/src/openssl36/crypto/cmp/cmp_server.c
Line | Count | Source |
1 | | /* |
2 | | * Copyright 2007-2025 The OpenSSL Project Authors. All Rights Reserved. |
3 | | * Copyright Nokia 2007-2019 |
4 | | * Copyright Siemens AG 2015-2019 |
5 | | * |
6 | | * Licensed under the Apache License 2.0 (the "License"). You may not use |
7 | | * this file except in compliance with the License. You can obtain a copy |
8 | | * in the file LICENSE in the source distribution or at |
9 | | * https://www.openssl.org/source/license.html |
10 | | */ |
11 | | |
12 | | /* general CMP server functions */ |
13 | | |
14 | | #include "cmp_local.h" |
15 | | |
16 | | /* the context for the generic CMP server */ |
17 | | struct ossl_cmp_srv_ctx_st { |
18 | | OSSL_CMP_CTX *ctx; /* CMP client context reused for transactionID etc. */ |
19 | | void *custom_ctx; /* application-specific server context */ |
20 | | int certReqId; /* of ir/cr/kur, OSSL_CMP_CERTREQID_NONE for p10cr */ |
21 | | int polling; /* current transaction is in polling mode */ |
22 | | |
23 | | OSSL_CMP_SRV_cert_request_cb_t process_cert_request; |
24 | | OSSL_CMP_SRV_rr_cb_t process_rr; |
25 | | OSSL_CMP_SRV_genm_cb_t process_genm; |
26 | | OSSL_CMP_SRV_error_cb_t process_error; |
27 | | OSSL_CMP_SRV_certConf_cb_t process_certConf; |
28 | | OSSL_CMP_SRV_pollReq_cb_t process_pollReq; |
29 | | OSSL_CMP_SRV_delayed_delivery_cb_t delayed_delivery; |
30 | | OSSL_CMP_SRV_clean_transaction_cb_t clean_transaction; |
31 | | |
32 | | int sendUnprotectedErrors; /* Send error and rejection msgs unprotected */ |
33 | | int acceptUnprotected; /* Accept requests with no/invalid prot. */ |
34 | | int acceptRAVerified; /* Accept ir/cr/kur with POPO RAVerified */ |
35 | | int grantImplicitConfirm; /* Grant implicit confirmation if requested */ |
36 | | |
37 | | }; /* OSSL_CMP_SRV_CTX */ |
38 | | |
39 | | void OSSL_CMP_SRV_CTX_free(OSSL_CMP_SRV_CTX *srv_ctx) |
40 | 39.3k | { |
41 | 39.3k | if (srv_ctx == NULL) |
42 | 0 | return; |
43 | | |
44 | 39.3k | OSSL_CMP_CTX_free(srv_ctx->ctx); |
45 | 39.3k | OPENSSL_free(srv_ctx); |
46 | 39.3k | } |
47 | | |
48 | | OSSL_CMP_SRV_CTX *OSSL_CMP_SRV_CTX_new(OSSL_LIB_CTX *libctx, const char *propq) |
49 | 39.3k | { |
50 | 39.3k | OSSL_CMP_SRV_CTX *ctx = OPENSSL_zalloc(sizeof(OSSL_CMP_SRV_CTX)); |
51 | | |
52 | 39.3k | if (ctx == NULL) |
53 | 0 | goto err; |
54 | | |
55 | 39.3k | if ((ctx->ctx = OSSL_CMP_CTX_new(libctx, propq)) == NULL) |
56 | 0 | goto err; |
57 | 39.3k | ctx->certReqId = OSSL_CMP_CERTREQID_INVALID; |
58 | 39.3k | ctx->polling = 0; |
59 | | |
60 | | /* all other elements are initialized to 0 or NULL, respectively */ |
61 | 39.3k | return ctx; |
62 | 0 | err: |
63 | 0 | OSSL_CMP_SRV_CTX_free(ctx); |
64 | 0 | return NULL; |
65 | 39.3k | } |
66 | | |
67 | | int OSSL_CMP_SRV_CTX_init(OSSL_CMP_SRV_CTX *srv_ctx, void *custom_ctx, |
68 | | OSSL_CMP_SRV_cert_request_cb_t process_cert_request, |
69 | | OSSL_CMP_SRV_rr_cb_t process_rr, |
70 | | OSSL_CMP_SRV_genm_cb_t process_genm, |
71 | | OSSL_CMP_SRV_error_cb_t process_error, |
72 | | OSSL_CMP_SRV_certConf_cb_t process_certConf, |
73 | | OSSL_CMP_SRV_pollReq_cb_t process_pollReq) |
74 | 39.3k | { |
75 | 39.3k | if (srv_ctx == NULL) { |
76 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); |
77 | 0 | return 0; |
78 | 0 | } |
79 | 39.3k | srv_ctx->custom_ctx = custom_ctx; |
80 | 39.3k | srv_ctx->process_cert_request = process_cert_request; |
81 | 39.3k | srv_ctx->process_rr = process_rr; |
82 | 39.3k | srv_ctx->process_genm = process_genm; |
83 | 39.3k | srv_ctx->process_error = process_error; |
84 | 39.3k | srv_ctx->process_certConf = process_certConf; |
85 | 39.3k | srv_ctx->process_pollReq = process_pollReq; |
86 | 39.3k | return 1; |
87 | 39.3k | } |
88 | | |
89 | | int OSSL_CMP_SRV_CTX_init_trans(OSSL_CMP_SRV_CTX *srv_ctx, |
90 | | OSSL_CMP_SRV_delayed_delivery_cb_t delay, |
91 | | OSSL_CMP_SRV_clean_transaction_cb_t clean) |
92 | 32.2k | { |
93 | 32.2k | if (srv_ctx == NULL) { |
