cmp_msg.c 31 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047
  1. /*
  2. * Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved.
  3. * Copyright Nokia 2007-2019
  4. * Copyright Siemens AG 2015-2019
  5. *
  6. * Licensed under the Apache License 2.0 (the "License"). You may not use
  7. * this file except in compliance with the License. You can obtain a copy
  8. * in the file LICENSE in the source distribution or at
  9. * https://www.openssl.org/source/license.html
  10. */
  11. /* CMP functions for PKIMessage construction */
  12. #include "cmp_local.h"
  13. /* explicit #includes not strictly needed since implied by the above: */
  14. #include <openssl/asn1t.h>
  15. #include <openssl/cmp.h>
  16. #include <openssl/crmf.h>
  17. #include <openssl/err.h>
  18. #include <openssl/x509.h>
  19. #include "crypto/x509.h" /* for x509_set0_libctx() */
  20. OSSL_CMP_PKIHEADER *OSSL_CMP_MSG_get0_header(const OSSL_CMP_MSG *msg)
  21. {
  22. if (msg == NULL) {
  23. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  24. return NULL;
  25. }
  26. return msg->header;
  27. }
  28. const char *ossl_cmp_bodytype_to_string(int type)
  29. {
  30. static const char *type_names[] = {
  31. "IR", "IP", "CR", "CP", "P10CR",
  32. "POPDECC", "POPDECR", "KUR", "KUP",
  33. "KRR", "KRP", "RR", "RP", "CCR", "CCP",
  34. "CKUANN", "CANN", "RANN", "CRLANN", "PKICONF", "NESTED",
  35. "GENM", "GENP", "ERROR", "CERTCONF", "POLLREQ", "POLLREP",
  36. };
  37. if (type < 0 || type > OSSL_CMP_PKIBODY_TYPE_MAX)
  38. return "illegal body type";
  39. return type_names[type];
  40. }
  41. int ossl_cmp_msg_set_bodytype(OSSL_CMP_MSG *msg, int type)
  42. {
  43. if (!ossl_assert(msg != NULL && msg->body != NULL))
  44. return 0;
  45. msg->body->type = type;
  46. return 1;
  47. }
  48. int ossl_cmp_msg_get_bodytype(const OSSL_CMP_MSG *msg)
  49. {
  50. if (!ossl_assert(msg != NULL && msg->body != NULL))
  51. return -1;
  52. return msg->body->type;
  53. }
  54. /* Add an extension to the referenced extension stack, which may be NULL */
  55. static int add1_extension(X509_EXTENSIONS **pexts, int nid, int crit, void *ex)
  56. {
  57. X509_EXTENSION *ext;
  58. int res;
  59. if (!ossl_assert(pexts != NULL)) /* pointer to var must not be NULL */
  60. return 0;
  61. if ((ext = X509V3_EXT_i2d(nid, crit, ex)) == NULL)
  62. return 0;
  63. res = X509v3_add_ext(pexts, ext, 0) != NULL;
  64. X509_EXTENSION_free(ext);
  65. return res;
  66. }
  67. /* Add a CRL revocation reason code to extension stack, which may be NULL */
  68. static int add_crl_reason_extension(X509_EXTENSIONS **pexts, int reason_code)
  69. {
  70. ASN1_ENUMERATED *val = ASN1_ENUMERATED_new();
  71. int res = 0;
  72. if (val != NULL && ASN1_ENUMERATED_set(val, reason_code))
  73. res = add1_extension(pexts, NID_crl_reason, 0 /* non-critical */, val);
  74. ASN1_ENUMERATED_free(val);
  75. return res;
  76. }
  77. OSSL_CMP_MSG *ossl_cmp_msg_create(OSSL_CMP_CTX *ctx, int bodytype)
  78. {
  79. OSSL_CMP_MSG *msg = NULL;
  80. if (!ossl_assert(ctx != NULL))
  81. return NULL;
  82. if ((msg = OSSL_CMP_MSG_new()) == NULL)
  83. return NULL;
  84. if (!ossl_cmp_hdr_init(ctx, msg->header)
  85. || !ossl_cmp_msg_set_bodytype(msg, bodytype))
  86. goto err;
  87. if (ctx->geninfo_ITAVs != NULL
  88. && !ossl_cmp_hdr_generalInfo_push1_items(msg->header,
  89. ctx->geninfo_ITAVs))
  90. goto err;
  91. switch (bodytype) {
  92. case OSSL_CMP_PKIBODY_IR:
  93. case OSSL_CMP_PKIBODY_CR:
  94. case OSSL_CMP_PKIBODY_KUR:
  95. if ((msg->body->value.ir = OSSL_CRMF_MSGS_new()) == NULL)
  96. goto err;
  97. return msg;
  98. case OSSL_CMP_PKIBODY_P10CR:
  99. if (ctx->p10CSR == NULL) {
  100. ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_P10CSR);
  101. goto err;
  102. }
  103. if ((msg->body->value.p10cr = X509_REQ_dup(ctx->p10CSR)) == NULL)
  104. goto err;
  105. return msg;
  106. case OSSL_CMP_PKIBODY_IP:
  107. case OSSL_CMP_PKIBODY_CP:
  108. case OSSL_CMP_PKIBODY_KUP:
  109. if ((msg->body->value.ip = OSSL_CMP_CERTREPMESSAGE_new()) == NULL)
  110. goto err;
  111. return msg;
  112. case OSSL_CMP_PKIBODY_RR:
  113. if ((msg->body->value.rr = sk_OSSL_CMP_REVDETAILS_new_null()) == NULL)
  114. goto err;
  115. return msg;
  116. case OSSL_CMP_PKIBODY_RP:
  117. if ((msg->body->value.rp = OSSL_CMP_REVREPCONTENT_new()) == NULL)
  118. goto err;
  119. return msg;
  120. case OSSL_CMP_PKIBODY_CERTCONF:
  121. if ((msg->body->value.certConf =
  122. sk_OSSL_CMP_CERTSTATUS_new_null()) == NULL)
  123. goto err;
  124. return msg;
  125. case OSSL_CMP_PKIBODY_PKICONF:
  126. if ((msg->body->value.pkiconf = ASN1_TYPE_new()) == NULL)
  127. goto err;
  128. ASN1_TYPE_set(msg->body->value.pkiconf, V_ASN1_NULL, NULL);
  129. return msg;
  130. case OSSL_CMP_PKIBODY_POLLREQ:
  131. if ((msg->body->value.pollReq = sk_OSSL_CMP_POLLREQ_new_null()) == NULL)
  132. goto err;
  133. return msg;
  134. case OSSL_CMP_PKIBODY_POLLREP:
  135. if ((msg->body->value.pollRep = sk_OSSL_CMP_POLLREP_new_null()) == NULL)
  136. goto err;
  137. return msg;
  138. case OSSL_CMP_PKIBODY_GENM:
  139. case OSSL_CMP_PKIBODY_GENP:
  140. if ((msg->body->value.genm = sk_OSSL_CMP_ITAV_new_null()) == NULL)
  141. goto err;
  142. return msg;
  143. case OSSL_CMP_PKIBODY_ERROR:
  144. if ((msg->body->value.error = OSSL_CMP_ERRORMSGCONTENT_new()) == NULL)
  145. goto err;
  146. return msg;
  147. default:
  148. ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
  149. goto err;
  150. }
  151. err:
  152. OSSL_CMP_MSG_free(msg);
  153. return NULL;
  154. }
  155. #define HAS_SAN(ctx) \
  156. (sk_GENERAL_NAME_num((ctx)->subjectAltNames) > 0 \
  157. || OSSL_CMP_CTX_reqExtensions_have_SAN(ctx) == 1)
  158. static const X509_NAME *determine_subj(OSSL_CMP_CTX *ctx, X509 *refcert,
  159. int for_KUR)
  160. {
  161. if (ctx->subjectName != NULL)
  162. return ctx->subjectName;
  163. if (refcert != NULL && (for_KUR || !HAS_SAN(ctx)))
  164. /*
  165. * For KUR, copy subjectName from reference certificate.
  166. * For IR or CR, do the same only if there is no subjectAltName.
  167. */
  168. return X509_get_subject_name(refcert);
  169. return NULL;
  170. }
  171. OSSL_CRMF_MSG *OSSL_CMP_CTX_setup_CRM(OSSL_CMP_CTX *ctx, int for_KUR, int rid)
  172. {
  173. OSSL_CRMF_MSG *crm = NULL;
  174. X509 *refcert = ctx->oldCert != NULL ? ctx->oldCert : ctx->cert;
  175. /* refcert defaults to current client cert */
  176. EVP_PKEY *rkey = OSSL_CMP_CTX_get0_newPkey(ctx, 0);
  177. STACK_OF(GENERAL_NAME) *default_sans = NULL;
  178. const X509_NAME *subject = determine_subj(ctx, refcert, for_KUR);
  179. const X509_NAME *issuer = ctx->issuer != NULL || refcert == NULL
  180. ? ctx->issuer : X509_get_issuer_name(refcert);
  181. int crit = ctx->setSubjectAltNameCritical || subject == NULL;
  182. /* RFC5280: subjectAltName MUST be critical if subject is null */
  183. X509_EXTENSIONS *exts = NULL;
  184. if (rkey == NULL)
  185. rkey = ctx->pkey; /* default is independent of ctx->oldCert */
  186. if (rkey == NULL) {
  187. #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
  188. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  189. return NULL;
  190. #endif
  191. }
  192. if (for_KUR && refcert == NULL) {
  193. ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_REFERENCE_CERT);
  194. return NULL;
  195. }
  196. if ((crm = OSSL_CRMF_MSG_new()) == NULL)
  197. return NULL;
  198. if (!OSSL_CRMF_MSG_set_certReqId(crm, rid)
  199. /*
  200. * fill certTemplate, corresponding to CertificationRequestInfo
  201. * of PKCS#10. The rkey param cannot be NULL so far -
  202. * it could be NULL if centralized key creation was supported
  203. */
  204. || !OSSL_CRMF_CERTTEMPLATE_fill(OSSL_CRMF_MSG_get0_tmpl(crm), rkey,
  205. subject, issuer, NULL /* serial */))
  206. goto err;
  207. if (ctx->days != 0) {
  208. time_t now = time(NULL);
  209. ASN1_TIME *notBefore = ASN1_TIME_adj(NULL, now, 0, 0);
