1 /*
2 * Copyright 2007-2025 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright Nokia 2007-2019
4 * Copyright Siemens AG 2015-2019
5 *
6 * Licensed under the Apache License 2.0 (the "License"). You may not use
7 * this file except in compliance with the License. You can obtain a copy
8 * in the file LICENSE in the source distribution or at
9 * https://www.openssl.org/source/license.html
10 */
11
12 #include <openssl/asn1t.h>
13
14 #include "cmp_local.h"
15 #include "internal/crmf.h"
16
17 /* explicit #includes not strictly needed since implied by the above: */
18 #include <openssl/cmp.h>
19 #include <openssl/crmf.h>
20
21 /* ASN.1 declarations from RFC 9810 */
22 ASN1_SEQUENCE(OSSL_CMP_REVANNCONTENT) = {
23 /* OSSL_CMP_PKISTATUS is effectively ASN1_INTEGER so it is used directly */
24 ASN1_SIMPLE(OSSL_CMP_REVANNCONTENT, status, ASN1_INTEGER),
25 ASN1_SIMPLE(OSSL_CMP_REVANNCONTENT, certId, OSSL_CRMF_CERTID),
26 ASN1_SIMPLE(OSSL_CMP_REVANNCONTENT, willBeRevokedAt, ASN1_GENERALIZEDTIME),
27 ASN1_SIMPLE(OSSL_CMP_REVANNCONTENT, badSinceDate, ASN1_GENERALIZEDTIME),
28 ASN1_OPT(OSSL_CMP_REVANNCONTENT, crlDetails, X509_EXTENSIONS)
29 } ASN1_SEQUENCE_END(OSSL_CMP_REVANNCONTENT)
30 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_REVANNCONTENT)
31
32 ASN1_SEQUENCE(OSSL_CMP_CHALLENGE) = {
33 ASN1_OPT(OSSL_CMP_CHALLENGE, owf, X509_ALGOR),
34 ASN1_SIMPLE(OSSL_CMP_CHALLENGE, witness, ASN1_OCTET_STRING),
35 ASN1_SIMPLE(OSSL_CMP_CHALLENGE, challenge, ASN1_OCTET_STRING)
36 } ASN1_SEQUENCE_END(OSSL_CMP_CHALLENGE)
37 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CHALLENGE)
38
39 ASN1_ITEM_TEMPLATE(OSSL_CMP_POPODECKEYCHALLCONTENT) = ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,
40 OSSL_CMP_POPODECKEYCHALLCONTENT, OSSL_CMP_CHALLENGE)
41 ASN1_ITEM_TEMPLATE_END(OSSL_CMP_POPODECKEYCHALLCONTENT)
42
43 ASN1_ITEM_TEMPLATE(OSSL_CMP_POPODECKEYRESPCONTENT) = ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,
44 OSSL_CMP_POPODECKEYRESPCONTENT, ASN1_INTEGER)
45 ASN1_ITEM_TEMPLATE_END(OSSL_CMP_POPODECKEYRESPCONTENT)
46
47 ASN1_SEQUENCE(OSSL_CMP_CAKEYUPDANNCONTENT) = {
48 /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
49 ASN1_SIMPLE(OSSL_CMP_CAKEYUPDANNCONTENT, oldWithNew, X509),
50 /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
51 ASN1_SIMPLE(OSSL_CMP_CAKEYUPDANNCONTENT, newWithOld, X509),
52 /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
53 ASN1_SIMPLE(OSSL_CMP_CAKEYUPDANNCONTENT, newWithNew, X509)
54 } ASN1_SEQUENCE_END(OSSL_CMP_CAKEYUPDANNCONTENT)
55 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CAKEYUPDANNCONTENT)
56
57 ASN1_SEQUENCE(OSSL_CMP_ERRORMSGCONTENT) = {
58 ASN1_SIMPLE(OSSL_CMP_ERRORMSGCONTENT, pKIStatusInfo, OSSL_CMP_PKISI),
59 ASN1_OPT(OSSL_CMP_ERRORMSGCONTENT, errorCode, ASN1_INTEGER),
60 /* OSSL_CMP_PKIFREETEXT is a ASN1_UTF8STRING sequence, so used directly */
61 ASN1_SEQUENCE_OF_OPT(OSSL_CMP_ERRORMSGCONTENT, errorDetails,
62 ASN1_UTF8STRING)
63 } ASN1_SEQUENCE_END(OSSL_CMP_ERRORMSGCONTENT)
64 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_ERRORMSGCONTENT)
65
66 ASN1_ADB_TEMPLATE(infotypeandvalue_default) = ASN1_OPT(OSSL_CMP_ITAV,
67 infoValue.other,
68 ASN1_ANY);
69 /* ITAV means InfoTypeAndValue */
70 ASN1_ADB(OSSL_CMP_ITAV) = {
71 /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
72 ADB_ENTRY(NID_id_it_caProtEncCert, ASN1_OPT(OSSL_CMP_ITAV, infoValue.caProtEncCert, X509)),
73 ADB_ENTRY(NID_id_it_signKeyPairTypes,
74 ASN1_SEQUENCE_OF_OPT(OSSL_CMP_ITAV,
75 infoValue.signKeyPairTypes, X509_ALGOR)),
76 ADB_ENTRY(NID_id_it_encKeyPairTypes,
77 ASN1_SEQUENCE_OF_OPT(OSSL_CMP_ITAV,
78 infoValue.encKeyPairTypes, X509_ALGOR)),
79 ADB_ENTRY(NID_id_it_preferredSymmAlg,
80 ASN1_OPT(OSSL_CMP_ITAV, infoValue.preferredSymmAlg,
81 X509_ALGOR)),
82 ADB_ENTRY(NID_id_it_caKeyUpdateInfo,
83 ASN1_OPT(OSSL_CMP_ITAV, infoValue.caKeyUpdateInfo,
84 OSSL_CMP_CAKEYUPDANNCONTENT)),
85 ADB_ENTRY(NID_id_it_currentCRL,
86 ASN1_OPT(OSSL_CMP_ITAV, infoValue.currentCRL, X509_CRL)),
87 ADB_ENTRY(NID_id_it_unsupportedOIDs,
88 ASN1_SEQUENCE_OF_OPT(OSSL_CMP_ITAV,
89 infoValue.unsupportedOIDs, ASN1_OBJECT)),
90 ADB_ENTRY(NID_id_it_keyPairParamReq,
91 ASN1_OPT(OSSL_CMP_ITAV, infoValue.keyPairParamReq,
92 ASN1_OBJECT)),
93 ADB_ENTRY(NID_id_it_keyPairParamRep,
94 ASN1_OPT(OSSL_CMP_ITAV, infoValue.keyPairParamRep,
95 X509_ALGOR)),
96 ADB_ENTRY(NID_id_it_revPassphrase,
97 ASN1_OPT(OSSL_CMP_ITAV, infoValue.revPassphrase,
98 OSSL_CRMF_ENCRYPTEDVALUE)),
99 ADB_ENTRY(NID_id_it_implicitConfirm,
100 ASN1_OPT(OSSL_CMP_ITAV, infoValue.implicitConfirm,
101 ASN1_NULL)),
102 ADB_ENTRY(NID_id_it_confirmWaitTime,
103 ASN1_OPT(OSSL_CMP_ITAV, infoValue.confirmWaitTime,
104 ASN1_GENERALIZEDTIME)),
105 ADB_ENTRY(NID_id_it_origPKIMessage,
106 ASN1_OPT(OSSL_CMP_ITAV, infoValue.origPKIMessage,
107 OSSL_CMP_MSGS)),
108 ADB_ENTRY(NID_id_it_suppLangTags,
109 ASN1_SEQUENCE_OF_OPT(OSSL_CMP_ITAV, infoValue.suppLangTagsValue,