94 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); |
95 | 0 | return 0; |
96 | 0 | } |
97 | 32.2k | srv_ctx->delayed_delivery = delay; |
98 | 32.2k | srv_ctx->clean_transaction = clean; |
99 | 32.2k | return 1; |
100 | 32.2k | } |
101 | | |
102 | | OSSL_CMP_CTX *OSSL_CMP_SRV_CTX_get0_cmp_ctx(const OSSL_CMP_SRV_CTX *srv_ctx) |
103 | 39.3k | { |
104 | 39.3k | if (srv_ctx == NULL) { |
105 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); |
106 | 0 | return NULL; |
107 | 0 | } |
108 | 39.3k | return srv_ctx->ctx; |
109 | 39.3k | } |
110 | | |
111 | | void *OSSL_CMP_SRV_CTX_get0_custom_ctx(const OSSL_CMP_SRV_CTX *srv_ctx) |
112 | 0 | { |
113 | 0 | if (srv_ctx == NULL) { |
114 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); |
115 | 0 | return NULL; |
116 | 0 | } |
117 | 0 | return srv_ctx->custom_ctx; |
118 | 0 | } |
119 | | |
120 | | int OSSL_CMP_SRV_CTX_set_send_unprotected_errors(OSSL_CMP_SRV_CTX *srv_ctx, |
121 | | int val) |
122 | 0 | { |
123 | 0 | if (srv_ctx == NULL) { |
124 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); |
125 | 0 | return 0; |
126 | 0 | } |
127 | 0 | srv_ctx->sendUnprotectedErrors = val != 0; |
128 | 0 | return 1; |
129 | 0 | } |
130 | | |
131 | | int OSSL_CMP_SRV_CTX_set_accept_unprotected(OSSL_CMP_SRV_CTX *srv_ctx, int val) |
132 | 0 | { |
133 | 0 | if (srv_ctx == NULL) { |
134 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); |
135 | 0 | return 0; |
136 | 0 | } |
137 | 0 | srv_ctx->acceptUnprotected = val != 0; |
138 | 0 | return 1; |
139 | 0 | } |
140 | | |
141 | | int OSSL_CMP_SRV_CTX_set_accept_raverified(OSSL_CMP_SRV_CTX *srv_ctx, int val) |
142 | 0 | { |
143 | 0 | if (srv_ctx == NULL) { |
144 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); |
145 | 0 | return 0; |
146 | 0 | } |
147 | 0 | srv_ctx->acceptRAVerified = val != 0; |
148 | 0 | return 1; |
149 | 0 | } |
150 | | |
151 | | int OSSL_CMP_SRV_CTX_set_grant_implicit_confirm(OSSL_CMP_SRV_CTX *srv_ctx, |
152 | | int val) |
153 | 0 | { |
154 | 0 | if (srv_ctx == NULL) { |
155 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); |
156 | 0 | return 0; |
157 | 0 | } |
158 | 0 | srv_ctx->grantImplicitConfirm = val != 0; |
159 | 0 | return 1; |
160 | 0 | } |
161 | | |
162 | | /* return error msg with waiting status if polling is initiated, else NULL */ |
163 | | static OSSL_CMP_MSG *delayed_delivery(OSSL_CMP_SRV_CTX *srv_ctx, |
164 | | const OSSL_CMP_MSG *req) |
165 | 10.6k | { |
166 | 10.6k | int ret; |
167 | 10.6k | unsigned long err; |
168 | 10.6k | int status = OSSL_CMP_PKISTATUS_waiting, |
169 | 10.6k | fail_info = 0, errorCode = 0; |
170 | 10.6k | const char *txt = NULL, *details = NULL; |
171 | 10.6k | OSSL_CMP_PKISI *si; |
172 | 10.6k | OSSL_CMP_MSG *msg; |
173 | | |
174 | 10.6k | if (!ossl_assert(srv_ctx != NULL && srv_ctx->ctx != NULL && req != NULL |
175 | 10.6k | && srv_ctx->delayed_delivery != NULL)) |
176 | 0 | return NULL; |
177 | | |
178 | 10.6k | ret = srv_ctx->delayed_delivery(srv_ctx, req); |
179 | 10.6k | if (ret == 0) |
180 | 10.6k | return NULL; |
181 | 0 | if (ret == 1) { |
182 | 0 | srv_ctx->polling = 1; |
183 | 0 | } else { |
184 | 0 | status = OSSL_CMP_PKISTATUS_rejection; |
185 | 0 | fail_info = 1 << OSSL_CMP_PKIFAILUREINFO_systemFailure; |
186 | 0 | txt = "server application error"; |
187 | 0 | err = ERR_peek_error(); |
188 | 0 | errorCode = ERR_GET_REASON(err); |
189 | 0 | details = ERR_reason_error_string(err); |
190 | 0 | } |
191 | |
|
192 | 0 | si = OSSL_CMP_STATUSINFO_new(status, fail_info, txt); |
193 | 0 | if (si == NULL) |
194 | 0 | return NULL; |
195 | | |
196 | 0 | msg = ossl_cmp_error_new(srv_ctx->ctx, si, errorCode, details, |
197 | 0 | srv_ctx->sendUnprotectedErrors); |
198 | 0 | OSSL_CMP_PKISI_free(si); |
199 | 0 | return msg; |
200 | 0 | } |
201 | | |
202 | | /* |
203 | | * Processes an ir/cr/p10cr/kur and returns a certification response. |
204 | | * Only handles the first certification request contained in req |
205 | | * returns an ip/cp/kup on success and NULL on error |
206 | | */ |
207 | | static OSSL_CMP_MSG *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx, |
208 | | const OSSL_CMP_MSG *req) |
209 | 3.64k | { |
210 | 3.64k | OSSL_CMP_MSG *msg = NULL; |
211 | 3.64k | OSSL_CMP_PKISI *si = NULL; |
212 | 3.64k | X509 *certOut = NULL; |
213 | 3.64k | EVP_PKEY *keyOut = NULL; |
214 | 3.64k | STACK_OF(X509) *chainOut = NULL, *caPubs = NULL; |
215 | 3.64k | const OSSL_CRMF_MSG *crm = NULL; |
216 | 3.64k | const X509_REQ *p10cr = NULL; |
217 | 3.64k | int bodytype; |
218 | 3.64k | int certReqId, central_keygen; |
219 | | |
220 | 3.64k | if (!ossl_assert(srv_ctx != NULL && srv_ctx->ctx != NULL && req != NULL)) |
221 | 0 | return NULL; |
222 | | |
223 | 3.64k | switch (OSSL_CMP_MSG_get_bodytype(req)) { |
224 | 1.89k | case OSSL_CMP_PKIBODY_P10CR: |
225 | 2.60k | case OSSL_CMP_PKIBODY_CR: |
226 | 2.60k | bodytype = OSSL_CMP_PKIBODY_CP; |
227 | 2.60k | break; |
228 | 795 | case OSSL_CMP_PKIBODY_IR: |
229 | 795 | bodytype = OSSL_CMP_PKIBODY_IP; |
230 | 795 | break; |
231 | 246 | case OSSL_CMP_PKIBODY_KUR: |
232 | 246 | bodytype = OSSL_CMP_PKIBODY_KUP; |
233 | 246 | break; |
234 | 0 | default: |
235 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY); |
236 | 0 | return NULL; |
237 | 3.64k | } |
238 | | |
239 | 3.64k | if (OSSL_CMP_MSG_get_bodytype(req) == OSSL_CMP_PKIBODY_P10CR) { |
240 | 1.89k | certReqId = OSSL_CMP_CERTREQID_NONE; /* p10cr does not include an Id */ |
241 | 1.89k | p10cr = req->body->value.p10cr; |
242 | 1.89k | } else { |
243 | 1.74k | OSSL_CRMF_MSGS *reqs = req->body->value.ir; /* same for cr and kur */ |
244 | | |
245 | 1.74k | if (sk_OSSL_CRMF_MSG_num(reqs) != 1) { |
246 | 33 | ERR_raise(ERR_LIB_CMP, CMP_R_MULTIPLE_REQUESTS_NOT_SUPPORTED); |
247 | 33 | return NULL; |
248 | 33 | } |
249 | 1.71k | if ((crm = sk_OSSL_CRMF_MSG_value(reqs, 0)) == NULL) { |
250 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_CERTREQMSG_NOT_FOUND); |
251 | 0 | return NULL; |
252 | 0 | } |
253 | 1.71k | certReqId = OSSL_CRMF_MSG_get_certReqId(crm); |
254 | 1.71k | if (certReqId != OSSL_CMP_CERTREQID) { /* so far, only possible value */ |
255 | 164 | ERR_raise(ERR_LIB_CMP, CMP_R_BAD_REQUEST_ID); |
256 | 164 | return NULL; |
257 | 164 | } |
258 | 1.71k | } |
259 | 3.44k | srv_ctx->certReqId = certReqId; |
260 | | |
261 | 3.44k | central_keygen = OSSL_CRMF_MSG_centralkeygen_requested(crm, p10cr); |
262 | 3.44k | if (central_keygen < 0) |
263 | 3 | return NULL; |
264 | 3.44k | if (central_keygen == 0 |
265 | 3.44k | && !ossl_cmp_verify_popo(srv_ctx->ctx, req, srv_ctx->acceptRAVerified)) { |
266 | | /* Proof of possession could not be verified */ |
267 | 0 | si = OSSL_CMP_STATUSINFO_new(OSSL_CMP_PKISTATUS_rejection, |
268 | 0 | 1 << OSSL_CMP_PKIFAILUREINFO_badPOP, |
269 | 0 | ERR_reason_error_string(ERR_peek_error())); |
270 | 0 | if (si == NULL) |
271 | 0 | return NULL; |
272 | 3.44k | } else { |
273 | 3.44k | OSSL_CMP_PKIHEADER *hdr = OSSL_CMP_MSG_get0_header(req); |
274 | | |
275 | 3.44k | si = srv_ctx->process_cert_request(srv_ctx, req, certReqId, crm, p10cr, |
276 | 3.44k | &certOut, &chainOut, &caPubs); |
277 | 3.44k | if (si == NULL) |
278 | 3.44k | goto err; |
279 | 0 | if (ossl_cmp_pkisi_get_status(si) == OSSL_CMP_PKISTATUS_waiting) |
280 | 0 | srv_ctx->polling = 1; |
281 | | /* set OSSL_CMP_OPT_IMPLICIT_CONFIRM if and only if transaction ends */ |
282 | 0 | if (!OSSL_CMP_CTX_set_option(srv_ctx->ctx, |
283 | 0 | OSSL_CMP_OPT_IMPLICIT_CONFIRM, |
284 | 0 | ossl_cmp_hdr_has_implicitConfirm(hdr) |
285 | 0 | && srv_ctx->grantImplicitConfirm |
286 | | /* do not set if polling starts: */ |
287 | 0 | && certOut != NULL)) |
288 | 0 | goto err; |
289 | 0 | if (central_keygen == 1 |
290 | 0 | && srv_ctx->ctx->newPkey_priv && srv_ctx->ctx->newPkey != NULL) |
291 | 0 | keyOut = srv_ctx->ctx->newPkey; |
292 | 0 | } |
293 | | |
294 | 0 | msg = ossl_cmp_certrep_new(srv_ctx->ctx, bodytype, certReqId, si, |
