void OSSL_CMP_log_close(void); + #define OSSL_CMP_alert(msg) + #define OSSL_CMP_err(msg) + #define OSSL_CMP_warn(msg) + #define OSSL_CMP_info(msg) + #define OSSL_CMP_debug(msg) + #define OSSL_CMP_log(level, msg) + #define OSSL_CMP_log1(level, fmt, arg1) + #define OSSL_CMP_log2(level, fmt, arg1, arg2) + #define OSSL_CMP_log3(level, fmt, arg1, arg2, arg3) + #define OSSL_CMP_log4(level, fmt, arg1, arg2, arg3, arg4) + + /* severity level declarations resemble those from syslog.h */ + typedef int OSSL_CMP_severity; + #define OSSL_CMP_LOG_EMERG 0 + #define OSSL_CMP_LOG_ALERT 1 + #define OSSL_CMP_LOG_CRIT 2 + #define OSSL_CMP_LOG_ERR 3 + #define OSSL_CMP_LOG_WARNING 4 + #define OSSL_CMP_LOG_NOTICE 5 + #define OSSL_CMP_LOG_INFO 6 + #define OSSL_CMP_LOG_DEBUG 7 + typedef int (*OSSL_cmp_log_cb_t) (const char *component, + const char *file, int line, + OSSL_CMP_severity level, const char *msg); + + void OSSL_CMP_print_errors_cb(OSSL_cmp_log_cb_t log_fn); + +=head1 DESCRIPTION + +The logging and error reporting facility described here contains +convenience functions for CMP-specific logging via the trace API, +including a string prefix mirroring the severity levels of syslog.h, +and enhancements of the error queue mechanism needed for large diagnostic +messages produced by the CMP library in case of certificate validation failures. + +When an interesting activity is performed or an error occurs, some detail +should be provided for user information, debugging, and auditing purposes. +A CMP application can obtain this information by providing a callback function +with the following type: + + typedef void (*OSSL_cmp_log_cb_t)(const char *component, + const char *file, int line, + OSSL_CMP_severity level, const char *msg); + +The parameters may provide +a component identifier (which may be a library name or function name) or NULL, +a file path name or NULL, +a line number or 0 indicating the source code location, +a severity level, and +a message string describing the nature of the event, terminated by '\n'. + +Even when an activity is successful some warnings may be useful and some degree +of auditing may be required. Therefore the logging facility supports a severity +level and the callback function has a B parameter indicating such a +level, such that error, warning, info, debug, etc. can be treated differently. +The callback is activated only when the severity level is sufficient according +to the current level of verbosity, which by default is OSSL_CMP_LOG_INFO. + +The callback function may itself do non-trivial tasks like writing to +a log file or remote stream, which in turn may fail. +Therefore the function should return 1 on success and 0 on failure. + +OSSL_CMP_log_open() initializes the CMP-specific logging facility to output +everything to STDOUT. It fails if the integrated tracing is disabled or STDIO +is not available. It may be called during application startup. +Alternatively, L can be used for more flexibility. +As long as neither if the two is used any logging output is ignored. + +OSSL_CMP_log_close() may be called when all activities are finished to flush +any pending CMP-specific log output and deallocate related resources. +It may be called multiple times. It does get called at OpenSSL stutdown. + +OSSL_CMP_alert() outputs a simple alert message via the trace API. +OSSL_CMP_err() outputs a simple error message via the trace API. +OSSL_CMP_warn() outputs a simple warning message via the trace API. +OSSL_CMP_info() outputs a simple info message via the trace API. +OSSL_CMP_debug() outputs a simple debug message via the trace API. + +Note that due to the design of the trace API used, the log functions have no +effect unless the B option is used during build configuration. + +OSSL_CMP_print_errors_cb() outputs any entries in the OpenSSL error queue. +It is similar to B but uses the CMP log callback function +C for uniformity with CMP logging if not B. Otherwise it uses +B to print to STDERR (unless OPENSSL_NO_STDIO is defined). + +=head1 RETURN VALUES + +OSSL_CMP_log_close() and OSSL_CMP_print_errors_cb() do not return anything. + +All other functions return 1 on success, 0 on error. + +=head1 HISTORY + +The OpenSSL CMP support was added in OpenSSL 3.0. + +=head1 COPYRIGHT + +Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the Apache License 2.0 (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L. + +=cut diff --git a/doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod b/doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod index 1ca79bc944..8a85f30cf9 100644 --- a/doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod +++ b/doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod @@ -5,6 +5,8 @@ OSSL_CRMF_MSG_get0_tmpl, OSSL_CRMF_CERTTEMPLATE_get0_serialNumber, OSSL_CRMF_CERTTEMPLATE_get0_issuer, +OSSL_CRMF_CERTID_get0_serialNumber, +OSSL_CRMF_CERTID_get0_issuer, OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert, OSSL_CRMF_MSG_get_certReqId - functions reading from CRMF CertReqMsg structures @@ -18,6 +20,9 @@ OSSL_CRMF_MSG_get_certReqId *OSSL_CRMF_CERTTEMPLATE_get0_serialNumber(OSSL_CRMF_CERTTEMPLATE *tmpl); X509_NAME *OSSL_CRMF_CERTTEMPLATE_get0_issuer(OSSL_CRMF_CERTTEMPLATE *tmpl); + ASN1_INTEGER *OSSL_CRMF_CERTID_get0_serialNumber(const OSSL_CRMF_CERTID *cid); + X509_NAME *OSSL_CRMF_CERTID_get0_issuer(const OSSL_CRMF_CERTID *cid); + X509 *OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(OSSL_CRMF_ENCRYPTEDVALUE *ecert, EVP_PKEY *pkey); @@ -34,6 +39,12 @@ given certificate template B. OSSL_CRMF_CERTTEMPLATE_get0_issuer() retrieves the issuer name of the given certificate template B. +OSSL_CRMF_CERTID_get0_serialNumber retrieves the serialNumber +of the given CertId B. + +OSSL_CRMF_CERTID_get0_issuer retrieves the issuer name +of the given CertId B, which must be of ASN.1 type GEN_DIRNAME. + OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert() decrypts the certificate in the given encryptedValue B, using the private key B. This is needed for the indirect PoP method as in RFC 4210 section 5.2.8.2. @@ -54,6 +65,10 @@ All other functions return a pointer with the intended result or NULL on error. B +=head1 HISTORY + +The OpenSSL CRMF support was added in OpenSSL 3.0. + =head1 COPYRIGHT Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man3/OSSL_CRMF_MSG_set1_regCtrl_regToken.pod b/doc/man3/OSSL_CRMF_MSG_set1_regCtrl_regToken.pod index e73a490583..78423c7001 100644 --- a/doc/man3/OSSL_CRMF_MSG_set1_regCtrl_regToken.pod +++ b/doc/man3/OSSL_CRMF_MSG_set1_regCtrl_regToken.pod @@ -69,7 +69,7 @@ control in the given B copying the given B as value. See RFC 4211, section 6.3. OSSL_CRMF_MSG_set1_regCtrl_protocolEncrKey() sets the protocolEncrKey control in -the given B copying the given B as value. See RFC 4211, section 6.6. +the given B copying the given B as value. See RFC 4211 section 6.6. OSSL_CRMF_MSG_set1_regCtrl_oldCertID() sets the oldCertID control in the given B copying the given B as value. See RFC 4211, section 6.5. @@ -94,6 +94,10 @@ create the needed OSSL_CRMF_PKIARCHIVEOPTINS content. RFC 4211 +=head1 HISTORY + +The OpenSSL CRMF support was added in OpenSSL 3.0. + =head1 COPYRIGHT Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man3/OSSL_CRMF_MSG_set1_regInfo_certReq.pod b/doc/man3/OSSL_CRMF_MSG_set1_regInfo_certReq.pod index 3d895a41d6..32a4933e7d 100644 --- a/doc/man3/OSSL_CRMF_MSG_set1_regInfo_certReq.pod +++ b/doc/man3/OSSL_CRMF_MSG_set1_regInfo_certReq.pod @@ -37,6 +37,10 @@ multiple utf8Pairs in one regInfo structure, it does not allow multiple certReq. RFC 4211 +=head1 HISTORY + +The OpenSSL CRMF support was added in OpenSSL 3.0. + =head1 COPYRIGHT Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man3/OSSL_CRMF_MSG_set_validity.pod b/doc/man3/OSSL_CRMF_MSG_set_validity.pod index 80f2366148..2544c65775 100644 --- a/doc/man3/OSSL_CRMF_MSG_set_validity.pod +++ b/doc/man3/OSSL_CRMF_MSG_set_validity.pod @@ -25,11 +25,9 @@ OSSL_CRMF_MSGS_verify_popo const X509_NAME *issuer, const ASN1_INTEGER *serial); - int OSSL_CRMF_MSG_set0_extensions(OSSL_CRMF_MSG *crm, - X509_EXTENSIONS *exts); + int OSSL_CRMF_MSG_set0_extensions(OSSL_CRMF_MSG *crm, X509_EXTENSIONS *exts); - int OSSL_CRMF_MSG_push0_extension(OSSL_CRMF_MSG *crm, - const X509_EXTENSION *ext); + int OSSL_CRMF_MSG_push0_extension(OSSL_CRMF_MSG *crm, X509_EXTENSION *ext); int OSSL_CRMF_MSG_create_popo(OSSL_CRMF_MSG *crm, EVP_PKEY *pkey, int dgst, int ppmtd); @@ -56,9 +54,10 @@ certTemplate of B. Frees any pre-existing ones and consumes B. OSSL_CRMF_MSG_push0_extension() pushes the X509 extension B to the extensions in the certTemplate of B. Consumes B. -OSSL_CRMF_MSG_create_popo() creates and sets the Proof-of-Possession (POP) -according to the method B for B to B. In case the method is -OSSL_CRMF_POPO_SIGNATURE, POP is calculated using the B. +OSSL_CRMF_MSG_create_popo() creates and sets the Proof-of-Possession (POPO) +according to the method B in B. +In case the method is OSSL_CRMF_POPO_SIGNATURE the POPO is calculated +using the private B and the digest algorithm NID B. B can be one of the following: @@ -93,6 +92,10 @@ All functions return 1 on success, 0 on error. RFC 4211 +=head1 HISTORY + +The OpenSSL CRMF support was added in OpenSSL 3.0. + =head1 COPYRIGHT Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man3/OSSL_CRMF_pbmp_new.pod b/doc/man3/OSSL_CRMF_pbmp_new.pod index 4ebfa69d46..8e07032cd1 100644 --- a/doc/man3/OSSL_CRMF_pbmp_new.pod +++ b/doc/man3/OSSL_CRMF_pbmp_new.pod @@ -66,6 +66,10 @@ structure, or NULL on error. RFC 4211 section 4.4 +=head1 HISTORY + +The OpenSSL CRMF support was added in OpenSSL 3.0. + =head1 COPYRIGHT Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man3/X509_dup.pod b/doc/man3/X509_dup.pod index e6ee557e8f..12675c454f 100644 --- a/doc/man3/X509_dup.pod +++ b/doc/man3/X509_dup.pod @@ -123,13 +123,13 @@ OCSP_SIGNATURE_new, OCSP_SINGLERESP_free, OCSP_SINGLERESP_new, OSSL_CMP_ITAV_free, -OSSL_CMP_MSG_dup, -OSSL_CMP_MSG_free, OSSL_CMP_MSG_it, +OSSL_CMP_MSG_free, OSSL_CMP_PKIHEADER_free, OSSL_CMP_PKIHEADER_it, OSSL_CMP_PKIHEADER_new, OSSL_CMP_PKISI_free, +OSSL_CMP_PKISI_new, OSSL_CMP_PKISTATUS_it, OSSL_CRMF_CERTID_free, OSSL_CRMF_CERTID_it, @@ -252,13 +252,10 @@ X509_ALGOR_new, X509_ATTRIBUTE_dup, X509_ATTRIBUTE_free, X509_ATTRIBUTE_new, -X509_CERT_AUX_dup, X509_CERT_AUX_free, X509_CERT_AUX_new, -X509_CINF_dup, X509_CINF_free, X509_CINF_new, -X509_CRL_INFO_dup, X509_CRL_INFO_free, X509_CRL_INFO_new, X509_CRL_dup, @@ -273,7 +270,6 @@ X509_NAME_ENTRY_new, X509_NAME_dup, X509_NAME_free, X509_NAME_new, -X509_REQ_INFO_dup, X509_REQ_INFO_free, X509_REQ_INFO_new, X509_REQ_dup, @@ -282,7 +278,6 @@ X509_REQ_new, X509_REVOKED_dup, X509_REVOKED_free, X509_REVOKED_new, -X509_SIG_dup, X509_SIG_free, X509_SIG_new, X509_VAL_free, diff --git a/include/openssl/cmp.h b/include/openssl/cmp.h index 3d9c3d4d37..1a628dbd62 100644 --- a/include/openssl/cmp.h +++ b/include/openssl/cmp.h @@ -1,4 +1,4 @@ -/*- +/* * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved. * Copyright Nokia 2007-2019 * Copyright Siemens AG 2015-2019 @@ -7,8 +7,6 @@ * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at * https://www.openssl.org/source/license.html - * - * CMP (RFC 4210) implementation by M. Peylo, M. Viljanen, and D. von Oheimb. */ #ifndef OSSL_HEADER_CMP_H @@ -19,6 +17,7 @@ # include # include +# include /* explicit #includes not strictly needed since implied by the above: */ # include @@ -203,26 +202,30 @@ DECLARE_ASN1_ITEM(OSSL_CMP_PKISTATUS) # define OSSL_CMP_CERTORENCCERT_ENCRYPTEDCERT 1 /* data type declarations */ -typedef struct OSSL_cmp_ctx_st OSSL_CMP_CTX; -typedef struct OSSL_cmp_pkiheader_st OSSL_CMP_PKIHEADER; +typedef struct ossl_cmp_ctx_st OSSL_CMP_CTX; +typedef struct ossl_cmp_pkiheader_st OSSL_CMP_PKIHEADER; DECLARE_ASN1_FUNCTIONS(OSSL_CMP_PKIHEADER) -typedef struct OSSL_cmp_msg_st OSSL_CMP_MSG; +typedef struct ossl_cmp_msg_st OSSL_CMP_MSG; DECLARE_ASN1_ENCODE_FUNCTIONS(OSSL_CMP_MSG, OSSL_CMP_MSG, OSSL_CMP_MSG) -typedef struct OSSL_cmp_certstatus_st OSSL_CMP_CERTSTATUS; +typedef struct ossl_cmp_certstatus_st OSSL_CMP_CERTSTATUS; DEFINE_STACK_OF(OSSL_CMP_CERTSTATUS) -typedef struct OSSL_cmp_itav_st OSSL_CMP_ITAV; +typedef struct ossl_cmp_itav_st OSSL_CMP_ITAV; DEFINE_STACK_OF(OSSL_CMP_ITAV) -typedef struct OSSL_cmp_revrepcontent_st OSSL_CMP_REVREPCONTENT; -typedef struct OSSL_cmp_pkisi_st OSSL_CMP_PKISI; +typedef struct ossl_cmp_revrepcontent_st OSSL_CMP_REVREPCONTENT; +typedef struct ossl_cmp_pkisi_st OSSL_CMP_PKISI; DEFINE_STACK_OF(OSSL_CMP_PKISI) -typedef struct OSSL_cmp_certrepmessage_st OSSL_CMP_CERTREPMESSAGE; +typedef struct ossl_cmp_certrepmessage_st OSSL_CMP_CERTREPMESSAGE; DEFINE_STACK_OF(OSSL_CMP_CERTREPMESSAGE) -typedef struct OSSL_cmp_pollrep_st OSSL_CMP_POLLREP; +typedef struct ossl_cmp_pollrep_st OSSL_CMP_POLLREP; typedef STACK_OF(OSSL_CMP_POLLREP) OSSL_CMP_POLLREPCONTENT; -typedef struct OSSL_cmp_certresponse_st OSSL_CMP_CERTRESPONSE; +typedef struct ossl_cmp_certresponse_st OSSL_CMP_CERTRESPONSE; DEFINE_STACK_OF(OSSL_CMP_CERTRESPONSE) typedef STACK_OF(ASN1_UTF8STRING) OSSL_CMP_PKIFREETEXT; +/* + * function DECLARATIONS + */ + /* from cmp_asn.c */ OSSL_CMP_ITAV *OSSL_CMP_ITAV_create(ASN1_OBJECT *type, ASN1_TYPE *value); void OSSL_CMP_ITAV_set0(OSSL_CMP_ITAV *itav, ASN1_OBJECT *type, @@ -233,8 +236,106 @@ int OSSL_CMP_ITAV_push0_stack_item(STACK_OF(OSSL_CMP_ITAV) **itav_sk_p, OSSL_CMP_ITAV *itav); void OSSL_CMP_ITAV_free(OSSL_CMP_ITAV *itav); void OSSL_CMP_MSG_free(OSSL_CMP_MSG *msg); -void OSSL_CMP_PKISI_free(OSSL_CMP_PKISI *si); -DECLARE_ASN1_DUP_FUNCTION(OSSL_CMP_MSG) + +/* from cmp_ctx.c */ +OSSL_CMP_CTX *OSSL_CMP_CTX_new(void); +void OSSL_CMP_CTX_free(OSSL_CMP_CTX *ctx); +int OSSL_CMP_CTX_reinit(OSSL_CMP_CTX *ctx); +/* various CMP options: */ +# define OSSL_CMP_OPT_LOG_VERBOSITY 0 +# define OSSL_CMP_OPT_MSGTIMEOUT 1 +# define OSSL_CMP_OPT_TOTALTIMEOUT 2 +# define OSSL_CMP_OPT_VALIDITYDAYS 3 +# define OSSL_CMP_OPT_SUBJECTALTNAME_NODEFAULT 4 +# define OSSL_CMP_OPT_SUBJECTALTNAME_CRITICAL 5 +# define OSSL_CMP_OPT_POLICIES_CRITICAL 6 +# define OSSL_CMP_OPT_POPOMETHOD 7 +# define OSSL_CMP_OPT_DIGEST_ALGNID 8 +# define OSSL_CMP_OPT_OWF_ALGNID 9 +# define OSSL_CMP_OPT_MAC_ALGNID 10 +# define OSSL_CMP_OPT_REVOCATION_REASON 11 +# define OSSL_CMP_OPT_IMPLICITCONFIRM 12 +# define OSSL_CMP_OPT_DISABLECONFIRM 13 +# define OSSL_CMP_OPT_UNPROTECTED_SEND 14 +# define OSSL_CMP_OPT_UNPROTECTED_ERRORS 15 +# define OSSL_CMP_OPT_IGNORE_KEYUSAGE 16 +# define OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR 17 +int OSSL_CMP_CTX_set_option(OSSL_CMP_CTX *ctx, int opt, int val); +int OSSL_CMP_CTX_get_option(const OSSL_CMP_CTX *ctx, int opt); +/* CMP-specific callback for logging and outputting the error queue: */ +int OSSL_CMP_CTX_set_log_cb(OSSL_CMP_CTX *ctx, OSSL_cmp_log_cb_t cb); +#define OSSL_CMP_CTX_set_log_verbosity(ctx, level) \ + OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_LOG_VERBOSITY, level) +void OSSL_CMP_CTX_print_errors(OSSL_CMP_CTX *ctx); +/* message transfer: */ +int OSSL_CMP_CTX_set1_serverPath(OSSL_CMP_CTX *ctx, const char *path); +int OSSL_CMP_CTX_set1_serverName(OSSL_CMP_CTX *ctx, const char *name); +int OSSL_CMP_CTX_set_serverPort(OSSL_CMP_CTX *ctx, int port); +int OSSL_CMP_CTX_set1_proxyName(OSSL_CMP_CTX *ctx, const char *name); +int OSSL_CMP_CTX_set_proxyPort(OSSL_CMP_CTX *ctx, int port); +# define OSSL_CMP_DEFAULT_PORT 80 +typedef BIO *(*OSSL_cmp_http_cb_t) (OSSL_CMP_CTX *ctx, BIO *hbio, + unsigned long detail); +int OSSL_CMP_CTX_set_http_cb(OSSL_CMP_CTX *ctx, OSSL_cmp_http_cb_t cb); +int OSSL_CMP_CTX_set_http_cb_arg(OSSL_CMP_CTX *ctx, void *arg); +void *OSSL_CMP_CTX_get_http_cb_arg(const OSSL_CMP_CTX *ctx); +typedef int (*OSSL_cmp_transfer_cb_t) (OSSL_CMP_CTX *ctx, + const OSSL_CMP_MSG *req, + OSSL_CMP_MSG **res); +int OSSL_CMP_CTX_set_transfer_cb(OSSL_CMP_CTX *ctx, OSSL_cmp_transfer_cb_t cb); +int OSSL_CMP_CTX_set_transfer_cb_arg(OSSL_CMP_CTX *ctx, void *arg); +void *OSSL_CMP_CTX_get_transfer_cb_arg(const OSSL_CMP_CTX *ctx); +/* server authentication: */ +int OSSL_CMP_CTX_set1_srvCert(OSSL_CMP_CTX *ctx, X509 *cert); +int OSSL_CMP_CTX_set1_expected_sender(OSSL_CMP_CTX *ctx, const X509_NAME *name); +int OSSL_CMP_CTX_set0_trustedStore(OSSL_CMP_CTX *ctx, X509_STORE *store); +X509_STORE *OSSL_CMP_CTX_get0_trustedStore(const OSSL_CMP_CTX *ctx); +int OSSL_CMP_CTX_set1_untrusted_certs(OSSL_CMP_CTX *ctx, STACK_OF(X509) *certs); +STACK_OF(X509) *OSSL_CMP_CTX_get0_untrusted_certs(const OSSL_CMP_CTX *ctx); +/* client authentication: */ +int OSSL_CMP_CTX_set1_clCert(OSSL_CMP_CTX *ctx, X509 *cert); +int OSSL_CMP_CTX_set1_pkey(OSSL_CMP_CTX *ctx, EVP_PKEY *pkey); +int OSSL_CMP_CTX_set1_referenceValue(OSSL_CMP_CTX *ctx, + const unsigned char *ref, int len); +int OSSL_CMP_CTX_set1_secretValue(OSSL_CMP_CTX *ctx, const unsigned char *sec, + const int len); +/* CMP message header and extra certificates: */ +int OSSL_CMP_CTX_set1_recipient(OSSL_CMP_CTX *ctx, const X509_NAME *name); +int OSSL_CMP_CTX_push0_geninfo_ITAV(OSSL_CMP_CTX *ctx, OSSL_CMP_ITAV *itav); +int OSSL_CMP_CTX_set1_extraCertsOut(OSSL_CMP_CTX *ctx, + STACK_OF(X509) *extraCertsOut); +/* certificate template: */ +int OSSL_CMP_CTX_set0_newPkey(OSSL_CMP_CTX *ctx, int priv, EVP_PKEY *pkey); +EVP_PKEY *OSSL_CMP_CTX_get0_newPkey(const OSSL_CMP_CTX *ctx, int priv); +int OSSL_CMP_CTX_set1_issuer(OSSL_CMP_CTX *ctx, const X509_NAME *name); +int OSSL_CMP_CTX_set1_subjectName(OSSL_CMP_CTX *ctx, const X509_NAME *name); +int OSSL_CMP_CTX_push1_subjectAltName(OSSL_CMP_CTX *ctx, const GENERAL_NAME *name); +int OSSL_CMP_CTX_set0_reqExtensions(OSSL_CMP_CTX *ctx, X509_EXTENSIONS *exts); +int OSSL_CMP_CTX_reqExtensions_have_SAN(OSSL_CMP_CTX *ctx); +int OSSL_CMP_CTX_push0_policy(OSSL_CMP_CTX *ctx, POLICYINFO *pinfo); +int OSSL_CMP_CTX_set1_oldCert(OSSL_CMP_CTX *ctx, X509 *cert); +int OSSL_CMP_CTX_set1_p10CSR(OSSL_CMP_CTX *ctx, const X509_REQ *csr); +/* misc body contents: */ +int OSSL_CMP_CTX_push0_genm_ITAV(OSSL_CMP_CTX *ctx, OSSL_CMP_ITAV *itav); +/* certificate confirmation: */ +typedef int (*OSSL_cmp_certConf_cb_t) (OSSL_CMP_CTX *ctx, X509 *cert, + int fail_info, const char **txt); +int OSSL_CMP_CTX_set_certConf_cb(OSSL_CMP_CTX *ctx, OSSL_cmp_certConf_cb_t cb); +int OSSL_CMP_CTX_set_certConf_cb_arg(OSSL_CMP_CTX *ctx, void *arg); +void *OSSL_CMP_CTX_get_certConf_cb_arg(const OSSL_CMP_CTX *ctx); +/* result fetching: */ +int OSSL_CMP_CTX_get_status(const OSSL_CMP_CTX *ctx); +OSSL_CMP_PKIFREETEXT *OSSL_CMP_CTX_get0_statusString(const OSSL_CMP_CTX *ctx); +int OSSL_CMP_CTX_get_failInfoCode(const OSSL_CMP_CTX *ctx); +# define OSSL_CMP_PKISI_BUFLEN 1024 +X509 *OSSL_CMP_CTX_get0_newCert(const OSSL_CMP_CTX *ctx); +STACK_OF(X509) *OSSL_CMP_CTX_get1_caPubs(const OSSL_CMP_CTX *ctx); +STACK_OF(X509) *OSSL_CMP_CTX_get1_extraCertsIn(const OSSL_CMP_CTX *ctx); +/* support application-level CMP debugging in cmp.c: */ +int OSSL_CMP_CTX_set1_transactionID(OSSL_CMP_CTX *ctx, + const ASN1_OCTET_STRING *id); +int OSSL_CMP_CTX_set1_senderNonce(OSSL_CMP_CTX *ctx, + const ASN1_OCTET_STRING *nonce); # ifdef __cplusplus } diff --git a/include/openssl/cmp_util.h b/include/openssl/cmp_util.h new file mode 100644 index 0000000000..5e06a3aaae --- /dev/null +++ b/include/openssl/cmp_util.h @@ -0,0 +1,79 @@ +/* + * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright Nokia 2007-2019 + * Copyright Siemens AG 2015-2019 + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#ifndef OSSL_HEADER_CMP_UTIL_H +# define OSSL_HEADER_CMP_UTIL_H + +# include +# ifndef OPENSSL_NO_CMP + +# include +# include +# include + +# ifdef __cplusplus +extern "C" { +# endif + +/* + * convenience functions for CMP-specific logging via the trace API + */ + +int OSSL_CMP_log_open(void); +void OSSL_CMP_log_close(void); +# define OSSL_CMP_LOG_PREFIX "CMP " +/* in OSSL_CMP_LOG_START, cannot use OPENSSL_FUNC when expands to __func__ */ +# define OSSL_CMP_LOG_START "%s:" OPENSSL_FILE ":" \ + OPENSSL_MSTR(OPENSSL_LINE) ":" OSSL_CMP_LOG_PREFIX +# define OSSL_CMP_alert(msg) OSSL_CMP_log(ALERT, msg) +# define OSSL_CMP_err(msg) OSSL_CMP_log(ERROR, msg) +# define OSSL_CMP_warn(msg) OSSL_CMP_log(WARN, msg) +# define OSSL_CMP_info(msg) OSSL_CMP_log(INFO, msg) +# define OSSL_CMP_debug(msg) OSSL_CMP_log(DEBUG, msg) +# define OSSL_CMP_log(level, msg) \ + OSSL_TRACEV(CMP, (trc_out, OSSL_CMP_LOG_START#level ": %s\n", \ + OPENSSL_FUNC, msg)) +# define OSSL_CMP_log1(level, fmt, arg1) \ + OSSL_TRACEV(CMP, (trc_out, OSSL_CMP_LOG_START#level ": " fmt "\n", \ + OPENSSL_FUNC, arg1)) +# define OSSL_CMP_log2(level, fmt, arg1, arg2) \ + OSSL_TRACEV(CMP, (trc_out, OSSL_CMP_LOG_START#level ": " fmt "\n", \ + OPENSSL_FUNC, arg1, arg2)) +# define OSSL_CMP_log3(level, fmt, arg1, arg2, arg3) \ + OSSL_TRACEV(CMP, (trc_out, OSSL_CMP_LOG_START#level ": " fmt "\n", \ + OPENSSL_FUNC, arg1, arg2, arg3)) +# define OSSL_CMP_log4(level, fmt, arg1, arg2, arg3, arg4) \ + OSSL_TRACEV(CMP, (trc_out, OSSL_CMP_LOG_START#level ": " fmt "\n", \ + OPENSSL_FUNC, arg1, arg2, arg3, arg4)) + +/* + * generalized logging/error callback mirroring the severity levels of syslog.h + */ +typedef int OSSL_CMP_severity; +# define OSSL_CMP_LOG_EMERG 0 +# define OSSL_CMP_LOG_ALERT 1 +# define OSSL_CMP_LOG_CRIT 2 +# define OSSL_CMP_LOG_ERR 3 +# define OSSL_CMP_LOG_WARNING 4 +# define OSSL_CMP_LOG_NOTICE 5 +# define OSSL_CMP_LOG_INFO 6 +# define OSSL_CMP_LOG_DEBUG 7 +typedef int (*OSSL_cmp_log_cb_t)(const char *func, const char *file, int line, + OSSL_CMP_severity level, const char *msg); + +/* use of the logging callback for outputting error queue */ +void OSSL_CMP_print_errors_cb(OSSL_cmp_log_cb_t log_fn); + +# ifdef __cplusplus +} +# endif +# endif /* !defined OPENSSL_NO_CMP */ +#endif /* !defined OSSL_HEADER_CMP_UTIL_H */ diff --git a/include/openssl/cmperr.h b/include/openssl/cmperr.h index 7b864c6b9c..18c56efbef 100644 --- a/include/openssl/cmperr.h +++ b/include/openssl/cmperr.h @@ -33,6 +33,10 @@ int ERR_load_CMP_strings(void); /* * CMP reason codes. */ +# define CMP_R_INVALID_ARGS 100 +# define CMP_R_MULTIPLE_SAN_SOURCES 102 +# define CMP_R_NO_STDIO 194 +# define CMP_R_NULL_ARGUMENT 103 # endif #endif diff --git a/include/openssl/crmf.h b/include/openssl/crmf.h index bc0c891cd6..1e34e56996 100644 --- a/include/openssl/crmf.h +++ b/include/openssl/crmf.h @@ -39,30 +39,30 @@ extern "C" { # define OSSL_CRMF_SUBSEQUENTMESSAGE_ENCRCERT 0 # define OSSL_CRMF_SUBSEQUENTMESSAGE_CHALLENGERESP 1 -typedef struct OSSL_crmf_encryptedvalue_st OSSL_CRMF_ENCRYPTEDVALUE; +typedef struct ossl_crmf_encryptedvalue_st OSSL_CRMF_ENCRYPTEDVALUE; DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_ENCRYPTEDVALUE) -typedef struct OSSL_crmf_msg_st OSSL_CRMF_MSG; +typedef struct ossl_crmf_msg_st OSSL_CRMF_MSG; DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_MSG) DEFINE_STACK_OF(OSSL_CRMF_MSG) -typedef struct OSSL_crmf_attributetypeandvalue_st OSSL_CRMF_ATTRIBUTETYPEANDVALUE; -typedef struct OSSL_crmf_pbmparameter_st OSSL_CRMF_PBMPARAMETER; +typedef struct ossl_crmf_attributetypeandvalue_st OSSL_CRMF_ATTRIBUTETYPEANDVALUE; +typedef struct ossl_crmf_pbmparameter_st OSSL_CRMF_PBMPARAMETER; DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_PBMPARAMETER) -typedef struct OSSL_crmf_poposigningkey_st OSSL_CRMF_POPOSIGNINGKEY; -typedef struct OSSL_crmf_certrequest_st OSSL_CRMF_CERTREQUEST; -typedef struct OSSL_crmf_certid_st OSSL_CRMF_CERTID; +typedef struct ossl_crmf_poposigningkey_st OSSL_CRMF_POPOSIGNINGKEY; +typedef struct ossl_crmf_certrequest_st OSSL_CRMF_CERTREQUEST; +typedef struct ossl_crmf_certid_st OSSL_CRMF_CERTID; DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_CERTID) DEFINE_STACK_OF(OSSL_CRMF_CERTID) -typedef struct OSSL_crmf_pkipublicationinfo_st OSSL_CRMF_PKIPUBLICATIONINFO; +typedef struct ossl_crmf_pkipublicationinfo_st OSSL_CRMF_PKIPUBLICATIONINFO; DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_PKIPUBLICATIONINFO) -typedef struct OSSL_crmf_singlepubinfo_st OSSL_CRMF_SINGLEPUBINFO; +typedef struct ossl_crmf_singlepubinfo_st OSSL_CRMF_SINGLEPUBINFO; DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_SINGLEPUBINFO) -typedef struct OSSL_crmf_certtemplate_st OSSL_CRMF_CERTTEMPLATE; +typedef struct ossl_crmf_certtemplate_st OSSL_CRMF_CERTTEMPLATE; DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_CERTTEMPLATE) typedef STACK_OF(OSSL_CRMF_MSG) OSSL_CRMF_MSGS; DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_MSGS) -typedef struct OSSL_crmf_optionalvalidity_st OSSL_CRMF_OPTIONALVALIDITY; +typedef struct ossl_crmf_optionalvalidity_st OSSL_CRMF_OPTIONALVALIDITY; /* crmf_pbm.c */ OSSL_CRMF_PBMPARAMETER *OSSL_CRMF_pbmp_new(size_t slen, int owfnid, @@ -109,7 +109,7 @@ int OSSL_CRMF_MSG_set_certReqId(OSSL_CRMF_MSG *crm, int rid); int OSSL_CRMF_MSG_get_certReqId(OSSL_CRMF_MSG *crm); int OSSL_CRMF_MSG_set0_extensions(OSSL_CRMF_MSG *crm, X509_EXTENSIONS *exts); -int OSSL_CRMF_MSG_push0_extension(OSSL_CRMF_MSG *crm, const X509_EXTENSION *ext); +int OSSL_CRMF_MSG_push0_extension(OSSL_CRMF_MSG *crm, X509_EXTENSION *ext); # define OSSL_CRMF_POPO_NONE -1 # define OSSL_CRMF_POPO_RAVERIFIED 0 # define OSSL_CRMF_POPO_SIGNATURE 1 @@ -122,6 +122,8 @@ int OSSL_CRMF_MSGS_verify_popo(const OSSL_CRMF_MSGS *reqs, OSSL_CRMF_CERTTEMPLATE *OSSL_CRMF_MSG_get0_tmpl(const OSSL_CRMF_MSG *crm); ASN1_INTEGER *OSSL_CRMF_CERTTEMPLATE_get0_serialNumber(OSSL_CRMF_CERTTEMPLATE *t); X509_NAME *OSSL_CRMF_CERTTEMPLATE_get0_issuer(OSSL_CRMF_CERTTEMPLATE *tmpl); +X509_NAME *OSSL_CRMF_CERTID_get0_issuer(const OSSL_CRMF_CERTID *cid); +ASN1_INTEGER *OSSL_CRMF_CERTID_get0_serialNumber(const OSSL_CRMF_CERTID *cid); int OSSL_CRMF_CERTTEMPLATE_fill(OSSL_CRMF_CERTTEMPLATE *tmpl, EVP_PKEY *pubkey, const X509_NAME *subject, diff --git a/include/openssl/ocsp.h b/include/openssl/ocsp.h index 5fdff0884b..3a37f613ed 100644 --- a/include/openssl/ocsp.h +++ b/include/openssl/ocsp.h @@ -26,7 +26,10 @@ * superseded (4), * cessationOfOperation (5), * certificateHold (6), - * removeFromCRL (8) } + * -- value 7 is not used + * removeFromCRL (8), + * privilegeWithdrawn (9), + * aACompromise (10) } */ # define OCSP_REVOKED_STATUS_NOSTATUS -1 # define OCSP_REVOKED_STATUS_UNSPECIFIED 0 @@ -37,6 +40,8 @@ # define OCSP_REVOKED_STATUS_CESSATIONOFOPERATION 5 # define OCSP_REVOKED_STATUS_CERTIFICATEHOLD 6 # define OCSP_REVOKED_STATUS_REMOVEFROMCRL 8 +# define OCSP_REVOKED_STATUS_PRIVILEGEWITHDRAWN 9 +# define OCSP_REVOKED_STATUS_AACOMPROMISE 10 # ifndef OPENSSL_NO_OCSP diff --git a/include/openssl/trace.h b/include/openssl/trace.h index 79598ab63e..cc1888b579 100644 --- a/include/openssl/trace.h +++ b/include/openssl/trace.h @@ -49,7 +49,8 @@ extern "C" { # define OSSL_TRACE_CATEGORY_PKCS12_DECRYPT 10 # define OSSL_TRACE_CATEGORY_X509V3_POLICY 11 # define OSSL_TRACE_CATEGORY_BN_CTX 12 -# define OSSL_TRACE_CATEGORY_NUM 13 +# define OSSL_TRACE_CATEGORY_CMP 13 +# define OSSL_TRACE_CATEGORY_NUM 14 /* Returns the trace category number for the given |name| */ int OSSL_trace_get_category_num(const char *name); diff --git a/test/build.info b/test/build.info index f41c72c21e..caa70da821 100644 --- a/test/build.info +++ b/test/build.info @@ -302,6 +302,7 @@ IF[{- !$disabled{tests} -}] INCLUDE[ssl_test_ctx.o]=../include INCLUDE[handshake_helper.o]=.. ../include INCLUDE[ssltestlib.o]=.. ../include + INCLUDE[cmp_testlib.o]=.. ../include ../apps/include SOURCE[x509aux]=x509aux.c INCLUDE[x509aux]=../include ../apps/include @@ -468,6 +469,18 @@ IF[{- !$disabled{tests} -}] INCLUDE[conf_include_test]=../include ../apps/include DEPEND[conf_include_test]=../libcrypto libtestutil.a + IF[{- !$disabled{cmp} -}] + PROGRAMS{noinst}=cmp_asn_test cmp_ctx_test + ENDIF + + SOURCE[cmp_asn_test]=cmp_asn_test.c cmp_testlib.c + INCLUDE[cmp_asn_test]=.. ../include ../apps/include + DEPEND[cmp_asn_test]=../libcrypto.a libtestutil.a + + SOURCE[cmp_ctx_test]=cmp_ctx_test.c cmp_testlib.c + INCLUDE[cmp_ctx_test]=.. ../include ../apps/include + DEPEND[cmp_ctx_test]=../libcrypto.a libtestutil.a + # Internal test programs. These are essentially a collection of internal # test routines. Some of them need to reach internal symbols that aren't # available through the shared library (at least on Linux, Solaris, Windows diff --git a/test/cmp_asn_test.c b/test/cmp_asn_test.c new file mode 100644 index 0000000000..70439bf0af --- /dev/null +++ b/test/cmp_asn_test.c @@ -0,0 +1,132 @@ +/* + * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright Nokia 2007-2019 + * Copyright Siemens AG 2015-2019 + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include "cmp_testlib.h" + +static unsigned char rand_data[OSSL_CMP_TRANSACTIONID_LENGTH]; + +typedef struct test_fixture { + const char *test_case_name; + int expected; + ASN1_OCTET_STRING *src_string; + ASN1_OCTET_STRING *tgt_string; + +} CMP_ASN_TEST_FIXTURE; + +static CMP_ASN_TEST_FIXTURE *set_up(const char *const test_case_name) +{ + CMP_ASN_TEST_FIXTURE *fixture; + int setup_ok = 0; + + /* Allocate memory owned by the fixture, exit on error */ + if (!TEST_ptr(fixture = OPENSSL_zalloc(sizeof(*fixture)))) + goto err; + fixture->test_case_name = test_case_name; + setup_ok = 1; + + err: + if (!setup_ok) { +#ifndef OPENSSL_NO_STDIO + ERR_print_errors_fp(stderr); +#endif + exit(EXIT_FAILURE); + } + return fixture; +} + +static void tear_down(CMP_ASN_TEST_FIXTURE *fixture) +{ + ASN1_OCTET_STRING_free(fixture->src_string); + if (fixture->tgt_string != fixture->src_string) + ASN1_OCTET_STRING_free(fixture->tgt_string); + + OPENSSL_free(fixture); +} + +static int execute_cmp_asn1_get_int_test(CMP_ASN_TEST_FIXTURE * + fixture) +{ + ASN1_INTEGER *asn1integer = ASN1_INTEGER_new(); + ASN1_INTEGER_set(asn1integer, 77); + if (!TEST_int_eq(77, ossl_cmp_asn1_get_int(asn1integer))) + return 0; + ASN1_INTEGER_free(asn1integer); + return 1; +} + +static int test_cmp_asn1_get_int(void) +{ + SETUP_TEST_FIXTURE(CMP_ASN_TEST_FIXTURE, set_up); + fixture->expected = 1; + EXECUTE_TEST(execute_cmp_asn1_get_int_test, tear_down); + return result; +} + +static int execute_CMP_ASN1_OCTET_STRING_set1_test(CMP_ASN_TEST_FIXTURE * + fixture) +{ + if (!TEST_int_eq(fixture->expected, + ossl_cmp_asn1_octet_string_set1(&fixture->tgt_string, + fixture->src_string))) + return 0; + if (fixture->expected != 0) + return TEST_int_eq(0, ASN1_OCTET_STRING_cmp(fixture->tgt_string, + fixture->src_string)); + return 1; +} + +static int test_ASN1_OCTET_STRING_set(void) +{ + SETUP_TEST_FIXTURE(CMP_ASN_TEST_FIXTURE, set_up); + fixture->expected = 1; + if (!TEST_ptr(fixture->tgt_string = ASN1_OCTET_STRING_new()) + || !TEST_ptr(fixture->src_string = ASN1_OCTET_STRING_new()) + || !TEST_true(ASN1_OCTET_STRING_set(fixture->src_string, rand_data, + sizeof(rand_data)))) { + tear_down(fixture); + fixture = NULL; + } + EXECUTE_TEST(execute_CMP_ASN1_OCTET_STRING_set1_test, tear_down); + return result; +} + +static int test_ASN1_OCTET_STRING_set_tgt_is_src(void) +{ + SETUP_TEST_FIXTURE(CMP_ASN_TEST_FIXTURE, set_up); + fixture->expected = 1; + if (!TEST_ptr(fixture->src_string = ASN1_OCTET_STRING_new()) + || !