1 /*
2 * Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright Siemens AG 2018-2020
4 *
5 * Licensed under the Apache License 2.0 (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or atf
8 * https://www.openssl.org/source/license.html
9 */
10
11 #include "apps.h"
12 #include "cmp_mock_srv.h"
13
14 #include <openssl/cmp.h>
15 #include <openssl/err.h>
16 #include <openssl/cmperr.h>
17
18 /* the context for the CMP mock server */
19 typedef struct
20 {
21 X509 *refCert; /* cert to expect for oldCertID in kur/rr msg */
22 X509 *certOut; /* certificate to be returned in cp/ip/kup msg */
23 X509_CRL *crlOut; /* CRL to be returned in genp for crls */
24 STACK_OF(X509) *chainOut; /* chain of certOut to add to extraCerts field */
25 STACK_OF(X509) *caPubsOut; /* used in caPubs of ip and in caCerts of genp */
26 X509 *newWithNew; /* to return in newWithNew of rootKeyUpdate */
27 X509 *newWithOld; /* to return in newWithOld of rootKeyUpdate */
28 X509 *oldWithNew; /* to return in oldWithNew of rootKeyUpdate */
29 OSSL_CMP_PKISI *statusOut; /* status for ip/cp/kup/rp msg unless polling */
30 int sendError; /* send error response on given request type */
31 OSSL_CMP_MSG *req; /* original request message during polling */
32 int pollCount; /* number of polls before actual cert response */
33 int curr_pollCount; /* number of polls so far for current request */
34 int checkAfterTime; /* time the client should wait between polling */
35 } mock_srv_ctx;
36
mock_srv_ctx_free(mock_srv_ctx * ctx)37 static void mock_srv_ctx_free(mock_srv_ctx *ctx)
38 {
39 if (ctx == NULL)
40 return;
41
42 OSSL_CMP_PKISI_free(ctx->statusOut);
43 X509_free(ctx->refCert);
44 X509_free(ctx->certOut);
45 OSSL_STACK_OF_X509_free(ctx->chainOut);
46 OSSL_STACK_OF_X509_free(ctx->caPubsOut);
47 OSSL_CMP_MSG_free(ctx->req);
48 OPENSSL_free(ctx);
49 }
50
mock_srv_ctx_new(void)51 static mock_srv_ctx *mock_srv_ctx_new(void)
52 {
53 mock_srv_ctx *ctx = OPENSSL_zalloc(sizeof(mock_srv_ctx));
54
55 if (ctx == NULL)
56 goto err;
57
58 if ((ctx->statusOut = OSSL_CMP_PKISI_new()) == NULL)
59 goto err;
60
61 ctx->sendError = -1;
62
63 /* all other elements are initialized to 0 or NULL, respectively */
64 return ctx;
65 err:
66 mock_srv_ctx_free(ctx);
67 return NULL;
68 }
69
70 #define DEFINE_OSSL_SET1_CERT(FIELD) \
71 int ossl_cmp_mock_srv_set1_##FIELD(OSSL_CMP_SRV_CTX *srv_ctx, \
72 X509 *cert) \
73 { \
74 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx); \
75 \
76 if (ctx == NULL) { \
77 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); \
78 return 0; \
79 } \
80 if (cert == NULL || X509_up_ref(cert)) { \
81 X509_free(ctx->FIELD); \
82 ctx->FIELD = cert; \
83 return 1; \
84 } \
85 return 0; \
86 }
87
88 DEFINE_OSSL_SET1_CERT(refCert)
DEFINE_OSSL_SET1_CERT(certOut)89 DEFINE_OSSL_SET1_CERT(certOut)
90
91 int ossl_cmp_mock_srv_set1_crlOut(OSSL_CMP_SRV_CTX *srv_ctx,
92 X509_CRL *crl)
93 {
94 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
95
96 if (ctx == NULL) {
97 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
98 return 0;
99 }
100 if (crl != NULL && !X509_CRL_up_ref(crl))
101 return 0;
102 X509_CRL_free(ctx->crlOut);
103 ctx->crlOut = crl;
104 return 1;
105 }
106
ossl_cmp_mock_srv_set1_chainOut(OSSL_CMP_SRV_CTX * srv_ctx,STACK_OF (X509)* chain)107 int ossl_cmp_mock_srv_set1_chainOut(OSSL_CMP_SRV_CTX *srv_ctx,
108 STACK_OF(X509) *chain)
109 {
110 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
111 STACK_OF(X509) *chain_copy = NULL;
112
113 if (ctx == NULL) {
114 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
115 return 0;
116 }
117 if (chain != NULL && (chain_copy = X509_chain_up_ref(chain)) == NULL)
118 return 0;
119 OSSL_STACK_OF_X509_free(ctx->chainOut);
120 ctx->chainOut = chain_copy;
121 return 1;
122 }
123
ossl_cmp_mock_srv_set1_caPubsOut(OSSL_CMP_SRV_CTX * srv_ctx,STACK_OF (X509)* caPubs)124 int ossl_cmp_mock_srv_set1_caPubsOut(OSSL_CMP_SRV_CTX *srv_ctx,
125 STACK_OF(X509) *caPubs)
126 {
127 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
128 STACK_OF(X509) *caPubs_copy = NULL;
129
130 if (ctx == NULL) {
131 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
132 return 0;
133 }
134 if (caPubs != NULL && (caPubs_copy = X509_chain_up_ref(caPubs)) == NULL)
135 return 0;
136 OSSL_STACK_OF_X509_free(ctx->caPubsOut);
137 ctx->caPubsOut = caPubs_copy;
138 return 1;
139 }
140
141 DEFINE_OSSL_SET1_CERT(newWithNew)
DEFINE_OSSL_SET1_CERT(newWithOld)142 DEFINE_OSSL_SET1_CERT(newWithOld)
143 DEFINE_OSSL_SET1_CERT(oldWithNew)
144
145 int ossl_cmp_mock_srv_set_statusInfo(OSSL_CMP_SRV_CTX *srv_ctx, int status,
146 int fail_info, const char *text)
147 {
148 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
149 OSSL_CMP_PKISI *si;
150
151 if (ctx == NULL) {
152 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
153 return 0;
154 }
155 if ((si = OSSL_CMP_STATUSINFO_new(status, fail_info, text)) == NULL)
156 return 0;
157 OSSL_CMP_PKISI_free(ctx->statusOut);
158 ctx->statusOut = si;
159 return 1;
160 }
161
ossl_cmp_mock_srv_set_sendError(OSSL_CMP_SRV_CTX * srv_ctx,int bodytype)162 int ossl_cmp_mock_srv_set_sendError(OSSL_CMP_SRV_CTX *srv_ctx, int bodytype)
163 {
164 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
165
166 if (ctx == NULL) {
167 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
168 return 0;
169 }
170 /* might check bodytype, but this would require exporting all body types */
171 ctx->sendError = bodytype;
172 return 1;
173 }
174
ossl_cmp_mock_srv_set_pollCount(OSSL_CMP_SRV_CTX * srv_ctx,int count)175 int ossl_cmp_mock_srv_set_pollCount(OSSL_CMP_SRV_CTX *srv_ctx, int count)
176 {
177 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
178
179 if (ctx == NULL) {
180 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
181 return 0;
182 }
183 if (count < 0) {
184 ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS);
185 return 0;
186 }
187 ctx->pollCount = count;
188 return 1;
189 }
190
ossl_cmp_mock_srv_set_checkAfterTime(OSSL_CMP_SRV_CTX * srv_ctx,int sec)191 int ossl_cmp_mock_srv_set_checkAfterTime(OSSL_CMP_SRV_CTX *srv_ctx, int sec)
192 {
193 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
194
195 if (ctx == NULL) {
196 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
197 return 0;
198 }
199 ctx->checkAfterTime = sec;
200 return 1;
201 }
202
203 /* determine whether to delay response to (non-polling) request */
delayed_delivery(OSSL_CMP_SRV_CTX * srv_ctx,const OSSL_CMP_MSG * req)204 static int delayed_delivery(OSSL_CMP_SRV_CTX *srv_ctx, const OSSL_CMP_MSG *req)
205 {
206 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
207 int req_type = OSSL_CMP_MSG_get_bodytype(req);
208
209 if (ctx == NULL || req == NULL) {
210 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
211 return -1;
212 }
213
214 /*
215 * For ir/cr/p10cr/kur delayed delivery is handled separately in
216 * process_cert_request
217 */
218 if (req_type == OSSL_CMP_IR
219 || req_type == OSSL_CMP_CR
220 || req_type == OSSL_CMP_P10CR
221 || req_type == OSSL_CMP_KUR
222 /* Client may use error to abort the ongoing polling */
223 || req_type == OSSL_CMP_ERROR)
224 return 0;
225
226 if (ctx->pollCount > 0 && ctx->curr_pollCount == 0) {
227 /* start polling */
228 if ((ctx->req = OSSL_CMP_MSG_dup(req)) == NULL)
229 return -1;
230 return 1;
231 }
232 return 0;
233 }
234
235 /* check for matching reference cert components, as far as given */
refcert_cmp(const X509 * refcert,const X509_NAME * issuer,const ASN1_INTEGER * serial)236 static int refcert_cmp(const X509 *refcert,
237 const X509_NAME *issuer, const ASN1_INTEGER *serial)
238 {
239 const X509_NAME *ref_issuer;
240 const ASN1_INTEGER *ref_serial;
241
242 if (refcert == NULL)
243 return 1;
244 ref_issuer = X509_get_issuer_name(refcert);
245 ref_serial = X509_get0_serialNumber(refcert);
246 return (ref_issuer == NULL || X509_NAME_cmp(issuer, ref_issuer) == 0)
247 && (ref_serial == NULL || ASN1_INTEGER_cmp(serial, ref_serial) == 0);
248 }
249
250 /* reset the state that belongs to a transaction */
clean_transaction(OSSL_CMP_SRV_CTX * srv_ctx,ossl_unused const ASN1_OCTET_STRING * id)251 static int clean_transaction(OSSL_CMP_SRV_CTX *srv_ctx,
252 ossl_unused const ASN1_OCTET_STRING *id)
253 {
254 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
255
256 if (ctx == NULL) {
257 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
258 return 0;
259 }
260
261 ctx->curr_pollCount = 0;
262 OSSL_CMP_MSG_free(ctx->req);
263 ctx->req = NULL;
264 return 1;
265 }
266
process_cert_request(OSSL_CMP_SRV_CTX * srv_ctx,const OSSL_CMP_MSG * cert_req,ossl_unused int certReqId,const OSSL_CRMF_MSG * crm,const X509_REQ * p10cr,X509 ** certOut,STACK_OF (X509)** chainOut,STACK_OF (X509)** caPubs)267 static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
268 const OSSL_CMP_MSG *cert_req,
269 ossl_unused int certReqId,
270 const OSSL_CRMF_MSG *crm,
271 const X509_REQ *p10cr,
272 X509 **certOut,
273 STACK_OF(X509) **chainOut,
274 STACK_OF(X509) **caPubs)
275 {
276 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
277 int bodytype;
278 OSSL_CMP_PKISI *si = NULL;
279
280 if (ctx == NULL || cert_req == NULL
281 || certOut == NULL || chainOut == NULL || caPubs == NULL) {
282 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
283 return NULL;
284 }
285 bodytype = OSSL_CMP_MSG_get_bodytype(cert_req);
286 if (ctx->sendError == 1 || ctx->sendError == bodytype) {
287 ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
288 return NULL;
289 }
290
291 *certOut = NULL;
292 *chainOut = NULL;
293 *caPubs = NULL;
294
295 if (ctx->pollCount > 0 && ctx->curr_pollCount == 0) {
296 /* start polling */
297 if ((ctx->req = OSSL_CMP_MSG_dup(cert_req)) == NULL)
298 return NULL;
299 return OSSL_CMP_STATUSINFO_new(OSSL_CMP_PKISTATUS_waiting, 0, NULL);
300 }
301 if (ctx->curr_pollCount >= ctx->pollCount)
302 /* give final response after polling */
303 ctx->curr_pollCount = 0;
304
305 /* accept cert profile for cr messages only with the configured name */
306 if (OSSL_CMP_MSG_get_bodytype(cert_req) == OSSL_CMP_CR) {
307 STACK_OF(OSSL_CMP_ITAV) *itavs =
308 OSSL_CMP_HDR_get0_geninfo_ITAVs(OSSL_CMP_MSG_get0_header(cert_req));
309 int i;
310
311 for (i = 0; i < sk_OSSL_CMP_ITAV_num(itavs); i++) {
312 OSSL_CMP_ITAV *itav = sk_OSSL_CMP_ITAV_value(itavs, i);
313 ASN1_OBJECT *obj = OSSL_CMP_ITAV_get0_type(itav);
314 STACK_OF(ASN1_UTF8STRING) *strs;
315 ASN1_UTF8STRING *str;
316 const char *data;
317
318 if (OBJ_obj2nid(obj) == NID_id_it_certProfile) {
319 if (!OSSL_CMP_ITAV_get0_certProfile(itav, &strs))
320 return NULL;
321 if (sk_ASN1_UTF8STRING_num(strs) < 1) {
322 ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_CERTPROFILE);
323 return NULL;
324 }
325 str = sk_ASN1_UTF8STRING_value(strs, 0);
326 if (str == NULL
327 || (data =
328 (const char *)ASN1_STRING_get0_data(str)) == NULL) {
329 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_INVALID_ARGUMENT);
330 return NULL;
331 }
332 if (strcmp(data, "profile1") != 0) {
333 ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_CERTPROFILE);
334 return NULL;
335 }
336 break;
337 }
338 }
339 }
340
341 /* accept cert update request only for the reference cert, if given */
342 if (bodytype == OSSL_CMP_KUR
343 && crm != NULL /* thus not p10cr */ && ctx->refCert != NULL) {
344 const OSSL_CRMF_CERTID *cid = OSSL_CRMF_MSG_get0_regCtrl_oldCertID(crm);
345
346 if (cid == NULL) {
347 ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_CERTID);
348 return NULL;
349 }
350 if (!refcert_cmp(ctx->refCert,
351 OSSL_CRMF_CERTID_get0_issuer(cid),
352 OSSL_CRMF_CERTID_get0_serialNumber(cid))) {
353 ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_CERTID);
354 return NULL;
355 }
356 }
357
358 if (ctx->certOut != NULL
359 && (*certOut = X509_dup(ctx->certOut)) == NULL)
360 /* Should return a cert produced from request template, see FR #16054 */
361 goto err;
362 if (ctx->chainOut != NULL
363 && (*chainOut = X509_chain_up_ref(ctx->chainOut)) == NULL)
364 goto err;
365 if (ctx->caPubsOut != NULL /* OSSL_CMP_PKIBODY_IP not visible here */
366 && (*caPubs = X509_chain_up_ref(ctx->caPubsOut)) == NULL)
367 goto err;
368 if (ctx->statusOut != NULL
369 && (si = OSSL_CMP_PKISI_dup(ctx->statusOut)) == NULL)
370 goto err;
371 return si;
372
373 err:
374 X509_free(*certOut);
375 *certOut = NULL;
376 OSSL_STACK_OF_X509_free(*chainOut);
377 *chainOut = NULL;
378 OSSL_STACK_OF_X509_free(*caPubs);
379 *caPubs = NULL;
380 return NULL;
381 }
382
process_rr(OSSL_CMP_SRV_CTX * srv_ctx,const OSSL_CMP_MSG * rr,const X509_NAME * issuer,const ASN1_INTEGER * serial)383 static OSSL_CMP_PKISI *process_rr(OSSL_CMP_SRV_CTX *srv_ctx,
384 const OSSL_CMP_MSG *rr,
385 const X509_NAME *issuer,
386 const ASN1_INTEGER *serial)
387 {
388 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
389
390 if (ctx == NULL || rr == NULL) {
391 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
392 return NULL;
393 }
394 if (ctx->sendError == 1
395 || ctx->sendError == OSSL_CMP_MSG_get_bodytype(rr)) {
396 ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
397 return NULL;
398 }
399
400 /* allow any RR derived from CSR which does not include issuer and serial */
401 if ((issuer != NULL || serial != NULL)
402 /* accept revocation only for the reference cert, if given */
403 && !refcert_cmp(ctx->refCert, issuer, serial)) {
404 ERR_raise_data(ERR_LIB_CMP, CMP_R_REQUEST_NOT_ACCEPTED,
405 "wrong certificate to revoke");
406 return NULL;
407 }
408 return OSSL_CMP_PKISI_dup(ctx->statusOut);
409 }
410
411 /* return -1 for error, 0 for no update available */
check_client_crl(const STACK_OF (OSSL_CMP_CRLSTATUS)* crlStatusList,const X509_CRL * crl)412 static int check_client_crl(const STACK_OF(OSSL_CMP_CRLSTATUS) *crlStatusList,
413 const X509_CRL *crl)
414 {
415 OSSL_CMP_CRLSTATUS *crlstatus;
416 DIST_POINT_NAME *dpn = NULL;
417 GENERAL_NAMES *issuer = NULL;
418 ASN1_TIME *thisupd = NULL;
419
420 if (sk_OSSL_CMP_CRLSTATUS_num(crlStatusList) != 1) {
421 ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_CRLSTATUSLIST);
422 return -1;
423 }
424 if (crl == NULL)
425 return 0;
426
427 crlstatus = sk_OSSL_CMP_CRLSTATUS_value(crlStatusList, 0);
428 if (!OSSL_CMP_CRLSTATUS_get0(crlstatus, &dpn, &issuer, &thisupd))
429 return -1;
430
431 if (issuer != NULL) {
432 GENERAL_NAME *gn = sk_GENERAL_NAME_value(issuer, 0);
433
434 if (gn != NULL && gn->type == GEN_DIRNAME) {
435 X509_NAME *gen_name = gn->d.dirn;
436
437 if (X509_NAME_cmp(gen_name, X509_CRL_get_issuer(crl)) != 0) {
438 ERR_raise(ERR_LIB_CMP, CMP_R_UNKNOWN_CRL_ISSUER);
439 return -1;
440 }
441 } else {
442 ERR_raise(ERR_LIB_CMP, CMP_R_SENDER_GENERALNAME_TYPE_NOT_SUPPORTED);
443 return -1; /* error according to RFC 9483 section 4.3.4 */
444 }
445 }
446
447 return thisupd == NULL
448 || ASN1_TIME_compare(thisupd, X509_CRL_get0_lastUpdate(crl)) < 0;
449 }
450
process_genm_itav(mock_srv_ctx * ctx,int req_nid,const OSSL_CMP_ITAV * req)451 static OSSL_CMP_ITAV *process_genm_itav(mock_srv_ctx *ctx, int req_nid,
452 const OSSL_CMP_ITAV *req)
453 {
454 OSSL_CMP_ITAV *rsp = NULL;
455
456 switch (req_nid) {
457 case NID_id_it_caCerts:
458 rsp = OSSL_CMP_ITAV_new_caCerts(ctx->caPubsOut);
459 break;
460 case NID_id_it_rootCaCert:
461 {
462 X509 *rootcacert = NULL;
463
464 if (!OSSL_CMP_ITAV_get0_rootCaCert(req, &rootcacert))
465 return NULL;
466
467 if (rootcacert != NULL
468 && X509_NAME_cmp(X509_get_subject_name(rootcacert),
469 X509_get_subject_name(ctx->newWithNew)) != 0)
470 /* The subjects do not match */
471 rsp = OSSL_CMP_ITAV_new_rootCaKeyUpdate(NULL, NULL, NULL);
472 else
473 rsp = OSSL_CMP_ITAV_new_rootCaKeyUpdate(ctx->newWithNew,
474 ctx->newWithOld,
475 ctx->oldWithNew);
476 }
477 break;
478 case NID_id_it_crlStatusList:
479 {
480 STACK_OF(OSSL_CMP_CRLSTATUS) *crlstatuslist = NULL;
481 int res = 0;
482
483 if (!OSSL_CMP_ITAV_get0_crlStatusList(req, &crlstatuslist))
484 return NULL;
485
486 res = check_client_crl(crlstatuslist, ctx->crlOut);
487 if (res < 0)
488 rsp = NULL;
489 else
490 rsp = OSSL_CMP_ITAV_new_crls(res == 0 ? NULL : ctx->crlOut);
491 }
492 break;
493 case NID_id_it_certReqTemplate:
494 {
495 OSSL_CRMF_CERTTEMPLATE *reqtemp;
496 OSSL_CMP_ATAVS *keyspec = NULL;
497 X509_ALGOR *keyalg = NULL;
498 OSSL_CMP_ATAV *rsakeylen, *eckeyalg;
499 int ok = 0;
500
501 if ((reqtemp = OSSL_CRMF_CERTTEMPLATE_new()) == NULL)
502 return NULL;
503
504 if (!OSSL_CRMF_CERTTEMPLATE_fill(reqtemp, NULL, NULL,
505 X509_get_issuer_name(ctx->refCert),
506 NULL))
507 goto crt_err;
508
509 if ((keyalg = X509_ALGOR_new()) == NULL)
510 goto crt_err;
511
512 (void)X509_ALGOR_set0(keyalg, OBJ_nid2obj(NID_X9_62_id_ecPublicKey),
513 V_ASN1_UNDEF, NULL); /* cannot fail */
514
515 eckeyalg = OSSL_CMP_ATAV_new_algId(keyalg);
516 rsakeylen = OSSL_CMP_ATAV_new_rsaKeyLen(4096);
517 ok = OSSL_CMP_ATAV_push1(&keyspec, eckeyalg)
518 && OSSL_CMP_ATAV_push1(&keyspec, rsakeylen);
519 OSSL_CMP_ATAV_free(eckeyalg);
520 OSSL_CMP_ATAV_free(rsakeylen);
521 X509_ALGOR_free(keyalg);
522
523 if (!ok)
524 goto crt_err;
525
526 rsp = OSSL_CMP_ITAV_new0_certReqTemplate(reqtemp, keyspec);
527 return rsp;
528
529 crt_err:
530 OSSL_CRMF_CERTTEMPLATE_free(reqtemp);
531 OSSL_CMP_ATAVS_free(keyspec);
532 return NULL;
533 }
534 break;
535 default:
536 rsp = OSSL_CMP_ITAV_dup(req);
537 }
538 return rsp;
539 }
540
process_genm(OSSL_CMP_SRV_CTX * srv_ctx,const OSSL_CMP_MSG * genm,const STACK_OF (OSSL_CMP_ITAV)* in,STACK_OF (OSSL_CMP_ITAV)** out)541 static int process_genm(OSSL_CMP_SRV_CTX *srv_ctx,
542 const OSSL_CMP_MSG *genm,
543 const STACK_OF(OSSL_CMP_ITAV) *in,
544 STACK_OF(OSSL_CMP_ITAV) **out)
545 {
546 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
547
548 if (ctx == NULL || genm == NULL || in == NULL || out == NULL) {
549 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
550 return 0;
551 }
552 if (ctx->sendError == 1
553 || ctx->sendError == OSSL_CMP_MSG_get_bodytype(genm)
554 || sk_OSSL_CMP_ITAV_num(in) > 1) {
555 ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
556 return 0;
557 }
558 if (sk_OSSL_CMP_ITAV_num(in) == 1) {
559 OSSL_CMP_ITAV *req = sk_OSSL_CMP_ITAV_value(in, 0), *rsp;
560 ASN1_OBJECT *obj = OSSL_CMP_ITAV_get0_type(req);
561
562 if ((*out = sk_OSSL_CMP_ITAV_new_reserve(NULL, 1)) == NULL)
563 return 0;
564 rsp = process_genm_itav(ctx, OBJ_obj2nid(obj), req);
565 if (rsp != NULL && sk_OSSL_CMP_ITAV_push(*out, rsp))
566 return 1;
567 sk_OSSL_CMP_ITAV_free(*out);
568 return 0;
569 }
570
571 *out = sk_OSSL_CMP_ITAV_deep_copy(in, OSSL_CMP_ITAV_dup,
572 OSSL_CMP_ITAV_free);
573 return *out != NULL;
574 }
575
process_error(OSSL_CMP_SRV_CTX * srv_ctx,const OSSL_CMP_MSG * error,const OSSL_CMP_PKISI * statusInfo,const ASN1_INTEGER * errorCode,const OSSL_CMP_PKIFREETEXT * errorDetails)576 static void process_error(OSSL_CMP_SRV_CTX *srv_ctx, const OSSL_CMP_MSG *error,
577 const OSSL_CMP_PKISI *statusInfo,
578 const ASN1_INTEGER *errorCode,
579 const OSSL_CMP_PKIFREETEXT *errorDetails)
580 {
581 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
582 char buf[OSSL_CMP_PKISI_BUFLEN];
583 char *sibuf;
584 int i;
585
586 if (ctx == NULL || error == NULL) {
587 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
588 return;
589 }
590
591 BIO_printf(bio_err, "mock server received error:\n");
592
593 if (statusInfo == NULL) {
594 BIO_printf(bio_err, "pkiStatusInfo absent\n");
595 } else {
596 sibuf = OSSL_CMP_snprint_PKIStatusInfo(statusInfo, buf, sizeof(buf));
597 BIO_printf(bio_err, "pkiStatusInfo: %s\n",
598 sibuf != NULL ? sibuf: "<invalid>");
599 }
600
601 if (errorCode == NULL)
602 BIO_printf(bio_err, "errorCode absent\n");
603 else
604 BIO_printf(bio_err, "errorCode: %ld\n", ASN1_INTEGER_get(errorCode));
605
606 if (sk_ASN1_UTF8STRING_num(errorDetails) <= 0) {
607 BIO_printf(bio_err, "errorDetails absent\n");
608 } else {
609 BIO_printf(bio_err, "errorDetails: ");
610 for (i = 0; i < sk_ASN1_UTF8STRING_num(errorDetails); i++) {
611 if (i > 0)
612 BIO_printf(bio_err, ", ");
613 ASN1_STRING_print_ex(bio_err,
614 sk_ASN1_UTF8STRING_value(errorDetails, i),
615 ASN1_STRFLGS_ESC_QUOTE);
616 }
617 BIO_printf(bio_err, "\n");
618 }
619 }
620
process_certConf(OSSL_CMP_SRV_CTX * srv_ctx,const OSSL_CMP_MSG * certConf,ossl_unused int certReqId,const ASN1_OCTET_STRING * certHash,const OSSL_CMP_PKISI * si)621 static int process_certConf(OSSL_CMP_SRV_CTX *srv_ctx,
622 const OSSL_CMP_MSG *certConf,
623 ossl_unused int certReqId,
624 const ASN1_OCTET_STRING *certHash,
625 const OSSL_CMP_PKISI *si)
626 {
627 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
628 ASN1_OCTET_STRING *digest;
629
630 if (ctx == NULL || certConf == NULL || certHash == NULL) {
631 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
632 return 0;
633 }
634 if (ctx->sendError == 1
635 || ctx->sendError == OSSL_CMP_MSG_get_bodytype(certConf)
636 || ctx->certOut == NULL) {
637 ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
638 return 0;
639 }
640
641 if ((digest = X509_digest_sig(ctx->certOut, NULL, NULL)) == NULL)
642 return 0;
643 if (ASN1_OCTET_STRING_cmp(certHash, digest) != 0) {
644 ASN1_OCTET_STRING_free(digest);
645 ERR_raise(ERR_LIB_CMP, CMP_R_CERTHASH_UNMATCHED);
646 return 0;
647 }
648 ASN1_OCTET_STRING_free(digest);
649 return 1;
650 }
651
652 /* return 0 on failure, 1 on success, setting *req or otherwise *check_after */
process_pollReq(OSSL_CMP_SRV_CTX * srv_ctx,const OSSL_CMP_MSG * pollReq,ossl_unused int certReqId,OSSL_CMP_MSG ** req,int64_t * check_after)653 static int process_pollReq(OSSL_CMP_SRV_CTX *srv_ctx,
654 const OSSL_CMP_MSG *pollReq,
655 ossl_unused int certReqId,
656 OSSL_CMP_MSG **req, int64_t *check_after)
657 {
658 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
659
660 if (req != NULL)
661 *req = NULL;
662 if (ctx == NULL || pollReq == NULL
663 || req == NULL || check_after == NULL) {
664 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
665 return 0;
666 }
667
668 if (ctx->sendError == 1
669 || ctx->sendError == OSSL_CMP_MSG_get_bodytype(pollReq)) {
670 ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
671 return 0;
672 }
673 if (ctx->req == NULL) { /* not currently in polling mode */
674 ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_POLLREQ);
675 return 0;
676 }
677
678 if (++ctx->curr_pollCount >= ctx->pollCount) {
679 /* end polling */
680 *req = ctx->req;
681 ctx->req = NULL;
682 *check_after = 0;
683 } else {
684 *check_after = ctx->checkAfterTime;
685 }
686 return 1;
687 }
688
ossl_cmp_mock_srv_new(OSSL_LIB_CTX * libctx,const char * propq)689 OSSL_CMP_SRV_CTX *ossl_cmp_mock_srv_new(OSSL_LIB_CTX *libctx, const char *propq)
690 {
691 OSSL_CMP_SRV_CTX *srv_ctx = OSSL_CMP_SRV_CTX_new(libctx, propq);
692 mock_srv_ctx *ctx = mock_srv_ctx_new();
693
694 if (srv_ctx != NULL && ctx != NULL
695 && OSSL_CMP_SRV_CTX_init(srv_ctx, ctx, process_cert_request,
696 process_rr, process_genm, process_error,
697 process_certConf, process_pollReq)
698 && OSSL_CMP_SRV_CTX_init_trans(srv_ctx,
699 delayed_delivery, clean_transaction))
700 return srv_ctx;
701
702 mock_srv_ctx_free(ctx);
703 OSSL_CMP_SRV_CTX_free(srv_ctx);
704 return NULL;
705 }
706
ossl_cmp_mock_srv_free(OSSL_CMP_SRV_CTX * srv_ctx)707 void ossl_cmp_mock_srv_free(OSSL_CMP_SRV_CTX *srv_ctx)
708 {
709 if (srv_ctx != NULL)
710 mock_srv_ctx_free(OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx));
711 OSSL_CMP_SRV_CTX_free(srv_ctx);
712 }
713