/src/openssl30/crypto/ocsp/ocsp_vfy.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved. |
3 | | * |
4 | | * Licensed under the Apache License 2.0 (the "License"). You may not use |
5 | | * this file except in compliance with the License. You can obtain a copy |
6 | | * in the file LICENSE in the source distribution or at |
7 | | * https://www.openssl.org/source/license.html |
8 | | */ |
9 | | |
10 | | #include <string.h> |
11 | | #include <openssl/ocsp.h> |
12 | | #include <openssl/err.h> |
13 | | #include "internal/sizes.h" |
14 | | #include "ocsp_local.h" |
15 | | |
16 | | static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, |
17 | | STACK_OF(X509) *certs, unsigned long flags); |
18 | | static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id); |
19 | | static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain); |
20 | | static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, |
21 | | OCSP_CERTID **ret); |
22 | | static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid, |
23 | | STACK_OF(OCSP_SINGLERESP) *sresp); |
24 | | static int ocsp_check_delegated(X509 *x); |
25 | | static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req, |
26 | | const X509_NAME *nm, STACK_OF(X509) *certs, |
27 | | unsigned long flags); |
28 | | |
29 | | /* Returns 1 on success, 0 on failure, or -1 on fatal error */ |
30 | | static int ocsp_verify_signer(X509 *signer, int response, |
31 | | X509_STORE *st, unsigned long flags, |
32 | | STACK_OF(X509) *untrusted, STACK_OF(X509) **chain) |
33 | 48 | { |
34 | 48 | X509_STORE_CTX *ctx = X509_STORE_CTX_new(); |
35 | 48 | X509_VERIFY_PARAM *vp; |
36 | 48 | int ret = -1; |
37 | | |
38 | 48 | if (ctx == NULL) { |
39 | 0 | ERR_raise(ERR_LIB_OCSP, ERR_R_MALLOC_FAILURE); |
40 | 0 | goto end; |
41 | 0 | } |
42 | 48 | if (!X509_STORE_CTX_init(ctx, st, signer, untrusted)) { |
43 | 0 | ERR_raise(ERR_LIB_OCSP, ERR_R_X509_LIB); |
44 | 0 | goto end; |
45 | 0 | } |
46 | 48 | if ((vp = X509_STORE_CTX_get0_param(ctx)) == NULL) |
47 | 0 | goto end; |
48 | 48 | if ((flags & OCSP_PARTIAL_CHAIN) != 0) |
49 | 48 | X509_VERIFY_PARAM_set_flags(vp, X509_V_FLAG_PARTIAL_CHAIN); |
50 | 48 | if (response |
51 | 48 | && X509_get_ext_by_NID(signer, NID_id_pkix_OCSP_noCheck, -1) >= 0) |
52 | | /* |
53 | | * Locally disable revocation status checking for OCSP responder cert. |
54 | | * Done here for CRLs; should be done also for OCSP-based checks. |
55 | | */ |
56 | 0 | X509_VERIFY_PARAM_clear_flags(vp, X509_V_FLAG_CRL_CHECK); |
57 | 48 | X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_OCSP_HELPER); |
58 | 48 | X509_STORE_CTX_set_trust(ctx, X509_TRUST_OCSP_REQUEST); |
59 | | |
60 | 48 | ret = X509_verify_cert(ctx); |
61 | 48 | if (ret <= 0) { |
62 | 0 | int err = X509_STORE_CTX_get_error(ctx); |
63 | |
|
64 | 0 | ERR_raise_data(ERR_LIB_OCSP, OCSP_R_CERTIFICATE_VERIFY_ERROR, |
65 | 0 | "Verify error: %s", X509_verify_cert_error_string(err)); |
66 | 0 | goto end; |
67 | 0 | } |
68 | 48 | if (chain != NULL) |
69 | 48 | *chain = X509_STORE_CTX_get1_chain(ctx); |
70 | | |
71 | 48 | end: |
72 | 48 | X509_STORE_CTX_free(ctx); |
73 | 48 | return ret; |
74 | 48 | } |
75 | | |
76 | | static int ocsp_verify(OCSP_REQUEST *req, OCSP_BASICRESP *bs, |
77 | | X509 *signer, unsigned long flags) |
78 | 85 | { |
79 | 85 | EVP_PKEY *skey; |
80 | 85 | int ret = 1; |
81 | | |
82 | 85 | if ((flags & OCSP_NOSIGS) == 0) { |
83 | 85 | if ((skey = X509_get0_pubkey(signer)) == NULL) { |
84 | 3 | ERR_raise(ERR_LIB_OCSP, OCSP_R_NO_SIGNER_KEY); |
85 | 3 | return -1; |
86 | 3 | } |
87 | 82 | if (req != NULL) |
88 | 0 | ret = OCSP_REQUEST_verify(req, skey, signer->libctx, signer->propq); |
89 | 82 | else |
90 | 82 | ret = OCSP_BASICRESP_verify(bs, skey, signer->libctx, signer->propq); |
91 | 82 | if (ret <= 0) |
92 | 82 | ERR_raise(ERR_LIB_OCSP, OCSP_R_SIGNATURE_FAILURE); |
93 | 82 | } |
94 | 82 | return ret; |
95 | 85 | } |
96 | | |
97 | | /* Verify a basic response message */ |
98 | | int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, |
99 | | X509_STORE *st, unsigned long flags) |
100 | 87 | { |
101 | 87 | X509 *signer, *x; |
102 | 87 | STACK_OF(X509) *chain = NULL; |
103 | 87 | STACK_OF(X509) *untrusted = NULL; |
104 | 87 | int ret = ocsp_find_signer(&signer, bs, certs, flags); |
105 | | |
106 | 87 | if (ret == 0) { |
107 | 2 | ERR_raise(ERR_LIB_OCSP, OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND); |
108 | 2 | goto end; |
109 | 2 | } |
110 | 85 | if ((ret == 2) && (flags & OCSP_TRUSTOTHER) != 0) |
111 | 0 | flags |= OCSP_NOVERIFY; |
112 | | |
113 | 85 | if ((ret = ocsp_verify(NULL, bs, signer, flags)) <= 0) |
114 | 37 | goto end; |
115 | 48 | if ((flags & OCSP_NOVERIFY) == 0) { |
116 | 48 | ret = -1; |
117 | 48 | if ((flags & OCSP_NOCHAIN) == 0) { |
118 | 48 | if ((untrusted = sk_X509_dup(bs->certs)) == NULL) |
119 | 0 | goto end; |
120 | 48 | if (!X509_add_certs(untrusted, certs, X509_ADD_FLAG_DEFAULT)) |
121 | 0 | goto end; |
122 | 48 | } |
123 | 48 | ret = ocsp_verify_signer(signer, 1, st, flags, untrusted, &chain); |
124 | 48 | if (ret <= 0) |
125 | 0 | goto end; |
126 | 48 | if ((flags & OCSP_NOCHECKS) != 0) { |
127 | 0 | ret = 1; |
128 | 0 | goto end; |
129 | 0 | } |
130 | | /* |
131 | | * At this point we have a valid certificate chain need to verify it |
132 | | * against the OCSP issuer criteria. |
133 | | */ |
134 | 48 | ret = ocsp_check_issuer(bs, chain); |
135 | | |
136 | | /* If fatal error or valid match then finish */ |
137 | 48 | if (ret != 0) |
138 | 0 | goto end; |
139 | | |
140 | | /* |
141 | | * Easy case: explicitly trusted. Get root CA and check for explicit |
142 | | * trust |
143 | | */ |
144 | 48 | if ((flags & OCSP_NOEXPLICIT) != 0) |
145 | 0 | goto end; |
146 | | |
147 | 48 | x = sk_X509_value(chain, sk_X509_num(chain) - 1); |
148 | 48 | if (X509_check_trust(x, NID_OCSP_sign, 0) != X509_TRUST_TRUSTED) { |
149 | 48 | ERR_raise(ERR_LIB_OCSP, OCSP_R_ROOT_CA_NOT_TRUSTED); |
150 | 48 | ret = 0; |
151 | 48 | goto end; |
152 | 48 | } |
153 | 0 | ret = 1; |
154 | 0 | } |
155 | | |
156 | 87 | end: |
157 | 87 | sk_X509_pop_free(chain, X509_free); |
158 | 87 | sk_X509_free(untrusted); |
159 | 87 | return ret; |
160 | 48 | } |
161 | | |
162 | | int OCSP_resp_get0_signer(OCSP_BASICRESP *bs, X509 **signer, |
163 | | STACK_OF(X509) *extra_certs) |
164 | 0 | { |
165 | 0 | return ocsp_find_signer(signer, bs, extra_certs, 0) > 0; |
166 | 0 | } |
167 | | |
168 | | static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, |
169 | | STACK_OF(X509) *certs, unsigned long flags) |
170 | 87 | { |
