diff options
author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2021-01-23 12:54:39 +0100 |
---|---|---|
committer | Dr. David von Oheimb <dev@ddvo.net> | 2021-03-02 11:05:34 +0100 |
commit | dd5fa5f5afcb58d75f22d45075224ce3c80f91f3 (patch) | |
tree | cac61ee70ab0cc1c9ffda68b905b032a617b44f0 /crypto/cmp | |
parent | e1f946630f06c2d3a112022472bb13a1586f599f (diff) |
CMP: On NULL-DN subject or issuer input omit field in cert template
Also improve diagnostics on inconsistent cert request input in apps/cmp.c,
add trace output for transactionIDs on new sessions,
and update the documentation in openssl-cmp.pod.in.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14018)
Diffstat (limited to 'crypto/cmp')
-rw-r--r-- | crypto/cmp/cmp_hdr.c | 24 | ||||
-rw-r--r-- | crypto/cmp/cmp_local.h | 3 | ||||
-rw-r--r-- | crypto/cmp/cmp_msg.c | 5 |
3 files changed, 23 insertions, 9 deletions
diff --git a/crypto/cmp/cmp_hdr.c b/crypto/cmp/cmp_hdr.c index 5882d9c9de..58b07dd8b2 100644 --- a/crypto/cmp/cmp_hdr.c +++ b/crypto/cmp/cmp_hdr.c @@ -72,15 +72,11 @@ ASN1_OCTET_STRING *OSSL_CMP_HDR_get0_recipNonce(const OSSL_CMP_PKIHEADER *hdr) return hdr->recipNonce; } +/* a NULL-DN as an empty sequence of RDNs */ int ossl_cmp_general_name_is_NULL_DN(GENERAL_NAME *name) { - X509_NAME *null = X509_NAME_new(); - int res = name == NULL || null == NULL - || (name->type == GEN_DIRNAME - && X509_NAME_cmp(name->d.directoryName, null) == 0); - - X509_NAME_free(null); - return res; + return name == NULL + || (name->type == GEN_DIRNAME && IS_NULL_DN(name->d.directoryName)); } /* assign to *tgt a copy of src (which may be NULL to indicate an empty DN) */ @@ -273,6 +269,20 @@ int ossl_cmp_hdr_has_implicitConfirm(const OSSL_CMP_PKIHEADER *hdr) */ int ossl_cmp_hdr_set_transactionID(OSSL_CMP_CTX *ctx, OSSL_CMP_PKIHEADER *hdr) { + if (ctx->transactionID == NULL) { + char *tid; + + if (!set_random(&ctx->transactionID, ctx, + OSSL_CMP_TRANSACTIONID_LENGTH)) + return 0; + tid = OPENSSL_buf2hexstr(ctx->transactionID->data, + ctx->transactionID->length); + if (tid != NULL) + ossl_cmp_log1(DEBUG, ctx, + "Starting new transaction with ID=%s", tid); + OPENSSL_free(tid); + } + if (ctx->transactionID == NULL && !set_random(&ctx->transactionID, ctx, OSSL_CMP_TRANSACTIONID_LENGTH)) return 0; diff --git a/crypto/cmp/cmp_local.h b/crypto/cmp/cmp_local.h index a4d3cf9ea4..c5f4fd198d 100644 --- a/crypto/cmp/cmp_local.h +++ b/crypto/cmp/cmp_local.h @@ -25,6 +25,8 @@ # include <openssl/x509v3.h> # include "crypto/x509.h" +#define IS_NULL_DN(name) (X509_NAME_get_entry(name, 0) == NULL) + /* * this structure is used to store the context for CMP sessions */ @@ -778,6 +780,7 @@ int ossl_cmp_print_log(OSSL_CMP_severity level, const OSSL_CMP_CTX *ctx, # define ossl_cmp_warn(ctx, msg) ossl_cmp_log(WARN, ctx, msg) # define ossl_cmp_info(ctx, msg) ossl_cmp_log(INFO, ctx, msg) # define ossl_cmp_debug(ctx, msg) ossl_cmp_log(DEBUG, ctx, msg) +# define ossl_cmp_trace(ctx, msg) ossl_cmp_log(TRACE, ctx, msg) int ossl_cmp_ctx_set0_validatedSrvCert(OSSL_CMP_CTX *ctx, X509 *cert); int ossl_cmp_ctx_set_status(OSSL_CMP_CTX *ctx, int status); int ossl_cmp_ctx_set0_statusString(OSSL_CMP_CTX *ctx, diff --git a/crypto/cmp/cmp_msg.c b/crypto/cmp/cmp_msg.c index 8514336801..09b2d7b03b 100644 --- a/crypto/cmp/cmp_msg.c +++ b/crypto/cmp/cmp_msg.c @@ -218,7 +218,7 @@ static const X509_NAME *determine_subj(OSSL_CMP_CTX *ctx, int for_KUR) { if (ctx->subjectName != NULL) - return ctx->subjectName; + return IS_NULL_DN(ctx->subjectName) ? NULL : ctx->subjectName; if (ref_subj != NULL && (for_KUR || !HAS_SAN(ctx))) /* @@ -241,7 +241,8 @@ OSSL_CRMF_MSG *OSSL_CMP_CTX_setup_CRM(OSSL_CMP_CTX *ctx, int for_KUR, int rid) refcert != NULL ? X509_get_subject_name(refcert) : NULL; const X509_NAME *subject = determine_subj(ctx, ref_subj, for_KUR); const X509_NAME *issuer = ctx->issuer != NULL || refcert == NULL - ? ctx->issuer : X509_get_issuer_name(refcert); + ? (IS_NULL_DN(ctx->issuer) ? NULL : ctx->issuer) + : X509_get_issuer_name(refcert); int crit = ctx->setSubjectAltNameCritical || subject == NULL; /* RFC5280: subjectAltName MUST be critical if subject is null */ X509_EXTENSIONS *exts = NULL; |