1/* 2 * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10#ifdef OPENSSL_NO_CT 11# error "CT is disabled" 12#endif 13 14#include <stddef.h> 15#include <string.h> 16 17#include <openssl/err.h> 18#include <openssl/obj_mac.h> 19#include <openssl/x509.h> 20 21#include "ct_local.h" 22 23SCT_CTX *SCT_CTX_new(OSSL_LIB_CTX *libctx, const char *propq) 24{ 25 SCT_CTX *sctx = OPENSSL_zalloc(sizeof(*sctx)); 26 27 if (sctx == NULL) { 28 ERR_raise(ERR_LIB_CT, ERR_R_MALLOC_FAILURE); 29 return NULL; 30 } 31 32 sctx->libctx = libctx; 33 if (propq != NULL) { 34 sctx->propq = OPENSSL_strdup(propq); 35 if (sctx->propq == NULL) { 36 ERR_raise(ERR_LIB_CT, ERR_R_MALLOC_FAILURE); 37 OPENSSL_free(sctx); 38 return NULL; 39 } 40 } 41 42 return sctx; 43} 44 45void SCT_CTX_free(SCT_CTX *sctx) 46{ 47 if (sctx == NULL) 48 return; 49 EVP_PKEY_free(sctx->pkey); 50 OPENSSL_free(sctx->pkeyhash); 51 OPENSSL_free(sctx->ihash); 52 OPENSSL_free(sctx->certder); 53 OPENSSL_free(sctx->preder); 54 OPENSSL_free(sctx->propq); 55 OPENSSL_free(sctx); 56} 57 58/* 59 * Finds the index of the first extension with the given NID in cert. 60 * If there is more than one extension with that NID, *is_duplicated is set to 61 * 1, otherwise 0 (unless it is NULL). 62 */ 63static int ct_x509_get_ext(X509 *cert, int nid, int *is_duplicated) 64{ 65 int ret = X509_get_ext_by_NID(cert, nid, -1); 66 67 if (is_duplicated != NULL) 68 *is_duplicated = ret >= 0 && X509_get_ext_by_NID(cert, nid, ret) >= 0; 69 70 return ret; 71} 72 73/* 74 * Modifies a certificate by deleting extensions and copying the issuer and 75 * AKID from the presigner certificate, if necessary. 76 * Returns 1 on success, 0 otherwise. 77 */ 78__owur static int ct_x509_cert_fixup(X509 *cert, X509 *presigner) 79{ 80 int preidx, certidx; 81 int pre_akid_ext_is_dup, cert_akid_ext_is_dup; 82 83 if (presigner == NULL) 84 return 1; 85 86 preidx = ct_x509_get_ext(presigner, NID_authority_key_identifier, 87 &pre_akid_ext_is_dup); 88 certidx = ct_x509_get_ext(cert, NID_authority_key_identifier, 89 &cert_akid_ext_is_dup); 90 91 /* An error occurred whilst searching for the extension */ 92 if (preidx < -1 || certidx < -1) 93 return 0; 94 /* Invalid certificate if they contain duplicate extensions */ 95 if (pre_akid_ext_is_dup || cert_akid_ext_is_dup) 96 return 0; 97 /* AKID must be present in both certificate or absent in both */ 98 if (preidx >= 0 && certidx == -1) 99 return 0; 100 if (preidx == -1 && certidx >= 0) 101 return 0; 102 /* Copy issuer name */ 103 if (!X509_set_issuer_name(cert, X509_get_issuer_name(presigner))) 104 return 0; 105 if (preidx != -1) { 106 /* Retrieve and copy AKID encoding */ 107 X509_EXTENSION *preext = X509_get_ext(presigner, preidx); 108 X509_EXTENSION *certext = X509_get_ext(cert, certidx); 109 ASN1_OCTET_STRING *preextdata; 110 111 /* Should never happen */ 112 if (preext == NULL || certext == NULL) 113 return 0; 114 preextdata = X509_EXTENSION_get_data(preext); 115 if (preextdata == NULL || 116 !X509_EXTENSION_set_data(certext, preextdata)) 117 return 0; 118 } 119 return 1; 120} 121 122int SCT_CTX_set1_cert(SCT_CTX *sctx, X509 *cert, X509 *presigner) 123{ 124 unsigned char *certder = NULL, *preder = NULL; 125 X509 *pretmp = NULL; 126 int certderlen = 0, prederlen = 0; 127 int idx = -1; 128 int poison_ext_is_dup, sct_ext_is_dup; 129 int poison_idx = ct_x509_get_ext(cert, NID_ct_precert_poison, &poison_ext_is_dup); 130 131 /* Duplicate poison extensions are present - error */ 132 if (poison_ext_is_dup) 133 goto err; 134 135 /* If *cert doesn't have a