ESS_SIGNING_CERT_V2 *ssv2 = NULL;
int ret = ossl_cms_signerinfo_get_signing_cert(si, &ss) >= 0
&& ossl_cms_signerinfo_get_signing_cert_v2(si, &ssv2) >= 0
- && ossl_ess_check_signing_certs(ss, ssv2, chain, 1);
+ && OSSL_ESS_check_signing_certs(ss, ssv2, chain, 1) > 0;
ESS_SIGNING_CERT_free(ss);
ESS_SIGNING_CERT_V2_free(ssv2);
int add_sc;
if (md == NULL || EVP_MD_is_a(md, SN_sha1)) {
- if ((sc = ossl_ess_signing_cert_new_init(signer,
+ if ((sc = OSSL_ESS_signing_cert_new_init(signer,
NULL, 1)) == NULL)
goto err;
add_sc = ossl_cms_add1_signing_cert(si, sc);
ESS_SIGNING_CERT_free(sc);
} else {
- if ((sc2 = ossl_ess_signing_cert_v2_new_init(md, signer,
+ if ((sc2 = OSSL_ESS_signing_cert_v2_new_init(md, signer,
NULL, 1)) == NULL)
goto err;
add_sc = ossl_cms_add1_signing_cert_v2(si, sc2);
IMPLEMENT_ASN1_FUNCTIONS(ESS_SIGNING_CERT_V2)
IMPLEMENT_ASN1_DUP_FUNCTION(ESS_SIGNING_CERT_V2)
+/* TODO the following two functions should be moved to ../cms/ */
/* No cms support means no CMS_SignerInfo* definitions */
#ifndef OPENSSL_NO_CMS
/*
- * Returns < 0 if attribute is not found, 1 if found, or
- * -1 on attribute parsing failure.
+ * Returns 0 if attribute is not found, 1 if found,
+ * or -1 on attribute parsing failure.
*/
int ossl_cms_signerinfo_get_signing_cert_v2(const CMS_SignerInfo *si,
ESS_SIGNING_CERT_V2 **psc)
}
/*
- * Returns < 0 if attribute is not found, 1 if found, or
- * -1 on attribute parsing failure.
+ * Returns 0 if attribute is not found, 1 if found,
+ * or -1 on attribute parsing failure.
*/
int ossl_cms_signerinfo_get_signing_cert(const CMS_SignerInfo *si,
ESS_SIGNING_CERT **psc)
#include "crypto/ess.h"
#include "crypto/x509.h"
-static ESS_CERT_ID *ESS_CERT_ID_new_init(X509 *cert, int issuer_needed);
+static ESS_CERT_ID *ESS_CERT_ID_new_init(const X509 *cert,
+ int set_issuer_serial);
static ESS_CERT_ID_V2 *ESS_CERT_ID_V2_new_init(const EVP_MD *hash_alg,
- X509 *cert, int issuer_needed);
+ const X509 *cert,
+ int set_issuer_serial);
-ESS_SIGNING_CERT *ossl_ess_signing_cert_new_init(X509 *signcert,
- STACK_OF(X509) *certs,
- int issuer_needed)
+ESS_SIGNING_CERT *OSSL_ESS_signing_cert_new_init(const X509 *signcert,
+ const STACK_OF(X509) *certs,
+ int set_issuer_serial)
{
ESS_CERT_ID *cid = NULL;
ESS_SIGNING_CERT *sc;
&& (sc->cert_ids = sk_ESS_CERT_ID_new_null()) == NULL)
goto err;
- if ((cid = ESS_CERT_ID_new_init(signcert, issuer_needed)) == NULL
+ if ((cid = ESS_CERT_ID_new_init(signcert, set_issuer_serial)) == NULL
|| !sk_ESS_CERT_ID_push(sc->cert_ids, cid))
goto err;
for (i = 0; i < sk_X509_num(certs); ++i) {
X509 *cert = sk_X509_value(certs, i);
+
if ((cid = ESS_CERT_ID_new_init(cert, 1)) == NULL
|| !sk_ESS_CERT_ID_push(sc->cert_ids, cid))
goto err;
return NULL;
}
-static ESS_CERT_ID *ESS_CERT_ID_new_init(X509 *cert, int issuer_needed)
+static ESS_CERT_ID *ESS_CERT_ID_new_init(const X509 *cert,
