ct_locl.h 7.7 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216
  1. /*
  2. * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <stddef.h>
  10. #include <openssl/ct.h>
  11. #include <openssl/evp.h>
  12. #include <openssl/x509.h>
  13. #include <openssl/x509v3.h>
  14. #include <openssl/safestack.h>
  15. /*
  16. * From RFC6962: opaque SerializedSCT<1..2^16-1>; struct { SerializedSCT
  17. * sct_list <1..2^16-1>; } SignedCertificateTimestampList;
  18. */
  19. # define MAX_SCT_SIZE 65535
  20. # define MAX_SCT_LIST_SIZE MAX_SCT_SIZE
  21. /*
  22. * Macros to read and write integers in network-byte order.
  23. */
  24. #define n2s(c,s) ((s=(((unsigned int)((c)[0]))<< 8)| \
  25. (((unsigned int)((c)[1])) )),c+=2)
  26. #define s2n(s,c) ((c[0]=(unsigned char)(((s)>> 8)&0xff), \
  27. c[1]=(unsigned char)(((s) )&0xff)),c+=2)
  28. #define l2n3(l,c) ((c[0]=(unsigned char)(((l)>>16)&0xff), \
  29. c[1]=(unsigned char)(((l)>> 8)&0xff), \
  30. c[2]=(unsigned char)(((l) )&0xff)),c+=3)
  31. #define n2l8(c,l) (l =((uint64_t)(*((c)++)))<<56, \
  32. l|=((uint64_t)(*((c)++)))<<48, \
  33. l|=((uint64_t)(*((c)++)))<<40, \
  34. l|=((uint64_t)(*((c)++)))<<32, \
  35. l|=((uint64_t)(*((c)++)))<<24, \
  36. l|=((uint64_t)(*((c)++)))<<16, \
  37. l|=((uint64_t)(*((c)++)))<< 8, \
  38. l|=((uint64_t)(*((c)++))))
  39. #define l2n8(l,c) (*((c)++)=(unsigned char)(((l)>>56)&0xff), \
  40. *((c)++)=(unsigned char)(((l)>>48)&0xff), \
  41. *((c)++)=(unsigned char)(((l)>>40)&0xff), \
  42. *((c)++)=(unsigned char)(((l)>>32)&0xff), \
  43. *((c)++)=(unsigned char)(((l)>>24)&0xff), \
  44. *((c)++)=(unsigned char)(((l)>>16)&0xff), \
  45. *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
  46. *((c)++)=(unsigned char)(((l) )&0xff))
  47. /* Signed Certificate Timestamp */
  48. struct sct_st {
  49. sct_version_t version;
  50. /* If version is not SCT_VERSION_V1, this contains the encoded SCT */
  51. unsigned char *sct;
  52. size_t sct_len;
  53. /* If version is SCT_VERSION_V1, fields below contain components of the SCT */
  54. unsigned char *log_id;
  55. size_t log_id_len;
  56. /*
  57. * Note, we cannot distinguish between an unset timestamp, and one
  58. * that is set to 0. However since CT didn't exist in 1970, no real
  59. * SCT should ever be set as such.
  60. */
  61. uint64_t timestamp;
  62. unsigned char *ext;
  63. size_t ext_len;
  64. unsigned char hash_alg;
  65. unsigned char sig_alg;
  66. unsigned char *sig;
  67. size_t sig_len;
  68. /* Log entry type */
  69. ct_log_entry_type_t entry_type;
  70. /* Where this SCT was found, e.g. certificate, OCSP response, etc. */
  71. sct_source_t source;
  72. /* The result of the last attempt to validate this SCT. */
  73. sct_validation_status_t validation_status;
  74. };
  75. /* Miscellaneous data that is useful when verifying an SCT */
  76. struct sct_ctx_st {
  77. /* Public key */
  78. EVP_PKEY *pkey;
  79. /* Hash of public key */
  80. unsigned char *pkeyhash;
  81. size_t pkeyhashlen;
  82. /* For pre-certificate: issuer public key hash */
  83. unsigned char *ihash;
  84. size_t ihashlen;
  85. /* certificate encoding */
  86. unsigned char *certder;
  87. size_t certderlen;
  88. /* pre-certificate encoding */
  89. unsigned char *preder;
  90. size_t prederlen;
  91. /* milliseconds since epoch (to check that the SCT isn't from the future) */
  92. uint64_t epoch_time_in_ms;
  93. };
  94. /* Context when evaluating whether a Certificate Transparency policy is met */
  95. struct ct_policy_eval_ctx_st {
  96. X509 *cert;
  97. X509 *issuer;
  98. CTLOG_STORE *log_store;
  99. /* milliseconds since epoch (to check that SCTs aren't from the future) */
  100. uint64_t epoch_time_in_ms;
  101. };
  102. /*
  103. * Creates a new context for verifying an SCT.
  104. */
  105. SCT_CTX *SCT_CTX_new(void);
  106. /*
  107. * Deletes an SCT verification context.
  108. */
  109. void SCT_CTX_free(SCT_CTX *sctx);
  110. /*
  111. * Sets the certificate that the SCT was created for.
  112. * If *cert does not have a poison extension, presigner must be NULL.
  113. * If *cert does not have a poison extension, it may have a single SCT
  114. * (NID_ct_precert_scts) extension.
  115. * If either *cert or *presigner have an AKID (NID_authority_key_identifier)
  116. * extension, both must have one.
  117. * Returns 1 on success, 0 on failure.
  118. */
  119. __owur int SCT_CTX_set1_cert(SCT_CTX *sctx, X509 *cert, X509 *presigner);
  120. /*
  121. * Sets the issuer of the certificate that the SCT was created for.
  122. * This is just a convenience method to save extracting the public key and
  123. * calling SCT_CTX_set1_issuer_pubkey().
  124. * Issuer must not be NULL.
  125. * Returns 1 on success, 0 on failure.
  126. */
  127. __owur int SCT_CTX_set1_issuer(SCT_CTX *sctx, const X509 *issuer);
  128. /*
  129. * Sets the public key of the issuer of the certificate that the SCT was created
  130. * for.
  131. * The public key must not be NULL.
  132. * Returns 1 on success, 0 on failure.
  133. */
  134. __owur int SCT_CTX_set1_issuer_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey);
  135. /*
  136. * Sets the public key of the CT log that the SCT is from.
  137. * Returns 1 on success, 0 on failure.
  138. */
  139. __owur int SCT_CTX_set1_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey);
  140. /*
  141. * Sets the time to evaluate the SCT against, in milliseconds since the Unix
  142. * epoch. If the SCT's timestamp is after this time, it will be interpreted as
  143. * having been issued in the future. RFC6962 states that "TLS clients MUST
  144. * reject SCTs whose timestamp is in the future", so an SCT will not validate
  145. * in this case.
  146. */
  147. void SCT_CTX_set_time(SCT_CTX *sctx, uint64_t time_in_ms);
  148. /*
  149. * Verifies an SCT with the given context.
  150. * Returns 1 if the SCT verifies successfully; any other value indicates
  151. * failure. See EVP_DigestVerifyFinal() for the meaning of those values.
  152. */
  153. __owur int SCT_CTX_verify(const SCT_CTX *sctx, const SCT *sct);
  154. /*
  155. * Does this SCT have the minimum fields populated to be usable?
  156. * Returns 1 if so, 0 otherwise.
  157. */
  158. __owur int SCT_is_complete(const SCT *sct);
  159. /*
  160. * Does this SCT have the signature-related fields populated?
  161. * Returns 1 if so, 0 otherwise.
  162. * This checks that the signature and hash algorithms are set to supported
  163. * values and that the signature field is set.
  164. */
  165. __owur int SCT_signature_is_complete(const SCT *sct);
  166. /*
  167. * TODO(RJPercival): Create an SCT_signature struct and make i2o_SCT_signature
  168. * and o2i_SCT_signature conform to the i2d/d2i conventions.
  169. */
  170. /*
  171. * Serialize (to TLS format) an |sct| signature and write it to |out|.
  172. * If |out| is null, no signature will be output but the length will be returned.
  173. * If |out| points to a null pointer, a string will be allocated to hold the
  174. * TLS-format signature. It is the responsibility of the caller to free it.
  175. * If |out| points to an allocated string, the signature will be written to it.
  176. * The length of the signature in TLS format will be returned.
  177. */
  178. __owur int i2o_SCT_signature(const SCT *sct, unsigned char **out);
  179. /*
  180. * Parses an SCT signature in TLS format and populates the |sct| with it.
  181. * |in| should be a pointer to a string containing the TLS-format signature.
  182. * |in| will be advanced to the end of the signature if parsing succeeds.
  183. * |len| should be the length of the signature in |in|.
  184. * Returns the number of bytes parsed, or a negative integer if an error occurs.
  185. * If an error occurs, the SCT's signature NID may be updated whilst the
  186. * signature field itself remains unset.
  187. */
  188. __owur int o2i_SCT_signature(SCT *sct, const unsigned char **in, size_t len);
  189. /*
  190. * Handlers for Certificate Transparency X509v3/OCSP extensions
  191. */
  192. extern const X509V3_EXT_METHOD v3_ct_scts[3];