1 /* $OpenBSD: ct_sct.c,v 1.8 2022/01/22 00:29:59 inoguchi Exp $ */
2 /*
3 * Written by Rob Stradling (rob@comodo.com), Stephen Henson (steve@openssl.org)
4 * and Adam Eijdenberg (adam.eijdenberg@gmail.com) for the OpenSSL project 2016.
5 */
6 /* ====================================================================
7 * Copyright (c) 2014 The OpenSSL Project. All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 *
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 *
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in
18 * the documentation and/or other materials provided with the
19 * distribution.
20 *
21 * 3. All advertising materials mentioning features or use of this
22 * software must display the following acknowledgment:
23 * "This product includes software developed by the OpenSSL Project
24 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
25 *
26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
27 * endorse or promote products derived from this software without
28 * prior written permission. For written permission, please contact
29 * licensing@OpenSSL.org.
30 *
31 * 5. Products derived from this software may not be called "OpenSSL"
32 * nor may "OpenSSL" appear in their names without prior written
33 * permission of the OpenSSL Project.
34 *
35 * 6. Redistributions of any form whatsoever must retain the following
36 * acknowledgment:
37 * "This product includes software developed by the OpenSSL Project
38 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
43 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51 * OF THE POSSIBILITY OF SUCH DAMAGE.
52 * ====================================================================
53 *
54 * This product includes cryptographic software written by Eric Young
55 * (eay@cryptsoft.com). This product includes software written by Tim
56 * Hudson (tjh@cryptsoft.com).
57 *
58 */
59
60 #ifdef OPENSSL_NO_CT
61 # error "CT disabled"
62 #endif
63
64 #include <openssl/ct.h>
65 #include <openssl/err.h>
66 #include <openssl/evp.h>
67 #include <openssl/tls1.h>
68 #include <openssl/x509.h>
69
70 #include <string.h>
71
72 #include "ct_local.h"
73
74 SCT *
SCT_new(void)75 SCT_new(void)
76 {
77 SCT *sct = calloc(1, sizeof(*sct));
78
79 if (sct == NULL) {
80 CTerror(ERR_R_MALLOC_FAILURE);
81 return NULL;
82 }
83
84 sct->entry_type = CT_LOG_ENTRY_TYPE_NOT_SET;
85 sct->version = SCT_VERSION_NOT_SET;
86 return sct;
87 }
88
89 void
SCT_free(SCT * sct)90 SCT_free(SCT *sct)
91 {
92 if (sct == NULL)
93 return;
94
95 free(sct->log_id);
96 free(sct->ext);
97 free(sct->sig);
98 free(sct->sct);
99 free(sct);
100 }
101
102 void
SCT_LIST_free(STACK_OF (SCT)* scts)103 SCT_LIST_free(STACK_OF(SCT) *scts)
104 {
105 sk_SCT_pop_free(scts, SCT_free);
106 }
107
108 int
SCT_set_version(SCT * sct,sct_version_t version)109 SCT_set_version(SCT *sct, sct_version_t version)
110 {
111 if (version != SCT_VERSION_V1) {
112 CTerror(CT_R_UNSUPPORTED_VERSION);
113 return 0;
114 }
115 sct->version = version;
116 sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET;
117 return 1;
118 }
119
120 int
SCT_set_log_entry_type(SCT * sct,ct_log_entry_type_t entry_type)121 SCT_set_log_entry_type(SCT *sct, ct_log_entry_type_t entry_type)
122 {
123 sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET;
124
125 switch (entry_type) {
126 case CT_LOG_ENTRY_TYPE_X509:
127 case CT_LOG_ENTRY_TYPE_PRECERT:
128 sct->entry_type = entry_type;
129 return 1;
130 case CT_LOG_ENTRY_TYPE_NOT_SET:
131 break;
132 }
133 CTerror(CT_R_UNSUPPORTED_ENTRY_TYPE);
134 return 0;
135 }
136
137 int
SCT_set0_log_id(SCT * sct,unsigned char * log_id,size_t log_id_len)138 SCT_set0_log_id(SCT *sct, unsigned char *log_id, size_t log_id_len)
139 {
140 if (sct->version == SCT_VERSION_V1 && log_id_len != CT_V1_HASHLEN) {
141 CTerror(CT_R_INVALID_LOG_ID_LENGTH);
142 return 0;
143 }
144
145 free(sct->log_id);
146 sct->log_id = log_id;
147 sct->log_id_len = log_id_len;
148 sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET;
149 return 1;
150 }
151
152 int
SCT_set1_log_id(SCT * sct,const unsigned char * log_id,size_t log_id_len)153 SCT_set1_log_id(SCT *sct, const unsigned char *log_id, size_t log_id_len)
154 {
155 if (sct->version == SCT_VERSION_V1 && log_id_len != CT_V1_HASHLEN) {
156 CTerror(CT_R_INVALID_LOG_ID_LENGTH);
157 return 0;
158 }
159
160 free(sct->log_id);
161 sct->log_id = NULL;
162 sct->log_id_len = 0;
163 sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET;
164
165 if (log_id != NULL && log_id_len > 0) {
166 sct->log_id = malloc(log_id_len);
167 if (sct->log_id == NULL) {
168 CTerror(ERR_R_MALLOC_FAILURE);
169 return 0;
170 }
171 memcpy(sct->log_id, log_id, log_id_len);
172 sct->log_id_len = log_id_len;
173 }
174 return 1;
175 }
176
177
178 void
SCT_set_timestamp(SCT * sct,uint64_t timestamp)179 SCT_set_timestamp(SCT *sct, uint64_t timestamp)
180 {
181 sct->timestamp = timestamp;
182 sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET;
183 }
184
185 int
SCT_set_signature_nid(SCT * sct,int nid)186 SCT_set_signature_nid(SCT *sct, int nid)
187 {
188 switch (nid) {
189 case NID_sha256WithRSAEncryption:
190 sct->hash_alg = 4; /* XXX */
191 sct->sig_alg = 1; /* XXX */
192 sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET;
193 return 1;
194 case NID_ecdsa_with_SHA256:
195 sct->hash_alg = 4; /* XXX */
196 sct->sig_alg = 3; /* XXX */
197 sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET;
198 return 1;
199 default:
200 CTerror(CT_R_UNRECOGNIZED_SIGNATURE_NID);
201 return 0;
202 }
203 }
204
205 void
SCT_set0_extensions(SCT * sct,unsigned char * ext,size_t ext_len)206 SCT_set0_extensions(SCT *sct, unsigned char *ext, size_t ext_len)
207 {
208 free(sct->ext);
209 sct->ext = ext;
210 sct->ext_len = ext_len;
211 sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET;
212 }
213
214 int
SCT_set1_extensions(SCT * sct,const unsigned char * ext,size_t ext_len)215 SCT_set1_extensions(SCT *sct, const unsigned char *ext, size_t ext_len)
216 {
217 free(sct->ext);
218 sct->ext = NULL;
219 sct->ext_len = 0;
220 sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET;
221
222 if (ext != NULL && ext_len > 0) {
223 sct->ext = malloc(ext_len);
224 if (sct->ext == NULL) {
225 CTerror(ERR_R_MALLOC_FAILURE);
226 return 0;
227 }
228 memcpy(sct->ext, ext, ext_len);
229 sct->ext_len = ext_len;
230 }
231 return 1;
232 }
233
234 void
SCT_set0_signature(SCT * sct,unsigned char * sig,size_t sig_len)235 SCT_set0_signature(SCT *sct, unsigned char *sig, size_t sig_len)
236 {
237 free(sct->sig);
238 sct->sig = sig;
239 sct->sig_len = sig_len;
240 sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET;
241 }
242
243 int
SCT_set1_signature(SCT * sct,const unsigned char * sig,size_t sig_len)244 SCT_set1_signature(SCT *sct, const unsigned char *sig, size_t sig_len)
245 {
246 free(sct->sig);
247 sct->sig = NULL;
248 sct->sig_len = 0;
249 sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET;
250
251 if (sig != NULL && sig_len > 0) {
252 sct->sig = malloc(sig_len);
253 if (sct->sig == NULL) {
254 CTerror(ERR_R_MALLOC_FAILURE);
255 return 0;
256 }
257 memcpy(sct->sig, sig, sig_len);
258 sct->sig_len = sig_len;
259 }
260 return 1;
261 }
262
263 sct_version_t
SCT_get_version(const SCT * sct)264 SCT_get_version(const SCT *sct)
265 {
266 return sct->version;
267 }
268
269 ct_log_entry_type_t
SCT_get_log_entry_type(const SCT * sct)270 SCT_get_log_entry_type(const SCT *sct)
271 {
272 return sct->entry_type;
273 }
274
275 size_t
SCT_get0_log_id(const SCT * sct,unsigned char ** log_id)276 SCT_get0_log_id(const SCT *sct, unsigned char **log_id)
277 {
278 *log_id = sct->log_id;
279 return sct->log_id_len;
280 }
281
282 uint64_t
SCT_get_timestamp(const SCT * sct)283 SCT_get_timestamp(const SCT *sct)
284 {
285 return sct->timestamp;
286 }
287
288 int
SCT_get_signature_nid(const SCT * sct)289 SCT_get_signature_nid(const SCT *sct)
290 {
291 if (sct->version == SCT_VERSION_V1) {
292 /* XXX sigalg numbers */
293 if (sct->hash_alg == 4) {
294 switch (sct->sig_alg) {
295 case 3:
296 return NID_ecdsa_with_SHA256;
297 case 1:
298 return NID_sha256WithRSAEncryption;
299 default:
300 return NID_undef;
301 }
302 }
303 }
304 return NID_undef;
305 }
306
307 size_t
SCT_get0_extensions(const SCT * sct,unsigned char ** ext)308 SCT_get0_extensions(const SCT *sct, unsigned char **ext)
309 {
310 *ext = sct->ext;
311 return sct->ext_len;
312 }
313
314 size_t
SCT_get0_signature(const SCT * sct,unsigned char ** sig)315 SCT_get0_signature(const SCT *sct, unsigned char **sig)
316 {
317 *sig = sct->sig;
318 return sct->sig_len;
319 }
320
321 int
SCT_is_complete(const SCT * sct)322 SCT_is_complete(const SCT *sct)
323 {
324 switch (sct->version) {
325 case SCT_VERSION_NOT_SET:
326 return 0;
327 case SCT_VERSION_V1:
328 return sct->log_id != NULL && SCT_signature_is_complete(sct);
329 default:
330 return sct->sct != NULL; /* Just need cached encoding */
331 }
332 }
333
334 int
SCT_signature_is_complete(const SCT * sct)335 SCT_signature_is_complete(const SCT *sct)
336 {
337 return SCT_get_signature_nid(sct) != NID_undef &&
338 sct->sig != NULL && sct->sig_len > 0;
339 }
340
341 sct_source_t
SCT_get_source(const SCT * sct)342 SCT_get_source(const SCT *sct)
343 {
344 return sct->source;
345 }
346
347 int
SCT_set_source(SCT * sct,sct_source_t source)348 SCT_set_source(SCT *sct, sct_source_t source)
349 {
350 sct->source = source;
351 sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET;
352 switch (source) {
353 case SCT_SOURCE_TLS_EXTENSION:
354 case SCT_SOURCE_OCSP_STAPLED_RESPONSE:
355 return SCT_set_log_entry_type(sct, CT_LOG_ENTRY_TYPE_X509);
356 case SCT_SOURCE_X509V3_EXTENSION:
357 return SCT_set_log_entry_type(sct, CT_LOG_ENTRY_TYPE_PRECERT);
358 case SCT_SOURCE_UNKNOWN:
359 break;
360 }
361 /* if we aren't sure, leave the log entry type alone */
362 return 1;
363 }
364
365 sct_validation_status_t
SCT_get_validation_status(const SCT * sct)366 SCT_get_validation_status(const SCT *sct)
367 {
368 return sct->validation_status;
369 }
370
371 int
SCT_validate(SCT * sct,const CT_POLICY_EVAL_CTX * ctx)372 SCT_validate(SCT *sct, const CT_POLICY_EVAL_CTX *ctx)
373 {
374 int is_sct_valid = -1;
375 SCT_CTX *sctx = NULL;
376 X509_PUBKEY *pub = NULL, *log_pkey = NULL;
377 const CTLOG *log;
378
379 /*
380 * With an unrecognized SCT version we don't know what such an SCT means,
381 * let alone validate one. So we return validation failure (0).
