kris
/
boringssl
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4929 Commits
12 Branches
38 MiB
 
 
 
 
 
 
Tree: b9f30bb6fe
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'b9f30bb6fe'
${ noResults }
boringssl/ssl/ssl_cert.cc

914 lines
29 KiB
Raw Blame History 

  1. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)

  2.  * All rights reserved.

  3.  *

  4.  * This package is an SSL implementation written

  5.  * by Eric Young (eay@cryptsoft.com).

  6.  * The implementation was written so as to conform with Netscapes SSL.

  7.  *

  8.  * This library is free for commercial and non-commercial use as long as

  9.  * the following conditions are aheared to.  The following conditions

  10.  * apply to all code found in this distribution, be it the RC4, RSA,

  11.  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation

  12.  * included with this distribution is covered by the same copyright terms

  13.  * except that the holder is Tim Hudson (tjh@cryptsoft.com).

  14.  *

  15.  * Copyright remains Eric Young's, and as such any Copyright notices in

  16.  * the code are not to be removed.

  17.  * If this package is used in a product, Eric Young should be given attribution

  18.  * as the author of the parts of the library used.

  19.  * This can be in the form of a textual message at program startup or

  20.  * in documentation (online or textual) provided with the package.

  21.  *

  22.  * Redistribution and use in source and binary forms, with or without

  23.  * modification, are permitted provided that the following conditions

  24.  * are met:

  25.  * 1. Redistributions of source code must retain the copyright

  26.  *    notice, this list of conditions and the following disclaimer.

  27.  * 2. Redistributions in binary form must reproduce the above copyright

  28.  *    notice, this list of conditions and the following disclaimer in the

  29.  *    documentation and/or other materials provided with the distribution.

  30.  * 3. All advertising materials mentioning features or use of this software

  31.  *    must display the following acknowledgement:

  32.  *    "This product includes cryptographic software written by

  33.  *     Eric Young (eay@cryptsoft.com)"

  34.  *    The word 'cryptographic' can be left out if the rouines from the library

  35.  *    being used are not cryptographic related :-).

  36.  * 4. If you include any Windows specific code (or a derivative thereof) from

  37.  *    the apps directory (application code) you must include an acknowledgement:

  38.  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

  39.  *

  40.  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND

  41.  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  42.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

  43.  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

  44.  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

  45.  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

  46.  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  47.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

  48.  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

  49.  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

  50.  * SUCH DAMAGE.

  51.  *

  52.  * The licence and distribution terms for any publically available version or

  53.  * derivative of this code cannot be changed.  i.e. this code cannot simply be

  54.  * copied and put under another distribution licence

  55.  * [including the GNU Public Licence.]

  56.  */

  57. /* ====================================================================

  58.  * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.

  59.  *

  60.  * Redistribution and use in source and binary forms, with or without

  61.  * modification, are permitted provided that the following conditions

  62.  * are met:

  63.  *

  64.  * 1. Redistributions of source code must retain the above copyright

  65.  *    notice, this list of conditions and the following disclaimer.

  66.  *

  67.  * 2. Redistributions in binary form must reproduce the above copyright

  68.  *    notice, this list of conditions and the following disclaimer in

  69.  *    the documentation and/or other materials provided with the

  70.  *    distribution.

  71.  *

  72.  * 3. All advertising materials mentioning features or use of this

  73.  *    software must display the following acknowledgment:

  74.  *    "This product includes software developed by the OpenSSL Project

  75.  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

  76.  *

  77.  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

  78.  *    endorse or promote products derived from this software without

  79.  *    prior written permission. For written permission, please contact

  80.  *    openssl-core@openssl.org.

  81.  *

  82.  * 5. Products derived from this software may not be called "OpenSSL"

  83.  *    nor may "OpenSSL" appear in their names without prior written

  84.  *    permission of the OpenSSL Project.

  85.  *

  86.  * 6. Redistributions of any form whatsoever must retain the following

  87.  *    acknowledgment:

  88.  *    "This product includes software developed by the OpenSSL Project

  89.  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"

  90.  *

  91.  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

  92.  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  93.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

  94.  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR

  95.  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

  96.  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

  97.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

  98.  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  99.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

  100.  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

  101.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

  102.  * OF THE POSSIBILITY OF SUCH DAMAGE.

  103.  * ====================================================================

  104.  *

  105.  * This product includes cryptographic software written by Eric Young

  106.  * (eay@cryptsoft.com).  This product includes software written by Tim

  107.  * Hudson (tjh@cryptsoft.com).

  108.  *

  109.  */

  110. /* ====================================================================

  111.  * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.

  112.  * ECC cipher suite support in OpenSSL originally developed by

  113.  * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. */

  114. 

  115. #include <openssl/ssl.h>

  116. 

  117. #include <assert.h>

  118. #include <limits.h>

  119. #include <string.h>

  120. 

  121. #include <utility>

  122. 

  123. #include <openssl/bn.h>

  124. #include <openssl/buf.h>

  125. #include <openssl/bytestring.h>

  126. #include <openssl/ec_key.h>

  127. #include <openssl/err.h>

  128. #include <openssl/mem.h>

  129. #include <openssl/sha.h>

  130. #include <openssl/x509.h>

  131. 

  132. #include "../crypto/internal.h"

  133. #include "internal.h"

  134. 

