ESS: Export three core functions, clean up TS and CMS CAdES-BES usage

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14601)

2 files changed, 43 insertions, 42 deletions

diff --git a/crypto/ess/ess_asn1.c b/crypto/ess/ess_asn1.c
index 08a0be8cc4..681ac4e727 100644
--- a/crypto/ess/ess_asn1.c
+++ b/crypto/ess/ess_asn1.c
@@ -58,12 +58,13 @@ ASN1_SEQUENCE(ESS_SIGNING_CERT_V2) = {
 IMPLEMENT_ASN1_FUNCTIONS(ESS_SIGNING_CERT_V2)
 IMPLEMENT_ASN1_DUP_FUNCTION(ESS_SIGNING_CERT_V2)
 
+/* TODO the following two functions should be moved to ../cms/ */
 /* No cms support means no CMS_SignerInfo* definitions */
 #ifndef OPENSSL_NO_CMS
 
 /*
- * Returns < 0 if attribute is not found, 1 if found, or 
- * -1 on attribute parsing failure.
+ * Returns 0 if attribute is not found, 1 if found,
+ * or -1 on attribute parsing failure.
  */
 int ossl_cms_signerinfo_get_signing_cert_v2(const CMS_SignerInfo *si,
                                             ESS_SIGNING_CERT_V2 **psc)
@@ -89,8 +90,8 @@ int ossl_cms_signerinfo_get_signing_cert_v2(const CMS_SignerInfo *si,
 }
 
 /*
- * Returns < 0 if attribute is not found, 1 if found, or 
- * -1 on attribute parsing failure.
+ * Returns 0 if attribute is not found, 1 if found,
+ * or -1 on attribute parsing failure.
  */
 int ossl_cms_signerinfo_get_signing_cert(const CMS_SignerInfo *si,
                                          ESS_SIGNING_CERT **psc)
diff --git a/crypto/ess/ess_lib.c b/crypto/ess/ess_lib.c
index 6ded9f6328..beda9c4c16 100644
--- a/crypto/ess/ess_lib.c
+++ b/crypto/ess/ess_lib.c
@@ -15,13 +15,15 @@
 #include "crypto/ess.h"
 #include "crypto/x509.h"
 
-static ESS_CERT_ID *ESS_CERT_ID_new_init(X509 *cert, int issuer_needed);
+static ESS_CERT_ID *ESS_CERT_ID_new_init(const X509 *cert,
+                                         int set_issuer_serial);
 static ESS_CERT_ID_V2 *ESS_CERT_ID_V2_new_init(const EVP_MD *hash_alg,
-                                               X509 *cert, int issuer_needed);
+                                               const X509 *cert,
+                                               int set_issuer_serial);
 
-ESS_SIGNING_CERT *ossl_ess_signing_cert_new_init(X509 *signcert,
-                                                 STACK_OF(X509) *certs,
-                                                 int issuer_needed)
+ESS_SIGNING_CERT *OSSL_ESS_signing_cert_new_init(const X509 *signcert,
+                                                 const STACK_OF(X509) *certs,
+                                                 int set_issuer_serial)
 {
     ESS_CERT_ID *cid = NULL;
     ESS_SIGNING_CERT *sc;
@@ -33,11 +35,12 @@ ESS_SIGNING_CERT *ossl_ess_signing_cert_new_init(X509 *signcert,
         && (sc->cert_ids = sk_ESS_CERT_ID_new_null()) == NULL)
         goto err;
 
-    if ((cid = ESS_CERT_ID_new_init(signcert, issuer_needed)) == NULL
+    if ((cid = ESS_CERT_ID_new_init(signcert, set_issuer_serial)) == NULL
         || !sk_ESS_CERT_ID_push(sc->cert_ids, cid))
         goto err;
     for (i = 0; i < sk_X509_num(certs); ++i) {
         X509 *cert = sk_X509_value(certs, i);
+
         if ((cid = ESS_CERT_ID_new_init(cert, 1)) == NULL
             || !sk_ESS_CERT_ID_push(sc->cert_ids, cid))
             goto err;
@@ -51,26 +54,22 @@ ESS_SIGNING_CERT *ossl_ess_signing_cert_new_init(X509 *signcert,
     return NULL;
 }
 
