1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.] */
56
57 #include <assert.h>
58 #include <limits.h>
59 #include <stdio.h>
60
61 #include <openssl/asn1t.h>
62 #include <openssl/evp.h>
63 #include <openssl/mem.h>
64 #include <openssl/obj.h>
65 #include <openssl/pool.h>
66 #include <openssl/thread.h>
67 #include <openssl/x509.h>
68 #include <openssl/x509v3.h>
69
70 #include "../asn1/internal.h"
71 #include "../bytestring/internal.h"
72 #include "../internal.h"
73 #include "internal.h"
74
75 static CRYPTO_EX_DATA_CLASS g_ex_data_class = CRYPTO_EX_DATA_CLASS_INIT;
76
77 ASN1_SEQUENCE_enc(X509_CINF, enc, 0) = {
78 ASN1_EXP_OPT(X509_CINF, version, ASN1_INTEGER, 0),
79 ASN1_SIMPLE(X509_CINF, serialNumber, ASN1_INTEGER),
80 ASN1_SIMPLE(X509_CINF, signature, X509_ALGOR),
81 ASN1_SIMPLE(X509_CINF, issuer, X509_NAME),
82 ASN1_SIMPLE(X509_CINF, validity, X509_VAL),
83 ASN1_SIMPLE(X509_CINF, subject, X509_NAME),
84 ASN1_SIMPLE(X509_CINF, key, X509_PUBKEY),
85 ASN1_IMP_OPT(X509_CINF, issuerUID, ASN1_BIT_STRING, 1),
86 ASN1_IMP_OPT(X509_CINF, subjectUID, ASN1_BIT_STRING, 2),
87 ASN1_EXP_SEQUENCE_OF_OPT(X509_CINF, extensions, X509_EXTENSION, 3),
88 } ASN1_SEQUENCE_END_enc(X509_CINF, X509_CINF)
89
90 IMPLEMENT_ASN1_FUNCTIONS(X509_CINF)
91
92 // x509_new_null returns a new |X509| object where the |cert_info|, |sig_alg|,
93 // and |signature| fields are not yet filled in.
94 static X509 *x509_new_null(void) {
95 X509 *ret = OPENSSL_zalloc(sizeof(X509));
96 if (ret == NULL) {
97 return NULL;
98 }
99
100 ret->references = 1;
101 ret->ex_pathlen = -1;
102 CRYPTO_new_ex_data(&ret->ex_data);
103 CRYPTO_MUTEX_init(&ret->lock);
104 return ret;
105 }
106
X509_new(void)107 X509 *X509_new(void) {
108 X509 *ret = x509_new_null();
109 if (ret == NULL) {
110 return NULL;
111 }
112
113 ret->cert_info = X509_CINF_new();
114 ret->sig_alg = X509_ALGOR_new();
115 ret->signature = ASN1_BIT_STRING_new();
116 if (ret->cert_info == NULL || ret->sig_alg == NULL ||
117 ret->signature == NULL) {
118 X509_free(ret);
119 return NULL;
120 }
121
122 return ret;
123 }
124
X509_free(X509 * x509)125 void X509_free(X509 *x509) {
126 if (x509 == NULL || !CRYPTO_refcount_dec_and_test_zero(&x509->references)) {
127 return;
128 }
129
130 CRYPTO_free_ex_data(&g_ex_data_class, x509, &x509->ex_data);
131
132 X509_CINF_free(x509->cert_info);
133 X509_ALGOR_free(x509->sig_alg);
134 ASN1_BIT_STRING_free(x509->signature);
135 ASN1_OCTET_STRING_free(x509->skid);
136 AUTHORITY_KEYID_free(x509->akid);
137 CRL_DIST_POINTS_free(x509->crldp);
138 GENERAL_NAMES_free(x509->altname);
139 NAME_CONSTRAINTS_free(x509->nc);
140 X509_CERT_AUX_free(x509->aux);
141 CRYPTO_MUTEX_cleanup(&x509->lock);
142
143 OPENSSL_free(x509);
144 }
145
x509_parse(CBS * cbs,CRYPTO_BUFFER * buf)146 static X509 *x509_parse(CBS *cbs, CRYPTO_BUFFER *buf) {
147 CBS cert, tbs, sigalg, sig;
148 if (!CBS_get_asn1(cbs, &cert, CBS_ASN1_SEQUENCE) ||
149 // Bound the length to comfortably fit in an int. Lengths in this
150 // module often omit overflow checks.