110 ASN1_UTF8STRING)),
111 ADB_ENTRY(NID_id_it_caCerts,
112 ASN1_SEQUENCE_OF_OPT(OSSL_CMP_ITAV, infoValue.caCerts, X509)),
113 ADB_ENTRY(NID_id_it_rootCaCert,
114 ASN1_OPT(OSSL_CMP_ITAV, infoValue.rootCaCert, X509)),
115 ADB_ENTRY(NID_id_it_rootCaKeyUpdate,
116 ASN1_OPT(OSSL_CMP_ITAV, infoValue.rootCaKeyUpdate,
117 OSSL_CMP_ROOTCAKEYUPDATE)),
118 ADB_ENTRY(NID_id_it_certReqTemplate,
119 ASN1_OPT(OSSL_CMP_ITAV, infoValue.certReqTemplate,
120 OSSL_CMP_CERTREQTEMPLATE)),
121 ADB_ENTRY(NID_id_it_certProfile,
122 ASN1_SEQUENCE_OF_OPT(OSSL_CMP_ITAV, infoValue.certProfile,
123 ASN1_UTF8STRING)),
124 ADB_ENTRY(NID_id_it_crlStatusList,
125 ASN1_SEQUENCE_OF_OPT(OSSL_CMP_ITAV, infoValue.crlStatusList,
126 OSSL_CMP_CRLSTATUS)),
127 ADB_ENTRY(NID_id_it_crls,
128 ASN1_SEQUENCE_OF_OPT(OSSL_CMP_ITAV, infoValue.crls, X509_CRL))
129 } ASN1_ADB_END(OSSL_CMP_ITAV, 0, infoType, 0, &infotypeandvalue_default_tt, NULL);
130
131 ASN1_SEQUENCE(OSSL_CMP_ITAV) = {
132 ASN1_SIMPLE(OSSL_CMP_ITAV, infoType, ASN1_OBJECT),
133 ASN1_ADB_OBJECT(OSSL_CMP_ITAV)
134 } ASN1_SEQUENCE_END(OSSL_CMP_ITAV)
135 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_ITAV)
136 IMPLEMENT_ASN1_DUP_FUNCTION(OSSL_CMP_ITAV)
137
138 ASN1_SEQUENCE(OSSL_CMP_ROOTCAKEYUPDATE) = {
139 /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
140 ASN1_SIMPLE(OSSL_CMP_ROOTCAKEYUPDATE, newWithNew, X509),
141 ASN1_EXP_OPT(OSSL_CMP_ROOTCAKEYUPDATE, newWithOld, X509, 0),
142 ASN1_EXP_OPT(OSSL_CMP_ROOTCAKEYUPDATE, oldWithNew, X509, 1)
143 } ASN1_SEQUENCE_END(OSSL_CMP_ROOTCAKEYUPDATE)
144 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_ROOTCAKEYUPDATE)
145
146 ASN1_ITEM_TEMPLATE(OSSL_CMP_ATAVS) = ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,
147 OSSL_CMP_ATAVS, OSSL_CRMF_ATTRIBUTETYPEANDVALUE)
148 ASN1_ITEM_TEMPLATE_END(OSSL_CMP_ATAVS)
149 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_ATAVS)
150
151 ASN1_SEQUENCE(OSSL_CMP_CERTREQTEMPLATE) = {
152 ASN1_SIMPLE(OSSL_CMP_CERTREQTEMPLATE, certTemplate, OSSL_CRMF_CERTTEMPLATE),
153 ASN1_SEQUENCE_OF_OPT(OSSL_CMP_CERTREQTEMPLATE, keySpec,
154 OSSL_CRMF_ATTRIBUTETYPEANDVALUE)
155 } ASN1_SEQUENCE_END(OSSL_CMP_CERTREQTEMPLATE)
156 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CERTREQTEMPLATE)
157
158 ASN1_CHOICE(OSSL_CMP_CRLSOURCE) = {
159 ASN1_EXP(OSSL_CMP_CRLSOURCE, value.dpn, DIST_POINT_NAME, 0),
160 ASN1_EXP(OSSL_CMP_CRLSOURCE, value.issuer, GENERAL_NAMES, 1),
161 } ASN1_CHOICE_END(OSSL_CMP_CRLSOURCE)
162 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CRLSOURCE)
163 #define OSSL_CMP_CRLSOURCE_DPN 0
164 #define OSSL_CMP_CRLSOURCE_ISSUER 1
165
166 ASN1_SEQUENCE(OSSL_CMP_CRLSTATUS) = {
167 ASN1_SIMPLE(OSSL_CMP_CRLSTATUS, source, OSSL_CMP_CRLSOURCE),
168 ASN1_OPT(OSSL_CMP_CRLSTATUS, thisUpdate, ASN1_TIME)
169 } ASN1_SEQUENCE_END(OSSL_CMP_CRLSTATUS)
170 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CRLSTATUS)
171
172 OSSL_CMP_ITAV *OSSL_CMP_ITAV_create(ASN1_OBJECT *type, ASN1_TYPE *value)
173 {
174 OSSL_CMP_ITAV *itav;
175
176 if (type == NULL || (itav = OSSL_CMP_ITAV_new()) == NULL)
177 return NULL;
178 OSSL_CMP_ITAV_set0(itav, type, value);
179 return itav;
180 }
181
OSSL_CMP_ITAV_set0(OSSL_CMP_ITAV * itav,ASN1_OBJECT * type,ASN1_TYPE * value)182 void OSSL_CMP_ITAV_set0(OSSL_CMP_ITAV *itav, ASN1_OBJECT *type,
183 ASN1_TYPE *value)
184 {
185 itav->infoType = type;
186 itav->infoValue.other = value;
187 }
188
OSSL_CMP_ITAV_get0_type(const OSSL_CMP_ITAV * itav)189 ASN1_OBJECT *OSSL_CMP_ITAV_get0_type(const OSSL_CMP_ITAV *itav)
190 {
191 if (itav == NULL)
192 return NULL;
193 return itav->infoType;
194 }
195
OSSL_CMP_ITAV_get0_value(const OSSL_CMP_ITAV * itav)196 ASN1_TYPE *OSSL_CMP_ITAV_get0_value(const OSSL_CMP_ITAV *itav)
197 {
198 if (itav == NULL)
199 return NULL;
200 return itav->infoValue.other;
201 }
202
OSSL_CMP_ITAV_push0_stack_item(STACK_OF (OSSL_CMP_ITAV)** itav_sk_p,OSSL_CMP_ITAV * itav)203 int OSSL_CMP_ITAV_push0_stack_item(STACK_OF(OSSL_CMP_ITAV) **itav_sk_p,
204 OSSL_CMP_ITAV *itav)
205 {
206 int created = 0;
207
208 if (itav_sk_p == NULL || itav == NULL) {
209 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
210 goto err;
211 }
212
213 if (*itav_sk_p == NULL) {
214 if ((*itav_sk_p = sk_OSSL_CMP_ITAV_new_null()) == NULL)
215 goto err;
216 created = 1;
217 }
218 if (!sk_OSSL_CMP_ITAV_push(*itav_sk_p, itav))
219 goto err;
220 return 1;
221
222 err:
223 if (created) {
224 sk_OSSL_CMP_ITAV_free(*itav_sk_p);
225 *itav_sk_p = NULL;
226 }
227 return 0;
228 }
229
230 OSSL_CMP_ITAV
OSSL_CMP_ITAV_new0_certProfile(STACK_OF (ASN1_UTF8STRING)* certProfile)231 *OSSL_CMP_ITAV_new0_certProfile(STACK_OF(ASN1_UTF8STRING) *certProfile)
232 {
233 OSSL_CMP_ITAV *itav;
234
235 if ((itav = OSSL_CMP_ITAV_new()) == NULL)
236 return NULL;
237 itav->infoType = OBJ_nid2obj(NID_id_it_certProfile);
238 itav->infoValue.certProfile = certProfile;
239 return itav;
240 }
241
