1 /*
2 * Copyright 2018-2025 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright Siemens AG 2018-2020
4 *
5 * Licensed under the Apache License 2.0 (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or atf
8 * https://www.openssl.org/source/license.html
9 */
10
11 #include "apps.h"
12 #include "cmp_mock_srv.h"
13
14 #include <openssl/cmp.h>
15 #include <openssl/err.h>
16 #include <openssl/cmperr.h>
17
18 /* the context for the CMP mock server */
19 typedef struct {
20 X509 *refCert; /* cert to expect for oldCertID in kur/rr msg */
21 X509 *certOut; /* certificate to be returned in cp/ip/kup msg */
22 EVP_PKEY *keyOut; /* Private key to be returned for central keygen */
23 X509_CRL *crlOut; /* CRL to be returned in genp for crls */
24 STACK_OF(X509) *chainOut; /* chain of certOut to add to extraCerts field */
25 STACK_OF(X509) *caPubsOut; /* used in caPubs of ip and in caCerts of genp */
26 X509 *newWithNew; /* to return in newWithNew of rootKeyUpdate */
27 X509 *newWithOld; /* to return in newWithOld of rootKeyUpdate */
28 X509 *oldWithNew; /* to return in oldWithNew of rootKeyUpdate */
29 OSSL_CMP_PKISI *statusOut; /* status for ip/cp/kup/rp msg unless polling */
30 int sendError; /* send error response on given request type */
31 OSSL_CMP_MSG *req; /* original request message during polling */
32 int pollCount; /* number of polls before actual cert response */
33 int curr_pollCount; /* number of polls so far for current request */
34 int checkAfterTime; /* time the client should wait between polling */
35 } mock_srv_ctx;
36
mock_srv_ctx_free(mock_srv_ctx * ctx)37 static void mock_srv_ctx_free(mock_srv_ctx *ctx)
38 {
39 if (ctx == NULL)
40 return;
41
42 OSSL_CMP_PKISI_free(ctx->statusOut);
43 X509_free(ctx->refCert);
44 X509_free(ctx->certOut);
45 OSSL_STACK_OF_X509_free(ctx->chainOut);
46 OSSL_STACK_OF_X509_free(ctx->caPubsOut);
47 OSSL_CMP_MSG_free(ctx->req);
48 OPENSSL_free(ctx);
49 }
50
mock_srv_ctx_new(void)51 static mock_srv_ctx *mock_srv_ctx_new(void)
52 {
53 mock_srv_ctx *ctx = OPENSSL_zalloc(sizeof(mock_srv_ctx));
54
55 if (ctx == NULL)
56 goto err;
57
58 if ((ctx->statusOut = OSSL_CMP_PKISI_new()) == NULL)
59 goto err;
60
61 ctx->sendError = -1;
62
63 /* all other elements are initialized to 0 or NULL, respectively */
64 return ctx;
65 err:
66 mock_srv_ctx_free(ctx);
67 return NULL;
68 }
69
70 #define DEFINE_OSSL_SET1_CERT(FIELD) \
71 int ossl_cmp_mock_srv_set1_##FIELD(OSSL_CMP_SRV_CTX *srv_ctx, \
72 X509 *cert) \
73 { \
74 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx); \
75 \
76 if (ctx == NULL) { \
77 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); \
78 return 0; \
79 } \
80 if (cert == NULL || X509_up_ref(cert)) { \
81 X509_free(ctx->FIELD); \
82 ctx->FIELD = cert; \
83 return 1; \
84 } \
85 return 0; \
86 }
87
88 DEFINE_OSSL_SET1_CERT(refCert)
DEFINE_OSSL_SET1_CERT(certOut)89 DEFINE_OSSL_SET1_CERT(certOut)
90
91 int ossl_cmp_mock_srv_set1_keyOut(OSSL_CMP_SRV_CTX *srv_ctx, EVP_PKEY *pkey)
92 {
93 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
94
95 if (ctx == NULL) {
96 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
97 return 0;
98 }
99 if (pkey != NULL && !EVP_PKEY_up_ref(pkey))
100 return 0;
101 EVP_PKEY_free(ctx->keyOut);
