]>
Commit | Line | Data |
---|---|---|
0cea8832 | 1 | /* |
33388b44 | 2 | * Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved. |
0cea8832 | 3 | * |
5477e842 | 4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
d2e9e320 RS |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
0cea8832 RP |
8 | */ |
9 | ||
0cea8832 | 10 | #include <stddef.h> |
0cea8832 RP |
11 | #include <openssl/ct.h> |
12 | #include <openssl/evp.h> | |
13 | #include <openssl/x509.h> | |
d57611ea | 14 | #include <openssl/x509v3.h> |
0cea8832 RP |
15 | #include <openssl/safestack.h> |
16 | ||
17 | /* | |
18 | * From RFC6962: opaque SerializedSCT<1..2^16-1>; struct { SerializedSCT | |
19 | * sct_list <1..2^16-1>; } SignedCertificateTimestampList; | |
20 | */ | |
21 | # define MAX_SCT_SIZE 65535 | |
22 | # define MAX_SCT_LIST_SIZE MAX_SCT_SIZE | |
23 | ||
0f97a121 RP |
24 | /* |
25 | * Macros to read and write integers in network-byte order. | |
26 | */ | |
27 | ||
28 | #define n2s(c,s) ((s=(((unsigned int)((c)[0]))<< 8)| \ | |
29 | (((unsigned int)((c)[1])) )),c+=2) | |
30 | ||
31 | #define s2n(s,c) ((c[0]=(unsigned char)(((s)>> 8)&0xff), \ | |
32 | c[1]=(unsigned char)(((s) )&0xff)),c+=2) | |
33 | ||
34 | #define l2n3(l,c) ((c[0]=(unsigned char)(((l)>>16)&0xff), \ | |
35 | c[1]=(unsigned char)(((l)>> 8)&0xff), \ | |
36 | c[2]=(unsigned char)(((l) )&0xff)),c+=3) | |
37 | ||
38 | #define n2l8(c,l) (l =((uint64_t)(*((c)++)))<<56, \ | |
39 | l|=((uint64_t)(*((c)++)))<<48, \ | |
40 | l|=((uint64_t)(*((c)++)))<<40, \ | |
41 | l|=((uint64_t)(*((c)++)))<<32, \ | |
42 | l|=((uint64_t)(*((c)++)))<<24, \ | |
43 | l|=((uint64_t)(*((c)++)))<<16, \ | |
44 | l|=((uint64_t)(*((c)++)))<< 8, \ | |
45 | l|=((uint64_t)(*((c)++)))) | |
46 | ||
47 | #define l2n8(l,c) (*((c)++)=(unsigned char)(((l)>>56)&0xff), \ | |
48 | *((c)++)=(unsigned char)(((l)>>48)&0xff), \ | |
49 | *((c)++)=(unsigned char)(((l)>>40)&0xff), \ | |
50 | *((c)++)=(unsigned char)(((l)>>32)&0xff), \ | |
51 | *((c)++)=(unsigned char)(((l)>>24)&0xff), \ | |
52 | *((c)++)=(unsigned char)(((l)>>16)&0xff), \ | |
53 | *((c)++)=(unsigned char)(((l)>> 8)&0xff), \ | |
54 | *((c)++)=(unsigned char)(((l) )&0xff)) | |
55 | ||
0cea8832 RP |
56 | /* Signed Certificate Timestamp */ |
57 | struct sct_st { | |
58 | sct_version_t version; | |
59 | /* If version is not SCT_VERSION_V1, this contains the encoded SCT */ | |
60 | unsigned char *sct; | |
61 | size_t sct_len; | |
62 | /* If version is SCT_VERSION_V1, fields below contain components of the SCT */ | |
63 | unsigned char *log_id; | |
64 | size_t log_id_len; | |
65 | /* | |
66 | * Note, we cannot distinguish between an unset timestamp, and one | |
67 | * that is set to 0. However since CT didn't exist in 1970, no real | |
68 | * SCT should ever be set as such. | |
69 | */ | |
70 | uint64_t timestamp; | |
71 | unsigned char *ext; | |
72 | size_t ext_len; | |
73 | unsigned char hash_alg; | |
74 | unsigned char sig_alg; | |
75 | unsigned char *sig; | |
76 | size_t sig_len; | |
77 | /* Log entry type */ | |
78 | ct_log_entry_type_t entry_type; | |
8c6afbc5 RP |
79 | /* Where this SCT was found, e.g. certificate, OCSP response, etc. */ |
80 | sct_source_t source; | |
7d054e5a RP |
81 | /* The result of the last attempt to validate this SCT. */ |
82 | sct_validation_status_t validation_status; | |
0cea8832 RP |
83 | }; |
84 | ||
8c6afbc5 RP |
85 | /* Miscellaneous data that is useful when verifying an SCT */ |
86 | struct sct_ctx_st { | |
87 | /* Public key */ | |
88 | EVP_PKEY *pkey; | |
89 | /* Hash of public key */ | |
90 | unsigned char *pkeyhash; | |
91 | size_t pkeyhashlen; | |
92 | /* For pre-certificate: issuer public key hash */ | |
93 | unsigned char *ihash; | |
94 | size_t ihashlen; | |
95 | /* certificate encoding */ | |
96 | unsigned char *certder; | |
97 | size_t certderlen; | |
98 | /* pre-certificate encoding */ | |
99 | unsigned char *preder; | |
100 | size_t prederlen; | |
1fa9ffd9 RP |
101 | /* milliseconds since epoch (to check that the SCT isn't from the future) */ |
102 | uint64_t epoch_time_in_ms; | |
d4b2bfba | 103 | |
b4250010 | 104 | OSSL_LIB_CTX *libctx; |
d4b2bfba | 105 | char *propq; |
8c6afbc5 RP |
106 | }; |
107 | ||
7d054e5a RP |
108 | /* Context when evaluating whether a Certificate Transparency policy is met */ |
109 | struct ct_policy_eval_ctx_st { | |
110 | X509 *cert; | |
111 | X509 *issuer; | |
112 | CTLOG_STORE *log_store; | |
1fa9ffd9 RP |
113 | /* milliseconds since epoch (to check that SCTs aren't from the future) */ |
114 | uint64_t epoch_time_in_ms; | |
d4b2bfba | 115 | |
b4250010 | 116 | OSSL_LIB_CTX *libctx; |
d4b2bfba | 117 | char *propq; |
7d054e5a RP |
118 | }; |
119 | ||
8c6afbc5 RP |
120 | /* |
121 | * Creates a new context for verifying an SCT. | |
122 | */ | |
b4250010 | 123 | SCT_CTX *SCT_CTX_new(OSSL_LIB_CTX *ctx, const char *propq); |
8c6afbc5 RP |
124 | /* |
125 | * Deletes an SCT verification context. | |
126 | */ | |
127 | void SCT_CTX_free(SCT_CTX *sctx); | |
128 | ||
5da65ef2 | 129 | /* |
98af7310 RP |
130 | * Sets the certificate that the SCT was created for. |
131 | * If *cert does not have a poison extension, presigner must be NULL. | |
132 | * If *cert does not have a poison extension, it may have a single SCT | |
133 | * (NID_ct_precert_scts) extension. | |
134 | * If either *cert or *presigner have an AKID (NID_authority_key_identifier) | |
135 | * extension, both must have one. | |
5da65ef2 RP |
136 | * Returns 1 on success, 0 on failure. |
137 | */ | |
138 | __owur int SCT_CTX_set1_cert(SCT_CTX *sctx, X509 *cert, X509 *presigner); | |
139 | ||
140 | /* | |
98af7310 | 141 | * Sets the issuer of the certificate that the SCT was created for. |
5da65ef2 RP |
142 | * This is just a convenience method to save extracting the public key and |
143 | * calling SCT_CTX_set1_issuer_pubkey(). | |
144 | * Issuer must not be NULL. | |
145 | * Returns 1 on success, 0 on failure. | |
146 | */ | |
147 | __owur int SCT_CTX_set1_issuer(SCT_CTX *sctx, const X509 *issuer); | |
148 | ||
149 | /* | |
98af7310 RP |
150 | * Sets the public key of the issuer of the certificate that the SCT was created |
151 | * for. | |
5da65ef2 RP |
152 | * The public key must not be NULL. |
153 | * Returns 1 on success, 0 on failure. | |
154 | */ | |
155 | __owur int SCT_CTX_set1_issuer_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey); | |
156 | ||
157 | /* | |
158 | * Sets the public key of the CT log that the SCT is from. | |
159 | * Returns 1 on success, 0 on failure. | |
160 | */ | |
161 | __owur int SCT_CTX_set1_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey); | |
8c6afbc5 | 162 | |
1fa9ffd9 | 163 | /* |
1871a5aa RP |
164 | * Sets the time to evaluate the SCT against, in milliseconds since the Unix |
165 | * epoch. If the SCT's timestamp is after this time, it will be interpreted as | |
166 | * having been issued in the future. RFC6962 states that "TLS clients MUST | |
167 | * reject SCTs whose timestamp is in the future", so an SCT will not validate | |
168 | * in this case. | |
1fa9ffd9 RP |
169 | */ |
170 | void SCT_CTX_set_time(SCT_CTX *sctx, uint64_t time_in_ms); | |
171 | ||
cdb2a603 RP |
172 | /* |
173 | * Verifies an SCT with the given context. | |
174 | * Returns 1 if the SCT verifies successfully; any other value indicates | |
175 | * failure. See EVP_DigestVerifyFinal() for the meaning of those values. | |
176 | */ | |
177 | __owur int SCT_CTX_verify(const SCT_CTX *sctx, const SCT *sct); | |
178 | ||
0cea8832 | 179 | /* |
70279a81 | 180 | * Does this SCT have the minimum fields populated to be usable? |
0cea8832 RP |
181 | * Returns 1 if so, 0 otherwise. |
182 | */ | |
5da65ef2 | 183 | __owur int SCT_is_complete(const SCT *sct); |
0cea8832 RP |
184 | |
185 | /* | |
186 | * Does this SCT have the signature-related fields populated? | |
187 | * Returns 1 if so, 0 otherwise. | |
188 | * This checks that the signature and hash algorithms are set to supported | |
189 | * values and that the signature field is set. | |
190 | */ | |
5da65ef2 | 191 | __owur int SCT_signature_is_complete(const SCT *sct); |
0cea8832 | 192 | |
63e27d4d RP |
193 | /* |
194 | * TODO(RJPercival): Create an SCT_signature struct and make i2o_SCT_signature | |
195 | * and o2i_SCT_signature conform to the i2d/d2i conventions. | |
196 | */ | |
197 | ||
198 | /* | |
199 | * Serialize (to TLS format) an |sct| signature and write it to |out|. | |
200 | * If |out| is null, no signature will be output but the length will be returned. | |
201 | * If |out| points to a null pointer, a string will be allocated to hold the | |
202 | * TLS-format signature. It is the responsibility of the caller to free it. | |
203 | * If |out| points to an allocated string, the signature will be written to it. | |
204 | * The length of the signature in TLS format will be returned. | |
205 | */ | |
206 | __owur int i2o_SCT_signature(const SCT *sct, unsigned char **out); | |
207 | ||
208 | /* | |
209 | * Parses an SCT signature in TLS format and populates the |sct| with it. | |
210 | * |in| should be a pointer to a string containing the TLS-format signature. | |
211 | * |in| will be advanced to the end of the signature if parsing succeeds. | |
212 | * |len| should be the length of the signature in |in|. | |
213 | * Returns the number of bytes parsed, or a negative integer if an error occurs. | |
eb96e8b5 RP |
214 | * If an error occurs, the SCT's signature NID may be updated whilst the |
215 | * signature field itself remains unset. | |
63e27d4d RP |
216 | */ |
217 | __owur int o2i_SCT_signature(SCT *sct, const unsigned char **in, size_t len); | |
0cea8832 | 218 | |
d57611ea RS |
219 | /* |
220 | * Handlers for Certificate Transparency X509v3/OCSP extensions | |
221 | */ | |
4b68cb41 | 222 | extern const X509V3_EXT_METHOD v3_ct_scts[3]; |