]>
Commit | Line | Data |
---|---|---|
3dbc5156 | 1 | /* |
33388b44 | 2 | * Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved. |
3dbc5156 DDO |
3 | * Copyright Nokia 2007-2019 |
4 | * Copyright Siemens AG 2015-2019 | |
5 | * | |
6 | * Licensed under the Apache License 2.0 (the "License"). You may not use | |
7 | * this file except in compliance with the License. You can obtain a copy | |
8 | * in the file LICENSE in the source distribution or at | |
9 | * https://www.openssl.org/source/license.html | |
10 | */ | |
11 | ||
12 | #include "cmp_local.h" | |
13 | ||
14 | /* explicit #includes not strictly needed since implied by the above: */ | |
15 | #include <openssl/asn1t.h> | |
16 | #include <openssl/cmp.h> | |
17 | #include <openssl/crmf.h> | |
18 | #include <openssl/err.h> | |
19 | #include <openssl/x509.h> | |
20 | ||
21 | /* | |
22 | * This function is also used for verification from cmp_vfy. | |
23 | * | |
24 | * Calculate protection for given PKImessage utilizing the given credentials | |
25 | * and the algorithm parameters set inside the message header's protectionAlg. | |
26 | * | |
27 | * Either secret or pkey must be set, the other must be NULL. Attempts doing | |
28 | * PBMAC in case 'secret' is set and signature if 'pkey' is set - but will only | |
29 | * do the protection already marked in msg->header->protectionAlg. | |
30 | * | |
31 | * returns ptr to ASN1_BIT_STRING containing protection on success, else NULL | |
32 | */ | |
33 | ASN1_BIT_STRING *ossl_cmp_calc_protection(const OSSL_CMP_MSG *msg, | |
34 | const ASN1_OCTET_STRING *secret, | |
35 | EVP_PKEY *pkey) | |
36 | { | |
37 | ASN1_BIT_STRING *prot = NULL; | |
642f60d8 | 38 | OSSL_CMP_PROTECTEDPART prot_part; |
3dbc5156 DDO |
39 | const ASN1_OBJECT *algorOID = NULL; |
40 | int len; | |
41 | size_t prot_part_der_len; | |
42 | unsigned char *prot_part_der = NULL; | |
43 | size_t sig_len; | |
44 | unsigned char *protection = NULL; | |
45 | const void *ppval = NULL; | |
46 | int pptype = 0; | |
47 | OSSL_CRMF_PBMPARAMETER *pbm = NULL; | |
48 | ASN1_STRING *pbm_str = NULL; | |
49 | const unsigned char *pbm_str_uc = NULL; | |
50 | EVP_MD_CTX *evp_ctx = NULL; | |
51 | int md_NID; | |
52 | const EVP_MD *md = NULL; | |
53 | ||
54 | if (!ossl_assert(msg != NULL)) | |
55 | return NULL; | |
56 | ||
57 | /* construct data to be signed */ | |
58 | prot_part.header = msg->header; | |
59 | prot_part.body = msg->body; | |
60 | ||
642f60d8 | 61 | len = i2d_OSSL_CMP_PROTECTEDPART(&prot_part, &prot_part_der); |
3dbc5156 DDO |
62 | if (len < 0 || prot_part_der == NULL) { |
63 | CMPerr(0, CMP_R_ERROR_CALCULATING_PROTECTION); | |
64 | goto end; | |
65 | } | |
66 | prot_part_der_len = (size_t) len; | |
67 | ||
68 | if (msg->header->protectionAlg == NULL) { | |
69 | CMPerr(0, CMP_R_UNKNOWN_ALGORITHM_ID); | |
70 | goto end; | |
71 | } | |
72 | X509_ALGOR_get0(&algorOID, &pptype, &ppval, msg->header->protectionAlg); | |
73 | ||
74 | if (secret != NULL && pkey == NULL) { | |
75 | if (ppval == NULL) { | |
76 | CMPerr(0, CMP_R_ERROR_CALCULATING_PROTECTION); | |
