]>
Commit | Line | Data |
---|---|---|
7e765f46 | 1 | /* |
da1c088f | 2 | * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. |
7e765f46 DDO |
3 | * Copyright Nokia 2007-2019 |
4 | * Copyright Siemens AG 2015-2019 | |
5 | * | |
6 | * Licensed under the Apache License 2.0 (the "License"). You may not use | |
7 | * this file except in compliance with the License. You can obtain a copy | |
8 | * in the file LICENSE in the source distribution or at | |
9 | * https://www.openssl.org/source/license.html | |
10 | */ | |
11 | ||
12 | #include "cmp_local.h" | |
13 | #include "internal/cryptlib.h" | |
14 | ||
15 | /* explicit #includes not strictly needed since implied by the above: */ | |
16 | #include <openssl/bio.h> | |
17 | #include <openssl/cmp.h> | |
18 | #include <openssl/err.h> | |
19 | #include <openssl/evp.h> | |
20 | #include <openssl/x509v3.h> | |
6229815a | 21 | #include <openssl/cmp_util.h> |
7e765f46 DDO |
22 | |
23 | #define IS_CREP(t) ((t) == OSSL_CMP_PKIBODY_IP || (t) == OSSL_CMP_PKIBODY_CP \ | |
24 | || (t) == OSSL_CMP_PKIBODY_KUP) | |
25 | ||
26 | /*- | |
27 | * Evaluate whether there's an exception (violating the standard) configured for | |
28 | * handling negative responses without protection or with invalid protection. | |
29 | * Returns 1 on acceptance, 0 on rejection, or -1 on (internal) error. | |
30 | */ | |
31 | static int unprotected_exception(const OSSL_CMP_CTX *ctx, | |
32 | const OSSL_CMP_MSG *rep, | |
33 | int invalid_protection, | |
afe7a431 | 34 | ossl_unused int expected_type) |
7e765f46 | 35 | { |
7df56ada | 36 | int rcvd_type = OSSL_CMP_MSG_get_bodytype(rep /* may be NULL */); |
7e765f46 DDO |
37 | const char *msg_type = NULL; |
38 | ||
39 | if (!ossl_assert(ctx != NULL && rep != NULL)) | |
40 | return -1; | |
41 | ||
42 | if (!ctx->unprotectedErrors) | |
43 | return 0; | |
44 | ||
45 | switch (rcvd_type) { | |
46 | case OSSL_CMP_PKIBODY_ERROR: | |
47 | msg_type = "error response"; | |
48 | break; | |
49 | case OSSL_CMP_PKIBODY_RP: | |
50 | { | |
51 | OSSL_CMP_PKISI *si = | |
52 | ossl_cmp_revrepcontent_get_pkisi(rep->body->value.rp, | |
53 | OSSL_CMP_REVREQSID); | |
54 | ||
55 | if (si == NULL) | |
56 | return -1; | |
57 | if (ossl_cmp_pkisi_get_status(si) == OSSL_CMP_PKISTATUS_rejection) | |
58 | msg_type = "revocation response message with rejection status"; | |
59 | break; | |
60 | } | |
61 | case OSSL_CMP_PKIBODY_PKICONF: | |
62 | msg_type = "PKI Confirmation message"; | |
63 | break; | |
64 | default: | |
65 | if (IS_CREP(rcvd_type)) { | |
25b18e62 | 66 | int any_rid = OSSL_CMP_CERTREQID_NONE; |
7e765f46 DDO |
67 | OSSL_CMP_CERTREPMESSAGE *crepmsg = rep->body->value.ip; |
68 | OSSL_CMP_CERTRESPONSE *crep = | |
25b18e62 | 69 | ossl_cmp_certrepmessage_get0_certresponse(crepmsg, any_rid); |
7e765f46 DDO |
70 | |
71 | if (sk_OSSL_CMP_CERTRESPONSE_num(crepmsg->response) > 1) | |
72 | return -1; | |
7e765f46 DDO |
73 | if (crep == NULL) |
74 | return -1; | |
75 | if (ossl_cmp_pkisi_get_status(crep->status) | |
76 | == OSSL_CMP_PKISTATUS_rejection) | |
77 | msg_type = "CertRepMessage with rejection status"; | |
78 | } | |
79 | } | |
80 | if (msg_type == NULL) | |
81 | return 0; | |
82 | ossl_cmp_log2(WARN, ctx, "ignoring %s protection of %s", | |
83 | invalid_protection ? "invalid" : "missing", msg_type); | |
84 | return 1; | |
85 | } | |
86 | ||
7e765f46 DDO |
87 | /* Save error info from PKIStatusInfo field of a certresponse into ctx */ |
88 | static int save_statusInfo(OSSL_CMP_CTX *ctx, OSSL_CMP_PKISI *si) | |
89 | { | |
90 | int i; | |
91 | OSSL_CMP_PKIFREETEXT *ss; | |
92 | ||
93 | if (!ossl_assert(ctx != NULL && si != NULL)) | |
94 | return 0; | |
95 | ||
19ddcc4c DDO |
96 | ctx->status = ossl_cmp_pkisi_get_status(si); |
97 | if (ctx->status < OSSL_CMP_PKISTATUS_accepted) | |
7e765f46 DDO |
98 | return 0; |
99 | ||
cba0e2af | 100 | ctx->failInfoCode = ossl_cmp_pkisi_get_pkifailureinfo(si); |
7e765f46 DDO |
101 | |
102 | if (!ossl_cmp_ctx_set0_statusString(ctx, sk_ASN1_UTF8STRING_new_null()) | |
103 | || (ctx->statusString == NULL)) | |
104 | return 0; | |
105 | ||
106 | ss = si->statusString; /* may be NULL */ | |
107 | for (i = 0; i < sk_ASN1_UTF8STRING_num(ss); i++) { | |
108 | ASN1_UTF8STRING *str = sk_ASN1_UTF8STRING_value(ss, i); | |
109 | ||
110 | if (!sk_ASN1_UTF8STRING_push(ctx->statusString, ASN1_STRING_dup(str))) | |
111 | return 0; | |
112 | } | |
113 | return 1; | |
114 | } | |
115 | ||
bedffe17 | 116 | static int is_crep_with_waiting(const OSSL_CMP_MSG *resp, int rid) |
192bfec4 RR |
117 | { |
118 | OSSL_CMP_CERTREPMESSAGE *crepmsg; | |
119 | OSSL_CMP_CERTRESPONSE *crep; | |
120 | int bt = OSSL_CMP_MSG_get_bodytype(resp); | |
121 | ||
122 | if (!IS_CREP(bt)) | |
123 | return 0; | |
124 | ||
125 | crepmsg = resp->body->value.ip; /* same for cp and kup */ | |
126 | crep = ossl_cmp_certrepmessage_get0_certresponse(crepmsg, rid); | |
127 | ||
128 | return (crep != NULL | |
129 | && ossl_cmp_pkisi_get_status(crep->status) | |
130 | == OSSL_CMP_PKISTATUS_waiting); | |
131 | } | |
132 | ||
7e765f46 DDO |
133 | /*- |
134 | * Perform the generic aspects of sending a request and receiving a response. | |
135 | * Returns 1 on success and provides the received PKIMESSAGE in *rep. | |
136 | * Returns 0 on error. | |
137 | * Regardless of success, caller is responsible for freeing *rep (unless NULL). | |
138 | */ | |
139 | static int send_receive_check(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *req, | |
140 | OSSL_CMP_MSG **rep, int expected_type) | |
141 | { | |
d7d1d092 DDO |
142 | int begin_transaction = |
143 | expected_type != OSSL_CMP_PKIBODY_POLLREP | |
144 | && expected_type != OSSL_CMP_PKIBODY_PKICONF; | |
7e765f46 | 145 | const char *req_type_str = |
