]> git.ipfire.org Git - thirdparty/openssl.git/blob - crypto/cmp/cmp_msg.c
projects / thirdparty / openssl.git / blob
? search:


d7f0e1fff74c83f95a4d825ded052a0b15d4d7e0
[thirdparty/openssl.git] / crypto / cmp / cmp_msg.c
1 /*
2 * Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright Nokia 2007-2019
4 * Copyright Siemens AG 2015-2019
5 *
6 * Licensed under the Apache License 2.0 (the "License"). You may not use
7 * this file except in compliance with the License. You can obtain a copy
8 * in the file LICENSE in the source distribution or at
9 * https://www.openssl.org/source/license.html
10 */
11
12 /* CMP functions for PKIMessage construction */
13
14 #include "cmp_local.h"
15
16 /* explicit #includes not strictly needed since implied by the above: */
17 #include <openssl/asn1t.h>
18 #include <openssl/cmp.h>
19 #include <openssl/crmf.h>
20 #include <openssl/err.h>
21 #include <openssl/x509.h>
22 #include "crypto/x509.h" /* for x509_set0_libctx() */
23
24 DEFINE_STACK_OF(OSSL_CMP_CERTSTATUS)
25 DEFINE_STACK_OF(OSSL_CMP_ITAV)
26 DEFINE_STACK_OF(OSSL_CMP_PKISI)
27 DEFINE_STACK_OF(OSSL_CRMF_MSG)
28 DEFINE_STACK_OF(OSSL_CMP_CERTRESPONSE)
29 DEFINE_STACK_OF(OSSL_CRMF_CERTID)
30 DEFINE_STACK_OF(ASN1_UTF8STRING)
31
32 OSSL_CMP_PKIHEADER *OSSL_CMP_MSG_get0_header(const OSSL_CMP_MSG *msg)
33 {
34 if (msg == NULL) {
35 CMPerr(0, CMP_R_NULL_ARGUMENT);
36 return NULL;
37 }
38 return msg->header;
39 }
40
41 const char *ossl_cmp_bodytype_to_string(int type)
42 {
43 static const char *type_names[] = {
44 "IR", "IP", "CR", "CP", "P10CR",
45 "POPDECC", "POPDECR", "KUR", "KUP",
46 "KRR", "KRP", "RR", "RP", "CCR", "CCP",
47 "CKUANN", "CANN", "RANN", "CRLANN", "PKICONF", "NESTED",
48 "GENM", "GENP", "ERROR", "CERTCONF", "POLLREQ", "POLLREP",
49 };
50
51 if (type < 0 || type > OSSL_CMP_PKIBODY_TYPE_MAX)
52 return "illegal body type";
53 return type_names[type];
54 }
55
56 int ossl_cmp_msg_set_bodytype(OSSL_CMP_MSG *msg, int type)
57 {
58 if (!ossl_assert(msg != NULL && msg->body != NULL))
59 return 0;
60
61 msg->body->type = type;
62 return 1;
63 }
64
65 int ossl_cmp_msg_get_bodytype(const OSSL_CMP_MSG *msg)
66 {
67 if (!ossl_assert(msg != NULL && msg->body != NULL))
68 return -1;
69
70 return msg->body->type;
71 }
72
73 /* Add an extension to the referenced extension stack, which may be NULL */
74 static int add1_extension(X509_EXTENSIONS **pexts, int nid, int crit, void *ex)
75 {
76 X509_EXTENSION *ext;
77 int res;
78
79 if (!ossl_assert(pexts != NULL)) /* pointer to var must not be NULL */
80 return 0;
81
82 if ((ext = X509V3_EXT_i2d(nid, crit, ex)) == NULL)
83 return 0;
84
85 res = X509v3_add_ext(pexts, ext, 0) != NULL;
86 X509_EXTENSION_free(ext);
87 return res;
88 }
89
90 /* Add a CRL revocation reason code to extension stack, which may be NULL */
91 static int add_crl_reason_extension(X509_EXTENSIONS **pexts, int reason_code)
92 {
93 ASN1_ENUMERATED *val = ASN1_ENUMERATED_new();
94 int res = 0;
95
96 if (val != NULL && ASN1_ENUMERATED_set(val, reason_code))
97 res = add1_extension(pexts, NID_crl_reason, 0 /* non-critical */, val);
98 ASN1_ENUMERATED_free(val);
99 return res;
100 }
101
102 OSSL_CMP_MSG *ossl_cmp_msg_create(OSSL_CMP_CTX *ctx, int bodytype)
103 {
104 OSSL_CMP_MSG *msg = NULL;
105
106 if (!ossl_assert(ctx != NULL))
107 return NULL;
108
109 if ((msg = OSSL_CMP_MSG_new()) == NULL)
110 return NULL;
111 if (!ossl_cmp_hdr_init(ctx, msg->header)
112 || !ossl_cmp_msg_set_bodytype(msg, bodytype))
113 goto err;
114 if (ctx->geninfo_ITAVs != NULL
115 && !ossl_cmp_hdr_generalInfo_push1_items(msg->header,
116 ctx->geninfo_ITAVs))
117 goto err;
118
119 switch (bodytype) {
120 case OSSL_CMP_PKIBODY_IR:
121 case OSSL_CMP_PKIBODY_CR:
