1/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
57/* ====================================================================
58 * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved.
59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 *
64 * 1. Redistributions of source code must retain the above copyright
65 * notice, this list of conditions and the following disclaimer.
66 *
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
70 * distribution.
71 *
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76 *
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
81 *
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
85 *
86 * 6. Redistributions of any form whatsoever must retain the following
87 * acknowledgment:
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90 *
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
104 *
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com).
108 *
109 */
110/* ====================================================================
111 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
112 * ECC cipher suite support in OpenSSL originally developed by
113 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. */
114
115#include <openssl/ssl.h>
116
117#include <assert.h>
118#include <limits.h>
119#include <string.h>
120
121#include <utility>
122
123#include <openssl/bn.h>
124#include <openssl/buf.h>
125#include <openssl/bytestring.h>
126#include <openssl/ec_key.h>
127#include <openssl/err.h>
128#include <openssl/mem.h>
129#include <openssl/sha.h>
130#include <openssl/x509.h>
131
132#include "../crypto/internal.h"
133#include "internal.h"
134
135
136BSSL_NAMESPACE_BEGIN
137
138CERT::CERT(const SSL_X509_METHOD *x509_method_arg)
139 : x509_method(x509_method_arg) {}
140
141CERT::~CERT() {
142 ssl_cert_clear_certs(this);
143 x509_method->cert_free(this);
144}
145
146static CRYPTO_BUFFER *buffer_up_ref(CRYPTO_BUFFER *buffer) {
147 CRYPTO_BUFFER_up_ref(buffer);
148 return buffer;
149}
150
151UniquePtr<CERT> ssl_cert_dup(CERT *cert) {
152 UniquePtr<CERT> ret = MakeUnique<CERT>(cert->x509_method);
153 if (!ret) {
154 return nullptr;
155 }
156
157 if (cert->chain) {
158 ret->chain.reset(sk_CRYPTO_BUFFER_deep_copy(
159 cert->chain.get(), buffer_up_ref, CRYPTO_BUFFER_free));
160 if (!ret->chain) {
161 return nullptr;
162 }
163 }
164
165 ret->privatekey = UpRef(cert->privatekey);
166 ret->key_method = cert->key_method;
167
168 if (!ret->sigalgs.CopyFrom(cert->sigalgs)) {
169 return nullptr;
170 }
171
172 ret->cert_cb = cert->cert_cb;
173 ret->cert_cb_arg = cert->cert_cb_arg;
174
175 ret->x509_method->cert_dup(ret.get(), cert);
176
177 ret->signed_cert_timestamp_list = UpRef(cert->signed_cert_timestamp_list);
178 ret->ocsp_response = UpRef(cert->ocsp_response);
179
180 ret->sid_ctx_length = cert->sid_ctx_length;
181 OPENSSL_memcpy(ret->sid_ctx, cert->sid_ctx, sizeof(ret->sid_ctx));
182
183 if (cert->dc) {
184 ret->dc = cert->dc->Dup();
185 if (!ret->dc) {
186 return nullptr;
187 }
188 }
189
190 ret->dc_privatekey = UpRef(cert->dc_privatekey);
191 ret->dc_key_method = cert->dc_key_method;
192
193 return ret;
194}
195
196// Free up and clear all certificates and chains
197void ssl_cert_clear_certs(CERT *cert) {
198 if (cert == NULL) {
199 return;
200 }
201
202 cert->x509_method->cert_clear(cert);
203
204 cert->chain.reset();
205 cert->privatekey.reset();
206 cert->key_method = nullptr;
207
208 cert->dc.reset();
209 cert->dc_privatekey.reset();
210 cert->dc_key_method = nullptr;
211}
212
213static void ssl_cert_set_cert_cb(CERT *cert, int (*cb)(SSL *ssl, void *arg),
214 void *arg) {
215 cert->cert_cb = cb;
216 cert->cert_cb_arg = arg;
217}
218
219enum leaf_cert_and_privkey_result_t {
220 leaf_cert_and_privkey_error,
221 leaf_cert_and_privkey_ok,
222 leaf_cert_and_privkey_mismatch,
223};
224
225// check_leaf_cert_and_privkey checks whether the certificate in |leaf_buffer|
226// and the private key in |privkey| are suitable and coherent. It returns
227// |leaf_cert_and_privkey_error| and pushes to the error queue if a problem is
228// found. If the certificate and private key are valid, but incoherent, it
229// returns |leaf_cert_and_privkey_mismatch|. Otherwise it returns
230// |leaf_cert_and_privkey_ok|.
