2 * Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright Nokia 2007-2019
4 * Copyright Siemens AG 2015-2019
6 * Licensed under the Apache License 2.0 (the "License"). You may not use
7 * this file except in compliance with the License. You can obtain a copy
8 * in the file LICENSE in the source distribution or at
9 * https://www.openssl.org/source/license.html
12 /* CMP functions for PKIStatusInfo handling and PKIMessage decomposition */
16 #include "cmp_local.h"
18 /* explicit #includes not strictly needed since implied by the above: */
20 #include <openssl/cmp.h>
21 #include <openssl/crmf.h>
22 #include <openssl/err.h> /* needed in case config no-deprecated */
23 #include <openssl/engine.h>
24 #include <openssl/evp.h>
25 #include <openssl/objects.h>
26 #include <openssl/x509.h>
27 #include <openssl/asn1err.h> /* for ASN1_R_TOO_SMALL and ASN1_R_TOO_LARGE */
29 DEFINE_STACK_OF(ASN1_UTF8STRING
)
31 /* CMP functions related to PKIStatus */
33 int ossl_cmp_pkisi_get_status(const OSSL_CMP_PKISI
*si
)
35 if (!ossl_assert(si
!= NULL
&& si
->status
!= NULL
))
37 return ossl_cmp_asn1_get_int(si
->status
);
40 const char *ossl_cmp_PKIStatus_to_string(int status
)
43 case OSSL_CMP_PKISTATUS_accepted
:
44 return "PKIStatus: accepted";
45 case OSSL_CMP_PKISTATUS_grantedWithMods
:
46 return "PKIStatus: granted with modifications";
47 case OSSL_CMP_PKISTATUS_rejection
:
48 return "PKIStatus: rejection";
49 case OSSL_CMP_PKISTATUS_waiting
:
50 return "PKIStatus: waiting";
51 case OSSL_CMP_PKISTATUS_revocationWarning
:
52 return "PKIStatus: revocation warning - a revocation of the cert is imminent";
53 case OSSL_CMP_PKISTATUS_revocationNotification
:
54 return "PKIStatus: revocation notification - a revocation of the cert has occurred";
55 case OSSL_CMP_PKISTATUS_keyUpdateWarning
:
56 return "PKIStatus: key update warning - update already done for the cert";
60 BIO_snprintf(buf
, sizeof(buf
), "PKIStatus: invalid=%d", status
);
61 CMPerr(0, CMP_R_ERROR_PARSING_PKISTATUS
);
62 ERR_add_error_data(1, buf
);
68 OSSL_CMP_PKIFREETEXT
*ossl_cmp_pkisi_get0_statusString(const OSSL_CMP_PKISI
*si
)
70 if (!ossl_assert(si
!= NULL
))
72 return si
->statusString
;
75 int ossl_cmp_pkisi_get_pkifailureinfo(const OSSL_CMP_PKISI
*si
)
80 if (!ossl_assert(si
!= NULL
))
82 for (i
= 0; i
<= OSSL_CMP_PKIFAILUREINFO_MAX
; i
++)
83 if (ASN1_BIT_STRING_get_bit(si
->failInfo
, i
))
89 * convert PKIFailureInfo number to human-readable string
90 * returns pointer to static string, or NULL on error
92 static const char *CMP_PKIFAILUREINFO_to_string(int number
)
95 case OSSL_CMP_PKIFAILUREINFO_badAlg
:
97 case OSSL_CMP_PKIFAILUREINFO_badMessageCheck
:
98 return "badMessageCheck";
99 case OSSL_CMP_PKIFAILUREINFO_badRequest
:
101 case OSSL_CMP_PKIFAILUREINFO_badTime
:
103 case OSSL_CMP_PKIFAILUREINFO_badCertId
:
105 case OSSL_CMP_PKIFAILUREINFO_badDataFormat
:
106 return "badDataFormat";
107 case OSSL_CMP_PKIFAILUREINFO_wrongAuthority
:
108 return "wrongAuthority";
109 case OSSL_CMP_PKIFAILUREINFO_incorrectData
:
110 return "incorrectData";
111 case OSSL_CMP_PKIFAILUREINFO_missingTimeStamp
:
112 return "missingTimeStamp";
113 case OSSL_CMP_PKIFAILUREINFO_badPOP
:
115 case OSSL_CMP_PKIFAILUREINFO_certRevoked
:
116 return "certRevoked";
117 case OSSL_CMP_PKIFAILUREINFO_certConfirmed
:
118 return "certConfirmed";
119 case OSSL_CMP_PKIFAILUREINFO_wrongIntegrity
:
120 return "wrongIntegrity";
121 case OSSL_CMP_PKIFAILUREINFO_badRecipientNonce
:
122 return "badRecipientNonce";
123 case OSSL_CMP_PKIFAILUREINFO_timeNotAvailable
:
124 return "timeNotAvailable";
125 case OSSL_CMP_PKIFAILUREINFO_unacceptedPolicy
:
126 return "unacceptedPolicy";
127 case OSSL_CMP_PKIFAILUREINFO_unacceptedExtension
:
128 return "unacceptedExtension";
129 case OSSL_CMP_PKIFAILUREINFO_addInfoNotAvailable
:
130 return "addInfoNotAvailable";
131 case OSSL_CMP_PKIFAILUREINFO_badSenderNonce
:
132 return "badSenderNonce";
133 case OSSL_CMP_PKIFAILUREINFO_badCertTemplate
:
134 return "badCertTemplate";
135 case OSSL_CMP_PKIFAILUREINFO_signerNotTrusted
:
136 return "signerNotTrusted";
137 case OSSL_CMP_PKIFAILUREINFO_transactionIdInUse
:
138 return "transactionIdInUse";
139 case OSSL_CMP_PKIFAILUREINFO_unsupportedVersion
:
140 return "unsupportedVersion";
141 case OSSL_CMP_PKIFAILUREINFO_notAuthorized
:
142 return "notAuthorized";
143 case OSSL_CMP_PKIFAILUREINFO_systemUnavail
:
144 return "systemUnavail";
145 case OSSL_CMP_PKIFAILUREINFO_systemFailure
:
146 return "systemFailure";
147 case OSSL_CMP_PKIFAILUREINFO_duplicateCertReq
:
148 return "duplicateCertReq";
150 return NULL
; /* illegal failure number */
154 int ossl_cmp_pkisi_check_pkifailureinfo(const OSSL_CMP_PKISI
*si
, int bit_index
)
156 if (!ossl_assert(si
!= NULL
&& si
->failInfo
!= NULL
))
158 if (bit_index
< 0 || bit_index
> OSSL_CMP_PKIFAILUREINFO_MAX
) {
159 CMPerr(0, CMP_R_INVALID_ARGS
);
163 return ASN1_BIT_STRING_get_bit(si
->failInfo
, bit_index
);
167 * place human-readable error string created from PKIStatusInfo in given buffer
168 * returns pointer to the same buffer containing the string, or NULL on error
171 char *snprint_PKIStatusInfo_parts(int status
, int fail_info
,
172 const OSSL_CMP_PKIFREETEXT
*status_strings
,
173 char *buf
, size_t bufsize
)
176 const char *status_string
, *failure_string
;
177 ASN1_UTF8STRING
*text
;
180 int failinfo_found
= 0;
181 int n_status_strings
;
182 char *write_ptr
= buf
;
186 || (status_string
= ossl_cmp_PKIStatus_to_string(status
)) == NULL
)
189 #define ADVANCE_BUFFER \
190 if (printed_chars < 0 || (size_t)printed_chars >= bufsize) \
192 write_ptr += printed_chars; \
193 bufsize -= printed_chars;
195 printed_chars
= BIO_snprintf(write_ptr
, bufsize
, "%s", status_string
);
198 /* failInfo is optional and may be empty */
