return res;
}
-static int set1_store_parameters(X509_STORE *ts)
-{
- if (ts == NULL)
- return 0;
-
- /* copy vpm to store */
- if (!X509_STORE_set1_param(ts, vpm /* may be NULL */)) {
- BIO_printf(bio_err, "error setting verification parameters\n");
- OSSL_CMP_CTX_print_errors(cmp_ctx);
- return 0;
- }
-
- X509_STORE_set_verify_cb(ts, X509_STORE_CTX_print_verify_cb);
-
- return 1;
-}
-
static int set_name(const char *str,
int (*set_fn) (OSSL_CMP_CTX *ctx, const X509_NAME *name),
OSSL_CMP_CTX *ctx, const char *desc)
return store;
}
+static X509_STORE *load_trusted(char *input, int for_new_cert, const char *desc)
+{
+ X509_STORE *ts = load_certstore(input, desc);
+
+ if (ts == NULL)
+ return NULL;
+ X509_STORE_set_verify_cb(ts, X509_STORE_CTX_print_verify_cb);
+
+ /* copy vpm to store */
+ if (X509_STORE_set1_param(ts, vpm /* may be NULL */)
+ && (for_new_cert || truststore_set_host_etc(ts, NULL)))
+ return ts;
+ BIO_printf(bio_err, "error setting verification parameters\n");
+ OSSL_CMP_CTX_print_errors(cmp_ctx);
+ X509_STORE_free(ts);
+ return NULL;
+}
+
/* TODO potentially move to apps/lib/apps.c */
static STACK_OF(X509) *load_certs_multifile(char *files,
const char *pass, const char *desc)
}
typedef int (*add_X509_stack_fn_t)(void *ctx, const STACK_OF(X509) *certs);
-typedef int (*add_X509_fn_t)(void *ctx, const X509 *cert);
static int setup_certs(char *files, const char *desc, void *ctx,
- add_X509_stack_fn_t addn_fn, add_X509_fn_t add1_fn)
+ add_X509_stack_fn_t set1_fn)
{
- int ret = 1;
+ STACK_OF(X509) *certs;
+ int ok;
- if (files != NULL) {
- STACK_OF(X509) *certs = load_certs_multifile(files, opt_otherpass,
- desc);
- if (certs == NULL) {
- ret = 0;
- } else {
- if (addn_fn != NULL) {
- ret = (*addn_fn)(ctx, certs);
- } else {
- int i;
-
- for (i = 0; i < sk_X509_num(certs /* may be NULL */); i++)
- ret &= (*add1_fn)(ctx, sk_X509_value(certs, i));
- }
- sk_X509_pop_free(certs, X509_free);
- }
- }
- return ret;
+ if (files == NULL)
+ return 1;
+ if ((certs = load_certs_multifile(files, opt_otherpass, desc)) == NULL)
+ return 0;
+ ok = (*set1_fn)(ctx, certs);
+ sk_X509_pop_free(certs, X509_free);
+ return ok;
}
if (opt_srv_trusted != NULL) {
X509_STORE *ts =
- load_certstore(opt_srv_trusted, "certificates trusted by server");
+ load_trusted(opt_srv_trusted, 0, "certs trusted by server");
- if (ts == NULL)
- goto err;
- if (!set1_store_parameters(ts)
- || !truststore_set_host_etc(ts, NULL)
- || !OSSL_CMP_CTX_set0_trustedStore(ctx, ts)) {
+ if (ts == NULL || !OSSL_CMP_CTX_set0_trustedStore(ctx, ts)) {
X509_STORE_free(ts);
goto err;
}
}
if (!setup_certs(opt_srv_untrusted,
"untrusted certificates for mock server", ctx,
- (add_X509_stack_fn_t)OSSL_CMP_CTX_set1_untrusted, NULL))
+ (add_X509_stack_fn_t)OSSL_CMP_CTX_set1_untrusted))
goto err;
if (opt_rsp_cert == NULL) {
/* TODO find a cleaner solution not requiring type casts */
if (!setup_certs(opt_rsp_extracerts,
"CMP extra certificates for mock server", srv_ctx,
- (add_X509_stack_fn_t)ossl_cmp_mock_srv_set1_chainOut,
- NULL))
+ (add_X509_stack_fn_t)ossl_cmp_mock_srv_set1_chainOut))
goto err;
if (!setup_certs(opt_rsp_capubs, "caPubs for mock server", srv_ctx,
- (add_X509_stack_fn_t)ossl_cmp_mock_srv_set1_caPubsOut,
- NULL))
+ (add_X509_stack_fn_t)ossl_cmp_mock_srv_set1_caPubsOut))
goto err;
(void)ossl_cmp_mock_srv_set_pollCount(srv_ctx, opt_poll_count);
