2 * Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright Siemens AG 2018-2020
5 * Licensed under the Apache License 2.0 (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or atf
8 * https://www.openssl.org/source/license.html
12 #include "cmp_mock_srv.h"
14 #include <openssl/cmp.h>
15 #include <openssl/err.h>
16 #include <openssl/cmperr.h>
18 DEFINE_STACK_OF(OSSL_CMP_ITAV)
19 DEFINE_STACK_OF(ASN1_UTF8STRING)
21 /* the context for the CMP mock server */
24 X509 *certOut; /* certificate to be returned in cp/ip/kup msg */
25 STACK_OF(X509) *chainOut; /* chain of certOut to add to extraCerts field */
26 STACK_OF(X509) *caPubsOut; /* certs to return in caPubs field of ip msg */
27 OSSL_CMP_PKISI *statusOut; /* status for ip/cp/kup/rp msg unless polling */
28 int sendError; /* send error response also on valid requests */
29 OSSL_CMP_MSG *certReq; /* ir/cr/p10cr/kur remembered while polling */
30 int certReqId; /* id of last ir/cr/kur, used for polling */
31 int pollCount; /* number of polls before actual cert response */
32 int checkAfterTime; /* time the client should wait between polling */
36 static void mock_srv_ctx_free(mock_srv_ctx *ctx)
41 OSSL_CMP_PKISI_free(ctx->statusOut);
42 X509_free(ctx->certOut);
43 sk_X509_pop_free(ctx->chainOut, X509_free);
44 sk_X509_pop_free(ctx->caPubsOut, X509_free);
45 OSSL_CMP_MSG_free(ctx->certReq);
49 static mock_srv_ctx *mock_srv_ctx_new(void)
51 mock_srv_ctx *ctx = OPENSSL_zalloc(sizeof(mock_srv_ctx));
56 if ((ctx->statusOut = OSSL_CMP_PKISI_new()) == NULL)
61 /* all other elements are initialized to 0 or NULL, respectively */
64 mock_srv_ctx_free(ctx);
68 int ossl_cmp_mock_srv_set1_certOut(OSSL_CMP_SRV_CTX *srv_ctx, X509 *cert)
70 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
73 CMPerr(0, CMP_R_NULL_ARGUMENT);
76 if (cert == NULL || X509_up_ref(cert)) {
77 X509_free(ctx->certOut);
84 int ossl_cmp_mock_srv_set1_chainOut(OSSL_CMP_SRV_CTX *srv_ctx,
85 STACK_OF(X509) *chain)
87 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
88 STACK_OF(X509) *chain_copy = NULL;
91 CMPerr(0, CMP_R_NULL_ARGUMENT);
94 if (chain != NULL && (chain_copy = X509_chain_up_ref(chain)) == NULL)
96 sk_X509_pop_free(ctx->chainOut, X509_free);
97 ctx->chainOut = chain_copy;
101 int ossl_cmp_mock_srv_set1_caPubsOut(OSSL_CMP_SRV_CTX *srv_ctx,
102 STACK_OF(X509) *caPubs)
104 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
105 STACK_OF(X509) *caPubs_copy = NULL;
108 CMPerr(0, CMP_R_NULL_ARGUMENT);
111 if (caPubs != NULL && (caPubs_copy = X509_chain_up_ref(caPubs)) == NULL)
113 sk_X509_pop_free(ctx->caPubsOut, X509_free);
114 ctx->caPubsOut = caPubs_copy;
118 int ossl_cmp_mock_srv_set_statusInfo(OSSL_CMP_SRV_CTX *srv_ctx, int status,
119 int fail_info, const char *text)
121 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
125 CMPerr(0, CMP_R_NULL_ARGUMENT);
128 if ((si = OSSL_CMP_STATUSINFO_new(status, fail_info, text)) == NULL)
130 OSSL_CMP_PKISI_free(ctx->statusOut);
135 int ossl_cmp_mock_srv_set_send_error(OSSL_CMP_SRV_CTX *srv_ctx, int val)
137 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
140 CMPerr(0, CMP_R_NULL_ARGUMENT);