7df56ada | 146 | ossl_cmp_bodytype_to_string(OSSL_CMP_MSG_get_bodytype(req)); |
7e765f46 | 147 | const char *expected_type_str = ossl_cmp_bodytype_to_string(expected_type); |
d7d1d092 | 148 | int bak_msg_timeout = ctx->msg_timeout; |
7e765f46 DDO |
149 | int bt; |
150 | time_t now = time(NULL); | |
151 | int time_left; | |
152 | OSSL_CMP_transfer_cb_t transfer_cb = ctx->transfer_cb; | |
153 | ||
3ca28c9e | 154 | #ifndef OPENSSL_NO_HTTP |
7e765f46 | 155 | if (transfer_cb == NULL) |
afe554c2 | 156 | transfer_cb = OSSL_CMP_MSG_http_perform; |
3ca28c9e | 157 | #endif |
7e765f46 | 158 | *rep = NULL; |
d7d1d092 DDO |
159 | |
160 | if (ctx->total_timeout != 0 /* not waiting indefinitely */) { | |
161 | if (begin_transaction) | |
162 | ctx->end_time = now + ctx->total_timeout; | |
7e765f46 | 163 | if (now >= ctx->end_time) { |
9311d0c4 | 164 | ERR_raise(ERR_LIB_CMP, CMP_R_TOTAL_TIMEOUT); |
7e765f46 DDO |
165 | return 0; |
166 | } | |
d7d1d092 | 167 | if (!ossl_assert(ctx->end_time - now < INT_MAX)) { |
5e128ed1 | 168 | /* actually cannot happen due to assignment in initial_certreq() */ |
9311d0c4 | 169 | ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS); |
7e765f46 DDO |
170 | return 0; |
171 | } | |
172 | time_left = (int)(ctx->end_time - now); | |
173 | if (ctx->msg_timeout == 0 || time_left < ctx->msg_timeout) | |
174 | ctx->msg_timeout = time_left; | |
175 | } | |
176 | ||
177 | /* should print error queue since transfer_cb may call ERR_clear_error() */ | |
178 | OSSL_CMP_CTX_print_errors(ctx); | |
179 | ||
180 | ossl_cmp_log1(INFO, ctx, "sending %s", req_type_str); | |
181 | ||
182 | *rep = (*transfer_cb)(ctx, req); | |
d7d1d092 | 183 | ctx->msg_timeout = bak_msg_timeout; |
7e765f46 DDO |
184 | |
185 | if (*rep == NULL) { | |
5e128ed1 | 186 | ERR_raise_data(ERR_LIB_CMP, |
b908ec0f | 187 | ctx->total_timeout != 0 && time(NULL) >= ctx->end_time ? |
5e128ed1 | 188 | CMP_R_TOTAL_TIMEOUT : CMP_R_TRANSFER_ERROR, |
a150f8e1 RL |
189 | "request sent: %s, expected response: %s", |
190 | req_type_str, expected_type_str); | |
7e765f46 DDO |
191 | return 0; |
192 | } | |
193 | ||
7df56ada | 194 | bt = OSSL_CMP_MSG_get_bodytype(*rep); |
7e765f46 DDO |
195 | /* |
196 | * The body type in the 'bt' variable is not yet verified. | |
197 | * Still we use this preliminary value already for a progress report because | |
198 | * the following msg verification may also produce log entries and may fail. | |
199 | */ | |
192bfec4 RR |
200 | ossl_cmp_log2(INFO, ctx, "received %s%s", ossl_cmp_bodytype_to_string(bt), |
201 | ossl_cmp_is_error_with_waiting(*rep) ? " (waiting)" : ""); | |
7e765f46 | 202 | |
bb30bce2 DDO |
203 | /* copy received extraCerts to ctx->extraCertsIn so they can be retrieved */ |
204 | if (bt != OSSL_CMP_PKIBODY_POLLREP && bt != OSSL_CMP_PKIBODY_PKICONF | |
205 | && !ossl_cmp_ctx_set1_extraCertsIn(ctx, (*rep)->extraCerts)) | |
206 | return 0; | |
207 | ||
430efff1 DDO |
208 | if (!ossl_cmp_msg_check_update(ctx, *rep, unprotected_exception, |
209 | expected_type)) | |
7e765f46 DDO |
210 | return 0; |
211 | ||
192bfec4 | 212 | /* |
bedffe17 DDO |
213 | * rep can have the expected response type, which during polling is pollRep. |
214 | * When polling, also any other non-error response (the final response) | |
215 | * is fine here. When not yet polling, delayed delivery may be initiated | |
216 | * by the server returning an error message with 'waiting' status (or a | |
217 | * response message of expected type ip/cp/kup with 'waiting' status). | |
192bfec4 | 218 | */ |
7e765f46 | 219 | if (bt == expected_type |
192bfec4 RR |
220 | || (expected_type == OSSL_CMP_PKIBODY_POLLREP |
221 | ? bt != OSSL_CMP_PKIBODY_ERROR | |
222 | : ossl_cmp_is_error_with_waiting(*rep))) | |
7e765f46 DDO |
223 | return 1; |
224 | ||
225 | /* received message type is not one of the expected ones (e.g., error) */ | |
9311d0c4 | 226 | ERR_raise(ERR_LIB_CMP, bt == OSSL_CMP_PKIBODY_ERROR ? CMP_R_RECEIVED_ERROR : |
4c0d49ed | 227 | CMP_R_UNEXPECTED_PKIBODY); /* in next line for mkerr.pl */ |
7e765f46 DDO |
228 | |
229 | if (bt != OSSL_CMP_PKIBODY_ERROR) { | |
230 | ERR_add_error_data(3, "message type is '", | |
231 | ossl_cmp_bodytype_to_string(bt), "'"); | |
232 | } else { | |
233 | OSSL_CMP_ERRORMSGCONTENT *emc = (*rep)->body->value.error; | |
234 | OSSL_CMP_PKISI *si = emc->pKIStatusInfo; | |
235 | char buf[OSSL_CMP_PKISI_BUFLEN]; | |
236 | ||
237 | if (save_statusInfo(ctx, si) | |
143be474 DDO |
238 | && OSSL_CMP_CTX_snprint_PKIStatus(ctx, buf, |
239 | sizeof(buf)) != NULL) | |
7e765f46 DDO |
240 | ERR_add_error_data(1, buf); |
241 | if (emc->errorCode != NULL | |
991519ae | 242 | && BIO_snprintf(buf, sizeof(buf), "; errorCode: %08lX", |
7e765f46 DDO |
243 | ASN1_INTEGER_get(emc->errorCode)) > 0) |
244 | ERR_add_error_data(1, buf); | |
245 | if (emc->errorDetails != NULL) { | |
adf7e6d1 SL |
246 | char *text = ossl_sk_ASN1_UTF8STRING2text(emc->errorDetails, ", ", |
247 | OSSL_CMP_PKISI_BUFLEN - 1); | |
7e765f46 | 248 | |
991519ae | 249 | if (text != NULL && *text != '\0') |
7e765f46 DDO |
250 | ERR_add_error_data(2, "; errorDetails: ", text); |
251 | OPENSSL_free(text); | |
252 | } | |
253 | if (ctx->status != OSSL_CMP_PKISTATUS_rejection) { | |
9311d0c4 | 254 | ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKISTATUS); |
7e765f46 DDO |
255 | if (ctx->status == OSSL_CMP_PKISTATUS_waiting) |
256 | ctx->status = OSSL_CMP_PKISTATUS_rejection; | |
257 | } | |
258 | } | |
259 | return 0; | |
260 | } | |
261 | ||
262 | /*- | |
263 | * When a 'waiting' PKIStatus has been received, this function is used to | |
192bfec4 | 264 | * poll, which should yield a pollRep or the final response. |
7e765f46 DDO |
265 | * On receiving a pollRep, which includes a checkAfter value, it return this |
