diff --git a/CHANGES.md b/CHANGES.md index cc6baa6934cd41..d0f588d7d8627e 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -25,6 +25,17 @@ OpenSSL Releases - [OpenSSL 1.0.0](#openssl-100) - [OpenSSL 0.9.x](#openssl-09x) +OpenSSL 3.5 +----------- + +### Changes between 3.4 and 3.5 [xx XXX xxxx] + + * Added support for central key generation in CMP. + + This work was sponsored by Siemens AG. + + *Rajeev Ranjan* + OpenSSL 3.4 ----------- diff --git a/apps/cmp.c b/apps/cmp.c index efdbaf05a49996..83ba513219c2c5 100644 --- a/apps/cmp.c +++ b/apps/cmp.c @@ -201,7 +201,7 @@ static char *opt_srv_trusted = NULL; static char *opt_srv_untrusted = NULL; static char *opt_ref_cert = NULL; static char *opt_rsp_cert = NULL; -static char *opt_rsp_cert_key = NULL; +static char *opt_rsp_key = NULL; static char *opt_rsp_keypass = NULL; static char *opt_rsp_crl = NULL; static char *opt_rsp_extracerts = NULL; @@ -287,7 +287,7 @@ typedef enum OPTION_choice { OPT_SRV_REF, OPT_SRV_SECRET, OPT_SRV_CERT, OPT_SRV_KEY, OPT_SRV_KEYPASS, OPT_SRV_TRUSTED, OPT_SRV_UNTRUSTED, - OPT_REF_CERT, OPT_RSP_CERT, OPT_RSP_CERT_KEY, OPT_RSP_KEYPASS, + OPT_REF_CERT, OPT_RSP_CERT, OPT_RSP_KEY, OPT_RSP_KEYPASS, OPT_RSP_CRL, OPT_RSP_EXTRACERTS, OPT_RSP_CAPUBS, OPT_RSP_NEWWITHNEW, OPT_RSP_NEWWITHOLD, OPT_RSP_OLDWITHNEW, OPT_POLL_COUNT, OPT_CHECK_AFTER, @@ -335,7 +335,7 @@ const OPTIONS cmp_options[] = { {"centralkeygen", OPT_CENTRALKEYGEN, '-', "Request central (server-side) key generation. Default is local generation"}, {"newkeyout", OPT_NEWKEYOUT, 's', - "File to save new key generated in central key generation"}, + "File to save centrally generated key, in PEM format"}, {"subject", OPT_SUBJECT, 's', "Distinguished Name (DN) of subject to use in the requested cert template"}, {OPT_MORE_STR, 0, 0, 
@@ -581,7 +581,7 @@ const OPTIONS cmp_options[] = { "Certificate to be expected for rr and any oldCertID in kur messages"}, {"rsp_cert", OPT_RSP_CERT, 's', "Certificate to be returned as mock enrollment result"}, - {"rsp_cert_key", OPT_RSP_CERT_KEY, 's', + {"rsp_key", OPT_RSP_KEY, 's', "Private key for the certificate to be returned as mock enrollment result"}, {OPT_MORE_STR, 0, 0, "Key to be returned for central key pair generation"}, @@ -699,7 +699,7 @@ static varref cmp_vars[] = { /* must be in same order as enumerated above! */ {&opt_srv_ref}, {&opt_srv_secret}, {&opt_srv_cert}, {&opt_srv_key}, {&opt_srv_keypass}, {&opt_srv_trusted}, {&opt_srv_untrusted}, - {&opt_ref_cert}, {&opt_rsp_cert}, {&opt_rsp_cert_key}, {&opt_rsp_keypass}, + {&opt_ref_cert}, {&opt_rsp_cert}, {&opt_rsp_key}, {&opt_rsp_keypass}, {&opt_rsp_crl}, {&opt_rsp_extracerts}, {&opt_rsp_capubs}, {&opt_rsp_newwithnew}, {&opt_rsp_newwithold}, {&opt_rsp_oldwithnew}, @@ -1218,13 +1218,13 @@ static OSSL_CMP_SRV_CTX *setup_srv_ctx(ENGINE *engine) (add_X509_fn_t)ossl_cmp_mock_srv_set1_certOut)) goto err; } - if (opt_rsp_cert_key != NULL) { - EVP_PKEY *pkey = load_key_pwd(opt_rsp_cert_key, opt_keyform, + if (opt_rsp_key != NULL) { + EVP_PKEY *pkey = load_key_pwd(opt_rsp_key, opt_keyform, opt_rsp_keypass, engine, "private key for enrollment cert"); if (pkey == NULL - || !ossl_cmp_mock_srv_set1_certOutKey(srv_ctx, pkey)) { + || !ossl_cmp_mock_srv_set1_keyOut(srv_ctx, pkey)) { EVP_PKEY_free(pkey); goto err; } 
@@ -1705,11 +1705,11 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) if (opt_reqin == NULL && opt_newkey == NULL && !opt_centralkeygen && opt_key == NULL && opt_csr == NULL && opt_oldcert == NULL) { CMP_err("missing -newkey (or -key) to be certified and no -csr, -oldcert, -cert, or -reqin option given, which could provide fallback public key." - "Neither central key generation is requested."); + " Neither central key generation is requested."); return 0; } if (opt_popo == OSSL_CRMF_POPO_NONE && !opt_centralkeygen) { - CMP_info("POPO is disabled, using -centralkeygen"); + CMP_info("POPO is disabled, which implies -centralkeygen"); opt_centralkeygen = 1; } if (opt_centralkeygen) { @@ -1718,7 +1718,7 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) return 0; } if (opt_newkeyout == NULL) { - CMP_err("-newkeyout not given, nowhere to save newly generated key"); + CMP_err("-newkeyout not given, nowhere to save centrally generated key"); return 0; } opt_popo = OSSL_CRMF_POPO_NONE; @@ -1770,8 +1770,10 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) CMP_warn1("-policies %s", msg); if (opt_policy_oids != NULL) CMP_warn1("-policy_oids %s", msg); + if (opt_popo != OSSL_CRMF_POPO_NONE - 1) + CMP_warn1("-popo %s", msg); if (opt_centralkeygen) - CMP_warn1("-centralkeygen %s", msg); + CMP_warn1("-popo -1 or -centralkeygen %s", msg); if (opt_newkeyout != NULL) CMP_warn1("-newkeyout %s", msg); if (opt_cmd != CMP_P10CR) { @@ -1878,7 +1880,7 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) pkey = load_pubkey(file, format, 0, pass, engine, desc); priv = 0; } - cleanse(opt_newkeypass); + if (pkey == NULL || !OSSL_CMP_CTX_set0_newPkey(ctx, priv, pkey)) { EVP_PKEY_free(pkey); return 0; 
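Review bot: In the @@ -1770 hunk of apps/cmp.c, the new test `opt_popo != OSSL_CRMF_POPO_NONE - 1` compares against an unnamed sentinel, so a reader cannot tell that it presumably means "-popo was not given" without finding the variable's initializer, which is outside this diff. A named constant used at both sites would keep them in step, for example `#define POPO_UNSET (OSSL_CRMF_POPO_NONE - 1)` (the name is only a suggestion) and then `if (opt_popo != POPO_UNSET)`. setup_request_ctx starts and ends outside the hunk.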
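Review bot: In the @@ -1878 hunk of apps/cmp.c, dropping `cleanse(opt_newkeypass);` leaves the -newkeypass argument in process memory for the rest of the run, and no later hunk in this diff wipes it. The removal looks intentional, since cmp_main now reads opt_newkeypass when saving the centrally generated key, so the wipe should move rather than disappear: call `cleanse(opt_newkeypass);` in cmp_main after the key has been saved, and on its error path too. A one-line comment at the old site, such as `/* opt_newkeypass is cleansed in cmp_main, after any centrally generated key is saved */`, would keep the next reader from restoring the call here. setup_request_ctx starts and ends outside the hunk.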
@@ -3142,8 +3144,8 @@ static int get_opts(int argc, char **argv) case OPT_RSP_CERT: opt_rsp_cert = opt_str(); break; - case OPT_RSP_CERT_KEY: - opt_rsp_cert_key = opt_str(); + case OPT_RSP_KEY: + opt_rsp_key = opt_str(); break; case OPT_RSP_KEYPASS: opt_rsp_keypass = opt_str(); @@ -3856,17 +3858,25 @@ int cmp_main(int argc, char **argv) opt_cacertsout, "CA") < 0) goto err; if (opt_centralkeygen) { + const EVP_CIPHER *cipher = NULL; + char *pass_string = NULL; EVP_PKEY *new_key = OSSL_CMP_CTX_get0_newPkey(cmp_ctx, 1 /* priv */); BIO *out = bio_open_owner(opt_newkeyout, FORMAT_PEM, 1); - if (out == NULL) + if (new_key == NULL || out == NULL) goto err; - CMP_info1("received central (server) generated key, saving to file '%s'", - opt_newkeyout); - if (PEM_write_bio_PrivateKey(out, new_key, NULL, NULL, 0, NULL, - NULL) <= 0) + if (opt_newkeypass != NULL) { + pass_string = get_passwd(opt_newkeypass, + "Centrally generated private key password"); + cipher = EVP_aes_256_cbc(); + } + + CMP_info1("saving centrally generated key to file '%s'", opt_newkeyout); + if (PEM_write_bio_PKCS8PrivateKey(out, new_key, cipher, NULL, 0, NULL, + (void *)pass_string) <= 0) goto err; BIO_free(out); + clear_free(pass_string); } } if (!OSSL_CMP_CTX_reinit(cmp_ctx)) diff --git a/apps/include/cmp_mock_srv.h b/apps/include/cmp_mock_srv.h index a42d57ab8b3639..776318fa8baaa0 100644 --- a/apps/include/cmp_mock_srv.h +++ b/apps/include/cmp_mock_srv.h @@ -22,8 +22,7 @@ void ossl_cmp_mock_srv_free(OSSL_CMP_SRV_CTX *srv_ctx); int ossl_cmp_mock_srv_set1_refCert(OSSL_CMP_SRV_CTX *srv_ctx, X509 *cert); int ossl_cmp_mock_srv_set1_certOut(OSSL_CMP_SRV_CTX *srv_ctx, X509 *cert); -int ossl_cmp_mock_srv_set1_certOutKey(OSSL_CMP_SRV_CTX *srv_ctx, - EVP_PKEY *pkey); +int ossl_cmp_mock_srv_set1_keyOut(OSSL_CMP_SRV_CTX *srv_ctx, EVP_PKEY *pkey); int ossl_cmp_mock_srv_set1_crlOut(OSSL_CMP_SRV_CTX *srv_ctx, X509_CRL *crl); int ossl_cmp_mock_srv_set1_chainOut(OSSL_CMP_SRV_CTX *srv_ctx, STACK_OF(X509) *chain); 
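Review bot: In the @@ -3856 hunk of apps/cmp.c, every `goto err` inside the new `if (opt_centralkeygen)` block leaks, because `out` and `pass_string` are block-scoped and the err label cannot free them; a failed write therefore leaves the passphrase copy uncleared in memory and the BIO open. The result of get_passwd() is also not checked, so if it returns NULL the key is written with a cipher selected but no passphrase supplied, which leaves the outcome to the PEM layer's fallback behaviour instead of failing closed. Opening the output only after the key and passphrase are known to be available also avoids touching the -newkeyout file when nothing will be written. The sketch below funnels all outcomes through one cleanup sequence; cmp_main starts and ends outside the hunk.

```c
        if (opt_centralkeygen) {
            const EVP_CIPHER *cipher = NULL;
            char *pass_string = NULL;
            BIO *out = NULL;
            int saved = 0;
            EVP_PKEY *new_key = OSSL_CMP_CTX_get0_newPkey(cmp_ctx, 1 /* priv */);

            if (new_key == NULL)
                goto err; /* nothing allocated yet */
            if (opt_newkeypass != NULL) {
                pass_string = get_passwd(opt_newkeypass,
                                         "Centrally generated private key password");
                if (pass_string == NULL)
                    goto err; /* fail closed: no passphrase, no key file */
                cipher = EVP_aes_256_cbc();
            }
            /* open the output only once there is something to write */
            out = bio_open_owner(opt_newkeyout, FORMAT_PEM, 1);
            if (out != NULL) {
                CMP_info1("saving centrally generated key to file '%s'", opt_newkeyout);
                saved = PEM_write_bio_PKCS8PrivateKey(out, new_key, cipher, NULL, 0,
                                                      NULL, (void *)pass_string) > 0;
            }
            /* single cleanup sequence for success and failure */
            BIO_free(out);
            clear_free(pass_string);
            if (!saved)
                goto err;
        }
```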
diff --git a/apps/lib/cmp_mock_srv.c b/apps/lib/cmp_mock_srv.c index b7a7313a36ca31..fd65d81525a127 100644 --- a/apps/lib/cmp_mock_srv.c +++ b/apps/lib/cmp_mock_srv.c @@ -19,7 +19,7 @@ typedef struct { X509 *refCert; /* cert to expect for oldCertID in kur/rr msg */ X509 *certOut; /* certificate to be returned in cp/ip/kup msg */ - EVP_PKEY *certOutKey; /* Private key to be returned for central keygen */ + EVP_PKEY *keyOut; /* Private key to be returned for central keygen */ X509_CRL *crlOut; /* CRL to be returned in genp for crls */ STACK_OF(X509) *chainOut; /* chain of certOut to add to extraCerts field */ STACK_OF(X509) *caPubsOut; /* used in caPubs of ip and in caCerts of genp */ @@ -88,8 +88,7 @@ static mock_srv_ctx *mock_srv_ctx_new(void) DEFINE_OSSL_SET1_CERT(refCert) DEFINE_OSSL_SET1_CERT(certOut) -int ossl_cmp_mock_srv_set1_certOutKey(OSSL_CMP_SRV_CTX *srv_ctx, - EVP_PKEY *pkey) +int ossl_cmp_mock_srv_set1_keyOut(OSSL_CMP_SRV_CTX *srv_ctx, EVP_PKEY *pkey) { mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx); @@ -99,8 +98,8 @@ int ossl_cmp_mock_srv_set1_certOutKey(OSSL_CMP_SRV_CTX *srv_ctx, } if (pkey != NULL && !EVP_PKEY_up_ref(pkey)) return 0; - EVP_PKEY_free(ctx->certOutKey); - ctx->certOutKey = pkey; + EVP_PKEY_free(ctx->keyOut); + ctx->keyOut = pkey; return 1; } @@ -292,7 +291,7 @@ static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx, mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx); int bodytype; OSSL_CMP_PKISI *si = NULL; - EVP_PKEY *certOutKey = NULL; + EVP_PKEY *keyOut = NULL; if (ctx == NULL || cert_req == NULL || certOut == NULL || chainOut == NULL || caPubs == NULL) { 
@@ -376,13 +375,16 @@ static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx, && (*certOut = X509_dup(ctx->certOut)) == NULL) /* Should return a cert produced from request template, see FR #16054 */ goto err; - if (ctx->certOutKey != NULL - && OSSL_CMP_SRV_CTX_centralKeygen_req(crm, (X509_REQ *) p10cr) - /* using newPkey to return the private key */ - && (((certOutKey = EVP_PKEY_dup(ctx->certOutKey)) == NULL) + if (OSSL_CMP_SRV_CTX_centralKeygen_req(crm, p10cr) + && (ctx->keyOut == NULL + || (keyOut = EVP_PKEY_dup(ctx->keyOut)) == NULL || !OSSL_CMP_CTX_set0_newPkey(OSSL_CMP_SRV_CTX_get0_cmp_ctx(srv_ctx), - 1 /* priv */, certOutKey))) + 1 /* priv */, keyOut))) goto err; + /* + * Note that this uses newPkey to return the private key + * and does not check whether the 'popo' field is absent. + */ if (ctx->chainOut != NULL && (*chainOut = X509_chain_up_ref(ctx->chainOut)) == NULL) goto err; diff --git a/crypto/cmp/cmp_client.c b/crypto/cmp/cmp_client.c index f362527c7d6b47..d6c6b81fd398a3 100644 --- a/crypto/cmp/cmp_client.c +++ b/crypto/cmp/cmp_client.c @@ -505,7 +505,6 @@ static X509 *get1_cert_status(OSSL_CMP_CTX *ctx, int bodytype, { char buf[OSSL_CMP_PKISI_BUFLEN]; X509 *crt = NULL; - EVP_PKEY *privkey = NULL; if (!ossl_assert(ctx != NULL && crep != NULL)) return NULL; @@ -547,7 +546,7 @@ static X509 *get1_cert_status(OSSL_CMP_CTX *ctx, int bodytype, ERR_raise(ERR_LIB_CMP, CMP_R_UNKNOWN_PKISTATUS); goto err; } - crt = ossl_cmp_certresponse_get1_cert_key(crep, ctx, privkey); + crt = ossl_cmp_certresponse_get1_cert(ctx, crep); if (crt == NULL) /* according to PKIStatus, we can expect a cert */ ERR_raise(ERR_LIB_CMP, CMP_R_CERTIFICATE_NOT_FOUND); diff --git a/crypto/cmp/cmp_local.h b/crypto/cmp/cmp_local.h index 8da454e644a92a..da616e668a12ea 100644 --- a/crypto/cmp/cmp_local.h +++ b/crypto/cmp/cmp_local.h 
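Review bot: In the @@ -376 hunk of apps/lib/cmp_mock_srv.c, a central key generation request now fails with a bare `goto err` when `ctx->keyOut` is NULL, and nothing in the hunk puts a reason on the error queue, so an operator who forgot -rsp_key gets no hint why enrollment failed. Splitting that case out ahead of the dup, for example `if (ctx->keyOut == NULL) { ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_PRIVATE_KEY); goto err; }`, would make the failure diagnosable. Separately, if OSSL_CMP_CTX_set0_newPkey() fails after EVP_PKEY_dup() succeeded, the duplicate in `keyOut` is still owned by this function; the err label is outside the hunk, so please confirm that it frees `keyOut`. process_cert_request starts and ends outside the hunk.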
@@ -952,7 +952,7 @@ OSSL_CMP_MSG *ossl_cmp_certreq_new(OSSL_CMP_CTX *ctx, int bodytype, const OSSL_CRMF_MSG *crm); OSSL_CMP_MSG *ossl_cmp_certrep_new(OSSL_CMP_CTX *ctx, int bodytype, int certReqId, const OSSL_CMP_PKISI *si, - X509 *cert, EVP_PKEY *certkey, + X509 *cert, const EVP_PKEY *pkey, const X509 *encryption_recip, STACK_OF(X509) *chain, STACK_OF(X509) *caPubs, int unprotectedErrors); @@ -989,12 +989,13 @@ ossl_cmp_pollrepcontent_get0_pollrep(const OSSL_CMP_POLLREPCONTENT *prc, OSSL_CMP_CERTRESPONSE * ossl_cmp_certrepmessage_get0_certresponse(const OSSL_CMP_CERTREPMESSAGE *crm, int rid); -X509 *ossl_cmp_certresponse_get1_cert_key(const OSSL_CMP_CERTRESPONSE *crep, - const OSSL_CMP_CTX *ctx, EVP_PKEY *pkey); +X509 *ossl_cmp_certresponse_get1_cert(const OSSL_CMP_CTX *ctx, + const OSSL_CMP_CERTRESPONSE *crep); OSSL_CMP_MSG *ossl_cmp_msg_load(const char *file); int ossl_cmp_is_error_with_waiting(const OSSL_CMP_MSG *msg); /* from cmp_protect.c */ +void ossl_cmp_set_own_chain(OSSL_CMP_CTX *ctx); int ossl_cmp_msg_add_extraCerts(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg); ASN1_BIT_STRING *ossl_cmp_calc_protection(const OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg); diff --git a/crypto/cmp/cmp_msg.c b/crypto/cmp/cmp_msg.c index 78b97b792ab851..61becd710249b4 100644 --- a/crypto/cmp/cmp_msg.c +++ b/crypto/cmp/cmp_msg.c 
@@ -453,34 +453,37 @@ OSSL_CMP_MSG *ossl_cmp_certreq_new(OSSL_CMP_CTX *ctx, int type, } #ifndef OPENSSL_NO_CMS -static OSSL_CRMF_ENCRYPTEDKEY *encprivatekey(OSSL_CMP_CTX *ctx, EVP_PKEY *privKey) +static OSSL_CRMF_ENCRYPTEDKEY *enc_privkey(OSSL_CMP_CTX *ctx, const EVP_PKEY *pkey) { OSSL_CRMF_ENCRYPTEDKEY *ek = NULL; CMS_EnvelopedData *envData = NULL; - STACK_OF(X509) *encryption_recips = NULL; BIO *privbio = NULL; - int res = 0; X509 *recip = X509_dup(ctx->validatedSrvCert); + STACK_OF(X509) * encryption_recips = sk_X509_new_null(); + + if (encryption_recips == NULL || recip == NULL) + goto err; - encryption_recips = sk_X509_new_null(); - if (encryption_recips == NULL || recip == NULL - || !sk_X509_push(encryption_recips, recip)) + if (!sk_X509_push(encryption_recips, recip)) goto err; + recip = NULL; privbio = BIO_new(BIO_s_mem()); - if (privbio == NULL || i2d_PrivateKey_bio(privbio, privKey) <= 0) + if (privbio == NULL || i2d_PrivateKey_bio(privbio, pkey) <= 0) goto err; - envData = CMS_env_sign_data(privbio, ctx->cert, ctx->pkey, - encryption_recips, ctx->libctx, ctx->propq); + ossl_cmp_set_own_chain(ctx); + envData = CMS_sign_encrypt(privbio, ctx->cert, ctx->chain, ctx->pkey, CMS_BINARY, + encryption_recips, EVP_aes_256_cbc(), CMS_BINARY, + ctx->libctx, ctx->propq); if (envData == NULL) goto err; - if ((ek = OSSL_CRMF_ENCRYPTEDKEY_init_envdata(envData)) == NULL) - goto err; - res = 1; + ek = OSSL_CRMF_ENCRYPTEDKEY_init_envdata(envData); err: sk_X509_pop_free(encryption_recips, X509_free); - if (!res) + X509_free(recip); + BIO_free(privbio); + if (ek == NULL) M_ASN1_free_of(envData, CMS_EnvelopedData); return ek; 
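Review bot: In enc_privkey (the @@ -453 hunk of crypto/cmp/cmp_msg.c), the only recipient of the encrypted private key is a copy of `ctx->validatedSrvCert`, and when that field is NULL the function returns NULL through `goto err` without raising any error, because a NULL result from `X509_dup()` is treated the same as an allocation failure. Since the confidentiality of the returned key rests entirely on this certificate being the requester's, an explicit guard before any allocation, `if (ctx->validatedSrvCert == NULL)` followed by an ERR_raise with a specific reason and `return NULL`, would both document the precondition and give a usable diagnostic (presumably this is hit for requests that were not signature-protected; please confirm). A comment above the function stating whose certificate validatedSrvCert holds on the server side would help anyone reviewing this key-transport path. Minor style: `STACK_OF(X509) * encryption_recips` has a stray space after the asterisk, unlike `X509 *recip` on the line before it.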
@@ -489,7 +492,7 @@ static OSSL_CRMF_ENCRYPTEDKEY *encprivatekey(OSSL_CMP_CTX *ctx, EVP_PKEY *privKe OSSL_CMP_MSG *ossl_cmp_certrep_new(OSSL_CMP_CTX *ctx, int bodytype, int certReqId, const OSSL_CMP_PKISI *si, - X509 *cert, EVP_PKEY *certkey, + X509 *cert, const EVP_PKEY *pkey, const X509 *encryption_recip, STACK_OF(X509) *chain, STACK_OF(X509) *caPubs, int unprotectedErrors) @@ -535,9 +538,10 @@ OSSL_CMP_MSG *ossl_cmp_certrep_new(OSSL_CMP_CTX *ctx, int bodytype, goto err; resp->certifiedKeyPair->certOrEncCert->value.certificate = cert; - if (certkey != NULL) { + if (pkey != NULL) { #ifndef OPENSSL_NO_CMS - resp->certifiedKeyPair->privateKey = encprivatekey(ctx, certkey); + if ((resp->certifiedKeyPair->privateKey = enc_privkey(ctx, pkey)) == NULL) + goto err; #else ERR_raise(ERR_LIB_CMP, ERR_R_UNSUPPORTED); goto err; @@ -1100,16 +1104,16 @@ ossl_cmp_certrepmessage_get0_certresponse(const OSSL_CMP_CERTREPMESSAGE *crm, /*- * Retrieve newly enrolled certificate and key from the given certResponse crep. - * In case of indirect POPO uses the libctx and propq from ctx and private key. - * In case of central key generation, updates ctx->newPkey. + * Stores any centrally generated key in ctx->newPkey. + * In case of indirect POPO uses ctx->newPkey to decrypt the new certificate. * Returns a pointer to a copy of the found certificate, or NULL if not found. */ -X509 *ossl_cmp_certresponse_get1_cert_key(const OSSL_CMP_CERTRESPONSE *crep, - const OSSL_CMP_CTX *ctx, EVP_PKEY *pkey) +X509 *ossl_cmp_certresponse_get1_cert(const OSSL_CMP_CTX *ctx, const OSSL_CMP_CERTRESPONSE *crep) { OSSL_CMP_CERTORENCCERT *coec; X509 *crt = NULL; OSSL_CRMF_ENCRYPTEDKEY *encr_key; + EVP_PKEY *pkey = NULL; int central_keygen = OSSL_CMP_CTX_get_option(ctx, OSSL_CMP_OPT_POPO_METHOD) == OSSL_CRMF_POPO_NONE; 
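Review bot: In the @@ -1100 hunk of crypto/cmp/cmp_msg.c, the rewritten header comment says ossl_cmp_certresponse_get1_cert() "stores any centrally generated key in ctx->newPkey", yet the new signature takes `const OSSL_CMP_CTX *ctx`, so the documented side effect contradicts the declared contract (and presumably needs a cast somewhere in the body, which is outside the hunk). Either drop the qualifier here and in cmp_local.h, `X509 *ossl_cmp_certresponse_get1_cert(OSSL_CMP_CTX *ctx, const OSSL_CMP_CERTRESPONSE *crep)`, or keep it and say in the comment why writing through a const context is acceptable. The comment should also state who owns the stored key and what happens to a key already present in ctx->newPkey. The function body continues outside the hunk.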
@@ -1156,9 +1160,8 @@ X509 *ossl_cmp_certresponse_get1_cert_key(const OSSL_CMP_CERTRESPONSE *crep, ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_PRIVATE_KEY); return NULL; } - crt = OSSL_CRMF_ENCRYPTEDKEY_get1_encCert(coec->value.encryptedCert, - ctx->libctx, ctx->propq, - pkey, 0); + crt = OSSL_CRMF_ENCRYPTEDKEY_get1_encCert(coec->value.encryptedCert, pkey, 0, + ctx->libctx, ctx->propq); break; default: ERR_raise(ERR_LIB_CMP, CMP_R_UNKNOWN_CERT_TYPE); diff --git a/crypto/cmp/cmp_protect.c b/crypto/cmp/cmp_protect.c index f59fee44ec26c8..a67d0f9c406750 100644 --- a/crypto/cmp/cmp_protect.c +++ b/crypto/cmp/cmp_protect.c @@ -130,6 +130,26 @@ ASN1_BIT_STRING *ossl_cmp_calc_protection(const OSSL_CMP_CTX *ctx, } } +void ossl_cmp_set_own_chain(OSSL_CMP_CTX *ctx) +{ + if (!ossl_assert(ctx != NULL)) + return; + /* if not yet done try to build chain using available untrusted certs */ + if (ctx->chain == NULL) { + ossl_cmp_debug(ctx, + "trying to build chain for own CMP signer cert"); + ctx->chain = X509_build_chain(ctx->cert, ctx->untrusted, NULL, 0, + ctx->libctx, ctx->propq); + if (ctx->chain != NULL) { + ossl_cmp_debug(ctx, "success building chain for own CMP signer cert"); + } else { + /* dump errors to avoid confusion when printing further ones */ + OSSL_CMP_CTX_print_errors(ctx); + ossl_cmp_warn(ctx, "could not build chain for own CMP signer cert"); + } + } +} + /* ctx is not const just because ctx->chain may get adapted */ int ossl_cmp_msg_add_extraCerts(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg) { 
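Review bot: The new ossl_cmp_set_own_chain() in crypto/cmp/cmp_protect.c (@@ -130 hunk) has no header comment and returns void, so callers cannot tell that it is best-effort: on failure it only warns, leaves `ctx->chain` NULL, and calls OSSL_CMP_CTX_print_errors(), which as far as I know also flushes errors that were queued before the call. That side effect matters now that the helper is shared, since enc_privkey calls it in the middle of building a response. I would add a comment such as `/* Best effort: builds ctx->chain from ctx->untrusted if unset; on failure warns, prints the error queue and leaves ctx->chain NULL */`, and state whether `ctx->cert` must be non-NULL, which the function does not check.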
@@ -142,22 +162,7 @@ int ossl_cmp_msg_add_extraCerts(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg) int prepend = X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP | X509_ADD_FLAG_PREPEND | X509_ADD_FLAG_NO_SS; - /* if not yet done try to build chain using available untrusted certs */ - if (ctx->chain == NULL) { - ossl_cmp_debug(ctx, - "trying to build chain for own CMP signer cert"); - ctx->chain = X509_build_chain(ctx->cert, ctx->untrusted, NULL, 0, - ctx->libctx, ctx->propq); - if (ctx->chain != NULL) { - ossl_cmp_debug(ctx, - "success building chain for own CMP signer cert"); - } else { - /* dump errors to avoid confusion when printing further ones */ - OSSL_CMP_CTX_print_errors(ctx); - ossl_cmp_warn(ctx, - "could not build chain for own CMP signer cert"); - } - } + ossl_cmp_set_own_chain(ctx); if (ctx->chain != NULL) { if (!ossl_x509_add_certs_new(&msg->extraCerts, ctx->chain, prepend)) return 0; diff --git a/crypto/cmp/cmp_server.c b/crypto/cmp/cmp_server.c index c549b769f2b18b..e8a225d5120679 100644 --- a/crypto/cmp/cmp_server.c +++ b/crypto/cmp/cmp_server.c @@ -166,7 +166,7 @@ int OSSL_CMP_SRV_CTX_set_grant_implicit_confirm(OSSL_CMP_SRV_CTX *srv_ctx, } int OSSL_CMP_SRV_CTX_centralKeygen_req(const OSSL_CRMF_MSG *crm, - X509_REQ *p10cr) + const X509_REQ *p10cr) { X509_PUBKEY *pubkey = NULL; const unsigned char *pk = NULL; @@ -180,7 +180,7 @@ int OSSL_CMP_SRV_CTX_centralKeygen_req(const OSSL_CRMF_MSG *crm, if (crm != NULL) pubkey = OSSL_CRMF_CERTTEMPLATE_get0_publicKey(OSSL_CRMF_MSG_get0_tmpl(crm)); else - pubkey = X509_REQ_get_X509_PUBKEY(p10cr); + pubkey = p10cr->req_info.pubkey; if (pubkey == NULL || (X509_PUBKEY_get0_param(NULL, &pk, &pklen, NULL, pubkey) 
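Review bot: In the @@ -180 hunk of crypto/cmp/cmp_server.c, the new `pubkey = p10cr->req_info.pubkey;` dereferences `p10cr` directly, so a call with both `crm` and `p10cr` NULL crashes unless a check in the lines outside the hunk rules that out. Because OSSL_CMP_SRV_CTX_centralKeygen_req() is a public function, I would make the branch explicit, `else if (p10cr != NULL) pubkey = p10cr->req_info.pubkey;`, and let the existing `pubkey == NULL` test handle the rest. With that shape two NULL arguments would read as "central key generation requested"; if that is not wanted, reject the case up front with an error instead. The function starts and ends outside the hunk.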
@@ -242,7 +242,7 @@ static OSSL_CMP_MSG *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx, OSSL_CMP_MSG *msg = NULL; OSSL_CMP_PKISI *si = NULL; X509 *certOut = NULL; - EVP_PKEY *certOutKey = NULL; + EVP_PKEY *keyOut = NULL; STACK_OF(X509) *chainOut = NULL, *caPubs = NULL; const OSSL_CRMF_MSG *crm = NULL; X509_REQ *p10cr = NULL; @@ -317,11 +317,11 @@ static OSSL_CMP_MSG *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx, goto err; if (OSSL_CMP_SRV_CTX_centralKeygen_req(crm, p10cr) && srv_ctx->ctx->newPkey_priv && srv_ctx->ctx->newPkey != NULL) - certOutKey = srv_ctx->ctx->newPkey; + keyOut = srv_ctx->ctx->newPkey; } msg = ossl_cmp_certrep_new(srv_ctx->ctx, bodytype, certReqId, si, - certOut, certOutKey, NULL /* enc */, chainOut, caPubs, + certOut, keyOut, NULL /* enc */, chainOut, caPubs, srv_ctx->sendUnprotectedErrors); /* When supporting OSSL_CRMF_POPO_KEYENC, "enc" will need to be set */ if (msg == NULL) diff --git a/crypto/cmp/cmp_vfy.c b/crypto/cmp/cmp_vfy.c index f27bc533ec0b5a..47bf38b2af5dab 100644 --- a/crypto/cmp/cmp_vfy.c +++ b/crypto/cmp/cmp_vfy.c @@ -347,11 +347,10 @@ static int check_cert_path_3gpp(const OSSL_CMP_CTX *ctx, * verify that the newly enrolled certificate (which assumed rid == * OSSL_CMP_CERTREQID) can also be validated with the same trusted store */ - EVP_PKEY *pkey = OSSL_CMP_CTX_get0_newPkey(ctx, 1); OSSL_CMP_CERTRESPONSE *crep = ossl_cmp_certrepmessage_get0_certresponse(msg->body->value.ip, OSSL_CMP_CERTREQID); - X509 *newcrt = ossl_cmp_certresponse_get1_cert_key(crep, ctx, pkey); + X509 *newcrt = ossl_cmp_certresponse_get1_cert(ctx, crep); /* * maybe better use get_cert_status() from cmp_client.c, which catches diff --git a/crypto/cms/cms_lib.c b/crypto/cms/cms_lib.c index 9d7da978ded01a..c6a93341338bb4 100644 --- a/crypto/cms/cms_lib.c +++ b/crypto/cms/cms_lib.c 
@@ -736,21 +736,20 @@ int ossl_cms_set1_keyid(ASN1_OCTET_STRING **pkeyid, X509 *cert) return 1; } -CMS_EnvelopedData *CMS_env_sign_data(BIO *data, X509 *signcert, EVP_PKEY *signkey, - STACK_OF(X509) *encryption_recip, - OSSL_LIB_CTX *libctx, const char *propq) +CMS_EnvelopedData *CMS_sign_encrypt(BIO *data, X509 *sign_cert, STACK_OF(X509) *certs, + EVP_PKEY *sign_key, unsigned int sign_flags, + STACK_OF(X509) *enc_recip, const EVP_CIPHER *cipher, + unsigned int enc_flags, OSSL_LIB_CTX *libctx, const char *propq) { CMS_EnvelopedData *evd = NULL; - BIO *privbio = NULL, *signbio = NULL, *envelopbio = NULL; + BIO *privbio = NULL, *signbio = NULL; CMS_ContentInfo *signcms = NULL, *evpcms = NULL; - if (data == NULL || signkey == NULL || signcert == NULL || encryption_recip == NULL) { + if (data == NULL || sign_key == NULL || sign_cert == NULL || enc_recip == NULL) { ERR_raise(ERR_LIB_CMS, ERR_R_PASSED_NULL_PARAMETER); return NULL; } - - signcms = CMS_sign_ex(signcert, signkey, NULL, data, CMS_BINARY, - libctx, propq); + signcms = CMS_sign_ex(sign_cert, sign_key, certs, data, sign_flags, libctx, propq); if (signcms == NULL) goto err; @@ -759,8 +758,7 @@ CMS_EnvelopedData *CMS_env_sign_data(BIO *data, X509 *signcert, EVP_PKEY *signke || ASN1_item_i2d_bio(ASN1_ITEM_rptr(CMS_SignedData), signbio, signcms->d.signedData) <= 0) goto err; - evpcms = CMS_encrypt_ex(encryption_recip, signbio, - EVP_aes_256_cbc(), CMS_BINARY, libctx, propq); + evpcms = CMS_encrypt_ex(enc_recip, signbio, cipher, enc_flags, libctx, propq); if (evpcms == NULL) goto err; evd = CMS_EnvelopedData_dup(evpcms->d.envelopedData); @@ -768,7 +766,6 @@ CMS_EnvelopedData *CMS_env_sign_data(BIO *data, X509 *signcert, EVP_PKEY *signke err: BIO_free(privbio); BIO_free(signbio); - BIO_free(envelopbio); CMS_ContentInfo_free(signcms); CMS_ContentInfo_free(evpcms); diff --git a/crypto/crmf/crmf_lib.c b/crypto/crmf/crmf_lib.c index 9c474f41f5dd9d..3a8deb3b6e5f17 100644 --- a/crypto/crmf/crmf_lib.c 
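Review bot: In the @@ -736 hunk of crypto/cms/cms_lib.c, CMS_sign_encrypt() now takes the cipher from the caller, but the NULL-argument check still covers only `data`, `sign_key`, `sign_cert` and `enc_recip`, and the result is always read from `evpcms->d.envelopedData` (@@ -759 hunk). As far as I know CMS_encrypt_ex() builds an AuthEnvelopedData rather than an EnvelopedData when given an AEAD cipher, in which case that union member is the wrong one to duplicate; please confirm, and either reject such ciphers or check the content type before the dup. A guard such as `if (cipher == NULL || (EVP_CIPHER_get_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) != 0)` with an ERR_raise and `return NULL`, placed next to the existing parameter check, would cover both cases, and the man page should state the restriction. `privbio` is still declared and freed but does not appear to be assigned in the visible lines.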
+++ b/crypto/crmf/crmf_lib.c @@ -618,8 +618,7 @@ int OSSL_CRMF_CERTTEMPLATE_fill(OSSL_CRMF_CERTTEMPLATE *tmpl, DECLARE_ASN1_ITEM(CMS_SignedData) /* copied from cms_local.h */ /* check for KGA authorization implied by CA flag or by explicit EKU cmKGA */ -static int check_cmKGA(ossl_unused const X509_PURPOSE *purpose, - const X509 *x, int ca) +static int check_cmKGA(ossl_unused const X509_PURPOSE *purpose, const X509 *x, int ca) { STACK_OF(ASN1_OBJECT) *ekus; int i, ret = 1; @@ -639,12 +638,10 @@ static int check_cmKGA(ossl_unused const X509_PURPOSE *purpose, } #endif /* OPENSSL_NO_CMS */ -EVP_PKEY -*OSSL_CRMF_ENCRYPTEDKEY_get1_pkey(OSSL_CRMF_ENCRYPTEDKEY *encryptedKey, - X509_STORE *ts, STACK_OF(X509) *extra, - EVP_PKEY *pkey, X509 *cert, - ASN1_OCTET_STRING *secret, - OSSL_LIB_CTX *libctx, const char *propq) +EVP_PKEY *OSSL_CRMF_ENCRYPTEDKEY_get1_pkey(const OSSL_CRMF_ENCRYPTEDKEY *encryptedKey, + X509_STORE *ts, STACK_OF(X509) *extra, EVP_PKEY *pkey, + X509 *cert, ASN1_OCTET_STRING *secret, + OSSL_LIB_CTX *libctx, const char *propq) { #ifndef OPENSSL_NO_CMS BIO *bio = NULL; @@ -660,7 +657,7 @@ EVP_PKEY return NULL; } if (encryptedKey->type != OSSL_CRMF_ENCRYPTEDKEY_ENVELOPEDDATA) { - unsigned char *p = NULL; + unsigned char *p; const unsigned char *p_copy; int len; @@ -684,10 +681,8 @@ EVP_PKEY goto end; } sd = ASN1_item_d2i_bio(ASN1_ITEM_rptr(CMS_SignedData), bio, NULL); - if (sd == NULL) { - ERR_raise(ERR_LIB_CRMF, CRMF_R_ERROR_VERIFYING_ENCRYPTEDKEY); + if (sd == NULL) goto end; - } if ((ts_vpm = X509_STORE_get0_param(ts)) == NULL || (bak_vpm = X509_VERIFY_PARAM_new()) == NULL /* copy of VPMs of ts */ @@ -700,8 +695,6 @@ EVP_PKEY goto end; } - /* workaround for CMS_add0_cert() in cms_lib.c not allowing duplicate untrusted certs */ - extra = NULL; pkey_bio = CMS_SignedData_verify(sd, NULL, NULL /* scerts */, ts, extra, NULL, 0, libctx, propq); 
@@ -776,7 +769,7 @@ unsigned char cikeysize = EVP_CIPHER_get_key_length(cipher); /* first the symmetric key needs to be decrypted */ pkctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, propq); - if (pkctx != NULL && EVP_PKEY_decrypt_init(pkctx)) { + if (pkctx != NULL && EVP_PKEY_decrypt_init(pkctx) > 0) { ASN1_BIT_STRING *encKey = enc->encSymmKey; size_t failure; int retval; @@ -785,13 +778,12 @@ unsigned char encKey->data, encKey->length) <= 0 || (ek = OPENSSL_malloc(eksize)) == NULL) goto end; - retval = EVP_PKEY_decrypt(pkctx, ek, &eksize, - encKey->data, encKey->length); - ERR_clear_error(); /* error state may have sensitive information */ + retval = EVP_PKEY_decrypt(pkctx, ek, &eksize, encKey->data, encKey->length); failure = ~constant_time_is_zero_s(constant_time_msb(retval) | constant_time_is_zero(retval)); failure |= ~constant_time_eq_s(eksize, (size_t)cikeysize); if (failure) { + ERR_clear_error(); /* error state may have sensitive information */ ERR_raise(ERR_LIB_CRMF, CRMF_R_ERROR_DECRYPTING_SYMMETRIC_KEY); goto end; } @@ -842,10 +834,8 @@ unsigned char * returns a pointer to the decrypted certificate * returns NULL on error or if no certificate available */ -X509 -*OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(const OSSL_CRMF_ENCRYPTEDVALUE *ecert, - OSSL_LIB_CTX *libctx, const char *propq, - EVP_PKEY *pkey) +X509 *OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(const OSSL_CRMF_ENCRYPTEDVALUE *ecert, EVP_PKEY *pkey, + OSSL_LIB_CTX *libctx, const char *propq) { unsigned char *buf = NULL; const unsigned char *p; @@ -853,9 +843,9 @@ X509 X509 *cert = NULL; buf = OSSL_CRMF_ENCRYPTEDVALUE_decrypt(ecert, pkey, &len, libctx, propq); - if ((p = buf) == NULL - || (cert = X509_new_ex(libctx, propq)) == NULL) + if ((p = buf) == NULL || (cert = X509_new_ex(libctx, propq)) == NULL) goto end; + if (d2i_X509(&cert, &p, len) == NULL) { ERR_raise(ERR_LIB_CRMF, CRMF_R_ERROR_DECODING_CERTIFICATE); X509_free(cert); 
@@ -873,10 +863,9 @@ X509 * returns a pointer to the decrypted certificate * returns NULL on error or if no certificate available */ -X509 -*OSSL_CRMF_ENCRYPTEDKEY_get1_encCert(const OSSL_CRMF_ENCRYPTEDKEY *ecert, - OSSL_LIB_CTX *libctx, const char *propq, - EVP_PKEY *pkey, unsigned int flags) +X509 *OSSL_CRMF_ENCRYPTEDKEY_get1_encCert(const OSSL_CRMF_ENCRYPTEDKEY *ecert, + EVP_PKEY *pkey, unsigned int flags, + OSSL_LIB_CTX *libctx, const char *propq) { #ifndef OPENSSL_NO_CMS BIO *bio; @@ -884,8 +873,8 @@ X509 #endif if (ecert->type != OSSL_CRMF_ENCRYPTEDKEY_ENVELOPEDDATA) - return OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(ecert->value.encryptedValue, - libctx, propq, pkey); + return OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(ecert->value.encryptedValue, pkey, + libctx, propq); #ifndef OPENSSL_NO_CMS bio = CMS_EnvelopedData_decrypt(ecert->value.envelopedData, NULL, pkey, NULL /* cert */, NULL, flags, @@ -905,8 +894,7 @@ X509 } #ifndef OPENSSL_NO_CMS -OSSL_CRMF_ENCRYPTEDKEY -*OSSL_CRMF_ENCRYPTEDKEY_init_envdata(CMS_EnvelopedData *envdata) +OSSL_CRMF_ENCRYPTEDKEY *OSSL_CRMF_ENCRYPTEDKEY_init_envdata(CMS_EnvelopedData *envdata) { OSSL_CRMF_ENCRYPTEDKEY *ek = OSSL_CRMF_ENCRYPTEDKEY_new(); diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in index 11614e327a2a29..e1f711821ea839 100644 --- a/doc/man1/openssl-cmp.pod.in +++ b/doc/man1/openssl-cmp.pod.in @@ -142,7 +142,7 @@ Mock server options: [B<-srv_untrusted> I|I] [B<-ref_cert> I|I] [B<-rsp_cert> I|I] -[B<-rsp_cert_key> I|I] +[B<-rsp_key> I|I] [B<-rsp_keypass> I|I] [B<-rsp_crl> I|I] [B<-rsp_extracerts> I|I] @@ -319,7 +319,7 @@ This applies to B<-cmd> I. =item B<-newkeyout> I -File to save private key generated by central key generation. +File to save centrally generated private key, in PEM format. =item B<-subject> I 
@@ -393,7 +393,8 @@ Flag the policies given with B<-policy_oids> as critical. =item B<-popo> I Proof-of-possession (POPO) method to use for IR/CR/KUR; values: C<-1>..<2> where -C<-1> = NONE, C<0> = RAVERIFIED, C<1> = SIGNATURE (default), C<2> = KEYENC. +C<-1> = NONE, which implies central key generation, +C<0> = RAVERIFIED, C<1> = SIGNATURE (default), C<2> = KEYENC. Note that a signature-based POPO can only be produced if a private key is provided via the B<-newkey> or B<-key> options. @@ -1207,7 +1208,7 @@ Certificate to be expected for RR messages and any oldCertID in KUR messages. Certificate to be returned as mock enrollment result. -=item B<-rsp_cert_key> I|I +=item B<-rsp_key> I|I Private key to be returned as central key generation result. @@ -1521,6 +1522,9 @@ The B<-profile> option was added in OpenSSL 3.3. B<-crlcert>, B<-oldcrl>, B<-crlout>, B<-crlform> and B<-rsp_crl> options were added in OpenSSL 3.4. +B<-centralkeygen>, b<-newkeyout>. B<-rsp_key> and +B<-rsp_keypass> were added in OpenSSL 3.5. + =head1 COPYRIGHT Copyright 2007-2024 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man3/CMS_EnvelopedData_create.pod b/doc/man3/CMS_EnvelopedData_create.pod index a5a24ff1fd186d..f48f86f560fc56 100644 --- a/doc/man3/CMS_EnvelopedData_create.pod +++ b/doc/man3/CMS_EnvelopedData_create.pod @@ -4,7 +4,7 @@ CMS_EnvelopedData_create_ex, CMS_EnvelopedData_create, CMS_AuthEnvelopedData_create, CMS_AuthEnvelopedData_create_ex, -CMS_env_sign_data +CMS_sign_encrypt - Create CMS envelope =head1 SYNOPSIS 
@@ -20,9 +20,11 @@ CMS_env_sign_data CMS_AuthEnvelopedData_create_ex(const EVP_CIPHER *cipher, OSSL_LIB_CTX *libctx, const char *propq); CMS_ContentInfo *CMS_AuthEnvelopedData_create(const EVP_CIPHER *cipher); - CMS_EnvelopedData *CMS_env_sign_data(BIO *data, X509 *signcert, EVP_PKEY *signkey, - STACK_OF(X509) *encryption_recip, - OSSL_LIB_CTX *libctx, const char *propq); + + CMS_EnvelopedData *CMS_sign_encrypt(BIO *data, X509 *sign_cert, STACK_OF(X509) *certs, + EVP_PKEY *sign_key, unsigned int sign_flags, + STACK_OF(X509) *enc_recip, const EVP_CIPHER *cipher, + unsigned int enc_flags, OSSL_LIB_CTX *libctx, const char *propq); =head1 DESCRIPTION @@ -51,12 +53,24 @@ CMS_EnvelopedData_create_ex() and CMS_AuthEnvelopedData_create_ex() but use default values of NULL for the library context I and the property query I. -CMS_env_sign_data() creates a B structure for recipients in -I. I is signed using I and I to -create B and then encrypted using I to +CMS_sign_encrypt() creates a B structure for recipients in +I. + +I is signed using I and I to +create B and then encrypted using I to create B. The library context I and the property query I are used when retrieving algorithms from providers. +I is an optional additional set of certificates to include in the +B structure (e.g., any intermediate CAs in the chain of the signer certificate). + +I is an optional set of flags for the signing operation. +see L for more information. + +I is an optional set of flags for the encryption operation. +see L for more information. + + =head1 NOTES Although CMS_EnvelopedData_create_ex(), and CMS_EnvelopedData_create(), 
@@ -67,19 +81,24 @@ The wrappers L and L are often used instead. =head1 RETURN VALUES If the allocation fails, CMS_EnvelopedData_create_ex(), -CMS_EnvelopedData_create(), CMS_AuthEnvelopedData_create_ex(), and -CMS_AuthEnvelopedData_create() return NULL and set an error code that can be -obtained by L. Otherwise they return a pointer to the newly +CMS_EnvelopedData_create(), CMS_AuthEnvelopedData_create_ex() +CMS_AuthEnvelopedData_create(), CMS_AuthEnvelopedData_create(), +CMS_AuthEnvelopedData_create_ex() and CMS_sign_encrypt() return NULL and set an error code +that can be obtained by L. Otherwise they return a pointer to the newly allocated structure. =head1 SEE ALSO -L, L, L, L +L, L, L, L, +L, L =head1 HISTORY The CMS_EnvelopedData_create_ex() method was added in OpenSSL 3.0. +CMS_AuthEnvelopedData_create(), CMS_AuthEnvelopedData_create_ex() +and CMS_sign_encrypt() were added in OpenSSL 3.5. + =head1 COPYRIGHT Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man3/OSSL_CMP_CTX_new.pod b/doc/man3/OSSL_CMP_CTX_new.pod index 01474ee0ba1ccf..483524981a5c1d 100644 --- a/doc/man3/OSSL_CMP_CTX_new.pod +++ b/doc/man3/OSSL_CMP_CTX_new.pod @@ -273,7 +273,8 @@ The following options can be set: Select the proof of possession method to use. Possible values are: - OSSL_CRMF_POPO_NONE - ProofOfPossession field omitted + OSSL_CRMF_POPO_NONE - ProofOfPossession field omitted, + which implies central key generation OSSL_CRMF_POPO_RAVERIFIED - assert that the RA has already verified the PoPo OSSL_CRMF_POPO_SIGNATURE - sign a value with private key, diff --git a/doc/man3/OSSL_CMP_SRV_CTX_new.pod b/doc/man3/OSSL_CMP_SRV_CTX_new.pod index 052a44a240e0da..3472bfbf366d7f 100644 --- a/doc/man3/OSSL_CMP_SRV_CTX_new.pod +++ b/doc/man3/OSSL_CMP_SRV_CTX_new.pod 
@@ -93,7 +93,7 @@ OSSL_CMP_SRV_CTX_centralKeygen_req int OSSL_CMP_SRV_CTX_set_grant_implicit_confirm(OSSL_CMP_SRV_CTX *srv_ctx, int val); int OSSL_CMP_SRV_CTX_centralKeygen_req(const OSSL_CRMF_MSG *crm, - X509_REQ *p10cr); + const X509_REQ *p10cr); =head1 DESCRIPTION @@ -158,10 +158,10 @@ messages with POPO 'RAVerified'. OSSL_CMP_SRV_CTX_set_grant_implicit_confirm() enables granting implicit confirmation of newly enrolled certificates if requested. -OSSL_CMP_SRV_CTX_centralKeygen_req() returns I if central key generaion -is requested i.e, public key in certificate request (I or I) is NULL -or have zero length. - +OSSL_CMP_SRV_CTX_centralKeygen_req() returns 1 if central key generation +is requested i.e., the public key in the certificate request (I if non-NULL, +otherwise I) is NULL or has an empty key value (with length zero). +Otherwise or on error it returns 0. =head1 NOTES @@ -193,6 +193,9 @@ OSSL_CMP_SRV_CTX_init_trans() supporting delayed delivery of all types of response messages was added in OpenSSL 3.3. +OSSL_CMP_SRV_CTX_set_grant_implicit_confirm() and OSSL_CMP_SRV_CTX_centralKeygen_req() +were added in OpenSSL 3.5. + =head1 COPYRIGHT Copyright 2007-2024 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod b/doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod index 8ad24b7c7ed23d..cf5cd9c085180b 100644 --- a/doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod +++ b/doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod 
@@ -38,10 +38,9 @@ OSSL_CRMF_MSG_get_certReqId *OSSL_CRMF_CERTID_get0_serialNumber(const OSSL_CRMF_CERTID *cid); const X509_NAME *OSSL_CRMF_CERTID_get0_issuer(const OSSL_CRMF_CERTID *cid); - X509 - *OSSL_CRMF_ENCRYPTEDKEY_get1_encCert(const OSSL_CRMF_ENCRYPTEDKEY *ecert, - OSSL_LIB_CTX *libctx, const char *propq, - EVP_PKEY *pkey, unsigned int flags); + X509 *OSSL_CRMF_ENCRYPTEDKEY_get1_encCert(const OSSL_CRMF_ENCRYPTEDKEY *ecert, + EVP_PKEY *pkey, unsigned int flags + OSSL_LIB_CTX *libctx, const char *propq); EVP_PKEY *OSSL_CRMF_ENCRYPTEDKEY_get1_pkey(OSSL_CRMF_ENCRYPTEDKEY *encryptedKey, X509_STORE *ts, STACK_OF(X509) *extra, @@ -56,9 +55,8 @@ OSSL_CRMF_MSG_get_certReqId EVP_PKEY *pkey, int *outlen, OSSL_LIB_CTX *libctx, const char *propq); X509 - *OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(const OSSL_CRMF_ENCRYPTEDVALUE *ecert, - OSSL_LIB_CTX *libctx, const char *propq, - EVP_PKEY *pkey); + *OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(const OSSL_CRMF_ENCRYPTEDVALUE *ecert, EVP_PKEY *pkey + OSSL_LIB_CTX *libctx, const char *propq); int OSSL_CRMF_MSG_get_certReqId(const OSSL_CRMF_MSG *crm); @@ -136,7 +134,7 @@ OSSL_CRMF_CERTTEMPLATE_get0_publicKey() was added in OpenSSL 3.2. OSSL_CRMF_ENCRYPTEDKEY_get1_encCert(), OSSL_CRMF_ENCRYPTEDKEY_get1_pkey(), OSSL_CRMF_ENCRYPTEDKEY_init_envdata() and OSSL_CRMF_ENCRYPTEDVALUE_decrypt() -were added in OpenSSL 3.4. +were added in OpenSSL 3.5. =head1 COPYRIGHT diff --git a/doc/man3/X509_dup.pod b/doc/man3/X509_dup.pod index bc13f6fef4f322..39abe3a2cfb329 100644 --- a/doc/man3/X509_dup.pod +++ b/doc/man3/X509_dup.pod @@ -462,7 +462,7 @@ The functions DSAparams_dup(), RSAPrivateKey_dup() and RSAPublicKey_dup() were deprecated in 3.0. The function CMS_EnvelopedData_dup(), OSSL_CRMF_ENCRYPTEDKEY_free(), -OSSL_CRMF_ENCRYPTEDKEY_it() and OSSL_CRMF_ENCRYPTEDKEY_new() were added in OpenSSL 3.4. +OSSL_CRMF_ENCRYPTEDKEY_it() and OSSL_CRMF_ENCRYPTEDKEY_new() were added in OpenSSL 3.5. =head1 COPYRIGHT 
diff --git a/include/crypto/cmperr.h b/include/crypto/cmperr.h index 89512baabb9def..2bd1637384661b 100644 --- a/include/crypto/cmperr.h +++ b/include/crypto/cmperr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/crypto/crmferr.h b/include/crypto/crmferr.h index 89f80eee6b1545..f1a27e04993b60 100644 --- a/include/crypto/crmferr.h +++ b/include/crypto/crmferr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/cmp.h.in b/include/openssl/cmp.h.in index 13a059266b2727..5866dcec6952e5 100644 --- a/include/openssl/cmp.h.in +++ b/include/openssl/cmp.h.in @@ -543,7 +543,7 @@ int OSSL_CMP_SRV_CTX_set_accept_raverified(OSSL_CMP_SRV_CTX *srv_ctx, int val); int OSSL_CMP_SRV_CTX_set_grant_implicit_confirm(OSSL_CMP_SRV_CTX *srv_ctx, int val); int OSSL_CMP_SRV_CTX_centralKeygen_req(const OSSL_CRMF_MSG *crm, - X509_REQ *p10cr); + const X509_REQ *p10cr); /* from cmp_client.c */ X509 *OSSL_CMP_exec_certreq(OSSL_CMP_CTX *ctx, int req_type, diff --git a/include/openssl/cms.h.in b/include/openssl/cms.h.in index 2e7464e721573c..8149e431eed3e5 100644 --- a/include/openssl/cms.h.in +++ b/include/openssl/cms.h.in 
@@ -399,9 +399,11 @@ int CMS_RecipientInfo_kari_decrypt(CMS_ContentInfo *cms, int CMS_SharedInfo_encode(unsigned char **pder, X509_ALGOR *kekalg, ASN1_OCTET_STRING *ukm, int keylen); -CMS_EnvelopedData *CMS_env_sign_data(BIO *data, X509 *signcert, EVP_PKEY *signkey, - STACK_OF(X509) *encryption_recip, - OSSL_LIB_CTX *libctx, const char *propq); +CMS_EnvelopedData *CMS_sign_encrypt(BIO *data, X509 *sign_cert, STACK_OF(X509) *certs, + EVP_PKEY *sign_key, unsigned int sign_flags, + STACK_OF(X509) *enc_recip, const EVP_CIPHER *cipher, + unsigned int enc_flags, OSSL_LIB_CTX *libctx, + const char *propq); /* Backward compatibility for spelling errors. */ # define CMS_R_UNKNOWN_DIGEST_ALGORITM CMS_R_UNKNOWN_DIGEST_ALGORITHM diff --git a/include/openssl/crmf.h.in b/include/openssl/crmf.h.in index 71d25c374a02ab..f47445791b4ba9 100644 --- a/include/openssl/crmf.h.in +++ b/include/openssl/crmf.h.in 
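Review bot: The `cipher` argument added to `CMS_sign_encrypt()` in include/openssl/cms.h.in has no stated contract anywhere visible in this change. The DESCRIPTION added to the man page covers the signer inputs, `certs`, `sign_flags` and `enc_flags`, but as far as the rendered text shows it never mentions `cipher`. This function envelopes signed content for the recipients (presumably the centrally generated private key in the CMP case), so callers need to know whether NULL is accepted and which algorithm is then used. I would add a short comment above the declaration, e.g. `/* sign 'data' with sign_key/sign_cert, then envelope the SignedData for enc_recip using 'cipher' */`, and a sentence on `cipher` next to the `sign_flags`/`enc_flags` paragraphs in the pod.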
@@ -181,27 +181,21 @@ int OSSL_CRMF_CERTTEMPLATE_fill(OSSL_CRMF_CERTTEMPLATE *tmpl, const X509_NAME *subject, const X509_NAME *issuer, const ASN1_INTEGER *serial); -X509 -*OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(const OSSL_CRMF_ENCRYPTEDVALUE *ecert, - OSSL_LIB_CTX *libctx, const char *propq, - EVP_PKEY *pkey); -X509 -*OSSL_CRMF_ENCRYPTEDKEY_get1_encCert(const OSSL_CRMF_ENCRYPTEDKEY *ecert, - OSSL_LIB_CTX *libctx, const char *propq, - EVP_PKEY *pkey, unsigned int flags); +X509 *OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(const OSSL_CRMF_ENCRYPTEDVALUE *ecert, EVP_PKEY *pkey, + OSSL_LIB_CTX *libctx, const char *propq); +X509 *OSSL_CRMF_ENCRYPTEDKEY_get1_encCert(const OSSL_CRMF_ENCRYPTEDKEY *ecert, + EVP_PKEY *pkey, unsigned int flags, + OSSL_LIB_CTX *libctx, const char *propq); unsigned char *OSSL_CRMF_ENCRYPTEDVALUE_decrypt(const OSSL_CRMF_ENCRYPTEDVALUE *enc, EVP_PKEY *pkey, int *outlen, OSSL_LIB_CTX *libctx, const char *propq); -EVP_PKEY -*OSSL_CRMF_ENCRYPTEDKEY_get1_pkey(OSSL_CRMF_ENCRYPTEDKEY *encryptedKey, - X509_STORE *ts, STACK_OF(X509) *extra, - EVP_PKEY *pkey, X509 *cert, - ASN1_OCTET_STRING *secret, - OSSL_LIB_CTX *libctx, const char *propq); +EVP_PKEY *OSSL_CRMF_ENCRYPTEDKEY_get1_pkey(const OSSL_CRMF_ENCRYPTEDKEY *encryptedKey, + X509_STORE *ts, STACK_OF(X509) *extra, EVP_PKEY *pkey, + X509 *cert, ASN1_OCTET_STRING *secret, + OSSL_LIB_CTX *libctx, const char *propq); # ifndef OPENSSL_NO_CMS -OSSL_CRMF_ENCRYPTEDKEY -*OSSL_CRMF_ENCRYPTEDKEY_init_envdata(CMS_EnvelopedData *envdata); +OSSL_CRMF_ENCRYPTEDKEY *OSSL_CRMF_ENCRYPTEDKEY_init_envdata(CMS_EnvelopedData *envdata); # endif # ifdef __cplusplus diff --git a/include/openssl/crmferr.h b/include/openssl/crmferr.h index 47ac046c57633f..8fcabee78714b7 100644 --- a/include/openssl/crmferr.h +++ b/include/openssl/crmferr.h 
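Review bot: Moving `pkey` ahead of `libctx`/`propq` in `OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert()` changes the argument order of a function that looks already released, since the HISTORY text touched by this commit lists only the ENCRYPTEDKEY functions and `OSSL_CRMF_ENCRYPTEDVALUE_decrypt()` as new in 3.5. All three reordered parameters are pointers, so a binary built against the old header would still link and pass them in the wrong positions; a caller that passed NULL for `libctx` and `propq` would then hand a NULL key to the decryption. If the function is indeed public in an earlier release, keep its original order `(ecert, libctx, propq, pkey)` and apply the new ordering only to the functions introduced here. Separately, the pod synopsis in this commit no longer matches these declarations: its new lines omit the comma after `unsigned int flags` and after `EVP_PKEY *pkey`, and it still shows `OSSL_CRMF_ENCRYPTEDKEY_get1_pkey()` without the `const` added here.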
@@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/test/cmp_msg_test.c b/test/cmp_msg_test.c index ba1fc58854c79a..e98b5624285b53 100644 --- a/test/cmp_msg_test.c +++ b/test/cmp_msg_test.c @@ -403,7 +403,7 @@ static int execute_certrep_create(CMP_MSG_TEST_FIXTURE *fixture) goto err; if (!TEST_ptr_null(ossl_cmp_certrepmessage_get0_certresponse(crepmsg, 88))) goto err; - certfromresp = ossl_cmp_certresponse_get1_cert_key(read_cresp, ctx, NULL); + certfromresp = ossl_cmp_certresponse_get1_cert(ctx, read_cresp); if (certfromresp == NULL || !TEST_int_eq(X509_cmp(cert, certfromresp), 0)) goto err; diff --git a/test/recipes/80-test_cmp_http_data/Mock/server.cnf b/test/recipes/80-test_cmp_http_data/Mock/server.cnf index fbd4d418b882bf..e2a47ff62edfa0 100644 --- a/test/recipes/80-test_cmp_http_data/Mock/server.cnf +++ b/test/recipes/80-test_cmp_http_data/Mock/server.cnf @@ -12,7 +12,7 @@ no_cache_extracerts = 1 ref_cert = signer_only.crt rsp_cert = signer_only.crt -rsp_cert_key = signer.key +rsp_key = new.key rsp_crl = newcrl.pem rsp_capubs = trusted.crt rsp_extracerts = signer_issuing.crt diff --git a/test/recipes/80-test_cmp_http_data/test_commands.csv b/test/recipes/80-test_cmp_http_data/test_commands.csv index 014eef596bb991..e3162ae0042705 100644 --- a/test/recipes/80-test_cmp_http_data/test_commands.csv +++ b/test/recipes/80-test_cmp_http_data/test_commands.csv 
@@ -138,9 +138,11 @@ expected,description, -section,val, -cmd,val,val2, -cacertsout,val,val2, -infoty 1,reqin ir and rspout - no newkey but -popo -1, -section,, -cmd,ir,,-reqin,_RESULT_DIR/ir2.der,,-rspout,_RESULT_DIR/ip2.der,-newkey,"""",-popo,-1,-newkeyout,_RESULT_DIR/newkeyout.pem 1,reqin ip and rspin - no newkey but -popo -1, -section,, -cmd,ir,,-reqin,_RESULT_DIR/ir2.der,,-rspin,_RESULT_DIR/ip2.der,,-newkey,"""",-server,"""",-disable_confirm,-popo,-1,-newkeyout,_RESULT_DIR/newkeyout.pem ,,,,,,,,,,,,,,,,,,, -1,central key generation, -section,, -cmd,cr,, -centralkeygen, -newkeyout,_RESULT_DIR/newkeyout.pem +1,central key generation, -section,, -cmd,cr,, -centralkeygen, -newkeyout,_RESULT_DIR/newkeyout1.pem 0,central key generation missing newkeyout, -section,, -cmd,cr,, -centralkeygen,,BLANK,,BLANK,,BLANK,,BLANK, 0,using popo=1 with central key generation, -section,, -cmd,cr,, -centralkeygen, -popo,1, -newkeyout,_RESULT_DIR/newkeyout.pem -1, using popo=-1 with central key generation, -section,, -cmd,cr,, -centralkeygen, -popo,-1, -newkeyout,_RESULT_DIR/newkeyout.pem -1, uisng popo=-1 instead of central key generation, -section,, -cmd,cr,, -popo,-1, -newkeyout,_RESULT_DIR/newkeyout.pem +1, using popo=-1 with central key generation, -section,, -cmd,cr,, -centralkeygen, -popo,-1, -newkeyout,_RESULT_DIR/newkeyout2.pem +1, using popo=-1 instead of central key generation, -section,, -cmd,cr,, -popo,-1, -newkeyout,_RESULT_DIR/newkeyout3.pem, -newkeypass,pass:12345, -certout,_RESULT_DIR/test.cert3.pem +1, using centrally generated credentials , -section,, -cmd,cr,,-cert,_RESULT_DIR/test.cert3.pem, -key,_RESULT_DIR/newkeyout3.pem, -keypass,pass:12345 +0, using centrally generated credentials with wrong password , -section,, -cmd,cr,,-cert,_RESULT_DIR/test.cert3.pem, -key,_RESULT_DIR/newkeyout3.pem, -keypass,pass:wrong 0, using popo=-1 instead of central key generation without newkeyout, -section,, -cmd,cr,, -popo,-1,,BLANK,,BLANK,,BLANK,,BLANK, \ No newline at end of 
file