[thirdparty/openssl.git] / crypto / ct / ct_vfy.c

/*
 * Written by Rob Stradling (rob@comodo.com) and Stephen Henson
 * (steve@openssl.org) for the OpenSSL project 2014.
 */
/* ====================================================================
 * Copyright (c) 2014 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    licensing@OpenSSL.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */

#include <string.h>

#include <openssl/ct.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/x509.h>

#include "ct_locl.h"

#define n2s(c,s)        ((s=(((unsigned int)((c)[0]))<< 8)| \
                            (((unsigned int)((c)[1]))    )),c+=2)

#define s2n(s,c)        ((c[0]=(unsigned char)(((s)>> 8)&0xff), \
                          c[1]=(unsigned char)(((s)    )&0xff)),c+=2)

#define l2n3(l,c)       ((c[0]=(unsigned char)(((l)>>16)&0xff), \
                          c[1]=(unsigned char)(((l)>> 8)&0xff), \
                          c[2]=(unsigned char)(((l)    )&0xff)),c+=3)

#define n2l8(c,l)       (l =((uint64_t)(*((c)++)))<<56, \
                         l|=((uint64_t)(*((c)++)))<<48, \
                         l|=((uint64_t)(*((c)++)))<<40, \
                         l|=((uint64_t)(*((c)++)))<<32, \
                         l|=((uint64_t)(*((c)++)))<<24, \
                         l|=((uint64_t)(*((c)++)))<<16, \
                         l|=((uint64_t)(*((c)++)))<< 8, \
                         l|=((uint64_t)(*((c)++))))

#define l2n8(l,c)       (*((c)++)=(unsigned char)(((l)>>56)&0xff), \
                         *((c)++)=(unsigned char)(((l)>>48)&0xff), \
                         *((c)++)=(unsigned char)(((l)>>40)&0xff), \
                         *((c)++)=(unsigned char)(((l)>>32)&0xff), \
                         *((c)++)=(unsigned char)(((l)>>24)&0xff), \
                         *((c)++)=(unsigned char)(((l)>>16)&0xff), \
                         *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
                         *((c)++)=(unsigned char)(((l)    )&0xff))

typedef enum sct_signature_type_t {
    SIGNATURE_TYPE_NOT_SET = -1,
    SIGNATURE_TYPE_CERT_TIMESTAMP,
    SIGNATURE_TYPE_TREE_HASH
} SCT_SIGNATURE_TYPE;

/*
 * Update encoding for SCT signature verification/generation to supplied
 * EVP_MD_CTX.
 */
static int sct_ctx_update(EVP_MD_CTX *ctx, const SCT_CTX *sctx, const SCT *sct)
{
    unsigned char tmpbuf[12];
    unsigned char *p, *der;
    size_t derlen;
    /*
     * digitally-signed struct { (1 byte) Version sct_version; (1 byte)
     * SignatureType signature_type = certificate_timestamp; (8 bytes) uint64
     * timestamp; (2 bytes) LogEntryType entry_type; (? bytes)
     * select(entry_type) { case x509_entry: ASN.1Cert; case precert_entry:
     * PreCert; } signed_entry; (2 bytes + sct->ext_len) CtExtensions
     * extensions;
     */

    if (sct->entry_type == CT_LOG_ENTRY_TYPE_NOT_SET)
        return 0;

    if (sct->entry_type == CT_LOG_ENTRY_TYPE_PRECERT && sctx->ihash == NULL)
        return 0;

    p = tmpbuf;

    *p++ = sct->version;
    *p++ = SIGNATURE_TYPE_CERT_TIMESTAMP;
    l2n8(sct->timestamp, p);
    s2n(sct->entry_type, p);

    if (!EVP_DigestUpdate(ctx, tmpbuf, p - tmpbuf))
        return 0;

    if (sct->entry_type == CT_LOG_ENTRY_TYPE_X509) {
        der = sctx->certder;
        derlen = sctx->certderlen;
    } else {
        if (!EVP_DigestUpdate(ctx, sctx->ihash, sctx->ihashlen))
            return 0;
        der = sctx->preder;
        derlen = sctx->prederlen;
    }

    /* If no encoding available, fatal error */
    if (der == NULL)
        return 0;

    /* Include length first */
    p = tmpbuf;
    l2n3(derlen, p);

    if (!EVP_DigestUpdate(ctx, tmpbuf, 3))
        return 0;
    if (!EVP_DigestUpdate(ctx, der, derlen))
        return 0;

