1 | /* |
2 | * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved. |
3 | * |
4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at |
7 | * https://www.openssl.org/source/license.html |
8 | */ |
9 | |
10 | #include <openssl/ocsp.h> |
11 | #include "ocsp_local.h" |
12 | #include <openssl/err.h> |
13 | #include <string.h> |
14 | |
15 | static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, |
16 | STACK_OF(X509) *certs, unsigned long flags); |
17 | static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id); |
18 | static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain); |
19 | static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, |
20 | OCSP_CERTID **ret); |
21 | static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid, |
22 | STACK_OF(OCSP_SINGLERESP) *sresp); |
23 | static int ocsp_check_delegated(X509 *x); |
24 | static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req, |
25 | X509_NAME *nm, STACK_OF(X509) *certs, |
26 | unsigned long flags); |
27 | |
28 | /* Verify a basic response message */ |
29 | |
30 | int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, |
31 | X509_STORE *st, unsigned long flags) |
32 | { |
33 | X509 *signer, *x; |
34 | STACK_OF(X509) *chain = NULL; |
35 | STACK_OF(X509) *untrusted = NULL; |
36 | X509_STORE_CTX *ctx = NULL; |
37 | int i, ret = ocsp_find_signer(&signer, bs, certs, flags); |
38 | |
39 | if (!ret) { |
40 | OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, |
41 | OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND); |
42 | goto end; |
43 | } |
44 | ctx = X509_STORE_CTX_new(); |
45 | if (ctx == NULL) { |
46 | OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_MALLOC_FAILURE); |
47 | goto f_err; |
48 | } |
49 | if ((ret == 2) && (flags & OCSP_TRUSTOTHER)) |
50 | flags |= OCSP_NOVERIFY; |
51 | if (!(flags & OCSP_NOSIGS)) { |
52 | EVP_PKEY *skey; |
53 | skey = X509_get0_pubkey(signer); |
54 | if (skey == NULL) { |
55 | OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_NO_SIGNER_KEY); |
56 | goto err; |
57 | } |
58 | ret = OCSP_BASICRESP_verify(bs, skey, 0); |
59 | if (ret <= 0) { |
60 | OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNATURE_FAILURE); |
61 | goto end; |
62 | } |
63 | } |
64 | if (!(flags & OCSP_NOVERIFY)) { |
65 | int init_res; |
66 | if (flags & OCSP_NOCHAIN) { |
67 | untrusted = NULL; |
68 | } else if (bs->certs && certs) { |
69 | untrusted = sk_X509_dup(bs->certs); |
70 | for (i = 0; i < sk_X509_num(certs); i++) { |
71 | if (!sk_X509_push(untrusted, sk_X509_value(certs, i))) { |
72 | OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_MALLOC_FAILURE); |
73 | goto f_err; |
74 | } |
75 | } |
76 | } else if (certs != NULL) { |
77 | untrusted = certs; |
78 | } else { |
79 | untrusted = bs->certs; |
80 | } |
81 | init_res = X509_STORE_CTX_init(ctx, st, signer, untrusted); |
82 | if (!init_res) { |
83 | OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_X509_LIB); |
84 | goto f_err; |
85 | } |
86 | |
87 | X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_OCSP_HELPER); |
88 | ret = X509_verify_cert(ctx); |
89 | chain = X509_STORE_CTX_get1_chain(ctx); |
90 | if (ret <= 0) { |
91 | i = X509_STORE_CTX_get_error(ctx); |
92 | OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, |
93 | OCSP_R_CERTIFICATE_VERIFY_ERROR); |
94 | ERR_add_error_data(2, "Verify error:" , |
95 | X509_verify_cert_error_string(i)); |
96 | goto end; |
97 | } |
98 | if (flags & OCSP_NOCHECKS) { |
99 | ret = 1; |
100 | goto end; |
101 | } |
102 | /* |
103 | * At this point we have a valid certificate chain need to verify it |
104 | * against the OCSP issuer criteria. |
105 | */ |
106 | ret = ocsp_check_issuer(bs, chain); |
107 | |
108 | /* If fatal error or valid match then finish */ |
109 | if (ret != 0) |
110 | goto end; |
111 | |
112 | /* |
113 | * Easy case: explicitly trusted. Get root CA and check for explicit |
114 | * trust |
115 | */ |
116 | if (flags & OCSP_NOEXPLICIT) |
117 | goto end; |
118 | |
119 | x = sk_X509_value(chain, sk_X509_num(chain) - 1); |
120 | if (X509_check_trust(x, NID_OCSP_sign, 0) != X509_TRUST_TRUSTED) { |
121 | OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_ROOT_CA_NOT_TRUSTED); |
122 | goto err; |
123 | } |
124 | ret = 1; |
125 | } |
126 | end: |
127 | X509_STORE_CTX_free(ctx); |
128 | sk_X509_pop_free(chain, X509_free); |
129 | if (bs->certs && certs) |
130 | sk_X509_free(untrusted); |
131 | return ret; |
132 | |
133 | err: |
134 | ret = 0; |
135 | goto end; |
136 | f_err: |
137 | ret = -1; |
138 | goto end; |
139 | } |
140 | |
141 | int OCSP_resp_get0_signer(OCSP_BASICRESP *bs, X509 **signer, |
142 | STACK_OF(X509) *) |
143 | { |
144 | int ret; |
145 | |
146 | ret = ocsp_find_signer(signer, bs, extra_certs, 0); |
147 | return (ret > 0) ? 1 : 0; |
148 | } |
149 | |
150 | static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, |
151 | STACK_OF(X509) *certs, unsigned long flags) |
152 | { |
153 | X509 *signer; |
154 | OCSP_RESPID *rid = &bs->tbsResponseData.responderId; |
155 | if ((signer = ocsp_find_signer_sk(certs, rid))) { |
156 | *psigner = signer; |
157 | return 2; |
158 | } |
159 | if (!(flags & OCSP_NOINTERN) && |
160 | (signer = ocsp_find_signer_sk(bs->certs, rid))) { |
161 | *psigner = signer; |
162 | return 1; |
163 | } |
164 | /* Maybe lookup from store if by subject name */ |
165 | |
166 | *psigner = NULL; |
167 | return 0; |
168 | } |
169 | |
170 | static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id) |
171 | { |
172 | int i; |
173 | unsigned char tmphash[SHA_DIGEST_LENGTH], *keyhash; |
174 | X509 *x; |
175 | |
176 | /* Easy if lookup by name */ |
177 | if (id->type == V_OCSP_RESPID_NAME) |
178 | return X509_find_by_subject(certs, id->value.byName); |
179 | |
180 | /* Lookup by key hash */ |
181 | |
182 | /* If key hash isn't SHA1 length then forget it */ |
183 | if (id->value.byKey->length != SHA_DIGEST_LENGTH) |
184 | return NULL; |
185 | keyhash = id->value.byKey->data; |
186 | /* Calculate hash of each key and compare */ |
187 | for (i = 0; i < sk_X509_num(certs); i++) { |
188 | x = sk_X509_value(certs, i); |
189 | X509_pubkey_digest(x, EVP_sha1(), tmphash, NULL); |
190 | if (!memcmp(keyhash, tmphash, SHA_DIGEST_LENGTH)) |
191 | return x; |
192 | } |
193 | return NULL; |
194 | } |
195 | |
196 | static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain) |
197 | { |
198 | STACK_OF(OCSP_SINGLERESP) *sresp; |
199 | X509 *signer, *sca; |
200 | OCSP_CERTID *caid = NULL; |
201 | int i; |
202 | sresp = bs->tbsResponseData.responses; |
203 | |
204 | if (sk_X509_num(chain) <= 0) { |
205 | OCSPerr(OCSP_F_OCSP_CHECK_ISSUER, OCSP_R_NO_CERTIFICATES_IN_CHAIN); |
206 | return -1; |
207 | } |
208 | |
209 | /* See if the issuer IDs match. */ |
210 | i = ocsp_check_ids(sresp, &caid); |
211 | |
212 | /* If ID mismatch or other error then return */ |
213 | if (i <= 0) |
214 | return i; |
215 | |
216 | signer = sk_X509_value(chain, 0); |
217 | /* Check to see if OCSP responder CA matches request CA */ |
218 | if (sk_X509_num(chain) > 1) { |
219 | sca = sk_X509_value(chain, 1); |
220 | i = ocsp_match_issuerid(sca, caid, sresp); |
221 | if (i < 0) |
222 | return i; |
223 | if (i) { |
224 | /* We have a match, if extensions OK then success */ |
225 | if (ocsp_check_delegated(signer)) |
226 | return 1; |
227 | return 0; |
228 | } |
229 | } |
230 | |
231 | /* Otherwise check if OCSP request signed directly by request CA */ |
232 | return ocsp_match_issuerid(signer, caid, sresp); |
233 | } |
234 | |
235 | /* |
236 | * Check the issuer certificate IDs for equality. If there is a mismatch with |
237 | * the same algorithm then there's no point trying to match any certificates |
238 | * against the issuer. If the issuer IDs all match then we just need to check |
239 | * equality against one of them. |
240 | */ |
241 | |
242 | static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret) |
243 | { |
244 | OCSP_CERTID *tmpid, *cid; |
245 | int i, idcount; |
246 | |
247 | idcount = sk_OCSP_SINGLERESP_num(sresp); |
248 | if (idcount <= 0) { |
249 | OCSPerr(OCSP_F_OCSP_CHECK_IDS, |
250 | OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA); |
251 | return -1; |
252 | } |
253 | |
254 | cid = sk_OCSP_SINGLERESP_value(sresp, 0)->certId; |
255 | |
256 | *ret = NULL; |
257 | |
258 | for (i = 1; i < idcount; i++) { |
259 | tmpid = sk_OCSP_SINGLERESP_value(sresp, i)->certId; |
260 | /* Check to see if IDs match */ |
261 | if (OCSP_id_issuer_cmp(cid, tmpid)) { |
262 | /* If algorithm mismatch let caller deal with it */ |
263 | if (OBJ_cmp(tmpid->hashAlgorithm.algorithm, |
264 | cid->hashAlgorithm.algorithm)) |
265 | return 2; |
266 | /* Else mismatch */ |
267 | return 0; |
268 | } |
269 | } |
270 | |
271 | /* All IDs match: only need to check one ID */ |
272 | *ret = cid; |
273 | return 1; |
274 | } |
275 | |
276 | static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid, |
277 | STACK_OF(OCSP_SINGLERESP) *sresp) |
278 | { |
279 | /* If only one ID to match then do it */ |
280 | if (cid) { |
281 | const EVP_MD *dgst; |
282 | X509_NAME *iname; |
283 | int mdlen; |
284 | unsigned char md[EVP_MAX_MD_SIZE]; |
285 | if ((dgst = EVP_get_digestbyobj(cid->hashAlgorithm.algorithm)) |
286 | == NULL) { |
287 | OCSPerr(OCSP_F_OCSP_MATCH_ISSUERID, |
288 | OCSP_R_UNKNOWN_MESSAGE_DIGEST); |
289 | return -1; |
290 | } |
291 | |
292 | mdlen = EVP_MD_size(dgst); |
293 | if (mdlen < 0) |
294 | return -1; |
295 | if ((cid->issuerNameHash.length != mdlen) || |
296 | (cid->issuerKeyHash.length != mdlen)) |
297 | return 0; |
298 | iname = X509_get_subject_name(cert); |
299 | if (!X509_NAME_digest(iname, dgst, md, NULL)) |
300 | return -1; |
301 | if (memcmp(md, cid->issuerNameHash.data, mdlen)) |
302 | return 0; |
303 | X509_pubkey_digest(cert, dgst, md, NULL); |
304 | if (memcmp(md, cid->issuerKeyHash.data, mdlen)) |
305 | return 0; |
306 | |
307 | return 1; |
308 | |
309 | } else { |
310 | /* We have to match the whole lot */ |
311 | int i, ret; |
312 | OCSP_CERTID *tmpid; |
313 | for (i = 0; i < sk_OCSP_SINGLERESP_num(sresp); i++) { |
314 | tmpid = sk_OCSP_SINGLERESP_value(sresp, i)->certId; |
315 | ret = ocsp_match_issuerid(cert, tmpid, NULL); |
316 | if (ret <= 0) |
317 | return ret; |
318 | } |
319 | return 1; |
320 | } |
321 | |
322 | } |
323 | |
324 | static int ocsp_check_delegated(X509 *x) |
325 | { |
326 | if ((X509_get_extension_flags(x) & EXFLAG_XKUSAGE) |
327 | && (X509_get_extended_key_usage(x) & XKU_OCSP_SIGN)) |
