]>
Commit | Line | Data |
---|---|---|
a61b7f2f | 1 | /*- |
da1c088f | 2 | * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. |
a61b7f2f | 3 | * Copyright Nokia 2007-2018 |
8869ad4a | 4 | * Copyright Siemens AG 2015-2019 |
a61b7f2f | 5 | * |
ce9b9964 | 6 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
a61b7f2f DO |
7 | * this file except in compliance with the License. You can obtain a copy |
8 | * in the file LICENSE in the source distribution or at | |
9 | * https://www.openssl.org/source/license.html | |
10 | * | |
11 | * CRMF implementation by Martin Peylo, Miikka Viljanen, and David von Oheimb. | |
12 | */ | |
13 | ||
14 | /* | |
15 | * This file contains the functions that handle the individual items inside | |
16 | * the CRMF structures | |
17 | */ | |
18 | ||
19 | /* | |
20 | * NAMING | |
21 | * | |
22 | * The 0 functions use the supplied structure pointer directly in the parent and | |
23 | * it will be freed up when the parent is freed. | |
24 | * | |
25 | * The 1 functions use a copy of the supplied structure pointer (or in some | |
26 | * cases increases its link count) in the parent and so both should be freed up. | |
27 | */ | |
28 | ||
29 | #include <openssl/asn1t.h> | |
30 | ||
706457b7 | 31 | #include "crmf_local.h" |
eaf8a40d | 32 | #include "internal/sizes.h" |
36b91a19 | 33 | #include "crypto/evp.h" |
293ab820 | 34 | #include "crypto/x509.h" |
a61b7f2f DO |
35 | |
36 | /* explicit #includes not strictly needed since implied by the above: */ | |
37 | #include <openssl/crmf.h> | |
38 | #include <openssl/err.h> | |
39 | #include <openssl/evp.h> | |
40 | ||
41 | /*- | |
42 | * atyp = Attribute Type | |
43 | * valt = Value Type | |
44 | * ctrlinf = "regCtrl" or "regInfo" | |
45 | */ | |
7df56ada DDO |
46 | #define IMPLEMENT_CRMF_CTRL_FUNC(atyp, valt, ctrlinf) \ |
47 | valt *OSSL_CRMF_MSG_get0_##ctrlinf##_##atyp(const OSSL_CRMF_MSG *msg) \ | |
48 | { \ | |
49 | int i; \ | |
50 | STACK_OF(OSSL_CRMF_ATTRIBUTETYPEANDVALUE) *controls; \ | |
51 | OSSL_CRMF_ATTRIBUTETYPEANDVALUE *atav = NULL; \ | |
52 | \ | |
53 | if (msg == NULL || msg->certReq == NULL) \ | |
54 | return NULL; \ | |
55 | controls = msg->certReq->controls; \ | |
56 | for (i = 0; i < sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_num(controls); i++) { \ | |
57 | atav = sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_value(controls, i); \ | |
58 | if (OBJ_obj2nid(atav->type) == NID_id_##ctrlinf##_##atyp) \ | |
59 | return atav->value.atyp; \ | |
60 | } \ | |
61 | return NULL; \ | |
62 | } \ | |
63 | \ | |
64 | int OSSL_CRMF_MSG_set1_##ctrlinf##_##atyp(OSSL_CRMF_MSG *msg, const valt *in) \ | |
a61b7f2f DO |
65 | { \ |
66 | OSSL_CRMF_ATTRIBUTETYPEANDVALUE *atav = NULL; \ | |
67 | \ | |
7df56ada | 68 | if (msg == NULL || in == NULL) \ |
a61b7f2f DO |
69 | goto err; \ |
70 | if ((atav = OSSL_CRMF_ATTRIBUTETYPEANDVALUE_new()) == NULL) \ | |
71 | goto err; \ | |
72 | if ((atav->type = OBJ_nid2obj(NID_id_##ctrlinf##_##atyp)) == NULL) \ | |
73 | goto err; \ | |
74 | if ((atav->value.atyp = valt##_dup(in)) == NULL) \ | |
75 | goto err; \ | |
76 | if (!OSSL_CRMF_MSG_push0_##ctrlinf(msg, atav)) \ | |
77 | goto err; \ | |
78 | return 1; \ | |
79 | err: \ | |
80 | OSSL_CRMF_ATTRIBUTETYPEANDVALUE_free(atav); \ | |
81 | return 0; \ | |
82 | } | |
83 | ||
a61b7f2f DO |
84 | /*- |
85 | * Pushes the given control attribute into the controls stack of a CertRequest | |
86 | * (section 6) | |
87 | * returns 1 on success, 0 on error | |
88 | */ | |
89 | static int OSSL_CRMF_MSG_push0_regCtrl(OSSL_CRMF_MSG *crm, | |
90 | OSSL_CRMF_ATTRIBUTETYPEANDVALUE *ctrl) | |
91 | { | |
