1*de0e0e4dSAntonio Huete Jimenez /* $OpenBSD: ct_local.h,v 1.8 2021/12/20 17:19:19 jsing Exp $ */ 2*de0e0e4dSAntonio Huete Jimenez /* 3*de0e0e4dSAntonio Huete Jimenez * Written by Rob Percival (robpercival@google.com) for the OpenSSL project. 4*de0e0e4dSAntonio Huete Jimenez */ 5*de0e0e4dSAntonio Huete Jimenez /* ==================================================================== 6*de0e0e4dSAntonio Huete Jimenez * Copyright (c) 2016 The OpenSSL Project. All rights reserved. 7*de0e0e4dSAntonio Huete Jimenez * 8*de0e0e4dSAntonio Huete Jimenez * Redistribution and use in source and binary forms, with or without 9*de0e0e4dSAntonio Huete Jimenez * modification, are permitted provided that the following conditions 10*de0e0e4dSAntonio Huete Jimenez * are met: 11*de0e0e4dSAntonio Huete Jimenez * 12*de0e0e4dSAntonio Huete Jimenez * 1. Redistributions of source code must retain the above copyright 13*de0e0e4dSAntonio Huete Jimenez * notice, this list of conditions and the following disclaimer. 14*de0e0e4dSAntonio Huete Jimenez * 15*de0e0e4dSAntonio Huete Jimenez * 2. Redistributions in binary form must reproduce the above copyright 16*de0e0e4dSAntonio Huete Jimenez * notice, this list of conditions and the following disclaimer in 17*de0e0e4dSAntonio Huete Jimenez * the documentation and/or other materials provided with the 18*de0e0e4dSAntonio Huete Jimenez * distribution. 19*de0e0e4dSAntonio Huete Jimenez * 20*de0e0e4dSAntonio Huete Jimenez * 3. All advertising materials mentioning features or use of this 21*de0e0e4dSAntonio Huete Jimenez * software must display the following acknowledgment: 22*de0e0e4dSAntonio Huete Jimenez * "This product includes software developed by the OpenSSL Project 23*de0e0e4dSAntonio Huete Jimenez * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 24*de0e0e4dSAntonio Huete Jimenez * 25*de0e0e4dSAntonio Huete Jimenez * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 26*de0e0e4dSAntonio Huete Jimenez * endorse or promote products derived from this software without 27*de0e0e4dSAntonio Huete Jimenez * prior written permission. For written permission, please contact 28*de0e0e4dSAntonio Huete Jimenez * licensing@OpenSSL.org. 29*de0e0e4dSAntonio Huete Jimenez * 30*de0e0e4dSAntonio Huete Jimenez * 5. Products derived from this software may not be called "OpenSSL" 31*de0e0e4dSAntonio Huete Jimenez * nor may "OpenSSL" appear in their names without prior written 32*de0e0e4dSAntonio Huete Jimenez * permission of the OpenSSL Project. 33*de0e0e4dSAntonio Huete Jimenez * 34*de0e0e4dSAntonio Huete Jimenez * 6. Redistributions of any form whatsoever must retain the following 35*de0e0e4dSAntonio Huete Jimenez * acknowledgment: 36*de0e0e4dSAntonio Huete Jimenez * "This product includes software developed by the OpenSSL Project 37*de0e0e4dSAntonio Huete Jimenez * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 38*de0e0e4dSAntonio Huete Jimenez * 39*de0e0e4dSAntonio Huete Jimenez * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 40*de0e0e4dSAntonio Huete Jimenez * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 41*de0e0e4dSAntonio Huete Jimenez * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 42*de0e0e4dSAntonio Huete Jimenez * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 43*de0e0e4dSAntonio Huete Jimenez * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 44*de0e0e4dSAntonio Huete Jimenez * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 45*de0e0e4dSAntonio Huete Jimenez * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 46*de0e0e4dSAntonio Huete Jimenez * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47*de0e0e4dSAntonio Huete Jimenez * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 48*de0e0e4dSAntonio Huete Jimenez * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 49*de0e0e4dSAntonio Huete Jimenez * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 50*de0e0e4dSAntonio Huete Jimenez * OF THE POSSIBILITY OF SUCH DAMAGE. 51*de0e0e4dSAntonio Huete Jimenez * ==================================================================== 52*de0e0e4dSAntonio Huete Jimenez */ 53*de0e0e4dSAntonio Huete Jimenez 54*de0e0e4dSAntonio Huete Jimenez #include <stddef.h> 55*de0e0e4dSAntonio Huete Jimenez 56*de0e0e4dSAntonio Huete Jimenez #include <openssl/ct.h> 57*de0e0e4dSAntonio Huete Jimenez #include <openssl/evp.h> 58*de0e0e4dSAntonio Huete Jimenez #include <openssl/safestack.h> 59*de0e0e4dSAntonio Huete Jimenez #include <openssl/x509.h> 60*de0e0e4dSAntonio Huete Jimenez #include <openssl/x509v3.h> 61*de0e0e4dSAntonio Huete Jimenez 62*de0e0e4dSAntonio Huete Jimenez #include "bytestring.h" 63*de0e0e4dSAntonio Huete Jimenez 64*de0e0e4dSAntonio Huete Jimenez /* Number of bytes in an SCT v1 LogID - see RFC 6962 section 3.2. */ 65*de0e0e4dSAntonio Huete Jimenez #define CT_V1_LOG_ID_LEN 32 66*de0e0e4dSAntonio Huete Jimenez 67*de0e0e4dSAntonio Huete Jimenez /* Maximum size of an SCT - see RFC 6962 section 3.3. */ 68*de0e0e4dSAntonio Huete Jimenez #define MAX_SCT_SIZE 65535 69*de0e0e4dSAntonio Huete Jimenez #define MAX_SCT_LIST_SIZE MAX_SCT_SIZE 70*de0e0e4dSAntonio Huete Jimenez 71*de0e0e4dSAntonio Huete Jimenez /* 72*de0e0e4dSAntonio Huete Jimenez * Macros to write integers in network-byte order. 73*de0e0e4dSAntonio Huete Jimenez */ 74*de0e0e4dSAntonio Huete Jimenez 75*de0e0e4dSAntonio Huete Jimenez #define s2n(s,c) ((c[0]=(unsigned char)(((s)>> 8)&0xff), \ 76*de0e0e4dSAntonio Huete Jimenez c[1]=(unsigned char)(((s) )&0xff)),c+=2) 77*de0e0e4dSAntonio Huete Jimenez 78*de0e0e4dSAntonio Huete Jimenez #define l2n3(l,c) ((c[0]=(unsigned char)(((l)>>16)&0xff), \ 79*de0e0e4dSAntonio Huete Jimenez c[1]=(unsigned char)(((l)>> 8)&0xff), \ 80*de0e0e4dSAntonio Huete Jimenez c[2]=(unsigned char)(((l) )&0xff)),c+=3) 81*de0e0e4dSAntonio Huete Jimenez 82*de0e0e4dSAntonio Huete Jimenez #define l2n8(l,c) (*((c)++)=(unsigned char)(((l)>>56)&0xff), \ 83*de0e0e4dSAntonio Huete Jimenez *((c)++)=(unsigned char)(((l)>>48)&0xff), \ 84*de0e0e4dSAntonio Huete Jimenez *((c)++)=(unsigned char)(((l)>>40)&0xff), \ 85*de0e0e4dSAntonio Huete Jimenez *((c)++)=(unsigned char)(((l)>>32)&0xff), \ 86*de0e0e4dSAntonio Huete Jimenez *((c)++)=(unsigned char)(((l)>>24)&0xff), \ 87*de0e0e4dSAntonio Huete Jimenez *((c)++)=(unsigned char)(((l)>>16)&0xff), \ 88*de0e0e4dSAntonio Huete Jimenez *((c)++)=(unsigned char)(((l)>> 8)&0xff), \ 89*de0e0e4dSAntonio Huete Jimenez *((c)++)=(unsigned char)(((l) )&0xff)) 90*de0e0e4dSAntonio Huete Jimenez 91*de0e0e4dSAntonio Huete Jimenez /* Signed Certificate Timestamp */ 92*de0e0e4dSAntonio Huete Jimenez struct sct_st { 93*de0e0e4dSAntonio Huete Jimenez sct_version_t version; 94*de0e0e4dSAntonio Huete Jimenez /* If version is not SCT_VERSION_V1, this contains the encoded SCT */ 95*de0e0e4dSAntonio Huete Jimenez unsigned char *sct; 96*de0e0e4dSAntonio Huete Jimenez size_t sct_len; 97*de0e0e4dSAntonio Huete Jimenez /* 98*de0e0e4dSAntonio Huete Jimenez * If version is SCT_VERSION_V1, fields below contain components of 99*de0e0e4dSAntonio Huete Jimenez * the SCT 100*de0e0e4dSAntonio Huete Jimenez */ 101*de0e0e4dSAntonio Huete Jimenez unsigned char *log_id; 102*de0e0e4dSAntonio Huete Jimenez size_t log_id_len; 103*de0e0e4dSAntonio Huete Jimenez /* 104*de0e0e4dSAntonio Huete Jimenez * Note, we cannot distinguish between an unset timestamp, and one 105*de0e0e4dSAntonio Huete Jimenez * that is set to 0. However since CT didn't exist in 1970, no real 106*de0e0e4dSAntonio Huete Jimenez * SCT should ever be set as such. 107*de0e0e4dSAntonio Huete Jimenez */ 108*de0e0e4dSAntonio Huete Jimenez uint64_t timestamp; 109*de0e0e4dSAntonio Huete Jimenez unsigned char *ext; 110*de0e0e4dSAntonio Huete Jimenez size_t ext_len; 111*de0e0e4dSAntonio Huete Jimenez unsigned char hash_alg; 112*de0e0e4dSAntonio Huete Jimenez unsigned char sig_alg; 113*de0e0e4dSAntonio Huete Jimenez unsigned char *sig; 114*de0e0e4dSAntonio Huete Jimenez size_t sig_len; 115*de0e0e4dSAntonio Huete Jimenez /* Log entry type */ 116*de0e0e4dSAntonio Huete Jimenez ct_log_entry_type_t entry_type; 117*de0e0e4dSAntonio Huete Jimenez /* Where this SCT was found, e.g. certificate, OCSP response, etc. */ 118*de0e0e4dSAntonio Huete Jimenez sct_source_t source; 119*de0e0e4dSAntonio Huete Jimenez /* The result of the last attempt to validate this SCT. */ 120*de0e0e4dSAntonio Huete Jimenez sct_validation_status_t validation_status; 121*de0e0e4dSAntonio Huete Jimenez }; 122*de0e0e4dSAntonio Huete Jimenez 123*de0e0e4dSAntonio Huete Jimenez /* Miscellaneous data that is useful when verifying an SCT */ 124*de0e0e4dSAntonio Huete Jimenez struct sct_ctx_st { 125*de0e0e4dSAntonio Huete Jimenez /* Public key */ 126*de0e0e4dSAntonio Huete Jimenez EVP_PKEY *pkey; 127*de0e0e4dSAntonio Huete Jimenez /* Hash of public key */ 128*de0e0e4dSAntonio Huete Jimenez unsigned char *pkeyhash; 129*de0e0e4dSAntonio Huete Jimenez size_t pkeyhashlen; 