(void)ossl_cmp_mock_srv_set_checkAfterTime(srv_ctx, opt_check_after);
static int setup_verification_ctx(OSSL_CMP_CTX *ctx)
{
if (!setup_certs(opt_untrusted, "untrusted certificates", ctx,
- (add_X509_stack_fn_t)OSSL_CMP_CTX_set1_untrusted,
- NULL))
- goto err;
+ (add_X509_stack_fn_t)OSSL_CMP_CTX_set1_untrusted))
+ return 0;
if (opt_srvcert != NULL || opt_trusted != NULL) {
- X509_STORE *ts = NULL;
+ X509 *srvcert;
+ X509_STORE *ts;
+ int ok;
if (opt_srvcert != NULL) {
- X509 *srvcert;
-
if (opt_trusted != NULL) {
CMP_warn("-trusted option is ignored since -srvcert option is present");
opt_trusted = NULL;
}
srvcert = load_cert_pwd(opt_srvcert, opt_otherpass,
"directly trusted CMP server certificate");
- if (srvcert == NULL)
- /*
- * opt_otherpass is needed in case
- * opt_srvcert is an encrypted PKCS#12 file
- */
- goto err;
- if (!OSSL_CMP_CTX_set1_srvCert(ctx, srvcert)) {
- X509_free(srvcert);
- goto oom;
- }
+ ok = srvcert != NULL && OSSL_CMP_CTX_set1_srvCert(ctx, srvcert);
X509_free(srvcert);
- if ((ts = X509_STORE_new()) == NULL)
- goto oom;
+ if (!ok)
+ return 0;
}
- if (opt_trusted != NULL
- && (ts = load_certstore(opt_trusted, "trusted certificates"))
- == NULL)
- goto err;
- if (!set1_store_parameters(ts) /* also copies vpm */
- /*
- * clear any expected host/ip/email address;
- * opt_expect_sender is used instead
- */
- || !truststore_set_host_etc(ts, NULL)
- || !OSSL_CMP_CTX_set0_trustedStore(ctx, ts)) {
- X509_STORE_free(ts);
- goto oom;
+ if (opt_trusted != NULL) {
+ /*
+ * the 0 arg below clears any expected host/ip/email address;
+ * opt_expect_sender is used instead
+ */
+ ts = load_trusted(opt_trusted, 0, "certs trusted by client");
+
+ if (ts == NULL || !OSSL_CMP_CTX_set0_trustedStore(ctx, ts)) {
+ X509_STORE_free(ts);
+ return 0;
+ }
}
}
if (opt_out_trusted != NULL) { /* for use in OSSL_CMP_certConf_cb() */
X509_VERIFY_PARAM *out_vpm = NULL;
X509_STORE *out_trusted =
- load_certstore(opt_out_trusted,
- "trusted certs for verifying newly enrolled cert");
+ load_trusted(opt_out_trusted, 1,
+ "trusted certs for verifying newly enrolled cert");
if (out_trusted == NULL)
- goto err;
- /* any -verify_hostname, -verify_ip, and -verify_email apply here */
- if (!set1_store_parameters(out_trusted))
- goto oom;
+ return 0;
/* ignore any -attime here, new certs are current anyway */
out_vpm = X509_STORE_get0_param(out_trusted);
X509_VERIFY_PARAM_clear_flags(out_vpm, X509_V_FLAG_USE_CHECK_TIME);
if (opt_implicit_confirm)
(void)OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_IMPLICIT_CONFIRM, 1);
- (void)OSSL_CMP_CTX_set_certConf_cb(ctx, OSSL_CMP_certConf_cb);
-
return 1;
-
- oom:
- CMP_err("out of memory");
- err:
- return 0;
}
#ifndef OPENSSL_NO_SOCK
*/
static SSL_CTX *setup_ssl_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
{
- STACK_OF(X509) *untrusted_certs = OSSL_CMP_CTX_get0_untrusted(ctx);
+ STACK_OF(X509) *untrusted = OSSL_CMP_CTX_get0_untrusted(ctx);
EVP_PKEY *pkey = NULL;
X509_STORE *trust_store = NULL;
SSL_CTX *ssl_ctx;
sk_X509_pop_free(certs, X509_free);
goto err;
}
- for (i = 0; i < sk_X509_num(untrusted_certs); i++) {
- cert = sk_X509_value(untrusted_certs, i);
+ for (i = 0; i < sk_X509_num(untrusted); i++) {
+ cert = sk_X509_value(untrusted, i);
if (!SSL_CTX_add1_chain_cert(ssl_ctx, cert)) {
CMP_err("could not add untrusted cert to TLS client cert chain");
