author | Rajeev Ranjan <ranjan.rajeev@siemens.com> | 2024-05-29 18:19:29 +0200 |
committer | Tomas Mraz <tomas@openssl.org> | 2025-01-27 08:56:46 +0100 |
commit | 0048817523b6b9d0bf514c90ad9c6a99167d0293 (patch) | |
tree | aaadd4640a6eaade6a76c796030fbea979150095 /apps/lib | |
parent | Fixes some memory leaks when errors occur in ossl_cmp_rp_new(). (diff) | |
CMP: add support for central key generation
- add testcase for central keygen
- add documentation
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25132)
Diffstat (limited to 'apps/lib')
-rw-r--r-- | apps/lib/cmp_mock_srv.c | 36 |
1 files changed, 35 insertions, 1 deletions
diff --git a/apps/lib/cmp_mock_srv.c b/apps/lib/cmp_mock_srv.c
index 5bc166036e..b35ad0fe91 100644
--- a/apps/lib/cmp_mock_srv.c
+++ b/apps/lib/cmp_mock_srv.c
@@ -19,6 +19,7 @@ typedef struct {
     X509 *refCert; /* cert to expect for oldCertID in kur/rr msg */
     X509 *certOut; /* certificate to be returned in cp/ip/kup msg */
+    EVP_PKEY *keyOut; /* Private key to be returned for central keygen */
     X509_CRL *crlOut; /* CRL to be returned in genp for crls */
     STACK_OF(X509) *chainOut; /* chain of certOut to add to extraCerts field */
     STACK_OF(X509) *caPubsOut; /* used in caPubs of ip and in caCerts of genp */
@@ -87,6 +88,21 @@ static mock_srv_ctx *mock_srv_ctx_new(void)
 DEFINE_OSSL_SET1_CERT(refCert)
 DEFINE_OSSL_SET1_CERT(certOut)
+int ossl_cmp_mock_srv_set1_keyOut(OSSL_CMP_SRV_CTX *srv_ctx, EVP_PKEY *pkey)
+{
+    mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
+
+    if (ctx == NULL) {
+        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
+        return 0;
+    }
+    if (pkey != NULL && !EVP_PKEY_up_ref(pkey))
+        return 0;
+    EVP_PKEY_free(ctx->keyOut);
+    ctx->keyOut = pkey;
+    return 1;
+}
+
 int ossl_cmp_mock_srv_set1_crlOut(OSSL_CMP_SRV_CTX *srv_ctx, X509_CRL *crl)
 {
@@ -273,8 +289,9 @@ static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
                                             STACK_OF(X509) **caPubs)
 {
     mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
-    int bodytype;
+    int bodytype, central_keygen;
     OSSL_CMP_PKISI *si = NULL;
+    EVP_PKEY *keyOut = NULL;
     if (ctx == NULL || cert_req == NULL || certOut == NULL
             || chainOut == NULL || caPubs == NULL) {
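Review bot: The key stored by ossl_cmp_mock_srv_set1_keyOut is never released: none of the hunks in this file touch the context's free routine (mock_srv_ctx_free, outside the hunks), and the diffstat's 35 insertions are fully accounted for by the hunks shown, so the reference taken by `EVP_PKEY_up_ref(pkey)` leaks whenever a key was set and the mock server context is torn down. Add `EVP_PKEY_free(ctx->keyOut);` alongside the frees of the other *Out members in that routine. The setter itself is consistent with the set1 convention (up_ref on success, old value freed, new value stored), so only the release side is missing. The new setter is non-static; the header that declares the sibling ossl_cmp_mock_srv_set1_* functions is outside this 'apps/lib' diffstat, so whether a prototype was added there cannot be seen here.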
@@ -358,6 +375,23 @@ static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
             && (*certOut = X509_dup(ctx->certOut)) == NULL)
         /* Should return a cert produced from request template, see FR #16054 */
         goto err;
+
+    central_keygen = OSSL_CRMF_MSG_centralkeygen_requested(crm, p10cr);
+    if (central_keygen < 0)
+        goto err;
+    if (central_keygen == 1
+            && (ctx->keyOut == NULL
+                || (keyOut = EVP_PKEY_dup(ctx->keyOut)) == NULL
+                || !OSSL_CMP_CTX_set0_newPkey(OSSL_CMP_SRV_CTX_get0_cmp_ctx(srv_ctx),
+                                              1 /* priv */, keyOut))) {
+        EVP_PKEY_free(keyOut);
+        goto err;
+    }
+    /*
+     * Note that this uses newPkey to return the private key
+     * and does not check whether the 'popo' field is absent.
+     */
+
     if (ctx->chainOut != NULL
             && (*chainOut = X509_chain_up_ref(ctx->chainOut)) == NULL)
         goto err;
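Review bot: The explanatory comment about newPkey and the unchecked 'popo' field is placed after the block it qualifies, so a reader reaches the OSSL_CMP_CTX_set0_newPkey call before learning that the request's proof-of-possession field is not validated against the central-keygen flag; move the comment above `if (central_keygen == 1`. The cleanup `EVP_PKEY_free(keyOut);` in the failure branch is correct only because set0_newPkey does not take ownership when it fails, which is not obvious from the condition; a one-line comment such as `/* keyOut is owned by the CMP ctx only once set0_newPkey has succeeded */` would make that explicit. It is also worth stating in the comment that every central-keygen request receives a copy of the single configured key (`keyOut = EVP_PKEY_dup(ctx->keyOut)`), which is fine for a mock server but should not be read as the model for a real CA. process_cert_request begins and ends outside this hunk.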