diff --git a/apps/cmp.c b/apps/cmp.c
index a853913d0306f..78a2d5c7e821f 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -2191,6 +2191,9 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
 CMP_warn1("-template %s", msg);
 if (opt_keyspec != NULL)
 CMP_warn1("-keyspec %s", msg);
+ } else {
+ if (opt_template == NULL)
+ CMP_err("missing -template option for genm with infotype certReqTemplate");
 }
 if (!setup_verification_ctx(ctx))
@@ -3235,8 +3238,10 @@ static void print_keyspec(OSSL_CMP_ATAVS *keySpec)
 const char *p;
 long len;
- if (keySpec == NULL)
+ if (keySpec == NULL) {
+ CMP_info1("No %s", desc);
 return;
+ }
 mem = BIO_new(BIO_s_mem());
 if (mem == NULL) {
@@ -3271,7 +3276,7 @@ static void print_keyspec(OSSL_CMP_ATAVS *keySpec)
 }
 break;
 case NID_id_regCtrl_rsaKeyLen:
- BIO_printf(mem, "Key algorithm: RSA %d bit\n",
+ BIO_printf(mem, "Key algorithm: RSA %d \n",
 OSSL_CMP_ATAV_get_rsaKeyLen(atav));
 break;
 default:
@@ -3448,11 +3453,15 @@ static int do_genm(OSSL_CMP_CTX *ctx)
 CMP_warn("no certificate request template available");
 if (!delete_file(opt_template, "certTemplate from genp"))
 return 0;
+ if (opt_keyspec != NULL
+ && !delete_file(opt_keyspec, "keySpec from genp"))
+ return 0;
 return 1;
 }
 if (!save_template(opt_template, certTemplate))
 goto tmpl_end;
+ print_keyspec(keySpec);
 if (opt_keyspec != NULL) {
 if (keySpec == NULL) {
 CMP_warn("no key specifications available");
@@ -3462,7 +3471,7 @@ static int do_genm(OSSL_CMP_CTX *ctx)
 goto tmpl_end;
 }
 }
- print_keyspec(keySpec);
+ res = 1;
 tmpl_end:
 OSSL_CRMF_CERTTEMPLATE_free(certTemplate);
diff --git a/apps/lib/cmp_mock_srv.c b/apps/lib/cmp_mock_srv.c
index 128f971395f89..c3ce137ad10ea 100644
--- a/apps/lib/cmp_mock_srv.c
+++ b/apps/lib/cmp_mock_srv.c
@@ -520,6 +520,7 @@ static OSSL_CMP_ITAV *process_genm_itav(mock_srv_ctx *ctx, int req_nid,
 rsp = OSSL_CMP_ITAV_new0_certReqTemplate(reqtemp, keyspec);
 return rsp;
+
 crt_err:
 OSSL_CRMF_CERTTEMPLATE_free(reqtemp);
 OSSL_CMP_ATAVS_free(keyspec);
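Review bot: The new `else` branch reports a missing `-template` through CMP_err but, as far as the hunk shows, does not fail setup_client_ctx: control falls through to `setup_verification_ctx(ctx)` and the run proceeds without a template file. If the option is mandatory for infotype certReqTemplate, the message should be followed by `return 0;` (or the function's cleanup path, if it has one outside the hunk); if some later check is what actually fails the run, a one-line comment saying so would stop the next reader from re-raising this. setup_client_ctx begins and ends outside the hunk.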
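Review bot: The new format string `"Key algorithm: RSA %d \n"` in print_keyspec leaves a stray space before the newline, and the value it prints is the raw return of OSSL_CMP_ATAV_get_rsaKeyLen, whose -1/-2 error codes (see the cmp_asn.c hunk in this commit) would be printed as if they were a key length. Keep the result in a local and branch on it: `int len = OSSL_CMP_ATAV_get_rsaKeyLen(atav);` / `if (len > 0) BIO_printf(mem, "Key algorithm: RSA %d bit\n", len);` / `else BIO_printf(mem, "Key algorithm: RSA, invalid key length\n");`. If dropping the word "bit" was deliberate, at least the trailing space should go. print_keyspec continues outside the hunk.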
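Review bot: With `print_keyspec(keySpec)` moved ahead of the `-keyspec` handling in do_genm, a NULL keySpec is now reported twice when `-keyspec` was given: once by the `CMP_info1("No %s", desc)` added to print_keyspec and again by the `CMP_warn("no key specifications available")` that follows in the same hunk. One of the two should go, or the warning should be limited to the case where a keySpec file was requested but cannot be produced. do_genm and its `tmpl_end` cleanup continue outside the hunk, so I cannot confirm here that keySpec is freed on every path.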
diff --git a/crypto/cmp/cmp_asn.c b/crypto/cmp/cmp_asn.c
index 2f067cb73a83d..c8d6719b1c790 100644
--- a/crypto/cmp/cmp_asn.c
+++ b/crypto/cmp/cmp_asn.c
@@ -406,15 +406,13 @@ int OSSL_CMP_ITAV_get1_certReqTemplate(const OSSL_CMP_ITAV *itav,
 OSSL_CRMF_CERTTEMPLATE **certTemplate,
 OSSL_CMP_ATAVS **keySpec)
 {
- OSSL_CMP_CERTREQTEMPLATE *req;
+ OSSL_CMP_CERTREQTEMPLATE *tpl;
 if (itav == NULL || certTemplate == NULL) {
 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
 return 0;
 }
- if (certTemplate != NULL)
- *certTemplate = NULL;
 if (keySpec != NULL)
 *keySpec = NULL;
@@ -422,20 +420,20 @@ int OSSL_CMP_ITAV_get1_certReqTemplate(const OSSL_CMP_ITAV *itav,
 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_INVALID_ARGUMENT);
 return 0;
 }
- req = itav->infoValue.certReqTemplate;
- if (req == NULL) /* no requirements available */
+ tpl = itav->infoValue.certReqTemplate;
+ if (tpl == NULL) /* no requirements available */
 return 1;
- if ((*certTemplate = OSSL_CRMF_CERTTEMPLATE_dup(req->certTemplate)) == NULL)
+ if ((*certTemplate = OSSL_CRMF_CERTTEMPLATE_dup(tpl->certTemplate)) == NULL)
 return 0;
- if (keySpec != NULL && req->keySpec != NULL) {
- int i, n = sk_OSSL_CMP_ATAV_num(req->keySpec);
+ if (keySpec != NULL && tpl->keySpec != NULL) {
+ int i, n = sk_OSSL_CMP_ATAV_num(tpl->keySpec);
 *keySpec = sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_new_reserve(NULL, n);
 if (*keySpec == NULL)
- return 0;
+ goto err;
 for (i = 0; i < n; i++) {
- OSSL_CMP_ATAV *atav = sk_OSSL_CMP_ATAV_value(req->keySpec, i);
+ OSSL_CMP_ATAV *atav = sk_OSSL_CMP_ATAV_value(tpl->keySpec, i);
 ASN1_OBJECT *type = OSSL_CMP_ATAV_get0_type(atav /* may be NULL */);
 int nid;
 const char *name;
@@ -460,8 +458,7 @@ int OSSL_CMP_ITAV_get1_certReqTemplate(const OSSL_CMP_ITAV *itav,
 i, name);
 goto err;
 }
- sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_push(*keySpec, atav);
- sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_set(req->keySpec, i, NULL);
+ OSSL_CMP_ATAV_push1(keySpec, atav);
 }
 }
 return 1;
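Review bot: Removing both `if (certTemplate != NULL)` and `*certTemplate = NULL;` drops an initialization, not just a redundant guard: on the `tpl == NULL` path in the following hunk the function now returns 1 without ever writing `*certTemplate`, so a caller that tests the output for NULL (the contract the OSSL_CMP_exec_certreq.pod change in this commit spells out) reads whatever the variable held before the call. Keep `*certTemplate = NULL;` right after the argument check, unconditionally, since certTemplate has already been verified non-NULL at that point.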
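Review bot: The return value of `OSSL_CMP_ATAV_push1(keySpec, atav)` is discarded, so if the copy fails the loop carries on, the function still returns 1, and the caller receives a silently shortened keySpec stack. Every other failure in this loop already uses `goto err`; this one should match: `if (!OSSL_CMP_ATAV_push1(keySpec, atav)) goto err;`. The `err` label lies outside the hunk, so I cannot confirm from here that it also frees and NULLs `*certTemplate` and `*keySpec` for the caller.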
@@ -549,7 +546,7 @@ int OSSL_CMP_ATAV_get_rsaKeyLen(const OSSL_CMP_ATAV *atav)
 if (atav == NULL || OBJ_obj2nid(atav->type) != NID_id_regCtrl_rsaKeyLen
 || !ASN1_INTEGER_get_int64(&val, atav->value.rsaKeyLen))
 return -1;
- if (val < 0 || val > INT_MAX)
+ if (val <= 0)
 return -2;
 return (int)val;
 }
diff --git a/crypto/crmf/crmf_asn.c b/crypto/crmf/crmf_asn.c
index f1b2df365e8a8..55b0c39bf82d6 100644
--- a/crypto/crmf/crmf_asn.c
+++ b/crypto/crmf/crmf_asn.c
@@ -146,18 +146,18 @@ ASN1_ADB(OSSL_CRMF_ATTRIBUTETYPEANDVALUE) = {
 ADB_ENTRY(NID_id_regCtrl_protocolEncrKey,
 ASN1_SIMPLE(OSSL_CRMF_ATTRIBUTETYPEANDVALUE,
 value.protocolEncrKey, X509_PUBKEY)),
- ADB_ENTRY(NID_id_regInfo_utf8Pairs,
- ASN1_SIMPLE(OSSL_CRMF_ATTRIBUTETYPEANDVALUE,
- value.utf8Pairs, ASN1_UTF8STRING)),
- ADB_ENTRY(NID_id_regInfo_certReq,
- ASN1_SIMPLE(OSSL_CRMF_ATTRIBUTETYPEANDVALUE,
- value.certReq, OSSL_CRMF_CERTREQUEST)),
 ADB_ENTRY(NID_id_regCtrl_algId,
 ASN1_SIMPLE(OSSL_CRMF_ATTRIBUTETYPEANDVALUE,
 value.algId, X509_ALGOR)),
 ADB_ENTRY(NID_id_regCtrl_rsaKeyLen,
 ASN1_SIMPLE(OSSL_CRMF_ATTRIBUTETYPEANDVALUE,
 value.rsaKeyLen, ASN1_INTEGER)),
+ ADB_ENTRY(NID_id_regInfo_utf8Pairs,
+ ASN1_SIMPLE(OSSL_CRMF_ATTRIBUTETYPEANDVALUE,
+ value.utf8Pairs, ASN1_UTF8STRING)),
+ ADB_ENTRY(NID_id_regInfo_certReq,
+ ASN1_SIMPLE(OSSL_CRMF_ATTRIBUTETYPEANDVALUE,
+ value.certReq, OSSL_CRMF_CERTREQUEST)),
 } ASN1_ADB_END(OSSL_CRMF_ATTRIBUTETYPEANDVALUE, 0, type, 0, &attributetypeandvalue_default_tt, NULL);
diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in
index 1a996a9af85a2..0939bbd08a795 100644
--- a/doc/man1/openssl-cmp.pod.in
+++ b/doc/man1/openssl-cmp.pod.in
@@ -254,8 +254,8 @@ ITAV Bs is printed to stdout.
 Set InfoType name to use for requesting specific info in B, e.g., C.
-So far, there is specific support for C, C
-and C.
+There is specific support for C, C,
+C, and C (CRL update retrieval).
 =item B<-profile> I
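Review bot: Replacing `val < 0 || val > INT_MAX` with `val <= 0` drops the upper-bound check while `return (int)val;` still narrows the int64 read from the ASN1_INTEGER, so an encoded value above INT_MAX now yields an implementation-defined truncated result instead of -2. The value comes from a peer's genp message, and on common two's-complement ABIs a wire value such as 2^32 + 2048 (constructed example) would be reported as a plausible 2048. Keep the upper bound, `if (val <= 0 || val > INT_MAX) return -2;`, and reword the OSSL_CMP_ATAV_set0.pod sentence changed in this commit to "less than 1 or greater than INT_MAX". OSSL_CMP_ATAV_get_rsaKeyLen begins outside the hunk.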
@@ -277,7 +277,7 @@ received in a genp message with id-it-certReqTemplate. =item B<-keyspec> I -It is optioanl and used to specify the file to save any keySpec if +It is optional and used to specify the file to save any keySpec if present in a genp message with id-it-keyGenParameters. Note: any keySpec field contents received are logged as INFO. diff --git a/doc/man3/OSSL_CMP_ATAV_set0.pod b/doc/man3/OSSL_CMP_ATAV_set0.pod index 4df639e1af8dc..905c93b9c69e6 100644 --- a/doc/man3/OSSL_CMP_ATAV_set0.pod +++ b/doc/man3/OSSL_CMP_ATAV_set0.pod @@ -13,12 +13,7 @@ OSSL_CMP_ATAV_new_rsaKeyLen, OSSL_CMP_ATAV_get_rsaKeyLen, OSSL_CMP_ATAVS, OSSL_CMP_ATAV_push1, -OSSL_CMP_ATAV_free, -OSSL_CMP_ATAVS_new, -OSSL_CMP_ATAVS_free, -OSSL_CMP_ATAVS_it, -d2i_OSSL_CMP_ATAVS, -i2d_OSSL_CMP_ATAVS +OSSL_CMP_ATAV_free - OSSL_CMP_ATAV utility functions =head1 SYNOPSIS @@ -41,12 +36,6 @@ i2d_OSSL_CMP_ATAVS int OSSL_CMP_ATAV_push1(OSSL_CMP_ATAVS **sk_p, const OSSL_CMP_ATAV *atav); void OSSL_CMP_ATAV_free(OSSL_CMP_ATAV *atav); - OSSL_CMP_ATAVS *OSSL_CMP_ATAVS_new(void); - void OSSL_CMP_ATAVS_free(OSSL_CMP_ATAVS *a); - const ASN1_ITEM * OSSL_CMP_ATAVS_it(void); - OSSL_CMP_ATAVS *d2i_OSSL_CMP_ATAVS(OSSL_CMP_ATAVS **a, const unsigned char **in, long len); - int i2d_OSSL_CMP_ATAVS(const OSSL_CMP_ATAVS *a, unsigned char **out); - =head1 DESCRIPTION B is a short hand of B, @@ -60,8 +49,8 @@ It combines OSSL_CMP_ATAV_new() and OSSL_CMP_ATAV_set0(). OSSL_CMP_ATAV_set0() sets the I with an infoType of I and an infoValue of I. The pointers I and I may be NULL, otherwise -they must B be freed up after the call because they are used internally. -The I pointer must not be NULL. +they must B be freed up after the call because their ownership +is transferred to I. The I pointer must not be NULL. OSSL_CMP_ATAV_get0_type() returns a direct pointer to the infoType in the I unless it is NULL. 
@@ -82,7 +71,7 @@ B and fills it in with the given I, which must be positive. OSSL_CMP_ATAV_get_rsaKeyLen() returns the RSA key length in rsaKeyLen infoValue in the I, -1 if I is NULL or does not contain an rsaKeyLen or cannot be parsed, -or -2 if the value is less than 0 or is greater than INT_MAX. +or -2 if the value is less than 1. OSSL_CMP_ATAV_push1() pushes a copy of I to the stack of B pointed to by I<*sk_p>. It creates a new stack if I<*sk_p> points to NULL. diff --git a/doc/man3/OSSL_CMP_exec_certreq.pod b/doc/man3/OSSL_CMP_exec_certreq.pod index c82aa948de4cf..c1428be90e1d1 100644 --- a/doc/man3/OSSL_CMP_exec_certreq.pod +++ b/doc/man3/OSSL_CMP_exec_certreq.pod @@ -175,10 +175,11 @@ The CRL obtained this way must be freed by the caller. OSSL_CMP_get1_certReqTemplate() uses a genm request message with infoType certReqTemplate to obtain a certificate request template from the CMP server referenced by I. On success it assigns to I<*certTemplate> -the certificate template received. The optional I output parameter -is assigned the key specification if received, otherwise it set to NULL. +the certificate template received. NULL output means that no certificate +request template was provided by the server. +The optional I output parameter is assigned the key specification +if received, otherwise it set to NULL. Both must be freed by the caller. -NULL output means that no certificate request template was provided by the server. =head1 NOTES @@ -248,7 +249,7 @@ Support for delayed delivery of all types of response messages was added in OpenSSL 3.3. OSSL_CMP_get1_crlUpdate() and OSSL_CMP_get1_certReqTemplate() -was added in OpenSSL 3.4. +were added in OpenSSL 3.4. =head1 COPYRIGHT diff --git a/doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod b/doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod index 08a04ad2eab0a..9d57719a485ab 100644 --- a/doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod +++ b/doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod 
@@ -11,10 +11,7 @@ OSSL_CRMF_CERTTEMPLATE_get0_extensions,
 OSSL_CRMF_CERTID_get0_serialNumber,
 OSSL_CRMF_CERTID_get0_issuer,
 OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert,
-OSSL_CRMF_MSG_get_certReqId,
-OSSL_CRMF_CERTTEMPLATE_dup,
-OSSL_CRMF_ATTRIBUTETYPEANDVALUE_dup,
-OSSL_CRMF_ATTRIBUTETYPEANDVALUE_free
+OSSL_CRMF_MSG_get_certReqId
 - functions reading from CRMF CertReqMsg structures
 =head1 SYNOPSIS
@@ -43,12 +40,6 @@ OSSL_CRMF_ATTRIBUTETYPEANDVALUE_free
 EVP_PKEY *pkey);
 int OSSL_CRMF_MSG_get_certReqId(const OSSL_CRMF_MSG *crm);
- OSSL_CRMF_CERTTEMPLATE *OSSL_CRMF_CERTTEMPLATE_dup(const OSSL_CRMF_CERTTEMPLATE *a);
-
- OSSL_CRMF_ATTRIBUTETYPEANDVALUE
- *OSSL_CRMF_ATTRIBUTETYPEANDVALUE_dup(const OSSL_CRMF_ATTRIBUTETYPEANDVALUE *a);
- void OSSL_CRMF_ATTRIBUTETYPEANDVALUE_free(OSSL_CRMF_ATTRIBUTETYPEANDVALUE *a);
-
 =head1 DESCRIPTION
diff --git a/doc/man3/X509_dup.pod b/doc/man3/X509_dup.pod
index 17100a45ffb5e..567b467806947 100644
--- a/doc/man3/X509_dup.pod
+++ b/doc/man3/X509_dup.pod
@@ -136,6 +136,9 @@ OCSP_SIGNATURE_free,
 OCSP_SIGNATURE_new,
 OCSP_SINGLERESP_free,
 OCSP_SINGLERESP_new,
+OSSL_CMP_ATAVS_new,
+OSSL_CMP_ATAVS_free,
+OSSL_CMP_ATAVS_it,
 OSSL_CMP_CRLSTATUS_free,
 OSSL_CMP_ITAV_dup,
 OSSL_CMP_ITAV_free,
@@ -157,6 +160,9 @@ OSSL_CRMF_CERTID_new,
 OSSL_CRMF_CERTTEMPLATE_free,
 OSSL_CRMF_CERTTEMPLATE_it,
 OSSL_CRMF_CERTTEMPLATE_new,
+OSSL_CRMF_CERTTEMPLATE_dup,
+OSSL_CRMF_ATTRIBUTETYPEANDVALUE_dup,
+OSSL_CRMF_ATTRIBUTETYPEANDVALUE_free,
 OSSL_CRMF_ENCRYPTEDVALUE_free,
 OSSL_CRMF_ENCRYPTEDVALUE_it,
 OSSL_CRMF_ENCRYPTEDVALUE_new,
diff --git a/doc/man3/d2i_X509.pod b/doc/man3/d2i_X509.pod
index 06f764ef8bb8c..9abe014071a39 100644
--- a/doc/man3/d2i_X509.pod
+++ b/doc/man3/d2i_X509.pod
@@ -89,6 +89,7 @@ d2i_OCSP_REVOKEDINFO,
 d2i_OCSP_SERVICELOC,
 d2i_OCSP_SIGNATURE,
 d2i_OCSP_SINGLERESP,
+d2i_OSSL_CMP_ATAVS,
 d2i_OSSL_CMP_MSG,
 d2i_OSSL_CMP_PKIHEADER,
 d2i_OSSL_CMP_PKISI,
@@ -264,6 +265,7 @@ i2d_OCSP_REVOKEDINFO,
 i2d_OCSP_SERVICELOC,
 i2d_OCSP_SIGNATURE,
 i2d_OCSP_SINGLERESP,
+i2d_OSSL_CMP_ATAVS,
 i2d_OSSL_CMP_MSG,
 i2d_OSSL_CMP_PKIHEADER,
 i2d_OSSL_CMP_PKISI,
diff --git a/include/internal/crmf.h b/include/internal/crmf.h
index a2d831633ddad..9e37320d83305 100644
--- a/include/internal/crmf.h
+++ b/include/internal/crmf.h
@@ -30,18 +30,18 @@ struct ossl_crmf_attributetypeandvalue_st {
 /* NID_id_regCtrl_protocolEncrKey */
 X509_PUBKEY *protocolEncrKey;
- /* NID_id_regInfo_utf8Pairs */
- ASN1_UTF8STRING *utf8Pairs;
-
- /* NID_id_regInfo_certReq */
- OSSL_CRMF_CERTREQUEST *certReq;
-
 /* NID_id_regCtrl_algId */
 X509_ALGOR *algId;
 /* NID_id_regCtrl_rsaKeyLen */
 ASN1_INTEGER *rsaKeyLen;
+ /* NID_id_regInfo_utf8Pairs */
+ ASN1_UTF8STRING *utf8Pairs;
+
+ /* NID_id_regInfo_certReq */
+ OSSL_CRMF_CERTREQUEST *certReq;
+
 ASN1_TYPE *other;
 } value;
 } /* OSSL_CRMF_ATTRIBUTETYPEANDVALUE */;
diff --git a/include/openssl/cmp.h.in b/include/openssl/cmp.h.in
index e0637f9c27d45..d659331fa38fa 100644
--- a/include/openssl/cmp.h.in
+++ b/include/openssl/cmp.h.in
@@ -325,7 +325,7 @@ OSSL_CMP_ATAV *OSSL_CMP_ATAV_new_algId(const X509_ALGOR *alg);
 X509_ALGOR *OSSL_CMP_ATAV_get0_algId(const OSSL_CMP_ATAV *atav);
 OSSL_CMP_ATAV *OSSL_CMP_ATAV_new_rsaKeyLen(int len);
 int OSSL_CMP_ATAV_get_rsaKeyLen(const OSSL_CMP_ATAV *atav);
-int OSSL_CMP_ATAV_push1(OSSL_CMP_ATAVS **sk_p, const OSSL_CMP_ATAV *itav);
+int OSSL_CMP_ATAV_push1(OSSL_CMP_ATAVS **sk_p, const OSSL_CMP_ATAV *atav);
 void OSSL_CMP_MSG_free(OSSL_CMP_MSG *msg);
diff --git a/test/recipes/80-test_cmp_http_data/test_commands.csv b/test/recipes/80-test_cmp_http_data/test_commands.csv
index 4c7d385fa3ec9..460e80b940922 100644
--- a/test/recipes/80-test_cmp_http_data/test_commands.csv
+++ b/test/recipes/80-test_cmp_http_data/test_commands.csv
@@ -98,11 +98,11 @@ expected,description, -section,val, -cmd,val,val2, -cacertsout,val,val2, -infoty ,,,,,,,,,,,,,,,,,,,,,, 1,genm certReqTemplate, -section,, -cmd,genm,, -template,_RESULT_DIR/test.template.der, -keyspec,_RESULT_DIR/test.keyspec.der, -infotype,certReqTemplate,,BLANK,,BLANK,,BLANK,,, -expect_sender, """" 0,genm certReqTemplate missing template option, -section,, -cmd,genm,, -template,"""",, -infotype,certReqTemplate,,BLANK,,BLANK, -1,genm certReqTemplate missing optional keyspec option, -section,, -cmd,genm,, -template,_RESULT_DIR/test.template.der, -keyspec,"""",, -infotype,certReqTemplate,,BLANK,,BLANK, -0,genm certReqTemplate keyspec arg non-ex dir, -section,, -cmd,genm,, -template,_RESULT_DIR/test.template.der, -keyspec,idontexist/idontexist,, -infotype,certReqTemplate,,BLANK,,BLANK, +1,genm certReqTemplate without optional keyspec option, -section,, -cmd,genm,, -template,_RESULT_DIR/test.template.der, -keyspec,"""",, -infotype,certReqTemplate,,BLANK,,BLANK, 0,genm certReqTemplate missing template arg , -section,, -cmd,genm,, -template,BLANK, -keyspec,_RESULT_DIR/test.keyspec.der, -infotype,certReqTemplate,,BLANK,,BLANK, 0,genm certReqTemplate template extra arg , -section,, -cmd,genm,, -template,_RESULT_DIR/test.template.der,_RESULT_DIR/test.template.der, -infotype,certReqTemplate,,BLANK,,BLANK, 0,genm certReqTemplate template arg non-ex dir, -section,, -cmd,genm,, -template,idontexist/idontexist,, -infotype,certReqTemplate,,BLANK,,BLANK, +0,genm certReqTemplate keyspec arg non-ex dir, -section,, -cmd,genm,, -template,_RESULT_DIR/test.template.der, -keyspec,idontexist/idontexist,, -infotype,certReqTemplate,,BLANK,,BLANK, ,,,,,,,,,,,,,,,,,,,,,, 1,profile, -section,, -cmd,cr,, -cert,signer.crt, -key,signer.p12, -keypass,pass:12345,BLANK,, -profile,profile1,BLANK,,BLANK, 0,profile wrong value, -section,, -cmd,cr,, -cert,signer.crt, -key,signer.p12, -keypass,pass:12345,BLANK,, -profile,profile2,BLANK,,BLANK, 
diff --git a/util/other.syms b/util/other.syms
index 87ef03fe335c5..0581680a1a6fb 100644
--- a/util/other.syms
+++ b/util/other.syms
@@ -462,7 +462,7 @@ OSSL_CMP_MSTR define
 OSSL_CMP_P10CR define
 OSSL_CMP_ATAV define
 OSSL_CMP_ATAV_free define
-OSSL_CMP_ATAVS define
+OSSL_CMP_ATAVS define
 OSSL_CMP_certConf_cb_t datatype
 OSSL_CMP_log_cb_t datatype
 OSSL_CMP_severity datatype