160662d10Schristos /*
2*1dcdf01fSchristos * Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved.
360662d10Schristos *
4*1dcdf01fSchristos * Licensed under the OpenSSL license (the "License"). You may not use
5*1dcdf01fSchristos * this file except in compliance with the License. You can obtain a copy
6*1dcdf01fSchristos * in the file LICENSE in the source distribution or at
7*1dcdf01fSchristos * https://www.openssl.org/source/license.html
860662d10Schristos */
960662d10Schristos
1060662d10Schristos #include <stdio.h>
11*1dcdf01fSchristos #include "internal/cryptlib.h"
1260662d10Schristos #include <openssl/objects.h>
1360662d10Schristos #include <openssl/ts.h>
1460662d10Schristos #include <openssl/pkcs7.h>
15*1dcdf01fSchristos #include "ts_local.h"
1660662d10Schristos
17*1dcdf01fSchristos static int ts_verify_cert(X509_STORE *store, STACK_OF(X509) *untrusted,
1860662d10Schristos X509 *signer, STACK_OF(X509) **chain);
19*1dcdf01fSchristos static int ts_check_signing_certs(PKCS7_SIGNER_INFO *si,
2060662d10Schristos STACK_OF(X509) *chain);
21*1dcdf01fSchristos static ESS_SIGNING_CERT *ess_get_signing_cert(PKCS7_SIGNER_INFO *si);
22*1dcdf01fSchristos static int ts_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert);
23*1dcdf01fSchristos static int ts_issuer_serial_cmp(ESS_ISSUER_SERIAL *is, X509 *cert);
24*1dcdf01fSchristos static int int_ts_RESP_verify_token(TS_VERIFY_CTX *ctx,
2560662d10Schristos PKCS7 *token, TS_TST_INFO *tst_info);
26*1dcdf01fSchristos static int ts_check_status_info(TS_RESP *response);
27*1dcdf01fSchristos static char *ts_get_status_text(STACK_OF(ASN1_UTF8STRING) *text);
28*1dcdf01fSchristos static int ts_check_policy(const ASN1_OBJECT *req_oid,
29*1dcdf01fSchristos const TS_TST_INFO *tst_info);
30*1dcdf01fSchristos static int ts_compute_imprint(BIO *data, TS_TST_INFO *tst_info,
3160662d10Schristos X509_ALGOR **md_alg,
3260662d10Schristos unsigned char **imprint, unsigned *imprint_len);
33*1dcdf01fSchristos static int ts_check_imprints(X509_ALGOR *algor_a,
34*1dcdf01fSchristos const unsigned char *imprint_a, unsigned len_a,
3560662d10Schristos TS_TST_INFO *tst_info);
36*1dcdf01fSchristos static int ts_check_nonces(const ASN1_INTEGER *a, TS_TST_INFO *tst_info);
37*1dcdf01fSchristos static int ts_check_signer_name(GENERAL_NAME *tsa_name, X509 *signer);
38*1dcdf01fSchristos static int ts_find_name(STACK_OF(GENERAL_NAME) *gen_names,
3960662d10Schristos GENERAL_NAME *name);
40*1dcdf01fSchristos static int ts_find_cert_v2(STACK_OF(ESS_CERT_ID_V2) *cert_ids, X509 *cert);
41*1dcdf01fSchristos static ESS_SIGNING_CERT_V2 *ess_get_signing_cert_v2(PKCS7_SIGNER_INFO *si);
42*1dcdf01fSchristos
43*1dcdf01fSchristos /*
44*1dcdf01fSchristos * This must be large enough to hold all values in ts_status_text (with
45*1dcdf01fSchristos * comma separator) or all text fields in ts_failure_info (also with comma).
46*1dcdf01fSchristos */
47*1dcdf01fSchristos #define TS_STATUS_BUF_SIZE 256
4860662d10Schristos
4960662d10Schristos /*
5060662d10Schristos * Local mapping between response codes and descriptions.
5160662d10Schristos */
52*1dcdf01fSchristos static const char *ts_status_text[] = {
53*1dcdf01fSchristos "granted",
5460662d10Schristos "grantedWithMods",
5560662d10Schristos "rejection",
5660662d10Schristos "waiting",
5760662d10Schristos "revocationWarning",
5860662d10Schristos "revocationNotification"
5960662d10Schristos };
6060662d10Schristos
61*1dcdf01fSchristos #define TS_STATUS_TEXT_SIZE OSSL_NELEM(ts_status_text)
6260662d10Schristos
6360662d10Schristos static struct {
6460662d10Schristos int code;
6560662d10Schristos const char *text;
66*1dcdf01fSchristos } ts_failure_info[] = {
67*1dcdf01fSchristos {TS_INFO_BAD_ALG, "badAlg"},
68*1dcdf01fSchristos {TS_INFO_BAD_REQUEST, "badRequest"},
69*1dcdf01fSchristos {TS_INFO_BAD_DATA_FORMAT, "badDataFormat"},
70*1dcdf01fSchristos {TS_INFO_TIME_NOT_AVAILABLE, "timeNotAvailable"},
71*1dcdf01fSchristos {TS_INFO_UNACCEPTED_POLICY, "unacceptedPolicy"},
72*1dcdf01fSchristos {TS_INFO_UNACCEPTED_EXTENSION, "unacceptedExtension"},
73*1dcdf01fSchristos {TS_INFO_ADD_INFO_NOT_AVAILABLE, "addInfoNotAvailable"},
74*1dcdf01fSchristos {TS_INFO_SYSTEM_FAILURE, "systemFailure"}
7560662d10Schristos };
7660662d10Schristos
7760662d10Schristos
7860662d10Schristos /*-
7960662d10Schristos * This function carries out the following tasks:
8060662d10Schristos * - Checks if there is one and only one signer.