92 | int new = 0; | |
93 | ||
94 | if (crm == NULL || crm->certReq == NULL || ctrl == NULL) { | |
9311d0c4 | 95 | ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT); |
a61b7f2f DO |
96 | return 0; |
97 | } | |
98 | ||
99 | if (crm->certReq->controls == NULL) { | |
100 | crm->certReq->controls = sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_new_null(); | |
101 | if (crm->certReq->controls == NULL) | |
7960dbec | 102 | goto err; |
a61b7f2f DO |
103 | new = 1; |
104 | } | |
105 | if (!sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_push(crm->certReq->controls, ctrl)) | |
7960dbec | 106 | goto err; |
a61b7f2f DO |
107 | |
108 | return 1; | |
7960dbec | 109 | err: |
a61b7f2f DO |
110 | if (new != 0) { |
111 | sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_free(crm->certReq->controls); | |
112 | crm->certReq->controls = NULL; | |
113 | } | |
114 | return 0; | |
115 | } | |
116 | ||
3dbc5156 | 117 | /* id-regCtrl-regToken Control (section 6.1) */ |
a61b7f2f DO |
118 | IMPLEMENT_CRMF_CTRL_FUNC(regToken, ASN1_STRING, regCtrl) |
119 | ||
3dbc5156 | 120 | /* id-regCtrl-authenticator Control (section 6.2) */ |
a61b7f2f DO |
121 | #define ASN1_UTF8STRING_dup ASN1_STRING_dup |
122 | IMPLEMENT_CRMF_CTRL_FUNC(authenticator, ASN1_UTF8STRING, regCtrl) | |
123 | ||
124 | int OSSL_CRMF_MSG_set0_SinglePubInfo(OSSL_CRMF_SINGLEPUBINFO *spi, | |
125 | int method, GENERAL_NAME *nm) | |
126 | { | |
127 | if (spi == NULL | |
128 | || method < OSSL_CRMF_PUB_METHOD_DONTCARE | |
129 | || method > OSSL_CRMF_PUB_METHOD_LDAP) { | |
9311d0c4 | 130 | ERR_raise(ERR_LIB_CRMF, ERR_R_PASSED_INVALID_ARGUMENT); |
a61b7f2f DO |
131 | return 0; |
132 | } | |
133 | ||
134 | if (!ASN1_INTEGER_set(spi->pubMethod, method)) | |
135 | return 0; | |
136 | GENERAL_NAME_free(spi->pubLocation); | |
137 | spi->pubLocation = nm; | |
138 | return 1; | |
139 | } | |
140 | ||
235595c4 DDO |
141 | int |
142 | OSSL_CRMF_MSG_PKIPublicationInfo_push0_SinglePubInfo(OSSL_CRMF_PKIPUBLICATIONINFO *pi, | |
143 | OSSL_CRMF_SINGLEPUBINFO *spi) | |
a61b7f2f DO |
144 | { |
145 | if (pi == NULL || spi == NULL) { | |
9311d0c4 | 146 | ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT); |
a61b7f2f DO |
147 | return 0; |
148 | } | |
149 | if (pi->pubInfos == NULL) | |
150 | pi->pubInfos = sk_OSSL_CRMF_SINGLEPUBINFO_new_null(); | |
151 | if (pi->pubInfos == NULL) | |
7960dbec | 152 | return 0; |
a61b7f2f | 153 | |
7960dbec | 154 | return sk_OSSL_CRMF_SINGLEPUBINFO_push(pi->pubInfos, spi); |
a61b7f2f DO |
155 | } |
156 | ||
235595c4 DDO |
157 | int OSSL_CRMF_MSG_set_PKIPublicationInfo_action(OSSL_CRMF_PKIPUBLICATIONINFO *pi, |
158 | int action) | |
a61b7f2f DO |
159 | { |
160 | if (pi == NULL | |
161 | || action < OSSL_CRMF_PUB_ACTION_DONTPUBLISH | |
162 | || action > OSSL_CRMF_PUB_ACTION_PLEASEPUBLISH) { | |
9311d0c4 | 163 | ERR_raise(ERR_LIB_CRMF, ERR_R_PASSED_INVALID_ARGUMENT); |
a61b7f2f DO |
164 | return 0; |
165 | } | |
166 | ||
167 | return ASN1_INTEGER_set(pi->action, action); | |
168 | } | |
169 | ||
3dbc5156 | 170 | /* id-regCtrl-pkiPublicationInfo Control (section 6.3) */ |
a61b7f2f DO |
171 | IMPLEMENT_CRMF_CTRL_FUNC(pkiPublicationInfo, OSSL_CRMF_PKIPUBLICATIONINFO, |
172 | regCtrl) | |
173 | ||
3dbc5156 | 174 | /* id-regCtrl-oldCertID Control (section 6.5) from the given */ |
a61b7f2f DO |
175 | IMPLEMENT_CRMF_CTRL_FUNC(oldCertID, OSSL_CRMF_CERTID, regCtrl) |
176 | ||
177 | OSSL_CRMF_CERTID *OSSL_CRMF_CERTID_gen(const X509_NAME *issuer, | |
178 | const ASN1_INTEGER *serial) | |
179 | { | |
180 | OSSL_CRMF_CERTID *cid = NULL; | |
181 | ||
182 | if (issuer == NULL || serial == NULL) { | |
