1 /*
2 * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright Nokia 2007-2019
4 * Copyright Siemens AG 2015-2019
5 *
6 * Licensed under the Apache License 2.0 (the "License"). You may not use
7 * this file except in compliance with the License. You can obtain a copy
8 * in the file LICENSE in the source distribution or at
9 * https://www.openssl.org/source/license.html
10 */
11
12 #include <openssl/trace.h>
13 #include <openssl/bio.h>
14 #include <openssl/ocsp.h> /* for OCSP_REVOKED_STATUS_* */
15
16 #include "cmp_local.h"
17
18 /* explicit #includes not strictly needed since implied by the above: */
19 #include <openssl/cmp.h>
20 #include <openssl/crmf.h>
21 #include <openssl/err.h>
22
23 /*
24 * Get current certificate store containing trusted root CA certs
25 */
OSSL_CMP_CTX_get0_trustedStore(const OSSL_CMP_CTX * ctx)26 X509_STORE *OSSL_CMP_CTX_get0_trustedStore(const OSSL_CMP_CTX *ctx)
27 {
28 if (ctx == NULL) {
29 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
30 return NULL;
31 }
32 return ctx->trusted;
33 }
34
35 /*
36 * Set certificate store containing trusted (root) CA certs and possibly CRLs
37 * and a cert verification callback function used for CMP server authentication.
38 * Any already existing store entry is freed. Given NULL, the entry is reset.
39 */
OSSL_CMP_CTX_set0_trustedStore(OSSL_CMP_CTX * ctx,X509_STORE * store)40 int OSSL_CMP_CTX_set0_trustedStore(OSSL_CMP_CTX *ctx, X509_STORE *store)
41 {
42 if (ctx == NULL) {
43 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
44 return 0;
45 }
46 X509_STORE_free(ctx->trusted);
47 ctx->trusted = store;
48 return 1;
49 }
50
51 /* Get current list of non-trusted intermediate certs */
STACK_OF(X509)52 STACK_OF(X509) *OSSL_CMP_CTX_get0_untrusted(const OSSL_CMP_CTX *ctx)
53 {
54 if (ctx == NULL) {
55 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
56 return NULL;
57 }
58 return ctx->untrusted;
59 }
60
61 /*
62 * Set untrusted certificates for path construction in authentication of
63 * the CMP server and potentially others (TLS server, newly enrolled cert).
64 */
OSSL_CMP_CTX_set1_untrusted(OSSL_CMP_CTX * ctx,STACK_OF (X509)* certs)65 int OSSL_CMP_CTX_set1_untrusted(OSSL_CMP_CTX *ctx, STACK_OF(X509) *certs)
66 {
67 STACK_OF(X509) *untrusted = NULL;
68
69 if (ctx == NULL) {
70 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
71 return 0;
72 }
73 if (!ossl_x509_add_certs_new(&untrusted, certs,
74 X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP))
75 goto err;
76 sk_X509_pop_free(ctx->untrusted, X509_free);
77 ctx->untrusted = untrusted;
78 return 1;
79 err:
80 sk_X509_pop_free(untrusted, X509_free);
81 return 0;
82 }
83
cmp_ctx_set_md(OSSL_CMP_CTX * ctx,EVP_MD ** pmd,int nid)84 static int cmp_ctx_set_md(OSSL_CMP_CTX *ctx, EVP_MD **pmd, int nid)
85 {
86 EVP_MD *md = EVP_MD_fetch(ctx->libctx, OBJ_nid2sn(nid), ctx->propq);
87 /* fetching in advance to be able to throw error early if unsupported */
88
89 if (md == NULL) {
90 ERR_raise(ERR_LIB_CMP, CMP_R_UNSUPPORTED_ALGORITHM);
91 return 0;
92 }
93 EVP_MD_free(*pmd);
94 *pmd = md;
95 return 1;
96 }
97
98 /*
99 * Allocates and initializes OSSL_CMP_CTX context structure with default values.
100 * Returns new context on success, NULL on error
101 */
OSSL_CMP_CTX_new(OSSL_LIB_CTX * libctx,const char * propq)102 OSSL_CMP_CTX *OSSL_CMP_CTX_new(OSSL_LIB_CTX *libctx, const char *propq)
103 {
104 OSSL_CMP_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
105
106 if (ctx == NULL)
107 goto err;
108
109 ctx->libctx = libctx;
110 if (propq != NULL && (ctx->propq = OPENSSL_strdup(propq)) == NULL)
111 goto oom;
112
113 ctx->log_verbosity = OSSL_CMP_LOG_INFO;
114
115 ctx->status = OSSL_CMP_PKISTATUS_unspecified;
116 ctx->failInfoCode = -1;
117
118 ctx->keep_alive = 1;
119 ctx->msg_timeout = -1;
120
121 if ((ctx->untrusted = sk_X509_new_null()) == NULL)
122 goto oom;
123
124 ctx->pbm_slen = 16;
125 if (!cmp_ctx_set_md(ctx, &ctx->pbm_owf, NID_sha256))
126 goto err;
127 ctx->pbm_itercnt = 500;
128 ctx->pbm_mac = NID_hmac_sha1;
129
130 if (!cmp_ctx_set_md(ctx, &ctx->digest, NID_sha256))
131 goto err;
132 ctx->popoMethod = OSSL_CRMF_POPO_SIGNATURE;
133 ctx->revocationReason = CRL_REASON_NONE;
134
135 /* all other elements are initialized to 0 or NULL, respectively */
136 return ctx;
137
138 oom:
139 ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE);
140 err:
141 OSSL_CMP_CTX_free(ctx);
142 return NULL;
143 }
144
145 #define OSSL_CMP_ITAVs_free(itavs) \
146 sk_OSSL_CMP_ITAV_pop_free(itavs, OSSL_CMP_ITAV_free);
147 #define X509_EXTENSIONS_free(exts) \
148 sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free)
149 #define OSSL_CMP_PKIFREETEXT_free(text) \
150 sk_ASN1_UTF8STRING_pop_free(text, ASN1_UTF8STRING_free)
151
152 /* Prepare the OSSL_CMP_CTX for next use, partly re-initializing OSSL_CMP_CTX */
OSSL_CMP_CTX_reinit(OSSL_CMP_CTX * ctx)153 int OSSL_CMP_CTX_reinit(OSSL_CMP_CTX *ctx)
154 {
155 if (ctx == NULL) {
156 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
157 return 0;
158 }
159
160 if (ctx->http_ctx != NULL) {
