1/* 2 * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. 3 * Copyright Nokia 2007-2019 4 * Copyright Siemens AG 2015-2019 5 * 6 * Licensed under the Apache License 2.0 (the "License"). You may not use 7 * this file except in compliance with the License. You can obtain a copy 8 * in the file LICENSE in the source distribution or at 9 * https://www.openssl.org/source/license.html 10 */ 11 12/* CMP functions for PKIStatusInfo handling and PKIMessage decomposition */ 13 14#include <string.h> 15 16#include "cmp_local.h" 17 18/* explicit #includes not strictly needed since implied by the above: */ 19#include <time.h> 20#include <openssl/cmp.h> 21#include <openssl/crmf.h> 22#include <openssl/err.h> /* needed in case config no-deprecated */ 23#include <openssl/engine.h> 24#include <openssl/evp.h> 25#include <openssl/objects.h> 26#include <openssl/x509.h> 27#include <openssl/asn1err.h> /* for ASN1_R_TOO_SMALL and ASN1_R_TOO_LARGE */ 28 29/* CMP functions related to PKIStatus */ 30 31int ossl_cmp_pkisi_get_status(const OSSL_CMP_PKISI *si) 32{ 33 int res ; 34 35 if (!ossl_assert(si != NULL && si->status != NULL)) 36 return -1; 37 res = ossl_cmp_asn1_get_int(si->status); 38 return res == -2 ? -1 : res; 39} 40 41const char *ossl_cmp_PKIStatus_to_string(int status) 42{ 43 switch (status) { 44 case OSSL_CMP_PKISTATUS_accepted: 45 return "PKIStatus: accepted"; 46 case OSSL_CMP_PKISTATUS_grantedWithMods: 47 return "PKIStatus: granted with modifications"; 48 case OSSL_CMP_PKISTATUS_rejection: 49 return "PKIStatus: rejection"; 50 case OSSL_CMP_PKISTATUS_waiting: 51 return "PKIStatus: waiting"; 52 case OSSL_CMP_PKISTATUS_revocationWarning: 53 return "PKIStatus: revocation warning - a revocation of the cert is imminent"; 54 case OSSL_CMP_PKISTATUS_revocationNotification: 55 return "PKIStatus: revocation notification - a revocation of the cert has occurred"; 56 case OSSL_CMP_PKISTATUS_keyUpdateWarning: 57 return "PKIStatus: key update warning - update already done for the cert"; 58 default: 59 ERR_raise_data(ERR_LIB_CMP, CMP_R_ERROR_PARSING_PKISTATUS, 60 "PKIStatus: invalid=%d", status); 61 return NULL; 62 } 63} 64 65OSSL_CMP_PKIFREETEXT *ossl_cmp_pkisi_get0_statusString(const OSSL_CMP_PKISI *si) 66{ 67 if (!ossl_assert(si != NULL)) 68 return NULL; 69 return si->statusString; 70} 71 72int ossl_cmp_pkisi_get_pkifailureinfo(const OSSL_CMP_PKISI *si) 73{ 74 int i; 75 int res = 0; 76 77 if (!ossl_assert(si != NULL)) 78 return -1; 79 if (si->failInfo != NULL) 80 for (i = 0; i <= OSSL_CMP_PKIFAILUREINFO_MAX; i++) 81 if (ASN1_BIT_STRING_get_bit(si->failInfo, i)) 82 res |= 1 << i; 83 return res; 84} 85 86/*- 87 * convert PKIFailureInfo number to human-readable string 88 * returns pointer to static string, or NULL on error 89 */ 90static const char *CMP_PKIFAILUREINFO_to_string(int number) 91{ 92 switch (number) { 93 case OSSL_CMP_PKIFAILUREINFO_badAlg: 94 return "badAlg"; 95 case OSSL_CMP_PKIFAILUREINFO_badMessageCheck: 96 return "badMessageCheck"; 97 case OSSL_CMP_PKIFAILUREINFO_badRequest: 98 return "badRequest"; 99 case OSSL_CMP_PKIFAILUREINFO_badTime: 100 return "badTime"; 101 case OSSL_CMP_PKIFAILUREINFO_badCertId: 102 return "badCertId"; 103 case OSSL_CMP_PKIFAILUREINFO_badDataFormat: 104 return "badDataFormat"; 105 case OSSL_CMP_PKIFAILUREINFO_wrongAuthority: 106 return "wrongAuthority"; 107 case OSSL_CMP_PKIFAILUREINFO_incorrectData: 