CMP: Improvements of the support for requesting CRL

Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23768)

CHANGES.md

@@ -47,6 +47,12 @@ OpenSSL 3.4
 
    *Tim Perry*
 
+ * Added support for requesting CRL in CMP.
+
+   This work was sponsored by Siemens AG.
+
+    *Rajeev Ranjan*
+
  * Added Attribute Certificate (RFC 5755) support. Attribute
    Certificates can be created, parsed, modified and printed via the
    public API. There is no command-line tool support at this time.
@@ -110,10 +116,6 @@ OpenSSL 3.3
 
     *Neil Horman*
 
- * Added support for requesting CRL in CMP.
-
-    *Rajeev Ranjan, Siemens AG*
-
  * Added `-set_issuer` and `-set_subject` options to `openssl x509` to
    override the Issuer and Subject when creating a certificate. The `-subj`
    option now is an alias for `-set_subject`.

apps/cmp.c

@@ -146,6 +146,10 @@ static int opt_revreason = CRL_REASON_NONE;
 /* credentials format */
 static char *opt_certform_s = "PEM";
 static int opt_certform = FORMAT_PEM;
+/* 
+ * DER format is the preferred choice for saving a CRL because it allows for
+ * more efficient storage, especially when dealing with large CRLs.
+ */
 static char *opt_crlform_s = "DER";
 static int opt_crlform = FORMAT_ASN1;
 static char *opt_keyform_s = NULL;
@@ -1955,20 +1959,20 @@ static int add_certProfile(OSSL_CMP_CTX *ctx, const char *name)
 
     if ((sk = sk_ASN1_UTF8STRING_new_reserve(NULL, 1)) == NULL)
         return 0;
-   if ((utf8string = ASN1_UTF8STRING_new()) == NULL)
-       goto err;
-   if (!ASN1_STRING_set(utf8string, name, (int)strlen(name))) {
-       ASN1_STRING_free(utf8string);
-       goto err;
-   }
-   /* Due to sk_ASN1_UTF8STRING_new_reserve(NULL, 1), this surely succeeds: */
-   (void)sk_ASN1_UTF8STRING_push(sk, utf8string);
-   if ((itav = OSSL_CMP_ITAV_new0_certProfile(sk)) == NULL)
-       goto err;
-   if (OSSL_CMP_CTX_push0_geninfo_ITAV(ctx, itav))
-       return 1;
-   OSSL_CMP_ITAV_free(itav);
-   return 0;
+    if ((utf8string = ASN1_UTF8STRING_new()) == NULL)
+        goto err;
+    if (!ASN1_STRING_set(utf8string, name, (int)strlen(name))) {
+        ASN1_STRING_free(utf8string);
+        goto err;
+    }
+    /* Due to sk_ASN1_UTF8STRING_new_reserve(NULL, 1), this surely succeeds: */
+    (void)sk_ASN1_UTF8STRING_push(sk, utf8string);
+    if ((itav = OSSL_CMP_ITAV_new0_certProfile(sk)) == NULL)
+        goto err;
+    if (OSSL_CMP_CTX_push0_geninfo_ITAV(ctx, itav))
+        return 1;
+    OSSL_CMP_ITAV_free(itav);
+    return 0;
 
  err:
     sk_ASN1_UTF8STRING_pop_free(sk, ASN1_UTF8STRING_free);
@@ -2013,7 +2017,7 @@ static int handle_opt_geninfo(OSSL_CMP_CTX *ctx)
             if (*ptr != '\0') {
                 if (*ptr != ',') {
                     CMP_err1("Missing ',' or end of -geninfo arg after int at %.40s",
-                        ptr);
+                             ptr);
                     goto err;
                 }
                 ptr++;
@@ -3513,10 +3517,10 @@ int cmp_main(int argc, char **argv)
     if (opt_reqout_only != NULL) {
         const char *msg = "option is ignored since -reqout_only option is given";
 
-#if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_HTTP)
+# if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_HTTP)
         if (opt_server != NULL)
             CMP_warn1("-server %s", msg);
-#endif
+# endif
         if (opt_use_mock_srv)
             CMP_warn1("-use_mock_srv %s", msg);
         if (opt_reqout != NULL)

apps/lib/cmp_mock_srv.c

@@ -413,8 +413,8 @@ static int check_client_crl(const STACK_OF(OSSL_CMP_CRLSTATUS) *crlStatusList,
                             const X509_CRL *crl)
 {
     OSSL_CMP_CRLSTATUS *crlstatus;
-    DIST_POINT_NAME *dpn;
-    GENERAL_NAMES *issuer;
+    DIST_POINT_NAME *dpn = NULL;
+    GENERAL_NAMES *issuer = NULL;
     ASN1_TIME *thisupd = NULL;
 