77 | goto end; | |
78 | } | |
79 | if (NID_id_PasswordBasedMAC != OBJ_obj2nid(algorOID)) { | |
80 | CMPerr(0, CMP_R_WRONG_ALGORITHM_OID); | |
81 | goto end; | |
82 | } | |
83 | pbm_str = (ASN1_STRING *)ppval; | |
84 | pbm_str_uc = pbm_str->data; | |
85 | pbm = d2i_OSSL_CRMF_PBMPARAMETER(NULL, &pbm_str_uc, pbm_str->length); | |
86 | if (pbm == NULL) { | |
87 | CMPerr(0, CMP_R_WRONG_ALGORITHM_OID); | |
88 | goto end; | |
89 | } | |
90 | ||
91 | if (!OSSL_CRMF_pbm_new(pbm, prot_part_der, prot_part_der_len, | |
92 | secret->data, secret->length, | |
93 | &protection, &sig_len)) | |
94 | goto end; | |
95 | } else if (secret == NULL && pkey != NULL) { | |
96 | /* TODO combine this with large parts of CRMF_poposigningkey_init() */ | |
97 | /* EVP_DigestSignInit() checks that pkey type is correct for the alg */ | |
98 | ||
99 | if (!OBJ_find_sigid_algs(OBJ_obj2nid(algorOID), &md_NID, NULL) | |
100 | || (md = EVP_get_digestbynid(md_NID)) == NULL | |
101 | || (evp_ctx = EVP_MD_CTX_new()) == NULL) { | |
102 | CMPerr(0, CMP_R_UNKNOWN_ALGORITHM_ID); | |
103 | goto end; | |
104 | } | |
105 | if (EVP_DigestSignInit(evp_ctx, NULL, md, NULL, pkey) <= 0 | |
106 | || EVP_DigestSignUpdate(evp_ctx, prot_part_der, | |
107 | prot_part_der_len) <= 0 | |
108 | || EVP_DigestSignFinal(evp_ctx, NULL, &sig_len) <= 0 | |
109 | || (protection = OPENSSL_malloc(sig_len)) == NULL | |
110 | || EVP_DigestSignFinal(evp_ctx, protection, &sig_len) <= 0) { | |
111 | CMPerr(0, CMP_R_ERROR_CALCULATING_PROTECTION); | |
112 | goto end; | |
113 | } | |
114 | } else { | |
115 | CMPerr(0, CMP_R_INVALID_ARGS); | |
116 | goto end; | |
117 | } | |
118 | ||
119 | if ((prot = ASN1_BIT_STRING_new()) == NULL) | |
120 | goto end; | |
121 | /* OpenSSL defaults all bit strings to be encoded as ASN.1 NamedBitList */ | |
122 | prot->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07); | |
123 | prot->flags |= ASN1_STRING_FLAG_BITS_LEFT; | |
124 | if (!ASN1_BIT_STRING_set(prot, protection, sig_len)) { | |
125 | ASN1_BIT_STRING_free(prot); | |
126 | prot = NULL; | |
127 | } | |
128 | ||
129 | end: | |
130 | OSSL_CRMF_PBMPARAMETER_free(pbm); | |
131 | EVP_MD_CTX_free(evp_ctx); | |
132 | OPENSSL_free(protection); | |
133 | OPENSSL_free(prot_part_der); | |
134 | return prot; | |
135 | } | |
136 | ||
137 | int ossl_cmp_msg_add_extraCerts(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg) | |
138 | { | |
139 | if (!ossl_assert(ctx != NULL && msg != NULL)) | |
140 | return 0; | |
141 | ||
142 | if (msg->extraCerts == NULL | |
143 | && (msg->extraCerts = sk_X509_new_null()) == NULL) | |
144 | return 0; | |
145 | ||
146 | if (ctx->clCert != NULL) { | |
147 | /* Make sure that our own cert gets sent, in the first position */ | |
148 | if (!X509_up_ref(ctx->clCert)) | |
149 | return 0; | |
150 | if (!sk_X509_push(msg->extraCerts, ctx->clCert)) { | |
151 | X509_free(ctx->clCert); | |
152 | return 0; | |
153 | } | |
154 | /* if we have untrusted store, try to add intermediate certs */ | |
155 | if (ctx->untrusted_certs != NULL) { | |
