ESSCertIDv2 Update for RFC 3161 (ts module)

apps/openssl-vms.cnf

@@ -344,3 +344,5 @@ tsa_name		= yes	# Must the TSA name be included in the reply?
 				# (optional, default: no)
 ess_cert_id_chain	= no	# Must the ESS cert id chain be included?
 				# (optional, default: no)
+ess_cert_id_alg		= sha1	# algorithm to compute certificate
+				# identifier (optional, default: sha1)

apps/openssl.cnf

@@ -344,3 +344,5 @@ tsa_name		= yes	# Must the TSA name be included in the reply?
 				# (optional, default: no)
 ess_cert_id_chain	= no	# Must the ESS cert id chain be included?
 				# (optional, default: no)
+ess_cert_id_alg		= sha1	# algorithm to compute certificate
+				# identifier (optional, default: sha1)

apps/ts.c

@@ -709,6 +709,8 @@ static TS_RESP *create_response(CONF *conf, const char *section, const char *eng
             goto end;
     }
 
+    if (!TS_CONF_set_ess_cert_id_digest(conf, section, resp_ctx))
+        goto end;
     if (!TS_CONF_set_def_policy(conf, section, policy, resp_ctx))
         goto end;
     if (!TS_CONF_set_policies(conf, section, resp_ctx))

crypto/objects/obj_dat.h

@@ -10,7 +10,7 @@
  */
 
 /* Serialized OID's */
-static const unsigned char so[6900] = {
+static const unsigned char so[6911] = {
     0x2A,0x86,0x48,0x86,0xF7,0x0D,                 /* [    0] OBJ_rsadsi */
     0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,            /* [    6] OBJ_pkcs */
     0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x02,       /* [   13] OBJ_md2 */
@@ -976,9 +976,10 @@ static const unsigned char so[6900] = {
     0x2A,0x83,0x1A,0x8C,0x9A,0x6E,0x01,0x01,0x0D,  /* [ 6872] OBJ_aria_256_cfb128 */
     0x2A,0x83,0x1A,0x8C,0x9A,0x6E,0x01,0x01,0x0E,  /* [ 6881] OBJ_aria_256_ofb128 */
     0x2A,0x83,0x1A,0x8C,0x9A,0x6E,0x01,0x01,0x0F,  /* [ 6890] OBJ_aria_256_ctr */
+    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x1E,  /* [ 6899] OBJ_id_smime_aa_signingCertificateV2 */
 };
 
-#define NUM_NID 1086
+#define NUM_NID 1087
 static const ASN1_OBJECT nid_objs[NUM_NID] = {
     {"UNDEF", "undefined", NID_undef},
     {"rsadsi", "RSA Data Security, Inc.", NID_rsadsi, 6, &so[0]},
@@ -2066,9 +2067,10 @@ static const ASN1_OBJECT nid_objs[NUM_NID] = {
     {"ARIA-128-CFB8", "aria-128-cfb8", NID_aria_128_cfb8},
     {"ARIA-192-CFB8", "aria-192-cfb8", NID_aria_192_cfb8},
     {"ARIA-256-CFB8", "aria-256-cfb8", NID_aria_256_cfb8},
+    {"id-smime-aa-signingCertificateV2", "id-smime-aa-signingCertificateV2", NID_id_smime_aa_signingCertificateV2, 11, &so[6899]},
 };
 
-#define NUM_SN 1077
+#define NUM_SN 1078
 static const unsigned int sn_objs[NUM_SN] = {
      364,    /* "AD_DVCS" */
      419,    /* "AES-128-CBC" */
@@ -2712,6 +2714,7 @@ static const unsigned int sn_objs[NUM_SN] = {
      213,    /* "id-smime-aa-securityLabel" */
      239,    /* "id-smime-aa-signatureType" */
      223,    /* "id-smime-aa-signingCertificate" */
+    1086,    /* "id-smime-aa-signingCertificateV2" */
      224,    /* "id-smime-aa-smimeEncryptCerts" */
      225,    /* "id-smime-aa-timeStampToken" */
      192,    /* "id-smime-alg" */
@@ -3149,7 +3152,7 @@ static const unsigned int sn_objs[NUM_SN] = {
      160,    /* "x509Crl" */
 };
 
-#define NUM_LN 1077
+#define NUM_LN 1078
 static const unsigned int ln_objs[NUM_LN] = {
      363,    /* "AD Time Stamping" */
      405,    /* "ANSI X9.62" */
@@ -3786,6 +3789,7 @@ static const unsigned int ln_objs[NUM_LN] = {
      213,    /* "id-smime-aa-securityLabel" */
      239,    /* "id-smime-aa-signatureType" */
      223,    /* "id-smime-aa-signingCertificate" */
+    1086,    /* "id-smime-aa-signingCertificateV2" */
      224,    /* "id-smime-aa-smimeEncryptCerts" */
      225,    /* "id-smime-aa-timeStampToken" */
      192,    /* "id-smime-alg" */
@@ -4230,7 +4234,7 @@ static const unsigned int ln_objs[NUM_LN] = {
      125,    /* "zlib compression" */
 };
 
