2019-08-10 20:07:22 +08:00
|
|
|
/*
|
2023-09-07 16:59:15 +08:00
|
|
|
* Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
|
2019-08-10 20:07:22 +08:00
|
|
|
* Copyright Nokia 2007-2019
|
|
|
|
|
* Copyright Siemens AG 2015-2019
|
|
|
|
|
*
|
|
|
|
|
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
|
|
|
* this file except in compliance with the License. You can obtain a copy
|
|
|
|
|
* in the file LICENSE in the source distribution or at
|
|
|
|
|
* https://www.openssl.org/source/license.html
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#include <openssl/trace.h>
|
|
|
|
|
#include <openssl/bio.h>
|
|
|
|
|
#include <openssl/ocsp.h> /* for OCSP_REVOKED_STATUS_* */
|
|
|
|
|
|
2019-09-28 06:45:40 +08:00
|
|
|
#include "cmp_local.h"
|
2019-08-10 20:07:22 +08:00
|
|
|
|
|
|
|
|
/* explicit #includes not strictly needed since implied by the above: */
|
|
|
|
|
#include <openssl/cmp.h>
|
|
|
|
|
#include <openssl/crmf.h>
|
|
|
|
|
#include <openssl/err.h>
|
|
|
|
|
|
2021-12-15 15:37:49 +08:00
|
|
|
#define DEFINE_OSSL_CMP_CTX_get0(FIELD, TYPE) \
|
|
|
|
|
DEFINE_OSSL_CMP_CTX_get0_NAME(FIELD, FIELD, TYPE)
|
|
|
|
|
#define DEFINE_OSSL_CMP_CTX_get0_NAME(NAME, FIELD, TYPE) \
|
|
|
|
|
TYPE *OSSL_CMP_CTX_get0_##NAME(const OSSL_CMP_CTX *ctx) \
|
|
|
|
|
{ \
|
|
|
|
|
if (ctx == NULL) { \
|
|
|
|
|
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); \
|
|
|
|
|
return NULL; \
|
|
|
|
|
} \
|
|
|
|
|
return ctx->FIELD; \
|
|
|
|
|
}
|
|
|
|
|
|
2019-12-20 06:30:24 +08:00
|
|
|
/*
|
|
|
|
|
* Get current certificate store containing trusted root CA certs
|
|
|
|
|
*/
|
2021-12-16 03:28:34 +08:00
|
|
|
DEFINE_OSSL_CMP_CTX_get0_NAME(trusted, trusted, X509_STORE)
|
2021-12-15 15:37:49 +08:00
|
|
|
|
|
|
|
|
#define DEFINE_OSSL_set0(PREFIX, FIELD, TYPE) \
|
|
|
|
|
DEFINE_OSSL_set0_NAME(PREFIX, FIELD, FIELD, TYPE)
|
|
|
|
|
#define DEFINE_OSSL_set0_NAME(PREFIX, NAME, FIELD, TYPE) \
|
|
|
|
|
int PREFIX##_set0##_##NAME(OSSL_CMP_CTX *ctx, TYPE *val) \
|
|
|
|
|
{ \
|
|
|
|
|
if (ctx == NULL) { \
|
|
|
|
|
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); \
|
|
|
|
|
return 0; \
|
|
|
|
|
} \
|
|
|
|
|
TYPE##_free(ctx->FIELD); \
|
|
|
|
|
ctx->FIELD = val; \
|
|
|
|
|
return 1; \
|
2019-08-10 20:07:22 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Set certificate store containing trusted (root) CA certs and possibly CRLs
|
|
|
|
|
* and a cert verification callback function used for CMP server authentication.
|
|
|
|
|
* Any already existing store entry is freed. Given NULL, the entry is reset.
|
|
|
|
|
*/
|
2021-12-16 03:28:34 +08:00
|
|
|
DEFINE_OSSL_set0_NAME(OSSL_CMP_CTX, trusted, trusted, X509_STORE)
|
2019-08-10 20:07:22 +08:00
|
|
|
|
2022-09-21 23:56:41 +08:00
|
|
|
DEFINE_OSSL_CMP_CTX_get0(libctx, OSSL_LIB_CTX)
|
|
|
|
|
DEFINE_OSSL_CMP_CTX_get0(propq, const char)
|
|
|
|
|
|
2020-02-20 01:00:26 +08:00
|
|
|
/* Get current list of non-trusted intermediate certs */
|
2021-12-15 15:37:49 +08:00
|
|
|
DEFINE_OSSL_CMP_CTX_get0(untrusted, STACK_OF(X509))
|
|
|
|
|
|
2019-08-10 20:07:22 +08:00
|
|
|
/*
|
|
|
|
|
* Set untrusted certificates for path construction in authentication of
|
|
|
|
|
* the CMP server and potentially others (TLS server, newly enrolled cert).
|
|
|
|
|
*/
|
2020-08-28 18:42:47 +08:00
|
|
|
int OSSL_CMP_CTX_set1_untrusted(OSSL_CMP_CTX *ctx, STACK_OF(X509) *certs)
|
2019-08-10 20:07:22 +08:00
|
|
|
{
|
2020-12-23 23:06:05 +08:00
|
|
|
STACK_OF(X509) *untrusted = NULL;
|
|
|
|
|
|
2019-08-10 20:07:22 +08:00
|
|
|
if (ctx == NULL) {
|
2020-11-04 19:23:19 +08:00
|
|
|
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
|
2019-08-10 20:07:22 +08:00
|
|
|
return 0;
|
|
|
|
|
}
|
2020-12-23 23:06:05 +08:00
|
|
|
if (!ossl_x509_add_certs_new(&untrusted, certs,
|
|
|
|
|
X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP))
|
2019-12-03 17:31:49 +08:00
|
|
|
goto err;
|
2021-12-18 23:15:49 +08:00
|
|
|
OSSL_STACK_OF_X509_free(ctx->untrusted);
|
2020-08-28 18:42:47 +08:00
|
|
|
ctx->untrusted = untrusted;
|
2019-12-03 17:31:49 +08:00
|
|
|
return 1;
|
2019-12-14 03:07:08 +08:00
|
|
|
err:
|
2021-12-18 23:15:49 +08:00
|
|
|
OSSL_STACK_OF_X509_free(untrusted);
|
2019-12-03 17:31:49 +08:00
|
|
|
return 0;
|
2019-08-10 20:07:22 +08:00
|
|
|
}
|
|
|
|
|
|
2020-08-13 23:44:54 +08:00
|
|
|
static int cmp_ctx_set_md(OSSL_CMP_CTX *ctx, EVP_MD **pmd, int nid)
|
|
|
|
|
{
|
|
|
|
|
EVP_MD *md = EVP_MD_fetch(ctx->libctx, OBJ_nid2sn(nid), ctx->propq);
|
|
|
|
|
/* fetching in advance to be able to throw error early if unsupported */
|
|
|
|
|
|
|
|
|
|
if (md == NULL) {
|
2020-11-04 19:23:19 +08:00
|
|
|
ERR_raise(ERR_LIB_CMP, CMP_R_UNSUPPORTED_ALGORITHM);
|
2020-08-13 23:44:54 +08:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
EVP_MD_free(*pmd);
|
|
|
|
|
*pmd = md;
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
2019-08-10 20:07:22 +08:00
|
|
|
/*
|
|
|
|
|
* Allocates and initializes OSSL_CMP_CTX context structure with default values.
|
|
|
|
|
* Returns new context on success, NULL on error
|
|
|
|
|
*/
|
2020-10-15 17:55:50 +08:00
|
|
|
OSSL_CMP_CTX *OSSL_CMP_CTX_new(OSSL_LIB_CTX *libctx, const char *propq)
|
2019-08-10 20:07:22 +08:00
|
|
|
{
|
|
|
|
|
OSSL_CMP_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
|
|
|
|
|
|
|
|
|
|
if (ctx == NULL)
|
2020-05-13 15:28:24 +08:00
|
|
|
goto err;
|
|
|
|
|
|
|
|
|
|
ctx->libctx = libctx;
|
|
|
|
|
if (propq != NULL && (ctx->propq = OPENSSL_strdup(propq)) == NULL)
|
2022-09-29 19:57:34 +08:00
|
|
|
goto err;
|
2019-08-10 20:07:22 +08:00
|
|
|
|
|
|
|
|
ctx->log_verbosity = OSSL_CMP_LOG_INFO;
|
|
|
|
|
|
2022-09-13 21:43:59 +08:00
|
|
|
ctx->status = OSSL_CMP_PKISTATUS_unspecified;
|
2019-08-10 20:07:22 +08:00
|
|
|
ctx->failInfoCode = -1;
|
|
|
|
|
|
HTTP: Implement persistent connections (keep-alive)
Both at API and at CLI level (for the CMP app only, so far)
there is a new parameter/option: keep_alive.
* 0 means HTTP connections are not kept open after
receiving a response, which is the default behavior for HTTP 1.0.
* 1 means that persistent connections are requested.
* 2 means that persistent connections are required, i.e.,
in case the server does not grant them an error occurs.
For the CMP app the default value is 1, which means preferring to keep
the connection open. For all other internal uses of the HTTP client
(fetching an OCSP response, a cert, or a CRL) it does not matter
because these operations just take one round trip.
If the client application requested or required a persistent connection
and this was granted by the server, it can keep the OSSL_HTTP_REQ_CTX *
as long as it wants to send further requests and OSSL_HTTP_is_alive()
returns nonzero,
else it should call OSSL_HTTP_REQ_CTX_free() or OSSL_HTTP_close().
In case the client application keeps the OSSL_HTTP_REQ_CTX *
but the connection then dies for any reason at the server side, it will
notice this obtaining an I/O error when trying to send the next request.
This requires extending the HTTP header parsing and
rearranging the high-level HTTP client API. In particular:
* Split the monolithic OSSL_HTTP_transfer() into OSSL_HTTP_open(),
OSSL_HTTP_set_request(), a lean OSSL_HTTP_transfer(), and OSSL_HTTP_close().
* Split the timeout functionality accordingly and improve default behavior.
* Extract part of OSSL_HTTP_REQ_CTX_new() to OSSL_HTTP_REQ_CTX_set_expected().
* Extend struct ossl_http_req_ctx_st accordingly.
Use the new feature for the CMP client, which requires extending
related transaction management of CMP client and test server.
