fixup! fixup! fixup! fixup! CMP: add documentation

siemens · Oct 4, 2024 · 9f38def · 9f38def
1 parent 8fe017e
commit 9f38def
Show file tree

Hide file tree

Showing 7 changed files with 40 additions and 53 deletions.
diff --git a/apps/lib/cmp_mock_srv.c b/apps/lib/cmp_mock_srv.c
@@ -289,7 +289,7 @@ static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
                                             STACK_OF(X509) **caPubs)
 {
     mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
-    int bodytype;
+    int bodytype, central_keygen;
     OSSL_CMP_PKISI *si = NULL;
     EVP_PKEY *keyOut = NULL;
 
@@ -375,7 +375,12 @@ static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
             && (*certOut = X509_dup(ctx->certOut)) == NULL)
         /* Should return a cert produced from request template, see FR #16054 */
         goto err;
-    if (OSSL_CRMF_MSG_centralKeygen_requested(crm, p10cr)
+
+    central_keygen = OSSL_CRMF_MSG_centralKeygen_requested(crm, p10cr);
+    if (central_keygen < 0)
+        goto err;
+
+    if (central_keygen == 1
         && (ctx->keyOut == NULL
             || (keyOut = EVP_PKEY_dup(ctx->keyOut)) == NULL
             || !OSSL_CMP_CTX_set0_newPkey(OSSL_CMP_SRV_CTX_get0_cmp_ctx(srv_ctx),

diff --git a/crypto/cmp/cmp_server.c b/crypto/cmp/cmp_server.c
@@ -165,38 +165,6 @@ int OSSL_CMP_SRV_CTX_set_grant_implicit_confirm(OSSL_CMP_SRV_CTX *srv_ctx,
     return 1;
 }
 
-int OSSL_CRMF_MSG_centralKeygen_requested(const OSSL_CRMF_MSG *crm,
-                                          const X509_REQ *p10cr)
-{
-    X509_PUBKEY *pubkey = NULL;
-    const unsigned char *pk = NULL;
-    int pklen, ret = 0;
-
-    if (crm == NULL && p10cr == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        return -1;
-    }
-
-    if (crm != NULL)
-        pubkey = OSSL_CRMF_CERTTEMPLATE_get0_publicKey(OSSL_CRMF_MSG_get0_tmpl(crm));
-    else
-        pubkey = p10cr->req_info.pubkey;
-
-    if (pubkey == NULL
-        || (X509_PUBKEY_get0_param(NULL, &pk, &pklen, NULL, pubkey)
-            && pklen == 0))
-        ret = 1;
-
-    /*
-     * In case of CRMF, POPO MUST be absent if central key generation
-     * is requested, otherwise MUST be present
-     */
-    if (crm != NULL && ret != OSSL_CRMF_MSG_popo_present(crm))
-        return -2;
-
-    return ret;
-}
-
 /* return error msg with waiting status if polling is initiated, else NULL */
 static OSSL_CMP_MSG *delayed_delivery(OSSL_CMP_SRV_CTX *srv_ctx,
                                       const OSSL_CMP_MSG *req)

diff --git a/crypto/crmf/crmf_lib.c b/crypto/crmf/crmf_lib.c
@@ -544,11 +544,36 @@ int OSSL_CRMF_MSGS_verify_popo(const OSSL_CRMF_MSGS *reqs,
     return 1;
 }
 
-int OSSL_CRMF_MSG_popo_present(const OSSL_CRMF_MSG *crm)
+int OSSL_CRMF_MSG_centralKeygen_requested(const OSSL_CRMF_MSG *crm, const X509_REQ *p10cr)
 {
-    if (crm != NULL)
+    X509_PUBKEY *pubkey = NULL;
+    const unsigned char *pk = NULL;
+    int pklen, ret = 0;
+
+    if (crm == NULL && p10cr == NULL) {
+        ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT);
         return -1;
-    return crm->popo != NULL;
+    }
+
+    if (crm != NULL)
+        pubkey = OSSL_CRMF_CERTTEMPLATE_get0_publicKey(OSSL_CRMF_MSG_get0_tmpl(crm));
+    else
+        pubkey = p10cr->req_info.pubkey;
+
+    if (pubkey == NULL
+        || (X509_PUBKEY_get0_param(NULL, &pk, &pklen, NULL, pubkey)
+            && pklen == 0))
+        ret = 1;
+
+    /*
+     * In case of CRMF, POPO MUST be absent if central key generation
+     * is requested, otherwise MUST be present
+     */
+    if (crm != NULL && ret != (crm->popo == NULL)) {
+        ERR_raise(ERR_LIB_CRMF, CRMF_R_POPO_INCONSISTENT_CENTRAL_KEYGEN);
+        return -2;
+    }
+    return ret;
 }
 
 X509_PUBKEY

diff --git a/doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod b/doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod
@@ -127,8 +127,8 @@ OSSL_CRMF_MSG_get_certReqId() retrieves the certReqId of I<crm>.
 OSSL_CRMF_MSG_centralKeygen_requested() returns 1 if central key generation
 is requested i.e., the public key in the certificate request (I<crm> is taken if it is non-NULL, 
 otherwise I<p10cr>) is NULL or has an empty key value (with length zero).
-In case I<crm> is non-NULL, this is checked for consistency with its B<popo> field (must be
-NULL if central key generation is requested else must be present).
+In case I<crm> is non-NULL, this is checked for consistency with its B<popo> field 
+(must be NULL if and only if central key generation is requested).
 Otherwise it returns 0, and on error a negative value.
 