199 if (fail_info
!= 0) {
200 printed_chars
= BIO_snprintf(write_ptr
, bufsize
, "; PKIFailureInfo: ");
202 for (failure
= 0; failure
<= OSSL_CMP_PKIFAILUREINFO_MAX
; failure
++) {
203 if ((fail_info
& (1 << failure
)) != 0) {
204 failure_string
= CMP_PKIFAILUREINFO_to_string(failure
);
205 if (failure_string
!= NULL
) {
206 printed_chars
= BIO_snprintf(write_ptr
, bufsize
, "%s%s",
207 failinfo_found
? ", " : "",
215 if (!failinfo_found
&& status
!= OSSL_CMP_PKISTATUS_accepted
216 && status
!= OSSL_CMP_PKISTATUS_grantedWithMods
) {
217 printed_chars
= BIO_snprintf(write_ptr
, bufsize
, "; <no failure info>");
221 /* statusString sequence is optional and may be empty */
222 n_status_strings
= sk_ASN1_UTF8STRING_num(status_strings
);
223 if (n_status_strings
> 0) {
224 printed_chars
= BIO_snprintf(write_ptr
, bufsize
, "; StatusString%s: ",
225 n_status_strings
> 1 ? "s" : "");
227 for (i
= 0; i
< n_status_strings
; i
++) {
228 text
= sk_ASN1_UTF8STRING_value(status_strings
, i
);
229 printed_chars
= BIO_snprintf(write_ptr
, bufsize
, "\"%s\"%s",
230 ASN1_STRING_get0_data(text
),
231 i
< n_status_strings
- 1 ? ", " : "");
235 #undef ADVANCE_BUFFER
239 char *OSSL_CMP_snprint_PKIStatusInfo(const OSSL_CMP_PKISI
*statusInfo
,
240 char *buf
, size_t bufsize
)
244 if (statusInfo
== NULL
) {
245 CMPerr(0, CMP_R_NULL_ARGUMENT
);
249 failure_info
= ossl_cmp_pkisi_get_pkifailureinfo(statusInfo
);
251 return snprint_PKIStatusInfo_parts(ASN1_INTEGER_get(statusInfo
->status
),
253 statusInfo
->statusString
, buf
, bufsize
);
256 char *OSSL_CMP_CTX_snprint_PKIStatus(const OSSL_CMP_CTX
*ctx
, char *buf
,
260 CMPerr(0, CMP_R_NULL_ARGUMENT
);
264 return snprint_PKIStatusInfo_parts(OSSL_CMP_CTX_get_status(ctx
),
265 OSSL_CMP_CTX_get_failInfoCode(ctx
),
266 OSSL_CMP_CTX_get0_statusString(ctx
),
271 * Creates a new PKIStatusInfo structure and fills it in
272 * returns a pointer to the structure on success, NULL on error
273 * note: strongly overlaps with TS_RESP_CTX_set_status_info()
274 * and TS_RESP_CTX_add_failure_info() in ../ts/ts_rsp_sign.c
276 OSSL_CMP_PKISI
*OSSL_CMP_STATUSINFO_new(int status
, int fail_info
,
279 OSSL_CMP_PKISI
*si
= OSSL_CMP_PKISI_new();
280 ASN1_UTF8STRING
*utf8_text
= NULL
;
285 if (!ASN1_INTEGER_set(si
->status
, status
))
289 if ((utf8_text
= ASN1_UTF8STRING_new()) == NULL
290 || !ASN1_STRING_set(utf8_text
, text
, -1))
292 if ((si
->statusString
= sk_ASN1_UTF8STRING_new_null()) == NULL
)
294 if (!sk_ASN1_UTF8STRING_push(si
->statusString
, utf8_text
))
296 /* Ownership is lost. */
300 for (failure
= 0; failure
<= OSSL_CMP_PKIFAILUREINFO_MAX
; failure
++) {
301 if ((fail_info
& (1 << failure
)) != 0) {
302 if (si
->failInfo
== NULL
303 && (si
->failInfo
= ASN1_BIT_STRING_new()) == NULL
)
305 if (!ASN1_BIT_STRING_set_bit(si
->failInfo
, failure
, 1))
312 OSSL_CMP_PKISI_free(si
);
313 ASN1_UTF8STRING_free(utf8_text
);