Startsida Utforska Hjälp
Logga in
OWEALs
/
openssl
spegling av git://git.openssl.org/openssl.git
2
0
Fork 0
Filer Ärenden 1 Wiki
Träd: 62c3fed0cd
Grenar Taggar
openssl
/
crypto
/
cmp
/
cmp_msg.c

cmp_msg.c 29 KB
Historik

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996 
  1. /*
    2. 

  2.  * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
    3. 

  3.  * Copyright Nokia 2007-2019
    4. 

  4.  * Copyright Siemens AG 2015-2019
    5. 

  5.  *
    6. 

  6.  * Licensed under the Apache License 2.0 (the "License").  You may not use
    7. 

  7.  * this file except in compliance with the License.  You can obtain a copy
    8. 

  8.  * in the file LICENSE in the source distribution or at
    9. 

  9.  * https://www.openssl.org/source/license.html
    10. 

  10.  */
    11. 

  11. 

  12. /* CMP functions for PKIMessage construction */
    13. 

  13. 

  14. #include "cmp_local.h"
    15. 

  15. 

  16. /* explicit #includes not strictly needed since implied by the above: */
    17. 

  17. #include <openssl/asn1t.h>
    18. 

  18. #include <openssl/cmp.h>
    19. 

  19. #include <openssl/crmf.h>
    20. 

  20. #include <openssl/err.h>
    21. 

  21. #include <openssl/x509.h>
    22. 

  22. 

  23. OSSL_CMP_PKIHEADER *OSSL_CMP_MSG_get0_header(const OSSL_CMP_MSG *msg)
    24. 

  24. {
    25. 

  25.     if (msg == NULL) {
    26. 

  26.         CMPerr(0, CMP_R_NULL_ARGUMENT);
    27. 

  27.         return NULL;
    28. 

  28.     }
    29. 

  29.     return msg->header;
    30. 

  30. }
    31. 

  31. 

  32. const char *ossl_cmp_bodytype_to_string(int type)
    33. 

  33. {
    34. 

  34.     static const char *type_names[] = {
    35. 

  35.         "IR", "IP", "CR", "CP", "P10CR",
    36. 

  36.         "POPDECC", "POPDECR", "KUR", "KUP",
    37. 

  37.         "KRR", "KRP", "RR", "RP", "CCR", "CCP",
    38. 

  38.         "CKUANN", "CANN", "RANN", "CRLANN", "PKICONF", "NESTED",
    39. 

  39.         "GENM", "GENP", "ERROR", "CERTCONF", "POLLREQ", "POLLREP",
    40. 

  40.     };
    41. 

  41. 

  42.     if (type < 0 || type > OSSL_CMP_PKIBODY_TYPE_MAX)
    43. 

  43.         return "illegal body type";
    44. 

  44.     return type_names[type];
    45. 

  45. }
    46. 

  46. 

  47. int ossl_cmp_msg_set_bodytype(OSSL_CMP_MSG *msg, int type)
    48. 

  48. {
    49. 

  49.     if (!ossl_assert(msg != NULL && msg->body != NULL))
    50. 

  50.         return 0;
    51. 

  51. 

  52.     msg->body->type = type;
    53. 

  53.     return 1;
    54. 

  54. }
    55. 

  55. 

  56. int ossl_cmp_msg_get_bodytype(const OSSL_CMP_MSG *msg)
    57. 

  57. {
    58. 

  58.     if (!ossl_assert(msg != NULL && msg->body != NULL))
    59. 

  59.         return -1;
    60. 

  60. 

  61.     return msg->body->type;
    62. 

  62. }
    63. 

  63. 

  64. /* Add an extension to the referenced extension stack, which may be NULL */
    65. 

  65. static int add1_extension(X509_EXTENSIONS **pexts, int nid, int crit, void *ex)
    66. 

  66. {
    67. 

  67.     X509_EXTENSION *ext;
    68. 

  68.     int res;
    69. 

  69. 

  70.     if (!ossl_assert(pexts != NULL)) /* pointer to var must not be NULL */
    71. 

  71.         return 0;
    72. 

  72. 

  73.     if ((ext = X509V3_EXT_i2d(nid, crit, ex)) == NULL)
    74. 

  74.         return 0;
    75. 

  75. 

  76.     res = X509v3_add_ext(pexts, ext, 0) != NULL;
    77. 

  77.     X509_EXTENSION_free(ext);
    78. 

  78.     return res;
    79. 

  79. }
    80. 

  80. 

  81. /* Add a CRL revocation reason code to extension stack, which may be NULL */
    82. 

  82. static int add_crl_reason_extension(X509_EXTENSIONS **pexts, int reason_code)
    83. 

  83. {
    84. 

  84.     ASN1_ENUMERATED *val = ASN1_ENUMERATED_new();
    85. 

  85.     int res = 0;
    86. 

  86. 

  87.     if (val != NULL && ASN1_ENUMERATED_set(val, reason_code))
    88. 

  88.         res = add1_extension(pexts, NID_crl_reason, 0 /* non-critical */, val);
    89. 

  89.     ASN1_ENUMERATED_free(val);
    90. 

  90.     return res;
    91. 

  91. }
    92. 

  92. 

  93. OSSL_CMP_MSG *ossl_cmp_msg_create(OSSL_CMP_CTX *ctx, int bodytype)
    94. 

  94. {
    95. 

  95.     OSSL_CMP_MSG *msg = NULL;
    96. 

  96. 

  97.     if (!ossl_assert(ctx != NULL))
    98. 

  98.         return NULL;
    99. 

  99. 

  100.     if ((msg = OSSL_CMP_MSG_new()) == NULL)
    101. 

  101.         return NULL;
    102. 

  102.     if (!ossl_cmp_hdr_init(ctx, msg->header)
    103. 

  103.             || !ossl_cmp_msg_set_bodytype(msg, bodytype))
    104. 

  104.         goto err;
    105. 

  105.     if (ctx->geninfo_ITAVs != NULL
    106. 

  106.             && !ossl_cmp_hdr_generalInfo_push1_items(msg->header,
    107. 

  107.                                                      ctx->geninfo_ITAVs))
    108. 

  108.         goto err;
    109. 

  109. 

  110.     switch (bodytype) {
    111. 

  111.     case OSSL_CMP_PKIBODY_IR:
    112. 

  112.     case OSSL_CMP_PKIBODY_CR:
    113. 

  113.     case OSSL_CMP_PKIBODY_KUR:
    114. 

  114.         if ((msg->body->value.ir = OSSL_CRMF_MSGS_new()) == NULL)
    115. 

  115.             goto err;
    116. 

  116.         return msg;
    117. 

  117. 

  118.     case OSSL_CMP_PKIBODY_P10CR:
    119. 

  119.         if (ctx->p10CSR == NULL) {
    120. 

  120.             CMPerr(0, CMP_R_ERROR_CREATING_P10CR);
    121. 

  121.             goto err;
    122. 

  122.         }
    123. 

  123.         if ((msg->body->value.p10cr = X509_REQ_dup(ctx->p10CSR)) == NULL)
    124. 