    /* Add any extensions */
    p = tmpbuf;
    s2n(sct->ext_len, p);
    if (!EVP_DigestUpdate(ctx, tmpbuf, 2))
        return 0;

    if (sct->ext_len && !EVP_DigestUpdate(ctx, sct->ext, sct->ext_len))
        return 0;

    return 1;
}

int SCT_verify(const SCT_CTX *sctx, const SCT *sct)
{
    EVP_MD_CTX *ctx = NULL;
    int ret = -1;
    if (!SCT_is_complete(sct) || sctx->pkey == NULL ||
        sct->entry_type == CT_LOG_ENTRY_TYPE_NOT_SET ||
        (sct->entry_type == CT_LOG_ENTRY_TYPE_PRECERT && sctx->ihash == NULL)) {
        CTerr(CT_F_SCT_VERIFY, CT_R_SCT_NOT_SET);
        return -1;
    }
    if (sct->version != SCT_VERSION_V1) {
        CTerr(CT_F_SCT_VERIFY, CT_R_SCT_UNSUPPORTED_VERSION);
        return 0;
    }
    if (sct->log_id_len != sctx->pkeyhashlen ||
        memcmp(sct->log_id, sctx->pkeyhash, sctx->pkeyhashlen) != 0) {
        CTerr(CT_F_SCT_VERIFY, CT_R_SCT_LOG_ID_MISMATCH);
        return 0;
    }
    ctx = EVP_MD_CTX_new();
    if (ctx == NULL)
        goto end;

    if (!EVP_DigestVerifyInit(ctx, NULL, EVP_sha256(), NULL, sctx->pkey))
        goto end;

    if (!sct_ctx_update(ctx, sctx, sct))
        goto end;

    /* Verify signature */
    ret = EVP_DigestVerifyFinal(ctx, sct->sig, sct->sig_len);
    /* If ret < 0 some other error: fall through without setting error */
    if (ret == 0)
        CTerr(CT_F_SCT_VERIFY, CT_R_SCT_INVALID_SIGNATURE);

 end:
    EVP_MD_CTX_free(ctx);
    return ret;
}

int SCT_verify_v1(SCT *sct, X509 *cert, X509 *preissuer,
                  X509_PUBKEY *log_pubkey, X509 *issuer_cert)
{
    int ret = 0;
    SCT_CTX *sctx = NULL;

    if (sct == NULL || cert == NULL || log_pubkey == NULL ||
        (sct->entry_type == CT_LOG_ENTRY_TYPE_PRECERT && issuer_cert == NULL)) {
        CTerr(CT_F_SCT_VERIFY_V1, ERR_R_PASSED_NULL_PARAMETER);
        return -1;
    } else if (!SCT_is_complete(sct)) {
        CTerr(CT_F_SCT_VERIFY_V1, CT_R_SCT_NOT_SET);
        return -1;
    } else if (sct->version != 0) {
        CTerr(CT_F_SCT_VERIFY_V1, CT_R_SCT_UNSUPPORTED_VERSION);
        return 0;
    }

    sctx = SCT_CTX_new();
    if (sctx == NULL)
        goto done;

    ret = SCT_CTX_set1_pubkey(sctx, log_pubkey);

    if (ret <= 0)
        goto done;

    ret = SCT_CTX_set1_cert(sctx, cert, preissuer);

    if (ret <= 0)
        goto done;

    if (sct->entry_type == CT_LOG_ENTRY_TYPE_PRECERT) {
        ret = SCT_CTX_set1_issuer(sctx, issuer_cert);
        if (ret <= 0)
            goto done;
    }

    ret = SCT_verify(sctx, sct);

