mirror of
https://github.com/openssl/openssl.git
synced 2024-12-03 05:41:46 +08:00
6f811d839f
Fixes #18854 Replace and deprecate the functions `TS_VERIFY_CTX_set_data`, `TS_VERIFY_CTX_set_store`, `TS_VERIFY_CTX_set_certs`, `TS_VERIFY_CTX_set_imprint` with new versions: `TS_VERIFY_CTX_set0_data`, `TS_VERIFY_CTX_set0_store`, `TS_VERIFY_CTX_set0_certs` and `TS_VERIFY_CTX_set0_imprint`. The previous functions had poorly documented memory handling, potentially leading to memory leaks. The new functions improve memory management and provide clearer usage. Also, update existing code to use the new function calls instead of the deprecated ones. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24701)
1040 lines
32 KiB
C
1040 lines
32 KiB
C
/*
|
|
* Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.
|
|
*
|
|
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
|
* this file except in compliance with the License. You can obtain a copy
|
|
* in the file LICENSE in the source distribution or at
|
|
* https://www.openssl.org/source/license.html
|
|
*/
|
|
|
|
#include <openssl/opensslconf.h>
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include "apps.h"
|
|
#include "progs.h"
|
|
#include <openssl/bio.h>
|
|
#include <openssl/err.h>
|
|
#include <openssl/pem.h>
|
|
#include <openssl/rand.h>
|
|
#include <openssl/ts.h>
|
|
#include <openssl/bn.h>
|
|
|
|
/* Request nonce length, in bits (must be a multiple of 8). */
|
|
#define NONCE_LENGTH 64
|
|
|
|
/* Name of config entry that defines the OID file. */
|
|
#define ENV_OID_FILE "oid_file"
|
|
|
|
/* Is |EXACTLY_ONE| of three pointers set? */
|
|
#define EXACTLY_ONE(a, b, c) \
|
|
(( a && !b && !c) || \
|
|
( b && !a && !c) || \
|
|
( c && !a && !b))
|
|
|
|
static ASN1_OBJECT *txt2obj(const char *oid);
|
|
static CONF *load_config_file(const char *configfile);
|
|
|
|
/* Query related functions. */
|
|
static int query_command(const char *data, const char *digest,
|
|
const EVP_MD *md, const char *policy, int no_nonce,
|
|
int cert, const char *in, const char *out, int text);
|
|
static TS_REQ *create_query(BIO *data_bio, const char *digest, const EVP_MD *md,
|
|
const char *policy, int no_nonce, int cert);
|
|
static int create_digest(BIO *input, const char *digest,
|
|
const EVP_MD *md, unsigned char **md_value);
|
|
static ASN1_INTEGER *create_nonce(int bits);
|
|
|
|
/* Reply related functions. */
|
|
static int reply_command(CONF *conf, const char *section, const char *engine,
|
|
const char *queryfile, const char *passin, const char *inkey,
|
|
const EVP_MD *md, const char *signer, const char *chain,
|
|
const char *policy, const char *in, int token_in,
|
|
const char *out, int token_out, int text);
|
|
static TS_RESP *read_PKCS7(BIO *in_bio);
|
|
static TS_RESP *create_response(CONF *conf, const char *section, const char *engine,
|
|
const char *queryfile, const char *passin,
|
|
const char *inkey, const EVP_MD *md, const char *signer,
|
|
const char *chain, const char *policy);
|
|
static ASN1_INTEGER *serial_cb(TS_RESP_CTX *ctx, void *data);
|
|
static ASN1_INTEGER *next_serial(const char *serialfile);
|
|
static int save_ts_serial(const char *serialfile, ASN1_INTEGER *serial);
|
|
|
|
/* Verify related functions. */
|
|
static int verify_command(const char *data, const char *digest, const char *queryfile,
|
|
const char *in, int token_in,
|
|
const char *CApath, const char *CAfile,
|
|
const char *CAstore,
|
|
char *untrusted, X509_VERIFY_PARAM *vpm);
|
|
static TS_VERIFY_CTX *create_verify_ctx(const char *data, const char *digest,
|
|
const char *queryfile,
|
|
const char *CApath, const char *CAfile,
|
|
const char *CAstore,
|
|
char *untrusted,
|
|
X509_VERIFY_PARAM *vpm);
|
|
static X509_STORE *create_cert_store(const char *CApath, const char *CAfile,
|
|
const char *CAstore, X509_VERIFY_PARAM *vpm);
|
|
static int verify_cb(int ok, X509_STORE_CTX *ctx);
|
|
|
|
typedef enum OPTION_choice {
|
|
OPT_COMMON,
|
|
OPT_ENGINE, OPT_CONFIG, OPT_SECTION, OPT_QUERY, OPT_DATA,
