1 /* 2 * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <openssl/ocsp.h> 11 #include "ocsp_local.h" 12 #include <openssl/err.h> 13 #include <string.h> 14 15 static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, 16 STACK_OF(X509) *certs, unsigned long flags); 17 static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id); 18 static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain); 19 static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, 20 OCSP_CERTID **ret); 21 static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid, 22 STACK_OF(OCSP_SINGLERESP) *sresp); 23 static int ocsp_check_delegated(X509 *x); 24 static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req, 25 X509_NAME *nm, STACK_OF(X509) *certs, 26 unsigned long flags); 27 28 /* Verify a basic response message */ 29 30 int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, 31 X509_STORE *st, unsigned long flags) 32 { 33 X509 *signer, *x; 34 STACK_OF(X509) *chain = NULL; 35 STACK_OF(X509) *untrusted = NULL; 36 X509_STORE_CTX *ctx = NULL; 37 int i, ret = ocsp_find_signer(&signer, bs, certs, flags); 38 39 if (!ret) { 40 OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, 41 OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND); 42 goto end; 43 } 44 ctx = X509_STORE_CTX_new(); 45 if (ctx == NULL) { 46 OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_MALLOC_FAILURE); 47 goto f_err; 48 } 49 if ((ret == 2) && (flags & OCSP_TRUSTOTHER)) 50 flags |= OCSP_NOVERIFY; 51 if (!(flags & OCSP_NOSIGS)) { 52 EVP_PKEY *skey; 53 skey = X509_get0_pubkey(signer); 54 if (skey == NULL) { 55 OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_NO_SIGNER_KEY); 56 goto err; 57 } 58 ret = OCSP_BASICRESP_verify(bs, skey, 0); 59 if (ret <= 0) { 60 OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNATURE_FAILURE); 61 goto end; 62 } 63 } 64 if (!(flags & OCSP_NOVERIFY)) { 65 int init_res; 66 if (flags & OCSP_NOCHAIN) { 67 untrusted = NULL; 68 } else if (bs->certs && certs) { 69 untrusted = sk_X509_dup(bs->certs); 70 for (i = 0; i < sk_X509_num(certs); i++) { 71 if (!sk_X509_push(untrusted, sk_X509_value(certs, i))) { 72 OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_MALLOC_FAILURE); 73 goto f_err; 74 } 75 } 76 } else if (certs != NULL) { 77 untrusted = certs; 78 } else { 79 untrusted = bs->certs; 80 } 81 init_res = X509_STORE_CTX_init(ctx, st, signer, untrusted); 82 if (!init_res) { 83 OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_X509_LIB); 84 goto f_err; 85 } 86 87 X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_OCSP_HELPER); 88 ret = X509_verify_cert(ctx); 89 chain = X509_STORE_CTX_get1_chain(ctx); 90 if (ret <= 0) { 91 i = X509_STORE_CTX_get_error(ctx); 92 OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, 93 OCSP_R_CERTIFICATE_VERIFY_ERROR); 94 ERR_add_error_data(2, "Verify error:", 95 X509_verify_cert_error_string(i)); 96 goto end; 97 } 98 if (flags & OCSP_NOCHECKS) { 99 ret = 1; 100 goto end; 101 } 102 /* 103 * At this point we have a valid certificate chain need to verify it 104 * against the OCSP issuer criteria. 105 */ 106 ret = ocsp_check_issuer(bs, chain); 107 108 /* If fatal error or valid match then finish */ 109 if (ret != 0) 110 goto end; 111 112 /* 113 * Easy case: explicitly trusted. Get root CA and check for explicit 114 * trust 115 */ 116 if (flags & OCSP_NOEXPLICIT) 117 goto end; 118 119 x = sk_X509_value(chain, sk_X509_num(chain) - 1); 120 if (X509_check_trust(x, NID_OCSP_sign, 0) != X509_TRUST_TRUSTED) { 121 OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_ROOT_CA_NOT_TRUSTED); 122 goto err; 123 } 124 ret = 1; 125 } 126 end: 127 X509_STORE_CTX_free(ctx); 128 sk_X509_pop_free(chain, X509_free); 129 if (bs->certs && certs) 130 sk_X509_free(untrusted); 131 return ret; 132 133 err: 134 ret = 0; 135 goto end; 136 f_err: 137 ret = -1; 138 goto end; 139 } 140 141 int OCSP_resp_get0_signer(OCSP_BASICRESP *bs, X509 **signer, 142 STACK_OF(X509) *extra_certs) 143 { 144 int ret; 145 146 ret = ocsp_find_signer(signer, bs, extra_certs, 0); 147 return (ret > 0) ? 