Annotation of src/usr.bin/openssl/ts.c, Revision 1.2
1.2 ! jsing 1: /* $OpenBSD: ts.c,v 1.1 2014/08/26 17:47:25 jsing Exp $ */
1.1 jsing 2: /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
3: * project 2002.
4: */
5: /* ====================================================================
6: * Copyright (c) 2001 The OpenSSL Project. All rights reserved.
7: *
8: * Redistribution and use in source and binary forms, with or without
9: * modification, are permitted provided that the following conditions
10: * are met:
11: *
12: * 1. Redistributions of source code must retain the above copyright
13: * notice, this list of conditions and the following disclaimer.
14: *
15: * 2. Redistributions in binary form must reproduce the above copyright
16: * notice, this list of conditions and the following disclaimer in
17: * the documentation and/or other materials provided with the
18: * distribution.
19: *
20: * 3. All advertising materials mentioning features or use of this
21: * software must display the following acknowledgment:
22: * "This product includes software developed by the OpenSSL Project
23: * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24: *
25: * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26: * endorse or promote products derived from this software without
27: * prior written permission. For written permission, please contact
28: * licensing@OpenSSL.org.
29: *
30: * 5. Products derived from this software may not be called "OpenSSL"
31: * nor may "OpenSSL" appear in their names without prior written
32: * permission of the OpenSSL Project.
33: *
34: * 6. Redistributions of any form whatsoever must retain the following
35: * acknowledgment:
36: * "This product includes software developed by the OpenSSL Project
37: * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38: *
39: * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40: * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41: * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42: * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
43: * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44: * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45: * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46: * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47: * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48: * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49: * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50: * OF THE POSSIBILITY OF SUCH DAMAGE.
51: * ====================================================================
52: *
53: * This product includes cryptographic software written by Eric Young
54: * (eay@cryptsoft.com). This product includes software written by Tim
55: * Hudson (tjh@cryptsoft.com).
56: *
57: */
58:
59: #include <stdio.h>
60: #include <stdlib.h>
61: #include <string.h>
62:
63: #include "apps.h"
64:
65: #include <openssl/bio.h>
66: #include <openssl/bn.h>
67: #include <openssl/err.h>
68: #include <openssl/pem.h>
69: #include <openssl/rand.h>
70: #include <openssl/ts.h>
71:
72: /* Length of the nonce of the request in bits (must be a multiple of 8). */
73: #define NONCE_LENGTH 64
74:
75: /* Macro definitions for the configuration file. */
76: #define ENV_OID_FILE "oid_file"
77:
78: /* Local function declarations. */
79:
80: static ASN1_OBJECT *txt2obj(const char *oid);
81: static CONF *load_config_file(const char *configfile);
82:
83: /* Query related functions. */
84: static int query_command(const char *data, char *digest,
85: const EVP_MD * md, const char *policy, int no_nonce,
86: int cert, const char *in, const char *out, int text);
87: static BIO *BIO_open_with_default(const char *file, const char *mode,
88: FILE * default_fp);
89: static TS_REQ *create_query(BIO * data_bio, char *digest, const EVP_MD * md,
90: const char *policy, int no_nonce, int cert);
91: static int create_digest(BIO * input, char *digest,
92: const EVP_MD * md, unsigned char **md_value);
93: static ASN1_INTEGER *create_nonce(int bits);
94:
95: /* Reply related functions. */
96: static int reply_command(CONF * conf, char *section, char *engine,
97: char *queryfile, char *passin, char *inkey,
98: char *signer, char *chain, const char *policy,
99: char *in, int token_in, char *out, int token_out,
100: int text);
101: static TS_RESP *read_PKCS7(BIO * in_bio);
102: static TS_RESP *create_response(CONF * conf, const char *section, char *engine,
103: char *queryfile, char *passin, char *inkey,
104: char *signer, char *chain, const char *policy);
105: static ASN1_INTEGER *serial_cb(TS_RESP_CTX * ctx, void *data);