  124.             goto err;
    125. 

  125.         return msg;
    126. 

  126. 

  127.     case OSSL_CMP_PKIBODY_IP:
    128. 

  128.     case OSSL_CMP_PKIBODY_CP:
    129. 

  129.     case OSSL_CMP_PKIBODY_KUP:
    130. 

  130.         if ((msg->body->value.ip = OSSL_CMP_CERTREPMESSAGE_new()) == NULL)
    131. 

  131.             goto err;
    132. 

  132.         return msg;
    133. 

  133. 

  134.     case OSSL_CMP_PKIBODY_RR:
    135. 

  135.         if ((msg->body->value.rr = sk_OSSL_CMP_REVDETAILS_new_null()) == NULL)
    136. 

  136.             goto err;
    137. 

  137.         return msg;
    138. 

  138.     case OSSL_CMP_PKIBODY_RP:
    139. 

  139.         if ((msg->body->value.rp = OSSL_CMP_REVREPCONTENT_new()) == NULL)
    140. 

  140.             goto err;
    141. 

  141.         return msg;
    142. 

  142. 

  143.     case OSSL_CMP_PKIBODY_CERTCONF:
    144. 

  144.         if ((msg->body->value.certConf =
    145. 

  145.              sk_OSSL_CMP_CERTSTATUS_new_null()) == NULL)
    146. 

  146.             goto err;
    147. 

  147.         return msg;
    148. 

  148.     case OSSL_CMP_PKIBODY_PKICONF:
    149. 

  149.         if ((msg->body->value.pkiconf = ASN1_TYPE_new()) == NULL)
    150. 

  150.             goto err;
    151. 

  151.         ASN1_TYPE_set(msg->body->value.pkiconf, V_ASN1_NULL, NULL);
    152. 

  152.         return msg;
    153. 

  153. 

  154.     case OSSL_CMP_PKIBODY_POLLREQ:
    155. 

  155.         if ((msg->body->value.pollReq = sk_OSSL_CMP_POLLREQ_new_null()) == NULL)
    156. 

  156.             goto err;
    157. 

  157.         return msg;
    158. 

  158.     case OSSL_CMP_PKIBODY_POLLREP:
    159. 

  159.         if ((msg->body->value.pollRep = sk_OSSL_CMP_POLLREP_new_null()) == NULL)
    160. 

  160.             goto err;
    161. 

  161.         return msg;
    162. 

  162. 

  163.     case OSSL_CMP_PKIBODY_GENM:
    164. 

  164.     case OSSL_CMP_PKIBODY_GENP:
    165. 

  165.         if ((msg->body->value.genm = sk_OSSL_CMP_ITAV_new_null()) == NULL)
    166. 

  166.             goto err;
    167. 

  167.         return msg;
    168. 

  168. 

  169.     case OSSL_CMP_PKIBODY_ERROR:
    170. 

  170.         if ((msg->body->value.error = OSSL_CMP_ERRORMSGCONTENT_new()) == NULL)
    171. 

  171.             goto err;
    172. 

  172.         return msg;
    173. 

  173. 

  174.     default:
    175. 

  175.         CMPerr(0, CMP_R_UNEXPECTED_PKIBODY);
    176. 

  176.         goto err;
    177. 

  177.     }
    178. 

  178. 

  179.  err:
    180. 

  180.     OSSL_CMP_MSG_free(msg);
    181. 

  181.     return NULL;
    182. 

  182. }
    183. 

  183. 

  184. #define HAS_SAN(ctx) \
    185. 

  185.     (sk_GENERAL_NAME_num((ctx)->subjectAltNames) > 0 \
    186. 

  186.          || OSSL_CMP_CTX_reqExtensions_have_SAN(ctx) == 1)
    187. 

  187. 

  188. static X509_NAME *determine_subj(OSSL_CMP_CTX *ctx, X509 *refcert,
    189. 

  189.                                  int bodytype)
    190. 

  190. {
    191. 

  191.     if (ctx->subjectName != NULL)
    192. 

  192.         return ctx->subjectName;
    193. 

  193. 

  194.     if (refcert != NULL
    195. 

  195.             && (bodytype == OSSL_CMP_PKIBODY_KUR || !HAS_SAN(ctx)))
    196. 

  196.         /*
    197. 

  197.          * For KUR, copy subjectName from reference certificate.
    198. 

  198.          * For IR or CR, do the same only if there is no subjectAltName.
    199. 

  199.          */
    200. 

  200.         return X509_get_subject_name(refcert);
    201. 

  201.     return NULL;
    202. 

  202. }
    203. 

  203. 

  204. /*
    205. 

  205.  * Create CRMF certificate request message for IR/CR/KUR
    206. 

  206.  * returns a pointer to the OSSL_CRMF_MSG on success, NULL on error
    207. 

  207.  */
    208. 

  208. static OSSL_CRMF_MSG *crm_new(OSSL_CMP_CTX *ctx, int bodytype,
    209. 

  209.                               int rid, EVP_PKEY *rkey)
    210. 

  210. {
    211. 

  211.     OSSL_CRMF_MSG *crm = NULL;
    212. 

  212.     X509 *refcert = ctx->oldCert != NULL ? ctx->oldCert : ctx->clCert;
    213. 

  213.     /* refcert defaults to current client cert */
    214. 

  214.     STACK_OF(GENERAL_NAME) *default_sans = NULL;
    215. 

  215.     X509_NAME *subject = determine_subj(ctx, refcert, bodytype);
    216. 

  216.     int crit = ctx->setSubjectAltNameCritical || subject == NULL;
    217. 

  217.     /* RFC5280: subjectAltName MUST be critical if subject is null */
    218. 

  218.     X509_EXTENSIONS *exts = NULL;
    219. 

  219. 

  220.     if (rkey == NULL
    221. 

  221.             || (bodytype == OSSL_CMP_PKIBODY_KUR && refcert == NULL)) {
    222. 

  222.         CMPerr(0, CMP_R_INVALID_ARGS);
    223. 

  223.         return NULL;
    224. 

  224.     }
    225. 

  225.     if ((crm = OSSL_CRMF_MSG_new()) == NULL)
    226. 

  226.         return NULL;
    227. 

  227.     if (!OSSL_CRMF_MSG_set_certReqId(crm, rid)
    228. 

  228.             /*
    229. 

  229.              * fill certTemplate, corresponding to CertificationRequestInfo
    230. 

  230.              * of PKCS#10. The rkey param cannot be NULL so far -
    231. 

  231.              * it could be NULL if centralized key creation was supported
    232. 

  232.              */
    233. 

  233.             || !OSSL_CRMF_CERTTEMPLATE_fill(OSSL_CRMF_MSG_get0_tmpl(crm), rkey,
    234. 

  234.                                             subject, ctx->issuer,
    235. 

  235.                                             NULL/* serial */))
    236. 

  236.         goto err;
    237. 

  237.     if (ctx->days != 0) {
    238. 

  238.         time_t notBefore, notAfter;
    239. 