1 : 0; 148 } 149 150 static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, 151 STACK_OF(X509) *certs, unsigned long flags) 152 { 153 X509 *signer; 154 OCSP_RESPID *rid = &bs->tbsResponseData.responderId; 155 if ((signer = ocsp_find_signer_sk(certs, rid))) { 156 *psigner = signer; 157 return 2; 158 } 159 if (!(flags & OCSP_NOINTERN) && 160 (signer = ocsp_find_signer_sk(bs->certs, rid))) { 161 *psigner = signer; 162 return 1; 163 } 164 /* Maybe lookup from store if by subject name */ 165 166 *psigner = NULL; 167 return 0; 168 } 169 170 static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id) 171 { 172 int i; 173 unsigned char tmphash[SHA_DIGEST_LENGTH], *keyhash; 174 X509 *x; 175 176 /* Easy if lookup by name */ 177 if (id->type == V_OCSP_RESPID_NAME) 178 return X509_find_by_subject(certs, id->value.byName); 179 180 /* Lookup by key hash */ 181 182 /* If key hash isn't SHA1 length then forget it */ 183 if (id->value.byKey->length != SHA_DIGEST_LENGTH) 184 return NULL; 185 keyhash = id->value.byKey->data; 186 /* Calculate hash of each key and compare */ 187 for (i = 0; i < sk_X509_num(certs); i++) { 188 x = sk_X509_value(certs, i); 189 X509_pubkey_digest(x, EVP_sha1(), tmphash, NULL); 190 if (!memcmp(keyhash, tmphash, SHA_DIGEST_LENGTH)) 191 return x; 192 } 193 return NULL; 194 } 195 196 static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain) 197 { 198 STACK_OF(OCSP_SINGLERESP) *sresp; 199 X509 *signer, *sca; 200 OCSP_CERTID *caid = NULL; 201 int i; 202 sresp = bs->tbsResponseData.responses; 203 204 if (sk_X509_num(chain) <= 0) { 205 OCSPerr(OCSP_F_OCSP_CHECK_ISSUER, OCSP_R_NO_CERTIFICATES_IN_CHAIN); 206 return -1; 207 } 208 209 /* See if the issuer IDs match. */ 210 i = ocsp_check_ids(sresp, &caid); 211 212 /* If ID mismatch or other error then return */ 213 if (i <= 0) 214 return i; 215 216 signer = sk_X509_value(chain, 0); 217 /* Check to see if OCSP responder CA matches request CA */ 218 if (sk_X509_num(chain) > 1) { 219 sca = sk_X509_value(chain, 1); 220 i = ocsp_match_issuerid(sca, caid, sresp); 221 if (i < 0) 222 return i; 223 if (i) { 224 /* We have a match, if extensions OK then success */ 225 if (ocsp_check_delegated(signer)) 226 return 1; 227 return 0; 228 } 229 } 230 231 /* Otherwise check if OCSP request signed directly by request CA */ 232 return ocsp_match_issuerid(signer, caid, sresp); 233 } 234 235 /* 236 * Check the issuer certificate IDs for equality. If there is a mismatch with 237 * the same algorithm then there's no point trying to match any certificates 238 * against the issuer. If the issuer IDs all match then we just need to check 239 * equality against one of them. 240 */ 241 242 static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret) 243 { 244 OCSP_CERTID *tmpid, *cid; 245 int i, idcount; 246 247 idcount = sk_OCSP_SINGLERESP_num(sresp); 248 if (idcount <= 0) { 249 OCSPerr(OCSP_F_OCSP_CHECK_IDS, 250 OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA); 251 return -1; 252 } 253 254 cid = sk_OCSP_SINGLERESP_value(sresp, 0)->certId; 255 256 *ret = NULL; 257 258 for (i = 1; i < idcount; i++) { 259 tmpid = sk_OCSP_SINGLERESP_value(sresp, i)->certId; 260 /* Check to see if IDs match */ 261 if (OCSP_id_issuer_cmp(cid, tmpid)) { 262 /* If algorithm mismatch let caller deal with it */ 263 if (OBJ_cmp(tmpid->hashAlgorithm.algorithm, 264 cid->hashAlgorithm.algorithm)) 265 return 2; 266 /* Else mismatch */ 267 return 0; 268 } 269 } 270 271 /* All IDs match: only need to check one ID */ 272 *ret = cid; 273 return 1; 274 } 275 276 static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid, 277 STACK_OF(OCSP_SINGLERESP) *sresp) 278 { 279 /* If only one ID to match then do it */ 280 if (cid) { 281 const EVP_MD *dgst; 282 X509_NAME *iname; 283 int mdlen; 284 unsigned char md[EVP_MAX_MD_SIZE]; 285 if ((dgst = EVP_get_digestbyobj(cid->hashAlgorithm.algorithm)) 286 == NULL) { 287 OCSPerr(OCSP_F_OCSP_MATCH_ISSUERID, 288 OCSP_R_UNKNOWN_MESSAGE_DIGEST); 289 