295 | 0 | certOut, keyOut, NULL /* enc */, chainOut, caPubs, |
296 | 0 | srv_ctx->sendUnprotectedErrors); |
297 | | /* When supporting OSSL_CRMF_POPO_KEYENC, "enc" will need to be set */ |
298 | 0 | if (msg == NULL) |
299 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_CERTREP); |
300 | |
|
301 | 3.44k | err: |
302 | 3.44k | OSSL_CMP_PKISI_free(si); |
303 | 3.44k | X509_free(certOut); |
304 | 3.44k | OSSL_CMP_CTX_set0_newPkey(srv_ctx->ctx, 0, NULL); |
305 | 3.44k | OSSL_STACK_OF_X509_free(chainOut); |
306 | 3.44k | OSSL_STACK_OF_X509_free(caPubs); |
307 | 3.44k | return msg; |
308 | 0 | } |
309 | | |
310 | | static OSSL_CMP_MSG *process_rr(OSSL_CMP_SRV_CTX *srv_ctx, |
311 | | const OSSL_CMP_MSG *req) |
312 | 151 | { |
313 | 151 | OSSL_CMP_MSG *msg = NULL; |
314 | 151 | OSSL_CMP_REVDETAILS *details; |
315 | 151 | OSSL_CRMF_CERTID *certId = NULL; |
316 | 151 | OSSL_CRMF_CERTTEMPLATE *tmpl; |
317 | 151 | const X509_NAME *issuer; |
318 | 151 | const ASN1_INTEGER *serial; |
319 | 151 | OSSL_CMP_PKISI *si; |
320 | | |
321 | 151 | if (!ossl_assert(srv_ctx != NULL && srv_ctx->ctx != NULL && req != NULL)) |
322 | 0 | return NULL; |
323 | | |
324 | 151 | if (sk_OSSL_CMP_REVDETAILS_num(req->body->value.rr) != 1) { |
325 | 78 | ERR_raise(ERR_LIB_CMP, CMP_R_MULTIPLE_REQUESTS_NOT_SUPPORTED); |
326 | 78 | return NULL; |
327 | 78 | } |
328 | 73 | details = sk_OSSL_CMP_REVDETAILS_value(req->body->value.rr, 0); |
329 | 73 | if (details == NULL) { |
330 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE); |
331 | 0 | return NULL; |
332 | 0 | } |
333 | | |
334 | 73 | tmpl = details->certDetails; |
335 | 73 | issuer = OSSL_CRMF_CERTTEMPLATE_get0_issuer(tmpl); |
336 | 73 | serial = OSSL_CRMF_CERTTEMPLATE_get0_serialNumber(tmpl); |
337 | 73 | if (issuer != NULL && serial != NULL |
338 | 50 | && (certId = OSSL_CRMF_CERTID_gen(issuer, serial)) == NULL) |
339 | 0 | return NULL; |
340 | 73 | if ((si = srv_ctx->process_rr(srv_ctx, req, issuer, serial)) == NULL) |
341 | 73 | goto err; |
342 | | |
343 | 0 | if ((msg = ossl_cmp_rp_new(srv_ctx->ctx, si, certId, |
344 | 0 | srv_ctx->sendUnprotectedErrors)) |
345 | 0 | == NULL) |
346 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_RR); |
347 | |
|
348 | 73 | err: |
349 | 73 | OSSL_CRMF_CERTID_free(certId); |
350 | 73 | OSSL_CMP_PKISI_free(si); |
351 | 73 | return msg; |
352 | 0 | } |
353 | | |
354 | | /* |
355 | | * Processes genm and creates a genp message mirroring the contents of the |
356 | | * incoming message |
357 | | */ |
358 | | static OSSL_CMP_MSG *process_genm(OSSL_CMP_SRV_CTX *srv_ctx, |
359 | | const OSSL_CMP_MSG *req) |
360 | 396 | { |
361 | 396 | OSSL_CMP_GENMSGCONTENT *itavs; |
362 | 396 | OSSL_CMP_MSG *msg; |
363 | | |
364 | 396 | if (!ossl_assert(srv_ctx != NULL && srv_ctx->ctx != NULL && req != NULL)) |
365 | 0 | return NULL; |
366 | | |
367 | 396 | if (!srv_ctx->process_genm(srv_ctx, req, req->body->value.genm, &itavs)) |
368 | 396 | return NULL; |
369 | | |
370 | 0 | msg = ossl_cmp_genp_new(srv_ctx->ctx, itavs); |
371 | 0 | sk_OSSL_CMP_ITAV_pop_free(itavs, OSSL_CMP_ITAV_free); |
372 | 0 | return msg; |
373 | 396 | } |
374 | | |
375 | | static OSSL_CMP_MSG *process_error(OSSL_CMP_SRV_CTX *srv_ctx, |
376 | | const OSSL_CMP_MSG *req) |
377 | 896 | { |
378 | 896 | OSSL_CMP_ERRORMSGCONTENT *errorContent; |
379 | 896 | OSSL_CMP_MSG *msg; |
380 | | |
381 | 896 | if (!ossl_assert(srv_ctx != NULL && srv_ctx->ctx != NULL && req != NULL)) |
382 | 0 | return NULL; |
383 | 896 | errorContent = req->body->value.error; |
384 | 896 | srv_ctx->process_error(srv_ctx, req, errorContent->pKIStatusInfo, |
385 | 896 | errorContent->errorCode, errorContent->errorDetails); |
386 | | |
387 | 896 | if ((msg = ossl_cmp_pkiconf_new(srv_ctx->ctx)) == NULL) |
388 | 896 | ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_PKICONF); |
389 | 896 | return msg; |
390 | 896 | } |
391 | | |
392 | | static OSSL_CMP_MSG *process_certConf(OSSL_CMP_SRV_CTX *srv_ctx, |
