/src/openssl/crypto/ocsp/ocsp_vfy.c
Line | Count | Source |
1 | | /* |
2 | | * Copyright 2001-2024 The OpenSSL Project Authors. All Rights Reserved. |
3 | | * |
4 | | * Licensed under the Apache License 2.0 (the "License"). You may not use |
5 | | * this file except in compliance with the License. You can obtain a copy |
6 | | * in the file LICENSE in the source distribution or at |
7 | | * https://www.openssl.org/source/license.html |
8 | | */ |
9 | | |
10 | | #include <string.h> |
11 | | #include <openssl/ocsp.h> |
12 | | #include <openssl/err.h> |
13 | | #include "internal/sizes.h" |
14 | | #include "ocsp_local.h" |
15 | | |
16 | | static int ocsp_find_signer(const X509 **psigner, OCSP_BASICRESP *bs, |
17 | | const STACK_OF(X509) *certs, unsigned long flags); |
18 | | static const X509 *ocsp_find_signer_sk(const STACK_OF(X509) *certs, OCSP_RESPID *id); |
19 | | static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain); |
20 | | static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, |
21 | | OCSP_CERTID **ret); |
22 | | static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid, |
23 | | STACK_OF(OCSP_SINGLERESP) *sresp); |
24 | | static int ocsp_check_delegated(X509 *x); |
25 | | static int ocsp_req_find_signer(const X509 **psigner, OCSP_REQUEST *req, |
26 | | const X509_NAME *nm, const STACK_OF(X509) *certs, |
27 | | unsigned long flags); |
28 | | |
29 | | /* Returns 1 on success, 0 on failure, or -1 on fatal error */ |
30 | | static int ocsp_verify_signer(const X509 *signer, int response, |
31 | | X509_STORE *st, unsigned long flags, |
32 | | STACK_OF(X509) *untrusted, STACK_OF(X509) **chain) |
33 | 0 | { |
34 | 0 | X509_STORE_CTX *ctx = X509_STORE_CTX_new(); |
35 | 0 | X509_VERIFY_PARAM *vp; |
36 | 0 | int ret = -1; |
37 | |
|
38 | 0 | if (ctx == NULL) { |
39 | 0 | ERR_raise(ERR_LIB_OCSP, ERR_R_X509_LIB); |
40 | 0 | goto end; |
41 | 0 | } |
42 | | /* |
43 | | * TODO: The cast below can be dropped when #30076 lands |
44 | | */ |
45 | 0 | if (!X509_STORE_CTX_init(ctx, st, (X509 *)signer, untrusted)) { |
46 | 0 | ERR_raise(ERR_LIB_OCSP, ERR_R_X509_LIB); |
47 | 0 | goto end; |
48 | 0 | } |
49 | 0 | if ((vp = X509_STORE_CTX_get0_param(ctx)) == NULL) |
50 | 0 | goto end; |
51 | 0 | if ((flags & OCSP_PARTIAL_CHAIN) != 0) |
52 | 0 | X509_VERIFY_PARAM_set_flags(vp, X509_V_FLAG_PARTIAL_CHAIN); |
53 | 0 | if (response |
54 | 0 | && X509_get_ext_by_NID(signer, NID_id_pkix_OCSP_noCheck, -1) >= 0) |
55 | | /* |
56 | | * Locally disable revocation status checking for OCSP responder cert. |
57 | | * Done here for CRLs; should be done also for OCSP-based checks. |
58 | | */ |
59 | 0 | X509_VERIFY_PARAM_clear_flags(vp, X509_V_FLAG_CRL_CHECK); |
60 | 0 | X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_OCSP_HELPER); |
61 | 0 | X509_STORE_CTX_set_trust(ctx, X509_TRUST_OCSP_REQUEST); |
62 | |
|
63 | 0 | ret = X509_verify_cert(ctx); |
64 | 0 | if (ret <= 0) { |
65 | 0 | int err = X509_STORE_CTX_get_error(ctx); |
66 | |
|
67 | 0 | ERR_raise_data(ERR_LIB_OCSP, OCSP_R_CERTIFICATE_VERIFY_ERROR, |
68 | 0 | "Verify error: %s", X509_verify_cert_error_string(err)); |
69 | 0 | goto end; |
70 | 0 | } |
71 | 0 | if (chain != NULL) |
72 | 0 | *chain = X509_STORE_CTX_get1_chain(ctx); |
73 | |
|
74 | 0 | end: |
75 | 0 | X509_STORE_CTX_free(ctx); |
76 | 0 | return ret; |
77 | 0 | } |
78 | | |
79 | | static int ocsp_verify(OCSP_REQUEST *req, OCSP_BASICRESP *bs, |
80 | | const X509 *signer, unsigned long flags) |
81 | 0 | { |
82 | 0 | EVP_PKEY *skey; |
83 | 0 | int ret = 1; |
84 | |
|
85 | 0 | if ((flags & OCSP_NOSIGS) == 0) { |
86 | 0 | if ((skey = X509_get0_pubkey(signer)) == NULL) { |
87 | 0 | ERR_raise(ERR_LIB_OCSP, OCSP_R_NO_SIGNER_KEY); |
88 | 0 | return -1; |
89 | 0 | } |
90 | 0 | if (req != NULL) |
91 | 0 | ret = OCSP_REQUEST_verify(req, skey, signer->libctx, signer->propq); |
92 | 0 | else |
93 | 0 | ret = OCSP_BASICRESP_verify(bs, skey, signer->libctx, signer->propq); |
94 | 0 | if (ret <= 0) |
95 | 0 | ERR_raise(ERR_LIB_OCSP, OCSP_R_SIGNATURE_FAILURE); |
96 | 0 | } |
97 | 0 | return ret; |
98 | 0 | } |
99 | | |
100 | | /* Verify a basic response message */ |
101 | | int OCSP_basic_verify(OCSP_BASICRESP *bs, const STACK_OF(X509) *certs, |
102 | | X509_STORE *st, unsigned long flags) |
103 | 0 | { |
104 | 0 | const X509 *signer, *x; |
105 | 0 | STACK_OF(X509) *chain = NULL; |
106 | 0 | STACK_OF(X509) *untrusted = NULL; |
107 | 0 | int ret = ocsp_find_signer(&signer, bs, certs, flags); |
108 | |
|
109 | 0 | if (ret == 0) { |
110 | 0 | ERR_raise(ERR_LIB_OCSP, OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND); |
111 | 0 | goto end; |
112 | 0 | } |
113 | 0 | if ((ret == 2) && (flags & OCSP_TRUSTOTHER) != 0) |
114 | 0 | flags |= OCSP_NOVERIFY; |
115 | |
|
116 | 0 | if ((ret = ocsp_verify(NULL, bs, signer, flags)) <= 0) |
117 | 0 | goto end; |
118 | 0 | if ((flags & OCSP_NOVERIFY) == 0) { |
119 | 0 | ret = -1; |
120 | 0 | if ((flags & OCSP_NOCHAIN) == 0) { |
121 | 0 | if ((untrusted = sk_X509_dup(bs->certs)) == NULL) |
122 | 0 | goto end; |
123 | 0 | if (!X509_add_certs(untrusted, certs, X509_ADD_FLAG_DEFAULT)) |
124 | 0 | goto end; |
125 | 0 | } |
126 | 0 | ret = ocsp_verify_signer(signer, 1, st, flags, untrusted, &chain); |
127 | 0 | if (ret <= 0) |
128 | 0 | goto end; |
129 | 0 | if ((flags & OCSP_NOCHECKS) != 0) { |
130 | 0 | ret = 1; |
131 | 0 | goto end; |
132 | 0 | } |
133 | | /* |
134 | | * At this point we have a valid certificate chain need to verify it |
135 | | * against the OCSP issuer criteria. |
136 | | */ |
137 | 0 | ret = ocsp_check_issuer(bs, chain); |
138 | | |
139 | | /* If fatal error or valid match then finish */ |
140 | 0 | if (ret != 0) |
141 | 0 | goto end; |
142 | | |
143 | | /* |
144 | | * Easy case: explicitly trusted. Get root CA and check for explicit |
145 | | * trust |
146 | | */ |
147 | 0 | if ((flags & OCSP_NOEXPLICIT) != 0) |
148 | 0 | goto end; |
149 | | |
150 | 0 | x = sk_X509_value(chain, sk_X509_num(chain) - 1); |
151 | | /* |
152 | | * TODO: Cast below can be dropped when #30071 lands |
153 | | */ |
154 | 0 | if (X509_check_trust((X509 *)x, NID_OCSP_sign, 0) != X509_TRUST_TRUSTED) { |
155 | 0 | ERR_raise(ERR_LIB_OCSP, OCSP_R_ROOT_CA_NOT_TRUSTED); |
156 | 0 | ret = 0; |
157 | 0 | goto end; |
158 | 0 | } |
159 | 0 | ret = 1; |
160 | 0 | } |
161 | | |
162 | 0 | end: |
163 | 0 | OSSL_STACK_OF_X509_free(chain); |
164 | 0 | sk_X509_free(untrusted); |
165 | 0 | return ret; |
166 | 0 | } |
167 | | |
168 | | int OCSP_resp_get0_signer(OCSP_BASICRESP *bs, const X509 **signer, |
169 | | const STACK_OF(X509) *extra_certs) |
170 | 0 | { |
171 | 0 | return ocsp_find_signer(signer, bs, extra_certs, 0) > 0; |
172 | 0 | } |
173 | | |
174 | | static int ocsp_find_signer(const X509 **psigner, OCSP_BASICRESP *bs, |
175 | | const STACK_OF(X509) *certs, unsigned long flags) |
176 | 0 | { |
177 | 0 | const X509 *signer; |
178 | 0 | OCSP_RESPID *rid = &bs->tbsResponseData.responderId; |
179 | |
|
180 | 0 | if ((signer = ocsp_find_signer_sk(certs, rid)) != NULL) { |
181 | 0 | *psigner = signer; |
182 | 0 | return 2; |
183 | 0 | } |
184 | 0 | if ((flags & OCSP_NOINTERN) == 0 && (signer = ocsp_find_signer_sk(bs->certs, rid))) { |
185 | 0 | *psigner = signer; |
186 | 0 | return 1; |
187 | 0 | } |
188 | | /* Maybe lookup from store if by subject name */ |
189 | | |
190 | 0 | *psigner = NULL; |
191 | 0 | return 0; |
192 | 0 | } |
193 | | |
194 | | static const X509 *ocsp_find_signer_sk(const STACK_OF(X509) *certs, OCSP_RESPID *id) |
195 | 0 | { |
196 | 0 | int i, r; |
197 | 0 | unsigned char tmphash[SHA_DIGEST_LENGTH], *keyhash; |
198 | 0 | EVP_MD *md; |
199 | 0 | X509 *x; |
200 | | |
201 | | /* Easy if lookup by name */ |
202 | 0 | if (id->type == V_OCSP_RESPID_NAME) |
203 | 0 | return X509_find_by_subject(certs, id->value.byName); |
204 | | |
205 | | /* Lookup by key hash */ |
206 | | |
207 | | /* If key hash isn't SHA1 length then forget it */ |
208 | 0 | if (id->value.byKey->length != SHA_DIGEST_LENGTH) |
209 | 0 | return NULL; |
210 | 0 | keyhash = id->value.byKey->data; |
211 | | /* Calculate hash of each key and compare */ |
212 | 0 | for (i = 0; i < sk_X509_num(certs); i++) { |
213 | 0 | if ((x = sk_X509_value(certs, i)) != NULL) { |
214 | 0 | if ((md = EVP_MD_fetch(x->libctx, SN_sha1, x->propq)) == NULL) |
215 | 0 | break; |
216 | 0 | r = X509_pubkey_digest(x, md, tmphash, NULL); |
217 | 0 | EVP_MD_free(md); |
218 | 0 | if (!r) |
219 | 0 | break; |
220 | 0 | if (memcmp(keyhash, tmphash, SHA_DIGEST_LENGTH) == 0) |
221 | 0 | return x; |
222 | 0 | } |
223 | 0 | } |
224 | 0 | return NULL; |
225 | 0 | } |
226 | | |
227 | | static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain) |
228 | 0 | { |
229 | 0 | STACK_OF(OCSP_SINGLERESP) *sresp = bs->tbsResponseData.responses; |
230 | 0 | X509 *signer, *sca; |
231 | 0 | OCSP_CERTID *caid = NULL; |
232 | 0 | int ret; |
233 | |
|
234 | 0 | if (sk_X509_num(chain) <= 0) { |
235 | 0 | ERR_raise(ERR_LIB_OCSP, OCSP_R_NO_CERTIFICATES_IN_CHAIN); |
236 | 0 | return -1; |
237 | 0 | } |
238 | | |
239 | | /* See if the issuer IDs match. */ |
240 | 0 | ret = ocsp_check_ids(sresp, &caid); |
241 | | |
242 | | /* If ID mismatch or other error then return */ |
243 | 0 | if (ret <= 0) |
244 | 0 | return ret; |
245 | | |
246 | 0 | signer = sk_X509_value(chain, 0); |
247 | | /* Check to see if OCSP responder CA matches request CA */ |
248 | 0 | if (sk_X509_num(chain) > 1) { |
249 | 0 | sca = sk_X509_value(chain, 1); |
250 | 0 | ret = ocsp_match_issuerid(sca, caid, sresp); |
251 | 0 | if (ret < 0) |
252 | 0 | return ret; |
253 | 0 | if (ret != 0) { |
254 | | /* We have a match, if extensions OK then success */ |
255 | 0 | if (ocsp_check_delegated(signer)) |
256 | 0 | return 1; |
257 | 0 | return 0; |
258 | 0 | } |
259 | 0 | } |
260 | | |
261 | | /* Otherwise check if OCSP request signed directly by request CA */ |
262 | 0 | return ocsp_match_issuerid(signer, caid, sresp); |
263 | 0 | } |
264 | | |
265 | | /* |
266 | | * Check the issuer certificate IDs for equality. If there is a mismatch with |
267 | | * the same algorithm then there's no point trying to match any certificates |
268 | | * against the issuer. If the issuer IDs all match then we just need to check |
269 | | * equality against one of them. |
270 | | */ |
271 | | |
272 | | static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret) |
273 | 0 | { |
274 | 0 | OCSP_CERTID *tmpid, *cid; |
275 | 0 | int i, idcount; |
276 | |
|
277 | 0 | idcount = sk_OCSP_SINGLERESP_num(sresp); |
278 | 0 | if (idcount <= 0) { |
279 | 0 | ERR_raise(ERR_LIB_OCSP, OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA); |
280 | 0 | return -1; |
281 | 0 | } |
282 | | |
283 | 0 | cid = sk_OCSP_SINGLERESP_value(sresp, 0)->certId; |
284 | |
|
285 | 0 | *ret = NULL; |
286 | 0 | for (i = 1; i < idcount; i++) { |
287 | 0 | tmpid = sk_OCSP_SINGLERESP_value(sresp, i)->certId; |
288 | | /* Check to see if IDs match */ |
289 | 0 | if (OCSP_id_issuer_cmp(cid, tmpid)) { |
290 | | /* If algorithm mismatch let caller deal with it */ |
291 | 0 | if (OBJ_cmp(tmpid->hashAlgorithm.algorithm, |
292 | 0 | cid->hashAlgorithm.algorithm)) |
293 | 0 | return 2; |
294 | | /* Else mismatch */ |
295 | 0 | return 0; |
296 | 0 | } |
297 | 0 | } |
298 | | |
299 | | /* All IDs match: only need to check one ID */ |
300 | 0 | *ret = cid; |
301 | 0 | return 1; |
302 | 0 | } |
303 | | |
304 | | /* |
305 | | * Match the certificate issuer ID. |
306 | | * Returns -1 on fatal error, 0 if there is no match and 1 if there is a match. |
307 | | */ |
308 | | static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid, |
309 | | STACK_OF(OCSP_SINGLERESP) *sresp) |
310 | 0 | { |
311 | 0 | int ret = -1; |
312 | 0 | EVP_MD *dgst = NULL; |
313 | | |
314 | | /* If only one ID to match then do it */ |
315 | 0 | if (cid != NULL) { |
316 | 0 | char name[OSSL_MAX_NAME_SIZE]; |
317 | 0 | const X509_NAME *iname; |
318 | 0 | int mdlen; |
319 | 0 | unsigned char md[EVP_MAX_MD_SIZE]; |
320 | |
|
321 | 0 | OBJ_obj2txt(name, sizeof(name), cid->hashAlgorithm.algorithm, 0); |
322 | |
|
323 | 0 | dgst = EVP_MD_fetch(NULL, name, NULL); |
324 | 0 | if (dgst == NULL) { |
325 | 0 | ERR_raise(ERR_LIB_OCSP, OCSP_R_UNKNOWN_MESSAGE_DIGEST); |
326 | 0 | goto end; |
327 | 0 | } |
328 | | |
329 | 0 | mdlen = EVP_MD_get_size(dgst); |
330 | 0 | if (mdlen <= 0) { |
331 | 0 | ERR_raise(ERR_LIB_OCSP, OCSP_R_DIGEST_SIZE_ERR); |
332 | 0 | goto end; |
333 | 0 | } |
334 | 0 | if (cid->issuerNameHash.length != mdlen || cid->issuerKeyHash.length != mdlen) { |
335 | 0 | ret = 0; |
336 | 0 | goto end; |
337 | 0 | } |
338 | 0 | iname = X509_get_subject_name(cert); |
339 | 0 | if (!X509_NAME_digest(iname, dgst, md, NULL)) |
340 | 0 | goto end; |
341 | 0 | if (memcmp(md, cid->issuerNameHash.data, mdlen) != 0) { |
342 | 0 | ret = 0; |
343 | 0 | goto end; |
344 | 0 | } |
345 | 0 | if (!X509_pubkey_digest(cert, dgst, md, NULL)) { |
346 | 0 | ERR_raise(ERR_LIB_OCSP, OCSP_R_DIGEST_ERR); |
347 | 0 | goto end; |
348 | 0 | } |
349 | 0 | ret = memcmp(md, cid->issuerKeyHash.data, mdlen) == 0; |
350 | 0 | goto end; |
351 | 0 | } else { |
352 | | /* We have to match the whole lot */ |
353 | 0 | int i; |
354 | 0 | OCSP_CERTID *tmpid; |
355 | |
|
356 | 0 | for (i = 0; i < sk_OCSP_SINGLERESP_num(sresp); i++) { |
357 | 0 | tmpid = sk_OCSP_SINGLERESP_value(sresp, i)->certId; |
358 | 0 | ret = ocsp_match_issuerid(cert, tmpid, NULL); |
359 | 0 | if (ret <= 0) |
360 | 0 | return ret; |
361 | 0 | } |
362 | 0 | } |
363 | 0 | return 1; |
364 | 0 | end: |
365 | 0 | EVP_MD_free(dgst); |
366 | 0 | return ret; |
367 | 0 | } |
368 | | |
369 | | static int ocsp_check_delegated(X509 *x) |
370 | 0 | { |
371 | 0 | if ((X509_get_extension_flags(x) & EXFLAG_XKUSAGE) |
372 | 0 | && (X509_get_extended_key_usage(x) & XKU_OCSP_SIGN)) |
373 | 0 | return 1; |
374 | 0 | ERR_raise(ERR_LIB_OCSP, OCSP_R_MISSING_OCSPSIGNING_USAGE); |
375 | 0 | return 0; |
376 | 0 | } |
377 | | |
378 | | /* |
379 | | * Verify an OCSP request. This is much easier than OCSP response verify. |
380 | | * Just find the signer's certificate and verify it against a given trust value. |
381 | | * Returns 1 on success, 0 on failure and on fatal error. |
382 | | */ |
383 | | int OCSP_request_verify(OCSP_REQUEST *req, const STACK_OF(X509) *certs, |
384 | | X509_STORE *store, unsigned long flags) |
385 | 0 | { |
386 | 0 | const X509 *signer; |
387 | 0 | const X509_NAME *nm; |
388 | 0 | GENERAL_NAME *gen; |
389 | 0 | int ret; |
390 | |
|
391 | 0 | if (!req->optionalSignature) { |
392 | 0 | ERR_raise(ERR_LIB_OCSP, OCSP_R_REQUEST_NOT_SIGNED); |
393 | 0 | return 0; |
394 | 0 | } |
395 | 0 | gen = req->tbsRequest.requestorName; |
396 | 0 | if (!gen || gen->type != GEN_DIRNAME) { |
397 | 0 | ERR_raise(ERR_LIB_OCSP, OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE); |
398 | 0 | return 0; /* not returning -1 here for backward compatibility*/ |
399 | 0 | } |
400 | 0 | nm = gen->d.directoryName; |
401 | 0 | ret = ocsp_req_find_signer(&signer, req, nm, certs, flags); |
402 | 0 | if (ret <= 0) { |
403 | 0 | ERR_raise(ERR_LIB_OCSP, OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND); |
404 | 0 | return 0; /* not returning -1 here for backward compatibility*/ |
405 | 0 | } |
406 | 0 | if ((ret == 2) && (flags & OCSP_TRUSTOTHER) != 0) |
407 | 0 | flags |= OCSP_NOVERIFY; |
408 | |
|
409 | 0 | if ((ret = ocsp_verify(req, NULL, signer, flags)) <= 0) |
410 | 0 | return 0; /* not returning 'ret' here for backward compatibility*/ |
411 | 0 | if ((flags & OCSP_NOVERIFY) != 0) |
412 | 0 | return 1; |
413 | 0 | return ocsp_verify_signer(signer, 0, store, flags, |
414 | 0 | (flags & OCSP_NOCHAIN) != 0 ? NULL : req->optionalSignature->certs, NULL) |
415 | 0 | > 0; |
416 | | /* using '> 0' here to avoid breaking backward compatibility returning -1 */ |
417 | 0 | } |
418 | | |
419 | | static int ocsp_req_find_signer(const X509 **psigner, OCSP_REQUEST *req, |
420 | | const X509_NAME *nm, const STACK_OF(X509) *certs, |
421 | | unsigned long flags) |
422 | 0 | { |
423 | 0 | const X509 *signer; |
424 | |
|
425 | 0 | if ((flags & OCSP_NOINTERN) == 0) { |
426 | 0 | signer = X509_find_by_subject(req->optionalSignature->certs, nm); |
427 | 0 | if (signer != NULL) { |
428 | 0 | *psigner = signer; |
429 | 0 | return 1; |
430 | 0 | } |
431 | 0 | } |
432 | | |
433 | 0 | if ((signer = X509_find_by_subject(certs, nm)) != NULL) { |
434 | 0 | *psigner = signer; |
435 | 0 | return 2; |
436 | 0 | } |
437 | 0 | return 0; |
438 | 0 | } |