26 const OSSL_CMP_MSG *msg, X509 *cert)
33 if (!ossl_assert(cmp_ctx != NULL && msg != NULL && cert != NULL))
51 prot_part.header = msg->header;
52 prot_part.body = msg->body;
55 msg->header->protectionAlg, msg->protection,
77 static int verify_PBMAC(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg)
83 if ((protection = ossl_cmp_calc_protection(ctx, msg)) == NULL)
86 valid = msg->protection != NULL && msg->protection->length >= 0
87 && msg->protection->type == protection->type
88 && msg->protection->length == protection->length
89 && CRYPTO_memcmp(msg->protection->data, protection->data,
219 * The subject DN must match, the subject key ID as well if present in the msg,
229 const OSSL_CMP_MSG *msg)
265 "sender field", msg->header->sender->d.directoryName))
268 if (!check_kid(ctx, X509_get0_subject_key_id(cert), msg->header->senderKID))
275 if (!verify_signature(ctx, msg, cert)) {
276 ossl_cmp_warn(ctx, "msg signature verification failed");
279 /* acceptable also if there is no senderKID in msg header */
291 "msg signature validates but cert path validation failed");
303 const OSSL_CMP_MSG *msg, X509 *scrt)
312 || !ossl_cmp_X509_STORE_add1_certs(store, msg->extraCerts,
327 ossl_cmp_certrepmessage_get0_certresponse(msg->body->value.ip,
345 const OSSL_CMP_MSG *msg)
348 cert, NULL, NULL, msg)
350 || check_cert_path_3gpp(ctx, msg, cert));
354 * Try all certs in given list for verifying msg, normally or in 3GPP mode.
355 * If already_checked1 == NULL then certs are assumed to be the msg->extraCerts.
362 const OSSL_CMP_MSG *msg, int mode_3gpp)
379 already_checked1, already_checked2, msg))
382 if (mode_3gpp ? check_cert_path_3gpp(ctx, msg, cert)
400 * Verify msg trying first ctx->untrusted, which should include extraCerts
404 static int check_msg_all_certs(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg,
411 || OSSL_CMP_MSG_get_bodytype(msg) != OSSL_CMP_PKIBODY_IP)))
417 if (check_msg_with_certs(ctx, msg->extraCerts, "extraCerts",
418 NULL, NULL, msg, mode_3gpp))
421 msg->extraCerts, NULL, msg, mode_3gpp))
432 msg->extraCerts, ctx->untrusted,
433 msg, mode_3gpp);
440 OSSL_CMP_severity level, const char *msg)
449 static int check_msg_find_cert(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg)
452 GENERAL_NAME *sender = msg->header->sender;
455 const ASN1_OCTET_STRING *skid = msg->header->senderKID;
459 if (sender == NULL || msg->body == NULL)
478 if (check_msg_given_cert(ctx, scrt, msg)) {
487 "trying to verify msg signature with previously validated cert");
488 (void)check_msg_given_cert(ctx, scrt, msg);
491 res = check_msg_all_certs(ctx, msg, 0 /* using ctx->trusted */)
492 || check_msg_all_certs(ctx, msg, 1 /* 3gpp */);
506 ossl_cmp_info(ctx, "trying to verify msg signature with a valid cert that..");
508 ossl_cmp_log1(INFO, ctx, "matches msg sender = %s", sname);
510 ossl_cmp_log1(INFO, ctx, "matches msg senderKID = %s", skid_str);
512 ossl_cmp_info(ctx, "while msg header does not contain senderKID");
514 (void)check_msg_all_certs(ctx, msg, 0 /* using ctx->trusted */);
515 (void)check_msg_all_certs(ctx, msg, 1 /* 3gpp */);
520 ERR_add_error_txt(NULL, "for msg sender name = ");
524 ERR_add_error_txt(" and ", "for msg senderKID = ");
538 * else it is searched in msg->extraCerts, ctx->untrusted, in ctx->trusted
542 * If ctx->permitTAInExtraCertsForIR is true and when validating a CMP IP msg,
543 * the trust anchor for validating the IP msg may be taken from msg->extraCerts
550 int OSSL_CMP_validate_msg(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg)
555 if (ctx == NULL || msg == NULL
556 || msg->header == NULL || msg->body == NULL) {
561 if (msg->header->protectionAlg == NULL /* unprotected message */
562 || msg->protection == NULL || msg->protection->data == NULL) {
567 switch (ossl_cmp_hdr_get_protection_nid(msg->header)) {
575 if (verify_PBMAC(ctx, msg)) {
582 switch (OSSL_CMP_MSG_get_bodytype(msg)) {
590 STACK_OF(X509) *certs = msg->body->value.ip->caPubs;
627 if (check_msg_find_cert(ctx, msg))
631 if (verify_signature(ctx, msg, scrt)) {
647 * Any msg->extraCerts are prepended to ctx->untrusted.
665 int ossl_cmp_msg_check_update(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg,
671 if (!ossl_assert(ctx != NULL && msg != NULL && msg->header != NULL))
673 hdr = OSSL_CMP_MSG_get0_header(msg);
675 /* validate sender name of received msg */
693 if (sk_X509_num(msg->extraCerts) > 10)
701 * extraCerts because they do not belong to the protected msg part anyway.
704 if (!X509_add_certs(ctx->untrusted, msg->extraCerts,
713 if (!OSSL_CMP_validate_msg(ctx, msg)
714 && (cb == NULL || (*cb)(ctx, msg, 1, cb_arg) <= 0)) {
722 if (cb == NULL || (*cb)(ctx, msg, 0, cb_arg) <= 0) {
738 if (OSSL_CMP_MSG_get_bodytype(msg) < 0) {
745 /* compare received transactionID with the expected one in previous msg */
758 && (msg->header->recipNonce == NULL
786 if (!X509_add_certs(ctx->untrusted, msg->extraCerts,
799 switch (OSSL_CMP_MSG_get_bodytype(msg)) {
805 STACK_OF(X509) *certs = msg->body->value.ip->caPubs;
821 const OSSL_CMP_MSG *msg, int acceptRAVerified)
823 if (!ossl_assert(msg != NULL && msg->body != NULL))
825 switch (msg->body->type) {
828 X509_REQ *req = msg->body->value.p10cr;
842 if (!OSSL_CRMF_MSGS_verify_popo(msg->body->value.ir, OSSL_CMP_CERTREQID,