2 * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright Nokia 2007-2019
4 * Copyright Siemens AG 2015-2019
58 static OSSL_CMP_CTX *cmp_ctx = NULL; /* the client-side CMP context */
79 static int opt_msg_timeout = -1;
80 static int opt_total_timeout = -1;
106 static int opt_cmd = -1;
123 static int opt_popo = OSSL_CRMF_POPO_NONE - 1;
154 /* client-side debugging */
267 {"help", OPT_HELP, '-', "Display this summary"},
291 "For kur, default is subject of -csr arg or reference cert (see -oldcert)"},
297 "also used as recipient if neither -recipient nor -srvcert are given"},
303 "Augments or replaces any extensions contained CSR given with -csr"},
306 {"san_nodefault", OPT_SAN_NODEFAULT, '-',
307 "Do not take default SANs from reference certificate (see -oldcert)"},
312 {"policy_oids_critical", OPT_POLICY_OIDS_CRITICAL, '-',
313 "Flag the policy OID(s) given with -policy_oids as critical"},
315 "Proof-of-Possession (POPO) method to use for ir/cr/kur where"},
317 "-1 = NONE, 0 = RAVERIFIED, 1 = SIGNATURE (default), 2 = KEYENC"},
322 {"implicit_confirm", OPT_IMPLICIT_CONFIRM, '-',
324 {"disable_confirm", OPT_DISABLE_CONFIRM, '-',
336 "Certificate to be updated (defaulting to -cert) or to be revoked in rr;"},
338 "also used as reference (defaulting to -cert) for subject DN and SANs."},
340 "Issuer is used as recipient unless -recipient, -srvcert, or -issuer given"},
344 "0..6, 8..10 (see RFC5280, 5.3.1) or -1. Default -1 = none included"},
349 "NOTE: -server, -proxy, and -no_proxy not supported due to no-sock build"},
354 "address may be a DNS name or an IP address; path can be overridden by -path"},
363 "DN of CA. Default: subject of -srvcert, -issuer, issuer of -oldcert or -cert"},
365 "HTTP path (aka CMP alias) at the CMP server. Default from -server, else \"/\""},
376 {OPT_MORE_STR, 0, 0, "unless -srvcert is given"},
382 "DN of expected sender of responses. Defaults to subject of -srvcert, if any"},
383 {"ignore_keyusage", OPT_IGNORE_KEYUSAGE, '-',
385 {"unprotected_errors", OPT_UNPROTECTED_ERRORS, '-',
398 "Reference value to use as senderKID in case no -cert is given"},
402 "Client's CMP signer certificate; its public key must match the -key argument"},
409 {"key", OPT_KEY, 's', "CMP signer private key, not used when -secret given"},
415 "MAC algorithm to use in PBM-based message protection. Default \"hmac-sha1\""},
420 {"unprotected_requests", OPT_UNPROTECTED_REQUESTS, '-',
421 "Send request messages without CMP-level protection"},
427 "Format of the key input (ENGINE, other values ignored)"},
431 {"engine", OPT_ENGINE, 's',
432 "Use crypto engine with given identifier, possibly a hardware device."},
434 "Engines may also be defined in OpenSSL config file engine section."},
442 "NOTE: -tls_used and all other TLS options not supported due to no-sock build"},
444 {"tls_used", OPT_TLS_USED, '-',
458 "Address to be checked (rather than -server) during TLS host name validation"},
461 OPT_SECTION("Client-side debugging"),
462 {"batch", OPT_BATCH, '-',
468 {"reqin_new_tid", OPT_REQIN_NEW_TID, '-',
469 "Use fresh transactionID for CMP requests read from -reqin"},
477 {"use_mock_srv", OPT_USE_MOCK_SRV, '-',
478 "Use internal mock server at API level, bypassing socket-based HTTP"},
483 "NOTE: -port and -max_msgs not supported due to no-sock build"},
486 "Act as HTTP-based mock server listening on given port"},
492 "Reference value to use as senderKID of server in case no -srv_cert is given"},
494 "Password source for server authentication with a pre-shared key (secret)"},
515 {"grant_implicitconf", OPT_GRANT_IMPLICITCONF, '-',
523 "Number representing failure bits to include in server response, 0..2^27 - 1"},
526 {"send_error", OPT_SEND_ERROR, '-',
