1 /* $OpenBSD: parser.c,v 1.4 2021/02/04 14:32:01 claudio Exp $ */ 2 /* 3 * Copyright (c) 2019 Claudio Jeker <claudio@openbsd.org> 4 * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 #include <sys/queue.h> 20 #include <sys/tree.h> 21 #include <sys/types.h> 22 23 #include <assert.h> 24 #include <err.h> 25 #include <poll.h> 26 #include <stdio.h> 27 #include <stdlib.h> 28 #include <string.h> 29 #include <limits.h> 30 #include <unistd.h> 31 #include <imsg.h> 32 33 #include <openssl/asn1.h> 34 #include <openssl/err.h> 35 #include <openssl/evp.h> 36 #include <openssl/x509.h> 37 38 #include "extern.h" 39 40 static void build_chain(const struct auth *, STACK_OF(X509) **); 41 static void build_crls(const struct auth *, struct crl_tree *, 42 STACK_OF(X509_CRL) **); 43 /* 44 * Parse and validate a ROA. 45 * This is standard stuff. 46 * Returns the roa on success, NULL on failure. 47 */ 48 static struct roa * 49 proc_parser_roa(struct entity *entp, 50 X509_STORE *store, X509_STORE_CTX *ctx, 51 struct auth_tree *auths, struct crl_tree *crlt) 52 { 53 struct roa *roa; 54 X509 *x509; 55 int c; 56 struct auth *a; 57 STACK_OF(X509) *chain; 58 STACK_OF(X509_CRL) *crls; 59 60 if ((roa = roa_parse(&x509, entp->file)) == NULL) 61 return NULL; 62 63 a = valid_ski_aki(entp->file, auths, roa->ski, roa->aki); 64 65 build_chain(a, &chain); 66 build_crls(a, crlt, &crls); 67 68 assert(x509 != NULL); 69 if (!X509_STORE_CTX_init(ctx, store, x509, chain)) 70 cryptoerrx("X509_STORE_CTX_init"); 71 X509_STORE_CTX_set_flags(ctx, 72 X509_V_FLAG_IGNORE_CRITICAL | X509_V_FLAG_CRL_CHECK); 73 X509_STORE_CTX_set0_crls(ctx, crls); 74 75 if (X509_verify_cert(ctx) <= 0) { 76 c = X509_STORE_CTX_get_error(ctx); 77 X509_STORE_CTX_cleanup(ctx); 78 if (verbose > 0 || c != X509_V_ERR_UNABLE_TO_GET_CRL) 79 warnx("%s: %s", entp->file, 80 X509_verify_cert_error_string(c)); 81 X509_free(x509); 82 roa_free(roa); 83 sk_X509_free(chain); 84 sk_X509_CRL_free(crls); 85 return NULL; 86 } 87 X509_STORE_CTX_cleanup(ctx); 88 sk_X509_free(chain); 89 sk_X509_CRL_free(crls); 90 X509_free(x509); 91 92 /* 93 * If the ROA isn't valid, we accept it anyway and depend upon 94 * the code around roa_read() to check the "valid" field itself. 95 */ 96 97 if (valid_roa(entp->file, auths, roa)) 98 roa->valid = 1; 99 100 return roa; 101 } 102 103 /* 104 * Parse and validate a manifest file. 105 * Here we *don't* validate against the list of CRLs, because the 106 * certificate used to sign the manifest may specify a CRL that the root 107 * certificate didn't, and we haven't scanned for it yet. 108 * This chicken-and-egg isn't important, however, because we'll catch 109 * the revocation list by the time we scan for any contained resources 110 * (ROA, CER) and will see it then. 111 * Return the mft on success or NULL on failure. 