/*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/objects.h>
+#include <openssl/core_names.h>
#include "internal/dane.h"
#include "crypto/x509.h"
#include "x509_local.h"
#define CRL_SCORE_AKID 0x004 /* CRL issuer matches CRL AKID */
#define CRL_SCORE_TIME_DELTA 0x002 /* Have a delta CRL with valid times */
+static int x509_verify_x509(X509_STORE_CTX *ctx);
+static int x509_verify_rpk(X509_STORE_CTX *ctx);
static int build_chain(X509_STORE_CTX *ctx);
static int verify_chain(X509_STORE_CTX *ctx);
+static int verify_rpk(X509_STORE_CTX *ctx);
static int dane_verify(X509_STORE_CTX *ctx);
+static int dane_verify_rpk(X509_STORE_CTX *ctx);
static int null_callback(int ok, X509_STORE_CTX *e);
static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer);
static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x);
-static int check_chain(X509_STORE_CTX *ctx);
+static int check_extensions(X509_STORE_CTX *ctx);
static int check_name_constraints(X509_STORE_CTX *ctx);
static int check_id(X509_STORE_CTX *ctx);
static int check_trust(X509_STORE_CTX *ctx, int num_untrusted);
static int check_policy(X509_STORE_CTX *ctx);
static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x);
static int check_dane_issuer(X509_STORE_CTX *ctx, int depth);
-static int check_key_level(X509_STORE_CTX *ctx, X509 *cert);
+static int check_cert_key_level(X509_STORE_CTX *ctx, X509 *cert);
+static int check_key_level(X509_STORE_CTX *ctx, EVP_PKEY *pkey);
static int check_sig_level(X509_STORE_CTX *ctx, X509 *cert);
static int check_curve(X509 *cert);
/*-
* Return 1 if given cert is considered self-signed, 0 if not, or -1 on error.
* This actually verifies self-signedness only if requested.
- * It calls X509v3_cache_extensions()
+ * It calls ossl_x509v3_cache_extensions()
* to match issuer and subject names (i.e., the cert being self-issued) and any
* present authority key identifier to match the subject key identifier, etc.
*/
ERR_raise(ERR_LIB_X509, X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY);
return -1;
}
- if (!x509v3_cache_extensions(cert))
+ if (!ossl_x509v3_cache_extensions(cert))
return -1;
if ((cert->ex_flags & EXFLAG_SS) == 0)
return 0;
return X509_verify(cert, pkey);
}
-/* Given a certificate try and find an exact match in the store */
-static X509 *lookup_cert_match(X509_STORE_CTX *ctx, X509 *x)
+/*
+ * Given a certificate, try and find an exact match in the store.
+ * Returns 1 on success, 0 on not found, -1 on internal error.
+ */
+static int lookup_cert_match(X509 **result, X509_STORE_CTX *ctx, X509 *x)
{
STACK_OF(X509) *certs;
X509 *xtmp = NULL;
- int i;
+ int i, ret;
+ *result = NULL;
/* Lookup all certs with matching subject name */
ERR_set_mark();
certs = ctx->lookup_certs(ctx, X509_get_subject_name(x));
ERR_pop_to_mark();
if (certs == NULL)
- return NULL;
+ return -1;
+
/* Look for exact match */
for (i = 0; i < sk_X509_num(certs); i++) {
xtmp = sk_X509_value(certs, i);
- if (!X509_cmp(xtmp, x))
+ if (X509_cmp(xtmp, x) == 0)
break;
xtmp = NULL;
}
- if (xtmp != NULL && !X509_up_ref(xtmp))
- xtmp = NULL;
- sk_X509_pop_free(certs, X509_free);
- return xtmp;
+ ret = xtmp != NULL;
+ if (ret) {
+ if (!X509_up_ref(xtmp))
+ ret = -1;
+ else
+ *result = xtmp;
+ }
+ OSSL_STACK_OF_X509_free(certs);
+ return ret;
}
/*-
* Inform the verify callback of an error.
- * If 'x' is not NULL it is the error cert, otherwise use the chain cert at
- * 'depth'
- * If 'err' is not X509_V_OK, that's the error value, otherwise leave
- * unchanged (presumably set by the caller).
+ * The error code is set to |err| if |err| is not X509_V_OK, else
+ * |ctx->error| is left unchanged (under the assumption it is set elsewhere).
+ * The error depth is |depth| if >= 0, else it defaults to |ctx->error_depth|.
+ * The error cert is |x| if not NULL, else the cert in |ctx->chain| at |depth|.
*
* Returns 0 to abort verification with an error, non-zero to continue.
*/
static int verify_cb_cert(X509_STORE_CTX *ctx, X509 *x, int depth, int err)
{
- ctx->error_depth = depth;
- ctx->current_cert = (x != NULL) ? x : sk_X509_value(ctx->chain, depth);
+ if (depth < 0)
+ depth = ctx->error_depth;
+ else
+ ctx->error_depth = depth;
+ ctx->current_cert = x != NULL ? x : sk_X509_value(ctx->chain, depth);
if (err != X509_V_OK)
ctx->error = err;
return ctx->verify_cb(0, ctx);
return ctx->verify_cb(0, ctx);
}
+/* Sadly, returns 0 also on internal error in ctx->verify_cb(). */
static int check_auth_level(X509_STORE_CTX *ctx)
{
int i;
* We've already checked the security of the leaf key, so here we only
* check the security of issuer keys.
*/
- CB_FAIL_IF(i > 0 && !check_key_level(ctx, cert),
+ CB_FAIL_IF(i > 0 && !check_cert_key_level(ctx, cert),
ctx, cert, i, X509_V_ERR_CA_KEY_TOO_SMALL);
/*
* We also check the signature algorithm security of all certificates
return 1;
}
+/*-
+ * Returns -1 on internal error.
+ * Sadly, returns 0 also on internal error in ctx->verify_cb().
+ */
+static int verify_rpk(X509_STORE_CTX *ctx)
+{
+ /* Not much to verify on a RPK */
+ if (ctx->verify != NULL)
+ return ctx->verify(ctx);
+
+ return !!ctx->verify_cb(ctx->error == X509_V_OK, ctx);
+}
+
+
+/*-
+ * Returns -1 on internal error.
+ * Sadly, returns 0 also on internal error in ctx->verify_cb().
+ */
static int verify_chain(X509_STORE_CTX *ctx)
{
int err;
int ok;
- /*
- * Before either returning with an error, or continuing with CRL checks,
- * instantiate chain public key parameters.
- */
- if ((ok = build_chain(ctx)) == 0 ||
- (ok = check_chain(ctx)) == 0 ||
- (ok = check_auth_level(ctx)) == 0 ||
- (ok = check_id(ctx)) == 0 || 1)
- X509_get_pubkey_parameters(NULL, ctx->chain);
- if (ok == 0 || (ok = ctx->check_revocation(ctx)) == 0)
- return 0;
+ if ((ok = build_chain(ctx)) <= 0
+ || (ok = check_extensions(ctx)) <= 0
+ || (ok = check_auth_level(ctx)) <= 0
+ || (ok = check_id(ctx)) <= 0
+ || (ok = X509_get_pubkey_parameters(NULL, ctx->chain) ? 1 : -1) <= 0
+ || (ok = ctx->check_revocation(ctx)) <= 0)
+ return ok;
err = X509_chain_check_suiteb(&ctx->error_depth, NULL, ctx->chain,
ctx->param->flags);
/* Verify chain signatures and expiration times */
ok = ctx->verify != NULL ? ctx->verify(ctx) : internal_verify(ctx);
- if (!ok)
- return 0;
+ if (ok <= 0)
+ return ok;
- if ((ok = check_name_constraints(ctx)) == 0)
- return 0;
+ if ((ok = check_name_constraints(ctx)) <= 0)
+ return ok;
#ifndef OPENSSL_NO_RFC3779
/* RFC 3779 path validation, now that CRL check has been done */
- if ((ok = X509v3_asid_validate_path(ctx)) == 0)
- return 0;
- if ((ok = X509v3_addr_validate_path(ctx)) == 0)
- return 0;
+ if ((ok = X509v3_asid_validate_path(ctx)) <= 0)
+ return ok;
+ if ((ok = X509v3_addr_validate_path(ctx)) <= 0)
+ return ok;
#endif
/* If we get this far evaluate policies */
- if (ctx->param->flags & X509_V_FLAG_POLICY_CHECK)
+ if ((ctx->param->flags & X509_V_FLAG_POLICY_CHECK) != 0)
ok = ctx->check_policy(ctx);
return ok;
}
ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER);
return -1;
}
+ if (ctx->rpk != NULL)
+ return x509_verify_rpk(ctx);
if (ctx->cert == NULL && sk_X509_num(ctx->untrusted) >= 1)
ctx->cert = sk_X509_value(ctx->untrusted, 0);
- return X509_verify_cert(ctx);
+ return x509_verify_x509(ctx);
}
int X509_verify_cert(X509_STORE_CTX *ctx)
{
- int ret;
-
if (ctx == NULL) {
ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER);
return -1;
}
+ return (ctx->rpk != NULL) ? x509_verify_rpk(ctx) : x509_verify_x509(ctx);
+}
+
+/*-
+ * Returns -1 on internal error.
+ * Sadly, returns 0 also on internal error in ctx->verify_cb().
+ */
+static int x509_verify_rpk(X509_STORE_CTX *ctx)
+{
+ int ret;
+
+ /* If the peer's public key is too weak, we can stop early. */
+ if (!check_key_level(ctx, ctx->rpk)
+ && verify_cb_cert(ctx, NULL, 0, X509_V_ERR_EE_KEY_TOO_SMALL) == 0)
+ return 0;
+
+ /* Barring any data to verify the RPK, simply report it as untrusted */
+ ctx->error = X509_V_ERR_RPK_UNTRUSTED;
+
+ ret = DANETLS_ENABLED(ctx->dane) ? dane_verify_rpk(ctx) : verify_rpk(ctx);
+
+ /*
+ * Safety-net. If we are returning an error, we must also set ctx->error,
+ * so that the chain is not considered verified should the error be ignored
+ * (e.g. TLS with SSL_VERIFY_NONE).
+ */
+ if (ret <= 0 && ctx->error == X509_V_OK)
+ ctx->error = X509_V_ERR_UNSPECIFIED;
+ return ret;
+}
+
+/*-
+ * Returns -1 on internal error.
+ * Sadly, returns 0 also on internal error in ctx->verify_cb().
+ */
+static int x509_verify_x509(X509_STORE_CTX *ctx)
+{
+ int ret;
+
if (ctx->cert == NULL) {
ERR_raise(ERR_LIB_X509, X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);
ctx->error = X509_V_ERR_INVALID_CALL;
return -1;
}
- if (!X509_add_cert_new(&ctx->chain, ctx->cert, X509_ADD_FLAG_UP_REF)) {
+ if (!ossl_x509_add_cert_new(&ctx->chain, ctx->cert, X509_ADD_FLAG_UP_REF)) {
ctx->error = X509_V_ERR_OUT_OF_MEM;
return -1;
}
ctx->num_untrusted = 1;
/* If the peer's public key is too weak, we can stop early. */
- CB_FAIL_IF(!check_key_level(ctx, ctx->cert),
+ CB_FAIL_IF(!check_cert_key_level(ctx, ctx->cert),
ctx, ctx->cert, 0, X509_V_ERR_EE_KEY_TOO_SMALL);
ret = DANETLS_ENABLED(ctx->dane) ? dane_verify(ctx) : verify_chain(ctx);
if (ctx->check_issued(ctx, x, issuer)
&& (((x->ex_flags & EXFLAG_SI) != 0 && sk_X509_num(ctx->chain) == 1)
|| !sk_X509_contains(ctx->chain, issuer))) {
- if (x509_check_cert_time(ctx, issuer, -1))
+ if (ossl_x509_check_cert_time(ctx, issuer, -1))
return issuer;
if (rv == NULL || ASN1_TIME_compare(X509_get0_notAfter(issuer),
X509_get0_notAfter(rv)) > 0)
return rv;
}
-/* Check that the given certificate 'x' is issued by the certificate 'issuer' */
+/* Check that the given certificate |x| is issued by the certificate |issuer| */
static int check_issued(ossl_unused X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
{
- return x509_likely_issued(issuer, x) == X509_V_OK;
+ int err = ossl_x509_likely_issued(issuer, x);
+
+ if (err == X509_V_OK)
+ return 1;
+ /*
+ * SUBJECT_ISSUER_MISMATCH just means 'x' is clearly not issued by 'issuer'.
+ * Every other error code likely indicates a real error.
+ */
+ return 0;
}
-/* Alternative lookup method: look from a STACK stored in other_ctx */
+/*-
+ * Alternative get_issuer method: look up from a STACK_OF(X509) in other_ctx.
+ * Returns -1 on internal error.
+ */
static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
{
*issuer = find_issuer(ctx, ctx->other_ctx, x);
- if (*issuer != NULL && X509_up_ref(*issuer))
- return 1;
-
- *issuer = NULL;
- return 0;
+ if (*issuer == NULL)
+ return 0;
+ return X509_up_ref(*issuer) ? 1 : -1;
}
-static STACK_OF(X509) *lookup_certs_sk(X509_STORE_CTX *ctx,
- const X509_NAME *nm)
+/*-
+ * Alternative lookup method: look from a STACK stored in other_ctx.
+ * Returns NULL on internal/fatal error, empty stack if not found.
+ */
+static STACK_OF(X509) *lookup_certs_sk(X509_STORE_CTX *ctx, const X509_NAME *nm)
{
- STACK_OF(X509) *sk = NULL;
+ STACK_OF(X509) *sk = sk_X509_new_null();
X509 *x;
int i;
+ if (sk == NULL)
+ return NULL;
for (i = 0; i < sk_X509_num(ctx->other_ctx); i++) {
x = sk_X509_value(ctx->other_ctx, i);
if (X509_NAME_cmp(nm, X509_get_subject_name(x)) == 0) {
- if (!X509_add_cert_new(&sk, x, X509_ADD_FLAG_UP_REF)) {
- sk_X509_pop_free(sk, X509_free);
+ if (!X509_add_cert(sk, x, X509_ADD_FLAG_UP_REF)) {
+ OSSL_STACK_OF_X509_free(sk);
ctx->error = X509_V_ERR_OUT_OF_MEM;
return NULL;
}
/*
* Check EE or CA certificate purpose. For trusted certificates explicit local
* auxiliary trust can be used to override EKU-restrictions.
+ * Sadly, returns 0 also on internal error in ctx->verify_cb().
*/
static int check_purpose(X509_STORE_CTX *ctx, X509 *x, int purpose, int depth,
int must_be_ca)
return 1;
case X509_TRUST_REJECTED:
break;
- default:
+ default: /* can only be X509_TRUST_UNTRUSTED */
switch (X509_check_purpose(x, purpose, must_be_ca > 0)) {
case 1:
return 1;
return verify_cb_cert(ctx, x, depth, X509_V_ERR_INVALID_PURPOSE);
}
-/* Check extensions of a cert chain for consistency with the supplied purpose */
-static int check_chain(X509_STORE_CTX *ctx)
+/*-
+ * Check extensions of a cert chain for consistency with the supplied purpose.