9311d0c4 | 183 | ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT); |
a61b7f2f DO |
184 | return NULL; |
185 | } | |
186 | ||
187 | if ((cid = OSSL_CRMF_CERTID_new()) == NULL) | |
7960dbec | 188 | goto err; |
a61b7f2f DO |
189 | |
190 | if (!X509_NAME_set(&cid->issuer->d.directoryName, issuer)) | |
7960dbec | 191 | goto err; |
a61b7f2f DO |
192 | cid->issuer->type = GEN_DIRNAME; |
193 | ||
194 | ASN1_INTEGER_free(cid->serialNumber); | |
195 | if ((cid->serialNumber = ASN1_INTEGER_dup(serial)) == NULL) | |
7960dbec | 196 | goto err; |
a61b7f2f DO |
197 | |
198 | return cid; | |
199 | ||
7960dbec | 200 | err: |
a61b7f2f DO |
201 | OSSL_CRMF_CERTID_free(cid); |
202 | return NULL; | |
203 | } | |
204 | ||
3dbc5156 DDO |
205 | /* |
206 | * id-regCtrl-protocolEncrKey Control (section 6.6) | |
207 | */ | |
a61b7f2f DO |
208 | IMPLEMENT_CRMF_CTRL_FUNC(protocolEncrKey, X509_PUBKEY, regCtrl) |
209 | ||
210 | /*- | |
211 | * Pushes the attribute given in regInfo in to the CertReqMsg->regInfo stack. | |
212 | * (section 7) | |
213 | * returns 1 on success, 0 on error | |
214 | */ | |
215 | static int OSSL_CRMF_MSG_push0_regInfo(OSSL_CRMF_MSG *crm, | |
216 | OSSL_CRMF_ATTRIBUTETYPEANDVALUE *ri) | |
217 | { | |
218 | STACK_OF(OSSL_CRMF_ATTRIBUTETYPEANDVALUE) *info = NULL; | |
219 | ||
220 | if (crm == NULL || ri == NULL) { | |
9311d0c4 | 221 | ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT); |
a61b7f2f DO |
222 | return 0; |
223 | } | |
224 | ||
225 | if (crm->regInfo == NULL) | |
226 | crm->regInfo = info = sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_new_null(); | |
227 | if (crm->regInfo == NULL) | |
7960dbec | 228 | goto err; |
a61b7f2f | 229 | if (!sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_push(crm->regInfo, ri)) |
7960dbec | 230 | goto err; |
a61b7f2f DO |
231 | return 1; |
232 | ||
7960dbec | 233 | err: |
a61b7f2f DO |
234 | if (info != NULL) |
235 | crm->regInfo = NULL; | |
236 | sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_free(info); | |
237 | return 0; | |
238 | } | |
239 | ||
240 | /* id-regInfo-utf8Pairs to regInfo (section 7.1) */ | |
241 | IMPLEMENT_CRMF_CTRL_FUNC(utf8Pairs, ASN1_UTF8STRING, regInfo) | |
242 | ||
243 | /* id-regInfo-certReq to regInfo (section 7.2) */ | |
244 | IMPLEMENT_CRMF_CTRL_FUNC(certReq, OSSL_CRMF_CERTREQUEST, regInfo) | |
245 | ||
a61b7f2f DO |
246 | /* retrieves the certificate template of crm */ |
247 | OSSL_CRMF_CERTTEMPLATE *OSSL_CRMF_MSG_get0_tmpl(const OSSL_CRMF_MSG *crm) | |
248 | { | |
249 | if (crm == NULL || crm->certReq == NULL) { | |
9311d0c4 | 250 | ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT); |
a61b7f2f DO |
251 | return NULL; |
252 | } | |
253 | return crm->certReq->certTemplate; | |
254 | } | |
255 | ||
11baa470 DDO |
256 | int OSSL_CRMF_MSG_set0_validity(OSSL_CRMF_MSG *crm, |
257 | ASN1_TIME *notBefore, ASN1_TIME *notAfter) | |
a61b7f2f | 258 | { |
11baa470 | 259 | OSSL_CRMF_OPTIONALVALIDITY *vld; |
a61b7f2f DO |
260 | OSSL_CRMF_CERTTEMPLATE *tmpl = OSSL_CRMF_MSG_get0_tmpl(crm); |
261 | ||
262 | if (tmpl == NULL) { /* also crm == NULL implies this */ | |
9311d0c4 | 263 | ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT); |
a61b7f2f DO |
264 | return 0; |
265 | } | |
266 | ||
a61b7f2f | 267 | if ((vld = OSSL_CRMF_OPTIONALVALIDITY_new()) == NULL) |
11baa470 DDO |
268 | return 0; |
269 | vld->notBefore = notBefore; | |
270 | vld->notAfter = notAfter; | |
a61b7f2f | 271 | tmpl->validity = vld; |
a61b7f2f | 272 | return 1; |
a61b7f2f DO |
273 | } |
274 | ||
a61b7f2f DO |
275 | int OSSL_CRMF_MSG_set_certReqId(OSSL_CRMF_MSG *crm, int rid) |
276 | { | |