266 | * value if sleep == 0, else it sleeps as long as indicated and retries. | |
267 | * | |
b908ec0f | 268 | * A transaction timeout is enabled if ctx->total_timeout is != 0. |
7e765f46 DDO |
269 | * In this case polling will continue until the timeout is reached and then |
270 | * polling is done a last time even if this is before the "checkAfter" time. | |
271 | * | |
272 | * Returns -1 on receiving pollRep if sleep == 0, setting the checkAfter value. | |
273 | * Returns 1 on success and provides the received PKIMESSAGE in *rep. | |
274 | * In this case the caller is responsible for freeing *rep. | |
bedffe17 DDO |
275 | * Returns 0 on error (which includes the cases that timeout has been reached |
276 | * or a response with 'waiting' status has been received). | |
7e765f46 DDO |
277 | */ |
278 | static int poll_for_response(OSSL_CMP_CTX *ctx, int sleep, int rid, | |
279 | OSSL_CMP_MSG **rep, int *checkAfter) | |
280 | { | |
281 | OSSL_CMP_MSG *preq = NULL; | |
282 | OSSL_CMP_MSG *prep = NULL; | |
283 | ||
284 | ossl_cmp_info(ctx, | |
285 | "received 'waiting' PKIStatus, starting to poll for response"); | |
286 | *rep = NULL; | |
287 | for (;;) { | |
7e765f46 DDO |
288 | if ((preq = ossl_cmp_pollReq_new(ctx, rid)) == NULL) |
289 | goto err; | |
290 | ||
291 | if (!send_receive_check(ctx, preq, &prep, OSSL_CMP_PKIBODY_POLLREP)) | |
292 | goto err; | |
293 | ||
294 | /* handle potential pollRep */ | |
7df56ada | 295 | if (OSSL_CMP_MSG_get_bodytype(prep) == OSSL_CMP_PKIBODY_POLLREP) { |
7e765f46 DDO |
296 | OSSL_CMP_POLLREPCONTENT *prc = prep->body->value.pollRep; |
297 | OSSL_CMP_POLLREP *pollRep = NULL; | |
298 | int64_t check_after; | |
299 | char str[OSSL_CMP_PKISI_BUFLEN]; | |
300 | int len; | |
301 | ||
7e765f46 | 302 | if (sk_OSSL_CMP_POLLREP_num(prc) > 1) { |
9311d0c4 | 303 | ERR_raise(ERR_LIB_CMP, CMP_R_MULTIPLE_RESPONSES_NOT_SUPPORTED); |
7e765f46 DDO |
304 | goto err; |
305 | } | |
306 | pollRep = ossl_cmp_pollrepcontent_get0_pollrep(prc, rid); | |
307 | if (pollRep == NULL) | |
308 | goto err; | |
309 | ||
310 | if (!ASN1_INTEGER_get_int64(&check_after, pollRep->checkAfter)) { | |
9311d0c4 | 311 | ERR_raise(ERR_LIB_CMP, CMP_R_BAD_CHECKAFTER_IN_POLLREP); |
7e765f46 DDO |
312 | goto err; |
313 | } | |
314 | if (check_after < 0 || (uint64_t)check_after | |
315 | > (sleep ? ULONG_MAX / 1000 : INT_MAX)) { | |
9311d0c4 | 316 | ERR_raise(ERR_LIB_CMP, CMP_R_CHECKAFTER_OUT_OF_RANGE); |
b5f7aa5c | 317 | if (BIO_snprintf(str, OSSL_CMP_PKISI_BUFLEN, "value = %jd", |
7e765f46 DDO |
318 | check_after) >= 0) |
319 | ERR_add_error_data(1, str); | |
320 | goto err; | |
321 | } | |
7e765f46 DDO |
322 | |
323 | if (pollRep->reason == NULL | |
324 | || (len = BIO_snprintf(str, OSSL_CMP_PKISI_BUFLEN, | |
325 | " with reason = '")) < 0) { | |
326 | *str = '\0'; | |
327 | } else { | |
adf7e6d1 SL |
328 | char *text = ossl_sk_ASN1_UTF8STRING2text(pollRep->reason, ", ", |
329 | sizeof(str) - len - 2); | |
7e765f46 DDO |
330 | |
331 | if (text == NULL | |
332 | || BIO_snprintf(str + len, sizeof(str) - len, | |
333 | "%s'", text) < 0) | |
334 | *str = '\0'; | |
335 | OPENSSL_free(text); | |
336 | } | |
337 | ossl_cmp_log2(INFO, ctx, | |
338 | "received polling response%s; checkAfter = %ld seconds", | |
339 | str, check_after); | |
340 | ||
b908ec0f | 341 | if (ctx->total_timeout != 0) { /* timeout is not infinite */ |
192bfec4 | 342 | const int exp = OSSL_CMP_EXPECTED_RESP_TIME; |
3c28aa85 DDO |
343 | int64_t time_left = (int64_t)(ctx->end_time - exp - time(NULL)); |
344 | ||
345 | if (time_left <= 0) { | |
346 | ERR_raise(ERR_LIB_CMP, CMP_R_TOTAL_TIMEOUT); | |
347 | goto err; | |
348 | } | |
349 | if (time_left < check_after) | |
350 | check_after = time_left; | |
351 | /* poll one last time just when timeout was reached */ | |
352 | } | |
353 | ||
7e765f46 DDO |
354 | OSSL_CMP_MSG_free(preq); |
355 | preq = NULL; | |
356 | OSSL_CMP_MSG_free(prep); | |
357 | prep = NULL; | |
358 | if (sleep) { | |
5139dec2 | 359 | OSSL_sleep((unsigned long)(1000 * check_after)); |
7e765f46 DDO |
360 | } else { |
361 | if (checkAfter != NULL) | |
362 | *checkAfter = (int)check_after; | |
363 | return -1; /* exits the loop */ | |
364 | } | |
192bfec4 RR |
365 | } else if (is_crep_with_waiting(prep, rid) |
366 | || ossl_cmp_is_error_with_waiting(prep)) { | |
bedffe17 | 367 | /* received status must not be 'waiting' */ |
192bfec4 RR |
368 | (void)ossl_cmp_exchange_error(ctx, OSSL_CMP_PKISTATUS_rejection, |
369 | OSSL_CMP_CTX_FAILINFO_badRequest, | |
370 | "polling already started", | |
371 | 0 /* errorCode */, NULL); | |
372 | ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKISTATUS); | |
373 | goto err; | |
7e765f46 | 374 | } else { |
192bfec4 RR |
375 | ossl_cmp_info(ctx, "received final response after polling"); |
376 | if (!ossl_cmp_ctx_set1_first_senderNonce(ctx, NULL)) | |
377 | return 0; | |
7e765f46 DDO |
378 | break; |
379 | } | |
380 | } | |
381 | if (prep == NULL) | |
382 | goto err; | |
383 | ||
384 | OSSL_CMP_MSG_free(preq); | |
385 | *rep = prep; | |
386 | ||
387 | return 1; | |
388 | err: | |
192bfec4 | 389 | (void)ossl_cmp_ctx_set1_first_senderNonce(ctx, NULL); |
7e765f46 DDO |
390 | OSSL_CMP_MSG_free(preq); |
391 | OSSL_CMP_MSG_free(prep); | |
392 | return 0; | |
393 | } | |
394 | ||
192bfec4 | 395 | static int save_senderNonce_if_waiting(OSSL_CMP_CTX *ctx, |
bedffe17 | 396 | const OSSL_CMP_MSG *rep, int rid) |
192bfec4 RR |
397 | { |
398 | /* | |
bedffe17 DDO |
399 | * Lightweight CMP Profile section 4.4 states: the senderNonce of the |
400 | * preceding request message because this value will be needed for checking | |
401 | * the recipNonce of the final response to be received after polling. | |
