]> git.ipfire.org Git - thirdparty/openssl.git/blob - apps/cmp_mock_srv.c
projects / thirdparty / openssl.git / blob
? search:


3a0819008bfc3204a7c5fd88dec2f1e5e31f1614
[thirdparty/openssl.git] / apps / cmp_mock_srv.c
1 /*
2 * Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright Siemens AG 2018-2020
4 *
5 * Licensed under the Apache License 2.0 (the "License"). You may not use
6 * this file except in compliance with the License. You can obtain a copy
7 * in the file LICENSE in the source distribution or atf
8 * https://www.openssl.org/source/license.html
9 */
10
11 #include "apps.h"
12 #include "cmp_mock_srv.h"
13
14 #include <openssl/cmp.h>
15 #include <openssl/err.h>
16 #include <openssl/cmperr.h>
17
18 DEFINE_STACK_OF(X509)
19 DEFINE_STACK_OF(OSSL_CMP_ITAV)
20 DEFINE_STACK_OF(ASN1_UTF8STRING)
21
22 /* the context for the CMP mock server */
23 typedef struct
24 {
25 X509 *certOut; /* certificate to be returned in cp/ip/kup msg */
26 STACK_OF(X509) *chainOut; /* chain of certOut to add to extraCerts field */
27 STACK_OF(X509) *caPubsOut; /* certs to return in caPubs field of ip msg */
28 OSSL_CMP_PKISI *statusOut; /* status for ip/cp/kup/rp msg unless polling */
29 int sendError; /* send error response also on valid requests */
30 OSSL_CMP_MSG *certReq; /* ir/cr/p10cr/kur remembered while polling */
31 int certReqId; /* id of last ir/cr/kur, used for polling */
32 int pollCount; /* number of polls before actual cert response */
33 int checkAfterTime; /* time the client should wait between polling */
34 } mock_srv_ctx;
35
36
37 static void mock_srv_ctx_free(mock_srv_ctx *ctx)
38 {
39 if (ctx == NULL)
40 return;
41
42 OSSL_CMP_PKISI_free(ctx->statusOut);
43 X509_free(ctx->certOut);
44 sk_X509_pop_free(ctx->chainOut, X509_free);
45 sk_X509_pop_free(ctx->caPubsOut, X509_free);
46 OSSL_CMP_MSG_free(ctx->certReq);
47 OPENSSL_free(ctx);
48 }
49
50 static mock_srv_ctx *mock_srv_ctx_new(void)
51 {
52 mock_srv_ctx *ctx = OPENSSL_zalloc(sizeof(mock_srv_ctx));
53
54 if (ctx == NULL)
55 goto err;
56
57 if ((ctx->statusOut = OSSL_CMP_PKISI_new()) == NULL)
58 goto err;
59
60 ctx->certReqId = -1;
61
62 /* all other elements are initialized to 0 or NULL, respectively */
63 return ctx;
64 err:
65 mock_srv_ctx_free(ctx);
66 return NULL;
67 }
68
69 int ossl_cmp_mock_srv_set1_certOut(OSSL_CMP_SRV_CTX *srv_ctx, X509 *cert)
70 {
71 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
72
73 if (ctx == NULL) {
74 CMPerr(0, CMP_R_NULL_ARGUMENT);
75 return 0;
76 }
77 if (cert == NULL || X509_up_ref(cert)) {
78 X509_free(ctx->certOut);
79 ctx->certOut = cert;
80 return 1;
81 }
82 return 0;
83 }
84
85 int ossl_cmp_mock_srv_set1_chainOut(OSSL_CMP_SRV_CTX *srv_ctx,
86 STACK_OF(X509) *chain)
87 {
88 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
89 STACK_OF(X509) *chain_copy = NULL;
90
91 if (ctx == NULL) {
92 CMPerr(0, CMP_R_NULL_ARGUMENT);
93 return 0;
94 }
95 if (chain != NULL && (chain_copy = X509_chain_up_ref(chain)) == NULL)
96 return 0;