+ int set_issuer_serial)
{
ESS_CERT_ID *cid = NULL;
GENERAL_NAME *name = NULL;
unsigned char cert_sha1[SHA_DIGEST_LENGTH];
- /* Call for side-effect of computing hash and caching extensions */
- if (!ossl_x509v3_cache_extensions(cert))
- return NULL;
-
if ((cid = ESS_CERT_ID_new()) == NULL)
goto err;
- /* TODO(3.0): fetch sha1 algorithm from providers */
if (!X509_digest(cert, EVP_sha1(), cert_sha1, NULL))
goto err;
if (!ASN1_OCTET_STRING_set(cid->hash, cert_sha1, SHA_DIGEST_LENGTH))
goto err;
/* Setting the issuer/serial if requested. */
- if (!issuer_needed)
+ if (!set_issuer_serial)
return cid;
if (cid->issuer_serial == NULL
return NULL;
}
-ESS_SIGNING_CERT_V2 *ossl_ess_signing_cert_v2_new_init(const EVP_MD *hash_alg,
- X509 *signcert,
+ESS_SIGNING_CERT_V2 *OSSL_ESS_signing_cert_v2_new_init(const EVP_MD *hash_alg,
+ const X509 *signcert,
+ const
STACK_OF(X509) *certs,
- int issuer_needed)
+ int set_issuer_serial)
{
ESS_CERT_ID_V2 *cid = NULL;
ESS_SIGNING_CERT_V2 *sc;
if ((sc = ESS_SIGNING_CERT_V2_new()) == NULL)
goto err;
- if ((cid = ESS_CERT_ID_V2_new_init(hash_alg, signcert, issuer_needed)) == NULL)
+ cid = ESS_CERT_ID_V2_new_init(hash_alg, signcert, set_issuer_serial);
+ if (cid == NULL)
goto err;
if (!sk_ESS_CERT_ID_V2_push(sc->cert_ids, cid))
goto err;
}
static ESS_CERT_ID_V2 *ESS_CERT_ID_V2_new_init(const EVP_MD *hash_alg,
- X509 *cert, int issuer_needed)
+ const X509 *cert,
+ int set_issuer_serial)
{
ESS_CERT_ID_V2 *cid;
GENERAL_NAME *name = NULL;
cid->hash_alg = NULL;
}
- /* TODO(3.0): fetch sha1 algorithm from providers */
if (!X509_digest(cert, hash_alg, hash, &hash_len))
goto err;
if (!ASN1_OCTET_STRING_set(cid->hash, hash, hash_len))
goto err;
- if (!issuer_needed)
+ if (!set_issuer_serial)
return cid;
if ((cid->issuer_serial = ESS_ISSUER_SERIAL_new()) == NULL)
return NULL;
}
+/* TODO the following four functions should be moved to ../ts/ */
ESS_SIGNING_CERT *ossl_ess_get_signing_cert(const PKCS7_SIGNER_INFO *si)
{
ASN1_TYPE *attr;
}
/*
- * Find cert referenced by |cid| (if not NULL, else |cidv2|) in |certs|.
- * If the cid{,v2} index is 0, the cert must be in the first in |certs| list.
+ * Find the cert in |certs| referenced by |cid| if not NULL, else by |cid_v2|.
+ * The cert must be the first one in |certs| if and only if |index| is 0.
* Return 0 on not found, -1 on error, else 1 + the position in |certs|.
*/
static int find(const ESS_CERT_ID *cid, const ESS_CERT_ID_V2 *cid_v2,
}
(void)ERR_pop_to_mark();
- /* Look for cert with cid in the certs. */
for (i = 0; i < sk_X509_num(certs); ++i) {
cert = sk_X509_value(certs, i);
return ret;
}
-/*
- * If ESSCertID and/or ESSCertIDv2 exist, which must be non-empty if given,
- * check if their first ID entry matches the signer cert first in chain
- * and each further ID entry matches any further cert in the chain.