171 | 87 | X509 *signer; |
172 | 87 | OCSP_RESPID *rid = &bs->tbsResponseData.responderId; |
173 | | |
174 | 87 | if ((signer = ocsp_find_signer_sk(certs, rid)) != NULL) { |
175 | 1 | *psigner = signer; |
176 | 1 | return 2; |
177 | 1 | } |
178 | 86 | if ((flags & OCSP_NOINTERN) == 0 && |
179 | 86 | (signer = ocsp_find_signer_sk(bs->certs, rid))) { |
180 | 84 | *psigner = signer; |
181 | 84 | return 1; |
182 | 84 | } |
183 | | /* Maybe lookup from store if by subject name */ |
184 | | |
185 | 2 | *psigner = NULL; |
186 | 2 | return 0; |
187 | 86 | } |
188 | | |
189 | | static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id) |
190 | 173 | { |
191 | 173 | int i, r; |
192 | 173 | unsigned char tmphash[SHA_DIGEST_LENGTH], *keyhash; |
193 | 173 | EVP_MD *md; |
194 | 173 | X509 *x; |
195 | | |
196 | | /* Easy if lookup by name */ |
197 | 173 | if (id->type == V_OCSP_RESPID_NAME) |
198 | 173 | return X509_find_by_subject(certs, id->value.byName); |
199 | | |
200 | | /* Lookup by key hash */ |
201 | | |
202 | | /* If key hash isn't SHA1 length then forget it */ |
203 | 0 | if (id->value.byKey->length != SHA_DIGEST_LENGTH) |
204 | 0 | return NULL; |
205 | 0 | keyhash = id->value.byKey->data; |
206 | | /* Calculate hash of each key and compare */ |
207 | 0 | for (i = 0; i < sk_X509_num(certs); i++) { |
208 | 0 | if ((x = sk_X509_value(certs, i)) != NULL) { |
209 | 0 | if ((md = EVP_MD_fetch(x->libctx, SN_sha1, x->propq)) == NULL) |
210 | 0 | break; |
211 | 0 | r = X509_pubkey_digest(x, md, tmphash, NULL); |
212 | 0 | EVP_MD_free(md); |
213 | 0 | if (!r) |
214 | 0 | break; |
215 | 0 | if (memcmp(keyhash, tmphash, SHA_DIGEST_LENGTH) == 0) |
216 | 0 | return x; |
217 | 0 | } |
218 | 0 | } |
219 | 0 | return NULL; |
220 | 0 | } |
221 | | |
222 | | static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain) |
223 | 48 | { |
224 | 48 | STACK_OF(OCSP_SINGLERESP) *sresp = bs->tbsResponseData.responses; |
225 | 48 | X509 *signer, *sca; |
226 | 48 | OCSP_CERTID *caid = NULL; |
227 | 48 | int ret; |
228 | | |
229 | 48 | if (sk_X509_num(chain) <= 0) { |
230 | 0 | ERR_raise(ERR_LIB_OCSP, OCSP_R_NO_CERTIFICATES_IN_CHAIN); |
231 | 0 | return -1; |
232 | 0 | } |
233 | | |
234 | | /* See if the issuer IDs match. */ |
235 | 48 | ret = ocsp_check_ids(sresp, &caid); |
236 | | |
237 | | /* If ID mismatch or other error then return */ |
238 | 48 | if (ret <= 0) |
239 | 0 | return ret; |
240 | | |
241 | 48 | signer = sk_X509_value(chain, 0); |
242 | | /* Check to see if OCSP responder CA matches request CA */ |
243 | 48 | if (sk_X509_num(chain) > 1) { |
244 | 26 | sca = sk_X509_value(chain, 1); |
245 | 26 | ret = ocsp_match_issuerid(sca, caid, sresp); |
246 | 26 | if (ret < 0) |
247 | 0 | return ret; |
248 | 26 | if (ret != 0) { |
249 | | /* We have a match, if extensions OK then success */ |
250 | 8 | if (ocsp_check_delegated(signer)) |
251 | 0 | return 1; |
252 | 8 | return 0; |
253 | 8 | } |
254 | 26 | } |
255 | | |
256 | | /* Otherwise check if OCSP request signed directly by request CA */ |
257 | 40 | return ocsp_match_issuerid(signer, caid, sresp); |
258 | 48 | } |
259 | | |
260 | | /* |
261 | | * Check the issuer certificate IDs for equality. If there is a mismatch with |
262 | | * the same algorithm then there's no point trying to match any certificates |
263 | | * against the issuer. If the issuer IDs all match then we just need to check |
264 | | * equality against one of them. |
265 | | */ |
266 | | |
267 | | static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret) |
268 | 48 | { |
269 | 48 | OCSP_CERTID *tmpid, *cid; |
270 | 48 | int i, idcount; |
271 | | |
272 | 48 | idcount = sk_OCSP_SINGLERESP_num(sresp); |
273 | 48 | if (idcount <= 0) { |
274 | 0 | ERR_raise(ERR_LIB_OCSP, OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA); |
275 | 0 | return -1; |
276 | 0 | } |
277 | | |
278 | 48 | cid = sk_OCSP_SINGLERESP_value(sresp, 0)->certId; |
279 | | |
280 | 48 | *ret = NULL; |
281 | 48 | for (i = 1; i < idcount; i++) { |
282 | 0 | tmpid = sk_OCSP_SINGLERESP_value(sresp, i)->certId; |
283 | | /* Check to see if IDs match */ |
284 | 0 | if (OCSP_id_issuer_cmp(cid, tmpid)) { |
285 | | /* If algorithm mismatch let caller deal with it */ |
286 | 0 | if (OBJ_cmp(tmpid->hashAlgorithm.algorithm, |
287 | 0 | cid->hashAlgorithm.algorithm)) |
288 | 0 | return 2; |
289 | | /* Else mismatch */ |
290 | 0 | return 0; |
291 | 0 | } |
292 | 0 | } |
293 | | |
294 | | /* All IDs match: only need to check one ID */ |
295 | 48 | *ret = cid; |
296 | 48 | return 1; |
297 | 48 | } |
298 | | |
299 | | /* |
300 | | * Match the certificate issuer ID. |
301 | | * Returns -1 on fatal error, 0 if there is no match and 1 if there is a match. |
302 | | */ |
303 | | static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid, |
304 | | STACK_OF(OCSP_SINGLERESP) *sresp) |
305 | 66 | { |
306 | 66 | int ret = -1; |
307 | 66 | EVP_MD *dgst = NULL; |
308 | | |
309 | | /* If only one ID to match then do it */ |
310 | 66 | if (cid != NULL) { |
311 | 66 | char name[OSSL_MAX_NAME_SIZE]; |
312 | 66 | const X509_NAME *iname; |
313 | 66 | int mdlen; |
314 | 66 | unsigned char md[EVP_MAX_MD_SIZE]; |
315 | | |
316 | 66 | OBJ_obj2txt(name, sizeof(name), cid->hashAlgorithm.algorithm, 0); |
317 | | |
318 | 66 | (void)ERR_set_mark(); |
319 | 66 | dgst = EVP_MD_fetch(NULL, name, NULL); |
320 | 66 | if (dgst == NULL) |
321 | 0 | dgst = (EVP_MD *)EVP_get_digestbyname(name); |
322 | | |
323 | 66 | if (dgst == NULL) { |
324 | 0 | (void)ERR_clear_last_mark(); |
325 | 0 | ERR_raise(ERR_LIB_OCSP, OCSP_R_UNKNOWN_MESSAGE_DIGEST); |
326 | 0 | goto end; |
327 | 0 | } |
328 | 66 | (void)ERR_pop_to_mark(); |
329 | | |
330 | 66 | mdlen = EVP_MD_get_size(dgst); |
331 | 66 | if (mdlen < 0) { |
332 | 0 | ERR_raise(ERR_LIB_OCSP, OCSP_R_DIGEST_SIZE_ERR); |
333 | 0 | goto end; |
334 | 0 | } |
335 | 66 | if (cid->issuerNameHash.length != mdlen || |
336 | 66 | cid->issuerKeyHash.length != mdlen) { |
337 | 0 | ret = 0; |
338 | 0 | goto end; |
339 | 0 | } |
340 | 66 | iname = X509_get_subject_name(cert); |
341 | 66 | if (!X509_NAME_digest(iname, dgst, md, NULL)) |
342 | 0 | goto end; |
343 | 66 | if (memcmp(md, cid->issuerNameHash.data, mdlen) != 0) { |
344 | 43 | ret = 0; |
345 | 43 | goto end; |
346 | 43 | } |
347 | 23 | if (!X509_pubkey_digest(cert, dgst, md, NULL)) { |
348 | 0 | ERR_raise(ERR_LIB_OCSP, OCSP_R_DIGEST_ERR); |
349 | 0 | goto end; |
350 | 0 | } |
351 | 23 | ret = memcmp(md, cid->issuerKeyHash.data, mdlen) == 0; |
352 | 23 | goto end; |
353 | 23 | } else { |
354 | | /* We have to match the whole lot */ |
355 | 0 | int i; |
356 | 0 | OCSP_CERTID *tmpid; |
357 | |
|
358 | 0 | for (i = 0; i < sk_OCSP_SINGLERESP_num(sresp); i++) { |
359 | 0 | tmpid = sk_OCSP_SINGLERESP_value(sresp, i)->certId; |
360 | 0 | ret = ocsp_match_issuerid(cert, tmpid, NULL); |
361 | 0 | if (ret <= 0) |
362 | 0 | return ret; |
363 | 0 | } |
364 | 0 | } |
365 | 0 | return 1; |
366 | 66 | end: |
367 | 66 | EVP_MD_free(dgst); |
368 | 66 | return ret; |
369 | 66 | } |
370 | | |
371 | | static int ocsp_check_delegated(X509 *x) |
372 | 8 | { |
373 | 8 | if ((X509_get_extension_flags(x) & EXFLAG_XKUSAGE) |
374 | 8 | && (X509_get_extended_key_usage(x) & XKU_OCSP_SIGN)) |
375 | 0 | return 1; |
376 | 8 | ERR_raise(ERR_LIB_OCSP, OCSP_R_MISSING_OCSPSIGNING_USAGE); |
377 | 8 | return 0; |
378 | 8 | } |
379 | | |
380 | | /* |
381 | | * Verify an OCSP request. This is much easier than OCSP response verify. |
382 | | * Just find the signer's certificate and verify it against a given trust value. |
383 | | * Returns 1 on success, 0 on failure and on fatal error. |
384 | | */ |
385 | | int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, |
386 | | X509_STORE *store, unsigned long flags) |
387 | 0 | { |
388 | 0 | X509 *signer; |
389 | 0 | const X509_NAME *nm; |
390 | 0 | GENERAL_NAME *gen; |
391 | 0 | int ret; |
392 | |
|
393 | 0 | if (!req->optionalSignature) { |
394 | 0 | ERR_raise(ERR_LIB_OCSP, OCSP_R_REQUEST_NOT_SIGNED); |
395 | 0 | return 0; |
396 | 0 | } |
397 | 0 | gen = req->tbsRequest.requestorName; |
398 | 0 | if (!gen || gen->type != GEN_DIRNAME) { |
399 | 0 | ERR_raise(ERR_LIB_OCSP, OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE); |
400 | 0 | return 0; /* not returning -1 here for backward compatibility*/ |
401 | 0 | } |
402 | 0 | nm = gen->d.directoryName; |
403 | 0 | ret = ocsp_req_find_signer(&signer, req, nm, certs, flags); |
404 | 0 | if (ret <= 0) { |
405 | 0 | ERR_raise(ERR_LIB_OCSP, OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND); |
406 | 0 | return 0; /* not returning -1 here for backward compatibility*/ |
407 | 0 | } |
408 | 0 | if ((ret == 2) && (flags & OCSP_TRUSTOTHER) != 0) |
409 | 0 | flags |= OCSP_NOVERIFY; |
410 | |
|
411 | 0 | if ((ret = ocsp_verify(req, NULL, signer, flags)) <= 0) |
412 | 0 | return 0; /* not returning 'ret' here for backward compatibility*/ |
413 | 0 | if ((flags & OCSP_NOVERIFY) != 0) |
414 | 0 | return 1; |
415 | 0 | return ocsp_verify_signer(signer, 0, store, flags, |
416 | 0 | (flags & OCSP_NOCHAIN) != 0 ? |
417 | 0 | NULL : req->optionalSignature->certs, NULL) > 0; |
418 | | /* using '> 0' here to avoid breaking backward compatibility returning -1 */ |
419 | 0 | } |
420 | | |
421 | | static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req, |
422 | | const X509_NAME *nm, STACK_OF(X509) *certs, |
423 | | unsigned long flags) |
424 | 0 | { |
425 | 0 | X509 *signer; |
426 | |
|
427 | 0 | if ((flags & OCSP_NOINTERN) == 0) { |
428 | 0 | signer = X509_find_by_subject(req->optionalSignature->certs, nm); |
429 | 0 | if (signer != NULL) { |
430 | 0 | *psigner = signer; |
431 | 0 | return 1; |
432 | 0 | } |
433 | 0 | } |
434 | | |
435 | 0 | if ((signer = X509_find_by_subject(certs, nm)) != NULL) { |
436 | 0 | *psigner = signer; |
437 | 0 | return 2; |
438 | 0 | } |
439 | 0 | return 0; |
440 | 0 | } |