528 {"send_unprotected", OPT_SEND_UNPROTECTED, '-',
529 "Send response messages without CMP-level protection"},
530 {"send_unprot_err", OPT_SEND_UNPROT_ERR, '-',
536 {"accept_unprotected", OPT_ACCEPT_UNPROTECTED, '-',
538 {"accept_unprot_err", OPT_ACCEPT_UNPROT_ERR, '-',
540 {"accept_raverified", OPT_ACCEPT_RAVERIFIED, '-',
541 "Accept RAVERIFIED as proof-of-possession (POPO)"},
673 const char *pass, ENGINE *eng, const char *desc) in load_key_pwd()
713 CMP_warn("error while verifying CSR self-signature"); in load_csr_autofmt()
715 CMP_warn("CSR self-signature does not match the contents"); in load_csr_autofmt()
737 /* write OSSL_CMP_MSG DER-encoded to the specified file name item */
760 /* read DER-encoded OSSL_CMP_MSG from the specified file name item */
786 /*-
797 OSSL_CMP_PKIHEADER *hdr; in read_write_req_resp() local
806 /*- in read_write_req_resp()
809 * The following workaround unfortunately requires re-protection. in read_write_req_resp()
817 * Unfortunately requires re-protection if protection is required. in read_write_req_resp()
830 CMP_warn("too few -rspin filename arguments; resorting to using mock server"); in read_write_req_resp()
835 … CMP_err("missing -server or -use_mock_srv option, or too few -rspin filename arguments"); in read_write_req_resp()
839 CMP_warn("too few -rspin filename arguments; resorting to contacting server"); in read_write_req_resp()
842 …CMP_err("-server not supported on no-sock build; missing -use_mock_srv option or too few -rspin fi… in read_write_req_resp()
855 hdr = OSSL_CMP_MSG_get0_header(res); in read_write_req_resp()
856 nonce = OSSL_CMP_HDR_get0_recipNonce(hdr); in read_write_req_resp()
857 tid = OSSL_CMP_HDR_get0_transactionID(hdr); in read_write_req_resp()
1020 static OSSL_CMP_SRV_CTX *setup_srv_ctx(ENGINE *engine) in setup_srv_ctx() argument
1033 CMP_err("must give -srv_ref for mock server if no -srv_cert given"); in setup_srv_ctx()
1055 …CMP_err("server credentials (-srv_secret or -srv_cert) must be given if -use_mock_srv or -port is … in setup_srv_ctx()
1058 …CMP_warn("server will not be able to handle PBM-protected requests since -srv_secret is not given"… in setup_srv_ctx()
1063 CMP_err("must give both -srv_cert and -srv_key options or neither"); in setup_srv_ctx()
1079 engine, "private key for mock server cert"); in setup_srv_ctx()
1098 …CMP_warn("mock server will not be able to handle signature-protected requests since -srv_trusted i… in setup_srv_ctx()
1106 CMP_warn("no -rsp_cert given for mock server"); in setup_srv_ctx()
1134 CMP_err1("-failure out of range, should be >= 0 and <= %d", in setup_srv_ctx()
1139 CMP_warn("-failurebits overrides -failure"); in setup_srv_ctx()
1144 CMP_err("-failurebits out of range"); in setup_srv_ctx()
1189 CMP_warn("-trusted option is ignored since -srvcert option is present"); in setup_verification_ctx()
1193 CMP_warn("-recipient option is ignored since -srvcert option is present"); in setup_verification_ctx()
1231 /* ignore any -attime here, new certs are current anyway */ in setup_verification_ctx()
1253 ENGINE *engine) in setup_ssl_ctx() argument
1356 engine, "TLS client private key"); in setup_ssl_ctx()
1400 static int setup_protection_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) in setup_protection_ctx() argument
1403 CMP_err("must give -key or -secret unless -unprotected_requests is used"); in setup_protection_ctx()
1409 CMP_err("must give -ref if no -cert and no -subject given"); in setup_protection_ctx()
1413 CMP_err("must give both -cert and -key options or neither"); in setup_protection_ctx()
1430 CMP_warn("-cert and -key not used for protection since -secret is given"); in setup_protection_ctx()