161 (void)OSSL_HTTP_close(ctx->http_ctx, 1);
162 ossl_cmp_debug(ctx, "disconnected from CMP server");
163 ctx->http_ctx = NULL;
164 }
165 ctx->status = OSSL_CMP_PKISTATUS_unspecified;
166 ctx->failInfoCode = -1;
167
168 OSSL_CMP_ITAVs_free(ctx->genm_ITAVs);
169 ctx->genm_ITAVs = NULL;
170
171 return ossl_cmp_ctx_set0_statusString(ctx, NULL)
172 && ossl_cmp_ctx_set0_newCert(ctx, NULL)
173 && ossl_cmp_ctx_set1_newChain(ctx, NULL)
174 && ossl_cmp_ctx_set1_caPubs(ctx, NULL)
175 && ossl_cmp_ctx_set1_extraCertsIn(ctx, NULL)
176 && ossl_cmp_ctx_set0_validatedSrvCert(ctx, NULL)
177 && OSSL_CMP_CTX_set1_transactionID(ctx, NULL)
178 && OSSL_CMP_CTX_set1_senderNonce(ctx, NULL)
179 && ossl_cmp_ctx_set1_recipNonce(ctx, NULL);
180 }
181
182 /* Frees OSSL_CMP_CTX variables allocated in OSSL_CMP_CTX_new() */
OSSL_CMP_CTX_free(OSSL_CMP_CTX * ctx)183 void OSSL_CMP_CTX_free(OSSL_CMP_CTX *ctx)
184 {
185 if (ctx == NULL)
186 return;
187
188 if (ctx->http_ctx != NULL) {
189 (void)OSSL_HTTP_close(ctx->http_ctx, 1);
190 ossl_cmp_debug(ctx, "disconnected from CMP server");
191 }
192 OPENSSL_free(ctx->propq);
193 OPENSSL_free(ctx->serverPath);
194 OPENSSL_free(ctx->server);
195 OPENSSL_free(ctx->proxy);
196 OPENSSL_free(ctx->no_proxy);
197
198 X509_free(ctx->srvCert);
199 X509_free(ctx->validatedSrvCert);
200 X509_NAME_free(ctx->expected_sender);
201 X509_STORE_free(ctx->trusted);
202 sk_X509_pop_free(ctx->untrusted, X509_free);
203
204 X509_free(ctx->cert);
205 sk_X509_pop_free(ctx->chain, X509_free);
206 EVP_PKEY_free(ctx->pkey);
207 ASN1_OCTET_STRING_free(ctx->referenceValue);
208 if (ctx->secretValue != NULL)
209 OPENSSL_cleanse(ctx->secretValue->data, ctx->secretValue->length);
210 ASN1_OCTET_STRING_free(ctx->secretValue);
211 EVP_MD_free(ctx->pbm_owf);
212
213 X509_NAME_free(ctx->recipient);
214 EVP_MD_free(ctx->digest);
215 ASN1_OCTET_STRING_free(ctx->transactionID);
216 ASN1_OCTET_STRING_free(ctx->senderNonce);
217 ASN1_OCTET_STRING_free(ctx->recipNonce);
218 sk_OSSL_CMP_ITAV_pop_free(ctx->geninfo_ITAVs, OSSL_CMP_ITAV_free);
219 sk_X509_pop_free(ctx->extraCertsOut, X509_free);
220
221 EVP_PKEY_free(ctx->newPkey);
222 X509_NAME_free(ctx->issuer);
223 X509_NAME_free(ctx->subjectName);
224 sk_GENERAL_NAME_pop_free(ctx->subjectAltNames, GENERAL_NAME_free);
225 sk_X509_EXTENSION_pop_free(ctx->reqExtensions, X509_EXTENSION_free);
226 sk_POLICYINFO_pop_free(ctx->policies, POLICYINFO_free);
227 X509_free(ctx->oldCert);
228 X509_REQ_free(ctx->p10CSR);
229
230 sk_OSSL_CMP_ITAV_pop_free(ctx->genm_ITAVs, OSSL_CMP_ITAV_free);
231
232 sk_ASN1_UTF8STRING_pop_free(ctx->statusString, ASN1_UTF8STRING_free);
233 X509_free(ctx->newCert);
234 sk_X509_pop_free(ctx->newChain, X509_free);
235 sk_X509_pop_free(ctx->caPubs, X509_free);
236 sk_X509_pop_free(ctx->extraCertsIn, X509_free);
237
238 OPENSSL_free(ctx);
239 }
240
ossl_cmp_ctx_set_status(OSSL_CMP_CTX * ctx,int status)241 int ossl_cmp_ctx_set_status(OSSL_CMP_CTX *ctx, int status)
242 {
243 if (!ossl_assert(ctx != NULL))
244 return 0;
245 ctx->status = status;
246 return 1;
247 }
248
249 /*
250 * Returns the PKIStatus from the last CertRepMessage
251 * or Revocation Response or error message, -1 on error
252 */
OSSL_CMP_CTX_get_status(const OSSL_CMP_CTX * ctx)253 int OSSL_CMP_CTX_get_status(const OSSL_CMP_CTX *ctx)
254 {
255 if (ctx == NULL) {
256 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
257 return -1;
258 }
259 return ctx->status;
260 }
261
262 /*
263 * Returns the statusString from the last CertRepMessage
264 * or Revocation Response or error message, NULL on error
265 */
OSSL_CMP_CTX_get0_statusString(const OSSL_CMP_CTX * ctx)266 OSSL_CMP_PKIFREETEXT *OSSL_CMP_CTX_get0_statusString(const OSSL_CMP_CTX *ctx)
267 {
268 if (ctx == NULL) {
269 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
270 return NULL;
271 }
272 return ctx->statusString;
273 }
274
ossl_cmp_ctx_set0_statusString(OSSL_CMP_CTX * ctx,OSSL_CMP_PKIFREETEXT * text)275 int ossl_cmp_ctx_set0_statusString(OSSL_CMP_CTX *ctx,
276 OSSL_CMP_PKIFREETEXT *text)
277 {
278 if (!ossl_assert(ctx != NULL))
279 return 0;
280 sk_ASN1_UTF8STRING_pop_free(ctx->statusString, ASN1_UTF8STRING_free);
281 ctx->statusString = text;
282 return 1;
283 }
284
ossl_cmp_ctx_set0_validatedSrvCert(OSSL_CMP_CTX * ctx,X509 * cert)285 int ossl_cmp_ctx_set0_validatedSrvCert(OSSL_CMP_CTX *ctx, X509 *cert)
286 {
287 if (!ossl_assert(ctx != NULL))
288 return 0;
289 X509_free(ctx->validatedSrvCert);
290 ctx->validatedSrvCert = cert;
291 return 1;
292 }
293
294 /* Set callback function for checking if the cert is ok or should be rejected */
OSSL_CMP_CTX_set_certConf_cb(OSSL_CMP_CTX * ctx,OSSL_CMP_certConf_cb_t cb)295 int OSSL_CMP_CTX_set_certConf_cb(OSSL_CMP_CTX *ctx, OSSL_CMP_certConf_cb_t cb)
296 {
297 if (ctx == NULL) {
298 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
299 return 0;
300 }
301 ctx->certConf_cb = cb;
302 return 1;
303 }
304
305 /*
306 * Set argument, respectively a pointer to a structure containing arguments,
307 * optionally to be used by the certConf callback.
