root
/
openssl
mirror of https://github.com/openssl/openssl.git
1
0
Fork 0
Code Issues Actions 7 Packages Projects Releases Wiki Activity

ESS: Export three core functions, clean up TS and CMS CAdES-BES usage 

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14601)
This commit is contained in:
Dr. David von Oheimb 2021-03-15 20:24:40 +01:00
parent 624359374b
commit 1751768cd1
15 changed files with 168 additions and 66 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
crypto/cms/cms_ess.c
View File

@ -53,7 +53,7 @@ int ossl_cms_check_signing_certs(const CMS_SignerInfo *si,
ESS_SIGNING_CERT_V2 *ssv2 = NULL; ESS_SIGNING_CERT_V2 *ssv2 = NULL;
int ret = ossl_cms_signerinfo_get_signing_cert(si, &ss) >= 0 int ret = ossl_cms_signerinfo_get_signing_cert(si, &ss) >= 0
&& ossl_cms_signerinfo_get_signing_cert_v2(si, &ssv2) >= 0 && ossl_cms_signerinfo_get_signing_cert_v2(si, &ssv2) >= 0
&& ossl_ess_check_signing_certs(ss, ssv2, chain, 1); && OSSL_ESS_check_signing_certs(ss, ssv2, chain, 1) > 0;
ESS_SIGNING_CERT_free(ss); ESS_SIGNING_CERT_free(ss);
ESS_SIGNING_CERT_V2_free(ssv2); ESS_SIGNING_CERT_V2_free(ssv2);

4
crypto/cms/cms_sd.c
View File

@ -377,13 +377,13 @@ CMS_SignerInfo *CMS_add1_signer(CMS_ContentInfo *cms,
int add_sc; int add_sc;
if (md == NULL || EVP_MD_is_a(md, SN_sha1)) { if (md == NULL || EVP_MD_is_a(md, SN_sha1)) {
if ((sc = ossl_ess_signing_cert_new_init(signer, if ((sc = OSSL_ESS_signing_cert_new_init(signer,
NULL, 1)) == NULL) NULL, 1)) == NULL)
goto err; goto err;
add_sc = ossl_cms_add1_signing_cert(si, sc); add_sc = ossl_cms_add1_signing_cert(si, sc);
ESS_SIGNING_CERT_free(sc); ESS_SIGNING_CERT_free(sc);
} else { } else {
if ((sc2 = ossl_ess_signing_cert_v2_new_init(md, signer, if ((sc2 = OSSL_ESS_signing_cert_v2_new_init(md, signer,
NULL, 1)) == NULL) NULL, 1)) == NULL)
goto err; goto err;
add_sc = ossl_cms_add1_signing_cert_v2(si, sc2); add_sc = ossl_cms_add1_signing_cert_v2(si, sc2);

9
crypto/ess/ess_asn1.c
View File

@ -58,12 +58,13 @@ ASN1_SEQUENCE(ESS_SIGNING_CERT_V2) = {
IMPLEMENT_ASN1_FUNCTIONS(ESS_SIGNING_CERT_V2) IMPLEMENT_ASN1_FUNCTIONS(ESS_SIGNING_CERT_V2)
IMPLEMENT_ASN1_DUP_FUNCTION(ESS_SIGNING_CERT_V2) IMPLEMENT_ASN1_DUP_FUNCTION(ESS_SIGNING_CERT_V2)
/* TODO the following two functions should be moved to ../cms/ */
/* No cms support means no CMS_SignerInfo* definitions */ /* No cms support means no CMS_SignerInfo* definitions */
#ifndef OPENSSL_NO_CMS #ifndef OPENSSL_NO_CMS
/* /*
* Returns < 0 if attribute is not found, 1 if found, or * Returns 0 if attribute is not found, 1 if found,
* -1 on attribute parsing failure. * or -1 on attribute parsing failure.
*/ */
int ossl_cms_signerinfo_get_signing_cert_v2(const CMS_SignerInfo *si, int ossl_cms_signerinfo_get_signing_cert_v2(const CMS_SignerInfo *si,
ESS_SIGNING_CERT_V2 **psc) ESS_SIGNING_CERT_V2 **psc)
@ -89,8 +90,8 @@ int ossl_cms_signerinfo_get_signing_cert_v2(const CMS_SignerInfo *si,
} }
/* /*
* Returns < 0 if attribute is not found, 1 if found, or * Returns 0 if attribute is not found, 1 if found,
* -1 on attribute parsing failure. * or -1 on attribute parsing failure.
*/ */
int ossl_cms_signerinfo_get_signing_cert(const CMS_SignerInfo *si, int ossl_cms_signerinfo_get_signing_cert(const CMS_SignerInfo *si,
ESS_SIGNING_CERT **psc) ESS_SIGNING_CERT **psc)

76
crypto/ess/ess_lib.c
View File

@ -15,13 +15,15 @@
#include "crypto/ess.h" #include "crypto/ess.h"
#include "crypto/x509.h" #include "crypto/x509.h"
static ESS_CERT_ID *ESS_CERT_ID_new_init(X509 *cert, int issuer_needed); static ESS_CERT_ID *ESS_CERT_ID_new_init(const X509 *cert,
int set_issuer_serial);
static ESS_CERT_ID_V2 *ESS_CERT_ID_V2_new_init(const EVP_MD *hash_alg, static ESS_CERT_ID_V2 *ESS_CERT_ID_V2_new_init(const EVP_MD *hash_alg,
X509 *cert, int issuer_needed); const X509 *cert,
int set_issuer_serial);
ESS_SIGNING_CERT *ossl_ess_signing_cert_new_init(X509 *signcert, ESS_SIGNING_CERT *OSSL_ESS_signing_cert_new_init(const X509 *signcert,
STACK_OF(X509) *certs, const STACK_OF(X509) *certs,
int issuer_needed) int set_issuer_serial)
{ {
ESS_CERT_ID *cid = NULL; ESS_CERT_ID *cid = NULL;
ESS_SIGNING_CERT *sc; ESS_SIGNING_CERT *sc;
@ -33,11 +35,12 @@ ESS_SIGNING_CERT *ossl_ess_signing_cert_new_init(X509 *signcert,
&& (sc->cert_ids = sk_ESS_CERT_ID_new_null()) == NULL) && (sc->cert_ids = sk_ESS_CERT_ID_new_null()) == NULL)
goto err; goto err;
if ((cid = ESS_CERT_ID_new_init(signcert, issuer_needed)) == NULL if ((cid = ESS_CERT_ID_new_init(signcert, set_issuer_serial)) == NULL
|| !sk_ESS_CERT_ID_push(sc->cert_ids, cid)) || !sk_ESS_CERT_ID_push(sc->cert_ids, cid))
goto err; goto err;
for (i = 0; i < sk_X509_num(certs); ++i) { for (i = 0; i < sk_X509_num(certs); ++i) {
X509 *cert = sk_X509_value(certs, i); X509 *cert = sk_X509_value(certs, i);
if ((cid = ESS_CERT_ID_new_init(cert, 1)) == NULL if ((cid = ESS_CERT_ID_new_init(cert, 1)) == NULL
|| !sk_ESS_CERT_ID_push(sc->cert_ids, cid)) || !sk_ESS_CERT_ID_push(sc->cert_ids, cid))
goto err; goto err;
@ -51,26 +54,22 @@ ESS_SIGNING_CERT *ossl_ess_signing_cert_new_init(X509 *signcert,
return NULL; return NULL;
} }
static ESS_CERT_ID *ESS_CERT_ID_new_init(X509 *cert, int issuer_needed) static ESS_CERT_ID *ESS_CERT_ID_new_init(const X509 *cert,
int set_issuer_serial)
{ {
ESS_CERT_ID *cid = NULL; ESS_CERT_ID *cid = NULL;
GENERAL_NAME *name = NULL; GENERAL_NAME *name = NULL;
unsigned char cert_sha1[SHA_DIGEST_LENGTH]; unsigned char cert_sha1[SHA_DIGEST_LENGTH];
/* Call for side-effect of computing hash and caching extensions */
if (!ossl_x509v3_cache_extensions(cert))
return NULL;
if ((cid = ESS_CERT_ID_new()) == NULL) if ((cid = ESS_CERT_ID_new()) == NULL)
goto err; goto err;
/* TODO(3.0): fetch sha1 algorithm from providers */
if (!X509_digest(cert, EVP_sha1(), cert_sha1, NULL)) if (!X509_digest(cert, EVP_sha1(), cert_sha1, NULL))
goto err; goto err;
if (!ASN1_OCTET_STRING_set(cid->hash, cert_sha1, SHA_DIGEST_LENGTH)) if (!ASN1_OCTET_STRING_set(cid->hash, cert_sha1, SHA_DIGEST_LENGTH))
goto err; goto err;
/* Setting the issuer/serial if requested. */ /* Setting the issuer/serial if requested. */