231static enum leaf_cert_and_privkey_result_t check_leaf_cert_and_privkey(
232 CRYPTO_BUFFER *leaf_buffer, EVP_PKEY *privkey) {
233 CBS cert_cbs;
234 CRYPTO_BUFFER_init_CBS(leaf_buffer, &cert_cbs);
235 UniquePtr<EVP_PKEY> pubkey = ssl_cert_parse_pubkey(&cert_cbs);
236 if (!pubkey) {
237 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
238 return leaf_cert_and_privkey_error;
239 }
240
241 if (!ssl_is_key_type_supported(pubkey->type)) {
242 OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
243 return leaf_cert_and_privkey_error;
244 }
245
246 // An ECC certificate may be usable for ECDH or ECDSA. We only support ECDSA
247 // certificates, so sanity-check the key usage extension.
248 if (pubkey->type == EVP_PKEY_EC &&
249 !ssl_cert_check_key_usage(&cert_cbs, key_usage_digital_signature)) {
250 OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CERTIFICATE_TYPE);
251 return leaf_cert_and_privkey_error;
252 }
253
254 if (privkey != NULL &&
255 // Sanity-check that the private key and the certificate match.
256 !ssl_compare_public_and_private_key(pubkey.get(), privkey)) {
257 ERR_clear_error();
258 return leaf_cert_and_privkey_mismatch;
259 }
260
261 return leaf_cert_and_privkey_ok;
262}
263
264static int cert_set_chain_and_key(
265 CERT *cert, CRYPTO_BUFFER *const *certs, size_t num_certs,
266 EVP_PKEY *privkey, const SSL_PRIVATE_KEY_METHOD *privkey_method) {
267 if (num_certs == 0 ||
268 (privkey == NULL && privkey_method == NULL)) {
269 OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);
270 return 0;
271 }
272
273 if (privkey != NULL && privkey_method != NULL) {
274 OPENSSL_PUT_ERROR(SSL, SSL_R_CANNOT_HAVE_BOTH_PRIVKEY_AND_METHOD);
275 return 0;
276 }
277
278 switch (check_leaf_cert_and_privkey(certs[0], privkey)) {
279 case leaf_cert_and_privkey_error:
280 return 0;
281 case leaf_cert_and_privkey_mismatch:
282 OPENSSL_PUT_ERROR(SSL, SSL_R_CERTIFICATE_AND_PRIVATE_KEY_MISMATCH);
283 return 0;
284 case leaf_cert_and_privkey_ok:
285 break;
286 }
287
288 UniquePtr<STACK_OF(CRYPTO_BUFFER)> certs_sk(sk_CRYPTO_BUFFER_new_null());
289 if (!certs_sk) {
290 return 0;
291 }
292
293 for (size_t i = 0; i < num_certs; i++) {
294 if (!PushToStack(certs_sk.get(), UpRef(certs[i]))) {
295 return 0;
296 }
297 }
298
299 cert->privatekey = UpRef(privkey);
300 cert->key_method = privkey_method;
301
302 cert->chain = std::move(certs_sk);
303 return 1;
304}
305
306bool ssl_set_cert(CERT *cert, UniquePtr<CRYPTO_BUFFER> buffer) {
307 switch (check_leaf_cert_and_privkey(buffer.get(), cert->privatekey.get())) {
308 case leaf_cert_and_privkey_error:
309 return false;
310 case leaf_cert_and_privkey_mismatch:
311 // don't fail for a cert/key mismatch, just free current private key
312 // (when switching to a different cert & key, first this function should
313 // be used, then |ssl_set_pkey|.
