1 /*
2 * Copyright 2018-2024 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright Siemens AG 2018-2020
4 *
5 * Licensed under the Apache License 2.0 (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or atf
8 * https://www.openssl.org/source/license.html
9 */
10
11 #include "apps.h"
12 #include "cmp_mock_srv.h"
13
14 #include <openssl/cmp.h>
15 #include <openssl/err.h>
16 #include <openssl/cmperr.h>
17
18 /* the context for the CMP mock server */
19 typedef struct {
20 X509 *refCert; /* cert to expect for oldCertID in kur/rr msg */
21 X509 *certOut; /* certificate to be returned in cp/ip/kup msg */
22 X509_CRL *crlOut; /* CRL to be returned in genp for crls */
23 STACK_OF(X509) *chainOut; /* chain of certOut to add to extraCerts field */
24 STACK_OF(X509) *caPubsOut; /* used in caPubs of ip and in caCerts of genp */
25 X509 *newWithNew; /* to return in newWithNew of rootKeyUpdate */
26 X509 *newWithOld; /* to return in newWithOld of rootKeyUpdate */
27 X509 *oldWithNew; /* to return in oldWithNew of rootKeyUpdate */
28 OSSL_CMP_PKISI *statusOut; /* status for ip/cp/kup/rp msg unless polling */
29 int sendError; /* send error response on given request type */
30 OSSL_CMP_MSG *req; /* original request message during polling */
31 int pollCount; /* number of polls before actual cert response */
32 int curr_pollCount; /* number of polls so far for current request */
33 int checkAfterTime; /* time the client should wait between polling */
34 } mock_srv_ctx;
35
mock_srv_ctx_free(mock_srv_ctx * ctx)36 static void mock_srv_ctx_free(mock_srv_ctx *ctx)
37 {
38 if (ctx == NULL)
39 return;
40
41 OSSL_CMP_PKISI_free(ctx->statusOut);
42 X509_free(ctx->refCert);
43 X509_free(ctx->certOut);
44 OSSL_STACK_OF_X509_free(ctx->chainOut);
45 OSSL_STACK_OF_X509_free(ctx->caPubsOut);
46 OSSL_CMP_MSG_free(ctx->req);
47 OPENSSL_free(ctx);
48 }
49
mock_srv_ctx_new(void)50 static mock_srv_ctx *mock_srv_ctx_new(void)
51 {
52 mock_srv_ctx *ctx = OPENSSL_zalloc(sizeof(mock_srv_ctx));
53
54 if (ctx == NULL)
55 goto err;
56
57 if ((ctx->statusOut = OSSL_CMP_PKISI_new()) == NULL)
58 goto err;
59
60 ctx->sendError = -1;
61
62 /* all other elements are initialized to 0 or NULL, respectively */
63 return ctx;
64 err:
65 mock_srv_ctx_free(ctx);
66 return NULL;
67 }
68
69 #define DEFINE_OSSL_SET1_CERT(FIELD) \
70 int ossl_cmp_mock_srv_set1_##FIELD(OSSL_CMP_SRV_CTX *srv_ctx, \
71 X509 *cert) \
72 { \
73 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx); \
74 \
75 if (ctx == NULL) { \
76 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); \
77 return 0; \
78 } \
79 if (cert == NULL || X509_up_ref(cert)) { \
80 X509_free(ctx->FIELD); \
81 ctx->FIELD = cert; \
82 return 1; \
83 } \
84 return 0; \
85 }
86
87 DEFINE_OSSL_SET1_CERT(refCert)
DEFINE_OSSL_SET1_CERT(certOut)88 DEFINE_OSSL_SET1_CERT(certOut)
89
90 int ossl_cmp_mock_srv_set1_crlOut(OSSL_CMP_SRV_CTX *srv_ctx,
91 X509_CRL *crl)
