fixup! add issuer check and generate warning

siemens · Feb 27, 2024 · 3ededf5 · 3ededf5
1 parent 76a70f2
commit 3ededf5
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 9 deletions.
diff --git a/apps/lib/cmp_mock_srv.c b/apps/lib/cmp_mock_srv.c
@@ -408,6 +408,7 @@ static OSSL_CMP_PKISI *process_rr(OSSL_CMP_SRV_CTX *srv_ctx,
     return OSSL_CMP_PKISI_dup(ctx->statusOut);
 }
 
+/* return -1 for error */
 static int check_client_crl(const STACK_OF(OSSL_CMP_CRLSTATUS) *crlStatusList,
                             const X509_CRL *crl)
 {
@@ -420,20 +421,24 @@ static int check_client_crl(const STACK_OF(OSSL_CMP_CRLSTATUS) *crlStatusList,
         return 0;
     if (sk_OSSL_CMP_CRLSTATUS_num(crlStatusList) != 1)
         return 0;
+
     crlstatus = sk_OSSL_CMP_CRLSTATUS_value(crlStatusList, 0);
     if (!OSSL_CMP_CRLSTATUS_get0(crlstatus, &distpoint, &gen, &thisupd))
-        return 0;
+        return -1;
+
     if (thisupd != NULL
         && ASN1_TIME_compare(thisupd, X509_CRL_get0_lastUpdate(crl)) >= 0)
         return 0;
+
     if (gen != NULL) {
         GENERAL_NAME *gn = sk_GENERAL_NAME_value(gen, 0);
 
         if (gn != NULL && gn->type == GEN_DIRNAME) {
             X509_NAME *gen_name = gn->d.dirn;
 
             if (X509_NAME_cmp(gen_name, X509_CRL_get_issuer(crl)) != 0) {
-                return 0;
+                ERR_raise(ERR_LIB_CMP, CMP_R_UNKNOWN_CRL_ISSUER);
+                return -1;
             }
         }
     }
@@ -458,12 +463,18 @@ static OSSL_CMP_ITAV *process_genm_itav(mock_srv_ctx *ctx, int req_nid,
     case NID_id_it_crlStatusList:
         {
             STACK_OF(OSSL_CMP_CRLSTATUS) *crlstatuslist;
-
-            rsp = OSSL_CMP_ITAV_get0_crlStatusList(req, &crlstatuslist)
-                ? check_client_crl(crlstatuslist, ctx->crlOut)
-                ? OSSL_CMP_ITAV_new_crls(ctx->crlOut)
-                : OSSL_CMP_ITAV_new_crls(NULL)
-                : OSSL_CMP_ITAV_new_crls(NULL);
+            int res = 0;
+
+            if (!OSSL_CMP_ITAV_get0_crlStatusList(req, &crlstatuslist))
+                return NULL;
+
+            res = check_client_crl(crlstatuslist, ctx->crlOut);
+            if (res < 0)
+                rsp = NULL;
+            else if (res == 0)
+                rsp = OSSL_CMP_ITAV_new_crls(NULL);
+            else
+                rsp = OSSL_CMP_ITAV_new_crls(ctx->crlOut);
         }
         break;
     default:

diff --git a/test/recipes/80-test_cmp_http_data/test_commands.csv b/test/recipes/80-test_cmp_http_data/test_commands.csv
@@ -92,7 +92,7 @@ expected,description, -section,val, -cmd,val,val2, -cacertsout,val,val2, -infoty
 1,genm crlStatusList with latest crl     , -section,, -cmd,genm,, BLANK,,, -infotype,crlStatusList,, -oldcrl, newcrl.pem,,,,, -crlout, _RESULT_DIR/test.crlout.pem
 0,genm crlStatusList with -oldcert missing, -section,, -cmd,genm,, BLANK,,, -infotype,crlStatusList,, -oldcert, idontexist,,,,, -crlout, _RESULT_DIR/test.crlout.pem
 0,genm crlStatusList with -oldcrl missing, -section,, -cmd,genm,, BLANK,,, -infotype,crlStatusList,, -oldcrl, idontexist,,,,, -crlout, _RESULT_DIR/test.crlout.pem
-1,genm crlStatusList with wrong issuer, -section,, -cmd,genm,, BLANK,,, -infotype,crlStatusList,, -oldcert, server.crt,,,,, -crlout, _RESULT_DIR/test.crlout.pem
+0,genm crlStatusList with wrong issuer, -section,, -cmd,genm,, BLANK,,, -infotype,crlStatusList,, -oldcert, server.crt,,,,, -crlout, _RESULT_DIR/test.crlout.pem
 ,,,,,,,,,,,,,,,,,,,,,,
 1,profile, -section,, -cmd,cr,, -cert,signer.crt, -key,signer.p12, -keypass,pass:12345,BLANK,, -profile,profile1,BLANK,,BLANK,
 0,profile wrong value, -section,, -cmd,cr,, -cert,signer.crt, -key,signer.p12, -keypass,pass:12345,BLANK,, -profile,profile2,BLANK,,BLANK,