  210. ASN1_TIME *notAfter = ASN1_TIME_adj(NULL, now, ctx->days, 0);
  211. if (notBefore == NULL
  212. || notAfter == NULL
  213. || !OSSL_CRMF_MSG_set0_validity(crm, notBefore, notAfter)) {
  214. ASN1_TIME_free(notBefore);
  215. ASN1_TIME_free(notAfter);
  216. goto err;
  217. }
  218. }
  219. /* extensions */
  220. if (refcert != NULL && !ctx->SubjectAltName_nodefault)
  221. default_sans = X509V3_get_d2i(X509_get0_extensions(refcert),
  222. NID_subject_alt_name, NULL, NULL);
  223. /* exts are copied from ctx to allow reuse */
  224. if (ctx->reqExtensions != NULL) {
  225. exts = sk_X509_EXTENSION_deep_copy(ctx->reqExtensions,
  226. X509_EXTENSION_dup,
  227. X509_EXTENSION_free);
  228. if (exts == NULL)
  229. goto err;
  230. }
  231. if (sk_GENERAL_NAME_num(ctx->subjectAltNames) > 0
  232. && !add1_extension(&exts, NID_subject_alt_name,
  233. crit, ctx->subjectAltNames))
  234. goto err;
  235. if (!HAS_SAN(ctx) && default_sans != NULL
  236. && !add1_extension(&exts, NID_subject_alt_name, crit, default_sans))
  237. goto err;
  238. if (ctx->policies != NULL
  239. && !add1_extension(&exts, NID_certificate_policies,
  240. ctx->setPoliciesCritical, ctx->policies))
  241. goto err;
  242. if (!OSSL_CRMF_MSG_set0_extensions(crm, exts))
  243. goto err;
  244. exts = NULL;
  245. /* end fill certTemplate, now set any controls */
  246. /* for KUR, set OldCertId according to D.6 */
  247. if (for_KUR) {
  248. OSSL_CRMF_CERTID *cid =
  249. OSSL_CRMF_CERTID_gen(X509_get_issuer_name(refcert),
  250. X509_get0_serialNumber(refcert));
  251. int ret;
  252. if (cid == NULL)
  253. goto err;
  254. ret = OSSL_CRMF_MSG_set1_regCtrl_oldCertID(crm, cid);
  255. OSSL_CRMF_CERTID_free(cid);
  256. if (ret == 0)
  257. goto err;
  258. }
  259. goto end;
  260. err:
  261. OSSL_CRMF_MSG_free(crm);
  262. crm = NULL;
  263. end:
  264. sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
  265. sk_GENERAL_NAME_pop_free(default_sans, GENERAL_NAME_free);
  266. return crm;
  267. }
  268. OSSL_CMP_MSG *ossl_cmp_certreq_new(OSSL_CMP_CTX *ctx, int type,
  269. const OSSL_CRMF_MSG *crm)
  270. {
  271. OSSL_CMP_MSG *msg;
  272. OSSL_CRMF_MSG *local_crm = NULL;
  273. if (!ossl_assert(ctx != NULL))
  274. return NULL;
  275. if (type != OSSL_CMP_PKIBODY_IR && type != OSSL_CMP_PKIBODY_CR
  276. && type != OSSL_CMP_PKIBODY_KUR && type != OSSL_CMP_PKIBODY_P10CR) {
  277. ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS);
  278. return NULL;
  279. }
  280. if ((msg = ossl_cmp_msg_create(ctx, type)) == NULL)
  281. goto err;
  282. /* header */
  283. if (ctx->implicitConfirm && !ossl_cmp_hdr_set_implicitConfirm(msg->header))
  284. goto err;
  285. /* body */
  286. /* For P10CR the content has already been set in OSSL_CMP_MSG_create */
  287. if (type != OSSL_CMP_PKIBODY_P10CR) {
  288. EVP_PKEY *privkey = OSSL_CMP_CTX_get0_newPkey(ctx, 1);
  289. /*
  290. * privkey is NULL in case ctx->newPkey does not include a private key.
  291. * We then may try to use ctx->pkey as fallback/default, but only
  292. * if ctx-> newPkey does not include a (non-matching) public key:
  293. */
  294. if (privkey == NULL && OSSL_CMP_CTX_get0_newPkey(ctx, 0) == NULL)
  295. privkey = ctx->pkey; /* default is independent of ctx->oldCert */
  296. if (ctx->popoMethod == OSSL_CRMF_POPO_SIGNATURE && privkey == NULL) {
  297. ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_PRIVATE_KEY);
  298. goto err;
  299. }
  300. if (crm == NULL) {
  301. local_crm = OSSL_CMP_CTX_setup_CRM(ctx,
  302. type == OSSL_CMP_PKIBODY_KUR,
  303. OSSL_CMP_CERTREQID);
  304. if (local_crm == NULL
  305. || !OSSL_CRMF_MSG_create_popo(ctx->popoMethod, local_crm,
  306. privkey, ctx->digest,
  307. ctx->libctx, ctx->propq))
  308. goto err;
  309. } else {
  310. if ((local_crm = OSSL_CRMF_MSG_dup(crm)) == NULL)
  311. goto err;
  312. }
  313. /* value.ir is same for cr and kur */
  314. if (!sk_OSSL_CRMF_MSG_push(msg->body->value.ir, local_crm))
  315. goto err;
  316. local_crm = NULL;
