[331] | 1 | /*
|
---|
| 2 | * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
|
---|
| 3 | *
|
---|
| 4 | * Licensed under the OpenSSL license (the "License"). You may not use
|
---|
| 5 | * this file except in compliance with the License. You can obtain a copy
|
---|
| 6 | * in the file LICENSE in the source distribution or at
|
---|
| 7 | * https://www.openssl.org/source/license.html
|
---|
| 8 | */
|
---|
| 9 |
|
---|
| 10 | #include <limits.h>
|
---|
| 11 | #include <string.h>
|
---|
| 12 |
|
---|
| 13 | #include <openssl/ct.h>
|
---|
| 14 | #include <openssl/err.h>
|
---|
| 15 | #include <openssl/evp.h>
|
---|
| 16 |
|
---|
| 17 | #include "ct_locl.h"
|
---|
| 18 |
|
---|
| 19 | /*
|
---|
| 20 | * Decodes the base64 string |in| into |out|.
|
---|
| 21 | * A new string will be malloc'd and assigned to |out|. This will be owned by
|
---|
| 22 | * the caller. Do not provide a pre-allocated string in |out|.
|
---|
| 23 | */
|
---|
| 24 | static int ct_base64_decode(const char *in, unsigned char **out)
|
---|
| 25 | {
|
---|
| 26 | size_t inlen = strlen(in);
|
---|
| 27 | int outlen;
|
---|
| 28 | unsigned char *outbuf = NULL;
|
---|
| 29 |
|
---|
| 30 | if (inlen == 0) {
|
---|
| 31 | *out = NULL;
|
---|
| 32 | return 0;
|
---|
| 33 | }
|
---|
| 34 |
|
---|
| 35 | outlen = (inlen / 4) * 3;
|
---|
| 36 | outbuf = OPENSSL_malloc(outlen);
|
---|
| 37 | if (outbuf == NULL) {
|
---|
| 38 | CTerr(CT_F_CT_BASE64_DECODE, ERR_R_MALLOC_FAILURE);
|
---|
| 39 | goto err;
|
---|
| 40 | }
|
---|
| 41 |
|
---|
| 42 | outlen = EVP_DecodeBlock(outbuf, (unsigned char *)in, inlen);
|
---|
| 43 | if (outlen < 0) {
|
---|
| 44 | CTerr(CT_F_CT_BASE64_DECODE, CT_R_BASE64_DECODE_ERROR);
|
---|
| 45 | goto err;
|
---|
| 46 | }
|
---|
| 47 |
|
---|
| 48 | /* Subtract padding bytes from |outlen| */
|
---|
| 49 | while (in[--inlen] == '=') {
|
---|
| 50 | --outlen;
|
---|
| 51 | }
|
---|
| 52 |
|
---|
| 53 | *out = outbuf;
|
---|
| 54 | return outlen;
|
---|
| 55 | err:
|
---|
| 56 | OPENSSL_free(outbuf);
|
---|
| 57 | return -1;
|
---|
| 58 | }
|
---|
| 59 |
|
---|
| 60 | SCT *SCT_new_from_base64(unsigned char version, const char *logid_base64,
|
---|
| 61 | ct_log_entry_type_t entry_type, uint64_t timestamp,
|
---|
| 62 | const char *extensions_base64,
|
---|
| 63 | const char *signature_base64)
|
---|
| 64 | {
|
---|
| 65 | SCT *sct = SCT_new();
|
---|
| 66 | unsigned char *dec = NULL;
|
---|
| 67 | const unsigned char* p = NULL;
|
---|
| 68 | int declen;
|
---|
| 69 |
|
---|
| 70 | if (sct == NULL) {
|
---|
| 71 | CTerr(CT_F_SCT_NEW_FROM_BASE64, ERR_R_MALLOC_FAILURE);
|
---|
| 72 | return NULL;
|
---|
| 73 | }
|
---|
| 74 |
|
---|
| 75 | /*
|
---|
| 76 | * RFC6962 section 4.1 says we "MUST NOT expect this to be 0", but we
|
---|
| 77 | * can only construct SCT versions that have been defined.
