cmp_mock_srv.c 15 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473
  1. /*
  2. * Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved.
  3. * Copyright Siemens AG 2018-2020
  4. *
  5. * Licensed under the Apache License 2.0 (the "License"). You may not use
  6. * this file except in compliance with the License. You can obtain a copy
  7. * in the file LICENSE in the source distribution or atf
  8. * https://www.openssl.org/source/license.html
  9. */
  10. #include "apps.h"
  11. #include "cmp_mock_srv.h"
  12. #include <openssl/cmp.h>
  13. #include <openssl/err.h>
  14. #include <openssl/cmperr.h>
  15. /* the context for the CMP mock server */
  16. typedef struct
  17. {
  18. X509 *refCert; /* cert to expect for oldCertID in kur/rr msg */
  19. X509 *certOut; /* certificate to be returned in cp/ip/kup msg */
  20. STACK_OF(X509) *chainOut; /* chain of certOut to add to extraCerts field */
  21. STACK_OF(X509) *caPubsOut; /* certs to return in caPubs field of ip msg */
  22. OSSL_CMP_PKISI *statusOut; /* status for ip/cp/kup/rp msg unless polling */
  23. int sendError; /* send error response also on valid requests */
  24. OSSL_CMP_MSG *certReq; /* ir/cr/p10cr/kur remembered while polling */
  25. int certReqId; /* id of last ir/cr/kur, used for polling */
  26. int pollCount; /* number of polls before actual cert response */
  27. int curr_pollCount; /* number of polls so far for current request */
  28. int checkAfterTime; /* time the client should wait between polling */
  29. } mock_srv_ctx;
  30. static void mock_srv_ctx_free(mock_srv_ctx *ctx)
  31. {
  32. if (ctx == NULL)
  33. return;
  34. OSSL_CMP_PKISI_free(ctx->statusOut);
  35. X509_free(ctx->refCert);
  36. X509_free(ctx->certOut);
  37. OSSL_STACK_OF_X509_free(ctx->chainOut);
  38. OSSL_STACK_OF_X509_free(ctx->caPubsOut);
  39. OSSL_CMP_MSG_free(ctx->certReq);
  40. OPENSSL_free(ctx);
  41. }
  42. static mock_srv_ctx *mock_srv_ctx_new(void)
  43. {
  44. mock_srv_ctx *ctx = OPENSSL_zalloc(sizeof(mock_srv_ctx));
  45. if (ctx == NULL)
  46. goto err;
  47. if ((ctx->statusOut = OSSL_CMP_PKISI_new()) == NULL)
  48. goto err;
  49. ctx->certReqId = -1;
  50. /* all other elements are initialized to 0 or NULL, respectively */
  51. return ctx;
  52. err:
  53. mock_srv_ctx_free(ctx);
  54. return NULL;
  55. }
  56. int ossl_cmp_mock_srv_set1_refCert(OSSL_CMP_SRV_CTX *srv_ctx, X509 *cert)
  57. {
  58. mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
  59. if (ctx == NULL) {
  60. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  61. return 0;
  62. }
  63. if (cert == NULL || X509_up_ref(cert)) {
  64. X509_free(ctx->refCert);
  65. ctx->refCert = cert;
  66. return 1;
  67. }
  68. return 0;
  69. }
  70. int ossl_cmp_mock_srv_set1_certOut(OSSL_CMP_SRV_CTX *srv_ctx, X509 *cert)
  71. {
  72. mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
  73. if (ctx == NULL) {
  74. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  75. return 0;
  76. }
  77. if (cert == NULL || X509_up_ref(cert)) {
  78. X509_free(ctx->certOut);
  79. ctx->certOut = cert;
  80. return 1;
  81. }
  82. return 0;
  83. }
  84. int ossl_cmp_mock_srv_set1_chainOut(OSSL_CMP_SRV_CTX *srv_ctx,
  85. STACK_OF(X509) *chain)
  86. {
  87. mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
  88. STACK_OF(X509) *chain_copy = NULL;
  89. if (ctx == NULL) {
  90. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  91. return 0;
  92. }
  93. if (chain != NULL && (chain_copy = X509_chain_up_ref(chain)) == NULL)
  94. return 0;
  95. OSSL_STACK_OF_X509_free(ctx->chainOut);
  96. ctx->chainOut = chain_copy;
  97. return 1;
  98. }
  99. int ossl_cmp_mock_srv_set1_caPubsOut(OSSL_CMP_SRV_CTX *srv_ctx,
  100. STACK_OF(X509) *caPubs)