92 {
93 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
94
95 if (ctx == NULL) {
96 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
97 return 0;
98 }
99 if (crl != NULL && !X509_CRL_up_ref(crl))
100 return 0;
101 X509_CRL_free(ctx->crlOut);
102 ctx->crlOut = crl;
103 return 1;
104 }
105
ossl_cmp_mock_srv_set1_chainOut(OSSL_CMP_SRV_CTX * srv_ctx,STACK_OF (X509)* chain)106 int ossl_cmp_mock_srv_set1_chainOut(OSSL_CMP_SRV_CTX *srv_ctx,
107 STACK_OF(X509) *chain)
108 {
109 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
110 STACK_OF(X509) *chain_copy = NULL;
111
112 if (ctx == NULL) {
113 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
114 return 0;
115 }
116 if (chain != NULL && (chain_copy = X509_chain_up_ref(chain)) == NULL)
117 return 0;
118 OSSL_STACK_OF_X509_free(ctx->chainOut);
119 ctx->chainOut = chain_copy;
120 return 1;
121 }
122
ossl_cmp_mock_srv_set1_caPubsOut(OSSL_CMP_SRV_CTX * srv_ctx,STACK_OF (X509)* caPubs)123 int ossl_cmp_mock_srv_set1_caPubsOut(OSSL_CMP_SRV_CTX *srv_ctx,
124 STACK_OF(X509) *caPubs)
125 {
126 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
127 STACK_OF(X509) *caPubs_copy = NULL;
128
129 if (ctx == NULL) {
130 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
131 return 0;
132 }
133 if (caPubs != NULL && (caPubs_copy = X509_chain_up_ref(caPubs)) == NULL)
134 return 0;
135 OSSL_STACK_OF_X509_free(ctx->caPubsOut);
136 ctx->caPubsOut = caPubs_copy;
137 return 1;
138 }
139
140 DEFINE_OSSL_SET1_CERT(newWithNew)
DEFINE_OSSL_SET1_CERT(newWithOld)141 DEFINE_OSSL_SET1_CERT(newWithOld)
142 DEFINE_OSSL_SET1_CERT(oldWithNew)
143
144 int ossl_cmp_mock_srv_set_statusInfo(OSSL_CMP_SRV_CTX *srv_ctx, int status,
145 int fail_info, const char *text)
146 {
147 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
148 OSSL_CMP_PKISI *si;
149
150 if (ctx == NULL) {
151 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
152 return 0;
153 }
154 if ((si = OSSL_CMP_STATUSINFO_new(status, fail_info, text)) == NULL)
155 return 0;
156 OSSL_CMP_PKISI_free(ctx->statusOut);
157 ctx->statusOut = si;
158 return 1;
159 }
160
ossl_cmp_mock_srv_set_sendError(OSSL_CMP_SRV_CTX * srv_ctx,int bodytype)161 int ossl_cmp_mock_srv_set_sendError(OSSL_CMP_SRV_CTX *srv_ctx, int bodytype)
162 {
163 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
164
165 if (ctx == NULL) {
166 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
167 return 0;
168 }
169 /* might check bodytype, but this would require exporting all body types */
170 ctx->sendError = bodytype;
171 return 1;
172 }
173
ossl_cmp_mock_srv_set_pollCount(OSSL_CMP_SRV_CTX * srv_ctx,int count)174 int ossl_cmp_mock_srv_set_pollCount(OSSL_CMP_SRV_CTX *srv_ctx, int count)
175 {
176 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
177
178 if (ctx == NULL) {
179 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
180 return 0;
181 }
182 if (count < 0) {
183 ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS);
184 return 0;
185 }
186 ctx->pollCount = count;
187 return 1;
188 }
189
ossl_cmp_mock_srv_set_checkAfterTime(OSSL_CMP_SRV_CTX * srv_ctx,int sec)190 int ossl_cmp_mock_srv_set_checkAfterTime(OSSL_CMP_SRV_CTX *srv_ctx, int sec)
191 {
192 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
193
194 if (ctx == NULL) {
195 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
196 return 0;
197 }
198 ctx->checkAfterTime = sec;
199 return 1;
200 }
201
202 /* determine whether to delay response to (non-polling) request */
delayed_delivery(OSSL_CMP_SRV_CTX * srv_ctx,const OSSL_CMP_MSG * req)203 static int delayed_delivery(OSSL_CMP_SRV_CTX *srv_ctx, const OSSL_CMP_MSG *req)
204 {
205 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
206 int req_type = OSSL_CMP_MSG_get_bodytype(req);
207
208 if (ctx == NULL || req == NULL) {
209 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
210 return -1;
211 }
212
213 /*
214 * For ir/cr/p10cr/kur delayed delivery is handled separately in
215 * process_cert_request
216 */
217 if (req_type == OSSL_CMP_IR
218 || req_type == OSSL_CMP_CR
219 || req_type == OSSL_CMP_P10CR
220 || req_type == OSSL_CMP_KUR
221 /* Client may use error to abort the ongoing polling */
222 || req_type == OSSL_CMP_ERROR)
223 return 0;
224
225 if (ctx->pollCount > 0 && ctx->curr_pollCount == 0) {
226 /* start polling */
227 if ((ctx->req = OSSL_CMP_MSG_dup(req)) == NULL)
228 return -1;
229 return 1;
230 }
231 return 0;
232 }
233
234 /* check for matching reference cert components, as far as given */
refcert_cmp(const X509 * refcert,const X509_NAME * issuer,const ASN1_INTEGER * serial)235 static int refcert_cmp(const X509 *refcert,
236 const X509_NAME *issuer, const ASN1_INTEGER *serial)
237 {
238 const X509_NAME *ref_issuer;
239 const ASN1_INTEGER *ref_serial;
240
241 if (refcert == NULL)
242 return 1;
243 ref_issuer = X509_get_issuer_name(refcert);
244 ref_serial = X509_get0_serialNumber(refcert);
245 return (ref_issuer == NULL || X509_NAME_cmp(issuer, ref_issuer) == 0)
246 && (ref_serial == NULL || ASN1_INTEGER_cmp(serial, ref_serial) == 0);
247 }
248
249 /* reset the state that belongs to a transaction */
clean_transaction(OSSL_CMP_SRV_CTX * srv_ctx,ossl_unused const ASN1_OCTET_STRING * id)250 static int clean_transaction(OSSL_CMP_SRV_CTX *srv_ctx,
251 ossl_unused const ASN1_OCTET_STRING *id)
252 {
253 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
254
255 if (ctx == NULL) {
256 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
257 return 0;
258 }
259
260 ctx->curr_pollCount = 0;
261 OSSL_CMP_MSG_free(ctx->req);
262 ctx->req = NULL;
263 return 1;
264 }
265
process_cert_request(OSSL_CMP_SRV_CTX * srv_ctx,const OSSL_CMP_MSG * cert_req,ossl_unused int certReqId,const OSSL_CRMF_MSG * crm,const X509_REQ * p10cr,X509 ** certOut,STACK_OF (X509)** chainOut,STACK_OF (X509)** caPubs)266 static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
267 const OSSL_CMP_MSG *cert_req,
268 ossl_unused int certReqId,
269 const OSSL_CRMF_MSG *crm,
270 const X509_REQ *p10cr,
271 X509 **certOut,
272 STACK_OF(X509) **chainOut,
273 STACK_OF(X509) **caPubs)
274 {
275 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
276 int bodytype;
277 OSSL_CMP_PKISI *si = NULL;
278
279 if (ctx == NULL || cert_req == NULL
280 || certOut == NULL || chainOut == NULL || caPubs == NULL) {
281 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
282 return NULL;
283 }
284 bodytype = OSSL_CMP_MSG_get_bodytype(cert_req);
285 if (ctx->sendError == 1 || ctx->sendError == bodytype) {
286 ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
287 return NULL;
288 }
289
290 *certOut = NULL;
291 *chainOut = NULL;
292 *caPubs = NULL;
293
294 if (ctx->pollCount > 0 && ctx->curr_pollCount == 0) {
295 /* start polling */
296 if ((ctx->req = OSSL_CMP_MSG_dup(cert_req)) == NULL)
297 return NULL;
298 return OSSL_CMP_STATUSINFO_new(OSSL_CMP_PKISTATUS_waiting, 0, NULL);
299 }
300 if (ctx->curr_pollCount >= ctx->pollCount)
301 /* give final response after polling */
302 ctx->curr_pollCount = 0;
303
304 /* accept cert profile for cr messages only with the configured name */
305 if (OSSL_CMP_MSG_get_bodytype(cert_req) == OSSL_CMP_CR) {
306 STACK_OF(OSSL_CMP_ITAV) *itavs =
307 OSSL_CMP_HDR_get0_geninfo_ITAVs(OSSL_CMP_MSG_get0_header(cert_req));
308 int i;
309
310 for (i = 0; i < sk_OSSL_CMP_ITAV_num(itavs); i++) {
311 OSSL_CMP_ITAV *itav = sk_OSSL_CMP_ITAV_value(itavs, i);
312 ASN1_OBJECT *obj = OSSL_CMP_ITAV_get0_type(itav);
313 STACK_OF(ASN1_UTF8STRING) *strs;
314 ASN1_UTF8STRING *str;
315 const char *data;
316
317 if (OBJ_obj2nid(obj) == NID_id_it_certProfile) {
318 if (!OSSL_CMP_ITAV_get0_certProfile(itav, &strs))
319 return NULL;
320 if (sk_ASN1_UTF8STRING_num(strs) < 1) {
321 ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_CERTPROFILE);
322 return NULL;
323 }
324 str = sk_ASN1_UTF8STRING_value(strs, 0);
325 if (str == NULL
326 || (data =
327 (const char *)ASN1_STRING_get0_data(str)) == NULL) {
328 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_INVALID_ARGUMENT);
329 return NULL;
330 }
331 if (strcmp(data, "profile1") != 0) {
332 ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_CERTPROFILE);
333 return NULL;
334 }
335 break;
336 }
337 }
338 }
339
340 /* accept cert update request only for the reference cert, if given */
341 if (bodytype == OSSL_CMP_KUR
342 && crm != NULL /* thus not p10cr */ && ctx->refCert != NULL) {
343 const OSSL_CRMF_CERTID *cid = OSSL_CRMF_MSG_get0_regCtrl_oldCertID(crm);
344
345 if (cid == NULL) {
346 ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_CERTID);
347 return NULL;
348 }
349 if (!refcert_cmp(ctx->refCert,
350 OSSL_CRMF_CERTID_get0_issuer(cid),
351 OSSL_CRMF_CERTID_get0_serialNumber(cid))) {
352 ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_CERTID);
353 return NULL;
354 }
355 }
356
357 if (ctx->certOut != NULL
358 && (*certOut = X509_dup(ctx->certOut)) == NULL)
359 /* Should return a cert produced from request template, see FR #16054 */
360 goto err;
361 if (ctx->chainOut != NULL
362 && (*chainOut = X509_chain_up_ref(ctx->chainOut)) == NULL)
363 goto err;
364 if (ctx->caPubsOut != NULL /* OSSL_CMP_PKIBODY_IP not visible here */
365 && (*caPubs = X509_chain_up_ref(ctx->caPubsOut)) == NULL)
366 goto err;
367 if (ctx->statusOut != NULL
368 && (si = OSSL_CMP_PKISI_dup(ctx->statusOut)) == NULL)
369 goto err;
370 return si;
371
372 err:
373 X509_free(*certOut);
374 *certOut = NULL;
375 OSSL_STACK_OF_X509_free(*chainOut);
376 *chainOut = NULL;
377 OSSL_STACK_OF_X509_free(*caPubs);
378 *caPubs = NULL;
379 return NULL;
380 }
381
process_rr(OSSL_CMP_SRV_CTX * srv_ctx,const OSSL_CMP_MSG * rr,const X509_NAME * issuer,const ASN1_INTEGER * serial)382 static OSSL_CMP_PKISI *process_rr(OSSL_CMP_SRV_CTX *srv_ctx,
383 const OSSL_CMP_MSG *rr,
384 const X509_NAME *issuer,
385 const ASN1_INTEGER *serial)
386 {
387 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
388
389 if (ctx == NULL || rr == NULL) {
390 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
391 return NULL;
392 }
393 if (ctx->sendError == 1
394 || ctx->sendError == OSSL_CMP_MSG_get_bodytype(rr)) {
395 ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
396 return NULL;
397 }
398
399 /* allow any RR derived from CSR which does not include issuer and serial */
400 if ((issuer != NULL || serial != NULL)
401 /* accept revocation only for the reference cert, if given */
402 && !refcert_cmp(ctx->refCert, issuer, serial)) {
403 ERR_raise_data(ERR_LIB_CMP, CMP_R_REQUEST_NOT_ACCEPTED,
404 "wrong certificate to revoke");
405 return NULL;
406 }
407 return OSSL_CMP_PKISI_dup(ctx->statusOut);
408 }
409
410 /* return -1 for error, 0 for no update available */
check_client_crl(const STACK_OF (OSSL_CMP_CRLSTATUS)* crlStatusList,const X509_CRL * crl)411 static int check_client_crl(const STACK_OF(OSSL_CMP_CRLSTATUS) *crlStatusList,
412 const X509_CRL *crl)
413 {
414 OSSL_CMP_CRLSTATUS *crlstatus;
415 DIST_POINT_NAME *dpn = NULL;
416 GENERAL_NAMES *issuer = NULL;
417 ASN1_TIME *thisupd = NULL;
418
419 if (sk_OSSL_CMP_CRLSTATUS_num(crlStatusList) != 1) {
420 ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_CRLSTATUSLIST);
421 return -1;
422 }
423 if (crl == NULL)
424 return 0;
425
426 crlstatus = sk_OSSL_CMP_CRLSTATUS_value(crlStatusList, 0);
427 if (!OSSL_CMP_CRLSTATUS_get0(crlstatus, &dpn, &issuer, &thisupd))
428 return -1;
429
430 if (issuer != NULL) {
431 GENERAL_NAME *gn = sk_GENERAL_NAME_value(issuer, 0);
432
433 if (gn != NULL && gn->type == GEN_DIRNAME) {
434 X509_NAME *gen_name = gn->d.dirn;
435
436 if (X509_NAME_cmp(gen_name, X509_CRL_get_issuer(crl)) != 0) {
437 ERR_raise(ERR_LIB_CMP, CMP_R_UNKNOWN_CRL_ISSUER);
438 return -1;
439 }
440 } else {
441 ERR_raise(ERR_LIB_CMP, CMP_R_SENDER_GENERALNAME_TYPE_NOT_SUPPORTED);
442 return -1; /* error according to RFC 9483 section 4.3.4 */
443 }
444 }
445
446 return thisupd == NULL
447 || ASN1_TIME_compare(thisupd, X509_CRL_get0_lastUpdate(crl)) < 0;
448 }
449
process_genm_itav(mock_srv_ctx * ctx,int req_nid,const OSSL_CMP_ITAV * req)450 static OSSL_CMP_ITAV *process_genm_itav(mock_srv_ctx *ctx, int req_nid,
451 const OSSL_CMP_ITAV *req)
452 {
453 OSSL_CMP_ITAV *rsp = NULL;
454
455 switch (req_nid) {
456 case NID_id_it_caCerts:
457 rsp = OSSL_CMP_ITAV_new_caCerts(ctx->caPubsOut);
458 break;
459 case NID_id_it_rootCaCert:
460 {
461 X509 *rootcacert = NULL;
462
463 if (!OSSL_CMP_ITAV_get0_rootCaCert(req, &rootcacert))
464 return NULL;
465
466 if (rootcacert != NULL
467 && X509_NAME_cmp(X509_get_subject_name(rootcacert),
468 X509_get_subject_name(ctx->newWithNew)) != 0)
469 /* The subjects do not match */
470 rsp = OSSL_CMP_ITAV_new_rootCaKeyUpdate(NULL, NULL, NULL);
471 else
472 rsp = OSSL_CMP_ITAV_new_rootCaKeyUpdate(ctx->newWithNew,
473 ctx->newWithOld,
474 ctx->oldWithNew);
475 }
476 break;
477 case NID_id_it_crlStatusList:
478 {
479 STACK_OF(OSSL_CMP_CRLSTATUS) *crlstatuslist = NULL;
480 int res = 0;
481
482 if (!OSSL_CMP_ITAV_get0_crlStatusList(req, &crlstatuslist))
483 return NULL;
484
485 res = check_client_crl(crlstatuslist, ctx->crlOut);
486 if (res < 0)
487 rsp = NULL;
488 else
489 rsp = OSSL_CMP_ITAV_new_crls(res == 0 ? NULL : ctx->crlOut);
490 }
491 break;
492 case NID_id_it_certReqTemplate:
493 {
494 OSSL_CRMF_CERTTEMPLATE *reqtemp;
495 OSSL_CMP_ATAVS *keyspec = NULL;
496 X509_ALGOR *keyalg = NULL;
497 OSSL_CMP_ATAV *rsakeylen, *eckeyalg;
498 int ok = 0;
499
500 if ((reqtemp = OSSL_CRMF_CERTTEMPLATE_new()) == NULL)
501 return NULL;
502
503 if (!OSSL_CRMF_CERTTEMPLATE_fill(reqtemp, NULL, NULL,
504 X509_get_issuer_name(ctx->refCert),
505 NULL))
506 goto crt_err;
507
508 if ((keyalg = X509_ALGOR_new()) == NULL)
509 goto crt_err;
510
511 (void)X509_ALGOR_set0(keyalg, OBJ_nid2obj(NID_X9_62_id_ecPublicKey),
512 V_ASN1_UNDEF, NULL); /* cannot fail */
513
514 eckeyalg = OSSL_CMP_ATAV_new_algId(keyalg);
515 rsakeylen = OSSL_CMP_ATAV_new_rsaKeyLen(4096);
516 ok = OSSL_CMP_ATAV_push1(&keyspec, eckeyalg)
517 && OSSL_CMP_ATAV_push1(&keyspec, rsakeylen);
518 OSSL_CMP_ATAV_free(eckeyalg);
519 OSSL_CMP_ATAV_free(rsakeylen);
520 X509_ALGOR_free(keyalg);
521
522 if (!ok)
523 goto crt_err;
524
525 rsp = OSSL_CMP_ITAV_new0_certReqTemplate(reqtemp, keyspec);
526 return rsp;
527
528 crt_err:
529 OSSL_CRMF_CERTTEMPLATE_free(reqtemp);
530 OSSL_CMP_ATAVS_free(keyspec);
531 return NULL;
532 }
533 break;
534 default:
535 rsp = OSSL_CMP_ITAV_dup(req);
536 }
537 return rsp;
538 }
539
process_genm(OSSL_CMP_SRV_CTX * srv_ctx,const OSSL_CMP_MSG * genm,const STACK_OF (OSSL_CMP_ITAV)* in,STACK_OF (OSSL_CMP_ITAV)** out)540 static int process_genm(OSSL_CMP_SRV_CTX *srv_ctx,
541 const OSSL_CMP_MSG *genm,
542 const STACK_OF(OSSL_CMP_ITAV) *in,
543 STACK_OF(OSSL_CMP_ITAV) **out)
544 {
545 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
546
547 if (ctx == NULL || genm == NULL || in == NULL || out == NULL) {
548 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
549 return 0;
550 }
551 if (ctx->sendError == 1
552 || ctx->sendError == OSSL_CMP_MSG_get_bodytype(genm)
553 || sk_OSSL_CMP_ITAV_num(in) > 1) {
554 ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
555 return 0;
556 }
557 if (sk_OSSL_CMP_ITAV_num(in) == 1) {
558 OSSL_CMP_ITAV *req = sk_OSSL_CMP_ITAV_value(in, 0), *rsp;
559 ASN1_OBJECT *obj = OSSL_CMP_ITAV_get0_type(req);
560
561 if ((*out = sk_OSSL_CMP_ITAV_new_reserve(NULL, 1)) == NULL)
562 return 0;
563 rsp = process_genm_itav(ctx, OBJ_obj2nid(obj), req);
564 if (rsp != NULL && sk_OSSL_CMP_ITAV_push(*out, rsp))
565 return 1;
566 sk_OSSL_CMP_ITAV_free(*out);
567 return 0;
568 }
569
570 *out = sk_OSSL_CMP_ITAV_deep_copy(in, OSSL_CMP_ITAV_dup,
571 OSSL_CMP_ITAV_free);
572 return *out != NULL;
573 }
574
process_error(OSSL_CMP_SRV_CTX * srv_ctx,const OSSL_CMP_MSG * error,const OSSL_CMP_PKISI * statusInfo,const ASN1_INTEGER * errorCode,const OSSL_CMP_PKIFREETEXT * errorDetails)575 static void process_error(OSSL_CMP_SRV_CTX *srv_ctx, const OSSL_CMP_MSG *error,
576 const OSSL_CMP_PKISI *statusInfo,
577 const ASN1_INTEGER *errorCode,
578 const OSSL_CMP_PKIFREETEXT *errorDetails)
579 {
580 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
581 char buf[OSSL_CMP_PKISI_BUFLEN];
582 char *sibuf;
583 int i;
584
585 if (ctx == NULL || error == NULL) {
586 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
587 return;
588 }
589
590 BIO_printf(bio_err, "mock server received error:\n");
591
592 if (statusInfo == NULL) {
593 BIO_printf(bio_err, "pkiStatusInfo absent\n");
594 } else {
595 sibuf = OSSL_CMP_snprint_PKIStatusInfo(statusInfo, buf, sizeof(buf));
596 BIO_printf(bio_err, "pkiStatusInfo: %s\n",
597 sibuf != NULL ? sibuf: "<invalid>");
598 }
599
600 if (errorCode == NULL)
601 BIO_printf(bio_err, "errorCode absent\n");
602 else
603 BIO_printf(bio_err, "errorCode: %ld\n", ASN1_INTEGER_get(errorCode));
604
605 if (sk_ASN1_UTF8STRING_num(errorDetails) <= 0) {
606 BIO_printf(bio_err, "errorDetails absent\n");
607 } else {
608 BIO_printf(bio_err, "errorDetails: ");
609 for (i = 0; i < sk_ASN1_UTF8STRING_num(errorDetails); i++) {
610 if (i > 0)
611 BIO_printf(bio_err, ", ");
612 ASN1_STRING_print_ex(bio_err,
613 sk_ASN1_UTF8STRING_value(errorDetails, i),
614 ASN1_STRFLGS_ESC_QUOTE);
615 }
616 BIO_printf(bio_err, "\n");
617 }
618 }
619
process_certConf(OSSL_CMP_SRV_CTX * srv_ctx,const OSSL_CMP_MSG * certConf,ossl_unused int certReqId,const ASN1_OCTET_STRING * certHash,const OSSL_CMP_PKISI * si)620 static int process_certConf(OSSL_CMP_SRV_CTX *srv_ctx,
621 const OSSL_CMP_MSG *certConf,
622 ossl_unused int certReqId,
623 const ASN1_OCTET_STRING *certHash,
624 const OSSL_CMP_PKISI *si)
625 {
626 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
627 ASN1_OCTET_STRING *digest;
628
629 if (ctx == NULL || certConf == NULL || certHash == NULL) {
630 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
631 return 0;
632 }
633 if (ctx->sendError == 1
634 || ctx->sendError == OSSL_CMP_MSG_get_bodytype(certConf)
635 || ctx->certOut == NULL) {
636 ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
637 return 0;
638 }
639
640 if ((digest = X509_digest_sig(ctx->certOut, NULL, NULL)) == NULL)
641 return 0;
642 if (ASN1_OCTET_STRING_cmp(certHash, digest) != 0) {
643 ASN1_OCTET_STRING_free(digest);
644 ERR_raise(ERR_LIB_CMP, CMP_R_CERTHASH_UNMATCHED);
645 return 0;
646 }
647 ASN1_OCTET_STRING_free(digest);
648 return 1;
649 }
650
651 /* return 0 on failure, 1 on success, setting *req or otherwise *check_after */
process_pollReq(OSSL_CMP_SRV_CTX * srv_ctx,const OSSL_CMP_MSG * pollReq,ossl_unused int certReqId,OSSL_CMP_MSG ** req,int64_t * check_after)652 static int process_pollReq(OSSL_CMP_SRV_CTX *srv_ctx,
653 const OSSL_CMP_MSG *pollReq,
654 ossl_unused int certReqId,
655 OSSL_CMP_MSG **req, int64_t *check_after)
656 {
657 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
658
659 if (req != NULL)
660 *req = NULL;
661 if (ctx == NULL || pollReq == NULL
662 || req == NULL || check_after == NULL) {
663 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
664 return 0;
665 }
666
667 if (ctx->sendError == 1
668 || ctx->sendError == OSSL_CMP_MSG_get_bodytype(pollReq)) {
669 ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
670 return 0;
671 }
672 if (ctx->req == NULL) { /* not currently in polling mode */
673 ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_POLLREQ);
674 return 0;
675 }
676
677 if (++ctx->curr_pollCount >= ctx->pollCount) {
678 /* end polling */
679 *req = ctx->req;
680 ctx->req = NULL;
681 *check_after = 0;
682 } else {
683 *check_after = ctx->checkAfterTime;
684 }
685 return 1;
686 }
687
ossl_cmp_mock_srv_new(OSSL_LIB_CTX * libctx,const char * propq)688 OSSL_CMP_SRV_CTX *ossl_cmp_mock_srv_new(OSSL_LIB_CTX *libctx, const char *propq)
689 {
690 OSSL_CMP_SRV_CTX *srv_ctx = OSSL_CMP_SRV_CTX_new(libctx, propq);
691 mock_srv_ctx *ctx = mock_srv_ctx_new();
692
693 if (srv_ctx != NULL && ctx != NULL
694 && OSSL_CMP_SRV_CTX_init(srv_ctx, ctx, process_cert_request,
695 process_rr, process_genm, process_error,
696 process_certConf, process_pollReq)
697 && OSSL_CMP_SRV_CTX_init_trans(srv_ctx,
698 delayed_delivery, clean_transaction))
699 return srv_ctx;
700
701 mock_srv_ctx_free(ctx);
702 OSSL_CMP_SRV_CTX_free(srv_ctx);
703 return NULL;
704 }
705
ossl_cmp_mock_srv_free(OSSL_CMP_SRV_CTX * srv_ctx)706 void ossl_cmp_mock_srv_free(OSSL_CMP_SRV_CTX *srv_ctx)
707 {
708 if (srv_ctx != NULL)
709 mock_srv_ctx_free(OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx));
710 OSSL_CMP_SRV_CTX_free(srv_ctx);
711 }
712