/src/openssl35/crypto/cmp/cmp_client.c
Line | Count | Source |
1 | | /* |
2 | | * Copyright 2007-2025 The OpenSSL Project Authors. All Rights Reserved. |
3 | | * Copyright Nokia 2007-2019 |
4 | | * Copyright Siemens AG 2015-2019 |
5 | | * |
6 | | * Licensed under the Apache License 2.0 (the "License"). You may not use |
7 | | * this file except in compliance with the License. You can obtain a copy |
8 | | * in the file LICENSE in the source distribution or at |
9 | | * https://www.openssl.org/source/license.html |
10 | | */ |
11 | | |
12 | | #include "cmp_local.h" |
13 | | #include "internal/cryptlib.h" |
14 | | |
15 | | /* explicit #includes not strictly needed since implied by the above: */ |
16 | | #include <openssl/bio.h> |
17 | | #include <openssl/cmp.h> |
18 | | #include <openssl/err.h> |
19 | | #include <openssl/evp.h> |
20 | | #include <openssl/x509v3.h> |
21 | | #include <openssl/cmp_util.h> |
22 | | |
23 | 0 | #define IS_CREP(t) ((t) == OSSL_CMP_PKIBODY_IP || (t) == OSSL_CMP_PKIBODY_CP \ |
24 | 0 | || (t) == OSSL_CMP_PKIBODY_KUP) |
25 | | |
26 | | /*- |
27 | | * Evaluate whether there's an exception (violating the standard) configured for |
28 | | * handling negative responses without protection or with invalid protection. |
29 | | * Returns 1 on acceptance, 0 on rejection, or -1 on (internal) error. |
30 | | */ |
31 | | static int unprotected_exception(const OSSL_CMP_CTX *ctx, |
32 | | const OSSL_CMP_MSG *rep, |
33 | | int invalid_protection, |
34 | | ossl_unused int expected_type) |
35 | 0 | { |
36 | 0 | int rcvd_type = OSSL_CMP_MSG_get_bodytype(rep /* may be NULL */); |
37 | 0 | const char *msg_type = NULL; |
38 | |
|
39 | 0 | if (!ossl_assert(ctx != NULL && rep != NULL)) |
40 | 0 | return -1; |
41 | | |
42 | 0 | if (!ctx->unprotectedErrors) |
43 | 0 | return 0; |
44 | | |
45 | 0 | switch (rcvd_type) { |
46 | 0 | case OSSL_CMP_PKIBODY_ERROR: |
47 | 0 | msg_type = "error response"; |
48 | 0 | break; |
49 | 0 | case OSSL_CMP_PKIBODY_RP: { |
50 | 0 | OSSL_CMP_PKISI *si = ossl_cmp_revrepcontent_get_pkisi(rep->body->value.rp, |
51 | 0 | OSSL_CMP_REVREQSID); |
52 | |
|
53 | 0 | if (si == NULL) |
54 | 0 | return -1; |
55 | 0 | if (ossl_cmp_pkisi_get_status(si) == OSSL_CMP_PKISTATUS_rejection) |
56 | 0 | msg_type = "revocation response message with rejection status"; |
57 | 0 | break; |
58 | 0 | } |
59 | 0 | case OSSL_CMP_PKIBODY_PKICONF: |
60 | 0 | msg_type = "PKI Confirmation message"; |
61 | 0 | break; |
62 | 0 | default: |
63 | 0 | if (IS_CREP(rcvd_type)) { |
64 | 0 | int any_rid = OSSL_CMP_CERTREQID_NONE; |
65 | 0 | OSSL_CMP_CERTREPMESSAGE *crepmsg = rep->body->value.ip; |
66 | 0 | OSSL_CMP_CERTRESPONSE *crep = ossl_cmp_certrepmessage_get0_certresponse(crepmsg, any_rid); |
67 | |
|
68 | 0 | if (sk_OSSL_CMP_CERTRESPONSE_num(crepmsg->response) > 1) |
69 | 0 | return -1; |
70 | 0 | if (crep == NULL) |
71 | 0 | return -1; |
72 | 0 | if (ossl_cmp_pkisi_get_status(crep->status) |
73 | 0 | == OSSL_CMP_PKISTATUS_rejection) |
74 | 0 | msg_type = "CertRepMessage with rejection status"; |
75 | 0 | } |
76 | 0 | } |
77 | 0 | if (msg_type == NULL) |
78 | 0 | return 0; |
79 | 0 | ossl_cmp_log2(WARN, ctx, "ignoring %s protection of %s", |
80 | 0 | invalid_protection ? "invalid" : "missing", msg_type); |
81 | 0 | return 1; |
82 | 0 | } |
83 | | |
84 | | /* Save error info from PKIStatusInfo field of a certresponse into ctx */ |
85 | | static int save_statusInfo(OSSL_CMP_CTX *ctx, OSSL_CMP_PKISI *si) |
86 | 0 | { |
87 | 0 | int i; |
88 | 0 | OSSL_CMP_PKIFREETEXT *ss; |
89 | |
|
90 | 0 | if (!ossl_assert(ctx != NULL && si != NULL)) |
91 | 0 | return 0; |
92 | | |
93 | 0 | ctx->status = ossl_cmp_pkisi_get_status(si); |
94 | 0 | if (ctx->status < OSSL_CMP_PKISTATUS_accepted) |
95 | 0 | return 0; |
96 | | |
97 | 0 | ctx->failInfoCode = ossl_cmp_pkisi_get_pkifailureinfo(si); |
98 | |
|
99 | 0 | if (!ossl_cmp_ctx_set0_statusString(ctx, sk_ASN1_UTF8STRING_new_null()) |
100 | 0 | || (ctx->statusString == NULL)) |
101 | 0 | return 0; |
102 | | |
103 | 0 | ss = si->statusString; /* may be NULL */ |
104 | 0 | for (i = 0; i < sk_ASN1_UTF8STRING_num(ss); i++) { |
105 | 0 | ASN1_UTF8STRING *str = sk_ASN1_UTF8STRING_value(ss, i); |
106 | 0 | ASN1_UTF8STRING *dup = ASN1_STRING_dup(str); |
107 | |
|
108 | 0 | if (dup == NULL || !sk_ASN1_UTF8STRING_push(ctx->statusString, dup)) { |
109 | 0 | ASN1_UTF8STRING_free(dup); |
110 | 0 | return 0; |
111 | 0 | } |
112 | 0 | } |
113 | 0 | return 1; |
114 | 0 | } |
115 | | |
116 | | static int is_crep_with_waiting(const OSSL_CMP_MSG *resp, int rid) |
117 | 0 | { |
118 | 0 | OSSL_CMP_CERTREPMESSAGE *crepmsg; |
119 | 0 | OSSL_CMP_CERTRESPONSE *crep; |
120 | 0 | int bt = OSSL_CMP_MSG_get_bodytype(resp); |
121 | |
|
122 | 0 | if (!IS_CREP(bt)) |
123 | 0 | return 0; |
124 | | |
125 | 0 | crepmsg = resp->body->value.ip; /* same for cp and kup */ |
126 | 0 | crep = ossl_cmp_certrepmessage_get0_certresponse(crepmsg, rid); |
127 | |
|
128 | 0 | return (crep != NULL |
129 | 0 | && ossl_cmp_pkisi_get_status(crep->status) |
130 | 0 | == OSSL_CMP_PKISTATUS_waiting); |
131 | 0 | } |
132 | | |
133 | | /*- |
134 | | * Perform the generic aspects of sending a request and receiving a response. |
135 | | * Returns 1 on success and provides the received PKIMESSAGE in *rep. |
136 | | * Returns 0 on error. |
137 | | * Regardless of success, caller is responsible for freeing *rep (unless NULL). |
138 | | */ |
139 | | static int send_receive_check(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *req, |
140 | | OSSL_CMP_MSG **rep, int expected_type) |
141 | 0 | { |
142 | 0 | int begin_transaction = expected_type != OSSL_CMP_PKIBODY_POLLREP |
143 | 0 | && expected_type != OSSL_CMP_PKIBODY_PKICONF; |
144 | 0 | const char *req_type_str = ossl_cmp_bodytype_to_string(OSSL_CMP_MSG_get_bodytype(req)); |
145 | 0 | const char *expected_type_str = ossl_cmp_bodytype_to_string(expected_type); |
146 | 0 | int bak_msg_timeout = ctx->msg_timeout; |
147 | 0 | int bt; |
148 | 0 | time_t now = time(NULL); |
149 | 0 | int time_left; |
150 | 0 | OSSL_CMP_transfer_cb_t transfer_cb = ctx->transfer_cb; |
151 | |
|
152 | 0 | ctx->status = OSSL_CMP_PKISTATUS_trans; |
153 | 0 | #ifndef OPENSSL_NO_HTTP |
154 | 0 | if (transfer_cb == NULL) |
155 | 0 | transfer_cb = OSSL_CMP_MSG_http_perform; |
156 | 0 | #endif |
157 | 0 | *rep = NULL; |
158 | |
|
159 | 0 | if (ctx->total_timeout != 0 /* not waiting indefinitely */) { |
160 | 0 | if (begin_transaction) |
161 | 0 | ctx->end_time = now + ctx->total_timeout; |
162 | 0 | if (now >= ctx->end_time) { |
163 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_TOTAL_TIMEOUT); |
164 | 0 | return 0; |
165 | 0 | } |
166 | 0 | if (!ossl_assert(ctx->end_time - now < INT_MAX)) { |
167 | | /* actually cannot happen due to assignment in initial_certreq() */ |
168 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS); |
169 | 0 | return 0; |
170 | 0 | } |
171 | 0 | time_left = (int)(ctx->end_time - now); |
172 | 0 | if (ctx->msg_timeout == 0 || time_left < ctx->msg_timeout) |
173 | 0 | ctx->msg_timeout = time_left; |
174 | 0 | } |
175 | | |
176 | | /* should print error queue since transfer_cb may call ERR_clear_error() */ |
177 | 0 | OSSL_CMP_CTX_print_errors(ctx); |
178 | |
|
179 | 0 | if (ctx->server != NULL || ctx->transfer_cb != NULL) |
180 | 0 | ossl_cmp_log1(INFO, ctx, "sending %s", req_type_str); |
181 | |
|
182 | 0 | *rep = (*transfer_cb)(ctx, req); |
183 | 0 | ctx->msg_timeout = bak_msg_timeout; |
184 | |
|
185 | 0 | if (*rep == NULL) { |
186 | 0 | ERR_raise_data(ERR_LIB_CMP, |
187 | 0 | ctx->total_timeout != 0 && time(NULL) >= ctx->end_time ? CMP_R_TOTAL_TIMEOUT : CMP_R_TRANSFER_ERROR, |
188 | 0 | "request sent: %s, expected response: %s", |
189 | 0 | req_type_str, expected_type_str); |
190 | 0 | return 0; |
191 | 0 | } |
192 | | |
193 | 0 | ctx->status = OSSL_CMP_PKISTATUS_checking_response; |
194 | 0 | bt = OSSL_CMP_MSG_get_bodytype(*rep); |
195 | | /* |
196 | | * The body type in the 'bt' variable is not yet verified. |
197 | | * Still we use this preliminary value already for a progress report because |
198 | | * the following msg verification may also produce log entries and may fail. |
199 | | */ |
200 | 0 | ossl_cmp_log2(INFO, ctx, "received %s%s", ossl_cmp_bodytype_to_string(bt), |
201 | 0 | ossl_cmp_is_error_with_waiting(*rep) ? " (waiting)" : ""); |
202 | | |
203 | | /* copy received extraCerts to ctx->extraCertsIn so they can be retrieved */ |
204 | 0 | if (bt != OSSL_CMP_PKIBODY_POLLREP && bt != OSSL_CMP_PKIBODY_PKICONF |
205 | 0 | && !ossl_cmp_ctx_set1_extraCertsIn(ctx, (*rep)->extraCerts)) |
206 | 0 | return 0; |
207 | | |
208 | 0 | if (!ossl_cmp_msg_check_update(ctx, *rep, unprotected_exception, |
209 | 0 | expected_type)) |
210 | 0 | return 0; |
211 | | |
212 | | /* |
213 | | * rep can have the expected response type, which during polling is pollRep. |
214 | | * When polling, also any other non-error response (the final response) |
215 | | * is fine here. When not yet polling, delayed delivery may be initiated |
216 | | * by the server returning an error message with 'waiting' status (or a |
217 | | * response message of expected type ip/cp/kup with 'waiting' status). |
218 | | */ |
219 | 0 | if (bt == expected_type |
220 | 0 | || (expected_type == OSSL_CMP_PKIBODY_POLLREP |
221 | 0 | ? bt != OSSL_CMP_PKIBODY_ERROR |
222 | 0 | : ossl_cmp_is_error_with_waiting(*rep))) |
223 | 0 | return 1; |
224 | | |
225 | | /* received message type is not one of the expected ones (e.g., error) */ |
226 | 0 | ERR_raise(ERR_LIB_CMP, bt == OSSL_CMP_PKIBODY_ERROR ? CMP_R_RECEIVED_ERROR : CMP_R_UNEXPECTED_PKIBODY); /* in next line for mkerr.pl */ |
227 | |
|
228 | 0 | if (bt != OSSL_CMP_PKIBODY_ERROR) { |
229 | 0 | ERR_add_error_data(3, "message type is '", |
230 | 0 | ossl_cmp_bodytype_to_string(bt), "'"); |
231 | 0 | } else { |
232 | 0 | OSSL_CMP_ERRORMSGCONTENT *emc = (*rep)->body->value.error; |
233 | 0 | OSSL_CMP_PKISI *si = emc->pKIStatusInfo; |
234 | 0 | char buf[OSSL_CMP_PKISI_BUFLEN]; |
235 | |
|
236 | 0 | if (save_statusInfo(ctx, si) |
237 | 0 | && OSSL_CMP_CTX_snprint_PKIStatus(ctx, buf, |
238 | 0 | sizeof(buf)) |
239 | 0 | != NULL) |
240 | 0 | ERR_add_error_data(1, buf); |
241 | 0 | if (emc->errorCode != NULL |
242 | 0 | && BIO_snprintf(buf, sizeof(buf), "; errorCode: %08lX", |
243 | 0 | ASN1_INTEGER_get(emc->errorCode)) |
244 | 0 | > 0) |
245 | 0 | ERR_add_error_data(1, buf); |
246 | 0 | if (emc->errorDetails != NULL) { |
247 | 0 | char *text = ossl_sk_ASN1_UTF8STRING2text(emc->errorDetails, ", ", |
248 | 0 | OSSL_CMP_PKISI_BUFLEN - 1); |
249 | |
|
250 | 0 | if (text != NULL && *text != '\0') |
251 | 0 | ERR_add_error_data(2, "; errorDetails: ", text); |
252 | 0 | OPENSSL_free(text); |
253 | 0 | } |
254 | 0 | if (ctx->status != OSSL_CMP_PKISTATUS_rejection) { |
255 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKISTATUS); |
256 | 0 | if (ctx->status == OSSL_CMP_PKISTATUS_waiting) |
257 | 0 | ctx->status = OSSL_CMP_PKISTATUS_rejection; |
258 | 0 | } |
259 | 0 | } |
260 | 0 | return 0; |
261 | 0 | } |
262 | | |
263 | | /*- |
264 | | * When a 'waiting' PKIStatus has been received, this function is used to |
265 | | * poll, which should yield a pollRep or the final response. |
266 | | * On receiving a pollRep, which includes a checkAfter value, it return this |
267 | | * value if sleep == 0, else it sleeps as long as indicated and retries. |
268 | | * |
269 | | * A transaction timeout is enabled if ctx->total_timeout is != 0. |
270 | | * In this case polling will continue until the timeout is reached and then |
271 | | * polling is done a last time even if this is before the "checkAfter" time. |
272 | | * |
273 | | * Returns -1 on receiving pollRep if sleep == 0, setting the checkAfter value. |
274 | | * Returns 1 on success and provides the received PKIMESSAGE in *rep. |
275 | | * In this case the caller is responsible for freeing *rep. |
276 | | * Returns 0 on error (which includes the cases that timeout has been reached |
277 | | * or a response with 'waiting' status has been received). |
278 | | */ |
279 | | static int poll_for_response(OSSL_CMP_CTX *ctx, int sleep, int rid, |
280 | | OSSL_CMP_MSG **rep, int *checkAfter) |
281 | 186 | { |
282 | 186 | OSSL_CMP_MSG *preq = NULL; |
283 | 186 | OSSL_CMP_MSG *prep = NULL; |
284 | | |
285 | 186 | ossl_cmp_info(ctx, |
286 | 186 | "received 'waiting' PKIStatus, starting to poll for response"); |
287 | 186 | *rep = NULL; |
288 | 186 | for (;;) { |
289 | 186 | int bak = ctx->status; |
290 | | |
291 | 186 | ctx->status = OSSL_CMP_PKISTATUS_request; |
292 | 186 | if ((preq = ossl_cmp_pollReq_new(ctx, rid)) == NULL) |
293 | 186 | goto err; |
294 | | |
295 | 0 | if (!send_receive_check(ctx, preq, &prep, OSSL_CMP_PKIBODY_POLLREP)) |
296 | 0 | goto err; |
297 | 0 | ctx->status = bak; |
298 | | |
299 | | /* handle potential pollRep */ |
300 | 0 | if (OSSL_CMP_MSG_get_bodytype(prep) == OSSL_CMP_PKIBODY_POLLREP) { |
301 | 0 | OSSL_CMP_POLLREPCONTENT *prc = prep->body->value.pollRep; |
302 | 0 | OSSL_CMP_POLLREP *pollRep = NULL; |
303 | 0 | int64_t check_after; |
304 | 0 | char str[OSSL_CMP_PKISI_BUFLEN]; |
305 | 0 | int len; |
306 | |
|
307 | 0 | if (sk_OSSL_CMP_POLLREP_num(prc) > 1) { |
308 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_MULTIPLE_RESPONSES_NOT_SUPPORTED); |
309 | 0 | goto err; |
310 | 0 | } |
311 | 0 | pollRep = ossl_cmp_pollrepcontent_get0_pollrep(prc, rid); |
312 | 0 | if (pollRep == NULL) |
313 | 0 | goto err; |
314 | | |
315 | 0 | if (!ASN1_INTEGER_get_int64(&check_after, pollRep->checkAfter)) { |
316 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_BAD_CHECKAFTER_IN_POLLREP); |
317 | 0 | goto err; |
318 | 0 | } |
319 | 0 | if (check_after < 0 || (uint64_t)check_after > (sleep ? ULONG_MAX / 1000 : INT_MAX)) { |
320 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_CHECKAFTER_OUT_OF_RANGE); |
321 | 0 | if (BIO_snprintf(str, OSSL_CMP_PKISI_BUFLEN, "value = %jd", |
322 | 0 | check_after) |
323 | 0 | >= 0) |
324 | 0 | ERR_add_error_data(1, str); |
325 | 0 | goto err; |
326 | 0 | } |
327 | | |
328 | 0 | if (pollRep->reason == NULL |
329 | 0 | || (len = BIO_snprintf(str, OSSL_CMP_PKISI_BUFLEN, |
330 | 0 | " with reason = '")) |
331 | 0 | < 0) { |
332 | 0 | *str = '\0'; |
333 | 0 | } else { |
334 | 0 | char *text = ossl_sk_ASN1_UTF8STRING2text(pollRep->reason, ", ", |
335 | 0 | sizeof(str) - len - 2); |
336 | |
|
337 | 0 | if (text == NULL |
338 | 0 | || BIO_snprintf(str + len, sizeof(str) - len, |
339 | 0 | "%s'", text) |
340 | 0 | < 0) |
341 | 0 | *str = '\0'; |
342 | 0 | OPENSSL_free(text); |
343 | 0 | } |
344 | 0 | ossl_cmp_log2(INFO, ctx, |
345 | 0 | "received polling response%s; checkAfter = %ld seconds", |
346 | 0 | str, check_after); |
347 | |
|
348 | 0 | if (ctx->total_timeout != 0) { /* timeout is not infinite */ |
349 | 0 | const int exp = OSSL_CMP_EXPECTED_RESP_TIME; |
350 | 0 | int64_t time_left = (int64_t)(ctx->end_time - exp - time(NULL)); |
351 | |
|
352 | 0 | if (time_left <= 0) { |
353 | 0 | ctx->status = OSSL_CMP_PKISTATUS_trans; |
354 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_TOTAL_TIMEOUT); |
355 | 0 | goto err; |
356 | 0 | } |
357 | 0 | if (time_left < check_after) |
358 | 0 | check_after = time_left; |
359 | | /* poll one last time just when timeout was reached */ |
360 | 0 | } |
361 | | |
362 | 0 | OSSL_CMP_MSG_free(preq); |
363 | 0 | preq = NULL; |
364 | 0 | OSSL_CMP_MSG_free(prep); |
365 | 0 | prep = NULL; |
366 | 0 | if (sleep) { |
367 | 0 | OSSL_sleep((unsigned long)(1000 * check_after)); |
368 | 0 | } else { |
369 | 0 | if (checkAfter != NULL) |
370 | 0 | *checkAfter = (int)check_after; |
371 | 0 | return -1; /* exits the loop */ |
372 | 0 | } |
373 | 0 | } else if (is_crep_with_waiting(prep, rid) |
374 | 0 | || ossl_cmp_is_error_with_waiting(prep)) { |
375 | | /* received status must not be 'waiting' */ |
376 | 0 | (void)ossl_cmp_exchange_error(ctx, OSSL_CMP_PKISTATUS_rejection, |
377 | 0 | OSSL_CMP_CTX_FAILINFO_badRequest, |
378 | 0 | "polling already started", |
379 | 0 | 0 /* errorCode */, NULL); |
380 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKISTATUS); |
381 | 0 | goto err; |
382 | 0 | } else { |
383 | 0 | ossl_cmp_info(ctx, "received final response after polling"); |
384 | 0 | if (!ossl_cmp_ctx_set1_first_senderNonce(ctx, NULL)) |
385 | 0 | goto err; |
386 | 0 | break; |
387 | 0 | } |
388 | 0 | } |
389 | 0 | if (prep == NULL) |
390 | 0 | goto err; |
391 | | |
392 | 0 | OSSL_CMP_MSG_free(preq); |
393 | 0 | *rep = prep; |
394 | |
|
395 | 0 | return 1; |
396 | 186 | err: |
397 | 186 | (void)ossl_cmp_ctx_set1_first_senderNonce(ctx, NULL); |
398 | 186 | OSSL_CMP_MSG_free(preq); |
399 | 186 | OSSL_CMP_MSG_free(prep); |
400 | 186 | return 0; |
401 | 0 | } |
402 | | |
403 | | static int save_senderNonce_if_waiting(OSSL_CMP_CTX *ctx, |
404 | | const OSSL_CMP_MSG *rep, int rid) |
405 | 0 | { |
406 | | /* |
407 | | * Lightweight CMP Profile section 4.4 states: the senderNonce of the |
408 | | * preceding request message because this value will be needed for checking |
409 | | * the recipNonce of the final response to be received after polling. |
410 | | */ |
411 | 0 | if ((is_crep_with_waiting(rep, rid) |
412 | 0 | || ossl_cmp_is_error_with_waiting(rep)) |
413 | 0 | && !ossl_cmp_ctx_set1_first_senderNonce(ctx, ctx->senderNonce)) |
414 | 0 | return 0; |
415 | | |
416 | 0 | return 1; |
417 | 0 | } |
418 | | |
419 | | /* |
420 | | * Send request and get response possibly with polling initiated by error msg. |
421 | | * Polling for ip/cp/kup/ with 'waiting' status is handled by cert_response(). |
422 | | */ |
423 | | static int send_receive_also_delayed(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *req, |
424 | | OSSL_CMP_MSG **rep, int expected_type) |
425 | 0 | { |
426 | |
|
427 | 0 | if (!send_receive_check(ctx, req, rep, expected_type)) |
428 | 0 | return 0; |
429 | | |
430 | 0 | if (ossl_cmp_is_error_with_waiting(*rep)) { |
431 | 0 | if (!save_senderNonce_if_waiting(ctx, *rep, OSSL_CMP_CERTREQID_NONE)) |
432 | 0 | return 0; |
433 | | /* not modifying ctx->status during certConf and error exchanges */ |
434 | 0 | if (expected_type != OSSL_CMP_PKIBODY_PKICONF |
435 | 0 | && !save_statusInfo(ctx, (*rep)->body->value.error->pKIStatusInfo)) |
436 | 0 | return 0; |
437 | | |
438 | 0 | OSSL_CMP_MSG_free(*rep); |
439 | 0 | *rep = NULL; |
440 | |
|
441 | 0 | if (poll_for_response(ctx, 1 /* can sleep */, OSSL_CMP_CERTREQID_NONE, |
442 | 0 | rep, NULL /* checkAfter */) |
443 | 0 | <= 0) { |
444 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_POLLING_FAILED); |
445 | 0 | return 0; |
446 | 0 | } |
447 | 0 | } |
448 | 0 | if (OSSL_CMP_MSG_get_bodytype(*rep) != expected_type) { |
449 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY); |
450 | 0 | return 0; |
451 | 0 | } |
452 | | |
453 | 0 | return 1; |
454 | 0 | } |
455 | | /* |
456 | | * Send certConf for IR, CR or KUR sequences and check response, |
457 | | * not modifying ctx->status during the certConf exchange |
458 | | */ |
459 | | int ossl_cmp_exchange_certConf(OSSL_CMP_CTX *ctx, int certReqId, |
460 | | int fail_info, const char *txt) |
461 | 0 | { |
462 | 0 | OSSL_CMP_MSG *certConf; |
463 | 0 | OSSL_CMP_MSG *PKIconf = NULL; |
464 | 0 | int res = 0; |
465 | 0 | int bak = ctx->status; |
466 | |
|
467 | 0 | ctx->status = OSSL_CMP_PKISTATUS_request; |
468 | | /* OSSL_CMP_certConf_new() also checks if all necessary options are set */ |
469 | 0 | certConf = ossl_cmp_certConf_new(ctx, certReqId, fail_info, txt); |
470 | 0 | if (certConf == NULL) |
471 | 0 | goto err; |
472 | | |
473 | 0 | res = send_receive_also_delayed(ctx, certConf, &PKIconf, |
474 | 0 | OSSL_CMP_PKIBODY_PKICONF); |
475 | |
|
476 | 0 | if (res) |
477 | 0 | ctx->status = bak; |
478 | |
|
479 | 0 | err: |
480 | 0 | OSSL_CMP_MSG_free(certConf); |
481 | 0 | OSSL_CMP_MSG_free(PKIconf); |
482 | 0 | return res; |
483 | 0 | } |
484 | | |
485 | | /* Send given error and check response */ |
486 | | int ossl_cmp_exchange_error(OSSL_CMP_CTX *ctx, int status, int fail_info, |
487 | | const char *txt, int errorCode, const char *details) |
488 | 0 | { |
489 | 0 | OSSL_CMP_MSG *error = NULL; |
490 | 0 | OSSL_CMP_PKISI *si = NULL; |
491 | 0 | OSSL_CMP_MSG *PKIconf = NULL; |
492 | 0 | int res = 0; |
493 | |
|
494 | 0 | ctx->status = OSSL_CMP_PKISTATUS_request; |
495 | | /* not overwriting ctx->status on error exchange */ |
496 | 0 | if ((si = OSSL_CMP_STATUSINFO_new(status, fail_info, txt)) == NULL) |
497 | 0 | goto err; |
498 | | /* ossl_cmp_error_new() also checks if all necessary options are set */ |
499 | 0 | if ((error = ossl_cmp_error_new(ctx, si, errorCode, details, 0)) == NULL) |
500 | 0 | goto err; |
501 | | |
502 | 0 | res = send_receive_also_delayed(ctx, error, |
503 | 0 | &PKIconf, OSSL_CMP_PKIBODY_PKICONF); |
504 | 0 | ctx->status = OSSL_CMP_PKISTATUS_rejected_by_client; |
505 | |
|
506 | 0 | err: |
507 | 0 | OSSL_CMP_MSG_free(error); |
508 | 0 | OSSL_CMP_PKISI_free(si); |
509 | 0 | OSSL_CMP_MSG_free(PKIconf); |
510 | 0 | return res; |
511 | 0 | } |
512 | | |
513 | | /*- |
514 | | * Retrieve a copy of the certificate, if any, from the given CertResponse. |
515 | | * Take into account PKIStatusInfo of CertResponse in ctx, report it on error. |
516 | | * Returns NULL if not found or on error. |
517 | | */ |
518 | | static X509 *get1_cert_status(OSSL_CMP_CTX *ctx, int bodytype, |
519 | | OSSL_CMP_CERTRESPONSE *crep) |
520 | 0 | { |
521 | 0 | char buf[OSSL_CMP_PKISI_BUFLEN]; |
522 | 0 | X509 *crt = NULL; |
523 | |
|
524 | 0 | if (!ossl_assert(ctx != NULL && crep != NULL)) |
525 | 0 | return NULL; |
526 | | |
527 | 0 | switch (ossl_cmp_pkisi_get_status(crep->status)) { |
528 | 0 | case OSSL_CMP_PKISTATUS_waiting: |
529 | 0 | ossl_cmp_err(ctx, |
530 | 0 | "received \"waiting\" status for cert when actually aiming to extract cert"); |
531 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_ENCOUNTERED_WAITING); |
532 | 0 | goto err; |
533 | 0 | case OSSL_CMP_PKISTATUS_grantedWithMods: |
534 | 0 | ossl_cmp_warn(ctx, "received \"grantedWithMods\" for certificate"); |
535 | 0 | break; |
536 | 0 | case OSSL_CMP_PKISTATUS_accepted: |
537 | 0 | break; |
538 | | /* get all information in case of a rejection before going to error */ |
539 | 0 | case OSSL_CMP_PKISTATUS_rejection: |
540 | 0 | ossl_cmp_err(ctx, "received \"rejection\" status rather than cert"); |
541 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_REQUEST_REJECTED_BY_SERVER); |
542 | 0 | goto err; |
543 | 0 | case OSSL_CMP_PKISTATUS_revocationWarning: |
544 | 0 | ossl_cmp_warn(ctx, |
545 | 0 | "received \"revocationWarning\" - a revocation of the cert is imminent"); |
546 | 0 | break; |
547 | 0 | case OSSL_CMP_PKISTATUS_revocationNotification: |
548 | 0 | ossl_cmp_warn(ctx, |
549 | 0 | "received \"revocationNotification\" - a revocation of the cert has occurred"); |
550 | 0 | break; |
551 | 0 | case OSSL_CMP_PKISTATUS_keyUpdateWarning: |
552 | 0 | if (bodytype != OSSL_CMP_PKIBODY_KUR) { |
553 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_ENCOUNTERED_KEYUPDATEWARNING); |
554 | 0 | goto err; |
555 | 0 | } |
556 | 0 | break; |
557 | 0 | default: |
558 | 0 | ossl_cmp_log1(ERROR, ctx, |
559 | 0 | "received unsupported PKIStatus %d for certificate", |
560 | 0 | ctx->status); |
561 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_UNKNOWN_PKISTATUS); |
562 | 0 | goto err; |
563 | 0 | } |
564 | 0 | crt = ossl_cmp_certresponse_get1_cert(ctx, crep); |
565 | 0 | if (crt == NULL) /* according to PKIStatus, we can expect a cert */ |
566 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_CERTIFICATE_NOT_FOUND); |
567 | |
|
568 | 0 | return crt; |
569 | | |
570 | 0 | err: |
571 | 0 | if (OSSL_CMP_CTX_snprint_PKIStatus(ctx, buf, sizeof(buf)) != NULL) |
572 | 0 | ERR_add_error_data(1, buf); |
573 | 0 | return NULL; |
574 | 0 | } |
575 | | |
576 | | /*- |
577 | | * Callback fn validating that the new certificate can be verified, using |
578 | | * ctx->certConf_cb_arg, which has been initialized using opt_out_trusted, and |
579 | | * ctx->untrusted, which at this point already contains msg->extraCerts. |
580 | | * Returns 0 on acceptance, else a bit field reflecting PKIFailureInfo. |
581 | | * Quoting from RFC 9810 section 5.1. Overall PKI Message: |
582 | | * The extraCerts field can contain certificates that may be useful to |
583 | | * the recipient. For example, this can be used by a CA or RA to |
584 | | * present an end entity with certificates that it needs to verify its |
585 | | * own new certificate (for example, if the CA that issued the end |
586 | | * entity's certificate is not a root CA for the end entity). Note that |
587 | | * this field does not necessarily contain a certification path; the |
588 | | * recipient may have to sort, select from, or otherwise process the |
589 | | * extra certificates in order to use them. |
590 | | * Note: While often handy, there is no hard requirement by CMP that |
591 | | * an EE must be able to validate the certificates it gets enrolled. |
592 | | */ |
593 | | int OSSL_CMP_certConf_cb(OSSL_CMP_CTX *ctx, X509 *cert, int fail_info, |
594 | | const char **text) |
595 | 0 | { |
596 | 0 | X509_STORE *out_trusted = OSSL_CMP_CTX_get_certConf_cb_arg(ctx); |
597 | 0 | STACK_OF(X509) *chain = NULL; |
598 | |
|
599 | 0 | (void)text; /* make (artificial) use of var to prevent compiler warning */ |
600 | |
|
601 | 0 | if (fail_info != 0) /* accept any error flagged by CMP core library */ |
602 | 0 | return fail_info; |
603 | | |
604 | 0 | if (out_trusted == NULL) { |
605 | 0 | ossl_cmp_debug(ctx, "trying to build chain for newly enrolled cert"); |
606 | 0 | chain = X509_build_chain(cert, ctx->untrusted, out_trusted, |
607 | 0 | 0, ctx->libctx, ctx->propq); |
608 | 0 | } else { |
609 | 0 | X509_STORE_CTX *csc = X509_STORE_CTX_new_ex(ctx->libctx, ctx->propq); |
610 | |
|
611 | 0 | ossl_cmp_debug(ctx, "validating newly enrolled cert"); |
612 | 0 | if (csc == NULL) |
613 | 0 | goto err; |
614 | 0 | if (!X509_STORE_CTX_init(csc, out_trusted, cert, ctx->untrusted)) |
615 | 0 | goto err; |
616 | | /* disable any cert status/revocation checking etc. */ |
617 | 0 | X509_VERIFY_PARAM_clear_flags(X509_STORE_CTX_get0_param(csc), |
618 | 0 | ~(X509_V_FLAG_USE_CHECK_TIME |
619 | 0 | | X509_V_FLAG_NO_CHECK_TIME |
620 | 0 | | X509_V_FLAG_PARTIAL_CHAIN |
621 | 0 | | X509_V_FLAG_POLICY_CHECK)); |
622 | 0 | if (X509_verify_cert(csc) <= 0) |
623 | 0 | goto err; |
624 | | |
625 | 0 | if (!ossl_x509_add_certs_new(&chain, X509_STORE_CTX_get0_chain(csc), |
626 | 0 | X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP |
627 | 0 | | X509_ADD_FLAG_NO_SS)) { |
628 | 0 | sk_X509_free(chain); |
629 | 0 | chain = NULL; |
630 | 0 | } |
631 | 0 | err: |
632 | 0 | X509_STORE_CTX_free(csc); |
633 | 0 | } |
634 | | |
635 | 0 | if (sk_X509_num(chain) > 0) |
636 | 0 | X509_free(sk_X509_shift(chain)); /* remove leaf (EE) cert */ |
637 | 0 | if (out_trusted != NULL) { |
638 | 0 | if (chain == NULL) { |
639 | 0 | ossl_cmp_err(ctx, "failed to validate newly enrolled cert"); |
640 | 0 | fail_info = 1 << OSSL_CMP_PKIFAILUREINFO_incorrectData; |
641 | 0 | } else { |
642 | 0 | ossl_cmp_debug(ctx, |
643 | 0 | "success validating newly enrolled cert"); |
644 | 0 | } |
645 | 0 | } else if (chain == NULL) { |
646 | 0 | ossl_cmp_warn(ctx, "could not build approximate chain for newly enrolled cert, resorting to received extraCerts"); |
647 | 0 | chain = OSSL_CMP_CTX_get1_extraCertsIn(ctx); |
648 | 0 | } else { |
649 | 0 | ossl_cmp_debug(ctx, |
650 | 0 | "success building approximate chain for newly enrolled cert"); |
651 | 0 | } |
652 | 0 | (void)ossl_cmp_ctx_set1_newChain(ctx, chain); |
653 | 0 | OSSL_STACK_OF_X509_free(chain); |
654 | |
|
655 | 0 | return fail_info; |
656 | 0 | } |
657 | | |
658 | | /*- |
659 | | * Perform the generic handling of certificate responses for IR/CR/KUR/P10CR. |
660 | | * |rid| must be OSSL_CMP_CERTREQID_NONE if not available, namely for p10cr |
661 | | * Returns -1 on receiving pollRep if sleep == 0, setting the checkAfter value. |
662 | | * Returns 1 on success and provides the received PKIMESSAGE in *resp. |
663 | | * Returns 0 on error (which includes the case that timeout has been reached). |
664 | | * Regardless of success, caller is responsible for freeing *resp (unless NULL). |
665 | | */ |
666 | | static int cert_response(OSSL_CMP_CTX *ctx, int sleep, int rid, |
667 | | OSSL_CMP_MSG **resp, int *checkAfter, |
668 | | ossl_unused int req_type, |
669 | | ossl_unused int expected_type) |
670 | 0 | { |
671 | 0 | EVP_PKEY *rkey = NULL; |
672 | 0 | int fail_info = 0; /* no failure */ |
673 | 0 | const char *txt = NULL; |
674 | 0 | OSSL_CMP_CERTREPMESSAGE *crepmsg = NULL; |
675 | 0 | OSSL_CMP_CERTRESPONSE *crep = NULL; |
676 | 0 | OSSL_CMP_certConf_cb_t cb; |
677 | 0 | X509 *cert; |
678 | 0 | char *subj = NULL; |
679 | 0 | int ret = 1; |
680 | 0 | int rcvd_type; |
681 | 0 | OSSL_CMP_PKISI *si; |
682 | |
|
683 | 0 | if (!ossl_assert(ctx != NULL)) |
684 | 0 | return 0; |
685 | | |
686 | 0 | retry: |
687 | 0 | rcvd_type = OSSL_CMP_MSG_get_bodytype(*resp); |
688 | 0 | if (IS_CREP(rcvd_type)) { |
689 | 0 | crepmsg = (*resp)->body->value.ip; /* same for cp and kup */ |
690 | 0 | if (sk_OSSL_CMP_CERTRESPONSE_num(crepmsg->response) > 1) { |
691 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_MULTIPLE_RESPONSES_NOT_SUPPORTED); |
692 | 0 | return 0; |
693 | 0 | } |
694 | 0 | crep = ossl_cmp_certrepmessage_get0_certresponse(crepmsg, rid); |
695 | 0 | if (crep == NULL) |
696 | 0 | return 0; |
697 | 0 | si = crep->status; |
698 | |
|
699 | 0 | if (rid == OSSL_CMP_CERTREQID_NONE) { |
700 | | /* for OSSL_CMP_PKIBODY_P10CR learn CertReqId from response */ |
701 | 0 | rid = ossl_cmp_asn1_get_int(crep->certReqId); |
702 | 0 | if (rid < OSSL_CMP_CERTREQID_NONE) { |
703 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_BAD_REQUEST_ID); |
704 | 0 | return 0; |
705 | 0 | } |
706 | 0 | } |
707 | 0 | } else if (rcvd_type == OSSL_CMP_PKIBODY_ERROR) { |
708 | 0 | si = (*resp)->body->value.error->pKIStatusInfo; |
709 | 0 | } else { |
710 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY); |
711 | 0 | return 0; |
712 | 0 | } |
713 | | |
714 | 0 | if (!save_statusInfo(ctx, si)) |
715 | 0 | return 0; |
716 | | |
717 | 0 | if (ossl_cmp_pkisi_get_status(si) == OSSL_CMP_PKISTATUS_waiting) { |
718 | | /* |
719 | | * Here we allow both and error message with waiting indication |
720 | | * as well as a certificate response with waiting indication, where |
721 | | * its flavor (ip, cp, or kup) may not strictly match ir/cr/p10cr/kur. |
722 | | */ |
723 | 0 | OSSL_CMP_MSG_free(*resp); |
724 | 0 | *resp = NULL; |
725 | 0 | if ((ret = poll_for_response(ctx, sleep, rid, resp, checkAfter)) != 0) { |
726 | 0 | if (ret == -1) /* at this point implies sleep == 0 */ |
727 | 0 | return ret; /* waiting */ |
728 | 0 | goto retry; /* got some response other than pollRep */ |
729 | 0 | } else { |
730 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_POLLING_FAILED); |
731 | 0 | return 0; |
732 | 0 | } |
733 | 0 | } |
734 | | |
735 | | /* at this point, we have received ip/cp/kup/error without waiting */ |
736 | 0 | if (rcvd_type == OSSL_CMP_PKIBODY_ERROR) { |
737 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_RECEIVED_ERROR); |
738 | 0 | return 0; |
739 | 0 | } |
740 | | /* here we are strict on the flavor of ip/cp/kup: must match request */ |
741 | 0 | if (rcvd_type != expected_type) { |
742 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY); |
743 | 0 | return 0; |
744 | 0 | } |
745 | | |
746 | 0 | cert = get1_cert_status(ctx, (*resp)->body->type, crep); |
747 | 0 | if (cert == NULL) { |
748 | 0 | ERR_add_error_data(1, "; cannot extract certificate from response"); |
749 | 0 | return 0; |
750 | 0 | } |
751 | 0 | if (!ossl_cmp_ctx_set0_newCert(ctx, cert)) { |
752 | 0 | X509_free(cert); |
753 | 0 | return 0; |
754 | 0 | } |
755 | | |
756 | | /* |
757 | | * if the CMP server returned certificates in the caPubs field, copy them |
758 | | * to the context so that they can be retrieved if necessary |
759 | | */ |
760 | 0 | if (crepmsg != NULL && crepmsg->caPubs != NULL |
761 | 0 | && !ossl_cmp_ctx_set1_caPubs(ctx, crepmsg->caPubs)) |
762 | 0 | return 0; |
763 | | |
764 | 0 | subj = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0); |
765 | 0 | rkey = ossl_cmp_ctx_get0_newPubkey(ctx); |
766 | 0 | if (rkey != NULL |
767 | | /* X509_check_private_key() also works if rkey is just public key */ |
768 | 0 | && !(X509_check_private_key(ctx->newCert, rkey))) { |
769 | 0 | fail_info = 1 << OSSL_CMP_PKIFAILUREINFO_incorrectData; |
770 | 0 | txt = "public key in new certificate does not match our enrollment key"; |
771 | | /*- |
772 | | * not calling (void)ossl_cmp_exchange_error(ctx, |
773 | | * OSSL_CMP_PKISTATUS_rejection, fail_info, txt) |
774 | | * not throwing CMP_R_CERTIFICATE_NOT_ACCEPTED with txt |
775 | | * not returning 0 |
776 | | * since we better leave this for the certConf_cb to decide |
777 | | */ |
778 | 0 | } |
779 | | |
780 | | /* |
781 | | * Execute the certification checking callback function, |
782 | | * which can determine whether to accept a newly enrolled certificate. |
783 | | * It may overrule the pre-decision reflected in 'fail_info' and '*txt'. |
784 | | */ |
785 | 0 | cb = ctx->certConf_cb != NULL ? ctx->certConf_cb : OSSL_CMP_certConf_cb; |
786 | 0 | if ((fail_info = cb(ctx, ctx->newCert, fail_info, &txt)) != 0 |
787 | 0 | && txt == NULL) |
788 | 0 | txt = "CMP client did not accept it"; |
789 | 0 | if (fail_info != 0) /* immediately log error before any certConf exchange */ |
790 | 0 | ossl_cmp_log1(ERROR, ctx, |
791 | 0 | "rejecting newly enrolled cert with subject: %s", subj); |
792 | | /* |
793 | | * certConf exchange should better be moved to do_certreq_seq() such that |
794 | | * also more low-level errors with CertReqMessages get reported to server |
795 | | */ |
796 | 0 | if (!ctx->disableConfirm |
797 | 0 | && !ossl_cmp_hdr_has_implicitConfirm((*resp)->header)) { |
798 | 0 | if (!ossl_cmp_exchange_certConf(ctx, rid, fail_info, txt)) |
799 | 0 | ret = 0; |
800 | 0 | } |
801 | | |
802 | | /* not throwing failure earlier as transfer_cb may call ERR_clear_error() */ |
803 | 0 | if (fail_info != 0) { |
804 | 0 | ERR_raise_data(ERR_LIB_CMP, CMP_R_CERTIFICATE_NOT_ACCEPTED, |
805 | 0 | "rejecting newly enrolled cert with subject: %s; %s", |
806 | 0 | subj, txt); |
807 | 0 | ctx->status = OSSL_CMP_PKISTATUS_rejected_by_client; |
808 | 0 | ret = 0; |
809 | 0 | } |
810 | 0 | OPENSSL_free(subj); |
811 | 0 | return ret; |
812 | 0 | } |
813 | | |
814 | | static int initial_certreq(OSSL_CMP_CTX *ctx, |
815 | | int req_type, const OSSL_CRMF_MSG *crm, |
816 | | OSSL_CMP_MSG **p_rep, int rep_type) |
817 | 1.38k | { |
818 | 1.38k | OSSL_CMP_MSG *req; |
819 | 1.38k | int res; |
820 | | |
821 | 1.38k | ctx->status = OSSL_CMP_PKISTATUS_request; |
822 | 1.38k | if (!ossl_cmp_ctx_set0_newCert(ctx, NULL)) |
823 | 0 | return 0; |
824 | | |
825 | | /* also checks if all necessary options are set */ |
826 | 1.38k | if ((req = ossl_cmp_certreq_new(ctx, req_type, crm)) == NULL) |
827 | 1.38k | return 0; |
828 | | |
829 | 0 | res = send_receive_check(ctx, req, p_rep, rep_type); |
830 | 0 | OSSL_CMP_MSG_free(req); |
831 | 0 | return res; |
832 | 1.38k | } |
833 | | |
834 | | int OSSL_CMP_try_certreq(OSSL_CMP_CTX *ctx, int req_type, |
835 | | const OSSL_CRMF_MSG *crm, int *checkAfter) |
836 | 186 | { |
837 | 186 | OSSL_CMP_MSG *rep = NULL; |
838 | 186 | int is_p10 = req_type == OSSL_CMP_PKIBODY_P10CR; |
839 | 186 | int rid = is_p10 ? OSSL_CMP_CERTREQID_NONE : OSSL_CMP_CERTREQID; |
840 | 186 | int rep_type = is_p10 ? OSSL_CMP_PKIBODY_CP : req_type + 1; |
841 | 186 | int res = 0; |
842 | | |
843 | 186 | if (ctx == NULL) { |
844 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); |
845 | 0 | return 0; |
846 | 0 | } |
847 | | |
848 | 186 | if (ctx->status != OSSL_CMP_PKISTATUS_waiting) { /* not polling already */ |
849 | 0 | if (!initial_certreq(ctx, req_type, crm, &rep, rep_type)) |
850 | 0 | goto err; |
851 | | |
852 | 0 | if (!save_senderNonce_if_waiting(ctx, rep, rid)) |
853 | 0 | goto err; |
854 | 186 | } else { |
855 | 186 | if (req_type < 0) |
856 | 0 | return ossl_cmp_exchange_error(ctx, OSSL_CMP_PKISTATUS_rejection, |
857 | 0 | 0, "polling aborted", |
858 | 0 | 0 /* errorCode */, "by application"); |
859 | 186 | res = poll_for_response(ctx, 0 /* no sleep */, rid, &rep, checkAfter); |
860 | 186 | if (res <= 0) /* waiting or error */ |
861 | 186 | return res; |
862 | 186 | } |
863 | 0 | res = cert_response(ctx, 0 /* no sleep */, rid, &rep, checkAfter, |
864 | 0 | req_type, rep_type); |
865 | |
|
866 | 0 | err: |
867 | 0 | OSSL_CMP_MSG_free(rep); |
868 | 0 | return res; |
869 | 0 | } |
870 | | |
871 | | /*- |
872 | | * Do the full sequence CR/IR/KUR/P10CR, CP/IP/KUP/CP, |
873 | | * certConf, PKIconf, and polling if required. |
874 | | * Will sleep as long as indicated by the server (according to checkAfter). |
875 | | * All enrollment options need to be present in the context. |
876 | | * Returns pointer to received certificate, or NULL if none was received. |
877 | | */ |
878 | | X509 *OSSL_CMP_exec_certreq(OSSL_CMP_CTX *ctx, int req_type, |
879 | | const OSSL_CRMF_MSG *crm) |
880 | 1.19k | { |
881 | 1.19k | OSSL_CMP_MSG *rep = NULL; |
882 | 1.19k | int is_p10 = req_type == OSSL_CMP_PKIBODY_P10CR; |
883 | 1.19k | int rid = is_p10 ? OSSL_CMP_CERTREQID_NONE : OSSL_CMP_CERTREQID; |
884 | 1.19k | int rep_type = is_p10 ? OSSL_CMP_PKIBODY_CP : req_type + 1; |
885 | 1.19k | X509 *result = NULL; |
886 | | |
887 | 1.19k | if (ctx == NULL) { |
888 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); |
889 | 0 | return NULL; |
890 | 0 | } |
891 | | |
892 | 1.19k | if (!initial_certreq(ctx, req_type, crm, &rep, rep_type)) |
893 | 1.19k | goto err; |
894 | | |
895 | 0 | if (!save_senderNonce_if_waiting(ctx, rep, rid)) |
896 | 0 | goto err; |
897 | | |
898 | 0 | if (cert_response(ctx, 1 /* sleep */, rid, &rep, NULL, req_type, rep_type) |
899 | 0 | <= 0) |
900 | 0 | goto err; |
901 | | |
902 | 0 | result = ctx->newCert; |
903 | 1.19k | err: |
904 | 1.19k | OSSL_CMP_MSG_free(rep); |
905 | 1.19k | return result; |
906 | 0 | } |
907 | | |
908 | | int OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx) |
909 | 155 | { |
910 | 155 | OSSL_CMP_MSG *rr = NULL; |
911 | 155 | OSSL_CMP_MSG *rp = NULL; |
912 | 155 | const int num_RevDetails = 1; |
913 | 155 | const int rsid = OSSL_CMP_REVREQSID; |
914 | 155 | OSSL_CMP_REVREPCONTENT *rrep = NULL; |
915 | 155 | OSSL_CMP_PKISI *si = NULL; |
916 | 155 | char buf[OSSL_CMP_PKISI_BUFLEN]; |
917 | 155 | int ret = 0; |
918 | | |
919 | 155 | if (ctx == NULL) { |
920 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS); |
921 | 0 | return 0; |
922 | 0 | } |
923 | 155 | ctx->status = OSSL_CMP_PKISTATUS_request; |
924 | 155 | if (ctx->oldCert == NULL && ctx->p10CSR == NULL |
925 | 0 | && (ctx->serialNumber == NULL || ctx->issuer == NULL)) { |
926 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_REFERENCE_CERT); |
927 | 0 | return 0; |
928 | 0 | } |
929 | | |
930 | | /* OSSL_CMP_rr_new() also checks if all necessary options are set */ |