151 CBS_len(&cert) > INT_MAX / 2 ||
152 !CBS_get_asn1_element(&cert, &tbs, CBS_ASN1_SEQUENCE) ||
153 !CBS_get_asn1_element(&cert, &sigalg, CBS_ASN1_SEQUENCE)) {
154 OPENSSL_PUT_ERROR(ASN1, ASN1_R_DECODE_ERROR);
155 return NULL;
156 }
157
158 // For just the signature field, we accept non-minimal BER lengths, though not
159 // indefinite-length encoding. See b/18228011.
160 //
161 // TODO(crbug.com/boringssl/354): Switch the affected callers to convert the
162 // certificate before parsing and then remove this workaround.
163 CBS_ASN1_TAG tag;
164 size_t header_len;
165 int indefinite;
166 if (!CBS_get_any_ber_asn1_element(&cert, &sig, &tag, &header_len,
167 /*out_ber_found=*/NULL,
168 &indefinite) ||
169 tag != CBS_ASN1_BITSTRING || indefinite || //
170 !CBS_skip(&sig, header_len) || //
171 CBS_len(&cert) != 0) {
172 OPENSSL_PUT_ERROR(ASN1, ASN1_R_DECODE_ERROR);
173 return NULL;
174 }
175
176 X509 *ret = x509_new_null();
177 if (ret == NULL) {
178 return NULL;
179 }
180
181 // TODO(crbug.com/boringssl/443): When the rest of the library is decoupled
182 // from the tasn_*.c implementation, replace this with |CBS|-based functions.
183 const uint8_t *inp = CBS_data(&tbs);
184 if (ASN1_item_ex_d2i((ASN1_VALUE **)&ret->cert_info, &inp, CBS_len(&tbs),
185 ASN1_ITEM_rptr(X509_CINF), /*tag=*/-1,
186 /*aclass=*/0, /*opt=*/0, buf) <= 0 ||
187 inp != CBS_data(&tbs) + CBS_len(&tbs)) {
188 goto err;
189 }
190
191 inp = CBS_data(&sigalg);
192 ret->sig_alg = d2i_X509_ALGOR(NULL, &inp, CBS_len(&sigalg));
193 if (ret->sig_alg == NULL || inp != CBS_data(&sigalg) + CBS_len(&sigalg)) {
194 goto err;
195 }
196
197 inp = CBS_data(&sig);
198 ret->signature = c2i_ASN1_BIT_STRING(NULL, &inp, CBS_len(&sig));
199 if (ret->signature == NULL || inp != CBS_data(&sig) + CBS_len(&sig)) {
200 goto err;
201 }
202
203 // The version must be one of v1(0), v2(1), or v3(2).
204 long version = X509_VERSION_1;
205 if (ret->cert_info->version != NULL) {
206 version = ASN1_INTEGER_get(ret->cert_info->version);
207 // TODO(https://crbug.com/boringssl/364): |X509_VERSION_1| should
208 // also be rejected here. This means an explicitly-encoded X.509v1
209 // version. v1 is DEFAULT, so DER requires it be omitted.
210 if (version < X509_VERSION_1 || version > X509_VERSION_3) {
211 OPENSSL_PUT_ERROR(X509, X509_R_INVALID_VERSION);
212 goto err;
213 }
214 }
215
216 // Per RFC 5280, section 4.1.2.8, these fields require v2 or v3.
217 if (version == X509_VERSION_1 && (ret->cert_info->issuerUID != NULL ||
218 ret->cert_info->subjectUID != NULL)) {
219 OPENSSL_PUT_ERROR(X509, X509_R_INVALID_FIELD_FOR_VERSION);
220 goto err;
221 }
222
223 // Per RFC 5280, section 4.1.2.9, extensions require v3.
224 if (version != X509_VERSION_3 && ret->cert_info->extensions != NULL) {
225 OPENSSL_PUT_ERROR(X509, X509_R_INVALID_FIELD_FOR_VERSION);
226 goto err;
227 }
228
229 return ret;
230
231 err:
232 X509_free(ret);
233 return NULL;
234 }
235
d2i_X509(X509 ** out,const uint8_t ** inp,long len)236 X509 *d2i_X509(X509 **out, const uint8_t **inp, long len) {
237 X509 *ret = NULL;
238 if (len < 0) {
239 OPENSSL_PUT_ERROR(ASN1, ASN1_R_BUFFER_TOO_SMALL);
240 goto err;
241 }
242
243 CBS cbs;
244 CBS_init(&cbs, *inp, (size_t)len);
245 ret = x509_parse(&cbs, NULL);
246 if (ret == NULL) {
247 goto err;
248 }
249
250 *inp = CBS_data(&cbs);
251
252 err:
253 if (out != NULL) {
254 X509_free(*out);
255 *out = ret;
256 }
257 return ret;
258 }
259
i2d_X509(X509 * x509,uint8_t ** outp)260 int i2d_X509(X509 *x509, uint8_t **outp) {
261 if (x509 == NULL) {
262 OPENSSL_PUT_ERROR(ASN1, ASN1_R_MISSING_VALUE);
263 return -1;
264 }
265
266 CBB cbb, cert;
267 if (!CBB_init(&cbb, 64) || //
268 !CBB_add_asn1(&cbb, &cert, CBS_ASN1_SEQUENCE)) {
269 goto err;
270 }
271
272 // TODO(crbug.com/boringssl/443): When the rest of the library is decoupled
273 // from the tasn_*.c implementation, replace this with |CBS|-based functions.
274 uint8_t *out;
275 int len = i2d_X509_CINF(x509->cert_info, NULL);
276 if (len < 0 || //
277 !CBB_add_space(&cert, &out, (size_t)len) ||
278 i2d_X509_CINF(x509->cert_info, &out) != len) {
279 goto err;
280 }
281
282 len = i2d_X509_ALGOR(x509->sig_alg, NULL);
283 if (len < 0 || //
284 !CBB_add_space(&cert, &out, (size_t)len) ||
285 i2d_X509_ALGOR(x509->sig_alg, &out) != len) {
286 goto err;
287 }
288
289 len = i2d_ASN1_BIT_STRING(x509->signature, NULL);
290 if (len < 0 || //
291 !CBB_add_space(&cert, &out, (size_t)len) ||
292 i2d_ASN1_BIT_STRING(x509->signature, &out) != len) {
293 goto err;
294 }
295
296 return CBB_finish_i2d(&cbb, outp);
297
298 err:
299 CBB_cleanup(&cbb);
300 return -1;
301 }
302
x509_new_cb(ASN1_VALUE ** pval,const ASN1_ITEM * it)303 static int x509_new_cb(ASN1_VALUE **pval, const ASN1_ITEM *it) {
304 *pval = (ASN1_VALUE *)X509_new();
305 return *pval != NULL;
306 }
307
x509_free_cb(ASN1_VALUE ** pval,const ASN1_ITEM * it)308 static void x509_free_cb(ASN1_VALUE **pval, const ASN1_ITEM *it) {
309 X509_free((X509 *)*pval);
310 *pval = NULL;
311 }
312
x509_d2i_cb(ASN1_VALUE ** pval,const unsigned char ** in,long len,const ASN1_ITEM * it,int opt,ASN1_TLC * ctx)313 static int x509_d2i_cb(ASN1_VALUE **pval, const unsigned char **in, long len,
314 const ASN1_ITEM *it, int opt, ASN1_TLC *ctx) {
315 if (len < 0) {
316 OPENSSL_PUT_ERROR(ASN1, ASN1_R_BUFFER_TOO_SMALL);
317 return 0;
318 }
319
320 CBS cbs;
321 CBS_init(&cbs, *in, len);
322 if (opt && !CBS_peek_asn1_tag(&cbs, CBS_ASN1_SEQUENCE)) {
323 return -1;
324 }
325
326 X509 *ret = x509_parse(&cbs, NULL);
327 if (ret == NULL) {
328 return 0;
329 }
330
331 *in = CBS_data(&cbs);
332 X509_free((X509 *)*pval);
333 *pval = (ASN1_VALUE *)ret;
334 return 1;
335 }
336
x509_i2d_cb(ASN1_VALUE ** pval,unsigned char ** out,const ASN1_ITEM * it)337 static int x509_i2d_cb(ASN1_VALUE **pval, unsigned char **out,
338 const ASN1_ITEM *it) {
339 return i2d_X509((X509 *)*pval, out);
340 }
341
342 static const ASN1_EXTERN_FUNCS x509_extern_funcs = {
343 x509_new_cb,
344 x509_free_cb,
345 x509_d2i_cb,