  135. 

  136. namespace bssl {

  137. 

  138. CERT *ssl_cert_new(const SSL_X509_METHOD *x509_method) {

  139.   CERT *ret = (CERT *)OPENSSL_malloc(sizeof(CERT));

  140.   if (ret == NULL) {

  141.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  142.     return NULL;

  143.   }

  144.   OPENSSL_memset(ret, 0, sizeof(CERT));

  145.   ret->x509_method = x509_method;

  146. 

  147.   return ret;

  148. }

  149. 

  150. static CRYPTO_BUFFER *buffer_up_ref(CRYPTO_BUFFER *buffer) {

  151.   CRYPTO_BUFFER_up_ref(buffer);

  152.   return buffer;

  153. }

  154. 

  155. CERT *ssl_cert_dup(CERT *cert) {

  156.   CERT *ret = (CERT *)OPENSSL_malloc(sizeof(CERT));

  157.   if (ret == NULL) {

  158.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  159.     return NULL;

  160.   }

  161.   OPENSSL_memset(ret, 0, sizeof(CERT));

  162. 

  163.   ret->chain = sk_CRYPTO_BUFFER_deep_copy(cert->chain, buffer_up_ref,

  164.                                           CRYPTO_BUFFER_free);

  165. 

  166.   if (cert->privatekey != NULL) {

  167.     EVP_PKEY_up_ref(cert->privatekey);

  168.     ret->privatekey = cert->privatekey;

  169.   }

  170. 

  171.   ret->key_method = cert->key_method;

  172.   ret->x509_method = cert->x509_method;

  173. 

  174.   if (cert->sigalgs != NULL) {

  175.     ret->sigalgs = (uint16_t *)BUF_memdup(

  176.         cert->sigalgs, cert->num_sigalgs * sizeof(cert->sigalgs[0]));

  177.     if (ret->sigalgs == NULL) {

  178.       goto err;

  179.     }

  180.   }

  181.   ret->num_sigalgs = cert->num_sigalgs;

  182. 

  183.   ret->cert_cb = cert->cert_cb;

  184.   ret->cert_cb_arg = cert->cert_cb_arg;

  185. 

  186.   ret->x509_method->cert_dup(ret, cert);

  187. 

  188.   if (cert->signed_cert_timestamp_list != NULL) {

  189.     CRYPTO_BUFFER_up_ref(cert->signed_cert_timestamp_list);

  190.     ret->signed_cert_timestamp_list = cert->signed_cert_timestamp_list;

  191.   }

  192. 

  193.   if (cert->ocsp_response != NULL) {

  194.     CRYPTO_BUFFER_up_ref(cert->ocsp_response);

  195.     ret->ocsp_response = cert->ocsp_response;

  196.   }

  197. 

  198.   ret->sid_ctx_length = cert->sid_ctx_length;

  199.   OPENSSL_memcpy(ret->sid_ctx, cert->sid_ctx, sizeof(ret->sid_ctx));

  200. 

  201.   ret->enable_early_data = cert->enable_early_data;

  202. 

  203.   return ret;

  204. 

  205. err:

  206.   ssl_cert_free(ret);

  207.   return NULL;

  208. }

  209. 

  210. // Free up and clear all certificates and chains

  211. void ssl_cert_clear_certs(CERT *cert) {

  212.   if (cert == NULL) {

  213.     return;

  214.   }

  215. 

  216.   cert->x509_method->cert_clear(cert);

  217. 

  218.   sk_CRYPTO_BUFFER_pop_free(cert->chain, CRYPTO_BUFFER_free);

  219.   cert->chain = NULL;

  220.   EVP_PKEY_free(cert->privatekey);

  221.   cert->privatekey = NULL;

  222.   cert->key_method = NULL;

  223. }

  224. 

  225. void ssl_cert_free(CERT *cert) {

  226.   if (cert == NULL) {

  227.     return;

  228.   }

  229. 

  230.   ssl_cert_clear_certs(cert);

  231.   cert->x509_method->cert_free(cert);

  232.   OPENSSL_free(cert->sigalgs);

  233.   CRYPTO_BUFFER_free(cert->signed_cert_timestamp_list);

  234.   CRYPTO_BUFFER_free(cert->ocsp_response);

  235. 

  236.   OPENSSL_free(cert);

  237. }

  238. 

  239. static void ssl_cert_set_cert_cb(CERT *cert, int (*cb)(SSL *ssl, void *arg),

  240.                                  void *arg) {

  241.   cert->cert_cb = cb;

  242.   cert->cert_cb_arg = arg;

  243. }

  244. 

  245. enum leaf_cert_and_privkey_result_t {

  246.   leaf_cert_and_privkey_error,

  247.   leaf_cert_and_privkey_ok,

  248.   leaf_cert_and_privkey_mismatch,

  249. };

  250. 

  251. // check_leaf_cert_and_privkey checks whether the certificate in |leaf_buffer|

  252. // and the private key in |privkey| are suitable and coherent. It returns

  253. // |leaf_cert_and_privkey_error| and pushes to the error queue if a problem is

  254. // found. If the certificate and private key are valid, but incoherent, it

  255. // returns |leaf_cert_and_privkey_mismatch|. Otherwise it returns

  256. // |leaf_cert_and_privkey_ok|.

