2
0

cmp.c 105 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683168416851686168716881689169016911692169316941695169616971698169917001701170217031704170517061707170817091710171117121713171417151716171717181719172017211722172317241725172617271728172917301731173217331734173517361737173817391740174117421743174417451746174717481749175017511752175317541755175617571758175917601761176217631764176517661767176817691770177117721773177417751776177717781779178017811782178317841785178617871788178917901791179217931794179517961797179817991800180118021803180418051806180718081809181018111812181318141815181618171818181918201821182218231824182518261827182818291830183118321833183418351836183718381839184018411842184318441845184618471848184918501851185218531854185518561857185818591860186118621863186418651866186718681869187018711872187318741875187618771878187918801881188218831884188518861887188818891890189118921893189418951896189718981899190019011902190319041905190619071908190919101911191219131914191519161917191819191920192119221923192419251926192719281929193019311932193319341935193619371938193919401941194219431944194519461947194819491950195119521953195419551956195719581959196019611962196319641965196619671968196919701971197219731974197519761977197819791980198119821983198419851986198719881989199019911992199319941995199619971998199920002001200220032004200520062007200820092010201120122013201420152016201720182019202020212022202320242025202620272028202920302031203220332034203520362037203820392040204120422043204420452046204720482049205020512052205320542055205620572058205920602061206220632064206520662067206820692070207120722073207420752076207720782079208020812082208320842085208620872088208920902091209220932094209520962097209820992100210121022103210421052106210721082109211021112112211321142115211621172118211921202121212221232124212521262127212821292130213121322133213421352136213721382139214021412142214321442145214621472148214921502151215221532154215521562157215821592160216121622163216421652166216721682169217021712172217321742175217621772178217921802181218221832184218521862187218821892190219121922193219421952196219721982199220022012202220322042205220622072208220922102211221222132214221522162217221822192220222122222223222422252226222722282229223022312232223322342235223622372238223922402241224222432244224522462247224822492250225122522253225422552256225722582259226022612262226322642265226622672268226922702271227222732274227522762277227822792280228122822283228422852286228722882289229022912292229322942295229622972298229923002301230223032304230523062307230823092310231123122313231423152316231723182319232023212322232323242325232623272328232923302331233223332334233523362337233823392340234123422343234423452346234723482349235023512352235323542355235623572358235923602361236223632364236523662367236823692370237123722373237423752376237723782379238023812382238323842385238623872388238923902391239223932394239523962397239823992400240124022403240424052406240724082409241024112412241324142415241624172418241924202421242224232424242524262427242824292430243124322433243424352436243724382439244024412442244324442445244624472448244924502451245224532454245524562457245824592460246124622463246424652466246724682469247024712472247324742475247624772478247924802481248224832484248524862487248824892490249124922493249424952496249724982499250025012502250325042505250625072508250925102511251225132514251525162517251825192520252125222523252425252526252725282529253025312532253325342535253625372538253925402541254225432544254525462547254825492550255125522553255425552556255725582559256025612562256325642565256625672568256925702571257225732574257525762577257825792580258125822583258425852586258725882589259025912592259325942595259625972598259926002601260226032604260526062607260826092610261126122613261426152616261726182619262026212622262326242625262626272628262926302631263226332634263526362637263826392640264126422643264426452646264726482649265026512652265326542655265626572658265926602661266226632664266526662667266826692670267126722673267426752676267726782679268026812682268326842685268626872688268926902691269226932694269526962697269826992700270127022703270427052706270727082709271027112712271327142715271627172718271927202721272227232724272527262727272827292730273127322733273427352736273727382739274027412742274327442745274627472748274927502751275227532754275527562757275827592760276127622763276427652766276727682769277027712772277327742775277627772778277927802781278227832784278527862787278827892790279127922793279427952796279727982799280028012802280328042805280628072808280928102811281228132814281528162817281828192820282128222823282428252826282728282829283028312832283328342835283628372838283928402841284228432844284528462847284828492850285128522853285428552856285728582859286028612862286328642865286628672868286928702871287228732874287528762877287828792880288128822883288428852886288728882889289028912892289328942895289628972898289929002901290229032904290529062907290829092910291129122913291429152916291729182919292029212922292329242925292629272928292929302931293229332934293529362937293829392940294129422943294429452946294729482949295029512952295329542955295629572958295929602961296229632964296529662967296829692970297129722973297429752976297729782979298029812982298329842985298629872988298929902991299229932994299529962997299829993000300130023003300430053006300730083009301030113012301330143015301630173018301930203021302230233024302530263027302830293030303130323033303430353036303730383039304030413042304330443045304630473048304930503051305230533054305530563057305830593060306130623063306430653066306730683069307030713072307330743075307630773078307930803081308230833084
  1. /*
  2. * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
  3. * Copyright Nokia 2007-2019
  4. * Copyright Siemens AG 2015-2019
  5. *
  6. * Licensed under the Apache License 2.0 (the "License"). You may not use
  7. * this file except in compliance with the License. You can obtain a copy
  8. * in the file LICENSE in the source distribution or at
  9. * https://www.openssl.org/source/license.html
  10. */
  11. /* This app is disabled when OPENSSL_NO_CMP is defined. */
  12. #include <string.h>
  13. #include <ctype.h>
  14. #include "apps.h"
  15. #include "http_server.h"
  16. #include "s_apps.h"
  17. #include "progs.h"
  18. #include "cmp_mock_srv.h"
  19. /* tweaks needed due to missing unistd.h on Windows */
  20. #if defined(_WIN32) && !defined(__BORLANDC__)
  21. # define access _access
  22. #endif
  23. #ifndef F_OK
  24. # define F_OK 0
  25. #endif
  26. #include <openssl/ui.h>
  27. #include <openssl/pkcs12.h>
  28. #include <openssl/ssl.h>
  29. /* explicit #includes not strictly needed since implied by the above: */
  30. #include <stdlib.h>
  31. #include <openssl/cmp.h>
  32. #include <openssl/cmp_util.h>
  33. #include <openssl/crmf.h>
  34. #include <openssl/crypto.h>
  35. #include <openssl/err.h>
  36. #include <openssl/store.h>
  37. #include <openssl/objects.h>
  38. #include <openssl/x509.h>
  39. static char *prog;
  40. static char *opt_config = NULL;
  41. #define CMP_SECTION "cmp"
  42. #define SECTION_NAME_MAX 40 /* max length of section name */
  43. #define DEFAULT_SECTION "default"
  44. static char *opt_section = CMP_SECTION;
  45. static int opt_verbosity = OSSL_CMP_LOG_INFO;
  46. static int read_config(void);
  47. static CONF *conf = NULL; /* OpenSSL config file context structure */
  48. static OSSL_CMP_CTX *cmp_ctx = NULL; /* the client-side CMP context */
  49. /* the type of cmp command we want to send */
  50. typedef enum {
  51. CMP_IR,
  52. CMP_KUR,
  53. CMP_CR,
  54. CMP_P10CR,
  55. CMP_RR,
  56. CMP_GENM
  57. } cmp_cmd_t;
  58. /* message transfer */
  59. #ifndef OPENSSL_NO_SOCK
  60. static char *opt_server = NULL;
  61. static char *opt_proxy = NULL;
  62. static char *opt_no_proxy = NULL;
  63. #endif
  64. static char *opt_recipient = NULL;
  65. static char *opt_path = NULL;
  66. static int opt_keep_alive = 1;
  67. static int opt_msg_timeout = -1;
  68. static int opt_total_timeout = -1;
  69. /* server authentication */
  70. static char *opt_trusted = NULL;
  71. static char *opt_untrusted = NULL;
  72. static char *opt_srvcert = NULL;
  73. static char *opt_expect_sender = NULL;
  74. static int opt_ignore_keyusage = 0;
  75. static int opt_unprotected_errors = 0;
  76. static char *opt_extracertsout = NULL;
  77. static char *opt_cacertsout = NULL;
  78. /* client authentication */
  79. static char *opt_ref = NULL;
  80. static char *opt_secret = NULL;
  81. static char *opt_cert = NULL;
  82. static char *opt_own_trusted = NULL;
  83. static char *opt_key = NULL;
  84. static char *opt_keypass = NULL;
  85. static char *opt_digest = NULL;
  86. static char *opt_mac = NULL;
  87. static char *opt_extracerts = NULL;
  88. static int opt_unprotected_requests = 0;
  89. /* generic message */
  90. static char *opt_cmd_s = NULL;
  91. static int opt_cmd = -1;
  92. static char *opt_geninfo = NULL;
  93. static char *opt_infotype_s = NULL;
  94. static int opt_infotype = NID_undef;
  95. /* certificate enrollment */
  96. static char *opt_newkey = NULL;
  97. static char *opt_newkeypass = NULL;
  98. static char *opt_subject = NULL;
  99. static char *opt_issuer = NULL;
  100. static int opt_days = 0;
  101. static char *opt_reqexts = NULL;
  102. static char *opt_sans = NULL;
  103. static int opt_san_nodefault = 0;
  104. static char *opt_policies = NULL;
  105. static char *opt_policy_oids = NULL;
  106. static int opt_policy_oids_critical = 0;
  107. static int opt_popo = OSSL_CRMF_POPO_NONE - 1;
  108. static char *opt_csr = NULL;
  109. static char *opt_out_trusted = NULL;
  110. static int opt_implicit_confirm = 0;
  111. static int opt_disable_confirm = 0;
  112. static char *opt_certout = NULL;
  113. static char *opt_chainout = NULL;
  114. /* certificate enrollment and revocation */
  115. static char *opt_oldcert = NULL;
  116. static int opt_revreason = CRL_REASON_NONE;
  117. /* credentials format */
  118. static char *opt_certform_s = "PEM";
  119. static int opt_certform = FORMAT_PEM;
  120. static char *opt_keyform_s = NULL;
  121. static int opt_keyform = FORMAT_UNDEF;
  122. static char *opt_otherpass = NULL;
  123. static char *opt_engine = NULL;
  124. #ifndef OPENSSL_NO_SOCK
  125. /* TLS connection */
  126. static int opt_tls_used = 0;
  127. static char *opt_tls_cert = NULL;
  128. static char *opt_tls_key = NULL;
  129. static char *opt_tls_keypass = NULL;
  130. static char *opt_tls_extra = NULL;
  131. static char *opt_tls_trusted = NULL;
  132. static char *opt_tls_host = NULL;
  133. #endif
  134. /* client-side debugging */
  135. static int opt_batch = 0;
  136. static int opt_repeat = 1;
  137. static char *opt_reqin = NULL;
  138. static int opt_reqin_new_tid = 0;
  139. static char *opt_reqout = NULL;
  140. static char *opt_rspin = NULL;
  141. static int rspin_in_use = 0;
  142. static char *opt_rspout = NULL;
  143. static int opt_use_mock_srv = 0;
  144. /* mock server */
  145. #ifndef OPENSSL_NO_SOCK
  146. static char *opt_port = NULL;
  147. static int opt_max_msgs = 0;
  148. #endif
  149. static char *opt_srv_ref = NULL;
  150. static char *opt_srv_secret = NULL;
  151. static char *opt_srv_cert = NULL;
  152. static char *opt_srv_key = NULL;
  153. static char *opt_srv_keypass = NULL;
  154. static char *opt_srv_trusted = NULL;
  155. static char *opt_srv_untrusted = NULL;
  156. static char *opt_rsp_cert = NULL;
  157. static char *opt_rsp_extracerts = NULL;
  158. static char *opt_rsp_capubs = NULL;
  159. static int opt_poll_count = 0;
  160. static int opt_check_after = 1;
  161. static int opt_grant_implicitconf = 0;
  162. static int opt_pkistatus = OSSL_CMP_PKISTATUS_accepted;
  163. static int opt_failure = INT_MIN;
  164. static int opt_failurebits = 0;
  165. static char *opt_statusstring = NULL;
  166. static int opt_send_error = 0;
  167. static int opt_send_unprotected = 0;
  168. static int opt_send_unprot_err = 0;
  169. static int opt_accept_unprotected = 0;
  170. static int opt_accept_unprot_err = 0;
  171. static int opt_accept_raverified = 0;
  172. static X509_VERIFY_PARAM *vpm = NULL;
  173. typedef enum OPTION_choice {
  174. OPT_COMMON,
  175. OPT_CONFIG, OPT_SECTION, OPT_VERBOSITY,
  176. OPT_CMD, OPT_INFOTYPE, OPT_GENINFO,
  177. OPT_NEWKEY, OPT_NEWKEYPASS, OPT_SUBJECT, OPT_ISSUER,
  178. OPT_DAYS, OPT_REQEXTS,
  179. OPT_SANS, OPT_SAN_NODEFAULT,
  180. OPT_POLICIES, OPT_POLICY_OIDS, OPT_POLICY_OIDS_CRITICAL,
  181. OPT_POPO, OPT_CSR,
  182. OPT_OUT_TRUSTED, OPT_IMPLICIT_CONFIRM, OPT_DISABLE_CONFIRM,
  183. OPT_CERTOUT, OPT_CHAINOUT,
  184. OPT_OLDCERT, OPT_REVREASON,
  185. #ifndef OPENSSL_NO_SOCK
  186. OPT_SERVER, OPT_PROXY, OPT_NO_PROXY,
  187. #endif
  188. OPT_RECIPIENT, OPT_PATH,
  189. OPT_KEEP_ALIVE, OPT_MSG_TIMEOUT, OPT_TOTAL_TIMEOUT,
  190. OPT_TRUSTED, OPT_UNTRUSTED, OPT_SRVCERT,
  191. OPT_EXPECT_SENDER,
  192. OPT_IGNORE_KEYUSAGE, OPT_UNPROTECTED_ERRORS,
  193. OPT_EXTRACERTSOUT, OPT_CACERTSOUT,
  194. OPT_REF, OPT_SECRET, OPT_CERT, OPT_OWN_TRUSTED, OPT_KEY, OPT_KEYPASS,
  195. OPT_DIGEST, OPT_MAC, OPT_EXTRACERTS,
  196. OPT_UNPROTECTED_REQUESTS,
  197. OPT_CERTFORM, OPT_KEYFORM,
  198. OPT_OTHERPASS,
  199. #ifndef OPENSSL_NO_ENGINE
  200. OPT_ENGINE,
  201. #endif
  202. OPT_PROV_ENUM,
  203. OPT_R_ENUM,
  204. #ifndef OPENSSL_NO_SOCK
  205. OPT_TLS_USED, OPT_TLS_CERT, OPT_TLS_KEY,
  206. OPT_TLS_KEYPASS,
  207. OPT_TLS_EXTRA, OPT_TLS_TRUSTED, OPT_TLS_HOST,
  208. #endif
  209. OPT_BATCH, OPT_REPEAT,
  210. OPT_REQIN, OPT_REQIN_NEW_TID, OPT_REQOUT, OPT_RSPIN, OPT_RSPOUT,
  211. OPT_USE_MOCK_SRV,
  212. #ifndef OPENSSL_NO_SOCK
  213. OPT_PORT, OPT_MAX_MSGS,
  214. #endif
  215. OPT_SRV_REF, OPT_SRV_SECRET,
  216. OPT_SRV_CERT, OPT_SRV_KEY, OPT_SRV_KEYPASS,
  217. OPT_SRV_TRUSTED, OPT_SRV_UNTRUSTED,
  218. OPT_RSP_CERT, OPT_RSP_EXTRACERTS, OPT_RSP_CAPUBS,
  219. OPT_POLL_COUNT, OPT_CHECK_AFTER,
  220. OPT_GRANT_IMPLICITCONF,
  221. OPT_PKISTATUS, OPT_FAILURE,
  222. OPT_FAILUREBITS, OPT_STATUSSTRING,
  223. OPT_SEND_ERROR, OPT_SEND_UNPROTECTED,
  224. OPT_SEND_UNPROT_ERR, OPT_ACCEPT_UNPROTECTED,
  225. OPT_ACCEPT_UNPROT_ERR, OPT_ACCEPT_RAVERIFIED,
  226. OPT_V_ENUM
  227. } OPTION_CHOICE;
  228. const OPTIONS cmp_options[] = {
  229. /* entries must be in the same order as enumerated above!! */
  230. {"help", OPT_HELP, '-', "Display this summary"},
  231. {"config", OPT_CONFIG, 's',
  232. "Configuration file to use. \"\" = none. Default from env variable OPENSSL_CONF"},
  233. {"section", OPT_SECTION, 's',
  234. "Section(s) in config file to get options from. \"\" = 'default'. Default 'cmp'"},
  235. {"verbosity", OPT_VERBOSITY, 'N',
  236. "Log level; 3=ERR, 4=WARN, 6=INFO, 7=DEBUG, 8=TRACE. Default 6 = INFO"},
  237. OPT_SECTION("Generic message"),
  238. {"cmd", OPT_CMD, 's', "CMP request to send: ir/cr/kur/p10cr/rr/genm"},
  239. {"infotype", OPT_INFOTYPE, 's',
  240. "InfoType name for requesting specific info in genm, e.g. 'signKeyPairTypes'"},
  241. {"geninfo", OPT_GENINFO, 's',
  242. "generalInfo integer values to place in request PKIHeader with given OID"},
  243. {OPT_MORE_STR, 0, 0,
  244. "specified in the form <OID>:int:<n>, e.g. \"1.2.3.4:int:56789\""},
  245. OPT_SECTION("Certificate enrollment"),
  246. {"newkey", OPT_NEWKEY, 's',
  247. "Private or public key for the requested cert. Default: CSR key or client key"},
  248. {"newkeypass", OPT_NEWKEYPASS, 's', "New private key pass phrase source"},
  249. {"subject", OPT_SUBJECT, 's',
  250. "Distinguished Name (DN) of subject to use in the requested cert template"},
  251. {OPT_MORE_STR, 0, 0,
  252. "For kur, default is subject of -csr arg or reference cert (see -oldcert)"},
  253. {OPT_MORE_STR, 0, 0,
  254. "this default is used for ir and cr only if no Subject Alt Names are set"},
  255. {"issuer", OPT_ISSUER, 's',
  256. "DN of the issuer to place in the requested certificate template"},
  257. {OPT_MORE_STR, 0, 0,
  258. "also used as recipient if neither -recipient nor -srvcert are given"},
  259. {"days", OPT_DAYS, 'N',
  260. "Requested validity time of the new certificate in number of days"},
  261. {"reqexts", OPT_REQEXTS, 's',
  262. "Name of config file section defining certificate request extensions."},
  263. {OPT_MORE_STR, 0, 0,
  264. "Augments or replaces any extensions contained CSR given with -csr"},
  265. {"sans", OPT_SANS, 's',
  266. "Subject Alt Names (IPADDR/DNS/URI) to add as (critical) cert req extension"},
  267. {"san_nodefault", OPT_SAN_NODEFAULT, '-',
  268. "Do not take default SANs from reference certificate (see -oldcert)"},
  269. {"policies", OPT_POLICIES, 's',
  270. "Name of config file section defining policies certificate request extension"},
  271. {"policy_oids", OPT_POLICY_OIDS, 's',
  272. "Policy OID(s) to add as policies certificate request extension"},
  273. {"policy_oids_critical", OPT_POLICY_OIDS_CRITICAL, '-',
  274. "Flag the policy OID(s) given with -policy_oids as critical"},
  275. {"popo", OPT_POPO, 'n',
  276. "Proof-of-Possession (POPO) method to use for ir/cr/kur where"},
  277. {OPT_MORE_STR, 0, 0,
  278. "-1 = NONE, 0 = RAVERIFIED, 1 = SIGNATURE (default), 2 = KEYENC"},
  279. {"csr", OPT_CSR, 's',
  280. "PKCS#10 CSR file in PEM or DER format to convert or to use in p10cr"},
  281. {"out_trusted", OPT_OUT_TRUSTED, 's',
  282. "Certificates to trust when verifying newly enrolled certificates"},
  283. {"implicit_confirm", OPT_IMPLICIT_CONFIRM, '-',
  284. "Request implicit confirmation of newly enrolled certificates"},
  285. {"disable_confirm", OPT_DISABLE_CONFIRM, '-',
  286. "Do not confirm newly enrolled certificate w/o requesting implicit"},
  287. {OPT_MORE_STR, 0, 0,
  288. "confirmation. WARNING: This leads to behavior violating RFC 4210"},
  289. {"certout", OPT_CERTOUT, 's',
  290. "File to save newly enrolled certificate"},
  291. {"chainout", OPT_CHAINOUT, 's',
  292. "File to save the chain of newly enrolled certificate"},
  293. OPT_SECTION("Certificate enrollment and revocation"),
  294. {"oldcert", OPT_OLDCERT, 's',
  295. "Certificate to be updated (defaulting to -cert) or to be revoked in rr;"},
  296. {OPT_MORE_STR, 0, 0,
  297. "also used as reference (defaulting to -cert) for subject DN and SANs."},
  298. {OPT_MORE_STR, 0, 0,
  299. "Issuer is used as recipient unless -recipient, -srvcert, or -issuer given"},
  300. {"revreason", OPT_REVREASON, 'n',
  301. "Reason code to include in revocation request (rr); possible values:"},
  302. {OPT_MORE_STR, 0, 0,
  303. "0..6, 8..10 (see RFC5280, 5.3.1) or -1. Default -1 = none included"},
  304. OPT_SECTION("Message transfer"),
  305. #ifdef OPENSSL_NO_SOCK
  306. {OPT_MORE_STR, 0, 0,
  307. "NOTE: -server, -proxy, and -no_proxy not supported due to no-sock build"},
  308. #else
  309. {"server", OPT_SERVER, 's',
  310. "[http[s]://]address[:port][/path] of CMP server. Default port 80 or 443."},
  311. {OPT_MORE_STR, 0, 0,
  312. "address may be a DNS name or an IP address; path can be overridden by -path"},
  313. {"proxy", OPT_PROXY, 's',
  314. "[http[s]://]address[:port][/path] of HTTP(S) proxy to use; path is ignored"},
  315. {"no_proxy", OPT_NO_PROXY, 's',
  316. "List of addresses of servers not to use HTTP(S) proxy for"},
  317. {OPT_MORE_STR, 0, 0,
  318. "Default from environment variable 'no_proxy', else 'NO_PROXY', else none"},
  319. #endif
  320. {"recipient", OPT_RECIPIENT, 's',
  321. "DN of CA. Default: subject of -srvcert, -issuer, issuer of -oldcert or -cert"},
  322. {"path", OPT_PATH, 's',
  323. "HTTP path (aka CMP alias) at the CMP server. Default from -server, else \"/\""},
  324. {"keep_alive", OPT_KEEP_ALIVE, 'N',
  325. "Persistent HTTP connections. 0: no, 1 (the default): request, 2: require"},
  326. {"msg_timeout", OPT_MSG_TIMEOUT, 'N',
  327. "Number of seconds allowed per CMP message round trip, or 0 for infinite"},
  328. {"total_timeout", OPT_TOTAL_TIMEOUT, 'N',
  329. "Overall time an enrollment incl. polling may take. Default 0 = infinite"},
  330. OPT_SECTION("Server authentication"),
  331. {"trusted", OPT_TRUSTED, 's',
  332. "Certificates to use as trust anchors when verifying signed CMP responses"},
  333. {OPT_MORE_STR, 0, 0, "unless -srvcert is given"},
  334. {"untrusted", OPT_UNTRUSTED, 's',
  335. "Intermediate CA certs for chain construction for CMP/TLS/enrolled certs"},
  336. {"srvcert", OPT_SRVCERT, 's',
  337. "Server cert to pin and trust directly when verifying signed CMP responses"},
  338. {"expect_sender", OPT_EXPECT_SENDER, 's',
  339. "DN of expected sender of responses. Defaults to subject of -srvcert, if any"},
  340. {"ignore_keyusage", OPT_IGNORE_KEYUSAGE, '-',
  341. "Ignore CMP signer cert key usage, else 'digitalSignature' must be allowed"},
  342. {"unprotected_errors", OPT_UNPROTECTED_ERRORS, '-',
  343. "Accept missing or invalid protection of regular error messages and negative"},
  344. {OPT_MORE_STR, 0, 0,
  345. "certificate responses (ip/cp/kup), revocation responses (rp), and PKIConf"},
  346. {OPT_MORE_STR, 0, 0,
  347. "WARNING: This setting leads to behavior allowing violation of RFC 4210"},
  348. {"extracertsout", OPT_EXTRACERTSOUT, 's',
  349. "File to save extra certificates received in the extraCerts field"},
  350. {"cacertsout", OPT_CACERTSOUT, 's',
  351. "File to save CA certificates received in the caPubs field of 'ip' messages"},
  352. OPT_SECTION("Client authentication"),
  353. {"ref", OPT_REF, 's',
  354. "Reference value to use as senderKID in case no -cert is given"},
  355. {"secret", OPT_SECRET, 's',
  356. "Prefer PBM (over signatures) for protecting msgs with given password source"},
  357. {"cert", OPT_CERT, 's',
  358. "Client's CMP signer certificate; its public key must match the -key argument"},
  359. {OPT_MORE_STR, 0, 0,
  360. "This also used as default reference for subject DN and SANs."},
  361. {OPT_MORE_STR, 0, 0,
  362. "Any further certs included are appended to the untrusted certs"},
  363. {"own_trusted", OPT_OWN_TRUSTED, 's',
  364. "Optional certs to verify chain building for own CMP signer cert"},
  365. {"key", OPT_KEY, 's', "CMP signer private key, not used when -secret given"},
  366. {"keypass", OPT_KEYPASS, 's',
  367. "Client private key (and cert and old cert) pass phrase source"},
  368. {"digest", OPT_DIGEST, 's',
  369. "Digest to use in message protection and POPO signatures. Default \"sha256\""},
  370. {"mac", OPT_MAC, 's',
  371. "MAC algorithm to use in PBM-based message protection. Default \"hmac-sha1\""},
  372. {"extracerts", OPT_EXTRACERTS, 's',
  373. "Certificates to append in extraCerts field of outgoing messages."},
  374. {OPT_MORE_STR, 0, 0,
  375. "This can be used as the default CMP signer cert chain to include"},
  376. {"unprotected_requests", OPT_UNPROTECTED_REQUESTS, '-',
  377. "Send request messages without CMP-level protection"},
  378. OPT_SECTION("Credentials format"),
  379. {"certform", OPT_CERTFORM, 's',
  380. "Format (PEM or DER) to use when saving a certificate to a file. Default PEM"},
  381. {"keyform", OPT_KEYFORM, 's',
  382. "Format of the key input (ENGINE, other values ignored)"},
  383. {"otherpass", OPT_OTHERPASS, 's',
  384. "Pass phrase source potentially needed for loading certificates of others"},
  385. #ifndef OPENSSL_NO_ENGINE
  386. {"engine", OPT_ENGINE, 's',
  387. "Use crypto engine with given identifier, possibly a hardware device."},
  388. {OPT_MORE_STR, 0, 0,
  389. "Engines may also be defined in OpenSSL config file engine section."},
  390. #endif
  391. OPT_PROV_OPTIONS,
  392. OPT_R_OPTIONS,
  393. OPT_SECTION("TLS connection"),
  394. #ifdef OPENSSL_NO_SOCK
  395. {OPT_MORE_STR, 0, 0,
  396. "NOTE: -tls_used and all other TLS options not supported due to no-sock build"},
  397. #else
  398. {"tls_used", OPT_TLS_USED, '-',
  399. "Enable using TLS (also when other TLS options are not set)"},
  400. {"tls_cert", OPT_TLS_CERT, 's',
  401. "Client's TLS certificate. May include chain to be provided to TLS server"},
  402. {"tls_key", OPT_TLS_KEY, 's',
  403. "Private key for the client's TLS certificate"},
  404. {"tls_keypass", OPT_TLS_KEYPASS, 's',
  405. "Pass phrase source for the client's private TLS key (and TLS cert)"},
  406. {"tls_extra", OPT_TLS_EXTRA, 's',
  407. "Extra certificates to provide to TLS server during TLS handshake"},
  408. {"tls_trusted", OPT_TLS_TRUSTED, 's',
  409. "Trusted certificates to use for verifying the TLS server certificate;"},
  410. {OPT_MORE_STR, 0, 0, "this implies host name validation"},
  411. {"tls_host", OPT_TLS_HOST, 's',
  412. "Address to be checked (rather than -server) during TLS host name validation"},
  413. #endif
  414. OPT_SECTION("Client-side debugging"),
  415. {"batch", OPT_BATCH, '-',
  416. "Do not interactively prompt for input when a password is required etc."},
  417. {"repeat", OPT_REPEAT, 'p',
  418. "Invoke the transaction the given positive number of times. Default 1"},
  419. {"reqin", OPT_REQIN, 's',
  420. "Take sequence of CMP requests to send to server from file(s)"},
  421. {"reqin_new_tid", OPT_REQIN_NEW_TID, '-',
  422. "Use fresh transactionID for CMP requests read from -reqin"},
  423. {"reqout", OPT_REQOUT, 's',
  424. "Save sequence of CMP requests created by the client to file(s)"},
  425. {"rspin", OPT_RSPIN, 's',
  426. "Process sequence of CMP responses provided in file(s), skipping server"},
  427. {"rspout", OPT_RSPOUT, 's',
  428. "Save sequence of actually used CMP responses to file(s)"},
  429. {"use_mock_srv", OPT_USE_MOCK_SRV, '-',
  430. "Use internal mock server at API level, bypassing socket-based HTTP"},
  431. OPT_SECTION("Mock server"),
  432. #ifdef OPENSSL_NO_SOCK
  433. {OPT_MORE_STR, 0, 0,
  434. "NOTE: -port and -max_msgs not supported due to no-sock build"},
  435. #else
  436. {"port", OPT_PORT, 's',
  437. "Act as HTTP-based mock server listening on given port"},
  438. {"max_msgs", OPT_MAX_MSGS, 'N',
  439. "max number of messages handled by HTTP mock server. Default: 0 = unlimited"},
  440. #endif
  441. {"srv_ref", OPT_SRV_REF, 's',
  442. "Reference value to use as senderKID of server in case no -srv_cert is given"},
  443. {"srv_secret", OPT_SRV_SECRET, 's',
  444. "Password source for server authentication with a pre-shared key (secret)"},
  445. {"srv_cert", OPT_SRV_CERT, 's', "Certificate of the server"},
  446. {"srv_key", OPT_SRV_KEY, 's',
  447. "Private key used by the server for signing messages"},
  448. {"srv_keypass", OPT_SRV_KEYPASS, 's',
  449. "Server private key (and cert) pass phrase source"},
  450. {"srv_trusted", OPT_SRV_TRUSTED, 's',
  451. "Trusted certificates for client authentication"},
  452. {"srv_untrusted", OPT_SRV_UNTRUSTED, 's',
  453. "Intermediate certs that may be useful for verifying CMP protection"},
  454. {"rsp_cert", OPT_RSP_CERT, 's',
  455. "Certificate to be returned as mock enrollment result"},
  456. {"rsp_extracerts", OPT_RSP_EXTRACERTS, 's',
  457. "Extra certificates to be included in mock certification responses"},
  458. {"rsp_capubs", OPT_RSP_CAPUBS, 's',
  459. "CA certificates to be included in mock ip response"},
  460. {"poll_count", OPT_POLL_COUNT, 'N',
  461. "Number of times the client must poll before receiving a certificate"},
  462. {"check_after", OPT_CHECK_AFTER, 'N',
  463. "The check_after value (time to wait) to include in poll response"},
  464. {"grant_implicitconf", OPT_GRANT_IMPLICITCONF, '-',
  465. "Grant implicit confirmation of newly enrolled certificate"},
  466. {"pkistatus", OPT_PKISTATUS, 'N',
  467. "PKIStatus to be included in server response. Possible values: 0..6"},
  468. {"failure", OPT_FAILURE, 'N',
  469. "A single failure info bit number to include in server response, 0..26"},
  470. {"failurebits", OPT_FAILUREBITS, 'N',
  471. "Number representing failure bits to include in server response, 0..2^27 - 1"},
  472. {"statusstring", OPT_STATUSSTRING, 's',
  473. "Status string to be included in server response"},
  474. {"send_error", OPT_SEND_ERROR, '-',
  475. "Force server to reply with error message"},
  476. {"send_unprotected", OPT_SEND_UNPROTECTED, '-',
  477. "Send response messages without CMP-level protection"},
  478. {"send_unprot_err", OPT_SEND_UNPROT_ERR, '-',
  479. "In case of negative responses, server shall send unprotected error messages,"},
  480. {OPT_MORE_STR, 0, 0,
  481. "certificate responses (ip/cp/kup), and revocation responses (rp)."},
  482. {OPT_MORE_STR, 0, 0,
  483. "WARNING: This setting leads to behavior violating RFC 4210"},
  484. {"accept_unprotected", OPT_ACCEPT_UNPROTECTED, '-',
  485. "Accept missing or invalid protection of requests"},
  486. {"accept_unprot_err", OPT_ACCEPT_UNPROT_ERR, '-',
  487. "Accept unprotected error messages from client"},
  488. {"accept_raverified", OPT_ACCEPT_RAVERIFIED, '-',
  489. "Accept RAVERIFIED as proof-of-possession (POPO)"},
  490. OPT_V_OPTIONS,
  491. {NULL}
  492. };
  493. typedef union {
  494. char **txt;
  495. int *num;
  496. long *num_long;
  497. } varref;
  498. static varref cmp_vars[] = { /* must be in same order as enumerated above! */
  499. {&opt_config}, {&opt_section}, {(char **)&opt_verbosity},
  500. {&opt_cmd_s}, {&opt_infotype_s}, {&opt_geninfo},
