/*-
 * Copyright 2007-2025 The OpenSSL Project Authors. All Rights Reserved.
 * Copyright Nokia 2007-2019
 * Copyright Siemens AG 2015-2019
 *
 * Licensed under the Apache License 2.0 (the "License"). You may not use
 * this file except in compliance with the License. You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 *
 * CRMF implementation by Martin Peylo, Miikka Viljanen, and David von Oheimb.
 */

#include <openssl/asn1t.h>

#include "crmf_local.h"

/* explicit #includes not strictly needed since implied by the above: */
#include <openssl/crmf.h>

/*
 * ASN.1 templates for the CRMF data structures.
 *
 * Each ASN1_SEQUENCE / ASN1_CHOICE table below lists the fields of one
 * structure in wire order, so entries must not be reordered.
 * IMPLEMENT_ASN1_FUNCTIONS(T) supplies the T_new(), T_free(), d2i_T() and
 * i2d_T() functions for the template of the same name.
 *
 * The templates only describe syntax. Fields declared with an *_OPT macro
 * may be absent from a successfully decoded structure, and no template here
 * restricts the length or numeric range of a value, so semantic validation
 * is left to the code that consumes the decoded objects.
 */

/*
 * OSSL_CRMF_PRIVATEKEYINFO: version, privateKeyAlgorithm and privateKey are
 * mandatory; attributes is an optional SET OF with implicit tag [0].
 * NOTE(review): privateKey holds key material as a plain OCTET STRING.
 * Whether the generated free function cleanses that buffer is not visible
 * in this file - confirm before relying on it.
 */
ASN1_SEQUENCE(OSSL_CRMF_PRIVATEKEYINFO) = {
    ASN1_SIMPLE(OSSL_CRMF_PRIVATEKEYINFO, version, ASN1_INTEGER),
    ASN1_SIMPLE(OSSL_CRMF_PRIVATEKEYINFO, privateKeyAlgorithm, X509_ALGOR),
    ASN1_SIMPLE(OSSL_CRMF_PRIVATEKEYINFO, privateKey, ASN1_OCTET_STRING),
    ASN1_IMP_SET_OF_OPT(OSSL_CRMF_PRIVATEKEYINFO, attributes, X509_ATTRIBUTE, 0)
} ASN1_SEQUENCE_END(OSSL_CRMF_PRIVATEKEYINFO)
IMPLEMENT_ASN1_FUNCTIONS(OSSL_CRMF_PRIVATEKEYINFO)

/*
 * Identifier of an OSSL_CRMF_ENCKEYWITHID: either a UTF8String or a
 * GeneralName. Neither alternative carries a context tag.
 */
ASN1_CHOICE(OSSL_CRMF_ENCKEYWITHID_IDENTIFIER) = {
    ASN1_SIMPLE(OSSL_CRMF_ENCKEYWITHID_IDENTIFIER,
                value.string, ASN1_UTF8STRING),
    ASN1_SIMPLE(OSSL_CRMF_ENCKEYWITHID_IDENTIFIER,
                value.generalName, GENERAL_NAME)
} ASN1_CHOICE_END(OSSL_CRMF_ENCKEYWITHID_IDENTIFIER)
IMPLEMENT_ASN1_FUNCTIONS(OSSL_CRMF_ENCKEYWITHID_IDENTIFIER)

/*
 * OSSL_CRMF_ENCKEYWITHID: a mandatory privateKey plus an optional identifier.
 * The identifier may be absent after decoding, so consumers that want the key
 * bound to an identity have to check for it themselves.
 */
ASN1_SEQUENCE(OSSL_CRMF_ENCKEYWITHID) = {
    ASN1_SIMPLE(OSSL_CRMF_ENCKEYWITHID, privateKey, OSSL_CRMF_PRIVATEKEYINFO),
    ASN1_OPT(OSSL_CRMF_ENCKEYWITHID, identifier,
             OSSL_CRMF_ENCKEYWITHID_IDENTIFIER)
} ASN1_SEQUENCE_END(OSSL_CRMF_ENCKEYWITHID)
IMPLEMENT_ASN1_FUNCTIONS(OSSL_CRMF_ENCKEYWITHID)

