mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2025-01-12 13:36:28 +08:00
Code Issues Packages Projects Releases Wiki Activity

Streamline the CMP request session API, adding the generalized OSSL_CMP_exec_certreq()

Browse Source 
Fixes #12395

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12431)
This commit is contained in:
Dr. David von Oheimb 2020-07-13 14:12:02 +02:00
parent cfae32c69a
commit 299e0f1eae
22 changed files with 139 additions and 124 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
crypto/cmp/cmp_client.c
View File

@ -630,7 +630,8 @@ static int cert_response(OSSL_CMP_CTX *ctx, int sleep, int rid,
return ret;
}
int OSSL_CMP_try_certreq(OSSL_CMP_CTX *ctx, int req_type, int *checkAfter)
int OSSL_CMP_try_certreq(OSSL_CMP_CTX *ctx, int req_type,
const OSSL_CRMF_MSG *crm, int *checkAfter)
{
OSSL_CMP_MSG *req = NULL;
OSSL_CMP_MSG *rep = NULL;
@ -652,7 +653,7 @@ int OSSL_CMP_try_certreq(OSSL_CMP_CTX *ctx, int req_type, int *checkAfter)
if (ctx->total_timeout > 0) /* else ctx->end_time is not used */
ctx->end_time = time(NULL) + ctx->total_timeout;
req = ossl_cmp_certReq_new(ctx, req_type, 0 /* req_err */);
req = ossl_cmp_certreq_new(ctx, req_type, crm);
if (req == NULL) /* also checks if all necessary options are set */
return 0;
@ -685,18 +686,26 @@ int OSSL_CMP_try_certreq(OSSL_CMP_CTX *ctx, int req_type, int *checkAfter)
* TODO: another function to request two certificates at once should be created.
* Returns pointer to received certificate, or NULL if none was received.
*/
static X509 *do_certreq_seq(OSSL_CMP_CTX *ctx, int req_type, int req_err,
int rep_type)
X509 *OSSL_CMP_exec_certreq(OSSL_CMP_CTX *ctx, int req_type,
const OSSL_CRMF_MSG *crm)
{
OSSL_CMP_MSG *req = NULL;
OSSL_CMP_MSG *rep = NULL;
int rid = (req_type == OSSL_CMP_PKIBODY_P10CR) ? -1 : OSSL_CMP_CERTREQID;
int is_p10 = req_type == OSSL_CMP_PKIBODY_P10CR;
int rid = is_p10 ? -1 : OSSL_CMP_CERTREQID;
int rep_type = is_p10 ? OSSL_CMP_PKIBODY_CP : req_type + 1;
X509 *result = NULL;
if (ctx == NULL) {
CMPerr(0, CMP_R_NULL_ARGUMENT);
return NULL;
}
if (is_p10 && crm != NULL) {
CMPerr(0, CMP_R_INVALID_ARGS);
return NULL;
}
ctx->status = -1;
if (!ossl_cmp_ctx_set0_newCert(ctx, NULL))
return NULL;
@ -705,7 +714,7 @@ static X509 *do_certreq_seq(OSSL_CMP_CTX *ctx, int req_type, int req_err,
ctx->end_time = time(NULL) + ctx->total_timeout;
/* OSSL_CMP_certreq_new() also checks if all necessary options are set */
if ((req = ossl_cmp_certReq_new(ctx, req_type, req_err)) == NULL)
if ((req = ossl_cmp_certreq_new(ctx, req_type, crm)) == NULL)
goto err;
if (!send_receive_check(ctx, req, &rep, rep_type))
@ -722,30 +731,6 @@ static X509 *do_certreq_seq(OSSL_CMP_CTX *ctx, int req_type, int req_err,
return result;
}
X509 *OSSL_CMP_exec_IR_ses(OSSL_CMP_CTX *ctx)
{
return do_certreq_seq(ctx, OSSL_CMP_PKIBODY_IR,
CMP_R_ERROR_CREATING_IR, OSSL_CMP_PKIBODY_IP);
}
X509 *OSSL_CMP_exec_CR_ses(OSSL_CMP_CTX *ctx)
{
return do_certreq_seq(ctx, OSSL_CMP_PKIBODY_CR,
CMP_R_ERROR_CREATING_CR, OSSL_CMP_PKIBODY_CP);
}
X509 *OSSL_CMP_exec_KUR_ses(OSSL_CMP_CTX *ctx)
{
return do_certreq_seq(ctx, OSSL_CMP_PKIBODY_KUR,
CMP_R_ERROR_CREATING_KUR, OSSL_CMP_PKIBODY_KUP);
}
X509 *OSSL_CMP_exec_P10CR_ses(OSSL_CMP_CTX *ctx)
{
return do_certreq_seq(ctx, OSSL_CMP_PKIBODY_P10CR,
CMP_R_ERROR_CREATING_P10CR, OSSL_CMP_PKIBODY_CP);
}
X509 *OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx)
{
OSSL_CMP_MSG *rr = NULL;