OSSL_CMP_ITAV_get0_certProfile(const OSSL_CMP_ITAV * itav,STACK_OF (ASN1_UTF8STRING)** out)242 int OSSL_CMP_ITAV_get0_certProfile(const OSSL_CMP_ITAV *itav,
243 STACK_OF(ASN1_UTF8STRING) **out)
244 {
245 if (itav == NULL || out == NULL) {
246 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_NULL_PARAMETER);
247 return 0;
248 }
249 if (OBJ_obj2nid(itav->infoType) != NID_id_it_certProfile) {
250 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_INVALID_ARGUMENT);
251 return 0;
252 }
253 *out = itav->infoValue.certProfile;
254 return 1;
255 }
256
OSSL_CMP_ITAV_new_caCerts(const STACK_OF (X509)* caCerts)257 OSSL_CMP_ITAV *OSSL_CMP_ITAV_new_caCerts(const STACK_OF(X509) *caCerts)
258 {
259 OSSL_CMP_ITAV *itav = OSSL_CMP_ITAV_new();
260
261 if (itav == NULL)
262 return NULL;
263 if (sk_X509_num(caCerts) > 0
264 && (itav->infoValue.caCerts = sk_X509_deep_copy(caCerts, X509_dup, X509_free)) == NULL) {
265 OSSL_CMP_ITAV_free(itav);
266 return NULL;
267 }
268 itav->infoType = OBJ_nid2obj(NID_id_it_caCerts);
269 return itav;
270 }
271
OSSL_CMP_ITAV_get0_caCerts(const OSSL_CMP_ITAV * itav,STACK_OF (X509)** out)272 int OSSL_CMP_ITAV_get0_caCerts(const OSSL_CMP_ITAV *itav, STACK_OF(X509) **out)
273 {
274 if (itav == NULL || out == NULL) {
275 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_NULL_PARAMETER);
276 return 0;
277 }
278 if (OBJ_obj2nid(itav->infoType) != NID_id_it_caCerts) {
279 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_INVALID_ARGUMENT);
280 return 0;
281 }
282 *out = sk_X509_num(itav->infoValue.caCerts) > 0
283 ? itav->infoValue.caCerts
284 : NULL;
285 return 1;
286 }
287
OSSL_CMP_ITAV_new_rootCaCert(const X509 * rootCaCert)288 OSSL_CMP_ITAV *OSSL_CMP_ITAV_new_rootCaCert(const X509 *rootCaCert)
289 {
290 OSSL_CMP_ITAV *itav = OSSL_CMP_ITAV_new();
291
292 if (itav == NULL)
293 return NULL;
294 if (rootCaCert != NULL
295 && (itav->infoValue.rootCaCert = X509_dup(rootCaCert)) == NULL) {
296 OSSL_CMP_ITAV_free(itav);
297 return NULL;
298 }
299 itav->infoType = OBJ_nid2obj(NID_id_it_rootCaCert);
300 return itav;
301 }
302
OSSL_CMP_ITAV_get0_rootCaCert(const OSSL_CMP_ITAV * itav,X509 ** out)303 int OSSL_CMP_ITAV_get0_rootCaCert(const OSSL_CMP_ITAV *itav, X509 **out)
304 {
305 if (itav == NULL || out == NULL) {
306 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_NULL_PARAMETER);
307 return 0;
308 }
309 if (OBJ_obj2nid(itav->infoType) != NID_id_it_rootCaCert) {
310 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_INVALID_ARGUMENT);
311 return 0;
312 }
313 *out = itav->infoValue.rootCaCert;
314 return 1;
315 }
OSSL_CMP_ITAV_new_rootCaKeyUpdate(const X509 * newWithNew,const X509 * newWithOld,const X509 * oldWithNew)316 OSSL_CMP_ITAV *OSSL_CMP_ITAV_new_rootCaKeyUpdate(const X509 *newWithNew,
317 const X509 *newWithOld,
318 const X509 *oldWithNew)
319 {
320 OSSL_CMP_ITAV *itav;
321 OSSL_CMP_ROOTCAKEYUPDATE *upd = NULL;
322
323 if (newWithNew != NULL) {
324 upd = OSSL_CMP_ROOTCAKEYUPDATE_new();
325 if (upd == NULL)
326 return NULL;
327
328 if ((upd->newWithNew = X509_dup(newWithNew)) == NULL)
329 goto err;
330 if (newWithOld != NULL
331 && (upd->newWithOld = X509_dup(newWithOld)) == NULL)
332 goto err;
333 if (oldWithNew != NULL
334 && (upd->oldWithNew = X509_dup(oldWithNew)) == NULL)
335 goto err;
336 }
337
338 if ((itav = OSSL_CMP_ITAV_new()) == NULL)
339 goto err;
340 itav->infoType = OBJ_nid2obj(NID_id_it_rootCaKeyUpdate);
341 itav->infoValue.rootCaKeyUpdate = upd;
342 return itav;
343
344 err:
345 OSSL_CMP_ROOTCAKEYUPDATE_free(upd);
346 return NULL;
347 }
348
OSSL_CMP_ITAV_get0_rootCaKeyUpdate(const OSSL_CMP_ITAV * itav,X509 ** newWithNew,X509 ** newWithOld,X509 ** oldWithNew)349 int OSSL_CMP_ITAV_get0_rootCaKeyUpdate(const OSSL_CMP_ITAV *itav,
350 X509 **newWithNew,
351 X509 **newWithOld,
352 X509 **oldWithNew)
353 {
354 OSSL_CMP_ROOTCAKEYUPDATE *upd;
355
356 if (itav == NULL || newWithNew == NULL) {
357 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_NULL_PARAMETER);
358 return 0;
359 }
360 if (OBJ_obj2nid(itav->infoType) != NID_id_it_rootCaKeyUpdate) {
361 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_INVALID_ARGUMENT);
362 return 0;
363 }
364 upd = itav->infoValue.rootCaKeyUpdate;
365 *newWithNew = upd != NULL ? upd->newWithNew : NULL;
366 if (newWithOld != NULL)
367 *newWithOld = upd != NULL ? upd->newWithOld : NULL;
368 if (oldWithNew != NULL)
369 *oldWithNew = upd != NULL ? upd->oldWithNew : NULL;
370 return 1;
371 }
372
373 OSSL_CMP_ITAV
OSSL_CMP_ITAV_new0_certReqTemplate(OSSL_CRMF_CERTTEMPLATE * certTemplate,OSSL_CMP_ATAVS * keySpec)374 *OSSL_CMP_ITAV_new0_certReqTemplate(OSSL_CRMF_CERTTEMPLATE *certTemplate,
375 OSSL_CMP_ATAVS *keySpec)
376 {
377 OSSL_CMP_ITAV *itav;
378 OSSL_CMP_CERTREQTEMPLATE *tmpl;
379
380 if (certTemplate == NULL && keySpec != NULL) {
381 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_INVALID_ARGUMENT);
382 return NULL;
383 }
384 if ((itav = OSSL_CMP_ITAV_new()) == NULL)
385 return NULL;