/*
 * OSSL_CRMF_CERTID: identifies a certificate by issuer (GeneralName) and
 * serialNumber. Both fields are mandatory.
 */
ASN1_SEQUENCE(OSSL_CRMF_CERTID) = {
    ASN1_SIMPLE(OSSL_CRMF_CERTID, issuer, GENERAL_NAME),
    ASN1_SIMPLE(OSSL_CRMF_CERTID, serialNumber, ASN1_INTEGER)
} ASN1_SEQUENCE_END(OSSL_CRMF_CERTID)
/*
 * new/free/d2i/i2d and dup functions for the OSSL_CRMF_CERTID template
 * defined directly above.
 */
IMPLEMENT_ASN1_FUNCTIONS(OSSL_CRMF_CERTID)
IMPLEMENT_ASN1_DUP_FUNCTION(OSSL_CRMF_CERTID)

/*
 * OSSL_CRMF_ENCRYPTEDVALUE: encValue is the only mandatory field; the five
 * preceding fields are optional with implicit tags [0]..[4].
 * A successful decode therefore does not imply that intendedAlg, symmAlg,
 * encSymmKey, keyAlg or valueHint are present. Code that decrypts such a
 * value must check each field it needs before use.
 */
ASN1_SEQUENCE(OSSL_CRMF_ENCRYPTEDVALUE) = {
    ASN1_IMP_OPT(OSSL_CRMF_ENCRYPTEDVALUE, intendedAlg, X509_ALGOR, 0),
    ASN1_IMP_OPT(OSSL_CRMF_ENCRYPTEDVALUE, symmAlg, X509_ALGOR, 1),
    ASN1_IMP_OPT(OSSL_CRMF_ENCRYPTEDVALUE, encSymmKey, ASN1_BIT_STRING, 2),
    ASN1_IMP_OPT(OSSL_CRMF_ENCRYPTEDVALUE, keyAlg, X509_ALGOR, 3),
    ASN1_IMP_OPT(OSSL_CRMF_ENCRYPTEDVALUE, valueHint, ASN1_OCTET_STRING, 4),
    ASN1_SIMPLE(OSSL_CRMF_ENCRYPTEDVALUE, encValue, ASN1_BIT_STRING)
} ASN1_SEQUENCE_END(OSSL_CRMF_ENCRYPTEDVALUE)
IMPLEMENT_ASN1_FUNCTIONS(OSSL_CRMF_ENCRYPTEDVALUE)

/*
 * Note from CMP Updates defining CMPv3:
 * The EncryptedKey structure defined in CRMF [RFC4211] is reused
 * here, which makes the update backward compatible. Using the new
 * syntax with the untagged default choice EncryptedValue is bits-on-
 * the-wire compatible with the old syntax.
 *
 * The envelopedData alternative (implicit tag [0]) is compiled in only when
 * OPENSSL_NO_CMS is not defined; in a no-CMS build encryptedValue is the sole
 * alternative of this CHOICE.
 * NOTE(review): presumably a [0]-tagged input then fails to decode in a
 * no-CMS build because no alternative matches - confirm.
 */
ASN1_CHOICE(OSSL_CRMF_ENCRYPTEDKEY) = {
    ASN1_SIMPLE(OSSL_CRMF_ENCRYPTEDKEY, value.encryptedValue, OSSL_CRMF_ENCRYPTEDVALUE),
#ifndef OPENSSL_NO_CMS
    ASN1_IMP(OSSL_CRMF_ENCRYPTEDKEY, value.envelopedData, CMS_EnvelopedData, 0),
#endif
} ASN1_CHOICE_END(OSSL_CRMF_ENCRYPTEDKEY)
IMPLEMENT_ASN1_FUNCTIONS(OSSL_CRMF_ENCRYPTEDKEY)