8160662d10Schristos * - Search for the signing certificate in 'certs' and in the response.
8260662d10Schristos * - Check the extended key usage and key usage fields of the signer
8360662d10Schristos * certificate (done by the path validation).
8460662d10Schristos * - Build and validate the certificate path.
8560662d10Schristos * - Check if the certificate path meets the requirements of the
8660662d10Schristos * SigningCertificate ESS signed attribute.
8760662d10Schristos * - Verify the signature value.
8860662d10Schristos * - Returns the signer certificate in 'signer', if 'signer' is not NULL.
8960662d10Schristos */
TS_RESP_verify_signature(PKCS7 * token,STACK_OF (X509)* certs,X509_STORE * store,X509 ** signer_out)9060662d10Schristos int TS_RESP_verify_signature(PKCS7 *token, STACK_OF(X509) *certs,
9160662d10Schristos X509_STORE *store, X509 **signer_out)
9260662d10Schristos {
9360662d10Schristos STACK_OF(PKCS7_SIGNER_INFO) *sinfos = NULL;
9460662d10Schristos PKCS7_SIGNER_INFO *si;
9560662d10Schristos STACK_OF(X509) *signers = NULL;
9660662d10Schristos X509 *signer;
9760662d10Schristos STACK_OF(X509) *chain = NULL;
9860662d10Schristos char buf[4096];
9960662d10Schristos int i, j = 0, ret = 0;
10060662d10Schristos BIO *p7bio = NULL;
10160662d10Schristos
10260662d10Schristos /* Some sanity checks first. */
10360662d10Schristos if (!token) {
10460662d10Schristos TSerr(TS_F_TS_RESP_VERIFY_SIGNATURE, TS_R_INVALID_NULL_POINTER);
10560662d10Schristos goto err;
10660662d10Schristos }
10760662d10Schristos if (!PKCS7_type_is_signed(token)) {
10860662d10Schristos TSerr(TS_F_TS_RESP_VERIFY_SIGNATURE, TS_R_WRONG_CONTENT_TYPE);
10960662d10Schristos goto err;
11060662d10Schristos }
11160662d10Schristos sinfos = PKCS7_get_signer_info(token);
11260662d10Schristos if (!sinfos || sk_PKCS7_SIGNER_INFO_num(sinfos) != 1) {
11360662d10Schristos TSerr(TS_F_TS_RESP_VERIFY_SIGNATURE, TS_R_THERE_MUST_BE_ONE_SIGNER);
11460662d10Schristos goto err;
11560662d10Schristos }
11660662d10Schristos si = sk_PKCS7_SIGNER_INFO_value(sinfos, 0);
11760662d10Schristos if (PKCS7_get_detached(token)) {
11860662d10Schristos TSerr(TS_F_TS_RESP_VERIFY_SIGNATURE, TS_R_NO_CONTENT);
11960662d10Schristos goto err;
12060662d10Schristos }
12160662d10Schristos
12260662d10Schristos /*
12360662d10Schristos * Get hold of the signer certificate, search only internal certificates
12460662d10Schristos * if it was requested.
12560662d10Schristos */
12660662d10Schristos signers = PKCS7_get0_signers(token, certs, 0);
12760662d10Schristos if (!signers || sk_X509_num(signers) != 1)
12860662d10Schristos goto err;
12960662d10Schristos signer = sk_X509_value(signers, 0);
13060662d10Schristos
131*1dcdf01fSchristos if (!ts_verify_cert(store, certs, signer, &chain))
13260662d10Schristos goto err;
133*1dcdf01fSchristos if (!ts_check_signing_certs(si, chain))
13460662d10Schristos goto err;
13560662d10Schristos p7bio = PKCS7_dataInit(token, NULL);
13660662d10Schristos
13760662d10Schristos /* We now have to 'read' from p7bio to calculate digests etc. */
138*1dcdf01fSchristos while ((i = BIO_read(p7bio, buf, sizeof(buf))) > 0)
139*1dcdf01fSchristos continue;
14060662d10Schristos
14160662d10Schristos j = PKCS7_signatureVerify(p7bio, token, si, signer);
14260662d10Schristos if (j <= 0) {
14360662d10Schristos TSerr(TS_F_TS_RESP_VERIFY_SIGNATURE, TS_R_SIGNATURE_FAILURE);
14460662d10Schristos goto err;
14560662d10Schristos }
14660662d10Schristos
14760662d10Schristos if (signer_out) {
14860662d10Schristos *signer_out = signer;
149*1dcdf01fSchristos X509_up_ref(signer);
15060662d10Schristos }
15160662d10Schristos ret = 1;
15260662d10Schristos
15360662d10Schristos err:
15460662d10Schristos BIO_free_all(p7bio);
15560662d10Schristos sk_X509_pop_free(chain, X509_free);
15660662d10Schristos sk_X509_free(signers);
15760662d10Schristos
15860662d10Schristos return ret;
15960662d10Schristos }
16060662d10Schristos
16160662d10Schristos /*
16260662d10Schristos * The certificate chain is returned in chain. Caller is responsible for
16360662d10Schristos * freeing the vector.