122 case OSSL_CMP_PKIBODY_KUR:
123 if ((msg->body->value.ir = OSSL_CRMF_MSGS_new()) == NULL)
124 goto err;
125 return msg;
126
127 case OSSL_CMP_PKIBODY_P10CR:
128 if (ctx->p10CSR == NULL) {
129 CMPerr(0, CMP_R_MISSING_P10CSR);
130 goto err;
131 }
132 if ((msg->body->value.p10cr = X509_REQ_dup(ctx->p10CSR)) == NULL)
133 goto err;
134 return msg;
135
136 case OSSL_CMP_PKIBODY_IP:
137 case OSSL_CMP_PKIBODY_CP:
138 case OSSL_CMP_PKIBODY_KUP:
139 if ((msg->body->value.ip = OSSL_CMP_CERTREPMESSAGE_new()) == NULL)
140 goto err;
141 return msg;
142
143 case OSSL_CMP_PKIBODY_RR:
144 if ((msg->body->value.rr = sk_OSSL_CMP_REVDETAILS_new_null()) == NULL)
145 goto err;
146 return msg;
147 case OSSL_CMP_PKIBODY_RP:
148 if ((msg->body->value.rp = OSSL_CMP_REVREPCONTENT_new()) == NULL)
149 goto err;
150 return msg;
151
152 case OSSL_CMP_PKIBODY_CERTCONF:
153 if ((msg->body->value.certConf =
154 sk_OSSL_CMP_CERTSTATUS_new_null()) == NULL)
155 goto err;
156 return msg;
157 case OSSL_CMP_PKIBODY_PKICONF:
158 if ((msg->body->value.pkiconf = ASN1_TYPE_new()) == NULL)
159 goto err;
160 ASN1_TYPE_set(msg->body->value.pkiconf, V_ASN1_NULL, NULL);
161 return msg;
162
163 case OSSL_CMP_PKIBODY_POLLREQ:
164 if ((msg->body->value.pollReq = sk_OSSL_CMP_POLLREQ_new_null()) == NULL)
165 goto err;
166 return msg;
167 case OSSL_CMP_PKIBODY_POLLREP:
168 if ((msg->body->value.pollRep = sk_OSSL_CMP_POLLREP_new_null()) == NULL)
169 goto err;
170 return msg;
171
172 case OSSL_CMP_PKIBODY_GENM:
173 case OSSL_CMP_PKIBODY_GENP:
174 if ((msg->body->value.genm = sk_OSSL_CMP_ITAV_new_null()) == NULL)
175 goto err;
176 return msg;
177
178 case OSSL_CMP_PKIBODY_ERROR:
179 if ((msg->body->value.error = OSSL_CMP_ERRORMSGCONTENT_new()) == NULL)
180 goto err;
181 return msg;
182
183 default:
184 CMPerr(0, CMP_R_UNEXPECTED_PKIBODY);
185 goto err;
186 }
187
188 err:
189 OSSL_CMP_MSG_free(msg);
190 return NULL;
191 }
192
193 #define HAS_SAN(ctx) \
194 (sk_GENERAL_NAME_num((ctx)->subjectAltNames) > 0 \
195 || OSSL_CMP_CTX_reqExtensions_have_SAN(ctx) == 1)
196
197 static const X509_NAME *determine_subj(OSSL_CMP_CTX *ctx, X509 *refcert,
198 int for_KUR)
199 {
200 if (ctx->subjectName != NULL)
201 return ctx->subjectName;
202
203 if (refcert != NULL && (for_KUR || !HAS_SAN(ctx)))
204 /*
205 * For KUR, copy subjectName from reference certificate.
206 * For IR or CR, do the same only if there is no subjectAltName.
207 */
208 return X509_get_subject_name(refcert);
209 return NULL;
210 }
211
212 OSSL_CRMF_MSG *OSSL_CMP_CTX_setup_CRM(OSSL_CMP_CTX *ctx, int for_KUR, int rid)
213 {
214 OSSL_CRMF_MSG *crm = NULL;
215 X509 *refcert = ctx->oldCert != NULL ? ctx->oldCert : ctx->cert;
216 /* refcert defaults to current client cert */
217 EVP_PKEY *rkey = OSSL_CMP_CTX_get0_newPkey(ctx, 0);
218 STACK_OF(GENERAL_NAME) *default_sans = NULL;
219 const X509_NAME *subject = determine_subj(ctx, refcert, for_KUR);
220 int crit = ctx->setSubjectAltNameCritical || subject == NULL;
221 /* RFC5280: subjectAltName MUST be critical if subject is null */
222 X509_EXTENSIONS *exts = NULL;
223
224 if (rkey == NULL)
225 rkey = ctx->pkey; /* default is independent of ctx->oldCert */
226 if (rkey == NULL) {
227 #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
228 CMPerr(0, CMP_R_NULL_ARGUMENT);
229 return NULL;
230 #endif
231 }
232 if (for_KUR && refcert == NULL) {
233 CMPerr(0, CMP_R_MISSING_REFERENCE_CERT);
234 return NULL;
235 }
236 if ((crm = OSSL_CRMF_MSG_new()) == NULL)
237 return NULL;
238 if (!OSSL_CRMF_MSG_set_certReqId(crm, rid)
239 /*
240 * fill certTemplate, corresponding to CertificationRequestInfo
241 * of PKCS#10. The rkey param cannot be NULL so far -
242 * it could be NULL if centralized key creation was supported
