static char server_port[32] = { '\0' };
static char *opt_proxy = NULL;
static char *opt_no_proxy = NULL;
-static char *opt_path = "/";
+static char *opt_path = NULL;
static int opt_msg_timeout = -1;
static int opt_total_timeout = -1;
OPT_SECTION("Message transfer"),
{"server", OPT_SERVER, 's',
- "[http[s]://]address[:port] of CMP server. Default port 80 or 443."},
+ "[http[s]://]address[:port][/path] of CMP server. Default port 80 or 443."},
{OPT_MORE_STR, 0, 0,
- "The address may be a DNS name or an IP address"},
+ "address may be a DNS name or an IP address; path can be overridden by -path"},
{"proxy", OPT_PROXY, 's',
"[http[s]://]address[:port][/path] of HTTP(S) proxy to use; path is ignored"},
{"no_proxy", OPT_NO_PROXY, 's',
{OPT_MORE_STR, 0, 0,
"Default from environment variable 'no_proxy', else 'NO_PROXY', else none"},
{"path", OPT_PATH, 's',
- "HTTP path (aka CMP alias) at the CMP server. Default \"/\""},
+ "HTTP path (aka CMP alias) at the CMP server. Default from -server, else \"/\""},
{"msg_timeout", OPT_MSG_TIMEOUT, 'n',
"Timeout per CMP message round trip (or 0 for none). Default 120 seconds"},
{"total_timeout", OPT_TOTAL_TIMEOUT, 'n',
return res;
}
-static int set1_store_parameters(X509_STORE *ts)
-{
- if (ts == NULL)
- return 0;
-
- /* copy vpm to store */
- if (!X509_STORE_set1_param(ts, vpm /* may be NULL */)) {
- BIO_printf(bio_err, "error setting verification parameters\n");
- OSSL_CMP_CTX_print_errors(cmp_ctx);
- return 0;
- }
-
- X509_STORE_set_verify_cb(ts, X509_STORE_CTX_print_verify_cb);
-
- return 1;
-}
-
static int set_name(const char *str,
int (*set_fn) (OSSL_CMP_CTX *ctx, const X509_NAME *name),
OSSL_CMP_CTX *ctx, const char *desc)
return store;
}
+static X509_STORE *load_trusted(char *input, int for_new_cert, const char *desc)
+{
+ X509_STORE *ts = load_certstore(input, desc);
+
+ if (ts == NULL)
+ return NULL;
+ X509_STORE_set_verify_cb(ts, X509_STORE_CTX_print_verify_cb);
+
+ /* copy vpm to store */
+ if (X509_STORE_set1_param(ts, vpm /* may be NULL */)
+ && (for_new_cert || truststore_set_host_etc(ts, NULL)))
+ return ts;
+ BIO_printf(bio_err, "error setting verification parameters\n");
+ OSSL_CMP_CTX_print_errors(cmp_ctx);
+ X509_STORE_free(ts);
+ return NULL;
+}
+
/* TODO potentially move to apps/lib/apps.c */
static STACK_OF(X509) *load_certs_multifile(char *files,
const char *pass, const char *desc)
}
typedef int (*add_X509_stack_fn_t)(void *ctx, const STACK_OF(X509) *certs);
-typedef int (*add_X509_fn_t)(void *ctx, const X509 *cert);
static int setup_certs(char *files, const char *desc, void *ctx,
- add_X509_stack_fn_t addn_fn, add_X509_fn_t add1_fn)
+ add_X509_stack_fn_t set1_fn)
{
- int ret = 1;
+ STACK_OF(X509) *certs;
+ int ok;
- if (files != NULL) {
- STACK_OF(X509) *certs = load_certs_multifile(files, opt_otherpass,
- desc);
- if (certs == NULL) {
- ret = 0;
- } else {
- if (addn_fn != NULL) {
- ret = (*addn_fn)(ctx, certs);
- } else {
- int i;
-
- for (i = 0; i < sk_X509_num(certs /* may be NULL */); i++)
- ret &= (*add1_fn)(ctx, sk_X509_value(certs, i));
- }
- sk_X509_pop_free(certs, X509_free);
- }
- }
- return ret;
+ if (files == NULL)
+ return 1;
+ if ((certs = load_certs_multifile(files, opt_otherpass, desc)) == NULL)
+ return 0;
+ ok = (*set1_fn)(ctx, certs);
+ sk_X509_pop_free(certs, X509_free);
+ return ok;
}
if (opt_srv_trusted != NULL) {
X509_STORE *ts =
- load_certstore(opt_srv_trusted, "certificates trusted by server");
+ load_trusted(opt_srv_trusted, 0, "certs trusted by server");
- if (ts == NULL)
- goto err;
- if (!set1_store_parameters(ts)
- || !truststore_set_host_etc(ts, NULL)
- || !OSSL_CMP_CTX_set0_trustedStore(ctx, ts)) {
+ if (ts == NULL || !OSSL_CMP_CTX_set0_trustedStore(ctx, ts)) {
X509_STORE_free(ts);
goto err;
}
}
if (!setup_certs(opt_srv_untrusted,
"untrusted certificates for mock server", ctx,
- (add_X509_stack_fn_t)OSSL_CMP_CTX_set1_untrusted, NULL))
+ (add_X509_stack_fn_t)OSSL_CMP_CTX_set1_untrusted))
goto err;
if (opt_rsp_cert == NULL) {
/* TODO find a cleaner solution not requiring type casts */
if (!setup_certs(opt_rsp_extracerts,
"CMP extra certificates for mock server", srv_ctx,
- (add_X509_stack_fn_t)ossl_cmp_mock_srv_set1_chainOut,
- NULL))
+ (add_X509_stack_fn_t)ossl_cmp_mock_srv_set1_chainOut))
goto err;
if (!setup_certs(opt_rsp_capubs, "caPubs for mock server", srv_ctx,
- (add_X509_stack_fn_t)ossl_cmp_mock_srv_set1_caPubsOut,
- NULL))
+ (add_X509_stack_fn_t)ossl_cmp_mock_srv_set1_caPubsOut))
goto err;
(void)ossl_cmp_mock_srv_set_pollCount(srv_ctx, opt_poll_count);
(void)ossl_cmp_mock_srv_set_checkAfterTime(srv_ctx, opt_check_after);
static int setup_verification_ctx(OSSL_CMP_CTX *ctx)
{
if (!setup_certs(opt_untrusted, "untrusted certificates", ctx,
- (add_X509_stack_fn_t)OSSL_CMP_CTX_set1_untrusted,
- NULL))
- goto err;
+ (add_X509_stack_fn_t)OSSL_CMP_CTX_set1_untrusted))
+ return 0;
if (opt_srvcert != NULL || opt_trusted != NULL) {
- X509_STORE *ts = NULL;
+ X509 *srvcert;
+ X509_STORE *ts;
+ int ok;
if (opt_srvcert != NULL) {
- X509 *srvcert;
-
if (opt_trusted != NULL) {
CMP_warn("-trusted option is ignored since -srvcert option is present");
opt_trusted = NULL;
}
srvcert = load_cert_pwd(opt_srvcert, opt_otherpass,
"directly trusted CMP server certificate");
- if (srvcert == NULL)
- /*
- * opt_otherpass is needed in case
- * opt_srvcert is an encrypted PKCS#12 file
- */
- goto err;
- if (!OSSL_CMP_CTX_set1_srvCert(ctx, srvcert)) {
- X509_free(srvcert);
- goto oom;
- }
+ ok = srvcert != NULL && OSSL_CMP_CTX_set1_srvCert(ctx, srvcert);
X509_free(srvcert);
- if ((ts = X509_STORE_new()) == NULL)
- goto oom;
- }
- if (opt_trusted != NULL
- && (ts = load_certstore(opt_trusted, "trusted certificates"))
- == NULL)
- goto err;
- if (!set1_store_parameters(ts) /* also copies vpm */
- /*
- * clear any expected host/ip/email address;
- * opt_expect_sender is used instead
- */
- || !truststore_set_host_etc(ts, NULL)
- || !OSSL_CMP_CTX_set0_trustedStore(ctx, ts)) {
- X509_STORE_free(ts);
- goto oom;
+ if (!ok)
+ return 0;
+ }
+ if (opt_trusted != NULL) {
+ /*
+ * the 0 arg below clears any expected host/ip/email address;
+ * opt_expect_sender is used instead
+ */
+ ts = load_trusted(opt_trusted, 0, "certs trusted by client");
+
+ if (ts == NULL || !OSSL_CMP_CTX_set0_trustedStore(ctx, ts)) {
+ X509_STORE_free(ts);
+ return 0;
+ }
}
}
if (opt_out_trusted != NULL) { /* for use in OSSL_CMP_certConf_cb() */
X509_VERIFY_PARAM *out_vpm = NULL;
X509_STORE *out_trusted =
- load_certstore(opt_out_trusted,
- "trusted certs for verifying newly enrolled cert");
+ load_trusted(opt_out_trusted, 1,
+ "trusted certs for verifying newly enrolled cert");
if (out_trusted == NULL)
- goto err;
