2 * Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright Siemens AG 2018-2020
5 * Licensed under the Apache License 2.0 (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or atf
8 * https://www.openssl.org/source/license.html
12 #include "cmp_mock_srv.h"
14 #include <openssl/cmp.h>
15 #include <openssl/err.h>
16 #include <openssl/cmperr.h>
18 /* the context for the CMP mock server */
21 X509 *refCert; /* cert to expect for oldCertID in kur/rr msg */
22 X509 *certOut; /* certificate to be returned in cp/ip/kup msg */
23 STACK_OF(X509) *chainOut; /* chain of certOut to add to extraCerts field */
24 STACK_OF(X509) *caPubsOut; /* used in caPubs of ip and in caCerts of genp */
25 OSSL_CMP_PKISI *statusOut; /* status for ip/cp/kup/rp msg unless polling */
26 int sendError; /* send error response on given request type */
27 OSSL_CMP_MSG *certReq; /* ir/cr/p10cr/kur remembered while polling */
28 int pollCount; /* number of polls before actual cert response */
29 int curr_pollCount; /* number of polls so far for current request */
30 int checkAfterTime; /* time the client should wait between polling */
33 static void mock_srv_ctx_free(mock_srv_ctx *ctx)
38 OSSL_CMP_PKISI_free(ctx->statusOut);
39 X509_free(ctx->refCert);
40 X509_free(ctx->certOut);
41 OSSL_STACK_OF_X509_free(ctx->chainOut);
42 OSSL_STACK_OF_X509_free(ctx->caPubsOut);
43 OSSL_CMP_MSG_free(ctx->certReq);
47 static mock_srv_ctx *mock_srv_ctx_new(void)
49 mock_srv_ctx *ctx = OPENSSL_zalloc(sizeof(mock_srv_ctx));
54 if ((ctx->statusOut = OSSL_CMP_PKISI_new()) == NULL)
59 /* all other elements are initialized to 0 or NULL, respectively */
62 mock_srv_ctx_free(ctx);
66 int ossl_cmp_mock_srv_set1_refCert(OSSL_CMP_SRV_CTX *srv_ctx, X509 *cert)
68 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
71 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
74 if (cert == NULL || X509_up_ref(cert)) {
75 X509_free(ctx->refCert);
82 int ossl_cmp_mock_srv_set1_certOut(OSSL_CMP_SRV_CTX *srv_ctx, X509 *cert)
84 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
87 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
90 if (cert == NULL || X509_up_ref(cert)) {
91 X509_free(ctx->certOut);
98 int ossl_cmp_mock_srv_set1_chainOut(OSSL_CMP_SRV_CTX *srv_ctx,
99 STACK_OF(X509) *chain)
101 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
102 STACK_OF(X509) *chain_copy = NULL;
105 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
108 if (chain != NULL && (chain_copy = X509_chain_up_ref(chain)) == NULL)
110 OSSL_STACK_OF_X509_free(ctx->chainOut);
111 ctx->chainOut = chain_copy;
115 int ossl_cmp_mock_srv_set1_caPubsOut(OSSL_CMP_SRV_CTX *srv_ctx,
116 STACK_OF(X509) *caPubs)
118 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
119 STACK_OF(X509) *caPubs_copy = NULL;
122 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
125 if (caPubs != NULL && (caPubs_copy = X509_chain_up_ref(caPubs)) == NULL)
127 OSSL_STACK_OF_X509_free(ctx->caPubsOut);
128 ctx->caPubsOut = caPubs_copy;
132 int ossl_cmp_mock_srv_set_statusInfo(OSSL_CMP_SRV_CTX *srv_ctx, int status,
133 int fail_info, const char *text)
135 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
139 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
142 if ((si = OSSL_CMP_STATUSINFO_new(status, fail_info, text)) == NULL)
144 OSSL_CMP_PKISI_free(ctx->statusOut);
149 int ossl_cmp_mock_srv_set_sendError(OSSL_CMP_SRV_CTX *srv_ctx, int bodytype)
151 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
154 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
157 /* might check bodytype, but this would require exporting all body types */
158 ctx->sendError = bodytype;
162 int ossl_cmp_mock_srv_set_pollCount(OSSL_CMP_SRV_CTX *srv_ctx, int count)
164 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
167 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
171 ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS);
174 ctx->pollCount = count;
178 int ossl_cmp_mock_srv_set_checkAfterTime(OSSL_CMP_SRV_CTX *srv_ctx, int sec)