314 cert->privatekey.reset();
315 break;
316 case leaf_cert_and_privkey_ok:
317 break;
318 }
319
320 cert->x509_method->cert_flush_cached_leaf(cert);
321
322 if (cert->chain != nullptr) {
323 CRYPTO_BUFFER_free(sk_CRYPTO_BUFFER_value(cert->chain.get(), 0));
324 sk_CRYPTO_BUFFER_set(cert->chain.get(), 0, buffer.release());
325 return true;
326 }
327
328 cert->chain.reset(sk_CRYPTO_BUFFER_new_null());
329 if (cert->chain == nullptr) {
330 return false;
331 }
332
333 if (!PushToStack(cert->chain.get(), std::move(buffer))) {
334 cert->chain.reset();
335 return false;
336 }
337
338 return true;
339}
340
341bool ssl_has_certificate(const SSL_HANDSHAKE *hs) {
342 return hs->config->cert->chain != nullptr &&
343 sk_CRYPTO_BUFFER_value(hs->config->cert->chain.get(), 0) != nullptr &&
344 ssl_has_private_key(hs);
345}
346
347bool ssl_parse_cert_chain(uint8_t *out_alert,
348 UniquePtr<STACK_OF(CRYPTO_BUFFER)> *out_chain,
349 UniquePtr<EVP_PKEY> *out_pubkey,
350 uint8_t *out_leaf_sha256, CBS *cbs,
351 CRYPTO_BUFFER_POOL *pool) {
352 out_chain->reset();
353 out_pubkey->reset();
354
355 CBS certificate_list;
356 if (!CBS_get_u24_length_prefixed(cbs, &certificate_list)) {
357 *out_alert = SSL_AD_DECODE_ERROR;
358 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
359 return false;
360 }
361
362 if (CBS_len(&certificate_list) == 0) {
363 return true;
364 }
365
366 UniquePtr<STACK_OF(CRYPTO_BUFFER)> chain(sk_CRYPTO_BUFFER_new_null());
367 if (!chain) {
368 *out_alert = SSL_AD_INTERNAL_ERROR;
369 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
370 return false;
371 }
372
373 UniquePtr<EVP_PKEY> pubkey;
374 while (CBS_len(&certificate_list) > 0) {
375 CBS certificate;
376 if (!CBS_get_u24_length_prefixed(&certificate_list, &certificate) ||
377 CBS_len(&certificate) == 0) {
378 *out_alert = SSL_AD_DECODE_ERROR;
379 OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_LENGTH_MISMATCH);
380 return false;
381 }
382
383 if (sk_CRYPTO_BUFFER_num(chain.get()) == 0) {
384 pubkey = ssl_cert_parse_pubkey(&certificate);
385 if (!pubkey) {
386 *out_alert = SSL_AD_DECODE_ERROR;
387 return false;
388 }
389
390 // Retain the hash of the leaf certificate if requested.
391 if (out_leaf_sha256 != NULL) {
392 SHA256(CBS_data(&certificate), CBS_len(&certificate), out_leaf_sha256);
393 }
394 }
395
396 UniquePtr<CRYPTO_BUFFER> buf(
397 CRYPTO_BUFFER_new_from_CBS(&certificate, pool));
398 if (!buf ||
399 !PushToStack(chain.get(), std::move(buf))) {
400 *out_alert = SSL_AD_INTERNAL_ERROR;
401 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
402 return false;
403 }
404 }
405
406 *out_chain = std::move(chain);
407 *out_pubkey = std::move(pubkey);
408 return true;
409}
410
411bool ssl_add_cert_chain(SSL_HANDSHAKE *hs, CBB *cbb) {
412 if (!ssl_has_certificate(hs)) {
413 return CBB_add_u24(cbb, 0);
414 }
415
416 CBB certs;
417 if (!CBB_add_u24_length_prefixed(cbb, &certs)) {
418 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
419 return false;
420 }
421
422 STACK_OF(CRYPTO_BUFFER) *chain = hs->config->cert->chain.get();
423 for (size_t i = 0; i < sk_CRYPTO_BUFFER_num(chain); i++) {
424 CRYPTO_BUFFER *buffer = sk_CRYPTO_BUFFER_value(chain, i);
425 CBB child;
426 if (!CBB_add_u24_length_prefixed(&certs, &child) ||
427 !CBB_add_bytes(&child, CRYPTO_BUFFER_data(buffer),
428 CRYPTO_BUFFER_len(buffer)) ||
429 !CBB_flush(&certs)) {
430 OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
431 return false;
432 }
433 }
434
435 return CBB_flush(cbb);
436}
437
438// ssl_cert_skip_to_spki parses a DER-encoded, X.509 certificate from |in| and
439// positions |*out_tbs_cert| to cover the TBSCertificate, starting at the
440// subjectPublicKeyInfo.