130*de0e0e4dSAntonio Huete Jimenez /* For pre-certificate: issuer public key hash */ 131*de0e0e4dSAntonio Huete Jimenez unsigned char *ihash; 132*de0e0e4dSAntonio Huete Jimenez size_t ihashlen; 133*de0e0e4dSAntonio Huete Jimenez /* certificate encoding */ 134*de0e0e4dSAntonio Huete Jimenez unsigned char *certder; 135*de0e0e4dSAntonio Huete Jimenez size_t certderlen; 136*de0e0e4dSAntonio Huete Jimenez /* pre-certificate encoding */ 137*de0e0e4dSAntonio Huete Jimenez unsigned char *preder; 138*de0e0e4dSAntonio Huete Jimenez size_t prederlen; 139*de0e0e4dSAntonio Huete Jimenez /* 140*de0e0e4dSAntonio Huete Jimenez * milliseconds since epoch (to check that the SCT isn't from the 141*de0e0e4dSAntonio Huete Jimenez * future) 142*de0e0e4dSAntonio Huete Jimenez */ 143*de0e0e4dSAntonio Huete Jimenez uint64_t epoch_time_in_ms; 144*de0e0e4dSAntonio Huete Jimenez }; 145*de0e0e4dSAntonio Huete Jimenez 146*de0e0e4dSAntonio Huete Jimenez /* Context when evaluating whether a Certificate Transparency policy is met */ 147*de0e0e4dSAntonio Huete Jimenez struct ct_policy_eval_ctx_st { 148*de0e0e4dSAntonio Huete Jimenez X509 *cert; 149*de0e0e4dSAntonio Huete Jimenez X509 *issuer; 150*de0e0e4dSAntonio Huete Jimenez CTLOG_STORE *log_store; 151*de0e0e4dSAntonio Huete Jimenez /* 152*de0e0e4dSAntonio Huete Jimenez * milliseconds since epoch (to check that the SCT isn't from the 153*de0e0e4dSAntonio Huete Jimenez * future) 154*de0e0e4dSAntonio Huete Jimenez */ 155*de0e0e4dSAntonio Huete Jimenez uint64_t epoch_time_in_ms; 156*de0e0e4dSAntonio Huete Jimenez }; 157*de0e0e4dSAntonio Huete Jimenez 158*de0e0e4dSAntonio Huete Jimenez /* 159*de0e0e4dSAntonio Huete Jimenez * Creates a new context for verifying an SCT. 160*de0e0e4dSAntonio Huete Jimenez */ 161*de0e0e4dSAntonio Huete Jimenez SCT_CTX *SCT_CTX_new(void); 162*de0e0e4dSAntonio Huete Jimenez /* 163*de0e0e4dSAntonio Huete Jimenez * Deletes an SCT verification context. 164*de0e0e4dSAntonio Huete Jimenez */ 165*de0e0e4dSAntonio Huete Jimenez void SCT_CTX_free(SCT_CTX *sctx); 166*de0e0e4dSAntonio Huete Jimenez 167*de0e0e4dSAntonio Huete Jimenez /* 168*de0e0e4dSAntonio Huete Jimenez * Sets the certificate that the SCT was created for. 169*de0e0e4dSAntonio Huete Jimenez * If *cert does not have a poison extension, presigner must be NULL. 170*de0e0e4dSAntonio Huete Jimenez * If *cert does not have a poison extension, it may have a single SCT 171*de0e0e4dSAntonio Huete Jimenez * (NID_ct_precert_scts) extension. 172*de0e0e4dSAntonio Huete Jimenez * If either *cert or *presigner have an AKID (NID_authority_key_identifier) 173*de0e0e4dSAntonio Huete Jimenez * extension, both must have one. 174*de0e0e4dSAntonio Huete Jimenez * Returns 1 on success, 0 on failure. 