1 | /* |
2 | * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. |
3 | * |
4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at |
7 | * https://www.openssl.org/source/license.html |
8 | */ |
9 | |
10 | #ifdef OPENSSL_NO_CT |
11 | # error "CT is disabled" |
12 | #endif |
13 | |
14 | #include <stddef.h> |
15 | #include <string.h> |
16 | |
17 | #include <openssl/err.h> |
18 | #include <openssl/obj_mac.h> |
19 | #include <openssl/x509.h> |
20 | |
21 | #include "ct_local.h" |
22 | |
23 | SCT_CTX *SCT_CTX_new(void) |
24 | { |
25 | SCT_CTX *sctx = OPENSSL_zalloc(sizeof(*sctx)); |
26 | |
27 | if (sctx == NULL) |
28 | CTerr(CT_F_SCT_CTX_NEW, ERR_R_MALLOC_FAILURE); |
29 | |
30 | return sctx; |
31 | } |
32 | |
33 | void SCT_CTX_free(SCT_CTX *sctx) |
34 | { |
35 | if (sctx == NULL) |
36 | return; |
37 | EVP_PKEY_free(sctx->pkey); |
38 | OPENSSL_free(sctx->pkeyhash); |
39 | OPENSSL_free(sctx->ihash); |
40 | OPENSSL_free(sctx->certder); |
41 | OPENSSL_free(sctx->preder); |
42 | OPENSSL_free(sctx); |
43 | } |
44 | |
45 | /* |
46 | * Finds the index of the first extension with the given NID in cert. |
47 | * If there is more than one extension with that NID, *is_duplicated is set to |
48 | * 1, otherwise 0 (unless it is NULL). |
49 | */ |
50 | static int ct_x509_get_ext(X509 *cert, int nid, int *is_duplicated) |
51 | { |
52 | int ret = X509_get_ext_by_NID(cert, nid, -1); |
53 | |
54 | if (is_duplicated != NULL) |
55 | *is_duplicated = ret >= 0 && X509_get_ext_by_NID(cert, nid, ret) >= 0; |
56 | |
57 | return ret; |
58 | } |
59 | |
60 | /* |
61 | * Modifies a certificate by deleting extensions and copying the issuer and |
62 | * AKID from the presigner certificate, if necessary. |
63 | * Returns 1 on success, 0 otherwise. |
64 | */ |
65 | __owur static int ct_x509_cert_fixup(X509 *cert, X509 *presigner) |
66 | { |
67 | int preidx, certidx; |
68 | int pre_akid_ext_is_dup, cert_akid_ext_is_dup; |
69 | |
70 | if (presigner == NULL) |
71 | return 1; |
72 | |
73 | preidx = ct_x509_get_ext(presigner, NID_authority_key_identifier, |
74 | &pre_akid_ext_is_dup); |
75 | certidx = ct_x509_get_ext(cert, NID_authority_key_identifier, |
76 | &cert_akid_ext_is_dup); |
77 | |
78 | /* An error occurred whilst searching for the extension */ |
79 | if (preidx < -1 || certidx < -1) |
80 | return 0; |
81 | /* Invalid certificate if they contain duplicate extensions */ |
82 | if (pre_akid_ext_is_dup || cert_akid_ext_is_dup) |
83 | return 0; |
84 | /* AKID must be present in both certificate or absent in both */ |
85 | if (preidx >= 0 && certidx == -1) |
86 | return 0; |
87 | if (preidx == -1 && certidx >= 0) |
88 | return 0; |
89 | /* Copy issuer name */ |
90 | if (!X509_set_issuer_name(cert, X509_get_issuer_name(presigner))) |
91 | return 0; |
92 | if (preidx != -1) { |
93 | /* Retrieve and copy AKID encoding */ |
94 | X509_EXTENSION *preext = X509_get_ext(presigner, preidx); |
95 | X509_EXTENSION *certext = X509_get_ext(cert, certidx); |
96 | ASN1_OCTET_STRING *preextdata; |
97 | |
98 | /* Should never happen */ |
99 | if (preext == NULL || certext == NULL) |
100 | return 0; |
101 | preextdata = X509_EXTENSION_get_data(preext); |
102 | if (preextdata == NULL || |
103 | !X509_EXTENSION_set_data(certext, preextdata)) |
104 | return 0; |
105 | } |
106 | return 1; |
107 | } |
108 | |
109 | int SCT_CTX_set1_cert(SCT_CTX *sctx, X509 *cert, X509 *presigner) |
110 | { |
111 | unsigned char *certder = NULL, *preder = NULL; |
112 | X509 *pretmp = NULL; |
113 | int certderlen = 0, prederlen = 0; |
114 | int idx = -1; |
115 | int poison_ext_is_dup, sct_ext_is_dup; |
116 | int poison_idx = ct_x509_get_ext(cert, NID_ct_precert_poison, &poison_ext_is_dup); |
117 | |
118 | /* Duplicate poison extensions are present - error */ |
119 | if (poison_ext_is_dup) |
120 | goto err; |
121 | |
122 | /* If *cert doesn't have a poison extension, it isn't a precert */ |
123 | if (poison_idx == -1) { |
