1 /*
2 * Copyright 2007-2025 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright Nokia 2007-2019
4 * Copyright Siemens AG 2015-2019
5 *
6 * Licensed under the Apache License 2.0 (the "License"). You may not use
7 * this file except in compliance with the License. You can obtain a copy
8 * in the file LICENSE in the source distribution or at
9 * https://www.openssl.org/source/license.html
10 */
11
12 #include <openssl/asn1t.h>
13
14 #include "cmp_local.h"
15 #include "internal/crmf.h"
16
17 /* explicit #includes not strictly needed since implied by the above: */
18 #include <openssl/cmp.h>
19 #include <openssl/crmf.h>
20
21 /* ASN.1 declarations from RFC4210 */
22 ASN1_SEQUENCE(OSSL_CMP_REVANNCONTENT) = {
23 /* OSSL_CMP_PKISTATUS is effectively ASN1_INTEGER so it is used directly */
24 ASN1_SIMPLE(OSSL_CMP_REVANNCONTENT, status, ASN1_INTEGER),
25 ASN1_SIMPLE(OSSL_CMP_REVANNCONTENT, certId, OSSL_CRMF_CERTID),
26 ASN1_SIMPLE(OSSL_CMP_REVANNCONTENT, willBeRevokedAt, ASN1_GENERALIZEDTIME),
27 ASN1_SIMPLE(OSSL_CMP_REVANNCONTENT, badSinceDate, ASN1_GENERALIZEDTIME),
28 ASN1_OPT(OSSL_CMP_REVANNCONTENT, crlDetails, X509_EXTENSIONS)
29 } ASN1_SEQUENCE_END(OSSL_CMP_REVANNCONTENT)
30 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_REVANNCONTENT)
31
32 ASN1_SEQUENCE(OSSL_CMP_CHALLENGE) = {
33 ASN1_OPT(OSSL_CMP_CHALLENGE, owf, X509_ALGOR),
34 ASN1_SIMPLE(OSSL_CMP_CHALLENGE, witness, ASN1_OCTET_STRING),
35 ASN1_SIMPLE(OSSL_CMP_CHALLENGE, challenge, ASN1_OCTET_STRING)
36 } ASN1_SEQUENCE_END(OSSL_CMP_CHALLENGE)
37 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CHALLENGE)
38
39 ASN1_ITEM_TEMPLATE(OSSL_CMP_POPODECKEYCHALLCONTENT) =
40 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,
41 OSSL_CMP_POPODECKEYCHALLCONTENT, OSSL_CMP_CHALLENGE)
42 ASN1_ITEM_TEMPLATE_END(OSSL_CMP_POPODECKEYCHALLCONTENT)
43
44 ASN1_ITEM_TEMPLATE(OSSL_CMP_POPODECKEYRESPCONTENT) =
45 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,
46 OSSL_CMP_POPODECKEYRESPCONTENT, ASN1_INTEGER)
47 ASN1_ITEM_TEMPLATE_END(OSSL_CMP_POPODECKEYRESPCONTENT)
48
49 ASN1_SEQUENCE(OSSL_CMP_CAKEYUPDANNCONTENT) = {
50 /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
51 ASN1_SIMPLE(OSSL_CMP_CAKEYUPDANNCONTENT, oldWithNew, X509),
52 /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
53 ASN1_SIMPLE(OSSL_CMP_CAKEYUPDANNCONTENT, newWithOld, X509),
54 /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
55 ASN1_SIMPLE(OSSL_CMP_CAKEYUPDANNCONTENT, newWithNew, X509)
56 } ASN1_SEQUENCE_END(OSSL_CMP_CAKEYUPDANNCONTENT)
57 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CAKEYUPDANNCONTENT)
58
59 ASN1_SEQUENCE(OSSL_CMP_ERRORMSGCONTENT) = {
60 ASN1_SIMPLE(OSSL_CMP_ERRORMSGCONTENT, pKIStatusInfo, OSSL_CMP_PKISI),
61 ASN1_OPT(OSSL_CMP_ERRORMSGCONTENT, errorCode, ASN1_INTEGER),
62 /* OSSL_CMP_PKIFREETEXT is a ASN1_UTF8STRING sequence, so used directly */
63 ASN1_SEQUENCE_OF_OPT(OSSL_CMP_ERRORMSGCONTENT, errorDetails,
64 ASN1_UTF8STRING)
65 } ASN1_SEQUENCE_END(OSSL_CMP_ERRORMSGCONTENT)
66 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_ERRORMSGCONTENT)
67
68 ASN1_ADB_TEMPLATE(infotypeandvalue_default) = ASN1_OPT(OSSL_CMP_ITAV,
69 infoValue.other,
70 ASN1_ANY);
71 /* ITAV means InfoTypeAndValue */
72 ASN1_ADB(OSSL_CMP_ITAV) = {
73 /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
74 ADB_ENTRY(NID_id_it_caProtEncCert, ASN1_OPT(OSSL_CMP_ITAV,
75 infoValue.caProtEncCert, X509)),
76 ADB_ENTRY(NID_id_it_signKeyPairTypes,
77 ASN1_SEQUENCE_OF_OPT(OSSL_CMP_ITAV,
78 infoValue.signKeyPairTypes, X509_ALGOR)),
79 ADB_ENTRY(NID_id_it_encKeyPairTypes,
80 ASN1_SEQUENCE_OF_OPT(OSSL_CMP_ITAV,
81 infoValue.encKeyPairTypes, X509_ALGOR)),
82 ADB_ENTRY(NID_id_it_preferredSymmAlg,
83 ASN1_OPT(OSSL_CMP_ITAV, infoValue.preferredSymmAlg,
84 X509_ALGOR)),
85 ADB_ENTRY(NID_id_it_caKeyUpdateInfo,
86 ASN1_OPT(OSSL_CMP_ITAV, infoValue.caKeyUpdateInfo,
87 OSSL_CMP_CAKEYUPDANNCONTENT)),
88 ADB_ENTRY(NID_id_it_currentCRL,
89 ASN1_OPT(OSSL_CMP_ITAV, infoValue.currentCRL, X509_CRL)),
90 ADB_ENTRY(NID_id_it_unsupportedOIDs,
91 ASN1_SEQUENCE_OF_OPT(OSSL_CMP_ITAV,
92 infoValue.unsupportedOIDs, ASN1_OBJECT)),
93 ADB_ENTRY(NID_id_it_keyPairParamReq,
94 ASN1_OPT(OSSL_CMP_ITAV, infoValue.keyPairParamReq,
95 ASN1_OBJECT)),
96 ADB_ENTRY(NID_id_it_keyPairParamRep,
97 ASN1_OPT(OSSL_CMP_ITAV, infoValue.keyPairParamRep,
98 X509_ALGOR)),
99 ADB_ENTRY(NID_id_it_revPassphrase,
100 ASN1_OPT(OSSL_CMP_ITAV, infoValue.revPassphrase,
101 OSSL_CRMF_ENCRYPTEDVALUE)),
102 ADB_ENTRY(NID_id_it_implicitConfirm,
103 ASN1_OPT(OSSL_CMP_ITAV, infoValue.implicitConfirm,
104 ASN1_NULL)),
105 ADB_ENTRY(NID_id_it_confirmWaitTime,
106 ASN1_OPT(OSSL_CMP_ITAV, infoValue.confirmWaitTime,
107 ASN1_GENERALIZEDTIME)),
108 ADB_ENTRY(NID_id_it_origPKIMessage,
109 ASN1_OPT(OSSL_CMP_ITAV, infoValue.origPKIMessage,
110 OSSL_CMP_MSGS)),
111 ADB_ENTRY(NID_id_it_suppLangTags,
112 ASN1_SEQUENCE_OF_OPT(OSSL_CMP_ITAV, infoValue.suppLangTagsValue,