  317. /* TODO: here optional 2nd certreqmsg could be pushed to the stack */
  318. }
  319. if (!ossl_cmp_msg_protect(ctx, msg))
  320. goto err;
  321. return msg;
  322. err:
  323. ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_CERTREQ);
  324. OSSL_CRMF_MSG_free(local_crm);
  325. OSSL_CMP_MSG_free(msg);
  326. return NULL;
  327. }
  328. OSSL_CMP_MSG *ossl_cmp_certrep_new(OSSL_CMP_CTX *ctx, int bodytype,
  329. int certReqId, OSSL_CMP_PKISI *si,
  330. X509 *cert, STACK_OF(X509) *chain,
  331. STACK_OF(X509) *caPubs, int encrypted,
  332. int unprotectedErrors)
  333. {
  334. OSSL_CMP_MSG *msg = NULL;
  335. OSSL_CMP_CERTREPMESSAGE *repMsg = NULL;
  336. OSSL_CMP_CERTRESPONSE *resp = NULL;
  337. int status = -1;
  338. if (!ossl_assert(ctx != NULL && si != NULL))
  339. return NULL;
  340. if ((msg = ossl_cmp_msg_create(ctx, bodytype)) == NULL)
  341. goto err;
  342. repMsg = msg->body->value.ip; /* value.ip is same for cp and kup */
  343. /* header */
  344. if (ctx->implicitConfirm && !ossl_cmp_hdr_set_implicitConfirm(msg->header))
  345. goto err;
  346. /* body */
  347. if ((resp = OSSL_CMP_CERTRESPONSE_new()) == NULL)
  348. goto err;
  349. OSSL_CMP_PKISI_free(resp->status);
  350. if ((resp->status = OSSL_CMP_PKISI_dup(si)) == NULL
  351. || !ASN1_INTEGER_set(resp->certReqId, certReqId))
  352. goto err;
  353. status = ossl_cmp_pkisi_get_status(resp->status);
  354. if (status != OSSL_CMP_PKISTATUS_rejection
  355. && status != OSSL_CMP_PKISTATUS_waiting && cert != NULL) {
  356. if (encrypted) {
  357. ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS);
  358. goto err;
  359. }
  360. if ((resp->certifiedKeyPair = OSSL_CMP_CERTIFIEDKEYPAIR_new())
  361. == NULL)
  362. goto err;
  363. resp->certifiedKeyPair->certOrEncCert->type =
  364. OSSL_CMP_CERTORENCCERT_CERTIFICATE;
  365. if (!X509_up_ref(cert))
  366. goto err;
  367. resp->certifiedKeyPair->certOrEncCert->value.certificate = cert;
  368. }
  369. if (!sk_OSSL_CMP_CERTRESPONSE_push(repMsg->response, resp))
  370. goto err;
  371. resp = NULL;
  372. /* TODO: here optional 2nd certrep could be pushed to the stack */
  373. if (bodytype == OSSL_CMP_PKIBODY_IP && caPubs != NULL
  374. && (repMsg->caPubs = X509_chain_up_ref(caPubs)) == NULL)
  375. goto err;
  376. if (sk_X509_num(chain) > 0) {
  377. msg->extraCerts = sk_X509_new_reserve(NULL, sk_X509_num(chain));
  378. if (msg->extraCerts == NULL
  379. || !X509_add_certs(msg->extraCerts, chain,
  380. X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP))
  381. goto err;
  382. }
  383. if (!unprotectedErrors
  384. || ossl_cmp_pkisi_get_status(si) != OSSL_CMP_PKISTATUS_rejection)
  385. if (!ossl_cmp_msg_protect(ctx, msg))
  386. goto err;
  387. return msg;
  388. err:
  389. ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_CERTREP);
  390. OSSL_CMP_CERTRESPONSE_free(resp);
  391. OSSL_CMP_MSG_free(msg);
  392. return NULL;
  393. }
  394. OSSL_CMP_MSG *ossl_cmp_rr_new(OSSL_CMP_CTX *ctx)
  395. {
  396. OSSL_CMP_MSG *msg = NULL;
  397. OSSL_CMP_REVDETAILS *rd;
  398. if (!ossl_assert(ctx != NULL && ctx->oldCert != NULL))
  399. return NULL;
  400. if ((rd = OSSL_CMP_REVDETAILS_new()) == NULL)
  401. goto err;
  402. /* Fill the template from the contents of the certificate to be revoked */
  403. if (!OSSL_CRMF_CERTTEMPLATE_fill(rd->certDetails,
  404. NULL /* pubkey would be redundant */,
  405. NULL /* subject would be redundant */,
  406. X509_get_issuer_name(ctx->oldCert),
  407. X509_get0_serialNumber(ctx->oldCert)))
  408. goto err;
  409. /* revocation reason code is optional */
  410. if (ctx->revocationReason != CRL_REASON_NONE
  411. && !add_crl_reason_extension(&rd->crlEntryDetails,
  412. ctx->revocationReason))
  413. goto err;
  414. if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_RR)) == NULL)
  415. goto err;
  416. if (!sk_OSSL_CMP_REVDETAILS_push(msg->body->value.rr, rd))
  417. goto err;
  418. rd = NULL;
  419. /*