- /* any -verify_hostname, -verify_ip, and -verify_email apply here */
- if (!set1_store_parameters(out_trusted))
- goto oom;
+ return 0;
/* ignore any -attime here, new certs are current anyway */
out_vpm = X509_STORE_get0_param(out_trusted);
X509_VERIFY_PARAM_clear_flags(out_vpm, X509_V_FLAG_USE_CHECK_TIME);
if (opt_implicit_confirm)
(void)OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_IMPLICIT_CONFIRM, 1);
- (void)OSSL_CMP_CTX_set_certConf_cb(ctx, OSSL_CMP_certConf_cb);
-
return 1;
-
- oom:
- CMP_err("out of memory");
- err:
- return 0;
}
#ifndef OPENSSL_NO_SOCK
*/
static SSL_CTX *setup_ssl_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
{
- STACK_OF(X509) *untrusted_certs = OSSL_CMP_CTX_get0_untrusted(ctx);
+ STACK_OF(X509) *untrusted = OSSL_CMP_CTX_get0_untrusted(ctx);
EVP_PKEY *pkey = NULL;
X509_STORE *trust_store = NULL;
SSL_CTX *ssl_ctx;
sk_X509_pop_free(certs, X509_free);
goto err;
}
- for (i = 0; i < sk_X509_num(untrusted_certs); i++) {
- cert = sk_X509_value(untrusted_certs, i);
+ for (i = 0; i < sk_X509_num(untrusted); i++) {
+ cert = sk_X509_value(untrusted, i);
if (!SSL_CTX_add1_chain_cert(ssl_ctx, cert)) {
CMP_err("could not add untrusted cert to TLS client cert chain");
goto err;
}
}
- CMP_debug("trying to build cert chain for own TLS cert");
- if (SSL_CTX_build_cert_chain(ssl_ctx,
- SSL_BUILD_CHAIN_FLAG_UNTRUSTED |
- SSL_BUILD_CHAIN_FLAG_NO_ROOT)) {
- CMP_debug("succeeded building cert chain for own TLS cert");
- } else {
- OSSL_CMP_CTX_print_errors(ctx);
- CMP_warn("could not build cert chain for own TLS cert");
+
+ {
+ X509_VERIFY_PARAM *tls_vpm = NULL;
+ unsigned long bak_flags = 0; /* compiler warns without init */
+
+ if (trust_store != NULL) {
+ tls_vpm = X509_STORE_get0_param(trust_store);
+ bak_flags = X509_VERIFY_PARAM_get_flags(tls_vpm);
+ /* disable any cert status/revocation checking etc. */
+ X509_VERIFY_PARAM_clear_flags(tls_vpm,
+ ~(X509_V_FLAG_USE_CHECK_TIME
+ | X509_V_FLAG_NO_CHECK_TIME));
+ }
+ CMP_debug("trying to build cert chain for own TLS cert");
+ if (SSL_CTX_build_cert_chain(ssl_ctx,
+ SSL_BUILD_CHAIN_FLAG_UNTRUSTED |
+ SSL_BUILD_CHAIN_FLAG_NO_ROOT)) {
+ CMP_debug("success building cert chain for own TLS cert");
+ } else {
+ OSSL_CMP_CTX_print_errors(ctx);
+ CMP_warn("could not build cert chain for own TLS cert");
+ }
+ if (trust_store != NULL)
+ X509_VERIFY_PARAM_set_flags(tls_vpm, bak_flags);
}
/* If present we append to the list also the certs from opt_tls_extra */
{
if (!opt_unprotected_requests && opt_secret == NULL && opt_cert == NULL) {
CMP_err("must give client credentials unless -unprotected_requests is set");
- goto err;
+ return 0;
}
if (opt_ref == NULL && opt_cert == NULL && opt_subject == NULL) {
/* cert or subject should determine the sender */
CMP_err("must give -ref if no -cert and no -subject given");
- goto err;
+ return 0;
}
if (!opt_secret && ((opt_cert == NULL) != (opt_key == NULL))) {
CMP_err("must give both -cert and -key options or neither");
- goto err;
+ return 0;
}
if (opt_secret != NULL) {
char *pass_string = get_passwd(opt_secret, "PBMAC");
strlen(pass_string));
clear_free(pass_string);
if (res == 0)
- goto err;
+ return 0;
}
if (opt_cert != NULL || opt_key != NULL)
CMP_warn("no signature-based protection used since -secret is given");
if (opt_ref != NULL
&& !OSSL_CMP_CTX_set1_referenceValue(ctx, (unsigned char *)opt_ref,
strlen(opt_ref)))
- goto err;
+ return 0;
if (opt_key != NULL) {
EVP_PKEY *pkey = load_key_pwd(opt_key, opt_keyform, opt_keypass, engine,
if (pkey == NULL || !OSSL_CMP_CTX_set1_pkey(ctx, pkey)) {
EVP_PKEY_free(pkey);
- goto err;
+ return 0;
}
EVP_PKEY_free(pkey);
}
- if (opt_secret == NULL && opt_srvcert == NULL && opt_trusted == NULL) {
- CMP_err("missing -secret or -srvcert or -trusted");
- goto err;
- }
+ if (opt_secret == NULL && opt_srvcert == NULL && opt_trusted == NULL)
+ CMP_warn("will not authenticate server due to missing -secret, -trusted, or -srvcert");
if (opt_cert != NULL) {
X509 *cert;
STACK_OF(X509) *certs = NULL;
X509_STORE *own_trusted = NULL;
- int ok = 0;
+ int ok;
if (!load_cert_certs(opt_cert, &cert, &certs, 0, opt_keypass,
"CMP client certificate (optionally with chain)"))
/* opt_keypass is needed if opt_cert is an encrypted PKCS#12 file */
- goto err;
+ return 0;
ok = OSSL_CMP_CTX_set1_cert(ctx, cert);
X509_free(cert);
if (!ok) {
CMP_err("out of memory");
} else {
if (opt_own_trusted != NULL) {
- own_trusted = load_certstore(opt_own_trusted,
- "trusted certs for verifying own CMP signer cert");
- ok = own_trusted != NULL
- && set1_store_parameters(own_trusted)
- && truststore_set_host_etc(own_trusted, NULL);
+ own_trusted = load_trusted(opt_own_trusted, 0,
+ "trusted certs for verifying own CMP signer cert");
+ ok = own_trusted != NULL;
}
ok = ok && OSSL_CMP_CTX_build_cert_chain(ctx, own_trusted, certs);
}
X509_STORE_free(own_trusted);
sk_X509_pop_free(certs, X509_free);
if (!ok)
- goto err;
+ return 0;
} else if (opt_own_trusted != NULL) {
CMP_warn("-own_trusted option is ignored without -cert");
}
if (!setup_certs(opt_extracerts, "extra certificates for CMP", ctx,
- (add_X509_stack_fn_t)OSSL_CMP_CTX_set1_extraCertsOut,
- NULL))
- goto err;
+ (add_X509_stack_fn_t)OSSL_CMP_CTX_set1_extraCertsOut))
+ return 0;
cleanse(opt_otherpass);
if (opt_unprotected_requests)
if (digest == NID_undef) {
CMP_err1("digest algorithm name not recognized: '%s'", opt_digest);
- goto err;
+ return 0;
}
if (!OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_DIGEST_ALGNID, digest)
|| !OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_OWF_ALGNID, digest)) {
CMP_err1("digest algorithm name not supported: '%s'", opt_digest);
- goto err;
+ return 0;
}
}
int mac = OBJ_ln2nid(opt_mac);
if (mac == NID_undef) {
CMP_err1("MAC algorithm name not recognized: '%s'", opt_mac);
- goto err;
+ return 0;
}
(void)OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_MAC_ALGNID, mac);
}
return 1;
-
- err:
- return 0;
}
/*
CMP_warn("no -subject given, neither -oldcert nor -cert available as default");
if (!set_name(opt_subject, OSSL_CMP_CTX_set1_subjectName, ctx, "subject")
|| !set_name(opt_issuer, OSSL_CMP_CTX_set1_issuer, ctx, "issuer"))
- goto err;
+ return 0;
if (opt_newkey != NULL) {
const char *file = opt_newkey;
cleanse(opt_newkeypass);
if (pkey == NULL || !OSSL_CMP_CTX_set0_newPkey(ctx, priv, pkey)) {
EVP_PKEY_free(pkey);
- goto err;
+ return 0;
}
}
&& !OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_VALIDITY_DAYS,
opt_days)) {
CMP_err("could not set requested cert validity period");
- goto err;
+ return 0;
}
if (opt_policies != NULL && opt_policy_oids != NULL) {
CMP_err("cannot have policies both via -policies and via -policy_oids");
- goto err;
+ return 0;
}
if (opt_reqexts != NULL || opt_policies != NULL) {
X509_EXTENSIONS *exts = sk_X509_EXTENSION_new_null();
if (exts == NULL)
- goto err;
+ return 0;
X509V3_set_ctx(&ext_ctx, NULL, NULL, NULL, NULL, 0);
X509V3_set_nconf(&ext_ctx, conf);
if (opt_reqexts != NULL
CMP_err1("cannot load certificate request extension section '%s'",
opt_reqexts);
sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
- goto err;
+ return 0;
}
if (opt_policies != NULL
&& !X509V3_EXT_add_nconf_sk(conf, &ext_ctx, opt_policies, &exts)) {
CMP_err1("cannot load policy cert request extension section '%s'",
opt_policies);
sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
- goto err;
+ return 0;
}
OSSL_CMP_CTX_set0_reqExtensions(ctx, exts);
}
if (OSSL_CMP_CTX_reqExtensions_have_SAN(ctx) && opt_sans != NULL) {
CMP_err("cannot have Subject Alternative Names both via -reqexts and via -sans");
- goto err;
+ return 0;
}
if (!set_gennames(ctx, opt_sans, "Subject Alternative Name"))
- goto err;
+ return 0;
if (opt_san_nodefault) {
if (opt_sans != NULL)
if ((policy = OBJ_txt2obj(opt_policy_oids, 1)) == 0) {
CMP_err1("unknown policy OID '%s'", opt_policy_oids);
- goto err;
+ return 0;
}
if ((pinfo = POLICYINFO_new()) == NULL) {
ASN1_OBJECT_free(policy);
- goto err;
+ return 0;
}
pinfo->policyid = policy;
if (!OSSL_CMP_CTX_push0_policy(ctx, pinfo)) {
CMP_err1("cannot add policy with OID '%s'", opt_policy_oids);
POLICYINFO_free(pinfo);
- goto err;
+ return 0;
}
opt_policy_oids = next;
}
load_csr_autofmt(opt_csr, "PKCS#10 CSR for p10cr");
if (csr == NULL)
- goto err;
+ return 0;
if (!OSSL_CMP_CTX_set1_p10CSR(ctx, csr)) {
X509_REQ_free(csr);
goto oom;
/* opt_keypass is needed if opt_oldcert is an encrypted PKCS#12 file */
if (oldcert == NULL)
- goto err;
+ return 0;
if (!OSSL_CMP_CTX_set1_oldCert(ctx, oldcert)) {
X509_free(oldcert);
goto oom;
oom:
CMP_err("out of memory");
- err:
return 0;
}
static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
{
int ret = 0;
- char *server = NULL, *port = NULL, *path = NULL;
+ char *server = NULL, *port = NULL, *path = NULL, *used_path;
int portnum, ssl;
char server_buf[200] = { '\0' };
char proxy_buf[200] = { '\0' };
char *proxy_port_str = NULL;
if (opt_server == NULL) {
- CMP_err("missing server address[:port]");
+ CMP_err("missing -server option");
goto err;
}
if (!OSSL_HTTP_parse_url(opt_server, &server, &port, &portnum, &path, &ssl))
goto err;
}
strncpy(server_port, port, sizeof(server_port));
+ used_path = opt_path != NULL ? opt_path : path;
if (!OSSL_CMP_CTX_set1_server(ctx, server)
|| !OSSL_CMP_CTX_set_serverPort(ctx, portnum)
- || !OSSL_CMP_CTX_set1_serverPath(ctx, opt_path))
+ || !OSSL_CMP_CTX_set1_serverPath(ctx, used_path))
goto oom;
if (opt_proxy != NULL && !OSSL_CMP_CTX_set1_proxy(ctx, opt_proxy))
goto oom;
goto oom;
(void)BIO_snprintf(server_buf, sizeof(server_buf), "http%s://%s:%s/%s",
opt_tls_used ? "s" : "", server, port,
- opt_path[0] == '/' ? opt_path + 1 : opt_path);
+ *used_path == '/' ? used_path + 1 : used_path);
if (opt_proxy != NULL)
(void)BIO_snprintf(proxy_buf, sizeof(proxy_buf), " via %s", opt_proxy);
}
opt_server = mock_server;
opt_proxy = "API";
- } else {
- if (opt_server == NULL) {
- CMP_err("missing -server option");
- goto err;
- }
}
if (!setup_client_ctx(cmp_ctx, engine)) {
projects / openssl.git / blobdiff