1 /*
2 * Copyright 2007-2024 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright Nokia 2007-2019
4 * Copyright Siemens AG 2015-2019
5 *
6 * Licensed under the Apache License 2.0 (the "License"). You may not use
7 * this file except in compliance with the License. You can obtain a copy
8 * in the file LICENSE in the source distribution or at
9 * https://www.openssl.org/source/license.html
10 */
11
12 #include <openssl/asn1t.h>
13
14 #include "cmp_local.h"
15 #include "internal/crmf.h"
16
17 /* explicit #includes not strictly needed since implied by the above: */
18 #include <openssl/cmp.h>
19 #include <openssl/crmf.h>
20
21 /* ASN.1 declarations from RFC4210 */
22 ASN1_SEQUENCE(OSSL_CMP_REVANNCONTENT) = {
23 /* OSSL_CMP_PKISTATUS is effectively ASN1_INTEGER so it is used directly */
24 ASN1_SIMPLE(OSSL_CMP_REVANNCONTENT, status, ASN1_INTEGER),
25 ASN1_SIMPLE(OSSL_CMP_REVANNCONTENT, certId, OSSL_CRMF_CERTID),
26 ASN1_SIMPLE(OSSL_CMP_REVANNCONTENT, willBeRevokedAt, ASN1_GENERALIZEDTIME),
27 ASN1_SIMPLE(OSSL_CMP_REVANNCONTENT, badSinceDate, ASN1_GENERALIZEDTIME),
28 ASN1_OPT(OSSL_CMP_REVANNCONTENT, crlDetails, X509_EXTENSIONS)
29 } ASN1_SEQUENCE_END(OSSL_CMP_REVANNCONTENT)
30 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_REVANNCONTENT)
31
32 ASN1_SEQUENCE(OSSL_CMP_CHALLENGE) = {
33 ASN1_OPT(OSSL_CMP_CHALLENGE, owf, X509_ALGOR),
34 ASN1_SIMPLE(OSSL_CMP_CHALLENGE, witness, ASN1_OCTET_STRING),
35 ASN1_SIMPLE(OSSL_CMP_CHALLENGE, challenge, ASN1_OCTET_STRING)
36 } ASN1_SEQUENCE_END(OSSL_CMP_CHALLENGE)
37 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CHALLENGE)
38
39 ASN1_ITEM_TEMPLATE(OSSL_CMP_POPODECKEYCHALLCONTENT) =
40 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,
41 OSSL_CMP_POPODECKEYCHALLCONTENT, OSSL_CMP_CHALLENGE)
42 ASN1_ITEM_TEMPLATE_END(OSSL_CMP_POPODECKEYCHALLCONTENT)
43
44 ASN1_ITEM_TEMPLATE(OSSL_CMP_POPODECKEYRESPCONTENT) =
45 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,
46 OSSL_CMP_POPODECKEYRESPCONTENT, ASN1_INTEGER)
47 ASN1_ITEM_TEMPLATE_END(OSSL_CMP_POPODECKEYRESPCONTENT)
48
49 ASN1_SEQUENCE(OSSL_CMP_CAKEYUPDANNCONTENT) = {
50 /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
51 ASN1_SIMPLE(OSSL_CMP_CAKEYUPDANNCONTENT, oldWithNew, X509),
52 /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
53 ASN1_SIMPLE(OSSL_CMP_CAKEYUPDANNCONTENT, newWithOld, X509),
54 /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
55 ASN1_SIMPLE(OSSL_CMP_CAKEYUPDANNCONTENT, newWithNew, X509)
56 } ASN1_SEQUENCE_END(OSSL_CMP_CAKEYUPDANNCONTENT)
57 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CAKEYUPDANNCONTENT)
58
59 ASN1_SEQUENCE(OSSL_CMP_ERRORMSGCONTENT) = {
60 ASN1_SIMPLE(OSSL_CMP_ERRORMSGCONTENT, pKIStatusInfo, OSSL_CMP_PKISI),
61 ASN1_OPT(OSSL_CMP_ERRORMSGCONTENT, errorCode, ASN1_INTEGER),
62 /* OSSL_CMP_PKIFREETEXT is a ASN1_UTF8STRING sequence, so used directly */
63 ASN1_SEQUENCE_OF_OPT(OSSL_CMP_ERRORMSGCONTENT, errorDetails,
64 ASN1_UTF8STRING)
65 } ASN1_SEQUENCE_END(OSSL_CMP_ERRORMSGCONTENT)
66 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_ERRORMSGCONTENT)
67
68 ASN1_ADB_TEMPLATE(infotypeandvalue_default) = ASN1_OPT(OSSL_CMP_ITAV,
69 infoValue.other,
70 ASN1_ANY);
71 /* ITAV means InfoTypeAndValue */
72 ASN1_ADB(OSSL_CMP_ITAV) = {
73 /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
74 ADB_ENTRY(NID_id_it_caProtEncCert, ASN1_OPT(OSSL_CMP_ITAV,
75 infoValue.caProtEncCert, X509)),
76 ADB_ENTRY(NID_id_it_signKeyPairTypes,
77 ASN1_SEQUENCE_OF_OPT(OSSL_CMP_ITAV,
78 infoValue.signKeyPairTypes, X509_ALGOR)),
79 ADB_ENTRY(NID_id_it_encKeyPairTypes,
80 ASN1_SEQUENCE_OF_OPT(OSSL_CMP_ITAV,
81 infoValue.encKeyPairTypes, X509_ALGOR)),
82 ADB_ENTRY(NID_id_it_preferredSymmAlg,
83 ASN1_OPT(OSSL_CMP_ITAV, infoValue.preferredSymmAlg,
84 X509_ALGOR)),
85 ADB_ENTRY(NID_id_it_caKeyUpdateInfo,
86 ASN1_OPT(OSSL_CMP_ITAV, infoValue.caKeyUpdateInfo,
87 OSSL_CMP_CAKEYUPDANNCONTENT)),
88 ADB_ENTRY(NID_id_it_currentCRL,
89 ASN1_OPT(OSSL_CMP_ITAV, infoValue.currentCRL, X509_CRL)),
90 ADB_ENTRY(NID_id_it_unsupportedOIDs,
91 ASN1_SEQUENCE_OF_OPT(OSSL_CMP_ITAV,
92 infoValue.unsupportedOIDs, ASN1_OBJECT)),
93 ADB_ENTRY(NID_id_it_keyPairParamReq,
94 ASN1_OPT(OSSL_CMP_ITAV, infoValue.keyPairParamReq,
95 ASN1_OBJECT)),
96 ADB_ENTRY(NID_id_it_keyPairParamRep,
97 ASN1_OPT(OSSL_CMP_ITAV, infoValue.keyPairParamRep,
98 X509_ALGOR)),
99 ADB_ENTRY(NID_id_it_revPassphrase,
100 ASN1_OPT(OSSL_CMP_ITAV, infoValue.revPassphrase,
101 OSSL_CRMF_ENCRYPTEDVALUE)),
102 ADB_ENTRY(NID_id_it_implicitConfirm,
103 ASN1_OPT(OSSL_CMP_ITAV, infoValue.implicitConfirm,
104 ASN1_NULL)),
105 ADB_ENTRY(NID_id_it_confirmWaitTime,
106 ASN1_OPT(OSSL_CMP_ITAV, infoValue.confirmWaitTime,
107 ASN1_GENERALIZEDTIME)),
108 ADB_ENTRY(NID_id_it_origPKIMessage,
109 ASN1_OPT(OSSL_CMP_ITAV, infoValue.origPKIMessage,
110 OSSL_CMP_MSGS)),
111 ADB_ENTRY(NID_id_it_suppLangTags,
112 ASN1_SEQUENCE_OF_OPT(OSSL_CMP_ITAV, infoValue.suppLangTagsValue,
