1238384Sjkim/* crypto/ts/ts_resp_verify.c */ 2238384Sjkim/* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL 3238384Sjkim * project 2002. 4238384Sjkim */ 5238384Sjkim/* ==================================================================== 6238384Sjkim * Copyright (c) 2006 The OpenSSL Project. All rights reserved. 7238384Sjkim * 8238384Sjkim * Redistribution and use in source and binary forms, with or without 9238384Sjkim * modification, are permitted provided that the following conditions 10238384Sjkim * are met: 11238384Sjkim * 12238384Sjkim * 1. Redistributions of source code must retain the above copyright 13238384Sjkim * notice, this list of conditions and the following disclaimer. 14238384Sjkim * 15238384Sjkim * 2. Redistributions in binary form must reproduce the above copyright 16238384Sjkim * notice, this list of conditions and the following disclaimer in 17238384Sjkim * the documentation and/or other materials provided with the 18238384Sjkim * distribution. 19238384Sjkim * 20238384Sjkim * 3. All advertising materials mentioning features or use of this 21238384Sjkim * software must display the following acknowledgment: 22238384Sjkim * "This product includes software developed by the OpenSSL Project 23238384Sjkim * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 24238384Sjkim * 25238384Sjkim * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 26238384Sjkim * endorse or promote products derived from this software without 27238384Sjkim * prior written permission. For written permission, please contact 28238384Sjkim * licensing@OpenSSL.org. 29238384Sjkim * 30238384Sjkim * 5. Products derived from this software may not be called "OpenSSL" 31238384Sjkim * nor may "OpenSSL" appear in their names without prior written 32238384Sjkim * permission of the OpenSSL Project. 33238384Sjkim * 34238384Sjkim * 6. Redistributions of any form whatsoever must retain the following 35238384Sjkim * acknowledgment: 36238384Sjkim * "This product includes software developed by the OpenSSL Project 37238384Sjkim * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 38238384Sjkim * 39238384Sjkim * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 40238384Sjkim * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 41238384Sjkim * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 42238384Sjkim * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 43238384Sjkim * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 44238384Sjkim * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 45238384Sjkim * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 46238384Sjkim * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47238384Sjkim * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 48238384Sjkim * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 49238384Sjkim * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 50238384Sjkim * OF THE POSSIBILITY OF SUCH DAMAGE. 51238384Sjkim * ==================================================================== 52238384Sjkim * 53238384Sjkim * This product includes cryptographic software written by Eric Young 54238384Sjkim * (eay@cryptsoft.com). This product includes software written by Tim 55238384Sjkim * Hudson (tjh@cryptsoft.com). 56238384Sjkim * 57238384Sjkim */ 58238384Sjkim 59238384Sjkim#include <stdio.h> 60238384Sjkim#include "cryptlib.h" 61238384Sjkim#include <openssl/objects.h> 62238384Sjkim#include <openssl/ts.h> 63238384Sjkim#include <openssl/pkcs7.h> 64238384Sjkim 65238384Sjkim/* Private function declarations. */ 66238384Sjkim 67238384Sjkimstatic int TS_verify_cert(X509_STORE *store, STACK_OF(X509) *untrusted, 68238384Sjkim X509 *signer, STACK_OF(X509) **chain); 69238384Sjkimstatic int TS_check_signing_certs(PKCS7_SIGNER_INFO *si, STACK_OF(X509) *chain); 70238384Sjkimstatic ESS_SIGNING_CERT *ESS_get_signing_cert(PKCS7_SIGNER_INFO *si); 71238384Sjkimstatic int