243 */
244 || !OSSL_CRMF_CERTTEMPLATE_fill(OSSL_CRMF_MSG_get0_tmpl(crm), rkey,
245 subject, ctx->issuer,
246 NULL /* serial */))
247 goto err;
248 if (ctx->days != 0) {
249 time_t now = time(NULL);
250 ASN1_TIME *notBefore = ASN1_TIME_adj(NULL, now, 0, 0);
251 ASN1_TIME *notAfter = ASN1_TIME_adj(NULL, now, ctx->days, 0);
252
253 if (notBefore == NULL
254 || notAfter == NULL
255 || !OSSL_CRMF_MSG_set0_validity(crm, notBefore, notAfter)) {
256 ASN1_TIME_free(notBefore);
257 ASN1_TIME_free(notAfter);
258 goto err;
259 }
260 }
261
262 /* extensions */
263 if (refcert != NULL && !ctx->SubjectAltName_nodefault)
264 default_sans = X509V3_get_d2i(X509_get0_extensions(refcert),
265 NID_subject_alt_name, NULL, NULL);
266 /* exts are copied from ctx to allow reuse */
267 if (ctx->reqExtensions != NULL) {
268 exts = sk_X509_EXTENSION_deep_copy(ctx->reqExtensions,
269 X509_EXTENSION_dup,
270 X509_EXTENSION_free);
271 if (exts == NULL)
272 goto err;
273 }
274 if (sk_GENERAL_NAME_num(ctx->subjectAltNames) > 0
275 && !add1_extension(&exts, NID_subject_alt_name,
276 crit, ctx->subjectAltNames))
277 goto err;
278 if (!HAS_SAN(ctx) && default_sans != NULL
279 && !add1_extension(&exts, NID_subject_alt_name, crit, default_sans))
280 goto err;
281 if (ctx->policies != NULL
282 && !add1_extension(&exts, NID_certificate_policies,
283 ctx->setPoliciesCritical, ctx->policies))
284 goto err;
285 if (!OSSL_CRMF_MSG_set0_extensions(crm, exts))
286 goto err;
287 exts = NULL;
288 /* end fill certTemplate, now set any controls */
289
290 /* for KUR, set OldCertId according to D.6 */
291 if (for_KUR) {
292 OSSL_CRMF_CERTID *cid =
293 OSSL_CRMF_CERTID_gen(X509_get_issuer_name(refcert),
294 X509_get0_serialNumber(refcert));
295 int ret;
296
297 if (cid == NULL)
298 goto err;
299 ret = OSSL_CRMF_MSG_set1_regCtrl_oldCertID(crm, cid);
300 OSSL_CRMF_CERTID_free(cid);
301 if (ret == 0)
302 goto err;
303 }
304
305 goto end;
306
307 err:
308 OSSL_CRMF_MSG_free(crm);
309 crm = NULL;
310
311 end:
312 sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
313 sk_GENERAL_NAME_pop_free(default_sans, GENERAL_NAME_free);
314 return crm;
315 }
316
317 OSSL_CMP_MSG *ossl_cmp_certreq_new(OSSL_CMP_CTX *ctx, int type,
318 const OSSL_CRMF_MSG *crm)
319 {
320 OSSL_CMP_MSG *msg;
321 OSSL_CRMF_MSG *local_crm = NULL;
322
323 if (!ossl_assert(ctx != NULL))
324 return NULL;
325
326 if (type != OSSL_CMP_PKIBODY_IR && type != OSSL_CMP_PKIBODY_CR
327 && type != OSSL_CMP_PKIBODY_KUR && type != OSSL_CMP_PKIBODY_P10CR) {
328 CMPerr(0, CMP_R_INVALID_ARGS);
329 return NULL;
330 }
331
332 if ((msg = ossl_cmp_msg_create(ctx, type)) == NULL)
333 goto err;
334
335 /* header */
336 if (ctx->implicitConfirm && !ossl_cmp_hdr_set_implicitConfirm(msg->header))
337 goto err;
338
339 /* body */
340 /* For P10CR the content has already been set in OSSL_CMP_MSG_create */
341 if (type != OSSL_CMP_PKIBODY_P10CR) {
342 EVP_PKEY *privkey = OSSL_CMP_CTX_get0_newPkey(ctx, 1);
343
344 if (privkey == NULL)
345 privkey = ctx->pkey; /* default is independent of ctx->oldCert */
346 if (ctx->popoMethod == OSSL_CRMF_POPO_SIGNATURE && privkey == NULL) {
347 CMPerr(0, CMP_R_MISSING_PRIVATE_KEY);
348 goto err;
349 }
350 if (crm == NULL) {
351 local_crm = OSSL_CMP_CTX_setup_CRM(ctx,
352 type == OSSL_CMP_PKIBODY_KUR,
353 OSSL_CMP_CERTREQID);
354 if (local_crm == NULL
355 || !OSSL_CRMF_MSG_create_popo(ctx->popoMethod, local_crm,
356 privkey, ctx->digest,
357 ctx->libctx, ctx->propq))
358 goto err;
359 } else {
360 if ((local_crm = OSSL_CRMF_MSG_dup(crm)) == NULL)
361 goto err;
362 }
363
364 /* value.ir is same for cr and kur */
365 if (!sk_OSSL_CRMF_MSG_push(msg->body->value.ir, local_crm))
366 goto err;
367 local_crm = NULL;