277 | if (crm == NULL || crm->certReq == NULL || crm->certReq->certReqId == NULL) { | |
9311d0c4 | 278 | ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT); |
a61b7f2f DO |
279 | return 0; |
280 | } | |
281 | ||
282 | return ASN1_INTEGER_set(crm->certReq->certReqId, rid); | |
283 | } | |
284 | ||
285 | /* get ASN.1 encoded integer, return -1 on error */ | |
aac96e27 | 286 | static int crmf_asn1_get_int(const ASN1_INTEGER *a) |
a61b7f2f DO |
287 | { |
288 | int64_t res; | |
289 | ||
290 | if (!ASN1_INTEGER_get_int64(&res, a)) { | |
9311d0c4 | 291 | ERR_raise(ERR_LIB_CRMF, ASN1_R_INVALID_NUMBER); |
a61b7f2f DO |
292 | return -1; |
293 | } | |
294 | if (res < INT_MIN) { | |
9311d0c4 | 295 | ERR_raise(ERR_LIB_CRMF, ASN1_R_TOO_SMALL); |
a61b7f2f DO |
296 | return -1; |
297 | } | |
298 | if (res > INT_MAX) { | |
9311d0c4 | 299 | ERR_raise(ERR_LIB_CRMF, ASN1_R_TOO_LARGE); |
a61b7f2f DO |
300 | return -1; |
301 | } | |
302 | return (int)res; | |
303 | } | |
304 | ||
62dcd2aa | 305 | int OSSL_CRMF_MSG_get_certReqId(const OSSL_CRMF_MSG *crm) |
a61b7f2f DO |
306 | { |
307 | if (crm == NULL || /* not really needed: */ crm->certReq == NULL) { | |
9311d0c4 | 308 | ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT); |
a61b7f2f DO |
309 | return -1; |
310 | } | |
aac96e27 | 311 | return crmf_asn1_get_int(crm->certReq->certReqId); |
a61b7f2f DO |
312 | } |
313 | ||
a61b7f2f DO |
314 | int OSSL_CRMF_MSG_set0_extensions(OSSL_CRMF_MSG *crm, |
315 | X509_EXTENSIONS *exts) | |
316 | { | |
317 | OSSL_CRMF_CERTTEMPLATE *tmpl = OSSL_CRMF_MSG_get0_tmpl(crm); | |
318 | ||
319 | if (tmpl == NULL) { /* also crm == NULL implies this */ | |
9311d0c4 | 320 | ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT); |
a61b7f2f DO |
321 | return 0; |
322 | } | |
323 | ||
324 | if (sk_X509_EXTENSION_num(exts) == 0) { | |
325 | sk_X509_EXTENSION_free(exts); | |
326 | exts = NULL; /* do not include empty extensions list */ | |
327 | } | |
328 | ||
329 | sk_X509_EXTENSION_pop_free(tmpl->extensions, X509_EXTENSION_free); | |
330 | tmpl->extensions = exts; | |
331 | return 1; | |
332 | } | |
333 | ||
a61b7f2f | 334 | int OSSL_CRMF_MSG_push0_extension(OSSL_CRMF_MSG *crm, |
7960dbec | 335 | X509_EXTENSION *ext) |
a61b7f2f DO |
336 | { |
337 | int new = 0; | |
338 | OSSL_CRMF_CERTTEMPLATE *tmpl = OSSL_CRMF_MSG_get0_tmpl(crm); | |
339 | ||
340 | if (tmpl == NULL || ext == NULL) { /* also crm == NULL implies this */ | |
9311d0c4 | 341 | ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT); |
a61b7f2f DO |
342 | return 0; |
343 | } | |
344 | ||
345 | if (tmpl->extensions == NULL) { | |
346 | if ((tmpl->extensions = sk_X509_EXTENSION_new_null()) == NULL) | |
7960dbec | 347 | goto err; |
a61b7f2f DO |
348 | new = 1; |
349 | } | |
350 | ||
7960dbec DDO |
351 | if (!sk_X509_EXTENSION_push(tmpl->extensions, ext)) |
352 | goto err; | |
a61b7f2f | 353 | return 1; |
7960dbec | 354 | err: |
a61b7f2f DO |
355 | if (new != 0) { |
356 | sk_X509_EXTENSION_free(tmpl->extensions); | |
357 | tmpl->extensions = NULL; | |
358 | } | |
359 | return 0; | |
360 | } | |
361 | ||
6d1f50b5 DDO |
362 | static int create_popo_signature(OSSL_CRMF_POPOSIGNINGKEY *ps, |
363 | const OSSL_CRMF_CERTREQUEST *cr, | |
364 | EVP_PKEY *pkey, const EVP_MD *digest, | |
b4250010 | 365 | OSSL_LIB_CTX *libctx, const char *propq) |
a61b7f2f | 366 | { |
de56f726 | 367 | char name[80] = ""; |
293ab820 | 368 | EVP_PKEY *pub; |
de56f726 | 369 | |
a61b7f2f | 370 | if (ps == NULL || cr == NULL || pkey == NULL) { |
9311d0c4 | 371 | ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT); |
a61b7f2f DO |
372 | return 0; |
373 | } | |
293ab820 DDO |
