diff --git a/apps/cmp.c b/apps/cmp.c index f1c60254e08f88..66356baefae9b0 100644 --- a/apps/cmp.c +++ b/apps/cmp.c @@ -200,6 +200,8 @@ static char *opt_srv_trusted = NULL; static char *opt_srv_untrusted = NULL; static char *opt_ref_cert = NULL; static char *opt_rsp_cert = NULL; +static char *opt_rsp_cert_key = NULL; +static char *opt_rsp_keypass = NULL; static char *opt_rsp_crl = NULL; static char *opt_rsp_extracerts = NULL; static char *opt_rsp_capubs = NULL; @@ -284,7 +286,8 @@ typedef enum OPTION_choice { OPT_SRV_REF, OPT_SRV_SECRET, OPT_SRV_CERT, OPT_SRV_KEY, OPT_SRV_KEYPASS, OPT_SRV_TRUSTED, OPT_SRV_UNTRUSTED, - OPT_REF_CERT, OPT_RSP_CERT, OPT_RSP_CRL, OPT_RSP_EXTRACERTS, OPT_RSP_CAPUBS, + OPT_REF_CERT, OPT_RSP_CERT, OPT_RSP_CERT_KEY, OPT_RSP_KEYPASS, + OPT_RSP_CRL, OPT_RSP_EXTRACERTS, OPT_RSP_CAPUBS, OPT_RSP_NEWWITHNEW, OPT_RSP_NEWWITHOLD, OPT_RSP_OLDWITHNEW, OPT_POLL_COUNT, OPT_CHECK_AFTER, OPT_GRANT_IMPLICITCONF, @@ -577,6 +580,12 @@ const OPTIONS cmp_options[] = { "Certificate to be expected for rr and any oldCertID in kur messages"}, {"rsp_cert", OPT_RSP_CERT, 's', "Certificate to be returned as mock enrollment result"}, + {"rsp_cert_key", OPT_RSP_CERT_KEY, 's', + "Private key for the certificate to be returned as mock enrollment result"}, + {OPT_MORE_STR, 0, 0, + "Key to be returned for central key pair generation"}, + {"rsp_keypass", OPT_RSP_KEYPASS, 's', + "Response private key (and cert) pass phrase source"}, {"rsp_crl", OPT_RSP_CRL, 's', "CRL to be returned in genp of type crls"}, {"rsp_extracerts", OPT_RSP_EXTRACERTS, 's', @@ -689,8 +698,8 @@ static varref cmp_vars[] = { /* must be in same order as enumerated above! */ {&opt_srv_ref}, {&opt_srv_secret}, {&opt_srv_cert}, {&opt_srv_key}, {&opt_srv_keypass}, {&opt_srv_trusted}, {&opt_srv_untrusted}, - {&opt_ref_cert}, {&opt_rsp_cert}, {&opt_rsp_crl}, - {&opt_rsp_extracerts}, {&opt_rsp_capubs}, + {&opt_ref_cert}, {&opt_rsp_cert}, {&opt_rsp_cert_key}, {&opt_rsp_keypass}, + {&opt_rsp_crl}, {&opt_rsp_extracerts}, {&opt_rsp_capubs}, {&opt_rsp_newwithnew}, {&opt_rsp_newwithold}, {&opt_rsp_oldwithnew}, {(char **)&opt_poll_count}, {(char **)&opt_check_after}, @@ -1203,11 +1212,25 @@ static OSSL_CMP_SRV_CTX *setup_srv_ctx(ENGINE *engine) if (opt_rsp_cert == NULL) { CMP_warn("no -rsp_cert given for mock server"); } else { - if (!setup_cert(srv_ctx, opt_rsp_cert, opt_keypass, + if (!setup_cert(srv_ctx, opt_rsp_cert, opt_rsp_keypass, "cert the mock server returns on certificate requests", (add_X509_fn_t)ossl_cmp_mock_srv_set1_certOut)) goto err; } + if (opt_rsp_cert_key != NULL) { + EVP_PKEY *pkey = load_key_pwd(opt_rsp_cert_key, opt_keyform, + opt_rsp_keypass, engine, + "private key for enrollment cert"); + + if (pkey == NULL + || !ossl_cmp_mock_srv_set1_certOutKey(srv_ctx, pkey)) { + EVP_PKEY_free(pkey); + goto err; + } + EVP_PKEY_free(pkey); + } + cleanse(opt_rsp_keypass); + if (!setup_mock_crlout(srv_ctx, opt_rsp_crl, "CRL to be returned by the mock server")) goto err; @@ -3118,6 +3141,12 @@ static int get_opts(int argc, char **argv) case OPT_RSP_CERT: opt_rsp_cert = opt_str(); break; + case OPT_RSP_CERT_KEY: + opt_rsp_cert_key = opt_str(); + break; + case OPT_RSP_KEYPASS: + opt_rsp_keypass = opt_str(); + break; case