if (!issuer_needed) if (!set_issuer_serial)
return cid; return cid;
if (cid->issuer_serial == NULL if (cid->issuer_serial == NULL
@ -97,10 +96,11 @@ static ESS_CERT_ID *ESS_CERT_ID_new_init(X509 *cert, int issuer_needed)
return NULL; return NULL;
} }
ESS_SIGNING_CERT_V2 *ossl_ess_signing_cert_v2_new_init(const EVP_MD *hash_alg, ESS_SIGNING_CERT_V2 *OSSL_ESS_signing_cert_v2_new_init(const EVP_MD *hash_alg,
X509 *signcert, const X509 *signcert,
const
STACK_OF(X509) *certs, STACK_OF(X509) *certs,
int issuer_needed) int set_issuer_serial)
{ {
ESS_CERT_ID_V2 *cid = NULL; ESS_CERT_ID_V2 *cid = NULL;
ESS_SIGNING_CERT_V2 *sc; ESS_SIGNING_CERT_V2 *sc;
@ -108,7 +108,8 @@ ESS_SIGNING_CERT_V2 *ossl_ess_signing_cert_v2_new_init(const EVP_MD *hash_alg,
if ((sc = ESS_SIGNING_CERT_V2_new()) == NULL) if ((sc = ESS_SIGNING_CERT_V2_new()) == NULL)
goto err; goto err;
if ((cid = ESS_CERT_ID_V2_new_init(hash_alg, signcert, issuer_needed)) == NULL) cid = ESS_CERT_ID_V2_new_init(hash_alg, signcert, set_issuer_serial);
if (cid == NULL)
goto err; goto err;
if (!sk_ESS_CERT_ID_V2_push(sc->cert_ids, cid)) if (!sk_ESS_CERT_ID_V2_push(sc->cert_ids, cid))
goto err; goto err;
@ -133,7 +134,8 @@ ESS_SIGNING_CERT_V2 *ossl_ess_signing_cert_v2_new_init(const EVP_MD *hash_alg,
} }
static ESS_CERT_ID_V2 *ESS_CERT_ID_V2_new_init(const EVP_MD *hash_alg, static ESS_CERT_ID_V2 *ESS_CERT_ID_V2_new_init(const EVP_MD *hash_alg,
X509 *cert, int issuer_needed) const X509 *cert,
int set_issuer_serial)
{ {
ESS_CERT_ID_V2 *cid; ESS_CERT_ID_V2 *cid;
GENERAL_NAME *name = NULL; GENERAL_NAME *name = NULL;
@ -159,14 +161,13 @@ static ESS_CERT_ID_V2 *ESS_CERT_ID_V2_new_init(const EVP_MD *hash_alg,
cid->hash_alg = NULL; cid->hash_alg = NULL;
} }
/* TODO(3.0): fetch sha1 algorithm from providers */
if (!X509_digest(cert, hash_alg, hash, &hash_len)) if (!X509_digest(cert, hash_alg, hash, &hash_len))
goto err; goto err;
if (!ASN1_OCTET_STRING_set(cid->hash, hash, hash_len)) if (!ASN1_OCTET_STRING_set(cid->hash, hash, hash_len))
goto err; goto err;
if (!issuer_needed) if (!set_issuer_serial)
return cid; return cid;
if ((cid->issuer_serial = ESS_ISSUER_SERIAL_new()) == NULL) if ((cid->issuer_serial = ESS_ISSUER_SERIAL_new()) == NULL)
@ -193,6 +194,7 @@ static ESS_CERT_ID_V2 *ESS_CERT_ID_V2_new_init(const EVP_MD *hash_alg,
return NULL; return NULL;
} }
/* TODO the following four functions should be moved to ../ts/ */
ESS_SIGNING_CERT *ossl_ess_get_signing_cert(const PKCS7_SIGNER_INFO *si) ESS_SIGNING_CERT *ossl_ess_get_signing_cert(const PKCS7_SIGNER_INFO *si)
{ {
ASN1_TYPE *attr; ASN1_TYPE *attr;
@ -295,8 +297,8 @@ static int ess_issuer_serial_cmp(const ESS_ISSUER_SERIAL *is, const X509 *cert)
} }
/* /*
* Find cert referenced by |cid| (if not NULL, else |cidv2|) in |certs|. * Find the cert in |certs| referenced by |cid| if not NULL, else by |cid_v2|.