112 */ 113 static struct mft * 114 proc_parser_mft(struct entity *entp, X509_STORE *store, X509_STORE_CTX *ctx, 115 struct auth_tree *auths, struct crl_tree *crlt) 116 { 117 struct mft *mft; 118 X509 *x509; 119 int c; 120 struct auth *a; 121 STACK_OF(X509) *chain; 122 123 if ((mft = mft_parse(&x509, entp->file)) == NULL) 124 return NULL; 125 126 a = valid_ski_aki(entp->file, auths, mft->ski, mft->aki); 127 build_chain(a, &chain); 128 129 if (!X509_STORE_CTX_init(ctx, store, x509, chain)) 130 cryptoerrx("X509_STORE_CTX_init"); 131 132 /* CRL checked disabled here because CRL is referenced from mft */ 133 X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_IGNORE_CRITICAL); 134 135 if (X509_verify_cert(ctx) <= 0) { 136 c = X509_STORE_CTX_get_error(ctx); 137 X509_STORE_CTX_cleanup(ctx); 138 warnx("%s: %s", entp->file, X509_verify_cert_error_string(c)); 139 mft_free(mft); 140 X509_free(x509); 141 sk_X509_free(chain); 142 return NULL; 143 } 144 145 X509_STORE_CTX_cleanup(ctx); 146 sk_X509_free(chain); 147 X509_free(x509); 148 149 if (!mft_check(entp->file, mft)) { 150 mft_free(mft); 151 return NULL; 152 } 153 154 return mft; 155 } 156 157 /* 158 * Certificates are from manifests (has a digest and is signed with 159 * another certificate) Parse the certificate, make sure its 160 * signatures are valid (with CRLs), then validate the RPKI content. 161 * This returns a certificate (which must not be freed) or NULL on 162 * parse failure. 163 */ 164 static struct cert * 165 proc_parser_cert(const struct entity *entp, 166 X509_STORE *store, X509_STORE_CTX *ctx, 167 struct auth_tree *auths, struct crl_tree *crlt) 168 { 169 struct cert *cert; 170 X509 *x509; 171 int c; 172 struct auth *a = NULL, *na; 173 char *tal; 174 STACK_OF(X509) *chain; 175 STACK_OF(X509_CRL) *crls; 176 177 assert(!entp->has_pkey); 178 179 /* Extract certificate data and X509. */ 180 181 cert = cert_parse(&x509, entp->file); 182 if (cert == NULL) 183 return NULL; 184 185 a = valid_ski_aki(entp->file, auths, cert->ski, cert->aki); 186 build_chain(a, &chain); 187 build_crls(a, crlt, &crls); 188 189 /* 190 * Validate certificate chain w/CRLs. 191 * Only check the CRLs if specifically asked. 192 */ 193 194 assert(x509 != NULL); 195 if (!X509_STORE_CTX_init(ctx, store, x509, chain)) 196 cryptoerrx("X509_STORE_CTX_init"); 197 198 X509_STORE_CTX_set_flags(ctx, 199 X509_V_FLAG_IGNORE_CRITICAL | X509_V_FLAG_CRL_CHECK); 200 X509_STORE_CTX_set0_crls(ctx, crls); 201 202 if (X509_verify_cert(ctx) <= 0) { 203 c = X509_STORE_CTX_get_error(ctx); 204 warnx("%s: %s", entp->file, 205 X509_verify_cert_error_string(c)); 206 X509_STORE_CTX_cleanup(ctx); 207 cert_free(cert); 208 sk_X509_free(chain); 209 sk_X509_CRL_free(crls); 210 X509_free(x509); 211 return NULL; 212 } 213 214 X509_STORE_CTX_cleanup(ctx); 215 sk_X509_free(chain); 216 sk_X509_CRL_free(crls); 217 218 /* Validate the cert to get the parent */ 219 if (!valid_cert(entp->file, auths, cert)) { 220 X509_free(x509); // needed? XXX 221 return cert; 222 } 223 224 /* 225 * Add validated certs to the RPKI auth tree. 226 */ 227 228 cert->valid = 1; 229 230 na = malloc(sizeof(*na)); 231 if (na == NULL) 232 err(1, NULL); 233 234 tal = a->tal; 235 236 na->parent = a; 237 na->cert = cert; 238 na->tal = tal; 239 na->fn = strdup(entp->file); 240 if (na->fn == NULL) 241 err(1, NULL); 242 243 if (RB_INSERT(auth_tree, auths, na) != NULL) 244 err(1, "auth tree corrupted"); 245 246 return cert; 247 } 248 249 250 /* 251 * Root certificates come from TALs (has a pkey and is self-signed). 