124 | /* cert isn't a precert, so we shouldn't have a presigner */ |
125 | if (presigner != NULL) |
126 | goto err; |
127 | |
128 | certderlen = i2d_X509(cert, &certder); |
129 | if (certderlen < 0) |
130 | goto err; |
131 | } |
132 | |
133 | /* See if cert has a precert SCTs extension */ |
134 | idx = ct_x509_get_ext(cert, NID_ct_precert_scts, &sct_ext_is_dup); |
135 | /* Duplicate SCT extensions are present - error */ |
136 | if (sct_ext_is_dup) |
137 | goto err; |
138 | |
139 | if (idx >= 0 && poison_idx >= 0) { |
140 | /* |
141 | * cert can't both contain SCTs (i.e. have an SCT extension) and be a |
142 | * precert (i.e. have a poison extension). |
143 | */ |
144 | goto err; |
145 | } |
146 | |
147 | if (idx == -1) { |
148 | idx = poison_idx; |
149 | } |
150 | |
151 | /* |
152 | * If either a poison or SCT extension is present, remove it before encoding |
153 | * cert. This, along with ct_x509_cert_fixup(), gets a TBSCertificate (see |
154 | * RFC5280) from cert, which is what the CT log signed when it produced the |
155 | * SCT. |
156 | */ |
157 | if (idx >= 0) { |
158 | X509_EXTENSION *ext; |
159 | |
160 | /* Take a copy of certificate so we don't modify passed version */ |
161 | pretmp = X509_dup(cert); |
162 | if (pretmp == NULL) |
163 | goto err; |
164 | |
165 | ext = X509_delete_ext(pretmp, idx); |
166 | X509_EXTENSION_free(ext); |
167 | |
168 | if (!ct_x509_cert_fixup(pretmp, presigner)) |
169 | goto err; |
170 | |
171 | prederlen = i2d_re_X509_tbs(pretmp, &preder); |
172 | if (prederlen <= 0) |
173 | goto err; |
174 | } |
175 | |
176 | X509_free(pretmp); |
177 | |
178 | OPENSSL_free(sctx->certder); |
179 | sctx->certder = certder; |
180 | sctx->certderlen = certderlen; |
181 | |
182 | OPENSSL_free(sctx->preder); |
183 | sctx->preder = preder; |
184 | sctx->prederlen = prederlen; |
185 | |
186 | return 1; |
187 | err: |
188 | OPENSSL_free(certder); |
189 | OPENSSL_free(preder); |
190 | X509_free(pretmp); |
191 | return 0; |
192 | } |
193 | |
194 | __owur static int ct_public_key_hash(X509_PUBKEY *pkey, unsigned char **hash, |
195 | size_t *hash_len) |
196 | { |
197 | int ret = 0; |
198 | unsigned char *md = NULL, *der = NULL; |
199 | int der_len; |
200 | unsigned int md_len; |
201 | |
202 | /* Reuse buffer if possible */ |
203 | if (*hash != NULL && *hash_len >= SHA256_DIGEST_LENGTH) { |
204 | md = *hash; |
205 | } else { |
206 | md = OPENSSL_malloc(SHA256_DIGEST_LENGTH); |
207 | if (md == NULL) |
208 | goto err; |
209 | } |
210 | |
211 | /* Calculate key hash */ |
212 | der_len = i2d_X509_PUBKEY(pkey, &der); |
213 | if (der_len <= 0) |
214 | goto err; |
215 | |
216 | if (!EVP_Digest(der, der_len, md, &md_len, EVP_sha256(), NULL)) |
217 | goto err; |
218 | |
219 | if (md != *hash) { |
220 | OPENSSL_free(*hash); |
221 | *hash = md; |
222 | *hash_len = SHA256_DIGEST_LENGTH; |
223 | } |
224 | |
225 | md = NULL; |
226 | ret = 1; |
227 | err: |
228 | OPENSSL_free(md); |
229 | OPENSSL_free(der); |
230 | return ret; |
231 | } |
232 | |
233 | int SCT_CTX_set1_issuer(SCT_CTX *sctx, const X509 *issuer) |
234 | { |
235 | return SCT_CTX_set1_issuer_pubkey(sctx, X509_get_X509_PUBKEY(issuer)); |
236 | } |
237 | |
238 | int SCT_CTX_set1_issuer_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey) |
239 | { |
240 | return ct_public_key_hash(pubkey, &sctx->ihash, &sctx->ihashlen); |
241 | } |
242 | |
243 | int SCT_CTX_set1_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey) |
244 | { |
245 | EVP_PKEY *pkey = X509_PUBKEY_get(pubkey); |
246 | |
247 | if (pkey == NULL) |
248 | return 0; |
249 | |
250 | if (!ct_public_key_hash(pubkey, &sctx->pkeyhash, &sctx->pkeyhashlen)) { |
251 | EVP_PKEY_free(pkey); |
252 | return 0; |
253 | } |
254 | |
255 | EVP_PKEY_free(sctx->pkey); |
256 | sctx->pkey = pkey; |
257 | return 1; |
258 | } |
259 | |
260 | void SCT_CTX_set_time(SCT_CTX *sctx, uint64_t time_in_ms) |
261 | { |
262 | sctx->epoch_time_in_ms = time_in_ms; |
263 | } |
264 | |