Annotation of src/usr.bin/openssl/ts.c, Revision 1.15
1.15 ! jsing 1: /* $OpenBSD: ts.c,v 1.14 2017/01/20 08:57:12 deraadt Exp $ */
1.1 jsing 2: /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
3: * project 2002.
4: */
5: /* ====================================================================
6: * Copyright (c) 2001 The OpenSSL Project. All rights reserved.
7: *
8: * Redistribution and use in source and binary forms, with or without
9: * modification, are permitted provided that the following conditions
10: * are met:
11: *
12: * 1. Redistributions of source code must retain the above copyright
13: * notice, this list of conditions and the following disclaimer.
14: *
15: * 2. Redistributions in binary form must reproduce the above copyright
16: * notice, this list of conditions and the following disclaimer in
17: * the documentation and/or other materials provided with the
18: * distribution.
19: *
20: * 3. All advertising materials mentioning features or use of this
21: * software must display the following acknowledgment:
22: * "This product includes software developed by the OpenSSL Project
23: * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24: *
25: * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26: * endorse or promote products derived from this software without
27: * prior written permission. For written permission, please contact
28: * licensing@OpenSSL.org.
29: *
30: * 5. Products derived from this software may not be called "OpenSSL"
31: * nor may "OpenSSL" appear in their names without prior written
32: * permission of the OpenSSL Project.
33: *
34: * 6. Redistributions of any form whatsoever must retain the following
35: * acknowledgment:
36: * "This product includes software developed by the OpenSSL Project
37: * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38: *
39: * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40: * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41: * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42: * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43: * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44: * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45: * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46: * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47: * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48: * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49: * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50: * OF THE POSSIBILITY OF SUCH DAMAGE.
51: * ====================================================================
52: *
53: * This product includes cryptographic software written by Eric Young
54: * (eay@cryptsoft.com). This product includes software written by Tim
55: * Hudson (tjh@cryptsoft.com).
56: *
57: */
58:
59: #include <stdio.h>
60: #include <stdlib.h>
61: #include <string.h>
62:
63: #include "apps.h"
64:
65: #include <openssl/bio.h>
66: #include <openssl/bn.h>
67: #include <openssl/err.h>
68: #include <openssl/pem.h>
69: #include <openssl/ts.h>
70:
71: /* Length of the nonce of the request in bits (must be a multiple of 8). */
72: #define NONCE_LENGTH 64
73:
74: /* Macro definitions for the configuration file. */
75: #define ENV_OID_FILE "oid_file"
76:
77: /* Local function declarations. */
78:
79: static ASN1_OBJECT *txt2obj(const char *oid);
80: static CONF *load_config_file(const char *configfile);
81:
82: /* Query related functions. */
83: static int query_command(const char *data, char *digest,
84: const EVP_MD * md, const char *policy, int no_nonce,
85: int cert, const char *in, const char *out, int text);
86: static BIO *BIO_open_with_default(const char *file, const char *mode,
87: FILE * default_fp);
88: static TS_REQ *create_query(BIO * data_bio, char *digest, const EVP_MD * md,
89: const char *policy, int no_nonce, int cert);
90: static int create_digest(BIO * input, char *digest,
91: const EVP_MD * md, unsigned char **md_value);
92: static ASN1_INTEGER *create_nonce(int bits);
93:
94: /* Reply related functions. */
1.6 bcook 95: static int reply_command(CONF * conf, char *section,
1.1 jsing 96: char *queryfile, char *passin, char *inkey,
97: char *signer, char *chain, const char *policy,
98: char *in, int token_in, char *out, int token_out,
99: int text);
100: static TS_RESP *read_PKCS7(BIO * in_bio);
1.6 bcook 101: static TS_RESP *create_response(CONF * conf, const char *section,
1.1 jsing 102: char *queryfile, char *passin, char *inkey,
103: char *signer, char *chain, const char *policy);
104: static ASN1_INTEGER *serial_cb(TS_RESP_CTX * ctx, void *data);
