cmp_vfy.c 31 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861
  1. /*
  2. * Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved.
  3. * Copyright Nokia 2007-2020
  4. * Copyright Siemens AG 2015-2020
  5. *
  6. * Licensed under the Apache License 2.0 (the "License"). You may not use
  7. * this file except in compliance with the License. You can obtain a copy
  8. * in the file LICENSE in the source distribution or at
  9. * https://www.openssl.org/source/license.html
  10. */
  11. /* CMP functions for PKIMessage checking */
  12. #include "cmp_local.h"
  13. #include <openssl/cmp_util.h>
  14. /* explicit #includes not strictly needed since implied by the above: */
  15. #include <openssl/asn1t.h>
  16. #include <openssl/cmp.h>
  17. #include <openssl/crmf.h>
  18. #include <openssl/err.h>
  19. #include <openssl/x509.h>
  20. /* Verify a message protected by signature according to RFC section 5.1.3.3 */
  21. static int verify_signature(const OSSL_CMP_CTX *cmp_ctx,
  22. const OSSL_CMP_MSG *msg, X509 *cert)
  23. {
  24. OSSL_CMP_PROTECTEDPART prot_part;
  25. EVP_PKEY *pubkey = NULL;
  26. BIO *bio;
  27. int res = 0;
  28. if (!ossl_assert(cmp_ctx != NULL && msg != NULL && cert != NULL))
  29. return 0;
  30. bio = BIO_new(BIO_s_mem()); /* may be NULL */
  31. if (bio == NULL)
  32. return 0;
  33. /* verify that keyUsage, if present, contains digitalSignature */
  34. if (!cmp_ctx->ignore_keyusage
  35. && (X509_get_key_usage(cert) & X509v3_KU_DIGITAL_SIGNATURE) == 0) {
  36. ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_KEY_USAGE_DIGITALSIGNATURE);
  37. goto sig_err;
  38. }
  39. pubkey = X509_get_pubkey(cert);
  40. if (pubkey == NULL) {
  41. ERR_raise(ERR_LIB_CMP, CMP_R_FAILED_EXTRACTING_PUBKEY);
  42. goto sig_err;
  43. }
  44. prot_part.header = msg->header;
  45. prot_part.body = msg->body;
  46. if (ASN1_item_verify_ex(ASN1_ITEM_rptr(OSSL_CMP_PROTECTEDPART),
  47. msg->header->protectionAlg, msg->protection,
  48. &prot_part, NULL, pubkey, cmp_ctx->libctx,
  49. cmp_ctx->propq) > 0) {
  50. res = 1;
  51. goto end;
  52. }
  53. sig_err:
  54. res = ossl_x509_print_ex_brief(bio, cert, X509_FLAG_NO_EXTENSIONS);
  55. ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_VALIDATING_SIGNATURE);
  56. if (res)
  57. ERR_add_error_mem_bio("\n", bio);
  58. res = 0;
  59. end:
  60. EVP_PKEY_free(pubkey);
  61. BIO_free(bio);
  62. return res;
  63. }
  64. /* Verify a message protected with PBMAC */
  65. static int verify_PBMAC(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg)
  66. {
  67. ASN1_BIT_STRING *protection = NULL;
  68. int valid = 0;
  69. /* generate expected protection for the message */
  70. if ((protection = ossl_cmp_calc_protection(ctx, msg)) == NULL)
  71. return 0; /* failed to generate protection string! */
  72. valid = msg->protection != NULL && msg->protection->length >= 0
  73. && msg->protection->type == protection->type
  74. && msg->protection->length == protection->length
  75. && CRYPTO_memcmp(msg->protection->data, protection->data,
  76. protection->length) == 0;
  77. ASN1_BIT_STRING_free(protection);
  78. if (!valid)
  79. ERR_raise(ERR_LIB_CMP, CMP_R_WRONG_PBM_VALUE);
  80. return valid;
  81. }
  82. /*-
  83. * Attempt to validate certificate and path using any given store with trusted
  84. * certs (possibly including CRLs and a cert verification callback function)
  85. * and non-trusted intermediate certs from the given ctx.
  86. *
  87. * Returns 1 on successful validation and 0 otherwise.
