]> git.ipfire.org Git - thirdparty/openssl.git/blob - crypto/ts/ts_rsp_verify.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Fix safestack issues in pkcs7.h
[thirdparty/openssl.git] / crypto / ts / ts_rsp_verify.c
1 /*
2 * Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include <stdio.h>
11 #include "internal/cryptlib.h"
12 #include <openssl/objects.h>
13 #include <openssl/ts.h>
14 #include <openssl/pkcs7.h>
15 #include "ts_local.h"
16 #include "crypto/ess.h"
17
18 DEFINE_STACK_OF(ESS_CERT_ID)
19 DEFINE_STACK_OF(ESS_CERT_ID_V2)
20
21 static int ts_verify_cert(X509_STORE *store, STACK_OF(X509) *untrusted,
22 X509 *signer, STACK_OF(X509) **chain);
23 static int ts_check_signing_certs(PKCS7_SIGNER_INFO *si,
24 STACK_OF(X509) *chain);
25
26 static int int_ts_RESP_verify_token(TS_VERIFY_CTX *ctx,
27 PKCS7 *token, TS_TST_INFO *tst_info);
28 static int ts_check_status_info(TS_RESP *response);
29 static char *ts_get_status_text(STACK_OF(ASN1_UTF8STRING) *text);
30 static int ts_check_policy(const ASN1_OBJECT *req_oid,
31 const TS_TST_INFO *tst_info);
32 static int ts_compute_imprint(BIO *data, TS_TST_INFO *tst_info,
33 X509_ALGOR **md_alg,
34 unsigned char **imprint, unsigned *imprint_len);
35 static int ts_check_imprints(X509_ALGOR *algor_a,
36 const unsigned char *imprint_a, unsigned len_a,
37 TS_TST_INFO *tst_info);
38 static int ts_check_nonces(const ASN1_INTEGER *a, TS_TST_INFO *tst_info);
39 static int ts_check_signer_name(GENERAL_NAME *tsa_name, X509 *signer);
40 static int ts_find_name(STACK_OF(GENERAL_NAME) *gen_names,
41 GENERAL_NAME *name);
42
43 /*
44 * This must be large enough to hold all values in ts_status_text (with
45 * comma separator) or all text fields in ts_failure_info (also with comma).
46 */
47 #define TS_STATUS_BUF_SIZE 256
48
49 /*
50 * Local mapping between response codes and descriptions.
51 */
52 static const char *ts_status_text[] = {
53 "granted",
54 "grantedWithMods",
55 "rejection",
56 "waiting",
57 "revocationWarning",
58 "revocationNotification"
59 };
60
61 #define TS_STATUS_TEXT_SIZE OSSL_NELEM(ts_status_text)
62
63 static struct {
64 int code;
65 const char *text;
66 } ts_failure_info[] = {
67 {TS_INFO_BAD_ALG, "badAlg"},
68 {TS_INFO_BAD_REQUEST, "badRequest"},
69 {TS_INFO_BAD_DATA_FORMAT, "badDataFormat"},
70 {TS_INFO_TIME_NOT_AVAILABLE, "timeNotAvailable"},
71 {TS_INFO_UNACCEPTED_POLICY, "unacceptedPolicy"},
72 {TS_INFO_UNACCEPTED_EXTENSION, "unacceptedExtension"},
73 {TS_INFO_ADD_INFO_NOT_AVAILABLE, "addInfoNotAvailable"},
74 {TS_INFO_SYSTEM_FAILURE, "systemFailure"}
75 };
76
77
78 /*-
79 * This function carries out the following tasks:
80 * - Checks if there is one and only one signer.
81 * - Search for the signing certificate in 'certs' and in the response.
82 * - Check the extended key usage and key usage fields of the signer
83 * certificate (done by the path validation).
84 * - Build and validate the certificate path.
85 * - Check if the certificate path meets the requirements of the
86 * SigningCertificate ESS signed attribute.
87 * - Verify the signature value.
