cmp_msg.c 38 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238
  1. /*
  2. * Copyright 2007-2024 The OpenSSL Project Authors. All Rights Reserved.
  3. * Copyright Nokia 2007-2019
  4. * Copyright Siemens AG 2015-2019
  5. *
  6. * Licensed under the Apache License 2.0 (the "License"). You may not use
  7. * this file except in compliance with the License. You can obtain a copy
  8. * in the file LICENSE in the source distribution or at
  9. * https://www.openssl.org/source/license.html
  10. */
  11. /* CMP functions for PKIMessage construction */
  12. #include "cmp_local.h"
  13. /* explicit #includes not strictly needed since implied by the above: */
  14. #include <openssl/asn1t.h>
  15. #include <openssl/cmp.h>
  16. #include <openssl/crmf.h>
  17. #include <openssl/err.h>
  18. #include <openssl/x509.h>
  19. OSSL_CMP_MSG *OSSL_CMP_MSG_new(OSSL_LIB_CTX *libctx, const char *propq)
  20. {
  21. OSSL_CMP_MSG *msg = NULL;
  22. msg = (OSSL_CMP_MSG *)ASN1_item_new_ex(ASN1_ITEM_rptr(OSSL_CMP_MSG),
  23. libctx, propq);
  24. if (!ossl_cmp_msg_set0_libctx(msg, libctx, propq)) {
  25. OSSL_CMP_MSG_free(msg);
  26. msg = NULL;
  27. }
  28. return msg;
  29. }
  30. void OSSL_CMP_MSG_free(OSSL_CMP_MSG *msg)
  31. {
  32. ASN1_item_free((ASN1_VALUE *)msg, ASN1_ITEM_rptr(OSSL_CMP_MSG));
  33. }
  34. /*
  35. * This should only be used if the X509 object was embedded inside another
  36. * asn1 object and it needs a libctx to operate.
  37. * Use OSSL_CMP_MSG_new() instead if possible.
  38. */
  39. int ossl_cmp_msg_set0_libctx(OSSL_CMP_MSG *msg, OSSL_LIB_CTX *libctx,
  40. const char *propq)
  41. {
  42. if (msg != NULL) {
  43. msg->libctx = libctx;
  44. OPENSSL_free(msg->propq);
  45. msg->propq = NULL;
  46. if (propq != NULL) {
  47. msg->propq = OPENSSL_strdup(propq);
  48. if (msg->propq == NULL)
  49. return 0;
  50. }
  51. }
  52. return 1;
  53. }
  54. OSSL_CMP_PKIHEADER *OSSL_CMP_MSG_get0_header(const OSSL_CMP_MSG *msg)
  55. {
  56. if (msg == NULL) {
  57. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  58. return NULL;
  59. }
  60. return msg->header;
  61. }
  62. const char *ossl_cmp_bodytype_to_string(int type)
  63. {
  64. static const char *type_names[] = {
  65. "IR", "IP", "CR", "CP", "P10CR",
  66. "POPDECC", "POPDECR", "KUR", "KUP",
  67. "KRR", "KRP", "RR", "RP", "CCR", "CCP",
  68. "CKUANN", "CANN", "RANN", "CRLANN", "PKICONF", "NESTED",
  69. "GENM", "GENP", "ERROR", "CERTCONF", "POLLREQ", "POLLREP",
  70. };
  71. if (type < 0 || type > OSSL_CMP_PKIBODY_TYPE_MAX)
  72. return "illegal body type";
  73. return type_names[type];
  74. }
  75. int ossl_cmp_msg_set_bodytype(OSSL_CMP_MSG *msg, int type)
  76. {
  77. if (!ossl_assert(msg != NULL && msg->body != NULL))
  78. return 0;
  79. msg->body->type = type;
  80. return 1;
  81. }
  82. int OSSL_CMP_MSG_get_bodytype(const OSSL_CMP_MSG *msg)
  83. {
  84. if (!ossl_assert(msg != NULL && msg->body != NULL))
  85. return -1;
  86. return msg->body->type;
  87. }
  88. X509_PUBKEY *OSSL_CMP_MSG_get0_certreq_publickey(const OSSL_CMP_MSG *msg)
  89. {
  90. const OSSL_CRMF_MSGS *reqs;
  91. const OSSL_CRMF_MSG *crm;
  92. const OSSL_CRMF_CERTTEMPLATE *tmpl;
  93. X509_PUBKEY *pubkey;
  94. switch (OSSL_CMP_MSG_get_bodytype(msg)) {
  95. case OSSL_CMP_PKIBODY_IR:
  96. case OSSL_CMP_PKIBODY_CR:
  97. case OSSL_CMP_PKIBODY_KUR:
  98. reqs = msg->body->value.ir; /* value.ir is same for cr and kur */
  99. if ((crm = sk_OSSL_CRMF_MSG_value(reqs, 0)) == NULL) {
  100. ERR_raise(ERR_LIB_CMP, CMP_R_CERTREQMSG_NOT_FOUND);
  101. return NULL;
  102. }
  103. if ((tmpl = OSSL_CRMF_MSG_get0_tmpl(crm)) == NULL
  104. || (pubkey = OSSL_CRMF_CERTTEMPLATE_get0_publicKey(tmpl)) == NULL) {
  105. ERR_raise(ERR_LIB_CMP, CRMF_R_POPO_MISSING_PUBLIC_KEY);
  106. return NULL;
  107. }
  108. return pubkey;
  109. default:
  110. ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
  111. return NULL;
  112. }
  113. }
  114. /* Add an extension to the referenced extension stack, which may be NULL */
  115. static int add1_extension(X509_EXTENSIONS **pexts, int nid, int crit, void *ex)
  116. {
  117. X509_EXTENSION *ext;
  118. int res;
  119. if (!ossl_assert(pexts != NULL)) /* pointer to var must not be NULL */
  120. return 0;
  121. if ((ext = X509V3_EXT_i2d(nid, crit, ex)) == NULL)
  122. return 0;
  123. res = X509v3_add_ext(pexts, ext, 0) != NULL;
  124. X509_EXTENSION_free(ext);
  125. return res;
  126. }
  127. /* Add extension list to the referenced extension stack, which may be NULL */
  128. static int add_extensions(STACK_OF(X509_EXTENSION) **target,
