[openssl] master update

dev at ddvo.net dev at ddvo.net
Wed Apr 28 12:13:54 UTC 2021


The branch master has been updated
       via  4189dc3782c5989dbaa7d247e41a96a25b27c940 (commit)
       via  176a9a682a22d556037b0a959911e6020c8d2ecd (commit)
       via  1751768cd191c3541dc89a2bb24da1e506385c37 (commit)
      from  624359374b9af4f99ce1bfaf89e28b7306987777 (commit)


- Log -----------------------------------------------------------------
commit 4189dc3782c5989dbaa7d247e41a96a25b27c940
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Tue Mar 16 16:41:52 2021 +0100

    CMS ESS: Move four internal aux functions to where they belong in crypto/cms
    
    Also constify and slightly refactor them.
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/14601)

commit 176a9a682a22d556037b0a959911e6020c8d2ecd
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Tue Mar 16 16:04:08 2021 +0100

    TS ESS: Move four internal aux functions to where they belong in crypto/ts
    
    Also constify and slightly refactor them.
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/14601)

commit 1751768cd191c3541dc89a2bb24da1e506385c37
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Mon Mar 15 20:24:40 2021 +0100

    ESS: Export three core functions, clean up TS and CMS CAdES-BES usage
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/14601)

-----------------------------------------------------------------------

Summary of changes:
 crypto/cms/cms_ess.c                      | 121 ++++++++++------------
 crypto/cms/cms_sd.c                       |  55 +++++++++-
 crypto/ess/ess_asn1.c                     |  63 +-----------
 crypto/ess/ess_lib.c                      | 161 +++++++-----------------------
 crypto/ts/ts_rsp_sign.c                   |  54 +++++++++-
 crypto/ts/ts_rsp_verify.c                 |  27 ++++-
 doc/build.info                            |   6 ++
 doc/man3/CMS_verify.pod                   |   1 +
 doc/man3/OSSL_ESS_check_signing_certs.pod |  88 ++++++++++++++++
 doc/man3/TS_VERIFY_CTX_set_certs.pod      |   4 +
 doc/man3/X509_dup.pod                     |   2 +
 include/crypto/cms.h                      |  27 -----
 include/crypto/ess.h                      |  22 ----
 include/openssl/ess.h.in                  |  20 +++-
 include/openssl/esserr.h                  |   2 -
 test/recipes/80-test_cms.t                |   2 +-
 util/libcrypto.num                        |   5 +
 17 files changed, 344 insertions(+), 316 deletions(-)
 create mode 100644 doc/man3/OSSL_ESS_check_signing_certs.pod
 delete mode 100644 include/crypto/cms.h

diff --git a/crypto/cms/cms_ess.c b/crypto/cms/cms_ess.c
index ba78b6ebad..d029b75b69 100644
--- a/crypto/cms/cms_ess.c
+++ b/crypto/cms/cms_ess.c
@@ -16,7 +16,6 @@
 #include <openssl/cms.h>
 #include <openssl/ess.h>
 #include "crypto/ess.h"
-#include "crypto/cms.h"
 #include "crypto/x509.h"
 #include "cms_local.h"
 
@@ -46,6 +45,60 @@ int CMS_get1_ReceiptRequest(CMS_SignerInfo *si, CMS_ReceiptRequest **prr)
     return 1;
 }
 
+/*
+ * Returns 0 if attribute is not found, 1 if found,
+ * or -1 on attribute parsing failure.
+ */
+static int ossl_cms_signerinfo_get_signing_cert(const CMS_SignerInfo *si,
+                                                ESS_SIGNING_CERT **psc)
+{
+    ASN1_STRING *str;
+    ESS_SIGNING_CERT *sc;
+    ASN1_OBJECT *obj = OBJ_nid2obj(NID_id_smime_aa_signingCertificate);
+
+    if (psc != NULL)
+        *psc = NULL;
+    str = CMS_signed_get0_data_by_OBJ(si, obj, -3, V_ASN1_SEQUENCE);
+    if (str == NULL)
+        return 0;
+
+    sc = ASN1_item_unpack(str, ASN1_ITEM_rptr(ESS_SIGNING_CERT));
+    if (sc == NULL)
+        return -1;
+    if (psc != NULL)
+        *psc = sc;
+    else
+        ESS_SIGNING_CERT_free(sc);
+    return 1;
+}
+
+/*
+ * Returns 0 if attribute is not found, 1 if found,
+ * or -1 on attribute parsing failure.
+ */
+static int ossl_cms_signerinfo_get_signing_cert_v2(const CMS_SignerInfo *si,
+                                                   ESS_SIGNING_CERT_V2 **psc)
+{
+    ASN1_STRING *str;
+    ESS_SIGNING_CERT_V2 *sc;
+    ASN1_OBJECT *obj = OBJ_nid2obj(NID_id_smime_aa_signingCertificateV2);
+
+    if (psc != NULL)
+        *psc = NULL;
+    str = CMS_signed_get0_data_by_OBJ(si, obj, -3, V_ASN1_SEQUENCE);
+    if (str == NULL)
+        return 0;
+
+    sc = ASN1_item_unpack(str, ASN1_ITEM_rptr(ESS_SIGNING_CERT_V2));
+    if (sc == NULL)
+        return -1;
+    if (psc != NULL)
+        *psc = sc;
+    else
+        ESS_SIGNING_CERT_V2_free(sc);
+    return 1;
+}
+
 int ossl_cms_check_signing_certs(const CMS_SignerInfo *si,
                                  const STACK_OF(X509) *chain)
 {
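Review bot: The `-3` lastpos passed to CMS_signed_get0_data_by_OBJ() in both new helpers is a magic value; if I read X509at_get0_data_by_OBJ() correctly it makes the lookup return NULL when the attribute occurs more than once or carries more than one value, which is the right strictness for a signed attribute but deserves a comment such as `/* -3: attribute must occur once and be single-valued, else treated as absent */`. Because that case falls into the `str == NULL` branch, a duplicated signingCertificate attribute is reported as 0 ("not found") rather than -1, so it is only caught when the caller passes require_signing_cert; the header comment should say so. The two helpers differ only in NID, ASN1 item and free function and could share one body, and as they are now `static` the `ossl_` prefix this tree uses for cross-file internal symbols seems unnecessary.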
@@ -53,7 +106,7 @@ int ossl_cms_check_signing_certs(const CMS_SignerInfo *si,
     ESS_SIGNING_CERT_V2 *ssv2 = NULL;
     int ret = ossl_cms_signerinfo_get_signing_cert(si, &ss) >= 0
         && ossl_cms_signerinfo_get_signing_cert_v2(si, &ssv2) >= 0
-        && ossl_ess_check_signing_certs(ss, ssv2, chain, 1);
+        && OSSL_ESS_check_signing_certs(ss, ssv2, chain, 1) > 0;
 
     ESS_SIGNING_CERT_free(ss);
     ESS_SIGNING_CERT_V2_free(ssv2);
@@ -361,67 +414,3 @@ ASN1_OCTET_STRING *ossl_cms_encode_Receipt(CMS_SignerInfo *si)
     CMS_ReceiptRequest_free(rr);
     return os;
 }
-
-/*
- * Add signer certificate's V2 digest |sc| to a SignerInfo structure |si|
- */
-
-int ossl_cms_add1_signing_cert_v2(CMS_SignerInfo *si, ESS_SIGNING_CERT_V2 *sc)
-{
-    ASN1_STRING *seq = NULL;
-    unsigned char *p, *pp = NULL;
-    int len;
-
-    /* Add SigningCertificateV2 signed attribute to the signer info. */
-    len = i2d_ESS_SIGNING_CERT_V2(sc, NULL);
-    if (len <= 0 || (pp = OPENSSL_malloc(len)) == NULL)
-        goto err;
-    p = pp;
-    i2d_ESS_SIGNING_CERT_V2(sc, &p);
-    if (!(seq = ASN1_STRING_new()) || !ASN1_STRING_set(seq, pp, len))
-        goto err;
-    OPENSSL_free(pp);
-    pp = NULL;
-    if (!CMS_signed_add1_attr_by_NID(si, NID_id_smime_aa_signingCertificateV2,
-                                     V_ASN1_SEQUENCE, seq, -1))
-        goto err;
-    ASN1_STRING_free(seq);
-    return 1;
- err:
-    ERR_raise(ERR_LIB_CMS, ERR_R_MALLOC_FAILURE);
-    ASN1_STRING_free(seq);
-    OPENSSL_free(pp);
-    return 0;
-}
-
-/*
- * Add signer certificate's digest |sc| to a SignerInfo structure |si|
- */
-
-int ossl_cms_add1_signing_cert(CMS_SignerInfo *si, ESS_SIGNING_CERT *sc)
-{
-    ASN1_STRING *seq = NULL;
-    unsigned char *p, *pp = NULL;
-    int len;
-
-    /* Add SigningCertificate signed attribute to the signer info. */
-    len = i2d_ESS_SIGNING_CERT(sc, NULL);
-    if (len <= 0 || (pp = OPENSSL_malloc(len)) == NULL)
-        goto err;
-    p = pp;
-    i2d_ESS_SIGNING_CERT(sc, &p);
-    if (!(seq = ASN1_STRING_new()) || !ASN1_STRING_set(seq, pp, len))
-        goto err;
-    OPENSSL_free(pp);
-    pp = NULL;
-    if (!CMS_signed_add1_attr_by_NID(si, NID_id_smime_aa_signingCertificate,
-                                     V_ASN1_SEQUENCE, seq, -1))
-        goto err;
-    ASN1_STRING_free(seq);
-    return 1;
- err:
-    ERR_raise(ERR_LIB_CMS, ERR_R_MALLOC_FAILURE);
-    ASN1_STRING_free(seq);
-    OPENSSL_free(pp);
-    return 0;
-}
diff --git a/crypto/cms/cms_sd.c b/crypto/cms/cms_sd.c
index 898916d548..d208822c4b 100644
--- a/crypto/cms/cms_sd.c
+++ b/crypto/cms/cms_sd.c
@@ -18,7 +18,6 @@
 #include "internal/sizes.h"
 #include "crypto/asn1.h"
 #include "crypto/evp.h"
-#include "crypto/cms.h"
 #include "crypto/ess.h"
 #include "crypto/x509.h" /* for ossl_x509_add_cert_new() */
 #include "cms_local.h"
@@ -253,6 +252,56 @@ static int cms_sd_asn1_ctrl(CMS_SignerInfo *si, int cmd)
     return 1;
 }
 
+/* Add SigningCertificate signed attribute to the signer info. */
+static int ossl_cms_add1_signing_cert(CMS_SignerInfo *si,
+                                      const ESS_SIGNING_CERT *sc)
+{
+    ASN1_STRING *seq = NULL;
+    unsigned char *p, *pp = NULL;
+    int ret, len = i2d_ESS_SIGNING_CERT(sc, NULL);
+
+    if (len <= 0 || (pp = OPENSSL_malloc(len)) == NULL)
+        return 0;
+
+    p = pp;
+    i2d_ESS_SIGNING_CERT(sc, &p);
+    if (!(seq = ASN1_STRING_new()) || !ASN1_STRING_set(seq, pp, len)) {
+        ASN1_STRING_free(seq);
+        OPENSSL_free(pp);
+        return 0;
+    }
+    OPENSSL_free(pp);
+    ret = CMS_signed_add1_attr_by_NID(si, NID_id_smime_aa_signingCertificate,
+                                      V_ASN1_SEQUENCE, seq, -1);
+    ASN1_STRING_free(seq);
+    return ret;
+}
+
+/* Add SigningCertificateV2 signed attribute to the signer info. */
+static int ossl_cms_add1_signing_cert_v2(CMS_SignerInfo *si,
+                                         const ESS_SIGNING_CERT_V2 *sc)
+{
+    ASN1_STRING *seq = NULL;
+    unsigned char *p, *pp = NULL;
+    int ret, len = i2d_ESS_SIGNING_CERT_V2(sc, NULL);
+
+    if (len <= 0 || (pp = OPENSSL_malloc(len)) == NULL)
+        return 0;
+
+    p = pp;
+    i2d_ESS_SIGNING_CERT_V2(sc, &p);
+    if (!(seq = ASN1_STRING_new()) || !ASN1_STRING_set(seq, pp, len)) {
+        ASN1_STRING_free(seq);
+        OPENSSL_free(pp);
+        return 0;
+    }
+    OPENSSL_free(pp);
+    ret = CMS_signed_add1_attr_by_NID(si, NID_id_smime_aa_signingCertificateV2,
+                                      V_ASN1_SEQUENCE, seq, -1);
+    ASN1_STRING_free(seq);
+    return ret;
+}
+
 CMS_SignerInfo *CMS_add1_signer(CMS_ContentInfo *cms,
                                 X509 *signer, EVP_PKEY *pk, const EVP_MD *md,
                                 unsigned int flags)
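Review bot: Both new helpers return 0 from the `len <= 0 || OPENSSL_malloc()` and `ASN1_STRING_set()` failure paths without raising an error, whereas the cms_ess.c versions removed in this series raised ERR_R_MALLOC_FAILURE; as far as I recall OPENSSL_malloc() does not raise by itself at this point in the tree, so unless CMS_add1_signer() raises on `add_sc == 0` (its body is outside this hunk) an allocation failure here leaves an empty error queue. Consider restoring `ERR_raise(ERR_LIB_CMS, ERR_R_MALLOC_FAILURE);` on those two paths in each helper. The encode-into-ASN1_STRING sequence is now written twice here and twice more in ts_rsp_sign.c; a shared helper taking the ASN1_ITEM and returning the ASN1_STRING would keep the four copies in step.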
@@ -377,13 +426,13 @@ CMS_SignerInfo *CMS_add1_signer(CMS_ContentInfo *cms,
             int add_sc;
 
             if (md == NULL || EVP_MD_is_a(md, SN_sha1)) {
-                if ((sc = ossl_ess_signing_cert_new_init(signer,
+                if ((sc = OSSL_ESS_signing_cert_new_init(signer,
                                                          NULL, 1)) == NULL)
                     goto err;
                 add_sc = ossl_cms_add1_signing_cert(si, sc);
                 ESS_SIGNING_CERT_free(sc);
             } else {
-                if ((sc2 = ossl_ess_signing_cert_v2_new_init(md, signer,
+                if ((sc2 = OSSL_ESS_signing_cert_v2_new_init(md, signer,
                                                              NULL, 1)) == NULL)
                     goto err;
                 add_sc = ossl_cms_add1_signing_cert_v2(si, sc2);
diff --git a/crypto/ess/ess_asn1.c b/crypto/ess/ess_asn1.c
index 08a0be8cc4..68bc854c99 100644
--- a/crypto/ess/ess_asn1.c
+++ b/crypto/ess/ess_asn1.c
@@ -13,7 +13,6 @@
 #include <openssl/ess.h>
 #include <openssl/x509v3.h>
 #include "crypto/ess.h"
-#include "crypto/cms.h"
 
 /* ASN1 stuff for ESS Structure */
 
@@ -36,7 +35,7 @@ IMPLEMENT_ASN1_DUP_FUNCTION(ESS_CERT_ID)
 ASN1_SEQUENCE(ESS_SIGNING_CERT) = {
         ASN1_SEQUENCE_OF(ESS_SIGNING_CERT, cert_ids, ESS_CERT_ID),
         ASN1_SEQUENCE_OF_OPT(ESS_SIGNING_CERT, policy_info, POLICYINFO)
-} static_ASN1_SEQUENCE_END(ESS_SIGNING_CERT)
+} ASN1_SEQUENCE_END(ESS_SIGNING_CERT)
 
 IMPLEMENT_ASN1_FUNCTIONS(ESS_SIGNING_CERT)
 IMPLEMENT_ASN1_DUP_FUNCTION(ESS_SIGNING_CERT)
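Review bot: Replacing static_ASN1_SEQUENCE_END with ASN1_SEQUENCE_END at the `}` line (and again for ESS_SIGNING_CERT_V2 in the next hunk) gives these ASN1_ITEMs external linkage, which the ASN1_ITEM_rptr() uses added in cms_ess.c require. If the items are also declared in a public header they become part of the exported ABI and need util/libcrypto.num entries; the diffstat's five libcrypto.num additions suggest that was done, but the header hunks are not in this chunk, so worth confirming.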
@@ -53,65 +52,7 @@ IMPLEMENT_ASN1_DUP_FUNCTION(ESS_CERT_ID_V2)
 ASN1_SEQUENCE(ESS_SIGNING_CERT_V2) = {
         ASN1_SEQUENCE_OF(ESS_SIGNING_CERT_V2, cert_ids, ESS_CERT_ID_V2),
         ASN1_SEQUENCE_OF_OPT(ESS_SIGNING_CERT_V2, policy_info, POLICYINFO)
-} static_ASN1_SEQUENCE_END(ESS_SIGNING_CERT_V2)
+} ASN1_SEQUENCE_END(ESS_SIGNING_CERT_V2)
 
 IMPLEMENT_ASN1_FUNCTIONS(ESS_SIGNING_CERT_V2)
 IMPLEMENT_ASN1_DUP_FUNCTION(ESS_SIGNING_CERT_V2)
-
-/* No cms support means no CMS_SignerInfo* definitions */
-#ifndef OPENSSL_NO_CMS
-
-/*
- * Returns < 0 if attribute is not found, 1 if found, or 
- * -1 on attribute parsing failure.
- */
-int ossl_cms_signerinfo_get_signing_cert_v2(const CMS_SignerInfo *si,
-                                            ESS_SIGNING_CERT_V2 **psc)
-{
-    ASN1_STRING *str;
-    ESS_SIGNING_CERT_V2 *sc;
-    ASN1_OBJECT *obj = OBJ_nid2obj(NID_id_smime_aa_signingCertificateV2);
-
-    if (psc != NULL)
-        *psc = NULL;
-    str = CMS_signed_get0_data_by_OBJ(si, obj, -3, V_ASN1_SEQUENCE);
-    if (str == NULL)
-        return 0;
-
-    sc = ASN1_item_unpack(str, ASN1_ITEM_rptr(ESS_SIGNING_CERT_V2));
-    if (sc == NULL)
-        return -1;
-    if (psc != NULL)
-        *psc = sc;
-    else
-        ESS_SIGNING_CERT_V2_free(sc);
-    return 1;
-}
-
-/*
- * Returns < 0 if attribute is not found, 1 if found, or 
- * -1 on attribute parsing failure.
- */
-int ossl_cms_signerinfo_get_signing_cert(const CMS_SignerInfo *si,
-                                         ESS_SIGNING_CERT **psc)
-{
-    ASN1_STRING *str;
-    ESS_SIGNING_CERT *sc;
-    ASN1_OBJECT *obj = OBJ_nid2obj(NID_id_smime_aa_signingCertificate);
-
-    if (psc != NULL)
-        *psc = NULL;
-    str = CMS_signed_get0_data_by_OBJ(si, obj, -3, V_ASN1_SEQUENCE);
-    if (str == NULL)
-        return 0;
-
-    sc = ASN1_item_unpack(str, ASN1_ITEM_rptr(ESS_SIGNING_CERT));
-    if (sc == NULL)
-        return -1;
-    if (psc != NULL)
-        *psc = sc;
-    else
-        ESS_SIGNING_CERT_free(sc);
-    return 1;
-}
-#endif  /* !OPENSSL_NO_CMS */
diff --git a/crypto/ess/ess_lib.c b/crypto/ess/ess_lib.c
index 6ded9f6328..65444d383f 100644
--- a/crypto/ess/ess_lib.c
+++ b/crypto/ess/ess_lib.c
@@ -15,13 +15,15 @@
 #include "crypto/ess.h"
 #include "crypto/x509.h"
 
-static ESS_CERT_ID *ESS_CERT_ID_new_init(X509 *cert, int issuer_needed);
+static ESS_CERT_ID *ESS_CERT_ID_new_init(const X509 *cert,
+                                         int set_issuer_serial);
 static ESS_CERT_ID_V2 *ESS_CERT_ID_V2_new_init(const EVP_MD *hash_alg,
-                                               X509 *cert, int issuer_needed);
+                                               const X509 *cert,
+                                               int set_issuer_serial);
 
-ESS_SIGNING_CERT *ossl_ess_signing_cert_new_init(X509 *signcert,
-                                                 STACK_OF(X509) *certs,
-                                                 int issuer_needed)
+ESS_SIGNING_CERT *OSSL_ESS_signing_cert_new_init(const X509 *signcert,
+                                                 const STACK_OF(X509) *certs,
+                                                 int set_issuer_serial)
 {
     ESS_CERT_ID *cid = NULL;
     ESS_SIGNING_CERT *sc;
@@ -33,11 +35,12 @@ ESS_SIGNING_CERT *ossl_ess_signing_cert_new_init(X509 *signcert,
         && (sc->cert_ids = sk_ESS_CERT_ID_new_null()) == NULL)
         goto err;
 
-    if ((cid = ESS_CERT_ID_new_init(signcert, issuer_needed)) == NULL
+    if ((cid = ESS_CERT_ID_new_init(signcert, set_issuer_serial)) == NULL
         || !sk_ESS_CERT_ID_push(sc->cert_ids, cid))
         goto err;
     for (i = 0; i < sk_X509_num(certs); ++i) {
         X509 *cert = sk_X509_value(certs, i);
+
         if ((cid = ESS_CERT_ID_new_init(cert, 1)) == NULL
             || !sk_ESS_CERT_ID_push(sc->cert_ids, cid))
             goto err;
@@ -51,26 +54,22 @@ ESS_SIGNING_CERT *ossl_ess_signing_cert_new_init(X509 *signcert,
     return NULL;
 }
 
-static ESS_CERT_ID *ESS_CERT_ID_new_init(X509 *cert, int issuer_needed)
+static ESS_CERT_ID *ESS_CERT_ID_new_init(const X509 *cert,
+                                         int set_issuer_serial)
 {
     ESS_CERT_ID *cid = NULL;
     GENERAL_NAME *name = NULL;
     unsigned char cert_sha1[SHA_DIGEST_LENGTH];
 
-    /* Call for side-effect of computing hash and caching extensions */
-    if (!ossl_x509v3_cache_extensions(cert))
-        return NULL;
-
     if ((cid = ESS_CERT_ID_new()) == NULL)
         goto err;
-    /* TODO(3.0): fetch sha1 algorithm from providers */
     if (!X509_digest(cert, EVP_sha1(), cert_sha1, NULL))
         goto err;
     if (!ASN1_OCTET_STRING_set(cid->hash, cert_sha1, SHA_DIGEST_LENGTH))
         goto err;
 
     /* Setting the issuer/serial if requested. */
-    if (!issuer_needed)
+    if (!set_issuer_serial)
         return cid;
 
     if (cid->issuer_serial == NULL
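Review bot: Dropping the ossl_x509v3_cache_extensions() call (removed lines before `if ((cid = ESS_CERT_ID_new()) == NULL)`) is what lets `cert` become const, and as far as I can tell it is safe only because X509_digest() computes the SHA-1 itself when no cached fingerprint is present. A one-line comment would stop someone re-adding the call for its "side-effect", e.g. `/* X509_digest() computes the hash itself; no need to pre-cache extensions */`. The rest of ESS_CERT_ID_new_init() is outside this hunk.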
@@ -97,10 +96,11 @@ static ESS_CERT_ID *ESS_CERT_ID_new_init(X509 *cert, int issuer_needed)
     return NULL;
 }
 
-ESS_SIGNING_CERT_V2 *ossl_ess_signing_cert_v2_new_init(const EVP_MD *hash_alg,
-                                                       X509 *signcert,
+ESS_SIGNING_CERT_V2 *OSSL_ESS_signing_cert_v2_new_init(const EVP_MD *hash_alg,
+                                                       const X509 *signcert,
+                                                       const
                                                        STACK_OF(X509) *certs,
-                                                       int issuer_needed)
+                                                       int set_issuer_serial)
 {
     ESS_CERT_ID_V2 *cid = NULL;
     ESS_SIGNING_CERT_V2 *sc;
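Review bot: The `const` left alone on its own line in the OSSL_ESS_signing_cert_v2_new_init() signature reads like a stray token, and the same split is copied verbatim into the new pod synopsis. Wrapping the parameter list after the opening parenthesis keeps `const STACK_OF(X509) *certs,` on one line within the column limit, which is easier on readers and on tools that grep for prototypes.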
@@ -108,7 +108,8 @@ ESS_SIGNING_CERT_V2 *ossl_ess_signing_cert_v2_new_init(const EVP_MD *hash_alg,
 
     if ((sc = ESS_SIGNING_CERT_V2_new()) == NULL)
         goto err;
-    if ((cid = ESS_CERT_ID_V2_new_init(hash_alg, signcert, issuer_needed)) == NULL)
+    cid = ESS_CERT_ID_V2_new_init(hash_alg, signcert, set_issuer_serial);
+    if (cid == NULL)
         goto err;
     if (!sk_ESS_CERT_ID_V2_push(sc->cert_ids, cid))
         goto err;
@@ -133,7 +134,8 @@ ESS_SIGNING_CERT_V2 *ossl_ess_signing_cert_v2_new_init(const EVP_MD *hash_alg,
 }
 
 static ESS_CERT_ID_V2 *ESS_CERT_ID_V2_new_init(const EVP_MD *hash_alg,
-                                               X509 *cert, int issuer_needed)
+                                               const X509 *cert,
+                                               int set_issuer_serial)
 {
     ESS_CERT_ID_V2 *cid;
     GENERAL_NAME *name = NULL;
@@ -159,14 +161,13 @@ static ESS_CERT_ID_V2 *ESS_CERT_ID_V2_new_init(const EVP_MD *hash_alg,
         cid->hash_alg = NULL;
     }
 
-    /* TODO(3.0): fetch sha1 algorithm from providers */
     if (!X509_digest(cert, hash_alg, hash, &hash_len))
         goto err;
 
     if (!ASN1_OCTET_STRING_set(cid->hash, hash, hash_len))
         goto err;
 
-    if (!issuer_needed)
+    if (!set_issuer_serial)
         return cid;
 
     if ((cid->issuer_serial = ESS_ISSUER_SERIAL_new()) == NULL)
@@ -193,92 +194,6 @@ static ESS_CERT_ID_V2 *ESS_CERT_ID_V2_new_init(const EVP_MD *hash_alg,
     return NULL;
 }
 
-ESS_SIGNING_CERT *ossl_ess_get_signing_cert(const PKCS7_SIGNER_INFO *si)
-{
-    ASN1_TYPE *attr;
-    const unsigned char *p;
-
-    attr = PKCS7_get_signed_attribute(si, NID_id_smime_aa_signingCertificate);
-    if (attr == NULL)
-        return NULL;
-    p = attr->value.sequence->data;
-    return d2i_ESS_SIGNING_CERT(NULL, &p, attr->value.sequence->length);
-}
-
-ESS_SIGNING_CERT_V2 *ossl_ess_get_signing_cert_v2(const PKCS7_SIGNER_INFO *si)
-{
-    ASN1_TYPE *attr;
-    const unsigned char *p;
-
-    attr = PKCS7_get_signed_attribute(si, NID_id_smime_aa_signingCertificateV2);
-    if (attr == NULL)
-        return NULL;
-    p = attr->value.sequence->data;
-    return d2i_ESS_SIGNING_CERT_V2(NULL, &p, attr->value.sequence->length);
-}
-
-int ossl_ess_signing_cert_add(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT *sc)
-{
-    ASN1_STRING *seq = NULL;
-    unsigned char *p, *pp = NULL;
-    int len;
-
-    len = i2d_ESS_SIGNING_CERT(sc, NULL);
-    if (len <= 0)
-        goto err;
-    if ((pp = OPENSSL_malloc(len)) == NULL) {
-        ERR_raise(ERR_LIB_ESS, ERR_R_MALLOC_FAILURE);
-        goto err;
-    }
-    p = pp;
-    i2d_ESS_SIGNING_CERT(sc, &p);
-    if ((seq = ASN1_STRING_new()) == NULL || !ASN1_STRING_set(seq, pp, len)) {
-        ERR_raise(ERR_LIB_ESS, ERR_R_MALLOC_FAILURE);
-        goto err;
-    }
-    OPENSSL_free(pp);
-    pp = NULL;
-    return PKCS7_add_signed_attribute(si,
-                                      NID_id_smime_aa_signingCertificate,
-                                      V_ASN1_SEQUENCE, seq);
- err:
-    ASN1_STRING_free(seq);
-    OPENSSL_free(pp);
-
-    return 0;
-}
-
-int ossl_ess_signing_cert_v2_add(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT_V2 *sc)
-{
-    ASN1_STRING *seq = NULL;
-    unsigned char *p, *pp = NULL;
-    int len = i2d_ESS_SIGNING_CERT_V2(sc, NULL);
-
-    if (len <= 0)
-        goto err;
-    if ((pp = OPENSSL_malloc(len)) == NULL) {
-        ERR_raise(ERR_LIB_ESS, ERR_R_MALLOC_FAILURE);
-        goto err;
-    }
-
-    p = pp;
-    i2d_ESS_SIGNING_CERT_V2(sc, &p);
-    if ((seq = ASN1_STRING_new()) == NULL || !ASN1_STRING_set(seq, pp, len)) {
-        ERR_raise(ERR_LIB_ESS, ERR_R_MALLOC_FAILURE);
-        goto err;
-    }
-
-    OPENSSL_free(pp);
-    pp = NULL;
-    return PKCS7_add_signed_attribute(si,
-                                      NID_id_smime_aa_signingCertificateV2,
-                                      V_ASN1_SEQUENCE, seq);
- err:
-    ASN1_STRING_free(seq);
-    OPENSSL_free(pp);
-    return 0;
-}
-
 static int ess_issuer_serial_cmp(const ESS_ISSUER_SERIAL *is, const X509 *cert)
 {
     GENERAL_NAME *issuer;
@@ -295,8 +210,8 @@ static int ess_issuer_serial_cmp(const ESS_ISSUER_SERIAL *is, const X509 *cert)
 }
 
 /*
- * Find cert referenced by |cid| (if not NULL, else |cidv2|) in |certs|.
- * If the cid{,v2} index is 0, the cert must be in the first in |certs| list.
+ * Find the cert in |certs| referenced by |cid| if not NULL, else by |cid_v2|.
+ * The cert must be the first one in |certs| if and only if |index| is 0.
  * Return 0 on not found, -1 on error, else 1 + the position in |certs|.
  */
 static int find(const ESS_CERT_ID *cid, const ESS_CERT_ID_V2 *cid_v2,
@@ -336,7 +251,6 @@ static int find(const ESS_CERT_ID *cid, const ESS_CERT_ID_V2 *cid_v2,
     }
     (void)ERR_pop_to_mark();
 
-    /* Look for cert with cid in the certs. */
     for (i = 0; i < sk_X509_num(certs); ++i) {
         cert = sk_X509_value(certs, i);
 
@@ -369,34 +283,33 @@ end:
     return ret;
 }
 
-/*
- * If ESSCertID and/or ESSCertIDv2 exist, which must be non-empty if given,
- * check if their first ID entry matches the signer cert first in chain
- * and each further ID entry matches any further cert in the chain.
- */
-int ossl_ess_check_signing_certs(const ESS_SIGNING_CERT *ss,
+int OSSL_ESS_check_signing_certs(const ESS_SIGNING_CERT *ss,
                                  const ESS_SIGNING_CERT_V2 *ssv2,
                                  const STACK_OF(X509) *chain,
                                  int require_signing_cert)
 {
     int n_v1 = ss == NULL ? -1 : sk_ESS_CERT_ID_num(ss->cert_ids);
     int n_v2 = ssv2 == NULL ? -1 : sk_ESS_CERT_ID_V2_num(ssv2->cert_ids);
-    int i;
+    int i, ret;
 
     if (require_signing_cert && ss == NULL && ssv2 == NULL) {
         ERR_raise(ERR_LIB_CMS, ESS_R_MISSING_SIGNING_CERTIFICATE_ATTRIBUTE);
-        return 0;
+        return -1;
     }
     if (n_v1 == 0 || n_v2 == 0) {
         ERR_raise(ERR_LIB_ESS, ESS_R_EMPTY_ESS_CERT_ID_LIST);
-        return 0;
+        return -1;
     }
     /* If both ss and ssv2 exist, as required evaluate them independently. */
-    for (i = 0; i < n_v1; i++)
-        if (find(sk_ESS_CERT_ID_value(ss->cert_ids, i), NULL, i, chain) <= 0)
-            return 0;
-    for (i = 0; i < n_v2; i++)
-        if (find(NULL, sk_ESS_CERT_ID_V2_value(ssv2->cert_ids, i), i, chain) <= 0)
-            return 0;
+    for (i = 0; i < n_v1; i++) {
+        ret = find(sk_ESS_CERT_ID_value(ss->cert_ids, i), NULL, i, chain);
+        if (ret <= 0)
+            return ret;
+    }
+    for (i = 0; i < n_v2; i++) {
+        ret = find(NULL, sk_ESS_CERT_ID_V2_value(ssv2->cert_ids, i), i, chain);
+        if (ret <= 0)
+            return ret;
+    }
     return 1;
 }
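Review bot: `ERR_raise(ERR_LIB_CMS, ESS_R_MISSING_SIGNING_CERTIFICATE_ATTRIBUTE)` (the context line just above the first `return -1;`) pairs an ESS reason code with the CMS error library, so the reason string resolved for that error will be the wrong one; the sibling check two lines below correctly uses ERR_LIB_ESS, and now that this is a public OSSL_ESS_* function the mismatch is user-visible. Change it to `ERR_raise(ERR_LIB_ESS, ESS_R_MISSING_SIGNING_CERTIFICATE_ATTRIBUTE);`. The block comment describing the check was removed without replacement, yet the new tri-state result is a contract that cms_ess.c and ts_rsp_verify.c now rely on via `> 0`; a header comment such as `/* Return 1 if every cert ID in ss/ssv2 is found in chain, 0 if one is missing, -1 on error */` would pin it down. Whether the not-found case raises an error is decided inside find(), which is outside this hunk.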
diff --git a/crypto/ts/ts_rsp_sign.c b/crypto/ts/ts_rsp_sign.c
index 6d00a471a2..172d444d09 100644
--- a/crypto/ts/ts_rsp_sign.c
+++ b/crypto/ts/ts_rsp_sign.c
@@ -626,6 +626,52 @@ static int ts_RESP_process_extensions(TS_RESP_CTX *ctx)
 }
 
 /* Functions for signing the TS_TST_INFO structure of the context. */
+static int ossl_ess_add1_signing_cert(PKCS7_SIGNER_INFO *si,
+                                      const ESS_SIGNING_CERT *sc)
+{
+    ASN1_STRING *seq = NULL;
+    int len = i2d_ESS_SIGNING_CERT(sc, NULL);
+    unsigned char *p, *pp = OPENSSL_malloc(len);
+
+    if (pp == NULL)
+        return 0;
+
+    p = pp;
+    i2d_ESS_SIGNING_CERT(sc, &p);
+    if ((seq = ASN1_STRING_new()) == NULL || !ASN1_STRING_set(seq, pp, len)) {
+        ASN1_STRING_free(seq);
+        OPENSSL_free(pp);
+        return 0;
+    }
+
+    OPENSSL_free(pp);
+    return PKCS7_add_signed_attribute(si, NID_id_smime_aa_signingCertificate,
+                                      V_ASN1_SEQUENCE, seq);
+}
+
+static int ossl_ess_add1_signing_cert_v2(PKCS7_SIGNER_INFO *si,
+                                         const ESS_SIGNING_CERT_V2 *sc)
+{
+    ASN1_STRING *seq = NULL;
+    int len = i2d_ESS_SIGNING_CERT_V2(sc, NULL);
+    unsigned char *p, *pp = OPENSSL_malloc(len);
+
+    if (pp == NULL)
+        return 0;
+
+    p = pp;
+    i2d_ESS_SIGNING_CERT_V2(sc, &p);
+    if ((seq = ASN1_STRING_new()) == NULL || !ASN1_STRING_set(seq, pp, len)) {
+        ASN1_STRING_free(seq);
+        OPENSSL_free(pp);
+        return 0;
+    }
+
+    OPENSSL_free(pp);
+    return PKCS7_add_signed_attribute(si, NID_id_smime_aa_signingCertificateV2,
+                                      V_ASN1_SEQUENCE, seq);
+}
+
 static int ts_RESP_sign(TS_RESP_CTX *ctx)
 {
     int ret = 0;
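Review bot: Both new helpers pass the result of the i2d_*(sc, NULL) length query straight to `OPENSSL_malloc(len)` without the `len <= 0` check that the removed ess_lib.c versions had and that the cms_sd.c counterparts in this same series keep; a negative length from a failed encode is converted to a huge size_t and the function only fails because that allocation happens to fail. Mirror cms_sd.c: `int len = i2d_ESS_SIGNING_CERT(sc, NULL);` / `unsigned char *p, *pp;` / `if (len <= 0 || (pp = OPENSSL_malloc(len)) == NULL) return 0;`, and likewise in the V2 helper. The `/* Functions for signing the TS_TST_INFO structure ... */` banner now sits above the helpers instead of ts_RESP_sign(), which begins at the end of this hunk and continues beyond it.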
@@ -687,21 +733,21 @@ static int ts_RESP_sign(TS_RESP_CTX *ctx)
     certs = ctx->flags & TS_ESS_CERT_ID_CHAIN ? ctx->certs : NULL;
     if (ctx->ess_cert_id_digest == NULL
         || EVP_MD_is_a(ctx->ess_cert_id_digest, SN_sha1)) {
-        if ((sc = ossl_ess_signing_cert_new_init(ctx->signer_cert,
+        if ((sc = OSSL_ESS_signing_cert_new_init(ctx->signer_cert,
                                                  certs, 0)) == NULL)
             goto err;
 
-        if (!ossl_ess_signing_cert_add(si, sc)) {
+        if (!ossl_ess_add1_signing_cert(si, sc)) {
             ERR_raise(ERR_LIB_TS, TS_R_ESS_ADD_SIGNING_CERT_ERROR);
             goto err;
         }
     } else {
-        sc2 = ossl_ess_signing_cert_v2_new_init(ctx->ess_cert_id_digest,
+        sc2 = OSSL_ESS_signing_cert_v2_new_init(ctx->ess_cert_id_digest,
                                                 ctx->signer_cert, certs, 0);
         if (sc2 == NULL)
             goto err;
 
-        if (!ossl_ess_signing_cert_v2_add(si, sc2)) {
+        if (!ossl_ess_add1_signing_cert_v2(si, sc2)) {
             ERR_raise(ERR_LIB_TS, TS_R_ESS_ADD_SIGNING_CERT_V2_ERROR);
             goto err;
         }
diff --git a/crypto/ts/ts_rsp_verify.c b/crypto/ts/ts_rsp_verify.c
index 09daa2a449..03e7312843 100644
--- a/crypto/ts/ts_rsp_verify.c
+++ b/crypto/ts/ts_rsp_verify.c
@@ -203,12 +203,37 @@ end:
     return ret;
 }
 
+static ESS_SIGNING_CERT *ossl_ess_get_signing_cert(const PKCS7_SIGNER_INFO *si)
+{
+    ASN1_TYPE *attr;
+    const unsigned char *p;
+
+    attr = PKCS7_get_signed_attribute(si, NID_id_smime_aa_signingCertificate);
+    if (attr == NULL)
+        return NULL;
+    p = attr->value.sequence->data;
+    return d2i_ESS_SIGNING_CERT(NULL, &p, attr->value.sequence->length);
+}
+
+static
+ESS_SIGNING_CERT_V2 *ossl_ess_get_signing_cert_v2(const PKCS7_SIGNER_INFO *si)
+{
+    ASN1_TYPE *attr;
+    const unsigned char *p;
+
+    attr = PKCS7_get_signed_attribute(si, NID_id_smime_aa_signingCertificateV2);
+    if (attr == NULL)
+        return NULL;
+    p = attr->value.sequence->data;
+    return d2i_ESS_SIGNING_CERT_V2(NULL, &p, attr->value.sequence->length);
+}
+
 static int ts_check_signing_certs(const PKCS7_SIGNER_INFO *si,
                                   const STACK_OF(X509) *chain)
 {
     ESS_SIGNING_CERT *ss = ossl_ess_get_signing_cert(si);
     ESS_SIGNING_CERT_V2 *ssv2 = ossl_ess_get_signing_cert_v2(si);
-    int ret = ossl_ess_check_signing_certs(ss, ssv2, chain, 1);
+    int ret = OSSL_ESS_check_signing_certs(ss, ssv2, chain, 1) > 0;
 
     ESS_SIGNING_CERT_free(ss);
     ESS_SIGNING_CERT_V2_free(ssv2);
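Review bot: Both relocated getters dereference `attr->value.sequence` without checking `attr->type`; PKCS7_get_signed_attribute() returns whatever ASN1_TYPE was stored under that OID in the response being verified, so a value that is not a SEQUENCE (for V_ASN1_NULL the union member is a null pointer) would be dereferenced, and depending on where ts_check_signing_certs() runs relative to signature verification possibly before the signature is known good. The CMS counterpart in cms_ess.c asks CMS_signed_get0_data_by_OBJ() for V_ASN1_SEQUENCE explicitly; do the same here with `if (attr == NULL || attr->type != V_ASN1_SEQUENCE) return NULL;` in both functions. This is pre-existing behaviour in the moved code rather than something this commit introduced, and ts_check_signing_certs() continues past the hunk.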
diff --git a/doc/build.info b/doc/build.info
index d9c5d8d4fc..86daf403d7 100644
--- a/doc/build.info
+++ b/doc/build.info
@@ -1602,6 +1602,10 @@ DEPEND[html/man3/OSSL_ENCODER_to_bio.html]=man3/OSSL_ENCODER_to_bio.pod
 GENERATE[html/man3/OSSL_ENCODER_to_bio.html]=man3/OSSL_ENCODER_to_bio.pod
 DEPEND[man/man3/OSSL_ENCODER_to_bio.3]=man3/OSSL_ENCODER_to_bio.pod
 GENERATE[man/man3/OSSL_ENCODER_to_bio.3]=man3/OSSL_ENCODER_to_bio.pod
+DEPEND[html/man3/OSSL_ESS_check_signing_certs.html]=man3/OSSL_ESS_check_signing_certs.pod
+GENERATE[html/man3/OSSL_ESS_check_signing_certs.html]=man3/OSSL_ESS_check_signing_certs.pod
+DEPEND[man/man3/OSSL_ESS_check_signing_certs.3]=man3/OSSL_ESS_check_signing_certs.pod
+GENERATE[man/man3/OSSL_ESS_check_signing_certs.3]=man3/OSSL_ESS_check_signing_certs.pod
 DEPEND[html/man3/OSSL_HTTP_REQ_CTX.html]=man3/OSSL_HTTP_REQ_CTX.pod
 GENERATE[html/man3/OSSL_HTTP_REQ_CTX.html]=man3/OSSL_HTTP_REQ_CTX.pod
 DEPEND[man/man3/OSSL_HTTP_REQ_CTX.3]=man3/OSSL_HTTP_REQ_CTX.pod
@@ -3050,6 +3054,7 @@ html/man3/OSSL_ENCODER.html \
 html/man3/OSSL_ENCODER_CTX.html \
 html/man3/OSSL_ENCODER_CTX_new_for_pkey.html \
 html/man3/OSSL_ENCODER_to_bio.html \
+html/man3/OSSL_ESS_check_signing_certs.html \
 html/man3/OSSL_HTTP_REQ_CTX.html \
 html/man3/OSSL_HTTP_parse_url.html \
 html/man3/OSSL_HTTP_transfer.html \
@@ -3625,6 +3630,7 @@ man/man3/OSSL_ENCODER.3 \
 man/man3/OSSL_ENCODER_CTX.3 \
 man/man3/OSSL_ENCODER_CTX_new_for_pkey.3 \
 man/man3/OSSL_ENCODER_to_bio.3 \
+man/man3/OSSL_ESS_check_signing_certs.3 \
 man/man3/OSSL_HTTP_REQ_CTX.3 \
 man/man3/OSSL_HTTP_parse_url.3 \
 man/man3/OSSL_HTTP_transfer.3 \
diff --git a/doc/man3/CMS_verify.pod b/doc/man3/CMS_verify.pod
index 0331f7cf7e..33130bc9f2 100644
--- a/doc/man3/CMS_verify.pod
+++ b/doc/man3/CMS_verify.pod
@@ -122,6 +122,7 @@ be held in memory if it is not detached.
 
 =head1 SEE ALSO
 
+L<OSSL_ESS_check_signing_certs(3)>,
 L<ERR_get_error(3)>, L<CMS_sign(3)>
 
 =head1 COPYRIGHT
diff --git a/doc/man3/OSSL_ESS_check_signing_certs.pod b/doc/man3/OSSL_ESS_check_signing_certs.pod
new file mode 100644
index 0000000000..bff26193d7
--- /dev/null
+++ b/doc/man3/OSSL_ESS_check_signing_certs.pod
@@ -0,0 +1,88 @@
+=pod
+
+=head1 NAME
+
+OSSL_ESS_signing_cert_new_init,
+OSSL_ESS_signing_cert_v2_new_init,
+OSSL_ESS_check_signing_certs
+- Enhanced Security Services (ESS) functions
+
+=head1 SYNOPSIS
+
+ #include <openssl/ess.h>
+
+ ESS_SIGNING_CERT *OSSL_ESS_signing_cert_new_init(const X509 *signcert,
+                                                  const STACK_OF(X509) *certs,
+                                                  int set_issuer_serial);
+ ESS_SIGNING_CERT_V2 *OSSL_ESS_signing_cert_v2_new_init(const EVP_MD *hash_alg,
+                                                        const X509 *signcert,
+                                                        const
+                                                        STACK_OF(X509) *certs,
+                                                        int set_issuer_serial);
+ int OSSL_ESS_check_signing_certs(const ESS_SIGNING_CERT *ss,
+                                  const ESS_SIGNING_CERT_V2 *ssv2,
+                                  const STACK_OF(X509) *chain,
+                                  int require_signing_cert);
+
+=head1 DESCRIPTION
+
+OSSL_ESS_signing_cert_new_init() generates a new B<ESS_SIGNING_CERT> structure
+referencing the given I<signcert> and any given further I<certs>
+using their SHA-1 fingerprints.
+If I<set_issuer_serial> is nonzero then also the issuer and serial number
+of I<signcert> are included in the B<ESS_CERT_ID> as the B<issuerSerial> field.
+For all members of I<certs> the  B<issuerSerial> field is always included.
+
+OSSL_ESS_signing_cert_v2_new_init() is the same as
+OSSL_ESS_signing_cert_new_init() except that it uses the given I<hash_alg> and
+generates a B<ESS_SIGNING_CERT_V2> structure with B<ESS_CERT_ID_V2> elements.
+
+OSSL_ESS_check_signing_certs() checks if the validation chain I<chain> contains
+the certificates required by the identifiers given in I<ss> and/or I<ssv2>.
+If I<require_signing_cert> is nonzero, I<ss> or I<ssv2> must not be NULL.
+If both I<ss> and I<ssv2> are not NULL, they are evaluated independently.
+The list of certificate identifiers in I<ss> is of type B<ESS_CERT_ID>,
+while the list contained in I<ssv2> is of type B<ESS_CERT_ID_V2>.
+As far as these lists are present, they must be nonempty.
+The certificate identified by their first entry must be the first element of
+I<chain>, i.e. the signer certificate.
+Any further certficates referenced in the list must also be found in I<chain>.
+The matching is done using the given certificate hash algorithm and value.
+In addition to the checks required by RFCs 2624 and 5035,
+if the B<issuerSerial> field is included in an B<ESSCertID> or B<ESSCertIDv2>
+it must match the certificate issuer and serial number attributes.
+
+=head1 NOTES
+
+ESS has been defined in RFC 2634, which has been updated in RFC 5035
+(ESS version 2) to support hash algorithms other than SHA-1.
+This is used for TSP (RFC 3161) and CAdES-BES (informational RFC 5126).
+
+=head1 RETURN VALUES
+
+OSSL_ESS_signing_cert_new_init() and OSSL_ESS_signing_cert_v2_new_init()
+return a pointer to the new structure or NULL on malloc failure.
+
+OSSL_ESS_check_signing_certs() returns 1 on success,
+0 if a required certificate cannot be found, -1 on other error.
+
+=head1 SEE ALSO
+
+L<TS_VERIFY_CTX_set_certs(3)>,
+L<CMS_verify(3)>
+
+=head1 HISTORY
+
+OSSL_ESS_signing_cert_new_init(), OSSL_ESS_signing_cert_v2_new_init(), and
+OSSL_ESS_check_signing_certs() were added in OpenSSL 3.0.
+
+=head1 COPYRIGHT
+
+Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License").  You may not use
+this file except in compliance with the License.  You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff --git a/doc/man3/TS_VERIFY_CTX_set_certs.pod b/doc/man3/TS_VERIFY_CTX_set_certs.pod
index 26c9a66abc..cf6aee1921 100644
--- a/doc/man3/TS_VERIFY_CTX_set_certs.pod
+++ b/doc/man3/TS_VERIFY_CTX_set_certs.pod
@@ -39,6 +39,10 @@ which takes the same parameters and returns the same result.
 TS_VERIFY_CTX_set_certs() returns the stack of B<X509> certificates the user
 passes in via parameter B<certs>.
 
+=head1 SEE ALSO
+
+L<OSSL_ESS_check_signing_certs(3)>
+
 =head1 HISTORY
 
 The spelling of TS_VERIFY_CTX_set_certs() was corrected in OpenSSL 3.0.0.
diff --git a/doc/man3/X509_dup.pod b/doc/man3/X509_dup.pod
index 9629082310..b68d42e934 100644
--- a/doc/man3/X509_dup.pod
+++ b/doc/man3/X509_dup.pod
@@ -61,9 +61,11 @@ ESS_ISSUER_SERIAL_free,
 ESS_ISSUER_SERIAL_new,
 ESS_SIGNING_CERT_dup,
 ESS_SIGNING_CERT_free,
+ESS_SIGNING_CERT_it,
 ESS_SIGNING_CERT_new,
 ESS_SIGNING_CERT_V2_dup,
 ESS_SIGNING_CERT_V2_free,
+ESS_SIGNING_CERT_V2_it,
 ESS_SIGNING_CERT_V2_new,
 EXTENDED_KEY_USAGE_free,
 EXTENDED_KEY_USAGE_new,
diff --git a/include/crypto/cms.h b/include/crypto/cms.h
deleted file mode 100644
index fe1aed0c09..0000000000
--- a/include/crypto/cms.h
+++ /dev/null
@@ -1,27 +0,0 @@
-/*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#ifndef OSSL_CRYPTO_CMS_H
-# define OSSL_CRYPTO_CMS_H
-# pragma once
-
-# ifndef OPENSSL_NO_CMS
-
-/* internal CMS-ESS related stuff */
-
-int ossl_cms_add1_signing_cert(CMS_SignerInfo *si, ESS_SIGNING_CERT *sc);
-int ossl_cms_add1_signing_cert_v2(CMS_SignerInfo *si, ESS_SIGNING_CERT_V2 *sc);
-
-int ossl_cms_signerinfo_get_signing_cert_v2(const CMS_SignerInfo *si,
-                                            ESS_SIGNING_CERT_V2 **psc);
-int ossl_cms_signerinfo_get_signing_cert(const CMS_SignerInfo *si,
-                                         ESS_SIGNING_CERT **psc);
-# endif /* OPENSSL_NO_CMS */
-
-#endif
diff --git a/include/crypto/ess.h b/include/crypto/ess.h
index 1961e39067..7acde5f8a4 100644
--- a/include/crypto/ess.h
+++ b/include/crypto/ess.h
@@ -11,28 +11,6 @@
 # define OSSL_CRYPTO_ESS_H
 # pragma once
 
-/* internal ESS related stuff */
-
-ESS_SIGNING_CERT *ossl_ess_get_signing_cert(const PKCS7_SIGNER_INFO *si);
-int ossl_ess_signing_cert_add(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT *sc);
-
-ESS_SIGNING_CERT *ossl_ess_signing_cert_new_init(X509 *signcert,
-                                                 STACK_OF(X509) *certs,
-                                                 int issuer_needed);
-
-ESS_SIGNING_CERT_V2 *ossl_ess_get_signing_cert_v2(const PKCS7_SIGNER_INFO *si);
-int ossl_ess_signing_cert_v2_add(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT_V2 *sc);
-
-ESS_SIGNING_CERT_V2 *ossl_ess_signing_cert_v2_new_init(const EVP_MD *hash_alg,
-                                                       X509 *signcert,
-                                                       STACK_OF(X509) *certs,
-                                                       int issuer_needed);
-
-int ossl_ess_check_signing_certs(const ESS_SIGNING_CERT *ss,
-                                 const ESS_SIGNING_CERT_V2 *ssv2,
-                                 const STACK_OF(X509) *chain,
-                                 int require_signing_cert);
-
 /*-
  * IssuerSerial ::= SEQUENCE {
  *        issuer                  GeneralNames,
diff --git a/include/openssl/ess.h.in b/include/openssl/ess.h.in
index 6dd686ba77..d1a685b98e 100644
--- a/include/openssl/ess.h.in
+++ b/include/openssl/ess.h.in
@@ -44,7 +44,6 @@ typedef struct ESS_cert_id_v2_st ESS_CERT_ID_V2;
     generate_stack_macros("ESS_CERT_ID_V2");
 -}
 
-
 DECLARE_ASN1_ALLOC_FUNCTIONS(ESS_ISSUER_SERIAL)
 DECLARE_ASN1_ENCODE_FUNCTIONS_only(ESS_ISSUER_SERIAL, ESS_ISSUER_SERIAL)
 DECLARE_ASN1_DUP_FUNCTION(ESS_ISSUER_SERIAL)
@@ -53,18 +52,29 @@ DECLARE_ASN1_ALLOC_FUNCTIONS(ESS_CERT_ID)
 DECLARE_ASN1_ENCODE_FUNCTIONS_only(ESS_CERT_ID, ESS_CERT_ID)
 DECLARE_ASN1_DUP_FUNCTION(ESS_CERT_ID)
 
-DECLARE_ASN1_ALLOC_FUNCTIONS(ESS_SIGNING_CERT)
-DECLARE_ASN1_ENCODE_FUNCTIONS_only(ESS_SIGNING_CERT, ESS_SIGNING_CERT)
+DECLARE_ASN1_FUNCTIONS(ESS_SIGNING_CERT)
 DECLARE_ASN1_DUP_FUNCTION(ESS_SIGNING_CERT)
 
 DECLARE_ASN1_ALLOC_FUNCTIONS(ESS_CERT_ID_V2)
 DECLARE_ASN1_ENCODE_FUNCTIONS_only(ESS_CERT_ID_V2, ESS_CERT_ID_V2)
 DECLARE_ASN1_DUP_FUNCTION(ESS_CERT_ID_V2)
 
-DECLARE_ASN1_ALLOC_FUNCTIONS(ESS_SIGNING_CERT_V2)
-DECLARE_ASN1_ENCODE_FUNCTIONS_only(ESS_SIGNING_CERT_V2, ESS_SIGNING_CERT_V2)
+DECLARE_ASN1_FUNCTIONS(ESS_SIGNING_CERT_V2)
 DECLARE_ASN1_DUP_FUNCTION(ESS_SIGNING_CERT_V2)
 
+ESS_SIGNING_CERT *OSSL_ESS_signing_cert_new_init(const X509 *signcert,
+                                                 const STACK_OF(X509) *certs,
+                                                 int set_issuer_serial);
+ESS_SIGNING_CERT_V2 *OSSL_ESS_signing_cert_v2_new_init(const EVP_MD *hash_alg,
+                                                       const X509 *signcert,
+                                                       const
+                                                       STACK_OF(X509) *certs,
+                                                       int set_issuer_serial);
+int OSSL_ESS_check_signing_certs(const ESS_SIGNING_CERT *ss,
+                                 const ESS_SIGNING_CERT_V2 *ssv2,
+                                 const STACK_OF(X509) *chain,
+                                 int require_signing_cert);
+
 # ifdef  __cplusplus
 }
 # endif
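Review bot: The public prototype of OSSL_ESS_check_signing_certs() added near the end of the hunk carries no hint of its three-valued result, which the new manual page in this commit gives as 1 on success, 0 when a required certificate is not found and -1 on other error; a caller written as `if (OSSL_ESS_check_signing_certs(ss, ssv2, chain, 1))` would treat -1 as a pass, since -1 is truthy. A one-line comment on the declaration would make that hard to get wrong, e.g. `/* Returns 1 if all certs referenced by ss/ssv2 are in chain, 0 if one is missing, -1 on error; test for == 1 */`, and the same comment could state that require_signing_cert nonzero means ss or ssv2 must be non-NULL. As a point of style, the `const` / `STACK_OF(X509) *certs` parameter of OSSL_ESS_signing_cert_v2_new_init() is split across two lines by the line-length wrap, which reads as if `const` were dangling; starting the parameter list on a continuation line with a smaller indent would presumably keep `const STACK_OF(X509) *certs,` intact. The enclosing extern "C" block starts outside the hunk.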
diff --git a/include/openssl/esserr.h b/include/openssl/esserr.h
index 0b9e89e4cb..165ce7c437 100644
--- a/include/openssl/esserr.h
+++ b/include/openssl/esserr.h
@@ -16,8 +16,6 @@
 # include <openssl/symhacks.h>
 # include <openssl/cryptoerr_legacy.h>
 
-
-
 /*
  * ESS reason codes.
  */
diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
index 1837a51bbe..a371f21ad8 100644
--- a/test/recipes/80-test_cms.t
+++ b/test/recipes/80-test_cms.t
@@ -455,7 +455,7 @@ my @smime_cms_cades_ko_tests = (
       [ @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach",
         "-certfile", catfile($smdir, "smroot.pem"),
         "-signer", catfile($smdir, "smrsa1.pem"), "-out", "{output}.cms" ],
-      "fail to verify token because requiring CAdES-BES compatibility",
+      "fail to verify token since requiring CAdES-BES compatibility",
       [ @prov, "-verify", "-cades", "-in", "{output}.cms", "-inform", "DER",
         "-CAfile", catfile($smdir, "smroot.pem"), "-out", "{output}.txt" ],
       \&final_compare
diff --git a/util/libcrypto.num b/util/libcrypto.num
index f49ebeef45..54978afe20 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -5315,6 +5315,11 @@ RAND_set_DRBG_type                      ?	3_0_0	EXIST::FUNCTION:
 RAND_set_seed_source_type               ?	3_0_0	EXIST::FUNCTION:
 BN_mod_exp_mont_consttime_x2            ?	3_0_0	EXIST::FUNCTION:
 BIO_f_readbuffer                        ?	3_0_0	EXIST::FUNCTION:
+OSSL_ESS_check_signing_certs            ?	3_0_0	EXIST::FUNCTION:
+OSSL_ESS_signing_cert_new_init          ?	3_0_0	EXIST::FUNCTION:
+OSSL_ESS_signing_cert_v2_new_init       ?	3_0_0	EXIST::FUNCTION:
+ESS_SIGNING_CERT_it                     ?	3_0_0	EXIST::FUNCTION:
+ESS_SIGNING_CERT_V2_it                  ?	3_0_0	EXIST::FUNCTION:
 EVP_DigestInit_ex2                      ?	3_0_0	EXIST::FUNCTION:
 EVP_EncryptInit_ex2                     ?	3_0_0	EXIST::FUNCTION:
 EVP_DecryptInit_ex2                     ?	3_0_0	EXIST::FUNCTION:

