summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--INSTALL3
-rw-r--r--crypto/build.info2
-rw-r--r--crypto/cmp/build.info2
-rw-r--r--crypto/cmp/cmp_asn.c398
-rw-r--r--crypto/cmp/cmp_err.c35
-rw-r--r--crypto/cmp/cmp_int.h589
-rw-r--r--crypto/crmf/crmf_asn.c6
-rw-r--r--crypto/crmf/crmf_int.h6
-rw-r--r--crypto/crmf/crmf_lib.c4
-rw-r--r--crypto/crmf/crmf_pbm.c6
-rw-r--r--crypto/err/err.c1
-rw-r--r--crypto/err/err_all.c2
-rw-r--r--crypto/err/openssl.ec1
-rw-r--r--doc/man3/OSSL_CMP_ITAV_set0.pod105
-rw-r--r--doc/man3/OSSL_CRMF_MSG_get0_tmpl.pod2
-rw-r--r--doc/man3/OSSL_CRMF_MSG_set1_regCtrl_regToken.pod2
-rw-r--r--doc/man3/OSSL_CRMF_MSG_set1_regInfo_certReq.pod2
-rw-r--r--doc/man3/OSSL_CRMF_MSG_set_validity.pod2
-rw-r--r--doc/man3/OSSL_CRMF_pbmp_new.pod2
-rw-r--r--doc/man3/X509_dup.pod23
-rw-r--r--doc/man3/d2i_X509.pod20
-rw-r--r--include/openssl/cmp.h243
-rw-r--r--include/openssl/cmperr.h32
-rw-r--r--include/openssl/crmf.h6
-rw-r--r--include/openssl/err.h2
-rw-r--r--util/libcrypto.num302
26 files changed, 1632 insertions, 166 deletions
diff --git a/INSTALL b/INSTALL
index 605f1d4cdb..e980f50e1d 100644
--- a/INSTALL
+++ b/INSTALL
@@ -314,6 +314,9 @@
Don't build the CAPI engine. This option will be forced if
on a platform that does not support CAPI.
+ no-cmp
+ Don't build support for CMP features
+
no-cms
Don't build support for CMS features
diff --git a/crypto/build.info b/crypto/build.info
index 629e819b8a..7798bcbe18 100644
--- a/crypto/build.info
+++ b/crypto/build.info
@@ -5,7 +5,7 @@ SUBDIRS=objects buffer bio stack lhash rand evp asn1 pem x509 conf \
md2 md4 md5 sha mdc2 gmac hmac ripemd whrlpool poly1305 blake2 \
siphash sm3 des aes rc2 rc4 rc5 idea aria bf cast camellia \
seed sm4 chacha modes bn ec rsa dsa dh sm2 dso engine \
- err comp ocsp cms ts srp cmac ct async kmac ess crmf
+ err comp ocsp cms ts srp cmac ct async kmac ess crmf cmp
LIBS=../libcrypto
# The Core
diff --git a/crypto/cmp/build.info b/crypto/cmp/build.info
new file mode 100644
index 0000000000..6b6ccaaf49
--- /dev/null
+++ b/crypto/cmp/build.info
@@ -0,0 +1,2 @@
+LIBS=../../libcrypto
+SOURCE[../../libcrypto]= cmp_asn.c cmp_err.c
diff --git a/crypto/cmp/cmp_asn.c b/crypto/cmp/cmp_asn.c
new file mode 100644
index 0000000000..8555586dfd
--- /dev/null
+++ b/crypto/cmp/cmp_asn.c
@@ -0,0 +1,398 @@
+/*
+ * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright Nokia 2007-2019
+ * Copyright Siemens AG 2015-2019
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ *
+ * CMP implementation by Martin Peylo, Miikka Viljanen, and David von Oheimb.
+ */
+
+#include <openssl/asn1t.h>
+
+#include "cmp_int.h"
+
+/* explicit #includes not strictly needed since implied by the above: */
+#include <openssl/cmp.h>
+#include <openssl/crmf.h>
+
+/* ASN.1 declarations from RFC4210 */
+ASN1_SEQUENCE(OSSL_CMP_REVANNCONTENT) = {
+ /* OSSL_CMP_PKISTATUS is effectively ASN1_INTEGER so it is used directly */
+ ASN1_SIMPLE(OSSL_CMP_REVANNCONTENT, status, ASN1_INTEGER),
+ ASN1_SIMPLE(OSSL_CMP_REVANNCONTENT, certId, OSSL_CRMF_CERTID),
+ ASN1_SIMPLE(OSSL_CMP_REVANNCONTENT, willBeRevokedAt, ASN1_GENERALIZEDTIME),
+ ASN1_SIMPLE(OSSL_CMP_REVANNCONTENT, badSinceDate, ASN1_GENERALIZEDTIME),
+ ASN1_OPT(OSSL_CMP_REVANNCONTENT, crlDetails, X509_EXTENSIONS)
+} ASN1_SEQUENCE_END(OSSL_CMP_REVANNCONTENT)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_REVANNCONTENT)
+
+
+ASN1_SEQUENCE(OSSL_CMP_CHALLENGE) = {
+ ASN1_OPT(OSSL_CMP_CHALLENGE, owf, X509_ALGOR),