192bfec4 RR |
402 | */ |
403 | if ((is_crep_with_waiting(rep, rid) | |
404 | || ossl_cmp_is_error_with_waiting(rep)) | |
405 | && !ossl_cmp_ctx_set1_first_senderNonce(ctx, ctx->senderNonce)) | |
406 | return 0; | |
407 | ||
408 | return 1; | |
409 | } | |
410 | ||
411 | /* | |
bedffe17 DDO |
412 | * Send request and get response possibly with polling initiated by error msg. |
413 | * Polling for ip/cp/kup/ with 'waiting' status is handled by cert_response(). | |
192bfec4 RR |
414 | */ |
415 | static int send_receive_also_delayed(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *req, | |
416 | OSSL_CMP_MSG **rep, int expected_type) | |
417 | { | |
418 | ||
419 | if (!send_receive_check(ctx, req, rep, expected_type)) | |
420 | return 0; | |
421 | ||
422 | if (ossl_cmp_is_error_with_waiting(*rep)) { | |
bedffe17 | 423 | if (!save_senderNonce_if_waiting(ctx, *rep, OSSL_CMP_CERTREQID_NONE)) |
192bfec4 | 424 | return 0; |
bedffe17 | 425 | /* not modifying ctx->status during certConf and error exchanges */ |
192bfec4 RR |
426 | if (expected_type != OSSL_CMP_PKIBODY_PKICONF |
427 | && !save_statusInfo(ctx, (*rep)->body->value.error->pKIStatusInfo)) | |
428 | return 0; | |
429 | ||
430 | OSSL_CMP_MSG_free(*rep); | |
431 | *rep = NULL; | |
432 | ||
bedffe17 | 433 | if (poll_for_response(ctx, 1 /* can sleep */, OSSL_CMP_CERTREQID_NONE, |
192bfec4 RR |
434 | rep, NULL /* checkAfter */) <= 0) { |
435 | ERR_raise(ERR_LIB_CMP, CMP_R_POLLING_FAILED); | |
436 | return 0; | |
437 | } | |
438 | } | |
439 | if (OSSL_CMP_MSG_get_bodytype(*rep) != expected_type) { | |
440 | ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY); | |
441 | return 0; | |
442 | } | |
443 | ||
444 | return 1; | |
445 | } | |
19ddcc4c DDO |
446 | /* |
447 | * Send certConf for IR, CR or KUR sequences and check response, | |
448 | * not modifying ctx->status during the certConf exchange | |
449 | */ | |
25b18e62 DDO |
450 | int ossl_cmp_exchange_certConf(OSSL_CMP_CTX *ctx, int certReqId, |
451 | int fail_info, const char *txt) | |
7e765f46 DDO |
452 | { |
453 | OSSL_CMP_MSG *certConf; | |
454 | OSSL_CMP_MSG *PKIconf = NULL; | |
455 | int res = 0; | |
456 | ||
457 | /* OSSL_CMP_certConf_new() also checks if all necessary options are set */ | |
25b18e62 DDO |
458 | certConf = ossl_cmp_certConf_new(ctx, certReqId, fail_info, txt); |
459 | if (certConf == NULL) | |
7e765f46 DDO |
460 | goto err; |
461 | ||
bedffe17 DDO |
462 | res = send_receive_also_delayed(ctx, certConf, &PKIconf, |
463 | OSSL_CMP_PKIBODY_PKICONF); | |
7e765f46 DDO |
464 | |
465 | err: | |
466 | OSSL_CMP_MSG_free(certConf); | |
467 | OSSL_CMP_MSG_free(PKIconf); | |
468 | return res; | |
469 | } | |
470 | ||
471 | /* Send given error and check response */ | |
472 | int ossl_cmp_exchange_error(OSSL_CMP_CTX *ctx, int status, int fail_info, | |
473 | const char *txt, int errorCode, const char *details) | |
474 | { | |
475 | OSSL_CMP_MSG *error = NULL; | |
476 | OSSL_CMP_PKISI *si = NULL; | |
477 | OSSL_CMP_MSG *PKIconf = NULL; | |
478 | int res = 0; | |
479 | ||
19ddcc4c | 480 | /* not overwriting ctx->status on error exchange */ |
7e765f46 DDO |
481 | if ((si = OSSL_CMP_STATUSINFO_new(status, fail_info, txt)) == NULL) |
482 | goto err; | |
483 | /* ossl_cmp_error_new() also checks if all necessary options are set */ | |
484 | if ((error = ossl_cmp_error_new(ctx, si, errorCode, details, 0)) == NULL) | |
485 | goto err; | |
486 | ||
192bfec4 RR |
487 | res = send_receive_also_delayed(ctx, error, |
488 | &PKIconf, OSSL_CMP_PKIBODY_PKICONF); | |
7e765f46 DDO |
489 | |
490 | err: | |
491 | OSSL_CMP_MSG_free(error); | |
492 | OSSL_CMP_PKISI_free(si); | |
493 | OSSL_CMP_MSG_free(PKIconf); | |
494 | return res; | |
495 | } | |
496 | ||
497 | /*- | |
498 | * Retrieve a copy of the certificate, if any, from the given CertResponse. | |
499 | * Take into account PKIStatusInfo of CertResponse in ctx, report it on error. | |
500 | * Returns NULL if not found or on error. | |
501 | */ | |
502 | static X509 *get1_cert_status(OSSL_CMP_CTX *ctx, int bodytype, | |
503 | OSSL_CMP_CERTRESPONSE *crep) | |
504 | { | |
505 | char buf[OSSL_CMP_PKISI_BUFLEN]; | |
506 | X509 *crt = NULL; | |
7e765f46 DDO |
507 | |
508 | if (!ossl_assert(ctx != NULL && crep != NULL)) | |
509 | return NULL; | |
510 | ||
7e765f46 DDO |
511 | switch (ossl_cmp_pkisi_get_status(crep->status)) { |
512 | case OSSL_CMP_PKISTATUS_waiting: | |
513 | ossl_cmp_err(ctx, | |
514 | "received \"waiting\" status for cert when actually aiming to extract cert"); | |
9311d0c4 | 515 | ERR_raise(ERR_LIB_CMP, CMP_R_ENCOUNTERED_WAITING); |
7e765f46 DDO |
516 | goto err; |
517 | case OSSL_CMP_PKISTATUS_grantedWithMods: | |
518 | ossl_cmp_warn(ctx, "received \"grantedWithMods\" for certificate"); | |
7e765f46 DDO |
519 | break; |
520 | case OSSL_CMP_PKISTATUS_accepted: | |
7e765f46 DDO |
521 | break; |
522 | /* get all information in case of a rejection before going to error */ | |
523 | case OSSL_CMP_PKISTATUS_rejection: | |
524 | ossl_cmp_err(ctx, "received \"rejection\" status rather than cert"); | |
9311d0c4 | 525 | ERR_raise(ERR_LIB_CMP, CMP_R_REQUEST_REJECTED_BY_SERVER); |
7e765f46 DDO |
526 | goto err; |
527 | case OSSL_CMP_PKISTATUS_revocationWarning: | |
528 | ossl_cmp_warn(ctx, | |
529 | "received \"revocationWarning\" - a revocation of the cert is imminent"); | |
7e765f46 DDO |
530 | break; |
531 | case OSSL_CMP_PKISTATUS_revocationNotification: | |
532 | ossl_cmp_warn(ctx, | |
533 | "received \"revocationNotification\" - a revocation of the cert has occurred"); | |
7e765f46 DDO |
534 | break; |
535 | case OSSL_CMP_PKISTATUS_keyUpdateWarning: | |
536 | if (bodytype != OSSL_CMP_PKIBODY_KUR) { | |
9311d0c4 | 537 | ERR_raise(ERR_LIB_CMP, CMP_R_ENCOUNTERED_KEYUPDATEWARNING); |
