/* * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved. * Copyright Nokia 2007-2019 * Copyright Siemens AG 2015-2019 * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy * in the file LICENSE in the source distribution or at * https://www.openssl.org/source/license.html */ #include "cmp_local.h" /* explicit #includes not strictly needed since implied by the above: */ #include #include #include #include #include /* * This function is also used for verification from cmp_vfy. * * Calculate protection for given PKImessage utilizing the given credentials * and the algorithm parameters set inside the message header's protectionAlg. * * Either secret or pkey must be set, the other must be NULL. Attempts doing * PBMAC in case 'secret' is set and signature if 'pkey' is set - but will only * do the protection already marked in msg->header->protectionAlg. * * returns ptr to ASN1_BIT_STRING containing protection on success, else NULL */ ASN1_BIT_STRING *ossl_cmp_calc_protection(const OSSL_CMP_MSG *msg, const ASN1_OCTET_STRING *secret, EVP_PKEY *pkey) { ASN1_BIT_STRING *prot = NULL; OSSL_CMP_PROTECTEDPART prot_part; const ASN1_OBJECT *algorOID = NULL; int len; size_t prot_part_der_len; unsigned char *prot_part_der = NULL; size_t sig_len; unsigned char *protection = NULL; const void *ppval = NULL; int pptype = 0; OSSL_CRMF_PBMPARAMETER *pbm = NULL; ASN1_STRING *pbm_str = NULL; const unsigned char *pbm_str_uc = NULL; EVP_MD_CTX *evp_ctx = NULL; int md_NID; const EVP_MD *md = NULL; if (!ossl_assert(msg != NULL)) return NULL; /* construct data to be signed */ prot_part.header = msg->header; prot_part.body = msg->body; len = i2d_OSSL_CMP_PROTECTEDPART(&prot_part, &prot_part_der); if (len < 0 || prot_part_der == NULL) { CMPerr(0, CMP_R_ERROR_CALCULATING_PROTECTION); goto end; } prot_part_der_len = (size_t) len; if (msg->header->protectionAlg == NULL) { CMPerr(0, CMP_R_UNKNOWN_ALGORITHM_ID); goto end; } X509_ALGOR_get0(&algorOID, &pptype, &ppval, msg->header->protectionAlg); if (secret != NULL && pkey == NULL) { if (ppval == NULL) { CMPerr(0, CMP_R_ERROR_CALCULATING_PROTECTION); goto end; } if (NID_id_PasswordBasedMAC != OBJ_obj2nid(algorOID)) { CMPerr(0, CMP_R_WRONG_ALGORITHM_OID); goto end; } pbm_str = (ASN1_STRING *)ppval; pbm_str_uc = pbm_str->data; pbm = d2i_OSSL_CRMF_PBMPARAMETER(NULL, &pbm_str_uc, pbm_str->length); if (pbm == NULL) { CMPerr(0, CMP_R_WRONG_ALGORITHM_OID); goto end; } if (!OSSL_CRMF_pbm_new(pbm, prot_part_der, prot_part_der_len, secret->data, secret->length, &protection, &sig_len)) goto end; } else if (secret == NULL && pkey != NULL) { /* TODO combine this with large parts of CRMF_poposigningkey_init() */ /* EVP_DigestSignInit() checks that pkey type is correct for the alg */ if (!OBJ_find_sigid_algs(OBJ_obj2nid(algorOID), &md_NID, NULL) || (md = EVP_get_digestbynid(md_NID)) == NULL || (evp_ctx = EVP_MD_CTX_new()) == NULL) { CMPerr(0, CMP_R_UNKNOWN_ALGORITHM_ID); goto end; } if (EVP_DigestSignInit(evp_ctx, NULL, md, NULL, pkey) <= 0 || EVP_DigestSignUpdate(evp_ctx, prot_part_der, prot_part_der_len) <= 0 || EVP_DigestSignFinal(evp_ctx, NULL, &sig_len) <= 0 || (protection = OPENSSL_malloc(sig_len)) == NULL || EVP_DigestSignFinal(evp_ctx, protection, &sig_len) <= 0) { CMPerr(0, CMP_R_ERROR_CALCULATING_PROTECTION); goto end; } } else { CMPerr(0, CMP_R_INVALID_ARGS); goto end; } if ((prot = ASN1_BIT_STRING_new()) == NULL) goto end; /* OpenSSL defaults all bit strings to be encoded as ASN.1 NamedBitList */ prot->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07); prot->flags |= ASN1_STRING_FLAG_BITS_LEFT; if (!ASN1_BIT_STRING_set(prot, protection, sig_len)) { ASN1_BIT_STRING_free(prot); prot = NULL; } end: OSSL_CRMF_PBMPARAMETER_free(pbm); EVP_MD_CTX_free(evp_ctx); OPENSSL_free(protection); OPENSSL_free(prot_part_der); return prot; } int ossl_cmp_msg_add_extraCerts(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg) { if (!ossl_assert(ctx != NULL && msg != NULL)) return 0; if (msg->extraCerts == NULL && (msg->extraCerts = sk_X509_new_null()) == NULL) return 0; if (ctx->clCert != NULL) { /* Make sure that our own cert gets sent, in the first position */ if (!X509_up_ref(ctx->clCert)) return 0; if (!sk_X509_push(msg->extraCerts, ctx->clCert)) { X509_free(ctx->clCert); return 0; } /* if we have untrusted store, try to add intermediate certs */ if (ctx->untrusted_certs != NULL) { STACK_OF(X509) *chain = ossl_cmp_build_cert_chain(ctx->untrusted_certs, ctx->clCert); int res = ossl_cmp_sk_X509_add1_certs(msg->extraCerts, chain, 1 /* no self-issued */, 1 /* no duplicates */, 0); sk_X509_pop_free(chain, X509_free); if (res == 0) return 0; } } /* add any additional certificates from ctx->extraCertsOut */ if (!ossl_cmp_sk_X509_add1_certs(msg->extraCerts, ctx->extraCertsOut, 0, 1 /* no duplicates */, 0)) return 0; /* if none was found avoid empty ASN.1 sequence */ if (sk_X509_num(msg->extraCerts) == 0) { sk_X509_free(msg->extraCerts); msg->extraCerts = NULL; } return 1; } /* * Create an X509_ALGOR structure for PasswordBasedMAC protection based on * the pbm settings in the context * returns pointer to X509_ALGOR on success, NULL on error */ static X509_ALGOR *create_pbmac_algor(OSSL_CMP_CTX *ctx) { X509_ALGOR *alg = NULL; OSSL_CRMF_PBMPARAMETER *pbm = NULL; unsigned char *pbm_der = NULL; int pbm_der_len; ASN1_STRING *pbm_str = NULL; if (!ossl_assert(ctx != NULL)) return NULL; alg = X509_ALGOR_new(); pbm = OSSL_CRMF_pbmp_new(ctx->pbm_slen, ctx->pbm_owf, ctx->pbm_itercnt, ctx->pbm_mac); pbm_str = ASN1_STRING_new(); if (alg == NULL || pbm == NULL || pbm_str == NULL) goto err; if ((pbm_der_len = i2d_OSSL_CRMF_PBMPARAMETER(pbm, &pbm_der)) < 0) goto err; if (!ASN1_STRING_set(pbm_str, pbm_der, pbm_der_len)) goto err; OPENSSL_free(pbm_der); X509_ALGOR_set0(alg, OBJ_nid2obj(NID_id_PasswordBasedMAC), V_ASN1_SEQUENCE, pbm_str); OSSL_CRMF_PBMPARAMETER_free(pbm); return alg; err: ASN1_STRING_free(pbm_str); X509_ALGOR_free(alg); OPENSSL_free(pbm_der); OSSL_CRMF_PBMPARAMETER_free(pbm); return NULL; } int ossl_cmp_msg_protect(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg) { if (!ossl_assert(ctx != NULL && msg != NULL)) return 0; if (ctx->unprotectedSend) return 1; /* use PasswordBasedMac according to 5.1.3.1 if secretValue is given */ if (ctx->secretValue != NULL) { if ((msg->header->protectionAlg = create_pbmac_algor(ctx)) == NULL) goto err; if (ctx->referenceValue != NULL && !ossl_cmp_hdr_set1_senderKID(msg->header, ctx->referenceValue)) goto err; /* * add any additional certificates from ctx->extraCertsOut * while not needed to validate the signing cert, the option to do * this might be handy for certain use cases */ if (!ossl_cmp_msg_add_extraCerts(ctx, msg)) goto err; if ((msg->protection = ossl_cmp_calc_protection(msg, ctx->secretValue, NULL)) == NULL) goto err; } else { /* * use MSG_SIG_ALG according to 5.1.3.3 if client Certificate and * private key is given */ if (ctx->clCert != NULL && ctx->pkey != NULL) { const ASN1_OCTET_STRING *subjKeyIDStr = NULL; int algNID = 0; ASN1_OBJECT *alg = NULL; /* make sure that key and certificate match */ if (!X509_check_private_key(ctx->clCert, ctx->pkey)) { CMPerr(0, CMP_R_CERT_AND_KEY_DO_NOT_MATCH); goto err; } if (msg->header->protectionAlg == NULL) if ((msg->header->protectionAlg = X509_ALGOR_new()) == NULL) goto err; if (!OBJ_find_sigid_by_algs(&algNID, ctx->digest, EVP_PKEY_id(ctx->pkey))) { CMPerr(0, CMP_R_UNSUPPORTED_KEY_TYPE); goto err; } if ((alg = OBJ_nid2obj(algNID)) == NULL) goto err; if (!X509_ALGOR_set0(msg->header->protectionAlg, alg, V_ASN1_UNDEF, NULL)) { ASN1_OBJECT_free(alg); goto err; } /* * set senderKID to keyIdentifier of the used certificate according * to section 5.1.1 */ subjKeyIDStr = X509_get0_subject_key_id(ctx->clCert); if (subjKeyIDStr == NULL) subjKeyIDStr = ctx->referenceValue; /* fallback */ if (subjKeyIDStr != NULL && !ossl_cmp_hdr_set1_senderKID(msg->header, subjKeyIDStr)) goto err; /* * Add ctx->clCert followed, if possible, by its chain built * from ctx->untrusted_certs, and then ctx->extraCertsOut */ if (!ossl_cmp_msg_add_extraCerts(ctx, msg)) goto err; if ((msg->protection = ossl_cmp_calc_protection(msg, NULL, ctx->pkey)) == NULL) goto err; } else { CMPerr(0, CMP_R_MISSING_KEY_INPUT_FOR_CREATING_PROTECTION); goto err; } } /* * As required by RFC 4210 section 5.1.1., if the sender name is not known * to the client it set to NULL-DN. In this case for identification at least * the senderKID must be set, where we took the referenceValue as fallback. */ if (ossl_cmp_general_name_is_NULL_DN(msg->header->sender) && msg->header->senderKID == NULL) CMPerr(0, CMP_R_MISSING_SENDER_IDENTIFICATION); else return 1; err: CMPerr(0, CMP_R_ERROR_PROTECTING_MESSAGE); return 0; }