/src/openssl34/crypto/cmp/cmp_ctx.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright 2007-2024 The OpenSSL Project Authors. All Rights Reserved. |
3 | | * Copyright Nokia 2007-2019 |
4 | | * Copyright Siemens AG 2015-2019 |
5 | | * |
6 | | * Licensed under the Apache License 2.0 (the "License"). You may not use |
7 | | * this file except in compliance with the License. You can obtain a copy |
8 | | * in the file LICENSE in the source distribution or at |
9 | | * https://www.openssl.org/source/license.html |
10 | | */ |
11 | | |
12 | | #include <openssl/trace.h> |
13 | | #include <openssl/bio.h> |
14 | | #include <openssl/ocsp.h> /* for OCSP_REVOKED_STATUS_* */ |
15 | | |
16 | | #include "cmp_local.h" |
17 | | |
18 | | /* explicit #includes not strictly needed since implied by the above: */ |
19 | | #include <openssl/cmp.h> |
20 | | #include <openssl/crmf.h> |
21 | | #include <openssl/err.h> |
22 | | |
23 | | #define DEFINE_OSSL_CMP_CTX_get0(FIELD, TYPE) \ |
24 | | DEFINE_OSSL_CMP_CTX_get0_NAME(FIELD, FIELD, TYPE) |
25 | | #define DEFINE_OSSL_CMP_CTX_get0_NAME(NAME, FIELD, TYPE) \ |
26 | 0 | TYPE *OSSL_CMP_CTX_get0_##NAME(const OSSL_CMP_CTX *ctx) \ |
27 | 0 | { \ |
28 | 0 | if (ctx == NULL) { \ |
29 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); \ |
30 | 0 | return NULL; \ |
31 | 0 | } \ |
32 | 0 | return ctx->FIELD; \ |
33 | 0 | } Unexecuted instantiation: OSSL_CMP_CTX_get0_trustedStore Unexecuted instantiation: OSSL_CMP_CTX_get0_libctx Unexecuted instantiation: OSSL_CMP_CTX_get0_propq Unexecuted instantiation: OSSL_CMP_CTX_get0_untrusted Unexecuted instantiation: OSSL_CMP_CTX_get0_statusString Unexecuted instantiation: OSSL_CMP_CTX_get0_geninfo_ITAVs Unexecuted instantiation: OSSL_CMP_CTX_get0_validatedSrvCert Unexecuted instantiation: OSSL_CMP_CTX_get0_newCert |
34 | | |
35 | | /* |
36 | | * Get current certificate store containing trusted root CA certs |
37 | | */ |
38 | | DEFINE_OSSL_CMP_CTX_get0_NAME(trusted, trusted, X509_STORE) |
39 | | |
40 | | #define DEFINE_OSSL_set0(PREFIX, FIELD, TYPE) \ |
41 | | DEFINE_OSSL_set0_NAME(PREFIX, FIELD, FIELD, TYPE) |
42 | | #define DEFINE_OSSL_set0_NAME(PREFIX, NAME, FIELD, TYPE) \ |
43 | 1.13k | int PREFIX##_set0##_##NAME(OSSL_CMP_CTX *ctx, TYPE *val) \ |
44 | 1.13k | { \ |
45 | 1.13k | if (ctx == NULL) { \ |
46 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); \ |
47 | 0 | return 0; \ |
48 | 0 | } \ |
49 | 1.13k | TYPE##_free(ctx->FIELD); \ |
50 | 1.13k | ctx->FIELD = val; \ |
51 | 1.13k | return 1; \ |
52 | 1.13k | } Unexecuted instantiation: OSSL_CMP_CTX_set0_trustedStore Unexecuted instantiation: ossl_cmp_ctx_set0_statusString ossl_cmp_ctx_set0_newCert Line | Count | Source | 43 | 1.13k | int PREFIX##_set0##_##NAME(OSSL_CMP_CTX *ctx, TYPE *val) \ | 44 | 1.13k | { \ | 45 | 1.13k | if (ctx == NULL) { \ | 46 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); \ | 47 | 0 | return 0; \ | 48 | 0 | } \ | 49 | 1.13k | TYPE##_free(ctx->FIELD); \ | 50 | 1.13k | ctx->FIELD = val; \ | 51 | 1.13k | return 1; \ | 52 | 1.13k | } |
|
53 | | |
54 | | /* |
55 | | * Set certificate store containing trusted (root) CA certs and possibly CRLs |
56 | | * and a cert verification callback function used for CMP server authentication. |
57 | | * Any already existing store entry is freed. Given NULL, the entry is reset. |
58 | | */ |
59 | | DEFINE_OSSL_set0_NAME(OSSL_CMP_CTX, trusted, trusted, X509_STORE) |
60 | | |
61 | | DEFINE_OSSL_CMP_CTX_get0(libctx, OSSL_LIB_CTX) |
62 | | DEFINE_OSSL_CMP_CTX_get0(propq, const char) |
63 | | |
64 | | /* Get current list of non-trusted intermediate certs */ |
65 | | DEFINE_OSSL_CMP_CTX_get0(untrusted, STACK_OF(X509)) |
66 | | |
67 | | /* |
68 | | * Set untrusted certificates for path construction in authentication of |
69 | | * the CMP server and potentially others (TLS server, newly enrolled cert). |
70 | | */ |
71 | | int OSSL_CMP_CTX_set1_untrusted(OSSL_CMP_CTX *ctx, STACK_OF(X509) *certs) |
72 | 0 | { |
73 | 0 | STACK_OF(X509) *untrusted = NULL; |
74 | |
|
75 | 0 | if (ctx == NULL) { |
76 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); |
77 | 0 | return 0; |
78 | 0 | } |
79 | 0 | if (!ossl_x509_add_certs_new(&untrusted, certs, |
80 | 0 | X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP)) |
81 | 0 | goto err; |
82 | 0 | OSSL_STACK_OF_X509_free(ctx->untrusted); |
83 | 0 | ctx->untrusted = untrusted; |
84 | 0 | return 1; |
85 | 0 | err: |
86 | 0 | OSSL_STACK_OF_X509_free(untrusted); |
87 | 0 | return 0; |
88 | 0 | } |
89 | | |
90 | | static int cmp_ctx_set_md(OSSL_CMP_CTX *ctx, EVP_MD **pmd, int nid) |
91 | 151k | { |
92 | 151k | EVP_MD *md = EVP_MD_fetch(ctx->libctx, OBJ_nid2sn(nid), ctx->propq); |
93 | | /* fetching in advance to be able to throw error early if unsupported */ |
94 | | |
95 | 151k | if (md == NULL) { |
96 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_UNSUPPORTED_ALGORITHM); |
97 | 0 | return 0; |
98 | 0 | } |
99 | 151k | EVP_MD_free(*pmd); |
100 | 151k | *pmd = md; |
101 | 151k | return 1; |
102 | 151k | } |
103 | | |
104 | | /* |
105 | | * Allocates and initializes OSSL_CMP_CTX context structure with default values. |
106 | | * Returns new context on success, NULL on error |
107 | | */ |
108 | | OSSL_CMP_CTX *OSSL_CMP_CTX_new(OSSL_LIB_CTX *libctx, const char *propq) |
109 | 62.5k | { |
110 | 62.5k | OSSL_CMP_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx)); |
111 | | |
112 | 62.5k | if (ctx == NULL) |
113 | 0 | goto err; |
114 | | |
115 | 62.5k | ctx->libctx = libctx; |
116 | 62.5k | if (propq != NULL && (ctx->propq = OPENSSL_strdup(propq)) == NULL) |
117 | 0 | goto err; |
118 | | |
119 | 62.5k | ctx->log_verbosity = OSSL_CMP_LOG_INFO; |
120 | | |
121 | 62.5k | ctx->status = OSSL_CMP_PKISTATUS_unspecified; |
122 | 62.5k | ctx->failInfoCode = -1; |
123 | | |
124 | 62.5k | ctx->keep_alive = 1; |
125 | 62.5k | ctx->msg_timeout = -1; |