* If the cid{,v2} index is 0, the cert must be in the first in |certs| list. * The cert must be the first one in |certs| if and only if |index| is 0.
* Return 0 on not found, -1 on error, else 1 + the position in |certs|. * Return 0 on not found, -1 on error, else 1 + the position in |certs|.
*/ */
static int find(const ESS_CERT_ID *cid, const ESS_CERT_ID_V2 *cid_v2, static int find(const ESS_CERT_ID *cid, const ESS_CERT_ID_V2 *cid_v2,
@ -336,7 +338,6 @@ static int find(const ESS_CERT_ID *cid, const ESS_CERT_ID_V2 *cid_v2,
} }
(void)ERR_pop_to_mark(); (void)ERR_pop_to_mark();
/* Look for cert with cid in the certs. */
for (i = 0; i < sk_X509_num(certs); ++i) { for (i = 0; i < sk_X509_num(certs); ++i) {
cert = sk_X509_value(certs, i); cert = sk_X509_value(certs, i);
@ -369,34 +370,33 @@ end:
return ret; return ret;
} }
/* int OSSL_ESS_check_signing_certs(const ESS_SIGNING_CERT *ss,
* If ESSCertID and/or ESSCertIDv2 exist, which must be non-empty if given,
* check if their first ID entry matches the signer cert first in chain
* and each further ID entry matches any further cert in the chain.
*/
int ossl_ess_check_signing_certs(const ESS_SIGNING_CERT *ss,
const ESS_SIGNING_CERT_V2 *ssv2, const ESS_SIGNING_CERT_V2 *ssv2,
const STACK_OF(X509) *chain, const STACK_OF(X509) *chain,
int require_signing_cert) int require_signing_cert)
{ {
int n_v1 = ss == NULL ? -1 : sk_ESS_CERT_ID_num(ss->cert_ids); int n_v1 = ss == NULL ? -1 : sk_ESS_CERT_ID_num(ss->cert_ids);
int n_v2 = ssv2 == NULL ? -1 : sk_ESS_CERT_ID_V2_num(ssv2->cert_ids); int n_v2 = ssv2 == NULL ? -1 : sk_ESS_CERT_ID_V2_num(ssv2->cert_ids);
int i; int i, ret;
if (require_signing_cert && ss == NULL && ssv2 == NULL) { if (require_signing_cert && ss == NULL && ssv2 == NULL) {
ERR_raise(ERR_LIB_CMS, ESS_R_MISSING_SIGNING_CERTIFICATE_ATTRIBUTE); ERR_raise(ERR_LIB_CMS, ESS_R_MISSING_SIGNING_CERTIFICATE_ATTRIBUTE);
return 0; return -1;
} }
if (n_v1 == 0 || n_v2 == 0) { if (n_v1 == 0 || n_v2 == 0) {
ERR_raise(ERR_LIB_ESS, ESS_R_EMPTY_ESS_CERT_ID_LIST); ERR_raise(ERR_LIB_ESS, ESS_R_EMPTY_ESS_CERT_ID_LIST);
return 0; return -1;
} }
/* If both ss and ssv2 exist, as required evaluate them independently. */ /* If both ss and ssv2 exist, as required evaluate them independently. */
for (i = 0; i < n_v1; i++) for (i = 0; i < n_v1; i++) {
if (find(sk_ESS_CERT_ID_value(ss->cert_ids, i), NULL, i, chain) <= 0) ret = find(sk_ESS_CERT_ID_value(ss->cert_ids, i), NULL, i, chain);
return 0; if (ret <= 0)
for (i = 0; i < n_v2; i++) return ret;
if (find(NULL, sk_ESS_CERT_ID_V2_value(ssv2->cert_ids, i), i, chain) <= 0) }
return 0; for (i = 0; i < n_v2; i++) {
ret = find(NULL, sk_ESS_CERT_ID_V2_value(ssv2->cert_ids, i), i, chain);
if (ret <= 0)
return ret;
}
return 1; return 1;
} }

4
crypto/ts/ts_rsp_sign.c
View File

@ -687,7 +687,7 @@ static int ts_RESP_sign(TS_RESP_CTX *ctx)
certs = ctx->flags & TS_ESS_CERT_ID_CHAIN ? ctx->certs : NULL; certs = ctx->flags & TS_ESS_CERT_ID_CHAIN ? ctx->certs : NULL;
if (ctx->ess_cert_id_digest == NULL if (ctx->ess_cert_id_digest == NULL
|| EVP_MD_is_a(ctx->ess_cert_id_digest, SN_sha1)) { || EVP_MD_is_a(ctx->ess_cert_id_digest, SN_sha1)) {
if ((sc = ossl_ess_signing_cert_new_init(ctx->signer_cert, if ((sc = OSSL_ESS_signing_cert_new_init(ctx->signer_cert,
certs, 0)) == NULL) certs, 0)) == NULL)
goto err; goto err;
@ -696,7 +696,7 @@ static int ts_RESP_sign(TS_RESP_CTX *ctx)
goto err; goto err;
} }
} else { } else {
sc2 = ossl_ess_signing_cert_v2_new_init(ctx->ess_cert_id_digest, sc2 = OSSL_ESS_signing_cert_v2_new_init(ctx->ess_cert_id_digest,
ctx->signer_cert, certs, 0); ctx->signer_cert, certs, 0);
if (sc2 == NULL) if (sc2 == NULL)
goto err; goto err;

2
crypto/ts/ts_rsp_verify.c
View File

@ -208,7 +208,7 @@ static int ts_check_signing_certs(const PKCS7_SIGNER_INFO *si,
{ {
ESS_SIGNING_CERT *ss = ossl_ess_get_signing_cert(si); ESS_SIGNING_CERT *ss = ossl_ess_get_signing_cert(si);
ESS_SIGNING_CERT_V2 *ssv2 = ossl_ess_get_signing_cert_v2(si); ESS_SIGNING_CERT_V2 *ssv2 = ossl_ess_get_signing_cert_v2(si);
int ret = ossl_ess_check_signing_certs(ss, ssv2, chain, 1); int ret = OSSL_ESS_check_signing_certs(ss, ssv2, chain, 1) > 0;
ESS_SIGNING_CERT_free(ss); ESS_SIGNING_CERT_free(ss);
ESS_SIGNING_CERT_V2_free(ssv2); ESS_SIGNING_CERT_V2_free(ssv2);

6
doc/build.info
View File

@ -1602,6 +1602,10 @@ DEPEND[html/man3/OSSL_ENCODER_to_bio.html]=man3/OSSL_ENCODER_to_bio.pod
GENERATE[html/man3/OSSL_ENCODER_to_bio.html]=man3/OSSL_ENCODER_to_bio.pod GENERATE[html/man3/OSSL_ENCODER_to_bio.html]=man3/OSSL_ENCODER_to_bio.pod
DEPEND[man/man3/OSSL_ENCODER_to_bio.3]=man3/OSSL_ENCODER_to_bio.pod DEPEND[man/man3/OSSL_ENCODER_to_bio.3]=man3/OSSL_ENCODER_to_bio.pod
GENERATE[man/man3/OSSL_ENCODER_to_bio.3]=man3/OSSL_ENCODER_to_bio.pod GENERATE[man/man3/OSSL_ENCODER_to_bio.3]=man3/OSSL_ENCODER_to_bio.pod
DEPEND[html/man3/OSSL_ESS_check_signing_certs.html]=man3/OSSL_ESS_check_signing_certs.pod
GENERATE[html/man3/OSSL_ESS_check_signing_certs.html]=man3/OSSL_ESS_check_signing_certs.pod
DEPEND[man/man3/OSSL_ESS_check_signing_certs.3]=man3/OSSL_ESS_check_signing_certs.pod
GENERATE[man/man3/OSSL_ESS_check_signing_certs.3]=man3/OSSL_ESS_check_signing_certs.pod
DEPEND[html/man3/OSSL_HTTP_REQ_CTX.html]=man3/OSSL_HTTP_REQ_CTX.pod DEPEND[html/man3/OSSL_HTTP_REQ_CTX.html]=man3/OSSL_HTTP_REQ_CTX.pod
GENERATE[html/man3/OSSL_HTTP_REQ_CTX.html]=man3/OSSL_HTTP_REQ_CTX.pod GENERATE[html/man3/OSSL_HTTP_REQ_CTX.html]=man3/OSSL_HTTP_REQ_CTX.pod
DEPEND[man/man3/OSSL_HTTP_REQ_CTX.3]=man3/OSSL_HTTP_REQ_CTX.pod DEPEND[man/man3/OSSL_HTTP_REQ_CTX.3]=man3/OSSL_HTTP_REQ_CTX.pod
@ -3050,6 +3054,7 @@ html/man3/OSSL_ENCODER.html \
html/man3/OSSL_ENCODER_CTX.html \ html/man3/OSSL_ENCODER_CTX.html \
html/man3/OSSL_ENCODER_CTX_new_for_pkey.html \ html/man3/OSSL_ENCODER_CTX_new_for_pkey.html \
html/man3/OSSL_ENCODER_to_bio.html \ html/man3/OSSL_ENCODER_to_bio.html \
html/man3/OSSL_ESS_check_signing_certs.html \
html/man3/OSSL_HTTP_REQ_CTX.html \ html/man3/OSSL_HTTP_REQ_CTX.html \
html/man3/OSSL_HTTP_parse_url.html \ html/man3/OSSL_HTTP_parse_url.html \
html/man3/OSSL_HTTP_transfer.html \ html/man3/OSSL_HTTP_transfer.html \
@ -3625,6 +3630,7 @@ man/man3/OSSL_ENCODER.3 \
man/man3/OSSL_ENCODER_CTX.3 \ man/man3/OSSL_ENCODER_CTX.3 \
man/man3/OSSL_ENCODER_CTX_new_for_pkey.3 \ man/man3/OSSL_ENCODER_CTX_new_for_pkey.3 \
man/man3/OSSL_ENCODER_to_bio.3 \ man/man3/OSSL_ENCODER_to_bio.3 \
man/man3/OSSL_ESS_check_signing_certs.3 \
man/man3/OSSL_HTTP_REQ_CTX.3 \ man/man3/OSSL_HTTP_REQ_CTX.3 \
man/man3/OSSL_HTTP_parse_url.3 \ man/man3/OSSL_HTTP_parse_url.3 \
man/man3/OSSL_HTTP_transfer.3 \ man/man3/OSSL_HTTP_transfer.3 \

