From ac351bc2ba1574a7039f78d918ca09cac9f6298f Mon Sep 17 00:00:00 2001 From: Rajeev Ranjan Date: Wed, 7 Aug 2024 16:06:36 +0200 Subject: [PATCH] CMP: add testcase for central keygen --- apps/cmp.c | 38 ++++++++++++++++++++++++++---- apps/include/cmp_mock_srv.h | 2 ++ apps/lib/cmp_mock_srv.c | 46 +++++++++++++++++++++++++++++++++++++ crypto/cmp/cmp_local.h | 3 ++- crypto/cmp/cmp_msg.c | 42 ++++++++++++++++++++++++++++++++- crypto/cmp/cmp_server.c | 6 ++++- crypto/cms/cms_asn1.c | 1 + crypto/cms/cms_lib.c | 40 ++++++++++++++++++++++++++++++++ crypto/crmf/crmf_lib.c | 24 +++++++++++-------- include/openssl/cms.h.in | 6 +++++ include/openssl/crmf.h.in | 3 +++ util/libcrypto.num | 2 ++ 12 files changed, 196 insertions(+), 17 deletions(-) diff --git a/apps/cmp.c b/apps/cmp.c index 06996f29f31aa0..93454f62a9df76 100644 --- a/apps/cmp.c +++ b/apps/cmp.c @@ -201,6 +201,8 @@ static char *opt_srv_trusted = NULL; static char *opt_srv_untrusted = NULL; static char *opt_ref_cert = NULL; static char *opt_rsp_cert = NULL; +static char *opt_rsp_cert_key = NULL; +static char *opt_rsp_keypass = NULL; static char *opt_rsp_crl = NULL; static char *opt_rsp_extracerts = NULL; static char *opt_rsp_capubs = NULL; @@ -285,7 +287,8 @@ typedef enum OPTION_choice { OPT_SRV_REF, OPT_SRV_SECRET, OPT_SRV_CERT, OPT_SRV_KEY, OPT_SRV_KEYPASS, OPT_SRV_TRUSTED, OPT_SRV_UNTRUSTED, - OPT_REF_CERT, OPT_RSP_CERT, OPT_RSP_CRL, OPT_RSP_EXTRACERTS, OPT_RSP_CAPUBS, + OPT_REF_CERT, OPT_RSP_CERT, OPT_RSP_CERT_KEY, OPT_RSP_KEYPASS, + OPT_RSP_CRL, OPT_RSP_EXTRACERTS, OPT_RSP_CAPUBS, OPT_RSP_NEWWITHNEW, OPT_RSP_NEWWITHOLD, OPT_RSP_OLDWITHNEW, OPT_POLL_COUNT, OPT_CHECK_AFTER, OPT_GRANT_IMPLICITCONF, @@ -580,6 +583,12 @@ const OPTIONS cmp_options[] = { "Certificate to be expected for rr and any oldCertID in kur messages"}, {"rsp_cert", OPT_RSP_CERT, 's', "Certificate to be returned as mock enrollment result"}, + {"rsp_cert_key", OPT_RSP_CERT_KEY, 's', + "Private key for the certificate to be returned as mock enrollment result"}, + {OPT_MORE_STR, 0, 0, + "Key to be returned for central key pair generation"}, + {"rsp_keypass", OPT_RSP_KEYPASS, 's', + "Response private key (and cert) pass phrase source"}, {"rsp_crl", OPT_RSP_CRL, 's', "CRL to be returned in genp of type crls"}, {"rsp_extracerts", OPT_RSP_EXTRACERTS, 's', @@ -692,8 +701,8 @@ static varref cmp_vars[] = { /* must be in same order as enumerated above! */ {&opt_srv_ref}, {&opt_srv_secret}, {&opt_srv_cert}, {&opt_srv_key}, {&opt_srv_keypass}, {&opt_srv_trusted}, {&opt_srv_untrusted}, - {&opt_ref_cert}, {&opt_rsp_cert}, {&opt_rsp_crl}, - {&opt_rsp_extracerts}, {&opt_rsp_capubs}, + {&opt_ref_cert}, {&opt_rsp_cert}, {&opt_rsp_cert_key}, {&opt_rsp_keypass}, + {&opt_rsp_crl}, {&opt_rsp_extracerts}, {&opt_rsp_capubs}, {&opt_rsp_newwithnew}, {&opt_rsp_newwithold}, {&opt_rsp_oldwithnew}, {(char **)&opt_poll_count}, {(char **)&opt_check_after}, @@ -1206,11 +1215,26 @@ static OSSL_CMP_SRV_CTX *setup_srv_ctx(ENGINE *engine) if (opt_rsp_cert == NULL) { CMP_warn("no -rsp_cert given for mock server"); } else { - if (!setup_cert(srv_ctx, opt_rsp_cert, opt_keypass, + if (!setup_cert(srv_ctx, opt_rsp_cert, opt_rsp_keypass, "cert the mock server returns on certificate requests", (add_X509_fn_t)ossl_cmp_mock_srv_set1_certOut)) goto err; } + if (opt_rsp_cert_key != NULL) { + EVP_PKEY *pkey = load_key_pwd(opt_rsp_cert_key, opt_keyform, + opt_rsp_keypass, + engine, + "private key for enrollment cert"); + + if (pkey == NULL + || !ossl_cmp_mock_srv_set1_certOutKey(srv_ctx, pkey)) { + EVP_PKEY_free(pkey); + goto err; + } + EVP_PKEY_free(pkey); + } + cleanse(opt_rsp_keypass); + if (!setup_mock_crlout(srv_ctx, opt_rsp_crl, "CRL to be returned by the mock server")) goto err; @@ -3126,6 +3150,12 @@ static int get_opts(int argc, char **argv) case OPT_RSP_CERT: opt_rsp_cert = opt_str(); break; + case OPT_RSP_CERT_KEY: + opt_rsp_cert_key = opt_str(); + break; + case OPT_RSP_KEYPASS: + opt_rsp_keypass = opt_str(); + break; case OPT_RSP_CRL: opt_rsp_crl = opt_str(); break; diff --git a/apps/include/cmp_mock_srv.h b/apps/include/cmp_mock_srv.h index 6b4290460aa6cc..86bbac217b5e4e 100644 --- a/apps/include/cmp_mock_srv.h +++ b/apps/include/cmp_mock_srv.h @@ -22,6 +22,8 @@ void ossl_cmp_mock_srv_free(OSSL_CMP_SRV_CTX *srv_ctx); int ossl_cmp_mock_srv_set1_refCert(OSSL_CMP_SRV_CTX *srv_ctx, X509 *cert); int ossl_cmp_mock_srv_set1_certOut(OSSL_CMP_SRV_CTX *srv_ctx, X509 *cert); +int ossl_cmp_mock_srv_set1_certOutKey(OSSL_CMP_SRV_CTX *srv_ctx, + EVP_PKEY *pkey); int ossl_cmp_mock_srv_set1_crlOut(OSSL_CMP_SRV_CTX *srv_ctx, X509_CRL *crl); int ossl_cmp_mock_srv_set1_chainOut(OSSL_CMP_SRV_CTX *srv_ctx, STACK_OF(X509) *chain); diff --git a/apps/lib/cmp_mock_srv.c b/apps/lib/cmp_mock_srv.c index d98d4598a9750c..9766a2d411c970 100644 --- a/apps/lib/cmp_mock_srv.c +++ b/apps/lib/cmp_mock_srv.c @@ -19,6 +19,7 @@ typedef struct { X509 *refCert; /* cert to expect for oldCertID in kur/rr msg */ X509 *certOut; /* certificate to be returned in cp/ip/kup msg */ + EVP_PKEY *certOutKey; /* Private key to be returned for central keygen */ X509_CRL *crlOut; /* CRL to be returned in genp for crls */ STACK_OF(X509) *chainOut; /* chain of certOut to add to extraCerts field */ STACK_OF(X509) *caPubsOut; /* used in caPubs of ip and in caCerts of genp */ @@ -87,6 +88,22 @@ static mock_srv_ctx *mock_srv_ctx_new(void) DEFINE_OSSL_SET1_CERT(refCert) DEFINE_OSSL_SET1_CERT(certOut) +int ossl_cmp_mock_srv_set1_certOutKey(OSSL_CMP_SRV_CTX *srv_ctx, + EVP_PKEY *pkey) +{ + mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx); + + if (ctx == NULL) { + ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); + return 0; + } + if (pkey != NULL && !EVP_PKEY_up_ref(pkey)) + return 0; + EVP_PKEY_free(ctx->certOutKey); + ctx->certOutKey = pkey; + return 1; +} + int ossl_cmp_mock_srv_set1_crlOut(OSSL_CMP_SRV_CTX *srv_ctx, X509_CRL *crl) { @@ -263,6 +280,27 @@ static int clean_transaction(OSSL_CMP_SRV_CTX *srv_ctx, return 1; } +static int centralKeygen_req(const OSSL_CRMF_MSG *crm, + X509_REQ *p10cr) +{ + X509_PUBKEY *pubkey = NULL; + const unsigned char *pk = NULL; + int pklen, ret = 0; + + if (crm != NULL ) { + pubkey = OSSL_CRMF_CERTTEMPLATE_get0_publicKey(OSSL_CRMF_MSG_get0_tmpl(crm)); + } else if (p10cr != NULL) { + pubkey = X509_REQ_get_X509_PUBKEY(p10cr); + } + if (pubkey == NULL + || (X509_PUBKEY_get0_param(NULL, &pk, &pklen, NULL, pubkey) + && pklen == 0)) + ret = 1; + + pk = NULL; + return ret; +} + static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx, const OSSL_CMP_MSG *cert_req, ossl_unused int certReqId, @@ -275,6 +313,7 @@ static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx, mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx); int bodytype; OSSL_CMP_PKISI *si = NULL; + EVP_PKEY *certOutKey = NULL; if (ctx == NULL || cert_req == NULL || certOut == NULL || chainOut == NULL || caPubs == NULL) { @@ -358,6 +397,13 @@ static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx, && (*certOut = X509_dup(ctx->certOut)) == NULL) /* Should return a cert produced from request template, see FR #16054 */ goto err; + if (ctx->certOutKey != NULL + && centralKeygen_req(crm, (X509_REQ *) p10cr) + /* using newPkey to return the private key without modifying API */ + && (((certOutKey = EVP_PKEY_dup(ctx->certOutKey)) == NULL) + || !OSSL_CMP_CTX_set0_newPkey(OSSL_CMP_SRV_CTX_get0_cmp_ctx(srv_ctx), + 1/*priv*/, certOutKey))) + goto err; if (ctx->chainOut != NULL && (*chainOut = X509_chain_up_ref(ctx->chainOut)) == NULL) goto err; diff --git a/crypto/cmp/cmp_local.h b/crypto/cmp/cmp_local.h index 4ebbbbfd1462de..8da454e644a92a 100644 --- a/crypto/cmp/cmp_local.h +++ b/crypto/cmp/cmp_local.h @@ -952,7 +952,8 @@ OSSL_CMP_MSG *ossl_cmp_certreq_new(OSSL_CMP_CTX *ctx, int bodytype, const OSSL_CRMF_MSG *crm); OSSL_CMP_MSG *ossl_cmp_certrep_new(OSSL_CMP_CTX *ctx, int bodytype, int certReqId, const OSSL_CMP_PKISI *si, - X509 *cert, const X509 *encryption_recip, + X509 *cert, EVP_PKEY *certkey, + const X509 *encryption_recip, STACK_OF(X509) *chain, STACK_OF(X509) *caPubs, int unprotectedErrors); OSSL_CMP_MSG *ossl_cmp_rr_new(OSSL_CMP_CTX *ctx); diff --git a/crypto/cmp/cmp_msg.c b/crypto/cmp/cmp_msg.c index fdd6bc23815739..f3c54cfbb044c7 100644 --- a/crypto/cmp/cmp_msg.c +++ b/crypto/cmp/cmp_msg.c @@ -19,6 +19,9 @@ #include #include #include +#include +#include +#include OSSL_CMP_MSG *OSSL_CMP_MSG_new(OSSL_LIB_CTX *libctx, const char *propq) { @@ -449,9 +452,40 @@ OSSL_CMP_MSG *ossl_cmp_certreq_new(OSSL_CMP_CTX *ctx, int type, return NULL; } + +static OSSL_CRMF_ENCRYPTEDKEY *enveloped_signedprivatekey(OSSL_CMP_CTX *ctx, EVP_PKEY *privKey) +{ + OSSL_CRMF_ENCRYPTEDKEY *ek = NULL; + CMS_EnvelopedData *envData = NULL; + STACK_OF(X509) *encryption_recips = NULL; + int res = 0; + X509 *recip = ctx->validatedSrvCert; + + encryption_recips = sk_X509_new_null(); + if (encryption_recips == NULL || recip == NULL + || !sk_X509_push(encryption_recips, recip)) + goto err; + + envData = OSSL_CMS_env_sign_key(privKey, ctx->cert, ctx->pkey, + encryption_recips, ctx->libctx, ctx->propq); + if (envData == NULL) + goto err; + if ((ek = OSSL_CRMF_ENCRYPTEDKEY_init_envdata(envData)) == NULL) + goto err; + res = 1; + + err: + sk_X509_pop_free(encryption_recips, X509_free); + if (!res) + M_ASN1_free_of(envData, CMS_EnvelopedData); + + return ek; +} + OSSL_CMP_MSG *ossl_cmp_certrep_new(OSSL_CMP_CTX *ctx, int bodytype, int certReqId, const OSSL_CMP_PKISI *si, - X509 *cert, const X509 *encryption_recip, + X509 *cert, EVP_PKEY *certkey, + const X509 *encryption_recip, STACK_OF(X509) *chain, STACK_OF(X509) *caPubs, int unprotectedErrors) { @@ -495,6 +529,12 @@ OSSL_CMP_MSG *ossl_cmp_certrep_new(OSSL_CMP_CTX *ctx, int bodytype, if (!X509_up_ref(cert)) goto err; resp->certifiedKeyPair->certOrEncCert->value.certificate = cert; + + if (certkey != NULL) { + /* if (!EVP_PKEY_up_ref(certkey)) + goto err; */ + resp->certifiedKeyPair->privateKey = enveloped_signedprivatekey(ctx, certkey); + } } if (!sk_OSSL_CMP_CERTRESPONSE_push(repMsg->response, resp)) diff --git a/crypto/cmp/cmp_server.c b/crypto/cmp/cmp_server.c index 84bddcec0907ad..b0f7fa2107022a 100644 --- a/crypto/cmp/cmp_server.c +++ b/crypto/cmp/cmp_server.c @@ -216,6 +216,7 @@ static OSSL_CMP_MSG *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx, OSSL_CMP_MSG *msg = NULL; OSSL_CMP_PKISI *si = NULL; X509 *certOut = NULL; + EVP_PKEY *certOutKey = NULL; STACK_OF(X509) *chainOut = NULL, *caPubs = NULL; const OSSL_CRMF_MSG *crm = NULL; const X509_REQ *p10cr = NULL; @@ -287,10 +288,12 @@ static OSSL_CMP_MSG *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx, /* do not set if polling starts: */ && certOut != NULL)) goto err; + if (srv_ctx->ctx->newPkey != NULL && srv_ctx->ctx->newPkey_priv) + certOutKey = srv_ctx->ctx->newPkey; } msg = ossl_cmp_certrep_new(srv_ctx->ctx, bodytype, certReqId, si, - certOut, NULL /* enc */, chainOut, caPubs, + certOut, certOutKey, NULL /* enc */, chainOut, caPubs, srv_ctx->sendUnprotectedErrors); /* When supporting OSSL_CRMF_POPO_KEYENC, "enc" will need to be set */ if (msg == NULL) @@ -299,6 +302,7 @@ static OSSL_CMP_MSG *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx, err: OSSL_CMP_PKISI_free(si); X509_free(certOut); + OSSL_CMP_CTX_set0_newPkey(srv_ctx->ctx, 0, NULL); OSSL_STACK_OF_X509_free(chainOut); OSSL_STACK_OF_X509_free(caPubs); return msg; diff --git a/crypto/cms/cms_asn1.c b/crypto/cms/cms_asn1.c index 9ac848e448b941..e02c8e90e39393 100644 --- a/crypto/cms/cms_asn1.c +++ b/crypto/cms/cms_asn1.c @@ -243,6 +243,7 @@ ASN1_NDEF_SEQUENCE(CMS_EnvelopedData) = { ASN1_SIMPLE(CMS_EnvelopedData, encryptedContentInfo, CMS_EncryptedContentInfo), ASN1_IMP_SET_OF_OPT(CMS_EnvelopedData, unprotectedAttrs, X509_ATTRIBUTE, 1) } ASN1_NDEF_SEQUENCE_END(CMS_EnvelopedData) +IMPLEMENT_ASN1_DUP_FUNCTION(CMS_EnvelopedData) ASN1_NDEF_SEQUENCE(CMS_DigestedData) = { ASN1_EMBED(CMS_DigestedData, version, INT32), diff --git a/crypto/cms/cms_lib.c b/crypto/cms/cms_lib.c index b09985ad3e27fe..8c1443c09ff3b5 100644 --- a/crypto/cms/cms_lib.c +++ b/crypto/cms/cms_lib.c @@ -739,3 +739,43 @@ int ossl_cms_set1_keyid(ASN1_OCTET_STRING **pkeyid, X509 *cert) *pkeyid = keyid; return 1; } + +CMS_EnvelopedData *OSSL_CMS_env_sign_key(EVP_PKEY *privKey, /* TODO - take bio as input*/ + X509 *signcert, EVP_PKEY *signkey, + STACK_OF(X509) *encryption_recip, + OSSL_LIB_CTX *libctx, const char *propq) +{ + CMS_EnvelopedData *evd = NULL; + BIO *privbio = NULL, *signbio = NULL, *envelopbio = NULL; + CMS_ContentInfo *signcms = NULL, *evpcms = NULL; + + privbio = BIO_new(BIO_s_mem()); + if (privbio == NULL || i2d_PrivateKey_bio(privbio, privKey) <= 0) + goto err; + + signcms = CMS_sign_ex(signcert, signkey, NULL, privbio, CMS_BINARY, + libctx, propq); + if (signcms == NULL) + goto err; + + signbio = BIO_new(BIO_s_mem()); + if (signbio == NULL + || ASN1_item_i2d_bio(ASN1_ITEM_rptr(CMS_SignedData), signbio, signcms->d.signedData) <= 0) + goto err; + + + evpcms = CMS_encrypt_ex(encryption_recip, signbio, EVP_aes_256_cbc(), CMS_BINARY, libctx, propq); + if (evpcms == NULL) + goto err; + + evd = CMS_EnvelopedData_dup(evpcms->d.envelopedData); + + err: + BIO_free(privbio); + BIO_free(signbio); + BIO_free(envelopbio); + CMS_ContentInfo_free(signcms); + CMS_ContentInfo_free(evpcms); + + return evd; +} \ No newline at end of file diff --git a/crypto/crmf/crmf_lib.c b/crypto/crmf/crmf_lib.c index d1b417eb6c154f..4d261a77258bb2 100644 --- a/crypto/crmf/crmf_lib.c +++ b/crypto/crmf/crmf_lib.c @@ -38,6 +38,7 @@ #include #include #include +#include /*- * atyp = Attribute Type @@ -627,18 +628,8 @@ static int check_cmKGA(ossl_unused const X509_PURPOSE *purpose, return ret; ekus = X509_get_ext_d2i(x, NID_ext_key_usage, NULL, NULL); for (i = 0; i < sk_ASN1_OBJECT_num(ekus); i++) { -# if OPENSSL_VERSION_NUMBER >= 0x30000000L if (OBJ_obj2nid(sk_ASN1_OBJECT_value(ekus, i)) == NID_cmKGA) goto end; -# else - { - char txt[100]; - - if (OBJ_obj2txt(txt, sizeof(txt), sk_ASN1_OBJECT_value(ekus, i), 1) - && strcmp(txt, "1.3.6.1.5.5.7.3.32") == 0) /* OID cmKGA */ - goto end; - } -# endif } ret = 0; @@ -913,3 +904,16 @@ X509 return NULL; #endif /* OPENSSL_NO_CMS */ } + +OSSL_CRMF_ENCRYPTEDKEY +*OSSL_CRMF_ENCRYPTEDKEY_init_envdata(CMS_EnvelopedData *envdata) +{ + OSSL_CRMF_ENCRYPTEDKEY *ek = OSSL_CRMF_ENCRYPTEDKEY_new(); + if (ek == NULL) + return NULL; + + ek->type = OSSL_CRMF_ENCRYPTEDKEY_ENVELOPEDDATA; + ek->value.envelopedData = envdata; + + return ek; +} diff --git a/include/openssl/cms.h.in b/include/openssl/cms.h.in index 239667700aacd2..7c57b7b9a90f41 100644 --- a/include/openssl/cms.h.in +++ b/include/openssl/cms.h.in @@ -57,6 +57,8 @@ DECLARE_ASN1_FUNCTIONS(CMS_ContentInfo) DECLARE_ASN1_FUNCTIONS(CMS_ReceiptRequest) DECLARE_ASN1_PRINT_FUNCTION(CMS_ContentInfo) +DECLARE_ASN1_DUP_FUNCTION(CMS_EnvelopedData) + CMS_ContentInfo *CMS_ContentInfo_new_ex(OSSL_LIB_CTX *libctx, const char *propq); # define CMS_SIGNERINFO_ISSUER_SERIAL 0 @@ -397,6 +399,10 @@ int CMS_RecipientInfo_kari_decrypt(CMS_ContentInfo *cms, int CMS_SharedInfo_encode(unsigned char **pder, X509_ALGOR *kekalg, ASN1_OCTET_STRING *ukm, int keylen); +CMS_EnvelopedData *OSSL_CMS_env_sign_key(EVP_PKEY *privKey, /* TODO - take bio as input*/ + X509 *signcert, EVP_PKEY *signkey, + STACK_OF(X509) *encryption_recip, + OSSL_LIB_CTX *libctx, const char *propq); /* Backward compatibility for spelling errors. */ # define CMS_R_UNKNOWN_DIGEST_ALGORITM CMS_R_UNKNOWN_DIGEST_ALGORITHM diff --git a/include/openssl/crmf.h.in b/include/openssl/crmf.h.in index 6f183b828e6366..609c942c267211 100644 --- a/include/openssl/crmf.h.in +++ b/include/openssl/crmf.h.in @@ -27,6 +27,7 @@ use OpenSSL::stackhash qw(generate_stack_macros); # include # include # include /* for GENERAL_NAME etc. */ +# include /* explicit #includes not strictly needed since implied by the above: */ # include @@ -198,6 +199,8 @@ EVP_PKEY EVP_PKEY *pkey, X509 *cert, ASN1_OCTET_STRING *secret, OSSL_LIB_CTX *libctx, const char *propq); +OSSL_CRMF_ENCRYPTEDKEY +*OSSL_CRMF_ENCRYPTEDKEY_init_envdata( CMS_EnvelopedData *envdata); # ifdef __cplusplus } diff --git a/util/libcrypto.num b/util/libcrypto.num index 9a018b7fc78ee2..336f129b96261e 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -5716,3 +5716,5 @@ i2d_OSSL_BASIC_ATTR_CONSTRAINTS ? 3_4_0 EXIST::FUNCTION: OSSL_BASIC_ATTR_CONSTRAINTS_free ? 3_4_0 EXIST::FUNCTION: OSSL_BASIC_ATTR_CONSTRAINTS_new ? 3_4_0 EXIST::FUNCTION: OSSL_BASIC_ATTR_CONSTRAINTS_it ? 3_4_0 EXIST::FUNCTION: +OSSL_CMS_env_sign_key ? 3_4_0 EXIST::FUNCTION:CMS +OSSL_CRMF_ENCRYPTEDKEY_init_envdata ? 3_4_0 EXIST::FUNCTION:CRMF