143 ctx->sendError = val != 0;
147 int ossl_cmp_mock_srv_set_pollCount(OSSL_CMP_SRV_CTX *srv_ctx, int count)
149 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
152 CMPerr(0, CMP_R_NULL_ARGUMENT);
156 CMPerr(0, CMP_R_INVALID_ARGS);
159 ctx->pollCount = count;
163 int ossl_cmp_mock_srv_set_checkAfterTime(OSSL_CMP_SRV_CTX *srv_ctx, int sec)
165 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
168 CMPerr(0, CMP_R_NULL_ARGUMENT);
171 ctx->checkAfterTime = sec;
175 static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
176 const OSSL_CMP_MSG *cert_req,
178 const OSSL_CRMF_MSG *crm,
179 const X509_REQ *p10cr,
181 STACK_OF(X509) **chainOut,
182 STACK_OF(X509) **caPubs)
184 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
185 OSSL_CMP_PKISI *si = NULL;
187 if (ctx == NULL || cert_req == NULL
188 || certOut == NULL || chainOut == NULL || caPubs == NULL) {
189 CMPerr(0, CMP_R_NULL_ARGUMENT);
192 if (ctx->sendError) {
193 CMPerr(0, CMP_R_ERROR_PROCESSING_MESSAGE);
200 ctx->certReqId = certReqId;
201 if (ctx->pollCount > 0) {
203 OSSL_CMP_MSG_free(ctx->certReq);
204 if ((ctx->certReq = OSSL_CMP_MSG_dup(cert_req)) == NULL)
206 return OSSL_CMP_STATUSINFO_new(OSSL_CMP_PKISTATUS_waiting, 0, NULL);
208 if (ctx->certOut != NULL
209 && (*certOut = X509_dup(ctx->certOut)) == NULL)
210 /* TODO better return a cert produced from data in request template */
212 if (ctx->chainOut != NULL
213 && (*chainOut = X509_chain_up_ref(ctx->chainOut)) == NULL)
215 if (ctx->caPubsOut != NULL
216 && (*caPubs = X509_chain_up_ref(ctx->caPubsOut)) == NULL)
218 if (ctx->statusOut != NULL
219 && (si = OSSL_CMP_PKISI_dup(ctx->statusOut)) == NULL)
226 sk_X509_pop_free(*chainOut, X509_free);
228 sk_X509_pop_free(*caPubs, X509_free);
233 static OSSL_CMP_PKISI *process_rr(OSSL_CMP_SRV_CTX *srv_ctx,
234 const OSSL_CMP_MSG *rr,
235 const X509_NAME *issuer,
236 const ASN1_INTEGER *serial)
238 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
240 if (ctx == NULL || rr == NULL || issuer == NULL || serial == NULL) {
241 CMPerr(0, CMP_R_NULL_ARGUMENT);
244 if (ctx->sendError || ctx->certOut == NULL) {
245 CMPerr(0, CMP_R_ERROR_PROCESSING_MESSAGE);
249 /* accept revocation only for the certificate we sent in ir/cr/kur */
250 if (X509_NAME_cmp(issuer, X509_get_issuer_name(ctx->certOut)) != 0
251 || ASN1_INTEGER_cmp(serial,
252 X509_get0_serialNumber(ctx->certOut)) != 0) {
253 CMPerr(0, CMP_R_REQUEST_NOT_ACCEPTED);
256 return OSSL_CMP_PKISI_dup(ctx->statusOut);
259 static int process_genm(OSSL_CMP_SRV_CTX *srv_ctx,
260 const OSSL_CMP_MSG *genm,
261 const STACK_OF(OSSL_CMP_ITAV) *in,
262 STACK_OF(OSSL_CMP_ITAV) **out)
264 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
266 if (ctx == NULL || genm == NULL || in == NULL || out == NULL) {
267 CMPerr(0, CMP_R_NULL_ARGUMENT);
270 if (ctx->sendError) {
271 CMPerr(0, CMP_R_ERROR_PROCESSING_MESSAGE);
275 *out = sk_OSSL_CMP_ITAV_deep_copy(in, OSSL_CMP_ITAV_dup,
280 static void process_error(OSSL_CMP_SRV_CTX *srv_ctx, const OSSL_CMP_MSG *error,
281 const OSSL_CMP_PKISI *statusInfo,
282 const ASN1_INTEGER *errorCode,
