fixup! CMP: add support for requesting cert template using genm/genp

siemens · May 16, 2024 · c201043 · c201043
1 parent 61f0006
commit c201043
Show file tree

Hide file tree

Showing 14 changed files with 60 additions and 64 deletions.
diff --git a/apps/cmp.c b/apps/cmp.c
@@ -2191,6 +2191,9 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
             CMP_warn1("-template %s", msg);
         if (opt_keyspec != NULL)
             CMP_warn1("-keyspec %s", msg);
+    } else {
+        if (opt_template == NULL)
+            CMP_err("missing -template option for genm with infotype certReqTemplate");
     }
 
     if (!setup_verification_ctx(ctx))
@@ -3235,8 +3238,10 @@ static void print_keyspec(OSSL_CMP_ATAVS *keySpec)
     const char *p;
     long len;
 
-    if (keySpec == NULL)
+    if (keySpec == NULL) {
+        CMP_info1("No %s", desc);
         return;
+    }
 
     mem = BIO_new(BIO_s_mem());
     if (mem == NULL) {
@@ -3271,7 +3276,7 @@ static void print_keyspec(OSSL_CMP_ATAVS *keySpec)
             }
             break;
         case NID_id_regCtrl_rsaKeyLen:
-            BIO_printf(mem, "Key algorithm: RSA %d bit\n",
+            BIO_printf(mem, "Key algorithm: RSA %d \n",
                        OSSL_CMP_ATAV_get_rsaKeyLen(atav));
             break;
         default:
@@ -3448,11 +3453,15 @@ static int do_genm(OSSL_CMP_CTX *ctx)
             CMP_warn("no certificate request template available");
             if (!delete_file(opt_template, "certTemplate from genp"))
                 return 0;
+            if (opt_keyspec != NULL
+                && !delete_file(opt_keyspec, "keySpec from genp"))
+                return 0;
             return 1;
         }
         if (!save_template(opt_template, certTemplate))
             goto tmpl_end;
 
+        print_keyspec(keySpec);
         if (opt_keyspec != NULL) {
             if (keySpec == NULL) {
                 CMP_warn("no key specifications available");
@@ -3462,7 +3471,7 @@ static int do_genm(OSSL_CMP_CTX *ctx)
                 goto tmpl_end;
             }
         }
-        print_keyspec(keySpec);
+
         res = 1;
     tmpl_end:
         OSSL_CRMF_CERTTEMPLATE_free(certTemplate);

diff --git a/apps/lib/cmp_mock_srv.c b/apps/lib/cmp_mock_srv.c
@@ -520,6 +520,7 @@ static OSSL_CMP_ITAV *process_genm_itav(mock_srv_ctx *ctx, int req_nid,
 
             rsp = OSSL_CMP_ITAV_new0_certReqTemplate(reqtemp, keyspec);
             return rsp;
+
         crt_err:
             OSSL_CRMF_CERTTEMPLATE_free(reqtemp);
             OSSL_CMP_ATAVS_free(keyspec);

diff --git a/crypto/cmp/cmp_asn.c b/crypto/cmp/cmp_asn.c
@@ -406,36 +406,34 @@ int OSSL_CMP_ITAV_get1_certReqTemplate(const OSSL_CMP_ITAV *itav,
                                        OSSL_CRMF_CERTTEMPLATE **certTemplate,
                                        OSSL_CMP_ATAVS **keySpec)
 {
-    OSSL_CMP_CERTREQTEMPLATE *req;
+    OSSL_CMP_CERTREQTEMPLATE *tpl;
 
     if (itav == NULL || certTemplate == NULL) {
         ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
         return 0;
     }
 
