cmp_mock_srv.c: Add missing OldCertID check for 'kur' cert update requests

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15790)
diff --git a/apps/lib/cmp_mock_srv.c b/apps/lib/cmp_mock_srv.c
index cf82000..1fb5adc 100644
--- a/apps/lib/cmp_mock_srv.c
+++ b/apps/lib/cmp_mock_srv.c
@@ -212,6 +212,29 @@
         /* give final response after polling */
         ctx->curr_pollCount = 0;
 
+    if (OSSL_CMP_MSG_get_bodytype(cert_req) == OSSL_CMP_KUR
+            && crm != NULL && ctx->certOut != NULL) {
+        const OSSL_CRMF_CERTID *cid = OSSL_CRMF_MSG_get0_regCtrl_oldCertID(crm);
+        const X509_NAME *issuer = X509_get_issuer_name(ctx->certOut);
+        const ASN1_INTEGER *serial = X509_get0_serialNumber(ctx->certOut);
+
+        if (cid == NULL) {
+            ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_CERTID);
+            return NULL;
+        }
+        if (issuer != NULL
+            && X509_NAME_cmp(issuer, OSSL_CRMF_CERTID_get0_issuer(cid)) != 0) {
+            ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_CERTID);
+            return NULL;
+        }
+        if (serial != NULL
+            && ASN1_INTEGER_cmp(serial,
+                                OSSL_CRMF_CERTID_get0_serialNumber(cid)) != 0) {
+            ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_CERTID);
+            return NULL;
+        }
+    }
+
     if (ctx->certOut != NULL
             && (*certOut = X509_dup(ctx->certOut)) == NULL)
         goto err;
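Review bot: The new OldCertID check fails open: it is skipped entirely for a KUR when `crm == NULL` or `ctx->certOut == NULL`, and the `issuer != NULL` / `serial != NULL` guards skip the comparison instead of rejecting the request. If rejection is the intent, the guards could read `if (issuer == NULL || X509_NAME_cmp(issuer, OSSL_CRMF_CERTID_get0_issuer(cid)) != 0)`, with the same change for the serial. The reference value is `ctx->certOut`, the certificate the mock server is about to return, not a record of the certificate being updated. Since this file is likely to be read as an example, a comment above the block would help: `/* mock only: oldCertID is compared with the cert to be returned, in place of looking up the certificate being updated */`. The enclosing function starts and ends outside the hunk, so whether the early `return NULL` paths can bypass cleanup done at `err` cannot be confirmed from here.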
diff --git a/test/recipes/80-test_cmp_http_data/test_enrollment.csv b/test/recipes/80-test_cmp_http_data/test_enrollment.csv
index db44b46..358521d 100644
--- a/test/recipes/80-test_cmp_http_data/test_enrollment.csv
+++ b/test/recipes/80-test_cmp_http_data/test_enrollment.csv
@@ -47,7 +47,7 @@
 1,sans 2 ip, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,,,BLANK,, -sans,127.0.0.1 1.2.3.4,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_sans_two_ip.pem,, -out_trusted,root.crt,,BLANK,,BLANK,,,
 1,sans 1 uri, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,,,BLANK,, -sans,https://www.sample.com,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_sans_uri.pem,, -out_trusted,root.crt,,BLANK,,BLANK,,,
 1,san_nodefault, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,,,BLANK,, -sans,127.0.0.1 1.2.3.4, -san_nodefault,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_sans_nodefault.pem,, -out_trusted,root.crt,,BLANK,,BLANK,,,
-1,san default, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,,,BLANK,, -sans,127.0.0.1 1.2.3.4,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_sans_default.pem,, -out_trusted,root.crt,, -oldcert,_RESULT_DIR/test.certout_newkey.pem,BLANK,,,
+1,san default via oldcert, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,,,BLANK,, -sans,127.0.0.1 1.2.3.4,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_sans_default.pem,, -out_trusted,root.crt,, -oldcert,_RESULT_DIR/test.certout_newkey.pem,BLANK,,,
 ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
 1,popo SIGNATURE, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -popo,1,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_popo.pem,, -out_trusted,root.crt,,BLANK,,BLANK,,,
 0,popo RAVERIFIED, -section,, -cmd,ir, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -popo,0,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_popo1.pem,, -out_trusted,root.crt,,BLANK,,BLANK,,,
@@ -105,5 +105,6 @@
 0,kur newkey parameter count no match, -section,, -cmd,kur, -newkey,abc,def, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_kur3.pem,, -out_trusted,root.crt,, -oldcert,_RESULT_DIR/test.certout_newkey.pem,BLANK,,,,,-server,_SERVER_HOST:_KUR_PORT
 0,kur newkey missing argument, -section,, -cmd,kur, -newkey,BLANK,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_kur4.pem,, -out_trusted,root.crt,, -oldcert,_RESULT_DIR/test.certout_newkey.pem,BLANK,,,,,-server,_SERVER_HOST:_KUR_PORT
 0,kur oldcert not existing, -section,, -cmd,kur, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_kur6.pem,, -out_trusted,root.crt,, -oldcert,idontexist,BLANK,,,,,-server,_SERVER_HOST:_KUR_PORT
+0,kur wrong oldcert, -section,, -cmd,kur, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_kur6.pem,, -out_trusted,root.crt,, -oldcert,root.crt,BLANK,,,,,-server,_SERVER_HOST:_KUR_PORT
 0,kur empty oldcert file, -section,, -cmd,kur, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_kur7.pem,, -out_trusted,root.crt,, -oldcert,empty.txt,BLANK,,,,,-server,_SERVER_HOST:_KUR_PORT
 0,kur without cert and oldcert, -section,, -cmd,kur, -newkey,new.key,, -newkeypass,pass:,,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,,BLANK,, -certout,_RESULT_DIR/test.certout_kur8.pem,, -out_trusted,root.crt,, -cert,"""",BLANK,,,,,-server,_SERVER_HOST:_KUR_PORT
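Review bot: The added `kur wrong oldcert` row only asserts failure (leading `0`), so it passes whether the server rejects the request with CMP_R_WRONG_CERTID or the client fails earlier for an unrelated reason. As far as the visible columns show, nothing ties the result to the new server-side check. The row also reuses `_RESULT_DIR/test.certout_kur6.pem` from the preceding `kur oldcert not existing` row. A distinct output name, for example `test.certout_kur_wrong_oldcert.pem`, would keep artefacts unambiguous if either case ever regressed to success. No visible row exercises the missing-OldCertID branch (CMP_R_MISSING_CERTID), presumably because the client always sends the control for `kur`; that branch may need a test at the API level.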