goto err;
}
}
- CMP_debug("trying to build cert chain for own TLS cert");
- if (SSL_CTX_build_cert_chain(ssl_ctx,
- SSL_BUILD_CHAIN_FLAG_UNTRUSTED |
- SSL_BUILD_CHAIN_FLAG_NO_ROOT)) {
- CMP_debug("succeeded building cert chain for own TLS cert");
- } else {
- OSSL_CMP_CTX_print_errors(ctx);
- CMP_warn("could not build cert chain for own TLS cert");
+
+ {
+ X509_VERIFY_PARAM *tls_vpm = NULL;
+ unsigned long bak_flags = 0; /* compiler warns without init */
+
+ if (trust_store != NULL) {
+ tls_vpm = X509_STORE_get0_param(trust_store);
+ bak_flags = X509_VERIFY_PARAM_get_flags(tls_vpm);
+ /* disable any cert status/revocation checking etc. */
+ X509_VERIFY_PARAM_clear_flags(tls_vpm,
+ ~(X509_V_FLAG_USE_CHECK_TIME
+ | X509_V_FLAG_NO_CHECK_TIME));
+ }
+ CMP_debug("trying to build cert chain for own TLS cert");
+ if (SSL_CTX_build_cert_chain(ssl_ctx,
+ SSL_BUILD_CHAIN_FLAG_UNTRUSTED |
+ SSL_BUILD_CHAIN_FLAG_NO_ROOT)) {
+ CMP_debug("success building cert chain for own TLS cert");
+ } else {
+ OSSL_CMP_CTX_print_errors(ctx);
+ CMP_warn("could not build cert chain for own TLS cert");
+ }
+ if (trust_store != NULL)
+ X509_VERIFY_PARAM_set_flags(tls_vpm, bak_flags);
}
/* If present we append to the list also the certs from opt_tls_extra */
{
if (!opt_unprotected_requests && opt_secret == NULL && opt_cert == NULL) {
CMP_err("must give client credentials unless -unprotected_requests is set");
- goto err;
+ return 0;
}
if (opt_ref == NULL && opt_cert == NULL && opt_subject == NULL) {
/* cert or subject should determine the sender */
CMP_err("must give -ref if no -cert and no -subject given");
- goto err;
+ return 0;
}
if (!opt_secret && ((opt_cert == NULL) != (opt_key == NULL))) {
CMP_err("must give both -cert and -key options or neither");
- goto err;
+ return 0;
}
if (opt_secret != NULL) {
char *pass_string = get_passwd(opt_secret, "PBMAC");
strlen(pass_string));
clear_free(pass_string);
if (res == 0)
- goto err;
+ return 0;
}
if (opt_cert != NULL || opt_key != NULL)
CMP_warn("no signature-based protection used since -secret is given");
if (opt_ref != NULL
&& !OSSL_CMP_CTX_set1_referenceValue(ctx, (unsigned char *)opt_ref,
strlen(opt_ref)))
- goto err;
+ return 0;
if (opt_key != NULL) {
EVP_PKEY *pkey = load_key_pwd(opt_key, opt_keyform, opt_keypass, engine,
if (pkey == NULL || !OSSL_CMP_CTX_set1_pkey(ctx, pkey)) {
EVP_PKEY_free(pkey);
- goto err;
+ return 0;
}
EVP_PKEY_free(pkey);
}
X509 *cert;
STACK_OF(X509) *certs = NULL;
X509_STORE *own_trusted = NULL;
- int ok = 0;
+ int ok;
if (!load_cert_certs(opt_cert, &cert, &certs, 0, opt_keypass,
"CMP client certificate (optionally with chain)"))
/* opt_keypass is needed if opt_cert is an encrypted PKCS#12 file */
- goto err;
+ return 0;
ok = OSSL_CMP_CTX_set1_cert(ctx, cert);
X509_free(cert);
if (!ok) {
CMP_err("out of memory");
} else {
if (opt_own_trusted != NULL) {
- own_trusted = load_certstore(opt_own_trusted,
- "trusted certs for verifying own CMP signer cert");
- ok = own_trusted != NULL
- && set1_store_parameters(own_trusted)
- && truststore_set_host_etc(own_trusted, NULL);
+ own_trusted = load_trusted(opt_own_trusted, 0,
+ "trusted certs for verifying own CMP signer cert");
+ ok = own_trusted != NULL;
}
ok = ok && OSSL_CMP_CTX_build_cert_chain(ctx, own_trusted, certs);
}
X509_STORE_free(own_trusted);
