add encrepted cert response for indirect POP

siemens · Jun 18, 2024 · c99807d · c99807d
1 parent 102bcc0
commit c99807d
Show file tree

Hide file tree

Showing 26 changed files with 741 additions and 195 deletions.
diff --git a/crypto/cmp/cmp_local.h b/crypto/cmp/cmp_local.h
@@ -999,8 +999,9 @@ int ossl_cmp_msg_set_bodytype(OSSL_CMP_MSG *msg, int type);
 OSSL_CMP_MSG *ossl_cmp_msg_create(OSSL_CMP_CTX *ctx, int bodytype);
 OSSL_CMP_MSG *ossl_cmp_certreq_new(OSSL_CMP_CTX *ctx, int bodytype,
                                    const OSSL_CRMF_MSG *crm);
-OSSL_CMP_CERTIFIEDKEYPAIR *ossl_cmp_Enccert_init(X509* cert,
-                                                 const X509* encryption_recip);
+OSSL_CMP_CERTIFIEDKEYPAIR *
+ossl_cmp_Enccert_init(X509 *cert, const X509 *encryption_recip,
+                      OSSL_LIB_CTX *libctx, const char *propq);
 OSSL_CMP_MSG *ossl_cmp_certrep_new(OSSL_CMP_CTX *ctx, int bodytype,
                                    int certReqId, const OSSL_CMP_PKISI *si,
                                    X509 *cert, const X509 *encryption_recip,

diff --git a/crypto/cmp/cmp_msg.c b/crypto/cmp/cmp_msg.c
@@ -19,6 +19,9 @@
 #include <openssl/crmf.h>
 #include <openssl/err.h>
 #include <openssl/x509.h>
+#include <openssl/cms.h>
+#include <openssl/pem.h>
+#include <openssl/bio.h>
 
 OSSL_CMP_MSG *OSSL_CMP_MSG_new(OSSL_LIB_CTX *libctx, const char *propq)
 {
@@ -449,6 +452,57 @@ OSSL_CMP_MSG *ossl_cmp_certreq_new(OSSL_CMP_CTX *ctx, int type,
     return NULL;
 }
 
+OSSL_CMP_CERTIFIEDKEYPAIR *
+ossl_cmp_Enccert_init(X509 *cert, const X509 *encryption_recip,
+                      OSSL_LIB_CTX *libctx, const char *propq)
+{
+    OSSL_CMP_CERTIFIEDKEYPAIR *certifiedKeyPair = NULL;
+    CMS_EnvelopedData *env = NULL;
+    CMS_ContentInfo *cms;
+    EVP_CIPHER *cipher;
+    OSSL_CRMF_ENCRYPTEDKEY *encKey = NULL;
+    BIO *data;
+
+    if ((certifiedKeyPair = OSSL_CMP_CERTIFIEDKEYPAIR_new()) == NULL)
+        goto err;
+
+    if ((cipher = EVP_CIPHER_fetch(NULL, "aes-256-cbc", NULL)) == NULL)
+        goto err;
+
+    if ((data = BIO_new(BIO_s_mem())) == NULL
+        || !i2d_X509_bio(data, cert))
+        goto err;
+
+    cms = CMS_EnvelopedData_create_ex(cipher, libctx, propq);
+    if (!CMS_add1_recipient_cert(cms, (X509 *)encryption_recip, 0)) {
+        ERR_raise(ERR_LIB_CMS, CMS_R_RECIPIENT_ERROR);
+        goto err;
+    }
+    CMS_set_detached(cms, 0);
+    if (CMS_final(cms, data, NULL, SMIME_BINARY) == 0)
+        goto err;
+
+    if ((env = CMS_EnvelopedData_dup(OSSL_CMS_get0_enveloped(cms))) == NULL)
+        goto err;
+
+    BIO_free(data);
+    CMS_ContentInfo_free(cms);
+
+    if ((encKey = OSSL_CRMF_ENCRYPTEDKEY_init_envdata(env)) == NULL)
+        goto err;
+
+    certifiedKeyPair->certOrEncCert->type = OSSL_CMP_CERTORENCCERT_ENCRYPTEDCERT;
+    certifiedKeyPair->certOrEncCert->value.encryptedCert = encKey;
+    return certifiedKeyPair;
+
+ err:
+    BIO_free(data);
+    OSSL_CMP_CERTIFIEDKEYPAIR_free(certifiedKeyPair);
+    EVP_CIPHER_free(cipher);
+    CMS_ContentInfo_free(cms);
+    return NULL;
+}
+
 OSSL_CMP_MSG *ossl_cmp_certrep_new(OSSL_CMP_CTX *ctx, int bodytype,
                                    int certReqId, const OSSL_CMP_PKISI *si,
                                    X509 *cert, const X509 *encryption_recip,
@@ -483,18 +537,20 @@ OSSL_CMP_MSG *ossl_cmp_certrep_new(OSSL_CMP_CTX *ctx, int bodytype,
     if (status != OSSL_CMP_PKISTATUS_rejection
             && status != OSSL_CMP_PKISTATUS_waiting && cert != NULL) {
         if (encryption_recip != NULL) {
-            ERR_raise(ERR_LIB_CMP, ERR_R_UNSUPPORTED);
-            goto err;
+            if ((resp->certifiedKeyPair
+                 = ossl_cmp_Enccert_init(cert, encryption_recip,
+                                         ctx->libctx, ctx->propq)) == NULL)
+                goto err;
+        } else {
+            if ((resp->certifiedKeyPair = OSSL_CMP_CERTIFIEDKEYPAIR_new())
+                == NULL)
+                goto err;
+            resp->certifiedKeyPair->certOrEncCert->type =
+                OSSL_CMP_CERTORENCCERT_CERTIFICATE;
+            if (!X509_up_ref(cert))
+                goto err;
+            resp->certifiedKeyPair->certOrEncCert->value.certificate = cert;
         }
-
-        if ((resp->certifiedKeyPair = OSSL_CMP_CERTIFIEDKEYPAIR_new())
-            == NULL)
-            goto err;
-        resp->certifiedKeyPair->certOrEncCert->type =
-            OSSL_CMP_CERTORENCCERT_CERTIFICATE;
-        if (!X509_up_ref(cert))
-            goto err;
-        resp->certifiedKeyPair->certOrEncCert->value.certificate = cert;
     }
 
     if (!sk_OSSL_CMP_CERTRESPONSE_push(repMsg->response, resp))
@@ -550,8 +606,7 @@ OSSL_CMP_MSG *ossl_cmp_rr_new(OSSL_CMP_CTX *ctx)
     } else if (ctx->p10CSR != NULL) {
         pubkey = X509_REQ_get0_pubkey(ctx->p10CSR);
         subject = X509_REQ_get_subject_name(ctx->p10CSR);
-    }
-    else {
+    } else {
         goto err;
     }
 

diff --git a/crypto/cmp/cmp_server.c b/crypto/cmp/cmp_server.c
@@ -217,6 +217,7 @@ static OSSL_CMP_MSG *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
     OSSL_CMP_MSG *msg = NULL;
     OSSL_CMP_PKISI *si = NULL;
     X509 *certOut = NULL;
+    X509 *encryption_recip = NULL;
     STACK_OF(X509) *chainOut = NULL, *caPubs = NULL;
     const OSSL_CRMF_MSG *crm = NULL;
     const X509_REQ *p10cr = NULL;
@@ -309,12 +310,16 @@ static OSSL_CMP_MSG *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
             goto err;
     }
 
+    if (OSSL_CRMF_MSG_certreq_encrcert_popo(crm))
+        encryption_recip = certOut; /* for indirect POP */
+
     msg = ossl_cmp_certrep_new(srv_ctx->ctx, bodytype, certReqId, si,
-                               certOut, NULL /* enc */, chainOut, caPubs,
+                               certOut, encryption_recip, chainOut, caPubs,
                                srv_ctx->sendUnprotectedErrors);
     /* When supporting OSSL_CRMF_POPO_KEYENC, "enc" will need to be set */
     if (msg == NULL)
         ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_CERTREP);
+    encryption_recip = NULL;
 
  err:
     OSSL_CMP_PKISI_free(si);

diff --git a/crypto/cmp/cmp_util.c b/crypto/cmp/cmp_util.c
@@ -298,3 +298,17 @@ int ossl_cmp_x509_algor_set0(X509_ALGOR **tgt, X509_ALGOR *src)
     *tgt = src;
     return 1;
 }
+
+int ossl_cmp_set0_ASN1_INTEGER(ASN1_INTEGER **tgt, ASN1_INTEGER *src)
+{
+    if (tgt == NULL || src == NULL) {
+        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
+        return 0;
+    }
+    if (*tgt == src) /* self-assignment */
+        return 1;
+
+    ASN1_INTEGER_free(*tgt);
+    *tgt = src;
+    return 1;
+}
diff --git a/crypto/cms/cms_asn1.c b/crypto/cms/cms_asn1.c
@@ -190,10 +190,51 @@ ASN1_SEQUENCE(CMS_PasswordRecipientInfo) = {
         ASN1_SIMPLE(CMS_PasswordRecipientInfo, encryptedKey, ASN1_OCTET_STRING)
 } ASN1_SEQUENCE_END(CMS_PasswordRecipientInfo)
 