106: static ASN1_INTEGER *next_serial(const char *serialfile);
107: static int save_ts_serial(const char *serialfile, ASN1_INTEGER * serial);
108:
109: /* Verify related functions. */
110: static int verify_command(char *data, char *digest, char *queryfile,
111: char *in, int token_in,
112: char *ca_path, char *ca_file, char *untrusted);
113: static TS_VERIFY_CTX *create_verify_ctx(char *data, char *digest,
114: char *queryfile,
115: char *ca_path, char *ca_file,
116: char *untrusted);
117: static X509_STORE *create_cert_store(char *ca_path, char *ca_file);
118: static int verify_cb(int ok, X509_STORE_CTX * ctx);
119:
120: /* Main function definition. */
121: int ts_main(int, char **);
122:
123: int
124: ts_main(int argc, char **argv)
125: {
126: int ret = 1;
127: char *configfile = NULL;
128: char *section = NULL;
129: CONF *conf = NULL;
130: enum mode {
131: CMD_NONE, CMD_QUERY, CMD_REPLY, CMD_VERIFY
132: } mode = CMD_NONE;
133: char *data = NULL;
134: char *digest = NULL;
135: const EVP_MD *md = NULL;
136: char *policy = NULL;
137: int no_nonce = 0;
138: int cert = 0;
139: char *in = NULL;
140: char *out = NULL;
141: int text = 0;
142: char *queryfile = NULL;
143: char *passin = NULL; /* Password source. */
144: char *password = NULL; /* Password itself. */
145: char *inkey = NULL;
146: char *signer = NULL;
147: char *chain = NULL;
148: char *ca_path = NULL;
149: char *ca_file = NULL;
150: char *untrusted = NULL;
151: char *engine = NULL;
152: /* Input is ContentInfo instead of TimeStampResp. */
153: int token_in = 0;
154: /* Output is ContentInfo instead of TimeStampResp. */
155: int token_out = 0;
156:
157: for (argc--, argv++; argc > 0; argc--, argv++) {
158: if (strcmp(*argv, "-config") == 0) {
159: if (argc-- < 1)
160: goto usage;
161: configfile = *++argv;
162: } else if (strcmp(*argv, "-section") == 0) {
163: if (argc-- < 1)
164: goto usage;
165: section = *++argv;
166: } else if (strcmp(*argv, "-query") == 0) {
167: if (mode != CMD_NONE)
168: goto usage;
169: mode = CMD_QUERY;
170: } else if (strcmp(*argv, "-data") == 0) {
171: if (argc-- < 1)
172: goto usage;
173: data = *++argv;
174: } else if (strcmp(*argv, "-digest") == 0) {
175: if (argc-- < 1)
176: goto usage;
177: digest = *++argv;
178: } else if (strcmp(*argv, "-policy") == 0) {
179: if (argc-- < 1)
180: goto usage;
181: policy = *++argv;
182: } else if (strcmp(*argv, "-no_nonce") == 0) {
183: no_nonce = 1;
184: } else if (strcmp(*argv, "-cert") == 0) {
185: cert = 1;
186: } else if (strcmp(*argv, "-in") == 0) {
187: if (argc-- < 1)
188: goto usage;
189: in = *++argv;
190: } else if (strcmp(*argv, "-token_in") == 0) {
191: token_in = 1;
192: } else if (strcmp(*argv, "-out") == 0) {
193: if (argc-- < 1)
194: goto usage;
195: out = *++argv;
196: } else if (strcmp(*argv, "-token_out") == 0) {
197: token_out = 1;
198: } else if (strcmp(*argv, "-text") == 0) {
199: text = 1;
200: } else if (strcmp(*argv, "-reply") == 0) {
201: if (mode != CMD_NONE)
202: goto usage;
203: mode = CMD_REPLY;
204: } else if (strcmp(*argv, "-queryfile") == 0) {
205: if (argc-- < 1)
206: goto usage;
207: queryfile = *++argv;
208: } else if (strcmp(*argv, "-passin") == 0) {
209: if (argc-- < 1)
210: goto usage;
211: passin = *++argv;
212: } else if (strcmp(*argv, "-inkey") == 0) {
213: if (argc-- < 1)
214: goto usage;
215: inkey = *++argv;
216: } else if (strcmp(*argv, "-signer") == 0) {
217: if (argc-- < 1)
218: goto usage;
219: signer = *++argv;
220: } else if (strcmp(*argv, "-chain") == 0) {
221: if (argc-- < 1)
222: goto usage;
223: chain = *++argv;
224: } else if (strcmp(*argv, "-verify") == 0) {
225: if (mode != CMD_NONE)
226: goto usage;
227: mode = CMD_VERIFY;
228: } else if (strcmp(*argv, "-CApath") == 0) {
229: if (argc-- < 1)
230: goto usage;
231: ca_path = *++argv;
232: } else if (strcmp(*argv, "-CAfile") == 0) {
233: if (argc-- < 1)
234: goto usage;
235: ca_file = *++argv;
236: } else if (strcmp(*argv, "-untrusted") == 0) {
237: if (argc-- < 1)
238: goto usage;
239: untrusted = *++argv;
240: } else if (strcmp(*argv, "-engine") == 0) {
241: if (argc-- < 1)
242: goto usage;
243: engine = *++argv;
244: } else if ((md = EVP_get_digestbyname(*argv + 1)) != NULL) {
245: /* empty. */
246: } else
247: goto usage;
248: }
249:
250: /* Get the password if required. */
251: if (mode == CMD_REPLY && passin &&
252: !app_passwd(bio_err, passin, NULL, &password, NULL)) {
253: BIO_printf(bio_err, "Error getting password.\n");
254: goto cleanup;
255: }
256: /*
257: * Check consistency of parameters and execute the appropriate
258: * function.
259: */
260: switch (mode) {
261: case CMD_NONE:
262: goto usage;
263: case CMD_QUERY:
264: /*
265: * Data file and message imprint cannot be specified at the
266: * same time.
267: */
268: ret = data != NULL && digest != NULL;
269: if (ret)
270: goto usage;
271: /* Load the config file for possible policy OIDs. */
272: conf = load_config_file(configfile);
273: ret = !query_command(data, digest, md, policy, no_nonce, cert,
274: in, out, text);
275: break;
276: case CMD_REPLY:
277: conf = load_config_file(configfile);
278: if (in == NULL) {
279: ret = !(queryfile != NULL && conf != NULL && !token_in);
280: if (ret)
281: goto usage;
282: } else {
283: /* 'in' and 'queryfile' are exclusive. */
284: ret = !(queryfile == NULL);
285: if (ret)
286: goto usage;
287: }
288:
289: ret = !reply_command(conf, section, engine, queryfile,
290: password, inkey, signer, chain, policy,
291: in, token_in, out, token_out, text);
292: break;
293: case CMD_VERIFY:
294: ret = !(((queryfile && !data && !digest) ||
295: (!queryfile && data && !digest) ||
296: (!queryfile && !data && digest)) && in != NULL);
297: if (ret)
298: goto usage;
299:
300: ret = !verify_command(data, digest, queryfile, in, token_in,
301: ca_path, ca_file, untrusted);
302: }
303:
304: goto cleanup;
305:
306: usage:
307: BIO_printf(bio_err, "usage:\n"
308: "ts -query [-config configfile] "
309: "[-data file_to_hash] [-digest digest_bytes]"
310: "[-md2|-md4|-md5|-sha|-sha1|-mdc2|-ripemd160] "
311: "[-policy object_id] [-no_nonce] [-cert] "
312: "[-in request.tsq] [-out request.tsq] [-text]\n");
313: BIO_printf(bio_err, "or\n"
314: "ts -reply [-config configfile] [-section tsa_section] "
315: "[-queryfile request.tsq] [-passin password] "
316: "[-signer tsa_cert.pem] [-inkey private_key.pem] "
317: "[-chain certs_file.pem] [-policy object_id] "
318: "[-in response.tsr] [-token_in] "
319: "[-out response.tsr] [-token_out] [-text] [-engine id]\n");
320: BIO_printf(bio_err, "or\n"
321: "ts -verify [-data file_to_hash] [-digest digest_bytes] "
322: "[-queryfile request.tsq] "
323: "-in response.tsr [-token_in] "
324: "-CApath ca_path -CAfile ca_file.pem "
325: "-untrusted cert_file.pem\n");
326:
327: cleanup:
328: /* Clean up. */
329: NCONF_free(conf);
330: free(password);
331: OBJ_cleanup();
332:
333: return (ret);
334: }
335:
336: /*
337: * Configuration file-related function definitions.
338: */
339:
340: static ASN1_OBJECT *
341: txt2obj(const char *oid)
342: {
343: ASN1_OBJECT *oid_obj = NULL;
344:
345: if (!(oid_obj = OBJ_txt2obj(oid, 0)))
346: BIO_printf(bio_err, "cannot convert %s to OID\n", oid);
347:
348: return oid_obj;
349: }
350:
351: static CONF *
352: load_config_file(const char *configfile)
353: {
354: CONF *conf = NULL;
355: long errorline = -1;
356:
357: if (!configfile)
358: configfile = getenv("OPENSSL_CONF");
359: if (!configfile)
360: configfile = getenv("SSLEAY_CONF");
361:
362: if (configfile &&
363: (!(conf = NCONF_new(NULL)) ||
364: NCONF_load(conf, configfile, &errorline) <= 0)) {
365: if (errorline <= 0)
366: BIO_printf(bio_err, "error loading the config file "
367: "'%s'\n", configfile);
368: else
369: BIO_printf(bio_err, "error on line %ld of config file "
370: "'%s'\n", errorline, configfile);
371: }
372: if (conf != NULL) {
373: const char *p;
374:
375: BIO_printf(bio_err, "Using configuration from %s\n",
376: configfile);
377: p = NCONF_get_string(conf, NULL, ENV_OID_FILE);
378: if (p != NULL) {
379: BIO *oid_bio = BIO_new_file(p, "r");
380: if (!oid_bio)
381: ERR_print_errors(bio_err);
382: else {
383: OBJ_create_objects(oid_bio);
384: BIO_free_all(oid_bio);
385: }
386: } else
387: ERR_clear_error();
388: if (!add_oid_section(bio_err, conf))
389: ERR_print_errors(bio_err);
390: }
391: return conf;
392: }
393:
394: /*
395: * Query-related method definitions.