8
crypto/cmp/cmp_err.c
View File

@ -45,17 +45,14 @@ static const ERR_STRING_DATA CMP_str_reasons[] = {
"error creating certconf"},
{ERR_PACK(ERR_LIB_CMP, 0, CMP_R_ERROR_CREATING_CERTREP),
"error creating certrep"},
{ERR_PACK(ERR_LIB_CMP, 0, CMP_R_ERROR_CREATING_CR), "error creating cr"},
{ERR_PACK(ERR_LIB_CMP, 0, CMP_R_ERROR_CREATING_CERTREQ),
"error creating certreq"},
{ERR_PACK(ERR_LIB_CMP, 0, CMP_R_ERROR_CREATING_ERROR),
"error creating error"},
{ERR_PACK(ERR_LIB_CMP, 0, CMP_R_ERROR_CREATING_GENM),
"error creating genm"},
{ERR_PACK(ERR_LIB_CMP, 0, CMP_R_ERROR_CREATING_GENP),
"error creating genp"},
{ERR_PACK(ERR_LIB_CMP, 0, CMP_R_ERROR_CREATING_IR), "error creating ir"},
{ERR_PACK(ERR_LIB_CMP, 0, CMP_R_ERROR_CREATING_KUR), "error creating kur"},
{ERR_PACK(ERR_LIB_CMP, 0, CMP_R_ERROR_CREATING_P10CR),
"error creating p10cr"},
{ERR_PACK(ERR_LIB_CMP, 0, CMP_R_ERROR_CREATING_PKICONF),
"error creating pkiconf"},
{ERR_PACK(ERR_LIB_CMP, 0, CMP_R_ERROR_CREATING_POLLREP),
@ -90,6 +87,7 @@ static const ERR_STRING_DATA CMP_str_reasons[] = {
"missing key input for creating protection"},
{ERR_PACK(ERR_LIB_CMP, 0, CMP_R_MISSING_KEY_USAGE_DIGITALSIGNATURE),
"missing key usage digitalsignature"},
{ERR_PACK(ERR_LIB_CMP, 0, CMP_R_MISSING_P10CSR), "missing p10csr"},
{ERR_PACK(ERR_LIB_CMP, 0, CMP_R_MISSING_PRIVATE_KEY),
"missing private key"},
{ERR_PACK(ERR_LIB_CMP, 0, CMP_R_MISSING_PROTECTION), "missing protection"},

6
crypto/cmp/cmp_local.h
View File

@ -855,9 +855,9 @@ const char *ossl_cmp_bodytype_to_string(int type);
int ossl_cmp_msg_set_bodytype(OSSL_CMP_MSG *msg, int type);
int ossl_cmp_msg_get_bodytype(const OSSL_CMP_MSG *msg);
OSSL_CMP_MSG *ossl_cmp_msg_create(OSSL_CMP_CTX *ctx, int bodytype);
OSSL_CMP_MSG *ossl_cmp_certReq_new(OSSL_CMP_CTX *ctx, int bodytype,
int err_code);
OSSL_CMP_MSG *ossl_cmp_certRep_new(OSSL_CMP_CTX *ctx, int bodytype,
OSSL_CMP_MSG *ossl_cmp_certreq_new(OSSL_CMP_CTX *ctx, int bodytype,
const OSSL_CRMF_MSG *crm);
OSSL_CMP_MSG *ossl_cmp_certrep_new(OSSL_CMP_CTX *ctx, int bodytype,
int certReqId, OSSL_CMP_PKISI *si,
X509 *cert, STACK_OF(X509) *chain,
STACK_OF(X509) *caPubs, int encrypted,

33
crypto/cmp/cmp_msg.c
View File

@ -128,7 +128,7 @@ OSSL_CMP_MSG *ossl_cmp_msg_create(OSSL_CMP_CTX *ctx, int bodytype)
case OSSL_CMP_PKIBODY_P10CR:
if (ctx->p10CSR == NULL) {
CMPerr(0, CMP_R_ERROR_CREATING_P10CR);
CMPerr(0, CMP_R_MISSING_P10CSR);
goto err;
}
if ((msg->body->value.p10cr = X509_REQ_dup(ctx->p10CSR)) == NULL)
@ -321,10 +321,11 @@ static OSSL_CRMF_MSG *crm_new(OSSL_CMP_CTX *ctx, int bodytype, int rid)
return crm;
}
OSSL_CMP_MSG *ossl_cmp_certReq_new(OSSL_CMP_CTX *ctx, int type, int err_code)
OSSL_CMP_MSG *ossl_cmp_certreq_new(OSSL_CMP_CTX *ctx, int type,
const OSSL_CRMF_MSG *crm)
{
OSSL_CMP_MSG *msg;
OSSL_CRMF_MSG *crm = NULL;
OSSL_CRMF_MSG *local_crm = NULL;
if (!ossl_assert(ctx != NULL))
return NULL;
@ -353,13 +354,20 @@ OSSL_CMP_MSG *ossl_cmp_certReq_new(OSSL_CMP_CTX *ctx, int type, int err_code)
CMPerr(0, CMP_R_MISSING_PRIVATE_KEY);
goto err;
}
if ((crm = crm_new(ctx, type, OSSL_CMP_CERTREQID)) == NULL
|| !OSSL_CRMF_MSG_create_popo(crm, privkey, ctx->digest,
ctx->popoMethod)
/* value.ir is same for cr and kur */
|| !sk_OSSL_CRMF_MSG_push(msg->body->value.ir, crm))
if (crm == NULL) {
if ((local_crm = crm_new(ctx, type, OSSL_CMP_CERTREQID)) == NULL
|| !OSSL_CRMF_MSG_create_popo(local_crm, privkey, ctx->digest,
ctx->popoMethod))
goto err;
} else {
if ((local_crm = OSSL_CRMF_MSG_dup(crm)) == NULL)
goto err;
}
/* value.ir is same for cr and kur */
if (!sk_OSSL_CRMF_MSG_push(msg->body->value.ir, local_crm))
goto err;
crm = NULL;
local_crm = NULL;
/* TODO: here optional 2nd certreqmsg could be pushed to the stack */
}
@ -369,14 +377,13 @@ OSSL_CMP_MSG *ossl_cmp_certReq_new(OSSL_CMP_CTX *ctx, int type, int err_code)
return msg;
err:
if (err_code != 0)
CMPerr(0, err_code);
OSSL_CRMF_MSG_free(crm);
CMPerr(0, CMP_R_ERROR_CREATING_CERTREQ);
OSSL_CRMF_MSG_free(local_crm);
OSSL_CMP_MSG_free(msg);
return NULL;
}
OSSL_CMP_MSG *ossl_cmp_certRep_new(OSSL_CMP_CTX *ctx, int bodytype,
OSSL_CMP_MSG *ossl_cmp_certrep_new(OSSL_CMP_CTX *ctx, int bodytype,
int certReqId, OSSL_CMP_PKISI *si,
X509 *cert, STACK_OF(X509) *chain,
STACK_OF(X509) *caPubs, int encrypted,

2
crypto/cmp/cmp_server.c
View File

@ -230,7 +230,7 @@ static OSSL_CMP_MSG *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
goto err;
}
msg = ossl_cmp_certRep_new(srv_ctx->ctx, bodytype, certReqId, si,
msg = ossl_cmp_certrep_new(srv_ctx->ctx, bodytype, certReqId, si,
certOut, chainOut, caPubs, 0 /* encrypted */,
srv_ctx->sendUnprotectedErrors);
/*

2
crypto/crmf/crmf_asn.c
View File

@ -230,7 +230,7 @@ ASN1_SEQUENCE(OSSL_CRMF_MSG) = {
OSSL_CRMF_ATTRIBUTETYPEANDVALUE)
} ASN1_SEQUENCE_END(OSSL_CRMF_MSG)
IMPLEMENT_ASN1_FUNCTIONS(OSSL_CRMF_MSG)
IMPLEMENT_ASN1_DUP_FUNCTION(OSSL_CRMF_MSG)
ASN1_ITEM_TEMPLATE(OSSL_CRMF_MSGS) =
ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,

6
crypto/err/openssl.txt
View File

@ -2098,13 +2098,10 @@ CMP_R_ENCOUNTERED_WAITING:162:encountered waiting
CMP_R_ERROR_CALCULATING_PROTECTION:115:error calculating protection
CMP_R_ERROR_CREATING_CERTCONF:116:error creating certconf
CMP_R_ERROR_CREATING_CERTREP:117:error creating certrep
CMP_R_ERROR_CREATING_CR:163:error creating cr
CMP_R_ERROR_CREATING_CERTREQ:163:error creating certreq
CMP_R_ERROR_CREATING_ERROR:118:error creating error
CMP_R_ERROR_CREATING_GENM:119:error creating genm
CMP_R_ERROR_CREATING_GENP:120:error creating genp
CMP_R_ERROR_CREATING_IR:164:error creating ir
CMP_R_ERROR_CREATING_KUR:165:error creating kur
CMP_R_ERROR_CREATING_P10CR:121:error creating p10cr
CMP_R_ERROR_CREATING_PKICONF:122:error creating pkiconf
CMP_R_ERROR_CREATING_POLLREP:123:error creating pollrep
CMP_R_ERROR_CREATING_POLLREQ:124:error creating pollreq
@ -2125,6 +2122,7 @@ CMP_R_INVALID_OPTION:174:invalid option
CMP_R_MISSING_KEY_INPUT_FOR_CREATING_PROTECTION:130:\
missing key input for creating protection
CMP_R_MISSING_KEY_USAGE_DIGITALSIGNATURE:142:missing key usage digitalsignature
CMP_R_MISSING_P10CSR:121:missing p10csr
CMP_R_MISSING_PRIVATE_KEY:131:missing private key
CMP_R_MISSING_PROTECTION:143:missing protection
CMP_R_MISSING_REFERENCE_CERT:168:missing reference cert

16
doc/internal/man3/ossl_cmp_certReq_new.pod → doc/internal/man3/ossl_cmp_certreq_new.pod
View File

@ -2,8 +2,8 @@
=head1 NAME
ossl_cmp_certReq_new,
ossl_cmp_certRep_new,
ossl_cmp_certreq_new,
ossl_cmp_certrep_new,
ossl_cmp_rr_new,
ossl_cmp_rp_new,
ossl_cmp_certConf_new,
@ -47,9 +47,9 @@ ossl_cmp_error_new
# define OSSL_CMP_PKIBODY_POLLREQ 25
# define OSSL_CMP_PKIBODY_POLLREP 26
OSSL_ossl_cmp_MSG *ossl_cmp_certReq_new(OSSL_CMP_CTX *ctx, int bodytype,
int err_code);
OSSL_CMP_MSG *ossl_cmp_certRep_new(OSSL_CMP_CTX *ctx, int bodytype,
OSSL_ossl_cmp_MSG *ossl_cmp_certreq_new(OSSL_CMP_CTX *ctx, int bodytype,
const OSSL_CRMF_MSG *crm);
OSSL_CMP_MSG *ossl_cmp_certrep_new(OSSL_CMP_CTX *ctx, int bodytype,
int certReqId, OSSL_CMP_PKISI *si,
X509 *cert, STACK_OF(X509) *chain,
STACK_OF(X509) *caPubs,
@ -75,10 +75,10 @@ This is the API for creating various CMP PKIMESSAGES. The
functions allocate a new message, fill it with the relevant data derived from
the given OSSL_CMP_CTX, and create the applicable protection.
ossl_cmp_certReq_new() creates a PKIMessage for requesting a certificate,
ossl_cmp_certreq_new() creates a PKIMessage for requesting a certificate,
which can be either of IR/CR/KUR/P10CR, depending on the given B<bodytype>.
The OpenSSL error reason code defined in err.h to use on error is given as
B<err_code>.
The CRMF message to use may be given via the B<crm> argument;
else (if B<crm> is NULL) it is created from the information in the B<ctx>.
Available CMP certificate request PKIMessage B<bodytype>s are:

2
doc/internal/man3/ossl_cmp_msg_create.pod
View File

@ -62,7 +62,7 @@ See the individual functions above.
=head1 SEE ALSO
L<OSSL_CMP_CTX_new(3)>, L<OSSL_CMP_exec_IR_ses(3)>
L<OSSL_CMP_CTX_new(3)>, L<OSSL_CMP_exec_certreq(3)>
=head1 HISTORY

2
doc/internal/man3/ossl_cmp_pkisi_get_status.pod
View File

@ -74,7 +74,7 @@ See the individual functions above.
=head1 SEE ALSO
L<OSSL_CMP_CTX_new(3)>, L<ossl_cmp_certReq_new(3)>
L<OSSL_CMP_CTX_new(3)>, L<ossl_cmp_certreq_new(3)>
=head1 HISTORY

5
doc/man3/OSSL_CMP_CTX_new.pod
View File

@ -682,8 +682,9 @@ the id-it-signKeyPairTypes OID and prints info on the General Response contents:
=head1 SEE ALSO
L<OSSL_CMP_exec_IR_ses(3)>, L<OSSL_CMP_exec_KUR_ses(3)>,
L<OSSL_CMP_exec_GENM_ses(3)>
L<OSSL_CMP_exec_IR_ses(3)>, L<OSSL_CMP_exec_CR_ses(3)>,
L<OSSL_CMP_exec_KUR_ses(3)>, L<OSSL_CMP_exec_GENM_ses(3)>,
L<OSSL_CMP_exec_certreq(3)>
=head1 HISTORY

43
doc/man3/OSSL_CMP_exec_IR_ses.pod → doc/man3/OSSL_CMP_exec_certreq.pod
View File