105: static ASN1_INTEGER *next_serial(const char *serialfile);
106: static int save_ts_serial(const char *serialfile, ASN1_INTEGER * serial);
107:
108: /* Verify related functions. */
109: static int verify_command(char *data, char *digest, char *queryfile,
110: char *in, int token_in,
111: char *ca_path, char *ca_file, char *untrusted);
112: static TS_VERIFY_CTX *create_verify_ctx(char *data, char *digest,
113: char *queryfile,
114: char *ca_path, char *ca_file,
115: char *untrusted);
116: static X509_STORE *create_cert_store(char *ca_path, char *ca_file);
117: static int verify_cb(int ok, X509_STORE_CTX * ctx);
118:
119: int
120: ts_main(int argc, char **argv)
121: {
122: int ret = 1;
123: char *configfile = NULL;
124: char *section = NULL;
125: CONF *conf = NULL;
126: enum mode {
127: CMD_NONE, CMD_QUERY, CMD_REPLY, CMD_VERIFY
128: } mode = CMD_NONE;
129: char *data = NULL;
130: char *digest = NULL;
131: const EVP_MD *md = NULL;
132: char *policy = NULL;
133: int no_nonce = 0;
134: int cert = 0;
135: char *in = NULL;
136: char *out = NULL;
137: int text = 0;
138: char *queryfile = NULL;
139: char *passin = NULL; /* Password source. */
140: char *password = NULL; /* Password itself. */
141: char *inkey = NULL;
142: char *signer = NULL;
143: char *chain = NULL;
144: char *ca_path = NULL;
145: char *ca_file = NULL;
146: char *untrusted = NULL;
147: /* Input is ContentInfo instead of TimeStampResp. */
148: int token_in = 0;
149: /* Output is ContentInfo instead of TimeStampResp. */
150: int token_out = 0;
1.11 doug 151:
152: if (single_execution) {
1.14 deraadt 153: if (pledge("stdio cpath wpath rpath tty", NULL) == -1) {
1.11 doug 154: perror("pledge");
1.13 doug 155: exit(1);
156: }
1.11 doug 157: }
1.1 jsing 158:
159: for (argc--, argv++; argc > 0; argc--, argv++) {
160: if (strcmp(*argv, "-config") == 0) {
161: if (argc-- < 1)
162: goto usage;
163: configfile = *++argv;
164: } else if (strcmp(*argv, "-section") == 0) {
165: if (argc-- < 1)
166: goto usage;
167: section = *++argv;
168: } else if (strcmp(*argv, "-query") == 0) {
169: if (mode != CMD_NONE)
170: goto usage;
171: mode = CMD_QUERY;
172: } else if (strcmp(*argv, "-data") == 0) {
173: if (argc-- < 1)
174: goto usage;
175: data = *++argv;
176: } else if (strcmp(*argv, "-digest") == 0) {
177: if (argc-- < 1)
178: goto usage;
179: digest = *++argv;
180: } else if (strcmp(*argv, "-policy") == 0) {
181: if (argc-- < 1)
182: goto usage;
183: policy = *++argv;
184: } else if (strcmp(*argv, "-no_nonce") == 0) {
185: no_nonce = 1;
186: } else if (strcmp(*argv, "-cert") == 0) {
187: cert = 1;
188: } else if (strcmp(*argv, "-in") == 0) {
189: if (argc-- < 1)
190: goto usage;
191: in = *++argv;
192: } else if (strcmp(*argv, "-token_in") == 0) {
193: token_in = 1;
194: } else if (strcmp(*argv, "-out") == 0) {
195: if (argc-- < 1)
196: goto usage;
197: out = *++argv;
198: } else if (strcmp(*argv, "-token_out") == 0) {
199: token_out = 1;
200: } else if (strcmp(*argv, "-text") == 0) {
201: text = 1;
202: } else if (strcmp(*argv, "-reply") == 0) {
203: if (mode != CMD_NONE)
204: goto usage;
205: mode = CMD_REPLY;
206: } else if (strcmp(*argv, "-queryfile") == 0) {
207: if (argc-- < 1)
208: goto usage;
209: queryfile = *++argv;
210: } else if (strcmp(*argv, "-passin") == 0) {
211: if (argc-- < 1)
212: goto usage;
213: passin = *++argv;
214: } else if (strcmp(*argv, "-inkey") == 0) {
215: if (argc-- < 1)
216: goto usage;
217: inkey = *++argv;
218: } else if (strcmp(*argv, "-signer") == 0) {
219: if (argc-- < 1)
220: goto usage;
221: signer = *++argv;
222: } else if (strcmp(*argv, "-chain") == 0) {
223: if (argc-- < 1)
224: goto usage;
225: chain = *++argv;
226: } else if (strcmp(*argv, "-verify") == 0) {
227: if (mode != CMD_NONE)
228: goto usage;
229: mode = CMD_VERIFY;
230: } else if (strcmp(*argv, "-CApath") == 0) {
231: if (argc-- < 1)
232: goto usage;
233: ca_path = *++argv;
234: } else if (strcmp(*argv, "-CAfile") == 0) {
235: if (argc-- < 1)
236: goto usage;
237: ca_file = *++argv;
238: } else if (strcmp(*argv, "-untrusted") == 0) {
239: if (argc-- < 1)
240: goto usage;
241: untrusted = *++argv;
242: } else if ((md = EVP_get_digestbyname(*argv + 1)) != NULL) {
243: /* empty. */
244: } else
245: goto usage;
246: }
247:
248: /* Get the password if required. */
249: if (mode == CMD_REPLY && passin &&
250: !app_passwd(bio_err, passin, NULL, &password, NULL)) {
251: BIO_printf(bio_err, "Error getting password.\n");
252: goto cleanup;
253: }
254: /*
255: * Check consistency of parameters and execute the appropriate
256: * function.
