1 /* 2 * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #ifdef OPENSSL_NO_CT 11 # error "CT is disabled" 12 #endif 13 14 #include <stddef.h> 15 #include <string.h> 16 17 #include <openssl/err.h> 18 #include <openssl/obj_mac.h> 19 #include <openssl/x509.h> 20 21 #include "ct_local.h" 22 23 SCT_CTX *SCT_CTX_new(void) 24 { 25 SCT_CTX *sctx = OPENSSL_zalloc(sizeof(*sctx)); 26 27 if (sctx == NULL) 28 CTerr(CT_F_SCT_CTX_NEW, ERR_R_MALLOC_FAILURE); 29 30 return sctx; 31 } 32 33 void SCT_CTX_free(SCT_CTX *sctx) 34 { 35 if (sctx == NULL) 36 return; 37 EVP_PKEY_free(sctx->pkey); 38 OPENSSL_free(sctx->pkeyhash); 39 OPENSSL_free(sctx->ihash); 40 OPENSSL_free(sctx->certder); 41 OPENSSL_free(sctx->preder); 42 OPENSSL_free(sctx); 43 } 44 45 /* 46 * Finds the index of the first extension with the given NID in cert. 47 * If there is more than one extension with that NID, *is_duplicated is set to 48 * 1, otherwise 0 (unless it is NULL). 49 */ 50 static int ct_x509_get_ext(X509 *cert, int nid, int *is_duplicated) 51 { 52 int ret = X509_get_ext_by_NID(cert, nid, -1); 53 54 if (is_duplicated != NULL) 55 *is_duplicated = ret >= 0 && X509_get_ext_by_NID(cert, nid, ret) >= 0; 56 57 return ret; 58 } 59 60 /* 61 * Modifies a certificate by deleting extensions and copying the issuer and 62 * AKID from the presigner certificate, if necessary. 63 * Returns 1 on success, 0 otherwise. 64 */ 65 __owur static int ct_x509_cert_fixup(X509 *cert, X509 *presigner) 66 { 67 int preidx, certidx; 68 int pre_akid_ext_is_dup, cert_akid_ext_is_dup; 69 70 if (presigner == NULL) 71 return 1; 72 73 preidx = ct_x509_get_ext(presigner, NID_authority_key_identifier, 74 &pre_akid_ext_is_dup); 75 certidx = ct_x509_get_ext(cert, NID_authority_key_identifier, 76 &cert_akid_ext_is_dup); 77 78 /* An error occurred whilst searching for the extension */ 79 if (preidx < -1 || certidx < -1) 80 return 0; 81 /* Invalid certificate if they contain duplicate extensions */ 82 if (pre_akid_ext_is_dup || cert_akid_ext_is_dup) 83 return 0; 84 /* AKID must be present in both certificate or absent in both */ 85 if (preidx >= 0 && certidx == -1) 86 return 0; 87 if (preidx == -1 && certidx >= 0) 88 return 0; 89 /* Copy issuer name */ 90 if (!X509_set_issuer_name(cert, X509_get_issuer_name(presigner))) 91 return 0; 92 if (preidx != -1) { 93 /* Retrieve and copy AKID encoding */ 94 X509_EXTENSION *preext = X509_get_ext(presigner, preidx); 95 X509_EXTENSION *certext = X509_get_ext(cert, certidx); 96 ASN1_OCTET_STRING *preextdata; 97 98 /* Should never happen */ 99 if (preext == NULL || certext == NULL) 100 return 0; 101 preextdata = X509_EXTENSION_get_data(preext); 102 if (preextdata == NULL || 103 !X509_EXTENSION_set_data(certext, preextdata)) 104 return 0; 105 } 106 return 1; 107 } 108 109 int SCT_CTX_set1_cert(SCT_CTX *sctx, X509 *cert, X509 *presigner) 110 { 111 unsigned char *certder = NULL, *preder = NULL; 112 X509 *pretmp = NULL; 113 int certderlen = 0, prederlen = 0; 114 int idx = -1; 115 int poison_ext_is_dup, sct_ext_is_dup; 116 int poison_idx = ct_x509_get_ext(cert, NID_ct_precert_poison, &poison_ext_is_dup); 117 118 /* Duplicate poison extensions are present - error */ 119 if (poison_ext_is_dup) 120 goto err; 121 122 /* If *cert doesn't have a poison extension, it isn't a precert */ 123 if (poison_idx == -1) { 124 /* cert isn't a precert, so we shouldn't have a presigner */ 125 if (presigner != NULL) 126 goto err; 127 128 certderlen = i2d_X509(cert, &certder); 129 if (certderlen < 0) 130 goto err; 131 } 132 133 /* See if cert has a precert SCTs extension */ 134 idx = ct_x509_get_ext(cert, NID_ct_precert_scts, &sct_ext_is_dup); 135 /* Duplicate SCT extensions are present - error */ 136 if (sct_ext_is_dup) 137 goto err; 138 139 if (idx >= 0 && poison_idx >= 0) { 140 /* 141 * cert can't both contain SCTs (i.e. have an SCT extension) and be a 142 * precert (i.e. have a poison extension). 143 */ 144 goto err; 145 } 146 147 if (idx == -1) { 148 idx = poison_idx; 149 } 150 151 /* 152 * If either a poison or SCT extension is present, remove it before encoding 153 * cert. This, along with ct_x509_cert_fixup(), gets a TBSCertificate (see 154 * RFC5280) from cert, which is what the CT log signed when it produced the 155 * SCT. 156 */ 157 if (idx >= 0) { 158 X509_EXTENSION *ext; 159 160 /* Take a copy of certificate so we don't modify passed version */ 161 pretmp = X509_dup(cert); 162 if (pretmp == NULL) 163 goto err; 164 165 ext = X509_delete_ext(pretmp, idx); 166 X509_EXTENSION_free(ext); 167 168 if (!ct_x509_cert_fixup(pretmp, presigner)) 169 goto err; 170 171 prederlen = i2d_re_X509_tbs(pretmp, &preder); 172 if (prederlen <= 0) 173 goto err; 174 } 175 176 X509_free(pretmp); 177 178 OPENSSL_free(sctx->certder); 179 sctx->certder = certder; 180 sctx->certderlen = certderlen; 181 182 OPENSSL_free(sctx->preder); 183 sctx->preder = preder; 184 sctx->prederlen = prederlen; 185 186 return 1; 187 err: 188 OPENSSL_free(certder); 189 OPENSSL_free(preder); 190 X509_free(pretmp); 191 return 0; 192 } 193 194 __owur static int ct_public_key_hash(X509_PUBKEY *pkey, unsigned char **hash, 195 size_t *hash_len) 196 { 197 int ret = 0; 198 unsigned char *md = NULL, *der = NULL; 199 int der_len; 200 unsigned int md_len; 201 202 /* Reuse buffer if possible */ 203 if (*hash != NULL && *hash_len >= SHA256_DIGEST_LENGTH) { 204 md = *hash; 205 } else { 206 md = OPENSSL_malloc(SHA256_DIGEST_LENGTH); 207 if (md == NULL) 208 goto err; 209 } 210 211 /* Calculate key hash */ 212 der_len = i2d_X509_PUBKEY(pkey, &der); 213 if (der_len <= 0) 214 goto err; 215 216 if (!EVP_Digest(der, der_len, md, &md_len, EVP_sha256(), NULL)) 217 goto err; 218 219 if (md != *hash) { 220 OPENSSL_free(*hash); 221 *hash = md; 222 *hash_len = SHA256_DIGEST_LENGTH; 223 } 224 225 md = NULL; 226 ret = 1; 227 err: 228 OPENSSL_free(md); 229 OPENSSL_free(der); 230 return ret; 231 } 232 233 int SCT_CTX_set1_issuer(SCT_CTX *sctx, const X509 *issuer) 234 { 235 return SCT_CTX_set1_issuer_pubkey(sctx, X509_get_X509_PUBKEY(issuer)); 236 } 237 238 int SCT_CTX_set1_issuer_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey) 239 { 240 return ct_public_key_hash(pubkey, &sctx->ihash, &sctx->ihashlen); 241 } 242 243 int SCT_CTX_set1_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey) 244 { 245 EVP_PKEY *pkey = X509_PUBKEY_get(pubkey); 246 247 if (pkey == NULL) 248 return 0; 249 250 if (!ct_public_key_hash(pubkey, &sctx->pkeyhash, &sctx->pkeyhashlen)) { 251 EVP_PKEY_free(pkey); 252 return 0; 253 } 254 255 EVP_PKEY_free(sctx->pkey); 256 sctx->pkey = pkey; 257 return 1; 258 } 259 260 void SCT_CTX_set_time(SCT_CTX *sctx, uint64_t time_in_ms) 261 { 262 sctx->epoch_time_in_ms = time_in_ms; 263 } 264