author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2021-03-15 20:24:40 +0100 |
---|---|---|
committer | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2021-04-28 14:10:45 +0200 |
commit | 1751768cd191c3541dc89a2bb24da1e506385c37 (patch) | |
tree | 8921c0c143160551591d5d2e3f9b3a62ee419a6a | |
parent | 624359374b9af4f99ce1bfaf89e28b7306987777 (diff) | |
download | openssl-1751768cd191c3541dc89a2bb24da1e506385c37.tar.gz |
ESS: Export three core functions, clean up TS and CMS CAdES-BES usage
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14601)
-rw-r--r-- | crypto/cms/cms_ess.c | 2 | ||||
-rw-r--r-- | crypto/cms/cms_sd.c | 4 | ||||
-rw-r--r-- | crypto/ess/ess_asn1.c | 9 | ||||
-rw-r--r-- | crypto/ess/ess_lib.c | 76 | ||||
-rw-r--r-- | crypto/ts/ts_rsp_sign.c | 4 | ||||
-rw-r--r-- | crypto/ts/ts_rsp_verify.c | 2 | ||||
-rw-r--r-- | doc/build.info | 6 | ||||
-rw-r--r-- | doc/man3/CMS_verify.pod | 1 | ||||
-rw-r--r-- | doc/man3/OSSL_ESS_check_signing_certs.pod | 88 | ||||
-rw-r--r-- | doc/man3/TS_VERIFY_CTX_set_certs.pod | 4 | ||||
-rw-r--r-- | include/crypto/ess.h | 17 | ||||
-rw-r--r-- | include/openssl/ess.h.in | 14 | ||||
-rw-r--r-- | include/openssl/esserr.h | 2 | ||||
-rw-r--r-- | test/recipes/80-test_cms.t | 2 | ||||
-rw-r--r-- | util/libcrypto.num | 3 |
15 files changed, 168 insertions, 66 deletions
diff --git a/crypto/cms/cms_ess.c b/crypto/cms/cms_ess.c index ba78b6ebad..fd9903eee8 100644 --- a/crypto/cms/cms_ess.c +++ b/crypto/cms/cms_ess.c @@ -53,7 +53,7 @@ int ossl_cms_check_signing_certs(const CMS_SignerInfo *si, ESS_SIGNING_CERT_V2 *ssv2 = NULL; int ret = ossl_cms_signerinfo_get_signing_cert(si, &ss) >= 0 && ossl_cms_signerinfo_get_signing_cert_v2(si, &ssv2) >= 0 - && ossl_ess_check_signing_certs(ss, ssv2, chain, 1); + && OSSL_ESS_check_signing_certs(ss, ssv2, chain, 1) > 0; ESS_SIGNING_CERT_free(ss); ESS_SIGNING_CERT_V2_free(ssv2); diff --git a/crypto/cms/cms_sd.c b/crypto/cms/cms_sd.c index 898916d548..43dbec6004 100644 --- a/crypto/cms/cms_sd.c +++ b/crypto/cms/cms_sd.c @@ -377,13 +377,13 @@ CMS_SignerInfo *CMS_add1_signer(CMS_ContentInfo *cms, int add_sc; if (md == NULL || EVP_MD_is_a(md, SN_sha1)) { - if ((sc = ossl_ess_signing_cert_new_init(signer, + if ((sc = OSSL_ESS_signing_cert_new_init(signer, NULL, 1)) == NULL) goto err; add_sc = ossl_cms_add1_signing_cert(si, sc); ESS_SIGNING_CERT_free(sc); } else { - if ((sc2 = ossl_ess_signing_cert_v2_new_init(md, signer, + if ((sc2 = OSSL_ESS_signing_cert_v2_new_init(md, signer, NULL, 1)) == NULL) goto err; add_sc = ossl_cms_add1_signing_cert_v2(si, sc2); diff --git a/crypto/ess/ess_asn1.c b/crypto/ess/ess_asn1.c index 08a0be8cc4..681ac4e727 100644 --- a/crypto/ess/ess_asn1.c +++ b/crypto/ess/ess_asn1.c @@ -58,12 +58,13 @@ ASN1_SEQUENCE(ESS_SIGNING_CERT_V2) = { IMPLEMENT_ASN1_FUNCTIONS(ESS_SIGNING_CERT_V2) IMPLEMENT_ASN1_DUP_FUNCTION(ESS_SIGNING_CERT_V2) +/* TODO the following two functions should be moved to ../cms/ */ /* No cms support means no CMS_SignerInfo* definitions */ #ifndef OPENSSL_NO_CMS /* - * Returns < 0 if attribute is not found, 1 if found, or - * -1 on attribute parsing failure. + * Returns 0 if attribute is not found, 1 if found, + * or -1 on attribute parsing failure. */ int ossl_cms_signerinfo_get_signing_cert_v2(const CMS_SignerInfo *si, ESS_SIGNING_CERT_V2 **psc) 
@@ -89,8 +90,8 @@ int ossl_cms_signerinfo_get_signing_cert_v2(const CMS_SignerInfo *si, } /* - * Returns < 0 if attribute is not found, 1 if found, or - * -1 on attribute parsing failure. + * Returns 0 if attribute is not found, 1 if found, + * or -1 on attribute parsing failure. */ int ossl_cms_signerinfo_get_signing_cert(const CMS_SignerInfo *si, ESS_SIGNING_CERT **psc) diff --git a/crypto/ess/ess_lib.c b/crypto/ess/ess_lib.c index 6ded9f6328..beda9c4c16 100644 --- a/crypto/ess/ess_lib.c +++ b/crypto/ess/ess_lib.c @@ -15,13 +15,15 @@ #include "crypto/ess.h" #include "crypto/x509.h" -static ESS_CERT_ID *ESS_CERT_ID_new_init(X509 *cert, int issuer_needed); +static ESS_CERT_ID *ESS_CERT_ID_new_init(const X509 *cert, + int set_issuer_serial); static ESS_CERT_ID_V2 *ESS_CERT_ID_V2_new_init(const EVP_MD *hash_alg, - X509 *cert, int issuer_needed); + const X509 *cert, + int set_issuer_serial); -ESS_SIGNING_CERT *ossl_ess_signing_cert_new_init(X509 *signcert, - STACK_OF(X509) *certs, - int issuer_needed) +ESS_SIGNING_CERT *OSSL_ESS_signing_cert_new_init(const X509 *signcert, + const STACK_OF(X509) *certs, + int set_issuer_serial) { ESS_CERT_ID *cid = NULL; ESS_SIGNING_CERT *sc; @@ -33,11 +35,12 @@ ESS_SIGNING_CERT *ossl_ess_signing_cert_new_init(X509 *signcert, && (sc->cert_ids = sk_ESS_CERT_ID_new_null()) == NULL) goto err; - if ((cid = ESS_CERT_ID_new_init(signcert, issuer_needed)) == NULL + if ((cid = ESS_CERT_ID_new_init(signcert, set_issuer_serial)) == NULL || !sk_ESS_CERT_ID_push(sc->cert_ids, cid)) goto err; for (i = 0; i < sk_X509_num(certs); ++i) { X509 *cert = sk_X509_value(certs, i); + if ((cid = ESS_CERT_ID_new_init(cert, 1)) == NULL || !sk_ESS_CERT_ID_push(sc->cert_ids, cid)) goto err; 
@@ -51,26 +54,22 @@ ESS_SIGNING_CERT *ossl_ess_signing_cert_new_init(X509 *signcert, return NULL; } -static ESS_CERT_ID *ESS_CERT_ID_new_init(X509 *cert, int issuer_needed) +static ESS_CERT_ID *ESS_CERT_ID_new_init(const X509 *cert, + int set_issuer_serial) { ESS_CERT_ID *cid = NULL; GENERAL_NAME *name = NULL; unsigned char cert_sha1[SHA_DIGEST_LENGTH]; - /* Call for side-effect of computing hash and caching extensions */ - if (!ossl_x509v3_cache_extensions(cert)) - return NULL; - if ((cid = ESS_CERT_ID_new()) == NULL) goto err; - /* TODO(3.0): fetch sha1 algorithm from providers */ if (!X509_digest(cert, EVP_sha1(), cert_sha1, NULL)) goto err; if (!ASN1_OCTET_STRING_set(cid->hash, cert_sha1, SHA_DIGEST_LENGTH)) goto err; /* Setting the issuer/serial if requested. */ - if (!issuer_needed) + if (!set_issuer_serial) return cid; if (cid->issuer_serial == NULL @@ -97,10 +96,11 @@ static ESS_CERT_ID *ESS_CERT_ID_new_init(X509 *cert, int issuer_needed) return NULL; } -ESS_SIGNING_CERT_V2 *ossl_ess_signing_cert_v2_new_init(const EVP_MD *hash_alg, - X509 *signcert, +ESS_SIGNING_CERT_V2 *OSSL_ESS_signing_cert_v2_new_init(const EVP_MD *hash_alg, + const X509 *signcert, + const STACK_OF(X509) *certs, - int issuer_needed) + int set_issuer_serial) { ESS_CERT_ID_V2 *cid = NULL; ESS_SIGNING_CERT_V2 *sc; @@ -108,7 +108,8 @@ ESS_SIGNING_CERT_V2 *ossl_ess_signing_cert_v2_new_init(const EVP_MD *hash_alg, if ((sc = ESS_SIGNING_CERT_V2_new()) == NULL) goto err; - if ((cid = ESS_CERT_ID_V2_new_init(hash_alg, signcert, issuer_needed)) == NULL) + cid = ESS_CERT_ID_V2_new_init(hash_alg, signcert, set_issuer_serial); + if (cid == NULL) goto err; if (!sk_ESS_CERT_ID_V2_push(sc->cert_ids, cid)) goto err; 
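Review bot: The parameter line added to the signature of OSSL_ESS_signing_cert_v2_new_init is a bare `const` placed so that the pre-existing `STACK_OF(X509) *certs,` context line could stay untouched, and the same split `const` / `STACK_OF(X509) *certs,` is then copied into the public declaration in include/openssl/ess.h.in and into the SYNOPSIS of doc/man3/OSSL_ESS_check_signing_certs.pod. Join it into a single line, `const STACK_OF(X509) *certs,`, in all three places so that neither the public header nor the manual page carries a minimal-diff artefact. The v1 counterpart OSSL_ESS_signing_cert_new_init in the first ess_lib.c hunk already lists its parameters one per line and can serve as the template. The body of OSSL_ESS_signing_cert_v2_new_init continues outside this hunk.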
@@ -133,7 +134,8 @@ ESS_SIGNING_CERT_V2 *ossl_ess_signing_cert_v2_new_init(const EVP_MD *hash_alg, } static ESS_CERT_ID_V2 *ESS_CERT_ID_V2_new_init(const EVP_MD *hash_alg, - X509 *cert, int issuer_needed) + const X509 *cert, + int set_issuer_serial) { ESS_CERT_ID_V2 *cid; GENERAL_NAME *name = NULL; @@ -159,14 +161,13 @@ static ESS_CERT_ID_V2 *ESS_CERT_ID_V2_new_init(const EVP_MD *hash_alg, cid->hash_alg = NULL; } - /* TODO(3.0): fetch sha1 algorithm from providers */ if (!X509_digest(cert, hash_alg, hash, &hash_len)) goto err; if (!ASN1_OCTET_STRING_set(cid->hash, hash, hash_len)) goto err; - if (!issuer_needed) + if (!set_issuer_serial) return cid; if ((cid->issuer_serial = ESS_ISSUER_SERIAL_new()) == NULL) @@ -193,6 +194,7 @@ static ESS_CERT_ID_V2 *ESS_CERT_ID_V2_new_init(const EVP_MD *hash_alg, return NULL; } +/* TODO the following four functions should be moved to ../ts/ */ ESS_SIGNING_CERT *ossl_ess_get_signing_cert(const PKCS7_SIGNER_INFO *si) { ASN1_TYPE *attr; @@ -295,8 +297,8 @@ static int ess_issuer_serial_cmp(const ESS_ISSUER_SERIAL *is, const X509 *cert) } /* - * Find cert referenced by |cid| (if not NULL, else |cidv2|) in |certs|. - * If the cid{,v2} index is 0, the cert must be in the first in |certs| list. + * Find the cert in |certs| referenced by |cid| if not NULL, else by |cid_v2|. + * The cert must be the first one in |certs| if and only if |index| is 0. * Return 0 on not found, -1 on error, else 1 + the position in |certs|. */ static int find(const ESS_CERT_ID *cid, const ESS_CERT_ID_V2 *cid_v2, @@ -336,7 +338,6 @@ static int find(const ESS_CERT_ID *cid, const ESS_CERT_ID_V2 *cid_v2, } (void)ERR_pop_to_mark(); - /* Look for cert with cid in the certs. */ for (i = 0; i < sk_X509_num(certs); ++i) { cert = sk_X509_value(certs, i); 
@@ -369,34 +370,33 @@ end: return ret; } -/* - * If ESSCertID and/or ESSCertIDv2 exist, which must be non-empty if given, - * check if their first ID entry matches the signer cert first in chain - * and each further ID entry matches any further cert in the chain. - */ -int ossl_ess_check_signing_certs(const ESS_SIGNING_CERT *ss, +int OSSL_ESS_check_signing_certs(const ESS_SIGNING_CERT *ss, const ESS_SIGNING_CERT_V2 *ssv2, const STACK_OF(X509) *chain, int require_signing_cert) { int n_v1 = ss == NULL ? -1 : sk_ESS_CERT_ID_num(ss->cert_ids); int n_v2 = ssv2 == NULL ? -1 : sk_ESS_CERT_ID_V2_num(ssv2->cert_ids); - int i; + int i, ret; if (require_signing_cert && ss == NULL && ssv2 == NULL) { ERR_raise(ERR_LIB_CMS, ESS_R_MISSING_SIGNING_CERTIFICATE_ATTRIBUTE); - return 0; + return -1; } if (n_v1 == 0 || n_v2 == 0) { ERR_raise(ERR_LIB_ESS, ESS_R_EMPTY_ESS_CERT_ID_LIST); - return 0; + return -1; } /* If both ss and ssv2 exist, as required evaluate them independently. */ - for (i = 0; i < n_v1; i++) - if (find(sk_ESS_CERT_ID_value(ss->cert_ids, i), NULL, i, chain) <= 0) - return 0; - for (i = 0; i < n_v2; i++) - if (find(NULL, sk_ESS_CERT_ID_V2_value(ssv2->cert_ids, i), i, chain) <= 0) - return 0; + for (i = 0; i < n_v1; i++) { + ret = find(sk_ESS_CERT_ID_value(ss->cert_ids, i), NULL, i, chain); + if (ret <= 0) + return ret; + } + for (i = 0; i < n_v2; i++) { + ret = find(NULL, sk_ESS_CERT_ID_V2_value(ssv2->cert_ids, i), i, chain); + if (ret <= 0) + return ret; + } return 1; } diff --git a/crypto/ts/ts_rsp_sign.c b/crypto/ts/ts_rsp_sign.c index 6d00a471a2..8f0653c5d3 100644 --- a/crypto/ts/ts_rsp_sign.c +++ b/crypto/ts/ts_rsp_sign.c 
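Review bot: In OSSL_ESS_check_signing_certs the missing-attribute path still raises `ERR_raise(ERR_LIB_CMS, ESS_R_MISSING_SIGNING_CERTIFICATE_ATTRIBUTE);` while the empty-list check two lines below uses ERR_LIB_ESS; now that the function is exported and is also reached from the TS verifier (ts_rsp_verify.c hunk), the CMS library tag looks like a leftover, and an ESS reason code packed under ERR_LIB_CMS will presumably not resolve to its ESS reason string. Change it to `ERR_raise(ERR_LIB_ESS, ESS_R_MISSING_SIGNING_CERTIFICATE_ATTRIBUTE);` so the two error paths of this function report consistently. The new manual page for this function is internally inconsistent about the ESS base RFC: its DESCRIPTION says "RFCs 2624 and 5035" while its NOTES section says RFC 2634, and DESCRIPTION also spells "certficates" for "certificates". Both callers fold the new -1 return into 0 with `> 0`, which is fine for them, but it means the not-found/error distinction this hunk introduces is only observable through the error queue; a sentence saying so in the pod's RETURN VALUES section would help users of the exported function.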
@@ -687,7 +687,7 @@ static int ts_RESP_sign(TS_RESP_CTX *ctx) certs = ctx->flags & TS_ESS_CERT_ID_CHAIN ? ctx->certs : NULL; if (ctx->ess_cert_id_digest == NULL || EVP_MD_is_a(ctx->ess_cert_id_digest, SN_sha1)) { - if ((sc = ossl_ess_signing_cert_new_init(ctx->signer_cert, + if ((sc = OSSL_ESS_signing_cert_new_init(ctx->signer_cert, certs, 0)) == NULL) goto err; @@ -696,7 +696,7 @@ static int ts_RESP_sign(TS_RESP_CTX *ctx) goto err; } } else { - sc2 = ossl_ess_signing_cert_v2_new_init(ctx->ess_cert_id_digest, + sc2 = OSSL_ESS_signing_cert_v2_new_init(ctx->ess_cert_id_digest, ctx->signer_cert, certs, 0); if (sc2 == NULL) goto err; diff --git a/crypto/ts/ts_rsp_verify.c b/crypto/ts/ts_rsp_verify.c index 09daa2a449..56f40b1152 100644 --- a/crypto/ts/ts_rsp_verify.c +++ b/crypto/ts/ts_rsp_verify.c @@ -208,7 +208,7 @@ static int ts_check_signing_certs(const PKCS7_SIGNER_INFO *si, { ESS_SIGNING_CERT *ss = ossl_ess_get_signing_cert(si); ESS_SIGNING_CERT_V2 *ssv2 = ossl_ess_get_signing_cert_v2(si); - int ret = ossl_ess_check_signing_certs(ss, ssv2, chain, 1); + int ret = OSSL_ESS_check_signing_certs(ss, ssv2, chain, 1) > 0; ESS_SIGNING_CERT_free(ss); ESS_SIGNING_CERT_V2_free(ssv2); diff --git a/doc/build.info b/doc/build.info index d9c5d8d4fc..86daf403d7 100644 --- a/doc/build.info +++ b/doc/build.info 
@@ -1602,6 +1602,10 @@ DEPEND[html/man3/OSSL_ENCODER_to_bio.html]=man3/OSSL_ENCODER_to_bio.pod GENERATE[html/man3/OSSL_ENCODER_to_bio.html]=man3/OSSL_ENCODER_to_bio.pod DEPEND[man/man3/OSSL_ENCODER_to_bio.3]=man3/OSSL_ENCODER_to_bio.pod GENERATE[man/man3/OSSL_ENCODER_to_bio.3]=man3/OSSL_ENCODER_to_bio.pod +DEPEND[html/man3/OSSL_ESS_check_signing_certs.html]=man3/OSSL_ESS_check_signing_certs.pod +GENERATE[html/man3/OSSL_ESS_check_signing_certs.html]=man3/OSSL_ESS_check_signing_certs.pod +DEPEND[man/man3/OSSL_ESS_check_signing_certs.3]=man3/OSSL_ESS_check_signing_certs.pod +GENERATE[man/man3/OSSL_ESS_check_signing_certs.3]=man3/OSSL_ESS_check_signing_certs.pod DEPEND[html/man3/OSSL_HTTP_REQ_CTX.html]=man3/OSSL_HTTP_REQ_CTX.pod GENERATE[html/man3/OSSL_HTTP_REQ_CTX.html]=man3/OSSL_HTTP_REQ_CTX.pod DEPEND[man/man3/OSSL_HTTP_REQ_CTX.3]=man3/OSSL_HTTP_REQ_CTX.pod @@ -3050,6 +3054,7 @@ html/man3/OSSL_ENCODER.html \ html/man3/OSSL_ENCODER_CTX.html \ html/man3/OSSL_ENCODER_CTX_new_for_pkey.html \ html/man3/OSSL_ENCODER_to_bio.html \ +html/man3/OSSL_ESS_check_signing_certs.html \ html/man3/OSSL_HTTP_REQ_CTX.html \ html/man3/OSSL_HTTP_parse_url.html \ html/man3/OSSL_HTTP_transfer.html \ @@ -3625,6 +3630,7 @@ man/man3/OSSL_ENCODER.3 \ man/man3/OSSL_ENCODER_CTX.3 \ man/man3/OSSL_ENCODER_CTX_new_for_pkey.3 \ man/man3/OSSL_ENCODER_to_bio.3 \ +man/man3/OSSL_ESS_check_signing_certs.3 \ man/man3/OSSL_HTTP_REQ_CTX.3 \ man/man3/OSSL_HTTP_parse_url.3 \ man/man3/OSSL_HTTP_transfer.3 \ diff --git a/doc/man3/CMS_verify.pod b/doc/man3/CMS_verify.pod index 0331f7cf7e..33130bc9f2 100644 --- a/doc/man3/CMS_verify.pod +++ b/doc/man3/CMS_verify.pod @@ -122,6 +122,7 @@ be held in memory if it is not detached. =head1 SEE ALSO +L<OSSL_ESS_check_signing_certs(3)>, L<ERR_get_error(3)>, L<CMS_sign(3)> =head1 COPYRIGHT diff --git a/doc/man3/OSSL_ESS_check_signing_certs.pod b/doc/man3/OSSL_ESS_check_signing_certs.pod new file mode 100644 index 0000000000..bff26193d7 --- /dev/null 
+++ b/doc/man3/OSSL_ESS_check_signing_certs.pod 
@@ -0,0 +1,88 @@
+=pod
+
+=head1 NAME
+
+OSSL_ESS_signing_cert_new_init,
+OSSL_ESS_signing_cert_v2_new_init,
+OSSL_ESS_check_signing_certs
+- Enhanced Security Services (ESS) functions
+
+=head1 SYNOPSIS
+
+ #include <openssl/ess.h>
+
+ ESS_SIGNING_CERT *OSSL_ESS_signing_cert_new_init(const X509 *signcert,
+ const STACK_OF(X509) *certs,
+ int set_issuer_serial);
+ ESS_SIGNING_CERT_V2 *OSSL_ESS_signing_cert_v2_new_init(const EVP_MD *hash_alg,
+ const X509 *signcert,
+ const
+ STACK_OF(X509) *certs,
+ int set_issuer_serial);
+ int OSSL_ESS_check_signing_certs(const ESS_SIGNING_CERT *ss,
+ const ESS_SIGNING_CERT_V2 *ssv2,
+ const STACK_OF(X509) *chain,
+ int require_signing_cert);
+
+=head1 DESCRIPTION
+
+OSSL_ESS_signing_cert_new_init() generates a new B<ESS_SIGNING_CERT> structure
+referencing the given I<signcert> and any given further I<certs>
+using their SHA-1 fingerprints.
+If I<set_issuer_serial> is nonzero then also the issuer and serial number
+of I<signcert> are included in the B<ESS_CERT_ID> as the B<issuerSerial> field.
+For all members of I<certs> the B<issuerSerial> field is always included.
+
+OSSL_ESS_signing_cert_v2_new_init() is the same as
+OSSL_ESS_signing_cert_new_init() except that it uses the given I<hash_alg> and
+generates a B<ESS_SIGNING_CERT_V2> structure with B<ESS_CERT_ID_V2> elements.
+
+OSSL_ESS_check_signing_certs() checks if the validation chain I<chain> contains
+the certificates required by the identifiers given in I<ss> and/or I<ssv2>.
+If I<require_signing_cert> is nonzero, I<ss> or I<ssv2> must not be NULL.
+If both I<ss> and I<ssv2> are not NULL, they are evaluated independently.
+The list of certificate identifiers in I<ss> is of type B<ESS_CERT_ID>,
+while the list contained in I<ssv2> is of type B<ESS_CERT_ID_V2>.
+As far as these lists are present, they must be nonempty.
+The certificate identified by their first entry must be the first element of
+I<chain>, i.e. the signer certificate.
+Any further certficates referenced in the list must also be found in I<chain>.
+The matching is done using the given certificate hash algorithm and value.
+In addition to the checks required by RFCs 2624 and 5035,
+if the B<issuerSerial> field is included in an B<ESSCertID> or B<ESSCertIDv2>
+it must match the certificate issuer and serial number attributes.
+
+=head1 NOTES
+
+ESS has been defined in RFC 2634, which has been updated in RFC 5035
+(ESS version 2) to support hash algorithms other than SHA-1.
+This is used for TSP (RFC 3161) and CAdES-BES (informational RFC 5126).
+
+=head1 RETURN VALUES
+
+OSSL_ESS_signing_cert_new_init() and OSSL_ESS_signing_cert_v2_new_init()
+return a pointer to the new structure or NULL on malloc failure.
+
+OSSL_ESS_check_signing_certs() returns 1 on success,
+0 if a required certificate cannot be found, -1 on other error.
+
+=head1 SEE ALSO
+
+L<TS_VERIFY_CTX_set_certs(3)>,
+L<CMS_verify(3)>
+
+=head1 HISTORY
+
+OSSL_ESS_signing_cert_new_init(), OSSL_ESS_signing_cert_v2_new_init(), and
+OSSL_ESS_check_signing_certs() were added in OpenSSL 3.0.
+
+=head1 COPYRIGHT
+
+Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff --git a/doc/man3/TS_VERIFY_CTX_set_certs.pod b/doc/man3/TS_VERIFY_CTX_set_certs.pod
index 26c9a66abc..cf6aee1921 100644
--- a/doc/man3/TS_VERIFY_CTX_set_certs.pod
+++ b/doc/man3/TS_VERIFY_CTX_set_certs.pod
@@ -39,6 +39,10 @@ which takes the same parameters and returns the same result. TS_VERIFY_CTX_set_certs() returns the stack of B<X509> certificates the user passes in via parameter B<certs>. +=head1 SEE ALSO + +L<OSSL_ESS_check_signing_certs(3)> + =head1 HISTORY The spelling of TS_VERIFY_CTX_set_certs() was corrected in OpenSSL 3.0.0. 
diff --git a/include/crypto/ess.h b/include/crypto/ess.h index 1961e39067..7a687d47cc 100644 --- a/include/crypto/ess.h +++ b/include/crypto/ess.h @@ -11,27 +11,16 @@ # define OSSL_CRYPTO_ESS_H # pragma once -/* internal ESS related stuff */ +/* internal ESS related functions used for TS */ +/* TODO move these four decls to a new include/crypto/ts.h */ ESS_SIGNING_CERT *ossl_ess_get_signing_cert(const PKCS7_SIGNER_INFO *si); int ossl_ess_signing_cert_add(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT *sc); -ESS_SIGNING_CERT *ossl_ess_signing_cert_new_init(X509 *signcert, - STACK_OF(X509) *certs, - int issuer_needed); - ESS_SIGNING_CERT_V2 *ossl_ess_get_signing_cert_v2(const PKCS7_SIGNER_INFO *si); int ossl_ess_signing_cert_v2_add(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT_V2 *sc); -ESS_SIGNING_CERT_V2 *ossl_ess_signing_cert_v2_new_init(const EVP_MD *hash_alg, - X509 *signcert, - STACK_OF(X509) *certs, - int issuer_needed); - -int ossl_ess_check_signing_certs(const ESS_SIGNING_CERT *ss, - const ESS_SIGNING_CERT_V2 *ssv2, - const STACK_OF(X509) *chain, - int require_signing_cert); +/* internal ESS stuff */ /*- * IssuerSerial ::= SEQUENCE { diff --git a/include/openssl/ess.h.in b/include/openssl/ess.h.in index 6dd686ba77..c35d8ef82d 100644 --- a/include/openssl/ess.h.in +++ b/include/openssl/ess.h.in @@ -44,7 +44,6 @@ typedef struct ESS_cert_id_v2_st ESS_CERT_ID_V2; generate_stack_macros("ESS_CERT_ID_V2"); -} - DECLARE_ASN1_ALLOC_FUNCTIONS(ESS_ISSUER_SERIAL) DECLARE_ASN1_ENCODE_FUNCTIONS_only(ESS_ISSUER_SERIAL, ESS_ISSUER_SERIAL) DECLARE_ASN1_DUP_FUNCTION(ESS_ISSUER_SERIAL) 
@@ -65,6 +64,19 @@ DECLARE_ASN1_ALLOC_FUNCTIONS(ESS_SIGNING_CERT_V2) DECLARE_ASN1_ENCODE_FUNCTIONS_only(ESS_SIGNING_CERT_V2, ESS_SIGNING_CERT_V2) DECLARE_ASN1_DUP_FUNCTION(ESS_SIGNING_CERT_V2) +ESS_SIGNING_CERT *OSSL_ESS_signing_cert_new_init(const X509 *signcert, + const STACK_OF(X509) *certs, + int set_issuer_serial); +ESS_SIGNING_CERT_V2 *OSSL_ESS_signing_cert_v2_new_init(const EVP_MD *hash_alg, + const X509 *signcert, + const + STACK_OF(X509) *certs, + int set_issuer_serial); +int OSSL_ESS_check_signing_certs(const ESS_SIGNING_CERT *ss, + const ESS_SIGNING_CERT_V2 *ssv2, + const STACK_OF(X509) *chain, + int require_signing_cert); + # ifdef __cplusplus } # endif diff --git a/include/openssl/esserr.h b/include/openssl/esserr.h index 0b9e89e4cb..165ce7c437 100644 --- a/include/openssl/esserr.h +++ b/include/openssl/esserr.h @@ -16,8 +16,6 @@ # include <openssl/symhacks.h> # include <openssl/cryptoerr_legacy.h> - - /* * ESS reason codes. */ diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t index 1837a51bbe..a371f21ad8 100644 --- a/test/recipes/80-test_cms.t +++ b/test/recipes/80-test_cms.t @@ -455,7 +455,7 @@ my @smime_cms_cades_ko_tests = ( [ @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach", "-certfile", catfile($smdir, "smroot.pem"), "-signer", catfile($smdir, "smrsa1.pem"), "-out", "{output}.cms" ], - "fail to verify token because requiring CAdES-BES compatibility", + "fail to verify token since requiring CAdES-BES compatibility", [ @prov, "-verify", "-cades", "-in", "{output}.cms", "-inform", "DER", "-CAfile", catfile($smdir, "smroot.pem"), "-out", "{output}.txt" ], \&final_compare diff --git a/util/libcrypto.num b/util/libcrypto.num index f49ebeef45..dcfc71b13d 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num 
@@ -5315,6 +5315,9 @@ RAND_set_DRBG_type ? 3_0_0 EXIST::FUNCTION:
 RAND_set_seed_source_type ? 3_0_0 EXIST::FUNCTION:
 BN_mod_exp_mont_consttime_x2 ? 3_0_0 EXIST::FUNCTION:
 BIO_f_readbuffer ? 3_0_0 EXIST::FUNCTION:
+OSSL_ESS_check_signing_certs ? 3_0_0 EXIST::FUNCTION:
+OSSL_ESS_signing_cert_new_init ? 3_0_0 EXIST::FUNCTION:
+OSSL_ESS_signing_cert_v2_new_init ? 3_0_0 EXIST::FUNCTION:
 EVP_DigestInit_ex2 ? 3_0_0 EXIST::FUNCTION:
 EVP_EncryptInit_ex2 ? 3_0_0 EXIST::FUNCTION:
 EVP_DecryptInit_ex2 ? 3_0_0 EXIST::FUNCTION: |