mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2025-04-06 20:20:50 +08:00
Code Issues Packages Projects Releases Wiki Activity

OSSL_CMP_CTX: rename field and its getter/setter from 'untrusted_certs' to 'untrusted

Browse Source 
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12788)
This commit is contained in:
Dr. David von Oheimb 2020-08-28 12:42:47 +02:00
parent 15076c26d7
commit 0b86eefd43
12 changed files with 46 additions and 48 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
apps/cmp.c
View File

@ -1234,8 +1234,7 @@ static OSSL_CMP_SRV_CTX *setup_srv_ctx(ENGINE *engine)
}
if (!setup_certs(opt_srv_untrusted,
"untrusted certificates for mock server", ctx,
(add_X509_stack_fn_t)OSSL_CMP_CTX_set1_untrusted_certs,
NULL))
(add_X509_stack_fn_t)OSSL_CMP_CTX_set1_untrusted, NULL))
goto err;
if (opt_rsp_cert == NULL) {
@ -1316,7 +1315,7 @@ static OSSL_CMP_SRV_CTX *setup_srv_ctx(ENGINE *engine)
static int setup_verification_ctx(OSSL_CMP_CTX *ctx)
{
if (!setup_certs(opt_untrusted, "untrusted certificates", ctx,
(add_X509_stack_fn_t)OSSL_CMP_CTX_set1_untrusted_certs,
(add_X509_stack_fn_t)OSSL_CMP_CTX_set1_untrusted,
NULL))
goto err;
@ -1413,7 +1412,7 @@ static int setup_verification_ctx(OSSL_CMP_CTX *ctx)
*/
static SSL_CTX *setup_ssl_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
{
STACK_OF(X509) *untrusted_certs = OSSL_CMP_CTX_get0_untrusted_certs(ctx);
STACK_OF(X509) *untrusted_certs = OSSL_CMP_CTX_get0_untrusted(ctx);
EVP_PKEY *pkey = NULL;
X509_STORE *trust_store = NULL;
SSL_CTX *ssl_ctx;

2
crypto/cmp/cmp_client.c
View File

@ -469,7 +469,7 @@ static X509 *get1_cert_status(OSSL_CMP_CTX *ctx, int bodytype,
/*-
* Callback fn validating that the new certificate can be verified, using
* ctx->certConf_cb_arg, which has been initialized using opt_out_trusted, and
* ctx->untrusted_certs, which at this point already contains ctx->extraCertsIn.
* ctx->untrusted, which at this point already contains ctx->extraCertsIn.
* Returns 0 on acceptance, else a bit field reflecting PKIFailureInfo.
* Quoting from RFC 4210 section 5.1. Overall PKI Message:
* The extraCerts field can contain certificates that may be useful to