  257. static enum leaf_cert_and_privkey_result_t check_leaf_cert_and_privkey(

  258.     CRYPTO_BUFFER *leaf_buffer, EVP_PKEY *privkey) {

  259.   CBS cert_cbs;

  260.   CRYPTO_BUFFER_init_CBS(leaf_buffer, &cert_cbs);

  261.   UniquePtr<EVP_PKEY> pubkey = ssl_cert_parse_pubkey(&cert_cbs);

  262.   if (!pubkey) {

  263.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  264.     return leaf_cert_and_privkey_error;

  265.   }

  266. 

  267.   if (!ssl_is_key_type_supported(pubkey->type)) {

  268.     OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CERTIFICATE_TYPE);

  269.     return leaf_cert_and_privkey_error;

  270.   }

  271. 

  272.   // An ECC certificate may be usable for ECDH or ECDSA. We only support ECDSA

  273.   // certificates, so sanity-check the key usage extension.

  274.   if (pubkey->type == EVP_PKEY_EC &&

  275.       !ssl_cert_check_digital_signature_key_usage(&cert_cbs)) {

  276.     OPENSSL_PUT_ERROR(SSL, SSL_R_UNKNOWN_CERTIFICATE_TYPE);

  277.     return leaf_cert_and_privkey_error;

  278.   }

  279. 

  280.   if (privkey != NULL &&

  281.       // Sanity-check that the private key and the certificate match.

  282.       !ssl_compare_public_and_private_key(pubkey.get(), privkey)) {

  283.     ERR_clear_error();

  284.     return leaf_cert_and_privkey_mismatch;

  285.   }

  286. 

  287.   return leaf_cert_and_privkey_ok;

  288. }

  289. 

  290. static int cert_set_chain_and_key(

  291.     CERT *cert, CRYPTO_BUFFER *const *certs, size_t num_certs,

  292.     EVP_PKEY *privkey, const SSL_PRIVATE_KEY_METHOD *privkey_method) {

  293.   if (num_certs == 0 ||

  294.       (privkey == NULL && privkey_method == NULL)) {

  295.     OPENSSL_PUT_ERROR(SSL, ERR_R_PASSED_NULL_PARAMETER);

  296.     return 0;

  297.   }

  298. 

  299.   if (privkey != NULL && privkey_method != NULL) {

  300.     OPENSSL_PUT_ERROR(SSL, SSL_R_CANNOT_HAVE_BOTH_PRIVKEY_AND_METHOD);

  301.     return 0;

  302.   }

  303. 

  304.   switch (check_leaf_cert_and_privkey(certs[0], privkey)) {

  305.     case leaf_cert_and_privkey_error:

  306.       return 0;

  307.     case leaf_cert_and_privkey_mismatch:

  308.       OPENSSL_PUT_ERROR(SSL, SSL_R_CERTIFICATE_AND_PRIVATE_KEY_MISMATCH);

  309.       return 0;

  310.     case leaf_cert_and_privkey_ok:

  311.       break;

  312.   }

  313. 

  314.   STACK_OF(CRYPTO_BUFFER) *certs_sk = sk_CRYPTO_BUFFER_new_null();

  315.   if (certs_sk == NULL) {

  316.     return 0;

  317.   }

  318. 

  319.   for (size_t i = 0; i < num_certs; i++) {

  320.     if (!sk_CRYPTO_BUFFER_push(certs_sk, certs[i])) {

  321.       sk_CRYPTO_BUFFER_pop_free(certs_sk, CRYPTO_BUFFER_free);

  322.       return 0;

  323.     }

  324.     CRYPTO_BUFFER_up_ref(certs[i]);

  325.   }

  326. 

  327.   EVP_PKEY_free(cert->privatekey);

  328.   cert->privatekey = privkey;

  329.   if (privkey != NULL) {

  330.     EVP_PKEY_up_ref(privkey);

  331.   }

  332.   cert->key_method = privkey_method;

  333. 

  334.   sk_CRYPTO_BUFFER_pop_free(cert->chain, CRYPTO_BUFFER_free);

  335.   cert->chain = certs_sk;

  336. 

  337.   return 1;

  338. }

  339. 

  340. int ssl_set_cert(CERT *cert, UniquePtr<CRYPTO_BUFFER> buffer) {

  341.   switch (check_leaf_cert_and_privkey(buffer.get(), cert->privatekey)) {

  342.     case leaf_cert_and_privkey_error:

  343.       return 0;

  344.     case leaf_cert_and_privkey_mismatch:

  345.       // don't fail for a cert/key mismatch, just free current private key

  346.       // (when switching to a different cert & key, first this function should

  347.       // be used, then |ssl_set_pkey|.

  348.       EVP_PKEY_free(cert->privatekey);

  349.       cert->privatekey = NULL;

  350.       break;

  351.     case leaf_cert_and_privkey_ok:

  352.       break;

  353.   }

  354. 

  355.   cert->x509_method->cert_flush_cached_leaf(cert);

  356. 

  357.   if (cert->chain != NULL) {

  358.     CRYPTO_BUFFER_free(sk_CRYPTO_BUFFER_value(cert->chain, 0));

  359.     sk_CRYPTO_BUFFER_set(cert->chain, 0, buffer.release());

  360.     return 1;

  361.   }

  362. 

  363.   cert->chain = sk_CRYPTO_BUFFER_new_null();

  364.   if (cert->chain == NULL) {

  365.     return 0;

  366.   }

  367. 