113 ASN1_UTF8STRING)),
114 ADB_ENTRY(NID_id_it_caCerts,
115 ASN1_SEQUENCE_OF_OPT(OSSL_CMP_ITAV, infoValue.caCerts, X509)),
116 ADB_ENTRY(NID_id_it_rootCaCert,
117 ASN1_OPT(OSSL_CMP_ITAV, infoValue.rootCaCert, X509)),
118 ADB_ENTRY(NID_id_it_rootCaKeyUpdate,
119 ASN1_OPT(OSSL_CMP_ITAV, infoValue.rootCaKeyUpdate,
120 OSSL_CMP_ROOTCAKEYUPDATE)),
121 ADB_ENTRY(NID_id_it_certReqTemplate,
122 ASN1_OPT(OSSL_CMP_ITAV, infoValue.certReqTemplate,
123 OSSL_CMP_CERTREQTEMPLATE)),
124 ADB_ENTRY(NID_id_it_certProfile,
125 ASN1_SEQUENCE_OF_OPT(OSSL_CMP_ITAV, infoValue.certProfile,
126 ASN1_UTF8STRING)),
127 ADB_ENTRY(NID_id_it_crlStatusList,
128 ASN1_SEQUENCE_OF_OPT(OSSL_CMP_ITAV, infoValue.crlStatusList,
129 OSSL_CMP_CRLSTATUS)),
130 ADB_ENTRY(NID_id_it_crls,
131 ASN1_SEQUENCE_OF_OPT(OSSL_CMP_ITAV, infoValue.crls, X509_CRL))
132 } ASN1_ADB_END(OSSL_CMP_ITAV, 0, infoType, 0,
133 &infotypeandvalue_default_tt, NULL);
134
135 ASN1_SEQUENCE(OSSL_CMP_ITAV) = {
136 ASN1_SIMPLE(OSSL_CMP_ITAV, infoType, ASN1_OBJECT),
137 ASN1_ADB_OBJECT(OSSL_CMP_ITAV)
138 } ASN1_SEQUENCE_END(OSSL_CMP_ITAV)
139 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_ITAV)
140 IMPLEMENT_ASN1_DUP_FUNCTION(OSSL_CMP_ITAV)
141
142 ASN1_SEQUENCE(OSSL_CMP_ROOTCAKEYUPDATE) = {
143 /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
144 ASN1_SIMPLE(OSSL_CMP_ROOTCAKEYUPDATE, newWithNew, X509),
145 ASN1_EXP_OPT(OSSL_CMP_ROOTCAKEYUPDATE, newWithOld, X509, 0),
146 ASN1_EXP_OPT(OSSL_CMP_ROOTCAKEYUPDATE, oldWithNew, X509, 1)
147 } ASN1_SEQUENCE_END(OSSL_CMP_ROOTCAKEYUPDATE)
148 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_ROOTCAKEYUPDATE)
149
150 ASN1_ITEM_TEMPLATE(OSSL_CMP_ATAVS) =
151 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,
152 OSSL_CMP_ATAVS, OSSL_CRMF_ATTRIBUTETYPEANDVALUE)
153 ASN1_ITEM_TEMPLATE_END(OSSL_CMP_ATAVS)
154 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_ATAVS)
155
156 ASN1_SEQUENCE(OSSL_CMP_CERTREQTEMPLATE) = {
157 ASN1_SIMPLE(OSSL_CMP_CERTREQTEMPLATE, certTemplate, OSSL_CRMF_CERTTEMPLATE),
158 ASN1_SEQUENCE_OF_OPT(OSSL_CMP_CERTREQTEMPLATE, keySpec,
159 OSSL_CRMF_ATTRIBUTETYPEANDVALUE)
160 } ASN1_SEQUENCE_END(OSSL_CMP_CERTREQTEMPLATE)
161 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CERTREQTEMPLATE)
162
163 ASN1_CHOICE(OSSL_CMP_CRLSOURCE) = {
164 ASN1_EXP(OSSL_CMP_CRLSOURCE, value.dpn, DIST_POINT_NAME, 0),
165 ASN1_EXP(OSSL_CMP_CRLSOURCE, value.issuer, GENERAL_NAMES, 1),
166 } ASN1_CHOICE_END(OSSL_CMP_CRLSOURCE)
167 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CRLSOURCE)
168 #define OSSL_CMP_CRLSOURCE_DPN 0
169 #define OSSL_CMP_CRLSOURCE_ISSUER 1
170
171 ASN1_SEQUENCE(OSSL_CMP_CRLSTATUS) = {
172 ASN1_SIMPLE(OSSL_CMP_CRLSTATUS, source, OSSL_CMP_CRLSOURCE),
173 ASN1_OPT(OSSL_CMP_CRLSTATUS, thisUpdate, ASN1_TIME)
174 } ASN1_SEQUENCE_END(OSSL_CMP_CRLSTATUS)
175 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CRLSTATUS)
176
177 OSSL_CMP_ITAV *OSSL_CMP_ITAV_create(ASN1_OBJECT *type, ASN1_TYPE *value)
178 {
179 OSSL_CMP_ITAV *itav;
180
181 if (type == NULL || (itav = OSSL_CMP_ITAV_new()) == NULL)
182 return NULL;
183 OSSL_CMP_ITAV_set0(itav, type, value);
184 return itav;
185 }
186
OSSL_CMP_ITAV_set0(OSSL_CMP_ITAV * itav,ASN1_OBJECT * type,ASN1_TYPE * value)187 void OSSL_CMP_ITAV_set0(OSSL_CMP_ITAV *itav, ASN1_OBJECT *type,
188 ASN1_TYPE *value)
189 {
190 itav->infoType = type;
191 itav->infoValue.other = value;
192 }
193
OSSL_CMP_ITAV_get0_type(const OSSL_CMP_ITAV * itav)194 ASN1_OBJECT *OSSL_CMP_ITAV_get0_type(const OSSL_CMP_ITAV *itav)
195 {
196 if (itav == NULL)
197 return NULL;
198 return itav->infoType;
199 }
200
OSSL_CMP_ITAV_get0_value(const OSSL_CMP_ITAV * itav)201 ASN1_TYPE *OSSL_CMP_ITAV_get0_value(const OSSL_CMP_ITAV *itav)
202 {
203 if (itav == NULL)
204 return NULL;
205 return itav->infoValue.other;
206 }
207
OSSL_CMP_ITAV_push0_stack_item(STACK_OF (OSSL_CMP_ITAV)** itav_sk_p,OSSL_CMP_ITAV * itav)208 int OSSL_CMP_ITAV_push0_stack_item(STACK_OF(OSSL_CMP_ITAV) **itav_sk_p,
209 OSSL_CMP_ITAV *itav)
210 {
211 int created = 0;
212
213 if (itav_sk_p == NULL || itav == NULL) {
214 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
215 goto err;
216 }
217
218 if (*itav_sk_p == NULL) {
219 if ((*itav_sk_p = sk_OSSL_CMP_ITAV_new_null()) == NULL)
220 goto err;
221 created = 1;
222 }
223 if (!sk_OSSL_CMP_ITAV_push(*itav_sk_p, itav))
224 goto err;
225 return 1;
226
227 err:
228 if (created) {
229 sk_OSSL_CMP_ITAV_free(*itav_sk_p);
230 *itav_sk_p = NULL;
231 }
232 return 0;
233 }
234
235 OSSL_CMP_ITAV
OSSL_CMP_ITAV_new0_certProfile(STACK_OF (ASN1_UTF8STRING)* certProfile)236 *OSSL_CMP_ITAV_new0_certProfile(STACK_OF(ASN1_UTF8STRING) *certProfile)
237 {
238 OSSL_CMP_ITAV *itav;
239
240 if ((itav = OSSL_CMP_ITAV_new()) == NULL)
241 return NULL;
242 itav->infoType = OBJ_nid2obj(NID_id_it_certProfile);
243 itav->infoValue.certProfile = certProfile;
244 return itav;
245 }
246