374 | pub = X509_PUBKEY_get0(cr->certTemplate->publicKey); |
375 | if (!ossl_x509_check_private_key(pub, pkey)) | |
376 | return 0; | |
377 | ||
6d1f50b5 | 378 | if (ps->poposkInput != NULL) { |
e0a7ef0b | 379 | /* We do not support cases 1+2 defined in RFC 4211, section 4.1 */ |
9311d0c4 | 380 | ERR_raise(ERR_LIB_CRMF, CRMF_R_POPOSKINPUT_NOT_SUPPORTED); |
db4b3d83 | 381 | return 0; |
a61b7f2f | 382 | } |
a61b7f2f | 383 | |
de56f726 DDO |
384 | if (EVP_PKEY_get_default_digest_name(pkey, name, sizeof(name)) > 0 |
385 | && strcmp(name, "UNDEF") == 0) /* at least for Ed25519, Ed448 */ | |
386 | digest = NULL; | |
387 | ||
d8652be0 | 388 | return ASN1_item_sign_ex(ASN1_ITEM_rptr(OSSL_CRMF_CERTREQUEST), |
e664ef78 DDO |
389 | ps->algorithmIdentifier, /* sets this X509_ALGOR */ |
390 | NULL, ps->signature, /* sets the ASN1_BIT_STRING */ | |
391 | cr, NULL, pkey, digest, libctx, propq); | |
a61b7f2f DO |
392 | } |
393 | ||
6d1f50b5 DDO |
394 | int OSSL_CRMF_MSG_create_popo(int meth, OSSL_CRMF_MSG *crm, |
395 | EVP_PKEY *pkey, const EVP_MD *digest, | |
b4250010 | 396 | OSSL_LIB_CTX *libctx, const char *propq) |
a61b7f2f DO |
397 | { |
398 | OSSL_CRMF_POPO *pp = NULL; | |
399 | ASN1_INTEGER *tag = NULL; | |
400 | ||
6d1f50b5 | 401 | if (crm == NULL || (meth == OSSL_CRMF_POPO_SIGNATURE && pkey == NULL)) { |
9311d0c4 | 402 | ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT); |
a61b7f2f DO |
403 | return 0; |
404 | } | |
405 | ||
6d1f50b5 | 406 | if (meth == OSSL_CRMF_POPO_NONE) |
a61b7f2f DO |
407 | goto end; |
408 | if ((pp = OSSL_CRMF_POPO_new()) == NULL) | |
7960dbec | 409 | goto err; |
6d1f50b5 | 410 | pp->type = meth; |
a61b7f2f | 411 | |
6d1f50b5 | 412 | switch (meth) { |
a61b7f2f DO |
413 | case OSSL_CRMF_POPO_RAVERIFIED: |
414 | if ((pp->value.raVerified = ASN1_NULL_new()) == NULL) | |
7960dbec | 415 | goto err; |
a61b7f2f DO |
416 | break; |
417 | ||
418 | case OSSL_CRMF_POPO_SIGNATURE: | |
419 | { | |
420 | OSSL_CRMF_POPOSIGNINGKEY *ps = OSSL_CRMF_POPOSIGNINGKEY_new(); | |
6d1f50b5 DDO |
421 | |
422 | if (ps == NULL) | |
423 | goto err; | |
424 | if (!create_popo_signature(ps, crm->certReq, pkey, digest, | |
425 | libctx, propq)) { | |
a61b7f2f DO |
426 | OSSL_CRMF_POPOSIGNINGKEY_free(ps); |
427 | goto err; | |
428 | } | |
429 | pp->value.signature = ps; | |
430 | } | |
431 | break; | |
432 | ||
433 | case OSSL_CRMF_POPO_KEYENC: | |
434 | if ((pp->value.keyEncipherment = OSSL_CRMF_POPOPRIVKEY_new()) == NULL) | |
7960dbec | 435 | goto err; |
a61b7f2f DO |
436 | tag = ASN1_INTEGER_new(); |
437 | pp->value.keyEncipherment->type = | |
438 | OSSL_CRMF_POPOPRIVKEY_SUBSEQUENTMESSAGE; | |
439 | pp->value.keyEncipherment->value.subsequentMessage = tag; | |
440 | if (tag == NULL | |
441 | || !ASN1_INTEGER_set(tag, OSSL_CRMF_SUBSEQUENTMESSAGE_ENCRCERT)) | |
7960dbec | 442 | goto err; |
a61b7f2f DO |
443 | break; |
444 | ||
445 | default: | |
9311d0c4 | 446 | ERR_raise(ERR_LIB_CRMF, CRMF_R_UNSUPPORTED_METHOD_FOR_CREATING_POPO); |
a61b7f2f DO |
447 | goto err; |
448 | } | |
449 | ||
450 | end: | |
451 | OSSL_CRMF_POPO_free(crm->popo); | |
452 | crm->popo = pp; | |
453 | ||
454 | return 1; | |
a61b7f2f DO |
455 | err: |
456 | OSSL_CRMF_POPO_free(pp); | |
457 | return 0; | |
458 | } | |
459 | ||
a61b7f2f DO |
460 | /* verifies the Proof-of-Possession of the request with the given rid in reqs */ |
461 | int OSSL_CRMF_MSGS_verify_popo(const OSSL_CRMF_MSGS *reqs, | |
6d1f50b5 | 462 | int rid, int acceptRAVerified, |
b4250010 | 463 | OSSL_LIB_CTX *libctx, const char *propq) |
a61b7f2f DO |
464 | { |
465 | OSSL_CRMF_MSG *req = NULL; | |
466 | X509_PUBKEY *pubkey = NULL; | |