88 * - Returns the signer certificate in 'signer', if 'signer' is not NULL.
89 */
90 int TS_RESP_verify_signature(PKCS7 *token, STACK_OF(X509) *certs,
91 X509_STORE *store, X509 **signer_out)
92 {
93 STACK_OF(PKCS7_SIGNER_INFO) *sinfos = NULL;
94 PKCS7_SIGNER_INFO *si;
95 STACK_OF(X509) *signers = NULL;
96 X509 *signer;
97 STACK_OF(X509) *chain = NULL;
98 char buf[4096];
99 int i, j = 0, ret = 0;
100 BIO *p7bio = NULL;
101
102 /* Some sanity checks first. */
103 if (!token) {
104 TSerr(TS_F_TS_RESP_VERIFY_SIGNATURE, TS_R_INVALID_NULL_POINTER);
105 goto err;
106 }
107 if (!PKCS7_type_is_signed(token)) {
108 TSerr(TS_F_TS_RESP_VERIFY_SIGNATURE, TS_R_WRONG_CONTENT_TYPE);
109 goto err;
110 }
111 sinfos = PKCS7_get_signer_info(token);
112 if (!sinfos || sk_PKCS7_SIGNER_INFO_num(sinfos) != 1) {
113 TSerr(TS_F_TS_RESP_VERIFY_SIGNATURE, TS_R_THERE_MUST_BE_ONE_SIGNER);
114 goto err;
115 }
116 si = sk_PKCS7_SIGNER_INFO_value(sinfos, 0);
117 if (PKCS7_get_detached(token)) {
118 TSerr(TS_F_TS_RESP_VERIFY_SIGNATURE, TS_R_NO_CONTENT);
119 goto err;
120 }
121
122 /*
123 * Get hold of the signer certificate, search only internal certificates
124 * if it was requested.
125 */
126 signers = PKCS7_get0_signers(token, certs, 0);
127 if (!signers || sk_X509_num(signers) != 1)
128 goto err;
129 signer = sk_X509_value(signers, 0);
130
131 if (!ts_verify_cert(store, certs, signer, &chain))
132 goto err;
133 if (!ts_check_signing_certs(si, chain))
134 goto err;
135 p7bio = PKCS7_dataInit(token, NULL);
136
137 /* We now have to 'read' from p7bio to calculate digests etc. */
138 while ((i = BIO_read(p7bio, buf, sizeof(buf))) > 0)
139 continue;
140
141 j = PKCS7_signatureVerify(p7bio, token, si, signer);
142 if (j <= 0) {
143 TSerr(TS_F_TS_RESP_VERIFY_SIGNATURE, TS_R_SIGNATURE_FAILURE);
144 goto err;
145 }
146
147 if (signer_out) {
148 *signer_out = signer;
149 X509_up_ref(signer);
150 }
151 ret = 1;
152
153 err:
154 BIO_free_all(p7bio);
155 sk_X509_pop_free(chain, X509_free);
156 sk_X509_free(signers);
157
158 return ret;
159 }
160
161 /*
162 * The certificate chain is returned in chain. Caller is responsible for
163 * freeing the vector.
