2 * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright Nokia 2007-2019
4 * Copyright Siemens AG 2015-2019
6 * Licensed under the Apache License 2.0 (the "License"). You may not use
7 * this file except in compliance with the License. You can obtain a copy
8 * in the file LICENSE in the source distribution or at
9 * https://www.openssl.org/source/license.html
12 #include <openssl/asn1t.h>
14 #include "cmp_local.h"
16 /* explicit #includes not strictly needed since implied by the above: */
17 #include <openssl/cmp.h>
18 #include <openssl/crmf.h>
20 /* ASN.1 declarations from RFC4210 */
21 ASN1_SEQUENCE(OSSL_CMP_REVANNCONTENT) = {
22 /* OSSL_CMP_PKISTATUS is effectively ASN1_INTEGER so it is used directly */
23 ASN1_SIMPLE(OSSL_CMP_REVANNCONTENT, status, ASN1_INTEGER),
24 ASN1_SIMPLE(OSSL_CMP_REVANNCONTENT, certId, OSSL_CRMF_CERTID),
25 ASN1_SIMPLE(OSSL_CMP_REVANNCONTENT, willBeRevokedAt, ASN1_GENERALIZEDTIME),
26 ASN1_SIMPLE(OSSL_CMP_REVANNCONTENT, badSinceDate, ASN1_GENERALIZEDTIME),
27 ASN1_OPT(OSSL_CMP_REVANNCONTENT, crlDetails, X509_EXTENSIONS)
28 } ASN1_SEQUENCE_END(OSSL_CMP_REVANNCONTENT)
29 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_REVANNCONTENT)
31 ASN1_SEQUENCE(OSSL_CMP_CHALLENGE) = {
32 ASN1_OPT(OSSL_CMP_CHALLENGE, owf, X509_ALGOR),
33 ASN1_SIMPLE(OSSL_CMP_CHALLENGE, witness, ASN1_OCTET_STRING),
34 ASN1_SIMPLE(OSSL_CMP_CHALLENGE, challenge, ASN1_OCTET_STRING)
35 } ASN1_SEQUENCE_END(OSSL_CMP_CHALLENGE)
36 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CHALLENGE)
38 ASN1_ITEM_TEMPLATE(OSSL_CMP_POPODECKEYCHALLCONTENT) =
39 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,
40 OSSL_CMP_POPODECKEYCHALLCONTENT, OSSL_CMP_CHALLENGE)
41 ASN1_ITEM_TEMPLATE_END(OSSL_CMP_POPODECKEYCHALLCONTENT)
43 ASN1_ITEM_TEMPLATE(OSSL_CMP_POPODECKEYRESPCONTENT) =
44 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,
45 OSSL_CMP_POPODECKEYRESPCONTENT, ASN1_INTEGER)
46 ASN1_ITEM_TEMPLATE_END(OSSL_CMP_POPODECKEYRESPCONTENT)
48 ASN1_SEQUENCE(OSSL_CMP_CAKEYUPDANNCONTENT) = {
49 /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
50 ASN1_SIMPLE(OSSL_CMP_CAKEYUPDANNCONTENT, oldWithNew, X509),
51 /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
52 ASN1_SIMPLE(OSSL_CMP_CAKEYUPDANNCONTENT, newWithOld, X509),
53 /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
54 ASN1_SIMPLE(OSSL_CMP_CAKEYUPDANNCONTENT, newWithNew, X509)
55 } ASN1_SEQUENCE_END(OSSL_CMP_CAKEYUPDANNCONTENT)
56 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CAKEYUPDANNCONTENT)
58 ASN1_SEQUENCE(OSSL_CMP_ERRORMSGCONTENT) = {
59 ASN1_SIMPLE(OSSL_CMP_ERRORMSGCONTENT, pKIStatusInfo, OSSL_CMP_PKISI),
60 ASN1_OPT(OSSL_CMP_ERRORMSGCONTENT, errorCode, ASN1_INTEGER),
61 /* OSSL_CMP_PKIFREETEXT is a ASN1_UTF8STRING sequence, so used directly */
62 ASN1_SEQUENCE_OF_OPT(OSSL_CMP_ERRORMSGCONTENT, errorDetails,
64 } ASN1_SEQUENCE_END(OSSL_CMP_ERRORMSGCONTENT)
65 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_ERRORMSGCONTENT)
67 ASN1_ADB_TEMPLATE(infotypeandvalue_default) = ASN1_OPT(OSSL_CMP_ITAV,
70 /* ITAV means InfoTypeAndValue */
71 ASN1_ADB(OSSL_CMP_ITAV) = {
72 /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
73 ADB_ENTRY(NID_id_it_caProtEncCert, ASN1_OPT(OSSL_CMP_ITAV,
74 infoValue.caProtEncCert, X509)),
75 ADB_ENTRY(NID_id_it_signKeyPairTypes,
76 ASN1_SEQUENCE_OF_OPT(OSSL_CMP_ITAV,
77 infoValue.signKeyPairTypes, X509_ALGOR)),
78 ADB_ENTRY(NID_id_it_encKeyPairTypes,
