authorDr. David von Oheimb <David.von.Oheimb@siemens.com>2020-02-19 18:00:26 +0100
committerDr. David von Oheimb <David.von.Oheimb@siemens.com>2020-04-02 18:17:00 +0200
commitafe554c2d244b4e7fc8c1b14acef806a2a581a8d (patch)
tree0af31aa1a20a0106423ee23522e35504e6013e1a /doc
parent98278b963171ece10a42d18594045b875103115b (diff)
Chunk 10 of CMP contribution to OpenSSL: CMP http client and related tests
Also improve the generic HTTP client w.r.t. proxy and no_proxy options. Certificate Management Protocol (CMP, RFC 4210) extension to OpenSSL Also includes CRMF (RFC 4211) and HTTP transfer (RFC 6712). Adds the CMP and CRMF API to libcrypto and the "cmp" app to the CLI. Adds extensive documentation and tests. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/11404)
Diffstat (limited to 'doc')
-rw-r--r--doc/man3/OSSL_CMP_CTX_new.pod20
-rw-r--r--doc/man3/OSSL_CMP_MSG_http_perform.pod49
-rw-r--r--doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod3
-rw-r--r--doc/man3/OSSL_HTTP_transfer.pod20
4 files changed, 76 insertions, 16 deletions
diff --git a/doc/man3/OSSL_CMP_CTX_new.pod b/doc/man3/OSSL_CMP_CTX_new.pod
index 016d851ddc..2c1ad59750 100644
--- a/doc/man3/OSSL_CMP_CTX_new.pod
+++ b/doc/man3/OSSL_CMP_CTX_new.pod
@@ -13,8 +13,8 @@ OSSL_CMP_CTX_print_errors,
OSSL_CMP_CTX_set1_serverPath,
OSSL_CMP_CTX_set1_serverName,
OSSL_CMP_CTX_set_serverPort,
-OSSL_CMP_CTX_set1_proxyName,
-OSSL_CMP_CTX_set_proxyPort,
+OSSL_CMP_CTX_set1_proxy,
+OSSL_CMP_CTX_set1_no_proxy,
OSSL_CMP_DEFAULT_PORT,
OSSL_CMP_CTX_set_http_cb,
OSSL_CMP_CTX_set_http_cb_arg,
@@ -80,8 +80,8 @@ OSSL_CMP_CTX_set1_senderNonce
int OSSL_CMP_CTX_set1_serverPath(OSSL_CMP_CTX *ctx, const char *path);
int OSSL_CMP_CTX_set1_serverName(OSSL_CMP_CTX *ctx, const char *name);
int OSSL_CMP_CTX_set_serverPort(OSSL_CMP_CTX *ctx, int port);
- int OSSL_CMP_CTX_set1_proxyName(OSSL_CMP_CTX *ctx, const char *name);
- int OSSL_CMP_CTX_set_proxyPort(OSSL_CMP_CTX *ctx, int port);
+ int OSSL_CMP_CTX_set1_proxy(OSSL_CMP_CTX *ctx, const char *name);
+ int OSSL_CMP_CTX_set1_no_proxy(OSSL_CMP_CTX *ctx, const char *names);
#define OSSL_CMP_DEFAULT_PORT 80
int OSSL_CMP_CTX_set_http_cb(OSSL_CMP_CTX *ctx, HTTP_bio_cb_t cb);
int OSSL_CMP_CTX_set_http_cb_arg(OSSL_CMP_CTX *ctx, void *arg);
@@ -314,11 +314,15 @@ in the given OSSL_CMP_CTX structure.
OSSL_CMP_CTX_set_serverPort() sets the port of the CMP server to connect to.
Port defaults to OSSL_CMP_DEFAULT_PORT = 80 if not set explicitly.
-OSSL_CMP_CTX_set1_proxyName() sets the hostname of the HTTP proxy to be used
-for connecting to the CA server.
+OSSL_CMP_CTX_set1_proxy() sets the HTTP proxy to be used for connecting to the
+CMP server.
+Defaults to the environment variable B<http_proxy> if set, else B<HTTP_PROXY>
+in case no TLS is used, otherwise B<https_proxy> if set, else B<HTTPS_PROXY>.
+The format is [http://]address[:port][/path] where the optional path is ignored.
-OSSL_CMP_CTX_set_proxyPort() sets the port of the HTTP proxy.
-Port defaults to OSSL_CMP_DEFAULT_PORT = 80 if not set explicitly.
+OSSL_CMP_CTX_set1_no_proxy() sets the list of server hostnames not to use
+an HTTP proxy for. The names may be separated by commas and/or whitespace.
+Defaults to the environment variable B<no_proxy> if set, else B<NO_PROXY>.
OSSL_CMP_CTX_set_http_cb() sets the optional BIO connect/disconnect callback
function, which has the prototype
diff --git a/doc/man3/OSSL_CMP_MSG_http_perform.pod b/doc/man3/OSSL_CMP_MSG_http_perform.pod
new file mode 100644
index 0000000000..92f6000867
--- /dev/null
+++ b/doc/man3/OSSL_CMP_MSG_http_perform.pod
@@ -0,0 +1,49 @@
+=pod
+
+=head1 NAME
+
+OSSL_CMP_MSG_http_perform
+- implementation of HTTP transfer for CMP messages
+
+=head1 SYNOPSIS
+
+ #include <openssl/cmp.h>
+
+ SSL_CMP_MSG *OSSL_CMP_MSG_http_perform(OSSL_CMP_CTX *ctx,
+ const OSSL_CMP_MSG *req);
+
+=head1 DESCRIPTION
+
+This is the API for creating a BIO for CMP (Certificate Management
+Protocol) over HTTP(S) with OpenSSL.
+
+OSSL_CMP_MSG_http_perform() sends the given PKIMessage req to the CMP server
+specified in ctx. On success it returns the server's response.
+
+=head1 NOTES
+
+CMP is defined in RFC 4210 (and CRMF in RFC 4211).
+
+=head1 RETURN VALUES
+
+OSSL_CMP_MSG_http_perform() returns a message on success or else NULL.
+It uses ctx->http_cb if set and respects ctx->msgTimeOut.
+
+=head1 SEE ALSO
+
+L<OSSL_CMP_CTX_new(3)>, L<OSSL_CMP_exec_IR_ses(3)>
+
+=head1 HISTORY
+
+The OpenSSL CMP support was added in OpenSSL 3.0.
+
+=head1 COPYRIGHT
+
+Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff --git a/doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod b/doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod
index c9d6d95a1b..eaebce8864 100644
--- a/doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod
+++ b/doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod
@@ -18,8 +18,7 @@ OSSL_CRMF_MSG_get_certReqId
OSSL_CRMF_CERTTEMPLATE *OSSL_CRMF_MSG_get0_tmpl(const OSSL_CRMF_MSG *crm);
ASN1_INTEGER
*OSSL_CRMF_CERTTEMPLATE_get0_serialNumber(OSSL_CRMF_CERTTEMPLATE *tmpl);
- const X509_NAME
- *OSSL_CRMF_CERTTEMPLATE_get0_issuer(OSSL_CRMF_CERTTEMPLATE *tmpl);
+ X509_NAME *OSSL_CRMF_CERTTEMPLATE_get0_issuer(OSSL_CRMF_CERTTEMPLATE *tmpl);
ASN1_INTEGER *OSSL_CRMF_CERTID_get0_serialNumber(const OSSL_CRMF_CERTID *cid);
const X509_NAME *OSSL_CRMF_CERTID_get0_issuer(const OSSL_CRMF_CERTID *cid);
diff --git a/doc/man3/OSSL_HTTP_transfer.pod b/doc/man3/OSSL_HTTP_transfer.pod
index 68010cb6bd..27f438114e 100644
--- a/doc/man3/OSSL_HTTP_transfer.pod
+++ b/doc/man3/OSSL_HTTP_transfer.pod
@@ -17,14 +17,14 @@ OSSL_HTTP_parse_url
typedef BIO *(*OSSL_HTTP_bio_cb_t)(BIO *bio, void *arg,
int connect, int detail);
- BIO *OSSL_HTTP_get(const char *url, const char *proxy, const char *proxy_port,
+ BIO *OSSL_HTTP_get(const char *url, const char *proxy, const char *no_proxy,
BIO *bio, BIO *rbio,
OSSL_HTTP_bio_cb_t bio_update_fn, void *arg,
const STACK_OF(CONF_VALUE) *headers,
int maxline, unsigned long max_resp_len, int timeout,
const char *expected_content_type, int expect_asn1);
ASN1_VALUE *OSSL_HTTP_get_asn1(const char *url,
- const char *proxy, const char *proxy_port,
+ const char *proxy, const char *no_proxy,
BIO *bio, BIO *rbio,
OSSL_HTTP_bio_cb_t bio_update_fn, void *arg,
const STACK_OF(CONF_VALUE) *headers,
@@ -33,7 +33,7 @@ OSSL_HTTP_parse_url
const ASN1_ITEM *it);
ASN1_VALUE *OSSL_HTTP_post_asn1(const char *server, const char *port,
const char *path, int use_ssl,
- const char *proxy, const char *proxy_port,
+ const char *proxy, const char *no_proxy,
BIO *bio, BIO *rbio,
OSSL_HTTP_bio_cb_t bio_update_fn, void *arg,
const STACK_OF(CONF_VALUE) *headers,
@@ -43,7 +43,7 @@ OSSL_HTTP_parse_url
int timeout, const char *expected_ct,
const ASN1_ITEM *rsp_it);
BIO *OSSL_HTTP_transfer(const char *server, const char *port, const char *path,
- int use_ssl, const char *proxy, const char *proxy_port,
+ int use_ssl, const char *proxy, const char *no_proxy,
BIO *bio, BIO *rbio,
OSSL_HTTP_bio_cb_t bio_update_fn, void *arg,
const STACK_OF(CONF_VALUE) *headers,
@@ -91,8 +91,16 @@ L<OPENSSL_free(3)>.
The above functions have the following parameters in common.
-If the B<proxy> parameter is not NULL the HTTP client functions connect
-via the given proxy and the optionally given B<proxy_port>.
+If the optional B<proxy> parameter contains a non-empty string or
+it is NULL and one of the environment variables B<http_proxy> and B<HTTP_PROXY>
+(or B<https_proxy> and B<HTTPS_PROXY>, respectively, in case B<use_ssl> != 0)
+is set and contains a non-empty string this is used as the candidate address
+of HTTP(S) proxy to use.
+The address may include a port specification separated by ':'.
+Any prefix "http://" and any trailing string starting with '/' is ignored.
+The HTTP client functions connect via the given proxy unless the B<server>
+is found in the optional list B<no_proxy> of proxy hostnames (if it is not NULL,
+else in the environment variable B<no_proxy> if set or else in B<HTTP_PROXY>).
Proxying plain HTTP is supported directly,
while using a proxy for HTTPS connections requires a suitable callback function
such as OSSL_HTTP_proxy_connect(), described below.