@ -2,6 +2,7 @@
=head1 NAME
OSSL_CMP_exec_certreq,
OSSL_CMP_exec_IR_ses,
OSSL_CMP_exec_CR_ses,
OSSL_CMP_exec_P10CR_ses,
@ -20,6 +21,8 @@ OSSL_CMP_certConf_cb
#include <openssl/cmp.h>
X509 *OSSL_CMP_exec_certreq(OSSL_CMP_CTX *ctx, int req_type,
const OSSL_CRMF_MSG *crm);
X509 *OSSL_CMP_exec_IR_ses(OSSL_CMP_CTX *ctx);
X509 *OSSL_CMP_exec_CR_ses(OSSL_CMP_CTX *ctx);
X509 *OSSL_CMP_exec_P10CR_ses(OSSL_CMP_CTX *ctx);
@ -28,7 +31,8 @@ OSSL_CMP_certConf_cb
#define OSSL_CMP_CR
#define OSSL_CMP_P10CR
#define OSSL_CMP_KUR
int OSSL_CMP_try_certreq(OSSL_CMP_CTX *ctx, int req_type, int *checkAfter);
int OSSL_CMP_try_certreq(OSSL_CMP_CTX *ctx, int req_type,
const OSSL_CRMF_MSG *crm, int *checkAfter);
int OSSL_CMP_certConf_cb(OSSL_CMP_CTX *ctx, X509 *cert, int fail_info,
const char **text);
X509 *OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx);
@ -43,8 +47,6 @@ All functions take a populated OSSL_CMP_CTX structure as their first argument.
Usually the server name, port, and path ("CMP alias") need to be set, as well as
credentials the client can use for authenticating itself to the client.
In order to authenticate the server the client typically needs a trust store.
For performing certificate enrollment requests the certificate template needs
to be sufficiently filled in, giving at least the subject name and key.
The functions return their respective main results directly, while there are
also accessor functions for retrieving various results and status information
from the B<ctx>. See L<OSSL_CMP_CTX_new(3)> etc. for details.
@ -61,21 +63,30 @@ OSSL_CMP_exec_P10CR_ses() conveys a legacy PKCS#10 CSR requesting a certificate.
OSSL_CMP_exec_KUR_ses() obtains an updated certificate.
All these four types of certificate enrollment may be blocked by sleeping until the
CAs or an intermedate PKI component can fully process and answer the request.
These four types of certificate enrollment are implemented as macros
calling OSSL_CMP_exec_certreq().
OSSL_CMP_try_certreq() is an alternative to these four functions that is
more uniform regarding the type of the certificate request to use and
OSSL_CMP_exec_certreq() performs a certificate request of the type specified
by the B<req_type> parameter, which may be IR, CR, P10CR, or KUR.
For IR, CR, and KUR, the certificate template to be used in the request
may be supplied via the B<crm> parameter pointing to a CRMF structure.
Typically B<crm> is NULL, then the template ingredients are taken from B<ctx>
and need to be filled in using L<OSSL_CMP_CTX_set1_subjectName(3)>,
L<OSSL_CMP_CTX_set0_newPkey(3)>, L<OSSL_CMP_CTX_set1_oldCert(3)>, etc.
For P10CR, L<OSSL_CMP_CTX_set1_p10CSR(3)> needs to be used instead.
The enrollment session may be blocked by sleeping until the addressed
CA (or an intermedate PKI component) can fully process and answer the request.
OSSL_CMP_try_certreq() is an alternative to the above functions that is
more flexible regarding what to do after receiving a checkAfter value.
When called for the first time (with no certificate request in progress for
the given B<ctx>) it starts a new transaction by sending a certificate request
of the given type,
which may be IR, CR, P10CR, or KUR as specified by the B<req_type> parameter.
constructed as stated above using the B<req_type> and optional B<crm> parameter.
Otherwise (when according to B<ctx> a 'waiting' status has been received before)
it continues polling for the pending request
unless the B<req_type> argument is < 0, which aborts the request.
If the requested certificate is available the function returns 1 and the
caller can use B<OSSL_CMP_CTX_get0_newCert()> to retrieve the new certificate.
caller can use L<OSSL_CMP_CTX_get0_newCert(3)> to retrieve the new certificate.
If no error occurred but no certificate is available yet then
OSSL_CMP_try_certreq() remembers in the CMP context that it should be retried
and returns -1 after assigning the received checkAfter value
@ -121,17 +132,17 @@ So far the CMP client implementation is limited to one request per CMP message
=head1 RETURN VALUES
OSSL_CMP_exec_IR_ses(), OSSL_CMP_exec_CR_ses(),
OSSL_CMP_exec_certreq(), OSSL_CMP_exec_IR_ses(), OSSL_CMP_exec_CR_ses(),
OSSL_CMP_exec_P10CR_ses(), and OSSL_CMP_exec_KUR_ses() return a
pointer to the newly obtained X509 certificate on success, B<NULL> on error.
This pointer will be freed implicitly by OSSL_CMP_CTX_free() or
CSSL_CMP_CTX_reinit().
OSSL_CMP_try_certreq() returns 1 if the requested certificate is available
via B<OSSL_CMP_CTX_get0_newCert()>
via L<OSSL_CMP_CTX_get0_newCert(3)>
or on successfully aborting a pending certificate request, 0 on error, and -1
in case a 'waiting' status has been received and checkAfter value is available.
In the latter case B<OSSL_CMP_CTX_get0_newCert()> yields NULL
In the latter case L<OSSL_CMP_CTX_get0_newCert(3)> yields NULL
and the output parameter B<checkAfter> has been used to
assign the received value unless B<checkAfter> is NULL.
@ -154,7 +165,11 @@ functions.
=head1 SEE ALSO
L<OSSL_CMP_CTX_new(3)>, L<OSSL_CMP_MSG_http_perform(3)>
L<OSSL_CMP_CTX_new(3)>, L<OSSL_CMP_CTX_free(3)>,
L<OSSL_CMP_CTX_set1_subjectName(3)>, L<OSSL_CMP_CTX_set0_newPkey(3)>,
L<OSSL_CMP_CTX_set1_p10CSR(3)>, L<OSSL_CMP_CTX_set1_oldCert(3)>,
L<OSSL_CMP_CTX_get0_newCert(3)>, L<OSSL_CMP_CTX_push0_genm_ITAV(3)>,
L<OSSL_CMP_MSG_http_perform(3)>
=head1 HISTORY

2
doc/man3/OSSL_CMP_validate_msg.pod
View File

@ -61,7 +61,7 @@ return 1 on success, 0 on error or validation failed.
=head1 SEE ALSO
L<OSSL_CMP_CTX_new(3)>, L<OSSL_CMP_exec_IR_ses(3)>
L<OSSL_CMP_CTX_new(3)>, L<OSSL_CMP_exec_certreq(3)>
=head1 HISTORY

1
doc/man3/X509_dup.pod
View File

@ -152,6 +152,7 @@ OSSL_CRMF_ENCRYPTEDVALUE_new,
OSSL_CRMF_MSGS_free,
OSSL_CRMF_MSGS_it,
OSSL_CRMF_MSGS_new,
OSSL_CRMF_MSG_dup,
OSSL_CRMF_MSG_free,
OSSL_CRMF_MSG_it,
OSSL_CRMF_MSG_new,

2
fuzz/cmp.c
View File

@ -84,7 +84,7 @@ static void cmp_client_process_response(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg)
break;
case OSSL_CMP_PKIBODY_POLLREP:
ctx->status = OSSL_CMP_PKISTATUS_waiting;
(void)OSSL_CMP_try_certreq(ctx, OSSL_CMP_PKIBODY_CR, NULL);
(void)OSSL_CMP_try_certreq(ctx, OSSL_CMP_PKIBODY_CR, NULL, NULL);
break;
case OSSL_CMP_PKIBODY_RP:
(void)OSSL_CMP_exec_RR_ses(ctx);

25
include/openssl/cmp.h
View File

@ -417,15 +417,22 @@ int OSSL_CMP_SRV_CTX_set_grant_implicit_confirm(OSSL_CMP_SRV_CTX *srv_ctx,
int val);
/* from cmp_client.c */
X509 *OSSL_CMP_exec_IR_ses(OSSL_CMP_CTX *ctx);
X509 *OSSL_CMP_exec_CR_ses(OSSL_CMP_CTX *ctx);
X509 *OSSL_CMP_exec_P10CR_ses(OSSL_CMP_CTX *ctx);
X509 *OSSL_CMP_exec_KUR_ses(OSSL_CMP_CTX *ctx);
# define OSSL_CMP_IR OSSL_CMP_PKIBODY_IR
# define OSSL_CMP_CR OSSL_CMP_PKIBODY_CR
# define OSSL_CMP_P10CR OSSL_CMP_PKIBODY_P10CR
# define OSSL_CMP_KUR OSSL_CMP_PKIBODY_KUR
int OSSL_CMP_try_certreq(OSSL_CMP_CTX *ctx, int req_type, int *checkAfter);
X509 *OSSL_CMP_exec_certreq(OSSL_CMP_CTX *ctx, int req_type,
const OSSL_CRMF_MSG *crm);
# define OSSL_CMP_IR 0
# define OSSL_CMP_CR 2
# define OSSL_CMP_P10CR 4
# define OSSL_CMP_KUR 7
# define OSSL_CMP_exec_IR_ses(ctx) \
OSSL_CMP_exec_certreq(ctx, OSSL_CMP_IR, NULL)
# define OSSL_CMP_exec_CR_ses(ctx) \
OSSL_CMP_exec_certreq(ctx, OSSL_CMP_CR, NULL)
# define OSSL_CMP_exec_P10CR_ses(ctx) \
OSSL_CMP_exec_certreq(ctx, OSSL_CMP_P10CR, NULL)
# define OSSL_CMP_exec_KUR_ses(ctx) \
OSSL_CMP_exec_certreq(ctx, OSSL_CMP_KUR, NULL)
int OSSL_CMP_try_certreq(OSSL_CMP_CTX *ctx, int req_type,
const OSSL_CRMF_MSG *crm, int *checkAfter);
int OSSL_CMP_certConf_cb(OSSL_CMP_CTX *ctx, X509 *cert, int fail_info,
const char **text);
X509 *OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx);

6
include/openssl/cmperr.h
View File

@ -51,13 +51,10 @@ int ERR_load_CMP_strings(void);
# define CMP_R_ERROR_CALCULATING_PROTECTION 115
# define CMP_R_ERROR_CREATING_CERTCONF 116
# define CMP_R_ERROR_CREATING_CERTREP 117
# define CMP_R_ERROR_CREATING_CR 163
# define CMP_R_ERROR_CREATING_CERTREQ 163
# define CMP_R_ERROR_CREATING_ERROR 118
# define CMP_R_ERROR_CREATING_GENM 119
# define CMP_R_ERROR_CREATING_GENP 120
# define CMP_R_ERROR_CREATING_IR 164
# define CMP_R_ERROR_CREATING_KUR 165
# define CMP_R_ERROR_CREATING_P10CR 121
# define CMP_R_ERROR_CREATING_PKICONF 122
# define CMP_R_ERROR_CREATING_POLLREP 123
# define CMP_R_ERROR_CREATING_POLLREQ 124
@ -77,6 +74,7 @@ int ERR_load_CMP_strings(void);
# define CMP_R_INVALID_OPTION 174
# define CMP_R_MISSING_KEY_INPUT_FOR_CREATING_PROTECTION 130
# define CMP_R_MISSING_KEY_USAGE_DIGITALSIGNATURE 142
# define CMP_R_MISSING_P10CSR 121
# define CMP_R_MISSING_PRIVATE_KEY 131
# define CMP_R_MISSING_PROTECTION 143
# define CMP_R_MISSING_REFERENCE_CERT 168

1
include/openssl/crmf.h
View File

@ -43,6 +43,7 @@ typedef struct ossl_crmf_encryptedvalue_st OSSL_CRMF_ENCRYPTEDVALUE;
DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_ENCRYPTEDVALUE)
typedef struct ossl_crmf_msg_st OSSL_CRMF_MSG;
DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_MSG)
DECLARE_ASN1_DUP_FUNCTION(OSSL_CRMF_MSG)
DEFINE_OR_DECLARE_STACK_OF(OSSL_CRMF_MSG)
typedef struct ossl_crmf_attributetypeandvalue_st OSSL_CRMF_ATTRIBUTETYPEANDVALUE;
typedef struct ossl_crmf_pbmparameter_st OSSL_CRMF_PBMPARAMETER;

38
test/cmp_client_test.c
View File

@ -28,8 +28,8 @@ typedef struct test_fixture {
const char *test_case_name;
OSSL_CMP_CTX *cmp_ctx;
OSSL_CMP_SRV_CTX *srv_ctx;
int req_type;
int expected;
X509 *(*exec_cert_ses_cb) (OSSL_CMP_CTX *);
STACK_OF(X509) *caPubs;
} CMP_SES_TEST_FIXTURE;
@ -81,7 +81,7 @@ static CMP_SES_TEST_FIXTURE *set_up(const char *const test_case_name)
|| !OSSL_CMP_CTX_set1_srvCert(ctx, server_cert)
|| !OSSL_CMP_CTX_set1_referenceValue(ctx, ref, sizeof(ref)))
goto err;
fixture->exec_cert_ses_cb = NULL;
fixture->req_type = -1;
return fixture;
err:
@ -107,13 +107,13 @@ static int execute_exec_GENM_ses_test(CMP_SES_TEST_FIXTURE *fixture)
static int execute_exec_certrequest_ses_test(CMP_SES_TEST_FIXTURE *fixture)
{
X509 *res;
X509 *res = OSSL_CMP_exec_certreq(fixture->cmp_ctx,
fixture->req_type, NULL);
if (fixture->expected == 0)
return TEST_ptr_null(fixture->exec_cert_ses_cb(fixture->cmp_ctx));
return TEST_ptr_null(res);
if (!TEST_ptr(res = fixture->exec_cert_ses_cb(fixture->cmp_ctx))
|| !TEST_int_eq(X509_cmp(res, client_cert), 0))
if (!TEST_ptr(res) || !TEST_int_eq(X509_cmp(res, client_cert), 0))
return 0;
/* TODO: check that cerfConf has been exchanged unless implicitConfirm */
if (fixture->caPubs != NULL) {
@ -150,7 +150,7 @@ static int test_exec_RR_ses_receive_error(void)
static int test_exec_IR_ses(void)
{
SETUP_TEST_FIXTURE(CMP_SES_TEST_FIXTURE, set_up);
fixture->exec_cert_ses_cb = OSSL_CMP_exec_IR_ses;
fixture->req_type = OSSL_CMP_IR;
fixture->expected = 1;
fixture->caPubs = sk_X509_new_null();
sk_X509_push(fixture->caPubs, server_cert);
@ -164,7 +164,7 @@ static const int checkAfter = 1;
static int test_exec_IR_ses_poll(void)
{
SETUP_TEST_FIXTURE(CMP_SES_TEST_FIXTURE, set_up);
fixture->exec_cert_ses_cb = OSSL_CMP_exec_IR_ses;
fixture->req_type = OSSL_CMP_IR;
fixture->expected = 1;
ossl_cmp_mock_srv_set_pollCount(fixture->srv_ctx, 2);
ossl_cmp_mock_srv_set_checkAfterTime(fixture->srv_ctx, checkAfter);
@ -179,7 +179,7 @@ static int test_exec_IR_ses_poll_timeout(void)
const int tout = pollCount * checkAfter;
SETUP_TEST_FIXTURE(CMP_SES_TEST_FIXTURE, set_up);
fixture->exec_cert_ses_cb = OSSL_CMP_exec_IR_ses;
fixture->req_type = OSSL_CMP_IR;
fixture->expected = 0;
ossl_cmp_mock_srv_set_pollCount(fixture->srv_ctx, pollCount + 1);
ossl_cmp_mock_srv_set_checkAfterTime(fixture->srv_ctx, checkAfter);
@ -192,7 +192,7 @@ static int test_exec_IR_ses_poll_timeout(void)
static int test_exec_CR_ses(void)
{
SETUP_TEST_FIXTURE(CMP_SES_TEST_FIXTURE, set_up);
fixture->exec_cert_ses_cb = OSSL_CMP_exec_CR_ses;
fixture->req_type = OSSL_CMP_CR;
fixture->expected = 1;
EXECUTE_TEST(execute_exec_certrequest_ses_test, tear_down);
return result;
@ -201,7 +201,7 @@ static int test_exec_CR_ses(void)
static int test_exec_CR_ses_implicit_confirm(void)
{
SETUP_TEST_FIXTURE(CMP_SES_TEST_FIXTURE, set_up);
fixture->exec_cert_ses_cb = OSSL_CMP_exec_CR_ses;
fixture->req_type = OSSL_CMP_CR;
fixture->expected = 1;
OSSL_CMP_CTX_set_option(fixture->cmp_ctx,
OSSL_CMP_OPT_IMPLICIT_CONFIRM, 1);
@ -213,7 +213,7 @@ static int test_exec_CR_ses_implicit_confirm(void)
static int test_exec_KUR_ses(void)
{
SETUP_TEST_FIXTURE(CMP_SES_TEST_FIXTURE, set_up);
fixture->exec_cert_ses_cb = OSSL_CMP_exec_KUR_ses;
fixture->req_type = OSSL_CMP_KUR;
fixture->expected = 1;
EXECUTE_TEST(execute_exec_certrequest_ses_test, tear_down);
return result;
@ -224,7 +224,7 @@ static int test_exec_P10CR_ses(void)
X509_REQ *req = NULL;
SETUP_TEST_FIXTURE(CMP_SES_TEST_FIXTURE, set_up);
fixture->exec_cert_ses_cb = OSSL_CMP_exec_P10CR_ses;
fixture->req_type = OSSL_CMP_P10CR;
fixture->expected = 1;
if (!TEST_ptr(req = load_csr(pkcs10_f))
|| !TEST_true(OSSL_CMP_CTX_set1_p10CSR(fixture->cmp_ctx, req))) {
@ -245,13 +245,14 @@ static int execute_try_certreq_poll_test(CMP_SES_TEST_FIXTURE *fixture)
ossl_cmp_mock_srv_set_pollCount(fixture->srv_ctx, 3);
ossl_cmp_mock_srv_set_checkAfterTime(fixture->srv_ctx, CHECK_AFTER);
return TEST_int_eq(-1, OSSL_CMP_try_certreq(ctx, TYPE, &check_after))
return TEST_int_eq(-1, OSSL_CMP_try_certreq(ctx, TYPE, NULL, &check_after))
&& check_after == CHECK_AFTER
&& TEST_ptr_eq(OSSL_CMP_CTX_get0_newCert(ctx), NULL)
&& TEST_int_eq(-1, OSSL_CMP_try_certreq(ctx, TYPE, &check_after))
&& TEST_int_eq(-1, OSSL_CMP_try_certreq(ctx, TYPE, NULL, &check_after))
&& check_after == CHECK_AFTER
&& TEST_ptr_eq(OSSL_CMP_CTX_get0_newCert(ctx), NULL)
&& TEST_int_eq(fixture->expected, OSSL_CMP_try_certreq(ctx, TYPE, NULL))
&& TEST_int_eq(fixture->expected,
OSSL_CMP_try_certreq(ctx, TYPE, NULL, NULL))
&& TEST_int_eq(0,
X509_cmp(OSSL_CMP_CTX_get0_newCert(ctx), client_cert));
}
@ -273,10 +274,11 @@ static int execute_try_certreq_poll_abort_test(CMP_SES_TEST_FIXTURE *fixture)
ossl_cmp_mock_srv_set_pollCount(fixture->srv_ctx, 3);
ossl_cmp_mock_srv_set_checkAfterTime(fixture->srv_ctx, CHECK_AFTER);
return TEST_int_eq(-1, OSSL_CMP_try_certreq(ctx, TYPE, &check_after))
return TEST_int_eq(-1, OSSL_CMP_try_certreq(ctx, TYPE, NULL, &check_after))
&& check_after == CHECK_AFTER
&& TEST_ptr_eq(OSSL_CMP_CTX_get0_newCert(ctx), NULL)
&& TEST_int_eq(fixture->expected, OSSL_CMP_try_certreq(ctx, -1, NULL))
&& TEST_int_eq(fixture->expected,
OSSL_CMP_try_certreq(ctx, -1, NULL, NULL))
&& TEST_ptr_eq(OSSL_CMP_CTX_get0_newCert(fixture->cmp_ctx), NULL);
}