  420. * TODO: the Revocation Passphrase according to section 5.3.19.9 could be
  421. * set here if set in ctx
  422. */
  423. if (!ossl_cmp_msg_protect(ctx, msg))
  424. goto err;
  425. return msg;
  426. err:
  427. ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_RR);
  428. OSSL_CMP_MSG_free(msg);
  429. OSSL_CMP_REVDETAILS_free(rd);
  430. return NULL;
  431. }
  432. OSSL_CMP_MSG *ossl_cmp_rp_new(OSSL_CMP_CTX *ctx, OSSL_CMP_PKISI *si,
  433. OSSL_CRMF_CERTID *cid, int unprot_err)
  434. {
  435. OSSL_CMP_REVREPCONTENT *rep = NULL;
  436. OSSL_CMP_PKISI *si1 = NULL;
  437. OSSL_CRMF_CERTID *cid_copy = NULL;
  438. OSSL_CMP_MSG *msg = NULL;
  439. if (!ossl_assert(ctx != NULL && si != NULL && cid != NULL))
  440. return NULL;
  441. if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_RP)) == NULL)
  442. goto err;
  443. rep = msg->body->value.rp;
  444. if ((si1 = OSSL_CMP_PKISI_dup(si)) == NULL)
  445. goto err;
  446. if (!sk_OSSL_CMP_PKISI_push(rep->status, si1)) {
  447. OSSL_CMP_PKISI_free(si1);
  448. goto err;
  449. }
  450. if ((rep->revCerts = sk_OSSL_CRMF_CERTID_new_null()) == NULL)
  451. goto err;
  452. if ((cid_copy = OSSL_CRMF_CERTID_dup(cid)) == NULL)
  453. goto err;
  454. if (!sk_OSSL_CRMF_CERTID_push(rep->revCerts, cid_copy)) {
  455. OSSL_CRMF_CERTID_free(cid_copy);
  456. goto err;
  457. }
  458. if (!unprot_err
  459. || ossl_cmp_pkisi_get_status(si) != OSSL_CMP_PKISTATUS_rejection)
  460. if (!ossl_cmp_msg_protect(ctx, msg))
  461. goto err;
  462. return msg;
  463. err:
  464. ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_RP);
  465. OSSL_CMP_MSG_free(msg);
  466. return NULL;
  467. }
  468. OSSL_CMP_MSG *ossl_cmp_pkiconf_new(OSSL_CMP_CTX *ctx)
  469. {
  470. OSSL_CMP_MSG *msg;
  471. if (!ossl_assert(ctx != NULL))
  472. return NULL;
  473. if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_PKICONF)) == NULL)
  474. goto err;
  475. if (ossl_cmp_msg_protect(ctx, msg))
  476. return msg;
  477. err:
  478. ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_PKICONF);
  479. OSSL_CMP_MSG_free(msg);
  480. return NULL;
  481. }
  482. int ossl_cmp_msg_gen_push0_ITAV(OSSL_CMP_MSG *msg, OSSL_CMP_ITAV *itav)
  483. {
  484. int bodytype;
  485. if (!ossl_assert(msg != NULL && itav != NULL))
  486. return 0;
  487. bodytype = ossl_cmp_msg_get_bodytype(msg);
  488. if (bodytype != OSSL_CMP_PKIBODY_GENM
  489. && bodytype != OSSL_CMP_PKIBODY_GENP) {
  490. ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS);
  491. return 0;
  492. }
  493. /* value.genp has the same structure, so this works for genp as well */
  494. return OSSL_CMP_ITAV_push0_stack_item(&msg->body->value.genm, itav);
  495. }
  496. int ossl_cmp_msg_gen_push1_ITAVs(OSSL_CMP_MSG *msg,
  497. const STACK_OF(OSSL_CMP_ITAV) *itavs)
  498. {
  499. int i;
  500. OSSL_CMP_ITAV *itav = NULL;
  501. if (!ossl_assert(msg != NULL))
  502. return 0;
  503. for (i = 0; i < sk_OSSL_CMP_ITAV_num(itavs); i++) {
  504. itav = OSSL_CMP_ITAV_dup(sk_OSSL_CMP_ITAV_value(itavs, i));
  505. if (itav == NULL
  506. || !ossl_cmp_msg_gen_push0_ITAV(msg, itav)) {
  507. OSSL_CMP_ITAV_free(itav);
  508. return 0;
  509. }
  510. }
  511. return 1;
  512. }
  513. /*
  514. * Creates a new General Message/Response with an empty itav stack
  515. * returns a pointer to the PKIMessage on success, NULL on error
  516. */
  517. static OSSL_CMP_MSG *gen_new(OSSL_CMP_CTX *ctx,
  518. const STACK_OF(OSSL_CMP_ITAV) *itavs,
  519. int body_type, int err_code)
  520. {
  521. OSSL_CMP_MSG *msg = NULL;
  522. if (!ossl_assert(ctx != NULL))
  523. return NULL;
  524. if ((msg = ossl_cmp_msg_create(ctx, body_type)) == NULL)
  525. return NULL;
  526. if (ctx->genm_ITAVs != NULL
  527. && !ossl_cmp_msg_gen_push1_ITAVs(msg, itavs))
  528. goto err;
  529. if (!ossl_cmp_msg_protect(ctx, msg))
  530. goto err;
  531. return msg;
  532. err:
  533. ERR_raise(ERR_LIB_CMP, err_code);
  534. OSSL_CMP_MSG_free(msg);
  535. return NULL;
  536. }
  537. OSSL_CMP_MSG *ossl_cmp_genm_new(OSSL_CMP_CTX *ctx)