  501. {&opt_newkey}, {&opt_newkeypass}, {&opt_subject}, {&opt_issuer},
  502. {(char **)&opt_days}, {&opt_reqexts},
  503. {&opt_sans}, {(char **)&opt_san_nodefault},
  504. {&opt_policies}, {&opt_policy_oids}, {(char **)&opt_policy_oids_critical},
  505. {(char **)&opt_popo}, {&opt_csr},
  506. {&opt_out_trusted},
  507. {(char **)&opt_implicit_confirm}, {(char **)&opt_disable_confirm},
  508. {&opt_certout}, {&opt_chainout},
  509. {&opt_oldcert}, {(char **)&opt_revreason},
  510. #ifndef OPENSSL_NO_SOCK
  511. {&opt_server}, {&opt_proxy}, {&opt_no_proxy},
  512. #endif
  513. {&opt_recipient}, {&opt_path}, {(char **)&opt_keep_alive},
  514. {(char **)&opt_msg_timeout}, {(char **)&opt_total_timeout},
  515. {&opt_trusted}, {&opt_untrusted}, {&opt_srvcert},
  516. {&opt_expect_sender},
  517. {(char **)&opt_ignore_keyusage}, {(char **)&opt_unprotected_errors},
  518. {&opt_extracertsout}, {&opt_cacertsout},
  519. {&opt_ref}, {&opt_secret},
  520. {&opt_cert}, {&opt_own_trusted}, {&opt_key}, {&opt_keypass},
  521. {&opt_digest}, {&opt_mac}, {&opt_extracerts},
  522. {(char **)&opt_unprotected_requests},
  523. {&opt_certform_s}, {&opt_keyform_s},
  524. {&opt_otherpass},
  525. #ifndef OPENSSL_NO_ENGINE
  526. {&opt_engine},
  527. #endif
  528. #ifndef OPENSSL_NO_SOCK
  529. {(char **)&opt_tls_used}, {&opt_tls_cert}, {&opt_tls_key},
  530. {&opt_tls_keypass},
  531. {&opt_tls_extra}, {&opt_tls_trusted}, {&opt_tls_host},
  532. #endif
  533. {(char **)&opt_batch}, {(char **)&opt_repeat},
  534. {&opt_reqin}, {(char **)&opt_reqin_new_tid},
  535. {&opt_reqout}, {&opt_rspin}, {&opt_rspout},
  536. {(char **)&opt_use_mock_srv},
  537. #ifndef OPENSSL_NO_SOCK
  538. {&opt_port}, {(char **)&opt_max_msgs},
  539. #endif
  540. {&opt_srv_ref}, {&opt_srv_secret},
  541. {&opt_srv_cert}, {&opt_srv_key}, {&opt_srv_keypass},
  542. {&opt_srv_trusted}, {&opt_srv_untrusted},
  543. {&opt_rsp_cert}, {&opt_rsp_extracerts}, {&opt_rsp_capubs},
  544. {(char **)&opt_poll_count}, {(char **)&opt_check_after},
  545. {(char **)&opt_grant_implicitconf},
  546. {(char **)&opt_pkistatus}, {(char **)&opt_failure},
  547. {(char **)&opt_failurebits}, {&opt_statusstring},
  548. {(char **)&opt_send_error}, {(char **)&opt_send_unprotected},
  549. {(char **)&opt_send_unprot_err}, {(char **)&opt_accept_unprotected},
  550. {(char **)&opt_accept_unprot_err}, {(char **)&opt_accept_raverified},
  551. {NULL}
  552. };
  553. #define FUNC (strcmp(OPENSSL_FUNC, "(unknown function)") == 0 \
  554. ? "CMP" : OPENSSL_FUNC)
  555. #define CMP_print(bio, level, prefix, msg, a1, a2, a3) \
  556. ((void)(level > opt_verbosity ? 0 : \
  557. (BIO_printf(bio, "%s:%s:%d:CMP %s: " msg "\n", \
  558. FUNC, OPENSSL_FILE, OPENSSL_LINE, prefix, a1, a2, a3))))
  559. #define CMP_DEBUG(m, a1, a2, a3) \
  560. CMP_print(bio_out, OSSL_CMP_LOG_DEBUG, "debug", m, a1, a2, a3)
  561. #define CMP_debug(msg) CMP_DEBUG(msg"%s%s%s", "", "", "")
  562. #define CMP_debug1(msg, a1) CMP_DEBUG(msg"%s%s", a1, "", "")
  563. #define CMP_debug2(msg, a1, a2) CMP_DEBUG(msg"%s", a1, a2, "")
  564. #define CMP_debug3(msg, a1, a2, a3) CMP_DEBUG(msg, a1, a2, a3)
  565. #define CMP_INFO(msg, a1, a2, a3) \
  566. CMP_print(bio_out, OSSL_CMP_LOG_INFO, "info", msg, a1, a2, a3)
  567. #define CMP_info(msg) CMP_INFO(msg"%s%s%s", "", "", "")
  568. #define CMP_info1(msg, a1) CMP_INFO(msg"%s%s", a1, "", "")
  569. #define CMP_info2(msg, a1, a2) CMP_INFO(msg"%s", a1, a2, "")
  570. #define CMP_info3(msg, a1, a2, a3) CMP_INFO(msg, a1, a2, a3)
  571. #define CMP_WARN(m, a1, a2, a3) \
  572. CMP_print(bio_out, OSSL_CMP_LOG_WARNING, "warning", m, a1, a2, a3)
  573. #define CMP_warn(msg) CMP_WARN(msg"%s%s%s", "", "", "")
  574. #define CMP_warn1(msg, a1) CMP_WARN(msg"%s%s", a1, "", "")
  575. #define CMP_warn2(msg, a1, a2) CMP_WARN(msg"%s", a1, a2, "")
  576. #define CMP_warn3(msg, a1, a2, a3) CMP_WARN(msg, a1, a2, a3)
  577. #define CMP_ERR(msg, a1, a2, a3) \
  578. CMP_print(bio_err, OSSL_CMP_LOG_ERR, "error", msg, a1, a2, a3)
  579. #define CMP_err(msg) CMP_ERR(msg"%s%s%s", "", "", "")
  580. #define CMP_err1(msg, a1) CMP_ERR(msg"%s%s", a1, "", "")
  581. #define CMP_err2(msg, a1, a2) CMP_ERR(msg"%s", a1, a2, "")
  582. #define CMP_err3(msg, a1, a2, a3) CMP_ERR(msg, a1, a2, a3)
  583. static int print_to_bio_out(const char *func, const char *file, int line,
  584. OSSL_CMP_severity level, const char *msg)
  585. {
  586. return OSSL_CMP_print_to_bio(bio_out, func, file, line, level, msg);
  587. }
  588. static int print_to_bio_err(const char *func, const char *file, int line,
  589. OSSL_CMP_severity level, const char *msg)
  590. {
  591. return OSSL_CMP_print_to_bio(bio_err, func, file, line, level, msg);
  592. }
  593. static int set_verbosity(int level)
  594. {
  595. if (level < OSSL_CMP_LOG_EMERG || level > OSSL_CMP_LOG_MAX) {
  596. CMP_err1("Logging verbosity level %d out of range (0 .. 8)", level);
  597. return 0;
  598. }
  599. opt_verbosity = level;
  600. return 1;
  601. }
  602. static EVP_PKEY *load_key_pwd(const char *uri, int format,
  603. const char *pass, ENGINE *eng, const char *desc)
  604. {
  605. char *pass_string = get_passwd(pass, desc);
  606. EVP_PKEY *pkey = load_key(uri, format, 0, pass_string, eng, desc);
  607. clear_free(pass_string);
  608. return pkey;
  609. }
  610. static X509 *load_cert_pwd(const char *uri, const char *pass, const char *desc)
  611. {
  612. X509 *cert;
  613. char *pass_string = get_passwd(pass, desc);
  614. cert = load_cert_pass(uri, FORMAT_UNDEF, 0, pass_string, desc);
  615. clear_free(pass_string);
  616. return cert;
  617. }
  618. static X509_REQ *load_csr_autofmt(const char *infile, const char *desc)
  619. {
  620. X509_REQ *csr;
  621. BIO *bio_bak = bio_err;
  622. bio_err = NULL; /* do not show errors on more than one try */
  623. csr = load_csr(infile, FORMAT_PEM, desc);
  624. bio_err = bio_bak;
  625. if (csr == NULL) {
  626. ERR_clear_error();
  627. csr = load_csr(infile, FORMAT_ASN1, desc);
  628. }
  629. if (csr == NULL) {
  630. ERR_print_errors(bio_err);
  631. BIO_printf(bio_err, "error: unable to load %s from file '%s'\n", desc,
  632. infile);
  633. } else {
  634. EVP_PKEY *pkey = X509_REQ_get0_pubkey(csr);
  635. int ret = do_X509_REQ_verify(csr, pkey, NULL /* vfyopts */);
  636. if (pkey == NULL || ret < 0)
  637. CMP_warn("error while verifying CSR self-signature");
  638. else if (ret == 0)
  639. CMP_warn("CSR self-signature does not match the contents");
  640. }
  641. return csr;
  642. }
  643. /* set expected host name/IP addr and clears the email addr in the given ts */
  644. static int truststore_set_host_etc(X509_STORE *ts, const char *host)
  645. {
  646. X509_VERIFY_PARAM *ts_vpm = X509_STORE_get0_param(ts);
  647. /* first clear any host names, IP, and email addresses */
  648. if (!X509_VERIFY_PARAM_set1_host(ts_vpm, NULL, 0)
  649. || !X509_VERIFY_PARAM_set1_ip(ts_vpm, NULL, 0)
  650. || !X509_VERIFY_PARAM_set1_email(ts_vpm, NULL, 0))
  651. return 0;
  652. X509_VERIFY_PARAM_set_hostflags(ts_vpm,
  653. X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT |
  654. X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
  655. return (host != NULL && X509_VERIFY_PARAM_set1_ip_asc(ts_vpm, host))
  656. || X509_VERIFY_PARAM_set1_host(ts_vpm, host, 0);
  657. }
  658. /* write OSSL_CMP_MSG DER-encoded to the specified file name item */
  659. static int write_PKIMESSAGE(const OSSL_CMP_MSG *msg, char **filenames)
  660. {
  661. char *file;
  662. if (msg == NULL || filenames == NULL) {
  663. CMP_err("NULL arg to write_PKIMESSAGE");
  664. return 0;
  665. }
  666. if (*filenames == NULL) {
  667. CMP_err("not enough file names provided for writing PKIMessage");
  668. return 0;
  669. }
  670. file = *filenames;
  671. *filenames = next_item(file);
  672. if (OSSL_CMP_MSG_write(file, msg) < 0) {
  673. CMP_err1("cannot write PKIMessage to file '%s'", file);
  674. return 0;
  675. }
  676. return 1;
  677. }
  678. /* read DER-encoded OSSL_CMP_MSG from the specified file name item */
  679. static OSSL_CMP_MSG *read_PKIMESSAGE(const char *desc, char **filenames)
  680. {
  681. char *file;
  682. OSSL_CMP_MSG *ret;
  683. if (filenames == NULL || desc == NULL) {
  684. CMP_err("NULL arg to read_PKIMESSAGE");
  685. return NULL;
  686. }
  687. if (*filenames == NULL) {
  688. CMP_err("not enough file names provided for reading PKIMessage");
  689. return NULL;
  690. }
  691. file = *filenames;
  692. *filenames = next_item(file);
  693. ret = OSSL_CMP_MSG_read(file, app_get0_libctx(), app_get0_propq());
  694. if (ret == NULL)
  695. CMP_err1("cannot read PKIMessage from file '%s'", file);
  696. else
  697. CMP_info2("%s %s", desc, file);
  698. return ret;
  699. }
  700. /*-
  701. * Sends the PKIMessage req and on success place the response in *res
  702. * basically like OSSL_CMP_MSG_http_perform(), but in addition allows
  703. * to dump the sequence of requests and responses to files and/or
  704. * to take the sequence of requests and responses from files.
  705. */
  706. static OSSL_CMP_MSG *read_write_req_resp(OSSL_CMP_CTX *ctx,
  707. const OSSL_CMP_MSG *req)
  708. {
  709. OSSL_CMP_MSG *req_new = NULL;
  710. OSSL_CMP_MSG *res = NULL;
  711. OSSL_CMP_PKIHEADER *hdr;
  712. const char *prev_opt_rspin = opt_rspin;
  713. if (req != NULL && opt_reqout != NULL
  714. && !write_PKIMESSAGE(req, &opt_reqout))
  715. goto err;
  716. if (opt_reqin != NULL && opt_rspin == NULL) {
  717. if ((req_new = read_PKIMESSAGE("actually sending", &opt_reqin)) == NULL)
  718. goto err;
  719. /*-
  720. * The transaction ID in req_new read from opt_reqin may not be fresh.
  721. * In this case the server may complain "Transaction id already in use."
  722. * The following workaround unfortunately requires re-protection.
  723. */
  724. if (opt_reqin_new_tid
  725. && !OSSL_CMP_MSG_update_transactionID(ctx, req_new))
  726. goto err;
  727. /*
  728. * Except for first request, need to satisfy recipNonce check by server.
  729. * Unfortunately requires re-protection if protection is required.
  730. */
  731. if (!OSSL_CMP_MSG_update_recipNonce(ctx, req_new))
  732. goto err;
  733. }
  734. if (opt_rspin != NULL) {
  735. res = read_PKIMESSAGE("actually using", &opt_rspin);
  736. } else {
  737. const OSSL_CMP_MSG *actual_req = req_new != NULL ? req_new : req;
  738. if (opt_use_mock_srv) {
  739. if (rspin_in_use)
  740. CMP_warn("too few -rspin filename arguments; resorting to using mock server");
  741. res = OSSL_CMP_CTX_server_perform(ctx, actual_req);
  742. } else {
  743. #ifndef OPENSSL_NO_SOCK
  744. if (opt_server == NULL) {
  745. CMP_err("missing -server or -use_mock_srv option, or too few -rspin filename arguments");
  746. goto err;
  747. }
  748. if (rspin_in_use)
  749. CMP_warn("too few -rspin filename arguments; resorting to contacting server");
  750. res = OSSL_CMP_MSG_http_perform(ctx, actual_req);
  751. #else
  752. CMP_err("-server not supported on no-sock build; missing -use_mock_srv option or too few -rspin filename arguments");
  753. #endif
  754. }
  755. rspin_in_use = 0;
  756. }
  757. if (res == NULL)
  758. goto err;
  759. if (req_new != NULL || prev_opt_rspin != NULL) {
  760. /* need to satisfy nonce and transactionID checks by client */
  761. ASN1_OCTET_STRING *nonce;
  762. ASN1_OCTET_STRING *tid;
  763. hdr = OSSL_CMP_MSG_get0_header(res);
  764. nonce = OSSL_CMP_HDR_get0_recipNonce(hdr);
  765. tid = OSSL_CMP_HDR_get0_transactionID(hdr);
  766. if (!OSSL_CMP_CTX_set1_senderNonce(ctx, nonce)
  767. || !OSSL_CMP_CTX_set1_transactionID(ctx, tid)) {
  768. OSSL_CMP_MSG_free(res);
  769. res = NULL;
  770. goto err;
  771. }
  772. }
  773. if (opt_rspout != NULL && !write_PKIMESSAGE(res, &opt_rspout)) {
  774. OSSL_CMP_MSG_free(res);
  775. res = NULL;
  776. }
  777. err:
  778. OSSL_CMP_MSG_free(req_new);
  779. return res;
  780. }
  781. static int set_name(const char *str,
  782. int (*set_fn) (OSSL_CMP_CTX *ctx, const X509_NAME *name),
  783. OSSL_CMP_CTX *ctx, const char *desc)
  784. {
  785. if (str != NULL) {
  786. X509_NAME *n = parse_name(str, MBSTRING_ASC, 1, desc);
  787. if (n == NULL)
  788. return 0;
  789. if (!(*set_fn) (ctx, n)) {
  790. X509_NAME_free(n);
  791. CMP_err("out of memory");
  792. return 0;
  793. }
  794. X509_NAME_free(n);
  795. }
  796. return 1;
  797. }
  798. static int set_gennames(OSSL_CMP_CTX *ctx, char *names, const char *desc)
  799. {
  800. char *next;
  801. for (; names != NULL; names = next) {
  802. GENERAL_NAME *n;
  803. next = next_item(names);
  804. if (strcmp(names, "critical") == 0) {
  805. (void)OSSL_CMP_CTX_set_option(ctx,
  806. OSSL_CMP_OPT_SUBJECTALTNAME_CRITICAL,
  807. 1);
  808. continue;
  809. }
  810. /* try IP address first, then URI or domain name */
  811. (void)ERR_set_mark();
  812. n = a2i_GENERAL_NAME(NULL, NULL, NULL, GEN_IPADD, names, 0);
  813. if (n == NULL)
  814. n = a2i_GENERAL_NAME(NULL, NULL, NULL,
  815. strchr(names, ':') != NULL ? GEN_URI : GEN_DNS,
  816. names, 0);
  817. (void)ERR_pop_to_mark();
  818. if (n == NULL) {
  819. CMP_err2("bad syntax of %s '%s'", desc, names);
  820. return 0;
  821. }
  822. if (!OSSL_CMP_CTX_push1_subjectAltName(ctx, n)) {
  823. GENERAL_NAME_free(n);
  824. CMP_err("out of memory");
  825. return 0;
  826. }
  827. GENERAL_NAME_free(n);
  828. }
  829. return 1;
  830. }
  831. static X509_STORE *load_trusted(char *input, int for_new_cert, const char *desc)
  832. {
  833. X509_STORE *ts = load_certstore(input, opt_otherpass, desc, vpm);
  834. if (ts == NULL)
  835. return NULL;
  836. X509_STORE_set_verify_cb(ts, X509_STORE_CTX_print_verify_cb);
  837. /* copy vpm to store */
  838. if (X509_STORE_set1_param(ts, vpm /* may be NULL */)
  839. && (for_new_cert || truststore_set_host_etc(ts, NULL)))
  840. return ts;
  841. BIO_printf(bio_err, "error setting verification parameters for %s\n", desc);
  842. OSSL_CMP_CTX_print_errors(cmp_ctx);
  843. X509_STORE_free(ts);
  844. return NULL;
  845. }
  846. typedef int (*add_X509_stack_fn_t)(void *ctx, const STACK_OF(X509) *certs);
  847. static int setup_certs(char *files, const char *desc, void *ctx,
  848. add_X509_stack_fn_t set1_fn)
  849. {
  850. STACK_OF(X509) *certs;
  851. int ok;
  852. if (files == NULL)
  853. return 1;
  854. if ((certs = load_certs_multifile(files, opt_otherpass, desc, vpm)) == NULL)
  855. return 0;
  856. ok = (*set1_fn)(ctx, certs);
  857. sk_X509_pop_free(certs, X509_free);
  858. return ok;
  859. }
  860. /*
  861. * parse and transform some options, checking their syntax.