-    if (certTemplate != NULL)
-        *certTemplate = NULL;
     if (keySpec != NULL)
         *keySpec = NULL;
 
     if (OBJ_obj2nid(itav->infoType) != NID_id_it_certReqTemplate) {
         ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_INVALID_ARGUMENT);
         return 0;
     }
-    req = itav->infoValue.certReqTemplate;
-    if (req == NULL) /* no requirements available */
+    tpl = itav->infoValue.certReqTemplate;
+    if (tpl == NULL) /* no requirements available */
         return 1;
 
-    if ((*certTemplate = OSSL_CRMF_CERTTEMPLATE_dup(req->certTemplate)) == NULL)
+    if ((*certTemplate = OSSL_CRMF_CERTTEMPLATE_dup(tpl->certTemplate)) == NULL)
         return 0;
-    if (keySpec != NULL && req->keySpec != NULL) {
-        int i, n = sk_OSSL_CMP_ATAV_num(req->keySpec);
+    if (keySpec != NULL && tpl->keySpec != NULL) {
+        int i, n = sk_OSSL_CMP_ATAV_num(tpl->keySpec);
 
         *keySpec = sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_new_reserve(NULL, n);
         if (*keySpec == NULL)
-            return 0;
+            goto err;
         for (i = 0; i < n; i++) {
-            OSSL_CMP_ATAV *atav = sk_OSSL_CMP_ATAV_value(req->keySpec, i);
+            OSSL_CMP_ATAV *atav = sk_OSSL_CMP_ATAV_value(tpl->keySpec, i);
             ASN1_OBJECT *type = OSSL_CMP_ATAV_get0_type(atav /* may be NULL */);
             int nid;
             const char *name;
@@ -460,8 +458,7 @@ int OSSL_CMP_ITAV_get1_certReqTemplate(const OSSL_CMP_ITAV *itav,
                                i, name);
                 goto err;
             }
-            sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_push(*keySpec, atav);
-            sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_set(req->keySpec, i, NULL);
+            OSSL_CMP_ATAV_push1(keySpec, atav);
         }
     }
     return 1;
@@ -549,7 +546,7 @@ int OSSL_CMP_ATAV_get_rsaKeyLen(const OSSL_CMP_ATAV *atav)
     if (atav == NULL || OBJ_obj2nid(atav->type) != NID_id_regCtrl_rsaKeyLen
             || !ASN1_INTEGER_get_int64(&val, atav->value.rsaKeyLen))
         return -1;
-    if (val < 0 || val > INT_MAX)
+    if (val <= 0)
         return -2;
     return (int)val;
 }

diff --git a/crypto/crmf/crmf_asn.c b/crypto/crmf/crmf_asn.c
@@ -146,18 +146,18 @@ ASN1_ADB(OSSL_CRMF_ATTRIBUTETYPEANDVALUE) = {
     ADB_ENTRY(NID_id_regCtrl_protocolEncrKey,
               ASN1_SIMPLE(OSSL_CRMF_ATTRIBUTETYPEANDVALUE,
                           value.protocolEncrKey, X509_PUBKEY)),
-    ADB_ENTRY(NID_id_regInfo_utf8Pairs,
-              ASN1_SIMPLE(OSSL_CRMF_ATTRIBUTETYPEANDVALUE,
-                          value.utf8Pairs, ASN1_UTF8STRING)),
-    ADB_ENTRY(NID_id_regInfo_certReq,
-              ASN1_SIMPLE(OSSL_CRMF_ATTRIBUTETYPEANDVALUE,
-                          value.certReq, OSSL_CRMF_CERTREQUEST)),
     ADB_ENTRY(NID_id_regCtrl_algId,
               ASN1_SIMPLE(OSSL_CRMF_ATTRIBUTETYPEANDVALUE,
                           value.algId, X509_ALGOR)),
     ADB_ENTRY(NID_id_regCtrl_rsaKeyLen,
               ASN1_SIMPLE(OSSL_CRMF_ATTRIBUTETYPEANDVALUE,
                           value.rsaKeyLen, ASN1_INTEGER)),
+    ADB_ENTRY(NID_id_regInfo_utf8Pairs,
+              ASN1_SIMPLE(OSSL_CRMF_ATTRIBUTETYPEANDVALUE,
+                          value.utf8Pairs, ASN1_UTF8STRING)),
+    ADB_ENTRY(NID_id_regInfo_certReq,
+              ASN1_SIMPLE(OSSL_CRMF_ATTRIBUTETYPEANDVALUE,
+                          value.certReq, OSSL_CRMF_CERTREQUEST)),
 } ASN1_ADB_END(OSSL_CRMF_ATTRIBUTETYPEANDVALUE, 0, type, 0,
                &attributetypeandvalue_default_tt, NULL);
 

diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in
@@ -254,8 +254,8 @@ ITAV B<infoType>s is printed to stdout.
 
 Set InfoType name to use for requesting specific info in B<genm>,
 e.g., C<signKeyPairTypes>.
-So far, there is specific support for C<caCerts>, C<rootCaCert>
-and C<crlStatusList>.
+There is specific support for C<caCerts>, C<rootCaCert>,  
+C<certReqTemplate>, and C<crlStatusList> (CRL update retrieval).
 
 =item B<-profile> I<name>
 
@@ -277,7 +277,7 @@ received in a genp message with id-it-certReqTemplate.
 
 =item B<-keyspec> I<filename>
 
-It is optioanl and used to specify the file to save any keySpec if
+It is optional and used to specify the file to save any keySpec if
 present in a genp message with id-it-keyGenParameters.
 
 Note: any keySpec field contents received are logged as INFO.

diff --git a/doc/man3/OSSL_CMP_ATAV_set0.pod b/doc/man3/OSSL_CMP_ATAV_set0.pod
@@ -13,12 +13,7 @@ OSSL_CMP_ATAV_new_rsaKeyLen,
 OSSL_CMP_ATAV_get_rsaKeyLen,
 OSSL_CMP_ATAVS,
 OSSL_CMP_ATAV_push1,
-OSSL_CMP_ATAV_free,
-OSSL_CMP_ATAVS_new,
-OSSL_CMP_ATAVS_free,
-OSSL_CMP_ATAVS_it,
-d2i_OSSL_CMP_ATAVS,
-i2d_OSSL_CMP_ATAVS
+OSSL_CMP_ATAV_free
 - OSSL_CMP_ATAV utility functions
 
 =head1 SYNOPSIS
@@ -41,12 +36,6 @@ i2d_OSSL_CMP_ATAVS
  int OSSL_CMP_ATAV_push1(OSSL_CMP_ATAVS **sk_p, const OSSL_CMP_ATAV *atav);
  void OSSL_CMP_ATAV_free(OSSL_CMP_ATAV *atav);
 
- OSSL_CMP_ATAVS *OSSL_CMP_ATAVS_new(void);
- void OSSL_CMP_ATAVS_free(OSSL_CMP_ATAVS *a);
- const ASN1_ITEM * OSSL_CMP_ATAVS_it(void);
- OSSL_CMP_ATAVS *d2i_OSSL_CMP_ATAVS(OSSL_CMP_ATAVS **a, const unsigned char **in, long len);
- int i2d_OSSL_CMP_ATAVS(const OSSL_CMP_ATAVS *a, unsigned char **out);
-
 =head1 DESCRIPTION
 
 B<OSSL_CMP_ATAV> is a short hand of B<OSSL_CRMF_ATTRIBUTETYPEANDVALUE>,
@@ -60,8 +49,8 @@ It combines OSSL_CMP_ATAV_new() and OSSL_CMP_ATAV_set0().
 OSSL_CMP_ATAV_set0() sets the I<atav> with an infoType of I<type> and an
 infoValue of I<value>.
 The pointers I<type> and I<value> may be NULL, otherwise
-they must B<not> be freed up after the call because they are used internally.
-The I<itav> pointer must not be NULL.
+they must B<not> be freed up after the call because their ownership
+is transferred to I<atav>. The I<itav> pointer must not be NULL.
 