7e765f46 DDO |
538 | goto err; |
539 | } | |
7e765f46 DDO |
540 | break; |
541 | default: | |
542 | ossl_cmp_log1(ERROR, ctx, | |
543 | "received unsupported PKIStatus %d for certificate", | |
544 | ctx->status); | |
9311d0c4 | 545 | ERR_raise(ERR_LIB_CMP, CMP_R_UNKNOWN_PKISTATUS); |
7e765f46 DDO |
546 | goto err; |
547 | } | |
e0f1ec3b | 548 | crt = ossl_cmp_certresponse_get1_cert(ctx, crep); |
7e765f46 | 549 | if (crt == NULL) /* according to PKIStatus, we can expect a cert */ |
9311d0c4 | 550 | ERR_raise(ERR_LIB_CMP, CMP_R_CERTIFICATE_NOT_FOUND); |
7e765f46 DDO |
551 | |
552 | return crt; | |
553 | ||
554 | err: | |
555 | if (OSSL_CMP_CTX_snprint_PKIStatus(ctx, buf, sizeof(buf)) != NULL) | |
556 | ERR_add_error_data(1, buf); | |
557 | return NULL; | |
558 | } | |
559 | ||
560 | /*- | |
561 | * Callback fn validating that the new certificate can be verified, using | |
562 | * ctx->certConf_cb_arg, which has been initialized using opt_out_trusted, and | |
bb30bce2 | 563 | * ctx->untrusted, which at this point already contains msg->extraCerts. |
7e765f46 DDO |
564 | * Returns 0 on acceptance, else a bit field reflecting PKIFailureInfo. |
565 | * Quoting from RFC 4210 section 5.1. Overall PKI Message: | |
566 | * The extraCerts field can contain certificates that may be useful to | |
567 | * the recipient. For example, this can be used by a CA or RA to | |
568 | * present an end entity with certificates that it needs to verify its | |
569 | * own new certificate (if, for example, the CA that issued the end | |
570 | * entity's certificate is not a root CA for the end entity). Note that | |
571 | * this field does not necessarily contain a certification path; the | |
572 | * recipient may have to sort, select from, or otherwise process the | |
573 | * extra certificates in order to use them. | |
574 | * Note: While often handy, there is no hard requirement by CMP that | |
575 | * an EE must be able to validate the certificates it gets enrolled. | |
576 | */ | |
577 | int OSSL_CMP_certConf_cb(OSSL_CMP_CTX *ctx, X509 *cert, int fail_info, | |
578 | const char **text) | |
579 | { | |
580 | X509_STORE *out_trusted = OSSL_CMP_CTX_get_certConf_cb_arg(ctx); | |
a0745e2b | 581 | STACK_OF(X509) *chain = NULL; |
357bfe73 | 582 | |
7e765f46 DDO |
583 | (void)text; /* make (artificial) use of var to prevent compiler warning */ |
584 | ||
585 | if (fail_info != 0) /* accept any error flagged by CMP core library */ | |
586 | return fail_info; | |
587 | ||
6b58f498 DDO |
588 | if (out_trusted == NULL) { |
589 | ossl_cmp_debug(ctx, "trying to build chain for newly enrolled cert"); | |
590 | chain = X509_build_chain(cert, ctx->untrusted, out_trusted, | |
591 | 0, ctx->libctx, ctx->propq); | |
592 | } else { | |
593 | X509_STORE_CTX *csc = X509_STORE_CTX_new_ex(ctx->libctx, ctx->propq); | |
594 | ||
595 | ossl_cmp_debug(ctx, "validating newly enrolled cert"); | |
596 | if (csc == NULL) | |
597 | goto err; | |
598 | if (!X509_STORE_CTX_init(csc, out_trusted, cert, ctx->untrusted)) | |
599 | goto err; | |
600 | /* disable any cert status/revocation checking etc. */ | |
601 | X509_VERIFY_PARAM_clear_flags(X509_STORE_CTX_get0_param(csc), | |
602 | ~(X509_V_FLAG_USE_CHECK_TIME | |
603 | | X509_V_FLAG_NO_CHECK_TIME | |
604 | | X509_V_FLAG_PARTIAL_CHAIN | |
605 | | X509_V_FLAG_POLICY_CHECK)); | |
606 | if (X509_verify_cert(csc) <= 0) | |
607 | goto err; | |
608 | ||
192bfec4 | 609 | if (!ossl_x509_add_certs_new(&chain, X509_STORE_CTX_get0_chain(csc), |
6b58f498 DDO |
610 | X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP |
611 | | X509_ADD_FLAG_NO_SS)) { | |
612 | sk_X509_free(chain); | |
613 | chain = NULL; | |
614 | } | |
615 | err: | |
616 | X509_STORE_CTX_free(csc); | |
617 | } | |
618 | ||
a0745e2b DDO |
619 | if (sk_X509_num(chain) > 0) |
620 | X509_free(sk_X509_shift(chain)); /* remove leaf (EE) cert */ | |
621 | if (out_trusted != NULL) { | |
622 | if (chain == NULL) { | |
6b58f498 | 623 | ossl_cmp_err(ctx, "failed to validate newly enrolled cert"); |
a0745e2b DDO |
624 | fail_info = 1 << OSSL_CMP_PKIFAILUREINFO_incorrectData; |
625 | } else { | |
626 | ossl_cmp_debug(ctx, | |
6b58f498 | 627 | "success validating newly enrolled cert"); |
a0745e2b DDO |
628 | } |
629 | } else if (chain == NULL) { | |
630 | ossl_cmp_warn(ctx, "could not build approximate chain for newly enrolled cert, resorting to received extraCerts"); | |
631 | chain = OSSL_CMP_CTX_get1_extraCertsIn(ctx); | |
632 | } else { | |
633 | ossl_cmp_debug(ctx, | |
634 | "success building approximate chain for newly enrolled cert"); | |
635 | } | |
636 | (void)ossl_cmp_ctx_set1_newChain(ctx, chain); | |
79b2a2f2 | 637 | OSSL_STACK_OF_X509_free(chain); |
7e765f46 DDO |
638 | |
639 | return fail_info; | |
640 | } | |
641 | ||
642 | /*- | |
643 | * Perform the generic handling of certificate responses for IR/CR/KUR/P10CR. | |
25b18e62 | 644 | * |rid| must be OSSL_CMP_CERTREQID_NONE if not available, namely for p10cr |
7e765f46 DDO |
645 | * Returns -1 on receiving pollRep if sleep == 0, setting the checkAfter value. |
646 | * Returns 1 on success and provides the received PKIMESSAGE in *resp. | |
647 | * Returns 0 on error (which includes the case that timeout has been reached). | |
648 | * Regardless of success, caller is responsible for freeing *resp (unless NULL). | |
649 | */ | |
650 | static int cert_response(OSSL_CMP_CTX *ctx, int sleep, int rid, | |
651 | OSSL_CMP_MSG **resp, int *checkAfter, | |
afe7a431 DDO |
652 | ossl_unused int req_type, |
653 | ossl_unused int expected_type) | |
7e765f46 | 654 | { |
e0f1ec3b | 655 | EVP_PKEY *rkey = ossl_cmp_ctx_get0_newPubkey(ctx); |
7e765f46 DDO |
656 | int fail_info = 0; /* no failure */ |
657 | const char *txt = NULL; | |
192bfec4 RR |
658 | OSSL_CMP_CERTREPMESSAGE *crepmsg = NULL; |
659 | OSSL_CMP_CERTRESPONSE *crep = NULL; | |
a0745e2b | 660 | OSSL_CMP_certConf_cb_t cb; |
7e765f46 DDO |
661 | X509 *cert; |
662 | char *subj = NULL; | |
663 | int ret = 1; | |
192bfec4 RR |
664 | int rcvd_type; |
665 | OSSL_CMP_PKISI *si; | |
7e765f46 | 666 | |
a0745e2b DDO |
667 | if (!ossl_assert(ctx != NULL)) |
668 | return 0; | |
669 | ||
7e765f46 | 670 | retry: |
192bfec4 RR |
671 | rcvd_type = OSSL_CMP_MSG_get_bodytype(*resp); |
672 | if (IS_CREP(rcvd_type)) { | |
673 | crepmsg = (*resp)->body->value.ip; /* same for cp and kup */ | |
674 | if (sk_OSSL_CMP_CERTRESPONSE_num(crepmsg->response) > 1) { | |
675 | ERR_raise(ERR_LIB_CMP, CMP_R_MULTIPLE_RESPONSES_NOT_SUPPORTED); | |
7e765f46 DDO |
676 | return 0; |
677 | } | |
192bfec4 RR |
678 | crep = ossl_cmp_certrepmessage_get0_certresponse(crepmsg, rid); |
679 | if (crep == NULL) | |
680 | return 0; | |
681 | si = crep->status; | |
682 | ||
bedffe17 | 683 | if (rid == OSSL_CMP_CERTREQID_NONE) { |
192bfec4 RR |
684 | /* for OSSL_CMP_PKIBODY_P10CR learn CertReqId from response */ |
685 | rid = ossl_cmp_asn1_get_int(crep->certReqId); | |
bedffe17 | 686 | if (rid != OSSL_CMP_CERTREQID_NONE) { |
192bfec4 RR |
687 | ERR_raise(ERR_LIB_CMP, CMP_R_BAD_REQUEST_ID); |
688 | return 0; | |
689 | } | |
690 | } | |
691 | } else if (rcvd_type == OSSL_CMP_PKIBODY_ERROR) { | |
692 | si = (*resp)->body->value.error->pKIStatusInfo; | |
693 | } else { | |
694 | ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY); | |
695 | return 0; | |
7e765f46 DDO |
696 | } |
697 | ||
192bfec4 RR |
698 | if (!save_statusInfo(ctx, si)) |
699 | return 0; | |
700 | ||
701 | if (ossl_cmp_pkisi_get_status(si) == OSSL_CMP_PKISTATUS_waiting) { | |
bedffe17 DDO |
702 | /* |
703 | * Here we allow both and error message with waiting indication | |
704 | * as well as a certificate response with waiting indication, where | |
705 | * its flavor (ip, cp, or kup) may not strictly match ir/cr/p10cr/kur. | |
706 | */ | |
7e765f46 DDO |
707 | OSSL_CMP_MSG_free(*resp); |
708 | *resp = NULL; | |
709 | if ((ret = poll_for_response(ctx, sleep, rid, resp, checkAfter)) != 0) { | |
710 | if (ret == -1) /* at this point implies sleep == 0 */ | |
711 | return ret; /* waiting */ | |
192bfec4 | 712 | goto retry; /* got some response other than pollRep */ |
7e765f46 | 713 | } else { |
9311d0c4 | 714 | ERR_raise(ERR_LIB_CMP, CMP_R_POLLING_FAILED); |
7e765f46 DDO |
715 | return 0; |
716 | } | |
717 | } | |
718 | ||
bedffe17 | 719 | /* at this point, we have received ip/cp/kup/error without waiting */ |
192bfec4 RR |
720 | if (rcvd_type == OSSL_CMP_PKIBODY_ERROR) { |
721 | ERR_raise(ERR_LIB_CMP, CMP_R_RECEIVED_ERROR); | |
722 | return 0; | |
723 | } | |
bedffe17 | 724 | /* here we are strict on the flavor of ip/cp/kup: must match request */ |
192bfec4 RR |
725 | if (rcvd_type != expected_type) { |
726 | ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY); | |
727 | return 0; | |
728 | } | |
729 | ||
7e765f46 DDO |
730 | cert = get1_cert_status(ctx, (*resp)->body->type, crep); |
731 | if (cert == NULL) { | |
732 | ERR_add_error_data(1, "; cannot extract certificate from response"); | |
733 | return 0; | |
734 | } | |
735 | if (!ossl_cmp_ctx_set0_newCert(ctx, cert)) | |
736 | return 0; | |
737 | ||
738 | /* | |
739 | * if the CMP server returned certificates in the caPubs field, copy them | |
740 | * to the context so that they can be retrieved if necessary | |
741 | */ | |
bedffe17 | 742 | if (crepmsg != NULL && crepmsg->caPubs != NULL |
7e765f46 DDO |
743 | && !ossl_cmp_ctx_set1_caPubs(ctx, crepmsg->caPubs)) |
744 | return 0; | |
745 | ||
7e765f46 DDO |
746 | subj = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0); |
747 | if (rkey != NULL | |
748 | /* X509_check_private_key() also works if rkey is just public key */ | |
749 | && !(X509_check_private_key(ctx->newCert, rkey))) { | |
750 | fail_info = 1 << OSSL_CMP_PKIFAILUREINFO_incorrectData; | |
751 | txt = "public key in new certificate does not match our enrollment key"; | |
752 | /*- | |
bb30bce2 DDO |
753 | * not calling (void)ossl_cmp_exchange_error(ctx, |
754 | * OSSL_CMP_PKISTATUS_rejection, fail_info, txt) | |
7e765f46 DDO |
755 | * not throwing CMP_R_CERTIFICATE_NOT_ACCEPTED with txt |
756 | * not returning 0 | |
a0745e2b | 757 | * since we better leave this for the certConf_cb to decide |
7e765f46 DDO |
758 | */ |
759 | } | |
760 | ||
761 | /* | |
a0745e2b | 762 | * Execute the certification checking callback function, |
7e765f46 DDO |
763 | * which can determine whether to accept a newly enrolled certificate. |
764 | * It may overrule the pre-decision reflected in 'fail_info' and '*txt'. | |
765 | */ | |
a0745e2b DDO |
766 | cb = ctx->certConf_cb != NULL ? ctx->certConf_cb : OSSL_CMP_certConf_cb; |
767 | if ((fail_info = cb(ctx, ctx->newCert, fail_info, &txt)) != 0 | |
768 | && txt == NULL) | |
769 | txt = "CMP client did not accept it"; | |
7e765f46 DDO |
770 | if (fail_info != 0) /* immediately log error before any certConf exchange */ |
771 | ossl_cmp_log1(ERROR, ctx, | |
772 | "rejecting newly enrolled cert with subject: %s", subj); | |
afe7a431 DDO |
773 | /* |
774 | * certConf exchange should better be moved to do_certreq_seq() such that | |
775 | * also more low-level errors with CertReqMessages get reported to server | |
776 | */ | |
7e765f46 DDO |
777 | if (!ctx->disableConfirm |
778 | && !ossl_cmp_hdr_has_implicitConfirm((*resp)->header)) { | |
25b18e62 | 779 | if (!ossl_cmp_exchange_certConf(ctx, rid, fail_info, txt)) |
7e765f46 DDO |
780 | ret = 0; |
781 | } | |
782 | ||
783 | /* not throwing failure earlier as transfer_cb may call ERR_clear_error() */ | |
784 | if (fail_info != 0) { | |
a676c53c | 785 | ERR_raise_data(ERR_LIB_CMP, CMP_R_CERTIFICATE_NOT_ACCEPTED, |
4c0d49ed AS |
786 | "rejecting newly enrolled cert with subject: %s; %s", |
787 | subj, txt); | |
e7041bfe | 788 | ctx->status = OSSL_CMP_PKISTATUS_rejection; |
7e765f46 DDO |
789 | ret = 0; |
790 | } | |
791 | OPENSSL_free(subj); | |
792 | return ret; | |
793 | } | |
794 | ||
5e128ed1 DDO |
795 | static int initial_certreq(OSSL_CMP_CTX *ctx, |
796 | int req_type, const OSSL_CRMF_MSG *crm, | |
797 | OSSL_CMP_MSG **p_rep, int rep_type) | |
798 | { | |
799 | OSSL_CMP_MSG *req; | |
800 | int res; | |
801 | ||
19ddcc4c | 802 | ctx->status = OSSL_CMP_PKISTATUS_request; |
5e128ed1 DDO |
803 | if (!ossl_cmp_ctx_set0_newCert(ctx, NULL)) |
804 | return 0; | |
805 | ||
5e128ed1 DDO |
806 | /* also checks if all necessary options are set */ |
807 | if ((req = ossl_cmp_certreq_new(ctx, req_type, crm)) == NULL) | |
808 | return 0; | |
809 | ||
19ddcc4c | 810 | ctx->status = OSSL_CMP_PKISTATUS_trans; |
5e128ed1 DDO |
811 | res = send_receive_check(ctx, req, p_rep, rep_type); |
812 | OSSL_CMP_MSG_free(req); | |
813 | return res; | |
814 | } | |
815 | ||
299e0f1e DDO |
816 | int OSSL_CMP_try_certreq(OSSL_CMP_CTX *ctx, int req_type, |
817 | const OSSL_CRMF_MSG *crm, int *checkAfter) | |
7e765f46 | 818 | { |
7e765f46 DDO |
819 | OSSL_CMP_MSG *rep = NULL; |
820 | int is_p10 = req_type == OSSL_CMP_PKIBODY_P10CR; | |
25b18e62 | 821 | int rid = is_p10 ? OSSL_CMP_CERTREQID_NONE : OSSL_CMP_CERTREQID; |
7e765f46 DDO |
822 | int rep_type = is_p10 ? OSSL_CMP_PKIBODY_CP : req_type + 1; |
823 | int res = 0; | |
824 | ||
825 | if (ctx == NULL) { | |
9311d0c4 | 826 | ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); |
7e765f46 DDO |
827 | return 0; |
828 | } | |
829 | ||
830 | if (ctx->status != OSSL_CMP_PKISTATUS_waiting) { /* not polling already */ | |
5e128ed1 | 831 | if (!initial_certreq(ctx, req_type, crm, &rep, rep_type)) |
7e765f46 | 832 | goto err; |
192bfec4 RR |
833 | |
834 | if (!save_senderNonce_if_waiting(ctx, rep, rid)) | |
835 | return 0; | |
7e765f46 DDO |
836 | } else { |
837 | if (req_type < 0) | |
838 | return ossl_cmp_exchange_error(ctx, OSSL_CMP_PKISTATUS_rejection, | |
6f6c8b0e P |
839 | 0, "polling aborted", |
840 | 0 /* errorCode */, "by application"); | |
7e765f46 DDO |
841 | res = poll_for_response(ctx, 0 /* no sleep */, rid, &rep, checkAfter); |
842 | if (res <= 0) /* waiting or error */ | |
843 | return res; | |
844 | } | |
845 | res = cert_response(ctx, 0 /* no sleep */, rid, &rep, checkAfter, | |
846 | req_type, rep_type); | |
847 | ||
848 | err: | |
7e765f46 DDO |
849 | OSSL_CMP_MSG_free(rep); |
850 | return res; | |
851 | } | |
852 | ||
853 | /*- | |
854 | * Do the full sequence CR/IR/KUR/P10CR, CP/IP/KUP/CP, | |
855 | * certConf, PKIconf, and polling if required. | |
856 | * Will sleep as long as indicated by the server (according to checkAfter). | |
857 | * All enrollment options need to be present in the context. | |
7e765f46 DDO |
858 | * Returns pointer to received certificate, or NULL if none was received. |
859 | */ | |
299e0f1e DDO |
860 | X509 *OSSL_CMP_exec_certreq(OSSL_CMP_CTX *ctx, int req_type, |
861 | const OSSL_CRMF_MSG *crm) | |
7e765f46 | 862 | { |
7e765f46 | 863 | OSSL_CMP_MSG *rep = NULL; |
299e0f1e | 864 | int is_p10 = req_type == OSSL_CMP_PKIBODY_P10CR; |
25b18e62 | 865 | int rid = is_p10 ? OSSL_CMP_CERTREQID_NONE : OSSL_CMP_CERTREQID; |
299e0f1e | 866 | int rep_type = is_p10 ? OSSL_CMP_PKIBODY_CP : req_type + 1; |
7e765f46 DDO |
867 | X509 *result = NULL; |
868 | ||
869 | if (ctx == NULL) { | |
9311d0c4 | 870 | ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); |
7e765f46 DDO |
871 | return NULL; |
872 | } | |
7e765f46 | 873 | |
5e128ed1 | 874 | if (!initial_certreq(ctx, req_type, crm, &rep, rep_type)) |
7e765f46 DDO |
875 | goto err; |
876 | ||
192bfec4 RR |
877 | if (!save_senderNonce_if_waiting(ctx, rep, rid)) |
878 | return 0; | |
879 | ||
7e765f46 DDO |
880 | if (cert_response(ctx, 1 /* sleep */, rid, &rep, NULL, req_type, rep_type) |
881 | <= 0) | |
882 | goto err; | |
883 | ||
884 | result = ctx->newCert; | |
885 | err: | |
7e765f46 DDO |
886 | OSSL_CMP_MSG_free(rep); |
887 | return result; | |
888 | } | |
889 | ||
3d46c81a | 890 | int OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx) |
7e765f46 DDO |
891 | { |
892 | OSSL_CMP_MSG *rr = NULL; | |
893 | OSSL_CMP_MSG *rp = NULL; | |
894 | const int num_RevDetails = 1; | |
895 | const int rsid = OSSL_CMP_REVREQSID; | |
896 | OSSL_CMP_REVREPCONTENT *rrep = NULL; | |
897 | OSSL_CMP_PKISI *si = NULL; | |
898 | char buf[OSSL_CMP_PKISI_BUFLEN]; | |
3d46c81a | 899 | int ret = 0; |
7e765f46 DDO |
900 | |
901 | if (ctx == NULL) { | |
9311d0c4 | 902 | ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS); |
7e765f46 DDO |
903 | return 0; |
904 | } | |
19ddcc4c | 905 | ctx->status = OSSL_CMP_PKISTATUS_request; |
1d32ec20 RR |
906 | if (ctx->oldCert == NULL && ctx->p10CSR == NULL |
907 | && (ctx->serialNumber == NULL || ctx->issuer == NULL)) { | |
9311d0c4 | 908 | ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_REFERENCE_CERT); |
753283cd DDO |
909 | return 0; |
910 | } | |
7e765f46 DDO |
911 | |
912 | /* OSSL_CMP_rr_new() also checks if all necessary options are set */ | |
913 | if ((rr = ossl_cmp_rr_new(ctx)) == NULL) | |
914 | goto end; | |
915 | ||
19ddcc4c | 916 | ctx->status = OSSL_CMP_PKISTATUS_trans; |
192bfec4 | 917 | if (!send_receive_also_delayed(ctx, rr, &rp, OSSL_CMP_PKIBODY_RP)) |
7e765f46 DDO |
918 | goto end; |
919 | ||
920 | rrep = rp->body->value.rp; | |
e599d0ae | 921 | #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION |
7e765f46 | 922 | if (sk_OSSL_CMP_PKISI_num(rrep->status) != num_RevDetails) { |