  862. * Returns 1 on success, 0 on error
  863. */
  864. static int transform_opts(void)
  865. {
  866. if (opt_cmd_s != NULL) {
  867. if (!strcmp(opt_cmd_s, "ir")) {
  868. opt_cmd = CMP_IR;
  869. } else if (!strcmp(opt_cmd_s, "kur")) {
  870. opt_cmd = CMP_KUR;
  871. } else if (!strcmp(opt_cmd_s, "cr")) {
  872. opt_cmd = CMP_CR;
  873. } else if (!strcmp(opt_cmd_s, "p10cr")) {
  874. opt_cmd = CMP_P10CR;
  875. } else if (!strcmp(opt_cmd_s, "rr")) {
  876. opt_cmd = CMP_RR;
  877. } else if (!strcmp(opt_cmd_s, "genm")) {
  878. opt_cmd = CMP_GENM;
  879. } else {
  880. CMP_err1("unknown cmp command '%s'", opt_cmd_s);
  881. return 0;
  882. }
  883. } else {
  884. CMP_err("no cmp command to execute");
  885. return 0;
  886. }
  887. #ifndef OPENSSL_NO_ENGINE
  888. # define FORMAT_OPTIONS (OPT_FMT_PEMDER | OPT_FMT_PKCS12 | OPT_FMT_ENGINE)
  889. #else
  890. # define FORMAT_OPTIONS (OPT_FMT_PEMDER | OPT_FMT_PKCS12)
  891. #endif
  892. if (opt_keyform_s != NULL
  893. && !opt_format(opt_keyform_s, FORMAT_OPTIONS, &opt_keyform)) {
  894. CMP_err("unknown option given for key loading format");
  895. return 0;
  896. }
  897. #undef FORMAT_OPTIONS
  898. if (opt_certform_s != NULL
  899. && !opt_format(opt_certform_s, OPT_FMT_PEMDER, &opt_certform)) {
  900. CMP_err("unknown option given for certificate storing format");
  901. return 0;
  902. }
  903. return 1;
  904. }
  905. static OSSL_CMP_SRV_CTX *setup_srv_ctx(ENGINE *engine)
  906. {
  907. OSSL_CMP_CTX *ctx; /* extra CMP (client) ctx partly used by server */
  908. OSSL_CMP_SRV_CTX *srv_ctx = ossl_cmp_mock_srv_new(app_get0_libctx(),
  909. app_get0_propq());
  910. if (srv_ctx == NULL)
  911. return NULL;
  912. ctx = OSSL_CMP_SRV_CTX_get0_cmp_ctx(srv_ctx);
  913. if (opt_srv_ref == NULL) {
  914. if (opt_srv_cert == NULL) {
  915. /* opt_srv_cert should determine the sender */
  916. CMP_err("must give -srv_ref for mock server if no -srv_cert given");
  917. goto err;
  918. }
  919. } else {
  920. if (!OSSL_CMP_CTX_set1_referenceValue(ctx, (unsigned char *)opt_srv_ref,
  921. strlen(opt_srv_ref)))
  922. goto err;
  923. }
  924. if (opt_srv_secret != NULL) {
  925. int res;
  926. char *pass_str = get_passwd(opt_srv_secret, "PBMAC secret of mock server");
  927. if (pass_str != NULL) {
  928. cleanse(opt_srv_secret);
  929. res = OSSL_CMP_CTX_set1_secretValue(ctx, (unsigned char *)pass_str,
  930. strlen(pass_str));
  931. clear_free(pass_str);
  932. if (res == 0)
  933. goto err;
  934. }
  935. } else if (opt_srv_cert == NULL) {
  936. CMP_err("server credentials (-srv_secret or -srv_cert) must be given if -use_mock_srv or -port is used");
  937. goto err;
  938. } else {
  939. CMP_warn("server will not be able to handle PBM-protected requests since -srv_secret is not given");
  940. }
  941. if (opt_srv_secret == NULL
  942. && ((opt_srv_cert == NULL) != (opt_srv_key == NULL))) {
  943. CMP_err("must give both -srv_cert and -srv_key options or neither");
  944. goto err;
  945. }
  946. if (opt_srv_cert != NULL) {
  947. X509 *srv_cert = load_cert_pwd(opt_srv_cert, opt_srv_keypass,
  948. "certificate of the mock server");
  949. if (srv_cert == NULL || !OSSL_CMP_CTX_set1_cert(ctx, srv_cert)) {
  950. X509_free(srv_cert);
  951. goto err;
  952. }
  953. X509_free(srv_cert);
  954. }
  955. if (opt_srv_key != NULL) {
  956. EVP_PKEY *pkey = load_key_pwd(opt_srv_key, opt_keyform,
  957. opt_srv_keypass,
  958. engine, "private key for mock server cert");
  959. if (pkey == NULL || !OSSL_CMP_CTX_set1_pkey(ctx, pkey)) {
  960. EVP_PKEY_free(pkey);
  961. goto err;
  962. }
  963. EVP_PKEY_free(pkey);
  964. }
  965. cleanse(opt_srv_keypass);
  966. if (opt_srv_trusted != NULL) {
  967. X509_STORE *ts =
  968. load_trusted(opt_srv_trusted, 0, "certs trusted by mock server");
  969. if (ts == NULL || !OSSL_CMP_CTX_set0_trustedStore(ctx, ts)) {
  970. X509_STORE_free(ts);
  971. goto err;
  972. }
  973. } else {
  974. CMP_warn("mock server will not be able to handle signature-protected requests since -srv_trusted is not given");
  975. }
  976. if (!setup_certs(opt_srv_untrusted,
  977. "untrusted certificates for mock server", ctx,
  978. (add_X509_stack_fn_t)OSSL_CMP_CTX_set1_untrusted))
  979. goto err;
  980. if (opt_rsp_cert == NULL) {
  981. CMP_warn("no -rsp_cert given for mock server");
  982. } else {
  983. X509 *cert = load_cert_pwd(opt_rsp_cert, opt_keypass,
  984. "cert to be returned by the mock server");
  985. if (cert == NULL)
  986. goto err;
  987. /* from server perspective the server is the client */
  988. if (!ossl_cmp_mock_srv_set1_certOut(srv_ctx, cert)) {
  989. X509_free(cert);
  990. goto err;
  991. }
  992. X509_free(cert);
  993. }
  994. if (!setup_certs(opt_rsp_extracerts,
  995. "CMP extra certificates for mock server", srv_ctx,
  996. (add_X509_stack_fn_t)ossl_cmp_mock_srv_set1_chainOut))
  997. goto err;
  998. if (!setup_certs(opt_rsp_capubs, "caPubs for mock server", srv_ctx,
  999. (add_X509_stack_fn_t)ossl_cmp_mock_srv_set1_caPubsOut))
  1000. goto err;
  1001. (void)ossl_cmp_mock_srv_set_pollCount(srv_ctx, opt_poll_count);
  1002. (void)ossl_cmp_mock_srv_set_checkAfterTime(srv_ctx, opt_check_after);
  1003. if (opt_grant_implicitconf)
  1004. (void)OSSL_CMP_SRV_CTX_set_grant_implicit_confirm(srv_ctx, 1);
  1005. if (opt_failure != INT_MIN) { /* option has been set explicity */
  1006. if (opt_failure < 0 || OSSL_CMP_PKIFAILUREINFO_MAX < opt_failure) {
  1007. CMP_err1("-failure out of range, should be >= 0 and <= %d",
  1008. OSSL_CMP_PKIFAILUREINFO_MAX);
  1009. goto err;
  1010. }
  1011. if (opt_failurebits != 0)
  1012. CMP_warn("-failurebits overrides -failure");
  1013. else
  1014. opt_failurebits = 1 << opt_failure;
  1015. }
  1016. if ((unsigned)opt_failurebits > OSSL_CMP_PKIFAILUREINFO_MAX_BIT_PATTERN) {
  1017. CMP_err("-failurebits out of range");
  1018. goto err;
  1019. }
  1020. if (!ossl_cmp_mock_srv_set_statusInfo(srv_ctx, opt_pkistatus,
  1021. opt_failurebits, opt_statusstring))
  1022. goto err;
  1023. if (opt_send_error)
  1024. (void)ossl_cmp_mock_srv_set_sendError(srv_ctx, 1);
  1025. if (opt_send_unprotected)
  1026. (void)OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_UNPROTECTED_SEND, 1);
  1027. if (opt_send_unprot_err)
  1028. (void)OSSL_CMP_SRV_CTX_set_send_unprotected_errors(srv_ctx, 1);
  1029. if (opt_accept_unprotected)
  1030. (void)OSSL_CMP_SRV_CTX_set_accept_unprotected(srv_ctx, 1);
  1031. if (opt_accept_unprot_err)
  1032. (void)OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_UNPROTECTED_ERRORS, 1);
  1033. if (opt_accept_raverified)
  1034. (void)OSSL_CMP_SRV_CTX_set_accept_raverified(srv_ctx, 1);
  1035. return srv_ctx;
  1036. err:
  1037. ossl_cmp_mock_srv_free(srv_ctx);
  1038. return NULL;
  1039. }
  1040. /*
  1041. * set up verification aspects of OSSL_CMP_CTX w.r.t. opts from config file/CLI.
  1042. * Returns pointer on success, NULL on error
  1043. */
  1044. static int setup_verification_ctx(OSSL_CMP_CTX *ctx)
  1045. {
  1046. if (!setup_certs(opt_untrusted, "untrusted certificates", ctx,
  1047. (add_X509_stack_fn_t)OSSL_CMP_CTX_set1_untrusted))
  1048. return 0;
  1049. if (opt_srvcert != NULL || opt_trusted != NULL) {
  1050. X509 *srvcert;
  1051. X509_STORE *ts;
  1052. int ok;
  1053. if (opt_srvcert != NULL) {
  1054. if (opt_trusted != NULL) {
  1055. CMP_warn("-trusted option is ignored since -srvcert option is present");
  1056. opt_trusted = NULL;
  1057. }
  1058. if (opt_recipient != NULL) {
  1059. CMP_warn("-recipient option is ignored since -srvcert option is present");
  1060. opt_recipient = NULL;
  1061. }
  1062. srvcert = load_cert_pwd(opt_srvcert, opt_otherpass,
  1063. "directly trusted CMP server certificate");
  1064. ok = srvcert != NULL && OSSL_CMP_CTX_set1_srvCert(ctx, srvcert);
  1065. X509_free(srvcert);
  1066. if (!ok)
  1067. return 0;
  1068. }
  1069. if (opt_trusted != NULL) {
  1070. /*
  1071. * the 0 arg below clears any expected host/ip/email address;
  1072. * opt_expect_sender is used instead
  1073. */
  1074. ts = load_trusted(opt_trusted, 0, "certs trusted by client");
  1075. if (ts == NULL || !OSSL_CMP_CTX_set0_trustedStore(ctx, ts)) {
  1076. X509_STORE_free(ts);
  1077. return 0;
  1078. }
  1079. }
  1080. }
  1081. if (opt_ignore_keyusage)
  1082. (void)OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_IGNORE_KEYUSAGE, 1);
  1083. if (opt_unprotected_errors)
  1084. (void)OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_UNPROTECTED_ERRORS, 1);
  1085. if (opt_out_trusted != NULL) { /* for use in OSSL_CMP_certConf_cb() */
  1086. X509_VERIFY_PARAM *out_vpm = NULL;
  1087. X509_STORE *out_trusted =
  1088. load_trusted(opt_out_trusted, 1,
  1089. "trusted certs for verifying newly enrolled cert");
  1090. if (out_trusted == NULL)
  1091. return 0;
  1092. /* ignore any -attime here, new certs are current anyway */
  1093. out_vpm = X509_STORE_get0_param(out_trusted);
  1094. X509_VERIFY_PARAM_clear_flags(out_vpm, X509_V_FLAG_USE_CHECK_TIME);
  1095. (void)OSSL_CMP_CTX_set_certConf_cb_arg(ctx, out_trusted);
  1096. }
  1097. if (opt_disable_confirm)
  1098. (void)OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_DISABLE_CONFIRM, 1);
  1099. if (opt_implicit_confirm)
  1100. (void)OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_IMPLICIT_CONFIRM, 1);
  1101. return 1;
  1102. }
  1103. #ifndef OPENSSL_NO_SOCK
  1104. /*
  1105. * set up ssl_ctx for the OSSL_CMP_CTX based on options from config file/CLI.
  1106. * Returns pointer on success, NULL on error
  1107. */
  1108. static SSL_CTX *setup_ssl_ctx(OSSL_CMP_CTX *ctx, const char *host,
  1109. ENGINE *engine)
  1110. {
  1111. STACK_OF(X509) *untrusted = OSSL_CMP_CTX_get0_untrusted(ctx);
  1112. EVP_PKEY *pkey = NULL;
  1113. X509_STORE *trust_store = NULL;
  1114. SSL_CTX *ssl_ctx;
  1115. int i;
  1116. ssl_ctx = SSL_CTX_new(TLS_client_method());
  1117. if (ssl_ctx == NULL)
  1118. return NULL;
  1119. if (opt_tls_trusted != NULL) {
  1120. trust_store = load_trusted(opt_tls_trusted, 0, "trusted TLS certs");
  1121. if (trust_store == NULL)
  1122. goto err;
  1123. SSL_CTX_set_cert_store(ssl_ctx, trust_store);
  1124. }
  1125. if (opt_tls_cert != NULL && opt_tls_key != NULL) {
  1126. X509 *cert;
  1127. STACK_OF(X509) *certs = NULL;
  1128. int ok;
  1129. if (!load_cert_certs(opt_tls_cert, &cert, &certs, 0, opt_tls_keypass,
  1130. "TLS client certificate (optionally with chain)",
  1131. vpm))
  1132. /* need opt_tls_keypass if opt_tls_cert is encrypted PKCS#12 file */
  1133. goto err;
  1134. ok = SSL_CTX_use_certificate(ssl_ctx, cert) > 0;
  1135. X509_free(cert);
  1136. /*
  1137. * Any further certs and any untrusted certs are used for constructing
  1138. * the chain to be provided with the TLS client cert to the TLS server.
  1139. */
  1140. if (!ok || !SSL_CTX_set0_chain(ssl_ctx, certs)) {
  1141. CMP_err1("unable to use client TLS certificate file '%s'",
  1142. opt_tls_cert);
  1143. sk_X509_pop_free(certs, X509_free);
  1144. goto err;
  1145. }
  1146. for (i = 0; i < sk_X509_num(untrusted); i++) {
  1147. cert = sk_X509_value(untrusted, i);
  1148. if (!SSL_CTX_add1_chain_cert(ssl_ctx, cert)) {
  1149. CMP_err("could not add untrusted cert to TLS client cert chain");
  1150. goto err;
  1151. }
  1152. }
  1153. {
  1154. X509_VERIFY_PARAM *tls_vpm = NULL;
  1155. unsigned long bak_flags = 0; /* compiler warns without init */
  1156. if (trust_store != NULL) {
  1157. tls_vpm = X509_STORE_get0_param(trust_store);
  1158. bak_flags = X509_VERIFY_PARAM_get_flags(tls_vpm);
  1159. /* disable any cert status/revocation checking etc. */
  1160. X509_VERIFY_PARAM_clear_flags(tls_vpm,
  1161. ~(X509_V_FLAG_USE_CHECK_TIME
  1162. | X509_V_FLAG_NO_CHECK_TIME
  1163. | X509_V_FLAG_PARTIAL_CHAIN
  1164. | X509_V_FLAG_POLICY_CHECK));
  1165. }
  1166. CMP_debug("trying to build cert chain for own TLS cert");
  1167. if (SSL_CTX_build_cert_chain(ssl_ctx,
  1168. SSL_BUILD_CHAIN_FLAG_UNTRUSTED |
  1169. SSL_BUILD_CHAIN_FLAG_NO_ROOT)) {
  1170. CMP_debug("success building cert chain for own TLS cert");
  1171. } else {
  1172. OSSL_CMP_CTX_print_errors(ctx);
  1173. CMP_warn("could not build cert chain for own TLS cert");
  1174. }
  1175. if (trust_store != NULL)
  1176. X509_VERIFY_PARAM_set_flags(tls_vpm, bak_flags);
  1177. }
  1178. /* If present we append to the list also the certs from opt_tls_extra */
  1179. if (opt_tls_extra != NULL) {
  1180. STACK_OF(X509) *tls_extra = load_certs_multifile(opt_tls_extra,
  1181. opt_otherpass,
  1182. "extra certificates for TLS",
  1183. vpm);
  1184. int res = 1;
  1185. if (tls_extra == NULL)
  1186. goto err;
  1187. for (i = 0; i < sk_X509_num(tls_extra); i++) {
  1188. cert = sk_X509_value(tls_extra, i);
  1189. if (res != 0)
  1190. res = SSL_CTX_add_extra_chain_cert(ssl_ctx, cert);
  1191. if (res == 0)
  1192. X509_free(cert);
  1193. }
  1194. sk_X509_free(tls_extra);
  1195. if (res == 0) {
  1196. BIO_printf(bio_err, "error: unable to add TLS extra certs\n");
  1197. goto err;
  1198. }
  1199. }
  1200. pkey = load_key_pwd(opt_tls_key, opt_keyform, opt_tls_keypass,
  1201. engine, "TLS client private key");
  1202. cleanse(opt_tls_keypass);
  1203. if (pkey == NULL)
  1204. goto err;
  1205. /*
  1206. * verify the key matches the cert,
  1207. * not using SSL_CTX_check_private_key(ssl_ctx)
  1208. * because it gives poor and sometimes misleading diagnostics
  1209. */
  1210. if (!X509_check_private_key(SSL_CTX_get0_certificate(ssl_ctx),
  1211. pkey)) {
  1212. CMP_err2("TLS private key '%s' does not match the TLS certificate '%s'\n",
  1213. opt_tls_key, opt_tls_cert);
  1214. EVP_PKEY_free(pkey);
  1215. pkey = NULL; /* otherwise, for some reason double free! */
  1216. goto err;
  1217. }
  1218. if (SSL_CTX_use_PrivateKey(ssl_ctx, pkey) <= 0) {
  1219. CMP_err1("unable to use TLS client private key '%s'", opt_tls_key);
  1220. EVP_PKEY_free(pkey);
  1221. pkey = NULL; /* otherwise, for some reason double free! */
  1222. goto err;
  1223. }
  1224. EVP_PKEY_free(pkey); /* we do not need the handle any more */
  1225. }
  1226. if (opt_tls_trusted != NULL) {
  1227. /* enable and parameterize server hostname/IP address check */
  1228. if (!truststore_set_host_etc(trust_store,
  1229. opt_tls_host != NULL ? opt_tls_host : host))
  1230. goto err;
  1231. SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL);
  1232. }
  1233. return ssl_ctx;
  1234. err:
  1235. SSL_CTX_free(ssl_ctx);
  1236. return NULL;
  1237. }
  1238. #endif /* OPENSSL_NO_SOCK */
  1239. /*
  1240. * set up protection aspects of OSSL_CMP_CTX based on options from config
  1241. * file/CLI while parsing options and checking their consistency.