441static bool ssl_cert_skip_to_spki(const CBS *in, CBS *out_tbs_cert) {
442 /* From RFC 5280, section 4.1
443 * Certificate ::= SEQUENCE {
444 * tbsCertificate TBSCertificate,
445 * signatureAlgorithm AlgorithmIdentifier,
446 * signatureValue BIT STRING }
447
448 * TBSCertificate ::= SEQUENCE {
449 * version [0] EXPLICIT Version DEFAULT v1,
450 * serialNumber CertificateSerialNumber,
451 * signature AlgorithmIdentifier,
452 * issuer Name,
453 * validity Validity,
454 * subject Name,
455 * subjectPublicKeyInfo SubjectPublicKeyInfo,
456 * ... } */
457 CBS buf = *in;
458
459 CBS toplevel;
460 if (!CBS_get_asn1(&buf, &toplevel, CBS_ASN1_SEQUENCE) ||
461 CBS_len(&buf) != 0 ||
462 !CBS_get_asn1(&toplevel, out_tbs_cert, CBS_ASN1_SEQUENCE) ||
463 // version
464 !CBS_get_optional_asn1(
465 out_tbs_cert, NULL, NULL,
466 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 0) ||
467 // serialNumber
468 !CBS_get_asn1(out_tbs_cert, NULL, CBS_ASN1_INTEGER) ||
469 // signature algorithm
470 !CBS_get_asn1(out_tbs_cert, NULL, CBS_ASN1_SEQUENCE) ||
471 // issuer
472 !CBS_get_asn1(out_tbs_cert, NULL, CBS_ASN1_SEQUENCE) ||
473 // validity
474 !CBS_get_asn1(out_tbs_cert, NULL, CBS_ASN1_SEQUENCE) ||
475 // subject
476 !CBS_get_asn1(out_tbs_cert, NULL, CBS_ASN1_SEQUENCE)) {
477 return false;
478 }
479
480 return true;
481}
482
483UniquePtr<EVP_PKEY> ssl_cert_parse_pubkey(const CBS *in) {
484 CBS buf = *in, tbs_cert;
485 if (!ssl_cert_skip_to_spki(&buf, &tbs_cert)) {
486 OPENSSL_PUT_ERROR(SSL, SSL_R_CANNOT_PARSE_LEAF_CERT);
487 return nullptr;
488 }
489
490 return UniquePtr<EVP_PKEY>(EVP_parse_public_key(&tbs_cert));
491}
492
493bool ssl_compare_public_and_private_key(const EVP_PKEY *pubkey,
494 const EVP_PKEY *privkey) {
495 if (EVP_PKEY_is_opaque(privkey)) {
496 // We cannot check an opaque private key and have to trust that it
497 // matches.
498 return true;
499 }
500
501 switch (EVP_PKEY_cmp(pubkey, privkey)) {
502 case 1:
503 return true;
504 case 0:
505 OPENSSL_PUT_ERROR(X509, X509_R_KEY_VALUES_MISMATCH);
506 return false;
507 case -1:
508 OPENSSL_PUT_ERROR(X509, X509_R_KEY_TYPE_MISMATCH);
509 return false;
510 case -2:
511 OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_KEY_TYPE);
512 return false;
513 }
514
515 assert(0);
516 return false;
517}
518
519bool ssl_cert_check_private_key(const CERT *cert, const EVP_PKEY *privkey) {
520 if (privkey == nullptr) {
521 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_PRIVATE_KEY_ASSIGNED);
522 return false;
523 }
524
525 if (cert->chain == nullptr ||
526 sk_CRYPTO_BUFFER_value(cert->chain.get(), 0) == nullptr) {
527 OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_ASSIGNED);
528 return false;
529 }
530
531 CBS cert_cbs;
532 CRYPTO_BUFFER_init_CBS(sk_CRYPTO_BUFFER_value(cert->chain.get(), 0),
533 &cert_cbs);
534 UniquePtr<EVP_PKEY> pubkey = ssl_cert_parse_pubkey(&cert_cbs);
535 if (!pubkey) {
536 OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_KEY_TYPE);
537 return false;
538 }
539
540 return ssl_compare_public_and_private_key(pubkey.get(), privkey);
541}
542
543bool ssl_cert_check_key_usage(const CBS *in, enum ssl_key_usage_t bit) {
544 CBS buf = *in;
545
546 CBS tbs_cert, outer_extensions;
547 int has_extensions;
548 if (!ssl_cert_skip_to_spki(&buf, &tbs_cert) ||
549 // subjectPublicKeyInfo
550 !CBS_get_asn1(&tbs_cert, NULL, CBS_ASN1_SEQUENCE) ||
551 // issuerUniqueID
552 !CBS_get_optional_asn1(
553 &tbs_cert, NULL, NULL,
554 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 1) ||
555 // subjectUniqueID
556 !CBS_get_optional_asn1(
557 &tbs_cert, NULL, NULL,
558 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 2) ||