  129. const STACK_OF(X509_EXTENSION) *exts)
  130. {
  131. int i;
  132. if (target == NULL)
  133. return 0;
  134. for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) {
  135. X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i);
  136. ASN1_OBJECT *obj = X509_EXTENSION_get_object(ext);
  137. int idx = X509v3_get_ext_by_OBJ(*target, obj, -1);
  138. /* Does extension exist in target? */
  139. if (idx != -1) {
  140. /* Delete all extensions of same type */
  141. do {
  142. X509_EXTENSION_free(sk_X509_EXTENSION_delete(*target, idx));
  143. idx = X509v3_get_ext_by_OBJ(*target, obj, -1);
  144. } while (idx != -1);
  145. }
  146. if (!X509v3_add_ext(target, ext, -1))
  147. return 0;
  148. }
  149. return 1;
  150. }
  151. /* Add a CRL revocation reason code to extension stack, which may be NULL */
  152. static int add_crl_reason_extension(X509_EXTENSIONS **pexts, int reason_code)
  153. {
  154. ASN1_ENUMERATED *val = ASN1_ENUMERATED_new();
  155. int res = 0;
  156. if (val != NULL && ASN1_ENUMERATED_set(val, reason_code))
  157. res = add1_extension(pexts, NID_crl_reason, 0 /* non-critical */, val);
  158. ASN1_ENUMERATED_free(val);
  159. return res;
  160. }
  161. OSSL_CMP_MSG *ossl_cmp_msg_create(OSSL_CMP_CTX *ctx, int bodytype)
  162. {
  163. OSSL_CMP_MSG *msg = NULL;
  164. if (!ossl_assert(ctx != NULL))
  165. return NULL;
  166. if ((msg = OSSL_CMP_MSG_new(ctx->libctx, ctx->propq)) == NULL)
  167. return NULL;
  168. if (!ossl_cmp_hdr_init(ctx, msg->header)
  169. || !ossl_cmp_msg_set_bodytype(msg, bodytype))
  170. goto err;
  171. if (ctx->geninfo_ITAVs != NULL
  172. && !ossl_cmp_hdr_generalInfo_push1_items(msg->header,
  173. ctx->geninfo_ITAVs))
  174. goto err;
  175. switch (bodytype) {
  176. case OSSL_CMP_PKIBODY_IR:
  177. case OSSL_CMP_PKIBODY_CR:
  178. case OSSL_CMP_PKIBODY_KUR:
  179. if ((msg->body->value.ir = OSSL_CRMF_MSGS_new()) == NULL)
  180. goto err;
  181. return msg;
  182. case OSSL_CMP_PKIBODY_P10CR:
  183. if (ctx->p10CSR == NULL) {
  184. ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_P10CSR);
  185. goto err;
  186. }
  187. if ((msg->body->value.p10cr = X509_REQ_dup(ctx->p10CSR)) == NULL)
  188. goto err;
  189. return msg;
  190. case OSSL_CMP_PKIBODY_IP:
  191. case OSSL_CMP_PKIBODY_CP:
  192. case OSSL_CMP_PKIBODY_KUP:
  193. if ((msg->body->value.ip = OSSL_CMP_CERTREPMESSAGE_new()) == NULL)
  194. goto err;
  195. return msg;
  196. case OSSL_CMP_PKIBODY_RR:
  197. if ((msg->body->value.rr = sk_OSSL_CMP_REVDETAILS_new_null()) == NULL)
  198. goto err;
  199. return msg;
  200. case OSSL_CMP_PKIBODY_RP:
  201. if ((msg->body->value.rp = OSSL_CMP_REVREPCONTENT_new()) == NULL)
  202. goto err;
  203. return msg;
  204. case OSSL_CMP_PKIBODY_CERTCONF:
  205. if ((msg->body->value.certConf =
  206. sk_OSSL_CMP_CERTSTATUS_new_null()) == NULL)
  207. goto err;
  208. return msg;
  209. case OSSL_CMP_PKIBODY_PKICONF:
  210. if ((msg->body->value.pkiconf = ASN1_TYPE_new()) == NULL)
  211. goto err;
  212. ASN1_TYPE_set(msg->body->value.pkiconf, V_ASN1_NULL, NULL);
  213. return msg;
  214. case OSSL_CMP_PKIBODY_POLLREQ:
  215. if ((msg->body->value.pollReq = sk_OSSL_CMP_POLLREQ_new_null()) == NULL)
  216. goto err;
  217. return msg;
  218. case OSSL_CMP_PKIBODY_POLLREP:
  219. if ((msg->body->value.pollRep = sk_OSSL_CMP_POLLREP_new_null()) == NULL)
  220. goto err;
  221. return msg;
  222. case OSSL_CMP_PKIBODY_GENM:
  223. case OSSL_CMP_PKIBODY_GENP:
  224. if ((msg->body->value.genm = sk_OSSL_CMP_ITAV_new_null()) == NULL)
  225. goto err;
  226. return msg;
  227. case OSSL_CMP_PKIBODY_ERROR:
  228. if ((msg->body->value.error = OSSL_CMP_ERRORMSGCONTENT_new()) == NULL)
  229. goto err;
  230. return msg;
  231. default:
  232. ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
  233. goto err;
  234. }
  235. err:
  236. OSSL_CMP_MSG_free(msg);
  237. return NULL;
  238. }
  239. #define HAS_SAN(ctx) \
  240. (sk_GENERAL_NAME_num((ctx)->subjectAltNames) > 0 \
  241. || OSSL_CMP_CTX_reqExtensions_have_SAN(ctx) == 1)
  242. static const X509_NAME *determine_subj(OSSL_CMP_CTX *ctx, int for_KUR,
  243. const X509_NAME *ref_subj)
  244. {
  245. if (ctx->subjectName != NULL)
  246. return IS_NULL_DN(ctx->subjectName) ? NULL : ctx->subjectName;
  247. if (ctx->p10CSR != NULL) /* first default is from any given CSR */
  248. return X509_REQ_get_subject_name(ctx->p10CSR);
  249. if (for_KUR || !HAS_SAN(ctx))
  250. /*
  251. * For KUR, copy subject from any reference cert as fallback.
  252. * For IR or CR, do the same only if there is no subjectAltName.