Update the documentation and extend the tests accordingly.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15053)
2021-04-28 06:26:14 +08:00
|
|
|
ctx->keep_alive = 1;
|
|
|
|
|
ctx->msg_timeout = -1;
|
2023-06-11 23:41:03 +08:00
|
|
|
ctx->tls_used = -1; /* default for backward compatibility */
|
2019-08-10 20:07:22 +08:00
|
|
|
|
2022-09-29 19:57:34 +08:00
|
|
|
if ((ctx->untrusted = sk_X509_new_null()) == NULL) {
|
|
|
|
|
ERR_raise(ERR_LIB_X509, ERR_R_CRYPTO_LIB);
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
2019-08-10 20:07:22 +08:00
|
|
|
|
|
|
|
|
ctx->pbm_slen = 16;
|
2020-08-13 23:44:54 +08:00
|
|
|
if (!cmp_ctx_set_md(ctx, &ctx->pbm_owf, NID_sha256))
|
|
|
|
|
goto err;
|
2019-08-10 20:07:22 +08:00
|
|
|
ctx->pbm_itercnt = 500;
|
|
|
|
|
ctx->pbm_mac = NID_hmac_sha1;
|
|
|
|
|
|
2020-08-13 23:44:54 +08:00
|
|
|
if (!cmp_ctx_set_md(ctx, &ctx->digest, NID_sha256))
|
|
|
|
|
goto err;
|
2019-08-10 20:07:22 +08:00
|
|
|
ctx->popoMethod = OSSL_CRMF_POPO_SIGNATURE;
|
|
|
|
|
ctx->revocationReason = CRL_REASON_NONE;
|
|
|
|
|
|
|
|
|
|
/* all other elements are initialized to 0 or NULL, respectively */
|
|
|
|
|
return ctx;
|
|
|
|
|
|
|
|
|
|
err:
|
|
|
|
|
OSSL_CMP_CTX_free(ctx);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
2022-09-14 23:37:27 +08:00
|
|
|
#define OSSL_CMP_ITAVs_free(itavs) \
|
|
|
|
|
sk_OSSL_CMP_ITAV_pop_free(itavs, OSSL_CMP_ITAV_free);
|
|
|
|
|
#define X509_EXTENSIONS_free(exts) \
|
|
|
|
|
sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free)
|
|
|
|
|
#define OSSL_CMP_PKIFREETEXT_free(text) \
|
|
|
|
|
sk_ASN1_UTF8STRING_pop_free(text, ASN1_UTF8STRING_free)
|
|
|
|
|
|
2020-02-20 01:00:26 +08:00
|
|
|
/* Prepare the OSSL_CMP_CTX for next use, partly re-initializing OSSL_CMP_CTX */
|
2019-08-10 20:07:22 +08:00
|
|
|
int OSSL_CMP_CTX_reinit(OSSL_CMP_CTX *ctx)
|
|
|
|
|
{
|
|
|
|
|
if (ctx == NULL) {
|
2020-11-04 19:23:19 +08:00
|
|
|
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
|
2019-08-10 20:07:22 +08:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2023-06-02 01:55:54 +08:00
|
|
|
#ifndef OPENSSL_NO_HTTP
|
HTTP: Implement persistent connections (keep-alive)
Both at API and at CLI level (for the CMP app only, so far)
there is a new parameter/option: keep_alive.
* 0 means HTTP connections are not kept open after
receiving a response, which is the default behavior for HTTP 1.0.
* 1 means that persistent connections are requested.
* 2 means that persistent connections are required, i.e.,
in case the server does not grant them an error occurs.
For the CMP app the default value is 1, which means preferring to keep
the connection open. For all other internal uses of the HTTP client
(fetching an OCSP response, a cert, or a CRL) it does not matter
because these operations just take one round trip.
If the client application requested or required a persistent connection
and this was granted by the server, it can keep the OSSL_HTTP_REQ_CTX *
as long as it wants to send further requests and OSSL_HTTP_is_alive()
returns nonzero,
else it should call OSSL_HTTP_REQ_CTX_free() or OSSL_HTTP_close().
In case the client application keeps the OSSL_HTTP_REQ_CTX *
but the connection then dies for any reason at the server side, it will
notice this obtaining an I/O error when trying to send the next request.
This requires extending the HTTP header parsing and
rearranging the high-level HTTP client API. In particular:
* Split the monolithic OSSL_HTTP_transfer() into OSSL_HTTP_open(),
OSSL_HTTP_set_request(), a lean OSSL_HTTP_transfer(), and OSSL_HTTP_close().
* Split the timeout functionality accordingly and improve default behavior.
* Extract part of OSSL_HTTP_REQ_CTX_new() to OSSL_HTTP_REQ_CTX_set_expected().
* Extend struct ossl_http_req_ctx_st accordingly.
Use the new feature for the CMP client, which requires extending
related transaction management of CMP client and test server.
Update the documentation and extend the tests accordingly.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15053)
2021-04-28 06:26:14 +08:00
|
|
|
if (ctx->http_ctx != NULL) {
|
|
|
|
|
(void)OSSL_HTTP_close(ctx->http_ctx, 1);
|
|
|
|
|
ossl_cmp_debug(ctx, "disconnected from CMP server");
|
|
|
|
|
ctx->http_ctx = NULL;
|
|
|
|
|
}
|
2023-06-02 01:55:54 +08:00
|
|
|
#endif
|
2022-09-13 21:43:59 +08:00
|
|
|
ctx->status = OSSL_CMP_PKISTATUS_unspecified;
|
2019-08-10 20:07:22 +08:00
|
|
|
ctx->failInfoCode = -1;
|
|
|
|
|
|
2022-09-14 23:37:27 +08:00
|
|
|
OSSL_CMP_ITAVs_free(ctx->genm_ITAVs);
|
|
|
|
|
ctx->genm_ITAVs = NULL;
|
|
|
|
|
|
2019-08-10 20:07:22 +08:00
|
|
|
return ossl_cmp_ctx_set0_statusString(ctx, NULL)
|
|
|
|
|
&& ossl_cmp_ctx_set0_newCert(ctx, NULL)
|
2020-09-04 15:29:01 +08:00
|
|
|
&& ossl_cmp_ctx_set1_newChain(ctx, NULL)
|
2019-08-10 20:07:22 +08:00
|
|
|
&& ossl_cmp_ctx_set1_caPubs(ctx, NULL)
|
|
|
|
|
&& ossl_cmp_ctx_set1_extraCertsIn(ctx, NULL)
|
2021-12-14 18:29:19 +08:00
|
|
|
&& ossl_cmp_ctx_set1_validatedSrvCert(ctx, NULL)
|
2023-03-13 16:16:57 +08:00
|
|
|
&& ossl_cmp_ctx_set1_first_senderNonce(ctx, NULL)
|
2019-08-10 20:07:22 +08:00
|
|
|
&& OSSL_CMP_CTX_set1_transactionID(ctx, NULL)
|
|
|
|
|
&& OSSL_CMP_CTX_set1_senderNonce(ctx, NULL)
|
|
|
|
|
&& ossl_cmp_ctx_set1_recipNonce(ctx, NULL);
|
|
|
|
|
}
|
|
|
|
|
|
2020-02-20 01:00:26 +08:00
|
|
|
/* Frees OSSL_CMP_CTX variables allocated in OSSL_CMP_CTX_new() */
|
2019-08-10 20:07:22 +08:00
|
|
|
void OSSL_CMP_CTX_free(OSSL_CMP_CTX *ctx)
|
|
|
|
|
{
|
|
|
|
|
if (ctx == NULL)
|
|
|
|
|
return;
|
|
|
|
|
|
2023-06-02 01:55:54 +08:00
|
|
|
#ifndef OPENSSL_NO_HTTP
|
HTTP: Implement persistent connections (keep-alive)
Both at API and at CLI level (for the CMP app only, so far)
there is a new parameter/option: keep_alive.
* 0 means HTTP connections are not kept open after
receiving a response, which is the default behavior for HTTP 1.0.
* 1 means that persistent connections are requested.
* 2 means that persistent connections are required, i.e.,
in case the server does not grant them an error occurs.
For the CMP app the default value is 1, which means preferring to keep
the connection open. For all other internal uses of the HTTP client
(fetching an OCSP response, a cert, or a CRL) it does not matter
because these operations just take one round trip.
If the client application requested or required a persistent connection
and this was granted by the server, it can keep the OSSL_HTTP_REQ_CTX *
as long as it wants to send further requests and OSSL_HTTP_is_alive()
returns nonzero,
else it should call OSSL_HTTP_REQ_CTX_free() or OSSL_HTTP_close().
In case the client application keeps the OSSL_HTTP_REQ_CTX *
but the connection then dies for any reason at the server side, it will
notice this obtaining an I/O error when trying to send the next request.
This requires extending the HTTP header parsing and
rearranging the high-level HTTP client API. In particular:
* Split the monolithic OSSL_HTTP_transfer() into OSSL_HTTP_open(),
OSSL_HTTP_set_request(), a lean OSSL_HTTP_transfer(), and OSSL_HTTP_close().
* Split the timeout functionality accordingly and improve default behavior.
* Extract part of OSSL_HTTP_REQ_CTX_new() to OSSL_HTTP_REQ_CTX_set_expected().
* Extend struct ossl_http_req_ctx_st accordingly.
Use the new feature for the CMP client, which requires extending
related transaction management of CMP client and test server.
