Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CMP: fix reporting error when no root CA cert update available #24169

Closed
wants to merge 4 commits into from
Closed

CMP: fix reporting error when no root CA cert update available #24169

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
68209d0
fix sending error when no root CA cert update available
rajeev-0 Mar 25, 2024
b204e1b
fixup! fix sending error when no root CA cert update available
rajeev-0 Apr 17, 2024
936463c
fixup! fix sending error when no root CA cert update available
rajeev-0 Apr 19, 2024
d49ae84
fixup! fix sending error when no root CA cert update available
rajeev-0 Apr 19, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
19 changes: 16 additions & 3 deletions apps/lib/cmp_mock_srv.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -401,9 +401,22 @@ static OSSL_CMP_ITAV *process_genm_itav(mock_srv_ctx *ctx, int req_nid,
rsp = OSSL_CMP_ITAV_new_caCerts(ctx->caPubsOut);
break;
case NID_id_it_rootCaCert:
rsp = OSSL_CMP_ITAV_new_rootCaKeyUpdate(ctx->newWithNew,
ctx->newWithOld,
ctx->oldWithNew);
{
X509 *rootcacert = NULL;

if (!OSSL_CMP_ITAV_get0_rootCaCert(req, &rootcacert))
return NULL;

if (rootcacert != NULL
&& X509_NAME_cmp(X509_get_subject_name(rootcacert),
X509_get_subject_name(ctx->newWithNew)) != 0)
/* The subjects do not match */
rsp = OSSL_CMP_ITAV_new_rootCaKeyUpdate(NULL, NULL, NULL);
else
rsp = OSSL_CMP_ITAV_new_rootCaKeyUpdate(ctx->newWithNew,
ctx->newWithOld,
ctx->oldWithNew);
}
break;
default:
rsp = OSSL_CMP_ITAV_dup(req);
Expand Down
20 changes: 14 additions & 6 deletions crypto/cmp/cmp_asn.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -287,23 +287,31 @@ OSSL_CMP_ITAV *OSSL_CMP_ITAV_new_rootCaKeyUpdate(const X509 *newWithNew,
const X509 *oldWithNew)
{
OSSL_CMP_ITAV *itav;
OSSL_CMP_ROOTCAKEYUPDATE *upd = OSSL_CMP_ROOTCAKEYUPDATE_new();
OSSL_CMP_ROOTCAKEYUPDATE *upd = NULL;

if (newWithNew == NULL)
goto null_value;

upd = OSSL_CMP_ROOTCAKEYUPDATE_new();
DDvO marked this conversation as resolved.
Show resolved Hide resolved
if (upd == NULL)
return NULL;
if (newWithNew != NULL && (upd->newWithNew = X509_dup(newWithNew)) == NULL)

if ((upd->newWithNew = X509_dup(newWithNew)) == NULL)
goto err;
if (newWithOld != NULL && (upd->newWithOld = X509_dup(newWithOld)) == NULL)
goto err;
if (oldWithNew != NULL && (upd->oldWithNew = X509_dup(oldWithNew)) == NULL)
goto err;

null_value:
DDvO marked this conversation as resolved.
Show resolved Hide resolved
if ((itav = OSSL_CMP_ITAV_new()) == NULL)
goto err;

itav->infoType = OBJ_nid2obj(NID_id_it_rootCaKeyUpdate);
itav->infoValue.rootCaKeyUpdate = upd;
return itav;

err:
err:
OSSL_CMP_ROOTCAKEYUPDATE_free(upd);
return NULL;
}
Expand All @@ -324,11 +332,11 @@ int OSSL_CMP_ITAV_get0_rootCaKeyUpdate(const OSSL_CMP_ITAV *itav,
return 0;
}
upd = itav->infoValue.rootCaKeyUpdate;
*newWithNew = upd->newWithNew;
*newWithNew = upd != NULL ? upd->newWithNew : NULL;
if (newWithOld != NULL)
*newWithOld = upd->newWithOld;
*newWithOld = upd != NULL ? upd->newWithOld : NULL;
if (oldWithNew != NULL)
*oldWithNew = upd->oldWithNew;
*oldWithNew = upd != NULL ? upd->oldWithNew : NULL;
return 1;
}

Expand Down
6 changes: 4 additions & 2 deletions crypto/cmp/cmp_genm.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -307,9 +307,11 @@ int OSSL_CMP_get1_rootCaKeyUpdate(OSSL_CMP_CTX *ctx,
if (!OSSL_CMP_ITAV_get0_rootCaKeyUpdate(itav, newWithNew,
&my_newWithOld, &my_oldWithNew))
goto end;

if (*newWithNew == NULL) /* no root CA cert update available */
/* no root CA cert update available */
if (*newWithNew == NULL) {
res = 1;
goto end;
}
if ((oldWithOld_copy = X509_dup(oldWithOld)) == NULL && oldWithOld != NULL)
goto end;
if (!verify_ss_cert_trans(ctx, oldWithOld_copy, my_newWithOld,
Expand Down
2 changes: 1 addition & 1 deletion test/recipes/80-test_cmp_http_data/test_commands.csv
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -77,7 +77,7 @@ expected,description, -section,val, -cmd,val,val2, -cacertsout,val,val2, -infoty
0,genm rootCaCert oldwithold empty file , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,, -oldwithold, empty.txt , -newwithnew, _RESULT_DIR/test.newwithnew.pem
0,genm rootCaCert oldwithold random file , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,, -oldwithold, random.bin , -newwithnew, _RESULT_DIR/test.newwithnew.pem
0,genm rootCaCert oldwithold nonexistent , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,, -oldwithold, idontexist , -newwithnew, _RESULT_DIR/test.newwithnew.pem
0,genm rootCaCert oldwithold wrong , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,, -oldwithold, signer.crt , -newwithnew, _RESULT_DIR/test.newwithnew.pem
1,genm rootCaCert oldwithold wrong , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,, -oldwithold, signer.crt , -newwithnew, _RESULT_DIR/test.newwithnew.pem
DDvO marked this conversation as resolved.
Show resolved Hide resolved
0,genm rootCaCert missing newwithnew , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,, -oldwithold, oldWithOld.pem, BLANK ,,
0,genm rootCaCert newwithnew missing arg , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,, -oldwithold, oldWithOld.pem, -newwithnew,,
1,genm rootCaCert with oldwithnew , -section,, -cmd,genm,, BLANK,,, -infotype,rootCaCert,, -oldwithold, oldWithOld.pem, -newwithnew, _RESULT_DIR/test.newwithnew1.pem, -oldwithnew, _RESULT_DIR/test.oldwithnew1.pem
Expand Down