+ * Sadly, returns 0 also on internal error in ctx->verify_cb().
+ */
+static int check_extensions(X509_STORE_CTX *ctx)
{
int i, must_be_ca, plen = 0;
X509 *x;
CB_FAIL_IF(x->altname != NULL
&& sk_GENERAL_NAME_num(x->altname) <= 0,
ctx, x, i, X509_V_ERR_EMPTY_SUBJECT_ALT_NAME);
- /* TODO add more checks on SAN entries */
/* Check sig alg consistency acc. to RFC 5280 section 4.1.1.2 */
CB_FAIL_IF(X509_ALGOR_cmp(&x->sig_alg, &x->cert_info.signature) != 0,
ctx, x, i, X509_V_ERR_SIGNATURE_ALGORITHM_INCONSISTENCY);
CB_FAIL_IF(x->skid != NULL
&& (x->ex_flags & EXFLAG_SKID_CRITICAL) != 0,
ctx, x, i, X509_V_ERR_SUBJECT_KEY_IDENTIFIER_CRITICAL);
- if (X509_get_version(x) >= 2) { /* at least X.509v3 */
+ if (X509_get_version(x) >= X509_VERSION_3) {
/* Check AKID presence acc. to RFC 5280 section 4.2.1.1 */
CB_FAIL_IF(i + 1 < num /*
* this means not last cert in chain,
return ret;
}
+/*-
+ * Returns -1 on internal error.
+ * Sadly, returns 0 also on internal error in ctx->verify_cb().
+ */
static int check_name_constraints(X509_STORE_CTX *ctx)
{
int i;
*/
tmpsubject = X509_NAME_dup(tmpsubject);
if (tmpsubject == NULL) {
- ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE);
+ ERR_raise(ERR_LIB_X509, ERR_R_ASN1_LIB);
ctx->error = X509_V_ERR_OUT_OF_MEM;
- return 0;
+ return -1;
}
tmpentry = X509_NAME_delete_entry(tmpsubject, last_loc);
if (nc) {
int rv = NAME_CONSTRAINTS_check(x, nc);
+ int ret = 1;
/* If EE certificate check commonName too */
if (rv == X509_V_OK && i == 0
& X509_CHECK_FLAG_NEVER_CHECK_SUBJECT) == 0
&& ((ctx->param->hostflags
& X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT) != 0
- || !has_san_id(x, GEN_DNS)))
+ || (ret = has_san_id(x, GEN_DNS)) == 0))
rv = NAME_CONSTRAINTS_check_CN(x, nc);
+ if (ret < 0)
+ return ret;
switch (rv) {
case X509_V_OK:
break;
case X509_V_ERR_OUT_OF_MEM:
- return 0;
+ return -1;
default:
CB_FAIL_IF(1, ctx, x, i, rv);
break;
return 1;
}
+/* Returns -1 on internal error */
static int check_trust(X509_STORE_CTX *ctx, int num_untrusted)
{
- int i;
+ int i, res;
X509 *x = NULL;
X509 *mx;
SSL_DANE *dane = ctx->dane;
* match, we're done, otherwise we'll merely record the match depth.
*/
if (DANETLS_HAS_TA(dane) && num_untrusted > 0 && num_untrusted < num) {
- switch (trust = check_dane_issuer(ctx, num_untrusted)) {
- case X509_TRUST_TRUSTED:
- case X509_TRUST_REJECTED:
+ trust = check_dane_issuer(ctx, num_untrusted);
+ if (trust != X509_TRUST_UNTRUSTED)
return trust;
- }
}
/*
for (i = num_untrusted; i < num; i++) {
x = sk_X509_value(ctx->chain, i);
trust = X509_check_trust(x, ctx->param->trust, 0);
- /* If explicitly trusted return trusted */
+ /* If explicitly trusted (so not neutral nor rejected) return trusted */
if (trust == X509_TRUST_TRUSTED)
goto trusted;
if (trust == X509_TRUST_REJECTED)
* the chain is PKIX trusted.
*/
if (num_untrusted < num) {
- if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN)
+ if ((ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) != 0)
goto trusted;
return X509_TRUST_UNTRUSTED;
}
- if (num_untrusted == num && ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) {
+ if (num_untrusted == num
+ && (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) != 0) {
/*
* Last-resort call with no new trusted certificates, check the leaf
* for a direct trust store match.
*/
i = 0;
x = sk_X509_value(ctx->chain, i);
- mx = lookup_cert_match(ctx, x);
- if (mx == NULL)
+ res = lookup_cert_match(&mx, ctx, x);
+ if (res < 0)
+ return res;
+ if (res == 0)
return X509_TRUST_UNTRUSTED;
/*
return X509_TRUST_UNTRUSTED;
}
+/* Sadly, returns 0 also on internal error. */
static int check_revocation(X509_STORE_CTX *ctx)
{
int i = 0, last = 0, ok = 0;
last = sk_X509_num(ctx->chain) - 1;
} else {
/* If checking CRL paths this isn't the EE certificate */
- if (ctx->parent)
+ if (ctx->parent != NULL)
return 1;
last = 0;
}
return 1;
}
+/* Sadly, returns 0 also on internal error. */
static int check_cert(X509_STORE_CTX *ctx)
{
X509_CRL *crl = NULL, *dcrl = NULL;
time_t *ptime;
int i;
- if (notify)
- ctx->current_crl = crl;
if ((ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME) != 0)
ptime = &ctx->param->check_time;
else if ((ctx->param->flags & X509_V_FLAG_NO_CHECK_TIME) != 0)
return 1;
else
ptime = NULL;
+ if (notify)
+ ctx->current_crl = crl;
i = X509_cmp_time(X509_CRL_get0_lastUpdate(crl), ptime);
if (i == 0) {
*/
static int check_crl_path(X509_STORE_CTX *ctx, X509 *x)
{
- X509_STORE_CTX crl_ctx;
+ X509_STORE_CTX crl_ctx = {0};
int ret;
/* Don't allow recursive CRL path validation */
return 1;
}
+/* Sadly, returns 0 also on internal error in ctx->verify_cb(). */
static int check_policy(X509_STORE_CTX *ctx)
{
int ret;
* X509_policy_check() call.
*/
if (ctx->bare_ta_signed && !sk_X509_push(ctx->chain, NULL)) {
- ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE);
- ctx->error = X509_V_ERR_OUT_OF_MEM;
- return 0;
+ ERR_raise(ERR_LIB_X509, ERR_R_CRYPTO_LIB);
+ goto memerr;
}
ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain,
ctx->param->policies, ctx->param->flags);
(void)sk_X509_pop(ctx->chain);
if (ret == X509_PCY_TREE_INTERNAL) {
- ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE);
- ctx->error = X509_V_ERR_OUT_OF_MEM;
- return 0;
+ ERR_raise(ERR_LIB_X509, ERR_R_X509_LIB);
+ goto memerr;
}
/* Invalid or inconsistent extensions */
if (ret == X509_PCY_TREE_INVALID) {
- int i;
+ int i, cbcalled = 0;
/* Locate certificates with bad extensions and notify callback. */
- for (i = 1; i < sk_X509_num(ctx->chain); i++) {
+ for (i = 0; i < sk_X509_num(ctx->chain); i++) {
X509 *x = sk_X509_value(ctx->chain, i);
+ if ((x->ex_flags & EXFLAG_INVALID_POLICY) != 0)
+ cbcalled = 1;
CB_FAIL_IF((x->ex_flags & EXFLAG_INVALID_POLICY) != 0,
ctx, x, i, X509_V_ERR_INVALID_POLICY_EXTENSION);
}
+ if (!cbcalled) {
+ /* Should not be able to get here */
+ ERR_raise(ERR_LIB_X509, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+ /* The callback ignored the error so we return success */
return 1;
}
if (ret == X509_PCY_TREE_FAILURE) {
}
return 1;
+
+ memerr:
+ ctx->error = X509_V_ERR_OUT_OF_MEM;
+ return -1;
}
/*-
* the validation status.