  253. */
  254. return ref_subj;
  255. return NULL;
  256. }
  257. OSSL_CRMF_MSG *OSSL_CMP_CTX_setup_CRM(OSSL_CMP_CTX *ctx, int for_KUR, int rid)
  258. {
  259. OSSL_CRMF_MSG *crm = NULL;
  260. X509 *refcert = ctx->oldCert != NULL ? ctx->oldCert : ctx->cert;
  261. /* refcert defaults to current client cert */
  262. EVP_PKEY *rkey = ossl_cmp_ctx_get0_newPubkey(ctx);
  263. STACK_OF(GENERAL_NAME) *default_sans = NULL;
  264. const X509_NAME *ref_subj =
  265. refcert != NULL ? X509_get_subject_name(refcert) : NULL;
  266. const X509_NAME *subject = determine_subj(ctx, for_KUR, ref_subj);
  267. const X509_NAME *issuer = ctx->issuer != NULL || refcert == NULL
  268. ? (IS_NULL_DN(ctx->issuer) ? NULL : ctx->issuer)
  269. : X509_get_issuer_name(refcert);
  270. int crit = ctx->setSubjectAltNameCritical || subject == NULL;
  271. /* RFC5280: subjectAltName MUST be critical if subject is null */
  272. X509_EXTENSIONS *exts = NULL;
  273. if (rkey == NULL) {
  274. #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
  275. ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_PUBLIC_KEY);
  276. return NULL;
  277. #endif
  278. }
  279. if (for_KUR && refcert == NULL && ctx->p10CSR == NULL) {
  280. ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_REFERENCE_CERT);
  281. return NULL;
  282. }
  283. if ((crm = OSSL_CRMF_MSG_new()) == NULL)
  284. return NULL;
  285. if (!OSSL_CRMF_MSG_set_certReqId(crm, rid)
  286. /*
  287. * fill certTemplate, corresponding to CertificationRequestInfo
  288. * of PKCS#10. The rkey param cannot be NULL so far -
  289. * it could be NULL if centralized key creation was supported
  290. */
  291. || !OSSL_CRMF_CERTTEMPLATE_fill(OSSL_CRMF_MSG_get0_tmpl(crm), rkey,
  292. subject, issuer, NULL /* serial */))
  293. goto err;
  294. if (ctx->days != 0) {
  295. time_t now = time(NULL);
  296. ASN1_TIME *notBefore = ASN1_TIME_adj(NULL, now, 0, 0);
  297. ASN1_TIME *notAfter = ASN1_TIME_adj(NULL, now, ctx->days, 0);
  298. if (notBefore == NULL
  299. || notAfter == NULL
  300. || !OSSL_CRMF_MSG_set0_validity(crm, notBefore, notAfter)) {
  301. ASN1_TIME_free(notBefore);
  302. ASN1_TIME_free(notAfter);
  303. goto err;
  304. }
  305. }
  306. /* extensions */
  307. if (ctx->p10CSR != NULL
  308. && (exts = X509_REQ_get_extensions(ctx->p10CSR)) == NULL)
  309. goto err;
  310. if (!ctx->SubjectAltName_nodefault && !HAS_SAN(ctx) && refcert != NULL
  311. && (default_sans = X509V3_get_d2i(X509_get0_extensions(refcert),
  312. NID_subject_alt_name, NULL, NULL))
  313. != NULL
  314. && !add1_extension(&exts, NID_subject_alt_name, crit, default_sans))
  315. goto err;
  316. if (ctx->reqExtensions != NULL /* augment/override existing ones */
  317. && !add_extensions(&exts, ctx->reqExtensions))
  318. goto err;
  319. if (sk_GENERAL_NAME_num(ctx->subjectAltNames) > 0
  320. && !add1_extension(&exts, NID_subject_alt_name,
  321. crit, ctx->subjectAltNames))
  322. goto err;
  323. if (ctx->policies != NULL
  324. && !add1_extension(&exts, NID_certificate_policies,
  325. ctx->setPoliciesCritical, ctx->policies))
  326. goto err;
  327. if (!OSSL_CRMF_MSG_set0_extensions(crm, exts))
  328. goto err;
  329. exts = NULL;
  330. /* end fill certTemplate, now set any controls */
  331. /* for KUR, set OldCertId according to D.6 */
  332. if (for_KUR && refcert != NULL) {
  333. OSSL_CRMF_CERTID *cid =
  334. OSSL_CRMF_CERTID_gen(X509_get_issuer_name(refcert),
  335. X509_get0_serialNumber(refcert));
  336. int ret;
  337. if (cid == NULL)
  338. goto err;
  339. ret = OSSL_CRMF_MSG_set1_regCtrl_oldCertID(crm, cid);
  340. OSSL_CRMF_CERTID_free(cid);
  341. if (ret == 0)
  342. goto err;
  343. }
  344. goto end;
  345. err:
  346. OSSL_CRMF_MSG_free(crm);
  347. crm = NULL;
  348. end:
  349. sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
  350. sk_GENERAL_NAME_pop_free(default_sans, GENERAL_NAME_free);
  351. return crm;
  352. }
  353. OSSL_CMP_MSG *ossl_cmp_certreq_new(OSSL_CMP_CTX *ctx, int type,
  354. const OSSL_CRMF_MSG *crm)
  355. {
  356. OSSL_CMP_MSG *msg;
  357. OSSL_CRMF_MSG *local_crm = NULL;
  358. if (!ossl_assert(ctx != NULL))
  359. return NULL;
  360. if (type != OSSL_CMP_PKIBODY_IR && type != OSSL_CMP_PKIBODY_CR
  361. && type != OSSL_CMP_PKIBODY_KUR && type != OSSL_CMP_PKIBODY_P10CR) {
  362. ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS);
  363. return NULL;
  364. }
  365. if (type == OSSL_CMP_PKIBODY_P10CR && crm != NULL) {
  366. ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS);
  367. return NULL;
  368. }
  369. if ((msg = ossl_cmp_msg_create(ctx, type)) == NULL)
  370. goto err;
  371. /* header */
  372. if (ctx->implicitConfirm && !ossl_cmp_hdr_set_implicitConfirm(msg->header))
  373. goto err;
  374. /* body */
  375. /* For P10CR the content has already been set in OSSL_CMP_MSG_create */
  376. if (type != OSSL_CMP_PKIBODY_P10CR) {
  377. EVP_PKEY *privkey = OSSL_CMP_CTX_get0_newPkey(ctx, 1);
  378. /* privkey is ctx->newPkey (if private, else NULL) or ctx->pkey */
  379. if (ctx->popoMethod >= OSSL_CRMF_POPO_SIGNATURE && privkey == NULL) {
  380. ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_PRIVATE_KEY_FOR_POPO);
  381. goto err;
  382. }
  383. if (crm == NULL) {
  384. local_crm = OSSL_CMP_CTX_setup_CRM(ctx,
  385. type == OSSL_CMP_PKIBODY_KUR,
  386. OSSL_CMP_CERTREQID);
  387. if (local_crm == NULL
  388. || !OSSL_CRMF_MSG_create_popo(ctx->popoMethod, local_crm,
  389. privkey, ctx->digest,