30
crypto/cmp/cmp_ctx.c
View File

@ -57,36 +57,36 @@ int OSSL_CMP_CTX_set0_trustedStore(OSSL_CMP_CTX *ctx, X509_STORE *store)
}
/* Get current list of non-trusted intermediate certs */
STACK_OF(X509) *OSSL_CMP_CTX_get0_untrusted_certs(const OSSL_CMP_CTX *ctx)
STACK_OF(X509) *OSSL_CMP_CTX_get0_untrusted(const OSSL_CMP_CTX *ctx)
{
if (ctx == NULL) {
CMPerr(0, CMP_R_NULL_ARGUMENT);
return NULL;
}
return ctx->untrusted_certs;
return ctx->untrusted;
}
/*
* Set untrusted certificates for path construction in authentication of
* the CMP server and potentially others (TLS server, newly enrolled cert).
*/
int OSSL_CMP_CTX_set1_untrusted_certs(OSSL_CMP_CTX *ctx, STACK_OF(X509) *certs)
int OSSL_CMP_CTX_set1_untrusted(OSSL_CMP_CTX *ctx, STACK_OF(X509) *certs)
{
STACK_OF(X509) *untrusted_certs;
STACK_OF(X509) *untrusted;
if (ctx == NULL) {
CMPerr(0, CMP_R_NULL_ARGUMENT);
return 0;
}
if ((untrusted_certs = sk_X509_new_null()) == NULL)
if ((untrusted = sk_X509_new_null()) == NULL)
return 0;
if (X509_add_certs(untrusted_certs, certs,
if (X509_add_certs(untrusted, certs,
X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP) != 1)
goto err;
sk_X509_pop_free(ctx->untrusted_certs, X509_free);
ctx->untrusted_certs = untrusted_certs;
sk_X509_pop_free(ctx->untrusted, X509_free);
ctx->untrusted = untrusted;
return 1;
err:
sk_X509_pop_free(untrusted_certs, X509_free);
sk_X509_pop_free(untrusted, X509_free);
return 0;
}
@ -126,7 +126,7 @@ OSSL_CMP_CTX *OSSL_CMP_CTX_new(OPENSSL_CTX *libctx, const char *propq)
ctx->msg_timeout = 2 * 60;
if ((ctx->untrusted_certs = sk_X509_new_null()) == NULL)
if ((ctx->untrusted = sk_X509_new_null()) == NULL)
goto err;
ctx->pbm_slen = 16;
@ -186,7 +186,7 @@ void OSSL_CMP_CTX_free(OSSL_CMP_CTX *ctx)
X509_free(ctx->validatedSrvCert);
X509_NAME_free(ctx->expected_sender);
X509_STORE_free(ctx->trusted);
sk_X509_pop_free(ctx->untrusted_certs, X509_free);
sk_X509_pop_free(ctx->untrusted, X509_free);
X509_free(ctx->cert);
EVP_PKEY_free(ctx->pkey);
@ -752,15 +752,15 @@ int OSSL_CMP_CTX_build_cert_chain(OSSL_CMP_CTX *ctx, X509_STORE *own_trusted,
return 0;
}
if (ctx->untrusted_certs != NULL ?
!X509_add_certs(ctx->untrusted_certs, candidates,
if (ctx->untrusted != NULL ?
!X509_add_certs(ctx->untrusted, candidates,
X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP) :
!OSSL_CMP_CTX_set1_untrusted_certs(ctx, candidates))
!OSSL_CMP_CTX_set1_untrusted(ctx, candidates))
return 0;
ossl_cmp_debug(ctx, "trying to build chain for own CMP signer cert");
chain = ossl_cmp_build_cert_chain(ctx->libctx, ctx->propq, own_trusted,
ctx->untrusted_certs, ctx->cert);
ctx->untrusted, ctx->cert);
if (chain == NULL) {
CMPerr(0, CMP_R_FAILED_BUILDING_OWN_CHAIN);
return 0;

2
crypto/cmp/cmp_local.h
View File

@ -60,7 +60,7 @@ struct ossl_cmp_ctx_st {
X509 *validatedSrvCert; /* caches any already validated server cert */
X509_NAME *expected_sender; /* expected sender in header of response */
X509_STORE *trusted; /* trust store maybe w CRLs and cert verify callback */
STACK_OF(X509) *untrusted_certs; /* untrusted (intermediate) certs */
STACK_OF(X509) *untrusted; /* untrusted (intermediate CA) certs */
int ignore_keyusage; /* ignore key usage entry when validating certs */
/*
* permitTAInExtraCertsForIR allows use of root certs in extracerts

6
crypto/cmp/cmp_protect.c
View File

@ -146,14 +146,14 @@ int ossl_cmp_msg_add_extraCerts(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg)
| X509_ADD_FLAG_PREPEND))
return 0;
/* if we have untrusted certs, try to add intermediate certs */
if (ctx->untrusted_certs != NULL) {
if (ctx->untrusted != NULL) {
STACK_OF(X509) *chain;
int res;
ossl_cmp_debug(ctx,
"trying to build chain for own CMP signer cert");
chain = ossl_cmp_build_cert_chain(ctx->libctx, ctx->propq, NULL,
ctx->untrusted_certs, ctx->cert);
ctx->untrusted, ctx->cert);
res = X509_add_certs(msg->extraCerts, chain,
X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP
| X509_ADD_FLAG_NO_SS);
@ -298,7 +298,7 @@ int ossl_cmp_msg_protect(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg)
/*
* will add ctx->cert followed, if possible, by its chain built
* from ctx->untrusted_certs, and then ctx->extraCertsOut
* from ctx->untrusted, and then ctx->extraCertsOut
*/
} else {
CMPerr(0, CMP_R_MISSING_KEY_INPUT_FOR_CREATING_PROTECTION);