346 x509_i2d_cb,
347 };
348
IMPLEMENT_EXTERN_ASN1(X509,V_ASN1_SEQUENCE,x509_extern_funcs)349 IMPLEMENT_EXTERN_ASN1(X509, V_ASN1_SEQUENCE, x509_extern_funcs)
350
351 X509 *X509_dup(X509 *x509) {
352 uint8_t *der = NULL;
353 int len = i2d_X509(x509, &der);
354 if (len < 0) {
355 return NULL;
356 }
357
358 const uint8_t *inp = der;
359 X509 *ret = d2i_X509(NULL, &inp, len);
360 OPENSSL_free(der);
361 return ret;
362 }
363
X509_parse_from_buffer(CRYPTO_BUFFER * buf)364 X509 *X509_parse_from_buffer(CRYPTO_BUFFER *buf) {
365 CBS cbs;
366 CBS_init(&cbs, CRYPTO_BUFFER_data(buf), CRYPTO_BUFFER_len(buf));
367 X509 *ret = x509_parse(&cbs, buf);
368 if (ret == NULL || CBS_len(&cbs) != 0) {
369 X509_free(ret);
370 return NULL;
371 }
372
373 return ret;
374 }
375
X509_up_ref(X509 * x)376 int X509_up_ref(X509 *x) {
377 CRYPTO_refcount_inc(&x->references);
378 return 1;
379 }
380
X509_get_ex_new_index(long argl,void * argp,CRYPTO_EX_unused * unused,CRYPTO_EX_dup * dup_unused,CRYPTO_EX_free * free_func)381 int X509_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused,
382 CRYPTO_EX_dup *dup_unused,
383 CRYPTO_EX_free *free_func) {
384 int index;
385 if (!CRYPTO_get_ex_new_index(&g_ex_data_class, &index, argl, argp,
386 free_func)) {
387 return -1;
388 }
389 return index;
390 }
391
X509_set_ex_data(X509 * r,int idx,void * arg)392 int X509_set_ex_data(X509 *r, int idx, void *arg) {
393 return (CRYPTO_set_ex_data(&r->ex_data, idx, arg));
394 }
395
X509_get_ex_data(X509 * r,int idx)396 void *X509_get_ex_data(X509 *r, int idx) {
397 return (CRYPTO_get_ex_data(&r->ex_data, idx));
398 }
399
400 // X509_AUX ASN1 routines. X509_AUX is the name given to a certificate with
401 // extra info tagged on the end. Since these functions set how a certificate
402 // is trusted they should only be used when the certificate comes from a
403 // reliable source such as local storage.
404
d2i_X509_AUX(X509 ** a,const unsigned char ** pp,long length)405 X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, long length) {
406 const unsigned char *q = *pp;
407 X509 *ret;
408 int freeret = 0;
409
410 if (!a || *a == NULL) {
411 freeret = 1;
412 }
413 ret = d2i_X509(a, &q, length);
414 // If certificate unreadable then forget it
415 if (!ret) {
416 return NULL;
417 }
418 // update length
419 length -= q - *pp;
420 // Parse auxiliary information if there is any.
421 if (length > 0 && !d2i_X509_CERT_AUX(&ret->aux, &q, length)) {
422 goto err;
423 }
424 *pp = q;
425 return ret;
426 err:
427 if (freeret) {
428 X509_free(ret);
429 if (a) {
430 *a = NULL;
431 }
432 }
433 return NULL;
434 }
435
436 // Serialize trusted certificate to *pp or just return the required buffer
437 // length if pp == NULL. We ultimately want to avoid modifying *pp in the
438 // error path, but that depends on similar hygiene in lower-level functions.
439 // Here we avoid compounding the problem.
i2d_x509_aux_internal(X509 * a,unsigned char ** pp)440 static int i2d_x509_aux_internal(X509 *a, unsigned char **pp) {
441 int length, tmplen;
442 unsigned char *start = pp != NULL ? *pp : NULL;
443
444 assert(pp == NULL || *pp != NULL);
445
446 // This might perturb *pp on error, but fixing that belongs in i2d_X509()
447 // not here. It should be that if a == NULL length is zero, but we check
448 // both just in case.