 OSSL_CMP_ATAV_get0_type() returns a direct pointer to the infoType
 in the I<atav> unless it is NULL.
@@ -82,7 +71,7 @@ B<rsaKeyLen> and fills it in with the given I<len>, which must be positive.
 OSSL_CMP_ATAV_get_rsaKeyLen() returns
 the RSA key length in rsaKeyLen infoValue in the I<atav>,
 -1 if I<atav> is NULL or does not contain an rsaKeyLen or cannot be parsed,
-or -2 if the value is less than 0 or is greater than INT_MAX.
+or -2 if the value is less than 1.
 
 OSSL_CMP_ATAV_push1() pushes a copy of I<atav> to the stack of B<OSSL_CMP_ATAV>
 pointed to by I<*sk_p>. It creates a new stack if I<*sk_p> points to NULL.

diff --git a/doc/man3/OSSL_CMP_exec_certreq.pod b/doc/man3/OSSL_CMP_exec_certreq.pod
@@ -175,10 +175,11 @@ The CRL obtained this way must be freed by the caller.
 OSSL_CMP_get1_certReqTemplate() uses a genm request message with
 infoType certReqTemplate to obtain a certificate request template from the
 CMP server referenced by I<ctx>. On success it assigns to I<*certTemplate>
-the certificate template received. The optional I<keySpec> output parameter
-is assigned the key specification if received, otherwise it set to NULL.
+the certificate template received. NULL output means that no certificate
+request template was provided by the server.
+The optional I<keySpec> output parameter is assigned the key specification
+if received, otherwise it set to NULL.
 Both must be freed by the caller.
-NULL output means that no certificate request template was provided by the server.
 
 =head1 NOTES
 
@@ -248,7 +249,7 @@ Support for delayed delivery of all types of response messages
 was added in OpenSSL 3.3.
 
 OSSL_CMP_get1_crlUpdate() and OSSL_CMP_get1_certReqTemplate()
-was added in OpenSSL 3.4.
+were added in OpenSSL 3.4.
 
 =head1 COPYRIGHT
 

diff --git a/doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod b/doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod
@@ -11,10 +11,7 @@ OSSL_CRMF_CERTTEMPLATE_get0_extensions,
 OSSL_CRMF_CERTID_get0_serialNumber,
 OSSL_CRMF_CERTID_get0_issuer,
 OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert,
-OSSL_CRMF_MSG_get_certReqId,
-OSSL_CRMF_CERTTEMPLATE_dup,
-OSSL_CRMF_ATTRIBUTETYPEANDVALUE_dup,
-OSSL_CRMF_ATTRIBUTETYPEANDVALUE_free
+OSSL_CRMF_MSG_get_certReqId
 - functions reading from CRMF CertReqMsg structures
 
 =head1 SYNOPSIS
@@ -43,12 +40,6 @@ OSSL_CRMF_ATTRIBUTETYPEANDVALUE_free
                                         EVP_PKEY *pkey);
 
  int OSSL_CRMF_MSG_get_certReqId(const OSSL_CRMF_MSG *crm);
- OSSL_CRMF_CERTTEMPLATE *OSSL_CRMF_CERTTEMPLATE_dup(const OSSL_CRMF_CERTTEMPLATE *a);
-
- OSSL_CRMF_ATTRIBUTETYPEANDVALUE 
- *OSSL_CRMF_ATTRIBUTETYPEANDVALUE_dup(const OSSL_CRMF_ATTRIBUTETYPEANDVALUE *a);
- void OSSL_CRMF_ATTRIBUTETYPEANDVALUE_free(OSSL_CRMF_ATTRIBUTETYPEANDVALUE *a);
-
 