79 ASN1_SEQUENCE_OF_OPT(OSSL_CMP_ITAV,
80 infoValue.encKeyPairTypes, X509_ALGOR)),
81 ADB_ENTRY(NID_id_it_preferredSymmAlg,
82 ASN1_OPT(OSSL_CMP_ITAV, infoValue.preferredSymmAlg,
84 ADB_ENTRY(NID_id_it_caKeyUpdateInfo,
85 ASN1_OPT(OSSL_CMP_ITAV, infoValue.caKeyUpdateInfo,
86 OSSL_CMP_CAKEYUPDANNCONTENT)),
87 ADB_ENTRY(NID_id_it_currentCRL,
88 ASN1_OPT(OSSL_CMP_ITAV, infoValue.currentCRL, X509_CRL)),
89 ADB_ENTRY(NID_id_it_unsupportedOIDs,
90 ASN1_SEQUENCE_OF_OPT(OSSL_CMP_ITAV,
91 infoValue.unsupportedOIDs, ASN1_OBJECT)),
92 ADB_ENTRY(NID_id_it_keyPairParamReq,
93 ASN1_OPT(OSSL_CMP_ITAV, infoValue.keyPairParamReq,
95 ADB_ENTRY(NID_id_it_keyPairParamRep,
96 ASN1_OPT(OSSL_CMP_ITAV, infoValue.keyPairParamRep,
98 ADB_ENTRY(NID_id_it_revPassphrase,
99 ASN1_OPT(OSSL_CMP_ITAV, infoValue.revPassphrase,
100 OSSL_CRMF_ENCRYPTEDVALUE)),
101 ADB_ENTRY(NID_id_it_implicitConfirm,
102 ASN1_OPT(OSSL_CMP_ITAV, infoValue.implicitConfirm,
104 ADB_ENTRY(NID_id_it_confirmWaitTime,
105 ASN1_OPT(OSSL_CMP_ITAV, infoValue.confirmWaitTime,
106 ASN1_GENERALIZEDTIME)),
107 ADB_ENTRY(NID_id_it_origPKIMessage,
108 ASN1_OPT(OSSL_CMP_ITAV, infoValue.origPKIMessage,
110 ADB_ENTRY(NID_id_it_suppLangTags,
111 ASN1_SEQUENCE_OF_OPT(OSSL_CMP_ITAV, infoValue.suppLangTagsValue,
113 ADB_ENTRY(NID_id_it_caCerts,
114 ASN1_SEQUENCE_OF_OPT(OSSL_CMP_ITAV, infoValue.caCerts, X509)),
115 ADB_ENTRY(NID_id_it_rootCaCert,
116 ASN1_OPT(OSSL_CMP_ITAV, infoValue.rootCaCert, X509)),
117 ADB_ENTRY(NID_id_it_rootCaKeyUpdate,
118 ASN1_OPT(OSSL_CMP_ITAV, infoValue.rootCaKeyUpdate,
119 OSSL_CMP_ROOTCAKEYUPDATE)),
120 ADB_ENTRY(NID_id_it_certProfile,
121 ASN1_SEQUENCE_OF_OPT(OSSL_CMP_ITAV, infoValue.certProfile,
123 ADB_ENTRY(NID_id_it_crlStatusList,
124 ASN1_SEQUENCE_OF_OPT(OSSL_CMP_ITAV, infoValue.crlStatusList,
125 OSSL_CMP_CRLSTATUS)),
126 ADB_ENTRY(NID_id_it_crls,
127 ASN1_SEQUENCE_OF_OPT(OSSL_CMP_ITAV, infoValue.crls, X509_CRL))
128 } ASN1_ADB_END(OSSL_CMP_ITAV, 0, infoType, 0,
129 &infotypeandvalue_default_tt, NULL);
131 ASN1_SEQUENCE(OSSL_CMP_ITAV) = {
132 ASN1_SIMPLE(OSSL_CMP_ITAV, infoType, ASN1_OBJECT),
133 ASN1_ADB_OBJECT(OSSL_CMP_ITAV)
134 } ASN1_SEQUENCE_END(OSSL_CMP_ITAV)
135 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_ITAV)
136 IMPLEMENT_ASN1_DUP_FUNCTION(OSSL_CMP_ITAV)
138 ASN1_SEQUENCE(OSSL_CMP_ROOTCAKEYUPDATE) = {
139 /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
140 ASN1_SIMPLE(OSSL_CMP_ROOTCAKEYUPDATE, newWithNew, X509),
141 ASN1_EXP_OPT(OSSL_CMP_ROOTCAKEYUPDATE, newWithOld, X509, 0),
142 ASN1_EXP_OPT(OSSL_CMP_ROOTCAKEYUPDATE, oldWithNew, X509, 1)
143 } ASN1_SEQUENCE_END(OSSL_CMP_ROOTCAKEYUPDATE)
144 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_ROOTCAKEYUPDATE)
146 ASN1_CHOICE(OSSL_CMP_CRLSOURCE) = {
147 ASN1_EXP(OSSL_CMP_CRLSOURCE, value.dpn, DIST_POINT_NAME, 0),
148 ASN1_EXP(OSSL_CMP_CRLSOURCE, value.issuer, GENERAL_NAMES, 1),
149 } ASN1_CHOICE_END(OSSL_CMP_CRLSOURCE)
150 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CRLSOURCE)
151 #define OSSL_CMP_CRLSOURCE_DPN 0
152 #define OSSL_CMP_CRLSOURCE_ISSUER 1
154 ASN1_SEQUENCE(OSSL_CMP_CRLSTATUS) = {
155 ASN1_SIMPLE(OSSL_CMP_CRLSTATUS, source, OSSL_CMP_CRLSOURCE),
156 ASN1_OPT(OSSL_CMP_CRLSTATUS, thisUpdate, ASN1_TIME)
157 } ASN1_SEQUENCE_END(OSSL_CMP_CRLSTATUS)
158 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CRLSTATUS)
160 OSSL_CMP_ITAV *OSSL_CMP_ITAV_create(ASN1_OBJECT *type, ASN1_TYPE *value)
164 if (type == NULL || (itav = OSSL_CMP_ITAV_new()) == NULL)