  101. {
  102. mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
  103. STACK_OF(X509) *caPubs_copy = NULL;
  104. if (ctx == NULL) {
  105. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  106. return 0;
  107. }
  108. if (caPubs != NULL && (caPubs_copy = X509_chain_up_ref(caPubs)) == NULL)
  109. return 0;
  110. OSSL_STACK_OF_X509_free(ctx->caPubsOut);
  111. ctx->caPubsOut = caPubs_copy;
  112. return 1;
  113. }
  114. int ossl_cmp_mock_srv_set_statusInfo(OSSL_CMP_SRV_CTX *srv_ctx, int status,
  115. int fail_info, const char *text)
  116. {
  117. mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
  118. OSSL_CMP_PKISI *si;
  119. if (ctx == NULL) {
  120. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  121. return 0;
  122. }
  123. if ((si = OSSL_CMP_STATUSINFO_new(status, fail_info, text)) == NULL)
  124. return 0;
  125. OSSL_CMP_PKISI_free(ctx->statusOut);
  126. ctx->statusOut = si;
  127. return 1;
  128. }
  129. int ossl_cmp_mock_srv_set_send_error(OSSL_CMP_SRV_CTX *srv_ctx, int val)
  130. {
  131. mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
  132. if (ctx == NULL) {
  133. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  134. return 0;
  135. }
  136. ctx->sendError = val != 0;
  137. return 1;
  138. }
  139. int ossl_cmp_mock_srv_set_pollCount(OSSL_CMP_SRV_CTX *srv_ctx, int count)
  140. {
  141. mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
  142. if (ctx == NULL) {
  143. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  144. return 0;
  145. }
  146. if (count < 0) {
  147. ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS);
  148. return 0;
  149. }
  150. ctx->pollCount = count;
  151. return 1;
  152. }
  153. int ossl_cmp_mock_srv_set_checkAfterTime(OSSL_CMP_SRV_CTX *srv_ctx, int sec)
  154. {
  155. mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
  156. if (ctx == NULL) {
  157. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  158. return 0;
  159. }
  160. ctx->checkAfterTime = sec;
  161. return 1;
  162. }
  163. /* check for matching reference cert components, as far as given */
  164. static int refcert_cmp(const X509 *refcert,
  165. const X509_NAME *issuer, const ASN1_INTEGER *serial)
  166. {
  167. const X509_NAME *ref_issuer;
  168. const ASN1_INTEGER *ref_serial;
  169. if (refcert == NULL)
  170. return 1;
  171. ref_issuer = X509_get_issuer_name(refcert);
  172. ref_serial = X509_get0_serialNumber(refcert);
  173. return (ref_issuer == NULL || X509_NAME_cmp(issuer, ref_issuer) == 0)
  174. && (ref_serial == NULL || ASN1_INTEGER_cmp(serial, ref_serial) == 0);
  175. }
  176. static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
  177. const OSSL_CMP_MSG *cert_req,
  178. int certReqId,
  179. const OSSL_CRMF_MSG *crm,
  180. const X509_REQ *p10cr,
  181. X509 **certOut,
  182. STACK_OF(X509) **chainOut,
  183. STACK_OF(X509) **caPubs)
  184. {
  185. mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
  186. OSSL_CMP_PKISI *si = NULL;
  187. if (ctx == NULL || cert_req == NULL
  188. || certOut == NULL || chainOut == NULL || caPubs == NULL) {
  189. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  190. return NULL;
  191. }
  192. if (ctx->sendError) {
  193. ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
  194. return NULL;
  195. }
  196. *certOut = NULL;
  197. *chainOut = NULL;
  198. *caPubs = NULL;
  199. ctx->certReqId = certReqId;
  200. if (ctx->pollCount > 0 && ctx->curr_pollCount == 0) {
  201. /* start polling */
  202. if (ctx->certReq != NULL) {
  203. /* already in polling mode */
  204. ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
  205. return NULL;
  206. }
  207. if ((ctx->certReq = OSSL_CMP_MSG_dup(cert_req)) == NULL)
  208. return NULL;