(fixture->tgt_string = fixture->src_string) + || !TEST_true(ASN1_OCTET_STRING_set(fixture->src_string, rand_data, + sizeof(rand_data)))) { + tear_down(fixture); + fixture = NULL; + } + EXECUTE_TEST(execute_CMP_ASN1_OCTET_STRING_set1_test, tear_down); + return result; +} + + +void cleanup_tests(void) +{ + return; +} + +int setup_tests(void) +{ + /* ASN.1 related tests */ + ADD_TEST(test_cmp_asn1_get_int); + ADD_TEST(test_ASN1_OCTET_STRING_set); + ADD_TEST(test_ASN1_OCTET_STRING_set_tgt_is_src); + /* TODO make sure that total number of tests (here currently 24) is shown, + also for other cmp_*text.c. Currently the test drivers always show 1. */ + + return 1; +} diff --git a/test/cmp_ctx_test.c b/test/cmp_ctx_test.c new file mode 100644 index 0000000000..4bcab69ab0 --- /dev/null +++ b/test/cmp_ctx_test.c @@ -0,0 +1,859 @@ +/* + * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright Nokia 2007-2019 + * Copyright Siemens AG 2015-2019 + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include "cmp_testlib.h" + +#include + +typedef struct test_fixture { + const char *test_case_name; + OSSL_CMP_CTX *ctx; +} OSSL_CMP_CTX_TEST_FIXTURE; + +static void tear_down(OSSL_CMP_CTX_TEST_FIXTURE *fixture) +{ + if (fixture != NULL) + OSSL_CMP_CTX_free(fixture->ctx); + OPENSSL_free(fixture); +} + +static OSSL_CMP_CTX_TEST_FIXTURE *set_up(const char *const test_case_name) +{ + OSSL_CMP_CTX_TEST_FIXTURE *fixture; + + if (!TEST_ptr(fixture = OPENSSL_zalloc(sizeof(*fixture))) + || !TEST_ptr(fixture->ctx = OSSL_CMP_CTX_new())) { + tear_down(fixture); + return NULL; + } + fixture->test_case_name = test_case_name; + return fixture; +} + +static STACK_OF(X509) *sk_X509_new_1(void) { + STACK_OF(X509) *sk = sk_X509_new_null(); + X509 *x = X509_new(); + + if (x == NULL || !sk_X509_push(sk, x)) { + sk_X509_free(sk); + X509_free(x); + sk = NULL; + } + return sk; +} + +static void sk_X509_pop_X509_free(STACK_OF(X509) *sk) { + sk_X509_pop_free(sk, X509_free); +} + +static int execute_CTX_reinit_test(OSSL_CMP_CTX_TEST_FIXTURE *fixture) +{ + OSSL_CMP_CTX *ctx = fixture->ctx; + ASN1_OCTET_STRING *bytes = NULL; + STACK_OF(X509) *certs = NULL; + int res = 0; + + /* set non-default values in all relevant fields */ + ctx->status = 1; + ctx->failInfoCode = 1; + if (!ossl_cmp_ctx_set0_statusString(ctx, sk_ASN1_UTF8STRING_new_null()) + || !ossl_cmp_ctx_set0_newCert(ctx, X509_new()) + || !TEST_ptr(certs = sk_X509_new_1()) + || !ossl_cmp_ctx_set1_caPubs(ctx, certs) + || !ossl_cmp_ctx_set1_extraCertsIn(ctx, certs) + || !ossl_cmp_ctx_set0_validatedSrvCert(ctx, X509_new()) + || !TEST_ptr(bytes = ASN1_OCTET_STRING_new()) + || !OSSL_CMP_CTX_set1_transactionID(ctx, bytes) + || !OSSL_CMP_CTX_set1_senderNonce(ctx, bytes) + || !ossl_cmp_ctx_set1_recipNonce(ctx, bytes)) + + goto err; + + if (!TEST_true(OSSL_CMP_CTX_reinit(ctx))) + goto err; + + /* check whether values have been reset to default in all relevant fields */ + if (!TEST_true(ctx->status == -1 + && ctx->failInfoCode == -1 + && ctx->statusString == NULL + && ctx->newCert == NULL + && ctx->caPubs == NULL + && ctx->extraCertsIn == NULL + && ctx->validatedSrvCert == NULL + && ctx->transactionID == NULL + && ctx->senderNonce == NULL + && ctx->recipNonce == NULL)) + goto err; + + /* this does not check that all remaining fields are untouched */ + res = 1; + + err: + sk_X509_pop_X509_free(certs); + ASN1_OCTET_STRING_free(bytes); + return res; +} + +static int test_CTX_reinit(void) +{ + SETUP_TEST_FIXTURE(OSSL_CMP_CTX_TEST_FIXTURE, set_up); + EXECUTE_TEST(execute_CTX_reinit_test, tear_down); + return result; +} + +static int msg_total_size = 0; +static int msg_total_size_log_cb(const char *func, const char *file, int line, + OSSL_CMP_severity level, const char *msg) +{ + msg_total_size += strlen(msg); + return 1; +} + +#define STR64 "This is a 64 bytes looooooooooooooooooooooooooooooooong string.\n" +/* max string length ISO C90 compilers are required to support is 509. */ +#define STR509 STR64 STR64 STR64 STR64 STR64 STR64 STR64 \ + "This is a 61 bytes loooooooooooooooooooooooooooooong string.\n" +static const char *const max_str_literal = STR509; +#define STR_SEP "" + +static int execute_CTX_print_errors_test(OSSL_CMP_CTX_TEST_FIXTURE *fixture) +{ + OSSL_CMP_CTX *ctx = fixture->ctx; + int base_err_msg_size, expected_size; + int res = 1; + + if (!TEST_true(OSSL_CMP_CTX_set_log_cb(ctx, NULL))) + res = 0; + if (!TEST_true(ctx->log_cb == NULL)) + res = 0; + +#ifndef OPENSSL_NO_STDIO + CMPerr(0, CMP_R_MULTIPLE_SAN_SOURCES); + OSSL_CMP_CTX_print_errors(ctx); /* should print above error to STDERR */ +#endif + + /* this should work regardless of OPENSSL_NO_STDIO and OPENSSL_NO_TRACE: */ + if (!TEST_true(OSSL_CMP_CTX_set_log_cb(ctx, msg_total_size_log_cb))) + res = 0; + if (!TEST_true(ctx->log_cb == msg_total_size_log_cb)) { + res = 0; + } else { + CMPerr(0, CMP_R_INVALID_ARGS); + base_err_msg_size = strlen("INVALID_ARGS"); + CMPerr(0, CMP_R_NULL_ARGUMENT); + base_err_msg_size += strlen("NULL_ARGUMENT"); + expected_size = base_err_msg_size; + ossl_cmp_add_error_data("data1"); /* should prepend separator " : " */ + expected_size += strlen(" : " "data1"); + ossl_cmp_add_error_data("data2"); /* should prepend separator " : " */ + expected_size += strlen(" : " "data2"); + ossl_cmp_add_error_line("new line"); /* should prepend separator "\n" */ + expected_size += strlen("\n" "new line"); + OSSL_CMP_CTX_print_errors(ctx); + if (!TEST_int_eq(msg_total_size, expected_size)) + res = 0; + + CMPerr(0, CMP_R_INVALID_ARGS); + base_err_msg_size = strlen("INVALID_ARGS") + strlen(" : "); + expected_size = base_err_msg_size; + while (expected_size < 4096) { /* force split */ + ossl_cmp_add_error_txt(STR_SEP, max_str_literal); + expected_size += strlen(STR_SEP) + strlen(max_str_literal); + } + expected_size += base_err_msg_size - 2 * strlen(STR_SEP); + msg_total_size = 0; + OSSL_CMP_CTX_print_errors(ctx); + if (!TEST_int_eq(msg_total_size, expected_size)) + res = 0; + } + + return res; +} + +static int test_CTX_print_errors(void) +{ + SETUP_TEST_FIXTURE(OSSL_CMP_CTX_TEST_FIXTURE, set_up); + EXECUTE_TEST(execute_CTX_print_errors_test, tear_down); + return result; +} + +static int execute_CTX_reqExtensions_have_SAN_test( + OSSL_CMP_CTX_TEST_FIXTURE *fixture) +{ + OSSL_CMP_CTX *ctx = fixture->ctx; + const int len = 16; + unsigned char str[16 /* = len */ ]; + ASN1_OCTET_STRING *data = NULL; + X509_EXTENSION *ext = NULL; + X509_EXTENSIONS *exts = NULL; + int res = 0; + + if (!TEST_false(OSSL_CMP_CTX_reqExtensions_have_SAN(ctx))) + return 0; + + if (!TEST_int_eq(1, RAND_bytes(str, len)) + || !TEST_ptr(data = ASN1_OCTET_STRING_new()) + || !TEST_true(ASN1_OCTET_STRING_set(data, str, len))) + goto err; + ext = X509_EXTENSION_create_by_NID(NULL, NID_subject_alt_name, 0, data); + if (!TEST_ptr(ext) + || !TEST_ptr(exts = sk_X509_EXTENSION_new_null()) + || !TEST_true(sk_X509_EXTENSION_push(exts, ext)) + || !TEST_true(OSSL_CMP_CTX_set0_reqExtensions(ctx, exts))) { + X509_EXTENSION_free(ext); + sk_X509_EXTENSION_free(exts); + goto err; + } + if (TEST_int_eq(OSSL_CMP_CTX_reqExtensions_have_SAN(ctx), 1)) { + ext = sk_X509_EXTENSION_pop(exts); + res = TEST_false(OSSL_CMP_CTX_reqExtensions_have_SAN(ctx)); + X509_EXTENSION_free(ext); + } + err: + ASN1_OCTET_STRING_free(data); + return res; +} + +static int test_CTX_reqExtensions_have_SAN(void) +{ + SETUP_TEST_FIXTURE(OSSL_CMP_CTX_TEST_FIXTURE, set_up); + EXECUTE_TEST(execute_CTX_reqExtensions_have_SAN_test, tear_down); + return result; +} + +#ifndef OPENSSL_NO_TRACE +static int test_log_line; +static int test_log_cb_res = 0; +static int test_log_cb(const char *func, const char *file, int line, + OSSL_CMP_severity level, const char *msg) +{ + test_log_cb_res = +# ifndef PEDANTIC + strcmp(func, "execute_cmp_ctx_log_cb_test") == 0 && +# endif + (strcmp(file, OPENSSL_FILE) == 0 || strcmp(file, "(no file)") == 0) + && (line == test_log_line || line == 0) + && (level == OSSL_CMP_LOG_INFO || level == -1) + && strcmp(msg, "ok\n") == 0; + return 1; +} +#endif + +static int execute_cmp_ctx_log_cb_test(OSSL_CMP_CTX_TEST_FIXTURE *fixture) +{ + int res = 1; +#if !defined OPENSSL_NO_TRACE && !defined OPENSSL_NO_STDIO + OSSL_CMP_CTX *ctx = fixture->ctx; + + OSSL_TRACE(ALL, "this general trace message is not shown by default\n"); + + OSSL_CMP_log_open(); + OSSL_CMP_log_open(); /* multiple calls should be harmless */ + + if (!TEST_true(OSSL_CMP_CTX_set_log_cb(ctx, NULL))) { + res = 0; + } else { + OSSL_CMP_err("this should be printed as CMP error message"); + OSSL_CMP_warn("this should be printed as CMP warning message"); + OSSL_CMP_debug("this should not be printed"); + TEST_true(OSSL_CMP_CTX_set_log_verbosity(ctx, OSSL_CMP_LOG_DEBUG)); + OSSL_CMP_debug("this should be printed as CMP debug message"); + TEST_true(OSSL_CMP_CTX_set_log_verbosity(ctx, OSSL_CMP_LOG_INFO)); + } + if (!TEST_true(OSSL_CMP_CTX_set_log_cb(ctx, test_log_cb))) { + res = 0; + } else { + test_log_line = OPENSSL_LINE + 1; + OSSL_CMP_log2(INFO, "%s%c", "o", 'k'); + if (!TEST_int_eq(test_log_cb_res, 1)) + res = 0; + OSSL_CMP_CTX_set_log_verbosity(ctx, OSSL_CMP_LOG_ERR); + test_log_cb_res = -1; /* callback should not be called at all */ + test_log_line = OPENSSL_LINE + 1; + OSSL_CMP_log2(INFO, "%s%c", "o", 'k'); + if (!TEST_int_eq(test_log_cb_res, -1)) + res = 0; + } + OSSL_CMP_log_close(); + OSSL_CMP_log_close(); /* multiple calls should be harmless */ +#endif + return res; +} + +static int test_cmp_ctx_log_cb(void) +{ + SETUP_TEST_FIXTURE(OSSL_CMP_CTX_TEST_FIXTURE, set_up); + EXECUTE_TEST(execute_cmp_ctx_log_cb_test, tear_down); + return result; +} + +static BIO *test_http_cb(OSSL_CMP_CTX *ctx, BIO *hbio, unsigned long detail) +{ + return NULL; +} + +static int test_transfer_cb(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *req, + OSSL_CMP_MSG **res) +{ + return 0; +} + +static int test_certConf_cb(OSSL_CMP_CTX *ctx, X509 *cert, int fail_info, + const char **txt) +{ + return 0; +} + +typedef OSSL_CMP_CTX CMP_CTX; /* prevents rewriting type name by below macro */ +#define OSSL_CMP_CTX 1 /* name prefix for exported setter functions */ +#define ossl_cmp_ctx 0 /* name prefix for internal setter functions */ +#define set 0 +#define set0 0 +#define set1 1 +#define get 0 +#define get0 0 +#define get1 1 + +#define DEFINE_SET_GET_BASE_TEST(PREFIX, SETN, GETN, DUP, FIELD, TYPE, ERR, \ + DEFAULT, NEW, FREE) \ +static int execute_CTX_##SETN##_##GETN##_##FIELD( \ + OSSL_CMP_CTX_TEST_FIXTURE *fixture) \ +{ \ + CMP_CTX *ctx = fixture->ctx; \ + int (*set_fn)(CMP_CTX *ctx, TYPE) = \ + (int (*)(CMP_CTX *ctx, TYPE))PREFIX##_##SETN##_##FIELD; \ + /* need type cast in above assignment because TYPE arg sometimes is const */ \ + TYPE (*get_fn)(const CMP_CTX *ctx) = OSSL_CMP_CTX_##GETN##_##FIELD; \ + TYPE val1_to_free = NEW; \ + TYPE val1 = val1_to_free; \ + TYPE val1_read = 0; /* 0 works for any type */ \ + TYPE val2_to_free = NEW; \ + TYPE val2 = val2_to_free; \ + TYPE val2_read = 0; \ + TYPE val3_read = 0; \ + int res = 1; \ + \ + if (!TEST_int_eq(ERR_peek_error(), 0)) \ + res = 0; \ + if (PREFIX == 1) { /* exported setter functions must test ctx == NULL */ \ + if ((*set_fn)(NULL, val1) || ERR_peek_error() == 0) { \ + TEST_error("setter did not return error on ctx == NULL"); \ + res = 0; \ + } \ + } \ + ERR_clear_error(); \ + \ + if ((*get_fn)(NULL) != ERR || ERR_peek_error() == 0) { \ + TEST_error("getter did not return error on ctx == NULL"); \ + res = 0; \ + } \ + ERR_clear_error(); \ + \ + val1_read = (*get_fn)(ctx); \ + if (!DEFAULT(val1_read)) { \ + TEST_error("did not get default value"); \ + res = 0; \ + } \ + if (!