386 itav->infoType = OBJ_nid2obj(NID_id_it_certReqTemplate);
387 if (certTemplate == NULL)
388 return itav;
389
390 if ((tmpl = OSSL_CMP_CERTREQTEMPLATE_new()) == NULL) {
391 OSSL_CMP_ITAV_free(itav);
392 return NULL;
393 }
394 itav->infoValue.certReqTemplate = tmpl;
395 tmpl->certTemplate = certTemplate;
396 tmpl->keySpec = keySpec;
397 return itav;
398 }
399
OSSL_CMP_ITAV_get1_certReqTemplate(const OSSL_CMP_ITAV * itav,OSSL_CRMF_CERTTEMPLATE ** certTemplate,OSSL_CMP_ATAVS ** keySpec)400 int OSSL_CMP_ITAV_get1_certReqTemplate(const OSSL_CMP_ITAV *itav,
401 OSSL_CRMF_CERTTEMPLATE **certTemplate,
402 OSSL_CMP_ATAVS **keySpec)
403 {
404 OSSL_CMP_CERTREQTEMPLATE *tpl;
405
406 if (itav == NULL || certTemplate == NULL) {
407 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
408 return 0;
409 }
410
411 *certTemplate = NULL;
412 if (keySpec != NULL)
413 *keySpec = NULL;
414
415 if (OBJ_obj2nid(itav->infoType) != NID_id_it_certReqTemplate) {
416 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_INVALID_ARGUMENT);
417 return 0;
418 }
419 tpl = itav->infoValue.certReqTemplate;
420 if (tpl == NULL) /* no requirements available */
421 return 1;
422
423 if ((*certTemplate = OSSL_CRMF_CERTTEMPLATE_dup(tpl->certTemplate)) == NULL)
424 return 0;
425 if (keySpec != NULL && tpl->keySpec != NULL) {
426 int i, n = sk_OSSL_CMP_ATAV_num(tpl->keySpec);
427
428 *keySpec = sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_new_reserve(NULL, n);
429 if (*keySpec == NULL)
430 goto err;
431 for (i = 0; i < n; i++) {
432 OSSL_CMP_ATAV *atav = sk_OSSL_CMP_ATAV_value(tpl->keySpec, i);
433 ASN1_OBJECT *type = OSSL_CMP_ATAV_get0_type(atav /* may be NULL */);
434 int nid;
435 const char *name;
436
437 if (type == NULL) {
438 ERR_raise_data(ERR_LIB_CMP, CMP_R_INVALID_KEYSPEC,
439 "keySpec with index %d in certReqTemplate does not exist",
440 i);
441 goto err;
442 }
443 nid = OBJ_obj2nid(type);
444
445 if (nid != NID_id_regCtrl_algId
446 && nid != NID_id_regCtrl_rsaKeyLen) {
447 name = OBJ_nid2ln(nid);
448 if (name == NULL)
449 name = OBJ_nid2sn(nid);
450 if (name == NULL)
451 name = "<undef>";
452 ERR_raise_data(ERR_LIB_CMP, CMP_R_INVALID_KEYSPEC,
453 "keySpec with index %d in certReqTemplate has invalid type %s",
454 i, name);
455 goto err;
456 }
457 OSSL_CMP_ATAV_push1(keySpec, atav);
458 }
459 }
460 return 1;
461
462 err:
463 OSSL_CRMF_CERTTEMPLATE_free(*certTemplate);
464 *certTemplate = NULL;
465 sk_OSSL_CMP_ATAV_pop_free(*keySpec, OSSL_CMP_ATAV_free);
466 if (keySpec != NULL)
467 *keySpec = NULL;
468 return 0;
469 }
470
OSSL_CMP_ATAV_create(ASN1_OBJECT * type,ASN1_TYPE * value)471 OSSL_CMP_ATAV *OSSL_CMP_ATAV_create(ASN1_OBJECT *type, ASN1_TYPE *value)
472 {
473 OSSL_CMP_ATAV *atav;
474
475 if ((atav = OSSL_CRMF_ATTRIBUTETYPEANDVALUE_new()) == NULL)
476 return NULL;
477 OSSL_CMP_ATAV_set0(atav, type, value);
478 return atav;
479 }
480
OSSL_CMP_ATAV_set0(OSSL_CMP_ATAV * atav,ASN1_OBJECT * type,ASN1_TYPE * value)481 void OSSL_CMP_ATAV_set0(OSSL_CMP_ATAV *atav, ASN1_OBJECT *type,
482 ASN1_TYPE *value)
483 {
484 atav->type = type;
485 atav->value.other = value;
486 }
487
OSSL_CMP_ATAV_get0_type(const OSSL_CMP_ATAV * atav)488 ASN1_OBJECT *OSSL_CMP_ATAV_get0_type(const OSSL_CMP_ATAV *atav)
489 {
490 if (atav == NULL)
491 return NULL;
492 return atav->type;
493 }
494
OSSL_CMP_ATAV_new_algId(const X509_ALGOR * alg)495 OSSL_CMP_ATAV *OSSL_CMP_ATAV_new_algId(const X509_ALGOR *alg)
496 {
497 X509_ALGOR *dup;
498 OSSL_CMP_ATAV *res;
499
500 if (alg == NULL) {
501 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
502 return NULL;
503 }
504 if ((dup = X509_ALGOR_dup(alg)) == NULL)
505 return NULL;
506 res = OSSL_CMP_ATAV_create(OBJ_nid2obj(NID_id_regCtrl_algId),
507 (ASN1_TYPE *)dup);
508 if (res == NULL)
509 X509_ALGOR_free(dup);
510 return res;
511 }
512
OSSL_CMP_ATAV_get0_algId(const OSSL_CMP_ATAV * atav)513 X509_ALGOR *OSSL_CMP_ATAV_get0_algId(const OSSL_CMP_ATAV *atav)
514 {
515 if (atav == NULL || OBJ_obj2nid(atav->type) != NID_id_regCtrl_algId)
516 return NULL;
517 return atav->value.algId;
518 }
519
OSSL_CMP_ATAV_new_rsaKeyLen(int len)520 OSSL_CMP_ATAV *OSSL_CMP_ATAV_new_rsaKeyLen(int len)
521 {
522 ASN1_INTEGER *aint;
523 OSSL_CMP_ATAV *res = NULL;
524
525 if (len <= 0) {
526 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_INVALID_ARGUMENT);
527 return NULL;
528 }
529 if ((aint = ASN1_INTEGER_new()) == NULL)
530 return NULL;
531 if (!ASN1_INTEGER_set(aint, len)
532 || (res = OSSL_CMP_ATAV_create(OBJ_nid2obj(NID_id_regCtrl_rsaKeyLen),
533 (ASN1_TYPE *)aint))
534 == NULL)
535 ASN1_INTEGER_free(aint);
536 return res;
537 }
538
OSSL_CMP_ATAV_get_rsaKeyLen(const OSSL_CMP_ATAV * atav)539 int OSSL_CMP_ATAV_get_rsaKeyLen(const OSSL_CMP_ATAV *atav)
540 {
541 int64_t val;
542
543 if (atav == NULL || OBJ_obj2nid(atav->type) != NID_id_regCtrl_rsaKeyLen
544 || !ASN1_INTEGER_get_int64(&val, atav->value.rsaKeyLen))
545 return -1;
546 if (val <= 0 || val > INT_MAX)