126 | 62.5k | ctx->tls_used = -1; /* default for backward compatibility */ |
127 | | |
128 | 62.5k | if ((ctx->untrusted = sk_X509_new_null()) == NULL) { |
129 | 0 | ERR_raise(ERR_LIB_X509, ERR_R_CRYPTO_LIB); |
130 | 0 | goto err; |
131 | 0 | } |
132 | | |
133 | 62.5k | ctx->pbm_slen = 16; |
134 | 62.5k | if (!cmp_ctx_set_md(ctx, &ctx->pbm_owf, NID_sha256)) |
135 | 0 | goto err; |
136 | 62.5k | ctx->pbm_itercnt = 500; |
137 | 62.5k | ctx->pbm_mac = NID_hmac_sha1; |
138 | | |
139 | 62.5k | if (!cmp_ctx_set_md(ctx, &ctx->digest, NID_sha256)) |
140 | 0 | goto err; |
141 | 62.5k | ctx->popoMethod = OSSL_CRMF_POPO_SIGNATURE; |
142 | 62.5k | ctx->revocationReason = CRL_REASON_NONE; |
143 | | |
144 | | /* all other elements are initialized to 0 or NULL, respectively */ |
145 | 62.5k | return ctx; |
146 | | |
147 | 0 | err: |
148 | 0 | OSSL_CMP_CTX_free(ctx); |
149 | 0 | return NULL; |
150 | 62.5k | } |
151 | | |
152 | | #define OSSL_CMP_ITAVs_free(itavs) \ |
153 | 151k | sk_OSSL_CMP_ITAV_pop_free(itavs, OSSL_CMP_ITAV_free); |
154 | | #define X509_EXTENSIONS_free(exts) \ |
155 | 75.7k | sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free) |
156 | | #define OSSL_CMP_PKIFREETEXT_free(text) \ |
157 | 75.7k | sk_ASN1_UTF8STRING_pop_free(text, ASN1_UTF8STRING_free) |
158 | | |
159 | | /* Prepare the OSSL_CMP_CTX for next use, partly re-initializing OSSL_CMP_CTX */ |
160 | | int OSSL_CMP_CTX_reinit(OSSL_CMP_CTX *ctx) |
161 | 0 | { |
162 | 0 | if (ctx == NULL) { |
163 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); |
164 | 0 | return 0; |
165 | 0 | } |
166 | | |
167 | 0 | #ifndef OPENSSL_NO_HTTP |
168 | 0 | if (ctx->http_ctx != NULL) { |
169 | 0 | (void)OSSL_HTTP_close(ctx->http_ctx, 1); |
170 | 0 | ossl_cmp_debug(ctx, "disconnected from CMP server"); |
171 | 0 | ctx->http_ctx = NULL; |
172 | 0 | } |
173 | 0 | #endif |
174 | 0 | ctx->status = OSSL_CMP_PKISTATUS_unspecified; |
175 | 0 | ctx->failInfoCode = -1; |
176 | |
|
177 | 0 | OSSL_CMP_ITAVs_free(ctx->genm_ITAVs); |
178 | 0 | ctx->genm_ITAVs = NULL; |
179 | |
|
180 | 0 | return ossl_cmp_ctx_set0_statusString(ctx, NULL) |
181 | 0 | && ossl_cmp_ctx_set0_newCert(ctx, NULL) |
182 | 0 | && ossl_cmp_ctx_set1_newChain(ctx, NULL) |
183 | 0 | && ossl_cmp_ctx_set1_caPubs(ctx, NULL) |
184 | 0 | && ossl_cmp_ctx_set1_extraCertsIn(ctx, NULL) |
185 | 0 | && ossl_cmp_ctx_set1_validatedSrvCert(ctx, NULL) |
186 | 0 | && ossl_cmp_ctx_set1_first_senderNonce(ctx, NULL) |
187 | 0 | && OSSL_CMP_CTX_set1_transactionID(ctx, NULL) |
188 | 0 | && OSSL_CMP_CTX_set1_senderNonce(ctx, NULL) |
189 | 0 | && ossl_cmp_ctx_set1_recipNonce(ctx, NULL); |
190 | 0 | } |
191 | | |
192 | | /* Frees OSSL_CMP_CTX variables allocated in OSSL_CMP_CTX_new() */ |
193 | | void OSSL_CMP_CTX_free(OSSL_CMP_CTX *ctx) |
194 | 75.7k | { |
195 | 75.7k | if (ctx == NULL) |
196 | 0 | return; |
197 | | |
198 | 75.7k | #ifndef OPENSSL_NO_HTTP |
199 | 75.7k | if (ctx->http_ctx != NULL) { |
200 | 0 | (void)OSSL_HTTP_close(ctx->http_ctx, 1); |
201 | 0 | ossl_cmp_debug(ctx, "disconnected from CMP server"); |
202 | 0 | } |
203 | 75.7k | #endif |
204 | 75.7k | OPENSSL_free(ctx->propq); |
205 | 75.7k | OPENSSL_free(ctx->serverPath); |
206 | 75.7k | OPENSSL_free(ctx->server); |
207 | 75.7k | OPENSSL_free(ctx->proxy); |
208 | 75.7k | OPENSSL_free(ctx->no_proxy); |
209 | | |
210 | 75.7k | X509_free(ctx->srvCert); |
211 | 75.7k | X509_free(ctx->validatedSrvCert); |
212 | 75.7k | X509_NAME_free(ctx->expected_sender); |
213 | 75.7k | X509_STORE_free(ctx->trusted); |
214 | 75.7k | OSSL_STACK_OF_X509_free(ctx->untrusted); |
215 | | |
216 | 75.7k | X509_free(ctx->cert); |
217 | 75.7k | OSSL_STACK_OF_X509_free(ctx->chain); |
218 | 75.7k | EVP_PKEY_free(ctx->pkey); |
219 | 75.7k | ASN1_OCTET_STRING_free(ctx->referenceValue); |
220 | 75.7k | if (ctx->secretValue != NULL) |
221 | 37.8k | OPENSSL_cleanse(ctx->secretValue->data, ctx->secretValue->length); |
222 | 75.7k | ASN1_OCTET_STRING_free(ctx->secretValue); |
223 | 75.7k | EVP_MD_free(ctx->pbm_owf); |
224 | | |
225 | 75.7k | X509_NAME_free(ctx->recipient); |
226 | 75.7k | EVP_MD_free(ctx->digest); |
227 | 75.7k | ASN1_OCTET_STRING_free(ctx->transactionID); |
228 | 75.7k | ASN1_OCTET_STRING_free(ctx->senderNonce); |
229 | 75.7k | ASN1_OCTET_STRING_free(ctx->recipNonce); |
230 | 75.7k | ASN1_OCTET_STRING_free(ctx->first_senderNonce); |
231 | 75.7k | OSSL_CMP_ITAVs_free(ctx->geninfo_ITAVs); |
232 | 75.7k | OSSL_STACK_OF_X509_free(ctx->extraCertsOut); |
233 | | |
234 | 75.7k | EVP_PKEY_free(ctx->newPkey); |
235 | 75.7k | X509_NAME_free(ctx->issuer); |
236 | 75.7k | ASN1_INTEGER_free(ctx->serialNumber); |
237 | 75.7k | X509_NAME_free(ctx->subjectName); |
238 | 75.7k | sk_GENERAL_NAME_pop_free(ctx->subjectAltNames, GENERAL_NAME_free); |
239 | 75.7k | X509_EXTENSIONS_free(ctx->reqExtensions); |
240 | 75.7k | sk_POLICYINFO_pop_free(ctx->policies, POLICYINFO_free); |
241 | 75.7k | X509_free(ctx->oldCert); |
242 | 75.7k | X509_REQ_free(ctx->p10CSR); |
243 | | |
244 | 75.7k | OSSL_CMP_ITAVs_free(ctx->genm_ITAVs); |
245 | | |
246 | 75.7k | OSSL_CMP_PKIFREETEXT_free(ctx->statusString); |
247 | 75.7k | X509_free(ctx->newCert); |
248 | 75.7k | OSSL_STACK_OF_X509_free(ctx->newChain); |
249 | 75.7k | OSSL_STACK_OF_X509_free(ctx->caPubs); |
250 | 75.7k | OSSL_STACK_OF_X509_free(ctx->extraCertsIn); |
251 | | |
252 | 75.7k | OPENSSL_free(ctx); |
253 | 75.7k | } |
254 | | |
255 | | #define DEFINE_OSSL_set(PREFIX, FIELD, TYPE) \ |
256 | 75.7k | int PREFIX##_set_##FIELD(OSSL_CMP_CTX *ctx, TYPE val) \ |
257 | 75.7k | { \ |
258 | 75.7k | if (ctx == NULL) { \ |
259 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); \ |
260 | 0 | return 0; \ |
261 | 0 | } \ |
262 | 75.7k | ctx->FIELD = val; \ |
263 | 75.7k | return 1; \ |
