cmp_genm.c

Last change on this file was 109052, checked in by vboxsync, 3 weeks ago
openssl-3.4.1: Applied our changes, regenerated files, added missing files and functions. This time with a three way merge. bugref:10890
Property svn:eol-style set to `native` Property svn:keywords set to `Author Date Id Revision`
File size: 14.1 KB

Line
1	/*
2	* Copyright 2022-2024 The OpenSSL Project Authors. All Rights Reserved.
3	* Copyright Siemens AG 2022
4	*
5	* Licensed under the Apache License 2.0 (the "License"). You may not use
6	* this file except in compliance with the License. You can obtain a copy
7	* in the file LICENSE in the source distribution or at
8	* https://www.openssl.org/source/license.html
9	*/
10
11	#include "cmp_local.h"
12	#include <openssl/cmp_util.h>
13
14	static const X509_VERIFY_PARAM get0_trustedStore_vpm(const OSSL_CMP_CTX ctx)
15	{
16	const X509_STORE *ts = OSSL_CMP_CTX_get0_trustedStore(ctx);
17
18	return ts == NULL ? NULL : X509_STORE_get0_param(ts);
19	}
20
21	static void cert_msg(const char func, const char file, int lineno,
22	OSSL_CMP_severity level, OSSL_CMP_CTX *ctx,
23	const char source, X509 cert, const char *msg)
24	{
25	char *subj = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0);
26
27	ossl_cmp_print_log(level, ctx, func, file, lineno,
28	level == OSSL_CMP_LOG_WARNING ? "WARN" : "ERR",
29	"certificate from '%s' with subject '%s' %s",
30	source, subj, msg);
31	OPENSSL_free(subj);
32	}
33
34	/* use \|type_CA\| -1 (no CA type check) or 0 (must be EE) or 1 (must be CA) */
35	static int ossl_X509_check(OSSL_CMP_CTX ctx, const char source, X509 *cert,
36	int type_CA, const X509_VERIFY_PARAM *vpm)
37	{
38	uint32_t ex_flags = X509_get_extension_flags(cert);
39	int res = X509_cmp_timeframe(vpm, X509_get0_notBefore(cert),
40	X509_get0_notAfter(cert));
41	int ret = res == 0;
42	OSSL_CMP_severity level =
43	vpm == NULL ? OSSL_CMP_LOG_WARNING : OSSL_CMP_LOG_ERR;
44
45	if (!ret)
46	cert_msg(OPENSSL_FUNC, OPENSSL_FILE, OPENSSL_LINE, level, ctx,
47	source, cert, res > 0 ? "has expired" : "not yet valid");
48	if (type_CA >= 0 && (ex_flags & EXFLAG_V1) == 0) {
49	int is_CA = (ex_flags & EXFLAG_CA) != 0;
50
51	if ((type_CA != 0) != is_CA) {
52	cert_msg(OPENSSL_FUNC, OPENSSL_FILE, OPENSSL_LINE, level, ctx,
53	source, cert,
54	is_CA ? "is not an EE cert" : "is not a CA cert");
55	ret = 0;
56	}
57	}
58	return ret;
59	}
60
61	static int ossl_X509_check_all(OSSL_CMP_CTX ctx, const char source,
62	STACK_OF(X509) *certs,
63	int type_CA, const X509_VERIFY_PARAM *vpm)
64	{
65	int i;
66	int ret = 1;
67
68	for (i = 0; i < sk_X509_num(certs /* may be NULL */); i++)
69	ret = ossl_X509_check(ctx, source,
70	sk_X509_value(certs, i), type_CA, vpm)
71	&& ret; /* Having 'ret' after the '&&', all certs are checked. */
72	return ret;
73	}
74
75	static OSSL_CMP_ITAV get_genm_itav(OSSL_CMP_CTX ctx,
76	OSSL_CMP_ITAV req, / gets consumed */
77	int expected, const char *desc)
78	{
79	STACK_OF(OSSL_CMP_ITAV) *itavs = NULL;
80	int i, n;
81
82	if (ctx == NULL) {
83	ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
84	goto err;
85	}
86	if (OSSL_CMP_CTX_get_status(ctx) != OSSL_CMP_PKISTATUS_unspecified) {
87	ERR_raise_data(ERR_LIB_CMP, CMP_R_UNCLEAN_CTX,
88	"client context in unsuitable state; should call CMPclient_reinit() before");
89	goto err;
90	}
91
92	if (!OSSL_CMP_CTX_push0_genm_ITAV(ctx, req))
93	goto err;
94	req = NULL;
95	itavs = OSSL_CMP_exec_GENM_ses(ctx);
96	if (itavs == NULL) {
97	if (OSSL_CMP_CTX_get_status(ctx) != OSSL_CMP_PKISTATUS_request)
98	ERR_raise_data(ERR_LIB_CMP, CMP_R_GETTING_GENP,
99	"with infoType %s", desc);
100	return NULL;
101	}
102
103	if ((n = sk_OSSL_CMP_ITAV_num(itavs)) <= 0) {
104	ERR_raise_data(ERR_LIB_CMP, CMP_R_INVALID_GENP,
105	"response on genm requesting infoType %s does not include suitable value", desc);
106	sk_OSSL_CMP_ITAV_free(itavs);
107	return NULL;
108	}
109
110	if (n > 1)
111	ossl_cmp_log2(WARN, ctx,
112	"response on genm contains %d ITAVs; will use the first ITAV with infoType id-it-%s",
113	n, desc);
114	for (i = 0; i < n; i++) {
115	OSSL_CMP_ITAV *itav = sk_OSSL_CMP_ITAV_shift(itavs);
116	ASN1_OBJECT *obj = OSSL_CMP_ITAV_get0_type(itav);
117	char name[128] = "genp contains InfoType '";
118	size_t offset = strlen(name);
119
120	if (OBJ_obj2nid(obj) == expected) {
121	for (i++; i < n; i++)
122	OSSL_CMP_ITAV_free(sk_OSSL_CMP_ITAV_shift(itavs));
123	sk_OSSL_CMP_ITAV_free(itavs);
124	return itav;
125	}
126
127	if (OBJ_obj2txt(name + offset, sizeof(name) - offset, obj, 0) < 0)
128	strcat(name, "<unknown>");
129	ossl_cmp_log2(WARN, ctx, "%s' while expecting 'id-it-%s'", name, desc);
130	OSSL_CMP_ITAV_free(itav);
131	}
132	ERR_raise_data(ERR_LIB_CMP, CMP_R_INVALID_GENP,
133	"could not find any ITAV for %s", desc);
134
135	err:
136	sk_OSSL_CMP_ITAV_free(itavs);
137	OSSL_CMP_ITAV_free(req);
138	return NULL;
139	}
140
141	int OSSL_CMP_get1_caCerts(OSSL_CMP_CTX ctx, STACK_OF(X509) *out)
142	{
143	OSSL_CMP_ITAV req, itav;
144	STACK_OF(X509) *certs = NULL;
145	int ret = 0;
146
147	if (out == NULL) {
148	ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
149	return 0;
150	}
151	*out = NULL;
152
153	if ((req = OSSL_CMP_ITAV_new_caCerts(NULL)) == NULL)
154	return 0;
155	if ((itav = get_genm_itav(ctx, req, NID_id_it_caCerts, "caCerts")) == NULL)
156	return 0;
157	if (!OSSL_CMP_ITAV_get0_caCerts(itav, &certs))
158	goto end;
159	ret = 1;
160	if (certs == NULL) /* no CA certificate available */
161	goto end;
162
163	if (!ossl_X509_check_all(ctx, "genp", certs, 1 /* CA */,
164	get0_trustedStore_vpm(ctx))) {
165	ret = 0;
166	goto end;
167	}
168	*out = sk_X509_new_reserve(NULL, sk_X509_num(certs));
169	if (!X509_add_certs(*out, certs,
170	X509_ADD_FLAG_UP_REF \| X509_ADD_FLAG_NO_DUP)) {
171	sk_X509_pop_free(*out, X509_free);
172	*out = NULL;
173	ret = 0;
174	}
175
176	end:
177	OSSL_CMP_ITAV_free(itav);
178	return ret;
179	}
180
181	static int selfsigned_verify_cb(int ok, X509_STORE_CTX *store_ctx)
182	{
183	if (ok == 0
184	&& X509_STORE_CTX_get_error_depth(store_ctx) == 0
185	&& X509_STORE_CTX_get_error(store_ctx)
186	== X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) {
187	/* in this case, custom chain building */
188	int i;
189	STACK_OF(X509) *trust;
190	STACK_OF(X509) *chain = X509_STORE_CTX_get0_chain(store_ctx);
191	STACK_OF(X509) *untrusted = X509_STORE_CTX_get0_untrusted(store_ctx);
192	X509_STORE_CTX_check_issued_fn check_issued =
193	X509_STORE_CTX_get_check_issued(store_ctx);
194	X509 cert = sk_X509_value(chain, 0); / target cert */
195	X509 *issuer;
196
197	for (i = 0; i < sk_X509_num(untrusted); i++) {
198	cert = sk_X509_value(untrusted, i);
199	if (!X509_add_cert(chain, cert, X509_ADD_FLAG_UP_REF))
200	return 0;
201	}
202
203	trust = X509_STORE_get1_all_certs(X509_STORE_CTX_get0_store(store_ctx));
204	for (i = 0; i < sk_X509_num(trust); i++) {
