2 * Copyright 2018-2021 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright Siemens AG 2018-2020
5 * Licensed under the Apache License 2.0 (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or atf
8 * https://www.openssl.org/source/license.html
12 #include "cmp_mock_srv.h"
14 #include <openssl/cmp.h>
15 #include <openssl/err.h>
16 #include <openssl/cmperr.h>
18 /* the context for the CMP mock server */
21 X509 *certOut; /* certificate to be returned in cp/ip/kup msg */
22 STACK_OF(X509) *chainOut; /* chain of certOut to add to extraCerts field */
23 STACK_OF(X509) *caPubsOut; /* certs to return in caPubs field of ip msg */
24 OSSL_CMP_PKISI *statusOut; /* status for ip/cp/kup/rp msg unless polling */
25 int sendError; /* send error response also on valid requests */
26 OSSL_CMP_MSG *certReq; /* ir/cr/p10cr/kur remembered while polling */
27 int certReqId; /* id of last ir/cr/kur, used for polling */
28 int pollCount; /* number of polls before actual cert response */
29 int curr_pollCount; /* number of polls so far for current request */
30 int checkAfterTime; /* time the client should wait between polling */
34 static void mock_srv_ctx_free(mock_srv_ctx *ctx)
39 OSSL_CMP_PKISI_free(ctx->statusOut);
40 X509_free(ctx->certOut);
41 OSSL_STACK_OF_X509_free(ctx->chainOut);
42 OSSL_STACK_OF_X509_free(ctx->caPubsOut);
43 OSSL_CMP_MSG_free(ctx->certReq);
47 static mock_srv_ctx *mock_srv_ctx_new(void)
49 mock_srv_ctx *ctx = OPENSSL_zalloc(sizeof(mock_srv_ctx));
54 if ((ctx->statusOut = OSSL_CMP_PKISI_new()) == NULL)
59 /* all other elements are initialized to 0 or NULL, respectively */
62 mock_srv_ctx_free(ctx);
66 int ossl_cmp_mock_srv_set1_certOut(OSSL_CMP_SRV_CTX *srv_ctx, X509 *cert)
68 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
71 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
74 if (cert == NULL || X509_up_ref(cert)) {
75 X509_free(ctx->certOut);
82 int ossl_cmp_mock_srv_set1_chainOut(OSSL_CMP_SRV_CTX *srv_ctx,
83 STACK_OF(X509) *chain)
85 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
86 STACK_OF(X509) *chain_copy = NULL;
89 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
92 if (chain != NULL && (chain_copy = X509_chain_up_ref(chain)) == NULL)
94 OSSL_STACK_OF_X509_free(ctx->chainOut);
95 ctx->chainOut = chain_copy;
99 int ossl_cmp_mock_srv_set1_caPubsOut(OSSL_CMP_SRV_CTX *srv_ctx,
100 STACK_OF(X509) *caPubs)
102 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
103 STACK_OF(X509) *caPubs_copy = NULL;
106 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
109 if (caPubs != NULL && (caPubs_copy = X509_chain_up_ref(caPubs)) == NULL)
111 OSSL_STACK_OF_X509_free(ctx->caPubsOut);
112 ctx->caPubsOut = caPubs_copy;
116 int ossl_cmp_mock_srv_set_statusInfo(OSSL_CMP_SRV_CTX *srv_ctx, int status,
117 int fail_info, const char *text)
119 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
123 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
126 if ((si = OSSL_CMP_STATUSINFO_new(status, fail_info, text)) == NULL)
128 OSSL_CMP_PKISI_free(ctx->statusOut);
133 int ossl_cmp_mock_srv_set_send_error(OSSL_CMP_SRV_CTX *srv_ctx, int val)
135 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
138 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
141 ctx->sendError = val != 0;
145 int ossl_cmp_mock_srv_set_pollCount(OSSL_CMP_SRV_CTX *srv_ctx, int count)
147 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
150 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
154 ERR_raise(ERR_LIB_CMP, CMP_R_INVALID_ARGS);
157 ctx->pollCount = count;
161 int ossl_cmp_mock_srv_set_checkAfterTime(OSSL_CMP_SRV_CTX *srv_ctx, int sec)