  239. 

  240.         notBefore = time(NULL);
    241. 

  241.         notAfter = notBefore + 60 * 60 * 24 * ctx->days;
    242. 

  242.         if (!OSSL_CRMF_MSG_set_validity(crm, notBefore, notAfter))
    243. 

  243.             goto err;
    244. 

  244.     }
    245. 

  245. 

  246.     /* extensions */
    247. 

  247.     if (refcert != NULL && !ctx->SubjectAltName_nodefault)
    248. 

  248.         default_sans = X509V3_get_d2i(X509_get0_extensions(refcert),
    249. 

  249.                                       NID_subject_alt_name, NULL, NULL);
    250. 

  250.     /* exts are copied from ctx to allow reuse */
    251. 

  251.     if (ctx->reqExtensions != NULL) {
    252. 

  252.         exts = sk_X509_EXTENSION_deep_copy(ctx->reqExtensions,
    253. 

  253.                                            X509_EXTENSION_dup,
    254. 

  254.                                            X509_EXTENSION_free);
    255. 

  255.         if (exts == NULL)
    256. 

  256.             goto err;
    257. 

  257.     }
    258. 

  258.     if (sk_GENERAL_NAME_num(ctx->subjectAltNames) > 0
    259. 

  259.             && !add1_extension(&exts, NID_subject_alt_name,
    260. 

  260.                                crit, ctx->subjectAltNames))
    261. 

  261.         goto err;
    262. 

  262.     if (!HAS_SAN(ctx) && default_sans != NULL
    263. 

  263.             && !add1_extension(&exts, NID_subject_alt_name, crit, default_sans))
    264. 

  264.         goto err;
    265. 

  265.     if (ctx->policies != NULL
    266. 

  266.             && !add1_extension(&exts, NID_certificate_policies,
    267. 

  267.                                ctx->setPoliciesCritical, ctx->policies))
    268. 

  268.         goto err;
    269. 

  269.     if (!OSSL_CRMF_MSG_set0_extensions(crm, exts))
    270. 

  270.         goto err;
    271. 

  271.     exts = NULL;
    272. 

  272.     /* end fill certTemplate, now set any controls */
    273. 

  273. 

  274.     /* for KUR, set OldCertId according to D.6 */
    275. 

  275.     if (bodytype == OSSL_CMP_PKIBODY_KUR) {
    276. 

  276.         OSSL_CRMF_CERTID *cid =
    277. 

  277.             OSSL_CRMF_CERTID_gen(X509_get_issuer_name(refcert),
    278. 

  278.                                  X509_get_serialNumber(refcert));
    279. 

  279.         int ret;
    280. 

  280. 

  281.         if (cid == NULL)
    282. 

  282.             goto err;
    283. 

  283.         ret = OSSL_CRMF_MSG_set1_regCtrl_oldCertID(crm, cid);
    284. 

  284.         OSSL_CRMF_CERTID_free(cid);
    285. 

  285.         if (ret == 0)
    286. 

  286.             goto err;
    287. 

  287.     }
    288. 

  288. 

  289.     goto end;
    290. 

  290. 

  291.  err:
    292. 

  292.     OSSL_CRMF_MSG_free(crm);
    293. 

  293.     crm = NULL;
    294. 

  294. 

  295.  end:
    296. 

  296.     sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
    297. 

  297.     sk_GENERAL_NAME_pop_free(default_sans, GENERAL_NAME_free);
    298. 

  298.     return crm;
    299. 

  299. }
    300. 

  300. 

  301. OSSL_CMP_MSG *ossl_cmp_certReq_new(OSSL_CMP_CTX *ctx, int type, int err_code)
    302. 

  302. {
    303. 

  303.     EVP_PKEY *rkey;
    304. 

  304.     EVP_PKEY *privkey;
    305. 

  305.     OSSL_CMP_MSG *msg;
    306. 

  306.     OSSL_CRMF_MSG *crm = NULL;
    307. 

  307. 

  308.     if (!ossl_assert(ctx != NULL))
    309. 

  309.         return NULL;
    310. 

  310. 

  311.     rkey = OSSL_CMP_CTX_get0_newPkey(ctx, 0);
    312. 

  312.     if (rkey == NULL)
    313. 

  313.         return NULL;
    314. 

  314.     privkey = OSSL_CMP_CTX_get0_newPkey(ctx, 1);
    315. 

  315. 

  316.     if (type != OSSL_CMP_PKIBODY_IR && type != OSSL_CMP_PKIBODY_CR
    317. 

  317.             && type != OSSL_CMP_PKIBODY_KUR && type != OSSL_CMP_PKIBODY_P10CR) {
    318. 

  318.         CMPerr(0, CMP_R_INVALID_ARGS);
    319. 

  319.         return NULL;
    320. 

  320.     }
    321. 

  321. 

  322.     if ((msg = ossl_cmp_msg_create(ctx, type)) == NULL)
    323. 

  323.         goto err;
    324. 

  324. 

  325.     /* header */
    326. 

  326.     if (ctx->implicitConfirm && !ossl_cmp_hdr_set_implicitConfirm(msg->header))
    327. 

  327.         goto err;
    328. 

  328. 

  329.     /* body */
    330. 

  330.     /* For P10CR the content has already been set in OSSL_CMP_MSG_create */
    331. 

  331.     if (type != OSSL_CMP_PKIBODY_P10CR) {
    332. 

  332.         if (ctx->popoMethod == OSSL_CRMF_POPO_SIGNATURE && privkey == NULL) {
    333. 

  333.             CMPerr(0, CMP_R_MISSING_PRIVATE_KEY);
    334. 

  334.             goto err;
    335. 

  335.         }
    336. 

  336.         if ((crm = crm_new(ctx, type, OSSL_CMP_CERTREQID, rkey)) == NULL
    337. 

  337.                 || !OSSL_CRMF_MSG_create_popo(crm, privkey, ctx->digest,
    338. 

  338.                                               ctx->popoMethod)
    339. 

  339.                 /* value.ir is same for cr and kur */
    340. 

  340.                 || !sk_OSSL_CRMF_MSG_push(msg->body->value.ir, crm))
    341. 

  341.             goto err;
    342. 

  342.         crm = NULL;
    343. 

  343.         /* TODO: here optional 2nd certreqmsg could be pushed to the stack */
    344. 

  344.     }
    345. 

  345. 

  346.     if (!ossl_cmp_msg_protect(ctx, msg))
    347. 

  347.         goto err;
    348. 

  348. 

  349.     return msg;
    350. 

  350. 

  351.  err:
    352. 

  352.     CMPerr(0, err_code);
    353. 

  353.     OSSL_CRMF_MSG_free(crm);
    354. 

  354.     OSSL_CMP_MSG_free(msg);
    355. 

  355.     return NULL;
    356. 

  356. }
    357. 

  357. 

  358. OSSL_CMP_MSG *ossl_cmp_certRep_new(OSSL_CMP_CTX *ctx, int bodytype,
    359. 

  359.                                    int certReqId, OSSL_CMP_PKISI *si,
    360. 