OPT_RSP_CRL: opt_rsp_crl = opt_str(); break; diff --git a/apps/include/cmp_mock_srv.h b/apps/include/cmp_mock_srv.h index 6b4290460aa6cc..86bbac217b5e4e 100644 --- a/apps/include/cmp_mock_srv.h +++ b/apps/include/cmp_mock_srv.h @@ -22,6 +22,8 @@ void ossl_cmp_mock_srv_free(OSSL_CMP_SRV_CTX *srv_ctx); int ossl_cmp_mock_srv_set1_refCert(OSSL_CMP_SRV_CTX *srv_ctx, X509 *cert); int ossl_cmp_mock_srv_set1_certOut(OSSL_CMP_SRV_CTX *srv_ctx, X509 *cert); +int ossl_cmp_mock_srv_set1_certOutKey(OSSL_CMP_SRV_CTX *srv_ctx, + EVP_PKEY *pkey); int ossl_cmp_mock_srv_set1_crlOut(OSSL_CMP_SRV_CTX *srv_ctx, X509_CRL *crl); int ossl_cmp_mock_srv_set1_chainOut(OSSL_CMP_SRV_CTX *srv_ctx, STACK_OF(X509) *chain); diff --git a/apps/lib/cmp_mock_srv.c b/apps/lib/cmp_mock_srv.c index d98d4598a9750c..7004086026352a 100644 --- a/apps/lib/cmp_mock_srv.c +++ b/apps/lib/cmp_mock_srv.c @@ -19,6 +19,7 @@ typedef struct { X509 *refCert; /* cert to expect for oldCertID in kur/rr msg */ X509 *certOut; /* certificate to be returned in cp/ip/kup msg */ + EVP_PKEY *certOutKey; /* Private key to be returned for central keygen */ X509_CRL *crlOut; /* CRL to be returned in genp for crls */ STACK_OF(X509) *chainOut; /* chain of certOut to add to extraCerts field */ STACK_OF(X509) *caPubsOut; /* used in caPubs of ip and in caCerts of genp */ @@ -87,6 +88,22 @@ static mock_srv_ctx *mock_srv_ctx_new(void) DEFINE_OSSL_SET1_CERT(refCert) DEFINE_OSSL_SET1_CERT(certOut) +int ossl_cmp_mock_srv_set1_certOutKey(OSSL_CMP_SRV_CTX *srv_ctx, + EVP_PKEY *pkey) +{ + mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx); + + if (ctx == NULL) { + ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); + return 0; + } + if (pkey != NULL && !EVP_PKEY_up_ref(pkey)) + return 0; + EVP_PKEY_free(ctx->certOutKey); + ctx->certOutKey = pkey; + return 1; +} + int ossl_cmp_mock_srv_set1_crlOut(OSSL_CMP_SRV_CTX *srv_ctx, X509_CRL *crl) { @@ -275,6 +292,7 @@ static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx, mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx); int bodytype; OSSL_CMP_PKISI *si = NULL; + EVP_PKEY *certOutKey = NULL; if (ctx == NULL || cert_req == NULL || certOut == NULL || chainOut == NULL || caPubs == NULL) { @@ -358,6 +376,13 @@ static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx, && (*certOut = X509_dup(ctx->certOut)) == NULL) /* Should return a cert produced from request template, see FR #16054 */ goto err; + if (ctx->certOutKey != NULL + && OSSL_CMP_SRV_CTX_centralKeygen_req(crm, (X509_REQ *) p10cr) + /* using newPkey to return the private key */ + && (((certOutKey = EVP_PKEY_dup(ctx->certOutKey)) == NULL) + || !OSSL_CMP_CTX_set0_newPkey(OSSL_CMP_SRV_CTX_get0_cmp_ctx(srv_ctx), + 1 /* priv */, certOutKey))) + goto err; if (ctx->chainOut != NULL && (*chainOut = X509_chain_up_ref(ctx->chainOut)) == NULL) goto err; diff --git a/crypto/cmp/cmp_local.h b/crypto/cmp/cmp_local.h index 4ebbbbfd1462de..8da454e644a92a 100644 --- a/crypto/cmp/cmp_local.h +++ b/crypto/cmp/cmp_local.h @@ -952,7 +952,8 @@ OSSL_CMP_MSG *ossl_cmp_certreq_new(OSSL_CMP_CTX *ctx, int bodytype, const OSSL_CRMF_MSG *crm); OSSL_CMP_MSG *ossl_cmp_certrep_new(OSSL_CMP_CTX *ctx, int bodytype, int certReqId, const OSSL_CMP_PKISI *si, - X509 *cert, const X509 *encryption_recip, + X509 *cert, EVP_PKEY *certkey, + const X509 *encryption_recip, STACK_OF(X509) *chain, STACK_OF(X509) *caPubs, int unprotectedErrors); OSSL_CMP_MSG *ossl_cmp_rr_new(OSSL_CMP_CTX *ctx); diff --git a/crypto/cmp/cmp_msg.c b/crypto/cmp/cmp_msg.c index 8d74c74e493afc..78b97b792ab851 100644 --- a/crypto/cmp/cmp_msg.c +++ b/crypto/cmp/cmp_msg.c @@ -19,6 +19,9 @@ #include #include #include +#include +#include +#include OSSL_CMP_MSG *OSSL_CMP_MSG_new(OSSL_LIB_CTX *libctx, const char *propq) { @@ -449,9 +452,45 @@ OSSL_CMP_MSG *ossl_cmp_certreq_new(OSSL_CMP_CTX *ctx, int type, return NULL; } +#ifndef OPENSSL_NO_CMS +static OSSL_CRMF_ENCRYPTEDKEY *encprivatekey(OSSL_CMP_CTX *ctx, EVP_PKEY *privKey) +{ + OSSL_CRMF_ENCRYPTEDKEY *ek = NULL; + CMS_EnvelopedData *envData = NULL; + STACK_OF(X509) *encryption_recips = NULL; + BIO *privbio = NULL; + int res = 0; + X509 *recip = X509_dup(ctx->validatedSrvCert); + + encryption_recips = sk_X509_new_null(); + if (encryption_recips == NULL || recip == NULL + || !sk_X509_push(encryption_recips, recip)) + goto err; + + privbio = BIO_new(BIO_s_mem()); + if (privbio == NULL || i2d_PrivateKey_bio(privbio, privKey) <= 0) + goto err; + envData = CMS_env_sign_data(privbio, ctx->cert, ctx->pkey, + encryption_recips, ctx->libctx, ctx->propq); + if (envData == NULL) + goto err; + if ((ek = OSSL_CRMF_ENCRYPTEDKEY_init_envdata(envData)) == NULL) + goto err; + res = 1; + + err: + sk_X509_pop_free(encryption_recips, X509_free); + if (!res) + M_ASN1_free_of(envData, CMS_EnvelopedData); + + return ek; +} +#endif + OSSL_CMP_MSG *ossl_cmp_certrep_new(OSSL_CMP_CTX *ctx, int bodytype, int certReqId, const OSSL_CMP_PKISI *si, - X509 *cert, const X509 *encryption_recip, + X509 *cert, EVP_PKEY *certkey, + const X509 *encryption_recip, STACK_OF(X509) *chain, STACK_OF(X509) *caPubs, int unprotectedErrors) { @@ -495,6 +534,15 @@ OSSL_CMP_MSG *ossl_cmp_certrep_new(OSSL_CMP_CTX *ctx, int bodytype, if (!X509_up_ref(cert)) goto err; resp->certifiedKeyPair->certOrEncCert->value.certificate = cert; + + if (certkey != NULL) { +#ifndef OPENSSL_NO_CMS + resp->certifiedKeyPair->privateKey = encprivatekey(ctx, certkey); +#else + ERR_raise(ERR_LIB_CMP, ERR_R_UNSUPPORTED); + goto err; +#endif + } } if (!sk_OSSL_CMP_CERTRESPONSE_push(repMsg->response, resp)) diff --git a/crypto/cmp/cmp_server.c b/crypto/cmp/cmp_server.c index 84bddcec0907ad..3a0a94110b3b03 100644 --- a/crypto/cmp/cmp_server.c +++ b/crypto/cmp/cmp_server.c @@ -205,6 +205,27 @@ static OSSL_CMP_MSG *delayed_delivery(OSSL_CMP_SRV_CTX *srv_ctx, return msg; } +int OSSL_CMP_SRV_CTX_centralKeygen_req(const OSSL_CRMF_MSG *crm, + X509_REQ *p10cr) +{ + X509_PUBKEY *pubkey = NULL; + const unsigned char *pk = NULL; + int pklen, ret = 0; + + if (crm != NULL) + pubkey = OSSL_CRMF_CERTTEMPLATE_get0_publicKey(OSSL_CRMF_MSG_get0_tmpl(crm)); + else if (p10cr != NULL) + pubkey = X509_REQ_get_X509_PUBKEY(p10cr); + + if (pubkey == NULL + || (X509_PUBKEY_get0_param(NULL, &pk, &pklen, NULL, pubkey) + && pklen == 0)) + ret = 1; + + pk = NULL; + return ret; +} + /* * Processes an ir/cr/p10cr/kur and returns a certification response. * Only handles the first certification request contained