(*set_fn)(ctx, val1)) { \ + TEST_error("setting first value failed"); \ + res = 0; \ + } \ + if (SETN == 0) \ + val1_to_free = 0; /* 0 works for any type */ \ + \ + if (GETN == 1) \ + FREE(val1_read); \ + val1_read = (*get_fn)(ctx); \ + if (SETN == 0) { \ + if (val1_read != val1) { \ + TEST_error("set/get first value did not match"); \ + res = 0; \ + } \ + } else { \ + if (DUP && val1_read == val1) { \ + TEST_error("first set did not dup the value"); \ + res = 0; \ + } \ + if (DEFAULT(val1_read)) { \ + TEST_error("first set had no effect"); \ + res = 0; \ + } \ + } \ + \ + if (!(*set_fn)(ctx, val2)) { \ + TEST_error("setting second value failed"); \ + res = 0; \ + } \ + if (SETN == 0) \ + val2_to_free = 0; \ + \ + val2_read = (*get_fn)(ctx); \ + if (DEFAULT(val2_read)) { \ + TEST_error("second set reset the value"); \ + res = 0; \ + } \ + if (SETN == 0 && GETN == 0) { \ + if (val2_read != val2) { \ + TEST_error("set/get second value did not match"); \ + res = 0; \ + } \ + } else { \ + if (DUP && val2_read == val2) { \ + TEST_error("second set did not dup the value"); \ + res = 0; \ + } \ + if (val2 == val1) { \ + TEST_error("second value is same as first value"); \ + res = 0; \ + } \ + if (GETN == 1 && val2_read == val1_read) { \ + /* \ + * Note that if GETN == 0 then possibly val2_read == val1_read \ + * because set1 may allocate the new copy at the same location. \ + */ \ + TEST_error("second get returned same as first get"); \ + res = 0; \ + } \ + } \ + \ + val3_read = (*get_fn)(ctx); \ + if (DEFAULT(val3_read)) { \ + TEST_error("third set reset the value"); \ + res = 0; \ + } \ + if (GETN == 0) { \ + if (val3_read != val2_read) { \ + TEST_error("third get gave different value"); \ + res = 0; \ + } \ + } else { \ + if (DUP && val3_read == val2_read) { \ + TEST_error("third get did not create a new dup"); \ + res = 0; \ + } \ + } \ + /* this does not check that all remaining fields are untouched */ \ + \ + if (!TEST_int_eq(ERR_peek_error(), 0)) \ + res = 0; \ + \ + FREE(val1_to_free); \ + FREE(val2_to_free); \ + if (GETN == 1) { \ + FREE(val1_read); \ + FREE(val2_read); \ + FREE(val3_read); \ + } \ + return TEST_true(res); \ +} \ +\ +static int test_CTX_##SETN##_##GETN##_##FIELD(void) \ +{ \ + SETUP_TEST_FIXTURE(OSSL_CMP_CTX_TEST_FIXTURE, set_up); \ + EXECUTE_TEST(execute_CTX_##SETN##_##GETN##_##FIELD, tear_down); \ + return result; \ +} + +static char *char_new(void) { + return OPENSSL_strdup("test"); +} + +static void char_free(char *val) { + OPENSSL_free(val); +} + +#define EMPTY_SK_X509(x) ((x) == NULL || sk_X509_num(x) == 0) + +static X509_STORE *X509_STORE_new_1(void) { + X509_STORE *store = X509_STORE_new(); + + if (store != NULL) + X509_VERIFY_PARAM_set_flags(X509_STORE_get0_param(store), 1); + return store; +} + +#define DEFAULT_STORE(x) ((x) == NULL \ + || X509_VERIFY_PARAM_get_flags(X509_STORE_get0_param(x)) == 0) + +#define IS_NEG(x) ((x) < 0) +#define IS_0(x) ((x) == 0) /* for any type */ +#define IS_DEFAULT_PORT(x) ((x) == OSSL_CMP_DEFAULT_PORT) +#define DROP(x) (void)(x) /* dummy free() for non-pointer and function types */ + +#define ERR(x) (CMPerr(0, CMP_R_NULL_ARGUMENT), x) + +#define DEFINE_SET_GET_TEST(OSSL_CMP, CTX, N, M, DUP, FIELD, TYPE) \ + DEFINE_SET_GET_BASE_TEST(OSSL_CMP##_##CTX, set##N, get##M, DUP, FIELD, \ + TYPE*, NULL, IS_0, TYPE##_new(), TYPE##_free) + +#define DEFINE_SET_GET_SK_TEST_DEFAULT(OSSL_CMP, CTX, N, M, FIELD, ELEM_TYPE, \ + DEFAULT, NEW, FREE) \ + DEFINE_SET_GET_BASE_TEST(OSSL_CMP##_##CTX, set##N, get##M, 1, FIELD, \ + STACK_OF(ELEM_TYPE)*, NULL, DEFAULT, NEW, FREE) +#define DEFINE_SET_GET_SK_TEST(OSSL_CMP, CTX, N, M, FIELD, T) \ + DEFINE_SET_GET_SK_TEST_DEFAULT(OSSL_CMP, CTX, N, M, FIELD, T, \ + IS_0, sk_##T##_new_null(), sk_##T##_free) +#define DEFINE_SET_GET_SK_X509_TEST(OSSL_CMP, CTX, N, M, FNAME) \ + DEFINE_SET_GET_SK_TEST_DEFAULT(OSSL_CMP, CTX, N, M, FNAME, X509, \ + EMPTY_SK_X509, \ + sk_X509_new_1(), sk_X509_pop_X509_free) + +#define DEFINE_SET_GET_TEST_DEFAULT(OSSL_CMP, CTX, N, M, DUP, FIELD, TYPE, \ + DEFAULT) \ + DEFINE_SET_GET_BASE_TEST(OSSL_CMP##_##CTX, set##N, get##M, DUP, FIELD, \ + TYPE*, NULL, DEFAULT, TYPE##_new(), TYPE##_free) +#define DEFINE_SET_TEST_DEFAULT(OSSL_CMP, CTX, N, DUP, FIELD, TYPE, DEFAULT) \ + static TYPE *OSSL_CMP_CTX_get0_##FIELD(const CMP_CTX *ctx) \ + { \ + return ctx == NULL ? ERR(NULL) : ctx->FIELD; \ + } \ + DEFINE_SET_GET_TEST_DEFAULT(OSSL_CMP, CTX, N, 0, DUP, FIELD, TYPE, DEFAULT) +#define DEFINE_SET_TEST(OSSL_CMP, CTX, N, DUP, FIELD, TYPE) \ + DEFINE_SET_TEST_DEFAULT(OSSL_CMP, CTX, N, DUP, FIELD, TYPE, IS_0) + +#define DEFINE_SET_SK_TEST(OSSL_CMP, CTX, N, FIELD, TYPE) \ + static STACK_OF(TYPE) *OSSL_CMP_CTX_get0_##FIELD(const CMP_CTX *ctx) \ + { \ + return ctx == NULL ? ERR(NULL) : ctx->FIELD; \ + } \ + DEFINE_SET_GET_BASE_TEST(OSSL_CMP##_##CTX, set##N, get0, 1, FIELD, \ + STACK_OF(TYPE)*, NULL, IS_0, \ + sk_##TYPE##_new_null(), sk_##TYPE##_free) + +#define DEFINE_SET_CB_TEST(FIELD) \ + static OSSL_cmp_##FIELD##_t \ + OSSL_CMP_CTX_get_##FIELD(const CMP_CTX *ctx) \ + { \ + if (ctx == NULL) \ + CMPerr(0, CMP_R_NULL_ARGUMENT); \ + return ctx == NULL ? NULL /* cannot use ERR(NULL) here */ : ctx->FIELD;\ + } \ + DEFINE_SET_GET_BASE_TEST(OSSL_CMP_CTX, set, get, 0, FIELD, \ + OSSL_cmp_##FIELD##_t, NULL, IS_0, \ + test_##FIELD, DROP) +#define DEFINE_SET_GET_P_VOID_TEST(FIELD) \ + DEFINE_SET_GET_BASE_TEST(OSSL_CMP_CTX, set, get, 0, FIELD, void*, \ + NULL, IS_0, ((void *)1), DROP) + +#define DEFINE_SET_GET_INT_TEST_DEFAULT(OSSL_CMP, CTX, FIELD, DEFAULT) \ + DEFINE_SET_GET_BASE_TEST(OSSL_CMP##_##CTX, set, get, 0, FIELD, int, -1, \ + DEFAULT, 1, DROP) +#define DEFINE_SET_GET_INT_TEST(OSSL_CMP, CTX, FIELD) \ + DEFINE_SET_GET_INT_TEST_DEFAULT(OSSL_CMP, CTX, FIELD, IS_NEG) +#define DEFINE_SET_PORT_TEST(FIELD) \ + static int OSSL_CMP_CTX_get_##FIELD(const CMP_CTX *ctx) \ + { \ + return ctx == NULL ? ERR(-1) : ctx->FIELD; \ + } \ + DEFINE_SET_GET_INT_TEST_DEFAULT(OSSL_CMP, CTX, FIELD, IS_DEFAULT_PORT) + +#define DEFINE_SET_GET_ARG_FN(SETN, GETN, FIELD, ARG, T) \ + static int OSSL_CMP_CTX_##SETN##_##FIELD##_##ARG(CMP_CTX *ctx, T val) \ + { \ + return OSSL_CMP_CTX_##SETN##_##FIELD(ctx, ARG, val); \ + } \ + \ + static T OSSL_CMP_CTX_##GETN##_##FIELD##_##ARG(const CMP_CTX *ctx) \ + { \ + return OSSL_CMP_CTX_##GETN##_##FIELD(ctx, ARG); \ + } + +#define DEFINE_SET_GET1_STR_FN(SETN, FIELD) \ + static int OSSL_CMP_CTX_##SETN##_##FIELD##_str(CMP_CTX *ctx, char *val)\ + { \ + return OSSL_CMP_CTX_##SETN##_##FIELD(ctx, (unsigned char *)val, \ + strlen(val)); \ + } \ + \ + static char *OSSL_CMP_CTX_get1_##FIELD##_str(const CMP_CTX *ctx) \ + { \ + const ASN1_OCTET_STRING *bytes = ctx == NULL ? ERR(NULL) : ctx->FIELD; \ + \ + return bytes == NULL ? NULL : \ + OPENSSL_strndup((char *)bytes->data, bytes->length); \ + } + +#define push 0 +#define push0 0 +#define push1 1 +#define DEFINE_PUSH_BASE_TEST(PUSHN, DUP, FIELD, ELEM, TYPE, T, \ + DEFAULT, NEW, FREE) \ +static TYPE sk_top_##FIELD(const CMP_CTX *ctx) { \ + return sk_##T##_value(ctx->FIELD, sk_##T##_num(ctx->FIELD) - 1); \ +} \ +\ +static int execute_CTX_##PUSHN##_##ELEM(OSSL_CMP_CTX_TEST_FIXTURE *fixture) \ +{ \ + CMP_CTX *ctx = fixture->ctx; \ + int (*push_fn)(CMP_CTX *ctx, TYPE) = \ + (int (*)(CMP_CTX *ctx, TYPE))OSSL_CMP_CTX_##PUSHN##_##ELEM; \ + /* need type cast in above assignment because TYPE arg sometimes is const */ \ + int n_elem = sk_##T##_num(ctx->FIELD); \ + STACK_OF(TYPE) field_read; \ + TYPE val1_to_free = NEW; \ + TYPE val1 = val1_to_free; \ + TYPE val1_read = 0; /* 0 works for any type */ \ + TYPE val2_to_free = NEW; \ + TYPE val2 = val2_to_free; \ + TYPE val2_read = 0; \ + int res = 1; \ + \ + if (!TEST_int_eq(ERR_peek_error(), 0)) \ + res = 0; \ + if ((*push_fn)(NULL, val1) || ERR_peek_error() == 0) { \ + TEST_error("pusher did not return error on ctx == NULL"); \ + res = 0; \ + } \ + ERR_clear_error(); \ + \ + if (n_elem < 0) /* can happen for NULL stack */ \ + n_elem = 0; \ + field_read = ctx->FIELD; \ + if (!DEFAULT(field_read)) { \ + TEST_error("did not get default value for stack field"); \ + res = 0; \ + } \ + if (!(*push_fn)(ctx, val1)) { \ + TEST_error("pushing first value failed"); \ + res = 0; \ + } \ + if (PUSHN == 0) \ + val1_to_free = 0; /* 0 works for any type */ \ + \ + if (sk_##T##_num(ctx->FIELD) != ++n_elem) { \ + TEST_error("pushing first value did not increment number"); \ + res = 0; \ + } \ + val1_read = sk_top_##FIELD(ctx); \ + if (PUSHN == 0) { \ + if (val1_read != val1) { \ + TEST_error("push/sk_top first value did not match"); \ + res = 0; \ + } \ + } else { \ + if (DUP && val1_read == val1) { \ + TEST_error("first push did not dup the value"); \ + res = 0; \ + } \ + } \ + \ + if (!