  209. return OSSL_CMP_STATUSINFO_new(OSSL_CMP_PKISTATUS_waiting, 0, NULL);
  210. }
  211. if (ctx->curr_pollCount >= ctx->pollCount)
  212. /* give final response after polling */
  213. ctx->curr_pollCount = 0;
  214. /* accept cert update request only for the reference cert, if given */
  215. if (OSSL_CMP_MSG_get_bodytype(cert_req) == OSSL_CMP_KUR
  216. && crm != NULL /* thus not p10cr */ && ctx->refCert != NULL) {
  217. const OSSL_CRMF_CERTID *cid = OSSL_CRMF_MSG_get0_regCtrl_oldCertID(crm);
  218. if (cid == NULL) {
  219. ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_CERTID);
  220. return NULL;
  221. }
  222. if (!refcert_cmp(ctx->refCert,
  223. OSSL_CRMF_CERTID_get0_issuer(cid),
  224. OSSL_CRMF_CERTID_get0_serialNumber(cid))) {
  225. ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_CERTID);
  226. return NULL;
  227. }
  228. }
  229. if (ctx->certOut != NULL
  230. && (*certOut = X509_dup(ctx->certOut)) == NULL)
  231. goto err;
  232. if (ctx->chainOut != NULL
  233. && (*chainOut = X509_chain_up_ref(ctx->chainOut)) == NULL)
  234. goto err;
  235. if (ctx->caPubsOut != NULL
  236. && (*caPubs = X509_chain_up_ref(ctx->caPubsOut)) == NULL)
  237. goto err;
  238. if (ctx->statusOut != NULL
  239. && (si = OSSL_CMP_PKISI_dup(ctx->statusOut)) == NULL)
  240. goto err;
  241. return si;
  242. err:
  243. X509_free(*certOut);
  244. *certOut = NULL;
  245. OSSL_STACK_OF_X509_free(*chainOut);
  246. *chainOut = NULL;
  247. OSSL_STACK_OF_X509_free(*caPubs);
  248. *caPubs = NULL;
  249. return NULL;
  250. }
  251. static OSSL_CMP_PKISI *process_rr(OSSL_CMP_SRV_CTX *srv_ctx,
  252. const OSSL_CMP_MSG *rr,
  253. const X509_NAME *issuer,
  254. const ASN1_INTEGER *serial)
  255. {
  256. mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
  257. if (ctx == NULL || rr == NULL) {
  258. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  259. return NULL;
  260. }
  261. if (ctx->sendError) {
  262. ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
  263. return NULL;
  264. }
  265. /* allow any RR derived from CSR which does not include issuer and serial */
  266. if ((issuer != NULL || serial != NULL)
  267. /* accept revocation only for the reference cert, if given */
  268. && !refcert_cmp(ctx->refCert, issuer, serial)) {
  269. ERR_raise_data(ERR_LIB_CMP, CMP_R_REQUEST_NOT_ACCEPTED,
  270. "wrong certificate to revoke");
  271. return NULL;
  272. }
  273. return OSSL_CMP_PKISI_dup(ctx->statusOut);
  274. }
  275. static int process_genm(OSSL_CMP_SRV_CTX *srv_ctx,
  276. const OSSL_CMP_MSG *genm,
  277. const STACK_OF(OSSL_CMP_ITAV) *in,
  278. STACK_OF(OSSL_CMP_ITAV) **out)
  279. {
  280. mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
  281. if (ctx == NULL || genm == NULL || in == NULL || out == NULL) {
  282. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  283. return 0;
  284. }
  285. if (ctx->sendError) {
  286. ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
  287. return 0;
  288. }
  289. *out = sk_OSSL_CMP_ITAV_deep_copy(in, OSSL_CMP_ITAV_dup,
  290. OSSL_CMP_ITAV_free);
  291. return *out != NULL;
  292. }
  293. static void process_error(OSSL_CMP_SRV_CTX *srv_ctx, const OSSL_CMP_MSG *error,
  294. const OSSL_CMP_PKISI *statusInfo,
  295. const ASN1_INTEGER *errorCode,
  296. const OSSL_CMP_PKIFREETEXT *errorDetails)
  297. {
  298. mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
  299. char buf[OSSL_CMP_PKISI_BUFLEN];
  300. char *sibuf;
  301. int i;
  302. if (ctx == NULL || error == NULL) {
  303. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  304. return;
  305. }
  306. BIO_printf(bio_err, "mock server received error:\n");
  307. if (statusInfo == NULL) {
  308. BIO_printf(bio_err, "pkiStatusInfo absent\n");
  309. } else {
  310. sibuf = OSSL_CMP_snprint_PKIStatusInfo(statusInfo, buf, sizeof(buf));
  311. BIO_printf(bio_err, "pkiStatusInfo: %s\n",
  312. sibuf != NULL ? sibuf: "<invalid>");
  313. }
  314. if (errorCode == NULL)
  315. BIO_printf(bio_err, "errorCode absent\n");
  316. else
  317. BIO_printf(bio_err, "errorCode: %ld\n", ASN1_INTEGER_get(errorCode));
  318. if (sk_ASN1_UTF8STRING_num(errorDetails) <= 0) {
  319. BIO_printf(bio_err, "errorDetails absent\n");
  320. } else {
  321. BIO_printf(bio_err, "errorDetails: ");
  322. for (i = 0; i < sk_ASN1_UTF8STRING_num(errorDetails); i++) {
  323. if (i > 0)
  324. BIO_printf(bio_err, ", ");
  325. BIO_printf(bio_err, "\"");
  326. ASN1_STRING_print(bio_err,
  327. sk_ASN1_UTF8STRING_value(errorDetails, i));
  328. BIO_printf(bio_err, "\"");
  329. }
  330. BIO_printf(bio_err, "\n");
  331. }
  332. }
  333. static int process_certConf(OSSL_CMP_SRV_CTX *srv_ctx,
  334. const OSSL_CMP_MSG *certConf, int certReqId,
  335. const ASN1_OCTET_STRING *certHash,
  336. const OSSL_CMP_PKISI *si)
  337. {
  338. mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
  339. ASN1_OCTET_STRING *digest;
  340. if (ctx == NULL || certConf == NULL || certHash == NULL) {
  341. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  342. return 0;
  343. }
  344. if (ctx->sendError || ctx->certOut == NULL) {
  345. ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
  346. return 0;
  347. }
  348. if (certReqId != ctx->certReqId) {
  349. /* in case of error, invalid reqId -1 */
  350. ERR_raise(ERR_LIB_CMP, CMP_R_BAD_REQUEST_ID);
  351. return 0;
  352. }
  353. if ((digest = X509_digest_sig(ctx->certOut, NULL, NULL)) == NULL)
  354. return 0;
  355. if (ASN1_OCTET_STRING_cmp(certHash, digest) != 0) {
  356. ASN1_OCTET_STRING_free(digest);
  357. ERR_raise(ERR_LIB_CMP, CMP_R_CERTHASH_UNMATCHED);
  358. return 0;
  359. }
  360. ASN1_OCTET_STRING_free(digest);
  361. return 1;
  362. }
  363. static int process_pollReq(OSSL_CMP_SRV_CTX *srv_ctx,
  364. const OSSL_CMP_MSG *pollReq, int certReqId,
  365. OSSL_CMP_MSG **certReq, int64_t *check_after)
  366. {
  367. mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
  368. if (ctx == NULL || pollReq == NULL
  369. || certReq == NULL || check_after == NULL) {
  370. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  371. return 0;
  372. }
  373. if (ctx->sendError) {
  374. *certReq = NULL;
  375. ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
  376. return 0;
  377. }
  378. if (ctx->certReq == NULL) {
  379. /* not currently in polling mode */
  380. *certReq = NULL;
  381. ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
  382. return 0;
  383. }
  384. if (++ctx->curr_pollCount >= ctx->pollCount) {
  385. /* end polling */
  386. *certReq = ctx->certReq;
  387. ctx->certReq = NULL;
  388. *check_after = 0;
  389. } else {
  390. *certReq = NULL;
  391. *check_after = ctx->checkAfterTime;
  392. }
  393. return 1;
  394. }
  395. OSSL_CMP_SRV_CTX *ossl_cmp_mock_srv_new(OSSL_LIB_CTX *libctx, const char *propq)
  396. {
  397. OSSL_CMP_SRV_CTX *srv_ctx = OSSL_CMP_SRV_CTX_new(libctx, propq);
  398. mock_srv_ctx *ctx = mock_srv_ctx_new();
  399. if (srv_ctx != NULL && ctx != NULL
  400. && OSSL_CMP_SRV_CTX_init(srv_ctx, ctx, process_cert_request,
  401. process_rr, process_genm, process_error,
  402. process_certConf, process_pollReq))
  403. return srv_ctx;
  404. mock_srv_ctx_free(ctx);
  405. OSSL_CMP_SRV_CTX_free(srv_ctx);
  406. return NULL;
  407. }
  408. void ossl_cmp_mock_srv_free(OSSL_CMP_SRV_CTX *srv_ctx)
  409. {
  410. if (srv_ctx != NULL)
  411. mock_srv_ctx_free(OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx));
  412. OSSL_CMP_SRV_CTX_free(srv_ctx);
  413. }