+ ASN1_SIMPLE(OSSL_CMP_CHALLENGE, witness, ASN1_OCTET_STRING),
+ ASN1_SIMPLE(OSSL_CMP_CHALLENGE, challenge, ASN1_OCTET_STRING)
+} ASN1_SEQUENCE_END(OSSL_CMP_CHALLENGE)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CHALLENGE)
+
+
+ASN1_ITEM_TEMPLATE(OSSL_CMP_POPODECKEYCHALLCONTENT) =
+ ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,
+ OSSL_CMP_POPODECKEYCHALLCONTENT, OSSL_CMP_CHALLENGE)
+ASN1_ITEM_TEMPLATE_END(OSSL_CMP_POPODECKEYCHALLCONTENT)
+
+
+ASN1_ITEM_TEMPLATE(OSSL_CMP_POPODECKEYRESPCONTENT) =
+ ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,
+ OSSL_CMP_POPODECKEYRESPCONTENT, ASN1_INTEGER)
+ASN1_ITEM_TEMPLATE_END(OSSL_CMP_POPODECKEYRESPCONTENT)
+
+
+ASN1_SEQUENCE(OSSL_CMP_CAKEYUPDANNCONTENT) = {
+ /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
+ ASN1_SIMPLE(OSSL_CMP_CAKEYUPDANNCONTENT, oldWithNew, X509),
+ /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
+ ASN1_SIMPLE(OSSL_CMP_CAKEYUPDANNCONTENT, newWithOld, X509),
+ /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
+ ASN1_SIMPLE(OSSL_CMP_CAKEYUPDANNCONTENT, newWithNew, X509)
+} ASN1_SEQUENCE_END(OSSL_CMP_CAKEYUPDANNCONTENT)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CAKEYUPDANNCONTENT)
+
+
+ASN1_SEQUENCE(OSSL_CMP_ERRORMSGCONTENT) = {
+ ASN1_SIMPLE(OSSL_CMP_ERRORMSGCONTENT, pKIStatusInfo, OSSL_CMP_PKISI),
+ ASN1_OPT(OSSL_CMP_ERRORMSGCONTENT, errorCode, ASN1_INTEGER),
+ /*
+ * OSSL_CMP_PKIFREETEXT is effectively a sequence of ASN1_UTF8STRING
+ * so it is used directly
+ *
+ */
+ ASN1_SEQUENCE_OF_OPT(OSSL_CMP_ERRORMSGCONTENT, errorDetails, ASN1_UTF8STRING)
+} ASN1_SEQUENCE_END(OSSL_CMP_ERRORMSGCONTENT)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_ERRORMSGCONTENT)
+
+ASN1_ADB_TEMPLATE(infotypeandvalue_default) = ASN1_OPT(OSSL_CMP_ITAV,
+ infoValue.other, ASN1_ANY);
+/* ITAV means InfoTypeAndValue */
+ASN1_ADB(OSSL_CMP_ITAV) = {
+ /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
+ ADB_ENTRY(NID_id_it_caProtEncCert, ASN1_OPT(OSSL_CMP_ITAV,
+ infoValue.caProtEncCert, X509)),
+ ADB_ENTRY(NID_id_it_signKeyPairTypes,
+ ASN1_SEQUENCE_OF_OPT(OSSL_CMP_ITAV,
+ infoValue.signKeyPairTypes, X509_ALGOR)),
+ ADB_ENTRY(NID_id_it_encKeyPairTypes,
+ ASN1_SEQUENCE_OF_OPT(OSSL_CMP_ITAV,
+ infoValue.encKeyPairTypes, X509_ALGOR)),
+ ADB_ENTRY(NID_id_it_preferredSymmAlg,
+ ASN1_OPT(OSSL_CMP_ITAV, infoValue.preferredSymmAlg,
+ X509_ALGOR)),
+ ADB_ENTRY(NID_id_it_caKeyUpdateInfo,
+ ASN1_OPT(OSSL_CMP_ITAV, infoValue.caKeyUpdateInfo,
+ OSSL_CMP_CAKEYUPDANNCONTENT)),
+ ADB_ENTRY(NID_id_it_currentCRL,
+ ASN1_OPT(OSSL_CMP_ITAV, infoValue.currentCRL, X509_CRL)),
+ ADB_ENTRY(NID_id_it_unsupportedOIDs,
+ ASN1_SEQUENCE_OF_OPT(OSSL_CMP_ITAV,
+ infoValue.unsupportedOIDs, ASN1_OBJECT)),
+ ADB_ENTRY(NID_id_it_keyPairParamReq,
+ ASN1_OPT(OSSL_CMP_ITAV, infoValue.keyPairParamReq,
+ ASN1_OBJECT)),
+ ADB_ENTRY(NID_id_it_keyPairParamRep,
+ ASN1_OPT(OSSL_CMP_ITAV, infoValue.keyPairParamRep,
+ X509_ALGOR)),
+ ADB_ENTRY(NID_id_it_revPassphrase,
+ ASN1_OPT(OSSL_CMP_ITAV, infoValue.revPassphrase,
+ OSSL_CRMF_ENCRYPTEDVALUE)),
+ ADB_ENTRY(NID_id_it_implicitConfirm,
+ ASN1_OPT(OSSL_CMP_ITAV, infoValue.implicitConfirm,
+ ASN1_NULL)),
+ ADB_ENTRY(NID_id_it_confirmWaitTime,
+ ASN1_OPT(OSSL_CMP_ITAV, infoValue.confirmWaitTime,
+ ASN1_GENERALIZEDTIME)),
+ ADB_ENTRY(NID_id_it_origPKIMessage,
+ ASN1_OPT(OSSL_CMP_ITAV, infoValue.origPKIMessage,
+ OSSL_CMP_MSGS)),
+ ADB_ENTRY(NID_id_it_suppLangTags,
+ ASN1_SEQUENCE_OF_OPT(OSSL_CMP_ITAV, infoValue.suppLangTagsValue,
+ ASN1_UTF8STRING)),
