From 74107c4428edbe8d6797ac6a700e0ea2c9e14952 Mon Sep 17 00:00:00 2001 From: "Dr. David von Oheimb" Date: Fri, 6 Aug 2021 11:45:13 +0200 Subject: CMP: implement optional hashAlg field of certConf CMPv3 message Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale Reviewed-by: Hugo Landau (Merged from https://github.com/openssl/openssl/pull/18294) --- crypto/cmp/cmp_asn.c | 3 ++- crypto/cmp/cmp_local.h | 4 +++- crypto/cmp/cmp_msg.c | 15 +++++++++++++-- 3 files changed, 18 insertions(+), 4 deletions(-) (limited to 'crypto') diff --git a/crypto/cmp/cmp_asn.c b/crypto/cmp/cmp_asn.c index 0ca107554c..c6f37ef4df 100644 --- a/crypto/cmp/cmp_asn.c +++ b/crypto/cmp/cmp_asn.c @@ -321,7 +321,8 @@ IMPLEMENT_ASN1_DUP_FUNCTION(OSSL_CMP_PKISI) ASN1_SEQUENCE(OSSL_CMP_CERTSTATUS) = { ASN1_SIMPLE(OSSL_CMP_CERTSTATUS, certHash, ASN1_OCTET_STRING), ASN1_SIMPLE(OSSL_CMP_CERTSTATUS, certReqId, ASN1_INTEGER), - ASN1_OPT(OSSL_CMP_CERTSTATUS, statusInfo, OSSL_CMP_PKISI) + ASN1_OPT(OSSL_CMP_CERTSTATUS, statusInfo, OSSL_CMP_PKISI), + ASN1_EXP_OPT(OSSL_CMP_CERTSTATUS, hashAlg, X509_ALGOR, 0) } ASN1_SEQUENCE_END(OSSL_CMP_CERTSTATUS) IMPLEMENT_ASN1_FUNCTIONS(OSSL_CMP_CERTSTATUS) diff --git a/crypto/cmp/cmp_local.h b/crypto/cmp/cmp_local.h index 07a8c8eab2..255eb58ba6 100644 --- a/crypto/cmp/cmp_local.h +++ b/crypto/cmp/cmp_local.h @@ -369,13 +369,15 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_ERRORMSGCONTENT) * -- as is used to create and verify the certificate signature * certReqId INTEGER, * -- to match this confirmation with the corresponding req/rep - * statusInfo PKIStatusInfo OPTIONAL + * statusInfo PKIStatusInfo OPTIONAL, + * hashAlg [0] AlgorithmIdentifier OPTIONAL * } */ struct ossl_cmp_certstatus_st { ASN1_OCTET_STRING *certHash; ASN1_INTEGER *certReqId; OSSL_CMP_PKISI *statusInfo; + X509_ALGOR *hashAlg; /* 0 */ } /* OSSL_CMP_CERTSTATUS */; DECLARE_ASN1_FUNCTIONS(OSSL_CMP_CERTSTATUS) typedef STACK_OF(OSSL_CMP_CERTSTATUS) OSSL_CMP_CERTCONFIRMCONTENT; diff --git a/crypto/cmp/cmp_msg.c b/crypto/cmp/cmp_msg.c index 6b108ac39b..bd141b5a7b 100644 --- a/crypto/cmp/cmp_msg.c +++ b/crypto/cmp/cmp_msg.c @@ -801,6 +801,8 @@ OSSL_CMP_MSG *ossl_cmp_certConf_new(OSSL_CMP_CTX *ctx, int fail_info, { OSSL_CMP_MSG *msg = NULL; OSSL_CMP_CERTSTATUS *certStatus = NULL; + EVP_MD *md; + int is_fallback; ASN1_OCTET_STRING *certHash = NULL; OSSL_CMP_PKISI *sinfo; @@ -823,13 +825,22 @@ OSSL_CMP_MSG *ossl_cmp_certConf_new(OSSL_CMP_CTX *ctx, int fail_info, /* set the ID of the certReq */ if (!ASN1_INTEGER_set(certStatus->certReqId, OSSL_CMP_CERTREQID)) goto err; + certStatus->hashAlg = NULL; /* * The hash of the certificate, using the same hash algorithm * as is used to create and verify the certificate signature. - * If not available, a default hash algorithm is used. + * If not available, a fallback hash algorithm is used. */ - if ((certHash = X509_digest_sig(ctx->newCert, NULL, NULL)) == NULL) + if ((certHash = X509_digest_sig(ctx->newCert, &md, &is_fallback)) == NULL) goto err; + if (is_fallback) { + if (!ossl_cmp_hdr_set_pvno(msg->header, OSSL_CMP_PVNO_3)) + goto err; + if ((certStatus->hashAlg = X509_ALGOR_new()) == NULL) + goto err; + X509_ALGOR_set_md(certStatus->hashAlg, md); + } + EVP_MD_free(md); if (!ossl_cmp_certstatus_set0_certHash(certStatus, certHash)) goto err; -- cgit v1.2.1