393 | | const OSSL_CMP_MSG *req) |
394 | 251 | { |
395 | 251 | OSSL_CMP_CTX *ctx; |
396 | 251 | OSSL_CMP_CERTCONFIRMCONTENT *ccc; |
397 | 251 | int num; |
398 | 251 | OSSL_CMP_MSG *msg = NULL; |
399 | 251 | OSSL_CMP_CERTSTATUS *status = NULL; |
400 | | |
401 | 251 | if (!ossl_assert(srv_ctx != NULL && srv_ctx->ctx != NULL && req != NULL)) |
402 | 0 | return NULL; |
403 | | |
404 | 251 | ctx = srv_ctx->ctx; |
405 | 251 | ccc = req->body->value.certConf; |
406 | 251 | num = sk_OSSL_CMP_CERTSTATUS_num(ccc); |
407 | | |
408 | 251 | if (OSSL_CMP_CTX_get_option(ctx, OSSL_CMP_OPT_IMPLICIT_CONFIRM) == 1 |
409 | 251 | || ctx->status != OSSL_CMP_PKISTATUS_trans) { |
410 | 251 | ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_UNEXPECTED_CERTCONF); |
411 | 251 | return NULL; |
412 | 251 | } |
413 | | |
414 | 0 | if (num == 0) { |
415 | 0 | ossl_cmp_err(ctx, "certificate rejected by client"); |
416 | 0 | } else { |
417 | 0 | if (num > 1) |
418 | 0 | ossl_cmp_warn(ctx, "All CertStatus but the first will be ignored"); |
419 | 0 | status = sk_OSSL_CMP_CERTSTATUS_value(ccc, 0); |
420 | 0 | } |
421 | |
|
422 | 0 | if (status != NULL) { |
423 | 0 | int certReqId = ossl_cmp_asn1_get_int(status->certReqId); |
424 | 0 | ASN1_OCTET_STRING *certHash = status->certHash; |
425 | 0 | OSSL_CMP_PKISI *si = status->statusInfo; |
426 | |
|
427 | 0 | if (certReqId != srv_ctx->certReqId) { |
428 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_BAD_REQUEST_ID); |
429 | 0 | return NULL; |
430 | 0 | } |
431 | 0 | if (!srv_ctx->process_certConf(srv_ctx, req, certReqId, certHash, si)) |
432 | 0 | return NULL; /* reason code may be: CMP_R_CERTHASH_UNMATCHED */ |
433 | | |
434 | 0 | if (si != NULL |
435 | 0 | && ossl_cmp_pkisi_get_status(si) != OSSL_CMP_PKISTATUS_accepted) { |
436 | 0 | int pki_status = ossl_cmp_pkisi_get_status(si); |
437 | 0 | const char *str = ossl_cmp_PKIStatus_to_string(pki_status); |
438 | |
|
439 | 0 | ossl_cmp_log2(INFO, ctx, "certificate rejected by client %s %s", |
440 | 0 | str == NULL ? "without" : "with", |
441 | 0 | str == NULL ? "PKIStatus" : str); |
442 | 0 | } |
443 | 0 | } |
444 | | |
445 | 0 | if ((msg = ossl_cmp_pkiconf_new(ctx)) == NULL) |
446 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_PKICONF); |
447 | 0 | return msg; |
448 | 0 | } |
449 | | |
450 | | /* pollReq is handled separately, to avoid recursive call */ |
451 | | static OSSL_CMP_MSG *process_non_polling_request(OSSL_CMP_SRV_CTX *srv_ctx, |
452 | | const OSSL_CMP_MSG *req) |
453 | 10.6k | { |
454 | 10.6k | OSSL_CMP_MSG *rsp = NULL; |
455 | | |
456 | 10.6k | if (!ossl_assert(srv_ctx != NULL && srv_ctx->ctx != NULL && req != NULL |
457 | 10.6k | && req->body != NULL)) |
458 | 0 | return NULL; |
459 | | |
460 | 10.6k | switch (OSSL_CMP_MSG_get_bodytype(req)) { |
461 | 1.46k | case OSSL_CMP_PKIBODY_IR: |
462 | 2.62k | case OSSL_CMP_PKIBODY_CR: |
463 | 6.03k | case OSSL_CMP_PKIBODY_P10CR: |
464 | 6.32k | case OSSL_CMP_PKIBODY_KUR: |
465 | 6.32k | if (srv_ctx->process_cert_request == NULL) |
466 | 6.32k | ERR_raise(ERR_LIB_CMP, CMP_R_UNSUPPORTED_PKIBODY); |
467 | 6.32k | else |
468 | 6.32k | rsp = process_cert_request(srv_ctx, req); |
469 | 6.32k | break; |
470 | 129 | case OSSL_CMP_PKIBODY_RR: |
471 | 129 | if (srv_ctx->process_rr == NULL) |
472 | 129 | ERR_raise(ERR_LIB_CMP, CMP_R_UNSUPPORTED_PKIBODY); |
473 | 129 | else |
474 | 129 | rsp = process_rr(srv_ctx, req); |
475 | 129 | break; |
476 | 354 | case OSSL_CMP_PKIBODY_GENM: |
477 | 354 | if (srv_ctx->process_genm == NULL) |
478 | 354 | ERR_raise(ERR_LIB_CMP, CMP_R_UNSUPPORTED_PKIBODY); |
479 | 354 | else |
480 | 354 | rsp = process_genm(srv_ctx, req); |
481 | 354 | break; |
482 | 772 | case OSSL_CMP_PKIBODY_ERROR: |
483 | 772 | if (srv_ctx->process_error == NULL) |
484 | 772 | ERR_raise(ERR_LIB_CMP, CMP_R_UNSUPPORTED_PKIBODY); |
485 | 772 | else |
486 | 772 | rsp = process_error(srv_ctx, req); |
487 | 772 | break; |
