Changeset View
Changeset View
Standalone View
Standalone View
crypto/cmp/cmp_msg.c
/* | /* | ||||
* Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved. | * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. | ||||
* Copyright Nokia 2007-2019 | * Copyright Nokia 2007-2019 | ||||
* Copyright Siemens AG 2015-2019 | * Copyright Siemens AG 2015-2019 | ||||
* | * | ||||
Context not available. | |||||
OSSL_CRMF_MSG *crm = NULL; | OSSL_CRMF_MSG *crm = NULL; | ||||
X509 *refcert = ctx->oldCert != NULL ? ctx->oldCert : ctx->cert; | X509 *refcert = ctx->oldCert != NULL ? ctx->oldCert : ctx->cert; | ||||
/* refcert defaults to current client cert */ | /* refcert defaults to current client cert */ | ||||
EVP_PKEY *rkey = OSSL_CMP_CTX_get0_newPkey(ctx, 0); | EVP_PKEY *rkey = ossl_cmp_ctx_get0_newPubkey(ctx); | ||||
STACK_OF(GENERAL_NAME) *default_sans = NULL; | STACK_OF(GENERAL_NAME) *default_sans = NULL; | ||||
const X509_NAME *ref_subj = | const X509_NAME *ref_subj = | ||||
refcert != NULL ? X509_get_subject_name(refcert) : NULL; | refcert != NULL ? X509_get_subject_name(refcert) : NULL; | ||||
Context not available. | |||||
/* RFC5280: subjectAltName MUST be critical if subject is null */ | /* RFC5280: subjectAltName MUST be critical if subject is null */ | ||||
X509_EXTENSIONS *exts = NULL; | X509_EXTENSIONS *exts = NULL; | ||||
if (rkey == NULL && ctx->p10CSR != NULL) | |||||
rkey = X509_REQ_get0_pubkey(ctx->p10CSR); | |||||
if (rkey == NULL && refcert != NULL) | |||||
rkey = X509_get0_pubkey(refcert); | |||||
if (rkey == NULL) | |||||
rkey = ctx->pkey; /* default is independent of ctx->oldCert */ | |||||
if (rkey == NULL) { | if (rkey == NULL) { | ||||
#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION | #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION | ||||
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); | ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_PUBLIC_KEY); | ||||
return NULL; | return NULL; | ||||
#endif | #endif | ||||
} | } | ||||
Context not available. | |||||
if (type != OSSL_CMP_PKIBODY_P10CR) { | if (type != OSSL_CMP_PKIBODY_P10CR) { | ||||
EVP_PKEY *privkey = OSSL_CMP_CTX_get0_newPkey(ctx, 1); | EVP_PKEY *privkey = OSSL_CMP_CTX_get0_newPkey(ctx, 1); | ||||
/* | /* privkey is ctx->newPkey (if private, else NULL) or ctx->pkey */ | ||||
* privkey is NULL in case ctx->newPkey does not include a private key. | if (ctx->popoMethod >= OSSL_CRMF_POPO_SIGNATURE && privkey == NULL) { | ||||
* We then may try to use ctx->pkey as fallback/default, but only | ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_PRIVATE_KEY_FOR_POPO); | ||||
* if ctx-> newPkey does not include a (non-matching) public key: | |||||
*/ | |||||
if (privkey == NULL && OSSL_CMP_CTX_get0_newPkey(ctx, 0) == NULL) | |||||
privkey = ctx->pkey; /* default is independent of ctx->oldCert */ | |||||
if (ctx->popoMethod == OSSL_CRMF_POPO_SIGNATURE && privkey == NULL) { | |||||
ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_PRIVATE_KEY); | |||||
goto err; | goto err; | ||||
} | } | ||||
if (crm == NULL) { | if (crm == NULL) { | ||||
Context not available. | |||||
return 1; | return 1; | ||||
} | } | ||||
OSSL_CMP_MSG *ossl_cmp_certConf_new(OSSL_CMP_CTX *ctx, int fail_info, | OSSL_CMP_MSG *ossl_cmp_certConf_new(OSSL_CMP_CTX *ctx, int certReqId, | ||||
const char *text) | int fail_info, const char *text) | ||||
{ | { | ||||
OSSL_CMP_MSG *msg = NULL; | OSSL_CMP_MSG *msg = NULL; | ||||
OSSL_CMP_CERTSTATUS *certStatus = NULL; | OSSL_CMP_CERTSTATUS *certStatus = NULL; | ||||
ASN1_OCTET_STRING *certHash = NULL; | ASN1_OCTET_STRING *certHash = NULL; | ||||
OSSL_CMP_PKISI *sinfo; | OSSL_CMP_PKISI *sinfo; | ||||
if (!ossl_assert(ctx != NULL && ctx->newCert != NULL)) | if (!ossl_assert(ctx != NULL && ctx->newCert != NULL | ||||
&& (certReqId == OSSL_CMP_CERTREQID | |||||
|| certReqId == OSSL_CMP_CERTREQID_NONE))) | |||||
return NULL; | return NULL; | ||||
if ((unsigned)fail_info > OSSL_CMP_PKIFAILUREINFO_MAX_BIT_PATTERN) { | if ((unsigned)fail_info > OSSL_CMP_PKIFAILUREINFO_MAX_BIT_PATTERN) { | ||||