  88. */
  89. int OSSL_CMP_validate_cert_path(const OSSL_CMP_CTX *ctx,
  90. X509_STORE *trusted_store, X509 *cert)
  91. {
  92. int valid = 0;
  93. X509_STORE_CTX *csc = NULL;
  94. int err;
  95. if (ctx == NULL || cert == NULL) {
  96. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  97. return 0;
  98. }
  99. if (trusted_store == NULL) {
  100. ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_TRUST_STORE);
  101. return 0;
  102. }
  103. if ((csc = X509_STORE_CTX_new_ex(ctx->libctx, ctx->propq)) == NULL
  104. || !X509_STORE_CTX_init(csc, trusted_store,
  105. cert, ctx->untrusted))
  106. goto err;
  107. valid = X509_verify_cert(csc) > 0;
  108. /* make sure suitable error is queued even if callback did not do */
  109. err = ERR_peek_last_error();
  110. if (!valid && ERR_GET_REASON(err) != CMP_R_POTENTIALLY_INVALID_CERTIFICATE)
  111. ERR_raise(ERR_LIB_CMP, CMP_R_POTENTIALLY_INVALID_CERTIFICATE);
  112. err:
  113. /* directly output any fresh errors, needed for check_msg_find_cert() */
  114. OSSL_CMP_CTX_print_errors(ctx);
  115. X509_STORE_CTX_free(csc);
  116. return valid;
  117. }
  118. /* Return 0 if expect_name != NULL and there is no matching actual_name */
  119. static int check_name(const OSSL_CMP_CTX *ctx, int log_success,
  120. const char *actual_desc, const X509_NAME *actual_name,
  121. const char *expect_desc, const X509_NAME *expect_name)
  122. {
  123. char *str;
  124. if (expect_name == NULL)
  125. return 1; /* no expectation, thus trivially fulfilled */
  126. /* make sure that a matching name is there */
  127. if (actual_name == NULL) {
  128. ossl_cmp_log1(WARN, ctx, "missing %s", actual_desc);
  129. return 0;
  130. }
  131. str = X509_NAME_oneline(actual_name, NULL, 0);
  132. if (X509_NAME_cmp(actual_name, expect_name) == 0) {
  133. if (log_success && str != NULL)
  134. ossl_cmp_log2(INFO, ctx, " subject matches %s: %s", expect_desc,
  135. str);
  136. OPENSSL_free(str);
  137. return 1;
  138. }
  139. if (str != NULL)
  140. ossl_cmp_log2(INFO, ctx, " actual name in %s = %s", actual_desc, str);
  141. OPENSSL_free(str);
  142. if ((str = X509_NAME_oneline(expect_name, NULL, 0)) != NULL)
  143. ossl_cmp_log2(INFO, ctx, " does not match %s = %s", expect_desc, str);
  144. OPENSSL_free(str);
  145. return 0;
  146. }
  147. /* Return 0 if skid != NULL and there is no matching subject key ID in cert */
  148. static int check_kid(const OSSL_CMP_CTX *ctx,
  149. const ASN1_OCTET_STRING *ckid,
  150. const ASN1_OCTET_STRING *skid)
  151. {
  152. char *str;
  153. if (skid == NULL)
  154. return 1; /* no expectation, thus trivially fulfilled */
  155. /* make sure that the expected subject key identifier is there */
  156. if (ckid == NULL) {
  157. ossl_cmp_warn(ctx, "missing Subject Key Identifier in certificate");
  158. return 0;
  159. }
  160. str = i2s_ASN1_OCTET_STRING(NULL, ckid);
  161. if (ASN1_OCTET_STRING_cmp(ckid, skid) == 0) {
  162. if (str != NULL)
  163. ossl_cmp_log1(INFO, ctx, " subjectKID matches senderKID: %s", str);
  164. OPENSSL_free(str);
  165. return 1;
  166. }
  167. if (str != NULL)
  168. ossl_cmp_log1(INFO, ctx, " cert Subject Key Identifier = %s", str);
  169. OPENSSL_free(str);
  170. if ((str = i2s_ASN1_OCTET_STRING(NULL, skid)) != NULL)
  171. ossl_cmp_log1(INFO, ctx, " does not match senderKID = %s", str);
  172. OPENSSL_free(str);
  173. return 0;
  174. }
  175. static int already_checked(const X509 *cert,
  176. const STACK_OF(X509) *already_checked)
  177. {
  178. int i;
  179. for (i = sk_X509_num(already_checked /* may be NULL */); i > 0; i--)
  180. if (X509_cmp(sk_X509_value(already_checked, i - 1), cert) == 0)
  181. return 1;
  182. return 0;
  183. }
  184. /*-
  185. * Check if the given cert is acceptable as sender cert of the given message.
  186. * The subject DN must match, the subject key ID as well if present in the msg,
  187. * and the cert must be current (checked if ctx->trusted is not NULL).
  188. * Note that cert revocation etc. is checked by OSSL_CMP_validate_cert_path().
  189. *
  190. * Returns 0 on error or not acceptable, else 1.
  191. */
  192. static int cert_acceptable(const OSSL_CMP_CTX *ctx,
  193. const char *desc1, const char *desc2, X509 *cert,
  194. const STACK_OF(X509) *already_checked1,
  195. const STACK_OF(X509) *already_checked2,
  196. const OSSL_CMP_MSG *msg)
  197. {
  198. X509_STORE *ts = ctx->trusted;
  199. int self_issued = X509_check_issued(cert, cert) == X509_V_OK;
  200. char *str;
  201. X509_VERIFY_PARAM *vpm = ts != NULL ? X509_STORE_get0_param(ts) : NULL;
  202. int time_cmp;
  203. ossl_cmp_log3(INFO, ctx, " considering %s%s %s with..",
  204. self_issued ? "self-issued ": "", desc1, desc2);
  205. if ((str = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0)) != NULL)
  206. ossl_cmp_log1(INFO, ctx, " subject = %s", str);
  207. OPENSSL_free(str);
  208. if (!self_issued) {
  209. str = X509_NAME_oneline(X509_get_issuer_name(cert), NULL, 0);
  210. if (str != NULL)
  211. ossl_cmp_log1(INFO, ctx, " issuer = %s", str);
  212. OPENSSL_free(str);
  213. }
  214. if (already_checked(cert, already_checked1)
  215. || already_checked(cert, already_checked2)) {
  216. ossl_cmp_info(ctx, " cert has already been checked");
  217. return 0;
  218. }
  219. time_cmp = X509_cmp_timeframe(vpm, X509_get0_notBefore(cert),
  220. X509_get0_notAfter(cert));
  221. if (time_cmp != 0) {
  222. ossl_cmp_warn(ctx, time_cmp > 0 ? "cert has expired"
  223. : "cert is not yet valid");
  224. return 0;
  225. }
  226. if (!check_name(ctx, 1,
  227. "cert subject", X509_get_subject_name(cert),
  228. "sender field", msg->header->sender->d.directoryName))
  229. return 0;
  230. if (!check_kid(ctx, X509_get0_subject_key_id(cert), msg->header->senderKID))
  231. return 0;
  232. /* prevent misleading error later in case x509v3_cache_extensions() fails */
  233. if (!ossl_x509v3_cache_extensions(cert)) {
  234. ossl_cmp_warn(ctx, "cert appears to be invalid");
  235. return 0;
  236. }
  237. if (!verify_signature(ctx, msg, cert)) {
  238. ossl_cmp_warn(ctx, "msg signature verification failed");
  239. return 0;
  240. }
  241. /* acceptable also if there is no senderKID in msg header */
  242. ossl_cmp_info(ctx, " cert seems acceptable");
  243. return 1;
  244. }
  245. static int check_cert_path(const OSSL_CMP_CTX *ctx, X509_STORE *store,
  246. X509 *scrt)
  247. {
  248. if (OSSL_CMP_validate_cert_path(ctx, store, scrt))
  249. return 1;
  250. ossl_cmp_warn(ctx,
  251. "msg signature validates but cert path validation failed");
  252. return 0;
  253. }
  254. /*
  255. * Exceptional handling for 3GPP TS 33.310 [3G/LTE Network Domain Security
  256. * (NDS); Authentication Framework (AF)], only to use for IP messages
  257. * and if the ctx option is explicitly set: use self-issued certificates
  258. * from extraCerts as trust anchor to validate sender cert -
  259. * provided it also can validate the newly enrolled certificate
  260. */
  261. static int check_cert_path_3gpp(const OSSL_CMP_CTX *ctx,
  262. const OSSL_CMP_MSG *msg, X509 *scrt)
  263. {
  264. int valid = 0;
  265. X509_STORE *store;
  266. if (!ctx->permitTAInExtraCertsForIR)
  267. return 0;
  268. if ((store = X509_STORE_new()) == NULL
  269. || !ossl_cmp_X509_STORE_add1_certs(store, msg->extraCerts,
  270. 1 /* self-issued only */))
  271. goto err;
  272. /* store does not include CRLs */
  273. valid = OSSL_CMP_validate_cert_path(ctx, store, scrt);
  274. if (!valid) {
  275. ossl_cmp_warn(ctx,
  276. "also exceptional 3GPP mode cert path validation failed");
  277. } else {
  278. /*
  279. * verify that the newly enrolled certificate (which assumed rid ==
  280. * OSSL_CMP_CERTREQID) can also be validated with the same trusted store
  281. */
  282. EVP_PKEY *pkey = OSSL_CMP_CTX_get0_newPkey(ctx, 1);
  283. OSSL_CMP_CERTRESPONSE *crep =
  284. ossl_cmp_certrepmessage_get0_certresponse(msg->body->value.ip,
  285. OSSL_CMP_CERTREQID);
  286. X509 *newcrt = ossl_cmp_certresponse_get1_cert(crep, ctx, pkey);
  287. /*
  288. * maybe better use get_cert_status() from cmp_client.c, which catches
  289. * errors
  290. */
  291. valid = OSSL_CMP_validate_cert_path(ctx, store, newcrt);
  292. X509_free(newcrt);
  293. }
  294. err:
  295. X509_STORE_free(store);
  296. return valid;
  297. }
  298. static int check_msg_given_cert(const OSSL_CMP_CTX *ctx, X509 *cert,
  299. const OSSL_CMP_MSG *msg)
  300. {
  301. return cert_acceptable(ctx, "previously validated", "sender cert",
  302. cert, NULL, NULL, msg)
  303. && (check_cert_path(ctx, ctx->trusted, cert)
  304. || check_cert_path_3gpp(ctx, msg, cert));
  305. }
  306. /*-
  307. * Try all certs in given list for verifying msg, normally or in 3GPP mode.
  308. * If already_checked1 == NULL then certs are assumed to be the msg->extraCerts.
  309. * On success cache the found cert using ossl_cmp_ctx_set1_validatedSrvCert().
  310. */
  311. static int check_msg_with_certs(OSSL_CMP_CTX *ctx, const STACK_OF(X509) *certs,
  312. const char *desc,
  313. const STACK_OF(X509) *already_checked1,
  314. const STACK_OF(X509) *already_checked2,
  315. const OSSL_CMP_MSG *msg, int mode_3gpp)
  316. {
  317. int in_extraCerts = already_checked1 == NULL;
  318. int n_acceptable_certs = 0;
  319. int i;
  320. if (sk_X509_num(certs) <= 0) {
  321. ossl_cmp_log1(WARN, ctx, "no %s", desc);
  322. return 0;
  323. }
  324. for (i = 0; i < sk_X509_num(certs); i++) { /* certs may be NULL */
  325. X509 *cert = sk_X509_value(certs, i);
  326. if (!ossl_assert(cert != NULL))
  327. return 0;
  328. if (!cert_acceptable(ctx, "cert from", desc, cert,
  329. already_checked1, already_checked2, msg))
  330. continue;
  331. n_acceptable_certs++;
  332. if (mode_3gpp ? check_cert_path_3gpp(ctx, msg, cert)
  333. : check_cert_path(ctx, ctx->trusted, cert)) {
  334. /* store successful sender cert for further msgs in transaction */
  335. return ossl_cmp_ctx_set1_validatedSrvCert(ctx, cert);
  336. }
  337. }
  338. if (in_extraCerts && n_acceptable_certs == 0)
  339. ossl_cmp_warn(ctx, "no acceptable cert in extraCerts");
  340. return 0;
  341. }
  342. /*-
  343. * Verify msg trying first ctx->untrusted, which should include extraCerts
  344. * at its front, then trying the trusted certs in truststore (if any) of ctx.
  345. * On success cache the found cert using ossl_cmp_ctx_set1_validatedSrvCert().
  346. */
  347. static int check_msg_all_certs(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg,
  348. int mode_3gpp)
  349. {
  350. int ret = 0;
  351. if (mode_3gpp
  352. && ((!ctx->permitTAInExtraCertsForIR
  353. || OSSL_CMP_MSG_get_bodytype(msg) != OSSL_CMP_PKIBODY_IP)))
  354. return 0;
  355. ossl_cmp_info(ctx,
  356. mode_3gpp ? "normal mode failed; trying now 3GPP mode trusting extraCerts"
  357. : "trying first normal mode using trust store");
  358. if (check_msg_with_certs(ctx, msg->extraCerts, "extraCerts",
  359. NULL, NULL, msg, mode_3gpp))
  360. return 1;
  361. if (check_msg_with_certs(ctx, ctx->untrusted, "untrusted certs",
  362. msg->extraCerts, NULL, msg, mode_3gpp))
  363. return 1;
  364. if (ctx->trusted == NULL) {
  365. ossl_cmp_warn(ctx, mode_3gpp ? "no self-issued extraCerts"
  366. : "no trusted store");
  367. } else {
  368. STACK_OF(X509) *trusted = X509_STORE_get1_all_certs(ctx->trusted);
  369. ret = check_msg_with_certs(ctx, trusted,
  370. mode_3gpp ? "self-issued extraCerts"
  371. : "certs in trusted store",
  372. msg->extraCerts, ctx->untrusted,
  373. msg, mode_3gpp);
  374. OSSL_STACK_OF_X509_free(trusted);
  375. }
  376. return ret;
  377. }
  378. static int no_log_cb(const char *func, const char *file, int line,
  379. OSSL_CMP_severity level, const char *msg)
  380. {
  381. return 1;
  382. }
  383. /*-
  384. * Verify message signature with any acceptable and valid candidate cert.
  385. * On success cache the found cert using ossl_cmp_ctx_set1_validatedSrvCert().
  386. */
  387. static int check_msg_find_cert(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg)
  388. {
  389. X509 *scrt = ctx->validatedSrvCert; /* previous successful sender cert */
  390. GENERAL_NAME *sender = msg->header->sender;
  391. char *sname = NULL;
  392. char *skid_str = NULL;
  393. const ASN1_OCTET_STRING *skid = msg->header->senderKID;
  394. OSSL_CMP_log_cb_t backup_log_cb = ctx->log_cb;
  395. int res = 0;
  396. if (sender == NULL || msg->body == NULL)
  397. return 0; /* other NULL cases already have been checked */
  398. if (sender->type != GEN_DIRNAME) {
  399. ERR_raise(ERR_LIB_CMP, CMP_R_SENDER_GENERALNAME_TYPE_NOT_SUPPORTED);
  400. return 0;
  401. }
  402. /* dump any hitherto errors to avoid confusion when printing further ones */
  403. OSSL_CMP_CTX_print_errors(ctx);
  404. /* enable clearing irrelevant errors in attempts to validate sender certs */
  405. (void)ERR_set_mark();
  406. ctx->log_cb = no_log_cb; /* temporarily disable logging */
  407. /*
  408. * try first cached scrt, used successfully earlier in same transaction,
  409. * for validating this and any further msgs where extraCerts may be left out
  410. */
  411. if (scrt != NULL) {
  412. if (check_msg_given_cert(ctx, scrt, msg)) {
  413. ctx->log_cb = backup_log_cb;
  414. (void)ERR_pop_to_mark();
  415. return 1;
  416. }
  417. /* cached sender cert has shown to be no more successfully usable */
  418. (void)ossl_cmp_ctx_set1_validatedSrvCert(ctx, NULL);
  419. /* re-do the above check (just) for adding diagnostic information */
  420. ossl_cmp_info(ctx,
  421. "trying to verify msg signature with previously validated cert");
  422. (void)check_msg_given_cert(ctx, scrt, msg);
  423. }
  424. res = check_msg_all_certs(ctx, msg, 0 /* using ctx->trusted */)
  425. || check_msg_all_certs(ctx, msg, 1 /* 3gpp */);
  426. ctx->log_cb = backup_log_cb;
  427. if (res) {
  428. /* discard any diagnostic information on trying to use certs */
  429. (void)ERR_pop_to_mark();
  430. goto end;
  431. }
  432. /* failed finding a sender cert that verifies the message signature */
  433. (void)ERR_clear_last_mark();
  434. sname = X509_NAME_oneline(sender->d.directoryName, NULL, 0);
  435. skid_str = skid == NULL ? NULL : i2s_ASN1_OCTET_STRING(NULL, skid);
  436. if (ctx->log_cb != NULL) {
  437. ossl_cmp_info(ctx, "trying to verify msg signature with a valid cert that..");
  438. if (sname != NULL)
  439. ossl_cmp_log1(INFO, ctx, "matches msg sender = %s", sname);
  440. if (skid_str != NULL)
  441. ossl_cmp_log1(INFO, ctx, "matches msg senderKID = %s", skid_str);
  442. else
  443. ossl_cmp_info(ctx, "while msg header does not contain senderKID");
  444. /* re-do the above checks (just) for adding diagnostic information */
  445. (void)check_msg_all_certs(ctx, msg, 0 /* using ctx->trusted */);
  446. (void)check_msg_all_certs(ctx, msg, 1 /* 3gpp */);
  447. }
  448. ERR_raise(ERR_LIB_CMP, CMP_R_NO_SUITABLE_SENDER_CERT);
  449. if (sname != NULL) {
  450. ERR_add_error_txt(NULL, "for msg sender name = ");
  451. ERR_add_error_txt(NULL, sname);
  452. }
  453. if (skid_str != NULL) {
  454. ERR_add_error_txt(" and ", "for msg senderKID = ");
  455. ERR_add_error_txt(NULL, skid_str);
  456. }
  457. end:
  458. OPENSSL_free(sname);
  459. OPENSSL_free(skid_str);
  460. return res;
  461. }
  462. /*-
  463. * Validate the protection of the given PKIMessage using either password-
  464. * based mac (PBM) or a signature algorithm. In the case of signature algorithm,
  465. * the sender certificate can have been pinned by providing it in ctx->srvCert,
  466. * else it is searched in msg->extraCerts, ctx->untrusted, in ctx->trusted
  467. * (in this order) and is path is validated against ctx->trusted.
  468. * On success cache the found cert using ossl_cmp_ctx_set1_validatedSrvCert().
  469. *
  470. * If ctx->permitTAInExtraCertsForIR is true and when validating a CMP IP msg,
  471. * the trust anchor for validating the IP msg may be taken from msg->extraCerts
  472. * if a self-issued certificate is found there that can be used to
  473. * validate the enrolled certificate returned in the IP.
  474. * This is according to the need given in 3GPP TS 33.310.
  475. *
  476. * Returns 1 on success, 0 on error or validation failed.
  477. */
  478. int OSSL_CMP_validate_msg(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg)
  479. {
  480. X509 *scrt;
  481. ossl_cmp_debug(ctx, "validating CMP message");
  482. if (ctx == NULL || msg == NULL
  483. || msg->header == NULL || msg->body == NULL) {
  484. ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
  485. return 0;
  486. }
  487. if (msg->header->protectionAlg == NULL /* unprotected message */
  488. || msg->protection == NULL || msg->protection->data == NULL) {
  489. ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_PROTECTION);
  490. return 0;
  491. }
  492. switch (ossl_cmp_hdr_get_protection_nid(msg->header)) {
  493. /* 5.1.3.1. Shared Secret Information */
  494. case NID_id_PasswordBasedMAC:
  495. if (ctx->secretValue == NULL) {
  496. ossl_cmp_warn(ctx, "no secret available for verifying PBM-based CMP message protection");
  497. return 1;
  498. }
  499. if (verify_PBMAC(ctx, msg)) {
  500. /*
  501. * RFC 4210, 5.3.2: 'Note that if the PKI Message Protection is
  502. * "shared secret information", then any certificate transported in
  503. * the caPubs field may be directly trusted as a root CA
  504. * certificate by the initiator.'
  505. */
  506. switch (OSSL_CMP_MSG_get_bodytype(msg)) {
  507. case -1:
  508. return 0;
  509. case OSSL_CMP_PKIBODY_IP:
  510. case OSSL_CMP_PKIBODY_CP:
  511. case OSSL_CMP_PKIBODY_KUP:
  512. case OSSL_CMP_PKIBODY_CCP:
  513. if (ctx->trusted != NULL) {
  514. STACK_OF(X509) *certs = msg->body->value.ip->caPubs;
  515. /* value.ip is same for cp, kup, and ccp */
  516. if (!ossl_cmp_X509_STORE_add1_certs(ctx->trusted, certs, 0))
  517. /* adds both self-issued and not self-issued certs */
  518. return 0;
  519. }
  520. break;
  521. default:
  522. break;
  523. }
  524. ossl_cmp_debug(ctx,
  525. "successfully validated PBM-based CMP message protection");
  526. return 1;
  527. }
  528. ossl_cmp_warn(ctx, "verifying PBM-based CMP message protection failed");
  529. break;
  530. /*
  531. * 5.1.3.2 DH Key Pairs
  532. * Not yet supported
  533. */
  534. case NID_id_DHBasedMac:
  535. ERR_raise(ERR_LIB_CMP, CMP_R_UNSUPPORTED_PROTECTION_ALG_DHBASEDMAC);
  536. break;
  537. /*
  538. * 5.1.3.3. Signature
  539. */
  540. default:
  541. scrt = ctx->srvCert;
  542. if (scrt == NULL) {
  543. if (ctx->trusted == NULL) {
  544. ossl_cmp_warn(ctx, "no trust store nor pinned server cert available for verifying signature-based CMP message protection");
  545. return 1;
  546. }
  547. if (check_msg_find_cert(ctx, msg)) {
  548. ossl_cmp_debug(ctx,
  549. "successfully validated signature-based CMP message protection using trust store");
  550. return 1;
  551. }
  552. } else { /* use pinned sender cert */
  553. /* use ctx->srvCert for signature check even if not acceptable */
  554. if (verify_signature(ctx, msg, scrt)) {
  555. ossl_cmp_debug(ctx,
  556. "successfully validated signature-based CMP message protection using pinned server cert");
  557. return ossl_cmp_ctx_set1_validatedSrvCert(ctx, scrt);
  558. }
  559. ossl_cmp_warn(ctx, "CMP message signature verification failed");
  560. ERR_raise(ERR_LIB_CMP, CMP_R_SRVCERT_DOES_NOT_VALIDATE_MSG);
  561. }
  562. break;
  563. }
  564. return 0;
  565. }
  566. static int check_transactionID_or_nonce(ASN1_OCTET_STRING *expected,
  567. ASN1_OCTET_STRING *actual, int reason)
  568. {
  569. if (expected != NULL
  570. && (actual == NULL || ASN1_OCTET_STRING_cmp(expected, actual) != 0)) {
  571. #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
  572. char *expected_str, *actual_str;
  573. expected_str = i2s_ASN1_OCTET_STRING(NULL, expected);
  574. actual_str = actual == NULL ? NULL: i2s_ASN1_OCTET_STRING(NULL, actual);
  575. ERR_raise_data(ERR_LIB_CMP, CMP_R_TRANSACTIONID_UNMATCHED,
  576. "expected = %s, actual = %s",
  577. expected_str == NULL ? "?" : expected_str,
  578. actual == NULL ? "(none)" :
  579. actual_str == NULL ? "?" : actual_str);
  580. OPENSSL_free(expected_str);
  581. OPENSSL_free(actual_str);
  582. return 0;
  583. #endif
  584. }
  585. return 1;
  586. }
  587. /*-
  588. * Check received message (i.e., response by server or request from client)
  589. * Any msg->extraCerts are prepended to ctx->untrusted.
  590. *
  591. * Ensures that:
  592. * its sender is of appropriate type (currently only X509_NAME) and
  593. * matches any expected sender or srvCert subject given in the ctx
  594. * it has a valid body type
  595. * its protection is valid (or invalid/absent, but only if a callback function
  596. * is present and yields a positive result using also the supplied argument)
  597. * its transaction ID matches the previous transaction ID stored in ctx (if any)
  598. * its recipNonce matches the previous senderNonce stored in the ctx (if any)
  599. *
  600. * If everything is fine:
  601. * learns the senderNonce from the received message,
  602. * learns the transaction ID if it is not yet in ctx,
  603. * and makes any certs in caPubs directly trusted.
  604. *
  605. * Returns 1 on success, 0 on error.
  606. */
  607. int ossl_cmp_msg_check_update(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg,
  608. ossl_cmp_allow_unprotected_cb_t cb, int cb_arg)
  609. {
  610. OSSL_CMP_PKIHEADER *hdr;
  611. const X509_NAME *expected_sender;
  612. if (!ossl_assert(ctx != NULL && msg != NULL && msg->header != NULL))
  613. return 0;
  614. hdr = OSSL_CMP_MSG_get0_header(msg);
  615. /* validate sender name of received msg */
  616. if (hdr->sender->type != GEN_DIRNAME) {
  617. ERR_raise(ERR_LIB_CMP, CMP_R_SENDER_GENERALNAME_TYPE_NOT_SUPPORTED);
  618. return 0;
  619. }
  620. /*
  621. * Compare actual sender name of response with expected sender name.
  622. * Mitigates risk to accept misused PBM secret
  623. * or misused certificate of an unauthorized entity of a trusted hierarchy.
  624. */
  625. expected_sender = ctx->expected_sender;
  626. if (expected_sender == NULL && ctx->srvCert != NULL)
  627. expected_sender = X509_get_subject_name(ctx->srvCert);
  628. if (!check_name(ctx, 0, "sender DN field", hdr->sender->d.directoryName,
  629. "expected sender", expected_sender))
  630. return 0;
  631. /* Note: if recipient was NULL-DN it could be learned here if needed */
  632. if (sk_X509_num(msg->extraCerts) > 10)
  633. ossl_cmp_warn(ctx,
  634. "received CMP message contains more than 10 extraCerts");
  635. /*
  636. * Store any provided extraCerts in ctx for use in OSSL_CMP_validate_msg()
  637. * and for future use, such that they are available to ctx->certConf_cb and
  638. * the peer does not need to send them again in the same transaction.
  639. * Note that it does not help validating the message before storing the
  640. * extraCerts because they do not belong to the protected msg part anyway.
  641. * For efficiency, the extraCerts are prepended so they get used first.
  642. */
  643. if (!X509_add_certs(ctx->untrusted, msg->extraCerts,
  644. /* this allows self-signed certs */
  645. X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP
  646. | X509_ADD_FLAG_PREPEND))
  647. return 0;
  648. /* validate message protection */
  649. if (hdr->protectionAlg != NULL) {
  650. /* detect explicitly permitted exceptions for invalid protection */
  651. if (!OSSL_CMP_validate_msg(ctx, msg)
  652. && (cb == NULL || (*cb)(ctx, msg, 1, cb_arg) <= 0)) {
  653. #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
  654. ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_VALIDATING_PROTECTION);
  655. return 0;
  656. #endif
  657. }
  658. } else {
  659. /* detect explicitly permitted exceptions for missing protection */
  660. if (cb == NULL || (*cb)(ctx, msg, 0, cb_arg) <= 0) {
  661. #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
  662. ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_PROTECTION);
  663. return 0;
  664. #endif
  665. }
  666. }
  667. /* check CMP version number in header */
  668. if (ossl_cmp_hdr_get_pvno(hdr) != OSSL_CMP_PVNO_2
  669. && ossl_cmp_hdr_get_pvno(hdr) != OSSL_CMP_PVNO_3) {
  670. #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
  671. ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PVNO);
  672. return 0;
  673. #endif
  674. }
  675. if (OSSL_CMP_MSG_get_bodytype(msg) < 0) {
  676. #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
  677. ERR_raise(ERR_LIB_CMP, CMP_R_PKIBODY_ERROR);
  678. return 0;
  679. #endif
  680. }
  681. /* compare received transactionID with the expected one in previous msg */
  682. if (!check_transactionID_or_nonce(ctx->transactionID, hdr->transactionID,
  683. CMP_R_TRANSACTIONID_UNMATCHED))
  684. return 0;
  685. /* compare received nonce with the one we sent */
  686. if (!check_transactionID_or_nonce(ctx->senderNonce, hdr->recipNonce,
  687. CMP_R_RECIPNONCE_UNMATCHED))
  688. return 0;
  689. /*
  690. * RFC 4210 section 5.1.1 states: the recipNonce is copied from
  691. * the senderNonce of the previous message in the transaction.
  692. * --> Store for setting in next message
  693. */
  694. if (!ossl_cmp_ctx_set1_recipNonce(ctx, hdr->senderNonce))
  695. return 0;
  696. /* if not yet present, learn transactionID */
  697. if (ctx->transactionID == NULL
  698. && !OSSL_CMP_CTX_set1_transactionID(ctx, hdr->transactionID))
  699. return -1;
  700. /*
  701. * Store any provided extraCerts in ctx for future use,
  702. * such that they are available to ctx->certConf_cb and
  703. * the peer does not need to send them again in the same transaction.
  704. * For efficiency, the extraCerts are prepended so they get used first.
  705. */
  706. if (!X509_add_certs(ctx->untrusted, msg->extraCerts,
  707. /* this allows self-signed certs */
  708. X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP
  709. | X509_ADD_FLAG_PREPEND))
  710. return -1;
  711. if (ossl_cmp_hdr_get_protection_nid(hdr) == NID_id_PasswordBasedMAC) {
  712. /*
  713. * RFC 4210, 5.3.2: 'Note that if the PKI Message Protection is
  714. * "shared secret information", then any certificate transported in
  715. * the caPubs field may be directly trusted as a root CA
  716. * certificate by the initiator.'
  717. */
  718. switch (OSSL_CMP_MSG_get_bodytype(msg)) {
  719. case OSSL_CMP_PKIBODY_IP:
  720. case OSSL_CMP_PKIBODY_CP:
  721. case OSSL_CMP_PKIBODY_KUP:
  722. case OSSL_CMP_PKIBODY_CCP:
  723. if (ctx->trusted != NULL) {
  724. STACK_OF(X509) *certs = msg->body->value.ip->caPubs;
  725. /* value.ip is same for cp, kup, and ccp */
  726. if (!ossl_cmp_X509_STORE_add1_certs(ctx->trusted, certs, 0))
  727. /* adds both self-issued and not self-issued certs */
  728. return 0;
  729. }
  730. break;
  731. default:
  732. break;
  733. }
  734. }
  735. return 1;
  736. }
  737. int ossl_cmp_verify_popo(const OSSL_CMP_CTX *ctx,
  738. const OSSL_CMP_MSG *msg, int acceptRAVerified)
  739. {
  740. if (!ossl_assert(msg != NULL && msg->body != NULL))
  741. return 0;
  742. switch (msg->body->type) {
  743. case OSSL_CMP_PKIBODY_P10CR:
  744. {
  745. X509_REQ *req = msg->body->value.p10cr;
  746. if (X509_REQ_verify_ex(req, X509_REQ_get0_pubkey(req), ctx->libctx,
  747. ctx->propq) <= 0) {
  748. #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
  749. ERR_raise(ERR_LIB_CMP, CMP_R_REQUEST_NOT_ACCEPTED);
  750. return 0;
  751. #endif
  752. }
  753. }
  754. break;
  755. case OSSL_CMP_PKIBODY_IR:
  756. case OSSL_CMP_PKIBODY_CR:
  757. case OSSL_CMP_PKIBODY_KUR:
  758. if (!OSSL_CRMF_MSGS_verify_popo(msg->body->value.ir, OSSL_CMP_CERTREQID,
  759. acceptRAVerified,
  760. ctx->libctx, ctx->propq)) {
  761. #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
  762. return 0;
  763. #endif
  764. }
  765. break;
  766. default:
  767. ERR_raise(ERR_LIB_CMP, CMP_R_PKIBODY_ERROR);
  768. return 0;
  769. }
  770. return 1;
  771. }