+} ASN1_ADB_END(OSSL_CMP_ITAV, 0, infoType, 0,
+ &infotypeandvalue_default_tt, NULL);
+
+
+ASN1_SEQUENCE(OSSL_CMP_ITAV) = {
+ ASN1_SIMPLE(OSSL_CMP_ITAV, infoType, ASN1_OBJECT),
+ ASN1_ADB_OBJECT(OSSL_CMP_ITAV)
+} ASN1_SEQUENCE_END(OSSL_CMP_ITAV)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_ITAV)
+IMPLEMENT_ASN1_DUP_FUNCTION(OSSL_CMP_ITAV)
+
+OSSL_CMP_ITAV *OSSL_CMP_ITAV_create(ASN1_OBJECT *type, ASN1_TYPE *value)
+{
+ OSSL_CMP_ITAV *itav;
+
+ if (type == NULL || (itav = OSSL_CMP_ITAV_new()) == NULL)
+ return NULL;
+ OSSL_CMP_ITAV_set0(itav, type, value);
+ return itav;
+}
+
+void OSSL_CMP_ITAV_set0(OSSL_CMP_ITAV *itav, ASN1_OBJECT *type,
+ ASN1_TYPE *value)
+{
+ itav->infoType = type;
+ itav->infoValue.other = value;
+}
+
+ASN1_OBJECT *OSSL_CMP_ITAV_get0_type(const OSSL_CMP_ITAV *itav)
+{
+ if (itav == NULL)
+ return NULL;
+ return itav->infoType;
+}
+
+ASN1_TYPE *OSSL_CMP_ITAV_get0_value(const OSSL_CMP_ITAV *itav)
+{
+ if (itav == NULL)
+ return NULL;
+ return itav->infoValue.other;
+}
+
+int OSSL_CMP_ITAV_push0_stack_item(STACK_OF(OSSL_CMP_ITAV) **itav_sk_p,
+ OSSL_CMP_ITAV *itav)
+{
+ int created = 0;
+
+ if (itav_sk_p == NULL)
+ goto err;
+
+ if (*itav_sk_p == NULL) {
+ if ((*itav_sk_p = sk_OSSL_CMP_ITAV_new_null()) == NULL)
+ goto err;
+ created = 1;
+ }
+ if (itav != NULL) {
+ if (!sk_OSSL_CMP_ITAV_push(*itav_sk_p, itav))
+ goto err;
+ }
+ return 1;
+ err:
+ if (created != 0) {
+ sk_OSSL_CMP_ITAV_free(*itav_sk_p);
+ *itav_sk_p = NULL;
+ }
+ return 0;
+}
+
+ASN1_CHOICE(OSSL_CMP_CERTORENCCERT) = {
+ /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
+ ASN1_EXP(OSSL_CMP_CERTORENCCERT, value.certificate, X509, 0),
+ ASN1_EXP(OSSL_CMP_CERTORENCCERT, value.encryptedCert,
+ OSSL_CRMF_ENCRYPTEDVALUE, 1),
+} ASN1_CHOICE_END(OSSL_CMP_CERTORENCCERT)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CERTORENCCERT)
+
+
+ASN1_SEQUENCE(OSSL_CMP_CERTIFIEDKEYPAIR) = {
+ ASN1_SIMPLE(OSSL_CMP_CERTIFIEDKEYPAIR, certOrEncCert,
+ OSSL_CMP_CERTORENCCERT),
+ ASN1_EXP_OPT(OSSL_CMP_CERTIFIEDKEYPAIR, privateKey,
+ OSSL_CRMF_ENCRYPTEDVALUE, 0),
+ ASN1_EXP_OPT(OSSL_CMP_CERTIFIEDKEYPAIR, publicationInfo,
+ OSSL_CRMF_PKIPUBLICATIONINFO, 1)
+} ASN1_SEQUENCE_END(OSSL_CMP_CERTIFIEDKEYPAIR)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CERTIFIEDKEYPAIR)
+
+
+ASN1_SEQUENCE(OSSL_CMP_REVDETAILS) = {
+ ASN1_SIMPLE(OSSL_CMP_REVDETAILS, certDetails, OSSL_CRMF_CERTTEMPLATE),
+ ASN1_OPT(OSSL_CMP_REVDETAILS, crlEntryDetails, X509_EXTENSIONS)
+} ASN1_SEQUENCE_END(OSSL_CMP_REVDETAILS)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_REVDETAILS)
+
+
+ASN1_ITEM_TEMPLATE(OSSL_CMP_REVREQCONTENT) =
+ ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, OSSL_CMP_REVREQCONTENT,
+ OSSL_CMP_REVDETAILS)
+ASN1_ITEM_TEMPLATE_END(OSSL_CMP_REVREQCONTENT)
+
+
+ASN1_SEQUENCE(OSSL_CMP_REVREPCONTENT) = {
+ ASN1_SEQUENCE_OF(OSSL_CMP_REVREPCONTENT, status, OSSL_CMP_PKISI),
+ ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_REVREPCONTENT, revCerts, OSSL_CRMF_CERTID,
+ 0),
+ ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_REVREPCONTENT, crls, X509_CRL, 1)
+} ASN1_SEQUENCE_END(OSSL_CMP_REVREPCONTENT)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_REVREPCONTENT)
+
+
+ASN1_SEQUENCE(OSSL_CMP_KEYRECREPCONTENT) = {
+ ASN1_SIMPLE(OSSL_CMP_KEYRECREPCONTENT, status, OSSL_CMP_PKISI),
+ ASN1_EXP_OPT(OSSL_CMP_KEYRECREPCONTENT, newSigCert, X509, 0),
+ ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_KEYRECREPCONTENT, caCerts, X509, 1),
+ ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_KEYRECREPCONTENT, keyPairHist,
+ OSSL_CMP_CERTIFIEDKEYPAIR, 2)
+} ASN1_SEQUENCE_END(OSSL_CMP_KEYRECREPCONTENT)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_KEYRECREPCONTENT)
+
+
+ASN1_ITEM_TEMPLATE(OSSL_CMP_PKISTATUS) =
+ ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_UNIVERSAL, 0, status, ASN1_INTEGER)
+ASN1_ITEM_TEMPLATE_END(OSSL_CMP_PKISTATUS)
+
+ASN1_SEQUENCE(OSSL_CMP_PKISI) = {
+ ASN1_SIMPLE(OSSL_CMP_PKISI, status, OSSL_CMP_PKISTATUS),
+ /*
+ * CMP_PKIFREETEXT is effectively a sequence of ASN1_UTF8STRING
+ * so it is used directly
+ */
+ ASN1_SEQUENCE_OF_OPT(OSSL_CMP_PKISI, statusString, ASN1_UTF8STRING),
+ /*
+ * OSSL_CMP_PKIFAILUREINFO is effectively ASN1_BIT_STRING so used directly
+ */
+ ASN1_OPT(OSSL_CMP_PKISI, failInfo, ASN1_BIT_STRING)
+} ASN1_SEQUENCE_END(OSSL_CMP_PKISI)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_PKISI)
+IMPLEMENT_ASN1_DUP_FUNCTION(OSSL_CMP_PKISI)
+
+ASN1_SEQUENCE(OSSL_CMP_CERTSTATUS) = {
+ ASN1_SIMPLE(OSSL_CMP_CERTSTATUS, certHash, ASN1_OCTET_STRING),
+ ASN1_SIMPLE(OSSL_CMP_CERTSTATUS, certReqId, ASN1_INTEGER),
+ ASN1_OPT(OSSL_CMP_CERTSTATUS, statusInfo, OSSL_CMP_PKISI)
+} ASN1_SEQUENCE_END(OSSL_CMP_CERTSTATUS)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CERTSTATUS)
+
+ASN1_ITEM_TEMPLATE(OSSL_CMP_CERTCONFIRMCONTENT) =
+ ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, OSSL_CMP_CERTCONFIRMCONTENT,
+ OSSL_CMP_CERTSTATUS)
+ASN1_ITEM_TEMPLATE_END(OSSL_CMP_CERTCONFIRMCONTENT)
+
+ASN1_SEQUENCE(OSSL_CMP_CERTRESPONSE) = {
+ ASN1_SIMPLE(OSSL_CMP_CERTRESPONSE, certReqId, ASN1_INTEGER),
+ ASN1_SIMPLE(OSSL_CMP_CERTRESPONSE, status, OSSL_CMP_PKISI),
+ ASN1_OPT(OSSL_CMP_CERTRESPONSE, certifiedKeyPair,
+ OSSL_CMP_CERTIFIEDKEYPAIR),
+ ASN1_OPT(OSSL_CMP_CERTRESPONSE, rspInfo, ASN1_OCTET_STRING)
+} ASN1_SEQUENCE_END(OSSL_CMP_CERTRESPONSE)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CERTRESPONSE)
+
+ASN1_SEQUENCE(OSSL_CMP_POLLREQ) = {
+ ASN1_SIMPLE(OSSL_CMP_POLLREQ, certReqId, ASN1_INTEGER)
+} ASN1_SEQUENCE_END(OSSL_CMP_POLLREQ)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_POLLREQ)
+
+ASN1_ITEM_TEMPLATE(OSSL_CMP_POLLREQCONTENT) =
+ ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, OSSL_CMP_POLLREQCONTENT,
+ OSSL_CMP_POLLREQ)
+ASN1_ITEM_TEMPLATE_END(OSSL_CMP_POLLREQCONTENT)
+
+ASN1_SEQUENCE(OSSL_CMP_POLLREP) = {
+ ASN1_SIMPLE(OSSL_CMP_POLLREP, certReqId, ASN1_INTEGER),
+ ASN1_SIMPLE(OSSL_CMP_POLLREP, checkAfter, ASN1_INTEGER),
+ ASN1_SEQUENCE_OF_OPT(OSSL_CMP_POLLREP, reason, ASN1_UTF8STRING),
+} ASN1_SEQUENCE_END(OSSL_CMP_POLLREP)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_POLLREP)
+
+ASN1_ITEM_TEMPLATE(OSSL_CMP_POLLREPCONTENT) =
+ ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,
+ OSSL_CMP_POLLREPCONTENT,
+ OSSL_CMP_POLLREP)
+ASN1_ITEM_TEMPLATE_END(OSSL_CMP_POLLREPCONTENT)
+
+ASN1_SEQUENCE(OSSL_CMP_CERTREPMESSAGE) = {
+ /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
+ ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_CERTREPMESSAGE, caPubs, X509, 1),
+ ASN1_SEQUENCE_OF(OSSL_CMP_CERTREPMESSAGE, response, OSSL_CMP_CERTRESPONSE)
+} ASN1_SEQUENCE_END(OSSL_CMP_CERTREPMESSAGE)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CERTREPMESSAGE)
+
+ASN1_ITEM_TEMPLATE(OSSL_CMP_GENMSGCONTENT) =
+ ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, OSSL_CMP_GENMSGCONTENT,
+ OSSL_CMP_ITAV)
+ASN1_ITEM_TEMPLATE_END(OSSL_CMP_GENMSGCONTENT)
+
+ASN1_ITEM_TEMPLATE(OSSL_CMP_GENREPCONTENT) =
+ ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, OSSL_CMP_GENREPCONTENT,
+ OSSL_CMP_ITAV)
+ASN1_ITEM_TEMPLATE_END(OSSL_CMP_GENREPCONTENT)
+
+ASN1_ITEM_TEMPLATE(OSSL_CMP_CRLANNCONTENT) =
+ ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0,
+ OSSL_CMP_CRLANNCONTENT, X509_CRL)
+ASN1_ITEM_TEMPLATE_END(OSSL_CMP_CRLANNCONTENT)
+
+ASN1_CHOICE(OSSL_CMP_PKIBODY) = {
+ ASN1_EXP(OSSL_CMP_PKIBODY, value.ir, OSSL_CRMF_MSGS, 0),
+ ASN1_EXP(OSSL_CMP_PKIBODY, value.ip, OSSL_CMP_CERTREPMESSAGE, 1),
+ ASN1_EXP(OSSL_CMP_PKIBODY, value.cr, OSSL_CRMF_MSGS, 2),
+ ASN1_EXP(OSSL_CMP_PKIBODY, value.cp, OSSL_CMP_CERTREPMESSAGE, 3),
+ ASN1_EXP(OSSL_CMP_PKIBODY, value.p10cr, X509_REQ, 4),
+ ASN1_EXP(OSSL_CMP_PKIBODY, value.popdecc, OSSL_CMP_POPODECKEYCHALLCONTENT, 5),
+ ASN1_EXP(OSSL_CMP_PKIBODY, value.popdecr, OSSL_CMP_POPODECKEYRESPCONTENT, 6),
+ ASN1_EXP(OSSL_CMP_PKIBODY, value.kur, OSSL_CRMF_MSGS, 7),
+ ASN1_EXP(OSSL_CMP_PKIBODY, value.kup, OSSL_CMP_CERTREPMESSAGE, 8),
+ ASN1_EXP(OSSL_CMP_PKIBODY, value.krr, OSSL_CRMF_MSGS, 9),
+ ASN1_EXP(OSSL_CMP_PKIBODY, value.krp, OSSL_CMP_KEYRECREPCONTENT, 10),
+ ASN1_EXP(OSSL_CMP_PKIBODY, value.rr, OSSL_CMP_REVREQCONTENT, 11),
+ ASN1_EXP(OSSL_CMP_PKIBODY, value.rp, OSSL_CMP_REVREPCONTENT, 12),
+ ASN1_EXP(OSSL_CMP_PKIBODY, value.ccr, OSSL_CRMF_MSGS, 13),
+ ASN1_EXP(OSSL_CMP_PKIBODY, value.ccp, OSSL_CMP_CERTREPMESSAGE, 14),
+ ASN1_EXP(OSSL_CMP_PKIBODY, value.ckuann, OSSL_CMP_CAKEYUPDANNCONTENT, 15),
+ ASN1_EXP(OSSL_CMP_PKIBODY, value.cann, X509, 16),
+ ASN1_EXP(OSSL_CMP_PKIBODY, value.rann, OSSL_CMP_REVANNCONTENT, 17),
+ ASN1_EXP(OSSL_CMP_PKIBODY, value.crlann, OSSL_CMP_CRLANNCONTENT, 18),
+ ASN1_EXP(OSSL_CMP_PKIBODY, value.pkiconf, ASN1_ANY, 19),
+ ASN1_EXP(OSSL_CMP_PKIBODY, value.nested, OSSL_CMP_MSGS, 20),
+ ASN1_EXP(OSSL_CMP_PKIBODY, value.genm, OSSL_CMP_GENMSGCONTENT, 21),
+ ASN1_EXP(OSSL_CMP_PKIBODY, value.genp, OSSL_CMP_GENREPCONTENT, 22),
+ ASN1_EXP(OSSL_CMP_PKIBODY, value.error, OSSL_CMP_ERRORMSGCONTENT, 23),
+ ASN1_EXP(OSSL_CMP_PKIBODY, value.certConf, OSSL_CMP_CERTCONFIRMCONTENT, 24),
+ ASN1_EXP(OSSL_CMP_PKIBODY, value.pollReq, OSSL_CMP_POLLREQCONTENT, 25),
+ ASN1_EXP(OSSL_CMP_PKIBODY, value.pollRep, OSSL_CMP_POLLREPCONTENT, 26),
+} ASN1_CHOICE_END(OSSL_CMP_PKIBODY)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_PKIBODY)
+
+ASN1_SEQUENCE(OSSL_CMP_PKIHEADER) = {
+ ASN1_SIMPLE(OSSL_CMP_PKIHEADER, pvno, ASN1_INTEGER),
+ ASN1_SIMPLE(OSSL_CMP_PKIHEADER, sender, GENERAL_NAME),
+ ASN1_SIMPLE(OSSL_CMP_PKIHEADER, recipient, GENERAL_NAME),
+ ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, messageTime, ASN1_GENERALIZEDTIME, 0),
+ ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, protectionAlg, X509_ALGOR, 1),
+ ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, senderKID, ASN1_OCTET_STRING, 2),
+ ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, recipKID, ASN1_OCTET_STRING, 3),
+ ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, transactionID, ASN1_OCTET_STRING, 4),
+ ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, senderNonce, ASN1_OCTET_STRING, 5),
+ ASN1_EXP_OPT(OSSL_CMP_PKIHEADER, recipNonce, ASN1_OCTET_STRING, 6),
+ /*
+ * OSSL_CMP_PKIFREETEXT is effectively a sequence of ASN1_UTF8STRING
+ * so it is used directly
+ */
+ ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_PKIHEADER, freeText, ASN1_UTF8STRING, 7),
+ ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_PKIHEADER, generalInfo,
+ OSSL_CMP_ITAV, 8)
+} ASN1_SEQUENCE_END(OSSL_CMP_PKIHEADER)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_PKIHEADER)