264 | 75.7k | } Unexecuted instantiation: ossl_cmp_ctx_set_status Unexecuted instantiation: OSSL_CMP_CTX_set_certConf_cb Unexecuted instantiation: OSSL_CMP_CTX_set_certConf_cb_arg Unexecuted instantiation: OSSL_CMP_CTX_set_http_cb Unexecuted instantiation: OSSL_CMP_CTX_set_http_cb_arg OSSL_CMP_CTX_set_transfer_cb Line | Count | Source | 256 | 37.8k | int PREFIX##_set_##FIELD(OSSL_CMP_CTX *ctx, TYPE val) \ | 257 | 37.8k | { \ | 258 | 37.8k | if (ctx == NULL) { \ | 259 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); \ | 260 | 0 | return 0; \ | 261 | 0 | } \ | 262 | 37.8k | ctx->FIELD = val; \ | 263 | 37.8k | return 1; \ | 264 | 37.8k | } |
OSSL_CMP_CTX_set_transfer_cb_arg Line | Count | Source | 256 | 37.8k | int PREFIX##_set_##FIELD(OSSL_CMP_CTX *ctx, TYPE val) \ | 257 | 37.8k | { \ | 258 | 37.8k | if (ctx == NULL) { \ | 259 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); \ | 260 | 0 | return 0; \ | 261 | 0 | } \ | 262 | 37.8k | ctx->FIELD = val; \ | 263 | 37.8k | return 1; \ | 264 | 37.8k | } |
Unexecuted instantiation: OSSL_CMP_CTX_set_serverPort Unexecuted instantiation: ossl_cmp_ctx_set_failInfoCode |
265 | | |
266 | | DEFINE_OSSL_set(ossl_cmp_ctx, status, int) |
267 | | |
268 | | #define DEFINE_OSSL_get(PREFIX, FIELD, TYPE, ERR_RET) \ |
269 | 0 | TYPE PREFIX##_get_##FIELD(const OSSL_CMP_CTX *ctx) \ |
270 | 0 | { \ |
271 | 0 | if (ctx == NULL) { \ |
272 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); \ |
273 | 0 | return ERR_RET; \ |
274 | 0 | } \ |
275 | 0 | return ctx->FIELD; \ |
276 | 0 | } Unexecuted instantiation: OSSL_CMP_CTX_get_status Unexecuted instantiation: OSSL_CMP_CTX_get_certConf_cb_arg Unexecuted instantiation: OSSL_CMP_CTX_get_http_cb_arg Unexecuted instantiation: OSSL_CMP_CTX_get_transfer_cb_arg Unexecuted instantiation: OSSL_CMP_CTX_get_failInfoCode |
277 | | |
278 | | /* |
279 | | * Returns the PKIStatus from the last CertRepMessage |
280 | | * or Revocation Response or error message, -1 on error |
281 | | */ |
282 | | DEFINE_OSSL_get(OSSL_CMP_CTX, status, int, -1) |
283 | | |
284 | | /* |
285 | | * Returns the statusString from the last CertRepMessage |
286 | | * or Revocation Response or error message, NULL on error |
287 | | */ |
288 | | DEFINE_OSSL_CMP_CTX_get0(statusString, OSSL_CMP_PKIFREETEXT) |
289 | | |
290 | | DEFINE_OSSL_set0(ossl_cmp_ctx, statusString, OSSL_CMP_PKIFREETEXT) |
291 | | |
292 | | /* Set callback function for checking if the cert is ok or should be rejected */ |
293 | | DEFINE_OSSL_set(OSSL_CMP_CTX, certConf_cb, OSSL_CMP_certConf_cb_t) |
294 | | |
295 | | /* |
296 | | * Set argument, respectively a pointer to a structure containing arguments, |
297 | | * optionally to be used by the certConf callback. |
298 | | */ |
299 | | DEFINE_OSSL_set(OSSL_CMP_CTX, certConf_cb_arg, void *) |
300 | | |
301 | | /* |
302 | | * Get argument, respectively the pointer to a structure containing arguments, |
303 | | * optionally to be used by certConf callback. |
304 | | * Returns callback argument set previously (NULL if not set or on error) |
305 | | */ |
306 | | DEFINE_OSSL_get(OSSL_CMP_CTX, certConf_cb_arg, void *, NULL) |
307 | | |
308 | | #ifndef OPENSSL_NO_TRACE |
309 | | static size_t ossl_cmp_log_trace_cb(const char *buf, size_t cnt, |
310 | | int category, int cmd, void *vdata) |
311 | | { |
312 | | OSSL_CMP_CTX *ctx = vdata; |
313 | | const char *msg; |
314 | | OSSL_CMP_severity level = -1; |
315 | | char *func = NULL; |
316 | | char *file = NULL; |
317 | | int line = 0; |
318 | | |
319 | | if (buf == NULL || cnt == 0 || cmd != OSSL_TRACE_CTRL_WRITE || ctx == NULL) |
320 | | return 0; |
321 | | if (ctx->log_cb == NULL) |
322 | | return 1; /* silently drop message */ |
323 | | |
324 | | msg = ossl_cmp_log_parse_metadata(buf, &level, &func, &file, &line); |
325 | | |
326 | | if (level > ctx->log_verbosity) /* excludes the case level is unknown */ |
327 | | goto end; /* suppress output since severity is not sufficient */ |
328 | | |
329 | | if (!ctx->log_cb(func != NULL ? func : "(no func)", |
330 | | file != NULL ? file : "(no file)", |
331 | | line, level, msg)) |
332 | | cnt = 0; |
333 | | |
334 | | end: |
335 | | OPENSSL_free(func); |
336 | | OPENSSL_free(file); |
337 | | return cnt; |
338 | | } |
339 | | #endif |
340 | | |
341 | | /* Print CMP log messages (i.e., diagnostic info) via the log cb of the ctx */ |
342 | | int ossl_cmp_print_log(OSSL_CMP_severity level, const OSSL_CMP_CTX *ctx, |
343 | | const char *func, const char *file, int line, |
344 | | const char *level_str, const char *format, ...) |
345 | 296k | { |
346 | 296k | va_list args; |
347 | 296k | char hugebuf[1024 * 2]; |
348 | 296k | int res = 0; |
349 | | |
350 | 296k | if (ctx == NULL || ctx->log_cb == NULL) |
351 | 70.2k | return 1; /* silently drop message */ |
352 | | |
353 | 226k | if (level > ctx->log_verbosity) /* excludes the case level is unknown */ |
354 | 84.5k | return 1; /* suppress output since severity is not sufficient */ |
355 | | |
356 | 141k | if (format == NULL) |
357 | 0 | return 0; |
358 | | |
359 | 141k | va_start(args, format); |
360 | | |
361 | 141k | if (func == NULL) |
362 | 0 | func = "(unset function name)"; |
363 | 141k | if (file == NULL) |
364 | 0 | file = "(unset file name)"; |
365 | 141k | if (level_str == NULL) |
366 | 0 | level_str = "(unset level string)"; |
367 | | |
368 | | #ifndef OPENSSL_NO_TRACE |
369 | | if (OSSL_TRACE_ENABLED(CMP)) { |
370 | | OSSL_TRACE_BEGIN(CMP) { |
371 | | int printed = |
372 | | BIO_snprintf(hugebuf, sizeof(hugebuf), |
373 | | "%s:%s:%d:" OSSL_CMP_LOG_PREFIX "%s: ", |
374 | | func, file, line, level_str); |
375 | | if (printed > 0 && (size_t)printed < sizeof(hugebuf)) { |
376 | | if (BIO_vsnprintf(hugebuf + printed, |
377 | | sizeof(hugebuf) - printed, format, args) > 0) |
378 | | res = BIO_puts(trc_out, hugebuf) > 0; |
379 | | } |
380 | | } OSSL_TRACE_END(CMP); |
381 | | } |
382 | | #else /* compensate for disabled trace API */ |
383 | 141k | { |
384 | 141k | if (BIO_vsnprintf(hugebuf, sizeof(hugebuf), format, args) > 0) |
