cmp_status.c 11 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310
  1. /*
  2. * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
  3. * Copyright Nokia 2007-2019
  4. * Copyright Siemens AG 2015-2019
  5. *
  6. * Licensed under the Apache License 2.0 (the "License"). You may not use
  7. * this file except in compliance with the License. You can obtain a copy
  8. * in the file LICENSE in the source distribution or at
  9. * https://www.openssl.org/source/license.html
  10. */
  11. /* CMP functions for PKIStatusInfo handling and PKIMessage decomposition */
  12. #include <string.h>
  13. #include "cmp_local.h"
  14. /* explicit #includes not strictly needed since implied by the above: */
  15. #include <time.h>
  16. #include <openssl/cmp.h>
  17. #include <openssl/crmf.h>
  18. #include <openssl/err.h> /* needed in case config no-deprecated */
  19. #include <openssl/engine.h>
  20. #include <openssl/evp.h>
  21. #include <openssl/objects.h>
  22. #include <openssl/x509.h>
  23. #include <openssl/asn1err.h> /* for ASN1_R_TOO_SMALL and ASN1_R_TOO_LARGE */
  24. /* CMP functions related to PKIStatus */
  25. int ossl_cmp_pkisi_get_status(const OSSL_CMP_PKISI *si)
  26. {
  27. if (!ossl_assert(si != NULL && si->status != NULL))
  28. return -1;
  29. return ossl_cmp_asn1_get_int(si->status);
  30. }
  31. const char *ossl_cmp_PKIStatus_to_string(int status)
  32. {
  33. switch (status) {
  34. case OSSL_CMP_PKISTATUS_accepted:
  35. return "PKIStatus: accepted";
  36. case OSSL_CMP_PKISTATUS_grantedWithMods:
  37. return "PKIStatus: granted with modifications";
  38. case OSSL_CMP_PKISTATUS_rejection:
  39. return "PKIStatus: rejection";
  40. case OSSL_CMP_PKISTATUS_waiting:
  41. return "PKIStatus: waiting";
  42. case OSSL_CMP_PKISTATUS_revocationWarning:
  43. return "PKIStatus: revocation warning - a revocation of the cert is imminent";
  44. case OSSL_CMP_PKISTATUS_revocationNotification:
  45. return "PKIStatus: revocation notification - a revocation of the cert has occurred";
  46. case OSSL_CMP_PKISTATUS_keyUpdateWarning:
  47. return "PKIStatus: key update warning - update already done for the cert";
  48. default:
  49. ERR_raise_data(ERR_LIB_CMP, CMP_R_ERROR_PARSING_PKISTATUS,
  50. "PKIStatus: invalid=%d", status);
  51. return NULL;
  52. }
  53. }
  54. OSSL_CMP_PKIFREETEXT *ossl_cmp_pkisi_get0_statusString(const OSSL_CMP_PKISI *si)
  55. {
  56. if (!ossl_assert(si != NULL))
  57. return NULL;
  58. return si->statusString;
  59. }
  60. int ossl_cmp_pkisi_get_pkifailureinfo(const OSSL_CMP_PKISI *si)
  61. {
  62. int i;
  63. int res = 0;
  64. if (!ossl_assert(si != NULL))
  65. return -1;
  66. for (i = 0; i <= OSSL_CMP_PKIFAILUREINFO_MAX; i++)
  67. if (ASN1_BIT_STRING_get_bit(si->failInfo, i))
  68. res |= 1 << i;
  69. return res;
  70. }
  71. /*-
  72. * convert PKIFailureInfo number to human-readable string
  73. * returns pointer to static string, or NULL on error
  74. */
  75. static const char *CMP_PKIFAILUREINFO_to_string(int number)
  76. {
  77. switch (number) {
  78. case OSSL_CMP_PKIFAILUREINFO_badAlg:
  79. return "badAlg";
  80. case OSSL_CMP_PKIFAILUREINFO_badMessageCheck:
  81. return "badMessageCheck";
  82. case OSSL_CMP_PKIFAILUREINFO_badRequest:
  83. return "badRequest";
  84. case OSSL_CMP_PKIFAILUREINFO_badTime:
  85. return "badTime";
  86. case OSSL_CMP_PKIFAILUREINFO_badCertId:
  87. return "badCertId";
  88. case OSSL_CMP_PKIFAILUREINFO_badDataFormat:
  89. return "badDataFormat";
  90. case OSSL_CMP_PKIFAILUREINFO_wrongAuthority:
  91. return "wrongAuthority";