113 ASN1_UTF8STRING)),
114 ADB_ENTRY(NID_id_it_caCerts,
115 ASN1_SEQUENCE_OF_OPT(OSSL_CMP_ITAV, infoValue.caCerts, X509)),
116 ADB_ENTRY(NID_id_it_rootCaCert,
117 ASN1_OPT(OSSL_CMP_ITAV, infoValue.rootCaCert, X509)),
118 ADB_ENTRY(NID_id_it_rootCaKeyUpdate,
119 ASN1_OPT(OSSL_CMP_ITAV, infoValue.rootCaKeyUpdate,
120 OSSL_CMP_ROOTCAKEYUPDATE)),
121 ADB_ENTRY(NID_id_it_certReqTemplate,
122 ASN1_OPT(OSSL_CMP_ITAV, infoValue.certReqTemplate,
123 OSSL_CMP_CERTREQTEMPLATE)),
124 ADB_ENTRY(NID_id_it_certProfile,
125 ASN1_SEQUENCE_OF_OPT(OSSL_CMP_ITAV, infoValue.certProfile,
126 ASN1_UTF8STRING)),
127 ADB_ENTRY(NID_id_it_crlStatusList,
128 ASN1_SEQUENCE_OF_OPT(OSSL_CMP_ITAV, infoValue.crlStatusList,
129 OSSL_CMP_CRLSTATUS)),
130 ADB_ENTRY(NID_id_it_crls,
131 ASN1_SEQUENCE_OF_OPT(OSSL_CMP_ITAV, infoValue.crls, X509_CRL))
132 } ASN1_ADB_END(OSSL_CMP_ITAV, 0, infoType, 0,
133 &infotypeandvalue_default_tt, NULL);
134
135 ASN1_SEQUENCE(OSSL_CMP_ITAV) = {
136 ASN1_SIMPLE(OSSL_CMP_ITAV, infoType, ASN1_OBJECT),
137 ASN1_ADB_OBJECT(OSSL_CMP_ITAV)
138 } ASN1_SEQUENCE_END(OSSL_CMP_ITAV)
139 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_ITAV)
140 IMPLEMENT_ASN1_DUP_FUNCTION(OSSL_CMP_ITAV)
141
142 ASN1_SEQUENCE(OSSL_CMP_ROOTCAKEYUPDATE) = {
143 /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
144 ASN1_SIMPLE(OSSL_CMP_ROOTCAKEYUPDATE, newWithNew, X509),
145 ASN1_EXP_OPT(OSSL_CMP_ROOTCAKEYUPDATE, newWithOld, X509, 0),
146 ASN1_EXP_OPT(OSSL_CMP_ROOTCAKEYUPDATE, oldWithNew, X509, 1)
147 } ASN1_SEQUENCE_END(OSSL_CMP_ROOTCAKEYUPDATE)
148 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_ROOTCAKEYUPDATE)
149
150 ASN1_ITEM_TEMPLATE(OSSL_CMP_ATAVS) =
151 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,
152 OSSL_CMP_ATAVS, OSSL_CRMF_ATTRIBUTETYPEANDVALUE)
153 ASN1_ITEM_TEMPLATE_END(OSSL_CMP_ATAVS)
154 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_ATAVS)
155
156 ASN1_SEQUENCE(OSSL_CMP_CERTREQTEMPLATE) = {
157 ASN1_SIMPLE(OSSL_CMP_CERTREQTEMPLATE, certTemplate, OSSL_CRMF_CERTTEMPLATE),
158 ASN1_SEQUENCE_OF_OPT(OSSL_CMP_CERTREQTEMPLATE, keySpec,
159 OSSL_CRMF_ATTRIBUTETYPEANDVALUE)
160 } ASN1_SEQUENCE_END(OSSL_CMP_CERTREQTEMPLATE)
161 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CERTREQTEMPLATE)
162
163 ASN1_CHOICE(OSSL_CMP_CRLSOURCE) = {
164 ASN1_EXP(OSSL_CMP_CRLSOURCE, value.dpn, DIST_POINT_NAME, 0),
165 ASN1_EXP(OSSL_CMP_CRLSOURCE, value.issuer, GENERAL_NAMES, 1),
166 } ASN1_CHOICE_END(OSSL_CMP_CRLSOURCE)
167 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CRLSOURCE)
168 #define OSSL_CMP_CRLSOURCE_DPN 0
169 #define OSSL_CMP_CRLSOURCE_ISSUER 1
170
171 ASN1_SEQUENCE(OSSL_CMP_CRLSTATUS) = {
172 ASN1_SIMPLE(OSSL_CMP_CRLSTATUS, source, OSSL_CMP_CRLSOURCE),
173 ASN1_OPT(OSSL_CMP_CRLSTATUS, thisUpdate, ASN1_TIME)
174 } ASN1_SEQUENCE_END(OSSL_CMP_CRLSTATUS)
175 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CRLSTATUS)
176
177 OSSL_CMP_ITAV *OSSL_CMP_ITAV_create(ASN1_OBJECT *type, ASN1_TYPE *value)
178 {
179 OSSL_CMP_ITAV *itav;
180
181 if (type == NULL || (itav = OSSL_CMP_ITAV_new()) == NULL)
182 return NULL;
183 OSSL_CMP_ITAV_set0(itav, type, value);
184 return itav;
185 }
186
OSSL_CMP_ITAV_set0(OSSL_CMP_ITAV * itav,ASN1_OBJECT * type,ASN1_TYPE * value)187 void OSSL_CMP_ITAV_set0(OSSL_CMP_ITAV *itav, ASN1_OBJECT *type,
188 ASN1_TYPE *value)
189 {
190 itav->infoType = type;
191 itav->infoValue.other = value;
192 }
193
OSSL_CMP_ITAV_get0_type(const OSSL_CMP_ITAV * itav)194 ASN1_OBJECT *OSSL_CMP_ITAV_get0_type(const OSSL_CMP_ITAV *itav)
195 {
196 if (itav == NULL)
197 return NULL;
198 return itav->infoType;
199 }
200
OSSL_CMP_ITAV_get0_value(const OSSL_CMP_ITAV * itav)201 ASN1_TYPE *OSSL_CMP_ITAV_get0_value(const OSSL_CMP_ITAV *itav)
202 {
203 if (itav == NULL)
204 return NULL;
205 return itav->infoValue.other;
206 }
207
OSSL_CMP_ITAV_push0_stack_item(STACK_OF (OSSL_CMP_ITAV)** itav_sk_p,OSSL_CMP_ITAV * itav)208 int OSSL_CMP_ITAV_push0_stack_item(STACK_OF(OSSL_CMP_ITAV) **itav_sk_p,
209 OSSL_CMP_ITAV *itav)
210 {
211 int created = 0;
212
213 if (itav_sk_p == NULL || itav == NULL) {
214 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
215 goto err;
216 }
217
218 if (*itav_sk_p == NULL) {
219 if ((*itav_sk_p = sk_OSSL_CMP_ITAV_new_null()) == NULL)
220 goto err;
221 created = 1;
222 }
223 if (!sk_OSSL_CMP_ITAV_push(*itav_sk_p, itav))
224 goto err;
225 return 1;
226
227 err:
228 if (created) {
229 sk_OSSL_CMP_ITAV_free(*itav_sk_p);
230 *itav_sk_p = NULL;
231 }
232 return 0;
233 }
234
235 OSSL_CMP_ITAV
OSSL_CMP_ITAV_new0_certProfile(STACK_OF (ASN1_UTF8STRING)* certProfile)236 *OSSL_CMP_ITAV_new0_certProfile(STACK_OF(ASN1_UTF8STRING) *certProfile)
237 {
238 OSSL_CMP_ITAV *itav;
239
240 if ((itav = OSSL_CMP_ITAV_new()) == NULL)
241 return NULL;
242 itav->infoType = OBJ_nid2obj(NID_id_it_certProfile);
243 itav->infoValue.certProfile = certProfile;
244 return itav;
245 }
246