- */
-int ossl_ess_check_signing_certs(const ESS_SIGNING_CERT *ss,
+int OSSL_ESS_check_signing_certs(const ESS_SIGNING_CERT *ss,
const ESS_SIGNING_CERT_V2 *ssv2,
const STACK_OF(X509) *chain,
int require_signing_cert)
{
int n_v1 = ss == NULL ? -1 : sk_ESS_CERT_ID_num(ss->cert_ids);
int n_v2 = ssv2 == NULL ? -1 : sk_ESS_CERT_ID_V2_num(ssv2->cert_ids);
- int i;
+ int i, ret;
if (require_signing_cert && ss == NULL && ssv2 == NULL) {
ERR_raise(ERR_LIB_CMS, ESS_R_MISSING_SIGNING_CERTIFICATE_ATTRIBUTE);
- return 0;
+ return -1;
}
if (n_v1 == 0 || n_v2 == 0) {
ERR_raise(ERR_LIB_ESS, ESS_R_EMPTY_ESS_CERT_ID_LIST);
- return 0;
+ return -1;
}
/* If both ss and ssv2 exist, as required evaluate them independently. */
- for (i = 0; i < n_v1; i++)
- if (find(sk_ESS_CERT_ID_value(ss->cert_ids, i), NULL, i, chain) <= 0)
- return 0;
- for (i = 0; i < n_v2; i++)
- if (find(NULL, sk_ESS_CERT_ID_V2_value(ssv2->cert_ids, i), i, chain) <= 0)
- return 0;
+ for (i = 0; i < n_v1; i++) {
+ ret = find(sk_ESS_CERT_ID_value(ss->cert_ids, i), NULL, i, chain);
+ if (ret <= 0)
+ return ret;
+ }
+ for (i = 0; i < n_v2; i++) {
+ ret = find(NULL, sk_ESS_CERT_ID_V2_value(ssv2->cert_ids, i), i, chain);
+ if (ret <= 0)
+ return ret;
+ }
return 1;
}
certs = ctx->flags & TS_ESS_CERT_ID_CHAIN ? ctx->certs : NULL;
if (ctx->ess_cert_id_digest == NULL
|| EVP_MD_is_a(ctx->ess_cert_id_digest, SN_sha1)) {
- if ((sc = ossl_ess_signing_cert_new_init(ctx->signer_cert,
+ if ((sc = OSSL_ESS_signing_cert_new_init(ctx->signer_cert,
certs, 0)) == NULL)
goto err;
goto err;
}
} else {
- sc2 = ossl_ess_signing_cert_v2_new_init(ctx->ess_cert_id_digest,
+ sc2 = OSSL_ESS_signing_cert_v2_new_init(ctx->ess_cert_id_digest,
ctx->signer_cert, certs, 0);
if (sc2 == NULL)
goto err;
{
ESS_SIGNING_CERT *ss = ossl_ess_get_signing_cert(si);
ESS_SIGNING_CERT_V2 *ssv2 = ossl_ess_get_signing_cert_v2(si);
- int ret = ossl_ess_check_signing_certs(ss, ssv2, chain, 1);
+ int ret = OSSL_ESS_check_signing_certs(ss, ssv2, chain, 1) > 0;
ESS_SIGNING_CERT_free(ss);
ESS_SIGNING_CERT_V2_free(ssv2);
GENERATE[html/man3/OSSL_ENCODER_to_bio.html]=man3/OSSL_ENCODER_to_bio.pod
DEPEND[man/man3/OSSL_ENCODER_to_bio.3]=man3/OSSL_ENCODER_to_bio.pod
GENERATE[man/man3/OSSL_ENCODER_to_bio.3]=man3/OSSL_ENCODER_to_bio.pod
+DEPEND[html/man3/OSSL_ESS_check_signing_certs.html]=man3/OSSL_ESS_check_signing_certs.pod
+GENERATE[html/man3/OSSL_ESS_check_signing_certs.html]=man3/OSSL_ESS_check_signing_certs.pod
+DEPEND[man/man3/OSSL_ESS_check_signing_certs.3]=man3/OSSL_ESS_check_signing_certs.pod
+GENERATE[man/man3/OSSL_ESS_check_signing_certs.3]=man3/OSSL_ESS_check_signing_certs.pod
DEPEND[html/man3/OSSL_HTTP_REQ_CTX.html]=man3/OSSL_HTTP_REQ_CTX.pod
GENERATE[html/man3/OSSL_HTTP_REQ_CTX.html]=man3/OSSL_HTTP_REQ_CTX.pod
DEPEND[man/man3/OSSL_HTTP_REQ_CTX.3]=man3/OSSL_HTTP_REQ_CTX.pod
html/man3/OSSL_ENCODER_CTX.html \
html/man3/OSSL_ENCODER_CTX_new_for_pkey.html \
html/man3/OSSL_ENCODER_to_bio.html \
+html/man3/OSSL_ESS_check_signing_certs.html \
html/man3/OSSL_HTTP_REQ_CTX.html \
html/man3/OSSL_HTTP_parse_url.html \
html/man3/OSSL_HTTP_transfer.html \
man/man3/OSSL_ENCODER_CTX.3 \
man/man3/OSSL_ENCODER_CTX_new_for_pkey.3 \
man/man3/OSSL_ENCODER_to_bio.3 \
+man/man3/OSSL_ESS_check_signing_certs.3 \
man/man3/OSSL_HTTP_REQ_CTX.3 \
man/man3/OSSL_HTTP_parse_url.3 \
man/man3/OSSL_HTTP_transfer.3 \