175*de0e0e4dSAntonio Huete Jimenez */ 176*de0e0e4dSAntonio Huete Jimenez int SCT_CTX_set1_cert(SCT_CTX *sctx, X509 *cert, X509 *presigner); 177*de0e0e4dSAntonio Huete Jimenez 178*de0e0e4dSAntonio Huete Jimenez /* 179*de0e0e4dSAntonio Huete Jimenez * Sets the issuer of the certificate that the SCT was created for. 180*de0e0e4dSAntonio Huete Jimenez * This is just a convenience method to save extracting the public key and 181*de0e0e4dSAntonio Huete Jimenez * calling SCT_CTX_set1_issuer_pubkey(). 182*de0e0e4dSAntonio Huete Jimenez * Issuer must not be NULL. 183*de0e0e4dSAntonio Huete Jimenez * Returns 1 on success, 0 on failure. 184*de0e0e4dSAntonio Huete Jimenez */ 185*de0e0e4dSAntonio Huete Jimenez int SCT_CTX_set1_issuer(SCT_CTX *sctx, const X509 *issuer); 186*de0e0e4dSAntonio Huete Jimenez 187*de0e0e4dSAntonio Huete Jimenez /* 188*de0e0e4dSAntonio Huete Jimenez * Sets the public key of the issuer of the certificate that the SCT was created 189*de0e0e4dSAntonio Huete Jimenez * for. 190*de0e0e4dSAntonio Huete Jimenez * The public key must not be NULL. 191*de0e0e4dSAntonio Huete Jimenez * Returns 1 on success, 0 on failure. 192*de0e0e4dSAntonio Huete Jimenez */ 193*de0e0e4dSAntonio Huete Jimenez int SCT_CTX_set1_issuer_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey); 194*de0e0e4dSAntonio Huete Jimenez 195*de0e0e4dSAntonio Huete Jimenez /* 196*de0e0e4dSAntonio Huete Jimenez * Sets the public key of the CT log that the SCT is from. 197*de0e0e4dSAntonio Huete Jimenez * Returns 1 on success, 0 on failure. 198*de0e0e4dSAntonio Huete Jimenez */ 199*de0e0e4dSAntonio Huete Jimenez int SCT_CTX_set1_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey); 200*de0e0e4dSAntonio Huete Jimenez 201*de0e0e4dSAntonio Huete Jimenez /* 202*de0e0e4dSAntonio Huete Jimenez * Sets the time to evaluate the SCT against, in milliseconds since the Unix 203*de0e0e4dSAntonio Huete Jimenez * epoch. If the SCT's timestamp is after this time, it will be interpreted as 204*de0e0e4dSAntonio Huete Jimenez * having been issued in the future. RFC6962 states that "TLS clients MUST 205*de0e0e4dSAntonio Huete Jimenez * reject SCTs whose timestamp is in the future", so an SCT will not validate 206*de0e0e4dSAntonio Huete Jimenez * in this case. 207*de0e0e4dSAntonio Huete Jimenez */ 208*de0e0e4dSAntonio Huete Jimenez void SCT_CTX_set_time(SCT_CTX *sctx, uint64_t time_in_ms); 209*de0e0e4dSAntonio Huete Jimenez 210*de0e0e4dSAntonio Huete Jimenez /* 211*de0e0e4dSAntonio Huete Jimenez * Verifies an SCT with the given context. 212*de0e0e4dSAntonio Huete Jimenez * Returns 1 if the SCT verifies successfully; any other value indicates 213*de0e0e4dSAntonio Huete Jimenez * failure. See EVP_DigestVerifyFinal() for the meaning of those values. 214*de0e0e4dSAntonio Huete Jimenez */ 215*de0e0e4dSAntonio Huete Jimenez int SCT_CTX_verify(const SCT_CTX *sctx, const SCT *sct); 216*de0e0e4dSAntonio Huete Jimenez 217*de0e0e4dSAntonio Huete Jimenez /* 218*de0e0e4dSAntonio Huete Jimenez * Does this SCT have the minimum fields populated to be usable? 219*de0e0e4dSAntonio Huete Jimenez * Returns 1 if so, 0 otherwise. 