-#define NUM_OBJ 971
+#define NUM_OBJ 972
 static const unsigned int obj_objs[NUM_OBJ] = {
        0,    /* OBJ_undef                        0 */
      181,    /* OBJ_iso                          1 */
@@ -5173,6 +5177,7 @@ static const unsigned int obj_objs[NUM_OBJ] = {
      238,    /* OBJ_id_smime_aa_ets_archiveTimeStamp 1 2 840 113549 1 9 16 2 27 */
      239,    /* OBJ_id_smime_aa_signatureType    1 2 840 113549 1 9 16 2 28 */
      240,    /* OBJ_id_smime_aa_dvcs_dvc         1 2 840 113549 1 9 16 2 29 */
+    1086,    /* OBJ_id_smime_aa_signingCertificateV2 1 2 840 113549 1 9 16 2 30 */
      241,    /* OBJ_id_smime_alg_ESDHwith3DES    1 2 840 113549 1 9 16 3 1 */
      242,    /* OBJ_id_smime_alg_ESDHwithRC2     1 2 840 113549 1 9 16 3 2 */
      243,    /* OBJ_id_smime_alg_3DESwrap        1 2 840 113549 1 9 16 3 3 */

crypto/objects/obj_mac.num

@@ -1083,3 +1083,4 @@ aria_256_cfb1		1082
 aria_128_cfb8		1083
 aria_192_cfb8		1084
 aria_256_cfb8		1085
+id_smime_aa_signingCertificateV2		1086

crypto/objects/objects.txt

@@ -294,6 +294,7 @@ id-smime-aa 26		: id-smime-aa-ets-certCRLTimestamp
 id-smime-aa 27		: id-smime-aa-ets-archiveTimeStamp
 id-smime-aa 28		: id-smime-aa-signatureType
 id-smime-aa 29		: id-smime-aa-dvcs-dvc
+id-smime-aa 30		: id-smime-aa-signingCertificateV2
 
 # S/MIME Algorithm Identifiers
 # obsolete

crypto/ts/ts_asn1.c

@@ -225,6 +225,23 @@ ASN1_SEQUENCE(ESS_SIGNING_CERT) = {
 IMPLEMENT_ASN1_FUNCTIONS_const(ESS_SIGNING_CERT)
 IMPLEMENT_ASN1_DUP_FUNCTION(ESS_SIGNING_CERT)
 
+ASN1_SEQUENCE(ESS_CERT_ID_V2) = {
+        ASN1_OPT(ESS_CERT_ID_V2, hash_alg, X509_ALGOR),
+        ASN1_SIMPLE(ESS_CERT_ID_V2, hash, ASN1_OCTET_STRING),
+        ASN1_OPT(ESS_CERT_ID_V2, issuer_serial, ESS_ISSUER_SERIAL)
+} static_ASN1_SEQUENCE_END(ESS_CERT_ID_V2)
+
+IMPLEMENT_ASN1_FUNCTIONS_const(ESS_CERT_ID_V2)
+IMPLEMENT_ASN1_DUP_FUNCTION(ESS_CERT_ID_V2)
+
+ASN1_SEQUENCE(ESS_SIGNING_CERT_V2) = {
+        ASN1_SEQUENCE_OF(ESS_SIGNING_CERT_V2, cert_ids, ESS_CERT_ID_V2),
+        ASN1_SEQUENCE_OF_OPT(ESS_SIGNING_CERT_V2, policy_info, POLICYINFO)
+} static_ASN1_SEQUENCE_END(ESS_SIGNING_CERT_V2)
+
+IMPLEMENT_ASN1_FUNCTIONS_const(ESS_SIGNING_CERT_V2)
+IMPLEMENT_ASN1_DUP_FUNCTION(ESS_SIGNING_CERT_V2)
+
 /* Getting encapsulated TS_TST_INFO object from PKCS7. */
 TS_TST_INFO *PKCS7_to_TS_TST_INFO(PKCS7 *token)
 {

crypto/ts/ts_conf.c

@@ -37,6 +37,7 @@
 #define ENV_CLOCK_PRECISION_DIGITS      "clock_precision_digits"
 #define ENV_VALUE_YES                   "yes"
 #define ENV_VALUE_NO                    "no"
+#define ENV_ESS_CERT_ID_ALG             "ess_cert_id_alg"
 
