xref: /freebsd/crypto/openssl/crypto/cmp/cmp_status.c (revision 6f1af0d7d2af54b339b5212434cd6d4fda628d80)
1 /*
2  * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
3  * Copyright Nokia 2007-2019
4  * Copyright Siemens AG 2015-2019
5  *
6  * Licensed under the Apache License 2.0 (the "License").  You may not use
7  * this file except in compliance with the License.  You can obtain a copy
8  * in the file LICENSE in the source distribution or at
9  * https://www.openssl.org/source/license.html
10  */
11 
12 /* CMP functions for PKIStatusInfo handling and PKIMessage decomposition */
13 
14 #include <string.h>
15 
16 #include "cmp_local.h"
17 
18 /* explicit #includes not strictly needed since implied by the above: */
19 #include <time.h>
20 #include <openssl/cmp.h>
21 #include <openssl/crmf.h>
22 #include <openssl/err.h> /* needed in case config no-deprecated */
23 #include <openssl/engine.h>
24 #include <openssl/evp.h>
25 #include <openssl/objects.h>
26 #include <openssl/x509.h>
27 #include <openssl/asn1err.h> /* for ASN1_R_TOO_SMALL and ASN1_R_TOO_LARGE */
28 
29 /* CMP functions related to PKIStatus */
30 
ossl_cmp_pkisi_get_status(const OSSL_CMP_PKISI * si)31 int ossl_cmp_pkisi_get_status(const OSSL_CMP_PKISI *si)
32 {
33     int res ;
34 
35     if (!ossl_assert(si != NULL && si->status != NULL))
36         return -1;
37     res = ossl_cmp_asn1_get_int(si->status);
38     return res == -2 ? -1 : res;
39 }
40 
ossl_cmp_PKIStatus_to_string(int status)41 const char *ossl_cmp_PKIStatus_to_string(int status)
42 {
43     switch (status) {
44     case OSSL_CMP_PKISTATUS_accepted:
45         return "PKIStatus: accepted";
46     case OSSL_CMP_PKISTATUS_grantedWithMods:
47         return "PKIStatus: granted with modifications";
48     case OSSL_CMP_PKISTATUS_rejection:
49         return "PKIStatus: rejection";
50     case OSSL_CMP_PKISTATUS_waiting:
51         return "PKIStatus: waiting";
52     case OSSL_CMP_PKISTATUS_revocationWarning:
53         return "PKIStatus: revocation warning - a revocation of the cert is imminent";
54     case OSSL_CMP_PKISTATUS_revocationNotification:
55         return "PKIStatus: revocation notification - a revocation of the cert has occurred";
56     case OSSL_CMP_PKISTATUS_keyUpdateWarning:
57         return "PKIStatus: key update warning - update already done for the cert";
58     default:
59         ERR_raise_data(ERR_LIB_CMP, CMP_R_ERROR_PARSING_PKISTATUS,
60                        "PKIStatus: invalid=%d", status);
61         return NULL;
62     }
63 }
64 
ossl_cmp_pkisi_get0_statusString(const OSSL_CMP_PKISI * si)65 OSSL_CMP_PKIFREETEXT *ossl_cmp_pkisi_get0_statusString(const OSSL_CMP_PKISI *si)
66 {
67     if (!ossl_assert(si != NULL))
68         return NULL;
69     return si->statusString;
70 }
71 
ossl_cmp_pkisi_get_pkifailureinfo(const OSSL_CMP_PKISI * si)72 int ossl_cmp_pkisi_get_pkifailureinfo(const OSSL_CMP_PKISI *si)
73 {
74     int i;
75     int res = 0;
76 
77     if (!ossl_assert(si != NULL))
78         return -1;
79     if (si->failInfo != NULL)
80         for (i = 0; i <= OSSL_CMP_PKIFAILUREINFO_MAX; i++)
81             if (ASN1_BIT_STRING_get_bit(si->failInfo, i))
82                 res |= 1 << i;
83     return res;
84 }
85 
86 /*-
87  * convert PKIFailureInfo number to human-readable string
88  * returns pointer to static string, or NULL on error
89  */
CMP_PKIFAILUREINFO_to_string(int number)90 static const char *CMP_PKIFAILUREINFO_to_string(int number)
91 {
92     switch (number) {
93     case OSSL_CMP_PKIFAILUREINFO_badAlg:
94         return "badAlg";
95     case OSSL_CMP_PKIFAILUREINFO_badMessageCheck:
96         return "badMessageCheck";
97     case OSSL_CMP_PKIFAILUREINFO_badRequest:
98         return "badRequest";
99     case OSSL_CMP_PKIFAILUREINFO_badTime:
100         return "badTime";
101     case OSSL_CMP_PKIFAILUREINFO_badCertId:
102         return "badCertId";
103     case OSSL_CMP_PKIFAILUREINFO_badDataFormat:
104         return "badDataFormat";
105     case OSSL_CMP_PKIFAILUREINFO_wrongAuthority:
106         return "wrongAuthority";
107     case OSSL_CMP_PKIFAILUREINFO_incorrectData:
108         return "incorrectData";
109     case OSSL_CMP_PKIFAILUREINFO_missingTimeStamp:
110         return "missingTimeStamp";
111     case OSSL_CMP_PKIFAILUREINFO_badPOP:
112         return "badPOP";
113     case OSSL_CMP_PKIFAILUREINFO_certRevoked:
114         return "certRevoked";
115     case OSSL_CMP_PKIFAILUREINFO_certConfirmed:
116         return "certConfirmed";
117     case OSSL_CMP_PKIFAILUREINFO_wrongIntegrity:
118         return "wrongIntegrity";
119     case OSSL_CMP_PKIFAILUREINFO_badRecipientNonce:
120         return "badRecipientNonce";
121     case OSSL_CMP_PKIFAILUREINFO_timeNotAvailable:
122         return "timeNotAvailable";
123     case OSSL_CMP_PKIFAILUREINFO_unacceptedPolicy:
124         return "unacceptedPolicy";
125     case OSSL_CMP_PKIFAILUREINFO_unacceptedExtension:
126         return "unacceptedExtension";
127     case OSSL_CMP_PKIFAILUREINFO_addInfoNotAvailable:
128         return "addInfoNotAvailable";
129     case OSSL_CMP_PKIFAILUREINFO_badSenderNonce:
130         return "badSenderNonce";
131     case OSSL_CMP_PKIFAILUREINFO_badCertTemplate:
132         return "badCertTemplate";
133     case OSSL_CMP_PKIFAILUREINFO_signerNotTrusted:
134         return "signerNotTrusted";
135     case OSSL_CMP_PKIFAILUREINFO_transactionIdInUse:
136         return "transactionIdInUse";
137     case OSSL_CMP_PKIFAILUREINFO_unsupportedVersion:
138         return "unsupportedVersion";
139     case OSSL_CMP_PKIFAILUREINFO_notAuthorized:
140         return "notAuthorized";
141     case OSSL_CMP_PKIFAILUREINFO_systemUnavail:
142         return "systemUnavail";
143     case OSSL_CMP_PKIFAILUREINFO_systemFailure:
144         return "systemFailure";
145     case OSSL_CMP_PKIFAILUREINFO_duplicateCertReq:
146         return "duplicateCertReq";
147     default:
148         return NULL; /* illegal failure number */
149     }
150 }
151 
ossl_cmp_pkisi_check_pkifailureinfo(const OSSL_CMP_PKISI * si,int bit_index)152 int ossl_cmp_pkisi_check_pkifailureinfo(const OSSL_CMP_PKISI *si, int bit_index)
153 {
154     if (!ossl_assert(si != NULL && si->failInfo != NULL))
155         return -1;
156     if (bit_index < 0 || bit_index > OSSL_CMP_PKIFAILUREINFO_MAX) {
157         ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS);
158         return -1;
159     }
160 
161     return ASN1_BIT_STRING_get_bit(si->failInfo, bit_index);
162 }
163 
164 /*-
165  * place human-readable error string created from PKIStatusInfo in given buffer
166  * returns pointer to the same buffer containing the string, or NULL on error
167  */
168 static
snprint_PKIStatusInfo_parts(int status,int fail_info,const OSSL_CMP_PKIFREETEXT * status_strings,char * buf,size_t bufsize)169 char *snprint_PKIStatusInfo_parts(int status, int fail_info,
170                                   const OSSL_CMP_PKIFREETEXT *status_strings,
171                                   char *buf, size_t bufsize)
172 {
173     int failure;
174     const char *status_string, *failure_string;
175     ASN1_UTF8STRING *text;
176     int i;
177     int printed_chars;
178     int failinfo_found = 0;
179     int n_status_strings;
180     char *write_ptr = buf;
181 
182     if (buf == NULL
183             || status < 0
184             || (status_string = ossl_cmp_PKIStatus_to_string(status)) == NULL)
185         return NULL;
186 
187 #define ADVANCE_BUFFER                                         \
188         if (printed_chars < 0 || (size_t)printed_chars >= bufsize) \
189             return NULL; \
190         write_ptr += printed_chars; \
191         bufsize -= printed_chars;
192 
193     printed_chars = BIO_snprintf(write_ptr, bufsize, "%s", status_string);
194     ADVANCE_BUFFER;
195 
196     /*
197      * failInfo is optional and may be empty;
198      * if present, print failInfo before statusString because it is more concise
199      */
200     if (fail_info != -1 && fail_info != 0) {
201         printed_chars = BIO_snprintf(write_ptr, bufsize, "; PKIFailureInfo: ");
202         ADVANCE_BUFFER;
203         for (failure = 0; failure <= OSSL_CMP_PKIFAILUREINFO_MAX; failure++) {
204             if ((fail_info & (1 << failure)) != 0) {
205                 failure_string = CMP_PKIFAILUREINFO_to_string(failure);
206                 if (failure_string != NULL) {
207                     printed_chars = BIO_snprintf(write_ptr, bufsize, "%s%s",
208                                                  failinfo_found ? ", " : "",
209                                                  failure_string);
210                     ADVANCE_BUFFER;
211                     failinfo_found = 1;
