ocsp_vfy.c 13 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435
  1. /*
  2. * Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the OpenSSL license (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <openssl/ocsp.h>
  10. #include "ocsp_local.h"
  11. #include <openssl/err.h>
  12. #include <string.h>
  13. static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs,
  14. STACK_OF(X509) *certs, unsigned long flags);
  15. static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id);
  16. static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain);
  17. static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp,
  18. OCSP_CERTID **ret);
  19. static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
  20. STACK_OF(OCSP_SINGLERESP) *sresp);
  21. static int ocsp_check_delegated(X509 *x);
  22. static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req,
  23. X509_NAME *nm, STACK_OF(X509) *certs,
  24. unsigned long flags);
  25. /* Verify a basic response message */
  26. int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
  27. X509_STORE *st, unsigned long flags)
  28. {
  29. X509 *signer, *x;
  30. STACK_OF(X509) *chain = NULL;
  31. STACK_OF(X509) *untrusted = NULL;
  32. X509_STORE_CTX *ctx = NULL;
  33. int i, ret = ocsp_find_signer(&signer, bs, certs, flags);
  34. if (!ret) {
  35. OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,
  36. OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND);
  37. goto end;
  38. }
  39. ctx = X509_STORE_CTX_new();
  40. if (ctx == NULL) {
  41. OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_MALLOC_FAILURE);
  42. goto f_err;
  43. }
  44. if ((ret == 2) && (flags & OCSP_TRUSTOTHER))
  45. flags |= OCSP_NOVERIFY;
  46. if (!(flags & OCSP_NOSIGS)) {
  47. EVP_PKEY *skey;
  48. skey = X509_get0_pubkey(signer);
  49. if (skey == NULL) {
  50. OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_NO_SIGNER_KEY);
  51. goto err;
  52. }
  53. ret = OCSP_BASICRESP_verify(bs, skey, 0);
  54. if (ret <= 0) {
  55. OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNATURE_FAILURE);
  56. goto end;
  57. }
  58. }
  59. if (!(flags & OCSP_NOVERIFY)) {
  60. int init_res;
  61. if (flags & OCSP_NOCHAIN) {
  62. untrusted = NULL;
  63. } else if (bs->certs && certs) {
  64. untrusted = sk_X509_dup(bs->certs);
  65. for (i = 0; i < sk_X509_num(certs); i++) {
  66. if (!sk_X509_push(untrusted, sk_X509_value(certs, i))) {
  67. OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_MALLOC_FAILURE);
  68. goto f_err;
  69. }
  70. }
  71. } else if (certs != NULL) {
  72. untrusted = certs;
  73. } else {
  74. untrusted = bs->certs;
  75. }
  76. init_res = X509_STORE_CTX_init(ctx, st, signer, untrusted);
  77. if (!init_res) {
  78. OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_X509_LIB);
  79. goto f_err;
  80. }
  81. X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_OCSP_HELPER);
  82. ret = X509_verify_cert(ctx);
  83. chain = X509_STORE_CTX_get1_chain(ctx);
  84. if (ret <= 0) {
  85. i = X509_STORE_CTX_get_error(ctx);
  86. OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,
  87. OCSP_R_CERTIFICATE_VERIFY_ERROR);
  88. ERR_add_error_data(2, "Verify error:",
  89. X509_verify_cert_error_string(i));
  90. goto end;
  91. }
  92. if (flags & OCSP_NOCHECKS) {
  93. ret = 1;
  94. goto end;
  95. }
  96. /*
  97. * At this point we have a valid certificate chain need to verify it
  98. * against the OCSP issuer criteria.
  99. */
  100. ret = ocsp_check_issuer(bs, chain);
  101. /* If fatal error or valid match then finish */
  102. if (ret != 0)
  103. goto end;
  104. /*
  105. * Easy case: explicitly trusted. Get root CA and check for explicit
  106. * trust
  107. */
  108. if (flags & OCSP_NOEXPLICIT)
  109. goto end;
  110. x = sk_X509_value(chain, sk_X509_num(chain) - 1);
  111. if (X509_check_trust(x, NID_OCSP_sign, 0) != X509_TRUST_TRUSTED) {
  112. OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_ROOT_CA_NOT_TRUSTED);
  113. goto err;
  114. }
  115. ret = 1;
  116. }
  117. end:
  118. X509_STORE_CTX_free(ctx);
  119. sk_X509_pop_free(chain, X509_free);
  120. if (bs->certs && certs)
  121. sk_X509_free(untrusted);
  122. return ret;
  123. err:
  124. ret = 0;
  125. goto end;
  126. f_err:
  127. ret = -1;
  128. goto end;
  129. }
  130. int OCSP_resp_get0_signer(OCSP_BASICRESP *bs, X509 **signer,
  131. STACK_OF(X509) *extra_certs)
  132. {
  133. int ret;
  134. ret = ocsp_find_signer(signer, bs, extra_certs, 0);
  135. return (ret > 0) ? 1 : 0;
  136. }
  137. static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs,
  138. STACK_OF(X509) *certs, unsigned long flags)
  139. {
  140. X509 *signer;
  141. OCSP_RESPID *rid = &bs->tbsResponseData.responderId;
  142. if ((signer = ocsp_find_signer_sk(certs, rid))) {
  143. *psigner = signer;
  144. return 2;
  145. }
  146. if (!(flags & OCSP_NOINTERN) &&
  147. (signer = ocsp_find_signer_sk(bs->certs, rid))) {
  148. *psigner = signer;
  149. return 1;
  150. }
  151. /* Maybe lookup from store if by subject name */
  152. *psigner = NULL;
  153. return 0;
  154. }
  155. static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id)
  156. {
  157. int i;
  158. unsigned char tmphash[SHA_DIGEST_LENGTH], *keyhash;
  159. X509 *x;
  160. /* Easy if lookup by name */
  161. if (id->type == V_OCSP_RESPID_NAME)
  162. return X509_find_by_subject(certs, id->value.byName);
  163. /* Lookup by key hash */
  164. /* If key hash isn't SHA1 length then forget it */
  165. if (id->value.byKey->length != SHA_DIGEST_LENGTH)
  166. return NULL;
  167. keyhash = id->value.byKey->data;
  168. /* Calculate hash of each key and compare */
  169. for (i = 0; i < sk_X509_num(certs); i++) {
  170. x = sk_X509_value(certs, i);
  171. X509_pubkey_digest(x, EVP_sha1(), tmphash, NULL);
  172. if (!memcmp(keyhash, tmphash, SHA_DIGEST_LENGTH))
  173. return x;
  174. }
  175. return NULL;
  176. }
  177. static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain)
  178. {
  179. STACK_OF(OCSP_SINGLERESP) *sresp;
  180. X509 *signer, *sca;
  181. OCSP_CERTID *caid = NULL;
  182. int i;
  183. sresp = bs->tbsResponseData.responses;
  184. if (sk_X509_num(chain) <= 0) {
  185. OCSPerr(OCSP_F_OCSP_CHECK_ISSUER, OCSP_R_NO_CERTIFICATES_IN_CHAIN);
  186. return -1;
  187. }
  188. /* See if the issuer IDs match. */
  189. i = ocsp_check_ids(sresp, &caid);
  190. /* If ID mismatch or other error then return */
  191. if (i <= 0)
  192. return i;
  193. signer = sk_X509_value(chain, 0);
  194. /* Check to see if OCSP responder CA matches request CA */
  195. if (sk_X509_num(chain) > 1) {
  196. sca = sk_X509_value(chain, 1);
  197. i = ocsp_match_issuerid(sca, caid, sresp);
  198. if (i < 0)
  199. return i;
  200. if (i) {
  201. /* We have a match, if extensions OK then success */
  202. if (ocsp_check_delegated(signer))
  203. return 1;
  204. return 0;
  205. }
  206. }
  207. /* Otherwise check if OCSP request signed directly by request CA */
  208. return ocsp_match_issuerid(signer, caid, sresp);
  209. }
  210. /*
  211. * Check the issuer certificate IDs for equality. If there is a mismatch with
  212. * the same algorithm then there's no point trying to match any certificates
  213. * against the issuer. If the issuer IDs all match then we just need to check
  214. * equality against one of them.
  215. */
  216. static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret)
  217. {
  218. OCSP_CERTID *tmpid, *cid;
  219. int i, idcount;
  220. idcount = sk_OCSP_SINGLERESP_num(sresp);
  221. if (idcount <= 0) {
  222. OCSPerr(OCSP_F_OCSP_CHECK_IDS,
  223. OCSP_R_RESPONSE_CONTAINS_NO_REVOCATION_DATA);
  224. return -1;
  225. }
  226. cid = sk_OCSP_SINGLERESP_value(sresp, 0)->certId;
  227. *ret = NULL;
  228. for (i = 1; i < idcount; i++) {
  229. tmpid = sk_OCSP_SINGLERESP_value(sresp, i)->certId;
  230. /* Check to see if IDs match */
  231. if (OCSP_id_issuer_cmp(cid, tmpid)) {
  232. /* If algorithm mismatch let caller deal with it */
  233. if (OBJ_cmp(tmpid->hashAlgorithm.algorithm,
  234. cid->hashAlgorithm.algorithm))
  235. return 2;
  236. /* Else mismatch */
  237. return 0;
  238. }
  239. }
  240. /* All IDs match: only need to check one ID */
  241. *ret = cid;
  242. return 1;
  243. }
  244. static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
  245. STACK_OF(OCSP_SINGLERESP) *sresp)
  246. {
  247. /* If only one ID to match then do it */
  248. if (cid) {
  249. const EVP_MD *dgst;
  250. X509_NAME *iname;
  251. int mdlen;
  252. unsigned char md[EVP_MAX_MD_SIZE];
  253. if ((dgst = EVP_get_digestbyobj(cid->hashAlgorithm.algorithm))
  254. == NULL) {
  255. OCSPerr(OCSP_F_OCSP_MATCH_ISSUERID,
  256. OCSP_R_UNKNOWN_MESSAGE_DIGEST);
  257. return -1;
  258. }
  259. mdlen = EVP_MD_size(dgst);
  260. if (mdlen < 0)
  261. return -1;
  262. if ((cid->issuerNameHash.length != mdlen) ||
  263. (cid->issuerKeyHash.length != mdlen))
  264. return 0;
  265. iname = X509_get_subject_name(cert);
  266. if (!X509_NAME_digest(iname, dgst, md, NULL))
  267. return -1;
  268. if (memcmp(md, cid->issuerNameHash.data, mdlen))
  269. return 0;
  270. X509_pubkey_digest(cert, dgst, md, NULL);
  271. if (memcmp(md, cid->issuerKeyHash.data, mdlen))
  272. return 0;
  273. return 1;
  274. } else {
  275. /* We have to match the whole lot */
  276. int i, ret;
  277. OCSP_CERTID *tmpid;
  278. for (i = 0; i < sk_OCSP_SINGLERESP_num(sresp); i++) {
  279. tmpid = sk_OCSP_SINGLERESP_value(sresp, i)->certId;
  280. ret = ocsp_match_issuerid(cert, tmpid, NULL);
  281. if (ret <= 0)
  282. return ret;
  283. }
  284. return 1;
  285. }
  286. }
  287. static int ocsp_check_delegated(X509 *x)
  288. {
  289. if ((X509_get_extension_flags(x) & EXFLAG_XKUSAGE)
  290. && (X509_get_extended_key_usage(x) & XKU_OCSP_SIGN))
  291. return 1;
  292. OCSPerr(OCSP_F_OCSP_CHECK_DELEGATED, OCSP_R_MISSING_OCSPSIGNING_USAGE);
  293. return 0;
  294. }
  295. /*
  296. * Verify an OCSP request. This is fortunately much easier than OCSP response
  297. * verify. Just find the signers certificate and verify it against a given
  298. * trust value.
  299. */
  300. int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs,
  301. X509_STORE *store, unsigned long flags)
  302. {
  303. X509 *signer;
  304. X509_NAME *nm;
  305. GENERAL_NAME *gen;
  306. int ret = 0;
  307. X509_STORE_CTX *ctx = X509_STORE_CTX_new();
  308. if (ctx == NULL) {
  309. OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, ERR_R_MALLOC_FAILURE);
  310. goto err;
  311. }
  312. if (!req->optionalSignature) {
  313. OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_REQUEST_NOT_SIGNED);
  314. goto err;
  315. }
  316. gen = req->tbsRequest.requestorName;
  317. if (!gen || gen->type != GEN_DIRNAME) {
  318. OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,
  319. OCSP_R_UNSUPPORTED_REQUESTORNAME_TYPE);
  320. goto err;
  321. }
  322. nm = gen->d.directoryName;
  323. ret = ocsp_req_find_signer(&signer, req, nm, certs, flags);
  324. if (ret <= 0) {
  325. OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,
  326. OCSP_R_SIGNER_CERTIFICATE_NOT_FOUND);
  327. goto err;
  328. }
  329. if ((ret == 2) && (flags & OCSP_TRUSTOTHER))
  330. flags |= OCSP_NOVERIFY;
  331. if (!(flags & OCSP_NOSIGS)) {
  332. EVP_PKEY *skey;
  333. skey = X509_get0_pubkey(signer);
  334. ret = OCSP_REQUEST_verify(req, skey);
  335. if (ret <= 0) {
  336. OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, OCSP_R_SIGNATURE_FAILURE);
  337. goto err;
  338. }
  339. }
  340. if (!(flags & OCSP_NOVERIFY)) {
  341. int init_res;
  342. if (flags & OCSP_NOCHAIN)
  343. init_res = X509_STORE_CTX_init(ctx, store, signer, NULL);
  344. else
  345. init_res = X509_STORE_CTX_init(ctx, store, signer,
  346. req->optionalSignature->certs);
  347. if (!init_res) {
  348. OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY, ERR_R_X509_LIB);
  349. goto err;
  350. }
  351. X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_OCSP_HELPER);
  352. X509_STORE_CTX_set_trust(ctx, X509_TRUST_OCSP_REQUEST);
  353. ret = X509_verify_cert(ctx);
  354. if (ret <= 0) {
  355. ret = X509_STORE_CTX_get_error(ctx);
  356. OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,
  357. OCSP_R_CERTIFICATE_VERIFY_ERROR);
  358. ERR_add_error_data(2, "Verify error:",
  359. X509_verify_cert_error_string(ret));
  360. goto err;
  361. }
  362. }
  363. ret = 1;
  364. goto end;
  365. err:
  366. ret = 0;
  367. end:
  368. X509_STORE_CTX_free(ctx);
  369. return ret;
  370. }
  371. static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req,
  372. X509_NAME *nm, STACK_OF(X509) *certs,
  373. unsigned long flags)
  374. {
  375. X509 *signer;
  376. if (!(flags & OCSP_NOINTERN)) {
  377. signer = X509_find_by_subject(req->optionalSignature->certs, nm);
  378. if (signer) {
  379. *psigner = signer;
  380. return 1;
  381. }
  382. }
  383. signer = X509_find_by_subject(certs, nm);
  384. if (signer) {
  385. *psigner = signer;
  386. return 2;
  387. }
  388. return 0;
  389. }