205	issuer = sk_X509_value(trust, i);
206	if ((*check_issued)(store_ctx, cert, issuer)) {
207	if (X509_add_cert(chain, cert, X509_ADD_FLAG_UP_REF))
208	ok = 1;
209	break;
210	}
211	}
212	sk_X509_pop_free(trust, X509_free);
213	return ok;
214	} else {
215	X509_STORE *ts = X509_STORE_CTX_get0_store(store_ctx);
216	X509_STORE_CTX_verify_cb verify_cb;
217
218	if (ts == NULL \|\| (verify_cb = X509_STORE_get_verify_cb(ts)) == NULL)
219	return ok;
220	return (*verify_cb)(ok, store_ctx);
221	}
222	}
223
224	/* vanilla X509_verify_cert() does not support self-signed certs as target */
225	static int verify_ss_cert(OSSL_LIB_CTX libctx, const char propq,
226	X509_STORE ts, STACK_OF(X509) untrusted,
227	X509 *target)
228	{
229	X509_STORE_CTX *csc = NULL;
230	int ok = 0;
231
232	if (ts == NULL \|\| target == NULL) {
233	ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_NULL_PARAMETER);
234	return 0;
235	}
236
237	if ((csc = X509_STORE_CTX_new_ex(libctx, propq)) == NULL
238	\|\| !X509_STORE_CTX_init(csc, ts, target, untrusted))
239	goto err;
240	X509_STORE_CTX_set_verify_cb(csc, selfsigned_verify_cb);
241	ok = X509_verify_cert(csc) > 0;
242
243	err:
244	X509_STORE_CTX_free(csc);
245	return ok;
246	}
247
248	static int
249	verify_ss_cert_trans(OSSL_CMP_CTX ctx, X509 trusted /* may be NULL */,
250	X509 trans / the only untrusted cert, may be NULL */,
251	X509 target, const char desc)
252	{
253	X509_STORE *ts = OSSL_CMP_CTX_get0_trusted(ctx);
254	STACK_OF(X509) *untrusted = NULL;
255	int res = 0;
256
257	if (trusted != NULL) {
258	X509_VERIFY_PARAM *vpm = X509_STORE_get0_param(ts);
259
260	if ((ts = X509_STORE_new()) == NULL)
261	return 0;
262	if (!X509_STORE_set1_param(ts, vpm)
263	\|\| !X509_STORE_add_cert(ts, trusted))
264	goto err;
265	}
266
267	if (trans != NULL
268	&& !ossl_x509_add_cert_new(&untrusted, trans, X509_ADD_FLAG_UP_REF))
269	goto err;
270
271	res = verify_ss_cert(OSSL_CMP_CTX_get0_libctx(ctx),
272	OSSL_CMP_CTX_get0_propq(ctx),
273	ts, untrusted, target);
274	if (!res)
275	ERR_raise_data(ERR_LIB_CMP, CMP_R_INVALID_ROOTCAKEYUPDATE,
276	"failed to validate %s certificate received in genp %s",
277	desc, trusted == NULL ? "using trust store"
278	: "with given certificate as trust anchor");
279
280	err:
281	sk_X509_pop_free(untrusted, X509_free);
282	if (trusted != NULL)
283	X509_STORE_free(ts);
284	return res;
285	}
286
287	int OSSL_CMP_get1_rootCaKeyUpdate(OSSL_CMP_CTX *ctx,
288	const X509 oldWithOld, X509 *newWithNew,
289	X509 newWithOld, X509 oldWithNew)
290	{
291	X509 oldWithOld_copy = NULL, my_newWithOld, *my_oldWithNew;
292	OSSL_CMP_ITAV req, itav;
293	int res = 0;
294
295	if (newWithNew == NULL) {
296	ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_NULL_PARAMETER);
297	return 0;
298	}
299	*newWithNew = NULL;
300
301	if ((req = OSSL_CMP_ITAV_new_rootCaCert(oldWithOld)) == NULL)
302	return 0;
303	itav = get_genm_itav(ctx, req, NID_id_it_rootCaKeyUpdate, "rootCaKeyUpdate");
304	if (itav == NULL)
305	return 0;
306
307	if (!OSSL_CMP_ITAV_get0_rootCaKeyUpdate(itav, newWithNew,
308	&my_newWithOld, &my_oldWithNew))
309	goto end;
310	/* no root CA cert update available */
311	if (*newWithNew == NULL) {
312	res = 1;
313	goto end;
314	}
315	if ((oldWithOld_copy = X509_dup(oldWithOld)) == NULL && oldWithOld != NULL)
316	goto end;
317	if (!verify_ss_cert_trans(ctx, oldWithOld_copy, my_newWithOld,
318	*newWithNew, "newWithNew")) {
