diff --git a/crypto/cmp/cmp_asn.c b/crypto/cmp/cmp_asn.c
index 87258635f1d7e..ae4c7536d1d76 100644
--- a/crypto/cmp/cmp_asn.c
+++ b/crypto/cmp/cmp_asn.c
@@ -494,7 +494,7 @@ ASN1_CHOICE(OSSL_CMP_CERTORENCCERT) = {
 /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
 ASN1_EXP(OSSL_CMP_CERTORENCCERT, value.certificate, X509, 0),
 ASN1_EXP(OSSL_CMP_CERTORENCCERT, value.encryptedCert,
- OSSL_CRMF_ENCRYPTEDVALUE, 1),
+ OSSL_CRMF_ENCRYPTEDKEY, 1),
 } ASN1_CHOICE_END(OSSL_CMP_CERTORENCCERT)
 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CERTORENCCERT)
 
@@ -502,7 +502,7 @@ ASN1_SEQUENCE(OSSL_CMP_CERTIFIEDKEYPAIR) = {
 ASN1_SIMPLE(OSSL_CMP_CERTIFIEDKEYPAIR, certOrEncCert,
 OSSL_CMP_CERTORENCCERT),
 ASN1_EXP_OPT(OSSL_CMP_CERTIFIEDKEYPAIR, privateKey,
- OSSL_CRMF_ENCRYPTEDVALUE, 0),
+ OSSL_CRMF_ENCRYPTEDKEY, 0),
 ASN1_EXP_OPT(OSSL_CMP_CERTIFIEDKEYPAIR, publicationInfo,
 OSSL_CRMF_PKIPUBLICATIONINFO, 1)
 } ASN1_SEQUENCE_END(OSSL_CMP_CERTIFIEDKEYPAIR)
diff --git a/crypto/cmp/cmp_local.h b/crypto/cmp/cmp_local.h
index b09930a2563a4..7bfe4e3efcc7b 100644
--- a/crypto/cmp/cmp_local.h
+++ b/crypto/cmp/cmp_local.h
@@ -342,7 +342,7 @@ typedef struct ossl_cmp_certorenccert_st {
 int type;
 union {
 X509 *certificate;
- OSSL_CRMF_ENCRYPTEDVALUE *encryptedCert;
+ OSSL_CRMF_ENCRYPTEDKEY *encryptedCert;
 } value;
 } OSSL_CMP_CERTORENCCERT;
 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTORENCCERT)
@@ -350,14 +350,14 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTORENCCERT)
 /*-
 * CertifiedKeyPair ::= SEQUENCE {
 * certOrEncCert CertOrEncCert,
- * privateKey [0] EncryptedValue OPTIONAL,
+ * privateKey [0] EncryptedKey OPTIONAL,
 * -- see [CRMF] for comment on encoding
 * publicationInfo [1] PKIPublicationInfo OPTIONAL
 * }
 */
 typedef struct ossl_cmp_certifiedkeypair_st {
 OSSL_CMP_CERTORENCCERT *certOrEncCert;
- OSSL_CRMF_ENCRYPTEDVALUE *privateKey;
+ OSSL_CRMF_ENCRYPTEDKEY *privateKey;
 OSSL_CRMF_PKIPUBLICATIONINFO *publicationInfo;
 } OSSL_CMP_CERTIFIEDKEYPAIR;
 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTIFIEDKEYPAIR)
diff --git a/crypto/cmp/cmp_msg.c b/crypto/cmp/cmp_msg.c
index 56bf31257045f..659c1774ec517 100644
--- a/crypto/cmp/cmp_msg.c
+++ b/crypto/cmp/cmp_msg.c
@@ -1080,10 +1080,9 @@ X509 *ossl_cmp_certresponse_get1_cert(const OSSL_CMP_CTX *ctx,
 ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_PRIVATE_KEY);
 return NULL;
 }
- crt =
- OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(coec->value.encryptedCert,
+ crt = OSSL_CRMF_ENCRYPTEDKEY_get1_encCert(coec->value.encryptedCert,
 ctx->libctx, ctx->propq,
- pkey);
+ pkey, 0);
 break;
 default:
 ERR_raise(ERR_LIB_CMP, CMP_R_UNKNOWN_CERT_TYPE);
diff --git a/crypto/crmf/crmf_asn.c b/crypto/crmf/crmf_asn.c
index 85b4213934a92..02da2f9d9050e 100644
--- a/crypto/crmf/crmf_asn.c
+++ b/crypto/crmf/crmf_asn.c
@@ -58,6 +58,19 @@ ASN1_SEQUENCE(OSSL_CRMF_ENCRYPTEDVALUE) = {
 } ASN1_SEQUENCE_END(OSSL_CRMF_ENCRYPTEDVALUE)
 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CRMF_ENCRYPTEDVALUE)
 
+/*
+ * Note from CMP Updates defining CMPv3:
+ * The EncryptedKey structure defined in CRMF [RFC4211] is reused
+ * here, which makes the update backward compatible. Using the new
+ * syntax with the untagged default choice EncryptedValue is bits-on-
+ * the-wire compatible with the old syntax.
+ */
+ASN1_CHOICE(OSSL_CRMF_ENCRYPTEDKEY) = {
+ ASN1_SIMPLE(OSSL_CRMF_ENCRYPTEDKEY, value.encryptedValue, OSSL_CRMF_ENCRYPTEDVALUE),
+ ASN1_IMP(OSSL_CRMF_ENCRYPTEDKEY, value.envelopedData, CMS_EnvelopedData, 0),
+} ASN1_CHOICE_END(OSSL_CRMF_ENCRYPTEDKEY)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_CRMF_ENCRYPTEDKEY)
+
 ASN1_SEQUENCE(OSSL_CRMF_SINGLEPUBINFO) = {
 ASN1_SIMPLE(OSSL_CRMF_SINGLEPUBINFO, pubMethod, ASN1_INTEGER),
 ASN1_SIMPLE(OSSL_CRMF_SINGLEPUBINFO, pubLocation, GENERAL_NAME)
diff --git a/crypto/crmf/crmf_local.h b/crypto/crmf/crmf_local.h
index e8937b4231e64..f34a67be40a39 100644
--- a/crypto/crmf/crmf_local.h
+++ b/crypto/crmf/crmf_local.h
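Review bot: The new `flags` argument on the `pkey, 0);` line is a bare literal, and nothing in this diff defines what the bits of `unsigned int flags` mean, so a reader cannot tell whether 0 means "no options" or selects a particular mode. Suggest `pkey, 0 /* flags: none */);` here, or better a named constant once the header states the accepted values. The `CMP_R_MISSING_PRIVATE_KEY` early return just above the call now sits in front of both EncryptedKey alternatives; if the envelopedData form can be unwrapped with something other than the recipient's private key (not visible from this hunk), that guard would reject a valid response, so a comment stating why a private key is required in both cases would help. ossl_cmp_certresponse_get1_cert starts and ends outside the hunk.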
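Review bot: The `ASN1_SIMPLE(OSSL_CRMF_ENCRYPTEDKEY, value.encryptedValue, OSSL_CRMF_ENCRYPTEDVALUE),` line is well past 80 columns, which the other templates in this diff avoid by wrapping the type argument; suggest `ASN1_SIMPLE(OSSL_CRMF_ENCRYPTEDKEY, value.encryptedValue,` with `OSSL_CRMF_ENCRYPTEDVALUE),` on a continuation line. The order of the two alternatives also fixes the selector stored in the struct's `type` field, and crmf_local.h hard-codes `OSSL_CRMF_ENCRYPTEDKEY_ENVELOPEDDATA 1` to match while giving the encryptedValue alternative no constant at all; a comment above the CHOICE such as `/* alternative order must match the OSSL_CRMF_ENCRYPTEDKEY_* selectors in crmf_local.h */` plus a matching `0` define for encryptedValue would keep the two files from drifting. Since the comment relies on the untagged EncryptedValue being first for wire compatibility, that ordering constraint is worth stating explicitly rather than leaving it implicit in the template.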
@@ -15,6 +15,7 @@ # define OSSL_CRYPTO_CRMF_LOCAL_H # include +# include /* for CMS_EnvelopedData and CMS_SignedData */ # include /* explicit #includes not strictly needed since implied by the above: */ @@ -51,6 +52,23 @@ struct ossl_crmf_encryptedvalue_st { ASN1_BIT_STRING *encValue; } /* OSSL_CRMF_ENCRYPTEDVALUE */; +/* + * EncryptedKey ::= CHOICE { + * encryptedValue EncryptedValue, -- Deprecated + * envelopedData [0] EnvelopedData } + * -- The encrypted private key MUST be placed in the envelopedData + * -- encryptedContentInfo encryptedContent OCTET STRING. + */ +# define OSSL_CRMF_ENCRYPTEDKEY_ENVELOPEDDATA 1 + +struct ossl_crmf_encryptedkey_st { + int type; + union { + OSSL_CRMF_ENCRYPTEDVALUE *encryptedValue; /* 0 */ /* Deprecated */ + CMS_EnvelopedData *envelopedData; /* 1 */ + } value; +} /* OSSL_CRMF_ENCRYPTEDKEY */; + /*- * Attributes ::= SET OF Attribute * => X509_ATTRIBUTE diff --git a/include/openssl/crmf.h.in b/include/openssl/crmf.h.in index 43411fa42f66f..34b1d05277715 100644 --- a/include/openssl/crmf.h.in +++ b/include/openssl/crmf.h.in @@ -47,6 +47,10 @@ extern "C" { typedef struct ossl_crmf_encryptedvalue_st OSSL_CRMF_ENCRYPTEDVALUE; DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_ENCRYPTEDVALUE) + +typedef struct ossl_crmf_encryptedkey_st OSSL_CRMF_ENCRYPTEDKEY; +DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_ENCRYPTEDKEY) + typedef struct ossl_crmf_msg_st OSSL_CRMF_MSG; DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_MSG) DECLARE_ASN1_DUP_FUNCTION(OSSL_CRMF_MSG) @@ -174,6 +178,10 @@ X509 *OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(const OSSL_CRMF_ENCRYPTEDVALUE *ecert, OSSL_LIB_CTX *libctx, const char *propq, EVP_PKEY *pkey); +X509 +*OSSL_CRMF_ENCRYPTEDKEY_get1_encCert(const OSSL_CRMF_ENCRYPTEDKEY *ecert, + OSSL_LIB_CTX *libctx, const char *propq, + EVP_PKEY *pkey, unsigned int flags); # ifdef __cplusplus }
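Review bot: The comment on the added include names CMS_SignedData, but nothing in this diff uses that type; the only CMS type the new code references is CMS_EnvelopedData in struct ossl_crmf_encryptedkey_st. If a later change in this series adds a SignedData member the comment works as a forward reference, otherwise trim it to `/* for CMS_EnvelopedData */` so it does not send readers looking for a use that does not exist.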
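Review bot: `OSSL_CRMF_ENCRYPTEDKEY_get1_encCert` is new public API, and its `unsigned int flags` parameter has no defined values anywhere in this diff, so callers have nothing to pass but a literal (cmp_msg.c passes 0); the prototype should be preceded by the flag constants it accepts, or by a comment stating that no flags are defined yet and 0 must be passed. The implementation and a man-page entry for the new function are not in this excerpt and may be elsewhere in the commit; if not, both are needed before the symbol is exported. The hunk also places the new declaration directly after the existing `OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert` without saying how the two relate — presumably the new one accepts both EncryptedKey alternatives and the old one only EncryptedValue — and a one-line comment to that effect would help callers choose.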