Tor  0.4.7.0-alpha-dev
x509_openssl.c
Go to the documentation of this file.
1 /* Copyright (c) 2003, Roger Dingledine.
2  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
3  * Copyright (c) 2007-2021, The Tor Project, Inc. */
4 /* See LICENSE for licensing information */
5 
6 /**
7  * \file x509_openssl.c
8  * \brief Wrapper functions to present a consistent interface to
9  * X.509 functions from OpenSSL.
10  **/
11 
12 #define TOR_X509_PRIVATE
13 #include "lib/tls/x509.h"
14 #include "lib/tls/x509_internal.h"
15 #include "lib/tls/tortls.h"
18 #include "lib/crypt_ops/compat_openssl.h"
19 
20 /* Some versions of OpenSSL declare SSL_get_selected_srtp_profile twice in
21  * srtp.h. Suppress the GCC warning so we can build with -Wredundant-decl. */
22 DISABLE_GCC_WARNING("-Wredundant-decls")
23 
24 #include <openssl/opensslv.h>
25 
26 #ifdef OPENSSL_NO_EC
27 #error "We require OpenSSL with ECC support"
28 #endif
29 
30 #include <openssl/err.h>
31 #include <openssl/asn1.h>
32 #include <openssl/bio.h>
33 #include <openssl/bn.h>
34 #include <openssl/evp.h>
35 #include <openssl/objects.h>
36 #include <openssl/rsa.h>
37 #include <openssl/x509.h>
38 
39 ENABLE_GCC_WARNING("-Wredundant-decls")
40 
41 #include "lib/log/log.h"
42 #include "lib/log/util_bug.h"
43 #include "lib/ctime/di_ops.h"
44 #include "lib/encoding/time_fmt.h"
45 
46 #include <stdlib.h>
47 #include <string.h>
48 
49 #ifdef OPENSSL_1_1_API
50 #define X509_get_notBefore_const(cert) \
51  X509_get0_notBefore(cert)
52 #define X509_get_notAfter_const(cert) \
53  X509_get0_notAfter(cert)
54 #ifndef X509_get_notBefore
55 #define X509_get_notBefore(cert) \
56  X509_getm_notBefore(cert)
57 #endif
58 #ifndef X509_get_notAfter
59 #define X509_get_notAfter(cert) \
60  X509_getm_notAfter(cert)
61 #endif
62 #else /* !defined(OPENSSL_1_1_API) */
63 #define X509_get_notBefore_const(cert) \
64  ((const ASN1_TIME*) X509_get_notBefore((X509 *)cert))
65 #define X509_get_notAfter_const(cert) \
66  ((const ASN1_TIME*) X509_get_notAfter((X509 *)cert))
67 #endif /* defined(OPENSSL_1_1_API) */
68 
69 /** Return a newly allocated X509 name with commonName <b>cname</b>. */
70 static X509_NAME *
71 tor_x509_name_new(const char *cname)
72 {
73  int nid;
74  X509_NAME *name;
75  /* LCOV_EXCL_BR_START : these branches will only fail on OOM errors */
76  if (!(name = X509_NAME_new()))
77  return NULL;
78  if ((nid = OBJ_txt2nid("commonName")) == NID_undef) goto error;
79  if (!(X509_NAME_add_entry_by_NID(name, nid, MBSTRING_ASC,
80  (unsigned char*)cname, -1, -1, 0)))
81  goto error;
82  /* LCOV_EXCL_BR_STOP */
83  return name;
84 
85  /* LCOV_EXCL_START : these lines will only execute on out of memory errors*/
86  error:
87  X509_NAME_free(name);
88  return NULL;
89  /* LCOV_EXCL_STOP */
90 }
91 
92 /** Generate and sign an X509 certificate with the public key <b>rsa</b>,
93  * signed by the private key <b>rsa_sign</b>. The commonName of the
94  * certificate will be <b>cname</b>; the commonName of the issuer will be
95  * <b>cname_sign</b>. The cert will be valid for <b>cert_lifetime</b>
96  * seconds, starting from some time in the past.
97  *
98  * Return a certificate on success, NULL on failure.