16460662d10Schristos */
ts_verify_cert(X509_STORE * store,STACK_OF (X509)* untrusted,X509 * signer,STACK_OF (X509)** chain)165*1dcdf01fSchristos static int ts_verify_cert(X509_STORE *store, STACK_OF(X509) *untrusted,
16660662d10Schristos X509 *signer, STACK_OF(X509) **chain)
16760662d10Schristos {
168*1dcdf01fSchristos X509_STORE_CTX *cert_ctx = NULL;
16960662d10Schristos int i;
170*1dcdf01fSchristos int ret = 0;
17160662d10Schristos
17260662d10Schristos *chain = NULL;
173*1dcdf01fSchristos cert_ctx = X509_STORE_CTX_new();
174*1dcdf01fSchristos if (cert_ctx == NULL) {
175*1dcdf01fSchristos TSerr(TS_F_TS_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
176*1dcdf01fSchristos goto err;
177*1dcdf01fSchristos }
178*1dcdf01fSchristos if (!X509_STORE_CTX_init(cert_ctx, store, signer, untrusted))
179*1dcdf01fSchristos goto end;
180*1dcdf01fSchristos X509_STORE_CTX_set_purpose(cert_ctx, X509_PURPOSE_TIMESTAMP_SIGN);
181*1dcdf01fSchristos i = X509_verify_cert(cert_ctx);
18260662d10Schristos if (i <= 0) {
183*1dcdf01fSchristos int j = X509_STORE_CTX_get_error(cert_ctx);
18460662d10Schristos TSerr(TS_F_TS_VERIFY_CERT, TS_R_CERTIFICATE_VERIFY_ERROR);
18560662d10Schristos ERR_add_error_data(2, "Verify error:",
18660662d10Schristos X509_verify_cert_error_string(j));
187*1dcdf01fSchristos goto err;
18860662d10Schristos }
189*1dcdf01fSchristos *chain = X509_STORE_CTX_get1_chain(cert_ctx);
190*1dcdf01fSchristos ret = 1;
191*1dcdf01fSchristos goto end;
19260662d10Schristos
193*1dcdf01fSchristos err:
194*1dcdf01fSchristos ret = 0;
19560662d10Schristos
196*1dcdf01fSchristos end:
197*1dcdf01fSchristos X509_STORE_CTX_free(cert_ctx);
19860662d10Schristos return ret;
19960662d10Schristos }
20060662d10Schristos
ts_check_signing_certs(PKCS7_SIGNER_INFO * si,STACK_OF (X509)* chain)201*1dcdf01fSchristos static int ts_check_signing_certs(PKCS7_SIGNER_INFO *si,
20260662d10Schristos STACK_OF(X509) *chain)
20360662d10Schristos {
204*1dcdf01fSchristos ESS_SIGNING_CERT *ss = ess_get_signing_cert(si);
20560662d10Schristos STACK_OF(ESS_CERT_ID) *cert_ids = NULL;
206*1dcdf01fSchristos ESS_SIGNING_CERT_V2 *ssv2 = ess_get_signing_cert_v2(si);
207*1dcdf01fSchristos STACK_OF(ESS_CERT_ID_V2) *cert_ids_v2 = NULL;
20860662d10Schristos X509 *cert;
20960662d10Schristos int i = 0;
21060662d10Schristos int ret = 0;
21160662d10Schristos
212*1dcdf01fSchristos if (ss != NULL) {
21360662d10Schristos cert_ids = ss->cert_ids;
21460662d10Schristos cert = sk_X509_value(chain, 0);
215*1dcdf01fSchristos if (ts_find_cert(cert_ids, cert) != 0)
21660662d10Schristos goto err;
21760662d10Schristos
21860662d10Schristos /*
21960662d10Schristos * Check the other certificates of the chain if there are more than one
22060662d10Schristos * certificate ids in cert_ids.
22160662d10Schristos */
22260662d10Schristos if (sk_ESS_CERT_ID_num(cert_ids) > 1) {
22360662d10Schristos for (i = 1; i < sk_X509_num(chain); ++i) {
22460662d10Schristos cert = sk_X509_value(chain, i);
225*1dcdf01fSchristos if (ts_find_cert(cert_ids, cert) < 0)
22660662d10Schristos goto err;
22760662d10Schristos }
22860662d10Schristos }
229*1dcdf01fSchristos } else if (ssv2 != NULL) {
230*1dcdf01fSchristos cert_ids_v2 = ssv2->cert_ids;
231*1dcdf01fSchristos cert = sk_X509_value(chain, 0);
232*1dcdf01fSchristos if (ts_find_cert_v2(cert_ids_v2, cert) != 0)
233*1dcdf01fSchristos goto err;
234*1dcdf01fSchristos
235*1dcdf01fSchristos /*
236*1dcdf01fSchristos * Check the other certificates of the chain if there are more than one
237*1dcdf01fSchristos * certificate ids in cert_ids.
