1 | /* |
2 | * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. |
3 | * |
4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at |
7 | * https://www.openssl.org/source/license.html |
8 | */ |
9 | |
10 | #include <stddef.h> |
11 | #include <openssl/ct.h> |
12 | #include <openssl/evp.h> |
13 | #include <openssl/x509.h> |
14 | #include <openssl/x509v3.h> |
15 | #include <openssl/safestack.h> |
16 | |
17 | /* |
18 | * From RFC6962: opaque SerializedSCT<1..2^16-1>; struct { SerializedSCT |
19 | * sct_list <1..2^16-1>; } SignedCertificateTimestampList; |
20 | */ |
21 | # define MAX_SCT_SIZE 65535 |
22 | # define MAX_SCT_LIST_SIZE MAX_SCT_SIZE |
23 | |
24 | /* |
25 | * Macros to read and write integers in network-byte order. |
26 | */ |
27 | |
28 | #define n2s(c,s) ((s=(((unsigned int)((c)[0]))<< 8)| \ |
29 | (((unsigned int)((c)[1])) )),c+=2) |
30 | |
31 | #define s2n(s,c) ((c[0]=(unsigned char)(((s)>> 8)&0xff), \ |
32 | c[1]=(unsigned char)(((s) )&0xff)),c+=2) |
33 | |
34 | #define l2n3(l,c) ((c[0]=(unsigned char)(((l)>>16)&0xff), \ |
35 | c[1]=(unsigned char)(((l)>> 8)&0xff), \ |
36 | c[2]=(unsigned char)(((l) )&0xff)),c+=3) |
37 | |
38 | #define n2l8(c,l) (l =((uint64_t)(*((c)++)))<<56, \ |
39 | l|=((uint64_t)(*((c)++)))<<48, \ |
40 | l|=((uint64_t)(*((c)++)))<<40, \ |
41 | l|=((uint64_t)(*((c)++)))<<32, \ |
42 | l|=((uint64_t)(*((c)++)))<<24, \ |
43 | l|=((uint64_t)(*((c)++)))<<16, \ |
44 | l|=((uint64_t)(*((c)++)))<< 8, \ |
45 | l|=((uint64_t)(*((c)++)))) |
46 | |
47 | #define l2n8(l,c) (*((c)++)=(unsigned char)(((l)>>56)&0xff), \ |
48 | *((c)++)=(unsigned char)(((l)>>48)&0xff), \ |
49 | *((c)++)=(unsigned char)(((l)>>40)&0xff), \ |
50 | *((c)++)=(unsigned char)(((l)>>32)&0xff), \ |
51 | *((c)++)=(unsigned char)(((l)>>24)&0xff), \ |
52 | *((c)++)=(unsigned char)(((l)>>16)&0xff), \ |
53 | *((c)++)=(unsigned char)(((l)>> 8)&0xff), \ |
54 | *((c)++)=(unsigned char)(((l) )&0xff)) |
55 | |
56 | /* Signed Certificate Timestamp */ |
57 | struct sct_st { |
58 | sct_version_t version; |
59 | /* If version is not SCT_VERSION_V1, this contains the encoded SCT */ |
60 | unsigned char *sct; |
61 | size_t sct_len; |
62 | /* If version is SCT_VERSION_V1, fields below contain components of the SCT */ |
63 | unsigned char *log_id; |
64 | size_t log_id_len; |
65 | /* |
66 | * Note, we cannot distinguish between an unset timestamp, and one |
67 | * that is set to 0. However since CT didn't exist in 1970, no real |
68 | * SCT should ever be set as such. |
69 | */ |
70 | uint64_t timestamp; |
71 | unsigned char *ext; |
72 | size_t ext_len; |
73 | unsigned char hash_alg; |
74 | unsigned char sig_alg; |
75 | unsigned char *sig; |
76 | size_t sig_len; |
77 | /* Log entry type */ |
78 | ct_log_entry_type_t entry_type; |
79 | /* Where this SCT was found, e.g. certificate, OCSP response, etc. */ |
80 | sct_source_t source; |
81 | /* The result of the last attempt to validate this SCT. */ |
82 | sct_validation_status_t validation_status; |
83 | }; |
84 | |
85 | /* Miscellaneous data that is useful when verifying an SCT */ |
86 | struct sct_ctx_st { |
87 | /* Public key */ |
88 | EVP_PKEY *pkey; |
89 | /* Hash of public key */ |
90 | unsigned char *pkeyhash; |
91 | size_t pkeyhashlen; |
92 | /* For pre-certificate: issuer public key hash */ |
93 | unsigned char *ihash; |
94 | size_t ihashlen; |
95 | /* certificate encoding */ |
96 | unsigned char *certder; |
97 | size_t certderlen; |
98 | /* pre-certificate encoding */ |
99 | unsigned char *preder; |
100 | size_t prederlen; |
101 | /* milliseconds since epoch (to check that the SCT isn't from the future) */ |
102 | uint64_t epoch_time_in_ms; |
103 | }; |
104 | |
105 | /* Context when evaluating whether a Certificate Transparency policy is met */ |
106 | struct ct_policy_eval_ctx_st { |
107 | X509 *cert; |
108 | X509 *issuer; |
109 | CTLOG_STORE *log_store; |
110 | /* milliseconds since epoch (to check that SCTs aren't from the future) */ |
111 | uint64_t epoch_time_in_ms; |
112 | }; |
113 | |
114 | /* |
115 | * Creates a new context for verifying an SCT. |
116 | */ |
117 | SCT_CTX *SCT_CTX_new(void); |
118 | /* |
119 | * Deletes an SCT verification context. |
120 | */ |
121 | void SCT_CTX_free(SCT_CTX *sctx); |
122 | |
123 | /* |
124 | * Sets the certificate that the SCT was created for. |
125 | * If *cert does not have a poison extension, presigner must be NULL. |
126 | * If *cert does not have a poison extension, it may have a single SCT |
127 | * (NID_ct_precert_scts) extension. |
128 | * If either *cert or *presigner have an AKID (NID_authority_key_identifier) |
129 | * extension, both must have one. |
130 | * Returns 1 on success, 0 on failure. |
131 | */ |
132 | __owur int SCT_CTX_set1_cert(SCT_CTX *sctx, X509 *cert, X509 *presigner); |
133 | |
134 | /* |
135 | * Sets the issuer of the certificate that the SCT was created for. |
136 | * This is just a convenience method to save extracting the public key and |
137 | * calling SCT_CTX_set1_issuer_pubkey(). |
138 | * Issuer must not be NULL. |
139 | * Returns 1 on success, 0 on failure. |
140 | */ |
141 | __owur int SCT_CTX_set1_issuer(SCT_CTX *sctx, const X509 *issuer); |
142 | |
143 | /* |
144 | * Sets the public key of the issuer of the certificate that the SCT was created |
145 | * for. |
146 | * The public key must not be NULL. |
147 | * Returns 1 on success, 0 on failure. |
148 | */ |
149 | __owur int SCT_CTX_set1_issuer_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey); |
150 | |
151 | /* |
152 | * Sets the public key of the CT log that the SCT is from. |
153 | * Returns 1 on success, 0 on failure. |
154 | */ |
155 | __owur int SCT_CTX_set1_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey); |
156 | |
157 | /* |
158 | * Sets the time to evaluate the SCT against, in milliseconds since the Unix |
159 | * epoch. If the SCT's timestamp is after this time, it will be interpreted as |
160 | * having been issued in the future. RFC6962 states that "TLS clients MUST |
161 | * reject SCTs whose timestamp is in the future", so an SCT will not validate |
162 | * in this case. |
163 | */ |
164 | void SCT_CTX_set_time(SCT_CTX *sctx, uint64_t time_in_ms); |
165 | |
166 | /* |
167 | * Verifies an SCT with the given context. |
168 | * Returns 1 if the SCT verifies successfully; any other value indicates |
169 | * failure. See EVP_DigestVerifyFinal() for the meaning of those values. |
170 | */ |
171 | __owur int SCT_CTX_verify(const SCT_CTX *sctx, const SCT *sct); |
172 | |
173 | /* |
174 | * Does this SCT have the minimum fields populated to be usable? |
175 | * Returns 1 if so, 0 otherwise. |
176 | */ |
177 | __owur int SCT_is_complete(const SCT *sct); |
178 | |
179 | /* |
180 | * Does this SCT have the signature-related fields populated? |
181 | * Returns 1 if so, 0 otherwise. |
182 | * This checks that the signature and hash algorithms are set to supported |
183 | * values and that the signature field is set. |
184 | */ |
185 | __owur int SCT_signature_is_complete(const SCT *sct); |
186 | |
187 | /* |
188 | * TODO(RJPercival): Create an SCT_signature struct and make i2o_SCT_signature |
189 | * and o2i_SCT_signature conform to the i2d/d2i conventions. |
190 | */ |
191 | |
192 | /* |
193 | * Serialize (to TLS format) an |sct| signature and write it to |out|. |
194 | * If |out| is null, no signature will be output but the length will be returned. |
195 | * If |out| points to a null pointer, a string will be allocated to hold the |
196 | * TLS-format signature. It is the responsibility of the caller to free it. |
197 | * If |out| points to an allocated string, the signature will be written to it. |
198 | * The length of the signature in TLS format will be returned. |
199 | */ |
200 | __owur int i2o_SCT_signature(const SCT *sct, unsigned char **out); |
201 | |
202 | /* |
203 | * Parses an SCT signature in TLS format and populates the |sct| with it. |
204 | * |in| should be a pointer to a string containing the TLS-format signature. |
205 | * |in| will be advanced to the end of the signature if parsing succeeds. |
206 | * |len| should be the length of the signature in |in|. |
207 | * Returns the number of bytes parsed, or a negative integer if an error occurs. |
208 | * If an error occurs, the SCT's signature NID may be updated whilst the |
209 | * signature field itself remains unset. |
210 | */ |
211 | __owur int o2i_SCT_signature(SCT *sct, const unsigned char **in, size_t len); |
212 | |
213 | /* |
214 | * Handlers for Certificate Transparency X509v3/OCSP extensions |
215 | */ |
216 | extern const X509V3_EXT_METHOD v3_ct_scts[3]; |
217 | |