diff --git a/apps/cmp.c b/apps/cmp.c index 3b10a6941e0c74..3979eb37ce84fe 100644 --- a/apps/cmp.c +++ b/apps/cmp.c @@ -94,6 +94,7 @@ static char *opt_oldwithold = NULL; static char *opt_newwithnew = NULL; static char *opt_newwithold = NULL; static char *opt_oldwithnew = NULL; +static char *opt_crlcert = NULL; static char *opt_oldcrl = NULL; static char *opt_crlout = NULL; @@ -238,7 +239,7 @@ typedef enum OPTION_choice { OPT_IGNORE_KEYUSAGE, OPT_UNPROTECTED_ERRORS, OPT_NO_CACHE_EXTRACERTS, OPT_SRVCERTOUT, OPT_EXTRACERTSOUT, OPT_CACERTSOUT, OPT_OLDWITHOLD, OPT_NEWWITHNEW, OPT_NEWWITHOLD, OPT_OLDWITHNEW, - OPT_OLDCRL, OPT_CRLOUT, + OPT_CRLCERT, OPT_OLDCRL, OPT_CRLOUT, OPT_REF, OPT_SECRET, OPT_CERT, OPT_OWN_TRUSTED, OPT_KEY, OPT_KEYPASS, OPT_DIGEST, OPT_MAC, OPT_EXTRACERTS, @@ -268,9 +269,9 @@ typedef enum OPTION_choice { OPT_SRV_REF, OPT_SRV_SECRET, OPT_SRV_CERT, OPT_SRV_KEY, OPT_SRV_KEYPASS, OPT_SRV_TRUSTED, OPT_SRV_UNTRUSTED, - OPT_REF_CERT, OPT_RSP_CERT, OPT_RSP_CRL, OPT_RSP_EXTRACERTS, - OPT_RSP_CAPUBS, OPT_RSP_NEWWITHNEW, OPT_RSP_NEWWITHOLD, - OPT_RSP_OLDWITHNEW, OPT_POLL_COUNT, OPT_CHECK_AFTER, + OPT_REF_CERT, OPT_RSP_CERT, OPT_RSP_CRL, OPT_RSP_EXTRACERTS, OPT_RSP_CAPUBS, + OPT_RSP_NEWWITHNEW, OPT_RSP_NEWWITHOLD, OPT_RSP_OLDWITHNEW, + OPT_POLL_COUNT, OPT_CHECK_AFTER, OPT_GRANT_IMPLICITCONF, OPT_PKISTATUS, OPT_FAILURE, OPT_FAILUREBITS, OPT_STATUSSTRING, @@ -429,6 +430,8 @@ const OPTIONS cmp_options[] = { "File to save NewWithOld cert received in genp of type rootCaKeyUpdate"}, { "oldwithnew", OPT_OLDWITHNEW, 's', "File to save OldWithNew cert received in genp of type rootCaKeyUpdate"}, + { "crlcert", OPT_CRLCERT, 's', + "certificate to request CRL update for in genm of type crlStatusList"}, { "oldcrl", OPT_OLDCRL, 's', "CRL to request update for in genm of type crlStatusList"}, { "crlout", OPT_CRLOUT, 's', 
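Review bot: The help string of the new `crlcert` entry in `cmp_options[]` starts in lowercase (`"certificate to request CRL update for in genm of type crlStatusList"`) while the surrounding entries start with a capital letter (`"File to save ..."`, `"CRL to request update for ..."`); suggest `"Certificate to request CRL update for in genm of type crlStatusList"` so the generated usage text reads uniformly. The placement of `OPT_CRLCERT` directly before `OPT_OLDCRL` in the enum matches the position of the new option entry, which the "must be in same order" table elsewhere in the file depends on.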
@@ -628,7 +631,7 @@ static varref cmp_vars[] = { /* must be in same order as enumerated above! */ {(char **)&opt_no_cache_extracerts}, {&opt_srvcertout}, {&opt_extracertsout}, {&opt_cacertsout}, {&opt_oldwithold}, {&opt_newwithnew}, {&opt_newwithold}, {&opt_oldwithnew}, - {&opt_oldcrl}, {&opt_crlout}, + {&opt_crlcert}, {&opt_oldcrl}, {&opt_crlout}, {&opt_ref}, {&opt_secret}, {&opt_cert}, {&opt_own_trusted}, {&opt_key}, {&opt_keypass}, @@ -658,9 +661,9 @@ static varref cmp_vars[] = { /* must be in same order as enumerated above! */ {&opt_srv_ref}, {&opt_srv_secret}, {&opt_srv_cert}, {&opt_srv_key}, {&opt_srv_keypass}, {&opt_srv_trusted}, {&opt_srv_untrusted}, - {&opt_ref_cert}, {&opt_rsp_cert}, {&opt_rsp_crl}, {&opt_rsp_extracerts}, - {&opt_rsp_capubs}, {&opt_rsp_newwithnew}, {&opt_rsp_newwithold}, - {&opt_rsp_oldwithnew}, + {&opt_ref_cert}, {&opt_rsp_cert}, {&opt_rsp_crl}, + {&opt_rsp_extracerts}, {&opt_rsp_capubs}, + {&opt_rsp_newwithnew}, {&opt_rsp_newwithold}, {&opt_rsp_oldwithnew}, {(char **)&opt_poll_count}, {(char **)&opt_check_after}, {(char **)&opt_grant_implicitconf}, @@ -1009,9 +1012,7 @@ static int setup_certs(char *files, const char *desc, void *ctx, return ok; } -typedef int (*add_X509_CRL_fn_t)(void *ctx, const X509_CRL *crl); -static int setup_crl(void *ctx, const char *file, const char *desc, - add_X509_CRL_fn_t set1_fn) +static int setup_mock_crlout(void *ctx, const char *file, const char *desc) { X509_CRL *crl; int ok; @@ -1020,7 +1021,7 @@ static int setup_crl(void *ctx, const char *file, const char *desc, return 1; if ((crl = load_crl(file, FORMAT_UNDEF, 0, desc)) == NULL) return 0; - ok = (*set1_fn)(ctx, crl); + ok = ossl_cmp_mock_srv_set1_crlOut(ctx, crl); X509_CRL_free(crl); return ok; } 
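Review bot: `setup_mock_crlout` keeps the `void *ctx` parameter inherited from the generic `setup_crl`, but it now calls `ossl_cmp_mock_srv_set1_crlOut(ctx, crl)` directly, so the `void *` only discards the type check that the removed function-pointer cast used to paper over. Since the sole caller passes an `OSSL_CMP_SRV_CTX *`, the signature could be `static int setup_mock_crlout(OSSL_CMP_SRV_CTX *ctx, const char *file, const char *desc)`, letting the compiler verify the argument against the mock-server setter. A one-line header comment such as `/* Load the CRL from |file| (if any) and install it as the mock server's crlOut */` would also help, as the old name described the purpose and the new one does not. The function's body is split across the two hunks on this line, so its `file == NULL` handling is only partly visible here.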
@@ -1166,8 +1167,8 @@ static OSSL_CMP_SRV_CTX *setup_srv_ctx(ENGINE *engine) (add_X509_fn_t)ossl_cmp_mock_srv_set1_certOut)) goto err; } - if (!setup_crl(srv_ctx, opt_rsp_crl, "CRL the mock server returns", - (add_X509_CRL_fn_t)ossl_cmp_mock_srv_set1_crlOut)) + if (!setup_mock_crlout(srv_ctx, opt_rsp_crl, + "CRL to be returned by the mock server")) goto err; if (!setup_certs(opt_rsp_extracerts, "CMP extra certificates for mock server", srv_ctx, @@ -1849,8 +1850,8 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) (void)OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_POPO_METHOD, opt_popo); if (opt_oldcert != NULL) { - if (opt_cmd == CMP_GENM && opt_infotype != NID_id_it_crlStatusList) { - CMP_warn("-oldcert option is ignored for 'genm' command except with -infotype crlStatusList"); + if (opt_cmd == CMP_GENM) { + CMP_warn("-oldcert option is ignored for 'genm' command"); } else { if (!setup_cert(ctx, opt_oldcert, opt_keypass, /* needed if opt_oldcert is encrypted PKCS12 file */ @@ -2219,14 +2220,14 @@ static int write_cert(BIO *bio, X509 *cert) static int write_crl(BIO *bio, X509_CRL *crl) { - if ((opt_certform == FORMAT_PEM && PEM_write_bio_X509_CRL(bio, crl)) - || (opt_certform == FORMAT_ASN1 && i2d_X509_CRL_bio(bio, crl))) - return 1; - if (opt_certform != FORMAT_PEM && opt_certform != FORMAT_ASN1) - BIO_printf(bio_err, - "error: unsupported type '%s' for writing CRLs\n", + if (opt_certform != FORMAT_PEM && opt_certform != FORMAT_ASN1) { + BIO_printf(bio_err, "error: unsupported type '%s' for writing CRLs\n", opt_certform_s); - return 0; + return 0; + } + + return opt_certform == FORMAT_PEM ? PEM_write_bio_X509_CRL(bio, crl) + : i2d_X509_CRL_bio(bio, crl); } /* 
@@ -2289,8 +2290,8 @@ static int save_free_crl(X509_CRL *crl, if ((bio = BIO_new(BIO_s_file())) == NULL || !BIO_write_filename(bio, (char *)file)) { - CMP_err3("could not open file '%s' for %s %s CRL", - file, crl == NULL ? "deleting" : "writing", desc); + CMP_err2("could not open file '%s' for writing %s CRL", + file, desc); goto end; } @@ -2345,7 +2346,7 @@ static int save_crl_or_delete(X509_CRL *crl, const char *file, const char *desc) if (crl == NULL) { char desc_crl[80]; - BIO_snprintf(desc_crl, sizeof(desc_crl), "%s CRL", desc); + BIO_snprintf(desc_crl, sizeof(desc_crl), "%s", desc); return delete_file(file, desc_crl); } else { return save_free_crl(crl, file, desc); @@ -2751,6 +2752,9 @@ static int get_opts(int argc, char **argv) case OPT_OLDWITHNEW: opt_oldwithnew = opt_str(); break; + case OPT_CRLCERT: + opt_crlcert = opt_str(); + break; case OPT_OLDCRL: opt_oldcrl = opt_str(); break; @@ -3172,10 +3176,12 @@ static int do_genm(OSSL_CMP_CTX *ctx) return res; } else if (opt_infotype == NID_id_it_crlStatusList) { X509_CRL *oldcrl = NULL, *crl = NULL; + X509 *crlcert = NULL; int res = 0; + const char *desc = "CRL from genp of type 'crls'"; - if (opt_oldcrl == NULL && opt_oldcert == NULL) { - CMP_err("Missing -oldcrl and no -oldcert given for -infotype crlStatusList"); + if (opt_oldcrl == NULL && opt_crlcert == NULL) { + CMP_err("Missing -oldcrl and no -crlcert given for -infotype crlStatusList"); return 0; } if (opt_crlout == NULL) { 
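Review bot: In `save_crl_or_delete` the `desc_crl` buffer is now dead weight: after the change it receives `BIO_snprintf(desc_crl, sizeof(desc_crl), "%s", desc)`, i.e. a plain copy of `desc` that is also silently truncated at 79 characters. The `crl == NULL` branch can simply be `return delete_file(file, desc);` with the local buffer removed, which is also consistent with the `save_free_crl(crl, file, desc)` call in the other branch. The rest of `save_crl_or_delete` and the start of `do_genm` continue outside these hunks.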
@@ -3183,28 +3189,43 @@ static int do_genm(OSSL_CMP_CTX *ctx) return 0; } + if (opt_crlcert == NULL) { + CMP_warn("No -crlcert given, will use data from -oldcrl"); + } else { + crlcert = load_cert_pwd(opt_crlcert, opt_otherpass, + "Cert for genm with -infotype crlStatusList"); + if (crlcert == NULL) + goto end_crlupd; + } + if (opt_oldcrl == NULL) { - CMP_warn("No -oldcrl given, will use data from -oldcert"); + CMP_warn("No -oldcrl given, will use data from -crlcert"); } else { oldcrl = load_crl(opt_oldcrl, FORMAT_UNDEF, 0, "CRL for genm with -infotype crlStatusList"); if (oldcrl == NULL) goto end_crlupd; } - if (!OSSL_CMP_get1_crlUpdate(ctx, oldcrl, &crl)) + + if (opt_oldcrl != NULL && opt_crlcert != NULL) { + if (X509_NAME_cmp(X509_CRL_get_issuer(oldcrl), + X509_get_issuer_name(crlcert)) + != 0) + CMP_warn("-oldcrl and -crlcert have different issuer"); + } + + if (!OSSL_CMP_get1_crlUpdate(ctx, crlcert, oldcrl, &crl)) goto end_crlupd; - const char *desc = "CRL from genp of type 'crls'"; - if (crl == NULL) { + if (crl == NULL) CMP_info("no CRL update available"); - if (!delete_file(opt_crlout, desc)) - goto end_crlupd; - } else if (!save_crl_or_delete(crl, opt_crlout, desc)) { + if (!save_crl_or_delete(crl, opt_crlout, desc)) goto end_crlupd; - } + res = 1; end_crlupd: + X509_free(crlcert); X509_CRL_free(oldcrl); X509_CRL_free(crl); return res; diff --git a/apps/lib/cmp_mock_srv.c b/apps/lib/cmp_mock_srv.c index 5116d5ae528f74..9129572341b2f7 100644 --- a/apps/lib/cmp_mock_srv.c +++ b/apps/lib/cmp_mock_srv.c 
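Review bot: The issuer consistency check only compares the two client inputs (`-oldcrl` against `-crlcert`); the CRL returned in `crl` by `OSSL_CMP_get1_crlUpdate()` is written to `-crlout` without comparing its issuer to the one that was requested. Message protection covers the genp itself, but a server answering with a CRL from a different issuer would be stored unnoticed; a check such as `if (crl != NULL && oldcrl != NULL && X509_NAME_cmp(X509_CRL_get_issuer(crl), X509_CRL_get_issuer(oldcrl)) != 0) CMP_warn("CRL received from server has different issuer than -oldcrl");` (and analogously against `X509_get_issuer_name(crlcert)`) would flag that case. As a smaller point, the nested `if (opt_oldcrl != NULL && opt_crlcert != NULL) { if (X509_NAME_cmp(...) != 0) CMP_warn(...); }` can be folded into a single condition, and the unbraced `if (crl == NULL) CMP_info(...)` directly followed by another `if` reads like a misplaced else path; bracing it or adding a short comment that `save_crl_or_delete()` handles the `NULL` case would make the intent explicit. `do_genm` begins outside this hunk.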
@@ -408,25 +408,41 @@ static OSSL_CMP_PKISI *process_rr(OSSL_CMP_SRV_CTX *srv_ctx, return OSSL_CMP_PKISI_dup(ctx->statusOut); } +/* return -1 for error, 0 for no update available */ static int check_client_crl(const STACK_OF(OSSL_CMP_CRLSTATUS) *crlStatusList, const X509_CRL *crl) { OSSL_CMP_CRLSTATUS *crlstatus; DIST_POINT_NAME *distpoint; GENERAL_NAMES *gen; - ASN1_TIME *thisupd; + ASN1_TIME *thisupd = NULL; - if (crlStatusList == NULL || crl == NULL) - return 0; - if (sk_OSSL_CMP_CRLSTATUS_num(crlStatusList) != 1) + if (sk_OSSL_CMP_CRLSTATUS_num(crlStatusList) != 1) { + ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_CRLSTATUSLIST); + return -1; + } + if (crl == NULL) return 0; + crlstatus = sk_OSSL_CMP_CRLSTATUS_value(crlStatusList, 0); if (!OSSL_CMP_CRLSTATUS_get0(crlstatus, &distpoint, &gen, &thisupd)) - return 0; - if (ASN1_TIME_compare(thisupd, X509_CRL_get0_lastUpdate(crl)) >= 0) - return 0; + return -1; - return 1; + if (gen != NULL) { + GENERAL_NAME *gn = sk_GENERAL_NAME_value(gen, 0); + + if (gn != NULL && gn->type == GEN_DIRNAME) { + X509_NAME *gen_name = gn->d.dirn; + + if (X509_NAME_cmp(gen_name, X509_CRL_get_issuer(crl)) != 0) { + ERR_raise(ERR_LIB_CMP, CMP_R_UNKNOWN_CRL_ISSUER); + return -1; + } + } + } + + return thisupd == NULL + || ASN1_TIME_compare(thisupd, X509_CRL_get0_lastUpdate(crl)) < 0; } static OSSL_CMP_ITAV *process_genm_itav(mock_srv_ctx *ctx, int req_nid, 
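Review bot: The final `return thisupd == NULL || ASN1_TIME_compare(thisupd, X509_CRL_get0_lastUpdate(crl)) < 0;` in `check_client_crl` treats the `-2` error return of `ASN1_TIME_compare()` as "update available", which contradicts the function's new contract of returning `-1` on error; better `int cmp = ASN1_TIME_compare(thisupd, X509_CRL_get0_lastUpdate(crl)); if (cmp == -2) return -1; return cmp < 0;` (with the `thisupd == NULL` case handled before). The `distpoint` value obtained from `OSSL_CMP_CRLSTATUS_get0()` is never examined, so a crlStatus that identifies the CRL by distribution point name rather than by issuer is never matched against `crl` and the new `CMP_R_UNKNOWN_CRL_ISSUER` check is bypassed in that form; even for a mock server, a comment stating that only the issuer-name form is validated would document the gap. Likewise only `sk_GENERAL_NAME_value(gen, 0)` is inspected, so any further issuer names are ignored silently. The header comment should also name the third outcome: `/* return -1 for error, 0 for no update available, 1 if an update is available */`.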
@@ -446,12 +462,18 @@ static OSSL_CMP_ITAV *process_genm_itav(mock_srv_ctx *ctx, int req_nid, case NID_id_it_crlStatusList: { STACK_OF(OSSL_CMP_CRLSTATUS) *crlstatuslist; - - rsp = OSSL_CMP_ITAV_get0_crlStatusList(req, &crlstatuslist) - ? check_client_crl(crlstatuslist, ctx->crlOut) - ? OSSL_CMP_ITAV_new_crls(ctx->crlOut) - : OSSL_CMP_ITAV_new_crls(NULL) - : OSSL_CMP_ITAV_new_crls(NULL); + int res = 0; + + if (!OSSL_CMP_ITAV_get0_crlStatusList(req, &crlstatuslist)) + return NULL; + + res = check_client_crl(crlstatuslist, ctx->crlOut); + if (res < 0) + rsp = NULL; + else if (res == 0) + rsp = OSSL_CMP_ITAV_new_crls(NULL); + else + rsp = OSSL_CMP_ITAV_new_crls(ctx->crlOut); } break; default: diff --git a/crypto/cmp/cmp_asn.c b/crypto/cmp/cmp_asn.c index d46fb2df5498ef..2123ccb460fa69 100644 --- a/crypto/cmp/cmp_asn.c +++ b/crypto/cmp/cmp_asn.c @@ -157,8 +157,6 @@ ASN1_SEQUENCE(OSSL_CMP_CRLSTATUS) = { } ASN1_SEQUENCE_END(OSSL_CMP_CRLSTATUS) IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CRLSTATUS) -IMPLEMENT_ASN1_DUP_FUNCTION(DIST_POINT_NAME) - OSSL_CMP_ITAV *OSSL_CMP_ITAV_create(ASN1_OBJECT *type, ASN1_TYPE *value) { OSSL_CMP_ITAV *itav; @@ -429,7 +427,7 @@ static GENERAL_NAMES *gennames_new(const X509_NAME *nm) if ((names = sk_GENERAL_NAME_new_reserve(NULL, 1)) == NULL) return NULL; - if (!GENERAL_NAME_create(&name, nm)) { + if (!GENERAL_NAME_set1_X509_NAME(&name, nm)) { sk_GENERAL_NAME_free(names); return NULL; } 
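Review bot: In the `NID_id_it_crlStatusList` case of `process_genm_itav` the early `return NULL;` after a failed `OSSL_CMP_ITAV_get0_crlStatusList()` leaves the `switch` differently from the other error path two lines below, which sets `rsp = NULL` and falls through to `break`; if there is any common cleanup after the `switch` (outside this hunk) the early return skips it, so `rsp = NULL; break;` would be the consistent form. The initializer in `int res = 0;` is dead, since `res` is assigned unconditionally before it is read. The enclosing function starts and ends outside this hunk.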
@@ -461,11 +459,11 @@ OSSL_CMP_CRLSTATUS *OSSL_CMP_CRLSTATUS_create(const X509_CRL *crl, int i, NID_akid = NID_authority_key_identifier; /* - * Note: X509{,_CRL}_get_ext_d2i(..., NID, &i, ...) return the 1st extension - * with the given NID that is available, if any. There might be more such. + * Note: X509{,_CRL}_get_ext_d2i(..., NID, ..., NULL) return the 1st extension + * with the given NID that is available, if any. If there are more, this is an error. */ if (cert != NULL) { - crldps = X509_get_ext_d2i(cert, NID_crl_distribution_points, &i, NULL); + crldps = X509_get_ext_d2i(cert, NID_crl_distribution_points, NULL, NULL); /* if available, take the first suitable element */ for (i = 0; i < sk_DIST_POINT_num(crldps); i++) { DIST_POINT *dp = sk_DIST_POINT_value(crldps, i); @@ -486,21 +484,21 @@ OSSL_CMP_CRLSTATUS *OSSL_CMP_CRLSTATUS_create(const X509_CRL *crl, return NULL; } idp = X509_CRL_get_ext_d2i(crl, - NID_issuing_distribution_point, &i, NULL); + NID_issuing_distribution_point, NULL, NULL); if (idp != NULL && idp->distpoint != NULL) dpn = idp->distpoint; } if (dpn == NULL && CRLissuer == NULL) { if (cert != NULL) { - akid = X509_get_ext_d2i(cert, NID_akid, &i, NULL); + akid = X509_get_ext_d2i(cert, NID_akid, NULL, NULL); if (akid != NULL && gennames_allowed(akid->issuer, only_DN)) CRLissuer = akid->issuer; else CRLissuer = issuers = gennames_new(X509_get_issuer_name(cert)); } if (CRLissuer == NULL && crl != NULL) { - akid = X509_CRL_get_ext_d2i(crl, NID_akid, &i, NULL); + akid = X509_CRL_get_ext_d2i(crl, NID_akid, NULL, NULL); if (akid != NULL && gennames_allowed(akid->issuer, only_DN)) CRLissuer = akid->issuer; else 
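Review bot: The rewritten comment in `OSSL_CMP_CRLSTATUS_create` says that more than one extension with the given NID "is an error", but the calls now pass `NULL` for both the `idx` and the `crit` arguments of `X509_get_ext_d2i()`/`X509_CRL_get_ext_d2i()`, so the duplicate-extension case comes back as a plain `NULL` that is indistinguishable from "extension absent" and the code silently falls back to the next data source. To actually detect it, pass a `crit` variable and test it, e.g. `crldps = X509_get_ext_d2i(cert, NID_crl_distribution_points, &crit, NULL); if (crldps == NULL && crit == -2) return NULL;` (same for the `idp` and both `akid` lookups), or reword the comment to say the first one is used only if it is unique. The function starts and ends outside this hunk, so the declaration of `i` and the error path are not visible here.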
@@ -558,11 +556,12 @@ OSSL_CMP_ITAV *OSSL_CMP_ITAV_new_crls(const X509_CRL *crl) if ((itav = OSSL_CMP_ITAV_new()) == NULL) return NULL; - if (crl != NULL - && ((crls = sk_X509_CRL_new_reserve(NULL, 1)) == NULL - || (crl_copy = X509_CRL_dup(crl)) == NULL - || !sk_X509_CRL_push(crls, crl_copy))) - goto err; + if (crl != NULL) { + if ((crls = sk_X509_CRL_new_reserve(NULL, 1)) == NULL + || (crl_copy = X509_CRL_dup(crl)) == NULL) + goto err; + (void)sk_X509_CRL_push(crls, crl_copy); /* cannot fail */ + } itav->infoType = OBJ_nid2obj(NID_id_it_crls); itav->infoValue.crls = crls; @@ -588,7 +587,7 @@ int OSSL_CMP_ITAV_get0_crls(const OSSL_CMP_ITAV *itav, STACK_OF(X509_CRL) **out) return 1; } -/* get ASN.1 encoded integer, return -1 on error */ +/* get ASN.1 encoded integer, return -2 on error; -1 is valid for certReqId */ int ossl_cmp_asn1_get_int(const ASN1_INTEGER *a) { int64_t res; diff --git a/crypto/cmp/cmp_err.c b/crypto/cmp/cmp_err.c index 31a062f86ceebb..689aa6a9520f71 100644 --- a/crypto/cmp/cmp_err.c +++ b/crypto/cmp/cmp_err.c @@ -150,6 +150,8 @@ static const ERR_STRING_DATA CMP_str_reasons[] = { {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_UNCLEAN_CTX), "unclean ctx"}, {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_UNEXPECTED_CERTPROFILE), "unexpected certprofile"}, + {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_UNEXPECTED_CRLSTATUSLIST), + "unexpected crlstatuslist"}, {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_UNEXPECTED_PKIBODY), "unexpected pkibody"}, {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_UNEXPECTED_PKISTATUS), "unexpected pkistatus"}, @@ -159,6 +161,7 @@ static const ERR_STRING_DATA CMP_str_reasons[] = { {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_UNKNOWN_ALGORITHM_ID), "unknown algorithm id"}, {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_UNKNOWN_CERT_TYPE), "unknown cert type"}, + {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_UNKNOWN_CRL_ISSUER), "unknown crl issuer"}, {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_UNKNOWN_PKISTATUS), "unknown pkistatus"}, {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_UNSUPPORTED_ALGORITHM), "unsupported algorithm"}, 
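Review bot: The comment on `ossl_cmp_asn1_get_int` is changed to `/* get ASN.1 encoded integer, return -2 on error; -1 is valid for certReqId */`, but the hunk shows no corresponding change to the function body, which starts after the hunk ends; please confirm the implementation really returns `-2` (and that callers distinguish `-2` from `-1`), otherwise the comment now misdescribes the contract. In `OSSL_CMP_ITAV_new_crls`, the `(void)sk_X509_CRL_push(crls, crl_copy); /* cannot fail */` relies on the preceding `sk_X509_CRL_new_reserve(NULL, 1)`; spelling that dependency out in the comment (`/* cannot fail: one slot was reserved above */`) keeps a later edit from breaking the assumption.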
diff --git a/crypto/cmp/cmp_genm.c b/crypto/cmp/cmp_genm.c index e524e19e69a8b9..ec14cc2aed80f4 100644 --- a/crypto/cmp/cmp_genm.c +++ b/crypto/cmp/cmp_genm.c @@ -345,7 +345,8 @@ int OSSL_CMP_get1_rootCaKeyUpdate(OSSL_CMP_CTX *ctx, return res; } -int OSSL_CMP_get1_crlUpdate(OSSL_CMP_CTX *ctx, const X509_CRL *last_crl, +int OSSL_CMP_get1_crlUpdate(OSSL_CMP_CTX *ctx, const X509 *crlcert, + const X509_CRL *last_crl, X509_CRL **crl) { OSSL_CMP_CRLSTATUS *status = NULL; @@ -355,20 +356,17 @@ int OSSL_CMP_get1_crlUpdate(OSSL_CMP_CTX *ctx, const X509_CRL *last_crl, int res = 0; if (crl == NULL) { - ERR_raise_data(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT, - "No crl output parameter given"); + ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); return 0; } *crl = NULL; - if ((status = OSSL_CMP_CRLSTATUS_create(last_crl, ctx->oldCert, 1)) == NULL) { - ERR_raise_data(ERR_LIB_CMP, CMP_R_GENERATE_CRLSTATUS, - "Cannot set up CRLStatus structure"); + if ((status = OSSL_CMP_CRLSTATUS_create(last_crl, crlcert, 1)) == NULL) { + ERR_raise(ERR_LIB_CMP, CMP_R_GENERATE_CRLSTATUS); goto end; } if ((list = sk_OSSL_CMP_CRLSTATUS_new_reserve(NULL, 1)) == NULL) { - ERR_raise_data(ERR_LIB_CMP, CMP_R_GENERATE_CRLSTATUS, - "Cannot set up CRLStatus list"); + ERR_raise(ERR_LIB_CMP, CMP_R_GENERATE_CRLSTATUS); goto end; } (void)sk_OSSL_CMP_CRLSTATUS_push(list, status); /* cannot fail */ @@ -386,8 +384,10 @@ int OSSL_CMP_get1_crlUpdate(OSSL_CMP_CTX *ctx, const X509_CRL *last_crl, if (!OSSL_CMP_ITAV_get0_crls(itav, &crls)) goto end; - if (crls == NULL) /* no CRL update available */ + if (crls == NULL) { /* no CRL update available */ + res = 1; goto end; + } if (sk_X509_CRL_num(crls) != 1) { ERR_raise_data(ERR_LIB_CMP, CMP_R_INVALID_GENP, "Unexpected number of CRLs in genp: %d", diff --git a/crypto/cmp/cmp_hdr.c b/crypto/cmp/cmp_hdr.c index c319beedb6fc8d..59205ef8c72e42 100644 --- a/crypto/cmp/cmp_hdr.c +++ b/crypto/cmp/cmp_hdr.c 
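Review bot: The new `const X509 *crlcert` parameter of `OSSL_CMP_get1_crlUpdate` is not reflected in the documentation this commit touches: the SYNOPSIS added to doc/man3/OSSL_CMP_exec_certreq.pod still shows the two-argument form `int OSSL_CMP_get1_crlUpdate(OSSL_CMP_CTX *ctx, const X509_CRL *last_crl, X509_CRL **crl);`, and its DESCRIPTION says the request is built from the "oldcert referenced by ctx", which this hunk replaces with the explicit `crlcert` argument (the `ctx->oldCert` use is removed here). The pod text should describe `crlcert` and `last_crl`, note that at least one of them must be non-NULL for `OSSL_CMP_CRLSTATUS_create()` to succeed, and match the prototype in include/openssl/cmp.h.in. Since `crls == NULL` now yields `res = 1`, the RETURN VALUES wording "1 on success" is correct, but the `/* no CRL update available */` comment could state that `*crl` stays NULL in that case.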
@@ -89,35 +89,6 @@ int ossl_cmp_general_name_is_NULL_DN(GENERAL_NAME *name) || (name->type == GEN_DIRNAME && IS_NULL_DN(name->d.directoryName)); } -/* assign to *tgt a copy of src (which may be NULL to indicate an empty DN) */ -/* TODO move to ../x509/ and use also for OCSP, ESS, etc. */ -int GENERAL_NAME_create(GENERAL_NAME **tgt, const X509_NAME *src) -{ - GENERAL_NAME *name; - - if (!ossl_assert(tgt != NULL)) - return 0; - if ((name = GENERAL_NAME_new()) == NULL) - goto err; - name->type = GEN_DIRNAME; - - if (src == NULL) { /* NULL-DN */ - if ((name->d.directoryName = X509_NAME_new()) == NULL) - goto err; - } else if (!X509_NAME_set(&name->d.directoryName, src)) { - goto err; - } - - GENERAL_NAME_free(*tgt); - *tgt = name; - - return 1; - - err: - GENERAL_NAME_free(name); - return 0; -} - /* * Set the sender name in PKIHeader. * when nm is NULL, sender is set to an empty string @@ -127,14 +98,14 @@ int ossl_cmp_hdr_set1_sender(OSSL_CMP_PKIHEADER *hdr, const X509_NAME *nm) { if (!ossl_assert(hdr != NULL)) return 0; - return GENERAL_NAME_create(&hdr->sender, nm); + return GENERAL_NAME_set1_X509_NAME(&hdr->sender, nm); } int ossl_cmp_hdr_set1_recipient(OSSL_CMP_PKIHEADER *hdr, const X509_NAME *nm) { if (!ossl_assert(hdr != NULL)) return 0; - return GENERAL_NAME_create(&hdr->recipient, nm); + return GENERAL_NAME_set1_X509_NAME(&hdr->recipient, nm); } int ossl_cmp_hdr_update_messageTime(OSSL_CMP_PKIHEADER *hdr) diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index ca8533640504c4..2ad7d6aebf7e56 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt 
@@ -278,6 +278,7 @@ CMP_R_TRANSACTIONID_UNMATCHED:152:transactionid unmatched CMP_R_TRANSFER_ERROR:159:transfer error CMP_R_UNCLEAN_CTX:191:unclean ctx CMP_R_UNEXPECTED_CERTPROFILE:196:unexpected certprofile +CMP_R_UNEXPECTED_CRLSTATUSLIST:201:unexpected crlstatuslist CMP_R_UNEXPECTED_PKIBODY:133:unexpected pkibody CMP_R_UNEXPECTED_PKISTATUS:185:unexpected pkistatus CMP_R_UNEXPECTED_POLLREQ:105:unexpected pollreq @@ -285,6 +286,7 @@ CMP_R_UNEXPECTED_PVNO:153:unexpected pvno CMP_R_UNEXPECTED_SENDER:197:unexpected sender CMP_R_UNKNOWN_ALGORITHM_ID:134:unknown algorithm id CMP_R_UNKNOWN_CERT_TYPE:135:unknown cert type +CMP_R_UNKNOWN_CRL_ISSUER:200:unknown crl issuer CMP_R_UNKNOWN_PKISTATUS:186:unknown pkistatus CMP_R_UNSUPPORTED_ALGORITHM:136:unsupported algorithm CMP_R_UNSUPPORTED_KEY_TYPE:137:unsupported key type diff --git a/crypto/x509/v3_crld.c b/crypto/x509/v3_crld.c index e9f6e08e27a7cc..110c80ac01f445 100644 --- a/crypto/x509/v3_crld.c +++ b/crypto/x509/v3_crld.c @@ -327,6 +327,7 @@ ASN1_CHOICE_cb(DIST_POINT_NAME, dpn_cb) = { IMPLEMENT_ASN1_FUNCTIONS(DIST_POINT_NAME) +IMPLEMENT_ASN1_DUP_FUNCTION(DIST_POINT_NAME) ASN1_SEQUENCE(DIST_POINT) = { ASN1_EXP_OPT(DIST_POINT, distpoint, DIST_POINT_NAME, 0), diff --git a/crypto/x509/v3_genn.c b/crypto/x509/v3_genn.c index 1f67bf2f63ab87..c71e5b91116d23 100644 --- a/crypto/x509/v3_genn.c +++ b/crypto/x509/v3_genn.c 
@@ -58,6 +58,35 @@ GENERAL_NAME *GENERAL_NAME_dup(const GENERAL_NAME *a) (char *)a); } +int GENERAL_NAME_set1_X509_NAME(GENERAL_NAME **tgt, const X509_NAME *src) +{ + GENERAL_NAME *name; + + if (tgt == NULL){ + ERR_raise(ERR_LIB_X509V3, X509V3_R_INVALID_NULL_ARGUMENT); + return 0; + } + + if ((name = GENERAL_NAME_new()) == NULL) + return 0; + name->type = GEN_DIRNAME; + + if (src == NULL) { /* NULL-DN */ + if ((name->d.directoryName = X509_NAME_new()) == NULL) + goto err; + } else if (!X509_NAME_set(&name->d.directoryName, src)) { + goto err; + } + + GENERAL_NAME_free(*tgt); + *tgt = name; + return 1; + + err: + GENERAL_NAME_free(name); + return 0; +} + static int edipartyname_cmp(const EDIPARTYNAME *a, const EDIPARTYNAME *b) { int res; diff --git a/doc/build.info b/doc/build.info index b4815fcf23a795..2135c962d804c6 100644 --- a/doc/build.info +++ b/doc/build.info @@ -1471,6 +1471,10 @@ DEPEND[html/man3/EVP_whirlpool.html]=man3/EVP_whirlpool.pod GENERATE[html/man3/EVP_whirlpool.html]=man3/EVP_whirlpool.pod DEPEND[man/man3/EVP_whirlpool.3]=man3/EVP_whirlpool.pod GENERATE[man/man3/EVP_whirlpool.3]=man3/EVP_whirlpool.pod +DEPEND[html/man3/GENERAL_NAME.html]=man3/GENERAL_NAME.pod +GENERATE[html/man3/GENERAL_NAME.html]=man3/GENERAL_NAME.pod +DEPEND[man/man3/GENERAL_NAME.3]=man3/GENERAL_NAME.pod +GENERATE[man/man3/GENERAL_NAME.3]=man3/GENERAL_NAME.pod DEPEND[html/man3/HMAC.html]=man3/HMAC.pod GENERATE[html/man3/HMAC.html]=man3/HMAC.pod DEPEND[man/man3/HMAC.3]=man3/HMAC.pod @@ -3299,6 +3303,7 @@ html/man3/EVP_sha3_224.html \ html/man3/EVP_sm3.html \ html/man3/EVP_sm4_cbc.html \ html/man3/EVP_whirlpool.html \ +html/man3/GENERAL_NAME.html \ html/man3/HMAC.html \ html/man3/MD5.html \ html/man3/MDC2_Init.html \ @@ -3944,6 +3949,7 @@ man/man3/EVP_sha3_224.3 \ man/man3/EVP_sm3.3 \ man/man3/EVP_sm4_cbc.3 \ man/man3/EVP_whirlpool.3 \ +man/man3/GENERAL_NAME.3 \ man/man3/HMAC.3 \ man/man3/MD5.3 \ man/man3/MDC2_Init.3 \ 
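Review bot: Style nit in `GENERAL_NAME_set1_X509_NAME`: `if (tgt == NULL){` is missing the space before the brace used everywhere else in the function (`if (tgt == NULL) {`). The function is otherwise a faithful move of the former `GENERAL_NAME_create`, with the `ossl_assert` replaced by a proper `X509V3_R_INVALID_NULL_ARGUMENT` error, which is appropriate for a now-public API; a short header comment stating that `*tgt` is freed and replaced on success and untouched on failure (`/* Replace *tgt with a new GEN_DIRNAME name copied from src; NULL src yields an empty DN */`) would document the ownership rule that the `GENERAL_NAME_free(*tgt)` line implements.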
diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in index c222dd129e54d1..a458568c024944 100644 --- a/doc/man1/openssl-cmp.pod.in +++ b/doc/man1/openssl-cmp.pod.in @@ -74,6 +74,9 @@ Server authentication options: [B<-newwithnew> I] [B<-newwithold> I] [B<-oldwithnew> I] +[B<-crlcert> I] +[B<-oldcrl> I] +[B<-crlout> I] Client authentication and protection options: @@ -133,6 +136,7 @@ Mock server options: [B<-srv_untrusted> I|I] [B<-ref_cert> I|I] [B<-rsp_cert> I|I] +[B<-rsp_crl> I|I] [B<-rsp_extracerts> I|I] [B<-rsp_capubs> I|I] [B<-rsp_newwithnew> I|I] @@ -732,6 +736,21 @@ The file to save any oldWithNew certificate received in a genp message of infoType C. If on success no such cert was received, this is indicated by deleting the file. +=item B<-crlcert> I + +Certificate used for specifying a CRL issuer when requesting a CRL +in a genm message with infoType C. + +=item B<-oldcrl> I + +CRL used for specifying a CRL issuer when requesting a CRL +in a genm message with infoType C. + +=item B<-crlout> I + +The file to save CRL received in a genp message of infoType C. +If on success no such CRL was received, this is indicated by deleting the file. + =back =head2 Client authentication options @@ -865,7 +884,7 @@ See L for details. =item B<-otherpass> I Pass phrase source for certificate given with the B<-trusted>, B<-untrusted>, -B<-own_trusted>, B<-srvcert>, B<-out_trusted>, B<-extracerts>, +B<-own_trusted>, B<-srvcert>, B<-crlcert>, B<-out_trusted>, B<-extracerts>, B<-srv_trusted>, B<-srv_untrusted>, B<-ref_cert>, B<-rsp_cert>, B<-rsp_extracerts>, B<-rsp_capubs>, B<-rsp_newwithnew>, B<-rsp_newwithold>, B<-rsp_oldwithnew>, @@ -1112,6 +1131,10 @@ Certificate to be expected for RR messages and any oldCertID in KUR messages. Certificate to be returned as mock enrollment result. +=item B<-rsp_crl> I|I + +CRL to be returned in genp of type crls. + =item B<-rsp_extracerts> I|I Extra certificates to be included in mock certification responses. 
diff --git a/doc/man3/GENERAL_NAME.pod b/doc/man3/GENERAL_NAME.pod new file mode 100644 index 00000000000000..b8032669318617 --- /dev/null +++ b/doc/man3/GENERAL_NAME.pod @@ -0,0 +1,43 @@ +=pod + +=head1 NAME + +GENERAL_NAME, +GENERAL_NAME_set1_X509_NAME +- GENERAL_NAME method routines + +=head1 SYNOPSIS + + #include + + typedef struct GENERAL_NAME_st GENERAL_NAME; + + int GENERAL_NAME_set1_X509_NAME(GENERAL_NAME **tgt, const X509_NAME *src); + +=head1 DESCRIPTION + +GENERAL_NAME_set1_X509_NAME() creates a new GENERAL_NAME of type GEN_DIRNAME +and populates it based on provided X509_NAME I which can be NULL. +I must not be NULL. If successful, I<*tgt> will be set to point +to the newly created GENERAL_NAME. + +=head1 NOTES +=head1 RETURN VALUES + +GENERAL_NAME_set1_X509_NAME() return 1 on success, 0 on error. + +=head1 SEE ALSO +=head1 HISTORY + +GENERAL_NAME_set1_X509_NAME() was added in OpenSSL 3.3. + +=head1 COPYRIGHT + +Copyright 2007-2024 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the Apache License 2.0 (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L. + +=cut diff --git a/doc/man3/OSSL_CMP_ITAV_new_caCerts.pod b/doc/man3/OSSL_CMP_ITAV_new_caCerts.pod index 54c09972a75b4b..00b520840154be 100644 --- a/doc/man3/OSSL_CMP_ITAV_new_caCerts.pod +++ b/doc/man3/OSSL_CMP_ITAV_new_caCerts.pod @@ -8,8 +8,6 @@ OSSL_CMP_ITAV_new_rootCaCert, OSSL_CMP_ITAV_get0_rootCaCert, OSSL_CMP_ITAV_new_rootCaKeyUpdate, OSSL_CMP_ITAV_get0_rootCaKeyUpdate, -OSSL_CMP_ITAV_new0_certReqTemplate, -OSSL_CMP_ITAV_get1_certReqTemplate, OSSL_CMP_CRLSTATUS_new1, OSSL_CMP_CRLSTATUS_create, OSSL_CMP_CRLSTATUS_get0, 
@@ -25,6 +23,7 @@ OSSL_CMP_ITAV_get0_crls OSSL_CMP_ITAV *OSSL_CMP_ITAV_new_caCerts(const STACK_OF(X509) *caCerts); int OSSL_CMP_ITAV_get0_caCerts(const OSSL_CMP_ITAV *itav, STACK_OF(X509) **out); + OSSL_CMP_ITAV *OSSL_CMP_ITAV_new_rootCaCert(const X509 *rootCaCert); int OSSL_CMP_ITAV_get0_rootCaCert(const OSSL_CMP_ITAV *itav, X509 **out); OSSL_CMP_ITAV *OSSL_CMP_ITAV_new_rootCaKeyUpdate(const X509 *newWithNew, @@ -34,6 +33,7 @@ OSSL_CMP_ITAV_get0_crls X509 **newWithNew, X509 **newWithOld, X509 **oldWithNew); + OSSL_CMP_CRLSTATUS *OSSL_CMP_CRLSTATUS_new1(const DIST_POINT_NAME *dpn, const GENERAL_NAMES *issuer, const ASN1_TIME *thisUpdate); @@ -89,9 +89,10 @@ that contains either a copy of the distribution point name I or a copy of the certificate issuer I, while giving both is an error. If given, a copy of the CRL issuance time I is also included. -OSSL_CMP_CRLSTATUS_create() is a high-level variant of OSSL_CMP_CRLSTATUS_new1() -using data obtained from the I and/or I parameters. -The thisUpdate field is filled with the thisUpdate field of I if present. +OSSL_CMP_CRLSTATUS_create() is a high-level variant of OSSL_CMP_CRLSTATUS_new1(). +It fills the thisUpdate field with a copy of the thisUpdate field of I if present. +It fills the CRLSource field with a copy of the first data item found using the I +and/or I parameters as follows. The CRLSource field is filled with the first data item found in them as follows. Any available distribution point name is preferred over issuer names. Data from I, if present, is preferred over data from I. 
@@ -132,8 +133,8 @@ The pointer may be NULL if no CRL status data is included. It is an error if the infoType of I is not B. OSSL_CMP_ITAV_new_crls() creates a new B structure -of type B and fills it with a copy of the provided CRL. -The I argument may be NULL. +of type B including an empty list of CRLs if the I argument is NULL +or including a singleton list a with copy of the provided CRL otherwise. OSSL_CMP_ITAV_get0_crls() on success assigns to I<*out> an internal pointer to the list of CRLs contained in the infoValue field of I. @@ -168,6 +169,11 @@ OSSL_CMP_ITAV_new_rootCaCert(), OSSL_CMP_ITAV_get0_rootCaCert(), OSSL_CMP_ITAV_new_rootCaKeyUpdate(), and OSSL_CMP_ITAV_get0_rootCaKeyUpdate() were added in OpenSSL 3.2. +OSSL_CMP_CRLSTATUS_new1(), OSSL_CMP_CRLSTATUS_create(), +OSSL_CMP_CRLSTATUS_get0(), OSSL_CMP_ITAV_new0_crlStatusList(), +OSSL_CMP_ITAV_get0_crlStatusList(), OSSL_CMP_ITAV_new_crls() +and OSSL_CMP_ITAV_get0_crls() were added in OpenSSL 3.3. + =head1 COPYRIGHT Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man3/OSSL_CMP_exec_certreq.pod b/doc/man3/OSSL_CMP_exec_certreq.pod index 54632ce93697bc..0a09ae3881678b 100644 --- a/doc/man3/OSSL_CMP_exec_certreq.pod +++ b/doc/man3/OSSL_CMP_exec_certreq.pod @@ -15,7 +15,8 @@ OSSL_CMP_try_certreq, OSSL_CMP_exec_RR_ses, OSSL_CMP_exec_GENM_ses, OSSL_CMP_get1_caCerts, -OSSL_CMP_get1_rootCaKeyUpdate +OSSL_CMP_get1_rootCaKeyUpdate, +OSSL_CMP_get1_crlUpdate - functions implementing CMP client transactions =head1 SYNOPSIS @@ -41,6 +42,8 @@ OSSL_CMP_get1_rootCaKeyUpdate int OSSL_CMP_get1_rootCaKeyUpdate(OSSL_CMP_CTX *ctx, const X509 *oldWithOld, X509 **newWithNew, X509 **newWithOld, X509 **oldWithNew); + int OSSL_CMP_get1_crlUpdate(OSSL_CMP_CTX *ctx, const X509_CRL *last_crl, + X509_CRL **crl); =head1 DESCRIPTION 
@@ -157,6 +160,13 @@ The trust placed in it cannot be stronger than the trust placed in the I certificate if present, otherwise it cannot be stronger than the weakest trust in any of the certificates in the trust store of I. +OSSL_CMP_get1_crlUpdate() uses a genm request message with infoType crlStatusList +to obtain CRL from the CMP server referenced by I in a genp response message +with infoType crls. It uses oldcert referenced by I and I to create +request. On success it assigns to I<*crl> the CRL received. +NULL means that no CRL was provided by the server. +The CRL obtained this way must be freed by the caller. + =head1 NOTES CMP is defined in RFC 4210 (and CRMF in RFC 4211). @@ -193,7 +203,7 @@ and the output parameter I has been used to assign the received value unless I is NULL. OSSL_CMP_exec_RR_ses(), OSSL_CMP_get1_caCerts(), -and OSSL_CMP_get1_rootCaKeyUpdate() +OSSL_CMP_get1_rootCaKeyUpdate() and OSSL_CMP_get1_crlUpdate() return 1 on success, 0 on error. OSSL_CMP_exec_GENM_ses() returns NULL on error, @@ -220,8 +230,8 @@ The OpenSSL CMP support was added in OpenSSL 3.0. OSSL_CMP_get1_caCerts() and OSSL_CMP_get1_rootCaKeyUpdate() were added in OpenSSL 3.2. -Support for delayed delivery of all types of response messages -was added in OpenSSL 3.3. +OSSL_CMP_get1_crlUpdate() and support for delayed delivery +of all types of response messages was added in OpenSSL 3.3. =head1 COPYRIGHT diff --git a/doc/man3/X509_dup.pod b/doc/man3/X509_dup.pod index c6206e1759093f..2c9758522e158d 100644 --- a/doc/man3/X509_dup.pod +++ b/doc/man3/X509_dup.pod @@ -44,6 +44,7 @@ DISPLAYTEXT_free, DISPLAYTEXT_new, DIST_POINT_NAME_free, DIST_POINT_NAME_new, +DIST_POINT_NAME_dup, DIST_POINT_free, DIST_POINT_new, DSAparams_dup, @@ -132,6 +133,7 @@ OCSP_SIGNATURE_free, OCSP_SIGNATURE_new, OCSP_SINGLERESP_free, OCSP_SINGLERESP_new, +OSSL_CMP_CRLSTATUS_free, OSSL_CMP_ITAV_dup, OSSL_CMP_ITAV_free, OSSL_CMP_MSG_dup, 
diff --git a/include/openssl/cmp.h.in b/include/openssl/cmp.h.in index 7ac67bd018d5e2..99a2f29d12b705 100644 --- a/include/openssl/cmp.h.in +++ b/include/openssl/cmp.h.in @@ -32,9 +32,6 @@ use OpenSSL::stackhash qw(generate_stack_macros); # include # include -/* TODO move to x509v3.h.in and use also for OCSP, ESS, etc. */ -int GENERAL_NAME_create(GENERAL_NAME **tgt, const X509_NAME *src); - # ifdef __cplusplus extern "C" { # endif @@ -591,7 +588,8 @@ int OSSL_CMP_get1_caCerts(OSSL_CMP_CTX *ctx, STACK_OF(X509) **out); int OSSL_CMP_get1_rootCaKeyUpdate(OSSL_CMP_CTX *ctx, const X509 *oldWithOld, X509 **newWithNew, X509 **newWithOld, X509 **oldWithNew); -int OSSL_CMP_get1_crlUpdate(OSSL_CMP_CTX *ctx, const X509_CRL *last_crl, +int OSSL_CMP_get1_crlUpdate(OSSL_CMP_CTX *ctx, const X509 *crlcert, + const X509_CRL *last_crl, X509_CRL **crl); # ifdef __cplusplus diff --git a/include/openssl/cmperr.h b/include/openssl/cmperr.h index b509a5a49e8182..ae10f6edb272e3 100644 --- a/include/openssl/cmperr.h +++ b/include/openssl/cmperr.h @@ -102,6 +102,7 @@ # define CMP_R_TRANSFER_ERROR 159 # define CMP_R_UNCLEAN_CTX 191 # define CMP_R_UNEXPECTED_CERTPROFILE 196 +# define CMP_R_UNEXPECTED_CRLSTATUSLIST 201 # define CMP_R_UNEXPECTED_PKIBODY 133 # define CMP_R_UNEXPECTED_PKISTATUS 185 # define CMP_R_UNEXPECTED_POLLREQ 105 @@ -109,6 +110,7 @@ # define CMP_R_UNEXPECTED_SENDER 197 # define CMP_R_UNKNOWN_ALGORITHM_ID 134 # define CMP_R_UNKNOWN_CERT_TYPE 135 +# define CMP_R_UNKNOWN_CRL_ISSUER 200 # define CMP_R_UNKNOWN_PKISTATUS 186 # define CMP_R_UNSUPPORTED_ALGORITHM 136 # define CMP_R_UNSUPPORTED_KEY_TYPE 137 diff --git a/include/openssl/x509v3.h.in b/include/openssl/x509v3.h.in index 569680378dfd03..e49dcfa6140796 100644 --- a/include/openssl/x509v3.h.in +++ b/include/openssl/x509v3.h.in 
@@ -178,6 +178,8 @@ typedef struct ACCESS_DESCRIPTION_st {
 GENERAL_NAME *location;
 } ACCESS_DESCRIPTION;
+int GENERAL_NAME_set1_X509_NAME(GENERAL_NAME **tgt, const X509_NAME *src);
+
 {- generate_stack_macros("ACCESS_DESCRIPTION") .generate_stack_macros("GENERAL_NAME");
@@ -201,6 +203,7 @@ typedef struct DIST_POINT_NAME_st {
 /* If relativename then this contains the full distribution point name */
 X509_NAME *dpname;
 } DIST_POINT_NAME;
+DECLARE_ASN1_DUP_FUNCTION(DIST_POINT_NAME)
 /* All existing reasons */
 # define CRLDP_ALL_REASONS 0x807f
diff --git a/test/recipes/80-test_cmp_http_data/Mock/crl.pem b/test/recipes/80-test_cmp_http_data/Mock/crl.pem
deleted file mode 100644
index 2645c087c2e961..00000000000000
--- a/test/recipes/80-test_cmp_http_data/Mock/crl.pem
+++ /dev/null
@@ -1,12 +0,0 @@
------BEGIN X509 CRL-----
-MIIBvDCBpQIBATANBgkqhkiG9w0BAQsFADBBMQswCQYDVQQGEwJERTEKMAgGA1UE
-CgwBVDEMMAoGA1UECwwDQ1NUMRgwFgYDVQQDDA9JbnRlcm1lZGlhdGUtQ0EXDTI0
-MDIyMTEzMzI1M1oXDTI0MDMyMjEzMzI1M1qgMDAuMB8GA1UdIwQYMBaAFBDZZKAn
-y+b1L603J/y1BOJ02UqAMAsGA1UdFAQEAgIQADANBgkqhkiG9w0BAQsFAAOCAQEA
-Jll0byISsqxLXZEIKUhzP+li/iuwERTP/8YpAI99aKOZdlFALlIrSeEPV1cf00we
-FGtFdkRYLIomnv5pMln+54SvA3QZ0dIUHflkFGcBnpCvQT9cFo6LyH9cYhzWBEG9
-bSswnPYjA12wNQGg5ZthAlxq7RdxAWtILm1sfxQGKxZ0xkMV+kFA4+DykwXZ28DH
-XD/lR9XmlZiQFDdVtQ5X4wresOoai3ISjLriq9CjtJPjNlXwNtz++olMFficyDgM
-Qhz9j+2ybXITf1EQeccO5u1oBxo3neFV/IqWHOUXPUUFffEX3LAc4wm6hovJzQuj
-C8Tq5E61cKTCpXRfptp7gg==
------END X509 CRL-----
diff --git a/test/recipes/80-test_cmp_http_data/Mock/newcrl.pem b/test/recipes/80-test_cmp_http_data/Mock/newcrl.pem
new file mode 100644
index 00000000000000..101d7cd67c5184
--- /dev/null
+++ b/test/recipes/80-test_cmp_http_data/Mock/newcrl.pem
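Review bot: `GENERAL_NAME_set1_X509_NAME()` becomes a public libcrypto symbol in this commit (util/libcrypto.num lists it without the CMP qualifier that the removed GENERAL_NAME_create() had), yet none of the documentation changes on this page describe it, and the TODO comment that accompanied the old declaration in cmp.h.in is dropped without replacement. A public declaration of this shape should state its ownership contract: whether a non-NULL `*tgt` is reused or replaced, and that `src` is copied rather than adopted, as the `set1` suffix implies. The implementation is not in this chunk, so I cannot propose exact wording; suggest adding the function to the relevant man3 page alongside DIST_POINT_NAME_dup, which this commit does document in X509_dup.pod.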
@@ -0,0 +1,12 @@
+-----BEGIN X509 CRL-----
+MIIBtDCBnQIBATANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJBVTETMBEGA1UE
+CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk
+MRMwEQYDVQQDEwpzdWJpbnRlckNBFw0yNDAyMjMxNTQ3NTFaFw0zNzA5MTIxNTQ3
+NTFaoA8wDTALBgNVHRQEBAICEAcwDQYJKoZIhvcNAQELBQADggEBAFyUvxWlxjLA
+DjTq/N26EXH6GZxmDyr5tjPk1KQBRY/jPNWvxloXFIH7PAtzInJmEoF2PCDw290Z
+BRuftPaxVW1tcHAsZzL5QFSGa2wWSLGCHpZCg9twcLQbGrOq7+S2M2ZjOVxSMN1u
+ok/QLhuqniPieOUetzafqUNknYJahILnomLhPoQBzko9EdtBJkygOGdj/3T07iLy
+hicW0QlBA5B9oCIUmknnx4kCh6VlsSq9FJTs2HXZhJHF0VVFbAlbjHMFkwjTh31r
+Bc8u1D35T0kqwbTbVmtPghdpW2uJ+9LsWXdrlTGGlRJXA+3d13hKlFMFcQEavf4h
+wVlABZ6eEPo=
+-----END X509 CRL-----
diff --git a/test/recipes/80-test_cmp_http_data/Mock/oldcrl.pem b/test/recipes/80-test_cmp_http_data/Mock/oldcrl.pem
new file mode 100644
index 00000000000000..f596289d1db6f5
--- /dev/null
+++ b/test/recipes/80-test_cmp_http_data/Mock/oldcrl.pem
@@ -0,0 +1,12 @@
+-----BEGIN X509 CRL-----
+MIIBtDCBnQIBATANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJBVTETMBEGA1UE
+CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk
+MRMwEQYDVQQDEwpzdWJpbnRlckNBFw0yNDAyMjMxNTQ3MzhaFw0zNDEyMTcxNTQ3
+MzhaoA8wDTALBgNVHRQEBAICEAYwDQYJKoZIhvcNAQELBQADggEBANfH339j7LXB
+9X+Vpk1xjTSRwoIQ7C/LZbOJ4tiVaNsBd+3rlOgJEnYPuB883ylAy3TOPn9taMXe
+kmPebHC4WDhESNbwm8kdFNz6Ghvvn4TuDcSgWV8xxtw5AHVfnCs8801KI8pcn7K6
+MwGdJ7CPvB38SFn5ssKQueLySRfL+bRWXpgB79hjFE7J1ukaUr2xg3q4YFQwexld
+xuaIR0AiFyTVKWTWLEdAKRzPiYTmx1ZMyYEdwh17l6nWh/UgfUEqmK9ub2Mqh20h
+g7/Nwf0iaQS7bui7DgzkW76dbXcmAmTkU8VLznOLIheus8uj6Kl2TewO5PvjVGeu
+Fgt7CED5epw=
+-----END X509 CRL-----
diff --git a/test/recipes/80-test_cmp_http_data/Mock/server.cnf b/test/recipes/80-test_cmp_http_data/Mock/server.cnf
index e35277c54fc156..86a11f6a368297 100644
--- a/test/recipes/80-test_cmp_http_data/Mock/server.cnf
+++ b/test/recipes/80-test_cmp_http_data/Mock/server.cnf
@@ -12,7 +12,7 @@ no_cache_extracerts = 1
 ref_cert = signer_only.crt
 rsp_cert = signer_only.crt
-rsp_crl = crl.pem
+rsp_crl = newcrl.pem
 rsp_capubs = trusted.crt
 rsp_extracerts = signer_issuing.crt
diff --git a/test/recipes/80-test_cmp_http_data/test_commands.csv b/test/recipes/80-test_cmp_http_data/test_commands.csv
index 554f29cc29248b..dae2a9d6e04cc7 100644
--- a/test/recipes/80-test_cmp_http_data/test_commands.csv
+++ b/test/recipes/80-test_cmp_http_data/test_commands.csv
@@ -86,6 +86,15 @@ expected,description, -section,val, -cmd,val,val2, -cacertsout,val,val2, -infoty
 0,genm rootCaCert newwithold missig arg , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,, -oldwithold, oldWithOld.pem, -newwithnew, _RESULT_DIR/test.newwithnew.pem, -oldwithnew, _RESULT_DIR/test.oldwithnew.pem, -newwithold,,
 1,genm rootCaCert newwithnew newwithold , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,, -oldwithold, oldWithOld.pem, -newwithnew, _RESULT_DIR/test.newwithnew3.pem, -newwithold, _RESULT_DIR/test.newwithold2.pem
 ,,,,,,,,,,,,,,,,,,,,,,
+1,genm crlStatusList with crlcert , -section,, -cmd,genm,, BLANK,,, -infotype,crlStatusList,, -crlcert, signer_only.crt,,,,, -crlout, _RESULT_DIR/test.crlout1.pem
+1,genm crlStatusList with old crl , -section,, -cmd,genm,, BLANK,,, -infotype,crlStatusList,, -oldcrl, oldcrl.pem,,,,, -crlout, _RESULT_DIR/test.crlout2.pem
+1,genm crlStatusList with crlcert and old crl , -section,, -cmd,genm,, BLANK,,, -infotype,crlStatusList,, -crlcert, signer_only.crt, -oldcrl, oldcrl.pem,,, -crlout, _RESULT_DIR/test.crlout3.pem
+1,genm crlStatusList with latest crl , -section,, -cmd,genm,, BLANK,,, -infotype,crlStatusList,, -oldcrl, _RESULT_DIR/test.crlout3.pem,,,,, -crlout, _RESULT_DIR/test.crlout4.pem
+0,genm crlStatusList with -oldcrl nonexistent, -section,, -cmd,genm,, BLANK,,, -infotype,crlStatusList,, -oldcrl, _RESULT_DIR/test.crlout4.pem,,,,, -crlout, _RESULT_DIR/test.crlout.pem
+0,genm crlStatusList with -crlcert nonexistent, -section,, -cmd,genm,, BLANK,,, -infotype,crlStatusList,, -crlcert, idontexist,,,,, -crlout, _RESULT_DIR/test.crlout.pem
+0,genm crlStatusList with wrong issuer, -section,, -cmd,genm,, BLANK,,, -infotype,crlStatusList,, -crlcert, server.crt,,,,, -crlout, _RESULT_DIR/test.crlout.pem
+0,genm crlStatusList missing -crlcert & -oldcrl, -section,, -cmd,genm,, BLANK,,, -infotype,crlStatusList,,,,,,,, -crlout, _RESULT_DIR/test.crlout.pem
+,,,,,,,,,,,,,,,,,,,,,,
 1,profile, -section,, -cmd,cr,, -cert,signer.crt, -key,signer.p12, -keypass,pass:12345,BLANK,, -profile,profile1,BLANK,,BLANK,
 0,profile wrong value, -section,, -cmd,cr,, -cert,signer.crt, -key,signer.p12, -keypass,pass:12345,BLANK,, -profile,profile2,BLANK,,BLANK,
 0,profile missing argument, -section,, -cmd,cr,, -cert,signer.crt, -key,signer.p12, -keypass,pass:12345,BLANK,, -profile,,,,,
diff --git a/util/libcrypto.num b/util/libcrypto.num
index ce3cd0faa83ae4..6a325470318e59 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -5546,13 +5546,14 @@ ERR_pop ? 3_3_0 EXIST::FUNCTION:
 X509_STORE_get1_objects ? 3_3_0 EXIST::FUNCTION:
 OPENSSL_LH_set_thunks ? 3_3_0 EXIST::FUNCTION:
 OPENSSL_LH_doall_arg_thunk ? 3_3_0 EXIST::FUNCTION:
-GENERAL_NAME_create ? 3_3_0 EXIST::FUNCTION:CMP
+DIST_POINT_NAME_dup ? 3_3_0 EXIST::FUNCTION:
+GENERAL_NAME_set1_X509_NAME ? 3_3_0 EXIST::FUNCTION:
 OSSL_CMP_CRLSTATUS_create ? 3_3_0 EXIST::FUNCTION:CMP
-OSSL_CMP_CRLSTATUS_new1 ? 3_3_0 EXIST::FUNCTION:CMP
-OSSL_CMP_CRLSTATUS_get0 ? 3_3_0 EXIST::FUNCTION:CMP
 OSSL_CMP_CRLSTATUS_free ? 3_3_0 EXIST::FUNCTION:CMP
-OSSL_CMP_ITAV_new0_crlStatusList ? 3_3_0 EXIST::FUNCTION:CMP
+OSSL_CMP_CRLSTATUS_get0 ? 3_3_0 EXIST::FUNCTION:CMP
+OSSL_CMP_CRLSTATUS_new1 ? 3_3_0 EXIST::FUNCTION:CMP
 OSSL_CMP_ITAV_get0_crlStatusList ? 3_3_0 EXIST::FUNCTION:CMP
 OSSL_CMP_ITAV_get0_crls ? 3_3_0 EXIST::FUNCTION:CMP
-OSSL_CMP_get1_crlUpdate ? 3_3_0 EXIST::FUNCTION:CMP
+OSSL_CMP_ITAV_new0_crlStatusList ? 3_3_0 EXIST::FUNCTION:CMP
 OSSL_CMP_ITAV_new_crls ? 3_3_0 EXIST::FUNCTION:CMP
+OSSL_CMP_get1_crlUpdate ? 3_3_0 EXIST::FUNCTION:CMP
diff --git a/util/other.syms b/util/other.syms
index b45ba45bb58719..5e164a76acb229 100644
--- a/util/other.syms
+++ b/util/other.syms
@@ -53,6 +53,7 @@ EVP_RAND datatype
 EVP_RAND_CTX datatype
 EVP_SIGNATURE datatype
 GEN_SESSION_CB datatype
+GENERAL_NAME datatype
 NAMING_AUTHORITY datatype
 OPENSSL_Applink external
 OSSL_ALGORITHM datatype
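Review bot: The row `genm crlStatusList with -oldcrl nonexistent` passes `_RESULT_DIR/test.crlout4.pem`, which is the `-crlout` target of the preceding row `genm crlStatusList with latest crl`, so it is "nonexistent" only if that row has already run and left no file behind — presumably because the mock server reports the CRL as current and the client then writes nothing. The expected-0 result therefore depends on an earlier row's side effect rather than on a genuinely missing input, and would silently change meaning if the `latest crl` row ever started writing its output. Use a name that can never exist, as the `-crlcert nonexistent` row already does: `-oldcrl, idontexist,,,,,`. The `latest crl` row's use of `_RESULT_DIR/test.crlout3.pem` produced by the row before it is a second ordering dependency; it is fine if the harness runs rows sequentially, but the description could say so.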