/src/openssl/crypto/x509/x_req.c

Source
/*
 * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <stdio.h>
#include "internal/cryptlib.h"
#include <openssl/asn1t.h>
#include <openssl/x509.h>
#include "crypto/x509.h"

/*-
 * X509_REQ_INFO is handled in an unusual way to get round
 * invalid encodings. Some broken certificate requests don't
 * encode the attributes field if it is empty. This is in
 * violation of PKCS#10 but we need to tolerate it. We do
 * this by making the attributes field OPTIONAL then using
 * the callback to initialise it to an empty STACK.
 *
 * This means that the field will be correctly encoded unless
 * we NULL out the field.
 *
 * As a result we no longer need the req_kludge field because
 * the information is now contained in the attributes field:
 * 1. If it is NULL then it's the invalid omission.
 * 2. If it is empty it is the correct encoding.
 * 3. If it is not empty then some attributes are present.
 *
 */

static int rinf_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
    void *exarg)
{
    X509_REQ_INFO *rinf = (X509_REQ_INFO *)*pval;

    if (operation == ASN1_OP_NEW_POST) {
        rinf->attributes = sk_X509_ATTRIBUTE_new_null();
        if (!rinf->attributes)
            return 0;
    }
    return 1;
}

static int req_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
    void *exarg)
{
    X509_REQ *ret = (X509_REQ *)*pval;

    switch (operation) {
    case ASN1_OP_D2I_PRE:
        ASN1_OCTET_STRING_free(ret->distinguishing_id);
        /* fall through */
    case ASN1_OP_NEW_POST:
        ret->distinguishing_id = NULL;
        break;

    case ASN1_OP_FREE_POST:
        ASN1_OCTET_STRING_free(ret->distinguishing_id);
        OPENSSL_free(ret->propq);
        break;
    case ASN1_OP_DUP_POST: {
        X509_REQ *old = exarg;

        if (!ossl_x509_req_set0_libctx(ret, old->libctx, old->propq))
            return 0;
        if (old->req_info.pubkey != NULL) {
            EVP_PKEY *pkey = X509_PUBKEY_get0(old->req_info.pubkey);

            if (pkey != NULL) {
                pkey = EVP_PKEY_dup(pkey);
                if (pkey == NULL) {
                    ERR_raise(ERR_LIB_X509, ERR_R_EVP_LIB);
                    return 0;
                }
                if (!X509_PUBKEY_set(&ret->req_info.pubkey, pkey)) {
                    EVP_PKEY_free(pkey);
                    ERR_raise(ERR_LIB_X509, ERR_R_INTERNAL_ERROR);
                    return 0;
                }
                EVP_PKEY_free(pkey);
            }
        }
    } break;
    case ASN1_OP_GET0_LIBCTX: {
        OSSL_LIB_CTX **libctx = exarg;

        *libctx = ret->libctx;
    } break;
    case ASN1_OP_GET0_PROPQ: {
        const char **propq = exarg;

        *propq = ret->propq;
    } break;
    }

    return 1;
}

ASN1_SEQUENCE_enc(X509_REQ_INFO, enc, rinf_cb) = {
    ASN1_SIMPLE(X509_REQ_INFO, version, ASN1_INTEGER),
    ASN1_SIMPLE(X509_REQ_INFO, subject, X509_NAME),
    ASN1_SIMPLE(X509_REQ_INFO, pubkey, X509_PUBKEY),
    /* This isn't really OPTIONAL but it gets round invalid
     * encodings
     */
    ASN1_IMP_SET_OF_OPT(X509_REQ_INFO, attributes, X509_ATTRIBUTE, 0)
} ASN1_SEQUENCE_END_enc(X509_REQ_INFO, X509_REQ_INFO)

IMPLEMENT_ASN1_FUNCTIONS(X509_REQ_INFO)

ASN1_SEQUENCE_ref(X509_REQ, req_cb) = {
    ASN1_EMBED(X509_REQ, req_info, X509_REQ_INFO),
    ASN1_EMBED(X509_REQ, sig_alg, X509_ALGOR),
    ASN1_SIMPLE(X509_REQ, signature, ASN1_BIT_STRING)
} ASN1_SEQUENCE_END_ref(X509_REQ, X509_REQ)

IMPLEMENT_ASN1_FUNCTIONS(X509_REQ)