308 */
OSSL_CMP_CTX_set_certConf_cb_arg(OSSL_CMP_CTX * ctx,void * arg)309 int OSSL_CMP_CTX_set_certConf_cb_arg(OSSL_CMP_CTX *ctx, void *arg)
310 {
311 if (ctx == NULL) {
312 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
313 return 0;
314 }
315 ctx->certConf_cb_arg = arg;
316 return 1;
317 }
318
319 /*
320 * Get argument, respectively the pointer to a structure containing arguments,
321 * optionally to be used by certConf callback.
322 * Returns callback argument set previously (NULL if not set or on error)
323 */
OSSL_CMP_CTX_get_certConf_cb_arg(const OSSL_CMP_CTX * ctx)324 void *OSSL_CMP_CTX_get_certConf_cb_arg(const OSSL_CMP_CTX *ctx)
325 {
326 if (ctx == NULL) {
327 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
328 return NULL;
329 }
330 return ctx->certConf_cb_arg;
331 }
332
333 #ifndef OPENSSL_NO_TRACE
ossl_cmp_log_trace_cb(const char * buf,size_t cnt,int category,int cmd,void * vdata)334 static size_t ossl_cmp_log_trace_cb(const char *buf, size_t cnt,
335 int category, int cmd, void *vdata)
336 {
337 OSSL_CMP_CTX *ctx = vdata;
338 const char *msg;
339 OSSL_CMP_severity level = -1;
340 char *func = NULL;
341 char *file = NULL;
342 int line = 0;
343
344 if (buf == NULL || cnt == 0 || cmd != OSSL_TRACE_CTRL_WRITE || ctx == NULL)
345 return 0;
346 if (ctx->log_cb == NULL)
347 return 1; /* silently drop message */
348
349 msg = ossl_cmp_log_parse_metadata(buf, &level, &func, &file, &line);
350
351 if (level > ctx->log_verbosity) /* excludes the case level is unknown */
352 goto end; /* suppress output since severity is not sufficient */
353
354 if (!ctx->log_cb(func != NULL ? func : "(no func)",
355 file != NULL ? file : "(no file)",
356 line, level, msg))
357 cnt = 0;
358
359 end:
360 OPENSSL_free(func);
361 OPENSSL_free(file);
362 return cnt;
363 }
364 #endif
365
366 /* Print CMP log messages (i.e., diagnostic info) via the log cb of the ctx */
ossl_cmp_print_log(OSSL_CMP_severity level,const OSSL_CMP_CTX * ctx,const char * func,const char * file,int line,const char * level_str,const char * format,...)367 int ossl_cmp_print_log(OSSL_CMP_severity level, const OSSL_CMP_CTX *ctx,
368 const char *func, const char *file, int line,
369 const char *level_str, const char *format, ...)
370 {
371 va_list args;
372 char hugebuf[1024 * 2];
373 int res = 0;
374
375 if (ctx == NULL || ctx->log_cb == NULL)
376 return 1; /* silently drop message */
377
378 if (level > ctx->log_verbosity) /* excludes the case level is unknown */
379 return 1; /* suppress output since severity is not sufficient */
380
381 if (format == NULL)
382 return 0;
383
384 va_start(args, format);
385
386 if (func == NULL)
387 func = "(unset function name)";
388 if (file == NULL)
389 file = "(unset file name)";
390 if (level_str == NULL)
391 level_str = "(unset level string)";
392
393 #ifndef OPENSSL_NO_TRACE
394 if (OSSL_TRACE_ENABLED(CMP)) {
395 OSSL_TRACE_BEGIN(CMP) {
396 int printed =
397 BIO_snprintf(hugebuf, sizeof(hugebuf),
398 "%s:%s:%d:" OSSL_CMP_LOG_PREFIX "%s: ",
399 func, file, line, level_str);
400 if (printed > 0 && (size_t)printed < sizeof(hugebuf)) {
401 if (BIO_vsnprintf(hugebuf + printed,
402 sizeof(hugebuf) - printed, format, args) > 0)
403 res = BIO_puts(trc_out, hugebuf) > 0;
404 }
405 } OSSL_TRACE_END(CMP);
406 }
407 #else /* compensate for disabled trace API */
408 {
409 if (BIO_vsnprintf(hugebuf, sizeof(hugebuf), format, args) > 0)
410 res = ctx->log_cb(func, file, line, level, hugebuf);
411 }
412 #endif
413 va_end(args);
414 return res;
415 }
416
417 /* Set a callback function for error reporting and logging messages */
OSSL_CMP_CTX_set_log_cb(OSSL_CMP_CTX * ctx,OSSL_CMP_log_cb_t cb)418 int OSSL_CMP_CTX_set_log_cb(OSSL_CMP_CTX *ctx, OSSL_CMP_log_cb_t cb)
419 {
420 if (ctx == NULL) {
421 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
422 return 0;
423 }
424 ctx->log_cb = cb;
425
426 #ifndef OPENSSL_NO_TRACE
427 /* do also in case cb == NULL, to switch off logging output: */
428 if (!OSSL_trace_set_callback(OSSL_TRACE_CATEGORY_CMP,
429 ossl_cmp_log_trace_cb, ctx))
430 return 0;
431 #endif
432
433 return 1;
434 }
435
436 /* Print OpenSSL and CMP errors via the log cb of the ctx or ERR_print_errors */
OSSL_CMP_CTX_print_errors(const OSSL_CMP_CTX * ctx)437 void OSSL_CMP_CTX_print_errors(const OSSL_CMP_CTX *ctx)
438 {
439 if (ctx != NULL && OSSL_CMP_LOG_ERR > ctx->log_verbosity)
440 return; /* suppress output since severity is not sufficient */
441 OSSL_CMP_print_errors_cb(ctx == NULL ? NULL : ctx->log_cb);
442 }
443
444 /*
445 * Set or clear the reference value to be used for identification
446 * (i.e., the user name) when using PBMAC.