in req @@ -216,9 +237,10 @@ static OSSL_CMP_MSG *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx, OSSL_CMP_MSG *msg = NULL; OSSL_CMP_PKISI *si = NULL; X509 *certOut = NULL; + EVP_PKEY *certOutKey = NULL; STACK_OF(X509) *chainOut = NULL, *caPubs = NULL; const OSSL_CRMF_MSG *crm = NULL; - const X509_REQ *p10cr = NULL; + X509_REQ *p10cr = NULL; int bodytype; int certReqId; @@ -263,7 +285,8 @@ static OSSL_CMP_MSG *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx, } srv_ctx->certReqId = certReqId; - if (!ossl_cmp_verify_popo(srv_ctx->ctx, req, srv_ctx->acceptRAVerified)) { + if (!(OSSL_CMP_SRV_CTX_centralKeygen_req(crm, p10cr) + || ossl_cmp_verify_popo(srv_ctx->ctx, req, srv_ctx->acceptRAVerified))) { /* Proof of possession could not be verified */ si = OSSL_CMP_STATUSINFO_new(OSSL_CMP_PKISTATUS_rejection, 1 << OSSL_CMP_PKIFAILUREINFO_badPOP, @@ -287,10 +310,13 @@ static OSSL_CMP_MSG *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx, /* do not set if polling starts: */ && certOut != NULL)) goto err; + if (OSSL_CMP_SRV_CTX_centralKeygen_req(crm, p10cr) + && srv_ctx->ctx->newPkey_priv && srv_ctx->ctx->newPkey != NULL) + certOutKey = srv_ctx->ctx->newPkey; } msg = ossl_cmp_certrep_new(srv_ctx->ctx, bodytype, certReqId, si, - certOut, NULL /* enc */, chainOut, caPubs, + certOut, certOutKey, NULL /* enc */, chainOut, caPubs, srv_ctx->sendUnprotectedErrors); /* When supporting OSSL_CRMF_POPO_KEYENC, "enc" will need to be set */ if (msg == NULL) @@ -299,6 +325,7 @@ static OSSL_CMP_MSG *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx, err: OSSL_CMP_PKISI_free(si); X509_free(certOut); + OSSL_CMP_CTX_set0_newPkey(srv_ctx->ctx, 0, NULL); OSSL_STACK_OF_X509_free(chainOut); OSSL_STACK_OF_X509_free(caPubs); return msg; diff --git a/crypto/cms/cms_asn1.c b/crypto/cms/cms_asn1.c index 9ac848e448b941..e02c8e90e39393 100644 --- a/crypto/cms/cms_asn1.c +++ b/crypto/cms/cms_asn1.c @@ -243,6 +243,7 @@ ASN1_NDEF_SEQUENCE(CMS_EnvelopedData) = { ASN1_SIMPLE(CMS_EnvelopedData, encryptedContentInfo, CMS_EncryptedContentInfo), ASN1_IMP_SET_OF_OPT(CMS_EnvelopedData, unprotectedAttrs, X509_ATTRIBUTE, 1) } ASN1_NDEF_SEQUENCE_END(CMS_EnvelopedData) +IMPLEMENT_ASN1_DUP_FUNCTION(CMS_EnvelopedData) ASN1_NDEF_SEQUENCE(CMS_DigestedData) = { ASN1_EMBED(CMS_DigestedData, version, INT32), diff --git a/crypto/cms/cms_lib.c b/crypto/cms/cms_lib.c index b09985ad3e27fe..aa5fd8e84fdc9b 100644 --- a/crypto/cms/cms_lib.c +++ b/crypto/cms/cms_lib.c @@ -739,3 +739,42 @@ int ossl_cms_set1_keyid(ASN1_OCTET_STRING **pkeyid, X509 *cert) *pkeyid = keyid; return 1; } + +CMS_EnvelopedData *CMS_env_sign_data(BIO *data, X509 *signcert, EVP_PKEY *signkey, + STACK_OF(X509) *encryption_recip, + OSSL_LIB_CTX *libctx, const char *propq) +{ + CMS_EnvelopedData *evd = NULL; + BIO *privbio = NULL, *signbio = NULL, *envelopbio = NULL; + CMS_ContentInfo *signcms = NULL, *evpcms = NULL; + + if (data == NULL || signkey == NULL || signcert == NULL || encryption_recip == NULL) { + ERR_raise(ERR_LIB_CMS, ERR_R_PASSED_NULL_PARAMETER); + return NULL; + } + + signcms = CMS_sign_ex(signcert, signkey, NULL, data, CMS_BINARY, + libctx, propq); + if (signcms == NULL) + goto err; + + signbio = BIO_new(BIO_s_mem()); + if (signbio == NULL + || ASN1_item_i2d_bio(ASN1_ITEM_rptr(CMS_SignedData), signbio, signcms->d.signedData) <= 0) + goto err; + + evpcms = CMS_encrypt_ex(encryption_recip, signbio, + EVP_aes_256_cbc(), CMS_BINARY, libctx, propq); + if (evpcms == NULL) + goto err; + evd = CMS_EnvelopedData_dup(evpcms->d.envelopedData); + + err: + BIO_free(privbio); + BIO_free(signbio); + BIO_free(envelopbio); + CMS_ContentInfo_free(signcms); + CMS_ContentInfo_free(evpcms); + + return evd; +} diff --git a/crypto/crmf/crmf_asn.c b/crypto/crmf/crmf_asn.c index 8a8f47f57885bf..bcce050c90bbf3 100644 --- a/crypto/crmf/crmf_asn.c +++ b/crypto/crmf/crmf_asn.c @@ -67,7 +67,9 @@ IMPLEMENT_ASN1_FUNCTIONS(OSSL_CRMF_ENCRYPTEDVALUE) */ ASN1_CHOICE(OSSL_CRMF_ENCRYPTEDKEY) = { ASN1_SIMPLE(OSSL_CRMF_ENCRYPTEDKEY, value.encryptedValue, OSSL_CRMF_ENCRYPTEDVALUE), +#ifndef OPENSSL_NO_CMS ASN1_IMP(OSSL_CRMF_ENCRYPTEDKEY, value.envelopedData, CMS_EnvelopedData, 0), +#endif } ASN1_CHOICE_END(OSSL_CRMF_ENCRYPTEDKEY) IMPLEMENT_ASN1_FUNCTIONS(OSSL_CRMF_ENCRYPTEDKEY) diff --git a/crypto/crmf/crmf_lib.c b/crypto/crmf/crmf_lib.c index d2d3e0fd9be0aa..9c474f41f5dd9d 100644 --- a/crypto/crmf/crmf_lib.c +++ b/crypto/crmf/crmf_lib.c @@ -38,6 +38,7 @@ #include #include #include +#include /*- * atyp = Attribute Type @@ -627,18 +628,8 @@ static int check_cmKGA(ossl_unused const X509_PURPOSE *purpose, return ret; ekus = X509_get_ext_d2i(x, NID_ext_key_usage, NULL, NULL); for (i = 0; i < sk_ASN1_OBJECT_num(ekus); i++) { -# if OPENSSL_VERSION_NUMBER >= 0x30000000L if (OBJ_obj2nid(sk_ASN1_OBJECT_value(ekus, i)) == NID_cmKGA) goto end; -# else - { - char txt[100]; - - if (OBJ_obj2txt(txt, sizeof(txt), sk_ASN1_OBJECT_value(ekus, i), 1) - && strcmp(txt, "1.3.6.1.5.5.7.3.32") == 0) /* OID cmKGA */ - goto end; - } -# endif } ret = 0; @@ -912,3 +903,17 @@ X509 return NULL; #endif /* OPENSSL_NO_CMS */ } + +#ifndef OPENSSL_NO_CMS +OSSL_CRMF_ENCRYPTEDKEY +*OSSL_CRMF_ENCRYPTEDKEY_init_envdata(CMS_EnvelopedData *envdata) +{ + OSSL_CRMF_ENCRYPTEDKEY *ek = OSSL_CRMF_ENCRYPTEDKEY_new(); + + if (ek == NULL) + return NULL; + ek->type = OSSL_CRMF_ENCRYPTEDKEY_ENVELOPEDDATA; + ek->value.envelopedData = envdata; + return ek; +} +#endif diff --git a/crypto/crmf/crmf_local.h b/crypto/crmf/crmf_local.h index e47f137b1926e8..a7ef94e1bd022c 100644 --- a/crypto/crmf/crmf_local.h +++ b/crypto/crmf/crmf_local.h @@ -66,7 +66,9 @@ struct ossl_crmf_encryptedkey_st { int type; union { OSSL_CRMF_ENCRYPTEDVALUE *encryptedValue; /* 0 */ /* Deprecated */ +# ifndef OPENSSL_NO_CMS CMS_EnvelopedData *envelopedData; /* 1 */ +# endif } value; } /* OSSL_CRMF_ENCRYPTEDKEY */; diff --git a/include/openssl/cmp.h.in b/include/openssl/cmp.h.in index d659331fa38fa7..13a059266b2727 100644 --- a/include/openssl/cmp.h.in +++ b/include/openssl/cmp.h.in @@ -542,6 +542,8 @@ int OSSL_CMP_SRV_CTX_set_accept_unprotected(OSSL_CMP_SRV_CTX *srv_ctx, int val); int OSSL_CMP_SRV_CTX_set_accept_raverified(OSSL_CMP_SRV_CTX *srv_ctx, int val); int OSSL_CMP_SRV_CTX_set_grant_implicit_confirm(OSSL_CMP_SRV_CTX *srv_ctx, int val); +int OSSL_CMP_SRV_CTX_centralKeygen_req(const OSSL_CRMF_MSG *crm, + X509_REQ *p10cr); /* from cmp_client.c */ X509 *OSSL_CMP_exec_certreq(OSSL_CMP_CTX *ctx, int