IMPLEMENT_ASN1_DUP_FUNCTION(X509_REQ)

void X509_REQ_set0_distinguishing_id(X509_REQ *x, ASN1_OCTET_STRING *d_id)
{
    ASN1_OCTET_STRING_free(x->distinguishing_id);
    x->distinguishing_id = d_id;
}

ASN1_OCTET_STRING *X509_REQ_get0_distinguishing_id(X509_REQ *x)
{
    return x->distinguishing_id;
}

/*
 * This should only be used if the X509_REQ object was embedded inside another
 * asn1 object and it needs a libctx to operate.
 * Use X509_REQ_new_ex() instead if possible.
 */
int ossl_x509_req_set0_libctx(X509_REQ *x, OSSL_LIB_CTX *libctx,
    const char *propq)
{
    if (x != NULL) {
        x->libctx = libctx;
        OPENSSL_free(x->propq);
        x->propq = NULL;
        if (propq != NULL) {
            x->propq = OPENSSL_strdup(propq);
            if (x->propq == NULL)
                return 0;
        }
    }
    return 1;
}

X509_REQ *X509_REQ_new_ex(OSSL_LIB_CTX *libctx, const char *propq)
{
    X509_REQ *req = NULL;

    req = (X509_REQ *)ASN1_item_new((X509_REQ_it()));
    if (!ossl_x509_req_set0_libctx(req, libctx, propq)) {
        X509_REQ_free(req);
        req = NULL;
    }
    return req;
}