 =head1 RETURN VALUES

diff --git a/doc/man3/OSSL_CRMF_MSG_set0_validity.pod b/doc/man3/OSSL_CRMF_MSG_set0_validity.pod
@@ -8,8 +8,7 @@ OSSL_CRMF_CERTTEMPLATE_fill,
 OSSL_CRMF_MSG_set0_extensions,
 OSSL_CRMF_MSG_push0_extension,
 OSSL_CRMF_MSG_create_popo,
-OSSL_CRMF_MSGS_verify_popo,
-OSSL_CRMF_MSG_popo_present
+OSSL_CRMF_MSGS_verify_popo
 - functions populating and verifying CRMF CertReqMsg structures
 
 =head1 SYNOPSIS
@@ -38,7 +37,6 @@ OSSL_CRMF_MSG_popo_present
  int OSSL_CRMF_MSGS_verify_popo(const OSSL_CRMF_MSGS *reqs,
                                 int rid, int acceptRAVerified,
                                 OSSL_LIB_CTX *libctx, const char *propq);
- int OSSL_CRMF_MSG_popo_present(const OSSL_CRMF_MSG *crm);
 
 =head1 DESCRIPTION
 
@@ -98,15 +96,9 @@ OSSL_CRMF_MSGS_verify_popo verifies the Proof-of-Possession of the request with
 the given I<rid> in the list of I<reqs>. Optionally accepts RAVerified. It can
 make use of the library context I<libctx> and property query string I<propq>.
 
-OSSL_CRMF_MSG_popo_present returns 1 if the Proof-of-Possession is present in I<crm>.
-Otherwise it returns 0 and negative value on error.
-
 =head1 RETURN VALUES
 
-OSSL_CRMF_MSG_popo_present returns 1 if popo is present, otherwise 0
-and negative value on error.
-
-All other functions return 1 on success, 0 on error.
+All functions return 1 on success, 0 on error.
 
 =head1 SEE ALSO
 

diff --git a/include/openssl/crmf.h.in b/include/openssl/crmf.h.in
@@ -161,7 +161,6 @@ int OSSL_CRMF_MSG_create_popo(int meth, OSSL_CRMF_MSG *crm,
 int OSSL_CRMF_MSGS_verify_popo(const OSSL_CRMF_MSGS *reqs,
                                int rid, int acceptRAVerified,
                                OSSL_LIB_CTX *libctx, const char *propq);
-int OSSL_CRMF_MSG_popo_present(const OSSL_CRMF_MSG *crm);
 OSSL_CRMF_CERTTEMPLATE *OSSL_CRMF_MSG_get0_tmpl(const OSSL_CRMF_MSG *crm);
 X509_PUBKEY
 *OSSL_CRMF_CERTTEMPLATE_get0_publicKey(const OSSL_CRMF_CERTTEMPLATE *tmpl);
@@ -195,8 +194,7 @@ EVP_PKEY *OSSL_CRMF_ENCRYPTEDKEY_get1_pkey(const OSSL_CRMF_ENCRYPTEDKEY *encrypt
                                            X509_STORE *ts, STACK_OF(X509) *extra, EVP_PKEY *pkey,
                                            X509 *cert, ASN1_OCTET_STRING *secret,
                                            OSSL_LIB_CTX *libctx, const char *propq);
-int OSSL_CRMF_MSG_centralKeygen_requested(const OSSL_CRMF_MSG *crm,
-                                          const X509_REQ *p10cr);
+int OSSL_CRMF_MSG_centralKeygen_requested(const OSSL_CRMF_MSG *crm, const X509_REQ *p10cr);
 #  ifndef OPENSSL_NO_CMS
 OSSL_CRMF_ENCRYPTEDKEY *OSSL_CRMF_ENCRYPTEDKEY_init_envdata(CMS_EnvelopedData *envdata);
 #  endif

diff --git a/util/libcrypto.num b/util/libcrypto.num
@@ -5742,7 +5742,6 @@ OSSL_CRMF_ENCRYPTEDKEY_it               ?	3_5_0	EXIST::FUNCTION:CRMF
 OSSL_CRMF_ENCRYPTEDKEY_get1_encCert     ?	3_5_0	EXIST::FUNCTION:CRMF
 OSSL_CRMF_ENCRYPTEDVALUE_decrypt        ?	3_5_0	EXIST::FUNCTION:CRMF
 OSSL_CRMF_ENCRYPTEDKEY_get1_pkey        ?	3_5_0	EXIST::FUNCTION:CRMF
-OSSL_CRMF_MSG_popo_present              ?	3_5_0	EXIST::FUNCTION:CRMF
 OSSL_CRMF_MSG_centralKeygen_requested   ?	3_5_0	EXIST::FUNCTION:CRMF
 CMS_EnvelopedData_dup                   ?	3_5_0	EXIST::FUNCTION:CMS
 OSSL_CRMF_ENCRYPTEDKEY_init_envdata     ?	3_5_0	EXIST::FUNCTION:CMS,CRMF