From f45e5c6f57f54283ccc4bdbb696b2fbbf9b9b57f Mon Sep 17 00:00:00 2001 From: Rajeev Ranjan Date: Fri, 17 May 2024 00:30:56 +0200 Subject: [PATCH] fixup! CMP: add support for requesting cert template using genm/genp --- apps/cmp.c | 2 +- apps/lib/cmp_mock_srv.c | 18 +++++++++++------- crypto/cmp/cmp_asn.c | 2 +- doc/man3/OSSL_CMP_ATAV_set0.pod | 2 +- .../80-test_cmp_http_data/test_commands.csv | 1 + 5 files changed, 15 insertions(+), 10 deletions(-) diff --git a/apps/cmp.c b/apps/cmp.c index 78a2d5c7e821f6..067aa26f71b2fa 100644 --- a/apps/cmp.c +++ b/apps/cmp.c @@ -3276,7 +3276,7 @@ static void print_keyspec(OSSL_CMP_ATAVS *keySpec) } break; case NID_id_regCtrl_rsaKeyLen: - BIO_printf(mem, "Key algorithm: RSA %d \n", + BIO_printf(mem, "Key algorithm: RSA %d\n", OSSL_CMP_ATAV_get_rsaKeyLen(atav)); break; default: diff --git a/apps/lib/cmp_mock_srv.c b/apps/lib/cmp_mock_srv.c index c3ce137ad10eac..2b3522a0250097 100644 --- a/apps/lib/cmp_mock_srv.c +++ b/apps/lib/cmp_mock_srv.c @@ -495,6 +495,8 @@ static OSSL_CMP_ITAV *process_genm_itav(mock_srv_ctx *ctx, int req_nid, OSSL_CRMF_CERTTEMPLATE *reqtemp; OSSL_CMP_ATAVS *keyspec = NULL; X509_ALGOR *keyalg = NULL; + OSSL_CMP_ATAV *rsakeylen, *eckeyalg; + int ok = 0; if ((reqtemp = OSSL_CRMF_CERTTEMPLATE_new()) == NULL) return NULL; @@ -504,18 +506,21 @@ static OSSL_CMP_ITAV *process_genm_itav(mock_srv_ctx *ctx, int req_nid, NULL)) goto crt_err; - if ((keyspec = OSSL_CMP_ATAVS_new()) == NULL) - goto crt_err; - if ((keyalg = X509_ALGOR_new()) == NULL) goto crt_err; (void)X509_ALGOR_set0(keyalg, OBJ_nid2obj(NID_X9_62_id_ecPublicKey), V_ASN1_UNDEF, NULL); /* cannot fail */ - if (!sk_OSSL_CMP_ATAV_push(keyspec, OSSL_CMP_ATAV_new_algId(keyalg)) - || !sk_OSSL_CMP_ATAV_push(keyspec, - OSSL_CMP_ATAV_new_rsaKeyLen(4096))) + eckeyalg = OSSL_CMP_ATAV_new_algId(keyalg); + rsakeylen = OSSL_CMP_ATAV_new_rsaKeyLen(4096); + ok = (OSSL_CMP_ATAV_push1(&keyspec, eckeyalg) + && OSSL_CMP_ATAV_push1(&keyspec, rsakeylen)); + OSSL_CMP_ATAV_free(eckeyalg); + OSSL_CMP_ATAV_free(rsakeylen); + X509_ALGOR_free(keyalg); + + if (!ok) goto crt_err; rsp = OSSL_CMP_ITAV_new0_certReqTemplate(reqtemp, keyspec); @@ -524,7 +529,6 @@ static OSSL_CMP_ITAV *process_genm_itav(mock_srv_ctx *ctx, int req_nid, crt_err: OSSL_CRMF_CERTTEMPLATE_free(reqtemp); OSSL_CMP_ATAVS_free(keyspec); - X509_ALGOR_free(keyalg); return NULL; } break; diff --git a/crypto/cmp/cmp_asn.c b/crypto/cmp/cmp_asn.c index c8d6719b1c7906..4174f51a24401b 100644 --- a/crypto/cmp/cmp_asn.c +++ b/crypto/cmp/cmp_asn.c @@ -546,7 +546,7 @@ int OSSL_CMP_ATAV_get_rsaKeyLen(const OSSL_CMP_ATAV *atav) if (atav == NULL || OBJ_obj2nid(atav->type) != NID_id_regCtrl_rsaKeyLen || !ASN1_INTEGER_get_int64(&val, atav->value.rsaKeyLen)) return -1; - if (val <= 0) + if (val <= 0 || val > INT_MAX) return -2; return (int)val; } diff --git a/doc/man3/OSSL_CMP_ATAV_set0.pod b/doc/man3/OSSL_CMP_ATAV_set0.pod index 905c93b9c69e67..8ab11df260cc20 100644 --- a/doc/man3/OSSL_CMP_ATAV_set0.pod +++ b/doc/man3/OSSL_CMP_ATAV_set0.pod @@ -71,7 +71,7 @@ B and fills it in with the given I, which must be positive. OSSL_CMP_ATAV_get_rsaKeyLen() returns the RSA key length in rsaKeyLen infoValue in the I, -1 if I is NULL or does not contain an rsaKeyLen or cannot be parsed, -or -2 if the value is less than 1. +or -2 if the value is less than 1 or is greater than INT_MAX. OSSL_CMP_ATAV_push1() pushes a copy of I to the stack of B pointed to by I<*sk_p>. It creates a new stack if I<*sk_p> points to NULL. diff --git a/test/recipes/80-test_cmp_http_data/test_commands.csv b/test/recipes/80-test_cmp_http_data/test_commands.csv index 460e80b940922a..65e23210fe4297 100644 --- a/test/recipes/80-test_cmp_http_data/test_commands.csv +++ b/test/recipes/80-test_cmp_http_data/test_commands.csv @@ -98,6 +98,7 @@ expected,description, -section,val, -cmd,val,val2, -cacertsout,val,val2, -infoty ,,,,,,,,,,,,,,,,,,,,,, 1,genm certReqTemplate, -section,, -cmd,genm,, -template,_RESULT_DIR/test.template.der, -keyspec,_RESULT_DIR/test.keyspec.der, -infotype,certReqTemplate,,BLANK,,BLANK,,BLANK,,, -expect_sender, """" 0,genm certReqTemplate missing template option, -section,, -cmd,genm,, -template,"""",, -infotype,certReqTemplate,,BLANK,,BLANK, +0,genm certReqTemplate without template option, -section,, -cmd,genm,,,, -keyspec,_RESULT_DIR/test.keyspec.der, -infotype,certReqTemplate,,BLANK,,BLANK, 1,genm certReqTemplate without optional keyspec option, -section,, -cmd,genm,, -template,_RESULT_DIR/test.template.der, -keyspec,"""",, -infotype,certReqTemplate,,BLANK,,BLANK, 0,genm certReqTemplate missing template arg , -section,, -cmd,genm,, -template,BLANK, -keyspec,_RESULT_DIR/test.keyspec.der, -infotype,certReqTemplate,,BLANK,,BLANK, 0,genm certReqTemplate template extra arg , -section,, -cmd,genm,, -template,_RESULT_DIR/test.template.der,_RESULT_DIR/test.template.der, -infotype,certReqTemplate,,BLANK,,BLANK,