mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2025-03-19 19:50:42 +08:00
Code Issues Packages Projects Releases Wiki Activity

Certificate Management Protocol (CMP, RFC 4210) extension to OpenSSL

Browse Source 
Also includes CRMF (RFC 4211) and HTTP transfer (RFC 6712)

    CMP and CRMF API is added to libcrypto, and the "cmp" app to the openssl CLI.
        Adds extensive man pages and tests.  Integration into build scripts.

    Incremental pull request based on OpenSSL commit 8869ad4a39f of 2019-04-02

    4th chunk: CMP context/parameters and utilities
    in crypto/cmp/cmp_ctx.c, crypto/cmp/cmp_util.c, and related files

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9107)
This commit is contained in:
Dr. David von Oheimb 2019-08-10 14:07:22 +02:00 committed by Matt Caswell
parent 0c452a51a5
commit 7960dbec68
38 changed files with 4512 additions and 287 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
crypto/cmp/build.info
View File

@ -1,2 +1,2 @@
LIBS=../../libcrypto
SOURCE[../../libcrypto]= cmp_asn.c cmp_err.c
SOURCE[../../libcrypto]= cmp_asn.c cmp_ctx.c cmp_err.c cmp_util.c

26
crypto/cmp/cmp_asn.c
View File

@ -7,8 +7,6 @@
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*
* CMP implementation by Martin Peylo, Miikka Viljanen, and David von Oheimb.
*/
#include <openssl/asn1t.h>
@ -166,8 +164,10 @@ int OSSL_CMP_ITAV_push0_stack_item(STACK_OF(OSSL_CMP_ITAV) **itav_sk_p,
{
int created = 0;
if (itav_sk_p == NULL)
if (itav_sk_p == NULL) {
CMPerr(0, CMP_R_NULL_ARGUMENT);
goto err;
}
if (*itav_sk_p == NULL) {
if ((*itav_sk_p = sk_OSSL_CMP_ITAV_new_null()) == NULL)
@ -187,6 +187,26 @@ int OSSL_CMP_ITAV_push0_stack_item(STACK_OF(OSSL_CMP_ITAV) **itav_sk_p,
return 0;
}
/* get ASN.1 encoded integer, return -1 on error */
int ossl_cmp_asn1_get_int(const ASN1_INTEGER *a)
{
int64_t res;
if (!ASN1_INTEGER_get_int64(&res, a)) {
CMPerr(0, ASN1_R_INVALID_NUMBER);
return -1;
}
if (res < INT_MIN) {
CMPerr(0, ASN1_R_TOO_SMALL);
return -1;
}
if (res > INT_MAX) {
CMPerr(0, ASN1_R_TOO_LARGE);
return -1;
}
return (int)res;
}
ASN1_CHOICE(OSSL_CMP_CERTORENCCERT) = {
/* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
ASN1_EXP(OSSL_CMP_CERTORENCCERT, value.certificate, X509, 0),

1086
crypto/cmp/cmp_ctx.c Normal file
View File

File diff suppressed because it is too large Load Diff

10
crypto/cmp/cmp_err.c
View File

@ -1,6 +1,7 @@
/*
* Generated by util/mkerr.pl DO NOT EDIT
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright Nokia 2007-2019
* Copyright Siemens AG 2015-2019
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -14,6 +15,11 @@
#ifndef OPENSSL_NO_ERR
static const ERR_STRING_DATA CMP_str_reasons[] = {
{ERR_PACK(ERR_LIB_CMP, 0, CMP_R_INVALID_ARGS), "invalid args"},
{ERR_PACK(ERR_LIB_CMP, 0, CMP_R_MULTIPLE_SAN_SOURCES),
"multiple san sources"},
{ERR_PACK(ERR_LIB_CMP, 0, CMP_R_NO_STDIO), "no stdio"},
{ERR_PACK(ERR_LIB_CMP, 0, CMP_R_NULL_ARGUMENT), "null argument"},
{0, NULL}
};

180
crypto/cmp/cmp_int.h
View File

@ -7,8 +7,6 @@
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*
* CMP implementation by Martin Peylo, Miikka Viljanen, and David von Oheimb.
*/
#ifndef OSSL_HEADER_CMP_INT_H
@ -26,6 +24,100 @@
# include <openssl/x509.h>
# include <openssl/x509v3.h>
/*
* this structure is used to store the context for CMP sessions
*/
struct ossl_cmp_ctx_st {
OSSL_cmp_log_cb_t log_cb; /* log callback for error/debug/etc. output */
OSSL_CMP_severity log_verbosity; /* level of verbosity of log output */
/* message transfer */
OSSL_cmp_transfer_cb_t transfer_cb; /* default: OSSL_CMP_MSG_http_perform */
void *transfer_cb_arg; /* allows to store optional argument to cb */
/* HTTP-based transfer */
char *serverPath;
char *serverName;
int serverPort;
char *proxyName;
int proxyPort;
int msgtimeout; /* max seconds to wait for each CMP message round trip */
int totaltimeout; /* maximum number seconds an enrollment may take, incl. */
/* attempts polling for a response if a 'waiting' PKIStatus is received */
time_t end_time; /* session start time + totaltimeout */
OSSL_cmp_http_cb_t http_cb;
void *http_cb_arg; /* allows to store optional argument to cb */
/* server authentication */
int unprotectedErrors; /* accept neg. response with no/invalid protection */
/* to cope with broken server */
X509 *srvCert; /* certificate used to identify the server */
X509 *validatedSrvCert; /* caches any already validated server cert */
X509_NAME *expected_sender; /* expected sender in pkiheader of response */
X509_STORE *trusted; /* trust store maybe w CRLs and cert verify callback */
STACK_OF(X509) *untrusted_certs; /* untrusted (intermediate) certs */
int ignore_keyusage; /* ignore key usage entry when validating certs */
int permitTAInExtraCertsForIR; /* allow use of root certs in extracerts */
/* when validating message protection; used for 3GPP-style E.7 */
/* client authentication */
int unprotectedSend; /* send unprotected PKI messages */
X509 *clCert; /* client cert used to identify and sign for MSG_SIG_ALG */
EVP_PKEY *pkey; /* the key pair corresponding to clCert */
ASN1_OCTET_STRING *referenceValue; /* optional user name for MSG_MAC_ALG */
ASN1_OCTET_STRING *secretValue; /* password/shared secret for MSG_MAC_ALG */
/* PBMParameters for MSG_MAC_ALG */
size_t pbm_slen; /* currently fixed to 16 */
int pbm_owf; /* NID of one-way function (OWF), default: SHA256 */
int pbm_itercnt; /* currently fixed to 500 */
int pbm_mac; /* NID of MAC algorithm, default: HMAC-SHA1 as per RFC 4210 */
/* CMP message header and extra certificates */
X509_NAME *recipient; /* to set in recipient in pkiheader */
int digest; /* NID of digest used in MSG_SIG_ALG and POPO, default SHA256 */
ASN1_OCTET_STRING *transactionID; /* the current transaction ID */
ASN1_OCTET_STRING *senderNonce; /* last nonce sent */
ASN1_OCTET_STRING *recipNonce; /* last nonce received */
STACK_OF(OSSL_CMP_ITAV) *geninfo_ITAVs;
int implicitConfirm; /* set implicitConfirm in IR/KUR/CR messages */
int disableConfirm; /* disable certConf in IR/KUR/CR for broken servers */
STACK_OF(X509) *extraCertsOut; /* to be included in request messages */
/* certificate template */
EVP_PKEY *newPkey; /* explicit new private/public key for cert enrollment */
int newPkey_priv; /* flag indicating if newPkey contains private key */
X509_NAME *issuer; /* issuer name to used in cert template */
int days; /* Number of days new certificates are asked to be valid for */
X509_NAME *subjectName; /* subject name to be used in the cert template */
STACK_OF(GENERAL_NAME) *subjectAltNames; /* to add to the cert template */
int SubjectAltName_nodefault;
int setSubjectAltNameCritical;
X509_EXTENSIONS *reqExtensions; /* exts to be added to cert template */
CERTIFICATEPOLICIES *policies; /* policies to be included in extensions */
int setPoliciesCritical;
int popoMethod; /* Proof-of-possession mechanism; default: signature */
X509 *oldCert; /* cert to be updated (via KUR) or to be revoked (via RR) */
X509_REQ *p10CSR; /* for P10CR: PKCS#10 CSR to be sent */
/* misc body contents */
int revocationReason; /* revocation reason code to be included in RR */
STACK_OF(OSSL_CMP_ITAV) *genm_ITAVs; /* content of general message */
/* result returned in responses */
int status; /* PKIStatus of last received IP/CP/KUP/RP/error or -1 */
/* TODO: this should be a stack since there could be more than one */
OSSL_CMP_PKIFREETEXT *statusString; /* of last IP/CP/KUP/RP/error */
int failInfoCode; /* failInfoCode of last received IP/CP/KUP/error, or -1 */
/* TODO: this should be a stack since there could be more than one */
X509 *newCert; /* newly enrolled cert received from the CA */
/* TODO: this should be a stack since there could be more than one */
STACK_OF(X509) *caPubs; /* CA certs received from server (in IP message) */
STACK_OF(X509) *extraCertsIn; /* extraCerts received from server */
/* certificate confirmation */
OSSL_cmp_certConf_cb_t certConf_cb; /* callback for app checking new cert */
void *certConf_cb_arg; /* allows to store an argument individual to cb */
} /* OSSL_CMP_CTX */;
/*
* ##########################################################################
* ASN.1 DECLARATIONS
@ -42,7 +134,7 @@
* -- extra CRL details (e.g., crl number, reason, location, etc.)
* }
*/
typedef struct OSSL_cmp_revanncontent_st {
typedef struct ossl_cmp_revanncontent_st {
ASN1_INTEGER *status;
OSSL_CRMF_CERTID *certId;
ASN1_GENERALIZEDTIME *willBeRevokedAt;
@ -75,7 +167,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_REVANNCONTENT)
* -- }
* }
*/
typedef struct OSSL_cmp_challenge_st {
typedef struct ossl_cmp_challenge_st {
X509_ALGOR *owf;
ASN1_OCTET_STRING *witness;
ASN1_OCTET_STRING *challenge;
@ -89,7 +181,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CHALLENGE)
* newWithNew Certificate
* }
*/
typedef struct OSSL_cmp_cakeyupdanncontent_st {
typedef struct ossl_cmp_cakeyupdanncontent_st {
X509 *oldWithNew;
X509 *newWithOld;
X509 *newWithNew;
@ -109,7 +201,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_MSGS)
* infoValue ANY DEFINED BY infoType OPTIONAL
* }
*/
struct OSSL_cmp_itav_st {
struct ossl_cmp_itav_st {
ASN1_OBJECT *infoType;
union {
char *ptr;
@ -148,8 +240,7 @@ struct OSSL_cmp_itav_st {
DECLARE_ASN1_FUNCTIONS(OSSL_CMP_ITAV)
DECLARE_ASN1_DUP_FUNCTION(OSSL_CMP_ITAV)
typedef struct OSSL_cmp_certorenccert_st {
typedef struct ossl_cmp_certorenccert_st {
int type;
union {
X509 *certificate;
@ -166,7 +257,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTORENCCERT)
* publicationInfo [1] PKIPublicationInfo OPTIONAL
* }
*/
typedef struct OSSL_cmp_certifiedkeypair_st {
typedef struct ossl_cmp_certifiedkeypair_st {
OSSL_CMP_CERTORENCCERT *certOrEncCert;
OSSL_CRMF_ENCRYPTEDVALUE *privateKey;
OSSL_CRMF_PKIPUBLICATIONINFO *publicationInfo;
@ -180,7 +271,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTIFIEDKEYPAIR)
* failInfo PKIFailureInfo OPTIONAL
* }
*/
struct OSSL_cmp_pkisi_st {
struct ossl_cmp_pkisi_st {
OSSL_CMP_PKISTATUS *status;
OSSL_CMP_PKIFREETEXT *statusString;
OSSL_CMP_PKIFAILUREINFO *failInfo;
@ -196,7 +287,7 @@ DECLARE_ASN1_DUP_FUNCTION(OSSL_CMP_PKISI)
* crlEntryDetails Extensions OPTIONAL
* }
*/
typedef struct OSSL_cmp_revdetails_st {
typedef struct ossl_cmp_revdetails_st {
OSSL_CRMF_CERTTEMPLATE *certDetails;
X509_EXTENSIONS *crlEntryDetails;
} OSSL_CMP_REVDETAILS;
@ -216,7 +307,7 @@ DEFINE_STACK_OF(OSSL_CMP_REVDETAILS)
* -- the resulting CRLs (there may be more than one)
* }
*/
struct OSSL_cmp_revrepcontent_st {
struct ossl_cmp_revrepcontent_st {
STACK_OF(OSSL_CMP_PKISI) *status;
STACK_OF(OSSL_CRMF_CERTID) *revCerts;
STACK_OF(X509_CRL) *crls;
@ -233,7 +324,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_REVREPCONTENT)
* CertifiedKeyPair OPTIONAL
* }
*/
typedef struct OSSL_cmp_keyrecrepcontent_st {
typedef struct ossl_cmp_keyrecrepcontent_st {
OSSL_CMP_PKISI *status;
X509 *newSigCert;
STACK_OF(X509) *caCerts;
@ -250,7 +341,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_KEYRECREPCONTENT)
* -- implementation-specific error details
* }
*/
typedef struct OSSL_cmp_errormsgcontent_st {
typedef struct ossl_cmp_errormsgcontent_st {
OSSL_CMP_PKISI *pKIStatusInfo;
ASN1_INTEGER *errorCode;
OSSL_CMP_PKIFREETEXT *errorDetails;
@ -269,7 +360,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_ERRORMSGCONTENT)
* statusInfo PKIStatusInfo OPTIONAL
* }
*/
struct OSSL_cmp_certstatus_st {
struct ossl_cmp_certstatus_st {
ASN1_OCTET_STRING *certHash;
ASN1_INTEGER *certReqId;
OSSL_CMP_PKISI *statusInfo;
@ -292,7 +383,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTCONFIRMCONTENT)
* -- for regInfo in CertReqMsg [CRMF]
* }
*/
struct OSSL_cmp_certresponse_st {
struct ossl_cmp_certresponse_st {
ASN1_INTEGER *certReqId;
OSSL_CMP_PKISI *status;
OSSL_CMP_CERTIFIEDKEYPAIR *certifiedKeyPair;
@ -307,7 +398,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTRESPONSE)
* response SEQUENCE OF CertResponse
* }
*/
struct OSSL_cmp_certrepmessage_st {
struct ossl_cmp_certrepmessage_st {
STACK_OF(X509) *caPubs;
STACK_OF(OSSL_CMP_CERTRESPONSE) *response;
} /* OSSL_CMP_CERTREPMESSAGE */;
@ -318,7 +409,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTREPMESSAGE)
* certReqId INTEGER
* }
*/
typedef struct OSSL_cmp_pollreq_st {
typedef struct ossl_cmp_pollreq_st {
ASN1_INTEGER *certReqId;
} OSSL_CMP_POLLREQ;
DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POLLREQ)
@ -333,7 +424,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POLLREQCONTENT)
* reason PKIFreeText OPTIONAL
* }
*/
struct OSSL_cmp_pollrep_st {
struct ossl_cmp_pollrep_st {
ASN1_INTEGER *certReqId;
ASN1_INTEGER *checkAfter;
OSSL_CMP_PKIFREETEXT *reason;
@ -377,7 +468,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POLLREPCONTENT)
* -- (this field not primarily intended for human consumption)
* }
*/
struct OSSL_cmp_pkiheader_st {
struct ossl_cmp_pkiheader_st {
ASN1_INTEGER *pvno;
GENERAL_NAME *sender;
GENERAL_NAME *recipient;
@ -435,7 +526,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_GENREPCONTENT)
* pollReq [25] PollReqContent, --Polling request
* pollRep [26] PollRepContent --Polling response
*/
typedef struct OSSL_cmp_pkibody_st {
typedef struct ossl_cmp_pkibody_st {
int type;
union {
OSSL_CRMF_MSGS *ir; /* 0 */
@ -521,7 +612,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_PKIBODY)
* OPTIONAL
* }
*/
struct OSSL_cmp_msg_st {
struct ossl_cmp_msg_st {
OSSL_CMP_PKIHEADER *header;
OSSL_CMP_PKIBODY *body;
ASN1_BIT_STRING *protection; /* 0 */
@ -529,6 +620,7 @@ struct OSSL_cmp_msg_st {
STACK_OF(X509) *extraCerts; /* 1 */
} /* OSSL_CMP_MSG */;
DECLARE_ASN1_FUNCTIONS(OSSL_CMP_MSG)
DECLARE_ASN1_DUP_FUNCTION(OSSL_CMP_MSG)
/*-
* ProtectedPart ::= SEQUENCE {
@ -586,4 +678,48 @@ DECLARE_ASN1_FUNCTIONS(CMP_PROTECTEDPART)
* }
*/
/*
* functions
*/
/* from cmp_asn.c */
int ossl_cmp_asn1_get_int(const ASN1_INTEGER *a);
/* from cmp_util.c */
const char *ossl_cmp_log_parse_metadata(const char *buf,
OSSL_CMP_severity *level, char **func,
char **file, int *line);
/* workaround for 4096 bytes limitation of ERR_print_errors_cb() */
void ossl_cmp_add_error_txt(const char *separator, const char *txt);
# define ossl_cmp_add_error_data(txt) ossl_cmp_add_error_txt(" : ", txt)
# define ossl_cmp_add_error_line(txt) ossl_cmp_add_error_txt("\n", txt)
/* functions manipulating lists of certificates etc could be generally useful */
int ossl_cmp_sk_X509_add1_cert (STACK_OF(X509) *sk, X509 *cert,
int no_dup, int prepend);
int ossl_cmp_sk_X509_add1_certs(STACK_OF(X509) *sk, STACK_OF(X509) *certs,
int no_self_signed, int no_dups, int prepend);
int ossl_cmp_X509_STORE_add1_certs(X509_STORE *store, STACK_OF(X509) *certs,
int only_self_signed);
STACK_OF(X509) *ossl_cmp_X509_STORE_get1_certs(X509_STORE *store);
int ossl_cmp_asn1_octet_string_set1(ASN1_OCTET_STRING **tgt,
const ASN1_OCTET_STRING *src);
int ossl_cmp_asn1_octet_string_set1_bytes(ASN1_OCTET_STRING **tgt,
const unsigned char *bytes, int len);
STACK_OF(X509) *ossl_cmp_build_cert_chain(STACK_OF(X509) *certs, X509 *cert);
/* from cmp_ctx.c */
int ossl_cmp_ctx_set0_validatedSrvCert(OSSL_CMP_CTX *ctx, X509 *cert);
int ossl_cmp_ctx_set_status(OSSL_CMP_CTX *ctx, int status);
int ossl_cmp_ctx_set0_statusString(OSSL_CMP_CTX *ctx,
OSSL_CMP_PKIFREETEXT *text);
int ossl_cmp_ctx_set_failInfoCode(OSSL_CMP_CTX *ctx, int fail_info);
int ossl_cmp_ctx_set0_newCert(OSSL_CMP_CTX *ctx, X509 *cert);
int ossl_cmp_ctx_set1_caPubs(OSSL_CMP_CTX *ctx, STACK_OF(X509) *caPubs);
int ossl_cmp_ctx_set1_extraCertsIn(OSSL_CMP_CTX *ctx,
STACK_OF(X509) *extraCertsIn);
int ossl_cmp_ctx_set1_recipNonce(OSSL_CMP_CTX *ctx,
const ASN1_OCTET_STRING *nonce);
# define OSSL_CMP_TRANSACTIONID_LENGTH 16
#endif /* !defined OSSL_HEADER_CMP_INT_H */

