1 /*- 2 * Copyright (c) 2017-2018, Juniper Networks, Inc. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 1. Redistributions of source code must retain the above copyright 8 * notice, this list of conditions and the following disclaimer. 9 * 2. Redistributions in binary form must reproduce the above copyright 10 * notice, this list of conditions and the following disclaimer in the 11 * documentation and/or other materials provided with the distribution. 12 * 13 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 14 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 15 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 16 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 17 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 18 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 19 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 23 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24 */ 25 #include <sys/cdefs.h> 26 __FBSDID("$FreeBSD$"); 27 28 /** 29 * @file vets.c - trust store 30 * @brief verify signatures 31 * 32 * We leverage code from BearSSL www.bearssl.org 33 */ 34 35 #include <sys/time.h> 36 #include <stdarg.h> 37 #define NEED_BRSSL_H 38 #include "libsecureboot-priv.h" 39 #include <brssl.h> 40 #include <ta.h> 41 42 #ifndef TRUST_ANCHOR_STR 43 # define TRUST_ANCHOR_STR ta_PEM 44 #endif 45 46 #define EPOCH_YEAR 1970 47 #define AVG_SECONDS_PER_YEAR 31556952L 48 #define SECONDS_PER_DAY 86400 49 #define SECONDS_PER_YEAR 365 * SECONDS_PER_DAY 50 #ifndef VE_UTC_MAX_JUMP 51 # define VE_UTC_MAX_JUMP 20 * SECONDS_PER_YEAR 52 #endif 53 #define X509_DAYS_TO_UTC0 719528 54 55 int DebugVe = 0; 56 57 #ifndef VE_VERIFY_FLAGS 58 # define VE_VERIFY_FLAGS VEF_VERBOSE 59 #endif 60 int VerifyFlags = VE_VERIFY_FLAGS; 61 62 typedef VECTOR(br_x509_certificate) cert_list; 63 typedef VECTOR(hash_data) digest_list; 64 65 static anchor_list trust_anchors = VEC_INIT; 66 static anchor_list forbidden_anchors = VEC_INIT; 67 static digest_list forbidden_digests = VEC_INIT; 68 69 static int anchor_verbose = 0; 70 71 void 72 ve_anchor_verbose_set(int n) 73 { 74 anchor_verbose = n; 75 } 76 77 int 78 ve_anchor_verbose_get(void) 79 { 80 return (anchor_verbose); 81 } 82 83 void 84 ve_debug_set(int n) 85 { 86 DebugVe = n; 87 } 88 89 static char ebuf[512]; 90 91 char * 92 ve_error_get(void) 93 { 94 return (ebuf); 95 } 96 97 int 98 ve_error_set(const char *fmt, ...) 99 { 100 int rc; 101 va_list ap; 102 103 va_start(ap, fmt); 104 ebuf[0] = '\0'; 105 rc = 0; 106 if (fmt) { 107 #ifdef STAND_H 108 vsprintf(ebuf, fmt, ap); /* no vsnprintf in libstand */ 109 ebuf[sizeof(ebuf) - 1] = '\0'; 110 rc = strlen(ebuf); 111 #else 112 rc = vsnprintf(ebuf, sizeof(ebuf), fmt, ap); 113 #endif 114 } 115 va_end(ap); 116 return (rc); 117 } 118 119 #define isleap(y) (((y) % 4) == 0 && (((y) % 100) != 0 || ((y) % 400) == 0)) 120 121 /* 122 * The *approximate* date. 123 * 124 * When certificate verification fails for being 125 * expired or not yet valid, it helps to indicate 126 * our current date. 127 * Since libsa lacks strftime and gmtime, 128 * this simple implementation suffices. 