diff options
| author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2023-04-25 19:14:34 +0200 |
|---|---|---|
| committer | Dr. David von Oheimb <dev@ddvo.net> | 2023-05-12 10:46:27 +0200 |
| commit | 2d6585986f3b754750b25e7a296a08e7129a5320 (patch) | |
| tree | e83cf793bd5d4035095625d646782eaf72d2fa63 | |
| parent | 14ca1b6f4694ad27b1163bcafda1683f4dd05a30 (diff) | |
| download | openssl-new-2d6585986f3b754750b25e7a296a08e7129a5320.tar.gz | |
CMP client: fix error response on -csr without private key, also in docs
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/20832)
| -rw-r--r-- | apps/cmp.c | 19 | ||||
| -rw-r--r-- | crypto/cmp/cmp_err.c | 5 | ||||
| -rw-r--r-- | crypto/cmp/cmp_msg.c | 6 | ||||
| -rw-r--r-- | crypto/err/openssl.txt | 2 | ||||
| -rw-r--r-- | doc/man1/openssl-cmp.pod.in | 41 | ||||
| -rw-r--r-- | doc/man3/OSSL_CMP_MSG_get0_header.pod | 3 | ||||
| -rw-r--r-- | include/crypto/cmperr.h | 2 | ||||
| -rw-r--r-- | include/openssl/cmperr.h | 4 | ||||
| -rw-r--r-- | test/recipes/80-test_cmp_http_data/Mock/new_pub.key | 9 | ||||
| -rw-r--r-- | test/recipes/80-test_cmp_http_data/test_enrollment.csv | 7 |
10 files changed, 77 insertions, 21 deletions
diff --git a/apps/cmp.c b/apps/cmp.c index ec60e677c1..1cd8841b61 100644 --- a/apps/cmp.c +++ b/apps/cmp.c @@ -1525,10 +1525,25 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) CMP_warn("no -subject given; no -csr or -oldcert or -cert available for fallback"); if (opt_cmd == CMP_IR || opt_cmd == CMP_CR || opt_cmd == CMP_KUR) { - if (opt_newkey == NULL && opt_key == NULL && opt_csr == NULL) { - CMP_err("missing -newkey (or -key) to be certified and no -csr given"); + if (opt_newkey == NULL + && opt_key == NULL && opt_csr == NULL && opt_oldcert == NULL) { + CMP_err("missing -newkey (or -key) to be certified and no -csr, -oldcert, or -cert given for fallback public key"); return 0; } + if (opt_newkey == NULL + && opt_popo != OSSL_CRMF_POPO_NONE + && opt_popo != OSSL_CRMF_POPO_RAVERIFIED) { + if (opt_csr != NULL) { + CMP_err1("no -newkey option given with private key for POPO, -csr option only provides public key%s", + opt_key == NULL ? "" : + ", and -key option superseded by by -csr"); + return 0; + } + if (opt_key == NULL) { + CMP_err("missing -newkey (or -key) option for POPO"); + return 0; + } + } if (opt_certout == NULL) { CMP_err("-certout not given, nowhere to save newly enrolled certificate"); return 0; diff --git a/crypto/cmp/cmp_err.c b/crypto/cmp/cmp_err.c index fe7b96348b..dfc6dfbede 100644 --- a/crypto/cmp/cmp_err.c +++ b/crypto/cmp/cmp_err.c @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -95,7 +95,10 @@ static const ERR_STRING_DATA CMP_str_reasons[] = { {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_MISSING_PBM_SECRET), "missing pbm secret"}, {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_MISSING_PRIVATE_KEY), "missing private key"}, + {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_MISSING_PRIVATE_KEY_FOR_POPO), + "missing private key for popo"}, {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_MISSING_PROTECTION), "missing protection"}, + {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_MISSING_PUBLIC_KEY), "missing public key"}, {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_MISSING_REFERENCE_CERT), "missing reference cert"}, {ERR_PACK(ERR_LIB_CMP, 0, CMP_R_MISSING_SECRET), "missing secret"}, diff --git a/crypto/cmp/cmp_msg.c b/crypto/cmp/cmp_msg.c index 1920f19048..fa4815c2e1 100644 --- a/crypto/cmp/cmp_msg.c +++ b/crypto/cmp/cmp_msg.c @@ -293,7 +293,7 @@ OSSL_CRMF_MSG *OSSL_CMP_CTX_setup_CRM(OSSL_CMP_CTX *ctx, int for_KUR, int rid) rkey = ctx->pkey; /* default is independent of ctx->oldCert */ if (rkey == NULL) { #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION - ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); + ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_PUBLIC_KEY); return