385 | 141k | res = ctx->log_cb(func, file, line, level, hugebuf); |
386 | 141k | } |
387 | 141k | #endif |
388 | 141k | va_end(args); |
389 | 141k | return res; |
390 | 141k | } |
391 | | |
392 | | /* Set a callback function for error reporting and logging messages */ |
393 | | int OSSL_CMP_CTX_set_log_cb(OSSL_CMP_CTX *ctx, OSSL_CMP_log_cb_t cb) |
394 | 75.7k | { |
395 | 75.7k | if (ctx == NULL) { |
396 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); |
397 | 0 | return 0; |
398 | 0 | } |
399 | 75.7k | ctx->log_cb = cb; |
400 | | |
401 | | #ifndef OPENSSL_NO_TRACE |
402 | | /* do also in case cb == NULL, to switch off logging output: */ |
403 | | if (!OSSL_trace_set_callback(OSSL_TRACE_CATEGORY_CMP, |
404 | | ossl_cmp_log_trace_cb, ctx)) |
405 | | return 0; |
406 | | #endif |
407 | | |
408 | 75.7k | return 1; |
409 | 75.7k | } |
410 | | |
411 | | /* Print OpenSSL and CMP errors via the log cb of the ctx or ERR_print_errors */ |
412 | | void OSSL_CMP_CTX_print_errors(const OSSL_CMP_CTX *ctx) |
413 | 41.8k | { |
414 | 41.8k | if (ctx != NULL && OSSL_CMP_LOG_ERR > ctx->log_verbosity) |
415 | 0 | return; /* suppress output since severity is not sufficient */ |
416 | 41.8k | OSSL_CMP_print_errors_cb(ctx == NULL ? NULL : ctx->log_cb); |
417 | 41.8k | } |
418 | | |
419 | | /* |
420 | | * Set or clear the reference value to be used for identification |
421 | | * (i.e., the user name) when using PBMAC. |
422 | | */ |
423 | | int OSSL_CMP_CTX_set1_referenceValue(OSSL_CMP_CTX *ctx, |
424 | | const unsigned char *ref, int len) |
425 | 0 | { |
426 | 0 | if (ctx == NULL) { |
427 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); |
428 | 0 | return 0; |
429 | 0 | } |
430 | 0 | return |
431 | 0 | ossl_cmp_asn1_octet_string_set1_bytes(&ctx->referenceValue, ref, len); |
432 | 0 | } |
433 | | |
434 | | /* Set or clear the password to be used for protecting messages with PBMAC */ |
435 | | int OSSL_CMP_CTX_set1_secretValue(OSSL_CMP_CTX *ctx, |
436 | | const unsigned char *sec, int len) |
437 | 37.8k | { |
438 | 37.8k | ASN1_OCTET_STRING *secretValue = NULL; |
439 | | |
440 | 37.8k | if (ctx == NULL) { |
441 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); |
442 | 0 | return 0; |
443 | 0 | } |
444 | 37.8k | if (ossl_cmp_asn1_octet_string_set1_bytes(&secretValue, sec, len) != 1) |
445 | 0 | return 0; |
446 | 37.8k | if (ctx->secretValue != NULL) { |
447 | 0 | OPENSSL_cleanse(ctx->secretValue->data, ctx->secretValue->length); |
448 | 0 | ASN1_OCTET_STRING_free(ctx->secretValue); |
449 | 0 | } |
450 | 37.8k | ctx->secretValue = secretValue; |
451 | 37.8k | return 1; |
452 | 37.8k | } |
453 | | |
454 | | #define DEFINE_OSSL_CMP_CTX_get1_certs(FIELD) \ |
455 | 0 | STACK_OF(X509) *OSSL_CMP_CTX_get1_##FIELD(const OSSL_CMP_CTX *ctx) \ |
456 | 0 | { \ |
457 | 0 | if (ctx == NULL) { \ |
458 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); \ |
459 | 0 | return NULL; \ |
460 | 0 | } \ |
461 | 0 | return X509_chain_up_ref(ctx->FIELD); \ |
462 | 0 | } Unexecuted instantiation: OSSL_CMP_CTX_get1_newChain Unexecuted instantiation: OSSL_CMP_CTX_get1_extraCertsIn Unexecuted instantiation: OSSL_CMP_CTX_get1_caPubs |
463 | | |
464 | | /* Returns the cert chain computed by OSSL_CMP_certConf_cb(), NULL on error */ |
465 | | DEFINE_OSSL_CMP_CTX_get1_certs(newChain) |
466 | | |
467 | | #define DEFINE_OSSL_set1_certs(PREFIX, FIELD) \ |
468 | 0 | int PREFIX##_set1_##FIELD(OSSL_CMP_CTX *ctx, STACK_OF(X509) *certs) \ |
469 | 0 | { \ |
470 | 0 | if (ctx == NULL) { \ |
471 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); \ |
472 | 0 | return 0; \ |
473 | 0 | } \ |
474 | 0 | OSSL_STACK_OF_X509_free(ctx->FIELD); \ |
475 | 0 | ctx->FIELD = NULL; \ |
476 | 0 | return certs == NULL || (ctx->FIELD = X509_chain_up_ref(certs)) != NULL; \ |
477 | 0 | } Unexecuted instantiation: ossl_cmp_ctx_set1_newChain Unexecuted instantiation: ossl_cmp_ctx_set1_extraCertsIn Unexecuted instantiation: OSSL_CMP_CTX_set1_extraCertsOut Unexecuted instantiation: ossl_cmp_ctx_set1_caPubs |
478 | | |
479 | | /* |
480 | | * Copies any given stack of inbound X509 certificates to newChain |
481 | | * of the OSSL_CMP_CTX structure so that they may be retrieved later. |
482 | | */ |
483 | | DEFINE_OSSL_set1_certs(ossl_cmp_ctx, newChain) |
484 | | |
485 | | /* Returns the stack of extraCerts received in CertRepMessage, NULL on error */ |
486 | | DEFINE_OSSL_CMP_CTX_get1_certs(extraCertsIn) |
487 | | |
488 | | /* |
489 | | * Copies any given stack of inbound X509 certificates to extraCertsIn |
490 | | * of the OSSL_CMP_CTX structure so that they may be retrieved later. |
491 | | */ |
492 | | DEFINE_OSSL_set1_certs(ossl_cmp_ctx, extraCertsIn) |
493 | | |
494 | | /* |
495 | | * Copies any given stack as the new stack of X509 |
496 | | * certificates to send out in the extraCerts field. |
497 | | */ |
498 | | DEFINE_OSSL_set1_certs(OSSL_CMP_CTX, extraCertsOut) |
499 | | |
500 | | /* |
501 | | * Add the given policy info object |
502 | | * to the X509_EXTENSIONS of the requested certificate template. |
503 | | */ |
504 | | int OSSL_CMP_CTX_push0_policy(OSSL_CMP_CTX *ctx, POLICYINFO *pinfo) |
505 | 0 | { |
506 | 0 | if (ctx == NULL || pinfo == NULL) { |
507 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); |
508 | 0 | return 0; |
509 | 0 | } |
510 | | |
511 | 0 | if (ctx->policies == NULL |
512 | 0 | && (ctx->policies = CERTIFICATEPOLICIES_new()) == NULL) |
513 | 0 | return 0; |
514 | | |
515 | 0 | return sk_POLICYINFO_push(ctx->policies, pinfo); |
516 | 0 | } |
517 | | |
518 | | /* Add an ITAV for geninfo of the PKI message header */ |
519 | | int OSSL_CMP_CTX_push0_geninfo_ITAV(OSSL_CMP_CTX *ctx, OSSL_CMP_ITAV *itav) |
520 | 0 | { |
521 | 0 | if (ctx == NULL) { |
522 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); |
523 | 0 | return 0; |
524 | 0 | } |
525 | 0 | return OSSL_CMP_ITAV_push0_stack_item(&ctx->geninfo_ITAVs, itav); |