  390. ctx->libctx, ctx->propq))
  391. goto err;
  392. } else {
  393. if ((local_crm = OSSL_CRMF_MSG_dup(crm)) == NULL)
  394. goto err;
  395. }
  396. /* value.ir is same for cr and kur */
  397. if (!sk_OSSL_CRMF_MSG_push(msg->body->value.ir, local_crm))
  398. goto err;
  399. local_crm = NULL;
  400. }
  401. if (!ossl_cmp_msg_protect(ctx, msg))
  402. goto err;
  403. return msg;
  404. err:
  405. ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_CERTREQ);
  406. OSSL_CRMF_MSG_free(local_crm);
  407. OSSL_CMP_MSG_free(msg);
  408. return NULL;
  409. }
  410. OSSL_CMP_MSG *ossl_cmp_certrep_new(OSSL_CMP_CTX *ctx, int bodytype,
  411. int certReqId, const OSSL_CMP_PKISI *si,
  412. X509 *cert, const X509 *encryption_recip,
  413. STACK_OF(X509) *chain, STACK_OF(X509) *caPubs,
  414. int unprotectedErrors)
  415. {
  416. OSSL_CMP_MSG *msg = NULL;
  417. OSSL_CMP_CERTREPMESSAGE *repMsg = NULL;
  418. OSSL_CMP_CERTRESPONSE *resp = NULL;
  419. int status = OSSL_CMP_PKISTATUS_unspecified;
  420. if (!ossl_assert(ctx != NULL && si != NULL))
  421. return NULL;
  422. if ((msg = ossl_cmp_msg_create(ctx, bodytype)) == NULL)
  423. goto err;
  424. repMsg = msg->body->value.ip; /* value.ip is same for cp and kup */
  425. /* header */
  426. if (ctx->implicitConfirm && !ossl_cmp_hdr_set_implicitConfirm(msg->header))
  427. goto err;
  428. /* body */
  429. if ((resp = OSSL_CMP_CERTRESPONSE_new()) == NULL)
  430. goto err;
  431. OSSL_CMP_PKISI_free(resp->status);
  432. if ((resp->status = OSSL_CMP_PKISI_dup(si)) == NULL
  433. || !ASN1_INTEGER_set(resp->certReqId, certReqId))
  434. goto err;
  435. status = ossl_cmp_pkisi_get_status(resp->status);
  436. if (status != OSSL_CMP_PKISTATUS_rejection
  437. && status != OSSL_CMP_PKISTATUS_waiting && cert != NULL) {
  438. if (encryption_recip != NULL) {
  439. ERR_raise(ERR_LIB_CMP, ERR_R_UNSUPPORTED);
  440. goto err;
  441. }
  442. if ((resp->certifiedKeyPair = OSSL_CMP_CERTIFIEDKEYPAIR_new())
  443. == NULL)
  444. goto err;
  445. resp->certifiedKeyPair->certOrEncCert->type =
  446. OSSL_CMP_CERTORENCCERT_CERTIFICATE;
  447. if (!X509_up_ref(cert))
  448. goto err;
  449. resp->certifiedKeyPair->certOrEncCert->value.certificate = cert;
  450. }
  451. if (!sk_OSSL_CMP_CERTRESPONSE_push(repMsg->response, resp))
  452. goto err;
  453. resp = NULL;
  454. if (bodytype == OSSL_CMP_PKIBODY_IP && caPubs != NULL
  455. && (repMsg->caPubs = X509_chain_up_ref(caPubs)) == NULL)
  456. goto err;
  457. if (sk_X509_num(chain) > 0
  458. && !ossl_x509_add_certs_new(&msg->extraCerts, chain,
  459. X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP))
  460. goto err;
  461. if (!unprotectedErrors
  462. || ossl_cmp_pkisi_get_status(si) != OSSL_CMP_PKISTATUS_rejection)
  463. if (!ossl_cmp_msg_protect(ctx, msg))
  464. goto err;
  465. return msg;
  466. err:
  467. ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_CERTREP);
  468. OSSL_CMP_CERTRESPONSE_free(resp);
  469. OSSL_CMP_MSG_free(msg);
  470. return NULL;
  471. }
  472. OSSL_CMP_MSG *ossl_cmp_rr_new(OSSL_CMP_CTX *ctx)
  473. {
  474. OSSL_CMP_MSG *msg = NULL;
  475. const X509_NAME *issuer = NULL;
  476. const X509_NAME *subject = NULL;
  477. const ASN1_INTEGER *serialNumber = NULL;
  478. EVP_PKEY *pubkey = NULL;
  479. OSSL_CMP_REVDETAILS *rd;
  480. int ret;
  481. if (!ossl_assert(ctx != NULL
  482. && (ctx->oldCert != NULL || ctx->p10CSR != NULL
  483. || (ctx->serialNumber != NULL && ctx->issuer != NULL))))
  484. return NULL;
  485. if ((rd = OSSL_CMP_REVDETAILS_new()) == NULL)
  486. goto err;
  487. if (ctx->serialNumber != NULL && ctx->issuer != NULL) {
  488. issuer = ctx->issuer;
  489. serialNumber = ctx->serialNumber;
  490. } else if (ctx->oldCert != NULL) {
  491. issuer = X509_get_issuer_name(ctx->oldCert);
  492. serialNumber = X509_get0_serialNumber(ctx->oldCert);
  493. } else if (ctx->p10CSR != NULL) {
  494. pubkey = X509_REQ_get0_pubkey(ctx->p10CSR);
  495. subject = X509_REQ_get_subject_name(ctx->p10CSR);
  496. } else {
  497. goto err;
  498. }
  499. /* Fill the template from the contents of the certificate to be revoked */
  500. ret = OSSL_CRMF_CERTTEMPLATE_fill(rd->certDetails, pubkey, subject,
  501. issuer, serialNumber);
  502. if (!ret)
  503. goto err;
  504. /* revocation reason code is optional */
  505. if (ctx->revocationReason != CRL_REASON_NONE
  506. && !add_crl_reason_extension(&rd->crlEntryDetails,
  507. ctx->revocationReason))
  508. goto err;
  509. if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_RR)) == NULL)
  510. goto err;
  511. if (!sk_OSSL_CMP_REVDETAILS_push(msg->body->value.rr, rd))
  512. goto err;
  513. rd = NULL;
  514. /* Revocation Passphrase according to section 5.3.19.9 could be set here */
  515. if (!ossl_cmp_msg_protect(ctx, msg))
  516. goto err;
  517. return msg;
  518. err:
  519. ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_RR);
  520. OSSL_CMP_MSG_free(msg);
  521. OSSL_CMP_REVDETAILS_free(rd);
  522. return NULL;
  523. }
  524. OSSL_CMP_MSG *ossl_cmp_rp_new(OSSL_CMP_CTX *ctx, const OSSL_CMP_PKISI *si,
  525. const OSSL_CRMF_CERTID *cid, int unprotectedErrors)
  526. {
  527. OSSL_CMP_REVREPCONTENT *rep = NULL;
  528. OSSL_CMP_PKISI *si1 = NULL;
  529. OSSL_CRMF_CERTID *cid_copy = NULL;
  530. OSSL_CMP_MSG *msg = NULL;
  531. if (!ossl_assert(ctx != NULL && si != NULL))
  532. return NULL;
  533. if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_RP)) == NULL)
  534. goto err;