sk_X509_pop_free(certs, X509_free);
if (!ok)
- goto err;
+ return 0;
} else if (opt_own_trusted != NULL) {
CMP_warn("-own_trusted option is ignored without -cert");
}
if (!setup_certs(opt_extracerts, "extra certificates for CMP", ctx,
- (add_X509_stack_fn_t)OSSL_CMP_CTX_set1_extraCertsOut,
- NULL))
- goto err;
+ (add_X509_stack_fn_t)OSSL_CMP_CTX_set1_extraCertsOut))
+ return 0;
cleanse(opt_otherpass);
if (opt_unprotected_requests)
if (digest == NID_undef) {
CMP_err1("digest algorithm name not recognized: '%s'", opt_digest);
- goto err;
+ return 0;
}
if (!OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_DIGEST_ALGNID, digest)
|| !OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_OWF_ALGNID, digest)) {
CMP_err1("digest algorithm name not supported: '%s'", opt_digest);
- goto err;
+ return 0;
}
}
int mac = OBJ_ln2nid(opt_mac);
if (mac == NID_undef) {
CMP_err1("MAC algorithm name not recognized: '%s'", opt_mac);
- goto err;
+ return 0;
}
(void)OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_MAC_ALGNID, mac);
}
return 1;
-
- err:
- return 0;
}
/*
CMP_warn("no -subject given, neither -oldcert nor -cert available as default");
if (!set_name(opt_subject, OSSL_CMP_CTX_set1_subjectName, ctx, "subject")
|| !set_name(opt_issuer, OSSL_CMP_CTX_set1_issuer, ctx, "issuer"))
- goto err;
+ return 0;
if (opt_newkey != NULL) {
const char *file = opt_newkey;
cleanse(opt_newkeypass);
if (pkey == NULL || !OSSL_CMP_CTX_set0_newPkey(ctx, priv, pkey)) {
EVP_PKEY_free(pkey);
- goto err;
+ return 0;
}
}
&& !OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_VALIDITY_DAYS,
opt_days)) {
CMP_err("could not set requested cert validity period");
- goto err;
+ return 0;
}
if (opt_policies != NULL && opt_policy_oids != NULL) {
CMP_err("cannot have policies both via -policies and via -policy_oids");
- goto err;
+ return 0;
}
if (opt_reqexts != NULL || opt_policies != NULL) {
X509_EXTENSIONS *exts = sk_X509_EXTENSION_new_null();
if (exts == NULL)
- goto err;
+ return 0;
X509V3_set_ctx(&ext_ctx, NULL, NULL, NULL, NULL, 0);
X509V3_set_nconf(&ext_ctx, conf);
if (opt_reqexts != NULL
CMP_err1("cannot load certificate request extension section '%s'",
opt_reqexts);
sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
- goto err;
+ return 0;
}
if (opt_policies != NULL
&& !X509V3_EXT_add_nconf_sk(conf, &ext_ctx, opt_policies, &exts)) {
CMP_err1("cannot load policy cert request extension section '%s'",
opt_policies);
sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
- goto err;
+ return 0;
}
OSSL_CMP_CTX_set0_reqExtensions(ctx, exts);
}
if (OSSL_CMP_CTX_reqExtensions_have_SAN(ctx) && opt_sans != NULL) {
CMP_err("cannot have Subject Alternative Names both via -reqexts and via -sans");
- goto err;
+ return 0;
}
if (!set_gennames(ctx, opt_sans, "Subject Alternative Name"))
- goto err;
+ return 0;
if (opt_san_nodefault) {
if (opt_sans != NULL)
if ((policy = OBJ_txt2obj(opt_policy_oids, 1)) == 0) {
CMP_err1("unknown policy OID '%s'", opt_policy_oids);
- goto err;
+ return 0;
}
if ((pinfo = POLICYINFO_new()) == NULL) {
ASN1_OBJECT_free(policy);
- goto err;
+ return 0;
}
pinfo->policyid = policy;
if (!OSSL_CMP_CTX_push0_policy(ctx, pinfo)) {
CMP_err1("cannot add policy with OID '%s'", opt_policy_oids);
POLICYINFO_free(pinfo);
- goto err;
+ return 0;
}
opt_policy_oids = next;
}
load_csr_autofmt(opt_csr, "PKCS#10 CSR for p10cr");
if (csr == NULL)
- goto err;
+ return 0;
if (!OSSL_CMP_CTX_set1_p10CSR(ctx, csr)) {
X509_REQ_free(csr);
goto oom;
/* opt_keypass is needed if opt_oldcert is an encrypted PKCS#12 file */
if (oldcert == NULL)
- goto err;
+ return 0;
if (!OSSL_CMP_CTX_set1_oldCert(ctx, oldcert)) {
X509_free(oldcert);
goto oom;
oom:
CMP_err("out of memory");
- err:
return 0;
}
#include "openssl/cmp_util.h"
DEFINE_STACK_OF(ASN1_UTF8STRING)
+DEFINE_STACK_OF(X509)
DEFINE_STACK_OF(X509_CRL)
DEFINE_STACK_OF(OSSL_CMP_CERTRESPONSE)
DEFINE_STACK_OF(OSSL_CMP_PKISI)
const char **text)
{
X509_STORE *out_trusted = OSSL_CMP_CTX_get_certConf_cb_arg(ctx);
+ STACK_OF(X509) *chain = NULL;
(void)text; /* make (artificial) use of var to prevent compiler warning */
if (fail_info != 0) /* accept any error flagged by CMP core library */
return fail_info;
- if (out_trusted != NULL
- && !OSSL_CMP_validate_cert_path(ctx, out_trusted, cert))
- fail_info = 1 << OSSL_CMP_PKIFAILUREINFO_incorrectData;
+ ossl_cmp_debug(ctx, "trying to build chain for newly enrolled cert");
+ chain = ossl_cmp_build_cert_chain(ctx->libctx, ctx->propq,
+ out_trusted /* may be NULL */,
+ ctx->untrusted, cert);
+ if (sk_X509_num(chain) > 0)
+ X509_free(sk_X509_shift(chain)); /* remove leaf (EE) cert */
+ if (out_trusted != NULL) {
+ if (chain == NULL) {
+ ossl_cmp_err(ctx, "failed building chain for newly enrolled cert");
+ fail_info = 1 << OSSL_CMP_PKIFAILUREINFO_incorrectData;
+ } else {
+ ossl_cmp_debug(ctx,
+ "succeeded building proper chain for newly enrolled cert");
+ }
+ } else if (chain == NULL) {
+ ossl_cmp_warn(ctx, "could not build approximate chain for newly enrolled cert, resorting to received extraCerts");
+ chain = OSSL_CMP_CTX_get1_extraCertsIn(ctx);
+ } else {
+ ossl_cmp_debug(ctx,
+ "success building approximate chain for newly enrolled cert");
+ }
+ (void)ossl_cmp_ctx_set1_newChain(ctx, chain);
+ sk_X509_pop_free(chain, X509_free);
return fail_info;
}
const char *txt = NULL;
OSSL_CMP_CERTREPMESSAGE *crepmsg;
OSSL_CMP_CERTRESPONSE *crep;
+ OSSL_CMP_certConf_cb_t cb;
X509 *cert;
char *subj = NULL;
int ret = 1;
+ if (!ossl_assert(ctx != NULL))
+ return 0;
+
retry:
crepmsg = (*resp)->body->value.ip; /* same for cp and kup */
if (sk_OSSL_CMP_CERTRESPONSE_num(crepmsg->response) > 1) {
* OSSL_CMP_PKISTATUS_rejection, fail_info, txt)
* not throwing CMP_R_CERTIFICATE_NOT_ACCEPTED with txt
* not returning 0
- * since we better leave this for any ctx->certConf_cb to decide
+ * since we better leave this for the certConf_cb to decide
*/
}
/*
- * Execute the certification checking callback function possibly set in ctx,
+ * Execute the certification checking callback function,
* which can determine whether to accept a newly enrolled certificate.
* It may overrule the pre-decision reflected in 'fail_info' and '*txt'.
*/
- if (ctx->certConf_cb
- && (fail_info = ctx->certConf_cb(ctx, ctx->newCert,
- fail_info, &txt)) != 0) {
- if (txt == NULL)
- txt = "CMP client application did not accept it";
- }
+ cb = ctx->certConf_cb != NULL ? ctx->certConf_cb : OSSL_CMP_certConf_cb;
+ if ((fail_info = cb(ctx, ctx->newCert, fail_info, &txt)) != 0
+ && txt == NULL)
+ txt = "CMP client did not accept it";
if (fail_info != 0) /* immediately log error before any certConf exchange */
ossl_cmp_log1(ERROR, ctx,
"rejecting newly enrolled cert with subject: %s", subj);