166 OSSL_CMP_ITAV_set0(itav, type, value);
170 void OSSL_CMP_ITAV_set0(OSSL_CMP_ITAV *itav, ASN1_OBJECT *type,
173 itav->infoType = type;
174 itav->infoValue.other = value;
177 ASN1_OBJECT *OSSL_CMP_ITAV_get0_type(const OSSL_CMP_ITAV *itav)
181 return itav->infoType;
184 ASN1_TYPE *OSSL_CMP_ITAV_get0_value(const OSSL_CMP_ITAV *itav)
188 return itav->infoValue.other;
191 int OSSL_CMP_ITAV_push0_stack_item(STACK_OF(OSSL_CMP_ITAV) **itav_sk_p,
196 if (itav_sk_p == NULL || itav == NULL) {
197 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
201 if (*itav_sk_p == NULL) {
202 if ((*itav_sk_p = sk_OSSL_CMP_ITAV_new_null()) == NULL)
206 if (!sk_OSSL_CMP_ITAV_push(*itav_sk_p, itav))
212 sk_OSSL_CMP_ITAV_free(*itav_sk_p);
219 *OSSL_CMP_ITAV_new0_certProfile(STACK_OF(ASN1_UTF8STRING) *certProfile)
223 if ((itav = OSSL_CMP_ITAV_new()) == NULL)
225 itav->infoType = OBJ_nid2obj(NID_id_it_certProfile);
226 itav->infoValue.certProfile = certProfile;
230 int OSSL_CMP_ITAV_get0_certProfile(const OSSL_CMP_ITAV *itav,
231 STACK_OF(ASN1_UTF8STRING) **out)
233 if (itav == NULL || out == NULL) {
234 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_NULL_PARAMETER);
237 if (OBJ_obj2nid(itav->infoType) != NID_id_it_certProfile) {
238 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_INVALID_ARGUMENT);
241 *out = itav->infoValue.certProfile;
245 OSSL_CMP_ITAV *OSSL_CMP_ITAV_new_caCerts(const STACK_OF(X509) *caCerts)
247 OSSL_CMP_ITAV *itav = OSSL_CMP_ITAV_new();
251 if (sk_X509_num(caCerts) > 0
252 && (itav->infoValue.caCerts =
253 sk_X509_deep_copy(caCerts, X509_dup, X509_free)) == NULL) {
254 OSSL_CMP_ITAV_free(itav);
257 itav->infoType = OBJ_nid2obj(NID_id_it_caCerts);
261 int OSSL_CMP_ITAV_get0_caCerts(const OSSL_CMP_ITAV *itav, STACK_OF(X509) **out)
263 if (itav == NULL || out == NULL) {
264 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_NULL_PARAMETER);
267 if (OBJ_obj2nid(itav->infoType) != NID_id_it_caCerts) {
268 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_INVALID_ARGUMENT);
271 *out = sk_X509_num(itav->infoValue.caCerts) > 0
272 ? itav->infoValue.caCerts : NULL;
276 OSSL_CMP_ITAV *OSSL_CMP_ITAV_new_rootCaCert(const X509 *rootCaCert)
278 OSSL_CMP_ITAV *itav = OSSL_CMP_ITAV_new();
282 if (rootCaCert != NULL
283 && (itav->infoValue.rootCaCert = X509_dup(rootCaCert)) == NULL) {
284 OSSL_CMP_ITAV_free(itav);
287 itav->infoType = OBJ_nid2obj(NID_id_it_rootCaCert);
291 int OSSL_CMP_ITAV_get0_rootCaCert(const OSSL_CMP_ITAV *itav, X509 **out)
293 if (itav == NULL || out == NULL) {
294 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_NULL_PARAMETER);
297 if (OBJ_obj2nid(itav->infoType) != NID_id_it_rootCaCert) {
298 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_INVALID_ARGUMENT);
301 *out = itav->infoValue.rootCaCert;
304 OSSL_CMP_ITAV *OSSL_CMP_ITAV_new_rootCaKeyUpdate(const X509 *newWithNew,
305 const X509 *newWithOld,
306 const X509 *oldWithNew)
309 OSSL_CMP_ROOTCAKEYUPDATE *upd = NULL;
311 if (newWithNew != NULL) {
312 upd = OSSL_CMP_ROOTCAKEYUPDATE_new();
316 if ((upd->newWithNew = X509_dup(newWithNew)) == NULL)
318 if (newWithOld != NULL
319 && (upd->newWithOld = X509_dup(newWithOld)) == NULL)
321 if (oldWithNew != NULL
322 && (upd->oldWithNew = X509_dup(oldWithNew)) == NULL)
326 if ((itav = OSSL_CMP_ITAV_new()) == NULL)
328 itav->infoType = OBJ_nid2obj(NID_id_it_rootCaKeyUpdate);
329 itav->infoValue.rootCaKeyUpdate = upd;
333 OSSL_CMP_ROOTCAKEYUPDATE_free(upd);
337 int OSSL_CMP_ITAV_get0_rootCaKeyUpdate(const OSSL_CMP_ITAV *itav,
342 OSSL_CMP_ROOTCAKEYUPDATE *upd;
344 if (itav == NULL || newWithNew == NULL) {
345 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_NULL_PARAMETER);
348 if (OBJ_obj2nid(itav->infoType) != NID_id_it_rootCaKeyUpdate) {
349 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_INVALID_ARGUMENT);
352 upd = itav->infoValue.rootCaKeyUpdate;
353 *newWithNew = upd != NULL ? upd->newWithNew : NULL;
354 if (newWithOld != NULL)
355 *newWithOld = upd != NULL ? upd->newWithOld : NULL;
356 if (oldWithNew != NULL)
357 *oldWithNew = upd != NULL ? upd->oldWithNew : NULL;
362 *OSSL_CMP_ITAV_new0_crlStatusList(STACK_OF(OSSL_CMP_CRLSTATUS) *crlStatusList)
366 if ((itav = OSSL_CMP_ITAV_new()) == NULL)
368 itav->infoType = OBJ_nid2obj(NID_id_it_crlStatusList);
369 itav->infoValue.crlStatusList = crlStatusList;
373 int OSSL_CMP_ITAV_get0_crlStatusList(const OSSL_CMP_ITAV *itav,
374 STACK_OF(OSSL_CMP_CRLSTATUS) **out)
376 if (itav == NULL || out == NULL) {
377 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_NULL_PARAMETER);
380 if (OBJ_obj2nid(itav->infoType) != NID_id_it_crlStatusList) {
381 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_INVALID_ARGUMENT);
384 *out = itav->infoValue.crlStatusList;
388 OSSL_CMP_CRLSTATUS *OSSL_CMP_CRLSTATUS_new1(const DIST_POINT_NAME *dpn,
389 const GENERAL_NAMES *issuer,
390 const ASN1_TIME *thisUpdate)
392 OSSL_CMP_CRLSOURCE *crlsource;
393 OSSL_CMP_CRLSTATUS *crlstatus;
395 if (dpn == NULL && issuer == NULL) {
396 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_NULL_PARAMETER);
399 if (dpn != NULL && issuer != NULL) {
400 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_INVALID_ARGUMENT);
404 if ((crlstatus = OSSL_CMP_CRLSTATUS_new()) == NULL)
406 crlsource = crlstatus->source;
409 crlsource->type = OSSL_CMP_CRLSOURCE_DPN;
410 if ((crlsource->value.dpn = DIST_POINT_NAME_dup(dpn)) == NULL)
413 crlsource->type = OSSL_CMP_CRLSOURCE_ISSUER;
414 if ((crlsource->value.issuer =
415 sk_GENERAL_NAME_deep_copy(issuer, GENERAL_NAME_dup,
416 GENERAL_NAME_free)) == NULL)
420 if (thisUpdate != NULL
421 && (crlstatus->thisUpdate = ASN1_TIME_dup(thisUpdate)) == NULL)
426 OSSL_CMP_CRLSTATUS_free(crlstatus);
430 static GENERAL_NAMES *gennames_new(const X509_NAME *nm)
432 GENERAL_NAMES *names;
433 GENERAL_NAME *name = NULL;
435 if ((names = sk_GENERAL_NAME_new_reserve(NULL, 1)) == NULL)
437 if (!GENERAL_NAME_set1_X509_NAME(&name, nm)) {
438 sk_GENERAL_NAME_free(names);
441 (void)sk_GENERAL_NAME_push(names, name); /* cannot fail */
445 static int gennames_allowed(GENERAL_NAMES *names, int only_DN)
451 return sk_GENERAL_NAME_num(names) == 1
452 && sk_GENERAL_NAME_value(names, 0)->type == GEN_DIRNAME;
455 OSSL_CMP_CRLSTATUS *OSSL_CMP_CRLSTATUS_create(const X509_CRL *crl,
456 const X509 *cert, int only_DN)
458 STACK_OF(DIST_POINT) *crldps = NULL;
459 ISSUING_DIST_POINT *idp = NULL;
460 DIST_POINT_NAME *dpn = NULL;
461 AUTHORITY_KEYID *akid = NULL;
462 GENERAL_NAMES *issuers = NULL;
463 const GENERAL_NAMES *CRLissuer = NULL;
464 const ASN1_TIME *last = crl == NULL ? NULL : X509_CRL_get0_lastUpdate(crl);
465 OSSL_CMP_CRLSTATUS *status = NULL;
466 int i, NID_akid = NID_authority_key_identifier;
470 * X509{,_CRL}_get_ext_d2i(..., NID, ..., NULL) return the 1st extension with
471 * given NID that is available, if any. If there are more, this is an error.