238*1dcdf01fSchristos */
239*1dcdf01fSchristos if (sk_ESS_CERT_ID_V2_num(cert_ids_v2) > 1) {
240*1dcdf01fSchristos for (i = 1; i < sk_X509_num(chain); ++i) {
241*1dcdf01fSchristos cert = sk_X509_value(chain, i);
242*1dcdf01fSchristos if (ts_find_cert_v2(cert_ids_v2, cert) < 0)
243*1dcdf01fSchristos goto err;
244*1dcdf01fSchristos }
245*1dcdf01fSchristos }
246*1dcdf01fSchristos } else {
247*1dcdf01fSchristos goto err;
248*1dcdf01fSchristos }
249*1dcdf01fSchristos
25060662d10Schristos ret = 1;
25160662d10Schristos err:
25260662d10Schristos if (!ret)
25360662d10Schristos TSerr(TS_F_TS_CHECK_SIGNING_CERTS,
25460662d10Schristos TS_R_ESS_SIGNING_CERTIFICATE_ERROR);
25560662d10Schristos ESS_SIGNING_CERT_free(ss);
256*1dcdf01fSchristos ESS_SIGNING_CERT_V2_free(ssv2);
25760662d10Schristos return ret;
25860662d10Schristos }
25960662d10Schristos
ess_get_signing_cert(PKCS7_SIGNER_INFO * si)260*1dcdf01fSchristos static ESS_SIGNING_CERT *ess_get_signing_cert(PKCS7_SIGNER_INFO *si)
26160662d10Schristos {
26260662d10Schristos ASN1_TYPE *attr;
26360662d10Schristos const unsigned char *p;
26460662d10Schristos attr = PKCS7_get_signed_attribute(si, NID_id_smime_aa_signingCertificate);
26560662d10Schristos if (!attr)
26660662d10Schristos return NULL;
26760662d10Schristos p = attr->value.sequence->data;
26860662d10Schristos return d2i_ESS_SIGNING_CERT(NULL, &p, attr->value.sequence->length);
26960662d10Schristos }
27060662d10Schristos
ess_get_signing_cert_v2(PKCS7_SIGNER_INFO * si)271*1dcdf01fSchristos static ESS_SIGNING_CERT_V2 *ess_get_signing_cert_v2(PKCS7_SIGNER_INFO *si)
272*1dcdf01fSchristos {
273*1dcdf01fSchristos ASN1_TYPE *attr;
274*1dcdf01fSchristos const unsigned char *p;
275*1dcdf01fSchristos
276*1dcdf01fSchristos attr = PKCS7_get_signed_attribute(si, NID_id_smime_aa_signingCertificateV2);
277*1dcdf01fSchristos if (attr == NULL)
278*1dcdf01fSchristos return NULL;
279*1dcdf01fSchristos p = attr->value.sequence->data;
280*1dcdf01fSchristos return d2i_ESS_SIGNING_CERT_V2(NULL, &p, attr->value.sequence->length);
281*1dcdf01fSchristos }
282*1dcdf01fSchristos
28360662d10Schristos /* Returns < 0 if certificate is not found, certificate index otherwise. */
ts_find_cert(STACK_OF (ESS_CERT_ID)* cert_ids,X509 * cert)284*1dcdf01fSchristos static int ts_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert)
28560662d10Schristos {
28660662d10Schristos int i;
287*1dcdf01fSchristos unsigned char cert_sha1[SHA_DIGEST_LENGTH];
28860662d10Schristos
28960662d10Schristos if (!cert_ids || !cert)
29060662d10Schristos return -1;
29160662d10Schristos
29260662d10Schristos /* Recompute SHA1 hash of certificate if necessary (side effect). */
29360662d10Schristos X509_check_purpose(cert, -1, 0);
29460662d10Schristos
295*1dcdf01fSchristos if (!X509_digest(cert, EVP_sha1(), cert_sha1, NULL))
296*1dcdf01fSchristos return -1;
297*1dcdf01fSchristos
29860662d10Schristos /* Look for cert in the cert_ids vector. */
29960662d10Schristos for (i = 0; i < sk_ESS_CERT_ID_num(cert_ids); ++i) {
30060662d10Schristos ESS_CERT_ID *cid = sk_ESS_CERT_ID_value(cert_ids, i);
30160662d10Schristos
302*1dcdf01fSchristos if (cid->hash->length == SHA_DIGEST_LENGTH
303*1dcdf01fSchristos && memcmp(cid->hash->data, cert_sha1, SHA_DIGEST_LENGTH) == 0) {
30460662d10Schristos ESS_ISSUER_SERIAL *is = cid->issuer_serial;
305*1dcdf01fSchristos if (!is || !ts_issuer_serial_cmp(is, cert))
30660662d10Schristos return i;
30760662d10Schristos }
30860662d10Schristos }
30960662d10Schristos
31060662d10Schristos return -1;
31160662d10Schristos }
31260662d10Schristos
313*1dcdf01fSchristos /* Returns < 0 if certificate is not found, certificate index otherwise. */
ts_find_cert_v2(STACK_OF (ESS_CERT_ID_V2)* cert_ids,X509 * cert)314*1dcdf01fSchristos static int ts_find_cert_v2(STACK_OF(ESS_CERT_ID_V2) *cert_ids, X509 *cert)
315*1dcdf01fSchristos {
316*1dcdf01fSchristos int i;
317*1dcdf01fSchristos unsigned char cert_digest[EVP_MAX_MD_SIZE];
318*1dcdf01fSchristos unsigned int len;
319*1dcdf01fSchristos
320*1dcdf01fSchristos /* Look for cert in the cert_ids vector. */
321*1dcdf01fSchristos for (i = 0; i < sk_ESS_CERT_ID_V2_num(cert_ids); ++i) {
322*1dcdf01fSchristos ESS_CERT_ID_V2 *cid = sk_ESS_CERT_ID_V2_value(cert_ids, i);
323*1dcdf01fSchristos const EVP_MD *md;
324*1dcdf01fSchristos
325*1dcdf01fSchristos if (cid->hash_alg != NULL)
326*1dcdf01fSchristos md = EVP_get_digestbyobj(cid->hash_alg->algorithm);
327*1dcdf01fSchristos else
328*1dcdf01fSchristos md = EVP_sha256();
329*1dcdf01fSchristos
330*1dcdf01fSchristos if (!X509_digest(cert, md, cert_digest, &len))
331*1dcdf01fSchristos return -1;
332*1dcdf01fSchristos if (cid->hash->length != (int)len)
333*1dcdf01fSchristos return -1;
334*1dcdf01fSchristos
335*1dcdf01fSchristos if (memcmp(cid->hash->data, cert_digest, cid->hash->length) == 0) {
336*1dcdf01fSchristos ESS_ISSUER_SERIAL *is = cid->issuer_serial;
337*1dcdf01fSchristos
338*1dcdf01fSchristos if (is == NULL || !ts_issuer_serial_cmp(is, cert))
339*1dcdf01fSchristos return i;
340*1dcdf01fSchristos }
341*1dcdf01fSchristos }
342*1dcdf01fSchristos
343*1dcdf01fSchristos return -1;
344*1dcdf01fSchristos }
345*1dcdf01fSchristos
ts_issuer_serial_cmp(ESS_ISSUER_SERIAL * is,X509 * cert)346*1dcdf01fSchristos static int ts_issuer_serial_cmp(ESS_ISSUER_SERIAL *is, X509 *cert)
34760662d10Schristos {
34860662d10Schristos GENERAL_NAME *issuer;
34960662d10Schristos
350*1dcdf01fSchristos if (!is || !cert || sk_GENERAL_NAME_num(is->issuer) != 1)
35160662d10Schristos return -1;
35260662d10Schristos
35360662d10Schristos issuer = sk_GENERAL_NAME_value(is->issuer, 0);
35460662d10Schristos if (issuer->type != GEN_DIRNAME
355*1dcdf01fSchristos || X509_NAME_cmp(issuer->d.dirn, X509_get_issuer_name(cert)))
35660662d10Schristos return -1;
35760662d10Schristos
358*1dcdf01fSchristos if (ASN1_INTEGER_cmp(is->serial, X509_get_serialNumber(cert)))
35960662d10Schristos return -1;
36060662d10Schristos
36160662d10Schristos return 0;
36260662d10Schristos }
36360662d10Schristos
36460662d10Schristos /*-
36560662d10Schristos * Verifies whether 'response' contains a valid response with regards
36660662d10Schristos * to the settings of the context:
36760662d10Schristos * - Gives an error message if the TS_TST_INFO is not present.
