1 /*
2 * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <string.h>
11 #include <openssl/ocsp.h>
12 #include <openssl/err.h>
13 #include "internal/sizes.h"
14 #include "ocsp_local.h"
15
16 static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs,
17 STACK_OF(X509) *certs, unsigned long flags);
18 static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id);
19 static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain);
20 static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp,
21 OCSP_CERTID **ret);
22 static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
23 STACK_OF(OCSP_SINGLERESP) *sresp);
24 static int ocsp_check_delegated(X509 *x);
25 static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req,
26 const X509_NAME *nm, STACK_OF(X509) *certs,
27 unsigned long flags);
28
29 /* Returns 1 on success, 0 on failure, or -1 on fatal error */
ocsp_verify_signer(X509 * signer,int response,X509_STORE * st,unsigned long flags,STACK_OF (X509)* untrusted,STACK_OF (X509)** chain)30 static int ocsp_verify_signer(X509 *signer, int response,
31 X509_STORE *st, unsigned long flags,
32 STACK_OF(X509) *untrusted, STACK_OF(X509) **chain)
33 {
34 X509_STORE_CTX *ctx = X509_STORE_CTX_new();
35 X509_VERIFY_PARAM *vp;
36 int ret = -1;
37
38 if (ctx == NULL) {
39 ERR_raise(ERR_LIB_OCSP, ERR_R_MALLOC_FAILURE);
40 goto end;
41 }
42 if (!X509_STORE_CTX_init(ctx, st, signer, untrusted)) {
43 ERR_raise(ERR_LIB_OCSP, ERR_R_X509_LIB);
44 goto end;
45 }
46 if ((vp = X509_STORE_CTX_get0_param(ctx)) == NULL)
47 goto end;
48 if ((flags & OCSP_PARTIAL_CHAIN) != 0)
49 X509_VERIFY_PARAM_set_flags(vp, X509_V_FLAG_PARTIAL_CHAIN);
50 if (response
51 && X509_get_ext_by_NID(signer, NID_id_pkix_OCSP_noCheck, -1) >= 0)
52 /*
53 * Locally disable revocation status checking for OCSP responder cert.
54 * Done here for CRLs; should be done also for OCSP-based checks.
55 */
56 X509_VERIFY_PARAM_clear_flags(vp, X509_V_FLAG_CRL_CHECK);
57 X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_OCSP_HELPER);
58 X509_STORE_CTX_set_trust(ctx, X509_TRUST_OCSP_REQUEST);
59
60 ret = X509_verify_cert(ctx);
61 if (ret <= 0) {
62 ret = X509_STORE_CTX_get_error(ctx);
63 ERR_raise_data(ERR_LIB_OCSP, OCSP_R_CERTIFICATE_VERIFY_ERROR,
64 "Verify error: %s", X509_verify_cert_error_string(ret));
65 goto end;
66 }
67 if (chain != NULL)
68 *chain = X509_STORE_CTX_get1_chain(ctx);
69
70 end:
71 X509_STORE_CTX_free(ctx);
72 return ret;
73 }
74
ocsp_verify(OCSP_REQUEST * req,OCSP_BASICRESP * bs,X509 * signer,unsigned long flags)75 static int ocsp_verify(OCSP_REQUEST *req, OCSP_BASICRESP *bs,
76 X509 *signer, unsigned long flags)
77 {
78 EVP_PKEY *skey;
79 int ret = 1;
80
81 if ((flags & OCSP_NOSIGS) == 0) {
82 if ((skey = X509_get0_pubkey(signer)) == NULL) {
83 ERR_raise(ERR_LIB_OCSP, OCSP_R_NO_SIGNER_KEY);
84 return -1;
85 }
86 if (req != NULL)
87 ret = OCSP_REQUEST_verify(req, skey, signer->libctx, signer->propq);
88 else
89 ret = OCSP_BASICRESP_verify(bs, skey, signer->libctx, signer->propq);
90 if (ret <= 0)
91 ERR_raise(ERR_LIB_OCSP, OCSP_R_SIGNATURE_FAILURE);
92 }
93 return ret;
94 }
95
96 /* Verify a basic response message */
OCSP_basic_verify(OCSP_BASICRESP * bs,STACK_OF (X509)* certs,X509_STORE * st,unsigned long flags)97 int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
98 X509_STORE *st, unsigned long flags)
99 {
100 X509 *signer, *x;
101 STACK_OF(X509) *chain = NULL;
102 STACK_OF(X509) *untrusted = NULL;
103 int ret = ocsp_find_signer(&signer, bs, certs, flags);
104
105 if (ret == 0) {
106 ERR_raise(ERR_LIB_OCSP, OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND);
107 goto end;
108 }
109 if ((ret == 2) && (flags & OCSP_TRUSTOTHER) != 0)
110 flags |= OCSP_NOVERIFY;
111
112 if ((ret = ocsp_verify(NULL, bs, signer, flags)) <= 0)
113 goto end;
114 if ((flags & OCSP_NOVERIFY) == 0) {
115 ret = -1;
116 if ((flags & OCSP_NOCHAIN) == 0) {
117 if ((untrusted = sk_X509_dup(bs->certs)) == NULL)
118 goto end;
119 if (!X509_add_certs(untrusted, certs, X509_ADD_FLAG_DEFAULT))
120 goto end;
121 }
122 ret = ocsp_verify_signer(signer, 1, st, flags, untrusted, &chain);
123 if (ret <= 0)
124 goto end;
125 if ((flags & OCSP_NOCHECKS) != 0) {
126 ret = 1;
127 goto end;
128 }
129 /*
130 * At this point we have a valid certificate chain need to verify it
131 * against the OCSP issuer criteria.