  360.                                    X509 *cert, STACK_OF(X509) *chain,
    361. 

  361.                                    STACK_OF(X509) *caPubs, int encrypted,
    362. 

  362.                                    int unprotectedErrors)
    363. 

  363. {
    364. 

  364.     OSSL_CMP_MSG *msg = NULL;
    365. 

  365.     OSSL_CMP_CERTREPMESSAGE *repMsg = NULL;
    366. 

  366.     OSSL_CMP_CERTRESPONSE *resp = NULL;
    367. 

  367.     int status = -1;
    368. 

  368. 

  369.     if (!ossl_assert(ctx != NULL && si != NULL))
    370. 

  370.         return NULL;
    371. 

  371. 

  372.     if ((msg = ossl_cmp_msg_create(ctx, bodytype)) == NULL)
    373. 

  373.         goto err;
    374. 

  374.     repMsg = msg->body->value.ip; /* value.ip is same for cp and kup */
    375. 

  375. 

  376.     /* header */
    377. 

  377.     if (ctx->implicitConfirm && !ossl_cmp_hdr_set_implicitConfirm(msg->header))
    378. 

  378.         goto err;
    379. 

  379. 

  380.     /* body */
    381. 

  381.     if ((resp = OSSL_CMP_CERTRESPONSE_new()) == NULL)
    382. 

  382.         goto err;
    383. 

  383.     OSSL_CMP_PKISI_free(resp->status);
    384. 

  384.     if ((resp->status = OSSL_CMP_PKISI_dup(si)) == NULL
    385. 

  385.             || !ASN1_INTEGER_set(resp->certReqId, certReqId))
    386. 

  386.         goto err;
    387. 

  387. 

  388.     status = ossl_cmp_pkisi_get_pkistatus(resp->status);
    389. 

  389.     if (status != OSSL_CMP_PKISTATUS_rejection
    390. 

  390.             && status != OSSL_CMP_PKISTATUS_waiting && cert != NULL) {
    391. 

  391.         if (encrypted) {
    392. 

  392.             CMPerr(0, CMP_R_INVALID_ARGS);
    393. 

  393.             goto err;
    394. 

  394.         }
    395. 

  395. 

  396.         if ((resp->certifiedKeyPair = OSSL_CMP_CERTIFIEDKEYPAIR_new())
    397. 

  397.             == NULL)
    398. 

  398.             goto err;
    399. 

  399.         resp->certifiedKeyPair->certOrEncCert->type =
    400. 

  400.             OSSL_CMP_CERTORENCCERT_CERTIFICATE;
    401. 

  401.         if (!X509_up_ref(cert))
    402. 

  402.             goto err;
    403. 

  403.         resp->certifiedKeyPair->certOrEncCert->value.certificate = cert;
    404. 

  404.     }
    405. 

  405. 

  406.     if (!sk_OSSL_CMP_CERTRESPONSE_push(repMsg->response, resp))
    407. 

  407.         goto err;
    408. 

  408.     resp = NULL;
    409. 

  409.     /* TODO: here optional 2nd certrep could be pushed to the stack */
    410. 

  410. 

  411.     if (bodytype == OSSL_CMP_PKIBODY_IP && caPubs != NULL
    412. 

  412.             && (repMsg->caPubs = X509_chain_up_ref(caPubs)) == NULL)
    413. 

  413.         goto err;
    414. 

  414.     if (chain != NULL
    415. 

  415.             && !ossl_cmp_sk_X509_add1_certs(msg->extraCerts, chain, 0, 1, 0))
    416. 

  416.         goto err;
    417. 

  417. 

  418.     if (!unprotectedErrors
    419. 

  419.             || ossl_cmp_pkisi_get_pkistatus(si) != OSSL_CMP_PKISTATUS_rejection)
    420. 

  420.         if (!ossl_cmp_msg_protect(ctx, msg))
    421. 

  421.             goto err;
    422. 

  422. 

  423.     return msg;
    424. 

  424. 

  425.  err:
    426. 

  426.     CMPerr(0, CMP_R_ERROR_CREATING_CERTREP);
    427. 

  427.     OSSL_CMP_CERTRESPONSE_free(resp);
    428. 

  428.     OSSL_CMP_MSG_free(msg);
    429. 

  429.     return NULL;
    430. 

  430. }
    431. 

  431. 

  432. OSSL_CMP_MSG *ossl_cmp_rr_new(OSSL_CMP_CTX *ctx)
    433. 

  433. {
    434. 

  434.     OSSL_CMP_MSG *msg = NULL;
    435. 

  435.     OSSL_CMP_REVDETAILS *rd;
    436. 

  436. 

  437.     if (!ossl_assert(ctx != NULL && ctx->oldCert != NULL))
    438. 

  438.         return NULL;
    439. 

  439. 

  440.     if ((rd = OSSL_CMP_REVDETAILS_new()) == NULL)
    441. 

  441.         goto err;
    442. 

  442. 

  443.     /* Fill the template from the contents of the certificate to be revoked */
    444. 

  444.     if (!OSSL_CRMF_CERTTEMPLATE_fill(rd->certDetails,
    445. 

  445.                                      NULL/* pubkey would be redundant */,
    446. 

  446.                                      NULL/* subject would be redundant */,
    447. 

  447.                                      X509_get_issuer_name(ctx->oldCert),
    448. 

  448.                                      X509_get_serialNumber(ctx->oldCert)))
    449. 

  449.         goto err;
    450. 

  450. 

  451.     /* revocation reason code is optional */
    452. 

  452.     if (ctx->revocationReason != CRL_REASON_NONE
    453. 

  453.             && !add_crl_reason_extension(&rd->crlEntryDetails,
    454. 

  454.                                          ctx->revocationReason))
    455. 

  455.         goto err;
    456. 

  456. 

  457.     if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_RR)) == NULL)
    458. 

  458.         goto err;
    459. 

  459. 

  460.     if (!sk_OSSL_CMP_REVDETAILS_push(msg->body->value.rr, rd))
    461. 

  461.         goto err;
    462. 

  462.     rd = NULL;
    463. 

  463. 

  464.     /*
    465. 

  465.      * TODO: the Revocation Passphrase according to section 5.3.19.9 could be
    466. 

  466.      *       set here if set in ctx
    467. 

  467.      */
    468. 

  468. 

  469.     if (!ossl_cmp_msg_protect(ctx, msg))
    470. 

  470.         goto err;
    471. 

  471. 

  472.     return msg;
    473. 

  473. 

  474.  err:
    475. 

  475.     CMPerr(0, CMP_R_ERROR_CREATING_RR);
    476. 

  476.     OSSL_CMP_MSG_free(msg);
    477. 

  477.     OSSL_CMP_REVDETAILS_free(rd);
    478. 

  478.     return NULL;
    479. 

  479. }
    480. 

  480. 

  481. OSSL_CMP_MSG *ossl_cmp_rp_new(OSSL_CMP_CTX *ctx, OSSL_CMP_PKISI *si,
    482. 

  482.                               OSSL_CRMF_CERTID *cid, int unprot_err)
    483. 

  483. {
    484. 