328 | return 1; |
329 | OCSPerr(OCSP_F_OCSP_CHECK_DELEGATED, OCSP_R_MISSING_OCSPSIGNING_USAGE); |
330 | return 0; |
331 | } |
332 | |
333 | /* |
334 | * Verify an OCSP request. This is fortunately much easier than OCSP response |
335 | * verify. Just find the signers certificate and verify it against a given |
336 | * trust value. |
337 | */ |
338 | |
339 | int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, |
340 | X509_STORE *store, unsigned long flags) |
341 | { |
342 | X509 *signer; |
343 | X509_NAME *nm; |
344 | GENERAL_NAME *gen; |
345 | int ret = 0; |
346 | X509_STORE_CTX *ctx = X509_STORE_CTX_new(); |
347 | |
348 | if (ctx == NULL) { |
349 | OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, ERR_R_MALLOC_FAILURE); |
350 | goto err; |
351 | } |
352 | |
353 | if (!req->optionalSignature) { |
354 | OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_REQUEST_NOT_SIGNED); |
355 | goto err; |
356 | } |
357 | gen = req->tbsRequest.requestorName; |
358 | if (!gen || gen->type != GEN_DIRNAME) { |
359 | OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, |
360 | OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE); |
361 | goto err; |
362 | } |
363 | nm = gen->d.directoryName; |
364 | ret = ocsp_req_find_signer(&signer, req, nm, certs, flags); |
365 | if (ret <= 0) { |
366 | OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, |
367 | OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND); |
368 | goto err; |
369 | } |
370 | if ((ret == 2) && (flags & OCSP_TRUSTOTHER)) |
371 | flags |= OCSP_NOVERIFY; |
372 | if (!(flags & OCSP_NOSIGS)) { |
373 | EVP_PKEY *skey; |
374 | skey = X509_get0_pubkey(signer); |
375 | ret = OCSP_REQUEST_verify(req, skey); |
376 | if (ret <= 0) { |
377 | OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_SIGNATURE_FAILURE); |
378 | goto err; |
379 | } |
380 | } |
381 | if (!(flags & OCSP_NOVERIFY)) { |
382 | int init_res; |
383 | if (flags & OCSP_NOCHAIN) |
384 | init_res = X509_STORE_CTX_init(ctx, store, signer, NULL); |
385 | else |
386 | init_res = X509_STORE_CTX_init(ctx, store, signer, |
387 | req->optionalSignature->certs); |
388 | if (!init_res) { |
389 | OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, ERR_R_X509_LIB); |
390 | goto err; |
391 | } |
392 | |
393 | X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_OCSP_HELPER); |
394 | X509_STORE_CTX_set_trust(ctx, X509_TRUST_OCSP_REQUEST); |
395 | ret = X509_verify_cert(ctx); |
396 | if (ret <= 0) { |
397 | ret = X509_STORE_CTX_get_error(ctx); |
398 | OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, |
399 | OCSP_R_CERTIFICATE_VERIFY_ERROR); |
400 | ERR_add_error_data(2, "Verify error:" , |
401 | X509_verify_cert_error_string(ret)); |
402 | goto err; |
403 | } |
404 | } |
405 | ret = 1; |
406 | goto end; |
407 | |
408 | err: |
409 | ret = 0; |
410 | end: |
411 | X509_STORE_CTX_free(ctx); |
412 | return ret; |
413 | |
414 | } |
415 | |
416 | static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req, |
417 | X509_NAME *nm, STACK_OF(X509) *certs, |
418 | unsigned long flags) |
419 | { |
420 | X509 *signer; |
421 | if (!(flags & OCSP_NOINTERN)) { |
422 | signer = X509_find_by_subject(req->optionalSignature->certs, nm); |
423 | if (signer) { |
424 | *psigner = signer; |
425 | return 1; |
426 | } |
427 | } |
428 | |
429 | signer = X509_find_by_subject(certs, nm); |
430 | if (signer) { |
431 | *psigner = signer; |
432 | return 2; |
433 | } |
434 | return 0; |
435 | } |
436 | |