if (ctx->certOut != NULL
&& (*certOut = X509_dup(ctx->certOut)) == NULL)
+ /* Should better return a cert produced from data in request template */
goto err;
if (ctx->chainOut != NULL
&& (*chainOut = X509_chain_up_ref(ctx->chainOut)) == NULL)
for (i = 0; i < sk_ASN1_UTF8STRING_num(errorDetails); i++) {
if (i > 0)
BIO_printf(bio_err, ", ");
- BIO_printf(bio_err, "\"");
- ASN1_STRING_print(bio_err,
- sk_ASN1_UTF8STRING_value(errorDetails, i));
- BIO_printf(bio_err, "\"");
+ ASN1_STRING_print_ex(bio_err,
+ sk_ASN1_UTF8STRING_value(errorDetails, i),
+ ASN1_STRFLGS_ESC_QUOTE);
}
BIO_printf(bio_err, "\n");
}
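Review bot: Printing each errorDetails entry with `ASN1_STRING_print_ex` and only `ASN1_STRFLGS_ESC_QUOTE` may sanitise less than the `ASN1_STRING_print` call it replaces. As far as I know, `ASN1_STRING_print` substitutes `.` for non-printable bytes, whereas `ASN1_STRING_print_ex` escapes control characters only when `ASN1_STRFLGS_ESC_CTRL` is set and adds the surrounding quotes only when some character requires them. If errorDetails is taken from a received message, which this hunk does not show, the strings are peer-controlled and control characters could reach the terminal or log unescaped. Consider passing `ASN1_STRFLGS_ESC_QUOTE | ASN1_STRFLGS_ESC_CTRL`, or add a comment saying why raw output is acceptable here. The enclosing function starts outside the hunk.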
int revocationReason; /* revocation reason code to be included in RR */
STACK_OF(OSSL_CMP_ITAV) *genm_ITAVs; /* content of general message */
- /* result returned in responses */
+ /* result returned in responses, so far supporting only one certResponse */
int status; /* PKIStatus of last received IP/CP/KUP/RP/error or -1 */
OSSL_CMP_PKIFREETEXT *statusString; /* of last IP/CP/KUP/RP/error */
int failInfoCode; /* failInfoCode of last received IP/CP/KUP/error, or -1 */
* } -- or HMAC [RFC2104, RFC2202])
*/
/*-
+ * Not supported:
* id-DHBasedMac OBJECT IDENTIFIER ::= {1 2 840 113533 7 66 30}
* DHBMParameter ::= SEQUENCE {
* owf AlgorithmIdentifier,
/*
* For the case of re-protection remove pre-existing protection.
+ * Does not remove any pre-existing extraCerts.
*/
X509_ALGOR_free(msg->header->protectionAlg);
msg->header->protectionAlg = NULL;
msg = ossl_cmp_certrep_new(srv_ctx->ctx, bodytype, certReqId, si,
certOut, NULL /* enc */, chainOut, caPubs,
srv_ctx->sendUnprotectedErrors);
+ /* When supporting OSSL_CRMF_POPO_KEYENC, "enc" will need to be set */
if (msg == NULL)
ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_CERTREP);
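Review bot: The added comment about "enc" sits between the `ossl_cmp_certrep_new(...)` call and its `if (msg == NULL)` check, so it reads as if it described the error path. It concerns the `NULL /* enc */` argument, so it would be clearer placed directly above the call, for example `/* TODO: set "enc" once OSSL_CRMF_POPO_KEYENC is supported */`. The enclosing function starts and ends outside the hunk.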
rsp = process_pollReq(srv_ctx, req);
break;
default:
+ /* Other request message types are not supported */
ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
break;
}
int flags = 0;
unsigned long err = ERR_peek_error_data(&data, &flags);
int fail_info = 1 << OSSL_CMP_PKIFAILUREINFO_badRequest;
+ /* fail_info is not very specific */
OSSL_CMP_PKISI *si = NULL;
if (ctx->transactionID == NULL) {
case OSSL_CMP_PKIBODY_PKICONF:
case OSSL_CMP_PKIBODY_GENP:
case OSSL_CMP_PKIBODY_ERROR:
+ /* Other terminating response message types are not supported */
+ /* Prepare for next transaction, ignoring any errors here: */
(void)OSSL_CMP_CTX_set1_transactionID(ctx, NULL);
(void)OSSL_CMP_CTX_set1_senderNonce(ctx, NULL);
ctx->status = OSSL_CMP_PKISTATUS_unspecified; /* transaction closed */
if (sender == NULL || msg->body == NULL)
return 0; /* other NULL cases already have been checked */
if (sender->type != GEN_DIRNAME) {
+ /* So far, only X509_NAME is supported */
ERR_raise(ERR_LIB_CMP, CMP_R_SENDER_GENERALNAME_TYPE_NOT_SUPPORTED);
return 0;
}
ASN1_IMP(OSSL_CRMF_POPOPRIVKEY, value.dhMAC, ASN1_BIT_STRING, 2),
ASN1_IMP(OSSL_CRMF_POPOPRIVKEY, value.agreeMAC, OSSL_CRMF_PKMACVALUE, 3),
ASN1_IMP(OSSL_CRMF_POPOPRIVKEY, value.encryptedKey, ASN1_NULL, 4),
+ /* When supported, ASN1_NULL needs to be replaced by CMS_ENVELOPEDDATA */
} ASN1_CHOICE_END(OSSL_CRMF_POPOPRIVKEY)
IMPLEMENT_ASN1_FUNCTIONS(OSSL_CRMF_POPOPRIVKEY)
ERR_raise(ERR_LIB_CRMF, CRMF_R_POPO_INCONSISTENT_PUBLIC_KEY);
return 0;
}
+
+ /*
+ * Should check at this point the contents of the authInfo sub-field
+ * as requested in FR #19807 according to RFC 4211 section 4.1.
+ */
+
it = ASN1_ITEM_rptr(OSSL_CRMF_POPOSIGNINGKEYINPUT);
asn = sig->poposkInput;
} else {
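Review bot: The added comment records that the authInfo sub-field of poposkInput is not checked, but it does not say what the code does instead. From the lines that follow, processing continues with `asn = sig->poposkInput` once the public-key consistency check above has passed. Because this is the proof-of-possession path, the comment should state the gap explicitly so that callers do not assume the RFC 4211 section 4.1 requirement is enforced, for example `/* TODO (FR #19807): authInfo is not checked here; poposkInput is used without it */`. The function starts and ends outside the hunk, so whether a later step covers this cannot be seen here.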
return 0;
break;
case OSSL_CRMF_POPO_KEYENC:
+ /*
+ * When OSSL_CMP_certrep_new() supports encrypted certs,
+ * should return 1 if the type of req->popo->value.keyEncipherment
+ * is OSSL_CRMF_POPOPRIVKEY_SUBSEQUENTMESSAGE and
+ * its value.subsequentMessage == OSSL_CRMF_SUBSEQUENTMESSAGE_ENCRCERT
+ */
case OSSL_CRMF_POPO_KEYAGREE:
default:
ERR_raise(ERR_LIB_CRMF, CRMF_R_UNSUPPORTED_POPO_METHOD);
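Review bot: The comment added under `case OSSL_CRMF_POPO_KEYENC:` names `OSSL_CMP_certrep_new()`, while the call visible elsewhere in this patch is spelled `ossl_cmp_certrep_new(...)`. If that is the function meant, the comment should use the same spelling so a search finds it. The comment also describes only the future behaviour. It would help to end it by stating the current one, since the case falls through to `OSSL_CRMF_POPO_KEYAGREE` and `default` and raises `CRMF_R_UNSUPPORTED_POPO_METHOD`, for example `/* until then, fall through: rejected as unsupported */`. The switch starts outside the hunk.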
ASN1_BIT_STRING *dhMAC; /* 2 */ /* Deprecated */
OSSL_CRMF_PKMACVALUE *agreeMAC; /* 3 */
ASN1_NULL *encryptedKey; /* 4 */
+ /* When supported, ASN1_NULL needs to be replaced by CMS_ENVELOPEDDATA */
} value;
} OSSL_CRMF_POPOPRIVKEY;
DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_POPOPRIVKEY)
struct ossl_crmf_certrequest_st {
ASN1_INTEGER *certReqId;
OSSL_CRMF_CERTTEMPLATE *certTemplate;
- STACK_OF(OSSL_CRMF_ATTRIBUTETYPEANDVALUE) *controls;
+ STACK_OF(OSSL_CRMF_ATTRIBUTETYPEANDVALUE /* Controls expanded */) *controls;
} /* OSSL_CRMF_CERTREQUEST */;
DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_CERTREQUEST)
DECLARE_ASN1_DUP_FUNCTION(OSSL_CRMF_CERTREQUEST)
* |outlen| if not NULL, will set variable to the length of the mac on success
* returns 1 on success, 0 on error
*/
+/* could be combined with other MAC calculations in the library */
int OSSL_CRMF_pbm_new(OSSL_LIB_CTX *libctx, const char *propq,
const OSSL_CRMF_PBMPARAMETER *pbmp,
const unsigned char *msg, size_t msglen,
ERR_raise(ERR_LIB_CRMF, CRMF_R_UNSUPPORTED_ALGORITHM);
goto err;
}
+ /* could be generalized to allow non-HMAC: */
if (EVP_Q_mac(libctx, "HMAC", propq, hmac_mdname, NULL, basekey, bklen,
msg, msglen, mac_res, EVP_MAX_MD_SIZE, outlen) == NULL)
goto err;