[331] | 1 | /*
|
---|
| 2 | * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
|
---|
| 3 | *
|
---|
| 4 | * Licensed under the OpenSSL license (the "License"). You may not use
|
---|
| 5 | * this file except in compliance with the License. You can obtain a copy
|
---|
| 6 | * in the file LICENSE in the source distribution or at
|
---|
| 7 | * https://www.openssl.org/source/license.html
|
---|
| 8 | */
|
---|
| 9 |
|
---|
| 10 | #ifdef OPENSSL_NO_CT
|
---|
| 11 | # error "CT is disabled"
|
---|
| 12 | #endif
|
---|
| 13 |
|
---|
| 14 | #include <stddef.h>
|
---|
| 15 | #include <string.h>
|
---|
| 16 |
|
---|
| 17 | #include <openssl/err.h>
|
---|
| 18 | #include <openssl/obj_mac.h>
|
---|
| 19 | #include <openssl/x509.h>
|
---|
| 20 |
|
---|
| 21 | #include "ct_locl.h"
|
---|
| 22 |
|
---|
| 23 | SCT_CTX *SCT_CTX_new(void)
|
---|
| 24 | {
|
---|
| 25 | SCT_CTX *sctx = OPENSSL_zalloc(sizeof(*sctx));
|
---|
| 26 |
|
---|
| 27 | if (sctx == NULL)
|
---|
| 28 | CTerr(CT_F_SCT_CTX_NEW, ERR_R_MALLOC_FAILURE);
|
---|
| 29 |
|
---|
| 30 | return sctx;
|
---|
| 31 | }
|
---|
| 32 |
|
---|
| 33 | void SCT_CTX_free(SCT_CTX *sctx)
|
---|
| 34 | {
|
---|
| 35 | if (sctx == NULL)
|
---|
| 36 | return;
|
---|
| 37 | EVP_PKEY_free(sctx->pkey);
|
---|
| 38 | OPENSSL_free(sctx->pkeyhash);
|
---|
| 39 | OPENSSL_free(sctx->ihash);
|
---|
| 40 | OPENSSL_free(sctx->certder);
|
---|
| 41 | OPENSSL_free(sctx->preder);
|
---|
| 42 | OPENSSL_free(sctx);
|
---|
| 43 | }
|
---|
| 44 |
|
---|
| 45 | /*
|
---|
| 46 | * Finds the index of the first extension with the given NID in cert.
|
---|
| 47 | * If there is more than one extension with that NID, *is_duplicated is set to
|
---|
| 48 | * 1, otherwise 0 (unless it is NULL).
|
---|
| 49 | */
|
---|
| 50 | static int ct_x509_get_ext(X509 *cert, int nid, int *is_duplicated)
|
---|
| 51 | {
|
---|
| 52 | int ret = X509_get_ext_by_NID(cert, nid, -1);
|
---|
| 53 |
|
---|
| 54 | if (is_duplicated != NULL)
|
---|
| 55 | *is_duplicated = ret >= 0 && X509_get_ext_by_NID(cert, nid, ret) >= 0;
|
---|
| 56 |
|
---|
| 57 | return ret;
|
---|
| 58 | }
|
---|
| 59 |
|
---|
| 60 | /*
|
---|
| 61 | * Modifies a certificate by deleting extensions and copying the issuer and
|
---|
| 62 | * AKID from the presigner certificate, if necessary.
|
---|
| 63 | * Returns 1 on success, 0 otherwise.
