1.18.0-1 (component version v-2.16.13)

Author: jenkins[bot]

src/mock/tsl/MockOcsp.cxx

@@ -23,19 +23,18 @@
 
 namespace
 {
-    std::unique_ptr<OCSP_CERTID, decltype(&OCSP_CERTID_free)>
+    OcspCertidPtr
     createUnexpectedCertId()
     {
         const auto pkiPath = MockConfiguration::instance().getPathValue(MockConfigurationKey::MOCK_GENERATED_PKI_PATH);
         const Certificate certificate = Certificate::fromBase64Der(FileHelper::readFileAsString(
             pkiPath / "../tsl/X509Certificate/QES-noType.base64.der"));
         const Certificate certificateCA = Certificate::fromBase64Der(FileHelper::readFileAsString(
             pkiPath / "../tsl/X509Certificate/QES-noTypeCA.base64.der"));
-        return std::unique_ptr<OCSP_CERTID, decltype(&OCSP_CERTID_free)>(
-            OCSP_cert_to_id(nullptr, certificate.toX509(), certificateCA.toX509()), OCSP_CERTID_free);
+        return OcspCertidPtr(OCSP_cert_to_id(nullptr, certificate.toX509(), certificateCA.toX509()));
     }
 
-    std::unique_ptr<OCSP_CERTID, decltype(&OCSP_CERTID_free)>
+    OcspCertidPtr
     getCertificateIdFromOcspRequest(const std::string& ocspRequest)
     {
         const unsigned char* buffer = reinterpret_cast<const unsigned char*>(ocspRequest.data());
@@ -54,7 +53,7 @@ namespace
         OCSP_CERTID* ocspCertId = OCSP_onereq_get0_id(oneRequest);
         OpenSslExpect(ocspCertId != nullptr, "can not get certificate id from OCSP request");
 
-        return std::unique_ptr<OCSP_CERTID, decltype(&OCSP_CERTID_free)>(OCSP_CERTID_dup(ocspCertId), OCSP_CERTID_free);
+        return OcspCertidPtr(OCSP_CERTID_dup(ocspCertId));
     }
 
 
@@ -163,9 +162,8 @@ namespace
 
         for(const auto& certificatePair : ocspResponderKnownCertificateCaPairs)
         {
-            std::unique_ptr<OCSP_CERTID, decltype(&OCSP_CERTID_free)> knownCertificateId(
-                OCSP_cert_to_id(nullptr, certificatePair.certificate.toX509(), certificatePair.issuer.toX509()),
-                OCSP_CERTID_free);
+            OcspCertidPtr knownCertificateId(
+                OCSP_cert_to_id(nullptr, certificatePair.certificate.toX509(), certificatePair.issuer.toX509()));
             OpenSslExpect(knownCertificateId != nullptr, "can not create certificate id");
             if (0 == OCSP_id_cmp(&certificateId, knownCertificateId.get()))
             {
@@ -195,7 +193,7 @@ MockOcsp MockOcsp::create (
     CertificateOcspTestMode testMode =
         certificateToSign.has_value() ? certificateToSign->testMode : CertificateOcspTestMode::SUCCESS;
 
-    std::unique_ptr<OCSP_CERTID, decltype(&OCSP_CERTID_free)> unexpectedCertId{nullptr, OCSP_CERTID_free};
+    OcspCertidPtr unexpectedCertId(nullptr);
     if (testMode == CertificateOcspTestMode::WRONG_CERTID)
     {
         unexpectedCertId = createUnexpectedCertId();
@@ -263,7 +261,7 @@ MockOcsp MockOcsp::create (
     Certificate& certificate,
     shared_EVP_PKEY& privateKey)
 {
-    std::unique_ptr<OCSP_CERTID, decltype(&OCSP_CERTID_free)> certificateId =
+    OcspCertidPtr certificateId =
         getCertificateIdFromOcspRequest(ocspRequest);
     OpenSslExpect(certificateId != nullptr, "can not create certificate id");
     return create(certificateId.get(), ocspResponderKnownCertificateCaPairs, certificate, privateKey);

src/shared/tsl/OcspService.cxx

@@ -489,7 +489,8 @@ namespace
             TrustStore& trustStore,
             const std::optional<std::vector<X509Certificate>>& ocspSignerCertificates,
             const bool validateHashExtension,
-            bool validateProducedAt)
+            bool validateProducedAt,
+            bool allowCaching)
     {
         auto response = parseResponse(
                 certificate,
@@ -504,7 +505,7 @@ namespace
         TVLOG(2) << "Returning new OCSP status: " << response.status.to_string();
         response.response = (serializedOcspResponse.has_value() ? *serializedOcspResponse
                                                                 : OcspHelper::ocspResponseToString(*ocspResponse));
-        if (response.status.certificateStatus != CertificateStatus::unknown)
+        if (allowCaching && response.status.certificateStatus != CertificateStatus::unknown)
         {
             // the returned OCSP response is only cached if the status is not unknown
             trustStore.setCacheOcspData(certificate.getSha256FingerprintHex(), response);
@@ -538,7 +539,8 @@ namespace
             trustStore,
             ocspSignerCertificates,
             validateHashExtension,
-            true // validateProducedAt
+            true, // validateProducedAt
+            true  // allowCaching
         );
     }
 
@@ -627,7 +629,9 @@ namespace
                         trustStore,
                         ocspSignerCertificates,
                         validateHashExtension,
-                        validateProducedAt);
+                        validateProducedAt,
+                        false // allowCaching
+                    );
                     // validate the producedAt afterwards to check if we can fall
                     // back to cache
                     auto now = std::chrono::system_clock::now();
@@ -690,7 +694,9 @@ namespace
                     trustStore,
                     ocspSignerCertificates,
                     validateHashExtension,
-                    true);
+                    true,
+                    false // allowCaching
+                );
         }
         Fail("Invalid value for OcspCheckMode: " + std::to_string(static_cast<uintmax_t>(ocspCheckDescriptor.mode)));
     }

src/shared/tsl/TrustStore.hxx

@@ -194,6 +194,7 @@ private:
     FRIEND_TEST(TslServiceTest, verifyCertificateValidThenRevokedCASuccess);
     FRIEND_TEST(TslServiceTest, verifyCertificatePolicyNoRestrictionsSuccessful);
     FRIEND_TEST(TslServiceTest, verifyCertificatePolicySuccessful);
+    FRIEND_TEST(TslServiceTest, doNotCacheProvidedOcspResponse);
 
     friend class TslTestHelper;
 

test/CMakeLists.txt

@@ -73,6 +73,7 @@ add_library(erp-test-util-lib OBJECT ${ERP_TEST_UTIL_SOURCES})
 target_link_libraries(erp-test-util-lib
         PUBLIC
         date::date
+        erp-hsm-tpm-mock
         erp-test-resourcemanager
         glog::glog
         GTest::gtest
@@ -401,8 +402,6 @@ list(
 )
 
 
-target_compile_definitions(erp-test PUBLIC WITH_HSM_MOCK=1)
-
 target_link_libraries ( erp-test
     PUBLIC
         erp-hsm-tpm-mock

test/erp/tsl/TslManagerTest.cxx

@@ -1375,8 +1375,7 @@ TEST_F(TslManagerTest, permitOutdatedProducedAt)//NOLINT(readability-function-co
     std::shared_ptr<TslManager> manager = TslTestHelper::createTslManager<TslManager>(
         {}, {}, {{"http://ehca-testref.komp-ca.telematik-test:8080/status/qocsp", {certPairValid}}});
 
-    std::unique_ptr<OCSP_CERTID, decltype(&OCSP_CERTID_free)> certId(
-        OCSP_cert_to_id(nullptr, certificate.toX509(), certificateCA.toX509()), OCSP_CERTID_free);
+    OcspCertidPtr certId(OCSP_cert_to_id(nullptr, certificate.toX509(), certificateCA.toX509()));
 
     auto checkDescriptor = TslTestHelper::getDefaultTestOcspCheckDescriptor();
     checkDescriptor.mode = OcspCheckDescriptor::PROVIDED_OR_CACHE_REQUEST_IF_OUTDATED;

test/erp/tsl/TslServiceTests.cxx

@@ -9,6 +9,7 @@
 
 #include "shared/crypto/Certificate.hxx"
 #include "shared/crypto/EllipticCurveUtils.hxx"
+#include "shared/tsl/OcspHelper.hxx"
 #include "shared/tsl/OcspService.hxx"
 #include "shared/tsl/TrustStore.hxx"
 #include "shared/tsl/TslService.hxx"
@@ -178,3 +179,59 @@ TEST_F(TslServiceTest, verifyCertificatePolicyFailing)//NOLINT(readability-funct
         {TslErrorCode::CERT_TYPE_MISMATCH},
         HttpStatus::BadRequest);
 }
+
+
+TEST_F(TslServiceTest, doNotCacheProvidedOcspResponse)
+{
+    UrlRequestSenderMock requestSender({});
+    X509Certificate x509Certificate = X509Certificate::createFromAsnBytes(
+        {reinterpret_cast<const unsigned char*>(userCertificate.data()), userCertificate.size()});
+
+    auto iterator = mTrustStore->mServiceInformationMap.find(
+        {x509Certificate.getIssuer(), x509Certificate.getAuthorityKeyIdentifier()});
+    ASSERT_NE(mTrustStore->mServiceInformationMap.end(), iterator);
+
+    auto cert = Certificate::fromBinaryDer(userCertificate);
+    auto certCa = Certificate::fromBase64Der(iterator->second.certificate.toBase64());
+
+    auto checkDescriptor = TslTestHelper::getDefaultTestOcspCheckDescriptor();
+    OcspCertidPtr certId(OCSP_cert_to_id(nullptr, cert.toX509(), certCa.toX509()));
+
+    const auto certPairValid = MockOcsp::CertificatePair{.certificate = cert,
+                                                         .issuer = certCa,
+                                                         .testMode = MockOcsp::CertificateOcspTestMode::SUCCESS};
+
+    auto ocspCert = TslTestHelper::getDefaultOcspCertificate();
+    auto ocspKey = TslTestHelper::getDefaultOcspPrivateKey();
+
+    auto response = MockOcsp::create(certId.get(), {certPairValid}, ocspCert, ocspKey).toDer();
+    checkDescriptor.providedOcspResponse = OcspHelper::stringToOcspResponse(response);
+
+
+    const auto fingerprint = x509Certificate.getSha256FingerprintHex();
+
+    // if we dont make a request, do not cache the ocsp response
+    using enum OcspCheckDescriptor::OcspCheckMode;
+    for (auto mode : {PROVIDED_OR_CACHE_REQUEST_IF_OUTDATED, PROVIDED_OR_CACHE, PROVIDED_OR_CACHE_REQUEST_IF_OUTDATED,
+                      PROVIDED_ONLY})
+    {
+        checkDescriptor.mode = mode;
+        mTrustStore->cleanCachedOcspData(fingerprint);
+        EXPECT_NO_THROW(TslService::checkCertificate(x509Certificate, {CertificateType::C_HCI_OSIG}, requestSender,
+                                                     *mTrustStore, checkDescriptor));
+        ASSERT_FALSE(mTrustStore->getCachedOcspData(fingerprint).has_value());
+    }
+
+    // if we have to make a request, allow caching of the ocsp response
+    TslTestHelper::setOcspUrlRequestHandler(requestSender, "http://ocsp-testref.tsl.telematik-test/ocsp",
+                                            {{cert, certCa, MockOcsp::CertificateOcspTestMode::SUCCESS}});
+
+    for (auto mode : {FORCE_OCSP_REQUEST_STRICT, FORCE_OCSP_REQUEST_ALLOW_CACHE})
+    {
+        checkDescriptor.mode = mode;
+        mTrustStore->cleanCachedOcspData(fingerprint);
+        EXPECT_NO_THROW(TslService::checkCertificate(x509Certificate, {CertificateType::C_HCI_OSIG}, requestSender,
+                                                     *mTrustStore, checkDescriptor));
+        ASSERT_TRUE(mTrustStore->getCachedOcspData(fingerprint).has_value());
+    }
+}

version.txt

@@ -1 +1 @@
-v-2.16.12
+v-2.16.13