1
doc/man3/CMS_verify.pod
View File

@ -122,6 +122,7 @@ be held in memory if it is not detached.
=head1 SEE ALSO =head1 SEE ALSO
L<OSSL_ESS_check_signing_certs(3)>,
L<ERR_get_error(3)>, L<CMS_sign(3)> L<ERR_get_error(3)>, L<CMS_sign(3)>
=head1 COPYRIGHT =head1 COPYRIGHT

88
doc/man3/OSSL_ESS_check_signing_certs.pod Normal file
View File

@ -0,0 +1,88 @@
=pod
=head1 NAME
OSSL_ESS_signing_cert_new_init,
OSSL_ESS_signing_cert_v2_new_init,
OSSL_ESS_check_signing_certs
- Enhanced Security Services (ESS) functions
=head1 SYNOPSIS
#include <openssl/ess.h>
ESS_SIGNING_CERT *OSSL_ESS_signing_cert_new_init(const X509 *signcert,
const STACK_OF(X509) *certs,
int set_issuer_serial);
ESS_SIGNING_CERT_V2 *OSSL_ESS_signing_cert_v2_new_init(const EVP_MD *hash_alg,
const X509 *signcert,
const
STACK_OF(X509) *certs,
int set_issuer_serial);
int OSSL_ESS_check_signing_certs(const ESS_SIGNING_CERT *ss,
const ESS_SIGNING_CERT_V2 *ssv2,
const STACK_OF(X509) *chain,
int require_signing_cert);
=head1 DESCRIPTION
OSSL_ESS_signing_cert_new_init() generates a new B<ESS_SIGNING_CERT> structure
referencing the given I<signcert> and any given further I<certs>
using their SHA-1 fingerprints.
If I<set_issuer_serial> is nonzero then also the issuer and serial number
of I<signcert> are included in the B<ESS_CERT_ID> as the B<issuerSerial> field.
For all members of I<certs> the B<issuerSerial> field is always included.
OSSL_ESS_signing_cert_v2_new_init() is the same as
OSSL_ESS_signing_cert_new_init() except that it uses the given I<hash_alg> and
generates a B<ESS_SIGNING_CERT_V2> structure with B<ESS_CERT_ID_V2> elements.
OSSL_ESS_check_signing_certs() checks if the validation chain I<chain> contains
the certificates required by the identifiers given in I<ss> and/or I<ssv2>.
If I<require_signing_cert> is nonzero, I<ss> or I<ssv2> must not be NULL.
If both I<ss> and I<ssv2> are not NULL, they are evaluated independently.
The list of certificate identifiers in I<ss> is of type B<ESS_CERT_ID>,
while the list contained in I<ssv2> is of type B<ESS_CERT_ID_V2>.
As far as these lists are present, they must be nonempty.
The certificate identified by their first entry must be the first element of
I<chain>, i.e. the signer certificate.
Any further certficates referenced in the list must also be found in I<chain>.
The matching is done using the given certificate hash algorithm and value.
In addition to the checks required by RFCs 2624 and 5035,
if the B<issuerSerial> field is included in an B<ESSCertID> or B<ESSCertIDv2>
it must match the certificate issuer and serial number attributes.
=head1 NOTES
ESS has been defined in RFC 2634, which has been updated in RFC 5035
(ESS version 2) to support hash algorithms other than SHA-1.
This is used for TSP (RFC 3161) and CAdES-BES (informational RFC 5126).
=head1 RETURN VALUES
OSSL_ESS_signing_cert_new_init() and OSSL_ESS_signing_cert_v2_new_init()
return a pointer to the new structure or NULL on malloc failure.
OSSL_ESS_check_signing_certs() returns 1 on success,
0 if a required certificate cannot be found, -1 on other error.
=head1 SEE ALSO
L<TS_VERIFY_CTX_set_certs(3)>,
L<CMS_verify(3)>
=head1 HISTORY
OSSL_ESS_signing_cert_new_init(), OSSL_ESS_signing_cert_v2_new_init(), and
OSSL_ESS_check_signing_certs() were added in OpenSSL 3.0.
=head1 COPYRIGHT
Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.
=cut

