
Merge our current version of the code with the OSS libsecutils.
(reflects securityUtilities b009f9d5)

API changes:

- functions for checking only against local CRLs added
- more generic functions for calculating/checking ICV added
- some functions moved to appropriate module (to util.h)

Internal changes:

- loading of credentials (.p12 containers):
    - containers with **empty password** are **rejected** if a nonempty
      password is provided as parameter (i.e. the empty password can no longer
      be used to circumvent UTA-protection)
    - containers that don't have private keys encrypted with the same algorithm
      that is used by "storage" functions (e.g. `CREDENTIALS_save_dv`) are
      **rejected**
- default log level changed to `LOG_WARNING` (should have minimal impact as
  most logs state the level explicitly)

Other changes:

- some includes fixed
- various compiler warnings fixed
martin-barta-sie committed Jul 15, 2022
1 parent 8932ddf commit 1a6f340
Showing 33 changed files with 979 additions and 405 deletions.
9 changes: 9 additions & 0 deletions include/secutils/certstatus/certstatus.h
Expand Up @@ -17,6 +17,7 @@
#define SECUTILS_CERTSTATUS_H_

#include <openssl/x509_vfy.h>

#include "../util/log.h"

#if OPENSSL_VERSION_NUMBER < 0x10101000L
Expand Down Expand Up @@ -132,4 +133,12 @@ bool check_cert_revocation(X509_STORE_CTX* ctx, OPTIONAL OCSP_RESPONSE* resp);
*/
int check_revocation_any_method(X509_STORE_CTX* ctx);

/*
* Check revocation status on certs in ctx->chain. As a generalization of
* check_revocation() in crypto/x509/x509_vfy.c, considers local CRLs only.
* To be used as a callback function to be past to
* X509_STORE_set_check_revocation()
*/
int check_revocation_local_only_method(X509_STORE_CTX* ctx);

#endif /* SECUTILS_CERTSTATUS_H_ */
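Review bot: The new comment on `check_revocation_local_only_method` has a typo and omits the one property a caller of a revocation callback most needs: `To be used as a callback function to be past to` should read `passed to`, and nothing says what the callback returns when no local CRL covers an issuer in the chain (an X509 verification error, or the certificate treated as not revoked). Since this function exists precisely to skip non-local sources, I would add one sentence to that comment stating the outcome for a chain element without a matching CRL; which of the two it is cannot be inferred from the header alone. The implementation lives in the .c file, outside this hunk.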
3 changes: 2 additions & 1 deletion include/secutils/certstatus/crl_mgmt.h
Expand Up @@ -17,7 +17,8 @@
#define SECUTILS_HEADER_CRL_MGMT_H

#include <openssl/x509.h>
#include <secutils/basic.h>

#include "../basic.h"

#ifdef __cplusplus
extern "C" {
2 changes: 2 additions & 0 deletions include/secutils/certstatus/crls.h
Expand Up @@ -16,6 +16,8 @@
#ifndef SECUTILS_CRLS_H_
#define SECUTILS_CRLS_H_

#include "../basic.h"

#include <openssl/x509.h>

/*!*****************************************************************************
42 changes: 1 addition & 41 deletions include/secutils/credentials/cert.h
Expand Up @@ -26,8 +26,7 @@
#include <string.h> /* for strcmp, strlen */

#include "../basic.h"
#include "../operators.h"
# include "../util/log.h"
#include "../util/log.h"

#include <openssl/x509.h>

Expand Down Expand Up @@ -99,19 +98,6 @@ int CERTS_save(OPTIONAL const STACK_OF(X509) *certs, const char *file, OPTIONAL
void CERTS_free(OPTIONAL STACK_OF(X509) *certs);


/*!*****************************************************************************
* @brief parse an X.500 Distinguished Name (DN)
*
* @param dn string to be parsed, format "/type0=value0/type1=value1/type2=..." where characters may be escaped by '\'.
* The NULL-DN may be given as "/" or "".
* @param chtype type of the string, e.g., MBSTRING_ASC, as defined in openssl/asn1.h
* @param multirdn flag whether to allow multi-valued RDNs
* @return ASN.1 representation of the DN, or null on error
*******************************************************************************/
/* this function is used by the genCMPClient API implementation */
X509_NAME* UTIL_parse_name(const char* dn, long chtype, bool multirdn);


/*!*****************************************************************************
* @brief log messsage about the given certificate, printing its subject
*
Expand Down Expand Up @@ -177,30 +163,4 @@ bool CERT_check_all(const char *uri, OPTIONAL STACK_OF(X509) *certs, int type_CA
OPTIONAL const X509_VERIFY_PARAM *vpm);


/*!*****************************************************************************
* @brief add certificate to given stack, optionally only if not already contained
*
* @param sk stack of certificates
* @param cert certificate to be pushed to the stack
* @param no_duplicate flag governing whether to add cert if it is a duplicate
* @return true on success, else false
*******************************************************************************/
bool UTIL_sk_X509_add1_cert(STACK_OF(X509) * sk, X509* cert, bool no_duplicate);


/*!*****************************************************************************
* @brief add stack of certificates to given stack,
* optionally only if not self-signed and optionally if not already contained
*
* @param sk stack of certificates
* @param certs (optional) stack of certificates to be pushed to the stack
* @param no_self_signed flag governing whether to add self-signed certs
* @param no_duplicates flag governing whether to add cert if it is a duplicate
* @return true on success, else false
*******************************************************************************/
/* this function is used by the genCMPClient API implementation */
int UTIL_sk_X509_add1_certs(STACK_OF(X509) * sk, OPTIONAL const STACK_OF(X509) * certs, int no_self_signed,
int no_duplicates);


#endif /* SECUTILS_CERT_H_ */
17 changes: 17 additions & 0 deletions include/secutils/credentials/store.h
Expand Up @@ -208,6 +208,7 @@ bool STORE_load_check_dir(X509_STORE** pstore, const char* trust_dir,

/*!*****************************************************************************
* @brief search for files with CRLs in specified directory and add them to X509_STORE
* @note this function sets check_revocation_any_method() to be used as a callback during CRL validation
*
* @param pstore pointer to trust store to be augmented with CRLs.
* CRL-based status checking will be enabled in it for the full certificate chain.
Expand All @@ -220,6 +221,22 @@ bool STORE_load_check_dir(X509_STORE** pstore, const char* trust_dir,
******************************************************************************/
bool STORE_load_crl_dir(X509_STORE* pstore, const char* crl_dir, OPTIONAL const char* desc, bool recursive, OPTIONAL uta_ctx* ctx);

/*!*****************************************************************************
* @brief search for files with CRLs in specified directory and add them to X509_STORE
* @note this function sets check_revocation_local_only_method() to be used as a callback during CRL validation
*
* @param pstore pointer to trust store to be augmented with CRLs.
* CRL-based status checking will be enabled in it for the full certificate chain.
* @param crl_dir directory where to search for CRLs
* @param desc description of CRLs to use for error reporting, or null
* @param recursive if true, use recursive search in subdirectories
* @param ctx pointer to UTA context for checking file integrity&authenticity using ICV, or null
* @note at least one valid CRL file must be found in each visited directory
* @return true on success, false on error/failure
******************************************************************************/
bool STORE_load_crl_dir_local_only(X509_STORE* pstore, const char* crl_dir, OPTIONAL const char* desc, bool recursive,
OPTIONAL uta_ctx* ctx);

/*!*****************************************************************************
* @brief release a trust store
*
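Review bot: The doc block for `STORE_load_crl_dir_local_only` (and the `@note` added to `STORE_load_crl_dir` in the first hunk) names the revocation callback each function installs on `pstore`, but not that it replaces whatever callback the store already had; both operate on the same `X509_STORE`, so a caller that invokes one and then the other presumably ends up with the callback of the later call for the whole store, not a per-directory mix. I would state that in both `@note` lines, e.g. `@note replaces any check_revocation callback previously set on pstore (e.g. by STORE_load_crl_dir())`, after confirming in store.c that this is how X509_STORE_set_check_revocation() is used there. The two doc blocks are otherwise verbatim copies; a `@see STORE_load_crl_dir()` plus the one sentence that differs would keep them from drifting apart.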
6 changes: 2 additions & 4 deletions include/secutils/credentials/verify.h
Expand Up @@ -74,15 +74,13 @@ bool verify_cb_cert(X509_STORE_CTX* store_ctx, X509* cert, int err);
/*!*****************************************************************************
* @brief attempt to verify certificate
*
* @param ctx (optional) pointer to UTA context, unused
* @param cert certificate to be verified
* @param untrusted (optional) intermediate certs that may be useful for building
* the chain of certificates between the cert and the trusted certs in the trust store
* @param trust_store pointer to structure containing trusted (root) certs and further verification parameters
* @note trust_store may contain CRLs loaded via STORE_load_crl_dir()
* @return < 0 on on verification error, 0 for invalid cert, 1 for vaild cert
* @return < 0 on on verification error, 0 for invalid cert, 1 for valid cert
*******************************************************************************/
int CREDENTIALS_verify_cert(OPTIONAL uta_ctx* ctx, X509* cert,
OPTIONAL const STACK_OF(X509) * untrusted, X509_STORE* trust_store);
int CREDENTIALS_verify_cert(X509* cert, OPTIONAL const STACK_OF(X509) * untrusted, X509_STORE* trust_store);

#endif /* SECUTILS_VERIFY_H_ */
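Review bot: The corrected `@return` line still reads `< 0 on on verification error`; while fixing `vaild` the doubled `on` should go too: `* @return < 0 on verification error, 0 for invalid cert, 1 for valid cert`. Removing the `ctx` parameter from `CREDENTIALS_verify_cert` is a source-incompatible change for every existing caller, yet the commit description's "API changes" list does not mention it; one line there, or a `@note` in this doc block saying the UTA context argument was dropped because it was unused, would spare downstream users a search when their build breaks.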
2 changes: 2 additions & 0 deletions include/secutils/storage/files_dv.h
Expand Up @@ -25,6 +25,8 @@

#include <openssl/x509.h>

#include "../util/util.h"

#include "../storage/uta_api.h"
#define MAX_UTA_PASS_LEN (MAX_B64_CHARS_PER_BYTE * TA_OUTLEN + 1)
#include "files.h"
12 changes: 12 additions & 0 deletions include/secutils/storage/files_icv.h
Expand Up @@ -20,6 +20,7 @@
#include "../storage/uta_api.h"

#include <openssl/ossl_typ.h>
#include <openssl/safestack.h>

/*!
* @brief (re-)protect integrity of file (of any type that allows appending text) with ICV derived via UTA
Expand Down Expand Up @@ -126,5 +127,16 @@ bool FILES_store_cert_pem(OPTIONAL uta_ctx* ctx, const X509* cert, const char* f
*/
bool FILES_store_crl_pem_icv(OPTIONAL uta_ctx* ctx, const X509_CRL* crl, const char* file, OPTIONAL const char* desc);

/*!
* @brief Calculates a file's ICV and, if it is equal to the ICV stored in the file, returns the content without ICV.
*
* @param ctx pointer to UTA context, which typically is part of the libsecutils context
* @param path path to the file, can be relative or absolute
* @note if \p path is relative, it is transformed into absolute path
* @return \c OPENSSL_STRING containing content of the file if ICV matches, otherwise null pointer.
* In case of an error, message is logged and null pointer is returned.
* @warning Returned \c OPENSSL_STRING must be freed using function \c OPENSSL_free().
*/
OPENSSL_STRING FILE_get_file_content_if_existing_icv_is_valid(uta_ctx* ctx, const char* path);

#endif /* SECUTILS_FILES_ICV_H_ */
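Review bot: `FILE_get_file_content_if_existing_icv_is_valid` is the only declaration in this header with a `FILE_` prefix; its neighbours (`FILES_store_cert_pem`, `FILES_store_crl_pem_icv`) use `FILES_`, so the new name reads like a typo and will be missed by a prefix search. More important for a verification routine is what the doc leaves open: the name suggests a file that carries no ICV at all might be handed back as-is, while the `@return` text only covers "ICV matches" and "error"; the comment should state explicitly whether a file without a trailing ICV yields its content or a null pointer, because the former would let an unprotected file pass where a protected one is expected. The result is also an `OPENSSL_STRING` with no length output, so content containing an embedded NUL byte cannot be represented; if the function is meant for text-type files only, as the header's other ICV functions say, the doc should say so. The implementation is in files_icv.c, outside this hunk.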
2 changes: 1 addition & 1 deletion include/secutils/util/log.h
Expand Up @@ -71,7 +71,7 @@ void LOG_close(void);
* @brief set verbosity level of LOG_default()
* @note this may be done before LOG_init() is called
*
* @param level the minimal severity of messages to be printed; default: LOG_INFO
* @param level the minimal severity of messages to be printed; default: LOG_WARNING
*/
/* this function is used by the genCMPClient CLI implementation */
void LOG_set_verbosity(severity level);
69 changes: 68 additions & 1 deletion include/secutils/util/util.h
Expand Up @@ -30,11 +30,12 @@
# include <unistd.h>

# include "../basic.h"
# include "../operators.h"

# include <openssl/err.h>
# include <openssl/x509v3.h>

# include "../storage/uta_api.h"

static const char *const
UTIL_SECUTILS_NAME = "secutils"; /*!< short name of this library */
static const int UTIL_max_path_len = 512; /*!< max length of file path name */
Expand Down Expand Up @@ -195,6 +196,30 @@ typedef u_int64_t uint64_t;
STACK_OF(X509) *X509_STORE_get1_all_certs(X509_STORE *store);
# endif

/*!*****************************************************************************
* @brief add certificate to given stack, optionally only if not already contained
*
* @param sk stack of certificates
* @param cert certificate to be pushed to the stack
* @param no_duplicate flag governing whether to add cert if it is a duplicate
* @return true on success, else false
*******************************************************************************/
bool UTIL_sk_X509_add1_cert(STACK_OF(X509) * sk, X509* cert, bool no_duplicate);

/*!*****************************************************************************
* @brief add stack of certificates to given stack,
* optionally only if not self-signed and optionally if not already contained
*
* @param sk stack of certificates
* @param certs (optional) stack of certificates to be pushed to the stack
* @param no_self_signed flag governing whether to add self-signed certs
* @param no_duplicates flag governing whether to add cert if it is a duplicate
* @return true on success, else false
*******************************************************************************/
/* this function is used by the genCMPClient API implementation */
int UTIL_sk_X509_add1_certs(STACK_OF(X509) * sk, OPTIONAL const STACK_OF(X509) * certs, int no_self_signed,
int no_duplicates);

/*!*****************************************************************************
* @brief initialize the OpenSSL crypto library
* @param version expected OpenSSL version number
Expand Down Expand Up @@ -262,6 +287,18 @@ void *UTIL_read_file(const char *filename, int *lenp);
******************************************************************************/
bool UTIL_write_file(const char *filename, const void *data, size_t len);

/*!*****************************************************************************
* @brief parse an X.500 Distinguished Name (DN)
*
* @param dn string to be parsed, format "/type0=value0/type1=value1/type2=..." where characters may be escaped by '\'.
* The NULL-DN may be given as "/" or "".
* @param chtype type of the string, e.g., MBSTRING_ASC, as defined in openssl/asn1.h
* @param multirdn flag whether to allow multi-valued RDNs
* @return ASN.1 representation of the DN, or null on error
*******************************************************************************/
/* this function is used by the genCMPClient API implementation */
X509_NAME* UTIL_parse_name(const char* dn, long chtype, bool multirdn);

/*!*****************************************************************************
* @brief call given function on each file in dir, optionally with recursion
* @param fn function to be called on each file.
Expand Down Expand Up @@ -370,6 +407,7 @@ size_t UTIL_url_encode(const char *source,
# define HEX_BITS 4
# define HEX_MASK 0x0f
# define MAX_DIGIT 9
# define ICV_LEN16 16

/*!
* @brief The function converts a binary string into a sequence of hex values.
Expand Down Expand Up @@ -435,4 +473,33 @@ int UTIL_base64_encode_to_buf(const unsigned char *data, int len,
unsigned char *UTIL_base64_decode(const char *b64_data, int b64_len,
int *decoded_len);

/*!
* @brief derive integrity protection hash for data with given len, using key as DV.
*
* @param ctx pointer to uta context object
* @param data pointer to data from which the ICV will be calculated
* @param data_len size of data from which the ICV will be calculated
* @param key_dv The derivation value for key for which the ICV is calculated
* @param icv_out Pointer to a buffer where the resulting ICV will be stored. This buffer must be at least
* ICV_LEN16 in size.
* @return true if calculating the ICV is successful, false otherwise
*/
bool UTIL_calculate_icv(uta_ctx* ctx, const unsigned char* data, const size_t data_len, const char* key_dv,
unsigned char* icv_out);

/*!
* @brief implementation of the function UTIL_calculate_icv.
* @note this function was created to avoid code repetition (the same computation is needed in files_icv.c).
*
* @param ctx pointer to uta context object
* @param data pointer to data from which the ICV will be calculated
* @param data_len size of data from which the ICV will be calculated
* @param key_dv The derivation value for key for which the ICV is calculated
* @param mac Pointer to a buffer where the resulting ICV will be stored. This buffer must be at least
* ICV_LEN16 in size.
* @return true if calculating the ICV is successful, false otherwise
*/
bool UTIL_calculate_icv_impl(uta_ctx* ctx, const unsigned char* data, const size_t data_len, const char* key_dv,
unsigned char* mac);

#endif /* SECUTILS_UTIL_H_ */
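Review bot: `UTIL_calculate_icv_impl` is declared in the public header even though its own `@note` says it exists only to share code with files_icv.c; exporting an `_impl` entry point widens the library's surface for no caller benefit, and if it is not meant as API it belongs in an internal header (otherwise the two doc blocks should explain how the functions differ, which the current text does not — the parameter lists are identical apart from `icv_out` versus `mac`). The contract of both is also silent on the two points a caller must get right: whether `key_dv` is a NUL-terminated string or a fixed-length value, and whether exactly `ICV_LEN16` bytes are written to the output buffer (the doc only gives a minimum size); I would add `@param key_dv NUL-terminated derivation string` (or the actual format) and `@note exactly ICV_LEN16 bytes are written` once confirmed against util.c. A minor style point: `const size_t data_len` is a by-value parameter, so the `const` is a definition detail that can be dropped from the header. The definitions are in util.c, outside this hunk.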