=head1 SEE ALSO
+L<OSSL_ESS_check_signing_certs(3)>,
L<ERR_get_error(3)>, L<CMS_sign(3)>
=head1 COPYRIGHT
--- /dev/null
+=pod
+
+=head1 NAME
+
+OSSL_ESS_signing_cert_new_init,
+OSSL_ESS_signing_cert_v2_new_init,
+OSSL_ESS_check_signing_certs
+- Enhanced Security Services (ESS) functions
+
+=head1 SYNOPSIS
+
+ #include <openssl/ess.h>
+
+ ESS_SIGNING_CERT *OSSL_ESS_signing_cert_new_init(const X509 *signcert,
+ const STACK_OF(X509) *certs,
+ int set_issuer_serial);
+ ESS_SIGNING_CERT_V2 *OSSL_ESS_signing_cert_v2_new_init(const EVP_MD *hash_alg,
+ const X509 *signcert,
+ const
+ STACK_OF(X509) *certs,
+ int set_issuer_serial);
+ int OSSL_ESS_check_signing_certs(const ESS_SIGNING_CERT *ss,
+ const ESS_SIGNING_CERT_V2 *ssv2,
+ const STACK_OF(X509) *chain,
+ int require_signing_cert);
+
+=head1 DESCRIPTION
+
+OSSL_ESS_signing_cert_new_init() generates a new B<ESS_SIGNING_CERT> structure
+referencing the given I<signcert> and any given further I<certs>
+using their SHA-1 fingerprints.
+If I<set_issuer_serial> is nonzero then also the issuer and serial number
+of I<signcert> are included in the B<ESS_CERT_ID> as the B<issuerSerial> field.
+For all members of I<certs> the B<issuerSerial> field is always included.
+
+OSSL_ESS_signing_cert_v2_new_init() is the same as
+OSSL_ESS_signing_cert_new_init() except that it uses the given I<hash_alg> and
+generates a B<ESS_SIGNING_CERT_V2> structure with B<ESS_CERT_ID_V2> elements.
+
+OSSL_ESS_check_signing_certs() checks if the validation chain I<chain> contains
+the certificates required by the identifiers given in I<ss> and/or I<ssv2>.
+If I<require_signing_cert> is nonzero, I<ss> or I<ssv2> must not be NULL.
+If both I<ss> and I<ssv2> are not NULL, they are evaluated independently.
+The list of certificate identifiers in I<ss> is of type B<ESS_CERT_ID>,
+while the list contained in I<ssv2> is of type B<ESS_CERT_ID_V2>.
+As far as these lists are present, they must be nonempty.
+The certificate identified by their first entry must be the first element of
+I<chain>, i.e. the signer certificate.
+Any further certficates referenced in the list must also be found in I<chain>.
+The matching is done using the given certificate hash algorithm and value.
+In addition to the checks required by RFCs 2624 and 5035,
+if the B<issuerSerial> field is included in an B<ESSCertID> or B<ESSCertIDv2>
+it must match the certificate issuer and serial number attributes.
+
+=head1 NOTES
+
+ESS has been defined in RFC 2634, which has been updated in RFC 5035
+(ESS version 2) to support hash algorithms other than SHA-1.
+This is used for TSP (RFC 3161) and CAdES-BES (informational RFC 5126).
+
+=head1 RETURN VALUES
+
+OSSL_ESS_signing_cert_new_init() and OSSL_ESS_signing_cert_v2_new_init()
+return a pointer to the new structure or NULL on malloc failure.
+
+OSSL_ESS_check_signing_certs() returns 1 on success,
+0 if a required certificate cannot be found, -1 on other error.
+
+=head1 SEE ALSO
+
+L<TS_VERIFY_CTX_set_certs(3)>,
+L<CMS_verify(3)>
+
+=head1 HISTORY
+
+OSSL_ESS_signing_cert_new_init(), OSSL_ESS_signing_cert_v2_new_init(), and
+OSSL_ESS_check_signing_certs() were added in OpenSSL 3.0.
+
+=head1 COPYRIGHT
+
+Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
TS_VERIFY_CTX_set_certs() returns the stack of B<X509> certificates the user
passes in via parameter B<certs>.
+=head1 SEE ALSO
+
+L<OSSL_ESS_check_signing_certs(3)>
+
=head1 HISTORY
The spelling of TS_VERIFY_CTX_set_certs() was corrected in OpenSSL 3.0.0.
# define OSSL_CRYPTO_ESS_H
# pragma once
-/* internal ESS related stuff */
+/* internal ESS related functions used for TS */
+/* TODO move these four decls to a new include/crypto/ts.h */
ESS_SIGNING_CERT *ossl_ess_get_signing_cert(const PKCS7_SIGNER_INFO *si);
int ossl_ess_signing_cert_add(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT *sc);
-ESS_SIGNING_CERT *ossl_ess_signing_cert_new_init(X509 *signcert,
- STACK_OF(X509) *certs,
- int issuer_needed);
-
ESS_SIGNING_CERT_V2 *ossl_ess_get_signing_cert_v2(const PKCS7_SIGNER_INFO *si);
int ossl_ess_signing_cert_v2_add(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT_V2 *sc);
-ESS_SIGNING_CERT_V2 *ossl_ess_signing_cert_v2_new_init(const EVP_MD *hash_alg,
- X509 *signcert,
- STACK_OF(X509) *certs,
- int issuer_needed);
-
-int ossl_ess_check_signing_certs(const ESS_SIGNING_CERT *ss,
- const ESS_SIGNING_CERT_V2 *ssv2,
- const STACK_OF(X509) *chain,
- int require_signing_cert);
+/* internal ESS stuff */
/*-
* IssuerSerial ::= SEQUENCE {
generate_stack_macros("ESS_CERT_ID_V2");
-}
-
DECLARE_ASN1_ALLOC_FUNCTIONS(ESS_ISSUER_SERIAL)
DECLARE_ASN1_ENCODE_FUNCTIONS_only(ESS_ISSUER_SERIAL, ESS_ISSUER_SERIAL)
DECLARE_ASN1_DUP_FUNCTION(ESS_ISSUER_SERIAL)
DECLARE_ASN1_ENCODE_FUNCTIONS_only(ESS_SIGNING_CERT_V2, ESS_SIGNING_CERT_V2)
DECLARE_ASN1_DUP_FUNCTION(ESS_SIGNING_CERT_V2)
+ESS_SIGNING_CERT *OSSL_ESS_signing_cert_new_init(const X509 *signcert,
+ const STACK_OF(X509) *certs,
+ int set_issuer_serial);
+ESS_SIGNING_CERT_V2 *OSSL_ESS_signing_cert_v2_new_init(const EVP_MD *hash_alg,
+ const X509 *signcert,
+ const
+ STACK_OF(X509) *certs,
+ int set_issuer_serial);
+int OSSL_ESS_check_signing_certs(const ESS_SIGNING_CERT *ss,
+ const ESS_SIGNING_CERT_V2 *ssv2,
+ const STACK_OF(X509) *chain,
+ int require_signing_cert);
+
# ifdef __cplusplus
}
# endif
# include <openssl/symhacks.h>
# include <openssl/cryptoerr_legacy.h>
-
-
/*
* ESS reason codes.
*/
[ @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
"-certfile", catfile($smdir, "smroot.pem"),
"-signer", catfile($smdir, "smrsa1.pem"), "-out", "{output}.cms" ],
- "fail to verify token because requiring CAdES-BES compatibility",
+ "fail to verify token since requiring CAdES-BES compatibility",
[ @prov, "-verify", "-cades", "-in", "{output}.cms", "-inform", "DER",
"-CAfile", catfile($smdir, "smroot.pem"), "-out", "{output}.txt" ],
\&final_compare
RAND_set_seed_source_type ? 3_0_0 EXIST::FUNCTION:
BN_mod_exp_mont_consttime_x2 ? 3_0_0 EXIST::FUNCTION:
BIO_f_readbuffer ? 3_0_0 EXIST::FUNCTION:
+OSSL_ESS_check_signing_certs ? 3_0_0 EXIST::FUNCTION:
+OSSL_ESS_signing_cert_new_init ? 3_0_0 EXIST::FUNCTION:
+OSSL_ESS_signing_cert_v2_new_init ? 3_0_0 EXIST::FUNCTION:
EVP_DigestInit_ex2 ? 3_0_0 EXIST::FUNCTION:
EVP_EncryptInit_ex2 ? 3_0_0 EXIST::FUNCTION:
EVP_DecryptInit_ex2 ? 3_0_0 EXIST::FUNCTION:
projects / thirdparty / openssl.git / commitdiff