36860662d10Schristos * - Calls _TS_RESP_verify_token to verify the token content.
36960662d10Schristos */
TS_RESP_verify_response(TS_VERIFY_CTX * ctx,TS_RESP * response)37060662d10Schristos int TS_RESP_verify_response(TS_VERIFY_CTX *ctx, TS_RESP *response)
37160662d10Schristos {
372*1dcdf01fSchristos PKCS7 *token = response->token;
373*1dcdf01fSchristos TS_TST_INFO *tst_info = response->tst_info;
37460662d10Schristos int ret = 0;
37560662d10Schristos
376*1dcdf01fSchristos if (!ts_check_status_info(response))
37760662d10Schristos goto err;
378*1dcdf01fSchristos if (!int_ts_RESP_verify_token(ctx, token, tst_info))
37960662d10Schristos goto err;
38060662d10Schristos ret = 1;
381*1dcdf01fSchristos
38260662d10Schristos err:
38360662d10Schristos return ret;
38460662d10Schristos }
38560662d10Schristos
38660662d10Schristos /*
38760662d10Schristos * Tries to extract a TS_TST_INFO structure from the PKCS7 token and
38860662d10Schristos * calls the internal int_TS_RESP_verify_token function for verifying it.
38960662d10Schristos */
TS_RESP_verify_token(TS_VERIFY_CTX * ctx,PKCS7 * token)39060662d10Schristos int TS_RESP_verify_token(TS_VERIFY_CTX *ctx, PKCS7 *token)
39160662d10Schristos {
39260662d10Schristos TS_TST_INFO *tst_info = PKCS7_to_TS_TST_INFO(token);
39360662d10Schristos int ret = 0;
39460662d10Schristos if (tst_info) {
395*1dcdf01fSchristos ret = int_ts_RESP_verify_token(ctx, token, tst_info);
39660662d10Schristos TS_TST_INFO_free(tst_info);
39760662d10Schristos }
39860662d10Schristos return ret;
39960662d10Schristos }
40060662d10Schristos
40160662d10Schristos /*-
40260662d10Schristos * Verifies whether the 'token' contains a valid time stamp token
40360662d10Schristos * with regards to the settings of the context. Only those checks are
40460662d10Schristos * carried out that are specified in the context:
40560662d10Schristos * - Verifies the signature of the TS_TST_INFO.
40660662d10Schristos * - Checks the version number of the response.
40760662d10Schristos * - Check if the requested and returned policies math.
40860662d10Schristos * - Check if the message imprints are the same.
40960662d10Schristos * - Check if the nonces are the same.
41060662d10Schristos * - Check if the TSA name matches the signer.
41160662d10Schristos * - Check if the TSA name is the expected TSA.
41260662d10Schristos */
int_ts_RESP_verify_token(TS_VERIFY_CTX * ctx,PKCS7 * token,TS_TST_INFO * tst_info)413*1dcdf01fSchristos static int int_ts_RESP_verify_token(TS_VERIFY_CTX *ctx,
41460662d10Schristos PKCS7 *token, TS_TST_INFO *tst_info)
41560662d10Schristos {
41660662d10Schristos X509 *signer = NULL;
417*1dcdf01fSchristos GENERAL_NAME *tsa_name = tst_info->tsa;
41860662d10Schristos X509_ALGOR *md_alg = NULL;
41960662d10Schristos unsigned char *imprint = NULL;
42060662d10Schristos unsigned imprint_len = 0;
42160662d10Schristos int ret = 0;
42260662d10Schristos int flags = ctx->flags;
42360662d10Schristos
42460662d10Schristos /* Some options require us to also check the signature */
42560662d10Schristos if (((flags & TS_VFY_SIGNER) && tsa_name != NULL)
42660662d10Schristos || (flags & TS_VFY_TSA_NAME)) {
42760662d10Schristos flags |= TS_VFY_SIGNATURE;
42860662d10Schristos }
42960662d10Schristos
43060662d10Schristos if ((flags & TS_VFY_SIGNATURE)
43160662d10Schristos && !TS_RESP_verify_signature(token, ctx->certs, ctx->store, &signer))
43260662d10Schristos goto err;
43360662d10Schristos if ((flags & TS_VFY_VERSION)
43460662d10Schristos && TS_TST_INFO_get_version(tst_info) != 1) {
43560662d10Schristos TSerr(TS_F_INT_TS_RESP_VERIFY_TOKEN, TS_R_UNSUPPORTED_VERSION);
43660662d10Schristos goto err;
43760662d10Schristos }
43860662d10Schristos if ((flags & TS_VFY_POLICY)
