diff options
author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-08-28 12:11:31 +0200 |
---|---|---|
committer | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-09-10 07:07:55 +0200 |
commit | a0745e2be6635ffdf286ba5bc3bd867c8d4152a9 (patch) | |
tree | 00d93474fb208fba1ce021a5a82d1effb933535b /crypto/cmp/cmp_client.c | |
parent | 474853c39a2b631f9f401df32834043500081b7c (diff) | |
download | openssl-a0745e2be6635ffdf286ba5bc3bd867c8d4152a9.tar.gz |
Clean up CMP chain building for CMP signer, TLS client, and newly enrolled certs
* Use strenghtened cert chain building, verifying chain using optional trust store
while making sure that no certificate status (e.g., CRL) checks are done
* Use OSSL_CMP_certConf_cb() by default and move its doc to OSSL_CMP_CTX_new.pod
* Simplify certificate and cert store loading in apps/cmp.c
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12741)
Diffstat (limited to 'crypto/cmp/cmp_client.c')
-rw-r--r-- | crypto/cmp/cmp_client.c | 46 |
1 files changed, 35 insertions, 11 deletions
diff --git a/crypto/cmp/cmp_client.c b/crypto/cmp/cmp_client.c index d5a4f3ced5..4f8a9e2444 100644 --- a/crypto/cmp/cmp_client.c +++ b/crypto/cmp/cmp_client.c @@ -22,6 +22,7 @@ #include "openssl/cmp_util.h" DEFINE_STACK_OF(ASN1_UTF8STRING) +DEFINE_STACK_OF(X509) DEFINE_STACK_OF(X509_CRL) DEFINE_STACK_OF(OSSL_CMP_CERTRESPONSE) DEFINE_STACK_OF(OSSL_CMP_PKISI) @@ -487,14 +488,35 @@ int OSSL_CMP_certConf_cb(OSSL_CMP_CTX *ctx, X509 *cert, int fail_info, const char **text) { X509_STORE *out_trusted = OSSL_CMP_CTX_get_certConf_cb_arg(ctx); + STACK_OF(X509) *chain = NULL; (void)text; /* make (artificial) use of var to prevent compiler warning */ if (fail_info != 0) /* accept any error flagged by CMP core library */ return fail_info; - if (out_trusted != NULL - && !OSSL_CMP_validate_cert_path(ctx, out_trusted, cert)) - fail_info = 1 << OSSL_CMP_PKIFAILUREINFO_incorrectData; + ossl_cmp_debug(ctx, "trying to build chain for newly enrolled cert"); + chain = ossl_cmp_build_cert_chain(ctx->libctx, ctx->propq, + out_trusted /* may be NULL */, + ctx->untrusted, cert); + if (sk_X509_num(chain) > 0) + X509_free(sk_X509_shift(chain)); /* remove leaf (EE) cert */ + if (out_trusted != NULL) { + if (chain == NULL) { + ossl_cmp_err(ctx, "failed building chain for newly enrolled cert"); + fail_info = 1 << OSSL_CMP_PKIFAILUREINFO_incorrectData; + } else { + ossl_cmp_debug(ctx, + "succeeded building proper chain for newly enrolled cert"); + } + } else if (chain == NULL) { + ossl_cmp_warn(ctx, "could not build approximate chain for newly enrolled cert, resorting to received extraCerts"); + chain = OSSL_CMP_CTX_get1_extraCertsIn(ctx); + } else { + ossl_cmp_debug(ctx, + "success building approximate chain for newly enrolled cert"); + } + (void)ossl_cmp_ctx_set1_newChain(ctx, chain); + sk_X509_pop_free(chain, X509_free); return fail_info; } @@ -515,10 +537,14 @@ static int cert_response(OSSL_CMP_CTX *ctx, int sleep, int rid, const char *txt = NULL; OSSL_CMP_CERTREPMESSAGE *crepmsg; OSSL_CMP_CERTRESPONSE *crep; + OSSL_CMP_certConf_cb_t cb; X509 *cert; char *subj = NULL; int ret = 1; + if (!ossl_assert(ctx != NULL)) + return 0; + retry: crepmsg = (*resp)->body->value.ip; /* same for cp and kup */ if (sk_OSSL_CMP_CERTRESPONSE_num(crepmsg->response) > 1) { @@ -584,21 +610,19 @@ static int cert_response(OSSL_CMP_CTX *ctx, int sleep, int rid, * OSSL_CMP_PKISTATUS_rejection, fail_info, txt) * not throwing CMP_R_CERTIFICATE_NOT_ACCEPTED with txt * not returning 0 - * since we better leave this for any ctx->certConf_cb to decide + * since we better leave this for the certConf_cb to decide */ } /* - * Execute the certification checking callback function possibly set in ctx, + * Execute the certification checking callback function, * which can determine whether to accept a newly enrolled certificate. * It may overrule the pre-decision reflected in 'fail_info' and '*txt'. */ - if (ctx->certConf_cb - && (fail_info = ctx->certConf_cb(ctx, ctx->newCert, - fail_info, &txt)) != 0) { - if (txt == NULL) - txt = "CMP client application did not accept it"; - } + cb = ctx->certConf_cb != NULL ? ctx->certConf_cb : OSSL_CMP_certConf_cb; + if ((fail_info = cb(ctx, ctx->newCert, fail_info, &txt)) != 0 + && txt == NULL) + txt = "CMP client did not accept it"; if (fail_info != 0) /* immediately log error before any certConf exchange */ ossl_cmp_log1(ERROR, ctx, "rejecting newly enrolled cert with subject: %s", subj); |