547 return -2;
548 return (int)val;
549 }
550
OSSL_CMP_ATAV_get0_value(const OSSL_CMP_ATAV * atav)551 ASN1_TYPE *OSSL_CMP_ATAV_get0_value(const OSSL_CMP_ATAV *atav)
552 {
553 if (atav == NULL)
554 return NULL;
555 return atav->value.other;
556 }
557
OSSL_CMP_ATAV_push1(OSSL_CMP_ATAVS ** sk_p,const OSSL_CMP_ATAV * atav)558 int OSSL_CMP_ATAV_push1(OSSL_CMP_ATAVS **sk_p, const OSSL_CMP_ATAV *atav)
559 {
560 int created = 0;
561 OSSL_CMP_ATAV *dup;
562
563 if (sk_p == NULL || atav == NULL) {
564 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
565 goto err;
566 }
567
568 if (*sk_p == NULL) {
569 if ((*sk_p = sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_new_null()) == NULL)
570 goto err;
571 created = 1;
572 }
573
574 if ((dup = OSSL_CRMF_ATTRIBUTETYPEANDVALUE_dup((OSSL_CRMF_ATTRIBUTETYPEANDVALUE *)atav)) == NULL)
575 goto err;
576 if (sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_push(*sk_p, dup))
577 return 1;
578 OSSL_CRMF_ATTRIBUTETYPEANDVALUE_free(dup);
579
580 err:
581 if (created) {
582 sk_OSSL_CRMF_ATTRIBUTETYPEANDVALUE_free(*sk_p);
583 *sk_p = NULL;
584 }
585 return 0;
586 }
587
588 OSSL_CMP_ITAV
OSSL_CMP_ITAV_new0_crlStatusList(STACK_OF (OSSL_CMP_CRLSTATUS)* crlStatusList)589 *OSSL_CMP_ITAV_new0_crlStatusList(STACK_OF(OSSL_CMP_CRLSTATUS) *crlStatusList)
590 {
591 OSSL_CMP_ITAV *itav;
592
593 if ((itav = OSSL_CMP_ITAV_new()) == NULL)
594 return NULL;
595 itav->infoType = OBJ_nid2obj(NID_id_it_crlStatusList);
596 itav->infoValue.crlStatusList = crlStatusList;
597 return itav;
598 }
599
OSSL_CMP_ITAV_get0_crlStatusList(const OSSL_CMP_ITAV * itav,STACK_OF (OSSL_CMP_CRLSTATUS)** out)600 int OSSL_CMP_ITAV_get0_crlStatusList(const OSSL_CMP_ITAV *itav,
601 STACK_OF(OSSL_CMP_CRLSTATUS) **out)
602 {
603 if (itav == NULL || out == NULL) {
604 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_NULL_PARAMETER);
605 return 0;
606 }
607 if (OBJ_obj2nid(itav->infoType) != NID_id_it_crlStatusList) {
608 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_INVALID_ARGUMENT);
609 return 0;
610 }
611 *out = itav->infoValue.crlStatusList;
612 return 1;
613 }
614
OSSL_CMP_CRLSTATUS_new1(const DIST_POINT_NAME * dpn,const GENERAL_NAMES * issuer,const ASN1_TIME * thisUpdate)615 OSSL_CMP_CRLSTATUS *OSSL_CMP_CRLSTATUS_new1(const DIST_POINT_NAME *dpn,
616 const GENERAL_NAMES *issuer,
617 const ASN1_TIME *thisUpdate)
618 {
619 OSSL_CMP_CRLSOURCE *crlsource;
620 OSSL_CMP_CRLSTATUS *crlstatus;
621
622 if (dpn == NULL && issuer == NULL) {
623 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_NULL_PARAMETER);
624 return NULL;
625 }
626 if (dpn != NULL && issuer != NULL) {
627 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_INVALID_ARGUMENT);
628 return NULL;
629 }
630
631 if ((crlstatus = OSSL_CMP_CRLSTATUS_new()) == NULL)
632 return NULL;
633 crlsource = crlstatus->source;
634
635 if (dpn != NULL) {
636 crlsource->type = OSSL_CMP_CRLSOURCE_DPN;
637 if ((crlsource->value.dpn = DIST_POINT_NAME_dup(dpn)) == NULL)
638 goto err;
639 } else {
640 crlsource->type = OSSL_CMP_CRLSOURCE_ISSUER;
641 if ((crlsource->value.issuer = sk_GENERAL_NAME_deep_copy(issuer, GENERAL_NAME_dup,
642 GENERAL_NAME_free))
643 == NULL)
644 goto err;
645 }
646
647 if (thisUpdate != NULL
648 && (crlstatus->thisUpdate = ASN1_TIME_dup(thisUpdate)) == NULL)
649 goto err;
650 return crlstatus;
651
652 err:
653 OSSL_CMP_CRLSTATUS_free(crlstatus);
654 return NULL;
655 }
656
gennames_new(const X509_NAME * nm)657 static GENERAL_NAMES *gennames_new(const X509_NAME *nm)
658 {
659 GENERAL_NAMES *names;
660 GENERAL_NAME *name = NULL;
661
662 if ((names = sk_GENERAL_NAME_new_reserve(NULL, 1)) == NULL)
663 return NULL;
664 if (!GENERAL_NAME_set1_X509_NAME(&name, nm)) {
665 sk_GENERAL_NAME_free(names);
666 return NULL;
667 }
668 (void)sk_GENERAL_NAME_push(names, name); /* cannot fail */
669 return names;
670 }
671
gennames_allowed(GENERAL_NAMES * names,int only_DN)672 static int gennames_allowed(GENERAL_NAMES *names, int only_DN)
673 {
674 if (names == NULL)
675 return 0;
676 if (!only_DN)
677 return 1;
678 return sk_GENERAL_NAME_num(names) == 1
679 && sk_GENERAL_NAME_value(names, 0)->type == GEN_DIRNAME;
680 }
681
OSSL_CMP_CRLSTATUS_create(const X509_CRL * crl,const X509 * cert,int only_DN)682 OSSL_CMP_CRLSTATUS *OSSL_CMP_CRLSTATUS_create(const X509_CRL *crl,
683 const X509 *cert, int only_DN)
684 {
685 STACK_OF(DIST_POINT) *crldps = NULL;
686 ISSUING_DIST_POINT *idp = NULL;
687 DIST_POINT_NAME *dpn = NULL;
688 AUTHORITY_KEYID *akid = NULL;
689 GENERAL_NAMES *issuers = NULL;
690 const GENERAL_NAMES *CRLissuer = NULL;
691 const ASN1_TIME *last = crl == NULL ? NULL : X509_CRL_get0_lastUpdate(crl);
692 OSSL_CMP_CRLSTATUS *status = NULL;
693 int i, NID_akid = NID_authority_key_identifier;
694
695 /*
696 * Note:
697 * X509{,_CRL}_get_ext_d2i(..., NID, ..., NULL) return the 1st extension with
698 * given NID that is available, if any. If there are more, this is an error.