931 | 155 | if ((rr = ossl_cmp_rr_new(ctx)) == NULL) |
932 | 155 | goto end; |
933 | | |
934 | 0 | if (!send_receive_also_delayed(ctx, rr, &rp, OSSL_CMP_PKIBODY_RP)) |
935 | 0 | goto end; |
936 | | |
937 | 0 | rrep = rp->body->value.rp; |
938 | | #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION |
939 | | if (sk_OSSL_CMP_PKISI_num(rrep->status) != num_RevDetails) { |
940 | | ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_RP_COMPONENT_COUNT); |
941 | | goto end; |
942 | | } |
943 | | #else |
944 | 0 | if (sk_OSSL_CMP_PKISI_num(rrep->status) < 1) { |
945 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_RP_COMPONENT_COUNT); |
946 | 0 | goto end; |
947 | 0 | } |
948 | 0 | #endif |
949 | | |
950 | | /* evaluate PKIStatus field */ |
951 | 0 | si = ossl_cmp_revrepcontent_get_pkisi(rrep, rsid); |
952 | 0 | if (!save_statusInfo(ctx, si)) |
953 | 0 | goto err; |
954 | 0 | switch (ossl_cmp_pkisi_get_status(si)) { |
955 | 0 | case OSSL_CMP_PKISTATUS_accepted: |
956 | 0 | ossl_cmp_info(ctx, "revocation accepted (PKIStatus=accepted)"); |
957 | 0 | ret = 1; |
958 | 0 | break; |
959 | 0 | case OSSL_CMP_PKISTATUS_grantedWithMods: |
960 | 0 | ossl_cmp_info(ctx, "revocation accepted (PKIStatus=grantedWithMods)"); |
961 | 0 | ret = 1; |
962 | 0 | break; |
963 | 0 | case OSSL_CMP_PKISTATUS_rejection: |
964 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_REQUEST_REJECTED_BY_SERVER); |
965 | 0 | goto err; |
966 | 0 | case OSSL_CMP_PKISTATUS_revocationWarning: |
967 | 0 | ossl_cmp_info(ctx, "revocation accepted (PKIStatus=revocationWarning)"); |
968 | 0 | ret = 1; |
969 | 0 | break; |
970 | 0 | case OSSL_CMP_PKISTATUS_revocationNotification: |
971 | | /* interpretation as warning or error depends on CA */ |
972 | 0 | ossl_cmp_warn(ctx, |
973 | 0 | "revocation accepted (PKIStatus=revocationNotification)"); |
974 | 0 | ret = 1; |
975 | 0 | break; |
976 | 0 | case OSSL_CMP_PKISTATUS_waiting: |
977 | 0 | case OSSL_CMP_PKISTATUS_keyUpdateWarning: |
978 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKISTATUS); |
979 | 0 | goto err; |
980 | 0 | default: |
981 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_UNKNOWN_PKISTATUS); |
982 | 0 | goto err; |
983 | 0 | } |
984 | | |
985 | | /* check any present CertId in optional revCerts field */ |
986 | 0 | if (sk_OSSL_CRMF_CERTID_num(rrep->revCerts) >= 1) { |
987 | 0 | OSSL_CRMF_CERTID *cid; |
988 | 0 | OSSL_CRMF_CERTTEMPLATE *tmpl = sk_OSSL_CMP_REVDETAILS_value(rr->body->value.rr, rsid)->certDetails; |
989 | 0 | const X509_NAME *issuer = OSSL_CRMF_CERTTEMPLATE_get0_issuer(tmpl); |
990 | 0 | const ASN1_INTEGER *serial = OSSL_CRMF_CERTTEMPLATE_get0_serialNumber(tmpl); |
991 | |
|
992 | 0 | if (sk_OSSL_CRMF_CERTID_num(rrep->revCerts) != num_RevDetails) { |
993 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_RP_COMPONENT_COUNT); |
994 | 0 | ret = 0; |
995 | 0 | goto err; |
996 | 0 | } |
997 | 0 | if ((cid = ossl_cmp_revrepcontent_get_CertId(rrep, rsid)) == NULL) { |
998 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_CERTID); |
999 | 0 | ret = 0; |
1000 | 0 | goto err; |
1001 | 0 | } |
1002 | 0 | if (X509_NAME_cmp(issuer, OSSL_CRMF_CERTID_get0_issuer(cid)) != 0) { |
1003 | | #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION |
1004 | | ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_CERTID_IN_RP); |
1005 | | ret = 0; |
1006 | | goto err; |
1007 | | #endif |
1008 | 0 | } |
1009 | 0 | if (ASN1_INTEGER_cmp(serial, |
1010 | 0 | OSSL_CRMF_CERTID_get0_serialNumber(cid)) |
1011 | 0 | != 0) { |
1012 | | #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION |
1013 | | ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_SERIAL_IN_RP); |
1014 | | ret = 0; |
1015 | | goto err; |
1016 | | #endif |
1017 | 0 | } |
1018 | 0 | } |
1019 | | |
1020 | | /* check number of any optionally present crls */ |
1021 | 0 | if (rrep->crls != NULL && sk_X509_CRL_num(rrep->crls) != num_RevDetails) { |
1022 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_RP_COMPONENT_COUNT); |
1023 | 0 | ret = 0; |
1024 | 0 | goto err; |
1025 | 0 | } |
1026 | | |
1027 | 0 | err: |
1028 | 0 | if (ret == 0 |
1029 | 0 | && OSSL_CMP_CTX_snprint_PKIStatus(ctx, buf, sizeof(buf)) != NULL) |
1030 | 0 | ERR_add_error_data(1, buf); |
1031 | |
|
1032 | 155 | end: |
1033 | 155 | OSSL_CMP_MSG_free(rr); |
1034 | 155 | OSSL_CMP_MSG_free(rp); |
1035 | 155 | return ret; |
1036 | 0 | } |
1037 | | |
1038 | | STACK_OF(OSSL_CMP_ITAV) *OSSL_CMP_exec_GENM_ses(OSSL_CMP_CTX *ctx) |
1039 | 1.03k | { |
1040 | 1.03k | OSSL_CMP_MSG *genm; |
1041 | 1.03k | OSSL_CMP_MSG *genp = NULL; |
1042 | 1.03k | STACK_OF(OSSL_CMP_ITAV) *itavs = NULL; |
1043 | | |
1044 | 1.03k | if (ctx == NULL) { |
1045 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS); |
1046 | 0 | return NULL; |
1047 | 0 | } |
1048 | 1.03k | ctx->status = OSSL_CMP_PKISTATUS_request; |
1049 | | |
1050 | 1.03k | if ((genm = ossl_cmp_genm_new(ctx)) == NULL) |
1051 | 1.03k | goto err; |
1052 | | |
1053 | 0 | if (!send_receive_also_delayed(ctx, genm, &genp, OSSL_CMP_PKIBODY_GENP)) |
1054 | 0 | goto err; |
1055 | 0 | ctx->status = OSSL_CMP_PKISTATUS_accepted; |
1056 | |
|
1057 | 0 | itavs = genp->body->value.genp; |
1058 | 0 | if (itavs == NULL) |
1059 | 0 | itavs = sk_OSSL_CMP_ITAV_new_null(); |
1060 | | /* received stack of itavs not to be freed with the genp */ |
1061 | 0 | genp->body->value.genp = NULL; |
1062 | |
|
1063 | 1.03k | err: |
1064 | 1.03k | OSSL_CMP_MSG_free(genm); |
1065 | 1.03k | OSSL_CMP_MSG_free(genp); |
1066 | | |
1067 | 1.03k | return itavs; /* NULL indicates error case */ |
1068 | 0 | } |