526 | 0 | } |
527 | | |
528 | | int OSSL_CMP_CTX_reset_geninfo_ITAVs(OSSL_CMP_CTX *ctx) |
529 | 0 | { |
530 | 0 | if (ctx == NULL) { |
531 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); |
532 | 0 | return 0; |
533 | 0 | } |
534 | 0 | OSSL_CMP_ITAVs_free(ctx->geninfo_ITAVs); |
535 | 0 | ctx->geninfo_ITAVs = NULL; |
536 | 0 | return 1; |
537 | 0 | } |
538 | | |
539 | | DEFINE_OSSL_CMP_CTX_get0(geninfo_ITAVs, STACK_OF(OSSL_CMP_ITAV)) |
540 | | |
541 | | /* Add an itav for the body of outgoing general messages */ |
542 | | int OSSL_CMP_CTX_push0_genm_ITAV(OSSL_CMP_CTX *ctx, OSSL_CMP_ITAV *itav) |
543 | 0 | { |
544 | 0 | if (ctx == NULL) { |
545 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); |
546 | 0 | return 0; |
547 | 0 | } |
548 | 0 | return OSSL_CMP_ITAV_push0_stack_item(&ctx->genm_ITAVs, itav); |
549 | 0 | } |
550 | | |
551 | | /* |
552 | | * Returns a duplicate of the stack of X509 certificates that |
553 | | * were received in the caPubs field of the last CertRepMessage. |
554 | | * Returns NULL on error |
555 | | */ |
556 | | DEFINE_OSSL_CMP_CTX_get1_certs(caPubs) |
557 | | |
558 | | /* |
559 | | * Copies any given stack of certificates to the given |
560 | | * OSSL_CMP_CTX structure so that they may be retrieved later. |
561 | | */ |
562 | | DEFINE_OSSL_set1_certs(ossl_cmp_ctx, caPubs) |
563 | | |
564 | 0 | #define char_dup OPENSSL_strdup |
565 | 0 | #define char_free OPENSSL_free |
566 | | #define DEFINE_OSSL_CMP_CTX_set1(FIELD, TYPE) /* this uses _dup */ \ |
567 | 13.1k | int OSSL_CMP_CTX_set1_##FIELD(OSSL_CMP_CTX *ctx, const TYPE *val) \ |
568 | 13.1k | { \ |
569 | 13.1k | TYPE *val_dup = NULL; \ |
570 | 13.1k | \ |
571 | 13.1k | if (ctx == NULL) { \ |
572 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); \ |
573 | 0 | return 0; \ |
574 | 0 | } \ |
575 | 13.1k | \ |
576 | 13.1k | if (val != NULL && (val_dup = TYPE##_dup(val)) == NULL) \ |
577 | 13.1k | return 0; \ |
578 | 13.1k | TYPE##_free(ctx->FIELD); \ |
579 | 13.1k | ctx->FIELD = val_dup; \ |
580 | 13.1k | return 1; \ |
581 | 13.1k | } OSSL_CMP_CTX_set1_recipient Line | Count | Source | 567 | 13.1k | int OSSL_CMP_CTX_set1_##FIELD(OSSL_CMP_CTX *ctx, const TYPE *val) \ | 568 | 13.1k | { \ | 569 | 13.1k | TYPE *val_dup = NULL; \ | 570 | 13.1k | \ | 571 | 13.1k | if (ctx == NULL) { \ | 572 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); \ | 573 | 0 | return 0; \ | 574 | 0 | } \ | 575 | 13.1k | \ | 576 | 13.1k | if (val != NULL && (val_dup = TYPE##_dup(val)) == NULL) \ | 577 | 13.1k | return 0; \ | 578 | 13.1k | TYPE##_free(ctx->FIELD); \ | 579 | 13.1k | ctx->FIELD = val_dup; \ | 580 | 13.1k | return 1; \ | 581 | 13.1k | } |
Unexecuted instantiation: OSSL_CMP_CTX_set1_expected_sender Unexecuted instantiation: OSSL_CMP_CTX_set1_issuer Unexecuted instantiation: OSSL_CMP_CTX_set1_serialNumber Unexecuted instantiation: OSSL_CMP_CTX_set1_subjectName Unexecuted instantiation: OSSL_CMP_CTX_set1_p10CSR Unexecuted instantiation: OSSL_CMP_CTX_set1_proxy Unexecuted instantiation: OSSL_CMP_CTX_set1_server Unexecuted instantiation: OSSL_CMP_CTX_set1_no_proxy Unexecuted instantiation: OSSL_CMP_CTX_set1_serverPath |
582 | | |
583 | 0 | #define X509_invalid(cert) (!ossl_x509v3_cache_extensions(cert)) |
584 | 0 | #define EVP_PKEY_invalid(key) 0 |
585 | | |
586 | | #define DEFINE_OSSL_set1_up_ref(PREFIX, FIELD, TYPE) \ |
587 | 0 | int PREFIX##_set1_##FIELD(OSSL_CMP_CTX *ctx, TYPE *val) \ |
588 | 0 | { \ |
589 | 0 | if (ctx == NULL) { \ |
590 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); \ |
591 | 0 | return 0; \ |
592 | 0 | } \ |
593 | 0 | \ |
594 | 0 | /* prevent misleading error later on malformed cert or provider issue */ \ |
595 | 0 | if (val != NULL && TYPE##_invalid(val)) { \ |
596 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_POTENTIALLY_INVALID_CERTIFICATE); \ |
597 | 0 | return 0; \ |
598 | 0 | } \ |
599 | 0 | if (val != NULL && !TYPE##_up_ref(val)) \ |
600 | 0 | return 0; \ |
601 | 0 | TYPE##_free(ctx->FIELD); \ |
602 | 0 | ctx->FIELD = val; \ |
603 | 0 | return 1; \ |
604 | 0 | } Unexecuted instantiation: ossl_cmp_ctx_set1_validatedSrvCert Unexecuted instantiation: OSSL_CMP_CTX_set1_srvCert Unexecuted instantiation: OSSL_CMP_CTX_set1_cert Unexecuted instantiation: OSSL_CMP_CTX_set1_oldCert Unexecuted instantiation: OSSL_CMP_CTX_set1_pkey |
605 | | |
606 | | DEFINE_OSSL_set1_up_ref(ossl_cmp_ctx, validatedSrvCert, X509) |
607 | | |
608 | | /* |
609 | | * Pins the server certificate to be directly trusted (even if it is expired) |
610 | | * for verifying response messages. |
611 | | * Cert pointer is not consumed. It may be NULL to clear the entry. |
612 | | */ |
613 | | DEFINE_OSSL_set1_up_ref(OSSL_CMP_CTX, srvCert, X509) |
614 | | |
615 | | /* Set the X509 name of the recipient to be placed in the PKIHeader */ |
616 | | DEFINE_OSSL_CMP_CTX_set1(recipient, X509_NAME) |
617 | | |
618 | | /* Store the X509 name of the expected sender in the PKIHeader of responses */ |
619 | | DEFINE_OSSL_CMP_CTX_set1(expected_sender, X509_NAME) |
620 | | |
621 | | /* Set the X509 name of the issuer to be placed in the certTemplate */ |
622 | | DEFINE_OSSL_CMP_CTX_set1(issuer, X509_NAME) |
623 | | |
624 | | /* Set the ASN1_INTEGER serial to be placed in the certTemplate for rr */ |
625 | | DEFINE_OSSL_CMP_CTX_set1(serialNumber, ASN1_INTEGER) |
626 | | /* |
627 | | * Set the subject name that will be placed in the certificate |
628 | | * request. This will be the subject name on the received certificate. |
629 | | */ |
630 | | DEFINE_OSSL_CMP_CTX_set1(subjectName, X509_NAME) |
631 | | |
632 | | /* Set the X.509v3 certificate request extensions to be used in IR/CR/KUR */ |
633 | | int OSSL_CMP_CTX_set0_reqExtensions(OSSL_CMP_CTX *ctx, X509_EXTENSIONS *exts) |
634 | 0 | { |
635 | 0 | if (ctx == NULL) { |
636 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); |
637 | 0 | return 0; |
638 | 0 | } |