132 */
133 ret = ocsp_check_issuer(bs, chain);
134
135 /* If fatal error or valid match then finish */
136 if (ret != 0)
137 goto end;
138
139 /*
140 * Easy case: explicitly trusted. Get root CA and check for explicit
141 * trust
142 */
143 if ((flags & OCSP_NOEXPLICIT) != 0)
144 goto end;
145
146 x = sk_X509_value(chain, sk_X509_num(chain) - 1);
147 if (X509_check_trust(x, NID_OCSP_sign, 0) != X509_TRUST_TRUSTED) {
148 ERR_raise(ERR_LIB_OCSP, OCSP_R_ROOT_CA_NOT_TRUSTED);
149 ret = 0;
150 goto end;
151 }
152 ret = 1;
153 }
154
155 end:
156 sk_X509_pop_free(chain, X509_free);
157 sk_X509_free(untrusted);
158 return ret;
159 }
160
OCSP_resp_get0_signer(OCSP_BASICRESP * bs,X509 ** signer,STACK_OF (X509)* extra_certs)161 int OCSP_resp_get0_signer(OCSP_BASICRESP *bs, X509 **signer,
162 STACK_OF(X509) *extra_certs)
163 {
164 return ocsp_find_signer(signer, bs, extra_certs, 0) > 0;
165 }
166
ocsp_find_signer(X509 ** psigner,OCSP_BASICRESP * bs,STACK_OF (X509)* certs,unsigned long flags)167 static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs,
168 STACK_OF(X509) *certs, unsigned long flags)
169 {
170 X509 *signer;
171 OCSP_RESPID *rid = &bs->tbsResponseData.responderId;
172
173 if ((signer = ocsp_find_signer_sk(certs, rid)) != NULL) {
174 *psigner = signer;
175 return 2;
176 }
177 if ((flags & OCSP_NOINTERN) == 0 &&
178 (signer = ocsp_find_signer_sk(bs->certs, rid))) {
179 *psigner = signer;
180 return 1;
181 }
182 /* Maybe lookup from store if by subject name */
183
184 *psigner = NULL;
185 return 0;
186 }
187
ocsp_find_signer_sk(STACK_OF (X509)* certs,OCSP_RESPID * id)188 static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id)
189 {
190 int i, r;
191 unsigned char tmphash[SHA_DIGEST_LENGTH], *keyhash;
192 EVP_MD *md;
193 X509 *x;
194
195 /* Easy if lookup by name */
196 if (id->type == V_OCSP_RESPID_NAME)
197 return X509_find_by_subject(certs, id->value.byName);
198
199 /* Lookup by key hash */
200
201 /* If key hash isn't SHA1 length then forget it */
202 if (id->value.byKey->length != SHA_DIGEST_LENGTH)
203 return NULL;
204 keyhash = id->value.byKey->data;
205 /* Calculate hash of each key and compare */
206 for (i = 0; i < sk_X509_num(certs); i++) {
207 if ((x = sk_X509_value(certs, i)) != NULL) {
208 if ((md = EVP_MD_fetch(x->libctx, SN_sha1, x->propq)) == NULL)
209 break;
210 r = X509_pubkey_digest(x, md, tmphash, NULL);
211 EVP_MD_free(md);
212 if (!r)
213 break;
214 if (memcmp(keyhash, tmphash, SHA_DIGEST_LENGTH) == 0)
215 return x;
216 }
217 }
218 return NULL;
219 }
220
ocsp_check_issuer(OCSP_BASICRESP * bs,STACK_OF (X509)* chain)221 static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain)
222 {
223 STACK_OF(OCSP_SINGLERESP) *sresp = bs->tbsResponseData.responses;
224 X509 *signer, *sca;
225 OCSP_CERTID *caid = NULL;
226 int ret;
227
228 if (sk_X509_num(chain) <= 0) {
229 ERR_raise(ERR_LIB_OCSP, OCSP_R_NO_CERTIFICATES_IN_CHAIN);
230 return -1;
231 }
232
233 /* See if the issuer IDs match. */
234 ret = ocsp_check_ids(sresp, &caid);
235
236 /* If ID mismatch or other error then return */
237 if (ret <= 0)
238 return ret;
239
240 signer = sk_X509_value(chain, 0);