99  */
100 MOCK_IMPL(X509 *,
102  crypto_pk_t *rsa_sign,
103  const char *cname,
104  const char *cname_sign,
105  unsigned int cert_lifetime))
106 {
107  /* OpenSSL generates self-signed certificates with random 64-bit serial
108  * numbers, so let's do that too. */
109 #define SERIAL_NUMBER_SIZE 8
110 
111  time_t start_time, end_time;
112  BIGNUM *serial_number = NULL;
113  unsigned char serial_tmp[SERIAL_NUMBER_SIZE];
114  EVP_PKEY *sign_pkey = NULL, *pkey=NULL;
115  X509 *x509 = NULL;
116  X509_NAME *name = NULL, *name_issuer=NULL;
117 
118  tor_tls_init();
119 
120  time_t now = time(NULL);
121 
122  tor_tls_pick_certificate_lifetime(now, cert_lifetime,
123  &start_time, &end_time);
124 
125  tor_assert(rsa);
126  tor_assert(cname);
127  tor_assert(rsa_sign);
128  tor_assert(cname_sign);
129  if (!(sign_pkey = crypto_pk_get_openssl_evp_pkey_(rsa_sign,1)))
130  goto error;
131  if (!(pkey = crypto_pk_get_openssl_evp_pkey_(rsa,0)))
132  goto error;
133  if (!(x509 = X509_new()))
134  goto error;
135  if (!(X509_set_version(x509, 2)))
136  goto error;
137 
138  { /* our serial number is 8 random bytes. */
139  crypto_rand((char *)serial_tmp, sizeof(serial_tmp));
140  if (!(serial_number = BN_bin2bn(serial_tmp, sizeof(serial_tmp), NULL)))
141  goto error;
142  if (!(BN_to_ASN1_INTEGER(serial_number, X509_get_serialNumber(x509))))
143  goto error;
144  }
145 
146  if (!(name = tor_x509_name_new(cname)))
147  goto error;
148  if (!(X509_set_subject_name(x509, name)))
149  goto error;
150  if (!(name_issuer = tor_x509_name_new(cname_sign)))
151  goto error;
152  if (!(X509_set_issuer_name(x509, name_issuer)))
153  goto error;
154 
155  if (!X509_time_adj(X509_get_notBefore(x509),0,&start_time))
156  goto error;
157  if (!X509_time_adj(X509_get_notAfter(x509),0,&end_time))
158  goto error;
159  if (!X509_set_pubkey(x509, pkey))
160  goto error;
161 
162  if (!X509_sign(x509, sign_pkey, EVP_sha256()))
163  goto error;
164 
165  goto done;
166  error:
167  if (x509) {
168  X509_free(x509);
169  x509 = NULL;
170  }
171  done:
172  tls_log_errors(NULL, LOG_WARN, LD_NET, "generating certificate");
173  if (sign_pkey)
174  EVP_PKEY_free(sign_pkey);
175  if (pkey)
176  EVP_PKEY_free(pkey);
177  if (serial_number)
178  BN_clear_free(serial_number);
179  if (name)
180  X509_NAME_free(name);
181  if (name_issuer)
182  X509_NAME_free(name_issuer);
183  return x509;
184 
185 #undef SERIAL_NUMBER_SIZE
186 }
187 
188 /** Set the 'encoded' and 'encoded_len' fields of "cert" from cert->cert. */
189 int
191 {
192  unsigned char *buf = NULL;
193  int length = i2d_X509(cert->cert, &buf);
194 
195  if (length <= 0 || buf == NULL) {
196  return -1;
197  }
198  cert->encoded_len = (size_t) length;
199  cert->encoded = tor_malloc(length);
200  memcpy(cert->encoded, buf, length);
201  OPENSSL_free(buf);
202  return 0;
203 }
204 
205 void
206 tor_x509_cert_impl_free_(tor_x509_cert_impl_t *cert)
207 {
208  if (cert)
209  X509_free(cert);
210 }
211 
212 tor_x509_cert_impl_t *
213 tor_x509_cert_impl_dup_(tor_x509_cert_impl_t *cert)
214 {
215  if (cert)
216  return X509_dup(cert);
217  else
218  return NULL;
219 }
220 
221 /** Set *<b>encoded_out</b> and *<b>size_out</b> to <b>cert</b>'s encoded DER
222  * representation and length, respectively. */