396: */
397:
398: static int
399: query_command(const char *data, char *digest, const EVP_MD * md,
400: const char *policy, int no_nonce, int cert, const char *in,
401: const char *out, int text)
402: {
403: int ret = 0;
404: TS_REQ *query = NULL;
405: BIO *in_bio = NULL;
406: BIO *data_bio = NULL;
407: BIO *out_bio = NULL;
408:
409: /* Build query object either from file or from scratch. */
410: if (in != NULL) {
411: if ((in_bio = BIO_new_file(in, "rb")) == NULL)
412: goto end;
413: query = d2i_TS_REQ_bio(in_bio, NULL);
414: } else {
415: /* Open the file if no explicit digest bytes were specified. */
416: if (!digest &&
417: !(data_bio = BIO_open_with_default(data, "rb", stdin)))
418: goto end;
419: /* Creating the query object. */
420: query = create_query(data_bio, digest, md,
421: policy, no_nonce, cert);
422: /* Saving the random number generator state. */
423: }
424: if (query == NULL)
425: goto end;
426:
427: /* Write query either in ASN.1 or in text format. */
428: if ((out_bio = BIO_open_with_default(out, "wb", stdout)) == NULL)
429: goto end;
430: if (text) {
431: /* Text output. */
432: if (!TS_REQ_print_bio(out_bio, query))
433: goto end;
434: } else {
435: /* ASN.1 output. */
436: if (!i2d_TS_REQ_bio(out_bio, query))
437: goto end;
438: }
439:
440: ret = 1;
441:
442: end:
443: ERR_print_errors(bio_err);
444:
445: /* Clean up. */
446: BIO_free_all(in_bio);
447: BIO_free_all(data_bio);
448: BIO_free_all(out_bio);
449: TS_REQ_free(query);
450:
451: return ret;
452: }
453:
454: static BIO *
455: BIO_open_with_default(const char *file, const char *mode, FILE * default_fp)
456: {
457: return file == NULL ? BIO_new_fp(default_fp, BIO_NOCLOSE) :
458: BIO_new_file(file, mode);
459: }
460:
461: static TS_REQ *
462: create_query(BIO * data_bio, char *digest, const EVP_MD * md,
463: const char *policy, int no_nonce, int cert)
464: {
465: int ret = 0;
466: TS_REQ *ts_req = NULL;
467: int len;
468: TS_MSG_IMPRINT *msg_imprint = NULL;
469: X509_ALGOR *algo = NULL;
470: unsigned char *data = NULL;
471: ASN1_OBJECT *policy_obj = NULL;
472: ASN1_INTEGER *nonce_asn1 = NULL;
473:
474: /* Setting default message digest. */
475: if (!md && !(md = EVP_get_digestbyname("sha1")))
476: goto err;
477:
478: /* Creating request object. */
479: if (!(ts_req = TS_REQ_new()))
480: goto err;
481:
482: /* Setting version. */
483: if (!TS_REQ_set_version(ts_req, 1))
484: goto err;
485:
486: /* Creating and adding MSG_IMPRINT object. */
487: if (!(msg_imprint = TS_MSG_IMPRINT_new()))
488: goto err;
489:
490: /* Adding algorithm. */
491: if (!(algo = X509_ALGOR_new()))
492: goto err;
493: if (!(algo->algorithm = OBJ_nid2obj(EVP_MD_type(md))))
494: goto err;
495: if (!(algo->parameter = ASN1_TYPE_new()))
496: goto err;
497: algo->parameter->type = V_ASN1_NULL;
498: if (!TS_MSG_IMPRINT_set_algo(msg_imprint, algo))
499: goto err;
500:
501: /* Adding message digest. */
502: if ((len = create_digest(data_bio, digest, md, &data)) == 0)
503: goto err;
504: if (!TS_MSG_IMPRINT_set_msg(msg_imprint, data, len))
505: goto err;
506:
507: if (!TS_REQ_set_msg_imprint(ts_req, msg_imprint))
508: goto err;
509:
510: /* Setting policy if requested. */
511: if (policy && !(policy_obj = txt2obj(policy)))
512: goto err;
513: if (policy_obj && !TS_REQ_set_policy_id(ts_req, policy_obj))
514: goto err;
515:
516: /* Setting nonce if requested. */