439*1dcdf01fSchristos && !ts_check_policy(ctx->policy, tst_info))
44060662d10Schristos goto err;
44160662d10Schristos if ((flags & TS_VFY_IMPRINT)
442*1dcdf01fSchristos && !ts_check_imprints(ctx->md_alg, ctx->imprint, ctx->imprint_len,
44360662d10Schristos tst_info))
44460662d10Schristos goto err;
44560662d10Schristos if ((flags & TS_VFY_DATA)
446*1dcdf01fSchristos && (!ts_compute_imprint(ctx->data, tst_info,
44760662d10Schristos &md_alg, &imprint, &imprint_len)
448*1dcdf01fSchristos || !ts_check_imprints(md_alg, imprint, imprint_len, tst_info)))
44960662d10Schristos goto err;
45060662d10Schristos if ((flags & TS_VFY_NONCE)
451*1dcdf01fSchristos && !ts_check_nonces(ctx->nonce, tst_info))
45260662d10Schristos goto err;
45360662d10Schristos if ((flags & TS_VFY_SIGNER)
454*1dcdf01fSchristos && tsa_name && !ts_check_signer_name(tsa_name, signer)) {
45560662d10Schristos TSerr(TS_F_INT_TS_RESP_VERIFY_TOKEN, TS_R_TSA_NAME_MISMATCH);
45660662d10Schristos goto err;
45760662d10Schristos }
45860662d10Schristos if ((flags & TS_VFY_TSA_NAME)
459*1dcdf01fSchristos && !ts_check_signer_name(ctx->tsa_name, signer)) {
46060662d10Schristos TSerr(TS_F_INT_TS_RESP_VERIFY_TOKEN, TS_R_TSA_UNTRUSTED);
46160662d10Schristos goto err;
46260662d10Schristos }
46360662d10Schristos ret = 1;
464*1dcdf01fSchristos
46560662d10Schristos err:
46660662d10Schristos X509_free(signer);
46760662d10Schristos X509_ALGOR_free(md_alg);
46860662d10Schristos OPENSSL_free(imprint);
46960662d10Schristos return ret;
47060662d10Schristos }
47160662d10Schristos
ts_check_status_info(TS_RESP * response)472*1dcdf01fSchristos static int ts_check_status_info(TS_RESP *response)
47360662d10Schristos {
474*1dcdf01fSchristos TS_STATUS_INFO *info = response->status_info;
47560662d10Schristos long status = ASN1_INTEGER_get(info->status);
47660662d10Schristos const char *status_text = NULL;
47760662d10Schristos char *embedded_status_text = NULL;
47860662d10Schristos char failure_text[TS_STATUS_BUF_SIZE] = "";
47960662d10Schristos
48060662d10Schristos if (status == 0 || status == 1)
48160662d10Schristos return 1;
48260662d10Schristos
48360662d10Schristos /* There was an error, get the description in status_text. */
484*1dcdf01fSchristos if (0 <= status && status < (long) OSSL_NELEM(ts_status_text))
485*1dcdf01fSchristos status_text = ts_status_text[status];
48660662d10Schristos else
48760662d10Schristos status_text = "unknown code";
48860662d10Schristos
48960662d10Schristos if (sk_ASN1_UTF8STRING_num(info->text) > 0
490*1dcdf01fSchristos && (embedded_status_text = ts_get_status_text(info->text)) == NULL)
49160662d10Schristos return 0;
49260662d10Schristos
493*1dcdf01fSchristos /* Fill in failure_text with the failure information. */
49460662d10Schristos if (info->failure_info) {
49560662d10Schristos int i;
49660662d10Schristos int first = 1;
497*1dcdf01fSchristos for (i = 0; i < (int)OSSL_NELEM(ts_failure_info); ++i) {
49860662d10Schristos if (ASN1_BIT_STRING_get_bit(info->failure_info,
499*1dcdf01fSchristos ts_failure_info[i].code)) {
50060662d10Schristos if (!first)
50160662d10Schristos strcat(failure_text, ",");
50260662d10Schristos else
50360662d10Schristos first = 0;
504*1dcdf01fSchristos strcat(failure_text, ts_failure_info[i].text);
50560662d10Schristos }
50660662d10Schristos }
50760662d10Schristos }
50860662d10Schristos if (failure_text[0] == '\0')
50960662d10Schristos strcpy(failure_text, "unspecified");
51060662d10Schristos
51160662d10Schristos TSerr(TS_F_TS_CHECK_STATUS_INFO, TS_R_NO_TIME_STAMP_TOKEN);
51260662d10Schristos ERR_add_error_data(6,
51360662d10Schristos "status code: ", status_text,
51460662d10Schristos ", status text: ", embedded_status_text ?