559 !CBS_get_optional_asn1(
560 &tbs_cert, &outer_extensions, &has_extensions,
561 CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 3)) {
562 OPENSSL_PUT_ERROR(SSL, SSL_R_CANNOT_PARSE_LEAF_CERT);
563 return false;
564 }
565
566 if (!has_extensions) {
567 return true;
568 }
569
570 CBS extensions;
571 if (!CBS_get_asn1(&outer_extensions, &extensions, CBS_ASN1_SEQUENCE)) {
572 OPENSSL_PUT_ERROR(SSL, SSL_R_CANNOT_PARSE_LEAF_CERT);
573 return false;
574 }
575
576 while (CBS_len(&extensions) > 0) {
577 CBS extension, oid, contents;
578 if (!CBS_get_asn1(&extensions, &extension, CBS_ASN1_SEQUENCE) ||
579 !CBS_get_asn1(&extension, &oid, CBS_ASN1_OBJECT) ||
580 (CBS_peek_asn1_tag(&extension, CBS_ASN1_BOOLEAN) &&
581 !CBS_get_asn1(&extension, NULL, CBS_ASN1_BOOLEAN)) ||
582 !CBS_get_asn1(&extension, &contents, CBS_ASN1_OCTETSTRING) ||
583 CBS_len(&extension) != 0) {
584 OPENSSL_PUT_ERROR(SSL, SSL_R_CANNOT_PARSE_LEAF_CERT);
585 return false;
586 }
587
588 static const uint8_t kKeyUsageOID[3] = {0x55, 0x1d, 0x0f};
589 if (CBS_len(&oid) != sizeof(kKeyUsageOID) ||
590 OPENSSL_memcmp(CBS_data(&oid), kKeyUsageOID, sizeof(kKeyUsageOID)) !=
591 0) {
592 continue;
593 }
594
595 CBS bit_string;
596 if (!CBS_get_asn1(&contents, &bit_string, CBS_ASN1_BITSTRING) ||
597 CBS_len(&contents) != 0) {
598 OPENSSL_PUT_ERROR(SSL, SSL_R_CANNOT_PARSE_LEAF_CERT);
599 return false;
600 }
601
602 // This is the KeyUsage extension. See
603 // https://tools.ietf.org/html/rfc5280#section-4.2.1.3
604 if (!CBS_is_valid_asn1_bitstring(&bit_string)) {
605 OPENSSL_PUT_ERROR(SSL, SSL_R_CANNOT_PARSE_LEAF_CERT);
606 return false;
607 }
608
609 if (!CBS_asn1_bitstring_has_bit(&bit_string, bit)) {
610 OPENSSL_PUT_ERROR(SSL, SSL_R_KEY_USAGE_BIT_INCORRECT);
611 return false;
612 }
613
614 return true;
615 }
616
617 // No KeyUsage extension found.
618 return true;
619}
620
621UniquePtr<STACK_OF(CRYPTO_BUFFER)> ssl_parse_client_CA_list(SSL *ssl,
622 uint8_t *out_alert,
623 CBS *cbs) {
624 CRYPTO_BUFFER_POOL *const pool = ssl->ctx->pool;
625
626 UniquePtr<STACK_OF(CRYPTO_BUFFER)> ret(sk_CRYPTO_BUFFER_new_null());
627 if (!ret) {
628 *out_alert = SSL_AD_INTERNAL_ERROR;
629 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
630 return nullptr;
631 }
632
633 CBS child;
634 if (!CBS_get_u16_length_prefixed(cbs, &child)) {
635 *out_alert = SSL_AD_DECODE_ERROR;
636 OPENSSL_PUT_ERROR(SSL, SSL_R_LENGTH_MISMATCH);
637 return nullptr;
638 }
639
640 while (CBS_len(&child) > 0) {
641 CBS distinguished_name;
642 if (!CBS_get_u16_length_prefixed(&child, &distinguished_name)) {
643 *out_alert = SSL_AD_DECODE_ERROR;
644 OPENSSL_PUT_ERROR(SSL, SSL_R_CA_DN_TOO_LONG);
645 return nullptr;
646 }
647
648 UniquePtr<CRYPTO_BUFFER> buffer(
649 CRYPTO_BUFFER_new_from_CBS(&distinguished_name, pool));
650 if (!buffer ||
651 !PushToStack(ret.get(), std::move(buffer))) {
652 *out_alert = SSL_AD_INTERNAL_ERROR;
653 OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);
654 return nullptr;
655 }
656 }
657
658 if (!ssl->ctx->x509_method->check_client_CA_list(ret.get())) {
659 *out_alert = SSL_AD_DECODE_ERROR;
660 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
661 return nullptr;
662 }
663
664 return ret;
665}
666
667bool ssl_has_client_CAs(const SSL_CONFIG *cfg) {
668 const STACK_OF(CRYPTO_BUFFER) *names = cfg->client_CA.get();
669 if (names == nullptr) {
670 names = cfg->ssl->ctx->client_CA.get();
671 }
672 if (names == nullptr) {
673 return false;
674 }
675 return sk_CRYPTO_BUFFER_num(names) > 0;
676}
677
678bool ssl_add_client_CA_list(SSL_HANDSHAKE *hs, CBB *cbb) {
679 CBB child, name_cbb;
680 if (!CBB_add_u16_length_prefixed(cbb, &child)) {
681 return false;
682 }
683
684 const STACK_OF(CRYPTO_BUFFER) *names = hs->config->client_CA.get();
685 if (names == NULL) {
686 names = hs->ssl->ctx->client_CA.get();
687 }
688 if (names == NULL) {
689 return CBB_flush(cbb);
690 }
691
692 for (const CRYPTO_BUFFER *name : names) {
693 if (!CBB_add_u16_length_prefixed(&child, &name_cbb) ||
694 !CBB_add_bytes(&name_cbb, CRYPTO_BUFFER_data(name),
695 CRYPTO_BUFFER_len(name))) {
696 return false;
697 }
698 }
699
700 return CBB_flush(cbb);
701}
702
703bool ssl_check_leaf_certificate(SSL_HANDSHAKE *hs, EVP_PKEY *pkey,
704 const CRYPTO_BUFFER *leaf) {
705 assert(ssl_protocol_version(hs->ssl) < TLS1_3_VERSION);
706
707 // Check the certificate's type matches the cipher.
708 if (!(hs->new_cipher->algorithm_auth & ssl_cipher_auth_mask_for_key(pkey))) {
709 OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CERTIFICATE_TYPE);
710 return false;
711 }
712
713 if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
714 // Check the key's group and point format are acceptable.
715 EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(pkey);
716 uint16_t group_id;
717 if (!ssl_nid_to_group_id(
718 &group_id, EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key))) ||
719 !tls1_check_group_id(hs, group_id) ||
720 EC_KEY_get_conv_form(ec_key) != POINT_CONVERSION_UNCOMPRESSED) {
721 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ECC_CERT);
722 return false;
723 }
724 }
725
726 return true;
727}
728
729bool ssl_on_certificate_selected(SSL_HANDSHAKE *hs) {
730 SSL *const ssl = hs->ssl;
731 if (!ssl_has_certificate(hs)) {
732 // Nothing to do.
733 return true;
734 }
735
736 if (!ssl->ctx->x509_method->ssl_auto_chain_if_needed(hs)) {
737 return false;
738 }
739
740 CBS leaf;
741 CRYPTO_BUFFER_init_CBS(
742 sk_CRYPTO_BUFFER_value(hs->config->cert->chain.get(), 0), &leaf);
743
744 if (ssl_signing_with_dc(hs)) {
745 hs->local_pubkey = UpRef(hs->config->cert->dc->pkey);
746 } else {
747 hs->local_pubkey = ssl_cert_parse_pubkey(&leaf);
748 }
749 return hs->local_pubkey != NULL;
750}
751
752
753// Delegated credentials.
754
755DC::DC() = default;
756DC::~DC() = default;
757
758UniquePtr<DC> DC::Dup() {
759 bssl::UniquePtr<DC> ret = MakeUnique<DC>();
760 if (!ret) {
761 return nullptr;
762 }
763
764 ret->raw = UpRef(raw);
765 ret->expected_cert_verify_algorithm = expected_cert_verify_algorithm;
766 ret->pkey = UpRef(pkey);
767 return ret;
768}
769
770// static
771UniquePtr<DC> DC::Parse(CRYPTO_BUFFER *in, uint8_t *out_alert) {
772 UniquePtr<DC> dc = MakeUnique<DC>();
773 if (!dc) {
774 *out_alert = SSL_AD_INTERNAL_ERROR;
775 return nullptr;
776 }
777
778 dc->raw = UpRef(in);
779
780 CBS pubkey, deleg, sig;
781 uint32_t valid_time;
782 uint16_t algorithm;
783 CRYPTO_BUFFER_init_CBS(dc->raw.get(), &deleg);
784 if (!CBS_get_u32(&deleg, &valid_time) ||
785 !CBS_get_u16(&deleg, &dc->expected_cert_verify_algorithm) ||
786 !CBS_get_u24_length_prefixed(&deleg, &pubkey) ||
787 !CBS_get_u16(&deleg, &algorithm) ||
788 !CBS_get_u16_length_prefixed(&deleg, &sig) ||
789 CBS_len(&deleg) != 0) {
790 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
791 *out_alert = SSL_AD_DECODE_ERROR;
792 return nullptr;
793 }
794
795 dc->pkey.reset(EVP_parse_public_key(&pubkey));
796 if (dc->pkey == nullptr) {
797 OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
798 *out_alert = SSL_AD_DECODE_ERROR;
799 return nullptr;
800 }
801
802 return dc;
803}
804
805// ssl_can_serve_dc returns true if the host has configured a DC that it can
806// serve in the handshake. Specifically, it checks that a DC has been
807// configured and that the DC signature algorithm is supported by the peer.
