/*
- * Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright Nokia 2007-2019
* Copyright Siemens AG 2015-2019
*
#include <openssl/crmf.h>
#include <openssl/err.h>
-DEFINE_STACK_OF(X509)
-DEFINE_STACK_OF(X509_EXTENSION)
-DEFINE_STACK_OF(POLICYINFO)
-DEFINE_STACK_OF(ASN1_UTF8STRING)
-DEFINE_STACK_OF(GENERAL_NAME)
-DEFINE_STACK_OF(OSSL_CMP_ITAV)
+#define DEFINE_OSSL_CMP_CTX_get0(FIELD, TYPE) \
+ DEFINE_OSSL_CMP_CTX_get0_NAME(FIELD, FIELD, TYPE)
+#define DEFINE_OSSL_CMP_CTX_get0_NAME(NAME, FIELD, TYPE) \
+TYPE *OSSL_CMP_CTX_get0_##NAME(const OSSL_CMP_CTX *ctx) \
+{ \
+ if (ctx == NULL) { \
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); \
+ return NULL; \
+ } \
+ return ctx->FIELD; \
+}
/*
* Get current certificate store containing trusted root CA certs
*/
-X509_STORE *OSSL_CMP_CTX_get0_trustedStore(const OSSL_CMP_CTX *ctx)
-{
- if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
- return NULL;
- }
- return ctx->trusted;
+DEFINE_OSSL_CMP_CTX_get0_NAME(trustedStore, trusted, X509_STORE)
+
+#define DEFINE_OSSL_set0(PREFIX, FIELD, TYPE) \
+ DEFINE_OSSL_set0_NAME(PREFIX, FIELD, FIELD, TYPE)
+#define DEFINE_OSSL_set0_NAME(PREFIX, NAME, FIELD, TYPE) \
+int PREFIX##_set0##_##NAME(OSSL_CMP_CTX *ctx, TYPE *val) \
+{ \
+ if (ctx == NULL) { \
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); \
+ return 0; \
+ } \
+ TYPE##_free(ctx->FIELD); \
+ ctx->FIELD = val; \
+ return 1; \
}
/*
* and a cert verification callback function used for CMP server authentication.
* Any already existing store entry is freed. Given NULL, the entry is reset.
*/
-int OSSL_CMP_CTX_set0_trustedStore(OSSL_CMP_CTX *ctx, X509_STORE *store)
-{
- if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
- return 0;
- }
- X509_STORE_free(ctx->trusted);
- ctx->trusted = store;
- return 1;
-}
+DEFINE_OSSL_set0_NAME(OSSL_CMP_CTX, trustedStore, trusted, X509_STORE)
/* Get current list of non-trusted intermediate certs */
-STACK_OF(X509) *OSSL_CMP_CTX_get0_untrusted_certs(const OSSL_CMP_CTX *ctx)
-{
- if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
- return NULL;
- }
- return ctx->untrusted_certs;
-}
+DEFINE_OSSL_CMP_CTX_get0(untrusted, STACK_OF(X509))
/*
* Set untrusted certificates for path construction in authentication of
* the CMP server and potentially others (TLS server, newly enrolled cert).
*/
-int OSSL_CMP_CTX_set1_untrusted_certs(OSSL_CMP_CTX *ctx, STACK_OF(X509) *certs)
+int OSSL_CMP_CTX_set1_untrusted(OSSL_CMP_CTX *ctx, STACK_OF(X509) *certs)
{
- STACK_OF(X509) *untrusted_certs;
+ STACK_OF(X509) *untrusted = NULL;
+
if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return 0;
}
- if ((untrusted_certs = sk_X509_new_null()) == NULL)
- return 0;
- if (ossl_cmp_sk_X509_add1_certs(untrusted_certs, certs, 0, 1, 0) != 1)
+ if (!ossl_x509_add_certs_new(&untrusted, certs,
+ X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP))
goto err;
- sk_X509_pop_free(ctx->untrusted_certs, X509_free);
- ctx->untrusted_certs = untrusted_certs;
+ OSSL_STACK_OF_X509_free(ctx->untrusted);
+ ctx->untrusted = untrusted;
return 1;
err:
- sk_X509_pop_free(untrusted_certs, X509_free);
+ OSSL_STACK_OF_X509_free(untrusted);
return 0;
}
+static int cmp_ctx_set_md(OSSL_CMP_CTX *ctx, EVP_MD **pmd, int nid)
+{
+ EVP_MD *md = EVP_MD_fetch(ctx->libctx, OBJ_nid2sn(nid), ctx->propq);
+ /* fetching in advance to be able to throw error early if unsupported */
+
+ if (md == NULL) {
+ ERR_raise(ERR_LIB_CMP, CMP_R_UNSUPPORTED_ALGORITHM);
+ return 0;
+ }
+ EVP_MD_free(*pmd);
+ *pmd = md;
+ return 1;
+}
+
/*
* Allocates and initializes OSSL_CMP_CTX context structure with default values.
* Returns new context on success, NULL on error
*/
-OSSL_CMP_CTX *OSSL_CMP_CTX_new(void)
+OSSL_CMP_CTX *OSSL_CMP_CTX_new(OSSL_LIB_CTX *libctx, const char *propq)
{
OSSL_CMP_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
if (ctx == NULL)
- return NULL;
+ goto err;
+
+ ctx->libctx = libctx;
+ if (propq != NULL && (ctx->propq = OPENSSL_strdup(propq)) == NULL)
+ goto oom;
ctx->log_verbosity = OSSL_CMP_LOG_INFO;
ctx->status = -1;
ctx->failInfoCode = -1;
- ctx->msg_timeout = 2 * 60;
+ ctx->keep_alive = 1;
+ ctx->msg_timeout = -1;
- if ((ctx->untrusted_certs = sk_X509_new_null()) == NULL)
- goto err;
+ if ((ctx->untrusted = sk_X509_new_null()) == NULL)
+ goto oom;
ctx->pbm_slen = 16;
- ctx->pbm_owf = NID_sha256;
+ if (!cmp_ctx_set_md(ctx, &ctx->pbm_owf, NID_sha256))
+ goto err;
ctx->pbm_itercnt = 500;
ctx->pbm_mac = NID_hmac_sha1;
- ctx->digest = NID_sha256;
+ if (!cmp_ctx_set_md(ctx, &ctx->digest, NID_sha256))
+ goto err;
ctx->popoMethod = OSSL_CRMF_POPO_SIGNATURE;
ctx->revocationReason = CRL_REASON_NONE;
/* all other elements are initialized to 0 or NULL, respectively */
return ctx;
+ oom:
+ ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE);
err:
OSSL_CMP_CTX_free(ctx);
return NULL;
int OSSL_CMP_CTX_reinit(OSSL_CMP_CTX *ctx)
{
if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return 0;
}
+ if (ctx->http_ctx != NULL) {
+ (void)OSSL_HTTP_close(ctx->http_ctx, 1);
+ ossl_cmp_debug(ctx, "disconnected from CMP server");
+ ctx->http_ctx = NULL;
+ }
ctx->status = -1;
ctx->failInfoCode = -1;
return ossl_cmp_ctx_set0_statusString(ctx, NULL)
&& ossl_cmp_ctx_set0_newCert(ctx, NULL)
+ && ossl_cmp_ctx_set1_newChain(ctx, NULL)
&& ossl_cmp_ctx_set1_caPubs(ctx, NULL)
&& ossl_cmp_ctx_set1_extraCertsIn(ctx, NULL)
&& ossl_cmp_ctx_set0_validatedSrvCert(ctx, NULL)
&& ossl_cmp_ctx_set1_recipNonce(ctx, NULL);
}
+#define OSSL_CMP_ITAVs_free(itavs) \
+ sk_OSSL_CMP_ITAV_pop_free(itavs, OSSL_CMP_ITAV_free);
+#define X509_EXTENSIONS_free(exts) \
+ sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free)
+#define OSSL_CMP_PKIFREETEXT_free(text) \
+ sk_ASN1_UTF8STRING_pop_free(text, ASN1_UTF8STRING_free)
+
/* Frees OSSL_CMP_CTX variables allocated in OSSL_CMP_CTX_new() */
void OSSL_CMP_CTX_free(OSSL_CMP_CTX *ctx)
{
if (ctx == NULL)
return;
+ if (ctx->http_ctx != NULL) {
+ (void)OSSL_HTTP_close(ctx->http_ctx, 1);
+ ossl_cmp_debug(ctx, "disconnected from CMP server");
+ }
+ OPENSSL_free(ctx->propq);
OPENSSL_free(ctx->serverPath);
OPENSSL_free(ctx->server);
OPENSSL_free(ctx->proxy);
X509_free(ctx->validatedSrvCert);
X509_NAME_free(ctx->expected_sender);
X509_STORE_free(ctx->trusted);
- sk_X509_pop_free(ctx->untrusted_certs, X509_free);
+ OSSL_STACK_OF_X509_free(ctx->untrusted);
X509_free(ctx->cert);
+ OSSL_STACK_OF_X509_free(ctx->chain);
EVP_PKEY_free(ctx->pkey);
ASN1_OCTET_STRING_free(ctx->referenceValue);
if (ctx->secretValue != NULL)
OPENSSL_cleanse(ctx->secretValue->data, ctx->secretValue->length);
ASN1_OCTET_STRING_free(ctx->secretValue);
+ EVP_MD_free(ctx->pbm_owf);
X509_NAME_free(ctx->recipient);
+ EVP_MD_free(ctx->digest);
ASN1_OCTET_STRING_free(ctx->transactionID);
ASN1_OCTET_STRING_free(ctx->senderNonce);
ASN1_OCTET_STRING_free(ctx->recipNonce);
- sk_OSSL_CMP_ITAV_pop_free(ctx->geninfo_ITAVs, OSSL_CMP_ITAV_free);
- sk_X509_pop_free(ctx->extraCertsOut, X509_free);
+ OSSL_CMP_ITAVs_free(ctx->geninfo_ITAVs);
+ OSSL_STACK_OF_X509_free(ctx->extraCertsOut);
EVP_PKEY_free(ctx->newPkey);
X509_NAME_free(ctx->issuer);
X509_NAME_free(ctx->subjectName);
sk_GENERAL_NAME_pop_free(ctx->subjectAltNames, GENERAL_NAME_free);
- sk_X509_EXTENSION_pop_free(ctx->reqExtensions, X509_EXTENSION_free);
+ X509_EXTENSIONS_free(ctx->reqExtensions);
sk_POLICYINFO_pop_free(ctx->policies, POLICYINFO_free);
X509_free(ctx->oldCert);
X509_REQ_free(ctx->p10CSR);
- sk_OSSL_CMP_ITAV_pop_free(ctx->genm_ITAVs, OSSL_CMP_ITAV_free);
+ OSSL_CMP_ITAVs_free(ctx->genm_ITAVs);
- sk_ASN1_UTF8STRING_pop_free(ctx->statusString, ASN1_UTF8STRING_free);
+ OSSL_CMP_PKIFREETEXT_free(ctx->statusString);
X509_free(ctx->newCert);
- sk_X509_pop_free(ctx->caPubs, X509_free);
- sk_X509_pop_free(ctx->extraCertsIn, X509_free);
+ OSSL_STACK_OF_X509_free(ctx->newChain);
+ OSSL_STACK_OF_X509_free(ctx->caPubs);
+ OSSL_STACK_OF_X509_free(ctx->extraCertsIn);
OPENSSL_free(ctx);
}
-int ossl_cmp_ctx_set_status(OSSL_CMP_CTX *ctx, int status)
-{
- if (!ossl_assert(ctx != NULL))
- return 0;
- ctx->status = status;
- return 1;
+#define DEFINE_OSSL_set(PREFIX, FIELD, TYPE) \
+int PREFIX##_set_##FIELD(OSSL_CMP_CTX *ctx, TYPE val) \
+{ \
+ if (ctx == NULL) { \
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); \
+ return 0; \
+ } \
+ ctx->FIELD = val; \
+ return 1; \
+}
+
+DEFINE_OSSL_set(ossl_cmp_ctx, status, int)
+
+#define DEFINE_OSSL_get(PREFIX, FIELD, TYPE, ERR_RET) \
+TYPE PREFIX##_get_##FIELD(const OSSL_CMP_CTX *ctx) \
+{ \
+ if (ctx == NULL) { \
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); \
+ return ERR_RET; \
+ } \
+ return ctx->FIELD; \
}
/*
* Returns the PKIStatus from the last CertRepMessage
* or Revocation Response or error message, -1 on error
*/
-int OSSL_CMP_CTX_get_status(const OSSL_CMP_CTX *ctx)
-{
- if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
- return -1;
- }
- return ctx->status;
-}
+DEFINE_OSSL_get(OSSL_CMP_CTX, status, int, -1)
/*
* Returns the statusString from the last CertRepMessage
* or Revocation Response or error message, NULL on error
*/
-OSSL_CMP_PKIFREETEXT *OSSL_CMP_CTX_get0_statusString(const OSSL_CMP_CTX *ctx)
-{
- if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
- return NULL;
- }
- return ctx->statusString;
-}
+DEFINE_OSSL_CMP_CTX_get0(statusString, OSSL_CMP_PKIFREETEXT)
-int ossl_cmp_ctx_set0_statusString(OSSL_CMP_CTX *ctx,
- OSSL_CMP_PKIFREETEXT *text)
-{
- if (!ossl_assert(ctx != NULL))
- return 0;
- sk_ASN1_UTF8STRING_pop_free(ctx->statusString, ASN1_UTF8STRING_free);
- ctx->statusString = text;
- return 1;
-}
+DEFINE_OSSL_set0(ossl_cmp_ctx, statusString, OSSL_CMP_PKIFREETEXT)
int ossl_cmp_ctx_set0_validatedSrvCert(OSSL_CMP_CTX *ctx, X509 *cert)
{
}
/* Set callback function for checking if the cert is ok or should be rejected */
-int OSSL_CMP_CTX_set_certConf_cb(OSSL_CMP_CTX *ctx, OSSL_CMP_certConf_cb_t cb)
-{
- if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
- return 0;
- }
- ctx->certConf_cb = cb;
- return 1;
-}
+DEFINE_OSSL_set(OSSL_CMP_CTX, certConf_cb, OSSL_CMP_certConf_cb_t)
/*
* Set argument, respectively a pointer to a structure containing arguments,
* optionally to be used by the certConf callback.
*/
-int OSSL_CMP_CTX_set_certConf_cb_arg(OSSL_CMP_CTX *ctx, void *arg)
-{
- if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
- return 0;
- }
- ctx->certConf_cb_arg = arg;
- return 1;
-}
+DEFINE_OSSL_set(OSSL_CMP_CTX, certConf_cb_arg, void *)
/*
* Get argument, respectively the pointer to a structure containing arguments,
* optionally to be used by certConf callback.
* Returns callback argument set previously (NULL if not set or on error)
*/
-void *OSSL_CMP_CTX_get_certConf_cb_arg(const OSSL_CMP_CTX *ctx)
-{
- if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
- return NULL;
- }
- return ctx->certConf_cb_arg;
-}
+DEFINE_OSSL_get(OSSL_CMP_CTX, certConf_cb_arg, void *, NULL)
#ifndef OPENSSL_NO_TRACE
static size_t ossl_cmp_log_trace_cb(const char *buf, size_t cnt,
int OSSL_CMP_CTX_set_log_cb(OSSL_CMP_CTX *ctx, OSSL_CMP_log_cb_t cb)
{
if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return 0;
}
ctx->log_cb = cb;
}
/* Print OpenSSL and CMP errors via the log cb of the ctx or ERR_print_errors */
-void OSSL_CMP_CTX_print_errors(OSSL_CMP_CTX *ctx)
+void OSSL_CMP_CTX_print_errors(const OSSL_CMP_CTX *ctx)
{
+ if (ctx != NULL && OSSL_CMP_LOG_ERR > ctx->log_verbosity)
+ return; /* suppress output since severity is not sufficient */
OSSL_CMP_print_errors_cb(ctx == NULL ? NULL : ctx->log_cb);
}
const unsigned char *ref, int len)
{
if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return 0;
}
- return ossl_cmp_asn1_octet_string_set1_bytes(&ctx->referenceValue, ref,
- len);
+ return
+ ossl_cmp_asn1_octet_string_set1_bytes(&ctx->referenceValue, ref, len);
}
/* Set or clear the password to be used for protecting messages with PBMAC */
int OSSL_CMP_CTX_set1_secretValue(OSSL_CMP_CTX *ctx, const unsigned char *sec,
- const int len)
+ int len)
{
ASN1_OCTET_STRING *secretValue = NULL;
+
if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return 0;
}
if (ossl_cmp_asn1_octet_string_set1_bytes(&secretValue, sec, len) != 1)
return 1;
}
+#define DEFINE_OSSL_CMP_CTX_get1_certs(FIELD) \
+STACK_OF(X509) *OSSL_CMP_CTX_get1_##FIELD(const OSSL_CMP_CTX *ctx) \
+{ \
+ if (ctx == NULL) { \
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); \
+ return NULL; \
+ } \
+ return X509_chain_up_ref(ctx->FIELD); \
+}
+
+/* Returns the cert chain computed by OSSL_CMP_certConf_cb(), NULL on error */
+DEFINE_OSSL_CMP_CTX_get1_certs(newChain)
+
+#define DEFINE_OSSL_set1_certs(PREFIX, FIELD) \
+int PREFIX##_set1_##FIELD(OSSL_CMP_CTX *ctx, STACK_OF(X509) *certs) \
+{ \
+ if (ctx == NULL) { \
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); \
+ return 0; \
+ } \
+ OSSL_STACK_OF_X509_free(ctx->FIELD); \
+ ctx->FIELD = NULL; \
+ return certs == NULL || (ctx->FIELD = X509_chain_up_ref(certs)) != NULL; \
+}
+
/*
- * Returns the stack of certificates received in a response message.
- * The stack is duplicated so the caller must handle freeing it!
- * Returns pointer to created stack on success, NULL on error
+ * Copies any given stack of inbound X509 certificates to newChain
+ * of the OSSL_CMP_CTX structure so that they may be retrieved later.
*/
-STACK_OF(X509) *OSSL_CMP_CTX_get1_extraCertsIn(const OSSL_CMP_CTX *ctx)
-{
- if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
- return NULL;
- }
- if (ctx->extraCertsIn == NULL)
- return sk_X509_new_null();
- return X509_chain_up_ref(ctx->extraCertsIn);
-}
+DEFINE_OSSL_set1_certs(ossl_cmp_ctx, newChain)
+
+/* Returns the stack of extraCerts received in CertRepMessage, NULL on error */
+DEFINE_OSSL_CMP_CTX_get1_certs(extraCertsIn)
/*
* Copies any given stack of inbound X509 certificates to extraCertsIn
* of the OSSL_CMP_CTX structure so that they may be retrieved later.