OSSL_CMP_ITAV_get0_certProfile(const OSSL_CMP_ITAV * itav,STACK_OF (ASN1_UTF8STRING)** out)247 int OSSL_CMP_ITAV_get0_certProfile(const OSSL_CMP_ITAV *itav,
248 STACK_OF(ASN1_UTF8STRING) **out)
249 {
250 if (itav == NULL || out == NULL) {
251 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_NULL_PARAMETER);
252 return 0;
253 }
254 if (OBJ_obj2nid(itav->infoType) != NID_id_it_certProfile) {
255 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_INVALID_ARGUMENT);
256 return 0;
257 }
258 *out = itav->infoValue.certProfile;
259 return 1;
260 }
261
OSSL_CMP_ITAV_new_caCerts(const STACK_OF (X509)* caCerts)262 OSSL_CMP_ITAV *OSSL_CMP_ITAV_new_caCerts(const STACK_OF(X509) *caCerts)
263 {
264 OSSL_CMP_ITAV *itav = OSSL_CMP_ITAV_new();
265
266 if (itav == NULL)
267 return NULL;
268 if (sk_X509_num(caCerts) > 0
269 && (itav->infoValue.caCerts =
270 sk_X509_deep_copy(caCerts, X509_dup, X509_free)) == NULL) {
271 OSSL_CMP_ITAV_free(itav);
272 return NULL;
273 }
274 itav->infoType = OBJ_nid2obj(NID_id_it_caCerts);
275 return itav;
276 }
277
OSSL_CMP_ITAV_get0_caCerts(const OSSL_CMP_ITAV * itav,STACK_OF (X509)** out)278 int OSSL_CMP_ITAV_get0_caCerts(const OSSL_CMP_ITAV *itav, STACK_OF(X509) **out)
279 {
280 if (itav == NULL || out == NULL) {
281 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_NULL_PARAMETER);
282 return 0;
283 }
284 if (OBJ_obj2nid(itav->infoType) != NID_id_it_caCerts) {
285 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_INVALID_ARGUMENT);
286 return 0;
287 }
288 *out = sk_X509_num(itav->infoValue.caCerts) > 0
289 ? itav->infoValue.caCerts : NULL;
290 return 1;
291 }
292
OSSL_CMP_ITAV_new_rootCaCert(const X509 * rootCaCert)293 OSSL_CMP_ITAV *OSSL_CMP_ITAV_new_rootCaCert(const X509 *rootCaCert)
294 {
295 OSSL_CMP_ITAV *itav = OSSL_CMP_ITAV_new();
296
297 if (itav == NULL)
298 return NULL;
299 if (rootCaCert != NULL
300 && (itav->infoValue.rootCaCert = X509_dup(rootCaCert)) == NULL) {
301 OSSL_CMP_ITAV_free(itav);
302 return NULL;
303 }
304 itav->infoType = OBJ_nid2obj(NID_id_it_rootCaCert);
305 return itav;
306 }
307
OSSL_CMP_ITAV_get0_rootCaCert(const OSSL_CMP_ITAV * itav,X509 ** out)308 int OSSL_CMP_ITAV_get0_rootCaCert(const OSSL_CMP_ITAV *itav, X509 **out)
309 {
310 if (itav == NULL || out == NULL) {
311 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_NULL_PARAMETER);
312 return 0;
313 }
314 if (OBJ_obj2nid(itav->infoType) != NID_id_it_rootCaCert) {
315 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_INVALID_ARGUMENT);
316 return 0;
317 }
318 *out = itav->infoValue.rootCaCert;
319 return 1;
320 }
OSSL_CMP_ITAV_new_rootCaKeyUpdate(const X509 * newWithNew,const X509 * newWithOld,const X509 * oldWithNew)321 OSSL_CMP_ITAV *OSSL_CMP_ITAV_new_rootCaKeyUpdate(const X509 *newWithNew,
322 const X509 *newWithOld,
323 const X509 *oldWithNew)
324 {
325 OSSL_CMP_ITAV *itav;
326 OSSL_CMP_ROOTCAKEYUPDATE *upd = NULL;
327
328 if (newWithNew != NULL) {
329 upd = OSSL_CMP_ROOTCAKEYUPDATE_new();
330 if (upd == NULL)
331 return NULL;
332
333 if ((upd->newWithNew = X509_dup(newWithNew)) == NULL)
334 goto err;
335 if (newWithOld != NULL
336 && (upd->newWithOld = X509_dup(newWithOld)) == NULL)
337 goto err;
338 if (oldWithNew != NULL
339 && (upd->oldWithNew = X509_dup(oldWithNew)) == NULL)
340 goto err;
341 }
342
343 if ((itav = OSSL_CMP_ITAV_new()) == NULL)
344 goto err;
345 itav->infoType = OBJ_nid2obj(NID_id_it_rootCaKeyUpdate);
346 itav->infoValue.rootCaKeyUpdate = upd;
347 return itav;
348
349 err:
350 OSSL_CMP_ROOTCAKEYUPDATE_free(upd);
351 return NULL;
352 }
353
OSSL_CMP_ITAV_get0_rootCaKeyUpdate(const OSSL_CMP_ITAV * itav,X509 ** newWithNew,X509 ** newWithOld,X509 ** oldWithNew)354 int OSSL_CMP_ITAV_get0_rootCaKeyUpdate(const OSSL_CMP_ITAV *itav,
355 X509 **newWithNew,
356 X509 **newWithOld,
357 X509 **oldWithNew)
358 {
359 OSSL_CMP_ROOTCAKEYUPDATE *upd;
360
361 if (itav == NULL || newWithNew == NULL) {
362 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_NULL_PARAMETER);
363 return 0;
364 }
365 if (OBJ_obj2nid(itav->infoType) != NID_id_it_rootCaKeyUpdate) {
366 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_INVALID_ARGUMENT);
367 return 0;
368 }
369 upd = itav->infoValue.rootCaKeyUpdate;
370 *newWithNew = upd != NULL ? upd->newWithNew : NULL;
371 if (newWithOld != NULL)
372 *newWithOld = upd != NULL ? upd->newWithOld : NULL;
373 if (oldWithNew != NULL)
374 *oldWithNew = upd != NULL ? upd->oldWithNew : NULL;
375 return 1;
376 }
377
378 OSSL_CMP_ITAV
OSSL_CMP_ITAV_new0_certReqTemplate(OSSL_CRMF_CERTTEMPLATE * certTemplate,OSSL_CMP_ATAVS * keySpec)379 *OSSL_CMP_ITAV_new0_certReqTemplate(OSSL_CRMF_CERTTEMPLATE *certTemplate,
380 OSSL_CMP_ATAVS *keySpec)
381 {
382 OSSL_CMP_ITAV *itav;
383 OSSL_CMP_CERTREQTEMPLATE *tmpl;
384
385 if (certTemplate == NULL && keySpec != NULL) {
386 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_INVALID_ARGUMENT);
387 return NULL;
388 }
389 if ((itav = OSSL_CMP_ITAV_new()) == NULL)
390 return NULL;
391 itav->infoType = OBJ_nid2obj(NID_id_it_certReqTemplate);
392 if (certTemplate == NULL)
393 return itav;
394
395 if ((tmpl = OSSL_CMP_CERTREQTEMPLATE_new()) == NULL) {
396 OSSL_CMP_ITAV_free(itav);
397 return NULL;
398 }
399 itav->infoValue.certReqTemplate = tmpl;
400 tmpl->certTemplate = certTemplate;
401 tmpl->keySpec = keySpec;
402 return itav;
403 }
404
OSSL_CMP_ITAV_get1_certReqTemplate(const OSSL_CMP_ITAV * itav,OSSL_CRMF_CERTTEMPLATE ** certTemplate,OSSL_CMP_ATAVS ** keySpec)405 int OSSL_CMP_ITAV_get1_certReqTemplate(const OSSL_CMP_ITAV *itav,
406 OSSL_CRMF_CERTTEMPLATE **certTemplate,
407 OSSL_CMP_ATAVS **keySpec)
408 {
409 OSSL_CMP_CERTREQTEMPLATE *tpl;
410
411 if (itav == NULL || certTemplate == NULL) {
412 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
413 return 0;
414 }
415
416 *certTemplate = NULL;
417 if (keySpec != NULL)
418 *keySpec = NULL;
419
420 if (OBJ_obj2nid(itav->infoType) != NID_id_it_certReqTemplate) {
421 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_INVALID_ARGUMENT);
422 return 0;
423 }
424 tpl = itav->infoValue.certReqTemplate;
425 if (tpl == NULL) /* no requirements available */
426 return 1;
427
428 if ((*certTemplate = OSSL_CRMF_CERTTEMPLATE_dup(tpl->certTemplate)) == NULL)
429 return 0;
430 if (keySpec != NULL && tpl->keySpec != NULL) {
431 int i, n = sk_OSSL_CMP_ATAV_num(tpl->keySpec);
432
433 *keySpec = sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_new_reserve(NULL, n);
434 if (*keySpec == NULL)
435 goto err;
436 for (i = 0; i < n; i++) {
437 OSSL_CMP_ATAV *atav = sk_OSSL_CMP_ATAV_value(tpl->keySpec, i);
438 ASN1_OBJECT *type = OSSL_CMP_ATAV_get0_type(atav /* may be NULL */);
439 int nid;
440 const char *name;
441
442 if (type == NULL) {
443 ERR_raise_data(ERR_LIB_CMP, CMP_R_INVALID_KEYSPEC,
444 "keySpec with index %d in certReqTemplate does not exist",
445 i);
446 goto err;
447 }
448 nid = OBJ_obj2nid(type);
449
450 if (nid != NID_id_regCtrl_algId
451 && nid != NID_id_regCtrl_rsaKeyLen) {
452 name = OBJ_nid2ln(nid);
453 if (name == NULL)
454 name = OBJ_nid2sn(nid);
455 if (name == NULL)
456 name = "<undef>";
457 ERR_raise_data(ERR_LIB_CMP, CMP_R_INVALID_KEYSPEC,
458 "keySpec with index %d in certReqTemplate has invalid type %s",
459 i, name);
460 goto err;
461 }
462 OSSL_CMP_ATAV_push1(keySpec, atav);
463 }
464 }
465 return 1;
466
467 err:
468 OSSL_CRMF_CERTTEMPLATE_free(*certTemplate);
469 *certTemplate = NULL;
470 sk_OSSL_CMP_ATAV_pop_free(*keySpec, OSSL_CMP_ATAV_free);
471 if (keySpec != NULL)
472 *keySpec = NULL;
473 return 0;
474 }
475
OSSL_CMP_ATAV_create(ASN1_OBJECT * type,ASN1_TYPE * value)476 OSSL_CMP_ATAV *OSSL_CMP_ATAV_create(ASN1_OBJECT *type, ASN1_TYPE *value)
477 {
478 OSSL_CMP_ATAV *atav;
479
480 if ((atav = OSSL_CRMF_ATTRIBUTETYPEANDVALUE_new()) == NULL)
481 return NULL;
482 OSSL_CMP_ATAV_set0(atav, type, value);
483 return atav;
484 }
485
OSSL_CMP_ATAV_set0(OSSL_CMP_ATAV * atav,ASN1_OBJECT * type,ASN1_TYPE * value)486 void OSSL_CMP_ATAV_set0(OSSL_CMP_ATAV *atav, ASN1_OBJECT *type,
487 ASN1_TYPE *value)
488 {
489 atav->type = type;
490 atav->value.other = value;
491 }
492
OSSL_CMP_ATAV_get0_type(const OSSL_CMP_ATAV * atav)493 ASN1_OBJECT *OSSL_CMP_ATAV_get0_type(const OSSL_CMP_ATAV *atav)
494 {
495 if (atav == NULL)
496 return NULL;
497 return atav->type;
498 }
499
OSSL_CMP_ATAV_new_algId(const X509_ALGOR * alg)500 OSSL_CMP_ATAV *OSSL_CMP_ATAV_new_algId(const X509_ALGOR *alg)
501 {
502 X509_ALGOR *dup;
503 OSSL_CMP_ATAV *res;
504
505 if (alg == NULL) {
506 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
507 return NULL;
508 }
509 if ((dup = X509_ALGOR_dup(alg)) == NULL)
510 return NULL;
511 res = OSSL_CMP_ATAV_create(OBJ_nid2obj(NID_id_regCtrl_algId),
512 (ASN1_TYPE *)dup);
513 if (res == NULL)
514 X509_ALGOR_free(dup);
515 return res;
516 }
517
OSSL_CMP_ATAV_get0_algId(const OSSL_CMP_ATAV * atav)518 X509_ALGOR *OSSL_CMP_ATAV_get0_algId(const OSSL_CMP_ATAV *atav)
519 {
520 if (atav == NULL || OBJ_obj2nid(atav->type) != NID_id_regCtrl_algId)
521 return NULL;
522 return atav->value.algId;
523 }
524
OSSL_CMP_ATAV_new_rsaKeyLen(int len)525 OSSL_CMP_ATAV *OSSL_CMP_ATAV_new_rsaKeyLen(int len)
526 {
527 ASN1_INTEGER *aint;
528 OSSL_CMP_ATAV *res = NULL;
529
530 if (len <= 0) {
531 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_INVALID_ARGUMENT);
532 return NULL;
533 }
534 if ((aint = ASN1_INTEGER_new()) == NULL)
535 return NULL;
536 if (!ASN1_INTEGER_set(aint, len)
537 || (res = OSSL_CMP_ATAV_create(OBJ_nid2obj(NID_id_regCtrl_rsaKeyLen),
538 (ASN1_TYPE *)aint)) == NULL)
539 ASN1_INTEGER_free(aint);
540 return res;
541 }
542
OSSL_CMP_ATAV_get_rsaKeyLen(const OSSL_CMP_ATAV * atav)543 int OSSL_CMP_ATAV_get_rsaKeyLen(const OSSL_CMP_ATAV *atav)
544 {
545 int64_t val;
546
547 if (atav == NULL || OBJ_obj2nid(atav->type) != NID_id_regCtrl_rsaKeyLen
548 || !ASN1_INTEGER_get_int64(&val, atav->value.rsaKeyLen))
549 return -1;
550 if (val <= 0 || val > INT_MAX)
551 return -2;
552 return (int)val;
553 }
554
OSSL_CMP_ATAV_get0_value(const OSSL_CMP_ATAV * atav)555 ASN1_TYPE *OSSL_CMP_ATAV_get0_value(const OSSL_CMP_ATAV *atav)
556 {
557 if (atav == NULL)
558 return NULL;
559 return atav->value.other;
560 }
561
OSSL_CMP_ATAV_push1(OSSL_CMP_ATAVS ** sk_p,const OSSL_CMP_ATAV * atav)562 int OSSL_CMP_ATAV_push1(OSSL_CMP_ATAVS **sk_p, const OSSL_CMP_ATAV *atav)
563 {
564 int created = 0;
565 OSSL_CMP_ATAV *dup;
566
567 if (sk_p == NULL || atav == NULL) {
568 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
569 goto err;
570 }
571
572 if (*sk_p == NULL) {
573 if ((*sk_p = sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_new_null()) == NULL)
574 goto err;
575 created = 1;
576 }
577
578 if ((dup = OSSL_CRMF_ATTRIBUTETYPEANDVALUE_dup((OSSL_CRMF_ATTRIBUTETYPEANDVALUE *)atav)) == NULL)
579 goto err;
580 if (sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_push(*sk_p, dup))
581 return 1;
582 OSSL_CRMF_ATTRIBUTETYPEANDVALUE_free(dup);
583
584 err:
585 if (created) {
586 sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_free(*sk_p);
587 *sk_p = NULL;
588 }
589 return 0;
590 }
591
592 OSSL_CMP_ITAV
OSSL_CMP_ITAV_new0_crlStatusList(STACK_OF (OSSL_CMP_CRLSTATUS)* crlStatusList)593 *OSSL_CMP_ITAV_new0_crlStatusList(STACK_OF(OSSL_CMP_CRLSTATUS) *crlStatusList)
594 {
595 OSSL_CMP_ITAV *itav;
596
597 if ((itav = OSSL_CMP_ITAV_new()) == NULL)
598 return NULL;
599 itav->infoType = OBJ_nid2obj(NID_id_it_crlStatusList);
600 itav->infoValue.crlStatusList = crlStatusList;
601 return itav;
602 }
603
OSSL_CMP_ITAV_get0_crlStatusList(const OSSL_CMP_ITAV * itav,STACK_OF (OSSL_CMP_CRLSTATUS)** out)604 int OSSL_CMP_ITAV_get0_crlStatusList(const OSSL_CMP_ITAV *itav,
605 STACK_OF(OSSL_CMP_CRLSTATUS) **out)
606 {
607 if (itav == NULL || out == NULL) {
608 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_NULL_PARAMETER);
609 return 0;
610 }
611 if (OBJ_obj2nid(itav->infoType) != NID_id_it_crlStatusList) {
612 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_INVALID_ARGUMENT);
613 return 0;
614 }
615 *out = itav->infoValue.crlStatusList;
616 return 1;
617 }
618
OSSL_CMP_CRLSTATUS_new1(const DIST_POINT_NAME * dpn,const GENERAL_NAMES * issuer,const ASN1_TIME * thisUpdate)619 OSSL_CMP_CRLSTATUS *OSSL_CMP_CRLSTATUS_new1(const DIST_POINT_NAME *dpn,
620 const GENERAL_NAMES *issuer,
621 const ASN1_TIME *thisUpdate)
622 {
623 OSSL_CMP_CRLSOURCE *crlsource;
624 OSSL_CMP_CRLSTATUS *crlstatus;
625
626 if (dpn == NULL && issuer == NULL) {
627 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_NULL_PARAMETER);
628 return NULL;
629 }
630 if (dpn != NULL && issuer != NULL) {
631 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_INVALID_ARGUMENT);
632 return NULL;
633 }
634
635 if ((crlstatus = OSSL_CMP_CRLSTATUS_new()) == NULL)
636 return NULL;
637 crlsource = crlstatus->source;
638
639 if (dpn != NULL) {
640 crlsource->type = OSSL_CMP_CRLSOURCE_DPN;
641 if ((crlsource->value.dpn = DIST_POINT_NAME_dup(dpn)) == NULL)
642 goto err;
643 } else {
644 crlsource->type = OSSL_CMP_CRLSOURCE_ISSUER;
645 if ((crlsource->value.issuer =
646 sk_GENERAL_NAME_deep_copy(issuer, GENERAL_NAME_dup,
647 GENERAL_NAME_free)) == NULL)
648 goto err;
649 }
650
651 if (thisUpdate != NULL
652 && (crlstatus->thisUpdate = ASN1_TIME_dup(thisUpdate)) == NULL)
653 goto err;
654 return crlstatus;
655
656 err:
657 OSSL_CMP_CRLSTATUS_free(crlstatus);
658 return NULL;
659 }
660
gennames_new(const X509_NAME * nm)661 static GENERAL_NAMES *gennames_new(const X509_NAME *nm)
662 {
663 GENERAL_NAMES *names;
664 GENERAL_NAME *name = NULL;
665
666 if ((names = sk_GENERAL_NAME_new_reserve(NULL, 1)) == NULL)
667 return NULL;
668 if (!GENERAL_NAME_set1_X509_NAME(&name, nm)) {
669 sk_GENERAL_NAME_free(names);
670 return NULL;
671 }
672 (void)sk_GENERAL_NAME_push(names, name); /* cannot fail */
673 return names;
674 }
675
gennames_allowed(GENERAL_NAMES * names,int only_DN)676 static int gennames_allowed(GENERAL_NAMES *names, int only_DN)
677 {
678 if (names == NULL)
679 return 0;
680 if (!only_DN)
681 return 1;
682 return sk_GENERAL_NAME_num(names) == 1
683 && sk_GENERAL_NAME_value(names, 0)->type == GEN_DIRNAME;
684 }
685
OSSL_CMP_CRLSTATUS_create(const X509_CRL * crl,const X509 * cert,int only_DN)686 OSSL_CMP_CRLSTATUS *OSSL_CMP_CRLSTATUS_create(const X509_CRL *crl,
687 const X509 *cert, int only_DN)
688 {
689 STACK_OF(DIST_POINT) *crldps = NULL;
690 ISSUING_DIST_POINT *idp = NULL;
691 DIST_POINT_NAME *dpn = NULL;
692 AUTHORITY_KEYID *akid = NULL;
693 GENERAL_NAMES *issuers = NULL;
694 const GENERAL_NAMES *CRLissuer = NULL;
695 const ASN1_TIME *last = crl == NULL ? NULL : X509_CRL_get0_lastUpdate(crl);
696 OSSL_CMP_CRLSTATUS *status = NULL;
697 int i, NID_akid = NID_authority_key_identifier;
698
699 /*
700 * Note:
701 * X509{,_CRL}_get_ext_d2i(..., NID, ..., NULL) return the 1st extension with
702 * given NID that is available, if any. If there are more, this is an error.
703 */
704 if (cert != NULL) {
705 crldps = X509_get_ext_d2i(cert, NID_crl_distribution_points, NULL, NULL);
706 /* if available, take the first suitable element */
707 for (i = 0; i < sk_DIST_POINT_num(crldps); i++) {
708 DIST_POINT *dp = sk_DIST_POINT_value(crldps, i);
709
710 if (dp == NULL)
711 continue;
712 if ((dpn = dp->distpoint) != NULL) {
713 CRLissuer = NULL;
714 break;
715 }
716 if (gennames_allowed(dp->CRLissuer, only_DN) && CRLissuer == NULL)
717 /* don't break because any dp->distpoint in list is preferred */
718 CRLissuer = dp->CRLissuer;
719 }
720 } else {
721 if (crl == NULL) {
722 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
723 return NULL;
724 }
725 idp = X509_CRL_get_ext_d2i(crl,
726 NID_issuing_distribution_point, NULL, NULL);
727 if (idp != NULL && idp->distpoint != NULL)
728 dpn = idp->distpoint;
729 }
730
731 if (dpn == NULL && CRLissuer == NULL) {
732 if (cert != NULL) {
733 akid = X509_get_ext_d2i(cert, NID_akid, NULL, NULL);
734 if (akid != NULL && gennames_allowed(akid->issuer, only_DN))
735 CRLissuer = akid->issuer;
736 else
737 CRLissuer = issuers = gennames_new(X509_get_issuer_name(cert));
738 }
739 if (CRLissuer == NULL && crl != NULL) {
740 akid = X509_CRL_get_ext_d2i(crl, NID_akid, NULL, NULL);
741 if (akid != NULL && gennames_allowed(akid->issuer, only_DN))
742 CRLissuer = akid->issuer;
743 else
744 CRLissuer = issuers = gennames_new(X509_CRL_get_issuer(crl));
745 }
746 if (CRLissuer == NULL)
747 goto end;
748 }
749
750 status = OSSL_CMP_CRLSTATUS_new1(dpn, CRLissuer, last);
751 end:
752 sk_DIST_POINT_pop_free(crldps, DIST_POINT_free);
753 ISSUING_DIST_POINT_free(idp);
754 AUTHORITY_KEYID_free(akid);
755 sk_GENERAL_NAME_pop_free(issuers, GENERAL_NAME_free);
756 return status;
757 }
758
OSSL_CMP_CRLSTATUS_get0(const OSSL_CMP_CRLSTATUS * crlstatus,DIST_POINT_NAME ** dpn,GENERAL_NAMES ** issuer,ASN1_TIME ** thisUpdate)759 int OSSL_CMP_CRLSTATUS_get0(const OSSL_CMP_CRLSTATUS *crlstatus,
760 DIST_POINT_NAME **dpn, GENERAL_NAMES **issuer,
761 ASN1_TIME **thisUpdate)
762 {
763 OSSL_CMP_CRLSOURCE *crlsource;
764
765 if (crlstatus == NULL || dpn == NULL || issuer == NULL) {
766 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
767 return 0;
768 }
769 if ((crlsource = crlstatus->source) == NULL) {
770 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_INVALID_ARGUMENT);
771 return 0;
772 }
773
774 if (crlsource->type == OSSL_CMP_CRLSOURCE_DPN) {
775 *dpn = crlsource->value.dpn;
776 *issuer = NULL;
777 } else if (crlsource->type == OSSL_CMP_CRLSOURCE_ISSUER) {
778 *dpn = NULL;
779 *issuer = crlsource->value.issuer;
780 } else {
781 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_INVALID_ARGUMENT);
782 return 0;
783 }
784 if (thisUpdate != NULL)
785 *thisUpdate = crlstatus->thisUpdate;
786 return 1;
787 }
788
OSSL_CMP_ITAV_new_crls(const X509_CRL * crl)789 OSSL_CMP_ITAV *OSSL_CMP_ITAV_new_crls(const X509_CRL *crl)
790 {
791 OSSL_CMP_ITAV *itav;
792 X509_CRL *crl_copy = NULL;
793 STACK_OF(X509_CRL) *crls = NULL;
794
795 if ((itav = OSSL_CMP_ITAV_new()) == NULL)
796 return NULL;
797
798 if (crl != NULL) {
799 if ((crls = sk_X509_CRL_new_reserve(NULL, 1)) == NULL
800 || (crl_copy = X509_CRL_dup(crl)) == NULL
801 || !sk_X509_CRL_push(crls, crl_copy))
802 goto err;
803 crl_copy = NULL; /* ownership transferred to crls */
804 }
805
806 itav->infoType = OBJ_nid2obj(NID_id_it_crls);
807 itav->infoValue.crls = crls;
808 return itav;
809
810 err:
811 OPENSSL_free(crl_copy);
812 sk_X509_CRL_free(crls);
813 OSSL_CMP_ITAV_free(itav);
814 return NULL;
815 }
816
OSSL_CMP_ITAV_get0_crls(const OSSL_CMP_ITAV * itav,STACK_OF (X509_CRL)** out)817 int OSSL_CMP_ITAV_get0_crls(const OSSL_CMP_ITAV *itav, STACK_OF(X509_CRL) **out)
818 {
819 if (itav == NULL || out == NULL) {
820 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_NULL_PARAMETER);
821 return 0;
822 }
823 if (OBJ_obj2nid(itav->infoType) != NID_id_it_crls) {
824 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_INVALID_ARGUMENT);
825 return 0;
826 }
827 *out = itav->infoValue.crls;
828 return 1;
829 }
830
831 /* get ASN.1 encoded integer, return -2 on error; -1 is valid for certReqId */
ossl_cmp_asn1_get_int(const ASN1_INTEGER * a)832 int ossl_cmp_asn1_get_int(const ASN1_INTEGER *a)
833 {
834 int64_t res;
835
836 if (!ASN1_INTEGER_get_int64(&res, a)) {
837 ERR_raise(ERR_LIB_CMP, ASN1_R_INVALID_NUMBER);
838 return -2;
839 }
840 if (res < INT_MIN) {
841 ERR_raise(ERR_LIB_CMP, ASN1_R_TOO_SMALL);
842 return -2;
843 }
844 if (res > INT_MAX) {
845 ERR_raise(ERR_LIB_CMP, ASN1_R_TOO_LARGE);
846 return -2;
847 }
848 return (int)res;
849 }
850
ossl_cmp_msg_cb(int operation,ASN1_VALUE ** pval,ossl_unused const ASN1_ITEM * it,void * exarg)851 static int ossl_cmp_msg_cb(int operation, ASN1_VALUE **pval,
852 ossl_unused const ASN1_ITEM *it, void *exarg)
853 {
854 OSSL_CMP_MSG *msg = (OSSL_CMP_MSG *)*pval;
855
856 switch (operation) {
857 case ASN1_OP_FREE_POST:
858 OPENSSL_free(msg->propq);
859 break;
860
861 case ASN1_OP_DUP_POST:
862 {
863 OSSL_CMP_MSG *old = exarg;
864
865 if (!ossl_cmp_msg_set0_libctx(msg, old->libctx, old->propq))
866 return 0;
867 }
868 break;
869 case ASN1_OP_GET0_LIBCTX:
870 {
871 OSSL_LIB_CTX **libctx = exarg;
872
873 *libctx = msg->libctx;
874 }
875 break;
876 case ASN1_OP_GET0_PROPQ:
877 {