  484.     OSSL_CMP_REVREPCONTENT *rep = NULL;
    485. 

  485.     OSSL_CMP_PKISI *si1 = NULL;
    486. 

  486.     OSSL_CRMF_CERTID *cid_copy = NULL;
    487. 

  487.     OSSL_CMP_MSG *msg = NULL;
    488. 

  488. 

  489.     if (!ossl_assert(ctx != NULL && si != NULL && cid != NULL))
    490. 

  490.         return NULL;
    491. 

  491. 

  492.     if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_RP)) == NULL)
    493. 

  493.         goto err;
    494. 

  494.     rep = msg->body->value.rp;
    495. 

  495. 

  496.     if ((si1 = OSSL_CMP_PKISI_dup(si)) == NULL)
    497. 

  497.         goto err;
    498. 

  498. 

  499.     if (!sk_OSSL_CMP_PKISI_push(rep->status, si1)) {
    500. 

  500.         OSSL_CMP_PKISI_free(si1);
    501. 

  501.         goto err;
    502. 

  502.     }
    503. 

  503. 

  504.     if ((rep->revCerts = sk_OSSL_CRMF_CERTID_new_null()) == NULL)
    505. 

  505.         goto err;
    506. 

  506.     if ((cid_copy = OSSL_CRMF_CERTID_dup(cid)) == NULL)
    507. 

  507.         goto err;
    508. 

  508.     if (!sk_OSSL_CRMF_CERTID_push(rep->revCerts, cid_copy)) {
    509. 

  509.         OSSL_CRMF_CERTID_free(cid_copy);
    510. 

  510.         goto err;
    511. 

  511.     }
    512. 

  512. 

  513.     if (!unprot_err
    514. 

  514.             || ossl_cmp_pkisi_get_pkistatus(si) != OSSL_CMP_PKISTATUS_rejection)
    515. 

  515.         if (!ossl_cmp_msg_protect(ctx, msg))
    516. 

  516.             goto err;
    517. 

  517. 

  518.     return msg;
    519. 

  519. 

  520.  err:
    521. 

  521.     CMPerr(0, CMP_R_ERROR_CREATING_RP);
    522. 

  522.     OSSL_CMP_MSG_free(msg);
    523. 

  523.     return NULL;
    524. 

  524. }
    525. 

  525. 

  526. OSSL_CMP_MSG *ossl_cmp_pkiconf_new(OSSL_CMP_CTX *ctx)
    527. 

  527. {
    528. 

  528.     OSSL_CMP_MSG *msg;
    529. 

  529. 

  530.     if (!ossl_assert(ctx != NULL))
    531. 

  531.         return NULL;
    532. 

  532. 

  533.     if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_PKICONF)) == NULL)
    534. 

  534.         goto err;
    535. 

  535.     if (ossl_cmp_msg_protect(ctx, msg))
    536. 

  536.         return msg;
    537. 

  537. 

  538.  err:
    539. 

  539.     CMPerr(0, CMP_R_ERROR_CREATING_PKICONF);
    540. 

  540.     OSSL_CMP_MSG_free(msg);
    541. 

  541.     return NULL;
    542. 

  542. }
    543. 

  543. 

  544. int ossl_cmp_msg_gen_push0_ITAV(OSSL_CMP_MSG *msg, OSSL_CMP_ITAV *itav)
    545. 

  545. {
    546. 

  546.     int bodytype;
    547. 

  547. 

  548.     if (!ossl_assert(msg != NULL && itav != NULL))
    549. 

  549.         return 0;
    550. 

  550. 

  551.     bodytype = ossl_cmp_msg_get_bodytype(msg);
    552. 

  552.     if (bodytype != OSSL_CMP_PKIBODY_GENM
    553. 

  553.             && bodytype != OSSL_CMP_PKIBODY_GENP) {
    554. 

  554.         CMPerr(0, CMP_R_INVALID_ARGS);
    555. 

  555.         return 0;
    556. 

  556.     }
    557. 

  557. 

  558.     /* value.genp has the same structure, so this works for genp as well */
    559. 

  559.     return OSSL_CMP_ITAV_push0_stack_item(&msg->body->value.genm, itav);
    560. 

  560. }
    561. 

  561. 

  562. int ossl_cmp_msg_gen_push1_ITAVs(OSSL_CMP_MSG *msg,
    563. 

  563.                                  STACK_OF(OSSL_CMP_ITAV) *itavs)
    564. 

  564. {
    565. 

  565.     int i;
    566. 

  566.     OSSL_CMP_ITAV *itav = NULL;
    567. 

  567. 

  568.     if (!ossl_assert(msg != NULL))
    569. 

  569.         return 0;
    570. 

  570. 

  571.     for (i = 0; i < sk_OSSL_CMP_ITAV_num(itavs); i++) {
    572. 

  572.         if ((itav = OSSL_CMP_ITAV_dup(sk_OSSL_CMP_ITAV_value(itavs,i))) == NULL)
    573. 

  573.             return 0;
    574. 

  574.         if (!ossl_cmp_msg_gen_push0_ITAV(msg, itav)) {
    575. 

  575.             OSSL_CMP_ITAV_free(itav);
    576. 

  576.             return 0;
    577. 

  577.         }
    578. 

  578.     }
    579. 

  579.     return 1;
    580. 

  580. }
    581. 

  581. 

  582. /*
    583. 

  583.  * Creates a new General Message/Response with an empty itav stack
    584. 

  584.  * returns a pointer to the PKIMessage on success, NULL on error
    585. 

  585.  */
    586. 

  586. static OSSL_CMP_MSG *gen_new(OSSL_CMP_CTX *ctx, int body_type, int err_code)
    587. 

  587. {
    588. 

  588.     OSSL_CMP_MSG *msg = NULL;
    589. 

  589. 

  590.     if (!ossl_assert(ctx != NULL))
    591. 

  591.         return NULL;
    592. 

  592. 

  593.     if ((msg = ossl_cmp_msg_create(ctx, body_type)) == NULL)
    594. 

  594.         return NULL;
    595. 

  595. 

  596.     if (ctx->genm_ITAVs != NULL
    597. 

  597.             && !ossl_cmp_msg_gen_push1_ITAVs(msg, ctx->genm_ITAVs))
    598. 

  598.         goto err;
    599. 

  599. 

  600.     if (!ossl_cmp_msg_protect(ctx, msg))
    601. 

  601.         goto err;
    602. 

  602. 

  603.     return msg;
    604. 

  604. 

  605.  err:
    606. 

  606.     CMPerr(0, err_code);
    607. 

  607.     OSSL_CMP_MSG_free(msg);
    608. 

  608.     return NULL;
    609. 

  609. }
    610. 

  610. 

  611. OSSL_CMP_MSG *ossl_cmp_genm_new(OSSL_CMP_CTX *ctx)
    612. 

  612. {
    613. 

  613.     return gen_new(ctx, OSSL_CMP_PKIBODY_GENM, CMP_R_ERROR_CREATING_GENM);
    614. 

  614. }
    615. 

  615. 

  616. OSSL_CMP_MSG *ossl_cmp_genp_new(OSSL_CMP_CTX *ctx)
    617. 

  617. {
    618. 

  618.     return gen_new(ctx, OSSL_CMP_PKIBODY_GENP, CMP_R_ERROR_CREATING_GENP);
    619. 

  619. }
    620. 

  620. 

  621. OSSL_CMP_MSG *ossl_cmp_error_new(OSSL_CMP_CTX *ctx, OSSL_CMP_PKISI *si,
    622. 

  622.                                  int errorCode,
    623. 

  623.                                  OSSL_CMP_PKIFREETEXT *errorDetails,
    624. 

  624.                                  int unprotected)
    625. 

  625. {
    626. 

  626.     OSSL_CMP_MSG *msg = NULL;
    627. 

  627. 

  628.     if (!ossl_assert(ctx != NULL && si != NULL))
    629. 

  629.         return NULL;
    630. 

  630. 

  631.     if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_ERROR)) == NULL)
    632. 

  632.         goto err;
    633. 

  633. 

  634.     OSSL_CMP_PKISI_free(msg->body->value.error->pKIStatusInfo);
    635. 

  635.     if ((msg->body->value.error->pKIStatusInfo = OSSL_CMP_PKISI_dup(si))
    636. 

  636.         == NULL)
    637. 

  637.         goto err;
    638. 

  638.     if (errorCode >= 0) {
    639. 

  639.         if ((msg->body->value.error->errorCode = ASN1_INTEGER_new()) == NULL)
    640. 

  640.             goto err;
    641. 

  641.         if (!ASN1_INTEGER_set(msg->body->value.error->errorCode, errorCode))
    642. 

  642.             goto err;
    643. 

  643.     }
    644. 

  644.     if (errorDetails != NULL)
    645. 

  645.         if ((msg->body->value.error->errorDetails =
    646. 

  646.             sk_ASN1_UTF8STRING_deep_copy(errorDetails, ASN1_STRING_dup,
    647. 

  647.                                          ASN1_STRING_free)) == NULL)
    648. 

  648.             goto err;
    649. 

  649. 

  650.     if (!unprotected && !ossl_cmp_msg_protect(ctx, msg))
    651. 

  651.         goto err;
    652. 

  652.     return msg;
    653. 

  653. 

  654.  err:
    655. 

  655.     CMPerr(0, CMP_R_ERROR_CREATING_ERROR);
    656. 

  656.     OSSL_CMP_MSG_free(msg);
    657. 

  657.     return NULL;
    658. 

  658. }
    659. 

  659. 

  660. /*
    661. 

  661.  * OSSL_CMP_CERTSTATUS_set_certHash() calculates a hash of the certificate,
    662. 

  662.  * using the same hash algorithm as is used to create and verify the
    663. 

  663.  * certificate signature, and places the hash into the certHash field of a
    664. 

  664.  * OSSL_CMP_CERTSTATUS structure. This is used in the certConf message,
    665. 

  665.  * for example, to confirm that the certificate was received successfully.
    666. 

  666.  */
    667. 

  667. int ossl_cmp_certstatus_set_certHash(OSSL_CMP_CERTSTATUS *certStatus,
    668. 

  668.                                      const X509 *cert)
    669. 

  669. {
    670. 

  670.     unsigned int len;
    671. 

  671.     unsigned char hash[EVP_MAX_MD_SIZE];
    672. 

  672.     int md_NID;
    673. 

  673.     const EVP_MD *md = NULL;
    674. 

  674. 

  675.     if (!ossl_assert(certStatus != NULL && cert != NULL))
    676. 

  676.         return 0;
    677. 

  677. 

  678.     /*-
    679. 

  679.      * select hash algorithm, as stated in Appendix F. Compilable ASN.1 defs:
    680. 

  680.      * the hash of the certificate, using the same hash algorithm
    681. 

  681.      * as is used to create and verify the certificate signature
    682. 

  682.      */
    683. 

  683.     if (OBJ_find_sigid_algs(X509_get_signature_nid(cert), &md_NID, NULL)
    684. 

  684.             && (md = EVP_get_digestbynid(md_NID)) != NULL) {
    685. 

  685.         if (!X509_digest(cert, md, hash, &len))
    686. 

  686.             goto err;
    687. 

  687.         if (!ossl_cmp_asn1_octet_string_set1_bytes(&certStatus->certHash, hash,
    688. 

  688.                                                    len))
    689. 

  689.             goto err;
    690. 

  690.     } else {
    691. 

  691.         CMPerr(0, CMP_R_UNSUPPORTED_ALGORITHM);
    692. 

  692.         return 0;
    693. 

  693.     }
    694. 

  694. 

  695.     return 1;
    696. 

  696.  err:
    697. 

  697.     CMPerr(0, CMP_R_ERROR_SETTING_CERTHASH);
    698. 

  698.     return 0;
    699. 

  699. }
    700. 

  700. 

  701. /*
    702. 

  702.  * TODO: handle potential 2nd certificate when signing and encrypting
    703. 

  703.  * certificates have been requested/received
    704. 

  704.  */
    705. 

  705. OSSL_CMP_MSG *ossl_cmp_certConf_new(OSSL_CMP_CTX *ctx, int fail_info,
    706. 

  706.                                     const char *text)
    707. 

  707. {
    708. 

  708.     OSSL_CMP_MSG *msg = NULL;
    709. 

  709.     OSSL_CMP_CERTSTATUS *certStatus = NULL;
    710. 

  710.     OSSL_CMP_PKISI *sinfo;
    711. 

  711. 

  712.     if (!ossl_assert(ctx != NULL && ctx->newCert != NULL))
    713. 

  713.         return NULL;
    714. 

  714. 

  715.     if ((unsigned)fail_info > OSSL_CMP_PKIFAILUREINFO_MAX_BIT_PATTERN) {
    716. 

  716.         CMPerr(0, CMP_R_FAIL_INFO_OUT_OF_RANGE);
    717. 

  717.         return NULL;
    718. 

  718.     }
    719. 

  719. 

  720.     if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_CERTCONF)) == NULL)
    721. 

  721.         goto err;
    722. 

  722. 

  723.     if ((certStatus = OSSL_CMP_CERTSTATUS_new()) == NULL)
    724. 

  724.         goto err;
    725. 

  725.     /* consume certStatus into msg right away so it gets deallocated with msg */
    726. 

  726.     if (!sk_OSSL_CMP_CERTSTATUS_push(msg->body->value.certConf, certStatus))
    727. 

  727.         goto err;
    728. 

  728.     /* set the ID of the certReq */
    729. 

  729.     if (!ASN1_INTEGER_set(certStatus->certReqId, OSSL_CMP_CERTREQID))
    730. 

  730.         goto err;
    731. 

  731.     /*
    732. 

  732.      * the hash of the certificate, using the same hash algorithm
    733. 

  733.      * as is used to create and verify the certificate signature
    734. 