Update the documentation and extend the tests accordingly.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15053)
2021-04-28 06:26:14 +08:00
|
|
|
if (ctx->http_ctx != NULL) {
|
|
|
|
|
(void)OSSL_HTTP_close(ctx->http_ctx, 1);
|
|
|
|
|
ossl_cmp_debug(ctx, "disconnected from CMP server");
|
|
|
|
|
}
|
2023-06-02 01:55:54 +08:00
|
|
|
#endif
|
2021-05-25 21:39:01 +08:00
|
|
|
OPENSSL_free(ctx->propq);
|
2019-08-10 20:07:22 +08:00
|
|
|
OPENSSL_free(ctx->serverPath);
|
2020-03-25 20:46:02 +08:00
|
|
|
OPENSSL_free(ctx->server);
|
2020-02-20 01:00:26 +08:00
|
|
|
OPENSSL_free(ctx->proxy);
|
|
|
|
|
OPENSSL_free(ctx->no_proxy);
|
2019-08-10 20:07:22 +08:00
|
|
|
|
|
|
|
|
X509_free(ctx->srvCert);
|
|
|
|
|
X509_free(ctx->validatedSrvCert);
|
|
|
|
|
X509_NAME_free(ctx->expected_sender);
|
|
|
|
|
X509_STORE_free(ctx->trusted);
|
2021-12-18 23:15:49 +08:00
|
|
|
OSSL_STACK_OF_X509_free(ctx->untrusted);
|
2019-08-10 20:07:22 +08:00
|
|
|
|
2020-05-08 19:30:44 +08:00
|
|
|
X509_free(ctx->cert);
|
2021-12-18 23:15:49 +08:00
|
|
|
OSSL_STACK_OF_X509_free(ctx->chain);
|
2019-08-10 20:07:22 +08:00
|
|
|
EVP_PKEY_free(ctx->pkey);
|
|
|
|
|
ASN1_OCTET_STRING_free(ctx->referenceValue);
|
|
|
|
|
if (ctx->secretValue != NULL)
|
|
|
|
|
OPENSSL_cleanse(ctx->secretValue->data, ctx->secretValue->length);
|
|
|
|
|
ASN1_OCTET_STRING_free(ctx->secretValue);
|
2020-08-13 23:44:54 +08:00
|
|
|
EVP_MD_free(ctx->pbm_owf);
|
2019-08-10 20:07:22 +08:00
|
|
|
|
|
|
|
|
X509_NAME_free(ctx->recipient);
|
2020-08-13 23:44:54 +08:00
|
|
|
EVP_MD_free(ctx->digest);
|
2019-08-10 20:07:22 +08:00
|
|
|
ASN1_OCTET_STRING_free(ctx->transactionID);
|
|
|
|
|
ASN1_OCTET_STRING_free(ctx->senderNonce);
|
|
|
|
|
ASN1_OCTET_STRING_free(ctx->recipNonce);
|
2023-03-13 16:16:57 +08:00
|
|
|
ASN1_OCTET_STRING_free(ctx->first_senderNonce);
|
2021-12-15 15:37:49 +08:00
|
|
|
OSSL_CMP_ITAVs_free(ctx->geninfo_ITAVs);
|
2021-12-18 23:15:49 +08:00
|
|
|
OSSL_STACK_OF_X509_free(ctx->extraCertsOut);
|
2019-08-10 20:07:22 +08:00
|
|
|
|
|
|
|
|
EVP_PKEY_free(ctx->newPkey);
|
|
|
|
|
X509_NAME_free(ctx->issuer);
|
2023-04-11 16:19:15 +08:00
|
|
|
ASN1_INTEGER_free(ctx->serialNumber);
|
2019-08-10 20:07:22 +08:00
|
|
|
X509_NAME_free(ctx->subjectName);
|
|
|
|
|
sk_GENERAL_NAME_pop_free(ctx->subjectAltNames, GENERAL_NAME_free);
|
2021-12-15 15:37:49 +08:00
|
|
|
X509_EXTENSIONS_free(ctx->reqExtensions);
|
2019-08-10 20:07:22 +08:00
|
|
|
sk_POLICYINFO_pop_free(ctx->policies, POLICYINFO_free);
|
|
|
|
|
X509_free(ctx->oldCert);
|
|
|
|
|
X509_REQ_free(ctx->p10CSR);
|
|
|
|
|
|
2021-12-15 15:37:49 +08:00
|
|
|
OSSL_CMP_ITAVs_free(ctx->genm_ITAVs);
|
2019-08-10 20:07:22 +08:00
|
|
|
|
2021-12-15 15:37:49 +08:00
|
|
|
OSSL_CMP_PKIFREETEXT_free(ctx->statusString);
|
2019-08-10 20:07:22 +08:00
|
|
|
X509_free(ctx->newCert);
|
2021-12-18 23:15:49 +08:00
|
|
|
OSSL_STACK_OF_X509_free(ctx->newChain);
|
|
|
|
|
OSSL_STACK_OF_X509_free(ctx->caPubs);
|
|
|
|
|
OSSL_STACK_OF_X509_free(ctx->extraCertsIn);
|
2019-08-10 20:07:22 +08:00
|
|
|
|
|
|
|
|
OPENSSL_free(ctx);
|
|
|
|
|
}
|
|
|
|
|
|
2021-12-15 15:37:49 +08:00
|
|
|
#define DEFINE_OSSL_set(PREFIX, FIELD, TYPE) \
|
|
|
|
|
int PREFIX##_set_##FIELD(OSSL_CMP_CTX *ctx, TYPE val) \
|
|
|
|
|
{ \
|
|
|
|
|
if (ctx == NULL) { \
|
|
|
|
|
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); \
|
|
|
|
|
return 0; \
|
|
|
|
|
} \
|
|
|
|
|
ctx->FIELD = val; \
|
|
|
|
|
return 1; \
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
DEFINE_OSSL_set(ossl_cmp_ctx, status, int)
|
|
|
|
|
|
|
|
|
|
#define DEFINE_OSSL_get(PREFIX, FIELD, TYPE, ERR_RET) \
|
|
|
|
|
TYPE PREFIX##_get_##FIELD(const OSSL_CMP_CTX *ctx) \
|
|
|
|
|
{ \
|
|
|
|
|
if (ctx == NULL) { \
|
|
|
|
|
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); \
|
|
|
|
|
return ERR_RET; \
|
|
|
|
|
} \
|
|
|
|
|
return ctx->FIELD; \
|
2019-08-10 20:07:22 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Returns the PKIStatus from the last CertRepMessage
|
|
|
|
|
* or Revocation Response or error message, -1 on error
|
|
|
|
|
*/
|
2021-12-15 15:37:49 +08:00
|
|
|
DEFINE_OSSL_get(OSSL_CMP_CTX, status, int, -1)
|
2019-08-10 20:07:22 +08:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Returns the statusString from the last CertRepMessage
|
|
|
|
|
* or Revocation Response or error message, NULL on error
|
|
|
|
|
*/
|
2021-12-15 15:37:49 +08:00
|
|
|
DEFINE_OSSL_CMP_CTX_get0(statusString, OSSL_CMP_PKIFREETEXT)
|
2019-08-10 20:07:22 +08:00
|
|
|
|
2021-12-15 15:37:49 +08:00
|
|
|
DEFINE_OSSL_set0(ossl_cmp_ctx, statusString, OSSL_CMP_PKIFREETEXT)
|
2019-08-10 20:07:22 +08:00
|
|
|
|
2020-02-20 01:00:26 +08:00
|
|
|
/* Set callback function for checking if the cert is ok or should be rejected */
|
2021-12-15 15:37:49 +08:00
|
|
|
DEFINE_OSSL_set(OSSL_CMP_CTX, certConf_cb, OSSL_CMP_certConf_cb_t)
|
2019-08-10 20:07:22 +08:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Set argument, respectively a pointer to a structure containing arguments,
|
|
|
|
|
* optionally to be used by the certConf callback.
|
|
|
|
|
*/
|
2021-12-15 15:37:49 +08:00
|
|
|
DEFINE_OSSL_set(OSSL_CMP_CTX, certConf_cb_arg, void *)
|
2019-08-10 20:07:22 +08:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Get argument, respectively the pointer to a structure containing arguments,
|
|
|
|
|
* optionally to be used by certConf callback.
|
|
|
|
|
* Returns callback argument set previously (NULL if not set or on error)
|
|
|
|
|
*/
|
2021-12-15 15:37:49 +08:00
|
|
|
DEFINE_OSSL_get(OSSL_CMP_CTX, certConf_cb_arg, void *, NULL)
|
2019-08-10 20:07:22 +08:00
|
|
|
|
|
|
|
|
#ifndef OPENSSL_NO_TRACE
|
|
|
|
|
static size_t ossl_cmp_log_trace_cb(const char *buf, size_t cnt,
|
|
|
|
|
int category, int cmd, void *vdata)
|
|
|
|
|
{
|
|
|
|
|
OSSL_CMP_CTX *ctx = vdata;
|
2019-12-14 02:50:20 +08:00
|
|
|
const char *msg;
|
2019-08-10 20:07:22 +08:00
|
|
|
OSSL_CMP_severity level = -1;
|
|
|
|
|
char *func = NULL;
|
|
|
|
|
char *file = NULL;
|
|
|
|
|
int line = 0;
|
|
|
|
|
|
|
|
|
|
if (buf == NULL || cnt == 0 || cmd != OSSL_TRACE_CTRL_WRITE || ctx == NULL)
|
|
|
|
|
return 0;
|
|
|
|
|
if (ctx->log_cb == NULL)
|
|
|
|
|
return 1; /* silently drop message */
|
|
|
|
|
|
2019-12-14 02:50:20 +08:00
|
|
|
msg = ossl_cmp_log_parse_metadata(buf, &level, &func, &file, &line);
|
2019-08-10 20:07:22 +08:00
|
|
|
|
|
|
|
|
if (level > ctx->log_verbosity) /* excludes the case level is unknown */
|
|
|
|
|
goto end; /* suppress output since severity is not sufficient */
|
|
|
|
|
|
|
|
|
|
if (!ctx->log_cb(func != NULL ? func : "(no func)",
|
|
|
|
|
file != NULL ? file : "(no file)",
|
2019-12-14 02:50:20 +08:00
|
|
|
line, level, msg))
|
2019-08-10 20:07:22 +08:00
|
|
|
cnt = 0;
|
|
|
|
|
|
|
|
|
|
end:
|
|
|
|
|
OPENSSL_free(func);
|
|
|
|
|
OPENSSL_free(file);
|
|
|
|
|
return cnt;
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
|
2019-12-14 02:50:20 +08:00
|
|
|
/* Print CMP log messages (i.e., diagnostic info) via the log cb of the ctx */
|
|
|
|
|
int ossl_cmp_print_log(OSSL_CMP_severity level, const OSSL_CMP_CTX *ctx,
|
|
|
|
|
const char *func, const char *file, int line,
|
|
|
|
|
const char *level_str, const char *format, ...)
|
|
|
|
|
{
|
|
|
|
|
va_list args;
|
|
|
|
|
char hugebuf[1024 * 2];
|
|
|
|
|
int res = 0;
|
|
|
|
|
|
|
|
|
|
if (ctx == NULL || ctx->log_cb == NULL)
|
|
|
|
|
return 1; /* silently drop message */
|
|
|
|
|
|
|
|
|
|
if (level > ctx->log_verbosity) /* excludes the case level is unknown */
|
|
|
|
|
return 1; /* suppress output since severity is not sufficient */
|
|
|
|
|
|
|
|
|
|
if (format == NULL)
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
va_start(args, format);
|
|
|
|
|
|
|
|
|
|
if (func == NULL)
|
|
|
|
|
func = "(unset function name)";
|
|
|
|
|
if (file == NULL)
|
|
|
|
|
file = "(unset file name)";
|
|
|
|
|
if (level_str == NULL)
|
|
|
|
|
level_str = "(unset level string)";
|
|
|
|
|
|
|
|
|
|
#ifndef OPENSSL_NO_TRACE
|
|
|
|
|
if (OSSL_TRACE_ENABLED(CMP)) {
|
|
|
|
|
OSSL_TRACE_BEGIN(CMP) {
|
|
|
|
|
int printed =
|
|
|
|
|
BIO_snprintf(hugebuf, sizeof(hugebuf),
|
|
|
|
|
"%s:%s:%d:" OSSL_CMP_LOG_PREFIX "%s: ",
|
|
|
|
|
func, file, line, level_str);
|
|
|
|
|
if (printed > 0 && (size_t)printed < sizeof(hugebuf)) {
|
|
|
|
|
if (BIO_vsnprintf(hugebuf + printed,
|
|
|
|
|
sizeof(hugebuf) - printed, format, args) > 0)
|
|
|
|
|
res = BIO_puts(trc_out, hugebuf) > 0;
|
|
|
|
|
}
|
|
|
|
|
} OSSL_TRACE_END(CMP);
|
|
|
|
|
}
|
|
|
|
|
#else /* compensate for disabled trace API */
|
|
|
|
|
{
|
|
|
|
|
if (BIO_vsnprintf(hugebuf, sizeof(hugebuf), format, args) > 0)
|
|
|
|
|
res = ctx->log_cb(func, file, line, level, hugebuf);
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
va_end(args);
|
|
|
|
|
return res;
|
|
|
|
|
}
|
|
|
|
|
|
2020-02-20 01:00:26 +08:00
|
|
|
/* Set a callback function for error reporting and logging messages */
|
2020-03-11 00:32:57 +08:00
|
|
|
int OSSL_CMP_CTX_set_log_cb(OSSL_CMP_CTX *ctx, OSSL_CMP_log_cb_t cb)
|
2019-08-10 20:07:22 +08:00
|
|
|
{
|
|
|
|
|
if (ctx == NULL) {
|
2020-11-04 19:23:19 +08:00
|
|
|
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
|
2019-08-10 20:07:22 +08:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
ctx->log_cb = cb;
|
|
|
|
|
|
|
|
|
|
#ifndef OPENSSL_NO_TRACE
|
|
|
|
|
/* do also in case cb == NULL, to switch off logging output: */
|
|
|
|
|
if (!OSSL_trace_set_callback(OSSL_TRACE_CATEGORY_CMP,
|
|
|
|
|
ossl_cmp_log_trace_cb, ctx))
|
|
|
|
|
return 0;
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Print OpenSSL and CMP errors via the log cb of the ctx or ERR_print_errors */
|
2020-05-29 23:14:14 +08:00
|
|
|
void OSSL_CMP_CTX_print_errors(const OSSL_CMP_CTX *ctx)
|
2019-08-10 20:07:22 +08:00
|
|
|
{
|
2020-08-26 16:11:14 +08:00
|
|
|
if (ctx != NULL && OSSL_CMP_LOG_ERR > ctx->log_verbosity)
|
|
|
|
|
return; /* suppress output since severity is not sufficient */
|
2019-08-10 20:07:22 +08:00
|
|
|
OSSL_CMP_print_errors_cb(ctx == NULL ? NULL : ctx->log_cb);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Set or clear the reference value to be used for identification
|
|
|
|
|
* (i.e., the user name) when using PBMAC.
|
|
|
|
|
*/
|
|
|
|
|
int OSSL_CMP_CTX_set1_referenceValue(OSSL_CMP_CTX *ctx,
|
|
|
|
|
const unsigned char *ref, int len)
|
|
|
|
|
{
|
|
|
|
|
if (ctx == NULL) {
|
2020-11-04 19:23:19 +08:00
|
|
|
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
|
2019-08-10 20:07:22 +08:00
|
|
|
return 0;
|
|
|
|
|
}
|
2021-12-15 15:37:49 +08:00
|
|
|
return
|
|
|
|
|
ossl_cmp_asn1_octet_string_set1_bytes(&ctx->referenceValue, ref, len);
|
2019-08-10 20:07:22 +08:00
|
|
|
}
|
|
|
|
|
|
2020-02-20 01:00:26 +08:00
|
|
|
/* Set or clear the password to be used for protecting messages with PBMAC */
|
2023-03-10 22:21:05 +08:00
|
|
|
int OSSL_CMP_CTX_set1_secretValue(OSSL_CMP_CTX *ctx,
|
|
|
|
|
const unsigned char *sec, int len)
|
2019-08-10 20:07:22 +08:00
|
|
|
{
|
2019-12-03 17:31:49 +08:00
|
|
|
ASN1_OCTET_STRING *secretValue = NULL;
|
2021-12-15 15:37:49 +08:00
|
|
|
|
2019-08-10 20:07:22 +08:00
|
|
|
if (ctx == NULL) {
|
2020-11-04 19:23:19 +08:00
|
|
|
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
|
2019-08-10 20:07:22 +08:00
|
|
|
return 0;
|
|
|
|
|
}
|
2019-12-03 17:31:49 +08:00
|
|
|
if (ossl_cmp_asn1_octet_string_set1_bytes(&secretValue, sec, len) != 1)
|
|
|
|
|
return 0;
|
|
|
|
|
if (ctx->secretValue != NULL) {
|
2019-08-10 20:07:22 +08:00
|
|
|
OPENSSL_cleanse(ctx->secretValue->data, ctx->secretValue->length);
|
2019-12-03 17:31:49 +08:00
|
|
|
ASN1_OCTET_STRING_free(ctx->secretValue);
|
|
|
|
|
}
|
|
|
|
|
ctx->secretValue = secretValue;
|
|
|
|
|
return 1;
|
2019-08-10 20:07:22 +08:00
|
|
|
}
|
|
|
|
|
|
2021-12-15 15:37:49 +08:00
|
|
|
#define DEFINE_OSSL_CMP_CTX_get1_certs(FIELD) \
|
|
|
|
|
STACK_OF(X509) *OSSL_CMP_CTX_get1_##FIELD(const OSSL_CMP_CTX *ctx) \
|
|
|
|
|
{ \
|
|
|
|
|
if (ctx == NULL) { \
|
|
|
|
|
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); \
|
|
|
|
|
return NULL; \
|
|
|
|
|
} \
|
|
|
|
|
return X509_chain_up_ref(ctx->FIELD); \
|
|
|
|
|
}
|
|
|
|
|
|
2020-09-04 15:29:01 +08:00
|
|
|
/* Returns the cert chain computed by OSSL_CMP_certConf_cb(), NULL on error */
|
2021-12-15 15:37:49 +08:00
|
|
|
DEFINE_OSSL_CMP_CTX_get1_certs(newChain)
|
|
|
|
|
|
|
|
|
|
#define DEFINE_OSSL_set1_certs(PREFIX, FIELD) \
|
|
|
|
|
int PREFIX##_set1_##FIELD(OSSL_CMP_CTX *ctx, STACK_OF(X509) *certs) \
|
|
|
|
|
{ \
|
|
|
|
|
if (ctx == NULL) { \
|
|
|
|
|
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); \
|
|
|
|
|
return 0; \
|
|
|
|
|
} \
|
2021-12-18 23:15:49 +08:00
|
|
|
OSSL_STACK_OF_X509_free(ctx->FIELD); \
|
2021-12-15 15:37:49 +08:00
|
|
|
ctx->FIELD = NULL; \
|
|
|
|
|
return certs == NULL || (ctx->FIELD = X509_chain_up_ref(certs)) != NULL; \
|
2020-09-04 15:29:01 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Copies any given stack of inbound X509 certificates to newChain
|
|
|
|
|
* of the OSSL_CMP_CTX structure so that they may be retrieved later.
|
|
|
|
|
*/
|
2021-12-15 15:37:49 +08:00
|
|
|
DEFINE_OSSL_set1_certs(ossl_cmp_ctx, newChain)
|
2020-09-04 15:29:01 +08:00
|
|
|
|
2020-08-28 18:11:31 +08:00
|
|
|
/* Returns the stack of extraCerts received in CertRepMessage, NULL on error */
|
2021-12-15 15:37:49 +08:00
|
|
|
DEFINE_OSSL_CMP_CTX_get1_certs(extraCertsIn)
|
2019-08-10 20:07:22 +08:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Copies any given stack of inbound X509 certificates to extraCertsIn
|
|
|
|
|
* of the OSSL_CMP_CTX structure so that they may be retrieved later.
|
|
|
|
|
*/
|
2021-12-15 15:37:49 +08:00
|
|
|
DEFINE_OSSL_set1_certs(ossl_cmp_ctx, extraCertsIn)
|
2019-08-10 20:07:22 +08:00
|
|
|
|
|
|
|
|
/*
|
2020-08-28 18:11:31 +08:00
|
|
|
* Copies any given stack as the new stack of X509
|
2019-08-10 20:07:22 +08:00
|
|
|
* certificates to send out in the extraCerts field.
|
|
|
|
|
*/
|
2021-12-15 15:37:49 +08:00
|
|
|
DEFINE_OSSL_set1_certs(OSSL_CMP_CTX, extraCertsOut)
|
2019-08-10 20:07:22 +08:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Add the given policy info object
|
|
|
|
|
* to the X509_EXTENSIONS of the requested certificate template.