97 sk_X509_pop_free(ctx->chainOut, X509_free);
98 ctx->chainOut = chain_copy;
99 return 1;
100 }
101
102 int ossl_cmp_mock_srv_set1_caPubsOut(OSSL_CMP_SRV_CTX *srv_ctx,
103 STACK_OF(X509) *caPubs)
104 {
105 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
106 STACK_OF(X509) *caPubs_copy = NULL;
107
108 if (ctx == NULL) {
109 CMPerr(0, CMP_R_NULL_ARGUMENT);
110 return 0;
111 }
112 if (caPubs != NULL && (caPubs_copy = X509_chain_up_ref(caPubs)) == NULL)
113 return 0;
114 sk_X509_pop_free(ctx->caPubsOut, X509_free);
115 ctx->caPubsOut = caPubs_copy;
116 return 1;
117 }
118
119 int ossl_cmp_mock_srv_set_statusInfo(OSSL_CMP_SRV_CTX *srv_ctx, int status,
120 int fail_info, const char *text)
121 {
122 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
123 OSSL_CMP_PKISI *si;
124
125 if (ctx == NULL) {
126 CMPerr(0, CMP_R_NULL_ARGUMENT);
127 return 0;
128 }
129 if ((si = OSSL_CMP_STATUSINFO_new(status, fail_info, text)) == NULL)
130 return 0;
131 OSSL_CMP_PKISI_free(ctx->statusOut);
132 ctx->statusOut = si;
133 return 1;
134 }
135
136 int ossl_cmp_mock_srv_set_send_error(OSSL_CMP_SRV_CTX *srv_ctx, int val)
137 {
138 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
139
140 if (ctx == NULL) {
141 CMPerr(0, CMP_R_NULL_ARGUMENT);
142 return 0;
143 }
144 ctx->sendError = val != 0;
145 return 1;
146 }
147
148 int ossl_cmp_mock_srv_set_pollCount(OSSL_CMP_SRV_CTX *srv_ctx, int count)
149 {
150 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
151
152 if (ctx == NULL) {
153 CMPerr(0, CMP_R_NULL_ARGUMENT);
154 return 0;
155 }
156 if (count < 0) {
157 CMPerr(0, CMP_R_INVALID_ARGS);
158 return 0;
159 }
160 ctx->pollCount = count;
161 return 1;
162 }
163
164 int ossl_cmp_mock_srv_set_checkAfterTime(OSSL_CMP_SRV_CTX *srv_ctx, int sec)
165 {
166 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
167
168 if (ctx == NULL) {
169 CMPerr(0, CMP_R_NULL_ARGUMENT);
170 return 0;
171 }
172 ctx->checkAfterTime = sec;
173 return 1;
174 }
175
176 static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
177 const OSSL_CMP_MSG *cert_req,
178 int certReqId,
179 const OSSL_CRMF_MSG *crm,
180 const X509_REQ *p10cr,
181 X509 **certOut,
182 STACK_OF(X509) **chainOut,
183 STACK_OF(X509) **caPubs)
184 {
185 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
186 OSSL_CMP_PKISI *si = NULL;
187
188 if (ctx == NULL || cert_req == NULL
189 || certOut == NULL || chainOut == NULL || caPubs == NULL) {
190 CMPerr(0, CMP_R_NULL_ARGUMENT);
191 return NULL;
192 }
193 if (ctx->sendError) {
194 CMPerr(0, CMP_R_ERROR_PROCESSING_MESSAGE);
195 return NULL;
196 }
197
198 *certOut = NULL;
199 *chainOut = NULL;
200 *caPubs = NULL;
201 ctx->certReqId = certReqId;
202 if (ctx->pollCount > 0) {
203 ctx->pollCount--;
204 OSSL_CMP_MSG_free(ctx->certReq);
205 if ((ctx->certReq = OSSL_CMP_MSG_dup(cert_req)) == NULL)
206 return NULL;
207 return OSSL_CMP_STATUSINFO_new(OSSL_CMP_PKISTATUS_waiting, 0, NULL);
208 }
209 if (ctx->certOut != NULL
210 && (*certOut = X509_dup(ctx->certOut)) == NULL)
211 /* TODO better return a cert produced from data in request template */
212 goto err;
213 if (ctx->chainOut != NULL
214 && (*chainOut = X509_chain_up_ref(ctx->chainOut)) == NULL)
215 goto err;
216 if (ctx->caPubsOut != NULL
217 && (*caPubs = X509_chain_up_ref(ctx->caPubsOut)) == NULL)
218 goto err;
219 if (ctx->statusOut != NULL
220 && (si = OSSL_CMP_PKISI_dup(ctx->statusOut)) == NULL)
221 goto err;
222 return si;
223
224 err:
225 X509_free(*certOut);
226 *certOut = NULL;
227 sk_X509_pop_free(*chainOut, X509_free);
228 *chainOut = NULL;
229 sk_X509_pop_free(*caPubs, X509_free);
230 *caPubs = NULL;
231 return NULL;
232 }
233
234 static OSSL_CMP_PKISI *process_rr(OSSL_CMP_SRV_CTX *srv_ctx,
235 const OSSL_CMP_MSG *rr,
236 const X509_NAME *issuer,
237 const ASN1_INTEGER *serial)
238 {
239 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
240
241 if (ctx == NULL || rr == NULL || issuer == NULL || serial == NULL) {
242 CMPerr(0, CMP_R_NULL_ARGUMENT);
243 return NULL;
244 }
245 if (ctx->sendError || ctx->certOut == NULL) {
246 CMPerr(0, CMP_R_ERROR_PROCESSING_MESSAGE);
247 return NULL;
248 }
249
250 /* accept revocation only for the certificate we sent in ir/cr/kur */
251 if (X509_NAME_cmp(issuer, X509_get_issuer_name(ctx->certOut)) != 0
252 || ASN1_INTEGER_cmp(serial,
253 X509_get0_serialNumber(ctx->certOut)) != 0) {
254 CMPerr(0, CMP_R_REQUEST_NOT_ACCEPTED);
255 return NULL;
256 }
257 return OSSL_CMP_PKISI_dup(ctx->statusOut);
258 }
259
260 static int process_genm(OSSL_CMP_SRV_CTX *srv_ctx,
261 const OSSL_CMP_MSG *genm,
262 const STACK_OF(OSSL_CMP_ITAV) *in,
263 STACK_OF(OSSL_CMP_ITAV) **out)
264 {
265 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
266
267 if (ctx == NULL || genm == NULL || in == NULL || out == NULL) {
268 CMPerr(0, CMP_R_NULL_ARGUMENT);
269 return 0;
270 }
271 if (ctx->sendError) {
272 CMPerr(0, CMP_R_ERROR_PROCESSING_MESSAGE);
273 return 0;
274 }
275
276 *out = sk_OSSL_CMP_ITAV_deep_copy(in, OSSL_CMP_ITAV_dup,
277 OSSL_CMP_ITAV_free);
278 return *out != NULL;
279 }
280
281 static void process_error(OSSL_CMP_SRV_CTX *srv_ctx, const OSSL_CMP_MSG *error,
282 const OSSL_CMP_PKISI *statusInfo,
283 const ASN1_INTEGER *errorCode,
284 const OSSL_CMP_PKIFREETEXT *errorDetails)
285 {
286 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
287 char buf[OSSL_CMP_PKISI_BUFLEN];
288 char *sibuf;
289 int i;
290
291 if (ctx == NULL || error == NULL) {
292 CMPerr(0, CMP_R_NULL_ARGUMENT);
293 return;
294 }
295
296 BIO_printf(bio_err, "mock server received error:\n");
297
298 if (statusInfo == NULL) {
299 BIO_printf(bio_err, "pkiStatusInfo absent\n");
300 } else {
301 sibuf = OSSL_CMP_snprint_PKIStatusInfo(statusInfo, buf, sizeof(buf));
302 BIO_printf(bio_err, "pkiStatusInfo: %s\n",
303 sibuf != NULL ? sibuf: "<invalid>");
304 }
305
306 if (errorCode == NULL)
307 BIO_printf(bio_err, "errorCode absent\n");
308 else
309 BIO_printf(bio_err, "errorCode: %ld\n", ASN1_INTEGER_get(errorCode));
310
311 if (sk_ASN1_UTF8STRING_num(errorDetails) <= 0) {
312 BIO_printf(bio_err, "errorDetails absent\n");
313 } else {
314 /* TODO could use sk_ASN1_UTF8STRING2text() if exported */
315 BIO_printf(bio_err, "errorDetails: ");
316 for (i = 0; i < sk_ASN1_UTF8STRING_num(errorDetails); i++) {
317 if (i > 0)
318 BIO_printf(bio_err, ", ");
319 BIO_printf(bio_err, "\"");
320 ASN1_STRING_print(bio_err,
321 sk_ASN1_UTF8STRING_value(errorDetails, i));
322 BIO_printf(bio_err, "\"");
323 }
324 BIO_printf(bio_err, "\n");
325 }
326 }
327
328 static int process_certConf(OSSL_CMP_SRV_CTX *srv_ctx,
329 const OSSL_CMP_MSG *certConf, int certReqId,
330 const ASN1_OCTET_STRING *certHash,
331 const OSSL_CMP_PKISI *si)
332 {
333 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
334 ASN1_OCTET_STRING *digest;
335
336 if (ctx == NULL || certConf == NULL || certHash == NULL) {
337 CMPerr(0, CMP_R_NULL_ARGUMENT);
338 return 0;
339 }
340 if (ctx->sendError || ctx->certOut == NULL) {
341 CMPerr(0, CMP_R_ERROR_PROCESSING_MESSAGE);
342 return 0;
343 }
344
345 if (certReqId != ctx->certReqId) {
346 /* in case of error, invalid reqId -1 */
347 CMPerr(0, CMP_R_BAD_REQUEST_ID);
348 return 0;
349 }
350
351 if ((digest = X509_digest_sig(ctx->certOut)) == NULL)
352 return 0;
353 if (ASN1_OCTET_STRING_cmp(certHash, digest) != 0) {
354 ASN1_OCTET_STRING_free(digest);
355 CMPerr(0, CMP_R_CERTHASH_UNMATCHED);
356 return 0;
357 }
358 ASN1_OCTET_STRING_free(digest);
359 return 1;
360 }
361
362 static int process_pollReq(OSSL_CMP_SRV_CTX *srv_ctx,
363 const OSSL_CMP_MSG *pollReq, int certReqId,
364 OSSL_CMP_MSG **certReq, int64_t *check_after)
365 {
366 mock_srv_ctx *ctx = OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx);
367
368 if (ctx == NULL || pollReq == NULL
369 || certReq == NULL || check_after == NULL) {
370 CMPerr(0, CMP_R_NULL_ARGUMENT);
371 return 0;
372 }
373 if (ctx->sendError || ctx->certReq == NULL) {
374 *certReq = NULL;
375 CMPerr(0, CMP_R_ERROR_PROCESSING_MESSAGE);
376 return 0;
377 }
378
379 if (ctx->pollCount == 0) {
380 *certReq = ctx->certReq;
381 ctx->certReq = NULL;
382 *check_after = 0;
383 } else {
384 ctx->pollCount--;
385 *certReq = NULL;
386 *check_after = ctx->checkAfterTime;
387 }
388 return 1;
389 }
390
391 OSSL_CMP_SRV_CTX *ossl_cmp_mock_srv_new(OPENSSL_CTX *libctx, const char *propq)
392 {
393 OSSL_CMP_SRV_CTX *srv_ctx = OSSL_CMP_SRV_CTX_new(libctx, propq);
394 mock_srv_ctx *ctx = mock_srv_ctx_new();
395
396 if (srv_ctx != NULL && ctx != NULL
397 && OSSL_CMP_SRV_CTX_init(srv_ctx, ctx, process_cert_request,
398 process_rr, process_genm, process_error,
399 process_certConf, process_pollReq))
400 return srv_ctx;
401
402 mock_srv_ctx_free(ctx);
403 OSSL_CMP_SRV_CTX_free(srv_ctx);
404 return NULL;
405 }
406
407 void ossl_cmp_mock_srv_free(OSSL_CMP_SRV_CTX *srv_ctx)
408 {
409 if (srv_ctx != NULL)
410 mock_srv_ctx_free(OSSL_CMP_SRV_CTX_get0_custom_ctx(srv_ctx));
411 OSSL_CMP_SRV_CTX_free(srv_ctx);
412 }
A mirror of the official openssl repository