180 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
183 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
186 ctx->checkAfterTime = sec;
190 /* check for matching reference cert components, as far as given */
191 static int refcert_cmp(const X509 *refcert,
192 const X509_NAME *issuer, const ASN1_INTEGER *serial)
194 const X509_NAME *ref_issuer;
195 const ASN1_INTEGER *ref_serial;
199 ref_issuer = X509_get_issuer_name(refcert);
200 ref_serial = X509_get0_serialNumber(refcert);
201 return (ref_issuer == NULL || X509_NAME_cmp(issuer, ref_issuer) == 0)
202 && (ref_serial == NULL || ASN1_INTEGER_cmp(serial, ref_serial) == 0);
205 static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
206 const OSSL_CMP_MSG *cert_req,
207 ossl_unused int certReqId,
208 const OSSL_CRMF_MSG *crm,
209 const X509_REQ *p10cr,
211 STACK_OF(X509) **chainOut,
212 STACK_OF(X509) **caPubs)
214 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
215 OSSL_CMP_PKISI *si = NULL;
217 if (ctx == NULL || cert_req == NULL
218 || certOut == NULL || chainOut == NULL || caPubs == NULL) {
219 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
222 if (ctx->sendError == 1
223 || ctx->sendError == OSSL_CMP_MSG_get_bodytype(cert_req)) {
224 ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
232 if (ctx->pollCount > 0 && ctx->curr_pollCount == 0) {
234 if (ctx->certReq != NULL) {
235 /* already in polling mode */
236 ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
239 if ((ctx->certReq = OSSL_CMP_MSG_dup(cert_req)) == NULL)
241 return OSSL_CMP_STATUSINFO_new(OSSL_CMP_PKISTATUS_waiting, 0, NULL);
243 if (ctx->curr_pollCount >= ctx->pollCount)
244 /* give final response after polling */
245 ctx->curr_pollCount = 0;
247 /* accept cert update request only for the reference cert, if given */
248 if (OSSL_CMP_MSG_get_bodytype(cert_req) == OSSL_CMP_KUR
249 && crm != NULL /* thus not p10cr */ && ctx->refCert != NULL) {
250 const OSSL_CRMF_CERTID *cid = OSSL_CRMF_MSG_get0_regCtrl_oldCertID(crm);
253 ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_CERTID);
256 if (!refcert_cmp(ctx->refCert,
257 OSSL_CRMF_CERTID_get0_issuer(cid),
258 OSSL_CRMF_CERTID_get0_serialNumber(cid))) {
259 ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_CERTID);
264 if (ctx->certOut != NULL
265 && (*certOut = X509_dup(ctx->certOut)) == NULL)
266 /* Should return a cert produced from request template, see FR #16054 */
268 if (ctx->chainOut != NULL
269 && (*chainOut = X509_chain_up_ref(ctx->chainOut)) == NULL)
271 if (ctx->caPubsOut != NULL
272 && (*caPubs = X509_chain_up_ref(ctx->caPubsOut)) == NULL)
274 if (ctx->statusOut != NULL
275 && (si = OSSL_CMP_PKISI_dup(ctx->statusOut)) == NULL)
282 OSSL_STACK_OF_X509_free(*chainOut);
284 OSSL_STACK_OF_X509_free(*caPubs);
289 static OSSL_CMP_PKISI *process_rr(OSSL_CMP_SRV_CTX *srv_ctx,
290 const OSSL_CMP_MSG *rr,
291 const X509_NAME *issuer,
292 const ASN1_INTEGER *serial)
294 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
296 if (ctx == NULL || rr == NULL) {
297 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
300 if (ctx->sendError == 1
301 || ctx->sendError == OSSL_CMP_MSG_get_bodytype(rr)) {
302 ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
306 /* allow any RR derived from CSR which does not include issuer and serial */
307 if ((issuer != NULL || serial != NULL)
308 /* accept revocation only for the reference cert, if given */
309 && !refcert_cmp(ctx->refCert, issuer, serial)) {
310 ERR_raise_data(ERR_LIB_CMP, CMP_R_REQUEST_NOT_ACCEPTED,
311 "wrong certificate to revoke");
314 return OSSL_CMP_PKISI_dup(ctx->statusOut);
317 static int process_genm(OSSL_CMP_SRV_CTX *srv_ctx,
318 const OSSL_CMP_MSG *genm,
319 const STACK_OF(OSSL_CMP_ITAV) *in,
320 STACK_OF(OSSL_CMP_ITAV) **out)
322 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
324 if (ctx == NULL || genm == NULL || in == NULL || out == NULL) {
325 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
328 if (ctx->sendError == 1
329 || ctx->sendError == OSSL_CMP_MSG_get_bodytype(genm)