517: if (!no_nonce && !(nonce_asn1 = create_nonce(NONCE_LENGTH)))
518: goto err;
519: if (nonce_asn1 && !TS_REQ_set_nonce(ts_req, nonce_asn1))
520: goto err;
521:
522: /* Setting certificate request flag if requested. */
523: if (!TS_REQ_set_cert_req(ts_req, cert))
524: goto err;
525:
526: ret = 1;
527:
528: err:
529: if (!ret) {
530: TS_REQ_free(ts_req);
531: ts_req = NULL;
532: BIO_printf(bio_err, "could not create query\n");
533: }
534: TS_MSG_IMPRINT_free(msg_imprint);
535: X509_ALGOR_free(algo);
536: free(data);
537: ASN1_OBJECT_free(policy_obj);
538: ASN1_INTEGER_free(nonce_asn1);
539:
540: return ts_req;
541: }
542:
543: static int
544: create_digest(BIO * input, char *digest, const EVP_MD * md,
545: unsigned char **md_value)
546: {
547: int md_value_len;
548:
549: md_value_len = EVP_MD_size(md);
550: if (md_value_len < 0)
551: goto err;
552: if (input) {
553: /* Digest must be computed from an input file. */
554: EVP_MD_CTX md_ctx;
555: unsigned char buffer[4096];
556: int length;
557:
558: *md_value = malloc(md_value_len);
559: if (*md_value == 0)
560: goto err;
561:
562: EVP_DigestInit(&md_ctx, md);
563: while ((length = BIO_read(input, buffer, sizeof(buffer))) > 0) {
564: EVP_DigestUpdate(&md_ctx, buffer, length);
565: }
566: EVP_DigestFinal(&md_ctx, *md_value, NULL);
567: } else {
568: /* Digest bytes are specified with digest. */
569: long digest_len;
570: *md_value = string_to_hex(digest, &digest_len);
571: if (!*md_value || md_value_len != digest_len) {
572: free(*md_value);
573: *md_value = NULL;
574: BIO_printf(bio_err, "bad digest, %d bytes "
575: "must be specified\n", md_value_len);
576: goto err;
577: }
578: }
579:
580: return md_value_len;
581: err:
582: return 0;
583: }
584:
585: static ASN1_INTEGER *
586: create_nonce(int bits)
587: {
588: unsigned char buf[20];
589: ASN1_INTEGER *nonce = NULL;
590: int len = (bits - 1) / 8 + 1;
591: int i;
592:
593: /* Generating random byte sequence. */
594: if (len > (int) sizeof(buf))
595: goto err;
596: if (RAND_bytes(buf, len) <= 0)
597: goto err;
598:
599: /* Find the first non-zero byte and creating ASN1_INTEGER object. */
600: for (i = 0; i < len && !buf[i]; ++i)
601: ;
602: if (!(nonce = ASN1_INTEGER_new()))
603: goto err;
604: free(nonce->data);
605: /* Allocate at least one byte. */
606: nonce->length = len - i;
607: if (!(nonce->data = malloc(nonce->length + 1)))
608: goto err;
609: memcpy(nonce->data, buf + i, nonce->length);
610:
611: return nonce;
612:
613: err:
614: BIO_printf(bio_err, "could not create nonce\n");
615: ASN1_INTEGER_free(nonce);
616: return NULL;
617: }
618: /*
619: * Reply-related method definitions.
620: */
621:
622: static int
623: reply_command(CONF * conf, char *section, char *engine, char *queryfile,
624: char *passin, char *inkey, char *signer, char *chain, const char *policy,
625: char *in, int token_in, char *out, int token_out, int text)
626: {
627: int ret = 0;
628: TS_RESP *response = NULL;
629: BIO *in_bio = NULL;
630: BIO *query_bio = NULL;
631: BIO *inkey_bio = NULL;
632: BIO *signer_bio = NULL;
633: BIO *out_bio = NULL;
634:
635: /* Build response object either from response or query. */
636: if (in != NULL) {
637: if ((in_bio = BIO_new_file(in, "rb")) == NULL)
638: goto end;
639: if (token_in) {
640: /*
641: * We have a ContentInfo (PKCS7) object, add
642: * 'granted' status info around it.