 done:
    if (sctx != NULL)
        SCT_CTX_free(sctx);
    return ret;
}
Commit	Line	Data
8c6afbc5 RP	1	/*
	2	* Written by Rob Stradling (rob@comodo.com) and Stephen Henson
	3	* (steve@openssl.org) for the OpenSSL project 2014.
	4	*/
	5	/* ====================================================================
	6	* Copyright (c) 2014 The OpenSSL Project. All rights reserved.
	7	*
	8	* Redistribution and use in source and binary forms, with or without
	9	* modification, are permitted provided that the following conditions
	10	* are met:
	11	*
	12	* 1. Redistributions of source code must retain the above copyright
	13	* notice, this list of conditions and the following disclaimer.
	14	*
	15	* 2. Redistributions in binary form must reproduce the above copyright
	16	* notice, this list of conditions and the following disclaimer in
	17	* the documentation and/or other materials provided with the
	18	* distribution.
	19	*
	20	* 3. All advertising materials mentioning features or use of this
	21	* software must display the following acknowledgment:
	22	* "This product includes software developed by the OpenSSL Project
	23	* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
	24	*
	25	* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
	26	* endorse or promote products derived from this software without
	27	* prior written permission. For written permission, please contact
	28	* licensing@OpenSSL.org.
	29	*
	30	* 5. Products derived from this software may not be called "OpenSSL"
	31	* nor may "OpenSSL" appear in their names without prior written
	32	* permission of the OpenSSL Project.
	33	*
	34	* 6. Redistributions of any form whatsoever must retain the following
	35	* acknowledgment:
	36	* "This product includes software developed by the OpenSSL Project
	37	* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
	38	*
	39	* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
	40	* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	41	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
	42	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
	43	* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
	44	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	45	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
	46	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	47	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
	48	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
	49	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
	50	* OF THE POSSIBILITY OF SUCH DAMAGE.
	51	* ====================================================================
	52	*
	53	* This product includes cryptographic software written by Eric Young
	54	* (eay@cryptsoft.com). This product includes software written by Tim
	55	* Hudson (tjh@cryptsoft.com).
	56	*
	57	*/
	58
	59	#include <string.h>
	60
	61	#include <openssl/ct.h>
	62	#include <openssl/err.h>
	63	#include <openssl/evp.h>
	64	#include <openssl/x509.h>
65
66	#include "ct_locl.h"
67
68	#define n2s(c,s) ((s=(((unsigned int)((c)[0]))<< 8)\| \
69	(((unsigned int)((c)[1])) )),c+=2)
70
71	#define s2n(s,c) ((c[0]=(unsigned char)(((s)>> 8)&0xff), \
72	c[1]=(unsigned char)(((s) )&0xff)),c+=2)
73
74	#define l2n3(l,c) ((c[0]=(unsigned char)(((l)>>16)&0xff), \
75	c[1]=(unsigned char)(((l)>> 8)&0xff), \
76	c[2]=(unsigned char)(((l) )&0xff)),c+=3)
77
78	#define n2l8(c,l) (l =((uint64_t)(*((c)++)))<<56, \
79	l\|=((uint64_t)(*((c)++)))<<48, \
80	l\|=((uint64_t)(*((c)++)))<<40, \
81	l\|=((uint64_t)(*((c)++)))<<32, \
82	l\|=((uint64_t)(*((c)++)))<<24, \
83	l\|=((uint64_t)(*((c)++)))<<16, \
84	l\|=((uint64_t)(*((c)++)))<< 8, \
85	l\|=((uint64_t)(*((c)++))))
86
87	#define l2n8(l,c) (*((c)++)=(unsigned char)(((l)>>56)&0xff), \
88	*((c)++)=(unsigned char)(((l)>>48)&0xff), \
89	*((c)++)=(unsigned char)(((l)>>40)&0xff), \
90	*((c)++)=(unsigned char)(((l)>>32)&0xff), \
91	*((c)++)=(unsigned char)(((l)>>24)&0xff), \
92	*((c)++)=(unsigned char)(((l)>>16)&0xff), \
93	*((c)++)=(unsigned char)(((l)>> 8)&0xff), \
94	*((c)++)=(unsigned char)(((l) )&0xff))
95
96	typedef enum sct_signature_type_t {
97	SIGNATURE_TYPE_NOT_SET = -1,
98	SIGNATURE_TYPE_CERT_TIMESTAMP,
99	SIGNATURE_TYPE_TREE_HASH