4
doc/man3/TS_VERIFY_CTX_set_certs.pod
View File

@ -39,6 +39,10 @@ which takes the same parameters and returns the same result.
TS_VERIFY_CTX_set_certs() returns the stack of B<X509> certificates the user TS_VERIFY_CTX_set_certs() returns the stack of B<X509> certificates the user
passes in via parameter B<certs>. passes in via parameter B<certs>.
=head1 SEE ALSO
L<OSSL_ESS_check_signing_certs(3)>
=head1 HISTORY =head1 HISTORY
The spelling of TS_VERIFY_CTX_set_certs() was corrected in OpenSSL 3.0.0. The spelling of TS_VERIFY_CTX_set_certs() was corrected in OpenSSL 3.0.0.

17
include/crypto/ess.h
View File

@ -11,27 +11,16 @@
# define OSSL_CRYPTO_ESS_H # define OSSL_CRYPTO_ESS_H
# pragma once # pragma once
/* internal ESS related stuff */ /* internal ESS related functions used for TS */
/* TODO move these four decls to a new include/crypto/ts.h */
ESS_SIGNING_CERT *ossl_ess_get_signing_cert(const PKCS7_SIGNER_INFO *si); ESS_SIGNING_CERT *ossl_ess_get_signing_cert(const PKCS7_SIGNER_INFO *si);
int ossl_ess_signing_cert_add(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT *sc); int ossl_ess_signing_cert_add(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT *sc);
ESS_SIGNING_CERT *ossl_ess_signing_cert_new_init(X509 *signcert,
STACK_OF(X509) *certs,
int issuer_needed);
ESS_SIGNING_CERT_V2 *ossl_ess_get_signing_cert_v2(const PKCS7_SIGNER_INFO *si); ESS_SIGNING_CERT_V2 *ossl_ess_get_signing_cert_v2(const PKCS7_SIGNER_INFO *si);
int ossl_ess_signing_cert_v2_add(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT_V2 *sc); int ossl_ess_signing_cert_v2_add(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT_V2 *sc);
ESS_SIGNING_CERT_V2 *ossl_ess_signing_cert_v2_new_init(const EVP_MD *hash_alg, /* internal ESS stuff */
X509 *signcert,
STACK_OF(X509) *certs,
int issuer_needed);
int ossl_ess_check_signing_certs(const ESS_SIGNING_CERT *ss,
const ESS_SIGNING_CERT_V2 *ssv2,
const STACK_OF(X509) *chain,
int require_signing_cert);
/*- /*-
* IssuerSerial ::= SEQUENCE { * IssuerSerial ::= SEQUENCE {