TS_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert); 72238384Sjkimstatic int TS_issuer_serial_cmp(ESS_ISSUER_SERIAL *is, X509_CINF *cinfo); 73238384Sjkimstatic int int_TS_RESP_verify_token(TS_VERIFY_CTX *ctx, 74238384Sjkim PKCS7 *token, TS_TST_INFO *tst_info); 75238384Sjkimstatic int TS_check_status_info(TS_RESP *response); 76238384Sjkimstatic char *TS_get_status_text(STACK_OF(ASN1_UTF8STRING) *text); 77238384Sjkimstatic int TS_check_policy(ASN1_OBJECT *req_oid, TS_TST_INFO *tst_info); 78238384Sjkimstatic int TS_compute_imprint(BIO *data, TS_TST_INFO *tst_info, 79238384Sjkim X509_ALGOR **md_alg, 80238384Sjkim unsigned char **imprint, unsigned *imprint_len); 81238384Sjkimstatic int TS_check_imprints(X509_ALGOR *algor_a, 82238384Sjkim unsigned char *imprint_a, unsigned len_a, 83238384Sjkim TS_TST_INFO *tst_info); 84238384Sjkimstatic int TS_check_nonces(const ASN1_INTEGER *a, TS_TST_INFO *tst_info); 85238384Sjkimstatic int TS_check_signer_name(GENERAL_NAME *tsa_name, X509 *signer); 86238384Sjkimstatic int TS_find_name(STACK_OF(GENERAL_NAME) *gen_names, GENERAL_NAME *name); 87238384Sjkim 88238384Sjkim/* 89238384Sjkim * Local mapping between response codes and descriptions. 90238384Sjkim * Don't forget to change TS_STATUS_BUF_SIZE when modifying 91238384Sjkim * the elements of this array. 92238384Sjkim */ 93238384Sjkimstatic const char *TS_status_text[] = 94238384Sjkim { "granted", 95238384Sjkim "grantedWithMods", 96238384Sjkim "rejection", 97238384Sjkim "waiting", 98238384Sjkim "revocationWarning", 99238384Sjkim "revocationNotification" }; 100238384Sjkim 101238384Sjkim#define TS_STATUS_TEXT_SIZE (sizeof(TS_status_text)/sizeof(*TS_status_text)) 102238384Sjkim 103238384Sjkim/* 104238384Sjkim * This must be greater or equal to the sum of the strings in TS_status_text 105238384Sjkim * plus the number of its elements. 106238384Sjkim */ 107238384Sjkim#define TS_STATUS_BUF_SIZE 256 108238384Sjkim 109238384Sjkimstatic struct 110238384Sjkim { 111238384Sjkim int code; 112238384Sjkim const char *text; 113238384Sjkim } TS_failure_info[] = 114238384Sjkim { { TS_INFO_BAD_ALG, "badAlg" }, 115238384Sjkim { TS_INFO_BAD_REQUEST, "badRequest" }, 116238384Sjkim { TS_INFO_BAD_DATA_FORMAT, "badDataFormat" }, 117238384Sjkim { TS_INFO_TIME_NOT_AVAILABLE, "timeNotAvailable" }, 118238384Sjkim { TS_INFO_UNACCEPTED_POLICY, "unacceptedPolicy" }, 119238384Sjkim { TS_INFO_UNACCEPTED_EXTENSION, "unacceptedExtension" }, 120238384Sjkim { TS_INFO_ADD_INFO_NOT_AVAILABLE, "addInfoNotAvailable" }, 121238384Sjkim { TS_INFO_SYSTEM_FAILURE, "systemFailure" } }; 122238384Sjkim 123238384Sjkim#define TS_FAILURE_INFO_SIZE (sizeof(TS_failure_info) / \ 124238384Sjkim sizeof(*TS_failure_info)) 125238384Sjkim 126238384Sjkim/* Functions for verifying a signed TS_TST_INFO structure. */ 127238384Sjkim 128238384Sjkim/* 129238384Sjkim * This function carries out the following tasks: 130238384Sjkim * - Checks if there is one and only one signer. 131238384Sjkim * - Search for the signing certificate in 'certs' and in the response. 132238384Sjkim * - Check the extended key usage and key usage fields of the signer 133238384Sjkim * certificate (done by the path validation). 134238384Sjkim * - Build and validate the certificate path. 135238384Sjkim * - Check if the certificate path meets the requirements of the 136238384Sjkim * SigningCertificate ESS signed attribute. 137238384Sjkim * - Verify the signature value. 