449
crypto/cmp/cmp_util.c Normal file
View File

@ -0,0 +1,449 @@
/*
* Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright Nokia 2007-2019
* Copyright Siemens AG 2015-2019
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#include <string.h>
#include <openssl/cmp_util.h>
#include "cmp_int.h" /* just for decls of internal functions defined here */
#include <openssl/cmperr.h>
#include <openssl/err.h> /* should be implied by cmperr.h */
#include <openssl/x509v3.h>
/*
* use trace API for CMP-specific logging, prefixed by "CMP " and severity
*/
int OSSL_CMP_log_open(void) /* is designed to be idempotent */
{
#ifndef OPENSSL_NO_STDIO
BIO *bio = BIO_new_fp(stdout, BIO_NOCLOSE);
if (bio != NULL && OSSL_trace_set_channel(OSSL_TRACE_CATEGORY_CMP, bio))
return 1;
BIO_free(bio);
#endif
CMPerr(0, CMP_R_NO_STDIO);
return 0;
}
void OSSL_CMP_log_close(void) /* is designed to be idempotent */
{
(void)OSSL_trace_set_channel(OSSL_TRACE_CATEGORY_CMP, NULL);
}
/* return >= 0 if level contains logging level, possibly preceded by "CMP " */
#define max_level_len 5 /* = max length of the below strings, e.g., "EMERG" */
static OSSL_CMP_severity parse_level(const char *level)
{
const char *end_level = strchr(level, ':');
int len;
char level_copy[max_level_len + 1];
if (end_level == NULL)
return -1;
if (strncmp(level, OSSL_CMP_LOG_PREFIX,
strlen(OSSL_CMP_LOG_PREFIX)) == 0)
level += strlen(OSSL_CMP_LOG_PREFIX);
len = end_level - level;
if (len > max_level_len)
return -1;
OPENSSL_strlcpy(level_copy, level, len + 1);
return
strcmp(level_copy, "EMERG") == 0 ? OSSL_CMP_LOG_EMERG :
strcmp(level_copy, "ALERT") == 0 ? OSSL_CMP_LOG_ALERT :
strcmp(level_copy, "CRIT") == 0 ? OSSL_CMP_LOG_CRIT :
strcmp(level_copy, "ERROR") == 0 ? OSSL_CMP_LOG_ERR :
strcmp(level_copy, "WARN") == 0 ? OSSL_CMP_LOG_WARNING :
strcmp(level_copy, "NOTE") == 0 ? OSSL_CMP_LOG_NOTICE :
strcmp(level_copy, "INFO") == 0 ? OSSL_CMP_LOG_INFO :
strcmp(level_copy, "DEBUG") == 0 ? OSSL_CMP_LOG_DEBUG :
-1;
}
const char *ossl_cmp_log_parse_metadata(const char *buf,
OSSL_CMP_severity *level, char **func, char **file, int *line)
{
const char *p_func = buf;
const char *p_file = buf == NULL ? NULL : strchr(buf, ':');
const char *p_level = buf;
const char *msg = buf;
*level = -1;
*func = NULL;
*file = NULL;
*line = 0;
if (p_file != NULL) {
const char *p_line = strchr(++p_file, ':');
if ((*level = parse_level(buf)) < 0 && p_line != NULL) {
/* check if buf contains location info and logging level */
char *p_level_tmp = (char *)p_level;
const long line_number = strtol(++p_line, &p_level_tmp, 10);
p_level = p_level_tmp;
if (p_level > p_line && *(p_level++) == ':') {
if ((*level = parse_level(p_level)) >= 0) {
*func = OPENSSL_strndup(p_func, p_file - 1 - p_func);
*file = OPENSSL_strndup(p_file, p_line - 1 - p_file);
/* no real problem if OPENSSL_strndup() returns NULL */
*line = (int)line_number;
msg = strchr(p_level, ':') + 1;
if (*msg == ' ')
msg++;
}
}
}
}
return msg;
}
/*
* auxiliary function for incrementally reporting texts via the error queue
*/
static void put_error(int lib, const char *func, int reason,
const char *file, int line)
{
ERR_new();
ERR_set_debug(file, line, func);
ERR_set_error(lib, reason, NULL /* no data here, so fmt is NULL */);
}
#define ERR_print_errors_cb_LIMIT 4096 /* size of char buf[] variable there */
#define TYPICAL_MAX_OUTPUT_BEFORE_DATA 100
#define MAX_DATA_LEN (ERR_print_errors_cb_LIMIT-TYPICAL_MAX_OUTPUT_BEFORE_DATA)
void ossl_cmp_add_error_txt(const char *separator, const char *txt)
{
const char *file = NULL;
int line;
const char *func = NULL;
const char *data = NULL;
int flags;
unsigned long err = ERR_peek_last_error();
if (separator == NULL)
separator = "";
if (err == 0)
put_error(ERR_LIB_CMP, NULL, 0, "", 0);
do {
size_t available_len, data_len;
const char *curr = txt, *next = txt;
char *tmp;
ERR_peek_last_error_all(&file, &line, &func, &data, &flags);
if ((flags & ERR_TXT_STRING) == 0) {
data = "";
separator = "";
}
data_len = strlen(data);
/* workaround for limit of ERR_print_errors_cb() */
if (data_len >= MAX_DATA_LEN
|| strlen(separator) >= (size_t)(MAX_DATA_LEN - data_len))
available_len = 0;
else
available_len = MAX_DATA_LEN - data_len - strlen(separator) - 1;
/* MAX_DATA_LEN > available_len >= 0 */
if (separator[0] == '\0') {
const size_t len_next = strlen(next);
if (len_next <= available_len) {
next += len_next;
curr = NULL; /* no need to split */
}
else {
next += available_len;
curr = next; /* will split at this point */
}
} else {
while (*next != '\0' && (size_t)(next - txt) <= available_len) {
curr = next;
next = strstr(curr, separator);
if (next != NULL)
next += strlen(separator);
else
next = curr + strlen(curr);
}
if ((size_t)(next - txt) <= available_len)
curr = NULL; /* the above loop implies *next == '\0' */
}
if (curr != NULL) {
/* split error msg at curr since error data would get too long */
if (curr != txt) {
tmp = OPENSSL_strndup(txt, curr - txt);
if (tmp == NULL)
return;
ERR_add_error_data(2, separator, tmp);
OPENSSL_free(tmp);
}
put_error(ERR_LIB_CMP, func, err, file, line);
txt = curr;
} else {
ERR_add_error_data(2, separator, txt);
txt = next; /* finished */
}
} while (*txt != '\0');
}
/* this is similar to ERR_print_errors_cb, but uses the CMP-specific cb type */
void OSSL_CMP_print_errors_cb(OSSL_cmp_log_cb_t log_fn)
{
unsigned long err;
char msg[ERR_print_errors_cb_LIMIT];
const char *file = NULL, *func = NULL, *data = NULL;
int line, flags;
if (log_fn == NULL) {
#ifndef OPENSSL_NO_STDIO
ERR_print_errors_fp(stderr);
#else
/* CMPerr(0, CMP_R_NO_STDIO) makes no sense during error printing */
#endif
return;
}
while ((err = ERR_get_error_all(&file, &line, &func, &data, &flags)) != 0) {
char component[128];
const char *func_ = func != NULL && *func != '\0' ? func : "<unknown>";
if (!(flags & ERR_TXT_STRING))
data = NULL;
#ifdef OSSL_CMP_PRINT_LIBINFO
BIO_snprintf(component, sizeof(component), "OpenSSL:%s:%s",
ERR_lib_error_string(err), func_);
#else
BIO_snprintf(component, sizeof(component), "%s",func_);
#endif
BIO_snprintf(msg, sizeof(msg), "%s%s%s", ERR_reason_error_string(err),
data == NULL ? "" : " : ", data == NULL ? "" : data);
if (log_fn(component, file, line, OSSL_CMP_LOG_ERR, msg) <= 0)
break; /* abort outputting the error report */
}
}
/*
* functions manipulating lists of certificates etc.
* these functions could be generally useful.
*/
int ossl_cmp_sk_X509_add1_cert(STACK_OF(X509) *sk, X509 *cert,
int no_dup, int prepend)
{
if (sk == NULL) {
CMPerr(0, CMP_R_NULL_ARGUMENT);
return 0;
}
if (no_dup) {
/*
* not using sk_X509_set_cmp_func() and sk_X509_find()
* because this re-orders the certs on the stack
*/
int i;
for (i = 0; i < sk_X509_num(sk); i++) {
if (X509_cmp(sk_X509_value(sk, i), cert) == 0)
return 1;
}
}
if (!X509_up_ref(cert))
return 0;
if (!sk_X509_insert(sk, cert, prepend ? 0 : -1)) {
X509_free(cert);
return 0;
}
return 1;
}
int ossl_cmp_sk_X509_add1_certs(STACK_OF(X509) *sk, STACK_OF(X509) *certs,
int no_self_signed, int no_dups, int prepend)
/* compiler would allow 'const' for the list of certs, yet they are up-ref'ed */
{
int i;
if (sk == NULL) {
CMPerr(0, CMP_R_NULL_ARGUMENT);
return 0;
}
for (i = 0; i < sk_X509_num(certs); i++) { /* certs may be NULL */
X509 *cert = sk_X509_value(certs, i);
if (!no_self_signed || X509_check_issued(cert, cert) != X509_V_OK) {
if (!ossl_cmp_sk_X509_add1_cert(sk, cert, no_dups, prepend))
return 0;
}
}
return 1;
}
int ossl_cmp_X509_STORE_add1_certs(X509_STORE *store, STACK_OF(X509) *certs,
int only_self_signed)
{
int i;
if (store == NULL) {
CMPerr(0, CMP_R_NULL_ARGUMENT);
return 0;
}
if (certs == NULL)
return 1;
for (i = 0; i < sk_X509_num(certs); i++) {
X509 *cert = sk_X509_value(certs, i);
if (!only_self_signed || X509_check_issued(cert, cert) == X509_V_OK)
if (!X509_STORE_add_cert(store, cert)) /* ups cert ref counter */
return 0;
}
return 1;
}
STACK_OF(X509) *ossl_cmp_X509_STORE_get1_certs(X509_STORE *store)
{
int i;
STACK_OF(X509) *sk;
STACK_OF(X509_OBJECT) *objs;
if (store == NULL) {
CMPerr(0, CMP_R_NULL_ARGUMENT);
return 0;
}
if ((sk = sk_X509_new_null()) == NULL)
return NULL;
objs = X509_STORE_get0_objects(store);
for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
X509 *cert = X509_OBJECT_get0_X509(sk_X509_OBJECT_value(objs, i));
if (cert != NULL) {
if (!sk_X509_push(sk, cert))
goto err;
if (!X509_up_ref(cert)) {
(void)sk_X509_pop(sk);
goto err;
}
}
}
return sk;
err:
sk_X509_pop_free(sk, X509_free);
return NULL;
}
/*-
* Builds up the certificate chain of certs as high up as possible using
* the given list of certs containing all possible intermediate certificates and
* optionally the (possible) trust anchor(s). See also ssl_add_cert_chain().
*
* Intended use of this function is to find all the certificates above the trust
* anchor needed to verify an EE's own certificate. Those are supposed to be
* included in the ExtraCerts field of every first sent message of a transaction
* when MSG_SIG_ALG is utilized.
*
* NOTE: This allocates a stack and increments the reference count of each cert,
* so when not needed any more the stack and all its elements should be freed.
* NOTE: in case there is more than one possibility for the chain,
* OpenSSL seems to take the first one, check X509_verify_cert() for details.
*
* returns a pointer to a stack of (up_ref'ed) X509 certificates containing:
* - the EE certificate given in the function arguments (cert)
* - all intermediate certificates up the chain toward the trust anchor
* whereas the (self-signed) trust anchor is not included
* returns NULL on error
*/
STACK_OF(X509) *ossl_cmp_build_cert_chain(STACK_OF(X509) *certs, X509 *cert)
{
STACK_OF(X509) *chain = NULL, *result = NULL;
X509_STORE *store = X509_STORE_new();
X509_STORE_CTX *csc = NULL;
if (certs == NULL || cert == NULL || store == NULL) {
CMPerr(0, CMP_R_NULL_ARGUMENT);
goto err;
}
csc = X509_STORE_CTX_new();
if (csc == NULL)
goto err;
if (!ossl_cmp_X509_STORE_add1_certs(store, certs, 0)
|| !X509_STORE_CTX_init(csc, store, cert, NULL))
goto err;
(void)ERR_set_mark();
/*
* ignore return value as it would fail without trust anchor given in store
*/
(void)X509_verify_cert(csc);
/* don't leave any new errors in the queue */
(void)ERR_pop_to_mark();
chain = X509_STORE_CTX_get0_chain(csc);
/* result list to store the up_ref'ed not self-signed certificates */
if ((result = sk_X509_new_null()) == NULL)
goto err;
if (!ossl_cmp_sk_X509_add1_certs(result, chain, 1 /* no self-signed */,
1 /* no duplicates */, 0)) {
sk_X509_free(result);
result = NULL;
}
err:
X509_STORE_free(store);
X509_STORE_CTX_free(csc);
return result;
}
int ossl_cmp_asn1_octet_string_set1(ASN1_OCTET_STRING **tgt,
const ASN1_OCTET_STRING *src)
{
if (tgt == NULL) {
CMPerr(0, CMP_R_NULL_ARGUMENT);
return 0;
}
if (*tgt == src) /* self-assignment */
return 1;
ASN1_OCTET_STRING_free(*tgt);
if (src != NULL) {
if ((*tgt = ASN1_OCTET_STRING_dup(src)) == NULL)
return 0;
} else {
*tgt = NULL;
}
return 1;
}
int ossl_cmp_asn1_octet_string_set1_bytes(ASN1_OCTET_STRING **tgt,
const unsigned char *bytes, int len)
{
ASN1_OCTET_STRING *new = NULL;
if (tgt == NULL) {
CMPerr(0, CMP_R_NULL_ARGUMENT);
return 0;
}
if (bytes != NULL) {
if ((new = ASN1_OCTET_STRING_new()) == NULL
|| !(ASN1_OCTET_STRING_set(new, bytes, len))) {
ASN1_OCTET_STRING_free(new);
return 0;
}
}
ASN1_OCTET_STRING_free(*tgt);
*tgt = new;
return 1;
}

38
crypto/crmf/crmf_int.h
View File

@ -42,7 +42,7 @@
* -- the encrypted value itself
* }
*/
struct OSSL_crmf_encryptedvalue_st {
struct ossl_crmf_encryptedvalue_st {
X509_ALGOR *intendedAlg; /* 0 */
X509_ALGOR *symmAlg; /* 1 */
ASN1_BIT_STRING *encSymmKey; /* 2 */
@ -62,7 +62,7 @@ struct OSSL_crmf_encryptedvalue_st {
* attributes [0] IMPLICIT Attributes OPTIONAL
* }
*/
typedef struct OSSL_crmf_privatekeyinfo_st {
typedef struct ossl_crmf_privatekeyinfo_st {
ASN1_INTEGER *version;
X509_ALGOR *privateKeyAlgorithm;
ASN1_OCTET_STRING *privateKey;
@ -82,7 +82,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_PRIVATEKEYINFO)
* } OPTIONAL
* }
*/
typedef struct OSSL_crmf_enckeywithid_identifier_st {
typedef struct ossl_crmf_enckeywithid_identifier_st {
int type;
union {
ASN1_UTF8STRING *string;
@ -91,7 +91,7 @@ typedef struct OSSL_crmf_enckeywithid_identifier_st {
} OSSL_CRMF_ENCKEYWITHID_IDENTIFIER;
DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_ENCKEYWITHID_IDENTIFIER)
typedef struct OSSL_crmf_enckeywithid_st {
typedef struct ossl_crmf_enckeywithid_st {
OSSL_CRMF_PRIVATEKEYINFO *privateKey;
/* [0] */
OSSL_CRMF_ENCKEYWITHID_IDENTIFIER *identifier;
@ -104,7 +104,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_ENCKEYWITHID)
* serialNumber INTEGER
* }
*/
struct OSSL_crmf_certid_st {
struct ossl_crmf_certid_st {
GENERAL_NAME *issuer;
ASN1_INTEGER *serialNumber;
} /* OSSL_CRMF_CERTID */;
@ -120,7 +120,7 @@ DECLARE_ASN1_DUP_FUNCTION(OSSL_CRMF_CERTID)
* pubLocation GeneralName OPTIONAL
* }
*/
struct OSSL_crmf_singlepubinfo_st {
struct ossl_crmf_singlepubinfo_st {
ASN1_INTEGER *pubMethod;
GENERAL_NAME *pubLocation;
} /* OSSL_CRMF_SINGLEPUBINFO */;
@ -139,7 +139,7 @@ typedef STACK_OF(OSSL_CRMF_SINGLEPUBINFO) OSSL_CRMF_PUBINFOS;
* -- "dontCare" is assumed)
* }
*/
struct OSSL_crmf_pkipublicationinfo_st {
struct ossl_crmf_pkipublicationinfo_st {
ASN1_INTEGER *action;
OSSL_CRMF_PUBINFOS *pubInfos;
} /* OSSL_CRMF_PKIPUBLICATIONINFO */;
@ -153,7 +153,7 @@ DECLARE_ASN1_DUP_FUNCTION(OSSL_CRMF_PKIPUBLICATIONINFO)
* value BIT STRING
* }
*/
typedef struct OSSL_crmf_pkmacvalue_st {
typedef struct ossl_crmf_pkmacvalue_st {
X509_ALGOR *algId;
ASN1_BIT_STRING *value;
} OSSL_CRMF_PKMACVALUE;
@ -182,7 +182,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_PKMACVALUE)
* }
*/
typedef struct OSSL_crmf_popoprivkey_st {
typedef struct ossl_crmf_popoprivkey_st {
int type;
union {
ASN1_BIT_STRING *thisMessage; /* 0 */ /* Deprecated */
@ -211,7 +211,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPOPRIVKEY)
* -- or HMAC [HMAC, RFC2202])
* }
*/
struct OSSL_crmf_pbmparameter_st {
struct ossl_crmf_pbmparameter_st {
ASN1_OCTET_STRING *salt;
X509_ALGOR *owf;
ASN1_INTEGER *iterationCount;
@ -233,7 +233,7 @@ struct OSSL_crmf_pbmparameter_st {
* publicKey SubjectPublicKeyInfo -- from CertTemplate
* }
*/
typedef struct OSSL_crmf_poposigningkeyinput_authinfo_st {
typedef struct ossl_crmf_poposigningkeyinput_authinfo_st {
int type;
union {
/* 0 */ GENERAL_NAME *sender;
@ -242,7 +242,7 @@ typedef struct OSSL_crmf_poposigningkeyinput_authinfo_st {
} OSSL_CRMF_POPOSIGNINGKEYINPUT_AUTHINFO;
DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPOSIGNINGKEYINPUT_AUTHINFO)
typedef struct OSSL_crmf_poposigningkeyinput_st {
typedef struct ossl_crmf_poposigningkeyinput_st {
OSSL_CRMF_POPOSIGNINGKEYINPUT_AUTHINFO *authInfo;
X509_PUBKEY *publicKey;
} OSSL_CRMF_POPOSIGNINGKEYINPUT;
@ -255,7 +255,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPOSIGNINGKEYINPUT)
* signature BIT STRING
* }
*/
struct OSSL_crmf_poposigningkey_st {
struct ossl_crmf_poposigningkey_st {
OSSL_CRMF_POPOSIGNINGKEYINPUT *poposkInput;
X509_ALGOR *algorithmIdentifier;
ASN1_BIT_STRING *signature;
@ -272,7 +272,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPOSIGNINGKEY)
* keyAgreement [3] POPOPrivKey
* }
*/
typedef struct OSSL_crmf_popo_st {
typedef struct ossl_crmf_popo_st {
int type;
union {
ASN1_NULL *raVerified; /* 0 */
@ -289,7 +289,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPO)
* notAfter [1] Time OPTIONAL -- at least one MUST be present
* }
*/
struct OSSL_crmf_optionalvalidity_st {
struct ossl_crmf_optionalvalidity_st {
/* 0 */ ASN1_TIME *notBefore;
/* 1 */ ASN1_TIME *notAfter;
} /* OSSL_CRMF_OPTIONALVALIDITY */;
@ -309,7 +309,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_OPTIONALVALIDITY)
* extensions [9] Extensions OPTIONAL
* }
*/
struct OSSL_crmf_certtemplate_st {
struct ossl_crmf_certtemplate_st {
ASN1_INTEGER *version; /* 0 */
ASN1_INTEGER *serialNumber; /* 1 */ /* serialNumber MUST be omitted */
/* This field is assigned by the CA during certificate creation */
@ -333,7 +333,7 @@ struct OSSL_crmf_certtemplate_st {
* controls Controls OPTIONAL -- Attributes affecting issuance
* }
*/
struct OSSL_crmf_certrequest_st {
struct ossl_crmf_certrequest_st {
ASN1_INTEGER *certReqId;
OSSL_CRMF_CERTTEMPLATE *certTemplate;
/* TODO: make OSSL_CRMF_CONTROLS out of that - but only cosmetical */
@ -343,7 +343,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_CERTREQUEST)
DECLARE_ASN1_DUP_FUNCTION(OSSL_CRMF_CERTREQUEST)
/* TODO: isn't there a better way to have this for ANY type? */
struct OSSL_crmf_attributetypeandvalue_st {
struct ossl_crmf_attributetypeandvalue_st {
ASN1_OBJECT *type;
union {
/* NID_id_regCtrl_regToken */
@ -383,7 +383,7 @@ DECLARE_ASN1_DUP_FUNCTION(OSSL_CRMF_ATTRIBUTETYPEANDVALUE)
* regInfo SEQUENCE SIZE(1..MAX) OF AttributeTypeAndValue OPTIONAL
* }
*/
struct OSSL_crmf_msg_st {
struct ossl_crmf_msg_st {
OSSL_CRMF_CERTREQUEST *certReq;
/* 0 */
OSSL_CRMF_POPO *popo;

113
crypto/crmf/crmf_lib.c
View File

@ -82,16 +82,14 @@ static int OSSL_CRMF_MSG_push0_regCtrl(OSSL_CRMF_MSG *crm,
if (crm->certReq->controls == NULL) {
crm->certReq->controls = sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_new_null();
if (crm->certReq->controls == NULL)
goto oom;
goto err;
new = 1;
}
if (!sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_push(crm->certReq->controls, ctrl))
goto oom;
goto err;
return 1;
oom:
CRMFerr(CRMF_F_OSSL_CRMF_MSG_PUSH0_REGCTRL, ERR_R_MALLOC_FAILURE);
err:
if (new != 0) {
sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_free(crm->certReq->controls);
crm->certReq->controls = NULL;
@ -136,16 +134,9 @@ int OSSL_CRMF_MSG_PKIPublicationInfo_push0_SinglePubInfo(
if (pi->pubInfos == NULL)
pi->pubInfos = sk_OSSL_CRMF_SINGLEPUBINFO_new_null();
if (pi->pubInfos == NULL)
goto oom;
return 0;
if (!sk_OSSL_CRMF_SINGLEPUBINFO_push(pi->pubInfos, spi))
goto oom;
return 1;
oom:
CRMFerr(CRMF_F_OSSL_CRMF_MSG_PKIPUBLICATIONINFO_PUSH0_SINGLEPUBINFO,
ERR_R_MALLOC_FAILURE);
return 0;
return sk_OSSL_CRMF_SINGLEPUBINFO_push(pi->pubInfos, spi);
}
int OSSL_CRMF_MSG_set_PKIPublicationInfo_action(
@ -180,20 +171,19 @@ OSSL_CRMF_CERTID *OSSL_CRMF_CERTID_gen(const X509_NAME *issuer,
}
if ((cid = OSSL_CRMF_CERTID_new()) == NULL)
goto oom;
goto err;
if (!X509_NAME_set(&cid->issuer->d.directoryName, issuer))
goto oom;
goto err;
cid->issuer->type = GEN_DIRNAME;
ASN1_INTEGER_free(cid->serialNumber);
if ((cid->serialNumber = ASN1_INTEGER_dup(serial)) == NULL)
goto oom;
goto err;
return cid;
oom:
CRMFerr(CRMF_F_OSSL_CRMF_CERTID_GEN, ERR_R_MALLOC_FAILURE);
err:
OSSL_CRMF_CERTID_free(cid);
return NULL;
}
@ -222,13 +212,12 @@ static int OSSL_CRMF_MSG_push0_regInfo(OSSL_CRMF_MSG *crm,
if (crm->regInfo == NULL)
crm->regInfo = info = sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_new_null();
if (crm->regInfo == NULL)
goto oom;
goto err;
if (!sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_push(crm->regInfo, ri))
goto oom;
goto err;
return 1;
oom:
CRMFerr(CRMF_F_OSSL_CRMF_MSG_PUSH0_REGINFO, ERR_R_MALLOC_FAILURE);
err:
if (info != NULL)
crm->regInfo = NULL;
sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_free(info);
@ -266,11 +255,11 @@ int OSSL_CRMF_MSG_set_validity(OSSL_CRMF_MSG *crm, time_t from, time_t to)
}
if (from != 0 && ((from_asn = ASN1_TIME_set(NULL, from)) == NULL))
goto oom;
goto err;
if (to != 0 && ((to_asn = ASN1_TIME_set(NULL, to)) == NULL))
goto oom;
goto err;
if ((vld = OSSL_CRMF_OPTIONALVALIDITY_new()) == NULL)
goto oom;
goto err;
vld->notBefore = from_asn;
vld->notAfter = to_asn;
@ -278,8 +267,7 @@ int OSSL_CRMF_MSG_set_validity(OSSL_CRMF_MSG *crm, time_t from, time_t to)
tmpl->validity = vld;
return 1;
oom:
CRMFerr(CRMF_F_OSSL_CRMF_MSG_SET_VALIDITY, ERR_R_MALLOC_FAILURE);
err:
ASN1_TIME_free(from_asn);
ASN1_TIME_free(to_asn);
return 0;
@ -348,7 +336,7 @@ int OSSL_CRMF_MSG_set0_extensions(OSSL_CRMF_MSG *crm,
int OSSL_CRMF_MSG_push0_extension(OSSL_CRMF_MSG *crm,
const X509_EXTENSION *ext)
X509_EXTENSION *ext)
{
int new = 0;
OSSL_CRMF_CERTTEMPLATE *tmpl = OSSL_CRMF_MSG_get0_tmpl(crm);
@ -360,16 +348,14 @@ int OSSL_CRMF_MSG_push0_extension(OSSL_CRMF_MSG *crm,
if (tmpl->extensions == NULL) {
if ((tmpl->extensions = sk_X509_EXTENSION_new_null()) == NULL)
goto oom;
goto err;
new = 1;
}
if (!sk_X509_EXTENSION_push(tmpl->extensions, (X509_EXTENSION *)ext))
goto oom;
if (!sk_X509_EXTENSION_push(tmpl->extensions, ext))
goto err;
return 1;
oom:
CRMFerr(CRMF_F_OSSL_CRMF_MSG_PUSH0_EXTENSION, ERR_R_MALLOC_FAILURE);
err:
if (new != 0) {
sk_X509_EXTENSION_free(tmpl->extensions);
tmpl->extensions = NULL;
@ -428,10 +414,8 @@ static int CRMF_poposigningkey_init(OSSL_CRMF_POPOSIGNINGKEY *ps,
CRMFerr(CRMF_F_CRMF_POPOSIGNINGKEY_INIT, CRMF_R_ERROR);
goto err;
}
if ((sig = OPENSSL_malloc(siglen)) == NULL) {
CRMFerr(CRMF_F_CRMF_POPOSIGNINGKEY_INIT, ERR_R_MALLOC_FAILURE);
if ((sig = OPENSSL_malloc(siglen)) == NULL)
goto err;
}
if (EVP_DigestSignFinal(ctx, sig, &siglen) <= 0
|| !ASN1_BIT_STRING_set(ps->signature, sig, siglen)) {
CRMFerr(CRMF_F_CRMF_POPOSIGNINGKEY_INIT, CRMF_R_ERROR);
@ -461,13 +445,13 @@ int OSSL_CRMF_MSG_create_popo(OSSL_CRMF_MSG *crm, EVP_PKEY *pkey,
if (ppmtd == OSSL_CRMF_POPO_NONE)
goto end;
if ((pp = OSSL_CRMF_POPO_new()) == NULL)
goto oom;
goto err;
pp->type = ppmtd;
switch (ppmtd) {
case OSSL_CRMF_POPO_RAVERIFIED:
if ((pp->value.raVerified = ASN1_NULL_new()) == NULL)
goto oom;
goto err;
break;
case OSSL_CRMF_POPO_SIGNATURE:
@ -484,14 +468,14 @@ int OSSL_CRMF_MSG_create_popo(OSSL_CRMF_MSG *crm, EVP_PKEY *pkey,
case OSSL_CRMF_POPO_KEYENC:
if ((pp->value.keyEncipherment = OSSL_CRMF_POPOPRIVKEY_new()) == NULL)
goto oom;
goto err;
tag = ASN1_INTEGER_new();
pp->value.keyEncipherment->type =
OSSL_CRMF_POPOPRIVKEY_SUBSEQUENTMESSAGE;
pp->value.keyEncipherment->value.subsequentMessage = tag;
if (tag == NULL
|| !ASN1_INTEGER_set(tag, OSSL_CRMF_SUBSEQUENTMESSAGE_ENCRCERT))
goto oom;
goto err;
break;
default:
@ -505,8 +489,6 @@ int OSSL_CRMF_MSG_create_popo(OSSL_CRMF_MSG *crm, EVP_PKEY *pkey,
crm->popo = pp;
return 1;
oom:
CRMFerr(CRMF_F_OSSL_CRMF_MSG_CREATE_POPO, ERR_R_MALLOC_FAILURE);
err:
OSSL_CRMF_POPO_free(pp);
return 0;
@ -609,7 +591,20 @@ X509_NAME *OSSL_CRMF_CERTTEMPLATE_get0_issuer(OSSL_CRMF_CERTTEMPLATE *tmpl)
return tmpl != NULL ? tmpl->issuer : NULL;
}
/*
/* retrieves the issuer name of the given CertId or NULL on error */
X509_NAME *OSSL_CRMF_CERTID_get0_issuer(const OSSL_CRMF_CERTID *cid)
{
return cid != NULL && cid->issuer->type == GEN_DIRNAME ?
cid->issuer->d.directoryName : NULL;
}
/* retrieves the serialNumber of the given CertId or NULL on error */
ASN1_INTEGER *OSSL_CRMF_CERTID_get0_serialNumber(const OSSL_CRMF_CERTID *cid)
{
return cid != NULL ? cid->serialNumber : NULL;
}
/*-
* fill in certificate template.
* Any value argument that is NULL will leave the respective field unchanged.
*/
@ -624,27 +619,23 @@ int OSSL_CRMF_CERTTEMPLATE_fill(OSSL_CRMF_CERTTEMPLATE *tmpl,
return 0;
}
if (subject != NULL && !X509_NAME_set(&tmpl->subject, subject))
goto oom;
return 0;
if (issuer != NULL && !X509_NAME_set(&tmpl->issuer, issuer))
goto oom;
return 0;
if (serial != NULL) {
ASN1_INTEGER_free(tmpl->serialNumber);
if ((tmpl->serialNumber = ASN1_INTEGER_dup(serial)) == NULL)
goto oom;
return 0;
}
if (pubkey != NULL && !X509_PUBKEY_set(&tmpl->publicKey, pubkey))
goto oom;
return 0;
return 1;
oom:
CRMFerr(CRMF_F_OSSL_CRMF_CERTTEMPLATE_FILL, ERR_R_MALLOC_FAILURE);
return 0;
}
/*-
* Decrypts the certificate in the given encryptedValue
* this is needed for the indirect PoP method as in RFC 4210 section 5.2.8.2
* Decrypts the certificate in the given encryptedValue using private key pkey.
* This is needed for the indirect PoP method as in RFC 4210 section 5.2.8.2.
*
* returns a pointer to the decrypted certificate
* returns NULL on error or if no certificate available
@ -693,7 +684,7 @@ X509 *OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(OSSL_CRMF_ENCRYPTEDVALUE *ecert,
if (EVP_PKEY_decrypt(pkctx, NULL, &eksize,
encKey->data, encKey->length) <= 0
|| (ek = OPENSSL_malloc(eksize)) == NULL)
goto oom;
goto end;
retval = EVP_PKEY_decrypt(pkctx, ek, &eksize,
encKey->data, encKey->length);
ERR_clear_error(); /* error state may have sensitive information */
@ -706,10 +697,10 @@ X509 *OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(OSSL_CRMF_ENCRYPTEDVALUE *ecert,
goto end;
}
} else {
goto oom;
goto end;
}
if ((iv = OPENSSL_malloc(EVP_CIPHER_iv_length(cipher))) == NULL)
goto oom;
goto end;
if (ASN1_TYPE_get_octetstring(ecert->symmAlg->parameter, iv,
EVP_CIPHER_iv_length(cipher))
!= EVP_CIPHER_iv_length(cipher)) {
@ -725,7 +716,7 @@ X509 *OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(OSSL_CRMF_ENCRYPTEDVALUE *ecert,
if ((p = outbuf = OPENSSL_malloc(ecert->encValue->length +
EVP_CIPHER_block_size(cipher))) == NULL
|| (evp_ctx = EVP_CIPHER_CTX_new()) == NULL)
goto oom;
goto end;
EVP_CIPHER_CTX_set_padding(evp_ctx, 0);
if (!EVP_DecryptInit(evp_ctx, cipher, ek, iv)
@ -744,10 +735,6 @@ X509 *OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(OSSL_CRMF_ENCRYPTEDVALUE *ecert,
CRMFerr(CRMF_F_OSSL_CRMF_ENCRYPTEDVALUE_GET1_ENCCERT,
CRMF_R_ERROR_DECODING_CERTIFICATE);
}
goto end;
oom:
CRMFerr(CRMF_F_OSSL_CRMF_ENCRYPTEDVALUE_GET1_ENCCERT, ERR_R_MALLOC_FAILURE);
end:
EVP_PKEY_CTX_free(pkctx);
OPENSSL_free(outbuf);