|
|
|
|
|
*/
|
|
|
|
|
int OSSL_CMP_CTX_push0_policy(OSSL_CMP_CTX *ctx, POLICYINFO *pinfo)
|
|
|
|
|
{
|
|
|
|
|
if (ctx == NULL || pinfo == NULL) {
|
2020-11-04 19:23:19 +08:00
|
|
|
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
|
2019-08-10 20:07:22 +08:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (ctx->policies == NULL
|
|
|
|
|
&& (ctx->policies = CERTIFICATEPOLICIES_new()) == NULL)
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
return sk_POLICYINFO_push(ctx->policies, pinfo);
|
|
|
|
|
}
|
|
|
|
|
|
2020-02-20 01:00:26 +08:00
|
|
|
/* Add an ITAV for geninfo of the PKI message header */
|
2019-08-10 20:07:22 +08:00
|
|
|
int OSSL_CMP_CTX_push0_geninfo_ITAV(OSSL_CMP_CTX *ctx, OSSL_CMP_ITAV *itav)
|
|
|
|
|
{
|
|
|
|
|
if (ctx == NULL) {
|
2020-11-04 19:23:19 +08:00
|
|
|
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
|
2019-08-10 20:07:22 +08:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
return OSSL_CMP_ITAV_push0_stack_item(&ctx->geninfo_ITAVs, itav);
|
|
|
|
|
}
|
|
|
|
|
|
2022-09-19 19:15:04 +08:00
|
|
|
int OSSL_CMP_CTX_reset_geninfo_ITAVs(OSSL_CMP_CTX *ctx)
|
|
|
|
|
{
|
|
|
|
|
if (ctx == NULL) {
|
|
|
|
|
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
OSSL_CMP_ITAVs_free(ctx->geninfo_ITAVs);
|
|
|
|
|
ctx->geninfo_ITAVs = NULL;
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
2023-06-14 03:56:57 +08:00
|
|
|
DEFINE_OSSL_CMP_CTX_get0(geninfo_ITAVs, STACK_OF(OSSL_CMP_ITAV))
|
|
|
|
|
|
2020-02-20 01:00:26 +08:00
|
|
|
/* Add an itav for the body of outgoing general messages */
|
2019-08-10 20:07:22 +08:00
|
|
|
int OSSL_CMP_CTX_push0_genm_ITAV(OSSL_CMP_CTX *ctx, OSSL_CMP_ITAV *itav)
|
|
|
|
|
{
|
|
|
|
|
if (ctx == NULL) {
|
2020-11-04 19:23:19 +08:00
|
|
|
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
|
2019-08-10 20:07:22 +08:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
return OSSL_CMP_ITAV_push0_stack_item(&ctx->genm_ITAVs, itav);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Returns a duplicate of the stack of X509 certificates that
|
|
|
|
|
* were received in the caPubs field of the last CertRepMessage.
|
|
|
|
|
* Returns NULL on error
|
|
|
|
|
*/
|
2021-12-15 15:37:49 +08:00
|
|
|
DEFINE_OSSL_CMP_CTX_get1_certs(caPubs)
|
2019-08-10 20:07:22 +08:00
|
|
|
|
|
|
|
|
/*
|
2020-08-28 18:11:31 +08:00
|
|
|
* Copies any given stack of certificates to the given
|
2019-08-10 20:07:22 +08:00
|
|
|
* OSSL_CMP_CTX structure so that they may be retrieved later.
|
|
|
|
|
*/
|
2021-12-15 15:37:49 +08:00
|
|
|
DEFINE_OSSL_set1_certs(ossl_cmp_ctx, caPubs)
|
2019-08-10 20:07:22 +08:00
|
|
|
|
|
|
|
|
#define char_dup OPENSSL_strdup
|
|
|
|
|
#define char_free OPENSSL_free
|
|
|
|
|
#define DEFINE_OSSL_CMP_CTX_set1(FIELD, TYPE) /* this uses _dup */ \
|
|
|
|
|
int OSSL_CMP_CTX_set1_##FIELD(OSSL_CMP_CTX *ctx, const TYPE *val) \
|
|
|
|
|
{ \
|
|
|
|
|
TYPE *val_dup = NULL; \
|
|
|
|
|
\
|
|
|
|
|
if (ctx == NULL) { \
|
2020-11-04 19:23:19 +08:00
|
|
|
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); \
|
2019-08-10 20:07:22 +08:00
|
|
|
return 0; \
|
|
|
|
|
} \
|
|
|
|
|
\
|
|
|
|
|
if (val != NULL && (val_dup = TYPE##_dup(val)) == NULL) \
|
|
|
|
|
return 0; \
|
|
|
|
|
TYPE##_free(ctx->FIELD); \
|
|
|
|
|
ctx->FIELD = val_dup; \
|
|
|
|
|
return 1; \
|
|
|
|
|
}
|
|
|
|
|
|
2021-03-09 12:18:03 +08:00
|
|
|
#define X509_invalid(cert) (!ossl_x509v3_cache_extensions(cert))
|
2020-08-13 01:16:03 +08:00
|
|
|
#define EVP_PKEY_invalid(key) 0
|
2021-12-15 15:37:49 +08:00
|
|
|
|
|
|
|
|
#define DEFINE_OSSL_set1_up_ref(PREFIX, FIELD, TYPE) \
|
|
|
|
|
int PREFIX##_set1_##FIELD(OSSL_CMP_CTX *ctx, TYPE *val) \
|
2019-08-10 20:07:22 +08:00
|
|
|
{ \
|
|
|
|
|
if (ctx == NULL) { \
|
2020-11-04 19:23:19 +08:00
|
|
|
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); \
|
2019-08-10 20:07:22 +08:00
|
|
|
return 0; \
|
|
|
|
|
} \
|
|
|
|
|
\
|
2020-08-13 01:16:03 +08:00
|
|
|
/* prevent misleading error later on malformed cert or provider issue */ \
|
|
|
|
|
if (val != NULL && TYPE##_invalid(val)) { \
|
2020-11-04 19:23:19 +08:00
|
|
|
ERR_raise(ERR_LIB_CMP, CMP_R_POTENTIALLY_INVALID_CERTIFICATE); \
|
2020-08-13 01:16:03 +08:00
|
|
|
return 0; \
|
|
|
|
|
} \
|
2019-08-10 20:07:22 +08:00
|
|
|
if (val != NULL && !TYPE##_up_ref(val)) \
|
|
|
|
|
return 0; \
|
|
|
|
|
TYPE##_free(ctx->FIELD); \
|
|
|
|
|
ctx->FIELD = val; \
|
|
|
|
|
return 1; \
|
|
|
|
|
}
|
|
|
|
|
|
2021-12-14 18:29:19 +08:00
|
|
|
DEFINE_OSSL_set1_up_ref(ossl_cmp_ctx, validatedSrvCert, X509)
|
|
|
|
|
|
2019-08-10 20:07:22 +08:00
|
|
|
/*
|
|
|
|
|
* Pins the server certificate to be directly trusted (even if it is expired)
|
|
|
|
|
* for verifying response messages.
|
|
|
|
|
* Cert pointer is not consumed. It may be NULL to clear the entry.
|
|
|
|
|
*/
|
2021-12-15 15:37:49 +08:00
|
|
|
DEFINE_OSSL_set1_up_ref(OSSL_CMP_CTX, srvCert, X509)
|
2019-08-10 20:07:22 +08:00
|
|
|
|
2023-02-01 22:39:52 +08:00
|
|
|
/* Set the X509 name of the recipient to be placed in the PKIHeader */
|
2019-08-10 20:07:22 +08:00
|
|
|
DEFINE_OSSL_CMP_CTX_set1(recipient, X509_NAME)
|
|
|
|
|
|
2020-02-20 01:00:26 +08:00
|
|
|
/* Store the X509 name of the expected sender in the PKIHeader of responses */
|
2019-08-10 20:07:22 +08:00
|
|
|
DEFINE_OSSL_CMP_CTX_set1(expected_sender, X509_NAME)
|
|
|
|
|
|
2023-02-01 22:39:52 +08:00
|
|
|
/* Set the X509 name of the issuer to be placed in the certTemplate */
|
2019-08-10 20:07:22 +08:00
|
|
|
DEFINE_OSSL_CMP_CTX_set1(issuer, X509_NAME)
|
|
|
|
|
|
2023-04-11 16:19:15 +08:00
|
|
|
/* Set the ASN1_INTEGER serial to be placed in the certTemplate for rr */
|
|
|
|
|
DEFINE_OSSL_CMP_CTX_set1(serialNumber, ASN1_INTEGER)
|
2019-08-10 20:07:22 +08:00
|
|
|
/*
|
|
|
|
|
* Set the subject name that will be placed in the certificate
|
|
|
|
|
* request. This will be the subject name on the received certificate.
|
|
|
|
|
*/
|
|
|
|
|
DEFINE_OSSL_CMP_CTX_set1(subjectName, X509_NAME)
|
|
|
|
|
|
2020-02-20 01:00:26 +08:00
|
|
|
/* Set the X.509v3 certificate request extensions to be used in IR/CR/KUR */
|
2019-08-10 20:07:22 +08:00
|
|
|
int OSSL_CMP_CTX_set0_reqExtensions(OSSL_CMP_CTX *ctx, X509_EXTENSIONS *exts)
|
|
|
|
|
{
|
|
|
|
|
if (ctx == NULL) {
|
2020-11-04 19:23:19 +08:00
|
|
|
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
|
2019-08-10 20:07:22 +08:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (sk_GENERAL_NAME_num(ctx->subjectAltNames) > 0 && exts != NULL
|
|
|
|
|
&& X509v3_get_ext_by_NID(exts, NID_subject_alt_name, -1) >= 0) {
|
2020-11-04 19:23:19 +08:00
|
|
|
ERR_raise(ERR_LIB_CMP, CMP_R_MULTIPLE_SAN_SOURCES);
|
2019-08-10 20:07:22 +08:00
|
|
|
return 0;
|
|
|
|
|
}
|
2021-12-15 15:37:49 +08:00
|
|
|
X509_EXTENSIONS_free(ctx->reqExtensions);
|
2019-08-10 20:07:22 +08:00
|
|
|
ctx->reqExtensions = exts;
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* returns 1 if ctx contains a Subject Alternative Name extension, else 0 */
|
|
|
|
|
int OSSL_CMP_CTX_reqExtensions_have_SAN(OSSL_CMP_CTX *ctx)
|
|
|
|
|
{
|
|
|
|
|
if (ctx == NULL) {
|
2020-11-04 19:23:19 +08:00
|
|
|
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
|
2019-08-10 20:07:22 +08:00
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
/* if one of the following conditions 'fail' this is not an error */
|
|
|
|
|
return ctx->reqExtensions != NULL
|
|
|
|
|
&& X509v3_get_ext_by_NID(ctx->reqExtensions,
|
|
|
|
|
NID_subject_alt_name, -1) >= 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Add a GENERAL_NAME structure that will be added to the CRMF
|
|
|
|
|
* request's extensions field to request subject alternative names.
|
|
|
|
|
*/
|
|
|
|
|
int OSSL_CMP_CTX_push1_subjectAltName(OSSL_CMP_CTX *ctx,
|
|
|
|
|
const GENERAL_NAME *name)
|
|
|
|
|
{
|
|
|
|
|
GENERAL_NAME *name_dup;
|
|
|
|
|
|
|
|
|
|
if (ctx == NULL || name == NULL) {
|
2020-11-04 19:23:19 +08:00
|
|
|
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
|
2019-08-10 20:07:22 +08:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (OSSL_CMP_CTX_reqExtensions_have_SAN(ctx) == 1) {
|
2020-11-04 19:23:19 +08:00
|
|
|
ERR_raise(ERR_LIB_CMP, CMP_R_MULTIPLE_SAN_SOURCES);
|
2019-08-10 20:07:22 +08:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (ctx->subjectAltNames == NULL
|
|
|
|
|
&& (ctx->subjectAltNames = sk_GENERAL_NAME_new_null()) == NULL)
|
|
|
|
|
return 0;
|
|
|
|
|
if ((name_dup = GENERAL_NAME_dup(name)) == NULL)
|
|
|
|
|
return 0;
|
|
|
|
|
if (!sk_GENERAL_NAME_push(ctx->subjectAltNames, name_dup)) {
|
|
|
|
|
GENERAL_NAME_free(name_dup);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Set our own client certificate, used for example in KUR and when
|
|
|
|
|
* doing the IR with existing certificate.
|
|
|
|
|
*/
|
2021-12-15 15:37:49 +08:00
|
|
|
DEFINE_OSSL_set1_up_ref(OSSL_CMP_CTX, cert, X509)
|
2019-08-10 20:07:22 +08:00
|
|
|
|
2020-09-04 21:24:14 +08:00
|
|
|
int OSSL_CMP_CTX_build_cert_chain(OSSL_CMP_CTX *ctx, X509_STORE *own_trusted,
|
|
|
|
|
STACK_OF(X509) *candidates)
|
|
|
|
|
{
|
|
|
|
|
STACK_OF(X509) *chain;
|
|
|
|
|
|
|
|
|
|
if (ctx == NULL) {
|
2020-11-04 19:23:19 +08:00
|
|
|
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
|
2020-09-04 21:24:14 +08:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2020-12-23 23:06:05 +08:00
|
|
|
if (!ossl_x509_add_certs_new(&ctx->untrusted, candidates,
|
|
|
|
|
X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP))
|
2020-09-04 21:24:14 +08:00
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
ossl_cmp_debug(ctx, "trying to build chain for own CMP signer cert");
|
2020-12-29 04:33:09 +08:00
|
|
|
chain = X509_build_chain(ctx->cert, ctx->untrusted, own_trusted, 0,
|
|
|
|
|
ctx->libctx, ctx->propq);
|
2020-09-04 21:24:14 +08:00
|
|
|
if (chain == NULL) {
|
2020-11-04 19:23:19 +08:00
|
|
|
ERR_raise(ERR_LIB_CMP, CMP_R_FAILED_BUILDING_OWN_CHAIN);
|
2020-09-04 21:24:14 +08:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
ossl_cmp_debug(ctx, "success building chain for own CMP signer cert");
|
2020-08-28 18:11:31 +08:00
|
|
|
ctx->chain = chain;
|
2020-09-04 21:24:14 +08:00
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
2019-08-10 20:07:22 +08:00
|
|
|
/*
|
|
|
|
|
* Set the old certificate that we are updating in KUR
|
|
|
|
|
* or the certificate to be revoked in RR, respectively.
|
2020-05-08 19:30:44 +08:00
|
|
|
* Also used as reference cert (defaulting to cert) for deriving subject DN
|
2019-08-10 20:07:22 +08:00
|
|
|
* and SANs. Its issuer is used as default recipient in the CMP message header.
|
|
|
|
|
*/
|
2021-12-15 15:37:49 +08:00
|
|
|
DEFINE_OSSL_set1_up_ref(OSSL_CMP_CTX, oldCert, X509)
|
2019-08-10 20:07:22 +08:00
|
|
|
|
2020-02-20 01:00:26 +08:00
|
|
|
/* Set the PKCS#10 CSR to be sent in P10CR */
|
2019-08-10 20:07:22 +08:00
|
|
|
DEFINE_OSSL_CMP_CTX_set1(p10CSR, X509_REQ)
|
|
|
|
|
|
|
|
|
|
/*
|
2020-02-20 01:00:26 +08:00
|
|
|
* Set the (newly received in IP/KUP/CP) certificate in the context.
|
2021-05-31 12:29:33 +08:00
|
|
|
* This only permits for one cert to be enrolled at a time.
|
2019-08-10 20:07:22 +08:00
|
|
|
*/
|
2021-12-15 15:37:49 +08:00
|
|
|
DEFINE_OSSL_set0(ossl_cmp_ctx, newCert, X509)
|
2019-08-10 20:07:22 +08:00
|
|
|
|
2021-12-14 18:29:19 +08:00
|
|
|
/* Get successfully validated server cert, if any, of current transaction */
|
|
|
|
|
DEFINE_OSSL_CMP_CTX_get0(validatedSrvCert, X509)
|
|
|
|
|
|
2019-08-10 20:07:22 +08:00
|
|
|
/*
|
|
|
|
|
* Get the (newly received in IP/KUP/CP) client certificate from the context
|
2021-05-31 12:29:33 +08:00
|
|
|
* This only permits for one client cert to be received...
|
2019-08-10 20:07:22 +08:00
|
|
|
*/
|
2021-12-15 15:37:49 +08:00
|
|
|
DEFINE_OSSL_CMP_CTX_get0(newCert, X509)
|
2019-08-10 20:07:22 +08:00
|
|
|
|
2020-02-20 01:00:26 +08:00
|
|
|
/* Set the client's current private key */
|
2021-12-15 15:37:49 +08:00
|
|
|
DEFINE_OSSL_set1_up_ref(OSSL_CMP_CTX, pkey, EVP_PKEY)
|
2019-08-10 20:07:22 +08:00
|
|
|
|
2020-02-20 01:00:26 +08:00
|
|
|
/* Set new key pair. Used e.g. when doing Key Update */
|
2019-08-10 20:07:22 +08:00
|
|
|
int OSSL_CMP_CTX_set0_newPkey(OSSL_CMP_CTX *ctx, int priv, EVP_PKEY *pkey)
|
|
|
|
|
{
|
|
|
|
|
if (ctx == NULL) {
|
2020-11-04 19:23:19 +08:00
|
|
|
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
|
2019-08-10 20:07:22 +08:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
EVP_PKEY_free(ctx->newPkey);
|
|
|
|
|
ctx->newPkey = pkey;
|
|
|
|
|
ctx->newPkey_priv = priv;
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
2020-02-20 01:00:26 +08:00
|
|
|
/* Get the private/public key to use for cert enrollment, or NULL on error */
|
2023-04-26 01:26:36 +08:00
|
|
|
/* In case |priv| == 0, better use ossl_cmp_ctx_get0_newPubkey() below */
|
2019-08-10 20:07:22 +08:00
|
|
|
EVP_PKEY *OSSL_CMP_CTX_get0_newPkey(const OSSL_CMP_CTX *ctx, int priv)
|
|
|
|
|
{
|
|
|
|
|
if (ctx == NULL) {
|
2020-11-04 19:23:19 +08:00
|
|
|
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
|
2019-08-10 20:07:22 +08:00
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (ctx->newPkey != NULL)
|
|
|
|
|
return priv && !ctx->newPkey_priv ? NULL : ctx->newPkey;
|
|
|
|
|
if (ctx->p10CSR != NULL)
|
|
|
|
|
return priv ? NULL : X509_REQ_get0_pubkey(ctx->p10CSR);
|
|
|
|
|
return ctx->pkey; /* may be NULL */
|
|
|
|
|
}
|
|
|
|
|
|
2023-04-26 01:26:36 +08:00
|
|
|
EVP_PKEY *ossl_cmp_ctx_get0_newPubkey(const OSSL_CMP_CTX *ctx)
|
|
|
|
|
{
|
|
|
|
|
if (!ossl_assert(ctx != NULL))
|
|
|
|
|
return NULL;
|
|
|
|
|
if (ctx->newPkey != NULL)
|
|
|
|
|
return ctx->newPkey;
|
|
|
|
|
if (ctx->p10CSR != NULL)
|
|
|
|
|
return X509_REQ_get0_pubkey(ctx->p10CSR);
|
|
|
|
|
if (ctx->oldCert != NULL)
|
|
|
|
|
return X509_get0_pubkey(ctx->oldCert);
|
|
|
|
|
if (ctx->cert != NULL)
|
|
|
|
|
return X509_get0_pubkey(ctx->cert);
|
|
|
|
|
return ctx->pkey;
|
|
|
|
|
}
|
|
|
|
|
|
2021-12-15 15:37:49 +08:00
|
|
|
#define DEFINE_set1_ASN1_OCTET_STRING(PREFIX, FIELD) \
|
|
|
|
|
int PREFIX##_set1_##FIELD(OSSL_CMP_CTX *ctx, const ASN1_OCTET_STRING *id) \
|
|
|
|
|
{ \
|
|
|
|
|
if (ctx == NULL) { \
|
|
|
|
|
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); \
|
|
|
|
|
return 0; \
|
|
|
|
|
} \
|
|
|
|
|
return ossl_cmp_asn1_octet_string_set1(&ctx->FIELD, id); \
|
2019-08-10 20:07:22 +08:00
|
|
|
}
|
|
|
|
|
|
2021-12-15 15:37:49 +08:00
|
|
|
/* Set the given transactionID to the context */
|
|
|
|
|
DEFINE_set1_ASN1_OCTET_STRING(OSSL_CMP_CTX, transactionID)
|
|
|
|
|
|
2020-02-20 01:00:26 +08:00
|
|
|
/* Set the nonce to be used for the recipNonce in the message created next */
|
2021-12-15 15:37:49 +08:00
|
|
|
DEFINE_set1_ASN1_OCTET_STRING(ossl_cmp_ctx, recipNonce)
|
2019-08-10 20:07:22 +08:00
|
|
|
|
2020-02-20 01:00:26 +08:00
|
|
|
/* Stores the given nonce as the last senderNonce sent out */
|
2021-12-15 15:37:49 +08:00
|
|
|
DEFINE_set1_ASN1_OCTET_STRING(OSSL_CMP_CTX, senderNonce)
|
2019-08-10 20:07:22 +08:00
|
|
|
|
2023-03-13 16:16:57 +08:00
|
|
|
/* store the first req sender nonce for verifying delayed delivery */
|
|
|
|
|
DEFINE_set1_ASN1_OCTET_STRING(ossl_cmp_ctx, first_senderNonce)
|
|
|
|
|
|
2020-02-20 01:00:26 +08:00
|
|
|
/* Set the proxy server to use for HTTP(S) connections */
|
|
|
|
|
DEFINE_OSSL_CMP_CTX_set1(proxy, char)
|
2019-08-10 20:07:22 +08:00
|
|
|
|
2022-08-24 02:33:58 +08:00
|
|
|
/* Set the (HTTP) hostname of the CMP server */
|
2020-03-25 20:46:02 +08:00
|
|
|
DEFINE_OSSL_CMP_CTX_set1(server, char)
|
2019-08-10 20:07:22 +08:00
|
|
|
|
2020-02-20 01:00:26 +08:00
|
|
|
/* Set the server exclusion list of the HTTP proxy server */
|
|
|
|
|
DEFINE_OSSL_CMP_CTX_set1(no_proxy, char)
|
2019-08-10 20:07:22 +08:00
|
|
|
|
2023-06-02 01:55:54 +08:00
|
|
|
#ifndef OPENSSL_NO_HTTP
|
2020-02-20 01:00:26 +08:00
|
|
|
/* Set the http connect/disconnect callback function to be used for HTTP(S) */
|
2021-12-15 15:37:49 +08:00
|
|
|
DEFINE_OSSL_set(OSSL_CMP_CTX, http_cb, OSSL_HTTP_bio_cb_t)
|
2019-08-10 20:07:22 +08:00
|
|
|
|
2020-02-20 01:00:26 +08:00
|
|
|
/* Set argument optionally to be used by the http connect/disconnect callback */
|
2021-12-15 15:37:49 +08:00
|
|
|
DEFINE_OSSL_set(OSSL_CMP_CTX, http_cb_arg, void *)
|
2019-08-10 20:07:22 +08:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Get argument optionally to be used by the http connect/disconnect callback
|
|
|
|
|
* Returns callback argument set previously (NULL if not set or on error)
|
|
|
|
|
*/
|
2021-12-15 15:37:49 +08:00
|
|
|
DEFINE_OSSL_get(OSSL_CMP_CTX, http_cb_arg, void *, NULL)
|
2023-06-02 01:55:54 +08:00
|
|
|
#endif
|
2019-08-10 20:07:22 +08:00
|
|
|
|
2020-02-20 01:00:26 +08:00
|
|
|
/* Set callback function for sending CMP request and receiving response */
|
2021-12-15 15:37:49 +08:00
|
|
|
DEFINE_OSSL_set(OSSL_CMP_CTX, transfer_cb, OSSL_CMP_transfer_cb_t)
|
2019-08-10 20:07:22 +08:00
|
|
|
|
2020-02-20 01:00:26 +08:00
|
|
|
/* Set argument optionally to be used by the transfer callback */
|
2021-12-15 15:37:49 +08:00
|
|
|
DEFINE_OSSL_set(OSSL_CMP_CTX, transfer_cb_arg, void *)
|
2019-08-10 20:07:22 +08:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Get argument optionally to be used by the transfer callback.
