1 #include "asn1/signed_data.h"
2
3 #include <errno.h>
4
5 #include "algorithm.h"
6 #include "config.h"
7 #include "log.h"
8 #include "oid.h"
9 #include "thread_var.h"
10 #include "asn1/decode.h"
11 #include "asn1/asn1c/ContentType.h"
12 #include "asn1/asn1c/ContentTypePKCS7.h"
13 #include "asn1/asn1c/MessageDigest.h"
14 #include "asn1/asn1c/SignedDataPKCS7.h"
15 #include "crypto/hash.h"
16 #include "object/certificate.h"
17
18 static const OID oid_cta = OID_CONTENT_TYPE_ATTR;
19 static const OID oid_mda = OID_MESSAGE_DIGEST_ATTR;
20 static const OID oid_sta = OID_SIGNING_TIME_ATTR;
21 static const OID oid_bsta = OID_BINARY_SIGNING_TIME_ATTR;
22
23 int
signed_object_args_init(struct signed_object_args * args,struct rpki_uri * uri,STACK_OF (X509_CRL)* crls,bool force_inherit)24 signed_object_args_init(struct signed_object_args *args,
25 struct rpki_uri *uri,
26 STACK_OF(X509_CRL) *crls,
27 bool force_inherit)
28 {
29 args->res = resources_create(force_inherit);
30 if (args->res == NULL)
31 return pr_enomem();
32
33 args->uri = uri;
34 args->crls = crls;
35 memset(&args->refs, 0, sizeof(args->refs));
36 return 0;
37 }
38
39 void
signed_object_args_cleanup(struct signed_object_args * args)40 signed_object_args_cleanup(struct signed_object_args *args)
41 {
42 resources_destroy(args->res);
43 refs_cleanup(&args->refs);
44 }
45
46 static int
get_sid(struct SignerInfo * sinfo,OCTET_STRING_t ** result)47 get_sid(struct SignerInfo *sinfo, OCTET_STRING_t **result)
48 {
49 switch (sinfo->sid.present) {
50 case SignerIdentifier_PR_subjectKeyIdentifier:
51 *result = &sinfo->sid.choice.subjectKeyIdentifier;
52 return 0;
53 case SignerIdentifier_PR_issuerAndSerialNumber:
54 return pr_val_err("Signer Info's sid is an IssuerAndSerialNumber, not a SubjectKeyIdentifier.");
55 case SignerIdentifier_PR_NOTHING:
56 break;
57 }
58
59 return pr_val_err("Signer Info's sid is not a SubjectKeyIdentifier.");
60 }
61
62 static int
handle_sdata_certificate(ANY_t * cert_encoded,struct signed_object_args * args,OCTET_STRING_t * sid,ANY_t * signedData,SignatureValue_t * signature)63 handle_sdata_certificate(ANY_t *cert_encoded, struct signed_object_args *args,
64 OCTET_STRING_t *sid, ANY_t *signedData, SignatureValue_t *signature)
65 {
66 const unsigned char *tmp;
67 X509 *cert;
68 enum rpki_policy policy;
69 int error;
70
71 /*
72 * No need to validate certificate chain length, since we just arrived
73 * to a tree leaf. Loops aren't possible.
74 */
75
76 pr_val_debug("EE Certificate (embedded) {");
77
78 /*
79 * "If the call is successful *in is incremented to the byte following
80 * the parsed data."
81 * (https://www.openssl.org/docs/man1.0.2/crypto/d2i_X509_fp.html)
82 * We definitely don't want @any->buf to be modified, so use a dummy
83 * pointer.
