cmp_msg.c 33 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090
  1. /*
  2. * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
  3. * Copyright Nokia 2007-2019
  4. * Copyright Siemens AG 2015-2019
  5. *
  6. * Licensed under the Apache License 2.0 (the "License"). You may not use
  7. * this file except in compliance with the License. You can obtain a copy
  8. * in the file LICENSE in the source distribution or at
  9. * https://www.openssl.org/source/license.html
  10. */
  11. /* CMP functions for PKIMessage construction */
  12. #include "cmp_local.h"
  13. /* explicit #includes not strictly needed since implied by the above: */
  14. #include <openssl/asn1t.h>
  15. #include <openssl/cmp.h>
  16. #include <openssl/crmf.h>
  17. #include <openssl/err.h>
  18. #include <openssl/x509.h>
  19. OSSL_CMP_PKIHEADER *OSSL_CMP_MSG_get0_header(const OSSL_CMP_MSG *msg)
  20. {
  21. if (msg == NULL) {
  22. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  23. return NULL;
  24. }
  25. return msg->header;
  26. }
  27. const char *ossl_cmp_bodytype_to_string(int type)
  28. {
  29. static const char *type_names[] = {
  30. "IR", "IP", "CR", "CP", "P10CR",
  31. "POPDECC", "POPDECR", "KUR", "KUP",
  32. "KRR", "KRP", "RR", "RP", "CCR", "CCP",
  33. "CKUANN", "CANN", "RANN", "CRLANN", "PKICONF", "NESTED",
  34. "GENM", "GENP", "ERROR", "CERTCONF", "POLLREQ", "POLLREP",
  35. };
  36. if (type < 0 || type > OSSL_CMP_PKIBODY_TYPE_MAX)
  37. return "illegal body type";
  38. return type_names[type];
  39. }
  40. int ossl_cmp_msg_set_bodytype(OSSL_CMP_MSG *msg, int type)
  41. {
  42. if (!ossl_assert(msg != NULL && msg->body != NULL))
  43. return 0;
  44. msg->body->type = type;
  45. return 1;
  46. }
  47. int ossl_cmp_msg_get_bodytype(const OSSL_CMP_MSG *msg)
  48. {
  49. if (!ossl_assert(msg != NULL && msg->body != NULL))
  50. return -1;
  51. return msg->body->type;
  52. }
  53. /* Add an extension to the referenced extension stack, which may be NULL */
  54. static int add1_extension(X509_EXTENSIONS **pexts, int nid, int crit, void *ex)
  55. {
  56. X509_EXTENSION *ext;
  57. int res;
  58. if (!ossl_assert(pexts != NULL)) /* pointer to var must not be NULL */
  59. return 0;
  60. if ((ext = X509V3_EXT_i2d(nid, crit, ex)) == NULL)
  61. return 0;
  62. res = X509v3_add_ext(pexts, ext, 0) != NULL;
  63. X509_EXTENSION_free(ext);
  64. return res;
  65. }
  66. /* Add extension list to the referenced extension stack, which may be NULL */
  67. static int add_extensions(STACK_OF(X509_EXTENSION) **target,
  68. const STACK_OF(X509_EXTENSION) *exts)
  69. {
  70. int i;
  71. if (target == NULL)
  72. return 0;
  73. for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) {
  74. X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i);
  75. ASN1_OBJECT *obj = X509_EXTENSION_get_object(ext);
  76. int idx = X509v3_get_ext_by_OBJ(*target, obj, -1);
  77. /* Does extension exist in target? */
  78. if (idx != -1) {
  79. /* Delete all extensions of same type */
  80. do {
  81. X509_EXTENSION_free(sk_X509_EXTENSION_delete(*target, idx));
  82. idx = X509v3_get_ext_by_OBJ(*target, obj, -1);
  83. } while (idx != -1);
  84. }
  85. if (!X509v3_add_ext(target, ext, -1))
  86. return 0;
  87. }
  88. return 1;
  89. }
  90. /* Add a CRL revocation reason code to extension stack, which may be NULL */
  91. static int add_crl_reason_extension(X509_EXTENSIONS **pexts, int reason_code)
  92. {
  93. ASN1_ENUMERATED *val = ASN1_ENUMERATED_new();
  94. int res = 0;
  95. if (val != NULL && ASN1_ENUMERATED_set(val, reason_code))
  96. res = add1_extension(pexts, NID_crl_reason, 0 /* non-critical */, val);
  97. ASN1_ENUMERATED_free(val);
  98. return res;
  99. }
  100. OSSL_CMP_MSG *ossl_cmp_msg_create(OSSL_CMP_CTX *ctx, int bodytype)
  101. {
  102. OSSL_CMP_MSG *msg = NULL;
  103. if (!ossl_assert(ctx != NULL))
  104. return NULL;
  105. if ((msg = OSSL_CMP_MSG_new()) == NULL)
  106. return NULL;
  107. if (!ossl_cmp_hdr_init(ctx, msg->header)
  108. || !ossl_cmp_msg_set_bodytype(msg, bodytype))
  109. goto err;
