1/*	$OpenBSD: ct_sct.c,v 1.10 2023/07/22 17:02:49 tb Exp $ */
2/*
3 * Written by Rob Stradling (rob@comodo.com), Stephen Henson (steve@openssl.org)
4 * and Adam Eijdenberg (adam.eijdenberg@gmail.com) for the OpenSSL project 2016.
5 */
6/* ====================================================================
7 * Copyright (c) 2014 The OpenSSL Project.  All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 *
13 * 1. Redistributions of source code must retain the above copyright
14 *    notice, this list of conditions and the following disclaimer.
15 *
16 * 2. Redistributions in binary form must reproduce the above copyright
17 *    notice, this list of conditions and the following disclaimer in
18 *    the documentation and/or other materials provided with the
19 *    distribution.
20 *
21 * 3. All advertising materials mentioning features or use of this
22 *    software must display the following acknowledgment:
23 *    "This product includes software developed by the OpenSSL Project
24 *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
25 *
26 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
27 *    endorse or promote products derived from this software without
28 *    prior written permission. For written permission, please contact
29 *    licensing@OpenSSL.org.
30 *
31 * 5. Products derived from this software may not be called "OpenSSL"
32 *    nor may "OpenSSL" appear in their names without prior written
33 *    permission of the OpenSSL Project.
34 *
35 * 6. Redistributions of any form whatsoever must retain the following
36 *    acknowledgment:
37 *    "This product includes software developed by the OpenSSL Project
38 *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
41 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
43 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
44 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
45 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
46 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
49 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
50 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51 * OF THE POSSIBILITY OF SUCH DAMAGE.
52 * ====================================================================
53 *
54 * This product includes cryptographic software written by Eric Young
55 * (eay@cryptsoft.com).  This product includes software written by Tim
56 * Hudson (tjh@cryptsoft.com).
57 *
58 */
59
60#ifdef OPENSSL_NO_CT
61# error "CT disabled"
62#endif
63
64#include <stdint.h>
65#include <stdlib.h>
66#include <string.h>
67
68#include <openssl/asn1.h>
69#include <openssl/ct.h>
70#include <openssl/err.h>
71#include <openssl/objects.h>
72#include <openssl/x509.h>
73
74#include "ct_local.h"
75
76SCT *
77SCT_new(void)
78{
79	SCT *sct = calloc(1, sizeof(*sct));
80
81	if (sct == NULL) {
82		CTerror(ERR_R_MALLOC_FAILURE);
83		return NULL;
84	}
85
86	sct->entry_type = CT_LOG_ENTRY_TYPE_NOT_SET;
87	sct->version = SCT_VERSION_NOT_SET;
88	return sct;
89}
90LCRYPTO_ALIAS(SCT_new);
91
92void
93SCT_free(SCT *sct)
94{
95	if (sct == NULL)
96		return;
97
98	free(sct->log_id);
99	free(sct->ext);
100	free(sct->sig);
101	free(sct->sct);
102	free(sct);
103}
104LCRYPTO_ALIAS(SCT_free);
105
106void
107SCT_LIST_free(STACK_OF(SCT) *scts)
108{
109	sk_SCT_pop_free(scts, SCT_free);
110}
111LCRYPTO_ALIAS(SCT_LIST_free);
112
113int
114SCT_set_version(SCT *sct, sct_version_t version)
115{
116	if (version != SCT_VERSION_V1) {
117		CTerror(CT_R_UNSUPPORTED_VERSION);
118		return 0;
119	}