51560662d10Schristos embedded_status_text : "unspecified",
51660662d10Schristos ", failure codes: ", failure_text);
51760662d10Schristos OPENSSL_free(embedded_status_text);
51860662d10Schristos
51960662d10Schristos return 0;
52060662d10Schristos }
52160662d10Schristos
ts_get_status_text(STACK_OF (ASN1_UTF8STRING)* text)522*1dcdf01fSchristos static char *ts_get_status_text(STACK_OF(ASN1_UTF8STRING) *text)
52360662d10Schristos {
52460662d10Schristos int i;
52560662d10Schristos int length = 0;
52660662d10Schristos char *result = NULL;
52760662d10Schristos char *p;
52860662d10Schristos
52960662d10Schristos for (i = 0; i < sk_ASN1_UTF8STRING_num(text); ++i) {
53060662d10Schristos ASN1_UTF8STRING *current = sk_ASN1_UTF8STRING_value(text, i);
53160662d10Schristos if (ASN1_STRING_length(current) > TS_MAX_STATUS_LENGTH - length - 1)
53260662d10Schristos return NULL;
53360662d10Schristos length += ASN1_STRING_length(current);
53460662d10Schristos length += 1; /* separator character */
53560662d10Schristos }
536*1dcdf01fSchristos if ((result = OPENSSL_malloc(length)) == NULL) {
53760662d10Schristos TSerr(TS_F_TS_GET_STATUS_TEXT, ERR_R_MALLOC_FAILURE);
53860662d10Schristos return NULL;
53960662d10Schristos }
540*1dcdf01fSchristos
54160662d10Schristos for (i = 0, p = result; i < sk_ASN1_UTF8STRING_num(text); ++i) {
54260662d10Schristos ASN1_UTF8STRING *current = sk_ASN1_UTF8STRING_value(text, i);
54360662d10Schristos length = ASN1_STRING_length(current);
54460662d10Schristos if (i > 0)
54560662d10Schristos *p++ = '/';
546*1dcdf01fSchristos strncpy(p, (const char *)ASN1_STRING_get0_data(current), length);
54760662d10Schristos p += length;
54860662d10Schristos }
54960662d10Schristos *p = '\0';
55060662d10Schristos
55160662d10Schristos return result;
55260662d10Schristos }
55360662d10Schristos
ts_check_policy(const ASN1_OBJECT * req_oid,const TS_TST_INFO * tst_info)554*1dcdf01fSchristos static int ts_check_policy(const ASN1_OBJECT *req_oid,
555*1dcdf01fSchristos const TS_TST_INFO *tst_info)
55660662d10Schristos {
557*1dcdf01fSchristos const ASN1_OBJECT *resp_oid = tst_info->policy_id;
55860662d10Schristos
55960662d10Schristos if (OBJ_cmp(req_oid, resp_oid) != 0) {
56060662d10Schristos TSerr(TS_F_TS_CHECK_POLICY, TS_R_POLICY_MISMATCH);
56160662d10Schristos return 0;
56260662d10Schristos }
56360662d10Schristos
56460662d10Schristos return 1;
56560662d10Schristos }
56660662d10Schristos
ts_compute_imprint(BIO * data,TS_TST_INFO * tst_info,X509_ALGOR ** md_alg,unsigned char ** imprint,unsigned * imprint_len)567*1dcdf01fSchristos static int ts_compute_imprint(BIO *data, TS_TST_INFO *tst_info,
56860662d10Schristos X509_ALGOR **md_alg,
56960662d10Schristos unsigned char **imprint, unsigned *imprint_len)
57060662d10Schristos {
571*1dcdf01fSchristos TS_MSG_IMPRINT *msg_imprint = tst_info->msg_imprint;
572*1dcdf01fSchristos X509_ALGOR *md_alg_resp = msg_imprint->hash_algo;
57360662d10Schristos const EVP_MD *md;
574*1dcdf01fSchristos EVP_MD_CTX *md_ctx = NULL;
57560662d10Schristos unsigned char buffer[4096];
57660662d10Schristos int length;
57760662d10Schristos
57860662d10Schristos *md_alg = NULL;
57960662d10Schristos *imprint = NULL;
58060662d10Schristos
581*1dcdf01fSchristos if ((*md_alg = X509_ALGOR_dup(md_alg_resp)) == NULL)
58260662d10Schristos goto err;
583*1dcdf01fSchristos if ((md = EVP_get_digestbyobj((*md_alg)->algorithm)) == NULL) {
58460662d10Schristos TSerr(TS_F_TS_COMPUTE_IMPRINT, TS_R_UNSUPPORTED_MD_ALGORITHM);
58560662d10Schristos goto err;
58660662d10Schristos }
58760662d10Schristos length = EVP_MD_size(md);
58860662d10Schristos if (length < 0)
58960662d10Schristos goto err;
59060662d10Schristos *imprint_len = length;
591*1dcdf01fSchristos if ((*imprint = OPENSSL_malloc(*imprint_len)) == NULL) {
59260662d10Schristos TSerr(TS_F_TS_COMPUTE_IMPRINT, ERR_R_MALLOC_FAILURE);
59360662d10Schristos goto err;
59460662d10Schristos }
59560662d10Schristos
596*1dcdf01fSchristos md_ctx = EVP_MD_CTX_new();
597*1dcdf01fSchristos if (md_ctx == NULL) {
598*1dcdf01fSchristos TSerr(TS_F_TS_COMPUTE_IMPRINT, ERR_R_MALLOC_FAILURE);
59960662d10Schristos goto err;
60060662d10Schristos }
601*1dcdf01fSchristos if (!EVP_DigestInit(md_ctx, md))
60260662d10Schristos goto err;
603*1dcdf01fSchristos while ((length = BIO_read(data, buffer, sizeof(buffer))) > 0) {
604*1dcdf01fSchristos if (!EVP_DigestUpdate(md_ctx, buffer, length))
605*1dcdf01fSchristos goto err;
606*1dcdf01fSchristos }
607*1dcdf01fSchristos if (!EVP_DigestFinal(md_ctx, *imprint, NULL))
608*1dcdf01fSchristos goto err;
609*1dcdf01fSchristos EVP_MD_CTX_free(md_ctx);
61060662d10Schristos
61160662d10Schristos return 1;
61260662d10Schristos err:
613*1dcdf01fSchristos EVP_MD_CTX_free(md_ctx);