223 void
224 tor_x509_cert_get_der(const tor_x509_cert_t *cert,
225  const uint8_t **encoded_out, size_t *size_out)
226 {
227  tor_assert(cert);
228  tor_assert(encoded_out);
229  tor_assert(size_out);
230  *encoded_out = cert->encoded;
231  *size_out = cert->encoded_len;
232 }
233 
234 /** Read a DER-encoded X509 cert, of length exactly <b>certificate_len</b>,
235  * from a <b>certificate</b>. Return a newly allocated tor_x509_cert_t on
236  * success and NULL on failure. */
237 tor_x509_cert_t *
238 tor_x509_cert_decode(const uint8_t *certificate, size_t certificate_len)
239 {
240  X509 *x509;
241  const unsigned char *cp = (const unsigned char *)certificate;
242  tor_x509_cert_t *newcert;
243  tor_assert(certificate);
244  check_no_tls_errors();
245 
246  if (certificate_len > INT_MAX)
247  goto err;
248 
249  x509 = d2i_X509(NULL, &cp, (int)certificate_len);
250 
251  if (!x509)
252  goto err; /* Couldn't decode */
253  if (cp - certificate != (int)certificate_len) {
254  X509_free(x509);
255  goto err; /* Didn't use all the bytes */
256  }
257  newcert = tor_x509_cert_new(x509);
258  if (!newcert) {
259  goto err;
260  }
261  if (newcert->encoded_len != certificate_len ||
262  fast_memneq(newcert->encoded, certificate, certificate_len)) {
263  /* Cert wasn't in DER */
264  tor_x509_cert_free(newcert);
265  goto err;
266  }
267  return newcert;
268  err:
269  tls_log_errors(NULL, LOG_INFO, LD_CRYPTO, "decoding a certificate");
270  return NULL;
271 }
272 
273 /**
274  * Return a newly allocated copy of the public key that a certificate
275  * certifies. Watch out! This returns NULL if the cert's key is not RSA.
276  */
277 crypto_pk_t *
278 tor_tls_cert_get_key(tor_x509_cert_t *cert)
279 {
280  crypto_pk_t *result = NULL;
281  EVP_PKEY *pkey = X509_get_pubkey(cert->cert);
282  RSA *rsa;
283  if (!pkey)
284  return NULL;
285  rsa = EVP_PKEY_get1_RSA(pkey);
286  if (!rsa) {
287  EVP_PKEY_free(pkey);
288  return NULL;
289  }
290  result = crypto_new_pk_from_openssl_rsa_(rsa);
291  EVP_PKEY_free(pkey);
292  return result;
293 }
294 
295 /** Check whether <b>cert</b> is well-formed, currently live, and correctly
296  * signed by the public key in <b>signing_cert</b>. If <b>check_rsa_1024</b>,
297  * make sure that it has an RSA key with 1024 bits; otherwise, just check that
298  * the key is long enough. Return 1 if the cert is good, and 0 if it's bad or
299  * we couldn't check it. */
300 int
302  const tor_x509_cert_t *cert,
303  const tor_x509_cert_t *signing_cert,
304  time_t now,
305  int check_rsa_1024)
306 {
307  check_no_tls_errors();
308  EVP_PKEY *cert_key;
309  int r, key_ok = 0;
310 
311  if (!signing_cert || !cert)
312  goto bad;
313 
314  EVP_PKEY *signing_key = X509_get_pubkey(signing_cert->cert);
315  if (!signing_key)
316  goto bad;
317  r = X509_verify(cert->cert, signing_key);
318  EVP_PKEY_free(signing_key);
319  if (r <= 0)
320  goto bad;
321 
322  /* okay, the signature checked out right. Now let's check the check the
323  * lifetime. */
324  if (tor_x509_check_cert_lifetime_internal(severity, cert->cert, now,
325  TOR_X509_PAST_SLOP,
326  TOR_X509_FUTURE_SLOP) < 0)
327  goto bad;
328 
329  cert_key = X509_get_pubkey(cert->cert);
330  if (check_rsa_1024 && cert_key) {