16
crypto/cmp/cmp_vfy.c
View File

@ -122,7 +122,7 @@ int OSSL_CMP_validate_cert_path(const OSSL_CMP_CTX *ctx,
if ((csc = X509_STORE_CTX_new_with_libctx(ctx->libctx, ctx->propq)) == NULL
|| !X509_STORE_CTX_init(csc, trusted_store,
cert, ctx->untrusted_certs))
cert, ctx->untrusted))
goto err;
valid = X509_verify_cert(csc) > 0;
@ -398,7 +398,7 @@ static int check_msg_with_certs(OSSL_CMP_CTX *ctx, const STACK_OF(X509) *certs,
}
/*-
* Verify msg trying first ctx->untrusted_certs, which should include extraCerts
* Verify msg trying first ctx->untrusted, which should include extraCerts
* at its front, then trying the trusted certs in truststore (if any) of ctx.
* On success cache the found cert using ossl_cmp_ctx_set0_validatedSrvCert().
*/
@ -418,7 +418,7 @@ static int check_msg_all_certs(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg,
if (check_msg_with_certs(ctx, msg->extraCerts, "extraCerts",
NULL, NULL, msg, mode_3gpp))
return 1;
if (check_msg_with_certs(ctx, ctx->untrusted_certs, "untrusted certs",
if (check_msg_with_certs(ctx, ctx->untrusted, "untrusted certs",
msg->extraCerts, NULL, msg, mode_3gpp))
return 1;
@ -430,7 +430,7 @@ static int check_msg_all_certs(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg,
ret = check_msg_with_certs(ctx, trusted,
mode_3gpp ? "self-issued extraCerts"
: "certs in trusted store",
msg->extraCerts, ctx->untrusted_certs,
msg->extraCerts, ctx->untrusted,
msg, mode_3gpp);
sk_X509_pop_free(trusted, X509_free);
}
@ -536,7 +536,7 @@ static int check_msg_find_cert(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg)
* Validate the protection of the given PKIMessage using either password-
* based mac (PBM) or a signature algorithm. In the case of signature algorithm,
* the sender certificate can have been pinned by providing it in ctx->srvCert,
* else it is searched in msg->extraCerts, ctx->untrusted_certs, in ctx->trusted
* else it is searched in msg->extraCerts, ctx->untrusted, in ctx->trusted
* (in this order) and is path is validated against ctx->trusted.
* On success cache the found cert using ossl_cmp_ctx_set0_validatedSrvCert().
*
@ -636,7 +636,7 @@ int OSSL_CMP_validate_msg(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg)
/*-
* Check received message (i.e., response by server or request from client)
* Any msg->extraCerts are prepended to ctx->untrusted_certs.
* Any msg->extraCerts are prepended to ctx->untrusted.
*
* Ensures that:
* its sender is of appropriate type (curently only X509_NAME) and
@ -693,7 +693,7 @@ int ossl_cmp_msg_check_update(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg,
* extraCerts because they do not belong to the protected msg part anyway.
* For efficiency, the extraCerts are prepended so they get used first.
*/
if (!X509_add_certs(ctx->untrusted_certs, msg->extraCerts,
if (!X509_add_certs(ctx->untrusted, msg->extraCerts,
/* this allows self-signed certs */
X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP
| X509_ADD_FLAG_PREPEND))
@ -775,7 +775,7 @@ int ossl_cmp_msg_check_update(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg,
* the peer does not need to send them again in the same transaction.
* For efficiency, the extraCerts are prepended so they get used first.
*/
if (!X509_add_certs(ctx->untrusted_certs, msg->extraCerts,
if (!X509_add_certs(ctx->untrusted, msg->extraCerts,
/* this allows self-signed certs */
X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP
| X509_ADD_FLAG_PREPEND))