643: */
644: response = read_PKCS7(in_bio);
645: } else {
646: /* We have a ready-made TS_RESP object. */
647: response = d2i_TS_RESP_bio(in_bio, NULL);
648: }
649: } else {
650: response = create_response(conf, section, engine, queryfile,
651: passin, inkey, signer, chain,
652: policy);
653: if (response)
654: BIO_printf(bio_err, "Response has been generated.\n");
655: else
656: BIO_printf(bio_err, "Response is not generated.\n");
657: }
658: if (response == NULL)
659: goto end;
660:
661: /* Write response either in ASN.1 or text format. */
662: if ((out_bio = BIO_open_with_default(out, "wb", stdout)) == NULL)
663: goto end;
664: if (text) {
665: /* Text output. */
666: if (token_out) {
667: TS_TST_INFO *tst_info = TS_RESP_get_tst_info(response);
668: if (!TS_TST_INFO_print_bio(out_bio, tst_info))
669: goto end;
670: } else {
671: if (!TS_RESP_print_bio(out_bio, response))
672: goto end;
673: }
674: } else {
675: /* ASN.1 DER output. */
676: if (token_out) {
677: PKCS7 *token = TS_RESP_get_token(response);
678: if (!i2d_PKCS7_bio(out_bio, token))
679: goto end;
680: } else {
681: if (!i2d_TS_RESP_bio(out_bio, response))
682: goto end;
683: }
684: }
685:
686: ret = 1;
687:
688: end:
689: ERR_print_errors(bio_err);
690:
691: /* Clean up. */
692: BIO_free_all(in_bio);
693: BIO_free_all(query_bio);
694: BIO_free_all(inkey_bio);
695: BIO_free_all(signer_bio);
696: BIO_free_all(out_bio);
697: TS_RESP_free(response);
698:
699: return ret;
700: }
701:
702: /* Reads a PKCS7 token and adds default 'granted' status info to it. */
703: static TS_RESP *
704: read_PKCS7(BIO * in_bio)
705: {
706: int ret = 0;
707: PKCS7 *token = NULL;
708: TS_TST_INFO *tst_info = NULL;
709: TS_RESP *resp = NULL;
710: TS_STATUS_INFO *si = NULL;
711:
712: /* Read PKCS7 object and extract the signed time stamp info. */
713: if (!(token = d2i_PKCS7_bio(in_bio, NULL)))
714: goto end;
715: if (!(tst_info = PKCS7_to_TS_TST_INFO(token)))
716: goto end;
717:
718: /* Creating response object. */
719: if (!(resp = TS_RESP_new()))
720: goto end;
721:
722: /* Create granted status info. */
723: if (!(si = TS_STATUS_INFO_new()))
724: goto end;
725: if (!(ASN1_INTEGER_set(si->status, TS_STATUS_GRANTED)))
726: goto end;
727: if (!TS_RESP_set_status_info(resp, si))
728: goto end;
729:
730: /* Setting encapsulated token. */
731: TS_RESP_set_tst_info(resp, token, tst_info);
732: token = NULL; /* Ownership is lost. */
733: tst_info = NULL; /* Ownership is lost. */
734:
735: ret = 1;
736: end:
737: PKCS7_free(token);
738: TS_TST_INFO_free(tst_info);
739: if (!ret) {
740: TS_RESP_free(resp);
741: resp = NULL;
742: }
743: TS_STATUS_INFO_free(si);
744: return resp;
745: }
746:
747: static TS_RESP *
748: create_response(CONF * conf, const char *section, char *engine,
749: char *queryfile, char *passin, char *inkey,
750: char *signer, char *chain, const char *policy)
751: {
752: int ret = 0;
753: TS_RESP *response = NULL;
754: BIO *query_bio = NULL;
755: TS_RESP_CTX *resp_ctx = NULL;
756:
757: if (!(query_bio = BIO_new_file(queryfile, "rb")))
758: goto end;
759:
760: /* Getting TSA configuration section. */
761: if (!(section = TS_CONF_get_tsa_section(conf, section)))
762: goto end;
763:
764: /* Setting up response generation context. */
765: if (!(resp_ctx = TS_RESP_CTX_new()))
766: goto end;
767:
768: /* Setting serial number provider callback. */
769: if (!TS_CONF_set_serial(conf, section, serial_cb, resp_ctx))
770: goto end;
771: #ifndef OPENSSL_NO_ENGINE
772: /* Setting default OpenSSL engine. */
773: if (!TS_CONF_set_crypto_device(conf, section, engine))
774: goto end;
775: #endif
776:
777: /* Setting TSA signer certificate. */
778: if (!TS_CONF_set_signer_cert(conf, section, signer, resp_ctx))
779: goto end;
780:
781: /* Setting TSA signer certificate chain. */
782: if (!TS_CONF_set_certs(conf, section, chain, resp_ctx))
783: goto end;
784:
785: /* Setting TSA signer private key. */
786: if (!TS_CONF_set_signer_key(conf, section, inkey, passin, resp_ctx))
787: goto end;
788:
789: /* Setting default policy OID. */
790: if (!TS_CONF_set_def_policy(conf, section, policy, resp_ctx))
791: goto end;
792:
793: /* Setting acceptable policy OIDs. */
794: if (!TS_CONF_set_policies(conf, section, resp_ctx))
795: goto end;
796:
797: /* Setting the acceptable one-way hash algorithms. */
798: if (!TS_CONF_set_digests(conf, section, resp_ctx))
799: goto end;
800:
801: /* Setting guaranteed time stamp accuracy. */
802: if (!TS_CONF_set_accuracy(conf, section, resp_ctx))
803: goto end;
804:
805: /* Setting the precision of the time. */
806: if (!TS_CONF_set_clock_precision_digits(conf, section, resp_ctx))
807: goto end;
808:
809: /* Setting the ordering flaf if requested. */
810: if (!TS_CONF_set_ordering(conf, section, resp_ctx))
811: goto end;
812:
813: /* Setting the TSA name required flag if requested. */
814: if (!TS_CONF_set_tsa_name(conf, section, resp_ctx))
815: goto end;
816:
817: /* Setting the ESS cert id chain flag if requested. */
818: if (!TS_CONF_set_ess_cert_id_chain(conf, section, resp_ctx))
819: goto end;
820:
821: /* Creating the response. */
822: if (!(response = TS_RESP_create_response(resp_ctx, query_bio)))
823: goto end;
824:
825: ret = 1;
826: end:
827: if (!ret) {
828: TS_RESP_free(response);
829: response = NULL;
830: }
831: TS_RESP_CTX_free(resp_ctx);
832: BIO_free_all(query_bio);
833:
834: return response;
835: }
836:
837: static ASN1_INTEGER *
838: serial_cb(TS_RESP_CTX * ctx, void *data)
839: {
840: const char *serial_file = (const char *) data;
841: ASN1_INTEGER *serial = next_serial(serial_file);
842:
843: if (!serial) {
844: TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
845: "Error during serial number "
846: "generation.");
847: TS_RESP_CTX_add_failure_info(ctx,
848: TS_INFO_ADD_INFO_NOT_AVAILABLE);
849: } else
850: save_ts_serial(serial_file, serial);
851:
852: return serial;
853: }
854:
855: static ASN1_INTEGER *
856: next_serial(const char *serialfile)
857: {
858: int ret = 0;
859: BIO *in = NULL;
860: ASN1_INTEGER *serial = NULL;
861: BIGNUM *bn = NULL;
862:
863: if (!(serial = ASN1_INTEGER_new()))
864: goto err;
865:
866: if (!(in = BIO_new_file(serialfile, "r"))) {
867: ERR_clear_error();
868: BIO_printf(bio_err, "Warning: could not open file %s for "
869: "reading, using serial number: 1\n", serialfile);
870: if (!ASN1_INTEGER_set(serial, 1))
871: goto err;
872: } else {
873: char buf[1024];
874: if (!a2i_ASN1_INTEGER(in, serial, buf, sizeof(buf))) {
875: BIO_printf(bio_err, "unable to load number from %s\n",
876: serialfile);
877: goto err;
878: }
879: if (!(bn = ASN1_INTEGER_to_BN(serial, NULL)))
880: goto err;
881: ASN1_INTEGER_free(serial);
882: serial = NULL;
883: if (!BN_add_word(bn, 1))
884: goto err;
885: if (!(serial = BN_to_ASN1_INTEGER(bn, NULL)))
886: goto err;
887: }
888: ret = 1;
889: err:
890: if (!ret) {
891: ASN1_INTEGER_free(serial);
892: serial = NULL;
893: }
894: BIO_free_all(in);
895: BN_free(bn);
896: return serial;
897: }
898:
899: static int
900: save_ts_serial(const char *serialfile, ASN1_INTEGER * serial)
901: {
902: int ret = 0;
903: BIO *out = NULL;
904:
905: if (!(out = BIO_new_file(serialfile, "w")))
906: goto err;
907: if (i2a_ASN1_INTEGER(out, serial) <= 0)
908: goto err;
909: if (BIO_puts(out, "\n") <= 0)
910: goto err;
911: ret = 1;
912: err:
913: if (!ret)
914: BIO_printf(bio_err, "could not save serial number to %s\n",
915: serialfile);
916: BIO_free_all(out);
917: return ret;
918: }
919:
920: /*
921: * Verify-related method definitions.
922: */
923:
924: static int
925: verify_command(char *data, char *digest, char *queryfile, char *in,
926: int token_in, char *ca_path, char *ca_file, char *untrusted)
927: {
928: BIO *in_bio = NULL;
929: PKCS7 *token = NULL;
930: TS_RESP *response = NULL;
931: TS_VERIFY_CTX *verify_ctx = NULL;
932: int ret = 0;
933:
934: /* Decode the token (PKCS7) or response (TS_RESP) files. */
935: if (!(in_bio = BIO_new_file(in, "rb")))
936: goto end;
937: if (token_in) {
938: if (!(token = d2i_PKCS7_bio(in_bio, NULL)))
939: goto end;
940: } else {
941: if (!(response = d2i_TS_RESP_bio(in_bio, NULL)))
942: goto end;
943: }
944:
945: if (!(verify_ctx = create_verify_ctx(data, digest, queryfile,
946: ca_path, ca_file, untrusted)))
947: goto end;
948:
949: /* Checking the token or response against the request. */
950: ret = token_in ?