331  RSA *rsa = EVP_PKEY_get1_RSA(cert_key);
332 #ifdef OPENSSL_1_1_API
333  if (rsa && RSA_bits(rsa) == 1024) {
334 #else
335  if (rsa && BN_num_bits(rsa->n) == 1024) {
336 #endif
337  key_ok = 1;
338  } else {
339  log_fn(severity, LD_CRYPTO, "Invalid certificate: Key is not RSA1024.");
340  }
341 
342  if (rsa)
343  RSA_free(rsa);
344  } else if (cert_key) {
345  int min_bits = 1024;
346 #ifdef EVP_PKEY_EC
347  if (EVP_PKEY_base_id(cert_key) == EVP_PKEY_EC)
348  min_bits = 128;
349 #endif
350  if (EVP_PKEY_bits(cert_key) >= min_bits)
351  key_ok = 1;
352  }
353  EVP_PKEY_free(cert_key);
354  if (!key_ok)
355  goto bad;
356 
357  /* XXXX compare DNs or anything? */
358 
359  return 1;
360  bad:
361  tls_log_errors(NULL, LOG_INFO, LD_CRYPTO, "checking a certificate");
362  return 0;
363 }
364 
365 /** Warn that a certificate lifetime extends through a certain range. */
366 static void
367 log_cert_lifetime(int severity, const X509 *cert, const char *problem,
368  time_t now)
369 {
370  BIO *bio = NULL;
371  BUF_MEM *buf;
372  char *s1=NULL, *s2=NULL;
373  char mytime[33];
374  struct tm tm;
375  size_t n;
376 
377  if (problem)
378  tor_log(severity, LD_GENERAL,
379  "Certificate %s. Either their clock is set wrong, or your clock "
380  "is wrong.",
381  problem);
382 
383  if (!(bio = BIO_new(BIO_s_mem()))) {
384  log_warn(LD_GENERAL, "Couldn't allocate BIO!"); goto end;
385  }
386  if (!(ASN1_TIME_print(bio, X509_get_notBefore_const(cert)))) {
387  tls_log_errors(NULL, LOG_WARN, LD_NET, "printing certificate lifetime");
388  goto end;
389  }
390  BIO_get_mem_ptr(bio, &buf);
391  s1 = tor_strndup(buf->data, buf->length);
392 
393  (void)BIO_reset(bio);
394  if (!(ASN1_TIME_print(bio, X509_get_notAfter_const(cert)))) {
395  tls_log_errors(NULL, LOG_WARN, LD_NET, "printing certificate lifetime");
396  goto end;
397  }
398  BIO_get_mem_ptr(bio, &buf);
399  s2 = tor_strndup(buf->data, buf->length);
400 
401  n = strftime(mytime, 32, "%b %d %H:%M:%S %Y UTC", tor_gmtime_r(&now, &tm));
402  if (n > 0) {
403  tor_log(severity, LD_GENERAL,
404  "(certificate lifetime runs from %s through %s. Your time is %s.)",
405  s1,s2,mytime);
406  } else {
407  tor_log(severity, LD_GENERAL,
408  "(certificate lifetime runs from %s through %s. "
409  "Couldn't get your time.)",
410  s1, s2);
411  }
412 
413  end:
414  /* Not expected to get invoked */
415  tls_log_errors(NULL, LOG_WARN, LD_NET, "getting certificate lifetime");
416  if (bio)
417  BIO_free(bio);
418  tor_free(s1);
419  tor_free(s2);
420 }
421 
422 /** Helper: check whether <b>cert</b> is expired give or take
423  * <b>past_tolerance</b> seconds, or not-yet-valid give or take
424  * <b>future_tolerance</b> seconds. (Relative to the current time
425  * <b>now</b>.) If it is live, return 0. If it is not live, log a message
426  * and return -1. */
427 int
428 tor_x509_check_cert_lifetime_internal(int severity, const X509 *cert,
429  time_t now,
430  int past_tolerance, int future_tolerance)
431 {
432  time_t t;
433 
434  t = now + future_tolerance;
435  if (X509_cmp_time(X509_get_notBefore_const(cert), &t) > 0) {
436  log_cert_lifetime(severity, cert, "not yet valid", now);
437  return -1;
438  }
439  t = now - past_tolerance;