257: */
258: switch (mode) {
259: case CMD_NONE:
260: goto usage;
261: case CMD_QUERY:
262: /*
263: * Data file and message imprint cannot be specified at the
264: * same time.
265: */
266: ret = data != NULL && digest != NULL;
267: if (ret)
268: goto usage;
269: /* Load the config file for possible policy OIDs. */
270: conf = load_config_file(configfile);
271: ret = !query_command(data, digest, md, policy, no_nonce, cert,
272: in, out, text);
273: break;
274: case CMD_REPLY:
275: conf = load_config_file(configfile);
276: if (in == NULL) {
277: ret = !(queryfile != NULL && conf != NULL && !token_in);
278: if (ret)
279: goto usage;
280: } else {
281: /* 'in' and 'queryfile' are exclusive. */
282: ret = !(queryfile == NULL);
283: if (ret)
284: goto usage;
285: }
286:
1.6 bcook 287: ret = !reply_command(conf, section, queryfile,
1.1 jsing 288: password, inkey, signer, chain, policy,
289: in, token_in, out, token_out, text);
290: break;
291: case CMD_VERIFY:
292: ret = !(((queryfile && !data && !digest) ||
293: (!queryfile && data && !digest) ||
294: (!queryfile && !data && digest)) && in != NULL);
295: if (ret)
296: goto usage;
297:
298: ret = !verify_command(data, digest, queryfile, in, token_in,
299: ca_path, ca_file, untrusted);
300: }
301:
302: goto cleanup;
303:
1.15 ! jsing 304: usage:
1.1 jsing 305: BIO_printf(bio_err, "usage:\n"
306: "ts -query [-config configfile] "
307: "[-data file_to_hash] [-digest digest_bytes]"
1.10 bcook 308: "[-md4|-md5|-sha1|-ripemd160] "
1.1 jsing 309: "[-policy object_id] [-no_nonce] [-cert] "
310: "[-in request.tsq] [-out request.tsq] [-text]\n");
311: BIO_printf(bio_err, "or\n"
312: "ts -reply [-config configfile] [-section tsa_section] "
313: "[-queryfile request.tsq] [-passin password] "
314: "[-signer tsa_cert.pem] [-inkey private_key.pem] "
315: "[-chain certs_file.pem] [-policy object_id] "
316: "[-in response.tsr] [-token_in] "
1.6 bcook 317: "[-out response.tsr] [-token_out] [-text]\n");
1.1 jsing 318: BIO_printf(bio_err, "or\n"
319: "ts -verify [-data file_to_hash] [-digest digest_bytes] "
320: "[-queryfile request.tsq] "
321: "-in response.tsr [-token_in] "
322: "-CApath ca_path -CAfile ca_file.pem "
323: "-untrusted cert_file.pem\n");
324:
1.15 ! jsing 325: cleanup:
1.1 jsing 326: /* Clean up. */
327: NCONF_free(conf);
328: free(password);
329: OBJ_cleanup();
330:
331: return (ret);
332: }
333:
334: /*
335: * Configuration file-related function definitions.
336: */
337:
338: static ASN1_OBJECT *
339: txt2obj(const char *oid)
340: {
341: ASN1_OBJECT *oid_obj = NULL;
342:
343: if (!(oid_obj = OBJ_txt2obj(oid, 0)))
344: BIO_printf(bio_err, "cannot convert %s to OID\n", oid);
345:
346: return oid_obj;
347: }
348:
349: static CONF *
350: load_config_file(const char *configfile)
351: {
352: CONF *conf = NULL;
353: long errorline = -1;
354:
355: if (!configfile)
356: configfile = getenv("OPENSSL_CONF");
357:
358: if (configfile &&
359: (!(conf = NCONF_new(NULL)) ||
360: NCONF_load(conf, configfile, &errorline) <= 0)) {
361: if (errorline <= 0)
362: BIO_printf(bio_err, "error loading the config file "
363: "'%s'\n", configfile);
364: else
365: BIO_printf(bio_err, "error on line %ld of config file "
366: "'%s'\n", errorline, configfile);
367: }
368: if (conf != NULL) {
369: const char *p;
370:
371: BIO_printf(bio_err, "Using configuration from %s\n",
372: configfile);
373: p = NCONF_get_string(conf, NULL, ENV_OID_FILE);
374: if (p != NULL) {
375: BIO *oid_bio = BIO_new_file(p, "r");
376: if (!oid_bio)
377: ERR_print_errors(bio_err);
378: else {
379: OBJ_create_objects(oid_bio);
380: BIO_free_all(oid_bio);
381: }
382: } else
383: ERR_clear_error();
384: if (!add_oid_section(bio_err, conf))
385: ERR_print_errors(bio_err);
386: }
387: return conf;
388: }
389:
390: /*
391: * Query-related method definitions.
392: */
393:
394: static int
395: query_command(const char *data, char *digest, const EVP_MD * md,
396: const char *policy, int no_nonce, int cert, const char *in,
397: const char *out, int text)
398: {
399: int ret = 0;
400: TS_REQ *query = NULL;
401: BIO *in_bio = NULL;
402: BIO *data_bio = NULL;
403: BIO *out_bio = NULL;
404:
405: /* Build query object either from file or from scratch. */
406: if (in != NULL) {
407: if ((in_bio = BIO_new_file(in, "rb")) == NULL)
408: goto end;
409: query = d2i_TS_REQ_bio(in_bio, NULL);
410: } else {
411: /* Open the file if no explicit digest bytes were specified. */
412: if (!digest &&
413: !(data_bio = BIO_open_with_default(data, "rb", stdin)))
414: goto end;
415: /* Creating the query object. */
416: query = create_query(data_bio, digest, md,
417: policy, no_nonce, cert);
418: /* Saving the random number generator state. */
419: }
420: if (query == NULL)
421: goto end;
422:
423: /* Write query either in ASN.1 or in text format. */
424: if ((out_bio = BIO_open_with_default(out, "wb", stdout)) == NULL)
425: goto end;
426: if (text) {
427: /* Text output. */
428: if (!TS_REQ_print_bio(out_bio, query))
429: goto end;
430: } else {
431: /* ASN.1 output. */
432: if (!i2d_TS_REQ_bio(out_bio, query))
433: goto end;
434: }
435:
436: ret = 1;
437:
1.15 ! jsing 438: end:
1.1 jsing 439: ERR_print_errors(bio_err);
440:
441: /* Clean up. */
442: BIO_free_all(in_bio);
443: BIO_free_all(data_bio);
444: BIO_free_all(out_bio);
445: TS_REQ_free(query);
446:
447: return ret;
448: }
449:
450: static BIO *
451: BIO_open_with_default(const char *file, const char *mode, FILE * default_fp)
452: {
453: return file == NULL ? BIO_new_fp(default_fp, BIO_NOCLOSE) :
454: BIO_new_file(file, mode);
455: }
456:
457: static TS_REQ *
458: create_query(BIO * data_bio, char *digest, const EVP_MD * md,
459: const char *policy, int no_nonce, int cert)
460: {
461: int ret = 0;
462: TS_REQ *ts_req = NULL;
463: int len;
464: TS_MSG_IMPRINT *msg_imprint = NULL;
465: X509_ALGOR *algo = NULL;
466: unsigned char *data = NULL;
467: ASN1_OBJECT *policy_obj = NULL;
468: ASN1_INTEGER *nonce_asn1 = NULL;
469:
470: /* Setting default message digest. */
471: if (!md && !(md = EVP_get_digestbyname("sha1")))
472: goto err;
473:
474: /* Creating request object. */
475: if (!(ts_req = TS_REQ_new()))
476: goto err;
477:
478: /* Setting version. */
479: if (!TS_REQ_set_version(ts_req, 1))
480: goto err;
481:
482: /* Creating and adding MSG_IMPRINT object. */
483: if (!(msg_imprint = TS_MSG_IMPRINT_new()))
484: goto err;
485:
486: /* Adding algorithm. */
487: if (!(algo = X509_ALGOR_new()))
488: goto err;
489: if (!(algo->algorithm = OBJ_nid2obj(EVP_MD_type(md))))
490: goto err;
491: if (!(algo->parameter = ASN1_TYPE_new()))
492: goto err;
493: algo->parameter->type = V_ASN1_NULL;
494: if (!TS_MSG_IMPRINT_set_algo(msg_imprint, algo))
495: goto err;
496:
497: /* Adding message digest. */
498: if ((len = create_digest(data_bio, digest, md, &data)) == 0)
499: goto err;
500: if (!TS_MSG_IMPRINT_set_msg(msg_imprint, data, len))
501: goto err;
502:
503: if (!TS_REQ_set_msg_imprint(ts_req, msg_imprint))
504: goto err;
505:
506: /* Setting policy if requested. */
507: if (policy && !(policy_obj = txt2obj(policy)))
508: goto err;
509: if (policy_obj && !TS_REQ_set_policy_id(ts_req, policy_obj))
510: goto err;
511:
512: /* Setting nonce if requested. */
513: if (!no_nonce && !(nonce_asn1 = create_nonce(NONCE_LENGTH)))
514: goto err;
515: if (nonce_asn1 && !TS_REQ_set_nonce(ts_req, nonce_asn1))
516: goto err;
517:
518: /* Setting certificate request flag if requested. */
519: if (!TS_REQ_set_cert_req(ts_req, cert))
520: goto err;
521:
522: ret = 1;
523:
1.15 ! jsing 524: err:
1.1 jsing 525: if (!ret) {
526: TS_REQ_free(ts_req);
527: ts_req = NULL;
528: BIO_printf(bio_err, "could not create query\n");
529: }
530: TS_MSG_IMPRINT_free(msg_imprint);
531: X509_ALGOR_free(algo);
532: free(data);
533: ASN1_OBJECT_free(policy_obj);
534: ASN1_INTEGER_free(nonce_asn1);
535:
536: return ts_req;
537: }
538:
539: static int
540: create_digest(BIO * input, char *digest, const EVP_MD * md,
541: unsigned char **md_value)
542: {
543: int md_value_len;
544:
545: md_value_len = EVP_MD_size(md);
546: if (md_value_len < 0)
547: goto err;
548: if (input) {
549: /* Digest must be computed from an input file. */
550: EVP_MD_CTX md_ctx;
551: unsigned char buffer[4096];
552: int length;
553:
554: *md_value = malloc(md_value_len);
555: if (*md_value == 0)
556: goto err;
557:
558: EVP_DigestInit(&md_ctx, md);
559: while ((length = BIO_read(input, buffer, sizeof(buffer))) > 0) {
560: EVP_DigestUpdate(&md_ctx, buffer, length);
561: }
562: EVP_DigestFinal(&md_ctx, *md_value, NULL);
563: } else {
564: /* Digest bytes are specified with digest. */
565: long digest_len;
566: *md_value = string_to_hex(digest, &digest_len);
567: if (!*md_value || md_value_len != digest_len) {
568: free(*md_value);
569: *md_value = NULL;
570: BIO_printf(bio_err, "bad digest, %d bytes "
571: "must be specified\n", md_value_len);
572: goto err;
573: }
574: }
575:
576: return md_value_len;
1.15 ! jsing 577: err:
1.1 jsing 578: return 0;
579: }
580:
581: static ASN1_INTEGER *
582: create_nonce(int bits)
583: {
584: unsigned char buf[20];
585: ASN1_INTEGER *nonce = NULL;
586: int len = (bits - 1) / 8 + 1;
587: int i;
588:
589: /* Generating random byte sequence. */
590: if (len > (int) sizeof(buf))
591: goto err;
1.3 jsing 592: arc4random_buf(buf, len);
1.1 jsing 593:
594: /* Find the first non-zero byte and creating ASN1_INTEGER object. */
595: for (i = 0; i < len && !buf[i]; ++i)
596: ;
597: if (!(nonce = ASN1_INTEGER_new()))
598: goto err;
599: free(nonce->data);
600: /* Allocate at least one byte. */
601: nonce->length = len - i;
602: if (!(nonce->data = malloc(nonce->length + 1)))
603: goto err;
604: memcpy(nonce->data, buf + i, nonce->length);
605:
606: return nonce;
607:
1.15 ! jsing 608: err:
1.1 jsing 609: BIO_printf(bio_err, "could not create nonce\n");
610: ASN1_INTEGER_free(nonce);
611: return NULL;
612: }
613: /*
614: * Reply-related method definitions.
615: */
616:
617: static int
1.6 bcook 618: reply_command(CONF * conf, char *section, char *queryfile,
1.1 jsing 619: char *passin, char *inkey, char *signer, char *chain, const char *policy,
620: char *in, int token_in, char *out, int token_out, int text)
621: {
622: int ret = 0;
623: TS_RESP *response = NULL;
624: BIO *in_bio = NULL;
625: BIO *query_bio = NULL;
626: BIO *inkey_bio = NULL;
627: BIO *signer_bio = NULL;
628: BIO *out_bio = NULL;
629:
630: /* Build response object either from response or query. */
631: if (in != NULL) {
632: if ((in_bio = BIO_new_file(in, "rb")) == NULL)
633: goto end;
634: if (token_in) {
635: /*
636: * We have a ContentInfo (PKCS7) object, add
637: * 'granted' status info around it.
638: */
639: response = read_PKCS7(in_bio);
640: } else {
641: /* We have a ready-made TS_RESP object. */
642: response = d2i_TS_RESP_bio(in_bio, NULL);
643: }
644: } else {
1.6 bcook 645: response = create_response(conf, section, queryfile,
1.1 jsing 646: passin, inkey, signer, chain,
647: policy);
648: if (response)
649: BIO_printf(bio_err, "Response has been generated.\n");
650: else
651: BIO_printf(bio_err, "Response is not generated.\n");
652: }
653: if (response == NULL)
654: goto end;
655:
656: /* Write response either in ASN.1 or text format. */
657: if ((out_bio = BIO_open_with_default(out, "wb", stdout)) == NULL)
658: goto end;
659: if (text) {
660: /* Text output. */
661: if (token_out) {
662: TS_TST_INFO *tst_info = TS_RESP_get_tst_info(response);
663: if (!TS_TST_INFO_print_bio(out_bio, tst_info))
664: goto end;
665: } else {
666: if (!TS_RESP_print_bio(out_bio, response))
667: goto end;
668: }
669: } else {
670: /* ASN.1 DER output. */
671: if (token_out) {
672: PKCS7 *token = TS_RESP_get_token(response);
673: if (!i2d_PKCS7_bio(out_bio, token))
674: goto end;
675: } else {
676: if (!i2d_TS_RESP_bio(out_bio, response))
677: goto end;
678: }
679: }
680:
681: ret = 1;
682:
1.15 ! jsing 683: end:
1.1 jsing 684: ERR_print_errors(bio_err);
685:
686: /* Clean up. */
687: BIO_free_all(in_bio);
688: BIO_free_all(query_bio);
689: BIO_free_all(inkey_bio);
690: BIO_free_all(signer_bio);
691: BIO_free_all(out_bio);
692: TS_RESP_free(response);
693:
694: return ret;
695: }
696:
697: /* Reads a PKCS7 token and adds default 'granted' status info to it. */
698: static TS_RESP *
699: read_PKCS7(BIO * in_bio)
700: {
701: int ret = 0;
702: PKCS7 *token = NULL;
703: TS_TST_INFO *tst_info = NULL;
704: TS_RESP *resp = NULL;
705: TS_STATUS_INFO *si = NULL;
706:
707: /* Read PKCS7 object and extract the signed time stamp info. */
708: if (!(token = d2i_PKCS7_bio(in_bio, NULL)))
709: goto end;
710: if (!(tst_info = PKCS7_to_TS_TST_INFO(token)))
711: goto end;
712:
713: /* Creating response object. */
714: if (!(resp = TS_RESP_new()))
715: goto end;
716:
717: /* Create granted status info. */
718: if (!(si = TS_STATUS_INFO_new()))
719: goto end;
720: if (!(ASN1_INTEGER_set(si->status, TS_STATUS_GRANTED)))
721: goto end;
722: if (!TS_RESP_set_status_info(resp, si))
723: goto end;
724:
725: /* Setting encapsulated token. */
726: TS_RESP_set_tst_info(resp, token, tst_info);
727: token = NULL; /* Ownership is lost. */
728: tst_info = NULL; /* Ownership is lost. */
729:
730: ret = 1;
1.15 ! jsing 731: end:
1.1 jsing 732: PKCS7_free(token);
733: TS_TST_INFO_free(tst_info);
734: if (!ret) {
735: TS_RESP_free(resp);
736: resp = NULL;
737: }
738: TS_STATUS_INFO_free(si);
739: return resp;
740: }
741:
742: static TS_RESP *
1.6 bcook 743: create_response(CONF * conf, const char *section,
1.1 jsing 744: char *queryfile, char *passin, char *inkey,
745: char *signer, char *chain, const char *policy)
746: {
747: int ret = 0;
748: TS_RESP *response = NULL;
749: BIO *query_bio = NULL;
750: TS_RESP_CTX *resp_ctx = NULL;
751:
752: if (!(query_bio = BIO_new_file(queryfile, "rb")))
753: goto end;
754:
755: /* Getting TSA configuration section. */
756: if (!(section = TS_CONF_get_tsa_section(conf, section)))
757: goto end;
758:
759: /* Setting up response generation context. */
760: if (!(resp_ctx = TS_RESP_CTX_new()))
761: goto end;
762:
763: /* Setting serial number provider callback. */
764: if (!TS_CONF_set_serial(conf, section, serial_cb, resp_ctx))
765: goto end;
766:
767: /* Setting TSA signer certificate. */
768: if (!TS_CONF_set_signer_cert(conf, section, signer, resp_ctx))
769: goto end;
770:
771: /* Setting TSA signer certificate chain. */
772: if (!TS_CONF_set_certs(conf, section, chain, resp_ctx))
773: goto end;
774:
775: /* Setting TSA signer private key. */
776: if (!TS_CONF_set_signer_key(conf, section, inkey, passin, resp_ctx))
777: goto end;
778:
779: /* Setting default policy OID. */
780: if (!TS_CONF_set_def_policy(conf, section, policy, resp_ctx))
781: goto end;
782:
783: /* Setting acceptable policy OIDs. */
784: if (!TS_CONF_set_policies(conf, section, resp_ctx))
785: goto end;
786:
787: /* Setting the acceptable one-way hash algorithms. */
788: if (!TS_CONF_set_digests(conf, section, resp_ctx))
789: goto end;
790:
791: /* Setting guaranteed time stamp accuracy. */
792: if (!TS_CONF_set_accuracy(conf, section, resp_ctx))
793: goto end;
794:
795: /* Setting the precision of the time. */
796: if (!TS_CONF_set_clock_precision_digits(conf, section, resp_ctx))
797: goto end;
798:
799: /* Setting the ordering flaf if requested. */
800: if (!TS_CONF_set_ordering(conf, section, resp_ctx))
801: goto end;
802:
803: /* Setting the TSA name required flag if requested. */
804: if (!TS_CONF_set_tsa_name(conf, section, resp_ctx))
805: goto end;
806:
807: /* Setting the ESS cert id chain flag if requested. */
808: if (!TS_CONF_set_ess_cert_id_chain(conf, section, resp_ctx))
809: goto end;
810:
811: /* Creating the response. */
812: if (!(response = TS_RESP_create_response(resp_ctx, query_bio)))
813: goto end;
814:
815: ret = 1;
1.15 ! jsing 816: end:
1.1 jsing 817: if (!ret) {
818: TS_RESP_free(response);
819: response = NULL;
820: }
821: TS_RESP_CTX_free(resp_ctx);
822: BIO_free_all(query_bio);
823:
824: return response;
825: }
826:
827: static ASN1_INTEGER *
828: serial_cb(TS_RESP_CTX * ctx, void *data)
829: {
830: const char *serial_file = (const char *) data;
831: ASN1_INTEGER *serial = next_serial(serial_file);
832:
833: if (!serial) {
834: TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
835: "Error during serial number "
836: "generation.");
837: TS_RESP_CTX_add_failure_info(ctx,
838: TS_INFO_ADD_INFO_NOT_AVAILABLE);
839: } else
840: save_ts_serial(serial_file, serial);
841:
842: return serial;
843: }
844:
845: static ASN1_INTEGER *
846: next_serial(const char *serialfile)
847: {
848: int ret = 0;
849: BIO *in = NULL;
850: ASN1_INTEGER *serial = NULL;
851: BIGNUM *bn = NULL;
852:
853: if (!(serial = ASN1_INTEGER_new()))
854: goto err;
855:
856: if (!(in = BIO_new_file(serialfile, "r"))) {
857: ERR_clear_error();
858: BIO_printf(bio_err, "Warning: could not open file %s for "
859: "reading, using serial number: 1\n", serialfile);
860: if (!ASN1_INTEGER_set(serial, 1))
861: goto err;
862: } else {
863: char buf[1024];
864: if (!a2i_ASN1_INTEGER(in, serial, buf, sizeof(buf))) {
865: BIO_printf(bio_err, "unable to load number from %s\n",
866: serialfile);
867: goto err;
868: }
869: if (!(bn = ASN1_INTEGER_to_BN(serial, NULL)))
870: goto err;
871: ASN1_INTEGER_free(serial);
872: serial = NULL;
873: if (!BN_add_word(bn, 1))
874: goto err;
875: if (!(serial = BN_to_ASN1_INTEGER(bn, NULL)))
876: goto err;
877: }
878: ret = 1;
1.15 ! jsing 879: err:
1.1 jsing 880: if (!ret) {
881: ASN1_INTEGER_free(serial);
882: serial = NULL;
883: }
884: BIO_free_all(in);
885: BN_free(bn);
886: return serial;
887: }
888:
889: static int
890: save_ts_serial(const char *serialfile, ASN1_INTEGER * serial)
891: {
892: int ret = 0;
893: BIO *out = NULL;
894:
895: if (!(out = BIO_new_file(serialfile, "w")))
896: goto err;
897: if (i2a_ASN1_INTEGER(out, serial) <= 0)
898: goto err;
899: if (BIO_puts(out, "\n") <= 0)
900: goto err;
901: ret = 1;
1.15 ! jsing 902: err:
1.1 jsing 903: if (!ret)
904: BIO_printf(bio_err, "could not save serial number to %s\n",
905: serialfile);
906: BIO_free_all(out);
907: return ret;
908: }
909:
910: /*
911: * Verify-related method definitions.
912: */
913:
914: static int
915: verify_command(char *data, char *digest, char *queryfile, char *in,
916: int token_in, char *ca_path, char *ca_file, char *untrusted)
917: {
918: BIO *in_bio = NULL;
919: PKCS7 *token = NULL;
920: TS_RESP *response = NULL;
921: TS_VERIFY_CTX *verify_ctx = NULL;
922: int ret = 0;
923:
924: /* Decode the token (PKCS7) or response (TS_RESP) files. */
925: if (!(in_bio = BIO_new_file(in, "rb")))
926: goto end;
927: if (token_in) {
928: if (!(token = d2i_PKCS7_bio(in_bio, NULL)))
929: goto end;
930: } else {
931: if (!(response = d2i_TS_RESP_bio(in_bio, NULL)))
932: goto end;
933: }
934:
935: if (!(verify_ctx = create_verify_ctx(data, digest, queryfile,
936: ca_path, ca_file, untrusted)))
937: goto end;
938:
939: /* Checking the token or response against the request. */
940: ret = token_in ?
941: TS_RESP_verify_token(verify_ctx, token) :
942: TS_RESP_verify_response(verify_ctx, response);
943:
1.15 ! jsing 944: end:
1.1 jsing 945: printf("Verification: ");
946: if (ret)
947: printf("OK\n");
948: else {
949: printf("FAILED\n");
950: /* Print errors, if there are any. */
951: ERR_print_errors(bio_err);
952: }
953:
954: /* Clean up. */
955: BIO_free_all(in_bio);
956: PKCS7_free(token);
957: TS_RESP_free(response);
958: TS_VERIFY_CTX_free(verify_ctx);
959: return ret;
960: }
961:
962: static TS_VERIFY_CTX *
963: create_verify_ctx(char *data, char *digest, char *queryfile, char *ca_path,
964: char *ca_file, char *untrusted)
965: {
966: TS_VERIFY_CTX *ctx = NULL;
967: BIO *input = NULL;
968: TS_REQ *request = NULL;
969: int ret = 0;
970:
971: if (data != NULL || digest != NULL) {
972: if (!(ctx = TS_VERIFY_CTX_new()))
973: goto err;
974: ctx->flags = TS_VFY_VERSION | TS_VFY_SIGNER;
975: if (data != NULL) {
976: ctx->flags |= TS_VFY_DATA;
977: if (!(ctx->data = BIO_new_file(data, "rb")))
978: goto err;
979: } else if (digest != NULL) {
980: long imprint_len;
981: ctx->flags |= TS_VFY_IMPRINT;
982: if (!(ctx->imprint = string_to_hex(digest,
983: &imprint_len))) {
984: BIO_printf(bio_err, "invalid digest string\n");
985: goto err;
986: }
987: ctx->imprint_len = imprint_len;
988: }
989: } else if (queryfile != NULL) {
990: /*
991: * The request has just to be read, decoded and converted to
992: * a verify context object.
993: */
994: if (!(input = BIO_new_file(queryfile, "rb")))
995: goto err;
996: if (!(request = d2i_TS_REQ_bio(input, NULL)))
997: goto err;
998: if (!(ctx = TS_REQ_to_TS_VERIFY_CTX(request, NULL)))
999: goto err;
1000: } else
1001: return NULL;
1002:
1003: /* Add the signature verification flag and arguments. */
1004: ctx->flags |= TS_VFY_SIGNATURE;
1005:
1006: /* Initialising the X509_STORE object. */
1007: if (!(ctx->store = create_cert_store(ca_path, ca_file)))
1008: goto err;
1009:
1010: /* Loading untrusted certificates. */
1011: if (untrusted && !(ctx->certs = TS_CONF_load_certs(untrusted)))
1012: goto err;
1013:
1014: ret = 1;
1.15 ! jsing 1015: err:
1.1 jsing 1016: if (!ret) {
1017: TS_VERIFY_CTX_free(ctx);
1018: ctx = NULL;
1019: }
1020: BIO_free_all(input);
1021: TS_REQ_free(request);
1022: return ctx;
1023: }
1024:
1025: static X509_STORE *
1026: create_cert_store(char *ca_path, char *ca_file)
1027: {
1028: X509_STORE *cert_ctx = NULL;
1029: X509_LOOKUP *lookup = NULL;
1030: int i;
1031:
1032: /* Creating the X509_STORE object. */
1033: cert_ctx = X509_STORE_new();
1034:
1035: /* Setting the callback for certificate chain verification. */
1036: X509_STORE_set_verify_cb(cert_ctx, verify_cb);
1037:
1038: /* Adding a trusted certificate directory source. */
1039: if (ca_path) {
1040: lookup = X509_STORE_add_lookup(cert_ctx,
1041: X509_LOOKUP_hash_dir());
1042: if (lookup == NULL) {
1043: BIO_printf(bio_err, "memory allocation failure\n");
1044: goto err;
1045: }
1046: i = X509_LOOKUP_add_dir(lookup, ca_path, X509_FILETYPE_PEM);
1047: if (!i) {
1048: BIO_printf(bio_err, "Error loading directory %s\n",
1049: ca_path);
1050: goto err;
1051: }
1052: }
1053: /* Adding a trusted certificate file source. */
1054: if (ca_file) {
1055: lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_file());
1056: if (lookup == NULL) {
1057: BIO_printf(bio_err, "memory allocation failure\n");
1058: goto err;
1059: }
1060: i = X509_LOOKUP_load_file(lookup, ca_file, X509_FILETYPE_PEM);
1061: if (!i) {
1062: BIO_printf(bio_err, "Error loading file %s\n", ca_file);
1063: goto err;
1064: }
1065: }
1066: return cert_ctx;
1.15 ! jsing 1067: err:
1.1 jsing 1068: X509_STORE_free(cert_ctx);
1069: return NULL;
1070: }
1071:
1072: static int
1073: verify_cb(int ok, X509_STORE_CTX * ctx)
1074: {
1075: /*
1076: char buf[256];
1077:
1078: if (!ok)
1079: {
1080: X509_NAME_oneline(X509_get_subject_name(ctx->current_cert),
1081: buf, sizeof(buf));
1082: printf("%s\n", buf);
1083: printf("error %d at %d depth lookup: %s\n",
1084: ctx->error, ctx->error_depth,
1085: X509_verify_cert_error_string(ctx->error));
1086: }
1087: */
1088:
1089: return ok;
1090: }