120	sct->version = version;
121	sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET;
122	return 1;
123}
124LCRYPTO_ALIAS(SCT_set_version);
125
126int
127SCT_set_log_entry_type(SCT *sct, ct_log_entry_type_t entry_type)
128{
129	sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET;
130
131	switch (entry_type) {
132	case CT_LOG_ENTRY_TYPE_X509:
133	case CT_LOG_ENTRY_TYPE_PRECERT:
134		sct->entry_type = entry_type;
135		return 1;
136	case CT_LOG_ENTRY_TYPE_NOT_SET:
137		break;
138	}
139	CTerror(CT_R_UNSUPPORTED_ENTRY_TYPE);
140	return 0;
141}
142LCRYPTO_ALIAS(SCT_set_log_entry_type);
143
144int
145SCT_set0_log_id(SCT *sct, unsigned char *log_id, size_t log_id_len)
146{
147	if (sct->version == SCT_VERSION_V1 && log_id_len != CT_V1_HASHLEN) {
148		CTerror(CT_R_INVALID_LOG_ID_LENGTH);
149		return 0;
150	}
151
152	free(sct->log_id);
153	sct->log_id = log_id;
154	sct->log_id_len = log_id_len;
155	sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET;
156	return 1;
157}
158LCRYPTO_ALIAS(SCT_set0_log_id);
159
160int
161SCT_set1_log_id(SCT *sct, const unsigned char *log_id, size_t log_id_len)
162{
163	if (sct->version == SCT_VERSION_V1 && log_id_len != CT_V1_HASHLEN) {
164		CTerror(CT_R_INVALID_LOG_ID_LENGTH);
165		return 0;
166	}
167
168	free(sct->log_id);
169	sct->log_id = NULL;
170	sct->log_id_len = 0;
171	sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET;
172
173	if (log_id != NULL && log_id_len > 0) {
174		sct->log_id = malloc(log_id_len);
175		if (sct->log_id == NULL) {
176			CTerror(ERR_R_MALLOC_FAILURE);
177			return 0;
178		}
179		memcpy(sct->log_id, log_id, log_id_len);
180		sct->log_id_len = log_id_len;
181	}
182	return 1;
183}
184LCRYPTO_ALIAS(SCT_set1_log_id);
185
186
187void
188SCT_set_timestamp(SCT *sct, uint64_t timestamp)
189{
190	sct->timestamp = timestamp;
191	sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET;
192}
193LCRYPTO_ALIAS(SCT_set_timestamp);
194
195int
196SCT_set_signature_nid(SCT *sct, int nid)
197{
198	switch (nid) {
199	case NID_sha256WithRSAEncryption:
200		sct->hash_alg = 4; /* XXX */
201		sct->sig_alg = 1; /* XXX */
202		sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET;
203		return 1;
204	case NID_ecdsa_with_SHA256:
205		sct->hash_alg = 4; /* XXX */
206		sct->sig_alg = 3; /* XXX */
207		sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET;
208		return 1;
209	default:
210		CTerror(CT_R_UNRECOGNIZED_SIGNATURE_NID);
211		return 0;
212	}
213}
214LCRYPTO_ALIAS(SCT_set_signature_nid);
215
216void
217SCT_set0_extensions(SCT *sct, unsigned char *ext, size_t ext_len)
218{
219	free(sct->ext);
220	sct->ext = ext;
221	sct->ext_len = ext_len;
222	sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET;
223}
224LCRYPTO_ALIAS(SCT_set0_extensions);
225
226int
227SCT_set1_extensions(SCT *sct, const unsigned char *ext, size_t ext_len)
228{
229	free(sct->ext);
230	sct->ext = NULL;
231	sct->ext_len = 0;
232	sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET;
233
234	if (ext != NULL && ext_len > 0) {
235		sct->ext = malloc(ext_len);
236		if (sct->ext == NULL) {
237			CTerror(ERR_R_MALLOC_FAILURE);
238			return 0;
239		}
240		memcpy(sct->ext, ext, ext_len);
241		sct->ext_len = ext_len;
242	}
243	return 1;
244}
245LCRYPTO_ALIAS(SCT_set1_extensions);
246
247void
248SCT_set0_signature(SCT *sct, unsigned char *sig, size_t sig_len)
249{
250	free(sct->sig);
251	sct->sig = sig;
252	sct->sig_len = sig_len;
253	sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET;
254}
255LCRYPTO_ALIAS(SCT_set0_signature);
256
257int
258SCT_set1_signature(SCT *sct, const unsigned char *sig, size_t sig_len)
259{
260	free(sct->sig);
261	sct->sig = NULL;
262	sct->sig_len = 0;
263	sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET;
264
265	if (sig != NULL && sig_len > 0) {
266		sct->sig = malloc(sig_len);
267		if (sct->sig == NULL) {
268			CTerror(ERR_R_MALLOC_FAILURE);
269			return 0;
270		}
271		memcpy(sct->sig, sig, sig_len);
272		sct->sig_len = sig_len;
273	}
274	return 1;
275}
276LCRYPTO_ALIAS(SCT_set1_signature);
277
278sct_version_t
279SCT_get_version(const SCT *sct)
280{
281	return sct->version;
282}
283LCRYPTO_ALIAS(SCT_get_version);
284
285ct_log_entry_type_t
286SCT_get_log_entry_type(const SCT *sct)
287{
288	return sct->entry_type;
289}
290LCRYPTO_ALIAS(SCT_get_log_entry_type);
291
292size_t
293SCT_get0_log_id(const SCT *sct, unsigned char **log_id)
294{
295	*log_id = sct->log_id;
296	return sct->log_id_len;
297}
298LCRYPTO_ALIAS(SCT_get0_log_id);
299
300uint64_t
301SCT_get_timestamp(const SCT *sct)
302{
303	return sct->timestamp;
304}
305LCRYPTO_ALIAS(SCT_get_timestamp);
306
307int
308SCT_get_signature_nid(const SCT *sct)
309{
310	if (sct->version == SCT_VERSION_V1) {
311		/* XXX sigalg numbers */
312		if (sct->hash_alg == 4) {
313			switch (sct->sig_alg) {
314			case 3:
315				return NID_ecdsa_with_SHA256;
316			case 1:
317				return NID_sha256WithRSAEncryption;
318			default:
319				return NID_undef;
320			}
321		}
322	}
323	return NID_undef;
324}
325LCRYPTO_ALIAS(SCT_get_signature_nid);
326
327size_t
328SCT_get0_extensions(const SCT *sct, unsigned char **ext)
329{
330	*ext = sct->ext;
331	return sct->ext_len;
332}
333LCRYPTO_ALIAS(SCT_get0_extensions);
334
335size_t
336SCT_get0_signature(const SCT *sct, unsigned char **sig)
337{
338	*sig = sct->sig;
339	return sct->sig_len;
340}
341LCRYPTO_ALIAS(SCT_get0_signature);
342
343int
344SCT_is_complete(const SCT *sct)
345{
346	switch (sct->version) {
347	case SCT_VERSION_NOT_SET:
348		return 0;
349	case SCT_VERSION_V1:
350		return sct->log_id != NULL && SCT_signature_is_complete(sct);
351	default:
352		return sct->sct != NULL; /* Just need cached encoding */
353	}
354}
355
356int
357SCT_signature_is_complete(const SCT *sct)
358{
359	return SCT_get_signature_nid(sct) != NID_undef &&
360	    sct->sig != NULL && sct->sig_len > 0;
361}
362
363sct_source_t
364SCT_get_source(const SCT *sct)
365{
366	return sct->source;
367}
368LCRYPTO_ALIAS(SCT_get_source);
369
370int
371SCT_set_source(SCT *sct, sct_source_t source)
372{
373	sct->source = source;
374	sct->validation_status = SCT_VALIDATION_STATUS_NOT_SET;
375	switch (source) {
376	case SCT_SOURCE_TLS_EXTENSION:
377	case SCT_SOURCE_OCSP_STAPLED_RESPONSE:
378		return SCT_set_log_entry_type(sct, CT_LOG_ENTRY_TYPE_X509);
379	case SCT_SOURCE_X509V3_EXTENSION:
380		return SCT_set_log_entry_type(sct, CT_LOG_ENTRY_TYPE_PRECERT);
381	case SCT_SOURCE_UNKNOWN:
382		break;
383	}
384	/* if we aren't sure, leave the log entry type alone */
385	return 1;
386}
387LCRYPTO_ALIAS(SCT_set_source);
388
389sct_validation_status_t
390SCT_get_validation_status(const SCT *sct)
391{
392	return sct->validation_status;
393}
394LCRYPTO_ALIAS(SCT_get_validation_status);
395
396int
397SCT_validate(SCT *sct, const CT_POLICY_EVAL_CTX *ctx)
398{
399	int is_sct_valid = -1;
400	SCT_CTX *sctx = NULL;
401	X509_PUBKEY *pub = NULL, *log_pkey = NULL;
402	const CTLOG *log;
403
404	/*
405	 * With an unrecognized SCT version we don't know what such an SCT means,
406	 * let alone validate one.  So we return validation failure (0).
407	 */
408	if (sct->version != SCT_VERSION_V1) {
409		sct->validation_status = SCT_VALIDATION_STATUS_UNKNOWN_VERSION;
410		return 0;
411	}
412
413	log = CTLOG_STORE_get0_log_by_id(ctx->log_store, sct->log_id,
414	    sct->log_id_len);
415
416	/* Similarly, an SCT from an unknown log also cannot be validated. */
417	if (log == NULL) {
418		sct->validation_status = SCT_VALIDATION_STATUS_UNKNOWN_LOG;
419		return 0;
420	}
421
422	sctx = SCT_CTX_new();
423	if (sctx == NULL)
424		goto err;
425
426	if (X509_PUBKEY_set(&log_pkey, CTLOG_get0_public_key(log)) != 1)
427		goto err;
428	if (SCT_CTX_set1_pubkey(sctx, log_pkey) != 1)
429		goto err;
430
431	if (SCT_get_log_entry_type(sct) == CT_LOG_ENTRY_TYPE_PRECERT) {
432		EVP_PKEY *issuer_pkey;
433
434		if (ctx->issuer == NULL) {
435			sct->validation_status = SCT_VALIDATION_STATUS_UNVERIFIED;
436			goto end;
437		}
438
439		if ((issuer_pkey = X509_get0_pubkey(ctx->issuer)) == NULL)
440			goto err;
441
442		if (X509_PUBKEY_set(&pub, issuer_pkey) != 1)
443			goto err;
444		if (SCT_CTX_set1_issuer_pubkey(sctx, pub) != 1)
445			goto err;
446	}
447
448	SCT_CTX_set_time(sctx, ctx->epoch_time_in_ms);
449
450	/*
451	 * XXX: Potential for optimization.  This repeats some idempotent heavy
452	 * lifting on the certificate for each candidate SCT, and appears to not
453	 * use any information in the SCT itself, only the certificate is
454	 * processed.  So it may make more sense to to do this just once, perhaps
455	 * associated with the shared (by all SCTs) policy eval ctx.
456	 *
457	 * XXX: Failure here is global (SCT independent) and represents either an
458	 * issue with the certificate (e.g. duplicate extensions) or an out of
459	 * memory condition.  When the certificate is incompatible with CT, we just
460	 * mark the SCTs invalid, rather than report a failure to determine the
461	 * validation status.  That way, callbacks that want to do "soft" SCT
462	 * processing will not abort handshakes with false positive internal
463	 * errors.  Since the function does not distinguish between certificate
464	 * issues (peer's fault) and internal problems (out fault) the safe thing
465	 * to do is to report a validation failure and let the callback or
466	 * application decide what to do.
467	 */
468	if (SCT_CTX_set1_cert(sctx, ctx->cert, NULL) != 1)
469		sct->validation_status = SCT_VALIDATION_STATUS_UNVERIFIED;
470	else
471		sct->validation_status = SCT_CTX_verify(sctx, sct) == 1 ?
472		    SCT_VALIDATION_STATUS_VALID : SCT_VALIDATION_STATUS_INVALID;
473
474 end:
475	is_sct_valid = sct->validation_status == SCT_VALIDATION_STATUS_VALID;
476 err:
477	X509_PUBKEY_free(pub);
478	X509_PUBKEY_free(log_pkey);
479	SCT_CTX_free(sctx);
480
481	return is_sct_valid;
482}
483LCRYPTO_ALIAS(SCT_validate);
484
485int
486SCT_LIST_validate(const STACK_OF(SCT) *scts, CT_POLICY_EVAL_CTX *ctx)
487{
488	int are_scts_valid = 1;
489	int sct_count = scts != NULL ? sk_SCT_num(scts) : 0;
490	int i;
491
492	for (i = 0; i < sct_count; ++i) {
493		int is_sct_valid = -1;
494		SCT *sct = sk_SCT_value(scts, i);
495
496		if (sct == NULL)
497			continue;
498
499		is_sct_valid = SCT_validate(sct, ctx);
500		if (is_sct_valid < 0)
501			return is_sct_valid;
502		are_scts_valid &= is_sct_valid;
503	}
504
505	return are_scts_valid;
506}
507LCRYPTO_ALIAS(SCT_LIST_validate);
508