/*
 * OSSL_CRMF_SINGLEPUBINFO: pubMethod (INTEGER) and pubLocation (GeneralName),
 * both mandatory. The template accepts any INTEGER for pubMethod; checking
 * that it is a known method is left to the consumer.
 */
ASN1_SEQUENCE(OSSL_CRMF_SINGLEPUBINFO) = {
    ASN1_SIMPLE(OSSL_CRMF_SINGLEPUBINFO, pubMethod, ASN1_INTEGER),
    ASN1_SIMPLE(OSSL_CRMF_SINGLEPUBINFO, pubLocation, GENERAL_NAME)
} ASN1_SEQUENCE_END(OSSL_CRMF_SINGLEPUBINFO)
IMPLEMENT_ASN1_FUNCTIONS(OSSL_CRMF_SINGLEPUBINFO)

/*
 * OSSL_CRMF_PKIPUBLICATIONINFO: a mandatory action (INTEGER) followed by an
 * optional SEQUENCE OF OSSL_CRMF_SINGLEPUBINFO. As with pubMethod, the
 * template does not restrict the value of action.
 */
ASN1_SEQUENCE(OSSL_CRMF_PKIPUBLICATIONINFO) = {
    ASN1_SIMPLE(OSSL_CRMF_PKIPUBLICATIONINFO, action, ASN1_INTEGER),
    ASN1_SEQUENCE_OF_OPT(OSSL_CRMF_PKIPUBLICATIONINFO, pubInfos,
                         OSSL_CRMF_SINGLEPUBINFO)
} ASN1_SEQUENCE_END(OSSL_CRMF_PKIPUBLICATIONINFO)
IMPLEMENT_ASN1_FUNCTIONS(OSSL_CRMF_PKIPUBLICATIONINFO)
IMPLEMENT_ASN1_DUP_FUNCTION(OSSL_CRMF_PKIPUBLICATIONINFO)
/*
 * OSSL_CRMF_PKMACVALUE: a MAC algorithm identifier (algId) and the MAC value
 * as a BIT STRING. Both fields are mandatory.
 */
ASN1_SEQUENCE(OSSL_CRMF_PKMACVALUE) = {
    ASN1_SIMPLE(OSSL_CRMF_PKMACVALUE, algId, X509_ALGOR),
    ASN1_SIMPLE(OSSL_CRMF_PKMACVALUE, value, ASN1_BIT_STRING)
} ASN1_SEQUENCE_END(OSSL_CRMF_PKMACVALUE)
IMPLEMENT_ASN1_FUNCTIONS(OSSL_CRMF_PKMACVALUE)

/*
 * OSSL_CRMF_POPOPRIVKEY: CHOICE of five alternatives with implicit tags
 * [0]..[4]. The encryptedKey alternative [4] is declared as ASN1_NULL, a
 * placeholder according to the comment inside the table, so this template
 * cannot carry real EnvelopedData content for that alternative.
 * NOTE(review): OSSL_CRMF_ENCRYPTEDKEY in this file already references
 * CMS_EnvelopedData under an OPENSSL_NO_CMS guard; confirm whether the
 * placeholder here is still intended.
 */
ASN1_CHOICE(OSSL_CRMF_POPOPRIVKEY) = {
    ASN1_IMP(OSSL_CRMF_POPOPRIVKEY, value.thisMessage, ASN1_BIT_STRING, 0),
    ASN1_IMP(OSSL_CRMF_POPOPRIVKEY, value.subsequentMessage, ASN1_INTEGER, 1),
    ASN1_IMP(OSSL_CRMF_POPOPRIVKEY, value.dhMAC, ASN1_BIT_STRING, 2),
    ASN1_IMP(OSSL_CRMF_POPOPRIVKEY, value.agreeMAC, OSSL_CRMF_PKMACVALUE, 3),
    ASN1_IMP(OSSL_CRMF_POPOPRIVKEY, value.encryptedKey, ASN1_NULL, 4),
    /* When supported, ASN1_NULL needs to be replaced by CMS_ENVELOPEDDATA */
} ASN1_CHOICE_END(OSSL_CRMF_POPOPRIVKEY)
IMPLEMENT_ASN1_FUNCTIONS(OSSL_CRMF_POPOPRIVKEY)

/*
 * OSSL_CRMF_PBMPARAMETER: parameters of the password-based MAC - salt, the
 * one-way function (owf), iterationCount and the MAC algorithm. All four
 * fields are mandatory.
 * The template bounds neither the salt length nor iterationCount. When these
 * values come from a decoded message, the code that derives the MAC key has
 * to enforce its own limits before iterating.
 * NOTE(review): confirm that the PBM code consuming this structure does so.
 */
ASN1_SEQUENCE(OSSL_CRMF_PBMPARAMETER) = {
    ASN1_SIMPLE(OSSL_CRMF_PBMPARAMETER, salt, ASN1_OCTET_STRING),
    ASN1_SIMPLE(OSSL_CRMF_PBMPARAMETER, owf, X509_ALGOR),
    ASN1_SIMPLE(OSSL_CRMF_PBMPARAMETER, iterationCount, ASN1_INTEGER),
    ASN1_SIMPLE(OSSL_CRMF_PBMPARAMETER, mac, X509_ALGOR)
} ASN1_SEQUENCE_END(OSSL_CRMF_PBMPARAMETER)
IMPLEMENT_ASN1_FUNCTIONS(OSSL_CRMF_PBMPARAMETER)

/*
 * authInfo of an OSSL_CRMF_POPOSIGNINGKEYINPUT: either the sender as a
 * GeneralName with explicit tag [0], or an untagged publicKeyMAC.
 */
ASN1_CHOICE(OSSL_CRMF_POPOSIGNINGKEYINPUT_AUTHINFO) = {
    ASN1_EXP(OSSL_CRMF_POPOSIGNINGKEYINPUT_AUTHINFO, value.sender,
             GENERAL_NAME, 0),
    ASN1_SIMPLE(OSSL_CRMF_POPOSIGNINGKEYINPUT_AUTHINFO, value.publicKeyMAC,
                OSSL_CRMF_PKMACVALUE)
} ASN1_CHOICE_END(OSSL_CRMF_POPOSIGNINGKEYINPUT_AUTHINFO)
IMPLEMENT_ASN1_FUNCTIONS(OSSL_CRMF_POPOSIGNINGKEYINPUT_AUTHINFO)

/*
 * OSSL_CRMF_POPOSIGNINGKEYINPUT: the authInfo CHOICE above followed by the
 * public key. Both fields are mandatory.
 */
ASN1_SEQUENCE(OSSL_CRMF_POPOSIGNINGKEYINPUT) = {
    ASN1_SIMPLE(OSSL_CRMF_POPOSIGNINGKEYINPUT, authInfo,
                OSSL_CRMF_POPOSIGNINGKEYINPUT_AUTHINFO),
    ASN1_SIMPLE(OSSL_CRMF_POPOSIGNINGKEYINPUT, publicKey, X509_PUBKEY)
} ASN1_SEQUENCE_END(OSSL_CRMF_POPOSIGNINGKEYINPUT)
IMPLEMENT_ASN1_FUNCTIONS(OSSL_CRMF_POPOSIGNINGKEYINPUT)
/*
 * OSSL_CRMF_POPOSIGNINGKEY: an optional poposkInput (implicit tag [0])
 * followed by the mandatory signature algorithm and signature value.
 * Because poposkInput may be absent, code verifying the signature has to
 * handle both forms.
 */
ASN1_SEQUENCE(OSSL_CRMF_POPOSIGNINGKEY) = {
    ASN1_IMP_OPT(OSSL_CRMF_POPOSIGNINGKEY, poposkInput,
                 OSSL_CRMF_POPOSIGNINGKEYINPUT, 0),
    ASN1_SIMPLE(OSSL_CRMF_POPOSIGNINGKEY, algorithmIdentifier, X509_ALGOR),
    ASN1_SIMPLE(OSSL_CRMF_POPOSIGNINGKEY, signature, ASN1_BIT_STRING)
} ASN1_SEQUENCE_END(OSSL_CRMF_POPOSIGNINGKEY)
IMPLEMENT_ASN1_FUNCTIONS(OSSL_CRMF_POPOSIGNINGKEY)

/*
 * OSSL_CRMF_POPO: proof-of-possession CHOICE. raVerified [0] and
 * signature [1] are implicitly tagged; keyEncipherment [2] and
 * keyAgreement [3] are explicitly tagged.
 * raVerified is an ASN.1 NULL, so that alternative carries no cryptographic
 * evidence in the message itself. Whether to accept it is a decision for the
 * verifying code and cannot be expressed in this template.
 */
ASN1_CHOICE(OSSL_CRMF_POPO) = {
    ASN1_IMP(OSSL_CRMF_POPO, value.raVerified, ASN1_NULL, 0),
    ASN1_IMP(OSSL_CRMF_POPO, value.signature, OSSL_CRMF_POPOSIGNINGKEY, 1),
    ASN1_EXP(OSSL_CRMF_POPO, value.keyEncipherment, OSSL_CRMF_POPOPRIVKEY, 2),
    ASN1_EXP(OSSL_CRMF_POPO, value.keyAgreement, OSSL_CRMF_POPOPRIVKEY, 3)
} ASN1_CHOICE_END(OSSL_CRMF_POPO)
IMPLEMENT_ASN1_FUNCTIONS(OSSL_CRMF_POPO)

/*
 * Type-dependent value of OSSL_CRMF_ATTRIBUTETYPEANDVALUE. The ADB table
 * selects the template for the value from the NID of the `type` field.
 * A type with no ADB_ENTRY falls back to attributetypeandvalue_default,
 * which decodes the value as an optional ASN1_ANY into value.other.
 * Unrecognised attribute types are thus accepted by the decoder rather than
 * rejected, and consumers must check `type` before reading a value.* member.
 * NOTE(review): regToken and authenticator look like authentication data
 * carried as plain UTF8String, judging by their names - presumably decoded
 * values should be kept out of logs; confirm against the callers.
 * NOTE(review): the certReq entry refers to OSSL_CRMF_CERTREQUEST, whose
 * controls field is a SEQUENCE OF this type, so the structure is recursive.
 * Nesting depth is limited only by whatever the generic template decoder
 * enforces - confirm.
 */
ASN1_ADB_TEMPLATE(attributetypeandvalue_default) =
    ASN1_OPT(OSSL_CRMF_ATTRIBUTETYPEANDVALUE, value.other, ASN1_ANY);
ASN1_ADB(OSSL_CRMF_ATTRIBUTETYPEANDVALUE) = {
    ADB_ENTRY(NID_id_regCtrl_regToken,
              ASN1_SIMPLE(OSSL_CRMF_ATTRIBUTETYPEANDVALUE,
                          value.regToken, ASN1_UTF8STRING)),
    ADB_ENTRY(NID_id_regCtrl_authenticator,
              ASN1_SIMPLE(OSSL_CRMF_ATTRIBUTETYPEANDVALUE,
                          value.authenticator, ASN1_UTF8STRING)),
    ADB_ENTRY(NID_id_regCtrl_pkiPublicationInfo,
              ASN1_SIMPLE(OSSL_CRMF_ATTRIBUTETYPEANDVALUE,
                          value.pkiPublicationInfo,
                          OSSL_CRMF_PKIPUBLICATIONINFO)),
    ADB_ENTRY(NID_id_regCtrl_oldCertID,
              ASN1_SIMPLE(OSSL_CRMF_ATTRIBUTETYPEANDVALUE,
                          value.oldCertID, OSSL_CRMF_CERTID)),
    ADB_ENTRY(NID_id_regCtrl_protocolEncrKey,
              ASN1_SIMPLE(OSSL_CRMF_ATTRIBUTETYPEANDVALUE,
                          value.protocolEncrKey, X509_PUBKEY)),
    ADB_ENTRY(NID_id_regCtrl_algId,
              ASN1_SIMPLE(OSSL_CRMF_ATTRIBUTETYPEANDVALUE,
                          value.algId, X509_ALGOR)),
    ADB_ENTRY(NID_id_regCtrl_rsaKeyLen,
              ASN1_SIMPLE(OSSL_CRMF_ATTRIBUTETYPEANDVALUE,
                          value.rsaKeyLen, ASN1_INTEGER)),
    ADB_ENTRY(NID_id_regInfo_utf8Pairs,
              ASN1_SIMPLE(OSSL_CRMF_ATTRIBUTETYPEANDVALUE,
                          value.utf8Pairs, ASN1_UTF8STRING)),
    ADB_ENTRY(NID_id_regInfo_certReq,
              ASN1_SIMPLE(OSSL_CRMF_ATTRIBUTETYPEANDVALUE,
                          value.certReq, OSSL_CRMF_CERTREQUEST)),
} ASN1_ADB_END(OSSL_CRMF_ATTRIBUTETYPEANDVALUE, 0, type, 0,
               &attributetypeandvalue_default_tt, NULL);

/*
 * OSSL_CRMF_ATTRIBUTETYPEANDVALUE: the `type` OID followed by the value,
 * whose template is chosen through the ADB table above.
 */
ASN1_SEQUENCE(OSSL_CRMF_ATTRIBUTETYPEANDVALUE) = {
    ASN1_SIMPLE(OSSL_CRMF_ATTRIBUTETYPEANDVALUE, type, ASN1_OBJECT),
    ASN1_ADB_OBJECT(OSSL_CRMF_ATTRIBUTETYPEANDVALUE)
} ASN1_SEQUENCE_END(OSSL_CRMF_ATTRIBUTETYPEANDVALUE)

IMPLEMENT_ASN1_FUNCTIONS(OSSL_CRMF_ATTRIBUTETYPEANDVALUE)
IMPLEMENT_ASN1_DUP_FUNCTION(OSSL_CRMF_ATTRIBUTETYPEANDVALUE)

/*
 * OSSL_CRMF_OPTIONALVALIDITY: notBefore [0] and notAfter [1], both optional
 * and explicitly tagged. Either or both may be absent after decoding, and
 * the template does not check that notBefore precedes notAfter.
 */
ASN1_SEQUENCE(OSSL_CRMF_OPTIONALVALIDITY) = {
    ASN1_EXP_OPT(OSSL_CRMF_OPTIONALVALIDITY, notBefore, ASN1_TIME, 0),
    ASN1_EXP_OPT(OSSL_CRMF_OPTIONALVALIDITY, notAfter, ASN1_TIME, 1)
} ASN1_SEQUENCE_END(OSSL_CRMF_OPTIONALVALIDITY)
IMPLEMENT_ASN1_FUNCTIONS(OSSL_CRMF_OPTIONALVALIDITY)