*
* Return 1 on success, 0 otherwise.
+ * Sadly, returns 0 also on internal error in ctx->verify_cb().
*/
-int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int depth)
+int ossl_x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int depth)
{
time_t *ptime;
int i;
return 1;
}
-/* verify the issuer signatures and cert times of ctx->chain */
+/*
+ * Verify the issuer signatures and cert times of ctx->chain.
+ * Sadly, returns 0 also on internal error in ctx->verify_cb().
+ */
static int internal_verify(X509_STORE_CTX *ctx)
{
- int n = sk_X509_num(ctx->chain) - 1;
- X509 *xi = sk_X509_value(ctx->chain, n);
- X509 *xs = xi;
+ int n;
+ X509 *xi;
+ X509 *xs;
+
+ /* For RPK: just do the verify callback */
+ if (ctx->rpk != NULL) {
+ if (!ctx->verify_cb(ctx->error == X509_V_OK, ctx))
+ return 0;
+ return 1;
+ }
+ n = sk_X509_num(ctx->chain) - 1;
+ xi = sk_X509_value(ctx->chain, n);
+ xs = xi;
ctx->error_depth = n;
if (ctx->bare_ta_signed) {
* We report the issuer as NULL because all we have is a bare key.
*/
xi = NULL;
- } else if (!ctx->check_issued(ctx, xi, xi)
+ } else if (ossl_x509_likely_issued(xi, xi) != X509_V_OK
/* exceptional case: last cert in the chain is not self-issued */
&& ((ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) == 0)) {
if (n > 0) {
}
/*
- * Do not clear ctx->error = 0, it must be "sticky",
+ * Do not clear error (by ctx->error = X509_V_OK), it must be "sticky",
* only the user's callback is allowed to reset errors (at its own peril).
*/
while (n >= 0) {
*/
if (xi != NULL
&& (xs != xi
- || ((ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)
+ || ((ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE) != 0
&& (xi->ex_flags & EXFLAG_SS) != 0))) {
EVP_PKEY *pkey;
/*
* we are free to ignore any key usage restrictions on such certs.
*/
int ret = xs == xi && (xi->ex_flags & EXFLAG_CA) == 0
- ? X509_V_OK : x509_signing_allowed(xi, xs);
+ ? X509_V_OK : ossl_x509_signing_allowed(xi, xs);
CB_FAIL_IF(ret != X509_V_OK, ctx, xi, issuer_depth, ret);
if ((pkey = X509_get0_pubkey(xi)) == NULL) {
}
}
- /* in addition to RFC 5280, do also for trusted (root) cert */
+ /* In addition to RFC 5280 requirements do also for trust anchor cert */
/* Calls verify callback as needed */
- if (!x509_check_cert_time(ctx, xs, n))
+ if (!ossl_x509_check_cert_time(ctx, xs, n))
return 0;
/*
return X509_cmp_time(ctm, NULL);
}
+/* returns 0 on error, otherwise 1 if ctm > cmp_time, else -1 */
int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
{
static const size_t utctime_length = sizeof("YYMMDDHHMMSSZ") - 1;
* Digit and date ranges will be verified in the conversion methods.
*/
for (i = 0; i < ctm->length - 1; i++) {
- if (!ascii_isdigit(ctm->data[i]))
+ if (!ossl_ascii_isdigit(ctm->data[i]))
return 0;
}
if (ctm->data[ctm->length - 1] != upper_z)
return ASN1_TIME_adj(s, t, offset_day, offset_sec);
}
+/* Copy any missing public key parameters up the chain towards pkey */
int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
{
EVP_PKEY *ktmp = NULL, *ktmp2;
int i, j;
- if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey))
+ if (pkey != NULL && !EVP_PKEY_missing_parameters(pkey))
return 1;
for (i = 0; i < sk_X509_num(chain); i++) {
}
if (!EVP_PKEY_missing_parameters(ktmp))
break;
+ ktmp = NULL;
}
if (ktmp == NULL) {
ERR_raise(ERR_LIB_X509, X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN);
/* first, populate the other certs */
for (j = i - 1; j >= 0; j--) {
ktmp2 = X509_get0_pubkey(sk_X509_value(chain, j));
- EVP_PKEY_copy_parameters(ktmp2, ktmp);
+ if (!EVP_PKEY_copy_parameters(ktmp2, ktmp))
+ return 0;
}
if (pkey != NULL)
- EVP_PKEY_copy_parameters(pkey, ktmp);
+ return EVP_PKEY_copy_parameters(pkey, ktmp);
return 1;
}
-/* Make a delta CRL as the difference between two full CRLs */
+/*
+ * Make a delta CRL as the difference between two full CRLs.
+ * Sadly, returns NULL also on internal error.
+ */
X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer,
EVP_PKEY *skey, const EVP_MD *md, unsigned int flags)
{
X509_CRL *crl = NULL;
int i;
-
STACK_OF(X509_REVOKED) *revs = NULL;
+
/* CRLs can't be delta already */
if (base->base_crl_number != NULL || newer->base_crl_number != NULL) {
ERR_raise(ERR_LIB_X509, X509_R_CRL_ALREADY_DELTA);
return NULL;
}
/* Create new CRL */
- crl = X509_CRL_new();
- if (crl == NULL || !X509_CRL_set_version(crl, 1))
- goto memerr;
+ crl = X509_CRL_new_ex(base->libctx, base->propq);
+ if (crl == NULL || !X509_CRL_set_version(crl, X509_CRL_VERSION_2)) {
+ ERR_raise(ERR_LIB_X509, ERR_R_X509_LIB);
+ goto err;
+ }
/* Set issuer name */
- if (!X509_CRL_set_issuer_name(crl, X509_CRL_get_issuer(newer)))
- goto memerr;
+ if (!X509_CRL_set_issuer_name(crl, X509_CRL_get_issuer(newer))) {
+ ERR_raise(ERR_LIB_X509, ERR_R_X509_LIB);
+ goto err;
+ }
- if (!X509_CRL_set1_lastUpdate(crl, X509_CRL_get0_lastUpdate(newer)))
- goto memerr;
- if (!X509_CRL_set1_nextUpdate(crl, X509_CRL_get0_nextUpdate(newer)))
- goto memerr;
+ if (!X509_CRL_set1_lastUpdate(crl, X509_CRL_get0_lastUpdate(newer))) {
+ ERR_raise(ERR_LIB_X509, ERR_R_X509_LIB);
+ goto err;
+ }
+ if (!X509_CRL_set1_nextUpdate(crl, X509_CRL_get0_nextUpdate(newer))) {
+ ERR_raise(ERR_LIB_X509, ERR_R_X509_LIB);
+ goto err;
+ }
/* Set base CRL number: must be critical */
- if (!X509_CRL_add1_ext_i2d(crl, NID_delta_crl, base->crl_number, 1, 0))
- goto memerr;
+ if (!X509_CRL_add1_ext_i2d(crl, NID_delta_crl, base->crl_number, 1, 0)) {
+ ERR_raise(ERR_LIB_X509, ERR_R_X509_LIB);
+ goto err;
+ }
/*
* Copy extensions across from newest CRL to delta: this will set CRL
for (i = 0; i < X509_CRL_get_ext_count(newer); i++) {
X509_EXTENSION *ext = X509_CRL_get_ext(newer, i);
- if (!X509_CRL_add_ext(crl, ext, -1))
- goto memerr;
+ if (!X509_CRL_add_ext(crl, ext, -1)) {
+ ERR_raise(ERR_LIB_X509, ERR_R_X509_LIB);
+ goto err;
+ }
}
/* Go through revoked entries, copying as needed */
rvn = sk_X509_REVOKED_value(revs, i);
/*
- * Add only if not also in base. TODO: need something cleverer here
- * for some more complex CRLs covering multiple CAs.