1438 EVP_PKEY *pkey = load_key_pwd(opt_key, opt_keyform, opt_keypass, engine, in setup_protection_ctx()
1448 CMP_warn("will not authenticate server due to missing -secret, -trusted, or -srvcert"); in setup_protection_ctx()
1478 CMP_warn("-own_trusted option is ignored without -cert"); in setup_protection_ctx()
1519 static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) in setup_request_ctx() argument
1528 CMP_warn("no -subject given; no -csr or -oldcert or -cert available for fallback"); in setup_request_ctx()
1533 …CMP_err("missing -newkey (or -key) to be certified and no -csr, -oldcert, or -cert given for fallb… in setup_request_ctx()
1540 …CMP_err1("no -newkey option given with private key for POPO, -csr option only provides public key%… in setup_request_ctx()
1542 ", and -key option superseded by by -csr"); in setup_request_ctx()
1546 CMP_err("missing -newkey (or -key) option for POPO"); in setup_request_ctx()
1551 CMP_err("-certout not given, nowhere to save newly enrolled certificate"); in setup_request_ctx()
1566 CMP_warn1("-subject %s since -ref or -cert is given", msg); in setup_request_ctx()
1570 CMP_warn1("-issuer %s", msg); in setup_request_ctx()
1572 CMP_warn1("-reqexts %s", msg); in setup_request_ctx()
1574 CMP_warn1("-san_nodefault %s", msg); in setup_request_ctx()
1576 CMP_warn1("-sans %s", msg); in setup_request_ctx()
1578 CMP_warn1("-policies %s", msg); in setup_request_ctx()
1580 CMP_warn1("-policy_oids %s", msg); in setup_request_ctx()
1586 CMP_err("missing -oldcert for certificate to be updated and no -csr given"); in setup_request_ctx()
1590 CMP_warn2("given -subject '%s' overrides the subject of '%s' for KUR", in setup_request_ctx()
1595 CMP_err("missing -oldcert for certificate to be revoked and no -csr given"); in setup_request_ctx()
1599 CMP_warn("ignoring -csr since certificate to be revoked is given"); in setup_request_ctx()
1608 …CMP_warn("missing -recipient, -srvcert, -issuer, -oldcert or -cert; recipient will be set to \"NUL… in setup_request_ctx()
1614 CMP_warn1("-newkeytype %s", msg); in setup_request_ctx()
1616 CMP_warn1("-newkey %s", msg); in setup_request_ctx()
1618 CMP_warn1("-days %s", msg); in setup_request_ctx()
1619 if (opt_popo != OSSL_CRMF_POPO_NONE - 1) in setup_request_ctx()
1620 CMP_warn1("-popo %s", msg); in setup_request_ctx()
1631 pkey = load_key_pwd(file, format, pass, engine, desc); in setup_request_ctx()
1638 pkey = load_pubkey(file, format, 0, pass, engine, desc); in setup_request_ctx()
1656 CMP_err("cannot have policies both via -policies and via -policy_oids"); in setup_request_ctx()
1662 CMP_warn("-csr option is ignored for command 'genm'"); in setup_request_ctx()
1693 CMP_err("cannot have Subject Alternative Names both via -reqexts and via -sans"); in setup_request_ctx()
1701 CMP_warn("-opt_san_nodefault has no effect when -sans is used"); in setup_request_ctx()
1708 CMP_warn("-opt_policy_oids_critical has no effect unless -policy_oids is given"); in setup_request_ctx()
1726 pinfo->policyid = policy; in setup_request_ctx()
1741 CMP_warn("-oldcert option is ignored for command 'genm'"); in setup_request_ctx()
1787 CMP_err("missing ':' in -geninfo option"); in handle_opt_geninfo()
1794 CMP_err("missing 'int:' in -geninfo option"); in handle_opt_geninfo()
1801 CMP_err("cannot parse int in -geninfo option"); in handle_opt_geninfo()
1807 CMP_err("cannot parse OID in -geninfo option"); in handle_opt_geninfo()
1840 * set up the client-side OSSL_CMP_CTX based on options from config file/CLI
1845 static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) in setup_client_ctx() argument
1857 if (!opt_use_mock_srv && opt_rspin == NULL) { /* note: -port is not given */ in setup_client_ctx()