 =head1 DESCRIPTION
 

diff --git a/doc/man3/X509_dup.pod b/doc/man3/X509_dup.pod
@@ -136,6 +136,9 @@ OCSP_SIGNATURE_free,
 OCSP_SIGNATURE_new,
 OCSP_SINGLERESP_free,
 OCSP_SINGLERESP_new,
+OSSL_CMP_ATAVS_new,
+OSSL_CMP_ATAVS_free,
+OSSL_CMP_ATAVS_it,
 OSSL_CMP_CRLSTATUS_free,
 OSSL_CMP_ITAV_dup,
 OSSL_CMP_ITAV_free,
@@ -157,6 +160,9 @@ OSSL_CRMF_CERTID_new,
 OSSL_CRMF_CERTTEMPLATE_free,
 OSSL_CRMF_CERTTEMPLATE_it,
 OSSL_CRMF_CERTTEMPLATE_new,
+OSSL_CRMF_CERTTEMPLATE_dup,
+OSSL_CRMF_ATTRIBUTETYPEANDVALUE_dup,
+OSSL_CRMF_ATTRIBUTETYPEANDVALUE_free,
 OSSL_CRMF_ENCRYPTEDVALUE_free,
 OSSL_CRMF_ENCRYPTEDVALUE_it,
 OSSL_CRMF_ENCRYPTEDVALUE_new,

diff --git a/doc/man3/d2i_X509.pod b/doc/man3/d2i_X509.pod
@@ -89,6 +89,7 @@ d2i_OCSP_REVOKEDINFO,
 d2i_OCSP_SERVICELOC,
 d2i_OCSP_SIGNATURE,
 d2i_OCSP_SINGLERESP,
+d2i_OSSL_CMP_ATAVS,
 d2i_OSSL_CMP_MSG,
 d2i_OSSL_CMP_PKIHEADER,
 d2i_OSSL_CMP_PKISI,
@@ -264,6 +265,7 @@ i2d_OCSP_REVOKEDINFO,
 i2d_OCSP_SERVICELOC,
 i2d_OCSP_SIGNATURE,
 i2d_OCSP_SINGLERESP,
+i2d_OSSL_CMP_ATAVS,
 i2d_OSSL_CMP_MSG,
 i2d_OSSL_CMP_PKIHEADER,
 i2d_OSSL_CMP_PKISI,

diff --git a/include/internal/crmf.h b/include/internal/crmf.h
@@ -30,18 +30,18 @@ struct ossl_crmf_attributetypeandvalue_st {
         /* NID_id_regCtrl_protocolEncrKey */
         X509_PUBKEY *protocolEncrKey;
 
-        /* NID_id_regInfo_utf8Pairs */
-        ASN1_UTF8STRING *utf8Pairs;
-
-        /* NID_id_regInfo_certReq */
-        OSSL_CRMF_CERTREQUEST *certReq;
-
         /* NID_id_regCtrl_algId */
         X509_ALGOR *algId;
 
         /* NID_id_regCtrl_rsaKeyLen */
         ASN1_INTEGER *rsaKeyLen;
 
+        /* NID_id_regInfo_utf8Pairs */
+        ASN1_UTF8STRING *utf8Pairs;
+
+        /* NID_id_regInfo_certReq */
+        OSSL_CRMF_CERTREQUEST *certReq;
+
         ASN1_TYPE *other;
     } value;
 } /* OSSL_CRMF_ATTRIBUTETYPEANDVALUE */;

diff --git a/include/openssl/cmp.h.in b/include/openssl/cmp.h.in
@@ -325,7 +325,7 @@ OSSL_CMP_ATAV *OSSL_CMP_ATAV_new_algId(const X509_ALGOR *alg);
 X509_ALGOR *OSSL_CMP_ATAV_get0_algId(const OSSL_CMP_ATAV *atav);
 OSSL_CMP_ATAV *OSSL_CMP_ATAV_new_rsaKeyLen(int len);
 int OSSL_CMP_ATAV_get_rsaKeyLen(const OSSL_CMP_ATAV *atav);
-int OSSL_CMP_ATAV_push1(OSSL_CMP_ATAVS **sk_p, const OSSL_CMP_ATAV *itav);
+int OSSL_CMP_ATAV_push1(OSSL_CMP_ATAVS **sk_p, const OSSL_CMP_ATAV *atav);
 