|
---|
| 78 | */
|
---|
| 79 | if (!SCT_set_version(sct, version)) {
|
---|
| 80 | CTerr(CT_F_SCT_NEW_FROM_BASE64, CT_R_SCT_UNSUPPORTED_VERSION);
|
---|
| 81 | goto err;
|
---|
| 82 | }
|
---|
| 83 |
|
---|
| 84 | declen = ct_base64_decode(logid_base64, &dec);
|
---|
| 85 | if (declen < 0) {
|
---|
| 86 | CTerr(CT_F_SCT_NEW_FROM_BASE64, X509_R_BASE64_DECODE_ERROR);
|
---|
| 87 | goto err;
|
---|
| 88 | }
|
---|
| 89 | if (!SCT_set0_log_id(sct, dec, declen))
|
---|
| 90 | goto err;
|
---|
| 91 | dec = NULL;
|
---|
| 92 |
|
---|
| 93 | declen = ct_base64_decode(extensions_base64, &dec);
|
---|
| 94 | if (declen < 0) {
|
---|
| 95 | CTerr(CT_F_SCT_NEW_FROM_BASE64, X509_R_BASE64_DECODE_ERROR);
|
---|
| 96 | goto err;
|
---|
| 97 | }
|
---|
| 98 | SCT_set0_extensions(sct, dec, declen);
|
---|
| 99 | dec = NULL;
|
---|
| 100 |
|
---|
| 101 | declen = ct_base64_decode(signature_base64, &dec);
|
---|
| 102 | if (declen < 0) {
|
---|
| 103 | CTerr(CT_F_SCT_NEW_FROM_BASE64, X509_R_BASE64_DECODE_ERROR);
|
---|
| 104 | goto err;
|
---|
| 105 | }
|
---|
| 106 |
|
---|
| 107 | p = dec;
|
---|
| 108 | if (o2i_SCT_signature(sct, &p, declen) <= 0)
|
---|
| 109 | goto err;
|
---|
| 110 | OPENSSL_free(dec);
|
---|
| 111 | dec = NULL;
|
---|
| 112 |
|
---|
| 113 | SCT_set_timestamp(sct, timestamp);
|
---|
| 114 |
|
---|
| 115 | if (!SCT_set_log_entry_type(sct, entry_type))
|
---|
| 116 | goto err;
|
---|
| 117 |
|
---|
| 118 | return sct;
|
---|
| 119 |
|
---|
| 120 | err:
|
---|
| 121 | OPENSSL_free(dec);
|
---|
| 122 | SCT_free(sct);
|
---|
| 123 | return NULL;
|
---|
| 124 | }
|
---|
| 125 |
|
---|
| 126 | /*
|
---|
| 127 | * Allocate, build and returns a new |ct_log| from input |pkey_base64|
|
---|
| 128 | * It returns 1 on success,
|
---|
| 129 | * 0 on decoding failure, or invalid parameter if any
|
---|
| 130 | * -1 on internal (malloc) failure
|
---|
| 131 | */
|
---|
| 132 | int CTLOG_new_from_base64(CTLOG **ct_log, const char *pkey_base64, const char *name)
|
---|
| 133 | {
|
---|
| 134 | unsigned char *pkey_der = NULL;
|
---|
| 135 | int pkey_der_len = ct_base64_decode(pkey_base64, &pkey_der);
|
---|
| 136 | const unsigned char *p;
|
---|
| 137 | EVP_PKEY *pkey = NULL;
|
---|
| 138 |
|
---|
| 139 | if (ct_log == NULL) {
|
---|
| 140 | CTerr(CT_F_CTLOG_NEW_FROM_BASE64, ERR_R_PASSED_INVALID_ARGUMENT);
|
---|
| 141 | return 0;
|
---|
| 142 | }
|
---|
| 143 |
|
---|
| 144 | if (pkey_der_len <= 0) {
|
---|
| 145 | CTerr(CT_F_CTLOG_NEW_FROM_BASE64, CT_R_LOG_CONF_INVALID_KEY);
|
---|
| 146 | return 0;
|
---|
| 147 | }
|
---|
| 148 |
|
---|
| 149 | p = pkey_der;
|
---|
| 150 | pkey = d2i_PUBKEY(NULL, &p, pkey_der_len);
|
---|
| 151 | OPENSSL_free(pkey_der);
|
---|
| 152 | if (pkey == NULL) {
|
---|
| 153 | CTerr(CT_F_CTLOG_NEW_FROM_BASE64, CT_R_LOG_CONF_INVALID_KEY);
|
---|
| 154 | return 0;
|
---|
| 155 | }
|
---|
| 156 |
|
---|
| 157 | *ct_log = CTLOG_new(pkey, name);
|
---|
| 158 | if (*ct_log == NULL) {
|
---|
| 159 | EVP_PKEY_free(pkey);
|
---|
| 160 | return 0;
|
---|
| 161 | }
|
---|
| 162 |
|
---|
| 163 | return 1;
|
---|
| 164 | }
|
---|