1/* $OpenBSD: ct_local.h,v 1.8 2021/12/20 17:19:19 jsing Exp $ */ 2/* 3 * Written by Rob Percival (robpercival@google.com) for the OpenSSL project. 4 */ 5/* ==================================================================== 6 * Copyright (c) 2016 The OpenSSL Project. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in 17 * the documentation and/or other materials provided with the 18 * distribution. 19 * 20 * 3. All advertising materials mentioning features or use of this 21 * software must display the following acknowledgment: 22 * "This product includes software developed by the OpenSSL Project 23 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 24 * 25 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 26 * endorse or promote products derived from this software without 27 * prior written permission. For written permission, please contact 28 * licensing@OpenSSL.org. 29 * 30 * 5. Products derived from this software may not be called "OpenSSL" 31 * nor may "OpenSSL" appear in their names without prior written 32 * permission of the OpenSSL Project. 33 * 34 * 6. Redistributions of any form whatsoever must retain the following 35 * acknowledgment: 36 * "This product includes software developed by the OpenSSL Project 37 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 38 * 39 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 40 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 41 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 42 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 43 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 44 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 45 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 46 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 48 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 49 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 50 * OF THE POSSIBILITY OF SUCH DAMAGE. 51 * ==================================================================== 52 */ 53 54#include <stddef.h> 55 56#include <openssl/ct.h> 57#include <openssl/evp.h> 58#include <openssl/safestack.h> 59#include <openssl/x509.h> 60#include <openssl/x509v3.h> 61 62#include "bytestring.h" 63 64/* Number of bytes in an SCT v1 LogID - see RFC 6962 section 3.2. */ 65#define CT_V1_LOG_ID_LEN 32 66 67/* Maximum size of an SCT - see RFC 6962 section 3.3. */ 68#define MAX_SCT_SIZE 65535 69#define MAX_SCT_LIST_SIZE MAX_SCT_SIZE 70 71/* 72 * Macros to write integers in network-byte order. 73 */ 74 75#define s2n(s,c) ((c[0]=(unsigned char)(((s)>> 8)&0xff), \ 76 c[1]=(unsigned char)(((s) )&0xff)),c+=2) 77 78#define l2n3(l,c) ((c[0]=(unsigned char)(((l)>>16)&0xff), \ 79 c[1]=(unsigned char)(((l)>> 8)&0xff), \ 80 c[2]=(unsigned char)(((l) )&0xff)),c+=3) 81 82#define l2n8(l,c) (*((c)++)=(unsigned char)(((l)>>56)&0xff), \ 83 *((c)++)=(unsigned char)(((l)>>48)&0xff), \ 84 *((c)++)=(unsigned char)(((l)>>40)&0xff), \ 85 *((c)++)=(unsigned char)(((l)>>32)&0xff), \ 86 *((c)++)=(unsigned char)(((l)>>24)&0xff), \ 87 *((c)++)=(unsigned char)(((l)>>16)&0xff), \ 88 *((c)++)=(unsigned char)(((l)>> 8)&0xff), \ 89 *((c)++)=(unsigned char)(((l) )&0xff)) 90 91/* Signed Certificate Timestamp */ 92struct sct_st { 93 sct_version_t version; 94 /* If version is not SCT_VERSION_V1, this contains the encoded SCT */ 95 unsigned char *sct; 96 size_t sct_len; 97 /* 98 * If version is SCT_VERSION_V1, fields below contain components of 99 * the SCT 100 */ 101 unsigned char *log_id; 102 size_t log_id_len; 103 /* 104 * Note, we cannot distinguish between an unset timestamp, and one 105 * that is set to 0. However since CT didn't exist in 1970, no real 106 * SCT should ever be set as such. 107 */ 108 uint64_t timestamp; 109 unsigned char *ext; 110 size_t ext_len; 111 unsigned char hash_alg; 112 unsigned char sig_alg; 113 unsigned char *sig; 114 size_t sig_len; 115 /* Log entry type */ 116 ct_log_entry_type_t entry_type; 117 /* Where this SCT was found, e.g. certificate, OCSP response, etc. */ 118 sct_source_t source; 119 /* The result of the last attempt to validate this SCT. */ 120 sct_validation_status_t validation_status; 121}; 122 123/* Miscellaneous data that is useful when verifying an SCT */ 124struct sct_ctx_st { 125 /* Public key */ 126 EVP_PKEY *pkey; 127 /* Hash of public key */ 128 unsigned char *pkeyhash; 129 size_t pkeyhashlen; 130 /* For pre-certificate: issuer public key hash */ 131 unsigned char *ihash; 132 size_t ihashlen; 133 /* certificate encoding */ 134 unsigned char *certder; 135 size_t certderlen; 136 /* pre-certificate encoding */ 137 unsigned char *preder; 138 size_t prederlen; 139 /* 140 * milliseconds since epoch (to check that the SCT isn't from the 141 * future) 142 */ 143 uint64_t epoch_time_in_ms; 144}; 145 146/* Context when evaluating whether a Certificate Transparency policy is met */ 147struct ct_policy_eval_ctx_st { 148 X509 *cert; 149 X509 *issuer; 150 CTLOG_STORE *log_store; 151 /* 152 * milliseconds since epoch (to check that the SCT isn't from the 153 * future) 154 */ 155 uint64_t epoch_time_in_ms; 156}; 157 158/* 159 * Creates a new context for verifying an SCT. 160 */ 161SCT_CTX *SCT_CTX_new(void); 162/* 163 * Deletes an SCT verification context. 164 */ 165void SCT_CTX_free(SCT_CTX *sctx); 166 167/* 168 * Sets the certificate that the SCT was created for. 169 * If *cert does not have a poison extension, presigner must be NULL. 170 * If *cert does not have a poison extension, it may have a single SCT 171 * (NID_ct_precert_scts) extension. 172 * If either *cert or *presigner have an AKID (NID_authority_key_identifier) 173 * extension, both must have one. 174 * Returns 1 on success, 0 on failure. 175 */ 176int SCT_CTX_set1_cert(SCT_CTX *sctx, X509 *cert, X509 *presigner); 177 178/* 179 * Sets the issuer of the certificate that the SCT was created for. 180 * This is just a convenience method to save extracting the public key and 181 * calling SCT_CTX_set1_issuer_pubkey(). 182 * Issuer must not be NULL. 183 * Returns 1 on success, 0 on failure. 184 */ 185int SCT_CTX_set1_issuer(SCT_CTX *sctx, const X509 *issuer); 186 187/* 188 * Sets the public key of the issuer of the certificate that the SCT was created 189 * for. 190 * The public key must not be NULL. 191 * Returns 1 on success, 0 on failure. 192 */ 193int SCT_CTX_set1_issuer_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey); 194 195/* 196 * Sets the public key of the CT log that the SCT is from. 197 * Returns 1 on success, 0 on failure. 198 */ 199int SCT_CTX_set1_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey); 200 201/* 202 * Sets the time to evaluate the SCT against, in milliseconds since the Unix 203 * epoch. If the SCT's timestamp is after this time, it will be interpreted as 204 * having been issued in the future. RFC6962 states that "TLS clients MUST 205 * reject SCTs whose timestamp is in the future", so an SCT will not validate 206 * in this case. 207 */ 208void SCT_CTX_set_time(SCT_CTX *sctx, uint64_t time_in_ms); 209 210/* 211 * Verifies an SCT with the given context. 212 * Returns 1 if the SCT verifies successfully; any other value indicates 213 * failure. See EVP_DigestVerifyFinal() for the meaning of those values. 214 */ 215int SCT_CTX_verify(const SCT_CTX *sctx, const SCT *sct); 216 217/* 218 * Does this SCT have the minimum fields populated to be usable? 219 * Returns 1 if so, 0 otherwise. 220 */ 221int SCT_is_complete(const SCT *sct); 222 223/* 224 * Does this SCT have the signature-related fields populated? 225 * Returns 1 if so, 0 otherwise. 226 * This checks that the signature and hash algorithms are set to supported 227 * values and that the signature field is set. 228 */ 229int SCT_signature_is_complete(const SCT *sct); 230 231/* 232 * TODO(RJPercival): Create an SCT_signature struct and make i2o_SCT_signature 233 * and o2i_SCT_signature conform to the i2d/d2i conventions. 234 */ 235 236/* 237 * Serialize (to TLS format) an |sct| signature and write it to |out|. 238 * If |out| is null, no signature will be output but the length will be returned. 239 * If |out| points to a null pointer, a string will be allocated to hold the 240 * TLS-format signature. It is the responsibility of the caller to free it. 241 * If |out| points to an allocated string, the signature will be written to it. 242 * The length of the signature in TLS format will be returned. 243 */ 244int i2o_SCT_signature(const SCT *sct, unsigned char **out); 245 246/* 247 * Parses an SCT signature in TLS format and populates the |sct| with it. 248 * |in| should be a pointer to a string containing the TLS-format signature. 249 * |in| will be advanced to the end of the signature if parsing succeeds. 250 * |len| should be the length of the signature in |in|. 251 * Returns the number of bytes parsed, or a negative integer if an error occurs. 252 * If an error occurs, the SCT's signature NID may be updated whilst the 253 * signature field itself remains unset. 254 */ 255int o2i_SCT_signature(SCT *sct, CBS *cbs); 256 257/* 258 * Handlers for Certificate Transparency X509v3/OCSP extensions 259 */ 260extern const X509V3_EXT_METHOD v3_ct_scts[3]; 261