Coverage Report

Created: 2025-06-13 06:56

/src/openssl/crypto/x509/x_req.c
Line
Count
Source (jump to first uncovered line)
1
/*
2
 * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
3
 *
4
 * Licensed under the Apache License 2.0 (the "License").  You may not use
5
 * this file except in compliance with the License.  You can obtain a copy
6
 * in the file LICENSE in the source distribution or at
7
 * https://www.openssl.org/source/license.html
8
 */
9
10
#include <stdio.h>
11
#include "internal/cryptlib.h"
12
#include <openssl/asn1t.h>
13
#include <openssl/x509.h>
14
#include "crypto/x509.h"
15
16
/*-
17
 * X509_REQ_INFO is handled in an unusual way to get round
18
 * invalid encodings. Some broken certificate requests don't
19
 * encode the attributes field if it is empty. This is in
20
 * violation of PKCS#10 but we need to tolerate it. We do
21
 * this by making the attributes field OPTIONAL then using
22
 * the callback to initialise it to an empty STACK.
23
 *
24
 * This means that the field will be correctly encoded unless
25
 * we NULL out the field.
26
 *
27
 * As a result we no longer need the req_kludge field because
28
 * the information is now contained in the attributes field:
29
 * 1. If it is NULL then it's the invalid omission.
30
 * 2. If it is empty it is the correct encoding.
31
 * 3. If it is not empty then some attributes are present.
32
 *
33
 */
34
35
static int rinf_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
36
                   void *exarg)
37
12.9k
{
38
12.9k
    X509_REQ_INFO *rinf = (X509_REQ_INFO *)*pval;
39
40
12.9k
    if (operation == ASN1_OP_NEW_POST) {
41
2.15k
        rinf->attributes = sk_X509_ATTRIBUTE_new_null();
42
2.15k
        if (!rinf->attributes)
43
0
            return 0;
44
2.15k
    }
45
12.9k
    return 1;
46
12.9k
}
47
48
static int req_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
49
                  void *exarg)
50
25.9k
{
51
25.9k
    X509_REQ *ret = (X509_REQ *)*pval;
52
53
25.9k
    switch (operation) {
54
2.15k
    case ASN1_OP_D2I_PRE:
55
2.15k
        ASN1_OCTET_STRING_free(ret->distinguishing_id);
56
        /* fall through */
57
4.30k
    case ASN1_OP_NEW_POST:
58
4.30k
        ret->distinguishing_id = NULL;
59
4.30k
        break;
60
61
2.15k
    case ASN1_OP_FREE_POST:
62
2.15k
        ASN1_OCTET_STRING_free(ret->distinguishing_id);
63
2.15k
        OPENSSL_free(ret->propq);
64
2.15k
        break;
65
0
    case ASN1_OP_DUP_POST:
66
0
        {
67
0
            X509_REQ *old = exarg;
68
69
0
            if (!ossl_x509_req_set0_libctx(ret, old->libctx, old->propq))
70
0
                return 0;
71
0
            if (old->req_info.pubkey != NULL) {
72
0
                EVP_PKEY *pkey = X509_PUBKEY_get0(old->req_info.pubkey);
73
74
0
                if (pkey != NULL) {
75
0
                    pkey = EVP_PKEY_dup(pkey);
76
0
                    if (pkey == NULL) {
77
0
                        ERR_raise(ERR_LIB_X509, ERR_R_EVP_LIB);
78
0
                        return 0;
79
0
                    }
80
0
                    if (!X509_PUBKEY_set(&ret->req_info.pubkey, pkey)) {
81
0
                        EVP_PKEY_free(pkey);
82
0
                        ERR_raise(ERR_LIB_X509, ERR_R_INTERNAL_ERROR);
83
0
                        return 0;
84
0
                    }
85
0
                    EVP_PKEY_free(pkey);
86
0
                }
87
0
            }
88
0
        }
89
0
        break;
90
0
    case ASN1_OP_GET0_LIBCTX:
91
0
        {
92
0
            OSSL_LIB_CTX **libctx = exarg;
93
94
0
            *libctx = ret->libctx;
95
0
        }
96
0
        break;
97
0
    case ASN1_OP_GET0_PROPQ:
98
0
        {
99
0
            const char **propq = exarg;
100
101
0
            *propq = ret->propq;
102
0
        }
103
0
        break;
104
25.9k
    }
105
106
25.9k
    return 1;
107
25.9k
}
108
109
ASN1_SEQUENCE_enc(X509_REQ_INFO, enc, rinf_cb) = {
110
        ASN1_SIMPLE(X509_REQ_INFO, version, ASN1_INTEGER),
111
        ASN1_SIMPLE(X509_REQ_INFO, subject, X509_NAME),
112
        ASN1_SIMPLE(X509_REQ_INFO, pubkey, X509_PUBKEY),
113
        /* This isn't really OPTIONAL but it gets round invalid
114
         * encodings
115
         */
116
        ASN1_IMP_SET_OF_OPT(X509_REQ_INFO, attributes, X509_ATTRIBUTE, 0)
117
} ASN1_SEQUENCE_END_enc(X509_REQ_INFO, X509_REQ_INFO)
118
119
IMPLEMENT_ASN1_FUNCTIONS(X509_REQ_INFO)
120
121
ASN1_SEQUENCE_ref(X509_REQ, req_cb) = {
122
        ASN1_EMBED(X509_REQ, req_info, X509_REQ_INFO),
123
        ASN1_EMBED(X509_REQ, sig_alg, X509_ALGOR),
124
        ASN1_SIMPLE(X509_REQ, signature, ASN1_BIT_STRING)
125
} ASN1_SEQUENCE_END_ref(X509_REQ, X509_REQ)
126
127
IMPLEMENT_ASN1_FUNCTIONS(X509_REQ)
128
129
IMPLEMENT_ASN1_DUP_FUNCTION(X509_REQ)
130
131
void X509_REQ_set0_distinguishing_id(X509_REQ *x, ASN1_OCTET_STRING *d_id)
132
0
{
133
0
    ASN1_OCTET_STRING_free(x->distinguishing_id);
134
0
    x->distinguishing_id = d_id;
135
0
}
136
137
ASN1_OCTET_STRING *X509_REQ_get0_distinguishing_id(X509_REQ *x)
138
0
{
139
0
    return x->distinguishing_id;
140
0
}
141
142
/*
143
 * This should only be used if the X509_REQ object was embedded inside another
144
 * asn1 object and it needs a libctx to operate.
145
 * Use X509_REQ_new_ex() instead if possible.
146
 */
147
int ossl_x509_req_set0_libctx(X509_REQ *x, OSSL_LIB_CTX *libctx,
148
                              const char *propq)
149
0
{
150
0
    if (x != NULL) {
151
0
        x->libctx = libctx;
152
0
        OPENSSL_free(x->propq);
153
0
        x->propq = NULL;
154
0
        if (propq != NULL) {
155
0
            x->propq = OPENSSL_strdup(propq);
156
0
            if (x->propq == NULL)
157
0
                return 0;
158
0
        }
159
0
    }
160
0
    return 1;
161
0
}
162
163
X509_REQ *X509_REQ_new_ex(OSSL_LIB_CTX *libctx, const char *propq)
164
0
{
165
0
    X509_REQ *req = NULL;
166
167
0
    req = (X509_REQ *)ASN1_item_new((X509_REQ_it()));
168
0
    if (!ossl_x509_req_set0_libctx(req, libctx, propq)) {
169
0
        X509_REQ_free(req);
170
0
        req = NULL;
171
0
    }
172
0
    return req;
173
0
}