699 */
700 if (cert != NULL) {
701 crldps = X509_get_ext_d2i(cert, NID_crl_distribution_points, NULL, NULL);
702 /* if available, take the first suitable element */
703 for (i = 0; i < sk_DIST_POINT_num(crldps); i++) {
704 DIST_POINT *dp = sk_DIST_POINT_value(crldps, i);
705
706 if (dp == NULL)
707 continue;
708 if ((dpn = dp->distpoint) != NULL) {
709 CRLissuer = NULL;
710 break;
711 }
712 if (gennames_allowed(dp->CRLissuer, only_DN) && CRLissuer == NULL)
713 /* don't break because any dp->distpoint in list is preferred */
714 CRLissuer = dp->CRLissuer;
715 }
716 } else {
717 if (crl == NULL) {
718 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
719 return NULL;
720 }
721 idp = X509_CRL_get_ext_d2i(crl,
722 NID_issuing_distribution_point, NULL, NULL);
723 if (idp != NULL && idp->distpoint != NULL)
724 dpn = idp->distpoint;
725 }
726
727 if (dpn == NULL && CRLissuer == NULL) {
728 if (cert != NULL) {
729 akid = X509_get_ext_d2i(cert, NID_akid, NULL, NULL);
730 if (akid != NULL && gennames_allowed(akid->issuer, only_DN))
731 CRLissuer = akid->issuer;
732 else
733 CRLissuer = issuers = gennames_new(X509_get_issuer_name(cert));
734 }
735 if (CRLissuer == NULL && crl != NULL) {
736 akid = X509_CRL_get_ext_d2i(crl, NID_akid, NULL, NULL);
737 if (akid != NULL && gennames_allowed(akid->issuer, only_DN))
738 CRLissuer = akid->issuer;
739 else
740 CRLissuer = issuers = gennames_new(X509_CRL_get_issuer(crl));
741 }
742 if (CRLissuer == NULL)
743 goto end;
744 }
745
746 status = OSSL_CMP_CRLSTATUS_new1(dpn, CRLissuer, last);
747 end:
748 sk_DIST_POINT_pop_free(crldps, DIST_POINT_free);
749 ISSUING_DIST_POINT_free(idp);
750 AUTHORITY_KEYID_free(akid);
751 sk_GENERAL_NAME_pop_free(issuers, GENERAL_NAME_free);
752 return status;
753 }
754
OSSL_CMP_CRLSTATUS_get0(const OSSL_CMP_CRLSTATUS * crlstatus,DIST_POINT_NAME ** dpn,GENERAL_NAMES ** issuer,ASN1_TIME ** thisUpdate)755 int OSSL_CMP_CRLSTATUS_get0(const OSSL_CMP_CRLSTATUS *crlstatus,
756 DIST_POINT_NAME **dpn, GENERAL_NAMES **issuer,
757 ASN1_TIME **thisUpdate)
758 {
759 OSSL_CMP_CRLSOURCE *crlsource;
760
761 if (crlstatus == NULL || dpn == NULL || issuer == NULL) {
762 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
763 return 0;
764 }
765 if ((crlsource = crlstatus->source) == NULL) {
766 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_INVALID_ARGUMENT);
767 return 0;
768 }
769
770 if (crlsource->type == OSSL_CMP_CRLSOURCE_DPN) {
771 *dpn = crlsource->value.dpn;
772 *issuer = NULL;
773 } else if (crlsource->type == OSSL_CMP_CRLSOURCE_ISSUER) {
774 *dpn = NULL;
775 *issuer = crlsource->value.issuer;
776 } else {
777 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_INVALID_ARGUMENT);
778 return 0;
779 }
780 if (thisUpdate != NULL)
781 *thisUpdate = crlstatus->thisUpdate;
782 return 1;
783 }
784
OSSL_CMP_ITAV_new_crls(const X509_CRL * crl)785 OSSL_CMP_ITAV *OSSL_CMP_ITAV_new_crls(const X509_CRL *crl)
786 {
787 OSSL_CMP_ITAV *itav;
788 X509_CRL *crl_copy = NULL;
789 STACK_OF(X509_CRL) *crls = NULL;
790
791 if ((itav = OSSL_CMP_ITAV_new()) == NULL)
792 return NULL;
793
794 if (crl != NULL) {
795 if ((crls = sk_X509_CRL_new_reserve(NULL, 1)) == NULL
796 || (crl_copy = X509_CRL_dup(crl)) == NULL
797 || !sk_X509_CRL_push(crls, crl_copy))
798 goto err;
799 crl_copy = NULL; /* ownership transferred to crls */
800 }
801
802 itav->infoType = OBJ_nid2obj(NID_id_it_crls);
803 itav->infoValue.crls = crls;
804 return itav;
805
806 err:
807 OPENSSL_free(crl_copy);
808 sk_X509_CRL_free(crls);
809 OSSL_CMP_ITAV_free(itav);
810 return NULL;
811 }
812
OSSL_CMP_ITAV_get0_crls(const OSSL_CMP_ITAV * itav,STACK_OF (X509_CRL)** out)813 int OSSL_CMP_ITAV_get0_crls(const OSSL_CMP_ITAV *itav, STACK_OF(X509_CRL) **out)
814 {
815 if (itav == NULL || out == NULL) {
816 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_NULL_PARAMETER);
817 return 0;
818 }
819 if (OBJ_obj2nid(itav->infoType) != NID_id_it_crls) {
820 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_INVALID_ARGUMENT);
821 return 0;
822 }
823 *out = itav->infoValue.crls;
824 return 1;
825 }
826
827 /* get ASN.1 encoded integer, return -2 on error; -1 is valid for certReqId */
ossl_cmp_asn1_get_int(const ASN1_INTEGER * a)828 int ossl_cmp_asn1_get_int(const ASN1_INTEGER *a)
829 {
830 int64_t res;
831
832 if (!ASN1_INTEGER_get_int64(&res, a)) {
833 ERR_raise(ERR_LIB_CMP, ASN1_R_INVALID_NUMBER);
834 return -2;
835 }
836 if (res < INT_MIN) {
837 ERR_raise(ERR_LIB_CMP, ASN1_R_TOO_SMALL);
838 return -2;
839 }
840 if (res > INT_MAX) {
841 ERR_raise(ERR_LIB_CMP, ASN1_R_TOO_LARGE);
842 return -2;
843 }
844 return (int)res;
845 }
846
ossl_cmp_msg_cb(int operation,ASN1_VALUE ** pval,ossl_unused const ASN1_ITEM * it,void * exarg)847 static int ossl_cmp_msg_cb(int operation, ASN1_VALUE **pval,
848 ossl_unused const ASN1_ITEM *it, void *exarg)
849 {
850 OSSL_CMP_MSG *msg = (OSSL_CMP_MSG *)*pval;
851
852 switch (operation) {
853 case ASN1_OP_FREE_POST:
854 OPENSSL_free(msg->propq);
855 break;
856
857 case ASN1_OP_DUP_POST: {
858 OSSL_CMP_MSG *old = exarg;
859
860 if (!ossl_cmp_msg_set0_libctx(msg, old->libctx, old->propq))
861 return 0;
862 } break;
863 case ASN1_OP_GET0_LIBCTX: {
864 OSSL_LIB_CTX **libctx = exarg;
865
866 *libctx = msg->libctx;
867 } break;
868 case ASN1_OP_GET0_PROPQ: {
869 const char **propq = exarg;
870
871 *propq = msg->propq;
872 } break;
873 default:
874 break;
875 }
876
877 return 1;
878 }
879
880 ASN1_CHOICE(OSSL_CMP_CERTORENCCERT) = {
881 /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
882 ASN1_EXP(OSSL_CMP_CERTORENCCERT, value.certificate, X509, 0),
883 ASN1_EXP(OSSL_CMP_CERTORENCCERT, value.encryptedCert,
884 OSSL_CRMF_ENCRYPTEDKEY, 1),
885 } ASN1_CHOICE_END(OSSL_CMP_CERTORENCCERT)
886 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CERTORENCCERT)
887
888 ASN1_SEQUENCE(OSSL_CMP_CERTIFIEDKEYPAIR) = {
889 ASN1_SIMPLE(OSSL_CMP_CERTIFIEDKEYPAIR, certOrEncCert,
890 OSSL_CMP_CERTORENCCERT),
891 ASN1_EXP_OPT(OSSL_CMP_CERTIFIEDKEYPAIR, privateKey,
892 OSSL_CRMF_ENCRYPTEDKEY, 0),
893 ASN1_EXP_OPT(OSSL_CMP_CERTIFIEDKEYPAIR, publicationInfo,
894 OSSL_CRMF_PKIPUBLICATIONINFO, 1)
895 } ASN1_SEQUENCE_END(OSSL_CMP_CERTIFIEDKEYPAIR)
896 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CERTIFIEDKEYPAIR)
897
898 ASN1_SEQUENCE(OSSL_CMP_REVDETAILS) = {
899 ASN1_SIMPLE(OSSL_CMP_REVDETAILS, certDetails, OSSL_CRMF_CERTTEMPLATE),
900 ASN1_OPT(OSSL_CMP_REVDETAILS, crlEntryDetails, X509_EXTENSIONS)
901 } ASN1_SEQUENCE_END(OSSL_CMP_REVDETAILS)
902 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_REVDETAILS)
903
904 ASN1_ITEM_TEMPLATE(OSSL_CMP_REVREQCONTENT) = ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, OSSL_CMP_REVREQCONTENT,
905 OSSL_CMP_REVDETAILS)
906 ASN1_ITEM_TEMPLATE_END(OSSL_CMP_REVREQCONTENT)
907
908 ASN1_SEQUENCE(OSSL_CMP_REVREPCONTENT) = {
909 ASN1_SEQUENCE_OF(OSSL_CMP_REVREPCONTENT, status, OSSL_CMP_PKISI),
910 ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_REVREPCONTENT, revCerts, OSSL_CRMF_CERTID,
911 0),
912 ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_REVREPCONTENT, crls, X509_CRL, 1)
913 } ASN1_SEQUENCE_END(OSSL_CMP_REVREPCONTENT)
914 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_REVREPCONTENT)
915
916 ASN1_SEQUENCE(OSSL_CMP_KEYRECREPCONTENT) = {
917 ASN1_SIMPLE(OSSL_CMP_KEYRECREPCONTENT, status, OSSL_CMP_PKISI),
918 ASN1_EXP_OPT(OSSL_CMP_KEYRECREPCONTENT, newSigCert, X509, 0),
919 ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_KEYRECREPCONTENT, caCerts, X509, 1),
920 ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_KEYRECREPCONTENT, keyPairHist,
921 OSSL_CMP_CERTIFIEDKEYPAIR, 2)
922 } ASN1_SEQUENCE_END(OSSL_CMP_KEYRECREPCONTENT)
923 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_KEYRECREPCONTENT)
924
925 ASN1_ITEM_TEMPLATE(OSSL_CMP_PKISTATUS) = ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_UNIVERSAL, 0, status, ASN1_INTEGER)
926 ASN1_ITEM_TEMPLATE_END(OSSL_CMP_PKISTATUS)
927
928 ASN1_SEQUENCE(OSSL_CMP_PKISI) = {
929 ASN1_SIMPLE(OSSL_CMP_PKISI, status, OSSL_CMP_PKISTATUS),
930 /* OSSL_CMP_PKIFREETEXT is a ASN1_UTF8STRING sequence, so used directly */
931 ASN1_SEQUENCE_OF_OPT(OSSL_CMP_PKISI, statusString, ASN1_UTF8STRING),
932 /* OSSL_CMP_PKIFAILUREINFO is effectively ASN1_BIT_STRING, used directly */
933 ASN1_OPT(OSSL_CMP_PKISI, failInfo, ASN1_BIT_STRING)
934 } ASN1_SEQUENCE_END(OSSL_CMP_PKISI)
935 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_PKISI)
936 IMPLEMENT_ASN1_DUP_FUNCTION(OSSL_CMP_PKISI)
937
938 ASN1_SEQUENCE(OSSL_CMP_CERTSTATUS) = {
939 ASN1_SIMPLE(OSSL_CMP_CERTSTATUS, certHash, ASN1_OCTET_STRING),
940 ASN1_SIMPLE(OSSL_CMP_CERTSTATUS, certReqId, ASN1_INTEGER),
941 ASN1_OPT(OSSL_CMP_CERTSTATUS, statusInfo, OSSL_CMP_PKISI),
942 ASN1_EXP_OPT(OSSL_CMP_CERTSTATUS, hashAlg, X509_ALGOR, 0)
943 } ASN1_SEQUENCE_END(OSSL_CMP_CERTSTATUS)
944 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CERTSTATUS)
945
946 ASN1_ITEM_TEMPLATE(OSSL_CMP_CERTCONFIRMCONTENT) = ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, OSSL_CMP_CERTCONFIRMCONTENT,
947 OSSL_CMP_CERTSTATUS)
948 ASN1_ITEM_TEMPLATE_END(OSSL_CMP_CERTCONFIRMCONTENT)
949
950 ASN1_SEQUENCE(OSSL_CMP_CERTRESPONSE) = {
951 ASN1_SIMPLE(OSSL_CMP_CERTRESPONSE, certReqId, ASN1_INTEGER),
952 ASN1_SIMPLE(OSSL_CMP_CERTRESPONSE, status, OSSL_CMP_PKISI),
953 ASN1_OPT(OSSL_CMP_CERTRESPONSE, certifiedKeyPair,
954 OSSL_CMP_CERTIFIEDKEYPAIR),
955 ASN1_OPT(OSSL_CMP_CERTRESPONSE, rspInfo, ASN1_OCTET_STRING)
956 } ASN1_SEQUENCE_END(OSSL_CMP_CERTRESPONSE)
957 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CERTRESPONSE)
958
959 ASN1_SEQUENCE(OSSL_CMP_POLLREQ) = {
960 ASN1_SIMPLE(OSSL_CMP_POLLREQ, certReqId, ASN1_INTEGER)
961 } ASN1_SEQUENCE_END(OSSL_CMP_POLLREQ)
962 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_POLLREQ)
963
964 ASN1_ITEM_TEMPLATE(OSSL_CMP_POLLREQCONTENT) = ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, OSSL_CMP_POLLREQCONTENT,
965 OSSL_CMP_POLLREQ)
966 ASN1_ITEM_TEMPLATE_END(OSSL_CMP_POLLREQCONTENT)
967
968 ASN1_SEQUENCE(OSSL_CMP_POLLREP) = {
969 ASN1_SIMPLE(OSSL_CMP_POLLREP, certReqId, ASN1_INTEGER),
970 ASN1_SIMPLE(OSSL_CMP_POLLREP, checkAfter, ASN1_INTEGER),
971 ASN1_SEQUENCE_OF_OPT(OSSL_CMP_POLLREP, reason, ASN1_UTF8STRING),
972 } ASN1_SEQUENCE_END(OSSL_CMP_POLLREP)
973 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_POLLREP)
974
975 ASN1_ITEM_TEMPLATE(OSSL_CMP_POLLREPCONTENT) = ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,
976 OSSL_CMP_POLLREPCONTENT,
977 OSSL_CMP_POLLREP)
978 ASN1_ITEM_TEMPLATE_END(OSSL_CMP_POLLREPCONTENT)
979
980 ASN1_SEQUENCE(OSSL_CMP_CERTREPMESSAGE) = {
