1 /* 2 * Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <stddef.h> 11 #include <openssl/ct.h> 12 #include <openssl/evp.h> 13 #include <openssl/x509.h> 14 #include <openssl/x509v3.h> 15 #include <openssl/safestack.h> 16 17 /* 18 * From RFC6962: opaque SerializedSCT<1..2^16-1>; struct { SerializedSCT 19 * sct_list <1..2^16-1>; } SignedCertificateTimestampList; 20 */ 21 #define MAX_SCT_SIZE 65535 22 #define MAX_SCT_LIST_SIZE MAX_SCT_SIZE 23 24 /* 25 * Macros to read and write integers in network-byte order. 26 */ 27 28 #define n2s(c, s) ((s = (((unsigned int)((c)[0])) << 8) | (((unsigned int)((c)[1])))), c += 2) 29 30 #define s2n(s, c) ((c[0] = (unsigned char)(((s) >> 8) & 0xff), \ 31 c[1] = (unsigned char)(((s)) & 0xff)), \ 32 c += 2) 33 34 #define l2n3(l, c) ((c[0] = (unsigned char)(((l) >> 16) & 0xff), \ 35 c[1] = (unsigned char)(((l) >> 8) & 0xff), \ 36 c[2] = (unsigned char)(((l)) & 0xff)), \ 37 c += 3) 38 39 #define n2l8(c, l) (l = ((uint64_t)(*((c)++))) << 56, \ 40 l |= ((uint64_t)(*((c)++))) << 48, \ 41 l |= ((uint64_t)(*((c)++))) << 40, \ 42 l |= ((uint64_t)(*((c)++))) << 32, \ 43 l |= ((uint64_t)(*((c)++))) << 24, \ 44 l |= ((uint64_t)(*((c)++))) << 16, \ 45 l |= ((uint64_t)(*((c)++))) << 8, \ 46 l |= ((uint64_t)(*((c)++)))) 47 48 #define l2n8(l, c) (*((c)++) = (unsigned char)(((l) >> 56) & 0xff), \ 49 *((c)++) = (unsigned char)(((l) >> 48) & 0xff), \ 50 *((c)++) = (unsigned char)(((l) >> 40) & 0xff), \ 51 *((c)++) = (unsigned char)(((l) >> 32) & 0xff), \ 52 *((c)++) = (unsigned char)(((l) >> 24) & 0xff), \ 53 *((c)++) = (unsigned char)(((l) >> 16) & 0xff), \ 54 *((c)++) = (unsigned char)(((l) >> 8) & 0xff), \ 55 *((c)++) = (unsigned char)(((l)) & 0xff)) 56 57 /* Signed Certificate Timestamp */ 58 struct sct_st { 59 sct_version_t version; 60 /* If version is not SCT_VERSION_V1, this contains the encoded SCT */ 61 unsigned char *sct; 62 size_t sct_len; 63 /* If version is SCT_VERSION_V1, fields below contain components of the SCT */ 64 unsigned char *log_id; 65 size_t log_id_len; 66 /* 67 * Note, we cannot distinguish between an unset timestamp, and one 68 * that is set to 0. However since CT didn't exist in 1970, no real 69 * SCT should ever be set as such. 70 */ 71 uint64_t timestamp; 72 unsigned char *ext; 73 size_t ext_len; 74 unsigned char hash_alg; 75 unsigned char sig_alg; 76 unsigned char *sig; 77 size_t sig_len; 78 /* Log entry type */ 79 ct_log_entry_type_t entry_type; 80 /* Where this SCT was found, e.g. certificate, OCSP response, etc. */ 81 sct_source_t source; 82 /* The result of the last attempt to validate this SCT. */ 83 sct_validation_status_t validation_status; 84 }; 85 86 /* Miscellaneous data that is useful when verifying an SCT */ 87 struct sct_ctx_st { 88 /* Public key */ 89 EVP_PKEY *pkey; 90 /* Hash of public key */ 91 unsigned char *pkeyhash; 92 size_t pkeyhashlen; 93 /* For pre-certificate: issuer public key hash */ 94 unsigned char *ihash; 95 size_t ihashlen; 96 /* certificate encoding */ 97 unsigned char *certder; 98 size_t certderlen; 99 /* pre-certificate encoding */ 100 unsigned char *preder; 101 size_t prederlen; 102 /* milliseconds since epoch (to check that the SCT isn't from the future) */ 103 uint64_t epoch_time_in_ms; 104 105 OSSL_LIB_CTX *libctx; 106 char *propq; 107 }; 108 109 /* Context when evaluating whether a Certificate Transparency policy is met */ 110 struct ct_policy_eval_ctx_st { 111 X509 *cert; 112 X509 *issuer; 113 CTLOG_STORE *log_store; 114 /* milliseconds since epoch (to check that SCTs aren't from the future) */ 115 uint64_t epoch_time_in_ms; 116 117 OSSL_LIB_CTX *libctx; 118 char *propq; 119 }; 120 121 /* 122 * Creates a new context for verifying an SCT. 123 */ 124 SCT_CTX *SCT_CTX_new(OSSL_LIB_CTX *ctx, const char *propq); 125 /* 126 * Deletes an SCT verification context. 127 */ 128 void SCT_CTX_free(SCT_CTX *sctx); 129 130 /* 131 * Sets the certificate that the SCT was created for. 132 * If *cert does not have a poison extension, presigner must be NULL. 133 * If *cert does not have a poison extension, it may have a single SCT 134 * (NID_ct_precert_scts) extension. 135 * If either *cert or *presigner have an AKID (NID_authority_key_identifier) 136 * extension, both must have one. 137 * Returns 1 on success, 0 on failure. 138 */ 139 __owur int SCT_CTX_set1_cert(SCT_CTX *sctx, X509 *cert, X509 *presigner); 140 141 /* 142 * Sets the issuer of the certificate that the SCT was created for. 143 * This is just a convenience method to save extracting the public key and 144 * calling SCT_CTX_set1_issuer_pubkey(). 145 * Issuer must not be NULL. 146 * Returns 1 on success, 0 on failure. 147 */ 148 __owur int SCT_CTX_set1_issuer(SCT_CTX *sctx, const X509 *issuer); 149 150 /* 151 * Sets the public key of the issuer of the certificate that the SCT was created 152 * for. 153 * The public key must not be NULL. 154 * Returns 1 on success, 0 on failure. 155 */ 156 __owur int SCT_CTX_set1_issuer_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey); 157 158 /* 159 * Sets the public key of the CT log that the SCT is from. 160 * Returns 1 on success, 0 on failure. 161 */ 162 __owur int SCT_CTX_set1_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey); 163 164 /* 165 * Sets the time to evaluate the SCT against, in milliseconds since the Unix 166 * epoch. If the SCT's timestamp is after this time, it will be interpreted as 167 * having been issued in the future. RFC6962 states that "TLS clients MUST 168 * reject SCTs whose timestamp is in the future", so an SCT will not validate 169 * in this case. 170 */ 171 void SCT_CTX_set_time(SCT_CTX *sctx, uint64_t time_in_ms); 172 173 /* 174 * Verifies an SCT with the given context. 175 * Returns 1 if the SCT verifies successfully; any other value indicates 176 * failure. See EVP_DigestVerifyFinal() for the meaning of those values. 177 */ 178 __owur int SCT_CTX_verify(const SCT_CTX *sctx, const SCT *sct); 179 180 /* 181 * Does this SCT have the minimum fields populated to be usable? 182 * Returns 1 if so, 0 otherwise. 183 */ 184 __owur int SCT_is_complete(const SCT *sct); 185 186 /* 187 * Does this SCT have the signature-related fields populated? 188 * Returns 1 if so, 0 otherwise. 189 * This checks that the signature and hash algorithms are set to supported 190 * values and that the signature field is set. 191 */ 192 __owur int SCT_signature_is_complete(const SCT *sct); 193 194 /* 195 * Serialize (to TLS format) an |sct| signature and write it to |out|. 196 * If |out| is null, no signature will be output but the length will be returned. 197 * If |out| points to a null pointer, a string will be allocated to hold the 198 * TLS-format signature. It is the responsibility of the caller to free it. 199 * If |out| points to an allocated string, the signature will be written to it. 200 * The length of the signature in TLS format will be returned. 201 */ 202 __owur int i2o_SCT_signature(const SCT *sct, unsigned char **out); 203 204 /* 205 * Parses an SCT signature in TLS format and populates the |sct| with it. 206 * |in| should be a pointer to a string containing the TLS-format signature. 207 * |in| will be advanced to the end of the signature if parsing succeeds. 208 * |len| should be the length of the signature in |in|. 209 * Returns the number of bytes parsed, or a negative integer if an error occurs. 210 * If an error occurs, the SCT's signature NID may be updated whilst the 211 * signature field itself remains unset. 212 */ 213 __owur int o2i_SCT_signature(SCT *sct, const unsigned char **in, size_t len); 214 215 /* 216 * Handlers for Certificate Transparency X509v3/OCSP extensions 217 */ 218 extern const X509V3_EXT_METHOD ossl_v3_ct_scts[3]; 219