474 crldps = X509_get_ext_d2i(cert, NID_crl_distribution_points, NULL, NULL);
475 /* if available, take the first suitable element */
476 for (i = 0; i < sk_DIST_POINT_num(crldps); i++) {
477 DIST_POINT *dp = sk_DIST_POINT_value(crldps, i);
481 if ((dpn = dp->distpoint) != NULL) {
485 if (gennames_allowed(dp->CRLissuer, only_DN) && CRLissuer == NULL)
486 /* don't break because any dp->distpoint in list is preferred */
487 CRLissuer = dp->CRLissuer;
491 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
494 idp = X509_CRL_get_ext_d2i(crl,
495 NID_issuing_distribution_point, NULL, NULL);
496 if (idp != NULL && idp->distpoint != NULL)
497 dpn = idp->distpoint;
500 if (dpn == NULL && CRLissuer == NULL) {
502 akid = X509_get_ext_d2i(cert, NID_akid, NULL, NULL);
503 if (akid != NULL && gennames_allowed(akid->issuer, only_DN))
504 CRLissuer = akid->issuer;
506 CRLissuer = issuers = gennames_new(X509_get_issuer_name(cert));
508 if (CRLissuer == NULL && crl != NULL) {
509 akid = X509_CRL_get_ext_d2i(crl, NID_akid, NULL, NULL);
510 if (akid != NULL && gennames_allowed(akid->issuer, only_DN))
511 CRLissuer = akid->issuer;
513 CRLissuer = issuers = gennames_new(X509_CRL_get_issuer(crl));
515 if (CRLissuer == NULL)
519 status = OSSL_CMP_CRLSTATUS_new1(dpn, CRLissuer, last);
521 sk_DIST_POINT_pop_free(crldps, DIST_POINT_free);
522 ISSUING_DIST_POINT_free(idp);
523 AUTHORITY_KEYID_free(akid);
524 sk_GENERAL_NAME_pop_free(issuers, GENERAL_NAME_free);
528 int OSSL_CMP_CRLSTATUS_get0(const OSSL_CMP_CRLSTATUS *crlstatus,
529 DIST_POINT_NAME **dpn, GENERAL_NAMES **issuer,
530 ASN1_TIME **thisUpdate)
532 OSSL_CMP_CRLSOURCE *crlsource;
534 if (crlstatus == NULL || dpn == NULL || issuer == NULL) {
535 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
538 if ((crlsource = crlstatus->source) == NULL) {
539 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_INVALID_ARGUMENT);
543 if (crlsource->type == OSSL_CMP_CRLSOURCE_DPN) {
544 *dpn = crlsource->value.dpn;
546 } else if (crlsource->type == OSSL_CMP_CRLSOURCE_ISSUER) {
548 *issuer = crlsource->value.issuer;
550 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_INVALID_ARGUMENT);
553 if (thisUpdate != NULL)
554 *thisUpdate = crlstatus->thisUpdate;
558 OSSL_CMP_ITAV *OSSL_CMP_ITAV_new_crls(const X509_CRL *crl)
561 X509_CRL *crl_copy = NULL;
562 STACK_OF(X509_CRL) *crls = NULL;
564 if ((itav = OSSL_CMP_ITAV_new()) == NULL)
568 if ((crls = sk_X509_CRL_new_reserve(NULL, 1)) == NULL
569 || (crl_copy = X509_CRL_dup(crl)) == NULL)
571 (void)sk_X509_CRL_push(crls, crl_copy); /* cannot fail */
574 itav->infoType = OBJ_nid2obj(NID_id_it_crls);
575 itav->infoValue.crls = crls;
579 sk_X509_CRL_free(crls);
580 OSSL_CMP_ITAV_free(itav);
584 int OSSL_CMP_ITAV_get0_crls(const OSSL_CMP_ITAV *itav, STACK_OF(X509_CRL) **out)
586 if (itav == NULL || out == NULL) {
587 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_NULL_PARAMETER);
590 if (OBJ_obj2nid(itav->infoType) != NID_id_it_crls) {
591 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_INVALID_ARGUMENT);
594 *out = itav->infoValue.crls;
598 /* get ASN.1 encoded integer, return -2 on error; -1 is valid for certReqId */
599 int ossl_cmp_asn1_get_int(const ASN1_INTEGER *a)
603 if (!ASN1_INTEGER_get_int64(&res, a)) {
604 ERR_raise(ERR_LIB_CMP, ASN1_R_INVALID_NUMBER);
608 ERR_raise(ERR_LIB_CMP, ASN1_R_TOO_SMALL);
612 ERR_raise(ERR_LIB_CMP, ASN1_R_TOO_LARGE);
618 static int ossl_cmp_msg_cb(int operation, ASN1_VALUE **pval,
619 ossl_unused const ASN1_ITEM *it, void *exarg)