  1242. * Returns 1 on success, 0 on error
  1243. */
  1244. static int setup_protection_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
  1245. {
  1246. if (!opt_unprotected_requests && opt_secret == NULL && opt_key == NULL) {
  1247. CMP_err("must give -key or -secret unless -unprotected_requests is used");
  1248. return 0;
  1249. }
  1250. if (opt_ref == NULL && opt_cert == NULL && opt_subject == NULL) {
  1251. /* cert or subject should determine the sender */
  1252. CMP_err("must give -ref if no -cert and no -subject given");
  1253. return 0;
  1254. }
  1255. if (!opt_secret && ((opt_cert == NULL) != (opt_key == NULL))) {
  1256. CMP_err("must give both -cert and -key options or neither");
  1257. return 0;
  1258. }
  1259. if (opt_secret != NULL) {
  1260. char *pass_string = get_passwd(opt_secret, "PBMAC");
  1261. int res;
  1262. if (pass_string != NULL) {
  1263. cleanse(opt_secret);
  1264. res = OSSL_CMP_CTX_set1_secretValue(ctx,
  1265. (unsigned char *)pass_string,
  1266. strlen(pass_string));
  1267. clear_free(pass_string);
  1268. if (res == 0)
  1269. return 0;
  1270. }
  1271. if (opt_cert != NULL || opt_key != NULL)
  1272. CMP_warn("-cert and -key not used for protection since -secret is given");
  1273. }
  1274. if (opt_ref != NULL
  1275. && !OSSL_CMP_CTX_set1_referenceValue(ctx, (unsigned char *)opt_ref,
  1276. strlen(opt_ref)))
  1277. return 0;
  1278. if (opt_key != NULL) {
  1279. EVP_PKEY *pkey = load_key_pwd(opt_key, opt_keyform, opt_keypass, engine,
  1280. "private key for CMP client certificate");
  1281. if (pkey == NULL || !OSSL_CMP_CTX_set1_pkey(ctx, pkey)) {
  1282. EVP_PKEY_free(pkey);
  1283. return 0;
  1284. }
  1285. EVP_PKEY_free(pkey);
  1286. }
  1287. if (opt_secret == NULL && opt_srvcert == NULL && opt_trusted == NULL)
  1288. CMP_warn("will not authenticate server due to missing -secret, -trusted, or -srvcert");
  1289. if (opt_cert != NULL) {
  1290. X509 *cert;
  1291. STACK_OF(X509) *certs = NULL;
  1292. X509_STORE *own_trusted = NULL;
  1293. int ok;
  1294. if (!load_cert_certs(opt_cert, &cert, &certs, 0, opt_keypass,
  1295. "CMP client certificate (optionally with chain)",
  1296. vpm))
  1297. /* opt_keypass is needed if opt_cert is an encrypted PKCS#12 file */
  1298. return 0;
  1299. ok = OSSL_CMP_CTX_set1_cert(ctx, cert);
  1300. X509_free(cert);
  1301. if (!ok) {
  1302. CMP_err("out of memory");
  1303. } else {
  1304. if (opt_own_trusted != NULL) {
  1305. own_trusted = load_trusted(opt_own_trusted, 0,
  1306. "trusted certs for verifying own CMP signer cert");
  1307. ok = own_trusted != NULL;
  1308. }
  1309. ok = ok && OSSL_CMP_CTX_build_cert_chain(ctx, own_trusted, certs);
  1310. }
  1311. X509_STORE_free(own_trusted);
  1312. sk_X509_pop_free(certs, X509_free);
  1313. if (!ok)
  1314. return 0;
  1315. } else if (opt_own_trusted != NULL) {
  1316. CMP_warn("-own_trusted option is ignored without -cert");
  1317. }
  1318. if (!setup_certs(opt_extracerts, "extra certificates for CMP", ctx,
  1319. (add_X509_stack_fn_t)OSSL_CMP_CTX_set1_extraCertsOut))
  1320. return 0;
  1321. cleanse(opt_otherpass);
  1322. if (opt_unprotected_requests)
  1323. (void)OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_UNPROTECTED_SEND, 1);
  1324. if (opt_digest != NULL) {
  1325. int digest = OBJ_ln2nid(opt_digest);
  1326. if (digest == NID_undef) {
  1327. CMP_err1("digest algorithm name not recognized: '%s'", opt_digest);
  1328. return 0;
  1329. }
  1330. if (!OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_DIGEST_ALGNID, digest)
  1331. || !OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_OWF_ALGNID, digest)) {
  1332. CMP_err1("digest algorithm name not supported: '%s'", opt_digest);
  1333. return 0;
  1334. }
  1335. }
  1336. if (opt_mac != NULL) {
  1337. int mac = OBJ_ln2nid(opt_mac);
  1338. if (mac == NID_undef) {
  1339. CMP_err1("MAC algorithm name not recognized: '%s'", opt_mac);
  1340. return 0;
  1341. }
  1342. (void)OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_MAC_ALGNID, mac);
  1343. }
  1344. return 1;
  1345. }
  1346. /*
  1347. * set up IR/CR/KUR/CertConf/RR specific parts of the OSSL_CMP_CTX
  1348. * based on options from config file/CLI.
  1349. * Returns pointer on success, NULL on error
  1350. */
  1351. static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
  1352. {
  1353. X509_REQ *csr = NULL;
  1354. X509_EXTENSIONS *exts = NULL;
  1355. X509V3_CTX ext_ctx;
  1356. if (opt_subject == NULL
  1357. && opt_csr == NULL && opt_oldcert == NULL && opt_cert == NULL
  1358. && opt_cmd != CMP_RR && opt_cmd != CMP_GENM)
  1359. CMP_warn("no -subject given; no -csr or -oldcert or -cert available for fallback");
  1360. if (opt_cmd == CMP_IR || opt_cmd == CMP_CR || opt_cmd == CMP_KUR) {
  1361. if (opt_newkey == NULL
  1362. && opt_key == NULL && opt_csr == NULL && opt_oldcert == NULL) {
  1363. CMP_err("missing -newkey (or -key) to be certified and no -csr, -oldcert, or -cert given for fallback public key");
  1364. return 0;
  1365. }
  1366. if (opt_newkey == NULL
  1367. && opt_popo != OSSL_CRMF_POPO_NONE
  1368. && opt_popo != OSSL_CRMF_POPO_RAVERIFIED) {
  1369. if (opt_csr != NULL) {
  1370. CMP_err1("no -newkey option given with private key for POPO, -csr option only provides public key%s",
  1371. opt_key == NULL ? "" :
  1372. ", and -key option superseded by by -csr");
  1373. return 0;
  1374. }
  1375. if (opt_key == NULL) {
  1376. CMP_err("missing -newkey (or -key) option for POPO");
  1377. return 0;
  1378. }
  1379. }
  1380. if (opt_certout == NULL) {
  1381. CMP_err("-certout not given, nowhere to save newly enrolled certificate");
  1382. return 0;
  1383. }
  1384. if (!set_name(opt_subject, OSSL_CMP_CTX_set1_subjectName, ctx, "subject")
  1385. || !set_name(opt_issuer, OSSL_CMP_CTX_set1_issuer, ctx, "issuer"))
  1386. return 0;
  1387. } else {
  1388. const char *msg = "option is ignored for commands other than 'ir', 'cr', and 'kur'";
  1389. if (opt_subject != NULL) {
  1390. if (opt_ref == NULL && opt_cert == NULL) {
  1391. /* use subject as default sender unless oldcert subject is used */
  1392. if (!set_name(opt_subject, OSSL_CMP_CTX_set1_subjectName, ctx, "subject"))
  1393. return 0;
  1394. } else {
  1395. CMP_warn1("-subject %s since -ref or -cert is given", msg);
  1396. }
  1397. }
  1398. if (opt_issuer != NULL)
  1399. CMP_warn1("-issuer %s", msg);
  1400. if (opt_reqexts != NULL)
  1401. CMP_warn1("-reqexts %s", msg);
  1402. if (opt_san_nodefault)
  1403. CMP_warn1("-san_nodefault %s", msg);
  1404. if (opt_sans != NULL)
  1405. CMP_warn1("-sans %s", msg);
  1406. if (opt_policies != NULL)
  1407. CMP_warn1("-policies %s", msg);
  1408. if (opt_policy_oids != NULL)
  1409. CMP_warn1("-policy_oids %s", msg);
  1410. }
  1411. if (opt_cmd == CMP_KUR) {
  1412. char *ref_cert = opt_oldcert != NULL ? opt_oldcert : opt_cert;
  1413. if (ref_cert == NULL && opt_csr == NULL) {
  1414. CMP_err("missing -oldcert for certificate to be updated and no -csr given");
  1415. return 0;
  1416. }
  1417. if (opt_subject != NULL)
  1418. CMP_warn2("given -subject '%s' overrides the subject of '%s' for KUR",
  1419. opt_subject, ref_cert != NULL ? ref_cert : opt_csr);
  1420. }
  1421. if (opt_cmd == CMP_RR) {
  1422. if (opt_oldcert == NULL && opt_csr == NULL) {
  1423. CMP_err("missing -oldcert for certificate to be revoked and no -csr given");
  1424. return 0;
  1425. }
  1426. if (opt_oldcert != NULL && opt_csr != NULL)
  1427. CMP_warn("ignoring -csr since certificate to be revoked is given");
  1428. }
  1429. if (opt_cmd == CMP_P10CR && opt_csr == NULL) {
  1430. CMP_err("missing PKCS#10 CSR for p10cr");
  1431. return 0;
  1432. }
  1433. if (opt_recipient == NULL && opt_srvcert == NULL && opt_issuer == NULL
  1434. && opt_oldcert == NULL && opt_cert == NULL)
  1435. CMP_warn("missing -recipient, -srvcert, -issuer, -oldcert or -cert; recipient will be set to \"NULL-DN\"");
  1436. if (opt_cmd == CMP_P10CR || opt_cmd == CMP_RR) {
  1437. const char *msg = "option is ignored for 'p10cr' and 'rr' commands";
  1438. if (opt_newkeypass != NULL)
  1439. CMP_warn1("-newkeytype %s", msg);
  1440. if (opt_newkey != NULL)
  1441. CMP_warn1("-newkey %s", msg);
  1442. if (opt_days != 0)
  1443. CMP_warn1("-days %s", msg);
  1444. if (opt_popo != OSSL_CRMF_POPO_NONE - 1)
  1445. CMP_warn1("-popo %s", msg);
  1446. } else if (opt_newkey != NULL) {
  1447. const char *file = opt_newkey;
  1448. const int format = opt_keyform;
  1449. const char *pass = opt_newkeypass;
  1450. const char *desc = "new private key for cert to be enrolled";
  1451. EVP_PKEY *pkey;
  1452. int priv = 1;
  1453. BIO *bio_bak = bio_err;
  1454. bio_err = NULL; /* suppress diagnostics on first try loading key */
  1455. pkey = load_key_pwd(file, format, pass, engine, desc);
  1456. bio_err = bio_bak;
  1457. if (pkey == NULL) {
  1458. ERR_clear_error();
  1459. desc = opt_csr == NULL
  1460. ? "fallback public key for cert to be enrolled"
  1461. : "public key for checking cert resulting from p10cr";
  1462. pkey = load_pubkey(file, format, 0, pass, engine, desc);
  1463. priv = 0;
  1464. }
  1465. cleanse(opt_newkeypass);
  1466. if (pkey == NULL || !OSSL_CMP_CTX_set0_newPkey(ctx, priv, pkey)) {
  1467. EVP_PKEY_free(pkey);
  1468. return 0;
  1469. }
  1470. }
  1471. if (opt_days > 0
  1472. && !OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_VALIDITY_DAYS,
  1473. opt_days)) {
  1474. CMP_err("could not set requested cert validity period");
  1475. return 0;
  1476. }
  1477. if (opt_policies != NULL && opt_policy_oids != NULL) {
  1478. CMP_err("cannot have policies both via -policies and via -policy_oids");
  1479. return 0;
  1480. }
  1481. if (opt_csr != NULL) {
  1482. if (opt_cmd == CMP_GENM) {
  1483. CMP_warn("-csr option is ignored for command 'genm'");
  1484. } else {
  1485. if ((csr = load_csr_autofmt(opt_csr, "PKCS#10 CSR")) == NULL)
  1486. return 0;
  1487. if (!OSSL_CMP_CTX_set1_p10CSR(ctx, csr))
  1488. goto oom;
  1489. }
  1490. }
  1491. if (opt_reqexts != NULL || opt_policies != NULL) {
  1492. if ((exts = sk_X509_EXTENSION_new_null()) == NULL)
  1493. goto oom;
  1494. X509V3_set_ctx(&ext_ctx, NULL, NULL, csr, NULL, X509V3_CTX_REPLACE);
  1495. X509V3_set_nconf(&ext_ctx, conf);
  1496. if (opt_reqexts != NULL
  1497. && !X509V3_EXT_add_nconf_sk(conf, &ext_ctx, opt_reqexts, &exts)) {
  1498. CMP_err1("cannot load certificate request extension section '%s'",
  1499. opt_reqexts);
  1500. goto exts_err;
  1501. }
  1502. if (opt_policies != NULL
  1503. && !X509V3_EXT_add_nconf_sk(conf, &ext_ctx, opt_policies, &exts)) {
  1504. CMP_err1("cannot load policy cert request extension section '%s'",
  1505. opt_policies);
  1506. goto exts_err;
  1507. }
  1508. OSSL_CMP_CTX_set0_reqExtensions(ctx, exts);
  1509. }
  1510. X509_REQ_free(csr);
  1511. /* After here, must not goto oom/exts_err */
  1512. if (OSSL_CMP_CTX_reqExtensions_have_SAN(ctx) && opt_sans != NULL) {
  1513. CMP_err("cannot have Subject Alternative Names both via -reqexts and via -sans");
  1514. return 0;
  1515. }
  1516. if (!set_gennames(ctx, opt_sans, "Subject Alternative Name"))
  1517. return 0;
  1518. if (opt_san_nodefault) {
  1519. if (opt_sans != NULL)
  1520. CMP_warn("-opt_san_nodefault has no effect when -sans is used");
  1521. (void)OSSL_CMP_CTX_set_option(ctx,
  1522. OSSL_CMP_OPT_SUBJECTALTNAME_NODEFAULT, 1);
  1523. }
  1524. if (opt_policy_oids_critical) {
  1525. if (opt_policy_oids == NULL)
  1526. CMP_warn("-opt_policy_oids_critical has no effect unless -policy_oids is given");
  1527. (void)OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_POLICIES_CRITICAL, 1);
  1528. }
  1529. while (opt_policy_oids != NULL) {
  1530. ASN1_OBJECT *policy;
  1531. POLICYINFO *pinfo;
  1532. char *next = next_item(opt_policy_oids);
  1533. if ((policy = OBJ_txt2obj(opt_policy_oids, 1)) == 0) {
  1534. CMP_err1("unknown policy OID '%s'", opt_policy_oids);
  1535. return 0;
  1536. }
  1537. if ((pinfo = POLICYINFO_new()) == NULL) {
  1538. ASN1_OBJECT_free(policy);
  1539. return 0;
  1540. }
  1541. pinfo->policyid = policy;
  1542. if (!OSSL_CMP_CTX_push0_policy(ctx, pinfo)) {
  1543. CMP_err1("cannot add policy with OID '%s'", opt_policy_oids);
  1544. POLICYINFO_free(pinfo);
  1545. return 0;
  1546. }
  1547. opt_policy_oids = next;
  1548. }
  1549. if (opt_popo >= OSSL_CRMF_POPO_NONE)
  1550. (void)OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_POPO_METHOD, opt_popo);
  1551. if (opt_oldcert != NULL) {
  1552. if (opt_cmd == CMP_GENM) {
  1553. CMP_warn("-oldcert option is ignored for command 'genm'");
  1554. } else {
  1555. X509 *oldcert = load_cert_pwd(opt_oldcert, opt_keypass,
  1556. opt_cmd == CMP_KUR ?
  1557. "certificate to be updated" :
  1558. opt_cmd == CMP_RR ?
  1559. "certificate to be revoked" :
  1560. "reference certificate (oldcert)");
  1561. /* opt_keypass needed if opt_oldcert is an encrypted PKCS#12 file */
  1562. if (oldcert == NULL)
  1563. return 0;
  1564. if (!OSSL_CMP_CTX_set1_oldCert(ctx, oldcert)) {
  1565. X509_free(oldcert);
  1566. CMP_err("out of memory");
  1567. return 0;
  1568. }
  1569. X509_free(oldcert);
  1570. }
  1571. }
  1572. cleanse(opt_keypass);
  1573. if (opt_revreason > CRL_REASON_NONE)
  1574. (void)OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_REVOCATION_REASON,
  1575. opt_revreason);
  1576. return 1;
  1577. oom:
  1578. CMP_err("out of memory");
  1579. exts_err:
  1580. sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
  1581. X509_REQ_free(csr);
  1582. return 0;
  1583. }
  1584. static int handle_opt_geninfo(OSSL_CMP_CTX *ctx)
  1585. {
  1586. long value;
  1587. ASN1_OBJECT *type;
  1588. ASN1_INTEGER *aint;
  1589. ASN1_TYPE *val;
  1590. OSSL_CMP_ITAV *itav;
  1591. char *endstr;
  1592. char *valptr = strchr(opt_geninfo, ':');
  1593. if (valptr == NULL) {
  1594. CMP_err("missing ':' in -geninfo option");
  1595. return 0;
  1596. }
  1597. valptr[0] = '\0';
  1598. valptr++;
  1599. if (OPENSSL_strncasecmp(valptr, "int:", 4) != 0) {
  1600. CMP_err("missing 'int:' in -geninfo option");
  1601. return 0;
  1602. }
  1603. valptr += 4;
  1604. value = strtol(valptr, &endstr, 10);
  1605. if (endstr == valptr || *endstr != '\0') {
  1606. CMP_err("cannot parse int in -geninfo option");
  1607. return 0;
  1608. }
  1609. type = OBJ_txt2obj(opt_geninfo, 1);
  1610. if (type == NULL) {
  1611. CMP_err("cannot parse OID in -geninfo option");
  1612. return 0;
  1613. }
  1614. if ((aint = ASN1_INTEGER_new()) == NULL)
  1615. goto oom;
  1616. val = ASN1_TYPE_new();
  1617. if (!ASN1_INTEGER_set(aint, value) || val == NULL) {
  1618. ASN1_INTEGER_free(aint);
  1619. goto oom;
  1620. }
  1621. ASN1_TYPE_set(val, V_ASN1_INTEGER, aint);
  1622. itav = OSSL_CMP_ITAV_create(type, val);
  1623. if (itav == NULL) {
  1624. ASN1_TYPE_free(val);
  1625. goto oom;
  1626. }
  1627. if (!OSSL_CMP_CTX_push0_geninfo_ITAV(ctx, itav)) {
  1628. OSSL_CMP_ITAV_free(itav);
  1629. return 0;
  1630. }
  1631. return 1;
  1632. oom:
  1633. ASN1_OBJECT_free(type);
  1634. CMP_err("out of memory");
  1635. return 0;
  1636. }
  1637. /*
  1638. * set up the client-side OSSL_CMP_CTX based on options from config file/CLI
  1639. * while parsing options and checking their consistency.
  1640. * Prints reason for error to bio_err.
  1641. * Returns 1 on success, 0 on error
  1642. */
  1643. static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
  1644. {
  1645. int ret = 0;
  1646. char *host = NULL, *port = NULL, *path = NULL, *used_path = opt_path;
  1647. #ifndef OPENSSL_NO_SOCK
  1648. int portnum, ssl;
  1649. static char server_port[32] = { '\0' };
  1650. const char *proxy_host = NULL;
  1651. #endif
  1652. char server_buf[200] = "mock server";
  1653. char proxy_buf[200] = "";
  1654. if (!opt_use_mock_srv && opt_rspin == NULL) { /* note: -port is not given */
  1655. #ifndef OPENSSL_NO_SOCK
  1656. if (opt_server == NULL) {
  1657. CMP_err("missing -server or -use_mock_srv or -rspin option");
  1658. goto err;
  1659. }
  1660. #else
  1661. CMP_err("missing -use_mock_srv or -rspin option; -server option is not supported due to no-sock build");
  1662. goto err;
  1663. #endif
  1664. }
  1665. #ifndef OPENSSL_NO_SOCK
  1666. if (opt_server == NULL) {
  1667. if (opt_proxy != NULL)
  1668. CMP_warn("ignoring -proxy option since -server is not given");
  1669. if (opt_no_proxy != NULL)
  1670. CMP_warn("ignoring -no_proxy option since -server is not given");
  1671. if (opt_tls_used) {
  1672. CMP_warn("ignoring -tls_used option since -server is not given");
  1673. opt_tls_used = 0;
  1674. }
  1675. goto set_path;
  1676. }
  1677. if (!OSSL_HTTP_parse_url(opt_server, &ssl, NULL /* user */, &host, &port,
  1678. &portnum, &path, NULL /* q */, NULL /* frag */)) {
  1679. CMP_err1("cannot parse -server URL: %s", opt_server);
  1680. goto err;
  1681. }
  1682. if (ssl && !opt_tls_used) {
  1683. CMP_err("missing -tls_used option since -server URL indicates https");
  1684. goto err;
  1685. }
  1686. BIO_snprintf(server_port, sizeof(server_port), "%s", port);
  1687. if (opt_path == NULL)
  1688. used_path = path;
  1689. if (!OSSL_CMP_CTX_set1_server(ctx, host)
  1690. || !OSSL_CMP_CTX_set_serverPort(ctx, portnum))
  1691. goto oom;
  1692. if (opt_proxy != NULL && !OSSL_CMP_CTX_set1_proxy(ctx, opt_proxy))
  1693. goto oom;
  1694. if (opt_no_proxy != NULL && !OSSL_CMP_CTX_set1_no_proxy(ctx, opt_no_proxy))
  1695. goto oom;
  1696. (void)BIO_snprintf(server_buf, sizeof(server_buf), "http%s://%s:%s/%s",
  1697. opt_tls_used ? "s" : "", host, port,
  1698. *used_path == '/' ? used_path + 1 : used_path);
  1699. proxy_host = OSSL_HTTP_adapt_proxy(opt_proxy, opt_no_proxy, host, ssl);
  1700. if (proxy_host != NULL)
  1701. (void)BIO_snprintf(proxy_buf, sizeof(proxy_buf), " via %s", proxy_host);
  1702. set_path:
  1703. #endif
  1704. if (!OSSL_CMP_CTX_set1_serverPath(ctx, used_path))
  1705. goto oom;
  1706. if (!transform_opts())
  1707. goto err;
  1708. if (opt_infotype_s != NULL) {
  1709. char id_buf[100] = "id-it-";
  1710. strncat(id_buf, opt_infotype_s, sizeof(id_buf) - strlen(id_buf) - 1);
  1711. if ((opt_infotype = OBJ_sn2nid(id_buf)) == NID_undef) {
  1712. CMP_err("unknown OID name in -infotype option");
  1713. goto err;
  1714. }
  1715. }
  1716. if (!setup_verification_ctx(ctx))
  1717. goto err;
  1718. if (opt_keep_alive != 1)
  1719. (void)OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_KEEP_ALIVE,
  1720. opt_keep_alive);
  1721. if (opt_total_timeout > 0 && opt_msg_timeout > 0
  1722. && opt_total_timeout < opt_msg_timeout) {
  1723. CMP_err2("-total_timeout argument = %d must not be < %d (-msg_timeout)",
  1724. opt_total_timeout, opt_msg_timeout);
  1725. goto err;
  1726. }
  1727. if (opt_msg_timeout >= 0) /* must do this before setup_ssl_ctx() */
  1728. (void)OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_MSG_TIMEOUT,
  1729. opt_msg_timeout);
  1730. if (opt_total_timeout >= 0)
  1731. (void)OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_TOTAL_TIMEOUT,
  1732. opt_total_timeout);
  1733. if (opt_rspin != NULL) {
  1734. rspin_in_use = 1;
  1735. if (opt_reqin != NULL)
  1736. CMP_warn("-reqin is ignored since -rspin is present");
  1737. }
  1738. if (opt_reqin_new_tid && opt_reqin == NULL)
  1739. CMP_warn("-reqin_new_tid is ignored since -reqin is not present");
  1740. if (opt_reqin != NULL || opt_reqout != NULL
  1741. || opt_rspin != NULL || opt_rspout != NULL || opt_use_mock_srv)
  1742. (void)OSSL_CMP_CTX_set_transfer_cb(ctx, read_write_req_resp);
  1743. #ifndef OPENSSL_NO_SOCK
  1744. if (opt_tls_used) {
  1745. APP_HTTP_TLS_INFO *info;
  1746. if (opt_tls_cert != NULL
  1747. || opt_tls_key != NULL || opt_tls_keypass != NULL) {
  1748. if (opt_tls_key == NULL) {
  1749. CMP_err("missing -tls_key option");
  1750. goto err;
  1751. } else if (opt_tls_cert == NULL) {
  1752. CMP_err("missing -tls_cert option");
  1753. goto err;
  1754. }
  1755. }
  1756. if ((info = OPENSSL_zalloc(sizeof(*info))) == NULL)
  1757. goto err;
  1758. (void)OSSL_CMP_CTX_set_http_cb_arg(ctx, info);
  1759. info->ssl_ctx = setup_ssl_ctx(ctx, host, engine);
  1760. info->server = host;
  1761. host = NULL; /* prevent deallocation */
  1762. if ((info->port = OPENSSL_strdup(server_port)) == NULL)
  1763. goto err;
  1764. /* workaround for callback design flaw, see #17088: */
  1765. info->use_proxy = proxy_host != NULL;
  1766. info->timeout = OSSL_CMP_CTX_get_option(ctx, OSSL_CMP_OPT_MSG_TIMEOUT);
  1767. if (info->ssl_ctx == NULL)
  1768. goto err;
  1769. (void)OSSL_CMP_CTX_set_http_cb(ctx, app_http_tls_cb);
  1770. }
  1771. #endif
  1772. if (!setup_protection_ctx(ctx, engine))
  1773. goto err;
  1774. if (!setup_request_ctx(ctx, engine))
  1775. goto err;
  1776. if (!set_name(opt_recipient, OSSL_CMP_CTX_set1_recipient, ctx, "recipient")
  1777. || !set_name(opt_expect_sender, OSSL_CMP_CTX_set1_expected_sender,
  1778. ctx, "expected sender"))
  1779. goto err;
  1780. if (opt_geninfo != NULL && !handle_opt_geninfo(ctx))
  1781. goto err;
  1782. /* not printing earlier, to minimize confusion in case setup fails before */
  1783. if (opt_rspin != NULL)
  1784. CMP_info2("will contact %s%s "
  1785. "only if -rspin argument gives too few filenames",
  1786. server_buf, proxy_buf);
  1787. else
  1788. CMP_info2("will contact %s%s", server_buf, proxy_buf);
  1789. ret = 1;
  1790. err:
  1791. OPENSSL_free(host);
  1792. OPENSSL_free(port);
  1793. OPENSSL_free(path);
  1794. return ret;
  1795. oom:
  1796. CMP_err("out of memory");
  1797. goto err;
  1798. }
  1799. /*
  1800. * write out the given certificate to the output specified by bio.
  1801. * Depending on options use either PEM or DER format.
  1802. * Returns 1 on success, 0 on error
  1803. */
  1804. static int write_cert(BIO *bio, X509 *cert)
  1805. {
  1806. if ((opt_certform == FORMAT_PEM && PEM_write_bio_X509(bio, cert))
  1807. || (opt_certform == FORMAT_ASN1 && i2d_X509_bio(bio, cert)))
  1808. return 1;
  1809. if (opt_certform != FORMAT_PEM && opt_certform != FORMAT_ASN1)
  1810. BIO_printf(bio_err,
  1811. "error: unsupported type '%s' for writing certificates\n",
  1812. opt_certform_s);
  1813. return 0;
  1814. }
  1815. /*
  1816. * If destFile != NULL writes out a stack of certs to the given file.
  1817. * In any case frees the certs.
  1818. * Depending on options use either PEM or DER format,
  1819. * where DER does not make much sense for writing more than one cert!
  1820. * Returns number of written certificates on success, -1 on error.
  1821. */
  1822. static int save_free_certs(OSSL_CMP_CTX *ctx,
  1823. STACK_OF(X509) *certs, char *destFile, char *desc)
  1824. {
  1825. BIO *bio = NULL;
  1826. int i;
  1827. int n = sk_X509_num(certs);
  1828. if (destFile == NULL)
  1829. goto end;
  1830. CMP_info3("received %d %s certificate(s), saving to file '%s'",
  1831. n, desc, destFile);
  1832. if (n > 1 && opt_certform != FORMAT_PEM)
  1833. CMP_warn("saving more than one certificate in non-PEM format");
  1834. if (destFile == NULL || (bio = BIO_new(BIO_s_file())) == NULL
  1835. || !BIO_write_filename(bio, (char *)destFile)) {
  1836. CMP_err1("could not open file '%s' for writing", destFile);
  1837. n = -1;
  1838. goto end;
  1839. }
  1840. for (i = 0; i < n; i++) {
  1841. if (!write_cert(bio, sk_X509_value(certs, i))) {
  1842. CMP_err1("cannot write certificate to file '%s'", destFile);
  1843. n = -1;
  1844. goto end;
  1845. }
  1846. }
  1847. end:
  1848. BIO_free(bio);
  1849. sk_X509_pop_free(certs, X509_free);
  1850. return n;
  1851. }
  1852. static void print_itavs(STACK_OF(OSSL_CMP_ITAV) *itavs)
  1853. {
  1854. OSSL_CMP_ITAV *itav = NULL;
  1855. char buf[128];
  1856. int i, r;
  1857. int n = sk_OSSL_CMP_ITAV_num(itavs); /* itavs == NULL leads to 0 */
  1858. if (n == 0) {
  1859. CMP_info("genp contains no ITAV");
  1860. return;
  1861. }
  1862. for (i = 0; i < n; i++) {
  1863. itav = sk_OSSL_CMP_ITAV_value(itavs, i);
  1864. r = OBJ_obj2txt(buf, 128, OSSL_CMP_ITAV_get0_type(itav), 0);
  1865. if (r < 0)
  1866. CMP_err("could not get ITAV details");
  1867. else if (r == 0)
  1868. CMP_info("genp contains empty ITAV");
  1869. else
  1870. CMP_info1("genp contains ITAV of type: %s", buf);
  1871. }
  1872. }
  1873. static char opt_item[SECTION_NAME_MAX + 1];
  1874. /* get previous name from a comma or space-separated list of names */
  1875. static const char *prev_item(const char *opt, const char *end)
  1876. {
  1877. const char *beg;
  1878. size_t len;
  1879. if (end == opt)
  1880. return NULL;
  1881. beg = end;
  1882. while (beg > opt) {
  1883. --beg;
  1884. if (beg[0] == ',' || isspace(_UC(beg[0]))) {
  1885. ++beg;
  1886. break;
  1887. }
  1888. }
  1889. len = end - beg;
  1890. if (len > SECTION_NAME_MAX) {
  1891. CMP_warn3("using only first %d characters of section name starting with \"%.*s\"",
  1892. SECTION_NAME_MAX, SECTION_NAME_MAX, beg);
  1893. len = SECTION_NAME_MAX;
  1894. }
  1895. memcpy(opt_item, beg, len);
  1896. opt_item[len] = '\0';
  1897. while (beg > opt) {
  1898. --beg;
  1899. if (beg[0] != ',' && !isspace(_UC(beg[0]))) {
  1900. ++beg;
  1901. break;
  1902. }
  1903. }
  1904. return beg;
  1905. }
  1906. /* get str value for name from a comma-separated hierarchy of config sections */
  1907. static char *conf_get_string(const CONF *src_conf, const char *groups,
  1908. const char *name)
  1909. {
  1910. char *res = NULL;
  1911. const char *end = groups + strlen(groups);
  1912. while ((end = prev_item(groups, end)) != NULL) {
  1913. if ((res = NCONF_get_string(src_conf, opt_item, name)) != NULL)
  1914. return res;
  1915. ERR_clear_error();
  1916. }
  1917. return res;
  1918. }
  1919. /* get long val for name from a comma-separated hierarchy of config sections */
  1920. static int conf_get_number_e(const CONF *conf_, const char *groups,
  1921. const char *name, long *result)
  1922. {
  1923. char *str = conf_get_string(conf_, groups, name);
  1924. char *tailptr;
  1925. long res;
  1926. if (str == NULL || *str == '\0')
  1927. return 0;
  1928. res = strtol(str, &tailptr, 10);
  1929. if (res == LONG_MIN || res == LONG_MAX || *tailptr != '\0')
  1930. return 0;
  1931. *result = res;
  1932. return 1;
  1933. }
  1934. /*
  1935. * use the command line option table to read values from the CMP section
  1936. * of openssl.cnf. Defaults are taken from the config file, they can be
  1937. * overwritten on the command line.
  1938. */
  1939. static int read_config(void)
  1940. {
  1941. unsigned int i;
  1942. long num = 0;
  1943. char *txt = NULL;
  1944. const OPTIONS *opt;
  1945. int start_opt = OPT_VERBOSITY - OPT_HELP;
  1946. int start_idx = OPT_VERBOSITY - 2;
  1947. /*
  1948. * starting with offset OPT_VERBOSITY because OPT_CONFIG and OPT_SECTION
  1949. * would not make sense within the config file.