+ * Add only if not also in base.
+ * Need something cleverer here for some more complex CRLs covering
+ * multiple CAs.
*/
if (!X509_CRL_get0_by_serial(base, &rvtmp, &rvn->serialNumber)) {
rvtmp = X509_REVOKED_dup(rvn);
- if (rvtmp == NULL)
- goto memerr;
+ if (rvtmp == NULL) {
+ ERR_raise(ERR_LIB_X509, ERR_R_ASN1_LIB);
+ goto err;
+ }
if (!X509_CRL_add0_revoked(crl, rvtmp)) {
X509_REVOKED_free(rvtmp);
- goto memerr;
+ ERR_raise(ERR_LIB_X509, ERR_R_X509_LIB);
+ goto err;
}
}
}
- /* TODO: optionally prune deleted entries */
- if (skey != NULL && md != NULL && !X509_CRL_sign(crl, skey, md))
- goto memerr;
+ if (skey != NULL && md != NULL && !X509_CRL_sign(crl, skey, md)) {
+ ERR_raise(ERR_LIB_X509, ERR_R_X509_LIB);
+ goto err;
+ }
return crl;
- memerr:
- ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE);
+ err:
X509_CRL_free(crl);
return NULL;
}
ctx->cert = x;
}
+void X509_STORE_CTX_set0_rpk(X509_STORE_CTX *ctx, EVP_PKEY *rpk)
+{
+ ctx->rpk = rpk;
+}
+
void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk)
{
ctx->crls = sk;
* application can set: if they aren't set then we use the default of SSL
* client/server.
*/
-
int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
int purpose, int trust)
{
/* If purpose not set use default */
if (purpose == 0)
purpose = def_purpose;
+ /*
+ * If purpose is set but we don't have a default then set the default to
+ * the current purpose
+ */
+ else if (def_purpose == 0)
+ def_purpose = purpose;
/* If we have a purpose then check it is valid */
if (purpose != 0) {
X509_PURPOSE *ptmp;
ptmp = X509_PURPOSE_get0(idx);
if (ptmp->trust == X509_TRUST_DEFAULT) {
idx = X509_PURPOSE_get_by_id(def_purpose);
- /*
- * XXX: In the two callers above def_purpose is always 0, which is
- * not a known value, so idx will always be -1. How is the
- * X509_TRUST_DEFAULT case actually supposed to be handled?
- */
if (idx == -1) {
ERR_raise(ERR_LIB_X509, X509_R_UNKNOWN_PURPOSE_ID);
return 0;
{
X509_STORE_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
- if (ctx == NULL) {
- ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE);
+ if (ctx == NULL)
return NULL;
- }
ctx->libctx = libctx;
if (propq != NULL) {
ctx->propq = OPENSSL_strdup(propq);
if (ctx->propq == NULL) {
OPENSSL_free(ctx);
- ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE);
return NULL;
}
}
OPENSSL_free(ctx);
}
+
+int X509_STORE_CTX_init_rpk(X509_STORE_CTX *ctx, X509_STORE *store, EVP_PKEY *rpk)
+{
+ if (!X509_STORE_CTX_init(ctx, store, NULL, NULL))
+ return 0;
+ ctx->rpk = rpk;
+ return 1;
+}
+
int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
STACK_OF(X509) *chain)
{
- int ret = 1;
+ if (ctx == NULL) {
+ ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER);
+ return 0;
+ }
+ X509_STORE_CTX_cleanup(ctx);
ctx->store = store;
ctx->cert = x509;
ctx->other_ctx = NULL;
ctx->valid = 0;
ctx->chain = NULL;
- ctx->error = 0;
+ ctx->error = X509_V_OK;
ctx->explicit_policy = 0;
ctx->error_depth = 0;
ctx->current_cert = NULL;
ctx->parent = NULL;
ctx->dane = NULL;
ctx->bare_ta_signed = 0;
+ ctx->rpk = NULL;
/* Zero ex_data to make sure we're cleanup-safe */
memset(&ctx->ex_data, 0, sizeof(ctx->ex_data));
if (store != NULL)
ctx->cleanup = store->cleanup;
else
- ctx->cleanup = 0;
+ ctx->cleanup = NULL;
if (store != NULL && store->check_issued != NULL)
ctx->check_issued = store->check_issued;
ctx->param = X509_VERIFY_PARAM_new();
if (ctx->param == NULL) {
- ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE);
+ ERR_raise(ERR_LIB_X509, ERR_R_ASN1_LIB);
goto err;
}
/* Inherit callbacks and flags from X509_STORE if not set use defaults. */
- if (store != NULL)
- ret = X509_VERIFY_PARAM_inherit(ctx->param, store->param);
- else
+ if (store == NULL)
ctx->param->inh_flags |= X509_VP_FLAG_DEFAULT | X509_VP_FLAG_ONCE;
+ else if (X509_VERIFY_PARAM_inherit(ctx->param, store->param) == 0)
+ goto err;
- if (ret)
- ret = X509_VERIFY_PARAM_inherit(ctx->param,
- X509_VERIFY_PARAM_lookup("default"));
-
- if (ret == 0) {
- ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE);
+ if (!X509_STORE_CTX_set_default(ctx, "default"))
goto err;
- }
/*
* XXX: For now, continue to inherit trust from VPM, but infer from the
if (CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx,
&ctx->ex_data))
return 1;
- ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE);
+ ERR_raise(ERR_LIB_X509, ERR_R_CRYPTO_LIB);
err:
/*
}
/*
- * Set alternative lookup method: just a STACK of trusted certificates. This
- * avoids X509_STORE nastiness where it isn't needed.
+ * Set alternative get_issuer method: just from a STACK of trusted certificates.
+ * This avoids the complexity of X509_STORE where it is not needed.
*/
void X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
{
* calls cleanup() for the same object twice! Thus we must zero the
* pointers below after they're freed!
*/
- /* Seems to always be 0 in OpenSSL, do this at most once. */
+ /* Seems to always be NULL in OpenSSL, do this at most once. */
if (ctx->cleanup != NULL) {
ctx->cleanup(ctx);
ctx->cleanup = NULL;
}
X509_policy_tree_free(ctx->tree);
ctx->tree = NULL;
- sk_X509_pop_free(ctx->chain, X509_free);
+ OSSL_STACK_OF_X509_free(ctx->chain);
ctx->chain = NULL;
CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, &(ctx->ex_data));
memset(&ctx->ex_data, 0, sizeof(ctx->ex_data));
return ctx->cert;
}
+EVP_PKEY *X509_STORE_CTX_get0_rpk(const X509_STORE_CTX *ctx)
+{
+ return ctx->rpk;
+}
+
STACK_OF(X509) *X509_STORE_CTX_get0_untrusted(const X509_STORE_CTX *ctx)
{
return ctx->untrusted;
void X509_STORE_CTX_set0_verified_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
{
- sk_X509_pop_free(ctx->chain, X509_free);
+ OSSL_STACK_OF_X509_free(ctx->chain);
ctx->chain = sk;
}
const X509_VERIFY_PARAM *param;
param = X509_VERIFY_PARAM_lookup(name);
- if (param == NULL)
+ if (param == NULL) {
+ ERR_raise_data(ERR_LIB_X509, X509_R_UNKNOWN_PURPOSE_ID, "name=%s", name);
return 0;
+ }
return X509_VERIFY_PARAM_inherit(ctx->param, param);
}
}
if (len < 0 || buf == NULL) {
- ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE);
+ ERR_raise(ERR_LIB_X509, ERR_R_ASN1_LIB);
return NULL;
}
#define DANETLS_NONE 256 /* impossible uint8_t */
-static int dane_match(X509_STORE_CTX *ctx, X509 *cert, int depth)
+/* Returns -1 on internal error */
+static int dane_match_cert(X509_STORE_CTX *ctx, X509 *cert, int depth)
{
SSL_DANE *dane = ctx->dane;
unsigned usage = DANETLS_NONE;
return matched;
}
+/* Returns -1 on internal error */
static int check_dane_issuer(X509_STORE_CTX *ctx, int depth)
{
SSL_DANE *dane = ctx->dane;
* for an exact match for the leaf certificate).
*/
cert = sk_X509_value(ctx->chain, depth);
- if (cert != NULL && (matched = dane_match(ctx, cert, depth)) < 0)
- return X509_TRUST_REJECTED;
+ if (cert != NULL && (matched = dane_match_cert(ctx, cert, depth)) < 0)
+ return matched;
if (matched > 0) {
ctx->num_untrusted = depth - 1;
return X509_TRUST_TRUSTED;
return X509_TRUST_UNTRUSTED;
}
+/*
+ * Only DANE-EE and SPKI are supported
+ * Returns -1 on internal error
+ */
+static int dane_match_rpk(X509_STORE_CTX *ctx, EVP_PKEY *rpk)
+{
+ SSL_DANE *dane = ctx->dane;
+ danetls_record *t = NULL;
+ int mtype = DANETLS_MATCHING_FULL;
+ unsigned char *i2dbuf = NULL;
+ unsigned int i2dlen = 0;
+ unsigned char mdbuf[EVP_MAX_MD_SIZE];
+ unsigned char *cmpbuf;
+ unsigned int cmplen = 0;
+ int len;
+ int recnum = sk_danetls_record_num(dane->trecs);
+ int i;
+ int matched = 0;
+
+ /* Calculate ASN.1 DER of RPK */
+ if ((len = i2d_PUBKEY(rpk, &i2dbuf)) <= 0)
+ return -1;
+ cmplen = i2dlen = (unsigned int)len;
+ cmpbuf = i2dbuf;
+
+ for (i = 0; i < recnum; i++) {
+ t = sk_danetls_record_value(dane->trecs, i);
+ if (t->usage != DANETLS_USAGE_DANE_EE || t->selector != DANETLS_SELECTOR_SPKI)
+ continue;
+
+ /* Calculate hash - keep only one around */
+ if (t->mtype != mtype) {
+ const EVP_MD *md = dane->dctx->mdevp[mtype = t->mtype];
+
+ cmpbuf = i2dbuf;
+ cmplen = i2dlen;
+
+ if (md != NULL) {
+ cmpbuf = mdbuf;
+ if (!EVP_Digest(i2dbuf, i2dlen, cmpbuf, &cmplen, md, 0)) {
+ matched = -1;
+ break;
+ }
+ }
+ }
+ if (cmplen == t->dlen && memcmp(cmpbuf, t->data, cmplen) == 0) {
+ matched = 1;
+ dane->mdpth = 0;
+ dane->mtlsa = t;
+ break;
+ }
+ }
+ OPENSSL_free(i2dbuf);
+ return matched;
+}
+
static void dane_reset(SSL_DANE *dane)
{
/* Reset state to verify another chain, or clear after failure. */
dane->pdpth = -1;
}
+/* Sadly, returns 0 also on internal error in ctx->verify_cb(). */
static int check_leaf_suiteb(X509_STORE_CTX *ctx, X509 *cert)
{
int err = X509_chain_check_suiteb(NULL, cert, NULL, ctx->param->flags);
return 1;
}
+/* Returns -1 on internal error */
+static int dane_verify_rpk(X509_STORE_CTX *ctx)
+{
+ SSL_DANE *dane = ctx->dane;
+ int matched;
+
+ dane_reset(dane);
+
+ /*
+ * Look for a DANE record for RPK
+ * If error, return -1
+ * If found, call ctx->verify_cb(1, ctx)
+ * If not found call ctx->verify_cb(0, ctx)
+ */
+ matched = dane_match_rpk(ctx, ctx->rpk);
+ ctx->error_depth = 0;
+
+ if (matched < 0) {
+ ctx->error = X509_V_ERR_UNSPECIFIED;
+ return -1;
+ }
+
+ if (matched > 0)
+ ctx->error = X509_V_OK;
+ else
+ ctx->error = X509_V_ERR_DANE_NO_MATCH;
+
+ return verify_rpk(ctx);
+}
+
+/* Returns -1 on internal error */
static int dane_verify(X509_STORE_CTX *ctx)
{
X509 *cert = ctx->cert;
* + matched == 0, mdepth < 0 (no PKIX-EE match) and there are no
* DANE-TA(2) or PKIX-TA(0) to test.
*/
- matched = dane_match(ctx, ctx->cert, 0);
+ matched = dane_match_cert(ctx, ctx->cert, 0);
done = matched != 0 || (!DANETLS_HAS_TA(dane) && dane->mdpth < 0);
- if (done)
- X509_get_pubkey_parameters(NULL, ctx->chain);
+ if (done && !X509_get_pubkey_parameters(NULL, ctx->chain))
+ return -1;
if (matched > 0) {
/* Callback invoked as needed */
return verify_chain(ctx);
}
-/* Get issuer, without duplicate suppression */
-static int get_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *cert)
+/*
+ * Get trusted issuer, without duplicate suppression
+ * Returns -1 on internal error.
+ */
+static int get1_trusted_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *cert)
{
STACK_OF(X509) *saved_chain = ctx->chain;
int ok;
return ok;
}
+/*-
+ * Returns -1 on internal error.
+ * Sadly, returns 0 also on internal error in ctx->verify_cb().
+ */
static int build_chain(X509_STORE_CTX *ctx)
{
SSL_DANE *dane = ctx->dane;
int num = sk_X509_num(ctx->chain);
- X509 *curr = sk_X509_value(ctx->chain, num - 1); /* current end of chain */
- int self_signed = X509_self_signed(curr, 0); /* always refers to curr */
STACK_OF(X509) *sk_untrusted = NULL;
unsigned int search;
int may_trusted = 0;
int may_alternate = 0;
int trust = X509_TRUST_UNTRUSTED;
int alt_untrusted = 0;
- int depth;
+ int max_depth;
int ok = 0;
int i;
/* Our chain starts with a single untrusted element. */
if (!ossl_assert(num == 1 && ctx->num_untrusted == num))
goto int_err;
- if (self_signed < 0)
- goto int_err;
#define S_DOUNTRUSTED (1 << 0) /* Search untrusted chain */
#define S_DOTRUSTED (1 << 1) /* Search trusted store */
#define S_DOALTERNATE (1 << 2) /* Retry with pruned alternate chain */
/*
- * Set up search policy, untrusted if possible, trusted-first if enabled.
+ * Set up search policy, untrusted if possible, trusted-first if enabled,
+ * which is the default.
* If we're doing DANE and not doing PKIX-TA/PKIX-EE, we never look in the
* trust_store, otherwise we might look there first. If not trusted-first,
* and alternate chains are not disabled, try building an alternate chain
* if no luck with untrusted first.
*/
- search = (ctx->untrusted != NULL) ? S_DOUNTRUSTED : 0;
+ search = ctx->untrusted != NULL ? S_DOUNTRUSTED : 0;
if (DANETLS_HAS_PKIX(dane) || !DANETLS_HAS_DANE(dane)) {
if (search == 0 || (ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST) != 0)
search |= S_DOTRUSTED;
may_trusted = 1;
}
+ /* Initialize empty untrusted stack. */
+ if ((sk_untrusted = sk_X509_new_null()) == NULL) {
+ ERR_raise(ERR_LIB_X509, ERR_R_CRYPTO_LIB);
+ goto memerr;
+ }
+
/*
- * Shallow-copy the stack of untrusted certificates (with TLS, this is
- * typically the content of the peer's certificate message) so can make
- * multiple passes over it, while free to remove elements as we go.
+ * If we got any "Cert(0) Full(0)" trust anchors from DNS, *prepend* them
+ * to our working copy of the untrusted certificate stack.
*/
- if ((sk_untrusted = sk_X509_dup(ctx->untrusted)) == NULL) {
- ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE);
- ctx->error = X509_V_ERR_OUT_OF_MEM;
- return 0;
+ if (DANETLS_ENABLED(dane) && dane->certs != NULL
+ && !X509_add_certs(sk_untrusted, dane->certs, X509_ADD_FLAG_DEFAULT)) {
+ ERR_raise(ERR_LIB_X509, ERR_R_X509_LIB);
+ goto memerr;
}
/*
- * If we got any "DANE-TA(2) Cert(0) Full(0)" trust anchors from DNS, add
- * them to our working copy of the untrusted certificate stack. Since the
- * caller of X509_STORE_CTX_init() may have provided only a leaf cert with
- * no corresponding stack of untrusted certificates, we may need to create
- * an empty stack first. [ At present only the ssl library provides DANE
- * support, and ssl_verify_cert_chain() always provides a non-null stack
- * containing at least the leaf certificate, but we must be prepared for
- * this to change. ]
+ * Shallow-copy the stack of untrusted certificates (with TLS, this is
+ * typically the content of the peer's certificate message) so we can make
+ * multiple passes over it, while free to remove elements as we go.
*/
- if (DANETLS_ENABLED(dane) && dane->certs != NULL) {
- if (sk_untrusted == NULL && (sk_untrusted = sk_X509_new_null()) == NULL) {
- ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE);
- ctx->error = X509_V_ERR_OUT_OF_MEM;
- return 0;
- }
- if (!X509_add_certs(sk_untrusted, dane->certs, X509_ADD_FLAG_DEFAULT)) {
- sk_X509_free(sk_untrusted);
- ctx->error = X509_V_ERR_OUT_OF_MEM;
- return 0;
- }
+ if (!X509_add_certs(sk_untrusted, ctx->untrusted, X509_ADD_FLAG_DEFAULT)) {
+ ERR_raise(ERR_LIB_X509, ERR_R_X509_LIB);
+ goto memerr;
}
/*
* Build chains up to one longer the limit, later fail if we hit the limit,
* with an X509_V_ERR_CERT_CHAIN_TOO_LONG error code.
*/
- depth = ctx->param->depth + 1;
+ max_depth = ctx->param->depth + 1;
while (search != 0) {
- X509 *issuer = NULL;
+ X509 *curr, *issuer = NULL;
+ num = sk_X509_num(ctx->chain);
+ ctx->error_depth = num - 1;
/*
* Look in the trust store if enabled for first lookup, or we've run
* out of untrusted issuers and search here is not disabled. When we
* would be a-priori too long.
*/
if ((search & S_DOTRUSTED) != 0) {
- i = num = sk_X509_num(ctx->chain);
+ i = num;
if ((search & S_DOALTERNATE) != 0) {
/*
* As high up the chain as we can, look for an alternative
}
curr = sk_X509_value(ctx->chain, i - 1);
- ok = depth < num ? 0 : get_issuer(&issuer, ctx, curr);
+ /* Note: get1_trusted_issuer() must be used even if self-signed. */
+ ok = num > max_depth ? 0 : get1_trusted_issuer(&issuer, ctx, curr);
if (ok < 0) {
- trust = X509_TRUST_REJECTED;
+ trust = -1;
ctx->error = X509_V_ERR_STORE_LOOKUP;
break;
}
if (ok > 0) {
+ int self_signed = X509_self_signed(curr, 0);
+
+ if (self_signed < 0) {
+ X509_free(issuer);
+ goto int_err;
+ }
/*
* Alternative trusted issuer for a mid-chain untrusted cert?
* Pop the untrusted cert's successors and retry. We might now
*/
if ((search & S_DOALTERNATE) != 0) {
if (!ossl_assert(num > i && i > 0 && !self_signed)) {
- ERR_raise(ERR_LIB_X509, ERR_R_INTERNAL_ERROR);
X509_free(issuer);
- trust = X509_TRUST_REJECTED;
- ctx->error = X509_V_ERR_UNSPECIFIED;
- break;
+ goto int_err;
}
search &= ~S_DOALTERNATE;
for (; num > i; --num)
dane->pdpth = -1;
}
- /*
- * Self-signed untrusted certificates get replaced by their
- * trusted matching issuer. Otherwise, grow the chain.
- */
- if (!self_signed) {
- curr = issuer;
- if ((self_signed = X509_self_signed(curr, 0)) < 0)
- goto int_err;
- if (!sk_X509_push(ctx->chain, curr)) {
+ if (!self_signed) { /* untrusted not self-signed certificate */
+ /* Grow the chain by trusted issuer */
+ if (!sk_X509_push(ctx->chain, issuer)) {
X509_free(issuer);
- ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE);
- trust = X509_TRUST_REJECTED;
- ctx->error = X509_V_ERR_OUT_OF_MEM;
- break;
+ ERR_raise(ERR_LIB_X509, ERR_R_CRYPTO_LIB);
+ goto memerr;
}
- } else if (num == ctx->num_untrusted) {
+ if ((self_signed = X509_self_signed(issuer, 0)) < 0)
+ goto int_err;
+ } else {
/*
- * We have a self-signed certificate that has the same
+ * We have a self-signed untrusted cert that has the same
* subject name (and perhaps keyid and/or serial number) as
* a trust anchor. We must have an exact match to avoid
* possible impersonation via key substitution etc.
X509_free(issuer);
ok = 0;
} else { /* curr "==" issuer */
+ /*
+ * Replace self-signed untrusted certificate
+ * by its trusted matching issuer.
+ */
X509_free(curr);
ctx->num_untrusted = --num;
(void)sk_X509_set(ctx->chain, num, issuer);
- curr = issuer;
- /* no need to update self_signed */
}
}
goto int_err;
search &= ~S_DOUNTRUSTED;
trust = check_trust(ctx, num);
- if (trust == X509_TRUST_TRUSTED
- || trust == X509_TRUST_REJECTED)
+ if (trust != X509_TRUST_UNTRUSTED)
break;
if (!self_signed)
continue;
/* Search for a trusted issuer of a shorter chain */
search |= S_DOALTERNATE;
alt_untrusted = ctx->num_untrusted - 1;
- self_signed = 0;
}
}
/*
- * Extend chain with peer-provided untrusted certificates
+ * Try to extend chain with peer-provided untrusted certificate
*/
if ((search & S_DOUNTRUSTED) != 0) {
num = sk_X509_num(ctx->chain);
if (!ossl_assert(num == ctx->num_untrusted))
goto int_err;
curr = sk_X509_value(ctx->chain, num - 1);
- issuer = (self_signed || depth < num) ?
+ issuer = (X509_self_signed(curr, 0) > 0 || num > max_depth) ?
NULL : find_issuer(ctx, sk_untrusted, curr);
if (issuer == NULL) {
/*
- * Once we have reached a self-signed cert or num exceeds depth
+ * Once we have reached a self-signed cert or num > max_depth
* or can't find an issuer in the untrusted list we stop looking
* there and start looking only in the trust store if enabled.
*/
/* Drop this issuer from future consideration */
(void)sk_X509_delete_ptr(sk_untrusted, issuer);
- if (!X509_add_cert(ctx->chain, issuer, X509_ADD_FLAG_UP_REF))
+ /* Grow the chain by untrusted issuer */
+ if (!X509_add_cert(ctx->chain, issuer, X509_ADD_FLAG_UP_REF))
goto int_err;
++ctx->num_untrusted;
- curr = issuer;
- if ((self_signed = X509_self_signed(curr, 0)) < 0)
- goto int_err;
/* Check for DANE-TA trust of the topmost untrusted certificate. */
trust = check_dane_issuer(ctx, ctx->num_untrusted - 1);
}
sk_X509_free(sk_untrusted);
+ if (trust < 0) /* internal error */
+ return trust;
+
/*
* Last chance to make a trusted chain, either bare DANE-TA public-key
* signers, or else direct leaf PKIX trust.
*/
num = sk_X509_num(ctx->chain);
- if (num <= depth) {
+ if (num <= max_depth) {
if (trust == X509_TRUST_UNTRUSTED && DANETLS_HAS_DANE_TA(dane))
trust = check_dane_pkeys(ctx);
if (trust == X509_TRUST_UNTRUSTED && num == ctx->num_untrusted)
return 0;
case X509_TRUST_UNTRUSTED:
default:
- num = sk_X509_num(ctx->chain);
- CB_FAIL_IF(num > depth,
+ switch (ctx->error) {
+ case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
+ case X509_V_ERR_CERT_NOT_YET_VALID:
+ case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
+ case X509_V_ERR_CERT_HAS_EXPIRED:
+ return 0; /* Callback already done by ossl_x509_check_cert_time() */
+ default: /* A preliminary error has become final */
+ return verify_cb_cert(ctx, NULL, num - 1, ctx->error);
+ case X509_V_OK:
+ break;
+ }
+ CB_FAIL_IF(num > max_depth,
ctx, NULL, num - 1, X509_V_ERR_CERT_CHAIN_TOO_LONG);
CB_FAIL_IF(DANETLS_ENABLED(dane)
&& (!DANETLS_HAS_PKIX(dane) || dane->pdpth >= 0),
ctx, NULL, num - 1, X509_V_ERR_DANE_NO_MATCH);
- if (self_signed)
+ if (X509_self_signed(sk_X509_value(ctx->chain, num - 1), 0) > 0)
return verify_cb_cert(ctx, NULL, num - 1,
- sk_X509_num(ctx->chain) == 1
+ num == 1
? X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
: X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN);
return verify_cb_cert(ctx, NULL, num - 1,
}
int_err:
- sk_X509_free(sk_untrusted);
ERR_raise(ERR_LIB_X509, ERR_R_INTERNAL_ERROR);
ctx->error = X509_V_ERR_UNSPECIFIED;
- return 0;
+ sk_X509_free(sk_untrusted);
+ return -1;
+
+ memerr:
+ ctx->error = X509_V_ERR_OUT_OF_MEM;
+ sk_X509_free(sk_untrusted);
+ return -1;
}
+STACK_OF(X509) *X509_build_chain(X509 *target, STACK_OF(X509) *certs,
+ X509_STORE *store, int with_self_signed,
+ OSSL_LIB_CTX *libctx, const char *propq)
+{
+ int finish_chain = store != NULL;
+ X509_STORE_CTX *ctx;
+ int flags = X509_ADD_FLAG_UP_REF;
+ STACK_OF(X509) *result = NULL;
+
+ if (target == NULL) {
+ ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER);
+ return NULL;
+ }
+
+ if ((ctx = X509_STORE_CTX_new_ex(libctx, propq)) == NULL)
+ return NULL;
+ if (!X509_STORE_CTX_init(ctx, store, target, finish_chain ? certs : NULL))
+ goto err;
+ if (!finish_chain)
+ X509_STORE_CTX_set0_trusted_stack(ctx, certs);
+ if (!ossl_x509_add_cert_new(&ctx->chain, target, X509_ADD_FLAG_UP_REF)) {
+ ctx->error = X509_V_ERR_OUT_OF_MEM;
+ goto err;
+ }
+ ctx->num_untrusted = 1;
+
+ if (!build_chain(ctx) && finish_chain)
+ goto err;
+
+ /* result list to store the up_ref'ed certificates */
+ if (sk_X509_num(ctx->chain) > 1 && !with_self_signed)
+ flags |= X509_ADD_FLAG_NO_SS;
+ if (!ossl_x509_add_certs_new(&result, ctx->chain, flags)) {
+ sk_X509_free(result);
+ result = NULL;
+ }
+
+ err:
+ X509_STORE_CTX_free(ctx);
+ return result;
+}
+
+/*
+ * note that there's a corresponding minbits_table in ssl/ssl_cert.c
+ * in ssl_get_security_level_bits that's used for selection of DH parameters
+ */
static const int minbits_table[] = { 80, 112, 128, 192, 256 };
static const int NUM_AUTH_LEVELS = OSSL_NELEM(minbits_table);
/*-
- * Check whether the public key of `cert` meets the security level of `ctx`.
+ * Check whether the given public key meets the security level of `ctx`.
* Returns 1 on success, 0 otherwise.
*/
-static int check_key_level(X509_STORE_CTX *ctx, X509 *cert)
+static int check_key_level(X509_STORE_CTX *ctx, EVP_PKEY *pkey)
{
- EVP_PKEY *pkey = X509_get0_pubkey(cert);
int level = ctx->param->auth_level;
/*
if (level > NUM_AUTH_LEVELS)
level = NUM_AUTH_LEVELS;
- return EVP_PKEY_security_bits(pkey) >= minbits_table[level - 1];
+ return EVP_PKEY_get_security_bits(pkey) >= minbits_table[level - 1];
+}
+
+/*-
+ * Check whether the public key of `cert` meets the security level of `ctx`.
+ * Returns 1 on success, 0 otherwise.
+ */
+static int check_cert_key_level(X509_STORE_CTX *ctx, X509 *cert)
+{
+ return check_key_level(ctx, X509_get0_pubkey(cert));
}
/*-
*/
static int check_curve(X509 *cert)
{
-#ifndef OPENSSL_NO_EC
EVP_PKEY *pkey = X509_get0_pubkey(cert);
+ int ret, val;
/* Unsupported or malformed key */
if (pkey == NULL)
return -1;
+ if (EVP_PKEY_get_id(pkey) != EVP_PKEY_EC)
+ return 1;
- if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
- int ret;
-
- ret = EC_KEY_decoded_from_explicit_params(EVP_PKEY_get0_EC_KEY(pkey));
- return ret < 0 ? ret : !ret;
- }
-#endif
-
- return 1;
+ ret =
+ EVP_PKEY_get_int_param(pkey,
+ OSSL_PKEY_PARAM_EC_DECODED_FROM_EXPLICIT_PARAMS,
+ &val);
+ return ret < 0 ? ret : !val;
}
/*-