368 /* TODO: here optional 2nd certreqmsg could be pushed to the stack */
369 }
370
371 if (!ossl_cmp_msg_protect(ctx, msg))
372 goto err;
373
374 return msg;
375
376 err:
377 CMPerr(0, CMP_R_ERROR_CREATING_CERTREQ);
378 OSSL_CRMF_MSG_free(local_crm);
379 OSSL_CMP_MSG_free(msg);
380 return NULL;
381 }
382
383 OSSL_CMP_MSG *ossl_cmp_certrep_new(OSSL_CMP_CTX *ctx, int bodytype,
384 int certReqId, OSSL_CMP_PKISI *si,
385 X509 *cert, STACK_OF(X509) *chain,
386 STACK_OF(X509) *caPubs, int encrypted,
387 int unprotectedErrors)
388 {
389 OSSL_CMP_MSG *msg = NULL;
390 OSSL_CMP_CERTREPMESSAGE *repMsg = NULL;
391 OSSL_CMP_CERTRESPONSE *resp = NULL;
392 int status = -1;
393
394 if (!ossl_assert(ctx != NULL && si != NULL))
395 return NULL;
396
397 if ((msg = ossl_cmp_msg_create(ctx, bodytype)) == NULL)
398 goto err;
399 repMsg = msg->body->value.ip; /* value.ip is same for cp and kup */
400
401 /* header */
402 if (ctx->implicitConfirm && !ossl_cmp_hdr_set_implicitConfirm(msg->header))
403 goto err;
404
405 /* body */
406 if ((resp = OSSL_CMP_CERTRESPONSE_new()) == NULL)
407 goto err;
408 OSSL_CMP_PKISI_free(resp->status);
409 if ((resp->status = OSSL_CMP_PKISI_dup(si)) == NULL
410 || !ASN1_INTEGER_set(resp->certReqId, certReqId))
411 goto err;
412
413 status = ossl_cmp_pkisi_get_status(resp->status);
414 if (status != OSSL_CMP_PKISTATUS_rejection
415 && status != OSSL_CMP_PKISTATUS_waiting && cert != NULL) {
416 if (encrypted) {
417 CMPerr(0, CMP_R_INVALID_ARGS);
418 goto err;
419 }
420
421 if ((resp->certifiedKeyPair = OSSL_CMP_CERTIFIEDKEYPAIR_new())
422 == NULL)
423 goto err;
424 resp->certifiedKeyPair->certOrEncCert->type =
425 OSSL_CMP_CERTORENCCERT_CERTIFICATE;
426 if (!X509_up_ref(cert))
427 goto err;
428 resp->certifiedKeyPair->certOrEncCert->value.certificate = cert;
429 }
430
431 if (!sk_OSSL_CMP_CERTRESPONSE_push(repMsg->response, resp))
432 goto err;
433 resp = NULL;
434 /* TODO: here optional 2nd certrep could be pushed to the stack */
435
436 if (bodytype == OSSL_CMP_PKIBODY_IP && caPubs != NULL
437 && (repMsg->caPubs = X509_chain_up_ref(caPubs)) == NULL)
438 goto err;
439 if (sk_X509_num(chain) > 0) {
440 msg->extraCerts = sk_X509_new_reserve(NULL, sk_X509_num(chain));
441 if (msg->extraCerts == NULL
442 || !X509_add_certs(msg->extraCerts, chain,
443 X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP))
444 goto err;
445 }
446
447 if (!unprotectedErrors
448 || ossl_cmp_pkisi_get_status(si) != OSSL_CMP_PKISTATUS_rejection)
449 if (!ossl_cmp_msg_protect(ctx, msg))
450 goto err;
451
452 return msg;
453
454 err:
455 CMPerr(0, CMP_R_ERROR_CREATING_CERTREP);
456 OSSL_CMP_CERTRESPONSE_free(resp);
457 OSSL_CMP_MSG_free(msg);
458 return NULL;
459 }
460
461 OSSL_CMP_MSG *ossl_cmp_rr_new(OSSL_CMP_CTX *ctx)
462 {
463 OSSL_CMP_MSG *msg = NULL;
464 OSSL_CMP_REVDETAILS *rd;
465
466 if (!ossl_assert(ctx != NULL && ctx->oldCert != NULL))
467 return NULL;
468
469 if ((rd = OSSL_CMP_REVDETAILS_new()) == NULL)
470 goto err;
471
472 /* Fill the template from the contents of the certificate to be revoked */
473 if (!OSSL_CRMF_CERTTEMPLATE_fill(rd->certDetails,
474 NULL /* pubkey would be redundant */,
475 NULL /* subject would be redundant */,
476 X509_get_issuer_name(ctx->oldCert),
477 X509_get0_serialNumber(ctx->oldCert)))
478 goto err;
479
480 /* revocation reason code is optional */
481 if (ctx->revocationReason != CRL_REASON_NONE
482 && !add_crl_reason_extension(&rd->crlEntryDetails,
483 ctx->revocationReason))
484 goto err;
485
486 if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_RR)) == NULL)
487 goto err;
488
489 if (!sk_OSSL_CMP_REVDETAILS_push(msg->body->value.rr, rd))
490 goto err;
491 rd = NULL;
492
493 /*