NULL; #endif } @@ -417,8 +417,8 @@ OSSL_CMP_MSG *ossl_cmp_certreq_new(OSSL_CMP_CTX *ctx, int type, */ if (privkey == NULL && OSSL_CMP_CTX_get0_newPkey(ctx, 0) == NULL) privkey = ctx->pkey; /* default is independent of ctx->oldCert */ - if (ctx->popoMethod == OSSL_CRMF_POPO_SIGNATURE && privkey == NULL) { - ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_PRIVATE_KEY); + if (ctx->popoMethod >= OSSL_CRMF_POPO_SIGNATURE && privkey == NULL) { + ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_PRIVATE_KEY_FOR_POPO); goto err; } if (crm == NULL) { diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index 330aba84c7..8545eaab96 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -240,7 +240,9 @@ CMP_R_MISSING_KEY_USAGE_DIGITALSIGNATURE:142:missing key usage digitalsignature CMP_R_MISSING_P10CSR:121:missing p10csr CMP_R_MISSING_PBM_SECRET:166:missing pbm secret CMP_R_MISSING_PRIVATE_KEY:131:missing private key +CMP_R_MISSING_PRIVATE_KEY_FOR_POPO:190:missing private key for popo CMP_R_MISSING_PROTECTION:143:missing protection +CMP_R_MISSING_PUBLIC_KEY:183:missing public key CMP_R_MISSING_REFERENCE_CERT:168:missing reference cert CMP_R_MISSING_SECRET:178:missing secret CMP_R_MISSING_SENDER_IDENTIFICATION:111:missing sender identification diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in index 5021b8a1ec..76c4313bd5 100644 --- a/doc/man1/openssl-cmp.pod.in +++ b/doc/man1/openssl-cmp.pod.in @@ -250,12 +250,16 @@ e.g., C<1.2.3.4:int:56789>. =item B<-newkey> I<filename>|I<uri> -The source of the private or public key for the certificate requested -in Initialization Request (IR), Certification Request(CR), or -Key Update Request (KUR). +The source of the private or public key for the certificate being requested. Defaults to the public key in the PKCS#10 CSR given with the B<-csr> option, the public key of the reference certificate, or the current client key. +The public portion of the key is placed in the certification request. + +Unless B<-cmd> I<p10cr>, B<-popo> I<-1>, or B<-popo> I<0> is given, the +private key will be needed as well to provide the proof of possession (POPO), +where the B<-key> option may provide a fallback. + =item B<-newkeypass> I<arg> Pass phrase source for the key given with the B<-newkey> option. @@ -347,7 +351,7 @@ Flag the policies given with B<-policy_oids> as critical. =item B<-popo> I<number> -Proof-of-Possession (POPO) method to use for IR/CR/KUR; values: C<-1>..<2> where +Proof-of-possession (POPO) method to use for IR/CR/KUR; values: C<-1>..<2> where C<-1> = NONE, C<0> = RAVERIFIED, C<1> = SIGNATURE (default), C<2> = KEYENC. Note that a signature-based POPO can only be produced if a private key @@ -357,10 +361,16 @@ is provided via the B<-newkey> or B<-key> options. PKCS#10 CSR in PEM or DER format containing a certificate request. With B<-cmd> I<p10cr> it is used directly in a legacy P10CR message. + When used with B<-cmd> I<ir>, I<cr>, or I<kur>, -it is transformed into the respective regular CMP request, -while its public key is ignored if I<-newkey> is given. -It may also be used with B<-cmd> I<rr> to specify the certificate to be revoked +it is transformed into the respective regular CMP request. +In this case, a private key must be provided (with B<-newkey> or B<-key>) +for the proof of possession (unless B<-popo> I<-1> or B<-popo> I<0> is used) +and the respective public key is placed in the certification request +(rather than taking over the public key contained in the PKCS#10 CSR). + +PKCS#10 CSR input may also be used with B<-cmd> I<rr> +to specify the certificate to be revoked via the included subject name and public key. Its subject is used as fallback sender in CMP message headers if B<-cert> and B<-oldcert> are not given. @@ -414,6 +424,7 @@ For RR the certificate to be revoked can also be specified using B<-csr>. The reference certificate, if any, is also used for