  538. {
  539. return gen_new(ctx, ctx->genm_ITAVs,
  540. OSSL_CMP_PKIBODY_GENM, CMP_R_ERROR_CREATING_GENM);
  541. }
  542. OSSL_CMP_MSG *ossl_cmp_genp_new(OSSL_CMP_CTX *ctx,
  543. const STACK_OF(OSSL_CMP_ITAV) *itavs)
  544. {
  545. return gen_new(ctx, itavs,
  546. OSSL_CMP_PKIBODY_GENP, CMP_R_ERROR_CREATING_GENP);
  547. }
  548. OSSL_CMP_MSG *ossl_cmp_error_new(OSSL_CMP_CTX *ctx, OSSL_CMP_PKISI *si,
  549. int errorCode,
  550. const char *details, int unprotected)
  551. {
  552. OSSL_CMP_MSG *msg = NULL;
  553. OSSL_CMP_PKIFREETEXT *ft;
  554. if (!ossl_assert(ctx != NULL && si != NULL))
  555. return NULL;
  556. if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_ERROR)) == NULL)
  557. goto err;
  558. OSSL_CMP_PKISI_free(msg->body->value.error->pKIStatusInfo);
  559. if ((msg->body->value.error->pKIStatusInfo = OSSL_CMP_PKISI_dup(si))
  560. == NULL)
  561. goto err;
  562. if (errorCode >= 0) {
  563. if ((msg->body->value.error->errorCode = ASN1_INTEGER_new()) == NULL)
  564. goto err;
  565. if (!ASN1_INTEGER_set(msg->body->value.error->errorCode, errorCode))
  566. goto err;
  567. }
  568. if (details != NULL) {
  569. if ((ft = sk_ASN1_UTF8STRING_new_null()) == NULL)
  570. goto err;
  571. msg->body->value.error->errorDetails = ft;
  572. if (!ossl_cmp_sk_ASN1_UTF8STRING_push_str(ft, details))
  573. goto err;
  574. }
  575. if (!unprotected && !ossl_cmp_msg_protect(ctx, msg))
  576. goto err;
  577. return msg;
  578. err:
  579. ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_ERROR);
  580. OSSL_CMP_MSG_free(msg);
  581. return NULL;
  582. }
  583. /*
  584. * Set the certHash field of a OSSL_CMP_CERTSTATUS structure.
  585. * This is used in the certConf message, for example,
  586. * to confirm that the certificate was received successfully.
  587. */
  588. int ossl_cmp_certstatus_set0_certHash(OSSL_CMP_CERTSTATUS *certStatus,
  589. ASN1_OCTET_STRING *hash)
  590. {
  591. if (!ossl_assert(certStatus != NULL))
  592. return 0;
  593. ASN1_OCTET_STRING_free(certStatus->certHash);
  594. certStatus->certHash = hash;
  595. return 1;
  596. }
  597. /*
  598. * TODO: handle potential 2nd certificate when signing and encrypting
  599. * certificates have been requested/received
  600. */
  601. OSSL_CMP_MSG *ossl_cmp_certConf_new(OSSL_CMP_CTX *ctx, int fail_info,
  602. const char *text)
  603. {
  604. OSSL_CMP_MSG *msg = NULL;
  605. OSSL_CMP_CERTSTATUS *certStatus = NULL;
  606. ASN1_OCTET_STRING *certHash = NULL;
  607. OSSL_CMP_PKISI *sinfo;
  608. if (!ossl_assert(ctx != NULL && ctx->newCert != NULL))
  609. return NULL;
  610. if ((unsigned)fail_info > OSSL_CMP_PKIFAILUREINFO_MAX_BIT_PATTERN) {
  611. ERR_raise(ERR_LIB_CMP, CMP_R_FAIL_INFO_OUT_OF_RANGE);
  612. return NULL;
  613. }
  614. if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_CERTCONF)) == NULL)
  615. goto err;
  616. if ((certStatus = OSSL_CMP_CERTSTATUS_new()) == NULL)
  617. goto err;
  618. /* consume certStatus into msg right away so it gets deallocated with msg */
  619. if (!sk_OSSL_CMP_CERTSTATUS_push(msg->body->value.certConf, certStatus))
  620. goto err;
  621. /* set the ID of the certReq */
  622. if (!ASN1_INTEGER_set(certStatus->certReqId, OSSL_CMP_CERTREQID))
  623. goto err;
  624. /*
  625. * the hash of the certificate, using the same hash algorithm
  626. * as is used to create and verify the certificate signature
  627. */
  628. if ((certHash = X509_digest_sig(ctx->newCert)) == NULL)
  629. goto err;
  630. if (!ossl_cmp_certstatus_set0_certHash(certStatus, certHash))
  631. goto err;
  632. certHash = NULL;
  633. /*
  634. * For any particular CertStatus, omission of the statusInfo field
  635. * indicates ACCEPTANCE of the specified certificate. Alternatively,
  636. * explicit status details (with respect to acceptance or rejection) MAY
  637. * be provided in the statusInfo field, perhaps for auditing purposes at
  638. * the CA/RA.
  639. */
  640. sinfo = fail_info != 0 ?
