crypto/ct/ct_b64.c

   1 /*
   2  * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
   3  *
   4  * Licensed under the Apache License 2.0 (the "License").  You may not use
   5  * this file except in compliance with the License.  You can obtain a copy
   6  * in the file LICENSE in the source distribution or at
   7  * https://www.openssl.org/source/license.html
   8  */
   9
  10 #include <limits.h>
  11 #include <string.h>
  12
  13 #include <openssl/ct.h>
  14 #include <openssl/err.h>
  15 #include <openssl/evp.h>
  16
  17 #include "ct_local.h"
  18
  19 /*
  20  * Decodes the base64 string |in| into |out|.
  21  * A new string will be malloc'd and assigned to |out|. This will be owned by
  22  * the caller. Do not provide a pre-allocated string in |out|.
  23  */
  24 static int ct_base64_decode(const char *in, unsigned char **out)
  25 {
  26     size_t inlen = strlen(in);
  27     int outlen, i;
  28     unsigned char *outbuf = NULL;
  29
  30     if (inlen == 0) {
  31         *out = NULL;
  32         return 0;
  33     }
  34
  35     outlen = (inlen / 4) * 3;
  36     outbuf = OPENSSL_malloc(outlen);
  37     if (outbuf == NULL)
  38         goto err;
  39
  40     outlen = EVP_DecodeBlock(outbuf, (unsigned char *)in, inlen);
  41     if (outlen < 0) {
  42         ERR_raise(ERR_LIB_CT, CT_R_BASE64_DECODE_ERROR);
  43         goto err;
  44     }
  45
  46     /* Subtract padding bytes from |outlen|.  Any more than 2 is malformed. */
  47     i = 0;
  48     while (in[--inlen] == '=') {
  49         --outlen;
  50         if (++i > 2)
  51             goto err;
  52     }
  53
  54     *out = outbuf;
  55     return outlen;
  56 err:
  57     OPENSSL_free(outbuf);
  58     return -1;
  59 }
  60
  61 SCT *SCT_new_from_base64(unsigned char version, const char *logid_base64,
  62                          ct_log_entry_type_t entry_type, uint64_t timestamp,
  63                          const char *extensions_base64,
  64                          const char *signature_base64)
  65 {
  66     SCT *sct = SCT_new();
  67     unsigned char *dec = NULL;
  68     const unsigned char* p = NULL;
  69     int declen;
  70
  71     if (sct == NULL) {
  72         ERR_raise(ERR_LIB_CT, ERR_R_CT_LIB);
  73         return NULL;
  74     }
  75
  76     /*
  77      * RFC6962 section 4.1 says we "MUST NOT expect this to be 0", but we
  78      * can only construct SCT versions that have been defined.
  79      */
  80     if (!SCT_set_version(sct, version)) {
  81         ERR_raise(ERR_LIB_CT, CT_R_SCT_UNSUPPORTED_VERSION);
  82         goto err;
  83     }
  84
  85     declen = ct_base64_decode(logid_base64, &dec);
  86     if (declen < 0) {
  87         ERR_raise(ERR_LIB_CT, X509_R_BASE64_DECODE_ERROR);
  88         goto err;
  89     }
  90     if (!SCT_set0_log_id(sct, dec, declen))
  91         goto err;
  92     dec = NULL;
  93
  94     declen = ct_base64_decode(extensions_base64, &dec);
  95     if (declen < 0) {
  96         ERR_raise(ERR_LIB_CT, X509_R_BASE64_DECODE_ERROR);
  97         goto err;
  98     }
  99     SCT_set0_extensions(sct, dec, declen);
 100     dec = NULL;
 101
 102     declen = ct_base64_decode(signature_base64, &dec);
 103     if (declen < 0) {
 104         ERR_raise(ERR_LIB_CT, X509_R_BASE64_DECODE_ERROR);
 105         goto err;
 106     }
 107
 108     p = dec;
 109     if (o2i_SCT_signature(sct, &p, declen) <= 0)
 110         goto err;
 111     OPENSSL_free(dec);
 112     dec = NULL;
 113
 114     SCT_set_timestamp(sct, timestamp);
 115
 116     if (!SCT_set_log_entry_type(sct, entry_type))
 117         goto err;
 118
 119     return sct;
 120
 121  err:
 122     OPENSSL_free(dec);
 123     SCT_free(sct);
 124     return NULL;
 125 }
 126
 127 /*
 128  * Allocate, build and returns a new |ct_log| from input |pkey_base64|
 129  * It returns 1 on success,
 130  * 0 on decoding failure, or invalid parameter if any
 131  * -1 on internal (malloc) failure
 132  */
 133 int CTLOG_new_from_base64_ex(CTLOG **ct_log, const char *pkey_base64,
 134                              const char *name, OSSL_LIB_CTX *libctx,
 135                              const char *propq)
 136 {
 137     unsigned char *pkey_der = NULL;
 138     int pkey_der_len;
 139     const unsigned char *p;
 140     EVP_PKEY *pkey = NULL;
 141
 142     if (ct_log == NULL) {
 143         ERR_raise(ERR_LIB_CT, ERR_R_PASSED_INVALID_ARGUMENT);
 144         return 0;
 145     }
 146
 147     pkey_der_len = ct_base64_decode(pkey_base64, &pkey_der);
 148     if (pkey_der_len < 0) {
 149         ERR_raise(ERR_LIB_CT, CT_R_LOG_CONF_INVALID_KEY);
 150         return 0;
 151     }
 152
 153     p = pkey_der;
 154     pkey = d2i_PUBKEY_ex(NULL, &p, pkey_der_len, libctx, propq);
 155     OPENSSL_free(pkey_der);
 156     if (pkey == NULL) {
 157         ERR_raise(ERR_LIB_CT, CT_R_LOG_CONF_INVALID_KEY);
 158         return 0;
 159     }
 160
 161     *ct_log = CTLOG_new_ex(pkey, name, libctx, propq);
 162     if (*ct_log == NULL) {
 163         EVP_PKEY_free(pkey);
 164         return 0;
 165     }
 166
 167     return 1;
 168 }
 169
 170 int CTLOG_new_from_base64(CTLOG **ct_log, const char *pkey_base64,
 171                           const char *name)
 172 {
 173     return CTLOG_new_from_base64_ex(ct_log, pkey_base64, name, NULL, NULL);
 174 }