+
+ASN1_SEQUENCE(CMP_PROTECTEDPART) = {
+ ASN1_SIMPLE(OSSL_CMP_MSG, header, OSSL_CMP_PKIHEADER),
+ ASN1_SIMPLE(OSSL_CMP_MSG, body, OSSL_CMP_PKIBODY)
+} ASN1_SEQUENCE_END(CMP_PROTECTEDPART)
+IMPLEMENT_ASN1_FUNCTIONS(CMP_PROTECTEDPART)
+
+ASN1_SEQUENCE(OSSL_CMP_MSG) = {
+ ASN1_SIMPLE(OSSL_CMP_MSG, header, OSSL_CMP_PKIHEADER),
+ ASN1_SIMPLE(OSSL_CMP_MSG, body, OSSL_CMP_PKIBODY),
+ ASN1_EXP_OPT(OSSL_CMP_MSG, protection, ASN1_BIT_STRING, 0),
+ /* OSSL_CMP_CMPCERTIFICATE is effectively X509 so it is used directly */
+ ASN1_EXP_SEQUENCE_OF_OPT(OSSL_CMP_MSG, extraCerts, X509, 1)
+} ASN1_SEQUENCE_END(OSSL_CMP_MSG)
+IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_MSG)
+IMPLEMENT_ASN1_DUP_FUNCTION(OSSL_CMP_MSG)
+
+ASN1_ITEM_TEMPLATE(OSSL_CMP_MSGS) =
+ ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, OSSL_CMP_MSGS,
+ OSSL_CMP_MSG)
+ASN1_ITEM_TEMPLATE_END(OSSL_CMP_MSGS)
diff --git a/crypto/cmp/cmp_err.c b/crypto/cmp/cmp_err.c
new file mode 100644
index 0000000000..b85b8bac82
--- /dev/null
+++ b/crypto/cmp/cmp_err.c
@@ -0,0 +1,35 @@
+/*
+ * Generated by util/mkerr.pl DO NOT EDIT
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <openssl/err.h>
+#include <openssl/cmperr.h>
+
+#ifndef OPENSSL_NO_ERR
+
+static const ERR_STRING_DATA CMP_str_functs[] = {
+ {0, NULL}
+};
+
+static const ERR_STRING_DATA CMP_str_reasons[] = {
+ {0, NULL}
+};
+
+#endif
+
+int ERR_load_CMP_strings(void)
+{
+#ifndef OPENSSL_NO_ERR
+ if (ERR_func_error_string(CMP_str_functs[0].error) == NULL) {
+ ERR_load_strings_const(CMP_str_functs);
+ ERR_load_strings_const(CMP_str_reasons);
+ }
+#endif
+ return 1;
+}
diff --git a/crypto/cmp/cmp_int.h b/crypto/cmp/cmp_int.h
new file mode 100644
index 0000000000..e78968aaa1
--- /dev/null
+++ b/crypto/cmp/cmp_int.h
@@ -0,0 +1,589 @@
+/*
+ * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright Nokia 2007-2019
+ * Copyright Siemens AG 2015-2019
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ *
+ * CMP implementation by Martin Peylo, Miikka Viljanen, and David von Oheimb.
+ */
+
+#ifndef OSSL_HEADER_CMP_INT_H
+# define OSSL_HEADER_CMP_INT_H
+
+# include "internal/cryptlib.h"
+
+# include <openssl/cmp.h>
+# include <openssl/err.h>
+
+/* explicit #includes not strictly needed since implied by the above: */
+# include <openssl/crmf.h>
+# include <openssl/ossl_typ.h>
+# include <openssl/safestack.h>
+# include <openssl/x509.h>
+# include <openssl/x509v3.h>
+
+/*
+ * ##########################################################################
+ * ASN.1 DECLARATIONS
+ * ##########################################################################
+ */
+
+/*-
+ * RevAnnContent ::= SEQUENCE {
+ * status PKIStatus,
+ * certId CertId,
+ * willBeRevokedAt GeneralizedTime,
+ * badSinceDate GeneralizedTime,
+ * crlDetails Extensions OPTIONAL
+ * -- extra CRL details (e.g., crl number, reason, location, etc.)
+ * }
+ */
+typedef struct OSSL_cmp_revanncontent_st {
+ ASN1_INTEGER *status;
+ OSSL_CRMF_CERTID *certId;
+ ASN1_GENERALIZEDTIME *willBeRevokedAt;
+ ASN1_GENERALIZEDTIME *badSinceDate;
+ X509_EXTENSIONS *crlDetails;
+} OSSL_CMP_REVANNCONTENT;
+DECLARE_ASN1_FUNCTIONS(OSSL_CMP_REVANNCONTENT)
+
+/*-
+ * Challenge ::= SEQUENCE {
+ * owf AlgorithmIdentifier OPTIONAL,
+ *
+ * -- MUST be present in the first Challenge; MAY be omitted in
+ * -- any subsequent Challenge in POPODecKeyChallContent (if
+ * -- omitted, then the owf used in the immediately preceding
+ * -- Challenge is to be used).