  641. OSSL_CMP_STATUSINFO_new(OSSL_CMP_PKISTATUS_rejection, fail_info, text) :
  642. OSSL_CMP_STATUSINFO_new(OSSL_CMP_PKISTATUS_accepted, 0, text);
  643. if (sinfo == NULL)
  644. goto err;
  645. certStatus->statusInfo = sinfo;
  646. if (!ossl_cmp_msg_protect(ctx, msg))
  647. goto err;
  648. return msg;
  649. err:
  650. ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_CERTCONF);
  651. OSSL_CMP_MSG_free(msg);
  652. ASN1_OCTET_STRING_free(certHash);
  653. return NULL;
  654. }
  655. OSSL_CMP_MSG *ossl_cmp_pollReq_new(OSSL_CMP_CTX *ctx, int crid)
  656. {
  657. OSSL_CMP_MSG *msg = NULL;
  658. OSSL_CMP_POLLREQ *preq = NULL;
  659. if (!ossl_assert(ctx != NULL))
  660. return NULL;
  661. if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_POLLREQ)) == NULL)
  662. goto err;
  663. /* TODO: support multiple cert request IDs to poll */
  664. if ((preq = OSSL_CMP_POLLREQ_new()) == NULL
  665. || !ASN1_INTEGER_set(preq->certReqId, crid)
  666. || !sk_OSSL_CMP_POLLREQ_push(msg->body->value.pollReq, preq))
  667. goto err;
  668. preq = NULL;
  669. if (!ossl_cmp_msg_protect(ctx, msg))
  670. goto err;
  671. return msg;
  672. err:
  673. ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_POLLREQ);
  674. OSSL_CMP_POLLREQ_free(preq);
  675. OSSL_CMP_MSG_free(msg);
  676. return NULL;
  677. }
  678. OSSL_CMP_MSG *ossl_cmp_pollRep_new(OSSL_CMP_CTX *ctx, int crid,
  679. int64_t poll_after)
  680. {
  681. OSSL_CMP_MSG *msg;
  682. OSSL_CMP_POLLREP *prep;
  683. if (!ossl_assert(ctx != NULL))
  684. return NULL;
  685. if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_POLLREP)) == NULL)
  686. goto err;
  687. if ((prep = OSSL_CMP_POLLREP_new()) == NULL)
  688. goto err;
  689. if (!sk_OSSL_CMP_POLLREP_push(msg->body->value.pollRep, prep))
  690. goto err;
  691. if (!ASN1_INTEGER_set(prep->certReqId, crid))
  692. goto err;
  693. if (!ASN1_INTEGER_set_int64(prep->checkAfter, poll_after))
  694. goto err;
  695. if (!ossl_cmp_msg_protect(ctx, msg))
  696. goto err;
  697. return msg;
  698. err:
  699. ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_POLLREP);
  700. OSSL_CMP_MSG_free(msg);
  701. return NULL;
  702. }
  703. /*-
  704. * returns the status field of the RevRepContent with the given
  705. * request/sequence id inside a revocation response.
  706. * RevRepContent has the revocation statuses in same order as they were sent in
  707. * RevReqContent.
  708. * returns NULL on error
  709. */
  710. OSSL_CMP_PKISI *
  711. ossl_cmp_revrepcontent_get_pkisi(OSSL_CMP_REVREPCONTENT *rrep, int rsid)
  712. {
  713. OSSL_CMP_PKISI *status;
  714. if (!ossl_assert(rrep != NULL))
  715. return NULL;
  716. if ((status = sk_OSSL_CMP_PKISI_value(rrep->status, rsid)) != NULL)
  717. return status;
  718. ERR_raise(ERR_LIB_CMP, CMP_R_PKISTATUSINFO_NOT_FOUND);
  719. return NULL;
  720. }
  721. /*
  722. * returns the CertId field in the revCerts part of the RevRepContent
  723. * with the given request/sequence id inside a revocation response.
  724. * RevRepContent has the CertIds in same order as they were sent in
  725. * RevReqContent.
  726. * returns NULL on error
  727. */
  728. OSSL_CRMF_CERTID *
  729. ossl_cmp_revrepcontent_get_CertId(OSSL_CMP_REVREPCONTENT *rrep, int rsid)
  730. {
  731. OSSL_CRMF_CERTID *cid = NULL;
  732. if (!ossl_assert(rrep != NULL))
  733. return NULL;
  734. if ((cid = sk_OSSL_CRMF_CERTID_value(rrep->revCerts, rsid)) != NULL)
  735. return cid;
  736. ERR_raise(ERR_LIB_CMP, CMP_R_CERTID_NOT_FOUND);
  737. return NULL;
  738. }
  739. static int suitable_rid(const ASN1_INTEGER *certReqId, int rid)
  740. {
  741. int trid;
  742. if (rid == -1)
  743. return 1;
  744. trid = ossl_cmp_asn1_get_int(certReqId);
  745. if (trid == -1) {
  746. ERR_raise(ERR_LIB_CMP, CMP_R_BAD_REQUEST_ID);
  747. return 0;
  748. }
  749. return rid == trid;
  750. }
  751. /*
  752. * returns a pointer to the PollResponse with the given CertReqId
  753. * (or the first one in case -1) inside a PollRepContent
  754. * returns NULL on error or if no suitable PollResponse available
  755. */
  756. OSSL_CMP_POLLREP *
  757. ossl_cmp_pollrepcontent_get0_pollrep(const OSSL_CMP_POLLREPCONTENT *prc,
  758. int rid)
  759. {
  760. OSSL_CMP_POLLREP *pollRep = NULL;
  761. int i;
  762. if (!ossl_assert(prc != NULL))
  763. return NULL;
  764. for (i = 0; i < sk_OSSL_CMP_POLLREP_num(prc); i++) {
  765. pollRep = sk_OSSL_CMP_POLLREP_value(prc, i);
  766. if (suitable_rid(pollRep->certReqId, rid))
  767. return pollRep;
  768. }
  769. ERR_raise_data(ERR_LIB_CMP, CMP_R_CERTRESPONSE_NOT_FOUND,
  770. "expected certReqId = %d", rid);
  771. return NULL;
  772. }
  773. /*
  774. * returns a pointer to the CertResponse with the given CertReqId
  775. * (or the first one in case -1) inside a CertRepMessage
  776. * returns NULL on error or if no suitable CertResponse available
  777. */
  778. OSSL_CMP_CERTRESPONSE *
  779. ossl_cmp_certrepmessage_get0_certresponse(const OSSL_CMP_CERTREPMESSAGE *crm,
  780. int rid)
  781. {
  782. OSSL_CMP_CERTRESPONSE *crep = NULL;
  783. int i;
  784. if (!ossl_assert(crm != NULL && crm->response != NULL))
  785. return NULL;
  786. for (i = 0; i < sk_OSSL_CMP_CERTRESPONSE_num(crm->response); i++) {
  787. crep = sk_OSSL_CMP_CERTRESPONSE_value(crm->response, i);
  788. if (suitable_rid(crep->certReqId, rid))
  789. return crep;
  790. }
  791. ERR_raise_data(ERR_LIB_CMP, CMP_R_CERTRESPONSE_NOT_FOUND,
  792. "expected certReqId = %d", rid);
  793. return NULL;
  794. }
  795. /*-
  796. * Retrieve the newly enrolled certificate from the given certResponse crep.