467 | OSSL_CRMF_POPOSIGNINGKEY *sig = NULL; | |
6d1f50b5 DDO |
468 | const ASN1_ITEM *it; |
469 | void *asn; | |
a61b7f2f | 470 | |
7269071e | 471 | if (reqs == NULL || (req = sk_OSSL_CRMF_MSG_value(reqs, rid)) == NULL) { |
9311d0c4 | 472 | ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT); |
7269071e DDO |
473 | return 0; |
474 | } | |
475 | ||
476 | if (req->popo == NULL) { | |
9311d0c4 | 477 | ERR_raise(ERR_LIB_CRMF, CRMF_R_POPO_MISSING); |
a61b7f2f DO |
478 | return 0; |
479 | } | |
480 | ||
481 | switch (req->popo->type) { | |
482 | case OSSL_CRMF_POPO_RAVERIFIED: | |
62dcd2aa | 483 | if (!acceptRAVerified) { |
9311d0c4 | 484 | ERR_raise(ERR_LIB_CRMF, CRMF_R_POPO_RAVERIFIED_NOT_ACCEPTED); |
62dcd2aa DDO |
485 | return 0; |
486 | } | |
a61b7f2f DO |
487 | break; |
488 | case OSSL_CRMF_POPO_SIGNATURE: | |
489 | pubkey = req->certReq->certTemplate->publicKey; | |
62dcd2aa | 490 | if (pubkey == NULL) { |
9311d0c4 | 491 | ERR_raise(ERR_LIB_CRMF, CRMF_R_POPO_MISSING_PUBLIC_KEY); |
62dcd2aa DDO |
492 | return 0; |
493 | } | |
a61b7f2f DO |
494 | sig = req->popo->value.signature; |
495 | if (sig->poposkInput != NULL) { | |
496 | /* | |
497 | * According to RFC 4211: publicKey contains a copy of | |
498 | * the public key from the certificate template. This MUST be | |
499 | * exactly the same value as contained in the certificate template. | |
500 | */ | |
62dcd2aa | 501 | if (sig->poposkInput->publicKey == NULL) { |
9311d0c4 | 502 | ERR_raise(ERR_LIB_CRMF, CRMF_R_POPO_MISSING_PUBLIC_KEY); |
62dcd2aa DDO |
503 | return 0; |
504 | } | |
93f99b68 | 505 | if (X509_PUBKEY_eq(pubkey, sig->poposkInput->publicKey) != 1) { |
9311d0c4 | 506 | ERR_raise(ERR_LIB_CRMF, CRMF_R_POPO_INCONSISTENT_PUBLIC_KEY); |
62dcd2aa DDO |
507 | return 0; |
508 | } | |
084d3afd DDO |
509 | |
510 | /* | |
511 | * Should check at this point the contents of the authInfo sub-field | |
512 | * as requested in FR #19807 according to RFC 4211 section 4.1. | |
513 | */ | |
514 | ||
6d1f50b5 DDO |
515 | it = ASN1_ITEM_rptr(OSSL_CRMF_POPOSIGNINGKEYINPUT); |
516 | asn = sig->poposkInput; | |
a61b7f2f | 517 | } else { |
62dcd2aa | 518 | if (req->certReq->certTemplate->subject == NULL) { |
9311d0c4 | 519 | ERR_raise(ERR_LIB_CRMF, CRMF_R_POPO_MISSING_SUBJECT); |
62dcd2aa DDO |
520 | return 0; |
521 | } | |
6d1f50b5 DDO |
522 | it = ASN1_ITEM_rptr(OSSL_CRMF_CERTREQUEST); |
523 | asn = req->certReq; | |
a61b7f2f | 524 | } |
d8652be0 MC |
525 | if (ASN1_item_verify_ex(it, sig->algorithmIdentifier, sig->signature, |
526 | asn, NULL, X509_PUBKEY_get0(pubkey), libctx, | |
527 | propq) < 1) | |
6d1f50b5 | 528 | return 0; |
62dcd2aa | 529 | break; |
a61b7f2f | 530 | case OSSL_CRMF_POPO_KEYENC: |
084d3afd DDO |
531 | /* |
532 | * When OSSL_CMP_certrep_new() supports encrypted certs, | |
533 | * should return 1 if the type of req->popo->value.keyEncipherment | |
534 | * is OSSL_CRMF_POPOPRIVKEY_SUBSEQUENTMESSAGE and | |
535 | * its value.subsequentMessage == OSSL_CRMF_SUBSEQUENTMESSAGE_ENCRCERT | |
536 | */ | |
a61b7f2f DO |
537 | case OSSL_CRMF_POPO_KEYAGREE: |
538 | default: | |
9311d0c4 | 539 | ERR_raise(ERR_LIB_CRMF, CRMF_R_UNSUPPORTED_POPO_METHOD); |
a61b7f2f DO |
540 | return 0; |
541 | } | |
62dcd2aa | 542 | return 1; |
a61b7f2f DO |
543 | } |
544 | ||
09f30b0c | 545 | X509_PUBKEY |
357bfe73 | 546 | *OSSL_CRMF_CERTTEMPLATE_get0_publicKey(const OSSL_CRMF_CERTTEMPLATE *tmpl) |
c0f6792b DDO |
547 | { |
548 | return tmpl != NULL ? tmpl->publicKey : NULL; | |
549 | } | |
550 | ||
1986f615 | 551 | const ASN1_INTEGER |
62dcd2aa | 552 | *OSSL_CRMF_CERTTEMPLATE_get0_serialNumber(const OSSL_CRMF_CERTTEMPLATE *tmpl) |