252 * Parse the certificate, ensure that it's public key matches the 253 * known public key from the TAL, and then validate the RPKI 254 * content. If valid, we add it as a trusted root (trust anchor) to 255 * "store". 256 * 257 * This returns a certificate (which must not be freed) or NULL on 258 * parse failure. 259 */ 260 static struct cert * 261 proc_parser_root_cert(const struct entity *entp, 262 X509_STORE *store, X509_STORE_CTX *ctx, 263 struct auth_tree *auths, struct crl_tree *crlt) 264 { 265 char subject[256]; 266 ASN1_TIME *notBefore, *notAfter; 267 X509_NAME *name; 268 struct cert *cert; 269 X509 *x509; 270 struct auth *na; 271 char *tal; 272 273 assert(entp->has_pkey); 274 275 /* Extract certificate data and X509. */ 276 277 cert = ta_parse(&x509, entp->file, entp->pkey, entp->pkeysz); 278 if (cert == NULL) 279 return NULL; 280 281 if ((name = X509_get_subject_name(x509)) == NULL) { 282 warnx("%s Unable to get certificate subject", entp->file); 283 goto badcert; 284 } 285 if (X509_NAME_oneline(name, subject, sizeof(subject)) == NULL) { 286 warnx("%s: Unable to parse certificate subject name", 287 entp->file); 288 goto badcert; 289 } 290 if ((notBefore = X509_get_notBefore(x509)) == NULL) { 291 warnx("%s: certificate has invalid notBefore, subject='%s'", 292 entp->file, subject); 293 goto badcert; 294 } 295 if ((notAfter = X509_get_notAfter(x509)) == NULL) { 296 warnx("%s: certificate has invalid notAfter, subject='%s'", 297 entp->file, subject); 298 goto badcert; 299 } 300 if (X509_cmp_current_time(notBefore) != -1) { 301 warnx("%s: certificate not yet valid, subject='%s'", entp->file, 302 subject); 303 goto badcert; 304 } 305 if (X509_cmp_current_time(notAfter) != 1) { 306 warnx("%s: certificate has expired, subject='%s'", entp->file, 307 subject); 308 goto badcert; 309 } 310 if (!valid_ta(entp->file, auths, cert)) { 311 warnx("%s: certificate not a valid ta, subject='%s'", 312 entp->file, subject); 313 goto badcert; 314 } 315 316 /* 317 * Add valid roots to the RPKI auth tree and as a trusted root 318 * for chain validation to the X509_STORE. 319 */ 320 321 cert->valid = 1; 322 323 na = malloc(sizeof(*na)); 324 if (na == NULL) 325 err(1, NULL); 326 327 if ((tal = strdup(entp->descr)) == NULL) 328 err(1, NULL); 329 330 na->parent = NULL; 331 na->cert = cert; 332 na->tal = tal; 333 na->fn = strdup(entp->file); 334 if (na->fn == NULL) 335 err(1, NULL); 336 337 if (RB_INSERT(auth_tree, auths, na) != NULL) 338 err(1, "auth tree corrupted"); 339 340 X509_STORE_add_cert(store, x509); 341 342 return cert; 343 badcert: 344 X509_free(x509); // needed? XXX 345 return cert; 346 } 347 348 /* 349 * Parse a certificate revocation list 350 * This simply parses the CRL content itself, optionally validating it 351 * within the digest if it comes from a manifest, then adds it to the 352 * store of CRLs. 353 */ 354 static void 355 proc_parser_crl(struct entity *entp, X509_STORE *store, 356 X509_STORE_CTX *ctx, struct crl_tree *crlt) 357 { 358 X509_CRL *x509_crl; 359 struct crl *crl; 360 361 if ((x509_crl = crl_parse(entp->file)) != NULL) { 362 if ((crl = malloc(sizeof(*crl))) == NULL) 363 err(1, NULL); 364 if ((crl->aki = x509_crl_get_aki(x509_crl)) == NULL) 365 errx(1, "x509_crl_get_aki failed"); 366 crl->x509_crl = x509_crl; 367 368 if (RB_INSERT(crl_tree, crlt, crl) != NULL) { 