From: Dr. David von Oheimb Date: Wed, 23 Jun 2021 11:40:50 +0000 (+0200) Subject: CMP: Clean up internal message creation API and its documentation X-Git-Tag: openssl-3.0.0-beta2~197 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7b3990e3f8c1d68c2afeb02a8f08f18f08916b95;p=thirdparty%2Fopenssl.git CMP: Clean up internal message creation API and its documentation Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/15879) --- diff --git a/crypto/cmp/cmp_local.h b/crypto/cmp/cmp_local.h index 9dba9e81699..e63150bcf6c 100644 --- a/crypto/cmp/cmp_local.h +++ b/crypto/cmp/cmp_local.h @@ -864,13 +864,14 @@ OSSL_CMP_MSG *ossl_cmp_msg_create(OSSL_CMP_CTX *ctx, int bodytype); OSSL_CMP_MSG *ossl_cmp_certreq_new(OSSL_CMP_CTX *ctx, int bodytype, const OSSL_CRMF_MSG *crm); OSSL_CMP_MSG *ossl_cmp_certrep_new(OSSL_CMP_CTX *ctx, int bodytype, - int certReqId, OSSL_CMP_PKISI *si, - X509 *cert, STACK_OF(X509) *chain, - STACK_OF(X509) *caPubs, int encrypted, + int certReqId, const OSSL_CMP_PKISI *si, + X509 *cert, const X509 *encryption_recip, + STACK_OF(X509) *chain, STACK_OF(X509) *caPubs, int unprotectedErrors); OSSL_CMP_MSG *ossl_cmp_rr_new(OSSL_CMP_CTX *ctx); -OSSL_CMP_MSG *ossl_cmp_rp_new(OSSL_CMP_CTX *ctx, OSSL_CMP_PKISI *si, - OSSL_CRMF_CERTID *certId, int unprot_err); +OSSL_CMP_MSG *ossl_cmp_rp_new(OSSL_CMP_CTX *ctx, const OSSL_CMP_PKISI *si, + const OSSL_CRMF_CERTID *cid, + int unprotectedErrors); OSSL_CMP_MSG *ossl_cmp_pkiconf_new(OSSL_CMP_CTX *ctx); OSSL_CMP_MSG *ossl_cmp_pollRep_new(OSSL_CMP_CTX *ctx, int crid, int64_t poll_after); 
@@ -880,9 +881,9 @@ int ossl_cmp_msg_gen_push1_ITAVs(OSSL_CMP_MSG *msg, OSSL_CMP_MSG *ossl_cmp_genm_new(OSSL_CMP_CTX *ctx); OSSL_CMP_MSG *ossl_cmp_genp_new(OSSL_CMP_CTX *ctx, const STACK_OF(OSSL_CMP_ITAV) *itavs); -OSSL_CMP_MSG *ossl_cmp_error_new(OSSL_CMP_CTX *ctx, OSSL_CMP_PKISI *si, - int errorCode, - const char *details, int unprotected); +OSSL_CMP_MSG *ossl_cmp_error_new(OSSL_CMP_CTX *ctx, const OSSL_CMP_PKISI *si, + int errorCode, const char *details, + int unprotected); int ossl_cmp_certstatus_set0_certHash(OSSL_CMP_CERTSTATUS *certStatus, ASN1_OCTET_STRING *hash); OSSL_CMP_MSG *ossl_cmp_certConf_new(OSSL_CMP_CTX *ctx, int fail_info, diff --git a/crypto/cmp/cmp_msg.c b/crypto/cmp/cmp_msg.c index cfe96f516de..ee501447264 100644 --- a/crypto/cmp/cmp_msg.c +++ b/crypto/cmp/cmp_msg.c @@ -454,9 +454,9 @@ OSSL_CMP_MSG *ossl_cmp_certreq_new(OSSL_CMP_CTX *ctx, int type, } OSSL_CMP_MSG *ossl_cmp_certrep_new(OSSL_CMP_CTX *ctx, int bodytype, - int certReqId, OSSL_CMP_PKISI *si, - X509 *cert, STACK_OF(X509) *chain, - STACK_OF(X509) *caPubs, int encrypted, + int certReqId, const OSSL_CMP_PKISI *si, + X509 *cert, const X509 *encryption_recip, + STACK_OF(X509) *chain, STACK_OF(X509) *caPubs, int unprotectedErrors) { OSSL_CMP_MSG *msg = NULL; @@ -486,8 +486,8 @@ OSSL_CMP_MSG *ossl_cmp_certrep_new(OSSL_CMP_CTX *ctx, int bodytype, status = ossl_cmp_pkisi_get_status(resp->status); if (status != OSSL_CMP_PKISTATUS_rejection && status != OSSL_CMP_PKISTATUS_waiting && cert != NULL) { - if (encrypted) { - ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS); + if (encryption_recip != NULL) { + ERR_raise(ERR_LIB_CMP, ERR_R_UNSUPPORTED); goto err; } 
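Review bot: In the `@@ -486` hunk of ossl_cmp_certrep_new, the `encryption_recip != NULL` check sits inside the branch guarded by `cert != NULL` and a status other than rejection or waiting, so on the other paths a non-NULL recipient is accepted and ignored without any error. Failing with `ERR_R_UNSUPPORTED` instead of sending the certificate unencrypted is the safe choice, but nothing at the site says so. I would add a comment above the check such as `/* encrypted cert delivery is not implemented: fail rather than send the cert in the clear */`. If callers are meant to learn early that the argument is unsupported, the check could move ahead of the status test. The function body starts and ends outside the hunk.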
@@ -579,8 +579,8 @@ OSSL_CMP_MSG *ossl_cmp_rr_new(OSSL_CMP_CTX *ctx) return NULL; } -OSSL_CMP_MSG *ossl_cmp_rp_new(OSSL_CMP_CTX *ctx, OSSL_CMP_PKISI *si, - OSSL_CRMF_CERTID *cid, int unprot_err) +OSSL_CMP_MSG *ossl_cmp_rp_new(OSSL_CMP_CTX *ctx, const OSSL_CMP_PKISI *si, + const OSSL_CRMF_CERTID *cid, int unprotectedErrors) { OSSL_CMP_REVREPCONTENT *rep = NULL; OSSL_CMP_PKISI *si1 = NULL; @@ -613,7 +613,7 @@ OSSL_CMP_MSG *ossl_cmp_rp_new(OSSL_CMP_CTX *ctx, OSSL_CMP_PKISI *si, } } - if (!unprot_err + if (!unprotectedErrors || ossl_cmp_pkisi_get_status(si) != OSSL_CMP_PKISTATUS_rejection) if (!ossl_cmp_msg_protect(ctx, msg)) goto err; @@ -726,9 +726,9 @@ OSSL_CMP_MSG *ossl_cmp_genp_new(OSSL_CMP_CTX *ctx, OSSL_CMP_PKIBODY_GENP, CMP_R_ERROR_CREATING_GENP); } -OSSL_CMP_MSG *ossl_cmp_error_new(OSSL_CMP_CTX *ctx, OSSL_CMP_PKISI *si, - int errorCode, - const char *details, int unprotected) +OSSL_CMP_MSG *ossl_cmp_error_new(OSSL_CMP_CTX *ctx, const OSSL_CMP_PKISI *si, + int errorCode, const char *details, + int unprotected) { OSSL_CMP_MSG *msg = NULL; OSSL_CMP_PKIFREETEXT *ft; diff --git a/crypto/cmp/cmp_server.c b/crypto/cmp/cmp_server.c index a7cc38da5af..345f312df45 100644 --- a/crypto/cmp/cmp_server.c +++ b/crypto/cmp/cmp_server.c @@ -226,7 +226,7 @@ static OSSL_CMP_MSG *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx, } msg = ossl_cmp_certrep_new(srv_ctx->ctx, bodytype, certReqId, si, - certOut, chainOut, caPubs, 0 /* encrypted */, + certOut, NULL /* enc */, chainOut, caPubs, srv_ctx->sendUnprotectedErrors); if (msg == NULL) ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_CERTREP); diff --git a/doc/internal/man3/ossl_cmp_certreq_new.pod b/doc/internal/man3/ossl_cmp_certreq_new.pod index 3c9654c18fe..ced9f01fc70 100644 --- a/doc/internal/man3/ossl_cmp_certreq_new.pod +++ b/doc/internal/man3/ossl_cmp_certreq_new.pod 
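Review bot: In the `@@ -613` hunk of ossl_cmp_rp_new, the decision to leave a response unprotected is spread over two nested brace-less `if` statements, which is easy to misread or to break when a line is added later. Because this condition controls whether message protection is skipped, I would fold it into one statement, `if ((!unprotectedErrors || ossl_cmp_pkisi_get_status(si) != OSSL_CMP_PKISTATUS_rejection) && !ossl_cmp_msg_protect(ctx, msg)) goto err;`, and add a comment like `/* only rejection responses may go out unprotected, and only if the caller allows it */`. As written, any status other than rejection, presumably including an error return from the getter, ends up on the protected side, which is the safe direction and worth keeping. The function body continues outside the hunk.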
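Review bot: In the cmp_server.c hunk, process_cert_request annotates the new argument as `NULL /* enc */`, which does not match the parameter name `encryption_recip` in the updated prototype and gives no hint that the feature is currently unsupported. I would write `NULL /* encryption_recip: not supported */` so the call site reads correctly next to the declaration. The function body starts and ends outside the hunk.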
@@ -17,46 +17,19 @@ ossl_cmp_error_new =head1 SYNOPSIS - #include - -# define OSSL_CMP_PKIBODY_IR 0 -# define OSSL_CMP_PKIBODY_IP 1 -# define OSSL_CMP_PKIBODY_CR 2 -# define OSSL_CMP_PKIBODY_CP 3 -# define OSSL_CMP_PKIBODY_P10CR 4 -# define OSSL_CMP_PKIBODY_POPDECC 5 -# define OSSL_CMP_PKIBODY_POPDECR 6 -# define OSSL_CMP_PKIBODY_KUR 7 -# define OSSL_CMP_PKIBODY_KUP 8 -# define OSSL_CMP_PKIBODY_KRR 9 -# define OSSL_CMP_PKIBODY_KRP 10 -# define OSSL_CMP_PKIBODY_RR 11 -# define OSSL_CMP_PKIBODY_RP 12 -# define OSSL_CMP_PKIBODY_CCR 13 -# define OSSL_CMP_PKIBODY_CCP 14 -# define OSSL_CMP_PKIBODY_CKUANN 15 -# define OSSL_CMP_PKIBODY_CANN 16 -# define OSSL_CMP_PKIBODY_RANN 17 -# define OSSL_CMP_PKIBODY_CRLANN 18 -# define OSSL_CMP_PKIBODY_PKICONF 19 -# define OSSL_CMP_PKIBODY_NESTED 20 -# define OSSL_CMP_PKIBODY_GENM 21 -# define OSSL_CMP_PKIBODY_GENP 22 -# define OSSL_CMP_PKIBODY_ERROR 23 -# define OSSL_CMP_PKIBODY_CERTCONF 24 -# define OSSL_CMP_PKIBODY_POLLREQ 25 -# define OSSL_CMP_PKIBODY_POLLREP 26 + #include "cmp_local.h" OSSL_ossl_cmp_MSG *ossl_cmp_certreq_new(OSSL_CMP_CTX *ctx, int bodytype, const OSSL_CRMF_MSG *crm); OSSL_CMP_MSG *ossl_cmp_certrep_new(OSSL_CMP_CTX *ctx, int bodytype, - int certReqId, OSSL_CMP_PKISI *si, - X509 *cert, STACK_OF(X509) *chain, - STACK_OF(X509) *caPubs, - int encrypted, int unprotectedErrors); + int certReqId, const OSSL_CMP_PKISI *si, + X509 *cert, const X509 *encryption_recip, + STACK_OF(X509) *chain, STACK_OF(X509) *caPubs, + int unprotectedErrors); OSSL_CMP_MSG *ossl_cmp_rr_new(OSSL_CMP_CTX *ctx); - OSSL_CMP_MSG *ossl_cmp_rp_new(OSSL_CMP_CTX *ctx, OSSL_CMP_PKISI *si, - OSSL_CRMF_CERTID *cid, int unprot_err); + OSSL_CMP_MSG *ossl_cmp_rp_new(OSSL_CMP_CTX *ctx, const OSSL_CMP_PKISI *si, + const OSSL_CRMF_CERTID *cid, + int unprotectedErrors); OSSL_CMP_MSG *ossl_cmp_certConf_new(OSSL_CMP_CTX *ctx, int fail_info, const char *text); OSSL_CMP_MSG *ossl_cmp_pkiconf_new(OSSL_CMP_CTX *ctx); 
@@ -64,23 +37,23 @@ ossl_cmp_error_new OSSL_CMP_MSG *ossl_cmp_pollRep_new(OSSL_CMP_CTX *ctx, int crid, int poll_after); OSSL_CMP_MSG *ossl_cmp_genm_new(OSSL_CMP_CTX *ctx); OSSL_CMP_MSG *ossl_cmp_genp_new(OSSL_CMP_CTX *ctx); - OSSL_CMP_MSG *ossl_cmp_error_new(OSSL_CMP_CTX *ctx, OSSL_CMP_PKISI *si, - int errorCode, - OSSL_CMP_PKIFREETEXT *errorDetails, + OSSL_CMP_MSG *ossl_cmp_error_new(OSSL_CMP_CTX *ctx, const OSSL_CMP_PKISI *si, + int errorCode, const char *details, int unprotected); =head1 DESCRIPTION -This is the API for creating various CMP PKIMESSAGES. The -functions allocate a new message, fill it with the relevant data derived from -the given OSSL_CMP_CTX, and create the applicable protection. +This is the internal API for creating various CMP PKIMESSAGES. +All functions are based on L. +The allocate a new message, fill it with the relevant data derived from +the given B, and create the applicable protection. ossl_cmp_certreq_new() creates a PKIMessage for requesting a certificate, -which can be either of IR/CR/KUR/P10CR, depending on the given B. -The CRMF message to use may be given via the B argument; -else (if B is NULL) it is created from the information in the B. +which can be either of IR/CR/KUR/P10CR, depending on the given I. +The CRMF message to use may be given explicitly via a non-NULL I argument, +otherwise it is created from the information in the I. -Available CMP certificate request PKIMessage Bs are: +Available CMP certificate request PKIMessage Is are: =over 4 
@@ -94,10 +67,16 @@ Available CMP certificate request PKIMessage Bs are: =back -ossl_cmp_certrep_new() creates a PKIMessage for certificate response, which can -be either of IP/CP/KUP, depending on the given B. +ossl_cmp_certrep_new() creates a PKIMessage for certificate response, +which can be either of IP/CP/KUP, depending on the given I, +with the given I and I values and optionally with I, +I, and I. The I, I, and I arguments +are not consumed if present but their internal reference counter is increased. +The I is currently unsupported. +The function does not protect the message if the B value in I +is B and I is nonzero. -Available CMP certificate response PKIMessage Bs are: +Available CMP certificate response PKIMessage Is are: =over 4 @@ -109,7 +88,7 @@ Available CMP certificate response PKIMessage Bs are: =back -The list of all CMP PKIMessage Bs is: +The list of all CMP PKIMessage Is is: #define OSSL_CMP_PKIBODY_IR 0 #define OSSL_CMP_PKIBODY_IP 1 
@@ -140,29 +119,30 @@ The list of all CMP PKIMessage Bs is: ossl_cmp_rr_new() creates a Revocation Request message from the information set via OSSL_CMP_CTX_set1_oldClCert(). -ossl_cmp_rp_new() creates a Revocation Response message with status set to -B and CertID set to B. Consumes B. -Accepts unprotected errors if B != 0. +ossl_cmp_rp_new() creates a Revocation Response message with I and I. +It does not protect the message if the B value in I is B +and I is nonzero. ossl_cmp_certConf_new() creates a Certificate Confirmation message for the last -received certificate. PKIStatus defaults to B if the B bit +received certificate. PKIStatus defaults to B if the I bit field is 0. Else it is taken as the failInfo of the PKIStatusInfo, PKIStatus is -set to B, and B is copied to statusString unless it is NULL. +set to B, and I is copied to statusString unless it is NULL. ossl_cmp_pkiconf_new() creates a PKI Confirmation message. ossl_cmp_pollReq_new() creates a Polling Request message with certReqId set to -B. +I. ossl_cmp_pollRep_new() creates a Polling Response message with certReqId set to -B and pollAfter to B. +I and pollAfter to I. ossl_cmp_genm_new() creates a new General Message with an empty ITAV stack. ossl_cmp_genp_new() creates a new General Response with an empty ITAV stack. -ossl_cmp_error_new() creates a new Error Message with the given contents, -copying B and B. +ossl_cmp_error_new() creates a new Error Message with the given contents +with the given I, I (if nonnegative), and optional I
. +It does not protect the message if I is nonzero. =head1 NOTES @@ -175,6 +155,7 @@ the generated message on success, or NULL on error. =head1 SEE ALSO +L, L, L =head1 HISTORY diff --git a/doc/internal/man3/ossl_cmp_hdr_init.pod b/doc/internal/man3/ossl_cmp_hdr_init.pod index 60259dd4bda..7bc87a253ae 100644 --- a/doc/internal/man3/ossl_cmp_hdr_init.pod +++ b/doc/internal/man3/ossl_cmp_hdr_init.pod @@ -17,8 +17,9 @@ ossl_cmp_hdr_generalinfo_item_push0, ossl_cmp_hdr_generalinfo_items_push1, ossl_cmp_hdr_set_implicitConfirm, ossl_cmp_hdr_has_implicitConfirm, +ossl_cmp_hdr_set_transactionID, ossl_cmp_hdr_init -- functions manipulating CMP message headers +- functions handling CMP message headers =head1 SYNOPSIS @@ -46,6 +47,7 @@ ossl_cmp_hdr_init ASN1_UTF8STRING *text); int ossl_cmp_hdr_set_implicitConfirm(OSSL_CMP_PKIHEADER *hdr); int ossl_cmp_hdr_has_implicitConfirm(OSSL_CMP_PKIHEADER *hdr); + int ossl_cmp_hdr_set_transactionID(OSSL_CMP_CTX *ctx, OSSL_CMP_PKIHEADER *hdr); int ossl_cmp_hdr_init(OSSL_CMP_CTX *ctx, OSSL_CMP_PKIHEADER *hdr); =head1 DESCRIPTION @@ -98,6 +100,10 @@ of the PKIMessage header. ossl_cmp_hdr_has_implicitConfirm() returns 1 if implicitConfirm is set int generalInfo field of the given PKIMessage header, 0 if not. +ossl_cmp_hdr_set_transactionID() sets the B field in C. +In case ctx->transactionID is NULL, it starts a new transaction +by creating and storing a new random valuee with 128 bits length. + ossl_cmp_hdr_init() initializes a PKIHeader structure based on the values in the given OSSL_CMP_CTX structure. This starts a new transaction in case ctx->transactionID is NULL. @@ -125,6 +131,10 @@ All other functions return 1 on success, 0 on error. See the individual functions above. +=head1 SEE ALSO + +L + =head1 HISTORY The OpenSSL CMP support was added in OpenSSL 3.0. diff --git a/doc/internal/man3/ossl_cmp_msg_create.pod b/doc/internal/man3/ossl_cmp_msg_create.pod index aca0a996f48..60f425b96e9 100644 
--- a/doc/internal/man3/ossl_cmp_msg_create.pod +++ b/doc/internal/man3/ossl_cmp_msg_create.pod 
@@ -2,17 +2,72 @@ =head1 NAME +OSSL_CMP_PKIBODY_IR, +OSSL_CMP_PKIBODY_IP, +OSSL_CMP_PKIBODY_CR, +OSSL_CMP_PKIBODY_CP, +OSSL_CMP_PKIBODY_P10CR, +OSSL_CMP_PKIBODY_POPDECC, +OSSL_CMP_PKIBODY_POPDECR, +OSSL_CMP_PKIBODY_KUR, +OSSL_CMP_PKIBODY_KUP, +OSSL_CMP_PKIBODY_KRR, +OSSL_CMP_PKIBODY_KRP, +OSSL_CMP_PKIBODY_RR, +OSSL_CMP_PKIBODY_RP, +OSSL_CMP_PKIBODY_CCR, +OSSL_CMP_PKIBODY_CCP, +OSSL_CMP_PKIBODY_CKUANN, +OSSL_CMP_PKIBODY_CANN, +OSSL_CMP_PKIBODY_RANN, +OSSL_CMP_PKIBODY_CRLANN, +OSSL_CMP_PKIBODY_PKICONF, +OSSL_CMP_PKIBODY_NESTED, +OSSL_CMP_PKIBODY_GENM, +OSSL_CMP_PKIBODY_GENP, +OSSL_CMP_PKIBODY_ERROR, +OSSL_CMP_PKIBODY_CERTCONF, +OSSL_CMP_PKIBODY_POLLREQ, +OSSL_CMP_PKIBODY_POLLREP, ossl_cmp_bodytype_to_string, ossl_cmp_msg_get_bodytype, ossl_cmp_msg_set_bodytype, ossl_cmp_msg_create, ossl_cmp_msg_gen_ITAV_push0, ossl_cmp_msg_gen_ITAVs_push1 -- functions manipulating CMP messages +- functions handling CMP messages =head1 SYNOPSIS - #include "cmp_local.h" + #include "cmp_local.h" + + #define OSSL_CMP_PKIBODY_IR 0 + #define OSSL_CMP_PKIBODY_IP 1 + #define OSSL_CMP_PKIBODY_CR 2 + #define OSSL_CMP_PKIBODY_CP 3 + #define OSSL_CMP_PKIBODY_P10CR 4 + #define OSSL_CMP_PKIBODY_POPDECC 5 + #define OSSL_CMP_PKIBODY_POPDECR 6 + #define OSSL_CMP_PKIBODY_KUR 7 + #define OSSL_CMP_PKIBODY_KUP 8 + #define OSSL_CMP_PKIBODY_KRR 9 + #define OSSL_CMP_PKIBODY_KRP 10 + #define OSSL_CMP_PKIBODY_RR 11 + #define OSSL_CMP_PKIBODY_RP 12 + #define OSSL_CMP_PKIBODY_CCR 13 + #define OSSL_CMP_PKIBODY_CCP 14 + #define OSSL_CMP_PKIBODY_CKUANN 15 + #define OSSL_CMP_PKIBODY_CANN 16 + #define OSSL_CMP_PKIBODY_RANN 17 + #define OSSL_CMP_PKIBODY_CRLANN 18 + #define OSSL_CMP_PKIBODY_PKICONF 19 + #define OSSL_CMP_PKIBODY_NESTED 20 + #define OSSL_CMP_PKIBODY_GENM 21 + #define OSSL_CMP_PKIBODY_GENP 22 + #define OSSL_CMP_PKIBODY_ERROR 23 + #define OSSL_CMP_PKIBODY_CERTCONF 24 + #define OSSL_CMP_PKIBODY_POLLREQ 25 + #define OSSL_CMP_PKIBODY_POLLREP 26 const char *ossl_cmp_bodytype_to_string(int type); int 
ossl_cmp_msg_get_bodytype(const OSSL_CMP_MSG *msg); @@ -34,9 +89,12 @@ ossl_cmp_msg_set_bodytype() sets the type of the message contained in the PKIMessage body field. Returns 1 on success, 0 on error. -ossl_cmp_msg_create() creates and initializes a OSSL_CMP_MSG structure, -using B for the header and B for the body. -Returns pointer to created OSSL_CMP_MSG on success, NULL on error. +ossl_cmp_msg_create() creates and initializes an B structure, +using fields of B for the header and B for the body. +If the current B field in I indicates that there is no +current transaction, it creates and stores a random one with 128 bits length. +Thus, the I may be modified by this and related ossl_cmp_*_new() functions. +Returns pointer to created B on success, NULL on error. ossl_cmp_msg_gen_ITAV_push0() pushes the B to the body of the PKIMessage B of GenMsg or GenRep type. Consumes the B pointer. @@ -57,6 +115,7 @@ See the individual functions above. =head1 SEE ALSO +L, L, L =head1 HISTORY