1 /*
2 * Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright Siemens AG 2018-2020
4 *
5 * Licensed under the Apache License 2.0 (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or atf
8 * https://www.openssl.org/source/license.html
9 */
10
11 #include "apps.h"
12 #include "cmp_mock_srv.h"
13
14 #include <openssl/cmp.h>
15 #include <openssl/err.h>
16 #include <openssl/cmperr.h>
17
18 /* the context for the CMP mock server */
19 typedef struct
20 {
21 X509 *refCert; /* cert to expect for oldCertID in kur/rr msg */
22 X509 *certOut; /* certificate to be returned in cp/ip/kup msg */
23 STACK_OF(X509) *chainOut; /* chain of certOut to add to extraCerts field */
24 STACK_OF(X509) *caPubsOut; /* certs to return in caPubs field of ip msg */
25 OSSL_CMP_PKISI *statusOut; /* status for ip/cp/kup/rp msg unless polling */
26 int sendError; /* send error response also on valid requests */
27 OSSL_CMP_MSG *certReq; /* ir/cr/p10cr/kur remembered while polling */
28 int certReqId; /* id of last ir/cr/kur, used for polling */
29 int pollCount; /* number of polls before actual cert response */
30 int curr_pollCount; /* number of polls so far for current request */
31 int checkAfterTime; /* time the client should wait between polling */
32 } mock_srv_ctx;
33
34
mock_srv_ctx_free(mock_srv_ctx * ctx)35 static void mock_srv_ctx_free(mock_srv_ctx *ctx)
36 {
37 if (ctx == NULL)
38 return;
39
40 OSSL_CMP_PKISI_free(ctx->statusOut);
41 X509_free(ctx->refCert);
42 X509_free(ctx->certOut);
43 OSSL_STACK_OF_X509_free(ctx->chainOut);
44 OSSL_STACK_OF_X509_free(ctx->caPubsOut);
45 OSSL_CMP_MSG_free(ctx->certReq);
46 OPENSSL_free(ctx);
47 }
48
mock_srv_ctx_new(void)49 static mock_srv_ctx *mock_srv_ctx_new(void)
50 {
51 mock_srv_ctx *ctx = OPENSSL_zalloc(sizeof(mock_srv_ctx));
52
53 if (ctx == NULL)
54 goto err;
55
56 if ((ctx->statusOut = OSSL_CMP_PKISI_new()) == NULL)
57 goto err;
58
59 ctx->certReqId = -1;
60
61 /* all other elements are initialized to 0 or NULL, respectively */
62 return ctx;
63 err:
64 mock_srv_ctx_free(ctx);
65 return NULL;
66 }
67
ossl_cmp_mock_srv_set1_refCert(OSSL_CMP_SRV_CTX * srv_ctx,X509 * cert)68 int ossl_cmp_mock_srv_set1_refCert(OSSL_CMP_SRV_CTX *srv_ctx, X509 *cert)
69 {
70 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
71
72 if (ctx == NULL) {
73 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
74 return 0;
75 }
76 if (cert == NULL || X509_up_ref(cert)) {
77 X509_free(ctx->refCert);
78 ctx->refCert = cert;
79 return 1;
80 }
81 return 0;
82 }
83
ossl_cmp_mock_srv_set1_certOut(OSSL_CMP_SRV_CTX * srv_ctx,X509 * cert)84 int ossl_cmp_mock_srv_set1_certOut(OSSL_CMP_SRV_CTX *srv_ctx, X509 *cert)
85 {
86 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
87
88 if (ctx == NULL) {
89 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
90 return 0;
91 }
92 if (cert == NULL || X509_up_ref(cert)) {
93 X509_free(ctx->certOut);
94 ctx->certOut = cert;
95 return 1;
96 }
97 return 0;
98 }
99
ossl_cmp_mock_srv_set1_chainOut(OSSL_CMP_SRV_CTX * srv_ctx,STACK_OF (X509)* chain)100 int ossl_cmp_mock_srv_set1_chainOut(OSSL_CMP_SRV_CTX *srv_ctx,
101 STACK_OF(X509) *chain)
102 {
103 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
104 STACK_OF(X509) *chain_copy = NULL;
105
106 if (ctx == NULL) {
107 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
108 return 0;
109 }
110 if (chain != NULL && (chain_copy = X509_chain_up_ref(chain)) == NULL)
111 return 0;
112 OSSL_STACK_OF_X509_free(ctx->chainOut);
113 ctx->chainOut = chain_copy;
114 return 1;
115 }
116
ossl_cmp_mock_srv_set1_caPubsOut(OSSL_CMP_SRV_CTX * srv_ctx,STACK_OF (X509)* caPubs)117 int ossl_cmp_mock_srv_set1_caPubsOut(OSSL_CMP_SRV_CTX *srv_ctx,
118 STACK_OF(X509) *caPubs)
119 {
120 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
121 STACK_OF(X509) *caPubs_copy = NULL;
122
123 if (ctx == NULL) {
124 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
125 return 0;
126 }
127 if (caPubs != NULL && (caPubs_copy = X509_chain_up_ref(caPubs)) == NULL)
128 return 0;
129 OSSL_STACK_OF_X509_free(ctx->caPubsOut);
130 ctx->caPubsOut = caPubs_copy;
131 return 1;
132 }
133
ossl_cmp_mock_srv_set_statusInfo(OSSL_CMP_SRV_CTX * srv_ctx,int status,int fail_info,const char * text)134 int ossl_cmp_mock_srv_set_statusInfo(OSSL_CMP_SRV_CTX *srv_ctx, int status,
135 int fail_info, const char *text)
136 {
137 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
138 OSSL_CMP_PKISI *si;
139
140 if (ctx == NULL) {
141 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
142 return 0;
143 }
144 if ((si = OSSL_CMP_STATUSINFO_new(status, fail_info, text)) == NULL)
145 return 0;
146 OSSL_CMP_PKISI_free(ctx->statusOut);
147 ctx->statusOut = si;
148 return 1;
149 }
150
ossl_cmp_mock_srv_set_send_error(OSSL_CMP_SRV_CTX * srv_ctx,int val)151 int ossl_cmp_mock_srv_set_send_error(OSSL_CMP_SRV_CTX *srv_ctx, int val)
152 {
153 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
154
155 if (ctx == NULL) {
156 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
157 return 0;
158 }
159 ctx->sendError = val != 0;
160 return 1;
161 }
162
ossl_cmp_mock_srv_set_pollCount(OSSL_CMP_SRV_CTX * srv_ctx,int count)163 int ossl_cmp_mock_srv_set_pollCount(OSSL_CMP_SRV_CTX *srv_ctx, int count)
164 {
165 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
166
167 if (ctx == NULL) {
168 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
169 return 0;
170 }
171 if (count < 0) {
172 ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS);
173 return 0;
174 }
175 ctx->pollCount = count;
176 return 1;
177 }
178
ossl_cmp_mock_srv_set_checkAfterTime(OSSL_CMP_SRV_CTX * srv_ctx,int sec)179 int ossl_cmp_mock_srv_set_checkAfterTime(OSSL_CMP_SRV_CTX *srv_ctx, int sec)
180 {
181 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
182
183 if (ctx == NULL) {
184 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
185 return 0;
186 }
187 ctx->checkAfterTime = sec;
188 return 1;
189 }
190
191 /* check for matching reference cert components, as far as given */
refcert_cmp(const X509 * refcert,const X509_NAME * issuer,const ASN1_INTEGER * serial)192 static int refcert_cmp(const X509 *refcert,
193 const X509_NAME *issuer, const ASN1_INTEGER *serial)
194 {
195 const X509_NAME *ref_issuer;
196 const ASN1_INTEGER *ref_serial;
197
198 if (refcert == NULL)
199 return 1;
200 ref_issuer = X509_get_issuer_name(refcert);
201 ref_serial = X509_get0_serialNumber(refcert);
202 return (ref_issuer == NULL || X509_NAME_cmp(issuer, ref_issuer) == 0)
203 && (ref_serial == NULL || ASN1_INTEGER_cmp(serial, ref_serial) == 0);
204 }
205
process_cert_request(OSSL_CMP_SRV_CTX * srv_ctx,const OSSL_CMP_MSG * cert_req,int certReqId,const OSSL_CRMF_MSG * crm,const X509_REQ * p10cr,X509 ** certOut,STACK_OF (X509)** chainOut,STACK_OF (X509)** caPubs)206 static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
207 const OSSL_CMP_MSG *cert_req,
208 int certReqId,
209 const OSSL_CRMF_MSG *crm,
210 const X509_REQ *p10cr,
211 X509 **certOut,
212 STACK_OF(X509) **chainOut,
213 STACK_OF(X509) **caPubs)
214 {
215 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
216 OSSL_CMP_PKISI *si = NULL;
217
218 if (ctx == NULL || cert_req == NULL
219 || certOut == NULL || chainOut == NULL || caPubs == NULL) {
220 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
221 return NULL;
222 }
223 if (ctx->sendError) {
224 ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
225 return NULL;
226 }
227
228 *certOut = NULL;
229 *chainOut = NULL;
230 *caPubs = NULL;
231 ctx->certReqId = certReqId;
232
233 if (ctx->pollCount > 0 && ctx->curr_pollCount == 0) {
234 /* start polling */
235 if (ctx->certReq != NULL) {
236 /* already in polling mode */
237 ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
238 return NULL;
239 }
240 if ((ctx->certReq = OSSL_CMP_MSG_dup(cert_req)) == NULL)
241 return NULL;
242 return OSSL_CMP_STATUSINFO_new(OSSL_CMP_PKISTATUS_waiting, 0, NULL);
243 }
244 if (ctx->curr_pollCount >= ctx->pollCount)
245 /* give final response after polling */
246 ctx->curr_pollCount = 0;
247
248 /* accept cert update request only for the reference cert, if given */
249 if (OSSL_CMP_MSG_get_bodytype(cert_req) == OSSL_CMP_KUR
250 && crm != NULL /* thus not p10cr */ && ctx->refCert != NULL) {
251 const OSSL_CRMF_CERTID *cid = OSSL_CRMF_MSG_get0_regCtrl_oldCertID(crm);
252
253 if (cid == NULL) {
254 ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_CERTID);
255 return NULL;
256 }
257 if (!refcert_cmp(ctx->refCert,
258 OSSL_CRMF_CERTID_get0_issuer(cid),
259 OSSL_CRMF_CERTID_get0_serialNumber(cid))) {
260 ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_CERTID);
261 return NULL;
262 }
263 }
264
265 if (ctx->certOut != NULL
266 && (*certOut = X509_dup(ctx->certOut)) == NULL)
267 goto err;
268 if (ctx->chainOut != NULL
269 && (*chainOut = X509_chain_up_ref(ctx->chainOut)) == NULL)
270 goto err;
271 if (ctx->caPubsOut != NULL
272 && (*caPubs = X509_chain_up_ref(ctx->caPubsOut)) == NULL)
273 goto err;
274 if (ctx->statusOut != NULL
275 && (si = OSSL_CMP_PKISI_dup(ctx->statusOut)) == NULL)
276 goto err;
277 return si;
278
279 err:
280 X509_free(*certOut);
281 *certOut = NULL;
282 OSSL_STACK_OF_X509_free(*chainOut);
283 *chainOut = NULL;
284 OSSL_STACK_OF_X509_free(*caPubs);
285 *caPubs = NULL;
286 return NULL;
287 }
288
process_rr(OSSL_CMP_SRV_CTX * srv_ctx,const OSSL_CMP_MSG * rr,const X509_NAME * issuer,const ASN1_INTEGER * serial)289 static OSSL_CMP_PKISI *process_rr(OSSL_CMP_SRV_CTX *srv_ctx,
290 const OSSL_CMP_MSG *rr,
291 const X509_NAME *issuer,
292 const ASN1_INTEGER *serial)
293 {
294 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
295
296 if (ctx == NULL || rr == NULL) {
297 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
298 return NULL;
299 }
300 if (ctx->sendError) {
301 ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
302 return NULL;
303 }
304
305 /* allow any RR derived from CSR which does not include issuer and serial */
306 if ((issuer != NULL || serial != NULL)
307 /* accept revocation only for the reference cert, if given */
308 && !refcert_cmp(ctx->refCert, issuer, serial)) {
309 ERR_raise_data(ERR_LIB_CMP, CMP_R_REQUEST_NOT_ACCEPTED,
310 "wrong certificate to revoke");
311 return NULL;
312 }
313 return OSSL_CMP_PKISI_dup(ctx->statusOut);
314 }
315
process_genm(OSSL_CMP_SRV_CTX * srv_ctx,const OSSL_CMP_MSG * genm,const STACK_OF (OSSL_CMP_ITAV)* in,STACK_OF (OSSL_CMP_ITAV)** out)316 static int process_genm(OSSL_CMP_SRV_CTX *srv_ctx,
317 const OSSL_CMP_MSG *genm,
318 const STACK_OF(OSSL_CMP_ITAV) *in,
319 STACK_OF(OSSL_CMP_ITAV) **out)
320 {
321 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
322
323 if (ctx == NULL || genm == NULL || in == NULL || out == NULL) {
324 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
325 return 0;
326 }
327 if (ctx->sendError) {
328 ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
329 return 0;
330 }
331
332 *out = sk_OSSL_CMP_ITAV_deep_copy(in, OSSL_CMP_ITAV_dup,
333 OSSL_CMP_ITAV_free);
334 return *out != NULL;
335 }
336
process_error(OSSL_CMP_SRV_CTX * srv_ctx,const OSSL_CMP_MSG * error,const OSSL_CMP_PKISI * statusInfo,const ASN1_INTEGER * errorCode,const OSSL_CMP_PKIFREETEXT * errorDetails)337 static void process_error(OSSL_CMP_SRV_CTX *srv_ctx, const OSSL_CMP_MSG *error,
338 const OSSL_CMP_PKISI *statusInfo,
339 const ASN1_INTEGER *errorCode,
340 const OSSL_CMP_PKIFREETEXT *errorDetails)
341 {
342 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
343 char buf[OSSL_CMP_PKISI_BUFLEN];
344 char *sibuf;
345 int i;
346
347 if (ctx == NULL || error == NULL) {
348 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
349 return;
350 }
351
352 BIO_printf(bio_err, "mock server received error:\n");
353
354 if (statusInfo == NULL) {
355 BIO_printf(bio_err, "pkiStatusInfo absent\n");
356 } else {
357 sibuf = OSSL_CMP_snprint_PKIStatusInfo(statusInfo, buf, sizeof(buf));
358 BIO_printf(bio_err, "pkiStatusInfo: %s\n",
359 sibuf != NULL ? sibuf: "<invalid>");
360 }
361
362 if (errorCode == NULL)
363 BIO_printf(bio_err, "errorCode absent\n");
364 else
365 BIO_printf(bio_err, "errorCode: %ld\n", ASN1_INTEGER_get(errorCode));
366
367 if (sk_ASN1_UTF8STRING_num(errorDetails) <= 0) {
368 BIO_printf(bio_err, "errorDetails absent\n");
369 } else {
370 BIO_printf(bio_err, "errorDetails: ");
371 for (i = 0; i < sk_ASN1_UTF8STRING_num(errorDetails); i++) {
372 if (i > 0)
373 BIO_printf(bio_err, ", ");
374 BIO_printf(bio_err, "\"");
375 ASN1_STRING_print(bio_err,
376 sk_ASN1_UTF8STRING_value(errorDetails, i));
377 BIO_printf(bio_err, "\"");
378 }
379 BIO_printf(bio_err, "\n");
380 }
381 }
382
process_certConf(OSSL_CMP_SRV_CTX * srv_ctx,const OSSL_CMP_MSG * certConf,int certReqId,const ASN1_OCTET_STRING * certHash,const OSSL_CMP_PKISI * si)383 static int process_certConf(OSSL_CMP_SRV_CTX *srv_ctx,
384 const OSSL_CMP_MSG *certConf, int certReqId,
385 const ASN1_OCTET_STRING *certHash,
386 const OSSL_CMP_PKISI *si)
387 {
388 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
389 ASN1_OCTET_STRING *digest;
390
391 if (ctx == NULL || certConf == NULL || certHash == NULL) {
392 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
393 return 0;
394 }
395 if (ctx->sendError || ctx->certOut == NULL) {
396 ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
397 return 0;
398 }
399
400 if (certReqId != ctx->certReqId) {
401 /* in case of error, invalid reqId -1 */
402 ERR_raise(ERR_LIB_CMP, CMP_R_BAD_REQUEST_ID);
403 return 0;
404 }
405
406 if ((digest = X509_digest_sig(ctx->certOut, NULL, NULL)) == NULL)
407 return 0;
408 if (ASN1_OCTET_STRING_cmp(certHash, digest) != 0) {
409 ASN1_OCTET_STRING_free(digest);
410 ERR_raise(ERR_LIB_CMP, CMP_R_CERTHASH_UNMATCHED);
411 return 0;
412 }
413 ASN1_OCTET_STRING_free(digest);
414 return 1;
415 }
416
process_pollReq(OSSL_CMP_SRV_CTX * srv_ctx,const OSSL_CMP_MSG * pollReq,int certReqId,OSSL_CMP_MSG ** certReq,int64_t * check_after)417 static int process_pollReq(OSSL_CMP_SRV_CTX *srv_ctx,
418 const OSSL_CMP_MSG *pollReq, int certReqId,
419 OSSL_CMP_MSG **certReq, int64_t *check_after)
420 {
421 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
422
423 if (ctx == NULL || pollReq == NULL
424 || certReq == NULL || check_after == NULL) {
425 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
426 return 0;
427 }
428 if (ctx->sendError) {
429 *certReq = NULL;
430 ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
431 return 0;
432 }
433 if (ctx->certReq == NULL) {
434 /* not currently in polling mode */
435 *certReq = NULL;
436 ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
437 return 0;
438 }
439
440 if (++ctx->curr_pollCount >= ctx->pollCount) {
441 /* end polling */
442 *certReq = ctx->certReq;
443 ctx->certReq = NULL;
444 *check_after = 0;
445 } else {
446 *certReq = NULL;
447 *check_after = ctx->checkAfterTime;
448 }
449 return 1;
450 }
451
ossl_cmp_mock_srv_new(OSSL_LIB_CTX * libctx,const char * propq)452 OSSL_CMP_SRV_CTX *ossl_cmp_mock_srv_new(OSSL_LIB_CTX *libctx, const char *propq)
453 {
454 OSSL_CMP_SRV_CTX *srv_ctx = OSSL_CMP_SRV_CTX_new(libctx, propq);
455 mock_srv_ctx *ctx = mock_srv_ctx_new();
456
457 if (srv_ctx != NULL && ctx != NULL
458 && OSSL_CMP_SRV_CTX_init(srv_ctx, ctx, process_cert_request,
459 process_rr, process_genm, process_error,
460 process_certConf, process_pollReq))
461 return srv_ctx;
462
463 mock_srv_ctx_free(ctx);
464 OSSL_CMP_SRV_CTX_free(srv_ctx);
465 return NULL;
466 }
467
ossl_cmp_mock_srv_free(OSSL_CMP_SRV_CTX * srv_ctx)468 void ossl_cmp_mock_srv_free(OSSL_CMP_SRV_CTX *srv_ctx)
469 {
470 if (srv_ctx != NULL)
471 mock_srv_ctx_free(OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx));
472 OSSL_CMP_SRV_CTX_free(srv_ctx);
473 }
474