84 */
85 tmp = (const unsigned char *) cert_encoded->buf;
86
87 cert = d2i_X509(NULL, &tmp, cert_encoded->size);
88 if (cert == NULL) {
89 error = val_crypto_err("Signed object's 'certificate' element does not decode into a Certificate");
90 goto end1;
91 }
92
93 x509_name_pr_debug("Issuer", X509_get_issuer_name(cert));
94
95 error = certificate_validate_chain(cert, args->crls);
96 if (error)
97 goto end2;
98 error = certificate_validate_rfc6487(cert, EE);
99 if (error)
100 goto end2;
101 error = certificate_validate_extensions_ee(cert, sid, &args->refs,
102 &policy);
103 if (error)
104 goto end2;
105 error = certificate_validate_aia(args->refs.caIssuers, cert);
106 if (error)
107 goto end2;
108 error = certificate_validate_signature(cert, signedData, signature);
109 if (error)
110 goto end2;
111
112 resources_set_policy(args->res, policy);
113 error = certificate_get_resources(cert, args->res, EE);
114 if (error)
115 goto end2;
116
117 end2:
118 X509_free(cert);
119 end1:
120 pr_val_debug("}");
121 return error;
122 }
123
124 /* rfc6488#section-2.1.6.4.1 */
125 static int
validate_content_type_attribute(CMSAttributeValue_t * value,EncapsulatedContentInfo_t * eci)126 validate_content_type_attribute(CMSAttributeValue_t *value,
127 EncapsulatedContentInfo_t *eci)
128 {
129 OBJECT_IDENTIFIER_t *attrValues;
130 OBJECT_IDENTIFIER_t *eContentType;
131 int error;
132
133 error = asn1_decode_any(value, &asn_DEF_OBJECT_IDENTIFIER,
134 (void **) &attrValues, true, false);
135 if (error)
136 return error;
137 eContentType = &eci->eContentType;
138
139 if (!oid_equal(attrValues, eContentType))
140 error = pr_val_err("The attrValues for the content-type attribute does not match the eContentType in the EncapsulatedContentInfo.");
141
142 ASN_STRUCT_FREE(asn_DEF_OBJECT_IDENTIFIER, attrValues);
143 return error;
144 }
145
146 static int
validate_message_digest_attribute(CMSAttributeValue_t * value,EncapsulatedContentInfo_t * eci)147 validate_message_digest_attribute(CMSAttributeValue_t *value,
148 EncapsulatedContentInfo_t *eci)
149 {
150 MessageDigest_t *digest;
151 int error;
152
153 if (eci->eContent == NULL)
154 return pr_val_err("There's no content being signed.");
155
156 error = asn1_decode_any(value, &asn_DEF_MessageDigest,
157 (void **) &digest, true, false);
158 if (error)
159 return error;
160
161 error = hash_validate_octet_string("sha256", digest, eci->eContent);
162 if (error)
163 pr_val_err("The content's hash does not match the Message-Digest Attribute.");
164
165 ASN_STRUCT_FREE(asn_DEF_MessageDigest, digest);
166 return error;
167 }
168
169 static int
validate_signed_attrs(struct SignerInfo * sinfo,EncapsulatedContentInfo_t * eci)170 validate_signed_attrs(struct SignerInfo *sinfo, EncapsulatedContentInfo_t *eci)
171 {
172 struct CMSAttribute *attr;
173 struct CMSAttribute__attrValues *attrs;
174 struct oid_arcs attrType;
175 unsigned int i;
176 bool content_type_found = false;
177 bool message_digest_found = false;
178 bool signing_time_found = false;
179 bool binary_signing_time_found = false;
180 int error;
181
182 if (sinfo->signedAttrs == NULL)
183 return pr_val_err("The SignerInfo's signedAttrs field is NULL.");
184
185 for (i = 0; i < sinfo->signedAttrs->list.count; i++) {
186 attr = sinfo->signedAttrs->list.array[i];
187 if (attr == NULL) {
188 pr_val_err("SignedAttrs array element %u is NULL.", i);
189 continue;
190 }
191 attrs = &attr->attrValues;
192
193 if (attrs->list.count != 1) {
194 return pr_val_err("signedAttrs's attribute set size (%d) is different than 1",
195 attr->attrValues.list.count);
196 }
197 if (attrs->list.array == NULL || attrs->list.array[0] == NULL)
198 pr_crit("Array size is 1 but array is NULL.");
