author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-08-13 17:44:54 +0200 |
---|---|---|
committer | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-08-21 09:04:13 +0200 |
commit | 6d1f50b520ce0a2eaa624686a26ffd4a5af00d93 (patch) | |
tree | d094306e91bd79803bb49a9323ec36bd122ecb4e /crypto/crmf | |
parent | cac30a69bcadcfcf5beb034abf958bbcdb8b83cb (diff) |
Use in CMP+CRMF libctx and propq param added to sign/verify/HMAC/decrypt
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11808)
Diffstat (limited to 'crypto/crmf')
-rw-r--r-- | crypto/crmf/crmf_err.c | 4 | ||||
-rw-r--r-- | crypto/crmf/crmf_lib.c | 91 | ||||
-rw-r--r-- | crypto/crmf/crmf_pbm.c | 19 |
3 files changed, 58 insertions, 56 deletions
diff --git a/crypto/crmf/crmf_err.c b/crypto/crmf/crmf_err.c
index 159d5b2c91..61a1488838 100644
--- a/crypto/crmf/crmf_err.c
+++ b/crypto/crmf/crmf_err.c
@@ -30,6 +30,8 @@ static const ERR_STRING_DATA CRMF_str_reasons[] = {
 "iterationcount below 100"},
 {ERR_PACK(ERR_LIB_CRMF, 0, CRMF_R_MALFORMED_IV), "malformed iv"},
 {ERR_PACK(ERR_LIB_CRMF, 0, CRMF_R_NULL_ARGUMENT), "null argument"},
+ {ERR_PACK(ERR_LIB_CRMF, 0, CRMF_R_POPOSKINPUT_NOT_SUPPORTED),
+ "poposkinput not supported"},
 {ERR_PACK(ERR_LIB_CRMF, 0, CRMF_R_POPO_INCONSISTENT_PUBLIC_KEY),
 "popo inconsistent public key"},
 {ERR_PACK(ERR_LIB_CRMF, 0, CRMF_R_POPO_MISSING), "popo missing"},
@@ -45,8 +47,6 @@ static const ERR_STRING_DATA CRMF_str_reasons[] = {
 "setting owf algor failure"},
 {ERR_PACK(ERR_LIB_CRMF, 0, CRMF_R_UNSUPPORTED_ALGORITHM),
 "unsupported algorithm"},
- {ERR_PACK(ERR_LIB_CRMF, 0, CRMF_R_UNSUPPORTED_ALG_FOR_POPSIGNINGKEY),
- "unsupported alg for popsigningkey"},
 {ERR_PACK(ERR_LIB_CRMF, 0, CRMF_R_UNSUPPORTED_CIPHER),
 "unsupported cipher"},
 {ERR_PACK(ERR_LIB_CRMF, 0, CRMF_R_UNSUPPORTED_METHOD_FOR_CREATING_POPO),
diff --git a/crypto/crmf/crmf_lib.c b/crypto/crmf/crmf_lib.c
index 7530120ff3..3202f357c1 100644
--- a/crypto/crmf/crmf_lib.c
+++ b/crypto/crmf/crmf_lib.c
@@ -353,57 +353,47 @@ int OSSL_CRMF_MSG_push0_extension(OSSL_CRMF_MSG *crm,
 return 0;
 }
-/* TODO: support cases 1+2 (besides case 3) defined in RFC 4211, section 4.1. */
-static int CRMF_poposigningkey_init(OSSL_CRMF_POPOSIGNINGKEY *ps,
- OSSL_CRMF_CERTREQUEST *cr,
- EVP_PKEY *pkey, int dgst)
+static int create_popo_signature(OSSL_CRMF_POPOSIGNINGKEY *ps,
+ const OSSL_CRMF_CERTREQUEST *cr,
+ EVP_PKEY *pkey, const EVP_MD *digest,
+ OPENSSL_CTX *libctx, const char *propq)
 {
- int ret = 0;
- EVP_MD *fetched_md = NULL;
- const EVP_MD *md = EVP_get_digestbynid(dgst);
-
 if (ps == NULL || cr == NULL || pkey == NULL) {
- CRMFerr(CRMF_F_CRMF_POPOSIGNINGKEY_INIT, CRMF_R_NULL_ARGUMENT);
+ CRMFerr(0, CRMF_R_NULL_ARGUMENT);
 return 0;
 }
-
- /* If we didn't find legacy MD, we try an implicit fetch */
- if (md == NULL)
- md = fetched_md = EVP_MD_fetch(NULL, OBJ_nid2sn(dgst), NULL);
-
- if (md == NULL) {
- CRMFerr(CRMF_F_CRMF_POPOSIGNINGKEY_INIT,
- CRMF_R_UNSUPPORTED_ALG_FOR_POPSIGNINGKEY);
+ if (ps->poposkInput != NULL) {
+ /* TODO: support cases 1+2 defined in RFC 4211, section 4.1 */
+ CRMFerr(0, CRMF_R_POPOSKINPUT_NOT_SUPPORTED);
 return 0;
 }
- ret = ASN1_item_sign(ASN1_ITEM_rptr(OSSL_CRMF_CERTREQUEST),
- ps->algorithmIdentifier, NULL, ps->signature,
- cr, pkey, md);
-
- EVP_MD_free(fetched_md);
- return ret;
+ return ASN1_item_sign_with_libctx(ASN1_ITEM_rptr(OSSL_CRMF_CERTREQUEST),
+ ps->algorithmIdentifier, NULL,
+ ps->signature, cr, NULL, pkey, digest,
+ libctx, propq);
 }
-int OSSL_CRMF_MSG_create_popo(OSSL_CRMF_MSG *crm, EVP_PKEY *pkey,
- int dgst, int ppmtd)
+int OSSL_CRMF_MSG_create_popo(int meth, OSSL_CRMF_MSG *crm,
+ EVP_PKEY *pkey, const EVP_MD *digest,
+ OPENSSL_CTX *libctx, const char *propq)
 {
 OSSL_CRMF_POPO *pp = NULL;
 ASN1_INTEGER *tag = NULL;
- if (crm == NULL || (ppmtd == OSSL_CRMF_POPO_SIGNATURE && pkey == NULL)) {
+ if (crm == NULL || (meth == OSSL_CRMF_POPO_SIGNATURE && pkey == NULL)) {
 CRMFerr(CRMF_F_OSSL_CRMF_MSG_CREATE_POPO, CRMF_R_NULL_ARGUMENT);
 return 0;
 }
- if (ppmtd == OSSL_CRMF_POPO_NONE)
+ if (meth == OSSL_CRMF_POPO_NONE)
 goto end;
 if ((pp = OSSL_CRMF_POPO_new()) == NULL)
 goto err;
- pp->type = ppmtd;
+ pp->type = meth;
- switch (ppmtd) {
+ switch (meth) {
 case OSSL_CRMF_POPO_RAVERIFIED:
 if ((pp->value.raVerified = ASN1_NULL_new()) == NULL)
 goto err;
@@ -412,8 +402,11 @@ int OSSL_CRMF_MSG_create_popo(OSSL_CRMF_MSG *crm, EVP_PKEY *pkey,
 case OSSL_CRMF_POPO_SIGNATURE:
 {
 OSSL_CRMF_POPOSIGNINGKEY *ps = OSSL_CRMF_POPOSIGNINGKEY_new();
- if (ps == NULL
- || !CRMF_poposigningkey_init(ps, crm->certReq, pkey, dgst)) {
+
+ if (ps == NULL)
+ goto err;
+ if (!create_popo_signature(ps, crm->certReq, pkey, digest,
+ libctx, propq)) {
 OSSL_CRMF_POPOSIGNINGKEY_free(ps);
 goto err;
 }
@@ -451,11 +444,14 @@ int OSSL_CRMF_MSG_create_popo(OSSL_CRMF_MSG *crm, EVP_PKEY *pkey,
 /* verifies the Proof-of-Possession of the request with the given rid in reqs */
 int OSSL_CRMF_MSGS_verify_popo(const OSSL_CRMF_MSGS *reqs,
- int rid, int acceptRAVerified)
+ int rid, int acceptRAVerified,
+ OPENSSL_CTX *libctx, const char *propq)
 {
 OSSL_CRMF_MSG *req = NULL;
 X509_PUBKEY *pubkey = NULL;
 OSSL_CRMF_POPOSIGNINGKEY *sig = NULL;
+ const ASN1_ITEM *it;
+ void *asn;
 if (reqs == NULL || (req = sk_OSSL_CRMF_MSG_value(reqs, rid)) == NULL) {
 CRMFerr(CRMF_F_OSSL_CRMF_MSGS_VERIFY_POPO, CRMF_R_NULL_ARGUMENT);
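Review bot: In the first crmf_lib.c hunk, create_popo_signature() checks `ps`, `cr` and `pkey` for NULL but passes the new `digest` parameter to ASN1_item_sign_with_libctx() unchecked, and OSSL_CRMF_MSG_create_popo() forwards it from its callers without a check as well. If a NULL digest is meant to be allowed (for instance so the key type can imply its own digest; that is not visible here), say so in a comment on the helper; otherwise extend the guard to `if (ps == NULL || cr == NULL || pkey == NULL || digest == NULL) {`. The same hunk also mixes `CRMFerr(0, ...)` in the helper with `CRMFerr(CRMF_F_OSSL_CRMF_MSG_CREATE_POPO, ...)` in the public function, which would be worth making uniform. The body of OSSL_CRMF_MSG_create_popo() continues past the hunk.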
@@ -499,21 +495,21 @@ int OSSL_CRMF_MSGS_verify_popo(const OSSL_CRMF_MSGS *reqs,
 * TODO check the contents of the authInfo sub-field,
 * see RFC 4211 https://tools.ietf.org/html/rfc4211#section-4.1
 */
- if (ASN1_item_verify(ASN1_ITEM_rptr(OSSL_CRMF_POPOSIGNINGKEYINPUT),
- sig->algorithmIdentifier, sig->signature,
- sig->poposkInput,
- X509_PUBKEY_get0(pubkey)) < 1)
- return 0;
+ it = ASN1_ITEM_rptr(OSSL_CRMF_POPOSIGNINGKEYINPUT);
+ asn = sig->poposkInput;
 } else {
 if (req->certReq->certTemplate->subject == NULL) {
 CRMFerr(0, CRMF_R_POPO_MISSING_SUBJECT);
 return 0;
 }
- if (ASN1_item_verify(ASN1_ITEM_rptr(OSSL_CRMF_CERTREQUEST),
- sig->algorithmIdentifier, sig->signature,
- req->certReq, X509_PUBKEY_get0(pubkey)) < 1)
- return 0;
+ it = ASN1_ITEM_rptr(OSSL_CRMF_CERTREQUEST);
+ asn = req->certReq;
 }
+ if (ASN1_item_verify_with_libctx(it, sig->algorithmIdentifier,
+ sig->signature, asn, NULL,
+ X509_PUBKEY_get0(pubkey),
+ libctx, propq) < 1)
+ return 0;
 break;
 case OSSL_CRMF_POPO_KEYENC:
 /*
@@ -594,8 +590,10 @@ int OSSL_CRMF_CERTTEMPLATE_fill(OSSL_CRMF_CERTTEMPLATE *tmpl,
 * returns a pointer to the decrypted certificate
 * returns NULL on error or if no certificate available
 */
-X509 *OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(const OSSL_CRMF_ENCRYPTEDVALUE *ecert,
- EVP_PKEY *pkey)
+X509
+*OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(const OSSL_CRMF_ENCRYPTEDVALUE *ecert,
+ OPENSSL_CTX *libctx, const char *propq,
+ EVP_PKEY *pkey)
 {
 X509 *cert = NULL; /* decrypted certificate */
 EVP_CIPHER_CTX *evp_ctx = NULL; /* context for symmetric encryption */
@@ -629,7 +627,7 @@ X509 *OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(const OSSL_CRMF_ENCRYPTEDVALUE *ecer
 }
 cikeysize = EVP_CIPHER_key_length(cipher);
 /* first the symmetric key needs to be decrypted */
- pkctx = EVP_PKEY_CTX_new(pkey, NULL);
+ pkctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, propq);
 if (pkctx != NULL && EVP_PKEY_decrypt_init(pkctx)) {
 ASN1_BIT_STRING *encKey = ecert->encSymmKey;
 size_t failure;
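Review bot: In OSSL_CRMF_MSGS_verify_popo(), the branch that sets `asn = sig->poposkInput;` still feeds the shared ASN1_item_verify_with_libctx() call while the authInfo check named in the TODO at the top of this hunk is missing, so as far as the hunk shows a request using POPOSigningKeyInput is accepted on the signature alone. This commit makes the signing side refuse that form (`CRMF_R_POPOSKINPUT_NOT_SUPPORTED` in create_popo_signature()), so the asymmetry deserves a comment at that assignment, for example `/* authInfo is not validated yet, see TODO above */`, or the verifier could reject the form until the check exists. The start of the branch and the rest of the function are outside the hunk, so any checks made there are not visible.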
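Review bot: OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert() takes `libctx, propq` between `ecert` and `pkey`, whereas OSSL_CRMF_MSG_create_popo() and OSSL_CRMF_MSGS_verify_popo() in this file take them last and OSSL_CRMF_pbm_new() in crmf_pbm.c takes them first. Three placements in one commit make call sites harder to read and review; picking one convention for the library-context pair would help. The comment block above the signature is only partly visible here and is not touched by the hunk, so `libctx` and `propq` likely remain undocumented there.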
@@ -685,10 +683,11 @@ X509 *OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert(const OSSL_CRMF_ENCRYPTEDVALUE *ecer
 outlen += n;
 /* convert decrypted certificate from DER to internal ASN.1 structure */
- if ((cert = d2i_X509(NULL, &p, outlen)) == NULL) {
+ if ((cert = X509_new_with_libctx(libctx, propq)) == NULL)
+ goto end;
+ if (d2i_X509(&cert, &p, outlen) == NULL)
 CRMFerr(CRMF_F_OSSL_CRMF_ENCRYPTEDVALUE_GET1_ENCCERT,
 CRMF_R_ERROR_DECODING_CERTIFICATE);
- }
 end:
 EVP_PKEY_CTX_free(pkctx);
 OPENSSL_free(outbuf);
diff --git a/crypto/crmf/crmf_pbm.c b/crypto/crmf/crmf_pbm.c
index 77ef6e0a37..3aedf8b57f 100644
--- a/crypto/crmf/crmf_pbm.c
+++ b/crypto/crmf/crmf_pbm.c
@@ -122,14 +122,16 @@ OSSL_CRMF_PBMPARAMETER *OSSL_CRMF_pbmp_new(OPENSSL_CTX *libctx, size_t slen,
 * |maclen| if not NULL, will set variable to the length of the mac on success
 * returns 1 on success, 0 on error
 */
-int OSSL_CRMF_pbm_new(const OSSL_CRMF_PBMPARAMETER *pbmp,
+/* TODO try to combine with other MAC calculations in the libray */
+int OSSL_CRMF_pbm_new(OPENSSL_CTX *libctx, const char *propq,
+ const OSSL_CRMF_PBMPARAMETER *pbmp,
 const unsigned char *msg, size_t msglen,
 const unsigned char *sec, size_t seclen,
 unsigned char **out, size_t *outlen)
 {
 int mac_nid, hmac_md_nid = NID_undef;
- const char *mdname = NULL;
- const EVP_MD *m = NULL;
+ const char *mdname;
+ EVP_MD *owf = NULL;
 EVP_MD_CTX *ctx = NULL;
 unsigned char basekey[EVP_MAX_MD_SIZE];
 unsigned int bklen = EVP_MAX_MD_SIZE;
@@ -153,7 +155,8 @@ int OSSL_CRMF_pbm_new(const OSSL_CRMF_PBMPARAMETER *pbmp,
 * compute the key used in the MAC process. All implementations MUST
 * support SHA-1.
 */
- if ((m = EVP_get_digestbyobj(pbmp->owf->algorithm)) == NULL) {
+ mdname = OBJ_nid2sn(OBJ_obj2nid(pbmp->owf->algorithm));
+ if ((owf = EVP_MD_fetch(libctx, mdname, propq)) == NULL) {
 CRMFerr(CRMF_F_OSSL_CRMF_PBM_NEW, CRMF_R_UNSUPPORTED_ALGORITHM);
 goto err;
 }
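Review bot: The new `d2i_X509(&cert, &p, outlen)` call decodes into a pre-allocated `cert`, so the NULL-on-error contract of OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert() now depends on the decoder freeing `cert` and resetting it to NULL when parsing fails; the old `cert = d2i_X509(NULL, ...)` form made that explicit. The return statement is outside the hunk, so this cannot be confirmed here; a comment such as `/* on failure d2i_X509() frees cert and sets it to NULL */` would record the assumption for future readers. The `goto end` after a failed X509_new_with_libctx() also raises no CRMF error, unlike the decode failure next to it.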
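Review bot: The added TODO comment sits between the function's documentation block and `int OSSL_CRMF_pbm_new(`, which detaches the parameter description from the signature, and it misspells "library". Folding it into the block above as ` * TODO try to combine with other MAC calculations in the library`, or moving it into the body, keeps the documentation attached. The documentation block is only partly visible in this hunk; it should also describe the new `libctx` and `propq` parameters if it does not already.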
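Review bot: `mdname` now holds the OWF digest name for EVP_MD_fetch(), and the context of the later `@@ -206` hunk shows `(char *)mdname` being passed as a MAC parameter, so one variable names two different algorithms. Presumably it is reassigned to the HMAC digest name in the lines between the hunks, which are not shown; with the `= NULL` initialiser dropped from the declaration, a separate variable for the OWF name, or a short comment at each assignment, would make it harder to end up running the HMAC with the wrong digest. Because `pbmp->owf->algorithm` is taken from the PBM parameters, it would also help to note how an unrecognised OID is expected to reach the `CRMF_R_UNSUPPORTED_ALGORITHM` branch.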
@@ -162,7 +165,7 @@ int OSSL_CRMF_pbm_new(const OSSL_CRMF_PBMPARAMETER *pbmp,
 goto err;
 /* compute the basekey of the salted secret */
- if (!EVP_DigestInit_ex(ctx, m, NULL))
+ if (!EVP_DigestInit_ex(ctx, owf, NULL))
 goto err;
 /* first the secret */
 if (!EVP_DigestUpdate(ctx, sec, seclen))
@@ -181,7 +184,7 @@ int OSSL_CRMF_pbm_new(const OSSL_CRMF_PBMPARAMETER *pbmp,
 /* the first iteration was already done above */
 while (--iterations > 0) {
- if (!EVP_DigestInit_ex(ctx, m, NULL))
+ if (!EVP_DigestInit_ex(ctx, owf, NULL))
 goto err;
 if (!EVP_DigestUpdate(ctx, basekey, bklen))
 goto err;
@@ -206,7 +209,7 @@ int OSSL_CRMF_pbm_new(const OSSL_CRMF_PBMPARAMETER *pbmp,
 (char *)mdname, 0);
 macparams[1] = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY,
 basekey, bklen);
- if ((mac = EVP_MAC_fetch(NULL, "HMAC", NULL)) == NULL
+ if ((mac = EVP_MAC_fetch(libctx, "HMAC", propq)) == NULL
 || (mctx = EVP_MAC_CTX_new(mac)) == NULL
 || !EVP_MAC_CTX_set_params(mctx, macparams)
 || !EVP_MAC_init(mctx)
@@ -217,10 +220,10 @@ int OSSL_CRMF_pbm_new(const OSSL_CRMF_PBMPARAMETER *pbmp,
 ok = 1;
 err:
- /* cleanup */
 OPENSSL_cleanse(basekey, bklen);
 EVP_MAC_CTX_free(mctx);
 EVP_MAC_free(mac);
+ EVP_MD_free(owf);
 EVP_MD_CTX_free(ctx);
 if (ok == 1) { |