981 /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
982 ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_CERTREPMESSAGE, caPubs, X509, 1),
983 ASN1_SEQUENCE_OF(OSSL_CMP_CERTREPMESSAGE, response, OSSL_CMP_CERTRESPONSE)
984 } ASN1_SEQUENCE_END(OSSL_CMP_CERTREPMESSAGE)
985 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CERTREPMESSAGE)
986
987 ASN1_ITEM_TEMPLATE(OSSL_CMP_GENMSGCONTENT) = ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, OSSL_CMP_GENMSGCONTENT,
988 OSSL_CMP_ITAV)
989 ASN1_ITEM_TEMPLATE_END(OSSL_CMP_GENMSGCONTENT)
990
991 ASN1_ITEM_TEMPLATE(OSSL_CMP_GENREPCONTENT) = ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, OSSL_CMP_GENREPCONTENT,
992 OSSL_CMP_ITAV)
993 ASN1_ITEM_TEMPLATE_END(OSSL_CMP_GENREPCONTENT)
994
995 ASN1_ITEM_TEMPLATE(OSSL_CMP_CRLANNCONTENT) = ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,
996 OSSL_CMP_CRLANNCONTENT, X509_CRL)
997 ASN1_ITEM_TEMPLATE_END(OSSL_CMP_CRLANNCONTENT)
998
999 ASN1_CHOICE(OSSL_CMP_PKIBODY) = {
1000 ASN1_EXP(OSSL_CMP_PKIBODY, value.ir, OSSL_CRMF_MSGS, 0),
1001 ASN1_EXP(OSSL_CMP_PKIBODY, value.ip, OSSL_CMP_CERTREPMESSAGE, 1),
1002 ASN1_EXP(OSSL_CMP_PKIBODY, value.cr, OSSL_CRMF_MSGS, 2),
1003 ASN1_EXP(OSSL_CMP_PKIBODY, value.cp, OSSL_CMP_CERTREPMESSAGE, 3),
1004 ASN1_EXP(OSSL_CMP_PKIBODY, value.p10cr, X509_REQ, 4),
1005 ASN1_EXP(OSSL_CMP_PKIBODY, value.popdecc,
1006 OSSL_CMP_POPODECKEYCHALLCONTENT, 5),
1007 ASN1_EXP(OSSL_CMP_PKIBODY, value.popdecr,
1008 OSSL_CMP_POPODECKEYRESPCONTENT, 6),
1009 ASN1_EXP(OSSL_CMP_PKIBODY, value.kur, OSSL_CRMF_MSGS, 7),
1010 ASN1_EXP(OSSL_CMP_PKIBODY, value.kup, OSSL_CMP_CERTREPMESSAGE, 8),
1011 ASN1_EXP(OSSL_CMP_PKIBODY, value.krr, OSSL_CRMF_MSGS, 9),
1012 ASN1_EXP(OSSL_CMP_PKIBODY, value.krp, OSSL_CMP_KEYRECREPCONTENT, 10),
1013 ASN1_EXP(OSSL_CMP_PKIBODY, value.rr, OSSL_CMP_REVREQCONTENT, 11),
1014 ASN1_EXP(OSSL_CMP_PKIBODY, value.rp, OSSL_CMP_REVREPCONTENT, 12),
1015 ASN1_EXP(OSSL_CMP_PKIBODY, value.ccr, OSSL_CRMF_MSGS, 13),
1016 ASN1_EXP(OSSL_CMP_PKIBODY, value.ccp, OSSL_CMP_CERTREPMESSAGE, 14),
1017 ASN1_EXP(OSSL_CMP_PKIBODY, value.ckuann, OSSL_CMP_CAKEYUPDANNCONTENT, 15),
1018 ASN1_EXP(OSSL_CMP_PKIBODY, value.cann, X509, 16),
1019 ASN1_EXP(OSSL_CMP_PKIBODY, value.rann, OSSL_CMP_REVANNCONTENT, 17),
1020 ASN1_EXP(OSSL_CMP_PKIBODY, value.crlann, OSSL_CMP_CRLANNCONTENT, 18),
1021 ASN1_EXP(OSSL_CMP_PKIBODY, value.pkiconf, ASN1_ANY, 19),
1022 ASN1_EXP(OSSL_CMP_PKIBODY, value.nested, OSSL_CMP_MSGS, 20),
1023 ASN1_EXP(OSSL_CMP_PKIBODY, value.genm, OSSL_CMP_GENMSGCONTENT, 21),
1024 ASN1_EXP(OSSL_CMP_PKIBODY, value.genp, OSSL_CMP_GENREPCONTENT, 22),
1025 ASN1_EXP(OSSL_CMP_PKIBODY, value.error, OSSL_CMP_ERRORMSGCONTENT, 23),
1026 ASN1_EXP(OSSL_CMP_PKIBODY, value.certConf, OSSL_CMP_CERTCONFIRMCONTENT, 24),
1027 ASN1_EXP(OSSL_CMP_PKIBODY, value.pollReq, OSSL_CMP_POLLREQCONTENT, 25),
1028 ASN1_EXP(OSSL_CMP_PKIBODY, value.pollRep, OSSL_CMP_POLLREPCONTENT, 26),
1029 } ASN1_CHOICE_END(OSSL_CMP_PKIBODY)
1030 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_PKIBODY)
1031
1032 ASN1_SEQUENCE(OSSL_CMP_PKIHEADER) = {
1033 ASN1_SIMPLE(OSSL_CMP_PKIHEADER, pvno, ASN1_INTEGER),
1034 ASN1_SIMPLE(OSSL_CMP_PKIHEADER, sender, GENERAL_NAME),
1035 ASN1_SIMPLE(OSSL_CMP_PKIHEADER, recipient, GENERAL_NAME),
1036 ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, messageTime, ASN1_GENERALIZEDTIME, 0),
1037 ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, protectionAlg, X509_ALGOR, 1),
1038 ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, senderKID, ASN1_OCTET_STRING, 2),
1039 ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, recipKID, ASN1_OCTET_STRING, 3),
1040 ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, transactionID, ASN1_OCTET_STRING, 4),
1041 ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, senderNonce, ASN1_OCTET_STRING, 5),
1042 ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, recipNonce, ASN1_OCTET_STRING, 6),
1043 /* OSSL_CMP_PKIFREETEXT is a ASN1_UTF8STRING sequence, so used directly */
1044 ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_PKIHEADER, freeText, ASN1_UTF8STRING, 7),
1045 ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_PKIHEADER, generalInfo,
1046 OSSL_CMP_ITAV, 8)
1047 } ASN1_SEQUENCE_END(OSSL_CMP_PKIHEADER)
1048 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_PKIHEADER)
1049
1050 ASN1_SEQUENCE(OSSL_CMP_PROTECTEDPART) = {
1051 ASN1_SIMPLE(OSSL_CMP_MSG, header, OSSL_CMP_PKIHEADER),
1052 ASN1_SIMPLE(OSSL_CMP_MSG, body, OSSL_CMP_PKIBODY)
1053 } ASN1_SEQUENCE_END(OSSL_CMP_PROTECTEDPART)
1054 IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_PROTECTEDPART)
1055
1056 ASN1_SEQUENCE_cb(OSSL_CMP_MSG, ossl_cmp_msg_cb) = {
1057 ASN1_SIMPLE(OSSL_CMP_MSG, header, OSSL_CMP_PKIHEADER),
1058 ASN1_SIMPLE(OSSL_CMP_MSG, body, OSSL_CMP_PKIBODY),
1059 ASN1_EXP_OPT(OSSL_CMP_MSG, protection, ASN1_BIT_STRING, 0),
1060 /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
1061 ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_MSG, extraCerts, X509, 1)
1062 } ASN1_SEQUENCE_END_cb(OSSL_CMP_MSG, OSSL_CMP_MSG)
1063 IMPLEMENT_ASN1_DUP_FUNCTION(OSSL_CMP_MSG)
1064
1065 ASN1_ITEM_TEMPLATE(OSSL_CMP_MSGS) = ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, OSSL_CMP_MSGS,
1066 OSSL_CMP_MSG)
1067 ASN1_ITEM_TEMPLATE_END(OSSL_CMP_MSGS)
1068