199
200 error = oid2arcs(&attr->attrType, &attrType);
201 if (error)
202 return error;
203
204 if (ARCS_EQUAL_OIDS(&attrType, oid_cta)) {
205 if (content_type_found) {
206 pr_val_err("Multiple ContentTypes found.");
207 goto illegal_attrType;
208 }
209 error = validate_content_type_attribute(
210 attr->attrValues.list.array[0], eci);
211 content_type_found = true;
212
213 } else if (ARCS_EQUAL_OIDS(&attrType, oid_mda)) {
214 if (message_digest_found) {
215 pr_val_err("Multiple MessageDigests found.");
216 goto illegal_attrType;
217 }
218 error = validate_message_digest_attribute(
219 attr->attrValues.list.array[0], eci);
220 message_digest_found = true;
221
222 } else if (ARCS_EQUAL_OIDS(&attrType, oid_sta)) {
223 if (signing_time_found) {
224 pr_val_err("Multiple SigningTimes found.");
225 goto illegal_attrType;
226 }
227 error = 0; /* No validations needed for now. */
228 signing_time_found = true;
229
230 } else if (ARCS_EQUAL_OIDS(&attrType, oid_bsta)) {
231 if (binary_signing_time_found) {
232 pr_val_err("Multiple BinarySigningTimes found.");
233 goto illegal_attrType;
234 }
235 error = 0; /* No validations needed for now. */
236 binary_signing_time_found = true;
237
238 } else {
239 /* rfc6488#section-3.1.g */
240 pr_val_err("Illegal attrType OID in SignerInfo.");
241 goto illegal_attrType;
242 }
243
244 free_arcs(&attrType);
245
246 if (error)
247 return error;
248 }
249
250 /* rfc6488#section-3.1.f */
251 if (!content_type_found)
252 return pr_val_err("SignerInfo lacks a ContentType attribute.");
253 if (!message_digest_found)
254 return pr_val_err("SignerInfo lacks a MessageDigest attribute.");
255
256 return 0;
257
258 illegal_attrType:
259 free_arcs(&attrType);
260 return -EINVAL;
261 }
262
263 static int
validate(struct SignedData * sdata,ANY_t * sdata_encoded,struct signed_object_args * args)264 validate(struct SignedData *sdata, ANY_t *sdata_encoded,
265 struct signed_object_args *args)
266 {
267 struct SignerInfo *sinfo;
268 OCTET_STRING_t *sid = NULL;
269 unsigned long version;
270 int error;
271
272 /* rfc6488#section-2.1 */
273 if (sdata->signerInfos.list.count != 1) {
274 return pr_val_err("The SignedData's SignerInfo set is supposed to have only one element. (%d given.)",
275 sdata->signerInfos.list.count);
276 }
277
278 /* rfc6488#section-2.1.1 */
279 /* rfc6488#section-3.1.b */
280 error = asn_INTEGER2ulong(&sdata->version, &version);
281 if (error) {
282 if (errno)
283 pr_val_errno(errno, "Error converting SignedData version");
284 return pr_val_err("The SignedData version isn't a valid unsigned long");
285 }
286 if (version != 3) {
287 return pr_val_err("The SignedData version is only allowed to be 3. (Was %lu.)",
288 version);
289 }
290
291 /* rfc6488#section-2.1.2 */
292 /* rfc6488#section-3.1.j 1/2 */
293 if (sdata->digestAlgorithms.list.count != 1) {
294 return pr_val_err("The SignedData's digestAlgorithms set is supposed to have only one element. (%d given.)",
295 sdata->digestAlgorithms.list.count);
296 }
297
298 /*
299 * No idea what to do with struct DigestAlgorithmIdentifier; it's not
300 * defined anywhere and the code always seems to fall back to
301 * AlgorithmIdentifier instead. There's no API.
302 * This seems to work fine.
303 */
304 error = validate_cms_hashing_algorithm(
305 (AlgorithmIdentifier_t *) sdata->digestAlgorithms.list.array[0],
306 "SignedData");
307 if (error)
308 return error;
309
310 /* rfc6488#section-2.1.3 */
311 /* Specific sub-validations will be performed later by calling code. */
312
313 /*
314 * We will validate the certificate later, because we need the sid
315 * first. We should also probably validate the signed attributes first
316 * as well.
