
Lines Matching +full:no +full:- +full:cmp

2  * Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright Nokia 2007-2019
4 * Copyright Siemens AG 2015-2019
38 #include <openssl/cmp.h>
49 #define CMP_SECTION "cmp"
58 static OSSL_CMP_CTX *cmp_ctx = NULL; /* the client-side CMP context */
60 /* the type of cmp command we want to send */
79 static int opt_msg_timeout = -1;
80 static int opt_total_timeout = -1;
106 static int opt_cmd = -1;
123 static int opt_popo = OSSL_CRMF_POPO_NONE - 1;
154 /* client-side debugging */
266 {"help", OPT_HELP, '-', "Display this summary"},
270 "Section(s) in config file to get options from. \"\" = 'default'. Default 'cmp'"},
275 {"cmd", OPT_CMD, 's', "CMP request to send: ir/cr/kur/p10cr/rr/genm"},
290 "For kur, default is subject of -csr arg or reference cert (see -oldcert)"},
292 "this default is used for ir and cr only if no Subject Alt Names are set"},
296 "also used as recipient if neither -recipient nor -srvcert are given"},
302 "Augments or replaces any extensions contained CSR given with -csr"},
305 {"san_nodefault", OPT_SAN_NODEFAULT, '-',
306 "Do not take default SANs from reference certificate (see -oldcert)"},
311 {"policy_oids_critical", OPT_POLICY_OIDS_CRITICAL, '-',
312 "Flag the policy OID(s) given with -policy_oids as critical"},
314 "Proof-of-Possession (POPO) method to use for ir/cr/kur where"},
316 "-1 = NONE, 0 = RAVERIFIED, 1 = SIGNATURE (default), 2 = KEYENC"},
321 {"implicit_confirm", OPT_IMPLICIT_CONFIRM, '-',
323 {"disable_confirm", OPT_DISABLE_CONFIRM, '-',
335 "Certificate to be updated (defaulting to -cert) or to be revoked in rr;"},
337 "also used as reference (defaulting to -cert) for subject DN and SANs."},
339 "Issuer is used as recipient unless -recipient, -srvcert, or -issuer given"},
343 "0..6, 8..10 (see RFC5280, 5.3.1) or -1. Default -1 = none included"},
348 "NOTE: -server, -proxy, and -no_proxy not supported due to no-sock build"},
351 "[http[s]://]address[:port][/path] of CMP server. Default port 80 or 443."},
353 "address may be a DNS name or an IP address; path can be overridden by -path"},
362 "DN of CA. Default: subject of -srvcert, -issuer, issuer of -oldcert or -cert"},
364 "HTTP path (aka CMP alias) at the CMP server. Default from -server, else \"/\""},
366 "Persistent HTTP connections. 0: no, 1 (the default): request, 2: require"},
368 "Number of seconds allowed per CMP message round trip, or 0 for infinite"},
374 "Certificates to trust as chain roots when verifying signed CMP responses"},
375 {OPT_MORE_STR, 0, 0, "unless -srvcert is given"},
377 "Intermediate CA certs for chain construction for CMP/TLS/enrolled certs"},
379 "Server cert to pin and trust directly when verifying signed CMP responses"},
381 "DN of expected sender of responses. Defaults to subject of -srvcert, if any"},
382 {"ignore_keyusage", OPT_IGNORE_KEYUSAGE, '-',
383 "Ignore CMP signer cert key usage, else 'digitalSignature' must be allowed"},
384 {"unprotected_errors", OPT_UNPROTECTED_ERRORS, '-',
397 "Reference value to use as senderKID in case no -cert is given"},
401 "Client's CMP signer certificate; its public key must match the -key argument"},
407 "Optional certs to verify chain building for own CMP signer cert"},
408 {"key", OPT_KEY, 's', "CMP signer private key, not used when -secret given"},
414 "MAC algorithm to use in PBM-based message protection. Default \"hmac-sha1\""},
418 "This can be used as the default CMP signer cert chain to include"},
419 {"unprotected_requests", OPT_UNPROTECTED_REQUESTS, '-',
420 "Send messages without CMP-level protection"},
441 "NOTE: -tls_used and all other TLS options not supported due to no-sock build"},
443 {"tls_used", OPT_TLS_USED, '-',
457 "Address to be checked (rather than -server) during TLS host name validation"},
460 OPT_SECTION("Client-side debugging"),
461 {"batch", OPT_BATCH, '-',
465 {"reqin", OPT_REQIN, 's', "Take sequence of CMP requests from file(s)"},
466 {"reqin_new_tid", OPT_REQIN_NEW_TID, '-',
467 "Use fresh transactionID for CMP requests read from -reqin"},
468 {"reqout", OPT_REQOUT, 's', "Save sequence of CMP requests to file(s)"},
470 "Process sequence of CMP responses provided in file(s), skipping server"},
471 {"rspout", OPT_RSPOUT, 's', "Save sequence of CMP responses to file(s)"},
473 {"use_mock_srv", OPT_USE_MOCK_SRV, '-',
474 "Use internal mock server at API level, bypassing socket-based HTTP"},
479 "NOTE: -port and -max_msgs not supported due to no-sock build"},
482 "Act as HTTP-based mock server listening on given port"},
488 "Reference value to use as senderKID of server in case no -srv_cert is given"},
490 "Password source for server authentication with a pre-shared key (secret)"},
500 "Intermediate certs that may be useful for verifying CMP protection"},
511 {"grant_implicitconf", OPT_GRANT_IMPLICITCONF, '-',
519 "Number representing failure bits to include in server response, 0..2^27 - 1"},
522 {"send_error", OPT_SEND_ERROR, '-',
524 {"send_unprotected", OPT_SEND_UNPROTECTED, '-',
525 "Send response messages without CMP-level protection"},
526 {"send_unprot_err", OPT_SEND_UNPROT_ERR, '-',
532 {"accept_unprotected", OPT_ACCEPT_UNPROTECTED, '-',
534 {"accept_unprot_err", OPT_ACCEPT_UNPROT_ERR, '-',
536 {"accept_raverified", OPT_ACCEPT_RAVERIFIED, '-',
537 "Accept RAVERIFIED as proof-of-possession (POPO)"},
616 ? "CMP" : OPENSSL_FUNC)
619 (BIO_printf(bio, "%s:%s:%d:CMP %s: " msg "\n", \
709 CMP_warn("error while verifying CSR self-signature"); in load_csr_autofmt()
711 CMP_warn("CSR self-signature does not match the contents"); in load_csr_autofmt()
733 /* write OSSL_CMP_MSG DER-encoded to the specified file name item */
756 /* read DER-encoded OSSL_CMP_MSG from the specified file name item */
780 /*-
800 /*- in read_write_req_resp()
803 * The following workaround unfortunately requires re-protection. in read_write_req_resp()
961 CMP_err1("unknown cmp command '%s'", opt_cmd_s); in transform_opts()
965 CMP_err("no cmp command to execute"); in transform_opts()
994 OSSL_CMP_CTX *ctx; /* extra CMP (client) ctx partly used by server */ in setup_srv_ctx()
1005 CMP_err("must give -srv_ref for mock server if no -srv_cert given"); in setup_srv_ctx()
1027 CMP_err("mock server credentials must be given if -use_mock_srv or -port is used"); in setup_srv_ctx()
1030 …CMP_warn("mock server will not be able to handle PBM-protected requests since -srv_secret is not g… in setup_srv_ctx()
1035 CMP_err("must give both -srv_cert and -srv_key options or neither"); in setup_srv_ctx()
1070 …CMP_warn("mock server will not be able to handle signature-protected requests since -srv_trusted i… in setup_srv_ctx()
1078 CMP_warn("no -rsp_cert given for mock server"); in setup_srv_ctx()
1093 "CMP extra certificates for mock server", srv_ctx, in setup_srv_ctx()
1106 CMP_err1("-failure out of range, should be >= 0 and <= %d", in setup_srv_ctx()
1111 CMP_warn("-failurebits overrides -failure"); in setup_srv_ctx()
1116 CMP_err("-failurebits out of range"); in setup_srv_ctx()
1161 CMP_warn("-trusted option is ignored since -srvcert option is present"); in setup_verification_ctx()
1165 CMP_warn("-recipient option is ignored since -srvcert option is present"); in setup_verification_ctx()
1169 "directly trusted CMP server certificate"); in setup_verification_ctx()
1203 /* ignore any -attime here, new certs are current anyway */ in setup_verification_ctx()
1373 CMP_err("must give -key or -secret unless -unprotected_requests is used"); in setup_protection_ctx()
1379 CMP_err("must give -ref if no -cert and no -subject given"); in setup_protection_ctx()
1383 CMP_err("must give both -cert and -key options or neither"); in setup_protection_ctx()
1400 CMP_warn("-cert and -key not used for protection since -secret is given"); in setup_protection_ctx()
1409 "private key for CMP client certificate"); in setup_protection_ctx()
1418 CMP_warn("will not authenticate server due to missing -secret, -trusted, or -srvcert"); in setup_protection_ctx()
1427 "CMP client certificate (optionally with chain)", in setup_protection_ctx()
1438 "trusted certs for verifying own CMP signer cert"); in setup_protection_ctx()
1448 CMP_warn("-own_trusted option is ignored without -cert"); in setup_protection_ctx()
1451 if (!setup_certs(opt_extracerts, "extra certificates for CMP", ctx, in setup_protection_ctx()
1498 CMP_warn("no -subject given; no -csr or -oldcert or -cert available for fallback"); in setup_request_ctx()
1502 CMP_err("missing -newkey (or -key) to be certified and no -csr given"); in setup_request_ctx()
1506 CMP_err("-certout not given, nowhere to save newly enrolled certificate"); in setup_request_ctx()
1521 CMP_warn1("-subject %s since -ref or -cert is given", msg); in setup_request_ctx()
1525 CMP_warn1("-issuer %s", msg); in setup_request_ctx()
1527 CMP_warn1("-reqexts %s", msg); in setup_request_ctx()
1529 CMP_warn1("-san_nodefault %s", msg); in setup_request_ctx()
1531 CMP_warn1("-sans %s", msg); in setup_request_ctx()
1533 CMP_warn1("-policies %s", msg); in setup_request_ctx()
1535 CMP_warn1("-policy_oids %s", msg); in setup_request_ctx()
1541 CMP_err("missing -oldcert for certificate to be updated and no -csr given"); in setup_request_ctx()
1545 CMP_warn2("given -subject '%s' overrides the subject of '%s' for KUR", in setup_request_ctx()
1550 CMP_err("missing -oldcert for certificate to be revoked and no -csr given"); in setup_request_ctx()
1554 CMP_warn("ignoring -csr since certificate to be revoked is given"); in setup_request_ctx()
1563 …CMP_warn("missing -recipient, -srvcert, -issuer, -oldcert or -cert; recipient will be set to \"NUL… in setup_request_ctx()
1569 CMP_warn1("-newkeytype %s", msg); in setup_request_ctx()
1571 CMP_warn1("-newkey %s", msg); in setup_request_ctx()
1573 CMP_warn1("-days %s", msg); in setup_request_ctx()
1574 if (opt_popo != OSSL_CRMF_POPO_NONE - 1) in setup_request_ctx()
1575 CMP_warn1("-popo %s", msg); in setup_request_ctx()
1611 CMP_err("cannot have policies both via -policies and via -policy_oids"); in setup_request_ctx()
1617 CMP_warn("-csr option is ignored for command 'genm'"); in setup_request_ctx()
1648 CMP_err("cannot have Subject Alternative Names both via -reqexts and via -sans"); in setup_request_ctx()
1656 CMP_warn("-opt_san_nodefault has no effect when -sans is used"); in setup_request_ctx()
1663 CMP_warn("-opt_policy_oids_critical has no effect unless -policy_oids is given"); in setup_request_ctx()
1681 pinfo->policyid = policy; in setup_request_ctx()
1696 CMP_warn("-oldcert option is ignored for command 'genm'"); in setup_request_ctx()
1742 CMP_err("missing ':' in -geninfo option"); in handle_opt_geninfo()
1749 CMP_err("missing 'int:' in -geninfo option"); in handle_opt_geninfo()
1756 CMP_err("cannot parse int in -geninfo option"); in handle_opt_geninfo()
1762 CMP_err("cannot parse OID in -geninfo option"); in handle_opt_geninfo()
1795 * set up the client-side OSSL_CMP_CTX based on options from config file/CLI
1812 if (!opt_use_mock_srv && opt_rspin == NULL) { /* note: -port is not given */ in setup_client_ctx()
1815 CMP_err("missing -server or -use_mock_srv or -rspin option"); in setup_client_ctx()
1819 …CMP_err("missing -use_mock_srv or -rspin option; -server option is not supported due to no-sock bu… in setup_client_ctx()
1826 CMP_warn("ignoring -proxy option since -server is not given"); in setup_client_ctx()
1828 CMP_warn("ignoring -no_proxy option since -server is not given"); in setup_client_ctx()
1830 CMP_warn("ignoring -tls_used option since -server is not given"); in setup_client_ctx()
1837 CMP_err1("cannot parse -server URL: %s", opt_server); in setup_client_ctx()
1841 CMP_err("missing -tls_used option since -server URL indicates https"); in setup_client_ctx()
1872 char id_buf[100] = "id-it-"; in setup_client_ctx()
1874 strncat(id_buf, opt_infotype_s, sizeof(id_buf) - strlen(id_buf) - 1); in setup_client_ctx()
1876 CMP_err("unknown OID name in -infotype option"); in setup_client_ctx()
1889 CMP_err2("-total_timeout argument = %d must not be < %d (-msg_timeout)", in setup_client_ctx()
1901 CMP_warn("-reqin is ignored since -rspin is present"); in setup_client_ctx()
1903 CMP_warn("-reqin_new_tid is ignored since -reqin is not present"); in setup_client_ctx()
1915 CMP_err("missing -tls_key option"); in setup_client_ctx()
1918 CMP_err("missing -tls_cert option"); in setup_client_ctx()
1926 info->server = opt_server; in setup_client_ctx()
1927 info->port = server_port; in setup_client_ctx()
1929 info->use_proxy = proxy_host != NULL; in setup_client_ctx()
1930 info->timeout = OSSL_CMP_CTX_get_option(ctx, OSSL_CMP_OPT_MSG_TIMEOUT); in setup_client_ctx()
1931 info->ssl_ctx = setup_ssl_ctx(ctx, host, engine); in setup_client_ctx()
1933 if (info->ssl_ctx == NULL) in setup_client_ctx()
1955 CMP_info("will not contact any server since -rspin is given"); in setup_client_ctx()
1993 * Returns number of written certificates on success, -1 on error.
2007 CMP_warn("saving more than one certificate in non-PEM format"); in save_free_certs()
2012 n = -1; in save_free_certs()
2019 n = -1; in save_free_certs()
2038 CMP_info("genp contains no ITAV"); in print_itavs()
2055 /* get previous name from a comma or space-separated list of names */
2065 --beg; in prev_item()
2071 len = end - beg; in prev_item()
2080 --beg; in prev_item()
2089 /* get str value for name from a comma-separated hierarchy of config sections */
2103 /* get long val for name from a comma-separated hierarchy of config sections */
2123 * use the command line option table to read values from the CMP section
2133 int start_opt = OPT_VERBOSITY - OPT_HELP; in read_config()
2134 int start_idx = OPT_VERBOSITY - 2; in read_config()
2139 int n_options = OSSL_NELEM(cmp_options) - 1; in read_config()
2142 opt->name != NULL; i++, opt++) in read_config()
2143 if (!strcmp(opt->name, OPT_SECTION_STR) in read_config()
2144 || !strcmp(opt->name, OPT_MORE_STR)) in read_config()
2145 n_options--; in read_config()
2147 + OPT_PROV__FIRST + 1 - OPT_PROV__LAST in read_config()
2148 + OPT_R__FIRST + 1 - OPT_R__LAST in read_config()
2149 + OPT_V__FIRST + 1 - OPT_V__LAST); in read_config()
2151 opt->name != NULL; i++, opt++) { in read_config()
2152 int provider_option = (OPT_PROV__FIRST <= opt->retval in read_config()
2153 && opt->retval < OPT_PROV__LAST); in read_config()
2154 int rand_state_option = (OPT_R__FIRST <= opt->retval in read_config()
2155 && opt->retval < OPT_R__LAST); in read_config()
2156 int verification_option = (OPT_V__FIRST <= opt->retval in read_config()
2157 && opt->retval < OPT_V__LAST); in read_config()
2159 if (strcmp(opt->name, OPT_SECTION_STR) == 0 in read_config()
2160 || strcmp(opt->name, OPT_MORE_STR) == 0) { in read_config()
2161 i--; in read_config()
2165 i--; in read_config()
2166 switch (opt->valtype) { in read_config()
2167 case '-': in read_config()
2172 if (!conf_get_number_e(conf, opt_section, opt->name, &num)) { in read_config()
2176 if (opt->valtype == 'p' && num <= 0) { in read_config()
2177 opt_printf_stderr("Non-positive number \"%ld\" for config option -%s\n", in read_config()
2178 num, opt->name); in read_config()
2179 return -1; in read_config()
2181 if (opt->valtype == 'N' && num < 0) { in read_config()
2182 opt_printf_stderr("Negative number \"%ld\" for config option -%s\n", in read_config()
2183 num, opt->name); in read_config()
2184 return -1; in read_config()
2190 txt = conf_get_string(conf, opt_section, opt->name); in read_config()
2198 opt->valtype, opt->name); in read_config()
2207 BIO_snprintf(arg1, 81, "-%s", (char *)opt->name); in read_config()
2210 if (opt->valtype == '-') { in read_config()
2215 conf_argv[2] = conf_get_string(conf, opt_section, opt->name); in read_config()
2225 opt->name, opt_section); in read_config()
2230 switch (opt->valtype) { in read_config()
2231 case '-': in read_config()
2238 opt->name); in read_config()
2266 } else if (arg[0] == '-') { in opt_str()
2272 /* returns 1 on success, 0 on error, -1 on -help (i.e., stop with success) */
2284 BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); in get_opts()
2288 return -1; in get_opts()
2316 CMP_err("-keep_alive argument must be 0, 1, or 2"); in get_opts()
2457 CMP_err("invalid popo spec. Valid values are -1 .. 2"); in get_opts()
2487 CMP_err("invalid revreason. Valid values are -1 .. 6, 8 .. 10"); in get_opts()
2619 /* No extra args. */ in get_opts()
2647 if (ret == 0) { /* no request yet */ in cmp_server()
2656 if (ret++ == -1) /* fatal error */ in cmp_server()
2687 if (!ret) { /* on transmission error, cancel CMP transaction */ in cmp_server()
2692 || OSSL_CMP_CTX_get_status(srv_cmp_ctx) == -1 in cmp_server()
2721 * handle options -config, -section, and -verbosity upfront in cmp_main()
2724 for (i = 1; i < argc - 1; i++) { in cmp_main()
2725 if (*argv[i] == '-') { in cmp_main()
2726 if (!strcmp(argv[i] + 1, cmp_options[OPT_CONFIG - OPT_HELP].name)) in cmp_main()
2729 cmp_options[OPT_SECTION - OPT_HELP].name)) in cmp_main()
2732 cmp_options[OPT_VERBOSITY - OPT_HELP].name) == 0 in cmp_main()
2748 if (configfile != NULL && configfile[0] != '\0' /* non-empty string */ in cmp_main()
2749 && (configfile != default_config_file || access(configfile, F_OK) != -1)) { in cmp_main()
2758 CMP_info2("no [%s] section found in config file '%s';" in cmp_main()
2765 CMP_err2("no [%s] section found in config file '%s'", in cmp_main()
2773 ret = -1; in cmp_main()
2775 if (ret == -1) in cmp_main()
2776 BIO_printf(bio_err, "Use -help for summary.\n"); in cmp_main()
2815 CMP_warn("Ingnoring TLS options(s) since -tls_used is not given"); in cmp_main()
2818 CMP_err("-tls_used option not supported with -port option"); in cmp_main()
2822 CMP_err("cannot use -port with -use_mock_srv, -server, or -rspin options"); in cmp_main()
2827 CMP_err("cannot use both -server and -use_mock_srv options"); in cmp_main()
2832 CMP_err("cannot use both -rspin and -use_mock_srv options"); in cmp_main()
2856 CMP_warn("ignoring -tls_used option since -use_mock_srv or -rspin is given"); in cmp_main()
2860 if (opt_port != NULL) { /* act as very basic CMP HTTP server */ in cmp_main()
2865 /* act as CMP client, possibly using internal mock server */ in cmp_main()
2869 CMP_warn("ignoring -server option since -rspin is given"); in cmp_main()
2876 CMP_err("cannot set up CMP context"); in cmp_main()
2928 goto err; /* we got no response, maybe even did not send request */ in cmp_main()
3022 return ret == 0 ? EXIT_FAILURE : EXIT_SUCCESS; /* ret == -1 for -help */ in cmp_main()