319	ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ROOTCAKEYUPDATE);
320	goto end;
321	}
322	if (oldWithOld != NULL && my_oldWithNew != NULL
323	&& !verify_ss_cert_trans(ctx, *newWithNew, my_oldWithNew,
324	oldWithOld_copy, "oldWithOld")) {
325	ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ROOTCAKEYUPDATE);
326	goto end;
327	}
328
329	if (!X509_up_ref(*newWithNew))
330	goto end;
331	if (newWithOld != NULL &&
332	(newWithOld = my_newWithOld) != NULL && !X509_up_ref(newWithOld))
333	goto free;
334	if (oldWithNew == NULL \|\|
335	(oldWithNew = my_oldWithNew) == NULL \|\| X509_up_ref(oldWithNew)) {
336	res = 1;
337	goto end;
338	}
339	if (newWithOld != NULL)
340	X509_free(*newWithOld);
341	free:
342	X509_free(*newWithNew);
343
344	end:
345	OSSL_CMP_ITAV_free(itav);
346	X509_free(oldWithOld_copy);
347	return res;
348	}
349
350	int OSSL_CMP_get1_crlUpdate(OSSL_CMP_CTX ctx, const X509 crlcert,
351	const X509_CRL *last_crl,
352	X509_CRL **crl)
353	{
354	OSSL_CMP_CRLSTATUS *status = NULL;
355	STACK_OF(OSSL_CMP_CRLSTATUS) *list = NULL;
356	OSSL_CMP_ITAV req = NULL, itav = NULL;
357	STACK_OF(X509_CRL) *crls = NULL;
358	int res = 0;
359
360	if (crl == NULL) {
361	ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
362	return 0;
363	}
364	*crl = NULL;
365
366	if ((status = OSSL_CMP_CRLSTATUS_create(last_crl, crlcert, 1)) == NULL) {
367	ERR_raise(ERR_LIB_CMP, CMP_R_GENERATE_CRLSTATUS);
368	goto end;
369	}
370	if ((list = sk_OSSL_CMP_CRLSTATUS_new_reserve(NULL, 1)) == NULL) {
371	ERR_raise(ERR_LIB_CMP, CMP_R_GENERATE_CRLSTATUS);
372	goto end;
373	}
374	(void)sk_OSSL_CMP_CRLSTATUS_push(list, status); /* cannot fail */
375
376	if ((req = OSSL_CMP_ITAV_new0_crlStatusList(list)) == NULL)
377	goto end;
378	status = NULL;
379	list = NULL;
380
381	if ((itav = get_genm_itav(ctx, req, NID_id_it_crls, "crl")) == NULL)
382	goto end;
383
384	if (!OSSL_CMP_ITAV_get0_crls(itav, &crls))
385	goto end;
386
387	if (crls == NULL) { /* no CRL update available */
388	res = 1;
389	goto end;
390	}
391	if (sk_X509_CRL_num(crls) != 1) {
392	ERR_raise_data(ERR_LIB_CMP, CMP_R_INVALID_GENP,
393	"Unexpected number of CRLs in genp: %d",
394	sk_X509_CRL_num(crls));
395	goto end;
396	}
397
398	if ((crl = sk_X509_CRL_value(crls, 0)) == NULL \|\| !X509_CRL_up_ref(crl)) {
399	*crl = NULL;
400	goto end;
401	}
402	res = 1;
403	end:
404	OSSL_CMP_CRLSTATUS_free(status);
405	sk_OSSL_CMP_CRLSTATUS_free(list);
406	OSSL_CMP_ITAV_free(itav);
407	return res;
408	}
409
410	int OSSL_CMP_get1_certReqTemplate(OSSL_CMP_CTX *ctx,
411	OSSL_CRMF_CERTTEMPLATE **certTemplate,
412	OSSL_CMP_ATAVS **keySpec)
413	{
414	OSSL_CMP_ITAV req, itav = NULL;
415	int res = 0;
416
417	if (keySpec != NULL)
418	*keySpec = NULL;
419	if (certTemplate == NULL) {
420	ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
421	return 0;
422	}
423	*certTemplate = NULL;
424
425	if ((req = OSSL_CMP_ITAV_new0_certReqTemplate(NULL, NULL)) == NULL) {
426	ERR_raise(ERR_LIB_CMP, CMP_R_GENERATE_CERTREQTEMPLATE);
427	return 0;
428	}
429
430	if ((itav = get_genm_itav(ctx, req, NID_id_it_certReqTemplate,
431	"certReqTemplate")) == NULL)
432	return 0;
433
434	if (!OSSL_CMP_ITAV_get1_certReqTemplate(itav, certTemplate, keySpec))
435	goto end;
436
437	res = 1;
438	end:
439	OSSL_CMP_ITAV_free(itav);
440	return res;
441	}

Note: See TracBrowser for help on using the repository browser.

source: vbox/trunk/src/libs/openssl-3.4.1/crypto/cmp/cmp_genm.c

Download in other formats: