2
0

cmp_mock_srv.c 15 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452
  1. /*
  2. * Copyright 2018-2023 The OpenSSL Project Authors. All Rights Reserved.
  3. * Copyright Siemens AG 2018-2020
  4. *
  5. * Licensed under the Apache License 2.0 (the "License"). You may not use
  6. * this file except in compliance with the License. You can obtain a copy
  7. * in the file LICENSE in the source distribution or atf
  8. * https://www.openssl.org/source/license.html
  9. */
  10. #include "apps.h"
  11. #include "cmp_mock_srv.h"
  12. #include <openssl/cmp.h>
  13. #include <openssl/err.h>
  14. #include <openssl/cmperr.h>
  15. /* the context for the CMP mock server */
  16. typedef struct
  17. {
  18. X509 *certOut; /* certificate to be returned in cp/ip/kup msg */
  19. STACK_OF(X509) *chainOut; /* chain of certOut to add to extraCerts field */
  20. STACK_OF(X509) *caPubsOut; /* certs to return in caPubs field of ip msg */
  21. OSSL_CMP_PKISI *statusOut; /* status for ip/cp/kup/rp msg unless polling */
  22. int sendError; /* send error response on given request type */
  23. OSSL_CMP_MSG *certReq; /* ir/cr/p10cr/kur remembered while polling */
  24. int pollCount; /* number of polls before actual cert response */
  25. int curr_pollCount; /* number of polls so far for current request */
  26. int checkAfterTime; /* time the client should wait between polling */
  27. } mock_srv_ctx;
  28. static void mock_srv_ctx_free(mock_srv_ctx *ctx)
  29. {
  30. if (ctx == NULL)
  31. return;
  32. OSSL_CMP_PKISI_free(ctx->statusOut);
  33. X509_free(ctx->certOut);
  34. sk_X509_pop_free(ctx->chainOut, X509_free);
  35. sk_X509_pop_free(ctx->caPubsOut, X509_free);
  36. OSSL_CMP_MSG_free(ctx->certReq);
  37. OPENSSL_free(ctx);
  38. }
  39. static mock_srv_ctx *mock_srv_ctx_new(void)
  40. {
  41. mock_srv_ctx *ctx = OPENSSL_zalloc(sizeof(mock_srv_ctx));
  42. if (ctx == NULL)
  43. goto err;
  44. if ((ctx->statusOut = OSSL_CMP_PKISI_new()) == NULL)
  45. goto err;
  46. ctx->sendError = -1;
  47. /* all other elements are initialized to 0 or NULL, respectively */
  48. return ctx;
  49. err:
  50. mock_srv_ctx_free(ctx);
  51. return NULL;
  52. }
  53. int ossl_cmp_mock_srv_set1_certOut(OSSL_CMP_SRV_CTX *srv_ctx, X509 *cert)
  54. {
  55. mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
  56. if (ctx == NULL) {
  57. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  58. return 0;
  59. }
  60. if (cert == NULL || X509_up_ref(cert)) {
  61. X509_free(ctx->certOut);
  62. ctx->certOut = cert;
  63. return 1;
  64. }
  65. return 0;
  66. }
  67. int ossl_cmp_mock_srv_set1_chainOut(OSSL_CMP_SRV_CTX *srv_ctx,
  68. STACK_OF(X509) *chain)
  69. {
  70. mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
  71. STACK_OF(X509) *chain_copy = NULL;
  72. if (ctx == NULL) {
  73. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  74. return 0;
  75. }
  76. if (chain != NULL && (chain_copy = X509_chain_up_ref(chain)) == NULL)
  77. return 0;
  78. sk_X509_pop_free(ctx->chainOut, X509_free);
  79. ctx->chainOut = chain_copy;
  80. return 1;
  81. }
  82. int ossl_cmp_mock_srv_set1_caPubsOut(OSSL_CMP_SRV_CTX *srv_ctx,
  83. STACK_OF(X509) *caPubs)
  84. {
  85. mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
  86. STACK_OF(X509) *caPubs_copy = NULL;
  87. if (ctx == NULL) {
  88. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  89. return 0;
  90. }
  91. if (caPubs != NULL && (caPubs_copy = X509_chain_up_ref(caPubs)) == NULL)
  92. return 0;
  93. sk_X509_pop_free(ctx->caPubsOut, X509_free);
  94. ctx->caPubsOut = caPubs_copy;
  95. return 1;
  96. }
  97. int ossl_cmp_mock_srv_set_statusInfo(OSSL_CMP_SRV_CTX *srv_ctx, int status,
  98. int fail_info, const char *text)
  99. {
  100. mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
  101. OSSL_CMP_PKISI *si;
  102. if (ctx == NULL) {
  103. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  104. return 0;
  105. }
  106. if ((si = OSSL_CMP_STATUSINFO_new(status, fail_info, text)) == NULL)
  107. return 0;
  108. OSSL_CMP_PKISI_free(ctx->statusOut);
  109. ctx->statusOut = si;
  110. return 1;
  111. }
  112. int ossl_cmp_mock_srv_set_sendError(OSSL_CMP_SRV_CTX *srv_ctx, int bodytype)
  113. {
  114. mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
  115. if (ctx == NULL) {
  116. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  117. return 0;
  118. }
  119. /* might check bodytype, but this would require exporting all body types */
  120. ctx->sendError = bodytype;
  121. return 1;
  122. }
  123. int ossl_cmp_mock_srv_set_pollCount(OSSL_CMP_SRV_CTX *srv_ctx, int count)
  124. {
  125. mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
  126. if (ctx == NULL) {
  127. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  128. return 0;
  129. }
  130. if (count < 0) {
  131. ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS);
  132. return 0;
  133. }
  134. ctx->pollCount = count;
  135. return 1;
  136. }
  137. int ossl_cmp_mock_srv_set_checkAfterTime(OSSL_CMP_SRV_CTX *srv_ctx, int sec)
  138. {
  139. mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
  140. if (ctx == NULL) {
  141. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  142. return 0;
  143. }
  144. ctx->checkAfterTime = sec;
  145. return 1;
  146. }
  147. static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
  148. const OSSL_CMP_MSG *cert_req,
  149. ossl_unused int certReqId,
  150. const OSSL_CRMF_MSG *crm,
  151. const X509_REQ *p10cr,
  152. X509 **certOut,
  153. STACK_OF(X509) **chainOut,
  154. STACK_OF(X509) **caPubs)
  155. {
  156. mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
  157. OSSL_CMP_PKISI *si = NULL;
  158. if (ctx == NULL || cert_req == NULL
  159. || certOut == NULL || chainOut == NULL || caPubs == NULL) {
  160. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  161. return NULL;
  162. }
  163. if (ctx->sendError == 1
  164. || ctx->sendError == OSSL_CMP_MSG_get_bodytype(cert_req)) {
  165. ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
  166. return NULL;
  167. }
  168. *certOut = NULL;
  169. *chainOut = NULL;
  170. *caPubs = NULL;
  171. if (ctx->pollCount > 0 && ctx->curr_pollCount == 0) {
  172. /* start polling */
  173. if (ctx->certReq != NULL) {
  174. /* already in polling mode */
  175. ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
  176. return NULL;
  177. }
  178. if ((ctx->certReq = OSSL_CMP_MSG_dup(cert_req)) == NULL)
  179. return NULL;
  180. return OSSL_CMP_STATUSINFO_new(OSSL_CMP_PKISTATUS_waiting, 0, NULL);
  181. }
  182. if (ctx->curr_pollCount >= ctx->pollCount)
  183. /* give final response after polling */
  184. ctx->curr_pollCount = 0;
  185. if (OSSL_CMP_MSG_get_bodytype(cert_req) == OSSL_CMP_KUR
  186. && crm != NULL && ctx->certOut != NULL) {
  187. const OSSL_CRMF_CERTID *cid = OSSL_CRMF_MSG_get0_regCtrl_oldCertID(crm);
  188. const X509_NAME *issuer = X509_get_issuer_name(ctx->certOut);
  189. const ASN1_INTEGER *serial = X509_get0_serialNumber(ctx->certOut);
  190. if (cid == NULL) {
  191. ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_CERTID);
  192. return NULL;
  193. }
  194. if (issuer != NULL
  195. && X509_NAME_cmp(issuer, OSSL_CRMF_CERTID_get0_issuer(cid)) != 0) {
  196. ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_CERTID);
  197. return NULL;
  198. }
  199. if (serial != NULL
  200. && ASN1_INTEGER_cmp(serial,
  201. OSSL_CRMF_CERTID_get0_serialNumber(cid)) != 0) {
  202. ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_CERTID);
  203. return NULL;
  204. }
  205. }
  206. if (ctx->certOut != NULL
  207. && (*certOut = X509_dup(ctx->certOut)) == NULL)
  208. goto err;
  209. if (ctx->chainOut != NULL
  210. && (*chainOut = X509_chain_up_ref(ctx->chainOut)) == NULL)
  211. goto err;
  212. if (ctx->caPubsOut != NULL
  213. && (*caPubs = X509_chain_up_ref(ctx->caPubsOut)) == NULL)
  214. goto err;
  215. if (ctx->statusOut != NULL
  216. && (si = OSSL_CMP_PKISI_dup(ctx->statusOut)) == NULL)
  217. goto err;
  218. return si;
  219. err:
  220. X509_free(*certOut);
  221. *certOut = NULL;
  222. sk_X509_pop_free(*chainOut, X509_free);
  223. *chainOut = NULL;
  224. sk_X509_pop_free(*caPubs, X509_free);
  225. *caPubs = NULL;
  226. return NULL;
  227. }
  228. static OSSL_CMP_PKISI *process_rr(OSSL_CMP_SRV_CTX *srv_ctx,
  229. const OSSL_CMP_MSG *rr,
  230. const X509_NAME *issuer,
  231. const ASN1_INTEGER *serial)
  232. {
  233. mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
  234. if (ctx == NULL || rr == NULL) {
  235. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  236. return NULL;
  237. }
  238. if (ctx->certOut == NULL || ctx->sendError == 1
  239. || ctx->sendError == OSSL_CMP_MSG_get_bodytype(rr)) {
  240. ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
  241. return NULL;
  242. }
  243. /* Allow any RR derived from CSR, which may include subject and serial */
  244. if (issuer == NULL || serial == NULL)
  245. return OSSL_CMP_PKISI_dup(ctx->statusOut);
  246. /* accept revocation only for the certificate we sent in ir/cr/kur */
  247. if (X509_NAME_cmp(issuer, X509_get_issuer_name(ctx->certOut)) != 0
  248. || ASN1_INTEGER_cmp(serial,
  249. X509_get0_serialNumber(ctx->certOut)) != 0) {
  250. ERR_raise_data(ERR_LIB_CMP, CMP_R_REQUEST_NOT_ACCEPTED,
  251. "wrong certificate to revoke");
  252. return NULL;
  253. }
  254. return OSSL_CMP_PKISI_dup(ctx->statusOut);
  255. }
  256. static int process_genm(OSSL_CMP_SRV_CTX *srv_ctx,
  257. const OSSL_CMP_MSG *genm,
  258. const STACK_OF(OSSL_CMP_ITAV) *in,
  259. STACK_OF(OSSL_CMP_ITAV) **out)
  260. {
  261. mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
  262. if (ctx == NULL || genm == NULL || in == NULL || out == NULL) {
  263. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  264. return 0;
  265. }
  266. if (ctx->sendError == 1
  267. || ctx->sendError == OSSL_CMP_MSG_get_bodytype(genm)
  268. || sk_OSSL_CMP_ITAV_num(in) > 1) {
  269. ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
  270. return 0;
  271. }
  272. *out = sk_OSSL_CMP_ITAV_deep_copy(in, OSSL_CMP_ITAV_dup,
  273. OSSL_CMP_ITAV_free);
  274. return *out != NULL;
  275. }
  276. static void process_error(OSSL_CMP_SRV_CTX *srv_ctx, const OSSL_CMP_MSG *error,
  277. const OSSL_CMP_PKISI *statusInfo,
  278. const ASN1_INTEGER *errorCode,
  279. const OSSL_CMP_PKIFREETEXT *errorDetails)
  280. {
  281. mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
  282. char buf[OSSL_CMP_PKISI_BUFLEN];
  283. char *sibuf;
  284. int i;
  285. if (ctx == NULL || error == NULL) {
  286. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  287. return;
  288. }
  289. BIO_printf(bio_err, "mock server received error:\n");
  290. if (statusInfo == NULL) {
  291. BIO_printf(bio_err, "pkiStatusInfo absent\n");
  292. } else {
  293. sibuf = OSSL_CMP_snprint_PKIStatusInfo(statusInfo, buf, sizeof(buf));
  294. BIO_printf(bio_err, "pkiStatusInfo: %s\n",
  295. sibuf != NULL ? sibuf: "<invalid>");
  296. }
  297. if (errorCode == NULL)
  298. BIO_printf(bio_err, "errorCode absent\n");
  299. else
  300. BIO_printf(bio_err, "errorCode: %ld\n", ASN1_INTEGER_get(errorCode));
  301. if (sk_ASN1_UTF8STRING_num(errorDetails) <= 0) {
  302. BIO_printf(bio_err, "errorDetails absent\n");
  303. } else {
  304. BIO_printf(bio_err, "errorDetails: ");
  305. for (i = 0; i < sk_ASN1_UTF8STRING_num(errorDetails); i++) {
  306. if (i > 0)
  307. BIO_printf(bio_err, ", ");
  308. BIO_printf(bio_err, "\"");
  309. ASN1_STRING_print(bio_err,
  310. sk_ASN1_UTF8STRING_value(errorDetails, i));
  311. BIO_printf(bio_err, "\"");
  312. }
  313. BIO_printf(bio_err, "\n");
  314. }
  315. }
  316. static int process_certConf(OSSL_CMP_SRV_CTX *srv_ctx,
  317. const OSSL_CMP_MSG *certConf,
  318. ossl_unused int certReqId,
  319. const ASN1_OCTET_STRING *certHash,
  320. const OSSL_CMP_PKISI *si)
  321. {
  322. mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
  323. ASN1_OCTET_STRING *digest;
  324. if (ctx == NULL || certConf == NULL || certHash == NULL) {
  325. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  326. return 0;
  327. }
  328. if (ctx->sendError == 1
  329. || ctx->sendError == OSSL_CMP_MSG_get_bodytype(certConf)
  330. || ctx->certOut == NULL) {
  331. ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
  332. return 0;
  333. }
  334. if ((digest = X509_digest_sig(ctx->certOut, NULL, NULL)) == NULL)
  335. return 0;
  336. if (ASN1_OCTET_STRING_cmp(certHash, digest) != 0) {
  337. ASN1_OCTET_STRING_free(digest);
  338. ERR_raise(ERR_LIB_CMP, CMP_R_CERTHASH_UNMATCHED);
  339. return 0;
  340. }
  341. ASN1_OCTET_STRING_free(digest);
  342. return 1;
  343. }
  344. static int process_pollReq(OSSL_CMP_SRV_CTX *srv_ctx,
  345. const OSSL_CMP_MSG *pollReq,
  346. ossl_unused int certReqId,
  347. OSSL_CMP_MSG **certReq, int64_t *check_after)
  348. {
  349. mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
  350. if (ctx == NULL || pollReq == NULL
  351. || certReq == NULL || check_after == NULL) {
  352. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  353. return 0;
  354. }
  355. if (ctx->sendError == 1
  356. || ctx->sendError == OSSL_CMP_MSG_get_bodytype(pollReq)) {
  357. *certReq = NULL;
  358. ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
  359. return 0;
  360. }
  361. if (ctx->certReq == NULL) {
  362. /* not currently in polling mode */
  363. *certReq = NULL;
  364. ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
  365. return 0;
  366. }
  367. if (++ctx->curr_pollCount >= ctx->pollCount) {
  368. /* end polling */
  369. *certReq = ctx->certReq;
  370. ctx->certReq = NULL;
  371. *check_after = 0;
  372. } else {
  373. *certReq = NULL;
  374. *check_after = ctx->checkAfterTime;
  375. }
  376. return 1;
  377. }
  378. OSSL_CMP_SRV_CTX *ossl_cmp_mock_srv_new(OSSL_LIB_CTX *libctx, const char *propq)
  379. {
  380. OSSL_CMP_SRV_CTX *srv_ctx = OSSL_CMP_SRV_CTX_new(libctx, propq);
  381. mock_srv_ctx *ctx = mock_srv_ctx_new();
  382. if (srv_ctx != NULL && ctx != NULL
  383. && OSSL_CMP_SRV_CTX_init(srv_ctx, ctx, process_cert_request,
  384. process_rr, process_genm, process_error,
  385. process_certConf, process_pollReq))
  386. return srv_ctx;
  387. mock_srv_ctx_free(ctx);
  388. OSSL_CMP_SRV_CTX_free(srv_ctx);
  389. return NULL;
  390. }
  391. void ossl_cmp_mock_srv_free(OSSL_CMP_SRV_CTX *srv_ctx)
  392. {
  393. if (srv_ctx != NULL)
  394. mock_srv_ctx_free(OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx));
  395. OSSL_CMP_SRV_CTX_free(srv_ctx);
  396. }