deriving default subject DN and Subject Alternative Names and the default issuer entry in the requested certificate template of an IR/CR/KUR. +Its public key is used as a fallback in the template of certification requests. Its subject is used as sender of outgoing messages if B<-cert> is not given. Its issuer is used as default recipient in CMP message headers if neither B<-recipient>, B<-srvcert>, nor B<-issuer> is given. @@ -673,17 +684,25 @@ L<openssl-passphrase-options(1)>. The client's current CMP signer certificate. Requires the corresponding key to be given with B<-key>. + +The subject and the public key contained in this certificate +serve as fallback values in the certificate template of IR/CR/KUR messages. + The subject of this certificate will be used as sender of outgoing CMP messages, while the subject of B<-oldcert> or B<-subjectName> may provide fallback values. + The issuer of this certificate is used as one of the recipient fallback values -and as fallback issuer entry in the certificate template of IR/CR/KUR. +and as fallback issuer entry in the certificate template of IR/CR/KUR messages. + When using signature-based message protection, this "protection certificate" will be included first in the extraCerts field of outgoing messages and the signature is done with the corresponding key. In Initialization Request (IR) messages this can be used for authenticating using an external entity certificate as defined in appendix E.7 of RFC 4210. + For Key Update Request (KUR) messages this is also used as the certificate to be updated if the B<-oldcert> option is not given. + If the file includes further certs, they are appended to the untrusted certs because they typically constitute the chain of the client certificate, which is included in the extraCerts field in signature-protected request messages. @@ -709,6 +728,8 @@ the B<-cert> option. This will be used for signature-based message protection unless the B<-secret> option indicating PBM or B<-unprotected_requests> is given. +It is also used as a fallback for the B<-newkey> option with IR/CR/KUR messages. + =item B<-keypass> I<arg> Pass phrase source for the private key given with the B<-key> option. @@ -723,7 +744,7 @@ L<openssl-passphrase-options(1)>. Specifies name of supported digest to use in RFC 4210's MSG_SIG_ALG and as the one-way function (OWF) in MSG_MAC_ALG. If applicable, this is used for message protection and -Proof-of-Possession (POPO) signatures. +proof-of-possession (POPO) signatures. To see the list of supported digests, use C<openssl list -digest-commands>. Defaults to C<sha256>. @@ -1074,7 +1095,7 @@ So far this has no effect because the server does not accept any error messages. =item B<-accept_raverified> -Accept RAVERIFED as proof-of-possession (POPO). +Accept RAVERIFED as proof of possession (POPO). =back diff --git a/doc/man3/OSSL_CMP_MSG_get0_header.pod b/doc/man3/OSSL_CMP_MSG_get0_header.pod index ff94fca973..653f568d0c 100644 --- a/doc/man3/OSSL_CMP_MSG_get0_header.pod +++ b/doc/man3/OSSL_CMP_MSG_get0_header.pod @@ -72,7 +72,8 @@ The public key included is the first available value of these: =item the public key of any PKCS#10 CSR given in I<ctx>, -=item the public key of any reference certificate given in I<ctx>, +=item the public key of any reference certificate given in I<ctx> +(see L<OSSL_CMP_CTX_set1_oldCert(3)>), =item the public key derived from any client's private key set via L<OSSL_CMP_CTX_set1_pkey(3)>. diff --git a/include/crypto/cmperr.h b/include/crypto/cmperr.h index 9cbd380618..2bd1637384 100644 --- a/include/crypto/cmperr.h +++ b/include/crypto/cmperr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy diff --git a/include/openssl/cmperr.h b/include/openssl/cmperr.h index 06e9dbff36..49fd5e392a 100644 --- a/include/openssl/cmperr.h +++ b/include/openssl/cmperr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -67,7 +67,9 @@ # define CMP_R_MISSING_P10CSR 121 # define CMP_R_MISSING_PBM_SECRET 166 # define CMP_R_MISSING_PRIVATE_KEY 131 +# define CMP_R_MISSING_PRIVATE_KEY_FOR_POPO 190 # define CMP_R_MISSING_PROTECTION 143 +# define CMP_R_MISSING_PUBLIC_KEY 183 # define CMP_R_MISSING_REFERENCE_CERT 168 # define CMP_R_MISSING_SECRET 178 # define CMP_R_MISSING_SENDER_IDENTIFICATION 111 diff --git a/test/recipes/80-test_cmp_http_data/Mock/new_pub.key b/test/recipes/80-test_cmp_http_data/Mock/new_pub.key new file mode 100644 index 0000000000..b0e08583ef --- /dev/null +++ b/test/recipes/80-test_cmp_http_data/Mock/new_pub.key @@ -0,0 +1,9 @@ +-----BEGIN PUBLIC KEY----- +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv0Qo9WC/BKA70LtQJdwV +GSXqr9dut3cQmiFzTb/SaWldjOT1sRNDFxSzdTJjU/8cIDEZvaTIwRxP/dtVQLjc ++4jzrUwz93NuZYlsEWUEUg4Lrnfs0Nz50yHk4rJhVxWjb8Ii/wRBViWHFExP7CwT +kXiTclC1bCqTuWkjxF3thTfTsttRyY7qNkz2JpNx0guD8v4otQoYjA5AEZvK4IXL +wOwxol5xBTMvIrvvff2kkh+c7OC2QVbUTow/oppjqIKCx2maNHCtLFTJELf3fwtR +JLJsy4fKGP0/6kpZc8Sp88WK4B4FauF9IV1CmoAJUC1vJxhagHIKfVtFjUWs8GPo +bQIDAQAB +-----END PUBLIC KEY----- diff --git a/test/recipes/80-test_cmp_http_data/test_enrollment.csv b/test/recipes/80-test_cmp_http_data/test_enrollment.csv index 79988a78f8..bcd11002f6 100644 --- a/test/recipes/80-test_cmp_http_data/test_enrollment.csv +++ b/test/recipes/80-test_cmp_http_data/test_enrollment.csv @@ -86,10 +86,13 @@ expected,description, -section,val, -cmd,val, -newkey,val,val, -newkeypass,val, 0,oldcert empty file, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_oldcert4.pem,, -out_trusted,root.crt,, -oldcert,empty.txt,BLANK,,, 0,oldcert random contents, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_oldcert5.pem,, -out_trusted,root.crt,, -oldcert,random.bin,BLANK,,, ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, -1,csr used in ir, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_csr.pem,, -out_trusted,root.crt,,BLANK,, -csr,csr.pem,, +1,pkcs10 converted to ir with privkey, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_csr1.pem,, -out_trusted,root.crt,,BLANK,, -csr,csr.pem,, +0,pkcs10 converted to ir with pubkey with popo SIGNATURE, -section,, -cmd,ir, -newkey,new_pub.key,, BLANK,,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_csr2.pem,, -out_trusted,root.crt,,BLANK,, -csr,csr.pem,, +0,pkcs10 converted to ir with pubkey with popo RAVERIFIED, -section,, -cmd,ir, -newkey,new_pub.key,, BLANK,,,,BLANK,,BLANK,,BLANK,,BLANK,, -popo,0,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_csr3.pem,, -out_trusted,root.crt,,BLANK,, -csr,csr.pem,, +0,pkcs10 converted to ir without -newkey, -section,, -cmd,ir, -newkey,"""",, BLANK,,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_csr4.pem,, -out_trusted,root.crt,,BLANK,, -csr,csr.pem,, 1,p10cr csr present, -section,, -cmd,p10cr,BLANK,,, BLANK,,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_p10cr.pem,, -out_trusted,root.crt,,BLANK,, -csr,csr.pem,, 0,p10cr csr missing, -section,, -cmd,p10cr, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_p10cr1.pem,, -out_trusted,root.crt,,BLANK,,BLANK,,, -0,p10cr csr missing arg, -section,, -cmd,p10cr, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_p10cr1.pem,, -out_trusted,root.crt,,BLANK,, -csr,,, +0,p10cr csr missing arg, -section,, -cmd,p10cr, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_p10cr2.pem,, -out_trusted,root.crt,,BLANK,, -csr,,, 0,p10cr csr non-existing file, -section,, -cmd,p10cr, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_p10cr3.pem,, -out_trusted,root.crt,,BLANK,, -csr,idontexist,, 0,p10cr csr empty file, -section,, -cmd,p10cr, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_p10cr4.pem,, -out_trusted,root.crt,,BLANK,, -csr,empty.txt,, TODO,p10cr wrong csr, -section,, -cmd,p10cr, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_p10cr5.pem,, -out_trusted,root.crt,,BLANK,, -csr,wrong_csr.pem,, |