1/*
2 * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright Nokia 2007-2019
4 * Copyright Siemens AG 2015-2019
5 *
6 * Licensed under the Apache License 2.0 (the "License"). You may not use
7 * this file except in compliance with the License. You can obtain a copy
8 * in the file LICENSE in the source distribution or at
9 * https://www.openssl.org/source/license.html
10 */
11
12#include "cmp_local.h"
13
14/* explicit #includes not strictly needed since implied by the above: */
15#include <openssl/asn1t.h>
16#include <openssl/cmp.h>
17#include <openssl/crmf.h>
18#include <openssl/err.h>
19#include <openssl/x509.h>
20
21/*
22 * This function is also used for verification from cmp_vfy.
23 *
24 * Calculate protection for given PKImessage utilizing the given credentials
25 * and the algorithm parameters set inside the message header's protectionAlg.
26 *
27 * Either secret or pkey must be set, the other must be NULL. Attempts doing
28 * PBMAC in case 'secret' is set and signature if 'pkey' is set - but will only
29 * do the protection already marked in msg->header->protectionAlg.
30 *
31 * returns ptr to ASN1_BIT_STRING containing protection on success, else NULL
32 */
33ASN1_BIT_STRING *ossl_cmp_calc_protection(const OSSL_CMP_MSG *msg,
34 const ASN1_OCTET_STRING *secret,
35 EVP_PKEY *pkey)
36{
37 ASN1_BIT_STRING *prot = NULL;
38 CMP_PROTECTEDPART prot_part;
39 const ASN1_OBJECT *algorOID = NULL;
40 int len;
41 size_t prot_part_der_len;
42 unsigned char *prot_part_der = NULL;
43 size_t sig_len;
44 unsigned char *protection = NULL;
45 const void *ppval = NULL;
46 int pptype = 0;
47 OSSL_CRMF_PBMPARAMETER *pbm = NULL;
48 ASN1_STRING *pbm_str = NULL;
49 const unsigned char *pbm_str_uc = NULL;
50 EVP_MD_CTX *evp_ctx = NULL;
51 int md_NID;
52 const EVP_MD *md = NULL;
53
54 if (!ossl_assert(msg != NULL))
55 return NULL;
56
57 /* construct data to be signed */
58 prot_part.header = msg->header;
59 prot_part.body = msg->body;
60
61 len = i2d_CMP_PROTECTEDPART(&prot_part, &prot_part_der);
62 if (len < 0 || prot_part_der == NULL) {
63 CMPerr(0, CMP_R_ERROR_CALCULATING_PROTECTION);
64 goto end;
65 }
66 prot_part_der_len = (size_t) len;
67
68 if (msg->header->protectionAlg == NULL) {
69 CMPerr(0, CMP_R_UNKNOWN_ALGORITHM_ID);
70 goto end;
71 }
72 X509_ALGOR_get0(&algorOID, &pptype, &ppval, msg->header->protectionAlg);
73
74 if (secret != NULL && pkey == NULL) {
75 if (ppval == NULL) {
76 CMPerr(0, CMP_R_ERROR_CALCULATING_PROTECTION);
77 goto end;
78 }
79 if (NID_id_PasswordBasedMAC != OBJ_obj2nid(algorOID)) {
80 CMPerr(0, CMP_R_WRONG_ALGORITHM_OID);
81 goto end;
82 }
83 pbm_str = (ASN1_STRING *)ppval;
84 pbm_str_uc = pbm_str->data;
85 pbm = d2i_OSSL_CRMF_PBMPARAMETER(NULL, &pbm_str_uc, pbm_str->length);
86 if (pbm == NULL) {
87 CMPerr(0, CMP_R_WRONG_ALGORITHM_OID);
88 goto end;
89 }
90
91 if (!OSSL_CRMF_pbm_new(pbm, prot_part_der, prot_part_der_len,
92 secret->data, secret->length,
93 &protection, &sig_len))
94 goto end;
95 } else if (secret == NULL && pkey != NULL) {
96 /* TODO combine this with large parts of CRMF_poposigningkey_init() */
97 /* EVP_DigestSignInit() checks that pkey type is correct for the alg */
98