369 warnx("%s: duplicate AKI %s", entp->file, crl->aki); 370 free_crl(crl); 371 } 372 } 373 } 374 375 /* 376 * Parse a ghostbuster record 377 */ 378 static void 379 proc_parser_gbr(struct entity *entp, X509_STORE *store, 380 X509_STORE_CTX *ctx, struct auth_tree *auths, struct crl_tree *crlt) 381 { 382 struct gbr *gbr; 383 X509 *x509; 384 int c; 385 struct auth *a; 386 STACK_OF(X509) *chain; 387 STACK_OF(X509_CRL) *crls; 388 389 if ((gbr = gbr_parse(&x509, entp->file)) == NULL) 390 return; 391 392 a = valid_ski_aki(entp->file, auths, gbr->ski, gbr->aki); 393 394 build_chain(a, &chain); 395 build_crls(a, crlt, &crls); 396 397 assert(x509 != NULL); 398 if (!X509_STORE_CTX_init(ctx, store, x509, chain)) 399 cryptoerrx("X509_STORE_CTX_init"); 400 X509_STORE_CTX_set_flags(ctx, 401 X509_V_FLAG_IGNORE_CRITICAL | X509_V_FLAG_CRL_CHECK); 402 X509_STORE_CTX_set0_crls(ctx, crls); 403 404 if (X509_verify_cert(ctx) <= 0) { 405 c = X509_STORE_CTX_get_error(ctx); 406 if (verbose > 0 || c != X509_V_ERR_UNABLE_TO_GET_CRL) 407 warnx("%s: %s", entp->file, 408 X509_verify_cert_error_string(c)); 409 } 410 411 X509_STORE_CTX_cleanup(ctx); 412 sk_X509_free(chain); 413 sk_X509_CRL_free(crls); 414 X509_free(x509); 415 gbr_free(gbr); 416 } 417 418 /* use the parent (id) to walk the tree to the root and 419 build a certificate chain from cert->x509 */ 420 static void 421 build_chain(const struct auth *a, STACK_OF(X509) **chain) 422 { 423 *chain = NULL; 424 425 if (a == NULL) 426 return; 427 428 if ((*chain = sk_X509_new_null()) == NULL) 429 err(1, "sk_X509_new_null"); 430 for (; a != NULL; a = a->parent) { 431 assert(a->cert->x509 != NULL); 432 if (!sk_X509_push(*chain, a->cert->x509)) 433 errx(1, "sk_X509_push"); 434 } 435 } 436 437 /* use the parent (id) to walk the tree to the root and 438 build a stack of CRLs */ 439 static void 440 build_crls(const struct auth *a, struct crl_tree *crlt, 441 STACK_OF(X509_CRL) **crls) 442 { 443 struct crl find, *found; 444 445 if ((*crls = sk_X509_CRL_new_null()) == NULL) 446 errx(1, "sk_X509_CRL_new_null"); 447 448 if (a == NULL) 449 return; 450 451 find.aki = a->cert->ski; 452 found = RB_FIND(crl_tree, crlt, &find); 453 if (found && !sk_X509_CRL_push(*crls, found->x509_crl)) 454 err(1, "sk_X509_CRL_push"); 455 } 456 457 /* 458 * Process responsible for parsing and validating content. 459 * All this process does is wait to be told about a file to parse, then 460 * it parses it and makes sure that the data being returned is fully 461 * validated and verified. 462 * The process will exit cleanly only when fd is closed. 463 */ 464 void 465 proc_parser(int fd) 466 { 467 struct tal *tal; 468 struct cert *cert; 469 struct mft *mft; 470 struct roa *roa; 471 struct entity *entp; 472 struct entityq q; 473 int c, rc = 1; 474 struct msgbuf msgq; 475 struct pollfd pfd; 476 struct ibuf *b; 477 X509_STORE *store; 478 X509_STORE_CTX *ctx; 479 struct auth_tree auths = RB_INITIALIZER(&auths); 480 struct crl_tree crlt = RB_INITIALIZER(&crlt); 481 482 ERR_load_crypto_strings(); 483 OpenSSL_add_all_ciphers(); 484 OpenSSL_add_all_digests(); 485 486 if ((store = X509_STORE_new()) == NULL) 487 cryptoerrx("X509_STORE_new"); 488 if ((ctx = X509_STORE_CTX_new()) == NULL) 