494 * TODO: the Revocation Passphrase according to section 5.3.19.9 could be
495 * set here if set in ctx
496 */
497
498 if (!ossl_cmp_msg_protect(ctx, msg))
499 goto err;
500
501 return msg;
502
503 err:
504 CMPerr(0, CMP_R_ERROR_CREATING_RR);
505 OSSL_CMP_MSG_free(msg);
506 OSSL_CMP_REVDETAILS_free(rd);
507 return NULL;
508 }
509
510 OSSL_CMP_MSG *ossl_cmp_rp_new(OSSL_CMP_CTX *ctx, OSSL_CMP_PKISI *si,
511 OSSL_CRMF_CERTID *cid, int unprot_err)
512 {
513 OSSL_CMP_REVREPCONTENT *rep = NULL;
514 OSSL_CMP_PKISI *si1 = NULL;
515 OSSL_CRMF_CERTID *cid_copy = NULL;
516 OSSL_CMP_MSG *msg = NULL;
517
518 if (!ossl_assert(ctx != NULL && si != NULL && cid != NULL))
519 return NULL;
520
521 if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_RP)) == NULL)
522 goto err;
523 rep = msg->body->value.rp;
524
525 if ((si1 = OSSL_CMP_PKISI_dup(si)) == NULL)
526 goto err;
527
528 if (!sk_OSSL_CMP_PKISI_push(rep->status, si1)) {
529 OSSL_CMP_PKISI_free(si1);
530 goto err;
531 }
532
533 if ((rep->revCerts = sk_OSSL_CRMF_CERTID_new_null()) == NULL)
534 goto err;
535 if ((cid_copy = OSSL_CRMF_CERTID_dup(cid)) == NULL)
536 goto err;
537 if (!sk_OSSL_CRMF_CERTID_push(rep->revCerts, cid_copy)) {
538 OSSL_CRMF_CERTID_free(cid_copy);
539 goto err;
540 }
541
542 if (!unprot_err
543 || ossl_cmp_pkisi_get_status(si) != OSSL_CMP_PKISTATUS_rejection)
544 if (!ossl_cmp_msg_protect(ctx, msg))
545 goto err;
546
547 return msg;
548
549 err:
550 CMPerr(0, CMP_R_ERROR_CREATING_RP);
551 OSSL_CMP_MSG_free(msg);
552 return NULL;
553 }
554
555 OSSL_CMP_MSG *ossl_cmp_pkiconf_new(OSSL_CMP_CTX *ctx)
556 {
557 OSSL_CMP_MSG *msg;
558
559 if (!ossl_assert(ctx != NULL))
560 return NULL;
561
562 if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_PKICONF)) == NULL)
563 goto err;
564 if (ossl_cmp_msg_protect(ctx, msg))
565 return msg;
566
567 err:
568 CMPerr(0, CMP_R_ERROR_CREATING_PKICONF);
569 OSSL_CMP_MSG_free(msg);
570 return NULL;
571 }
572
573 int ossl_cmp_msg_gen_push0_ITAV(OSSL_CMP_MSG *msg, OSSL_CMP_ITAV *itav)
574 {
575 int bodytype;
576
577 if (!ossl_assert(msg != NULL && itav != NULL))
578 return 0;
579
580 bodytype = ossl_cmp_msg_get_bodytype(msg);
581 if (bodytype != OSSL_CMP_PKIBODY_GENM
582 && bodytype != OSSL_CMP_PKIBODY_GENP) {
583 CMPerr(0, CMP_R_INVALID_ARGS);
584 return 0;
585 }
586
587 /* value.genp has the same structure, so this works for genp as well */
588 return OSSL_CMP_ITAV_push0_stack_item(&msg->body->value.genm, itav);
589 }
590
591 int ossl_cmp_msg_gen_push1_ITAVs(OSSL_CMP_MSG *msg,
592 const STACK_OF(OSSL_CMP_ITAV) *itavs)
593 {
594 int i;
595 OSSL_CMP_ITAV *itav = NULL;
596
597 if (!ossl_assert(msg != NULL))
598 return 0;
599
600 for (i = 0; i < sk_OSSL_CMP_ITAV_num(itavs); i++) {
601 itav = OSSL_CMP_ITAV_dup(sk_OSSL_CMP_ITAV_value(itavs, i));
602 if (itav == NULL
603 || !ossl_cmp_msg_gen_push0_ITAV(msg, itav)) {
604 OSSL_CMP_ITAV_free(itav);
605 return 0;
606 }
607 }
608 return 1;
609 }
610
611 /*
612 * Creates a new General Message/Response with an empty itav stack
613 * returns a pointer to the PKIMessage on success, NULL on error
614 */
615 static OSSL_CMP_MSG *gen_new(OSSL_CMP_CTX *ctx,
616 const STACK_OF(OSSL_CMP_ITAV) *itavs,
617 int body_type, int err_code)
618 {
619 OSSL_CMP_MSG *msg = NULL;
620
621 if (!ossl_assert(ctx != NULL))
622 return NULL;
623
624 if ((msg = ossl_cmp_msg_create(ctx, body_type)) == NULL)
625 return NULL;
626
627 if (ctx->genm_ITAVs != NULL
628 && !ossl_cmp_msg_gen_push1_ITAVs(msg, itavs))
629 goto err;
630
631 if (!ossl_cmp_msg_protect(ctx, msg))
632 goto err;
633
634 return msg;
635
636 err:
637 CMPerr(0, err_code);
638 OSSL_CMP_MSG_free(msg);
639 return NULL;
640 }
641
642 OSSL_CMP_MSG *ossl_cmp_genm_new(OSSL_CMP_CTX *ctx)