220*de0e0e4dSAntonio Huete Jimenez */ 221*de0e0e4dSAntonio Huete Jimenez int SCT_is_complete(const SCT *sct); 222*de0e0e4dSAntonio Huete Jimenez 223*de0e0e4dSAntonio Huete Jimenez /* 224*de0e0e4dSAntonio Huete Jimenez * Does this SCT have the signature-related fields populated? 225*de0e0e4dSAntonio Huete Jimenez * Returns 1 if so, 0 otherwise. 226*de0e0e4dSAntonio Huete Jimenez * This checks that the signature and hash algorithms are set to supported 227*de0e0e4dSAntonio Huete Jimenez * values and that the signature field is set. 228*de0e0e4dSAntonio Huete Jimenez */ 229*de0e0e4dSAntonio Huete Jimenez int SCT_signature_is_complete(const SCT *sct); 230*de0e0e4dSAntonio Huete Jimenez 231*de0e0e4dSAntonio Huete Jimenez /* 232*de0e0e4dSAntonio Huete Jimenez * TODO(RJPercival): Create an SCT_signature struct and make i2o_SCT_signature 233*de0e0e4dSAntonio Huete Jimenez * and o2i_SCT_signature conform to the i2d/d2i conventions. 234*de0e0e4dSAntonio Huete Jimenez */ 235*de0e0e4dSAntonio Huete Jimenez 236*de0e0e4dSAntonio Huete Jimenez /* 237*de0e0e4dSAntonio Huete Jimenez * Serialize (to TLS format) an |sct| signature and write it to |out|. 238*de0e0e4dSAntonio Huete Jimenez * If |out| is null, no signature will be output but the length will be returned. 239*de0e0e4dSAntonio Huete Jimenez * If |out| points to a null pointer, a string will be allocated to hold the 240*de0e0e4dSAntonio Huete Jimenez * TLS-format signature. It is the responsibility of the caller to free it. 241*de0e0e4dSAntonio Huete Jimenez * If |out| points to an allocated string, the signature will be written to it. 242*de0e0e4dSAntonio Huete Jimenez * The length of the signature in TLS format will be returned. 243*de0e0e4dSAntonio Huete Jimenez */ 244*de0e0e4dSAntonio Huete Jimenez int i2o_SCT_signature(const SCT *sct, unsigned char **out); 245*de0e0e4dSAntonio Huete Jimenez 246*de0e0e4dSAntonio Huete Jimenez /* 247*de0e0e4dSAntonio Huete Jimenez * Parses an SCT signature in TLS format and populates the |sct| with it. 248*de0e0e4dSAntonio Huete Jimenez * |in| should be a pointer to a string containing the TLS-format signature. 249*de0e0e4dSAntonio Huete Jimenez * |in| will be advanced to the end of the signature if parsing succeeds. 250*de0e0e4dSAntonio Huete Jimenez * |len| should be the length of the signature in |in|. 251*de0e0e4dSAntonio Huete Jimenez * Returns the number of bytes parsed, or a negative integer if an error occurs. 252*de0e0e4dSAntonio Huete Jimenez * If an error occurs, the SCT's signature NID may be updated whilst the 253*de0e0e4dSAntonio Huete Jimenez * signature field itself remains unset. 254*de0e0e4dSAntonio Huete Jimenez */ 255*de0e0e4dSAntonio Huete Jimenez int o2i_SCT_signature(SCT *sct, CBS *cbs); 256*de0e0e4dSAntonio Huete Jimenez 257*de0e0e4dSAntonio Huete Jimenez /* 258*de0e0e4dSAntonio Huete Jimenez * Handlers for Certificate Transparency X509v3/OCSP extensions 259*de0e0e4dSAntonio Huete Jimenez */ 260*de0e0e4dSAntonio Huete Jimenez extern const X509V3_EXT_METHOD v3_ct_scts[3]; 261