  734.      */
    735. 

  735.     if (!ossl_cmp_certstatus_set_certHash(certStatus, ctx->newCert))
    736. 

  736.         goto err;
    737. 

  737.     /*
    738. 

  738.      * For any particular CertStatus, omission of the statusInfo field
    739. 

  739.      * indicates ACCEPTANCE of the specified certificate.  Alternatively,
    740. 

  740.      * explicit status details (with respect to acceptance or rejection) MAY
    741. 

  741.      * be provided in the statusInfo field, perhaps for auditing purposes at
    742. 

  742.      * the CA/RA.
    743. 

  743.      */
    744. 

  744.     sinfo = fail_info != 0 ?
    745. 

  745.         ossl_cmp_statusinfo_new(OSSL_CMP_PKISTATUS_rejection, fail_info, text) :
    746. 

  746.         ossl_cmp_statusinfo_new(OSSL_CMP_PKISTATUS_accepted, 0, text);
    747. 

  747.     if (sinfo == NULL)
    748. 

  748.         goto err;
    749. 

  749.     certStatus->statusInfo = sinfo;
    750. 

  750. 

  751.     if (!ossl_cmp_msg_protect(ctx, msg))
    752. 

  752.         goto err;
    753. 

  753. 

  754.     return msg;
    755. 

  755. 

  756.  err:
    757. 

  757.     CMPerr(0, CMP_R_ERROR_CREATING_CERTCONF);
    758. 

  758.     OSSL_CMP_MSG_free(msg);
    759. 

  759.     return NULL;
    760. 

  760. }
    761. 

  761. 

  762. OSSL_CMP_MSG *ossl_cmp_pollReq_new(OSSL_CMP_CTX *ctx, int crid)
    763. 

  763. {
    764. 

  764.     OSSL_CMP_MSG *msg = NULL;
    765. 

  765.     OSSL_CMP_POLLREQ *preq = NULL;
    766. 

  766. 

  767.     if (!ossl_assert(ctx != NULL))
    768. 

  768.         return NULL;
    769. 

  769. 

  770.     if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_POLLREQ)) == NULL)
    771. 

  771.         goto err;
    772. 

  772. 

  773.     /* TODO: support multiple cert request IDs to poll */
    774. 

  774.     if ((preq = OSSL_CMP_POLLREQ_new()) == NULL
    775. 

  775.             || !ASN1_INTEGER_set(preq->certReqId, crid)
    776. 

  776.             || !sk_OSSL_CMP_POLLREQ_push(msg->body->value.pollReq, preq))
    777. 

  777.         goto err;
    778. 

  778. 

  779.     preq = NULL;
    780. 

  780.     if (!ossl_cmp_msg_protect(ctx, msg))
    781. 

  781.         goto err;
    782. 

  782. 

  783.     return msg;
    784. 

  784. 

  785.  err:
    786. 

  786.     CMPerr(0, CMP_R_ERROR_CREATING_POLLREQ);
    787. 

  787.     OSSL_CMP_POLLREQ_free(preq);
    788. 

  788.     OSSL_CMP_MSG_free(msg);
    789. 

  789.     return NULL;
    790. 

  790. }
    791. 

  791. 

  792. OSSL_CMP_MSG *ossl_cmp_pollRep_new(OSSL_CMP_CTX *ctx, int crid,
    793. 

  793.                                    int64_t poll_after)
    794. 

  794. {
    795. 

  795.     OSSL_CMP_MSG *msg;
    796. 

  796.     OSSL_CMP_POLLREP *prep;
    797. 

  797. 

  798.     if (!ossl_assert(ctx != NULL))
    799. 

  799.         return NULL;
    800. 

  800. 

  801.     if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_POLLREP)) == NULL)
    802. 

  802.         goto err;
    803. 

  803.     if ((prep = OSSL_CMP_POLLREP_new()) == NULL)
    804. 

  804.         goto err;
    805. 

  805.     if (!sk_OSSL_CMP_POLLREP_push(msg->body->value.pollRep, prep))
    806. 

  806.         goto err;
    807. 

  807.     if (!ASN1_INTEGER_set(prep->certReqId, crid))
    808. 

  808.         goto err;
    809. 

  809.     if (!ASN1_INTEGER_set_int64(prep->checkAfter, poll_after))
    810. 

  810.         goto err;
    811. 

  811. 

  812.     if (!ossl_cmp_msg_protect(ctx, msg))
    813. 

  813.         goto err;
    814. 

  814.     return msg;
    815. 

  815. 

  816.  err:
    817. 

  817.     CMPerr(0, CMP_R_ERROR_CREATING_POLLREP);
    818. 

  818.     OSSL_CMP_MSG_free(msg);
    819. 

  819.     return NULL;
    820. 

  820. }
    821. 

  821. 

  822. /*-
    823. 

  823.  * returns the status field of the RevRepContent with the given
    824. 

  824.  * request/sequence id inside a revocation response.
    825. 

  825.  * RevRepContent has the revocation statuses in same order as they were sent in
    826. 

  826.  * RevReqContent.
    827. 

  827.  * returns NULL on error
    828. 

  828.  */
    829. 

  829. OSSL_CMP_PKISI *
    830. 

  830. ossl_cmp_revrepcontent_get_pkistatusinfo(OSSL_CMP_REVREPCONTENT *rrep, int rsid)
    831. 

  831. {
    832. 

  832.     OSSL_CMP_PKISI *status;
    833. 

  833. 

  834.     if (!ossl_assert(rrep != NULL))
    835. 

  835.         return NULL;
    836. 

  836. 

  837.     if ((status = sk_OSSL_CMP_PKISI_value(rrep->status, rsid)) != NULL)
    838. 

  838.         return status;
    839. 

  839. 

  840.     CMPerr(0, CMP_R_PKISTATUSINFO_NOT_FOUND);
    841. 

  841.     return NULL;
    842. 

  842. }
    843. 

  843. 

  844. /*
    845. 

  845.  * returns the CertId field in the revCerts part of the RevRepContent
    846. 

  846.  * with the given request/sequence id inside a revocation response.
    847. 

  847.  * RevRepContent has the CertIds in same order as they were sent in
    848. 

  848.  * RevReqContent.
    849. 

  849.  * returns NULL on error
    850. 

  850.  */
    851. 

  851. OSSL_CRMF_CERTID *
    852. 

  852. ossl_cmp_revrepcontent_get_CertId(OSSL_CMP_REVREPCONTENT *rrep, int rsid)
    853. 

  853. {
    854. 

  854.     OSSL_CRMF_CERTID *cid = NULL;
    855. 

  855. 

  856.     if (!ossl_assert(rrep != NULL))
    857. 

  857.         return NULL;
    858. 

  858. 

  859.     if ((cid = sk_OSSL_CRMF_CERTID_value(rrep->revCerts, rsid)) != NULL)
    860. 

  860.         return cid;
    861. 

  861. 

  862.     CMPerr(0, CMP_R_CERTID_NOT_FOUND);
    863. 

  863.     return NULL;
    864. 