  368.   if (!PushToStack(cert->chain, std::move(buffer))) {

  369.     sk_CRYPTO_BUFFER_free(cert->chain);

  370.     cert->chain = NULL;

  371.     return 0;

  372.   }

  373. 

  374.   return 1;

  375. }

  376. 

  377. int ssl_has_certificate(const SSL *ssl) {

  378.   return ssl->cert->chain != NULL &&

  379.          sk_CRYPTO_BUFFER_value(ssl->cert->chain, 0) != NULL &&

  380.          ssl_has_private_key(ssl);

  381. }

  382. 

  383. bool ssl_parse_cert_chain(uint8_t *out_alert,

  384.                           UniquePtr<STACK_OF(CRYPTO_BUFFER)> *out_chain,

  385.                           UniquePtr<EVP_PKEY> *out_pubkey,

  386.                           uint8_t *out_leaf_sha256, CBS *cbs,

  387.                           CRYPTO_BUFFER_POOL *pool) {

  388.   out_chain->reset();

  389.   out_pubkey->reset();

  390. 

  391.   CBS certificate_list;

  392.   if (!CBS_get_u24_length_prefixed(cbs, &certificate_list)) {

  393.     *out_alert = SSL_AD_DECODE_ERROR;

  394.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  395.     return false;

  396.   }

  397. 

  398.   if (CBS_len(&certificate_list) == 0) {

  399.     return true;

  400.   }

  401. 

  402.   UniquePtr<STACK_OF(CRYPTO_BUFFER)> chain(sk_CRYPTO_BUFFER_new_null());

  403.   if (!chain) {

  404.     *out_alert = SSL_AD_INTERNAL_ERROR;

  405.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  406.     return false;

  407.   }

  408. 

  409.   UniquePtr<EVP_PKEY> pubkey;

  410.   while (CBS_len(&certificate_list) > 0) {

  411.     CBS certificate;

  412.     if (!CBS_get_u24_length_prefixed(&certificate_list, &certificate) ||

  413.         CBS_len(&certificate) == 0) {

  414.       *out_alert = SSL_AD_DECODE_ERROR;

  415.       OPENSSL_PUT_ERROR(SSL, SSL_R_CERT_LENGTH_MISMATCH);

  416.       return false;

  417.     }

  418. 

  419.     if (sk_CRYPTO_BUFFER_num(chain.get()) == 0) {

  420.       pubkey = ssl_cert_parse_pubkey(&certificate);

  421.       if (!pubkey) {

  422.         *out_alert = SSL_AD_DECODE_ERROR;

  423.         return false;

  424.       }

  425. 

  426.       // Retain the hash of the leaf certificate if requested.

  427.       if (out_leaf_sha256 != NULL) {

  428.         SHA256(CBS_data(&certificate), CBS_len(&certificate), out_leaf_sha256);

  429.       }

  430.     }

  431. 

  432.     UniquePtr<CRYPTO_BUFFER> buf(

  433.         CRYPTO_BUFFER_new_from_CBS(&certificate, pool));

  434.     if (!buf ||

  435.         !PushToStack(chain.get(), std::move(buf))) {

  436.       *out_alert = SSL_AD_INTERNAL_ERROR;

  437.       OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  438.       return false;

  439.     }

  440.   }

  441. 

  442.   *out_chain = std::move(chain);

  443.   *out_pubkey = std::move(pubkey);

  444.   return true;

  445. }

  446. 

  447. int ssl_add_cert_chain(SSL *ssl, CBB *cbb) {

  448.   if (!ssl_has_certificate(ssl)) {

  449.     return CBB_add_u24(cbb, 0);

  450.   }

  451. 

  452.   CBB certs;

  453.   if (!CBB_add_u24_length_prefixed(cbb, &certs)) {

  454.     OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  455.     return 0;

  456.   }

  457. 

  458.   STACK_OF(CRYPTO_BUFFER) *chain = ssl->cert->chain;

  459.   for (size_t i = 0; i < sk_CRYPTO_BUFFER_num(chain); i++) {

  460.     CRYPTO_BUFFER *buffer = sk_CRYPTO_BUFFER_value(chain, i);

  461.     CBB child;

  462.     if (!CBB_add_u24_length_prefixed(&certs, &child) ||

  463.         !CBB_add_bytes(&child, CRYPTO_BUFFER_data(buffer),

  464.                        CRYPTO_BUFFER_len(buffer)) ||

  465.         !CBB_flush(&certs)) {

  466.       OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);

  467.       return 0;

  468.     }

  469.   }

  470. 

  471.   return CBB_flush(cbb);

  472. }

  473. 

  474. // ssl_cert_skip_to_spki parses a DER-encoded, X.509 certificate from |in| and

  475. // positions |*out_tbs_cert| to cover the TBSCertificate, starting at the

  476. // subjectPublicKeyInfo.

  477. static int ssl_cert_skip_to_spki(const CBS *in, CBS *out_tbs_cert) {

  478.   /* From RFC 5280, section 4.1

  479.    *    Certificate  ::=  SEQUENCE  {

  480.    *      tbsCertificate       TBSCertificate,

  481.    *      signatureAlgorithm   AlgorithmIdentifier,

  482.    *      signatureValue       BIT STRING  }

  483. 

  484.    * TBSCertificate  ::=  SEQUENCE  {

  485.    *      version         [0]  EXPLICIT Version DEFAULT v1,

  486.    *      serialNumber         CertificateSerialNumber,

  487.    *      signature            AlgorithmIdentifier,

  488.    *      issuer               Name,

  489.    *      validity             Validity,

  490.    *      subject              Name,

  491.    *      subjectPublicKeyInfo SubjectPublicKeyInfo,

  492.    *      ... } */

  493.   CBS buf = *in;

  494. 

  495.   CBS toplevel;

  496.   if (!CBS_get_asn1(&buf, &toplevel, CBS_ASN1_SEQUENCE) ||

  497.       CBS_len(&buf) != 0 ||

  498.       !CBS_get_asn1(&toplevel, out_tbs_cert, CBS_ASN1_SEQUENCE) ||

  499.       // version

  500.       !CBS_get_optional_asn1(

  501.           out_tbs_cert, NULL, NULL,

  502.           CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 0) ||

  503.       // serialNumber

  504.       !CBS_get_asn1(out_tbs_cert, NULL, CBS_ASN1_INTEGER) ||

  505.       // signature algorithm

  506.       !CBS_get_asn1(out_tbs_cert, NULL, CBS_ASN1_SEQUENCE) ||

  507.       // issuer

  508.       !CBS_get_asn1(out_tbs_cert, NULL, CBS_ASN1_SEQUENCE) ||

  509.       // validity

  510.       !CBS_get_asn1(out_tbs_cert, NULL, CBS_ASN1_SEQUENCE) ||

  511.       // subject

  512.       !CBS_get_asn1(out_tbs_cert, NULL, CBS_ASN1_SEQUENCE)) {

  513.     return 0;

  514.   }

  515. 

  516.   return 1;

  517. }

  518. 

  519. UniquePtr<EVP_PKEY> ssl_cert_parse_pubkey(const CBS *in) {

  520.   CBS buf = *in, tbs_cert;

  521.   if (!ssl_cert_skip_to_spki(&buf, &tbs_cert)) {

  522.     OPENSSL_PUT_ERROR(SSL, SSL_R_CANNOT_PARSE_LEAF_CERT);

  523.     return nullptr;

  524.   }

  525. 

  526.   return UniquePtr<EVP_PKEY>(EVP_parse_public_key(&tbs_cert));

  527. }

  528. 

  529. int ssl_compare_public_and_private_key(const EVP_PKEY *pubkey,

  530.                                        const EVP_PKEY *privkey) {

  531.   if (EVP_PKEY_is_opaque(privkey)) {

  532.     // We cannot check an opaque private key and have to trust that it

  533.     // matches.

  534.     return 1;

  535.   }

  536. 

  537.   int ret = 0;

  538. 

  539.   switch (EVP_PKEY_cmp(pubkey, privkey)) {

  540.     case 1:

  541.       ret = 1;

  542.       break;

  543.     case 0:

  544.       OPENSSL_PUT_ERROR(X509, X509_R_KEY_VALUES_MISMATCH);

  545.       break;

  546.     case -1:

  547.       OPENSSL_PUT_ERROR(X509, X509_R_KEY_TYPE_MISMATCH);

  548.       break;

  549.     case -2:

  550.       OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_KEY_TYPE);

  551.       break;

  552.     default:

  553.       assert(0);

  554.       break;

  555.   }

  556. 

  557.   return ret;

  558. }

  559. 

  560. int ssl_cert_check_private_key(const CERT *cert, const EVP_PKEY *privkey) {

  561.   if (privkey == NULL) {

  562.     OPENSSL_PUT_ERROR(SSL, SSL_R_NO_PRIVATE_KEY_ASSIGNED);

  563.     return 0;

  564.   }

  565. 

  566.   if (cert->chain == NULL ||

  567.       sk_CRYPTO_BUFFER_value(cert->chain, 0) == NULL) {

  568.     OPENSSL_PUT_ERROR(SSL, SSL_R_NO_CERTIFICATE_ASSIGNED);

  569.     return 0;

  570.   }

  571. 

  572.   CBS cert_cbs;

  573.   CRYPTO_BUFFER_init_CBS(sk_CRYPTO_BUFFER_value(cert->chain, 0), &cert_cbs);

  574.   UniquePtr<EVP_PKEY> pubkey = ssl_cert_parse_pubkey(&cert_cbs);

  575.   if (!pubkey) {

  576.     OPENSSL_PUT_ERROR(X509, X509_R_UNKNOWN_KEY_TYPE);

  577.     return 0;

  578.   }

  579. 

  580.   return ssl_compare_public_and_private_key(pubkey.get(), privkey);

  581. }

  582. 

  583. int ssl_cert_check_digital_signature_key_usage(const CBS *in) {

  584.   CBS buf = *in;

  585. 