61460662d10Schristos X509_ALGOR_free(*md_alg);
615*1dcdf01fSchristos *md_alg = NULL;
61660662d10Schristos OPENSSL_free(*imprint);
61760662d10Schristos *imprint_len = 0;
61860662d10Schristos *imprint = 0;
61960662d10Schristos return 0;
62060662d10Schristos }
62160662d10Schristos
ts_check_imprints(X509_ALGOR * algor_a,const unsigned char * imprint_a,unsigned len_a,TS_TST_INFO * tst_info)622*1dcdf01fSchristos static int ts_check_imprints(X509_ALGOR *algor_a,
623*1dcdf01fSchristos const unsigned char *imprint_a, unsigned len_a,
62460662d10Schristos TS_TST_INFO *tst_info)
62560662d10Schristos {
626*1dcdf01fSchristos TS_MSG_IMPRINT *b = tst_info->msg_imprint;
627*1dcdf01fSchristos X509_ALGOR *algor_b = b->hash_algo;
62860662d10Schristos int ret = 0;
62960662d10Schristos
63060662d10Schristos if (algor_a) {
63160662d10Schristos if (OBJ_cmp(algor_a->algorithm, algor_b->algorithm))
63260662d10Schristos goto err;
63360662d10Schristos
63460662d10Schristos /* The parameter must be NULL in both. */
63560662d10Schristos if ((algor_a->parameter
63660662d10Schristos && ASN1_TYPE_get(algor_a->parameter) != V_ASN1_NULL)
63760662d10Schristos || (algor_b->parameter
63860662d10Schristos && ASN1_TYPE_get(algor_b->parameter) != V_ASN1_NULL))
63960662d10Schristos goto err;
64060662d10Schristos }
64160662d10Schristos
64260662d10Schristos ret = len_a == (unsigned)ASN1_STRING_length(b->hashed_msg) &&
643*1dcdf01fSchristos memcmp(imprint_a, ASN1_STRING_get0_data(b->hashed_msg), len_a) == 0;
64460662d10Schristos err:
64560662d10Schristos if (!ret)
64660662d10Schristos TSerr(TS_F_TS_CHECK_IMPRINTS, TS_R_MESSAGE_IMPRINT_MISMATCH);
64760662d10Schristos return ret;
64860662d10Schristos }
64960662d10Schristos
ts_check_nonces(const ASN1_INTEGER * a,TS_TST_INFO * tst_info)650*1dcdf01fSchristos static int ts_check_nonces(const ASN1_INTEGER *a, TS_TST_INFO *tst_info)
65160662d10Schristos {
652*1dcdf01fSchristos const ASN1_INTEGER *b = tst_info->nonce;
65360662d10Schristos
65460662d10Schristos if (!b) {
65560662d10Schristos TSerr(TS_F_TS_CHECK_NONCES, TS_R_NONCE_NOT_RETURNED);
65660662d10Schristos return 0;
65760662d10Schristos }
65860662d10Schristos
65960662d10Schristos /* No error if a nonce is returned without being requested. */
66060662d10Schristos if (ASN1_INTEGER_cmp(a, b) != 0) {
66160662d10Schristos TSerr(TS_F_TS_CHECK_NONCES, TS_R_NONCE_MISMATCH);
66260662d10Schristos return 0;
66360662d10Schristos }
66460662d10Schristos
66560662d10Schristos return 1;
66660662d10Schristos }
66760662d10Schristos
66860662d10Schristos /*
66960662d10Schristos * Check if the specified TSA name matches either the subject or one of the
67060662d10Schristos * subject alternative names of the TSA certificate.
67160662d10Schristos */
ts_check_signer_name(GENERAL_NAME * tsa_name,X509 * signer)672*1dcdf01fSchristos static int ts_check_signer_name(GENERAL_NAME *tsa_name, X509 *signer)
67360662d10Schristos {
67460662d10Schristos STACK_OF(GENERAL_NAME) *gen_names = NULL;
67560662d10Schristos int idx = -1;
67660662d10Schristos int found = 0;
67760662d10Schristos
67860662d10Schristos if (tsa_name->type == GEN_DIRNAME
679*1dcdf01fSchristos && X509_name_cmp(tsa_name->d.dirn, X509_get_subject_name(signer)) == 0)
68060662d10Schristos return 1;
68160662d10Schristos gen_names = X509_get_ext_d2i(signer, NID_subject_alt_name, NULL, &idx);
682*1dcdf01fSchristos while (gen_names != NULL) {
683*1dcdf01fSchristos found = ts_find_name(gen_names, tsa_name) >= 0;
684*1dcdf01fSchristos if (found)
685*1dcdf01fSchristos break;
68660662d10Schristos /*
68760662d10Schristos * Get the next subject alternative name, although there should be no
68860662d10Schristos * more than one.
68960662d10Schristos */
69060662d10Schristos GENERAL_NAMES_free(gen_names);
691*1dcdf01fSchristos gen_names = X509_get_ext_d2i(signer, NID_subject_alt_name, NULL, &idx);
69260662d10Schristos }
69360662d10Schristos GENERAL_NAMES_free(gen_names);
69460662d10Schristos
69560662d10Schristos return found;
69660662d10Schristos }
69760662d10Schristos
69860662d10Schristos /* Returns 1 if name is in gen_names, 0 otherwise. */
ts_find_name(STACK_OF (GENERAL_NAME)* gen_names,GENERAL_NAME * name)699*1dcdf01fSchristos static int ts_find_name(STACK_OF(GENERAL_NAME) *gen_names, GENERAL_NAME *name)
70060662d10Schristos {
70160662d10Schristos int i, found;
70260662d10Schristos for (i = 0, found = 0; !found && i < sk_GENERAL_NAME_num(gen_names); ++i) {
70360662d10Schristos GENERAL_NAME *current = sk_GENERAL_NAME_value(gen_names, i);
70460662d10Schristos found = GENERAL_NAME_cmp(current, name) == 0;
70560662d10Schristos }
70660662d10Schristos return found ? i - 1 : -1;
70760662d10Schristos }
708