643 {
644 return gen_new(ctx, ctx->genm_ITAVs,
645 OSSL_CMP_PKIBODY_GENM, CMP_R_ERROR_CREATING_GENM);
646 }
647
648 OSSL_CMP_MSG *ossl_cmp_genp_new(OSSL_CMP_CTX *ctx,
649 const STACK_OF(OSSL_CMP_ITAV) *itavs)
650 {
651 return gen_new(ctx, itavs,
652 OSSL_CMP_PKIBODY_GENP, CMP_R_ERROR_CREATING_GENP);
653 }
654
655 OSSL_CMP_MSG *ossl_cmp_error_new(OSSL_CMP_CTX *ctx, OSSL_CMP_PKISI *si,
656 int errorCode,
657 const char *details, int unprotected)
658 {
659 OSSL_CMP_MSG *msg = NULL;
660 OSSL_CMP_PKIFREETEXT *ft;
661
662 if (!ossl_assert(ctx != NULL && si != NULL))
663 return NULL;
664
665 if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_ERROR)) == NULL)
666 goto err;
667
668 OSSL_CMP_PKISI_free(msg->body->value.error->pKIStatusInfo);
669 if ((msg->body->value.error->pKIStatusInfo = OSSL_CMP_PKISI_dup(si))
670 == NULL)
671 goto err;
672 if (errorCode >= 0) {
673 if ((msg->body->value.error->errorCode = ASN1_INTEGER_new()) == NULL)
674 goto err;
675 if (!ASN1_INTEGER_set(msg->body->value.error->errorCode, errorCode))
676 goto err;
677 }
678 if (details != NULL) {
679 if ((ft = sk_ASN1_UTF8STRING_new_null()) == NULL)
680 goto err;
681 msg->body->value.error->errorDetails = ft;
682 if (!ossl_cmp_sk_ASN1_UTF8STRING_push_str(ft, details))
683 goto err;
684 }
685
686 if (!unprotected && !ossl_cmp_msg_protect(ctx, msg))
687 goto err;
688 return msg;
689
690 err:
691 CMPerr(0, CMP_R_ERROR_CREATING_ERROR);
692 OSSL_CMP_MSG_free(msg);
693 return NULL;
694 }
695
696 /*
697 * Set the certHash field of a OSSL_CMP_CERTSTATUS structure.
698 * This is used in the certConf message, for example,
699 * to confirm that the certificate was received successfully.
700 */
701 int ossl_cmp_certstatus_set0_certHash(OSSL_CMP_CERTSTATUS *certStatus,
702 ASN1_OCTET_STRING *hash)
703 {
704 if (!ossl_assert(certStatus != NULL))
705 return 0;
706 ASN1_OCTET_STRING_free(certStatus->certHash);
707 certStatus->certHash = hash;
708 return 1;
709 }
710
711 /*
712 * TODO: handle potential 2nd certificate when signing and encrypting
713 * certificates have been requested/received
714 */
715 OSSL_CMP_MSG *ossl_cmp_certConf_new(OSSL_CMP_CTX *ctx, int fail_info,
716 const char *text)
717 {
718 OSSL_CMP_MSG *msg = NULL;
719 OSSL_CMP_CERTSTATUS *certStatus = NULL;
720 ASN1_OCTET_STRING *certHash = NULL;
721 OSSL_CMP_PKISI *sinfo;
722
723 if (!ossl_assert(ctx != NULL && ctx->newCert != NULL))
724 return NULL;
725
726 if ((unsigned)fail_info > OSSL_CMP_PKIFAILUREINFO_MAX_BIT_PATTERN) {
727 CMPerr(0, CMP_R_FAIL_INFO_OUT_OF_RANGE);
728 return NULL;
729 }
730
731 if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_CERTCONF)) == NULL)
732 goto err;
733
734 if ((certStatus = OSSL_CMP_CERTSTATUS_new()) == NULL)
735 goto err;
736 /* consume certStatus into msg right away so it gets deallocated with msg */
737 if (!sk_OSSL_CMP_CERTSTATUS_push(msg->body->value.certConf, certStatus))
738 goto err;
739 /* set the ID of the certReq */
740 if (!ASN1_INTEGER_set(certStatus->certReqId, OSSL_CMP_CERTREQID))
741 goto err;
742 /*
743 * the hash of the certificate, using the same hash algorithm
744 * as is used to create and verify the certificate signature
745 */
746 if ((certHash = X509_digest_sig(ctx->newCert)) == NULL)
747 goto err;
748
749 if (!ossl_cmp_certstatus_set0_certHash(certStatus, certHash))
750 goto err;
751 certHash = NULL;
752 /*
753 * For any particular CertStatus, omission of the statusInfo field
754 * indicates ACCEPTANCE of the specified certificate. Alternatively,
755 * explicit status details (with respect to acceptance or rejection) MAY
756 * be provided in the statusInfo field, perhaps for auditing purposes at
757 * the CA/RA.
758 */
759 sinfo = fail_info != 0 ?
