Matt Caswell
798f932980
Fix safestack issues in cmp.h
...
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12781 )
2020-09-13 11:10:40 +01:00
Matt Caswell
b4780134df
Fix safestack issues in asn1.h
...
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12781 )
2020-09-13 11:10:40 +01:00
Matt Caswell
e144fd36ce
Fix safestack issues in x509v3.h
...
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12781 )
2020-09-13 11:09:45 +01:00
Matt Caswell
e6623cfbff
Fix safestack issues in x509.h
...
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12781 )
2020-09-13 11:09:45 +01:00
Dr. David von Oheimb
bb30bce22b
bugfix in apps/cmp.c and cmp_client.c: inconsistencies on retrieving extraCerts in code and doc
...
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12822 )
2020-09-10 07:40:45 +02:00
Dr. David von Oheimb
543a802fab
bugfix in ossl_cmp_msg_protect(): set senderKID and extend extraCerts also for unprotected CMP requests
...
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12822 )
2020-09-10 07:40:45 +02:00
Dr. David von Oheimb
6199478101
bugfix in ossl_cmp_msg_add_extraCerts(): should include cert chain when using PBM
...
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12822 )
2020-09-10 07:40:45 +02:00
Dr. David von Oheimb
a0745e2be6
Clean up CMP chain building for CMP signer, TLS client, and newly enrolled certs
...
* Use strenghtened cert chain building, verifying chain using optional trust store
while making sure that no certificate status (e.g., CRL) checks are done
* Use OSSL_CMP_certConf_cb() by default and move its doc to OSSL_CMP_CTX_new.pod
* Simplify certificate and cert store loading in apps/cmp.c
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12741 )
2020-09-10 07:07:55 +02:00
Dr. David von Oheimb
b434b2c08d
Allow unauthenticated CMP server if missing -trusted, -srvcert, and -secret options
...
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12806 )
2020-09-08 23:24:42 +02:00
Dr. David von Oheimb
0b86eefd43
OSSL_CMP_CTX: rename field and its getter/setter from 'untrusted_certs' to 'untrusted
...
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12788 )
2020-09-05 19:33:33 +02:00
Dr. David von Oheimb
15076c26d7
Strengthen chain building for CMP
...
* Add -own_trusted option to CMP app
* Add OSSL_CMP_CTX_build_cert_chain()
* Add optional trust store arg to ossl_cmp_build_cert_chain()
* Extend the tests in cmp_protect_test.c and the documentation accordingly
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12791 )
2020-09-05 18:11:12 +02:00
Dr. David von Oheimb
39082af2fa
Add OSSL_CMP_CTX_get1_newChain() and related CLI option -chainout
...
Also simplify certificate saving in apps/cmp.c
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12790 )
2020-09-05 18:10:03 +02:00
Dr. David von Oheimb
1a5ae1da14
Add -verbosity option to apps/cmp.c and add log output also in crypto/cmp
...
* In the cmp app so far the -verbosity option had been missing.
* Extend log output helpful for debugging CMP applications
in setup_ssl_ctx() of the cmp app, ossl_cmp_msg_add_extraCerts(),
OSSL_CMP_validate_msg(), and OSSL_CMP_MSG_http_perform().
* Correct suppression of log output with insufficient severity.
* Add logging/severity level OSSL_CMP_LOG_TRACE = OSSL_CMP_LOG_MAX.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12739 )
2020-09-01 18:53:41 +02:00
Dr. David von Oheimb
6d1f50b520
Use in CMP+CRMF libctx and propq param added to sign/verify/HMAC/decrypt
...
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11808 )
2020-08-21 09:04:13 +02:00
Dr. David von Oheimb
cac30a69bc
cmp_msg.c: Copy libctx and propq of CMP_CTX to newly enrolled certificate
...
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11808 )
2020-08-21 09:04:12 +02:00
Dr. David von Oheimb
28e9f62b2d
cmp_util.c: Add OPENSSL_CTX parameter to ossl_cmp_build_cert_chain(), improve its doc
...
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11808 )
2020-08-21 09:04:12 +02:00
Dr. David von Oheimb
1930b58642
cmp_hdr.c: Adapt ossl_cmp_hdr_init() to use OPENSSL_CTX for random number generation
...
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11808 )
2020-08-21 09:04:12 +02:00
Dr. David von Oheimb
2300083887
crypto/cmp: Prevent misleading errors in case x509v3_cache_extensions() fails
...
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11808 )
2020-08-21 09:04:11 +02:00
Dr. David von Oheimb
97e00da902
Add OPENSSL_CTX parameter to OSSL_CRMF_pbmp_new() and improve its doc
...
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11808 )
2020-08-21 09:04:11 +02:00
Dr. David von Oheimb
1a7cd250ad
Add libctx and propq parameters to OSSL_CMP_{SRV_},CTX_new() and ossl_cmp_mock_srv_new()
...
Also remove not really to-the-point error message if call fails in apps/cmp.c
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11808 )
2020-08-21 09:04:11 +02:00
Dr. David von Oheimb
7b1a3a5062
cmp_vfy.c: Fix bug: must verify msg signature also in 3GPP mode
...
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11808 )
2020-08-21 09:04:10 +02:00
Dr. David von Oheimb
eeccc23723
Introduce X509_add_cert[s] simplifying various additions to cert lists
...
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12615 )
2020-08-12 13:54:37 +02:00
Dr. David von Oheimb
1202de4481
Add OSSL_CMP_MSG_write(), use it in apps/cmp.c
...
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12421 )
2020-07-30 20:14:51 +02:00
Dr. David von Oheimb
fafa56a14f
Export ossl_cmp_msg_load() as OSSL_CMP_MSG_read(), use it in apps/cmp.c
...
Fixes #12403
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12421 )
2020-07-30 20:14:49 +02:00
Dr. David von Oheimb
593d6554f8
Export crm_new() of cmp_msg.c under the name OSSL_CMP_CTX_setup_CRM()
...
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12431 )
2020-07-30 09:38:08 +02:00
Dr. David von Oheimb
299e0f1eae
Streamline the CMP request session API, adding the generalized OSSL_CMP_exec_certreq()
...
Fixes #12395
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12431 )
2020-07-30 09:38:08 +02:00
Dr. David von Oheimb
1337a3a998
Constify X509_check_akid and prefer using X509_get0_serialNumber over X509_get_serialNumber
...
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12375 )
2020-07-16 15:48:53 +02:00
Dr. David von Oheimb
0d8dbb52e3
Add X509_self_signed(), extending and improving documenation and tests
...
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10587 )
2020-07-01 11:14:54 +02:00
Dr. David von Oheimb
11baa470a2
Fix CMP -days option range checking and test failing with enable-ubsan
...
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12175 )
2020-06-22 16:39:26 +02:00
Dr. David von Oheimb
c4a9e3ebbb
Move part of OSSL_CMP_validate_msg() to ossl_cmp_msg_check_update()
...
as checking expected_sender and adding caPubs is not part of msg validation.
Also constify a couple of internal and public functions related to cmp_vfy.c
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11998 )
2020-06-13 15:13:21 +02:00
Dr. David von Oheimb
7e8dbb7462
Bug fix in ossl_cmp_hdr_init(): sould not remember recipient as expected sender
...
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11998 )
2020-06-13 15:13:21 +02:00
Dr. David von Oheimb
1a27fe4be2
Bug fix in ossl_cmp_certRep_new(): must allocate empty extraCerts stack
...
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11998 )
2020-06-13 15:13:21 +02:00
Dr. David von Oheimb
12bbcee21b
Make CMP server use same protection for response as for request
...
Also adds ossl_cmp_hdr_get_protection_nid() simplifying cmp_vfy.c
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11998 )
2020-06-13 15:13:21 +02:00
Dr. David von Oheimb
5aed1786fc
Fill in transactionID on any error in OSSL_CMP_SRV_process_request()
...
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11998 )
2020-06-13 15:13:21 +02:00
Dr. David von Oheimb
430efff1b9
Improve ossl_cmp_msg_check_received() and rename to ossl_cmp_msg_check_update()
...
Bugfix: allow using extraCerts contained in msg already while checking signature
Improve function name, simplify its return value, and update its documentation
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11998 )
2020-06-13 15:13:21 +02:00
Dr. David von Oheimb
ca6f1ba903
Improve cert checking diagnostics of OSSL_CMP_validate_msg()
...
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11998 )
2020-06-13 15:13:21 +02:00
Dr. David von Oheimb
7aa70fd5e1
Remove misleading diagnostics on pinned sender cert in OSSL_CMP_validate_msg()
...
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11998 )
2020-06-13 15:13:21 +02:00
Dr. David von Oheimb
032b13c784
Correct error reason of verify_signature() in cmp_vfy.c
...
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11998 )
2020-06-13 15:13:21 +02:00
Dr. David von Oheimb
1693135564
Allow subject of CMP -oldcert as sender unless protection cert is given
...
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11998 )
2020-06-13 15:13:21 +02:00
Dr. David von Oheimb
6d934add34
Check expected sender not only for signature-protected CMP messages
...
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11998 )
2020-06-13 15:13:21 +02:00
Dr. David von Oheimb
b27ff9b87c
Streamline the approach to set CMP message recipient and expected sender
...
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11998 )
2020-06-13 15:13:21 +02:00
Dr. David von Oheimb
ce0465edc7
Fix too strict checks of ossl_cmp_calc_protection()
...
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11998 )
2020-06-13 15:13:21 +02:00
Dr. David von Oheimb
6e15b81c34
Move decl of OSSL_CRMF_CERTID_dup from {crmf,cmp}_local.h to include/openssl/crmf.h
...
fixes #11818
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11911 )
2020-05-24 17:39:37 +02:00
Dr. David von Oheimb
63f1883dca
Rename OSSL_CMP_CTX_set1_clCert() to OSSL_CMP_CTX_set1_cert()
...
Also update documentation and example code in openssl-cmp.pod.in
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11470 )
2020-05-13 19:42:00 +02:00
Dr. David von Oheimb
143be4748e
Add -reqin_new_tid option to apps/cmp.c and OSSL_CMP_MSG_update_transactionID()
...
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11470 )
2020-05-13 19:42:00 +02:00
Dr. David von Oheimb
9253f8346a
Constify 'req' parameter of OSSL_HTTP_post_asn1()
...
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11736 )
2020-05-09 16:57:08 +02:00
Dr. David von Oheimb
045229cfe8
Fix bug in OSSL_CMP_SRV_process_request() on transaction renewal
...
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11736 )
2020-05-09 16:57:08 +02:00
Rich Salz
852c2ed260
In OpenSSL builds, declare STACK for datatypes ...
...
... and only *define* them in the source files that need them.
Use DEFINE_OR_DECLARE which is set appropriately for internal builds
and not non-deprecated builds.
Deprecate stack-of-block
Better documentation
Move some ASN1 struct typedefs to types.h
Update ParseC to handle this. Most of all, ParseC needed to be more
consistent. The handlers are "recursive", in so far that they are called
again and again until they terminate, which depends entirely on what the
"massager" returns. There's a comment at the beginning of ParseC that
explains how that works. {Richard Levtte}
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10669 )
2020-04-24 16:42:46 +02:00
Matt Caswell
33388b44b6
Update copyright year
...
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11616 )
2020-04-23 13:55:52 +01:00
Matt Caswell
555ed96812
Fix no-err
...
This fixes an assertion failure that can occur in the CMP code in the
event of a no-err build. The "improve_location_name" function assumed
that the fallback argument was always populated with something. However
in a no-err build this is not the case.
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/11584 )
2020-04-22 10:41:58 +01:00