489 cryptoerrx("X509_STORE_CTX_new"); 490 491 TAILQ_INIT(&q); 492 493 msgbuf_init(&msgq); 494 msgq.fd = fd; 495 496 pfd.fd = fd; 497 498 io_socket_nonblocking(pfd.fd); 499 500 for (;;) { 501 pfd.events = POLLIN; 502 if (msgq.queued) 503 pfd.events |= POLLOUT; 504 505 if (poll(&pfd, 1, INFTIM) == -1) 506 err(1, "poll"); 507 if ((pfd.revents & (POLLERR|POLLNVAL))) 508 errx(1, "poll: bad descriptor"); 509 510 /* If the parent closes, return immediately. */ 511 512 if ((pfd.revents & POLLHUP)) 513 break; 514 515 /* 516 * Start with read events. 517 * This means that the parent process is sending us 518 * something we need to parse. 519 * We don't actually parse it til we have space in our 520 * outgoing buffer for responding, though. 521 */ 522 523 if ((pfd.revents & POLLIN)) { 524 io_socket_blocking(fd); 525 entp = calloc(1, sizeof(struct entity)); 526 if (entp == NULL) 527 err(1, NULL); 528 entity_read_req(fd, entp); 529 TAILQ_INSERT_TAIL(&q, entp, entries); 530 io_socket_nonblocking(fd); 531 } 532 533 if (pfd.revents & POLLOUT) { 534 switch (msgbuf_write(&msgq)) { 535 case 0: 536 errx(1, "write: connection closed"); 537 case -1: 538 err(1, "write"); 539 } 540 } 541 542 /* 543 * If there's nothing to parse, then stop waiting for 544 * the write signal. 545 */ 546 547 if (TAILQ_EMPTY(&q)) { 548 pfd.events &= ~POLLOUT; 549 continue; 550 } 551 552 entp = TAILQ_FIRST(&q); 553 assert(entp != NULL); 554 555 if ((b = ibuf_dynamic(256, UINT_MAX)) == NULL) 556 err(1, NULL); 557 io_simple_buffer(b, &entp->type, sizeof(entp->type)); 558 559 switch (entp->type) { 560 case RTYPE_TAL: 561 if ((tal = tal_parse(entp->file, entp->descr)) == NULL) 562 goto out; 563 tal_buffer(b, tal); 564 tal_free(tal); 565 break; 566 case RTYPE_CER: 567 if (entp->has_pkey) 568 cert = proc_parser_root_cert(entp, store, ctx, 569 &auths, &crlt); 570 else 571 cert = proc_parser_cert(entp, store, ctx, 572 &auths, &crlt); 573 c = (cert != NULL); 574 io_simple_buffer(b, &c, sizeof(int)); 575 if (cert != NULL) 576 cert_buffer(b, cert); 577 /* 578 * The parsed certificate data "cert" is now 579 * managed in the "auths" table, so don't free 580 * it here (see the loop after "out"). 581 */ 582 break; 583 case RTYPE_MFT: 584 mft = proc_parser_mft(entp, store, ctx, &auths, &crlt); 585 c = (mft != NULL); 586 io_simple_buffer(b, &c, sizeof(int)); 587 if (mft != NULL) 588 mft_buffer(b, mft); 589 mft_free(mft); 590 break; 591 case RTYPE_CRL: 592 proc_parser_crl(entp, store, ctx, &crlt); 593 break; 594 case RTYPE_ROA: 595 roa = proc_parser_roa(entp, store, ctx, &auths, &crlt); 596 c = (roa != NULL); 597 io_simple_buffer(b, &c, sizeof(int)); 598 if (roa != NULL) 599 roa_buffer(b, roa); 600 roa_free(roa); 601 break; 602 case RTYPE_GBR: 603 proc_parser_gbr(entp, store, ctx, &auths, &crlt); 604 break; 605 default: 606 abort(); 607 } 608 609 ibuf_close(&msgq, b); 610 TAILQ_REMOVE(&q, entp, entries); 611 entity_free(entp); 612 } 613 614 rc = 0; 615 out: 616 while ((entp = TAILQ_FIRST(&q)) != NULL) { 617 TAILQ_REMOVE(&q, entp, entries); 618 entity_free(entp); 619 } 620 621 /* XXX free auths and crl tree */ 622 623 X509_STORE_CTX_free(ctx); 624 X509_STORE_free(store); 625 626 msgbuf_clear(&msgq); 627 628 exit(rc); 629 } 630