  110. if (ctx->geninfo_ITAVs != NULL
  111. && !ossl_cmp_hdr_generalInfo_push1_items(msg->header,
  112. ctx->geninfo_ITAVs))
  113. goto err;
  114. switch (bodytype) {
  115. case OSSL_CMP_PKIBODY_IR:
  116. case OSSL_CMP_PKIBODY_CR:
  117. case OSSL_CMP_PKIBODY_KUR:
  118. if ((msg->body->value.ir = OSSL_CRMF_MSGS_new()) == NULL)
  119. goto err;
  120. return msg;
  121. case OSSL_CMP_PKIBODY_P10CR:
  122. if (ctx->p10CSR == NULL) {
  123. ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_P10CSR);
  124. goto err;
  125. }
  126. if ((msg->body->value.p10cr = X509_REQ_dup(ctx->p10CSR)) == NULL)
  127. goto err;
  128. return msg;
  129. case OSSL_CMP_PKIBODY_IP:
  130. case OSSL_CMP_PKIBODY_CP:
  131. case OSSL_CMP_PKIBODY_KUP:
  132. if ((msg->body->value.ip = OSSL_CMP_CERTREPMESSAGE_new()) == NULL)
  133. goto err;
  134. return msg;
  135. case OSSL_CMP_PKIBODY_RR:
  136. if ((msg->body->value.rr = sk_OSSL_CMP_REVDETAILS_new_null()) == NULL)
  137. goto err;
  138. return msg;
  139. case OSSL_CMP_PKIBODY_RP:
  140. if ((msg->body->value.rp = OSSL_CMP_REVREPCONTENT_new()) == NULL)
  141. goto err;
  142. return msg;
  143. case OSSL_CMP_PKIBODY_CERTCONF:
  144. if ((msg->body->value.certConf =
  145. sk_OSSL_CMP_CERTSTATUS_new_null()) == NULL)
  146. goto err;
  147. return msg;
  148. case OSSL_CMP_PKIBODY_PKICONF:
  149. if ((msg->body->value.pkiconf = ASN1_TYPE_new()) == NULL)
  150. goto err;
  151. ASN1_TYPE_set(msg->body->value.pkiconf, V_ASN1_NULL, NULL);
  152. return msg;
  153. case OSSL_CMP_PKIBODY_POLLREQ:
  154. if ((msg->body->value.pollReq = sk_OSSL_CMP_POLLREQ_new_null()) == NULL)
  155. goto err;
  156. return msg;
  157. case OSSL_CMP_PKIBODY_POLLREP:
  158. if ((msg->body->value.pollRep = sk_OSSL_CMP_POLLREP_new_null()) == NULL)
  159. goto err;
  160. return msg;
  161. case OSSL_CMP_PKIBODY_GENM:
  162. case OSSL_CMP_PKIBODY_GENP:
  163. if ((msg->body->value.genm = sk_OSSL_CMP_ITAV_new_null()) == NULL)
  164. goto err;
  165. return msg;
  166. case OSSL_CMP_PKIBODY_ERROR:
  167. if ((msg->body->value.error = OSSL_CMP_ERRORMSGCONTENT_new()) == NULL)
  168. goto err;
  169. return msg;
  170. default:
  171. ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
  172. goto err;
  173. }
  174. err:
  175. OSSL_CMP_MSG_free(msg);
  176. return NULL;
  177. }
  178. #define HAS_SAN(ctx) \
  179. (sk_GENERAL_NAME_num((ctx)->subjectAltNames) > 0 \
  180. || OSSL_CMP_CTX_reqExtensions_have_SAN(ctx) == 1)
  181. static const X509_NAME *determine_subj(OSSL_CMP_CTX *ctx,
  182. const X509_NAME *ref_subj,
  183. int for_KUR)
  184. {
  185. if (ctx->subjectName != NULL)
  186. return IS_NULL_DN(ctx->subjectName) ? NULL : ctx->subjectName;
  187. if (ref_subj != NULL && (for_KUR || !HAS_SAN(ctx)))
  188. /*
  189. * For KUR, copy subject from the reference.
  190. * For IR or CR, do the same only if there is no subjectAltName.
  191. */
  192. return ref_subj;
  193. return NULL;
  194. }
  195. OSSL_CRMF_MSG *OSSL_CMP_CTX_setup_CRM(OSSL_CMP_CTX *ctx, int for_KUR, int rid)
  196. {
  197. OSSL_CRMF_MSG *crm = NULL;
  198. X509 *refcert = ctx->oldCert != NULL ? ctx->oldCert : ctx->cert;
  199. /* refcert defaults to current client cert */
  200. EVP_PKEY *rkey = OSSL_CMP_CTX_get0_newPkey(ctx, 0);
  201. STACK_OF(GENERAL_NAME) *default_sans = NULL;
  202. const X509_NAME *ref_subj =
  203. ctx->p10CSR != NULL ? X509_REQ_get_subject_name(ctx->p10CSR) :
  204. refcert != NULL ? X509_get_subject_name(refcert) : NULL;
  205. const X509_NAME *subject = determine_subj(ctx, ref_subj, for_KUR);
  206. const X509_NAME *issuer = ctx->issuer != NULL || refcert == NULL
  207. ? (IS_NULL_DN(ctx->issuer) ? NULL : ctx->issuer)
  208. : X509_get_issuer_name(refcert);
  209. int crit = ctx->setSubjectAltNameCritical || subject == NULL;
  210. /* RFC5280: subjectAltName MUST be critical if subject is null */
  211. X509_EXTENSIONS *exts = NULL;
  212. if (rkey == NULL && ctx->p10CSR != NULL)
  213. rkey = X509_REQ_get0_pubkey(ctx->p10CSR);
  214. if (rkey == NULL)
  215. rkey = ctx->pkey; /* default is independent of ctx->oldCert */