9311d0c4 | 923 | ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_RP_COMPONENT_COUNT); |
7e765f46 DDO |
924 | goto end; |
925 | } | |
e599d0ae DDO |
926 | #else |
927 | if (sk_OSSL_CMP_PKISI_num(rrep->status) < 1) { | |
9311d0c4 | 928 | ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_RP_COMPONENT_COUNT); |
e599d0ae DDO |
929 | goto end; |
930 | } | |
931 | #endif | |
7e765f46 DDO |
932 | |
933 | /* evaluate PKIStatus field */ | |
934 | si = ossl_cmp_revrepcontent_get_pkisi(rrep, rsid); | |
935 | if (!save_statusInfo(ctx, si)) | |
936 | goto err; | |
937 | switch (ossl_cmp_pkisi_get_status(si)) { | |
938 | case OSSL_CMP_PKISTATUS_accepted: | |
939 | ossl_cmp_info(ctx, "revocation accepted (PKIStatus=accepted)"); | |
3d46c81a | 940 | ret = 1; |
7e765f46 DDO |
941 | break; |
942 | case OSSL_CMP_PKISTATUS_grantedWithMods: | |
943 | ossl_cmp_info(ctx, "revocation accepted (PKIStatus=grantedWithMods)"); | |
3d46c81a | 944 | ret = 1; |
7e765f46 DDO |
945 | break; |
946 | case OSSL_CMP_PKISTATUS_rejection: | |
9311d0c4 | 947 | ERR_raise(ERR_LIB_CMP, CMP_R_REQUEST_REJECTED_BY_SERVER); |
7e765f46 DDO |
948 | goto err; |
949 | case OSSL_CMP_PKISTATUS_revocationWarning: | |
950 | ossl_cmp_info(ctx, "revocation accepted (PKIStatus=revocationWarning)"); | |
3d46c81a | 951 | ret = 1; |
7e765f46 DDO |
952 | break; |
953 | case OSSL_CMP_PKISTATUS_revocationNotification: | |
954 | /* interpretation as warning or error depends on CA */ | |
955 | ossl_cmp_warn(ctx, | |
956 | "revocation accepted (PKIStatus=revocationNotification)"); | |
3d46c81a | 957 | ret = 1; |
7e765f46 DDO |
958 | break; |
959 | case OSSL_CMP_PKISTATUS_waiting: | |
960 | case OSSL_CMP_PKISTATUS_keyUpdateWarning: | |
9311d0c4 | 961 | ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKISTATUS); |
7e765f46 DDO |
962 | goto err; |
963 | default: | |
9311d0c4 | 964 | ERR_raise(ERR_LIB_CMP, CMP_R_UNKNOWN_PKISTATUS); |
7e765f46 DDO |
965 | goto err; |
966 | } | |
967 | ||
5e128ed1 | 968 | /* check any present CertId in optional revCerts field */ |
3d46c81a | 969 | if (sk_OSSL_CRMF_CERTID_num(rrep->revCerts) >= 1) { |
7e765f46 DDO |
970 | OSSL_CRMF_CERTID *cid; |
971 | OSSL_CRMF_CERTTEMPLATE *tmpl = | |
972 | sk_OSSL_CMP_REVDETAILS_value(rr->body->value.rr, rsid)->certDetails; | |
973 | const X509_NAME *issuer = OSSL_CRMF_CERTTEMPLATE_get0_issuer(tmpl); | |
357bfe73 DDO |
974 | const ASN1_INTEGER *serial = |
975 | OSSL_CRMF_CERTTEMPLATE_get0_serialNumber(tmpl); | |
7e765f46 DDO |
976 | |
977 | if (sk_OSSL_CRMF_CERTID_num(rrep->revCerts) != num_RevDetails) { | |
9311d0c4 | 978 | ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_RP_COMPONENT_COUNT); |
3d46c81a | 979 | ret = 0; |
7e765f46 DDO |
980 | goto err; |
981 | } | |
982 | if ((cid = ossl_cmp_revrepcontent_get_CertId(rrep, rsid)) == NULL) { | |
7df56ada | 983 | ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_CERTID); |
3d46c81a | 984 | ret = 0; |
7e765f46 DDO |
985 | goto err; |
986 | } | |
987 | if (X509_NAME_cmp(issuer, OSSL_CRMF_CERTID_get0_issuer(cid)) != 0) { | |
e599d0ae | 988 | #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION |
9311d0c4 | 989 | ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_CERTID_IN_RP); |
3d46c81a | 990 | ret = 0; |
7e765f46 | 991 | goto err; |
e599d0ae | 992 | #endif |
7e765f46 DDO |
993 | } |
994 | if (ASN1_INTEGER_cmp(serial, | |
995 | OSSL_CRMF_CERTID_get0_serialNumber(cid)) != 0) { | |
e599d0ae | 996 | #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION |
9311d0c4 | 997 | ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_SERIAL_IN_RP); |
3d46c81a | 998 | ret = 0; |
7e765f46 | 999 | goto err; |
e599d0ae | 1000 | #endif |
7e765f46 DDO |
1001 | } |
1002 | } | |
1003 | ||
1004 | /* check number of any optionally present crls */ | |
1005 | if (rrep->crls != NULL && sk_X509_CRL_num(rrep->crls) != num_RevDetails) { | |
9311d0c4 | 1006 | ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_RP_COMPONENT_COUNT); |
3d46c81a | 1007 | ret = 0; |
7e765f46 DDO |
1008 | goto err; |
1009 | } | |
1010 | ||
1011 | err: | |
3d46c81a | 1012 | if (ret == 0 |
7e765f46 DDO |
1013 | && OSSL_CMP_CTX_snprint_PKIStatus(ctx, buf, sizeof(buf)) != NULL) |
1014 | ERR_add_error_data(1, buf); | |
1015 | ||
1016 | end: | |
1017 | OSSL_CMP_MSG_free(rr); | |
1018 | OSSL_CMP_MSG_free(rp); | |
3d46c81a | 1019 | return ret; |
7e765f46 DDO |
1020 | } |
1021 | ||
1022 | STACK_OF(OSSL_CMP_ITAV) *OSSL_CMP_exec_GENM_ses(OSSL_CMP_CTX *ctx) | |
1023 | { | |
1024 | OSSL_CMP_MSG *genm; | |
1025 | OSSL_CMP_MSG *genp = NULL; | |
19ddcc4c | 1026 | STACK_OF(OSSL_CMP_ITAV) *itavs = NULL; |
7e765f46 DDO |
1027 | |
1028 | if (ctx == NULL) { | |
9311d0c4 | 1029 | ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS); |
19ddcc4c | 1030 | return NULL; |
7e765f46 | 1031 | } |
19ddcc4c | 1032 | ctx->status = OSSL_CMP_PKISTATUS_request; |
7e765f46 DDO |
1033 | |
1034 | if ((genm = ossl_cmp_genm_new(ctx)) == NULL) | |
1035 | goto err; | |
1036 | ||
19ddcc4c | 1037 | ctx->status = OSSL_CMP_PKISTATUS_trans; |
192bfec4 | 1038 | if (!send_receive_also_delayed(ctx, genm, &genp, OSSL_CMP_PKIBODY_GENP)) |
7e765f46 | 1039 | goto err; |
19ddcc4c | 1040 | ctx->status = OSSL_CMP_PKISTATUS_accepted; |
7e765f46 | 1041 | |
19ddcc4c DDO |
1042 | itavs = genp->body->value.genp; |
1043 | if (itavs == NULL) | |
1044 | itavs = sk_OSSL_CMP_ITAV_new_null(); | |
7e765f46 | 1045 | /* received stack of itavs not to be freed with the genp */ |
7e765f46 DDO |
1046 | genp->body->value.genp = NULL; |
1047 | ||
1048 | err: | |
1049 | OSSL_CMP_MSG_free(genm); | |
1050 | OSSL_CMP_MSG_free(genp); | |
1051 | ||
19ddcc4c | 1052 | return itavs; /* NULL indicates error case */ |
7e765f46 | 1053 | } |