/*
- * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright Nokia 2007-2019
* Copyright Siemens AG 2015-2019
*
#include <openssl/err.h>
#include <openssl/x509.h>
+DEFINE_STACK_OF(OSSL_CMP_CERTSTATUS)
+DEFINE_STACK_OF(OSSL_CMP_ITAV)
+DEFINE_STACK_OF(GENERAL_NAME)
+DEFINE_STACK_OF(X509)
+DEFINE_STACK_OF(X509_EXTENSION)
+DEFINE_STACK_OF(OSSL_CMP_PKISI)
+DEFINE_STACK_OF(OSSL_CRMF_MSG)
+DEFINE_STACK_OF(OSSL_CMP_CERTRESPONSE)
+DEFINE_STACK_OF(OSSL_CRMF_CERTID)
+DEFINE_STACK_OF(ASN1_UTF8STRING)
+
OSSL_CMP_PKIHEADER *OSSL_CMP_MSG_get0_header(const OSSL_CMP_MSG *msg)
{
if (msg == NULL) {
(sk_GENERAL_NAME_num((ctx)->subjectAltNames) > 0 \
|| OSSL_CMP_CTX_reqExtensions_have_SAN(ctx) == 1)
-static X509_NAME *determine_subj(OSSL_CMP_CTX *ctx, X509 *refcert,
- int bodytype)
+static const X509_NAME *determine_subj(OSSL_CMP_CTX *ctx, X509 *refcert,
+ int bodytype)
{
if (ctx->subjectName != NULL)
return ctx->subjectName;
static OSSL_CRMF_MSG *crm_new(OSSL_CMP_CTX *ctx, int bodytype, int rid)
{
OSSL_CRMF_MSG *crm = NULL;
- X509 *refcert = ctx->oldCert != NULL ? ctx->oldCert : ctx->clCert;
+ X509 *refcert = ctx->oldCert != NULL ? ctx->oldCert : ctx->cert;
/* refcert defaults to current client cert */
EVP_PKEY *rkey = OSSL_CMP_CTX_get0_newPkey(ctx, 0);
STACK_OF(GENERAL_NAME) *default_sans = NULL;
- X509_NAME *subject = determine_subj(ctx, refcert, bodytype);
+ const X509_NAME *subject = determine_subj(ctx, refcert, bodytype);
int crit = ctx->setSubjectAltNameCritical || subject == NULL;
/* RFC5280: subjectAltName MUST be critical if subject is null */
X509_EXTENSIONS *exts = NULL;
if (rkey == NULL)
- rkey = ctx->pkey; /* default is independent of ctx->oldClCert */
- if (rkey == NULL
- || (bodytype == OSSL_CMP_PKIBODY_KUR && refcert == NULL)) {
- CMPerr(0, CMP_R_INVALID_ARGS);
+ rkey = ctx->pkey; /* default is independent of ctx->oldCert */
+ if (rkey == NULL) {
+#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+ CMPerr(0, CMP_R_NULL_ARGUMENT);
+ return NULL;
+#endif
+ }
+ if (bodytype == OSSL_CMP_PKIBODY_KUR && refcert == NULL) {
+ CMPerr(0, CMP_R_MISSING_REFERENCE_CERT);
return NULL;
}
if ((crm = OSSL_CRMF_MSG_new()) == NULL)
NULL /* serial */))
goto err;
if (ctx->days != 0) {
- time_t notBefore, notAfter;
-
- notBefore = time(NULL);
- notAfter = notBefore + 60 * 60 * 24 * ctx->days;
- if (!OSSL_CRMF_MSG_set_validity(crm, notBefore, notAfter))
+ time_t now = time(NULL);
+ ASN1_TIME *notBefore = ASN1_TIME_adj(NULL, now, 0, 0);
+ ASN1_TIME *notAfter = ASN1_TIME_adj(NULL, now, ctx->days, 0);
+
+ if (notBefore == NULL
+ || notAfter == NULL
+ || !OSSL_CRMF_MSG_set0_validity(crm, notBefore, notAfter)) {
+ ASN1_TIME_free(notBefore);
+ ASN1_TIME_free(notAfter);
goto err;
+ }
}
/* extensions */
return msg;
err:
- CMPerr(0, err_code);
+ if (err_code != 0)
+ CMPerr(0, err_code);
OSSL_CRMF_MSG_free(crm);
OSSL_CMP_MSG_free(msg);
return NULL;
if (bodytype == OSSL_CMP_PKIBODY_IP && caPubs != NULL
&& (repMsg->caPubs = X509_chain_up_ref(caPubs)) == NULL)
goto err;
- if (chain != NULL
- && !ossl_cmp_sk_X509_add1_certs(msg->extraCerts, chain, 0, 1, 0))
+ if (sk_X509_num(chain) > 0) {
+ msg->extraCerts = sk_X509_new_reserve(NULL, sk_X509_num(chain));
+ if (msg->extraCerts == NULL
+ || !ossl_cmp_sk_X509_add1_certs(msg->extraCerts, chain, 0, 1, 0))
goto err;
+ }
if (!unprotectedErrors
|| ossl_cmp_pkisi_get_status(si) != OSSL_CMP_PKISTATUS_rejection)
return 0;
for (i = 0; i < sk_OSSL_CMP_ITAV_num(itavs); i++) {
- if ((itav = OSSL_CMP_ITAV_dup(sk_OSSL_CMP_ITAV_value(itavs, i))) == NULL)
- return 0;
- if (!ossl_cmp_msg_gen_push0_ITAV(msg, itav)) {
+ itav = OSSL_CMP_ITAV_dup(sk_OSSL_CMP_ITAV_value(itavs, i));
+ if (itav == NULL
+ || !ossl_cmp_msg_gen_push0_ITAV(msg, itav)) {
OSSL_CMP_ITAV_free(itav);
return 0;
}
return crt;
}
+int OSSL_CMP_MSG_update_transactionID(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg)
+{
+ if (ctx == NULL || msg == NULL) {
+ CMPerr(0, CMP_R_NULL_ARGUMENT);
+ return 0;
+ }
+ if (!ossl_cmp_hdr_set_transactionID(ctx, msg->header))
+ return 0;
+ return msg->header->protectionAlg == NULL
+ || ossl_cmp_msg_protect(ctx, msg);
+}
+
OSSL_CMP_MSG *ossl_cmp_msg_load(const char *file)
{
OSSL_CMP_MSG *msg = NULL;
if ((bio = BIO_new_file(file, "rb")) == NULL)
return NULL;
- msg = OSSL_d2i_CMP_MSG_bio(bio, NULL);
+ msg = d2i_OSSL_CMP_MSG_bio(bio, NULL);
BIO_free(bio);
return msg;
}
-OSSL_CMP_MSG *OSSL_d2i_CMP_MSG_bio(BIO *bio, OSSL_CMP_MSG **msg)
+OSSL_CMP_MSG *d2i_OSSL_CMP_MSG_bio(BIO *bio, OSSL_CMP_MSG **msg)
{
return ASN1_d2i_bio_of(OSSL_CMP_MSG, OSSL_CMP_MSG_new,
d2i_OSSL_CMP_MSG, bio, msg);
}
-int OSSL_i2d_CMP_MSG_bio(BIO *bio, const OSSL_CMP_MSG *msg)
+int i2d_OSSL_CMP_MSG_bio(BIO *bio, const OSSL_CMP_MSG *msg)
{
return ASN1_i2d_bio_of(OSSL_CMP_MSG, i2d_OSSL_CMP_MSG, bio, msg);
}