  216. if (rkey == NULL) {
  217. #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
  218. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  219. return NULL;
  220. #endif
  221. }
  222. if (for_KUR && refcert == NULL && ctx->p10CSR == NULL) {
  223. ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_REFERENCE_CERT);
  224. return NULL;
  225. }
  226. if ((crm = OSSL_CRMF_MSG_new()) == NULL)
  227. return NULL;
  228. if (!OSSL_CRMF_MSG_set_certReqId(crm, rid)
  229. /*
  230. * fill certTemplate, corresponding to CertificationRequestInfo
  231. * of PKCS#10. The rkey param cannot be NULL so far -
  232. * it could be NULL if centralized key creation was supported
  233. */
  234. || !OSSL_CRMF_CERTTEMPLATE_fill(OSSL_CRMF_MSG_get0_tmpl(crm), rkey,
  235. subject, issuer, NULL /* serial */))
  236. goto err;
  237. if (ctx->days != 0) {
  238. time_t now = time(NULL);
  239. ASN1_TIME *notBefore = ASN1_TIME_adj(NULL, now, 0, 0);
  240. ASN1_TIME *notAfter = ASN1_TIME_adj(NULL, now, ctx->days, 0);
  241. if (notBefore == NULL
  242. || notAfter == NULL
  243. || !OSSL_CRMF_MSG_set0_validity(crm, notBefore, notAfter)) {
  244. ASN1_TIME_free(notBefore);
  245. ASN1_TIME_free(notAfter);
  246. goto err;
  247. }
  248. }
  249. /* extensions */
  250. if (refcert != NULL && !ctx->SubjectAltName_nodefault)
  251. default_sans = X509V3_get_d2i(X509_get0_extensions(refcert),
  252. NID_subject_alt_name, NULL, NULL);
  253. if (ctx->p10CSR != NULL
  254. && (exts = X509_REQ_get_extensions(ctx->p10CSR)) == NULL)
  255. goto err;
  256. if (ctx->reqExtensions != NULL /* augment/override existing ones */
  257. && !add_extensions(&exts, ctx->reqExtensions))
  258. goto err;
  259. if (sk_GENERAL_NAME_num(ctx->subjectAltNames) > 0
  260. && !add1_extension(&exts, NID_subject_alt_name,
  261. crit, ctx->subjectAltNames))
  262. goto err;
  263. if (!HAS_SAN(ctx) && default_sans != NULL
  264. && !add1_extension(&exts, NID_subject_alt_name, crit, default_sans))
  265. goto err;
  266. if (ctx->policies != NULL
  267. && !add1_extension(&exts, NID_certificate_policies,
  268. ctx->setPoliciesCritical, ctx->policies))
  269. goto err;
  270. if (!OSSL_CRMF_MSG_set0_extensions(crm, exts))
  271. goto err;
  272. exts = NULL;
  273. /* end fill certTemplate, now set any controls */
  274. /* for KUR, set OldCertId according to D.6 */
  275. if (for_KUR && refcert != NULL) {
  276. OSSL_CRMF_CERTID *cid =
  277. OSSL_CRMF_CERTID_gen(X509_get_issuer_name(refcert),
  278. X509_get0_serialNumber(refcert));
  279. int ret;
  280. if (cid == NULL)
  281. goto err;
  282. ret = OSSL_CRMF_MSG_set1_regCtrl_oldCertID(crm, cid);
  283. OSSL_CRMF_CERTID_free(cid);
  284. if (ret == 0)
  285. goto err;
  286. }
  287. goto end;
  288. err:
  289. OSSL_CRMF_MSG_free(crm);
  290. crm = NULL;
  291. end:
  292. sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
  293. sk_GENERAL_NAME_pop_free(default_sans, GENERAL_NAME_free);
  294. return crm;
  295. }
  296. OSSL_CMP_MSG *ossl_cmp_certreq_new(OSSL_CMP_CTX *ctx, int type,
  297. const OSSL_CRMF_MSG *crm)
  298. {
  299. OSSL_CMP_MSG *msg;
  300. OSSL_CRMF_MSG *local_crm = NULL;
  301. if (!ossl_assert(ctx != NULL))
  302. return NULL;
  303. if (type != OSSL_CMP_PKIBODY_IR && type != OSSL_CMP_PKIBODY_CR
  304. && type != OSSL_CMP_PKIBODY_KUR && type != OSSL_CMP_PKIBODY_P10CR) {
  305. ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS);
  306. return NULL;
  307. }
  308. if (type == OSSL_CMP_PKIBODY_P10CR && crm != NULL) {
  309. ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS);
  310. return NULL;
  311. }
  312. if ((msg = ossl_cmp_msg_create(ctx, type)) == NULL)
  313. goto err;
  314. /* header */
  315. if (ctx->implicitConfirm && !ossl_cmp_hdr_set_implicitConfirm(msg->header))
  316. goto err;
  317. /* body */
  318. /* For P10CR the content has already been set in OSSL_CMP_MSG_create */
  319. if (type != OSSL_CMP_PKIBODY_P10CR) {
  320. EVP_PKEY *privkey = OSSL_CMP_CTX_get0_newPkey(ctx, 1);
  321. /*
  322. * privkey is NULL in case ctx->newPkey does not include a private key.