156 | STACK_OF(X509) *chain = | |
157 | ossl_cmp_build_cert_chain(ctx->untrusted_certs, ctx->clCert); | |
158 | int res = ossl_cmp_sk_X509_add1_certs(msg->extraCerts, chain, | |
235595c4 | 159 | 1 /* no self-issued */, |
3dbc5156 DDO |
160 | 1 /* no duplicates */, 0); |
161 | sk_X509_pop_free(chain, X509_free); | |
162 | if (res == 0) | |
163 | return 0; | |
164 | } | |
165 | } | |
166 | ||
167 | /* add any additional certificates from ctx->extraCertsOut */ | |
168 | if (!ossl_cmp_sk_X509_add1_certs(msg->extraCerts, ctx->extraCertsOut, 0, | |
169 | 1 /* no duplicates */, 0)) | |
170 | return 0; | |
171 | ||
172 | /* if none was found avoid empty ASN.1 sequence */ | |
173 | if (sk_X509_num(msg->extraCerts) == 0) { | |
174 | sk_X509_free(msg->extraCerts); | |
175 | msg->extraCerts = NULL; | |
176 | } | |
177 | return 1; | |
178 | } | |
179 | ||
180 | /* | |
181 | * Create an X509_ALGOR structure for PasswordBasedMAC protection based on | |
182 | * the pbm settings in the context | |
183 | * returns pointer to X509_ALGOR on success, NULL on error | |
184 | */ | |
185 | static X509_ALGOR *create_pbmac_algor(OSSL_CMP_CTX *ctx) | |
186 | { | |
187 | X509_ALGOR *alg = NULL; | |
188 | OSSL_CRMF_PBMPARAMETER *pbm = NULL; | |
189 | unsigned char *pbm_der = NULL; | |
190 | int pbm_der_len; | |
191 | ASN1_STRING *pbm_str = NULL; | |
192 | ||
193 | if (!ossl_assert(ctx != NULL)) | |
194 | return NULL; | |
195 | ||
196 | alg = X509_ALGOR_new(); | |
197 | pbm = OSSL_CRMF_pbmp_new(ctx->pbm_slen, ctx->pbm_owf, ctx->pbm_itercnt, | |
198 | ctx->pbm_mac); | |
199 | pbm_str = ASN1_STRING_new(); | |
200 | if (alg == NULL || pbm == NULL || pbm_str == NULL) | |
201 | goto err; | |
202 | ||
203 | if ((pbm_der_len = i2d_OSSL_CRMF_PBMPARAMETER(pbm, &pbm_der)) < 0) | |
204 | goto err; | |
205 | ||
206 | if (!ASN1_STRING_set(pbm_str, pbm_der, pbm_der_len)) | |
207 | goto err; | |
208 | OPENSSL_free(pbm_der); | |
209 | ||
210 | X509_ALGOR_set0(alg, OBJ_nid2obj(NID_id_PasswordBasedMAC), | |
211 | V_ASN1_SEQUENCE, pbm_str); | |
212 | OSSL_CRMF_PBMPARAMETER_free(pbm); | |
213 | return alg; | |
214 | ||
215 | err: | |
216 | ASN1_STRING_free(pbm_str); | |
217 | X509_ALGOR_free(alg); | |
218 | OPENSSL_free(pbm_der); | |
219 | OSSL_CRMF_PBMPARAMETER_free(pbm); | |
220 | return NULL; | |
221 | } | |
222 | ||
223 | int ossl_cmp_msg_protect(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg) | |
224 | { | |
225 | if (!ossl_assert(ctx != NULL && msg != NULL)) | |
226 | return 0; | |
227 | ||
228 | if (ctx->unprotectedSend) | |
229 | return 1; | |
230 | ||
231 | /* use PasswordBasedMac according to 5.1.3.1 if secretValue is given */ | |
232 | if (ctx->secretValue != NULL) { | |
233 | if ((msg->header->protectionAlg = create_pbmac_algor(ctx)) == NULL) | |
234 | goto err; | |
235 | if (ctx->referenceValue != NULL | |
236 | && !ossl_cmp_hdr_set1_senderKID(msg->header, | |
237 | ctx->referenceValue)) | |
238 | goto err; | |
239 | ||
240 | /* | |
241 | * add any additional certificates from ctx->extraCertsOut | |