|
|
OPT_DIGEST, OPT_TSPOLICY, OPT_NO_NONCE, OPT_CERT,
|
|
OPT_IN, OPT_TOKEN_IN, OPT_OUT, OPT_TOKEN_OUT, OPT_TEXT,
|
|
OPT_REPLY, OPT_QUERYFILE, OPT_PASSIN, OPT_INKEY, OPT_SIGNER,
|
|
OPT_CHAIN, OPT_VERIFY, OPT_CAPATH, OPT_CAFILE, OPT_CASTORE, OPT_UNTRUSTED,
|
|
OPT_MD, OPT_V_ENUM, OPT_R_ENUM, OPT_PROV_ENUM
|
|
} OPTION_CHOICE;
|
|
|
|
const OPTIONS ts_options[] = {
|
|
OPT_SECTION("General"),
|
|
{"help", OPT_HELP, '-', "Display this summary"},
|
|
{"config", OPT_CONFIG, '<', "Configuration file"},
|
|
{"section", OPT_SECTION, 's', "Section to use within config file"},
|
|
#ifndef OPENSSL_NO_ENGINE
|
|
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
|
|
#endif
|
|
{"inkey", OPT_INKEY, 's', "File with private key for reply"},
|
|
{"signer", OPT_SIGNER, 's', "Signer certificate file"},
|
|
{"chain", OPT_CHAIN, '<', "File with signer CA chain"},
|
|
{"CAfile", OPT_CAFILE, '<', "File with trusted CA certs"},
|
|
{"CApath", OPT_CAPATH, '/', "Path to trusted CA files"},
|
|
{"CAstore", OPT_CASTORE, ':', "URI to trusted CA store"},
|
|
{"untrusted", OPT_UNTRUSTED, '<', "Extra untrusted certs"},
|
|
{"token_in", OPT_TOKEN_IN, '-', "Input is a PKCS#7 file"},
|
|
{"token_out", OPT_TOKEN_OUT, '-', "Output is a PKCS#7 file"},
|
|
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
|
|
{"", OPT_MD, '-', "Any supported digest"},
|
|
|
|
OPT_SECTION("Query"),
|
|
{"query", OPT_QUERY, '-', "Generate a TS query"},
|
|
{"data", OPT_DATA, '<', "File to hash"},
|
|
{"digest", OPT_DIGEST, 's', "Digest (as a hex string)"},
|
|
{"queryfile", OPT_QUERYFILE, '<', "File containing a TS query"},
|
|
{"cert", OPT_CERT, '-', "Put cert request into query"},
|
|
{"in", OPT_IN, '<', "Input file"},
|
|
|
|
OPT_SECTION("Verify"),
|
|
{"verify", OPT_VERIFY, '-', "Verify a TS response"},
|
|
{"reply", OPT_REPLY, '-', "Generate a TS reply"},
|
|
{"tspolicy", OPT_TSPOLICY, 's', "Policy OID to use"},
|
|
{"no_nonce", OPT_NO_NONCE, '-', "Do not include a nonce"},
|
|
{"out", OPT_OUT, '>', "Output file"},
|
|
{"text", OPT_TEXT, '-', "Output text (not DER)"},
|
|
|
|
OPT_R_OPTIONS,
|
|
OPT_V_OPTIONS,
|
|
OPT_PROV_OPTIONS,
|
|
{NULL}
|
|
};
|
|
|
|
/*
|
|
* This command is so complex, special help is needed.
|
|
*/
|
|
static char* opt_helplist[] = {
|
|
"",
|
|
"Typical uses:",
|
|
" openssl ts -query [-rand file...] [-config file] [-data file]",
|
|
" [-digest hexstring] [-tspolicy oid] [-no_nonce] [-cert]",
|
|
" [-in file] [-out file] [-text]",
|
|
"",
|
|
" openssl ts -reply [-config file] [-section tsa_section]",
|
|
" [-queryfile file] [-passin password]",
|
|
" [-signer tsa_cert.pem] [-inkey private_key.pem]",
|
|
" [-chain certs_file.pem] [-tspolicy oid]",
|
|
" [-in file] [-token_in] [-out file] [-token_out]",
|
|
#ifndef OPENSSL_NO_ENGINE
|
|
" [-text] [-engine id]",
|
|
#else
|
|
" [-text]",
|
|
#endif
|
|
"",
|
|
" openssl ts -verify -CApath dir -CAfile root-cert.pem -CAstore uri",
|
|
" -untrusted extra-certs.pem [-data file] [-digest hexstring]",
|
|
" [-queryfile request.tsq] -in response.tsr [-token_in] ...",
|
|
NULL,
|
|
};
|
|
|
|
int ts_main(int argc, char **argv)
|
|
{
|
|
CONF *conf = NULL;
|
|
const char *CAfile = NULL, *prog;
|
|
char *untrusted = NULL;
|
|
const char *configfile = default_config_file, *engine = NULL;
|
|
const char *section = NULL, *digestname = NULL;
|
|
char **helpp;
|
|
char *password = NULL;
|
|
char *data = NULL, *digest = NULL, *policy = NULL;
|
|
char *in = NULL, *out = NULL, *queryfile = NULL, *passin = NULL;
|
|
char *inkey = NULL, *signer = NULL, *chain = NULL, *CApath = NULL;
|
|
char *CAstore = NULL;
|
|
EVP_MD *md = NULL;
|
|
OPTION_CHOICE o, mode = OPT_ERR;
|
|
int ret = 1, no_nonce = 0, cert = 0, text = 0;
|
|
int vpmtouched = 0;
|
|
X509_VERIFY_PARAM *vpm = NULL;
|
|
/* Input is ContentInfo instead of TimeStampResp. */
|
|
int token_in = 0;
|
|
/* Output is ContentInfo instead of TimeStampResp. */
|
|
int token_out = 0;
|
|
|
|
if ((vpm = X509_VERIFY_PARAM_new()) == NULL)
|
|
goto end;
|
|
|
|
opt_set_unknown_name("digest");
|
|
prog = opt_init(argc, argv, ts_options);
|
|
while ((o = opt_next()) != OPT_EOF) {
|
|
switch (o) {
|
|
case OPT_EOF:
|
|
case OPT_ERR:
|
|
opthelp:
|
|
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
|
|
goto end;
|
|
case OPT_HELP:
|
|
opt_help(ts_options);
|
|
for (helpp = opt_helplist; *helpp; ++helpp)
|
|
BIO_printf(bio_err, "%s\n", *helpp);
|
|
ret = 0;
|
|
goto end;
|
|
case OPT_CONFIG:
|
|
configfile = opt_arg();
|
|
break;
|
|
case OPT_SECTION:
|
|
section = opt_arg();
|
|
break;
|
|
case OPT_QUERY:
|
|
case OPT_REPLY:
|
|
case OPT_VERIFY:
|
|
if (mode != OPT_ERR) {
|
|
BIO_printf(bio_err, "%s: Must give only one of -query, -reply, or -verify\n", prog);
|
|
goto opthelp;
|
|
}
|
|
mode = o;
|
|
break;
|
|
case OPT_DATA:
|
|
data = opt_arg();
|
|
break;
|
|
case OPT_DIGEST:
|
|
digest = opt_arg();
|
|
break;
|
|
case OPT_R_CASES:
|
|
if (!opt_rand(o))
|
|
goto end;
|
|
break;
|
|
case OPT_PROV_CASES:
|
|
if (!opt_provider(o))
|
|
goto end;
|
|
break;
|
|
case OPT_TSPOLICY:
|
|
policy = opt_arg();
|
|
break;
|
|
case OPT_NO_NONCE:
|
|
no_nonce = 1;
|
|
break;
|
|
case OPT_CERT:
|
|
cert = 1;
|
|
break;
|
|
case OPT_IN:
|
|
in = opt_arg();
|
|
break;
|
|
case OPT_TOKEN_IN:
|
|
token_in = 1;
|
|
break;
|
|
case OPT_OUT:
|
|
out = opt_arg();
|
|
break;
|
|
case OPT_TOKEN_OUT:
|
|
token_out = 1;
|
|
break;
|
|
case OPT_TEXT:
|
|
text = 1;
|
|
break;
|
|
case OPT_QUERYFILE:
|
|
queryfile = opt_arg();
|
|
break;
|
|
case OPT_PASSIN:
|
|
passin = opt_arg();
|
|
break;
|
|
case OPT_INKEY:
|
|
inkey = opt_arg();
|
|
break;
|
|
case OPT_SIGNER:
|
|
signer = opt_arg();
|
|
break;
|
|
case OPT_CHAIN:
|
|
chain = opt_arg();
|
|
break;
|
|
case OPT_CAPATH:
|
|
CApath = opt_arg();
|
|
break;
|
|
case OPT_CAFILE:
|
|
CAfile = opt_arg();
|
|
break;
|
|
case OPT_CASTORE:
|
|
CAstore = opt_arg();
|
|
break;
|
|
case OPT_UNTRUSTED:
|
|
untrusted = opt_arg();
|
|
break;
|
|
case OPT_ENGINE:
|
|
engine = opt_arg();
|
|
break;
|
|
case OPT_MD:
|
|
digestname = opt_unknown();
|
|
break;
|
|
case OPT_V_CASES:
|
|
if (!opt_verify(o, vpm))
|
|
goto end;
|
|
vpmtouched++;
|
|
break;
|
|
}
|
|
}
|
|
|
|
/* No extra arguments. */
|
|
if (!opt_check_rest_arg(NULL))
|
|
goto opthelp;
|
|
if (mode == OPT_ERR) {
|
|
BIO_printf(bio_err, "%s: Must give one of -query, -reply, or -verify\n", prog);
|
|
goto opthelp;
|
|
}
|
|
|
|
if (!app_RAND_load())
|
|
goto end;
|
|
|
|
if (!opt_md(digestname, &md))
|
|
goto opthelp;
|
|
if (mode == OPT_REPLY && passin &&
|
|
!app_passwd(passin, NULL, &password, NULL)) {
|
|
BIO_printf(bio_err, "Error getting password.\n");
|
|
goto end;
|
|
}
|
|
|
|
if ((conf = load_config_file(configfile)) == NULL)
|
|
goto end;
|
|
if (configfile != default_config_file && !app_load_modules(conf))
|
|
goto end;
|
|
|
|
/* Check parameter consistency and execute the appropriate function. */
|
|
if (mode == OPT_QUERY) {
|
|
if (vpmtouched)
|
|
goto opthelp;
|
|
if ((data != NULL) && (digest != NULL))
|
|
goto opthelp;
|
|
ret = !query_command(data, digest, md, policy, no_nonce, cert,
|
|
in, out, text);
|
|
} else if (mode == OPT_REPLY) {
|
|
if (vpmtouched)
|
|
goto opthelp;
|
|
if ((in != NULL) && (queryfile != NULL))
|
|
goto opthelp;
|
|
if (in == NULL) {
|
|
if ((conf == NULL) || (token_in != 0))
|
|
goto opthelp;
|
|
}
|
|
ret = !reply_command(conf, section, engine, queryfile,
|
|
password, inkey, md, signer, chain, policy,
|
|
in, token_in, out, token_out, text);
|
|
|
|
} else if (mode == OPT_VERIFY) {
|
|
if ((in == NULL) || !EXACTLY_ONE(queryfile, data, digest))
|
|
goto opthelp;
|
|
ret = !verify_command(data, digest, queryfile, in, token_in,
|
|
CApath, CAfile, CAstore, untrusted,
|
|
vpmtouched ? vpm : NULL);
|
|
} else {
|
|
goto opthelp;
|
|
}
|
|
|
|
end:
|
|
X509_VERIFY_PARAM_free(vpm);
|
|
EVP_MD_free(md);
|
|
NCONF_free(conf);
|
|
OPENSSL_free(password);
|
|
return ret;
|
|
}
|
|
|
|
/*
|
|
* Configuration file-related function definitions.
|
|
*/
|
|
|
|
static ASN1_OBJECT *txt2obj(const char *oid)
|
|
{
|
|
ASN1_OBJECT *oid_obj = NULL;
|
|
|
|
if ((oid_obj = OBJ_txt2obj(oid, 0)) == NULL)
|
|
BIO_printf(bio_err, "cannot convert %s to OID\n", oid);
|
|
|
|
return oid_obj;
|
|
}
|
|
|
|
static CONF *load_config_file(const char *configfile)
|
|
{
|
|
CONF *conf = app_load_config(configfile);
|
|
|
|
if (conf != NULL) {
|
|
const char *p;
|
|
|
|
BIO_printf(bio_err, "Using configuration from %s\n", configfile);
|
|
p = app_conf_try_string(conf, NULL, ENV_OID_FILE);
|
|
if (p != NULL) {
|
|
BIO *oid_bio = BIO_new_file(p, "r");
|
|
if (!oid_bio)
|
|
ERR_print_errors(bio_err);
|
|
else {
|
|
OBJ_create_objects(oid_bio);
|
|
BIO_free_all(oid_bio);
|
|
}
|
|
}
|
|
if (!add_oid_section(conf))
|
|
ERR_print_errors(bio_err);
|
|
}
|
|
return conf;
|
|
}
|
|
|
|
/*
|
|
* Query-related method definitions.
|
|
*/
|
|
static int query_command(const char *data, const char *digest, const EVP_MD *md,
|
|
const char *policy, int no_nonce,
|
|
int cert, const char *in, const char *out, int text)
|
|
{
|
|
int ret = 0;
|
|
TS_REQ *query = NULL;
|
|
BIO *in_bio = NULL;
|
|
BIO *data_bio = NULL;
|
|
BIO *out_bio = NULL;
|
|
|
|
/* Build query object. */
|
|
if (in != NULL) {
|
|
if ((in_bio = bio_open_default(in, 'r', FORMAT_ASN1)) == NULL)
|
|
goto end;
|
|
query = d2i_TS_REQ_bio(in_bio, NULL);
|
|
} else {
|
|
if (digest == NULL
|
|
&& (data_bio = bio_open_default(data, 'r', FORMAT_ASN1)) == NULL)
|
|
goto end;
|
|
query = create_query(data_bio, digest, md, policy, no_nonce, cert);
|
|
}
|
|
if (query == NULL)
|
|
goto end;
|
|
|
|
if (text) {
|
|
if ((out_bio = bio_open_default(out, 'w', FORMAT_TEXT)) == NULL)
|
|
goto end;
|
|
if (!TS_REQ_print_bio(out_bio, query))
|
|
goto end;
|
|
} else {
|
|
if ((out_bio = bio_open_default(out, 'w', FORMAT_ASN1)) == NULL)
|
|
goto end;
|
|
if (!i2d_TS_REQ_bio(out_bio, query))
|
|
goto end;
|
|
}
|
|
|
|
ret = 1;
|
|
|
|
end:
|
|
ERR_print_errors(bio_err);
|
|
BIO_free_all(in_bio);
|
|
BIO_free_all(data_bio);
|
|
BIO_free_all(out_bio);
|
|
TS_REQ_free(query);
|
|
return ret;
|
|
}
|
|
|
|
static TS_REQ *create_query(BIO *data_bio, const char *digest, const EVP_MD *md,
|
|
const char *policy, int no_nonce, int cert)
|
|
{
|
|
int ret = 0;
|
|
TS_REQ *ts_req = NULL;
|
|
int len;
|
|
TS_MSG_IMPRINT *msg_imprint = NULL;
|
|
X509_ALGOR *algo = NULL;
|
|
unsigned char *data = NULL;
|
|
ASN1_OBJECT *policy_obj = NULL;
|
|
ASN1_INTEGER *nonce_asn1 = NULL;
|
|
|
|
if (md == NULL && (md = EVP_get_digestbyname("sha256")) == NULL)
|
|
goto err;
|
|
if ((ts_req = TS_REQ_new()) == NULL)
|
|
goto err;
|
|
if (!TS_REQ_set_version(ts_req, 1))
|
|
goto err;
|
|
if ((msg_imprint = TS_MSG_IMPRINT_new()) == NULL)
|
|
goto err;
|
|
if ((algo = X509_ALGOR_new()) == NULL)
|
|
goto err;
|
|
if ((algo->algorithm = OBJ_nid2obj(EVP_MD_get_type(md))) == NULL)
|
|
goto err;
|
|
if ((algo->parameter = ASN1_TYPE_new()) == NULL)
|
|
goto err;
|
|
algo->parameter->type = V_ASN1_NULL;
|
|
if (!TS_MSG_IMPRINT_set_algo(msg_imprint, algo))
|
|
goto err;
|
|
if ((len = create_digest(data_bio, digest, md, &data)) == 0)
|
|
goto err;
|
|
if (!TS_MSG_IMPRINT_set_msg(msg_imprint, data, len))
|
|
goto err;
|
|
if (!TS_REQ_set_msg_imprint(ts_req, msg_imprint))
|
|
goto err;
|
|
if (policy && (policy_obj = txt2obj(policy)) == NULL)
|
|
goto err;
|
|
if (policy_obj && !TS_REQ_set_policy_id(ts_req, policy_obj))
|
|
goto err;
|
|
|
|
/* Setting nonce if requested. */
|
|
if (!no_nonce && (nonce_asn1 = create_nonce(NONCE_LENGTH)) == NULL)
|
|
goto err;
|
|
if (nonce_asn1 && !TS_REQ_set_nonce(ts_req, nonce_asn1))
|
|
goto err;
|
|
if (!TS_REQ_set_cert_req(ts_req, cert))
|
|
goto err;
|
|
|
|
ret = 1;
|
|
err:
|
|
if (!ret) {
|
|
TS_REQ_free(ts_req);
|
|
ts_req = NULL;
|
|
BIO_printf(bio_err, "could not create query\n");
|
|
ERR_print_errors(bio_err);
|
|
}
|
|
TS_MSG_IMPRINT_free(msg_imprint);
|
|
X509_ALGOR_free(algo);
|
|
OPENSSL_free(data);
|
|
ASN1_OBJECT_free(policy_obj);
|
|
ASN1_INTEGER_free(nonce_asn1);
|
|
return ts_req;
|
|
}
|
|
|
|
static int create_digest(BIO *input, const char *digest, const EVP_MD *md,
|
|
unsigned char **md_value)
|
|
{
|
|
int md_value_len;
|
|
int rv = 0;
|
|
EVP_MD_CTX *md_ctx = NULL;
|
|
|
|
md_value_len = EVP_MD_get_size(md);
|
|
if (md_value_len < 0)
|
|
return 0;
|
|
|
|
if (input != NULL) {
|
|
unsigned char buffer[4096];
|
|
int length;
|
|
|
|
md_ctx = EVP_MD_CTX_new();
|
|
if (md_ctx == NULL)
|
|
return 0;
|
|
*md_value = app_malloc(md_value_len, "digest buffer");
|
|
if (!EVP_DigestInit(md_ctx, md))
|
|
goto err;
|
|
while ((length = BIO_read(input, buffer, sizeof(buffer))) > 0) {
|
|
if (!EVP_DigestUpdate(md_ctx, buffer, length))
|
|
goto err;
|
|
}
|
|
if (!EVP_DigestFinal(md_ctx, *md_value, NULL))
|
|
goto err;
|
|
md_value_len = EVP_MD_get_size(md);
|
|
} else {
|
|
long digest_len;
|
|
|
|
*md_value = OPENSSL_hexstr2buf(digest, &digest_len);
|
|
if (*md_value == NULL || md_value_len != digest_len) {
|
|
BIO_printf(bio_err, "bad digest, %d bytes "
|
|
"must be specified\n", md_value_len);
|
|
goto err;
|
|
}
|
|
}
|
|
rv = md_value_len;
|
|
err:
|
|
if (rv <= 0) {
|
|
OPENSSL_free(*md_value);
|
|
*md_value = NULL;
|
|
rv = 0;
|
|
}
|
|
EVP_MD_CTX_free(md_ctx);
|
|
return rv;
|
|
}
|
|
|
|
static ASN1_INTEGER *create_nonce(int bits)
|
|
{
|
|
unsigned char buf[20];
|
|
ASN1_INTEGER *nonce = NULL;
|
|
int len = (bits - 1) / 8 + 1;
|
|
int i;
|
|
|
|
if (len > (int)sizeof(buf))
|
|
goto err;
|
|
if (RAND_bytes(buf, len) <= 0)
|
|
goto err;
|
|
|
|
/* Find the first non-zero byte and creating ASN1_INTEGER object. */
|
|
for (i = 0; i < len && !buf[i]; ++i)
|
|
continue;
|
|
if ((nonce = ASN1_INTEGER_new()) == NULL)
|
|
goto err;
|
|
OPENSSL_free(nonce->data);
|
|
nonce->length = len - i;
|
|
nonce->data = app_malloc(nonce->length + 1, "nonce buffer");
|
|
memcpy(nonce->data, buf + i, nonce->length);
|
|
return nonce;
|
|
|
|
err:
|
|
BIO_printf(bio_err, "could not create nonce\n");
|
|
ASN1_INTEGER_free(nonce);
|
|
return NULL;
|
|
}
|
|
|
|
/*
|
|
* Reply-related method definitions.
|
|
*/
|
|
|
|
static int reply_command(CONF *conf, const char *section, const char *engine,
|
|
const char *queryfile, const char *passin, const char *inkey,
|
|
const EVP_MD *md, const char *signer, const char *chain,
|
|
const char *policy, const char *in, int token_in,
|
|
const char *out, int token_out, int text)
|
|
{
|
|
int ret = 0;
|
|
TS_RESP *response = NULL;
|
|
BIO *in_bio = NULL;
|
|
BIO *query_bio = NULL;
|
|
BIO *inkey_bio = NULL;
|
|
BIO *signer_bio = NULL;
|
|
BIO *out_bio = NULL;
|
|
|
|
if (in != NULL) {
|
|
if ((in_bio = BIO_new_file(in, "rb")) == NULL)
|
|
goto end;
|
|
if (token_in) {
|
|
response = read_PKCS7(in_bio);
|
|
} else {
|
|
response = d2i_TS_RESP_bio(in_bio, NULL);
|
|
}
|
|
} else {
|
|
response = create_response(conf, section, engine, queryfile,
|
|
passin, inkey, md, signer, chain, policy);
|
|
if (response != NULL)
|
|
BIO_printf(bio_err, "Response has been generated.\n");
|
|
else
|
|
BIO_printf(bio_err, "Response is not generated.\n");
|
|
}
|
|
if (response == NULL)
|
|
goto end;
|
|
|
|
/* Write response. */
|
|
if (text) {
|
|
if ((out_bio = bio_open_default(out, 'w', FORMAT_TEXT)) == NULL)
|
|
goto end;
|
|
if (token_out) {
|
|
TS_TST_INFO *tst_info = TS_RESP_get_tst_info(response);
|
|
if (!TS_TST_INFO_print_bio(out_bio, tst_info))
|
|
goto end;
|
|
} else {
|
|
if (!TS_RESP_print_bio(out_bio, response))
|
|
goto end;
|
|
}
|
|
} else {
|
|
if ((out_bio = bio_open_default(out, 'w', FORMAT_ASN1)) == NULL)
|
|
goto end;
|
|
if (token_out) {
|
|
PKCS7 *token = TS_RESP_get_token(response);
|
|
if (!i2d_PKCS7_bio(out_bio, token))
|
|
goto end;
|
|
} else {
|
|
if (!i2d_TS_RESP_bio(out_bio, response))
|
|
goto end;
|
|
}
|
|
}
|
|
|
|
ret = 1;
|
|
|
|
end:
|
|
ERR_print_errors(bio_err);
|
|
BIO_free_all(in_bio);
|
|
BIO_free_all(query_bio);
|
|
BIO_free_all(inkey_bio);
|
|
BIO_free_all(signer_bio);
|
|
BIO_free_all(out_bio);
|
|
TS_RESP_free(response);
|
|
return ret;
|
|
}
|
|
|
|
/* Reads a PKCS7 token and adds default 'granted' status info to it. */
|
|
static TS_RESP *read_PKCS7(BIO *in_bio)
|
|
{
|
|
int ret = 0;
|
|
PKCS7 *token = NULL;
|
|
TS_TST_INFO *tst_info = NULL;
|
|
TS_RESP *resp = NULL;
|
|
TS_STATUS_INFO *si = NULL;
|
|
|
|
if ((token = d2i_PKCS7_bio(in_bio, NULL)) == NULL)
|
|
goto end;
|
|
if ((tst_info = PKCS7_to_TS_TST_INFO(token)) == NULL)
|
|
goto end;
|
|
if ((resp = TS_RESP_new()) == NULL)
|
|
goto end;
|
|
if ((si = TS_STATUS_INFO_new()) == NULL)
|
|
goto end;
|
|
if (!TS_STATUS_INFO_set_status(si, TS_STATUS_GRANTED))
|
|
goto end;
|
|
if (!TS_RESP_set_status_info(resp, si))
|
|
goto end;
|
|
TS_RESP_set_tst_info(resp, token, tst_info);
|
|
token = NULL; /* Ownership is lost. */
|
|
tst_info = NULL; /* Ownership is lost. */
|
|
ret = 1;
|
|
|
|
end:
|
|
PKCS7_free(token);
|
|
TS_TST_INFO_free(tst_info);
|
|
if (!ret) {
|
|
TS_RESP_free(resp);
|
|
resp = NULL;
|
|
}
|
|
TS_STATUS_INFO_free(si);
|
|
return resp;
|
|
}
|
|
|
|
static TS_RESP *create_response(CONF *conf, const char *section, const char *engine,
|
|
const char *queryfile, const char *passin,
|
|
const char *inkey, const EVP_MD *md, const char *signer,
|
|
const char *chain, const char *policy)
|
|
{
|
|
int ret = 0;
|
|
TS_RESP *response = NULL;
|
|
BIO *query_bio = NULL;
|
|
TS_RESP_CTX *resp_ctx = NULL;
|
|
|
|
if ((query_bio = BIO_new_file(queryfile, "rb")) == NULL)
|
|
goto end;
|
|
if ((section = TS_CONF_get_tsa_section(conf, section)) == NULL)
|
|
goto end;
|
|
if ((resp_ctx = TS_RESP_CTX_new()) == NULL)
|
|
goto end;
|
|
if (!TS_CONF_set_serial(conf, section, serial_cb, resp_ctx))
|
|
goto end;
|
|
#ifndef OPENSSL_NO_ENGINE
|
|
if (!TS_CONF_set_crypto_device(conf, section, engine))
|
|
goto end;
|
|
#endif
|
|
if (!TS_CONF_set_signer_cert(conf, section, signer, resp_ctx))
|
|
goto end;
|
|
if (!TS_CONF_set_certs(conf, section, chain, resp_ctx))
|
|
goto end;
|
|
if (!TS_CONF_set_signer_key(conf, section, inkey, passin, resp_ctx))
|
|
goto end;
|
|
|
|
if (md) {
|
|
if (!TS_RESP_CTX_set_signer_digest(resp_ctx, md))
|
|
goto end;
|
|
} else if (!TS_CONF_set_signer_digest(conf, section, NULL, resp_ctx)) {
|
|
goto end;
|
|
}
|
|
|
|
if (!TS_CONF_set_ess_cert_id_digest(conf, section, resp_ctx))
|
|
goto end;
|
|
if (!TS_CONF_set_def_policy(conf, section, policy, resp_ctx))
|
|
goto end;
|
|
if (!TS_CONF_set_policies(conf, section, resp_ctx))
|
|
goto end;
|
|
if (!TS_CONF_set_digests(conf, section, resp_ctx))
|
|
goto end;
|
|
if (!TS_CONF_set_accuracy(conf, section, resp_ctx))
|
|
goto end;
|
|
if (!TS_CONF_set_clock_precision_digits(conf, section, resp_ctx))
|
|
goto end;
|
|
if (!TS_CONF_set_ordering(conf, section, resp_ctx))
|
|
goto end;
|
|
if (!TS_CONF_set_tsa_name(conf, section, resp_ctx))
|
|
goto end;
|
|
if (!TS_CONF_set_ess_cert_id_chain(conf, section, resp_ctx))
|
|
goto end;
|
|
if ((response = TS_RESP_create_response(resp_ctx, query_bio)) == NULL)
|
|
goto end;
|
|
ret = 1;
|
|
|
|
end:
|
|
if (!ret) {
|
|
TS_RESP_free(response);
|
|
response = NULL;
|
|
}
|
|
TS_RESP_CTX_free(resp_ctx);
|
|
BIO_free_all(query_bio);
|
|
return response;
|
|
}
|
|
|
|
static ASN1_INTEGER *serial_cb(TS_RESP_CTX *ctx, void *data)
|
|
{
|
|
const char *serial_file = (const char *)data;
|
|
ASN1_INTEGER *serial = next_serial(serial_file);
|
|
|
|
if (serial == NULL) {
|
|
TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
|
|
"Error during serial number "
|
|
"generation.");
|
|
TS_RESP_CTX_add_failure_info(ctx, TS_INFO_ADD_INFO_NOT_AVAILABLE);
|
|
} else {
|
|
save_ts_serial(serial_file, serial);
|
|
}
|
|
|
|
return serial;
|
|
}
|
|
|
|
static ASN1_INTEGER *next_serial(const char *serialfile)
|
|
{
|
|
int ret = 0;
|
|
BIO *in = NULL;
|
|
ASN1_INTEGER *serial = NULL;
|
|
BIGNUM *bn = NULL;
|
|
|
|
if ((serial = ASN1_INTEGER_new()) == NULL)
|
|
goto err;
|
|
|
|
if ((in = BIO_new_file(serialfile, "r")) == NULL) {
|
|
ERR_clear_error();
|
|
BIO_printf(bio_err, "Warning: could not open file %s for "
|
|
"reading, using serial number: 1\n", serialfile);
|
|
if (!ASN1_INTEGER_set(serial, 1))
|
|
goto err;
|
|
} else {
|
|
char buf[1024];
|
|
if (!a2i_ASN1_INTEGER(in, serial, buf, sizeof(buf))) {
|
|
BIO_printf(bio_err, "unable to load number from %s\n",
|
|
serialfile);
|
|
goto err;
|
|
}
|
|
if ((bn = ASN1_INTEGER_to_BN(serial, NULL)) == NULL)
|
|
goto err;
|
|
ASN1_INTEGER_free(serial);
|
|
serial = NULL;
|
|
if (!BN_add_word(bn, 1))
|
|
goto err;
|
|
if ((serial = BN_to_ASN1_INTEGER(bn, NULL)) == NULL)
|
|
goto err;
|
|
}
|
|
ret = 1;
|
|
|
|
err:
|
|
if (!ret) {
|
|
ASN1_INTEGER_free(serial);
|
|
serial = NULL;
|
|
}
|
|
BIO_free_all(in);
|
|
BN_free(bn);
|
|
return serial;
|
|
}
|
|
|
|
static int save_ts_serial(const char *serialfile, ASN1_INTEGER *serial)
|
|
{
|
|
int ret = 0;
|
|
BIO *out = NULL;
|
|
|
|
if ((out = BIO_new_file(serialfile, "w")) == NULL)
|
|
goto err;
|
|
if (i2a_ASN1_INTEGER(out, serial) <= 0)
|
|
goto err;
|
|
if (BIO_puts(out, "\n") <= 0)
|
|
goto err;
|
|
ret = 1;
|
|
err:
|
|
if (!ret)
|
|
BIO_printf(bio_err, "could not save serial number to %s\n",
|
|
serialfile);
|
|
BIO_free_all(out);
|
|
return ret;
|
|
}
|
|
|
|
|
|
/*
|
|
* Verify-related method definitions.
|
|
*/
|
|
|
|
static int verify_command(const char *data, const char *digest, const char *queryfile,
|
|
const char *in, int token_in,
|
|
const char *CApath, const char *CAfile,
|
|
const char *CAstore, char *untrusted,
|
|
X509_VERIFY_PARAM *vpm)
|
|
{
|
|
BIO *in_bio = NULL;
|
|
PKCS7 *token = NULL;
|
|
TS_RESP *response = NULL;
|
|
TS_VERIFY_CTX *verify_ctx = NULL;
|
|
int ret = 0;
|
|
|
|
if ((in_bio = BIO_new_file(in, "rb")) == NULL)
|
|
goto end;
|
|
if (token_in) {
|
|
if ((token = d2i_PKCS7_bio(in_bio, NULL)) == NULL)
|
|
goto end;
|
|
} else {
|
|
if ((response = d2i_TS_RESP_bio(in_bio, NULL)) == NULL)
|
|
goto end;
|
|
}
|
|
|
|
if ((verify_ctx = create_verify_ctx(data, digest, queryfile,
|
|
CApath, CAfile, CAstore, untrusted,
|
|
vpm)) == NULL)
|
|
goto end;
|
|
|
|
ret = token_in
|
|
? TS_RESP_verify_token(verify_ctx, token)
|
|
: TS_RESP_verify_response(verify_ctx, response);
|
|
|
|
end:
|
|
printf("Verification: ");
|
|
if (ret)
|
|
printf("OK\n");
|
|
else {
|
|
printf("FAILED\n");
|
|
ERR_print_errors(bio_err);
|
|
}
|
|
|
|
BIO_free_all(in_bio);
|
|
PKCS7_free(token);
|
|
TS_RESP_free(response);
|
|
TS_VERIFY_CTX_free(verify_ctx);
|
|
return ret;
|
|
}
|
|
|
|
static TS_VERIFY_CTX *create_verify_ctx(const char *data, const char *digest,
|
|
const char *queryfile,
|
|
const char *CApath, const char *CAfile,
|
|
const char *CAstore,
|
|
char *untrusted,
|
|
X509_VERIFY_PARAM *vpm)
|
|
{
|
|
TS_VERIFY_CTX *ctx = NULL;
|
|
STACK_OF(X509) *certs;
|
|
BIO *input = NULL;
|
|
TS_REQ *request = NULL;
|
|
int ret = 0;
|
|
int f = 0;
|
|
|
|
if (data != NULL || digest != NULL) {
|
|
if ((ctx = TS_VERIFY_CTX_new()) == NULL)
|
|
goto err;
|
|
f = TS_VFY_VERSION | TS_VFY_SIGNER;
|
|
if (data != NULL) {
|
|
BIO *out = NULL;
|
|
|
|
f |= TS_VFY_DATA;
|
|
if ((out = BIO_new_file(data, "rb")) == NULL)
|
|
goto err;
|
|
if (!TS_VERIFY_CTX_set0_data(ctx, out)) {
|
|
BIO_free_all(out);
|
|
goto err;
|
|
}
|
|
} else if (digest != NULL) {
|
|
long imprint_len;
|
|
unsigned char *hexstr = OPENSSL_hexstr2buf(digest, &imprint_len);
|
|
f |= TS_VFY_IMPRINT;
|
|
if (!TS_VERIFY_CTX_set0_imprint(ctx, hexstr, imprint_len)) {
|
|
BIO_printf(bio_err, "invalid digest string\n");
|
|
goto err;
|
|
}
|
|
}
|
|
|
|
} else if (queryfile != NULL) {
|
|
if ((input = BIO_new_file(queryfile, "rb")) == NULL)
|
|
goto err;
|
|
if ((request = d2i_TS_REQ_bio(input, NULL)) == NULL)
|
|
goto err;
|
|
if ((ctx = TS_REQ_to_TS_VERIFY_CTX(request, NULL)) == NULL)
|
|
goto err;
|
|
} else {
|
|
return NULL;
|
|
}
|
|
|
|
/* Add the signature verification flag and arguments. */
|
|
TS_VERIFY_CTX_add_flags(ctx, f | TS_VFY_SIGNATURE);
|
|
|
|
/* Initialising the X509_STORE object. */
|
|
if (!TS_VERIFY_CTX_set0_store(ctx, create_cert_store(CApath, CAfile,
|
|
CAstore, vpm)))
|
|
goto err;
|
|
|
|
/* Loading any extra untrusted certificates. */
|
|
if (untrusted != NULL) {
|
|
certs = load_certs_multifile(untrusted, NULL, "extra untrusted certs",
|
|
vpm);
|
|
if (certs == NULL || !TS_VERIFY_CTX_set0_certs(ctx, certs))
|
|
goto err;
|
|
}
|
|
ret = 1;
|
|
|
|
err:
|
|
if (!ret) {
|
|
TS_VERIFY_CTX_free(ctx);
|
|
ctx = NULL;
|
|
}
|
|
BIO_free_all(input);
|
|
TS_REQ_free(request);
|
|
return ctx;
|
|
}
|
|
|
|
static X509_STORE *create_cert_store(const char *CApath, const char *CAfile,
|
|
const char *CAstore, X509_VERIFY_PARAM *vpm)
|
|
{
|
|
X509_STORE *cert_ctx = NULL;
|
|
X509_LOOKUP *lookup = NULL;
|
|
OSSL_LIB_CTX *libctx = app_get0_libctx();
|
|
const char *propq = app_get0_propq();
|
|
|
|
cert_ctx = X509_STORE_new();
|
|
if (cert_ctx == NULL) {
|
|
BIO_printf(bio_err, "memory allocation failure\n");
|
|
return NULL;
|
|
}
|
|
X509_STORE_set_verify_cb(cert_ctx, verify_cb);
|
|
if (CApath != NULL) {
|
|
lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_hash_dir());
|
|
if (lookup == NULL) {
|
|
BIO_printf(bio_err, "memory allocation failure\n");
|
|
goto err;
|
|
}
|
|
if (X509_LOOKUP_add_dir(lookup, CApath, X509_FILETYPE_PEM) <= 0) {
|
|
BIO_printf(bio_err, "Error loading directory %s\n", CApath);
|
|
goto err;
|
|
}
|
|
}
|
|
|
|
if (CAfile != NULL) {
|
|
lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_file());
|
|
if (lookup == NULL) {
|
|
BIO_printf(bio_err, "memory allocation failure\n");
|
|
goto err;
|
|
}
|
|
if (X509_LOOKUP_load_file_ex(lookup, CAfile, X509_FILETYPE_PEM, libctx,
|
|
propq) <= 0) {
|
|
BIO_printf(bio_err, "Error loading file %s\n", CAfile);
|
|
goto err;
|
|
}
|
|
}
|
|
|
|
if (CAstore != NULL) {
|
|
lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_store());
|
|
if (lookup == NULL) {
|
|
BIO_printf(bio_err, "memory allocation failure\n");
|
|
goto err;
|
|
}
|
|
if (X509_LOOKUP_load_store_ex(lookup, CAstore, libctx, propq) <= 0) {
|
|
BIO_printf(bio_err, "Error loading store URI %s\n", CAstore);
|
|
goto err;
|
|
}
|
|
}
|
|
|
|
if (vpm != NULL)
|
|
X509_STORE_set1_param(cert_ctx, vpm);
|
|
|
|
return cert_ctx;
|
|
|
|
err:
|
|
X509_STORE_free(cert_ctx);
|
|
return NULL;
|
|
}
|
|
|
|
static int verify_cb(int ok, X509_STORE_CTX *ctx)
|
|
{
|
|
return ok;
|
|
}
|