  323. * We then may try to use ctx->pkey as fallback/default, but only
  324. * if ctx-> newPkey does not include a (non-matching) public key:
  325. */
  326. if (privkey == NULL && OSSL_CMP_CTX_get0_newPkey(ctx, 0) == NULL)
  327. privkey = ctx->pkey; /* default is independent of ctx->oldCert */
  328. if (ctx->popoMethod == OSSL_CRMF_POPO_SIGNATURE && privkey == NULL) {
  329. ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_PRIVATE_KEY);
  330. goto err;
  331. }
  332. if (crm == NULL) {
  333. local_crm = OSSL_CMP_CTX_setup_CRM(ctx,
  334. type == OSSL_CMP_PKIBODY_KUR,
  335. OSSL_CMP_CERTREQID);
  336. if (local_crm == NULL
  337. || !OSSL_CRMF_MSG_create_popo(ctx->popoMethod, local_crm,
  338. privkey, ctx->digest,
  339. ctx->libctx, ctx->propq))
  340. goto err;
  341. } else {
  342. if ((local_crm = OSSL_CRMF_MSG_dup(crm)) == NULL)
  343. goto err;
  344. }
  345. /* value.ir is same for cr and kur */
  346. if (!sk_OSSL_CRMF_MSG_push(msg->body->value.ir, local_crm))
  347. goto err;
  348. local_crm = NULL;
  349. /* TODO: here optional 2nd certreqmsg could be pushed to the stack */
  350. }
  351. if (!ossl_cmp_msg_protect(ctx, msg))
  352. goto err;
  353. return msg;
  354. err:
  355. ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_CERTREQ);
  356. OSSL_CRMF_MSG_free(local_crm);
  357. OSSL_CMP_MSG_free(msg);
  358. return NULL;
  359. }
  360. OSSL_CMP_MSG *ossl_cmp_certrep_new(OSSL_CMP_CTX *ctx, int bodytype,
  361. int certReqId, OSSL_CMP_PKISI *si,
  362. X509 *cert, STACK_OF(X509) *chain,
  363. STACK_OF(X509) *caPubs, int encrypted,
  364. int unprotectedErrors)
  365. {
  366. OSSL_CMP_MSG *msg = NULL;
  367. OSSL_CMP_CERTREPMESSAGE *repMsg = NULL;
  368. OSSL_CMP_CERTRESPONSE *resp = NULL;
  369. int status = -1;
  370. if (!ossl_assert(ctx != NULL && si != NULL))
  371. return NULL;
  372. if ((msg = ossl_cmp_msg_create(ctx, bodytype)) == NULL)
  373. goto err;
  374. repMsg = msg->body->value.ip; /* value.ip is same for cp and kup */
  375. /* header */
  376. if (ctx->implicitConfirm && !ossl_cmp_hdr_set_implicitConfirm(msg->header))
  377. goto err;
  378. /* body */
  379. if ((resp = OSSL_CMP_CERTRESPONSE_new()) == NULL)
  380. goto err;
  381. OSSL_CMP_PKISI_free(resp->status);
  382. if ((resp->status = OSSL_CMP_PKISI_dup(si)) == NULL
  383. || !ASN1_INTEGER_set(resp->certReqId, certReqId))
  384. goto err;
  385. status = ossl_cmp_pkisi_get_status(resp->status);
  386. if (status != OSSL_CMP_PKISTATUS_rejection
  387. && status != OSSL_CMP_PKISTATUS_waiting && cert != NULL) {
  388. if (encrypted) {
  389. ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS);
  390. goto err;
  391. }
  392. if ((resp->certifiedKeyPair = OSSL_CMP_CERTIFIEDKEYPAIR_new())
  393. == NULL)
  394. goto err;
  395. resp->certifiedKeyPair->certOrEncCert->type =
  396. OSSL_CMP_CERTORENCCERT_CERTIFICATE;
  397. if (!X509_up_ref(cert))
  398. goto err;
  399. resp->certifiedKeyPair->certOrEncCert->value.certificate = cert;
  400. }
  401. if (!sk_OSSL_CMP_CERTRESPONSE_push(repMsg->response, resp))
  402. goto err;
  403. resp = NULL;
  404. /* TODO: here optional 2nd certrep could be pushed to the stack */
  405. if (bodytype == OSSL_CMP_PKIBODY_IP && caPubs != NULL
  406. && (repMsg->caPubs = X509_chain_up_ref(caPubs)) == NULL)
  407. goto err;
  408. if (sk_X509_num(chain) > 0
  409. && !ossl_x509_add_certs_new(&msg->extraCerts, chain,
  410. X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP))
  411. goto err;
  412. if (!unprotectedErrors
  413. || ossl_cmp_pkisi_get_status(si) != OSSL_CMP_PKISTATUS_rejection)
  414. if (!ossl_cmp_msg_protect(ctx, msg))
  415. goto err;
  416. return msg;
  417. err:
  418. ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_CERTREP);
  419. OSSL_CMP_CERTRESPONSE_free(resp);
  420. OSSL_CMP_MSG_free(msg);
  421. return NULL;
  422. }
  423. OSSL_CMP_MSG *ossl_cmp_rr_new(OSSL_CMP_CTX *ctx)
  424. {
  425. OSSL_CMP_MSG *msg = NULL;
  426. OSSL_CMP_REVDETAILS *rd;
  427. int ret;
  428. if (!ossl_assert(ctx != NULL && (ctx->oldCert != NULL
  429. || ctx->p10CSR != NULL)))
  430. return NULL;
  431. if ((rd = OSSL_CMP_REVDETAILS_new()) == NULL)
  432. goto err;
  433. /* Fill the template from the contents of the certificate to be revoked */
  434. ret = ctx->oldCert != NULL
  435. ? OSSL_CRMF_CERTTEMPLATE_fill(rd->certDetails,
  436. NULL /* pubkey would be redundant */,