a61b7f2f DO |
553 | { |
554 | return tmpl != NULL ? tmpl->serialNumber : NULL; | |
555 | } | |
556 | ||
7df56ada | 557 | const X509_NAME |
357bfe73 | 558 | *OSSL_CRMF_CERTTEMPLATE_get0_subject(const OSSL_CRMF_CERTTEMPLATE *tmpl) |
7df56ada DDO |
559 | { |
560 | return tmpl != NULL ? tmpl->subject : NULL; | |
561 | } | |
562 | ||
8cc86b81 | 563 | const X509_NAME |
357bfe73 | 564 | *OSSL_CRMF_CERTTEMPLATE_get0_issuer(const OSSL_CRMF_CERTTEMPLATE *tmpl) |
a61b7f2f DO |
565 | { |
566 | return tmpl != NULL ? tmpl->issuer : NULL; | |
567 | } | |
568 | ||
7df56ada | 569 | X509_EXTENSIONS |
357bfe73 | 570 | *OSSL_CRMF_CERTTEMPLATE_get0_extensions(const OSSL_CRMF_CERTTEMPLATE *tmpl) |
7df56ada DDO |
571 | { |
572 | return tmpl != NULL ? tmpl->extensions : NULL; | |
573 | } | |
574 | ||
8cc86b81 | 575 | const X509_NAME *OSSL_CRMF_CERTID_get0_issuer(const OSSL_CRMF_CERTID *cid) |
7960dbec DDO |
576 | { |
577 | return cid != NULL && cid->issuer->type == GEN_DIRNAME ? | |
578 | cid->issuer->d.directoryName : NULL; | |
579 | } | |
580 | ||
357bfe73 DDO |
581 | const ASN1_INTEGER *OSSL_CRMF_CERTID_get0_serialNumber(const OSSL_CRMF_CERTID |
582 | *cid) | |
7960dbec DDO |
583 | { |
584 | return cid != NULL ? cid->serialNumber : NULL; | |
585 | } | |
586 | ||
587 | /*- | |
8b6bbcaa DDO |
588 | * Fill in the certificate template |tmpl|. |
589 | * Any other NULL argument will leave the respective field unchanged. | |
a61b7f2f DO |
590 | */ |
591 | int OSSL_CRMF_CERTTEMPLATE_fill(OSSL_CRMF_CERTTEMPLATE *tmpl, | |
592 | EVP_PKEY *pubkey, | |
593 | const X509_NAME *subject, | |
594 | const X509_NAME *issuer, | |
595 | const ASN1_INTEGER *serial) | |
596 | { | |
597 | if (tmpl == NULL) { | |
9311d0c4 | 598 | ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT); |
a61b7f2f DO |
599 | return 0; |
600 | } | |
8cc86b81 | 601 | if (subject != NULL && !X509_NAME_set((X509_NAME **)&tmpl->subject, subject)) |
7960dbec | 602 | return 0; |
8cc86b81 | 603 | if (issuer != NULL && !X509_NAME_set((X509_NAME **)&tmpl->issuer, issuer)) |
7960dbec | 604 | return 0; |
a61b7f2f DO |
605 | if (serial != NULL) { |
606 | ASN1_INTEGER_free(tmpl->serialNumber); | |
607 | if ((tmpl->serialNumber = ASN1_INTEGER_dup(serial)) == NULL) | |
7960dbec | 608 | return 0; |
a61b7f2f DO |
609 | } |
610 | if (pubkey != NULL && !X509_PUBKEY_set(&tmpl->publicKey, pubkey)) | |
7960dbec | 611 | return 0; |
a61b7f2f | 612 | return 1; |
a61b7f2f DO |
613 | } |
614 | ||
a61b7f2f | 615 | /*- |
7960dbec DDO |
616 | * Decrypts the certificate in the given encryptedValue using private key pkey. |
617 | * This is needed for the indirect PoP method as in RFC 4210 section 5.2.8.2. | |
a61b7f2f DO |
618 | * |
619 | * returns a pointer to the decrypted certificate | |
620 | * returns NULL on error or if no certificate available | |
621 | */ | |
6d1f50b5 DDO |
622 | X509 |
623 | *OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(const OSSL_CRMF_ENCRYPTEDVALUE *ecert, | |
b4250010 | 624 | OSSL_LIB_CTX *libctx, const char *propq, |
6d1f50b5 | 625 | EVP_PKEY *pkey) |
a61b7f2f DO |
626 | { |
627 | X509 *cert = NULL; /* decrypted certificate */ | |
628 | EVP_CIPHER_CTX *evp_ctx = NULL; /* context for symmetric encryption */ | |
629 | unsigned char *ek = NULL; /* decrypted symmetric encryption key */ | |
f3f3318a | 630 | size_t eksize = 0; /* size of decrypted symmetric encryption key */ |
eaf8a40d | 631 | EVP_CIPHER *cipher = NULL; /* used cipher */ |
f3f3318a | 632 | int cikeysize = 0; /* key size from cipher */ |
a61b7f2f DO |
633 | unsigned char *iv = NULL; /* initial vector for symmetric encryption */ |