108 return "incorrectData"; 109 case OSSL_CMP_PKIFAILUREINFO_missingTimeStamp: 110 return "missingTimeStamp"; 111 case OSSL_CMP_PKIFAILUREINFO_badPOP: 112 return "badPOP"; 113 case OSSL_CMP_PKIFAILUREINFO_certRevoked: 114 return "certRevoked"; 115 case OSSL_CMP_PKIFAILUREINFO_certConfirmed: 116 return "certConfirmed"; 117 case OSSL_CMP_PKIFAILUREINFO_wrongIntegrity: 118 return "wrongIntegrity"; 119 case OSSL_CMP_PKIFAILUREINFO_badRecipientNonce: 120 return "badRecipientNonce"; 121 case OSSL_CMP_PKIFAILUREINFO_timeNotAvailable: 122 return "timeNotAvailable"; 123 case OSSL_CMP_PKIFAILUREINFO_unacceptedPolicy: 124 return "unacceptedPolicy"; 125 case OSSL_CMP_PKIFAILUREINFO_unacceptedExtension: 126 return "unacceptedExtension"; 127 case OSSL_CMP_PKIFAILUREINFO_addInfoNotAvailable: 128 return "addInfoNotAvailable"; 129 case OSSL_CMP_PKIFAILUREINFO_badSenderNonce: 130 return "badSenderNonce"; 131 case OSSL_CMP_PKIFAILUREINFO_badCertTemplate: 132 return "badCertTemplate"; 133 case OSSL_CMP_PKIFAILUREINFO_signerNotTrusted: 134 return "signerNotTrusted"; 135 case OSSL_CMP_PKIFAILUREINFO_transactionIdInUse: 136 return "transactionIdInUse"; 137 case OSSL_CMP_PKIFAILUREINFO_unsupportedVersion: 138 return "unsupportedVersion"; 139 case OSSL_CMP_PKIFAILUREINFO_notAuthorized: 140 return "notAuthorized"; 141 case OSSL_CMP_PKIFAILUREINFO_systemUnavail: 142 return "systemUnavail"; 143 case OSSL_CMP_PKIFAILUREINFO_systemFailure: 144 return "systemFailure"; 145 case OSSL_CMP_PKIFAILUREINFO_duplicateCertReq: 146 return "duplicateCertReq"; 147 default: 148 return NULL; /* illegal failure number */ 149 } 150} 151 152int ossl_cmp_pkisi_check_pkifailureinfo(const OSSL_CMP_PKISI *si, int bit_index) 153{ 154 if (!ossl_assert(si != NULL && si->failInfo != NULL)) 155 return -1; 156 if (bit_index < 0 || bit_index > OSSL_CMP_PKIFAILUREINFO_MAX) { 157 ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS); 158 return -1; 159 } 160 161 return ASN1_BIT_STRING_get_bit(si->failInfo, bit_index); 162} 163 164/*- 165 * place human-readable error string created from PKIStatusInfo in given buffer 166 * returns pointer to the same buffer containing the string, or NULL on error 167 */ 168static 169char *snprint_PKIStatusInfo_parts(int status, int fail_info, 170 const OSSL_CMP_PKIFREETEXT *status_strings, 171 char *buf, size_t bufsize) 172{ 173 int failure; 174 const char *status_string, *failure_string; 175 ASN1_UTF8STRING *text; 176 int i; 177 int printed_chars; 178 int failinfo_found = 0; 179 int n_status_strings; 180 char *write_ptr = buf; 181 182 if (buf == NULL 183 || status < 0 184 || (status_string = ossl_cmp_PKIStatus_to_string(status)) == NULL) 185 return NULL; 186 187#define ADVANCE_BUFFER \ 188 if (printed_chars < 0 || (size_t)printed_chars >= bufsize) \ 189 return NULL; \ 190 write_ptr += printed_chars; \ 191 bufsize -= printed_chars; 192 193 printed_chars = BIO_snprintf(write_ptr, bufsize, "%s", status_string); 194 ADVANCE_BUFFER; 195 196 /* 197 * failInfo is optional and may be empty; 198 * if present, print failInfo before statusString because it is more concise 199 */ 200 if (fail_info != -1 && fail_info != 0) { 201 printed_chars = BIO_snprintf(write_ptr, bufsize, "; PKIFailureInfo: "); 202 ADVANCE_BUFFER; 203 for (failure = 0; failure <= OSSL_CMP_PKIFAILUREINFO_MAX; failure++) { 204 if ((fail_info & (1 << failure)) != 0) { 205 failure_string = CMP_PKIFAILUREINFO_to_string(failure); 206 if (failure_string != NULL) { 207 printed_chars = BIO_snprintf(write_ptr, bufsize, "%s%s", 208 failinfo_found ? ", " : "", 209 failure_string); 210 ADVANCE_BUFFER; 211 failinfo_found = 1; 212 } 213 } 214 } 215 } 216 if (!failinfo_found && status != OSSL_CMP_PKISTATUS_accepted 217 && status != OSSL_CMP_PKISTATUS_grantedWithMods) { 218 printed_chars = BIO_snprintf(write_ptr, bufsize, "; <no failure info>"); 219 ADVANCE_BUFFER; 220 } 221 222 /* statusString sequence is optional and may be empty */ 223 n_status_strings = sk_ASN1_UTF8STRING_num(status_strings); 224 if (n_status_strings > 0) { 225 printed_chars = BIO_snprintf(write_ptr, bufsize, "; StatusString%s: ", 226 n_status_strings > 1 ? "s" : ""); 227 ADVANCE_BUFFER; 228 for (i = 0; i < n_status_strings; i++) { 229 text = sk_ASN1_UTF8STRING_value(status_strings, i); 230 printed_chars = BIO_snprintf(write_ptr, bufsize, "\"%.*s\"%s", 231 ASN1_STRING_length(text), 232 ASN1_STRING_get0_data(text), 233 i < n_status_strings - 1 ? ", " : ""); 234 ADVANCE_BUFFER; 235 } 236 } 237#undef ADVANCE_BUFFER 238 return buf; 239} 240 241char *OSSL_CMP_snprint_PKIStatusInfo(const OSSL_CMP_PKISI *statusInfo, 242 char *buf, size_t bufsize) 243{ 244 int failure_info; 245 246 if (statusInfo == NULL) { 247 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); 248 return NULL; 249 } 250 251 failure_info = ossl_cmp_pkisi_get_pkifailureinfo(statusInfo); 252 253 return snprint_PKIStatusInfo_parts(ASN1_INTEGER_get(statusInfo->status), 254 failure_info, 255 statusInfo->statusString, buf, bufsize); 256} 257 258char *OSSL_CMP_CTX_snprint_PKIStatus(const OSSL_CMP_CTX *ctx, char *buf, 259 size_t bufsize) 260{ 261 if (ctx == NULL) { 262 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); 263 return NULL; 264 } 265 266 return snprint_PKIStatusInfo_parts(OSSL_CMP_CTX_get_status(ctx), 267 OSSL_CMP_CTX_get_failInfoCode(ctx), 268 OSSL_CMP_CTX_get0_statusString(ctx), 269 buf, bufsize); 270} 271 272/*- 273 * Creates a new PKIStatusInfo structure and fills it in 274 * returns a pointer to the structure on success, NULL on error 275 * note: strongly overlaps with TS_RESP_CTX_set_status_info() 276 * and TS_RESP_CTX_add_failure_info() in ../ts/ts_rsp_sign.c 277 */ 278OSSL_CMP_PKISI *OSSL_CMP_STATUSINFO_new(int status, int fail_info, 279 const char *text) 280{ 281 OSSL_CMP_PKISI *si = OSSL_CMP_PKISI_new(); 282 ASN1_UTF8STRING *utf8_text = NULL; 283 int failure; 284 285 if (si == NULL) 286 goto err; 287 if (!ASN1_INTEGER_set(si->status, status)) 288 goto err; 289 290 if (text != NULL) { 291 if ((utf8_text = ASN1_UTF8STRING_new()) == NULL 292 || !ASN1_STRING_set(utf8_text, text, -1)) 293 goto err; 294 if ((si->statusString = sk_ASN1_UTF8STRING_new_null()) == NULL) 295 goto err; 296 if (!sk_ASN1_UTF8STRING_push(si->statusString, utf8_text)) 297 goto err; 298 /* Ownership is lost. */ 299 utf8_text = NULL; 300 } 301 302 for (failure = 0; failure <= OSSL_CMP_PKIFAILUREINFO_MAX; failure++) { 303 if ((fail_info & (1 << failure)) != 0) { 304 if (si->failInfo == NULL 305 && (si->failInfo = ASN1_BIT_STRING_new()) == NULL) 306 goto err; 307 if (!ASN1_BIT_STRING_set_bit(si->failInfo, failure, 1)) 308 goto err; 309 } 310 } 311 return si; 312 313 err: 314 OSSL_CMP_PKISI_free(si); 315 ASN1_UTF8STRING_free(utf8_text); 316 return NULL; 317} 318