  437. NULL /* subject would be redundant */,
  438. X509_get_issuer_name(ctx->oldCert),
  439. X509_get0_serialNumber(ctx->oldCert))
  440. : OSSL_CRMF_CERTTEMPLATE_fill(rd->certDetails,
  441. X509_REQ_get0_pubkey(ctx->p10CSR),
  442. X509_REQ_get_subject_name(ctx->p10CSR),
  443. NULL, NULL);
  444. if (!ret)
  445. goto err;
  446. /* revocation reason code is optional */
  447. if (ctx->revocationReason != CRL_REASON_NONE
  448. && !add_crl_reason_extension(&rd->crlEntryDetails,
  449. ctx->revocationReason))
  450. goto err;
  451. if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_RR)) == NULL)
  452. goto err;
  453. if (!sk_OSSL_CMP_REVDETAILS_push(msg->body->value.rr, rd))
  454. goto err;
  455. rd = NULL;
  456. /*
  457. * TODO: the Revocation Passphrase according to section 5.3.19.9 could be
  458. * set here if set in ctx
  459. */
  460. if (!ossl_cmp_msg_protect(ctx, msg))
  461. goto err;
  462. return msg;
  463. err:
  464. ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_RR);
  465. OSSL_CMP_MSG_free(msg);
  466. OSSL_CMP_REVDETAILS_free(rd);
  467. return NULL;
  468. }
  469. OSSL_CMP_MSG *ossl_cmp_rp_new(OSSL_CMP_CTX *ctx, OSSL_CMP_PKISI *si,
  470. OSSL_CRMF_CERTID *cid, int unprot_err)
  471. {
  472. OSSL_CMP_REVREPCONTENT *rep = NULL;
  473. OSSL_CMP_PKISI *si1 = NULL;
  474. OSSL_CRMF_CERTID *cid_copy = NULL;
  475. OSSL_CMP_MSG *msg = NULL;
  476. if (!ossl_assert(ctx != NULL && si != NULL))
  477. return NULL;
  478. if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_RP)) == NULL)
  479. goto err;
  480. rep = msg->body->value.rp;
  481. if ((si1 = OSSL_CMP_PKISI_dup(si)) == NULL)
  482. goto err;
  483. if (!sk_OSSL_CMP_PKISI_push(rep->status, si1)) {
  484. OSSL_CMP_PKISI_free(si1);
  485. goto err;
  486. }
  487. if ((rep->revCerts = sk_OSSL_CRMF_CERTID_new_null()) == NULL)
  488. goto err;
  489. if (cid != NULL) {
  490. if ((cid_copy = OSSL_CRMF_CERTID_dup(cid)) == NULL)
  491. goto err;
  492. if (!sk_OSSL_CRMF_CERTID_push(rep->revCerts, cid_copy)) {
  493. OSSL_CRMF_CERTID_free(cid_copy);
  494. goto err;
  495. }
  496. }
  497. if (!unprot_err
  498. || ossl_cmp_pkisi_get_status(si) != OSSL_CMP_PKISTATUS_rejection)
  499. if (!ossl_cmp_msg_protect(ctx, msg))
  500. goto err;
  501. return msg;
  502. err:
  503. ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_RP);
  504. OSSL_CMP_MSG_free(msg);
  505. return NULL;
  506. }
  507. OSSL_CMP_MSG *ossl_cmp_pkiconf_new(OSSL_CMP_CTX *ctx)
  508. {
  509. OSSL_CMP_MSG *msg;
  510. if (!ossl_assert(ctx != NULL))
  511. return NULL;
  512. if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_PKICONF)) == NULL)
  513. goto err;
  514. if (ossl_cmp_msg_protect(ctx, msg))
  515. return msg;
  516. err:
  517. ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_PKICONF);
  518. OSSL_CMP_MSG_free(msg);
  519. return NULL;
  520. }
  521. int ossl_cmp_msg_gen_push0_ITAV(OSSL_CMP_MSG *msg, OSSL_CMP_ITAV *itav)
  522. {
  523. int bodytype;
  524. if (!ossl_assert(msg != NULL && itav != NULL))
  525. return 0;
  526. bodytype = ossl_cmp_msg_get_bodytype(msg);
  527. if (bodytype != OSSL_CMP_PKIBODY_GENM
  528. && bodytype != OSSL_CMP_PKIBODY_GENP) {
  529. ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS);
  530. return 0;
  531. }
  532. /* value.genp has the same structure, so this works for genp as well */
  533. return OSSL_CMP_ITAV_push0_stack_item(&msg->body->value.genm, itav);
  534. }
  535. int ossl_cmp_msg_gen_push1_ITAVs(OSSL_CMP_MSG *msg,
  536. const STACK_OF(OSSL_CMP_ITAV) *itavs)
  537. {
  538. int i;
  539. OSSL_CMP_ITAV *itav = NULL;
  540. if (!ossl_assert(msg != NULL))
  541. return 0;
  542. for (i = 0; i < sk_OSSL_CMP_ITAV_num(itavs); i++) {
  543. itav = OSSL_CMP_ITAV_dup(sk_OSSL_CMP_ITAV_value(itavs, i));
  544. if (itav == NULL
  545. || !ossl_cmp_msg_gen_push0_ITAV(msg, itav)) {
  546. OSSL_CMP_ITAV_free(itav);
  547. return 0;
  548. }
  549. }
  550. return 1;
  551. }
  552. /*
  553. * Creates a new General Message/Response with an empty itav stack
  554. * returns a pointer to the PKIMessage on success, NULL on error
  555. */
  556. static OSSL_CMP_MSG *gen_new(OSSL_CMP_CTX *ctx,
  557. const STACK_OF(OSSL_CMP_ITAV) *itavs,
  558. int body_type, int err_code)
  559. {
  560. OSSL_CMP_MSG *msg = NULL;
  561. if (!ossl_assert(ctx != NULL))
  562. return NULL;
  563. if ((msg = ossl_cmp_msg_create(ctx, body_type)) == NULL)
  564. return NULL;
  565. if (ctx->genm_ITAVs != NULL
  566. && !ossl_cmp_msg_gen_push1_ITAVs(msg, itavs))
  567. goto err;
  568. if (!ossl_cmp_msg_protect(ctx, msg))
  569. goto err;
  570. return msg;
  571. err:
  572. ERR_raise(ERR_LIB_CMP, err_code);
  573. OSSL_CMP_MSG_free(msg);
  574. return NULL;
  575. }
  576. OSSL_CMP_MSG *ossl_cmp_genm_new(OSSL_CMP_CTX *ctx)
  577. {
  578. return gen_new(ctx, ctx->genm_ITAVs,
  579. OSSL_CMP_PKIBODY_GENM, CMP_R_ERROR_CREATING_GENM);
  580. }
  581. OSSL_CMP_MSG *ossl_cmp_genp_new(OSSL_CMP_CTX *ctx,
  582. const STACK_OF(OSSL_CMP_ITAV) *itavs)
  583. {
  584. return gen_new(ctx, itavs,
  585. OSSL_CMP_PKIBODY_GENP, CMP_R_ERROR_CREATING_GENP);
  586. }
  587. OSSL_CMP_MSG *ossl_cmp_error_new(OSSL_CMP_CTX *ctx, OSSL_CMP_PKISI *si,
  588. int errorCode,
  589. const char *details, int unprotected)
  590. {
  591. OSSL_CMP_MSG *msg = NULL;
  592. OSSL_CMP_PKIFREETEXT *ft;
  593. if (!ossl_assert(ctx != NULL && si != NULL))
  594. return NULL;
  595. if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_ERROR)) == NULL)
  596. goto err;
  597. OSSL_CMP_PKISI_free(msg->body->value.error->pKIStatusInfo);
  598. if ((msg->body->value.error->pKIStatusInfo = OSSL_CMP_PKISI_dup(si))
  599. == NULL)
  600. goto err;
  601. if (errorCode >= 0) {
  602. if ((msg->body->value.error->errorCode = ASN1_INTEGER_new()) == NULL)
  603. goto err;
  604. if (!ASN1_INTEGER_set(msg->body->value.error->errorCode, errorCode))
  605. goto err;
  606. }
  607. if (details != NULL) {
  608. if ((ft = sk_ASN1_UTF8STRING_new_null()) == NULL)
  609. goto err;
  610. msg->body->value.error->errorDetails = ft;
  611. if (!ossl_cmp_sk_ASN1_UTF8STRING_push_str(ft, details))
  612. goto err;
  613. }
  614. if (!unprotected && !ossl_cmp_msg_protect(ctx, msg))
  615. goto err;
  616. return msg;
  617. err:
  618. ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_ERROR);
  619. OSSL_CMP_MSG_free(msg);
  620. return NULL;
  621. }
  622. /*
  623. * Set the certHash field of a OSSL_CMP_CERTSTATUS structure.
  624. * This is used in the certConf message, for example,
  625. * to confirm that the certificate was received successfully.
  626. */
  627. int ossl_cmp_certstatus_set0_certHash(OSSL_CMP_CERTSTATUS *certStatus,
  628. ASN1_OCTET_STRING *hash)
  629. {
  630. if (!ossl_assert(certStatus != NULL))
  631. return 0;
  632. ASN1_OCTET_STRING_free(certStatus->certHash);
  633. certStatus->certHash = hash;
  634. return 1;
  635. }
  636. /*
  637. * TODO: handle potential 2nd certificate when signing and encrypting
  638. * certificates have been requested/received
  639. */
  640. OSSL_CMP_MSG *ossl_cmp_certConf_new(OSSL_CMP_CTX *ctx, int fail_info,
  641. const char *text)
  642. {
  643. OSSL_CMP_MSG *msg = NULL;
  644. OSSL_CMP_CERTSTATUS *certStatus = NULL;
  645. ASN1_OCTET_STRING *certHash = NULL;
  646. OSSL_CMP_PKISI *sinfo;
  647. if (!ossl_assert(ctx != NULL && ctx->newCert != NULL))
  648. return NULL;
  649. if ((unsigned)fail_info > OSSL_CMP_PKIFAILUREINFO_MAX_BIT_PATTERN) {
  650. ERR_raise(ERR_LIB_CMP, CMP_R_FAIL_INFO_OUT_OF_RANGE);
  651. return NULL;
  652. }
  653. if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_CERTCONF)) == NULL)
  654. goto err;
  655. if ((certStatus = OSSL_CMP_CERTSTATUS_new()) == NULL)
  656. goto err;
  657. /* consume certStatus into msg right away so it gets deallocated with msg */
  658. if (!sk_OSSL_CMP_CERTSTATUS_push(msg->body->value.certConf, certStatus))
  659. goto err;
  660. /* set the ID of the certReq */
  661. if (!ASN1_INTEGER_set(certStatus->certReqId, OSSL_CMP_CERTREQID))
  662. goto err;
  663. /*
  664. * the hash of the certificate, using the same hash algorithm
  665. * as is used to create and verify the certificate signature
  666. */
  667. if ((certHash = X509_digest_sig(ctx->newCert)) == NULL)
  668. goto err;
  669. if (!ossl_cmp_certstatus_set0_certHash(certStatus, certHash))
  670. goto err;
  671. certHash = NULL;
  672. /*
  673. * For any particular CertStatus, omission of the statusInfo field
  674. * indicates ACCEPTANCE of the specified certificate. Alternatively,
  675. * explicit status details (with respect to acceptance or rejection) MAY
  676. * be provided in the statusInfo field, perhaps for auditing purposes at
  677. * the CA/RA.
  678. */
  679. sinfo = fail_info != 0 ?
