CMP: Clean up internal message creation API and its documentation

Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15879)
Dr. David von Oheimb 2021-06-23 13:40:50 +02:00 committed by Dr. David von Oheimb
parent 0f7a4ca5d6
commit 7b3990e3f8
6 changed files with 135 additions and 84 deletions


@ -864,13 +864,14 @@ OSSL_CMP_MSG *ossl_cmp_msg_create(OSSL_CMP_CTX *ctx, int bodytype);
OSSL_CMP_MSG *ossl_cmp_certreq_new(OSSL_CMP_CTX *ctx, int bodytype,
const OSSL_CRMF_MSG *crm);
OSSL_CMP_MSG *ossl_cmp_certrep_new(OSSL_CMP_CTX *ctx, int bodytype,
int certReqId, OSSL_CMP_PKISI *si,
X509 *cert, STACK_OF(X509) *chain,
STACK_OF(X509) *caPubs, int encrypted,
int certReqId, const OSSL_CMP_PKISI *si,
X509 *cert, const X509 *encryption_recip,
STACK_OF(X509) *chain, STACK_OF(X509) *caPubs,
int unprotectedErrors);
OSSL_CMP_MSG *ossl_cmp_rr_new(OSSL_CMP_CTX *ctx);
OSSL_CMP_MSG *ossl_cmp_rp_new(OSSL_CMP_CTX *ctx, OSSL_CMP_PKISI *si,
OSSL_CRMF_CERTID *certId, int unprot_err);
OSSL_CMP_MSG *ossl_cmp_rp_new(OSSL_CMP_CTX *ctx, const OSSL_CMP_PKISI *si,
const OSSL_CRMF_CERTID *cid,
int unprotectedErrors);
OSSL_CMP_MSG *ossl_cmp_pkiconf_new(OSSL_CMP_CTX *ctx);
OSSL_CMP_MSG *ossl_cmp_pollRep_new(OSSL_CMP_CTX *ctx, int crid,
int64_t poll_after);
@ -880,9 +881,9 @@ int ossl_cmp_msg_gen_push1_ITAVs(OSSL_CMP_MSG *msg,
OSSL_CMP_MSG *ossl_cmp_genm_new(OSSL_CMP_CTX *ctx);
OSSL_CMP_MSG *ossl_cmp_genp_new(OSSL_CMP_CTX *ctx,
const STACK_OF(OSSL_CMP_ITAV) *itavs);
OSSL_CMP_MSG *ossl_cmp_error_new(OSSL_CMP_CTX *ctx, OSSL_CMP_PKISI *si,
int errorCode,
const char *details, int unprotected);
OSSL_CMP_MSG *ossl_cmp_error_new(OSSL_CMP_CTX *ctx, const OSSL_CMP_PKISI *si,
int errorCode, const char *details,
int unprotected);
int ossl_cmp_certstatus_set0_certHash(OSSL_CMP_CERTSTATUS *certStatus,
ASN1_OCTET_STRING *hash);
OSSL_CMP_MSG *ossl_cmp_certConf_new(OSSL_CMP_CTX *ctx, int fail_info,
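Review bot: The new ossl_cmp_certrep_new prototype in the first hunk gives no hint that encryption_recip is accepted but currently unsupported, which the .pod text in this commit states and which the implementation enforces only inside one branch; a one-line comment on the declaration would stop internal callers from passing a recipient and expecting encryption, e.g. `/* encryption_recip: currently unsupported, must be NULL */` above the declaration. The pod synopsis that this commit cleans up also still disagrees with this header in two places: it declares `ossl_cmp_pollRep_new(..., int poll_after)` where the header has `int64_t poll_after`, and the return type of ossl_cmp_certreq_new reads `OSSL_ossl_cmp_MSG` instead of `OSSL_CMP_MSG`. Both are context lines in the documentation hunks, so the commit does not touch them; fixing them in the same cleanup would keep the internal docs consistent with the header.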


@ -454,9 +454,9 @@ OSSL_CMP_MSG *ossl_cmp_certreq_new(OSSL_CMP_CTX *ctx, int type,
}
OSSL_CMP_MSG *ossl_cmp_certrep_new(OSSL_CMP_CTX *ctx, int bodytype,
int certReqId, OSSL_CMP_PKISI *si,
X509 *cert, STACK_OF(X509) *chain,
STACK_OF(X509) *caPubs, int encrypted,
int certReqId, const OSSL_CMP_PKISI *si,
X509 *cert, const X509 *encryption_recip,
STACK_OF(X509) *chain, STACK_OF(X509) *caPubs,
int unprotectedErrors)
{
OSSL_CMP_MSG *msg = NULL;
@ -486,8 +486,8 @@ OSSL_CMP_MSG *ossl_cmp_certrep_new(OSSL_CMP_CTX *ctx, int bodytype,
status = ossl_cmp_pkisi_get_status(resp->status);
if (status != OSSL_CMP_PKISTATUS_rejection
&& status != OSSL_CMP_PKISTATUS_waiting && cert != NULL) {
if (encrypted) {
ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS);
if (encryption_recip != NULL) {
ERR_raise(ERR_LIB_CMP, ERR_R_UNSUPPORTED);
goto err;
}
@ -579,8 +579,8 @@ OSSL_CMP_MSG *ossl_cmp_rr_new(OSSL_CMP_CTX *ctx)
return NULL;
}
OSSL_CMP_MSG *ossl_cmp_rp_new(OSSL_CMP_CTX *ctx, OSSL_CMP_PKISI *si,
OSSL_CRMF_CERTID *cid, int unprot_err)
OSSL_CMP_MSG *ossl_cmp_rp_new(OSSL_CMP_CTX *ctx, const OSSL_CMP_PKISI *si,
const OSSL_CRMF_CERTID *cid, int unprotectedErrors)
{
OSSL_CMP_REVREPCONTENT *rep = NULL;
OSSL_CMP_PKISI *si1 = NULL;
@ -613,7 +613,7 @@ OSSL_CMP_MSG *ossl_cmp_rp_new(OSSL_CMP_CTX *ctx, OSSL_CMP_PKISI *si,
}
}
if (!unprot_err
if (!unprotectedErrors
|| ossl_cmp_pkisi_get_status(si) != OSSL_CMP_PKISTATUS_rejection)
if (!ossl_cmp_msg_protect(ctx, msg))
goto err;
@ -726,9 +726,9 @@ OSSL_CMP_MSG *ossl_cmp_genp_new(OSSL_CMP_CTX *ctx,
OSSL_CMP_PKIBODY_GENP, CMP_R_ERROR_CREATING_GENP);
}
OSSL_CMP_MSG *ossl_cmp_error_new(OSSL_CMP_CTX *ctx, OSSL_CMP_PKISI *si,
int errorCode,
const char *details, int unprotected)
OSSL_CMP_MSG *ossl_cmp_error_new(OSSL_CMP_CTX *ctx, const OSSL_CMP_PKISI *si,
int errorCode, const char *details,
int unprotected)
{
OSSL_CMP_MSG *msg = NULL;
OSSL_CMP_PKIFREETEXT *ft;
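Review bot: The ERR_R_UNSUPPORTED rejection of a non-NULL encryption_recip in the second hunk sits inside the branch that also requires a non-rejection, non-waiting status and a non-NULL cert, so a caller that passes a recipient together with a rejection status or without a cert gets a message back with the argument silently ignored instead of an error. Since the parameter is documented as unsupported, it is clearer to reject it unconditionally: `if (encryption_recip != NULL) { ERR_raise(ERR_LIB_CMP, ERR_R_UNSUPPORTED); goto err; }` placed ahead of the `status = ossl_cmp_pkisi_get_status(resp->status);` line, dropping the nested copy. The rename to unprotectedErrors in ossl_cmp_rp_new is fine, but the two stacked brace-less ifs it lands in would read more safely as a single combined condition, though that code is pre-existing. The bodies of ossl_cmp_certrep_new, ossl_cmp_rp_new and ossl_cmp_error_new all continue outside the hunks.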


@ -226,7 +226,7 @@ static OSSL_CMP_MSG *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
}
msg = ossl_cmp_certrep_new(srv_ctx->ctx, bodytype, certReqId, si,
certOut, chainOut, caPubs, 0 /* encrypted */,
certOut, NULL /* enc */, chainOut, caPubs,
srv_ctx->sendUnprotectedErrors);
if (msg == NULL)
ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_CERTREP);
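Review bot: The argument comment `NULL /* enc */` at the updated call site abbreviates the parameter to a name that does not appear in the prototype, so a reader checking this call against cmp_local.h has to guess which NULL this is; `NULL /* encryption_recip */` would make the match obvious, and the replaced `0 /* encrypted */` form followed exactly that name-the-parameter convention. The enclosing process_cert_request() starts and ends outside the hunk.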


@ -17,46 +17,19 @@ ossl_cmp_error_new
=head1 SYNOPSIS
#include <openssl/cmp.h>
# define OSSL_CMP_PKIBODY_IR 0
# define OSSL_CMP_PKIBODY_IP 1
# define OSSL_CMP_PKIBODY_CR 2
# define OSSL_CMP_PKIBODY_CP 3
# define OSSL_CMP_PKIBODY_P10CR 4
# define OSSL_CMP_PKIBODY_POPDECC 5
# define OSSL_CMP_PKIBODY_POPDECR 6
# define OSSL_CMP_PKIBODY_KUR 7
# define OSSL_CMP_PKIBODY_KUP 8
# define OSSL_CMP_PKIBODY_KRR 9
# define OSSL_CMP_PKIBODY_KRP 10
# define OSSL_CMP_PKIBODY_RR 11
# define OSSL_CMP_PKIBODY_RP 12
# define OSSL_CMP_PKIBODY_CCR 13
# define OSSL_CMP_PKIBODY_CCP 14
# define OSSL_CMP_PKIBODY_CKUANN 15
# define OSSL_CMP_PKIBODY_CANN 16
# define OSSL_CMP_PKIBODY_RANN 17
# define OSSL_CMP_PKIBODY_CRLANN 18
# define OSSL_CMP_PKIBODY_PKICONF 19
# define OSSL_CMP_PKIBODY_NESTED 20
# define OSSL_CMP_PKIBODY_GENM 21
# define OSSL_CMP_PKIBODY_GENP 22
# define OSSL_CMP_PKIBODY_ERROR 23
# define OSSL_CMP_PKIBODY_CERTCONF 24
# define OSSL_CMP_PKIBODY_POLLREQ 25
# define OSSL_CMP_PKIBODY_POLLREP 26
#include "cmp_local.h"
OSSL_ossl_cmp_MSG *ossl_cmp_certreq_new(OSSL_CMP_CTX *ctx, int bodytype,
const OSSL_CRMF_MSG *crm);
OSSL_CMP_MSG *ossl_cmp_certrep_new(OSSL_CMP_CTX *ctx, int bodytype,
int certReqId, OSSL_CMP_PKISI *si,
X509 *cert, STACK_OF(X509) *chain,
STACK_OF(X509) *caPubs,
int encrypted, int unprotectedErrors);
int certReqId, const OSSL_CMP_PKISI *si,
X509 *cert, const X509 *encryption_recip,
STACK_OF(X509) *chain, STACK_OF(X509) *caPubs,
int unprotectedErrors);
OSSL_CMP_MSG *ossl_cmp_rr_new(OSSL_CMP_CTX *ctx);
OSSL_CMP_MSG *ossl_cmp_rp_new(OSSL_CMP_CTX *ctx, OSSL_CMP_PKISI *si,
OSSL_CRMF_CERTID *cid, int unprot_err);
OSSL_CMP_MSG *ossl_cmp_rp_new(OSSL_CMP_CTX *ctx, const OSSL_CMP_PKISI *si,
const OSSL_CRMF_CERTID *cid,
int unprotectedErrors);
OSSL_CMP_MSG *ossl_cmp_certConf_new(OSSL_CMP_CTX *ctx, int fail_info,
const char *text);
OSSL_CMP_MSG *ossl_cmp_pkiconf_new(OSSL_CMP_CTX *ctx);
@ -64,23 +37,23 @@ ossl_cmp_error_new
OSSL_CMP_MSG *ossl_cmp_pollRep_new(OSSL_CMP_CTX *ctx, int crid, int poll_after);
OSSL_CMP_MSG *ossl_cmp_genm_new(OSSL_CMP_CTX *ctx);
OSSL_CMP_MSG *ossl_cmp_genp_new(OSSL_CMP_CTX *ctx);
OSSL_CMP_MSG *ossl_cmp_error_new(OSSL_CMP_CTX *ctx, OSSL_CMP_PKISI *si,
int errorCode,
OSSL_CMP_PKIFREETEXT *errorDetails,
OSSL_CMP_MSG *ossl_cmp_error_new(OSSL_CMP_CTX *ctx, const OSSL_CMP_PKISI *si,
int errorCode, const char *details,
int unprotected);
=head1 DESCRIPTION
This is the API for creating various CMP PKIMESSAGES. The
functions allocate a new message, fill it with the relevant data derived from
the given OSSL_CMP_CTX, and create the applicable protection.
This is the internal API for creating various CMP PKIMESSAGES.
All functions are based on L<ossl_cmp_msg_create(3)>.
The allocate a new message, fill it with the relevant data derived from
the given B<OSSL_CMP_CTX>, and create the applicable protection.
ossl_cmp_certreq_new() creates a PKIMessage for requesting a certificate,
which can be either of IR/CR/KUR/P10CR, depending on the given B<bodytype>.
The CRMF message to use may be given via the B<crm> argument;
else (if B<crm> is NULL) it is created from the information in the B<ctx>.
which can be either of IR/CR/KUR/P10CR, depending on the given I<bodytype>.
The CRMF message to use may be given explicitly via a non-NULL I<crm> argument,
otherwise it is created from the information in the I<ctx>.
Available CMP certificate request PKIMessage B<bodytype>s are:
Available CMP certificate request PKIMessage I<bodytype>s are:
=over 4
@ -94,10 +67,16 @@ Available CMP certificate request PKIMessage B<bodytype>s are:
=back
ossl_cmp_certrep_new() creates a PKIMessage for certificate response, which can
be either of IP/CP/KUP, depending on the given B<bodytype>.
ossl_cmp_certrep_new() creates a PKIMessage for certificate response,
which can be either of IP/CP/KUP, depending on the given I<bodytype>,
with the given I<certReqId> and I<si> values and optionally with I<cert>,
I<chain>, and I<caPubs>. The I<cert>, I<chain>, and I<caPubs> arguments
are not consumed if present but their internal reference counter is increased.
The I<encryption_recip> is currently unsupported.
The function does not protect the message if the B<status> value in I<si>
is B<rejected> and I<unprotectedErrors> is nonzero.
Available CMP certificate response PKIMessage B<bodytype>s are:
Available CMP certificate response PKIMessage I<bodytype>s are:
=over 4
@ -109,7 +88,7 @@ Available CMP certificate response PKIMessage B<bodytype>s are:
=back
The list of all CMP PKIMessage B<bodytype>s is:
The list of all CMP PKIMessage I<bodytype>s is:
#define OSSL_CMP_PKIBODY_IR 0
#define OSSL_CMP_PKIBODY_IP 1
@ -140,29 +119,30 @@ The list of all CMP PKIMessage B<bodytype>s is:
ossl_cmp_rr_new() creates a Revocation Request message from the
information set via OSSL_CMP_CTX_set1_oldClCert().
ossl_cmp_rp_new() creates a Revocation Response message with status set to
B<si> and CertID set to B<cid>. Consumes B<cid>.
Accepts unprotected errors if B<uprot_err> != 0.
ossl_cmp_rp_new() creates a Revocation Response message with I<si> and I<cid>.
It does not protect the message if the B<status> value in I<si> is B<rejected>
and I<unprotectedErrors> is nonzero.
ossl_cmp_certConf_new() creates a Certificate Confirmation message for the last
received certificate. PKIStatus defaults to B<accepted> if the B<fail_info> bit
received certificate. PKIStatus defaults to B<accepted> if the I<fail_info> bit
field is 0. Else it is taken as the failInfo of the PKIStatusInfo, PKIStatus is
set to B<rejected>, and B<text> is copied to statusString unless it is NULL.
set to B<rejected>, and I<text> is copied to statusString unless it is NULL.
ossl_cmp_pkiconf_new() creates a PKI Confirmation message.
ossl_cmp_pollReq_new() creates a Polling Request message with certReqId set to
B<crid>.
I<crid>.
ossl_cmp_pollRep_new() creates a Polling Response message with certReqId set to
B<crid> and pollAfter to B<poll_after>.
I<crid> and pollAfter to I<poll_after>.
ossl_cmp_genm_new() creates a new General Message with an empty ITAV stack.
ossl_cmp_genp_new() creates a new General Response with an empty ITAV stack.
ossl_cmp_error_new() creates a new Error Message with the given contents,
copying B<si> and B<errorDetails>.
ossl_cmp_error_new() creates a new Error Message with the given contents
with the given I<si>, I<errorCode> (if nonnegative), and optional I<details>.
It does not protect the message if I<unprotectedErrors> is nonzero.
=head1 NOTES
@ -175,6 +155,7 @@ the generated message on success, or NULL on error.
=head1 SEE ALSO
L<ossl_cmp_msg_create(3)>,
L<OSSL_CMP_CTX_new(3)>, L<ERR_load_strings(3)>
=head1 HISTORY


@ -17,8 +17,9 @@ ossl_cmp_hdr_generalinfo_item_push0,
ossl_cmp_hdr_generalinfo_items_push1,
ossl_cmp_hdr_set_implicitConfirm,
ossl_cmp_hdr_has_implicitConfirm,
ossl_cmp_hdr_set_transactionID,
ossl_cmp_hdr_init
- functions manipulating CMP message headers
- functions handling CMP message headers
=head1 SYNOPSIS
@ -46,6 +47,7 @@ ossl_cmp_hdr_init
ASN1_UTF8STRING *text);
int ossl_cmp_hdr_set_implicitConfirm(OSSL_CMP_PKIHEADER *hdr);
int ossl_cmp_hdr_has_implicitConfirm(OSSL_CMP_PKIHEADER *hdr);
int ossl_cmp_hdr_set_transactionID(OSSL_CMP_CTX *ctx, OSSL_CMP_PKIHEADER *hdr);
int ossl_cmp_hdr_init(OSSL_CMP_CTX *ctx, OSSL_CMP_PKIHEADER *hdr);
=head1 DESCRIPTION
@ -98,6 +100,10 @@ of the PKIMessage header.
ossl_cmp_hdr_has_implicitConfirm() returns 1 if implicitConfirm is
set int generalInfo field of the given PKIMessage header, 0 if not.
ossl_cmp_hdr_set_transactionID() sets the B<transactionID> field in C<hdr>.
In case ctx->transactionID is NULL, it starts a new transaction
by creating and storing a new random valuee with 128 bits length.
ossl_cmp_hdr_init() initializes a PKIHeader structure based on the
values in the given OSSL_CMP_CTX structure.
This starts a new transaction in case ctx->transactionID is NULL.
@ -125,6 +131,10 @@ All other functions return 1 on success, 0 on error.
See the individual functions above.
=head1 SEE ALSO
L<ossl_cmp_msg_create(3)>
=head1 HISTORY
The OpenSSL CMP support was added in OpenSSL 3.0.


@ -2,17 +2,72 @@
=head1 NAME
OSSL_CMP_PKIBODY_IR,
OSSL_CMP_PKIBODY_IP,
OSSL_CMP_PKIBODY_CR,
OSSL_CMP_PKIBODY_CP,
OSSL_CMP_PKIBODY_P10CR,
OSSL_CMP_PKIBODY_POPDECC,
OSSL_CMP_PKIBODY_POPDECR,
OSSL_CMP_PKIBODY_KUR,
OSSL_CMP_PKIBODY_KUP,
OSSL_CMP_PKIBODY_KRR,
OSSL_CMP_PKIBODY_KRP,
OSSL_CMP_PKIBODY_RR,
OSSL_CMP_PKIBODY_RP,
OSSL_CMP_PKIBODY_CCR,
OSSL_CMP_PKIBODY_CCP,
OSSL_CMP_PKIBODY_CKUANN,
OSSL_CMP_PKIBODY_CANN,
OSSL_CMP_PKIBODY_RANN,
OSSL_CMP_PKIBODY_CRLANN,
OSSL_CMP_PKIBODY_PKICONF,
OSSL_CMP_PKIBODY_NESTED,
OSSL_CMP_PKIBODY_GENM,
OSSL_CMP_PKIBODY_GENP,
OSSL_CMP_PKIBODY_ERROR,
OSSL_CMP_PKIBODY_CERTCONF,
OSSL_CMP_PKIBODY_POLLREQ,
OSSL_CMP_PKIBODY_POLLREP,
ossl_cmp_bodytype_to_string,
ossl_cmp_msg_get_bodytype,
ossl_cmp_msg_set_bodytype,
ossl_cmp_msg_create,
ossl_cmp_msg_gen_ITAV_push0,
ossl_cmp_msg_gen_ITAVs_push1
- functions manipulating CMP messages
- functions handling CMP messages
=head1 SYNOPSIS
#include "cmp_local.h"
#include "cmp_local.h"
#define OSSL_CMP_PKIBODY_IR 0
#define OSSL_CMP_PKIBODY_IP 1
#define OSSL_CMP_PKIBODY_CR 2
#define OSSL_CMP_PKIBODY_CP 3
#define OSSL_CMP_PKIBODY_P10CR 4
#define OSSL_CMP_PKIBODY_POPDECC 5
#define OSSL_CMP_PKIBODY_POPDECR 6
#define OSSL_CMP_PKIBODY_KUR 7
#define OSSL_CMP_PKIBODY_KUP 8
#define OSSL_CMP_PKIBODY_KRR 9
#define OSSL_CMP_PKIBODY_KRP 10
#define OSSL_CMP_PKIBODY_RR 11
#define OSSL_CMP_PKIBODY_RP 12
#define OSSL_CMP_PKIBODY_CCR 13
#define OSSL_CMP_PKIBODY_CCP 14
#define OSSL_CMP_PKIBODY_CKUANN 15
#define OSSL_CMP_PKIBODY_CANN 16
#define OSSL_CMP_PKIBODY_RANN 17
#define OSSL_CMP_PKIBODY_CRLANN 18
#define OSSL_CMP_PKIBODY_PKICONF 19
#define OSSL_CMP_PKIBODY_NESTED 20
#define OSSL_CMP_PKIBODY_GENM 21
#define OSSL_CMP_PKIBODY_GENP 22
#define OSSL_CMP_PKIBODY_ERROR 23
#define OSSL_CMP_PKIBODY_CERTCONF 24
#define OSSL_CMP_PKIBODY_POLLREQ 25
#define OSSL_CMP_PKIBODY_POLLREP 26
const char *ossl_cmp_bodytype_to_string(int type);
int ossl_cmp_msg_get_bodytype(const OSSL_CMP_MSG *msg);
@ -34,9 +89,12 @@ ossl_cmp_msg_set_bodytype() sets the type of the message contained in
the PKIMessage body field.
Returns 1 on success, 0 on error.
ossl_cmp_msg_create() creates and initializes a OSSL_CMP_MSG structure,
using B<ctx> for the header and B<bodytype> for the body.
Returns pointer to created OSSL_CMP_MSG on success, NULL on error.
ossl_cmp_msg_create() creates and initializes an B<OSSL_CMP_MSG> structure,
using fields of B<ctx> for the header and B<bodytype> for the body.
If the current B<transactionID> field in I<ctx> indicates that there is no
current transaction, it creates and stores a random one with 128 bits length.
Thus, the I<ctx> may be modified by this and related ossl_cmp_*_new() functions.
Returns pointer to created B<OSSL_CMP_MSG> on success, NULL on error.
ossl_cmp_msg_gen_ITAV_push0() pushes the B<itav> to the body of the
PKIMessage B<msg> of GenMsg or GenRep type. Consumes the B<itavs> pointer.
@ -57,6 +115,7 @@ See the individual functions above.
=head1 SEE ALSO
L<ossl_cmp_hdr_init(3)>,
L<OSSL_CMP_CTX_new(3)>, L<OSSL_CMP_exec_certreq(3)>
=head1 HISTORY