14
include/openssl/ess.h.in
View File

@ -44,7 +44,6 @@ typedef struct ESS_cert_id_v2_st ESS_CERT_ID_V2;
generate_stack_macros("ESS_CERT_ID_V2"); generate_stack_macros("ESS_CERT_ID_V2");
-} -}
DECLARE_ASN1_ALLOC_FUNCTIONS(ESS_ISSUER_SERIAL) DECLARE_ASN1_ALLOC_FUNCTIONS(ESS_ISSUER_SERIAL)
DECLARE_ASN1_ENCODE_FUNCTIONS_only(ESS_ISSUER_SERIAL, ESS_ISSUER_SERIAL) DECLARE_ASN1_ENCODE_FUNCTIONS_only(ESS_ISSUER_SERIAL, ESS_ISSUER_SERIAL)
DECLARE_ASN1_DUP_FUNCTION(ESS_ISSUER_SERIAL) DECLARE_ASN1_DUP_FUNCTION(ESS_ISSUER_SERIAL)
@ -65,6 +64,19 @@ DECLARE_ASN1_ALLOC_FUNCTIONS(ESS_SIGNING_CERT_V2)
DECLARE_ASN1_ENCODE_FUNCTIONS_only(ESS_SIGNING_CERT_V2, ESS_SIGNING_CERT_V2) DECLARE_ASN1_ENCODE_FUNCTIONS_only(ESS_SIGNING_CERT_V2, ESS_SIGNING_CERT_V2)
DECLARE_ASN1_DUP_FUNCTION(ESS_SIGNING_CERT_V2) DECLARE_ASN1_DUP_FUNCTION(ESS_SIGNING_CERT_V2)
ESS_SIGNING_CERT *OSSL_ESS_signing_cert_new_init(const X509 *signcert,
const STACK_OF(X509) *certs,
int set_issuer_serial);
ESS_SIGNING_CERT_V2 *OSSL_ESS_signing_cert_v2_new_init(const EVP_MD *hash_alg,
const X509 *signcert,
const
STACK_OF(X509) *certs,
int set_issuer_serial);
int OSSL_ESS_check_signing_certs(const ESS_SIGNING_CERT *ss,
const ESS_SIGNING_CERT_V2 *ssv2,
const STACK_OF(X509) *chain,
int require_signing_cert);
# ifdef __cplusplus # ifdef __cplusplus
} }
# endif # endif

2
include/openssl/esserr.h
View File

@ -16,8 +16,6 @@
# include <openssl/symhacks.h> # include <openssl/symhacks.h>
# include <openssl/cryptoerr_legacy.h> # include <openssl/cryptoerr_legacy.h>
/* /*
* ESS reason codes. * ESS reason codes.
*/ */

2
test/recipes/80-test_cms.t
View File

@ -455,7 +455,7 @@ my @smime_cms_cades_ko_tests = (
[ @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach", [ @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
"-certfile", catfile($smdir, "smroot.pem"), "-certfile", catfile($smdir, "smroot.pem"),
"-signer", catfile($smdir, "smrsa1.pem"), "-out", "{output}.cms" ], "-signer", catfile($smdir, "smrsa1.pem"), "-out", "{output}.cms" ],
"fail to verify token because requiring CAdES-BES compatibility", "fail to verify token since requiring CAdES-BES compatibility",
[ @prov, "-verify", "-cades", "-in", "{output}.cms", "-inform", "DER", [ @prov, "-verify", "-cades", "-in", "{output}.cms", "-inform", "DER",
"-CAfile", catfile($smdir, "smroot.pem"), "-out", "{output}.txt" ], "-CAfile", catfile($smdir, "smroot.pem"), "-out", "{output}.txt" ],
\&final_compare \&final_compare

3
util/libcrypto.num
View File

@ -5315,6 +5315,9 @@ RAND_set_DRBG_type ? 3_0_0 EXIST::FUNCTION:
RAND_set_seed_source_type ? 3_0_0 EXIST::FUNCTION: RAND_set_seed_source_type ? 3_0_0 EXIST::FUNCTION:
BN_mod_exp_mont_consttime_x2 ? 3_0_0 EXIST::FUNCTION: BN_mod_exp_mont_consttime_x2 ? 3_0_0 EXIST::FUNCTION:
BIO_f_readbuffer ? 3_0_0 EXIST::FUNCTION: BIO_f_readbuffer ? 3_0_0 EXIST::FUNCTION:
OSSL_ESS_check_signing_certs ? 3_0_0 EXIST::FUNCTION:
OSSL_ESS_signing_cert_new_init ? 3_0_0 EXIST::FUNCTION:
OSSL_ESS_signing_cert_v2_new_init ? 3_0_0 EXIST::FUNCTION:
EVP_DigestInit_ex2 ? 3_0_0 EXIST::FUNCTION: EVP_DigestInit_ex2 ? 3_0_0 EXIST::FUNCTION:
EVP_EncryptInit_ex2 ? 3_0_0 EXIST::FUNCTION: EVP_EncryptInit_ex2 ? 3_0_0 EXIST::FUNCTION:
EVP_DecryptInit_ex2 ? 3_0_0 EXIST::FUNCTION: EVP_DecryptInit_ex2 ? 3_0_0 EXIST::FUNCTION: