2 * SSL/TLS interface functions for OpenSSL - BoringSSL OCSP
3 * Copyright (c) 2004-2015, Jouni Malinen <j@w1.fi>
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
11 #include <openssl/ssl.h>
12 #include <openssl/err.h>
13 #include <openssl/x509v3.h>
14 #ifdef OPENSSL_IS_BORINGSSL
15 #include <openssl/asn1.h>
16 #include <openssl/asn1t.h>
17 #endif /* OPENSSL_IS_BORINGSSL */
20 #include "tls_openssl.h"
23 #ifdef OPENSSL_IS_BORINGSSL
25 static void tls_show_errors(int level, const char *func, const char *txt)
29 wpa_printf(level, "OpenSSL: %s - %s %s",
30 func, txt, ERR_error_string(ERR_get_error(), NULL));
32 while ((err = ERR_get_error())) {
33 wpa_printf(MSG_INFO, "OpenSSL: pending error: %s",
34 ERR_error_string(err, NULL));
40 * CertID ::= SEQUENCE {
41 * hashAlgorithm AlgorithmIdentifier,
42 * issuerNameHash OCTET STRING, -- Hash of Issuer's DN
43 * issuerKeyHash OCTET STRING, -- Hash of Issuer's public key
44 * serialNumber CertificateSerialNumber }
47 X509_ALGOR *hashAlgorithm;
48 ASN1_OCTET_STRING *issuerNameHash;
49 ASN1_OCTET_STRING *issuerKeyHash;
50 ASN1_INTEGER *serialNumber;
54 * ResponseBytes ::= SEQUENCE {
55 * responseType OBJECT IDENTIFIER,
56 * response OCTET STRING }
59 ASN1_OBJECT *responseType;
60 ASN1_OCTET_STRING *response;
64 * OCSPResponse ::= SEQUENCE {
65 * responseStatus OCSPResponseStatus,
66 * responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
69 ASN1_ENUMERATED *responseStatus;
70 ResponseBytes *responseBytes;
73 ASN1_SEQUENCE(ResponseBytes) = {
74 ASN1_SIMPLE(ResponseBytes, responseType, ASN1_OBJECT),
75 ASN1_SIMPLE(ResponseBytes, response, ASN1_OCTET_STRING)
76 } ASN1_SEQUENCE_END(ResponseBytes);
78 ASN1_SEQUENCE(OCSPResponse) = {
79 ASN1_SIMPLE(OCSPResponse, responseStatus, ASN1_ENUMERATED),
80 ASN1_EXP_OPT(OCSPResponse, responseBytes, ResponseBytes, 0)
81 } ASN1_SEQUENCE_END(OCSPResponse);
83 IMPLEMENT_ASN1_FUNCTIONS(OCSPResponse);
86 * ResponderID ::= CHOICE {
94 ASN1_OCTET_STRING *byKey;
99 * RevokedInfo ::= SEQUENCE {
100 * revocationTime GeneralizedTime,
101 * revocationReason [0] EXPLICIT CRLReason OPTIONAL }
104 ASN1_GENERALIZEDTIME *revocationTime;
105 ASN1_ENUMERATED *revocationReason;
109 * CertStatus ::= CHOICE {
110 * good [0] IMPLICIT NULL,
111 * revoked [1] IMPLICIT RevokedInfo,
112 * unknown [2] IMPLICIT UnknownInfo }
118 RevokedInfo *revoked;
124 * SingleResponse ::= SEQUENCE {
126 * certStatus CertStatus,
127 * thisUpdate GeneralizedTime,
128 * nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
129 * singleExtensions [1] EXPLICIT Extensions OPTIONAL }
133 CertStatus *certStatus;
134 ASN1_GENERALIZEDTIME *thisUpdate;
135 ASN1_GENERALIZEDTIME *nextUpdate;
136 STACK_OF(X509_EXTENSION) *singleExtensions;
140 * ResponseData ::= SEQUENCE {
141 * version [0] EXPLICIT Version DEFAULT v1,
142 * responderID ResponderID,
143 * producedAt GeneralizedTime,
144 * responses SEQUENCE OF SingleResponse,
145 * responseExtensions [1] EXPLICIT Extensions OPTIONAL }
148 ASN1_INTEGER *version;
149 ResponderID *responderID;
150 ASN1_GENERALIZEDTIME *producedAt;
151 STACK_OF(SingleResponse) *responses;
152 STACK_OF(X509_EXTENSION) *responseExtensions;
156 * BasicOCSPResponse ::= SEQUENCE {
157 * tbsResponseData ResponseData,
158 * signatureAlgorithm AlgorithmIdentifier,
159 * signature BIT STRING,
160 * certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
163 ResponseData *tbsResponseData;
164 X509_ALGOR *signatureAlgorithm;
165 ASN1_BIT_STRING *signature;
166 STACK_OF(X509) *certs;
169 ASN1_SEQUENCE(CertID) = {
170 ASN1_SIMPLE(CertID, hashAlgorithm, X509_ALGOR),
171 ASN1_SIMPLE(CertID, issuerNameHash, ASN1_OCTET_STRING),
172 ASN1_SIMPLE(CertID, issuerKeyHash, ASN1_OCTET_STRING),
173 ASN1_SIMPLE(CertID, serialNumber, ASN1_INTEGER)
174 } ASN1_SEQUENCE_END(CertID);
176 ASN1_CHOICE(ResponderID) = {
177 ASN1_EXP(ResponderID, value.byName, X509_NAME, 1),
178 ASN1_EXP(ResponderID, value.byKey, ASN1_OCTET_STRING, 2)
179 } ASN1_CHOICE_END(ResponderID);
181 ASN1_SEQUENCE(RevokedInfo) = {
182 ASN1_SIMPLE(RevokedInfo, revocationTime, ASN1_GENERALIZEDTIME),
183 ASN1_EXP_OPT(RevokedInfo, revocationReason, ASN1_ENUMERATED, 0)
184 } ASN1_SEQUENCE_END(RevokedInfo);
186 ASN1_CHOICE(CertStatus) = {
187 ASN1_IMP(CertStatus, value.good, ASN1_NULL, 0),
188 ASN1_IMP(CertStatus, value.revoked, RevokedInfo, 1),
189 ASN1_IMP(CertStatus, value.unknown, ASN1_NULL, 2)
190 } ASN1_CHOICE_END(CertStatus);
192 ASN1_SEQUENCE(SingleResponse) = {
193 ASN1_SIMPLE(SingleResponse, certID, CertID),
194 ASN1_SIMPLE(SingleResponse, certStatus, CertStatus),
195 ASN1_SIMPLE(SingleResponse, thisUpdate, ASN1_GENERALIZEDTIME),
196 ASN1_EXP_OPT(SingleResponse, nextUpdate, ASN1_GENERALIZEDTIME, 0),
197 ASN1_EXP_SEQUENCE_OF_OPT(SingleResponse, singleExtensions,
199 } ASN1_SEQUENCE_END(SingleResponse);
201 ASN1_SEQUENCE(ResponseData) = {
202 ASN1_EXP_OPT(ResponseData, version, ASN1_INTEGER, 0),
203 ASN1_SIMPLE(ResponseData, responderID, ResponderID),
204 ASN1_SIMPLE(ResponseData, producedAt, ASN1_GENERALIZEDTIME),
205 ASN1_SEQUENCE_OF(ResponseData, responses, SingleResponse),
206 ASN1_EXP_SEQUENCE_OF_OPT(ResponseData, responseExtensions,
208 } ASN1_SEQUENCE_END(ResponseData);
210 ASN1_SEQUENCE(BasicOCSPResponse) = {
211 ASN1_SIMPLE(BasicOCSPResponse, tbsResponseData, ResponseData),
212 ASN1_SIMPLE(BasicOCSPResponse, signatureAlgorithm, X509_ALGOR),
213 ASN1_SIMPLE(BasicOCSPResponse, signature, ASN1_BIT_STRING),
214 ASN1_EXP_SEQUENCE_OF_OPT(BasicOCSPResponse, certs, X509, 0)
215 } ASN1_SEQUENCE_END(BasicOCSPResponse);
217 IMPLEMENT_ASN1_FUNCTIONS(BasicOCSPResponse);
219 #define sk_SingleResponse_num(sk) \
220 sk_num(CHECKED_CAST(_STACK *, STACK_OF(SingleResponse) *, sk))
222 #define sk_SingleResponse_value(sk, i) \
223 ((SingleResponse *) \
224 sk_value(CHECKED_CAST(_STACK *, STACK_OF(SingleResponse) *, sk), (i)))
227 static char * mem_bio_to_str(BIO *out)
233 rlen = BIO_ctrl_pending(out);
234 txt = os_malloc(rlen + 1);
240 res = BIO_read(out, txt, rlen);
252 static char * generalizedtime_str(ASN1_GENERALIZEDTIME *t)
256 out = BIO_new(BIO_s_mem());
260 if (!ASN1_GENERALIZEDTIME_print(out, t)) {
265 return mem_bio_to_str(out);
269 static char * responderid_str(ResponderID *rid)
273 out = BIO_new(BIO_s_mem());
279 X509_NAME_print_ex(out, rid->value.byName, 0, XN_FLAG_ONELINE);
282 i2a_ASN1_STRING(out, rid->value.byKey, V_ASN1_OCTET_STRING);
289 return mem_bio_to_str(out);
293 static char * octet_string_str(ASN1_OCTET_STRING *o)
297 out = BIO_new(BIO_s_mem());
301 i2a_ASN1_STRING(out, o, V_ASN1_OCTET_STRING);
302 return mem_bio_to_str(out);
306 static char * integer_str(ASN1_INTEGER *i)
310 out = BIO_new(BIO_s_mem());
314 i2a_ASN1_INTEGER(out, i);
315 return mem_bio_to_str(out);
319 static char * algor_str(X509_ALGOR *alg)
323 out = BIO_new(BIO_s_mem());
327 i2a_ASN1_OBJECT(out, alg->algorithm);
328 return mem_bio_to_str(out);
332 static char * extensions_str(const char *title, STACK_OF(X509_EXTENSION) *ext)
339 out = BIO_new(BIO_s_mem());
343 if (!X509V3_extensions_print(out, title, ext, 0, 0)) {
347 return mem_bio_to_str(out);
351 static int ocsp_resp_valid(ASN1_GENERALIZEDTIME *thisupd,
352 ASN1_GENERALIZEDTIME *nextupd)
356 if (!ASN1_GENERALIZEDTIME_check(thisupd)) {
357 wpa_printf(MSG_DEBUG,
358 "OpenSSL: Invalid OCSP response thisUpdate");
363 tmp = now + 5 * 60; /* allow five minute clock difference */
364 if (X509_cmp_time(thisupd, &tmp) > 0) {
365 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP response not yet valid");
370 return 1; /* OK - no limit on response age */
372 if (!ASN1_GENERALIZEDTIME_check(nextupd)) {
373 wpa_printf(MSG_DEBUG,
374 "OpenSSL: Invalid OCSP response nextUpdate");
378 tmp = now - 5 * 60; /* allow five minute clock difference */
379 if (X509_cmp_time(nextupd, &tmp) < 0) {
380 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP response expired");
384 if (ASN1_STRING_cmp(nextupd, thisupd) < 0) {
385 wpa_printf(MSG_DEBUG,
386 "OpenSSL: OCSP response nextUpdate before thisUpdate");
390 /* Both thisUpdate and nextUpdate are valid */
395 static int issuer_match(X509 *cert, X509 *issuer, CertID *certid)
398 ASN1_BIT_STRING *ikey;
401 unsigned char md[EVP_MAX_MD_SIZE];
402 ASN1_OCTET_STRING *hash;
405 dgst = EVP_get_digestbyobj(certid->hashAlgorithm->algorithm);
407 wpa_printf(MSG_DEBUG,
408 "OpenSSL: Could not find matching hash algorithm for OCSP");
412 iname = X509_get_issuer_name(cert);
413 if (!X509_NAME_digest(iname, dgst, md, &len))
415 hash = ASN1_OCTET_STRING_new();
418 if (!ASN1_OCTET_STRING_set(hash, md, len)) {
419 ASN1_OCTET_STRING_free(hash);
423 txt = octet_string_str(hash);
425 wpa_printf(MSG_DEBUG, "OpenSSL: calculated issuerNameHash: %s",
430 if (ASN1_OCTET_STRING_cmp(certid->issuerNameHash, hash)) {
431 ASN1_OCTET_STRING_free(hash);
435 ikey = X509_get0_pubkey_bitstr(issuer);
437 !EVP_Digest(ikey->data, ikey->length, md, &len, dgst, NULL) ||
438 !ASN1_OCTET_STRING_set(hash, md, len)) {
439 ASN1_OCTET_STRING_free(hash);
443 txt = octet_string_str(hash);
445 wpa_printf(MSG_DEBUG, "OpenSSL: calculated issuerKeyHash: %s",
450 if (ASN1_OCTET_STRING_cmp(certid->issuerKeyHash, hash)) {
451 ASN1_OCTET_STRING_free(hash);
455 ASN1_OCTET_STRING_free(hash);
460 static X509 * ocsp_find_signer(STACK_OF(X509) *certs, ResponderID *rid)
463 unsigned char hash[SHA_DIGEST_LENGTH];
465 if (rid->type == 0) {
467 return X509_find_by_subject(certs, rid->value.byName);
471 if (rid->value.byKey->length != SHA_DIGEST_LENGTH)
473 for (i = 0; i < sk_X509_num(certs); i++) {
474 X509 *x = sk_X509_value(certs, i);
476 X509_pubkey_digest(x, EVP_sha1(), hash, NULL);
477 if (os_memcmp(rid->value.byKey->data, hash,
478 SHA_DIGEST_LENGTH) == 0)
486 enum ocsp_result check_ocsp_resp(SSL_CTX *ssl_ctx, SSL *ssl, X509 *cert,
487 X509 *issuer, X509 *issuer_issuer)
489 const uint8_t *resp_data;
493 ResponseBytes *bytes;
494 const u8 *basic_data;
496 BasicOCSPResponse *basic;
500 unsigned int j, num_resp;
501 SingleResponse *matching_resp = NULL, *cmp_sresp;
502 enum ocsp_result result = OCSP_INVALID;
504 STACK_OF(X509) *untrusted = NULL, *certs = NULL, *chain = NULL;
506 X509 *signer, *tmp_cert;
507 int signer_trusted = 0;
512 txt = integer_str(X509_get_serialNumber(cert));
514 wpa_printf(MSG_DEBUG,
515 "OpenSSL: Searching OCSP response for peer certificate serialNumber: %s", txt);
519 SSL_get0_ocsp_response(ssl, &resp_data, &resp_len);
520 if (resp_data == NULL || resp_len == 0) {
521 wpa_printf(MSG_DEBUG, "OpenSSL: No OCSP response received");
522 return OCSP_NO_RESPONSE;
525 wpa_hexdump(MSG_DEBUG, "OpenSSL: OCSP response", resp_data, resp_len);
527 resp = d2i_OCSPResponse(NULL, &resp_data, resp_len);
529 wpa_printf(MSG_INFO, "OpenSSL: Failed to parse OCSPResponse");
533 status = ASN1_ENUMERATED_get(resp->responseStatus);
535 wpa_printf(MSG_INFO, "OpenSSL: OCSP responder error %d",
540 bytes = resp->responseBytes;
543 OBJ_obj2nid(bytes->responseType) != NID_id_pkix_OCSP_basic) {
545 "OpenSSL: Could not find BasicOCSPResponse");
549 basic_data = ASN1_STRING_data(bytes->response);
550 basic_len = ASN1_STRING_length(bytes->response);
551 wpa_hexdump(MSG_DEBUG, "OpenSSL: BasicOCSPResponse",
552 basic_data, basic_len);
554 basic = d2i_BasicOCSPResponse(NULL, &basic_data, basic_len);
557 "OpenSSL: Could not parse BasicOCSPResponse");
558 OCSPResponse_free(resp);
562 rd = basic->tbsResponseData;
565 untrusted = sk_X509_dup(basic->certs);
569 num = sk_X509_num(basic->certs);
570 for (i = 0; i < num; i++) {
573 extra_cert = sk_X509_value(basic->certs, i);
574 X509_NAME_oneline(X509_get_subject_name(extra_cert),
576 wpa_printf(MSG_DEBUG,
577 "OpenSSL: BasicOCSPResponse cert %s", buf);
579 if (!sk_X509_push(untrusted, extra_cert)) {
580 wpa_printf(MSG_DEBUG,
581 "OpenSSL: Could not add certificate to the untrusted stack");
586 store = SSL_CTX_get_cert_store(ssl_ctx);
588 if (X509_STORE_add_cert(store, issuer) != 1) {
589 tls_show_errors(MSG_INFO, __func__,
590 "OpenSSL: Could not add issuer to certificate store");
592 certs = sk_X509_new_null();
594 tmp_cert = X509_dup(issuer);
595 if (tmp_cert && !sk_X509_push(certs, tmp_cert)) {
598 "OpenSSL: Could not add issuer to OCSP responder trust store");
603 if (certs && issuer_issuer) {
604 tmp_cert = X509_dup(issuer_issuer);
606 !sk_X509_push(certs, tmp_cert)) {
609 "OpenSSL: Could not add issuer's issuer to OCSP responder trust store");
616 signer = ocsp_find_signer(certs, rd->responderID);
618 signer = ocsp_find_signer(untrusted, rd->responderID);
622 wpa_printf(MSG_DEBUG,
623 "OpenSSL: Could not find OCSP signer certificate");
627 skey = X509_get_pubkey(signer);
629 wpa_printf(MSG_DEBUG,
630 "OpenSSL: Could not get OCSP signer public key");
633 if (ASN1_item_verify(ASN1_ITEM_rptr(ResponseData),
634 basic->signatureAlgorithm, basic->signature,
635 basic->tbsResponseData, skey) <= 0) {
636 wpa_printf(MSG_DEBUG,
637 "OpenSSL: BasicOCSPResponse signature is invalid");
641 X509_NAME_oneline(X509_get_subject_name(signer), buf, sizeof(buf));
642 wpa_printf(MSG_DEBUG,
643 "OpenSSL: Found OCSP signer certificate %s and verified BasicOCSPResponse signature",
646 if (!X509_STORE_CTX_init(&ctx, store, signer, untrusted))
648 X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER);
649 ret = X509_verify_cert(&ctx);
650 chain = X509_STORE_CTX_get1_chain(&ctx);
651 X509_STORE_CTX_cleanup(&ctx);
653 wpa_printf(MSG_DEBUG,
654 "OpenSSL: Could not validate OCSP signer certificate");
658 if (!chain || sk_X509_num(chain) <= 0) {
659 wpa_printf(MSG_DEBUG, "OpenSSL: No OCSP signer chain found");
663 if (!signer_trusted) {
664 X509_check_purpose(signer, -1, 0);
665 if ((signer->ex_flags & EXFLAG_XKUSAGE) &&
666 (signer->ex_xkusage & XKU_OCSP_SIGN)) {
667 wpa_printf(MSG_DEBUG,
668 "OpenSSL: OCSP signer certificate delegation OK");
670 tmp_cert = sk_X509_value(chain, sk_X509_num(chain) - 1);
671 if (X509_check_trust(tmp_cert, NID_OCSP_sign, 0) !=
672 X509_TRUST_TRUSTED) {
673 wpa_printf(MSG_DEBUG,
674 "OpenSSL: OCSP signer certificate not trusted");
675 result = OCSP_NO_RESPONSE;
681 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP version: %lu",
682 ASN1_INTEGER_get(rd->version));
684 txt = responderid_str(rd->responderID);
686 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP responderID: %s",
691 txt = generalizedtime_str(rd->producedAt);
693 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP producedAt: %s",
698 num_resp = sk_SingleResponse_num(rd->responses);
700 wpa_printf(MSG_DEBUG,
701 "OpenSSL: No OCSP SingleResponse within BasicOCSPResponse");
702 result = OCSP_NO_RESPONSE;
705 cmp_sresp = sk_SingleResponse_value(rd->responses, 0);
706 for (j = 0; j < num_resp; j++) {
707 SingleResponse *sresp;
710 sresp = sk_SingleResponse_value(rd->responses, j);
711 wpa_printf(MSG_DEBUG, "OpenSSL: OCSP SingleResponse %u/%u",
714 txt = algor_str(sresp->certID->hashAlgorithm);
716 wpa_printf(MSG_DEBUG,
717 "OpenSSL: certID hashAlgorithm: %s", txt);
721 txt = octet_string_str(sresp->certID->issuerNameHash);
723 wpa_printf(MSG_DEBUG,
724 "OpenSSL: certID issuerNameHash: %s", txt);
728 txt = octet_string_str(sresp->certID->issuerKeyHash);
730 wpa_printf(MSG_DEBUG,
731 "OpenSSL: certID issuerKeyHash: %s", txt);
735 txt = integer_str(sresp->certID->serialNumber);
737 wpa_printf(MSG_DEBUG,
738 "OpenSSL: certID serialNumber: %s", txt);
742 switch (sresp->certStatus->type) {
744 wpa_printf(MSG_DEBUG, "OpenSSL: certStatus: good");
747 wpa_printf(MSG_DEBUG, "OpenSSL: certStatus: revoked");
750 wpa_printf(MSG_DEBUG, "OpenSSL: certStatus: unknown");
754 txt = generalizedtime_str(sresp->thisUpdate);
756 wpa_printf(MSG_DEBUG, "OpenSSL: thisUpdate: %s", txt);
760 if (sresp->nextUpdate) {
761 txt = generalizedtime_str(sresp->nextUpdate);
763 wpa_printf(MSG_DEBUG, "OpenSSL: nextUpdate: %s",
769 txt = extensions_str("singleExtensions",
770 sresp->singleExtensions);
772 wpa_printf(MSG_DEBUG, "OpenSSL: %s", txt);
776 cid1 = cmp_sresp->certID;
777 cid2 = sresp->certID;
779 (OBJ_cmp(cid1->hashAlgorithm->algorithm,
780 cid2->hashAlgorithm->algorithm) != 0 ||
781 ASN1_OCTET_STRING_cmp(cid1->issuerNameHash,
782 cid2->issuerNameHash) != 0 ||
783 ASN1_OCTET_STRING_cmp(cid1->issuerKeyHash,
784 cid2->issuerKeyHash) != 0)) {
785 wpa_printf(MSG_DEBUG,
786 "OpenSSL: Different OCSP response issuer information between SingleResponse values within BasicOCSPResponse");
790 if (!matching_resp && issuer &&
791 ASN1_INTEGER_cmp(sresp->certID->serialNumber,
792 X509_get_serialNumber(cert)) == 0 &&
793 issuer_match(cert, issuer, sresp->certID) == 0) {
794 wpa_printf(MSG_DEBUG,
795 "OpenSSL: This response matches peer certificate");
796 matching_resp = sresp;
800 txt = extensions_str("responseExtensions", rd->responseExtensions);
802 wpa_printf(MSG_DEBUG, "OpenSSL: %s", txt);
806 if (!matching_resp) {
807 wpa_printf(MSG_DEBUG,
808 "OpenSSL: Could not find OCSP response that matches the peer certificate");
809 result = OCSP_NO_RESPONSE;
813 if (!ocsp_resp_valid(matching_resp->thisUpdate,
814 matching_resp->nextUpdate)) {
815 wpa_printf(MSG_DEBUG,
816 "OpenSSL: OCSP response not valid at this time");
820 if (matching_resp->certStatus->type == 1) {
821 wpa_printf(MSG_DEBUG,
822 "OpenSSL: OCSP response indicated that the peer certificate has been revoked");
823 result = OCSP_REVOKED;
827 if (matching_resp->certStatus->type != 0) {
828 wpa_printf(MSG_DEBUG,
829 "OpenSSL: OCSP response did not indicate good status");
830 result = OCSP_NO_RESPONSE;
834 /* OCSP response indicated the certificate is good. */
837 sk_X509_pop_free(chain, X509_free);
838 sk_X509_free(untrusted);
839 sk_X509_pop_free(certs, X509_free);
840 BasicOCSPResponse_free(basic);
841 OCSPResponse_free(resp);
846 #endif /* OPENSSL_IS_BORINGSSL */