  535. rep = msg->body->value.rp;
  536. if ((si1 = OSSL_CMP_PKISI_dup(si)) == NULL)
  537. goto err;
  538. if (!sk_OSSL_CMP_PKISI_push(rep->status, si1)) {
  539. OSSL_CMP_PKISI_free(si1);
  540. goto err;
  541. }
  542. if ((rep->revCerts = sk_OSSL_CRMF_CERTID_new_null()) == NULL)
  543. goto err;
  544. if (cid != NULL) {
  545. if ((cid_copy = OSSL_CRMF_CERTID_dup(cid)) == NULL)
  546. goto err;
  547. if (!sk_OSSL_CRMF_CERTID_push(rep->revCerts, cid_copy)) {
  548. OSSL_CRMF_CERTID_free(cid_copy);
  549. goto err;
  550. }
  551. }
  552. if (!unprotectedErrors
  553. || ossl_cmp_pkisi_get_status(si) != OSSL_CMP_PKISTATUS_rejection)
  554. if (!ossl_cmp_msg_protect(ctx, msg))
  555. goto err;
  556. return msg;
  557. err:
  558. ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_RP);
  559. OSSL_CMP_MSG_free(msg);
  560. return NULL;
  561. }
  562. OSSL_CMP_MSG *ossl_cmp_pkiconf_new(OSSL_CMP_CTX *ctx)
  563. {
  564. OSSL_CMP_MSG *msg;
  565. if (!ossl_assert(ctx != NULL))
  566. return NULL;
  567. if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_PKICONF)) == NULL)
  568. goto err;
  569. if (ossl_cmp_msg_protect(ctx, msg))
  570. return msg;
  571. err:
  572. ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_PKICONF);
  573. OSSL_CMP_MSG_free(msg);
  574. return NULL;
  575. }
  576. int ossl_cmp_msg_gen_push0_ITAV(OSSL_CMP_MSG *msg, OSSL_CMP_ITAV *itav)
  577. {
  578. int bodytype;
  579. if (!ossl_assert(msg != NULL && itav != NULL))
  580. return 0;
  581. bodytype = OSSL_CMP_MSG_get_bodytype(msg);
  582. if (bodytype != OSSL_CMP_PKIBODY_GENM
  583. && bodytype != OSSL_CMP_PKIBODY_GENP) {
  584. ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS);
  585. return 0;
  586. }
  587. /* value.genp has the same structure, so this works for genp as well */
  588. return OSSL_CMP_ITAV_push0_stack_item(&msg->body->value.genm, itav);
  589. }
  590. int ossl_cmp_msg_gen_push1_ITAVs(OSSL_CMP_MSG *msg,
  591. const STACK_OF(OSSL_CMP_ITAV) *itavs)
  592. {
  593. int i;
  594. OSSL_CMP_ITAV *itav = NULL;
  595. if (!ossl_assert(msg != NULL))
  596. return 0;
  597. for (i = 0; i < sk_OSSL_CMP_ITAV_num(itavs); i++) {
  598. itav = OSSL_CMP_ITAV_dup(sk_OSSL_CMP_ITAV_value(itavs, i));
  599. if (itav == NULL
  600. || !ossl_cmp_msg_gen_push0_ITAV(msg, itav)) {
  601. OSSL_CMP_ITAV_free(itav);
  602. return 0;
  603. }
  604. }
  605. return 1;
  606. }
  607. /*
  608. * Creates a new General Message/Response with a copy of the given itav stack
  609. * returns a pointer to the PKIMessage on success, NULL on error
  610. */
  611. static OSSL_CMP_MSG *gen_new(OSSL_CMP_CTX *ctx,
  612. const STACK_OF(OSSL_CMP_ITAV) *itavs,
  613. int body_type, int err_code)
  614. {
  615. OSSL_CMP_MSG *msg = NULL;
  616. if (!ossl_assert(ctx != NULL))
  617. return NULL;
  618. if ((msg = ossl_cmp_msg_create(ctx, body_type)) == NULL)
  619. return NULL;
  620. if (itavs != NULL && !ossl_cmp_msg_gen_push1_ITAVs(msg, itavs))
  621. goto err;
  622. if (!ossl_cmp_msg_protect(ctx, msg))
  623. goto err;
  624. return msg;
  625. err:
  626. ERR_raise(ERR_LIB_CMP, err_code);
  627. OSSL_CMP_MSG_free(msg);
  628. return NULL;
  629. }
  630. OSSL_CMP_MSG *ossl_cmp_genm_new(OSSL_CMP_CTX *ctx)
  631. {
  632. return gen_new(ctx, ctx->genm_ITAVs,
  633. OSSL_CMP_PKIBODY_GENM, CMP_R_ERROR_CREATING_GENM);
  634. }
  635. OSSL_CMP_MSG *ossl_cmp_genp_new(OSSL_CMP_CTX *ctx,
  636. const STACK_OF(OSSL_CMP_ITAV) *itavs)
  637. {
  638. return gen_new(ctx, itavs,
  639. OSSL_CMP_PKIBODY_GENP, CMP_R_ERROR_CREATING_GENP);
  640. }
  641. OSSL_CMP_MSG *ossl_cmp_error_new(OSSL_CMP_CTX *ctx, const OSSL_CMP_PKISI *si,
  642. int64_t errorCode, const char *details,
  643. int unprotected)
  644. {
  645. OSSL_CMP_MSG *msg = NULL;
  646. const char *lib = NULL, *reason = NULL;
  647. OSSL_CMP_PKIFREETEXT *ft;
  648. if (!ossl_assert(ctx != NULL && si != NULL))
  649. return NULL;
  650. if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_ERROR)) == NULL)
  651. goto err;
  652. OSSL_CMP_PKISI_free(msg->body->value.error->pKIStatusInfo);
  653. if ((msg->body->value.error->pKIStatusInfo = OSSL_CMP_PKISI_dup(si))
  654. == NULL)
  655. goto err;
  656. if ((msg->body->value.error->errorCode = ASN1_INTEGER_new()) == NULL)
  657. goto err;
  658. if (!ASN1_INTEGER_set_int64(msg->body->value.error->errorCode, errorCode))
  659. goto err;
  660. if (errorCode > 0
  661. && (uint64_t)errorCode < ((uint64_t)ERR_SYSTEM_FLAG << 1)) {
  662. lib = ERR_lib_error_string((unsigned long)errorCode);
  663. reason = ERR_reason_error_string((unsigned long)errorCode);
  664. }
  665. if (lib != NULL || reason != NULL || details != NULL) {
  666. if ((ft = sk_ASN1_UTF8STRING_new_null()) == NULL)
  667. goto err;
  668. msg->body->value.error->errorDetails = ft;
  669. if (lib != NULL && *lib != '\0'
  670. && !ossl_cmp_sk_ASN1_UTF8STRING_push_str(ft, lib, -1))
  671. goto err;
  672. if (reason != NULL && *reason != '\0'
  673. && !ossl_cmp_sk_ASN1_UTF8STRING_push_str(ft, reason, -1))
  674. goto err;
  675. if (details != NULL
  676. && !ossl_cmp_sk_ASN1_UTF8STRING_push_str(ft, details, -1))
  677. goto err;
  678. }
  679. if (!unprotected && !ossl_cmp_msg_protect(ctx, msg))
  680. goto err;
  681. return msg;
  682. err:
  683. ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_ERROR);
  684. OSSL_CMP_MSG_free(msg);
  685. return NULL;
  686. }
  687. /*
  688. * Set the certHash field of a OSSL_CMP_CERTSTATUS structure.
