mirror of
https://github.com/openssl/openssl.git
synced 2024-12-03 05:41:46 +08:00
3dbc5156b0
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10297)
302 lines
10 KiB
C
302 lines
10 KiB
C
/*
|
|
* Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
|
|
* Copyright Nokia 2007-2019
|
|
* Copyright Siemens AG 2015-2019
|
|
*
|
|
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
* this file except in compliance with the License. You can obtain a copy
|
|
* in the file LICENSE in the source distribution or at
|
|
* https://www.openssl.org/source/license.html
|
|
*/
|
|
|
|
/* CMP functions for PKIStatusInfo handling and PKIMessage decomposition */
|
|
|
|
#include <string.h>
|
|
|
|
#include "cmp_local.h"
|
|
|
|
/* explicit #includes not strictly needed since implied by the above: */
|
|
#include <time.h>
|
|
#include <openssl/cmp.h>
|
|
#include <openssl/crmf.h>
|
|
#include <openssl/err.h> /* needed in case config no-deprecated */
|
|
#include <openssl/engine.h>
|
|
#include <openssl/evp.h>
|
|
#include <openssl/objects.h>
|
|
#include <openssl/x509.h>
|
|
#include <openssl/asn1err.h> /* for ASN1_R_TOO_SMALL and ASN1_R_TOO_LARGE */
|
|
|
|
/* CMP functions related to PKIStatus */
|
|
|
|
int ossl_cmp_pkisi_get_pkistatus(const OSSL_CMP_PKISI *si)
|
|
{
|
|
if (!ossl_assert(si != NULL && si->status != NULL))
|
|
return -1;
|
|
return ossl_cmp_asn1_get_int(si->status);
|
|
}
|
|
|
|
/*
|
|
* return the declared identifier and a short explanation for the PKIStatus
|
|
* value as specified in RFC4210, Appendix F.
|
|
*/
|
|
const char *ossl_cmp_PKIStatus_to_string(int status)
|
|
{
|
|
switch (status) {
|
|
case OSSL_CMP_PKISTATUS_accepted:
|
|
return "PKIStatus: accepted";
|
|
case OSSL_CMP_PKISTATUS_grantedWithMods:
|
|
return "PKIStatus: granted with modifications";
|
|
case OSSL_CMP_PKISTATUS_rejection:
|
|
return "PKIStatus: rejection";
|
|
case OSSL_CMP_PKISTATUS_waiting:
|
|
return "PKIStatus: waiting";
|
|
case OSSL_CMP_PKISTATUS_revocationWarning:
|
|
return "PKIStatus: revocation warning - a revocation of the cert is imminent";
|
|
case OSSL_CMP_PKISTATUS_revocationNotification:
|
|
return "PKIStatus: revocation notification - a revocation of the cert has occurred";
|
|
case OSSL_CMP_PKISTATUS_keyUpdateWarning:
|
|
return "PKIStatus: key update warning - update already done for the cert";
|
|
default:
|
|
{
|
|
char buf[40];
|
|
BIO_snprintf(buf, sizeof(buf), "PKIStatus: invalid=%d", status);
|
|
CMPerr(0, CMP_R_ERROR_PARSING_PKISTATUS);
|
|
ossl_cmp_add_error_data(buf);
|
|
return NULL;
|
|
}
|
|
}
|
|
}
|
|
|
|
/*
|
|
* returns a pointer to the statusString contained in a PKIStatusInfo
|
|
* returns NULL on error
|
|
*/
|
|
OSSL_CMP_PKIFREETEXT *ossl_cmp_pkisi_get0_statusstring(const OSSL_CMP_PKISI *si)
|
|
{
|
|
if (!ossl_assert(si != NULL))
|
|
return NULL;
|
|
return si->statusString;
|
|
}
|
|
|
|
/*
|
|
* returns the FailureInfo bits of the given PKIStatusInfo
|
|
* returns -1 on error
|
|
*/
|
|
int ossl_cmp_pkisi_get_pkifailureinfo(const OSSL_CMP_PKISI *si)
|
|
{
|
|
int i;
|
|
int res = 0;
|
|
|
|
if (!ossl_assert(si != NULL && si->failInfo != NULL))
|
|
return -1;
|
|
for (i = 0; i <= OSSL_CMP_PKIFAILUREINFO_MAX; i++)
|
|
if (ASN1_BIT_STRING_get_bit(si->failInfo, i))
|
|
res |= 1 << i;
|
|
return res;
|
|
}
|
|
|
|
/*
|
|
* internal function
|
|
* convert PKIFailureInfo number to human-readable string