  92. case OSSL_CMP_PKIFAILUREINFO_incorrectData:
  93. return "incorrectData";
  94. case OSSL_CMP_PKIFAILUREINFO_missingTimeStamp:
  95. return "missingTimeStamp";
  96. case OSSL_CMP_PKIFAILUREINFO_badPOP:
  97. return "badPOP";
  98. case OSSL_CMP_PKIFAILUREINFO_certRevoked:
  99. return "certRevoked";
  100. case OSSL_CMP_PKIFAILUREINFO_certConfirmed:
  101. return "certConfirmed";
  102. case OSSL_CMP_PKIFAILUREINFO_wrongIntegrity:
  103. return "wrongIntegrity";
  104. case OSSL_CMP_PKIFAILUREINFO_badRecipientNonce:
  105. return "badRecipientNonce";
  106. case OSSL_CMP_PKIFAILUREINFO_timeNotAvailable:
  107. return "timeNotAvailable";
  108. case OSSL_CMP_PKIFAILUREINFO_unacceptedPolicy:
  109. return "unacceptedPolicy";
  110. case OSSL_CMP_PKIFAILUREINFO_unacceptedExtension:
  111. return "unacceptedExtension";
  112. case OSSL_CMP_PKIFAILUREINFO_addInfoNotAvailable:
  113. return "addInfoNotAvailable";
  114. case OSSL_CMP_PKIFAILUREINFO_badSenderNonce:
  115. return "badSenderNonce";
  116. case OSSL_CMP_PKIFAILUREINFO_badCertTemplate:
  117. return "badCertTemplate";
  118. case OSSL_CMP_PKIFAILUREINFO_signerNotTrusted:
  119. return "signerNotTrusted";
  120. case OSSL_CMP_PKIFAILUREINFO_transactionIdInUse:
  121. return "transactionIdInUse";
  122. case OSSL_CMP_PKIFAILUREINFO_unsupportedVersion:
  123. return "unsupportedVersion";
  124. case OSSL_CMP_PKIFAILUREINFO_notAuthorized:
  125. return "notAuthorized";
  126. case OSSL_CMP_PKIFAILUREINFO_systemUnavail:
  127. return "systemUnavail";
  128. case OSSL_CMP_PKIFAILUREINFO_systemFailure:
  129. return "systemFailure";
  130. case OSSL_CMP_PKIFAILUREINFO_duplicateCertReq:
  131. return "duplicateCertReq";
  132. default:
  133. return NULL; /* illegal failure number */
  134. }
  135. }
  136. int ossl_cmp_pkisi_check_pkifailureinfo(const OSSL_CMP_PKISI *si, int bit_index)
  137. {
  138. if (!ossl_assert(si != NULL && si->failInfo != NULL))
  139. return -1;
  140. if (bit_index < 0 || bit_index > OSSL_CMP_PKIFAILUREINFO_MAX) {
  141. ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS);
  142. return -1;
  143. }
  144. return ASN1_BIT_STRING_get_bit(si->failInfo, bit_index);
  145. }
  146. /*-
  147. * place human-readable error string created from PKIStatusInfo in given buffer
  148. * returns pointer to the same buffer containing the string, or NULL on error
  149. */
  150. static
  151. char *snprint_PKIStatusInfo_parts(int status, int fail_info,
  152. const OSSL_CMP_PKIFREETEXT *status_strings,
  153. char *buf, size_t bufsize)
  154. {
  155. int failure;
  156. const char *status_string, *failure_string;
  157. ASN1_UTF8STRING *text;
  158. int i;
  159. int printed_chars;
  160. int failinfo_found = 0;
  161. int n_status_strings;
  162. char *write_ptr = buf;
  163. if (buf == NULL
  164. || status < 0
  165. || (status_string = ossl_cmp_PKIStatus_to_string(status)) == NULL)
  166. return NULL;
  167. #define ADVANCE_BUFFER \
  168. if (printed_chars < 0 || (size_t)printed_chars >= bufsize) \
  169. return NULL; \
  170. write_ptr += printed_chars; \
  171. bufsize -= printed_chars;
  172. printed_chars = BIO_snprintf(write_ptr, bufsize, "%s", status_string);
  173. ADVANCE_BUFFER;
  174. /* failInfo is optional and may be empty */
  175. if (fail_info != 0) {
  176. printed_chars = BIO_snprintf(write_ptr, bufsize, "; PKIFailureInfo: ");
  177. ADVANCE_BUFFER;
  178. for (failure = 0; failure <= OSSL_CMP_PKIFAILUREINFO_MAX; failure++) {
  179. if ((fail_info & (1 << failure)) != 0) {
  180. failure_string = CMP_PKIFAILUREINFO_to_string(failure);
