ts_conf.c 13 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507
  1. /* crypto/ts/ts_conf.c */
  2. /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
  3. * project 2002.
  4. */
  5. /* ====================================================================
  6. * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
  7. *
  8. * Redistribution and use in source and binary forms, with or without
  9. * modification, are permitted provided that the following conditions
  10. * are met:
  11. *
  12. * 1. Redistributions of source code must retain the above copyright
  13. * notice, this list of conditions and the following disclaimer.
  14. *
  15. * 2. Redistributions in binary form must reproduce the above copyright
  16. * notice, this list of conditions and the following disclaimer in
  17. * the documentation and/or other materials provided with the
  18. * distribution.
  19. *
  20. * 3. All advertising materials mentioning features or use of this
  21. * software must display the following acknowledgment:
  22. * "This product includes software developed by the OpenSSL Project
  23. * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
  24. *
  25. * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  26. * endorse or promote products derived from this software without
  27. * prior written permission. For written permission, please contact
  28. * licensing@OpenSSL.org.
  29. *
  30. * 5. Products derived from this software may not be called "OpenSSL"
  31. * nor may "OpenSSL" appear in their names without prior written
  32. * permission of the OpenSSL Project.
  33. *
  34. * 6. Redistributions of any form whatsoever must retain the following
  35. * acknowledgment:
  36. * "This product includes software developed by the OpenSSL Project
  37. * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
  38. *
  39. * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  40. * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  41. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  42. * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
  43. * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  44. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  45. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  46. * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  47. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  48. * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  49. * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  50. * OF THE POSSIBILITY OF SUCH DAMAGE.
  51. * ====================================================================
  52. *
  53. * This product includes cryptographic software written by Eric Young
  54. * (eay@cryptsoft.com). This product includes software written by Tim
  55. * Hudson (tjh@cryptsoft.com).
  56. *
  57. */
  58. #include <string.h>
  59. #include <openssl/crypto.h>
  60. #include "cryptlib.h"
  61. #include <openssl/pem.h>
  62. #ifndef OPENSSL_NO_ENGINE
  63. #include <openssl/engine.h>
  64. #endif
  65. #include <openssl/ts.h>
  66. /* Macro definitions for the configuration file. */
  67. #define BASE_SECTION "tsa"
  68. #define ENV_DEFAULT_TSA "default_tsa"
  69. #define ENV_SERIAL "serial"
  70. #define ENV_CRYPTO_DEVICE "crypto_device"
  71. #define ENV_SIGNER_CERT "signer_cert"
  72. #define ENV_CERTS "certs"
  73. #define ENV_SIGNER_KEY "signer_key"
  74. #define ENV_DEFAULT_POLICY "default_policy"
  75. #define ENV_OTHER_POLICIES "other_policies"
  76. #define ENV_DIGESTS "digests"
  77. #define ENV_ACCURACY "accuracy"
  78. #define ENV_ORDERING "ordering"
  79. #define ENV_TSA_NAME "tsa_name"
  80. #define ENV_ESS_CERT_ID_CHAIN "ess_cert_id_chain"
  81. #define ENV_VALUE_SECS "secs"
  82. #define ENV_VALUE_MILLISECS "millisecs"
  83. #define ENV_VALUE_MICROSECS "microsecs"
  84. #define ENV_CLOCK_PRECISION_DIGITS "clock_precision_digits"
  85. #define ENV_VALUE_YES "yes"
  86. #define ENV_VALUE_NO "no"
  87. /* Function definitions for certificate and key loading. */
  88. X509 *TS_CONF_load_cert(const char *file)
  89. {
  90. BIO *cert = NULL;
  91. X509 *x = NULL;
  92. if ((cert = BIO_new_file(file, "r")) == NULL) goto end;
  93. x = PEM_read_bio_X509_AUX(cert, NULL, NULL, NULL);
  94. end:
  95. if (x == NULL)
  96. fprintf(stderr, "unable to load certificate: %s\n", file);
  97. BIO_free(cert);
  98. return x;
  99. }
  100. STACK_OF(X509) *TS_CONF_load_certs(const char *file)
  101. {
  102. BIO *certs = NULL;
  103. STACK_OF(X509) *othercerts = NULL;
  104. STACK_OF(X509_INFO) *allcerts = NULL;
  105. int i;
  106. if (!(certs = BIO_new_file(file, "r"))) goto end;
  107. if (!(othercerts = sk_X509_new_null())) goto end;
  108. allcerts = PEM_X509_INFO_read_bio(certs, NULL, NULL, NULL);
  109. for(i = 0; i < sk_X509_INFO_num(allcerts); i++)
  110. {
  111. X509_INFO *xi = sk_X509_INFO_value(allcerts, i);
  112. if (xi->x509)
  113. {
  114. sk_X509_push(othercerts, xi->x509);
  115. xi->x509 = NULL;
  116. }
  117. }
  118. end:
  119. if (othercerts == NULL)
  120. fprintf(stderr, "unable to load certificates: %s\n", file);
  121. sk_X509_INFO_pop_free(allcerts, X509_INFO_free);
  122. BIO_free(certs);
  123. return othercerts;
  124. }
  125. EVP_PKEY *TS_CONF_load_key(const char *file, const char *pass)
  126. {
  127. BIO *key = NULL;
  128. EVP_PKEY *pkey = NULL;
  129. if (!(key = BIO_new_file(file, "r"))) goto end;
  130. pkey = PEM_read_bio_PrivateKey(key, NULL, NULL, (char *) pass);
  131. end:
  132. if (pkey == NULL)
  133. fprintf(stderr, "unable to load private key: %s\n", file);
  134. BIO_free(key);
  135. return pkey;
  136. }
  137. /* Function definitions for handling configuration options. */
  138. static void TS_CONF_lookup_fail(const char *name, const char *tag)
  139. {
  140. fprintf(stderr, "variable lookup failed for %s::%s\n", name, tag);
  141. }
  142. static void TS_CONF_invalid(const char *name, const char *tag)
  143. {
  144. fprintf(stderr, "invalid variable value for %s::%s\n", name, tag);
  145. }
  146. const char *TS_CONF_get_tsa_section(CONF *conf, const char *section)
  147. {
  148. if (!section)
  149. {
  150. section = NCONF_get_string(conf, BASE_SECTION, ENV_DEFAULT_TSA);
  151. if (!section)
  152. TS_CONF_lookup_fail(BASE_SECTION, ENV_DEFAULT_TSA);
  153. }
  154. return section;
  155. }
  156. int TS_CONF_set_serial(CONF *conf, const char *section, TS_serial_cb cb,
  157. TS_RESP_CTX *ctx)
  158. {
  159. int ret = 0;
  160. char *serial = NCONF_get_string(conf, section, ENV_SERIAL);
  161. if (!serial)
  162. {
  163. TS_CONF_lookup_fail(section, ENV_SERIAL);
  164. goto err;
  165. }
  166. TS_RESP_CTX_set_serial_cb(ctx, cb, serial);
  167. ret = 1;
  168. err:
  169. return ret;
  170. }
  171. #ifndef OPENSSL_NO_ENGINE
  172. int TS_CONF_set_crypto_device(CONF *conf, const char *section,
  173. const char *device)
  174. {
  175. int ret = 0;
  176. if (!device)
  177. device = NCONF_get_string(conf, section,
  178. ENV_CRYPTO_DEVICE);
  179. if (device && !TS_CONF_set_default_engine(device))
  180. {
  181. TS_CONF_invalid(section, ENV_CRYPTO_DEVICE);
  182. goto err;
  183. }
  184. ret = 1;
  185. err:
  186. return ret;
  187. }
  188. int TS_CONF_set_default_engine(const char *name)
  189. {
  190. ENGINE *e = NULL;
  191. int ret = 0;
  192. /* Leave the default if builtin specified. */
  193. if (strcmp(name, "builtin") == 0) return 1;
  194. if (!(e = ENGINE_by_id(name))) goto err;
  195. /* Enable the use of the NCipher HSM for forked children. */
  196. if (strcmp(name, "chil") == 0)
  197. ENGINE_ctrl(e, ENGINE_CTRL_CHIL_SET_FORKCHECK, 1, 0, 0);
  198. /* All the operations are going to be carried out by the engine. */
  199. if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) goto err;
  200. ret = 1;
  201. err:
  202. if (!ret)
  203. {
  204. TSerr(TS_F_TS_CONF_SET_DEFAULT_ENGINE,
  205. TS_R_COULD_NOT_SET_ENGINE);
  206. ERR_add_error_data(2, "engine:", name);
  207. }
  208. if (e) ENGINE_free(e);
  209. return ret;
  210. }
  211. #endif
  212. int TS_CONF_set_signer_cert(CONF *conf, const char *section,
  213. const char *cert, TS_RESP_CTX *ctx)
  214. {
  215. int ret = 0;
  216. X509 *cert_obj = NULL;
  217. if (!cert)
  218. cert = NCONF_get_string(conf, section, ENV_SIGNER_CERT);
  219. if (!cert)
  220. {
  221. TS_CONF_lookup_fail(section, ENV_SIGNER_CERT);
  222. goto err;
  223. }
  224. if (!(cert_obj = TS_CONF_load_cert(cert)))
  225. goto err;
  226. if (!TS_RESP_CTX_set_signer_cert(ctx, cert_obj))
  227. goto err;
  228. ret = 1;
  229. err:
  230. X509_free(cert_obj);
  231. return ret;
  232. }
  233. int TS_CONF_set_certs(CONF *conf, const char *section, const char *certs,
  234. TS_RESP_CTX *ctx)
  235. {
  236. int ret = 0;
  237. STACK_OF(X509) *certs_obj = NULL;
  238. if (!certs)
  239. certs = NCONF_get_string(conf, section, ENV_CERTS);
  240. /* Certificate chain is optional. */
  241. if (!certs) goto end;
  242. if (!(certs_obj = TS_CONF_load_certs(certs))) goto err;
  243. if (!TS_RESP_CTX_set_certs(ctx, certs_obj)) goto err;
  244. end:
  245. ret = 1;
  246. err:
  247. sk_X509_pop_free(certs_obj, X509_free);
  248. return ret;
  249. }
  250. int TS_CONF_set_signer_key(CONF *conf, const char *section,
  251. const char *key, const char *pass,
  252. TS_RESP_CTX *ctx)
  253. {
  254. int ret = 0;
  255. EVP_PKEY *key_obj = NULL;
  256. if (!key)
  257. key = NCONF_get_string(conf, section, ENV_SIGNER_KEY);
  258. if (!key)
  259. {
  260. TS_CONF_lookup_fail(section, ENV_SIGNER_KEY);
  261. goto err;
  262. }
  263. if (!(key_obj = TS_CONF_load_key(key, pass))) goto err;
  264. if (!TS_RESP_CTX_set_signer_key(ctx, key_obj)) goto err;
  265. ret = 1;
  266. err:
  267. EVP_PKEY_free(key_obj);
  268. return ret;
  269. }
  270. int TS_CONF_set_def_policy(CONF *conf, const char *section,
  271. const char *policy, TS_RESP_CTX *ctx)
  272. {
  273. int ret = 0;
  274. ASN1_OBJECT *policy_obj = NULL;
  275. if (!policy)
  276. policy = NCONF_get_string(conf, section,
  277. ENV_DEFAULT_POLICY);
  278. if (!policy)
  279. {
  280. TS_CONF_lookup_fail(section, ENV_DEFAULT_POLICY);
  281. goto err;
  282. }
  283. if (!(policy_obj = OBJ_txt2obj(policy, 0)))
  284. {
  285. TS_CONF_invalid(section, ENV_DEFAULT_POLICY);
  286. goto err;
  287. }
  288. if (!TS_RESP_CTX_set_def_policy(ctx, policy_obj))
  289. goto err;
  290. ret = 1;
  291. err:
  292. ASN1_OBJECT_free(policy_obj);
  293. return ret;
  294. }
  295. int TS_CONF_set_policies(CONF *conf, const char *section,
  296. TS_RESP_CTX *ctx)
  297. {
  298. int ret = 0;
  299. int i;
  300. STACK_OF(CONF_VALUE) *list = NULL;
  301. char *policies = NCONF_get_string(conf, section,
  302. ENV_OTHER_POLICIES);
  303. /* If no other policy is specified, that's fine. */
  304. if (policies && !(list = X509V3_parse_list(policies)))
  305. {
  306. TS_CONF_invalid(section, ENV_OTHER_POLICIES);
  307. goto err;
  308. }
  309. for (i = 0; i < sk_CONF_VALUE_num(list); ++i)
  310. {
  311. CONF_VALUE *val = sk_CONF_VALUE_value(list, i);
  312. const char *extval = val->value ? val->value : val->name;
  313. ASN1_OBJECT *objtmp;
  314. if (!(objtmp = OBJ_txt2obj(extval, 0)))
  315. {
  316. TS_CONF_invalid(section, ENV_OTHER_POLICIES);
  317. goto err;
  318. }
  319. if (!TS_RESP_CTX_add_policy(ctx, objtmp))
  320. goto err;
  321. ASN1_OBJECT_free(objtmp);
  322. }
  323. ret = 1;
  324. err:
  325. sk_CONF_VALUE_pop_free(list, X509V3_conf_free);
  326. return ret;
  327. }
  328. int TS_CONF_set_digests(CONF *conf, const char *section,
  329. TS_RESP_CTX *ctx)
  330. {
  331. int ret = 0;
  332. int i;
  333. STACK_OF(CONF_VALUE) *list = NULL;
  334. char *digests = NCONF_get_string(conf, section, ENV_DIGESTS);
  335. if (!digests)
  336. {
  337. TS_CONF_lookup_fail(section, ENV_DIGESTS);
  338. goto err;
  339. }
  340. if (!(list = X509V3_parse_list(digests)))
  341. {
  342. TS_CONF_invalid(section, ENV_DIGESTS);
  343. goto err;
  344. }
  345. if (sk_CONF_VALUE_num(list) == 0)
  346. {
  347. TS_CONF_invalid(section, ENV_DIGESTS);
  348. goto err;
  349. }
  350. for (i = 0; i < sk_CONF_VALUE_num(list); ++i)
  351. {
  352. CONF_VALUE *val = sk_CONF_VALUE_value(list, i);
  353. const char *extval = val->value ? val->value : val->name;
  354. const EVP_MD *md;
  355. if (!(md = EVP_get_digestbyname(extval)))
  356. {
  357. TS_CONF_invalid(section, ENV_DIGESTS);
  358. goto err;
  359. }
  360. if (!TS_RESP_CTX_add_md(ctx, md))
  361. goto err;
  362. }
  363. ret = 1;
  364. err:
  365. sk_CONF_VALUE_pop_free(list, X509V3_conf_free);
  366. return ret;
  367. }
  368. int TS_CONF_set_accuracy(CONF *conf, const char *section, TS_RESP_CTX *ctx)
  369. {
  370. int ret = 0;
  371. int i;
  372. int secs = 0, millis = 0, micros = 0;
  373. STACK_OF(CONF_VALUE) *list = NULL;
  374. char *accuracy = NCONF_get_string(conf, section, ENV_ACCURACY);
  375. if (accuracy && !(list = X509V3_parse_list(accuracy)))
  376. {
  377. TS_CONF_invalid(section, ENV_ACCURACY);
  378. goto err;
  379. }
  380. for (i = 0; i < sk_CONF_VALUE_num(list); ++i)
  381. {
  382. CONF_VALUE *val = sk_CONF_VALUE_value(list, i);
  383. if (strcmp(val->name, ENV_VALUE_SECS) == 0)
  384. {
  385. if (val->value) secs = atoi(val->value);
  386. }
  387. else if (strcmp(val->name, ENV_VALUE_MILLISECS) == 0)
  388. {
  389. if (val->value) millis = atoi(val->value);
  390. }
  391. else if (strcmp(val->name, ENV_VALUE_MICROSECS) == 0)
  392. {
  393. if (val->value) micros = atoi(val->value);
  394. }
  395. else
  396. {
  397. TS_CONF_invalid(section, ENV_ACCURACY);
  398. goto err;
  399. }
  400. }
  401. if (!TS_RESP_CTX_set_accuracy(ctx, secs, millis, micros))
  402. goto err;
  403. ret = 1;
  404. err:
  405. sk_CONF_VALUE_pop_free(list, X509V3_conf_free);
  406. return ret;
  407. }
  408. int TS_CONF_set_clock_precision_digits(CONF *conf, const char *section,
  409. TS_RESP_CTX *ctx)
  410. {
  411. int ret = 0;
  412. long digits = 0;
  413. /* If not specified, set the default value to 0, i.e. sec precision */
  414. if (!NCONF_get_number_e(conf, section, ENV_CLOCK_PRECISION_DIGITS,
  415. &digits))
  416. digits = 0;
  417. if (digits < 0 || digits > TS_MAX_CLOCK_PRECISION_DIGITS)
  418. {
  419. TS_CONF_invalid(section, ENV_CLOCK_PRECISION_DIGITS);
  420. goto err;
  421. }
  422. if (!TS_RESP_CTX_set_clock_precision_digits(ctx, digits))
  423. goto err;
  424. return 1;
  425. err:
  426. return ret;
  427. }
  428. static int TS_CONF_add_flag(CONF *conf, const char *section, const char *field,
  429. int flag, TS_RESP_CTX *ctx)
  430. {
  431. /* Default is false. */
  432. const char *value = NCONF_get_string(conf, section, field);
  433. if (value)
  434. {
  435. if (strcmp(value, ENV_VALUE_YES) == 0)
  436. TS_RESP_CTX_add_flags(ctx, flag);
  437. else if (strcmp(value, ENV_VALUE_NO) != 0)
  438. {
  439. TS_CONF_invalid(section, field);
  440. return 0;
  441. }
  442. }
  443. return 1;
  444. }
  445. int TS_CONF_set_ordering(CONF *conf, const char *section, TS_RESP_CTX *ctx)
  446. {
  447. return TS_CONF_add_flag(conf, section, ENV_ORDERING, TS_ORDERING, ctx);
  448. }
  449. int TS_CONF_set_tsa_name(CONF *conf, const char *section, TS_RESP_CTX *ctx)
  450. {
  451. return TS_CONF_add_flag(conf, section, ENV_TSA_NAME, TS_TSA_NAME, ctx);
  452. }
  453. int TS_CONF_set_ess_cert_id_chain(CONF *conf, const char *section,
  454. TS_RESP_CTX *ctx)
  455. {
  456. return TS_CONF_add_flag(conf, section, ENV_ESS_CERT_ID_CHAIN,
  457. TS_ESS_CERT_ID_CHAIN, ctx);
  458. }