  864. }
    865. 

  865. 

  866. static int suitable_rid(const ASN1_INTEGER *certReqId, int rid)
    867. 

  867. {
    868. 

  868.     int trid;
    869. 

  869. 

  870.     if (rid == -1)
    871. 

  871.         return 1;
    872. 

  872. 

  873.     trid = ossl_cmp_asn1_get_int(certReqId);
    874. 

  874. 

  875.     if (trid == -1) {
    876. 

  876.         CMPerr(0, CMP_R_BAD_REQUEST_ID);
    877. 

  877.         return 0;
    878. 

  878.     }
    879. 

  879.     return rid == trid;
    880. 

  880. }
    881. 

  881. 

  882. static void add_expected_rid(int rid)
    883. 

  883. {
    884. 

  884.     char str[DECIMAL_SIZE(rid) + 1];
    885. 

  885. 

  886.     BIO_snprintf(str, sizeof(str), "%d", rid);
    887. 

  887.     ERR_add_error_data(2, "expected certReqId = ", str);
    888. 

  888. }
    889. 

  889. 

  890. /*
    891. 

  891.  * returns a pointer to the PollResponse with the given CertReqId
    892. 

  892.  * (or the first one in case -1) inside a PollRepContent
    893. 

  893.  * returns NULL on error or if no suitable PollResponse available
    894. 

  894.  */
    895. 

  895. OSSL_CMP_POLLREP *
    896. 

  896. ossl_cmp_pollrepcontent_get0_pollrep(const OSSL_CMP_POLLREPCONTENT *prc,
    897. 

  897.                                      int rid)
    898. 

  898. {
    899. 

  899.     OSSL_CMP_POLLREP *pollRep = NULL;
    900. 

  900.     int i;
    901. 

  901. 

  902.     if (!ossl_assert(prc != NULL))
    903. 

  903.         return NULL;
    904. 

  904. 

  905.     for (i = 0; i < sk_OSSL_CMP_POLLREP_num(prc); i++) {
    906. 

  906.         pollRep = sk_OSSL_CMP_POLLREP_value(prc, i);
    907. 

  907.         if (suitable_rid(pollRep->certReqId, rid))
    908. 

  908.             return pollRep;
    909. 

  909.     }
    910. 

  910. 

  911.     CMPerr(0, CMP_R_CERTRESPONSE_NOT_FOUND);
    912. 

  912.     add_expected_rid(rid);
    913. 

  913.     return NULL;
    914. 

  914. }
    915. 

  915. 

  916. /*
    917. 

  917.  * returns a pointer to the CertResponse with the given CertReqId
    918. 

  918.  * (or the first one in case -1) inside a CertRepMessage
    919. 

  919.  * returns NULL on error or if no suitable CertResponse available
    920. 

  920.  */
    921. 

  921. OSSL_CMP_CERTRESPONSE *
    922. 

  922. ossl_cmp_certrepmessage_get0_certresponse(const OSSL_CMP_CERTREPMESSAGE *crm,
    923. 

  923.                                           int rid)
    924. 

  924. {
    925. 

  925.     OSSL_CMP_CERTRESPONSE *crep = NULL;
    926. 

  926.     int i;
    927. 

  927. 

  928.     if (!ossl_assert(crm != NULL && crm->response != NULL))
    929. 

  929.         return NULL;
    930. 

  930. 

  931.     for (i = 0; i < sk_OSSL_CMP_CERTRESPONSE_num(crm->response); i++) {
    932. 

  932.         crep = sk_OSSL_CMP_CERTRESPONSE_value(crm->response, i);
    933. 

  933.         if (suitable_rid(crep->certReqId, rid))
    934. 

  934.             return crep;
    935. 

  935.     }
    936. 

  936. 

  937.     CMPerr(0, CMP_R_CERTRESPONSE_NOT_FOUND);
    938. 

  938.     add_expected_rid(rid);
    939. 

  939.     return NULL;
    940. 

  940. }
    941. 

  941. 

  942. /*
    943. 

  943.  * CMP_CERTRESPONSE_get1_certificate() attempts to retrieve the returned
    944. 

  944.  * certificate from the given certResponse B<crep>.
    945. 

  945.  * Uses the privkey in case of indirect POP from B<ctx>.
    946. 

  946.  * Returns a pointer to a copy of the found certificate, or NULL if not found.
    947. 

  947.  */
    948. 

  948. X509 *ossl_cmp_certresponse_get1_certificate(EVP_PKEY *privkey,
    949. 

  949.                                              const OSSL_CMP_CERTRESPONSE *crep)
    950. 

  950. {
    951. 

  951.     OSSL_CMP_CERTORENCCERT *coec;
    952. 

  952.     X509 *crt = NULL;
    953. 

  953. 

  954.     if (!ossl_assert(crep != NULL))
    955. 

  955.         return NULL;
    956. 

  956. 

  957.     if (crep->certifiedKeyPair
    958. 

  958.             && (coec = crep->certifiedKeyPair->certOrEncCert) != NULL) {
    959. 

  959.         switch (coec->type) {
    960. 

  960.         case OSSL_CMP_CERTORENCCERT_CERTIFICATE:
    961. 

  961.             crt = X509_dup(coec->value.certificate);
    962. 

  962.             break;
    963. 

  963.         case OSSL_CMP_CERTORENCCERT_ENCRYPTEDCERT:
    964. 

  964.             /* cert encrypted for indirect PoP; RFC 4210, 5.2.8.2 */
    965. 

  965.             if (privkey == NULL) {
    966. 

  966.                 CMPerr(0, CMP_R_MISSING_PRIVATE_KEY);
    967. 

  967.                 return NULL;
    968. 

  968.             }
    969. 

  969.             crt =
    970. 

  970.                 OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(coec->value.encryptedCert,
    971. 

  971.                                                       privkey);
    972. 

  972.             break;
    973. 

  973.         default:
    974. 

  974.             CMPerr(0, CMP_R_UNKNOWN_CERT_TYPE);
    975. 

  975.             return NULL;
    976. 

  976.         }
    977. 

  977.     }
    978. 

  978.     if (crt == NULL)
    979. 

  979.         CMPerr(0, CMP_R_CERTIFICATE_NOT_FOUND);
    980. 

  980.     return crt;
    981. 

  981. }
    982. 

  982. 

  983. OSSL_CMP_MSG *ossl_cmp_msg_load(const char *file)
    984. 

  984. {
    985. 

  985.     OSSL_CMP_MSG *msg = NULL;
    986. 

  986.     BIO *bio = NULL;
    987. 

  987. 

  988.     if (!ossl_assert(file != NULL))
    989. 

  989.         return NULL;
    990. 

  990. 

  991.     if ((bio = BIO_new_file(file, "rb")) == NULL)
    992. 

  992.         return NULL;
    993. 

  993.     msg = OSSL_d2i_CMP_MSG_bio(bio, NULL);
    994. 

  994.     BIO_free(bio);
    995. 

  995.     return msg;
    996. 

  996. }
    997.