163 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
166 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
169 ctx->checkAfterTime = sec;
173 static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
174 const OSSL_CMP_MSG *cert_req,
176 const OSSL_CRMF_MSG *crm,
177 const X509_REQ *p10cr,
179 STACK_OF(X509) **chainOut,
180 STACK_OF(X509) **caPubs)
182 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
183 OSSL_CMP_PKISI *si = NULL;
185 if (ctx == NULL || cert_req == NULL
186 || certOut == NULL || chainOut == NULL || caPubs == NULL) {
187 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
190 if (ctx->sendError) {
191 ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
198 ctx->certReqId = certReqId;
200 if (ctx->pollCount > 0 && ctx->curr_pollCount == 0) {
202 if (ctx->certReq != NULL) {
203 /* already in polling mode */
204 ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
207 if ((ctx->certReq = OSSL_CMP_MSG_dup(cert_req)) == NULL)
209 return OSSL_CMP_STATUSINFO_new(OSSL_CMP_PKISTATUS_waiting, 0, NULL);
211 if (ctx->curr_pollCount >= ctx->pollCount)
212 /* give final response after polling */
213 ctx->curr_pollCount = 0;
215 if (OSSL_CMP_MSG_get_bodytype(cert_req) == OSSL_CMP_KUR
216 && crm != NULL && ctx->certOut != NULL) {
217 const OSSL_CRMF_CERTID *cid = OSSL_CRMF_MSG_get0_regCtrl_oldCertID(crm);
218 const X509_NAME *issuer = X509_get_issuer_name(ctx->certOut);
219 const ASN1_INTEGER *serial = X509_get0_serialNumber(ctx->certOut);
222 ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_CERTID);
226 && X509_NAME_cmp(issuer, OSSL_CRMF_CERTID_get0_issuer(cid)) != 0) {
227 ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_CERTID);
231 && ASN1_INTEGER_cmp(serial,
232 OSSL_CRMF_CERTID_get0_serialNumber(cid)) != 0) {
233 ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_CERTID);
238 if (ctx->certOut != NULL
239 && (*certOut = X509_dup(ctx->certOut)) == NULL)
241 if (ctx->chainOut != NULL
242 && (*chainOut = X509_chain_up_ref(ctx->chainOut)) == NULL)
244 if (ctx->caPubsOut != NULL
245 && (*caPubs = X509_chain_up_ref(ctx->caPubsOut)) == NULL)
247 if (ctx->statusOut != NULL
248 && (si = OSSL_CMP_PKISI_dup(ctx->statusOut)) == NULL)
255 OSSL_STACK_OF_X509_free(*chainOut);
257 OSSL_STACK_OF_X509_free(*caPubs);
262 static OSSL_CMP_PKISI *process_rr(OSSL_CMP_SRV_CTX *srv_ctx,
263 const OSSL_CMP_MSG *rr,
264 const X509_NAME *issuer,
265 const ASN1_INTEGER *serial)
267 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
269 if (ctx == NULL || rr == NULL) {
270 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
273 if (ctx->sendError || ctx->certOut == NULL) {
274 ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
278 /* Allow any RR derived from CSR, which may include subject and serial */
279 if (issuer == NULL || serial == NULL)
280 return OSSL_CMP_PKISI_dup(ctx->statusOut);
282 /* accept revocation only for the certificate we sent in ir/cr/kur */
283 if (X509_NAME_cmp(issuer, X509_get_issuer_name(ctx->certOut)) != 0
284 || ASN1_INTEGER_cmp(serial,
285 X509_get0_serialNumber(ctx->certOut)) != 0) {
286 ERR_raise_data(ERR_LIB_CMP, CMP_R_REQUEST_NOT_ACCEPTED,
287 "wrong certificate to revoke");
290 return OSSL_CMP_PKISI_dup(ctx->statusOut);
293 static int process_genm(OSSL_CMP_SRV_CTX *srv_ctx,
294 const OSSL_CMP_MSG *genm,
295 const STACK_OF(OSSL_CMP_ITAV) *in,
296 STACK_OF(OSSL_CMP_ITAV) **out)
298 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
300 if (ctx == NULL || genm == NULL || in == NULL || out == NULL) {
301 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
304 if (ctx->sendError) {
305 ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
309 *out = sk_OSSL_CMP_ITAV_deep_copy(in, OSSL_CMP_ITAV_dup,
314 static void process_error(OSSL_CMP_SRV_CTX *srv_ctx, const OSSL_CMP_MSG *error,
315 const OSSL_CMP_PKISI *statusInfo,
316 const ASN1_INTEGER *errorCode,
317 const OSSL_CMP_PKIFREETEXT *errorDetails)
319 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
320 char buf[OSSL_CMP_PKISI_BUFLEN];
324 if (ctx == NULL || error == NULL) {
325 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
329 BIO_printf(bio_err, "mock server received error:\n");
331 if (statusInfo == NULL) {
332 BIO_printf(bio_err, "pkiStatusInfo absent\n");
334 sibuf = OSSL_CMP_snprint_PKIStatusInfo(statusInfo, buf, sizeof(buf));
335 BIO_printf(bio_err, "pkiStatusInfo: %s\n",
336 sibuf != NULL ? sibuf: "<invalid>");
339 if (errorCode == NULL)
340 BIO_printf(bio_err, "errorCode absent\n");
342 BIO_printf(bio_err, "errorCode: %ld\n", ASN1_INTEGER_get(errorCode));
344 if (sk_ASN1_UTF8STRING_num(errorDetails) <= 0) {
345 BIO_printf(bio_err, "errorDetails absent\n");
347 BIO_printf(bio_err, "errorDetails: ");
348 for (i = 0; i < sk_ASN1_UTF8STRING_num(errorDetails); i++) {
350 BIO_printf(bio_err, ", ");
351 BIO_printf(bio_err, "\"");
352 ASN1_STRING_print(bio_err,
353 sk_ASN1_UTF8STRING_value(errorDetails, i));
354 BIO_printf(bio_err, "\"");
356 BIO_printf(bio_err, "\n");
360 static int process_certConf(OSSL_CMP_SRV_CTX *srv_ctx,
361 const OSSL_CMP_MSG *certConf, int certReqId,
362 const ASN1_OCTET_STRING *certHash,
363 const OSSL_CMP_PKISI *si)
365 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
366 ASN1_OCTET_STRING *digest;
368 if (ctx == NULL || certConf == NULL || certHash == NULL) {
369 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
372 if (ctx->sendError || ctx->certOut == NULL) {
373 ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
377 if (certReqId != ctx->certReqId) {
378 /* in case of error, invalid reqId -1 */
379 ERR_raise(ERR_LIB_CMP, CMP_R_BAD_REQUEST_ID);
383 if ((digest = X509_digest_sig(ctx->certOut, NULL, NULL)) == NULL)
385 if (ASN1_OCTET_STRING_cmp(certHash, digest) != 0) {
386 ASN1_OCTET_STRING_free(digest);
387 ERR_raise(ERR_LIB_CMP, CMP_R_CERTHASH_UNMATCHED);
390 ASN1_OCTET_STRING_free(digest);
394 static int process_pollReq(OSSL_CMP_SRV_CTX *srv_ctx,
395 const OSSL_CMP_MSG *pollReq, int certReqId,
396 OSSL_CMP_MSG **certReq, int64_t *check_after)
398 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
400 if (ctx == NULL || pollReq == NULL
401 || certReq == NULL || check_after == NULL) {
402 ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
405 if (ctx->sendError) {
407 ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
410 if (ctx->certReq == NULL) {
411 /* not currently in polling mode */
413 ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PKIBODY);
417 if (++ctx->curr_pollCount >= ctx->pollCount) {
419 *certReq = ctx->certReq;
424 *check_after = ctx->checkAfterTime;
429 OSSL_CMP_SRV_CTX *ossl_cmp_mock_srv_new(OSSL_LIB_CTX *libctx, const char *propq)
431 OSSL_CMP_SRV_CTX *srv_ctx = OSSL_CMP_SRV_CTX_new(libctx, propq);
432 mock_srv_ctx *ctx = mock_srv_ctx_new();
434 if (srv_ctx != NULL && ctx != NULL
435 && OSSL_CMP_SRV_CTX_init(srv_ctx, ctx, process_cert_request,
436 process_rr, process_genm, process_error,
437 process_certConf, process_pollReq))
440 mock_srv_ctx_free(ctx);
441 OSSL_CMP_SRV_CTX_free(srv_ctx);
445 void ossl_cmp_mock_srv_free(OSSL_CMP_SRV_CTX *srv_ctx)
448 mock_srv_ctx_free(OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx));
449 OSSL_CMP_SRV_CTX_free(srv_ctx);