authorRajeev Ranjan <ranjan.rajeev@siemens.com>2023-04-11 10:19:15 +0200
committerDr. David von Oheimb <dev@ddvo.net>2023-07-10 08:03:38 +0200
commit1d32ec20feae7320ddb2b929441688377b912a40 (patch)
treea818185558903373a76b087b8e5e770c09b00c77 /crypto/cmp
parent780b2527476a60f4a2bb791c2d4b1b72f6f0b423 (diff)
CMP: support specifying certificate to be revoked via issuer and serial number
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/21116)
Diffstat (limited to 'crypto/cmp')
-rw-r--r--crypto/cmp/cmp_client.c3
-rw-r--r--crypto/cmp/cmp_ctx.c3
-rw-r--r--crypto/cmp/cmp_local.h3
-rw-r--r--crypto/cmp/cmp_msg.c35
4 files changed, 30 insertions, 14 deletions
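diff --git a/crypto/cmp/cmp_client.c b/crypto/cmp/cmp_client.c
index 071c02b187..fbbcdd21d2 100644
--- a/crypto/cmp/cmp_client.c
+++ b/crypto/cmp/cmp_client.c
@@ -776,7 +776,8 @@ int OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx)
 return 0;
 }
 ctx->status = OSSL_CMP_PKISTATUS_request;
-if (ctx->oldCert == NULL && ctx->p10CSR == NULL) {
+if (ctx->oldCert == NULL && ctx->p10CSR == NULL
+&& (ctx->serialNumber == NULL || ctx->issuer == NULL)) {
 ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_REFERENCE_CERT);
 return 0;
 }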
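Review bot: When the caller sets only one of ctx->serialNumber and ctx->issuer (and neither oldCert nor p10CSR), the new condition still raises the generic CMP_R_MISSING_REFERENCE_CERT, so the operator gets no hint that the issuer/serial pair is incomplete rather than absent. At minimum the intent should be stated above the check, e.g. `/* issuer and serialNumber must both be given to identify the cert to revoke */`; a dedicated error for the half-specified pair would be better if one exists in the CMP error table. The body of OSSL_CMP_exec_RR_ses starts before and continues after this hunk.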
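diff --git a/crypto/cmp/cmp_ctx.c b/crypto/cmp/cmp_ctx.c
index 2b8bd2bd2e..ce8e94662e 100644
--- a/crypto/cmp/cmp_ctx.c
+++ b/crypto/cmp/cmp_ctx.c
@@ -230,6 +230,7 @@ void OSSL_CMP_CTX_free(OSSL_CMP_CTX *ctx)
 EVP_PKEY_free(ctx->newPkey);
 X509_NAME_free(ctx->issuer);
+ASN1_INTEGER_free(ctx->serialNumber);
 X509_NAME_free(ctx->subjectName);
 sk_GENERAL_NAME_pop_free(ctx->subjectAltNames, GENERAL_NAME_free);
 X509_EXTENSIONS_free(ctx->reqExtensions);
@@ -615,6 +616,8 @@ DEFINE_OSSL_CMP_CTX_set1(expected_sender, X509_NAME)
 /* Set the X509 name of the issuer to be placed in the certTemplate */
 DEFINE_OSSL_CMP_CTX_set1(issuer, X509_NAME)
+/* Set the ASN1_INTEGER serial to be placed in the certTemplate for rr */
+DEFINE_OSSL_CMP_CTX_set1(serialNumber, ASN1_INTEGER)
 /*
 * Set the subject name that will be placed in the certificate
 * request. This will be the subject name on the received certificate.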
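Review bot: The comment above the new serialNumber setter does not say that the value is only acted upon together with an issuer name, which is what the matching checks in cmp_client.c and cmp_msg.c in this commit require; a caller reading only this file would expect the serial alone to suffice. Suggest `/* Set the serial number of the cert to be revoked; used in rr only together with the issuer set via OSSL_CMP_CTX_set1_issuer() */`. Since the setter is generated by DEFINE_OSSL_CMP_CTX_set1, this comment is the only place the coupling can be documented in this file.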
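diff --git a/crypto/cmp/cmp_local.h b/crypto/cmp/cmp_local.h
index b8168af06f..18401ddb60 100644
--- a/crypto/cmp/cmp_local.h
+++ b/crypto/cmp/cmp_local.h
@@ -103,7 +103,8 @@ struct ossl_cmp_ctx_st {
 /* certificate template */
 EVP_PKEY *newPkey; /* explicit new private/public key for cert enrollment */
 int newPkey_priv; /* flag indicating if newPkey contains private key */
-X509_NAME *issuer; /* issuer name to used in cert template */
+X509_NAME *issuer; /* issuer name to used in cert template, also in rr */
+ASN1_INTEGER *serialNumber; /* certificate serial number to use in rr */
 int days; /* Number of days new certificates are asked to be valid for */
 X509_NAME *subjectName; /* subject name to be used in cert template */
 STACK_OF(GENERAL_NAME) *subjectAltNames; /* to add to the cert template */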
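Review bot: The rewritten comment on the issuer field carries the pre-existing typo "to used" forward, and the new serialNumber comment does not record that the field is only honored in rr when issuer is also set. Suggest `X509_NAME *issuer; /* issuer name to be used in cert template, also in rr */` and `ASN1_INTEGER *serialNumber; /* serial number of cert to revoke; used in rr only together with issuer */`. The struct definition starts before this hunk and continues after it.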
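diff --git a/crypto/cmp/cmp_msg.c b/crypto/cmp/cmp_msg.c
index 806abe599d..242ba866d5 100644
--- a/crypto/cmp/cmp_msg.c
+++ b/crypto/cmp/cmp_msg.c
@@ -518,27 +518,38 @@ OSSL_CMP_MSG *ossl_cmp_certrep_new(OSSL_CMP_CTX *ctx, int bodytype,
 OSSL_CMP_MSG *ossl_cmp_rr_new(OSSL_CMP_CTX *ctx)
 {
 OSSL_CMP_MSG *msg = NULL;
+const X509_NAME *issuer = NULL;
+const X509_NAME *subject = NULL;
+const ASN1_INTEGER *serialNumber = NULL;
+EVP_PKEY *pubkey = NULL;
 OSSL_CMP_REVDETAILS *rd;
 int ret;
-if (!ossl_assert(ctx != NULL && (ctx->oldCert != NULL
-|| ctx->p10CSR != NULL)))
+if (!ossl_assert(ctx != NULL
+&& (ctx->oldCert != NULL || ctx->p10CSR != NULL
+|| (ctx->serialNumber != NULL && ctx->issuer != NULL))))
 return NULL;
 if ((rd = OSSL_CMP_REVDETAILS_new()) == NULL)
 goto err;
+if (ctx->serialNumber != NULL && ctx->issuer != NULL) {
+issuer = ctx->issuer;
+serialNumber = ctx->serialNumber;
+} else if (ctx->oldCert != NULL) {
+issuer = X509_get_issuer_name(ctx->oldCert);
+serialNumber = X509_get0_serialNumber(ctx->oldCert);
+} else if (ctx->p10CSR != NULL) {
+pubkey = X509_REQ_get0_pubkey(ctx->p10CSR);
+subject = X509_REQ_get_subject_name(ctx->p10CSR);
+}
+else {
+goto err;
+}
+
 /* Fill the template from the contents of the certificate to be revoked */
-ret = ctx->oldCert != NULL
-? OSSL_CRMF_CERTTEMPLATE_fill(rd->certDetails,
-NULL /* pubkey would be redundant */,
-NULL /* subject would be redundant */,
-X509_get_issuer_name(ctx->oldCert),
-X509_get0_serialNumber(ctx->oldCert))
-: OSSL_CRMF_CERTTEMPLATE_fill(rd->certDetails,
-X509_REQ_get0_pubkey(ctx->p10CSR),
-X509_REQ_get_subject_name(ctx->p10CSR),
-NULL, NULL);
+ret = OSSL_CRMF_CERTTEMPLATE_fill(rd->certDetails, pubkey, subject,
+issuer, serialNumber);
 if (!ret)
 goto err;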
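Review bot: The trailing `else { goto err; }` branch of the new source-selection chain is unreachable, because the ossl_assert above it already returns NULL unless oldCert, p10CSR, or the issuer/serialNumber pair is present; it also places `}` and `else {` on separate lines, unlike the `} else if` directly above and the rest of this file. Either drop the branch or fold it into the chain as `} else {` so the style stays uniform. The new chain also fixes a precedence rule that the old ternary did not have, namely that an explicitly set issuer/serialNumber pair wins over oldCert, and that deserves a comment at the top of the chain such as `/* an explicitly given issuer and serialNumber take precedence over oldCert and p10CSR */`. The body of ossl_cmp_rr_new, including the err label that this code jumps to, continues after this hunk.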