100	} SCT_SIGNATURE_TYPE;
101
102	/*
103	* Update encoding for SCT signature verification/generation to supplied
104	* EVP_MD_CTX.
105	*/
106	static int sct_ctx_update(EVP_MD_CTX ctx, const SCT_CTX sctx, const SCT *sct)
107	{
108	unsigned char tmpbuf[12];
109	unsigned char p, der;
110	size_t derlen;
111	/*
112	* digitally-signed struct { (1 byte) Version sct_version; (1 byte)
113	* SignatureType signature_type = certificate_timestamp; (8 bytes) uint64
114	* timestamp; (2 bytes) LogEntryType entry_type; (? bytes)
115	* select(entry_type) { case x509_entry: ASN.1Cert; case precert_entry:
116	* PreCert; } signed_entry; (2 bytes + sct->ext_len) CtExtensions
117	* extensions;
118	*/
119
120	if (sct->entry_type == CT_LOG_ENTRY_TYPE_NOT_SET)
121	return 0;
122
123	if (sct->entry_type == CT_LOG_ENTRY_TYPE_PRECERT && sctx->ihash == NULL)
124	return 0;
125
126	p = tmpbuf;
127
128	*p++ = sct->version;
129	*p++ = SIGNATURE_TYPE_CERT_TIMESTAMP;
130	l2n8(sct->timestamp, p);
131	s2n(sct->entry_type, p);
132
133	if (!EVP_DigestUpdate(ctx, tmpbuf, p - tmpbuf))
134	return 0;
135
136	if (sct->entry_type == CT_LOG_ENTRY_TYPE_X509) {
137	der = sctx->certder;
138	derlen = sctx->certderlen;
139	} else {
140	if (!EVP_DigestUpdate(ctx, sctx->ihash, sctx->ihashlen))
141	return 0;
142	der = sctx->preder;
143	derlen = sctx->prederlen;
144	}
145
146	/* If no encoding available, fatal error */
147	if (der == NULL)
148	return 0;
149
150	/* Include length first */
151	p = tmpbuf;
152	l2n3(derlen, p);
153
154	if (!EVP_DigestUpdate(ctx, tmpbuf, 3))
155	return 0;
156	if (!EVP_DigestUpdate(ctx, der, derlen))
157	return 0;
158
159	/* Add any extensions */
160	p = tmpbuf;
161	s2n(sct->ext_len, p);
162	if (!EVP_DigestUpdate(ctx, tmpbuf, 2))
163	return 0;
164
165	if (sct->ext_len && !EVP_DigestUpdate(ctx, sct->ext, sct->ext_len))
166	return 0;
167
168	return 1;
169	}
170
171	int SCT_verify(const SCT_CTX sctx, const SCT sct)
172	{
173	EVP_MD_CTX *ctx = NULL;
174	int ret = -1;
175	if (!SCT_is_complete(sct) \|\| sctx->pkey == NULL \|\|
176	sct->entry_type == CT_LOG_ENTRY_TYPE_NOT_SET \|\|
177	(sct->entry_type == CT_LOG_ENTRY_TYPE_PRECERT && sctx->ihash == NULL)) {
178	CTerr(CT_F_SCT_VERIFY, CT_R_SCT_NOT_SET);
179	return -1;
180	}
181	if (sct->version != SCT_VERSION_V1) {
182	CTerr(CT_F_SCT_VERIFY, CT_R_SCT_UNSUPPORTED_VERSION);
183	return 0;
184	}
185	if (sct->log_id_len != sctx->pkeyhashlen \|\|
186	memcmp(sct->log_id, sctx->pkeyhash, sctx->pkeyhashlen) != 0) {
187	CTerr(CT_F_SCT_VERIFY, CT_R_SCT_LOG_ID_MISMATCH);
188	return 0;
189	}
190	ctx = EVP_MD_CTX_new();
191	if (ctx == NULL)
192	goto end;
193
194	if (!EVP_DigestVerifyInit(ctx, NULL, EVP_sha256(), NULL, sctx->pkey))
195	goto end;
196
197	if (!sct_ctx_update(ctx, sctx, sct))
198	goto end;
199
200	/* Verify signature */
201	ret = EVP_DigestVerifyFinal(ctx, sct->sig, sct->sig_len);
202	/* If ret < 0 some other error: fall through without setting error */
203	if (ret == 0)
204	CTerr(CT_F_SCT_VERIFY, CT_R_SCT_INVALID_SIGNATURE);
205
206	end:
207	EVP_MD_CTX_free(ctx);
208	return ret;
209	}
210
211	int SCT_verify_v1(SCT sct, X509 cert, X509 *preissuer,
212	X509_PUBKEY log_pubkey, X509 issuer_cert)
213	{
214	int ret = 0;
215	SCT_CTX *sctx = NULL;
216
217	if (sct == NULL \|\| cert == NULL \|\| log_pubkey == NULL \|\|
218	(sct->entry_type == CT_LOG_ENTRY_TYPE_PRECERT && issuer_cert == NULL)) {
219	CTerr(CT_F_SCT_VERIFY_V1, ERR_R_PASSED_NULL_PARAMETER);
220	return -1;
221	} else if (!SCT_is_complete(sct)) {
222	CTerr(CT_F_SCT_VERIFY_V1, CT_R_SCT_NOT_SET);
223	return -1;
224	} else if (sct->version != 0) {
225	CTerr(CT_F_SCT_VERIFY_V1, CT_R_SCT_UNSUPPORTED_VERSION);
226	return 0;
227	}
228
229	sctx = SCT_CTX_new();
230	if (sctx == NULL)
231	goto done;
232
233	ret = SCT_CTX_set1_pubkey(sctx, log_pubkey);
234
235	if (ret <= 0)
236	goto done;
237
238	ret = SCT_CTX_set1_cert(sctx, cert, preissuer);
239
240	if (ret <= 0)
241	goto done;
242
243	if (sct->entry_type == CT_LOG_ENTRY_TYPE_PRECERT) {
244	ret = SCT_CTX_set1_issuer(sctx, issuer_cert);
245	if (ret <= 0)
246	goto done;
247	}
248
249	ret = SCT_verify(sctx, sct);
250
251	done:
252	if (sctx != NULL)
253	SCT_CTX_free(sctx);
254	return ret;
255	}