req_type, diff --git a/include/openssl/cms.h.in b/include/openssl/cms.h.in index 239667700aacd2..2e7464e721573c 100644 --- a/include/openssl/cms.h.in +++ b/include/openssl/cms.h.in @@ -57,6 +57,8 @@ DECLARE_ASN1_FUNCTIONS(CMS_ContentInfo) DECLARE_ASN1_FUNCTIONS(CMS_ReceiptRequest) DECLARE_ASN1_PRINT_FUNCTION(CMS_ContentInfo) +DECLARE_ASN1_DUP_FUNCTION(CMS_EnvelopedData) + CMS_ContentInfo *CMS_ContentInfo_new_ex(OSSL_LIB_CTX *libctx, const char *propq); # define CMS_SIGNERINFO_ISSUER_SERIAL 0 @@ -397,6 +399,9 @@ int CMS_RecipientInfo_kari_decrypt(CMS_ContentInfo *cms, int CMS_SharedInfo_encode(unsigned char **pder, X509_ALGOR *kekalg, ASN1_OCTET_STRING *ukm, int keylen); +CMS_EnvelopedData *CMS_env_sign_data(BIO *data, X509 *signcert, EVP_PKEY *signkey, + STACK_OF(X509) *encryption_recip, + OSSL_LIB_CTX *libctx, const char *propq); /* Backward compatibility for spelling errors. */ # define CMS_R_UNKNOWN_DIGEST_ALGORITM CMS_R_UNKNOWN_DIGEST_ALGORITHM diff --git a/include/openssl/crmf.h.in b/include/openssl/crmf.h.in index c474ba2080ddc8..3fc9cf74d49411 100644 --- a/include/openssl/crmf.h.in +++ b/include/openssl/crmf.h.in @@ -27,6 +27,7 @@ use OpenSSL::stackhash qw(generate_stack_macros); # include # include # include /* for GENERAL_NAME etc. */ +# include /* explicit #includes not strictly needed since implied by the above: */ # include @@ -198,7 +199,10 @@ EVP_PKEY EVP_PKEY *pkey, X509 *cert, ASN1_OCTET_STRING *secret, OSSL_LIB_CTX *libctx, const char *propq); - +# ifndef OPENSSL_NO_CMS +OSSL_CRMF_ENCRYPTEDKEY +*OSSL_CRMF_ENCRYPTEDKEY_init_envdata(CMS_EnvelopedData *envdata); +# endif # ifdef __cplusplus } diff --git a/test/recipes/80-test_cmp_http.t b/test/recipes/80-test_cmp_http.t index 62ce1bd169063e..92de36cbfdd240 100644 --- a/test/recipes/80-test_cmp_http.t +++ b/test/recipes/80-test_cmp_http.t @@ -32,6 +32,8 @@ plan skip_all => "These tests are not supported in a no-sock build" if disabled("sock"); plan skip_all => "These tests are not supported in a no-http build" if disabled("http"); +plan skip_all => "These tests are not supported in a no-cms build" + if disabled("cms"); # central key pair generation plan skip_all => "Tests involving local HTTP server not available on Windows or VMS" if $^O =~ /^(VMS|MSWin32|msys)$/; diff --git a/test/recipes/80-test_cmp_http_data/Mock/server.cnf b/test/recipes/80-test_cmp_http_data/Mock/server.cnf index 86a11f6a368297..fbd4d418b882bf 100644 --- a/test/recipes/80-test_cmp_http_data/Mock/server.cnf +++ b/test/recipes/80-test_cmp_http_data/Mock/server.cnf @@ -12,6 +12,7 @@ no_cache_extracerts = 1 ref_cert = signer_only.crt rsp_cert = signer_only.crt +rsp_cert_key = signer.key rsp_crl = newcrl.pem rsp_capubs = trusted.crt rsp_extracerts = signer_issuing.crt diff --git a/test/recipes/80-test_cmp_http_data/Mock/server.crt b/test/recipes/80-test_cmp_http_data/Mock/server.crt index 07eab2e63b8e29..d49b846995f240 100644 --- a/test/recipes/80-test_cmp_http_data/Mock/server.crt +++ b/test/recipes/80-test_cmp_http_data/Mock/server.crt @@ -1,24 +1,25 @@ Issuer: CN=Root CA Validity - Not Before: Jan 14 22:29:46 2016 GMT - Not After : Jan 15 22:29:46 2116 GMT + Not Before: Aug 8 13:28:36 2024 GMT + Not After : Apr 11 13:28:36 2127 GMT Subject: CN=server.example -----BEGIN CERTIFICATE----- -MIIDJTCCAg2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 -IENBMCAXDTE2MDExNDIyMjk0NloYDzIxMTYwMTE1MjIyOTQ2WjAZMRcwFQYDVQQD -DA5zZXJ2ZXIuZXhhbXBsZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB -ANVdYGrf/GHuSKqMEUhDpW22Ul2qmEmxYZI1sfw6BCUMbXn/tNXJ6VwcO+Crs7h9 -o95tveDd11q/FEcRQl6mgtBhwX/dE0bmCYUHDvLU/Bpk0gqtIKsga5bwrczEGVNV -3AEdpLPvirRJU12KBRzx3OFEv8XX4ncZV1yXC3XuiENxD8pswbSyUKd3RmxYDxG/ -8XYkWq45QrdRZynh0FUwbxfkkeqt+CjCQ2+iZKn7nZiSYkg+6w1PgkqK/z9y7pa1 -rqHBmLrvfZB1bf9aUp6r9cB+0IdD24UHBw99OHr90dPuZR3T6jlqhzfuStPgDW71 -cKzCvfFu85KVXqnwoWWVk40CAwEAAaN9MHswHQYDVR0OBBYEFMDnhL/oWSczELBS -T1FSLwbWwHrNMB8GA1UdIwQYMBaAFHB/Lq6DaFmYBCMqzes+F80k3QFJMAkGA1Ud -EwQCMAAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGQYDVR0RBBIwEIIOc2VydmVyLmV4 -YW1wbGUwDQYJKoZIhvcNAQELBQADggEBAHvTBEN1ig8RrsT716Ginv4gGNX0LzGI -RrZ1jO7lm5emuaPNYJpGw0iX5Zdo91qGNXPZaZ75X3S55pQTActq3OPEBOll2pyk -iyjz+Zp/v5cfRZLlBbFW5gv2R94eibYr4U3fSn4B0yPcl4xH/l/HzJhGDsSDW8qK -8VIJvmvsPwmL0JMCv+FR59F+NFYZdND/KCXet59WUpF9ICmFCoBEX3EyJXEPwhbi -X2sdPzJbCjx0HLli8e0HUKNttLQxCsBTRGo6iISLLamwN47mGDa9miBADwGSiz2q -YeeuLO02zToHhnQ6KbPXOrQAqcL1kngO4g+j/ru+4AZThFkdkGnltvk= +MIIDVDCCAjygAwIBAgIUMoDahWpYk1B1WIjOwkom4s27V/EwDQYJKoZIhvcNAQEL +BQAwEjEQMA4GA1UEAwwHUm9vdCBDQTAgFw0yNDA4MDgxMzI4MzZaGA8yMTI3MDQx +MTEzMjgzNlowGTEXMBUGA1UEAwwOc2VydmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQDVXWBq3/xh7kiqjBFIQ6VttlJdqphJsWGSNbH8 +OgQlDG15/7TVyelcHDvgq7O4faPebb3g3ddavxRHEUJepoLQYcF/3RNG5gmFBw7y +1PwaZNIKrSCrIGuW8K3MxBlTVdwBHaSz74q0SVNdigUc8dzhRL/F1+J3GVdclwt1 +7ohDcQ/KbMG0slCnd0ZsWA8Rv/F2JFquOUK3UWcp4dBVMG8X5JHqrfgowkNvomSp ++52YkmJIPusNT4JKiv8/cu6Wta6hwZi6732QdW3/WlKeq/XAftCHQ9uFBwcPfTh6 +/dHT7mUd0+o5aoc37krT4A1u9XCswr3xbvOSlV6p8KFllZONAgMBAAGjgZgwgZUw +CQYDVR0TBAIwADAdBgNVHQ4EFgQUwOeEv+hZJzMQsFJPUVIvBtbAes0wHwYDVR0j +BBgwFoAUcH8uroNoWZgEIyrN6z4XzSTdAUkwDgYDVR0PAQH/BAQDAgWgMB0GA1Ud +JQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDIDAZBgNVHREEEjAQgg5zZXJ2ZXIuZXhh +bXBsZTANBgkqhkiG9w0BAQsFAAOCAQEAPRQ87zMFGrcQau8h8wDULU2PPgo1nifQ +1Vs+4WD7bPzk5GHl3M3OE2ZwhzYfO+ACcJa29Ahu7GRC660lXKlwONnQYuTTLqPD +KylY9ZJQUyP+CA5oZsDtnOcfrTy837jKq18NQ3ZxbRDpoVIATNHf9J2qe9yIkxYe +9p+aXGdvfDsNrhkz/m76V+KmioventOEKsRg64FfGKEZP8EfoBiNJipBdmN1I+GE +VTW91jjpgBTdCmyncmVn/CaV1d5S4ed4oQMLlLc+KsqDe97bF2TssFxcMmnyxgqb +bKDZOfzPI1HTs22tj6eLcZTIkcAuFET+uxcmFQcDsjYEf0G+iZLGWw== -----END CERTIFICATE----- diff --git a/test/recipes/80-test_cmp_http_data/test_commands.csv b/test/recipes/80-test_cmp_http_data/test_commands.csv index 26b985bf65d32a..014eef596bb991 100644 --- a/test/recipes/80-test_cmp_http_data/test_commands.csv +++ b/test/recipes/80-test_cmp_http_data/test_commands.csv @@ -132,8 +132,15 @@ expected,description, -section,val, -cmd,val,val2, -cacertsout,val,val2, -infoty 1,rspin, -section,, -cmd,ir,,BLANK,,,-rspin,_RESULT_DIR/ip.der _RESULT_DIR/pkiConf.der,,BLANK,,BLANK 0,rspin too few files - server must reject, -section,, -cmd,ir,,BLANK,,,-rspin,_RESULT_DIR/ip.der,,BLANK,,BLANK,-secret,_PBM_SECRET 0,rspin too few files - no server, -section,, -cmd,ir,,BLANK,,,-rspin,_RESULT_DIR/ip.der,,BLANK,,BLANK, -server,"""" -1,reqout_only ir - no