Line	Count	Source
1		/*
2		* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the Apache License 2.0 (the "License"). You may not use
5		* this file except in compliance with the License. You can obtain a copy
6		* in the file LICENSE in the source distribution or at
7		* https://www.openssl.org/source/license.html
8		*/
9
10		#include <stdio.h>
11		#include "internal/cryptlib.h"
12		#include <openssl/asn1t.h>
13		#include <openssl/x509.h>
14		#include "crypto/x509.h"
15
16		/*-
17		* X509_REQ_INFO is handled in an unusual way to get round
18		* invalid encodings. Some broken certificate requests don't
19		* encode the attributes field if it is empty. This is in
20		* violation of PKCS#10 but we need to tolerate it. We do
21		* this by making the attributes field OPTIONAL then using
22		* the callback to initialise it to an empty STACK.
23		*
24		* This means that the field will be correctly encoded unless
25		* we NULL out the field.
26		*
27		* As a result we no longer need the req_kludge field because
28		* the information is now contained in the attributes field:
29		* 1. If it is NULL then it's the invalid omission.
30		* 2. If it is empty it is the correct encoding.
31		* 3. If it is not empty then some attributes are present.
32		*
33		*/
34
35		static int rinf_cb(int operation, ASN1_VALUE *pval, const ASN1_ITEM it,
36		void *exarg)
37	0	{
38	0	X509_REQ_INFO rinf = (X509_REQ_INFO )*pval;
39
40	0	if (operation == ASN1_OP_NEW_POST) {
41	0	rinf->attributes = sk_X509_ATTRIBUTE_new_null();
42	0	if (!rinf->attributes)
43	0	return 0;
44	0	}
45	0	return 1;
46	0	}
47
48		static int req_cb(int operation, ASN1_VALUE *pval, const ASN1_ITEM it,
49		void *exarg)
50	0	{
51	0	X509_REQ ret = (X509_REQ )*pval;
52
53	0	switch (operation) {
54	0	case ASN1_OP_D2I_PRE:
55	0	ASN1_OCTET_STRING_free(ret->distinguishing_id);
56		/* fall through */
57	0	case ASN1_OP_NEW_POST:
58	0	ret->distinguishing_id = NULL;
59	0	break;
60
61	0	case ASN1_OP_FREE_POST:
62	0	ASN1_OCTET_STRING_free(ret->distinguishing_id);
63	0	OPENSSL_free(ret->propq);
64	0	break;
65	0	case ASN1_OP_DUP_POST: {
66	0	X509_REQ *old = exarg;
67
68	0	if (!ossl_x509_req_set0_libctx(ret, old->libctx, old->propq))
69	0	return 0;
70	0	if (old->req_info.pubkey != NULL) {
71	0	EVP_PKEY *pkey = X509_PUBKEY_get0(old->req_info.pubkey);
72
73	0	if (pkey != NULL) {
74	0	pkey = EVP_PKEY_dup(pkey);
75	0	if (pkey == NULL) {
76	0	ERR_raise(ERR_LIB_X509, ERR_R_EVP_LIB);
77	0	return 0;
78	0	}
79	0	if (!X509_PUBKEY_set(&ret->req_info.pubkey, pkey)) {
80	0	EVP_PKEY_free(pkey);
81	0	ERR_raise(ERR_LIB_X509, ERR_R_INTERNAL_ERROR);
82	0	return 0;
83	0	}
84	0	EVP_PKEY_free(pkey);
85	0	}
86	0	}
87	0	} break;
88	0	case ASN1_OP_GET0_LIBCTX: {
89	0	OSSL_LIB_CTX **libctx = exarg;
90
91	0	*libctx = ret->libctx;
92	0	} break;
93	0	case ASN1_OP_GET0_PROPQ: {
94	0	const char **propq = exarg;
95
96	0	*propq = ret->propq;
97	0	} break;
98	0	}
99
100	0	return 1;
101	0	}
102
103		ASN1_SEQUENCE_enc(X509_REQ_INFO, enc, rinf_cb) = {
104		ASN1_SIMPLE(X509_REQ_INFO, version, ASN1_INTEGER),
105		ASN1_SIMPLE(X509_REQ_INFO, subject, X509_NAME),
106		ASN1_SIMPLE(X509_REQ_INFO, pubkey, X509_PUBKEY),
107		/* This isn't really OPTIONAL but it gets round invalid
108		* encodings
109		*/
110		ASN1_IMP_SET_OF_OPT(X509_REQ_INFO, attributes, X509_ATTRIBUTE, 0)
111		} ASN1_SEQUENCE_END_enc(X509_REQ_INFO, X509_REQ_INFO)
112
113		IMPLEMENT_ASN1_FUNCTIONS(X509_REQ_INFO)
114
115		ASN1_SEQUENCE_ref(X509_REQ, req_cb) = {
116		ASN1_EMBED(X509_REQ, req_info, X509_REQ_INFO),
117		ASN1_EMBED(X509_REQ, sig_alg, X509_ALGOR),
118		ASN1_SIMPLE(X509_REQ, signature, ASN1_BIT_STRING)
119		} ASN1_SEQUENCE_END_ref(X509_REQ, X509_REQ)
120
121		IMPLEMENT_ASN1_FUNCTIONS(X509_REQ)
122
123		IMPLEMENT_ASN1_DUP_FUNCTION(X509_REQ)
124
125		void X509_REQ_set0_distinguishing_id(X509_REQ x, ASN1_OCTET_STRING d_id)
126	0	{
127	0	ASN1_OCTET_STRING_free(x->distinguishing_id);
128	0	x->distinguishing_id = d_id;
129	0	}
130
131		ASN1_OCTET_STRING X509_REQ_get0_distinguishing_id(X509_REQ x)
132	0	{
133	0	return x->distinguishing_id;
134	0	}
135
136		/*
137		* This should only be used if the X509_REQ object was embedded inside another
138		* asn1 object and it needs a libctx to operate.
139		* Use X509_REQ_new_ex() instead if possible.
140		*/
141		int ossl_x509_req_set0_libctx(X509_REQ x, OSSL_LIB_CTX libctx,
142		const char *propq)
143	0	{
144	0	if (x != NULL) {
145	0	x->libctx = libctx;
146	0	OPENSSL_free(x->propq);
147	0	x->propq = NULL;
148	0	if (propq != NULL) {
149	0	x->propq = OPENSSL_strdup(propq);
150	0	if (x->propq == NULL)
151	0	return 0;
152	0	}
153	0	}
154	0	return 1;
155	0	}
156
157		X509_REQ X509_REQ_new_ex(OSSL_LIB_CTX libctx, const char *propq)
158	0	{
159	0	X509_REQ *req = NULL;
160
161	0	req = (X509_REQ *)ASN1_item_new((X509_REQ_it()));
162	0	if (!ossl_x509_req_set0_libctx(req, libctx, propq)) {
163	0	X509_REQ_free(req);
164		req = NULL;
165	0	}
166	0	return req;
167	0	}

Coverage Report

Created: 2025-12-10 06:24