639 | | |
640 | 0 | if (sk_GENERAL_NAME_num(ctx->subjectAltNames) > 0 && exts != NULL |
641 | 0 | && X509v3_get_ext_by_NID(exts, NID_subject_alt_name, -1) >= 0) { |
642 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_MULTIPLE_SAN_SOURCES); |
643 | 0 | return 0; |
644 | 0 | } |
645 | 0 | X509_EXTENSIONS_free(ctx->reqExtensions); |
646 | 0 | ctx->reqExtensions = exts; |
647 | 0 | return 1; |
648 | 0 | } |
649 | | |
650 | | /* returns 1 if ctx contains a Subject Alternative Name extension, else 0 */ |
651 | | int OSSL_CMP_CTX_reqExtensions_have_SAN(OSSL_CMP_CTX *ctx) |
652 | 2.31k | { |
653 | 2.31k | if (ctx == NULL) { |
654 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); |
655 | 0 | return -1; |
656 | 0 | } |
657 | | /* if one of the following conditions 'fail' this is not an error */ |
658 | 2.31k | return ctx->reqExtensions != NULL |
659 | 2.31k | && X509v3_get_ext_by_NID(ctx->reqExtensions, |
660 | 0 | NID_subject_alt_name, -1) >= 0; |
661 | 2.31k | } |
662 | | |
663 | | /* |
664 | | * Add a GENERAL_NAME structure that will be added to the CRMF |
665 | | * request's extensions field to request subject alternative names. |
666 | | */ |
667 | | int OSSL_CMP_CTX_push1_subjectAltName(OSSL_CMP_CTX *ctx, |
668 | | const GENERAL_NAME *name) |
669 | 0 | { |
670 | 0 | GENERAL_NAME *name_dup; |
671 | |
|
672 | 0 | if (ctx == NULL || name == NULL) { |
673 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); |
674 | 0 | return 0; |
675 | 0 | } |
676 | | |
677 | 0 | if (OSSL_CMP_CTX_reqExtensions_have_SAN(ctx) == 1) { |
678 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_MULTIPLE_SAN_SOURCES); |
679 | 0 | return 0; |
680 | 0 | } |
681 | | |
682 | 0 | if (ctx->subjectAltNames == NULL |
683 | 0 | && (ctx->subjectAltNames = sk_GENERAL_NAME_new_null()) == NULL) |
684 | 0 | return 0; |
685 | 0 | if ((name_dup = GENERAL_NAME_dup(name)) == NULL) |
686 | 0 | return 0; |
687 | 0 | if (!sk_GENERAL_NAME_push(ctx->subjectAltNames, name_dup)) { |
688 | 0 | GENERAL_NAME_free(name_dup); |
689 | 0 | return 0; |
690 | 0 | } |
691 | 0 | return 1; |
692 | 0 | } |
693 | | |
694 | | /* |
695 | | * Set our own client certificate, used for example in KUR and when |
696 | | * doing the IR with existing certificate. |
697 | | */ |
698 | | DEFINE_OSSL_set1_up_ref(OSSL_CMP_CTX, cert, X509) |
699 | | |
700 | | int OSSL_CMP_CTX_build_cert_chain(OSSL_CMP_CTX *ctx, X509_STORE *own_trusted, |
701 | | STACK_OF(X509) *candidates) |
702 | 0 | { |
703 | 0 | STACK_OF(X509) *chain; |
704 | |
|
705 | 0 | if (ctx == NULL) { |
706 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); |
707 | 0 | return 0; |
708 | 0 | } |
709 | | |
710 | 0 | if (!ossl_x509_add_certs_new(&ctx->untrusted, candidates, |
711 | 0 | X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP)) |
712 | 0 | return 0; |
713 | | |
714 | 0 | ossl_cmp_debug(ctx, "trying to build chain for own CMP signer cert"); |
715 | 0 | chain = X509_build_chain(ctx->cert, ctx->untrusted, own_trusted, 0, |
716 | 0 | ctx->libctx, ctx->propq); |
717 | 0 | if (chain == NULL) { |
718 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_FAILED_BUILDING_OWN_CHAIN); |
719 | 0 | return 0; |
720 | 0 | } |
721 | 0 | ossl_cmp_debug(ctx, "success building chain for own CMP signer cert"); |
722 | 0 | ctx->chain = chain; |
723 | 0 | return 1; |
724 | 0 | } |
725 | | |
726 | | /* |
727 | | * Set the old certificate that we are updating in KUR |
728 | | * or the certificate to be revoked in RR, respectively. |
729 | | * Also used as reference cert (defaulting to cert) for deriving subject DN |
730 | | * and SANs. Its issuer is used as default recipient in the CMP message header. |
731 | | */ |
732 | | DEFINE_OSSL_set1_up_ref(OSSL_CMP_CTX, oldCert, X509) |
733 | | |
734 | | /* Set the PKCS#10 CSR to be sent in P10CR */ |
735 | | DEFINE_OSSL_CMP_CTX_set1(p10CSR, X509_REQ) |
736 | | |
737 | | /* |
738 | | * Set the (newly received in IP/KUP/CP) certificate in the context. |
739 | | * This only permits for one cert to be enrolled at a time. |
740 | | */ |
741 | | DEFINE_OSSL_set0(ossl_cmp_ctx, newCert, X509) |
742 | | |
743 | | /* Get successfully validated server cert, if any, of current transaction */ |
744 | | DEFINE_OSSL_CMP_CTX_get0(validatedSrvCert, X509) |
745 | | |
746 | | /* |
747 | | * Get the (newly received in IP/KUP/CP) client certificate from the context |
748 | | * This only permits for one client cert to be received... |
749 | | */ |
750 | | DEFINE_OSSL_CMP_CTX_get0(newCert, X509) |
751 | | |
752 | | /* Set the client's current private key */ |
753 | | DEFINE_OSSL_set1_up_ref(OSSL_CMP_CTX, pkey, EVP_PKEY) |
754 | | |
755 | | /* Set new key pair. Used e.g. when doing Key Update */ |
756 | | int OSSL_CMP_CTX_set0_newPkey(OSSL_CMP_CTX *ctx, int priv, EVP_PKEY *pkey) |
757 | 1.93k | { |
758 | 1.93k | if (ctx == NULL) { |
759 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); |
760 | 0 | return 0; |
761 | 0 | } |
762 | | |
763 | 1.93k | EVP_PKEY_free(ctx->newPkey); |
764 | 1.93k | ctx->newPkey = pkey; |
765 | 1.93k | ctx->newPkey_priv = priv; |
766 | 1.93k | return 1; |
767 | 1.93k | } |
768 | | |
769 | | /* Get the private/public key to use for cert enrollment, or NULL on error */ |
770 | | /* In case |priv| == 0, better use ossl_cmp_ctx_get0_newPubkey() below */ |
771 | | EVP_PKEY *OSSL_CMP_CTX_get0_newPkey(const OSSL_CMP_CTX *ctx, int priv) |
772 | 1.18k | { |
773 | 1.18k | if (ctx == NULL) { |
774 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); |
775 | 0 | return NULL; |
776 | 0 | } |
777 | | |
778 | 1.18k | if (ctx->newPkey != NULL) |
779 | 0 | return priv && !ctx->newPkey_priv ? NULL : ctx->newPkey; |
780 | 1.18k | if (ctx->p10CSR != NULL) |
781 | 0 | return priv ? NULL : X509_REQ_get0_pubkey(ctx->p10CSR); |
782 | 1.18k | return ctx->pkey; /* may be NULL */ |
783 | 1.18k | } |
784 | | |
785 | | EVP_PKEY *ossl_cmp_ctx_get0_newPubkey(const OSSL_CMP_CTX *ctx) |