808static bool ssl_can_serve_dc(const SSL_HANDSHAKE *hs) {
809 // Check that a DC has been configured.
810 const CERT *cert = hs->config->cert.get();
811 if (cert->dc == nullptr ||
812 cert->dc->raw == nullptr ||
813 (cert->dc_privatekey == nullptr && cert->dc_key_method == nullptr)) {
814 return false;
815 }
816
817 // Check that 1.3 or higher has been negotiated.
818 const DC *dc = cert->dc.get();
819 assert(hs->ssl->s3->have_version);
820 if (ssl_protocol_version(hs->ssl) < TLS1_3_VERSION) {
821 return false;
822 }
823
824 // Check that the DC signature algorithm is supported by the peer.
825 Span<const uint16_t> peer_sigalgs = tls1_get_peer_verify_algorithms(hs);
826 bool sigalg_found = false;
827 for (uint16_t peer_sigalg : peer_sigalgs) {
828 if (dc->expected_cert_verify_algorithm == peer_sigalg) {
829 sigalg_found = true;
830 break;
831 }
832 }
833
834 return sigalg_found;
835}
836
837bool ssl_signing_with_dc(const SSL_HANDSHAKE *hs) {
838 // As of draft-ietf-tls-subcert-03, only the server may use delegated
839 // credentials to authenticate itself.
840 return hs->ssl->server &&
841 hs->delegated_credential_requested &&
842 ssl_can_serve_dc(hs);
843}
844
845static int cert_set_dc(CERT *cert, CRYPTO_BUFFER *const raw, EVP_PKEY *privkey,
846 const SSL_PRIVATE_KEY_METHOD *key_method) {
847 if (privkey == nullptr && key_method == nullptr) {
848 OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);
849 return 0;
850 }
851
852 if (privkey != nullptr && key_method != nullptr) {
853 OPENSSL_PUT_ERROR(SSL, SSL_R_CANNOT_HAVE_BOTH_PRIVKEY_AND_METHOD);
854 return 0;
855 }
856
857 uint8_t alert;
858 UniquePtr<DC> dc = DC::Parse(raw, &alert);
859 if (dc == nullptr) {
860 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_DELEGATED_CREDENTIAL);
861 return 0;
862 }
863
864 if (privkey) {
865 // Check that the public and private keys match.
866 if (!ssl_compare_public_and_private_key(dc->pkey.get(), privkey)) {
867 OPENSSL_PUT_ERROR(SSL, SSL_R_CERTIFICATE_AND_PRIVATE_KEY_MISMATCH);
868 return 0;
869 }
870 }
871
872 cert->dc = std::move(dc);
873 cert->dc_privatekey = UpRef(privkey);
874 cert->dc_key_method = key_method;
875
876 return 1;
877}
878
879BSSL_NAMESPACE_END
880
881using namespace bssl;
882
883int SSL_set_chain_and_key(SSL *ssl, CRYPTO_BUFFER *const *certs,
884 size_t num_certs, EVP_PKEY *privkey,
885 const SSL_PRIVATE_KEY_METHOD *privkey_method) {
886 if (!ssl->config) {
887 return 0;
888 }
889 return cert_set_chain_and_key(ssl->config->cert.get(), certs, num_certs,
890 privkey, privkey_method);
891}
892
893int SSL_CTX_set_chain_and_key(SSL_CTX *ctx, CRYPTO_BUFFER *const *certs,
894 size_t num_certs, EVP_PKEY *privkey,
895 const SSL_PRIVATE_KEY_METHOD *privkey_method) {
896 return cert_set_chain_and_key(ctx->cert.get(), certs, num_certs, privkey,
897 privkey_method);
898}
899
900int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, size_t der_len,
901 const uint8_t *der) {
902 UniquePtr<CRYPTO_BUFFER> buffer(CRYPTO_BUFFER_new(der, der_len, NULL));
903 if (!buffer) {
904 return 0;
905 }
906
907 return ssl_set_cert(ctx->cert.get(), std::move(buffer));
908}
909
910int SSL_use_certificate_ASN1(SSL *ssl, const uint8_t *der, size_t der_len) {