878 const char **propq = exarg;
879
880 *propq = msg->propq;
881 }
882 break;
883 default:
884 break;
885 }
886
887 return 1;
888 }
889
890 ASN1_CHOICE(OSSL_CMP_CERTORENCCERT) = {
891 /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
892 ASN1_EXP(OSSL_CMP_CERTORENCCERT, value.certificate, X509, 0),
893 ASN1_EXP(OSSL_CMP_CERTORENCCERT, value.encryptedCert,
894 OSSL_CRMF_ENCRYPTEDKEY, 1),
895 } ASN1_CHOICE_END(OSSL_CMP_CERTORENCCERT)
896 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CERTORENCCERT)
897
898 ASN1_SEQUENCE(OSSL_CMP_CERTIFIEDKEYPAIR) = {
899 ASN1_SIMPLE(OSSL_CMP_CERTIFIEDKEYPAIR, certOrEncCert,
900 OSSL_CMP_CERTORENCCERT),
901 ASN1_EXP_OPT(OSSL_CMP_CERTIFIEDKEYPAIR, privateKey,
902 OSSL_CRMF_ENCRYPTEDKEY, 0),
903 ASN1_EXP_OPT(OSSL_CMP_CERTIFIEDKEYPAIR, publicationInfo,
904 OSSL_CRMF_PKIPUBLICATIONINFO, 1)
905 } ASN1_SEQUENCE_END(OSSL_CMP_CERTIFIEDKEYPAIR)
906 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CERTIFIEDKEYPAIR)
907
908 ASN1_SEQUENCE(OSSL_CMP_REVDETAILS) = {
909 ASN1_SIMPLE(OSSL_CMP_REVDETAILS, certDetails, OSSL_CRMF_CERTTEMPLATE),
910 ASN1_OPT(OSSL_CMP_REVDETAILS, crlEntryDetails, X509_EXTENSIONS)
911 } ASN1_SEQUENCE_END(OSSL_CMP_REVDETAILS)
912 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_REVDETAILS)
913
914 ASN1_ITEM_TEMPLATE(OSSL_CMP_REVREQCONTENT) =
915 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, OSSL_CMP_REVREQCONTENT,
916 OSSL_CMP_REVDETAILS)
917 ASN1_ITEM_TEMPLATE_END(OSSL_CMP_REVREQCONTENT)
918
919 ASN1_SEQUENCE(OSSL_CMP_REVREPCONTENT) = {
920 ASN1_SEQUENCE_OF(OSSL_CMP_REVREPCONTENT, status, OSSL_CMP_PKISI),
921 ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_REVREPCONTENT, revCerts, OSSL_CRMF_CERTID,
922 0),
923 ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_REVREPCONTENT, crls, X509_CRL, 1)
924 } ASN1_SEQUENCE_END(OSSL_CMP_REVREPCONTENT)
925 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_REVREPCONTENT)
926
927 ASN1_SEQUENCE(OSSL_CMP_KEYRECREPCONTENT) = {
928 ASN1_SIMPLE(OSSL_CMP_KEYRECREPCONTENT, status, OSSL_CMP_PKISI),
929 ASN1_EXP_OPT(OSSL_CMP_KEYRECREPCONTENT, newSigCert, X509, 0),
930 ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_KEYRECREPCONTENT, caCerts, X509, 1),
931 ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_KEYRECREPCONTENT, keyPairHist,
932 OSSL_CMP_CERTIFIEDKEYPAIR, 2)
933 } ASN1_SEQUENCE_END(OSSL_CMP_KEYRECREPCONTENT)
934 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_KEYRECREPCONTENT)
935
936 ASN1_ITEM_TEMPLATE(OSSL_CMP_PKISTATUS) =
937 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_UNIVERSAL, 0, status, ASN1_INTEGER)
938 ASN1_ITEM_TEMPLATE_END(OSSL_CMP_PKISTATUS)
939
940 ASN1_SEQUENCE(OSSL_CMP_PKISI) = {
941 ASN1_SIMPLE(OSSL_CMP_PKISI, status, OSSL_CMP_PKISTATUS),
942 /* OSSL_CMP_PKIFREETEXT is a ASN1_UTF8STRING sequence, so used directly */
943 ASN1_SEQUENCE_OF_OPT(OSSL_CMP_PKISI, statusString, ASN1_UTF8STRING),
944 /* OSSL_CMP_PKIFAILUREINFO is effectively ASN1_BIT_STRING, used directly */
945 ASN1_OPT(OSSL_CMP_PKISI, failInfo, ASN1_BIT_STRING)
946 } ASN1_SEQUENCE_END(OSSL_CMP_PKISI)
947 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_PKISI)
948 IMPLEMENT_ASN1_DUP_FUNCTION(OSSL_CMP_PKISI)
949
950 ASN1_SEQUENCE(OSSL_CMP_CERTSTATUS) = {
951 ASN1_SIMPLE(OSSL_CMP_CERTSTATUS, certHash, ASN1_OCTET_STRING),
952 ASN1_SIMPLE(OSSL_CMP_CERTSTATUS, certReqId, ASN1_INTEGER),
953 ASN1_OPT(OSSL_CMP_CERTSTATUS, statusInfo, OSSL_CMP_PKISI),
954 ASN1_EXP_OPT(OSSL_CMP_CERTSTATUS, hashAlg, X509_ALGOR, 0)
955 } ASN1_SEQUENCE_END(OSSL_CMP_CERTSTATUS)
956 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CERTSTATUS)
957
958 ASN1_ITEM_TEMPLATE(OSSL_CMP_CERTCONFIRMCONTENT) =
959 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, OSSL_CMP_CERTCONFIRMCONTENT,
960 OSSL_CMP_CERTSTATUS)
961 ASN1_ITEM_TEMPLATE_END(OSSL_CMP_CERTCONFIRMCONTENT)
962
963 ASN1_SEQUENCE(OSSL_CMP_CERTRESPONSE) = {
964 ASN1_SIMPLE(OSSL_CMP_CERTRESPONSE, certReqId, ASN1_INTEGER),
965 ASN1_SIMPLE(OSSL_CMP_CERTRESPONSE, status, OSSL_CMP_PKISI),
966 ASN1_OPT(OSSL_CMP_CERTRESPONSE, certifiedKeyPair,
967 OSSL_CMP_CERTIFIEDKEYPAIR),
968 ASN1_OPT(OSSL_CMP_CERTRESPONSE, rspInfo, ASN1_OCTET_STRING)
969 } ASN1_SEQUENCE_END(OSSL_CMP_CERTRESPONSE)
970 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CERTRESPONSE)
971
972 ASN1_SEQUENCE(OSSL_CMP_POLLREQ) = {
973 ASN1_SIMPLE(OSSL_CMP_POLLREQ, certReqId, ASN1_INTEGER)
974 } ASN1_SEQUENCE_END(OSSL_CMP_POLLREQ)
975 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_POLLREQ)
976
977 ASN1_ITEM_TEMPLATE(OSSL_CMP_POLLREQCONTENT) =
978 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, OSSL_CMP_POLLREQCONTENT,
979 OSSL_CMP_POLLREQ)
980 ASN1_ITEM_TEMPLATE_END(OSSL_CMP_POLLREQCONTENT)
981
982 ASN1_SEQUENCE(OSSL_CMP_POLLREP) = {
983 ASN1_SIMPLE(OSSL_CMP_POLLREP, certReqId, ASN1_INTEGER),
984 ASN1_SIMPLE(OSSL_CMP_POLLREP, checkAfter, ASN1_INTEGER),
985 ASN1_SEQUENCE_OF_OPT(OSSL_CMP_POLLREP, reason, ASN1_UTF8STRING),
986 } ASN1_SEQUENCE_END(OSSL_CMP_POLLREP)
987 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_POLLREP)
988
989 ASN1_ITEM_TEMPLATE(OSSL_CMP_POLLREPCONTENT) =
990 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,
991 OSSL_CMP_POLLREPCONTENT,
992 OSSL_CMP_POLLREP)
993 ASN1_ITEM_TEMPLATE_END(OSSL_CMP_POLLREPCONTENT)
994
995 ASN1_SEQUENCE(OSSL_CMP_CERTREPMESSAGE) = {