102 ctx->keyOut = pkey;
103 return 1;
104 }
105
ossl_cmp_mock_srv_set1_crlOut(OSSL_CMP_SRV_CTX * srv_ctx,X509_CRL * crl)106 int ossl_cmp_mock_srv_set1_crlOut(OSSL_CMP_SRV_CTX *srv_ctx,
107 X509_CRL *crl)
108 {
109 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
110
111 if (ctx == NULL) {
112 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
113 return 0;
114 }
115 if (crl != NULL && !X509_CRL_up_ref(crl))
116 return 0;
117 X509_CRL_free(ctx->crlOut);
118 ctx->crlOut = crl;
119 return 1;
120 }
121
ossl_cmp_mock_srv_set1_chainOut(OSSL_CMP_SRV_CTX * srv_ctx,STACK_OF (X509)* chain)122 int ossl_cmp_mock_srv_set1_chainOut(OSSL_CMP_SRV_CTX *srv_ctx,
123 STACK_OF(X509) *chain)
124 {
125 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
126 STACK_OF(X509) *chain_copy = NULL;
127
128 if (ctx == NULL) {
129 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
130 return 0;
131 }
132 if (chain != NULL && (chain_copy = X509_chain_up_ref(chain)) == NULL)
133 return 0;
134 OSSL_STACK_OF_X509_free(ctx->chainOut);
135 ctx->chainOut = chain_copy;
136 return 1;
137 }
138
ossl_cmp_mock_srv_set1_caPubsOut(OSSL_CMP_SRV_CTX * srv_ctx,STACK_OF (X509)* caPubs)139 int ossl_cmp_mock_srv_set1_caPubsOut(OSSL_CMP_SRV_CTX *srv_ctx,
140 STACK_OF(X509) *caPubs)
141 {
142 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
143 STACK_OF(X509) *caPubs_copy = NULL;
144
145 if (ctx == NULL) {
146 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
147 return 0;
148 }
149 if (caPubs != NULL && (caPubs_copy = X509_chain_up_ref(caPubs)) == NULL)
150 return 0;
151 OSSL_STACK_OF_X509_free(ctx->caPubsOut);
152 ctx->caPubsOut = caPubs_copy;
153 return 1;
154 }
155
156 DEFINE_OSSL_SET1_CERT(newWithNew)
DEFINE_OSSL_SET1_CERT(newWithOld)157 DEFINE_OSSL_SET1_CERT(newWithOld)
158 DEFINE_OSSL_SET1_CERT(oldWithNew)
159
160 int ossl_cmp_mock_srv_set_statusInfo(OSSL_CMP_SRV_CTX *srv_ctx, int status,
161 int fail_info, const char *text)
162 {
163 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
164 OSSL_CMP_PKISI *si;
165
166 if (ctx == NULL) {
167 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
168 return 0;
169 }
170 if ((si = OSSL_CMP_STATUSINFO_new(status, fail_info, text)) == NULL)
171 return 0;
172 OSSL_CMP_PKISI_free(ctx->statusOut);
173 ctx->statusOut = si;
174 return 1;
175 }
176
ossl_cmp_mock_srv_set_sendError(OSSL_CMP_SRV_CTX * srv_ctx,int bodytype)177 int ossl_cmp_mock_srv_set_sendError(OSSL_CMP_SRV_CTX *srv_ctx, int bodytype)
178 {
179 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
180
181 if (ctx == NULL) {
182 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
183 return 0;
184 }
185 /* might check bodytype, but this would require exporting all body types */
186 ctx->sendError = bodytype;
187 return 1;
188 }
189
ossl_cmp_mock_srv_set_pollCount(OSSL_CMP_SRV_CTX * srv_ctx,int count)190 int ossl_cmp_mock_srv_set_pollCount(OSSL_CMP_SRV_CTX *srv_ctx, int count)
191 {
192 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
193
194 if (ctx == NULL) {
195 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
196 return 0;
197 }
198 if (count < 0) {
199 ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS);
200 return 0;
201 }
202 ctx->pollCount = count;
203 return 1;
204 }
205
ossl_cmp_mock_srv_set_checkAfterTime(OSSL_CMP_SRV_CTX * srv_ctx,int sec)206 int ossl_cmp_mock_srv_set_checkAfterTime(OSSL_CMP_SRV_CTX *srv_ctx, int sec)
207 {
208 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
209
210 if (ctx == NULL) {
211 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
212 return 0;
213 }
214 ctx->checkAfterTime = sec;
215 return 1;
216 }
217
218 /* determine whether to delay response to (non-polling) request */
delayed_delivery(OSSL_CMP_SRV_CTX * srv_ctx,const OSSL_CMP_MSG * req)219 static int delayed_delivery(OSSL_CMP_SRV_CTX *srv_ctx, const OSSL_CMP_MSG *req)
220 {
221 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
222 int req_type = OSSL_CMP_MSG_get_bodytype(req);
223
224 if (ctx == NULL || req == NULL) {
225 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
226 return -1;
227 }
228
229 /*
230 * For ir/cr/p10cr/kur delayed delivery is handled separately in
231 * process_cert_request
232 */
233 if (req_type == OSSL_CMP_IR
234 || req_type == OSSL_CMP_CR
235 || req_type == OSSL_CMP_P10CR
236 || req_type == OSSL_CMP_KUR
237 /* Client may use error to abort the ongoing polling */
238 || req_type == OSSL_CMP_ERROR)
239 return 0;
240
241 if (ctx->pollCount > 0 && ctx->curr_pollCount == 0) {
242 /* start polling */
243 if ((ctx->req = OSSL_CMP_MSG_dup(req)) == NULL)
244 return -1;
245 return 1;
246 }
247 return 0;
248 }
249
250 /* check for matching reference cert components, as far as given */
refcert_cmp(const X509 * refcert,const X509_NAME * issuer,const ASN1_INTEGER * serial)251 static int refcert_cmp(const X509 *refcert,
252 const X509_NAME *issuer, const ASN1_INTEGER *serial)
253 {
254 const X509_NAME *ref_issuer;
255 const ASN1_INTEGER *ref_serial;
256
257 if (refcert == NULL)
258 return 1;
259 ref_issuer = X509_get_issuer_name(refcert);
260 ref_serial = X509_get0_serialNumber(refcert);
261 return (ref_issuer == NULL || X509_NAME_cmp(issuer, ref_issuer) == 0)
262 && (ref_serial == NULL || ASN1_INTEGER_cmp(serial, ref_serial) == 0);
263 }
264
265 /* reset the state that belongs to a transaction */
clean_transaction(OSSL_CMP_SRV_CTX * srv_ctx,ossl_unused const ASN1_OCTET_STRING * id)266 static int clean_transaction(OSSL_CMP_SRV_CTX *srv_ctx,
267 ossl_unused const ASN1_OCTET_STRING *id)
268 {
269 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
270
271 if (ctx == NULL) {
272 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
273 return 0;
274 }
275
276 ctx->curr_pollCount = 0;
277 OSSL_CMP_MSG_free(ctx->req);
278 ctx->req = NULL;
279 return 1;
280 }
281
process_cert_request(OSSL_CMP_SRV_CTX * srv_ctx,const OSSL_CMP_MSG * cert_req,ossl_unused int certReqId,const OSSL_CRMF_MSG * crm,const X509_REQ * p10cr,X509 ** certOut,STACK_OF (X509)** chainOut,STACK_OF (X509)** caPubs)282 static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
283 const OSSL_CMP_MSG *cert_req,
284 ossl_unused int certReqId,
285 const OSSL_CRMF_MSG *crm,
286 const X509_REQ *p10cr,
287 X509 **certOut,
288 STACK_OF(X509) **chainOut,
289 STACK_OF(X509) **caPubs)
290 {
291 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
292 int bodytype, central_keygen;
293 OSSL_CMP_PKISI *si = NULL;
294 EVP_PKEY *keyOut = NULL;
295
296 if (ctx == NULL || cert_req == NULL
297 || certOut == NULL || chainOut == NULL || caPubs == NULL) {
298 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
299 return NULL;
300 }
301 bodytype = OSSL_CMP_MSG_get_bodytype(cert_req);
302 if (ctx->sendError == 1 || ctx->sendError == bodytype) {
303 ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
304 return NULL;
305 }
306
307 *certOut = NULL;
308 *chainOut = NULL;
309 *caPubs = NULL;
310
311 if (ctx->pollCount > 0 && ctx->curr_pollCount == 0) {
312 /* start polling */
313 if ((ctx->req = OSSL_CMP_MSG_dup(cert_req)) == NULL)
314 return NULL;
315 return OSSL_CMP_STATUSINFO_new(OSSL_CMP_PKISTATUS_waiting, 0, NULL);
316 }
317 if (ctx->curr_pollCount >= ctx->pollCount)
318 /* give final response after polling */
319 ctx->curr_pollCount = 0;
320
321 /* accept cert profile for cr messages only with the configured name */
322 if (OSSL_CMP_MSG_get_bodytype(cert_req) == OSSL_CMP_CR) {
323 STACK_OF(OSSL_CMP_ITAV) *itavs = OSSL_CMP_HDR_get0_geninfo_ITAVs(OSSL_CMP_MSG_get0_header(cert_req));
324 int i;
325
326 for (i = 0; i < sk_OSSL_CMP_ITAV_num(itavs); i++) {
327 OSSL_CMP_ITAV *itav = sk_OSSL_CMP_ITAV_value(itavs, i);
328 ASN1_OBJECT *obj = OSSL_CMP_ITAV_get0_type(itav);
329 STACK_OF(ASN1_UTF8STRING) *strs;
330 ASN1_UTF8STRING *str;
331 const char *data;
332
333 if (OBJ_obj2nid(obj) == NID_id_it_certProfile) {
334 if (!OSSL_CMP_ITAV_get0_certProfile(itav, &strs))
335 return NULL;
336 if (sk_ASN1_UTF8STRING_num(strs) < 1) {
337 ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_CERTPROFILE);
338 return NULL;
339 }
340 str = sk_ASN1_UTF8STRING_value(strs, 0);
341 if (str == NULL
342 || (data = (const char *)ASN1_STRING_get0_data(str)) == NULL) {
343 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_INVALID_ARGUMENT);
344 return NULL;
345 }
346 if (strcmp(data, "profile1") != 0) {
347 ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_CERTPROFILE);
348 return NULL;
349 }
350 break;
351 }
352 }
353 }
354
355 /* accept cert update request only for the reference cert, if given */
356 if (bodytype == OSSL_CMP_KUR
357 && crm != NULL /* thus not p10cr */ && ctx->refCert != NULL) {
358 const OSSL_CRMF_CERTID *cid = OSSL_CRMF_MSG_get0_regCtrl_oldCertID(crm);
359
360 if (cid == NULL) {
361 ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_CERTID);
362 return NULL;
363 }
364 if (!refcert_cmp(ctx->refCert,
365 OSSL_CRMF_CERTID_get0_issuer(cid),
366 OSSL_CRMF_CERTID_get0_serialNumber(cid))) {
367 ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_CERTID);
368 return NULL;
369 }
370 }
371
372 if (ctx->certOut != NULL
373 && (*certOut = X509_dup(ctx->certOut)) == NULL)
374 /* Should return a cert produced from request template, see FR #16054 */
375 goto err;
376
377 central_keygen = OSSL_CRMF_MSG_centralkeygen_requested(crm, p10cr);
378 if (central_keygen < 0)
379 goto err;
380 if (central_keygen == 1
381 && (ctx->keyOut == NULL
382 || (keyOut = EVP_PKEY_dup(ctx->keyOut)) == NULL
383 || !OSSL_CMP_CTX_set0_newPkey(OSSL_CMP_SRV_CTX_get0_cmp_ctx(srv_ctx),
384 1 /* priv */, keyOut))) {
385 EVP_PKEY_free(keyOut);
386 goto err;
387 }
388 /*
389 * Note that this uses newPkey to return the private key
390 * and does not check whether the 'popo' field is absent.
391 */
392
393 if (ctx->chainOut != NULL
394 && (*chainOut = X509_chain_up_ref(ctx->chainOut)) == NULL)
395 goto err;
396 if (ctx->caPubsOut != NULL /* OSSL_CMP_PKIBODY_IP not visible here */
397 && (*caPubs = X509_chain_up_ref(ctx->caPubsOut)) == NULL)
398 goto err;
399 if (ctx->statusOut != NULL
400 && (si = OSSL_CMP_PKISI_dup(ctx->statusOut)) == NULL)
401 goto err;
402 return si;
403
404 err:
405 X509_free(*certOut);
406 *certOut = NULL;
407 OSSL_STACK_OF_X509_free(*chainOut);
408 *chainOut = NULL;
409 OSSL_STACK_OF_X509_free(*caPubs);
410 *caPubs = NULL;
411 return NULL;
412 }
413
process_rr(OSSL_CMP_SRV_CTX * srv_ctx,const OSSL_CMP_MSG * rr,const X509_NAME * issuer,const ASN1_INTEGER * serial)414 static OSSL_CMP_PKISI *process_rr(OSSL_CMP_SRV_CTX *srv_ctx,
415 const OSSL_CMP_MSG *rr,
416 const X509_NAME *issuer,
417 const ASN1_INTEGER *serial)
418 {
419 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
420
421 if (ctx == NULL || rr == NULL) {
422 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
423 return NULL;
424 }
425 if (ctx->sendError == 1
426 || ctx->sendError == OSSL_CMP_MSG_get_bodytype(rr)) {
427 ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
428 return NULL;
429 }
430
431 /* allow any RR derived from CSR which does not include issuer and serial */
432 if ((issuer != NULL || serial != NULL)
433 /* accept revocation only for the reference cert, if given */
434 && !refcert_cmp(ctx->refCert, issuer, serial)) {
435 ERR_raise_data(ERR_LIB_CMP, CMP_R_REQUEST_NOT_ACCEPTED,
436 "wrong certificate to revoke");
437 return NULL;
438 }
439 return OSSL_CMP_PKISI_dup(ctx->statusOut);
440 }
441
442 /* return -1 for error, 0 for no update available */
check_client_crl(const STACK_OF (OSSL_CMP_CRLSTATUS)* crlStatusList,const X509_CRL * crl)443 static int check_client_crl(const STACK_OF(OSSL_CMP_CRLSTATUS) *crlStatusList,
444 const X509_CRL *crl)
445 {
446 OSSL_CMP_CRLSTATUS *crlstatus;
447 DIST_POINT_NAME *dpn = NULL;
448 GENERAL_NAMES *issuer = NULL;
449 ASN1_TIME *thisupd = NULL;
450
451 if (sk_OSSL_CMP_CRLSTATUS_num(crlStatusList) != 1) {
452 ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_CRLSTATUSLIST);
453 return -1;
454 }
455 if (crl == NULL)
456 return 0;
457
458 crlstatus = sk_OSSL_CMP_CRLSTATUS_value(crlStatusList, 0);
459 if (!OSSL_CMP_CRLSTATUS_get0(crlstatus, &dpn, &issuer, &thisupd))
460 return -1;
461
462 if (issuer != NULL) {
463 GENERAL_NAME *gn = sk_GENERAL_NAME_value(issuer, 0);
464
465 if (gn != NULL && gn->type == GEN_DIRNAME) {
466 X509_NAME *gen_name = gn->d.dirn;
467
468 if (X509_NAME_cmp(gen_name, X509_CRL_get_issuer(crl)) != 0) {
469 ERR_raise(ERR_LIB_CMP, CMP_R_UNKNOWN_CRL_ISSUER);
470 return -1;
471 }
472 } else {
473 ERR_raise(ERR_LIB_CMP, CMP_R_SENDER_GENERALNAME_TYPE_NOT_SUPPORTED);
474 return -1; /* error according to RFC 9483 section 4.3.4 */
475 }
476 }
477
478 return thisupd == NULL
479 || ASN1_TIME_compare(thisupd, X509_CRL_get0_lastUpdate(crl)) < 0;
480 }
481
process_genm_itav(mock_srv_ctx * ctx,int req_nid,const OSSL_CMP_ITAV * req)482 static OSSL_CMP_ITAV *process_genm_itav(mock_srv_ctx *ctx, int req_nid,
483 const OSSL_CMP_ITAV *req)
484 {
485 OSSL_CMP_ITAV *rsp = NULL;
486
487 switch (req_nid) {
488 case NID_id_it_caCerts:
489 rsp = OSSL_CMP_ITAV_new_caCerts(ctx->caPubsOut);
490 break;
491 case NID_id_it_rootCaCert: {
492 X509 *rootcacert = NULL;
493
494 if (!OSSL_CMP_ITAV_get0_rootCaCert(req, &rootcacert))
495 return NULL;
496
497 if (rootcacert != NULL
498 && X509_NAME_cmp(X509_get_subject_name(rootcacert),
499 X509_get_subject_name(ctx->newWithNew))
500 != 0)
501 /* The subjects do not match */
502 rsp = OSSL_CMP_ITAV_new_rootCaKeyUpdate(NULL, NULL, NULL);
503 else
504 rsp = OSSL_CMP_ITAV_new_rootCaKeyUpdate(ctx->newWithNew,
505 ctx->newWithOld,
506 ctx->oldWithNew);
507 } break;
508 case NID_id_it_crlStatusList: {
509 STACK_OF(OSSL_CMP_CRLSTATUS) *crlstatuslist = NULL;
510 int res = 0;
511
512 if (!OSSL_CMP_ITAV_get0_crlStatusList(req, &crlstatuslist))
513 return NULL;
514
515 res = check_client_crl(crlstatuslist, ctx->crlOut);
516 if (res < 0)
517 rsp = NULL;
518 else
519 rsp = OSSL_CMP_ITAV_new_crls(res == 0 ? NULL : ctx->crlOut);
520 } break;
521 case NID_id_it_certReqTemplate: {
522 OSSL_CRMF_CERTTEMPLATE *reqtemp;
523 OSSL_CMP_ATAVS *keyspec = NULL;
524 X509_ALGOR *keyalg = NULL;
525 OSSL_CMP_ATAV *rsakeylen, *eckeyalg;
526 int ok = 0;
527
528 if ((reqtemp = OSSL_CRMF_CERTTEMPLATE_new()) == NULL)
529 return NULL;
530
531 if (!OSSL_CRMF_CERTTEMPLATE_fill(reqtemp, NULL, NULL,
532 X509_get_issuer_name(ctx->refCert),
533 NULL))
534 goto crt_err;
535
536 if ((keyalg = X509_ALGOR_new()) == NULL)
537 goto crt_err;
538
539 (void)X509_ALGOR_set0(keyalg, OBJ_nid2obj(NID_X9_62_id_ecPublicKey),
540 V_ASN1_UNDEF, NULL); /* cannot fail */
541
542 eckeyalg = OSSL_CMP_ATAV_new_algId(keyalg);
543 rsakeylen = OSSL_CMP_ATAV_new_rsaKeyLen(4096);
544 ok = OSSL_CMP_ATAV_push1(&keyspec, eckeyalg)
545 && OSSL_CMP_ATAV_push1(&keyspec, rsakeylen);
546 OSSL_CMP_ATAV_free(eckeyalg);
547 OSSL_CMP_ATAV_free(rsakeylen);
548 X509_ALGOR_free(keyalg);
549
550 if (!ok)
551 goto crt_err;
552
553 rsp = OSSL_CMP_ITAV_new0_certReqTemplate(reqtemp, keyspec);
554 return rsp;
555
556 crt_err:
557 OSSL_CRMF_CERTTEMPLATE_free(reqtemp);
558 OSSL_CMP_ATAVS_free(keyspec);
559 return NULL;
560 } break;
561 default:
562 rsp = OSSL_CMP_ITAV_dup(req);
563 }
564 return rsp;
565 }
566
process_genm(OSSL_CMP_SRV_CTX * srv_ctx,const OSSL_CMP_MSG * genm,const STACK_OF (OSSL_CMP_ITAV)* in,STACK_OF (OSSL_CMP_ITAV)** out)567 static int process_genm(OSSL_CMP_SRV_CTX *srv_ctx,
568 const OSSL_CMP_MSG *genm,
569 const STACK_OF(OSSL_CMP_ITAV) *in,
570 STACK_OF(OSSL_CMP_ITAV) **out)
571 {
572 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
573
574 if (ctx == NULL || genm == NULL || in == NULL || out == NULL) {
575 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
576 return 0;
577 }
578 if (ctx->sendError == 1
579 || ctx->sendError == OSSL_CMP_MSG_get_bodytype(genm)
580 || sk_OSSL_CMP_ITAV_num(in) > 1) {
581 ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
582 return 0;
583 }
584 if (sk_OSSL_CMP_ITAV_num(in) == 1) {
585 OSSL_CMP_ITAV *req = sk_OSSL_CMP_ITAV_value(in, 0), *rsp;
586 ASN1_OBJECT *obj = OSSL_CMP_ITAV_get0_type(req);
587
588 if ((*out = sk_OSSL_CMP_ITAV_new_reserve(NULL, 1)) == NULL)
589 return 0;
590 rsp = process_genm_itav(ctx, OBJ_obj2nid(obj), req);
591 if (rsp != NULL && sk_OSSL_CMP_ITAV_push(*out, rsp))
592 return 1;
593 sk_OSSL_CMP_ITAV_free(*out);
594 return 0;
595 }
596
597 *out = sk_OSSL_CMP_ITAV_deep_copy(in, OSSL_CMP_ITAV_dup,
598 OSSL_CMP_ITAV_free);
599 return *out != NULL;
600 }
601
process_error(OSSL_CMP_SRV_CTX * srv_ctx,const OSSL_CMP_MSG * error,const OSSL_CMP_PKISI * statusInfo,const ASN1_INTEGER * errorCode,const OSSL_CMP_PKIFREETEXT * errorDetails)602 static void process_error(OSSL_CMP_SRV_CTX *srv_ctx, const OSSL_CMP_MSG *error,
603 const OSSL_CMP_PKISI *statusInfo,
604 const ASN1_INTEGER *errorCode,
605 const OSSL_CMP_PKIFREETEXT *errorDetails)
606 {
607 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
608 char buf[OSSL_CMP_PKISI_BUFLEN];
609 char *sibuf;
610 int i;
611
612 if (ctx == NULL || error == NULL) {
613 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
614 return;
615 }
616
617 BIO_printf(bio_err, "mock server received error:\n");
618
619 if (statusInfo == NULL) {
620 BIO_printf(bio_err, "pkiStatusInfo absent\n");
621 } else {
622 sibuf = OSSL_CMP_snprint_PKIStatusInfo(statusInfo, buf, sizeof(buf));
623 BIO_printf(bio_err, "pkiStatusInfo: %s\n",
624 sibuf != NULL ? sibuf : "<invalid>");
625 }
626
627 if (errorCode == NULL)
628 BIO_printf(bio_err, "errorCode absent\n");
629 else
630 BIO_printf(bio_err, "errorCode: %ld\n", ASN1_INTEGER_get(errorCode));
631
632 if (sk_ASN1_UTF8STRING_num(errorDetails) <= 0) {
633 BIO_printf(bio_err, "errorDetails absent\n");
634 } else {
635 BIO_printf(bio_err, "errorDetails: ");
636 for (i = 0; i < sk_ASN1_UTF8STRING_num(errorDetails); i++) {
637 if (i > 0)
638 BIO_printf(bio_err, ", ");
639 ASN1_STRING_print_ex(bio_err,
640 sk_ASN1_UTF8STRING_value(errorDetails, i),
641 ASN1_STRFLGS_ESC_QUOTE);
642 }
643 BIO_printf(bio_err, "\n");
644 }
645 }
646
process_certConf(OSSL_CMP_SRV_CTX * srv_ctx,const OSSL_CMP_MSG * certConf,ossl_unused int certReqId,const ASN1_OCTET_STRING * certHash,const OSSL_CMP_PKISI * si)647 static int process_certConf(OSSL_CMP_SRV_CTX *srv_ctx,
648 const OSSL_CMP_MSG *certConf,
649 ossl_unused int certReqId,
650 const ASN1_OCTET_STRING *certHash,
651 const OSSL_CMP_PKISI *si)
652 {
653 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
654 ASN1_OCTET_STRING *digest;
655
656 if (ctx == NULL || certConf == NULL || certHash == NULL) {
657 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
658 return 0;
659 }
660 if (ctx->sendError == 1
661 || ctx->sendError == OSSL_CMP_MSG_get_bodytype(certConf)
662 || ctx->certOut == NULL) {
663 ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
664 return 0;
665 }
666
667 if ((digest = X509_digest_sig(ctx->certOut, NULL, NULL)) == NULL)
668 return 0;
669 if (ASN1_OCTET_STRING_cmp(certHash, digest) != 0) {
670 ASN1_OCTET_STRING_free(digest);
671 ERR_raise(ERR_LIB_CMP, CMP_R_CERTHASH_UNMATCHED);
672 return 0;
673 }
674 ASN1_OCTET_STRING_free(digest);
675 return 1;
676 }
677
678 /* return 0 on failure, 1 on success, setting *req or otherwise *check_after */
process_pollReq(OSSL_CMP_SRV_CTX * srv_ctx,const OSSL_CMP_MSG * pollReq,ossl_unused int certReqId,OSSL_CMP_MSG ** req,int64_t * check_after)679 static int process_pollReq(OSSL_CMP_SRV_CTX *srv_ctx,
680 const OSSL_CMP_MSG *pollReq,
681 ossl_unused int certReqId,
682 OSSL_CMP_MSG **req, int64_t *check_after)
683 {
684 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
685
686 if (req != NULL)
687 *req = NULL;
688 if (ctx == NULL || pollReq == NULL
689 || req == NULL || check_after == NULL) {
690 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
691 return 0;
692 }
693
694 if (ctx->sendError == 1
695 || ctx->sendError == OSSL_CMP_MSG_get_bodytype(pollReq)) {
696 ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
697 return 0;
698 }
699 if (ctx->req == NULL) { /* not currently in polling mode */
700 ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_POLLREQ);
701 return 0;
702 }
703
704 if (++ctx->curr_pollCount >= ctx->pollCount) {
705 /* end polling */
706 *req = ctx->req;
707 ctx->req = NULL;
708 *check_after = 0;
709 } else {
710 *check_after = ctx->checkAfterTime;
711 }
712 return 1;
713 }
714
ossl_cmp_mock_srv_new(OSSL_LIB_CTX * libctx,const char * propq)715 OSSL_CMP_SRV_CTX *ossl_cmp_mock_srv_new(OSSL_LIB_CTX *libctx, const char *propq)
716 {
717 OSSL_CMP_SRV_CTX *srv_ctx = OSSL_CMP_SRV_CTX_new(libctx, propq);
718 mock_srv_ctx *ctx = mock_srv_ctx_new();
719
720 if (srv_ctx != NULL && ctx != NULL
721 && OSSL_CMP_SRV_CTX_init(srv_ctx, ctx, process_cert_request,
722 process_rr, process_genm, process_error,
723 process_certConf, process_pollReq)
724 && OSSL_CMP_SRV_CTX_init_trans(srv_ctx,
725 delayed_delivery, clean_transaction))
726 return srv_ctx;
727
728 mock_srv_ctx_free(ctx);
729 OSSL_CMP_SRV_CTX_free(srv_ctx);
730 return NULL;
731 }
732
ossl_cmp_mock_srv_free(OSSL_CMP_SRV_CTX * srv_ctx)733 void ossl_cmp_mock_srv_free(OSSL_CMP_SRV_CTX *srv_ctx)
734 {
735 if (srv_ctx != NULL)
736 mock_srv_ctx_free(OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx));
737 OSSL_CMP_SRV_CTX_free(srv_ctx);
738 }
739