634 | unsigned char *outbuf = NULL; /* decryption output buffer */ | |
635 | const unsigned char *p = NULL; /* needed for decoding ASN1 */ | |
a61b7f2f DO |
636 | int n, outlen = 0; |
637 | EVP_PKEY_CTX *pkctx = NULL; /* private key context */ | |
eaf8a40d | 638 | char name[OSSL_MAX_NAME_SIZE]; |
a61b7f2f DO |
639 | |
640 | if (ecert == NULL || ecert->symmAlg == NULL || ecert->encSymmKey == NULL | |
641 | || ecert->encValue == NULL || pkey == NULL) { | |
9311d0c4 | 642 | ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT); |
a61b7f2f DO |
643 | return NULL; |
644 | } | |
eaf8a40d | 645 | |
f3f3318a | 646 | /* select symmetric cipher based on algorithm given in message */ |
eaf8a40d TM |
647 | OBJ_obj2txt(name, sizeof(name), ecert->symmAlg->algorithm, 0); |
648 | ||
649 | (void)ERR_set_mark(); | |
650 | cipher = EVP_CIPHER_fetch(NULL, name, NULL); | |
651 | ||
652 | if (cipher == NULL) | |
653 | cipher = (EVP_CIPHER *)EVP_get_cipherbyname(name); | |
654 | ||
655 | if (cipher == NULL) { | |
656 | (void)ERR_clear_last_mark(); | |
9311d0c4 | 657 | ERR_raise(ERR_LIB_CRMF, CRMF_R_UNSUPPORTED_CIPHER); |
f3f3318a AK |
658 | goto end; |
659 | } | |
eaf8a40d TM |
660 | (void)ERR_pop_to_mark(); |
661 | ||
ed576acd | 662 | cikeysize = EVP_CIPHER_get_key_length(cipher); |
a61b7f2f | 663 | /* first the symmetric key needs to be decrypted */ |
6d1f50b5 | 664 | pkctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, propq); |
36b91a19 DDO |
665 | if (pkctx == NULL || EVP_PKEY_decrypt_init(pkctx) <= 0 |
666 | || evp_pkey_decrypt_alloc(pkctx, &ek, &eksize, (size_t)cikeysize, | |
667 | ecert->encSymmKey->data, | |
668 | ecert->encSymmKey->length) <= 0) | |
7960dbec | 669 | goto end; |
36b91a19 | 670 | |
ed576acd | 671 | if ((iv = OPENSSL_malloc(EVP_CIPHER_get_iv_length(cipher))) == NULL) |
7960dbec | 672 | goto end; |
a61b7f2f | 673 | if (ASN1_TYPE_get_octetstring(ecert->symmAlg->parameter, iv, |
ed576acd TM |
674 | EVP_CIPHER_get_iv_length(cipher)) |
675 | != EVP_CIPHER_get_iv_length(cipher)) { | |
9311d0c4 | 676 | ERR_raise(ERR_LIB_CRMF, CRMF_R_MALFORMED_IV); |
a61b7f2f DO |
677 | goto end; |
678 | } | |
679 | ||
680 | /* | |
681 | * d2i_X509 changes the given pointer, so use p for decoding the message and | |
682 | * keep the original pointer in outbuf so the memory can be freed later | |
683 | */ | |
684 | if ((p = outbuf = OPENSSL_malloc(ecert->encValue->length + | |
ed576acd | 685 | EVP_CIPHER_get_block_size(cipher))) == NULL |
a61b7f2f | 686 | || (evp_ctx = EVP_CIPHER_CTX_new()) == NULL) |
7960dbec | 687 | goto end; |
a61b7f2f DO |
688 | EVP_CIPHER_CTX_set_padding(evp_ctx, 0); |
689 | ||
690 | if (!EVP_DecryptInit(evp_ctx, cipher, ek, iv) | |
691 | || !EVP_DecryptUpdate(evp_ctx, outbuf, &outlen, | |
692 | ecert->encValue->data, | |
693 | ecert->encValue->length) | |
694 | || !EVP_DecryptFinal(evp_ctx, outbuf + outlen, &n)) { | |
9311d0c4 | 695 | ERR_raise(ERR_LIB_CRMF, CRMF_R_ERROR_DECRYPTING_CERTIFICATE); |
a61b7f2f DO |
696 | goto end; |
697 | } | |
698 | outlen += n; | |
699 | ||
700 | /* convert decrypted certificate from DER to internal ASN.1 structure */ | |
d8652be0 | 701 | if ((cert = X509_new_ex(libctx, propq)) == NULL) |
6d1f50b5 DDO |
702 | goto end; |
703 | if (d2i_X509(&cert, &p, outlen) == NULL) | |
9311d0c4 | 704 | ERR_raise(ERR_LIB_CRMF, CRMF_R_ERROR_DECODING_CERTIFICATE); |
a61b7f2f DO |
705 | end: |
706 | EVP_PKEY_CTX_free(pkctx); | |
707 | OPENSSL_free(outbuf); | |
708 | EVP_CIPHER_CTX_free(evp_ctx); | |
eaf8a40d | 709 | EVP_CIPHER_free(cipher); |
f3f3318a | 710 | OPENSSL_clear_free(ek, eksize); |
a61b7f2f DO |
711 | OPENSSL_free(iv); |
712 | return cert; | |
713 | } |