OSSL_CMP_ITAV_get0_certProfile(const OSSL_CMP_ITAV * itav,STACK_OF (ASN1_UTF8STRING)** out)247 int OSSL_CMP_ITAV_get0_certProfile(const OSSL_CMP_ITAV *itav,
248 STACK_OF(ASN1_UTF8STRING) **out)
249 {
250 if (itav == NULL || out == NULL) {
251 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_NULL_PARAMETER);
252 return 0;
253 }
254 if (OBJ_obj2nid(itav->infoType) != NID_id_it_certProfile) {
255 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_INVALID_ARGUMENT);
256 return 0;
257 }
258 *out = itav->infoValue.certProfile;
259 return 1;
260 }
261
OSSL_CMP_ITAV_new_caCerts(const STACK_OF (X509)* caCerts)262 OSSL_CMP_ITAV *OSSL_CMP_ITAV_new_caCerts(const STACK_OF(X509) *caCerts)
263 {
264 OSSL_CMP_ITAV *itav = OSSL_CMP_ITAV_new();
265
266 if (itav == NULL)
267 return NULL;
268 if (sk_X509_num(caCerts) > 0
269 && (itav->infoValue.caCerts =
270 sk_X509_deep_copy(caCerts, X509_dup, X509_free)) == NULL) {
271 OSSL_CMP_ITAV_free(itav);
272 return NULL;
273 }
274 itav->infoType = OBJ_nid2obj(NID_id_it_caCerts);
275 return itav;
276 }
277
OSSL_CMP_ITAV_get0_caCerts(const OSSL_CMP_ITAV * itav,STACK_OF (X509)** out)278 int OSSL_CMP_ITAV_get0_caCerts(const OSSL_CMP_ITAV *itav, STACK_OF(X509) **out)
279 {
280 if (itav == NULL || out == NULL) {
281 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_NULL_PARAMETER);
282 return 0;
283 }
284 if (OBJ_obj2nid(itav->infoType) != NID_id_it_caCerts) {
285 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_INVALID_ARGUMENT);
286 return 0;
287 }
288 *out = sk_X509_num(itav->infoValue.caCerts) > 0
289 ? itav->infoValue.caCerts : NULL;
290 return 1;
291 }
292
OSSL_CMP_ITAV_new_rootCaCert(const X509 * rootCaCert)293 OSSL_CMP_ITAV *OSSL_CMP_ITAV_new_rootCaCert(const X509 *rootCaCert)
294 {
295 OSSL_CMP_ITAV *itav = OSSL_CMP_ITAV_new();
296
297 if (itav == NULL)
298 return NULL;
299 if (rootCaCert != NULL
300 && (itav->infoValue.rootCaCert = X509_dup(rootCaCert)) == NULL) {
301 OSSL_CMP_ITAV_free(itav);
302 return NULL;
303 }
304 itav->infoType = OBJ_nid2obj(NID_id_it_rootCaCert);
305 return itav;
306 }
307
OSSL_CMP_ITAV_get0_rootCaCert(const OSSL_CMP_ITAV * itav,X509 ** out)308 int OSSL_CMP_ITAV_get0_rootCaCert(const OSSL_CMP_ITAV *itav, X509 **out)
309 {
310 if (itav == NULL || out == NULL) {
311 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_NULL_PARAMETER);
312 return 0;
313 }
314 if (OBJ_obj2nid(itav->infoType) != NID_id_it_rootCaCert) {
315 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_INVALID_ARGUMENT);
316 return 0;
317 }
318 *out = itav->infoValue.rootCaCert;
319 return 1;
320 }
OSSL_CMP_ITAV_new_rootCaKeyUpdate(const X509 * newWithNew,const X509 * newWithOld,const X509 * oldWithNew)321 OSSL_CMP_ITAV *OSSL_CMP_ITAV_new_rootCaKeyUpdate(const X509 *newWithNew,
322 const X509 *newWithOld,
323 const X509 *oldWithNew)
324 {
325 OSSL_CMP_ITAV *itav;
326 OSSL_CMP_ROOTCAKEYUPDATE *upd = NULL;
327
328 if (newWithNew != NULL) {
329 upd = OSSL_CMP_ROOTCAKEYUPDATE_new();
330 if (upd == NULL)
331 return NULL;
332
333 if ((upd->newWithNew = X509_dup(newWithNew)) == NULL)
334 goto err;
335 if (newWithOld != NULL
336 && (upd->newWithOld = X509_dup(newWithOld)) == NULL)
337 goto err;
338 if (oldWithNew != NULL
339 && (upd->oldWithNew = X509_dup(oldWithNew)) == NULL)
340 goto err;
341 }
342
343 if ((itav = OSSL_CMP_ITAV_new()) == NULL)
344 goto err;
345 itav->infoType = OBJ_nid2obj(NID_id_it_rootCaKeyUpdate);
346 itav->infoValue.rootCaKeyUpdate = upd;
347 return itav;
348
349 err:
350 OSSL_CMP_ROOTCAKEYUPDATE_free(upd);
351 return NULL;
352 }
353
OSSL_CMP_ITAV_get0_rootCaKeyUpdate(const OSSL_CMP_ITAV * itav,X509 ** newWithNew,X509 ** newWithOld,X509 ** oldWithNew)354 int OSSL_CMP_ITAV_get0_rootCaKeyUpdate(const OSSL_CMP_ITAV *itav,
355 X509 **newWithNew,
356 X509 **newWithOld,
357 X509 **oldWithNew)
358 {
359 OSSL_CMP_ROOTCAKEYUPDATE *upd;
360
361 if (itav == NULL || newWithNew == NULL) {
362 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_NULL_PARAMETER);
363 return 0;
364 }
365 if (OBJ_obj2nid(itav->infoType) != NID_id_it_rootCaKeyUpdate) {
366 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_INVALID_ARGUMENT);
367 return 0;
368 }
369 upd = itav->infoValue.rootCaKeyUpdate;
370 *newWithNew = upd != NULL ? upd->newWithNew : NULL;
371 if (newWithOld != NULL)
372 *newWithOld = upd != NULL ? upd->newWithOld : NULL;
373 if (oldWithNew != NULL)
374 *oldWithNew = upd != NULL ? upd->oldWithNew : NULL;
375 return 1;
376 }
377
378 OSSL_CMP_ITAV
OSSL_CMP_ITAV_new0_certReqTemplate(OSSL_CRMF_CERTTEMPLATE * certTemplate,OSSL_CMP_ATAVS * keySpec)379 *OSSL_CMP_ITAV_new0_certReqTemplate(OSSL_CRMF_CERTTEMPLATE *certTemplate,
380 OSSL_CMP_ATAVS *keySpec)
381 {
382 OSSL_CMP_ITAV *itav;
383 OSSL_CMP_CERTREQTEMPLATE *tmpl;
384
385 if (certTemplate == NULL && keySpec != NULL) {
386 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_INVALID_ARGUMENT);
387 return NULL;
388 }
389 if ((itav = OSSL_CMP_ITAV_new()) == NULL)
390 return NULL;
391 itav->infoType = OBJ_nid2obj(NID_id_it_certReqTemplate);
392 if (certTemplate == NULL)
393 return itav;
394
395 if ((tmpl = OSSL_CMP_CERTREQTEMPLATE_new()) == NULL) {
396 OSSL_CMP_ITAV_free(itav);
397 return NULL;
398 }
399 itav->infoValue.certReqTemplate = tmpl;
400 tmpl->certTemplate = certTemplate;
401 tmpl->keySpec = keySpec;
402 return itav;
403 }
404
OSSL_CMP_ITAV_get1_certReqTemplate(const OSSL_CMP_ITAV * itav,OSSL_CRMF_CERTTEMPLATE ** certTemplate,OSSL_CMP_ATAVS ** keySpec)405 int OSSL_CMP_ITAV_get1_certReqTemplate(const OSSL_CMP_ITAV *itav,
406 OSSL_CRMF_CERTTEMPLATE **certTemplate,
407 OSSL_CMP_ATAVS **keySpec)
408 {
409 OSSL_CMP_CERTREQTEMPLATE *tpl;
410
411 if (itav == NULL || certTemplate == NULL) {
412 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
413 return 0;
414 }
415
416 *certTemplate = NULL;
417 if (keySpec != NULL)
418 *keySpec = NULL;
419
420 if (OBJ_obj2nid(itav->infoType) != NID_id_it_certReqTemplate) {
421 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_INVALID_ARGUMENT);
422 return 0;
423 }
424 tpl = itav->infoValue.certReqTemplate;
425 if (tpl == NULL) /* no requirements available */
426 return 1;
427
428 if ((*certTemplate = OSSL_CRMF_CERTTEMPLATE_dup(tpl->certTemplate)) == NULL)
429 return 0;
430 if (keySpec != NULL && tpl->keySpec != NULL) {
431 int i, n = sk_OSSL_CMP_ATAV_num(tpl->keySpec);
432
433 *keySpec = sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_new_reserve(NULL, n);
434 if (*keySpec == NULL)
435 goto err;
436 for (i = 0; i < n; i++) {
437 OSSL_CMP_ATAV *atav = sk_OSSL_CMP_ATAV_value(tpl->keySpec, i);
438 ASN1_OBJECT *type = OSSL_CMP_ATAV_get0_type(atav /* may be NULL */);
439 int nid;
440 const char *name;
441
442 if (type == NULL) {
443 ERR_raise_data(ERR_LIB_CMP, CMP_R_INVALID_KEYSPEC,
444 "keySpec with index %d in certReqTemplate does not exist",
445 i);
446 goto err;
447 }
448 nid = OBJ_obj2nid(type);
449
450 if (nid != NID_id_regCtrl_algId
451 && nid != NID_id_regCtrl_rsaKeyLen) {
452 name = OBJ_nid2ln(nid);
453 if (name == NULL)
454 name = OBJ_nid2sn(nid);
455 if (name == NULL)
456 name = "<undef>";
457 ERR_raise_data(ERR_LIB_CMP, CMP_R_INVALID_KEYSPEC,
458 "keySpec with index %d in certReqTemplate has invalid type %s",
459 i, name);
460 goto err;
461 }
462 OSSL_CMP_ATAV_push1(keySpec, atav);
463 }
464 }
465 return 1;
466
467 err:
468 OSSL_CRMF_CERTTEMPLATE_free(*certTemplate);
469 *certTemplate = NULL;
470 sk_OSSL_CMP_ATAV_pop_free(*keySpec, OSSL_CMP_ATAV_free);
471 if (keySpec != NULL)
472 *keySpec = NULL;
473 return 0;
474 }
475
OSSL_CMP_ATAV_create(ASN1_OBJECT * type,ASN1_TYPE * value)476 OSSL_CMP_ATAV *OSSL_CMP_ATAV_create(ASN1_OBJECT *type, ASN1_TYPE *value)
477 {
478 OSSL_CMP_ATAV *atav;
479
480 if ((atav = OSSL_CRMF_ATTRIBUTETYPEANDVALUE_new()) == NULL)
481 return NULL;
482 OSSL_CMP_ATAV_set0(atav, type, value);
483 return atav;
484 }
485
OSSL_CMP_ATAV_set0(OSSL_CMP_ATAV * atav,ASN1_OBJECT * type,ASN1_TYPE * value)486 void OSSL_CMP_ATAV_set0(OSSL_CMP_ATAV *atav, ASN1_OBJECT *type,
487 ASN1_TYPE *value)
488 {
489 atav->type = type;
490 atav->value.other = value;
491 }
492
OSSL_CMP_ATAV_get0_type(const OSSL_CMP_ATAV * atav)493 ASN1_OBJECT *OSSL_CMP_ATAV_get0_type(const OSSL_CMP_ATAV *atav)
494 {
495 if (atav == NULL)
496 return NULL;
497 return atav->type;
498 }
499
OSSL_CMP_ATAV_new_algId(const X509_ALGOR * alg)500 OSSL_CMP_ATAV *OSSL_CMP_ATAV_new_algId(const X509_ALGOR *alg)
501 {
502 X509_ALGOR *dup;
503 OSSL_CMP_ATAV *res;
504
505 if (alg == NULL) {
506 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
507 return NULL;
508 }
509 if ((dup = X509_ALGOR_dup(alg)) == NULL)
510 return NULL;
511 res = OSSL_CMP_ATAV_create(OBJ_nid2obj(NID_id_regCtrl_algId),
512 (ASN1_TYPE *)dup);
513 if (res == NULL)
514 X509_ALGOR_free(dup);
515 return res;
516 }
517
OSSL_CMP_ATAV_get0_algId(const OSSL_CMP_ATAV * atav)518 X509_ALGOR *OSSL_CMP_ATAV_get0_algId(const OSSL_CMP_ATAV *atav)
519 {
520 if (atav == NULL || OBJ_obj2nid(atav->type) != NID_id_regCtrl_algId)
521 return NULL;
522 return atav->value.algId;
523 }
524
OSSL_CMP_ATAV_new_rsaKeyLen(int len)525 OSSL_CMP_ATAV *OSSL_CMP_ATAV_new_rsaKeyLen(int len)
526 {
527 ASN1_INTEGER *aint;
528 OSSL_CMP_ATAV *res = NULL;
529
530 if (len <= 0) {
531 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_INVALID_ARGUMENT);
532 return NULL;
533 }
534 if ((aint = ASN1_INTEGER_new()) == NULL)
535 return NULL;
536 if (!ASN1_INTEGER_set(aint, len)
537 || (res = OSSL_CMP_ATAV_create(OBJ_nid2obj(NID_id_regCtrl_rsaKeyLen),
538 (ASN1_TYPE *)aint)) == NULL)
539 ASN1_INTEGER_free(aint);
540 return res;
541 }
542
OSSL_CMP_ATAV_get_rsaKeyLen(const OSSL_CMP_ATAV * atav)543 int OSSL_CMP_ATAV_get_rsaKeyLen(const OSSL_CMP_ATAV *atav)
544 {
545 int64_t val;
546
547 if (atav == NULL || OBJ_obj2nid(atav->type) != NID_id_regCtrl_rsaKeyLen
548 || !ASN1_INTEGER_get_int64(&val, atav->value.rsaKeyLen))
549 return -1;
550 if (val <= 0 || val > INT_MAX)
551 return -2;
552 return (int)val;
553 }
554
OSSL_CMP_ATAV_get0_value(const OSSL_CMP_ATAV * atav)555 ASN1_TYPE *OSSL_CMP_ATAV_get0_value(const OSSL_CMP_ATAV *atav)
556 {
557 if (atav == NULL)
558 return NULL;
559 return atav->value.other;
560 }
561
OSSL_CMP_ATAV_push1(OSSL_CMP_ATAVS ** sk_p,const OSSL_CMP_ATAV * atav)562 int OSSL_CMP_ATAV_push1(OSSL_CMP_ATAVS **sk_p, const OSSL_CMP_ATAV *atav)
563 {
564 int created = 0;
565 OSSL_CMP_ATAV *dup;
566
567 if (sk_p == NULL || atav == NULL) {
568 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
569 goto err;
570 }
571
572 if (*sk_p == NULL) {
573 if ((*sk_p = sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_new_null()) == NULL)
574 goto err;
575 created = 1;
576 }
577
578 if ((dup = OSSL_CRMF_ATTRIBUTETYPEANDVALUE_dup((OSSL_CRMF_ATTRIBUTETYPEANDVALUE *)atav)) == NULL)
579 goto err;
580 if (sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_push(*sk_p, dup))
581 return 1;
582 OSSL_CRMF_ATTRIBUTETYPEANDVALUE_free(dup);
583
584 err:
585 if (created) {
586 sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_free(*sk_p);
587 *sk_p = NULL;
588 }
589 return 0;
590 }
591
592 OSSL_CMP_ITAV
OSSL_CMP_ITAV_new0_crlStatusList(STACK_OF (OSSL_CMP_CRLSTATUS)* crlStatusList)593 *OSSL_CMP_ITAV_new0_crlStatusList(STACK_OF(OSSL_CMP_CRLSTATUS) *crlStatusList)
594 {
595 OSSL_CMP_ITAV *itav;
596
597 if ((itav = OSSL_CMP_ITAV_new()) == NULL)
598 return NULL;
599 itav->infoType = OBJ_nid2obj(NID_id_it_crlStatusList);
600 itav->infoValue.crlStatusList = crlStatusList;
601 return itav;
602 }
603
OSSL_CMP_ITAV_get0_crlStatusList(const OSSL_CMP_ITAV * itav,STACK_OF (OSSL_CMP_CRLSTATUS)** out)604 int OSSL_CMP_ITAV_get0_crlStatusList(const OSSL_CMP_ITAV *itav,
605 STACK_OF(OSSL_CMP_CRLSTATUS) **out)
606 {
607 if (itav == NULL || out == NULL) {
608 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_NULL_PARAMETER);
609 return 0;
610 }
611 if (OBJ_obj2nid(itav->infoType) != NID_id_it_crlStatusList) {
612 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_INVALID_ARGUMENT);
613 return 0;
614 }
615 *out = itav->infoValue.crlStatusList;
616 return 1;
617 }
618
OSSL_CMP_CRLSTATUS_new1(const DIST_POINT_NAME * dpn,const GENERAL_NAMES * issuer,const ASN1_TIME * thisUpdate)619 OSSL_CMP_CRLSTATUS *OSSL_CMP_CRLSTATUS_new1(const DIST_POINT_NAME *dpn,
620 const GENERAL_NAMES *issuer,
621 const ASN1_TIME *thisUpdate)
622 {
623 OSSL_CMP_CRLSOURCE *crlsource;
624 OSSL_CMP_CRLSTATUS *crlstatus;
625
626 if (dpn == NULL && issuer == NULL) {
627 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_NULL_PARAMETER);
628 return NULL;
629 }
630 if (dpn != NULL && issuer != NULL) {
631 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_INVALID_ARGUMENT);
632 return NULL;
633 }
634
635 if ((crlstatus = OSSL_CMP_CRLSTATUS_new()) == NULL)
636 return NULL;
637 crlsource = crlstatus->source;
638
639 if (dpn != NULL) {
640 crlsource->type = OSSL_CMP_CRLSOURCE_DPN;
641 if ((crlsource->value.dpn = DIST_POINT_NAME_dup(dpn)) == NULL)
642 goto err;
643 } else {
644 crlsource->type = OSSL_CMP_CRLSOURCE_ISSUER;
645 if ((crlsource->value.issuer =
646 sk_GENERAL_NAME_deep_copy(issuer, GENERAL_NAME_dup,
647 GENERAL_NAME_free)) == NULL)
648 goto err;
649 }
650
651 if (thisUpdate != NULL
652 && (crlstatus->thisUpdate = ASN1_TIME_dup(thisUpdate)) == NULL)
653 goto err;
654 return crlstatus;
655
656 err:
657 OSSL_CMP_CRLSTATUS_free(crlstatus);
658 return NULL;
659 }
660
gennames_new(const X509_NAME * nm)661 static GENERAL_NAMES *gennames_new(const X509_NAME *nm)
662 {
663 GENERAL_NAMES *names;
664 GENERAL_NAME *name = NULL;
665
666 if ((names = sk_GENERAL_NAME_new_reserve(NULL, 1)) == NULL)
667 return NULL;
668 if (!GENERAL_NAME_set1_X509_NAME(&name, nm)) {
669 sk_GENERAL_NAME_free(names);
670 return NULL;
671 }
672 (void)sk_GENERAL_NAME_push(names, name); /* cannot fail */
673 return names;
674 }
675
gennames_allowed(GENERAL_NAMES * names,int only_DN)676 static int gennames_allowed(GENERAL_NAMES *names, int only_DN)
677 {
678 if (names == NULL)
679 return 0;
680 if (!only_DN)
681 return 1;
682 return sk_GENERAL_NAME_num(names) == 1
683 && sk_GENERAL_NAME_value(names, 0)->type == GEN_DIRNAME;
684 }
685
OSSL_CMP_CRLSTATUS_create(const X509_CRL * crl,const X509 * cert,int only_DN)686 OSSL_CMP_CRLSTATUS *OSSL_CMP_CRLSTATUS_create(const X509_CRL *crl,
687 const X509 *cert, int only_DN)
688 {
689 STACK_OF(DIST_POINT) *crldps = NULL;
690 ISSUING_DIST_POINT *idp = NULL;
691 DIST_POINT_NAME *dpn = NULL;
692 AUTHORITY_KEYID *akid = NULL;
693 GENERAL_NAMES *issuers = NULL;
694 const GENERAL_NAMES *CRLissuer = NULL;
695 const ASN1_TIME *last = crl == NULL ? NULL : X509_CRL_get0_lastUpdate(crl);
696 OSSL_CMP_CRLSTATUS *status = NULL;
697 int i, NID_akid = NID_authority_key_identifier;
698
699 /*
700 * Note:
701 * X509{,_CRL}_get_ext_d2i(..., NID, ..., NULL) return the 1st extension with
702 * given NID that is available, if any. If there are more, this is an error.
703 */
704 if (cert != NULL) {
705 crldps = X509_get_ext_d2i(cert, NID_crl_distribution_points, NULL, NULL);
706 /* if available, take the first suitable element */
707 for (i = 0; i < sk_DIST_POINT_num(crldps); i++) {
708 DIST_POINT *dp = sk_DIST_POINT_value(crldps, i);
709
710 if (dp == NULL)
711 continue;
712 if ((dpn = dp->distpoint) != NULL) {
713 CRLissuer = NULL;
714 break;
715 }
716 if (gennames_allowed(dp->CRLissuer, only_DN) && CRLissuer == NULL)
717 /* don't break because any dp->distpoint in list is preferred */
718 CRLissuer = dp->CRLissuer;
719 }
720 } else {
721 if (crl == NULL) {
722 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
723 return NULL;
724 }
725 idp = X509_CRL_get_ext_d2i(crl,
726 NID_issuing_distribution_point, NULL, NULL);
727 if (idp != NULL && idp->distpoint != NULL)
728 dpn = idp->distpoint;
729 }
730
731 if (dpn == NULL && CRLissuer == NULL) {
732 if (cert != NULL) {
733 akid = X509_get_ext_d2i(cert, NID_akid, NULL, NULL);
734 if (akid != NULL && gennames_allowed(akid->issuer, only_DN))
735 CRLissuer = akid->issuer;
736 else
737 CRLissuer = issuers = gennames_new(X509_get_issuer_name(cert));
738 }
739 if (CRLissuer == NULL && crl != NULL) {
740 akid = X509_CRL_get_ext_d2i(crl, NID_akid, NULL, NULL);
741 if (akid != NULL && gennames_allowed(akid->issuer, only_DN))
742 CRLissuer = akid->issuer;
743 else
744 CRLissuer = issuers = gennames_new(X509_CRL_get_issuer(crl));
745 }
746 if (CRLissuer == NULL)
747 goto end;
748 }
749
750 status = OSSL_CMP_CRLSTATUS_new1(dpn, CRLissuer, last);
751 end:
752 sk_DIST_POINT_pop_free(crldps, DIST_POINT_free);
753 ISSUING_DIST_POINT_free(idp);
754 AUTHORITY_KEYID_free(akid);
755 sk_GENERAL_NAME_pop_free(issuers, GENERAL_NAME_free);
756 return status;
757 }
758
OSSL_CMP_CRLSTATUS_get0(const OSSL_CMP_CRLSTATUS * crlstatus,DIST_POINT_NAME ** dpn,GENERAL_NAMES ** issuer,ASN1_TIME ** thisUpdate)759 int OSSL_CMP_CRLSTATUS_get0(const OSSL_CMP_CRLSTATUS *crlstatus,
760 DIST_POINT_NAME **dpn, GENERAL_NAMES **issuer,
761 ASN1_TIME **thisUpdate)
762 {
763 OSSL_CMP_CRLSOURCE *crlsource;
764
765 if (crlstatus == NULL || dpn == NULL || issuer == NULL) {
766 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
767 return 0;
768 }
769 if ((crlsource = crlstatus->source) == NULL) {
770 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_INVALID_ARGUMENT);
771 return 0;
772 }
773
774 if (crlsource->type == OSSL_CMP_CRLSOURCE_DPN) {
775 *dpn = crlsource->value.dpn;
776 *issuer = NULL;
777 } else if (crlsource->type == OSSL_CMP_CRLSOURCE_ISSUER) {
778 *dpn = NULL;
779 *issuer = crlsource->value.issuer;
780 } else {
781 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_INVALID_ARGUMENT);
782 return 0;
783 }
784 if (thisUpdate != NULL)
785 *thisUpdate = crlstatus->thisUpdate;
786 return 1;
787 }
788
OSSL_CMP_ITAV_new_crls(const X509_CRL * crl)789 OSSL_CMP_ITAV *OSSL_CMP_ITAV_new_crls(const X509_CRL *crl)
790 {
791 OSSL_CMP_ITAV *itav;
792 X509_CRL *crl_copy = NULL;
793 STACK_OF(X509_CRL) *crls = NULL;
794
795 if ((itav = OSSL_CMP_ITAV_new()) == NULL)
796 return NULL;
797
798 if (crl != NULL) {
799 if ((crls = sk_X509_CRL_new_reserve(NULL, 1)) == NULL
800 || (crl_copy = X509_CRL_dup(crl)) == NULL)
801 goto err;
802 (void)sk_X509_CRL_push(crls, crl_copy); /* cannot fail */
803 }
804
805 itav->infoType = OBJ_nid2obj(NID_id_it_crls);
806 itav->infoValue.crls = crls;
807 return itav;
808
809 err:
810 sk_X509_CRL_free(crls);
811 OSSL_CMP_ITAV_free(itav);
812 return NULL;
813 }
814
OSSL_CMP_ITAV_get0_crls(const OSSL_CMP_ITAV * itav,STACK_OF (X509_CRL)** out)815 int OSSL_CMP_ITAV_get0_crls(const OSSL_CMP_ITAV *itav, STACK_OF(X509_CRL) **out)
816 {
817 if (itav == NULL || out == NULL) {
818 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_NULL_PARAMETER);
819 return 0;
820 }
821 if (OBJ_obj2nid(itav->infoType) != NID_id_it_crls) {
822 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_INVALID_ARGUMENT);
823 return 0;
824 }
825 *out = itav->infoValue.crls;
826 return 1;
827 }
828
829 /* get ASN.1 encoded integer, return -2 on error; -1 is valid for certReqId */
ossl_cmp_asn1_get_int(const ASN1_INTEGER * a)830 int ossl_cmp_asn1_get_int(const ASN1_INTEGER *a)
831 {
832 int64_t res;
833
834 if (!ASN1_INTEGER_get_int64(&res, a)) {
835 ERR_raise(ERR_LIB_CMP, ASN1_R_INVALID_NUMBER);
836 return -2;
837 }
838 if (res < INT_MIN) {
839 ERR_raise(ERR_LIB_CMP, ASN1_R_TOO_SMALL);
840 return -2;
841 }
842 if (res > INT_MAX) {
843 ERR_raise(ERR_LIB_CMP, ASN1_R_TOO_LARGE);
844 return -2;
845 }
846 return (int)res;
847 }
848
ossl_cmp_msg_cb(int operation,ASN1_VALUE ** pval,ossl_unused const ASN1_ITEM * it,void * exarg)849 static int ossl_cmp_msg_cb(int operation, ASN1_VALUE **pval,
850 ossl_unused const ASN1_ITEM *it, void *exarg)
851 {
852 OSSL_CMP_MSG *msg = (OSSL_CMP_MSG *)*pval;
853
854 switch (operation) {
855 case ASN1_OP_FREE_POST:
856 OPENSSL_free(msg->propq);
857 break;
858
859 case ASN1_OP_DUP_POST:
860 {
861 OSSL_CMP_MSG *old = exarg;
862
863 if (!ossl_cmp_msg_set0_libctx(msg, old->libctx, old->propq))
864 return 0;
865 }
866 break;
867 case ASN1_OP_GET0_LIBCTX:
868 {
869 OSSL_LIB_CTX **libctx = exarg;
870
871 *libctx = msg->libctx;
872 }
873 break;
874 case ASN1_OP_GET0_PROPQ:
875 {
876 const char **propq = exarg;
877
878 *propq = msg->propq;