786 | 1.18k | { |
787 | 1.18k | if (!ossl_assert(ctx != NULL)) |
788 | 0 | return NULL; |
789 | 1.18k | if (ctx->newPkey != NULL) |
790 | 0 | return ctx->newPkey; |
791 | 1.18k | if (ctx->p10CSR != NULL) |
792 | 0 | return X509_REQ_get0_pubkey(ctx->p10CSR); |
793 | 1.18k | if (ctx->oldCert != NULL) |
794 | 1.18k | return X509_get0_pubkey(ctx->oldCert); |
795 | 0 | if (ctx->cert != NULL) |
796 | 0 | return X509_get0_pubkey(ctx->cert); |
797 | 0 | return ctx->pkey; |
798 | 0 | } |
799 | | |
800 | | #define DEFINE_set1_ASN1_OCTET_STRING(PREFIX, FIELD) \ |
801 | 254k | int PREFIX##_set1_##FIELD(OSSL_CMP_CTX *ctx, const ASN1_OCTET_STRING *id) \ |
802 | 254k | { \ |
803 | 254k | if (ctx == NULL) { \ |
804 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); \ |
805 | 0 | return 0; \ |
806 | 0 | } \ |
807 | 254k | return ossl_cmp_asn1_octet_string_set1(&ctx->FIELD, id); \ |
808 | 254k | } OSSL_CMP_CTX_set1_transactionID Line | Count | Source | 801 | 110k | int PREFIX##_set1_##FIELD(OSSL_CMP_CTX *ctx, const ASN1_OCTET_STRING *id) \ | 802 | 110k | { \ | 803 | 110k | if (ctx == NULL) { \ | 804 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); \ | 805 | 0 | return 0; \ | 806 | 0 | } \ | 807 | 110k | return ossl_cmp_asn1_octet_string_set1(&ctx->FIELD, id); \ | 808 | 110k | } |
ossl_cmp_ctx_set1_recipNonce Line | Count | Source | 801 | 56.1k | int PREFIX##_set1_##FIELD(OSSL_CMP_CTX *ctx, const ASN1_OCTET_STRING *id) \ | 802 | 56.1k | { \ | 803 | 56.1k | if (ctx == NULL) { \ | 804 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); \ | 805 | 0 | return 0; \ | 806 | 0 | } \ | 807 | 56.1k | return ossl_cmp_asn1_octet_string_set1(&ctx->FIELD, id); \ | 808 | 56.1k | } |
OSSL_CMP_CTX_set1_senderNonce Line | Count | Source | 801 | 87.6k | int PREFIX##_set1_##FIELD(OSSL_CMP_CTX *ctx, const ASN1_OCTET_STRING *id) \ | 802 | 87.6k | { \ | 803 | 87.6k | if (ctx == NULL) { \ | 804 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); \ | 805 | 0 | return 0; \ | 806 | 0 | } \ | 807 | 87.6k | return ossl_cmp_asn1_octet_string_set1(&ctx->FIELD, id); \ | 808 | 87.6k | } |
ossl_cmp_ctx_set1_first_senderNonce Line | Count | Source | 801 | 110 | int PREFIX##_set1_##FIELD(OSSL_CMP_CTX *ctx, const ASN1_OCTET_STRING *id) \ | 802 | 110 | { \ | 803 | 110 | if (ctx == NULL) { \ | 804 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); \ | 805 | 0 | return 0; \ | 806 | 0 | } \ | 807 | 110 | return ossl_cmp_asn1_octet_string_set1(&ctx->FIELD, id); \ | 808 | 110 | } |
|
809 | | |
810 | | /* Set the given transactionID to the context */ |
811 | | DEFINE_set1_ASN1_OCTET_STRING(OSSL_CMP_CTX, transactionID) |
812 | | |
813 | | /* Set the nonce to be used for the recipNonce in the message created next */ |
814 | | DEFINE_set1_ASN1_OCTET_STRING(ossl_cmp_ctx, recipNonce) |
815 | | |
816 | | /* Stores the given nonce as the last senderNonce sent out */ |
817 | | DEFINE_set1_ASN1_OCTET_STRING(OSSL_CMP_CTX, senderNonce) |
818 | | |
819 | | /* store the first req sender nonce for verifying delayed delivery */ |
820 | | DEFINE_set1_ASN1_OCTET_STRING(ossl_cmp_ctx, first_senderNonce) |
821 | | |
822 | | /* Set the proxy server to use for HTTP(S) connections */ |
823 | | DEFINE_OSSL_CMP_CTX_set1(proxy, char) |
824 | | |
825 | | /* Set the (HTTP) hostname of the CMP server */ |
826 | | DEFINE_OSSL_CMP_CTX_set1(server, char) |
827 | | |
828 | | /* Set the server exclusion list of the HTTP proxy server */ |
829 | | DEFINE_OSSL_CMP_CTX_set1(no_proxy, char) |
830 | | |
831 | | #ifndef OPENSSL_NO_HTTP |
832 | | /* Set the http connect/disconnect callback function to be used for HTTP(S) */ |
833 | | DEFINE_OSSL_set(OSSL_CMP_CTX, http_cb, OSSL_HTTP_bio_cb_t) |
834 | | |
835 | | /* Set argument optionally to be used by the http connect/disconnect callback */ |
836 | | DEFINE_OSSL_set(OSSL_CMP_CTX, http_cb_arg, void *) |
837 | | |
838 | | /* |
839 | | * Get argument optionally to be used by the http connect/disconnect callback |
840 | | * Returns callback argument set previously (NULL if not set or on error) |
841 | | */ |
842 | | DEFINE_OSSL_get(OSSL_CMP_CTX, http_cb_arg, void *, NULL) |
843 | | #endif |
844 | | |
845 | | /* Set callback function for sending CMP request and receiving response */ |
846 | | DEFINE_OSSL_set(OSSL_CMP_CTX, transfer_cb, OSSL_CMP_transfer_cb_t) |
847 | | |
848 | | /* Set argument optionally to be used by the transfer callback */ |
849 | | DEFINE_OSSL_set(OSSL_CMP_CTX, transfer_cb_arg, void *) |
850 | | |
851 | | /* |
852 | | * Get argument optionally to be used by the transfer callback. |
853 | | * Returns callback argument set previously (NULL if not set or on error) |
854 | | */ |
855 | | DEFINE_OSSL_get(OSSL_CMP_CTX, transfer_cb_arg, void *, NULL) |
856 | | |
857 | | /** Set the HTTP server port to be used */ |
858 | | DEFINE_OSSL_set(OSSL_CMP_CTX, serverPort, int) |
859 | | |
860 | | /* Set the HTTP path to be used on the server (e.g "pkix/") */ |
861 | | DEFINE_OSSL_CMP_CTX_set1(serverPath, char) |
862 | | |
863 | | /* Set the failInfo error code as bit encoding in OSSL_CMP_CTX */ |
864 | | DEFINE_OSSL_set(ossl_cmp_ctx, failInfoCode, int) |
865 | | |
866 | | /* |
867 | | * Get the failInfo error code in OSSL_CMP_CTX as bit encoding. |
868 | | * Returns bit string as integer on success, -1 on error |
869 | | */ |
870 | | DEFINE_OSSL_get(OSSL_CMP_CTX, failInfoCode, int, -1) |
871 | | |
872 | | /* Set a Boolean or integer option of the context to the "val" arg */ |
873 | | int OSSL_CMP_CTX_set_option(OSSL_CMP_CTX *ctx, int opt, int val) |
874 | 0 | { |
875 | 0 | int min_val; |
876 | |
|
877 | 0 | if (ctx == NULL) { |
878 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); |
879 | 0 | return 0; |
880 | 0 | } |
881 | | |
882 | 0 | switch (opt) { |
883 | 0 | case OSSL_CMP_OPT_REVOCATION_REASON: |
884 | 0 | min_val = OCSP_REVOKED_STATUS_NOSTATUS; |
885 | 0 | break; |
