author | Rajeev Ranjan <ranjan.rajeev@siemens.com> | 2024-03-07 20:23:34 +0100 |
---|---|---|
committer | Tomas Mraz <tomas@openssl.org> | 2024-05-01 14:59:39 +0200 |
commit | ee28152e86641e0299fdb3151716bb0451b2bc53 (patch) | |
tree | 31c213bd37f8b543fb095a98f6f8f1202c4aa76c | |
parent | 40a200f9e781381d72d234c886e38bcfce36bbc8 (diff) |
CMP: Improvements of the support for requesting CRL
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23768)
-rw-r--r-- | CHANGES.md | 10 | ||||
-rw-r--r-- | apps/cmp.c | 38 | ||||
-rw-r--r-- | apps/lib/cmp_mock_srv.c | 6 | ||||
-rw-r--r-- | crypto/cmp/cmp_genm.c | 2 | ||||
-rw-r--r-- | crypto/x509/v3_genn.c | 2 | ||||
-rw-r--r-- | doc/man1/openssl-cmp.pod.in | 8 | ||||
-rw-r--r-- | doc/man3/GENERAL_NAME.pod | 2 | ||||
-rw-r--r-- | doc/man3/OSSL_CMP_ITAV_new_caCerts.pod | 2 | ||||
-rw-r--r-- | doc/man3/OSSL_CMP_exec_certreq.pod | 6 | ||||
-rw-r--r-- | util/libcrypto.num | 22 |
10 files changed, 55 insertions, 43 deletions
diff --git a/CHANGES.md b/CHANGES.md index 73587dc732..21fd185444 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -47,6 +47,12 @@ OpenSSL 3.4 *Tim Perry* + * Added support for requesting CRL in CMP. + + This work was sponsored by Siemens AG. + + *Rajeev Ranjan* + * Added Attribute Certificate (RFC 5755) support. Attribute Certificates can be created, parsed, modified and printed via the public API. There is no command-line tool support at this time. @@ -110,10 +116,6 @@ OpenSSL 3.3 *Neil Horman* - * Added support for requesting CRL in CMP. - - *Rajeev Ranjan, Siemens AG* - * Added `-set_issuer` and `-set_subject` options to `openssl x509` to override the Issuer and Subject when creating a certificate. The `-subj` option now is an alias for `-set_subject`. diff --git a/apps/cmp.c b/apps/cmp.c index 407ee5ec32..7639ab2cf8 100644 --- a/apps/cmp.c +++ b/apps/cmp.c @@ -146,6 +146,10 @@ static int opt_revreason = CRL_REASON_NONE; /* credentials format */ static char *opt_certform_s = "PEM"; static int opt_certform = FORMAT_PEM; +/* + * DER format is the preferred choice for saving a CRL because it allows for + * more efficient storage, especially when dealing with large CRLs. + */ static char *opt_crlform_s = "DER"; static int opt_crlform = FORMAT_ASN1; static char *opt_keyform_s = NULL; 
@@ -1955,20 +1959,20 @@ static int add_certProfile(OSSL_CMP_CTX *ctx, const char *name) if ((sk = sk_ASN1_UTF8STRING_new_reserve(NULL, 1)) == NULL) return 0; - if ((utf8string = ASN1_UTF8STRING_new()) == NULL) - goto err; - if (!ASN1_STRING_set(utf8string, name, (int)strlen(name))) { - ASN1_STRING_free(utf8string); - goto err; - } - /* Due to sk_ASN1_UTF8STRING_new_reserve(NULL, 1), this surely succeeds: */ - (void)sk_ASN1_UTF8STRING_push(sk, utf8string); - if ((itav = OSSL_CMP_ITAV_new0_certProfile(sk)) == NULL) - goto err; - if (OSSL_CMP_CTX_push0_geninfo_ITAV(ctx, itav)) - return 1; - OSSL_CMP_ITAV_free(itav); - return 0; + if ((utf8string = ASN1_UTF8STRING_new()) == NULL) + goto err; + if (!ASN1_STRING_set(utf8string, name, (int)strlen(name))) { + ASN1_STRING_free(utf8string); + goto err; + } + /* Due to sk_ASN1_UTF8STRING_new_reserve(NULL, 1), this surely succeeds: */ + (void)sk_ASN1_UTF8STRING_push(sk, utf8string); + if ((itav = OSSL_CMP_ITAV_new0_certProfile(sk)) == NULL) + goto err; + if (OSSL_CMP_CTX_push0_geninfo_ITAV(ctx, itav)) + return 1; + OSSL_CMP_ITAV_free(itav); + return 0; err: sk_ASN1_UTF8STRING_pop_free(sk, ASN1_UTF8STRING_free); @@ -2013,7 +2017,7 @@ static int handle_opt_geninfo(OSSL_CMP_CTX *ctx) if (*ptr != '\0') { if (*ptr != ',') { CMP_err1("Missing ',' or end of -geninfo arg after int at %.40s", - ptr); + ptr); goto err; } ptr++; @@ -3513,10 +3517,10 @@ int cmp_main(int argc, char **argv) if (opt_reqout_only != NULL) { const char *msg = "option is ignored since -reqout_only option is given"; -#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_HTTP) +# if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_HTTP) if (opt_server != NULL) CMP_warn1("-server %s", msg); -#endif +# endif if (opt_use_mock_srv) CMP_warn1("-use_mock_srv %s", msg); if (opt_reqout != NULL) diff --git a/apps/lib/cmp_mock_srv.c b/apps/lib/cmp_mock_srv.c index 1c7bf22f6b..b69d29a678 100644 --- a/apps/lib/cmp_mock_srv.c +++ b/apps/lib/cmp_mock_srv.c 
@@ -413,8 +413,8 @@ static int check_client_crl(const STACK_OF(OSSL_CMP_CRLSTATUS) *crlStatusList, const X509_CRL *crl) { OSSL_CMP_CRLSTATUS *crlstatus; - DIST_POINT_NAME *dpn; - GENERAL_NAMES *issuer; + DIST_POINT_NAME *dpn = NULL; + GENERAL_NAMES *issuer = NULL; ASN1_TIME *thisupd = NULL; if (sk_OSSL_CMP_CRLSTATUS_num(crlStatusList) != 1) { @@ -477,7 +477,7 @@ static OSSL_CMP_ITAV *process_genm_itav(mock_srv_ctx *ctx, int req_nid, break; case NID_id_it_crlStatusList: { - STACK_OF(OSSL_CMP_CRLSTATUS) *crlstatuslist; + STACK_OF(OSSL_CMP_CRLSTATUS) *crlstatuslist = NULL; int res = 0; if (!OSSL_CMP_ITAV_get0_crlStatusList(req, &crlstatuslist)) diff --git a/crypto/cmp/cmp_genm.c b/crypto/cmp/cmp_genm.c index 8d92019c83..17f2f1d3ac 100644 --- a/crypto/cmp/cmp_genm.c +++ b/crypto/cmp/cmp_genm.c @@ -354,7 +354,7 @@ int OSSL_CMP_get1_crlUpdate(OSSL_CMP_CTX *ctx, const X509 *crlcert, OSSL_CMP_CRLSTATUS *status = NULL; STACK_OF(OSSL_CMP_CRLSTATUS) *list = NULL; OSSL_CMP_ITAV *req = NULL, *itav = NULL; - STACK_OF(X509_CRL) *crls; + STACK_OF(X509_CRL) *crls = NULL; int res = 0; if (crl == NULL) { diff --git a/crypto/x509/v3_genn.c b/crypto/x509/v3_genn.c index c71e5b9111..b3c3a5c545 100644 --- a/crypto/x509/v3_genn.c +++ b/crypto/x509/v3_genn.c @@ -62,7 +62,7 @@ int GENERAL_NAME_set1_X509_NAME(GENERAL_NAME **tgt, const X509_NAME *src) { GENERAL_NAME *name; - if (tgt == NULL){ + if (tgt == NULL) { ERR_raise(ERR_LIB_X509V3, X509V3_R_INVALID_NULL_ARGUMENT); return 0; } diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in index abfac3c420..5b36e821be 100644 --- a/doc/man1/openssl-cmp.pod.in +++ b/doc/man1/openssl-cmp.pod.in @@ -886,6 +886,8 @@ Default value is PEM. File format to use when saving a CRL to a file. Default value is DER. +DER format is preferred because it enables more efficient storage +of large CRLs. =item B<-keyform> I<PEM|DER|P12|ENGINE> 
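Review bot: The new `= NULL` initializations of `dpn` and `issuer` in check_client_crl are a behavioural change that the commit record ("Improvements of the support for requesting CRL") does not mention; if they close an uninitialized-pointer read on the path where `OSSL_CMP_CRLSTATUS_get0()` fails before writing its output parameters, that is a fix worth naming in the description and in a short comment such as `/* NULL so a failed get0 below cannot leave these dangling */`. The same pattern is applied to `crlstatuslist` in process_genm_itav in this file and to `crls` in OSSL_CMP_get1_crlUpdate in crypto/cmp/cmp_genm.c, so one note in the commit record would cover all three. Whether the later code actually reads these pointers before assignment is not visible here, as all three function bodies continue outside their hunks. `thisupd` on the following line was already initialized, so the added lines at least bring the sibling declarations in line with it.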
@@ -1471,8 +1473,10 @@ The B<cmp> application was added in OpenSSL 3.0. The B<-engine> option was deprecated in OpenSSL 3.0. -B<-profile>, B<-crlcert>, B<-oldcrl>, B<-crlout>, B<-crlform> -and B<-rsp_crl> options were added in OpenSSL 3.3. +The B<-profile> option was added in OpenSSL 3.3. + +B<-crlcert>, B<-oldcrl>, B<-crlout>, B<-crlform> +and B<-rsp_crl> options were added in OpenSSL 3.4. =head1 COPYRIGHT diff --git a/doc/man3/GENERAL_NAME.pod b/doc/man3/GENERAL_NAME.pod index 903a33944e..0bd13dc3ad 100644 --- a/doc/man3/GENERAL_NAME.pod +++ b/doc/man3/GENERAL_NAME.pod @@ -27,7 +27,7 @@ GENERAL_NAME_set1_X509_NAME() return 1 on success, 0 on error. =head1 HISTORY -GENERAL_NAME_set1_X509_NAME() was added in OpenSSL 3.3. +GENERAL_NAME_set1_X509_NAME() was added in OpenSSL 3.4. =head1 COPYRIGHT diff --git a/doc/man3/OSSL_CMP_ITAV_new_caCerts.pod b/doc/man3/OSSL_CMP_ITAV_new_caCerts.pod index 982f840a8e..209c56929e 100644 --- a/doc/man3/OSSL_CMP_ITAV_new_caCerts.pod +++ b/doc/man3/OSSL_CMP_ITAV_new_caCerts.pod @@ -173,7 +173,7 @@ were added in OpenSSL 3.2. OSSL_CMP_CRLSTATUS_new1(), OSSL_CMP_CRLSTATUS_create(), OSSL_CMP_CRLSTATUS_get0(), OSSL_CMP_ITAV_new0_crlStatusList(), OSSL_CMP_ITAV_get0_crlStatusList(), OSSL_CMP_ITAV_new_crls() -and OSSL_CMP_ITAV_get0_crls() were added in OpenSSL 3.3. +and OSSL_CMP_ITAV_get0_crls() were added in OpenSSL 3.4. =head1 COPYRIGHT diff --git a/doc/man3/OSSL_CMP_exec_certreq.pod b/doc/man3/OSSL_CMP_exec_certreq.pod index 56e6bb8ef2..a264ec8827 100644 --- a/doc/man3/OSSL_CMP_exec_certreq.pod +++ b/doc/man3/OSSL_CMP_exec_certreq.pod 
@@ -232,8 +232,10 @@ The OpenSSL CMP support was added in OpenSSL 3.0. OSSL_CMP_get1_caCerts() and OSSL_CMP_get1_rootCaKeyUpdate() were added in OpenSSL 3.2. -OSSL_CMP_get1_crlUpdate() and support for delayed delivery -of all types of response messages was added in OpenSSL 3.3. +Support for delayed delivery of all types of response messages +was added in OpenSSL 3.3. + +OSSL_CMP_get1_crlUpdate() was added in OpenSSL 3.4. =head1 COPYRIGHT diff --git a/util/libcrypto.num b/util/libcrypto.num index facac4db4f..3f52107eda 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num 
@@ -5536,29 +5536,29 @@ X509_STORE_CTX_set_get_crl 5663 3_2_0 EXIST::FUNCTION: X509_STORE_CTX_set_current_reasons 5664 3_2_0 EXIST::FUNCTION: OSSL_STORE_delete 5665 3_2_0 EXIST::FUNCTION: BIO_ADDR_copy 5666 3_2_0 EXIST::FUNCTION:SOCK -DIST_POINT_NAME_dup ? 3_3_0 EXIST::FUNCTION: -GENERAL_NAME_set1_X509_NAME ? 3_3_0 EXIST::FUNCTION: OSSL_CMP_CTX_get0_geninfo_ITAVs 5667 3_3_0 EXIST::FUNCTION:CMP OSSL_CMP_HDR_get0_geninfo_ITAVs 5668 3_3_0 EXIST::FUNCTION:CMP OSSL_CMP_ITAV_new0_certProfile 5669 3_3_0 EXIST::FUNCTION:CMP OSSL_CMP_ITAV_get0_certProfile 5670 3_3_0 EXIST::FUNCTION:CMP OSSL_CMP_MSG_get0_certreq_publickey 5671 3_3_0 EXIST::FUNCTION:CMP OSSL_CMP_SRV_CTX_init_trans 5672 3_3_0 EXIST::FUNCTION:CMP -OSSL_CMP_CRLSTATUS_create ? 3_3_0 EXIST::FUNCTION:CMP -OSSL_CMP_CRLSTATUS_free ? 3_3_0 EXIST::FUNCTION:CMP -OSSL_CMP_CRLSTATUS_get0 ? 3_3_0 EXIST::FUNCTION:CMP -OSSL_CMP_CRLSTATUS_new1 ? 3_3_0 EXIST::FUNCTION:CMP -OSSL_CMP_ITAV_get0_crlStatusList ? 3_3_0 EXIST::FUNCTION:CMP -OSSL_CMP_ITAV_get0_crls ? 3_3_0 EXIST::FUNCTION:CMP -OSSL_CMP_ITAV_new0_crlStatusList ? 3_3_0 EXIST::FUNCTION:CMP -OSSL_CMP_ITAV_new_crls ? 3_3_0 EXIST::FUNCTION:CMP -OSSL_CMP_get1_crlUpdate ? 3_3_0 EXIST::FUNCTION:CMP EVP_DigestSqueeze 5673 3_3_0 EXIST::FUNCTION: ERR_pop 5674 3_3_0 EXIST::FUNCTION: X509_STORE_get1_objects 5675 3_3_0 EXIST::FUNCTION: OPENSSL_LH_set_thunks 5676 3_3_0 EXIST::FUNCTION: OPENSSL_LH_doall_arg_thunk 5677 3_3_0 EXIST::FUNCTION: OSSL_HTTP_REQ_CTX_set_max_response_hdr_lines 5678 3_3_0 EXIST::FUNCTION:HTTP +DIST_POINT_NAME_dup ? 3_4_0 EXIST::FUNCTION: +GENERAL_NAME_set1_X509_NAME ? 3_4_0 EXIST::FUNCTION: +OSSL_CMP_CRLSTATUS_create ? 3_4_0 EXIST::FUNCTION:CMP +OSSL_CMP_CRLSTATUS_free ? 3_4_0 EXIST::FUNCTION:CMP +OSSL_CMP_CRLSTATUS_get0 ? 3_4_0 EXIST::FUNCTION:CMP +OSSL_CMP_CRLSTATUS_new1 ? 3_4_0 EXIST::FUNCTION:CMP +OSSL_CMP_ITAV_get0_crlStatusList ? 3_4_0 EXIST::FUNCTION:CMP +OSSL_CMP_ITAV_get0_crls ? 3_4_0 EXIST::FUNCTION:CMP +OSSL_CMP_ITAV_new0_crlStatusList ? 
3_4_0 EXIST::FUNCTION:CMP +OSSL_CMP_ITAV_new_crls ? 3_4_0 EXIST::FUNCTION:CMP +OSSL_CMP_get1_crlUpdate ? 3_4_0 EXIST::FUNCTION:CMP CRYPTO_atomic_store ? 3_4_0 EXIST::FUNCTION: CRYPTO_aligned_alloc ? 3_4_0 EXIST::FUNCTION: d2i_X509_ACERT ? 3_4_0 EXIST::FUNCTION: |