-static ESS_CERT_ID *ESS_CERT_ID_new_init(X509 *cert, int issuer_needed)
+static ESS_CERT_ID *ESS_CERT_ID_new_init(const X509 *cert,
+                                         int set_issuer_serial)
 {
     ESS_CERT_ID *cid = NULL;
     GENERAL_NAME *name = NULL;
     unsigned char cert_sha1[SHA_DIGEST_LENGTH];
 
-    /* Call for side-effect of computing hash and caching extensions */
-    if (!ossl_x509v3_cache_extensions(cert))
-        return NULL;
-
     if ((cid = ESS_CERT_ID_new()) == NULL)
         goto err;
-    /* TODO(3.0): fetch sha1 algorithm from providers */
     if (!X509_digest(cert, EVP_sha1(), cert_sha1, NULL))
         goto err;
     if (!ASN1_OCTET_STRING_set(cid->hash, cert_sha1, SHA_DIGEST_LENGTH))
         goto err;
 
     /* Setting the issuer/serial if requested. */
-    if (!issuer_needed)
+    if (!set_issuer_serial)
         return cid;
 
     if (cid->issuer_serial == NULL
@@ -97,10 +96,11 @@ static ESS_CERT_ID *ESS_CERT_ID_new_init(X509 *cert, int issuer_needed)
     return NULL;
 }
 
-ESS_SIGNING_CERT_V2 *ossl_ess_signing_cert_v2_new_init(const EVP_MD *hash_alg,
-                                                       X509 *signcert,
+ESS_SIGNING_CERT_V2 *OSSL_ESS_signing_cert_v2_new_init(const EVP_MD *hash_alg,
+                                                       const X509 *signcert,
+                                                       const
                                                        STACK_OF(X509) *certs,
-                                                       int issuer_needed)
+                                                       int set_issuer_serial)
 {
     ESS_CERT_ID_V2 *cid = NULL;
     ESS_SIGNING_CERT_V2 *sc;
@@ -108,7 +108,8 @@ ESS_SIGNING_CERT_V2 *ossl_ess_signing_cert_v2_new_init(const EVP_MD *hash_alg,
 
     if ((sc = ESS_SIGNING_CERT_V2_new()) == NULL)
         goto err;
-    if ((cid = ESS_CERT_ID_V2_new_init(hash_alg, signcert, issuer_needed)) == NULL)
+    cid = ESS_CERT_ID_V2_new_init(hash_alg, signcert, set_issuer_serial);
+    if (cid == NULL)
         goto err;
     if (!sk_ESS_CERT_ID_V2_push(sc->cert_ids, cid))
         goto err;
@@ -133,7 +134,8 @@ ESS_SIGNING_CERT_V2 *ossl_ess_signing_cert_v2_new_init(const EVP_MD *hash_alg,
 }
 
 static ESS_CERT_ID_V2 *ESS_CERT_ID_V2_new_init(const EVP_MD *hash_alg,
-                                               X509 *cert, int issuer_needed)
+                                               const X509 *cert,
+                                               int set_issuer_serial)
 {
     ESS_CERT_ID_V2 *cid;
     GENERAL_NAME *name = NULL;
@@ -159,14 +161,13 @@ static ESS_CERT_ID_V2 *ESS_CERT_ID_V2_new_init(const EVP_MD *hash_alg,
         cid->hash_alg = NULL;
     }
 
-    /* TODO(3.0): fetch sha1 algorithm from providers */
     if (!X509_digest(cert, hash_alg, hash, &hash_len))
         goto err;
 
     if (!ASN1_OCTET_STRING_set(cid->hash, hash, hash_len))
         goto err;
 
-    if (!issuer_needed)
+    if (!set_issuer_serial)
         return cid;
 
     if ((cid->issuer_serial = ESS_ISSUER_SERIAL_new()) == NULL)
@@ -193,6 +194,7 @@ static ESS_CERT_ID_V2 *ESS_CERT_ID_V2_new_init(const EVP_MD *hash_alg,
     return NULL;
 }
 
+/* TODO the following four functions should be moved to ../ts/ */
 ESS_SIGNING_CERT *ossl_ess_get_signing_cert(const PKCS7_SIGNER_INFO *si)
 {
     ASN1_TYPE *attr;
@@ -295,8 +297,8 @@ static int ess_issuer_serial_cmp(const ESS_ISSUER_SERIAL *is, const X509 *cert)
 }
 
 /*
- * Find cert referenced by |cid| (if not NULL, else |cidv2|) in |certs|.
- * If the cid{,v2} index is 0, the cert must be in the first in |certs| list.
+ * Find the cert in |certs| referenced by |cid| if not NULL, else by |cid_v2|.
+ * The cert must be the first one in |certs| if and only if |index| is 0.
  * Return 0 on not found, -1 on error, else 1 + the position in |certs|.
  */
 static int find(const ESS_CERT_ID *cid, const ESS_CERT_ID_V2 *cid_v2,
@@ -336,7 +338,6 @@ static int find(const ESS_CERT_ID *cid, const ESS_CERT_ID_V2 *cid_v2,
     }
     (void)ERR_pop_to_mark();
 
-    /* Look for cert with cid in the certs. */
     for (i = 0; i < sk_X509_num(certs); ++i) {
         cert = sk_X509_value(certs, i);
 
@@ -369,34 +370,33 @@ end:
     return ret;
 }
 
-/*
- * If ESSCertID and/or ESSCertIDv2 exist, which must be non-empty if given,
- * check if their first ID entry matches the signer cert first in chain
- * and each further ID entry matches any further cert in the chain.
- */
-int ossl_ess_check_signing_certs(const ESS_SIGNING_CERT *ss,
+int OSSL_ESS_check_signing_certs(const ESS_SIGNING_CERT *ss,
                                  const ESS_SIGNING_CERT_V2 *ssv2,
                                  const STACK_OF(X509) *chain,
                                  int require_signing_cert)
 {
     int n_v1 = ss == NULL ? -1 : sk_ESS_CERT_ID_num(ss->cert_ids);
     int n_v2 = ssv2 == NULL ? -1 : sk_ESS_CERT_ID_V2_num(ssv2->cert_ids);
-    int i;
+    int i, ret;
 
     if (require_signing_cert && ss == NULL && ssv2 == NULL) {
         ERR_raise(ERR_LIB_CMS, ESS_R_MISSING_SIGNING_CERTIFICATE_ATTRIBUTE);
-        return 0;
+        return -1;
     }
     if (n_v1 == 0 || n_v2 == 0) {
         ERR_raise(ERR_LIB_ESS, ESS_R_EMPTY_ESS_CERT_ID_LIST);
-        return 0;
+        return -1;
     }
     /* If both ss and ssv2 exist, as required evaluate them independently. */
-    for (i = 0; i < n_v1; i++)
-        if (find(sk_ESS_CERT_ID_value(ss->cert_ids, i), NULL, i, chain) <= 0)
-            return 0;
-    for (i = 0; i < n_v2; i++)
-        if (find(NULL, sk_ESS_CERT_ID_V2_value(ssv2->cert_ids, i), i, chain) <= 0)
-            return 0;
+    for (i = 0; i < n_v1; i++) {
+        ret = find(sk_ESS_CERT_ID_value(ss->cert_ids, i), NULL, i, chain);
+        if (ret <= 0)
+            return ret;
+    }
+    for (i = 0; i < n_v2; i++) {
+        ret = find(NULL, sk_ESS_CERT_ID_V2_value(ssv2->cert_ids, i), i, chain);
+        if (ret <= 0)
+            return ret;
+    }
     return 1;
 }