16
crypto/crmf/crmf_pbm.c
View File

@ -41,20 +41,16 @@ OSSL_CRMF_PBMPARAMETER *OSSL_CRMF_pbmp_new(size_t slen, int owfnid,
OSSL_CRMF_PBMPARAMETER *pbm = NULL;
unsigned char *salt = NULL;
if ((pbm = OSSL_CRMF_PBMPARAMETER_new()) == NULL) {
CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW, ERR_R_MALLOC_FAILURE);
if ((pbm = OSSL_CRMF_PBMPARAMETER_new()) == NULL)
goto err;
}
/*
* salt contains a randomly generated value used in computing the key
* of the MAC process. The salt SHOULD be at least 8 octets (64
* bits) long.
*/
if ((salt = OPENSSL_malloc(slen)) == NULL) {
CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW, ERR_R_MALLOC_FAILURE);
if ((salt = OPENSSL_malloc(slen)) == NULL)
goto err;
}
if (RAND_bytes(salt, (int)slen) <= 0) {
CRMFerr(CRMF_F_OSSL_CRMF_PBMP_NEW, CRMF_R_FAILURE_OBTAINING_RANDOM);
goto err;
@ -145,10 +141,8 @@ int OSSL_CRMF_pbm_new(const OSSL_CRMF_PBMPARAMETER *pbmp,
CRMFerr(CRMF_F_OSSL_CRMF_PBM_NEW, CRMF_R_NULL_ARGUMENT);
goto err;
}
if ((mac_res = OPENSSL_malloc(EVP_MAX_MD_SIZE)) == NULL) {
CRMFerr(CRMF_F_OSSL_CRMF_PBM_NEW, ERR_R_MALLOC_FAILURE);
if ((mac_res = OPENSSL_malloc(EVP_MAX_MD_SIZE)) == NULL)
goto err;
}
/*
* owf identifies the hash algorithm and associated parameters used to
@ -160,10 +154,8 @@ int OSSL_CRMF_pbm_new(const OSSL_CRMF_PBMPARAMETER *pbmp,
goto err;
}
if ((ctx = EVP_MD_CTX_new()) == NULL) {
CRMFerr(CRMF_F_OSSL_CRMF_PBM_NEW, ERR_R_MALLOC_FAILURE);
if ((ctx = EVP_MD_CTX_new()) == NULL)
goto err;
}
/* compute the basekey of the salted secret */
if (!EVP_DigestInit_ex(ctx, m, NULL))

4
crypto/err/openssl.txt
View File

@ -2063,6 +2063,10 @@ BN_R_PRIVATE_KEY_TOO_LARGE:117:private key too large
BN_R_P_IS_NOT_PRIME:112:p is not prime
BN_R_TOO_MANY_ITERATIONS:113:too many iterations
BN_R_TOO_MANY_TEMPORARY_VARIABLES:109:too many temporary variables
CMP_R_INVALID_ARGS:100:invalid args
CMP_R_MULTIPLE_SAN_SOURCES:102:multiple san sources
CMP_R_NO_STDIO:194:no stdio
CMP_R_NULL_ARGUMENT:103:null argument
CMS_R_ADD_SIGNER_ERROR:99:add signer error
CMS_R_ATTRIBUTE_ERROR:161:attribute error
CMS_R_CERTIFICATE_ALREADY_PRESENT:175:certificate already present

6
crypto/init.c
View File

@ -27,6 +27,7 @@
#include "internal/dso_conf.h"
#include "internal/dso.h"
#include "internal/store.h"
#include <openssl/cmp_util.h> /* for OSSL_CMP_log_close() */
#include <openssl/trace.h>
static int stopped = 0;
@ -431,6 +432,11 @@ void OPENSSL_cleanup(void)
OSSL_TRACE(INIT, "OPENSSL_cleanup: CRYPTO_secure_malloc_done()\n");
CRYPTO_secure_malloc_done();
#ifndef OPENSSL_NO_CMP
OSSL_TRACE(INIT, "OPENSSL_cleanup: OSSL_CMP_log_close()\n");
OSSL_CMP_log_close();
#endif
OSSL_TRACE(INIT, "OPENSSL_cleanup: ossl_trace_cleanup()\n");
ossl_trace_cleanup();

101
doc/internal/man3/ossl_cmp_asn1_octet_string_set1.pod Normal file
View File

@ -0,0 +1,101 @@
=pod
=head1 NAME
ossl_cmp_log_parse_metadata,
ossl_cmp_add_error_txt,
ossl_cmp_add_error_data,
ossl_cmp_add_error_line,
ossl_cmp_asn1_octet_string_set1,
ossl_cmp_asn1_octet_string_set1_bytes,
ossl_cmp_build_cert_chain
- misc internal utility functions
=head1 SYNOPSIS
#include "cmp_int.h"
const char *ossl_cmp_log_parse_metadata(const char *buf,
OSSL_CMP_severity *level, char **func,
char **file, int *line);
void ossl_cmp_add_error_txt(const char *separator, const char *txt);
#define ossl_cmp_add_error_data(txt)
#define ossl_cmp_add_error_line(txt)
int ossl_cmp_asn1_octet_string_set1(ASN1_OCTET_STRING **tgt,
const ASN1_OCTET_STRING *src);
int ossl_cmp_asn1_octet_string_set1_bytes(ASN1_OCTET_STRING **tgt,
const unsigned char *bytes, int len);
STACK_OF(X509) *ossl_cmp_build_cert_chain(STACK_OF(X509) *certs, X509 *cert);
=head1 DESCRIPTION
ossl_cmp_log_parse_metadata() parses the given message buffer C<buf> populated
by L<OSSL_CMP_log()> etc.
according to the pattern OSSL_CMP_LOG_START#level ": %s\n", filling in
the variable pointed to by C<level> with the severity level or -1,
the variable pointed to by C<func> with the function name string or NULL,
the variable pointed to by C<file> with the file name string or NULL, and
the variable pointed to by C<line> with the line number or -1.
Any string returned via C<*func> and C<*file> must be freeed by the caller.
ossl_cmp_add_error_txt() appends text to the extra data field of the last
error message in the OpenSSL error queue, after adding the optional separator
unless data has been empty so far. The text can be of arbitrary length,
which is not possible when using L<ERR_add_error_data(3)> in conjunction with
L<ERR_print_errors_cb(3)>.
ossl_cmp_add_error_data() is a macro calling
B<ossl_cmp_add_error_txt()> with the separator being ":".
ossl_cmp_add_error_line() is a macro calling
B<ossl_cmp_add_error_txt()> with the separator being "\n".
ossl_cmp_asn1_octet_string_set1() frees any previous value of the variable
referenced via the C<tgt> argument and assigns either a copy of
the ASN1_OCTET_STRING given as the C<src> argument or C<NULL>.
It returns 1 on success, 0 on error.
ossl_cmp_asn1_octet_string_set1_bytes() frees any previous value of the variable
referenced via the C<tgt> argument and assigns either a copy of the given byte
string (with the given length) or NULL. It returns 1 on success, 0 on error.
ossl_cmp_build_cert_chain() builds up the certificate chain of cert as high up
as possible using the given X509_STORE containing all possible intermediate
certificates and optionally the (possible) trust anchor(s).
=head1 RETURN VALUES
ossl_cmp_log_parse_metadata() returns the pointer to the actual message text
after the OSSL_CMP_LOG_PREFIX and level and ':' if found in the buffer,
else the beginning of the buffer.
ossl_cmp_add_error_txt()
ossl_cmp_add_error_data(), and
ossl_cmp_add_error_line()
do not return anything.
ossl_cmp_build_cert_chain()
returns NULL on error, else a pointer to a stack of (up_ref'ed) certificates
containing the EE certificate given in the function arguments (cert)
and all intermediate certificates up the chain toward the trust anchor.
The (self-signed) trust anchor is not included.
All other functions return 1 on success, 0 on error.
=head1 HISTORY
The OpenSSL CMP support was added in OpenSSL 3.0.
=head1 COPYRIGHT
Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.
=cut

76
doc/internal/man3/ossl_cmp_ctx_set1_caPubs.pod Normal file
View File

@ -0,0 +1,76 @@
=pod
=head1 NAME
ossl_cmp_ctx_set1_caPubs,
ossl_cmp_ctx_set0_validatedSrvCert,
ossl_cmp_ctx_set_status,
ossl_cmp_ctx_set0_statusString,
ossl_cmp_ctx_set_failInfoCode,
ossl_cmp_ctx_set0_newCert,
ossl_cmp_ctx_set1_extraCertsIn,
ossl_cmp_ctx_set1_recipNonce
- internal functions for managing the CMP client context datastructure
=head1 SYNOPSIS
#include <openssl/cmp.h>
int ossl_cmp_ctx_set1_caPubs(OSSL_CMP_CTX *ctx, STACK_OF(X509) *caPubs);
int ossl_cmp_ctx_set0_validatedSrvCert(OSSL_CMP_CTX *ctx, X509 *cert);
int ossl_cmp_ctx_set_status(OSSL_CMP_CTX *ctx, int status);
int ossl_cmp_ctx_set0_statusString(OSSL_CMP_CTX *ctx,
OSSL_CMP_PKIFREETEXT *text);
int ossl_cmp_ctx_set_failInfoCode(OSSL_CMP_CTX *ctx, int fail_info);
int ossl_cmp_ctx_set0_newCert(OSSL_CMP_CTX *ctx, X509 *cert);
int ossl_cmp_ctx_set1_extraCertsIn(OSSL_CMP_CTX *ctx,
STACK_OF(X509) *extraCertsIn);
int ossl_cmp_ctx_set1_recipNonce(OSSL_CMP_CTX *ctx,
const ASN1_OCTET_STRING *nonce);
=head1 DESCRIPTION
ossl_cmp_ctx_set1_caPubs() copies the given stack of CA certificates
to the caPubs field of the context.
The reference counts of those certificates handled successfully are increased.
ossl_cmp_ctx_set0_validatedSrvCert() sets the validatedSrvCert of the context,
which caches any already validated server cert, or NULL if not available.
ossl_cmp_ctx_set_status() sets the status field of the context.
ossl_cmp_ctx_set0_statusString() sets the statusString field of the context.
ossl_cmp_ctx_set_failInfoCode() sets the error code bits in the failInfoCode
field of the context based on the given OSSL_CMP_PKIFAILUREINFO structure.
ossl_cmp_ctx_set0_newCert() sets the given (newly enrolled) certificate
in the context.
ossl_cmp_ctx_set1_extraCertsIn() sets the extraCertsIn field of the context.
The reference counts of those certificates handled successfully are increased.
ossl_cmp_ctx_set1_recipNonce() sets the given recipient nonce in the context.
=head1 NOTES
CMP is defined in RFC 4210 (and CRMF in RFC 4211).
=head1 RETURN VALUES
All functions return 1 on success, 0 on error.
=head1 HISTORY
The OpenSSL CMP support was added in OpenSSL 3.0.
=head1 COPYRIGHT
Copyright 2007-2018 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.
=cut

60
doc/internal/man3/ossl_cmp_sk_X509_add1_cert.pod Normal file
View File

@ -0,0 +1,60 @@
=pod
=head1 NAME
ossl_cmp_sk_X509_add1_cert,
ossl_cmp_sk_X509_add1_certs,
ossl_cmp_X509_STORE_add1_certs,
ossl_cmp_X509_STORE_get1_certs
- functions manipulating lists of certificates
=head1 SYNOPSIS
#include <openssl/cmp_util.h>
int ossl_cmp_sk_X509_add1_cert(STACK_OF(X509) *sk, X509 *cert,
int no_dup, int prepend);
int ossl_cmp_sk_X509_add1_certs(STACK_OF(X509) *sk, STACK_OF(X509) *certs,
int no_self_signed, int no_dups, int prepend);
int ossl_cmp_X509_STORE_add1_certs(X509_STORE *store, STACK_OF(X509) *certs,
int only_self_signed);
STACK_OF(X509) *ossl_cmp_X509_STORE_get1_certs(X509_STORE *store);
=head1 DESCRIPTION
ossl_cmp_sk_X509_add1_cert() appends or prepends (depending on the B<prepend>
argument) a certificate to the given list,
optionally only if it is not already contained.
On success the reference count of the certificate is increased.
ossl_cmp_sk_X509_add1_certs() appends or prepends (depending on the B<prepend>
argument) a list of certificates to the given list,
optionally only if not self-signed and optionally only if not already contained.
The reference counts of those certificates appended successfully are increased.
ossl_cmp_X509_STORE_add1_certs() adds all or only self-signed certificates from
the given stack to given store. The C<certs> parameter may be NULL.
ossl_cmp_X509_STORE_get1_certs() retrieves a copy of all certificates in the
given store.
=head1 RETURN VALUES
ossl_cmp_X509_STORE_get1_certs() returns a list of certificates, NULL on error.
All other functions return 1 on success, 0 on error.
=head1 HISTORY
The OpenSSL CMP support was added in OpenSSL 3.0.
=head1 COPYRIGHT
Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.
=cut

