2 * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright Nokia 2007-2019
4 * Copyright Siemens AG 2015-2019
6 * Licensed under the Apache License 2.0 (the "License"). You may not use
7 * this file except in compliance with the License. You can obtain a copy
8 * in the file LICENSE in the source distribution or at
9 * https://www.openssl.org/source/license.html
12 #include "cmp_local.h"
14 /* explicit #includes not strictly needed since implied by the above: */
15 #include <openssl/asn1t.h>
16 #include <openssl/cmp.h>
17 #include <openssl/crmf.h>
18 #include <openssl/err.h>
19 #include <openssl/x509.h>
22 * This function is also used for verification from cmp_vfy.
24 * Calculate protection for given PKImessage utilizing the given credentials
25 * and the algorithm parameters set inside the message header's protectionAlg.
27 * Either secret or pkey must be set, the other must be NULL. Attempts doing
28 * PBMAC in case 'secret' is set and signature if 'pkey' is set - but will only
29 * do the protection already marked in msg->header->protectionAlg.
31 * returns ptr to ASN1_BIT_STRING containing protection on success, else NULL
33 ASN1_BIT_STRING *ossl_cmp_calc_protection(const OSSL_CMP_MSG *msg,
34 const ASN1_OCTET_STRING *secret,
37 ASN1_BIT_STRING *prot = NULL;
38 CMP_PROTECTEDPART prot_part;
39 const ASN1_OBJECT *algorOID = NULL;
41 size_t prot_part_der_len;
42 unsigned char *prot_part_der = NULL;
44 unsigned char *protection = NULL;
45 const void *ppval = NULL;
47 OSSL_CRMF_PBMPARAMETER *pbm = NULL;
48 ASN1_STRING *pbm_str = NULL;
49 const unsigned char *pbm_str_uc = NULL;
50 EVP_MD_CTX *evp_ctx = NULL;
52 const EVP_MD *md = NULL;
54 if (!ossl_assert(msg != NULL))
57 /* construct data to be signed */
58 prot_part.header = msg->header;
59 prot_part.body = msg->body;
61 len = i2d_CMP_PROTECTEDPART(&prot_part, &prot_part_der);
62 if (len < 0 || prot_part_der == NULL) {
63 CMPerr(0, CMP_R_ERROR_CALCULATING_PROTECTION);
66 prot_part_der_len = (size_t) len;
68 if (msg->header->protectionAlg == NULL) {
69 CMPerr(0, CMP_R_UNKNOWN_ALGORITHM_ID);
72 X509_ALGOR_get0(&algorOID, &pptype, &ppval, msg->header->protectionAlg);
74 if (secret != NULL && pkey == NULL) {
76 CMPerr(0, CMP_R_ERROR_CALCULATING_PROTECTION);
79 if (NID_id_PasswordBasedMAC != OBJ_obj2nid(algorOID)) {
80 CMPerr(0, CMP_R_WRONG_ALGORITHM_OID);
83 pbm_str = (ASN1_STRING *)ppval;
84 pbm_str_uc = pbm_str->data;
85 pbm = d2i_OSSL_CRMF_PBMPARAMETER(NULL, &pbm_str_uc, pbm_str->length);
87 CMPerr(0, CMP_R_WRONG_ALGORITHM_OID);
91 if (!OSSL_CRMF_pbm_new(pbm, prot_part_der, prot_part_der_len,
92 secret->data, secret->length,
93 &protection, &sig_len))
95 } else if (secret == NULL && pkey != NULL) {
96 /* TODO combine this with large parts of CRMF_poposigningkey_init() */
97 /* EVP_DigestSignInit() checks that pkey type is correct for the alg */
99 if (!OBJ_find_sigid_algs(OBJ_obj2nid(algorOID), &md_NID, NULL)
