From: Rajeev Ranjan Date: Tue, 11 Apr 2023 08:19:15 +0000 (+0200) Subject: CMP: support specifying certificate to be revoked via issuer and serial number X-Git-Tag: openssl-3.2.0-alpha1~483 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1d32ec20feae7320ddb2b929441688377b912a40;p=thirdparty%2Fopenssl.git CMP: support specifying certificate to be revoked via issuer and serial number Reviewed-by: Tomas Mraz Reviewed-by: Dmitry Belyavskiy Reviewed-by: David von Oheimb (Merged from https://github.com/openssl/openssl/pull/21116)
---
diff --git a/apps/cmp.c b/apps/cmp.c
index aaee740e5a8..38f665ae74d 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -113,7 +113,6 @@ static int opt_infotype = NID_undef;
 static char *opt_newkey = NULL;
 static char *opt_newkeypass = NULL;
 static char *opt_subject = NULL;
-static char *opt_issuer = NULL;
 static int opt_days = 0;
 static char *opt_reqexts = NULL;
 static char *opt_sans = NULL;
@@ -131,6 +130,8 @@ static char *opt_chainout = NULL;
 /* certificate enrollment and revocation */
 static char *opt_oldcert = NULL;
+static char *opt_issuer = NULL;
+static char *opt_serial = NULL;
 static int opt_revreason = CRL_REASON_NONE;
 /* credentials format */
@@ -203,7 +204,7 @@ typedef enum OPTION_choice {
 OPT_CMD, OPT_INFOTYPE, OPT_GENINFO,
- OPT_NEWKEY, OPT_NEWKEYPASS, OPT_SUBJECT, OPT_ISSUER,
+ OPT_NEWKEY, OPT_NEWKEYPASS, OPT_SUBJECT,
 OPT_DAYS, OPT_REQEXTS, OPT_SANS, OPT_SAN_NODEFAULT, OPT_POLICIES, OPT_POLICY_OIDS, OPT_POLICY_OIDS_CRITICAL,
@@ -211,7 +212,7 @@ typedef enum OPTION_choice {
 OPT_OUT_TRUSTED, OPT_IMPLICIT_CONFIRM, OPT_DISABLE_CONFIRM, OPT_CERTOUT, OPT_CHAINOUT,
- OPT_OLDCERT, OPT_REVREASON,
+ OPT_OLDCERT, OPT_ISSUER, OPT_SERIAL, OPT_REVREASON,
 #if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_HTTP)
 OPT_SERVER, OPT_PROXY, OPT_NO_PROXY,
@@ -293,10 +294,6 @@ const OPTIONS cmp_options[] = {
 "For kur, default is subject of -csr arg or reference cert (see -oldcert)"},
 {OPT_MORE_STR, 0, 0,
 "this default is used for ir and cr only if no Subject Alt Names are set"},
- {"issuer", OPT_ISSUER, 's',
- "DN of the issuer to place in the requested certificate template"},
- {OPT_MORE_STR, 0, 0,
- "also used as recipient if neither -recipient nor -srvcert are given"},
 {"days", OPT_DAYS, 'N',
 "Requested validity time of the new certificate in number of days"},
 {"reqexts", OPT_REQEXTS, 's',
@@ -340,6 +337,12 @@ const OPTIONS cmp_options[] = {
 "also used as reference (defaulting to -cert) for subject DN and SANs."},
 {OPT_MORE_STR, 0, 0,
 "Issuer is used as recipient unless -recipient, -srvcert, or -issuer given"},
+ {"issuer", OPT_ISSUER, 's',
+ "DN of the issuer to place in the certificate template of ir/cr/kur/rr;"},
+ {OPT_MORE_STR, 0, 0,
+ "also used as recipient if neither -recipient nor -srvcert are given"},
+ {"serial", OPT_SERIAL, 's',
+ "Serial number of certificate to be revoked in revocation request (rr)"},
 {"revreason", OPT_REVREASON, 'n',
 "Reason code to include in revocation request (rr); possible values:"},
 {OPT_MORE_STR, 0, 0,
@@ -560,7 +563,7 @@ static varref cmp_vars[] = { /* must be in same order as enumerated above! */
 {&opt_cmd_s}, {&opt_infotype_s}, {&opt_geninfo},
- {&opt_newkey}, {&opt_newkeypass}, {&opt_subject}, {&opt_issuer},
+ {&opt_newkey}, {&opt_newkeypass}, {&opt_subject},
 {(char **)&opt_days}, {&opt_reqexts}, {&opt_sans}, {(char **)&opt_san_nodefault}, {&opt_policies}, {&opt_policy_oids}, {(char **)&opt_policy_oids_critical},
@@ -569,7 +572,7 @@ static varref cmp_vars[] = { /* must be in same order as enumerated above! */
 {(char **)&opt_implicit_confirm}, {(char **)&opt_disable_confirm}, {&opt_certout}, {&opt_chainout},
- {&opt_oldcert}, {(char **)&opt_revreason},
+ {&opt_oldcert}, {&opt_issuer}, {&opt_serial}, {(char **)&opt_revreason},
 #if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_HTTP)
 {&opt_server}, {&opt_proxy}, {&opt_no_proxy},
@@ -1509,9 +1512,9 @@ static int setup_protection_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
 }
 /*
- * set up IR/CR/KUR/CertConf/RR specific parts of the OSSL_CMP_CTX
- * based on options from config file/CLI.
- * Returns pointer on success, NULL on error
+ * Set up IR/CR/P10CR/KUR/CertConf/RR/GENM specific parts of the OSSL_CMP_CTX
+ * based on options from CLI and/or config file.
+ * Returns 1 on success, 0 on error
 */
 static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
 {
@@ -1524,6 +1527,8 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
 && opt_cmd != CMP_RR && opt_cmd != CMP_GENM)
 CMP_warn("no -subject given; no -csr or -oldcert or -cert available for fallback");
+ if (!set_name(opt_issuer, OSSL_CMP_CTX_set1_issuer, ctx, "issuer"))
+ return 0;
 if (opt_cmd == CMP_IR || opt_cmd == CMP_CR || opt_cmd == CMP_KUR) {
 if (opt_newkey == NULL && opt_key == NULL && opt_csr == NULL && opt_oldcert == NULL) {
@@ -1548,8 +1553,7 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
 CMP_err("-certout not given, nowhere to save newly enrolled certificate");
 return 0;
 }
- if (!set_name(opt_subject, OSSL_CMP_CTX_set1_subjectName, ctx, "subject")
- || !set_name(opt_issuer, OSSL_CMP_CTX_set1_issuer, ctx, "issuer"))
+ if (!set_name(opt_subject, OSSL_CMP_CTX_set1_subjectName, ctx, "subject"))
 return 0;
 } else {
 const char *msg = "option is ignored for commands other than 'ir', 'cr', and 'kur'";
@@ -1563,8 +1567,8 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
 CMP_warn1("-subject %s since sender is taken from -ref or -cert", msg);
 }
 }
- if (opt_issuer != NULL)
- CMP_warn1("-issuer %s", msg);
+ if (opt_issuer != NULL && opt_cmd != CMP_RR)
+ CMP_warn1("-issuer %s and 'rr'", msg);
 if (opt_reqexts != NULL)
 CMP_warn1("-reqexts %s", msg);
 if (opt_san_nodefault)
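Review bot: The new warning text concatenates badly: `msg` is defined in the enclosing else-branch (hunk at -1548) as "option is ignored for commands other than 'ir', 'cr', and 'kur'", so the added `CMP_warn1("-issuer %s and 'rr'", msg);` prints "... 'cr', and 'kur' and 'rr'". Either rephrase the suffix, e.g. `CMP_warn1("-issuer %s (and 'rr')", msg);`, or give -issuer its own complete string listing the four commands. The else-branch that holds `msg` starts in the previous hunk and ends outside this one.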
@@ -1598,12 +1602,44 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
 opt_subject, ref_cert != NULL ? ref_cert : opt_csr);
 }
 if (opt_cmd == CMP_RR) {
- if (opt_oldcert == NULL && opt_csr == NULL) {
- CMP_err("missing -oldcert for certificate to be revoked and no -csr given");
- return 0;
+ if (opt_issuer == NULL && opt_serial == NULL) {
+ if (opt_oldcert == NULL && opt_csr == NULL) {
+ CMP_err("missing -oldcert or -issuer and -serial for certificate to be revoked and no -csr given");
+ return 0;
+ }
+ if (opt_oldcert != NULL && opt_csr != NULL)
+ CMP_warn("ignoring -csr since certificate to be revoked is given");
+ } else {
+#define OSSL_CMP_RR_MSG "since -issuer and -serial is given for command 'rr'"
+ if (opt_issuer == NULL || opt_serial == NULL) {
+ CMP_err("Must give both -issuer and -serial options or neither");
+ return 0;
+ }
+ if (opt_oldcert != NULL)
+ CMP_warn("Ignoring -oldcert " OSSL_CMP_RR_MSG);
+ if (opt_csr != NULL)
+ CMP_warn("Ignoring -csr " OSSL_CMP_RR_MSG);
+ }
+ if (opt_serial != NULL) {
+ ASN1_INTEGER *sno;
+
+ if ((sno = s2i_ASN1_INTEGER(NULL, opt_serial)) == NULL) {
+ CMP_err1("cannot read serial number: '%s'", opt_serial);
+ return 0;
+ }
+ if (!OSSL_CMP_CTX_set1_serialNumber(ctx, sno)) {
+ ASN1_INTEGER_free(sno);
+ CMP_err("out of memory");
+ return 0;
+ }
+ ASN1_INTEGER_free(sno);
 }
- if (opt_oldcert != NULL && opt_csr != NULL)
- CMP_warn("ignoring -csr since certificate to be revoked is given");
+ if (opt_revreason > CRL_REASON_NONE)
+ (void)OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_REVOCATION_REASON,
+ opt_revreason);
+ } else {
+ if (opt_serial != NULL)
+ CMP_warn("Ignoring -serial for command other than 'rr'");
 }
 if (opt_cmd == CMP_P10CR && opt_csr == NULL) {
 CMP_err("missing PKCS#10 CSR for p10cr");
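Review bot: `OSSL_CMP_RR_MSG` is `#define`d inside the else-branch of setup_request_ctx and never undefined, so the macro stays visible for the rest of the translation unit, and it carries the public `OSSL_CMP_` prefix although it is private to the app; add `#undef OSSL_CMP_RR_MSG` after its second use, or drop the macro and pass the text as an argument: `CMP_warn1("Ignoring -csr %s", "since -issuer and -serial are given for command 'rr'");`. That message should also say "are given" rather than "is given", as it refers to two options. In the same hunk a `-serial` given with a non-rr command is warned about, while `-revreason`, whose application now happens only inside the `opt_cmd == CMP_RR` branch (the unconditional call is removed in the hunk at -1769), appears to be dropped silently for other commands; a matching `CMP_warn("Ignoring -revreason for command other than 'rr'")` in the final else-branch would keep the two consistent. setup_request_ctx continues beyond this hunk.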
@@ -1769,9 +1805,6 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
 }
 }
 cleanse(opt_keypass);
- if (opt_revreason > CRL_REASON_NONE)
- (void)OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_REVOCATION_REASON,
- opt_revreason);
 return 1;
@@ -2540,9 +2573,6 @@ static int get_opts(int argc, char **argv)
 case OPT_SUBJECT:
 opt_subject = opt_str();
 break;
- case OPT_ISSUER:
- opt_issuer = opt_str();
- break;
 case OPT_DAYS:
 opt_days = opt_int_arg();
 break;
@@ -2602,6 +2632,12 @@ static int get_opts(int argc, char **argv)
 goto opthelp;
 }
 break;
+ case OPT_ISSUER:
+ opt_issuer = opt_str();
+ break;
+ case OPT_SERIAL:
+ opt_serial = opt_arg();
+ break;
 case OPT_CERTFORM:
 opt_certform_s = opt_str();
 break;
diff --git a/crypto/cmp/cmp_client.c b/crypto/cmp/cmp_client.c
index 071c02b1876..fbbcdd21d29 100644
--- a/crypto/cmp/cmp_client.c
+++ b/crypto/cmp/cmp_client.c
@@ -776,7 +776,8 @@ int OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx)
 return 0;
 }
 ctx->status = OSSL_CMP_PKISTATUS_request;
- if (ctx->oldCert == NULL && ctx->p10CSR == NULL) {
+ if (ctx->oldCert == NULL && ctx->p10CSR == NULL
+ && (ctx->serialNumber == NULL || ctx->issuer == NULL)) {
 ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_REFERENCE_CERT);
 return 0;
 }
diff --git a/crypto/cmp/cmp_ctx.c b/crypto/cmp/cmp_ctx.c
index 2b8bd2bd2e0..ce8e94662e7 100644
--- a/crypto/cmp/cmp_ctx.c
+++ b/crypto/cmp/cmp_ctx.c
@@ -230,6 +230,7 @@ void OSSL_CMP_CTX_free(OSSL_CMP_CTX *ctx)
 EVP_PKEY_free(ctx->newPkey);
 X509_NAME_free(ctx->issuer);
+ ASN1_INTEGER_free(ctx->serialNumber);
 X509_NAME_free(ctx->subjectName);
 sk_GENERAL_NAME_pop_free(ctx->subjectAltNames, GENERAL_NAME_free);
 X509_EXTENSIONS_free(ctx->reqExtensions);
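Review bot: In the get_opts hunk at -2602 the new `OPT_SERIAL` case reads its argument with `opt_arg()`, while the `OPT_ISSUER` case added right next to it and the neighbouring `OPT_SUBJECT`/`OPT_CERTFORM` cases use `opt_str()`. If `opt_str()` is the file's wrapper that normalises an empty argument (its body is not in this patch), `-serial ""` bypasses that and is only rejected later by s2i_ASN1_INTEGER; `opt_serial = opt_str();` would keep the string options uniform. In the cmp_client.c hunk the relaxed check still reports CMP_R_MISSING_REFERENCE_CERT when only one of issuer and serialNumber is set, which is correct but gives no hint that the pair is incomplete at the API level. get_opts and OSSL_CMP_exec_RR_ses both extend beyond their hunks.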
@@ -615,6 +616,8 @@ DEFINE_OSSL_CMP_CTX_set1(expected_sender, X509_NAME)
 /* Set the X509 name of the issuer to be placed in the certTemplate */
 DEFINE_OSSL_CMP_CTX_set1(issuer, X509_NAME)
+/* Set the ASN1_INTEGER serial to be placed in the certTemplate for rr */
+DEFINE_OSSL_CMP_CTX_set1(serialNumber, ASN1_INTEGER)
 /*
 * Set the subject name that will be placed in the certificate
 * request. This will be the subject name on the received certificate.
diff --git a/crypto/cmp/cmp_local.h b/crypto/cmp/cmp_local.h
index b8168af06fb..18401ddb607 100644
--- a/crypto/cmp/cmp_local.h
+++ b/crypto/cmp/cmp_local.h
@@ -103,7 +103,8 @@ struct ossl_cmp_ctx_st {
 /* certificate template */
 EVP_PKEY *newPkey; /* explicit new private/public key for cert enrollment */
 int newPkey_priv; /* flag indicating if newPkey contains private key */
- X509_NAME *issuer; /* issuer name to used in cert template */
+ X509_NAME *issuer; /* issuer name to used in cert template, also in rr */
+ ASN1_INTEGER *serialNumber; /* certificate serial number to use in rr */
 int days; /* Number of days new certificates are asked to be valid for */
 X509_NAME *subjectName; /* subject name to be used in cert template */
 STACK_OF(GENERAL_NAME) *subjectAltNames; /* to add to the cert template */
diff --git a/crypto/cmp/cmp_msg.c b/crypto/cmp/cmp_msg.c
index 806abe599d6..242ba866d5e 100644
--- a/crypto/cmp/cmp_msg.c
+++ b/crypto/cmp/cmp_msg.c
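Review bot: The rewritten comment on `X509_NAME *issuer` in the cmp_local.h hunk keeps the pre-existing typo "to used"; since the line is replaced anyway it should read `X509_NAME *issuer; /* issuer name to be used in cert template, also in rr */`. The comment on the new `serialNumber` field could also record that it is only honoured together with `issuer`, which is how both cmp_client.c and cmp_msg.c consult it in this patch: `ASN1_INTEGER *serialNumber; /* cert serial number to use in rr, only together with issuer */`. The struct definition continues outside the hunk.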
@@ -518,27 +518,38 @@ OSSL_CMP_MSG *ossl_cmp_certrep_new(OSSL_CMP_CTX *ctx, int bodytype,
 OSSL_CMP_MSG *ossl_cmp_rr_new(OSSL_CMP_CTX *ctx)
 {
 OSSL_CMP_MSG *msg = NULL;
+ const X509_NAME *issuer = NULL;
+ const X509_NAME *subject = NULL;
+ const ASN1_INTEGER *serialNumber = NULL;
+ EVP_PKEY *pubkey = NULL;
 OSSL_CMP_REVDETAILS *rd;
 int ret;
- if (!ossl_assert(ctx != NULL && (ctx->oldCert != NULL
- || ctx->p10CSR != NULL)))
+ if (!ossl_assert(ctx != NULL
+ && (ctx->oldCert != NULL || ctx->p10CSR != NULL
+ || (ctx->serialNumber != NULL && ctx->issuer != NULL))))
 return NULL;
 if ((rd = OSSL_CMP_REVDETAILS_new()) == NULL)
 goto err;
+ if (ctx->serialNumber != NULL && ctx->issuer != NULL) {
+ issuer = ctx->issuer;
+ serialNumber = ctx->serialNumber;
+ } else if (ctx->oldCert != NULL) {
+ issuer = X509_get_issuer_name(ctx->oldCert);
+ serialNumber = X509_get0_serialNumber(ctx->oldCert);
+ } else if (ctx->p10CSR != NULL) {
+ pubkey = X509_REQ_get0_pubkey(ctx->p10CSR);
+ subject = X509_REQ_get_subject_name(ctx->p10CSR);
+ }
+ else {
+ goto err;
+ }
+
 /* Fill the template from the contents of the certificate to be revoked */
- ret = ctx->oldCert != NULL
- ? OSSL_CRMF_CERTTEMPLATE_fill(rd->certDetails,
- NULL /* pubkey would be redundant */,
- NULL /* subject would be redundant */,
- X509_get_issuer_name(ctx->oldCert),
- X509_get0_serialNumber(ctx->oldCert))
- : OSSL_CRMF_CERTTEMPLATE_fill(rd->certDetails,
- X509_REQ_get0_pubkey(ctx->p10CSR),
- X509_REQ_get_subject_name(ctx->p10CSR),
- NULL, NULL);
+ ret = OSSL_CRMF_CERTTEMPLATE_fill(rd->certDetails, pubkey, subject,
+ issuer, serialNumber);
 if (!ret)
 goto err;
diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in
index 252d2a82ebe..8ec87170feb 100644
--- a/doc/man1/openssl-cmp.pod.in
+++ b/doc/man1/openssl-cmp.pod.in
@@ -24,7 +24,6 @@ Certificate enrollment options:
 [B<-newkey> I|I]
 [B<-newkeypass> I]
 [B<-subject> I]
-[B<-issuer> I]
 [B<-days> I]
 [B<-reqexts> I]
 [B<-sans> I]
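Review bot: The final `else` in ossl_cmp_rr_new is placed on its own line (`}` then `else {`), unlike the `} else if` lines directly above it and the K&R style of the rest of the function; write it as `} else {`. That branch is also unreachable while the `ossl_assert` above tests the same three conditions, and if it were ever reached it would fail without an error entry, so either drop it or raise before jumping: `ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_REFERENCE_CERT); goto err;`. The unchanged comment `/* Fill the template from the contents of the certificate to be revoked */` now describes only the oldCert path, since the template may instead come from the explicit issuer/serial pair or from the CSR's subject and public key; `/* Fill the template from whichever identification of the certificate to be revoked was selected above */` would match all three branches. ossl_cmp_rr_new continues beyond this hunk.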
@@ -43,6 +42,8 @@ Certificate enrollment options: Certificate enrollment and revocation options: [B<-oldcert> I|I] +[B<-issuer> I] +[B<-serial> I] [B<-revreason> I] Message transfer options: @@ -292,18 +293,6 @@ Example: C -=item B<-issuer> I - -X.509 Distinguished Name (DN) use as issuer field -in the requested certificate template in IR/CR/KUR messages. -If the NULL-DN (C) is given then no issuer is placed in the template. - -If provided and neither B<-recipient> nor B<-srvcert> is given, -the issuer DN is used as fallback recipient of outgoing CMP messages. - -The argument must be formatted as I. -For details see the description of the B<-subject> option. - =item B<-days> I Number of days the new certificate is requested to be valid for, counting from @@ -421,6 +410,7 @@ The certificate to be updated (i.e., renewed or re-keyed) in Key Update Request For KUR the certificate to be updated defaults to B<-cert>, and the resulting certificate is called I. For RR the certificate to be revoked can also be specified using B<-csr>. +B<-oldcert> and B<-csr> is ignored if B<-issuer> and B<-serial> is provided. The reference certificate, if any, is also used for deriving default subject DN and Subject Alternative Names and the 
@@ -430,6 +420,23 @@ Its subject is used as sender of outgoing messages if B<-cert> is not given. Its issuer is used as default recipient in CMP message headers if neither B<-recipient>, B<-srvcert>, nor B<-issuer> is given. +=item B<-issuer> I + +X.509 Distinguished Name (DN) use as issuer field +in the requested certificate template in IR/CR/KUR/RR messages. +If the NULL-DN (C) is given then no issuer is placed in the template. + +If provided and neither B<-recipient> nor B<-srvcert> is given, +the issuer DN is used as fallback recipient of outgoing CMP messages. + +The argument must be formatted as I. +For details see the description of the B<-subject> option. + +=item B<-serial> I + +Specify the Serial number of certificate to be revoked in revocation request. +The serial number can be decimal or hex (if preceded by C<0x>) + =item B<-revreason> I Set CRLReason to be included in revocation request (RR); values: C<0>..C<10> diff --git a/doc/man3/OSSL_CMP_CTX_new.pod b/doc/man3/OSSL_CMP_CTX_new.pod index 9c1aa6f88a5..b5cca827b25 100644 --- a/doc/man3/OSSL_CMP_CTX_new.pod +++ b/doc/man3/OSSL_CMP_CTX_new.pod @@ -43,6 +43,7 @@ OSSL_CMP_CTX_set1_extraCertsOut, OSSL_CMP_CTX_set0_newPkey, OSSL_CMP_CTX_get0_newPkey, OSSL_CMP_CTX_set1_issuer, +OSSL_CMP_CTX_set1_serialNumber, OSSL_CMP_CTX_set1_subjectName, OSSL_CMP_CTX_push1_subjectAltName, OSSL_CMP_CTX_set0_reqExtensions, @@ -133,6 +134,7 @@ OSSL_CMP_CTX_set1_senderNonce int OSSL_CMP_CTX_set0_newPkey(OSSL_CMP_CTX *ctx, int priv, EVP_PKEY *pkey); EVP_PKEY *OSSL_CMP_CTX_get0_newPkey(const OSSL_CMP_CTX *ctx, int priv); int OSSL_CMP_CTX_set1_issuer(OSSL_CMP_CTX *ctx, const X509_NAME *name); + int OSSL_CMP_CTX_set1_serialNumber(OSSL_CMP_CTX *ctx, const ASN1_INTEGER *sn); int OSSL_CMP_CTX_set1_subjectName(OSSL_CMP_CTX *ctx, const X509_NAME *name); int OSSL_CMP_CTX_push1_subjectAltName(OSSL_CMP_CTX *ctx, const GENERAL_NAME *name); 
@@ -467,7 +469,7 @@ The reference counts of those certificates handled successfully are increased. OSSL_CMP_CTX_get0_untrusted() returns a pointer to the list of untrusted certs in I, which may be empty if unset. -OSSL_CMP_CTX_set1_cert() sets the CMP signer certificate +OSSL_CMP_CTX_set1_cert() sets the CMP I related to the private key used for CMP message protection. Therefore the public key of this I must correspond to the private key set before or thereafter via OSSL_CMP_CTX_set1_pkey(). @@ -556,6 +558,9 @@ private component then NULL is returned. OSSL_CMP_CTX_set1_issuer() sets the name of the intended issuer that will be set in the CertTemplate, i.e., the X509 name of the CA server. +OSSL_CMP_CTX_set1_serialNumber() sets the serial number optionally used to +select the certificate to be revoked in Revocation Requests (RR). + OSSL_CMP_CTX_set1_subjectName() sets the subject DN that will be used in the CertTemplate structure when requesting a new cert. For Key Update Requests (KUR), it defaults to the subject DN of the reference certificate, 
@@ -588,17 +593,22 @@ to the X509_EXTENSIONS of the requested certificate template. OSSL_CMP_CTX_set1_oldCert() sets the old certificate to be updated in Key Update Requests (KUR) or to be revoked in Revocation Requests (RR). -It must be given for RR, else it defaults to the CMP signer certificate. -The I determined in this way, if any, is also used for -deriving default subject DN, public key, Subject Alternative Names, and the -default issuer entry in the requested certificate template of IR/CR/KUR. +For RR, this is ignored if an issuer name and a serial number are provided using +OSSL_CMP_CTX_set1_issuer() and OSSL_CMP_CTX_set1_serialNumber(), respectively. +For IR/CR/KUR this sets the I, +which otherwise defaults to the CMP signer certificate. +The I determined this way, if any, is used for providing +default public key, subject DN, Subject Alternative Names, and issuer DN entries +in the requested certificate template of IR/CR/KUR messages. + The subject of the reference certificate is used as the sender field value in CMP message headers. Its issuer is used as default recipient in CMP message headers. OSSL_CMP_CTX_set1_p10CSR() sets the PKCS#10 CSR to use in P10CR messages. -If such a CSR is provided, its subject, public key, and extension fields are -also used as fallback values for the certificate template of IR/CR/KUR messages. +If such a CSR is provided, its subject and public key fields are also +used as fallback values for the certificate template of IR/CR/KUR/RR messages, +and any extensions included are added to the template of IR/CR/KUR messages. OSSL_CMP_CTX_push0_genm_ITAV() adds I to the stack in the I which will be the body of a General Message sent with this context. 
@@ -829,6 +839,8 @@ OSSL_CMP_CTX_reset_geninfo_ITAVs() was added in OpenSSL 3.0.8. OSSL_CMP_CTX_get0_libctx(), OSSL_CMP_CTX_get0_propq(), and OSSL_CMP_CTX_get0_validatedSrvCert() were added in OpenSSL 3.2. +OSSL_CMP_CTX_set1_serialNumber() was added in OpenSSL 3.2. + =head1 COPYRIGHT Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man3/OSSL_CMP_exec_certreq.pod b/doc/man3/OSSL_CMP_exec_certreq.pod index a418657e3c4..b13a5058b0b 100644 --- a/doc/man3/OSSL_CMP_exec_certreq.pod +++ b/doc/man3/OSSL_CMP_exec_certreq.pod @@ -101,7 +101,12 @@ a negative value as the I argument then OSSL_CMP_try_certreq() aborts the CMP transaction by sending an error message to the server. OSSL_CMP_exec_RR_ses() requests the revocation of the certificate -specified in the I using L. +specified in the I using the issuer DN and serial number set by +OSSL_CMP_CTX_set1_issuer(3) and OSSL_CMP_CTX_set1_serialNumber(3), respectively, +otherwise the issuer DN and serial number +of the certificate set by L, +otherwise the subject DN and public key +of the certificate signing request set by L. RFC 4210 is vague in which PKIStatus should be returned by the server. We take "accepted" and "grantedWithMods" as clear success and handle "revocationWarning" and "revocationNotification" just as warnings because CAs diff --git a/include/openssl/cmp.h.in b/include/openssl/cmp.h.in index 7fb74f45609..b072eb5b37e 100644 --- a/include/openssl/cmp.h.in +++ b/include/openssl/cmp.h.in 
@@ -346,6 +346,7 @@ int OSSL_CMP_CTX_set1_extraCertsOut(OSSL_CMP_CTX *ctx,
 int OSSL_CMP_CTX_set0_newPkey(OSSL_CMP_CTX *ctx, int priv, EVP_PKEY *pkey);
 EVP_PKEY *OSSL_CMP_CTX_get0_newPkey(const OSSL_CMP_CTX *ctx, int priv);
 int OSSL_CMP_CTX_set1_issuer(OSSL_CMP_CTX *ctx, const X509_NAME *name);
+int OSSL_CMP_CTX_set1_serialNumber(OSSL_CMP_CTX *ctx, const ASN1_INTEGER *sn);
 int OSSL_CMP_CTX_set1_subjectName(OSSL_CMP_CTX *ctx, const X509_NAME *name);
 int OSSL_CMP_CTX_push1_subjectAltName(OSSL_CMP_CTX *ctx, const GENERAL_NAME *name);
diff --git a/test/recipes/80-test_cmp_http_data/test_commands.csv b/test/recipes/80-test_cmp_http_data/test_commands.csv
index 03b20fcc749..dc2e922aaaf 100644
--- a/test/recipes/80-test_cmp_http_data/test_commands.csv
+++ b/test/recipes/80-test_cmp_http_data/test_commands.csv
@@ -33,15 +33,23 @@ expected,description, -section,val, -cmd,val,val2, -cacertsout,val,val2, -infoty 1, --- get certificate for revocation ----, -section,, -cmd,cr,,BLANK,,,BLANK,,,BLANK,,BLANK, 1,revreason AACompromise, -section,, -cmd,rr,,BLANK,,,BLANK,,, -oldcert,_RESULT_DIR/test.cert.pem, -revreason,10 1, --- get certificate for revocation ----, -section,, -cmd,cr,,BLANK,,,BLANK,,,BLANK,,BLANK, -1, --- use csr for revocation ----, -section,, -cmd,rr,,BLANK,,,BLANK,,,BLANK,, -revreason,0, -csr,csr.pem -1, --- get certificate for revocation ----, -section,, -cmd,cr,,BLANK,,,BLANK,,,BLANK,,BLANK, -0,without oldcert, -section,, -cmd,rr,,BLANK,,,BLANK,,,BLANK,,BLANK, -0,oldcert file nonexistent, -section,, -cmd,rr,,BLANK,,,BLANK,,, -oldcert,idontexist,BLANK, -0,empty oldcert file, -section,, -cmd,rr,,BLANK,,,BLANK,,, -oldcert,empty.txt,BLANK, -0,oldcert and key do not match, -section,, -cmd,rr,,BLANK,,,BLANK,,, -oldcert,trusted.crt, -revreason,0 0,revreason 11 (invalid), -section,, -cmd,rr,,BLANK,,,BLANK,,, -oldcert,_RESULT_DIR/test.cert.pem, -revreason,11 0,revreason string, -section,, -cmd,rr,,BLANK,,,BLANK,,, -oldcert,_RESULT_DIR/test.cert.pem, -revreason,abc 0,revreason out of integer range, -section,, -cmd,rr,,BLANK,,,BLANK,,, -oldcert,_RESULT_DIR/test.cert.pem, -revreason,010000000000000000000 +1,use csr for revocation, -section,, -cmd,rr,,BLANK,,,BLANK,,,BLANK,, -revreason,0, -csr,csr.pem +1, --- get certificate for revocation ----, -section,, -cmd,cr,,BLANK,,,BLANK,,,BLANK,,BLANK, +1,use issuer and serial for revocation, -section,, -cmd,rr,,BLANK,,,BLANK,,,BLANK,, -revreason,-1,BLANK,,, -expect_sender,"""",-issuer,/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=subinterCA,-serial,0xA44DB0329A714A8D +1, --- get certificate for revocation ----, -section,, -cmd,cr,,BLANK,,,BLANK,,,BLANK,,BLANK, +0,use issuer but no serial for revocation, -section,, -cmd,rr,,BLANK,,,BLANK,,,BLANK,, -revreason,-1,BLANK,,, 
-expect_sender,"""",-issuer,/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=subinterCA,BLANK, +0,use serial but no issuer for revocation, -section,, -cmd,rr,,BLANK,,,BLANK,,,BLANK,, -revreason,-1,BLANK,,, -expect_sender,"""", -issuer, """", -serial, 0xA44DB0329A714A8D +0,wrong issuer for revocation, -section,, -cmd,rr,,BLANK,,,BLANK,,,BLANK,, -revreason,-1,BLANK,,, -expect_sender,"""", -issuer, /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=wrongCA, -serial, 0xA44DB0329A714A8D +0,bad issuer DN for revocation, -section,, -cmd,rr,,BLANK,,,BLANK,,,BLANK,, -revreason,-1,BLANK,,, -expect_sender,"""", -issuer, "'XYZ'", -serial, 0xA44DB0329A714A8D +0,wrong serial for revocation, -section,, -cmd,rr,,BLANK,,,BLANK,,,BLANK,, -revreason,-1,BLANK,,, -expect_sender,"""", -issuer, /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=subinterCA, -serial, 0xA44DB0329A714A00 +0,bad serial for revocation, -section,, -cmd,rr,,BLANK,,,BLANK,,,BLANK,, -revreason,-1,BLANK,,, -expect_sender,"""", -issuer, /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=subinterCA, -serial, xyz +0,rr without oldcert/csr/issuer/serial, -section,, -cmd,rr,,BLANK,,,BLANK,,,BLANK,,BLANK, +0,rr with oldcert file nonexistent, -section,, -cmd,rr,,BLANK,,,BLANK,,, -oldcert,idontexist,BLANK, +0,rr with empty oldcert file, -section,, -cmd,rr,,BLANK,,,BLANK,,, -oldcert,empty.txt,BLANK, +0,rr where oldcert and key do not match, -section,, -cmd,rr,,BLANK,,,BLANK,,, -oldcert,trusted.crt, -revreason,0 ,,,,,,,,,,,,,,,,, 1,ir + infotype, -section,, -cmd,ir,,BLANK,,, -infotype,signKeyPairTypes,,BLANK,,BLANK, 1,genm without -infotype, -section,, -cmd,genm,,BLANK,,, BLANK,,,BLANK,,BLANK, diff --git a/util/libcrypto.num b/util/libcrypto.num index 3195ccfbd89..de4c2b4fec6 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num 
@@ -5452,6 +5452,7 @@ OSSL_CMP_CTX_get0_libctx ? 3_2_0 EXIST::FUNCTION:CMP
 OSSL_CMP_CTX_get0_propq ? 3_2_0 EXIST::FUNCTION:CMP
 OSSL_CMP_CTX_reset_geninfo_ITAVs ? 3_0_8 EXIST::FUNCTION:CMP
 OSSL_CMP_CTX_get0_validatedSrvCert ? 3_2_0 EXIST::FUNCTION:CMP
+OSSL_CMP_CTX_set1_serialNumber ? 3_2_0 EXIST::FUNCTION:CMP
 OSSL_CMP_MSG_update_recipNonce ? 3_0_9 EXIST::FUNCTION:CMP
 OSSL_CRMF_CERTTEMPLATE_get0_publicKey ? 3_2_0 EXIST::FUNCTION:CRMF
 CMS_final_digest ? 3_2_0 EXIST::FUNCTION:CMS