Context not available. | |||||
if ((certStatus = OSSL_CMP_CERTSTATUS_new()) == NULL) | if ((certStatus = OSSL_CMP_CERTSTATUS_new()) == NULL) | ||||
goto err; | goto err; | ||||
/* consume certStatus into msg right away so it gets deallocated with msg */ | /* consume certStatus into msg right away so it gets deallocated with msg */ | ||||
if (!sk_OSSL_CMP_CERTSTATUS_push(msg->body->value.certConf, certStatus)) | if (sk_OSSL_CMP_CERTSTATUS_push(msg->body->value.certConf, certStatus) < 1) { | ||||
OSSL_CMP_CERTSTATUS_free(certStatus); | |||||
goto err; | goto err; | ||||
} | |||||
/* set the ID of the certReq */ | /* set the ID of the certReq */ | ||||
if (!ASN1_INTEGER_set(certStatus->certReqId, OSSL_CMP_CERTREQID)) | if (!ASN1_INTEGER_set(certStatus->certReqId, certReqId)) | ||||
goto err; | goto err; | ||||
/* | /* | ||||
* The hash of the certificate, using the same hash algorithm | * The hash of the certificate, using the same hash algorithm | ||||
Context not available. | |||||
{ | { | ||||
int trid; | int trid; | ||||
if (rid == -1) | if (rid == OSSL_CMP_CERTREQID_NONE) | ||||
return 1; | return 1; | ||||
trid = ossl_cmp_asn1_get_int(certReqId); | trid = ossl_cmp_asn1_get_int(certReqId); | ||||
if (trid == -1) { | if (trid == OSSL_CMP_CERTREQID_NONE) { | ||||
ERR_raise(ERR_LIB_CMP, CMP_R_BAD_REQUEST_ID); | ERR_raise(ERR_LIB_CMP, CMP_R_BAD_REQUEST_ID); | ||||
return 0; | return 0; | ||||
} | } | ||||
Context not available. | |||||
/*- | /*- | ||||
* Retrieve the newly enrolled certificate from the given certResponse crep. | * Retrieve the newly enrolled certificate from the given certResponse crep. | ||||
* In case of indirect POPO uses the libctx and propq from ctx and private key. | * Uses libctx and propq from ctx, in case of indirect POPO also private key. | ||||
* Returns a pointer to a copy of the found certificate, or NULL if not found. | * Returns a pointer to a copy of the found certificate, or NULL if not found. | ||||
*/ | */ | ||||
X509 *ossl_cmp_certresponse_get1_cert(const OSSL_CMP_CERTRESPONSE *crep, | X509 *ossl_cmp_certresponse_get1_cert(const OSSL_CMP_CTX *ctx, | ||||
const OSSL_CMP_CTX *ctx, EVP_PKEY *pkey) | const OSSL_CMP_CERTRESPONSE *crep) | ||||
{ | { | ||||
OSSL_CMP_CERTORENCCERT *coec; | OSSL_CMP_CERTORENCCERT *coec; | ||||
X509 *crt = NULL; | X509 *crt = NULL; | ||||
EVP_PKEY *pkey; | |||||
if (!ossl_assert(crep != NULL && ctx != NULL)) | if (!ossl_assert(crep != NULL && ctx != NULL)) | ||||
return NULL; | return NULL; | ||||
Context not available. | |||||
break; | break; | ||||
case OSSL_CMP_CERTORENCCERT_ENCRYPTEDCERT: | case OSSL_CMP_CERTORENCCERT_ENCRYPTEDCERT: | ||||
/* cert encrypted for indirect PoP; RFC 4210, 5.2.8.2 */ | /* cert encrypted for indirect PoP; RFC 4210, 5.2.8.2 */ | ||||
pkey = OSSL_CMP_CTX_get0_newPkey(ctx, 1); | |||||
/* pkey is ctx->newPkey (if private, else NULL) or ctx->pkey */ | |||||
if (pkey == NULL) { | if (pkey == NULL) { | ||||
ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_PRIVATE_KEY); | ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_PRIVATE_KEY); | ||||
return NULL; | return NULL; | ||||
Context not available. | |||||
|| ossl_cmp_msg_protect(ctx, msg); | || ossl_cmp_msg_protect(ctx, msg); | ||||
} | } | ||||
int OSSL_CMP_MSG_update_recipNonce(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg) | |||||
{ | |||||
if (ctx == NULL || msg == NULL || msg->header == NULL) { | |||||
ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); | |||||
return 0; | |||||
} | |||||
if (ctx->recipNonce == NULL) /* nothing to do for 1st msg in transaction */ | |||||
return 1; | |||||
if (!ossl_cmp_asn1_octet_string_set1(&msg->header->recipNonce, | |||||
ctx->recipNonce)) | |||||
return 0; | |||||
return msg->header->protectionAlg == NULL || ossl_cmp_msg_protect(ctx, msg); | |||||
} | |||||
OSSL_CMP_MSG *OSSL_CMP_MSG_read(const char *file, OSSL_LIB_CTX *libctx, | OSSL_CMP_MSG *OSSL_CMP_MSG_read(const char *file, OSSL_LIB_CTX *libctx, | ||||
const char *propq) | const char *propq) | ||||
{ | { | ||||
Context not available. |