+ *
+ * witness OCTET STRING,
+ * -- the result of applying the one-way function (owf) to a
+ * -- randomly-generated INTEGER, A. [Note that a different
+ * -- INTEGER MUST be used for each Challenge.]
+ * challenge OCTET STRING
+ * -- the encryption (under the public key for which the cert.
+ * -- request is being made) of Rand, where Rand is specified as
+ * -- Rand ::= SEQUENCE {
+ * -- int INTEGER,
+ * -- - the randomly-generated INTEGER A (above)
+ * -- sender GeneralName
+ * -- - the sender's name (as included in PKIHeader)
+ * -- }
+ * }
+ */
+typedef struct OSSL_cmp_challenge_st {
+ X509_ALGOR *owf;
+ ASN1_OCTET_STRING *witness;
+ ASN1_OCTET_STRING *challenge;
+} OSSL_CMP_CHALLENGE;
+DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CHALLENGE)
+
+/*-
+ * CAKeyUpdAnnContent ::= SEQUENCE {
+ * oldWithNew Certificate,
+ * newWithOld Certificate,
+ * newWithNew Certificate
+ * }
+ */
+typedef struct OSSL_cmp_cakeyupdanncontent_st {
+ X509 *oldWithNew;
+ X509 *newWithOld;
+ X509 *newWithNew;
+} OSSL_CMP_CAKEYUPDANNCONTENT;
+DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CAKEYUPDANNCONTENT)
+
+/*-
+ * declared already here as it will be used in OSSL_CMP_MSG (nested) and
+ * infoType and infoValue
+ */
+typedef STACK_OF(OSSL_CMP_MSG) OSSL_CMP_MSGS;
+DECLARE_ASN1_FUNCTIONS(OSSL_CMP_MSGS)
+
+/*-
+ * InfoTypeAndValue ::= SEQUENCE {
+ * infoType OBJECT IDENTIFIER,
+ * infoValue ANY DEFINED BY infoType OPTIONAL
+ * }
+ */
+struct OSSL_cmp_itav_st {
+ ASN1_OBJECT *infoType;
+ union {
+ char *ptr;
+ /* NID_id_it_caProtEncCert - CA Protocol Encryption Certificate */
+ X509 *caProtEncCert;
+ /* NID_id_it_signKeyPairTypes - Signing Key Pair Types */
+ STACK_OF(X509_ALGOR) *signKeyPairTypes;
+ /* NID_id_it_encKeyPairTypes - Encryption/Key Agreement Key Pair Types */
+ STACK_OF(X509_ALGOR) *encKeyPairTypes;
+ /* NID_id_it_preferredSymmAlg - Preferred Symmetric Algorithm */
+ X509_ALGOR *preferredSymmAlg;
+ /* NID_id_it_caKeyUpdateInfo - Updated CA Key Pair */
+ OSSL_CMP_CAKEYUPDANNCONTENT *caKeyUpdateInfo;
+ /* NID_id_it_currentCRL - CRL */
+ X509_CRL *currentCRL;
+ /* NID_id_it_unsupportedOIDs - Unsupported Object Identifiers */
+ STACK_OF(ASN1_OBJECT) *unsupportedOIDs;
+ /* NID_id_it_keyPairParamReq - Key Pair Parameters Request */
+ ASN1_OBJECT *keyPairParamReq;
+ /* NID_id_it_keyPairParamRep - Key Pair Parameters Response */
+ X509_ALGOR *keyPairParamRep;
+ /* NID_id_it_revPassphrase - Revocation Passphrase */
+ OSSL_CRMF_ENCRYPTEDVALUE *revPassphrase;
+ /* NID_id_it_implicitConfirm - ImplicitConfirm */
+ ASN1_NULL *implicitConfirm;
+ /* NID_id_it_confirmWaitTime - ConfirmWaitTime */
+ ASN1_GENERALIZEDTIME *confirmWaitTime;
+ /* NID_id_it_origPKIMessage - origPKIMessage */
+ OSSL_CMP_MSGS *origPKIMessage;
+ /* NID_id_it_suppLangTags - Supported Language Tags */
+ STACK_OF(ASN1_UTF8STRING) *suppLangTagsValue;
+ /* this is to be used for so far undeclared objects */
+ ASN1_TYPE *other;
+ } infoValue;
+} /* OSSL_CMP_ITAV */;
+DECLARE_ASN1_FUNCTIONS(OSSL_CMP_ITAV)
+DECLARE_ASN1_DUP_FUNCTION(OSSL_CMP_ITAV)
+
+
+typedef struct OSSL_cmp_certorenccert_st {
+ int type;
+ union {
+ X509 *certificate;
+ OSSL_CRMF_ENCRYPTEDVALUE *encryptedCert;
+ } value;
+} OSSL_CMP_CERTORENCCERT;
+DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTORENCCERT)
+
+/*-
+ * CertifiedKeyPair ::= SEQUENCE {
+ * certOrEncCert CertOrEncCert,
+ * privateKey [0] EncryptedValue OPTIONAL,
+ * -- see [CRMF] for comment on encoding
+ * publicationInfo [1] PKIPublicationInfo OPTIONAL
+ * }
+ */
+typedef struct OSSL_cmp_certifiedkeypair_st {
+ OSSL_CMP_CERTORENCCERT *certOrEncCert;
+ OSSL_CRMF_ENCRYPTEDVALUE *privateKey;
