From 3ededf5f75596de6b6b98dd543a2c902c53a857c Mon Sep 17 00:00:00 2001 From: Rajeev Ranjan Date: Tue, 27 Feb 2024 13:16:31 +0100 Subject: [PATCH] fixup! add issuer check and generate warning --- apps/lib/cmp_mock_srv.c | 27 +++++++++++++------ .../80-test_cmp_http_data/test_commands.csv | 2 +- 2 files changed, 20 insertions(+), 9 deletions(-) diff --git a/apps/lib/cmp_mock_srv.c b/apps/lib/cmp_mock_srv.c index b46e8a65dda0b9..46a4c9f0b1563b 100644 --- a/apps/lib/cmp_mock_srv.c +++ b/apps/lib/cmp_mock_srv.c @@ -408,6 +408,7 @@ static OSSL_CMP_PKISI *process_rr(OSSL_CMP_SRV_CTX *srv_ctx, return OSSL_CMP_PKISI_dup(ctx->statusOut); } +/* return -1 for error */ static int check_client_crl(const STACK_OF(OSSL_CMP_CRLSTATUS) *crlStatusList, const X509_CRL *crl) { @@ -420,12 +421,15 @@ static int check_client_crl(const STACK_OF(OSSL_CMP_CRLSTATUS) *crlStatusList, return 0; if (sk_OSSL_CMP_CRLSTATUS_num(crlStatusList) != 1) return 0; + crlstatus = sk_OSSL_CMP_CRLSTATUS_value(crlStatusList, 0); if (!OSSL_CMP_CRLSTATUS_get0(crlstatus, &distpoint, &gen, &thisupd)) - return 0; + return -1; + if (thisupd != NULL && ASN1_TIME_compare(thisupd, X509_CRL_get0_lastUpdate(crl)) >= 0) return 0; + if (gen != NULL) { GENERAL_NAME *gn = sk_GENERAL_NAME_value(gen, 0); @@ -433,7 +437,8 @@ static int check_client_crl(const STACK_OF(OSSL_CMP_CRLSTATUS) *crlStatusList, X509_NAME *gen_name = gn->d.dirn; if (X509_NAME_cmp(gen_name, X509_CRL_get_issuer(crl)) != 0) { - return 0; + ERR_raise(ERR_LIB_CMP, CMP_R_UNKNOWN_CRL_ISSUER); + return -1; } } } @@ -458,12 +463,18 @@ static OSSL_CMP_ITAV *process_genm_itav(mock_srv_ctx *ctx, int req_nid, case NID_id_it_crlStatusList: { STACK_OF(OSSL_CMP_CRLSTATUS) *crlstatuslist; - - rsp = OSSL_CMP_ITAV_get0_crlStatusList(req, &crlstatuslist) - ? check_client_crl(crlstatuslist, ctx->crlOut) - ? OSSL_CMP_ITAV_new_crls(ctx->crlOut) - : OSSL_CMP_ITAV_new_crls(NULL) - : OSSL_CMP_ITAV_new_crls(NULL); + int res = 0; + + if (!OSSL_CMP_ITAV_get0_crlStatusList(req, &crlstatuslist)) + return NULL; + + res = check_client_crl(crlstatuslist, ctx->crlOut); + if (res < 0) + rsp = NULL; + else if (res == 0) + rsp = OSSL_CMP_ITAV_new_crls(NULL); + else + rsp = OSSL_CMP_ITAV_new_crls(ctx->crlOut); } break; default: diff --git a/test/recipes/80-test_cmp_http_data/test_commands.csv b/test/recipes/80-test_cmp_http_data/test_commands.csv index 048aac54964497..68447da02d9167 100644 --- a/test/recipes/80-test_cmp_http_data/test_commands.csv +++ b/test/recipes/80-test_cmp_http_data/test_commands.csv @@ -92,7 +92,7 @@ expected,description, -section,val, -cmd,val,val2, -cacertsout,val,val2, -infoty 1,genm crlStatusList with latest crl , -section,, -cmd,genm,, BLANK,,, -infotype,crlStatusList,, -oldcrl, newcrl.pem,,,,, -crlout, _RESULT_DIR/test.crlout.pem 0,genm crlStatusList with -oldcert missing, -section,, -cmd,genm,, BLANK,,, -infotype,crlStatusList,, -oldcert, idontexist,,,,, -crlout, _RESULT_DIR/test.crlout.pem 0,genm crlStatusList with -oldcrl missing, -section,, -cmd,genm,, BLANK,,, -infotype,crlStatusList,, -oldcrl, idontexist,,,,, -crlout, _RESULT_DIR/test.crlout.pem -1,genm crlStatusList with wrong issuer, -section,, -cmd,genm,, BLANK,,, -infotype,crlStatusList,, -oldcert, server.crt,,,,, -crlout, _RESULT_DIR/test.crlout.pem +0,genm crlStatusList with wrong issuer, -section,, -cmd,genm,, BLANK,,, -infotype,crlStatusList,, -oldcert, server.crt,,,,, -crlout, _RESULT_DIR/test.crlout.pem ,,,,,,,,,,,,,,,,,,,,,, 1,profile, -section,, -cmd,cr,, -cert,signer.crt, -key,signer.p12, -keypass,pass:12345,BLANK,, -profile,profile1,BLANK,,BLANK, 0,profile wrong value, -section,, -cmd,cr,, -cert,signer.crt, -key,signer.p12, -keypass,pass:12345,BLANK,, -profile,profile2,BLANK,,BLANK,