886 | 0 | case OSSL_CMP_OPT_POPO_METHOD: |
887 | 0 | min_val = OSSL_CRMF_POPO_NONE; |
888 | 0 | break; |
889 | 0 | default: |
890 | 0 | min_val = 0; |
891 | 0 | break; |
892 | 0 | } |
893 | 0 | if (val < min_val) { |
894 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_VALUE_TOO_SMALL); |
895 | 0 | return 0; |
896 | 0 | } |
897 | | |
898 | 0 | switch (opt) { |
899 | 0 | case OSSL_CMP_OPT_LOG_VERBOSITY: |
900 | 0 | if (val > OSSL_CMP_LOG_MAX) { |
901 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_VALUE_TOO_LARGE); |
902 | 0 | return 0; |
903 | 0 | } |
904 | 0 | ctx->log_verbosity = val; |
905 | 0 | break; |
906 | 0 | case OSSL_CMP_OPT_IMPLICIT_CONFIRM: |
907 | 0 | ctx->implicitConfirm = val; |
908 | 0 | break; |
909 | 0 | case OSSL_CMP_OPT_DISABLE_CONFIRM: |
910 | 0 | ctx->disableConfirm = val; |
911 | 0 | break; |
912 | 0 | case OSSL_CMP_OPT_UNPROTECTED_SEND: |
913 | 0 | ctx->unprotectedSend = val; |
914 | 0 | break; |
915 | 0 | case OSSL_CMP_OPT_UNPROTECTED_ERRORS: |
916 | 0 | ctx->unprotectedErrors = val; |
917 | 0 | break; |
918 | 0 | case OSSL_CMP_OPT_NO_CACHE_EXTRACERTS: |
919 | 0 | ctx->noCacheExtraCerts = val; |
920 | 0 | break; |
921 | 0 | case OSSL_CMP_OPT_VALIDITY_DAYS: |
922 | 0 | ctx->days = val; |
923 | 0 | break; |
924 | 0 | case OSSL_CMP_OPT_SUBJECTALTNAME_NODEFAULT: |
925 | 0 | ctx->SubjectAltName_nodefault = val; |
926 | 0 | break; |
927 | 0 | case OSSL_CMP_OPT_SUBJECTALTNAME_CRITICAL: |
928 | 0 | ctx->setSubjectAltNameCritical = val; |
929 | 0 | break; |
930 | 0 | case OSSL_CMP_OPT_POLICIES_CRITICAL: |
931 | 0 | ctx->setPoliciesCritical = val; |
932 | 0 | break; |
933 | 0 | case OSSL_CMP_OPT_IGNORE_KEYUSAGE: |
934 | 0 | ctx->ignore_keyusage = val; |
935 | 0 | break; |
936 | 0 | case OSSL_CMP_OPT_POPO_METHOD: |
937 | 0 | if (val > OSSL_CRMF_POPO_KEYAGREE) { |
938 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_VALUE_TOO_LARGE); |
939 | 0 | return 0; |
940 | 0 | } |
941 | 0 | ctx->popoMethod = val; |
942 | 0 | break; |
943 | 0 | case OSSL_CMP_OPT_DIGEST_ALGNID: |
944 | 0 | if (!cmp_ctx_set_md(ctx, &ctx->digest, val)) |
945 | 0 | return 0; |
946 | 0 | break; |
947 | 0 | case OSSL_CMP_OPT_OWF_ALGNID: |
948 | 0 | if (!cmp_ctx_set_md(ctx, &ctx->pbm_owf, val)) |
949 | 0 | return 0; |
950 | 0 | break; |
951 | 0 | case OSSL_CMP_OPT_MAC_ALGNID: |
952 | 0 | ctx->pbm_mac = val; |
953 | 0 | break; |
954 | 0 | case OSSL_CMP_OPT_KEEP_ALIVE: |
955 | 0 | ctx->keep_alive = val; |
956 | 0 | break; |
957 | 0 | case OSSL_CMP_OPT_MSG_TIMEOUT: |
958 | 0 | ctx->msg_timeout = val; |
959 | 0 | break; |
960 | 0 | case OSSL_CMP_OPT_TOTAL_TIMEOUT: |
961 | 0 | ctx->total_timeout = val; |
962 | 0 | break; |
963 | 0 | case OSSL_CMP_OPT_USE_TLS: |
964 | 0 | ctx->tls_used = val; |
965 | 0 | break; |
966 | 0 | case OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR: |
967 | 0 | ctx->permitTAInExtraCertsForIR = val; |
968 | 0 | break; |
969 | 0 | case OSSL_CMP_OPT_REVOCATION_REASON: |
970 | 0 | if (val > OCSP_REVOKED_STATUS_AACOMPROMISE) { |
971 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_VALUE_TOO_LARGE); |
972 | 0 | return 0; |
973 | 0 | } |
974 | 0 | ctx->revocationReason = val; |
975 | 0 | break; |
976 | 0 | default: |
977 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_OPTION); |
978 | 0 | return 0; |
979 | 0 | } |
980 | | |
981 | 0 | return 1; |
982 | 0 | } |
983 | | |
984 | | /* |
985 | | * Reads a Boolean or integer option value from the context. |
986 | | * Returns -1 on error (which is the default OSSL_CMP_OPT_REVOCATION_REASON) |
987 | | */ |
988 | | int OSSL_CMP_CTX_get_option(const OSSL_CMP_CTX *ctx, int opt) |
989 | 1.22k | { |
990 | 1.22k | if (ctx == NULL) { |
991 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); |
992 | 0 | return -1; |
993 | 0 | } |
994 | | |
995 | 1.22k | switch (opt) { |
996 | 0 | case OSSL_CMP_OPT_LOG_VERBOSITY: |
997 | 0 | return ctx->log_verbosity; |
998 | 189 | case OSSL_CMP_OPT_IMPLICIT_CONFIRM: |
999 | 189 | return ctx->implicitConfirm; |
1000 | 0 | case OSSL_CMP_OPT_DISABLE_CONFIRM: |
1001 | 0 | return ctx->disableConfirm; |
1002 | 0 | case OSSL_CMP_OPT_UNPROTECTED_SEND: |
1003 | 0 | return ctx->unprotectedSend; |
1004 | 581 | case OSSL_CMP_OPT_UNPROTECTED_ERRORS: |
1005 | 581 | return ctx->unprotectedErrors; |
1006 | 0 | case OSSL_CMP_OPT_NO_CACHE_EXTRACERTS: |
1007 | 0 | return ctx->noCacheExtraCerts; |
1008 | 0 | case OSSL_CMP_OPT_VALIDITY_DAYS: |
1009 | 0 | return ctx->days; |
1010 | 0 | case OSSL_CMP_OPT_SUBJECTALTNAME_NODEFAULT: |
1011 | 0 | return ctx->SubjectAltName_nodefault; |
1012 | 0 | case OSSL_CMP_OPT_SUBJECTALTNAME_CRITICAL: |
1013 | 0 | return ctx->setSubjectAltNameCritical; |
1014 | 0 | case OSSL_CMP_OPT_POLICIES_CRITICAL: |
1015 | 0 | return ctx->setPoliciesCritical; |
1016 | 0 | case OSSL_CMP_OPT_IGNORE_KEYUSAGE: |
1017 | 0 | return ctx->ignore_keyusage; |
1018 | 451 | case OSSL_CMP_OPT_POPO_METHOD: |
1019 | 451 | return ctx->popoMethod; |
1020 | 0 | case OSSL_CMP_OPT_DIGEST_ALGNID: |
1021 | 0 | return EVP_MD_get_type(ctx->digest); |
1022 | 0 | case OSSL_CMP_OPT_OWF_ALGNID: |
1023 | 0 | return EVP_MD_get_type(ctx->pbm_owf); |
1024 | 0 | case OSSL_CMP_OPT_MAC_ALGNID: |
1025 | 0 | return ctx->pbm_mac; |
1026 | 0 | case OSSL_CMP_OPT_KEEP_ALIVE: |
1027 | 0 | return ctx->keep_alive; |
1028 | 0 | case OSSL_CMP_OPT_MSG_TIMEOUT: |
1029 | 0 | return ctx->msg_timeout; |
1030 | 0 | case OSSL_CMP_OPT_TOTAL_TIMEOUT: |
1031 | 0 | return ctx->total_timeout; |
1032 | 0 | case OSSL_CMP_OPT_USE_TLS: |
1033 | 0 | return ctx->tls_used; |
1034 | 0 | case OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR: |
1035 | 0 | return ctx->permitTAInExtraCertsForIR; |
1036 | 0 | case OSSL_CMP_OPT_REVOCATION_REASON: |
1037 | 0 | return ctx->revocationReason; |
1038 | 0 | default: |
1039 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_OPTION); |
1040 | 0 | return -1; |
1041 | 1.22k | } |
1042 | 1.22k | } |