add Indirect POPO in certreqmsg

siemens · Jun 7, 2024 · f32090c · f32090c
1 parent 1ea3fd1
commit f32090c
Show file tree

Hide file tree

Showing 4 changed files with 59 additions and 5 deletions.
diff --git a/crypto/crmf/crmf_err.c b/crypto/crmf/crmf_err.c
@@ -1,6 +1,6 @@
 /*
  * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -38,6 +38,8 @@ static const ERR_STRING_DATA CRMF_str_reasons[] = {
     {ERR_PACK(ERR_LIB_CRMF, 0, CRMF_R_POPO_INCONSISTENT_PUBLIC_KEY),
     "popo inconsistent public key"},
     {ERR_PACK(ERR_LIB_CRMF, 0, CRMF_R_POPO_MISSING), "popo missing"},
+    {ERR_PACK(ERR_LIB_CRMF, 0, CRMF_R_POPO_MISSING_KEYENCIPHERMENT),
+    "popo missing keyencipherment"},
     {ERR_PACK(ERR_LIB_CRMF, 0, CRMF_R_POPO_MISSING_PUBLIC_KEY),
     "popo missing public key"},
     {ERR_PACK(ERR_LIB_CRMF, 0, CRMF_R_POPO_MISSING_SUBJECT),

diff --git a/crypto/crmf/crmf_lib.c b/crypto/crmf/crmf_lib.c
@@ -528,12 +528,24 @@ int OSSL_CRMF_MSGS_verify_popo(const OSSL_CRMF_MSGS *reqs,
             return 0;
         break;
     case OSSL_CRMF_POPO_KEYENC:
+    {
         /*
          * When OSSL_CMP_certrep_new() supports encrypted certs,
          * should return 1 if the type of req->popo->value.keyEncipherment
          * is OSSL_CRMF_POPOPRIVKEY_SUBSEQUENTMESSAGE and
          * its value.subsequentMessage == OSSL_CRMF_SUBSEQUENTMESSAGE_ENCRCERT
          */
+        OSSL_CRMF_POPOPRIVKEY *keyEnc = req->popo->value.keyEncipherment;
+        if (keyEnc == NULL) {
+            ERR_raise(ERR_LIB_CRMF, CRMF_R_POPO_MISSING_KEYENCIPHERMENT);
+            return 0;
+        } 
+        if( keyEnc->type == OSSL_CRMF_POPOPRIVKEY_SUBSEQUENTMESSAGE
+                && keyEnc->value.subsequentMessage != NULL
+                && ASN1_INTEGER_get(keyEnc->value.subsequentMessage) == OSSL_CRMF_SUBSEQUENTMESSAGE_ENCRCERT)
+            return 1;
+    }
+        /* fall through */
     case OSSL_CRMF_POPO_KEYAGREE:
     default:
         ERR_raise(ERR_LIB_CRMF, CRMF_R_UNSUPPORTED_POPO_METHOD);
@@ -711,3 +723,41 @@ X509
     OPENSSL_free(iv);
     return cert;
 }
+
+/*-
+ * Decrypts the certificate in the given encryptedKey using private key pkey.
+ * This is needed for the indirect PoP method as in RFC 4210 section 5.2.8.2.
+ *
+ * returns a pointer to the decrypted certificate
+ * returns NULL on error or if no certificate available
+ */
+X509
+*OSSL_CRMF_ENCRYPTEDKEY_get1_encCert(const OSSL_CRMF_ENCRYPTEDKEY *ecert,
+                                     OSSL_LIB_CTX *libctx, const char *propq,
+                                     EVP_PKEY *pkey, unsigned int flags)
+{
+#ifndef OPENSSL_NO_CMS
+    BIO *bio;
+    X509 *cert = NULL;
+#endif
+
+    if (ecert->type != OSSL_CRMF_ENCRYPTEDKEY_ENVELOPEDDATA)
+        return OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(ecert->value.encryptedValue,
+                                                     libctx, propq, pkey);
+#ifndef OPENSSL_NO_CMS
+    bio = CMS_EnvelopedData_decrypt(ecert->value.envelopedData, NULL,
+                                    pkey, NULL /* cert */, NULL, flags,
+                                    libctx, propq);
+    if (bio == NULL)