382 */
383 if (sct->version != SCT_VERSION_V1) {
384 sct->validation_status = SCT_VALIDATION_STATUS_UNKNOWN_VERSION;
385 return 0;
386 }
387
388 log = CTLOG_STORE_get0_log_by_id(ctx->log_store, sct->log_id,
389 sct->log_id_len);
390
391 /* Similarly, an SCT from an unknown log also cannot be validated. */
392 if (log == NULL) {
393 sct->validation_status = SCT_VALIDATION_STATUS_UNKNOWN_LOG;
394 return 0;
395 }
396
397 sctx = SCT_CTX_new();
398 if (sctx == NULL)
399 goto err;
400
401 if (X509_PUBKEY_set(&log_pkey, CTLOG_get0_public_key(log)) != 1)
402 goto err;
403 if (SCT_CTX_set1_pubkey(sctx, log_pkey) != 1)
404 goto err;
405
406 if (SCT_get_log_entry_type(sct) == CT_LOG_ENTRY_TYPE_PRECERT) {
407 EVP_PKEY *issuer_pkey;
408
409 if (ctx->issuer == NULL) {
410 sct->validation_status = SCT_VALIDATION_STATUS_UNVERIFIED;
411 goto end;
412 }
413
414 if ((issuer_pkey = X509_get0_pubkey(ctx->issuer)) == NULL)
415 goto err;
416
417 if (X509_PUBKEY_set(&pub, issuer_pkey) != 1)
418 goto err;
419 if (SCT_CTX_set1_issuer_pubkey(sctx, pub) != 1)
420 goto err;
421 }
422
423 SCT_CTX_set_time(sctx, ctx->epoch_time_in_ms);
424
425 /*
426 * XXX: Potential for optimization. This repeats some idempotent heavy
427 * lifting on the certificate for each candidate SCT, and appears to not
428 * use any information in the SCT itself, only the certificate is
429 * processed. So it may make more sense to to do this just once, perhaps
430 * associated with the shared (by all SCTs) policy eval ctx.
431 *
432 * XXX: Failure here is global (SCT independent) and represents either an
433 * issue with the certificate (e.g. duplicate extensions) or an out of
434 * memory condition. When the certificate is incompatible with CT, we just
435 * mark the SCTs invalid, rather than report a failure to determine the
436 * validation status. That way, callbacks that want to do "soft" SCT
437 * processing will not abort handshakes with false positive internal
438 * errors. Since the function does not distinguish between certificate
439 * issues (peer's fault) and internal problems (out fault) the safe thing
440 * to do is to report a validation failure and let the callback or
441 * application decide what to do.
442 */
443 if (SCT_CTX_set1_cert(sctx, ctx->cert, NULL) != 1)
444 sct->validation_status = SCT_VALIDATION_STATUS_UNVERIFIED;
445 else
446 sct->validation_status = SCT_CTX_verify(sctx, sct) == 1 ?
447 SCT_VALIDATION_STATUS_VALID : SCT_VALIDATION_STATUS_INVALID;
448
449 end:
450 is_sct_valid = sct->validation_status == SCT_VALIDATION_STATUS_VALID;
451 err:
452 X509_PUBKEY_free(pub);
453 X509_PUBKEY_free(log_pkey);
454 SCT_CTX_free(sctx);
455
456 return is_sct_valid;
457 }
458
459 int
SCT_LIST_validate(const STACK_OF (SCT)* scts,CT_POLICY_EVAL_CTX * ctx)460 SCT_LIST_validate(const STACK_OF(SCT) *scts, CT_POLICY_EVAL_CTX *ctx)
461 {
462 int are_scts_valid = 1;
463 int sct_count = scts != NULL ? sk_SCT_num(scts) : 0;
464 int i;
465
466 for (i = 0; i < sct_count; ++i) {
467 int is_sct_valid = -1;
468 SCT *sct = sk_SCT_value(scts, i);
469
470 if (sct == NULL)
471 continue;
472
473 is_sct_valid = SCT_validate(sct, ctx);
474 if (is_sct_valid < 0)
475 return is_sct_valid;
476 are_scts_valid &= is_sct_valid;
477 }
478
479 return are_scts_valid;
480 }
481