  586.   CBS tbs_cert, outer_extensions;

  587.   int has_extensions;

  588.   if (!ssl_cert_skip_to_spki(&buf, &tbs_cert) ||

  589.       // subjectPublicKeyInfo

  590.       !CBS_get_asn1(&tbs_cert, NULL, CBS_ASN1_SEQUENCE) ||

  591.       // issuerUniqueID

  592.       !CBS_get_optional_asn1(

  593.           &tbs_cert, NULL, NULL,

  594.           CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 1) ||

  595.       // subjectUniqueID

  596.       !CBS_get_optional_asn1(

  597.           &tbs_cert, NULL, NULL,

  598.           CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 2) ||

  599.       !CBS_get_optional_asn1(

  600.           &tbs_cert, &outer_extensions, &has_extensions,

  601.           CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 3)) {

  602.     OPENSSL_PUT_ERROR(SSL, SSL_R_CANNOT_PARSE_LEAF_CERT);

  603.     return 0;

  604.   }

  605. 

  606.   if (!has_extensions) {

  607.     return 1;

  608.   }

  609. 

  610.   CBS extensions;

  611.   if (!CBS_get_asn1(&outer_extensions, &extensions, CBS_ASN1_SEQUENCE)) {

  612.     OPENSSL_PUT_ERROR(SSL, SSL_R_CANNOT_PARSE_LEAF_CERT);

  613.     return 0;

  614.   }

  615. 

  616.   while (CBS_len(&extensions) > 0) {

  617.     CBS extension, oid, contents;

  618.     if (!CBS_get_asn1(&extensions, &extension, CBS_ASN1_SEQUENCE) ||

  619.         !CBS_get_asn1(&extension, &oid, CBS_ASN1_OBJECT) ||

  620.         (CBS_peek_asn1_tag(&extension, CBS_ASN1_BOOLEAN) &&

  621.          !CBS_get_asn1(&extension, NULL, CBS_ASN1_BOOLEAN)) ||

  622.         !CBS_get_asn1(&extension, &contents, CBS_ASN1_OCTETSTRING) ||

  623.         CBS_len(&extension) != 0) {

  624.       OPENSSL_PUT_ERROR(SSL, SSL_R_CANNOT_PARSE_LEAF_CERT);

  625.       return 0;

  626.     }

  627. 

  628.     static const uint8_t kKeyUsageOID[3] = {0x55, 0x1d, 0x0f};

  629.     if (CBS_len(&oid) != sizeof(kKeyUsageOID) ||

  630.         OPENSSL_memcmp(CBS_data(&oid), kKeyUsageOID, sizeof(kKeyUsageOID)) !=

  631.             0) {

  632.       continue;

  633.     }

  634. 

  635.     CBS bit_string;

  636.     if (!CBS_get_asn1(&contents, &bit_string, CBS_ASN1_BITSTRING) ||

  637.         CBS_len(&contents) != 0) {

  638.       OPENSSL_PUT_ERROR(SSL, SSL_R_CANNOT_PARSE_LEAF_CERT);

  639.       return 0;

  640.     }

  641. 

  642.     // This is the KeyUsage extension. See

  643.     // https://tools.ietf.org/html/rfc5280#section-4.2.1.3

  644.     if (!CBS_is_valid_asn1_bitstring(&bit_string)) {

  645.       OPENSSL_PUT_ERROR(SSL, SSL_R_CANNOT_PARSE_LEAF_CERT);

  646.       return 0;

  647.     }

  648. 

  649.     if (!CBS_asn1_bitstring_has_bit(&bit_string, 0)) {

  650.       OPENSSL_PUT_ERROR(SSL, SSL_R_ECC_CERT_NOT_FOR_SIGNING);

  651.       return 0;

  652.     }

  653. 

  654.     return 1;

  655.   }

  656. 

  657.   // No KeyUsage extension found.

  658.   return 1;

  659. }

  660. 

  661. UniquePtr<STACK_OF(CRYPTO_BUFFER)> ssl_parse_client_CA_list(SSL *ssl,

  662.                                                             uint8_t *out_alert,

  663.                                                             CBS *cbs) {

  664.   CRYPTO_BUFFER_POOL *const pool = ssl->ctx->pool;

  665. 

  666.   UniquePtr<STACK_OF(CRYPTO_BUFFER)> ret(sk_CRYPTO_BUFFER_new_null());

  667.   if (!ret) {

  668.     *out_alert = SSL_AD_INTERNAL_ERROR;

  669.     OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  670.     return nullptr;

  671.   }

  672. 

  673.   CBS child;

  674.   if (!CBS_get_u16_length_prefixed(cbs, &child)) {

  675.     *out_alert = SSL_AD_DECODE_ERROR;

  676.     OPENSSL_PUT_ERROR(SSL, SSL_R_LENGTH_MISMATCH);

  677.     return nullptr;

  678.   }

  679. 

  680.   while (CBS_len(&child) > 0) {

  681.     CBS distinguished_name;

  682.     if (!CBS_get_u16_length_prefixed(&child, &distinguished_name)) {

  683.       *out_alert = SSL_AD_DECODE_ERROR;

  684.       OPENSSL_PUT_ERROR(SSL, SSL_R_CA_DN_TOO_LONG);

  685.       return nullptr;

  686.     }

  687. 

  688.     UniquePtr<CRYPTO_BUFFER> buffer(

  689.         CRYPTO_BUFFER_new_from_CBS(&distinguished_name, pool));

  690.     if (!buffer ||

  691.         !PushToStack(ret.get(), std::move(buffer))) {

  692.       *out_alert = SSL_AD_INTERNAL_ERROR;

  693.       OPENSSL_PUT_ERROR(SSL, ERR_R_MALLOC_FAILURE);

  694.       return nullptr;

  695.     }

  696.   }

  697. 