447 */
OSSL_CMP_CTX_set1_referenceValue(OSSL_CMP_CTX * ctx,const unsigned char * ref,int len)448 int OSSL_CMP_CTX_set1_referenceValue(OSSL_CMP_CTX *ctx,
449 const unsigned char *ref, int len)
450 {
451 if (ctx == NULL) {
452 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
453 return 0;
454 }
455 return ossl_cmp_asn1_octet_string_set1_bytes(&ctx->referenceValue, ref,
456 len);
457 }
458
459 /* Set or clear the password to be used for protecting messages with PBMAC */
OSSL_CMP_CTX_set1_secretValue(OSSL_CMP_CTX * ctx,const unsigned char * sec,int len)460 int OSSL_CMP_CTX_set1_secretValue(OSSL_CMP_CTX *ctx,
461 const unsigned char *sec, int len)
462 {
463 ASN1_OCTET_STRING *secretValue = NULL;
464 if (ctx == NULL) {
465 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
466 return 0;
467 }
468 if (ossl_cmp_asn1_octet_string_set1_bytes(&secretValue, sec, len) != 1)
469 return 0;
470 if (ctx->secretValue != NULL) {
471 OPENSSL_cleanse(ctx->secretValue->data, ctx->secretValue->length);
472 ASN1_OCTET_STRING_free(ctx->secretValue);
473 }
474 ctx->secretValue = secretValue;
475 return 1;
476 }
477
478 /* Returns the cert chain computed by OSSL_CMP_certConf_cb(), NULL on error */
STACK_OF(X509)479 STACK_OF(X509) *OSSL_CMP_CTX_get1_newChain(const OSSL_CMP_CTX *ctx)
480 {
481 if (ctx == NULL) {
482 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
483 return NULL;
484 }
485 return X509_chain_up_ref(ctx->newChain);
486 }
487
488 /*
489 * Copies any given stack of inbound X509 certificates to newChain
490 * of the OSSL_CMP_CTX structure so that they may be retrieved later.
491 */
ossl_cmp_ctx_set1_newChain(OSSL_CMP_CTX * ctx,STACK_OF (X509)* newChain)492 int ossl_cmp_ctx_set1_newChain(OSSL_CMP_CTX *ctx, STACK_OF(X509) *newChain)
493 {
494 if (!ossl_assert(ctx != NULL))
495 return 0;
496
497 sk_X509_pop_free(ctx->newChain, X509_free);
498 ctx->newChain = NULL;
499 return newChain == NULL ||
500 (ctx->newChain = X509_chain_up_ref(newChain)) != NULL;
501 }
502
503 /* Returns the stack of extraCerts received in CertRepMessage, NULL on error */
STACK_OF(X509)504 STACK_OF(X509) *OSSL_CMP_CTX_get1_extraCertsIn(const OSSL_CMP_CTX *ctx)
505 {
506 if (ctx == NULL) {
507 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
508 return NULL;
509 }
510 return X509_chain_up_ref(ctx->extraCertsIn);
511 }
512
513 /*
514 * Copies any given stack of inbound X509 certificates to extraCertsIn
515 * of the OSSL_CMP_CTX structure so that they may be retrieved later.
516 */
ossl_cmp_ctx_set1_extraCertsIn(OSSL_CMP_CTX * ctx,STACK_OF (X509)* extraCertsIn)517 int ossl_cmp_ctx_set1_extraCertsIn(OSSL_CMP_CTX *ctx,
518 STACK_OF(X509) *extraCertsIn)
519 {
520 if (!ossl_assert(ctx != NULL))
521 return 0;
522
523 sk_X509_pop_free(ctx->extraCertsIn, X509_free);
524 ctx->extraCertsIn = NULL;
525 return extraCertsIn == NULL
526 || (ctx->extraCertsIn = X509_chain_up_ref(extraCertsIn)) != NULL;
527 }
528
529 /*
530 * Copies any given stack as the new stack of X509
531 * certificates to send out in the extraCerts field.
532 */
OSSL_CMP_CTX_set1_extraCertsOut(OSSL_CMP_CTX * ctx,STACK_OF (X509)* extraCertsOut)533 int OSSL_CMP_CTX_set1_extraCertsOut(OSSL_CMP_CTX *ctx,
534 STACK_OF(X509) *extraCertsOut)
535 {
536 if (ctx == NULL) {
537 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
538 return 0;
539 }
540
541 sk_X509_pop_free(ctx->extraCertsOut, X509_free);
542 ctx->extraCertsOut = NULL;
543 return extraCertsOut == NULL
544 || (ctx->extraCertsOut = X509_chain_up_ref(extraCertsOut)) != NULL;
545 }
546
547 /*
548 * Add the given policy info object
549 * to the X509_EXTENSIONS of the requested certificate template.
550 */
OSSL_CMP_CTX_push0_policy(OSSL_CMP_CTX * ctx,POLICYINFO * pinfo)551 int OSSL_CMP_CTX_push0_policy(OSSL_CMP_CTX *ctx, POLICYINFO *pinfo)
552 {
553 if (ctx == NULL || pinfo == NULL) {
554 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
555 return 0;
556 }
557
558 if (ctx->policies == NULL
559 && (ctx->policies = CERTIFICATEPOLICIES_new()) == NULL)
560 return 0;
561
562 return sk_POLICYINFO_push(ctx->policies, pinfo);
563 }
564
565 /* Add an ITAV for geninfo of the PKI message header */
OSSL_CMP_CTX_push0_geninfo_ITAV(OSSL_CMP_CTX * ctx,OSSL_CMP_ITAV * itav)566 int OSSL_CMP_CTX_push0_geninfo_ITAV(OSSL_CMP_CTX *ctx, OSSL_CMP_ITAV *itav)
567 {
568 if (ctx == NULL) {
569 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
570 return 0;
571 }
572 return OSSL_CMP_ITAV_push0_stack_item(&ctx->geninfo_ITAVs, itav);
573 }
574
OSSL_CMP_CTX_reset_geninfo_ITAVs(OSSL_CMP_CTX * ctx)575 int OSSL_CMP_CTX_reset_geninfo_ITAVs(OSSL_CMP_CTX *ctx)
576 {
577 if (ctx == NULL) {
578 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
579 return 0;
580 }
581 OSSL_CMP_ITAVs_free(ctx->geninfo_ITAVs);
582 ctx->geninfo_ITAVs = NULL;
583 return 1;
584 }
585
586 /* Add an itav for the body of outgoing general messages */
OSSL_CMP_CTX_push0_genm_ITAV(OSSL_CMP_CTX * ctx,OSSL_CMP_ITAV * itav)587 int OSSL_CMP_CTX_push0_genm_ITAV(OSSL_CMP_CTX *ctx, OSSL_CMP_ITAV *itav)
588 {
589 if (ctx == NULL) {
590 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
591 return 0;
592 }
593 return OSSL_CMP_ITAV_push0_stack_item(&ctx->genm_ITAVs, itav);
594 }
595
596 /*
597 * Returns a duplicate of the stack of X509 certificates that
598 * were received in the caPubs field of the last CertRepMessage.
599 * Returns NULL on error
600 */
STACK_OF(X509)601 STACK_OF(X509) *OSSL_CMP_CTX_get1_caPubs(const OSSL_CMP_CTX *ctx)
602 {
603 if (ctx == NULL) {
604 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
605 return NULL;
606 }
607 return X509_chain_up_ref(ctx->caPubs);
608 }
609
610 /*
611 * Copies any given stack of certificates to the given
612 * OSSL_CMP_CTX structure so that they may be retrieved later.
613 */
ossl_cmp_ctx_set1_caPubs(OSSL_CMP_CTX * ctx,STACK_OF (X509)* caPubs)614 int ossl_cmp_ctx_set1_caPubs(OSSL_CMP_CTX *ctx, STACK_OF(X509) *caPubs)
615 {
616 if (!ossl_assert(ctx != NULL))
617 return 0;
618
619 sk_X509_pop_free(ctx->caPubs, X509_free);
620 ctx->caPubs = NULL;
621 return caPubs == NULL || (ctx->caPubs = X509_chain_up_ref(caPubs)) != NULL;
622 }
623
624 #define char_dup OPENSSL_strdup
625 #define char_free OPENSSL_free
626 #define DEFINE_OSSL_CMP_CTX_set1(FIELD, TYPE) /* this uses _dup */ \
627 int OSSL_CMP_CTX_set1_##FIELD(OSSL_CMP_CTX *ctx, const TYPE *val) \
628 { \
629 TYPE *val_dup = NULL; \
630 \
631 if (ctx == NULL) { \
632 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); \
633 return 0; \
634 } \
635 \
636 if (val != NULL && (val_dup = TYPE##_dup(val)) == NULL) \
637 return 0; \
638 TYPE##_free(ctx->FIELD); \
639 ctx->FIELD = val_dup; \
640 return 1; \
641 }
642
643 #define X509_invalid(cert) (!ossl_x509v3_cache_extensions(cert))
644 #define EVP_PKEY_invalid(key) 0
645 #define DEFINE_OSSL_CMP_CTX_set1_up_ref(FIELD, TYPE) \
646 int OSSL_CMP_CTX_set1_##FIELD(OSSL_CMP_CTX *ctx, TYPE *val) \
647 { \
648 if (ctx == NULL) { \
649 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); \
650 return 0; \
651 } \
652 \
653 /* prevent misleading error later on malformed cert or provider issue */ \
654 if (val != NULL && TYPE##_invalid(val)) { \
655 ERR_raise(ERR_LIB_CMP, CMP_R_POTENTIALLY_INVALID_CERTIFICATE); \
656 return 0; \
657 } \
658 if (val != NULL && !TYPE##_up_ref(val)) \
659 return 0; \
660 TYPE##_free(ctx->FIELD); \
661 ctx->FIELD = val; \
662 return 1; \
663 }
664
665 /*
666 * Pins the server certificate to be directly trusted (even if it is expired)
667 * for verifying response messages.
668 * Cert pointer is not consumed. It may be NULL to clear the entry.
669 */
DEFINE_OSSL_CMP_CTX_set1_up_ref(srvCert,X509)670 DEFINE_OSSL_CMP_CTX_set1_up_ref(srvCert, X509)
671
672 /* Set the X509 name of the recipient to be placed in the PKIHeader */
673 DEFINE_OSSL_CMP_CTX_set1(recipient, X509_NAME)
674
675 /* Store the X509 name of the expected sender in the PKIHeader of responses */
676 DEFINE_OSSL_CMP_CTX_set1(expected_sender, X509_NAME)
677
678 /* Set the X509 name of the issuer to be placed in the certTemplate */
679 DEFINE_OSSL_CMP_CTX_set1(issuer, X509_NAME)
680
681 /*
682 * Set the subject name that will be placed in the certificate
683 * request. This will be the subject name on the received certificate.
684 */
685 DEFINE_OSSL_CMP_CTX_set1(subjectName, X509_NAME)
686
687 /* Set the X.509v3 certificate request extensions to be used in IR/CR/KUR */
688 int OSSL_CMP_CTX_set0_reqExtensions(OSSL_CMP_CTX *ctx, X509_EXTENSIONS *exts)
689 {
690 if (ctx == NULL) {
691 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
692 return 0;
693 }
694
695 if (sk_GENERAL_NAME_num(ctx->subjectAltNames) > 0 && exts != NULL
696 && X509v3_get_ext_by_NID(exts, NID_subject_alt_name, -1) >= 0) {
697 ERR_raise(ERR_LIB_CMP, CMP_R_MULTIPLE_SAN_SOURCES);
698 return 0;
699 }
700 sk_X509_EXTENSION_pop_free(ctx->reqExtensions, X509_EXTENSION_free);
701 ctx->reqExtensions = exts;
702 return 1;
703 }
704
705 /* returns 1 if ctx contains a Subject Alternative Name extension, else 0 */
OSSL_CMP_CTX_reqExtensions_have_SAN(OSSL_CMP_CTX * ctx)706 int OSSL_CMP_CTX_reqExtensions_have_SAN(OSSL_CMP_CTX *ctx)
707 {
708 if (ctx == NULL) {
709 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
710 return -1;
711 }
712 /* if one of the following conditions 'fail' this is not an error */
713 return ctx->reqExtensions != NULL
714 && X509v3_get_ext_by_NID(ctx->reqExtensions,
715 NID_subject_alt_name, -1) >= 0;
716 }
717
718 /*
719 * Add a GENERAL_NAME structure that will be added to the CRMF
720 * request's extensions field to request subject alternative names.
721 */
OSSL_CMP_CTX_push1_subjectAltName(OSSL_CMP_CTX * ctx,const GENERAL_NAME * name)722 int OSSL_CMP_CTX_push1_subjectAltName(OSSL_CMP_CTX *ctx,
723 const GENERAL_NAME *name)
724 {
725 GENERAL_NAME *name_dup;
726
727 if (ctx == NULL || name == NULL) {
728 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
729 return 0;
730 }
731
732 if (OSSL_CMP_CTX_reqExtensions_have_SAN(ctx) == 1) {
733 ERR_raise(ERR_LIB_CMP, CMP_R_MULTIPLE_SAN_SOURCES);
734 return 0;
735 }
736
737 if (ctx->subjectAltNames == NULL
738 && (ctx->subjectAltNames = sk_GENERAL_NAME_new_null()) == NULL)
739 return 0;
740 if ((name_dup = GENERAL_NAME_dup(name)) == NULL)
741 return 0;
742 if (!sk_GENERAL_NAME_push(ctx->subjectAltNames, name_dup)) {
743 GENERAL_NAME_free(name_dup);
744 return 0;
745 }
746 return 1;
747 }
748
749 /*
750 * Set our own client certificate, used for example in KUR and when
751 * doing the IR with existing certificate.
752 */
DEFINE_OSSL_CMP_CTX_set1_up_ref(cert,X509)753 DEFINE_OSSL_CMP_CTX_set1_up_ref(cert, X509)
754
755 int OSSL_CMP_CTX_build_cert_chain(OSSL_CMP_CTX *ctx, X509_STORE *own_trusted,
756 STACK_OF(X509) *candidates)
757 {
758 STACK_OF(X509) *chain;
759
760 if (ctx == NULL) {
761 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
762 return 0;
763 }
764
765 if (!ossl_x509_add_certs_new(&ctx->untrusted, candidates,
766 X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP))
767 return 0;
768
769 ossl_cmp_debug(ctx, "trying to build chain for own CMP signer cert");
770 chain = X509_build_chain(ctx->cert, ctx->untrusted, own_trusted, 0,
771 ctx->libctx, ctx->propq);
772 if (chain == NULL) {
773 ERR_raise(ERR_LIB_CMP, CMP_R_FAILED_BUILDING_OWN_CHAIN);
774 return 0;
775 }
776 ossl_cmp_debug(ctx, "success building chain for own CMP signer cert");
777 ctx->chain = chain;
778 return 1;
779 }
780
781 /*
782 * Set the old certificate that we are updating in KUR
783 * or the certificate to be revoked in RR, respectively.
784 * Also used as reference cert (defaulting to cert) for deriving subject DN
785 * and SANs. Its issuer is used as default recipient in the CMP message header.
786 */
DEFINE_OSSL_CMP_CTX_set1_up_ref(oldCert,X509)787 DEFINE_OSSL_CMP_CTX_set1_up_ref(oldCert, X509)
788
789 /* Set the PKCS#10 CSR to be sent in P10CR */
790 DEFINE_OSSL_CMP_CTX_set1(p10CSR, X509_REQ)
791
792 /*
793 * Set the (newly received in IP/KUP/CP) certificate in the context.
794 * This only permits for one cert to be enrolled at a time.
795 */
796 int ossl_cmp_ctx_set0_newCert(OSSL_CMP_CTX *ctx, X509 *cert)
797 {
798 if (!ossl_assert(ctx != NULL))
799 return 0;
800
801 X509_free(ctx->newCert);
802 ctx->newCert = cert;
803 return 1;
804 }
805
806 /*
807 * Get the (newly received in IP/KUP/CP) client certificate from the context
808 * This only permits for one client cert to be received...
809 */
OSSL_CMP_CTX_get0_newCert(const OSSL_CMP_CTX * ctx)810 X509 *OSSL_CMP_CTX_get0_newCert(const OSSL_CMP_CTX *ctx)
811 {
812 if (ctx == NULL) {
813 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
814 return NULL;
815 }
816 return ctx->newCert;
817 }
818
819 /* Set the client's current private key */
DEFINE_OSSL_CMP_CTX_set1_up_ref(pkey,EVP_PKEY)820 DEFINE_OSSL_CMP_CTX_set1_up_ref(pkey, EVP_PKEY)
821
822 /* Set new key pair. Used e.g. when doing Key Update */
823 int OSSL_CMP_CTX_set0_newPkey(OSSL_CMP_CTX *ctx, int priv, EVP_PKEY *pkey)
824 {
825 if (ctx == NULL) {
826 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
827 return 0;
828 }
829
830 EVP_PKEY_free(ctx->newPkey);
831 ctx->newPkey = pkey;
832 ctx->newPkey_priv = priv;
833 return 1;
834 }
835
836 /* Get the private/public key to use for cert enrollment, or NULL on error */
837 /* In case |priv| == 0, better use ossl_cmp_ctx_get0_newPubkey() below */
OSSL_CMP_CTX_get0_newPkey(const OSSL_CMP_CTX * ctx,int priv)838 EVP_PKEY *OSSL_CMP_CTX_get0_newPkey(const OSSL_CMP_CTX *ctx, int priv)
839 {
840 if (ctx == NULL) {
841 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
842 return NULL;
843 }
844
845 if (ctx->newPkey != NULL)
846 return priv && !ctx->newPkey_priv ? NULL : ctx->newPkey;
847 if (ctx->p10CSR != NULL)
848 return priv ? NULL : X509_REQ_get0_pubkey(ctx->p10CSR);
849 return ctx->pkey; /* may be NULL */
850 }
851
ossl_cmp_ctx_get0_newPubkey(const OSSL_CMP_CTX * ctx)852 EVP_PKEY *ossl_cmp_ctx_get0_newPubkey(const OSSL_CMP_CTX *ctx)
853 {
854 if (!ossl_assert(ctx != NULL))
855 return NULL;
856 if (ctx->newPkey != NULL)
857 return ctx->newPkey;
858 if (ctx->p10CSR != NULL)
859 return X509_REQ_get0_pubkey(ctx->p10CSR);
860 if (ctx->oldCert != NULL)
861 return X509_get0_pubkey(ctx->oldCert);
862 if (ctx->cert != NULL)
863 return X509_get0_pubkey(ctx->cert);
864 return ctx->pkey;
865 }
866
867 /* Set the given transactionID to the context */
OSSL_CMP_CTX_set1_transactionID(OSSL_CMP_CTX * ctx,const ASN1_OCTET_STRING * id)868 int OSSL_CMP_CTX_set1_transactionID(OSSL_CMP_CTX *ctx,
869 const ASN1_OCTET_STRING *id)
870 {
871 if (ctx == NULL) {
872 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
873 return 0;
874 }
875 return ossl_cmp_asn1_octet_string_set1(&ctx->transactionID, id);
876 }
877
878 /* Set the nonce to be used for the recipNonce in the message created next */
ossl_cmp_ctx_set1_recipNonce(OSSL_CMP_CTX * ctx,const ASN1_OCTET_STRING * nonce)879 int ossl_cmp_ctx_set1_recipNonce(OSSL_CMP_CTX *ctx,
880 const ASN1_OCTET_STRING *nonce)
881 {
882 if (!ossl_assert(ctx != NULL))
883 return 0;
884 return ossl_cmp_asn1_octet_string_set1(&ctx->recipNonce, nonce);
885 }
886
887 /* Stores the given nonce as the last senderNonce sent out */
OSSL_CMP_CTX_set1_senderNonce(OSSL_CMP_CTX * ctx,const ASN1_OCTET_STRING * nonce)888 int OSSL_CMP_CTX_set1_senderNonce(OSSL_CMP_CTX *ctx,
889 const ASN1_OCTET_STRING *nonce)
890 {
891 if (ctx == NULL) {
892 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
893 return 0;
894 }
895 return ossl_cmp_asn1_octet_string_set1(&ctx->senderNonce, nonce);
896 }
897
898 /* Set the proxy server to use for HTTP(S) connections */
DEFINE_OSSL_CMP_CTX_set1(proxy,char)899 DEFINE_OSSL_CMP_CTX_set1(proxy, char)
900
901 /* Set the (HTTP) host name of the CMP server */
902 DEFINE_OSSL_CMP_CTX_set1(server, char)
903
904 /* Set the server exclusion list of the HTTP proxy server */
905 DEFINE_OSSL_CMP_CTX_set1(no_proxy, char)
906
907 /* Set the http connect/disconnect callback function to be used for HTTP(S) */
908 int OSSL_CMP_CTX_set_http_cb(OSSL_CMP_CTX *ctx, OSSL_HTTP_bio_cb_t cb)
909 {
910 if (ctx == NULL) {
911 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
912 return 0;
913 }
914 ctx->http_cb = cb;
915 return 1;
916 }
917
918 /* Set argument optionally to be used by the http connect/disconnect callback */
OSSL_CMP_CTX_set_http_cb_arg(OSSL_CMP_CTX * ctx,void * arg)919 int OSSL_CMP_CTX_set_http_cb_arg(OSSL_CMP_CTX *ctx, void *arg)
920 {
921 if (ctx == NULL) {
922 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
923 return 0;
924 }
925 ctx->http_cb_arg = arg;
926 return 1;
927 }
928
929 /*
930 * Get argument optionally to be used by the http connect/disconnect callback
931 * Returns callback argument set previously (NULL if not set or on error)
932 */
OSSL_CMP_CTX_get_http_cb_arg(const OSSL_CMP_CTX * ctx)933 void *OSSL_CMP_CTX_get_http_cb_arg(const OSSL_CMP_CTX *ctx)
934 {
935 if (ctx == NULL) {
936 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
937 return NULL;
938 }
939 return ctx->http_cb_arg;
940 }
941
942 /* Set callback function for sending CMP request and receiving response */
OSSL_CMP_CTX_set_transfer_cb(OSSL_CMP_CTX * ctx,OSSL_CMP_transfer_cb_t cb)943 int OSSL_CMP_CTX_set_transfer_cb(OSSL_CMP_CTX *ctx, OSSL_CMP_transfer_cb_t cb)
944 {
945 if (ctx == NULL) {
946 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
947 return 0;
948 }
949 ctx->transfer_cb = cb;
950 return 1;
951 }
952
953 /* Set argument optionally to be used by the transfer callback */
OSSL_CMP_CTX_set_transfer_cb_arg(OSSL_CMP_CTX * ctx,void * arg)954 int OSSL_CMP_CTX_set_transfer_cb_arg(OSSL_CMP_CTX *ctx, void *arg)
955 {
956 if (ctx == NULL) {
957 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
958 return 0;
959 }
960 ctx->transfer_cb_arg = arg;
961 return 1;
962 }
963
964 /*
965 * Get argument optionally to be used by the transfer callback.
966 * Returns callback argument set previously (NULL if not set or on error)
967 */
OSSL_CMP_CTX_get_transfer_cb_arg(const OSSL_CMP_CTX * ctx)968 void *OSSL_CMP_CTX_get_transfer_cb_arg(const OSSL_CMP_CTX *ctx)
969 {
970 if (ctx == NULL) {
971 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
972 return NULL;
973 }
974 return ctx->transfer_cb_arg;
975 }
976
977 /** Set the HTTP server port to be used */
OSSL_CMP_CTX_set_serverPort(OSSL_CMP_CTX * ctx,int port)978 int OSSL_CMP_CTX_set_serverPort(OSSL_CMP_CTX *ctx, int port)
979 {
980 if (ctx == NULL) {
981 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
982 return 0;
983 }
984 ctx->serverPort = port;
985 return 1;
986 }
987
988 /* Set the HTTP path to be used on the server (e.g "pkix/") */
DEFINE_OSSL_CMP_CTX_set1(serverPath,char)989 DEFINE_OSSL_CMP_CTX_set1(serverPath, char)
990
991 /* Set the failInfo error code as bit encoding in OSSL_CMP_CTX */
992 int ossl_cmp_ctx_set_failInfoCode(OSSL_CMP_CTX *ctx, int fail_info)
993 {
994 if (!ossl_assert(ctx != NULL))
995 return 0;
996 ctx->failInfoCode = fail_info;
997 return 1;
998 }
999
1000 /*
1001 * Get the failInfo error code in OSSL_CMP_CTX as bit encoding.
1002 * Returns bit string as integer on success, -1 on error
1003 */
OSSL_CMP_CTX_get_failInfoCode(const OSSL_CMP_CTX * ctx)1004 int OSSL_CMP_CTX_get_failInfoCode(const OSSL_CMP_CTX *ctx)
1005 {
1006 if (ctx == NULL) {
1007 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
1008 return -1;
1009 }
1010 return ctx->failInfoCode;
1011 }
1012
1013 /* Set a Boolean or integer option of the context to the "val" arg */
OSSL_CMP_CTX_set_option(OSSL_CMP_CTX * ctx,int opt,int val)1014 int OSSL_CMP_CTX_set_option(OSSL_CMP_CTX *ctx, int opt, int val)
1015 {
1016 int min_val;
1017
1018 if (ctx == NULL) {
1019 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
1020 return 0;
1021 }
1022
1023 switch (opt) {
1024 case OSSL_CMP_OPT_REVOCATION_REASON:
1025 min_val = OCSP_REVOKED_STATUS_NOSTATUS;
1026 break;
1027 case OSSL_CMP_OPT_POPO_METHOD:
1028 min_val = OSSL_CRMF_POPO_NONE;
1029 break;
1030 default:
1031 min_val = 0;
1032 break;
1033 }
1034 if (val < min_val) {
1035 ERR_raise(ERR_LIB_CMP, CMP_R_VALUE_TOO_SMALL);
1036 return 0;
1037 }
1038
1039 switch (opt) {
1040 case OSSL_CMP_OPT_LOG_VERBOSITY:
1041 if (val > OSSL_CMP_LOG_MAX) {
1042 ERR_raise(ERR_LIB_CMP, CMP_R_VALUE_TOO_LARGE);
1043 return 0;
1044 }
1045 ctx->log_verbosity = val;
1046 break;
1047 case OSSL_CMP_OPT_IMPLICIT_CONFIRM:
1048 ctx->implicitConfirm = val;
1049 break;
1050 case OSSL_CMP_OPT_DISABLE_CONFIRM:
1051 ctx->disableConfirm = val;
1052 break;
1053 case OSSL_CMP_OPT_UNPROTECTED_SEND:
1054 ctx->unprotectedSend = val;
1055 break;
1056 case OSSL_CMP_OPT_UNPROTECTED_ERRORS:
1057 ctx->unprotectedErrors = val;
1058 break;
1059 case OSSL_CMP_OPT_VALIDITY_DAYS:
1060 ctx->days = val;
1061 break;
1062 case OSSL_CMP_OPT_SUBJECTALTNAME_NODEFAULT:
1063 ctx->SubjectAltName_nodefault = val;
1064 break;
1065 case OSSL_CMP_OPT_SUBJECTALTNAME_CRITICAL:
1066 ctx->setSubjectAltNameCritical = val;
1067 break;
1068 case OSSL_CMP_OPT_POLICIES_CRITICAL:
1069 ctx->setPoliciesCritical = val;
1070 break;
1071 case OSSL_CMP_OPT_IGNORE_KEYUSAGE:
1072 ctx->ignore_keyusage = val;
1073 break;
1074 case OSSL_CMP_OPT_POPO_METHOD:
1075 if (val > OSSL_CRMF_POPO_KEYAGREE) {
1076 ERR_raise(ERR_LIB_CMP, CMP_R_VALUE_TOO_LARGE);
1077 return 0;
1078 }
1079 ctx->popoMethod = val;
1080 break;
1081 case OSSL_CMP_OPT_DIGEST_ALGNID:
1082 if (!cmp_ctx_set_md(ctx, &ctx->digest, val))
1083 return 0;
1084 break;
1085 case OSSL_CMP_OPT_OWF_ALGNID:
1086 if (!cmp_ctx_set_md(ctx, &ctx->pbm_owf, val))
1087 return 0;
1088 break;
1089 case OSSL_CMP_OPT_MAC_ALGNID:
1090 ctx->pbm_mac = val;
1091 break;
1092 case OSSL_CMP_OPT_KEEP_ALIVE:
1093 ctx->keep_alive = val;
1094 break;
1095 case OSSL_CMP_OPT_MSG_TIMEOUT:
1096 ctx->msg_timeout = val;
1097 break;
1098 case OSSL_CMP_OPT_TOTAL_TIMEOUT:
1099 ctx->total_timeout = val;
1100 break;
1101 case OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR:
1102 ctx->permitTAInExtraCertsForIR = val;
1103 break;
1104 case OSSL_CMP_OPT_REVOCATION_REASON:
1105 if (val > OCSP_REVOKED_STATUS_AACOMPROMISE) {
1106 ERR_raise(ERR_LIB_CMP, CMP_R_VALUE_TOO_LARGE);
1107 return 0;
1108 }
1109 ctx->revocationReason = val;
1110 break;
1111 default:
1112 ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_OPTION);
1113 return 0;
1114 }
1115
1116 return 1;
1117 }
1118
1119 /*
1120 * Reads a Boolean or integer option value from the context.
1121 * Returns -1 on error (which is the default OSSL_CMP_OPT_REVOCATION_REASON)
1122 */
OSSL_CMP_CTX_get_option(const OSSL_CMP_CTX * ctx,int opt)1123 int OSSL_CMP_CTX_get_option(const OSSL_CMP_CTX *ctx, int opt)
1124 {
1125 if (ctx == NULL) {
1126 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
1127 return -1;
1128 }
1129
1130 switch (opt) {
1131 case OSSL_CMP_OPT_LOG_VERBOSITY:
1132 return ctx->log_verbosity;
1133 case OSSL_CMP_OPT_IMPLICIT_CONFIRM:
1134 return ctx->implicitConfirm;
1135 case OSSL_CMP_OPT_DISABLE_CONFIRM:
1136 return ctx->disableConfirm;
1137 case OSSL_CMP_OPT_UNPROTECTED_SEND:
1138 return ctx->unprotectedSend;
1139 case OSSL_CMP_OPT_UNPROTECTED_ERRORS:
1140 return ctx->unprotectedErrors;
1141 case OSSL_CMP_OPT_VALIDITY_DAYS:
1142 return ctx->days;
1143 case OSSL_CMP_OPT_SUBJECTALTNAME_NODEFAULT:
1144 return ctx->SubjectAltName_nodefault;
1145 case OSSL_CMP_OPT_SUBJECTALTNAME_CRITICAL:
1146 return ctx->setSubjectAltNameCritical;
1147 case OSSL_CMP_OPT_POLICIES_CRITICAL:
1148 return ctx->setPoliciesCritical;
1149 case OSSL_CMP_OPT_IGNORE_KEYUSAGE:
1150 return ctx->ignore_keyusage;
1151 case OSSL_CMP_OPT_POPO_METHOD:
1152 return ctx->popoMethod;
1153 case OSSL_CMP_OPT_DIGEST_ALGNID:
1154 return EVP_MD_get_type(ctx->digest);
1155 case OSSL_CMP_OPT_OWF_ALGNID:
1156 return EVP_MD_get_type(ctx->pbm_owf);
1157 case OSSL_CMP_OPT_MAC_ALGNID:
1158 return ctx->pbm_mac;
1159 case OSSL_CMP_OPT_KEEP_ALIVE:
1160 return ctx->keep_alive;
1161 case OSSL_CMP_OPT_MSG_TIMEOUT:
1162 return ctx->msg_timeout;
1163 case OSSL_CMP_OPT_TOTAL_TIMEOUT:
1164 return ctx->total_timeout;
1165 case OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR:
1166 return ctx->permitTAInExtraCertsForIR;
1167 case OSSL_CMP_OPT_REVOCATION_REASON:
1168 return ctx->revocationReason;
1169 default:
1170 ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_OPTION);
1171 return -1;
1172 }
1173 }
1174