100 || (md = EVP_get_digestbynid(md_NID)) == NULL
101 || (evp_ctx = EVP_MD_CTX_new()) == NULL) {
102 CMPerr(0, CMP_R_UNKNOWN_ALGORITHM_ID);
105 if (EVP_DigestSignInit(evp_ctx, NULL, md, NULL, pkey) <= 0
106 || EVP_DigestSignUpdate(evp_ctx, prot_part_der,
107 prot_part_der_len) <= 0
108 || EVP_DigestSignFinal(evp_ctx, NULL, &sig_len) <= 0
109 || (protection = OPENSSL_malloc(sig_len)) == NULL
110 || EVP_DigestSignFinal(evp_ctx, protection, &sig_len) <= 0) {
111 CMPerr(0, CMP_R_ERROR_CALCULATING_PROTECTION);
115 CMPerr(0, CMP_R_INVALID_ARGS);
119 if ((prot = ASN1_BIT_STRING_new()) == NULL)
121 /* OpenSSL defaults all bit strings to be encoded as ASN.1 NamedBitList */
122 prot->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07);
123 prot->flags |= ASN1_STRING_FLAG_BITS_LEFT;
124 if (!ASN1_BIT_STRING_set(prot, protection, sig_len)) {
125 ASN1_BIT_STRING_free(prot);
130 OSSL_CRMF_PBMPARAMETER_free(pbm);
131 EVP_MD_CTX_free(evp_ctx);
132 OPENSSL_free(protection);
133 OPENSSL_free(prot_part_der);
137 int ossl_cmp_msg_add_extraCerts(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg)
139 if (!ossl_assert(ctx != NULL && msg != NULL))
142 if (msg->extraCerts == NULL
143 && (msg->extraCerts = sk_X509_new_null()) == NULL)
146 if (ctx->clCert != NULL) {
147 /* Make sure that our own cert gets sent, in the first position */
148 if (!X509_up_ref(ctx->clCert))
150 if (!sk_X509_push(msg->extraCerts, ctx->clCert)) {
151 X509_free(ctx->clCert);
154 /* if we have untrusted store, try to add intermediate certs */
155 if (ctx->untrusted_certs != NULL) {
156 STACK_OF(X509) *chain =
157 ossl_cmp_build_cert_chain(ctx->untrusted_certs, ctx->clCert);
158 int res = ossl_cmp_sk_X509_add1_certs(msg->extraCerts, chain,
159 1 /* no self-issued */,
160 1 /* no duplicates */, 0);
161 sk_X509_pop_free(chain, X509_free);
167 /* add any additional certificates from ctx->extraCertsOut */
168 if (!ossl_cmp_sk_X509_add1_certs(msg->extraCerts, ctx->extraCertsOut, 0,
169 1 /* no duplicates */, 0))
172 /* if none was found avoid empty ASN.1 sequence */
173 if (sk_X509_num(msg->extraCerts) == 0) {
174 sk_X509_free(msg->extraCerts);
175 msg->extraCerts = NULL;
181 * Create an X509_ALGOR structure for PasswordBasedMAC protection based on
182 * the pbm settings in the context
183 * returns pointer to X509_ALGOR on success, NULL on error
185 static X509_ALGOR *create_pbmac_algor(OSSL_CMP_CTX *ctx)
187 X509_ALGOR *alg = NULL;
188 OSSL_CRMF_PBMPARAMETER *pbm = NULL;
189 unsigned char *pbm_der = NULL;
191 ASN1_STRING *pbm_str = NULL;
193 if (!ossl_assert(ctx != NULL))
196 alg = X509_ALGOR_new();
197 pbm = OSSL_CRMF_pbmp_new(ctx->pbm_slen, ctx->pbm_owf, ctx->pbm_itercnt,
199 pbm_str = ASN1_STRING_new();
200 if (alg == NULL || pbm == NULL || pbm_str == NULL)
203 if ((pbm_der_len = i2d_OSSL_CRMF_PBMPARAMETER(pbm, &pbm_der)) < 0)
206 if (!ASN1_STRING_set(pbm_str, pbm_der, pbm_der_len))
208 OPENSSL_free(pbm_der);
210 X509_ALGOR_set0(alg, OBJ_nid2obj(NID_id_PasswordBasedMAC),
211 V_ASN1_SEQUENCE, pbm_str);
212 OSSL_CRMF_PBMPARAMETER_free(pbm);
216 ASN1_STRING_free(pbm_str);
217 X509_ALGOR_free(alg);
218 OPENSSL_free(pbm_der);
219 OSSL_CRMF_PBMPARAMETER_free(pbm);
223 int ossl_cmp_msg_protect(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg)
225 if (!ossl_assert(ctx != NULL && msg != NULL))
228 if (ctx->unprotectedSend)
231 /* use PasswordBasedMac according to 5.1.3.1 if secretValue is given */
232 if (ctx->secretValue != NULL) {
233 if ((msg->header->protectionAlg = create_pbmac_algor(ctx)) == NULL)
235 if (ctx->referenceValue != NULL
236 && !ossl_cmp_hdr_set1_senderKID(msg->header,
237 ctx->referenceValue))
241 * add any additional certificates from ctx->extraCertsOut
242 * while not needed to validate the signing cert, the option to do
243 * this might be handy for certain use cases
245 if (!ossl_cmp_msg_add_extraCerts(ctx, msg))
248 if ((msg->protection =
249 ossl_cmp_calc_protection(msg, ctx->secretValue, NULL)) == NULL)
253 * use MSG_SIG_ALG according to 5.1.3.3 if client Certificate and
254 * private key is given
256 if (ctx->clCert != NULL && ctx->pkey != NULL) {
257 const ASN1_OCTET_STRING *subjKeyIDStr = NULL;
259 ASN1_OBJECT *alg = NULL;
261 /* make sure that key and certificate match */
262 if (!X509_check_private_key(ctx->clCert, ctx->pkey)) {
263 CMPerr(0, CMP_R_CERT_AND_KEY_DO_NOT_MATCH);
267 if (msg->header->protectionAlg == NULL)
268 if ((msg->header->protectionAlg = X509_ALGOR_new()) == NULL)
271 if (!OBJ_find_sigid_by_algs(&algNID, ctx->digest,
272 EVP_PKEY_id(ctx->pkey))) {
273 CMPerr(0, CMP_R_UNSUPPORTED_KEY_TYPE);
276 if ((alg = OBJ_nid2obj(algNID)) == NULL)
278 if (!X509_ALGOR_set0(msg->header->protectionAlg,
279 alg, V_ASN1_UNDEF, NULL)) {
280 ASN1_OBJECT_free(alg);
285 * set senderKID to keyIdentifier of the used certificate according
288 subjKeyIDStr = X509_get0_subject_key_id(ctx->clCert);
289 if (subjKeyIDStr == NULL)
290 subjKeyIDStr = ctx->referenceValue; /* fallback */
291 if (subjKeyIDStr != NULL
292 && !ossl_cmp_hdr_set1_senderKID(msg->header, subjKeyIDStr))
296 * Add ctx->clCert followed, if possible, by its chain built
297 * from ctx->untrusted_certs, and then ctx->extraCertsOut
299 if (!ossl_cmp_msg_add_extraCerts(ctx, msg))
302 if ((msg->protection =
303 ossl_cmp_calc_protection(msg, NULL, ctx->pkey)) == NULL)
306 CMPerr(0, CMP_R_MISSING_KEY_INPUT_FOR_CREATING_PROTECTION);
312 * As required by RFC 4210 section 5.1.1., if the sender name is not known
313 * to the client it set to NULL-DN. In this case for identification at least
314 * the senderKID must be set, where we took the referenceValue as fallback.
317 if (ossl_cmp_general_name_is_NULL_DN(msg->header->sender)
318 && msg->header->senderKID == NULL)
319 CMPerr(0, CMP_R_MISSING_SENDER_IDENTIFICATION);
324 CMPerr(0, CMP_R_ERROR_PROTECTING_MESSAGE);