|
|
|
|
|
* Returns callback argument set previously (NULL if not set or on error)
|
|
|
|
|
*/
|
2021-12-15 15:37:49 +08:00
|
|
|
DEFINE_OSSL_get(OSSL_CMP_CTX, transfer_cb_arg, void *, NULL)
|
2019-08-10 20:07:22 +08:00
|
|
|
|
2020-02-20 01:00:26 +08:00
|
|
|
/** Set the HTTP server port to be used */
|
2021-12-15 15:37:49 +08:00
|
|
|
DEFINE_OSSL_set(OSSL_CMP_CTX, serverPort, int)
|
2019-08-10 20:07:22 +08:00
|
|
|
|
2020-02-20 01:00:26 +08:00
|
|
|
/* Set the HTTP path to be used on the server (e.g "pkix/") */
|
2019-08-10 20:07:22 +08:00
|
|
|
DEFINE_OSSL_CMP_CTX_set1(serverPath, char)
|
|
|
|
|
|
2020-02-20 01:00:26 +08:00
|
|
|
/* Set the failInfo error code as bit encoding in OSSL_CMP_CTX */
|
2021-12-15 15:37:49 +08:00
|
|
|
DEFINE_OSSL_set(ossl_cmp_ctx, failInfoCode, int)
|
2019-08-10 20:07:22 +08:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Get the failInfo error code in OSSL_CMP_CTX as bit encoding.
|
|
|
|
|
* Returns bit string as integer on success, -1 on error
|
|
|
|
|
*/
|
2021-12-15 15:37:49 +08:00
|
|
|
DEFINE_OSSL_get(OSSL_CMP_CTX, failInfoCode, int, -1)
|
2019-08-10 20:07:22 +08:00
|
|
|
|
2020-02-20 01:00:26 +08:00
|
|
|
/* Set a Boolean or integer option of the context to the "val" arg */
|
2019-11-05 16:56:59 +08:00
|
|
|
int OSSL_CMP_CTX_set_option(OSSL_CMP_CTX *ctx, int opt, int val)
|
|
|
|
|
{
|
2019-08-10 20:07:22 +08:00
|
|
|
int min_val;
|
|
|
|
|
|
|
|
|
|
if (ctx == NULL) {
|
2020-11-04 19:23:19 +08:00
|
|
|
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
|
2019-08-10 20:07:22 +08:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
switch (opt) {
|
|
|
|
|
case OSSL_CMP_OPT_REVOCATION_REASON:
|
|
|
|
|
min_val = OCSP_REVOKED_STATUS_NOSTATUS;
|
|
|
|
|
break;
|
2020-03-11 00:32:57 +08:00
|
|
|
case OSSL_CMP_OPT_POPO_METHOD:
|
2019-08-10 20:07:22 +08:00
|
|
|
min_val = OSSL_CRMF_POPO_NONE;
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
min_val = 0;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
if (val < min_val) {
|
2020-11-04 19:23:19 +08:00
|
|
|
ERR_raise(ERR_LIB_CMP, CMP_R_VALUE_TOO_SMALL);
|
2019-08-10 20:07:22 +08:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
switch (opt) {
|
|
|
|
|
case OSSL_CMP_OPT_LOG_VERBOSITY:
|
2020-08-26 16:11:14 +08:00
|
|
|
if (val > OSSL_CMP_LOG_MAX) {
|
2020-11-04 19:23:19 +08:00
|
|
|
ERR_raise(ERR_LIB_CMP, CMP_R_VALUE_TOO_LARGE);
|
2019-08-10 20:07:22 +08:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
ctx->log_verbosity = val;
|
|
|
|
|
break;
|
2020-03-11 00:32:57 +08:00
|
|
|
case OSSL_CMP_OPT_IMPLICIT_CONFIRM:
|
2019-08-10 20:07:22 +08:00
|
|
|
ctx->implicitConfirm = val;
|
|
|
|
|
break;
|
2020-03-11 00:32:57 +08:00
|
|
|
case OSSL_CMP_OPT_DISABLE_CONFIRM:
|
2019-08-10 20:07:22 +08:00
|
|
|
ctx->disableConfirm = val;
|
|
|
|
|
break;
|
|
|
|
|
case OSSL_CMP_OPT_UNPROTECTED_SEND:
|
|
|
|
|
ctx->unprotectedSend = val;
|
|
|
|
|
break;
|
|
|
|
|
case OSSL_CMP_OPT_UNPROTECTED_ERRORS:
|
|
|
|
|
ctx->unprotectedErrors = val;
|
|
|
|
|
break;
|
2020-03-11 00:32:57 +08:00
|
|
|
case OSSL_CMP_OPT_VALIDITY_DAYS:
|
2019-08-10 20:07:22 +08:00
|
|
|
ctx->days = val;
|
|
|
|
|
break;
|
|
|
|
|
case OSSL_CMP_OPT_SUBJECTALTNAME_NODEFAULT:
|
|
|
|
|
ctx->SubjectAltName_nodefault = val;
|
|
|
|
|
break;
|
|
|
|
|
case OSSL_CMP_OPT_SUBJECTALTNAME_CRITICAL:
|
|
|
|
|
ctx->setSubjectAltNameCritical = val;
|
|
|
|
|
break;
|
|
|
|
|
case OSSL_CMP_OPT_POLICIES_CRITICAL:
|
|
|
|
|
ctx->setPoliciesCritical = val;
|
|
|
|
|
break;
|
|
|
|
|
case OSSL_CMP_OPT_IGNORE_KEYUSAGE:
|
|
|
|
|
ctx->ignore_keyusage = val;
|
|
|
|
|
break;
|
2020-03-11 00:32:57 +08:00
|
|
|
case OSSL_CMP_OPT_POPO_METHOD:
|
2019-08-10 20:07:22 +08:00
|
|
|
if (val > OSSL_CRMF_POPO_KEYAGREE) {
|
2020-11-04 19:23:19 +08:00
|
|
|
ERR_raise(ERR_LIB_CMP, CMP_R_VALUE_TOO_LARGE);
|
2019-08-10 20:07:22 +08:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
ctx->popoMethod = val;
|
|
|
|
|
break;
|
|
|
|
|
case OSSL_CMP_OPT_DIGEST_ALGNID:
|
2020-08-13 23:44:54 +08:00
|
|
|
if (!cmp_ctx_set_md(ctx, &ctx->digest, val))
|
|
|
|
|
return 0;
|
2019-08-10 20:07:22 +08:00
|
|
|
break;
|
|
|
|
|
case OSSL_CMP_OPT_OWF_ALGNID:
|
2020-08-13 23:44:54 +08:00
|
|
|
if (!cmp_ctx_set_md(ctx, &ctx->pbm_owf, val))
|
|
|
|
|
return 0;
|
2019-08-10 20:07:22 +08:00
|
|
|
break;
|
|
|
|
|
case OSSL_CMP_OPT_MAC_ALGNID:
|
|
|
|
|
ctx->pbm_mac = val;
|
|
|
|
|
break;
|
HTTP: Implement persistent connections (keep-alive)
Both at API and at CLI level (for the CMP app only, so far)
there is a new parameter/option: keep_alive.
* 0 means HTTP connections are not kept open after
receiving a response, which is the default behavior for HTTP 1.0.
* 1 means that persistent connections are requested.
* 2 means that persistent connections are required, i.e.,
in case the server does not grant them an error occurs.