662
doc/man3/OSSL_CMP_CTX_new.pod Normal file
View File

@ -0,0 +1,662 @@
=pod
=head1 NAME
OSSL_CMP_CTX_new,
OSSL_CMP_CTX_free,
OSSL_CMP_CTX_reinit,
OSSL_CMP_CTX_set_option,
OSSL_CMP_CTX_get_option,
OSSL_CMP_CTX_set_log_cb,
OSSL_CMP_CTX_set_log_verbosity,
OSSL_CMP_CTX_print_errors,
OSSL_CMP_CTX_set1_serverPath,
OSSL_CMP_CTX_set1_serverName,
OSSL_CMP_CTX_set_serverPort,
OSSL_CMP_CTX_set1_proxyName,
OSSL_CMP_CTX_set_proxyPort,
OSSL_CMP_DEFAULT_PORT,
OSSL_CMP_CTX_set_http_cb,
OSSL_CMP_CTX_set_http_cb_arg,
OSSL_CMP_CTX_get_http_cb_arg,
OSSL_CMP_CTX_set_transfer_cb,
OSSL_CMP_CTX_set_transfer_cb_arg,
OSSL_CMP_CTX_get_transfer_cb_arg,
OSSL_CMP_CTX_set1_srvCert,
OSSL_CMP_CTX_set1_expected_sender,
OSSL_CMP_CTX_set0_trustedStore,
OSSL_CMP_CTX_get0_trustedStore,
OSSL_CMP_CTX_set1_untrusted_certs,
OSSL_CMP_CTX_get0_untrusted_certs,
OSSL_CMP_CTX_set1_clCert,
OSSL_CMP_CTX_set1_pkey,
OSSL_CMP_CTX_set1_referenceValue,
OSSL_CMP_CTX_set1_secretValue,
OSSL_CMP_CTX_set1_recipient,
OSSL_CMP_CTX_push0_geninfo_ITAV,
OSSL_CMP_CTX_set1_extraCertsOut,
OSSL_CMP_CTX_set0_newPkey,
OSSL_CMP_CTX_get0_newPkey,
OSSL_CMP_CTX_set1_issuer,
OSSL_CMP_CTX_set1_subjectName,
OSSL_CMP_CTX_push1_subjectAltName,
OSSL_CMP_CTX_set0_reqExtensions,
OSSL_CMP_CTX_reqExtensions_have_SAN,
OSSL_CMP_CTX_push0_policy,
OSSL_CMP_CTX_set1_oldCert,
OSSL_CMP_CTX_set1_p10CSR,
OSSL_CMP_CTX_push0_genm_ITAV,
OSSL_CMP_CTX_set_certConf_cb,
OSSL_CMP_CTX_set_certConf_cb_arg,
OSSL_CMP_CTX_get_certConf_cb_arg,
OSSL_CMP_CTX_get_status,
OSSL_CMP_CTX_get0_statusString,
OSSL_CMP_CTX_get_failInfoCode,
OSSL_CMP_CTX_get0_newCert,
OSSL_CMP_CTX_get1_caPubs,
OSSL_CMP_CTX_get1_extraCertsIn,
OSSL_CMP_CTX_set1_transactionID,
OSSL_CMP_CTX_set1_senderNonce
- functions for managing the CMP client context data structure
=head1 SYNOPSIS
#include <openssl/cmp.h>
OSSL_CMP_CTX *OSSL_CMP_CTX_new(void);
void OSSL_CMP_CTX_free(OSSL_CMP_CTX *ctx);
int OSSL_CMP_CTX_reinit(OSSL_CMP_CTX *ctx);
int OSSL_CMP_CTX_set_option(OSSL_CMP_CTX *ctx, int opt, int val);
int OSSL_CMP_CTX_get_option(const OSSL_CMP_CTX *ctx, int opt);
/* logging and error reporting: */
int OSSL_CMP_CTX_set_log_cb(OSSL_CMP_CTX *ctx, OSSL_cmp_log_cb_t cb);
#define OSSL_CMP_CTX_set_log_verbosity(ctx, level)
void OSSL_CMP_CTX_print_errors(OSSL_CMP_CTX *ctx);
/* message transfer: */
int OSSL_CMP_CTX_set1_serverPath(OSSL_CMP_CTX *ctx, const char *path);
int OSSL_CMP_CTX_set1_serverName(OSSL_CMP_CTX *ctx, const char *name);
int OSSL_CMP_CTX_set_serverPort(OSSL_CMP_CTX *ctx, int port);
int OSSL_CMP_CTX_set1_proxyName(OSSL_CMP_CTX *ctx, const char *name);
int OSSL_CMP_CTX_set_proxyPort(OSSL_CMP_CTX *ctx, int port);
#define OSSL_CMP_DEFAULT_PORT 80
typedef BIO (*OSSL_cmp_http_cb_t) (OSSL_CMP_CTX *ctx, BIO *hbio,
unsigned long detail);
int OSSL_CMP_CTX_set_http_cb(OSSL_CMP_CTX *ctx, OSSL_cmp_http_cb_t cb);
int OSSL_CMP_CTX_set_http_cb_arg(OSSL_CMP_CTX *ctx, void *arg);
void *OSSL_CMP_CTX_get_http_cb_arg(const OSSL_CMP_CTX *ctx);
typedef int (*OSSL_cmp_transfer_cb_t) (OSSL_CMP_CTX *ctx,
const OSSL_CMP_MSG *req,
OSSL_CMP_MSG **res);
int OSSL_CMP_CTX_set_transfer_cb(OSSL_CMP_CTX *ctx,
OSSL_cmp_transfer_cb_t cb);
int OSSL_CMP_CTX_set_transfer_cb_arg(OSSL_CMP_CTX *ctx, void *arg);
void *OSSL_CMP_CTX_get_transfer_cb_arg(const OSSL_CMP_CTX *ctx);
/* server authentication: */
int OSSL_CMP_CTX_set1_srvCert(OSSL_CMP_CTX *ctx, X509 *cert);
int OSSL_CMP_CTX_set1_expected_sender(OSSL_CMP_CTX *ctx,
const X509_NAME *name);
int OSSL_CMP_CTX_set0_trustedStore(OSSL_CMP_CTX *ctx, X509_STORE *store);
X509_STORE *OSSL_CMP_CTX_get0_trustedStore(const OSSL_CMP_CTX *ctx);
int OSSL_CMP_CTX_set1_untrusted_certs(OSSL_CMP_CTX *ctx,
STACK_OF(X509) *certs);
STACK_OF(X509) *OSSL_CMP_CTX_get0_untrusted_certs(const OSSL_CMP_CTX *ctx);
/* client authentication: */
int OSSL_CMP_CTX_set1_clCert(OSSL_CMP_CTX *ctx, X509 *cert);
int OSSL_CMP_CTX_set1_pkey(OSSL_CMP_CTX *ctx, EVP_PKEY *pkey);
int OSSL_CMP_CTX_set1_referenceValue(OSSL_CMP_CTX *ctx,
const unsigned char *ref, int len);
int OSSL_CMP_CTX_set1_secretValue(OSSL_CMP_CTX *ctx, const unsigned char *sec,
const int len);
/* CMP message header and extra certificates: */
int OSSL_CMP_CTX_set1_recipient(OSSL_CMP_CTX *ctx, const X509_NAME *name);
int OSSL_CMP_CTX_push0_geninfo_ITAV(OSSL_CMP_CTX *ctx, OSSL_CMP_ITAV *itav);
int OSSL_CMP_CTX_set1_extraCertsOut(OSSL_CMP_CTX *ctx,
STACK_OF(X509) *extraCertsOut);
/* certificate template: */
int OSSL_CMP_CTX_set0_newPkey(OSSL_CMP_CTX *ctx, int priv, EVP_PKEY *pkey);
EVP_PKEY *OSSL_CMP_CTX_get0_newPkey(const OSSL_CMP_CTX *ctx, int priv);
int OSSL_CMP_CTX_set1_issuer(OSSL_CMP_CTX *ctx, const X509_NAME *name);
int OSSL_CMP_CTX_set1_subjectName(OSSL_CMP_CTX *ctx, const X509_NAME *name);
int OSSL_CMP_CTX_push1_subjectAltName(OSSL_CMP_CTX *ctx,
const GENERAL_NAME *name);
int OSSL_CMP_CTX_set0_reqExtensions(OSSL_CMP_CTX *ctx, X509_EXTENSIONS *exts);
int OSSL_CMP_CTX_reqExtensions_have_SAN(OSSL_CMP_CTX *ctx);
int OSSL_CMP_CTX_push0_policy(OSSL_CMP_CTX *ctx, POLICYINFO *pinfo);
int OSSL_CMP_CTX_set1_oldCert(OSSL_CMP_CTX *ctx, X509 *cert);
int OSSL_CMP_CTX_set1_p10CSR(OSSL_CMP_CTX *ctx, const X509_REQ *csr);
/* misc body contents: */
int OSSL_CMP_CTX_push0_genm_ITAV(OSSL_CMP_CTX *ctx, OSSL_CMP_ITAV *itav);
/* certificate confirmation: */
typedef int (*OSSL_cmp_certConf_cb_t) (OSSL_CMP_CTX *ctx, X509 *cert,
int fail_info, const char **txt);
int OSSL_CMP_CTX_set_certConf_cb(OSSL_CMP_CTX *ctx, OSSL_cmp_certConf_cb_t cb);
int OSSL_CMP_CTX_set_certConf_cb_arg(OSSL_CMP_CTX *ctx, void *arg);
void *OSSL_CMP_CTX_get_certConf_cb_arg(const OSSL_CMP_CTX *ctx);
/* result fetching: */
int OSSL_CMP_CTX_get_status(const OSSL_CMP_CTX *ctx);
OSSL_CMP_PKIFREETEXT *OSSL_CMP_CTX_get0_statusString(const OSSL_CMP_CTX *ctx);
int OSSL_CMP_CTX_get_failInfoCode(const OSSL_CMP_CTX *ctx);
X509 *OSSL_CMP_CTX_get0_newCert(const OSSL_CMP_CTX *ctx);
STACK_OF(X509) *OSSL_CMP_CTX_get1_caPubs(const OSSL_CMP_CTX *ctx);
STACK_OF(X509) *OSSL_CMP_CTX_get1_extraCertsIn(const OSSL_CMP_CTX *ctx);
/* for test purposes only: */
int OSSL_CMP_CTX_set1_transactionID(OSSL_CMP_CTX *ctx,
const ASN1_OCTET_STRING *id);
int OSSL_CMP_CTX_set1_senderNonce(OSSL_CMP_CTX *ctx,
const ASN1_OCTET_STRING *nonce);
=head1 DESCRIPTION
This is the context API for using CMP (Certificate Management Protocol) with
OpenSSL.
OSSL_CMP_CTX_new() allocates and initializes an OSSL_CMP_CTX structure to
default values, e.g., proof-of-possession method is set to POPOSigningKey.
OSSL_CMP_CTX_free() deallocates an OSSL_CMP_CTX structure.
OSSL_CMP_CTX_reinit() prepares the given B<ctx> for a further transaction by
clearing the internal CMP transaction (aka session) status, PKIStatusInfo,
and any previous results (newCert, caPubs, and extraCertsIn)
from the last executed transaction.
All other field values (i.e., CMP options) are retained for potential re-use.
OSSL_CMP_CTX_set_option() sets the given value for the given option
(e.g., OSSL_CMP_OPT_IMPLICITCONFIRM) in the given OSSL_CMP_CTX structure.
The following options can be set:
=over 4
=item B<OSSL_CMP_OPT_LOG_VERBOSITY>
The level of severity needed for actually outputting log messages
due to errors, warnings, general info, debugging, etc.
Default is OSSL_CMP_LOG_INFO. See also L<OSSL_CMP_log_open(3)>.
=item B<OSSL_CMP_OPT_MSGTIMEOUT>
Number of seconds (or 0 for infinite) a CMP message round trip is
allowed to take before a timeout error is returned. Default is 120.
=item B<OSSL_CMP_OPT_TOTALTIMEOUT>
Maximum total number of seconds an enrollment (including polling)
may take. Default is 0 (infinite).
=item B<OSSL_CMP_OPT_VALIDITYDAYS>
Number of days new certificates are asked to be valid for.
=item B<OSSL_CMP_OPT_SUBJECTALTNAME_NODEFAULT>
Do not take default Subject Alternative Names
from the reference certificate.
=item B<OSSL_CMP_OPT_SUBJECTALTNAME_CRITICAL>
Demand that the given Subject Alternative Names are flagged as critical.
=item B<OSSL_CMP_OPT_POLICIES_CRITICAL>
Demand that the given policies are flagged as critical.
=item B<OSSL_CMP_OPT_POPOMETHOD>
Select the proof of possession method to use. Possible values are:
OSSL_CRMF_POPO_NONE - ProofOfPossession field omitted
OSSL_CRMF_POPO_RAVERIFIED - assert that the RA has already
verified the PoPo
OSSL_CRMF_POPO_SIGNATURE - sign a value with private key,
which is the default.
OSSL_CRMF_POPO_KEYENC - decrypt the encrypted certificate
("indirect method")
Note that a signature-based POPO can only be produced if a private key
is provided as the newPkey or client pkey component of the CMP context.
=item B<OSSL_CMP_OPT_DIGEST_ALGNID>
The digest algorithm NID to be used in RFC 4210's MSG_SIG_ALG,
if applicable used for message protection and Proof-of-Possession.
Default is SHA256.
OSSL_CMP_OPT_OWF_ALGNID
The digest algorithm NID to be used as one-way function (OWF)
in RFC 4210's MSG_MAC_ALG, if applicable used for message protection.
Default is SHA256.
OSSL_CMP_OPT_MAC_ALGNID
The MAC algorithm NID to be used in RFC 4210's MSG_MAC_ALG,
if applicable used for message protection.
Default is HMAC-SHA1 as per RFC 4210.
=item B<OSSL_CMP_OPT_REVOCATION_REASON>
The reason code to be included in a Revocation Request (RR);
values: 0..10 (RFC 5210, 5.3.1) or -1 for none, which is the default.
=item B<OSSL_CMP_OPT_IMPLICITCONFIRM>
Request server to enable implicit confirm mode, where the client
does not need to send confirmation upon receiving the
certificate. If the server does not enable implicit confirmation
in the return message, then confirmation is sent anyway.
=item B<OSSL_CMP_OPT_DISABLECONFIRM>
Do not confirm enrolled certificates, to cope with broken servers
not supporting implicit confirmation correctly.
B<WARNING:> This setting leads to unspecified behavior and it is meant
exclusively to allow interoperability with server implementations violating
RFC 4210.
=item B<OSSL_CMP_OPT_UNPROTECTED_SEND>
Send messages without CMP-level protection.
=item B<OSSL_CMP_OPT_UNPROTECTED_ERRORS>
Accept unprotected error responses which are either explicitly
unprotected or where protection verification failed. Applies to regular
error messages as well as certificate responses (IP/CP/KUP) and
revocation responses (RP) with rejection.
B<WARNING:> This setting leads to unspecified behavior and it is meant
exclusively to allow interoperability with server implementations violating
RFC 4210.
=item B<OSSL_CMP_OPT_IGNORE_KEYUSAGE>
Ignore key usage restrictions in signer certificate when
validating signature-based protection in received CMP messages.
Else, 'digitalSignature' must be allowed by CMP signer certificates.
=item B<OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR>
Allow retrieving a trust anchor from extraCerts and using that
to validate the certificate chain of an IP message.
=back
OSSL_CMP_CTX_get_option() reads the current value of the given option
(e.g., OSSL_CMP_OPT_IMPLICITCONFIRM) from the given OSSL_CMP_CTX structure.
OSSL_CMP_CTX_set_log_cb() sets in B<ctx> the callback function C<cb>
for handling error queue entries and logging messages.
When C<cb> is NULL errors are printed to STDERR (if available, else ignored)
any log messages are ignored.
Alternatively, L<OSSL_CMP_log_open(3)> may be used to direct logging to STDOUT.
OSSL_CMP_CTX_set_log_verbosity() is a macro setting the
OSSL_CMP_OPT_LOG_VERBOSITY context option to the given level.
OSSL_CMP_CTX_print_errors() outputs any entries in the OpenSSL error queue.
It is similar to B<ERR_print_errors_cb()> but uses the CMP log callback function
if set in the C<ctx> for uniformity with CMP logging if given. Otherwise it uses
B<ERR_print_errors(3)> to print to STDERR (unless OPENSSL_NO_STDIO is defined).
OSSL_CMP_CTX_set1_serverPath() sets the HTTP path of the CMP server on the host.
OSSL_CMP_CTX_set1_serverName() sets the given server Address (as IP or name)
in the given OSSL_CMP_CTX structure.
OSSL_CMP_CTX_set_serverPort() sets the port of the CMP server to connect to.
Port defaults to OSSL_CMP_DEFAULT_PORT = 80 if not set explicitly.
OSSL_CMP_CTX_set1_proxyName() sets the host name of the HTTP proxy to be used
for connecting to the CA server.
OSSL_CMP_CTX_set_proxyPort() sets the port of the HTTP proxy.
Port defaults to OSSL_CMP_DEFAULT_PORT = 80 if not set explicitly.
OSSL_CMP_CTX_set_http_cb() sets the optional http connect/disconnect callback
function, which has the prototype
typedef BIO *(*OSSL_cmp_http_cb_t)(OSSL_CMP_CTX *ctx, BIO *hbio,
unsigned long detail);
It may modify the HTTP BIO given in the B<hbio> argument
used by OSSL_CMP_MSG_http_perform().
On connect the B<detail> argument is 1.
On disconnect it is 0 if no error occurred or else the last error code.
For instance, on connect a TLS BIO may be prepended to implement HTTPS,
and on disconnect some error diagnostics and/or cleanup may be done.
The callback function should return NULL to indicate failure.
It may make use of a custom defined argument stored in the ctx
by means of OSSL_CMP_CTX_set_http_cb_arg(),
which may be retrieved again through OSSL_CMP_CTX_get_http_cb_arg().
OSSL_CMP_CTX_set_http_cb_arg() sets an argument, respectively a pointer to
a structure containing arguments,
optionally to be used by the http connect/disconnect callback function.
B<arg> is not consumed, and it must therefore explicitly be freed when not
needed any more. B<arg> may be NULL to clear the entry.
OSSL_CMP_CTX_get_http_cb_arg() gets the argument, respectively the pointer to a
structure containing arguments, previously set by
OSSL_CMP_CTX_set_http_cb_arg() or NULL if unset.
OSSL_CMP_CTX_set_transfer_cb() sets the message transfer callback function,
which has the type
typedef int (*OSSL_cmp_transfer_cb_t)(const OSSL_CMP_CTX *ctx,
const OSSL_CMP_MSG *req,
OSSL_CMP_MSG **res);
Returns 1 on success, 0 on error.
Default is NULL, which implies the use of L<OSSL_CMP_MSG_http_perform(3)>.
The callback should send the CMP request it obtains via the B<req> parameter
and on success place the response in the B<*res> output parameter.
The transfer callback may make use of a custom defined argument stored in
the ctx by means of OSSL_CMP_CTX_set_transfer_cb_arg(), which may be retrieved
again through OSSL_CMP_CTX_get_transfer_cb_arg().
On success the cb must return 0, else a CMP error reason code defined in cmp.h.
OSSL_CMP_CTX_set_transfer_cb_arg() sets an argument, respectively a pointer to a
structure containing arguments, optionally to be used by the transfer callback.
B<arg> is not consumed, and it must therefore explicitly be freed when not
needed any more. B<arg> may be NULL to clear the entry.
OSSL_CMP_CTX_get_transfer_cb_arg() gets the argument, respectively the pointer
to a structure containing arguments, previously set by
OSSL_CMP_CTX_set_transfer_cb_arg() or NULL if unset.
OSSL_CMP_CTX_set1_srvCert() pins the server certificate to be directly trusted
(even if it is expired) for verifying response messages.
The cert pointer is not consumed. It may be NULL to clear the entry.
OSSL_CMP_CTX_set1_expected_sender() sets the Distinguished Name (DN) expected to
be given in the sender response for messages protected with MSG_SIG_ALG. This
may be used to enforce that during validation of received messages the given DN
matches the sender field of the PKIMessage header, which in turn is used to
identify the server certificate.
This can be used to ensure that only a particular entity is accepted to act as
CMP server, and attackers are not able to use arbitrary certificates of a
trusted PKI hierarchy to fraudulently pose as server.
This defaults to the subject DN of the certificate set via
OSSL_CMP_CTX_set1_srvCert(), if any.
OSSL_CMP_CTX_set0_trustedStore() sets the X509_STORE type certificate store
containing trusted (root) CA certificates. The certificate store may also hold
CRLs and a certificate verification callback function used for CMP server
authentication. Any already existing store entry is freed. When given a NULL
parameter the entry is cleared.
OSSL_CMP_CTX_get0_trustedStore() returns a pointer to the certificate store
containing trusted root CA certificates, which may be empty if unset.
OSSL_CMP_CTX_set1_untrusted_certs() takes over a list of certificates containing
non-trusted intermediate certs used for path construction in authentication
of the CMP server and potentially others (TLS server, newly enrolled cert).
The reference counts of those certificates handled successfully are increased.
OSSL_CMP_CTX_get0_untrusted_certs(OSSL_CMP_CTX *ctx) returns a pointer to the
list of untrusted certs, which my be empty if unset.
OSSL_CMP_CTX_set1_clCert() sets the client certificate in the given
OSSL_CMP_CTX structure. The client certificate will then be used by the
functions to set the "sender" field for outgoing messages and it will be
included in the extraCerts field.
OSSL_CMP_CTX_set1_pkey() sets the private key corresponding to the client
certificate set with B<OSSL_CMP_CTX_set1_clCert()> in the given CMP context.
Used to create the protection in case of MSG_SIG_ALG.
OSSL_CMP_CTX_set1_referenceValue() sets the given referenceValue in the given
B<ctx> or clears it if the B<ref> argument is NULL.
OSSL_CMP_CTX_set1_secretValue() sets the B<sec> with the length B<len> in the
given B<ctx> or clears it if the B<sec> argument is NULL.
OSSL_CMP_CTX_set1_recipient() sets the recipient name that will be used in the
PKIHeader of a request message, i.e. the X509 name of the (CA) server.
Setting is overruled by subject of srvCert if set.
If neither srvCert nor recipient are set, the recipient of the PKI message is
determined in the following order: issuer, issuer of old cert (oldCert),
issuer of client cert (clCert), else NULL-DN.
When a response is received, its sender must match the recipient of the request.
OSSL_CMP_CTX_push0_geninfo_ITAV() adds B<itav> to the stack in the B<ctx> to be
added to the GeneralInfo field of the CMP PKIMessage header of a request
message sent with this context. Consumes the pointer to B<itav>.
OSSL_CMP_CTX_set1_extraCertsOut() sets the stack of extraCerts that will be
sent to remote.
OSSL_CMP_CTX_set0_newPkey() can be used to explicitly set the given EVP_PKEY
structure as the private or public key to be certified in the CMP context.
The B<priv> parameter must be 0 if and only if the given key is a public key.
OSSL_CMP_CTX_get0_newPkey() gives the key to use for certificate enrollment
dependent on fields of the CMP context structure:
the newPkey (which may be a private or public key) if present,
else the public key in the p10CSR if present, else the client private key.
If the B<priv> parameter is not 0 and the selected key does not have a
private component then NULL is returned.
OSSL_CMP_CTX_set1_issuer() sets the name of the intended issuer that
will be set in the CertTemplate, i.e., the X509 name of the CA server.
OSSL_CMP_CTX_set1_subjectName() sets the subject DN that will be used in
the CertTemplate structure when requesting a new cert. For Key Update Requests
(KUR), it defaults to the subject DN of the reference certificate,
see B<OSSL_CMP_CTX_set1_oldCert()>. This default is used for Initialization
Requests (IR) and Certification Requests (CR) only if no SANs are set.
If clCert is not set (e.g. in case of IR with MSG_MAC_ALG), the subject DN
is also used as sender of the PKI message.
OSSL_CMP_CTX_push1_subjectAltName() adds the given X509 name to the list of
alternate names on the certificate template request. This cannot be used if
any Subject Alternative Name extension is set via
OSSL_CMP_CTX_set0_reqExtensions().
By default, unless OSSL_CMP_OPT_SUBJECTALTNAME_NODEFAULT has been set,
the Subject Alternative Names are copied from the reference certificate,
see OSSL_CMP_CTX_set1_oldCert().
If set and the subject DN is not set with OSSL_CMP_CTX_set1_subjectName(), then
the certificate template of an IR and CR will not be filled with the default
subject DN from the reference certificate (see OSSL_CMP_CTX_set1_oldCert().
If a subject DN is desired it needs to be set explicitly with
OSSL_CMP_CTX_set1_subjectName().
OSSL_CMP_CTX_set0_reqExtensions() sets the X.509v3 extensions to be used in
IR/CR/KUR.
OSSL_CMP_CTX_reqExtensions_have_SAN() returns 1 if the context contains
a Subject Alternative Name extension, else 0 or -1 on error.
OSSL_CMP_CTX_push0_policy() adds the certificate policy info object
to the X509_EXTENSIONS of the requested certificate template.
OSSL_CMP_CTX_set1_oldCert() sets the old certificate to be updated in
Key Update Requests (KUR) or to be revoked in Revocation Requests (RR).
It must be given for RR, else it defaults to B<clCert>.
The reference certificate determined in this way, if any, is also used for
deriving default subject DN and Subject Alternative Names for IR, CR, and KUR.
Its issuer, if any, is used as default recipient in the CMP message header.
OSSL_CMP_CTX_set1_p10CSR() sets the PKCS#10 CSR to be used in P10CR.
OSSL_CMP_CTX_push0_genm_ITAV() adds B<itav> to the stack in the B<ctx> which
will be the body of a General Message sent with this context.
Consumes the pointer to B<itav>.
OSSL_CMP_CTX_set_certConf_cb() sets the callback used for evaluating the newly
enrolled certificate before the library sends, depending on its result,
a positive or negative certConf message to the server. The callback has type
typedef int (*OSSL_cmp_certConf_cb_t) (OSSL_CMP_CTX *ctx, X509 *cert,
int fail_info, const char **txt);
and should inspect the certificate it obtains via the B<cert> parameter and may
overrule the pre-decision given in the B<fail_info> and B<*txt> parameters.
If it accepts the certificate it must return 0, indicating success. Else it must
return a bit field reflecting PKIFailureInfo with at least one failure bit and
may set the B<*txt> output parameter to point to a string constant with more
detail. The transfer callback may make use of a custom defined argument stored
in the B<ctx> by means of OSSL_CMP_CTX_set_certConf_cb_arg(), which may be
retrieved again through OSSL_CMP_CTX_get_certConf_cb_arg().
Typically, the callback will check at least that the certificate can be verified
using a set of trusted certificates.
It also could compare the subject DN and other fields of the newly
enrolled certificate with the certificate template of the request.
OSSL_CMP_CTX_set_certConf_cb_arg() sets an argument, respectively a pointer to a
structure containing arguments, optionally to be used by the certConf callback.
B<arg> is not consumed, and it must therefore explicitly be freed when not
needed any more. B<arg> may be NULL to clear the entry.
OSSL_CMP_CTX_get_certConf_cb_arg() gets the argument, respectively the pointer
to a structure containing arguments, previously set by
OSSL_CMP_CTX_set_certConf_cb_arg(), or NULL if unset.
OSSL_CMP_CTX_get_status() returns the PKIstatus from the last received
CertRepMessage or Revocation Response or error message, or -1 if unset.
OSSL_CMP_CTX_get0_statusString() returns the statusString from the last received
CertRepMessage or Revocation Response or error message, or NULL if unset.
OSSL_CMP_CTX_get_failInfoCode() returns the error code from the failInfo field
of the last received CertRepMessage or Revocation Response or error message.
This is a bit field and the flags for it are specified in L<cmp.h>.
The flags start with OSSL_CMP_CTX_FAILINFO, for example:
OSSL_CMP_CTX_FAILINFO_badAlg. Returns -1 if the failInfoCode field is unset.
OSSL_CMP_CTX_get0_newCert() returns the pointer to the newly obtained
certificate in case it is available, else NULL.
OSSL_CMP_CTX_get1_caPubs() returns a pointer to a duplicate of the stack of
X.509 certificates received in the caPubs field of last received certificate
response message IP/CP/KUP.
OSSL_CMP_CTX_get1_extraCertsIn() returns a pointer to a duplicate of the stack
of X.509 certificates received in the last received non-empty extraCerts field.
Returns an empty stack if no extraCerts have been received in the current
transaction.
OSSL_CMP_CTX_set1_transactionID() sets the given transaction ID in the given
OSSL_CMP_CTX structure.
OSSL_CMP_CTX_set1_senderNonce() stores the last sent sender B<nonce> in
the B<ctx>. This will be used to validate the recipNonce in incoming messages.
=head1 NOTES
CMP is defined in RFC 4210 (and CRMF in RFC 4211).
=head1 RETURN VALUES
OSSL_CMP_CTX_free() and OSSL_CMP_CTX_print_errors() do not return anything.
OSSL_CMP_CTX_new(),
OSSL_CMP_CTX_get_http_cb_arg(),
OSSL_CMP_CTX_get_transfer_cb_arg(),
OSSL_CMP_CTX_get0_trustedStore(),
OSSL_CMP_CTX_get0_untrusted_certs(),
OSSL_CMP_CTX_get0_newPkey(),
OSSL_CMP_CTX_get_certConf_cb_arg(),
OSSL_CMP_CTX_get0_statusString(),
OSSL_CMP_CTX_get0_newCert(),
OSSL_CMP_CTX_get1_caPubs(), and
OSSL_CMP_CTX_get1_extraCertsIn()
return the intended pointer value as described above or NULL on error.
OSSL_CMP_CTX_get_option(),
OSSL_CMP_CTX_reqExtensions_have_SAN(),
OSSL_CMP_CTX_get_status(), and
OSSL_CMP_CTX_get_failInfoCode()
return the intended value as described above or -1 on error.
All other functions return 1 on success, 0 on error.
=head1 EXAMPLES
The following code does an Initialization Request:
cmp_ctx = OSSL_CMP_CTX_new();
OSSL_CMP_CTX_set1_serverName(cmp_ctx, opt_serverName);
OSSL_CMP_CTX_set1_referenceValue(cmp_ctx, ref, ref_len);
OSSL_CMP_CTX_set1_secretValue(cmp_ctx, sec, sec_len);
OSSL_CMP_CTX_set0_newPkey(cmp_ctx, new_pkey, 1);
OSSL_CMP_CTX_set1_caCert(cmp_ctx, ca_cert);
initialClCert = OSSL_CMP_exec_IR_ses(cmp_ctx);
The following code does an Initialization Request using an
external identity certificate (RFC 4210, Appendix E.7):
cmp_ctx = OSSL_CMP_CTX_new();
OSSL_CMP_CTX_set1_serverName(cmp_ctx, sname);
OSSL_CMP_CTX_set1_clCert(cmp_ctx, cl_cert);
OSSL_CMP_CTX_set1_pkey(cmp_ctx, pkey);
OSSL_CMP_CTX_set0_newPkey(cmp_ctx, new_pkey, 1);
OSSL_CMP_CTX_set1_caCert(cmp_ctx, ca_cert);
initialClCert = OSSL_CMP_exec_IR_ses(cmp_ctx);
Here externalCert is an X509 certificate granted to the EE by another CA
which is trusted by the current CA the code will connect to.
The following code does a Key Update Request:
cmp_ctx = OSSL_CMP_CTX_new();
OSSL_CMP_CTX_set1_serverName(cmp_ctx, sname);
OSSL_CMP_CTX_set1_pkey(cmp_ctx, pkey);
OSSL_CMP_CTX_set0_newPkey(cmp_ctx, new_pkey, 1);
OSSL_CMP_CTX_set1_clCert(cmp_ctx, cl_cert);
OSSL_CMP_CTX_set1_caCert(cmp_ctx, ca_cert);
updatedClCert = OSSL_CMP_exec_KUR_ses(cmp_ctx);
The following code (which omits error handling) sends a General Message
including, as an example, the id-it-signKeyPairTypes OID and prints info on
the General Response contents.
cmp_ctx = OSSL_CMP_CTX_new();
OSSL_CMP_CTX_set1_serverName(cmp_ctx, sname);
OSSL_CMP_CTX_set1_referenceValue(cmp_ctx, ref, ref_len);
OSSL_CMP_CTX_set1_secretValue(cmp_ctx, sec, sec_len);
ASN1_OBJECT *type = OBJ_txt2obj("1.3.6.1.5.5.7.4.2", 1);
OSSL_CMP_ITAV *itav = OSSL_CMP_ITAV_new(type, NULL);
OSSL_CMP_CTX_push0_genm_ITAV(cmp_ctx, itav);
STACK_OF(OSSL_CMP_ITAV) *itavs;
itavs = OSSL_CMP_exec_GENM_ses(cmp_ctx);
print_itavs(itavs);
sk_OSSL_CMP_ITAV_pop_free(itavs, OSSL_CMP_ITAV_free);
=head1 SEE ALSO
L<OSSL_CMP_exec_IR_ses(3)>, L<OSSL_CMP_exec_KUR_ses(3)>,
L<OSSL_CMP_exec_GENM_ses(3)>
=head1 HISTORY
The OpenSSL CMP support was added in OpenSSL 3.0.
=head1 COPYRIGHT
Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.
=cut

6
doc/man3/OSSL_CMP_ITAV_set0.pod
View File

@ -23,6 +23,8 @@ OSSL_CMP_ITAV_push0_stack_item
=head1 DESCRIPTION
Certificate Management Protocol (CMP, RFC 4210) extension to OpenSSL
ITAV is short for InfoTypeAndValue. This type is defined in RFC 4210
section 5.3.19 and Appendix F. It is used at various places in CMP messages,
e.g., in the generalInfo PKIHeader field, to hold a key-value pair.
@ -93,6 +95,10 @@ included in the requests' PKIHeader's genInfo field.
L<OSSL_CMP_CTX_new(3)>, L<OSSL_CMP_CTX_free(3)>, L<ASN1_TYPE_set(3)>
=head1 HISTORY
The OpenSSL CMP support was added in OpenSSL 3.0.
=head1 COPYRIGHT
Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.

140
doc/man3/OSSL_CMP_log_open.pod Normal file
View File

@ -0,0 +1,140 @@
=pod
=head1 NAME
OSSL_CMP_log_open,
OSSL_CMP_log_close,
OSSL_CMP_alert,
OSSL_CMP_err,
OSSL_CMP_warn,
OSSL_CMP_info,
OSSL_CMP_debug,
OSSL_CMP_log,
OSSL_CMP_log1,
OSSL_CMP_log2,
OSSL_CMP_log3,
OSSL_CMP_log4,
OSSL_CMP_severity,
OSSL_CMP_LOG_EMERG,
OSSL_CMP_LOG_ALERT,
OSSL_CMP_LOG_CRIT,
OSSL_CMP_LOG_ERR,
OSSL_CMP_LOG_WARNING,
OSSL_CMP_LOG_NOTICE,
OSSL_CMP_LOG_INFO,
OSSL_CMP_LOG_DEBUG,
OSSL_CMP_print_errors_cb
- functions for logging and error reporting
=head1 SYNOPSIS
#include <openssl/cmp_util.h>
int OSSL_CMP_log_open(void);
void OSSL_CMP_log_close(void);
#define OSSL_CMP_alert(msg)
#define OSSL_CMP_err(msg)
#define OSSL_CMP_warn(msg)
#define OSSL_CMP_info(msg)
#define OSSL_CMP_debug(msg)
#define OSSL_CMP_log(level, msg)
#define OSSL_CMP_log1(level, fmt, arg1)
#define OSSL_CMP_log2(level, fmt, arg1, arg2)
#define OSSL_CMP_log3(level, fmt, arg1, arg2, arg3)
#define OSSL_CMP_log4(level, fmt, arg1, arg2, arg3, arg4)
/* severity level declarations resemble those from syslog.h */
typedef int OSSL_CMP_severity;
#define OSSL_CMP_LOG_EMERG 0
#define OSSL_CMP_LOG_ALERT 1
#define OSSL_CMP_LOG_CRIT 2
#define OSSL_CMP_LOG_ERR 3
#define OSSL_CMP_LOG_WARNING 4
#define OSSL_CMP_LOG_NOTICE 5
#define OSSL_CMP_LOG_INFO 6
#define OSSL_CMP_LOG_DEBUG 7
typedef int (*OSSL_cmp_log_cb_t) (const char *component,
const char *file, int line,
OSSL_CMP_severity level, const char *msg);
void OSSL_CMP_print_errors_cb(OSSL_cmp_log_cb_t log_fn);
=head1 DESCRIPTION
The logging and error reporting facility described here contains
convenience functions for CMP-specific logging via the trace API,
including a string prefix mirroring the severity levels of syslog.h,
and enhancements of the error queue mechanism needed for large diagnostic
messages produced by the CMP library in case of certificate validation failures.
When an interesting activity is performed or an error occurs, some detail
should be provided for user information, debugging, and auditing purposes.
A CMP application can obtain this information by providing a callback function
with the following type:
typedef void (*OSSL_cmp_log_cb_t)(const char *component,
const char *file, int line,
OSSL_CMP_severity level, const char *msg);
The parameters may provide
a component identifier (which may be a library name or function name) or NULL,
a file path name or NULL,
a line number or 0 indicating the source code location,
a severity level, and
a message string describing the nature of the event, terminated by '\n'.
Even when an activity is successful some warnings may be useful and some degree
of auditing may be required. Therefore the logging facility supports a severity
level and the callback function has a B<level> parameter indicating such a
level, such that error, warning, info, debug, etc. can be treated differently.
The callback is activated only when the severity level is sufficient according
to the current level of verbosity, which by default is OSSL_CMP_LOG_INFO.
The callback function may itself do non-trivial tasks like writing to
a log file or remote stream, which in turn may fail.
Therefore the function should return 1 on success and 0 on failure.
OSSL_CMP_log_open() initializes the CMP-specific logging facility to output
everything to STDOUT. It fails if the integrated tracing is disabled or STDIO
is not available. It may be called during application startup.
Alternatively, L<OSSL_CMP_CTX_set_log_cb(3)> can be used for more flexibility.
As long as neither if the two is used any logging output is ignored.
OSSL_CMP_log_close() may be called when all activities are finished to flush
any pending CMP-specific log output and deallocate related resources.
It may be called multiple times. It does get called at OpenSSL stutdown.
OSSL_CMP_alert() outputs a simple alert message via the trace API.
OSSL_CMP_err() outputs a simple error message via the trace API.
OSSL_CMP_warn() outputs a simple warning message via the trace API.
OSSL_CMP_info() outputs a simple info message via the trace API.
OSSL_CMP_debug() outputs a simple debug message via the trace API.
Note that due to the design of the trace API used, the log functions have no
effect unless the B<enable-trace> option is used during build configuration.
OSSL_CMP_print_errors_cb() outputs any entries in the OpenSSL error queue.
It is similar to B<ERR_print_errors_cb()> but uses the CMP log callback function
C<log_fn> for uniformity with CMP logging if not B<NULL>. Otherwise it uses
B<ERR_print_errors(3)> to print to STDERR (unless OPENSSL_NO_STDIO is defined).
=head1 RETURN VALUES
OSSL_CMP_log_close() and OSSL_CMP_print_errors_cb() do not return anything.
All other functions return 1 on success, 0 on error.
=head1 HISTORY
The OpenSSL CMP support was added in OpenSSL 3.0.
=head1 COPYRIGHT
Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.
=cut

15
doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod
View File

@ -5,6 +5,8 @@
OSSL_CRMF_MSG_get0_tmpl,
OSSL_CRMF_CERTTEMPLATE_get0_serialNumber,
OSSL_CRMF_CERTTEMPLATE_get0_issuer,
OSSL_CRMF_CERTID_get0_serialNumber,
OSSL_CRMF_CERTID_get0_issuer,
OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert,
OSSL_CRMF_MSG_get_certReqId
- functions reading from CRMF CertReqMsg structures
@ -18,6 +20,9 @@ OSSL_CRMF_MSG_get_certReqId
*OSSL_CRMF_CERTTEMPLATE_get0_serialNumber(OSSL_CRMF_CERTTEMPLATE *tmpl);
X509_NAME *OSSL_CRMF_CERTTEMPLATE_get0_issuer(OSSL_CRMF_CERTTEMPLATE *tmpl);
ASN1_INTEGER *OSSL_CRMF_CERTID_get0_serialNumber(const OSSL_CRMF_CERTID *cid);
X509_NAME *OSSL_CRMF_CERTID_get0_issuer(const OSSL_CRMF_CERTID *cid);
X509 *OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(OSSL_CRMF_ENCRYPTEDVALUE *ecert,
EVP_PKEY *pkey);
@ -34,6 +39,12 @@ given certificate template B<tmpl>.
OSSL_CRMF_CERTTEMPLATE_get0_issuer() retrieves the issuer name of the
given certificate template B<tmpl>.
OSSL_CRMF_CERTID_get0_serialNumber retrieves the serialNumber
of the given CertId B<cid>.
OSSL_CRMF_CERTID_get0_issuer retrieves the issuer name
of the given CertId B<cid>, which must be of ASN.1 type GEN_DIRNAME.
OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert() decrypts the certificate in the given
encryptedValue B<ecert>, using the private key B<pkey>.
This is needed for the indirect PoP method as in RFC 4210 section 5.2.8.2.
@ -54,6 +65,10 @@ All other functions return a pointer with the intended result or NULL on error.
B<RFC 4211>
=head1 HISTORY
The OpenSSL CRMF support was added in OpenSSL 3.0.
=head1 COPYRIGHT
Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.

6
doc/man3/OSSL_CRMF_MSG_set1_regCtrl_regToken.pod
View File

@ -69,7 +69,7 @@ control in the given B<msg> copying the given B<tok> as value. See RFC 4211,
section 6.3.
OSSL_CRMF_MSG_set1_regCtrl_protocolEncrKey() sets the protocolEncrKey control in
the given B<msg> copying the given B<pubkey> as value. See RFC 4211, section 6.6.
the given B<msg> copying the given B<pubkey> as value. See RFC 4211 section 6.6.
OSSL_CRMF_MSG_set1_regCtrl_oldCertID() sets the oldCertID control in the given
B<msg> copying the given B<cid> as value. See RFC 4211, section 6.5.
@ -94,6 +94,10 @@ create the needed OSSL_CRMF_PKIARCHIVEOPTINS content.
RFC 4211
=head1 HISTORY
The OpenSSL CRMF support was added in OpenSSL 3.0.
=head1 COPYRIGHT
Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.

4
doc/man3/OSSL_CRMF_MSG_set1_regInfo_certReq.pod
View File

@ -37,6 +37,10 @@ multiple utf8Pairs in one regInfo structure, it does not allow multiple certReq.
RFC 4211
=head1 HISTORY
The OpenSSL CRMF support was added in OpenSSL 3.0.
=head1 COPYRIGHT
Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.

17
doc/man3/OSSL_CRMF_MSG_set_validity.pod
View File

@ -25,11 +25,9 @@ OSSL_CRMF_MSGS_verify_popo
const X509_NAME *issuer,
const ASN1_INTEGER *serial);
int OSSL_CRMF_MSG_set0_extensions(OSSL_CRMF_MSG *crm,
X509_EXTENSIONS *exts);
int OSSL_CRMF_MSG_set0_extensions(OSSL_CRMF_MSG *crm, X509_EXTENSIONS *exts);
int OSSL_CRMF_MSG_push0_extension(OSSL_CRMF_MSG *crm,
const X509_EXTENSION *ext);
int OSSL_CRMF_MSG_push0_extension(OSSL_CRMF_MSG *crm, X509_EXTENSION *ext);
int OSSL_CRMF_MSG_create_popo(OSSL_CRMF_MSG *crm, EVP_PKEY *pkey,
int dgst, int ppmtd);
@ -56,9 +54,10 @@ certTemplate of B<crm>. Frees any pre-existing ones and consumes B<exts>.
OSSL_CRMF_MSG_push0_extension() pushes the X509 extension B<ext> to the
extensions in the certTemplate of B<crm>. Consumes B<ext>.
OSSL_CRMF_MSG_create_popo() creates and sets the Proof-of-Possession (POP)
according to the method B<ppmtd> for B<pkey> to B<crm>. In case the method is
OSSL_CRMF_POPO_SIGNATURE, POP is calculated using the B<dgst>.
OSSL_CRMF_MSG_create_popo() creates and sets the Proof-of-Possession (POPO)
according to the method B<ppmtd> in B<crm>.
In case the method is OSSL_CRMF_POPO_SIGNATURE the POPO is calculated
using the private B<pkey> and the digest algorithm NID B<dgst>.
B<ppmtd> can be one of the following:
@ -93,6 +92,10 @@ All functions return 1 on success, 0 on error.
RFC 4211
=head1 HISTORY
The OpenSSL CRMF support was added in OpenSSL 3.0.
=head1 COPYRIGHT
Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.

4
doc/man3/OSSL_CRMF_pbmp_new.pod
View File

@ -66,6 +66,10 @@ structure, or NULL on error.
RFC 4211 section 4.4
=head1 HISTORY
The OpenSSL CRMF support was added in OpenSSL 3.0.
=head1 COPYRIGHT
Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.

9
doc/man3/X509_dup.pod
View File

@ -123,13 +123,13 @@ OCSP_SIGNATURE_new,
OCSP_SINGLERESP_free,
OCSP_SINGLERESP_new,
OSSL_CMP_ITAV_free,
OSSL_CMP_MSG_dup,
OSSL_CMP_MSG_free,
OSSL_CMP_MSG_it,
OSSL_CMP_MSG_free,
OSSL_CMP_PKIHEADER_free,
OSSL_CMP_PKIHEADER_it,
OSSL_CMP_PKIHEADER_new,
OSSL_CMP_PKISI_free,
OSSL_CMP_PKISI_new,
OSSL_CMP_PKISTATUS_it,
OSSL_CRMF_CERTID_free,
OSSL_CRMF_CERTID_it,
@ -252,13 +252,10 @@ X509_ALGOR_new,
X509_ATTRIBUTE_dup,
X509_ATTRIBUTE_free,
X509_ATTRIBUTE_new,
X509_CERT_AUX_dup,
X509_CERT_AUX_free,
X509_CERT_AUX_new,
X509_CINF_dup,
X509_CINF_free,
X509_CINF_new,
X509_CRL_INFO_dup,
X509_CRL_INFO_free,
X509_CRL_INFO_new,
X509_CRL_dup,
@ -273,7 +270,6 @@ X509_NAME_ENTRY_new,
X509_NAME_dup,
X509_NAME_free,
X509_NAME_new,
X509_REQ_INFO_dup,
X509_REQ_INFO_free,
X509_REQ_INFO_new,
X509_REQ_dup,
@ -282,7 +278,6 @@ X509_REQ_new,
X509_REVOKED_dup,
X509_REVOKED_free,
X509_REVOKED_new,
X509_SIG_dup,
X509_SIG_free,
X509_SIG_new,
X509_VAL_free,

131
include/openssl/cmp.h
View File

@ -1,4 +1,4 @@
/*-
/*
* Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright Nokia 2007-2019
* Copyright Siemens AG 2015-2019
@ -7,8 +7,6 @@
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*
* CMP (RFC 4210) implementation by M. Peylo, M. Viljanen, and D. von Oheimb.
*/
#ifndef OSSL_HEADER_CMP_H
@ -19,6 +17,7 @@
# include <openssl/crmf.h>
# include <openssl/cmperr.h>
# include <openssl/cmp_util.h>
/* explicit #includes not strictly needed since implied by the above: */
# include <openssl/ossl_typ.h>
@ -203,26 +202,30 @@ DECLARE_ASN1_ITEM(OSSL_CMP_PKISTATUS)
# define OSSL_CMP_CERTORENCCERT_ENCRYPTEDCERT 1
/* data type declarations */
typedef struct OSSL_cmp_ctx_st OSSL_CMP_CTX;
typedef struct OSSL_cmp_pkiheader_st OSSL_CMP_PKIHEADER;
typedef struct ossl_cmp_ctx_st OSSL_CMP_CTX;
typedef struct ossl_cmp_pkiheader_st OSSL_CMP_PKIHEADER;
DECLARE_ASN1_FUNCTIONS(OSSL_CMP_PKIHEADER)
typedef struct OSSL_cmp_msg_st OSSL_CMP_MSG;
typedef struct ossl_cmp_msg_st OSSL_CMP_MSG;
DECLARE_ASN1_ENCODE_FUNCTIONS(OSSL_CMP_MSG, OSSL_CMP_MSG, OSSL_CMP_MSG)
typedef struct OSSL_cmp_certstatus_st OSSL_CMP_CERTSTATUS;
typedef struct ossl_cmp_certstatus_st OSSL_CMP_CERTSTATUS;
DEFINE_STACK_OF(OSSL_CMP_CERTSTATUS)
typedef struct OSSL_cmp_itav_st OSSL_CMP_ITAV;
typedef struct ossl_cmp_itav_st OSSL_CMP_ITAV;
DEFINE_STACK_OF(OSSL_CMP_ITAV)
typedef struct OSSL_cmp_revrepcontent_st OSSL_CMP_REVREPCONTENT;
typedef struct OSSL_cmp_pkisi_st OSSL_CMP_PKISI;
typedef struct ossl_cmp_revrepcontent_st OSSL_CMP_REVREPCONTENT;
typedef struct ossl_cmp_pkisi_st OSSL_CMP_PKISI;
DEFINE_STACK_OF(OSSL_CMP_PKISI)
typedef struct OSSL_cmp_certrepmessage_st OSSL_CMP_CERTREPMESSAGE;
typedef struct ossl_cmp_certrepmessage_st OSSL_CMP_CERTREPMESSAGE;
DEFINE_STACK_OF(OSSL_CMP_CERTREPMESSAGE)
typedef struct OSSL_cmp_pollrep_st OSSL_CMP_POLLREP;
typedef struct ossl_cmp_pollrep_st OSSL_CMP_POLLREP;
typedef STACK_OF(OSSL_CMP_POLLREP) OSSL_CMP_POLLREPCONTENT;
typedef struct OSSL_cmp_certresponse_st OSSL_CMP_CERTRESPONSE;
typedef struct ossl_cmp_certresponse_st OSSL_CMP_CERTRESPONSE;
DEFINE_STACK_OF(OSSL_CMP_CERTRESPONSE)
typedef STACK_OF(ASN1_UTF8STRING) OSSL_CMP_PKIFREETEXT;
/*
* function DECLARATIONS
*/
/* from cmp_asn.c */
OSSL_CMP_ITAV *OSSL_CMP_ITAV_create(ASN1_OBJECT *type, ASN1_TYPE *value);
void OSSL_CMP_ITAV_set0(OSSL_CMP_ITAV *itav, ASN1_OBJECT *type,
@ -233,8 +236,106 @@ int OSSL_CMP_ITAV_push0_stack_item(STACK_OF(OSSL_CMP_ITAV) **itav_sk_p,
OSSL_CMP_ITAV *itav);
void OSSL_CMP_ITAV_free(OSSL_CMP_ITAV *itav);
void OSSL_CMP_MSG_free(OSSL_CMP_MSG *msg);
void OSSL_CMP_PKISI_free(OSSL_CMP_PKISI *si);
DECLARE_ASN1_DUP_FUNCTION(OSSL_CMP_MSG)
/* from cmp_ctx.c */
OSSL_CMP_CTX *OSSL_CMP_CTX_new(void);
void OSSL_CMP_CTX_free(OSSL_CMP_CTX *ctx);
int OSSL_CMP_CTX_reinit(OSSL_CMP_CTX *ctx);
/* various CMP options: */
# define OSSL_CMP_OPT_LOG_VERBOSITY 0
# define OSSL_CMP_OPT_MSGTIMEOUT 1
# define OSSL_CMP_OPT_TOTALTIMEOUT 2
# define OSSL_CMP_OPT_VALIDITYDAYS 3
# define OSSL_CMP_OPT_SUBJECTALTNAME_NODEFAULT 4
# define OSSL_CMP_OPT_SUBJECTALTNAME_CRITICAL 5
# define OSSL_CMP_OPT_POLICIES_CRITICAL 6
# define OSSL_CMP_OPT_POPOMETHOD 7
# define OSSL_CMP_OPT_DIGEST_ALGNID 8
# define OSSL_CMP_OPT_OWF_ALGNID 9
# define OSSL_CMP_OPT_MAC_ALGNID 10
# define OSSL_CMP_OPT_REVOCATION_REASON 11
# define OSSL_CMP_OPT_IMPLICITCONFIRM 12
# define OSSL_CMP_OPT_DISABLECONFIRM 13
# define OSSL_CMP_OPT_UNPROTECTED_SEND 14
# define OSSL_CMP_OPT_UNPROTECTED_ERRORS 15
# define OSSL_CMP_OPT_IGNORE_KEYUSAGE 16
# define OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR 17
int OSSL_CMP_CTX_set_option(OSSL_CMP_CTX *ctx, int opt, int val);
int OSSL_CMP_CTX_get_option(const OSSL_CMP_CTX *ctx, int opt);
/* CMP-specific callback for logging and outputting the error queue: */
int OSSL_CMP_CTX_set_log_cb(OSSL_CMP_CTX *ctx, OSSL_cmp_log_cb_t cb);
#define OSSL_CMP_CTX_set_log_verbosity(ctx, level) \
OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_LOG_VERBOSITY, level)
void OSSL_CMP_CTX_print_errors(OSSL_CMP_CTX *ctx);
/* message transfer: */
int OSSL_CMP_CTX_set1_serverPath(OSSL_CMP_CTX *ctx, const char *path);
int OSSL_CMP_CTX_set1_serverName(OSSL_CMP_CTX *ctx, const char *name);
int OSSL_CMP_CTX_set_serverPort(OSSL_CMP_CTX *ctx, int port);
int OSSL_CMP_CTX_set1_proxyName(OSSL_CMP_CTX *ctx, const char *name);
int OSSL_CMP_CTX_set_proxyPort(OSSL_CMP_CTX *ctx, int port);
# define OSSL_CMP_DEFAULT_PORT 80
typedef BIO *(*OSSL_cmp_http_cb_t) (OSSL_CMP_CTX *ctx, BIO *hbio,
unsigned long detail);
int OSSL_CMP_CTX_set_http_cb(OSSL_CMP_CTX *ctx, OSSL_cmp_http_cb_t cb);
int OSSL_CMP_CTX_set_http_cb_arg(OSSL_CMP_CTX *ctx, void *arg);
void *OSSL_CMP_CTX_get_http_cb_arg(const OSSL_CMP_CTX *ctx);
typedef int (*OSSL_cmp_transfer_cb_t) (OSSL_CMP_CTX *ctx,
const OSSL_CMP_MSG *req,
OSSL_CMP_MSG **res);
int OSSL_CMP_CTX_set_transfer_cb(OSSL_CMP_CTX *ctx, OSSL_cmp_transfer_cb_t cb);
int OSSL_CMP_CTX_set_transfer_cb_arg(OSSL_CMP_CTX *ctx, void *arg);
void *OSSL_CMP_CTX_get_transfer_cb_arg(const OSSL_CMP_CTX *ctx);
/* server authentication: */
int OSSL_CMP_CTX_set1_srvCert(OSSL_CMP_CTX *ctx, X509 *cert);
int OSSL_CMP_CTX_set1_expected_sender(OSSL_CMP_CTX *ctx, const X509_NAME *name);
int OSSL_CMP_CTX_set0_trustedStore(OSSL_CMP_CTX *ctx, X509_STORE *store);
X509_STORE *OSSL_CMP_CTX_get0_trustedStore(const OSSL_CMP_CTX *ctx);
int OSSL_CMP_CTX_set1_untrusted_certs(OSSL_CMP_CTX *ctx, STACK_OF(X509) *certs);
STACK_OF(X509) *OSSL_CMP_CTX_get0_untrusted_certs(const OSSL_CMP_CTX *ctx);
/* client authentication: */
int OSSL_CMP_CTX_set1_clCert(OSSL_CMP_CTX *ctx, X509 *cert);
int OSSL_CMP_CTX_set1_pkey(OSSL_CMP_CTX *ctx, EVP_PKEY *pkey);
int OSSL_CMP_CTX_set1_referenceValue(OSSL_CMP_CTX *ctx,
const unsigned char *ref, int len);
int OSSL_CMP_CTX_set1_secretValue(OSSL_CMP_CTX *ctx, const unsigned char *sec,
const int len);
/* CMP message header and extra certificates: */
int OSSL_CMP_CTX_set1_recipient(OSSL_CMP_CTX *ctx, const X509_NAME *name);
int OSSL_CMP_CTX_push0_geninfo_ITAV(OSSL_CMP_CTX *ctx, OSSL_CMP_ITAV *itav);
int OSSL_CMP_CTX_set1_extraCertsOut(OSSL_CMP_CTX *ctx,
STACK_OF(X509) *extraCertsOut);
/* certificate template: */
int OSSL_CMP_CTX_set0_newPkey(OSSL_CMP_CTX *ctx, int priv, EVP_PKEY *pkey);
EVP_PKEY *OSSL_CMP_CTX_get0_newPkey(const OSSL_CMP_CTX *ctx, int priv);
int OSSL_CMP_CTX_set1_issuer(OSSL_CMP_CTX *ctx, const X509_NAME *name);
int OSSL_CMP_CTX_set1_subjectName(OSSL_CMP_CTX *ctx, const X509_NAME *name);
int OSSL_CMP_CTX_push1_subjectAltName(OSSL_CMP_CTX *ctx, const GENERAL_NAME *name);
int OSSL_CMP_CTX_set0_reqExtensions(OSSL_CMP_CTX *ctx, X509_EXTENSIONS *exts);
int OSSL_CMP_CTX_reqExtensions_have_SAN(OSSL_CMP_CTX *ctx);
int OSSL_CMP_CTX_push0_policy(OSSL_CMP_CTX *ctx, POLICYINFO *pinfo);
int OSSL_CMP_CTX_set1_oldCert(OSSL_CMP_CTX *ctx, X509 *cert);
int OSSL_CMP_CTX_set1_p10CSR(OSSL_CMP_CTX *ctx, const X509_REQ *csr);
/* misc body contents: */
int OSSL_CMP_CTX_push0_genm_ITAV(OSSL_CMP_CTX *ctx, OSSL_CMP_ITAV *itav);
/* certificate confirmation: */
typedef int (*OSSL_cmp_certConf_cb_t) (OSSL_CMP_CTX *ctx, X509 *cert,
int fail_info, const char **txt);
int OSSL_CMP_CTX_set_certConf_cb(OSSL_CMP_CTX *ctx, OSSL_cmp_certConf_cb_t cb);
int OSSL_CMP_CTX_set_certConf_cb_arg(OSSL_CMP_CTX *ctx, void *arg);
void *OSSL_CMP_CTX_get_certConf_cb_arg(const OSSL_CMP_CTX *ctx);
/* result fetching: */
int OSSL_CMP_CTX_get_status(const OSSL_CMP_CTX *ctx);
OSSL_CMP_PKIFREETEXT *OSSL_CMP_CTX_get0_statusString(const OSSL_CMP_CTX *ctx);
int OSSL_CMP_CTX_get_failInfoCode(const OSSL_CMP_CTX *ctx);
# define OSSL_CMP_PKISI_BUFLEN 1024
X509 *OSSL_CMP_CTX_get0_newCert(const OSSL_CMP_CTX *ctx);
STACK_OF(X509) *OSSL_CMP_CTX_get1_caPubs(const OSSL_CMP_CTX *ctx);
STACK_OF(X509) *OSSL_CMP_CTX_get1_extraCertsIn(const OSSL_CMP_CTX *ctx);
/* support application-level CMP debugging in cmp.c: */
int OSSL_CMP_CTX_set1_transactionID(OSSL_CMP_CTX *ctx,
const ASN1_OCTET_STRING *id);
int OSSL_CMP_CTX_set1_senderNonce(OSSL_CMP_CTX *ctx,
const ASN1_OCTET_STRING *nonce);
# ifdef __cplusplus
}

79
include/openssl/cmp_util.h Normal file
View File

@ -0,0 +1,79 @@
/*
* Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright Nokia 2007-2019
* Copyright Siemens AG 2015-2019
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#ifndef OSSL_HEADER_CMP_UTIL_H
# define OSSL_HEADER_CMP_UTIL_H
# include <openssl/opensslconf.h>
# ifndef OPENSSL_NO_CMP
# include <openssl/macros.h>
# include <openssl/trace.h>
# include <openssl/x509.h>
# ifdef __cplusplus
extern "C" {
# endif
/*
* convenience functions for CMP-specific logging via the trace API
*/
int OSSL_CMP_log_open(void);
void OSSL_CMP_log_close(void);
# define OSSL_CMP_LOG_PREFIX "CMP "
/* in OSSL_CMP_LOG_START, cannot use OPENSSL_FUNC when expands to __func__ */
# define OSSL_CMP_LOG_START "%s:" OPENSSL_FILE ":" \
OPENSSL_MSTR(OPENSSL_LINE) ":" OSSL_CMP_LOG_PREFIX
# define OSSL_CMP_alert(msg) OSSL_CMP_log(ALERT, msg)
# define OSSL_CMP_err(msg) OSSL_CMP_log(ERROR, msg)
# define OSSL_CMP_warn(msg) OSSL_CMP_log(WARN, msg)
# define OSSL_CMP_info(msg) OSSL_CMP_log(INFO, msg)
# define OSSL_CMP_debug(msg) OSSL_CMP_log(DEBUG, msg)
# define OSSL_CMP_log(level, msg) \
OSSL_TRACEV(CMP, (trc_out, OSSL_CMP_LOG_START#level ": %s\n", \
OPENSSL_FUNC, msg))
# define OSSL_CMP_log1(level, fmt, arg1) \
OSSL_TRACEV(CMP, (trc_out, OSSL_CMP_LOG_START#level ": " fmt "\n", \
OPENSSL_FUNC, arg1))
# define OSSL_CMP_log2(level, fmt, arg1, arg2) \
OSSL_TRACEV(CMP, (trc_out, OSSL_CMP_LOG_START#level ": " fmt "\n", \
OPENSSL_FUNC, arg1, arg2))
# define OSSL_CMP_log3(level, fmt, arg1, arg2, arg3) \
OSSL_TRACEV(CMP, (trc_out, OSSL_CMP_LOG_START#level ": " fmt "\n", \
OPENSSL_FUNC, arg1, arg2, arg3))
# define OSSL_CMP_log4(level, fmt, arg1, arg2, arg3, arg4) \
OSSL_TRACEV(CMP, (trc_out, OSSL_CMP_LOG_START#level ": " fmt "\n", \
OPENSSL_FUNC, arg1, arg2, arg3, arg4))
/*
* generalized logging/error callback mirroring the severity levels of syslog.h
*/
typedef int OSSL_CMP_severity;
# define OSSL_CMP_LOG_EMERG 0
# define OSSL_CMP_LOG_ALERT 1
# define OSSL_CMP_LOG_CRIT 2
# define OSSL_CMP_LOG_ERR 3
# define OSSL_CMP_LOG_WARNING 4
# define OSSL_CMP_LOG_NOTICE 5
# define OSSL_CMP_LOG_INFO 6
# define OSSL_CMP_LOG_DEBUG 7
typedef int (*OSSL_cmp_log_cb_t)(const char *func, const char *file, int line,
OSSL_CMP_severity level, const char *msg);
/* use of the logging callback for outputting error queue */
void OSSL_CMP_print_errors_cb(OSSL_cmp_log_cb_t log_fn);
# ifdef __cplusplus
}
# endif
# endif /* !defined OPENSSL_NO_CMP */
#endif /* !defined OSSL_HEADER_CMP_UTIL_H */

4
include/openssl/cmperr.h
View File

@ -33,6 +33,10 @@ int ERR_load_CMP_strings(void);
/*
* CMP reason codes.
*/
# define CMP_R_INVALID_ARGS 100
# define CMP_R_MULTIPLE_SAN_SOURCES 102
# define CMP_R_NO_STDIO 194
# define CMP_R_NULL_ARGUMENT 103
# endif
#endif

26
include/openssl/crmf.h
View File

@ -39,30 +39,30 @@ extern "C" {
# define OSSL_CRMF_SUBSEQUENTMESSAGE_ENCRCERT 0
# define OSSL_CRMF_SUBSEQUENTMESSAGE_CHALLENGERESP 1
typedef struct OSSL_crmf_encryptedvalue_st OSSL_CRMF_ENCRYPTEDVALUE;
typedef struct ossl_crmf_encryptedvalue_st OSSL_CRMF_ENCRYPTEDVALUE;
DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_ENCRYPTEDVALUE)
typedef struct OSSL_crmf_msg_st OSSL_CRMF_MSG;
typedef struct ossl_crmf_msg_st OSSL_CRMF_MSG;
DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_MSG)
DEFINE_STACK_OF(OSSL_CRMF_MSG)
typedef struct OSSL_crmf_attributetypeandvalue_st OSSL_CRMF_ATTRIBUTETYPEANDVALUE;
typedef struct OSSL_crmf_pbmparameter_st OSSL_CRMF_PBMPARAMETER;
typedef struct ossl_crmf_attributetypeandvalue_st OSSL_CRMF_ATTRIBUTETYPEANDVALUE;
typedef struct ossl_crmf_pbmparameter_st OSSL_CRMF_PBMPARAMETER;
DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_PBMPARAMETER)
typedef struct OSSL_crmf_poposigningkey_st OSSL_CRMF_POPOSIGNINGKEY;
typedef struct OSSL_crmf_certrequest_st OSSL_CRMF_CERTREQUEST;
typedef struct OSSL_crmf_certid_st OSSL_CRMF_CERTID;
typedef struct ossl_crmf_poposigningkey_st OSSL_CRMF_POPOSIGNINGKEY;
typedef struct ossl_crmf_certrequest_st OSSL_CRMF_CERTREQUEST;
typedef struct ossl_crmf_certid_st OSSL_CRMF_CERTID;
DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_CERTID)
DEFINE_STACK_OF(OSSL_CRMF_CERTID)
typedef struct OSSL_crmf_pkipublicationinfo_st OSSL_CRMF_PKIPUBLICATIONINFO;
typedef struct ossl_crmf_pkipublicationinfo_st OSSL_CRMF_PKIPUBLICATIONINFO;
DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_PKIPUBLICATIONINFO)
typedef struct OSSL_crmf_singlepubinfo_st OSSL_CRMF_SINGLEPUBINFO;
typedef struct ossl_crmf_singlepubinfo_st OSSL_CRMF_SINGLEPUBINFO;
DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_SINGLEPUBINFO)
typedef struct OSSL_crmf_certtemplate_st OSSL_CRMF_CERTTEMPLATE;
typedef struct ossl_crmf_certtemplate_st OSSL_CRMF_CERTTEMPLATE;
DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_CERTTEMPLATE)
typedef STACK_OF(OSSL_CRMF_MSG) OSSL_CRMF_MSGS;
DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_MSGS)
typedef struct OSSL_crmf_optionalvalidity_st OSSL_CRMF_OPTIONALVALIDITY;
typedef struct ossl_crmf_optionalvalidity_st OSSL_CRMF_OPTIONALVALIDITY;
/* crmf_pbm.c */
OSSL_CRMF_PBMPARAMETER *OSSL_CRMF_pbmp_new(size_t slen, int owfnid,
@ -109,7 +109,7 @@ int OSSL_CRMF_MSG_set_certReqId(OSSL_CRMF_MSG *crm, int rid);
int OSSL_CRMF_MSG_get_certReqId(OSSL_CRMF_MSG *crm);
int OSSL_CRMF_MSG_set0_extensions(OSSL_CRMF_MSG *crm, X509_EXTENSIONS *exts);
int OSSL_CRMF_MSG_push0_extension(OSSL_CRMF_MSG *crm, const X509_EXTENSION *ext);
int OSSL_CRMF_MSG_push0_extension(OSSL_CRMF_MSG *crm, X509_EXTENSION *ext);
# define OSSL_CRMF_POPO_NONE -1
# define OSSL_CRMF_POPO_RAVERIFIED 0
# define OSSL_CRMF_POPO_SIGNATURE 1
@ -122,6 +122,8 @@ int OSSL_CRMF_MSGS_verify_popo(const OSSL_CRMF_MSGS *reqs,
OSSL_CRMF_CERTTEMPLATE *OSSL_CRMF_MSG_get0_tmpl(const OSSL_CRMF_MSG *crm);
ASN1_INTEGER *OSSL_CRMF_CERTTEMPLATE_get0_serialNumber(OSSL_CRMF_CERTTEMPLATE *t);
X509_NAME *OSSL_CRMF_CERTTEMPLATE_get0_issuer(OSSL_CRMF_CERTTEMPLATE *tmpl);
X509_NAME *OSSL_CRMF_CERTID_get0_issuer(const OSSL_CRMF_CERTID *cid);
ASN1_INTEGER *OSSL_CRMF_CERTID_get0_serialNumber(const OSSL_CRMF_CERTID *cid);
int OSSL_CRMF_CERTTEMPLATE_fill(OSSL_CRMF_CERTTEMPLATE *tmpl,
EVP_PKEY *pubkey,
const X509_NAME *subject,

7
include/openssl/ocsp.h
View File

@ -26,7 +26,10 @@
* superseded (4),
* cessationOfOperation (5),
* certificateHold (6),
* removeFromCRL (8) }
* -- value 7 is not used
* removeFromCRL (8),
* privilegeWithdrawn (9),
* aACompromise (10) }
*/
# define OCSP_REVOKED_STATUS_NOSTATUS -1
# define OCSP_REVOKED_STATUS_UNSPECIFIED 0
@ -37,6 +40,8 @@
# define OCSP_REVOKED_STATUS_CESSATIONOFOPERATION 5
# define OCSP_REVOKED_STATUS_CERTIFICATEHOLD 6
# define OCSP_REVOKED_STATUS_REMOVEFROMCRL 8
# define OCSP_REVOKED_STATUS_PRIVILEGEWITHDRAWN 9
# define OCSP_REVOKED_STATUS_AACOMPROMISE 10
# ifndef OPENSSL_NO_OCSP

3
include/openssl/trace.h
View File

@ -49,7 +49,8 @@ extern "C" {
# define OSSL_TRACE_CATEGORY_PKCS12_DECRYPT 10
# define OSSL_TRACE_CATEGORY_X509V3_POLICY 11
# define OSSL_TRACE_CATEGORY_BN_CTX 12
# define OSSL_TRACE_CATEGORY_NUM 13
# define OSSL_TRACE_CATEGORY_CMP 13
# define OSSL_TRACE_CATEGORY_NUM 14
/* Returns the trace category number for the given |name| */
int OSSL_trace_get_category_num(const char *name);

13
test/build.info
View File

@ -302,6 +302,7 @@ IF[{- !$disabled{tests} -}]
INCLUDE[ssl_test_ctx.o]=../include
INCLUDE[handshake_helper.o]=.. ../include
INCLUDE[ssltestlib.o]=.. ../include
INCLUDE[cmp_testlib.o]=.. ../include ../apps/include
SOURCE[x509aux]=x509aux.c
INCLUDE[x509aux]=../include ../apps/include
@ -468,6 +469,18 @@ IF[{- !$disabled{tests} -}]
INCLUDE[conf_include_test]=../include ../apps/include
DEPEND[conf_include_test]=../libcrypto libtestutil.a
IF[{- !$disabled{cmp} -}]
PROGRAMS{noinst}=cmp_asn_test cmp_ctx_test
ENDIF
SOURCE[cmp_asn_test]=cmp_asn_test.c cmp_testlib.c
INCLUDE[cmp_asn_test]=.. ../include ../apps/include
DEPEND[cmp_asn_test]=../libcrypto.a libtestutil.a
SOURCE[cmp_ctx_test]=cmp_ctx_test.c cmp_testlib.c
INCLUDE[cmp_ctx_test]=.. ../include ../apps/include
DEPEND[cmp_ctx_test]=../libcrypto.a libtestutil.a
# Internal test programs. These are essentially a collection of internal
# test routines. Some of them need to reach internal symbols that aren't
# available through the shared library (at least on Linux, Solaris, Windows

132
test/cmp_asn_test.c Normal file
View File

@ -0,0 +1,132 @@
/*
* Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright Nokia 2007-2019
* Copyright Siemens AG 2015-2019
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#include "cmp_testlib.h"
static unsigned char rand_data[OSSL_CMP_TRANSACTIONID_LENGTH];
typedef struct test_fixture {
const char *test_case_name;
int expected;
ASN1_OCTET_STRING *src_string;
ASN1_OCTET_STRING *tgt_string;
} CMP_ASN_TEST_FIXTURE;
static CMP_ASN_TEST_FIXTURE *set_up(const char *const test_case_name)
{
CMP_ASN_TEST_FIXTURE *fixture;
int setup_ok = 0;
/* Allocate memory owned by the fixture, exit on error */
if (!TEST_ptr(fixture = OPENSSL_zalloc(sizeof(*fixture))))
goto err;
fixture->test_case_name = test_case_name;
setup_ok = 1;
err:
if (!setup_ok) {
#ifndef OPENSSL_NO_STDIO
ERR_print_errors_fp(stderr);
#endif
exit(EXIT_FAILURE);
}
return fixture;
}
static void tear_down(CMP_ASN_TEST_FIXTURE *fixture)
{
ASN1_OCTET_STRING_free(fixture->src_string);
if (fixture->tgt_string != fixture->src_string)
ASN1_OCTET_STRING_free(fixture->tgt_string);
OPENSSL_free(fixture);
}
static int execute_cmp_asn1_get_int_test(CMP_ASN_TEST_FIXTURE *
fixture)
{
ASN1_INTEGER *asn1integer = ASN1_INTEGER_new();
ASN1_INTEGER_set(asn1integer, 77);
if (!TEST_int_eq(77, ossl_cmp_asn1_get_int(asn1integer)))
return 0;
ASN1_INTEGER_free(asn1integer);
return 1;
}
static int test_cmp_asn1_get_int(void)
{
SETUP_TEST_FIXTURE(CMP_ASN_TEST_FIXTURE, set_up);
fixture->expected = 1;
EXECUTE_TEST(execute_cmp_asn1_get_int_test, tear_down);
return result;
}
static int execute_CMP_ASN1_OCTET_STRING_set1_test(CMP_ASN_TEST_FIXTURE *
fixture)
{
if (!TEST_int_eq(fixture->expected,
ossl_cmp_asn1_octet_string_set1(&fixture->tgt_string,
fixture->src_string)))
return 0;
if (fixture->expected != 0)
return TEST_int_eq(0, ASN1_OCTET_STRING_cmp(fixture->tgt_string,
fixture->src_string));
return 1;
}
static int test_ASN1_OCTET_STRING_set(void)
{
SETUP_TEST_FIXTURE(CMP_ASN_TEST_FIXTURE, set_up);
fixture->expected = 1;
if (!TEST_ptr(fixture->tgt_string = ASN1_OCTET_STRING_new())
|| !TEST_ptr(fixture->src_string = ASN1_OCTET_STRING_new())
|| !TEST_true(ASN1_OCTET_STRING_set(fixture->src_string, rand_data,
sizeof(rand_data)))) {
tear_down(fixture);
fixture = NULL;
}
EXECUTE_TEST(execute_CMP_ASN1_OCTET_STRING_set1_test, tear_down);
return result;
}
static int test_ASN1_OCTET_STRING_set_tgt_is_src(void)
{
SETUP_TEST_FIXTURE(CMP_ASN_TEST_FIXTURE, set_up);
fixture->expected = 1;
if (!TEST_ptr(fixture->src_string = ASN1_OCTET_STRING_new())
|| !(fixture->tgt_string = fixture->src_string)
|| !TEST_true(ASN1_OCTET_STRING_set(fixture->src_string, rand_data,
sizeof(rand_data)))) {
tear_down(fixture);
fixture = NULL;
}
EXECUTE_TEST(execute_CMP_ASN1_OCTET_STRING_set1_test, tear_down);
return result;
}
void cleanup_tests(void)
{
return;
}
int setup_tests(void)
{
/* ASN.1 related tests */
ADD_TEST(test_cmp_asn1_get_int);
ADD_TEST(test_ASN1_OCTET_STRING_set);
ADD_TEST(test_ASN1_OCTET_STRING_set_tgt_is_src);
/* TODO make sure that total number of tests (here currently 24) is shown,
also for other cmp_*text.c. Currently the test drivers always show 1. */
return 1;
}

859
test/cmp_ctx_test.c Normal file
View File

@ -0,0 +1,859 @@
/*
* Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright Nokia 2007-2019
* Copyright Siemens AG 2015-2019
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#include "cmp_testlib.h"
#include <openssl/x509_vfy.h>
typedef struct test_fixture {
const char *test_case_name;
OSSL_CMP_CTX *ctx;
} OSSL_CMP_CTX_TEST_FIXTURE;
static void tear_down(OSSL_CMP_CTX_TEST_FIXTURE *fixture)
{
if (fixture != NULL)
OSSL_CMP_CTX_free(fixture->ctx);
OPENSSL_free(fixture);
}
static OSSL_CMP_CTX_TEST_FIXTURE *set_up(const char *const test_case_name)
{
OSSL_CMP_CTX_TEST_FIXTURE *fixture;
if (!TEST_ptr(fixture = OPENSSL_zalloc(sizeof(*fixture)))
|| !TEST_ptr(fixture->ctx = OSSL_CMP_CTX_new())) {
tear_down(fixture);
return NULL;
}
fixture->test_case_name = test_case_name;
return fixture;
}
static STACK_OF(X509) *sk_X509_new_1(void) {
STACK_OF(X509) *sk = sk_X509_new_null();
X509 *x = X509_new();
if (x == NULL || !sk_X509_push(sk, x)) {
sk_X509_free(sk);
X509_free(x);
sk = NULL;
}
return sk;
}
static void sk_X509_pop_X509_free(STACK_OF(X509) *sk) {
sk_X509_pop_free(sk, X509_free);
}
static int execute_CTX_reinit_test(OSSL_CMP_CTX_TEST_FIXTURE *fixture)
{
OSSL_CMP_CTX *ctx = fixture->ctx;
ASN1_OCTET_STRING *bytes = NULL;
STACK_OF(X509) *certs = NULL;
int res = 0;
/* set non-default values in all relevant fields */
ctx->status = 1;
ctx->failInfoCode = 1;
if (!ossl_cmp_ctx_set0_statusString(ctx, sk_ASN1_UTF8STRING_new_null())
|| !ossl_cmp_ctx_set0_newCert(ctx, X509_new())
|| !TEST_ptr(certs = sk_X509_new_1())
|| !ossl_cmp_ctx_set1_caPubs(ctx, certs)
|| !ossl_cmp_ctx_set1_extraCertsIn(ctx, certs)
|| !ossl_cmp_ctx_set0_validatedSrvCert(ctx, X509_new())
|| !TEST_ptr(bytes = ASN1_OCTET_STRING_new())
|| !OSSL_CMP_CTX_set1_transactionID(ctx, bytes)
|| !OSSL_CMP_CTX_set1_senderNonce(ctx, bytes)
|| !ossl_cmp_ctx_set1_recipNonce(ctx, bytes))
goto err;
if (!TEST_true(OSSL_CMP_CTX_reinit(ctx)))
goto err;
/* check whether values have been reset to default in all relevant fields */
if (!TEST_true(ctx->status == -1
&& ctx->failInfoCode == -1
&& ctx->statusString == NULL
&& ctx->newCert == NULL
&& ctx->caPubs == NULL
&& ctx->extraCertsIn == NULL
&& ctx->validatedSrvCert == NULL
&& ctx->transactionID == NULL
&& ctx->senderNonce == NULL
&& ctx->recipNonce == NULL))
goto err;
/* this does not check that all remaining fields are untouched */
res = 1;
err:
sk_X509_pop_X509_free(certs);
ASN1_OCTET_STRING_free(bytes);
return res;
}
static int test_CTX_reinit(void)
{
SETUP_TEST_FIXTURE(OSSL_CMP_CTX_TEST_FIXTURE, set_up);
EXECUTE_TEST(execute_CTX_reinit_test, tear_down);
return result;
}
static int msg_total_size = 0;
static int msg_total_size_log_cb(const char *func, const char *file, int line,
OSSL_CMP_severity level, const char *msg)
{
msg_total_size += strlen(msg);
return 1;
}
#define STR64 "This is a 64 bytes looooooooooooooooooooooooooooooooong string.\n"
/* max string length ISO C90 compilers are required to support is 509. */
#define STR509 STR64 STR64 STR64 STR64 STR64 STR64 STR64 \
"This is a 61 bytes loooooooooooooooooooooooooooooong string.\n"
static const char *const max_str_literal = STR509;
#define STR_SEP "<SEP>"
static int execute_CTX_print_errors_test(OSSL_CMP_CTX_TEST_FIXTURE *fixture)
{
OSSL_CMP_CTX *ctx = fixture->ctx;
int base_err_msg_size, expected_size;
int res = 1;
if (!TEST_true(OSSL_CMP_CTX_set_log_cb(ctx, NULL)))
res = 0;
if (!TEST_true(ctx->log_cb == NULL))
res = 0;
#ifndef OPENSSL_NO_STDIO
CMPerr(0, CMP_R_MULTIPLE_SAN_SOURCES);
OSSL_CMP_CTX_print_errors(ctx); /* should print above error to STDERR */
#endif
/* this should work regardless of OPENSSL_NO_STDIO and OPENSSL_NO_TRACE: */
if (!TEST_true(OSSL_CMP_CTX_set_log_cb(ctx, msg_total_size_log_cb)))
res = 0;
if (!TEST_true(ctx->log_cb == msg_total_size_log_cb)) {
res = 0;
} else {
CMPerr(0, CMP_R_INVALID_ARGS);
base_err_msg_size = strlen("INVALID_ARGS");
CMPerr(0, CMP_R_NULL_ARGUMENT);
base_err_msg_size += strlen("NULL_ARGUMENT");
expected_size = base_err_msg_size;
ossl_cmp_add_error_data("data1"); /* should prepend separator " : " */
expected_size += strlen(" : " "data1");
ossl_cmp_add_error_data("data2"); /* should prepend separator " : " */
expected_size += strlen(" : " "data2");
ossl_cmp_add_error_line("new line"); /* should prepend separator "\n" */
expected_size += strlen("\n" "new line");
OSSL_CMP_CTX_print_errors(ctx);
if (!TEST_int_eq(msg_total_size, expected_size))
res = 0;
CMPerr(0, CMP_R_INVALID_ARGS);
base_err_msg_size = strlen("INVALID_ARGS") + strlen(" : ");
expected_size = base_err_msg_size;
while (expected_size < 4096) { /* force split */
ossl_cmp_add_error_txt(STR_SEP, max_str_literal);
expected_size += strlen(STR_SEP) + strlen(max_str_literal);
}
expected_size += base_err_msg_size - 2 * strlen(STR_SEP);
msg_total_size = 0;
OSSL_CMP_CTX_print_errors(ctx);
if (!TEST_int_eq(msg_total_size, expected_size))
res = 0;
}
return res;
}
static int test_CTX_print_errors(void)
{
SETUP_TEST_FIXTURE(OSSL_CMP_CTX_TEST_FIXTURE, set_up);
EXECUTE_TEST(execute_CTX_print_errors_test, tear_down);
return result;
}
static int execute_CTX_reqExtensions_have_SAN_test(
OSSL_CMP_CTX_TEST_FIXTURE *fixture)
{
OSSL_CMP_CTX *ctx = fixture->ctx;
const int len = 16;
unsigned char str[16 /* = len */ ];
ASN1_OCTET_STRING *data = NULL;
X509_EXTENSION *ext = NULL;
X509_EXTENSIONS *exts = NULL;
int res = 0;
if (!TEST_false(OSSL_CMP_CTX_reqExtensions_have_SAN(ctx)))
return 0;
if (!TEST_int_eq(1, RAND_bytes(str, len))
|| !TEST_ptr(data = ASN1_OCTET_STRING_new())
|| !TEST_true(ASN1_OCTET_STRING_set(data, str, len)))
goto err;
ext = X509_EXTENSION_create_by_NID(NULL, NID_subject_alt_name, 0, data);
if (!TEST_ptr(ext)
|| !TEST_ptr(exts = sk_X509_EXTENSION_new_null())
|| !TEST_true(sk_X509_EXTENSION_push(exts, ext))
|| !TEST_true(OSSL_CMP_CTX_set0_reqExtensions(ctx, exts))) {
X509_EXTENSION_free(ext);
sk_X509_EXTENSION_free(exts);
goto err;
}
if (TEST_int_eq(OSSL_CMP_CTX_reqExtensions_have_SAN(ctx), 1)) {
ext = sk_X509_EXTENSION_pop(exts);
res = TEST_false(OSSL_CMP_CTX_reqExtensions_have_SAN(ctx));
X509_EXTENSION_free(ext);
}
err:
ASN1_OCTET_STRING_free(data);
return res;
}
static int test_CTX_reqExtensions_have_SAN(void)
{
SETUP_TEST_FIXTURE(OSSL_CMP_CTX_TEST_FIXTURE, set_up);
EXECUTE_TEST(execute_CTX_reqExtensions_have_SAN_test, tear_down);
return result;
}
#ifndef OPENSSL_NO_TRACE
static int test_log_line;
static int test_log_cb_res = 0;
static int test_log_cb(const char *func, const char *file, int line,
OSSL_CMP_severity level, const char *msg)
{
test_log_cb_res =
# ifndef PEDANTIC
strcmp(func, "execute_cmp_ctx_log_cb_test") == 0 &&
# endif
(strcmp(file, OPENSSL_FILE) == 0 || strcmp(file, "(no file)") == 0)
&& (line == test_log_line || line == 0)
&& (level == OSSL_CMP_LOG_INFO || level == -1)
&& strcmp(msg, "ok\n") == 0;
return 1;
}
#endif
static int execute_cmp_ctx_log_cb_test(OSSL_CMP_CTX_TEST_FIXTURE *fixture)
{
int res = 1;
#if !defined OPENSSL_NO_TRACE && !defined OPENSSL_NO_STDIO
OSSL_CMP_CTX *ctx = fixture->ctx;
OSSL_TRACE(ALL, "this general trace message is not shown by default\n");
OSSL_CMP_log_open();
OSSL_CMP_log_open(); /* multiple calls should be harmless */
if (!TEST_true(OSSL_CMP_CTX_set_log_cb(ctx, NULL))) {
res = 0;
} else {
OSSL_CMP_err("this should be printed as CMP error message");
OSSL_CMP_warn("this should be printed as CMP warning message");
OSSL_CMP_debug("this should not be printed");
TEST_true(OSSL_CMP_CTX_set_log_verbosity(ctx, OSSL_CMP_LOG_DEBUG));
OSSL_CMP_debug("this should be printed as CMP debug message");
TEST_true(OSSL_CMP_CTX_set_log_verbosity(ctx, OSSL_CMP_LOG_INFO));
}
if (!TEST_true(OSSL_CMP_CTX_set_log_cb(ctx, test_log_cb))) {
res = 0;
} else {
test_log_line = OPENSSL_LINE + 1;
OSSL_CMP_log2(INFO, "%s%c", "o", 'k');
if (!TEST_int_eq(test_log_cb_res, 1))
res = 0;
OSSL_CMP_CTX_set_log_verbosity(ctx, OSSL_CMP_LOG_ERR);
test_log_cb_res = -1; /* callback should not be called at all */
test_log_line = OPENSSL_LINE + 1;
OSSL_CMP_log2(INFO, "%s%c", "o", 'k');
if (!TEST_int_eq(test_log_cb_res, -1))
res = 0;
}
OSSL_CMP_log_close();
OSSL_CMP_log_close(); /* multiple calls should be harmless */
#endif
return res;
}
static int test_cmp_ctx_log_cb(void)
{
SETUP_TEST_FIXTURE(OSSL_CMP_CTX_TEST_FIXTURE, set_up);
EXECUTE_TEST(execute_cmp_ctx_log_cb_test, tear_down);
return result;
}
static BIO *test_http_cb(OSSL_CMP_CTX *ctx, BIO *hbio, unsigned long detail)
{
return NULL;
}
static int test_transfer_cb(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *req,
OSSL_CMP_MSG **res)
{
return 0;
}
static int test_certConf_cb(OSSL_CMP_CTX *ctx, X509 *cert, int fail_info,
const char **txt)
{
return 0;
}
typedef OSSL_CMP_CTX CMP_CTX; /* prevents rewriting type name by below macro */
#define OSSL_CMP_CTX 1 /* name prefix for exported setter functions */
#define ossl_cmp_ctx 0 /* name prefix for internal setter functions */
#define set 0
#define set0 0
#define set1 1
#define get 0
#define get0 0
#define get1 1
#define DEFINE_SET_GET_BASE_TEST(PREFIX, SETN, GETN, DUP, FIELD, TYPE, ERR, \
DEFAULT, NEW, FREE) \
static int execute_CTX_##SETN##_##GETN##_##FIELD( \
OSSL_CMP_CTX_TEST_FIXTURE *fixture) \
{ \
CMP_CTX *ctx = fixture->ctx; \
int (*set_fn)(CMP_CTX *ctx, TYPE) = \
(int (*)(CMP_CTX *ctx, TYPE))PREFIX##_##SETN##_##FIELD; \
/* need type cast in above assignment because TYPE arg sometimes is const */ \
TYPE (*get_fn)(const CMP_CTX *ctx) = OSSL_CMP_CTX_##GETN##_##FIELD; \
TYPE val1_to_free = NEW; \
TYPE val1 = val1_to_free; \
TYPE val1_read = 0; /* 0 works for any type */ \
TYPE val2_to_free = NEW; \
TYPE val2 = val2_to_free; \
TYPE val2_read = 0; \
TYPE val3_read = 0; \
int res = 1; \
\
if (!TEST_int_eq(ERR_peek_error(), 0)) \
res = 0; \
if (PREFIX == 1) { /* exported setter functions must test ctx == NULL */ \
if ((*set_fn)(NULL, val1) || ERR_peek_error() == 0) { \
TEST_error("setter did not return error on ctx == NULL"); \
res = 0; \
} \
} \
ERR_clear_error(); \
\
if ((*get_fn)(NULL) != ERR || ERR_peek_error() == 0) { \
TEST_error("getter did not return error on ctx == NULL"); \
res = 0; \
} \
ERR_clear_error(); \
\
val1_read = (*get_fn)(ctx); \
if (!DEFAULT(val1_read)) { \
TEST_error("did not get default value"); \
res = 0; \
} \
if (!(*set_fn)(ctx, val1)) { \
TEST_error("setting first value failed"); \
res = 0; \
} \
if (SETN == 0) \
val1_to_free = 0; /* 0 works for any type */ \
\
if (GETN == 1) \
FREE(val1_read); \
val1_read = (*get_fn)(ctx); \
if (SETN == 0) { \
if (val1_read != val1) { \
TEST_error("set/get first value did not match"); \
res = 0; \
} \
} else { \
if (DUP && val1_read == val1) { \
TEST_error("first set did not dup the value"); \
res = 0; \
} \
if (DEFAULT(val1_read)) { \
TEST_error("first set had no effect"); \
res = 0; \
} \
} \
\
if (!(*set_fn)(ctx, val2)) { \
TEST_error("setting second value failed"); \
res = 0; \
} \
if (SETN == 0) \
val2_to_free = 0; \
\
val2_read = (*get_fn)(ctx); \
if (DEFAULT(val2_read)) { \
TEST_error("second set reset the value"); \
res = 0; \
} \
if (SETN == 0 && GETN == 0) { \
if (val2_read != val2) { \
TEST_error("set/get second value did not match"); \
res = 0; \
} \
} else { \
if (DUP && val2_read == val2) { \
TEST_error("second set did not dup the value"); \
res = 0; \
} \
if (val2 == val1) { \
TEST_error("second value is same as first value"); \
res = 0; \
} \
if (GETN == 1 && val2_read == val1_read) { \
/* \
* Note that if GETN == 0 then possibly val2_read == val1_read \
* because set1 may allocate the new copy at the same location. \
*/ \
TEST_error("second get returned same as first get"); \
res = 0; \
} \
} \
\
val3_read = (*get_fn)(ctx); \
if (DEFAULT(val3_read)) { \
TEST_error("third set reset the value"); \
res = 0; \
} \
if (GETN == 0) { \
if (val3_read != val2_read) { \
TEST_error("third get gave different value"); \
res = 0; \
} \
} else { \
if (DUP && val3_read == val2_read) { \
TEST_error("third get did not create a new dup"); \
res = 0; \
} \
} \
/* this does not check that all remaining fields are untouched */ \
\
if (!TEST_int_eq(ERR_peek_error(), 0)) \
res = 0; \
\
FREE(val1_to_free); \
FREE(val2_to_free); \
if (GETN == 1) { \
FREE(val1_read); \
FREE(val2_read); \
FREE(val3_read); \
} \
return TEST_true(res); \
} \
\
static int test_CTX_##SETN##_##GETN##_##FIELD(void) \
{ \
SETUP_TEST_FIXTURE(OSSL_CMP_CTX_TEST_FIXTURE, set_up); \
EXECUTE_TEST(execute_CTX_##SETN##_##GETN##_##FIELD, tear_down); \
return result; \
}
static char *char_new(void) {
return OPENSSL_strdup("test");
}
static void char_free(char *val) {
OPENSSL_free(val);
}
#define EMPTY_SK_X509(x) ((x) == NULL || sk_X509_num(x) == 0)
static X509_STORE *X509_STORE_new_1(void) {
X509_STORE *store = X509_STORE_new();
if (store != NULL)
X509_VERIFY_PARAM_set_flags(X509_STORE_get0_param(store), 1);
return store;
}
#define DEFAULT_STORE(x) ((x) == NULL \
|| X509_VERIFY_PARAM_get_flags(X509_STORE_get0_param(x)) == 0)
#define IS_NEG(x) ((x) < 0)
#define IS_0(x) ((x) == 0) /* for any type */
#define IS_DEFAULT_PORT(x) ((x) == OSSL_CMP_DEFAULT_PORT)
#define DROP(x) (void)(x) /* dummy free() for non-pointer and function types */
#define ERR(x) (CMPerr(0, CMP_R_NULL_ARGUMENT), x)
#define DEFINE_SET_GET_TEST(OSSL_CMP, CTX, N, M, DUP, FIELD, TYPE) \
DEFINE_SET_GET_BASE_TEST(OSSL_CMP##_##CTX, set##N, get##M, DUP, FIELD, \
TYPE*, NULL, IS_0, TYPE##_new(), TYPE##_free)
#define DEFINE_SET_GET_SK_TEST_DEFAULT(OSSL_CMP, CTX, N, M, FIELD, ELEM_TYPE, \
DEFAULT, NEW, FREE) \
DEFINE_SET_GET_BASE_TEST(OSSL_CMP##_##CTX, set##N, get##M, 1, FIELD, \
STACK_OF(ELEM_TYPE)*, NULL, DEFAULT, NEW, FREE)
#define DEFINE_SET_GET_SK_TEST(OSSL_CMP, CTX, N, M, FIELD, T) \
DEFINE_SET_GET_SK_TEST_DEFAULT(OSSL_CMP, CTX, N, M, FIELD, T, \
IS_0, sk_##T##_new_null(), sk_##T##_free)
#define DEFINE_SET_GET_SK_X509_TEST(OSSL_CMP, CTX, N, M, FNAME) \
DEFINE_SET_GET_SK_TEST_DEFAULT(OSSL_CMP, CTX, N, M, FNAME, X509, \
EMPTY_SK_X509, \
sk_X509_new_1(), sk_X509_pop_X509_free)
#define DEFINE_SET_GET_TEST_DEFAULT(OSSL_CMP, CTX, N, M, DUP, FIELD, TYPE, \
DEFAULT) \
DEFINE_SET_GET_BASE_TEST(OSSL_CMP##_##CTX, set##N, get##M, DUP, FIELD, \
TYPE*, NULL, DEFAULT, TYPE##_new(), TYPE##_free)
#define DEFINE_SET_TEST_DEFAULT(OSSL_CMP, CTX, N, DUP, FIELD, TYPE, DEFAULT) \
static TYPE *OSSL_CMP_CTX_get0_##FIELD(const CMP_CTX *ctx) \
{ \
return ctx == NULL ? ERR(NULL) : ctx->FIELD; \
} \
DEFINE_SET_GET_TEST_DEFAULT(OSSL_CMP, CTX, N, 0, DUP, FIELD, TYPE, DEFAULT)
#define DEFINE_SET_TEST(OSSL_CMP, CTX, N, DUP, FIELD, TYPE) \
DEFINE_SET_TEST_DEFAULT(OSSL_CMP, CTX, N, DUP, FIELD, TYPE, IS_0)
#define DEFINE_SET_SK_TEST(OSSL_CMP, CTX, N, FIELD, TYPE) \
static STACK_OF(TYPE) *OSSL_CMP_CTX_get0_##FIELD(const CMP_CTX *ctx) \
{ \
return ctx == NULL ? ERR(NULL) : ctx->FIELD; \
} \
DEFINE_SET_GET_BASE_TEST(OSSL_CMP##_##CTX, set##N, get0, 1, FIELD, \
STACK_OF(TYPE)*, NULL, IS_0, \
sk_##TYPE##_new_null(), sk_##TYPE##_free)
#define DEFINE_SET_CB_TEST(FIELD) \
static OSSL_cmp_##FIELD##_t \
OSSL_CMP_CTX_get_##FIELD(const CMP_CTX *ctx) \
{ \
if (ctx == NULL) \
CMPerr(0, CMP_R_NULL_ARGUMENT); \
return ctx == NULL ? NULL /* cannot use ERR(NULL) here */ : ctx->FIELD;\
} \
DEFINE_SET_GET_BASE_TEST(OSSL_CMP_CTX, set, get, 0, FIELD, \
OSSL_cmp_##FIELD##_t, NULL, IS_0, \
test_##FIELD, DROP)
#define DEFINE_SET_GET_P_VOID_TEST(FIELD) \
DEFINE_SET_GET_BASE_TEST(OSSL_CMP_CTX, set, get, 0, FIELD, void*, \
NULL, IS_0, ((void *)1), DROP)
#define DEFINE_SET_GET_INT_TEST_DEFAULT(OSSL_CMP, CTX, FIELD, DEFAULT) \
DEFINE_SET_GET_BASE_TEST(OSSL_CMP##_##CTX, set, get, 0, FIELD, int, -1, \
DEFAULT, 1, DROP)
#define DEFINE_SET_GET_INT_TEST(OSSL_CMP, CTX, FIELD) \
DEFINE_SET_GET_INT_TEST_DEFAULT(OSSL_CMP, CTX, FIELD, IS_NEG)
#define DEFINE_SET_PORT_TEST(FIELD) \
static int OSSL_CMP_CTX_get_##FIELD(const CMP_CTX *ctx) \
{ \
return ctx == NULL ? ERR(-1) : ctx->FIELD; \
} \
DEFINE_SET_GET_INT_TEST_DEFAULT(OSSL_CMP, CTX, FIELD, IS_DEFAULT_PORT)
#define DEFINE_SET_GET_ARG_FN(SETN, GETN, FIELD, ARG, T) \
static int OSSL_CMP_CTX_##SETN##_##FIELD##_##ARG(CMP_CTX *ctx, T val) \
{ \
return OSSL_CMP_CTX_##SETN##_##FIELD(ctx, ARG, val); \
} \
\
static T OSSL_CMP_CTX_##GETN##_##FIELD##_##ARG(const CMP_CTX *ctx) \
{ \
return OSSL_CMP_CTX_##GETN##_##FIELD(ctx, ARG); \
}
#define DEFINE_SET_GET1_STR_FN(SETN, FIELD) \
static int OSSL_CMP_CTX_##SETN##_##FIELD##_str(CMP_CTX *ctx, char *val)\
{ \
return OSSL_CMP_CTX_##SETN##_##FIELD(ctx, (unsigned char *)val, \
strlen(val)); \
} \
\
static char *OSSL_CMP_CTX_get1_##FIELD##_str(const CMP_CTX *ctx) \
{ \
const ASN1_OCTET_STRING *bytes = ctx == NULL ? ERR(NULL) : ctx->FIELD; \
\
return bytes == NULL ? NULL : \
OPENSSL_strndup((char *)bytes->data, bytes->length); \
}
#define push 0
#define push0 0
#define push1 1
#define DEFINE_PUSH_BASE_TEST(PUSHN, DUP, FIELD, ELEM, TYPE, T, \
DEFAULT, NEW, FREE) \
static TYPE sk_top_##FIELD(const CMP_CTX *ctx) { \
return sk_##T##_value(ctx->FIELD, sk_##T##_num(ctx->FIELD) - 1); \
} \
\
static int execute_CTX_##PUSHN##_##ELEM(OSSL_CMP_CTX_TEST_FIXTURE *fixture) \
{ \
CMP_CTX *ctx = fixture->ctx; \
int (*push_fn)(CMP_CTX *ctx, TYPE) = \
(int (*)(CMP_CTX *ctx, TYPE))OSSL_CMP_CTX_##PUSHN##_##ELEM; \
/* need type cast in above assignment because TYPE arg sometimes is const */ \
int n_elem = sk_##T##_num(ctx->FIELD); \
STACK_OF(TYPE) field_read; \
TYPE val1_to_free = NEW; \
TYPE val1 = val1_to_free; \
TYPE val1_read = 0; /* 0 works for any type */ \
TYPE val2_to_free = NEW; \
TYPE val2 = val2_to_free; \
TYPE val2_read = 0; \
int res = 1; \
\
if (!TEST_int_eq(ERR_peek_error(), 0)) \
res = 0; \
if ((*push_fn)(NULL, val1) || ERR_peek_error() == 0) { \
TEST_error("pusher did not return error on ctx == NULL"); \
res = 0; \
} \
ERR_clear_error(); \
\
if (n_elem < 0) /* can happen for NULL stack */ \
n_elem = 0; \
field_read = ctx->FIELD; \
if (!DEFAULT(field_read)) { \
TEST_error("did not get default value for stack field"); \
res = 0; \
} \
if (!(*push_fn)(ctx, val1)) { \
TEST_error("pushing first value failed"); \
res = 0; \
} \
if (PUSHN == 0) \
val1_to_free = 0; /* 0 works for any type */ \
\
if (sk_##T##_num(ctx->FIELD) != ++n_elem) { \
TEST_error("pushing first value did not increment number"); \
res = 0; \
} \
val1_read = sk_top_##FIELD(ctx); \
if (PUSHN == 0) { \
if (val1_read != val1) { \
TEST_error("push/sk_top first value did not match"); \
res = 0; \
} \
} else { \
if (DUP && val1_read == val1) { \
TEST_error("first push did not dup the value"); \
res = 0; \
} \
} \
\
if (!(*push_fn)(ctx, val2)) { \
TEST_error("pushting second value failed"); \
res = 0; \
} \
if (PUSHN == 0) \
val2_to_free = 0; \
\
if (sk_##T##_num(ctx->FIELD) != ++n_elem) { \
TEST_error("pushing second value did not increment number"); \
res = 0; \
} \
val2_read = sk_top_##FIELD(ctx); \
if (PUSHN == 0) { \
if (val2_read != val2) { \
TEST_error("push/sk_top second value did not match"); \
res = 0; \
} \
} else { \
if (DUP && val2_read == val2) { \
TEST_error("second push did not dup the value"); \
res = 0; \
} \
if (val2 == val1) { \
TEST_error("second value is same as first value"); \
res = 0; \
} \
} \
/* this does not check that all remaining fields and elems are untouched */\
\
if (!TEST_int_eq(ERR_peek_error(), 0)) \
res = 0; \
\
FREE(val1_to_free); \
FREE(val2_to_free); \
return TEST_true(res); \
} \
\
static int test_CTX_##PUSHN##_##ELEM(void) \
{ \
SETUP_TEST_FIXTURE(OSSL_CMP_CTX_TEST_FIXTURE, set_up); \
EXECUTE_TEST(execute_CTX_##PUSHN##_##ELEM, tear_down); \
return result; \
} \
#define DEFINE_PUSH_TEST(N, DUP, FIELD, ELEM, TYPE) \
DEFINE_PUSH_BASE_TEST(push##N, DUP, FIELD, ELEM, TYPE*, TYPE, \
IS_0, TYPE##_new(), TYPE##_free)
void cleanup_tests(void)
{
return;
}
DEFINE_SET_GET_ARG_FN(set, get, option, 16, int)
/* option == OSSL_CMP_OPT_IGNORE_KEYUSAGE */
DEFINE_SET_GET_BASE_TEST(OSSL_CMP_CTX, set, get, 0, option_16, int, -1, IS_0, \
1 /* true */, DROP)
#ifndef OPENSSL_NO_TRACE
DEFINE_SET_CB_TEST(log_cb)
#endif
DEFINE_SET_TEST_DEFAULT(OSSL_CMP, CTX, 1, 1, serverPath, char, IS_0)
DEFINE_SET_TEST(OSSL_CMP, CTX, 1, 1, serverName, char)
DEFINE_SET_PORT_TEST(serverPort)
DEFINE_SET_TEST(OSSL_CMP, CTX, 1, 1, proxyName, char)
DEFINE_SET_PORT_TEST(proxyPort)
DEFINE_SET_CB_TEST(http_cb)
DEFINE_SET_GET_P_VOID_TEST(http_cb_arg)
DEFINE_SET_CB_TEST(transfer_cb)
DEFINE_SET_GET_P_VOID_TEST(transfer_cb_arg)
DEFINE_SET_TEST(OSSL_CMP, CTX, 1, 0, srvCert, X509)
DEFINE_SET_TEST(ossl_cmp, ctx, 0, 0, validatedSrvCert, X509)
DEFINE_SET_TEST(OSSL_CMP, CTX, 1, 1, expected_sender, X509_NAME)
DEFINE_SET_GET_BASE_TEST(OSSL_CMP_CTX, set0, get0, 0, trustedStore,
X509_STORE*, NULL,
DEFAULT_STORE, X509_STORE_new_1(), X509_STORE_free)
DEFINE_SET_GET_SK_X509_TEST(OSSL_CMP, CTX, 1, 0, untrusted_certs)
DEFINE_SET_TEST(OSSL_CMP, CTX, 1, 0, clCert, X509)
DEFINE_SET_TEST(OSSL_CMP, CTX, 1, 0, pkey, EVP_PKEY)
DEFINE_SET_TEST(OSSL_CMP, CTX, 1, 1, recipient, X509_NAME)
DEFINE_PUSH_TEST(0, 0, geninfo_ITAVs, geninfo_ITAV, OSSL_CMP_ITAV)
DEFINE_SET_SK_TEST(OSSL_CMP, CTX, 1, extraCertsOut, X509)
DEFINE_SET_GET_ARG_FN(set0, get0, newPkey, 1, EVP_PKEY*) /* priv == 1 */
DEFINE_SET_GET_TEST(OSSL_CMP, CTX, 0, 0, 0, newPkey_1, EVP_PKEY)
DEFINE_SET_GET_ARG_FN(set0, get0, newPkey, 0, EVP_PKEY*) /* priv == 0 */
DEFINE_SET_GET_TEST(OSSL_CMP, CTX, 0, 0, 0, newPkey_0, EVP_PKEY)
DEFINE_SET_GET1_STR_FN(set1, referenceValue)
DEFINE_SET_GET_TEST_DEFAULT(OSSL_CMP, CTX, 1, 1, 1, referenceValue_str,
char, IS_0)
DEFINE_SET_GET1_STR_FN(set1, secretValue)
DEFINE_SET_GET_TEST_DEFAULT(OSSL_CMP, CTX, 1, 1, 1, secretValue_str,
char, IS_0)
DEFINE_SET_TEST(OSSL_CMP, CTX, 1, 1, issuer, X509_NAME)
DEFINE_SET_TEST(OSSL_CMP, CTX, 1, 1, subjectName, X509_NAME)
#ifdef ISSUE_9504_RESOLVED
DEFINE_PUSH_TEST(1, 1, subjectAltNames, subjectAltName, GENERAL_NAME)
#endif
DEFINE_SET_SK_TEST(OSSL_CMP, CTX, 0, reqExtensions, X509_EXTENSION)
DEFINE_PUSH_TEST(0, 0, policies, policy, POLICYINFO)
DEFINE_SET_TEST(OSSL_CMP, CTX, 1, 0, oldCert, X509)
#ifdef ISSUE_9504_RESOLVED
DEFINE_SET_TEST(OSSL_CMP, CTX, 1, 1, p10CSR, X509_REQ)
#endif
DEFINE_PUSH_TEST(0, 0, genm_ITAVs, genm_ITAV, OSSL_CMP_ITAV)
DEFINE_SET_CB_TEST(certConf_cb)
DEFINE_SET_GET_P_VOID_TEST(certConf_cb_arg)
DEFINE_SET_GET_INT_TEST(ossl_cmp, ctx, status)
DEFINE_SET_GET_SK_TEST(ossl_cmp, ctx, 0, 0, statusString, ASN1_UTF8STRING)
DEFINE_SET_GET_INT_TEST(ossl_cmp, ctx, failInfoCode)
DEFINE_SET_GET_TEST(ossl_cmp, ctx, 0, 0, 0, newCert, X509)
DEFINE_SET_GET_SK_X509_TEST(ossl_cmp, ctx, 1, 1, caPubs)
DEFINE_SET_GET_SK_X509_TEST(ossl_cmp, ctx, 1, 1, extraCertsIn)
DEFINE_SET_TEST_DEFAULT(OSSL_CMP, CTX, 1, 1, transactionID,
ASN1_OCTET_STRING, IS_0)
DEFINE_SET_TEST(OSSL_CMP, CTX, 1, 1, senderNonce, ASN1_OCTET_STRING)
DEFINE_SET_TEST(ossl_cmp, ctx, 1, 1, recipNonce, ASN1_OCTET_STRING)
int setup_tests(void)
{
/* OSSL_CMP_CTX_new() is tested by set_up() */
/* OSSL_CMP_CTX_free() is tested by tear_down() */
ADD_TEST(test_CTX_reinit);
/* various CMP options: */
ADD_TEST(test_CTX_set_get_option_16);
/* CMP-specific callback for logging and outputting the error queue: */
#ifndef OPENSSL_NO_TRACE
ADD_TEST(test_CTX_set_get_log_cb);
#endif
/*
* also tests OSSL_CMP_log_open(), OSSL_CMP_CTX_set_log_verbosity(),
* OSSL_CMP_err(), OSSL_CMP_warn(), * OSSL_CMP_debug(),
* OSSL_CMP_log2(), ossl_cmp_log_parse_metadata(), and OSSL_CMP_log_close()
* with OSSL_CMP_severity OSSL_CMP_LOG_ERR/WARNING/DEBUG/INFO:
*/
ADD_TEST(test_cmp_ctx_log_cb);
/* also tests OSSL_CMP_CTX_set_log_cb(), OSSL_CMP_print_errors_cb(),
ossl_cmp_add_error_txt(), and the macros
ossl_cmp_add_error_data and ossl_cmp_add_error_line:
*/
ADD_TEST(test_CTX_print_errors);
/* message transfer: */
ADD_TEST(test_CTX_set1_get0_serverPath);
ADD_TEST(test_CTX_set1_get0_serverName);
ADD_TEST(test_CTX_set_get_serverPort);
ADD_TEST(test_CTX_set1_get0_proxyName);
ADD_TEST(test_CTX_set_get_proxyPort);
ADD_TEST(test_CTX_set_get_http_cb);
ADD_TEST(test_CTX_set_get_http_cb_arg);
ADD_TEST(test_CTX_set_get_transfer_cb);
ADD_TEST(test_CTX_set_get_transfer_cb_arg);
/* server authentication: */
ADD_TEST(test_CTX_set1_get0_srvCert);
ADD_TEST(test_CTX_set0_get0_validatedSrvCert);
ADD_TEST(test_CTX_set1_get0_expected_sender);
ADD_TEST(test_CTX_set0_get0_trustedStore);
ADD_TEST(test_CTX_set1_get0_untrusted_certs);
/* client authentication: */
ADD_TEST(test_CTX_set1_get0_clCert);
ADD_TEST(test_CTX_set1_get0_pkey);
/* the following two also test ossl_cmp_asn1_octet_string_set1_bytes(): */
ADD_TEST(test_CTX_set1_get1_referenceValue_str);
ADD_TEST(test_CTX_set1_get1_secretValue_str);
/* CMP message header and extra certificates: */
ADD_TEST(test_CTX_set1_get0_recipient);
ADD_TEST(test_CTX_push0_geninfo_ITAV);
ADD_TEST(test_CTX_set1_get0_extraCertsOut);
/* certificate template: */
ADD_TEST(test_CTX_set0_get0_newPkey_1);
ADD_TEST(test_CTX_set0_get0_newPkey_0);
ADD_TEST(test_CTX_set1_get0_issuer);
ADD_TEST(test_CTX_set1_get0_subjectName);
#ifdef ISSUE_9504_RESOLVED
/* test currently fails, see https://github.com/openssl/openssl/issues/9504 */
ADD_TEST(test_CTX_push1_subjectAltName);
#endif
ADD_TEST(test_CTX_set0_get0_reqExtensions);
ADD_TEST(test_CTX_reqExtensions_have_SAN);
ADD_TEST(test_CTX_push0_policy);
ADD_TEST(test_CTX_set1_get0_oldCert);
#ifdef ISSUE_9504_RESOLVED
/* test currently fails, see https://github.com/openssl/openssl/issues/9504 */
ADD_TEST(test_CTX_set1_get0_p10CSR);
#endif
/* misc body contents: */
ADD_TEST(test_CTX_push0_genm_ITAV);
/* certificate confirmation: */
ADD_TEST(test_CTX_set_get_certConf_cb);
ADD_TEST(test_CTX_set_get_certConf_cb_arg);
/* result fetching: */
ADD_TEST(test_CTX_set_get_status);
ADD_TEST(test_CTX_set0_get0_statusString);
ADD_TEST(test_CTX_set_get_failInfoCode);
ADD_TEST(test_CTX_set0_get0_newCert);
ADD_TEST(test_CTX_set1_get1_caPubs);
ADD_TEST(test_CTX_set1_get1_extraCertsIn);
/* exported for testing and debugging purposes: */
/* the following three also test ossl_cmp_asn1_octet_string_set1(): */
ADD_TEST(test_CTX_set1_get0_transactionID);
ADD_TEST(test_CTX_set1_get0_senderNonce);
ADD_TEST(test_CTX_set1_get0_recipNonce);
/* TODO ossl_cmp_build_cert_chain() will be tested with cmp_protect.c*/
return 1;
}

120
test/cmp_testlib.c Normal file
View File

@ -0,0 +1,120 @@
/*
* Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright Nokia 2007-2019
* Copyright Siemens AG 2015-2019
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#include "cmp_testlib.h"
#include <openssl/rsa.h> /* needed in case config no-deprecated */
EVP_PKEY *load_pem_key(const char *file)
{
EVP_PKEY *key = NULL;
BIO *bio = NULL;
if (!TEST_ptr(bio = BIO_new(BIO_s_file())))
return NULL;
if (TEST_int_gt(BIO_read_filename(bio, file), 0))
(void)TEST_ptr(key = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL));
BIO_free(bio);
return key;
}
X509 *load_pem_cert(const char *file)
{
X509 *cert = NULL;
BIO *bio = NULL;
if (!TEST_ptr(bio = BIO_new(BIO_s_file())))
return NULL;
if (TEST_int_gt(BIO_read_filename(bio, file), 0))
(void)TEST_ptr(cert = PEM_read_bio_X509(bio, NULL, NULL, NULL));
BIO_free(bio);
return cert;
}
X509_REQ *load_csr(const char *file)
{
X509_REQ *csr = NULL;
BIO *bio = NULL;
if (!TEST_ptr(file) || !TEST_ptr(bio = BIO_new_file(file, "rb")))
return NULL;
(void)TEST_ptr(csr = d2i_X509_REQ_bio(bio, NULL));
BIO_free(bio);
return csr;
}
EVP_PKEY *gen_rsa(void)
{
EVP_PKEY_CTX *ctx = NULL;
EVP_PKEY *pkey = NULL;
(void)(TEST_ptr(ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL))
&& TEST_int_gt(EVP_PKEY_keygen_init(ctx), 0)
&& TEST_int_gt(EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, 2048), 0)
&& TEST_int_gt(EVP_PKEY_keygen(ctx, &pkey), 0));
EVP_PKEY_CTX_free(ctx);
return pkey;
}
/*
* Checks whether the syntax of msg conforms to ASN.1
*/
int valid_asn1_encoding(const OSSL_CMP_MSG *msg)
{
return msg != NULL ? i2d_OSSL_CMP_MSG(msg, NULL) > 0 : 0;
}
/*
* Compares two stacks of certificates in the order of their elements.
* Returns 0 if sk1 and sk2 are equal and another value otherwise
*/
int STACK_OF_X509_cmp(const STACK_OF(X509) *sk1, const STACK_OF(X509) *sk2)
{
int i, res;
X509 *a, *b;
if (sk1 == sk2)
return 0;
if (sk1 == NULL)
return -1;
if (sk2 == NULL)
return 1;
if ((res = sk_X509_num(sk1) - sk_X509_num(sk2)))
return res;
for (i = 0; i < sk_X509_num(sk1); i++) {
a = sk_X509_value(sk1, i);
b = sk_X509_value(sk2, i);
if (a != b)
if ((res = X509_cmp(a, b)) != 0)
return res;
}
return 0;
}
/*
* Up refs and push a cert onto sk.
* Returns the number of certificates on the stack on success
* Returns -1 or 0 on error
*/
int STACK_OF_X509_push1(STACK_OF(X509) *sk, X509 *cert)
{
int res;
if (sk == NULL || cert == NULL)
return -1;
if (!X509_up_ref(cert))
return -1;
res = sk_X509_push(sk, cert);
if (res <= 0)
X509_free(cert); /* down-ref */
return res;
}

34
test/cmp_testlib.h Normal file
View File

@ -0,0 +1,34 @@
/*
* Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright Nokia 2007-2019
* Copyright Siemens AG 2015-2019
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#ifndef HEADER_CMP_TEST_LIB_H
# define HEADER_CMP_TEST_LIB_H
# include <openssl/cmp.h>
# include <openssl/pem.h>
# include <openssl/rand.h>
#include "../crypto/cmp/cmp_int.h"
# include "testutil.h"
# ifndef OPENSSL_NO_CMP
# define CMP_TEST_REFVALUE_LENGTH 15 /* arbitrary value */
EVP_PKEY *load_pem_key(const char *file);
X509 *load_pem_cert(const char *file);
X509_REQ *load_csr(const char *file);
int valid_asn1_encoding(const OSSL_CMP_MSG *msg);
EVP_PKEY *gen_rsa(void);
int STACK_OF_X509_cmp(const STACK_OF(X509) *sk1, const STACK_OF(X509) *sk2);
int STACK_OF_X509_push1(STACK_OF(X509) *sk, X509 *cert);
# endif
#endif /* HEADER_CMP_TEST_LIB_H */