283 const OSSL_CMP_PKIFREETEXT *errorDetails)
285 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
286 char buf[OSSL_CMP_PKISI_BUFLEN];
290 if (ctx == NULL || error == NULL) {
291 CMPerr(0, CMP_R_NULL_ARGUMENT);
295 BIO_printf(bio_err, "mock server received error:\n");
297 if (statusInfo == NULL) {
298 BIO_printf(bio_err, "pkiStatusInfo absent\n");
300 sibuf = OSSL_CMP_snprint_PKIStatusInfo(statusInfo, buf, sizeof(buf));
301 BIO_printf(bio_err, "pkiStatusInfo: %s\n",
302 sibuf != NULL ? sibuf: "<invalid>");
305 if (errorCode == NULL)
306 BIO_printf(bio_err, "errorCode absent\n");
308 BIO_printf(bio_err, "errorCode: %ld\n", ASN1_INTEGER_get(errorCode));
310 if (sk_ASN1_UTF8STRING_num(errorDetails) <= 0) {
311 BIO_printf(bio_err, "errorDetails absent\n");
313 /* TODO could use sk_ASN1_UTF8STRING2text() if exported */
314 BIO_printf(bio_err, "errorDetails: ");
315 for (i = 0; i < sk_ASN1_UTF8STRING_num(errorDetails); i++) {
317 BIO_printf(bio_err, ", ");
318 BIO_printf(bio_err, "\"");
319 ASN1_STRING_print(bio_err,
320 sk_ASN1_UTF8STRING_value(errorDetails, i));
321 BIO_printf(bio_err, "\"");
323 BIO_printf(bio_err, "\n");
327 static int process_certConf(OSSL_CMP_SRV_CTX *srv_ctx,
328 const OSSL_CMP_MSG *certConf, int certReqId,
329 const ASN1_OCTET_STRING *certHash,
330 const OSSL_CMP_PKISI *si)
332 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
333 ASN1_OCTET_STRING *digest;
335 if (ctx == NULL || certConf == NULL || certHash == NULL) {
336 CMPerr(0, CMP_R_NULL_ARGUMENT);
339 if (ctx->sendError || ctx->certOut == NULL) {
340 CMPerr(0, CMP_R_ERROR_PROCESSING_MESSAGE);
344 if (certReqId != ctx->certReqId) {
345 /* in case of error, invalid reqId -1 */
346 CMPerr(0, CMP_R_BAD_REQUEST_ID);
350 if ((digest = X509_digest_sig(ctx->certOut)) == NULL)
352 if (ASN1_OCTET_STRING_cmp(certHash, digest) != 0) {
353 ASN1_OCTET_STRING_free(digest);
354 CMPerr(0, CMP_R_CERTHASH_UNMATCHED);
357 ASN1_OCTET_STRING_free(digest);
361 static int process_pollReq(OSSL_CMP_SRV_CTX *srv_ctx,
362 const OSSL_CMP_MSG *pollReq, int certReqId,
363 OSSL_CMP_MSG **certReq, int64_t *check_after)
365 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
367 if (ctx == NULL || pollReq == NULL
368 || certReq == NULL || check_after == NULL) {
369 CMPerr(0, CMP_R_NULL_ARGUMENT);
372 if (ctx->sendError || ctx->certReq == NULL) {
374 CMPerr(0, CMP_R_ERROR_PROCESSING_MESSAGE);
378 if (ctx->pollCount == 0) {
379 *certReq = ctx->certReq;
385 *check_after = ctx->checkAfterTime;
390 OSSL_CMP_SRV_CTX *ossl_cmp_mock_srv_new(OPENSSL_CTX *libctx, const char *propq)
392 OSSL_CMP_SRV_CTX *srv_ctx = OSSL_CMP_SRV_CTX_new(libctx, propq);
393 mock_srv_ctx *ctx = mock_srv_ctx_new();
395 if (srv_ctx != NULL && ctx != NULL
396 && OSSL_CMP_SRV_CTX_init(srv_ctx, ctx, process_cert_request,
397 process_rr, process_genm, process_error,
398 process_certConf, process_pollReq))
401 mock_srv_ctx_free(ctx);
402 OSSL_CMP_SRV_CTX_free(srv_ctx);
406 void ossl_cmp_mock_srv_free(OSSL_CMP_SRV_CTX *srv_ctx)
409 mock_srv_ctx_free(OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx));
410 OSSL_CMP_SRV_CTX_free(srv_ctx);