164 */
165 static int ts_verify_cert(X509_STORE *store, STACK_OF(X509) *untrusted,
166 X509 *signer, STACK_OF(X509) **chain)
167 {
168 X509_STORE_CTX *cert_ctx = NULL;
169 int i;
170 int ret = 0;
171
172 *chain = NULL;
173 cert_ctx = X509_STORE_CTX_new();
174 if (cert_ctx == NULL) {
175 TSerr(TS_F_TS_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
176 goto err;
177 }
178 if (!X509_STORE_CTX_init(cert_ctx, store, signer, untrusted))
179 goto end;
180 X509_STORE_CTX_set_purpose(cert_ctx, X509_PURPOSE_TIMESTAMP_SIGN);
181 i = X509_verify_cert(cert_ctx);
182 if (i <= 0) {
183 int j = X509_STORE_CTX_get_error(cert_ctx);
184 TSerr(TS_F_TS_VERIFY_CERT, TS_R_CERTIFICATE_VERIFY_ERROR);
185 ERR_add_error_data(2, "Verify error:",
186 X509_verify_cert_error_string(j));
187 goto err;
188 }
189 *chain = X509_STORE_CTX_get1_chain(cert_ctx);
190 ret = 1;
191 goto end;
192
193 err:
194 ret = 0;
195
196 end:
197 X509_STORE_CTX_free(cert_ctx);
198 return ret;
199 }
200
201 static int ts_check_signing_certs(PKCS7_SIGNER_INFO *si,
202 STACK_OF(X509) *chain)
203 {
204 ESS_SIGNING_CERT *ss = ESS_SIGNING_CERT_get(si);
205 STACK_OF(ESS_CERT_ID) *cert_ids = NULL;
206 ESS_SIGNING_CERT_V2 *ssv2 = ESS_SIGNING_CERT_V2_get(si);
207 STACK_OF(ESS_CERT_ID_V2) *cert_ids_v2 = NULL;
208 X509 *cert;
209 int i = 0;
210 int ret = 0;
211
212 if (ss != NULL) {
213 cert_ids = ss->cert_ids;
214 cert = sk_X509_value(chain, 0);
215 if (ess_find_cert(cert_ids, cert) != 0)
216 goto err;
217
218 /*
219 * Check the other certificates of the chain if there are more than one
220 * certificate ids in cert_ids.
221 */
222 if (sk_ESS_CERT_ID_num(cert_ids) > 1) {
223 for (i = 1; i < sk_X509_num(chain); ++i) {
224 cert = sk_X509_value(chain, i);
225 if (ess_find_cert(cert_ids, cert) < 0)
226 goto err;
227 }
228 }
229 } else if (ssv2 != NULL) {
230 cert_ids_v2 = ssv2->cert_ids;
231 cert = sk_X509_value(chain, 0);
232 if (ess_find_cert_v2(cert_ids_v2, cert) != 0)
233 goto err;
234
235 /*
236 * Check the other certificates of the chain if there are more than one
237 * certificate ids in cert_ids.
238 */
239 if (sk_ESS_CERT_ID_V2_num(cert_ids_v2) > 1) {
240 for (i = 1; i < sk_X509_num(chain); ++i) {
241 cert = sk_X509_value(chain, i);
242 if (ess_find_cert_v2(cert_ids_v2, cert) < 0)
243 goto err;
244 }
245 }
246 } else {
247 goto err;
248 }
249
250 ret = 1;
251 err:
252 if (!ret)
253 TSerr(TS_F_TS_CHECK_SIGNING_CERTS,
254 TS_R_ESS_SIGNING_CERTIFICATE_ERROR);
255 ESS_SIGNING_CERT_free(ss);
256 ESS_SIGNING_CERT_V2_free(ssv2);
257 return ret;
258 }
259
260 /*-
261 * Verifies whether 'response' contains a valid response with regards
262 * to the settings of the context:
263 * - Gives an error message if the TS_TST_INFO is not present.
264 * - Calls _TS_RESP_verify_token to verify the token content.
265 */
266 int TS_RESP_verify_response(TS_VERIFY_CTX *ctx, TS_RESP *response)
267 {
268 PKCS7 *token = response->token;
269 TS_TST_INFO *tst_info = response->tst_info;
270 int ret = 0;
271
272 if (!ts_check_status_info(response))
273 goto err;
274 if (!int_ts_RESP_verify_token(ctx, token, tst_info))
275 goto err;
276 ret = 1;
277
278 err:
279 return ret;
280 }
281
282 /*
283 * Tries to extract a TS_TST_INFO structure from the PKCS7 token and
284 * calls the internal int_TS_RESP_verify_token function for verifying it.
285 */
286 int TS_RESP_verify_token(TS_VERIFY_CTX *ctx, PKCS7 *token)
287 {
288 TS_TST_INFO *tst_info = PKCS7_to_TS_TST_INFO(token);
289 int ret = 0;
290 if (tst_info) {
291 ret = int_ts_RESP_verify_token(ctx, token, tst_info);
292 TS_TST_INFO_free(tst_info);
293 }
294 return ret;
295 }
296
297 /*-
298 * Verifies whether the 'token' contains a valid time stamp token
299 * with regards to the settings of the context. Only those checks are
300 * carried out that are specified in the context:
301 * - Verifies the signature of the TS_TST_INFO.
302 * - Checks the version number of the response.
303 * - Check if the requested and returned policies math.
304 * - Check if the message imprints are the same.
305 * - Check if the nonces are the same.
306 * - Check if the TSA name matches the signer.
307 * - Check if the TSA name is the expected TSA.
308 */
309 static int int_ts_RESP_verify_token(TS_VERIFY_CTX *ctx,
310 PKCS7 *token, TS_TST_INFO *tst_info)
311 {
312 X509 *signer = NULL;
313 GENERAL_NAME *tsa_name = tst_info->tsa;
314 X509_ALGOR *md_alg = NULL;
315 unsigned char *imprint = NULL;
316 unsigned imprint_len = 0;
317 int ret = 0;
318 int flags = ctx->flags;
319
320 /* Some options require us to also check the signature */
321 if (((flags & TS_VFY_SIGNER) && tsa_name != NULL)
322 || (flags & TS_VFY_TSA_NAME)) {
323 flags |= TS_VFY_SIGNATURE;
324 }
325
326 if ((flags & TS_VFY_SIGNATURE)
327 && !TS_RESP_verify_signature(token, ctx->certs, ctx->store, &signer))
328 goto err;
329 if ((flags & TS_VFY_VERSION)
330 && TS_TST_INFO_get_version(tst_info) != 1) {
331 TSerr(TS_F_INT_TS_RESP_VERIFY_TOKEN, TS_R_UNSUPPORTED_VERSION);
332 goto err;
333 }
334 if ((flags & TS_VFY_POLICY)
335 && !ts_check_policy(ctx->policy, tst_info))
336 goto err;
337 if ((flags & TS_VFY_IMPRINT)
338 && !ts_check_imprints(ctx->md_alg, ctx->imprint, ctx->imprint_len,
339 tst_info))
340 goto err;
341 if ((flags & TS_VFY_DATA)
342 && (!ts_compute_imprint(ctx->data, tst_info,
343 &md_alg, &imprint, &imprint_len)
344 || !ts_check_imprints(md_alg, imprint, imprint_len, tst_info)))
345 goto err;
346 if ((flags & TS_VFY_NONCE)
347 && !ts_check_nonces(ctx->nonce, tst_info))
348 goto err;
349 if ((flags & TS_VFY_SIGNER)
350 && tsa_name && !ts_check_signer_name(tsa_name, signer)) {
351 TSerr(TS_F_INT_TS_RESP_VERIFY_TOKEN, TS_R_TSA_NAME_MISMATCH);
352 goto err;
353 }
354 if ((flags & TS_VFY_TSA_NAME)
355 && !ts_check_signer_name(ctx->tsa_name, signer)) {
356 TSerr(TS_F_INT_TS_RESP_VERIFY_TOKEN, TS_R_TSA_UNTRUSTED);
357 goto err;
358 }
359 ret = 1;
360
361 err:
362 X509_free(signer);
363 X509_ALGOR_free(md_alg);
364 OPENSSL_free(imprint);
365 return ret;
366 }
367
368 static int ts_check_status_info(TS_RESP *response)
369 {
370 TS_STATUS_INFO *info = response->status_info;
371 long status = ASN1_INTEGER_get(info->status);
372 const char *status_text = NULL;
373 char *embedded_status_text = NULL;
374 char failure_text[TS_STATUS_BUF_SIZE] = "";
375
376 if (status == 0 || status == 1)
377 return 1;
378
379 /* There was an error, get the description in status_text. */
380 if (0 <= status && status < (long) OSSL_NELEM(ts_status_text))
381 status_text = ts_status_text[status];
382 else
383 status_text = "unknown code";
384
385 if (sk_ASN1_UTF8STRING_num(info->text) > 0
386 && (embedded_status_text = ts_get_status_text(info->text)) == NULL)
387 return 0;
388
389 /* Fill in failure_text with the failure information. */
390 if (info->failure_info) {
391 int i;
392 int first = 1;
393 for (i = 0; i < (int)OSSL_NELEM(ts_failure_info); ++i) {
394 if (ASN1_BIT_STRING_get_bit(info->failure_info,
395 ts_failure_info[i].code)) {
396 if (!first)
397 strcat(failure_text, ",");
398 else
399 first = 0;
400 strcat(failure_text, ts_failure_info[i].text);
401 }
402 }
403 }
404 if (failure_text[0] == '\0')
405 strcpy(failure_text, "unspecified");
406
407 TSerr(TS_F_TS_CHECK_STATUS_INFO, TS_R_NO_TIME_STAMP_TOKEN);
408 ERR_add_error_data(6,
409 "status code: ", status_text,
410 ", status text: ", embedded_status_text ?
411 embedded_status_text : "unspecified",
412 ", failure codes: ", failure_text);
413 OPENSSL_free(embedded_status_text);
414
415 return 0;
416 }
417
418 static char *ts_get_status_text(STACK_OF(ASN1_UTF8STRING) *text)
419 {
420 return sk_ASN1_UTF8STRING2text(text, "/", TS_MAX_STATUS_LENGTH);
421 }
422
423 static int ts_check_policy(const ASN1_OBJECT *req_oid,
424 const TS_TST_INFO *tst_info)
425 {
426 const ASN1_OBJECT *resp_oid = tst_info->policy_id;
427
428 if (OBJ_cmp(req_oid, resp_oid) != 0) {
429 TSerr(TS_F_TS_CHECK_POLICY, TS_R_POLICY_MISMATCH);
430 return 0;
431 }
432
433 return 1;
434 }
435
436 static int ts_compute_imprint(BIO *data, TS_TST_INFO *tst_info,
437 X509_ALGOR **md_alg,
438 unsigned char **imprint, unsigned *imprint_len)
439 {
440 TS_MSG_IMPRINT *msg_imprint = tst_info->msg_imprint;
441 X509_ALGOR *md_alg_resp = msg_imprint->hash_algo;
442 const EVP_MD *md;
443 EVP_MD_CTX *md_ctx = NULL;
444 unsigned char buffer[4096];
445 int length;
446
447 *md_alg = NULL;
448 *imprint = NULL;
449
450 if ((*md_alg = X509_ALGOR_dup(md_alg_resp)) == NULL)
451 goto err;
452 if ((md = EVP_get_digestbyobj((*md_alg)->algorithm)) == NULL) {
453 TSerr(TS_F_TS_COMPUTE_IMPRINT, TS_R_UNSUPPORTED_MD_ALGORITHM);
454 goto err;
455 }
456 length = EVP_MD_size(md);
457 if (length < 0)
458 goto err;
459 *imprint_len = length;
460 if ((*imprint = OPENSSL_malloc(*imprint_len)) == NULL) {
461 TSerr(TS_F_TS_COMPUTE_IMPRINT, ERR_R_MALLOC_FAILURE);
462 goto err;
463 }
464
465 md_ctx = EVP_MD_CTX_new();
466 if (md_ctx == NULL) {
467 TSerr(TS_F_TS_COMPUTE_IMPRINT, ERR_R_MALLOC_FAILURE);
468 goto err;
469 }
470 if (!EVP_DigestInit(md_ctx, md))
471 goto err;
472 while ((length = BIO_read(data, buffer, sizeof(buffer))) > 0) {
473 if (!EVP_DigestUpdate(md_ctx, buffer, length))
474 goto err;
475 }
476 if (!EVP_DigestFinal(md_ctx, *imprint, NULL))
477 goto err;
478 EVP_MD_CTX_free(md_ctx);
479
480 return 1;
481 err:
482 EVP_MD_CTX_free(md_ctx);
483 X509_ALGOR_free(*md_alg);
484 OPENSSL_free(*imprint);
485 *imprint_len = 0;
486 *imprint = 0;
487 return 0;
488 }
489
490 static int ts_check_imprints(X509_ALGOR *algor_a,
491 const unsigned char *imprint_a, unsigned len_a,
492 TS_TST_INFO *tst_info)
493 {
494 TS_MSG_IMPRINT *b = tst_info->msg_imprint;
495 X509_ALGOR *algor_b = b->hash_algo;
496 int ret = 0;
497
498 if (algor_a) {
499 if (OBJ_cmp(algor_a->algorithm, algor_b->algorithm))
500 goto err;
501
502 /* The parameter must be NULL in both. */
503 if ((algor_a->parameter
504 && ASN1_TYPE_get(algor_a->parameter) != V_ASN1_NULL)
505 || (algor_b->parameter
506 && ASN1_TYPE_get(algor_b->parameter) != V_ASN1_NULL))
507 goto err;
508 }
509
510 ret = len_a == (unsigned)ASN1_STRING_length(b->hashed_msg) &&
511 memcmp(imprint_a, ASN1_STRING_get0_data(b->hashed_msg), len_a) == 0;
512 err:
513 if (!ret)
514 TSerr(TS_F_TS_CHECK_IMPRINTS, TS_R_MESSAGE_IMPRINT_MISMATCH);
515 return ret;
516 }
517
518 static int ts_check_nonces(const ASN1_INTEGER *a, TS_TST_INFO *tst_info)
519 {
520 const ASN1_INTEGER *b = tst_info->nonce;
521
522 if (!b) {
523 TSerr(TS_F_TS_CHECK_NONCES, TS_R_NONCE_NOT_RETURNED);
524 return 0;
525 }
526
527 /* No error if a nonce is returned without being requested. */
528 if (ASN1_INTEGER_cmp(a, b) != 0) {
529 TSerr(TS_F_TS_CHECK_NONCES, TS_R_NONCE_MISMATCH);
530 return 0;
531 }
532
533 return 1;
534 }
535
536 /*
537 * Check if the specified TSA name matches either the subject or one of the
538 * subject alternative names of the TSA certificate.
539 */
540 static int ts_check_signer_name(GENERAL_NAME *tsa_name, X509 *signer)
541 {
542 STACK_OF(GENERAL_NAME) *gen_names = NULL;
543 int idx = -1;
544 int found = 0;
545
546 if (tsa_name->type == GEN_DIRNAME
547 && X509_name_cmp(tsa_name->d.dirn, X509_get_subject_name(signer)) == 0)
548 return 1;
549 gen_names = X509_get_ext_d2i(signer, NID_subject_alt_name, NULL, &idx);
550 while (gen_names != NULL) {
551 found = ts_find_name(gen_names, tsa_name) >= 0;
552 if (found)
553 break;
554 /*
555 * Get the next subject alternative name, although there should be no
556 * more than one.
557 */
558 GENERAL_NAMES_free(gen_names);
559 gen_names = X509_get_ext_d2i(signer, NID_subject_alt_name, NULL, &idx);
560 }
561 GENERAL_NAMES_free(gen_names);
562
563 return found;
564 }
565
566 /* Returns 1 if name is in gen_names, 0 otherwise. */
567 static int ts_find_name(STACK_OF(GENERAL_NAME) *gen_names, GENERAL_NAME *name)
568 {
569 int i, found;
570 for (i = 0, found = 0; !found && i < sk_GENERAL_NAME_num(gen_names); ++i) {
571 GENERAL_NAME *current = sk_GENERAL_NAME_value(gen_names, i);
572 found = GENERAL_NAME_cmp(current, name) == 0;
573 }
574 return found ? i - 1 : -1;
575 }
A mirror of the official openssl repository