879 }
880 break;
881 default:
882 break;
883 }
884
885 return 1;
886 }
887
888 ASN1_CHOICE(OSSL_CMP_CERTORENCCERT) = {
889 /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
890 ASN1_EXP(OSSL_CMP_CERTORENCCERT, value.certificate, X509, 0),
891 ASN1_EXP(OSSL_CMP_CERTORENCCERT, value.encryptedCert,
892 OSSL_CRMF_ENCRYPTEDVALUE, 1),
893 } ASN1_CHOICE_END(OSSL_CMP_CERTORENCCERT)
894 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CERTORENCCERT)
895
896 ASN1_SEQUENCE(OSSL_CMP_CERTIFIEDKEYPAIR) = {
897 ASN1_SIMPLE(OSSL_CMP_CERTIFIEDKEYPAIR, certOrEncCert,
898 OSSL_CMP_CERTORENCCERT),
899 ASN1_EXP_OPT(OSSL_CMP_CERTIFIEDKEYPAIR, privateKey,
900 OSSL_CRMF_ENCRYPTEDVALUE, 0),
901 ASN1_EXP_OPT(OSSL_CMP_CERTIFIEDKEYPAIR, publicationInfo,
902 OSSL_CRMF_PKIPUBLICATIONINFO, 1)
903 } ASN1_SEQUENCE_END(OSSL_CMP_CERTIFIEDKEYPAIR)
904 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CERTIFIEDKEYPAIR)
905
906 ASN1_SEQUENCE(OSSL_CMP_REVDETAILS) = {
907 ASN1_SIMPLE(OSSL_CMP_REVDETAILS, certDetails, OSSL_CRMF_CERTTEMPLATE),
908 ASN1_OPT(OSSL_CMP_REVDETAILS, crlEntryDetails, X509_EXTENSIONS)
909 } ASN1_SEQUENCE_END(OSSL_CMP_REVDETAILS)
910 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_REVDETAILS)
911
912 ASN1_ITEM_TEMPLATE(OSSL_CMP_REVREQCONTENT) =
913 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, OSSL_CMP_REVREQCONTENT,
914 OSSL_CMP_REVDETAILS)
915 ASN1_ITEM_TEMPLATE_END(OSSL_CMP_REVREQCONTENT)
916
917 ASN1_SEQUENCE(OSSL_CMP_REVREPCONTENT) = {
918 ASN1_SEQUENCE_OF(OSSL_CMP_REVREPCONTENT, status, OSSL_CMP_PKISI),
919 ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_REVREPCONTENT, revCerts, OSSL_CRMF_CERTID,
920 0),
921 ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_REVREPCONTENT, crls, X509_CRL, 1)
922 } ASN1_SEQUENCE_END(OSSL_CMP_REVREPCONTENT)
923 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_REVREPCONTENT)
924
925 ASN1_SEQUENCE(OSSL_CMP_KEYRECREPCONTENT) = {
926 ASN1_SIMPLE(OSSL_CMP_KEYRECREPCONTENT, status, OSSL_CMP_PKISI),
927 ASN1_EXP_OPT(OSSL_CMP_KEYRECREPCONTENT, newSigCert, X509, 0),
928 ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_KEYRECREPCONTENT, caCerts, X509, 1),
929 ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_KEYRECREPCONTENT, keyPairHist,
930 OSSL_CMP_CERTIFIEDKEYPAIR, 2)
931 } ASN1_SEQUENCE_END(OSSL_CMP_KEYRECREPCONTENT)
932 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_KEYRECREPCONTENT)
933
934 ASN1_ITEM_TEMPLATE(OSSL_CMP_PKISTATUS) =
935 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_UNIVERSAL, 0, status, ASN1_INTEGER)
936 ASN1_ITEM_TEMPLATE_END(OSSL_CMP_PKISTATUS)
937
938 ASN1_SEQUENCE(OSSL_CMP_PKISI) = {
939 ASN1_SIMPLE(OSSL_CMP_PKISI, status, OSSL_CMP_PKISTATUS),
940 /* OSSL_CMP_PKIFREETEXT is a ASN1_UTF8STRING sequence, so used directly */
941 ASN1_SEQUENCE_OF_OPT(OSSL_CMP_PKISI, statusString, ASN1_UTF8STRING),
942 /* OSSL_CMP_PKIFAILUREINFO is effectively ASN1_BIT_STRING, used directly */
943 ASN1_OPT(OSSL_CMP_PKISI, failInfo, ASN1_BIT_STRING)
944 } ASN1_SEQUENCE_END(OSSL_CMP_PKISI)
945 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_PKISI)
946 IMPLEMENT_ASN1_DUP_FUNCTION(OSSL_CMP_PKISI)
947
948 ASN1_SEQUENCE(OSSL_CMP_CERTSTATUS) = {
949 ASN1_SIMPLE(OSSL_CMP_CERTSTATUS, certHash, ASN1_OCTET_STRING),
950 ASN1_SIMPLE(OSSL_CMP_CERTSTATUS, certReqId, ASN1_INTEGER),
951 ASN1_OPT(OSSL_CMP_CERTSTATUS, statusInfo, OSSL_CMP_PKISI),
952 ASN1_EXP_OPT(OSSL_CMP_CERTSTATUS, hashAlg, X509_ALGOR, 0)
953 } ASN1_SEQUENCE_END(OSSL_CMP_CERTSTATUS)
954 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CERTSTATUS)
955
956 ASN1_ITEM_TEMPLATE(OSSL_CMP_CERTCONFIRMCONTENT) =
957 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, OSSL_CMP_CERTCONFIRMCONTENT,
958 OSSL_CMP_CERTSTATUS)
959 ASN1_ITEM_TEMPLATE_END(OSSL_CMP_CERTCONFIRMCONTENT)
960
961 ASN1_SEQUENCE(OSSL_CMP_CERTRESPONSE) = {
962 ASN1_SIMPLE(OSSL_CMP_CERTRESPONSE, certReqId, ASN1_INTEGER),
963 ASN1_SIMPLE(OSSL_CMP_CERTRESPONSE, status, OSSL_CMP_PKISI),
964 ASN1_OPT(OSSL_CMP_CERTRESPONSE, certifiedKeyPair,
965 OSSL_CMP_CERTIFIEDKEYPAIR),
966 ASN1_OPT(OSSL_CMP_CERTRESPONSE, rspInfo, ASN1_OCTET_STRING)
967 } ASN1_SEQUENCE_END(OSSL_CMP_CERTRESPONSE)
968 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CERTRESPONSE)
969
970 ASN1_SEQUENCE(OSSL_CMP_POLLREQ) = {
971 ASN1_SIMPLE(OSSL_CMP_POLLREQ, certReqId, ASN1_INTEGER)
972 } ASN1_SEQUENCE_END(OSSL_CMP_POLLREQ)
973 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_POLLREQ)
974
975 ASN1_ITEM_TEMPLATE(OSSL_CMP_POLLREQCONTENT) =
976 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, OSSL_CMP_POLLREQCONTENT,
977 OSSL_CMP_POLLREQ)
978 ASN1_ITEM_TEMPLATE_END(OSSL_CMP_POLLREQCONTENT)
979
980 ASN1_SEQUENCE(OSSL_CMP_POLLREP) = {
981 ASN1_SIMPLE(OSSL_CMP_POLLREP, certReqId, ASN1_INTEGER),
982 ASN1_SIMPLE(OSSL_CMP_POLLREP, checkAfter, ASN1_INTEGER),
983 ASN1_SEQUENCE_OF_OPT(OSSL_CMP_POLLREP, reason, ASN1_UTF8STRING),
984 } ASN1_SEQUENCE_END(OSSL_CMP_POLLREP)
985 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_POLLREP)
986
987 ASN1_ITEM_TEMPLATE(OSSL_CMP_POLLREPCONTENT) =
988 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,
989 OSSL_CMP_POLLREPCONTENT,
990 OSSL_CMP_POLLREP)
991 ASN1_ITEM_TEMPLATE_END(OSSL_CMP_POLLREPCONTENT)
992
993 ASN1_SEQUENCE(OSSL_CMP_CERTREPMESSAGE) = {
994 /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
995 ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_CERTREPMESSAGE, caPubs, X509, 1),
996 ASN1_SEQUENCE_OF(OSSL_CMP_CERTREPMESSAGE, response, OSSL_CMP_CERTRESPONSE)
997 } ASN1_SEQUENCE_END(OSSL_CMP_CERTREPMESSAGE)
998 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CERTREPMESSAGE)
999
1000 ASN1_ITEM_TEMPLATE(OSSL_CMP_GENMSGCONTENT) =
1001 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, OSSL_CMP_GENMSGCONTENT,
1002 OSSL_CMP_ITAV)
1003 ASN1_ITEM_TEMPLATE_END(OSSL_CMP_GENMSGCONTENT)
1004
1005 ASN1_ITEM_TEMPLATE(OSSL_CMP_GENREPCONTENT) =
1006 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, OSSL_CMP_GENREPCONTENT,
1007 OSSL_CMP_ITAV)
1008 ASN1_ITEM_TEMPLATE_END(OSSL_CMP_GENREPCONTENT)
1009
1010 ASN1_ITEM_TEMPLATE(OSSL_CMP_CRLANNCONTENT) =
1011 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,
1012 OSSL_CMP_CRLANNCONTENT, X509_CRL)
1013 ASN1_ITEM_TEMPLATE_END(OSSL_CMP_CRLANNCONTENT)
1014
1015 ASN1_CHOICE(OSSL_CMP_PKIBODY) = {
1016 ASN1_EXP(OSSL_CMP_PKIBODY, value.ir, OSSL_CRMF_MSGS, 0),
1017 ASN1_EXP(OSSL_CMP_PKIBODY, value.ip, OSSL_CMP_CERTREPMESSAGE, 1),
1018 ASN1_EXP(OSSL_CMP_PKIBODY, value.cr, OSSL_CRMF_MSGS, 2),
1019 ASN1_EXP(OSSL_CMP_PKIBODY, value.cp, OSSL_CMP_CERTREPMESSAGE, 3),
1020 ASN1_EXP(OSSL_CMP_PKIBODY, value.p10cr, X509_REQ, 4),
1021 ASN1_EXP(OSSL_CMP_PKIBODY, value.popdecc,
1022 OSSL_CMP_POPODECKEYCHALLCONTENT, 5),
1023 ASN1_EXP(OSSL_CMP_PKIBODY, value.popdecr,
1024 OSSL_CMP_POPODECKEYRESPCONTENT, 6),
1025 ASN1_EXP(OSSL_CMP_PKIBODY, value.kur, OSSL_CRMF_MSGS, 7),
1026 ASN1_EXP(OSSL_CMP_PKIBODY, value.kup, OSSL_CMP_CERTREPMESSAGE, 8),
1027 ASN1_EXP(OSSL_CMP_PKIBODY, value.krr, OSSL_CRMF_MSGS, 9),
1028 ASN1_EXP(OSSL_CMP_PKIBODY, value.krp, OSSL_CMP_KEYRECREPCONTENT, 10),
1029 ASN1_EXP(OSSL_CMP_PKIBODY, value.rr, OSSL_CMP_REVREQCONTENT, 11),
1030 ASN1_EXP(OSSL_CMP_PKIBODY, value.rp, OSSL_CMP_REVREPCONTENT, 12),
1031 ASN1_EXP(OSSL_CMP_PKIBODY, value.ccr, OSSL_CRMF_MSGS, 13),
1032 ASN1_EXP(OSSL_CMP_PKIBODY, value.ccp, OSSL_CMP_CERTREPMESSAGE, 14),
1033 ASN1_EXP(OSSL_CMP_PKIBODY, value.ckuann, OSSL_CMP_CAKEYUPDANNCONTENT, 15),
1034 ASN1_EXP(OSSL_CMP_PKIBODY, value.cann, X509, 16),
1035 ASN1_EXP(OSSL_CMP_PKIBODY, value.rann, OSSL_CMP_REVANNCONTENT, 17),
1036 ASN1_EXP(OSSL_CMP_PKIBODY, value.crlann, OSSL_CMP_CRLANNCONTENT, 18),
1037 ASN1_EXP(OSSL_CMP_PKIBODY, value.pkiconf, ASN1_ANY, 19),
1038 ASN1_EXP(OSSL_CMP_PKIBODY, value.nested, OSSL_CMP_MSGS, 20),
1039 ASN1_EXP(OSSL_CMP_PKIBODY, value.genm, OSSL_CMP_GENMSGCONTENT, 21),
1040 ASN1_EXP(OSSL_CMP_PKIBODY, value.genp, OSSL_CMP_GENREPCONTENT, 22),
1041 ASN1_EXP(OSSL_CMP_PKIBODY, value.error, OSSL_CMP_ERRORMSGCONTENT, 23),
1042 ASN1_EXP(OSSL_CMP_PKIBODY, value.certConf, OSSL_CMP_CERTCONFIRMCONTENT, 24),
1043 ASN1_EXP(OSSL_CMP_PKIBODY, value.pollReq, OSSL_CMP_POLLREQCONTENT, 25),
1044 ASN1_EXP(OSSL_CMP_PKIBODY, value.pollRep, OSSL_CMP_POLLREPCONTENT, 26),
1045 } ASN1_CHOICE_END(OSSL_CMP_PKIBODY)
1046 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_PKIBODY)
1047
1048 ASN1_SEQUENCE(OSSL_CMP_PKIHEADER) = {
1049 ASN1_SIMPLE(OSSL_CMP_PKIHEADER, pvno, ASN1_INTEGER),
1050 ASN1_SIMPLE(OSSL_CMP_PKIHEADER, sender, GENERAL_NAME),
1051 ASN1_SIMPLE(OSSL_CMP_PKIHEADER, recipient, GENERAL_NAME),
1052 ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, messageTime, ASN1_GENERALIZEDTIME, 0),
1053 ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, protectionAlg, X509_ALGOR, 1),
1054 ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, senderKID, ASN1_OCTET_STRING, 2),
1055 ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, recipKID, ASN1_OCTET_STRING, 3),
1056 ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, transactionID, ASN1_OCTET_STRING, 4),
1057 ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, senderNonce, ASN1_OCTET_STRING, 5),
1058 ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, recipNonce, ASN1_OCTET_STRING, 6),
1059 /* OSSL_CMP_PKIFREETEXT is a ASN1_UTF8STRING sequence, so used directly */
1060 ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_PKIHEADER, freeText, ASN1_UTF8STRING, 7),
1061 ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_PKIHEADER, generalInfo,
1062 OSSL_CMP_ITAV, 8)
1063 } ASN1_SEQUENCE_END(OSSL_CMP_PKIHEADER)
1064 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_PKIHEADER)
1065
1066 ASN1_SEQUENCE(OSSL_CMP_PROTECTEDPART) = {
1067 ASN1_SIMPLE(OSSL_CMP_MSG, header, OSSL_CMP_PKIHEADER),
1068 ASN1_SIMPLE(OSSL_CMP_MSG, body, OSSL_CMP_PKIBODY)
1069 } ASN1_SEQUENCE_END(OSSL_CMP_PROTECTEDPART)
1070 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_PROTECTEDPART)
1071
1072 ASN1_SEQUENCE_cb(OSSL_CMP_MSG, ossl_cmp_msg_cb) = {
1073 ASN1_SIMPLE(OSSL_CMP_MSG, header, OSSL_CMP_PKIHEADER),
1074 ASN1_SIMPLE(OSSL_CMP_MSG, body, OSSL_CMP_PKIBODY),
1075 ASN1_EXP_OPT(OSSL_CMP_MSG, protection, ASN1_BIT_STRING, 0),
1076 /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
1077 ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_MSG, extraCerts, X509, 1)
1078 } ASN1_SEQUENCE_END_cb(OSSL_CMP_MSG, OSSL_CMP_MSG)
1079 IMPLEMENT_ASN1_DUP_FUNCTION(OSSL_CMP_MSG)
1080
1081 ASN1_ITEM_TEMPLATE(OSSL_CMP_MSGS) =
1082 ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, OSSL_CMP_MSGS,
1083 OSSL_CMP_MSG)
1084 ASN1_ITEM_TEMPLATE_END(OSSL_CMP_MSGS)
1085