242 | * while not needed to validate the signing cert, the option to do | |
243 | * this might be handy for certain use cases | |
244 | */ | |
245 | if (!ossl_cmp_msg_add_extraCerts(ctx, msg)) | |
246 | goto err; | |
247 | ||
248 | if ((msg->protection = | |
249 | ossl_cmp_calc_protection(msg, ctx->secretValue, NULL)) == NULL) | |
250 | goto err; | |
251 | } else { | |
252 | /* | |
253 | * use MSG_SIG_ALG according to 5.1.3.3 if client Certificate and | |
254 | * private key is given | |
255 | */ | |
256 | if (ctx->clCert != NULL && ctx->pkey != NULL) { | |
257 | const ASN1_OCTET_STRING *subjKeyIDStr = NULL; | |
258 | int algNID = 0; | |
259 | ASN1_OBJECT *alg = NULL; | |
260 | ||
261 | /* make sure that key and certificate match */ | |
262 | if (!X509_check_private_key(ctx->clCert, ctx->pkey)) { | |
263 | CMPerr(0, CMP_R_CERT_AND_KEY_DO_NOT_MATCH); | |
264 | goto err; | |
265 | } | |
266 | ||
267 | if (msg->header->protectionAlg == NULL) | |
268 | if ((msg->header->protectionAlg = X509_ALGOR_new()) == NULL) | |
269 | goto err; | |
270 | ||
271 | if (!OBJ_find_sigid_by_algs(&algNID, ctx->digest, | |
272 | EVP_PKEY_id(ctx->pkey))) { | |
273 | CMPerr(0, CMP_R_UNSUPPORTED_KEY_TYPE); | |
274 | goto err; | |
275 | } | |
276 | if ((alg = OBJ_nid2obj(algNID)) == NULL) | |
277 | goto err; | |
278 | if (!X509_ALGOR_set0(msg->header->protectionAlg, | |
279 | alg, V_ASN1_UNDEF, NULL)) { | |
280 | ASN1_OBJECT_free(alg); | |
281 | goto err; | |
282 | } | |
283 | ||
284 | /* | |
285 | * set senderKID to keyIdentifier of the used certificate according | |
286 | * to section 5.1.1 | |
287 | */ | |
288 | subjKeyIDStr = X509_get0_subject_key_id(ctx->clCert); | |
cfca56df DDO |
289 | if (subjKeyIDStr == NULL) |
290 | subjKeyIDStr = ctx->referenceValue; /* fallback */ | |
3dbc5156 DDO |
291 | if (subjKeyIDStr != NULL |
292 | && !ossl_cmp_hdr_set1_senderKID(msg->header, subjKeyIDStr)) | |
293 | goto err; | |
294 | ||
295 | /* | |
296 | * Add ctx->clCert followed, if possible, by its chain built | |
297 | * from ctx->untrusted_certs, and then ctx->extraCertsOut | |
298 | */ | |
299 | if (!ossl_cmp_msg_add_extraCerts(ctx, msg)) | |
300 | goto err; | |
301 | ||
302 | if ((msg->protection = | |
303 | ossl_cmp_calc_protection(msg, NULL, ctx->pkey)) == NULL) | |
304 | goto err; | |
305 | } else { | |
306 | CMPerr(0, CMP_R_MISSING_KEY_INPUT_FOR_CREATING_PROTECTION); | |
307 | goto err; | |
308 | } | |
309 | } | |
310 | ||
cfca56df DDO |
311 | /* |
312 | * As required by RFC 4210 section 5.1.1., if the sender name is not known | |
313 | * to the client it set to NULL-DN. In this case for identification at least | |
314 | * the senderKID must be set, where we took the referenceValue as fallback. | |
315 | */ | |
316 | ||
317 | if (ossl_cmp_general_name_is_NULL_DN(msg->header->sender) | |
318 | && msg->header->senderKID == NULL) | |
319 | CMPerr(0, CMP_R_MISSING_SENDER_IDENTIFICATION); | |
320 | else | |
321 | return 1; | |
322 | ||
3dbc5156 DDO |
323 | err: |
324 | CMPerr(0, CMP_R_ERROR_PROTECTING_MESSAGE); | |
325 | return 0; | |
326 | } |