*/
-int ossl_cmp_ctx_set1_extraCertsIn(OSSL_CMP_CTX *ctx,
- STACK_OF(X509) *extraCertsIn)
-{
- if (!ossl_assert(ctx != NULL))
- return 0;
-
- sk_X509_pop_free(ctx->extraCertsIn, X509_free);
- ctx->extraCertsIn = NULL;
- if (extraCertsIn == NULL)
- return 1;
- return (ctx->extraCertsIn = X509_chain_up_ref(extraCertsIn)) != NULL;
-}
+DEFINE_OSSL_set1_certs(ossl_cmp_ctx, extraCertsIn)
/*
- * Duplicate and set the given stack as the new stack of X509
+ * Copies any given stack as the new stack of X509
* certificates to send out in the extraCerts field.
*/
-int OSSL_CMP_CTX_set1_extraCertsOut(OSSL_CMP_CTX *ctx,
- STACK_OF(X509) *extraCertsOut)
-{
- if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
- return 0;
- }
-
- sk_X509_pop_free(ctx->extraCertsOut, X509_free);
- ctx->extraCertsOut = NULL;
- if (extraCertsOut == NULL)
- return 1;
- return (ctx->extraCertsOut = X509_chain_up_ref(extraCertsOut)) != NULL;
-}
+DEFINE_OSSL_set1_certs(OSSL_CMP_CTX, extraCertsOut)
/*
* Add the given policy info object
int OSSL_CMP_CTX_push0_policy(OSSL_CMP_CTX *ctx, POLICYINFO *pinfo)
{
if (ctx == NULL || pinfo == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return 0;
}
int OSSL_CMP_CTX_push0_geninfo_ITAV(OSSL_CMP_CTX *ctx, OSSL_CMP_ITAV *itav)
{
if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return 0;
}
return OSSL_CMP_ITAV_push0_stack_item(&ctx->geninfo_ITAVs, itav);
int OSSL_CMP_CTX_push0_genm_ITAV(OSSL_CMP_CTX *ctx, OSSL_CMP_ITAV *itav)
{
if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return 0;
}
return OSSL_CMP_ITAV_push0_stack_item(&ctx->genm_ITAVs, itav);
* were received in the caPubs field of the last CertRepMessage.
* Returns NULL on error
*/
-STACK_OF(X509) *OSSL_CMP_CTX_get1_caPubs(const OSSL_CMP_CTX *ctx)
-{
- if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
- return NULL;
- }
- if (ctx->caPubs == NULL)
- return sk_X509_new_null();
- return X509_chain_up_ref(ctx->caPubs);
-}
+DEFINE_OSSL_CMP_CTX_get1_certs(caPubs)
/*
- * Duplicate and copy the given stack of certificates to the given
+ * Copies any given stack of certificates to the given
* OSSL_CMP_CTX structure so that they may be retrieved later.
*/
-int ossl_cmp_ctx_set1_caPubs(OSSL_CMP_CTX *ctx, STACK_OF(X509) *caPubs)
-{
- if (!ossl_assert(ctx != NULL))
- return 0;
-
- sk_X509_pop_free(ctx->caPubs, X509_free);
- ctx->caPubs = NULL;
- if (caPubs == NULL)
- return 1;
- return (ctx->caPubs = X509_chain_up_ref(caPubs)) != NULL;
-}
+DEFINE_OSSL_set1_certs(ossl_cmp_ctx, caPubs)
#define char_dup OPENSSL_strdup
#define char_free OPENSSL_free
TYPE *val_dup = NULL; \
\
if (ctx == NULL) { \
- CMPerr(0, CMP_R_NULL_ARGUMENT); \
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); \
return 0; \
} \
\
return 1; \
}
-#define DEFINE_OSSL_CMP_CTX_set1_up_ref(FIELD, TYPE) \
-int OSSL_CMP_CTX_set1_##FIELD(OSSL_CMP_CTX *ctx, TYPE *val) \
+#define X509_invalid(cert) (!ossl_x509v3_cache_extensions(cert))
+#define EVP_PKEY_invalid(key) 0
+
+#define DEFINE_OSSL_set1_up_ref(PREFIX, FIELD, TYPE) \
+int PREFIX##_set1_##FIELD(OSSL_CMP_CTX *ctx, TYPE *val) \
{ \
if (ctx == NULL) { \
- CMPerr(0, CMP_R_NULL_ARGUMENT); \
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); \
return 0; \
} \
\
+ /* prevent misleading error later on malformed cert or provider issue */ \
+ if (val != NULL && TYPE##_invalid(val)) { \
+ ERR_raise(ERR_LIB_CMP, CMP_R_POTENTIALLY_INVALID_CERTIFICATE); \
+ return 0; \
+ } \
if (val != NULL && !TYPE##_up_ref(val)) \
return 0; \
TYPE##_free(ctx->FIELD); \
* for verifying response messages.
* Cert pointer is not consumed. It may be NULL to clear the entry.
*/
-DEFINE_OSSL_CMP_CTX_set1_up_ref(srvCert, X509)
+DEFINE_OSSL_set1_up_ref(OSSL_CMP_CTX, srvCert, X509)
/* Set the X509 name of the recipient. Set in the PKIHeader */
DEFINE_OSSL_CMP_CTX_set1(recipient, X509_NAME)
int OSSL_CMP_CTX_set0_reqExtensions(OSSL_CMP_CTX *ctx, X509_EXTENSIONS *exts)
{
if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return 0;
}
if (sk_GENERAL_NAME_num(ctx->subjectAltNames) > 0 && exts != NULL
&& X509v3_get_ext_by_NID(exts, NID_subject_alt_name, -1) >= 0) {
- CMPerr(0, CMP_R_MULTIPLE_SAN_SOURCES);
+ ERR_raise(ERR_LIB_CMP, CMP_R_MULTIPLE_SAN_SOURCES);
return 0;
}
- sk_X509_EXTENSION_pop_free(ctx->reqExtensions, X509_EXTENSION_free);
+ X509_EXTENSIONS_free(ctx->reqExtensions);
ctx->reqExtensions = exts;
return 1;
}
int OSSL_CMP_CTX_reqExtensions_have_SAN(OSSL_CMP_CTX *ctx)
{
if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return -1;
}
/* if one of the following conditions 'fail' this is not an error */
GENERAL_NAME *name_dup;
if (ctx == NULL || name == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return 0;
}
if (OSSL_CMP_CTX_reqExtensions_have_SAN(ctx) == 1) {
- CMPerr(0, CMP_R_MULTIPLE_SAN_SOURCES);
+ ERR_raise(ERR_LIB_CMP, CMP_R_MULTIPLE_SAN_SOURCES);
return 0;
}
* Set our own client certificate, used for example in KUR and when
* doing the IR with existing certificate.
*/
-DEFINE_OSSL_CMP_CTX_set1_up_ref(cert, X509)
+DEFINE_OSSL_set1_up_ref(OSSL_CMP_CTX, cert, X509)
+
+int OSSL_CMP_CTX_build_cert_chain(OSSL_CMP_CTX *ctx, X509_STORE *own_trusted,
+ STACK_OF(X509) *candidates)
+{
+ STACK_OF(X509) *chain;
+
+ if (ctx == NULL) {
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
+ return 0;
+ }
+
+ if (!ossl_x509_add_certs_new(&ctx->untrusted, candidates,
+ X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP))
+ return 0;
+
+ ossl_cmp_debug(ctx, "trying to build chain for own CMP signer cert");
+ chain = X509_build_chain(ctx->cert, ctx->untrusted, own_trusted, 0,
+ ctx->libctx, ctx->propq);
+ if (chain == NULL) {
+ ERR_raise(ERR_LIB_CMP, CMP_R_FAILED_BUILDING_OWN_CHAIN);
+ return 0;
+ }
+ ossl_cmp_debug(ctx, "success building chain for own CMP signer cert");
+ ctx->chain = chain;
+ return 1;
+}
/*
* Set the old certificate that we are updating in KUR
* Also used as reference cert (defaulting to cert) for deriving subject DN
* and SANs. Its issuer is used as default recipient in the CMP message header.
*/
-DEFINE_OSSL_CMP_CTX_set1_up_ref(oldCert, X509)
+DEFINE_OSSL_set1_up_ref(OSSL_CMP_CTX, oldCert, X509)
/* Set the PKCS#10 CSR to be sent in P10CR */
DEFINE_OSSL_CMP_CTX_set1(p10CSR, X509_REQ)
/*
* Set the (newly received in IP/KUP/CP) certificate in the context.
- * TODO: this only permits for one cert to be enrolled at a time.
+ * This only permits for one cert to be enrolled at a time.
*/
-int ossl_cmp_ctx_set0_newCert(OSSL_CMP_CTX *ctx, X509 *cert)
-{
- if (!ossl_assert(ctx != NULL))
- return 0;
-
- X509_free(ctx->newCert);
- ctx->newCert = cert;
- return 1;
-}
+DEFINE_OSSL_set0(ossl_cmp_ctx, newCert, X509)
/*
* Get the (newly received in IP/KUP/CP) client certificate from the context
- * TODO: this only permits for one client cert to be received...
+ * This only permits for one client cert to be received...
*/
-X509 *OSSL_CMP_CTX_get0_newCert(const OSSL_CMP_CTX *ctx)
-{
- if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
- return NULL;
- }
- return ctx->newCert;
-}
+DEFINE_OSSL_CMP_CTX_get0(newCert, X509)
/* Set the client's current private key */
-DEFINE_OSSL_CMP_CTX_set1_up_ref(pkey, EVP_PKEY)
+DEFINE_OSSL_set1_up_ref(OSSL_CMP_CTX, pkey, EVP_PKEY)
/* Set new key pair. Used e.g. when doing Key Update */
int OSSL_CMP_CTX_set0_newPkey(OSSL_CMP_CTX *ctx, int priv, EVP_PKEY *pkey)
{
if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return 0;
}
EVP_PKEY *OSSL_CMP_CTX_get0_newPkey(const OSSL_CMP_CTX *ctx, int priv)
{
if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return NULL;
}
return ctx->pkey; /* may be NULL */
}
-/* Set the given transactionID to the context */
-int OSSL_CMP_CTX_set1_transactionID(OSSL_CMP_CTX *ctx,
- const ASN1_OCTET_STRING *id)
-{
- if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
- return 0;
- }
- return ossl_cmp_asn1_octet_string_set1(&ctx->transactionID, id);
+#define DEFINE_set1_ASN1_OCTET_STRING(PREFIX, FIELD) \
+int PREFIX##_set1_##FIELD(OSSL_CMP_CTX *ctx, const ASN1_OCTET_STRING *id) \
+{ \
+ if (ctx == NULL) { \
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); \
+ return 0; \
+ } \
+ return ossl_cmp_asn1_octet_string_set1(&ctx->FIELD, id); \
}
+/* Set the given transactionID to the context */
+DEFINE_set1_ASN1_OCTET_STRING(OSSL_CMP_CTX, transactionID)
+
/* Set the nonce to be used for the recipNonce in the message created next */
-int ossl_cmp_ctx_set1_recipNonce(OSSL_CMP_CTX *ctx,
- const ASN1_OCTET_STRING *nonce)
-{
- if (!ossl_assert(ctx != NULL))
- return 0;
- return ossl_cmp_asn1_octet_string_set1(&ctx->recipNonce, nonce);
-}
+DEFINE_set1_ASN1_OCTET_STRING(ossl_cmp_ctx, recipNonce)
/* Stores the given nonce as the last senderNonce sent out */
-int OSSL_CMP_CTX_set1_senderNonce(OSSL_CMP_CTX *ctx,
- const ASN1_OCTET_STRING *nonce)
-{
- if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
- return 0;
- }
- return ossl_cmp_asn1_octet_string_set1(&ctx->senderNonce, nonce);
-}
+DEFINE_set1_ASN1_OCTET_STRING(OSSL_CMP_CTX, senderNonce)
/* Set the proxy server to use for HTTP(S) connections */
DEFINE_OSSL_CMP_CTX_set1(proxy, char)
DEFINE_OSSL_CMP_CTX_set1(no_proxy, char)
/* Set the http connect/disconnect callback function to be used for HTTP(S) */
-int OSSL_CMP_CTX_set_http_cb(OSSL_CMP_CTX *ctx, OSSL_HTTP_bio_cb_t cb)
-{
- if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
- return 0;
- }
- ctx->http_cb = cb;
- return 1;
-}
+DEFINE_OSSL_set(OSSL_CMP_CTX, http_cb, OSSL_HTTP_bio_cb_t)
/* Set argument optionally to be used by the http connect/disconnect callback */
-int OSSL_CMP_CTX_set_http_cb_arg(OSSL_CMP_CTX *ctx, void *arg)
-{
- if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
- return 0;
- }
- ctx->http_cb_arg = arg;
- return 1;
-}
+DEFINE_OSSL_set(OSSL_CMP_CTX, http_cb_arg, void *)
/*
* Get argument optionally to be used by the http connect/disconnect callback
* Returns callback argument set previously (NULL if not set or on error)
*/
-void *OSSL_CMP_CTX_get_http_cb_arg(const OSSL_CMP_CTX *ctx)
-{
- if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
- return NULL;
- }
- return ctx->http_cb_arg;
-}
+DEFINE_OSSL_get(OSSL_CMP_CTX, http_cb_arg, void *, NULL)
/* Set callback function for sending CMP request and receiving response */
-int OSSL_CMP_CTX_set_transfer_cb(OSSL_CMP_CTX *ctx, OSSL_CMP_transfer_cb_t cb)
-{
- if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
- return 0;
- }
- ctx->transfer_cb = cb;
- return 1;
-}
+DEFINE_OSSL_set(OSSL_CMP_CTX, transfer_cb, OSSL_CMP_transfer_cb_t)
/* Set argument optionally to be used by the transfer callback */
-int OSSL_CMP_CTX_set_transfer_cb_arg(OSSL_CMP_CTX *ctx, void *arg)
-{
- if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
- return 0;
- }
- ctx->transfer_cb_arg = arg;
- return 1;
-}
+DEFINE_OSSL_set(OSSL_CMP_CTX, transfer_cb_arg, void *)
/*
* Get argument optionally to be used by the transfer callback.
* Returns callback argument set previously (NULL if not set or on error)
*/
-void *OSSL_CMP_CTX_get_transfer_cb_arg(const OSSL_CMP_CTX *ctx)
-{
- if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
- return NULL;
- }
- return ctx->transfer_cb_arg;
-}
+DEFINE_OSSL_get(OSSL_CMP_CTX, transfer_cb_arg, void *, NULL)
/** Set the HTTP server port to be used */
-int OSSL_CMP_CTX_set_serverPort(OSSL_CMP_CTX *ctx, int port)
-{
- if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
- return 0;
- }
- ctx->serverPort = port;
- return 1;
-}
+DEFINE_OSSL_set(OSSL_CMP_CTX, serverPort, int)
/* Set the HTTP path to be used on the server (e.g "pkix/") */
DEFINE_OSSL_CMP_CTX_set1(serverPath, char)
/* Set the failInfo error code as bit encoding in OSSL_CMP_CTX */
-int ossl_cmp_ctx_set_failInfoCode(OSSL_CMP_CTX *ctx, int fail_info)
-{
- if (!ossl_assert(ctx != NULL))
- return 0;
- ctx->failInfoCode = fail_info;
- return 1;
-}
+DEFINE_OSSL_set(ossl_cmp_ctx, failInfoCode, int)
/*
* Get the failInfo error code in OSSL_CMP_CTX as bit encoding.
* Returns bit string as integer on success, -1 on error
*/
-int OSSL_CMP_CTX_get_failInfoCode(const OSSL_CMP_CTX *ctx)
-{
- if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
- return -1;
- }
- return ctx->failInfoCode;
-}
+DEFINE_OSSL_get(OSSL_CMP_CTX, failInfoCode, int, -1)
/* Set a Boolean or integer option of the context to the "val" arg */
int OSSL_CMP_CTX_set_option(OSSL_CMP_CTX *ctx, int opt, int val)
int min_val;
if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return 0;
}
break;
}
if (val < min_val) {
- CMPerr(0, CMP_R_INVALID_ARGS);
+ ERR_raise(ERR_LIB_CMP, CMP_R_VALUE_TOO_SMALL);
return 0;
}
switch (opt) {
case OSSL_CMP_OPT_LOG_VERBOSITY:
- if (val > OSSL_CMP_LOG_DEBUG) {
- CMPerr(0, CMP_R_INVALID_ARGS);
+ if (val > OSSL_CMP_LOG_MAX) {
+ ERR_raise(ERR_LIB_CMP, CMP_R_VALUE_TOO_LARGE);
return 0;
}
ctx->log_verbosity = val;
break;
case OSSL_CMP_OPT_POPO_METHOD:
if (val > OSSL_CRMF_POPO_KEYAGREE) {
- CMPerr(0, CMP_R_INVALID_ARGS);
+ ERR_raise(ERR_LIB_CMP, CMP_R_VALUE_TOO_LARGE);
return 0;
}
ctx->popoMethod = val;
break;
case OSSL_CMP_OPT_DIGEST_ALGNID:
- ctx->digest = val;
+ if (!cmp_ctx_set_md(ctx, &ctx->digest, val))
+ return 0;
break;
case OSSL_CMP_OPT_OWF_ALGNID:
- ctx->pbm_owf = val;
+ if (!cmp_ctx_set_md(ctx, &ctx->pbm_owf, val))
+ return 0;
break;
case OSSL_CMP_OPT_MAC_ALGNID:
ctx->pbm_mac = val;
break;
+ case OSSL_CMP_OPT_KEEP_ALIVE:
+ ctx->keep_alive = val;
+ break;
case OSSL_CMP_OPT_MSG_TIMEOUT:
ctx->msg_timeout = val;
break;
break;
case OSSL_CMP_OPT_REVOCATION_REASON:
if (val > OCSP_REVOKED_STATUS_AACOMPROMISE) {
- CMPerr(0, CMP_R_INVALID_ARGS);
+ ERR_raise(ERR_LIB_CMP, CMP_R_VALUE_TOO_LARGE);
return 0;
}
ctx->revocationReason = val;
break;
default:
- CMPerr(0, CMP_R_INVALID_ARGS);
+ ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_OPTION);
return 0;
}
int OSSL_CMP_CTX_get_option(const OSSL_CMP_CTX *ctx, int opt)
{
if (ctx == NULL) {
- CMPerr(0, CMP_R_NULL_ARGUMENT);
+ ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
return -1;
}
case OSSL_CMP_OPT_POPO_METHOD:
return ctx->popoMethod;
case OSSL_CMP_OPT_DIGEST_ALGNID:
- return ctx->digest;
+ return EVP_MD_get_type(ctx->digest);
case OSSL_CMP_OPT_OWF_ALGNID:
- return ctx->pbm_owf;
+ return EVP_MD_get_type(ctx->pbm_owf);
case OSSL_CMP_OPT_MAC_ALGNID:
return ctx->pbm_mac;
+ case OSSL_CMP_OPT_KEEP_ALIVE:
+ return ctx->keep_alive;
case OSSL_CMP_OPT_MSG_TIMEOUT:
return ctx->msg_timeout;
case OSSL_CMP_OPT_TOTAL_TIMEOUT:
case OSSL_CMP_OPT_REVOCATION_REASON:
return ctx->revocationReason;
default:
- CMPerr(0, CMP_R_INVALID_ARGS);
+ ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_OPTION);
return -1;
}
}
projects / openssl.git / blobdiff