1 /*
2 * Copyright 2018-2025 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright Siemens AG 2018-2020
4 *
5 * Licensed under the Apache License 2.0 (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or atf
8 * https://www.openssl.org/source/license.html
9 */
10
11 #include "apps.h"
12 #include "cmp_mock_srv.h"
13
14 #include <openssl/cmp.h>
15 #include <openssl/err.h>
16 #include <openssl/cmperr.h>
17
18 /* the context for the CMP mock server */
19 typedef struct {
20 X509 *refCert; /* cert to expect for oldCertID in kur/rr msg */
21 X509 *certOut; /* certificate to be returned in cp/ip/kup msg */
22 EVP_PKEY *keyOut; /* Private key to be returned for central keygen */
23 X509_CRL *crlOut; /* CRL to be returned in genp for crls */
24 STACK_OF(X509) *chainOut; /* chain of certOut to add to extraCerts field */
25 STACK_OF(X509) *caPubsOut; /* used in caPubs of ip and in caCerts of genp */
26 X509 *newWithNew; /* to return in newWithNew of rootKeyUpdate */
27 X509 *newWithOld; /* to return in newWithOld of rootKeyUpdate */
28 X509 *oldWithNew; /* to return in oldWithNew of rootKeyUpdate */
29 OSSL_CMP_PKISI *statusOut; /* status for ip/cp/kup/rp msg unless polling */
30 int sendError; /* send error response on given request type */
31 OSSL_CMP_MSG *req; /* original request message during polling */
32 int pollCount; /* number of polls before actual cert response */
33 int curr_pollCount; /* number of polls so far for current request */
34 int checkAfterTime; /* time the client should wait between polling */
35 } mock_srv_ctx;
36
mock_srv_ctx_free(mock_srv_ctx * ctx)37 static void mock_srv_ctx_free(mock_srv_ctx *ctx)
38 {
39 if (ctx == NULL)
40 return;
41
42 OSSL_CMP_PKISI_free(ctx->statusOut);
43 X509_free(ctx->refCert);
44 X509_free(ctx->certOut);
45 OSSL_STACK_OF_X509_free(ctx->chainOut);
46 OSSL_STACK_OF_X509_free(ctx->caPubsOut);
47 OSSL_CMP_MSG_free(ctx->req);
48 OPENSSL_free(ctx);
49 }
50
mock_srv_ctx_new(void)51 static mock_srv_ctx *mock_srv_ctx_new(void)
52 {
53 mock_srv_ctx *ctx = OPENSSL_zalloc(sizeof(mock_srv_ctx));
54
55 if (ctx == NULL)
56 goto err;
57
58 if ((ctx->statusOut = OSSL_CMP_PKISI_new()) == NULL)
59 goto err;
60
61 ctx->sendError = -1;
62
63 /* all other elements are initialized to 0 or NULL, respectively */
64 return ctx;
65 err:
66 mock_srv_ctx_free(ctx);
67 return NULL;
68 }
69
70 #define DEFINE_OSSL_SET1_CERT(FIELD) \
71 int ossl_cmp_mock_srv_set1_##FIELD(OSSL_CMP_SRV_CTX *srv_ctx, \
72 X509 *cert) \
73 { \
74 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx); \
75 \
76 if (ctx == NULL) { \
77 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); \
78 return 0; \
79 } \
80 if (cert == NULL || X509_up_ref(cert)) { \
81 X509_free(ctx->FIELD); \
82 ctx->FIELD = cert; \
83 return 1; \
84 } \
85 return 0; \
86 }
87
88 DEFINE_OSSL_SET1_CERT(refCert)
DEFINE_OSSL_SET1_CERT(certOut)89 DEFINE_OSSL_SET1_CERT(certOut)
90
91 int ossl_cmp_mock_srv_set1_keyOut(OSSL_CMP_SRV_CTX *srv_ctx, EVP_PKEY *pkey)
92 {
93 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
94
95 if (ctx == NULL) {
96 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
97 return 0;
98 }
99 if (pkey != NULL && !EVP_PKEY_up_ref(pkey))
100 return 0;
101 EVP_PKEY_free(ctx->keyOut);
102 ctx->keyOut = pkey;
103 return 1;
104 }
105
ossl_cmp_mock_srv_set1_crlOut(OSSL_CMP_SRV_CTX * srv_ctx,X509_CRL * crl)106 int ossl_cmp_mock_srv_set1_crlOut(OSSL_CMP_SRV_CTX *srv_ctx,
107 X509_CRL *crl)
108 {
109 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
110
111 if (ctx == NULL) {
112 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
113 return 0;
114 }
115 if (crl != NULL && !X509_CRL_up_ref(crl))
116 return 0;
117 X509_CRL_free(ctx->crlOut);
118 ctx->crlOut = crl;
119 return 1;
120 }
121
ossl_cmp_mock_srv_set1_chainOut(OSSL_CMP_SRV_CTX * srv_ctx,STACK_OF (X509)* chain)122 int ossl_cmp_mock_srv_set1_chainOut(OSSL_CMP_SRV_CTX *srv_ctx,
123 STACK_OF(X509) *chain)
124 {
125 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
126 STACK_OF(X509) *chain_copy = NULL;
127
128 if (ctx == NULL) {
129 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
130 return 0;
131 }
132 if (chain != NULL && (chain_copy = X509_chain_up_ref(chain)) == NULL)
133 return 0;
134 OSSL_STACK_OF_X509_free(ctx->chainOut);
135 ctx->chainOut = chain_copy;
136 return 1;
137 }
138
ossl_cmp_mock_srv_set1_caPubsOut(OSSL_CMP_SRV_CTX * srv_ctx,STACK_OF (X509)* caPubs)139 int ossl_cmp_mock_srv_set1_caPubsOut(OSSL_CMP_SRV_CTX *srv_ctx,
140 STACK_OF(X509) *caPubs)
141 {
142 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
143 STACK_OF(X509) *caPubs_copy = NULL;
144
145 if (ctx == NULL) {
146 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
147 return 0;
148 }
149 if (caPubs != NULL && (caPubs_copy = X509_chain_up_ref(caPubs)) == NULL)
150 return 0;
151 OSSL_STACK_OF_X509_free(ctx->caPubsOut);
152 ctx->caPubsOut = caPubs_copy;
153 return 1;
154 }
155
156 DEFINE_OSSL_SET1_CERT(newWithNew)
DEFINE_OSSL_SET1_CERT(newWithOld)157 DEFINE_OSSL_SET1_CERT(newWithOld)
158 DEFINE_OSSL_SET1_CERT(oldWithNew)
159
160 int ossl_cmp_mock_srv_set_statusInfo(OSSL_CMP_SRV_CTX *srv_ctx, int status,
161 int fail_info, const char *text)
162 {
163 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
164 OSSL_CMP_PKISI *si;
165
166 if (ctx == NULL) {
167 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
168 return 0;
169 }
170 if ((si = OSSL_CMP_STATUSINFO_new(status, fail_info, text)) == NULL)
171 return 0;
172 OSSL_CMP_PKISI_free(ctx->statusOut);
173 ctx->statusOut = si;
174 return 1;
175 }
176
ossl_cmp_mock_srv_set_sendError(OSSL_CMP_SRV_CTX * srv_ctx,int bodytype)177 int ossl_cmp_mock_srv_set_sendError(OSSL_CMP_SRV_CTX *srv_ctx, int bodytype)
178 {
179 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
180
181 if (ctx == NULL) {
182 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
183 return 0;
184 }
185 /* might check bodytype, but this would require exporting all body types */
186 ctx->sendError = bodytype;
187 return 1;
188 }
189
ossl_cmp_mock_srv_set_pollCount(OSSL_CMP_SRV_CTX * srv_ctx,int count)190 int ossl_cmp_mock_srv_set_pollCount(OSSL_CMP_SRV_CTX *srv_ctx, int count)
191 {
192 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
193
194 if (ctx == NULL) {
195 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
196 return 0;
197 }
198 if (count < 0) {
199 ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS);
200 return 0;
201 }
202 ctx->pollCount = count;
203 return 1;
204 }
205
ossl_cmp_mock_srv_set_checkAfterTime(OSSL_CMP_SRV_CTX * srv_ctx,int sec)206 int ossl_cmp_mock_srv_set_checkAfterTime(OSSL_CMP_SRV_CTX *srv_ctx, int sec)
207 {
208 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
209
210 if (ctx == NULL) {
211 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
212 return 0;
213 }
214 ctx->checkAfterTime = sec;
215 return 1;
216 }
217
218 /* determine whether to delay response to (non-polling) request */
delayed_delivery(OSSL_CMP_SRV_CTX * srv_ctx,const OSSL_CMP_MSG * req)219 static int delayed_delivery(OSSL_CMP_SRV_CTX *srv_ctx, const OSSL_CMP_MSG *req)
220 {
221 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
222 int req_type = OSSL_CMP_MSG_get_bodytype(req);
223
224 if (ctx == NULL || req == NULL) {
225 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
226 return -1;
227 }
228
229 /*
230 * For ir/cr/p10cr/kur delayed delivery is handled separately in
231 * process_cert_request
232 */
233 if (req_type == OSSL_CMP_IR
234 || req_type == OSSL_CMP_CR
235 || req_type == OSSL_CMP_P10CR
236 || req_type == OSSL_CMP_KUR
237 /* Client may use error to abort the ongoing polling */
238 || req_type == OSSL_CMP_ERROR)
239 return 0;
240
241 if (ctx->pollCount > 0 && ctx->curr_pollCount == 0) {
242 /* start polling */
243 if ((ctx->req = OSSL_CMP_MSG_dup(req)) == NULL)
244 return -1;
245 return 1;
246 }
247 return 0;
248 }
249
250 /* check for matching reference cert components, as far as given */
refcert_cmp(const X509 * refcert,const X509_NAME * issuer,const ASN1_INTEGER * serial)251 static int refcert_cmp(const X509 *refcert,
252 const X509_NAME *issuer, const ASN1_INTEGER *serial)
253 {
254 const X509_NAME *ref_issuer;
255 const ASN1_INTEGER *ref_serial;
256
257 if (refcert == NULL)
258 return 1;
259 ref_issuer = X509_get_issuer_name(refcert);
260 ref_serial = X509_get0_serialNumber(refcert);
261 return (ref_issuer == NULL || X509_NAME_cmp(issuer, ref_issuer) == 0)
262 && (ref_serial == NULL || ASN1_INTEGER_cmp(serial, ref_serial) == 0);
263 }
264
265 /* reset the state that belongs to a transaction */
clean_transaction(OSSL_CMP_SRV_CTX * srv_ctx,ossl_unused const ASN1_OCTET_STRING * id)266 static int clean_transaction(OSSL_CMP_SRV_CTX *srv_ctx,
267 ossl_unused const ASN1_OCTET_STRING *id)
268 {
269 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
270
271 if (ctx == NULL) {
272 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
273 return 0;
274 }
275
276 ctx->curr_pollCount = 0;
277 OSSL_CMP_MSG_free(ctx->req);
278 ctx->req = NULL;
279 return 1;
280 }
281
process_cert_request(OSSL_CMP_SRV_CTX * srv_ctx,const OSSL_CMP_MSG * cert_req,ossl_unused int certReqId,const OSSL_CRMF_MSG * crm,const X509_REQ * p10cr,X509 ** certOut,STACK_OF (X509)** chainOut,STACK_OF (X509)** caPubs)282 static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
283 const OSSL_CMP_MSG *cert_req,
284 ossl_unused int certReqId,
285 const OSSL_CRMF_MSG *crm,
286 const X509_REQ *p10cr,
287 X509 **certOut,
288 STACK_OF(X509) **chainOut,
289 STACK_OF(X509) **caPubs)
290 {
291 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
292 int bodytype, central_keygen;
293 OSSL_CMP_PKISI *si = NULL;
294 EVP_PKEY *keyOut = NULL;
295
296 if (ctx == NULL || cert_req == NULL
297 || certOut == NULL || chainOut == NULL || caPubs == NULL) {
298 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
299 return NULL;
300 }
301 bodytype = OSSL_CMP_MSG_get_bodytype(cert_req);
302 if (ctx->sendError == 1 || ctx->sendError == bodytype) {
303 ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
304 return NULL;
305 }
306
307 *certOut = NULL;
308 *chainOut = NULL;
309 *caPubs = NULL;
310
311 if (ctx->pollCount > 0 && ctx->curr_pollCount == 0) {
312 /* start polling */
313 if ((ctx->req = OSSL_CMP_MSG_dup(cert_req)) == NULL)
314 return NULL;
315 return OSSL_CMP_STATUSINFO_new(OSSL_CMP_PKISTATUS_waiting, 0, NULL);
316 }
317 if (ctx->curr_pollCount >= ctx->pollCount)
318 /* give final response after polling */
319 ctx->curr_pollCount = 0;
320
321 /* accept cert profile for cr messages only with the configured name */
322 if (OSSL_CMP_MSG_get_bodytype(cert_req) == OSSL_CMP_CR) {
323 STACK_OF(OSSL_CMP_ITAV) *itavs =
324 OSSL_CMP_HDR_get0_geninfo_ITAVs(OSSL_CMP_MSG_get0_header(cert_req));
325 int i;
326
327 for (i = 0; i < sk_OSSL_CMP_ITAV_num(itavs); i++) {
328 OSSL_CMP_ITAV *itav = sk_OSSL_CMP_ITAV_value(itavs, i);
329 ASN1_OBJECT *obj = OSSL_CMP_ITAV_get0_type(itav);
330 STACK_OF(ASN1_UTF8STRING) *strs;
331 ASN1_UTF8STRING *str;
332 const char *data;
333
334 if (OBJ_obj2nid(obj) == NID_id_it_certProfile) {
335 if (!OSSL_CMP_ITAV_get0_certProfile(itav, &strs))
336 return NULL;
337 if (sk_ASN1_UTF8STRING_num(strs) < 1) {
338 ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_CERTPROFILE);
339 return NULL;
340 }
341 str = sk_ASN1_UTF8STRING_value(strs, 0);
342 if (str == NULL
343 || (data =
344 (const char *)ASN1_STRING_get0_data(str)) == NULL) {
345 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_INVALID_ARGUMENT);
346 return NULL;
347 }
348 if (strcmp(data, "profile1") != 0) {
349 ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_CERTPROFILE);
350 return NULL;
351 }
352 break;
353 }
354 }
355 }
356
357 /* accept cert update request only for the reference cert, if given */
358 if (bodytype == OSSL_CMP_KUR
359 && crm != NULL /* thus not p10cr */ && ctx->refCert != NULL) {
360 const OSSL_CRMF_CERTID *cid = OSSL_CRMF_MSG_get0_regCtrl_oldCertID(crm);
361
362 if (cid == NULL) {
363 ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_CERTID);
364 return NULL;
365 }
366 if (!refcert_cmp(ctx->refCert,
367 OSSL_CRMF_CERTID_get0_issuer(cid),
368 OSSL_CRMF_CERTID_get0_serialNumber(cid))) {
369 ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_CERTID);
370 return NULL;
371 }
372 }
373
374 if (ctx->certOut != NULL
375 && (*certOut = X509_dup(ctx->certOut)) == NULL)
376 /* Should return a cert produced from request template, see FR #16054 */
377 goto err;
378
379 central_keygen = OSSL_CRMF_MSG_centralkeygen_requested(crm, p10cr);
380 if (central_keygen < 0)
381 goto err;
382 if (central_keygen == 1
383 && (ctx->keyOut == NULL
384 || (keyOut = EVP_PKEY_dup(ctx->keyOut)) == NULL
385 || !OSSL_CMP_CTX_set0_newPkey(OSSL_CMP_SRV_CTX_get0_cmp_ctx(srv_ctx),
386 1 /* priv */, keyOut))) {
387 EVP_PKEY_free(keyOut);
388 goto err;
389 }
390 /*
391 * Note that this uses newPkey to return the private key
392 * and does not check whether the 'popo' field is absent.
393 */
394
395 if (ctx->chainOut != NULL
396 && (*chainOut = X509_chain_up_ref(ctx->chainOut)) == NULL)
397 goto err;
398 if (ctx->caPubsOut != NULL /* OSSL_CMP_PKIBODY_IP not visible here */
399 && (*caPubs = X509_chain_up_ref(ctx->caPubsOut)) == NULL)
400 goto err;
401 if (ctx->statusOut != NULL
402 && (si = OSSL_CMP_PKISI_dup(ctx->statusOut)) == NULL)
403 goto err;
404 return si;
405
406 err:
407 X509_free(*certOut);
408 *certOut = NULL;
409 OSSL_STACK_OF_X509_free(*chainOut);
410 *chainOut = NULL;
411 OSSL_STACK_OF_X509_free(*caPubs);
412 *caPubs = NULL;
413 return NULL;
414 }
415
process_rr(OSSL_CMP_SRV_CTX * srv_ctx,const OSSL_CMP_MSG * rr,const X509_NAME * issuer,const ASN1_INTEGER * serial)416 static OSSL_CMP_PKISI *process_rr(OSSL_CMP_SRV_CTX *srv_ctx,
417 const OSSL_CMP_MSG *rr,
418 const X509_NAME *issuer,
419 const ASN1_INTEGER *serial)
420 {
421 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
422
423 if (ctx == NULL || rr == NULL) {
424 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
425 return NULL;
426 }
427 if (ctx->sendError == 1
428 || ctx->sendError == OSSL_CMP_MSG_get_bodytype(rr)) {
429 ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
430 return NULL;
431 }
432
433 /* allow any RR derived from CSR which does not include issuer and serial */
434 if ((issuer != NULL || serial != NULL)
435 /* accept revocation only for the reference cert, if given */
436 && !refcert_cmp(ctx->refCert, issuer, serial)) {
437 ERR_raise_data(ERR_LIB_CMP, CMP_R_REQUEST_NOT_ACCEPTED,
438 "wrong certificate to revoke");
439 return NULL;
440 }
441 return OSSL_CMP_PKISI_dup(ctx->statusOut);
442 }
443
444 /* return -1 for error, 0 for no update available */
check_client_crl(const STACK_OF (OSSL_CMP_CRLSTATUS)* crlStatusList,const X509_CRL * crl)445 static int check_client_crl(const STACK_OF(OSSL_CMP_CRLSTATUS) *crlStatusList,
446 const X509_CRL *crl)
447 {
448 OSSL_CMP_CRLSTATUS *crlstatus;
449 DIST_POINT_NAME *dpn = NULL;
450 GENERAL_NAMES *issuer = NULL;
451 ASN1_TIME *thisupd = NULL;
452
453 if (sk_OSSL_CMP_CRLSTATUS_num(crlStatusList) != 1) {
454 ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_CRLSTATUSLIST);
455 return -1;
456 }
457 if (crl == NULL)
458 return 0;
459
460 crlstatus = sk_OSSL_CMP_CRLSTATUS_value(crlStatusList, 0);
461 if (!OSSL_CMP_CRLSTATUS_get0(crlstatus, &dpn, &issuer, &thisupd))
462 return -1;
463
464 if (issuer != NULL) {
465 GENERAL_NAME *gn = sk_GENERAL_NAME_value(issuer, 0);
466
467 if (gn != NULL && gn->type == GEN_DIRNAME) {
468 X509_NAME *gen_name = gn->d.dirn;
469
470 if (X509_NAME_cmp(gen_name, X509_CRL_get_issuer(crl)) != 0) {
471 ERR_raise(ERR_LIB_CMP, CMP_R_UNKNOWN_CRL_ISSUER);
472 return -1;
473 }
474 } else {
475 ERR_raise(ERR_LIB_CMP, CMP_R_SENDER_GENERALNAME_TYPE_NOT_SUPPORTED);
476 return -1; /* error according to RFC 9483 section 4.3.4 */
477 }
478 }
479
480 return thisupd == NULL
481 || ASN1_TIME_compare(thisupd, X509_CRL_get0_lastUpdate(crl)) < 0;
482 }
483
process_genm_itav(mock_srv_ctx * ctx,int req_nid,const OSSL_CMP_ITAV * req)484 static OSSL_CMP_ITAV *process_genm_itav(mock_srv_ctx *ctx, int req_nid,
485 const OSSL_CMP_ITAV *req)
486 {
487 OSSL_CMP_ITAV *rsp = NULL;
488
489 switch (req_nid) {
490 case NID_id_it_caCerts:
491 rsp = OSSL_CMP_ITAV_new_caCerts(ctx->caPubsOut);
492 break;
493 case NID_id_it_rootCaCert:
494 {
495 X509 *rootcacert = NULL;
496
497 if (!OSSL_CMP_ITAV_get0_rootCaCert(req, &rootcacert))
498 return NULL;
499
500 if (rootcacert != NULL
501 && X509_NAME_cmp(X509_get_subject_name(rootcacert),
502 X509_get_subject_name(ctx->newWithNew)) != 0)
503 /* The subjects do not match */
504 rsp = OSSL_CMP_ITAV_new_rootCaKeyUpdate(NULL, NULL, NULL);
505 else
506 rsp = OSSL_CMP_ITAV_new_rootCaKeyUpdate(ctx->newWithNew,
507 ctx->newWithOld,
508 ctx->oldWithNew);
509 }
510 break;
511 case NID_id_it_crlStatusList:
512 {
513 STACK_OF(OSSL_CMP_CRLSTATUS) *crlstatuslist = NULL;
514 int res = 0;
515
516 if (!OSSL_CMP_ITAV_get0_crlStatusList(req, &crlstatuslist))
517 return NULL;
518
519 res = check_client_crl(crlstatuslist, ctx->crlOut);
520 if (res < 0)
521 rsp = NULL;
522 else
523 rsp = OSSL_CMP_ITAV_new_crls(res == 0 ? NULL : ctx->crlOut);
524 }
525 break;
526 case NID_id_it_certReqTemplate:
527 {
528 OSSL_CRMF_CERTTEMPLATE *reqtemp;
529 OSSL_CMP_ATAVS *keyspec = NULL;
530 X509_ALGOR *keyalg = NULL;
531 OSSL_CMP_ATAV *rsakeylen, *eckeyalg;
532 int ok = 0;
533
534 if ((reqtemp = OSSL_CRMF_CERTTEMPLATE_new()) == NULL)
535 return NULL;
536
537 if (!OSSL_CRMF_CERTTEMPLATE_fill(reqtemp, NULL, NULL,
538 X509_get_issuer_name(ctx->refCert),
539 NULL))
540 goto crt_err;
541
542 if ((keyalg = X509_ALGOR_new()) == NULL)
543 goto crt_err;
544
545 (void)X509_ALGOR_set0(keyalg, OBJ_nid2obj(NID_X9_62_id_ecPublicKey),
546 V_ASN1_UNDEF, NULL); /* cannot fail */
547
548 eckeyalg = OSSL_CMP_ATAV_new_algId(keyalg);
549 rsakeylen = OSSL_CMP_ATAV_new_rsaKeyLen(4096);
550 ok = OSSL_CMP_ATAV_push1(&keyspec, eckeyalg)
551 && OSSL_CMP_ATAV_push1(&keyspec, rsakeylen);
552 OSSL_CMP_ATAV_free(eckeyalg);
553 OSSL_CMP_ATAV_free(rsakeylen);
554 X509_ALGOR_free(keyalg);
555
556 if (!ok)
557 goto crt_err;
558
559 rsp = OSSL_CMP_ITAV_new0_certReqTemplate(reqtemp, keyspec);
560 return rsp;
561
562 crt_err:
563 OSSL_CRMF_CERTTEMPLATE_free(reqtemp);
564 OSSL_CMP_ATAVS_free(keyspec);
565 return NULL;
566 }
567 break;
568 default:
569 rsp = OSSL_CMP_ITAV_dup(req);
570 }
571 return rsp;
572 }
573
process_genm(OSSL_CMP_SRV_CTX * srv_ctx,const OSSL_CMP_MSG * genm,const STACK_OF (OSSL_CMP_ITAV)* in,STACK_OF (OSSL_CMP_ITAV)** out)574 static int process_genm(OSSL_CMP_SRV_CTX *srv_ctx,
575 const OSSL_CMP_MSG *genm,
576 const STACK_OF(OSSL_CMP_ITAV) *in,
577 STACK_OF(OSSL_CMP_ITAV) **out)
578 {
579 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
580
581 if (ctx == NULL || genm == NULL || in == NULL || out == NULL) {
582 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
583 return 0;
584 }
585 if (ctx->sendError == 1
586 || ctx->sendError == OSSL_CMP_MSG_get_bodytype(genm)
587 || sk_OSSL_CMP_ITAV_num(in) > 1) {
588 ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
589 return 0;
590 }
591 if (sk_OSSL_CMP_ITAV_num(in) == 1) {
592 OSSL_CMP_ITAV *req = sk_OSSL_CMP_ITAV_value(in, 0), *rsp;
593 ASN1_OBJECT *obj = OSSL_CMP_ITAV_get0_type(req);
594
595 if ((*out = sk_OSSL_CMP_ITAV_new_reserve(NULL, 1)) == NULL)
596 return 0;
597 rsp = process_genm_itav(ctx, OBJ_obj2nid(obj), req);
598 if (rsp != NULL && sk_OSSL_CMP_ITAV_push(*out, rsp))
599 return 1;
600 sk_OSSL_CMP_ITAV_free(*out);
601 return 0;
602 }
603
604 *out = sk_OSSL_CMP_ITAV_deep_copy(in, OSSL_CMP_ITAV_dup,
605 OSSL_CMP_ITAV_free);
606 return *out != NULL;
607 }
608
process_error(OSSL_CMP_SRV_CTX * srv_ctx,const OSSL_CMP_MSG * error,const OSSL_CMP_PKISI * statusInfo,const ASN1_INTEGER * errorCode,const OSSL_CMP_PKIFREETEXT * errorDetails)609 static void process_error(OSSL_CMP_SRV_CTX *srv_ctx, const OSSL_CMP_MSG *error,
610 const OSSL_CMP_PKISI *statusInfo,
611 const ASN1_INTEGER *errorCode,
612 const OSSL_CMP_PKIFREETEXT *errorDetails)
613 {
614 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
615 char buf[OSSL_CMP_PKISI_BUFLEN];
616 char *sibuf;
617 int i;
618
619 if (ctx == NULL || error == NULL) {
620 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
621 return;
622 }
623
624 BIO_printf(bio_err, "mock server received error:\n");
625
626 if (statusInfo == NULL) {
627 BIO_printf(bio_err, "pkiStatusInfo absent\n");
628 } else {
629 sibuf = OSSL_CMP_snprint_PKIStatusInfo(statusInfo, buf, sizeof(buf));
630 BIO_printf(bio_err, "pkiStatusInfo: %s\n",
631 sibuf != NULL ? sibuf: "<invalid>");
632 }
633
634 if (errorCode == NULL)
635 BIO_printf(bio_err, "errorCode absent\n");
636 else
637 BIO_printf(bio_err, "errorCode: %ld\n", ASN1_INTEGER_get(errorCode));
638
639 if (sk_ASN1_UTF8STRING_num(errorDetails) <= 0) {
640 BIO_printf(bio_err, "errorDetails absent\n");
641 } else {
642 BIO_printf(bio_err, "errorDetails: ");
643 for (i = 0; i < sk_ASN1_UTF8STRING_num(errorDetails); i++) {
644 if (i > 0)
645 BIO_printf(bio_err, ", ");
646 ASN1_STRING_print_ex(bio_err,
647 sk_ASN1_UTF8STRING_value(errorDetails, i),
648 ASN1_STRFLGS_ESC_QUOTE);
649 }
650 BIO_printf(bio_err, "\n");
651 }
652 }
653
process_certConf(OSSL_CMP_SRV_CTX * srv_ctx,const OSSL_CMP_MSG * certConf,ossl_unused int certReqId,const ASN1_OCTET_STRING * certHash,const OSSL_CMP_PKISI * si)654 static int process_certConf(OSSL_CMP_SRV_CTX *srv_ctx,
655 const OSSL_CMP_MSG *certConf,
656 ossl_unused int certReqId,
657 const ASN1_OCTET_STRING *certHash,
658 const OSSL_CMP_PKISI *si)
659 {
660 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
661 ASN1_OCTET_STRING *digest;
662
663 if (ctx == NULL || certConf == NULL || certHash == NULL) {
664 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
665 return 0;
666 }
667 if (ctx->sendError == 1
668 || ctx->sendError == OSSL_CMP_MSG_get_bodytype(certConf)
669 || ctx->certOut == NULL) {
670 ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
671 return 0;
672 }
673
674 if ((digest = X509_digest_sig(ctx->certOut, NULL, NULL)) == NULL)
675 return 0;
676 if (ASN1_OCTET_STRING_cmp(certHash, digest) != 0) {
677 ASN1_OCTET_STRING_free(digest);
678 ERR_raise(ERR_LIB_CMP, CMP_R_CERTHASH_UNMATCHED);
679 return 0;
680 }
681 ASN1_OCTET_STRING_free(digest);
682 return 1;
683 }
684
685 /* return 0 on failure, 1 on success, setting *req or otherwise *check_after */
process_pollReq(OSSL_CMP_SRV_CTX * srv_ctx,const OSSL_CMP_MSG * pollReq,ossl_unused int certReqId,OSSL_CMP_MSG ** req,int64_t * check_after)686 static int process_pollReq(OSSL_CMP_SRV_CTX *srv_ctx,
687 const OSSL_CMP_MSG *pollReq,
688 ossl_unused int certReqId,
689 OSSL_CMP_MSG **req, int64_t *check_after)
690 {
691 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
692
693 if (req != NULL)
694 *req = NULL;
695 if (ctx == NULL || pollReq == NULL
696 || req == NULL || check_after == NULL) {
697 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
698 return 0;
699 }
700
701 if (ctx->sendError == 1
702 || ctx->sendError == OSSL_CMP_MSG_get_bodytype(pollReq)) {
703 ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
704 return 0;
705 }
706 if (ctx->req == NULL) { /* not currently in polling mode */
707 ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_POLLREQ);
708 return 0;
709 }
710
711 if (++ctx->curr_pollCount >= ctx->pollCount) {
712 /* end polling */
713 *req = ctx->req;
714 ctx->req = NULL;
715 *check_after = 0;
716 } else {
717 *check_after = ctx->checkAfterTime;
718 }
719 return 1;
720 }
721
ossl_cmp_mock_srv_new(OSSL_LIB_CTX * libctx,const char * propq)722 OSSL_CMP_SRV_CTX *ossl_cmp_mock_srv_new(OSSL_LIB_CTX *libctx, const char *propq)
723 {
724 OSSL_CMP_SRV_CTX *srv_ctx = OSSL_CMP_SRV_CTX_new(libctx, propq);
725 mock_srv_ctx *ctx = mock_srv_ctx_new();
726
727 if (srv_ctx != NULL && ctx != NULL
728 && OSSL_CMP_SRV_CTX_init(srv_ctx, ctx, process_cert_request,
729 process_rr, process_genm, process_error,
730 process_certConf, process_pollReq)
731 && OSSL_CMP_SRV_CTX_init_trans(srv_ctx,
732 delayed_delivery, clean_transaction))
733 return srv_ctx;
734
735 mock_srv_ctx_free(ctx);
736 OSSL_CMP_SRV_CTX_free(srv_ctx);
737 return NULL;
738 }
739
ossl_cmp_mock_srv_free(OSSL_CMP_SRV_CTX * srv_ctx)740 void ossl_cmp_mock_srv_free(OSSL_CMP_SRV_CTX *srv_ctx)
741 {
742 if (srv_ctx != NULL)
743 mock_srv_ctx_free(OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx));
744 OSSL_CMP_SRV_CTX_free(srv_ctx);
745 }
746