+ OSSL_CRMF_PKIPUBLICATIONINFO *publicationInfo;
+} OSSL_CMP_CERTIFIEDKEYPAIR;
+DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTIFIEDKEYPAIR)
+
+/*-
+ * PKIStatusInfo ::= SEQUENCE {
+ * status PKIStatus,
+ * statusString PKIFreeText OPTIONAL,
+ * failInfo PKIFailureInfo OPTIONAL
+ * }
+ */
+struct OSSL_cmp_pkisi_st {
+ OSSL_CMP_PKISTATUS *status;
+ OSSL_CMP_PKIFREETEXT *statusString;
+ OSSL_CMP_PKIFAILUREINFO *failInfo;
+} /* OSSL_CMP_PKISI */;
+DECLARE_ASN1_FUNCTIONS(OSSL_CMP_PKISI)
+DECLARE_ASN1_DUP_FUNCTION(OSSL_CMP_PKISI)
+
+/*-
+ * RevReqContent ::= SEQUENCE OF RevDetails
+ *
+ * RevDetails ::= SEQUENCE {
+ * certDetails CertTemplate,
+ * crlEntryDetails Extensions OPTIONAL
+ * }
+ */
+typedef struct OSSL_cmp_revdetails_st {
+ OSSL_CRMF_CERTTEMPLATE *certDetails;
+ X509_EXTENSIONS *crlEntryDetails;
+} OSSL_CMP_REVDETAILS;
+DECLARE_ASN1_FUNCTIONS(OSSL_CMP_REVDETAILS)
+DEFINE_STACK_OF(OSSL_CMP_REVDETAILS)
+
+/*-
+ * RevRepContent ::= SEQUENCE {
+ * status SEQUENCE SIZE (1..MAX) OF PKIStatusInfo,
+ * -- in same order as was sent in RevReqContent
+ * revCerts [0] SEQUENCE SIZE (1..MAX) OF CertId
+ * OPTIONAL,
+ * -- IDs for which revocation was requested
+ * -- (same order as status)
+ * crls [1] SEQUENCE SIZE (1..MAX) OF CertificateList
+ * OPTIONAL
+ * -- the resulting CRLs (there may be more than one)
+ * }
+ */
+struct OSSL_cmp_revrepcontent_st {
+ STACK_OF(OSSL_CMP_PKISI) *status;
+ STACK_OF(OSSL_CRMF_CERTID) *revCerts;
+ STACK_OF(X509_CRL) *crls;
+} /* OSSL_CMP_REVREPCONTENT */;
+DECLARE_ASN1_FUNCTIONS(OSSL_CMP_REVREPCONTENT)
+
+/*-
+ * KeyRecRepContent ::= SEQUENCE {
+ * status PKIStatusInfo,
+ * newSigCert [0] Certificate OPTIONAL,
+ * caCerts [1] SEQUENCE SIZE (1..MAX) OF
+ * Certificate OPTIONAL,
+ * keyPairHist [2] SEQUENCE SIZE (1..MAX) OF
+ * CertifiedKeyPair OPTIONAL
+ * }
+ */
+typedef struct OSSL_cmp_keyrecrepcontent_st {
+ OSSL_CMP_PKISI *status;
+ X509 *newSigCert;
+ STACK_OF(X509) *caCerts;
+ STACK_OF(OSSL_CMP_CERTIFIEDKEYPAIR) *keyPairHist;
+} OSSL_CMP_KEYRECREPCONTENT;
+DECLARE_ASN1_FUNCTIONS(OSSL_CMP_KEYRECREPCONTENT)
+
+/*-
+ * ErrorMsgContent ::= SEQUENCE {
+ * pKIStatusInfo PKIStatusInfo,
+ * errorCode INTEGER OPTIONAL,
+ * -- implementation-specific error codes
+ * errorDetails PKIFreeText OPTIONAL
+ * -- implementation-specific error details
+ * }
+ */
+typedef struct OSSL_cmp_errormsgcontent_st {
+ OSSL_CMP_PKISI *pKIStatusInfo;
+ ASN1_INTEGER *errorCode;
+ OSSL_CMP_PKIFREETEXT *errorDetails;
+} OSSL_CMP_ERRORMSGCONTENT;
+DECLARE_ASN1_FUNCTIONS(OSSL_CMP_ERRORMSGCONTENT)
+
+/*-
+ * CertConfirmContent ::= SEQUENCE OF CertStatus
+ *
+ * CertStatus ::= SEQUENCE {
+ * certHash OCTET STRING,
+ * -- the hash of the certificate, using the same hash algorithm
+ * -- as is used to create and verify the certificate signature
+ * certReqId INTEGER,
+ * -- to match this confirmation with the corresponding req/rep
+ * statusInfo PKIStatusInfo OPTIONAL
+ * }
+ */
+struct OSSL_cmp_certstatus_st {
+ ASN1_OCTET_STRING *certHash;
+ ASN1_INTEGER *certReqId;
+ OSSL_CMP_PKISI *statusInfo;
+} /* OSSL_CMP_CERTSTATUS */;
+DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTSTATUS)
+
+typedef STACK_OF(OSSL_CMP_CERTSTATUS) OSSL_CMP_CERTCONFIRMCONTENT;
+DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTCONFIRMCONTENT)
+
+/*-
+ * CertResponse ::= SEQUENCE {
+ * certReqId INTEGER,
+ * -- to match this response with corresponding request (a value
+ * -- of -1 is to be used if certReqId is not specified in the
+ * -- corresponding request)
+ * status PKIStatusInfo,
+ * certifiedKeyPair CertifiedKeyPair OPTIONAL,
+ * rspInfo OCTET STRING