  181. if (failure_string != NULL) {
  182. printed_chars = BIO_snprintf(write_ptr, bufsize, "%s%s",
  183. failinfo_found ? ", " : "",
  184. failure_string);
  185. ADVANCE_BUFFER;
  186. failinfo_found = 1;
  187. }
  188. }
  189. }
  190. }
  191. if (!failinfo_found && status != OSSL_CMP_PKISTATUS_accepted
  192. && status != OSSL_CMP_PKISTATUS_grantedWithMods) {
  193. printed_chars = BIO_snprintf(write_ptr, bufsize, "; <no failure info>");
  194. ADVANCE_BUFFER;
  195. }
  196. /* statusString sequence is optional and may be empty */
  197. n_status_strings = sk_ASN1_UTF8STRING_num(status_strings);
  198. if (n_status_strings > 0) {
  199. printed_chars = BIO_snprintf(write_ptr, bufsize, "; StatusString%s: ",
  200. n_status_strings > 1 ? "s" : "");
  201. ADVANCE_BUFFER;
  202. for (i = 0; i < n_status_strings; i++) {
  203. text = sk_ASN1_UTF8STRING_value(status_strings, i);
  204. printed_chars = BIO_snprintf(write_ptr, bufsize, "\"%.*s\"%s",
  205. ASN1_STRING_length(text),
  206. ASN1_STRING_get0_data(text),
  207. i < n_status_strings - 1 ? ", " : "");
  208. ADVANCE_BUFFER;
  209. }
  210. }
  211. #undef ADVANCE_BUFFER
  212. return buf;
  213. }
  214. char *OSSL_CMP_snprint_PKIStatusInfo(const OSSL_CMP_PKISI *statusInfo,
  215. char *buf, size_t bufsize)
  216. {
  217. int failure_info;
  218. if (statusInfo == NULL) {
  219. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  220. return NULL;
  221. }
  222. failure_info = ossl_cmp_pkisi_get_pkifailureinfo(statusInfo);
  223. return snprint_PKIStatusInfo_parts(ASN1_INTEGER_get(statusInfo->status),
  224. failure_info,
  225. statusInfo->statusString, buf, bufsize);
  226. }
  227. char *OSSL_CMP_CTX_snprint_PKIStatus(const OSSL_CMP_CTX *ctx, char *buf,
  228. size_t bufsize)
  229. {
  230. if (ctx == NULL) {
  231. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  232. return NULL;
  233. }
  234. return snprint_PKIStatusInfo_parts(OSSL_CMP_CTX_get_status(ctx),
  235. OSSL_CMP_CTX_get_failInfoCode(ctx),
  236. OSSL_CMP_CTX_get0_statusString(ctx),
  237. buf, bufsize);
  238. }
  239. /*-
  240. * Creates a new PKIStatusInfo structure and fills it in
  241. * returns a pointer to the structure on success, NULL on error
  242. * note: strongly overlaps with TS_RESP_CTX_set_status_info()
  243. * and TS_RESP_CTX_add_failure_info() in ../ts/ts_rsp_sign.c
  244. */
  245. OSSL_CMP_PKISI *OSSL_CMP_STATUSINFO_new(int status, int fail_info,
  246. const char *text)
  247. {
  248. OSSL_CMP_PKISI *si = OSSL_CMP_PKISI_new();
  249. ASN1_UTF8STRING *utf8_text = NULL;
  250. int failure;
  251. if (si == NULL)
  252. goto err;
  253. if (!ASN1_INTEGER_set(si->status, status))
  254. goto err;
  255. if (text != NULL) {
  256. if ((utf8_text = ASN1_UTF8STRING_new()) == NULL
  257. || !ASN1_STRING_set(utf8_text, text, -1))
  258. goto err;
  259. if ((si->statusString = sk_ASN1_UTF8STRING_new_null()) == NULL)
  260. goto err;
  261. if (!sk_ASN1_UTF8STRING_push(si->statusString, utf8_text))
  262. goto err;
  263. /* Ownership is lost. */
  264. utf8_text = NULL;
  265. }
  266. for (failure = 0; failure <= OSSL_CMP_PKIFAILUREINFO_MAX; failure++) {
  267. if ((fail_info & (1 << failure)) != 0) {
  268. if (si->failInfo == NULL
  269. && (si->failInfo = ASN1_BIT_STRING_new()) == NULL)
  270. goto err;
  271. if (!ASN1_BIT_STRING_set_bit(si->failInfo, failure, 1))
  272. goto err;
  273. }
  274. }
  275. return si;
  276. err:
  277. OSSL_CMP_PKISI_free(si);
  278. ASN1_UTF8STRING_free(utf8_text);
  279. return NULL;
  280. }