760 OSSL_CMP_STATUSINFO_new(OSSL_CMP_PKISTATUS_rejection, fail_info, text) :
761 OSSL_CMP_STATUSINFO_new(OSSL_CMP_PKISTATUS_accepted, 0, text);
762 if (sinfo == NULL)
763 goto err;
764 certStatus->statusInfo = sinfo;
765
766 if (!ossl_cmp_msg_protect(ctx, msg))
767 goto err;
768
769 return msg;
770
771 err:
772 CMPerr(0, CMP_R_ERROR_CREATING_CERTCONF);
773 OSSL_CMP_MSG_free(msg);
774 ASN1_OCTET_STRING_free(certHash);
775 return NULL;
776 }
777
778 OSSL_CMP_MSG *ossl_cmp_pollReq_new(OSSL_CMP_CTX *ctx, int crid)
779 {
780 OSSL_CMP_MSG *msg = NULL;
781 OSSL_CMP_POLLREQ *preq = NULL;
782
783 if (!ossl_assert(ctx != NULL))
784 return NULL;
785
786 if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_POLLREQ)) == NULL)
787 goto err;
788
789 /* TODO: support multiple cert request IDs to poll */
790 if ((preq = OSSL_CMP_POLLREQ_new()) == NULL
791 || !ASN1_INTEGER_set(preq->certReqId, crid)
792 || !sk_OSSL_CMP_POLLREQ_push(msg->body->value.pollReq, preq))
793 goto err;
794
795 preq = NULL;
796 if (!ossl_cmp_msg_protect(ctx, msg))
797 goto err;
798
799 return msg;
800
801 err:
802 CMPerr(0, CMP_R_ERROR_CREATING_POLLREQ);
803 OSSL_CMP_POLLREQ_free(preq);
804 OSSL_CMP_MSG_free(msg);
805 return NULL;
806 }
807
808 OSSL_CMP_MSG *ossl_cmp_pollRep_new(OSSL_CMP_CTX *ctx, int crid,
809 int64_t poll_after)
810 {
811 OSSL_CMP_MSG *msg;
812 OSSL_CMP_POLLREP *prep;
813
814 if (!ossl_assert(ctx != NULL))
815 return NULL;
816
817 if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_POLLREP)) == NULL)
818 goto err;
819 if ((prep = OSSL_CMP_POLLREP_new()) == NULL)
820 goto err;
821 if (!sk_OSSL_CMP_POLLREP_push(msg->body->value.pollRep, prep))
822 goto err;
823 if (!ASN1_INTEGER_set(prep->certReqId, crid))
824 goto err;
825 if (!ASN1_INTEGER_set_int64(prep->checkAfter, poll_after))
826 goto err;
827
828 if (!ossl_cmp_msg_protect(ctx, msg))
829 goto err;
830 return msg;
831
832 err:
833 CMPerr(0, CMP_R_ERROR_CREATING_POLLREP);
834 OSSL_CMP_MSG_free(msg);
835 return NULL;
836 }
837
838 /*-
839 * returns the status field of the RevRepContent with the given
840 * request/sequence id inside a revocation response.
841 * RevRepContent has the revocation statuses in same order as they were sent in
842 * RevReqContent.
843 * returns NULL on error
844 */
845 OSSL_CMP_PKISI *
846 ossl_cmp_revrepcontent_get_pkisi(OSSL_CMP_REVREPCONTENT *rrep, int rsid)
847 {
848 OSSL_CMP_PKISI *status;
849
850 if (!ossl_assert(rrep != NULL))
851 return NULL;
852
853 if ((status = sk_OSSL_CMP_PKISI_value(rrep->status, rsid)) != NULL)
854 return status;
855
856 CMPerr(0, CMP_R_PKISTATUSINFO_NOT_FOUND);
857 return NULL;
858 }
859
860 /*
861 * returns the CertId field in the revCerts part of the RevRepContent
862 * with the given request/sequence id inside a revocation response.
863 * RevRepContent has the CertIds in same order as they were sent in
864 * RevReqContent.
865 * returns NULL on error
866 */
867 OSSL_CRMF_CERTID *
868 ossl_cmp_revrepcontent_get_CertId(OSSL_CMP_REVREPCONTENT *rrep, int rsid)
869 {
870 OSSL_CRMF_CERTID *cid = NULL;
871
872 if (!ossl_assert(rrep != NULL))
873 return NULL;
874
875 if ((cid = sk_OSSL_CRMF_CERTID_value(rrep->revCerts, rsid)) != NULL)
876 return cid;
877
878 CMPerr(0, CMP_R_CERTID_NOT_FOUND);
879 return NULL;
880 }
881
882 static int suitable_rid(const ASN1_INTEGER *certReqId, int rid)
883 {
884 int trid;
885
886 if (rid == -1)
887 return 1;
888
889 trid = ossl_cmp_asn1_get_int(certReqId);
890
891 if (trid == -1) {
892 CMPerr(0, CMP_R_BAD_REQUEST_ID);
893 return 0;
894 }
895 return rid == trid;
896 }
897
898 static void add_expected_rid(int rid)
899 {
900 char str[DECIMAL_SIZE(rid) + 1];
901
902 BIO_snprintf(str, sizeof(str), "%d", rid);
903 ERR_add_error_data(2, "expected certReqId = ", str);
904 }
905
906 /*
907 * returns a pointer to the PollResponse with the given CertReqId
908 * (or the first one in case -1) inside a PollRepContent
909 * returns NULL on error or if no suitable PollResponse available
910 */
911 OSSL_CMP_POLLREP *
912 ossl_cmp_pollrepcontent_get0_pollrep(const OSSL_CMP_POLLREPCONTENT *prc,
913 int rid)
914 {
915 OSSL_CMP_POLLREP *pollRep = NULL;
916 int i;
917
918 if (!ossl_assert(prc != NULL))
919 return NULL;
920
921 for (i = 0; i < sk_OSSL_CMP_POLLREP_num(prc); i++) {
922 pollRep = sk_OSSL_CMP_POLLREP_value(prc, i);
923 if (suitable_rid(pollRep->certReqId, rid))
924 return pollRep;
925 }
926
927 CMPerr(0, CMP_R_CERTRESPONSE_NOT_FOUND);
928 add_expected_rid(rid);
929 return NULL;
930 }
931
932 /*
933 * returns a pointer to the CertResponse with the given CertReqId
934 * (or the first one in case -1) inside a CertRepMessage
935 * returns NULL on error or if no suitable CertResponse available
936 */
937 OSSL_CMP_CERTRESPONSE *
938 ossl_cmp_certrepmessage_get0_certresponse(const OSSL_CMP_CERTREPMESSAGE *crm,
939 int rid)
940 {
941 OSSL_CMP_CERTRESPONSE *crep = NULL;
942 int i;
943
944 if (!ossl_assert(crm != NULL && crm->response != NULL))
945 return NULL;
946
947 for (i = 0; i < sk_OSSL_CMP_CERTRESPONSE_num(crm->response); i++) {
948 crep = sk_OSSL_CMP_CERTRESPONSE_value(crm->response, i);
949 if (suitable_rid(crep->certReqId, rid))
950 return crep;
951 }
952
953 CMPerr(0, CMP_R_CERTRESPONSE_NOT_FOUND);
954 add_expected_rid(rid);
955 return NULL;
956 }
957
958 /*-
959 * Retrieve the newly enrolled certificate from the given certResponse crep.