330 || sk_OSSL_CMP_ITAV_num(in) > 1) {
331 ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
334 if (sk_OSSL_CMP_ITAV_num(in) == 1) {
335 OSSL_CMP_ITAV *req = sk_OSSL_CMP_ITAV_value(in, 0), *rsp;
336 ASN1_OBJECT *obj = OSSL_CMP_ITAV_get0_type(req);
338 if (OBJ_obj2nid(obj) == NID_id_it_caCerts) {
339 if ((*out = sk_OSSL_CMP_ITAV_new_reserve(NULL, 1)) == NULL)
341 if ((rsp = OSSL_CMP_ITAV_new_caCerts(ctx->caPubsOut)) == NULL) {
342 sk_OSSL_CMP_ITAV_free(*out);
345 (void)sk_OSSL_CMP_ITAV_push(*out, rsp);
350 *out = sk_OSSL_CMP_ITAV_deep_copy(in, OSSL_CMP_ITAV_dup,
355 static void process_error(OSSL_CMP_SRV_CTX *srv_ctx, const OSSL_CMP_MSG *error,
356 const OSSL_CMP_PKISI *statusInfo,
357 const ASN1_INTEGER *errorCode,
358 const OSSL_CMP_PKIFREETEXT *errorDetails)
360 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
361 char buf[OSSL_CMP_PKISI_BUFLEN];
365 if (ctx == NULL || error == NULL) {
366 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
370 BIO_printf(bio_err, "mock server received error:\n");
372 if (statusInfo == NULL) {
373 BIO_printf(bio_err, "pkiStatusInfo absent\n");
375 sibuf = OSSL_CMP_snprint_PKIStatusInfo(statusInfo, buf, sizeof(buf));
376 BIO_printf(bio_err, "pkiStatusInfo: %s\n",
377 sibuf != NULL ? sibuf: "<invalid>");
380 if (errorCode == NULL)
381 BIO_printf(bio_err, "errorCode absent\n");
383 BIO_printf(bio_err, "errorCode: %ld\n", ASN1_INTEGER_get(errorCode));
385 if (sk_ASN1_UTF8STRING_num(errorDetails) <= 0) {
386 BIO_printf(bio_err, "errorDetails absent\n");
388 BIO_printf(bio_err, "errorDetails: ");
389 for (i = 0; i < sk_ASN1_UTF8STRING_num(errorDetails); i++) {
391 BIO_printf(bio_err, ", ");
392 ASN1_STRING_print_ex(bio_err,
393 sk_ASN1_UTF8STRING_value(errorDetails, i),
394 ASN1_STRFLGS_ESC_QUOTE);
396 BIO_printf(bio_err, "\n");
400 static int process_certConf(OSSL_CMP_SRV_CTX *srv_ctx,
401 const OSSL_CMP_MSG *certConf,
402 ossl_unused int certReqId,
403 const ASN1_OCTET_STRING *certHash,
404 const OSSL_CMP_PKISI *si)
406 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
407 ASN1_OCTET_STRING *digest;
409 if (ctx == NULL || certConf == NULL || certHash == NULL) {
410 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
413 if (ctx->sendError == 1
414 || ctx->sendError == OSSL_CMP_MSG_get_bodytype(certConf)
415 || ctx->certOut == NULL) {
416 ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
420 if ((digest = X509_digest_sig(ctx->certOut, NULL, NULL)) == NULL)
422 if (ASN1_OCTET_STRING_cmp(certHash, digest) != 0) {
423 ASN1_OCTET_STRING_free(digest);
424 ERR_raise(ERR_LIB_CMP, CMP_R_CERTHASH_UNMATCHED);
427 ASN1_OCTET_STRING_free(digest);
431 static int process_pollReq(OSSL_CMP_SRV_CTX *srv_ctx,
432 const OSSL_CMP_MSG *pollReq,
433 ossl_unused int certReqId,
434 OSSL_CMP_MSG **certReq, int64_t *check_after)
436 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
438 if (ctx == NULL || pollReq == NULL
439 || certReq == NULL || check_after == NULL) {
440 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
443 if (ctx->sendError == 1
444 || ctx->sendError == OSSL_CMP_MSG_get_bodytype(pollReq)) {
446 ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
449 if (ctx->certReq == NULL) {
450 /* not currently in polling mode */
452 ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
456 if (++ctx->curr_pollCount >= ctx->pollCount) {
458 *certReq = ctx->certReq;
463 *check_after = ctx->checkAfterTime;
468 OSSL_CMP_SRV_CTX *ossl_cmp_mock_srv_new(OSSL_LIB_CTX *libctx, const char *propq)
470 OSSL_CMP_SRV_CTX *srv_ctx = OSSL_CMP_SRV_CTX_new(libctx, propq);
471 mock_srv_ctx *ctx = mock_srv_ctx_new();
473 if (srv_ctx != NULL && ctx != NULL
474 && OSSL_CMP_SRV_CTX_init(srv_ctx, ctx, process_cert_request,
475 process_rr, process_genm, process_error,
476 process_certConf, process_pollReq))
479 mock_srv_ctx_free(ctx);
480 OSSL_CMP_SRV_CTX_free(srv_ctx);
484 void ossl_cmp_mock_srv_free(OSSL_CMP_SRV_CTX *srv_ctx)
487 mock_srv_ctx_free(OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx));
488 OSSL_CMP_SRV_CTX_free(srv_ctx);