+ASN1_ADB_TEMPLATE(oritypeandvalue_default) = ASN1_OPT(CMS_OtherRecipientInfo,
+                                                       oriValue.other,
+                                                       ASN1_ANY);
+ASN1_ADB(CMS_OtherRecipientInfo) = {
+      ADB_ENTRY(NID_id_smime_ori_kem,
+              ASN1_OPT(CMS_OtherRecipientInfo, oriValue.kemri,
+                       CMS_KEMRecipientInfo)),
+} ASN1_ADB_END(CMS_OtherRecipientInfo, 0, oriType, 0,
+               &oritypeandvalue_default_tt, NULL);
+
 ASN1_SEQUENCE(CMS_OtherRecipientInfo) = {
-  ASN1_SIMPLE(CMS_OtherRecipientInfo, oriType, ASN1_OBJECT),
-  ASN1_OPT(CMS_OtherRecipientInfo, oriValue, ASN1_ANY)
-} static_ASN1_SEQUENCE_END(CMS_OtherRecipientInfo)
+    ASN1_SIMPLE(CMS_OtherRecipientInfo, oriType, ASN1_OBJECT),
+    ASN1_ADB_OBJECT(CMS_OtherRecipientInfo)
+} ASN1_SEQUENCE_END(CMS_OtherRecipientInfo)
+
+ASN1_SEQUENCE(CMC_ORIforKEMOtherInfo) = {
+    ASN1_SIMPLE(CMC_ORIforKEMOtherInfo, wrap, X509_ALGOR),
+    ASN1_SIMPLE(CMC_ORIforKEMOtherInfo, kekLength, ASN1_INTEGER),
+    ASN1_EXP_OPT(CMC_ORIforKEMOtherInfo, ukm, ASN1_OCTET_STRING, 0),
+} ASN1_SEQUENCE_END(CMC_ORIforKEMOtherInfo)
+IMPLEMENT_ASN1_FUNCTIONS(CMC_ORIforKEMOtherInfo)
+
+/* Free up KEMRecipientInfo additional data */
+static int cms_kemri_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
+                       void *exarg)
+{
+    CMS_KEMRecipientInfo *kemri = (CMS_KEMRecipientInfo *)*pval;
+
+    if (operation == ASN1_OP_FREE_POST) {
+        OPENSSL_clear_free(kemri->secret, kemri->secret_len);
+    }
+    return 1;
+}
+
+ASN1_SEQUENCE_cb(CMS_KEMRecipientInfo, cms_kemri_cb) = {
+        ASN1_EMBED(CMS_KEMRecipientInfo, version, INT32),
+        ASN1_SIMPLE(CMS_KEMRecipientInfo, rid, CMS_SignerIdentifier),
+        ASN1_SIMPLE(CMS_KEMRecipientInfo, kem, X509_ALGOR),
+        ASN1_SIMPLE(CMS_KEMRecipientInfo, kemct, ASN1_OCTET_STRING),
+        ASN1_SIMPLE(CMS_KEMRecipientInfo, kdf, X509_ALGOR),
+        ASN1_SIMPLE(CMS_KEMRecipientInfo, kekLength, ASN1_INTEGER),
+        ASN1_EXP_OPT(CMS_KEMRecipientInfo, ukm, ASN1_OCTET_STRING, 0),
+        ASN1_SIMPLE(CMS_KEMRecipientInfo, wrap, X509_ALGOR),
+        ASN1_SIMPLE(CMS_KEMRecipientInfo, encryptedKey, ASN1_OCTET_STRING)
+} ASN1_SEQUENCE_END_cb(CMS_KEMRecipientInfo, CMS_KEMRecipientInfo)
 
 /* Free up RecipientInfo additional data */
 static int cms_ri_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
@@ -232,6 +273,7 @@ ASN1_NDEF_SEQUENCE(CMS_EnvelopedData) = {
         ASN1_SIMPLE(CMS_EnvelopedData, encryptedContentInfo, CMS_EncryptedContentInfo),
         ASN1_IMP_SET_OF_OPT(CMS_EnvelopedData, unprotectedAttrs, X509_ATTRIBUTE, 1)
 } ASN1_NDEF_SEQUENCE_END(CMS_EnvelopedData)
+IMPLEMENT_ASN1_DUP_FUNCTION(CMS_EnvelopedData)
 
 ASN1_NDEF_SEQUENCE(CMS_DigestedData) = {
         ASN1_EMBED(CMS_DigestedData, version, INT32),