  797. * In case of indirect POPO uses the libctx and propq from ctx and private key.
  798. * Returns a pointer to a copy of the found certificate, or NULL if not found.
  799. */
  800. X509 *ossl_cmp_certresponse_get1_cert(const OSSL_CMP_CERTRESPONSE *crep,
  801. const OSSL_CMP_CTX *ctx, EVP_PKEY *pkey)
  802. {
  803. OSSL_CMP_CERTORENCCERT *coec;
  804. X509 *crt = NULL;
  805. if (!ossl_assert(crep != NULL && ctx != NULL))
  806. return NULL;
  807. if (crep->certifiedKeyPair
  808. && (coec = crep->certifiedKeyPair->certOrEncCert) != NULL) {
  809. switch (coec->type) {
  810. case OSSL_CMP_CERTORENCCERT_CERTIFICATE:
  811. crt = X509_dup(coec->value.certificate);
  812. break;
  813. case OSSL_CMP_CERTORENCCERT_ENCRYPTEDCERT:
  814. /* cert encrypted for indirect PoP; RFC 4210, 5.2.8.2 */
  815. if (pkey == NULL) {
  816. ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_PRIVATE_KEY);
  817. return NULL;
  818. }
  819. crt =
  820. OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(coec->value.encryptedCert,
  821. ctx->libctx, ctx->propq,
  822. pkey);
  823. break;
  824. default:
  825. ERR_raise(ERR_LIB_CMP, CMP_R_UNKNOWN_CERT_TYPE);
  826. return NULL;
  827. }
  828. }
  829. if (crt == NULL)
  830. ERR_raise(ERR_LIB_CMP, CMP_R_CERTIFICATE_NOT_FOUND);
  831. else
  832. (void)x509_set0_libctx(crt, ctx->libctx, ctx->propq);
  833. return crt;
  834. }
  835. int OSSL_CMP_MSG_update_transactionID(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg)
  836. {
  837. if (ctx == NULL || msg == NULL) {
  838. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  839. return 0;
  840. }
  841. if (!ossl_cmp_hdr_set_transactionID(ctx, msg->header))
  842. return 0;
  843. return msg->header->protectionAlg == NULL
  844. || ossl_cmp_msg_protect(ctx, msg);
  845. }
  846. OSSL_CMP_MSG *OSSL_CMP_MSG_read(const char *file)
  847. {
  848. OSSL_CMP_MSG *msg = NULL;
  849. BIO *bio = NULL;
  850. if (file == NULL) {
  851. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  852. return NULL;
  853. }
  854. if ((bio = BIO_new_file(file, "rb")) == NULL)
  855. return NULL;
  856. msg = d2i_OSSL_CMP_MSG_bio(bio, NULL);
  857. BIO_free(bio);
  858. return msg;
  859. }
  860. int OSSL_CMP_MSG_write(const char *file, const OSSL_CMP_MSG *msg)
  861. {
  862. BIO *bio;
  863. int res;
  864. if (file == NULL || msg == NULL) {
  865. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  866. return -1;
  867. }
  868. bio = BIO_new_file(file, "wb");
  869. if (bio == NULL)
  870. return -2;
  871. res = i2d_OSSL_CMP_MSG_bio(bio, msg);
  872. BIO_free(bio);
  873. return res;
  874. }
  875. OSSL_CMP_MSG *d2i_OSSL_CMP_MSG_bio(BIO *bio, OSSL_CMP_MSG **msg)
  876. {
  877. return ASN1_d2i_bio_of(OSSL_CMP_MSG, OSSL_CMP_MSG_new,
  878. d2i_OSSL_CMP_MSG, bio, msg);
  879. }
  880. int i2d_OSSL_CMP_MSG_bio(BIO *bio, const OSSL_CMP_MSG *msg)
  881. {
  882. return ASN1_i2d_bio_of(OSSL_CMP_MSG, i2d_OSSL_CMP_MSG, bio, msg);
  883. }