138238384Sjkim * - Returns the signer certificate in 'signer', if 'signer' is not NULL. 139238384Sjkim */ 140238384Sjkimint TS_RESP_verify_signature(PKCS7 *token, STACK_OF(X509) *certs, 141238384Sjkim X509_STORE *store, X509 **signer_out) 142238384Sjkim { 143238384Sjkim STACK_OF(PKCS7_SIGNER_INFO) *sinfos = NULL; 144238384Sjkim PKCS7_SIGNER_INFO *si; 145238384Sjkim STACK_OF(X509) *signers = NULL; 146238384Sjkim X509 *signer; 147238384Sjkim STACK_OF(X509) *chain = NULL; 148238384Sjkim char buf[4096]; 149238384Sjkim int i, j = 0, ret = 0; 150238384Sjkim BIO *p7bio = NULL; 151238384Sjkim 152238384Sjkim /* Some sanity checks first. */ 153238384Sjkim if (!token) 154238384Sjkim { 155238384Sjkim TSerr(TS_F_TS_RESP_VERIFY_SIGNATURE, TS_R_INVALID_NULL_POINTER); 156238384Sjkim goto err; 157238384Sjkim } 158238384Sjkim 159238384Sjkim /* Check for the correct content type */ 160238384Sjkim if(!PKCS7_type_is_signed(token)) 161238384Sjkim { 162238384Sjkim TSerr(TS_F_TS_RESP_VERIFY_SIGNATURE, TS_R_WRONG_CONTENT_TYPE); 163238384Sjkim goto err; 164238384Sjkim } 165238384Sjkim 166238384Sjkim /* Check if there is one and only one signer. */ 167238384Sjkim sinfos = PKCS7_get_signer_info(token); 168238384Sjkim if (!sinfos || sk_PKCS7_SIGNER_INFO_num(sinfos) != 1) 169238384Sjkim { 170238384Sjkim TSerr(TS_F_TS_RESP_VERIFY_SIGNATURE, 171238384Sjkim TS_R_THERE_MUST_BE_ONE_SIGNER); 172238384Sjkim goto err; 173238384Sjkim } 174238384Sjkim si = sk_PKCS7_SIGNER_INFO_value(sinfos, 0); 175238384Sjkim 176238384Sjkim /* Check for no content: no data to verify signature. */ 177238384Sjkim if (PKCS7_get_detached(token)) 178238384Sjkim { 179238384Sjkim TSerr(TS_F_TS_RESP_VERIFY_SIGNATURE, TS_R_NO_CONTENT); 180238384Sjkim goto err; 181238384Sjkim } 182238384Sjkim 183238384Sjkim /* Get hold of the signer certificate, search only internal 184238384Sjkim certificates if it was requested. */ 185238384Sjkim signers = PKCS7_get0_signers(token, certs, 0); 186238384Sjkim if (!signers || sk_X509_num(signers) != 1) goto err; 187238384Sjkim signer = sk_X509_value(signers, 0); 188238384Sjkim 189238384Sjkim /* Now verify the certificate. */ 190238384Sjkim if (!TS_verify_cert(store, certs, signer, &chain)) goto err; 191238384Sjkim 192238384Sjkim /* Check if the signer certificate is consistent with the 193238384Sjkim ESS extension. */ 194238384Sjkim if (!TS_check_signing_certs(si, chain)) goto err; 195238384Sjkim 196238384Sjkim /* Creating the message digest. */ 197238384Sjkim p7bio = PKCS7_dataInit(token, NULL); 198238384Sjkim 199238384Sjkim /* We now have to 'read' from p7bio to calculate digests etc. */ 200238384Sjkim while ((i = BIO_read(p7bio,buf,sizeof(buf))) > 0); 201238384Sjkim 202238384Sjkim /* Verifying the signature. */ 203238384Sjkim j = PKCS7_signatureVerify(p7bio, token, si, signer); 204238384Sjkim if (j <= 0) 205238384Sjkim { 206238384Sjkim TSerr(TS_F_TS_RESP_VERIFY_SIGNATURE, TS_R_SIGNATURE_FAILURE); 207238384Sjkim goto err; 208238384Sjkim } 209238384Sjkim 210238384Sjkim /* Return the signer certificate if needed. */ 211238384Sjkim if (signer_out) 212238384Sjkim { 213238384Sjkim *signer_out = signer; 214238384Sjkim CRYPTO_add(&signer->references, 1, CRYPTO_LOCK_X509); 215238384Sjkim } 216238384Sjkim 217238384Sjkim ret = 1; 218238384Sjkim 219238384Sjkim err: 220238384Sjkim BIO_free_all(p7bio); 221238384Sjkim sk_X509_pop_free(chain, X509_free); 222238384Sjkim sk_X509_free(signers); 223238384Sjkim 224238384Sjkim return ret; 225238384Sjkim } 226238384Sjkim 227238384Sjkim/* 228238384Sjkim * The certificate chain is returned in chain. Caller is responsible for 229238384Sjkim * freeing the vector. 230238384Sjkim */ 231238384Sjkimstatic int TS_verify_cert(X509_STORE *store, STACK_OF(X509) *untrusted, 232238384Sjkim X509 *signer, STACK_OF(X509) **chain) 233238384Sjkim { 234238384Sjkim X509_STORE_CTX cert_ctx; 235238384Sjkim int i; 236238384Sjkim int ret = 1; 237238384Sjkim 238238384Sjkim /* chain is an out argument. */ 239238384Sjkim *chain = NULL; 240238384Sjkim X509_STORE_CTX_init(&cert_ctx, store, signer, untrusted); 241238384Sjkim X509_STORE_CTX_set_purpose(&cert_ctx, X509_PURPOSE_TIMESTAMP_SIGN); 242238384Sjkim i = X509_verify_cert(&cert_ctx); 243238384Sjkim if (i <= 0) 244238384Sjkim { 245238384Sjkim int j = X509_STORE_CTX_get_error(&cert_ctx); 246238384Sjkim TSerr(TS_F_TS_VERIFY_CERT, TS_R_CERTIFICATE_VERIFY_ERROR); 247238384Sjkim ERR_add_error_data(2, "Verify error:", 248238384Sjkim X509_verify_cert_error_string(j)); 249238384Sjkim ret = 0; 250238384Sjkim } 251238384Sjkim else 252238384Sjkim { 253238384Sjkim /* Get a copy of the certificate chain. */ 254238384Sjkim *chain = X509_STORE_CTX_get1_chain(&cert_ctx); 255238384Sjkim } 256238384Sjkim 257238384Sjkim X509_STORE_CTX_cleanup(&cert_ctx); 258238384Sjkim 259238384Sjkim return ret; 260238384Sjkim } 261238384Sjkim 262238384Sjkimstatic int TS_check_signing_certs(PKCS7_SIGNER_INFO *si, STACK_OF(X509) *chain) 263238384Sjkim { 264238384Sjkim ESS_SIGNING_CERT *ss = ESS_get_signing_cert(si); 265238384Sjkim STACK_OF(ESS_CERT_ID) *cert_ids = NULL; 266238384Sjkim X509 *cert; 267238384Sjkim int i = 0; 268238384Sjkim int ret = 0; 269238384Sjkim 270238384Sjkim if (!ss) goto err; 271238384Sjkim cert_ids = ss->cert_ids; 272238384Sjkim /* The signer certificate must be the first in cert_ids. */ 273238384Sjkim cert = sk_X509_value(chain, 0); 274238384Sjkim if (TS_find_cert(cert_ids, cert) != 0) goto err; 275238384Sjkim 276238384Sjkim /* Check the other certificates of the chain if there are more 277238384Sjkim than one certificate ids in cert_ids. */ 278238384Sjkim if (sk_ESS_CERT_ID_num(cert_ids) > 1) 279238384Sjkim { 280238384Sjkim /* All the certificates of the chain must be in cert_ids. */ 281238384Sjkim for (i = 1; i < sk_X509_num(chain); ++i) 282238384Sjkim { 283238384Sjkim cert = sk_X509_value(chain, i); 284238384Sjkim if (TS_find_cert(cert_ids, cert) < 0) goto err; 285238384Sjkim } 286238384Sjkim } 287238384Sjkim ret = 1; 288238384Sjkim err: 289238384Sjkim if (!ret) 290238384Sjkim TSerr(TS_F_TS_CHECK_SIGNING_CERTS, 291238384Sjkim TS_R_ESS_SIGNING_CERTIFICATE_ERROR); 292238384Sjkim ESS_SIGNING_CERT_free(ss); 293238384Sjkim return ret; 294238384Sjkim } 295238384Sjkim 296238384Sjkimstatic ESS_SIGNING_CERT *ESS_get_signing_cert(PKCS7_SIGNER_INFO *si) 297238384Sjkim { 298238384Sjkim ASN1_TYPE *attr; 299238384Sjkim const unsigned char *p; 300238384Sjkim attr = PKCS7_get_signed_attribute(si, 301238384Sjkim NID_id_smime_aa_signingCertificate); 302238384Sjkim if (!attr) return NULL; 303238384Sjkim p = attr->value.sequence->data; 304238384Sjkim return d2i_ESS_SIGNING_CERT(NULL, &p, attr->value.sequence->length); 305238384Sjkim } 306238384Sjkim 307238384Sjkim/* Returns < 0 if certificate is not found, certificate index otherwise. */ 308238384Sjkimstatic int TS_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert) 309238384Sjkim { 310238384Sjkim int i; 311238384Sjkim 312238384Sjkim if (!cert_ids || !cert) return -1; 313238384Sjkim 314238384Sjkim /* Recompute SHA1 hash of certificate if necessary (side effect). */ 315238384Sjkim X509_check_purpose(cert, -1, 0); 316238384Sjkim 317238384Sjkim /* Look for cert in the cert_ids vector. */ 318238384Sjkim for (i = 0; i < sk_ESS_CERT_ID_num(cert_ids); ++i) 319238384Sjkim { 320238384Sjkim ESS_CERT_ID *cid = sk_ESS_CERT_ID_value(cert_ids, i); 321238384Sjkim 322238384Sjkim /* Check the SHA-1 hash first. */ 323238384Sjkim if (cid->hash->length == sizeof(cert->sha1_hash) 324238384Sjkim && !memcmp(cid->hash->data, cert->sha1_hash, 325238384Sjkim sizeof(cert->sha1_hash))) 326238384Sjkim { 327238384Sjkim /* Check the issuer/serial as well if specified. */ 328238384Sjkim ESS_ISSUER_SERIAL *is = cid->issuer_serial; 329238384Sjkim if (!is || !TS_issuer_serial_cmp(is, cert->cert_info)) 330238384Sjkim return i; 331238384Sjkim } 332238384Sjkim } 333238384Sjkim 334238384Sjkim return -1; 335238384Sjkim } 336238384Sjkim 337238384Sjkimstatic int TS_issuer_serial_cmp(ESS_ISSUER_SERIAL *is, X509_CINF *cinfo) 338238384Sjkim { 339238384Sjkim GENERAL_NAME *issuer; 340238384Sjkim 341238384Sjkim if (!is || !cinfo || sk_GENERAL_NAME_num(is->issuer) != 1) return -1; 342238384Sjkim 343238384Sjkim /* Check the issuer first. It must be a directory name. */ 344238384Sjkim issuer = sk_GENERAL_NAME_value(is->issuer, 0); 345238384Sjkim if (issuer->type != GEN_DIRNAME 346238384Sjkim || X509_NAME_cmp(issuer->d.dirn, cinfo->issuer)) 347238384Sjkim return -1; 348238384Sjkim 349238384Sjkim /* Check the serial number, too. */ 350238384Sjkim if (ASN1_INTEGER_cmp(is->serial, cinfo->serialNumber)) 351238384Sjkim return -1; 352238384Sjkim 353238384Sjkim return 0; 354238384Sjkim } 355238384Sjkim 356238384Sjkim/* 357238384Sjkim * Verifies whether 'response' contains a valid response with regards 358238384Sjkim * to the settings of the context: 359238384Sjkim * - Gives an error message if the TS_TST_INFO is not present. 360238384Sjkim * - Calls _TS_RESP_verify_token to verify the token content. 361238384Sjkim */ 362238384Sjkimint TS_RESP_verify_response(TS_VERIFY_CTX *ctx, TS_RESP *response) 363238384Sjkim { 364238384Sjkim PKCS7 *token = TS_RESP_get_token(response); 365238384Sjkim TS_TST_INFO *tst_info = TS_RESP_get_tst_info(response); 366238384Sjkim int ret = 0; 367238384Sjkim 368238384Sjkim /* Check if we have a successful TS_TST_INFO object in place. */ 369238384Sjkim if (!TS_check_status_info(response)) goto err; 370238384Sjkim 371238384Sjkim /* Check the contents of the time stamp token. */ 372238384Sjkim if (!int_TS_RESP_verify_token(ctx, token, tst_info)) 373238384Sjkim goto err; 374238384Sjkim 375238384Sjkim ret = 1; 376238384Sjkim err: 377238384Sjkim return ret; 378238384Sjkim } 379238384Sjkim 380238384Sjkim/* 381238384Sjkim * Tries to extract a TS_TST_INFO structure from the PKCS7 token and 382238384Sjkim * calls the internal int_TS_RESP_verify_token function for verifying it. 383238384Sjkim */ 384238384Sjkimint TS_RESP_verify_token(TS_VERIFY_CTX *ctx, PKCS7 *token) 385238384Sjkim { 386238384Sjkim TS_TST_INFO *tst_info = PKCS7_to_TS_TST_INFO(token); 387238384Sjkim int ret = 0; 388238384Sjkim if (tst_info) 389238384Sjkim { 390238384Sjkim ret = int_TS_RESP_verify_token(ctx, token, tst_info); 391238384Sjkim TS_TST_INFO_free(tst_info); 392238384Sjkim } 393238384Sjkim return ret; 394238384Sjkim } 395238384Sjkim 396238384Sjkim/* 397238384Sjkim * Verifies whether the 'token' contains a valid time stamp token 398238384Sjkim * with regards to the settings of the context. Only those checks are 399238384Sjkim * carried out that are specified in the context: 400238384Sjkim * - Verifies the signature of the TS_TST_INFO. 401238384Sjkim * - Checks the version number of the response. 402238384Sjkim * - Check if the requested and returned policies math. 403238384Sjkim * - Check if the message imprints are the same. 404238384Sjkim * - Check if the nonces are the same. 405238384Sjkim * - Check if the TSA name matches the signer. 406238384Sjkim * - Check if the TSA name is the expected TSA. 407238384Sjkim */ 408238384Sjkimstatic int int_TS_RESP_verify_token(TS_VERIFY_CTX *ctx, 409238384Sjkim PKCS7 *token, TS_TST_INFO *tst_info) 410238384Sjkim { 411238384Sjkim X509 *signer = NULL; 412238384Sjkim GENERAL_NAME *tsa_name = TS_TST_INFO_get_tsa(tst_info); 413238384Sjkim X509_ALGOR *md_alg = NULL; 414238384Sjkim unsigned char *imprint = NULL; 415238384Sjkim unsigned imprint_len = 0; 416238384Sjkim int ret = 0; 417238384Sjkim 418238384Sjkim /* Verify the signature. */ 419238384Sjkim if ((ctx->flags & TS_VFY_SIGNATURE) 420238384Sjkim && !TS_RESP_verify_signature(token, ctx->certs, ctx->store, 421238384Sjkim &signer)) 422238384Sjkim goto err; 423238384Sjkim 424238384Sjkim /* Check version number of response. */ 425238384Sjkim if ((ctx->flags & TS_VFY_VERSION) 426238384Sjkim && TS_TST_INFO_get_version(tst_info) != 1) 427238384Sjkim { 428238384Sjkim TSerr(TS_F_INT_TS_RESP_VERIFY_TOKEN, TS_R_UNSUPPORTED_VERSION); 429238384Sjkim goto err; 430238384Sjkim } 431238384Sjkim 432238384Sjkim /* Check policies. */ 433238384Sjkim if ((ctx->flags & TS_VFY_POLICY) 434238384Sjkim && !TS_check_policy(ctx->policy, tst_info)) 435238384Sjkim goto err; 436238384Sjkim 437238384Sjkim /* Check message imprints. */ 438238384Sjkim if ((ctx->flags & TS_VFY_IMPRINT) 439238384Sjkim && !TS_check_imprints(ctx->md_alg, ctx->imprint, ctx->imprint_len, 440238384Sjkim tst_info)) 441238384Sjkim goto err; 442238384Sjkim 443238384Sjkim /* Compute and check message imprints. */ 444238384Sjkim if ((ctx->flags & TS_VFY_DATA) 445238384Sjkim && (!TS_compute_imprint(ctx->data, tst_info, 446238384Sjkim &md_alg, &imprint, &imprint_len) 447238384Sjkim || !TS_check_imprints(md_alg, imprint, imprint_len, tst_info))) 448238384Sjkim goto err; 449238384Sjkim 450238384Sjkim /* Check nonces. */ 451238384Sjkim if ((ctx->flags & TS_VFY_NONCE) 452238384Sjkim && !TS_check_nonces(ctx->nonce, tst_info)) 453238384Sjkim goto err; 454238384Sjkim 455238384Sjkim /* Check whether TSA name and signer certificate match. */ 456238384Sjkim if ((ctx->flags & TS_VFY_SIGNER) 457238384Sjkim && tsa_name && !TS_check_signer_name(tsa_name, signer)) 458238384Sjkim { 459238384Sjkim TSerr(TS_F_INT_TS_RESP_VERIFY_TOKEN, TS_R_TSA_NAME_MISMATCH); 460238384Sjkim goto err; 461238384Sjkim } 462238384Sjkim 463238384Sjkim /* Check whether the TSA is the expected one. */ 464238384Sjkim if ((ctx->flags & TS_VFY_TSA_NAME) 465238384Sjkim && !TS_check_signer_name(ctx->tsa_name, signer)) 466238384Sjkim { 467238384Sjkim TSerr(TS_F_INT_TS_RESP_VERIFY_TOKEN, TS_R_TSA_UNTRUSTED); 468238384Sjkim goto err; 469238384Sjkim } 470238384Sjkim 471238384Sjkim ret = 1; 472238384Sjkim err: 473238384Sjkim X509_free(signer); 474238384Sjkim X509_ALGOR_free(md_alg); 475238384Sjkim OPENSSL_free(imprint); 476238384Sjkim return ret; 477238384Sjkim } 478238384Sjkim 479238384Sjkimstatic int TS_check_status_info(TS_RESP *response) 480238384Sjkim { 481238384Sjkim TS_STATUS_INFO *info = TS_RESP_get_status_info(response); 482238384Sjkim long status = ASN1_INTEGER_get(info->status); 483238384Sjkim const char *status_text = NULL; 484238384Sjkim char *embedded_status_text = NULL; 485238384Sjkim char failure_text[TS_STATUS_BUF_SIZE] = ""; 486238384Sjkim 487238384Sjkim /* Check if everything went fine. */ 488238384Sjkim if (status == 0 || status == 1) return 1; 489238384Sjkim 490238384Sjkim /* There was an error, get the description in status_text. */ 491238384Sjkim if (0 <= status && status < (long)TS_STATUS_TEXT_SIZE) 492238384Sjkim status_text = TS_status_text[status]; 493238384Sjkim else 494238384Sjkim status_text = "unknown code"; 495238384Sjkim 496238384Sjkim /* Set the embedded_status_text to the returned description. */ 497238384Sjkim if (sk_ASN1_UTF8STRING_num(info->text) > 0 498238384Sjkim && !(embedded_status_text = TS_get_status_text(info->text))) 499238384Sjkim return 0; 500238384Sjkim 501238384Sjkim /* Filling in failure_text with the failure information. */ 502238384Sjkim if (info->failure_info) 503238384Sjkim { 504238384Sjkim int i; 505238384Sjkim int first = 1; 506238384Sjkim for (i = 0; i < (int)TS_FAILURE_INFO_SIZE; ++i) 507238384Sjkim { 508238384Sjkim if (ASN1_BIT_STRING_get_bit(info->failure_info, 509238384Sjkim TS_failure_info[i].code)) 510238384Sjkim { 511238384Sjkim if (!first) 512238384Sjkim strcpy(failure_text, ","); 513238384Sjkim else 514238384Sjkim first = 0; 515238384Sjkim strcat(failure_text, TS_failure_info[i].text); 516238384Sjkim } 517238384Sjkim } 518238384Sjkim } 519238384Sjkim if (failure_text[0] == '\0') 520238384Sjkim strcpy(failure_text, "unspecified"); 521238384Sjkim 522238384Sjkim /* Making up the error string. */ 523238384Sjkim TSerr(TS_F_TS_CHECK_STATUS_INFO, TS_R_NO_TIME_STAMP_TOKEN); 524238384Sjkim ERR_add_error_data(6, 525238384Sjkim "status code: ", status_text, 526238384Sjkim ", status text: ", embedded_status_text ? 527238384Sjkim embedded_status_text : "unspecified", 528238384Sjkim ", failure codes: ", failure_text); 529238384Sjkim OPENSSL_free(embedded_status_text); 530238384Sjkim 531238384Sjkim return 0; 532238384Sjkim } 533238384Sjkim 534238384Sjkimstatic char *TS_get_status_text(STACK_OF(ASN1_UTF8STRING) *text) 535238384Sjkim { 536238384Sjkim int i; 537238384Sjkim unsigned int length = 0; 538238384Sjkim char *result = NULL; 539238384Sjkim char *p; 540238384Sjkim 541238384Sjkim /* Determine length first. */ 542238384Sjkim for (i = 0; i < sk_ASN1_UTF8STRING_num(text); ++i) 543238384Sjkim { 544238384Sjkim ASN1_UTF8STRING *current = sk_ASN1_UTF8STRING_value(text, i); 545238384Sjkim length += ASN1_STRING_length(current); 546238384Sjkim length += 1; /* separator character */ 547238384Sjkim } 548238384Sjkim /* Allocate memory (closing '\0' included). */ 549238384Sjkim if (!(result = OPENSSL_malloc(length))) 550238384Sjkim { 551238384Sjkim TSerr(TS_F_TS_GET_STATUS_TEXT, ERR_R_MALLOC_FAILURE); 552238384Sjkim return NULL; 553238384Sjkim } 554238384Sjkim /* Concatenate the descriptions. */ 555238384Sjkim for (i = 0, p = result; i < sk_ASN1_UTF8STRING_num(text); ++i) 556238384Sjkim { 557238384Sjkim ASN1_UTF8STRING *current = sk_ASN1_UTF8STRING_value(text, i); 558238384Sjkim length = ASN1_STRING_length(current); 559238384Sjkim if (i > 0) *p++ = '/'; 560238384Sjkim strncpy(p, (const char *)ASN1_STRING_data(current), length); 561238384Sjkim p += length; 562238384Sjkim } 563238384Sjkim /* We do have space for this, too. */ 564238384Sjkim *p = '\0'; 565238384Sjkim 566238384Sjkim return result; 567238384Sjkim } 568238384Sjkim 569238384Sjkimstatic int TS_check_policy(ASN1_OBJECT *req_oid, TS_TST_INFO *tst_info) 570238384Sjkim { 571238384Sjkim ASN1_OBJECT *resp_oid = TS_TST_INFO_get_policy_id(tst_info); 572238384Sjkim 573238384Sjkim if (OBJ_cmp(req_oid, resp_oid) != 0) 574238384Sjkim { 575238384Sjkim TSerr(TS_F_TS_CHECK_POLICY, TS_R_POLICY_MISMATCH); 576238384Sjkim return 0; 577238384Sjkim } 578238384Sjkim 579238384Sjkim return 1; 580238384Sjkim } 581238384Sjkim 582238384Sjkimstatic int TS_compute_imprint(BIO *data, TS_TST_INFO *tst_info, 583238384Sjkim X509_ALGOR **md_alg, 584238384Sjkim unsigned char **imprint, unsigned *imprint_len) 585238384Sjkim { 586238384Sjkim TS_MSG_IMPRINT *msg_imprint = TS_TST_INFO_get_msg_imprint(tst_info); 587238384Sjkim X509_ALGOR *md_alg_resp = TS_MSG_IMPRINT_get_algo(msg_imprint); 588238384Sjkim const EVP_MD *md; 589238384Sjkim EVP_MD_CTX md_ctx; 590238384Sjkim unsigned char buffer[4096]; 591238384Sjkim int length; 592238384Sjkim 593238384Sjkim *md_alg = NULL; 594238384Sjkim *imprint = NULL; 595238384Sjkim 596238384Sjkim /* Return the MD algorithm of the response. */ 597238384Sjkim if (!(*md_alg = X509_ALGOR_dup(md_alg_resp))) goto err; 598238384Sjkim 599238384Sjkim /* Getting the MD object. */ 600238384Sjkim if (!(md = EVP_get_digestbyobj((*md_alg)->algorithm))) 601238384Sjkim { 602238384Sjkim TSerr(TS_F_TS_COMPUTE_IMPRINT, TS_R_UNSUPPORTED_MD_ALGORITHM); 603238384Sjkim goto err; 604238384Sjkim } 605238384Sjkim 606238384Sjkim /* Compute message digest. */ 607238384Sjkim length = EVP_MD_size(md); 608238384Sjkim if (length < 0) 609238384Sjkim goto err; 610238384Sjkim *imprint_len = length; 611238384Sjkim if (!(*imprint = OPENSSL_malloc(*imprint_len))) 612238384Sjkim { 613238384Sjkim TSerr(TS_F_TS_COMPUTE_IMPRINT, ERR_R_MALLOC_FAILURE); 614238384Sjkim goto err; 615238384Sjkim } 616238384Sjkim 617238384Sjkim if (!EVP_DigestInit(&md_ctx, md)) 618238384Sjkim goto err; 619238384Sjkim while ((length = BIO_read(data, buffer, sizeof(buffer))) > 0) 620238384Sjkim { 621238384Sjkim if (!EVP_DigestUpdate(&md_ctx, buffer, length)) 622238384Sjkim goto err; 623238384Sjkim } 624238384Sjkim if (!EVP_DigestFinal(&md_ctx, *imprint, NULL)) 625238384Sjkim goto err; 626238384Sjkim 627238384Sjkim return 1; 628238384Sjkim err: 629238384Sjkim X509_ALGOR_free(*md_alg); 630238384Sjkim OPENSSL_free(*imprint); 631238384Sjkim *imprint_len = 0; 632279264Sdelphij *imprint = NULL; 633238384Sjkim return 0; 634238384Sjkim } 635238384Sjkim 636238384Sjkimstatic int TS_check_imprints(X509_ALGOR *algor_a, 637238384Sjkim unsigned char *imprint_a, unsigned len_a, 638238384Sjkim TS_TST_INFO *tst_info) 639238384Sjkim { 640238384Sjkim TS_MSG_IMPRINT *b = TS_TST_INFO_get_msg_imprint(tst_info); 641238384Sjkim X509_ALGOR *algor_b = TS_MSG_IMPRINT_get_algo(b); 642238384Sjkim int ret = 0; 643238384Sjkim 644238384Sjkim /* algor_a is optional. */ 645238384Sjkim if (algor_a) 646238384Sjkim { 647238384Sjkim /* Compare algorithm OIDs. */ 648238384Sjkim if (OBJ_cmp(algor_a->algorithm, algor_b->algorithm)) goto err; 649238384Sjkim 650238384Sjkim /* The parameter must be NULL in both. */ 651238384Sjkim if ((algor_a->parameter 652238384Sjkim && ASN1_TYPE_get(algor_a->parameter) != V_ASN1_NULL) 653238384Sjkim || (algor_b->parameter 654238384Sjkim && ASN1_TYPE_get(algor_b->parameter) != V_ASN1_NULL)) 655238384Sjkim goto err; 656238384Sjkim } 657238384Sjkim 658238384Sjkim /* Compare octet strings. */ 659238384Sjkim ret = len_a == (unsigned) ASN1_STRING_length(b->hashed_msg) && 660238384Sjkim memcmp(imprint_a, ASN1_STRING_data(b->hashed_msg), len_a) == 0; 661238384Sjkim err: 662238384Sjkim if (!ret) 663238384Sjkim TSerr(TS_F_TS_CHECK_IMPRINTS, TS_R_MESSAGE_IMPRINT_MISMATCH); 664238384Sjkim return ret; 665238384Sjkim } 666238384Sjkim 667238384Sjkimstatic int TS_check_nonces(const ASN1_INTEGER *a, TS_TST_INFO *tst_info) 668238384Sjkim { 669238384Sjkim const ASN1_INTEGER *b = TS_TST_INFO_get_nonce(tst_info); 670238384Sjkim 671238384Sjkim /* Error if nonce is missing. */ 672238384Sjkim if (!b) 673238384Sjkim { 674238384Sjkim TSerr(TS_F_TS_CHECK_NONCES, TS_R_NONCE_NOT_RETURNED); 675238384Sjkim return 0; 676238384Sjkim } 677238384Sjkim 678238384Sjkim /* No error if a nonce is returned without being requested. */ 679238384Sjkim if (ASN1_INTEGER_cmp(a, b) != 0) 680238384Sjkim { 681238384Sjkim TSerr(TS_F_TS_CHECK_NONCES, TS_R_NONCE_MISMATCH); 682238384Sjkim return 0; 683238384Sjkim } 684238384Sjkim 685238384Sjkim return 1; 686238384Sjkim } 687238384Sjkim 688238384Sjkim/* Check if the specified TSA name matches either the subject 689238384Sjkim or one of the subject alternative names of the TSA certificate. */ 690238384Sjkimstatic int TS_check_signer_name(GENERAL_NAME *tsa_name, X509 *signer) 691238384Sjkim { 692238384Sjkim STACK_OF(GENERAL_NAME) *gen_names = NULL; 693238384Sjkim int idx = -1; 694238384Sjkim int found = 0; 695238384Sjkim 696238384Sjkim /* Check the subject name first. */ 697238384Sjkim if (tsa_name->type == GEN_DIRNAME 698238384Sjkim && X509_name_cmp(tsa_name->d.dirn, signer->cert_info->subject) == 0) 699238384Sjkim return 1; 700238384Sjkim 701238384Sjkim /* Check all the alternative names. */ 702238384Sjkim gen_names = X509_get_ext_d2i(signer, NID_subject_alt_name, 703238384Sjkim NULL, &idx); 704238384Sjkim while (gen_names != NULL 705238384Sjkim && !(found = TS_find_name(gen_names, tsa_name) >= 0)) 706238384Sjkim { 707238384Sjkim /* Get the next subject alternative name, 708238384Sjkim although there should be no more than one. */ 709238384Sjkim GENERAL_NAMES_free(gen_names); 710238384Sjkim gen_names = X509_get_ext_d2i(signer, NID_subject_alt_name, 711238384Sjkim NULL, &idx); 712238384Sjkim } 713238384Sjkim if (gen_names) GENERAL_NAMES_free(gen_names); 714238384Sjkim 715238384Sjkim return found; 716238384Sjkim } 717238384Sjkim 718238384Sjkim/* Returns 1 if name is in gen_names, 0 otherwise. */ 719238384Sjkimstatic int TS_find_name(STACK_OF(GENERAL_NAME) *gen_names, GENERAL_NAME *name) 720238384Sjkim { 721238384Sjkim int i, found; 722238384Sjkim for (i = 0, found = 0; !found && i < sk_GENERAL_NAME_num(gen_names); 723238384Sjkim ++i) 724238384Sjkim { 725238384Sjkim GENERAL_NAME *current = sk_GENERAL_NAME_value(gen_names, i); 726238384Sjkim found = GENERAL_NAME_cmp(current, name) == 0; 727238384Sjkim } 728238384Sjkim return found ? i - 1 : -1; 729238384Sjkim } 730