diff --git a/crypto/cmp/cmp_local.h b/crypto/cmp/cmp_local.h index 091c78c460691b..56914302ef5749 100644 --- a/crypto/cmp/cmp_local.h +++ b/crypto/cmp/cmp_local.h @@ -999,8 +999,9 @@ int ossl_cmp_msg_set_bodytype(OSSL_CMP_MSG *msg, int type); OSSL_CMP_MSG *ossl_cmp_msg_create(OSSL_CMP_CTX *ctx, int bodytype); OSSL_CMP_MSG *ossl_cmp_certreq_new(OSSL_CMP_CTX *ctx, int bodytype, const OSSL_CRMF_MSG *crm); -OSSL_CMP_CERTIFIEDKEYPAIR *ossl_cmp_Enccert_init(X509* cert, - const X509* encryption_recip); +OSSL_CMP_CERTIFIEDKEYPAIR * +ossl_cmp_Enccert_init(X509 *cert, const X509 *encryption_recip, + OSSL_LIB_CTX *libctx, const char *propq); OSSL_CMP_MSG *ossl_cmp_certrep_new(OSSL_CMP_CTX *ctx, int bodytype, int certReqId, const OSSL_CMP_PKISI *si, X509 *cert, const X509 *encryption_recip, diff --git a/crypto/cmp/cmp_msg.c b/crypto/cmp/cmp_msg.c index 659c1774ec5174..a6a4a84020da74 100644 --- a/crypto/cmp/cmp_msg.c +++ b/crypto/cmp/cmp_msg.c @@ -19,6 +19,9 @@ #include #include #include +#include +#include +#include OSSL_CMP_MSG *OSSL_CMP_MSG_new(OSSL_LIB_CTX *libctx, const char *propq) { 
@@ -449,6 +452,57 @@ OSSL_CMP_MSG *ossl_cmp_certreq_new(OSSL_CMP_CTX *ctx, int type, return NULL; } +OSSL_CMP_CERTIFIEDKEYPAIR * +ossl_cmp_Enccert_init(X509 *cert, const X509 *encryption_recip, + OSSL_LIB_CTX *libctx, const char *propq) +{ + OSSL_CMP_CERTIFIEDKEYPAIR *certifiedKeyPair = NULL; + CMS_EnvelopedData *env = NULL; + CMS_ContentInfo *cms; + EVP_CIPHER *cipher; + OSSL_CRMF_ENCRYPTEDKEY *encKey = NULL; + BIO *data; + + if ((certifiedKeyPair = OSSL_CMP_CERTIFIEDKEYPAIR_new()) == NULL) + goto err; + + if ((cipher = EVP_CIPHER_fetch(NULL, "aes-256-cbc", NULL)) == NULL) + goto err; + + if ((data = BIO_new(BIO_s_mem())) == NULL + || !i2d_X509_bio(data, cert)) + goto err; + + cms = CMS_EnvelopedData_create_ex(cipher, libctx, propq); + if (!CMS_add1_recipient_cert(cms, (X509 *)encryption_recip, 0)) { + ERR_raise(ERR_LIB_CMS, CMS_R_RECIPIENT_ERROR); + goto err; + } + CMS_set_detached(cms, 0); + if (CMS_final(cms, data, NULL, SMIME_BINARY) == 0) + goto err; + + if ((env = CMS_EnvelopedData_dup(OSSL_CMS_get0_enveloped(cms))) == NULL) + goto err; + + BIO_free(data); + CMS_ContentInfo_free(cms); + + if ((encKey = OSSL_CRMF_ENCRYPTEDKEY_init_envdata(env)) == NULL) + goto err; + + certifiedKeyPair->certOrEncCert->type = OSSL_CMP_CERTORENCCERT_ENCRYPTEDCERT; + certifiedKeyPair->certOrEncCert->value.encryptedCert = encKey; + return certifiedKeyPair; + + err: + BIO_free(data); + OSSL_CMP_CERTIFIEDKEYPAIR_free(certifiedKeyPair); + EVP_CIPHER_free(cipher); + CMS_ContentInfo_free(cms); + return NULL; +} + OSSL_CMP_MSG *ossl_cmp_certrep_new(OSSL_CMP_CTX *ctx, int bodytype, int certReqId, const OSSL_CMP_PKISI *si, X509 *cert, const X509 *encryption_recip, 
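Review bot: The `err:` label in ossl_cmp_Enccert_init frees pointers that are either uninitialised or already freed: `cms`, `cipher` and `data` have no initialiser, so a failure of `OSSL_CMP_CERTIFIEDKEYPAIR_new()` passes indeterminate values to `BIO_free`, `EVP_CIPHER_free` and `CMS_ContentInfo_free`, and a failure of `OSSL_CRMF_ENCRYPTEDKEY_init_envdata()` reaches `err:` after `data` and `cms` were already released. The return value of `CMS_EnvelopedData_create_ex()` is not checked, `EVP_CIPHER_fetch(NULL, ..., NULL)` ignores the `libctx`/`propq` the function was given, and `cipher` is never freed on the success path. `env` also looks leaked when `init_envdata` fails and should be released there with the tree's CMS_EnvelopedData destructor. The sketch below initialises the locals and releases the temporaries in one place, after ownership of the result is settled.

```c
    CMS_ContentInfo *cms = NULL;
    EVP_CIPHER *cipher = NULL;
    BIO *data = NULL;

    /* ... unchanged: OSSL_CMP_CERTIFIEDKEYPAIR_new() ... */
    if ((cipher = EVP_CIPHER_fetch(libctx, "aes-256-cbc", propq)) == NULL)
        goto err;
    /* ... unchanged: BIO_new() / i2d_X509_bio() ... */
    if ((cms = CMS_EnvelopedData_create_ex(cipher, libctx, propq)) == NULL)
        goto err;
    /* ... unchanged: recipient setup, CMS_final(), CMS_EnvelopedData_dup() ... */
    if ((encKey = OSSL_CRMF_ENCRYPTEDKEY_init_envdata(env)) == NULL)
        goto err;

    certifiedKeyPair->certOrEncCert->type = OSSL_CMP_CERTORENCCERT_ENCRYPTEDCERT;
    certifiedKeyPair->certOrEncCert->value.encryptedCert = encKey;
    /* release temporaries exactly once, on the success path */
    BIO_free(data);
    CMS_ContentInfo_free(cms);
    EVP_CIPHER_free(cipher);
    return certifiedKeyPair;
    /* ... unchanged: err: cleanup ... */
```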
@@ -483,18 +537,20 @@ OSSL_CMP_MSG *ossl_cmp_certrep_new(OSSL_CMP_CTX *ctx, int bodytype, if (status != OSSL_CMP_PKISTATUS_rejection && status != OSSL_CMP_PKISTATUS_waiting && cert != NULL) { if (encryption_recip != NULL) { - ERR_raise(ERR_LIB_CMP, ERR_R_UNSUPPORTED); - goto err; + if ((resp->certifiedKeyPair + = ossl_cmp_Enccert_init(cert, encryption_recip, + ctx->libctx, ctx->propq)) == NULL) + goto err; + } else { + if ((resp->certifiedKeyPair = OSSL_CMP_CERTIFIEDKEYPAIR_new()) + == NULL) + goto err; + resp->certifiedKeyPair->certOrEncCert->type = + OSSL_CMP_CERTORENCCERT_CERTIFICATE; + if (!X509_up_ref(cert)) + goto err; + resp->certifiedKeyPair->certOrEncCert->value.certificate = cert; } - - if ((resp->certifiedKeyPair = OSSL_CMP_CERTIFIEDKEYPAIR_new()) - == NULL) - goto err; - resp->certifiedKeyPair->certOrEncCert->type = - OSSL_CMP_CERTORENCCERT_CERTIFICATE; - if (!X509_up_ref(cert)) - goto err; - resp->certifiedKeyPair->certOrEncCert->value.certificate = cert; } if (!sk_OSSL_CMP_CERTRESPONSE_push(repMsg->response, resp)) @@ -550,8 +606,7 @@ OSSL_CMP_MSG *ossl_cmp_rr_new(OSSL_CMP_CTX *ctx) } else if (ctx->p10CSR != NULL) { pubkey = X509_REQ_get0_pubkey(ctx->p10CSR); subject = X509_REQ_get_subject_name(ctx->p10CSR); - } - else { + } else { goto err; } diff --git a/crypto/cmp/cmp_server.c b/crypto/cmp/cmp_server.c index a002faa8c27319..45159e094563a8 100644 --- a/crypto/cmp/cmp_server.c +++ b/crypto/cmp/cmp_server.c @@ -217,6 +217,7 @@ static OSSL_CMP_MSG *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx, OSSL_CMP_MSG *msg = NULL; OSSL_CMP_PKISI *si = NULL; X509 *certOut = NULL; + X509 *encryption_recip = NULL; STACK_OF(X509) *chainOut = NULL, *caPubs = NULL; const OSSL_CRMF_MSG *crm = NULL; const X509_REQ *p10cr = NULL; 
@@ -309,12 +310,16 @@ static OSSL_CMP_MSG *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx, goto err; } + if (OSSL_CRMF_MSG_certreq_encrcert_popo(crm)) + encryption_recip = certOut; /* for indirect POP */ + msg = ossl_cmp_certrep_new(srv_ctx->ctx, bodytype, certReqId, si, - certOut, NULL /* enc */, chainOut, caPubs, + certOut, encryption_recip, chainOut, caPubs, srv_ctx->sendUnprotectedErrors); /* When supporting OSSL_CRMF_POPO_KEYENC, "enc" will need to be set */ if (msg == NULL) ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_CREATING_CERTREP); + encryption_recip = NULL; err: OSSL_CMP_PKISI_free(si); diff --git a/crypto/cmp/cmp_util.c b/crypto/cmp/cmp_util.c index b1817ff9b16547..d1f9ac8b9a6ca9 100644 --- a/crypto/cmp/cmp_util.c +++ b/crypto/cmp/cmp_util.c @@ -298,3 +298,17 @@ int ossl_cmp_x509_algor_set0(X509_ALGOR **tgt, X509_ALGOR *src) *tgt = src; return 1; } + +int ossl_cmp_set0_ASN1_INTEGER(ASN1_INTEGER **tgt, ASN1_INTEGER *src) +{ + if (tgt == NULL || src == NULL) { + ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); + return 0; + } + if (*tgt == src) /* self-assignment */ + return 1; + + ASN1_INTEGER_free(*tgt); + *tgt = src; + return 1; +} \ No newline at end of file diff --git a/crypto/cms/cms_asn1.c b/crypto/cms/cms_asn1.c index bc6b2769f98cdf..17e05446666cd9 100644 --- a/crypto/cms/cms_asn1.c +++ b/crypto/cms/cms_asn1.c 
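Review bot: `OSSL_CRMF_MSG_certreq_encrcert_popo(crm)` is called here without checking that `crm` is set; the declarations in the previous hunk show `crm` starting as NULL next to a `p10cr` pointer, so a PKCS#10-based request would presumably reach the helper with NULL and leave a `CRMF_R_NULL_ARGUMENT` entry on the error queue of an otherwise successful response. Guard the call with `if (crm != NULL && OSSL_CRMF_MSG_certreq_encrcert_popo(crm))`. The comment `/* When supporting OSSL_CRMF_POPO_KEYENC, "enc" will need to be set */` left after the call is now stale and should be removed or reworded. The body of process_cert_request extends outside the hunk.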
@@ -190,10 +190,51 @@ ASN1_SEQUENCE(CMS_PasswordRecipientInfo) = { ASN1_SIMPLE(CMS_PasswordRecipientInfo, encryptedKey, ASN1_OCTET_STRING) } ASN1_SEQUENCE_END(CMS_PasswordRecipientInfo) +ASN1_ADB_TEMPLATE(oritypeandvalue_default) = ASN1_OPT(CMS_OtherRecipientInfo, + oriValue.other, + ASN1_ANY); +ASN1_ADB(CMS_OtherRecipientInfo) = { + ADB_ENTRY(NID_id_smime_ori_kem, + ASN1_OPT(CMS_OtherRecipientInfo, oriValue.kemri, + CMS_KEMRecipientInfo)), +} ASN1_ADB_END(CMS_OtherRecipientInfo, 0, oriType, 0, + &oritypeandvalue_default_tt, NULL); + ASN1_SEQUENCE(CMS_OtherRecipientInfo) = { - ASN1_SIMPLE(CMS_OtherRecipientInfo, oriType, ASN1_OBJECT), - ASN1_OPT(CMS_OtherRecipientInfo, oriValue, ASN1_ANY) -} static_ASN1_SEQUENCE_END(CMS_OtherRecipientInfo) + ASN1_SIMPLE(CMS_OtherRecipientInfo, oriType, ASN1_OBJECT), + ASN1_ADB_OBJECT(CMS_OtherRecipientInfo) +} ASN1_SEQUENCE_END(CMS_OtherRecipientInfo) + +ASN1_SEQUENCE(CMC_ORIforKEMOtherInfo) = { + ASN1_SIMPLE(CMC_ORIforKEMOtherInfo, wrap, X509_ALGOR), + ASN1_SIMPLE(CMC_ORIforKEMOtherInfo, kekLength, ASN1_INTEGER), + ASN1_EXP_OPT(CMC_ORIforKEMOtherInfo, ukm, ASN1_OCTET_STRING, 0), +} ASN1_SEQUENCE_END(CMC_ORIforKEMOtherInfo) +IMPLEMENT_ASN1_FUNCTIONS(CMC_ORIforKEMOtherInfo) + +/* Free up KEMRecipientInfo additional data */ +static int cms_kemri_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, + void *exarg) +{ + CMS_KEMRecipientInfo *kemri = (CMS_KEMRecipientInfo *)*pval; + + if (operation == ASN1_OP_FREE_POST) { + OPENSSL_clear_free(kemri->secret, kemri->secret_len); + } + return 1; +} + +ASN1_SEQUENCE_cb(CMS_KEMRecipientInfo, cms_kemri_cb) = { + ASN1_EMBED(CMS_KEMRecipientInfo, version, INT32), + ASN1_SIMPLE(CMS_KEMRecipientInfo, rid, CMS_SignerIdentifier), + ASN1_SIMPLE(CMS_KEMRecipientInfo, kem, X509_ALGOR), + ASN1_SIMPLE(CMS_KEMRecipientInfo, kemct, ASN1_OCTET_STRING), + ASN1_SIMPLE(CMS_KEMRecipientInfo, kdf, X509_ALGOR), + ASN1_SIMPLE(CMS_KEMRecipientInfo, kekLength, ASN1_INTEGER), + ASN1_EXP_OPT(CMS_KEMRecipientInfo, 
ukm, ASN1_OCTET_STRING, 0), + ASN1_SIMPLE(CMS_KEMRecipientInfo, wrap, X509_ALGOR), + ASN1_SIMPLE(CMS_KEMRecipientInfo, encryptedKey, ASN1_OCTET_STRING) +} ASN1_SEQUENCE_END_cb(CMS_KEMRecipientInfo, CMS_KEMRecipientInfo) /* Free up RecipientInfo additional data */ static int cms_ri_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, @@ -232,6 +273,7 @@ ASN1_NDEF_SEQUENCE(CMS_EnvelopedData) = { ASN1_SIMPLE(CMS_EnvelopedData, encryptedContentInfo, CMS_EncryptedContentInfo), ASN1_IMP_SET_OF_OPT(CMS_EnvelopedData, unprotectedAttrs, X509_ATTRIBUTE, 1) } ASN1_NDEF_SEQUENCE_END(CMS_EnvelopedData) +IMPLEMENT_ASN1_DUP_FUNCTION(CMS_EnvelopedData) ASN1_NDEF_SEQUENCE(CMS_DigestedData) = { ASN1_EMBED(CMS_DigestedData, version, INT32), diff --git a/crypto/cms/cms_env.c b/crypto/cms/cms_env.c index b877e106199aee..8b4370a4316171 100644 --- a/crypto/cms/cms_env.c +++ b/crypto/cms/cms_env.c @@ -18,6 +18,7 @@ #include "crypto/asn1.h" #include "crypto/evp.h" #include "crypto/x509.h" +#include "internal/cmp.h" #include "cms_local.h" /* CMS EnvelopedData Utilities */ @@ -60,7 +61,7 @@ void ossl_cms_env_enc_content_free(const CMS_ContentInfo *cinf) } } -CMS_EnvelopedData *ossl_cms_get0_enveloped(CMS_ContentInfo *cms) +CMS_EnvelopedData *OSSL_CMS_get0_enveloped(CMS_ContentInfo *cms) { if (OBJ_obj2nid(cms->contentType) != NID_pkcs7_enveloped) { ERR_raise(ERR_LIB_CMS, CMS_R_CONTENT_TYPE_NOT_ENVELOPED_DATA); @@ -93,7 +94,7 @@ static CMS_EnvelopedData *cms_enveloped_data_init(CMS_ContentInfo *cms) cms->contentType = OBJ_nid2obj(NID_pkcs7_enveloped); return cms->d.envelopedData; } - return ossl_cms_get0_enveloped(cms); + return OSSL_CMS_get0_enveloped(cms); } static CMS_AuthEnvelopedData * 
@@ -329,6 +330,113 @@ CMS_ContentInfo *CMS_AuthEnvelopedData_create(const EVP_CIPHER *cipher) return CMS_AuthEnvelopedData_create_ex(cipher, NULL, NULL); } +int cms_ORIforKEMOtherInfo_new(CMS_KEMRecipientInfo *kemri, + unsigned char **out, int *len) +{ + int ret = 0; + CMC_ORIforKEMOtherInfo *kemorinfo = NULL; + + if (kemri == NULL || out == NULL || len == NULL) + return 0; + + if ((kemorinfo = CMC_ORIforKEMOtherInfo_new()) == NULL + || !ossl_cmp_x509_algor_set0(&kemorinfo->wrap, + X509_ALGOR_dup(kemri->wrap)) + || !ossl_cmp_set0_ASN1_INTEGER(&kemorinfo->kekLength, + ASN1_INTEGER_dup(kemri->kekLength)) + || (kemri->ukm != NULL + && !ossl_cmp_asn1_octet_string_set1(&kemorinfo->ukm, kemri->ukm))) + goto err; + + if ((*len = i2d_CMC_ORIforKEMOtherInfo(kemorinfo, out)) <= 0) + goto err; + + ret = 1; + + err: + M_ASN1_free_of(kemorinfo, CMC_ORIforKEMOtherInfo); + return ret; +} + +/* perform kem encapsulation and create SSK */ +static int cms_RecipientInfo_kemri_init(CMS_RecipientInfo *ri, X509 *recip, + EVP_PKEY *pk, unsigned int flags, + const CMS_CTX *ctx) +{ + CMS_KEMRecipientInfo *kemri; + unsigned char *ss = NULL, *ct = NULL, *info = NULL; + size_t sslen, ctlen; + int idtype, infolen = 0; + int ret = 0; + + ri->d.ori = M_ASN1_new_of(CMS_OtherRecipientInfo); + if (ri->d.ori == NULL) + return 0; + ri->type = CMS_RECIPINFO_OTHER; + + ri->d.ori->oriType = OBJ_nid2obj(NID_id_smime_ori_kem); + kemri = M_ASN1_new_of(CMS_KEMRecipientInfo); + if (kemri == NULL) + goto err; + ri->d.ori->oriValue.kemri = kemri; + + kemri->version = 0; + + if (flags & CMS_USE_KEYID) + idtype = CMS_RECIPINFO_KEYIDENTIFIER; + else + idtype = CMS_RECIPINFO_ISSUER_SERIAL; + + if (!ossl_cmp_kem_performKemEncapsulation(pk, + &sslen, &ss, + &ctlen, &ct, + ctx->libctx, ctx->propq)) + goto err; + + /* + * Not a typo: RecipientIdentifier and SignerIdentifier are the same + * structure. 
+ */ + if (!ossl_cms_set1_SignerIdentifier(kemri->rid, recip, idtype, ctx) + || !ossl_cmp_asn1_octet_string_set1_bytes(&kemri->kemct, + ct, ctlen) + || !ossl_cmp_x509_algor_set0(&kemri->kem, + ossl_cmp_kem_algor(pk, ctx->libctx, + ctx->propq)) + || !ossl_cmp_x509_algor_set0(&kemri->kdf, + ossl_cmp_kem_kdf_algor(NID_hkdfWithSHA256, + ctx->libctx, + ctx->propq)) + || !ASN1_INTEGER_set(kemri->kekLength, 32)) /* hard code for testing*/ + goto err; + + kemri->secret_len = 32; + /* hard coded for KEK of length 32 */ + (void)X509_ALGOR_set0(kemri->wrap, OBJ_nid2obj(NID_id_aes256_wrap), + V_ASN1_UNDEF, NULL); /* cannot fail */ + + if (!cms_ORIforKEMOtherInfo_new(kemri, &info, &infolen)) + goto err; + + if (!ossl_cmp_kem_derive_ssk_HKDF(ss, sslen, NULL, 0, info, infolen, + &kemri->secret, kemri->secret_len, + ctx->libctx, ctx->propq)) + goto err; + + ret = 1; + + err: + if (!ret) { + M_ASN1_free_of(kemri, CMS_KEMRecipientInfo); + M_ASN1_free_of(ri->d.ori, CMS_OtherRecipientInfo); + } + OPENSSL_clear_free(ss, sslen); + OPENSSL_clear_free(ct, ctlen); + OPENSSL_clear_free(info, infolen); + + return ret; +} + /* Key Transport Recipient Info (KTRI) routines */ /* Initialise a ktri based on passed certificate and key */ @@ -426,6 +534,11 @@ CMS_RecipientInfo *CMS_add1_recipient(CMS_ContentInfo *cms, X509 *recip, goto err; break; + case CMS_RECIPINFO_OTHER_KEM: + if (!cms_RecipientInfo_kemri_init(ri, recip, pk, flags, ctx)) + goto err; + break; + default: ERR_raise(ERR_LIB_CMS, CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE); goto err; 
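Review bot: The `err:` path of cms_RecipientInfo_kemri_init frees `kemri` and then `ri->d.ori`, but `kemri` was already stored in `ri->d.ori->oriValue.kemri`, so freeing the ORI appears to release it a second time through the new ADB template; `ri->d.ori` is also left dangling with `ri->type` already set to `CMS_RECIPINFO_OTHER`, which the caller's own cleanup may free again. Drop the `M_ASN1_free_of(kemri, CMS_KEMRecipientInfo);` line and add `ri->d.ori = NULL;` after freeing the ORI. `sslen` and `ctlen` are read by `OPENSSL_clear_free` on paths where encapsulation never ran, so declare them as `size_t sslen = 0, ctlen = 0;`. The KEK length of 32 marked `hard code for testing` should be derived from the chosen wrap algorithm before this is merged.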
@@ -1016,6 +1129,166 @@ static int cms_RecipientInfo_kekri_decrypt(CMS_ContentInfo *cms, return r; } +static int cms_RecipientInfo_kemri_encrypt(const CMS_ContentInfo *cms, + CMS_KEMRecipientInfo *kemri) +{ + CMS_EncryptedContentInfo *ec; + unsigned char *wkey = NULL; + int wkeylen; + int r = 0; + EVP_CIPHER *cipher = NULL; + int outlen = 0; + EVP_CIPHER_CTX *ctx = NULL; + const CMS_CTX *cms_ctx = ossl_cms_get0_cmsctx(cms); + + ec = ossl_cms_get0_env_enc_content(cms); + if (ec == NULL) + return 0; + + if (kemri->secret == NULL) { + ERR_raise(ERR_LIB_CMS, CMS_R_NO_KEY); + return 0; + } + + cipher = cms_get_key_wrap_cipher(kemri->secret_len, cms_ctx); + if (cipher == NULL) { + ERR_raise(ERR_LIB_CMS, CMS_R_INVALID_KEY_LENGTH); + goto err; + } + + /* 8 byte prefix for AES wrap ciphers */ + wkey = OPENSSL_malloc(ec->keylen + 8); + if (wkey == NULL) + goto err; + + ctx = EVP_CIPHER_CTX_new(); + if (ctx == NULL) { + ERR_raise(ERR_LIB_CMS, ERR_R_EVP_LIB); + goto err; + } + + EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW); + if (!EVP_EncryptInit_ex(ctx, cipher, NULL, kemri->secret, NULL) + || !EVP_EncryptUpdate(ctx, wkey, &wkeylen, ec->key, ec->keylen) + || !EVP_EncryptFinal_ex(ctx, wkey + wkeylen, &outlen)) { + ERR_raise(ERR_LIB_CMS, CMS_R_WRAP_ERROR); + goto err; + } + wkeylen += outlen; + if (!ossl_assert((size_t)wkeylen == ec->keylen + 8)) { + ERR_raise(ERR_LIB_CMS, CMS_R_WRAP_ERROR); + goto err; + } + + ASN1_STRING_set0(kemri->encryptedKey, wkey, wkeylen); + + r = 1; + err: + EVP_CIPHER_free(cipher); + if (!r) + OPENSSL_free(wkey); + EVP_CIPHER_CTX_free(ctx); + + return r; +} + +int cms_RecipientInfo_kemri_decrypt(const CMS_ContentInfo *cms, + CMS_KEMRecipientInfo *kemri) +{ + CMS_EncryptedContentInfo *ec; + unsigned char *ukey = NULL; + int ukeylen; + int r = 0, wrap_nid; + EVP_CIPHER *cipher = NULL; + int outlen = 0; + EVP_CIPHER_CTX *ctx = NULL; + const CMS_CTX *cms_ctx = ossl_cms_get0_cmsctx(cms); + + ec = ossl_cms_get0_env_enc_content(cms); + if (ec 
== NULL) + return 0; + + if (!kemri->secret) { + ERR_raise(ERR_LIB_CMS, CMS_R_NO_KEY); + return 0; + } + + kemri->secret_len = ASN1_INTEGER_get(kemri->kekLength); + wrap_nid = OBJ_obj2nid(kemri->wrap->algorithm); + if (aes_wrap_keylen(wrap_nid) != kemri->secret_len) { + ERR_raise(ERR_LIB_CMS, CMS_R_INVALID_KEY_LENGTH); + return 0; + } + + /* If encrypted key length is invalid don't bother */ + if (kemri->encryptedKey->length < 16) { + ERR_raise(ERR_LIB_CMS, CMS_R_INVALID_ENCRYPTED_KEY_LENGTH); + goto err; + } + + cipher = cms_get_key_wrap_cipher(kemri->secret_len, cms_ctx); + if (cipher == NULL) { + ERR_raise(ERR_LIB_CMS, CMS_R_INVALID_KEY_LENGTH); + goto err; + } + + ukey = OPENSSL_malloc(kemri->encryptedKey->length - 8); + if (ukey == NULL) + goto err; + + ctx = EVP_CIPHER_CTX_new(); + if (ctx == NULL) { + ERR_raise(ERR_LIB_CMS, ERR_R_EVP_LIB); + goto err; + } + + if (!EVP_DecryptInit_ex(ctx, cipher, NULL, kemri->secret, NULL) + || !EVP_DecryptUpdate(ctx, ukey, &ukeylen, + kemri->encryptedKey->data, + kemri->encryptedKey->length) + || !EVP_DecryptFinal_ex(ctx, ukey + ukeylen, &outlen)) { + ERR_raise(ERR_LIB_CMS, CMS_R_UNWRAP_ERROR); + goto err; + } + ukeylen += outlen; + + OPENSSL_clear_free(ec->key, ec->keylen); + ec->key = ukey; + ec->keylen = ukeylen; + + r = 1; + + err: + EVP_CIPHER_free(cipher); + if (!r) + OPENSSL_free(ukey); + EVP_CIPHER_CTX_free(ctx); + + return r; +} + +static int cms_RecipientInfo_ori_encrypt(const CMS_ContentInfo *cms, + CMS_OtherRecipientInfo *ori) +{ + if (ori != NULL && ori->oriType == OBJ_nid2obj(NID_id_smime_ori_kem)) + return cms_RecipientInfo_kemri_encrypt(cms, + (CMS_KEMRecipientInfo*) ori->oriValue.kemri); + + ERR_raise(ERR_LIB_CMS, CMS_R_UNSUPPORTED_RECIPIENT_TYPE); + return 0; +} + +static int cms_RecipientInfo_ori_decrypt(CMS_ContentInfo *cms, + CMS_OtherRecipientInfo *ori) +{ + if (ori != NULL && ori->oriType == OBJ_nid2obj(NID_id_smime_ori_kem)) + return cms_RecipientInfo_kemri_decrypt(cms, + (CMS_KEMRecipientInfo*) 
ori->oriValue.kemri); + + ERR_raise(ERR_LIB_CMS, CMS_R_UNSUPPORTED_RECIPIENT_TYPE); + return 0; +} + int CMS_RecipientInfo_decrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri) { switch (ri->type) { @@ -1027,6 +1300,9 @@ int CMS_RecipientInfo_decrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri) case CMS_RECIPINFO_PASS: return ossl_cms_RecipientInfo_pwri_crypt(cms, ri, 0); + + case CMS_RECIPINFO_OTHER: + return cms_RecipientInfo_ori_decrypt(cms, ri->d.ori); default: ERR_raise(ERR_LIB_CMS, CMS_R_UNSUPPORTED_RECIPIENTINFO_TYPE); @@ -1048,6 +1324,9 @@ int CMS_RecipientInfo_encrypt(const CMS_ContentInfo *cms, CMS_RecipientInfo *ri) case CMS_RECIPINFO_PASS: return ossl_cms_RecipientInfo_pwri_crypt(cms, ri, 1); + + case CMS_RECIPINFO_OTHER: + return cms_RecipientInfo_ori_encrypt(cms, ri->d.ori); default: ERR_raise(ERR_LIB_CMS, CMS_R_UNSUPPORTED_RECIPIENT_TYPE); @@ -1264,7 +1543,7 @@ int ossl_cms_EnvelopedData_final(CMS_ContentInfo *cms, BIO *chain) EVP_CIPHER_CTX *ctx = NULL; BIO *mbio = BIO_find_type(chain, BIO_TYPE_CIPHER); - env = ossl_cms_get0_enveloped(cms); + env = OSSL_CMS_get0_enveloped(cms); if (env == NULL) return 0; @@ -1350,7 +1629,7 @@ int ossl_cms_pkey_get_ri_type(EVP_PKEY *pk) else if (EVP_PKEY_is_a(pk, "EC")) return CMS_RECIPINFO_AGREE; else if (EVP_PKEY_is_a(pk, "RSA")) - return CMS_RECIPINFO_TRANS; + return CMS_RECIPINFO_OTHER_KEM; /* for testing RSA KEM */ /* * Otherwise this might ben an engine implementation, so see if we can get diff --git a/crypto/cms/cms_local.h b/crypto/cms/cms_local.h index 7069021267defa..dfbc23ddcb9aa0 100644 --- a/crypto/cms/cms_local.h +++ b/crypto/cms/cms_local.h 
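Review bot: cms_RecipientInfo_ori_encrypt and cms_RecipientInfo_ori_decrypt identify the KEM type with a pointer comparison, `ori->oriType == OBJ_nid2obj(NID_id_smime_ori_kem)`, and hand `ori->oriValue.kemri` on without a NULL check. Pointer identity only holds when the decoder happens to return the shared table object, and the template in cms_asn1.c declares the KEM value as `ASN1_OPT`, so a parsed message can apparently carry the KEM type with no value, which cms_RecipientInfo_kemri_decrypt then dereferences. Use `OBJ_obj2nid(ori->oriType) == NID_id_smime_ori_kem && ori->oriValue.kemri != NULL` in both helpers, matching the `OBJ_obj2nid` test used in cms_smime.c.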
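Review bot: Returning `CMS_RECIPINFO_OTHER_KEM` for every RSA key in ossl_cms_pkey_get_ri_type, marked `for testing RSA KEM`, switches all RSA recipients from key transport to the new KEM path. Existing callers that encrypt to RSA certificates would then produce a KEMRecipientInfo that current peers presumably cannot decrypt, and checks that expect `CMS_RECIPINFO_TRANS` for RSA keys may stop matching. Keep `return CMS_RECIPINFO_TRANS;` as the default and select KEM only on an explicit opt-in (a flag or a dedicated key type), with a comment stating how it is chosen.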
@@ -41,6 +41,8 @@ typedef struct CMS_KEKIdentifier_st CMS_KEKIdentifier; typedef struct CMS_KEKRecipientInfo_st CMS_KEKRecipientInfo; typedef struct CMS_PasswordRecipientInfo_st CMS_PasswordRecipientInfo; typedef struct CMS_OtherRecipientInfo_st CMS_OtherRecipientInfo; +typedef struct CMS_KEMRecipientInfo_st CMS_KEMRecipientInfo; +typedef struct CMC_ORIforKEMOtherInfo_st CMC_ORIforKEMOtherInfo; typedef struct CMS_ReceiptsFrom_st CMS_ReceiptsFrom; typedef struct CMS_CTX_st CMS_CTX; @@ -241,9 +243,54 @@ struct CMS_PasswordRecipientInfo_st { const CMS_CTX *cms_ctx; }; +/* +CMSORIforKEMOtherInfo ::= SEQUENCE { + wrap KeyEncryptionAlgorithmIdentifier, + kekLength INTEGER (1..65535), + ukm [0] EXPLICIT UserKeyingMaterial OPTIONAL } +*/ +struct CMC_ORIforKEMOtherInfo_st { + X509_ALGOR *wrap; + ASN1_INTEGER *kekLength; + ASN1_OCTET_STRING *ukm; +}; + +/* + KEMRecipientInfo ::= SEQUENCE { + version CMSVersion, -- always set to 0 + rid RecipientIdentifier, + kem KEMAlgorithmIdentifier, + kemct OCTET STRING, + kdf KeyDerivationAlgorithmIdentifier, + kekLength INTEGER (1..65535), + ukm [0] EXPLICIT UserKeyingMaterial OPTIONAL, + wrap KeyEncryptionAlgorithmIdentifier, + encryptedKey EncryptedKey } +*/ +struct CMS_KEMRecipientInfo_st { + int32_t version; + CMS_RecipientIdentifier *rid; + X509_ALGOR *kem; + ASN1_OCTET_STRING *kemct; + X509_ALGOR *kdf; + ASN1_INTEGER *kekLength; + ASN1_OCTET_STRING *ukm; + X509_ALGOR *wrap; + ASN1_OCTET_STRING *encryptedKey; + /* generated KEK */ + size_t secret_len; + unsigned char *secret; +}; + struct CMS_OtherRecipientInfo_st { ASN1_OBJECT *oriType; - ASN1_TYPE *oriValue; + union { + char *ptr; + /* NID_id_smime_ori_kem */ + CMS_KEMRecipientInfo *kemri; + /* this is to be used for so far undeclared objects */ + ASN1_TYPE *other; + } oriValue; }; struct CMS_DigestedData_st { 
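Review bot: The new struct is named `CMC_ORIforKEMOtherInfo_st` while the ASN.1 comment directly above it, and every other type in this header, uses the CMS prefix (`CMSORIforKEMOtherInfo`). Unless CMC is intended, rename the typedef, the struct and the matching `ASN1_SEQUENCE`/`DECLARE_ASN1_FUNCTIONS` uses to `CMS_ORIforKEMOtherInfo` before the name spreads. It would also help to extend the `/* generated KEK */` comment to say that `secret` and `secret_len` are not part of the encoding and are wiped by the free callback in cms_asn1.c.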
@@ -448,7 +495,7 @@ int ossl_cms_EnvelopedData_final(CMS_ContentInfo *cms, BIO *chain); BIO *ossl_cms_AuthEnvelopedData_init_bio(CMS_ContentInfo *cms); int ossl_cms_AuthEnvelopedData_final(CMS_ContentInfo *cms, BIO *cmsbio); void ossl_cms_env_enc_content_free(const CMS_ContentInfo *cinf); -CMS_EnvelopedData *ossl_cms_get0_enveloped(CMS_ContentInfo *cms); +/* CMS_EnvelopedData *ossl_cms_get0_enveloped(CMS_ContentInfo *cms); */ CMS_AuthEnvelopedData *ossl_cms_get0_auth_enveloped(CMS_ContentInfo *cms); CMS_EncryptedContentInfo *ossl_cms_get0_env_enc_content(const CMS_ContentInfo *cms); @@ -485,6 +532,11 @@ int ossl_cms_ecdh_envelope(CMS_RecipientInfo *ri, int decrypt); int ossl_cms_rsa_envelope(CMS_RecipientInfo *ri, int decrypt); int ossl_cms_rsa_sign(CMS_SignerInfo *si, int verify); +int cms_RecipientInfo_kemri_decrypt(const CMS_ContentInfo *cms, + CMS_KEMRecipientInfo *kemri); +int cms_ORIforKEMOtherInfo_new(CMS_KEMRecipientInfo *kemri, + unsigned char **out, int *len); + DECLARE_ASN1_ITEM(CMS_CertificateChoices) DECLARE_ASN1_ITEM(CMS_DigestedData) DECLARE_ASN1_ITEM(CMS_EncryptedData) @@ -493,6 +545,8 @@ DECLARE_ASN1_ITEM(CMS_AuthEnvelopedData) DECLARE_ASN1_ITEM(CMS_KEKRecipientInfo) DECLARE_ASN1_ITEM(CMS_KeyAgreeRecipientInfo) DECLARE_ASN1_ITEM(CMS_KeyTransRecipientInfo) +DECLARE_ASN1_ITEM(CMS_OtherRecipientInfo) +DECLARE_ASN1_ITEM(CMS_KEMRecipientInfo) DECLARE_ASN1_ITEM(CMS_OriginatorPublicKey) DECLARE_ASN1_ITEM(CMS_OtherKeyAttribute) DECLARE_ASN1_ITEM(CMS_Receipt) @@ -503,4 +557,6 @@ DECLARE_ASN1_ITEM(CMS_RevocationInfoChoice) DECLARE_ASN1_ITEM(CMS_SignedData) DECLARE_ASN1_ITEM(CMS_CompressedData) +DECLARE_ASN1_FUNCTIONS(CMC_ORIforKEMOtherInfo) + #endif diff --git a/crypto/cms/cms_smime.c b/crypto/cms/cms_smime.c index 99a72f4dffe3cf..d5e9d99b6fb883 100644 --- a/crypto/cms/cms_smime.c +++ b/crypto/cms/cms_smime.c @@ -8,6 +8,7 @@ */ #include "internal/cryptlib.h" +#include "internal/cmp.h" #include #include #include 
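Review bot: The old prototype is left behind as a comment, `/* CMS_EnvelopedData *ossl_cms_get0_enveloped(CMS_ContentInfo *cms); */`; delete the line rather than commenting it out, and state in the commit where `OSSL_CMS_get0_enveloped` is now declared. The two prototypes added in the next hunk, `cms_RecipientInfo_kemri_decrypt` and `cms_ORIforKEMOtherInfo_new`, are non-static symbols without the `ossl_` prefix the neighbouring internal functions carry, so they land in the library's global namespace; `ossl_cms_...` names would match the rest of the header.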
@@ -696,6 +697,35 @@ static int cms_kari_set1_pkey_and_peer(CMS_ContentInfo *cms, return 0; } +static int cms_kemri_set1_pkey(CMS_ContentInfo *cms, + CMS_KEMRecipientInfo *kemri, + EVP_PKEY *pk) +{ + unsigned char *ss = NULL, *info = NULL; + size_t sslen = 0; + int ret = 0, infolen = 0; + + if (!ossl_cmp_kem_performKemDecapsulation(pk, + ASN1_STRING_get0_data(kemri->kemct), + ASN1_STRING_length(kemri->kemct), + &ss, &sslen, + cms->ctx.libctx, cms->ctx.propq) + || !cms_ORIforKEMOtherInfo_new(kemri, &info, &infolen) + || !ossl_cmp_kem_derive_ssk_HKDF(ss, sslen, NULL, 0, info, infolen, + &kemri->secret, + ASN1_INTEGER_get(kemri->kekLength), + cms->ctx.libctx, cms->ctx.propq)) + goto err; + + if (!cms_RecipientInfo_kemri_decrypt(cms, kemri)) + goto err; + ret = 1; + err: + OPENSSL_clear_free(ss, sslen); + OPENSSL_clear_free(info, infolen); + return ret; +} + int CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert) { return CMS_decrypt_set1_pkey_and_peer(cms, pk, cert, NULL); @@ -731,7 +761,8 @@ int CMS_decrypt_set1_pkey_and_peer(CMS_ContentInfo *cms, EVP_PKEY *pk, ri = sk_CMS_RecipientInfo_value(ris, i); ri_type = CMS_RecipientInfo_type(ri); - if (!ossl_cms_pkey_is_ri_type_supported(pk, ri_type)) + if (ri_type != CMS_RECIPINFO_OTHER + && !ossl_cms_pkey_is_ri_type_supported(pk, ri_type)) continue; match_ri = 1; if (ri_type == CMS_RECIPINFO_AGREE) { 
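Review bot: cms_kemri_set1_pkey passes `ASN1_INTEGER_get(kemri->kekLength)` straight to `ossl_cmp_kem_derive_ssk_HKDF` as the output length, before anything has validated it. The value comes from the received message and ASN1_INTEGER_get returns -1 on overflow, so unless the derive helper checks it (not visible here) a crafted RecipientInfo controls the size of the derived buffer. Read it once and reject values outside the range the structure comment gives, `long keklen = ASN1_INTEGER_get(kemri->kekLength); if (keklen < 1 || keklen > 65535) goto err;`. `kemri->secret` is also overwritten without releasing a previous value, which would leak key material if the function runs twice on the same RecipientInfo.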
@@ -740,9 +771,15 @@ int CMS_decrypt_set1_pkey_and_peer(CMS_ContentInfo *cms, EVP_PKEY *pk, return 1; if (r < 0) return 0; + } else if (ri_type == CMS_RECIPINFO_OTHER) { + if (OBJ_obj2nid(ri->d.ori->oriType) == NID_id_smime_ori_kem) { + if (cms_kemri_set1_pkey(cms, ri->d.ori->oriValue.kemri, pk)) + return 1; + return 0; + } } /* If we have a cert, try matching RecipientInfo, else try them all */ - else if (cert == NULL || !CMS_RecipientInfo_ktri_cert_cmp(ri, cert)) { + else if (cert == NULL || !CMS_RecipientInfo_ktri_cert_cmp(ri, cert)) { //TODO: function return -2 EVP_PKEY_up_ref(pk); CMS_RecipientInfo_set0_pkey(ri, pk); r = CMS_RecipientInfo_decrypt(cms, ri); diff --git a/crypto/crmf/crmf_err.c b/crypto/crmf/crmf_err.c index 48543cb41a7029..86cbc8f594c7a6 100644 --- a/crypto/crmf/crmf_err.c +++ b/crypto/crmf/crmf_err.c @@ -19,6 +19,7 @@ static const ERR_STRING_DATA CRMF_str_reasons[] = { {ERR_PACK(ERR_LIB_CRMF, 0, CRMF_R_BAD_PBM_ITERATIONCOUNT), "bad pbm iterationcount"}, + {ERR_PACK(ERR_LIB_CRMF, 0, CRMF_R_CMS_NOT_SUPPORTED), "cms not supported"}, {ERR_PACK(ERR_LIB_CRMF, 0, CRMF_R_CRMFERROR), "crmferror"}, {ERR_PACK(ERR_LIB_CRMF, 0, CRMF_R_ERROR), "error"}, {ERR_PACK(ERR_LIB_CRMF, 0, CRMF_R_ERROR_DECODING_CERTIFICATE), diff --git a/crypto/crmf/crmf_lib.c b/crypto/crmf/crmf_lib.c index 37dc0cc939ce49..c1d84881e802c3 100644 --- a/crypto/crmf/crmf_lib.c +++ b/crypto/crmf/crmf_lib.c 
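Review bot: The new `CMS_RECIPINFO_OTHER` branch returns 0 as soon as one KEM RecipientInfo fails to decrypt, so a message addressed to several recipients can only be opened by the holder of the first KEM entry. It also skips the `cert` comparison and does not check `ri->d.ori->oriValue.kemri` for NULL, although the template declares that value optional. Something like `if (kemri != NULL && cms_kemri_set1_pkey(cms, kemri, pk)) return 1;` followed by continuing with the next entry would avoid both. The trailing `//TODO: function return -2` on the ktri line should be resolved or turned into a `/* */` comment that explains the case. The loop and the function continue outside the hunk.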
@@ -457,6 +457,28 @@ int OSSL_CRMF_MSG_create_popo(int meth, OSSL_CRMF_MSG *crm, return 0; } +int OSSL_CRMF_MSG_certreq_encrcert_popo(const OSSL_CRMF_MSG *req) +{ + OSSL_CRMF_POPOPRIVKEY *keyEnc; + + if (req == NULL || req->popo == NULL) { + ERR_raise(ERR_LIB_CRMF, CRMF_R_NULL_ARGUMENT); + return 0; + } + + keyEnc = req->popo->value.keyEncipherment; + if (keyEnc == NULL) { + ERR_raise(ERR_LIB_CRMF, CRMF_R_POPO_MISSING_KEYENCIPHERMENT); + return 0; + } + if( keyEnc->type == OSSL_CRMF_POPOPRIVKEY_SUBSEQUENTMESSAGE + && keyEnc->value.subsequentMessage != NULL + && ASN1_INTEGER_get(keyEnc->value.subsequentMessage) + == OSSL_CRMF_SUBSEQUENTMESSAGE_ENCRCERT) + return 1; + return 0; +} + /* verifies the Proof-of-Possession of the request with the given rid in reqs */ int OSSL_CRMF_MSGS_verify_popo(const OSSL_CRMF_MSGS *reqs, int rid, int acceptRAVerified, @@ -528,23 +550,14 @@ int OSSL_CRMF_MSGS_verify_popo(const OSSL_CRMF_MSGS *reqs, return 0; break; case OSSL_CRMF_POPO_KEYENC: - { /* * When OSSL_CMP_certrep_new() supports encrypted certs, * should return 1 if the type of req->popo->value.keyEncipherment * is OSSL_CRMF_POPOPRIVKEY_SUBSEQUENTMESSAGE and * its value.subsequentMessage == OSSL_CRMF_SUBSEQUENTMESSAGE_ENCRCERT */ - OSSL_CRMF_POPOPRIVKEY *keyEnc = req->popo->value.keyEncipherment; - if (keyEnc == NULL) { - ERR_raise(ERR_LIB_CRMF, CRMF_R_POPO_MISSING_KEYENCIPHERMENT); - return 0; - } - if( keyEnc->type == OSSL_CRMF_POPOPRIVKEY_SUBSEQUENTMESSAGE - && keyEnc->value.subsequentMessage != NULL - && ASN1_INTEGER_get(keyEnc->value.subsequentMessage) == OSSL_CRMF_SUBSEQUENTMESSAGE_ENCRCERT) + if (OSSL_CRMF_MSG_certreq_encrcert_popo(req)) return 1; - } /* fall through */ case OSSL_CRMF_POPO_KEYAGREE: default: 
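Review bot: OSSL_CRMF_MSG_certreq_encrcert_popo reads `req->popo->value.keyEncipherment` without first checking `req->popo->type`. Inside OSSL_CRMF_MSGS_verify_popo the call sits under `case OSSL_CRMF_POPO_KEYENC:`, but the new call in process_cert_request (cmp_server.c) runs for every request, so for a signature or raVerified POPO the pointer stored in `value` would be interpreted as an `OSSL_CRMF_POPOPRIVKEY` taken from client-supplied data. Add `if (req->popo->type != OSSL_CRMF_POPO_KEYENC) return 0;` before the read. Since the function is used as a predicate, raising `CRMF_R_NULL_ARGUMENT` for a request without POPO also leaves a stray error on the queue; returning 0 silently there would be cleaner. The block comment kept in the second hunk (`When OSSL_CMP_certrep_new() supports encrypted certs ...`) is now out of date.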
@@ -760,4 +773,18 @@ X509 ERR_raise(ERR_LIB_CRMF, CRMF_R_CMS_NOT_SUPPORTED); return NULL; #endif /* OPENSSL_NO_CMS */ -} \ No newline at end of file +} + +OSSL_CRMF_ENCRYPTEDKEY +*OSSL_CRMF_ENCRYPTEDKEY_init_envdata(CMS_EnvelopedData *envdata) +{ + OSSL_CRMF_ENCRYPTEDKEY *ek = OSSL_CRMF_ENCRYPTEDKEY_new(); + if (ek == NULL) + return NULL; + + ek->type = OSSL_CRMF_ENCRYPTEDKEY_ENVELOPEDDATA; + ek->value.envelopedData = envdata; + + return ek; +} + diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index a432d789ee2440..d6fc0d72e4eae0 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -441,6 +441,7 @@ CONF_R_UNKNOWN_MODULE_NAME:113:unknown module name CONF_R_VARIABLE_EXPANSION_TOO_LONG:116:variable expansion too long CONF_R_VARIABLE_HAS_NO_VALUE:104:variable has no value CRMF_R_BAD_PBM_ITERATIONCOUNT:100:bad pbm iterationcount +CRMF_R_CMS_NOT_SUPPORTED:123:cms not supported CRMF_R_CRMFERROR:102:crmferror CRMF_R_ERROR:103:error CRMF_R_ERROR_DECODING_CERTIFICATE:104:error decoding certificate diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h index 78e690aa59e0b9..1247b8b9e83fa0 100644 --- a/crypto/objects/obj_dat.h +++ b/crypto/objects/obj_dat.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by crypto/objects/obj_dat.pl * - * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved. * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at @@ -10,7 +10,7 @@ */ /* Serialized OID's */ -static const unsigned char so[8518] = { +static const unsigned char so[8539] = { 0x2A,0x86,0x48,0x86,0xF7,0x0D, /* [ 0] OBJ_rsadsi */ 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01, /* [ 6] OBJ_pkcs */ 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x02, /* [ 13] OBJ_md2 */ 
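Review bot: OSSL_CRMF_ENCRYPTEDKEY_init_envdata stores `envdata` in the new object without copying it, so ownership moves to the returned key, but nothing says so and a NULL `envdata` is accepted. Add a header comment such as `/* takes ownership of envdata on success; the caller keeps it on failure */` and reject NULL with `if (envdata == NULL) return NULL;`, raising an error as the surrounding code does. The function also appears to sit after the `#endif /* OPENSSL_NO_CMS */` of the previous function, so it may not build in a no-CMS configuration; the start of that function is outside the hunk.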
@@ -1187,9 +1187,11 @@ static const unsigned char so[8518] = { 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x03,0x1C, /* [ 8492] OBJ_hkdfWithSHA256 */ 0x28,0x81,0x8C,0x71,0x02,0x02,0x04, /* [ 8503] OBJ_id_kem_rsa */ 0x28,0x81,0x8C,0x71,0x02,0x05,0x02, /* [ 8510] OBJ_id_kdf_kdf2 */ + 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x0D, /* [ 8517] OBJ_id_smime_ori */ + 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x0D,0x03, /* [ 8527] OBJ_id_smime_ori_kem */ }; -#define NUM_NID 1325 +#define NUM_NID 1327 static const ASN1_OBJECT nid_objs[NUM_NID] = { {"UNDEF", "undefined", NID_undef}, {"rsadsi", "RSA Data Security, Inc.", NID_rsadsi, 6, &so[0]}, @@ -2516,9 +2518,11 @@ static const ASN1_OBJECT nid_objs[NUM_NID] = { {"hkdfWithSHA256", "HKDF with SHA256", NID_hkdfWithSHA256, 11, &so[8492]}, {"id-kem-rsa", "id-kem-rsa", NID_id_kem_rsa, 7, &so[8503]}, {"id-kdf-kdf2", "id-kdf-kdf2", NID_id_kdf_kdf2, 7, &so[8510]}, + {"id-smime-ori", "id-smime-ori", NID_id_smime_ori, 10, &so[8517]}, + {"id-smime-ori-kem", "id-smime-ori-kem", NID_id_smime_ori_kem, 11, &so[8527]}, }; -#define NUM_SN 1316 +#define NUM_SN 1318 static const unsigned int sn_objs[NUM_SN] = { 364, /* "AD_DVCS" */ 419, /* "AES-128-CBC" */ @@ -3362,6 +3366,8 @@ static const unsigned int sn_objs[NUM_SN] = { 201, /* "id-smime-mod-ets-eSignature-97" */ 199, /* "id-smime-mod-msg-v3" */ 198, /* "id-smime-mod-oid" */ + 1325, /* "id-smime-ori" */ + 1326, /* "id-smime-ori-kem" */ 194, /* "id-smime-spq" */ 250, /* "id-smime-spq-ets-sqt-unotice" */ 249, /* "id-smime-spq-ets-sqt-uri" */ @@ -3838,7 +3844,7 @@ static const unsigned int sn_objs[NUM_SN] = { 1289, /* "zstd" */ }; -#define NUM_LN 1316 +#define NUM_LN 1318 static const unsigned int ln_objs[NUM_LN] = { 363, /* "AD Time Stamping" */ 405, /* "ANSI X9.62" */ 
@@ -4682,6 +4688,8 @@ static const unsigned int ln_objs[NUM_LN] = { 201, /* "id-smime-mod-ets-eSignature-97" */ 199, /* "id-smime-mod-msg-v3" */ 198, /* "id-smime-mod-oid" */ + 1325, /* "id-smime-ori" */ + 1326, /* "id-smime-ori-kem" */ 194, /* "id-smime-spq" */ 250, /* "id-smime-spq-ets-sqt-unotice" */ 249, /* "id-smime-spq-ets-sqt-uri" */ @@ -5158,7 +5166,7 @@ static const unsigned int ln_objs[NUM_LN] = { 125, /* "zlib compression" */ }; -#define NUM_OBJ 1182 +#define NUM_OBJ 1184 static const unsigned int obj_objs[NUM_OBJ] = { 0, /* OBJ_undef 0 */ 181, /* OBJ_iso 1 */ @@ -6203,6 +6211,7 @@ static const unsigned int obj_objs[NUM_OBJ] = { 193, /* OBJ_id_smime_cd 1 2 840 113549 1 9 16 4 */ 194, /* OBJ_id_smime_spq 1 2 840 113549 1 9 16 5 */ 195, /* OBJ_id_smime_cti 1 2 840 113549 1 9 16 6 */ + 1325, /* OBJ_id_smime_ori 1 2 840 113549 1 9 16 13 */ 158, /* OBJ_x509Certificate 1 2 840 113549 1 9 22 1 */ 159, /* OBJ_sdsiCertificate 1 2 840 113549 1 9 22 2 */ 160, /* OBJ_x509Crl 1 2 840 113549 1 9 23 1 */ @@ -6318,6 +6327,7 @@ static const unsigned int obj_objs[NUM_OBJ] = { 254, /* OBJ_id_smime_cti_ets_proofOfSender 1 2 840 113549 1 9 16 6 4 */ 255, /* OBJ_id_smime_cti_ets_proofOfApproval 1 2 840 113549 1 9 16 6 5 */ 256, /* OBJ_id_smime_cti_ets_proofOfCreation 1 2 840 113549 1 9 16 6 6 */ + 1326, /* OBJ_id_smime_ori_kem 1 2 840 113549 1 9 16 13 3 */ 150, /* OBJ_keyBag 1 2 840 113549 1 12 10 1 1 */ 151, /* OBJ_pkcs8ShroudedKeyBag 1 2 840 113549 1 12 10 1 2 */ 152, /* OBJ_certBag 1 2 840 113549 1 12 10 1 3 */ diff --git a/crypto/objects/obj_mac.num b/crypto/objects/obj_mac.num index 36d45cb5e68bc9..47b63545d66220 100644 --- a/crypto/objects/obj_mac.num +++ b/crypto/objects/obj_mac.num @@ -1322,3 +1322,5 @@ id_KemBasedMac 1321 hkdfWithSHA256 1322 id_kem_rsa 1323 id_kdf_kdf2 1324 +id_smime_ori 1325 +id_smime_ori_kem 1326 diff --git a/crypto/objects/obj_xref.h b/crypto/objects/obj_xref.h index 913606f1754d46..01339d9da088d1 100644 --- a/crypto/objects/obj_xref.h 
+++ b/crypto/objects/obj_xref.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by objxref.pl * - * Copyright 1998-2023 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1998-2024 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/crypto/objects/objects.txt b/crypto/objects/objects.txt index fccd47767ee8a3..93d56d16196d59 100644 --- a/crypto/objects/objects.txt +++ b/crypto/objects/objects.txt @@ -257,6 +257,7 @@ SMIME 3 : id-smime-alg SMIME 4 : id-smime-cd SMIME 5 : id-smime-spq SMIME 6 : id-smime-cti +SMIME 13 : id-smime-ori # S/MIME Modules id-smime-mod 1 : id-smime-mod-cms @@ -357,6 +358,8 @@ id-smime-cti 4 : id-smime-cti-ets-proofOfSender id-smime-cti 5 : id-smime-cti-ets-proofOfApproval id-smime-cti 6 : id-smime-cti-ets-proofOfCreation +id-smime-ori 3 : id-smime-ori-kem + pkcs9 20 : : friendlyName pkcs9 21 : : localKeyID !Alias ms-corp 1 3 6 1 4 1 311 diff --git a/fuzz/oids.txt b/fuzz/oids.txt index 9e01c6b66f2a1f..125c878ca1985e 100644 --- a/fuzz/oids.txt +++ b/fuzz/oids.txt @@ -1,7 +1,7 @@ # WARNING: do not edit! # Generated by fuzz/mkfuzzoids.pl # -# Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -1183,3 +1183,5 @@ OBJ_id_KemBasedMac="\x2A\x86\x48\x86\xF6\x7D\x07\x42\x10" OBJ_hkdfWithSHA256="\x2A\x86\x48\x86\xF7\x0D\x01\x09\x10\x03\x1C" OBJ_id_kem_rsa="\x28\x81\x8C\x71\x02\x02\x04" OBJ_id_kdf_kdf2="\x28\x81\x8C\x71\x02\x05\x02" +OBJ_id_smime_ori="\x2A\x86\x48\x86\xF7\x0D\x01\x09\x10\x0D" +OBJ_id_smime_ori_kem="\x2A\x86\x48\x86\xF7\x0D\x01\x09\x10\x0D\x03" 
diff --git a/include/crypto/crmferr.h b/include/crypto/crmferr.h index f1a27e04993b60..89f80eee6b1545 100644 --- a/include/crypto/crmferr.h +++ b/include/crypto/crmferr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/cms.h.in b/include/openssl/cms.h.in index 239667700aacd2..5608adb4768f83 100644 --- a/include/openssl/cms.h.in +++ b/include/openssl/cms.h.in @@ -57,6 +57,8 @@ DECLARE_ASN1_FUNCTIONS(CMS_ContentInfo) DECLARE_ASN1_FUNCTIONS(CMS_ReceiptRequest) DECLARE_ASN1_PRINT_FUNCTION(CMS_ContentInfo) +DECLARE_ASN1_DUP_FUNCTION(CMS_EnvelopedData) + CMS_ContentInfo *CMS_ContentInfo_new_ex(OSSL_LIB_CTX *libctx, const char *propq); # define CMS_SIGNERINFO_ISSUER_SERIAL 0 @@ -68,6 +70,7 @@ CMS_ContentInfo *CMS_ContentInfo_new_ex(OSSL_LIB_CTX *libctx, const char *propq) # define CMS_RECIPINFO_KEK 2 # define CMS_RECIPINFO_PASS 3 # define CMS_RECIPINFO_OTHER 4 +# define CMS_RECIPINFO_OTHER_KEM 5 /* S/MIME related flags */ @@ -209,7 +212,7 @@ BIO *CMS_EnvelopedData_decrypt(CMS_EnvelopedData *env, BIO *detached_data, EVP_PKEY *pkey, X509 *cert, ASN1_OCTET_STRING *secret, unsigned int flags, OSSL_LIB_CTX *libctx, const char *propq); - +CMS_EnvelopedData *OSSL_CMS_get0_enveloped(CMS_ContentInfo *cms); CMS_RecipientInfo *CMS_add1_recipient_cert(CMS_ContentInfo *cms, X509 *recip, unsigned int flags); CMS_RecipientInfo *CMS_add1_recipient(CMS_ContentInfo *cms, X509 *recip, diff --git a/include/openssl/crmf.h.in b/include/openssl/crmf.h.in index 34b1d05277715f..0d131fa6a6eeb5 100644 --- a/include/openssl/crmf.h.in +++ b/include/openssl/crmf.h.in 
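Review bot: The new public accessor `OSSL_CMS_get0_enveloped` in the `@@ -209,7 +212,7 @@` hunk of `cms.h.in` is declared without saying what it returns for a `CMS_ContentInfo` that is not of type enveloped-data, or who owns the result. The `get0` name implies an internal pointer that stays owned by `cms`, so a caller that needs it after `CMS_ContentInfo_free(cms)` has to copy it with the `CMS_EnvelopedData_dup` declared in the first hunk. I would put that in a comment above the declaration, e.g. `/* Returns the EnvelopedData inside cms (owned by cms, do not free), or NULL if cms is not enveloped-data. */`, after confirming the implementation really returns NULL on a type mismatch, since it is not visible here. The same hunk also drops the blank line that separated the decrypt prototype from the recipient functions.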
@@ -27,6 +27,7 @@ use OpenSSL::stackhash qw(generate_stack_macros); # include # include # include /* for GENERAL_NAME etc. */ +# include /* explicit #includes not strictly needed since implied by the above: */ # include @@ -151,6 +152,7 @@ int OSSL_CRMF_MSG_push0_extension(OSSL_CRMF_MSG *crm, X509_EXTENSION *ext); int OSSL_CRMF_MSG_create_popo(int meth, OSSL_CRMF_MSG *crm, EVP_PKEY *pkey, const EVP_MD *digest, OSSL_LIB_CTX *libctx, const char *propq); +int OSSL_CRMF_MSG_certreq_encrcert_popo(const OSSL_CRMF_MSG *req); int OSSL_CRMF_MSGS_verify_popo(const OSSL_CRMF_MSGS *reqs, int rid, int acceptRAVerified, OSSL_LIB_CTX *libctx, const char *propq); @@ -182,6 +184,8 @@ X509 *OSSL_CRMF_ENCRYPTEDKEY_get1_encCert(const OSSL_CRMF_ENCRYPTEDKEY *ecert, OSSL_LIB_CTX *libctx, const char *propq, EVP_PKEY *pkey, unsigned int flags); +OSSL_CRMF_ENCRYPTEDKEY +*OSSL_CRMF_ENCRYPTEDKEY_init_envdata( CMS_EnvelopedData *envdata); # ifdef __cplusplus } diff --git a/include/openssl/crmferr.h b/include/openssl/crmferr.h index 410dec5b609a8d..2b3f7ce0baa666 100644 --- a/include/openssl/crmferr.h +++ b/include/openssl/crmferr.h @@ -24,6 +24,7 @@ * CRMF reason codes. */ # define CRMF_R_BAD_PBM_ITERATIONCOUNT 100 +# define CRMF_R_CMS_NOT_SUPPORTED 123 # define CRMF_R_CRMFERROR 102 # define CRMF_R_ERROR 103 # define CRMF_R_ERROR_DECODING_CERTIFICATE 104 diff --git a/include/openssl/obj_mac.h b/include/openssl/obj_mac.h index 27ee80f7c53724..bb6e59772e5d06 100644 --- a/include/openssl/obj_mac.h +++ b/include/openssl/obj_mac.h @@ -2,7 +2,7 @@ * WARNING: do not edit! * Generated by crypto/objects/objects.pl * - * Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved. * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at 
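Review bot: The prototype added in the `@@ -182,6 +184,8 @@` hunk of `crmf.h.in` uses `CMS_EnvelopedData` with no feature guard visible in the hunk, so a build configured without CMS may fail on this header unless that type is declared unconditionally. The definition in the CRMF source likewise sits after `#endif /* OPENSSL_NO_CMS */`, and the `libcrypto.num` entry is tagged `CRMF` only. Wrapping the declaration in `# ifndef OPENSSL_NO_CMS` / `# endif`, and tagging the export `CRMF,CMS`, would keep the three consistent, assuming the function is meant to exist only with CMS enabled. As a style point, the declaration has a stray space after `(` and starts the second line with the `*`; `OSSL_CRMF_ENCRYPTEDKEY *OSSL_CRMF_ENCRYPTEDKEY_init_envdata(CMS_EnvelopedData *envdata);` matches the neighbouring prototypes. `OSSL_CRMF_MSG_certreq_encrcert_popo` in the previous hunk would also benefit from a one-line comment saying what its `int` result means.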
@@ -791,6 +791,10 @@ #define NID_id_smime_cti 195 #define OBJ_id_smime_cti OBJ_SMIME,6L +#define SN_id_smime_ori "id-smime-ori" +#define NID_id_smime_ori 1325 +#define OBJ_id_smime_ori OBJ_SMIME,13L + #define SN_id_smime_mod_cms "id-smime-mod-cms" #define NID_id_smime_mod_cms 196 #define OBJ_id_smime_mod_cms OBJ_id_smime_mod,1L @@ -1107,6 +1111,10 @@ #define NID_id_smime_cti_ets_proofOfCreation 256 #define OBJ_id_smime_cti_ets_proofOfCreation OBJ_id_smime_cti,6L +#define SN_id_smime_ori_kem "id-smime-ori-kem" +#define NID_id_smime_ori_kem 1326 +#define OBJ_id_smime_ori_kem OBJ_id_smime_ori,3L + #define LN_friendlyName "friendlyName" #define NID_friendlyName 156 #define OBJ_friendlyName OBJ_pkcs9,20L diff --git a/test/recipes/80-test_cmp_http_data/Mock/kem.crt b/test/recipes/80-test_cmp_http_data/Mock/kem.crt index 3af72d02f46bf1..682e062f138093 100644 --- a/test/recipes/80-test_cmp_http_data/Mock/kem.crt +++ b/test/recipes/80-test_cmp_http_data/Mock/kem.crt 
@@ -1,48 +1,22 @@ -----BEGIN CERTIFICATE----- -MIIIbTCCB1WgAwIBAgIUenD0adt4paVWXXt99SFndc81IlgwDQYJKoZIhvcNAQEL +MIIDkjCCAnqgAwIBAgIUCIoReKKPB6Yh4B0HEeykhscAQ68wDQYJKoZIhvcNAQEL BQAwWjELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoT GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDETMBEGA1UEAxMKc3ViaW50ZXJDQTAe -Fw0yNDAxMTAxMjIwMjBaFw0yNDAyMDkxMjIwMjBaMBMxETAPBgNVBAMMCEtFTV9D -RVJUMIIGNDANBgsrBgEEAYGwGgUGAwOCBiEAgnCeD2wSfUcRVHJyW3a7EkiGw3dj -IRhld6QbJOE02BYn5zyqIBWsKgYo4vVIafwA45lujTjCTQFSkLy7z3panly5u4qw -J6zINNOb5/PEuDtk07l/65OAAYW8erGwPrazaGxnwCEVIRCK5WW7tFUSoTMQ9Zef -fcNnVTVl1RIMSXvB9eIVv8J2eMN7VNrKnPcliUAALrC6lVeWMGOa1Bghs3VB1NXM -+iGKHFlqeoZ153CLNvSuqyaIGYRNv2p9q4bKKuGL97u6DbtBdFFKpCTGiqKTahcB -aRFjGBAb61S3Riun7ssgqSEv/zKGEFbOuBBaxQnGqWTBWJt9OoYg06xgSqWmE7in -JmZLdaGxCLg26rdnCCwz5lB25aCD0WBxHFIX+7d4/BXN9wmdW9aaBBpZHjnBDAcu -+AwN5suYpMScVtldFTlHLqoRzlIWEjVVAePIHBwBkQM2COYn4BSdIksLa/gtWqI8 -IjhCDxOJ/eVwPBim7Qcpnjeerjd19+arcYFuE/tresctWrVob5XFDqCFPesmTMpF -fWxpZ+CU3pqSf1ZsnmVxyKuCvbAohSxCDWCgpGygP8RQ7ySpAfRAYpUsGquS4zVK -CJKicqWjZKCOqGNCp6Ut2gKbx6w60vKsqIJL0QGklUzJxkM1cJx7kiCuXoOqlrrO -kbqAtDdVJco40eXFf1U3Dho1MrzNvTeDVLkc8mBRUMw6wXbHIqyvuAzKlrRZhPO5 -jfOrqyTI/HqzPjYbl6h11ytu28hda9wRRbLEFBgmqawWUFUXGQZCQBsX11KTpKG1 -V1Jj30YCmSJmSBZKaqK8bUVFHEkoBEuaXxCpxqJocxEtSXGuhPUJl7Y4B+NVtoN9 -UFKZQqgqQIEgYvALjGKHyKFw5ty4C1eF0/dm6Tg47Og2lpEz3IyRrNswWEWAyveh -4PXO24AIxjiJdGWjz+CZsHDOEdoouDINc3QKxvBxHQozvmQwlmC20JnIZ3OXBDIk -i3DNg+lJ/OZ6QYs4buhzHBiqRqgMSMKuJ5K1qfKN21m+RuOGAJY8LKWPpJYK9Ve8 -jToszoi3k8WpRqRHhKcTOdKcdGVXnBxcFeCfrQHQpdmG8Dme8yGpFfErV9e3mjEV -CTgx1buQLSS0bfQZeMOnGrkUkcWAl1YdO1k0NZWre5t/vzCoyrKK4fYdiEVWbGuJ -a+yEYowCC5Eiz1EhKayzMhND0roHqyeAFtIf07wezcoqYRLOPWYArlDHDFmYgCw+ -LdVvgSKZ8GpvVlVYmzh8V0Yj/0CSzlex+EMGqmKNOVd+uUF5KFvBSDZgcSZzrVgN -SKlmskNrVTlR5jRJ9IcqpUIYaDq6AgR5GGOTLqFfIHbFMxglTfBXTptzunNqTUsQ -8BqDuhCHgqmgH5uPPUHLRBtNaHUh7Gkk/1QrHeEL/TUucOx1U8l/aYEr3FhYkKZU -exYSXrrLItOylKyxW6BOESeSUaq3ofp6KcuBS2oCdJVqoYGlZyCbssqYWiqKshWS 
-B6Ua15FgPchlJ8iyNxqK9hlASBkMsKvDntPCpmuFK/R0QycNlMR/m2dnIHdESQiu -N5mJQhoL/kusDcGGtVuV56axRbXEw6ACoShY/lBReIJzurO1sUqLAoO3bWrGOvqJ -hnQGsgBSUZs0jqA73NHJzrd9bvlI3TOYdEgzdqZVabnKPzR8qTuxDglnFBiQiJmO -4jefp+fB3XALNJh379OTH0Wngppt15SxOAEk+guTPDEy4pNUxFW9IrzFWiKZmVdb -+tQdVXBb4lSGxugP3fUyKjEaEnCy6tbHCopcPsi126RK4QnKmqlwaSHHyvyYTQgD -/2pnf2IpPJFB3IS0Bcm5TQE3PfcLSkPOopF17DrGoWmW/SiTT2dJbOky7pgHA9xX -VEF2NCtMWMgJ4PmC8ci58hFJyLmmNZBSy9LC/NSs9JYHAYJ0HmGpUoSBV8E7OHB3 -ZACsxwMkwzYxfjtmpiyvUSlAgdjOXGcamLhsMaxbk4MDC0xSZzRLQ3i6emOPt6NY -7JMq6jhb6Uu/k2COZleIUsQ6G0rBQSeJECVW3vdWHxK6zsDsbCzn8yj5gwOPEHNv -aIB6gLtYUaoe7bGjYDBeMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgUgMB0G -A1UdDgQWBBTIXhEhWdEMkDP+XTfpHgk5OT4PEzAfBgNVHSMEGDAWgBTpZ30QdMGa -rrhMPwk+HHAV3R8aTzANBgkqhkiG9w0BAQsFAAOCAQEAwOJPi4A9GoKmo3oOSRkQ -clW+16bFPPpmyi5cmdxDgG1fJPRAj25dk7qGIY2dMIZIOJBNuQz4D/VboIx53dqG -b6jJ2G1fsXbOqrcsn5AngHJOr4zHuEO1q3737MQ8wIBRX15cPyLPBiAFEqmR902N -STvD/XbAJmuIqRAOZKa1iyS6CLu9/Z768YaaM/hS6mS3/9r8upefO4rUbFt+3na9 -D+NSHpAvgmA6DOQWdPiDChdqW2UPBeoif7jqbBUKwR55HiCWcSxhRsXACY7FlHBk -6VFF+DO+pfjxONgC5q1eu0ELzfWBNdzuW/csRY9nOyCMnqm+U4Ait4Zrw0WcE1Ps -Cg== +Fw0yMzA3MTMxNDM5NDVaFw0zMzA3MTAxNDM5NDVaMFgxCzAJBgNVBAYTAkFVMRMw +EQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0 +eSBMdGQxETAPBgNVBAMMCGxlYWYtS0VNMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEAw9GYW2QMjkZ3UJOJL3y65cQoXD9/1J5BEPGjuJKBETnxK8xnRMta +FQiDAg5qwxvRilPk38hYmvbVbvGmrGwWpwC4y9eHeF0GL39wGzWW4oY7kqi+D9jv +y5knBpvB6dn0DQjAm01uigU26YtCAZ7Va8+/Ankwp41+sVKzwgKBn19oBMHU1YNd +UCFEPR5d2yM72MEeHGhjTZybBm4+ueCNSNzyC/jZMpy3oHXlmlJE2mvEsOQZA4n6 +xIUe+RwokfAXlwYFl19pbdj5G42IhLzr9ZSu6uvjm5RvCxoPdmtQZ6FxaBUNfRMG +jqEOkYuwCJ2718yaURgbRqfmlKNdECyy4QIDAQABo1IwUDAOBgNVHQ8BAf8EBAMC +BSAwHQYDVR0OBBYEFEQ91872uHULE2j0VfkvlMW56822MB8GA1UdIwQYMBaAFOln +fRB0wZquuEw/CT4ccBXdHxpPMA0GCSqGSIb3DQEBCwUAA4IBAQBZIyZsem85ca5U +Fzz88Bvvl2oKsIW8ixlhXkc4fA4pzcuXmgt0l31dO6NTEkxfDWfIinENB7kEmNmE +XD6Cll/uvtKICViAZMdrYZZZYkToyrN6Jkrf+svdjfk4Bjr1ufixYSzj6NIb1KIa 
+9vgyG0LGLEzDbUH3XCnmgYHc/c/6nt6ZoN/iVROmgcTafOv3S9/2ertAFPEpdRxX +Axj3V2qgguBJCyhJ7VuaBhJhpWgHUjtzH61etyLoCMVKTaR9L8ocS217LeGCHKto +d3tuL7nQctvpTqG7jvvujUlPs2uKY0Fzsqw66ez51mWVyop9rkvudkZIZ0ftMYli +DcOpACyZ -----END CERTIFICATE----- diff --git a/test/recipes/80-test_cmp_http_data/Mock/kem.key b/test/recipes/80-test_cmp_http_data/Mock/kem.key index 1977ebf10b5520..deb103ad68826a 100644 --- a/test/recipes/80-test_cmp_http_data/Mock/kem.key +++ b/test/recipes/80-test_cmp_http_data/Mock/kem.key 
@@ -1,102 +1,28 @@ -----BEGIN PRIVATE KEY----- -MIISmgIBADANBgsrBgEEAYGwGgUGAwSCEoQEghKAKPxbIfWzBZUJDKBIVLpE9cax -8qFDRMlyeNeZyohP4sdaM4k4uOtWxkeTqGGobsVeLMMtiuCeRvRIL0zOKWCKyeKD -5mPA8JDPbmM8EjpX98uv30Cq6hwRuOxQPJxMnNWMveY2B6WiFEiSvaVDMBHA2/Fa -BokxdLOB0wqLnJpEuHxPRQKOWRaPmIy0p9q9P6sXUdW+rwE6Qwp8F6pNWmRW++gq -DixKc6ZtSKEijDVRWfgqZJixo5yL10SS2lNrRyFi3IsARpJriznNhejDcrYAufEg -8gWwMEAn49sRLrwU3JBGk4tfE0F5OcE+nvrAy3a+fjOkSytnmPeL1/RzrMZ5QmOL -rtIOLtugTJYJGxlArKAEtKiZyrOUa2Y0ltpyINap9RhZ4wg/k8CqBUlIetddZ5BN -fzDB9gEHETl3HHmVychszoovpOqi0xkifeK1z+sDgBPNsFZF2AGMqLzJ1ntWRKGa -9tAlrfWJL6AvXvAb7KKCqOZeXYJFLThQVNxD3+Z01KbA4GFKteOiMUKHmYS89QNW -/NskyiYMJduP/3SlwQS5Hix2PsCyZwR2dVIXdfGZX1EJ9IJFBik/LSRSdLlD2WUJ -zoRqSUUI0mYG3nd8fKq5iLkCYBCWhdQOODzNkQupKsV94vg++SOee+cfrXvNuoxN -blUsVsYgWSyegJAFkYsBfVyz83pkphpLzmJiQyoogkYVu9SI8hA2fBU+QbNRCiOe -aKVRzftFN4pEbFmVnNNkA8SyUzBqUmwYAGgl5cY4YHAkorpdMteRkRWjxGGxAHY7 -BOy658ixCNJtFPAG+7ptD0m/FrTEI+tx+fQnp+liS8lbcxBqIVI4vEe4H6msmqF7 -U9kfzbBkBUuF+NG7yLkJ/QKkmuQfAM1og/UNtJtLj4moKmeNzRnE/EaaSdxIBCxT -xpIATAcRXtCPPxV2z3kMLqZAiwEMSwo9r9lqxGLIWNso22tSf7gcObd2LKrOoflX -zdrPqXymWZqEHnCf1BlKzBlT1JMDZtaw1XUlMmQDsHNZFGC1wuRS7juWjOYkm5hn -3KNFw6cCVznCsrWxosjF2SAAdkoGJsG423tmRCvLggl5xyGqCbR63BkiXedDI7y5 -FDhLK7Z3zGm87oAsPxGVlAqt+XpCHLBQ9hKCAWHFaNQ13dIv72CIxEYg72eCDHGp -FpJJIfKwBAabnrpu9mWMrrpoiSE2vUZ3fQSBxzhm+XmsGaB0nRELh+XCoRsEfdYb -Y3WQZrolXIIfIKsR9tnCn6VGrQjLgkyB7bCAuhSVkPzPA2S5oVqAszxigeawHJaG -9SUnvLtffvie10A5sRISz0R5U6qui1kSyNJ5VQy9i5ZhCWUuyDbAz7MyvPITgTzK -PmIcLbxPAdgkb5aMovi377EKFTVhflw8dFQ2AlWPrWyBZIc66YNPs6Krd8Fozpab -AEFjCDg66WwDquIkcNVIOFJOXJszotkSEDoBUIGobsEYdilNKyMeIPU4ZFu/oDbE -gNSVorahT1WwdIt2BbgpJfhFOsF4k0WH8ONCThizPTOH5hiyHfdbhJBZmtFVNLM4 -YfzHxXU/blm6A8KBPjQo3VgyqhsLgXdQjlvJOTeA2kw8MWIatyFdW1PJsuVM79sH -NRHFTlu1K8M/FrnNLPMyqobPzleqK+N1ujaJFzeyimh3WPl23qkIXjZ9HbO38dFD -l6J4xSdZ9iMwbPZjZ4DO62c0IQZkqQwqB9OLRoBxh9h/p2QHaAE9EhLF+3YYXkYy -GXaE7atMBkQSahNnGkgMQolkLAGPcxIwyDKx+3vBpYLFbpB7MRC7qRddJ4mMziuk 
-kHvNoVIvReBGVbCh2ByLLiM1O/lU8ZNeKwEMwlF9BBLDjnafhFXD3Bm2xStu9Xqf -i+YLlVpYxuwqNNlvOLKAx7o8GFubTqlFqaNrj6S+GgwKgjs256JlUmIF7mAn9pKY -t4xDp9qrOkUp4vqCnpUZgowg0HE2JqJn3hzLPoRBP7M8XzwjJGl2+TJUKAEl90m2 -DLqRwwEDG4EB5AuKhHSe1Qcqned6FQSGIxmh9GeXgnCeD2wSfUcRVHJyW3a7EkiG -w3djIRhld6QbJOE02BYn5zyqIBWsKgYo4vVIafwA45lujTjCTQFSkLy7z3panly5 -u4qwJ6zINNOb5/PEuDtk07l/65OAAYW8erGwPrazaGxnwCEVIRCK5WW7tFUSoTMQ -9ZeffcNnVTVl1RIMSXvB9eIVv8J2eMN7VNrKnPcliUAALrC6lVeWMGOa1Bghs3VB -1NXM+iGKHFlqeoZ153CLNvSuqyaIGYRNv2p9q4bKKuGL97u6DbtBdFFKpCTGiqKT -ahcBaRFjGBAb61S3Riun7ssgqSEv/zKGEFbOuBBaxQnGqWTBWJt9OoYg06xgSqWm -E7inJmZLdaGxCLg26rdnCCwz5lB25aCD0WBxHFIX+7d4/BXN9wmdW9aaBBpZHjnB -DAcu+AwN5suYpMScVtldFTlHLqoRzlIWEjVVAePIHBwBkQM2COYn4BSdIksLa/gt -WqI8IjhCDxOJ/eVwPBim7Qcpnjeerjd19+arcYFuE/tresctWrVob5XFDqCFPesm -TMpFfWxpZ+CU3pqSf1ZsnmVxyKuCvbAohSxCDWCgpGygP8RQ7ySpAfRAYpUsGquS -4zVKCJKicqWjZKCOqGNCp6Ut2gKbx6w60vKsqIJL0QGklUzJxkM1cJx7kiCuXoOq -lrrOkbqAtDdVJco40eXFf1U3Dho1MrzNvTeDVLkc8mBRUMw6wXbHIqyvuAzKlrRZ -hPO5jfOrqyTI/HqzPjYbl6h11ytu28hda9wRRbLEFBgmqawWUFUXGQZCQBsX11KT -pKG1V1Jj30YCmSJmSBZKaqK8bUVFHEkoBEuaXxCpxqJocxEtSXGuhPUJl7Y4B+NV -toN9UFKZQqgqQIEgYvALjGKHyKFw5ty4C1eF0/dm6Tg47Og2lpEz3IyRrNswWEWA -yveh4PXO24AIxjiJdGWjz+CZsHDOEdoouDINc3QKxvBxHQozvmQwlmC20JnIZ3OX -BDIki3DNg+lJ/OZ6QYs4buhzHBiqRqgMSMKuJ5K1qfKN21m+RuOGAJY8LKWPpJYK -9Ve8jToszoi3k8WpRqRHhKcTOdKcdGVXnBxcFeCfrQHQpdmG8Dme8yGpFfErV9e3 -mjEVCTgx1buQLSS0bfQZeMOnGrkUkcWAl1YdO1k0NZWre5t/vzCoyrKK4fYdiEVW -bGuJa+yEYowCC5Eiz1EhKayzMhND0roHqyeAFtIf07wezcoqYRLOPWYArlDHDFmY -gCw+LdVvgSKZ8GpvVlVYmzh8V0Yj/0CSzlex+EMGqmKNOVd+uUF5KFvBSDZgcSZz -rVgNSKlmskNrVTlR5jRJ9IcqpUIYaDq6AgR5GGOTLqFfIHbFMxglTfBXTptzunNq -TUsQ8BqDuhCHgqmgH5uPPUHLRBtNaHUh7Gkk/1QrHeEL/TUucOx1U8l/aYEr3FhY -kKZUexYSXrrLItOylKyxW6BOESeSUaq3ofp6KcuBS2oCdJVqoYGlZyCbssqYWiqK -shWSB6Ua15FgPchlJ8iyNxqK9hlASBkMsKvDntPCpmuFK/R0QycNlMR/m2dnIHdE -SQiuN5mJQhoL/kusDcGGtVuV56axRbXEw6ACoShY/lBReIJzurO1sUqLAoO3bWrG -OvqJhnQGsgBSUZs0jqA73NHJzrd9bvlI3TOYdEgzdqZVabnKPzR8qTuxDglnFBiQ 
-iJmO4jefp+fB3XALNJh379OTH0Wngppt15SxOAEk+guTPDEy4pNUxFW9IrzFWiKZ -mVdb+tQdVXBb4lSGxugP3fUyKjEaEnCy6tbHCopcPsi126RK4QnKmqlwaSHHyvyY -TQgD/2pnf2IpPJFB3IS0Bcm5TQE3PfcLSkPOopF17DrGoWmW/SiTT2dJbOky7pgH -A9xXVEF2NCtMWMgJ4PmC8ci58hFJyLmmNZBSy9LC/NSs9JYHAYJ0HmGpUoSBV8E7 -OHB3ZACsxwMkwzYxfjtmpiyvUSlAgdjOXGcamLhsMaxbk4MDC0xSZzRLQ3i6emOP -t6NY7JMq6jhb6Uu/k2COZleIUsQ6G0rBQSeJECVW3vdWHxK6zsDsbCzn8yj5gwOP -EHNvaIB6gLtYUaoe7bEdH/Mi3ixboZPkdqNBb8PmY2dQkaypdNCOLWGUE2AWAOQJ -dhdBHk3xbolBhviBIdMUhH6svdfNP4+YD7Hz+MsggnCeD2wSfUcRVHJyW3a7EkiG -w3djIRhld6QbJOE02BYn5zyqIBWsKgYo4vVIafwA45lujTjCTQFSkLy7z3panly5 -u4qwJ6zINNOb5/PEuDtk07l/65OAAYW8erGwPrazaGxnwCEVIRCK5WW7tFUSoTMQ -9ZeffcNnVTVl1RIMSXvB9eIVv8J2eMN7VNrKnPcliUAALrC6lVeWMGOa1Bghs3VB -1NXM+iGKHFlqeoZ153CLNvSuqyaIGYRNv2p9q4bKKuGL97u6DbtBdFFKpCTGiqKT -ahcBaRFjGBAb61S3Riun7ssgqSEv/zKGEFbOuBBaxQnGqWTBWJt9OoYg06xgSqWm -E7inJmZLdaGxCLg26rdnCCwz5lB25aCD0WBxHFIX+7d4/BXN9wmdW9aaBBpZHjnB -DAcu+AwN5suYpMScVtldFTlHLqoRzlIWEjVVAePIHBwBkQM2COYn4BSdIksLa/gt -WqI8IjhCDxOJ/eVwPBim7Qcpnjeerjd19+arcYFuE/tresctWrVob5XFDqCFPesm -TMpFfWxpZ+CU3pqSf1ZsnmVxyKuCvbAohSxCDWCgpGygP8RQ7ySpAfRAYpUsGquS -4zVKCJKicqWjZKCOqGNCp6Ut2gKbx6w60vKsqIJL0QGklUzJxkM1cJx7kiCuXoOq -lrrOkbqAtDdVJco40eXFf1U3Dho1MrzNvTeDVLkc8mBRUMw6wXbHIqyvuAzKlrRZ -hPO5jfOrqyTI/HqzPjYbl6h11ytu28hda9wRRbLEFBgmqawWUFUXGQZCQBsX11KT -pKG1V1Jj30YCmSJmSBZKaqK8bUVFHEkoBEuaXxCpxqJocxEtSXGuhPUJl7Y4B+NV -toN9UFKZQqgqQIEgYvALjGKHyKFw5ty4C1eF0/dm6Tg47Og2lpEz3IyRrNswWEWA -yveh4PXO24AIxjiJdGWjz+CZsHDOEdoouDINc3QKxvBxHQozvmQwlmC20JnIZ3OX -BDIki3DNg+lJ/OZ6QYs4buhzHBiqRqgMSMKuJ5K1qfKN21m+RuOGAJY8LKWPpJYK -9Ve8jToszoi3k8WpRqRHhKcTOdKcdGVXnBxcFeCfrQHQpdmG8Dme8yGpFfErV9e3 -mjEVCTgx1buQLSS0bfQZeMOnGrkUkcWAl1YdO1k0NZWre5t/vzCoyrKK4fYdiEVW -bGuJa+yEYowCC5Eiz1EhKayzMhND0roHqyeAFtIf07wezcoqYRLOPWYArlDHDFmY -gCw+LdVvgSKZ8GpvVlVYmzh8V0Yj/0CSzlex+EMGqmKNOVd+uUF5KFvBSDZgcSZz -rVgNSKlmskNrVTlR5jRJ9IcqpUIYaDq6AgR5GGOTLqFfIHbFMxglTfBXTptzunNq -TUsQ8BqDuhCHgqmgH5uPPUHLRBtNaHUh7Gkk/1QrHeEL/TUucOx1U8l/aYEr3FhY 
-kKZUexYSXrrLItOylKyxW6BOESeSUaq3ofp6KcuBS2oCdJVqoYGlZyCbssqYWiqK -shWSB6Ua15FgPchlJ8iyNxqK9hlASBkMsKvDntPCpmuFK/R0QycNlMR/m2dnIHdE -SQiuN5mJQhoL/kusDcGGtVuV56axRbXEw6ACoShY/lBReIJzurO1sUqLAoO3bWrG -OvqJhnQGsgBSUZs0jqA73NHJzrd9bvlI3TOYdEgzdqZVabnKPzR8qTuxDglnFBiQ -iJmO4jefp+fB3XALNJh379OTH0Wngppt15SxOAEk+guTPDEy4pNUxFW9IrzFWiKZ -mVdb+tQdVXBb4lSGxugP3fUyKjEaEnCy6tbHCopcPsi126RK4QnKmqlwaSHHyvyY -TQgD/2pnf2IpPJFB3IS0Bcm5TQE3PfcLSkPOopF17DrGoWmW/SiTT2dJbOky7pgH -A9xXVEF2NCtMWMgJ4PmC8ci58hFJyLmmNZBSy9LC/NSs9JYHAYJ0HmGpUoSBV8E7 -OHB3ZACsxwMkwzYxfjtmpiyvUSlAgdjOXGcamLhsMaxbk4MDC0xSZzRLQ3i6emOP -t6NY7JMq6jhb6Uu/k2COZleIUsQ6G0rBQSeJECVW3vdWHxK6zsDsbCzn8yj5gwOP -EHNvaIB6gLtYUaoe7bE= +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDD0ZhbZAyORndQ +k4kvfLrlxChcP3/UnkEQ8aO4koEROfErzGdEy1oVCIMCDmrDG9GKU+TfyFia9tVu +8aasbBanALjL14d4XQYvf3AbNZbihjuSqL4P2O/LmScGm8Hp2fQNCMCbTW6KBTbp +i0IBntVrz78CeTCnjX6xUrPCAoGfX2gEwdTVg11QIUQ9Hl3bIzvYwR4caGNNnJsG +bj654I1I3PIL+NkynLegdeWaUkTaa8Sw5BkDifrEhR75HCiR8BeXBgWXX2lt2Pkb +jYiEvOv1lK7q6+OblG8LGg92a1BnoXFoFQ19EwaOoQ6Ri7AInbvXzJpRGBtGp+aU +o10QLLLhAgMBAAECggEAJQLhnCx93wpclOM947bckH8R7dWmsKY0wCIcAs/WC057 +Uf7xaeRRo3YXZPUaosQIR+/xa4avkKKk1rJgAWjwoyIUy5pyJYLXn3Sj2NC5MxmR ++vdf7Rjgwgexg6M+9JdYdHo6BWCOSxIPPfcvQ6Uky5rZjHshghnRX2y1Qy88FsYZ +5TUMa7qQjbtzZPM7dePCvHy0Euw3ggjyzwN4n/TUm9U9AlEUfNWvjP56RjLHrUBc +kiBbdMgvipu5/MMq5V63WpWxUrCOFnyofOsfuZ632CVfxy4d6fiBX0KrD0I96A1Z +GrelDpuyq7/GL6khiO3IBkOUJgsZO/lgTCq/gd4iEQKBgQDqlv82MGDWaX2tSszW +l/tvTR1y1aV9IcqLi32r9cuLIVNA7aJoWQLAtt5KRiE7pT6BZ4OEGbhAS+t+jXON +UTqc8ixa9/TRhEA4aVrhevLfOIJfaT2TNCivuuAHXKmXPM8IqArfnZyat7p8Xfp6 +vNxYxWIga8CZ0ogLB+RUmqhx7QKBgQDVsL4Z8q1XF6kgL8oRyiA+IA81Jw1qL4f5 +Hpg1nJlY29ajQqBz6RPJmMN/X5Pt5/xD9WOGZwFxATkUXzwSQw1hfHdggOonVuNc +SONCBinUtq5TdpB4H7LFqbaVgSrU1YZPiQekTyv+hfsYN4IOLCDuQxgxZ4moiHf5 +sQP7+/Y2RQKBgGyWeIwc2LZnHkWY2jh7IWfjyj3dpzzE53ywlPuESzObuW3Ukdi7 +WwrZmwvGapuxYb2ErNv5C9C3U8rArzw63WbIsr9pB2n0TcXO/sJgpwusnKyNinMZ 
+MbwmRI0j11yqSSs4nc/kpRj48tmeptMpmNV+iG15cy3AxjhU7tw6ur4BAoGBAIU8 ++Zs2PCyEnThrc8QZ0nbKCJFssymVT2PeVqt+5AKKuE79eQwstODLNoJR9uus7Rb2 +h0LDMRvj1lJEezEry8kQEWMDnnw+6e6dp82ACE8QRKvXzoaHxTEH+8dGTY19QYyP +9UrW7qh5o7Fa0uXBUBsfjJMpaqTByoTOgZx5YvA9AoGAUsqA4GdiBt+HCJv+uwP3 +21XcxdhwmT9PYMh7MdONpe9kEZUu1o/MVuCSascsF5qIewIlynqnACoS/E3yILxy +/Q4IyxJpvaocvO94xvHYa1T//FQG+JO7gOjLyF5c8IK7V3O+luxRy1I99Y87ePlq +aPBrRRPu2ZIxrPmdPmdNp1s= -----END PRIVATE KEY----- diff --git a/test/recipes/80-test_cmp_http_data/Mock/server.cnf b/test/recipes/80-test_cmp_http_data/Mock/server.cnf index 04b612cde2d078..c01487c3ad0848 100644 --- a/test/recipes/80-test_cmp_http_data/Mock/server.cnf +++ b/test/recipes/80-test_cmp_http_data/Mock/server.cnf @@ -18,4 +18,6 @@ rsp_newwithnew = newWithNew.pem rsp_newwithold = newWithOld.pem rsp_oldwithnew = oldWithNew.pem +#max_msgs = 2 + verbosity = 7 diff --git a/test/recipes/80-test_cmp_http_data/Mock/test.cnf b/test/recipes/80-test_cmp_http_data/Mock/test.cnf index 35060297970706..2e5957b6f33042 100644 --- a/test/recipes/80-test_cmp_http_data/Mock/test.cnf +++ b/test/recipes/80-test_cmp_http_data/Mock/test.cnf @@ -119,8 +119,8 @@ policyIdentifier = 1.2.3.4 [reqexts] basicConstraints = CA:FALSE #basicConstraints = critical, CA:TRUE -keyUsage = critical, digitalSignature # keyAgreement, keyEncipherment, nonRepudiation -extendedKeyUsage = critical, clientAuth # serverAuth, codeSigning +keyUsage = critical, keyEncipherment # digitalSignature keyAgreement, keyEncipherment, nonRepudiation +#extendedKeyUsage = critical, clientAuth serverAuth, codeSigning #crlDistributionPoints = URI:http: #authorityInfoAccess = URI:http: subjectAltName = @alt_names diff --git a/util/libcrypto.num b/util/libcrypto.num index 3ef2f18ac1cd2a..3e7d4cdd38e61e 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num 
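Review bot: The `[reqexts]` change in `Mock/test.cnf` replaces `keyUsage = critical, digitalSignature` with `keyEncipherment` and comments out `extendedKeyUsage` in what looks like the section shared by the mock-server test cases, so every request built from it changes, not only the encrypted-certificate case. A dedicated extensions section for the new test would leave the existing cases as they were. The trailing comment now reads `# digitalSignature keyAgreement, keyEncipherment, nonRepudiation`, which repeats the active value and lost a comma; `# digitalSignature, keyAgreement, nonRepudiation` would be clearer. The section starts outside the hunk, so whether other keys in it depend on the old usage cannot be checked from here.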
@@ -5546,3 +5546,96 @@ OSSL_CMP_get_ssk ? 3_3_0 EXIST::FUNCTION:CMP OSSL_CMP_SRV_kem_get_ss ? 3_3_0 EXIST::FUNCTION:CMP EVP_DigestSqueeze ? 3_3_0 EXIST::FUNCTION: ERR_pop ? 3_3_0 EXIST::FUNCTION: +d2i_OSSL_CRMF_ENCRYPTEDKEY ? 3_3_0 EXIST::FUNCTION:CRMF +i2d_OSSL_CRMF_ENCRYPTEDKEY ? 3_3_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_ENCRYPTEDKEY_free ? 3_3_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_ENCRYPTEDKEY_new ? 3_3_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_ENCRYPTEDKEY_it ? 3_3_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_ENCRYPTEDKEY_get1_encCert ? 3_3_0 EXIST::FUNCTION:CRMF +d2i_X509_ACERT ? 3_3_0 EXIST::FUNCTION: +i2d_X509_ACERT ? 3_3_0 EXIST::FUNCTION: +X509_ACERT_free ? 3_3_0 EXIST::FUNCTION: +X509_ACERT_new ? 3_3_0 EXIST::FUNCTION: +X509_ACERT_it ? 3_3_0 EXIST::FUNCTION: +X509_ACERT_dup ? 3_3_0 EXIST::FUNCTION: +X509_ACERT_INFO_it ? 3_3_0 EXIST::FUNCTION: +X509_ACERT_INFO_free ? 3_3_0 EXIST::FUNCTION: +X509_ACERT_INFO_new ? 3_3_0 EXIST::FUNCTION: +OSSL_OBJECT_DIGEST_INFO_free ? 3_3_0 EXIST::FUNCTION: +OSSL_OBJECT_DIGEST_INFO_new ? 3_3_0 EXIST::FUNCTION: +OSSL_ISSUER_SERIAL_free ? 3_3_0 EXIST::FUNCTION: +OSSL_ISSUER_SERIAL_new ? 3_3_0 EXIST::FUNCTION: +X509_ACERT_ISSUER_V2FORM_free ? 3_3_0 EXIST::FUNCTION: +X509_ACERT_ISSUER_V2FORM_new ? 3_3_0 EXIST::FUNCTION: +d2i_X509_ACERT_fp ? 3_3_0 EXIST::FUNCTION:STDIO +i2d_X509_ACERT_fp ? 3_3_0 EXIST::FUNCTION:STDIO +PEM_read_X509_ACERT ? 3_3_0 EXIST::FUNCTION:STDIO +PEM_write_X509_ACERT ? 3_3_0 EXIST::FUNCTION:STDIO +PEM_read_bio_X509_ACERT ? 3_3_0 EXIST::FUNCTION: +PEM_write_bio_X509_ACERT ? 3_3_0 EXIST::FUNCTION: +d2i_X509_ACERT_bio ? 3_3_0 EXIST::FUNCTION: +i2d_X509_ACERT_bio ? 3_3_0 EXIST::FUNCTION: +X509_ACERT_sign ? 3_3_0 EXIST::FUNCTION: +X509_ACERT_sign_ctx ? 3_3_0 EXIST::FUNCTION: +X509_ACERT_verify ? 3_3_0 EXIST::FUNCTION: +X509_ACERT_get0_holder_entityName ? 3_3_0 EXIST::FUNCTION: +X509_ACERT_get0_holder_baseCertId ? 3_3_0 EXIST::FUNCTION: +X509_ACERT_get0_holder_digest ? 3_3_0 EXIST::FUNCTION: +X509_ACERT_get0_issuerName ? 
3_3_0 EXIST::FUNCTION: +X509_ACERT_get_version ? 3_3_0 EXIST::FUNCTION: +X509_ACERT_get0_signature ? 3_3_0 EXIST::FUNCTION: +X509_ACERT_get_signature_nid ? 3_3_0 EXIST::FUNCTION: +X509_ACERT_get0_info_sigalg ? 3_3_0 EXIST::FUNCTION: +X509_ACERT_get0_serialNumber ? 3_3_0 EXIST::FUNCTION: +X509_ACERT_get0_notBefore ? 3_3_0 EXIST::FUNCTION: +X509_ACERT_get0_notAfter ? 3_3_0 EXIST::FUNCTION: +X509_ACERT_get0_issuerUID ? 3_3_0 EXIST::FUNCTION: +X509_ACERT_print ? 3_3_0 EXIST::FUNCTION: +X509_ACERT_print_ex ? 3_3_0 EXIST::FUNCTION: +X509_ACERT_get_attr_count ? 3_3_0 EXIST::FUNCTION: +X509_ACERT_get_attr_by_NID ? 3_3_0 EXIST::FUNCTION: +X509_ACERT_get_attr_by_OBJ ? 3_3_0 EXIST::FUNCTION: +X509_ACERT_get_attr ? 3_3_0 EXIST::FUNCTION: +X509_ACERT_delete_attr ? 3_3_0 EXIST::FUNCTION: +X509_ACERT_get_ext_d2i ? 3_3_0 EXIST::FUNCTION: +X509_ACERT_add1_ext_i2d ? 3_3_0 EXIST::FUNCTION: +X509_ACERT_get0_extensions ? 3_3_0 EXIST::FUNCTION: +X509_ACERT_set_version ? 3_3_0 EXIST::FUNCTION: +X509_ACERT_set0_holder_entityName ? 3_3_0 EXIST::FUNCTION: +X509_ACERT_set0_holder_baseCertId ? 3_3_0 EXIST::FUNCTION: +X509_ACERT_set0_holder_digest ? 3_3_0 EXIST::FUNCTION: +X509_ACERT_add1_attr ? 3_3_0 EXIST::FUNCTION: +X509_ACERT_add1_attr_by_OBJ ? 3_3_0 EXIST::FUNCTION: +X509_ACERT_add1_attr_by_NID ? 3_3_0 EXIST::FUNCTION: +X509_ACERT_add1_attr_by_txt ? 3_3_0 EXIST::FUNCTION: +X509_ACERT_add_attr_nconf ? 3_3_0 EXIST::FUNCTION: +X509_ACERT_set1_issuerName ? 3_3_0 EXIST::FUNCTION: +X509_ACERT_set1_serialNumber ? 3_3_0 EXIST::FUNCTION: +X509_ACERT_set1_notBefore ? 3_3_0 EXIST::FUNCTION: +X509_ACERT_set1_notAfter ? 3_3_0 EXIST::FUNCTION: +OSSL_OBJECT_DIGEST_INFO_get0_digest ? 3_3_0 EXIST::FUNCTION: +OSSL_OBJECT_DIGEST_INFO_set1_digest ? 3_3_0 EXIST::FUNCTION: +OSSL_ISSUER_SERIAL_get0_issuer ? 3_3_0 EXIST::FUNCTION: +OSSL_ISSUER_SERIAL_get0_serial ? 3_3_0 EXIST::FUNCTION: +OSSL_ISSUER_SERIAL_get0_issuerUID ? 3_3_0 EXIST::FUNCTION: +OSSL_ISSUER_SERIAL_set1_issuer ? 
3_3_0 EXIST::FUNCTION: +OSSL_ISSUER_SERIAL_set1_serial ? 3_3_0 EXIST::FUNCTION: +OSSL_ISSUER_SERIAL_set1_issuerUID ? 3_3_0 EXIST::FUNCTION: +OSSL_IETF_ATTR_SYNTAX_VALUE_it ? 3_3_0 EXIST::FUNCTION: +OSSL_IETF_ATTR_SYNTAX_VALUE_free ? 3_3_0 EXIST::FUNCTION: +OSSL_IETF_ATTR_SYNTAX_VALUE_new ? 3_3_0 EXIST::FUNCTION: +d2i_OSSL_IETF_ATTR_SYNTAX ? 3_3_0 EXIST::FUNCTION: +i2d_OSSL_IETF_ATTR_SYNTAX ? 3_3_0 EXIST::FUNCTION: +OSSL_IETF_ATTR_SYNTAX_free ? 3_3_0 EXIST::FUNCTION: +OSSL_IETF_ATTR_SYNTAX_new ? 3_3_0 EXIST::FUNCTION: +OSSL_IETF_ATTR_SYNTAX_it ? 3_3_0 EXIST::FUNCTION: +OSSL_IETF_ATTR_SYNTAX_get0_policyAuthority ? 3_3_0 EXIST::FUNCTION: +OSSL_IETF_ATTR_SYNTAX_set0_policyAuthority ? 3_3_0 EXIST::FUNCTION: +OSSL_IETF_ATTR_SYNTAX_get_value_num ? 3_3_0 EXIST::FUNCTION: +OSSL_IETF_ATTR_SYNTAX_get0_value ? 3_3_0 EXIST::FUNCTION: +OSSL_IETF_ATTR_SYNTAX_add1_value ? 3_3_0 EXIST::FUNCTION: +OSSL_IETF_ATTR_SYNTAX_print ? 3_3_0 EXIST::FUNCTION: +CMS_EnvelopedData_dup ? 3_3_0 EXIST::FUNCTION:CMS +OSSL_CMS_get0_enveloped ? 3_3_0 EXIST::FUNCTION:CMS +OSSL_CRMF_MSG_certreq_encrcert_popo ? 3_3_0 EXIST::FUNCTION:CRMF +OSSL_CRMF_ENCRYPTEDKEY_init_envdata ? 3_3_0 EXIST::FUNCTION:CRMF
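Review bot: Most of the 93 entries added to `util/libcrypto.num` (`X509_ACERT_*`, `OSSL_OBJECT_DIGEST_INFO_*`, `OSSL_ISSUER_SERIAL_*`, `OSSL_IETF_ATTR_SYNTAX_*`) name symbols that none of the files visible in this part of the diff declare or define. That suggests they came in from another branch during a rebase or a stale `make update`, rather than from this change. Exporting names the library does not define can break symbol-versioned or `.def`-based links and widens the public ABI by accident. The list should be regenerated against the tree this change builds on, leaving only the CRMF and CMS additions (`*_OSSL_CRMF_ENCRYPTEDKEY*`, `CMS_EnvelopedData_dup`, `OSSL_CMS_get0_enveloped`, `OSSL_CRMF_MSG_certreq_encrcert_popo`, `OSSL_CRMF_ENCRYPTEDKEY_init_envdata`).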