Skip to content

Commit

Permalink
fix sending error when no root CA cert update available
Browse files Browse the repository at this point in the history
Reviewed-by: David von Oheimb <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from openssl#24169)
  • Loading branch information
rajeev-0 authored and DDvO committed Apr 22, 2024
1 parent 6594baf commit fc9649f
Show file tree
Hide file tree
Showing 5 changed files with 45 additions and 20 deletions.
19 changes: 16 additions & 3 deletions apps/lib/cmp_mock_srv.c
Original file line number Diff line number Diff line change
Expand Up @@ -401,9 +401,22 @@ static OSSL_CMP_ITAV *process_genm_itav(mock_srv_ctx *ctx, int req_nid,
rsp = OSSL_CMP_ITAV_new_caCerts(ctx->caPubsOut);
break;
case NID_id_it_rootCaCert:
rsp = OSSL_CMP_ITAV_new_rootCaKeyUpdate(ctx->newWithNew,
ctx->newWithOld,
ctx->oldWithNew);
{
X509 *rootcacert = NULL;

if (!OSSL_CMP_ITAV_get0_rootCaCert(req, &rootcacert))
return NULL;

if (rootcacert != NULL
&& X509_NAME_cmp(X509_get_subject_name(rootcacert),
X509_get_subject_name(ctx->newWithNew)) != 0)
/* The subjects do not match */
rsp = OSSL_CMP_ITAV_new_rootCaKeyUpdate(NULL, NULL, NULL);
else
rsp = OSSL_CMP_ITAV_new_rootCaKeyUpdate(ctx->newWithNew,
ctx->newWithOld,
ctx->oldWithNew);
}
break;
default:
rsp = OSSL_CMP_ITAV_dup(req);
Expand Down
33 changes: 20 additions & 13 deletions crypto/cmp/cmp_asn.c
Original file line number Diff line number Diff line change
Expand Up @@ -287,23 +287,30 @@ OSSL_CMP_ITAV *OSSL_CMP_ITAV_new_rootCaKeyUpdate(const X509 *newWithNew,
const X509 *oldWithNew)
{
OSSL_CMP_ITAV *itav;
OSSL_CMP_ROOTCAKEYUPDATE *upd = OSSL_CMP_ROOTCAKEYUPDATE_new();
OSSL_CMP_ROOTCAKEYUPDATE *upd = NULL;

if (newWithNew != NULL) {
upd = OSSL_CMP_ROOTCAKEYUPDATE_new();
if (upd == NULL)
return NULL;

if ((upd->newWithNew = X509_dup(newWithNew)) == NULL)
goto err;
if (newWithOld != NULL
&& (upd->newWithOld = X509_dup(newWithOld)) == NULL)
goto err;
if (oldWithNew != NULL
&& (upd->oldWithNew = X509_dup(oldWithNew)) == NULL)
goto err;
}

if (upd == NULL)
return NULL;
if (newWithNew != NULL && (upd->newWithNew = X509_dup(newWithNew)) == NULL)
goto err;
if (newWithOld != NULL && (upd->newWithOld = X509_dup(newWithOld)) == NULL)
goto err;
if (oldWithNew != NULL && (upd->oldWithNew = X509_dup(oldWithNew)) == NULL)
goto err;
if ((itav = OSSL_CMP_ITAV_new()) == NULL)
goto err;
itav->infoType = OBJ_nid2obj(NID_id_it_rootCaKeyUpdate);
itav->infoValue.rootCaKeyUpdate = upd;
return itav;

err:
err:
OSSL_CMP_ROOTCAKEYUPDATE_free(upd);
return NULL;
}
Expand All @@ -324,11 +331,11 @@ int OSSL_CMP_ITAV_get0_rootCaKeyUpdate(const OSSL_CMP_ITAV *itav,
return 0;
}
upd = itav->infoValue.rootCaKeyUpdate;
*newWithNew = upd->newWithNew;
*newWithNew = upd != NULL ? upd->newWithNew : NULL;
if (newWithOld != NULL)
*newWithOld = upd->newWithOld;
*newWithOld = upd != NULL ? upd->newWithOld : NULL;
if (oldWithNew != NULL)
*oldWithNew = upd->oldWithNew;
*oldWithNew = upd != NULL ? upd->oldWithNew : NULL;
return 1;
}