server, -section,, -cmd,ir,,-reqout_only,_RESULT_DIR/ir2.der,,BLANK,,BLANK, -server,"""" +1,reqout_only ir - no server, -section,, -cmd,ir,,-reqout_only,_RESULT_DIR/ir2.der,,BLANK,,BLANK, -server,"""",-popo,-1,-newkeyout,_RESULT_DIR/newkeyout.pem 0,reqout_only non-existing directory and file, -section,, -cmd,ir,,-reqout_only,idontexist/idontexist,,BLANK,,BLANK, -server,"""" 0,reqin ir - no newkey, -section,, -cmd,ir,,-reqin,_RESULT_DIR/ir2.der,,-newkey,"""",-newkey,"""",-key,"""",-cert,"""",-secret,_PBM_SECRET -1,reqin ir and rspout - no newkey but -popo -1, -section,, -cmd,ir,,-reqin,_RESULT_DIR/ir2.der,,-rspout,_RESULT_DIR/ip2.der,-newkey,"""",--key,"""",-cert,"""",-secret,_PBM_SECRET,-popo,-1 -1,reqin ip and rspin - no newkey but -popo -1, -section,, -cmd,ir,,-reqin,_RESULT_DIR/ir2.der,,-rspin,_RESULT_DIR/ip2.der,,-newkey,"""",-key,"""",-cert,"""",-secret,_PBM_SECRET,-popo,-1, -server,"""",-disable_confirm +1,reqin ir and rspout - no newkey but -popo -1, -section,, -cmd,ir,,-reqin,_RESULT_DIR/ir2.der,,-rspout,_RESULT_DIR/ip2.der,-newkey,"""",-popo,-1,-newkeyout,_RESULT_DIR/newkeyout.pem +1,reqin ip and rspin - no newkey but -popo -1, -section,, -cmd,ir,,-reqin,_RESULT_DIR/ir2.der,,-rspin,_RESULT_DIR/ip2.der,,-newkey,"""",-server,"""",-disable_confirm,-popo,-1,-newkeyout,_RESULT_DIR/newkeyout.pem +,,,,,,,,,,,,,,,,,,, +1,central key generation, -section,, -cmd,cr,, -centralkeygen, -newkeyout,_RESULT_DIR/newkeyout.pem +0,central key generation missing newkeyout, -section,, -cmd,cr,, -centralkeygen,,BLANK,,BLANK,,BLANK,,BLANK, +0,using popo=1 with central key generation, -section,, -cmd,cr,, -centralkeygen, -popo,1, -newkeyout,_RESULT_DIR/newkeyout.pem +1, using popo=-1 with central key generation, -section,, -cmd,cr,, -centralkeygen, -popo,-1, -newkeyout,_RESULT_DIR/newkeyout.pem +1, uisng popo=-1 instead of central key generation, -section,, -cmd,cr,, -popo,-1, -newkeyout,_RESULT_DIR/newkeyout.pem +0, using popo=-1 instead of central key generation without newkeyout, -section,, -cmd,cr,, -popo,-1,,BLANK,,BLANK,,BLANK,,BLANK, \ No newline at end of file diff --git a/util/libcrypto.num b/util/libcrypto.num index 9a018b7fc78ee2..acdb0504218953 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -5576,6 +5576,7 @@ i2d_OSSL_CMP_ATAVS ? 3_4_0 EXIST::FUNCTION:CMP OSSL_CMP_ATAVS_free ? 3_4_0 EXIST::FUNCTION:CMP OSSL_CMP_ATAVS_new ? 3_4_0 EXIST::FUNCTION:CMP OSSL_CMP_ATAVS_it ? 3_4_0 EXIST::FUNCTION:CMP +OSSL_CMP_SRV_CTX_centralKeygen_req ? 3_4_0 EXIST::FUNCTION:CMP OSSL_CRMF_ATTRIBUTETYPEANDVALUE_free ? 3_4_0 EXIST::FUNCTION:CRMF OSSL_CRMF_ATTRIBUTETYPEANDVALUE_dup ? 3_4_0 EXIST::FUNCTION:CRMF OSSL_CRMF_CERTTEMPLATE_dup ? 3_4_0 EXIST::FUNCTION:CRMF @@ -5665,6 +5666,9 @@ OSSL_IETF_ATTR_SYNTAX_get0_value ? 3_4_0 EXIST::FUNCTION: OSSL_IETF_ATTR_SYNTAX_add1_value ? 3_4_0 EXIST::FUNCTION: OSSL_IETF_ATTR_SYNTAX_print ? 3_4_0 EXIST::FUNCTION: X509_ACERT_add_attr_nconf ? 3_4_0 EXIST::FUNCTION: +CMS_env_sign_data ? 3_4_0 EXIST::FUNCTION:CMS +CMS_EnvelopedData_dup ? 3_4_0 EXIST::FUNCTION:CMS +OSSL_CRMF_ENCRYPTEDKEY_init_envdata ? 3_4_0 EXIST::FUNCTION:CMS,CRMF d2i_OSSL_CRMF_ENCRYPTEDKEY ? 3_4_0 EXIST::FUNCTION:CRMF i2d_OSSL_CRMF_ENCRYPTEDKEY ? 3_4_0 EXIST::FUNCTION:CRMF OSSL_CRMF_ENCRYPTEDKEY_free ? 3_4_0 EXIST::FUNCTION:CRMF