996 /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
997 ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_CERTREPMESSAGE, caPubs, X509, 1),
998 ASN1_SEQUENCE_OF(OSSL_CMP_CERTREPMESSAGE, response, OSSL_CMP_CERTRESPONSE)
999 } ASN1_SEQUENCE_END(OSSL_CMP_CERTREPMESSAGE)
1000 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CERTREPMESSAGE)
1001
1002 ASN1_ITEM_TEMPLATE(OSSL_CMP_GENMSGCONTENT) =
1003 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, OSSL_CMP_GENMSGCONTENT,
1004 OSSL_CMP_ITAV)
1005 ASN1_ITEM_TEMPLATE_END(OSSL_CMP_GENMSGCONTENT)
1006
1007 ASN1_ITEM_TEMPLATE(OSSL_CMP_GENREPCONTENT) =
1008 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, OSSL_CMP_GENREPCONTENT,
1009 OSSL_CMP_ITAV)
1010 ASN1_ITEM_TEMPLATE_END(OSSL_CMP_GENREPCONTENT)
1011
1012 ASN1_ITEM_TEMPLATE(OSSL_CMP_CRLANNCONTENT) =
1013 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,
1014 OSSL_CMP_CRLANNCONTENT, X509_CRL)
1015 ASN1_ITEM_TEMPLATE_END(OSSL_CMP_CRLANNCONTENT)
1016
1017 ASN1_CHOICE(OSSL_CMP_PKIBODY) = {
1018 ASN1_EXP(OSSL_CMP_PKIBODY, value.ir, OSSL_CRMF_MSGS, 0),
1019 ASN1_EXP(OSSL_CMP_PKIBODY, value.ip, OSSL_CMP_CERTREPMESSAGE, 1),
1020 ASN1_EXP(OSSL_CMP_PKIBODY, value.cr, OSSL_CRMF_MSGS, 2),
1021 ASN1_EXP(OSSL_CMP_PKIBODY, value.cp, OSSL_CMP_CERTREPMESSAGE, 3),
1022 ASN1_EXP(OSSL_CMP_PKIBODY, value.p10cr, X509_REQ, 4),
1023 ASN1_EXP(OSSL_CMP_PKIBODY, value.popdecc,
1024 OSSL_CMP_POPODECKEYCHALLCONTENT, 5),
1025 ASN1_EXP(OSSL_CMP_PKIBODY, value.popdecr,
1026 OSSL_CMP_POPODECKEYRESPCONTENT, 6),
1027 ASN1_EXP(OSSL_CMP_PKIBODY, value.kur, OSSL_CRMF_MSGS, 7),
1028 ASN1_EXP(OSSL_CMP_PKIBODY, value.kup, OSSL_CMP_CERTREPMESSAGE, 8),
1029 ASN1_EXP(OSSL_CMP_PKIBODY, value.krr, OSSL_CRMF_MSGS, 9),
1030 ASN1_EXP(OSSL_CMP_PKIBODY, value.krp, OSSL_CMP_KEYRECREPCONTENT, 10),
1031 ASN1_EXP(OSSL_CMP_PKIBODY, value.rr, OSSL_CMP_REVREQCONTENT, 11),
1032 ASN1_EXP(OSSL_CMP_PKIBODY, value.rp, OSSL_CMP_REVREPCONTENT, 12),
1033 ASN1_EXP(OSSL_CMP_PKIBODY, value.ccr, OSSL_CRMF_MSGS, 13),
1034 ASN1_EXP(OSSL_CMP_PKIBODY, value.ccp, OSSL_CMP_CERTREPMESSAGE, 14),
1035 ASN1_EXP(OSSL_CMP_PKIBODY, value.ckuann, OSSL_CMP_CAKEYUPDANNCONTENT, 15),
1036 ASN1_EXP(OSSL_CMP_PKIBODY, value.cann, X509, 16),
1037 ASN1_EXP(OSSL_CMP_PKIBODY, value.rann, OSSL_CMP_REVANNCONTENT, 17),
1038 ASN1_EXP(OSSL_CMP_PKIBODY, value.crlann, OSSL_CMP_CRLANNCONTENT, 18),
1039 ASN1_EXP(OSSL_CMP_PKIBODY, value.pkiconf, ASN1_ANY, 19),
1040 ASN1_EXP(OSSL_CMP_PKIBODY, value.nested, OSSL_CMP_MSGS, 20),
1041 ASN1_EXP(OSSL_CMP_PKIBODY, value.genm, OSSL_CMP_GENMSGCONTENT, 21),
1042 ASN1_EXP(OSSL_CMP_PKIBODY, value.genp, OSSL_CMP_GENREPCONTENT, 22),
1043 ASN1_EXP(OSSL_CMP_PKIBODY, value.error, OSSL_CMP_ERRORMSGCONTENT, 23),
1044 ASN1_EXP(OSSL_CMP_PKIBODY, value.certConf, OSSL_CMP_CERTCONFIRMCONTENT, 24),
1045 ASN1_EXP(OSSL_CMP_PKIBODY, value.pollReq, OSSL_CMP_POLLREQCONTENT, 25),
1046 ASN1_EXP(OSSL_CMP_PKIBODY, value.pollRep, OSSL_CMP_POLLREPCONTENT, 26),
1047 } ASN1_CHOICE_END(OSSL_CMP_PKIBODY)
1048 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_PKIBODY)
1049
1050 ASN1_SEQUENCE(OSSL_CMP_PKIHEADER) = {
1051 ASN1_SIMPLE(OSSL_CMP_PKIHEADER, pvno, ASN1_INTEGER),
1052 ASN1_SIMPLE(OSSL_CMP_PKIHEADER, sender, GENERAL_NAME),
1053 ASN1_SIMPLE(OSSL_CMP_PKIHEADER, recipient, GENERAL_NAME),
1054 ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, messageTime, ASN1_GENERALIZEDTIME, 0),
1055 ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, protectionAlg, X509_ALGOR, 1),
1056 ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, senderKID, ASN1_OCTET_STRING, 2),
1057 ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, recipKID, ASN1_OCTET_STRING, 3),
1058 ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, transactionID, ASN1_OCTET_STRING, 4),
1059 ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, senderNonce, ASN1_OCTET_STRING, 5),
1060 ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, recipNonce, ASN1_OCTET_STRING, 6),
1061 /* OSSL_CMP_PKIFREETEXT is a ASN1_UTF8STRING sequence, so used directly */
1062 ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_PKIHEADER, freeText, ASN1_UTF8STRING, 7),
1063 ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_PKIHEADER, generalInfo,
1064 OSSL_CMP_ITAV, 8)
1065 } ASN1_SEQUENCE_END(OSSL_CMP_PKIHEADER)
1066 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_PKIHEADER)
1067
1068 ASN1_SEQUENCE(OSSL_CMP_PROTECTEDPART) = {
1069 ASN1_SIMPLE(OSSL_CMP_MSG, header, OSSL_CMP_PKIHEADER),
1070 ASN1_SIMPLE(OSSL_CMP_MSG, body, OSSL_CMP_PKIBODY)
1071 } ASN1_SEQUENCE_END(OSSL_CMP_PROTECTEDPART)
1072 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_PROTECTEDPART)
1073
1074 ASN1_SEQUENCE_cb(OSSL_CMP_MSG, ossl_cmp_msg_cb) = {
1075 ASN1_SIMPLE(OSSL_CMP_MSG, header, OSSL_CMP_PKIHEADER),
1076 ASN1_SIMPLE(OSSL_CMP_MSG, body, OSSL_CMP_PKIBODY),
1077 ASN1_EXP_OPT(OSSL_CMP_MSG, protection, ASN1_BIT_STRING, 0),
1078 /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
1079 ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_MSG, extraCerts, X509, 1)
1080 } ASN1_SEQUENCE_END_cb(OSSL_CMP_MSG, OSSL_CMP_MSG)
1081 IMPLEMENT_ASN1_DUP_FUNCTION(OSSL_CMP_MSG)
1082
1083 ASN1_ITEM_TEMPLATE(OSSL_CMP_MSGS) =
1084 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, OSSL_CMP_MSGS,
1085 OSSL_CMP_MSG)
1086 ASN1_ITEM_TEMPLATE_END(OSSL_CMP_MSGS)
1087