/*
 * OSSL_CRMF_CERTTEMPLATE: the requested certificate contents. Every field is
 * optional and carries a context tag [0]..[9]; issuer and subject use
 * explicit tagging, the other fields implicit tagging.
 * The "MUST be omitted" rules noted inside the table are not enforced by this
 * template. serialNumber and signingAlg are declared like any other optional
 * field, so an encoding that contains them still decodes.
 * NOTE(review): confirm that the request-processing code rejects or ignores
 * requester-supplied values for these two fields.
 */
ASN1_SEQUENCE(OSSL_CRMF_CERTTEMPLATE) = {
    ASN1_IMP_OPT(OSSL_CRMF_CERTTEMPLATE, version, ASN1_INTEGER, 0),
    /*
     * serialNumber MUST be omitted. This field is assigned by the CA
     * during certificate creation.
     */
    ASN1_IMP_OPT(OSSL_CRMF_CERTTEMPLATE, serialNumber, ASN1_INTEGER, 1),
    /*
     * signingAlg MUST be omitted. This field is assigned by the CA
     * during certificate creation.
     */
    ASN1_IMP_OPT(OSSL_CRMF_CERTTEMPLATE, signingAlg, X509_ALGOR, 2),
    ASN1_EXP_OPT(OSSL_CRMF_CERTTEMPLATE, issuer, X509_NAME, 3),
    ASN1_IMP_OPT(OSSL_CRMF_CERTTEMPLATE, validity,
                 OSSL_CRMF_OPTIONALVALIDITY, 4),
    ASN1_EXP_OPT(OSSL_CRMF_CERTTEMPLATE, subject, X509_NAME, 5),
    ASN1_IMP_OPT(OSSL_CRMF_CERTTEMPLATE, publicKey, X509_PUBKEY, 6),
    /* issuerUID is deprecated in version 2 */
    ASN1_IMP_OPT(OSSL_CRMF_CERTTEMPLATE, issuerUID, ASN1_BIT_STRING, 7),
    /* subjectUID is deprecated in version 2 */
    ASN1_IMP_OPT(OSSL_CRMF_CERTTEMPLATE, subjectUID, ASN1_BIT_STRING, 8),
    ASN1_IMP_SEQUENCE_OF_OPT(OSSL_CRMF_CERTTEMPLATE, extensions,
                             X509_EXTENSION, 9),
} ASN1_SEQUENCE_END(OSSL_CRMF_CERTTEMPLATE)
IMPLEMENT_ASN1_FUNCTIONS(OSSL_CRMF_CERTTEMPLATE)
IMPLEMENT_ASN1_DUP_FUNCTION(OSSL_CRMF_CERTTEMPLATE)

/*
 * OSSL_CRMF_CERTREQUEST: certReqId and certTemplate are mandatory; controls
 * is an optional SEQUENCE OF OSSL_CRMF_ATTRIBUTETYPEANDVALUE.
 */
ASN1_SEQUENCE(OSSL_CRMF_CERTREQUEST) = {
    ASN1_SIMPLE(OSSL_CRMF_CERTREQUEST, certReqId, ASN1_INTEGER),
    ASN1_SIMPLE(OSSL_CRMF_CERTREQUEST, certTemplate, OSSL_CRMF_CERTTEMPLATE),
    ASN1_SEQUENCE_OF_OPT(OSSL_CRMF_CERTREQUEST, controls,
                         OSSL_CRMF_ATTRIBUTETYPEANDVALUE)
} ASN1_SEQUENCE_END(OSSL_CRMF_CERTREQUEST)
IMPLEMENT_ASN1_FUNCTIONS(OSSL_CRMF_CERTREQUEST)
IMPLEMENT_ASN1_DUP_FUNCTION(OSSL_CRMF_CERTREQUEST)

/*
 * OSSL_CRMF_MSG: a mandatory certReq, an optional popo and an optional
 * SEQUENCE OF regInfo attributes.
 * Since popo is optional, a message with no proof of possession decodes
 * successfully. Requiring one is up to the code that processes the request.
 */
ASN1_SEQUENCE(OSSL_CRMF_MSG) = {
    ASN1_SIMPLE(OSSL_CRMF_MSG, certReq, OSSL_CRMF_CERTREQUEST),
    ASN1_OPT(OSSL_CRMF_MSG, popo, OSSL_CRMF_POPO),
    ASN1_SEQUENCE_OF_OPT(OSSL_CRMF_MSG, regInfo,
                         OSSL_CRMF_ATTRIBUTETYPEANDVALUE)
} ASN1_SEQUENCE_END(OSSL_CRMF_MSG)
IMPLEMENT_ASN1_FUNCTIONS(OSSL_CRMF_MSG)
IMPLEMENT_ASN1_DUP_FUNCTION(OSSL_CRMF_MSG)

/*
 * OSSL_CRMF_MSGS: SEQUENCE OF OSSL_CRMF_MSG, declared as an item template.
 * The template places no limit on the number of messages in the sequence.
 */
ASN1_ITEM_TEMPLATE(OSSL_CRMF_MSGS) =
    ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,
                          OSSL_CRMF_MSGS, OSSL_CRMF_MSG)
ASN1_ITEM_TEMPLATE_END(OSSL_CRMF_MSGS)
IMPLEMENT_ASN1_FUNCTIONS(OSSL_CRMF_MSGS)