|
---|
| 64 | */
|
---|
| 65 | __owur static int ct_x509_cert_fixup(X509 *cert, X509 *presigner)
|
---|
| 66 | {
|
---|
| 67 | int preidx, certidx;
|
---|
| 68 | int pre_akid_ext_is_dup, cert_akid_ext_is_dup;
|
---|
| 69 |
|
---|
| 70 | if (presigner == NULL)
|
---|
| 71 | return 1;
|
---|
| 72 |
|
---|
| 73 | preidx = ct_x509_get_ext(presigner, NID_authority_key_identifier,
|
---|
| 74 | &pre_akid_ext_is_dup);
|
---|
| 75 | certidx = ct_x509_get_ext(cert, NID_authority_key_identifier,
|
---|
| 76 | &cert_akid_ext_is_dup);
|
---|
| 77 |
|
---|
| 78 | /* An error occurred whilst searching for the extension */
|
---|
| 79 | if (preidx < -1 || certidx < -1)
|
---|
| 80 | return 0;
|
---|
| 81 | /* Invalid certificate if they contain duplicate extensions */
|
---|
| 82 | if (pre_akid_ext_is_dup || cert_akid_ext_is_dup)
|
---|
| 83 | return 0;
|
---|
| 84 | /* AKID must be present in both certificate or absent in both */
|
---|
| 85 | if (preidx >= 0 && certidx == -1)
|
---|
| 86 | return 0;
|
---|
| 87 | if (preidx == -1 && certidx >= 0)
|
---|
| 88 | return 0;
|
---|
| 89 | /* Copy issuer name */
|
---|
| 90 | if (!X509_set_issuer_name(cert, X509_get_issuer_name(presigner)))
|
---|
| 91 | return 0;
|
---|
| 92 | if (preidx != -1) {
|
---|
| 93 | /* Retrieve and copy AKID encoding */
|
---|
| 94 | X509_EXTENSION *preext = X509_get_ext(presigner, preidx);
|
---|
| 95 | X509_EXTENSION *certext = X509_get_ext(cert, certidx);
|
---|
| 96 | ASN1_OCTET_STRING *preextdata;
|
---|
| 97 |
|
---|
| 98 | /* Should never happen */
|
---|
| 99 | if (preext == NULL || certext == NULL)
|
---|
| 100 | return 0;
|
---|
| 101 | preextdata = X509_EXTENSION_get_data(preext);
|
---|
| 102 | if (preextdata == NULL ||
|
---|
| 103 | !X509_EXTENSION_set_data(certext, preextdata))
|
---|
| 104 | return 0;
|
---|
| 105 | }
|
---|
| 106 | return 1;
|
---|
| 107 | }
|
---|
| 108 |
|
---|
| 109 | int SCT_CTX_set1_cert(SCT_CTX *sctx, X509 *cert, X509 *presigner)
|
---|
| 110 | {
|
---|
| 111 | unsigned char *certder = NULL, *preder = NULL;
|
---|
| 112 | X509 *pretmp = NULL;
|
---|
| 113 | int certderlen = 0, prederlen = 0;
|
---|
| 114 | int idx = -1;
|
---|
| 115 | int poison_ext_is_dup, sct_ext_is_dup;
|
---|
| 116 | int poison_idx = ct_x509_get_ext(cert, NID_ct_precert_poison, &poison_ext_is_dup);
|
---|
| 117 |
|
---|
| 118 | /* Duplicate poison extensions are present - error */
|
---|
| 119 | if (poison_ext_is_dup)
|
---|
| 120 | goto err;
|
---|
| 121 |
|
---|
| 122 | /* If *cert doesn't have a poison extension, it isn't a precert */
|
---|
| 123 | if (poison_idx == -1) {
|
---|
| 124 | /* cert isn't a precert, so we shouldn't have a presigner */
|
---|
| 125 | if (presigner != NULL)
|
---|
| 126 | goto err;
|
---|
| 127 |
|
---|
| 128 | certderlen = i2d_X509(cert, &certder);
|
---|
| 129 | if (certderlen < 0)
|
---|
| 130 | goto err;
|
---|
| 131 | }
|
---|
| 132 |
|
---|
| 133 | /* See if cert has a precert SCTs extension */
|
---|
| 134 | idx = ct_x509_get_ext(cert, NID_ct_precert_scts, &sct_ext_is_dup);
|
---|
| 135 | /* Duplicate SCT extensions are present - error */
|
---|
| 136 | if (sct_ext_is_dup)
|
---|
| 137 | goto err;
|
---|
| 138 |
|
---|
| 139 | if (idx >= 0 && poison_idx >= 0) {
|
---|
| 140 | /*
|
---|
| 141 | * cert can't both contain SCTs (i.e. have an SCT extension) and be a
|
---|
| 142 | * precert (i.e. have a poison extension).
|
---|
| 143 | */
|
---|
| 144 | goto err;
|
---|
| 145 | }
|
---|
| 146 |
|
---|
| 147 | if (idx == -1) {
|
---|
| 148 | idx = poison_idx;
|
---|
| 149 | }
|
---|
| 150 |
|
---|
| 151 | /*
|
---|
| 152 | * If either a poison or SCT extension is present, remove it before encoding
|
---|
| 153 | * cert. This, along with ct_x509_cert_fixup(), gets a TBSCertificate (see
|
---|
| 154 | * RFC5280) from cert, which is what the CT log signed when it produced the
|
---|
| 155 | * SCT.
|
---|
| 156 | */
|
---|
| 157 | if (idx >= 0) {
|
---|
| 158 | X509_EXTENSION *ext;
|
---|
| 159 |
|
---|
| 160 | /* Take a copy of certificate so we don't modify passed version */
|
---|
| 161 | pretmp = X509_dup(cert);
|
---|
| 162 | if (pretmp == NULL)
|
---|
| 163 | goto err;
|
---|
| 164 |
|
---|
| 165 | ext = X509_delete_ext(pretmp, idx);
|
---|
| 166 | X509_EXTENSION_free(ext);
|
---|
| 167 |
|
---|
| 168 | if (!ct_x509_cert_fixup(pretmp, presigner))
|
---|
| 169 | goto err;
|
---|
| 170 |
|
---|
| 171 | prederlen = i2d_re_X509_tbs(pretmp, &preder);
|
---|
| 172 | if (prederlen <= 0)
|
---|
| 173 | goto err;
|
---|
| 174 | }
|
---|
| 175 |
|
---|
| 176 | X509_free(pretmp);
|
---|
| 177 |
|
---|
| 178 | OPENSSL_free(sctx->certder);
|
---|
| 179 | sctx->certder = certder;
|
---|
| 180 | sctx->certderlen = certderlen;
|
---|
| 181 |
|
---|
| 182 | OPENSSL_free(sctx->preder);
|
---|
| 183 | sctx->preder = preder;
|
---|
| 184 | sctx->prederlen = prederlen;
|
---|
| 185 |
|
---|
| 186 | return 1;
|
---|
| 187 | err:
|
---|
| 188 | OPENSSL_free(certder);
|
---|
| 189 | OPENSSL_free(preder);
|
---|
| 190 | X509_free(pretmp);
|
---|
| 191 | return 0;
|
---|
| 192 | }
|
---|
| 193 |
|
---|
| 194 | __owur static int ct_public_key_hash(X509_PUBKEY *pkey, unsigned char **hash,
|
---|
| 195 | size_t *hash_len)
|
---|
| 196 | {
|
---|
| 197 | int ret = 0;
|
---|
| 198 | unsigned char *md = NULL, *der = NULL;
|
---|
| 199 | int der_len;
|
---|
| 200 | unsigned int md_len;
|
---|
| 201 |
|
---|
| 202 | /* Reuse buffer if possible */
|
---|
| 203 | if (*hash != NULL && *hash_len >= SHA256_DIGEST_LENGTH) {
|
---|
| 204 | md = *hash;
|
---|
| 205 | } else {
|
---|
| 206 | md = OPENSSL_malloc(SHA256_DIGEST_LENGTH);
|
---|
| 207 | if (md == NULL)
|
---|
| 208 | goto err;
|
---|
| 209 | }
|
---|
| 210 |
|
---|
| 211 | /* Calculate key hash */
|
---|
| 212 | der_len = i2d_X509_PUBKEY(pkey, &der);
|
---|
| 213 | if (der_len <= 0)
|
---|
| 214 | goto err;
|
---|
| 215 |
|
---|
| 216 | if (!EVP_Digest(der, der_len, md, &md_len, EVP_sha256(), NULL))
|
---|
| 217 | goto err;
|
---|
| 218 |
|
---|
| 219 | if (md != *hash) {
|
---|
| 220 | OPENSSL_free(*hash);
|
---|
| 221 | *hash = md;
|
---|
| 222 | *hash_len = SHA256_DIGEST_LENGTH;
|
---|
| 223 | }
|
---|
| 224 |
|
---|
| 225 | md = NULL;
|
---|
| 226 | ret = 1;
|
---|
| 227 | err:
|
---|
| 228 | OPENSSL_free(md);
|
---|
| 229 | OPENSSL_free(der);
|
---|
| 230 | return ret;
|
---|
| 231 | }
|
---|
| 232 |
|
---|
| 233 | int SCT_CTX_set1_issuer(SCT_CTX *sctx, const X509 *issuer)
|
---|
| 234 | {
|
---|
| 235 | return SCT_CTX_set1_issuer_pubkey(sctx, X509_get_X509_PUBKEY(issuer));
|
---|
| 236 | }
|
---|
| 237 |
|
---|
| 238 | int SCT_CTX_set1_issuer_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey)
|
---|
| 239 | {
|
---|
| 240 | return ct_public_key_hash(pubkey, &sctx->ihash, &sctx->ihashlen);
|
---|
| 241 | }
|
---|
| 242 |
|
---|
| 243 | int SCT_CTX_set1_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey)
|
---|
| 244 | {
|
---|
| 245 | EVP_PKEY *pkey = X509_PUBKEY_get(pubkey);
|
---|
| 246 |
|
---|
| 247 | if (pkey == NULL)
|
---|
| 248 | return 0;
|
---|
| 249 |
|
---|
| 250 | if (!ct_public_key_hash(pubkey, &sctx->pkeyhash, &sctx->pkeyhashlen)) {
|
---|
| 251 | EVP_PKEY_free(pkey);
|
---|
| 252 | return 0;
|
---|
| 253 | }
|
---|
| 254 |
|
---|
| 255 | EVP_PKEY_free(sctx->pkey);
|
---|
| 256 | sctx->pkey = pkey;
|
---|
| 257 | return 1;
|
---|
| 258 | }
|
---|
| 259 |
|
---|
| 260 | void SCT_CTX_set_time(SCT_CTX *sctx, uint64_t time_in_ms)
|
---|
| 261 | {
|
---|
| 262 | sctx->epoch_time_in_ms = time_in_ms;
|
---|
| 263 | }
|
---|