22
test/recipes/65-test_cmp_asn.t Normal file
View File

@ -0,0 +1,22 @@
#! /usr/bin/env perl
# Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
# Copyright Nokia 2007-2019
# Copyright Siemens AG 2015-2019
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use strict;
use OpenSSL::Test qw/:DEFAULT data_file/;
use OpenSSL::Test::Utils;
setup("test_cmp_asn");
plan skip_all => "This test is not supported in a no-cmp build"
if disabled("cmp");
plan tests => 1;
ok(run(test(["cmp_asn_test"])));

22
test/recipes/65-test_cmp_ctx.t Normal file
View File

@ -0,0 +1,22 @@
#! /usr/bin/env perl
# Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
# Copyright Nokia 2007-2019
# Copyright Siemens AG 2015-2019
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use strict;
use OpenSSL::Test; # get 'plan'
use OpenSSL::Test::Simple;
use OpenSSL::Test::Utils;
setup("test_cmp_ctx");
plan skip_all => "This test is not supported in a no-cmp build"
if disabled("cmp");
simple_test("test_cmp_ctx", "cmp_ctx_test", "cmp_ctx");

294
util/libcrypto.num
View File

@ -4647,122 +4647,178 @@ OSSL_CMP_ITAV_get0_value 4763 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_ITAV_push0_stack_item 4764 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_ITAV_free 4765 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_MSG_free 4766 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_PKISI_free 4767 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_MSG_dup 4768 3_0_0 EXIST::FUNCTION:CMP
ERR_load_CMP_strings 4769 3_0_0 EXIST::FUNCTION:CMP
EVP_MD_CTX_set_params 4770 3_0_0 EXIST::FUNCTION:
EVP_MD_CTX_get_params 4771 3_0_0 EXIST::FUNCTION:
RAND_DRBG_new_ex 4772 3_0_0 EXIST::FUNCTION:
RAND_DRBG_secure_new_ex 4773 3_0_0 EXIST::FUNCTION:
OPENSSL_CTX_get0_master_drbg 4774 3_0_0 EXIST::FUNCTION:
OPENSSL_CTX_get0_public_drbg 4775 3_0_0 EXIST::FUNCTION:
OPENSSL_CTX_get0_private_drbg 4776 3_0_0 EXIST::FUNCTION:
BN_CTX_new_ex 4777 3_0_0 EXIST::FUNCTION:
BN_CTX_secure_new_ex 4778 3_0_0 EXIST::FUNCTION:
OPENSSL_thread_stop_ex 4779 3_0_0 EXIST::FUNCTION:
OSSL_PARAM_locate_const 4780 3_0_0 EXIST::FUNCTION:
X509_REQ_set0_sm2_id 4781 3_0_0 EXIST::FUNCTION:SM2
X509_REQ_get0_sm2_id 4782 3_0_0 EXIST::FUNCTION:SM2
BN_rand_ex 4783 3_0_0 EXIST::FUNCTION:
BN_priv_rand_ex 4784 3_0_0 EXIST::FUNCTION:
BN_rand_range_ex 4785 3_0_0 EXIST::FUNCTION:
BN_priv_rand_range_ex 4786 3_0_0 EXIST::FUNCTION:
BN_generate_prime_ex2 4787 3_0_0 EXIST::FUNCTION:
EVP_PKEY_derive_init_ex 4788 3_0_0 EXIST::FUNCTION:
EVP_KEYEXCH_free 4789 3_0_0 EXIST::FUNCTION:
EVP_KEYEXCH_up_ref 4790 3_0_0 EXIST::FUNCTION:
EVP_KEYEXCH_fetch 4791 3_0_0 EXIST::FUNCTION:
EVP_PKEY_CTX_set_dh_pad 4792 3_0_0 EXIST::FUNCTION:DH
EVP_PKEY_CTX_set_params 4793 3_0_0 EXIST::FUNCTION:
EVP_KEYMGMT_fetch 4794 3_0_0 EXIST::FUNCTION:
EVP_KEYMGMT_up_ref 4795 3_0_0 EXIST::FUNCTION:
EVP_KEYMGMT_free 4796 3_0_0 EXIST::FUNCTION:
EVP_KEYMGMT_provider 4797 3_0_0 EXIST::FUNCTION:
X509_PUBKEY_dup 4798 3_0_0 EXIST::FUNCTION:
ERR_put_func_error 4799 3_0_0 NOEXIST::FUNCTION:
EVP_MD_name 4800 3_0_0 EXIST::FUNCTION:
EVP_CIPHER_name 4801 3_0_0 EXIST::FUNCTION:
EVP_MD_provider 4802 3_0_0 EXIST::FUNCTION:
EVP_CIPHER_provider 4803 3_0_0 EXIST::FUNCTION:
OSSL_PROVIDER_name 4804 3_0_0 EXIST::FUNCTION:
EVP_CIPHER_do_all_ex 4805 3_0_0 EXIST::FUNCTION:
EVP_MD_do_all_ex 4806 3_0_0 EXIST::FUNCTION:
EVP_KEYEXCH_provider 4807 3_0_0 EXIST::FUNCTION:
OSSL_PROVIDER_available 4808 3_0_0 EXIST::FUNCTION:
ERR_new 4809 3_0_0 EXIST::FUNCTION:
ERR_set_debug 4810 3_0_0 EXIST::FUNCTION:
ERR_set_error 4811 3_0_0 EXIST::FUNCTION:
ERR_vset_error 4812 3_0_0 EXIST::FUNCTION:
X509_get0_authority_issuer 4813 3_0_0 EXIST::FUNCTION:
X509_get0_authority_serial 4814 3_0_0 EXIST::FUNCTION:
EC_GROUP_new_ex 4815 3_0_0 EXIST::FUNCTION:EC
EC_GROUP_new_by_curve_name_ex 4816 3_0_0 EXIST::FUNCTION:EC
EC_KEY_new_ex 4817 3_0_0 EXIST::FUNCTION:EC
EC_KEY_new_by_curve_name_ex 4818 3_0_0 EXIST::FUNCTION:EC
OPENSSL_hexstr2buf_ex 4819 3_0_0 EXIST::FUNCTION:
OPENSSL_buf2hexstr_ex 4820 3_0_0 EXIST::FUNCTION:
OSSL_PARAM_construct_from_text 4821 3_0_0 EXIST::FUNCTION:
OSSL_PARAM_allocate_from_text 4822 3_0_0 EXIST::FUNCTION:
EVP_MD_gettable_params 4823 3_0_0 EXIST::FUNCTION:
EVP_MD_CTX_settable_params 4824 3_0_0 EXIST::FUNCTION:
EVP_MD_CTX_gettable_params 4825 3_0_0 EXIST::FUNCTION:
EVP_CIPHER_get_params 4826 3_0_0 EXIST::FUNCTION:
EVP_CIPHER_CTX_set_params 4827 3_0_0 EXIST::FUNCTION:
EVP_CIPHER_CTX_get_params 4828 3_0_0 EXIST::FUNCTION:
EVP_CIPHER_gettable_params 4829 3_0_0 EXIST::FUNCTION:
EVP_CIPHER_CTX_settable_params 4830 3_0_0 EXIST::FUNCTION:
EVP_CIPHER_CTX_gettable_params 4831 3_0_0 EXIST::FUNCTION:
EVP_MD_get_params 4832 3_0_0 EXIST::FUNCTION:
EVP_MAC_fetch 4833 3_0_0 EXIST::FUNCTION:
EVP_MAC_CTX_settable_params 4834 3_0_0 EXIST::FUNCTION:
EVP_MAC_CTX_set_params 4835 3_0_0 EXIST::FUNCTION:
EVP_MAC_CTX_get_params 4836 3_0_0 EXIST::FUNCTION:
EVP_MAC_CTX_gettable_params 4837 3_0_0 EXIST::FUNCTION:
EVP_MAC_free 4838 3_0_0 EXIST::FUNCTION:
EVP_MAC_up_ref 4839 3_0_0 EXIST::FUNCTION:
EVP_MAC_name 4840 3_0_0 EXIST::FUNCTION:
EVP_MAC_get_params 4841 3_0_0 EXIST::FUNCTION:
EVP_MAC_gettable_params 4842 3_0_0 EXIST::FUNCTION:
EVP_MAC_provider 4843 3_0_0 EXIST::FUNCTION:
EVP_MAC_do_all_ex 4844 3_0_0 EXIST::FUNCTION:
EVP_MD_free 4845 3_0_0 EXIST::FUNCTION:
EVP_CIPHER_free 4846 3_0_0 EXIST::FUNCTION:
EVP_KDF_up_ref 4847 3_0_0 EXIST::FUNCTION:
EVP_KDF_free 4848 3_0_0 EXIST::FUNCTION:
EVP_KDF_fetch 4849 3_0_0 EXIST::FUNCTION:
EVP_KDF_CTX_dup 4850 3_0_0 EXIST::FUNCTION:
EVP_KDF_name 4851 3_0_0 EXIST::FUNCTION:
EVP_KDF_provider 4852 3_0_0 EXIST::FUNCTION:
EVP_KDF_get_params 4853 3_0_0 EXIST::FUNCTION:
EVP_KDF_CTX_get_params 4854 3_0_0 EXIST::FUNCTION:
EVP_KDF_CTX_set_params 4855 3_0_0 EXIST::FUNCTION:
EVP_KDF_gettable_params 4856 3_0_0 EXIST::FUNCTION:
EVP_KDF_CTX_gettable_params 4857 3_0_0 EXIST::FUNCTION:
EVP_KDF_CTX_settable_params 4858 3_0_0 EXIST::FUNCTION:
EVP_KDF_do_all_ex 4859 3_0_0 EXIST::FUNCTION:
EVP_SIGNATURE_free 4860 3_0_0 EXIST::FUNCTION:
EVP_SIGNATURE_up_ref 4861 3_0_0 EXIST::FUNCTION:
EVP_SIGNATURE_provider 4862 3_0_0 EXIST::FUNCTION:
EVP_SIGNATURE_fetch 4863 3_0_0 EXIST::FUNCTION:
EVP_PKEY_sign_init_ex 4864 3_0_0 EXIST::FUNCTION:
EVP_PKEY_CTX_set_signature_md 4865 3_0_0 EXIST::FUNCTION:
EVP_PKEY_verify_init_ex 4866 3_0_0 EXIST::FUNCTION:
EVP_PKEY_verify_recover_init_ex 4867 3_0_0 EXIST::FUNCTION:
EVP_PKEY_CTX_get_signature_md 4868 3_0_0 EXIST::FUNCTION:
EVP_PKEY_CTX_get_params 4869 3_0_0 EXIST::FUNCTION:
EVP_PKEY_CTX_gettable_params 4870 3_0_0 EXIST::FUNCTION:
EVP_PKEY_CTX_settable_params 4871 3_0_0 EXIST::FUNCTION:
EVP_CIPHER_CTX_tag_length 4872 3_0_0 EXIST::FUNCTION:
ERR_get_error_func 4873 3_0_0 EXIST::FUNCTION:
ERR_get_error_data 4874 3_0_0 EXIST::FUNCTION:
ERR_get_error_all 4875 3_0_0 EXIST::FUNCTION:
ERR_peek_error_func 4876 3_0_0 EXIST::FUNCTION:
ERR_peek_error_data 4877 3_0_0 EXIST::FUNCTION:
ERR_peek_error_all 4878 3_0_0 EXIST::FUNCTION:
ERR_peek_last_error_func 4879 3_0_0 EXIST::FUNCTION:
ERR_peek_last_error_data 4880 3_0_0 EXIST::FUNCTION:
ERR_peek_last_error_all 4881 3_0_0 EXIST::FUNCTION:
EVP_CIPHER_is_a 4882 3_0_0 EXIST::FUNCTION:
EVP_MAC_is_a 4883 3_0_0 EXIST::FUNCTION:
EVP_MD_settable_ctx_params 4884 3_0_0 EXIST::FUNCTION:
EVP_MD_gettable_ctx_params 4885 3_0_0 EXIST::FUNCTION:
ERR_load_CMP_strings 4767 3_0_0 EXIST::FUNCTION:CMP
EVP_MD_CTX_set_params 4768 3_0_0 EXIST::FUNCTION:
EVP_MD_CTX_get_params 4769 3_0_0 EXIST::FUNCTION:
RAND_DRBG_new_ex 4770 3_0_0 EXIST::FUNCTION:
RAND_DRBG_secure_new_ex 4771 3_0_0 EXIST::FUNCTION:
OPENSSL_CTX_get0_master_drbg 4772 3_0_0 EXIST::FUNCTION:
OPENSSL_CTX_get0_public_drbg 4773 3_0_0 EXIST::FUNCTION:
OPENSSL_CTX_get0_private_drbg 4774 3_0_0 EXIST::FUNCTION:
BN_CTX_new_ex 4775 3_0_0 EXIST::FUNCTION:
BN_CTX_secure_new_ex 4776 3_0_0 EXIST::FUNCTION:
OPENSSL_thread_stop_ex 4777 3_0_0 EXIST::FUNCTION:
OSSL_PARAM_locate_const 4778 3_0_0 EXIST::FUNCTION:
X509_REQ_set0_sm2_id 4779 3_0_0 EXIST::FUNCTION:SM2
X509_REQ_get0_sm2_id 4780 3_0_0 EXIST::FUNCTION:SM2
BN_rand_ex 4781 3_0_0 EXIST::FUNCTION:
BN_priv_rand_ex 4782 3_0_0 EXIST::FUNCTION:
BN_rand_range_ex 4783 3_0_0 EXIST::FUNCTION:
BN_priv_rand_range_ex 4784 3_0_0 EXIST::FUNCTION:
BN_generate_prime_ex2 4785 3_0_0 EXIST::FUNCTION:
EVP_PKEY_derive_init_ex 4786 3_0_0 EXIST::FUNCTION:
EVP_KEYEXCH_free 4787 3_0_0 EXIST::FUNCTION:
EVP_KEYEXCH_up_ref 4788 3_0_0 EXIST::FUNCTION:
EVP_KEYEXCH_fetch 4789 3_0_0 EXIST::FUNCTION:
EVP_PKEY_CTX_set_dh_pad 4790 3_0_0 EXIST::FUNCTION:DH
EVP_PKEY_CTX_set_params 4791 3_0_0 EXIST::FUNCTION:
EVP_KEYMGMT_fetch 4792 3_0_0 EXIST::FUNCTION:
EVP_KEYMGMT_up_ref 4793 3_0_0 EXIST::FUNCTION:
EVP_KEYMGMT_free 4794 3_0_0 EXIST::FUNCTION:
EVP_KEYMGMT_provider 4795 3_0_0 EXIST::FUNCTION:
X509_PUBKEY_dup 4796 3_0_0 EXIST::FUNCTION:
ERR_put_func_error 4797 3_0_0 NOEXIST::FUNCTION:
EVP_MD_name 4798 3_0_0 EXIST::FUNCTION:
EVP_CIPHER_name 4799 3_0_0 EXIST::FUNCTION:
EVP_MD_provider 4800 3_0_0 EXIST::FUNCTION:
EVP_CIPHER_provider 4801 3_0_0 EXIST::FUNCTION:
OSSL_PROVIDER_name 4802 3_0_0 EXIST::FUNCTION:
EVP_CIPHER_do_all_ex 4803 3_0_0 EXIST::FUNCTION:
EVP_MD_do_all_ex 4804 3_0_0 EXIST::FUNCTION:
EVP_KEYEXCH_provider 4805 3_0_0 EXIST::FUNCTION:
OSSL_PROVIDER_available 4806 3_0_0 EXIST::FUNCTION:
ERR_new 4807 3_0_0 EXIST::FUNCTION:
ERR_set_debug 4808 3_0_0 EXIST::FUNCTION:
ERR_set_error 4809 3_0_0 EXIST::FUNCTION:
ERR_vset_error 4810 3_0_0 EXIST::FUNCTION:
X509_get0_authority_issuer 4811 3_0_0 EXIST::FUNCTION:
X509_get0_authority_serial 4812 3_0_0 EXIST::FUNCTION:
EC_GROUP_new_ex 4813 3_0_0 EXIST::FUNCTION:EC
EC_GROUP_new_by_curve_name_ex 4814 3_0_0 EXIST::FUNCTION:EC
EC_KEY_new_ex 4815 3_0_0 EXIST::FUNCTION:EC
EC_KEY_new_by_curve_name_ex 4816 3_0_0 EXIST::FUNCTION:EC
OPENSSL_hexstr2buf_ex 4817 3_0_0 EXIST::FUNCTION:
OPENSSL_buf2hexstr_ex 4818 3_0_0 EXIST::FUNCTION:
OSSL_PARAM_construct_from_text 4819 3_0_0 EXIST::FUNCTION:
OSSL_PARAM_allocate_from_text 4820 3_0_0 EXIST::FUNCTION:
EVP_MD_gettable_params 4821 3_0_0 EXIST::FUNCTION:
EVP_MD_CTX_settable_params 4822 3_0_0 EXIST::FUNCTION:
EVP_MD_CTX_gettable_params 4823 3_0_0 EXIST::FUNCTION:
EVP_CIPHER_get_params 4824 3_0_0 EXIST::FUNCTION:
EVP_CIPHER_CTX_set_params 4825 3_0_0 EXIST::FUNCTION:
EVP_CIPHER_CTX_get_params 4826 3_0_0 EXIST::FUNCTION:
EVP_CIPHER_gettable_params 4827 3_0_0 EXIST::FUNCTION:
EVP_CIPHER_CTX_settable_params 4828 3_0_0 EXIST::FUNCTION:
EVP_CIPHER_CTX_gettable_params 4829 3_0_0 EXIST::FUNCTION:
EVP_MD_get_params 4830 3_0_0 EXIST::FUNCTION:
EVP_MAC_fetch 4831 3_0_0 EXIST::FUNCTION:
EVP_MAC_CTX_settable_params 4832 3_0_0 EXIST::FUNCTION:
EVP_MAC_CTX_set_params 4833 3_0_0 EXIST::FUNCTION:
EVP_MAC_CTX_get_params 4834 3_0_0 EXIST::FUNCTION:
EVP_MAC_CTX_gettable_params 4835 3_0_0 EXIST::FUNCTION:
EVP_MAC_free 4836 3_0_0 EXIST::FUNCTION:
EVP_MAC_up_ref 4837 3_0_0 EXIST::FUNCTION:
EVP_MAC_name 4838 3_0_0 EXIST::FUNCTION:
EVP_MAC_get_params 4839 3_0_0 EXIST::FUNCTION:
EVP_MAC_gettable_params 4840 3_0_0 EXIST::FUNCTION:
EVP_MAC_provider 4841 3_0_0 EXIST::FUNCTION:
EVP_MAC_do_all_ex 4842 3_0_0 EXIST::FUNCTION:
EVP_MD_free 4843 3_0_0 EXIST::FUNCTION:
EVP_CIPHER_free 4844 3_0_0 EXIST::FUNCTION:
EVP_KDF_up_ref 4845 3_0_0 EXIST::FUNCTION:
EVP_KDF_free 4846 3_0_0 EXIST::FUNCTION:
EVP_KDF_fetch 4847 3_0_0 EXIST::FUNCTION:
EVP_KDF_CTX_dup 4848 3_0_0 EXIST::FUNCTION:
EVP_KDF_name 4849 3_0_0 EXIST::FUNCTION:
EVP_KDF_provider 4850 3_0_0 EXIST::FUNCTION:
EVP_KDF_get_params 4851 3_0_0 EXIST::FUNCTION:
EVP_KDF_CTX_get_params 4852 3_0_0 EXIST::FUNCTION:
EVP_KDF_CTX_set_params 4853 3_0_0 EXIST::FUNCTION:
EVP_KDF_gettable_params 4854 3_0_0 EXIST::FUNCTION:
EVP_KDF_CTX_gettable_params 4855 3_0_0 EXIST::FUNCTION:
EVP_KDF_CTX_settable_params 4856 3_0_0 EXIST::FUNCTION:
EVP_KDF_do_all_ex 4857 3_0_0 EXIST::FUNCTION:
EVP_SIGNATURE_free 4858 3_0_0 EXIST::FUNCTION:
EVP_SIGNATURE_up_ref 4859 3_0_0 EXIST::FUNCTION:
EVP_SIGNATURE_provider 4860 3_0_0 EXIST::FUNCTION:
EVP_SIGNATURE_fetch 4861 3_0_0 EXIST::FUNCTION:
EVP_PKEY_sign_init_ex 4862 3_0_0 EXIST::FUNCTION:
EVP_PKEY_CTX_set_signature_md 4863 3_0_0 EXIST::FUNCTION:
EVP_PKEY_verify_init_ex 4864 3_0_0 EXIST::FUNCTION:
EVP_PKEY_verify_recover_init_ex 4865 3_0_0 EXIST::FUNCTION:
EVP_PKEY_CTX_get_signature_md 4866 3_0_0 EXIST::FUNCTION:
EVP_PKEY_CTX_get_params 4867 3_0_0 EXIST::FUNCTION:
EVP_PKEY_CTX_gettable_params 4868 3_0_0 EXIST::FUNCTION:
EVP_PKEY_CTX_settable_params 4869 3_0_0 EXIST::FUNCTION:
EVP_CIPHER_CTX_tag_length 4870 3_0_0 EXIST::FUNCTION:
ERR_get_error_func 4871 3_0_0 EXIST::FUNCTION:
ERR_get_error_data 4872 3_0_0 EXIST::FUNCTION:
ERR_get_error_all 4873 3_0_0 EXIST::FUNCTION:
ERR_peek_error_func 4874 3_0_0 EXIST::FUNCTION:
ERR_peek_error_data 4875 3_0_0 EXIST::FUNCTION:
ERR_peek_error_all 4876 3_0_0 EXIST::FUNCTION:
ERR_peek_last_error_func 4877 3_0_0 EXIST::FUNCTION:
ERR_peek_last_error_data 4878 3_0_0 EXIST::FUNCTION:
ERR_peek_last_error_all 4879 3_0_0 EXIST::FUNCTION:
EVP_CIPHER_is_a 4880 3_0_0 EXIST::FUNCTION:
EVP_MAC_is_a 4881 3_0_0 EXIST::FUNCTION:
EVP_MD_settable_ctx_params 4882 3_0_0 EXIST::FUNCTION:
EVP_MD_gettable_ctx_params 4883 3_0_0 EXIST::FUNCTION:
OSSL_CMP_CTX_new 4884 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_free 4885 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_reinit 4886 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_set_option 4887 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_get_option 4888 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_set_log_cb 4889 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_print_errors 4890 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_set1_serverPath 4891 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_set1_serverName 4892 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_set_serverPort 4893 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_set1_proxyName 4894 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_set_proxyPort 4895 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_set_http_cb 4896 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_set_http_cb_arg 4897 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_get_http_cb_arg 4898 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_set_transfer_cb 4899 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_set_transfer_cb_arg 4900 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_get_transfer_cb_arg 4901 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_set1_srvCert 4902 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_set1_expected_sender 4903 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_set0_trustedStore 4904 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_get0_trustedStore 4905 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_set1_untrusted_certs 4906 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_get0_untrusted_certs 4907 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_set1_clCert 4908 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_set1_pkey 4909 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_set1_referenceValue 4910 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_set1_secretValue 4911 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_set1_recipient 4912 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_push0_geninfo_ITAV 4913 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_set1_extraCertsOut 4914 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_set0_newPkey 4915 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_get0_newPkey 4916 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_set1_issuer 4917 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_set1_subjectName 4918 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_push1_subjectAltName 4919 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_set0_reqExtensions 4920 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_reqExtensions_have_SAN 4921 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_push0_policy 4922 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_set1_oldCert 4923 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_set1_p10CSR 4924 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_push0_genm_ITAV 4925 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_set_certConf_cb 4926 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_set_certConf_cb_arg 4927 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_get_certConf_cb_arg 4928 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_get_status 4929 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_get0_statusString 4930 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_get_failInfoCode 4931 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_get0_newCert 4932 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_get1_caPubs 4933 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_get1_extraCertsIn 4934 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_set1_transactionID 4935 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_CTX_set1_senderNonce 4936 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_log_open 4937 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_log_close 4938 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_print_errors_cb 4939 3_0_0 EXIST::FUNCTION:CMP
OSSL_CRMF_CERTID_get0_issuer 4940 3_0_0 EXIST::FUNCTION:CRMF
OSSL_CRMF_CERTID_get0_serialNumber 4941 3_0_0 EXIST::FUNCTION:CRMF

23
util/private.num
View File

@ -331,6 +331,27 @@ OpenSSL_add_all_algorithms define deprecated 1.1.0
OpenSSL_add_all_ciphers define deprecated 1.1.0
OpenSSL_add_all_digests define deprecated 1.1.0
OpenSSL_add_ssl_algorithms define
OSSL_CMP_CTX_set_log_verbosity define
OSSL_CMP_DEFAULT_PORT define
OSSL_CMP_LOG_ALERT define
OSSL_CMP_LOG_CRIT define
OSSL_CMP_LOG_DEBUG define
OSSL_CMP_LOG_EMERG define
OSSL_CMP_LOG_ERR define
OSSL_CMP_LOG_INFO define
OSSL_CMP_LOG_NOTICE define
OSSL_CMP_LOG_WARNING define
OSSL_CMP_alert define
OSSL_CMP_debug define
OSSL_CMP_err define
OSSL_CMP_info define
OSSL_CMP_log define
OSSL_CMP_log1 define
OSSL_CMP_log2 define
OSSL_CMP_log3 define
OSSL_CMP_log4 define
OSSL_CMP_severity datatype
OSSL_CMP_warn define
OSSL_PARAM_TYPE define
OSSL_PARAM_octet_ptr define
OSSL_PARAM_octet_string define
@ -338,9 +359,7 @@ OSSL_PARAM_utf8_ptr define
OSSL_PARAM_BN define
OSSL_PARAM_TYPE generic
OSSL_PARAM_construct_TYPE generic
OSSL_PARAM_octet_string define
OSSL_PARAM_utf8_string define
OSSL_PARAM_octet_ptr define
OSSL_PARAM_get_TYPE generic
OSSL_PARAM_END define
OSSL_PARAM_set_TYPE generic