     if (sk_OSSL_CMP_CRLSTATUS_num(crlStatusList) != 1) {
@@ -477,7 +477,7 @@ static OSSL_CMP_ITAV *process_genm_itav(mock_srv_ctx *ctx, int req_nid,
         break;
     case NID_id_it_crlStatusList:
         {
-            STACK_OF(OSSL_CMP_CRLSTATUS) *crlstatuslist;
+            STACK_OF(OSSL_CMP_CRLSTATUS) *crlstatuslist = NULL;
             int res = 0;
 
             if (!OSSL_CMP_ITAV_get0_crlStatusList(req, &crlstatuslist))

crypto/cmp/cmp_genm.c

@@ -354,7 +354,7 @@ int OSSL_CMP_get1_crlUpdate(OSSL_CMP_CTX *ctx, const X509 *crlcert,
     OSSL_CMP_CRLSTATUS *status = NULL;
     STACK_OF(OSSL_CMP_CRLSTATUS) *list = NULL;
     OSSL_CMP_ITAV *req = NULL, *itav = NULL;
-    STACK_OF(X509_CRL) *crls;
+    STACK_OF(X509_CRL) *crls = NULL;
     int res = 0;
 
     if (crl == NULL) {

crypto/x509/v3_genn.c

@@ -62,7 +62,7 @@ int GENERAL_NAME_set1_X509_NAME(GENERAL_NAME **tgt, const X509_NAME *src)
 {
     GENERAL_NAME *name;
 
-    if (tgt == NULL){
+    if (tgt == NULL) {
         ERR_raise(ERR_LIB_X509V3, X509V3_R_INVALID_NULL_ARGUMENT);
         return 0;
     }

doc/man1/openssl-cmp.pod.in

@@ -886,6 +886,8 @@ Default value is PEM.
 
 File format to use when saving a CRL to a file.
 Default value is DER.
+DER format is preferred because it enables more efficient storage
+of large CRLs.
 
 =item B<-keyform> I<PEM|DER|P12|ENGINE>
 
@@ -1471,8 +1473,10 @@ The B<cmp> application was added in OpenSSL 3.0.
 
 The B<-engine> option was deprecated in OpenSSL 3.0.
 
-B<-profile>, B<-crlcert>, B<-oldcrl>, B<-crlout>, B<-crlform>
-and B<-rsp_crl> options were added in OpenSSL 3.3.
+The B<-profile> option was added in OpenSSL 3.3.
+
+B<-crlcert>, B<-oldcrl>, B<-crlout>, B<-crlform>
+and B<-rsp_crl> options were added in OpenSSL 3.4.
 
 =head1 COPYRIGHT
 

doc/man3/GENERAL_NAME.pod

@@ -27,7 +27,7 @@ GENERAL_NAME_set1_X509_NAME() return 1 on success, 0 on error.
 
 =head1 HISTORY
 
-GENERAL_NAME_set1_X509_NAME() was added in OpenSSL 3.3.
+GENERAL_NAME_set1_X509_NAME() was added in OpenSSL 3.4.
 
 =head1 COPYRIGHT
 

doc/man3/OSSL_CMP_ITAV_new_caCerts.pod

@@ -173,7 +173,7 @@ were added in OpenSSL 3.2.
 OSSL_CMP_CRLSTATUS_new1(), OSSL_CMP_CRLSTATUS_create(),
 OSSL_CMP_CRLSTATUS_get0(), OSSL_CMP_ITAV_new0_crlStatusList(),
 OSSL_CMP_ITAV_get0_crlStatusList(), OSSL_CMP_ITAV_new_crls()
-and OSSL_CMP_ITAV_get0_crls() were added in OpenSSL 3.3.
+and OSSL_CMP_ITAV_get0_crls() were added in OpenSSL 3.4.
 
 =head1 COPYRIGHT
 

doc/man3/OSSL_CMP_exec_certreq.pod

@@ -232,8 +232,10 @@ The OpenSSL CMP support was added in OpenSSL 3.0.
 OSSL_CMP_get1_caCerts() and OSSL_CMP_get1_rootCaKeyUpdate()
 were added in OpenSSL 3.2.
 
-OSSL_CMP_get1_crlUpdate() and support for delayed delivery 
-of all types of response messages was added in OpenSSL 3.3.
+Support for delayed delivery of all types of response messages
+was added in OpenSSL 3.3.
+
+OSSL_CMP_get1_crlUpdate() was added in OpenSSL 3.4.
 
 =head1 COPYRIGHT
 

util/libcrypto.num

@@ -5536,29 +5536,29 @@ X509_STORE_CTX_set_get_crl              5663	3_2_0	EXIST::FUNCTION:
 X509_STORE_CTX_set_current_reasons      5664	3_2_0	EXIST::FUNCTION:
 OSSL_STORE_delete                       5665	3_2_0	EXIST::FUNCTION:
 BIO_ADDR_copy                           5666	3_2_0	EXIST::FUNCTION:SOCK
-DIST_POINT_NAME_dup                     ?	3_3_0	EXIST::FUNCTION:
-GENERAL_NAME_set1_X509_NAME             ?	3_3_0	EXIST::FUNCTION:
 OSSL_CMP_CTX_get0_geninfo_ITAVs         5667	3_3_0	EXIST::FUNCTION:CMP
 OSSL_CMP_HDR_get0_geninfo_ITAVs         5668	3_3_0	EXIST::FUNCTION:CMP
 OSSL_CMP_ITAV_new0_certProfile          5669	3_3_0	EXIST::FUNCTION:CMP
 OSSL_CMP_ITAV_get0_certProfile          5670	3_3_0	EXIST::FUNCTION:CMP
 OSSL_CMP_MSG_get0_certreq_publickey     5671	3_3_0	EXIST::FUNCTION:CMP
 OSSL_CMP_SRV_CTX_init_trans             5672	3_3_0	EXIST::FUNCTION:CMP
-OSSL_CMP_CRLSTATUS_create               ?	3_3_0	EXIST::FUNCTION:CMP
-OSSL_CMP_CRLSTATUS_free                 ?	3_3_0	EXIST::FUNCTION:CMP
-OSSL_CMP_CRLSTATUS_get0                 ?	3_3_0	EXIST::FUNCTION:CMP
-OSSL_CMP_CRLSTATUS_new1                 ?	3_3_0	EXIST::FUNCTION:CMP
-OSSL_CMP_ITAV_get0_crlStatusList        ?	3_3_0	EXIST::FUNCTION:CMP
-OSSL_CMP_ITAV_get0_crls                 ?	3_3_0	EXIST::FUNCTION:CMP
-OSSL_CMP_ITAV_new0_crlStatusList        ?	3_3_0	EXIST::FUNCTION:CMP
-OSSL_CMP_ITAV_new_crls                  ?	3_3_0	EXIST::FUNCTION:CMP
-OSSL_CMP_get1_crlUpdate                 ?	3_3_0	EXIST::FUNCTION:CMP
 EVP_DigestSqueeze                       5673	3_3_0	EXIST::FUNCTION:
 ERR_pop                                 5674	3_3_0	EXIST::FUNCTION:
 X509_STORE_get1_objects                 5675	3_3_0	EXIST::FUNCTION:
 OPENSSL_LH_set_thunks                   5676	3_3_0	EXIST::FUNCTION:
 OPENSSL_LH_doall_arg_thunk              5677	3_3_0	EXIST::FUNCTION:
 OSSL_HTTP_REQ_CTX_set_max_response_hdr_lines 5678	3_3_0	EXIST::FUNCTION:HTTP
+DIST_POINT_NAME_dup                     ?	3_4_0	EXIST::FUNCTION:
+GENERAL_NAME_set1_X509_NAME             ?	3_4_0	EXIST::FUNCTION:
+OSSL_CMP_CRLSTATUS_create               ?	3_4_0	EXIST::FUNCTION:CMP
+OSSL_CMP_CRLSTATUS_free                 ?	3_4_0	EXIST::FUNCTION:CMP
+OSSL_CMP_CRLSTATUS_get0                 ?	3_4_0	EXIST::FUNCTION:CMP
+OSSL_CMP_CRLSTATUS_new1                 ?	3_4_0	EXIST::FUNCTION:CMP
+OSSL_CMP_ITAV_get0_crlStatusList        ?	3_4_0	EXIST::FUNCTION:CMP
+OSSL_CMP_ITAV_get0_crls                 ?	3_4_0	EXIST::FUNCTION:CMP
+OSSL_CMP_ITAV_new0_crlStatusList        ?	3_4_0	EXIST::FUNCTION:CMP
+OSSL_CMP_ITAV_new_crls                  ?	3_4_0	EXIST::FUNCTION:CMP
+OSSL_CMP_get1_crlUpdate                 ?	3_4_0	EXIST::FUNCTION:CMP
 CRYPTO_atomic_store                     ?	3_4_0	EXIST::FUNCTION:
 CRYPTO_aligned_alloc                    ?	3_4_0	EXIST::FUNCTION:
 d2i_X509_ACERT                          ?	3_4_0	EXIST::FUNCTION: