1 /* 2 * Copyright 2018-2025 The OpenSSL Project Authors. All Rights Reserved. 3 * Copyright Siemens AG 2018-2020 4 * 5 * Licensed under the Apache License 2.0 (the "License"). You may not use 6 * this file except in compliance with the License. You can obtain a copy 7 * in the file LICENSE in the source distribution or atf 8 * https://www.openssl.org/source/license.html 9 */ 10 11 #include "apps.h" 12 #include "cmp_mock_srv.h" 13 14 #include <openssl/cmp.h> 15 #include <openssl/err.h> 16 #include <openssl/cmperr.h> 17 18 /* the context for the CMP mock server */ 19 typedef struct { 20 X509 *refCert; /* cert to expect for oldCertID in kur/rr msg */ 21 X509 *certOut; /* certificate to be returned in cp/ip/kup msg */ 22 EVP_PKEY *keyOut; /* Private key to be returned for central keygen */ 23 X509_CRL *crlOut; /* CRL to be returned in genp for crls */ 24 STACK_OF(X509) *chainOut; /* chain of certOut to add to extraCerts field */ 25 STACK_OF(X509) *caPubsOut; /* used in caPubs of ip and in caCerts of genp */ 26 X509 *newWithNew; /* to return in newWithNew of rootKeyUpdate */ 27 X509 *newWithOld; /* to return in newWithOld of rootKeyUpdate */ 28 X509 *oldWithNew; /* to return in oldWithNew of rootKeyUpdate */ 29 OSSL_CMP_PKISI *statusOut; /* status for ip/cp/kup/rp msg unless polling */ 30 int sendError; /* send error response on given request type */ 31 OSSL_CMP_MSG *req; /* original request message during polling */ 32 int pollCount; /* number of polls before actual cert response */ 33 int curr_pollCount; /* number of polls so far for current request */ 34 int checkAfterTime; /* time the client should wait between polling */ 35 } mock_srv_ctx; 36 37 static void mock_srv_ctx_free(mock_srv_ctx *ctx) 38 { 39 if (ctx == NULL) 40 return; 41 42 OSSL_CMP_PKISI_free(ctx->statusOut); 43 X509_free(ctx->refCert); 44 X509_free(ctx->certOut); 45 OSSL_STACK_OF_X509_free(ctx->chainOut); 46 OSSL_STACK_OF_X509_free(ctx->caPubsOut); 47 OSSL_CMP_MSG_free(ctx->req); 48 OPENSSL_free(ctx); 49 } 50 51 static mock_srv_ctx *mock_srv_ctx_new(void) 52 { 53 mock_srv_ctx *ctx = OPENSSL_zalloc(sizeof(mock_srv_ctx)); 54 55 if (ctx == NULL) 56 goto err; 57 58 if ((ctx->statusOut = OSSL_CMP_PKISI_new()) == NULL) 59 goto err; 60 61 ctx->sendError = -1; 62 63 /* all other elements are initialized to 0 or NULL, respectively */ 64 return ctx; 65 err: 66 mock_srv_ctx_free(ctx); 67 return NULL; 68 } 69 70 #define DEFINE_OSSL_SET1_CERT(FIELD) \ 71 int ossl_cmp_mock_srv_set1_##FIELD(OSSL_CMP_SRV_CTX *srv_ctx, \ 72 X509 *cert) \ 73 { \ 74 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx); \ 75 \ 76 if (ctx == NULL) { \ 77 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); \ 78 return 0; \ 79 } \ 80 if (cert == NULL || X509_up_ref(cert)) { \ 81 X509_free(ctx->FIELD); \ 82 ctx->FIELD = cert; \ 83 return 1; \ 84 } \ 85 return 0; \ 86 } 87 88 DEFINE_OSSL_SET1_CERT(refCert) 89 DEFINE_OSSL_SET1_CERT(certOut) 90 91 int ossl_cmp_mock_srv_set1_keyOut(OSSL_CMP_SRV_CTX *srv_ctx, EVP_PKEY *pkey) 92 { 93 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx); 94 95 if (ctx == NULL) { 96 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); 97 return 0; 98 } 99 if (pkey != NULL && !EVP_PKEY_up_ref(pkey)) 100 return 0; 101 EVP_PKEY_free(ctx->keyOut); 102 ctx->keyOut = pkey; 103 return 1; 104 } 105 106 int ossl_cmp_mock_srv_set1_crlOut(OSSL_CMP_SRV_CTX *srv_ctx, 107 X509_CRL *crl) 108 { 109 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx); 110 111 if (ctx == NULL) { 112 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); 113 return 0; 114 } 115 if (crl != NULL && !X509_CRL_up_ref(crl)) 116 return 0; 117 X509_CRL_free(ctx->crlOut); 118 ctx->crlOut = crl; 119 return 1; 120 } 121 122 int ossl_cmp_mock_srv_set1_chainOut(OSSL_CMP_SRV_CTX *srv_ctx, 123 STACK_OF(X509) *chain) 124 { 125 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx); 126 STACK_OF(X509) *chain_copy = NULL; 127 128 if (ctx == NULL) { 129 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); 130 return 0; 131 } 132 if (chain != NULL && (chain_copy = X509_chain_up_ref(chain)) == NULL) 133 return 0; 134 OSSL_STACK_OF_X509_free(ctx->chainOut); 135 ctx->chainOut = chain_copy; 136 return 1; 137 } 138 139 int ossl_cmp_mock_srv_set1_caPubsOut(OSSL_CMP_SRV_CTX *srv_ctx, 140 STACK_OF(X509) *caPubs) 141 { 142 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx); 143 STACK_OF(X509) *caPubs_copy = NULL; 144 145 if (ctx == NULL) { 146 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); 147 return 0; 148 } 149 if (caPubs != NULL && (caPubs_copy = X509_chain_up_ref(caPubs)) == NULL) 150 return 0; 151 OSSL_STACK_OF_X509_free(ctx->caPubsOut); 152 ctx->caPubsOut = caPubs_copy; 153 return 1; 154 } 155 156 DEFINE_OSSL_SET1_CERT(newWithNew) 157 DEFINE_OSSL_SET1_CERT(newWithOld) 158 DEFINE_OSSL_SET1_CERT(oldWithNew) 159 160 int ossl_cmp_mock_srv_set_statusInfo(OSSL_CMP_SRV_CTX *srv_ctx, int status, 161 int fail_info, const char *text) 162 { 163 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx); 164 OSSL_CMP_PKISI *si; 165 166 if (ctx == NULL) { 167 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); 168 return 0; 169 } 170 if ((si = OSSL_CMP_STATUSINFO_new(status, fail_info, text)) == NULL) 171 return 0; 172 OSSL_CMP_PKISI_free(ctx->statusOut); 173 ctx->statusOut = si; 174 return 1; 175 } 176 177 int ossl_cmp_mock_srv_set_sendError(OSSL_CMP_SRV_CTX *srv_ctx, int bodytype) 178 { 179 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx); 180 181 if (ctx == NULL) { 182 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); 183 return 0; 184 } 185 /* might check bodytype, but this would require exporting all body types */ 186 ctx->sendError = bodytype; 187 return 1; 188 } 189 190 int ossl_cmp_mock_srv_set_pollCount(OSSL_CMP_SRV_CTX *srv_ctx, int count) 191 { 192 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx); 193 194 if (ctx == NULL) { 195 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); 196 return 0; 197 } 198 if (count < 0) { 199 ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS); 200 return 0; 201 } 202 ctx->pollCount = count; 203 return 1; 204 } 205 206 int ossl_cmp_mock_srv_set_checkAfterTime(OSSL_CMP_SRV_CTX *srv_ctx, int sec) 207 { 208 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx); 209 210 if (ctx == NULL) { 211 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); 212 return 0; 213 } 214 ctx->checkAfterTime = sec; 215 return 1; 216 } 217 218 /* determine whether to delay response to (non-polling) request */ 219 static int delayed_delivery(OSSL_CMP_SRV_CTX *srv_ctx, const OSSL_CMP_MSG *req) 220 { 221 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx); 222 int req_type = OSSL_CMP_MSG_get_bodytype(req); 223 224 if (ctx == NULL || req == NULL) { 225 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); 226 return -1; 227 } 228 229 /* 230 * For ir/cr/p10cr/kur delayed delivery is handled separately in 231 * process_cert_request 232 */ 233 if (req_type == OSSL_CMP_IR 234 || req_type == OSSL_CMP_CR 235 || req_type == OSSL_CMP_P10CR 236 || req_type == OSSL_CMP_KUR 237 /* Client may use error to abort the ongoing polling */ 238 || req_type == OSSL_CMP_ERROR) 239 return 0; 240 241 if (ctx->pollCount > 0 && ctx->curr_pollCount == 0) { 242 /* start polling */ 243 if ((ctx->req = OSSL_CMP_MSG_dup(req)) == NULL) 244 return -1; 245 return 1; 246 } 247 return 0; 248 } 249 250 /* check for matching reference cert components, as far as given */ 251 static int refcert_cmp(const X509 *refcert, 252 const X509_NAME *issuer, const ASN1_INTEGER *serial) 253 { 254 const X509_NAME *ref_issuer; 255 const ASN1_INTEGER *ref_serial; 256 257 if (refcert == NULL) 258 return 1; 259 ref_issuer = X509_get_issuer_name(refcert); 260 ref_serial = X509_get0_serialNumber(refcert); 261 return (ref_issuer == NULL || X509_NAME_cmp(issuer, ref_issuer) == 0) 262 && (ref_serial == NULL || ASN1_INTEGER_cmp(serial, ref_serial) == 0); 263 } 264 265 /* reset the state that belongs to a transaction */ 266 static int clean_transaction(OSSL_CMP_SRV_CTX *srv_ctx, 267 ossl_unused const ASN1_OCTET_STRING *id) 268 { 269 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx); 270 271 if (ctx == NULL) { 272 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); 273 return 0; 274 } 275 276 ctx->curr_pollCount = 0; 277 OSSL_CMP_MSG_free(ctx->req); 278 ctx->req = NULL; 279 return 1; 280 } 281 282 static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx, 283 const OSSL_CMP_MSG *cert_req, 284 ossl_unused int certReqId, 285 const OSSL_CRMF_MSG *crm, 286 const X509_REQ *p10cr, 287 X509 **certOut, 288 STACK_OF(X509) **chainOut, 289 STACK_OF(X509) **caPubs) 290 { 291 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx); 292 int bodytype, central_keygen; 293 OSSL_CMP_PKISI *si = NULL; 294 EVP_PKEY *keyOut = NULL; 295 296 if (ctx == NULL || cert_req == NULL 297 || certOut == NULL || chainOut == NULL || caPubs == NULL) { 298 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); 299 return NULL; 300 } 301 bodytype = OSSL_CMP_MSG_get_bodytype(cert_req); 302 if (ctx->sendError == 1 || ctx->sendError == bodytype) { 303 ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE); 304 return NULL; 305 } 306 307 *certOut = NULL; 308 *chainOut = NULL; 309 *caPubs = NULL; 310 311 if (ctx->pollCount > 0 && ctx->curr_pollCount == 0) { 312 /* start polling */ 313 if ((ctx->req = OSSL_CMP_MSG_dup(cert_req)) == NULL) 314 return NULL; 315 return OSSL_CMP_STATUSINFO_new(OSSL_CMP_PKISTATUS_waiting, 0, NULL); 316 } 317 if (ctx->curr_pollCount >= ctx->pollCount) 318 /* give final response after polling */ 319 ctx->curr_pollCount = 0; 320 321 /* accept cert profile for cr messages only with the configured name */ 322 if (OSSL_CMP_MSG_get_bodytype(cert_req) == OSSL_CMP_CR) { 323 STACK_OF(OSSL_CMP_ITAV) *itavs = 324 OSSL_CMP_HDR_get0_geninfo_ITAVs(OSSL_CMP_MSG_get0_header(cert_req)); 325 int i; 326 327 for (i = 0; i < sk_OSSL_CMP_ITAV_num(itavs); i++) { 328 OSSL_CMP_ITAV *itav = sk_OSSL_CMP_ITAV_value(itavs, i); 329 ASN1_OBJECT *obj = OSSL_CMP_ITAV_get0_type(itav); 330 STACK_OF(ASN1_UTF8STRING) *strs; 331 ASN1_UTF8STRING *str; 332 const char *data; 333 334 if (OBJ_obj2nid(obj) == NID_id_it_certProfile) { 335 if (!OSSL_CMP_ITAV_get0_certProfile(itav, &strs)) 336 return NULL; 337 if (sk_ASN1_UTF8STRING_num(strs) < 1) { 338 ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_CERTPROFILE); 339 return NULL; 340 } 341 str = sk_ASN1_UTF8STRING_value(strs, 0); 342 if (str == NULL 343 || (data = 344 (const char *)ASN1_STRING_get0_data(str)) == NULL) { 345 ERR_raise(ERR_LIB_CMP, ERR_R_PASSED_INVALID_ARGUMENT); 346 return NULL; 347 } 348 if (strcmp(data, "profile1") != 0) { 349 ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_CERTPROFILE); 350 return NULL; 351 } 352 break; 353 } 354 } 355 } 356 357 /* accept cert update request only for the reference cert, if given */ 358 if (bodytype == OSSL_CMP_KUR 359 && crm != NULL /* thus not p10cr */ && ctx->refCert != NULL) { 360 const OSSL_CRMF_CERTID *cid = OSSL_CRMF_MSG_get0_regCtrl_oldCertID(crm); 361 362 if (cid == NULL) { 363 ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_CERTID); 364 return NULL; 365 } 366 if (!refcert_cmp(ctx->refCert, 367 OSSL_CRMF_CERTID_get0_issuer(cid), 368 OSSL_CRMF_CERTID_get0_serialNumber(cid))) { 369 ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_CERTID); 370 return NULL; 371 } 372 } 373 374 if (ctx->certOut != NULL 375 && (*certOut = X509_dup(ctx->certOut)) == NULL) 376 /* Should return a cert produced from request template, see FR #16054 */ 377 goto err; 378 379 central_keygen = OSSL_CRMF_MSG_centralkeygen_requested(crm, p10cr); 380 if (central_keygen < 0) 381 goto err; 382 if (central_keygen == 1 383 && (ctx->keyOut == NULL 384 || (keyOut = EVP_PKEY_dup(ctx->keyOut)) == NULL 385 || !OSSL_CMP_CTX_set0_newPkey(OSSL_CMP_SRV_CTX_get0_cmp_ctx(srv_ctx), 386 1 /* priv */, keyOut))) { 387 EVP_PKEY_free(keyOut); 388 goto err; 389 } 390 /* 391 * Note that this uses newPkey to return the private key 392 * and does not check whether the 'popo' field is absent. 393 */ 394 395 if (ctx->chainOut != NULL 396 && (*chainOut = X509_chain_up_ref(ctx->chainOut)) == NULL) 397 goto err; 398 if (ctx->caPubsOut != NULL /* OSSL_CMP_PKIBODY_IP not visible here */ 399 && (*caPubs = X509_chain_up_ref(ctx->caPubsOut)) == NULL) 400 goto err; 401 if (ctx->statusOut != NULL 402 && (si = OSSL_CMP_PKISI_dup(ctx->statusOut)) == NULL) 403 goto err; 404 return si; 405 406 err: 407 X509_free(*certOut); 408 *certOut = NULL; 409 OSSL_STACK_OF_X509_free(*chainOut); 410 *chainOut = NULL; 411 OSSL_STACK_OF_X509_free(*caPubs); 412 *caPubs = NULL; 413 return NULL; 414 } 415 416 static OSSL_CMP_PKISI *process_rr(OSSL_CMP_SRV_CTX *srv_ctx, 417 const OSSL_CMP_MSG *rr, 418 const X509_NAME *issuer, 419 const ASN1_INTEGER *serial) 420 { 421 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx); 422 423 if (ctx == NULL || rr == NULL) { 424 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); 425 return NULL; 426 } 427 if (ctx->sendError == 1 428 || ctx->sendError == OSSL_CMP_MSG_get_bodytype(rr)) { 429 ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE); 430 return NULL; 431 } 432 433 /* allow any RR derived from CSR which does not include issuer and serial */ 434 if ((issuer != NULL || serial != NULL) 435 /* accept revocation only for the reference cert, if given */ 436 && !refcert_cmp(ctx->refCert, issuer, serial)) { 437 ERR_raise_data(ERR_LIB_CMP, CMP_R_REQUEST_NOT_ACCEPTED, 438 "wrong certificate to revoke"); 439 return NULL; 440 } 441 return OSSL_CMP_PKISI_dup(ctx->statusOut); 442 } 443 444 /* return -1 for error, 0 for no update available */ 445 static int check_client_crl(const STACK_OF(OSSL_CMP_CRLSTATUS) *crlStatusList, 446 const X509_CRL *crl) 447 { 448 OSSL_CMP_CRLSTATUS *crlstatus; 449 DIST_POINT_NAME *dpn = NULL; 450 GENERAL_NAMES *issuer = NULL; 451 ASN1_TIME *thisupd = NULL; 452 453 if (sk_OSSL_CMP_CRLSTATUS_num(crlStatusList) != 1) { 454 ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_CRLSTATUSLIST); 455 return -1; 456 } 457 if (crl == NULL) 458 return 0; 459 460 crlstatus = sk_OSSL_CMP_CRLSTATUS_value(crlStatusList, 0); 461 if (!OSSL_CMP_CRLSTATUS_get0(crlstatus, &dpn, &issuer, &thisupd)) 462 return -1; 463 464 if (issuer != NULL) { 465 GENERAL_NAME *gn = sk_GENERAL_NAME_value(issuer, 0); 466 467 if (gn != NULL && gn->type == GEN_DIRNAME) { 468 X509_NAME *gen_name = gn->d.dirn; 469 470 if (X509_NAME_cmp(gen_name, X509_CRL_get_issuer(crl)) != 0) { 471 ERR_raise(ERR_LIB_CMP, CMP_R_UNKNOWN_CRL_ISSUER); 472 return -1; 473 } 474 } else { 475 ERR_raise(ERR_LIB_CMP, CMP_R_SENDER_GENERALNAME_TYPE_NOT_SUPPORTED); 476 return -1; /* error according to RFC 9483 section 4.3.4 */ 477 } 478 } 479 480 return thisupd == NULL 481 || ASN1_TIME_compare(thisupd, X509_CRL_get0_lastUpdate(crl)) < 0; 482 } 483 484 static OSSL_CMP_ITAV *process_genm_itav(mock_srv_ctx *ctx, int req_nid, 485 const OSSL_CMP_ITAV *req) 486 { 487 OSSL_CMP_ITAV *rsp = NULL; 488 489 switch (req_nid) { 490 case NID_id_it_caCerts: 491 rsp = OSSL_CMP_ITAV_new_caCerts(ctx->caPubsOut); 492 break; 493 case NID_id_it_rootCaCert: 494 { 495 X509 *rootcacert = NULL; 496 497 if (!OSSL_CMP_ITAV_get0_rootCaCert(req, &rootcacert)) 498 return NULL; 499 500 if (rootcacert != NULL 501 && X509_NAME_cmp(X509_get_subject_name(rootcacert), 502 X509_get_subject_name(ctx->newWithNew)) != 0) 503 /* The subjects do not match */ 504 rsp = OSSL_CMP_ITAV_new_rootCaKeyUpdate(NULL, NULL, NULL); 505 else 506 rsp = OSSL_CMP_ITAV_new_rootCaKeyUpdate(ctx->newWithNew, 507 ctx->newWithOld, 508 ctx->oldWithNew); 509 } 510 break; 511 case NID_id_it_crlStatusList: 512 { 513 STACK_OF(OSSL_CMP_CRLSTATUS) *crlstatuslist = NULL; 514 int res = 0; 515 516 if (!OSSL_CMP_ITAV_get0_crlStatusList(req, &crlstatuslist)) 517 return NULL; 518 519 res = check_client_crl(crlstatuslist, ctx->crlOut); 520 if (res < 0) 521 rsp = NULL; 522 else 523 rsp = OSSL_CMP_ITAV_new_crls(res == 0 ? NULL : ctx->crlOut); 524 } 525 break; 526 case NID_id_it_certReqTemplate: 527 { 528 OSSL_CRMF_CERTTEMPLATE *reqtemp; 529 OSSL_CMP_ATAVS *keyspec = NULL; 530 X509_ALGOR *keyalg = NULL; 531 OSSL_CMP_ATAV *rsakeylen, *eckeyalg; 532 int ok = 0; 533 534 if ((reqtemp = OSSL_CRMF_CERTTEMPLATE_new()) == NULL) 535 return NULL; 536 537 if (!OSSL_CRMF_CERTTEMPLATE_fill(reqtemp, NULL, NULL, 538 X509_get_issuer_name(ctx->refCert), 539 NULL)) 540 goto crt_err; 541 542 if ((keyalg = X509_ALGOR_new()) == NULL) 543 goto crt_err; 544 545 (void)X509_ALGOR_set0(keyalg, OBJ_nid2obj(NID_X9_62_id_ecPublicKey), 546 V_ASN1_UNDEF, NULL); /* cannot fail */ 547 548 eckeyalg = OSSL_CMP_ATAV_new_algId(keyalg); 549 rsakeylen = OSSL_CMP_ATAV_new_rsaKeyLen(4096); 550 ok = OSSL_CMP_ATAV_push1(&keyspec, eckeyalg) 551 && OSSL_CMP_ATAV_push1(&keyspec, rsakeylen); 552 OSSL_CMP_ATAV_free(eckeyalg); 553 OSSL_CMP_ATAV_free(rsakeylen); 554 X509_ALGOR_free(keyalg); 555 556 if (!ok) 557 goto crt_err; 558 559 rsp = OSSL_CMP_ITAV_new0_certReqTemplate(reqtemp, keyspec); 560 return rsp; 561 562 crt_err: 563 OSSL_CRMF_CERTTEMPLATE_free(reqtemp); 564 OSSL_CMP_ATAVS_free(keyspec); 565 return NULL; 566 } 567 break; 568 default: 569 rsp = OSSL_CMP_ITAV_dup(req); 570 } 571 return rsp; 572 } 573 574 static int process_genm(OSSL_CMP_SRV_CTX *srv_ctx, 575 const OSSL_CMP_MSG *genm, 576 const STACK_OF(OSSL_CMP_ITAV) *in, 577 STACK_OF(OSSL_CMP_ITAV) **out) 578 { 579 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx); 580 581 if (ctx == NULL || genm == NULL || in == NULL || out == NULL) { 582 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); 583 return 0; 584 } 585 if (ctx->sendError == 1 586 || ctx->sendError == OSSL_CMP_MSG_get_bodytype(genm) 587 || sk_OSSL_CMP_ITAV_num(in) > 1) { 588 ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE); 589 return 0; 590 } 591 if (sk_OSSL_CMP_ITAV_num(in) == 1) { 592 OSSL_CMP_ITAV *req = sk_OSSL_CMP_ITAV_value(in, 0), *rsp; 593 ASN1_OBJECT *obj = OSSL_CMP_ITAV_get0_type(req); 594 595 if ((*out = sk_OSSL_CMP_ITAV_new_reserve(NULL, 1)) == NULL) 596 return 0; 597 rsp = process_genm_itav(ctx, OBJ_obj2nid(obj), req); 598 if (rsp != NULL && sk_OSSL_CMP_ITAV_push(*out, rsp)) 599 return 1; 600 sk_OSSL_CMP_ITAV_free(*out); 601 return 0; 602 } 603 604 *out = sk_OSSL_CMP_ITAV_deep_copy(in, OSSL_CMP_ITAV_dup, 605 OSSL_CMP_ITAV_free); 606 return *out != NULL; 607 } 608 609 static void process_error(OSSL_CMP_SRV_CTX *srv_ctx, const OSSL_CMP_MSG *error, 610 const OSSL_CMP_PKISI *statusInfo, 611 const ASN1_INTEGER *errorCode, 612 const OSSL_CMP_PKIFREETEXT *errorDetails) 613 { 614 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx); 615 char buf[OSSL_CMP_PKISI_BUFLEN]; 616 char *sibuf; 617 int i; 618 619 if (ctx == NULL || error == NULL) { 620 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); 621 return; 622 } 623 624 BIO_printf(bio_err, "mock server received error:\n"); 625 626 if (statusInfo == NULL) { 627 BIO_printf(bio_err, "pkiStatusInfo absent\n"); 628 } else { 629 sibuf = OSSL_CMP_snprint_PKIStatusInfo(statusInfo, buf, sizeof(buf)); 630 BIO_printf(bio_err, "pkiStatusInfo: %s\n", 631 sibuf != NULL ? sibuf: "<invalid>"); 632 } 633 634 if (errorCode == NULL) 635 BIO_printf(bio_err, "errorCode absent\n"); 636 else 637 BIO_printf(bio_err, "errorCode: %ld\n", ASN1_INTEGER_get(errorCode)); 638 639 if (sk_ASN1_UTF8STRING_num(errorDetails) <= 0) { 640 BIO_printf(bio_err, "errorDetails absent\n"); 641 } else { 642 BIO_printf(bio_err, "errorDetails: "); 643 for (i = 0; i < sk_ASN1_UTF8STRING_num(errorDetails); i++) { 644 if (i > 0) 645 BIO_printf(bio_err, ", "); 646 ASN1_STRING_print_ex(bio_err, 647 sk_ASN1_UTF8STRING_value(errorDetails, i), 648 ASN1_STRFLGS_ESC_QUOTE); 649 } 650 BIO_printf(bio_err, "\n"); 651 } 652 } 653 654 static int process_certConf(OSSL_CMP_SRV_CTX *srv_ctx, 655 const OSSL_CMP_MSG *certConf, 656 ossl_unused int certReqId, 657 const ASN1_OCTET_STRING *certHash, 658 const OSSL_CMP_PKISI *si) 659 { 660 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx); 661 ASN1_OCTET_STRING *digest; 662 663 if (ctx == NULL || certConf == NULL || certHash == NULL) { 664 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); 665 return 0; 666 } 667 if (ctx->sendError == 1 668 || ctx->sendError == OSSL_CMP_MSG_get_bodytype(certConf) 669 || ctx->certOut == NULL) { 670 ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE); 671 return 0; 672 } 673 674 if ((digest = X509_digest_sig(ctx->certOut, NULL, NULL)) == NULL) 675 return 0; 676 if (ASN1_OCTET_STRING_cmp(certHash, digest) != 0) { 677 ASN1_OCTET_STRING_free(digest); 678 ERR_raise(ERR_LIB_CMP, CMP_R_CERTHASH_UNMATCHED); 679 return 0; 680 } 681 ASN1_OCTET_STRING_free(digest); 682 return 1; 683 } 684 685 /* return 0 on failure, 1 on success, setting *req or otherwise *check_after */ 686 static int process_pollReq(OSSL_CMP_SRV_CTX *srv_ctx, 687 const OSSL_CMP_MSG *pollReq, 688 ossl_unused int certReqId, 689 OSSL_CMP_MSG **req, int64_t *check_after) 690 { 691 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx); 692 693 if (req != NULL) 694 *req = NULL; 695 if (ctx == NULL || pollReq == NULL 696 || req == NULL || check_after == NULL) { 697 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT); 698 return 0; 699 } 700 701 if (ctx->sendError == 1 702 || ctx->sendError == OSSL_CMP_MSG_get_bodytype(pollReq)) { 703 ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE); 704 return 0; 705 } 706 if (ctx->req == NULL) { /* not currently in polling mode */ 707 ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_POLLREQ); 708 return 0; 709 } 710 711 if (++ctx->curr_pollCount >= ctx->pollCount) { 712 /* end polling */ 713 *req = ctx->req; 714 ctx->req = NULL; 715 *check_after = 0; 716 } else { 717 *check_after = ctx->checkAfterTime; 718 } 719 return 1; 720 } 721 722 OSSL_CMP_SRV_CTX *ossl_cmp_mock_srv_new(OSSL_LIB_CTX *libctx, const char *propq) 723 { 724 OSSL_CMP_SRV_CTX *srv_ctx = OSSL_CMP_SRV_CTX_new(libctx, propq); 725 mock_srv_ctx *ctx = mock_srv_ctx_new(); 726 727 if (srv_ctx != NULL && ctx != NULL 728 && OSSL_CMP_SRV_CTX_init(srv_ctx, ctx, process_cert_request, 729 process_rr, process_genm, process_error, 730 process_certConf, process_pollReq) 731 && OSSL_CMP_SRV_CTX_init_trans(srv_ctx, 732 delayed_delivery, clean_transaction)) 733 return srv_ctx; 734 735 mock_srv_ctx_free(ctx); 736 OSSL_CMP_SRV_CTX_free(srv_ctx); 737 return NULL; 738 } 739 740 void ossl_cmp_mock_srv_free(OSSL_CMP_SRV_CTX *srv_ctx) 741 { 742 if (srv_ctx != NULL) 743 mock_srv_ctx_free(OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx)); 744 OSSL_CMP_SRV_CTX_free(srv_ctx); 745 } 746