241 /* Check to see if OCSP responder CA matches request CA */
242 if (sk_X509_num(chain) > 1) {
243 sca = sk_X509_value(chain, 1);
244 ret = ocsp_match_issuerid(sca, caid, sresp);
245 if (ret < 0)
246 return ret;
247 if (ret != 0) {
248 /* We have a match, if extensions OK then success */
249 if (ocsp_check_delegated(signer))
250 return 1;
251 return 0;
252 }
253 }
254
255 /* Otherwise check if OCSP request signed directly by request CA */
256 return ocsp_match_issuerid(signer, caid, sresp);
257 }
258
259 /*
260 * Check the issuer certificate IDs for equality. If there is a mismatch with
261 * the same algorithm then there's no point trying to match any certificates
262 * against the issuer. If the issuer IDs all match then we just need to check
263 * equality against one of them.
264 */
265
ocsp_check_ids(STACK_OF (OCSP_SINGLERESP)* sresp,OCSP_CERTID ** ret)266 static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret)
267 {
268 OCSP_CERTID *tmpid, *cid;
269 int i, idcount;
270
271 idcount = sk_OCSP_SINGLERESP_num(sresp);
272 if (idcount <= 0) {
273 ERR_raise(ERR_LIB_OCSP, OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA);
274 return -1;
275 }
276
277 cid = sk_OCSP_SINGLERESP_value(sresp, 0)->certId;
278
279 *ret = NULL;
280 for (i = 1; i < idcount; i++) {
281 tmpid = sk_OCSP_SINGLERESP_value(sresp, i)->certId;
282 /* Check to see if IDs match */
283 if (OCSP_id_issuer_cmp(cid, tmpid)) {
284 /* If algorithm mismatch let caller deal with it */
285 if (OBJ_cmp(tmpid->hashAlgorithm.algorithm,
286 cid->hashAlgorithm.algorithm))
287 return 2;
288 /* Else mismatch */
289 return 0;
290 }
291 }
292
293 /* All IDs match: only need to check one ID */
294 *ret = cid;
295 return 1;
296 }
297
298 /*
299 * Match the certificate issuer ID.
300 * Returns -1 on fatal error, 0 if there is no match and 1 if there is a match.
301 */
ocsp_match_issuerid(X509 * cert,OCSP_CERTID * cid,STACK_OF (OCSP_SINGLERESP)* sresp)302 static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
303 STACK_OF(OCSP_SINGLERESP) *sresp)
304 {
305 int ret = -1;
306 EVP_MD *dgst = NULL;
307
308 /* If only one ID to match then do it */
309 if (cid != NULL) {
310 char name[OSSL_MAX_NAME_SIZE];
311 const X509_NAME *iname;
312 int mdlen;
313 unsigned char md[EVP_MAX_MD_SIZE];
314
315 OBJ_obj2txt(name, sizeof(name), cid->hashAlgorithm.algorithm, 0);
316
317 (void)ERR_set_mark();
318 dgst = EVP_MD_fetch(NULL, name, NULL);
319 if (dgst == NULL)
320 dgst = (EVP_MD *)EVP_get_digestbyname(name);
321
322 if (dgst == NULL) {
323 (void)ERR_clear_last_mark();
324 ERR_raise(ERR_LIB_OCSP, OCSP_R_UNKNOWN_MESSAGE_DIGEST);
325 goto end;
326 }
327 (void)ERR_pop_to_mark();
328
329 mdlen = EVP_MD_get_size(dgst);
330 if (mdlen < 0) {
331 ERR_raise(ERR_LIB_OCSP, OCSP_R_DIGEST_SIZE_ERR);
332 goto end;
333 }
334 if (cid->issuerNameHash.length != mdlen ||
335 cid->issuerKeyHash.length != mdlen) {
336 ret = 0;
337 goto end;
338 }
339 iname = X509_get_subject_name(cert);
340 if (!X509_NAME_digest(iname, dgst, md, NULL))
341 goto end;
342 if (memcmp(md, cid->issuerNameHash.data, mdlen) != 0) {
343 ret = 0;
344 goto end;
345 }