951: TS_RESP_verify_token(verify_ctx, token) :
952: TS_RESP_verify_response(verify_ctx, response);
953:
954: end:
955: printf("Verification: ");
956: if (ret)
957: printf("OK\n");
958: else {
959: printf("FAILED\n");
960: /* Print errors, if there are any. */
961: ERR_print_errors(bio_err);
962: }
963:
964: /* Clean up. */
965: BIO_free_all(in_bio);
966: PKCS7_free(token);
967: TS_RESP_free(response);
968: TS_VERIFY_CTX_free(verify_ctx);
969: return ret;
970: }
971:
972: static TS_VERIFY_CTX *
973: create_verify_ctx(char *data, char *digest, char *queryfile, char *ca_path,
974: char *ca_file, char *untrusted)
975: {
976: TS_VERIFY_CTX *ctx = NULL;
977: BIO *input = NULL;
978: TS_REQ *request = NULL;
979: int ret = 0;
980:
981: if (data != NULL || digest != NULL) {
982: if (!(ctx = TS_VERIFY_CTX_new()))
983: goto err;
984: ctx->flags = TS_VFY_VERSION | TS_VFY_SIGNER;
985: if (data != NULL) {
986: ctx->flags |= TS_VFY_DATA;
987: if (!(ctx->data = BIO_new_file(data, "rb")))
988: goto err;
989: } else if (digest != NULL) {
990: long imprint_len;
991: ctx->flags |= TS_VFY_IMPRINT;
992: if (!(ctx->imprint = string_to_hex(digest,
993: &imprint_len))) {
994: BIO_printf(bio_err, "invalid digest string\n");
995: goto err;
996: }
997: ctx->imprint_len = imprint_len;
998: }
999: } else if (queryfile != NULL) {
1000: /*
1001: * The request has just to be read, decoded and converted to
1002: * a verify context object.
1003: */
1004: if (!(input = BIO_new_file(queryfile, "rb")))
1005: goto err;
1006: if (!(request = d2i_TS_REQ_bio(input, NULL)))
1007: goto err;
1008: if (!(ctx = TS_REQ_to_TS_VERIFY_CTX(request, NULL)))
1009: goto err;
1010: } else
1011: return NULL;
1012:
1013: /* Add the signature verification flag and arguments. */
1014: ctx->flags |= TS_VFY_SIGNATURE;
1015:
1016: /* Initialising the X509_STORE object. */
1017: if (!(ctx->store = create_cert_store(ca_path, ca_file)))
1018: goto err;
1019:
1020: /* Loading untrusted certificates. */
1021: if (untrusted && !(ctx->certs = TS_CONF_load_certs(untrusted)))
1022: goto err;
1023:
1024: ret = 1;
1025: err:
1026: if (!ret) {
1027: TS_VERIFY_CTX_free(ctx);
1028: ctx = NULL;
1029: }
1030: BIO_free_all(input);
1031: TS_REQ_free(request);
1032: return ctx;
1033: }
1034:
1035: static X509_STORE *
1036: create_cert_store(char *ca_path, char *ca_file)
1037: {
1038: X509_STORE *cert_ctx = NULL;
1039: X509_LOOKUP *lookup = NULL;
1040: int i;
1041:
1042: /* Creating the X509_STORE object. */
1043: cert_ctx = X509_STORE_new();
1044:
1045: /* Setting the callback for certificate chain verification. */
1046: X509_STORE_set_verify_cb(cert_ctx, verify_cb);
1047:
1048: /* Adding a trusted certificate directory source. */
1049: if (ca_path) {
1050: lookup = X509_STORE_add_lookup(cert_ctx,
1051: X509_LOOKUP_hash_dir());
1052: if (lookup == NULL) {
1053: BIO_printf(bio_err, "memory allocation failure\n");
1054: goto err;
1055: }
1056: i = X509_LOOKUP_add_dir(lookup, ca_path, X509_FILETYPE_PEM);
1057: if (!i) {
1058: BIO_printf(bio_err, "Error loading directory %s\n",
1059: ca_path);
1060: goto err;
1061: }
1062: }
1063: /* Adding a trusted certificate file source. */
1064: if (ca_file) {
1065: lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_file());
1066: if (lookup == NULL) {
1067: BIO_printf(bio_err, "memory allocation failure\n");
1068: goto err;
1069: }
1070: i = X509_LOOKUP_load_file(lookup, ca_file, X509_FILETYPE_PEM);
1071: if (!i) {
1072: BIO_printf(bio_err, "Error loading file %s\n", ca_file);
1073: goto err;
1074: }
1075: }
1076: return cert_ctx;
1077: err:
1078: X509_STORE_free(cert_ctx);
1079: return NULL;
1080: }
1081:
1082: static int
1083: verify_cb(int ok, X509_STORE_CTX * ctx)
1084: {
1085: /*
1086: char buf[256];
1087:
1088: if (!ok)
1089: {
1090: X509_NAME_oneline(X509_get_subject_name(ctx->current_cert),
1091: buf, sizeof(buf));
1092: printf("%s\n", buf);
1093: printf("error %d at %d depth lookup: %s\n",
1094: ctx->error, ctx->error_depth,
1095: X509_verify_cert_error_string(ctx->error));
1096: }
1097: */
1098:
1099: return ok;
1100: }