449 length = i2d_X509(a, pp);
450 if (length <= 0 || a == NULL) {
451 return length;
452 }
453
454 if (a->aux != NULL) {
455 tmplen = i2d_X509_CERT_AUX(a->aux, pp);
456 if (tmplen < 0) {
457 if (start != NULL) {
458 *pp = start;
459 }
460 return tmplen;
461 }
462 length += tmplen;
463 }
464
465 return length;
466 }
467
468 // Serialize trusted certificate to *pp, or just return the required buffer
469 // length if pp == NULL.
470 //
471 // When pp is not NULL, but *pp == NULL, we allocate the buffer, but since
472 // we're writing two ASN.1 objects back to back, we can't have i2d_X509() do
473 // the allocation, nor can we allow i2d_X509_CERT_AUX() to increment the
474 // allocated buffer.
i2d_X509_AUX(X509 * a,unsigned char ** pp)475 int i2d_X509_AUX(X509 *a, unsigned char **pp) {
476 int length;
477 unsigned char *tmp;
478
479 // Buffer provided by caller
480 if (pp == NULL || *pp != NULL) {
481 return i2d_x509_aux_internal(a, pp);
482 }
483
484 // Obtain the combined length
485 if ((length = i2d_x509_aux_internal(a, NULL)) <= 0) {
486 return length;
487 }
488
489 // Allocate requisite combined storage
490 *pp = tmp = OPENSSL_malloc(length);
491 if (tmp == NULL) {
492 return -1; // Push error onto error stack?
493 }
494
495 // Encode, but keep *pp at the originally malloced pointer
496 length = i2d_x509_aux_internal(a, &tmp);
497 if (length <= 0) {
498 OPENSSL_free(*pp);
499 *pp = NULL;
500 }
501 return length;
502 }
503
i2d_re_X509_tbs(X509 * x509,unsigned char ** outp)504 int i2d_re_X509_tbs(X509 *x509, unsigned char **outp) {
505 asn1_encoding_clear(&x509->cert_info->enc);
506 return i2d_X509_CINF(x509->cert_info, outp);
507 }
508
i2d_X509_tbs(X509 * x509,unsigned char ** outp)509 int i2d_X509_tbs(X509 *x509, unsigned char **outp) {
510 return i2d_X509_CINF(x509->cert_info, outp);
511 }
512
X509_set1_signature_algo(X509 * x509,const X509_ALGOR * algo)513 int X509_set1_signature_algo(X509 *x509, const X509_ALGOR *algo) {
514 X509_ALGOR *copy1 = X509_ALGOR_dup(algo);
515 X509_ALGOR *copy2 = X509_ALGOR_dup(algo);
516 if (copy1 == NULL || copy2 == NULL) {
517 X509_ALGOR_free(copy1);
518 X509_ALGOR_free(copy2);
519 return 0;
520 }
521
522 X509_ALGOR_free(x509->sig_alg);
523 x509->sig_alg = copy1;
524 X509_ALGOR_free(x509->cert_info->signature);
525 x509->cert_info->signature = copy2;
526 return 1;
527 }
528
X509_set1_signature_value(X509 * x509,const uint8_t * sig,size_t sig_len)529 int X509_set1_signature_value(X509 *x509, const uint8_t *sig, size_t sig_len) {
530 if (!ASN1_STRING_set(x509->signature, sig, sig_len)) {
531 return 0;
532 }
533 x509->signature->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07);
534 x509->signature->flags |= ASN1_STRING_FLAG_BITS_LEFT;
535 return 1;
536 }
537
X509_get0_signature(const ASN1_BIT_STRING ** psig,const X509_ALGOR ** palg,const X509 * x)538 void X509_get0_signature(const ASN1_BIT_STRING **psig, const X509_ALGOR **palg,
539 const X509 *x) {
540 if (psig) {
541 *psig = x->signature;
542 }
543 if (palg) {
544 *palg = x->sig_alg;
545 }
546 }
547
X509_get_signature_nid(const X509 * x)548 int X509_get_signature_nid(const X509 *x) {
549 return OBJ_obj2nid(x->sig_alg->algorithm);
550 }
551