440  if (X509_cmp_time(X509_get_notAfter_const(cert), &t) < 0) {
441  log_cert_lifetime(severity, cert, "already expired", now);
442  return -1;
443  }
444 
445  return 0;
446 }
447 
448 #ifdef TOR_UNIT_TESTS
449 /* Testing only: return a new x509 cert with the same contents as <b>inp</b>,
450  but with the expiration time <b>new_expiration_time</b>, signed with
451  <b>signing_key</b>. */
452 STATIC tor_x509_cert_t *
453 tor_x509_cert_replace_expiration(const tor_x509_cert_t *inp,
454  time_t new_expiration_time,
455  crypto_pk_t *signing_key)
456 {
457  X509 *newc = X509_dup(inp->cert);
458  X509_time_adj(X509_get_notAfter(newc), 0, &new_expiration_time);
459  EVP_PKEY *pk = crypto_pk_get_openssl_evp_pkey_(signing_key, 1);
460  tor_assert(X509_sign(newc, pk, EVP_sha256()));
461  EVP_PKEY_free(pk);
462  return tor_x509_cert_new(newc);
463 }
464 #endif /* defined(TOR_UNIT_TESTS) */
const char * name
Definition: config.c:2434
void crypto_rand(char *to, size_t n)
Definition: crypto_rand.c:477
Common functions for using (pseudo-)random number generators.
Common functions for cryptographic routines.
Headers for di_ops.c.
#define fast_memneq(a, b, c)
Definition: di_ops.h:42
void tor_log(int severity, log_domain_mask_t domain, const char *format,...)
Definition: log.c:590
#define log_fn(severity, domain, args,...)
Definition: log.h:283
#define LD_CRYPTO
Definition: log.h:64
#define LD_NET
Definition: log.h:66
#define LD_GENERAL
Definition: log.h:62
#define LOG_WARN
Definition: log.h:53
#define LOG_INFO
Definition: log.h:45
#define tor_free(p)
Definition: malloc.h:52
#define STATIC
Definition: testsupport.h:32
#define MOCK_IMPL(rv, funcname, arglist)
Definition: testsupport.h:133
struct tm * tor_gmtime_r(const time_t *timep, struct tm *result)
Definition: time_fmt.c:65
Header for time_fmt.c.
Headers for tortls.c.
void tor_tls_init(void)
Definition: tortls_nss.c:356
void tls_log_errors(tor_tls_t *tls, int severity, int domain, const char *doing)
Definition: tortls_nss.c:362
Macros to manage assertions, fatal and non-fatal.
#define tor_assert(expr)
Definition: util_bug.h:102
Headers for tortls.c.
int tor_x509_check_cert_lifetime_internal(int severity, const X509 *cert, time_t now, int past_tolerance, int future_tolerance)
Definition: x509_openssl.c:428
X509 * tor_tls_create_certificate(crypto_pk_t *rsa, crypto_pk_t *rsa_sign, const char *cname, const char *cname_sign, unsigned int cert_lifetime)
Definition: x509_openssl.c:105
crypto_pk_t * tor_tls_cert_get_key(tor_x509_cert_t *cert)
Definition: x509_openssl.c:278
int tor_tls_cert_is_valid(int severity, const tor_x509_cert_t *cert, const tor_x509_cert_t *signing_cert, time_t now, int check_rsa_1024)
Definition: x509_openssl.c:301
static X509_NAME * tor_x509_name_new(const char *cname)
Definition: x509_openssl.c:71
static void log_cert_lifetime(int severity, const X509 *cert, const char *problem, time_t now)
Definition: x509_openssl.c:367
void tor_x509_cert_get_der(const tor_x509_cert_t *cert, const uint8_t **encoded_out, size_t *size_out)
Definition: x509_openssl.c:224
tor_x509_cert_t * tor_x509_cert_decode(const uint8_t *certificate, size_t certificate_len)
Definition: x509_openssl.c:238
int tor_x509_cert_set_cached_der_encoding(tor_x509_cert_t *cert)
Definition: x509_openssl.c:190