129 */ 130 static const char * 131 gdate(char *buf, size_t bufsz, time_t clock) 132 { 133 int days[] = { 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 }; 134 int year, y, m, d; 135 136 y = clock / AVG_SECONDS_PER_YEAR; 137 year = EPOCH_YEAR + y; 138 for (y = EPOCH_YEAR; y < year; y++) { 139 clock -= SECONDS_PER_YEAR; 140 if (isleap(y)) 141 clock -= SECONDS_PER_DAY; 142 } 143 d = clock / SECONDS_PER_DAY; 144 for (m = 0; d > 1 && m < 12; m++) { 145 if (d > days[m]) { 146 d -= days[m]; 147 if (m == 1 && d > 0 && isleap(year)) 148 d--; 149 } else 150 break; 151 } 152 d++; 153 if (d > days[m]) { 154 d = 1; 155 m++; 156 if (m >= 12) { 157 year++; 158 m = 0; 159 } 160 } 161 (void)snprintf(buf, bufsz, "%04d-%02d-%02d", year, m+1, d); 162 return(buf); 163 } 164 165 /* this is the time we use for verifying certs */ 166 #ifdef UNIT_TEST 167 extern time_t ve_utc; 168 time_t ve_utc = 0; 169 #else 170 static time_t ve_utc = 0; 171 #endif 172 173 /** 174 * @brief 175 * set ve_utc used for certificate verification 176 * 177 * @param[in] utc 178 * time - ignored unless greater than current value 179 * and not a leap of 20 years or more. 180 */ 181 void 182 ve_utc_set(time_t utc) 183 { 184 if (utc > ve_utc && 185 (ve_utc == 0 || (utc - ve_utc) < VE_UTC_MAX_JUMP)) { 186 DEBUG_PRINTF(2, ("Set ve_utc=%jd\n", (intmax_t)utc)); 187 ve_utc = utc; 188 } 189 } 190 191 static void 192 free_cert_contents(br_x509_certificate *xc) 193 { 194 xfree(xc->data); 195 } 196 197 /* 198 * a bit of a dance to get commonName from a certificate 199 */ 200 static char * 201 x509_cn_get(br_x509_certificate *xc, char *buf, size_t len) 202 { 203 br_x509_minimal_context mc; 204 br_name_element cn; 205 unsigned char cn_oid[4]; 206 int err; 207 208 if (buf == NULL) 209 return (buf); 210 /* 211 * We want the commonName field 212 * the OID we want is 2,5,4,3 - but DER encoded 213 */ 214 cn_oid[0] = 3; 215 cn_oid[1] = 0x55; 216 cn_oid[2] = 4; 217 cn_oid[3] = 3; 218 cn.oid = cn_oid; 219 cn.buf = buf; 220 cn.len = len; 221 cn.buf[0] = '\0'; 222 223 br_x509_minimal_init(&mc, &br_sha256_vtable, NULL, 0); 224 br_x509_minimal_set_name_elements(&mc, &cn, 1); 225 /* the below actually does the work - updates cn.status */ 226 mc.vtable->start_chain(&mc.vtable, NULL); 227 mc.vtable->start_cert(&mc.vtable, xc->data_len); 228 mc.vtable->append(&mc.vtable, xc->data, xc->data_len); 229 mc.vtable->end_cert(&mc.vtable); 230 /* we don' actually care about cert status - just its name */ 231 err = mc.vtable->end_chain(&mc.vtable); 232 233 if (!cn.status) 234 buf = NULL; 235 return (buf); 236 } 237 238 /* ASN parsing related defines */ 239 #define ASN1_PRIMITIVE_TAG 0x1F 240 #define ASN1_INF_LENGTH 0x80 241 #define ASN1_LENGTH_MASK 0x7F 242 243 /* 244 * Get TBS part of certificate. 245 * Since BearSSL doesn't provide any API to do this, 246 * it has to be implemented here. 247 */ 248 static void* 249 X509_to_tbs(unsigned char* cert, size_t* output_size) 250 { 251 unsigned char *result; 252 size_t tbs_size; 253 int size, i; 254 255 if (cert == NULL) 256 return (NULL); 257 258 /* Strip two sequences to get to the TBS section */ 259 for (i = 0; i < 2; i++) { 260 /* 261 * XXX: We don't need to support extended tags since 262 * they should not be present in certificates. 263 */ 264 if ((*cert & ASN1_PRIMITIVE_TAG) == ASN1_PRIMITIVE_TAG) 265 return (NULL); 266 267 cert++; 268 269 if (*cert == ASN1_INF_LENGTH) 270 return (NULL); 271 272 size = *cert & ASN1_LENGTH_MASK; 273 tbs_size = 0; 274 275 /* Size can either be stored on a single or multiple bytes */ 276 if (*cert & (ASN1_LENGTH_MASK + 1)) { 277 cert++; 278 while (*cert == 0 && size > 0) { 279 cert++; 280 size--; 281 } 282 while (size-- > 0) { 283 tbs_size <<= 8; 284 tbs_size |= *(cert++); 285 } 286 } 287 if (i == 0) 288 result = cert; 289 } 290 tbs_size += (cert - result); 291 292 if (output_size != NULL) 293 *output_size = tbs_size; 294 295 return (result); 296 } 297 298 void 299 ve_forbidden_digest_add(hash_data *digest, size_t num) 300 { 301 while (num--) 302 VEC_ADD(forbidden_digests, digest[num]); 303 } 304 305 static size_t 306 ve_anchors_add(br_x509_certificate *xcs, size_t num, anchor_list *anchors, 307 const char *anchors_name) 308 { 309 br_x509_trust_anchor ta; 310 size_t u; 311 312 for (u = 0; u < num; u++) { 313 if (certificate_to_trust_anchor_inner(&ta, &xcs[u]) < 0) { 314 break; 315 } 316 VEC_ADD(*anchors, ta); 317 if (anchor_verbose && anchors_name) { 318 char buf[64]; 319 char *cp; 320 321 cp = x509_cn_get(&xcs[u], buf, sizeof(buf)); 322 if (cp) { 323 printf("x509_anchor(%s) %s\n", cp, anchors_name); 324 } 325 } 326 } 327 return (u); 328 } 329 330 /** 331 * @brief 332 * add certs to our trust store 333 */ 334 size_t 335 ve_trust_anchors_add(br_x509_certificate *xcs, size_t num) 336 { 337 return (ve_anchors_add(xcs, num, &trust_anchors, "trusted")); 338 } 339 340 size_t 341 ve_forbidden_anchors_add(br_x509_certificate *xcs, size_t num) 342 { 343 return (ve_anchors_add(xcs, num, &forbidden_anchors, "forbidden")); 344 } 345 346 347 /** 348 * @brief add trust anchors in buf 349 * 350 * Assume buf contains x509 certificates, but if not and 351 * we support OpenPGP try adding as that. 352 * 353 * @return number of anchors added 354 */ 355 size_t 356 ve_trust_anchors_add_buf(unsigned char *buf, size_t len) 357 { 358 br_x509_certificate *xcs; 359 size_t num; 360 361 num = 0; 362 xcs = parse_certificates(buf, len, &num); 363 if (xcs != NULL) { 364 num = ve_trust_anchors_add(xcs, num); 365 #ifdef VE_OPENPGP_SUPPORT 366 } else { 367 num = openpgp_trust_add_buf(buf, len); 368 #endif 369 } 370 return (num); 371 } 372 373 /** 374 * @brief revoke trust anchors in buf 375 * 376 * Assume buf contains x509 certificates, but if not and 377 * we support OpenPGP try revoking keyId 378 * 379 * @return number of anchors revoked 380 */ 381 size_t 382 ve_trust_anchors_revoke(unsigned char *buf, size_t len) 383 { 384 br_x509_certificate *xcs; 385 size_t num; 386 387 num = 0; 388 xcs = parse_certificates(buf, len, &num); 389 if (xcs != NULL) { 390 num = ve_forbidden_anchors_add(xcs, num); 391 #ifdef VE_OPENPGP_SUPPORT 392 } else { 393 if (buf[len - 1] == '\n') 394 buf[len - 1] = '\0'; 395 num = openpgp_trust_revoke((char *)buf); 396 #endif 397 } 398 return (num); 399 } 400 401 /** 402 * @brief 403 * initialize our trust_anchors from ta_PEM 404 */ 405 int 406 ve_trust_init(void) 407 { 408 static int once = -1; 409 410 if (once >= 0) 411 return (once); 412 once = 0; /* to be sure */ 413 #ifdef BUILD_UTC 414 ve_utc_set(BUILD_UTC); /* ensure sanity */ 415 #endif 416 ve_utc_set(time(NULL)); 417 ve_error_set(NULL); /* make sure it is empty */ 418 #ifdef VE_PCR_SUPPORT 419 ve_pcr_init(); 420 #endif 421 422 #ifdef TRUST_ANCHOR_STR 423 if (TRUST_ANCHOR_STR != NULL && strlen(TRUST_ANCHOR_STR) != 0ul) 424 ve_trust_anchors_add_buf(__DECONST(unsigned char *, 425 TRUST_ANCHOR_STR), sizeof(TRUST_ANCHOR_STR)); 426 #endif 427 once = (int) VEC_LEN(trust_anchors); 428 #ifdef VE_OPENPGP_SUPPORT 429 once += openpgp_trust_init(); 430 #endif 431 return (once); 432 } 433 434 #ifdef HAVE_BR_X509_TIME_CHECK 435 static int 436 verify_time_cb(void *tctx __unused, 437 uint32_t not_before_days, uint32_t not_before_seconds, 438 uint32_t not_after_days, uint32_t not_after_seconds) 439 { 440 time_t not_before; 441 time_t not_after; 442 int rc; 443 #ifdef UNIT_TEST 444 char date[12], nb_date[12], na_date[12]; 445 #endif 446 447 not_before = ((not_before_days - X509_DAYS_TO_UTC0) * SECONDS_PER_DAY) + not_before_seconds; 448 not_after = ((not_after_days - X509_DAYS_TO_UTC0) * SECONDS_PER_DAY) + not_after_seconds; 449 if (ve_utc < not_before) 450 rc = -1; 451 else if (ve_utc > not_after) 452 rc = 1; 453 else 454 rc = 0; 455 #ifdef UNIT_TEST 456 printf("notBefore %s notAfter %s date %s rc %d\n", 457 gdate(nb_date, sizeof(nb_date), not_before), 458 gdate(na_date, sizeof(na_date), not_after), 459 gdate(date, sizeof(date), ve_utc), rc); 460 #endif 461 #if defined(_STANDALONE) 462 rc = 0; /* don't fail */ 463 #endif 464 return rc; 465 } 466 #endif 467 468 /** 469 * if we can verify the certificate chain in "certs", 470 * return the public key and if "xcp" is !NULL the associated 471 * certificate 472 */ 473 static br_x509_pkey * 474 verify_signer_xcs(br_x509_certificate *xcs, 475 size_t num, 476 br_name_element *elts, size_t num_elts, 477 anchor_list *anchors) 478 { 479 br_x509_minimal_context mc; 480 br_x509_certificate *xc; 481 size_t u; 482 cert_list chain = VEC_INIT; 483 const br_x509_pkey *tpk; 484 br_x509_pkey *pk; 485 unsigned int usages; 486 int err; 487 488 DEBUG_PRINTF(5, ("verify_signer: %zu certs in chain\n", num)); 489 VEC_ADDMANY(chain, xcs, num); 490 if (VEC_LEN(chain) == 0) { 491 ve_error_set("ERROR: no/invalid certificate chain\n"); 492 return (NULL); 493 } 494 495 DEBUG_PRINTF(5, ("verify_signer: %zu trust anchors\n", 496 VEC_LEN(*anchors))); 497 498 br_x509_minimal_init(&mc, &br_sha256_vtable, 499 &VEC_ELT(*anchors, 0), 500 VEC_LEN(*anchors)); 501 #ifdef VE_ECDSA_SUPPORT 502 br_x509_minimal_set_ecdsa(&mc, 503 &br_ec_prime_i31, &br_ecdsa_i31_vrfy_asn1); 504 #endif 505 #ifdef VE_RSA_SUPPORT 506 br_x509_minimal_set_rsa(&mc, &br_rsa_i31_pkcs1_vrfy); 507 #endif 508 #if defined(UNIT_TEST) && defined(VE_DEPRECATED_RSA_SHA1_SUPPORT) 509 /* This is deprecated! do not enable unless you absoultely have to */ 510 br_x509_minimal_set_hash(&mc, br_sha1_ID, &br_sha1_vtable); 511 #endif 512 br_x509_minimal_set_hash(&mc, br_sha256_ID, &br_sha256_vtable); 513 #ifdef VE_SHA384_SUPPORT 514 br_x509_minimal_set_hash(&mc, br_sha384_ID, &br_sha384_vtable); 515 #endif 516 #ifdef VE_SHA512_SUPPORT 517 br_x509_minimal_set_hash(&mc, br_sha512_ID, &br_sha512_vtable); 518 #endif 519 br_x509_minimal_set_name_elements(&mc, elts, num_elts); 520 521 #ifdef HAVE_BR_X509_TIME_CHECK 522 br_x509_minimal_set_time_callback(&mc, NULL, verify_time_cb); 523 #else 524 #if defined(_STANDALONE) || defined(UNIT_TEST) 525 /* 526 * Clock is probably bogus so we use ve_utc. 527 */ 528 mc.days = (ve_utc / SECONDS_PER_DAY) + X509_DAYS_TO_UTC0; 529 mc.seconds = (ve_utc % SECONDS_PER_DAY); 530 #endif 531 #endif 532 mc.vtable->start_chain(&mc.vtable, NULL); 533 for (u = 0; u < VEC_LEN(chain); u ++) { 534 xc = &VEC_ELT(chain, u); 535 mc.vtable->start_cert(&mc.vtable, xc->data_len); 536 mc.vtable->append(&mc.vtable, xc->data, xc->data_len); 537 mc.vtable->end_cert(&mc.vtable); 538 switch (mc.err) { 539 case 0: 540 case BR_ERR_X509_OK: 541 case BR_ERR_X509_EXPIRED: 542 break; 543 default: 544 printf("u=%zu mc.err=%d\n", u, mc.err); 545 break; 546 } 547 } 548 err = mc.vtable->end_chain(&mc.vtable); 549 pk = NULL; 550 if (err) { 551 char date[12]; 552 553 switch (err) { 554 case 54: 555 ve_error_set("Validation failed, certificate not valid as of %s", 556 gdate(date, sizeof(date), ve_utc)); 557 break; 558 default: 559 ve_error_set("Validation failed, err = %d", err); 560 break; 561 } 562 } else { 563 tpk = mc.vtable->get_pkey(&mc.vtable, &usages); 564 if (tpk != NULL) { 565 pk = xpkeydup(tpk); 566 } 567 } 568 VEC_CLEAR(chain); 569 return (pk); 570 } 571 572 /* 573 * Check if digest of one of the certificates from verified chain 574 * is present in the forbidden database. 575 * Since UEFI allows to store three types of digests 576 * all of them have to be checked separately. 577 */ 578 static int 579 check_forbidden_digests(br_x509_certificate *xcs, size_t num) 580 { 581 unsigned char sha256_digest[br_sha256_SIZE]; 582 unsigned char sha384_digest[br_sha384_SIZE]; 583 unsigned char sha512_digest[br_sha512_SIZE]; 584 void *tbs; 585 hash_data *digest; 586 br_hash_compat_context ctx; 587 const br_hash_class *md; 588 size_t tbs_len, i; 589 int have_sha256, have_sha384, have_sha512; 590 591 if (VEC_LEN(forbidden_digests) == 0) 592 return (0); 593 594 /* 595 * Iterate through certificates, extract their To-Be-Signed section, 596 * and compare its digest against the ones in the forbidden database. 597 */ 598 while (num--) { 599 tbs = X509_to_tbs(xcs[num].data, &tbs_len); 600 if (tbs == NULL) { 601 printf("Failed to obtain TBS part of certificate\n"); 602 return (1); 603 } 604 have_sha256 = have_sha384 = have_sha512 = 0; 605 606 for (i = 0; i < VEC_LEN(forbidden_digests); i++) { 607 digest = &VEC_ELT(forbidden_digests, i); 608 switch (digest->hash_size) { 609 case br_sha256_SIZE: 610 if (!have_sha256) { 611 have_sha256 = 1; 612 md = &br_sha256_vtable; 613 md->init(&ctx.vtable); 614 md->update(&ctx.vtable, tbs, tbs_len); 615 md->out(&ctx.vtable, sha256_digest); 616 } 617 if (!memcmp(sha256_digest, 618 digest->data, 619 br_sha256_SIZE)) 620 return (1); 621 622 break; 623 case br_sha384_SIZE: 624 if (!have_sha384) { 625 have_sha384 = 1; 626 md = &br_sha384_vtable; 627 md->init(&ctx.vtable); 628 md->update(&ctx.vtable, tbs, tbs_len); 629 md->out(&ctx.vtable, sha384_digest); 630 } 631 if (!memcmp(sha384_digest, 632 digest->data, 633 br_sha384_SIZE)) 634 return (1); 635 636 break; 637 case br_sha512_SIZE: 638 if (!have_sha512) { 639 have_sha512 = 1; 640 md = &br_sha512_vtable; 641 md->init(&ctx.vtable); 642 md->update(&ctx.vtable, tbs, tbs_len); 643 md->out(&ctx.vtable, sha512_digest); 644 } 645 if (!memcmp(sha512_digest, 646 digest->data, 647 br_sha512_SIZE)) 648 return (1); 649 650 break; 651 } 652 } 653 } 654 655 return (0); 656 } 657 658 static br_x509_pkey * 659 verify_signer(const char *certs, 660 br_name_element *elts, size_t num_elts) 661 { 662 br_x509_certificate *xcs; 663 br_x509_pkey *pk; 664 size_t num; 665 666 pk = NULL; 667 668 ve_trust_init(); 669 xcs = read_certificates(certs, &num); 670 if (xcs == NULL) { 671 ve_error_set("cannot read certificates\n"); 672 return (NULL); 673 } 674 675 /* 676 * Check if either 677 * 1. There is a direct match between cert from forbidden_anchors 678 * and a cert from chain. 679 * 2. CA that signed the chain is found in forbidden_anchors. 680 */ 681 if (VEC_LEN(forbidden_anchors) > 0) 682 pk = verify_signer_xcs(xcs, num, elts, num_elts, &forbidden_anchors); 683 if (pk != NULL) { 684 ve_error_set("Certificate is on forbidden list\n"); 685 xfreepkey(pk); 686 pk = NULL; 687 goto out; 688 } 689 690 pk = verify_signer_xcs(xcs, num, elts, num_elts, &trust_anchors); 691 if (pk == NULL) 692 goto out; 693 694 /* 695 * Check if hash of tbs part of any certificate in chain 696 * is on the forbidden list. 697 */ 698 if (check_forbidden_digests(xcs, num)) { 699 ve_error_set("Certificate hash is on forbidden list\n"); 700 xfreepkey(pk); 701 pk = NULL; 702 } 703 out: 704 free_certificates(xcs, num); 705 return (pk); 706 } 707 708 /** 709 * we need a hex digest including trailing newline below 710 */ 711 char * 712 hexdigest(char *buf, size_t bufsz, unsigned char *foo, size_t foo_len) 713 { 714 char const hex2ascii[] = "0123456789abcdef"; 715 size_t i; 716 717 /* every binary byte is 2 chars in hex + newline + null */ 718 if (bufsz < (2 * foo_len) + 2) 719 return (NULL); 720 721 for (i = 0; i < foo_len; i++) { 722 buf[i * 2] = hex2ascii[foo[i] >> 4]; 723 buf[i * 2 + 1] = hex2ascii[foo[i] & 0x0f]; 724 } 725 726 buf[i * 2] = 0x0A; /* we also want a newline */ 727 buf[i * 2 + 1] = '\0'; 728 729 return (buf); 730 } 731 732 /** 733 * @brief 734 * verify file against sigfile using pk 735 * 736 * When we generated the signature in sigfile, 737 * we hashed (sha256) file, and sent that to signing server 738 * which hashed (sha256) that hash. 739 * 740 * To verify we need to replicate that result. 741 * 742 * @param[in] pk 743 * br_x509_pkey 744 * 745 * @paramp[in] file 746 * file to be verified 747 * 748 * @param[in] sigfile 749 * signature (PEM encoded) 750 * 751 * @return NULL on error, otherwise content of file. 752 */ 753 #ifdef VE_ECDSA_SUPPORT 754 static unsigned char * 755 verify_ec(br_x509_pkey *pk, const char *file, const char *sigfile) 756 { 757 #ifdef VE_ECDSA_HASH_AGAIN 758 char *hex, hexbuf[br_sha512_SIZE * 2 + 2]; 759 #endif 760 unsigned char rhbuf[br_sha512_SIZE]; 761 br_sha256_context ctx; 762 unsigned char *fcp, *scp; 763 size_t flen, slen, plen; 764 pem_object *po; 765 const br_ec_impl *ec; 766 br_ecdsa_vrfy vrfy; 767 768 if ((fcp = read_file(file, &flen)) == NULL) 769 return (NULL); 770 if ((scp = read_file(sigfile, &slen)) == NULL) { 771 free(fcp); 772 return (NULL); 773 } 774 if ((po = decode_pem(scp, slen, &plen)) == NULL) { 775 free(fcp); 776 free(scp); 777 return (NULL); 778 } 779 br_sha256_init(&ctx); 780 br_sha256_update(&ctx, fcp, flen); 781 br_sha256_out(&ctx, rhbuf); 782 #ifdef VE_ECDSA_HASH_AGAIN 783 hex = hexdigest(hexbuf, sizeof(hexbuf), rhbuf, br_sha256_SIZE); 784 /* now hash that */ 785 if (hex) { 786 br_sha256_init(&ctx); 787 br_sha256_update(&ctx, hex, strlen(hex)); 788 br_sha256_out(&ctx, rhbuf); 789 } 790 #endif 791 ec = br_ec_get_default(); 792 vrfy = br_ecdsa_vrfy_asn1_get_default(); 793 if (!vrfy(ec, rhbuf, br_sha256_SIZE, &pk->key.ec, po->data, 794 po->data_len)) { 795 free(fcp); 796 fcp = NULL; 797 } 798 free(scp); 799 return (fcp); 800 } 801 #endif 802 803 #if defined(VE_RSA_SUPPORT) || defined(VE_OPENPGP_SUPPORT) 804 /** 805 * @brief verify an rsa digest 806 * 807 * @return 0 on failure 808 */ 809 int 810 verify_rsa_digest (br_rsa_public_key *pkey, 811 const unsigned char *hash_oid, 812 unsigned char *mdata, size_t mlen, 813 unsigned char *sdata, size_t slen) 814 { 815 br_rsa_pkcs1_vrfy vrfy; 816 unsigned char vhbuf[br_sha512_SIZE]; 817 818 vrfy = br_rsa_pkcs1_vrfy_get_default(); 819 820 if (!vrfy(sdata, slen, hash_oid, mlen, pkey, vhbuf) || 821 memcmp(vhbuf, mdata, mlen) != 0) { 822 return (0); /* fail */ 823 } 824 return (1); /* ok */ 825 } 826 #endif 827 828 /** 829 * @brief 830 * verify file against sigfile using pk 831 * 832 * When we generated the signature in sigfile, 833 * we hashed (sha256) file, and sent that to signing server 834 * which hashed (sha256) that hash. 835 * 836 * Or (deprecated) we simply used sha1 hash directly. 837 * 838 * To verify we need to replicate that result. 839 * 840 * @param[in] pk 841 * br_x509_pkey 842 * 843 * @paramp[in] file 844 * file to be verified 845 * 846 * @param[in] sigfile 847 * signature (PEM encoded) 848 * 849 * @return NULL on error, otherwise content of file. 850 */ 851 #ifdef VE_RSA_SUPPORT 852 static unsigned char * 853 verify_rsa(br_x509_pkey *pk, const char *file, const char *sigfile) 854 { 855 unsigned char rhbuf[br_sha512_SIZE]; 856 const unsigned char *hash_oid; 857 const br_hash_class *md; 858 br_hash_compat_context mctx; 859 unsigned char *fcp, *scp; 860 size_t flen, slen, plen, hlen; 861 pem_object *po; 862 863 if ((fcp = read_file(file, &flen)) == NULL) 864 return (NULL); 865 if ((scp = read_file(sigfile, &slen)) == NULL) { 866 free(fcp); 867 return (NULL); 868 } 869 if ((po = decode_pem(scp, slen, &plen)) == NULL) { 870 free(fcp); 871 free(scp); 872 return (NULL); 873 } 874 875 switch (po->data_len) { 876 #if defined(UNIT_TEST) && defined(VE_DEPRECATED_RSA_SHA1_SUPPORT) 877 case 256: 878 // this is our old deprecated sig method 879 md = &br_sha1_vtable; 880 hlen = br_sha1_SIZE; 881 hash_oid = BR_HASH_OID_SHA1; 882 break; 883 #endif 884 default: 885 md = &br_sha256_vtable; 886 hlen = br_sha256_SIZE; 887 hash_oid = BR_HASH_OID_SHA256; 888 break; 889 } 890 md->init(&mctx.vtable); 891 md->update(&mctx.vtable, fcp, flen); 892 md->out(&mctx.vtable, rhbuf); 893 if (!verify_rsa_digest(&pk->key.rsa, hash_oid, 894 rhbuf, hlen, po->data, po->data_len)) { 895 free(fcp); 896 fcp = NULL; 897 } 898 free(scp); 899 return (fcp); 900 } 901 #endif 902 903 /** 904 * @brief 905 * verify a signature and return content of signed file 906 * 907 * @param[in] sigfile 908 * file containing signature 909 * we derrive path of signed file and certificate change from 910 * this. 911 * 912 * @param[in] flags 913 * only bit 1 significant so far 914 * 915 * @return NULL on error otherwise content of signed file 916 */ 917 unsigned char * 918 verify_sig(const char *sigfile, int flags) 919 { 920 br_x509_pkey *pk; 921 br_name_element cn; 922 char cn_buf[80]; 923 unsigned char cn_oid[4]; 924 char pbuf[MAXPATHLEN]; 925 char *cp; 926 unsigned char *ucp; 927 size_t n; 928 929 DEBUG_PRINTF(5, ("verify_sig: %s\n", sigfile)); 930 n = strlcpy(pbuf, sigfile, sizeof(pbuf)); 931 if (n > (sizeof(pbuf) - 5) || strcmp(&sigfile[n - 3], "sig") != 0) 932 return (NULL); 933 cp = strcpy(&pbuf[n - 3], "certs"); 934 /* 935 * We want the commonName field 936 * the OID we want is 2,5,4,3 - but DER encoded 937 */ 938 cn_oid[0] = 3; 939 cn_oid[1] = 0x55; 940 cn_oid[2] = 4; 941 cn_oid[3] = 3; 942 cn.oid = cn_oid; 943 cn.buf = cn_buf; 944 cn.len = sizeof(cn_buf); 945 946 pk = verify_signer(pbuf, &cn, 1); 947 if (!pk) { 948 printf("cannot verify: %s: %s\n", pbuf, ve_error_get()); 949 return (NULL); 950 } 951 for (; cp > pbuf; cp--) { 952 if (*cp == '.') { 953 *cp = '\0'; 954 break; 955 } 956 } 957 switch (pk->key_type) { 958 #ifdef VE_ECDSA_SUPPORT 959 case BR_KEYTYPE_EC: 960 ucp = verify_ec(pk, pbuf, sigfile); 961 break; 962 #endif 963 #ifdef VE_RSA_SUPPORT 964 case BR_KEYTYPE_RSA: 965 ucp = verify_rsa(pk, pbuf, sigfile); 966 break; 967 #endif 968 default: 969 ucp = NULL; /* not supported */ 970 } 971 xfreepkey(pk); 972 if (!ucp) { 973 printf("Unverified %s (%s)\n", pbuf, 974 cn.status ? cn_buf : "unknown"); 975 } else if ((flags & VEF_VERBOSE) != 0) { 976 printf("Verified %s signed by %s\n", pbuf, 977 cn.status ? cn_buf : "someone we trust"); 978 } 979 return (ucp); 980 } 981 982 983 /** 984 * @brief verify hash matches 985 * 986 * We have finished hashing a file, 987 * see if we got the desired result. 988 * 989 * @param[in] ctx 990 * pointer to hash context 991 * 992 * @param[in] md 993 * pointer to hash class 994 * 995 * @param[in] path 996 * name of the file we are checking 997 * 998 * @param[in] want 999 * the expected result 1000 * 1001 * @param[in] hlen 1002 * size of hash output 1003 * 1004 * @return 0 on success 1005 */ 1006 int 1007 ve_check_hash(br_hash_compat_context *ctx, const br_hash_class *md, 1008 const char *path, const char *want, size_t hlen) 1009 { 1010 char hexbuf[br_sha512_SIZE * 2 + 2]; 1011 unsigned char hbuf[br_sha512_SIZE]; 1012 char *hex; 1013 int rc; 1014 int n; 1015 1016 md->out(&ctx->vtable, hbuf); 1017 #ifdef VE_PCR_SUPPORT 1018 ve_pcr_update(path, hbuf, hlen); 1019 #endif 1020 hex = hexdigest(hexbuf, sizeof(hexbuf), hbuf, hlen); 1021 if (!hex) 1022 return (VE_FINGERPRINT_WRONG); 1023 n = 2*hlen; 1024 if ((rc = strncmp(hex, want, n))) { 1025 ve_error_set("%s: %.*s != %.*s", path, n, hex, n, want); 1026 rc = VE_FINGERPRINT_WRONG; 1027 } 1028 return (rc ? rc : VE_FINGERPRINT_OK); 1029 } 1030 1031 #ifdef VE_HASH_KAT_STR 1032 static int 1033 test_hash(const br_hash_class *md, size_t hlen, 1034 const char *hname, const char *s, size_t slen, const char *want) 1035 { 1036 br_hash_compat_context mctx; 1037 1038 md->init(&mctx.vtable); 1039 md->update(&mctx.vtable, s, slen); 1040 return (ve_check_hash(&mctx, md, hname, want, hlen) != VE_FINGERPRINT_OK); 1041 } 1042 1043 #endif 1044 1045 #define ve_test_hash(n, N) \ 1046 printf("Testing hash: " #n "\t\t\t\t%s\n", \ 1047 test_hash(&br_ ## n ## _vtable, br_ ## n ## _SIZE, #n, \ 1048 VE_HASH_KAT_STR, VE_HASH_KAT_STRLEN(VE_HASH_KAT_STR), \ 1049 vh_ ## N) ? "Failed" : "Passed") 1050 1051 /** 1052 * @brief 1053 * run self tests on hash and signature verification 1054 * 1055 * Test that the hash methods (SHA1 and SHA256) work. 1056 * Test that we can verify a certificate for each supported 1057 * Root CA. 1058 * 1059 * @return cached result. 1060 */ 1061 int 1062 ve_self_tests(void) 1063 { 1064 static int once = -1; 1065 #ifdef VERIFY_CERTS_STR 1066 br_x509_certificate *xcs; 1067 br_x509_pkey *pk; 1068 br_name_element cn; 1069 char cn_buf[80]; 1070 unsigned char cn_oid[4]; 1071 size_t num; 1072 size_t u; 1073 #endif 1074 1075 if (once >= 0) 1076 return (once); 1077 once = 0; 1078 1079 DEBUG_PRINTF(5, ("Self tests...\n")); 1080 #ifdef VE_HASH_KAT_STR 1081 #ifdef VE_SHA1_SUPPORT 1082 ve_test_hash(sha1, SHA1); 1083 #endif 1084 #ifdef VE_SHA256_SUPPORT 1085 ve_test_hash(sha256, SHA256); 1086 #endif 1087 #ifdef VE_SHA384_SUPPORT 1088 ve_test_hash(sha384, SHA384); 1089 #endif 1090 #ifdef VE_SHA512_SUPPORT 1091 ve_test_hash(sha512, SHA512); 1092 #endif 1093 #endif 1094 #ifdef VERIFY_CERTS_STR 1095 xcs = parse_certificates(__DECONST(unsigned char *, VERIFY_CERTS_STR), 1096 sizeof(VERIFY_CERTS_STR), &num); 1097 if (xcs != NULL) { 1098 /* 1099 * We want the commonName field 1100 * the OID we want is 2,5,4,3 - but DER encoded 1101 */ 1102 cn_oid[0] = 3; 1103 cn_oid[1] = 0x55; 1104 cn_oid[2] = 4; 1105 cn_oid[3] = 3; 1106 cn.oid = cn_oid; 1107 cn.buf = cn_buf; 1108 1109 for (u = 0; u < num; u ++) { 1110 cn.len = sizeof(cn_buf); 1111 if ((pk = verify_signer_xcs(&xcs[u], 1, &cn, 1, &trust_anchors)) != NULL) { 1112 free_cert_contents(&xcs[u]); 1113 once++; 1114 printf("Testing verify certificate: %s\tPassed\n", 1115 cn.status ? cn_buf : ""); 1116 xfreepkey(pk); 1117 } 1118 } 1119 if (!once) 1120 printf("Testing verify certificate:\t\t\tFailed\n"); 1121 xfree(xcs); 1122 } 1123 #endif /* VERIFY_CERTS_STR */ 1124 #ifdef VE_OPENPGP_SUPPORT 1125 if (!openpgp_self_tests()) 1126 once++; 1127 #endif 1128 return (once); 1129 } 1130