  1950. */
  1951. int n_options = OSSL_NELEM(cmp_options) - 1;
  1952. for (opt = &cmp_options[start_opt], i = start_idx;
  1953. opt->name != NULL; i++, opt++)
  1954. if (!strcmp(opt->name, OPT_SECTION_STR)
  1955. || !strcmp(opt->name, OPT_MORE_STR))
  1956. n_options--;
  1957. OPENSSL_assert(OSSL_NELEM(cmp_vars) == n_options
  1958. + OPT_PROV__FIRST + 1 - OPT_PROV__LAST
  1959. + OPT_R__FIRST + 1 - OPT_R__LAST
  1960. + OPT_V__FIRST + 1 - OPT_V__LAST);
  1961. for (opt = &cmp_options[start_opt], i = start_idx;
  1962. opt->name != NULL; i++, opt++) {
  1963. int provider_option = (OPT_PROV__FIRST <= opt->retval
  1964. && opt->retval < OPT_PROV__LAST);
  1965. int rand_state_option = (OPT_R__FIRST <= opt->retval
  1966. && opt->retval < OPT_R__LAST);
  1967. int verification_option = (OPT_V__FIRST <= opt->retval
  1968. && opt->retval < OPT_V__LAST);
  1969. if (strcmp(opt->name, OPT_SECTION_STR) == 0
  1970. || strcmp(opt->name, OPT_MORE_STR) == 0) {
  1971. i--;
  1972. continue;
  1973. }
  1974. if (provider_option || rand_state_option || verification_option)
  1975. i--;
  1976. switch (opt->valtype) {
  1977. case '-':
  1978. case 'p':
  1979. case 'n':
  1980. case 'N':
  1981. case 'l':
  1982. if (!conf_get_number_e(conf, opt_section, opt->name, &num)) {
  1983. ERR_clear_error();
  1984. continue; /* option not provided */
  1985. }
  1986. if (opt->valtype == 'p' && num <= 0) {
  1987. opt_printf_stderr("Non-positive number \"%ld\" for config option -%s\n",
  1988. num, opt->name);
  1989. return -1;
  1990. }
  1991. if (opt->valtype == 'N' && num < 0) {
  1992. opt_printf_stderr("Negative number \"%ld\" for config option -%s\n",
  1993. num, opt->name);
  1994. return -1;
  1995. }
  1996. break;
  1997. case 's':
  1998. case '>':
  1999. case 'M':
  2000. txt = conf_get_string(conf, opt_section, opt->name);
  2001. if (txt == NULL) {
  2002. ERR_clear_error();
  2003. continue; /* option not provided */
  2004. }
  2005. break;
  2006. default:
  2007. CMP_err2("internal: unsupported type '%c' for option '%s'",
  2008. opt->valtype, opt->name);
  2009. return 0;
  2010. break;
  2011. }
  2012. if (provider_option || verification_option) {
  2013. int conf_argc = 1;
  2014. char *conf_argv[3];
  2015. char arg1[82];
  2016. BIO_snprintf(arg1, 81, "-%s", (char *)opt->name);
  2017. conf_argv[0] = prog;
  2018. conf_argv[1] = arg1;
  2019. if (opt->valtype == '-') {
  2020. if (num != 0)
  2021. conf_argc = 2;
  2022. } else {
  2023. conf_argc = 3;
  2024. conf_argv[2] = conf_get_string(conf, opt_section, opt->name);
  2025. /* not NULL */
  2026. }
  2027. if (conf_argc > 1) {
  2028. (void)opt_init(conf_argc, conf_argv, cmp_options);
  2029. if (provider_option
  2030. ? !opt_provider(opt_next())
  2031. : !opt_verify(opt_next(), vpm)) {
  2032. CMP_err2("for option '%s' in config file section '%s'",
  2033. opt->name, opt_section);
  2034. return 0;
  2035. }
  2036. }
  2037. } else {
  2038. switch (opt->valtype) {
  2039. case '-':
  2040. case 'p':
  2041. case 'n':
  2042. case 'N':
  2043. if (num < INT_MIN || INT_MAX < num) {
  2044. BIO_printf(bio_err,
  2045. "integer value out of range for option '%s'\n",
  2046. opt->name);
  2047. return 0;
  2048. }
  2049. *cmp_vars[i].num = (int)num;
  2050. break;
  2051. case 'l':
  2052. *cmp_vars[i].num_long = num;
  2053. break;
  2054. default:
  2055. if (txt != NULL && txt[0] == '\0')
  2056. txt = NULL; /* reset option on empty string input */
  2057. *cmp_vars[i].txt = txt;
  2058. break;
  2059. }
  2060. }
  2061. }
  2062. return 1;
  2063. }
  2064. static char *opt_str(void)
  2065. {
  2066. char *arg = opt_arg();
  2067. if (arg[0] == '\0') {
  2068. CMP_warn1("%s option argument is empty string, resetting option",
  2069. opt_flag());
  2070. arg = NULL;
  2071. } else if (arg[0] == '-') {
  2072. CMP_warn1("%s option argument starts with hyphen", opt_flag());
  2073. }
  2074. return arg;
  2075. }
  2076. /* returns 1 on success, 0 on error, -1 on -help (i.e., stop with success) */
  2077. static int get_opts(int argc, char **argv)
  2078. {
  2079. OPTION_CHOICE o;
  2080. prog = opt_init(argc, argv, cmp_options);
  2081. while ((o = opt_next()) != OPT_EOF) {
  2082. switch (o) {
  2083. case OPT_EOF:
  2084. case OPT_ERR:
  2085. opthelp:
  2086. BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
  2087. return 0;
  2088. case OPT_HELP:
  2089. opt_help(cmp_options);
  2090. return -1;
  2091. case OPT_CONFIG: /* has already been handled */
  2092. case OPT_SECTION: /* has already been handled */
  2093. break;
  2094. case OPT_VERBOSITY:
  2095. if (!set_verbosity(opt_int_arg()))
  2096. goto opthelp;
  2097. break;
  2098. #ifndef OPENSSL_NO_SOCK
  2099. case OPT_SERVER:
  2100. opt_server = opt_str();
  2101. break;
  2102. case OPT_PROXY:
  2103. opt_proxy = opt_str();
  2104. break;
  2105. case OPT_NO_PROXY:
  2106. opt_no_proxy = opt_str();
  2107. break;
  2108. #endif
  2109. case OPT_RECIPIENT:
  2110. opt_recipient = opt_str();
  2111. break;
  2112. case OPT_PATH:
  2113. opt_path = opt_str();
  2114. break;
  2115. case OPT_KEEP_ALIVE:
  2116. opt_keep_alive = opt_int_arg();
  2117. if (opt_keep_alive > 2) {
  2118. CMP_err("-keep_alive argument must be 0, 1, or 2");
  2119. goto opthelp;
  2120. }
  2121. break;
  2122. case OPT_MSG_TIMEOUT:
  2123. opt_msg_timeout = opt_int_arg();
  2124. break;
  2125. case OPT_TOTAL_TIMEOUT:
  2126. opt_total_timeout = opt_int_arg();
  2127. break;
  2128. #ifndef OPENSSL_NO_SOCK
  2129. case OPT_TLS_USED:
  2130. opt_tls_used = 1;
  2131. break;
  2132. case OPT_TLS_CERT:
  2133. opt_tls_cert = opt_str();
  2134. break;
  2135. case OPT_TLS_KEY:
  2136. opt_tls_key = opt_str();
  2137. break;
  2138. case OPT_TLS_KEYPASS:
  2139. opt_tls_keypass = opt_str();
  2140. break;
  2141. case OPT_TLS_EXTRA:
  2142. opt_tls_extra = opt_str();
  2143. break;
  2144. case OPT_TLS_TRUSTED:
  2145. opt_tls_trusted = opt_str();
  2146. break;
  2147. case OPT_TLS_HOST:
  2148. opt_tls_host = opt_str();
  2149. break;
  2150. #endif
  2151. case OPT_REF:
  2152. opt_ref = opt_str();
  2153. break;
  2154. case OPT_SECRET:
  2155. opt_secret = opt_str();
  2156. break;
  2157. case OPT_CERT:
  2158. opt_cert = opt_str();
  2159. break;
  2160. case OPT_OWN_TRUSTED:
  2161. opt_own_trusted = opt_str();
  2162. break;
  2163. case OPT_KEY:
  2164. opt_key = opt_str();
  2165. break;
  2166. case OPT_KEYPASS:
  2167. opt_keypass = opt_str();
  2168. break;
  2169. case OPT_DIGEST:
  2170. opt_digest = opt_str();
  2171. break;
  2172. case OPT_MAC:
  2173. opt_mac = opt_str();
  2174. break;
  2175. case OPT_EXTRACERTS:
  2176. opt_extracerts = opt_str();
  2177. break;
  2178. case OPT_UNPROTECTED_REQUESTS:
  2179. opt_unprotected_requests = 1;
  2180. break;
  2181. case OPT_TRUSTED:
  2182. opt_trusted = opt_str();
  2183. break;
  2184. case OPT_UNTRUSTED:
  2185. opt_untrusted = opt_str();
  2186. break;
  2187. case OPT_SRVCERT:
  2188. opt_srvcert = opt_str();
  2189. break;
  2190. case OPT_EXPECT_SENDER:
  2191. opt_expect_sender = opt_str();
  2192. break;
  2193. case OPT_IGNORE_KEYUSAGE:
  2194. opt_ignore_keyusage = 1;
  2195. break;
  2196. case OPT_UNPROTECTED_ERRORS:
  2197. opt_unprotected_errors = 1;
  2198. break;
  2199. case OPT_EXTRACERTSOUT:
  2200. opt_extracertsout = opt_str();
  2201. break;
  2202. case OPT_CACERTSOUT:
  2203. opt_cacertsout = opt_str();
  2204. break;
  2205. case OPT_V_CASES:
  2206. if (!opt_verify(o, vpm))
  2207. goto opthelp;
  2208. break;
  2209. case OPT_CMD:
  2210. opt_cmd_s = opt_str();
  2211. break;
  2212. case OPT_INFOTYPE:
  2213. opt_infotype_s = opt_str();
  2214. break;
  2215. case OPT_GENINFO:
  2216. opt_geninfo = opt_str();
  2217. break;
  2218. case OPT_NEWKEY:
  2219. opt_newkey = opt_str();
  2220. break;
  2221. case OPT_NEWKEYPASS:
  2222. opt_newkeypass = opt_str();
  2223. break;
  2224. case OPT_SUBJECT:
  2225. opt_subject = opt_str();
  2226. break;
  2227. case OPT_ISSUER:
  2228. opt_issuer = opt_str();
  2229. break;
  2230. case OPT_DAYS:
  2231. opt_days = opt_int_arg();
  2232. break;
  2233. case OPT_REQEXTS:
  2234. opt_reqexts = opt_str();
  2235. break;
  2236. case OPT_SANS:
  2237. opt_sans = opt_str();
  2238. break;
  2239. case OPT_SAN_NODEFAULT:
  2240. opt_san_nodefault = 1;
  2241. break;
  2242. case OPT_POLICIES:
  2243. opt_policies = opt_str();
  2244. break;
  2245. case OPT_POLICY_OIDS:
  2246. opt_policy_oids = opt_str();
  2247. break;
  2248. case OPT_POLICY_OIDS_CRITICAL:
  2249. opt_policy_oids_critical = 1;
  2250. break;
  2251. case OPT_POPO:
  2252. opt_popo = opt_int_arg();
  2253. if (opt_popo < OSSL_CRMF_POPO_NONE
  2254. || opt_popo > OSSL_CRMF_POPO_KEYENC) {
  2255. CMP_err("invalid popo spec. Valid values are -1 .. 2");
  2256. goto opthelp;
  2257. }
  2258. break;
  2259. case OPT_CSR:
  2260. opt_csr = opt_str();
  2261. break;
  2262. case OPT_OUT_TRUSTED:
  2263. opt_out_trusted = opt_str();
  2264. break;
  2265. case OPT_IMPLICIT_CONFIRM:
  2266. opt_implicit_confirm = 1;
  2267. break;
  2268. case OPT_DISABLE_CONFIRM:
  2269. opt_disable_confirm = 1;
  2270. break;
  2271. case OPT_CERTOUT:
  2272. opt_certout = opt_str();
  2273. break;
  2274. case OPT_CHAINOUT:
  2275. opt_chainout = opt_str();
  2276. break;
  2277. case OPT_OLDCERT:
  2278. opt_oldcert = opt_str();
  2279. break;
  2280. case OPT_REVREASON:
  2281. opt_revreason = opt_int_arg();
  2282. if (opt_revreason < CRL_REASON_NONE
  2283. || opt_revreason > CRL_REASON_AA_COMPROMISE
  2284. || opt_revreason == 7) {
  2285. CMP_err("invalid revreason. Valid values are -1 .. 6, 8 .. 10");
  2286. goto opthelp;
  2287. }
  2288. break;
  2289. case OPT_CERTFORM:
  2290. opt_certform_s = opt_str();
  2291. break;
  2292. case OPT_KEYFORM:
  2293. opt_keyform_s = opt_str();
  2294. break;
  2295. case OPT_OTHERPASS:
  2296. opt_otherpass = opt_str();
  2297. break;
  2298. #ifndef OPENSSL_NO_ENGINE
  2299. case OPT_ENGINE:
  2300. opt_engine = opt_str();
  2301. break;
  2302. #endif
  2303. case OPT_PROV_CASES:
  2304. if (!opt_provider(o))
  2305. goto opthelp;
  2306. break;
  2307. case OPT_R_CASES:
  2308. if (!opt_rand(o))
  2309. goto opthelp;
  2310. break;
  2311. case OPT_BATCH:
  2312. opt_batch = 1;
  2313. break;
  2314. case OPT_REPEAT:
  2315. opt_repeat = opt_int_arg();
  2316. break;
  2317. case OPT_REQIN:
  2318. opt_reqin = opt_str();
  2319. break;
  2320. case OPT_REQIN_NEW_TID:
  2321. opt_reqin_new_tid = 1;
  2322. break;
  2323. case OPT_REQOUT:
  2324. opt_reqout = opt_str();
  2325. break;
  2326. case OPT_RSPIN:
  2327. opt_rspin = opt_str();
  2328. break;
  2329. case OPT_RSPOUT:
  2330. opt_rspout = opt_str();
  2331. break;
  2332. case OPT_USE_MOCK_SRV:
  2333. opt_use_mock_srv = 1;
  2334. break;
  2335. #ifndef OPENSSL_NO_SOCK
  2336. case OPT_PORT:
  2337. opt_port = opt_str();
  2338. break;
  2339. case OPT_MAX_MSGS:
  2340. opt_max_msgs = opt_int_arg();
  2341. break;
  2342. #endif
  2343. case OPT_SRV_REF:
  2344. opt_srv_ref = opt_str();
  2345. break;
  2346. case OPT_SRV_SECRET:
  2347. opt_srv_secret = opt_str();
  2348. break;
  2349. case OPT_SRV_CERT:
  2350. opt_srv_cert = opt_str();
  2351. break;
  2352. case OPT_SRV_KEY:
  2353. opt_srv_key = opt_str();
  2354. break;
  2355. case OPT_SRV_KEYPASS:
  2356. opt_srv_keypass = opt_str();
  2357. break;
  2358. case OPT_SRV_TRUSTED:
  2359. opt_srv_trusted = opt_str();
  2360. break;
  2361. case OPT_SRV_UNTRUSTED:
  2362. opt_srv_untrusted = opt_str();
  2363. break;
  2364. case OPT_RSP_CERT:
  2365. opt_rsp_cert = opt_str();
  2366. break;
  2367. case OPT_RSP_EXTRACERTS:
  2368. opt_rsp_extracerts = opt_str();
  2369. break;
  2370. case OPT_RSP_CAPUBS:
  2371. opt_rsp_capubs = opt_str();
  2372. break;
  2373. case OPT_POLL_COUNT:
  2374. opt_poll_count = opt_int_arg();
  2375. break;
  2376. case OPT_CHECK_AFTER:
  2377. opt_check_after = opt_int_arg();
  2378. break;
  2379. case OPT_GRANT_IMPLICITCONF:
  2380. opt_grant_implicitconf = 1;
  2381. break;
  2382. case OPT_PKISTATUS:
  2383. opt_pkistatus = opt_int_arg();
  2384. break;
  2385. case OPT_FAILURE:
  2386. opt_failure = opt_int_arg();
  2387. break;
  2388. case OPT_FAILUREBITS:
  2389. opt_failurebits = opt_int_arg();
  2390. break;
  2391. case OPT_STATUSSTRING:
  2392. opt_statusstring = opt_str();
  2393. break;
  2394. case OPT_SEND_ERROR:
  2395. opt_send_error = 1;
  2396. break;
  2397. case OPT_SEND_UNPROTECTED:
  2398. opt_send_unprotected = 1;
  2399. break;
  2400. case OPT_SEND_UNPROT_ERR:
  2401. opt_send_unprot_err = 1;
  2402. break;
  2403. case OPT_ACCEPT_UNPROTECTED:
  2404. opt_accept_unprotected = 1;
  2405. break;
  2406. case OPT_ACCEPT_UNPROT_ERR:
  2407. opt_accept_unprot_err = 1;
  2408. break;
  2409. case OPT_ACCEPT_RAVERIFIED:
  2410. opt_accept_raverified = 1;
  2411. break;
  2412. }
  2413. }
  2414. /* No extra args. */
  2415. argc = opt_num_rest();
  2416. argv = opt_rest();
  2417. if (argc != 0)
  2418. goto opthelp;
  2419. return 1;
  2420. }
  2421. #ifndef OPENSSL_NO_SOCK
  2422. static int cmp_server(OSSL_CMP_CTX *srv_cmp_ctx) {
  2423. BIO *acbio;
  2424. BIO *cbio = NULL;
  2425. int keep_alive = 0;
  2426. int msgs = 0;
  2427. int retry = 1;
  2428. int ret = 1;
  2429. if ((acbio = http_server_init_bio(prog, opt_port)) == NULL)
  2430. return 0;
  2431. while (opt_max_msgs <= 0 || msgs < opt_max_msgs) {
  2432. char *path = NULL;
  2433. OSSL_CMP_MSG *req = NULL;
  2434. OSSL_CMP_MSG *resp = NULL;
  2435. ret = http_server_get_asn1_req(ASN1_ITEM_rptr(OSSL_CMP_MSG),
  2436. (ASN1_VALUE **)&req, &path,
  2437. &cbio, acbio, &keep_alive,
  2438. prog, opt_port, 0, 0);
  2439. if (ret == 0) { /* no request yet */
  2440. if (retry) {
  2441. ossl_sleep(1000);
  2442. retry = 0;
  2443. continue;
  2444. }
  2445. ret = 0;
  2446. goto next;
  2447. }
  2448. if (ret++ == -1) /* fatal error */
  2449. break;
  2450. ret = 0;
  2451. msgs++;
  2452. if (req != NULL) {
  2453. if (strcmp(path, "") != 0 && strcmp(path, "pkix/") != 0) {
  2454. (void)http_server_send_status(cbio, 404, "Not Found");
  2455. CMP_err1("expecting empty path or 'pkix/' but got '%s'",
  2456. path);
  2457. OPENSSL_free(path);
  2458. OSSL_CMP_MSG_free(req);
  2459. goto next;
  2460. }
  2461. OPENSSL_free(path);
  2462. resp = OSSL_CMP_CTX_server_perform(cmp_ctx, req);
  2463. OSSL_CMP_MSG_free(req);
  2464. if (resp == NULL) {
  2465. (void)http_server_send_status(cbio,
  2466. 500, "Internal Server Error");
  2467. break; /* treated as fatal error */
  2468. }
  2469. ret = http_server_send_asn1_resp(cbio, keep_alive,
  2470. "application/pkixcmp",
  2471. ASN1_ITEM_rptr(OSSL_CMP_MSG),
  2472. (const ASN1_VALUE *)resp);
  2473. OSSL_CMP_MSG_free(resp);
  2474. if (!ret)
  2475. break; /* treated as fatal error */
  2476. }
  2477. next:
  2478. if (!ret) { /* on transmission error, cancel CMP transaction */
  2479. (void)OSSL_CMP_CTX_set1_transactionID(srv_cmp_ctx, NULL);
  2480. (void)OSSL_CMP_CTX_set1_senderNonce(srv_cmp_ctx, NULL);
  2481. }
  2482. if (!ret || !keep_alive
  2483. || OSSL_CMP_CTX_get_status(srv_cmp_ctx) != OSSL_CMP_PKISTATUS_trans
  2484. /* transaction closed by OSSL_CMP_CTX_server_perform() */) {
  2485. BIO_free_all(cbio);
  2486. cbio = NULL;
  2487. }
  2488. }
  2489. BIO_free_all(cbio);
  2490. BIO_free_all(acbio);
  2491. return ret;
  2492. }
  2493. #endif
  2494. static void print_status(void)
  2495. {
  2496. /* print PKIStatusInfo */
  2497. int status = OSSL_CMP_CTX_get_status(cmp_ctx);
  2498. char *buf = app_malloc(OSSL_CMP_PKISI_BUFLEN, "PKIStatusInfo buf");
  2499. const char *string =
  2500. OSSL_CMP_CTX_snprint_PKIStatus(cmp_ctx, buf, OSSL_CMP_PKISI_BUFLEN);
  2501. const char *from = "", *server = "";
  2502. #ifndef OPENSSL_NO_SOCK
  2503. if (opt_server != NULL) {
  2504. from = " from ";
  2505. server = opt_server;
  2506. }
  2507. #endif
  2508. CMP_print(bio_err,
  2509. status == OSSL_CMP_PKISTATUS_accepted
  2510. ? OSSL_CMP_LOG_INFO :
  2511. status == OSSL_CMP_PKISTATUS_rejection
  2512. || status == OSSL_CMP_PKISTATUS_waiting
  2513. ? OSSL_CMP_LOG_ERR : OSSL_CMP_LOG_WARNING,
  2514. status == OSSL_CMP_PKISTATUS_accepted ? "info" :
  2515. status == OSSL_CMP_PKISTATUS_rejection ? "server error" :
  2516. status == OSSL_CMP_PKISTATUS_waiting ? "internal error"
  2517. : "warning", "received%s%s %s", from, server,
  2518. string != NULL ? string : "<unknown PKIStatus>");
  2519. OPENSSL_free(buf);
  2520. }
  2521. int cmp_main(int argc, char **argv)
  2522. {
  2523. char *configfile = NULL;
  2524. int i;
  2525. X509 *newcert = NULL;
  2526. ENGINE *engine = NULL;
  2527. OSSL_CMP_CTX *srv_cmp_ctx = NULL;
  2528. int ret = 0; /* default: failure */
  2529. prog = opt_appname(argv[0]);
  2530. if (argc <= 1) {
  2531. opt_help(cmp_options);
  2532. goto err;
  2533. }
  2534. /*
  2535. * handle options -config, -section, and -verbosity upfront
  2536. * to take effect for other options
  2537. */
  2538. for (i = 1; i < argc - 1; i++) {
  2539. if (*argv[i] == '-') {
  2540. if (!strcmp(argv[i] + 1, cmp_options[OPT_CONFIG - OPT_HELP].name))
  2541. opt_config = argv[++i];
  2542. else if (!strcmp(argv[i] + 1,
  2543. cmp_options[OPT_SECTION - OPT_HELP].name))
  2544. opt_section = argv[++i];
  2545. else if (strcmp(argv[i] + 1,
  2546. cmp_options[OPT_VERBOSITY - OPT_HELP].name) == 0
  2547. && !set_verbosity(atoi(argv[++i])))
  2548. goto err;
  2549. }
  2550. }
  2551. if (opt_section[0] == '\0') /* empty string */
  2552. opt_section = DEFAULT_SECTION;
  2553. vpm = X509_VERIFY_PARAM_new();
  2554. if (vpm == NULL) {
  2555. CMP_err("out of memory");
  2556. goto err;
  2557. }
  2558. /* read default values for options from config file */
  2559. configfile = opt_config != NULL ? opt_config : default_config_file;
  2560. if (configfile != NULL && configfile[0] != '\0' /* non-empty string */
  2561. && (configfile != default_config_file || access(configfile, F_OK) != -1)) {
  2562. CMP_info2("using section(s) '%s' of OpenSSL configuration file '%s'",
  2563. opt_section, configfile);
  2564. conf = app_load_config(configfile);
  2565. if (conf == NULL) {
  2566. goto err;
  2567. } else {
  2568. if (strcmp(opt_section, CMP_SECTION) == 0) { /* default */
  2569. if (!NCONF_get_section(conf, opt_section))
  2570. CMP_info2("no [%s] section found in config file '%s';"
  2571. " will thus use just [default] and unnamed section if present",
  2572. opt_section, configfile);
  2573. } else {
  2574. const char *end = opt_section + strlen(opt_section);
  2575. while ((end = prev_item(opt_section, end)) != NULL) {
  2576. if (!NCONF_get_section(conf, opt_item)) {
  2577. CMP_err2("no [%s] section found in config file '%s'",
  2578. opt_item, configfile);
  2579. goto err;
  2580. }
  2581. }
  2582. }
  2583. ret = read_config();
  2584. if (!set_verbosity(opt_verbosity)) /* just for checking range */
  2585. ret = -1;
  2586. if (ret <= 0) {
  2587. if (ret == -1)
  2588. BIO_printf(bio_err, "Use -help for summary.\n");
  2589. goto err;
  2590. }
  2591. }
  2592. }
  2593. (void)BIO_flush(bio_err); /* prevent interference with opt_help() */
  2594. ret = get_opts(argc, argv);
  2595. if (ret <= 0)
  2596. goto err;
  2597. ret = 0;
  2598. if (!app_RAND_load())
  2599. goto err;
  2600. if (opt_batch)
  2601. set_base_ui_method(UI_null());
  2602. if (opt_engine != NULL) {
  2603. engine = setup_engine_methods(opt_engine, 0 /* not: ENGINE_METHOD_ALL */, 0);
  2604. if (engine == NULL) {
  2605. CMP_err1("cannot load engine %s", opt_engine);
  2606. goto err;
  2607. }
  2608. }
  2609. cmp_ctx = OSSL_CMP_CTX_new(app_get0_libctx(), app_get0_propq());
  2610. if (cmp_ctx == NULL)
  2611. goto err;
  2612. OSSL_CMP_CTX_set_log_verbosity(cmp_ctx, opt_verbosity);
  2613. if (!OSSL_CMP_CTX_set_log_cb(cmp_ctx, print_to_bio_out)) {
  2614. CMP_err1("cannot set up error reporting and logging for %s", prog);
  2615. goto err;
  2616. }
  2617. #ifndef OPENSSL_NO_SOCK
  2618. if ((opt_tls_cert != NULL || opt_tls_key != NULL
  2619. || opt_tls_keypass != NULL || opt_tls_extra != NULL
  2620. || opt_tls_trusted != NULL || opt_tls_host != NULL)
  2621. && !opt_tls_used)
  2622. CMP_warn("Ingnoring TLS options(s) since -tls_used is not given");
  2623. if (opt_port != NULL) {
  2624. if (opt_tls_used) {
  2625. CMP_err("-tls_used option not supported with -port option");
  2626. goto err;
  2627. }
  2628. if (opt_server != NULL || opt_use_mock_srv) {
  2629. CMP_err("The -port option excludes -server and -use_mock_srv");
  2630. goto err;
  2631. }
  2632. if (opt_reqin != NULL || opt_reqout != NULL) {
  2633. CMP_err("The -port option does not support -reqin and -reqout");
  2634. goto err;
  2635. }
  2636. if (opt_rspin != NULL || opt_rspout != NULL) {
  2637. CMP_err("The -port option does not support -rspin and -rspout");
  2638. goto err;
  2639. }
  2640. }
  2641. if (opt_server != NULL && opt_use_mock_srv) {
  2642. CMP_err("cannot use both -server and -use_mock_srv options");
  2643. goto err;
  2644. }
  2645. #endif
  2646. if (opt_use_mock_srv
  2647. #ifndef OPENSSL_NO_SOCK
  2648. || opt_port != NULL
  2649. #endif
  2650. ) {
  2651. OSSL_CMP_SRV_CTX *srv_ctx;
  2652. if ((srv_ctx = setup_srv_ctx(engine)) == NULL)
  2653. goto err;
  2654. srv_cmp_ctx = OSSL_CMP_SRV_CTX_get0_cmp_ctx(srv_ctx);
  2655. OSSL_CMP_CTX_set_transfer_cb_arg(cmp_ctx, srv_ctx);
  2656. if (!OSSL_CMP_CTX_set_log_cb(srv_cmp_ctx, print_to_bio_err)) {
  2657. CMP_err1("cannot set up error reporting and logging for %s", prog);
  2658. goto err;
  2659. }
  2660. OSSL_CMP_CTX_set_log_verbosity(srv_cmp_ctx, opt_verbosity);
  2661. }
  2662. #ifndef OPENSSL_NO_SOCK
  2663. if (opt_tls_used && (opt_use_mock_srv || opt_server == NULL)) {
  2664. CMP_warn("ignoring -tls_used option since -use_mock_srv is given or -server is not given");
  2665. opt_tls_used = 0;
  2666. }
  2667. if (opt_port != NULL) { /* act as very basic CMP HTTP server */
  2668. ret = cmp_server(srv_cmp_ctx);
  2669. goto err;
  2670. }
  2671. /* act as CMP client, possibly using internal mock server */
  2672. if (opt_rspin != NULL) {
  2673. if (opt_server != NULL)
  2674. CMP_warn("-server option is not used if enough filenames given for -rspin");
  2675. if (opt_use_mock_srv)
  2676. CMP_warn("-use_mock_srv option is not used if enough filenames given for -rspin");
  2677. }
  2678. #endif
  2679. if (!setup_client_ctx(cmp_ctx, engine)) {
  2680. CMP_err("cannot set up CMP context");
  2681. goto err;
  2682. }
  2683. for (i = 0; i < opt_repeat; i++) {
  2684. /* everything is ready, now connect and perform the command! */
  2685. switch (opt_cmd) {
  2686. case CMP_IR:
  2687. newcert = OSSL_CMP_exec_IR_ses(cmp_ctx);
  2688. if (newcert != NULL)
  2689. ret = 1;
  2690. break;
  2691. case CMP_KUR:
  2692. newcert = OSSL_CMP_exec_KUR_ses(cmp_ctx);
  2693. if (newcert != NULL)
  2694. ret = 1;
  2695. break;
  2696. case CMP_CR:
  2697. newcert = OSSL_CMP_exec_CR_ses(cmp_ctx);
  2698. if (newcert != NULL)
  2699. ret = 1;
  2700. break;
  2701. case CMP_P10CR:
  2702. newcert = OSSL_CMP_exec_P10CR_ses(cmp_ctx);
  2703. if (newcert != NULL)
  2704. ret = 1;
  2705. break;
  2706. case CMP_RR:
  2707. ret = OSSL_CMP_exec_RR_ses(cmp_ctx);
  2708. break;
  2709. case CMP_GENM:
  2710. {
  2711. STACK_OF(OSSL_CMP_ITAV) *itavs;
  2712. if (opt_infotype != NID_undef) {
  2713. OSSL_CMP_ITAV *itav =
  2714. OSSL_CMP_ITAV_create(OBJ_nid2obj(opt_infotype), NULL);
  2715. if (itav == NULL)
  2716. goto err;
  2717. OSSL_CMP_CTX_push0_genm_ITAV(cmp_ctx, itav);
  2718. }
  2719. if ((itavs = OSSL_CMP_exec_GENM_ses(cmp_ctx)) != NULL) {
  2720. print_itavs(itavs);
  2721. sk_OSSL_CMP_ITAV_pop_free(itavs, OSSL_CMP_ITAV_free);
  2722. ret = 1;
  2723. }
  2724. break;
  2725. }
  2726. default:
  2727. break;
  2728. }
  2729. if (OSSL_CMP_CTX_get_status(cmp_ctx) < OSSL_CMP_PKISTATUS_accepted)
  2730. goto err; /* we got no response, maybe even did not send request */
  2731. print_status();
  2732. if (save_free_certs(cmp_ctx, OSSL_CMP_CTX_get1_extraCertsIn(cmp_ctx),
  2733. opt_extracertsout, "extra") < 0)
  2734. ret = 0;
  2735. if (!ret)
  2736. goto err;
  2737. ret = 0;
  2738. if (save_free_certs(cmp_ctx, OSSL_CMP_CTX_get1_caPubs(cmp_ctx),
  2739. opt_cacertsout, "CA") < 0)
  2740. goto err;
  2741. if (newcert != NULL) {
  2742. STACK_OF(X509) *certs = sk_X509_new_null();
  2743. if (!X509_add_cert(certs, newcert, X509_ADD_FLAG_UP_REF)) {
  2744. sk_X509_free(certs);
  2745. goto err;
  2746. }
  2747. if (save_free_certs(cmp_ctx, certs, opt_certout, "enrolled") < 0)
  2748. goto err;
  2749. }
  2750. if (save_free_certs(cmp_ctx, OSSL_CMP_CTX_get1_newChain(cmp_ctx),
  2751. opt_chainout, "chain") < 0)
  2752. goto err;
  2753. if (!OSSL_CMP_CTX_reinit(cmp_ctx))
  2754. goto err;
  2755. }
  2756. ret = 1;
  2757. err:
  2758. /* in case we ended up here on error without proper cleaning */
  2759. cleanse(opt_keypass);
  2760. cleanse(opt_newkeypass);
  2761. cleanse(opt_otherpass);
  2762. #ifndef OPENSSL_NO_SOCK
  2763. cleanse(opt_tls_keypass);
  2764. #endif
  2765. cleanse(opt_secret);
  2766. cleanse(opt_srv_keypass);
  2767. cleanse(opt_srv_secret);
  2768. if (ret != 1)
  2769. OSSL_CMP_CTX_print_errors(cmp_ctx);
  2770. if (cmp_ctx != NULL) {
  2771. #ifndef OPENSSL_NO_SOCK
  2772. APP_HTTP_TLS_INFO *info = OSSL_CMP_CTX_get_http_cb_arg(cmp_ctx);
  2773. #endif
  2774. ossl_cmp_mock_srv_free(OSSL_CMP_CTX_get_transfer_cb_arg(cmp_ctx));
  2775. X509_STORE_free(OSSL_CMP_CTX_get_certConf_cb_arg(cmp_ctx));
  2776. /* cannot free info already here, as it may be used indirectly by: */
  2777. OSSL_CMP_CTX_free(cmp_ctx);
  2778. #ifndef OPENSSL_NO_SOCK
  2779. if (info != NULL) {
  2780. OPENSSL_free((char *)info->server);
  2781. OPENSSL_free((char *)info->port);
  2782. APP_HTTP_TLS_INFO_free(info);
  2783. }
  2784. #endif
  2785. }
  2786. X509_VERIFY_PARAM_free(vpm);
  2787. release_engine(engine);
  2788. NCONF_free(conf); /* must not do as long as opt_... variables are used */
  2789. OSSL_CMP_log_close();
  2790. return ret == 0 ? EXIT_FAILURE : EXIT_SUCCESS; /* ret == -1 for -help */
  2791. }