621 OSSL_CMP_MSG *msg = (OSSL_CMP_MSG *)*pval;
624 case ASN1_OP_FREE_POST:
625 OPENSSL_free(msg->propq);
628 case ASN1_OP_DUP_POST:
630 OSSL_CMP_MSG *old = exarg;
632 if (!ossl_cmp_msg_set0_libctx(msg, old->libctx, old->propq))
636 case ASN1_OP_GET0_LIBCTX:
638 OSSL_LIB_CTX **libctx = exarg;
640 *libctx = msg->libctx;
643 case ASN1_OP_GET0_PROPQ:
645 const char **propq = exarg;
657 ASN1_CHOICE(OSSL_CMP_CERTORENCCERT) = {
658 /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
659 ASN1_EXP(OSSL_CMP_CERTORENCCERT, value.certificate, X509, 0),
660 ASN1_EXP(OSSL_CMP_CERTORENCCERT, value.encryptedCert,
661 OSSL_CRMF_ENCRYPTEDVALUE, 1),
662 } ASN1_CHOICE_END(OSSL_CMP_CERTORENCCERT)
663 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CERTORENCCERT)
665 ASN1_SEQUENCE(OSSL_CMP_CERTIFIEDKEYPAIR) = {
666 ASN1_SIMPLE(OSSL_CMP_CERTIFIEDKEYPAIR, certOrEncCert,
667 OSSL_CMP_CERTORENCCERT),
668 ASN1_EXP_OPT(OSSL_CMP_CERTIFIEDKEYPAIR, privateKey,
669 OSSL_CRMF_ENCRYPTEDVALUE, 0),
670 ASN1_EXP_OPT(OSSL_CMP_CERTIFIEDKEYPAIR, publicationInfo,
671 OSSL_CRMF_PKIPUBLICATIONINFO, 1)
672 } ASN1_SEQUENCE_END(OSSL_CMP_CERTIFIEDKEYPAIR)
673 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CERTIFIEDKEYPAIR)
675 ASN1_SEQUENCE(OSSL_CMP_REVDETAILS) = {
676 ASN1_SIMPLE(OSSL_CMP_REVDETAILS, certDetails, OSSL_CRMF_CERTTEMPLATE),
677 ASN1_OPT(OSSL_CMP_REVDETAILS, crlEntryDetails, X509_EXTENSIONS)
678 } ASN1_SEQUENCE_END(OSSL_CMP_REVDETAILS)
679 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_REVDETAILS)
681 ASN1_ITEM_TEMPLATE(OSSL_CMP_REVREQCONTENT) =
682 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, OSSL_CMP_REVREQCONTENT,
684 ASN1_ITEM_TEMPLATE_END(OSSL_CMP_REVREQCONTENT)
686 ASN1_SEQUENCE(OSSL_CMP_REVREPCONTENT) = {
687 ASN1_SEQUENCE_OF(OSSL_CMP_REVREPCONTENT, status, OSSL_CMP_PKISI),
688 ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_REVREPCONTENT, revCerts, OSSL_CRMF_CERTID,
690 ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_REVREPCONTENT, crls, X509_CRL, 1)
691 } ASN1_SEQUENCE_END(OSSL_CMP_REVREPCONTENT)
692 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_REVREPCONTENT)
694 ASN1_SEQUENCE(OSSL_CMP_KEYRECREPCONTENT) = {
695 ASN1_SIMPLE(OSSL_CMP_KEYRECREPCONTENT, status, OSSL_CMP_PKISI),
696 ASN1_EXP_OPT(OSSL_CMP_KEYRECREPCONTENT, newSigCert, X509, 0),
697 ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_KEYRECREPCONTENT, caCerts, X509, 1),
698 ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_KEYRECREPCONTENT, keyPairHist,
699 OSSL_CMP_CERTIFIEDKEYPAIR, 2)
700 } ASN1_SEQUENCE_END(OSSL_CMP_KEYRECREPCONTENT)
701 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_KEYRECREPCONTENT)
703 ASN1_ITEM_TEMPLATE(OSSL_CMP_PKISTATUS) =
704 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_UNIVERSAL, 0, status, ASN1_INTEGER)
705 ASN1_ITEM_TEMPLATE_END(OSSL_CMP_PKISTATUS)
707 ASN1_SEQUENCE(OSSL_CMP_PKISI) = {
708 ASN1_SIMPLE(OSSL_CMP_PKISI, status, OSSL_CMP_PKISTATUS),
709 /* OSSL_CMP_PKIFREETEXT is a ASN1_UTF8STRING sequence, so used directly */
710 ASN1_SEQUENCE_OF_OPT(OSSL_CMP_PKISI, statusString, ASN1_UTF8STRING),
711 /* OSSL_CMP_PKIFAILUREINFO is effectively ASN1_BIT_STRING, used directly */
712 ASN1_OPT(OSSL_CMP_PKISI, failInfo, ASN1_BIT_STRING)
713 } ASN1_SEQUENCE_END(OSSL_CMP_PKISI)
714 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_PKISI)
715 IMPLEMENT_ASN1_DUP_FUNCTION(OSSL_CMP_PKISI)
717 ASN1_SEQUENCE(OSSL_CMP_CERTSTATUS) = {
718 ASN1_SIMPLE(OSSL_CMP_CERTSTATUS, certHash, ASN1_OCTET_STRING),
