/src/openssl/crypto/x509/x509_cmp.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. |
3 | | * |
4 | | * Licensed under the OpenSSL license (the "License"). You may not use |
5 | | * this file except in compliance with the License. You can obtain a copy |
6 | | * in the file LICENSE in the source distribution or at |
7 | | * https://www.openssl.org/source/license.html |
8 | | */ |
9 | | |
10 | | #include <stdio.h> |
11 | | #include "internal/cryptlib.h" |
12 | | #include <openssl/asn1.h> |
13 | | #include <openssl/objects.h> |
14 | | #include <openssl/x509.h> |
15 | | #include <openssl/x509v3.h> |
16 | | #include "internal/x509_int.h" |
17 | | |
18 | | int X509_issuer_and_serial_cmp(const X509 *a, const X509 *b) |
19 | 0 | { |
20 | 0 | int i; |
21 | 0 | const X509_CINF *ai, *bi; |
22 | 0 |
|
23 | 0 | ai = &a->cert_info; |
24 | 0 | bi = &b->cert_info; |
25 | 0 | i = ASN1_INTEGER_cmp(&ai->serialNumber, &bi->serialNumber); |
26 | 0 | if (i) |
27 | 0 | return i; |
28 | 0 | return X509_NAME_cmp(ai->issuer, bi->issuer); |
29 | 0 | } |
30 | | |
31 | | #ifndef OPENSSL_NO_MD5 |
32 | | unsigned long X509_issuer_and_serial_hash(X509 *a) |
33 | 0 | { |
34 | 0 | unsigned long ret = 0; |
35 | 0 | EVP_MD_CTX *ctx = EVP_MD_CTX_new(); |
36 | 0 | unsigned char md[16]; |
37 | 0 | char *f; |
38 | 0 |
|
39 | 0 | if (ctx == NULL) |
40 | 0 | goto err; |
41 | 0 | f = X509_NAME_oneline(a->cert_info.issuer, NULL, 0); |
42 | 0 | if (!EVP_DigestInit_ex(ctx, EVP_md5(), NULL)) |
43 | 0 | goto err; |
44 | 0 | if (!EVP_DigestUpdate(ctx, (unsigned char *)f, strlen(f))) |
45 | 0 | goto err; |
46 | 0 | OPENSSL_free(f); |
47 | 0 | if (!EVP_DigestUpdate |
48 | 0 | (ctx, (unsigned char *)a->cert_info.serialNumber.data, |
49 | 0 | (unsigned long)a->cert_info.serialNumber.length)) |
50 | 0 | goto err; |
51 | 0 | if (!EVP_DigestFinal_ex(ctx, &(md[0]), NULL)) |
52 | 0 | goto err; |
53 | 0 | ret = (((unsigned long)md[0]) | ((unsigned long)md[1] << 8L) | |
54 | 0 | ((unsigned long)md[2] << 16L) | ((unsigned long)md[3] << 24L) |
55 | 0 | ) & 0xffffffffL; |
56 | 0 | err: |
57 | 0 | EVP_MD_CTX_free(ctx); |
58 | 0 | return ret; |
59 | 0 | } |
60 | | #endif |
61 | | |
62 | | int X509_issuer_name_cmp(const X509 *a, const X509 *b) |
63 | 0 | { |
64 | 0 | return X509_NAME_cmp(a->cert_info.issuer, b->cert_info.issuer); |
65 | 0 | } |
66 | | |
67 | | int X509_subject_name_cmp(const X509 *a, const X509 *b) |
68 | 0 | { |
69 | 0 | return X509_NAME_cmp(a->cert_info.subject, b->cert_info.subject); |
70 | 0 | } |
71 | | |
72 | | int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b) |
73 | 0 | { |
74 | 0 | return X509_NAME_cmp(a->crl.issuer, b->crl.issuer); |
75 | 0 | } |
76 | | |
77 | | int X509_CRL_match(const X509_CRL *a, const X509_CRL *b) |
78 | 0 | { |
79 | 0 | return memcmp(a->sha1_hash, b->sha1_hash, 20); |
80 | 0 | } |
81 | | |
82 | | X509_NAME *X509_get_issuer_name(const X509 *a) |
83 | 0 | { |
84 | 0 | return a->cert_info.issuer; |
85 | 0 | } |
86 | | |
87 | | unsigned long X509_issuer_name_hash(X509 *x) |
88 | 0 | { |
89 | 0 | return X509_NAME_hash(x->cert_info.issuer); |
90 | 0 | } |
91 | | |
92 | | #ifndef OPENSSL_NO_MD5 |
93 | | unsigned long X509_issuer_name_hash_old(X509 *x) |
94 | 0 | { |
95 | 0 | return X509_NAME_hash_old(x->cert_info.issuer); |
96 | 0 | } |
97 | | #endif |
98 | | |
99 | | X509_NAME *X509_get_subject_name(const X509 *a) |
100 | 0 | { |
101 | 0 | return a->cert_info.subject; |
102 | 0 | } |
103 | | |
104 | | ASN1_INTEGER *X509_get_serialNumber(X509 *a) |
105 | 0 | { |
106 | 0 | return &a->cert_info.serialNumber; |
107 | 0 | } |
108 | | |
109 | | const ASN1_INTEGER *X509_get0_serialNumber(const X509 *a) |
110 | 0 | { |
111 | 0 | return &a->cert_info.serialNumber; |
112 | 0 | } |
113 | | |
114 | | unsigned long X509_subject_name_hash(X509 *x) |
115 | 0 | { |
116 | 0 | return X509_NAME_hash(x->cert_info.subject); |
117 | 0 | } |
118 | | |
119 | | #ifndef OPENSSL_NO_MD5 |
120 | | unsigned long X509_subject_name_hash_old(X509 *x) |
121 | 0 | { |
122 | 0 | return X509_NAME_hash_old(x->cert_info.subject); |
123 | 0 | } |
124 | | #endif |
125 | | |
126 | | /* |
127 | | * Compare two certificates: they must be identical for this to work. NB: |
128 | | * Although "cmp" operations are generally prototyped to take "const" |
129 | | * arguments (eg. for use in STACKs), the way X509 handling is - these |
130 | | * operations may involve ensuring the hashes are up-to-date and ensuring |
131 | | * certain cert information is cached. So this is the point where the |
132 | | * "depth-first" constification tree has to halt with an evil cast. |
133 | | */ |
134 | | int X509_cmp(const X509 *a, const X509 *b) |
135 | 0 | { |
136 | 0 | int rv; |
137 | 0 | /* ensure hash is valid */ |
138 | 0 | X509_check_purpose((X509 *)a, -1, 0); |
139 | 0 | X509_check_purpose((X509 *)b, -1, 0); |
140 | 0 |
|
141 | 0 | rv = memcmp(a->sha1_hash, b->sha1_hash, SHA_DIGEST_LENGTH); |
142 | 0 | if (rv) |
143 | 0 | return rv; |
144 | 0 | /* Check for match against stored encoding too */ |
145 | 0 | if (!a->cert_info.enc.modified && !b->cert_info.enc.modified) { |
146 | 0 | if (a->cert_info.enc.len < b->cert_info.enc.len) |
147 | 0 | return -1; |
148 | 0 | if (a->cert_info.enc.len > b->cert_info.enc.len) |
149 | 0 | return 1; |
150 | 0 | return memcmp(a->cert_info.enc.enc, b->cert_info.enc.enc, |
151 | 0 | a->cert_info.enc.len); |
152 | 0 | } |
153 | 0 | return rv; |
154 | 0 | } |
155 | | |
156 | | int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b) |
157 | 0 | { |
158 | 0 | int ret; |
159 | 0 |
|
160 | 0 | /* Ensure canonical encoding is present and up to date */ |
161 | 0 |
|
162 | 0 | if (!a->canon_enc || a->modified) { |
163 | 0 | ret = i2d_X509_NAME((X509_NAME *)a, NULL); |
164 | 0 | if (ret < 0) |
165 | 0 | return -2; |
166 | 0 | } |
167 | 0 | |
168 | 0 | if (!b->canon_enc || b->modified) { |
169 | 0 | ret = i2d_X509_NAME((X509_NAME *)b, NULL); |
170 | 0 | if (ret < 0) |
171 | 0 | return -2; |
172 | 0 | } |
173 | 0 | |
174 | 0 | ret = a->canon_enclen - b->canon_enclen; |
175 | 0 |
|
176 | 0 | if (ret != 0 || a->canon_enclen == 0) |
177 | 0 | return ret; |
178 | 0 | |
179 | 0 | return memcmp(a->canon_enc, b->canon_enc, a->canon_enclen); |
180 | 0 |
|
181 | 0 | } |
182 | | |
183 | | unsigned long X509_NAME_hash(X509_NAME *x) |
184 | 0 | { |
185 | 0 | unsigned long ret = 0; |
186 | 0 | unsigned char md[SHA_DIGEST_LENGTH]; |
187 | 0 |
|
188 | 0 | /* Make sure X509_NAME structure contains valid cached encoding */ |
189 | 0 | i2d_X509_NAME(x, NULL); |
190 | 0 | if (!EVP_Digest(x->canon_enc, x->canon_enclen, md, NULL, EVP_sha1(), |
191 | 0 | NULL)) |
192 | 0 | return 0; |
193 | 0 | |
194 | 0 | ret = (((unsigned long)md[0]) | ((unsigned long)md[1] << 8L) | |
195 | 0 | ((unsigned long)md[2] << 16L) | ((unsigned long)md[3] << 24L) |
196 | 0 | ) & 0xffffffffL; |
197 | 0 | return ret; |
198 | 0 | } |
199 | | |
200 | | #ifndef OPENSSL_NO_MD5 |
201 | | /* |
202 | | * I now DER encode the name and hash it. Since I cache the DER encoding, |
203 | | * this is reasonably efficient. |
204 | | */ |
205 | | |
206 | | unsigned long X509_NAME_hash_old(X509_NAME *x) |
207 | 0 | { |
208 | 0 | EVP_MD_CTX *md_ctx = EVP_MD_CTX_new(); |
209 | 0 | unsigned long ret = 0; |
210 | 0 | unsigned char md[16]; |
211 | 0 |
|
212 | 0 | if (md_ctx == NULL) |
213 | 0 | return ret; |
214 | 0 | |
215 | 0 | /* Make sure X509_NAME structure contains valid cached encoding */ |
216 | 0 | i2d_X509_NAME(x, NULL); |
217 | 0 | EVP_MD_CTX_set_flags(md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); |
218 | 0 | if (EVP_DigestInit_ex(md_ctx, EVP_md5(), NULL) |
219 | 0 | && EVP_DigestUpdate(md_ctx, x->bytes->data, x->bytes->length) |
220 | 0 | && EVP_DigestFinal_ex(md_ctx, md, NULL)) |
221 | 0 | ret = (((unsigned long)md[0]) | ((unsigned long)md[1] << 8L) | |
222 | 0 | ((unsigned long)md[2] << 16L) | ((unsigned long)md[3] << 24L) |
223 | 0 | ) & 0xffffffffL; |
224 | 0 | EVP_MD_CTX_free(md_ctx); |
225 | 0 |
|
226 | 0 | return ret; |
227 | 0 | } |
228 | | #endif |
229 | | |
230 | | /* Search a stack of X509 for a match */ |
231 | | X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk, X509_NAME *name, |
232 | | ASN1_INTEGER *serial) |
233 | 0 | { |
234 | 0 | int i; |
235 | 0 | X509 x, *x509 = NULL; |
236 | 0 |
|
237 | 0 | if (!sk) |
238 | 0 | return NULL; |
239 | 0 | |
240 | 0 | x.cert_info.serialNumber = *serial; |
241 | 0 | x.cert_info.issuer = name; |
242 | 0 |
|
243 | 0 | for (i = 0; i < sk_X509_num(sk); i++) { |
244 | 0 | x509 = sk_X509_value(sk, i); |
245 | 0 | if (X509_issuer_and_serial_cmp(x509, &x) == 0) |
246 | 0 | return x509; |
247 | 0 | } |
248 | 0 | return NULL; |
249 | 0 | } |
250 | | |
251 | | X509 *X509_find_by_subject(STACK_OF(X509) *sk, X509_NAME *name) |
252 | 0 | { |
253 | 0 | X509 *x509; |
254 | 0 | int i; |
255 | 0 |
|
256 | 0 | for (i = 0; i < sk_X509_num(sk); i++) { |
257 | 0 | x509 = sk_X509_value(sk, i); |
258 | 0 | if (X509_NAME_cmp(X509_get_subject_name(x509), name) == 0) |
259 | 0 | return x509; |
260 | 0 | } |
261 | 0 | return NULL; |
262 | 0 | } |
263 | | |
264 | | EVP_PKEY *X509_get0_pubkey(const X509 *x) |
265 | 0 | { |
266 | 0 | if (x == NULL) |
267 | 0 | return NULL; |
268 | 0 | return X509_PUBKEY_get0(x->cert_info.key); |
269 | 0 | } |
270 | | |
271 | | EVP_PKEY *X509_get_pubkey(X509 *x) |
272 | 0 | { |
273 | 0 | if (x == NULL) |
274 | 0 | return NULL; |
275 | 0 | return X509_PUBKEY_get(x->cert_info.key); |
276 | 0 | } |
277 | | |
278 | | int X509_check_private_key(const X509 *x, const EVP_PKEY *k) |
279 | 0 | { |
280 | 0 | const EVP_PKEY *xk; |
281 | 0 | int ret; |
282 | 0 |
|
283 | 0 | xk = X509_get0_pubkey(x); |
284 | 0 |
|
285 | 0 | if (xk) |
286 | 0 | ret = EVP_PKEY_cmp(xk, k); |
287 | 0 | else |
288 | 0 | ret = -2; |
289 | 0 |
|
290 | 0 | switch (ret) { |
291 | 0 | case 1: |
292 | 0 | break; |
293 | 0 | case 0: |
294 | 0 | X509err(X509_F_X509_CHECK_PRIVATE_KEY, X509_R_KEY_VALUES_MISMATCH); |
295 | 0 | break; |
296 | 0 | case -1: |
297 | 0 | X509err(X509_F_X509_CHECK_PRIVATE_KEY, X509_R_KEY_TYPE_MISMATCH); |
298 | 0 | break; |
299 | 0 | case -2: |
300 | 0 | X509err(X509_F_X509_CHECK_PRIVATE_KEY, X509_R_UNKNOWN_KEY_TYPE); |
301 | 0 | } |
302 | 0 | if (ret > 0) |
303 | 0 | return 1; |
304 | 0 | return 0; |
305 | 0 | } |
306 | | |
307 | | /* |
308 | | * Check a suite B algorithm is permitted: pass in a public key and the NID |
309 | | * of its signature (or 0 if no signature). The pflags is a pointer to a |
310 | | * flags field which must contain the suite B verification flags. |
311 | | */ |
312 | | |
313 | | #ifndef OPENSSL_NO_EC |
314 | | |
315 | | static int check_suite_b(EVP_PKEY *pkey, int sign_nid, unsigned long *pflags) |
316 | 0 | { |
317 | 0 | const EC_GROUP *grp = NULL; |
318 | 0 | int curve_nid; |
319 | 0 | if (pkey && EVP_PKEY_id(pkey) == EVP_PKEY_EC) |
320 | 0 | grp = EC_KEY_get0_group(EVP_PKEY_get0_EC_KEY(pkey)); |
321 | 0 | if (!grp) |
322 | 0 | return X509_V_ERR_SUITE_B_INVALID_ALGORITHM; |
323 | 0 | curve_nid = EC_GROUP_get_curve_name(grp); |
324 | 0 | /* Check curve is consistent with LOS */ |
325 | 0 | if (curve_nid == NID_secp384r1) { /* P-384 */ |
326 | 0 | /* |
327 | 0 | * Check signature algorithm is consistent with curve. |
328 | 0 | */ |
329 | 0 | if (sign_nid != -1 && sign_nid != NID_ecdsa_with_SHA384) |
330 | 0 | return X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM; |
331 | 0 | if (!(*pflags & X509_V_FLAG_SUITEB_192_LOS)) |
332 | 0 | return X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED; |
333 | 0 | /* If we encounter P-384 we cannot use P-256 later */ |
334 | 0 | *pflags &= ~X509_V_FLAG_SUITEB_128_LOS_ONLY; |
335 | 0 | } else if (curve_nid == NID_X9_62_prime256v1) { /* P-256 */ |
336 | 0 | if (sign_nid != -1 && sign_nid != NID_ecdsa_with_SHA256) |
337 | 0 | return X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM; |
338 | 0 | if (!(*pflags & X509_V_FLAG_SUITEB_128_LOS_ONLY)) |
339 | 0 | return X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED; |
340 | 0 | } else |
341 | 0 | return X509_V_ERR_SUITE_B_INVALID_CURVE; |
342 | 0 | |
343 | 0 | return X509_V_OK; |
344 | 0 | } |
345 | | |
346 | | int X509_chain_check_suiteb(int *perror_depth, X509 *x, STACK_OF(X509) *chain, |
347 | | unsigned long flags) |
348 | 0 | { |
349 | 0 | int rv, i, sign_nid; |
350 | 0 | EVP_PKEY *pk; |
351 | 0 | unsigned long tflags = flags; |
352 | 0 |
|
353 | 0 | if (!(flags & X509_V_FLAG_SUITEB_128_LOS)) |
354 | 0 | return X509_V_OK; |
355 | 0 | |
356 | 0 | /* If no EE certificate passed in must be first in chain */ |
357 | 0 | if (x == NULL) { |
358 | 0 | x = sk_X509_value(chain, 0); |
359 | 0 | i = 1; |
360 | 0 | } else |
361 | 0 | i = 0; |
362 | 0 |
|
363 | 0 | pk = X509_get0_pubkey(x); |
364 | 0 |
|
365 | 0 | /* |
366 | 0 | * With DANE-EE(3) success, or DANE-EE(3)/PKIX-EE(1) failure we don't build |
367 | 0 | * a chain all, just report trust success or failure, but must also report |
368 | 0 | * Suite-B errors if applicable. This is indicated via a NULL chain |
369 | 0 | * pointer. All we need to do is check the leaf key algorithm. |
370 | 0 | */ |
371 | 0 | if (chain == NULL) |
372 | 0 | return check_suite_b(pk, -1, &tflags); |
373 | 0 | |
374 | 0 | if (X509_get_version(x) != 2) { |
375 | 0 | rv = X509_V_ERR_SUITE_B_INVALID_VERSION; |
376 | 0 | /* Correct error depth */ |
377 | 0 | i = 0; |
378 | 0 | goto end; |
379 | 0 | } |
380 | 0 |
|
381 | 0 | /* Check EE key only */ |
382 | 0 | rv = check_suite_b(pk, -1, &tflags); |
383 | 0 | if (rv != X509_V_OK) { |
384 | 0 | /* Correct error depth */ |
385 | 0 | i = 0; |
386 | 0 | goto end; |
387 | 0 | } |
388 | 0 | for (; i < sk_X509_num(chain); i++) { |
389 | 0 | sign_nid = X509_get_signature_nid(x); |
390 | 0 | x = sk_X509_value(chain, i); |
391 | 0 | if (X509_get_version(x) != 2) { |
392 | 0 | rv = X509_V_ERR_SUITE_B_INVALID_VERSION; |
393 | 0 | goto end; |
394 | 0 | } |
395 | 0 | pk = X509_get0_pubkey(x); |
396 | 0 | rv = check_suite_b(pk, sign_nid, &tflags); |
397 | 0 | if (rv != X509_V_OK) |
398 | 0 | goto end; |
399 | 0 | } |
400 | 0 |
|
401 | 0 | /* Final check: root CA signature */ |
402 | 0 | rv = check_suite_b(pk, X509_get_signature_nid(x), &tflags); |
403 | 0 | end: |
404 | 0 | if (rv != X509_V_OK) { |
405 | 0 | /* Invalid signature or LOS errors are for previous cert */ |
406 | 0 | if ((rv == X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM |
407 | 0 | || rv == X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED) && i) |
408 | 0 | i--; |
409 | 0 | /* |
410 | 0 | * If we have LOS error and flags changed then we are signing P-384 |
411 | 0 | * with P-256. Use more meaningful error. |
412 | 0 | */ |
413 | 0 | if (rv == X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED && flags != tflags) |
414 | 0 | rv = X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256; |
415 | 0 | if (perror_depth) |
416 | 0 | *perror_depth = i; |
417 | 0 | } |
418 | 0 | return rv; |
419 | 0 | } |
420 | | |
421 | | int X509_CRL_check_suiteb(X509_CRL *crl, EVP_PKEY *pk, unsigned long flags) |
422 | 0 | { |
423 | 0 | int sign_nid; |
424 | 0 | if (!(flags & X509_V_FLAG_SUITEB_128_LOS)) |
425 | 0 | return X509_V_OK; |
426 | 0 | sign_nid = OBJ_obj2nid(crl->crl.sig_alg.algorithm); |
427 | 0 | return check_suite_b(pk, sign_nid, &flags); |
428 | 0 | } |
429 | | |
430 | | #else |
431 | | int X509_chain_check_suiteb(int *perror_depth, X509 *x, STACK_OF(X509) *chain, |
432 | | unsigned long flags) |
433 | | { |
434 | | return 0; |
435 | | } |
436 | | |
437 | | int X509_CRL_check_suiteb(X509_CRL *crl, EVP_PKEY *pk, unsigned long flags) |
438 | | { |
439 | | return 0; |
440 | | } |
441 | | |
442 | | #endif |
443 | | /* |
444 | | * Not strictly speaking an "up_ref" as a STACK doesn't have a reference |
445 | | * count but it has the same effect by duping the STACK and upping the ref of |
446 | | * each X509 structure. |
447 | | */ |
448 | | STACK_OF(X509) *X509_chain_up_ref(STACK_OF(X509) *chain) |
449 | 0 | { |
450 | 0 | STACK_OF(X509) *ret; |
451 | 0 | int i; |
452 | 0 | ret = sk_X509_dup(chain); |
453 | 0 | for (i = 0; i < sk_X509_num(ret); i++) { |
454 | 0 | X509 *x = sk_X509_value(ret, i); |
455 | 0 | X509_up_ref(x); |
456 | 0 | } |
457 | 0 | return ret; |
458 | 0 | } |