(*push_fn)(ctx, val2)) { \ + TEST_error("pushting second value failed"); \ + res = 0; \ + } \ + if (PUSHN == 0) \ + val2_to_free = 0; \ + \ + if (sk_##T##_num(ctx->FIELD) != ++n_elem) { \ + TEST_error("pushing second value did not increment number"); \ + res = 0; \ + } \ + val2_read = sk_top_##FIELD(ctx); \ + if (PUSHN == 0) { \ + if (val2_read != val2) { \ + TEST_error("push/sk_top second value did not match"); \ + res = 0; \ + } \ + } else { \ + if (DUP && val2_read == val2) { \ + TEST_error("second push did not dup the value"); \ + res = 0; \ + } \ + if (val2 == val1) { \ + TEST_error("second value is same as first value"); \ + res = 0; \ + } \ + } \ + /* this does not check that all remaining fields and elems are untouched */\ + \ + if (!TEST_int_eq(ERR_peek_error(), 0)) \ + res = 0; \ + \ + FREE(val1_to_free); \ + FREE(val2_to_free); \ + return TEST_true(res); \ +} \ +\ +static int test_CTX_##PUSHN##_##ELEM(void) \ +{ \ + SETUP_TEST_FIXTURE(OSSL_CMP_CTX_TEST_FIXTURE, set_up); \ + EXECUTE_TEST(execute_CTX_##PUSHN##_##ELEM, tear_down); \ + return result; \ +} \ + +#define DEFINE_PUSH_TEST(N, DUP, FIELD, ELEM, TYPE) \ + DEFINE_PUSH_BASE_TEST(push##N, DUP, FIELD, ELEM, TYPE*, TYPE, \ + IS_0, TYPE##_new(), TYPE##_free) + +void cleanup_tests(void) +{ + return; +} + +DEFINE_SET_GET_ARG_FN(set, get, option, 16, int) + /* option == OSSL_CMP_OPT_IGNORE_KEYUSAGE */ +DEFINE_SET_GET_BASE_TEST(OSSL_CMP_CTX, set, get, 0, option_16, int, -1, IS_0, \ + 1 /* true */, DROP) + +#ifndef OPENSSL_NO_TRACE +DEFINE_SET_CB_TEST(log_cb) +#endif + +DEFINE_SET_TEST_DEFAULT(OSSL_CMP, CTX, 1, 1, serverPath, char, IS_0) +DEFINE_SET_TEST(OSSL_CMP, CTX, 1, 1, serverName, char) +DEFINE_SET_PORT_TEST(serverPort) +DEFINE_SET_TEST(OSSL_CMP, CTX, 1, 1, proxyName, char) +DEFINE_SET_PORT_TEST(proxyPort) +DEFINE_SET_CB_TEST(http_cb) +DEFINE_SET_GET_P_VOID_TEST(http_cb_arg) +DEFINE_SET_CB_TEST(transfer_cb) +DEFINE_SET_GET_P_VOID_TEST(transfer_cb_arg) + +DEFINE_SET_TEST(OSSL_CMP, CTX, 1, 0, srvCert, X509) +DEFINE_SET_TEST(ossl_cmp, ctx, 0, 0, validatedSrvCert, X509) +DEFINE_SET_TEST(OSSL_CMP, CTX, 1, 1, expected_sender, X509_NAME) +DEFINE_SET_GET_BASE_TEST(OSSL_CMP_CTX, set0, get0, 0, trustedStore, + X509_STORE*, NULL, + DEFAULT_STORE, X509_STORE_new_1(), X509_STORE_free) +DEFINE_SET_GET_SK_X509_TEST(OSSL_CMP, CTX, 1, 0, untrusted_certs) + +DEFINE_SET_TEST(OSSL_CMP, CTX, 1, 0, clCert, X509) +DEFINE_SET_TEST(OSSL_CMP, CTX, 1, 0, pkey, EVP_PKEY) + +DEFINE_SET_TEST(OSSL_CMP, CTX, 1, 1, recipient, X509_NAME) +DEFINE_PUSH_TEST(0, 0, geninfo_ITAVs, geninfo_ITAV, OSSL_CMP_ITAV) +DEFINE_SET_SK_TEST(OSSL_CMP, CTX, 1, extraCertsOut, X509) +DEFINE_SET_GET_ARG_FN(set0, get0, newPkey, 1, EVP_PKEY*) /* priv == 1 */ +DEFINE_SET_GET_TEST(OSSL_CMP, CTX, 0, 0, 0, newPkey_1, EVP_PKEY) +DEFINE_SET_GET_ARG_FN(set0, get0, newPkey, 0, EVP_PKEY*) /* priv == 0 */ +DEFINE_SET_GET_TEST(OSSL_CMP, CTX, 0, 0, 0, newPkey_0, EVP_PKEY) +DEFINE_SET_GET1_STR_FN(set1, referenceValue) +DEFINE_SET_GET_TEST_DEFAULT(OSSL_CMP, CTX, 1, 1, 1, referenceValue_str, + char, IS_0) +DEFINE_SET_GET1_STR_FN(set1, secretValue) +DEFINE_SET_GET_TEST_DEFAULT(OSSL_CMP, CTX, 1, 1, 1, secretValue_str, + char, IS_0) +DEFINE_SET_TEST(OSSL_CMP, CTX, 1, 1, issuer, X509_NAME) +DEFINE_SET_TEST(OSSL_CMP, CTX, 1, 1, subjectName, X509_NAME) +#ifdef ISSUE_9504_RESOLVED +DEFINE_PUSH_TEST(1, 1, subjectAltNames, subjectAltName, GENERAL_NAME) +#endif +DEFINE_SET_SK_TEST(OSSL_CMP, CTX, 0, reqExtensions, X509_EXTENSION) +DEFINE_PUSH_TEST(0, 0, policies, policy, POLICYINFO) +DEFINE_SET_TEST(OSSL_CMP, CTX, 1, 0, oldCert, X509) +#ifdef ISSUE_9504_RESOLVED +DEFINE_SET_TEST(OSSL_CMP, CTX, 1, 1, p10CSR, X509_REQ) +#endif +DEFINE_PUSH_TEST(0, 0, genm_ITAVs, genm_ITAV, OSSL_CMP_ITAV) +DEFINE_SET_CB_TEST(certConf_cb) +DEFINE_SET_GET_P_VOID_TEST(certConf_cb_arg) + +DEFINE_SET_GET_INT_TEST(ossl_cmp, ctx, status) +DEFINE_SET_GET_SK_TEST(ossl_cmp, ctx, 0, 0, statusString, ASN1_UTF8STRING) +DEFINE_SET_GET_INT_TEST(ossl_cmp, ctx, failInfoCode) +DEFINE_SET_GET_TEST(ossl_cmp, ctx, 0, 0, 0, newCert, X509) +DEFINE_SET_GET_SK_X509_TEST(ossl_cmp, ctx, 1, 1, caPubs) +DEFINE_SET_GET_SK_X509_TEST(ossl_cmp, ctx, 1, 1, extraCertsIn) + +DEFINE_SET_TEST_DEFAULT(OSSL_CMP, CTX, 1, 1, transactionID, + ASN1_OCTET_STRING, IS_0) +DEFINE_SET_TEST(OSSL_CMP, CTX, 1, 1, senderNonce, ASN1_OCTET_STRING) +DEFINE_SET_TEST(ossl_cmp, ctx, 1, 1, recipNonce, ASN1_OCTET_STRING) + +int setup_tests(void) +{ + /* OSSL_CMP_CTX_new() is tested by set_up() */ + /* OSSL_CMP_CTX_free() is tested by tear_down() */ + ADD_TEST(test_CTX_reinit); + +/* various CMP options: */ + ADD_TEST(test_CTX_set_get_option_16); +/* CMP-specific callback for logging and outputting the error queue: */ +#ifndef OPENSSL_NO_TRACE + ADD_TEST(test_CTX_set_get_log_cb); +#endif + /* + * also tests OSSL_CMP_log_open(), OSSL_CMP_CTX_set_log_verbosity(), + * OSSL_CMP_err(), OSSL_CMP_warn(), * OSSL_CMP_debug(), + * OSSL_CMP_log2(), ossl_cmp_log_parse_metadata(), and OSSL_CMP_log_close() + * with OSSL_CMP_severity OSSL_CMP_LOG_ERR/WARNING/DEBUG/INFO: + */ + ADD_TEST(test_cmp_ctx_log_cb); + /* also tests OSSL_CMP_CTX_set_log_cb(), OSSL_CMP_print_errors_cb(), + ossl_cmp_add_error_txt(), and the macros + ossl_cmp_add_error_data and ossl_cmp_add_error_line: + */ + ADD_TEST(test_CTX_print_errors); +/* message transfer: */ + ADD_TEST(test_CTX_set1_get0_serverPath); + ADD_TEST(test_CTX_set1_get0_serverName); + ADD_TEST(test_CTX_set_get_serverPort); + ADD_TEST(test_CTX_set1_get0_proxyName); + ADD_TEST(test_CTX_set_get_proxyPort); + ADD_TEST(test_CTX_set_get_http_cb); + ADD_TEST(test_CTX_set_get_http_cb_arg); + ADD_TEST(test_CTX_set_get_transfer_cb); + ADD_TEST(test_CTX_set_get_transfer_cb_arg); +/* server authentication: */ + ADD_TEST(test_CTX_set1_get0_srvCert); + ADD_TEST(test_CTX_set0_get0_validatedSrvCert); + ADD_TEST(test_CTX_set1_get0_expected_sender); + ADD_TEST(test_CTX_set0_get0_trustedStore); + ADD_TEST(test_CTX_set1_get0_untrusted_certs); +/* client authentication: */ + ADD_TEST(test_CTX_set1_get0_clCert); + ADD_TEST(test_CTX_set1_get0_pkey); + /* the following two also test ossl_cmp_asn1_octet_string_set1_bytes(): */ + ADD_TEST(test_CTX_set1_get1_referenceValue_str); + ADD_TEST(test_CTX_set1_get1_secretValue_str); +/* CMP message header and extra certificates: */ + ADD_TEST(test_CTX_set1_get0_recipient); + ADD_TEST(test_CTX_push0_geninfo_ITAV); + ADD_TEST(test_CTX_set1_get0_extraCertsOut); +/* certificate template: */ + ADD_TEST(test_CTX_set0_get0_newPkey_1); + ADD_TEST(test_CTX_set0_get0_newPkey_0); + ADD_TEST(test_CTX_set1_get0_issuer); + ADD_TEST(test_CTX_set1_get0_subjectName); +#ifdef ISSUE_9504_RESOLVED +/* test currently fails, see https://github.com/openssl/openssl/issues/9504 */ + ADD_TEST(test_CTX_push1_subjectAltName); +#endif + ADD_TEST(test_CTX_set0_get0_reqExtensions); + ADD_TEST(test_CTX_reqExtensions_have_SAN); + ADD_TEST(test_CTX_push0_policy); + ADD_TEST(test_CTX_set1_get0_oldCert); +#ifdef ISSUE_9504_RESOLVED +/* test currently fails, see https://github.com/openssl/openssl/issues/9504 */ + ADD_TEST(test_CTX_set1_get0_p10CSR); +#endif +/* misc body contents: */ + ADD_TEST(test_CTX_push0_genm_ITAV); +/* certificate confirmation: */ + ADD_TEST(test_CTX_set_get_certConf_cb); + ADD_TEST(test_CTX_set_get_certConf_cb_arg); +/* result fetching: */ + ADD_TEST(test_CTX_set_get_status); + ADD_TEST(test_CTX_set0_get0_statusString); + ADD_TEST(test_CTX_set_get_failInfoCode); + ADD_TEST(test_CTX_set0_get0_newCert); + ADD_TEST(test_CTX_set1_get1_caPubs); + ADD_TEST(test_CTX_set1_get1_extraCertsIn); +/* exported for testing and debugging purposes: */ + /* the following three also test ossl_cmp_asn1_octet_string_set1(): */ + ADD_TEST(test_CTX_set1_get0_transactionID); + ADD_TEST(test_CTX_set1_get0_senderNonce); + ADD_TEST(test_CTX_set1_get0_recipNonce); + + /* TODO ossl_cmp_build_cert_chain() will be tested with cmp_protect.c*/ + + return 1; +} diff --git a/test/cmp_testlib.c b/test/cmp_testlib.c new file mode 100644 index 0000000000..d632424272 --- /dev/null +++ b/test/cmp_testlib.c @@ -0,0 +1,120 @@ +/* + * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright Nokia 2007-2019 + * Copyright Siemens AG 2015-2019 + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include "cmp_testlib.h" +#include /* needed in case config no-deprecated */ + +EVP_PKEY *load_pem_key(const char *file) +{ + EVP_PKEY *key = NULL; + BIO *bio = NULL; + + if (!TEST_ptr(bio = BIO_new(BIO_s_file()))) + return NULL; + if (TEST_int_gt(BIO_read_filename(bio, file), 0)) + (void)TEST_ptr(key = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL)); + + BIO_free(bio); + return key; +} + +X509 *load_pem_cert(const char *file) +{ + X509 *cert = NULL; + BIO *bio = NULL; + + if (!TEST_ptr(bio = BIO_new(BIO_s_file()))) + return NULL; + if (TEST_int_gt(BIO_read_filename(bio, file), 0)) + (void)TEST_ptr(cert = PEM_read_bio_X509(bio, NULL, NULL, NULL)); + + BIO_free(bio); + return cert; +} + +X509_REQ *load_csr(const char *file) +{ + X509_REQ *csr = NULL; + BIO *bio = NULL; + + if (!TEST_ptr(file) || !TEST_ptr(bio = BIO_new_file(file, "rb"))) + return NULL; + (void)TEST_ptr(csr = d2i_X509_REQ_bio(bio, NULL)); + BIO_free(bio); + return csr; +} + +EVP_PKEY *gen_rsa(void) +{ + EVP_PKEY_CTX *ctx = NULL; + EVP_PKEY *pkey = NULL; + + (void)(TEST_ptr(ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL)) + && TEST_int_gt(EVP_PKEY_keygen_init(ctx), 0) + && TEST_int_gt(EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, 2048), 0) + && TEST_int_gt(EVP_PKEY_keygen(ctx, &pkey), 0)); + EVP_PKEY_CTX_free(ctx); + return pkey; +} + +/* + * Checks whether the syntax of msg conforms to ASN.1 + */ +int valid_asn1_encoding(const OSSL_CMP_MSG *msg) +{ + return msg != NULL ? i2d_OSSL_CMP_MSG(msg, NULL) > 0 : 0; +} + +/* + * Compares two stacks of certificates in the order of their elements. + * Returns 0 if sk1 and sk2 are equal and another value otherwise + */ +int STACK_OF_X509_cmp(const STACK_OF(X509) *sk1, const STACK_OF(X509) *sk2) +{ + int i, res; + X509 *a, *b; + + if (sk1 == sk2) + return 0; + if (sk1 == NULL) + return -1; + if (sk2 == NULL) + return 1; + if ((res = sk_X509_num(sk1) - sk_X509_num(sk2))) + return res; + for (i = 0; i < sk_X509_num(sk1); i++) { + a = sk_X509_value(sk1, i); + b = sk_X509_value(sk2, i); + if (a != b) + if ((res = X509_cmp(a, b)) != 0) + return res; + } + return 0; +} + +/* + * Up refs and push a cert onto sk. + * Returns the number of certificates on the stack on success + * Returns -1 or 0 on error + */ +int STACK_OF_X509_push1(STACK_OF(X509) *sk, X509 *cert) +{ + int res; + + if (sk == NULL || cert == NULL) + return -1; + if (!X509_up_ref(cert)) + return -1; + res = sk_X509_push(sk, cert); + if (res <= 0) + X509_free(cert); /* down-ref */ + return res; +} diff --git a/test/cmp_testlib.h b/test/cmp_testlib.h new file mode 100644 index 0000000000..afd32b7ce3 --- /dev/null +++ b/test/cmp_testlib.h @@ -0,0 +1,34 @@ +/* + * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright Nokia 2007-2019 + * Copyright Siemens AG 2015-2019 + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#ifndef HEADER_CMP_TEST_LIB_H +# define HEADER_CMP_TEST_LIB_H + +# include +# include +# include + +#include "../crypto/cmp/cmp_int.h" + +# include "testutil.h" + +# ifndef OPENSSL_NO_CMP +# define CMP_TEST_REFVALUE_LENGTH 15 /* arbitrary value */ +EVP_PKEY *load_pem_key(const char *file); +X509 *load_pem_cert(const char *file); +X509_REQ *load_csr(const char *file); +int valid_asn1_encoding(const OSSL_CMP_MSG *msg); +EVP_PKEY *gen_rsa(void); +int STACK_OF_X509_cmp(const STACK_OF(X509) *sk1, const STACK_OF(X509) *sk2); +int STACK_OF_X509_push1(STACK_OF(X509) *sk, X509 *cert); +# endif + +#endif /* HEADER_CMP_TEST_LIB_H */ diff --git a/test/recipes/65-test_cmp_asn.t b/test/recipes/65-test_cmp_asn.t new file mode 100644 index 0000000000..80f6414319 --- /dev/null +++ b/test/recipes/65-test_cmp_asn.t @@ -0,0 +1,22 @@ +#! /usr/bin/env perl +# Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved. +# Copyright Nokia 2007-2019 +# Copyright Siemens AG 2015-2019 +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + +use strict; +use OpenSSL::Test qw/:DEFAULT data_file/; +use OpenSSL::Test::Utils; + +setup("test_cmp_asn"); + +plan skip_all => "This test is not supported in a no-cmp build" + if disabled("cmp"); + +plan tests => 1; + +ok(run(test(["cmp_asn_test"]))); diff --git a/test/recipes/65-test_cmp_ctx.t b/test/recipes/65-test_cmp_ctx.t new file mode 100644 index 0000000000..93f26ea994 --- /dev/null +++ b/test/recipes/65-test_cmp_ctx.t @@ -0,0 +1,22 @@ +#! /usr/bin/env perl +# Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved. +# Copyright Nokia 2007-2019 +# Copyright Siemens AG 2015-2019 +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + + +use strict; +use OpenSSL::Test; # get 'plan' +use OpenSSL::Test::Simple; +use OpenSSL::Test::Utils; + +setup("test_cmp_ctx"); + +plan skip_all => "This test is not supported in a no-cmp build" + if disabled("cmp"); + +simple_test("test_cmp_ctx", "cmp_ctx_test", "cmp_ctx"); diff --git a/util/libcrypto.num b/util/libcrypto.num index 567b00631f..7c448932f8 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -4647,122 +4647,178 @@ OSSL_CMP_ITAV_get0_value 4763 3_0_0 EXIST::FUNCTION:CMP OSSL_CMP_ITAV_push0_stack_item 4764 3_0_0 EXIST::FUNCTION:CMP OSSL_CMP_ITAV_free 4765 3_0_0 EXIST::FUNCTION:CMP OSSL_CMP_MSG_free 4766 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_PKISI_free 4767 3_0_0 EXIST::FUNCTION:CMP -OSSL_CMP_MSG_dup 4768 3_0_0 EXIST::FUNCTION:CMP -ERR_load_CMP_strings 4769 3_0_0 EXIST::FUNCTION:CMP -EVP_MD_CTX_set_params 4770 3_0_0 EXIST::FUNCTION: -EVP_MD_CTX_get_params 4771 3_0_0 EXIST::FUNCTION: -RAND_DRBG_new_ex 4772 3_0_0 EXIST::FUNCTION: -RAND_DRBG_secure_new_ex 4773 3_0_0 EXIST::FUNCTION: -OPENSSL_CTX_get0_master_drbg 4774 3_0_0 EXIST::FUNCTION: -OPENSSL_CTX_get0_public_drbg 4775 3_0_0 EXIST::FUNCTION: -OPENSSL_CTX_get0_private_drbg 4776 3_0_0 EXIST::FUNCTION: -BN_CTX_new_ex 4777 3_0_0 EXIST::FUNCTION: -BN_CTX_secure_new_ex 4778 3_0_0 EXIST::FUNCTION: -OPENSSL_thread_stop_ex 4779 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_locate_const 4780 3_0_0 EXIST::FUNCTION: -X509_REQ_set0_sm2_id 4781 3_0_0 EXIST::FUNCTION:SM2 -X509_REQ_get0_sm2_id 4782 3_0_0 EXIST::FUNCTION:SM2 -BN_rand_ex 4783 3_0_0 EXIST::FUNCTION: -BN_priv_rand_ex 4784 3_0_0 EXIST::FUNCTION: -BN_rand_range_ex 4785 3_0_0 EXIST::FUNCTION: -BN_priv_rand_range_ex 4786 3_0_0 EXIST::FUNCTION: -BN_generate_prime_ex2 4787 3_0_0 EXIST::FUNCTION: -EVP_PKEY_derive_init_ex 4788 3_0_0 EXIST::FUNCTION: -EVP_KEYEXCH_free 4789 3_0_0 EXIST::FUNCTION: -EVP_KEYEXCH_up_ref 4790 3_0_0 EXIST::FUNCTION: -EVP_KEYEXCH_fetch 4791 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_set_dh_pad 4792 3_0_0 EXIST::FUNCTION:DH -EVP_PKEY_CTX_set_params 4793 3_0_0 EXIST::FUNCTION: -EVP_KEYMGMT_fetch 4794 3_0_0 EXIST::FUNCTION: -EVP_KEYMGMT_up_ref 4795 3_0_0 EXIST::FUNCTION: -EVP_KEYMGMT_free 4796 3_0_0 EXIST::FUNCTION: -EVP_KEYMGMT_provider 4797 3_0_0 EXIST::FUNCTION: -X509_PUBKEY_dup 4798 3_0_0 EXIST::FUNCTION: -ERR_put_func_error 4799 3_0_0 NOEXIST::FUNCTION: -EVP_MD_name 4800 3_0_0 EXIST::FUNCTION: -EVP_CIPHER_name 4801 3_0_0 EXIST::FUNCTION: -EVP_MD_provider 4802 3_0_0 EXIST::FUNCTION: -EVP_CIPHER_provider 4803 3_0_0 EXIST::FUNCTION: -OSSL_PROVIDER_name 4804 3_0_0 EXIST::FUNCTION: -EVP_CIPHER_do_all_ex 4805 3_0_0 EXIST::FUNCTION: -EVP_MD_do_all_ex 4806 3_0_0 EXIST::FUNCTION: -EVP_KEYEXCH_provider 4807 3_0_0 EXIST::FUNCTION: -OSSL_PROVIDER_available 4808 3_0_0 EXIST::FUNCTION: -ERR_new 4809 3_0_0 EXIST::FUNCTION: -ERR_set_debug 4810 3_0_0 EXIST::FUNCTION: -ERR_set_error 4811 3_0_0 EXIST::FUNCTION: -ERR_vset_error 4812 3_0_0 EXIST::FUNCTION: -X509_get0_authority_issuer 4813 3_0_0 EXIST::FUNCTION: -X509_get0_authority_serial 4814 3_0_0 EXIST::FUNCTION: -EC_GROUP_new_ex 4815 3_0_0 EXIST::FUNCTION:EC -EC_GROUP_new_by_curve_name_ex 4816 3_0_0 EXIST::FUNCTION:EC -EC_KEY_new_ex 4817 3_0_0 EXIST::FUNCTION:EC -EC_KEY_new_by_curve_name_ex 4818 3_0_0 EXIST::FUNCTION:EC -OPENSSL_hexstr2buf_ex 4819 3_0_0 EXIST::FUNCTION: -OPENSSL_buf2hexstr_ex 4820 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_construct_from_text 4821 3_0_0 EXIST::FUNCTION: -OSSL_PARAM_allocate_from_text 4822 3_0_0 EXIST::FUNCTION: -EVP_MD_gettable_params 4823 3_0_0 EXIST::FUNCTION: -EVP_MD_CTX_settable_params 4824 3_0_0 EXIST::FUNCTION: -EVP_MD_CTX_gettable_params 4825 3_0_0 EXIST::FUNCTION: -EVP_CIPHER_get_params 4826 3_0_0 EXIST::FUNCTION: -EVP_CIPHER_CTX_set_params 4827 3_0_0 EXIST::FUNCTION: -EVP_CIPHER_CTX_get_params 4828 3_0_0 EXIST::FUNCTION: -EVP_CIPHER_gettable_params 4829 3_0_0 EXIST::FUNCTION: -EVP_CIPHER_CTX_settable_params 4830 3_0_0 EXIST::FUNCTION: -EVP_CIPHER_CTX_gettable_params 4831 3_0_0 EXIST::FUNCTION: -EVP_MD_get_params 4832 3_0_0 EXIST::FUNCTION: -EVP_MAC_fetch 4833 3_0_0 EXIST::FUNCTION: -EVP_MAC_CTX_settable_params 4834 3_0_0 EXIST::FUNCTION: -EVP_MAC_CTX_set_params 4835 3_0_0 EXIST::FUNCTION: -EVP_MAC_CTX_get_params 4836 3_0_0 EXIST::FUNCTION: -EVP_MAC_CTX_gettable_params 4837 3_0_0 EXIST::FUNCTION: -EVP_MAC_free 4838 3_0_0 EXIST::FUNCTION: -EVP_MAC_up_ref 4839 3_0_0 EXIST::FUNCTION: -EVP_MAC_name 4840 3_0_0 EXIST::FUNCTION: -EVP_MAC_get_params 4841 3_0_0 EXIST::FUNCTION: -EVP_MAC_gettable_params 4842 3_0_0 EXIST::FUNCTION: -EVP_MAC_provider 4843 3_0_0 EXIST::FUNCTION: -EVP_MAC_do_all_ex 4844 3_0_0 EXIST::FUNCTION: -EVP_MD_free 4845 3_0_0 EXIST::FUNCTION: -EVP_CIPHER_free 4846 3_0_0 EXIST::FUNCTION: -EVP_KDF_up_ref 4847 3_0_0 EXIST::FUNCTION: -EVP_KDF_free 4848 3_0_0 EXIST::FUNCTION: -EVP_KDF_fetch 4849 3_0_0 EXIST::FUNCTION: -EVP_KDF_CTX_dup 4850 3_0_0 EXIST::FUNCTION: -EVP_KDF_name 4851 3_0_0 EXIST::FUNCTION: -EVP_KDF_provider 4852 3_0_0 EXIST::FUNCTION: -EVP_KDF_get_params 4853 3_0_0 EXIST::FUNCTION: -EVP_KDF_CTX_get_params 4854 3_0_0 EXIST::FUNCTION: -EVP_KDF_CTX_set_params 4855 3_0_0 EXIST::FUNCTION: -EVP_KDF_gettable_params 4856 3_0_0 EXIST::FUNCTION: -EVP_KDF_CTX_gettable_params 4857 3_0_0 EXIST::FUNCTION: -EVP_KDF_CTX_settable_params 4858 3_0_0 EXIST::FUNCTION: -EVP_KDF_do_all_ex 4859 3_0_0 EXIST::FUNCTION: -EVP_SIGNATURE_free 4860 3_0_0 EXIST::FUNCTION: -EVP_SIGNATURE_up_ref 4861 3_0_0 EXIST::FUNCTION: -EVP_SIGNATURE_provider 4862 3_0_0 EXIST::FUNCTION: -EVP_SIGNATURE_fetch 4863 3_0_0 EXIST::FUNCTION: -EVP_PKEY_sign_init_ex 4864 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_set_signature_md 4865 3_0_0 EXIST::FUNCTION: -EVP_PKEY_verify_init_ex 4866 3_0_0 EXIST::FUNCTION: -EVP_PKEY_verify_recover_init_ex 4867 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_get_signature_md 4868 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_get_params 4869 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_gettable_params 4870 3_0_0 EXIST::FUNCTION: -EVP_PKEY_CTX_settable_params 4871 3_0_0 EXIST::FUNCTION: -EVP_CIPHER_CTX_tag_length 4872 3_0_0 EXIST::FUNCTION: -ERR_get_error_func 4873 3_0_0 EXIST::FUNCTION: -ERR_get_error_data 4874 3_0_0 EXIST::FUNCTION: -ERR_get_error_all 4875 3_0_0 EXIST::FUNCTION: -ERR_peek_error_func 4876 3_0_0 EXIST::FUNCTION: -ERR_peek_error_data 4877 3_0_0 EXIST::FUNCTION: -ERR_peek_error_all 4878 3_0_0 EXIST::FUNCTION: -ERR_peek_last_error_func 4879 3_0_0 EXIST::FUNCTION: -ERR_peek_last_error_data 4880 3_0_0 EXIST::FUNCTION: -ERR_peek_last_error_all 4881 3_0_0 EXIST::FUNCTION: -EVP_CIPHER_is_a 4882 3_0_0 EXIST::FUNCTION: -EVP_MAC_is_a 4883 3_0_0 EXIST::FUNCTION: -EVP_MD_settable_ctx_params 4884 3_0_0 EXIST::FUNCTION: -EVP_MD_gettable_ctx_params 4885 3_0_0 EXIST::FUNCTION: +ERR_load_CMP_strings 4767 3_0_0 EXIST::FUNCTION:CMP +EVP_MD_CTX_set_params 4768 3_0_0 EXIST::FUNCTION: +EVP_MD_CTX_get_params 4769 3_0_0 EXIST::FUNCTION: +RAND_DRBG_new_ex 4770 3_0_0 EXIST::FUNCTION: +RAND_DRBG_secure_new_ex 4771 3_0_0 EXIST::FUNCTION: +OPENSSL_CTX_get0_master_drbg 4772 3_0_0 EXIST::FUNCTION: +OPENSSL_CTX_get0_public_drbg 4773 3_0_0 EXIST::FUNCTION: +OPENSSL_CTX_get0_private_drbg 4774 3_0_0 EXIST::FUNCTION: +BN_CTX_new_ex 4775 3_0_0 EXIST::FUNCTION: +BN_CTX_secure_new_ex 4776 3_0_0 EXIST::FUNCTION: +OPENSSL_thread_stop_ex 4777 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_locate_const 4778 3_0_0 EXIST::FUNCTION: +X509_REQ_set0_sm2_id 4779 3_0_0 EXIST::FUNCTION:SM2 +X509_REQ_get0_sm2_id 4780 3_0_0 EXIST::FUNCTION:SM2 +BN_rand_ex 4781 3_0_0 EXIST::FUNCTION: +BN_priv_rand_ex 4782 3_0_0 EXIST::FUNCTION: +BN_rand_range_ex 4783 3_0_0 EXIST::FUNCTION: +BN_priv_rand_range_ex 4784 3_0_0 EXIST::FUNCTION: +BN_generate_prime_ex2 4785 3_0_0 EXIST::FUNCTION: +EVP_PKEY_derive_init_ex 4786 3_0_0 EXIST::FUNCTION: +EVP_KEYEXCH_free 4787 3_0_0 EXIST::FUNCTION: +EVP_KEYEXCH_up_ref 4788 3_0_0 EXIST::FUNCTION: +EVP_KEYEXCH_fetch 4789 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_set_dh_pad 4790 3_0_0 EXIST::FUNCTION:DH +EVP_PKEY_CTX_set_params 4791 3_0_0 EXIST::FUNCTION: +EVP_KEYMGMT_fetch 4792 3_0_0 EXIST::FUNCTION: +EVP_KEYMGMT_up_ref 4793 3_0_0 EXIST::FUNCTION: +EVP_KEYMGMT_free 4794 3_0_0 EXIST::FUNCTION: +EVP_KEYMGMT_provider 4795 3_0_0 EXIST::FUNCTION: +X509_PUBKEY_dup 4796 3_0_0 EXIST::FUNCTION: +ERR_put_func_error 4797 3_0_0 NOEXIST::FUNCTION: +EVP_MD_name 4798 3_0_0 EXIST::FUNCTION: +EVP_CIPHER_name 4799 3_0_0 EXIST::FUNCTION: +EVP_MD_provider 4800 3_0_0 EXIST::FUNCTION: +EVP_CIPHER_provider 4801 3_0_0 EXIST::FUNCTION: +OSSL_PROVIDER_name 4802 3_0_0 EXIST::FUNCTION: +EVP_CIPHER_do_all_ex 4803 3_0_0 EXIST::FUNCTION: +EVP_MD_do_all_ex 4804 3_0_0 EXIST::FUNCTION: +EVP_KEYEXCH_provider 4805 3_0_0 EXIST::FUNCTION: +OSSL_PROVIDER_available 4806 3_0_0 EXIST::FUNCTION: +ERR_new 4807 3_0_0 EXIST::FUNCTION: +ERR_set_debug 4808 3_0_0 EXIST::FUNCTION: +ERR_set_error 4809 3_0_0 EXIST::FUNCTION: +ERR_vset_error 4810 3_0_0 EXIST::FUNCTION: +X509_get0_authority_issuer 4811 3_0_0 EXIST::FUNCTION: +X509_get0_authority_serial 4812 3_0_0 EXIST::FUNCTION: +EC_GROUP_new_ex 4813 3_0_0 EXIST::FUNCTION:EC +EC_GROUP_new_by_curve_name_ex 4814 3_0_0 EXIST::FUNCTION:EC +EC_KEY_new_ex 4815 3_0_0 EXIST::FUNCTION:EC +EC_KEY_new_by_curve_name_ex 4816 3_0_0 EXIST::FUNCTION:EC +OPENSSL_hexstr2buf_ex 4817 3_0_0 EXIST::FUNCTION: +OPENSSL_buf2hexstr_ex 4818 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_construct_from_text 4819 3_0_0 EXIST::FUNCTION: +OSSL_PARAM_allocate_from_text 4820 3_0_0 EXIST::FUNCTION: +EVP_MD_gettable_params 4821 3_0_0 EXIST::FUNCTION: +EVP_MD_CTX_settable_params 4822 3_0_0 EXIST::FUNCTION: +EVP_MD_CTX_gettable_params 4823 3_0_0 EXIST::FUNCTION: +EVP_CIPHER_get_params 4824 3_0_0 EXIST::FUNCTION: +EVP_CIPHER_CTX_set_params 4825 3_0_0 EXIST::FUNCTION: +EVP_CIPHER_CTX_get_params 4826 3_0_0 EXIST::FUNCTION: +EVP_CIPHER_gettable_params 4827 3_0_0 EXIST::FUNCTION: +EVP_CIPHER_CTX_settable_params 4828 3_0_0 EXIST::FUNCTION: +EVP_CIPHER_CTX_gettable_params 4829 3_0_0 EXIST::FUNCTION: +EVP_MD_get_params 4830 3_0_0 EXIST::FUNCTION: +EVP_MAC_fetch 4831 3_0_0 EXIST::FUNCTION: +EVP_MAC_CTX_settable_params 4832 3_0_0 EXIST::FUNCTION: +EVP_MAC_CTX_set_params 4833 3_0_0 EXIST::FUNCTION: +EVP_MAC_CTX_get_params 4834 3_0_0 EXIST::FUNCTION: +EVP_MAC_CTX_gettable_params 4835 3_0_0 EXIST::FUNCTION: +EVP_MAC_free 4836 3_0_0 EXIST::FUNCTION: +EVP_MAC_up_ref 4837 3_0_0 EXIST::FUNCTION: +EVP_MAC_name 4838 3_0_0 EXIST::FUNCTION: +EVP_MAC_get_params 4839 3_0_0 EXIST::FUNCTION: +EVP_MAC_gettable_params 4840 3_0_0 EXIST::FUNCTION: +EVP_MAC_provider 4841 3_0_0 EXIST::FUNCTION: +EVP_MAC_do_all_ex 4842 3_0_0 EXIST::FUNCTION: +EVP_MD_free 4843 3_0_0 EXIST::FUNCTION: +EVP_CIPHER_free 4844 3_0_0 EXIST::FUNCTION: +EVP_KDF_up_ref 4845 3_0_0 EXIST::FUNCTION: +EVP_KDF_free 4846 3_0_0 EXIST::FUNCTION: +EVP_KDF_fetch 4847 3_0_0 EXIST::FUNCTION: +EVP_KDF_CTX_dup 4848 3_0_0 EXIST::FUNCTION: +EVP_KDF_name 4849 3_0_0 EXIST::FUNCTION: +EVP_KDF_provider 4850 3_0_0 EXIST::FUNCTION: +EVP_KDF_get_params 4851 3_0_0 EXIST::FUNCTION: +EVP_KDF_CTX_get_params 4852 3_0_0 EXIST::FUNCTION: +EVP_KDF_CTX_set_params 4853 3_0_0 EXIST::FUNCTION: +EVP_KDF_gettable_params 4854 3_0_0 EXIST::FUNCTION: +EVP_KDF_CTX_gettable_params 4855 3_0_0 EXIST::FUNCTION: +EVP_KDF_CTX_settable_params 4856 3_0_0 EXIST::FUNCTION: +EVP_KDF_do_all_ex 4857 3_0_0 EXIST::FUNCTION: +EVP_SIGNATURE_free 4858 3_0_0 EXIST::FUNCTION: +EVP_SIGNATURE_up_ref 4859 3_0_0 EXIST::FUNCTION: +EVP_SIGNATURE_provider 4860 3_0_0 EXIST::FUNCTION: +EVP_SIGNATURE_fetch 4861 3_0_0 EXIST::FUNCTION: +EVP_PKEY_sign_init_ex 4862 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_set_signature_md 4863 3_0_0 EXIST::FUNCTION: +EVP_PKEY_verify_init_ex 4864 3_0_0 EXIST::FUNCTION: +EVP_PKEY_verify_recover_init_ex 4865 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_get_signature_md 4866 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_get_params 4867 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_gettable_params 4868 3_0_0 EXIST::FUNCTION: +EVP_PKEY_CTX_settable_params 4869 3_0_0 EXIST::FUNCTION: +EVP_CIPHER_CTX_tag_length 4870 3_0_0 EXIST::FUNCTION: +ERR_get_error_func 4871 3_0_0 EXIST::FUNCTION: +ERR_get_error_data 4872 3_0_0 EXIST::FUNCTION: +ERR_get_error_all 4873 3_0_0 EXIST::FUNCTION: +ERR_peek_error_func 4874 3_0_0 EXIST::FUNCTION: +ERR_peek_error_data 4875 3_0_0 EXIST::FUNCTION: +ERR_peek_error_all 4876 3_0_0 EXIST::FUNCTION: +ERR_peek_last_error_func 4877 3_0_0 EXIST::FUNCTION: +ERR_peek_last_error_data 4878 3_0_0 EXIST::FUNCTION: +ERR_peek_last_error_all 4879 3_0_0 EXIST::FUNCTION: +EVP_CIPHER_is_a 4880 3_0_0 EXIST::FUNCTION: +EVP_MAC_is_a 4881 3_0_0 EXIST::FUNCTION: +EVP_MD_settable_ctx_params 4882 3_0_0 EXIST::FUNCTION: +EVP_MD_gettable_ctx_params 4883 3_0_0 EXIST::FUNCTION: +OSSL_CMP_CTX_new 4884 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_free 4885 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_reinit 4886 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_set_option 4887 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_get_option 4888 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_set_log_cb 4889 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_print_errors 4890 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_set1_serverPath 4891 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_set1_serverName 4892 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_set_serverPort 4893 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_set1_proxyName 4894 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_set_proxyPort 4895 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_set_http_cb 4896 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_set_http_cb_arg 4897 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_get_http_cb_arg 4898 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_set_transfer_cb 4899 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_set_transfer_cb_arg 4900 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_get_transfer_cb_arg 4901 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_set1_srvCert 4902 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_set1_expected_sender 4903 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_set0_trustedStore 4904 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_get0_trustedStore 4905 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_set1_untrusted_certs 4906 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_get0_untrusted_certs 4907 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_set1_clCert 4908 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_set1_pkey 4909 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_set1_referenceValue 4910 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_set1_secretValue 4911 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_set1_recipient 4912 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_push0_geninfo_ITAV 4913 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_set1_extraCertsOut 4914 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_set0_newPkey 4915 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_get0_newPkey 4916 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_set1_issuer 4917 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_set1_subjectName 4918 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_push1_subjectAltName 4919 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_set0_reqExtensions 4920 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_reqExtensions_have_SAN 4921 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_push0_policy 4922 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_set1_oldCert 4923 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_set1_p10CSR 4924 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_push0_genm_ITAV 4925 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_set_certConf_cb 4926 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_set_certConf_cb_arg 4927 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_get_certConf_cb_arg 4928 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_get_status 4929 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_get0_statusString 4930 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_get_failInfoCode 4931 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_get0_newCert 4932 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_get1_caPubs 4933 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_get1_extraCertsIn 4934 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_set1_transactionID 4935 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_CTX_set1_senderNonce 4936 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_log_open 4937 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_log_close 4938 3_0_0 EXIST::FUNCTION:CMP +OSSL_CMP_print_errors_cb 4939 3_0_0 EXIST::FUNCTION:CMP +OSSL_CRMF_CERTID_get0_issuer 4940 3_0_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_CERTID_get0_serialNumber 4941 3_0_0 EXIST::FUNCTION:CRMF diff --git a/util/private.num b/util/private.num index 4d57795c5e..8cb980ef8c 100644 --- a/util/private.num +++ b/util/private.num @@ -331,6 +331,27 @@ OpenSSL_add_all_algorithms define deprecated 1.1.0 OpenSSL_add_all_ciphers define deprecated 1.1.0 OpenSSL_add_all_digests define deprecated 1.1.0 OpenSSL_add_ssl_algorithms define +OSSL_CMP_CTX_set_log_verbosity define +OSSL_CMP_DEFAULT_PORT define +OSSL_CMP_LOG_ALERT define +OSSL_CMP_LOG_CRIT define +OSSL_CMP_LOG_DEBUG define +OSSL_CMP_LOG_EMERG define +OSSL_CMP_LOG_ERR define +OSSL_CMP_LOG_INFO define +OSSL_CMP_LOG_NOTICE define +OSSL_CMP_LOG_WARNING define +OSSL_CMP_alert define +OSSL_CMP_debug define +OSSL_CMP_err define +OSSL_CMP_info define +OSSL_CMP_log define +OSSL_CMP_log1 define +OSSL_CMP_log2 define +OSSL_CMP_log3 define +OSSL_CMP_log4 define +OSSL_CMP_severity datatype +OSSL_CMP_warn define OSSL_PARAM_TYPE define OSSL_PARAM_octet_ptr define OSSL_PARAM_octet_string define @@ -338,9 +359,7 @@ OSSL_PARAM_utf8_ptr define OSSL_PARAM_BN define OSSL_PARAM_TYPE generic OSSL_PARAM_construct_TYPE generic -OSSL_PARAM_octet_string define OSSL_PARAM_utf8_string define -OSSL_PARAM_octet_ptr define OSSL_PARAM_get_TYPE generic OSSL_PARAM_END define OSSL_PARAM_set_TYPE generic -- 2.39.2