|
|
*
|
|
* returns pointer to static string
|
|
* returns NULL on error
|
|
*/
|
|
static const char *CMP_PKIFAILUREINFO_to_string(int number)
|
|
{
|
|
switch (number) {
|
|
case OSSL_CMP_PKIFAILUREINFO_badAlg:
|
|
return "badAlg";
|
|
case OSSL_CMP_PKIFAILUREINFO_badMessageCheck:
|
|
return "badMessageCheck";
|
|
case OSSL_CMP_PKIFAILUREINFO_badRequest:
|
|
return "badRequest";
|
|
case OSSL_CMP_PKIFAILUREINFO_badTime:
|
|
return "badTime";
|
|
case OSSL_CMP_PKIFAILUREINFO_badCertId:
|
|
return "badCertId";
|
|
case OSSL_CMP_PKIFAILUREINFO_badDataFormat:
|
|
return "badDataFormat";
|
|
case OSSL_CMP_PKIFAILUREINFO_wrongAuthority:
|
|
return "wrongAuthority";
|
|
case OSSL_CMP_PKIFAILUREINFO_incorrectData:
|
|
return "incorrectData";
|
|
case OSSL_CMP_PKIFAILUREINFO_missingTimeStamp:
|
|
return "missingTimeStamp";
|
|
case OSSL_CMP_PKIFAILUREINFO_badPOP:
|
|
return "badPOP";
|
|
case OSSL_CMP_PKIFAILUREINFO_certRevoked:
|
|
return "certRevoked";
|
|
case OSSL_CMP_PKIFAILUREINFO_certConfirmed:
|
|
return "certConfirmed";
|
|
case OSSL_CMP_PKIFAILUREINFO_wrongIntegrity:
|
|
return "wrongIntegrity";
|
|
case OSSL_CMP_PKIFAILUREINFO_badRecipientNonce:
|
|
return "badRecipientNonce";
|
|
case OSSL_CMP_PKIFAILUREINFO_timeNotAvailable:
|
|
return "timeNotAvailable";
|
|
case OSSL_CMP_PKIFAILUREINFO_unacceptedPolicy:
|
|
return "unacceptedPolicy";
|
|
case OSSL_CMP_PKIFAILUREINFO_unacceptedExtension:
|
|
return "unacceptedExtension";
|
|
case OSSL_CMP_PKIFAILUREINFO_addInfoNotAvailable:
|
|
return "addInfoNotAvailable";
|
|
case OSSL_CMP_PKIFAILUREINFO_badSenderNonce:
|
|
return "badSenderNonce";
|
|
case OSSL_CMP_PKIFAILUREINFO_badCertTemplate:
|
|
return "badCertTemplate";
|
|
case OSSL_CMP_PKIFAILUREINFO_signerNotTrusted:
|
|
return "signerNotTrusted";
|
|
case OSSL_CMP_PKIFAILUREINFO_transactionIdInUse:
|
|
return "transactionIdInUse";
|
|
case OSSL_CMP_PKIFAILUREINFO_unsupportedVersion:
|
|
return "unsupportedVersion";
|
|
case OSSL_CMP_PKIFAILUREINFO_notAuthorized:
|
|
return "notAuthorized";
|
|
case OSSL_CMP_PKIFAILUREINFO_systemUnavail:
|
|
return "systemUnavail";
|
|
case OSSL_CMP_PKIFAILUREINFO_systemFailure:
|
|
return "systemFailure";
|
|
case OSSL_CMP_PKIFAILUREINFO_duplicateCertReq:
|
|
return "duplicateCertReq";
|
|
default:
|
|
return NULL; /* illegal failure number */
|
|
}
|
|
}
|
|
|
|
/*
|
|
* checks PKIFailureInfo bits in a given PKIStatusInfo
|
|
* returns 1 if a given bit is set, 0 if not, -1 on error
|
|
*/
|
|
int ossl_cmp_pkisi_pkifailureinfo_check(const OSSL_CMP_PKISI *si, int bit_index)
|
|
{
|
|
if (!ossl_assert(si != NULL && si->failInfo != NULL))
|
|
return -1;
|
|
if (bit_index < 0 || bit_index > OSSL_CMP_PKIFAILUREINFO_MAX) {
|
|
CMPerr(0, CMP_R_INVALID_ARGS);
|
|
return -1;
|
|
}
|
|
|
|
return ASN1_BIT_STRING_get_bit(si->failInfo, bit_index);
|
|
}
|
|
|
|
/*
|
|
* place human-readable error string created from PKIStatusInfo in given buffer
|
|
* returns pointer to the same buffer containing the string, or NULL on error
|
|
*/
|
|
char *OSSL_CMP_CTX_snprint_PKIStatus(OSSL_CMP_CTX *ctx, char *buf,
|
|
size_t bufsize)
|
|
{
|
|
int status, failure, fail_info;
|
|
const char *status_string, *failure_string;
|
|
OSSL_CMP_PKIFREETEXT *status_strings;
|
|
ASN1_UTF8STRING *text;
|
|
int i;
|
|
int printed_chars;
|
|
int failinfo_found = 0;
|
|
int n_status_strings;