15
doc/man3/OSSL_CMP_CTX_new.pod
View File

@ -26,8 +26,8 @@ OSSL_CMP_CTX_set1_srvCert,
OSSL_CMP_CTX_set1_expected_sender,
OSSL_CMP_CTX_set0_trustedStore,
OSSL_CMP_CTX_get0_trustedStore,
OSSL_CMP_CTX_set1_untrusted_certs,
OSSL_CMP_CTX_get0_untrusted_certs,
OSSL_CMP_CTX_set1_untrusted,
OSSL_CMP_CTX_get0_untrusted,
OSSL_CMP_CTX_set1_cert,
OSSL_CMP_CTX_build_cert_chain,
OSSL_CMP_CTX_set1_pkey,
@ -99,9 +99,8 @@ OSSL_CMP_CTX_set1_senderNonce
const X509_NAME *name);
int OSSL_CMP_CTX_set0_trustedStore(OSSL_CMP_CTX *ctx, X509_STORE *store);
X509_STORE *OSSL_CMP_CTX_get0_trustedStore(const OSSL_CMP_CTX *ctx);
int OSSL_CMP_CTX_set1_untrusted_certs(OSSL_CMP_CTX *ctx,
STACK_OF(X509) *certs);
STACK_OF(X509) *OSSL_CMP_CTX_get0_untrusted_certs(const OSSL_CMP_CTX *ctx);
int OSSL_CMP_CTX_set1_untrusted(OSSL_CMP_CTX *ctx, STACK_OF(X509) *certs);
STACK_OF(X509) *OSSL_CMP_CTX_get0_untrusted(const OSSL_CMP_CTX *ctx);
/* client authentication: */
int OSSL_CMP_CTX_set1_cert(OSSL_CMP_CTX *ctx, X509 *cert);
@ -420,13 +419,13 @@ When given a NULL parameter the entry is cleared.
OSSL_CMP_CTX_get0_trustedStore() returns a pointer to the currently set
certificate store containing trusted cert etc., or an empty store if unset.
OSSL_CMP_CTX_set1_untrusted_certs() sets up a list of non-trusted certificates
OSSL_CMP_CTX_set1_untrusted() sets up a list of non-trusted certificates
of intermediate CAs that may be useful for path construction for the CMP client
certificate, for the TLS client certificate (if any), when verifying
the CMP server certificate, and when verifying newly enrolled certificates.
The reference counts of those certificates handled successfully are increased.
OSSL_CMP_CTX_get0_untrusted_certs(OSSL_CMP_CTX *ctx) returns a pointer to the
OSSL_CMP_CTX_get0_untrusted(OSSL_CMP_CTX *ctx) returns a pointer to the
list of untrusted certs, which may be empty if unset.
OSSL_CMP_CTX_set1_cert() sets the certificate used for CMP message protection.
@ -629,7 +628,7 @@ OSSL_CMP_CTX_new(),
OSSL_CMP_CTX_get_http_cb_arg(),
OSSL_CMP_CTX_get_transfer_cb_arg(),
OSSL_CMP_CTX_get0_trustedStore(),
OSSL_CMP_CTX_get0_untrusted_certs(),
OSSL_CMP_CTX_get0_untrusted(),
OSSL_CMP_CTX_get0_newPkey(),
OSSL_CMP_CTX_get_certConf_cb_arg(),
OSSL_CMP_CTX_get0_statusString(),

2
doc/man3/OSSL_CMP_validate_msg.pod
View File

@ -26,7 +26,7 @@ In case of signature algorithm, the certificate to use for the signature check
is preferably the one provided by a call to L<OSSL_CMP_CTX_set1_srvCert(3)>.
If no such sender cert has been pinned then candidate sender certificates are
taken from the list of certificates received in the C<msg> extraCerts, then any
certificates provided before via L<OSSL_CMP_CTX_set1_untrusted_certs(3)>, and
certificates provided before via L<OSSL_CMP_CTX_set1_untrusted(3)>, and
then all trusted certificates provided via L<OSSL_CMP_CTX_set0_trustedStore(3)>,
where a candidate is acceptable only if has not expired, its subject DN matches
the C<msg> sender DN (as far as present), and its subject key identifier

4
include/openssl/cmp.h
View File

@ -291,8 +291,8 @@ int OSSL_CMP_CTX_set1_srvCert(OSSL_CMP_CTX *ctx, X509 *cert);
int OSSL_CMP_CTX_set1_expected_sender(OSSL_CMP_CTX *ctx, const X509_NAME *name);
int OSSL_CMP_CTX_set0_trustedStore(OSSL_CMP_CTX *ctx, X509_STORE *store);
X509_STORE *OSSL_CMP_CTX_get0_trustedStore(const OSSL_CMP_CTX *ctx);
int OSSL_CMP_CTX_set1_untrusted_certs(OSSL_CMP_CTX *ctx, STACK_OF(X509) *certs);
STACK_OF(X509) *OSSL_CMP_CTX_get0_untrusted_certs(const OSSL_CMP_CTX *ctx);
int OSSL_CMP_CTX_set1_untrusted(OSSL_CMP_CTX *ctx, STACK_OF(X509) *certs);
STACK_OF(X509) *OSSL_CMP_CTX_get0_untrusted(const OSSL_CMP_CTX *ctx);
/* client authentication: */
int OSSL_CMP_CTX_set1_cert(OSSL_CMP_CTX *ctx, X509 *cert);
int OSSL_CMP_CTX_build_cert_chain(OSSL_CMP_CTX *ctx, X509_STORE *own_trusted,

4
test/cmp_ctx_test.c
View File

@ -746,7 +746,7 @@ DEFINE_SET_TEST(OSSL_CMP, CTX, 1, 1, expected_sender, X509_NAME)
DEFINE_SET_GET_BASE_TEST(OSSL_CMP_CTX, set0, get0, 0, trustedStore,
X509_STORE *, NULL,
DEFAULT_STORE, X509_STORE_new_1(), X509_STORE_free)
DEFINE_SET_GET_SK_X509_TEST(OSSL_CMP, CTX, 1, 0, untrusted_certs)
DEFINE_SET_GET_SK_X509_TEST(OSSL_CMP, CTX, 1, 0, untrusted)
DEFINE_SET_TEST(OSSL_CMP, CTX, 1, 0, cert, X509)
DEFINE_SET_TEST(OSSL_CMP, CTX, 1, 0, pkey, EVP_PKEY)
@ -830,7 +830,7 @@ int setup_tests(void)
ADD_TEST(test_CTX_set0_get0_validatedSrvCert);
ADD_TEST(test_CTX_set1_get0_expected_sender);
ADD_TEST(test_CTX_set0_get0_trustedStore);
ADD_TEST(test_CTX_set1_get0_untrusted_certs);
ADD_TEST(test_CTX_set1_get0_untrusted);
/* client authentication: */
ADD_TEST(test_CTX_set1_get0_cert);
ADD_TEST(test_CTX_set1_get0_pkey);

2
test/cmp_vfy_test.c
View File

@ -191,7 +191,7 @@ static int add_trusted(OSSL_CMP_CTX *ctx, X509 *cert)
static int add_untrusted(OSSL_CMP_CTX *ctx, X509 *cert)
{
return X509_add_cert(OSSL_CMP_CTX_get0_untrusted_certs(ctx), cert,
return X509_add_cert(OSSL_CMP_CTX_get0_untrusted(ctx), cert,
X509_ADD_FLAG_UP_REF);
}

4
util/libcrypto.num
View File

@ -4770,8 +4770,8 @@ OSSL_CMP_CTX_set1_srvCert ? 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_set1_expected_sender ? 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_set0_trustedStore ? 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_get0_trustedStore ? 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_set1_untrusted_certs ? 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_get0_untrusted_certs ? 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_set1_untrusted ? 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_get0_untrusted ? 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_set1_cert ? 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_set1_pkey ? 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_build_cert_chain ? 3_0_0 EXIST::FUNCTION:CMP