  680. OSSL_CMP_STATUSINFO_new(OSSL_CMP_PKISTATUS_rejection, fail_info, text) :
  681. OSSL_CMP_STATUSINFO_new(OSSL_CMP_PKISTATUS_accepted, 0, text);
  682. if (sinfo == NULL)
  683. goto err;
  684. certStatus->statusInfo = sinfo;
  685. if (!ossl_cmp_msg_protect(ctx, msg))
  686. goto err;
  687. return msg;
  688. err:
  689. ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_CERTCONF);
  690. OSSL_CMP_MSG_free(msg);
  691. ASN1_OCTET_STRING_free(certHash);
  692. return NULL;
  693. }
  694. OSSL_CMP_MSG *ossl_cmp_pollReq_new(OSSL_CMP_CTX *ctx, int crid)
  695. {
  696. OSSL_CMP_MSG *msg = NULL;
  697. OSSL_CMP_POLLREQ *preq = NULL;
  698. if (!ossl_assert(ctx != NULL))
  699. return NULL;
  700. if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_POLLREQ)) == NULL)
  701. goto err;
  702. /* TODO: support multiple cert request IDs to poll */
  703. if ((preq = OSSL_CMP_POLLREQ_new()) == NULL
  704. || !ASN1_INTEGER_set(preq->certReqId, crid)
  705. || !sk_OSSL_CMP_POLLREQ_push(msg->body->value.pollReq, preq))
  706. goto err;
  707. preq = NULL;
  708. if (!ossl_cmp_msg_protect(ctx, msg))
  709. goto err;
  710. return msg;
  711. err:
  712. ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_POLLREQ);
  713. OSSL_CMP_POLLREQ_free(preq);
  714. OSSL_CMP_MSG_free(msg);
  715. return NULL;
  716. }
  717. OSSL_CMP_MSG *ossl_cmp_pollRep_new(OSSL_CMP_CTX *ctx, int crid,
  718. int64_t poll_after)
  719. {
  720. OSSL_CMP_MSG *msg;
  721. OSSL_CMP_POLLREP *prep;
  722. if (!ossl_assert(ctx != NULL))
  723. return NULL;
  724. if ((msg = ossl_cmp_msg_create(ctx, OSSL_CMP_PKIBODY_POLLREP)) == NULL)
  725. goto err;
  726. if ((prep = OSSL_CMP_POLLREP_new()) == NULL)
  727. goto err;
  728. if (!sk_OSSL_CMP_POLLREP_push(msg->body->value.pollRep, prep))
  729. goto err;
  730. if (!ASN1_INTEGER_set(prep->certReqId, crid))
  731. goto err;
  732. if (!ASN1_INTEGER_set_int64(prep->checkAfter, poll_after))
  733. goto err;
  734. if (!ossl_cmp_msg_protect(ctx, msg))
  735. goto err;
  736. return msg;
  737. err:
  738. ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_POLLREP);
  739. OSSL_CMP_MSG_free(msg);
  740. return NULL;
  741. }
  742. /*-
  743. * returns the status field of the RevRepContent with the given
  744. * request/sequence id inside a revocation response.
  745. * RevRepContent has the revocation statuses in same order as they were sent in
  746. * RevReqContent.
  747. * returns NULL on error
  748. */
  749. OSSL_CMP_PKISI *
  750. ossl_cmp_revrepcontent_get_pkisi(OSSL_CMP_REVREPCONTENT *rrep, int rsid)
  751. {
  752. OSSL_CMP_PKISI *status;
  753. if (!ossl_assert(rrep != NULL))
  754. return NULL;
  755. if ((status = sk_OSSL_CMP_PKISI_value(rrep->status, rsid)) != NULL)
  756. return status;
  757. ERR_raise(ERR_LIB_CMP, CMP_R_PKISTATUSINFO_NOT_FOUND);
  758. return NULL;
  759. }
  760. /*
  761. * returns the CertId field in the revCerts part of the RevRepContent
  762. * with the given request/sequence id inside a revocation response.
  763. * RevRepContent has the CertIds in same order as they were sent in
  764. * RevReqContent.
  765. * returns NULL on error
  766. */
  767. OSSL_CRMF_CERTID *
  768. ossl_cmp_revrepcontent_get_CertId(OSSL_CMP_REVREPCONTENT *rrep, int rsid)
  769. {
  770. OSSL_CRMF_CERTID *cid = NULL;
  771. if (!ossl_assert(rrep != NULL))
  772. return NULL;
  773. if ((cid = sk_OSSL_CRMF_CERTID_value(rrep->revCerts, rsid)) != NULL)
  774. return cid;
  775. ERR_raise(ERR_LIB_CMP, CMP_R_CERTID_NOT_FOUND);
  776. return NULL;
  777. }
  778. static int suitable_rid(const ASN1_INTEGER *certReqId, int rid)
  779. {
  780. int trid;
  781. if (rid == -1)
  782. return 1;
  783. trid = ossl_cmp_asn1_get_int(certReqId);
  784. if (trid == -1) {
  785. ERR_raise(ERR_LIB_CMP, CMP_R_BAD_REQUEST_ID);
  786. return 0;
  787. }
  788. return rid == trid;
  789. }
  790. /*
  791. * returns a pointer to the PollResponse with the given CertReqId
  792. * (or the first one in case -1) inside a PollRepContent
  793. * returns NULL on error or if no suitable PollResponse available
  794. */
  795. OSSL_CMP_POLLREP *
  796. ossl_cmp_pollrepcontent_get0_pollrep(const OSSL_CMP_POLLREPCONTENT *prc,
  797. int rid)
  798. {
  799. OSSL_CMP_POLLREP *pollRep = NULL;
  800. int i;
