crmf_lib.c create_popo_signature(): add error queue entry on signature failure

Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <ppzgs1@gmail.com> (Merged from https://github.com/openssl/openssl/pull/28482)
2025-06-02 20:58:01 +02:00 · 2025-06-02 20:58:01 +02:00 · 84c5268621
parent 1c99e070b1
commit 84c5268621
5 changed files with 12 additions and 5 deletions
--- a/crypto/cmp/cmp_protect.c
+++ b/crypto/cmp/cmp_protect.c
@ -116,7 +116,7 @@ ASN1_BIT_STRING *ossl_cmp_calc_protection(const OSSL_CMP_CTX *ctx,
        if (ASN1_item_sign_ex(ASN1_ITEM_rptr(OSSL_CMP_PROTECTEDPART),
                              msg->header->protectionAlg, /* sets X509_ALGOR */
                              NULL, prot, &prot_part, NULL, ctx->pkey, md,
-                              ctx->libctx, ctx->propq))
+                              ctx->libctx, ctx->propq) != 0)
            return prot;
        ASN1_BIT_STRING_free(prot);
        return NULL;
--- a/crypto/crmf/crmf_err.c
+++ b/crypto/crmf/crmf_err.c
@ -36,6 +36,8 @@ static const ERR_STRING_DATA CRMF_str_reasons[] = {
     "error decrypting symmetric key"},
    {ERR_PACK(ERR_LIB_CRMF, 0, CRMF_R_ERROR_SETTING_PURPOSE),
     "error setting purpose"},
+    {ERR_PACK(ERR_LIB_CRMF, 0, CRMF_R_ERROR_SIGNING_POPO),
+     "error signing popo"},
    {ERR_PACK(ERR_LIB_CRMF, 0, CRMF_R_ERROR_VERIFYING_ENCRYPTEDKEY),
     "error verifying encryptedkey"},
    {ERR_PACK(ERR_LIB_CRMF, 0, CRMF_R_FAILURE_OBTAINING_RANDOM),
--- a/crypto/crmf/crmf_lib.c
+++ b/crypto/crmf/crmf_lib.c
@ -379,10 +379,13 @@ static int create_popo_signature(OSSL_CRMF_POPOSIGNINGKEY *ps,
            && strcmp(name, "UNDEF") == 0) /* at least for Ed25519, Ed448 */
        digest = NULL;

-    return ASN1_item_sign_ex(ASN1_ITEM_rptr(OSSL_CRMF_CERTREQUEST),
-                             ps->algorithmIdentifier, /* sets this X509_ALGOR */
-                             NULL, ps->signature, /* sets the ASN1_BIT_STRING */
-                             cr, NULL, pkey, digest, libctx, propq);
+    if (ASN1_item_sign_ex(ASN1_ITEM_rptr(OSSL_CRMF_CERTREQUEST),
+                          ps->algorithmIdentifier, /* sets this X509_ALGOR */
+                          NULL, ps->signature, /* sets the ASN1_BIT_STRING */
+                          cr, NULL, pkey, digest, libctx, propq) != 0)
+        return 1;
+    ERR_raise(ERR_LIB_CRMF, CRMF_R_ERROR_SIGNING_POPO);
+    return 0;
 }

 int OSSL_CRMF_MSG_create_popo(int meth, OSSL_CRMF_MSG *crm,
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@ -464,6 +464,7 @@ CRMF_R_ERROR_DECRYPTING_ENCRYPTEDKEY:124:error decrypting encryptedkey
 CRMF_R_ERROR_DECRYPTING_ENCRYPTEDVALUE:125:error decrypting encryptedvalue
 CRMF_R_ERROR_DECRYPTING_SYMMETRIC_KEY:106:error decrypting symmetric key
 CRMF_R_ERROR_SETTING_PURPOSE:126:error setting purpose
+CRMF_R_ERROR_SIGNING_POPO:129:error signing popo
 CRMF_R_ERROR_VERIFYING_ENCRYPTEDKEY:127:error verifying encryptedkey
 CRMF_R_FAILURE_OBTAINING_RANDOM:107:failure obtaining random
 CRMF_R_ITERATIONCOUNT_BELOW_100:108:iterationcount below 100
--- a/include/openssl/crmferr.h
+++ b/include/openssl/crmferr.h
@ -34,6 +34,7 @@
 #  define CRMF_R_ERROR_DECRYPTING_ENCRYPTEDVALUE           125
 #  define CRMF_R_ERROR_DECRYPTING_SYMMETRIC_KEY            106
 #  define CRMF_R_ERROR_SETTING_PURPOSE                     126
+#  define CRMF_R_ERROR_SIGNING_POPO                        129
 #  define CRMF_R_ERROR_VERIFYING_ENCRYPTEDKEY              127
 #  define CRMF_R_FAILURE_OBTAINING_RANDOM                  107
 #  define CRMF_R_ITERATIONCOUNT_BELOW_100                  108