317 */
318
319 /* rfc6488#section-2.1.5 */
320 /* rfc6488#section-3.1.d */
321 if (sdata->crls != NULL && sdata->crls->list.count > 0)
322 return pr_val_err("The SignedData contains at least one CRL.");
323
324 /* rfc6488#section-2.1.6.1 */
325 /* rfc6488#section-3.1.e */
326 sinfo = sdata->signerInfos.list.array[0];
327 if (sinfo == NULL)
328 return pr_val_err("The SignerInfo object is NULL.");
329
330 error = asn_INTEGER2ulong(&sinfo->version, &version);
331 if (error) {
332 if (errno)
333 pr_val_errno(errno, "Error converting SignerInfo version");
334 return pr_val_err("The SignerInfo version isn't a valid unsigned long");
335 }
336 if (version != 3) {
337 return pr_val_err("The SignerInfo version is only allowed to be 3. (Was %lu.)",
338 version);
339 }
340
341 /* rfc6488#section-2.1.6.2 */
342 /* rfc6488#section-3.1.c 2/2 */
343 /* (Most of this requirement is in handle_ski_ee().) */
344 error = get_sid(sinfo, &sid);
345 if (error)
346 return error;
347
348 /* rfc6488#section-2.1.6.3 */
349 /* rfc6488#section-3.1.j 2/2 */
350 error = validate_cms_hashing_algorithm(&sinfo->digestAlgorithm,
351 "SignerInfo");
352 if (error)
353 return error;
354
355 /* rfc6488#section-2.1.6.4 */
356 error = validate_signed_attrs(sinfo, &sdata->encapContentInfo);
357 if (error)
358 return error;
359
360 /* rfc6488#section-2.1.6.5 */
361 /* rfc6488#section-3.1.k */
362 error = validate_cms_signature_algorithm(&sinfo->signatureAlgorithm);
363 if (error)
364 return error;
365
366 /* rfc6488#section-2.1.6.6 */
367 /* Signature handled below. */
368
369 /* rfc6488#section-2.1.6.7 */
370 /* rfc6488#section-3.1.i */
371 if (sinfo->unsignedAttrs != NULL && sinfo->unsignedAttrs->list.count > 0)
372 return pr_val_err("SignerInfo has at least one unsignedAttr.");
373
374 /* rfc6488#section-2.1.4 */
375 /* rfc6488#section-3.1.c 1/2 */
376 /* rfc6488#section-3.2 */
377 /* rfc6488#section-3.3 */
378 if (sdata->certificates == NULL)
379 return pr_val_err("The SignedData does not contain certificates.");
380
381 if (sdata->certificates->list.count != 1) {
382 return pr_val_err("The SignedData contains %d certificates, one expected.",
383 sdata->certificates->list.count);
384 }
385
386 error = handle_sdata_certificate(sdata->certificates->list.array[0],
387 args, sid, sdata_encoded, &sinfo->signature);
388 if (error)
389 return error;
390
391 return 0;
392 }
393
394 /*
395 * Function to handle 'Compatibility with PKCS #7' (RFC 5652 section 5.2.1:
396 * "If the implementation is unable to ASN.1 decode the SignedData type using
397 * the CMS SignedData encapContentInfo eContent OCTET STRING syntax,
398 * then the implementation MAY attempt to decode the SignedData type
399 * using the PKCS #7 SignedData contentInfo content ANY syntax and
400 * compute the message digest accordingly."