8
test/cmp_msg_test.c
View File

@ -84,9 +84,9 @@ static X509 *cert = NULL;
*/
static int execute_certreq_create_test(CMP_MSG_TEST_FIXTURE *fixture)
{
EXECUTE_MSG_CREATION_TEST(ossl_cmp_certReq_new(fixture->cmp_ctx,
EXECUTE_MSG_CREATION_TEST(ossl_cmp_certreq_new(fixture->cmp_ctx,
fixture->bodytype,
fixture->err_code));
NULL));
}
static int execute_errormsg_create_test(CMP_MSG_TEST_FIXTURE *fixture)
@ -218,7 +218,7 @@ static int test_cmp_create_p10cr(void)
X509_REQ *p10cr = NULL;
fixture->bodytype = OSSL_CMP_PKIBODY_P10CR;
fixture->err_code = CMP_R_ERROR_CREATING_P10CR;
fixture->err_code = CMP_R_ERROR_CREATING_CERTREQ;
fixture->expected = 1;
if (!TEST_ptr(p10cr = load_csr(pkcs10_f))
|| !TEST_true(set1_newPkey(ctx, newkey))
@ -235,7 +235,7 @@ static int test_cmp_create_p10cr_null(void)
{
SETUP_TEST_FIXTURE(CMP_MSG_TEST_FIXTURE, set_up);
fixture->bodytype = OSSL_CMP_PKIBODY_P10CR;
fixture->err_code = CMP_R_ERROR_CREATING_P10CR;
fixture->err_code = CMP_R_ERROR_CREATING_CERTREQ;
fixture->expected = 0;
if (!TEST_true(set1_newPkey(fixture->cmp_ctx, newkey))) {
tear_down(fixture);

6
util/libcrypto.num
View File

@ -4498,6 +4498,7 @@ OSSL_CRMF_ENCRYPTEDVALUE_new ? 3_0_0 EXIST::FUNCTION:CRMF
OSSL_CRMF_ENCRYPTEDVALUE_it ? 3_0_0 EXIST::FUNCTION:CRMF
d2i_OSSL_CRMF_MSG ? 3_0_0 EXIST::FUNCTION:CRMF
i2d_OSSL_CRMF_MSG ? 3_0_0 EXIST::FUNCTION:CRMF
OSSL_CRMF_MSG_dup ? 3_0_0 EXIST::FUNCTION:CRMF
OSSL_CRMF_MSG_free ? 3_0_0 EXIST::FUNCTION:CRMF
OSSL_CRMF_MSG_new ? 3_0_0 EXIST::FUNCTION:CRMF
OSSL_CRMF_MSG_it ? 3_0_0 EXIST::FUNCTION:CRMF
@ -4985,10 +4986,7 @@ OSSL_CMP_SRV_CTX_set_send_unprotected_errors ? 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_SRV_CTX_set_accept_unprotected ? 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_SRV_CTX_set_accept_raverified ? 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_SRV_CTX_set_grant_implicit_confirm ? 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_exec_IR_ses ? 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_exec_CR_ses ? 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_exec_P10CR_ses ? 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_exec_KUR_ses ? 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_exec_certreq ? 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_try_certreq ? 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_certConf_cb ? 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_exec_RR_ses ? 3_0_0 EXIST::FUNCTION:CMP

4
util/other.syms
View File

@ -368,6 +368,10 @@ OpenSSL_add_all_algorithms define deprecated 1.1.0
OpenSSL_add_all_ciphers define deprecated 1.1.0
OpenSSL_add_all_digests define deprecated 1.1.0
OpenSSL_add_ssl_algorithms define
OSSL_CMP_exec_IR_ses define
OSSL_CMP_exec_CR_ses define
OSSL_CMP_exec_P10CR_ses define
OSSL_CMP_exec_KUR_ses define
OSSL_CMP_CTX_set_log_verbosity define
OSSL_CMP_CR define
OSSL_CMP_IR define