  698.   if (!ssl->ctx->x509_method->check_client_CA_list(ret.get())) {

  699.     *out_alert = SSL_AD_INTERNAL_ERROR;

  700.     OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);

  701.     return nullptr;

  702.   }

  703. 

  704.   return ret;

  705. }

  706. 

  707. bool ssl_has_client_CAs(SSL *ssl) {

  708.   STACK_OF(CRYPTO_BUFFER) *names = ssl->client_CA;

  709.   if (names == NULL) {

  710.     names = ssl->ctx->client_CA;

  711.   }

  712.   if (names == NULL) {

  713.     return false;

  714.   }

  715.   return sk_CRYPTO_BUFFER_num(names) > 0;

  716. }

  717. 

  718. int ssl_add_client_CA_list(SSL *ssl, CBB *cbb) {

  719.   CBB child, name_cbb;

  720.   if (!CBB_add_u16_length_prefixed(cbb, &child)) {

  721.     return 0;

  722.   }

  723. 

  724.   STACK_OF(CRYPTO_BUFFER) *names = ssl->client_CA;

  725.   if (names == NULL) {

  726.     names = ssl->ctx->client_CA;

  727.   }

  728.   if (names == NULL) {

  729.     return CBB_flush(cbb);

  730.   }

  731. 

  732.   for (const CRYPTO_BUFFER *name : names) {

  733.     if (!CBB_add_u16_length_prefixed(&child, &name_cbb) ||

  734.         !CBB_add_bytes(&name_cbb, CRYPTO_BUFFER_data(name),

  735.                        CRYPTO_BUFFER_len(name))) {

  736.       return 0;

  737.     }

  738.   }

  739. 

  740.   return CBB_flush(cbb);

  741. }

  742. 

  743. int ssl_check_leaf_certificate(SSL_HANDSHAKE *hs, EVP_PKEY *pkey,

  744.                                const CRYPTO_BUFFER *leaf) {

  745.   SSL *const ssl = hs->ssl;

  746.   assert(ssl_protocol_version(ssl) < TLS1_3_VERSION);

  747. 

  748.   // Check the certificate's type matches the cipher.

  749.   if (!(hs->new_cipher->algorithm_auth & ssl_cipher_auth_mask_for_key(pkey))) {

  750.     OPENSSL_PUT_ERROR(SSL, SSL_R_WRONG_CERTIFICATE_TYPE);

  751.     return 0;

  752.   }

  753. 

  754.   // Check key usages for all key types but RSA. This is needed to distinguish

  755.   // ECDH certificates, which we do not support, from ECDSA certificates. In

  756.   // principle, we should check RSA key usages based on cipher, but this breaks

  757.   // buggy antivirus deployments. Other key types are always used for signing.

  758.   //

  759.   // TODO(davidben): Get more recent data on RSA key usages.

  760.   if (EVP_PKEY_id(pkey) != EVP_PKEY_RSA) {

  761.     CBS leaf_cbs;

  762.     CBS_init(&leaf_cbs, CRYPTO_BUFFER_data(leaf), CRYPTO_BUFFER_len(leaf));

  763.     if (!ssl_cert_check_digital_signature_key_usage(&leaf_cbs)) {

  764.       return 0;

  765.     }

  766.   }

  767. 

  768.   if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {

  769.     // Check the key's group and point format are acceptable.

  770.     EC_KEY *ec_key = EVP_PKEY_get0_EC_KEY(pkey);

  771.     uint16_t group_id;

  772.     if (!ssl_nid_to_group_id(

  773.             &group_id, EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key))) ||

  774.         !tls1_check_group_id(ssl, group_id) ||

  775.         EC_KEY_get_conv_form(ec_key) != POINT_CONVERSION_UNCOMPRESSED) {

  776.       OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_ECC_CERT);

  777.       return 0;

  778.     }

  779.   }

  780. 

  781.   return 1;

  782. }

  783. 

  784. int ssl_on_certificate_selected(SSL_HANDSHAKE *hs) {

  785.   SSL *const ssl = hs->ssl;

  786.   if (!ssl_has_certificate(ssl)) {

  787.     // Nothing to do.

  788.     return 1;

  789.   }

  790. 

  791.   if (!ssl->ctx->x509_method->ssl_auto_chain_if_needed(ssl)) {

  792.     return 0;

  793.   }

  794. 

  795.   CBS leaf;

  796.   CRYPTO_BUFFER_init_CBS(sk_CRYPTO_BUFFER_value(ssl->cert->chain, 0), &leaf);

  797. 

  798.   hs->local_pubkey = ssl_cert_parse_pubkey(&leaf);

  799.   return hs->local_pubkey != NULL;

  800. }

  801. 

  802. }  // namespace bssl

  803. 

  804. using namespace bssl;

  805. 

  806. int SSL_set_chain_and_key(SSL *ssl, CRYPTO_BUFFER *const *certs,

  807.                           size_t num_certs, EVP_PKEY *privkey,

  808.                           const SSL_PRIVATE_KEY_METHOD *privkey_method) {

  809.   return cert_set_chain_and_key(ssl->cert, certs, num_certs, privkey,

  810.                                 privkey_method);

  811. }

  812. 

  813. int SSL_CTX_set_chain_and_key(SSL_CTX *ctx, CRYPTO_BUFFER *const *certs,

  814.                               size_t num_certs, EVP_PKEY *privkey,

  815.                               const SSL_PRIVATE_KEY_METHOD *privkey_method) {

  816.   return cert_set_chain_and_key(ctx->cert, certs, num_certs, privkey,

  817.                                 privkey_method);

  818. }

  819. 

  820. int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, size_t der_len,

  821.                                  const uint8_t *der) {

  822.   UniquePtr<CRYPTO_BUFFER> buffer(CRYPTO_BUFFER_new(der, der_len, NULL));

  823.   if (!buffer) {

  824.     return 0;

  825.   }

  826. 

  827.   return ssl_set_cert(ctx->cert, std::move(buffer));

  828. }

  829. 

  830. int SSL_use_certificate_ASN1(SSL *ssl, const uint8_t *der, size_t der_len) {

  831.   UniquePtr<CRYPTO_BUFFER> buffer(CRYPTO_BUFFER_new(der, der_len, NULL));

  832.   if (!buffer) {

  833.     return 0;

  834.   }

  835. 

  836.   return ssl_set_cert(ssl->cert, std::move(buffer));

  837. }

  838. 

  839. void SSL_CTX_set_cert_cb(SSL_CTX *ctx, int (*cb)(SSL *ssl, void *arg),

  840.                          void *arg) {

  841.   ssl_cert_set_cert_cb(ctx->cert, cb, arg);

  842. }

  843. 

  844. void SSL_set_cert_cb(SSL *ssl, int (*cb)(SSL *ssl, void *arg), void *arg) {

  845.   ssl_cert_set_cert_cb(ssl->cert, cb, arg);

  846. }

  847. 

  848. STACK_OF(CRYPTO_BUFFER) *SSL_get0_peer_certificates(const SSL *ssl) {

  849.   SSL_SESSION *session = SSL_get_session(ssl);

  850.   if (session == NULL) {

  851.     return NULL;

  852.   }

  853. 

  854.   return session->certs;

  855. }

  856. 

  857. STACK_OF(CRYPTO_BUFFER) *SSL_get0_server_requested_CAs(const SSL *ssl) {

  858.   if (ssl->s3->hs == NULL) {

  859.     return NULL;

  860.   }

  861.   return ssl->s3->hs->ca_names.get();

  862. }

  863. 

  864. static int set_signed_cert_timestamp_list(CERT *cert, const uint8_t *list,

  865.                                            size_t list_len) {

  866.   CBS sct_list;

  867.   CBS_init(&sct_list, list, list_len);

  868.   if (!ssl_is_sct_list_valid(&sct_list)) {

  869.     OPENSSL_PUT_ERROR(SSL, SSL_R_INVALID_SCT_LIST);

  870.     return 0;

  871.   }

  872. 

  873.   CRYPTO_BUFFER_free(cert->signed_cert_timestamp_list);

  874.   cert->signed_cert_timestamp_list =

  875.       CRYPTO_BUFFER_new(CBS_data(&sct_list), CBS_len(&sct_list), NULL);

  876.   return cert->signed_cert_timestamp_list != NULL;

  877. }

  878. 

  879. int SSL_CTX_set_signed_cert_timestamp_list(SSL_CTX *ctx, const uint8_t *list,

  880.                                            size_t list_len) {

  881.   return set_signed_cert_timestamp_list(ctx->cert, list, list_len);

  882. }

  883. 

  884. int SSL_set_signed_cert_timestamp_list(SSL *ssl, const uint8_t *list,

  885.                                        size_t list_len) {

  886.   return set_signed_cert_timestamp_list(ssl->cert, list, list_len);

  887. }

  888. 

  889. int SSL_CTX_set_ocsp_response(SSL_CTX *ctx, const uint8_t *response,

  890.                               size_t response_len) {

  891.   CRYPTO_BUFFER_free(ctx->cert->ocsp_response);

  892.   ctx->cert->ocsp_response = CRYPTO_BUFFER_new(response, response_len, NULL);

  893.   return ctx->cert->ocsp_response != NULL;

  894. }

  895. 

  896. int SSL_set_ocsp_response(SSL *ssl, const uint8_t *response,

  897.                           size_t response_len) {

  898.   CRYPTO_BUFFER_free(ssl->cert->ocsp_response);

  899.   ssl->cert->ocsp_response = CRYPTO_BUFFER_new(response, response_len, NULL);

  900.   return ssl->cert->ocsp_response != NULL;

  901. }

  902. 

  903. void SSL_CTX_set0_client_CAs(SSL_CTX *ctx, STACK_OF(CRYPTO_BUFFER) *name_list) {

  904.   ctx->x509_method->ssl_ctx_flush_cached_client_CA(ctx);

  905.   sk_CRYPTO_BUFFER_pop_free(ctx->client_CA, CRYPTO_BUFFER_free);

  906.   ctx->client_CA = name_list;

  907. }

  908. 

  909. void SSL_set0_client_CAs(SSL *ssl, STACK_OF(CRYPTO_BUFFER) *name_list) {

  910.   ssl->ctx->x509_method->ssl_flush_cached_client_CA(ssl);

  911.   sk_CRYPTO_BUFFER_pop_free(ssl->client_CA, CRYPTO_BUFFER_free);

  912.   ssl->client_CA = name_list;

  913. }