212                 }
213             }
214         }
215     }
216     if (!failinfo_found && status != OSSL_CMP_PKISTATUS_accepted
217             && status != OSSL_CMP_PKISTATUS_grantedWithMods) {
218         printed_chars = BIO_snprintf(write_ptr, bufsize, "; <no failure info>");
219         ADVANCE_BUFFER;
220     }
221 
222     /* statusString sequence is optional and may be empty */
223     n_status_strings = sk_ASN1_UTF8STRING_num(status_strings);
224     if (n_status_strings > 0) {
225         printed_chars = BIO_snprintf(write_ptr, bufsize, "; StatusString%s: ",
226                                      n_status_strings > 1 ? "s" : "");
227         ADVANCE_BUFFER;
228         for (i = 0; i < n_status_strings; i++) {
229             text = sk_ASN1_UTF8STRING_value(status_strings, i);
230             printed_chars = BIO_snprintf(write_ptr, bufsize, "\"%.*s\"%s",
231                                          ASN1_STRING_length(text),
232                                          ASN1_STRING_get0_data(text),
233                                          i < n_status_strings - 1 ? ", " : "");
234             ADVANCE_BUFFER;
235         }
236     }
237 #undef ADVANCE_BUFFER
238     return buf;
239 }
240 
OSSL_CMP_snprint_PKIStatusInfo(const OSSL_CMP_PKISI * statusInfo,char * buf,size_t bufsize)241 char *OSSL_CMP_snprint_PKIStatusInfo(const OSSL_CMP_PKISI *statusInfo,
242                                      char *buf, size_t bufsize)
243 {
244     int failure_info;
245 
246     if (statusInfo == NULL) {
247         ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
248         return NULL;
249     }
250 
251     failure_info = ossl_cmp_pkisi_get_pkifailureinfo(statusInfo);
252 
253     return snprint_PKIStatusInfo_parts(ASN1_INTEGER_get(statusInfo->status),
254                                        failure_info,
255                                        statusInfo->statusString, buf, bufsize);
256 }
257 
OSSL_CMP_CTX_snprint_PKIStatus(const OSSL_CMP_CTX * ctx,char * buf,size_t bufsize)258 char *OSSL_CMP_CTX_snprint_PKIStatus(const OSSL_CMP_CTX *ctx, char *buf,
259                                      size_t bufsize)
260 {
261     if (ctx == NULL) {
262         ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
263         return NULL;
264     }
265 
266     return snprint_PKIStatusInfo_parts(OSSL_CMP_CTX_get_status(ctx),
267                                        OSSL_CMP_CTX_get_failInfoCode(ctx),
268                                        OSSL_CMP_CTX_get0_statusString(ctx),
269                                        buf, bufsize);
270 }
271 
272 /*-
273  * Creates a new PKIStatusInfo structure and fills it in
274  * returns a pointer to the structure on success, NULL on error
275  * note: strongly overlaps with TS_RESP_CTX_set_status_info()
276  * and TS_RESP_CTX_add_failure_info() in ../ts/ts_rsp_sign.c
277  */
OSSL_CMP_STATUSINFO_new(int status,int fail_info,const char * text)278 OSSL_CMP_PKISI *OSSL_CMP_STATUSINFO_new(int status, int fail_info,
279                                         const char *text)
280 {
281     OSSL_CMP_PKISI *si = OSSL_CMP_PKISI_new();
282     ASN1_UTF8STRING *utf8_text = NULL;
283     int failure;
284 
285     if (si == NULL)
286         goto err;
287     if (!ASN1_INTEGER_set(si->status, status))
288         goto err;
289 
290     if (text != NULL) {
291         if ((utf8_text = ASN1_UTF8STRING_new()) == NULL
292                 || !ASN1_STRING_set(utf8_text, text, -1))
293             goto err;
294         if ((si->statusString = sk_ASN1_UTF8STRING_new_null()) == NULL)
295             goto err;
296         if (!sk_ASN1_UTF8STRING_push(si->statusString, utf8_text))
297             goto err;
298         /* Ownership is lost. */
299         utf8_text = NULL;
300     }
301 
302     for (failure = 0; failure <= OSSL_CMP_PKIFAILUREINFO_MAX; failure++) {
303         if ((fail_info & (1 << failure)) != 0) {
304             if (si->failInfo == NULL
305                     && (si->failInfo = ASN1_BIT_STRING_new()) == NULL)
306                 goto err;
307             if (!ASN1_BIT_STRING_set_bit(si->failInfo, failure, 1))
308                 goto err;
309         }
310     }
311     return si;
312 
313  err:
314     OSSL_CMP_PKISI_free(si);
315     ASN1_UTF8STRING_free(utf8_text);
316     return NULL;
317 }
318