  801. if (!ossl_assert(prc != NULL))
  802. return NULL;
  803. for (i = 0; i < sk_OSSL_CMP_POLLREP_num(prc); i++) {
  804. pollRep = sk_OSSL_CMP_POLLREP_value(prc, i);
  805. if (suitable_rid(pollRep->certReqId, rid))
  806. return pollRep;
  807. }
  808. ERR_raise_data(ERR_LIB_CMP, CMP_R_CERTRESPONSE_NOT_FOUND,
  809. "expected certReqId = %d", rid);
  810. return NULL;
  811. }
  812. /*
  813. * returns a pointer to the CertResponse with the given CertReqId
  814. * (or the first one in case -1) inside a CertRepMessage
  815. * returns NULL on error or if no suitable CertResponse available
  816. */
  817. OSSL_CMP_CERTRESPONSE *
  818. ossl_cmp_certrepmessage_get0_certresponse(const OSSL_CMP_CERTREPMESSAGE *crm,
  819. int rid)
  820. {
  821. OSSL_CMP_CERTRESPONSE *crep = NULL;
  822. int i;
  823. if (!ossl_assert(crm != NULL && crm->response != NULL))
  824. return NULL;
  825. for (i = 0; i < sk_OSSL_CMP_CERTRESPONSE_num(crm->response); i++) {
  826. crep = sk_OSSL_CMP_CERTRESPONSE_value(crm->response, i);
  827. if (suitable_rid(crep->certReqId, rid))
  828. return crep;
  829. }
  830. ERR_raise_data(ERR_LIB_CMP, CMP_R_CERTRESPONSE_NOT_FOUND,
  831. "expected certReqId = %d", rid);
  832. return NULL;
  833. }
  834. /*-
  835. * Retrieve the newly enrolled certificate from the given certResponse crep.
  836. * In case of indirect POPO uses the libctx and propq from ctx and private key.
  837. * Returns a pointer to a copy of the found certificate, or NULL if not found.
  838. */
  839. X509 *ossl_cmp_certresponse_get1_cert(const OSSL_CMP_CERTRESPONSE *crep,
  840. const OSSL_CMP_CTX *ctx, EVP_PKEY *pkey)
  841. {
  842. OSSL_CMP_CERTORENCCERT *coec;
  843. X509 *crt = NULL;
  844. if (!ossl_assert(crep != NULL && ctx != NULL))
  845. return NULL;
  846. if (crep->certifiedKeyPair
  847. && (coec = crep->certifiedKeyPair->certOrEncCert) != NULL) {
  848. switch (coec->type) {
  849. case OSSL_CMP_CERTORENCCERT_CERTIFICATE:
  850. crt = X509_dup(coec->value.certificate);
  851. break;
  852. case OSSL_CMP_CERTORENCCERT_ENCRYPTEDCERT:
  853. /* cert encrypted for indirect PoP; RFC 4210, 5.2.8.2 */
  854. if (pkey == NULL) {
  855. ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_PRIVATE_KEY);
  856. return NULL;
  857. }
  858. crt =
  859. OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(coec->value.encryptedCert,
  860. ctx->libctx, ctx->propq,
  861. pkey);
  862. break;
  863. default:
  864. ERR_raise(ERR_LIB_CMP, CMP_R_UNKNOWN_CERT_TYPE);
  865. return NULL;
  866. }
  867. }
  868. if (crt == NULL)
  869. ERR_raise(ERR_LIB_CMP, CMP_R_CERTIFICATE_NOT_FOUND);
  870. else
  871. (void)ossl_x509_set0_libctx(crt, ctx->libctx, ctx->propq);
  872. return crt;
  873. }
  874. int OSSL_CMP_MSG_update_transactionID(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg)
  875. {
  876. if (ctx == NULL || msg == NULL) {
  877. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  878. return 0;
  879. }
  880. if (!ossl_cmp_hdr_set_transactionID(ctx, msg->header))
  881. return 0;
  882. return msg->header->protectionAlg == NULL
  883. || ossl_cmp_msg_protect(ctx, msg);
  884. }
  885. OSSL_CMP_MSG *OSSL_CMP_MSG_read(const char *file)
  886. {
  887. OSSL_CMP_MSG *msg = NULL;
  888. BIO *bio = NULL;
  889. if (file == NULL) {
  890. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  891. return NULL;
  892. }
  893. if ((bio = BIO_new_file(file, "rb")) == NULL)
  894. return NULL;
  895. msg = d2i_OSSL_CMP_MSG_bio(bio, NULL);
  896. BIO_free(bio);
  897. return msg;
  898. }
  899. int OSSL_CMP_MSG_write(const char *file, const OSSL_CMP_MSG *msg)
  900. {
  901. BIO *bio;
  902. int res;
  903. if (file == NULL || msg == NULL) {
  904. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  905. return -1;
  906. }
  907. bio = BIO_new_file(file, "wb");
  908. if (bio == NULL)
  909. return -2;
  910. res = i2d_OSSL_CMP_MSG_bio(bio, msg);
  911. BIO_free(bio);
  912. return res;
  913. }
  914. OSSL_CMP_MSG *d2i_OSSL_CMP_MSG_bio(BIO *bio, OSSL_CMP_MSG **msg)
  915. {
  916. return ASN1_d2i_bio_of(OSSL_CMP_MSG, OSSL_CMP_MSG_new,
  917. d2i_OSSL_CMP_MSG, bio, msg);
  918. }
  919. int i2d_OSSL_CMP_MSG_bio(BIO *bio, const OSSL_CMP_MSG *msg)
  920. {
  921. return ASN1_i2d_bio_of(OSSL_CMP_MSG, i2d_OSSL_CMP_MSG, bio, msg);
  922. }