For the CMP app the default value is 1, which means preferring to keep
the connection open. For all other internal uses of the HTTP client
(fetching an OCSP response, a cert, or a CRL) it does not matter
because these operations just take one round trip.
If the client application requested or required a persistent connection
and this was granted by the server, it can keep the OSSL_HTTP_REQ_CTX *
as long as it wants to send further requests and OSSL_HTTP_is_alive()
returns nonzero,
else it should call OSSL_HTTP_REQ_CTX_free() or OSSL_HTTP_close().
In case the client application keeps the OSSL_HTTP_REQ_CTX *
but the connection then dies for any reason at the server side, it will
notice this obtaining an I/O error when trying to send the next request.
This requires extending the HTTP header parsing and
rearranging the high-level HTTP client API. In particular:
* Split the monolithic OSSL_HTTP_transfer() into OSSL_HTTP_open(),
OSSL_HTTP_set_request(), a lean OSSL_HTTP_transfer(), and OSSL_HTTP_close().
* Split the timeout functionality accordingly and improve default behavior.
* Extract part of OSSL_HTTP_REQ_CTX_new() to OSSL_HTTP_REQ_CTX_set_expected().
* Extend struct ossl_http_req_ctx_st accordingly.
Use the new feature for the CMP client, which requires extending
related transaction management of CMP client and test server.
Update the documentation and extend the tests accordingly.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15053)
2021-04-28 06:26:14 +08:00
|
|
|
case OSSL_CMP_OPT_KEEP_ALIVE:
|
|
|
|
|
ctx->keep_alive = val;
|
|
|
|
|
break;
|
2020-03-11 00:32:57 +08:00
|
|
|
case OSSL_CMP_OPT_MSG_TIMEOUT:
|
|
|
|
|
ctx->msg_timeout = val;
|
2019-08-10 20:07:22 +08:00
|
|
|
break;
|
2020-03-11 00:32:57 +08:00
|
|
|
case OSSL_CMP_OPT_TOTAL_TIMEOUT:
|
|
|
|
|
ctx->total_timeout = val;
|
2019-08-10 20:07:22 +08:00
|
|
|
break;
|
2023-06-11 23:41:03 +08:00
|
|
|
case OSSL_CMP_OPT_USE_TLS:
|
|
|
|
|
ctx->tls_used = val;
|
|
|
|
|
break;
|
2019-08-10 20:07:22 +08:00
|
|
|
case OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR:
|
|
|
|
|
ctx->permitTAInExtraCertsForIR = val;
|
|
|
|
|
break;
|
|
|
|
|
case OSSL_CMP_OPT_REVOCATION_REASON:
|
|
|
|
|
if (val > OCSP_REVOKED_STATUS_AACOMPROMISE) {
|
2020-11-04 19:23:19 +08:00
|
|
|
ERR_raise(ERR_LIB_CMP, CMP_R_VALUE_TOO_LARGE);
|
2019-08-10 20:07:22 +08:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
ctx->revocationReason = val;
|
|
|
|
|
break;
|
|
|
|
|
default:
|
2020-11-04 19:23:19 +08:00
|
|
|
ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_OPTION);
|
2019-08-10 20:07:22 +08:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Reads a Boolean or integer option value from the context.
|
|
|
|
|
* Returns -1 on error (which is the default OSSL_CMP_OPT_REVOCATION_REASON)
|
|
|
|
|
*/
|
2019-11-05 16:56:59 +08:00
|
|
|
int OSSL_CMP_CTX_get_option(const OSSL_CMP_CTX *ctx, int opt)
|
|
|
|
|
{
|
2019-08-10 20:07:22 +08:00
|
|
|
if (ctx == NULL) {
|
2020-11-04 19:23:19 +08:00
|
|
|
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
|
2019-08-10 20:07:22 +08:00
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
switch (opt) {
|
|
|
|
|
case OSSL_CMP_OPT_LOG_VERBOSITY:
|
|
|
|
|
return ctx->log_verbosity;
|
2020-03-11 00:32:57 +08:00
|
|
|
case OSSL_CMP_OPT_IMPLICIT_CONFIRM:
|
2019-08-10 20:07:22 +08:00
|
|
|
return ctx->implicitConfirm;
|
2020-03-11 00:32:57 +08:00
|
|
|
case OSSL_CMP_OPT_DISABLE_CONFIRM:
|
2019-08-10 20:07:22 +08:00
|
|
|
return ctx->disableConfirm;
|
|
|
|
|
case OSSL_CMP_OPT_UNPROTECTED_SEND:
|
|
|
|
|
return ctx->unprotectedSend;
|
|
|
|
|
case OSSL_CMP_OPT_UNPROTECTED_ERRORS:
|
|
|
|
|
return ctx->unprotectedErrors;
|
2020-03-11 00:32:57 +08:00
|
|
|
case OSSL_CMP_OPT_VALIDITY_DAYS:
|
2019-08-10 20:07:22 +08:00
|
|
|
return ctx->days;
|
|
|
|
|
case OSSL_CMP_OPT_SUBJECTALTNAME_NODEFAULT:
|
|
|
|
|
return ctx->SubjectAltName_nodefault;
|
|
|
|
|
case OSSL_CMP_OPT_SUBJECTALTNAME_CRITICAL:
|
|
|
|
|
return ctx->setSubjectAltNameCritical;
|
|
|
|
|
case OSSL_CMP_OPT_POLICIES_CRITICAL:
|
|
|
|
|
return ctx->setPoliciesCritical;
|
|
|
|
|
case OSSL_CMP_OPT_IGNORE_KEYUSAGE:
|
|
|
|
|
return ctx->ignore_keyusage;
|
2020-03-11 00:32:57 +08:00
|
|
|
case OSSL_CMP_OPT_POPO_METHOD:
|
2019-08-10 20:07:22 +08:00
|
|
|
return ctx->popoMethod;
|
|
|
|
|
case OSSL_CMP_OPT_DIGEST_ALGNID:
|
Rename all getters to use get/get0 in name
For functions that exist in 1.1.1 provide a simple aliases via #define.
Fixes #15236
Functions with OSSL_DECODER_, OSSL_ENCODER_, OSSL_STORE_LOADER_,
EVP_KEYEXCH_, EVP_KEM_, EVP_ASYM_CIPHER_, EVP_SIGNATURE_,
EVP_KEYMGMT_, EVP_RAND_, EVP_MAC_, EVP_KDF_, EVP_PKEY_,
EVP_MD_, and EVP_CIPHER_ prefixes are renamed.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15405)
2021-05-21 22:58:08 +08:00
|
|
|
return EVP_MD_get_type(ctx->digest);
|
2019-08-10 20:07:22 +08:00
|
|
|
case OSSL_CMP_OPT_OWF_ALGNID:
|
Rename all getters to use get/get0 in name
For functions that exist in 1.1.1 provide a simple aliases via #define.
Fixes #15236
Functions with OSSL_DECODER_, OSSL_ENCODER_, OSSL_STORE_LOADER_,
EVP_KEYEXCH_, EVP_KEM_, EVP_ASYM_CIPHER_, EVP_SIGNATURE_,
EVP_KEYMGMT_, EVP_RAND_, EVP_MAC_, EVP_KDF_, EVP_PKEY_,
EVP_MD_, and EVP_CIPHER_ prefixes are renamed.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15405)
2021-05-21 22:58:08 +08:00
|
|
|
return EVP_MD_get_type(ctx->pbm_owf);
|
2019-08-10 20:07:22 +08:00
|
|
|
case OSSL_CMP_OPT_MAC_ALGNID:
|
|
|
|
|
return ctx->pbm_mac;
|
HTTP: Implement persistent connections (keep-alive)
Both at API and at CLI level (for the CMP app only, so far)
there is a new parameter/option: keep_alive.
* 0 means HTTP connections are not kept open after
receiving a response, which is the default behavior for HTTP 1.0.
* 1 means that persistent connections are requested.
* 2 means that persistent connections are required, i.e.,
in case the server does not grant them an error occurs.
For the CMP app the default value is 1, which means preferring to keep
the connection open. For all other internal uses of the HTTP client
(fetching an OCSP response, a cert, or a CRL) it does not matter
because these operations just take one round trip.
If the client application requested or required a persistent connection
and this was granted by the server, it can keep the OSSL_HTTP_REQ_CTX *
as long as it wants to send further requests and OSSL_HTTP_is_alive()
returns nonzero,
else it should call OSSL_HTTP_REQ_CTX_free() or OSSL_HTTP_close().
In case the client application keeps the OSSL_HTTP_REQ_CTX *
but the connection then dies for any reason at the server side, it will
notice this obtaining an I/O error when trying to send the next request.
This requires extending the HTTP header parsing and
rearranging the high-level HTTP client API. In particular:
* Split the monolithic OSSL_HTTP_transfer() into OSSL_HTTP_open(),
OSSL_HTTP_set_request(), a lean OSSL_HTTP_transfer(), and OSSL_HTTP_close().
* Split the timeout functionality accordingly and improve default behavior.
* Extract part of OSSL_HTTP_REQ_CTX_new() to OSSL_HTTP_REQ_CTX_set_expected().
* Extend struct ossl_http_req_ctx_st accordingly.
Use the new feature for the CMP client, which requires extending
related transaction management of CMP client and test server.
Update the documentation and extend the tests accordingly.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15053)
2021-04-28 06:26:14 +08:00
|
|
|
case OSSL_CMP_OPT_KEEP_ALIVE:
|
|
|
|
|
return ctx->keep_alive;
|
2020-03-11 00:32:57 +08:00
|
|
|
case OSSL_CMP_OPT_MSG_TIMEOUT:
|
|
|
|
|
return ctx->msg_timeout;
|
|
|
|
|
case OSSL_CMP_OPT_TOTAL_TIMEOUT:
|
|
|
|
|
return ctx->total_timeout;
|
2023-06-11 23:41:03 +08:00
|
|
|
case OSSL_CMP_OPT_USE_TLS:
|
|
|
|
|
return ctx->tls_used;
|
2019-08-10 20:07:22 +08:00
|
|
|
case OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR:
|
|
|
|
|
return ctx->permitTAInExtraCertsForIR;
|
|
|
|
|
case OSSL_CMP_OPT_REVOCATION_REASON:
|
|
|
|
|
return ctx->revocationReason;
|
|
|
|
|
default:
|
2020-11-04 19:23:19 +08:00
|
|
|
ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_OPTION);
|
2019-08-10 20:07:22 +08:00
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
}
|