346 if (!X509_pubkey_digest(cert, dgst, md, NULL)) {
347 ERR_raise(ERR_LIB_OCSP, OCSP_R_DIGEST_ERR);
348 goto end;
349 }
350 ret = memcmp(md, cid->issuerKeyHash.data, mdlen) == 0;
351 goto end;
352 } else {
353 /* We have to match the whole lot */
354 int i;
355 OCSP_CERTID *tmpid;
356
357 for (i = 0; i < sk_OCSP_SINGLERESP_num(sresp); i++) {
358 tmpid = sk_OCSP_SINGLERESP_value(sresp, i)->certId;
359 ret = ocsp_match_issuerid(cert, tmpid, NULL);
360 if (ret <= 0)
361 return ret;
362 }
363 }
364 return 1;
365 end:
366 EVP_MD_free(dgst);
367 return ret;
368 }
369
ocsp_check_delegated(X509 * x)370 static int ocsp_check_delegated(X509 *x)
371 {
372 if ((X509_get_extension_flags(x) & EXFLAG_XKUSAGE)
373 && (X509_get_extended_key_usage(x) & XKU_OCSP_SIGN))
374 return 1;
375 ERR_raise(ERR_LIB_OCSP, OCSP_R_MISSING_OCSPSIGNING_USAGE);
376 return 0;
377 }
378
379 /*
380 * Verify an OCSP request. This is much easier than OCSP response verify.
381 * Just find the signer's certificate and verify it against a given trust value.
382 * Returns 1 on success, 0 on failure and on fatal error.
383 */
OCSP_request_verify(OCSP_REQUEST * req,STACK_OF (X509)* certs,X509_STORE * store,unsigned long flags)384 int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs,
385 X509_STORE *store, unsigned long flags)
386 {
387 X509 *signer;
388 const X509_NAME *nm;
389 GENERAL_NAME *gen;
390 int ret;
391
392 if (!req->optionalSignature) {
393 ERR_raise(ERR_LIB_OCSP, OCSP_R_REQUEST_NOT_SIGNED);
394 return 0;
395 }
396 gen = req->tbsRequest.requestorName;
397 if (!gen || gen->type != GEN_DIRNAME) {
398 ERR_raise(ERR_LIB_OCSP, OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE);
399 return 0; /* not returning -1 here for backward compatibility*/
400 }
401 nm = gen->d.directoryName;
402 ret = ocsp_req_find_signer(&signer, req, nm, certs, flags);
403 if (ret <= 0) {
404 ERR_raise(ERR_LIB_OCSP, OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND);
405 return 0; /* not returning -1 here for backward compatibility*/
406 }
407 if ((ret == 2) && (flags & OCSP_TRUSTOTHER) != 0)
408 flags |= OCSP_NOVERIFY;
409
410 if ((ret = ocsp_verify(req, NULL, signer, flags)) <= 0)
411 return 0; /* not returning 'ret' here for backward compatibility*/
412 if ((flags & OCSP_NOVERIFY) != 0)
413 return 1;
414 return ocsp_verify_signer(signer, 0, store, flags,
415 (flags & OCSP_NOCHAIN) != 0 ?
416 NULL : req->optionalSignature->certs, NULL) > 0;
417 /* using '> 0' here to avoid breaking backward compatibility returning -1 */
418 }
419
ocsp_req_find_signer(X509 ** psigner,OCSP_REQUEST * req,const X509_NAME * nm,STACK_OF (X509)* certs,unsigned long flags)420 static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req,
421 const X509_NAME *nm, STACK_OF(X509) *certs,
422 unsigned long flags)
423 {
424 X509 *signer;
425
426 if ((flags & OCSP_NOINTERN) == 0) {
427 signer = X509_find_by_subject(req->optionalSignature->certs, nm);
428 if (signer != NULL) {
429 *psigner = signer;
430 return 1;
431 }
432 }
433
434 if ((signer = X509_find_by_subject(certs, nm)) != NULL) {
435 *psigner = signer;
436 return 2;
437 }
438 return 0;
439 }
440