1860 CMP_err("missing -server or -use_mock_srv or -rspin option"); in setup_client_ctx()
1864 …CMP_err("missing -use_mock_srv or -rspin option; -server option is not supported due to no-sock bu… in setup_client_ctx()
1871 CMP_warn("ignoring -proxy option since -server is not given"); in setup_client_ctx()
1873 CMP_warn("ignoring -no_proxy option since -server is not given"); in setup_client_ctx()
1875 CMP_warn("ignoring -tls_used option since -server is not given"); in setup_client_ctx()
1882 CMP_err1("cannot parse -server URL: %s", opt_server); in setup_client_ctx()
1886 CMP_err("missing -tls_used option since -server URL indicates https"); in setup_client_ctx()
1917 char id_buf[100] = "id-it-"; in setup_client_ctx()
1919 strncat(id_buf, opt_infotype_s, sizeof(id_buf) - strlen(id_buf) - 1); in setup_client_ctx()
1921 CMP_err("unknown OID name in -infotype option"); in setup_client_ctx()
1934 CMP_err2("-total_timeout argument = %d must not be < %d (-msg_timeout)", in setup_client_ctx()
1948 CMP_warn("-reqin is ignored since -rspin is present"); in setup_client_ctx()
1951 CMP_warn("-reqin_new_tid is ignored since -reqin is not present"); in setup_client_ctx()
1963 CMP_err("missing -tls_key option"); in setup_client_ctx()
1966 CMP_err("missing -tls_cert option"); in setup_client_ctx()
1974 info->ssl_ctx = setup_ssl_ctx(ctx, host, engine); in setup_client_ctx()
1975 info->server = host; in setup_client_ctx()
1977 if ((info->port = OPENSSL_strdup(server_port)) == NULL) in setup_client_ctx()
1980 info->use_proxy = proxy_host != NULL; in setup_client_ctx()
1981 info->timeout = OSSL_CMP_CTX_get_option(ctx, OSSL_CMP_OPT_MSG_TIMEOUT); in setup_client_ctx()
1983 if (info->ssl_ctx == NULL) in setup_client_ctx()
1989 if (!setup_protection_ctx(ctx, engine)) in setup_client_ctx()
1992 if (!setup_request_ctx(ctx, engine)) in setup_client_ctx()
2006 "only if -rspin argument gives too few filenames", in setup_client_ctx()
2045 * Returns number of written certificates on success, -1 on error.
2059 CMP_warn("saving more than one certificate in non-PEM format"); in save_free_certs()
2064 n = -1; in save_free_certs()
2071 n = -1; in save_free_certs()
2107 /* get previous name from a comma or space-separated list of names */
2117 --beg; in prev_item()
2123 len = end - beg; in prev_item()
2132 --beg; in prev_item()
2141 /* get str value for name from a comma-separated hierarchy of config sections */
2156 /* get long val for name from a comma-separated hierarchy of config sections */
2186 int start_opt = OPT_VERBOSITY - OPT_HELP; in read_config()
2187 int start_idx = OPT_VERBOSITY - 2; in read_config()
2192 int n_options = OSSL_NELEM(cmp_options) - 1; in read_config()
2195 opt->name != NULL; i++, opt++) in read_config()
2196 if (!strcmp(opt->name, OPT_SECTION_STR) in read_config()
2197 || !strcmp(opt->name, OPT_MORE_STR)) in read_config()
2198 n_options--; in read_config()
2200 + OPT_PROV__FIRST + 1 - OPT_PROV__LAST in read_config()
2201 + OPT_R__FIRST + 1 - OPT_R__LAST in read_config()
2202 + OPT_V__FIRST + 1 - OPT_V__LAST); in read_config()
2204 opt->name != NULL; i++, opt++) { in read_config()
2205 int provider_option = (OPT_PROV__FIRST <= opt->retval in read_config()
2206 && opt->retval < OPT_PROV__LAST); in read_config()
2207 int rand_state_option = (OPT_R__FIRST <= opt->retval in read_config()
2208 && opt->retval < OPT_R__LAST); in read_config()
2209 int verification_option = (OPT_V__FIRST <= opt->retval in read_config()
2210 && opt->retval < OPT_V__LAST); in read_config()
2212 if (strcmp(opt->name, OPT_SECTION_STR) == 0 in read_config()
2213 || strcmp(opt->name, OPT_MORE_STR) == 0) { in read_config()
2214 i--; in read_config()
2218 i--; in read_config()
2219 switch (opt->valtype) { in read_config()