  689. * This is used in the certConf message, for example,
  690. * to confirm that the certificate was received successfully.
  691. */
  692. int ossl_cmp_certstatus_set0_certHash(OSSL_CMP_CERTSTATUS *certStatus,
  693. ASN1_OCTET_STRING *hash)
  694. {
  695. if (!ossl_assert(certStatus != NULL))
  696. return 0;
  697. ASN1_OCTET_STRING_free(certStatus->certHash);
  698. certStatus->certHash = hash;
  699. return 1;
  700. }
  701. OSSL_CMP_MSG *ossl_cmp_certConf_new(OSSL_CMP_CTX *ctx, int certReqId,
  702. int fail_info, const char *text)
  703. {
  704. OSSL_CMP_MSG *msg = NULL;
  705. OSSL_CMP_CERTSTATUS *certStatus = NULL;
  706. EVP_MD *md;
  707. int is_fallback;
  708. ASN1_OCTET_STRING *certHash = NULL;
  709. OSSL_CMP_PKISI *sinfo;
  710. if (!ossl_assert(ctx != NULL && ctx->newCert != NULL
  711. && (certReqId == OSSL_CMP_CERTREQID
  712. || certReqId == OSSL_CMP_CERTREQID_NONE)))
  713. return NULL;
  714. if ((unsigned)fail_info > OSSL_CMP_PKIFAILUREINFO_MAX_BIT_PATTERN) {
  715. ERR_raise(ERR_LIB_CMP, CMP_R_FAIL_INFO_OUT_OF_RANGE);
  716. return NULL;
  717. }
  718. if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_CERTCONF)) == NULL)
  719. goto err;
  720. if ((certStatus = OSSL_CMP_CERTSTATUS_new()) == NULL)
  721. goto err;
  722. /* consume certStatus into msg right away so it gets deallocated with msg */
  723. if (sk_OSSL_CMP_CERTSTATUS_push(msg->body->value.certConf, certStatus) < 1) {
  724. OSSL_CMP_CERTSTATUS_free(certStatus);
  725. goto err;
  726. }
  727. /* set the ID of the certReq */
  728. if (!ASN1_INTEGER_set(certStatus->certReqId, certReqId))
  729. goto err;
  730. certStatus->hashAlg = NULL;
  731. /*
  732. * The hash of the certificate, using the same hash algorithm
  733. * as is used to create and verify the certificate signature.
  734. * If not available, a fallback hash algorithm is used.
  735. */
  736. if ((certHash = X509_digest_sig(ctx->newCert, &md, &is_fallback)) == NULL)
  737. goto err;
  738. if (is_fallback) {
  739. if (!ossl_cmp_hdr_set_pvno(msg->header, OSSL_CMP_PVNO_3))
  740. goto err;
  741. if ((certStatus->hashAlg = X509_ALGOR_new()) == NULL)
  742. goto err;
  743. X509_ALGOR_set_md(certStatus->hashAlg, md);
  744. }
  745. EVP_MD_free(md);
  746. if (!ossl_cmp_certstatus_set0_certHash(certStatus, certHash))
  747. goto err;
  748. certHash = NULL;
  749. /*
  750. * For any particular CertStatus, omission of the statusInfo field
  751. * indicates ACCEPTANCE of the specified certificate. Alternatively,
  752. * explicit status details (with respect to acceptance or rejection) MAY
  753. * be provided in the statusInfo field, perhaps for auditing purposes at
  754. * the CA/RA.
  755. */
  756. sinfo = fail_info != 0 ?
  757. OSSL_CMP_STATUSINFO_new(OSSL_CMP_PKISTATUS_rejection, fail_info, text) :
  758. OSSL_CMP_STATUSINFO_new(OSSL_CMP_PKISTATUS_accepted, 0, text);
  759. if (sinfo == NULL)
  760. goto err;
  761. certStatus->statusInfo = sinfo;
  762. if (!ossl_cmp_msg_protect(ctx, msg))
  763. goto err;
  764. return msg;
  765. err:
  766. ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_CERTCONF);
  767. OSSL_CMP_MSG_free(msg);
  768. ASN1_OCTET_STRING_free(certHash);
  769. return NULL;
  770. }
  771. OSSL_CMP_MSG *ossl_cmp_pollReq_new(OSSL_CMP_CTX *ctx, int crid)
  772. {
  773. OSSL_CMP_MSG *msg = NULL;
  774. OSSL_CMP_POLLREQ *preq = NULL;
  775. if (!ossl_assert(ctx != NULL))
  776. return NULL;
  777. if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_POLLREQ)) == NULL)
  778. goto err;
  779. if ((preq = OSSL_CMP_POLLREQ_new()) == NULL
  780. || !ASN1_INTEGER_set(preq->certReqId, crid)
  781. || !sk_OSSL_CMP_POLLREQ_push(msg->body->value.pollReq, preq))
  782. goto err;
  783. preq = NULL;
  784. if (!ossl_cmp_msg_protect(ctx, msg))
  785. goto err;
  786. return msg;
  787. err:
  788. ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_POLLREQ);
  789. OSSL_CMP_POLLREQ_free(preq);
  790. OSSL_CMP_MSG_free(msg);
  791. return NULL;
  792. }
  793. OSSL_CMP_MSG *ossl_cmp_pollRep_new(OSSL_CMP_CTX *ctx, int crid,
  794. int64_t poll_after)
  795. {
  796. OSSL_CMP_MSG *msg;
  797. OSSL_CMP_POLLREP *prep;
  798. if (!ossl_assert(ctx != NULL))
  799. return NULL;
  800. if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_POLLREP)) == NULL)
  801. goto err;
  802. if ((prep = OSSL_CMP_POLLREP_new()) == NULL)
  803. goto err;
  804. if (!sk_OSSL_CMP_POLLREP_push(msg->body->value.pollRep, prep))
  805. goto err;
  806. if (!ASN1_INTEGER_set(prep->certReqId, crid))
  807. goto err;
  808. if (!ASN1_INTEGER_set_int64(prep->checkAfter, poll_after))
  809. goto err;
  810. if (!ossl_cmp_msg_protect(ctx, msg))
  811. goto err;
  812. return msg;
  813. err:
  814. ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_POLLREP);
  815. OSSL_CMP_MSG_free(msg);
  816. return NULL;
  817. }
  818. /*-
  819. * returns the status field of the RevRepContent with the given
  820. * request/sequence id inside a revocation response.
  821. * RevRepContent has the revocation statuses in same order as they were sent in
  822. * RevReqContent.
  823. * returns NULL on error
  824. */
  825. OSSL_CMP_PKISI *
  826. ossl_cmp_revrepcontent_get_pkisi(OSSL_CMP_REVREPCONTENT *rrep, int rsid)
  827. {
  828. OSSL_CMP_PKISI *status;
  829. if (!ossl_assert(rrep != NULL))
  830. return NULL;
  831. if ((status = sk_OSSL_CMP_PKISI_value(rrep->status, rsid)) != NULL)
  832. return status;
  833. ERR_raise(ERR_LIB_CMP, CMP_R_PKISTATUSINFO_NOT_FOUND);
  834. return NULL;
  835. }
  836. /*
  837. * returns the CertId field in the revCerts part of the RevRepContent
  838. * with the given request/sequence id inside a revocation response.
  839. * RevRepContent has the CertIds in same order as they were sent in
  840. * RevReqContent.
  841. * returns NULL on error
  842. */
  843. OSSL_CRMF_CERTID *
  844. ossl_cmp_revrepcontent_get_CertId(OSSL_CMP_REVREPCONTENT *rrep, int rsid)
  845. {
  846. OSSL_CRMF_CERTID *cid = NULL;
  847. if (!ossl_assert(rrep != NULL))
  848. return NULL;
  849. if ((cid = sk_OSSL_CRMF_CERTID_value(rrep->revCerts, rsid)) != NULL)
  850. return cid;
  851. ERR_raise(ERR_LIB_CMP, CMP_R_CERTID_NOT_FOUND);
  852. return NULL;
  853. }
  854. static int suitable_rid(const ASN1_INTEGER *certReqId, int rid)
  855. {
  856. int trid;
  857. if (rid == OSSL_CMP_CERTREQID_NONE)
  858. return 1;
  859. trid = ossl_cmp_asn1_get_int(certReqId);
  860. if (trid <= OSSL_CMP_CERTREQID_INVALID) {
  861. ERR_raise(ERR_LIB_CMP, CMP_R_BAD_REQUEST_ID);
  862. return 0;
  863. }
  864. return rid == trid;
  865. }
  866. /*
  867. * returns a pointer to the PollResponse with the given CertReqId
  868. * (or the first one in case -1) inside a PollRepContent
  869. * returns NULL on error or if no suitable PollResponse available
  870. */
  871. OSSL_CMP_POLLREP *
  872. ossl_cmp_pollrepcontent_get0_pollrep(const OSSL_CMP_POLLREPCONTENT *prc,
  873. int rid)
  874. {
  875. OSSL_CMP_POLLREP *pollRep = NULL;
  876. int i;
  877. if (!ossl_assert(prc != NULL))
  878. return NULL;
  879. for (i = 0; i < sk_OSSL_CMP_POLLREP_num(prc); i++) {
  880. pollRep = sk_OSSL_CMP_POLLREP_value(prc, i);
  881. if (suitable_rid(pollRep->certReqId, rid))
  882. return pollRep;
  883. }
  884. ERR_raise_data(ERR_LIB_CMP, CMP_R_CERTRESPONSE_NOT_FOUND,
  885. "expected certReqId = %d", rid);
  886. return NULL;
  887. }
  888. /*
  889. * returns a pointer to the CertResponse with the given CertReqId
  890. * (or the first one in case -1) inside a CertRepMessage
  891. * returns NULL on error or if no suitable CertResponse available
  892. */
  893. OSSL_CMP_CERTRESPONSE *
  894. ossl_cmp_certrepmessage_get0_certresponse(const OSSL_CMP_CERTREPMESSAGE *crm,
  895. int rid)
  896. {
  897. OSSL_CMP_CERTRESPONSE *crep = NULL;
  898. int i;
  899. if (!ossl_assert(crm != NULL && crm->response != NULL))
  900. return NULL;
  901. for (i = 0; i < sk_OSSL_CMP_CERTRESPONSE_num(crm->response); i++) {
  902. crep = sk_OSSL_CMP_CERTRESPONSE_value(crm->response, i);
  903. if (suitable_rid(crep->certReqId, rid))
  904. return crep;
  905. }
  906. ERR_raise_data(ERR_LIB_CMP, CMP_R_CERTRESPONSE_NOT_FOUND,
  907. "expected certReqId = %d", rid);
  908. return NULL;
  909. }
  910. /*-
  911. * Retrieve the newly enrolled certificate from the given certResponse crep.
  912. * Uses libctx and propq from ctx, in case of indirect POPO also private key.
  913. * Returns a pointer to a copy of the found certificate, or NULL if not found.
