fixup! CMP: add support for requesting cert template using genm/genp

siemens · May 17, 2024 · 27e0b1e · 27e0b1e
1 parent c201043
commit 27e0b1e
Show file tree

Hide file tree

Showing 5 changed files with 15 additions and 10 deletions.
diff --git a/apps/cmp.c b/apps/cmp.c
@@ -3276,7 +3276,7 @@ static void print_keyspec(OSSL_CMP_ATAVS *keySpec)
             }
             break;
         case NID_id_regCtrl_rsaKeyLen:
-            BIO_printf(mem, "Key algorithm: RSA %d \n",
+            BIO_printf(mem, "Key algorithm: RSA %d\n",
                        OSSL_CMP_ATAV_get_rsaKeyLen(atav));
             break;
         default:

diff --git a/apps/lib/cmp_mock_srv.c b/apps/lib/cmp_mock_srv.c
@@ -495,6 +495,8 @@ static OSSL_CMP_ITAV *process_genm_itav(mock_srv_ctx *ctx, int req_nid,
             OSSL_CRMF_CERTTEMPLATE *reqtemp;
             OSSL_CMP_ATAVS *keyspec = NULL;
             X509_ALGOR *keyalg = NULL;
+            OSSL_CMP_ATAV *rsakeylen, *eckeyalg;
+            int ok = 0;
 
             if ((reqtemp = OSSL_CRMF_CERTTEMPLATE_new()) == NULL)
                 return NULL;
@@ -504,18 +506,21 @@ static OSSL_CMP_ITAV *process_genm_itav(mock_srv_ctx *ctx, int req_nid,
                                              NULL))
                 goto crt_err;
 
-            if ((keyspec = OSSL_CMP_ATAVS_new()) == NULL)
-                goto crt_err;
-
             if ((keyalg = X509_ALGOR_new()) == NULL)
                 goto crt_err;
 
             (void)X509_ALGOR_set0(keyalg, OBJ_nid2obj(NID_X9_62_id_ecPublicKey),
                                   V_ASN1_UNDEF, NULL); /* cannot fail */
 
-            if (!sk_OSSL_CMP_ATAV_push(keyspec, OSSL_CMP_ATAV_new_algId(keyalg))
-                || !sk_OSSL_CMP_ATAV_push(keyspec,
-                                          OSSL_CMP_ATAV_new_rsaKeyLen(4096)))
+            eckeyalg = OSSL_CMP_ATAV_new_algId(keyalg);
+            rsakeylen = OSSL_CMP_ATAV_new_rsaKeyLen(4096);
+            ok = (OSSL_CMP_ATAV_push1(&keyspec, eckeyalg)
+                  && OSSL_CMP_ATAV_push1(&keyspec, rsakeylen));
+            OSSL_CMP_ATAV_free(eckeyalg);
+            OSSL_CMP_ATAV_free(rsakeylen);
+            X509_ALGOR_free(keyalg);
+
+            if (!ok)
                 goto crt_err;
 
             rsp = OSSL_CMP_ITAV_new0_certReqTemplate(reqtemp, keyspec);
@@ -524,7 +529,6 @@ static OSSL_CMP_ITAV *process_genm_itav(mock_srv_ctx *ctx, int req_nid,
         crt_err:
             OSSL_CRMF_CERTTEMPLATE_free(reqtemp);
             OSSL_CMP_ATAVS_free(keyspec);
-            X509_ALGOR_free(keyalg);
             return NULL;
         }
         break;

diff --git a/crypto/cmp/cmp_asn.c b/crypto/cmp/cmp_asn.c
@@ -546,7 +546,7 @@ int OSSL_CMP_ATAV_get_rsaKeyLen(const OSSL_CMP_ATAV *atav)
     if (atav == NULL || OBJ_obj2nid(atav->type) != NID_id_regCtrl_rsaKeyLen
             || !ASN1_INTEGER_get_int64(&val, atav->value.rsaKeyLen))
         return -1;
-    if (val <= 0)
+    if (val <= 0 || val > INT_MAX)
         return -2;
     return (int)val;
 }

diff --git a/doc/man3/OSSL_CMP_ATAV_set0.pod b/doc/man3/OSSL_CMP_ATAV_set0.pod
@@ -71,7 +71,7 @@ B<rsaKeyLen> and fills it in with the given I<len>, which must be positive.
 OSSL_CMP_ATAV_get_rsaKeyLen() returns
 the RSA key length in rsaKeyLen infoValue in the I<atav>,
 -1 if I<atav> is NULL or does not contain an rsaKeyLen or cannot be parsed,
-or -2 if the value is less than 1.
+or -2 if the value is less than 1 or is greater than INT_MAX.
 
 OSSL_CMP_ATAV_push1() pushes a copy of I<atav> to the stack of B<OSSL_CMP_ATAV>
 pointed to by I<*sk_p>. It creates a new stack if I<*sk_p> points to NULL.

diff --git a/test/recipes/80-test_cmp_http_data/test_commands.csv b/test/recipes/80-test_cmp_http_data/test_commands.csv
@@ -98,6 +98,7 @@ expected,description, -section,val, -cmd,val,val2, -cacertsout,val,val2, -infoty
 ,,,,,,,,,,,,,,,,,,,,,,
 1,genm certReqTemplate, -section,, -cmd,genm,, -template,_RESULT_DIR/test.template.der, -keyspec,_RESULT_DIR/test.keyspec.der, -infotype,certReqTemplate,,BLANK,,BLANK,,BLANK,,, -expect_sender, """"
 0,genm certReqTemplate missing template option, -section,, -cmd,genm,, -template,"""",, -infotype,certReqTemplate,,BLANK,,BLANK,
+0,genm certReqTemplate without template option, -section,, -cmd,genm,,,, -keyspec,_RESULT_DIR/test.keyspec.der, -infotype,certReqTemplate,,BLANK,,BLANK,
 1,genm certReqTemplate without optional keyspec option, -section,, -cmd,genm,, -template,_RESULT_DIR/test.template.der, -keyspec,"""",, -infotype,certReqTemplate,,BLANK,,BLANK,
 0,genm certReqTemplate missing template arg   , -section,, -cmd,genm,, -template,BLANK, -keyspec,_RESULT_DIR/test.keyspec.der, -infotype,certReqTemplate,,BLANK,,BLANK,
 0,genm certReqTemplate template extra arg     , -section,, -cmd,genm,, -template,_RESULT_DIR/test.template.der,_RESULT_DIR/test.template.der, -infotype,certReqTemplate,,BLANK,,BLANK,