2220 case '-': in read_config()
2225 if (!conf_get_number_e(conf, opt_section, opt->name, &num)) { in read_config()
2229 if (opt->valtype == 'p' && num <= 0) { in read_config()
2230 opt_printf_stderr("Non-positive number \"%ld\" for config option -%s\n", in read_config()
2231 num, opt->name); in read_config()
2232 return -1; in read_config()
2234 if (opt->valtype == 'N' && num < 0) { in read_config()
2235 opt_printf_stderr("Negative number \"%ld\" for config option -%s\n", in read_config()
2236 num, opt->name); in read_config()
2237 return -1; in read_config()
2243 txt = conf_get_string(conf, opt_section, opt->name); in read_config()
2251 opt->valtype, opt->name); in read_config()
2260 BIO_snprintf(arg1, 81, "-%s", (char *)opt->name); in read_config()
2263 if (opt->valtype == '-') { in read_config()
2268 conf_argv[2] = conf_get_string(conf, opt_section, opt->name); in read_config()
2278 opt->name, opt_section); in read_config()
2283 switch (opt->valtype) { in read_config()
2284 case '-': in read_config()
2291 opt->name); in read_config()
2319 } else if (arg[0] == '-') { in opt_str()
2325 /* returns 1 on success, 0 on error, -1 on -help (i.e., stop with success) */
2337 BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); in get_opts()
2341 return -1; in get_opts()
2369 CMP_err("-keep_alive argument must be 0, 1, or 2"); in get_opts()
2510 CMP_err("invalid popo spec. Valid values are -1 .. 2"); in get_opts()
2540 CMP_err("invalid revreason. Valid values are -1 .. 6, 8 .. 10"); in get_opts()
2709 if (ret++ == -1) /* fatal error */ in cmp_server()
2792 ENGINE *engine = NULL; in cmp_main() local
2803 * handle options -config, -section, and -verbosity upfront in cmp_main()
2806 for (i = 1; i < argc - 1; i++) { in cmp_main()
2807 if (*argv[i] == '-') { in cmp_main()
2808 if (!strcmp(argv[i] + 1, cmp_options[OPT_CONFIG - OPT_HELP].name)) in cmp_main()
2811 cmp_options[OPT_SECTION - OPT_HELP].name)) in cmp_main()
2814 cmp_options[OPT_VERBOSITY - OPT_HELP].name) == 0 in cmp_main()
2830 if (configfile != NULL && configfile[0] != '\0' /* non-empty string */ in cmp_main()
2831 && (configfile != default_config_file || access(configfile, F_OK) != -1)) { in cmp_main()
2855 ret = -1; in cmp_main()
2857 if (ret == -1) in cmp_main()
2858 BIO_printf(bio_err, "Use -help for summary.\n"); in cmp_main()
2876 engine = setup_engine_methods(opt_engine, 0 /* not: ENGINE_METHOD_ALL */, 0); in cmp_main()
2877 if (engine == NULL) { in cmp_main()
2878 CMP_err1("cannot load engine %s", opt_engine); in cmp_main()
2897 CMP_warn("Ingnoring TLS options(s) since -tls_used is not given"); in cmp_main()
2900 CMP_err("-tls_used option not supported with -port option"); in cmp_main()
2904 CMP_err("The -port option excludes -server and -use_mock_srv"); in cmp_main()
2908 CMP_err("The -port option does not support -reqin and -reqout"); in cmp_main()
2912 CMP_err("The -port option does not support -rspin and -rspout"); in cmp_main()
2917 CMP_err("cannot use both -server and -use_mock_srv options"); in cmp_main()
2929 if ((srv_ctx = setup_srv_ctx(engine)) == NULL) in cmp_main()
2942 CMP_warn("ignoring -tls_used option since -use_mock_srv is given or -server is not given"); in cmp_main()
2955 CMP_warn("-server option is not used if enough filenames given for -rspin"); in cmp_main()
2957 CMP_warn("-use_mock_srv option is not used if enough filenames given for -rspin"); in cmp_main()
2961 if (!setup_client_ctx(cmp_ctx, engine)) { in cmp_main()
3071 OPENSSL_free((char *)info->server); in cmp_main()
3072 OPENSSL_free((char *)info->port); in cmp_main()
3078 release_engine(engine); in cmp_main()
3083 return ret == 0 ? EXIT_FAILURE : EXIT_SUCCESS; /* ret == -1 for -help */ in cmp_main()