99 if (!OBJ_find_sigid_algs(OBJ_obj2nid(algorOID), &md_NID, NULL)
100 || (md = EVP_get_digestbynid(md_NID)) == NULL
101 || (evp_ctx = EVP_MD_CTX_new()) == NULL) {
102 CMPerr(0, CMP_R_UNKNOWN_ALGORITHM_ID);
103 goto end;
104 }
105 if (EVP_DigestSignInit(evp_ctx, NULL, md, NULL, pkey) <= 0
106 || EVP_DigestSignUpdate(evp_ctx, prot_part_der,
107 prot_part_der_len) <= 0
108 || EVP_DigestSignFinal(evp_ctx, NULL, &sig_len) <= 0
109 || (protection = OPENSSL_malloc(sig_len)) == NULL
110 || EVP_DigestSignFinal(evp_ctx, protection, &sig_len) <= 0) {
111 CMPerr(0, CMP_R_ERROR_CALCULATING_PROTECTION);
112 goto end;
113 }
114 } else {
115 CMPerr(0, CMP_R_INVALID_ARGS);
116 goto end;
117 }
118
119 if ((prot = ASN1_BIT_STRING_new()) == NULL)
120 goto end;
121 /* OpenSSL defaults all bit strings to be encoded as ASN.1 NamedBitList */
122 prot->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07);
123 prot->flags |= ASN1_STRING_FLAG_BITS_LEFT;
124 if (!ASN1_BIT_STRING_set(prot, protection, sig_len)) {
125 ASN1_BIT_STRING_free(prot);
126 prot = NULL;
127 }
128
129 end:
130 OSSL_CRMF_PBMPARAMETER_free(pbm);
131 EVP_MD_CTX_free(evp_ctx);
132 OPENSSL_free(protection);
133 OPENSSL_free(prot_part_der);
134 return prot;
135}
136
137int ossl_cmp_msg_add_extraCerts(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg)
138{
139 if (!ossl_assert(ctx != NULL && msg != NULL))
140 return 0;
141
142 if (msg->extraCerts == NULL
143 && (msg->extraCerts = sk_X509_new_null()) == NULL)
144 return 0;
145
146 if (ctx->clCert != NULL) {
147 /* Make sure that our own cert gets sent, in the first position */
148 if (!X509_up_ref(ctx->clCert))
149 return 0;
150 if (!sk_X509_push(msg->extraCerts, ctx->clCert)) {
151 X509_free(ctx->clCert);
152 return 0;
153 }
154 /* if we have untrusted store, try to add intermediate certs */
155 if (ctx->untrusted_certs != NULL) {
156 STACK_OF(X509) *chain =
157 ossl_cmp_build_cert_chain(ctx->untrusted_certs, ctx->clCert);
158 int res = ossl_cmp_sk_X509_add1_certs(msg->extraCerts, chain,
159 1 /* no self-signed */,
160 1 /* no duplicates */, 0);
161 sk_X509_pop_free(chain, X509_free);
162 if (res == 0)
163 return 0;
164 }
165 }
166
167 /* add any additional certificates from ctx->extraCertsOut */
168 if (!ossl_cmp_sk_X509_add1_certs(msg->extraCerts, ctx->extraCertsOut, 0,
169 1 /* no duplicates */, 0))
170 return 0;
171
172 /* if none was found avoid empty ASN.1 sequence */
173 if (sk_X509_num(msg->extraCerts) == 0) {
174 sk_X509_free(msg->extraCerts);
175 msg->extraCerts = NULL;
176 }
177 return 1;
178}
179
180/*
181 * Create an X509_ALGOR structure for PasswordBasedMAC protection based on
182 * the pbm settings in the context
183 * returns pointer to X509_ALGOR on success, NULL on error
184 */
185static X509_ALGOR *create_pbmac_algor(OSSL_CMP_CTX *ctx)
186{
187 X509_ALGOR *alg = NULL;
188 OSSL_CRMF_PBMPARAMETER *pbm = NULL;
189 unsigned char *pbm_der = NULL;
190 int pbm_der_len;
191 ASN1_STRING *pbm_str = NULL;
192
193 if (!ossl_assert(ctx != NULL))
194 return NULL;
195
196 alg = X509_ALGOR_new();
197 pbm = OSSL_CRMF_pbmp_new(ctx->pbm_slen, ctx->pbm_owf, ctx->pbm_itercnt,
198 ctx->pbm_mac);
199 pbm_str = ASN1_STRING_new();
200 if (alg == NULL || pbm == NULL || pbm_str == NULL)
201 goto err;
202
203 if ((pbm_der_len = i2d_OSSL_CRMF_PBMPARAMETER(pbm, &pbm_der)) < 0)
204 goto err;
205
206 if (!ASN1_STRING_set(pbm_str, pbm_der, pbm_der_len))
207 goto err;
208 OPENSSL_free(pbm_der);
209
210 X509_ALGOR_set0(alg, OBJ_nid2obj(NID_id_PasswordBasedMAC),
211 V_ASN1_SEQUENCE, pbm_str);
212 OSSL_CRMF_PBMPARAMETER_free(pbm);
213 return alg;
214
215 err:
216 ASN1_STRING_free(pbm_str);
217 X509_ALGOR_free(alg);
218 OPENSSL_free(pbm_der);
219 OSSL_CRMF_PBMPARAMETER_free(pbm);
220 return NULL;
221}
222
223int ossl_cmp_msg_protect(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg)
224{
225 if (!ossl_assert(ctx != NULL && msg != NULL))
226 return 0;
227
228 if (ctx->unprotectedSend)
229 return 1;
230
231 /* use PasswordBasedMac according to 5.1.3.1 if secretValue is given */
232 if (ctx->secretValue != NULL) {
233 if ((msg->header->protectionAlg = create_pbmac_algor(ctx)) == NULL)
234 goto err;
235 if (ctx->referenceValue != NULL
236 && !ossl_cmp_hdr_set1_senderKID(msg->header,
237 ctx->referenceValue))
238 goto err;
239
240 /*
241 * add any additional certificates from ctx->extraCertsOut
242 * while not needed to validate the signing cert, the option to do
243 * this might be handy for certain use cases
244 */
245 if (!ossl_cmp_msg_add_extraCerts(ctx, msg))
246 goto err;
247
248 if ((msg->protection =
249 ossl_cmp_calc_protection(msg, ctx->secretValue, NULL)) == NULL)
250 goto err;
251 } else {
252 /*
253 * use MSG_SIG_ALG according to 5.1.3.3 if client Certificate and
254 * private key is given
255 */
256 if (ctx->clCert != NULL && ctx->pkey != NULL) {
257 const ASN1_OCTET_STRING *subjKeyIDStr = NULL;
258 int algNID = 0;
259 ASN1_OBJECT *alg = NULL;
260
261 /* make sure that key and certificate match */
262 if (!X509_check_private_key(ctx->clCert, ctx->pkey)) {
263 CMPerr(0, CMP_R_CERT_AND_KEY_DO_NOT_MATCH);
264 goto err;
265 }
266
267 if (msg->header->protectionAlg == NULL)
268 if ((msg->header->protectionAlg = X509_ALGOR_new()) == NULL)
269 goto err;
270
271 if (!OBJ_find_sigid_by_algs(&algNID, ctx->digest,
272 EVP_PKEY_id(ctx->pkey))) {
273 CMPerr(0, CMP_R_UNSUPPORTED_KEY_TYPE);
274 goto err;
275 }
276 if ((alg = OBJ_nid2obj(algNID)) == NULL)
277 goto err;
278 if (!X509_ALGOR_set0(msg->header->protectionAlg,
279 alg, V_ASN1_UNDEF, NULL)) {
280 ASN1_OBJECT_free(alg);
281 goto err;
282 }
283
284 /*
285 * set senderKID to keyIdentifier of the used certificate according
286 * to section 5.1.1
287 */
288 subjKeyIDStr = X509_get0_subject_key_id(ctx->clCert);
289 if (subjKeyIDStr != NULL
290 && !ossl_cmp_hdr_set1_senderKID(msg->header, subjKeyIDStr))
291 goto err;
292
293 /*
294 * Add ctx->clCert followed, if possible, by its chain built
295 * from ctx->untrusted_certs, and then ctx->extraCertsOut
296 */
297 if (!ossl_cmp_msg_add_extraCerts(ctx, msg))
298 goto err;
299
300 if ((msg->protection =
301 ossl_cmp_calc_protection(msg, NULL, ctx->pkey)) == NULL)
302 goto err;
303 } else {
304 CMPerr(0, CMP_R_MISSING_KEY_INPUT_FOR_CREATING_PROTECTION);
305 goto err;
306 }
307 }
308
309 return 1;
310 err:
311 CMPerr(0, CMP_R_ERROR_PROTECTING_MESSAGE);
312 return 0;
313}
314