401 */
402 static int
signed_data_decode_pkcs7(ANY_t * coded,struct SignedData ** result)403 signed_data_decode_pkcs7(ANY_t *coded, struct SignedData **result)
404 {
405 struct SignedDataPKCS7 *sdata_pkcs7;
406 struct SignedData *sdata;
407 int error;
408
409 error = asn1_decode_any(coded, &asn_DEF_SignedDataPKCS7,
410 (void **) &sdata_pkcs7, true, false);
411 if (error)
412 return error;
413
414 sdata = calloc(1, sizeof(struct SignedData));
415 if (sdata == NULL) {
416 error = pr_enomem();
417 goto release_sdata_pkcs7;
418 }
419
420 /* Parse content as OCTET STRING */
421 error = asn1_decode_any(sdata_pkcs7->encapContentInfo.eContent,
422 &asn_DEF_ContentTypePKCS7,
423 (void **) &sdata->encapContentInfo.eContent, true, false);
424 if (error)
425 goto release_sdata;
426
427 /* Shallow copy to a SignedData struct */
428 sdata->version = sdata_pkcs7->version;
429 sdata->digestAlgorithms = sdata_pkcs7->digestAlgorithms;
430 sdata->encapContentInfo.eContentType =
431 sdata_pkcs7->encapContentInfo.eContentType;
432 sdata->certificates = sdata_pkcs7->certificates;
433 sdata->crls = sdata_pkcs7->crls;
434 sdata->signerInfos = sdata_pkcs7->signerInfos;
435
436 /* Release what isnt's referenced */
437 ASN_STRUCT_FREE(asn_DEF_ANY, sdata_pkcs7->encapContentInfo.eContent);
438 free(sdata_pkcs7);
439
440 *result = sdata;
441 return 0;
442
443 release_sdata:
444 free(sdata);
445 release_sdata_pkcs7:
446 ASN_STRUCT_FREE(asn_DEF_SignedDataPKCS7, sdata_pkcs7);
447 return error;
448 }
449
450 int
signed_data_decode(struct signed_data * sdata,ANY_t * coded)451 signed_data_decode(struct signed_data *sdata, ANY_t *coded)
452 {
453 int error;
454
455 sdata->encoded = coded;
456
457 error = asn1_decode_any(coded, &asn_DEF_SignedData,
458 (void **) &sdata->decoded, false, false);
459 if (error) {
460 /* Try to decode as PKCS content (RFC 5652 section 5.2.1) */
461 error = signed_data_decode_pkcs7(coded, &sdata->decoded);
462 }
463
464 return error;
465 }
466
467 int
signed_data_validate(struct signed_data * sdata,struct signed_object_args * args)468 signed_data_validate(struct signed_data *sdata, struct signed_object_args *args)
469 {
470 /*
471 * TODO (fine) maybe collapse this wrapper,
472 * since there's no point to it anymore.
473 */
474 return validate(sdata->decoded, sdata->encoded, args);
475 }
476
477 void
signed_data_cleanup(struct signed_data * sdata)478 signed_data_cleanup(struct signed_data *sdata)
479 {
480 ASN_STRUCT_FREE(asn_DEF_SignedData, sdata->decoded);
481 }
482
483 /* Caller must free *@result. */
484 int
get_content_type_attr(struct SignedData * sdata,OBJECT_IDENTIFIER_t ** result)485 get_content_type_attr(struct SignedData *sdata, OBJECT_IDENTIFIER_t **result)
486 {
487 struct SignedAttributes *signedAttrs;
488 struct CMSAttribute *attr;
489 int i;
490 int error;
491 struct oid_arcs arcs;
492 bool equal;
493
494 if (sdata == NULL)
495 return -EINVAL;
496 if (sdata->signerInfos.list.array == NULL)
497 return -EINVAL;
498 if (sdata->signerInfos.list.array[0] == NULL)
499 return -EINVAL;
500
501 signedAttrs = sdata->signerInfos.list.array[0]->signedAttrs;
502 if (signedAttrs->list.array == NULL)
503 return -EINVAL;
504
505 for (i = 0; i < signedAttrs->list.count; i++) {
506 attr = signedAttrs->list.array[i];
507 if (!attr)
508 return -EINVAL;
509 error = oid2arcs(&attr->attrType, &arcs);
510 if (error)
511 return -EINVAL;
512 equal = ARCS_EQUAL_OIDS(&arcs, oid_cta);
513 free_arcs(&arcs);
514 if (equal) {
515 if (attr->attrValues.list.array == NULL)
516 return -EINVAL;
517 if (attr->attrValues.list.array[0] == NULL)
518 return -EINVAL;
519 return asn1_decode_any(attr->attrValues.list.array[0],
520 &asn_DEF_OBJECT_IDENTIFIER,
521 (void **) result, true, false);
522 }
523 }
524
525 return -EINVAL;
526 }
527