488 | 232 | case OSSL_CMP_PKIBODY_CERTCONF: |
489 | 232 | if (srv_ctx->process_certConf == NULL) |
490 | 232 | ERR_raise(ERR_LIB_CMP, CMP_R_UNSUPPORTED_PKIBODY); |
491 | 232 | else |
492 | 232 | rsp = process_certConf(srv_ctx, req); |
493 | 232 | break; |
494 | | |
495 | 0 | case OSSL_CMP_PKIBODY_POLLREQ: |
496 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY); |
497 | 0 | break; |
498 | 2.87k | default: |
499 | 2.87k | ERR_raise(ERR_LIB_CMP, CMP_R_UNSUPPORTED_PKIBODY); |
500 | 2.87k | break; |
501 | 10.6k | } |
502 | | |
503 | 10.6k | return rsp; |
504 | 10.6k | } |
505 | | |
506 | | static OSSL_CMP_MSG *process_pollReq(OSSL_CMP_SRV_CTX *srv_ctx, |
507 | | const OSSL_CMP_MSG *req) |
508 | 122 | { |
509 | 122 | OSSL_CMP_POLLREQCONTENT *prc; |
510 | 122 | OSSL_CMP_POLLREQ *pr; |
511 | 122 | int certReqId; |
512 | 122 | OSSL_CMP_MSG *orig_req; |
513 | 122 | int64_t check_after = 0; |
514 | 122 | OSSL_CMP_MSG *msg = NULL; |
515 | | |
516 | 122 | if (!ossl_assert(srv_ctx != NULL && srv_ctx->ctx != NULL && req != NULL)) |
517 | 0 | return NULL; |
518 | | |
519 | 122 | if (!srv_ctx->polling) { |
520 | 122 | ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY); |
521 | 122 | return NULL; |
522 | 122 | } |
523 | | |
524 | 0 | prc = req->body->value.pollReq; |
525 | 0 | if (sk_OSSL_CMP_POLLREQ_num(prc) != 1) { |
526 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_MULTIPLE_REQUESTS_NOT_SUPPORTED); |
527 | 0 | return NULL; |
528 | 0 | } |
529 | | |
530 | 0 | pr = sk_OSSL_CMP_POLLREQ_value(prc, 0); |
531 | 0 | certReqId = ossl_cmp_asn1_get_int(pr->certReqId); |
532 | 0 | if (!srv_ctx->process_pollReq(srv_ctx, req, certReqId, |
533 | 0 | &orig_req, &check_after)) |
534 | 0 | return NULL; |
535 | | |
536 | 0 | if (orig_req != NULL) { |
537 | 0 | srv_ctx->polling = 0; |
538 | 0 | msg = process_non_polling_request(srv_ctx, orig_req); |
539 | 0 | OSSL_CMP_MSG_free(orig_req); |
540 | 0 | } else { |
541 | 0 | if ((msg = ossl_cmp_pollRep_new(srv_ctx->ctx, certReqId, |
542 | 0 | check_after)) |
543 | 0 | == NULL) |
544 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_POLLREP); |
545 | 0 | } |
546 | 0 | return msg; |
547 | 0 | } |
548 | | |
549 | | /* |
550 | | * Determine whether missing/invalid protection of request message is allowed. |
551 | | * Return 1 on acceptance, 0 on rejection, or -1 on (internal) error. |
552 | | */ |
553 | | static int unprotected_exception(const OSSL_CMP_CTX *ctx, |
554 | | const OSSL_CMP_MSG *req, |
555 | | int invalid_protection, |
556 | | int accept_unprotected_requests) |
557 | 13.6k | { |
558 | 13.6k | if (!ossl_assert(ctx != NULL && req != NULL)) |
559 | 0 | return -1; |
560 | | |
561 | 13.6k | if (accept_unprotected_requests) { |
562 | 0 | ossl_cmp_log1(WARN, ctx, "ignoring %s protection of request message", |
563 | 0 | invalid_protection ? "invalid" : "missing"); |
564 | 0 | return 1; |
565 | 0 | } |
566 | 13.6k | if (OSSL_CMP_MSG_get_bodytype(req) == OSSL_CMP_PKIBODY_ERROR |
567 | 896 | && OSSL_CMP_CTX_get_option(ctx, OSSL_CMP_OPT_UNPROTECTED_ERRORS) == 1) { |
568 | 0 | ossl_cmp_warn(ctx, "ignoring missing protection of error message"); |
569 | 0 | return 1; |
570 | 0 | } |
571 | 13.6k | return 0; |
572 | 13.6k | } |
573 | | |
574 | | /* |
575 | | * returns created message and NULL on internal error |
576 | | */ |
577 | | OSSL_CMP_MSG *OSSL_CMP_SRV_process_request(OSSL_CMP_SRV_CTX *srv_ctx, |
578 | | const OSSL_CMP_MSG *req) |
579 | 32.2k | { |
580 | 32.2k | OSSL_CMP_CTX *ctx; |
581 | 32.2k | ASN1_OCTET_STRING *backup_secret; |
582 | 32.2k | OSSL_CMP_PKIHEADER *hdr; |
583 | 32.2k | int req_type, rsp_type; |
584 | 32.2k | int req_verified = 0; |
585 | 32.2k | OSSL_CMP_MSG *rsp = NULL; |
586 | | |
587 | 32.2k | if (srv_ctx == NULL || srv_ctx->ctx == NULL |
588 | 32.2k | || req == NULL || req->body == NULL |
589 | 32.2k | || (hdr = OSSL_CMP_MSG_get0_header(req)) == NULL) { |
590 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); |
591 | 0 | return 0; |
592 | 0 | } |
593 | 32.2k | ctx = srv_ctx->ctx; |
594 | 32.2k | backup_secret = ctx->secretValue; |
595 | 32.2k | req_type = OSSL_CMP_MSG_get_bodytype(req); |
596 | 32.2k | ossl_cmp_log1(DEBUG, ctx, |
597 | 32.2k | "received %s", ossl_cmp_bodytype_to_string(req_type)); |
598 | | |
599 | | /* |
600 | | * Some things need to be done already before validating the message in |
601 | | * order to be able to send an error message as far as needed and possible. |
602 | | */ |
603 | 32.2k | if (hdr->sender->type != GEN_DIRNAME) { |
604 | 21.4k | ERR_raise(ERR_LIB_CMP, CMP_R_SENDER_GENERALNAME_TYPE_NOT_SUPPORTED); |
605 | 21.4k | goto err; |
606 | 21.4k | } |
607 | 10.8k | if (!OSSL_CMP_CTX_set1_recipient(ctx, hdr->sender->d.directoryName)) |
608 | 4 | goto err; |
609 | | |
610 | 10.8k | if (srv_ctx->polling && req_type != OSSL_CMP_PKIBODY_POLLREQ |
611 | 0 | && req_type != OSSL_CMP_PKIBODY_ERROR) { |
612 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_EXPECTED_POLLREQ); |
613 | 0 | goto err; |
614 | 0 | } |
615 | | |
616 | 10.8k | switch (req_type) { |
617 | 1.46k | case OSSL_CMP_PKIBODY_IR: |
618 | 2.62k | case OSSL_CMP_PKIBODY_CR: |
619 | 6.03k | case OSSL_CMP_PKIBODY_P10CR: |
620 | 6.32k | case OSSL_CMP_PKIBODY_KUR: |
621 | 6.44k | case OSSL_CMP_PKIBODY_RR: |
622 | 6.80k | case OSSL_CMP_PKIBODY_GENM: |
623 | 7.57k | case OSSL_CMP_PKIBODY_ERROR: |
624 | 7.57k | if (ctx->transactionID != NULL) { |
625 | 0 | char *tid = i2s_ASN1_OCTET_STRING(NULL, ctx->transactionID); |
626 | |
|
627 | 0 | if (tid != NULL) |
628 | 0 | ossl_cmp_log1(WARN, ctx, |
629 | 0 | "Assuming that last transaction with ID=%s got aborted", |
630 | 0 | tid); |
631 | 0 | OPENSSL_free(tid); |
632 | 0 | } |
633 | | /* start of a new transaction, reset transactionID and senderNonce */ |
634 | 7.57k | if (!OSSL_CMP_CTX_set1_transactionID(ctx, NULL) |
635 | 7.57k | || !OSSL_CMP_CTX_set1_senderNonce(ctx, NULL)) |
636 | 0 | goto err; |
637 | | |
638 | 7.57k | if (srv_ctx->clean_transaction != NULL |
639 | 7.57k | && !srv_ctx->clean_transaction(srv_ctx, NULL)) { |
640 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE); |
641 | 0 | goto err; |
642 | 0 | } |
643 | | |
644 | 7.57k | break; |
645 | 7.57k | default: |
646 | | /* transactionID should be already initialized */ |
647 | 3.23k | if (ctx->transactionID == NULL) { |
648 | | #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION |
649 | | ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY); |
650 | | goto err; |
651 | | #endif |
652 | 3.23k | } |
653 | 10.8k | } |
654 | | |
655 | 10.8k | req_verified = ossl_cmp_msg_check_update(ctx, req, unprotected_exception, |
656 | 10.8k | srv_ctx->acceptUnprotected); |
657 | 10.8k | if (ctx->secretValue != NULL && ctx->pkey != NULL |
658 | 0 | && ossl_cmp_hdr_get_protection_nid(hdr) != NID_id_PasswordBasedMAC) |
659 | 0 | ctx->secretValue = NULL; /* use MSG_SIG_ALG when protecting rsp */ |
660 | 10.8k | if (!req_verified) |
661 | 0 | goto err; |
662 | | |
663 | 10.8k | if (req_type == OSSL_CMP_PKIBODY_POLLREQ) { |
664 | 122 | if (srv_ctx->process_pollReq == NULL) |
665 | 122 | ERR_raise(ERR_LIB_CMP, CMP_R_UNSUPPORTED_PKIBODY); |
666 | 122 | else |
667 | 122 | rsp = process_pollReq(srv_ctx, req); |
668 | 10.6k | } else { |
669 | 10.6k | if (srv_ctx->delayed_delivery != NULL |
670 | 10.6k | && (rsp = delayed_delivery(srv_ctx, req)) != NULL) { |
671 | 0 | goto err; |
672 | 0 | } |
673 | 10.6k | rsp = process_non_polling_request(srv_ctx, req); |
674 | 10.6k | } |
675 | | |
676 | 32.2k | err: |
677 | 32.2k | if (rsp == NULL) { |
678 | | /* on error, try to respond with CMP error message to client */ |
679 | 32.2k | const char *data = NULL, *reason = NULL; |
680 | 32.2k | int flags = 0; |
681 | 32.2k | unsigned long err = ERR_peek_error_data(&data, &flags); |
682 | 32.2k | int fail_info = 1 << OSSL_CMP_PKIFAILUREINFO_badRequest; |
683 | | /* fail_info is not very specific */ |
684 | 32.2k | OSSL_CMP_PKISI *si = NULL; |
685 | | |
686 | 32.2k | if (!req_verified) { |
687 | | /* |
688 | | * Above ossl_cmp_msg_check_update() was not successfully executed, |
689 | | * which normally would set ctx->transactionID and ctx->recipNonce. |
690 | | * So anyway try to provide the right transactionID and recipNonce, |
691 | | * while ignoring any (extra) error in next two function calls. |
692 | | */ |
693 | 21.4k | if (ctx->transactionID == NULL) |
694 | 21.4k | (void)OSSL_CMP_CTX_set1_transactionID(ctx, hdr->transactionID); |
695 | 21.4k | (void)ossl_cmp_ctx_set1_recipNonce(ctx, hdr->senderNonce); |
696 | 21.4k | } |
697 | | |
698 | 32.2k | if ((flags & ERR_TXT_STRING) == 0 || *data == '\0') |
699 | 29.5k | data = NULL; |
700 | 32.2k | reason = ERR_reason_error_string(err); |
701 | 32.2k | if ((si = OSSL_CMP_STATUSINFO_new(OSSL_CMP_PKISTATUS_rejection, |
702 | 32.2k | fail_info, reason)) |
703 | 32.2k | != NULL) { |
704 | 32.2k | rsp = ossl_cmp_error_new(srv_ctx->ctx, si, err, |
705 | 32.2k | data, srv_ctx->sendUnprotectedErrors); |
706 | 32.2k | OSSL_CMP_PKISI_free(si); |
707 | 32.2k | } |
708 | 32.2k | } |
709 | 32.2k | OSSL_CMP_CTX_print_errors(ctx); |
710 | 32.2k | ctx->secretValue = backup_secret; |
711 | | |
712 | 32.2k | rsp_type = rsp != NULL ? OSSL_CMP_MSG_get_bodytype(rsp) : OSSL_CMP_PKIBODY_ERROR; |
713 | 32.2k | if (rsp != NULL) |
714 | 0 | ossl_cmp_log1(DEBUG, ctx, |
715 | 32.2k | "sending %s", ossl_cmp_bodytype_to_string(rsp_type)); |
716 | 32.2k | else |
717 | 32.2k | ossl_cmp_log(ERR, ctx, "cannot send proper CMP response"); |
718 | | |
719 | | /* determine whether to keep the transaction open or not */ |
720 | 32.2k | ctx->status = OSSL_CMP_PKISTATUS_trans; |
721 | 32.2k | switch (rsp_type) { |
722 | 0 | case OSSL_CMP_PKIBODY_IP: |
723 | 0 | case OSSL_CMP_PKIBODY_CP: |
724 | 0 | case OSSL_CMP_PKIBODY_KUP: |
725 | 0 | if (OSSL_CMP_CTX_get_option(ctx, OSSL_CMP_OPT_IMPLICIT_CONFIRM) == 0) |
726 | 0 | break; |
727 | | /* fall through */ |
728 | | |
729 | 32.2k | case OSSL_CMP_PKIBODY_ERROR: |
730 | 32.2k | if (rsp != NULL && ossl_cmp_is_error_with_waiting(rsp)) |
731 | 0 | break; |
732 | | /* fall through */ |
733 | | |
734 | 32.2k | case OSSL_CMP_PKIBODY_RP: |
735 | 32.2k | case OSSL_CMP_PKIBODY_PKICONF: |
736 | 32.2k | case OSSL_CMP_PKIBODY_GENP: |
737 | | /* Other terminating response message types are not supported */ |
738 | 32.2k | srv_ctx->certReqId = OSSL_CMP_CERTREQID_INVALID; |
739 | | /* Prepare for next transaction, ignoring any errors here: */ |
740 | 32.2k | if (srv_ctx->clean_transaction != NULL) |
741 | 32.2k | (void)srv_ctx->clean_transaction(srv_ctx, ctx->transactionID); |
742 | 32.2k | (void)OSSL_CMP_CTX_set1_transactionID(ctx, NULL); |
743 | 32.2k | (void)OSSL_CMP_CTX_set1_senderNonce(ctx, NULL); |
744 | 32.2k | ctx->status = OSSL_CMP_PKISTATUS_unspecified; /* transaction closed */ |
745 | | |
746 | 32.2k | default: /* not closing transaction in other cases */ |
747 | 32.2k | break; |
748 | 32.2k | } |
749 | 32.2k | return rsp; |
750 | 32.2k | } |
751 | | |
752 | | /* |
753 | | * Server interface that may substitute OSSL_CMP_MSG_http_perform at the client. |
754 | | * The OSSL_CMP_SRV_CTX must be set as client_ctx->transfer_cb_arg. |
755 | | * returns received message on success, else NULL and pushes an element on the |
756 | | * error stack. |
757 | | */ |
758 | | OSSL_CMP_MSG *OSSL_CMP_CTX_server_perform(OSSL_CMP_CTX *client_ctx, |
759 | | const OSSL_CMP_MSG *req) |
760 | 0 | { |
761 | 0 | OSSL_CMP_SRV_CTX *srv_ctx = NULL; |
762 | |
|
763 | 0 | if (client_ctx == NULL || req == NULL) { |
764 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); |
765 | 0 | return NULL; |
766 | 0 | } |
767 | | |
768 | 0 | if ((srv_ctx = OSSL_CMP_CTX_get_transfer_cb_arg(client_ctx)) == NULL) { |
769 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_TRANSFER_ERROR); |
770 | 0 | return NULL; |
771 | 0 | } |
772 | | |
773 | 0 | return OSSL_CMP_SRV_process_request(srv_ctx, req); |
774 | 0 | } |