960 * In case of indirect POPO uses the libctx and propq from ctx and private key.
961 * Returns a pointer to a copy of the found certificate, or NULL if not found.
962 */
963 X509 *ossl_cmp_certresponse_get1_cert(const OSSL_CMP_CERTRESPONSE *crep,
964 const OSSL_CMP_CTX *ctx, EVP_PKEY *pkey)
965 {
966 OSSL_CMP_CERTORENCCERT *coec;
967 X509 *crt = NULL;
968
969 if (!ossl_assert(crep != NULL && ctx != NULL))
970 return NULL;
971
972 if (crep->certifiedKeyPair
973 && (coec = crep->certifiedKeyPair->certOrEncCert) != NULL) {
974 switch (coec->type) {
975 case OSSL_CMP_CERTORENCCERT_CERTIFICATE:
976 crt = X509_dup(coec->value.certificate);
977 break;
978 case OSSL_CMP_CERTORENCCERT_ENCRYPTEDCERT:
979 /* cert encrypted for indirect PoP; RFC 4210, 5.2.8.2 */
980 if (pkey == NULL) {
981 CMPerr(0, CMP_R_MISSING_PRIVATE_KEY);
982 return NULL;
983 }
984 crt =
985 OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(coec->value.encryptedCert,
986 ctx->libctx, ctx->propq,
987 pkey);
988 break;
989 default:
990 CMPerr(0, CMP_R_UNKNOWN_CERT_TYPE);
991 return NULL;
992 }
993 }
994 if (crt == NULL)
995 CMPerr(0, CMP_R_CERTIFICATE_NOT_FOUND);
996 else
997 (void)x509_set0_libctx(crt, ctx->libctx, ctx->propq);
998 return crt;
999 }
1000
1001 int OSSL_CMP_MSG_update_transactionID(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg)
1002 {
1003 if (ctx == NULL || msg == NULL) {
1004 CMPerr(0, CMP_R_NULL_ARGUMENT);
1005 return 0;
1006 }
1007 if (!ossl_cmp_hdr_set_transactionID(ctx, msg->header))
1008 return 0;
1009 return msg->header->protectionAlg == NULL
1010 || ossl_cmp_msg_protect(ctx, msg);
1011 }
1012
1013 OSSL_CMP_MSG *OSSL_CMP_MSG_read(const char *file)
1014 {
1015 OSSL_CMP_MSG *msg = NULL;
1016 BIO *bio = NULL;
1017
1018 if (file == NULL) {
1019 CMPerr(0, CMP_R_NULL_ARGUMENT);
1020 return NULL;
1021 }
1022
1023 if ((bio = BIO_new_file(file, "rb")) == NULL)
1024 return NULL;
1025 msg = d2i_OSSL_CMP_MSG_bio(bio, NULL);
1026 BIO_free(bio);
1027 return msg;
1028 }
1029
1030 int OSSL_CMP_MSG_write(const char *file, const OSSL_CMP_MSG *msg)
1031 {
1032 BIO *bio;
1033 int res;
1034
1035 if (file == NULL || msg == NULL) {
1036 CMPerr(0, CMP_R_NULL_ARGUMENT);
1037 return -1;
1038 }
1039
1040 bio = BIO_new_file(file, "wb");
1041 if (bio == NULL)
1042 return -2;
1043 res = i2d_OSSL_CMP_MSG_bio(bio, msg);
1044 BIO_free(bio);
1045 return res;
1046 }
1047
1048 OSSL_CMP_MSG *d2i_OSSL_CMP_MSG_bio(BIO *bio, OSSL_CMP_MSG **msg)
1049 {
1050 return ASN1_d2i_bio_of(OSSL_CMP_MSG, OSSL_CMP_MSG_new,
1051 d2i_OSSL_CMP_MSG, bio, msg);
1052 }
1053
1054 int i2d_OSSL_CMP_MSG_bio(BIO *bio, const OSSL_CMP_MSG *msg)
1055 {
1056 return ASN1_i2d_bio_of(OSSL_CMP_MSG, i2d_OSSL_CMP_MSG, bio, msg);
1057 }
A mirror of the official openssl repository