return -1; 290 } 291 292 mdlen = EVP_MD_size(dgst); 293 if (mdlen < 0) 294 return -1; 295 if ((cid->issuerNameHash.length != mdlen) || 296 (cid->issuerKeyHash.length != mdlen)) 297 return 0; 298 iname = X509_get_subject_name(cert); 299 if (!X509_NAME_digest(iname, dgst, md, NULL)) 300 return -1; 301 if (memcmp(md, cid->issuerNameHash.data, mdlen)) 302 return 0; 303 X509_pubkey_digest(cert, dgst, md, NULL); 304 if (memcmp(md, cid->issuerKeyHash.data, mdlen)) 305 return 0; 306 307 return 1; 308 309 } else { 310 /* We have to match the whole lot */ 311 int i, ret; 312 OCSP_CERTID *tmpid; 313 for (i = 0; i < sk_OCSP_SINGLERESP_num(sresp); i++) { 314 tmpid = sk_OCSP_SINGLERESP_value(sresp, i)->certId; 315 ret = ocsp_match_issuerid(cert, tmpid, NULL); 316 if (ret <= 0) 317 return ret; 318 } 319 return 1; 320 } 321 322 } 323 324 static int ocsp_check_delegated(X509 *x) 325 { 326 if ((X509_get_extension_flags(x) & EXFLAG_XKUSAGE) 327 && (X509_get_extended_key_usage(x) & XKU_OCSP_SIGN)) 328 return 1; 329 OCSPerr(OCSP_F_OCSP_CHECK_DELEGATED, OCSP_R_MISSING_OCSPSIGNING_USAGE); 330 return 0; 331 } 332 333 /* 334 * Verify an OCSP request. This is fortunately much easier than OCSP response 335 * verify. Just find the signers certificate and verify it against a given 336 * trust value. 337 */ 338 339 int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, 340 X509_STORE *store, unsigned long flags) 341 { 342 X509 *signer; 343 X509_NAME *nm; 344 GENERAL_NAME *gen; 345 int ret = 0; 346 X509_STORE_CTX *ctx = X509_STORE_CTX_new(); 347 348 if (ctx == NULL) { 349 OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, ERR_R_MALLOC_FAILURE); 350 goto err; 351 } 352 353 if (!req->optionalSignature) { 354 OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_REQUEST_NOT_SIGNED); 355 goto err; 356 } 357 gen = req->tbsRequest.requestorName; 358 if (!gen || gen->type != GEN_DIRNAME) { 359 OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, 360 OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE); 361 goto err; 362 } 363 nm = gen->d.directoryName; 364 ret = ocsp_req_find_signer(&signer, req, nm, certs, flags); 365 if (ret <= 0) { 366 OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, 367 OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND); 368 goto err; 369 } 370 if ((ret == 2) && (flags & OCSP_TRUSTOTHER)) 371 flags |= OCSP_NOVERIFY; 372 if (!(flags & OCSP_NOSIGS)) { 373 EVP_PKEY *skey; 374 skey = X509_get0_pubkey(signer); 375 ret = OCSP_REQUEST_verify(req, skey); 376 if (ret <= 0) { 377 OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_SIGNATURE_FAILURE); 378 goto err; 379 } 380 } 381 if (!(flags & OCSP_NOVERIFY)) { 382 int init_res; 383 if (flags & OCSP_NOCHAIN) 384 init_res = X509_STORE_CTX_init(ctx, store, signer, NULL); 385 else 386 init_res = X509_STORE_CTX_init(ctx, store, signer, 387 req->optionalSignature->certs); 388 if (!init_res) { 389 OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, ERR_R_X509_LIB); 390 goto err; 391 } 392 393 X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_OCSP_HELPER); 394 X509_STORE_CTX_set_trust(ctx, X509_TRUST_OCSP_REQUEST); 395 ret = X509_verify_cert(ctx); 396 if (ret <= 0) { 397 ret = X509_STORE_CTX_get_error(ctx); 398 OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, 399 OCSP_R_CERTIFICATE_VERIFY_ERROR); 400 ERR_add_error_data(2, "Verify error:", 401 X509_verify_cert_error_string(ret)); 402 goto err; 403 } 404 } 405 ret = 1; 406 goto end; 407 408 err: 409 ret = 0; 410 end: 411 X509_STORE_CTX_free(ctx); 412 return ret; 413 414 } 415 416 static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req, 417 X509_NAME *nm, STACK_OF(X509) *certs, 418 unsigned long flags) 419 { 420 X509 *signer; 421 if (!(flags & OCSP_NOINTERN)) { 422 signer = X509_find_by_subject(req->optionalSignature->certs, nm); 423 if (signer) { 424 *psigner = signer; 425 return 1; 426 } 427 } 428 429 signer = X509_find_by_subject(certs, nm); 430 if (signer) { 431 *psigner = signer; 432 return 2; 433 } 434 return 0; 435 } 436