+        return NULL;
+    cert = d2i_X509_bio(bio, NULL);
+    if (cert == NULL)
+        ERR_raise(ERR_LIB_CRMF, CRMF_R_ERROR_DECODING_CERTIFICATE);
+    BIO_free(bio);
+    return cert;
+#else
+    (void)flags; /* prevent warning on unused parameter */
+    ERR_raise(ERR_LIB_CRMF, CRMF_R_CMS_NOT_SUPPORTED);
+    return NULL;
+#endif /* OPENSSL_NO_CMS */
+}
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
@@ -1,4 +1,4 @@
-# Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 1999-2024 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the Apache License 2.0 (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@@ -220,6 +220,7 @@ CMP_R_ERROR_CREATING_POLLREP:123:error creating pollrep
 CMP_R_ERROR_CREATING_POLLREQ:124:error creating pollreq
 CMP_R_ERROR_CREATING_RP:125:error creating rp
 CMP_R_ERROR_CREATING_RR:126:error creating rr
+CMP_R_ERROR_DERIVING_KBM_SSK:198:error deriving ssk
 CMP_R_ERROR_PARSING_PKISTATUS:107:error parsing pkistatus
 CMP_R_ERROR_PROCESSING_MESSAGE:158:error processing message
 CMP_R_ERROR_PROTECTING_MESSAGE:127:error protecting message
@@ -228,7 +229,6 @@ CMP_R_ERROR_UNEXPECTED_CERTCONF:160:error unexpected certconf
 CMP_R_ERROR_VALIDATING_PROTECTION:140:error validating protection
 CMP_R_ERROR_VALIDATING_SIGNATURE:171:error validating signature
 CMP_R_EXPECTED_POLLREQ:104:expected pollreq
-CMP_R_ERROR_DERIVING_KBM_SSK:198:error deriving ssk
 CMP_R_FAILED_BUILDING_OWN_CHAIN:164:failed building own chain
 CMP_R_FAILED_EXTRACTING_PUBKEY:141:failed extracting pubkey
 CMP_R_FAILURE_OBTAINING_RANDOM:110:failure obtaining random
@@ -292,8 +292,8 @@ CMP_R_VALUE_TOO_SMALL:177:value too small
 CMP_R_WRONG_ALGORITHM_OID:138:wrong algorithm oid
 CMP_R_WRONG_CERTID:189:wrong certid
 CMP_R_WRONG_CERTID_IN_RP:187:wrong certid in rp
-CMP_R_WRONG_PBM_VALUE:155:wrong pbm value
 CMP_R_WRONG_KBM_VALUE:197:wrong kbm value
+CMP_R_WRONG_PBM_VALUE:155:wrong pbm value
 CMP_R_WRONG_RP_COMPONENT_COUNT:188:wrong rp component count
 CMP_R_WRONG_SERIAL_IN_RP:173:wrong serial in rp
 CMS_R_ADD_SIGNER_ERROR:99:add signer error
@@ -453,6 +453,7 @@ CRMF_R_NULL_ARGUMENT:109:null argument
 CRMF_R_POPOSKINPUT_NOT_SUPPORTED:113:poposkinput not supported
 CRMF_R_POPO_INCONSISTENT_PUBLIC_KEY:117:popo inconsistent public key
 CRMF_R_POPO_MISSING:121:popo missing
+CRMF_R_POPO_MISSING_KEYENCIPHERMENT:122:popo missing keyencipherment
 CRMF_R_POPO_MISSING_PUBLIC_KEY:118:popo missing public key
 CRMF_R_POPO_MISSING_SUBJECT:119:popo missing subject
 CRMF_R_POPO_RAVERIFIED_NOT_ACCEPTED:120:popo raverified not accepted

diff --git a/include/openssl/crmferr.h b/include/openssl/crmferr.h
@@ -1,6 +1,6 @@
 /*
  * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -36,6 +36,7 @@
 #  define CRMF_R_POPOSKINPUT_NOT_SUPPORTED                 113
 #  define CRMF_R_POPO_INCONSISTENT_PUBLIC_KEY              117
 #  define CRMF_R_POPO_MISSING                              121
+#  define CRMF_R_POPO_MISSING_KEYENCIPHERMENT              122
 #  define CRMF_R_POPO_MISSING_PUBLIC_KEY                   118
 #  define CRMF_R_POPO_MISSING_SUBJECT                      119
 #  define CRMF_R_POPO_RAVERIFIED_NOT_ACCEPTED              120