Expand Down
6 changes: 4 additions & 2 deletions crypto/cmp/cmp_genm.c
Original file line number Diff line number Diff line change
Expand Up @@ -307,9 +307,11 @@ int OSSL_CMP_get1_rootCaKeyUpdate(OSSL_CMP_CTX *ctx,
if (!OSSL_CMP_ITAV_get0_rootCaKeyUpdate(itav, newWithNew,
&my_newWithOld, &my_oldWithNew))
goto end;

if (*newWithNew == NULL) /* no root CA cert update available */
/* no root CA cert update available */
if (*newWithNew == NULL) {
res = 1;
goto end;
}
if ((oldWithOld_copy = X509_dup(oldWithOld)) == NULL && oldWithOld != NULL)
goto end;
if (!verify_ss_cert_trans(ctx, oldWithOld_copy, my_newWithOld,
Expand Down
5 changes: 4 additions & 1 deletion doc/man3/OSSL_CMP_ITAV_new_caCerts.pod
Original file line number Diff line number Diff line change
Expand Up @@ -49,6 +49,8 @@ the internal pointer to the certificate contained in the infoValue field.
OSSL_CMP_ITAV_new_rootCaKeyUpdate() creates a new B<OSSL_CMP_ITAV> structure
of type B<rootCaKeyUpdate> that includes an RootCaKeyUpdateContent structure
with the optional I<newWithNew>, I<newWithOld>, and I<oldWithNew> certificates.
An RootCaKeyUpdateContent structure is included only if I<newWithNew>
is not NULL.

OSSL_CMP_ITAV_get0_rootCaKeyUpdate() requires that I<itav> has infoType
B<rootCaKeyUpdate>.
Expand All @@ -59,7 +61,8 @@ If I<newWithOld> is not NULL, it assigns to I<*newWithOld> the internal pointer
to the certificate contained in the newWithOld infoValue sub-field of I<itav>.
If I<oldWithNew> is not NULL, it assigns to I<*oldWithNew> the internal pointer
to the certificate contained in the oldWithNew infoValue sub-field of I<itav>.
Each of these pointers will be NULL if the respective sub-field is not set.
Each of these pointers will be set to NULL if no root CA certificate update
is present or the respective sub-field is not included.

=head1 NOTES

Expand Down
2 changes: 1 addition & 1 deletion test/recipes/80-test_cmp_http_data/test_commands.csv
Original file line number Diff line number Diff line change
Expand Up @@ -77,7 +77,7 @@ expected,description, -section,val, -cmd,val,val2, -cacertsout,val,val2, -infoty
0,genm rootCaCert oldwithold empty file , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,, -oldwithold, empty.txt , -newwithnew, _RESULT_DIR/test.newwithnew.pem
0,genm rootCaCert oldwithold random file , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,, -oldwithold, random.bin , -newwithnew, _RESULT_DIR/test.newwithnew.pem
0,genm rootCaCert oldwithold nonexistent , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,, -oldwithold, idontexist , -newwithnew, _RESULT_DIR/test.newwithnew.pem
0,genm rootCaCert oldwithold wrong , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,, -oldwithold, signer.crt , -newwithnew, _RESULT_DIR/test.newwithnew.pem
1,genm rootCaCert oldwithold different , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,, -oldwithold, signer.crt , -newwithnew, _RESULT_DIR/test.newwithnew.pem
0,genm rootCaCert missing newwithnew , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,, -oldwithold, oldWithOld.pem, BLANK ,,
0,genm rootCaCert newwithnew missing arg , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,, -oldwithold, oldWithOld.pem, -newwithnew,,
1,genm rootCaCert with oldwithnew , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,, -oldwithold, oldWithOld.pem, -newwithnew, _RESULT_DIR/test.newwithnew1.pem, -oldwithnew, _RESULT_DIR/test.oldwithnew1.pem
Expand Down

0 comments on commit fc9649f

Please sign in to comment.