719 ASN1_SIMPLE(OSSL_CMP_CERTSTATUS, certReqId, ASN1_INTEGER),
720 ASN1_OPT(OSSL_CMP_CERTSTATUS, statusInfo, OSSL_CMP_PKISI),
721 ASN1_EXP_OPT(OSSL_CMP_CERTSTATUS, hashAlg, X509_ALGOR, 0)
722 } ASN1_SEQUENCE_END(OSSL_CMP_CERTSTATUS)
723 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CERTSTATUS)
725 ASN1_ITEM_TEMPLATE(OSSL_CMP_CERTCONFIRMCONTENT) =
726 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, OSSL_CMP_CERTCONFIRMCONTENT,
728 ASN1_ITEM_TEMPLATE_END(OSSL_CMP_CERTCONFIRMCONTENT)
730 ASN1_SEQUENCE(OSSL_CMP_CERTRESPONSE) = {
731 ASN1_SIMPLE(OSSL_CMP_CERTRESPONSE, certReqId, ASN1_INTEGER),
732 ASN1_SIMPLE(OSSL_CMP_CERTRESPONSE, status, OSSL_CMP_PKISI),
733 ASN1_OPT(OSSL_CMP_CERTRESPONSE, certifiedKeyPair,
734 OSSL_CMP_CERTIFIEDKEYPAIR),
735 ASN1_OPT(OSSL_CMP_CERTRESPONSE, rspInfo, ASN1_OCTET_STRING)
736 } ASN1_SEQUENCE_END(OSSL_CMP_CERTRESPONSE)
737 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CERTRESPONSE)
739 ASN1_SEQUENCE(OSSL_CMP_POLLREQ) = {
740 ASN1_SIMPLE(OSSL_CMP_POLLREQ, certReqId, ASN1_INTEGER)
741 } ASN1_SEQUENCE_END(OSSL_CMP_POLLREQ)
742 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_POLLREQ)
744 ASN1_ITEM_TEMPLATE(OSSL_CMP_POLLREQCONTENT) =
745 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, OSSL_CMP_POLLREQCONTENT,
747 ASN1_ITEM_TEMPLATE_END(OSSL_CMP_POLLREQCONTENT)
749 ASN1_SEQUENCE(OSSL_CMP_POLLREP) = {
750 ASN1_SIMPLE(OSSL_CMP_POLLREP, certReqId, ASN1_INTEGER),
751 ASN1_SIMPLE(OSSL_CMP_POLLREP, checkAfter, ASN1_INTEGER),
752 ASN1_SEQUENCE_OF_OPT(OSSL_CMP_POLLREP, reason, ASN1_UTF8STRING),
753 } ASN1_SEQUENCE_END(OSSL_CMP_POLLREP)
754 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_POLLREP)
756 ASN1_ITEM_TEMPLATE(OSSL_CMP_POLLREPCONTENT) =
757 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,
758 OSSL_CMP_POLLREPCONTENT,
760 ASN1_ITEM_TEMPLATE_END(OSSL_CMP_POLLREPCONTENT)
762 ASN1_SEQUENCE(OSSL_CMP_CERTREPMESSAGE) = {
763 /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
764 ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_CERTREPMESSAGE, caPubs, X509, 1),
765 ASN1_SEQUENCE_OF(OSSL_CMP_CERTREPMESSAGE, response, OSSL_CMP_CERTRESPONSE)
766 } ASN1_SEQUENCE_END(OSSL_CMP_CERTREPMESSAGE)
767 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CERTREPMESSAGE)
769 ASN1_ITEM_TEMPLATE(OSSL_CMP_GENMSGCONTENT) =
770 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, OSSL_CMP_GENMSGCONTENT,
772 ASN1_ITEM_TEMPLATE_END(OSSL_CMP_GENMSGCONTENT)
774 ASN1_ITEM_TEMPLATE(OSSL_CMP_GENREPCONTENT) =
775 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, OSSL_CMP_GENREPCONTENT,
777 ASN1_ITEM_TEMPLATE_END(OSSL_CMP_GENREPCONTENT)
779 ASN1_ITEM_TEMPLATE(OSSL_CMP_CRLANNCONTENT) =
780 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,
781 OSSL_CMP_CRLANNCONTENT, X509_CRL)
782 ASN1_ITEM_TEMPLATE_END(OSSL_CMP_CRLANNCONTENT)
784 ASN1_CHOICE(OSSL_CMP_PKIBODY) = {
785 ASN1_EXP(OSSL_CMP_PKIBODY, value.ir, OSSL_CRMF_MSGS, 0),
786 ASN1_EXP(OSSL_CMP_PKIBODY, value.ip, OSSL_CMP_CERTREPMESSAGE, 1),
787 ASN1_EXP(OSSL_CMP_PKIBODY, value.cr, OSSL_CRMF_MSGS, 2),
788 ASN1_EXP(OSSL_CMP_PKIBODY, value.cp, OSSL_CMP_CERTREPMESSAGE, 3),
789 ASN1_EXP(OSSL_CMP_PKIBODY, value.p10cr, X509_REQ, 4),
790 ASN1_EXP(OSSL_CMP_PKIBODY, value.popdecc,
791 OSSL_CMP_POPODECKEYCHALLCONTENT, 5),
792 ASN1_EXP(OSSL_CMP_PKIBODY, value.popdecr,
793 OSSL_CMP_POPODECKEYRESPCONTENT, 6),
794 ASN1_EXP(OSSL_CMP_PKIBODY, value.kur, OSSL_CRMF_MSGS, 7),
795 ASN1_EXP(OSSL_CMP_PKIBODY, value.kup, OSSL_CMP_CERTREPMESSAGE, 8),
796 ASN1_EXP(OSSL_CMP_PKIBODY, value.krr, OSSL_CRMF_MSGS, 9),