  914. */
  915. X509 *ossl_cmp_certresponse_get1_cert(const OSSL_CMP_CTX *ctx,
  916. const OSSL_CMP_CERTRESPONSE *crep)
  917. {
  918. OSSL_CMP_CERTORENCCERT *coec;
  919. X509 *crt = NULL;
  920. EVP_PKEY *pkey;
  921. if (!ossl_assert(crep != NULL && ctx != NULL))
  922. return NULL;
  923. if (crep->certifiedKeyPair
  924. && (coec = crep->certifiedKeyPair->certOrEncCert) != NULL) {
  925. switch (coec->type) {
  926. case OSSL_CMP_CERTORENCCERT_CERTIFICATE:
  927. crt = X509_dup(coec->value.certificate);
  928. break;
  929. case OSSL_CMP_CERTORENCCERT_ENCRYPTEDCERT:
  930. /* cert encrypted for indirect PoP; RFC 4210, 5.2.8.2 */
  931. pkey = OSSL_CMP_CTX_get0_newPkey(ctx, 1);
  932. /* pkey is ctx->newPkey (if private, else NULL) or ctx->pkey */
  933. if (pkey == NULL) {
  934. ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_PRIVATE_KEY);
  935. return NULL;
  936. }
  937. crt =
  938. OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(coec->value.encryptedCert,
  939. ctx->libctx, ctx->propq,
  940. pkey);
  941. break;
  942. default:
  943. ERR_raise(ERR_LIB_CMP, CMP_R_UNKNOWN_CERT_TYPE);
  944. return NULL;
  945. }
  946. }
  947. if (crt == NULL)
  948. ERR_raise(ERR_LIB_CMP, CMP_R_CERTIFICATE_NOT_FOUND);
  949. else
  950. (void)ossl_x509_set0_libctx(crt, ctx->libctx, ctx->propq);
  951. return crt;
  952. }
  953. int OSSL_CMP_MSG_update_transactionID(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg)
  954. {
  955. if (ctx == NULL || msg == NULL) {
  956. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  957. return 0;
  958. }
  959. if (!ossl_cmp_hdr_set_transactionID(ctx, msg->header))
  960. return 0;
  961. return msg->header->protectionAlg == NULL
  962. || ossl_cmp_msg_protect(ctx, msg);
  963. }
  964. int OSSL_CMP_MSG_update_recipNonce(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg)
  965. {
  966. if (ctx == NULL || msg == NULL || msg->header == NULL) {
  967. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  968. return 0;
  969. }
  970. if (ctx->recipNonce == NULL) /* nothing to do for 1st msg in transaction */
  971. return 1;
  972. if (!ossl_cmp_asn1_octet_string_set1(&msg->header->recipNonce,
  973. ctx->recipNonce))
  974. return 0;
  975. return msg->header->protectionAlg == NULL || ossl_cmp_msg_protect(ctx, msg);
  976. }
  977. OSSL_CMP_MSG *OSSL_CMP_MSG_read(const char *file, OSSL_LIB_CTX *libctx,
  978. const char *propq)
  979. {
  980. OSSL_CMP_MSG *msg;
  981. BIO *bio = NULL;
  982. if (file == NULL) {
  983. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  984. return NULL;
  985. }
  986. msg = OSSL_CMP_MSG_new(libctx, propq);
  987. if (msg == NULL) {
  988. ERR_raise(ERR_LIB_CMP, ERR_R_CMP_LIB);
  989. return NULL;
  990. }
  991. if ((bio = BIO_new_file(file, "rb")) == NULL
  992. || d2i_OSSL_CMP_MSG_bio(bio, &msg) == NULL) {
  993. OSSL_CMP_MSG_free(msg);
  994. msg = NULL;
  995. }
  996. BIO_free(bio);
  997. return msg;
  998. }
  999. int OSSL_CMP_MSG_write(const char *file, const OSSL_CMP_MSG *msg)
  1000. {
  1001. BIO *bio;
  1002. int res;
  1003. if (file == NULL || msg == NULL) {
  1004. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  1005. return -1;
  1006. }
  1007. bio = BIO_new_file(file, "wb");
  1008. if (bio == NULL)
  1009. return -2;
  1010. res = i2d_OSSL_CMP_MSG_bio(bio, msg);
  1011. BIO_free(bio);
  1012. return res;
  1013. }
  1014. OSSL_CMP_MSG *d2i_OSSL_CMP_MSG(OSSL_CMP_MSG **msg, const unsigned char **in,
  1015. long len)
  1016. {
  1017. OSSL_LIB_CTX *libctx = NULL;
  1018. const char *propq = NULL;
  1019. if (msg != NULL && *msg != NULL) {
  1020. libctx = (*msg)->libctx;
  1021. propq = (*msg)->propq;
  1022. }
  1023. return (OSSL_CMP_MSG *)ASN1_item_d2i_ex((ASN1_VALUE **)msg, in, len,
  1024. ASN1_ITEM_rptr(OSSL_CMP_MSG),
  1025. libctx, propq);
  1026. }
  1027. int i2d_OSSL_CMP_MSG(const OSSL_CMP_MSG *msg, unsigned char **out)
  1028. {
  1029. return ASN1_item_i2d((const ASN1_VALUE *)msg, out,
  1030. ASN1_ITEM_rptr(OSSL_CMP_MSG));
  1031. }
  1032. OSSL_CMP_MSG *d2i_OSSL_CMP_MSG_bio(BIO *bio, OSSL_CMP_MSG **msg)
  1033. {
  1034. OSSL_LIB_CTX *libctx = NULL;
  1035. const char *propq = NULL;
  1036. if (msg != NULL && *msg != NULL) {
  1037. libctx = (*msg)->libctx;
  1038. propq = (*msg)->propq;
  1039. }
  1040. return ASN1_item_d2i_bio_ex(ASN1_ITEM_rptr(OSSL_CMP_MSG), bio, msg, libctx,
  1041. propq);
  1042. }
  1043. int i2d_OSSL_CMP_MSG_bio(BIO *bio, const OSSL_CMP_MSG *msg)
  1044. {
  1045. return ASN1_i2d_bio_of(OSSL_CMP_MSG, i2d_OSSL_CMP_MSG, bio, msg);
  1046. }
  1047. int ossl_cmp_is_error_with_waiting(const OSSL_CMP_MSG *msg)
  1048. {
  1049. if (!ossl_assert(msg != NULL))
  1050. return 0;
  1051. return (OSSL_CMP_MSG_get_bodytype(msg) == OSSL_CMP_PKIBODY_ERROR
  1052. && ossl_cmp_pkisi_get_status(msg->body->value.error->pKIStatusInfo)
  1053. == OSSL_CMP_PKISTATUS_waiting);
  1054. }