 /* Function definitions for certificate and key loading. */
 
@@ -466,3 +467,27 @@ int TS_CONF_set_ess_cert_id_chain(CONF *conf, const char *section,
     return ts_CONF_add_flag(conf, section, ENV_ESS_CERT_ID_CHAIN,
                             TS_ESS_CERT_ID_CHAIN, ctx);
 }
+
+int TS_CONF_set_ess_cert_id_digest(CONF *conf, const char *section,
+                                   TS_RESP_CTX *ctx)
+{
+    int ret = 0;
+    const EVP_MD *cert_md = NULL;
+    const char *md = NCONF_get_string(conf, section, ENV_ESS_CERT_ID_ALG);
+
+    if (md == NULL)
+        md = "sha1";
+
+    cert_md = EVP_get_digestbyname(md);
+    if (cert_md == NULL) {
+        ts_CONF_invalid(section, ENV_ESS_CERT_ID_ALG);
+        goto err;
+    }
+
+    if (!TS_RESP_CTX_set_ess_cert_id_digest(ctx, cert_md))
+        goto err;
+
+    ret = 1;
+err:
+    return ret;
+}

crypto/ts/ts_err.c

@@ -1,6 +1,6 @@
 /*
  * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -22,8 +22,12 @@ static ERR_STRING_DATA TS_str_functs[] = {
     {ERR_FUNC(TS_F_DEF_SERIAL_CB), "def_serial_cb"},
     {ERR_FUNC(TS_F_DEF_TIME_CB), "def_time_cb"},
     {ERR_FUNC(TS_F_ESS_ADD_SIGNING_CERT), "ESS_add_signing_cert"},
+    {ERR_FUNC(TS_F_ESS_ADD_SIGNING_CERT_V2), "ess_add_signing_cert_v2"},
     {ERR_FUNC(TS_F_ESS_CERT_ID_NEW_INIT), "ess_CERT_ID_new_init"},
+    {ERR_FUNC(TS_F_ESS_CERT_ID_V2_NEW_INIT), "ess_cert_id_new_init"},
     {ERR_FUNC(TS_F_ESS_SIGNING_CERT_NEW_INIT), "ess_SIGNING_CERT_new_init"},
+    {ERR_FUNC(TS_F_ESS_SIGNING_CERT_V2_NEW_INIT),
+     "ess_signing_cert_V2_new_init"},
     {ERR_FUNC(TS_F_INT_TS_RESP_VERIFY_TOKEN), "int_ts_RESP_verify_token"},
     {ERR_FUNC(TS_F_PKCS7_TO_TS_TST_INFO), "PKCS7_to_TS_TST_INFO"},
     {ERR_FUNC(TS_F_TS_ACCURACY_SET_MICROS), "TS_ACCURACY_set_micros"},
@@ -92,6 +96,8 @@ static ERR_STRING_DATA TS_str_reasons[] = {
     {ERR_REASON(TS_R_DETACHED_CONTENT), "detached content"},
     {ERR_REASON(TS_R_ESS_ADD_SIGNING_CERT_ERROR),
      "ess add signing cert error"},
+    {ERR_REASON(TS_R_ESS_ADD_SIGNING_CERT_V2_ERROR),
+     "ess add signing cert v2 error"},
     {ERR_REASON(TS_R_ESS_SIGNING_CERTIFICATE_ERROR),
      "ess signing certificate error"},
     {ERR_REASON(TS_R_INVALID_NULL_POINTER), "invalid null pointer"},

crypto/ts/ts_lcl.h

@@ -131,11 +131,39 @@ struct ESS_signing_cert {
     STACK_OF(POLICYINFO) *policy_info;
 };
 
+/*-
+ * ESSCertIDv2 ::=  SEQUENCE {
+ *        hashAlgorithm           AlgorithmIdentifier
+ *                DEFAULT {algorithm id-sha256},
+ *        certHash                Hash,
+ *        issuerSerial            IssuerSerial OPTIONAL
+ * }
+ */
+
+struct ESS_cert_id_v2_st {
+    X509_ALGOR *hash_alg;       /* Default: SHA-256 */
+    ASN1_OCTET_STRING *hash;
+    ESS_ISSUER_SERIAL *issuer_serial;
+};
+
+/*-
+ * SigningCertificateV2 ::= SEQUENCE {
+ *        certs                   SEQUENCE OF ESSCertIDv2,
+ *        policies                SEQUENCE OF PolicyInformation OPTIONAL
+ * }
+ */
+
+struct ESS_signing_cert_v2_st {
+    STACK_OF(ESS_CERT_ID_V2) *cert_ids;
+    STACK_OF(POLICYINFO) *policy_info;
+};
+
 
 struct TS_resp_ctx {
     X509 *signer_cert;
     EVP_PKEY *signer_key;
     const EVP_MD *signer_md;
+    const EVP_MD *ess_cert_id_digest;
     STACK_OF(X509) *certs;      /* Certs to include in signed data. */
     STACK_OF(ASN1_OBJECT) *policies; /* Acceptable policies. */
     ASN1_OBJECT *default_policy; /* It may appear in policies, too. */