797 ASN1_EXP(OSSL_CMP_PKIBODY, value.krp, OSSL_CMP_KEYRECREPCONTENT, 10),
798 ASN1_EXP(OSSL_CMP_PKIBODY, value.rr, OSSL_CMP_REVREQCONTENT, 11),
799 ASN1_EXP(OSSL_CMP_PKIBODY, value.rp, OSSL_CMP_REVREPCONTENT, 12),
800 ASN1_EXP(OSSL_CMP_PKIBODY, value.ccr, OSSL_CRMF_MSGS, 13),
801 ASN1_EXP(OSSL_CMP_PKIBODY, value.ccp, OSSL_CMP_CERTREPMESSAGE, 14),
802 ASN1_EXP(OSSL_CMP_PKIBODY, value.ckuann, OSSL_CMP_CAKEYUPDANNCONTENT, 15),
803 ASN1_EXP(OSSL_CMP_PKIBODY, value.cann, X509, 16),
804 ASN1_EXP(OSSL_CMP_PKIBODY, value.rann, OSSL_CMP_REVANNCONTENT, 17),
805 ASN1_EXP(OSSL_CMP_PKIBODY, value.crlann, OSSL_CMP_CRLANNCONTENT, 18),
806 ASN1_EXP(OSSL_CMP_PKIBODY, value.pkiconf, ASN1_ANY, 19),
807 ASN1_EXP(OSSL_CMP_PKIBODY, value.nested, OSSL_CMP_MSGS, 20),
808 ASN1_EXP(OSSL_CMP_PKIBODY, value.genm, OSSL_CMP_GENMSGCONTENT, 21),
809 ASN1_EXP(OSSL_CMP_PKIBODY, value.genp, OSSL_CMP_GENREPCONTENT, 22),
810 ASN1_EXP(OSSL_CMP_PKIBODY, value.error, OSSL_CMP_ERRORMSGCONTENT, 23),
811 ASN1_EXP(OSSL_CMP_PKIBODY, value.certConf, OSSL_CMP_CERTCONFIRMCONTENT, 24),
812 ASN1_EXP(OSSL_CMP_PKIBODY, value.pollReq, OSSL_CMP_POLLREQCONTENT, 25),
813 ASN1_EXP(OSSL_CMP_PKIBODY, value.pollRep, OSSL_CMP_POLLREPCONTENT, 26),
814 } ASN1_CHOICE_END(OSSL_CMP_PKIBODY)
815 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_PKIBODY)
817 ASN1_SEQUENCE(OSSL_CMP_PKIHEADER) = {
818 ASN1_SIMPLE(OSSL_CMP_PKIHEADER, pvno, ASN1_INTEGER),
819 ASN1_SIMPLE(OSSL_CMP_PKIHEADER, sender, GENERAL_NAME),
820 ASN1_SIMPLE(OSSL_CMP_PKIHEADER, recipient, GENERAL_NAME),
821 ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, messageTime, ASN1_GENERALIZEDTIME, 0),
822 ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, protectionAlg, X509_ALGOR, 1),
823 ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, senderKID, ASN1_OCTET_STRING, 2),
824 ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, recipKID, ASN1_OCTET_STRING, 3),
825 ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, transactionID, ASN1_OCTET_STRING, 4),
826 ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, senderNonce, ASN1_OCTET_STRING, 5),
827 ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, recipNonce, ASN1_OCTET_STRING, 6),
828 /* OSSL_CMP_PKIFREETEXT is a ASN1_UTF8STRING sequence, so used directly */
829 ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_PKIHEADER, freeText, ASN1_UTF8STRING, 7),
830 ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_PKIHEADER, generalInfo,
832 } ASN1_SEQUENCE_END(OSSL_CMP_PKIHEADER)
833 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_PKIHEADER)
835 ASN1_SEQUENCE(OSSL_CMP_PROTECTEDPART) = {
836 ASN1_SIMPLE(OSSL_CMP_MSG, header, OSSL_CMP_PKIHEADER),
837 ASN1_SIMPLE(OSSL_CMP_MSG, body, OSSL_CMP_PKIBODY)
838 } ASN1_SEQUENCE_END(OSSL_CMP_PROTECTEDPART)
839 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_PROTECTEDPART)
841 ASN1_SEQUENCE_cb(OSSL_CMP_MSG, ossl_cmp_msg_cb) = {
842 ASN1_SIMPLE(OSSL_CMP_MSG, header, OSSL_CMP_PKIHEADER),
843 ASN1_SIMPLE(OSSL_CMP_MSG, body, OSSL_CMP_PKIBODY),
844 ASN1_EXP_OPT(OSSL_CMP_MSG, protection, ASN1_BIT_STRING, 0),
845 /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
846 ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_MSG, extraCerts, X509, 1)
847 } ASN1_SEQUENCE_END_cb(OSSL_CMP_MSG, OSSL_CMP_MSG)
848 IMPLEMENT_ASN1_DUP_FUNCTION(OSSL_CMP_MSG)
850 ASN1_ITEM_TEMPLATE(OSSL_CMP_MSGS) =
851 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, OSSL_CMP_MSGS,
853 ASN1_ITEM_TEMPLATE_END(OSSL_CMP_MSGS)