|
|
char* write_ptr = buf;
|
|
|
|
#define ADVANCE_BUFFER \
|
|
if (printed_chars < 0 || (size_t)printed_chars >= bufsize) \
|
|
return NULL; \
|
|
write_ptr += printed_chars; \
|
|
bufsize -= printed_chars;
|
|
|
|
if (ctx == NULL
|
|
|| buf == NULL
|
|
|| (status = OSSL_CMP_CTX_get_status(ctx)) < 0
|
|
|| (status_string = ossl_cmp_PKIStatus_to_string(status)) == NULL)
|
|
return NULL;
|
|
printed_chars = BIO_snprintf(write_ptr, bufsize, "%s", status_string);
|
|
ADVANCE_BUFFER;
|
|
|
|
/* failInfo is optional and may be empty */
|
|
if ((fail_info = OSSL_CMP_CTX_get_failInfoCode(ctx)) > 0) {
|
|
printed_chars = BIO_snprintf(write_ptr, bufsize, "; PKIFailureInfo: ");
|
|
ADVANCE_BUFFER;
|
|
for (failure = 0; failure <= OSSL_CMP_PKIFAILUREINFO_MAX; failure++) {
|
|
if ((fail_info & (1 << failure)) != 0) {
|
|
failure_string = CMP_PKIFAILUREINFO_to_string(failure);
|
|
if (failure_string != NULL) {
|
|
printed_chars = BIO_snprintf(write_ptr, bufsize, "%s%s",
|
|
failure > 0 ? ", " : "",
|
|
failure_string);
|
|
ADVANCE_BUFFER;
|
|
failinfo_found = 1;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
if (!failinfo_found && status != OSSL_CMP_PKISTATUS_accepted
|
|
&& status != OSSL_CMP_PKISTATUS_grantedWithMods) {
|
|
printed_chars = BIO_snprintf(write_ptr, bufsize, "; <no failure info>");
|
|
ADVANCE_BUFFER;
|
|
}
|
|
|
|
/* statusString sequence is optional and may be empty */
|
|
status_strings = OSSL_CMP_CTX_get0_statusString(ctx);
|
|
n_status_strings = sk_ASN1_UTF8STRING_num(status_strings);
|
|
if (n_status_strings > 0) {
|
|
printed_chars = BIO_snprintf(write_ptr, bufsize, "; StatusString%s: ",
|
|
n_status_strings > 1 ? "s" : "");
|
|
ADVANCE_BUFFER;
|
|
for (i = 0; i < n_status_strings; i++) {
|
|
text = sk_ASN1_UTF8STRING_value(status_strings, i);
|
|
printed_chars = BIO_snprintf(write_ptr, bufsize, "\"%s\"%s",
|
|
ASN1_STRING_get0_data(text),
|
|
i < n_status_strings - 1 ? ", " : "");
|
|
ADVANCE_BUFFER;
|
|
}
|
|
}
|
|
#undef ADVANCE_BUFFER
|
|
return buf;
|
|
}
|
|
|
|
/*
|
|
* Creates a new PKIStatusInfo structure and fills it in
|
|
* returns a pointer to the structure on success, NULL on error
|
|
* note: strongly overlaps with TS_RESP_CTX_set_status_info()
|
|
* and TS_RESP_CTX_add_failure_info() in ../ts/ts_rsp_sign.c
|
|
*/
|
|
OSSL_CMP_PKISI *ossl_cmp_statusinfo_new(int status, int fail_info,
|
|
const char *text)
|
|
{
|
|
OSSL_CMP_PKISI *si = OSSL_CMP_PKISI_new();
|
|
ASN1_UTF8STRING *utf8_text = NULL;
|
|
int failure;
|
|
|
|
if (si == NULL)
|
|
goto err;
|
|
if (!ASN1_INTEGER_set(si->status, status))
|
|
goto err;
|
|
|
|
if (text != NULL) {
|
|
if ((utf8_text = ASN1_UTF8STRING_new()) == NULL
|
|
|| !ASN1_STRING_set(utf8_text, text, -1))
|
|
goto err;
|
|
if ((si->statusString = sk_ASN1_UTF8STRING_new_null()) == NULL)
|
|
goto err;
|
|
if (!sk_ASN1_UTF8STRING_push(si->statusString, utf8_text))
|
|
goto err;
|
|
/* Ownership is lost. */
|
|
utf8_text = NULL;
|
|
}
|
|
|
|
for (failure = 0; failure <= OSSL_CMP_PKIFAILUREINFO_MAX; failure++) {
|
|
if ((fail_info & (1 << failure)) != 0) {
|
|
if (si->failInfo == NULL
|
|
&& (si->failInfo = ASN1_BIT_STRING_new()) == NULL)
|
|
goto err;
|
|
if (!ASN1_BIT_STRING_set_bit(si->failInfo, failure, 1))
|
|
goto err;
|
|
}
|
|
}
|
|
return si;
|
|
|
|
err:
|
|
OSSL_CMP_PKISI_free(si);
|
|
ASN1_UTF8STRING_free(utf8_text);
|
|
return NULL;
|
|
}
|