911 UniquePtr<CRYPTO_BUFFER> buffer(CRYPTO_BUFFER_new(der, der_len, NULL));
912 if (!buffer || !ssl->config) {
913 return 0;
914 }
915
916 return ssl_set_cert(ssl->config->cert.get(), std::move(buffer));
917}
918
919void SSL_CTX_set_cert_cb(SSL_CTX *ctx, int (*cb)(SSL *ssl, void *arg),
920 void *arg) {
921 ssl_cert_set_cert_cb(ctx->cert.get(), cb, arg);
922}
923
924void SSL_set_cert_cb(SSL *ssl, int (*cb)(SSL *ssl, void *arg), void *arg) {
925 if (!ssl->config) {
926 return;
927 }
928 ssl_cert_set_cert_cb(ssl->config->cert.get(), cb, arg);
929}
930
931const STACK_OF(CRYPTO_BUFFER) *SSL_get0_peer_certificates(const SSL *ssl) {
932 SSL_SESSION *session = SSL_get_session(ssl);
933 if (session == NULL) {
934 return NULL;
935 }
936
937 return session->certs.get();
938}
939
940const STACK_OF(CRYPTO_BUFFER) *SSL_get0_server_requested_CAs(const SSL *ssl) {
941 if (ssl->s3->hs == NULL) {
942 return NULL;
943 }
944 return ssl->s3->hs->ca_names.get();
945}
946
947static int set_signed_cert_timestamp_list(CERT *cert, const uint8_t *list,
948 size_t list_len) {
949 CBS sct_list;
950 CBS_init(&sct_list, list, list_len);
951 if (!ssl_is_sct_list_valid(&sct_list)) {
952 OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SCT_LIST);
953 return 0;
954 }
955
956 cert->signed_cert_timestamp_list.reset(
957 CRYPTO_BUFFER_new(CBS_data(&sct_list), CBS_len(&sct_list), nullptr));
958 return cert->signed_cert_timestamp_list != nullptr;
959}
960
961int SSL_CTX_set_signed_cert_timestamp_list(SSL_CTX *ctx, const uint8_t *list,
962 size_t list_len) {
963 return set_signed_cert_timestamp_list(ctx->cert.get(), list, list_len);
964}
965
966int SSL_set_signed_cert_timestamp_list(SSL *ssl, const uint8_t *list,
967 size_t list_len) {
968 if (!ssl->config) {
969 return 0;
970 }
971 return set_signed_cert_timestamp_list(ssl->config->cert.get(), list,
972 list_len);
973}
974
975int SSL_CTX_set_ocsp_response(SSL_CTX *ctx, const uint8_t *response,
976 size_t response_len) {
977 ctx->cert->ocsp_response.reset(
978 CRYPTO_BUFFER_new(response, response_len, nullptr));
979 return ctx->cert->ocsp_response != nullptr;
980}
981
982int SSL_set_ocsp_response(SSL *ssl, const uint8_t *response,
983 size_t response_len) {
984 if (!ssl->config) {
985 return 0;
986 }
987 ssl->config->cert->ocsp_response.reset(
988 CRYPTO_BUFFER_new(response, response_len, nullptr));
989 return ssl->config->cert->ocsp_response != nullptr;
990}
991
992void SSL_CTX_set0_client_CAs(SSL_CTX *ctx, STACK_OF(CRYPTO_BUFFER) *name_list) {
993 ctx->x509_method->ssl_ctx_flush_cached_client_CA(ctx);
994 ctx->client_CA.reset(name_list);
995}
996
997void SSL_set0_client_CAs(SSL *ssl, STACK_OF(CRYPTO_BUFFER) *name_list) {
998 if (!ssl->config) {
999 return;
1000 }
1001 ssl->ctx->x509_method->ssl_flush_cached_client_CA(ssl->config.get());
1002 ssl->config->client_CA.reset(name_list);
1003}
1004
1005int SSL_set1_delegated_credential(SSL *ssl, CRYPTO_BUFFER *dc, EVP_PKEY *pkey,
1006 const SSL_PRIVATE_KEY_METHOD *key_method) {
1007 if (!ssl->config) {
1008 return 0;
1009 }
1010
1011 return cert_set_dc(ssl->config->cert.get(), dc, pkey, key_method);
1012}
1013
1014int SSL_delegated_credential_used(const SSL *ssl) {
1015 return ssl->s3->delegated_credential_used;
1016}
1017