poison extension, it isn't a precert */ 136 if (poison_idx == -1) { 137 /* cert isn't a precert, so we shouldn't have a presigner */ 138 if (presigner != NULL) 139 goto err; 140 141 certderlen = i2d_X509(cert, &certder); 142 if (certderlen < 0) 143 goto err; 144 } 145 146 /* See if cert has a precert SCTs extension */ 147 idx = ct_x509_get_ext(cert, NID_ct_precert_scts, &sct_ext_is_dup); 148 /* Duplicate SCT extensions are present - error */ 149 if (sct_ext_is_dup) 150 goto err; 151 152 if (idx >= 0 && poison_idx >= 0) { 153 /* 154 * cert can't both contain SCTs (i.e. have an SCT extension) and be a 155 * precert (i.e. have a poison extension). 156 */ 157 goto err; 158 } 159 160 if (idx == -1) { 161 idx = poison_idx; 162 } 163 164 /* 165 * If either a poison or SCT extension is present, remove it before encoding 166 * cert. This, along with ct_x509_cert_fixup(), gets a TBSCertificate (see 167 * RFC5280) from cert, which is what the CT log signed when it produced the 168 * SCT. 169 */ 170 if (idx >= 0) { 171 /* Take a copy of certificate so we don't modify passed version */ 172 pretmp = X509_dup(cert); 173 if (pretmp == NULL) 174 goto err; 175 176 X509_EXTENSION_free(X509_delete_ext(pretmp, idx)); 177 178 if (!ct_x509_cert_fixup(pretmp, presigner)) 179 goto err; 180 181 prederlen = i2d_re_X509_tbs(pretmp, &preder); 182 if (prederlen <= 0) 183 goto err; 184 } 185 186 X509_free(pretmp); 187 188 OPENSSL_free(sctx->certder); 189 sctx->certder = certder; 190 sctx->certderlen = certderlen; 191 192 OPENSSL_free(sctx->preder); 193 sctx->preder = preder; 194 sctx->prederlen = prederlen; 195 196 return 1; 197err: 198 OPENSSL_free(certder); 199 OPENSSL_free(preder); 200 X509_free(pretmp); 201 return 0; 202} 203 204__owur static int ct_public_key_hash(SCT_CTX *sctx, X509_PUBKEY *pkey, 205 unsigned char **hash, size_t *hash_len) 206{ 207 int ret = 0; 208 unsigned char *md = NULL, *der = NULL; 209 int der_len; 210 unsigned int md_len; 211 EVP_MD *sha256 = EVP_MD_fetch(sctx->libctx, "SHA2-256", sctx->propq); 212 213 if (sha256 == NULL) 214 goto err; 215 216 /* Reuse buffer if possible */ 217 if (*hash != NULL && *hash_len >= SHA256_DIGEST_LENGTH) { 218 md = *hash; 219 } else { 220 md = OPENSSL_malloc(SHA256_DIGEST_LENGTH); 221 if (md == NULL) 222 goto err; 223 } 224 225 /* Calculate key hash */ 226 der_len = i2d_X509_PUBKEY(pkey, &der); 227 if (der_len <= 0) 228 goto err; 229 230 if (!EVP_Digest(der, der_len, md, &md_len, sha256, NULL)) 231 goto err; 232 233 if (md != *hash) { 234 OPENSSL_free(*hash); 235 *hash = md; 236 *hash_len = SHA256_DIGEST_LENGTH; 237 } 238 239 md = NULL; 240 ret = 1; 241 err: 242 EVP_MD_free(sha256); 243 OPENSSL_free(md); 244 OPENSSL_free(der); 245 return ret; 246} 247 248int SCT_CTX_set1_issuer(SCT_CTX *sctx, const X509 *issuer) 249{ 250 return SCT_CTX_set1_issuer_pubkey(sctx, X509_get_X509_PUBKEY(issuer)); 251} 252 253int SCT_CTX_set1_issuer_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey) 254{ 255 return ct_public_key_hash(sctx, pubkey, &sctx->ihash, &sctx->ihashlen); 256} 257 258int SCT_CTX_set1_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey) 259{ 260 EVP_PKEY *pkey = X509_PUBKEY_get(pubkey); 261 262 if (pkey == NULL) 263 return 0; 264 265 if (!ct_public_key_hash(sctx, pubkey, &sctx->pkeyhash, &sctx->pkeyhashlen)) { 266 EVP_PKEY_free(pkey); 267 return 0; 268 } 269 270 EVP_PKEY_free(sctx->pkey); 271 sctx->pkey = pkey; 272 return 1; 273} 274 275void SCT_CTX_set_time(SCT_CTX *sctx, uint64_t time_in_ms) 276{ 277 sctx->epoch_time_in_ms = time_in_ms; 278} 279