 void OSSL_CMP_MSG_free(OSSL_CMP_MSG *msg);
 

diff --git a/test/recipes/80-test_cmp_http_data/test_commands.csv b/test/recipes/80-test_cmp_http_data/test_commands.csv
@@ -98,11 +98,11 @@ expected,description, -section,val, -cmd,val,val2, -cacertsout,val,val2, -infoty
 ,,,,,,,,,,,,,,,,,,,,,,
 1,genm certReqTemplate, -section,, -cmd,genm,, -template,_RESULT_DIR/test.template.der, -keyspec,_RESULT_DIR/test.keyspec.der, -infotype,certReqTemplate,,BLANK,,BLANK,,BLANK,,, -expect_sender, """"
 0,genm certReqTemplate missing template option, -section,, -cmd,genm,, -template,"""",, -infotype,certReqTemplate,,BLANK,,BLANK,
-1,genm certReqTemplate missing optional keyspec option, -section,, -cmd,genm,, -template,_RESULT_DIR/test.template.der, -keyspec,"""",, -infotype,certReqTemplate,,BLANK,,BLANK,
-0,genm certReqTemplate keyspec arg non-ex dir, -section,, -cmd,genm,, -template,_RESULT_DIR/test.template.der, -keyspec,idontexist/idontexist,, -infotype,certReqTemplate,,BLANK,,BLANK,
+1,genm certReqTemplate without optional keyspec option, -section,, -cmd,genm,, -template,_RESULT_DIR/test.template.der, -keyspec,"""",, -infotype,certReqTemplate,,BLANK,,BLANK,
 0,genm certReqTemplate missing template arg   , -section,, -cmd,genm,, -template,BLANK, -keyspec,_RESULT_DIR/test.keyspec.der, -infotype,certReqTemplate,,BLANK,,BLANK,
 0,genm certReqTemplate template extra arg     , -section,, -cmd,genm,, -template,_RESULT_DIR/test.template.der,_RESULT_DIR/test.template.der, -infotype,certReqTemplate,,BLANK,,BLANK,
 0,genm certReqTemplate template arg non-ex dir, -section,, -cmd,genm,, -template,idontexist/idontexist,, -infotype,certReqTemplate,,BLANK,,BLANK,
+0,genm certReqTemplate keyspec arg non-ex dir, -section,, -cmd,genm,, -template,_RESULT_DIR/test.template.der, -keyspec,idontexist/idontexist,, -infotype,certReqTemplate,,BLANK,,BLANK,
 ,,,,,,,,,,,,,,,,,,,,,,
 1,profile, -section,, -cmd,cr,, -cert,signer.crt, -key,signer.p12, -keypass,pass:12345,BLANK,, -profile,profile1,BLANK,,BLANK,
 0,profile wrong value, -section,, -cmd,cr,, -cert,signer.crt, -key,signer.p12, -keypass,pass:12345,BLANK,, -profile,profile2,BLANK,,BLANK,

diff --git a/util/other.syms b/util/other.syms
@@ -462,7 +462,7 @@ OSSL_CMP_MSTR                           define
 OSSL_CMP_P10CR                          define
 OSSL_CMP_ATAV                           define
 OSSL_CMP_ATAV_free                      define
-OSSL_CMP_ATAVS                           define
+OSSL_CMP_ATAVS                          define
 OSSL_CMP_certConf_cb_t                  datatype
 OSSL_CMP_log_cb_t                       datatype
 OSSL_CMP_severity                       datatype