Import Certificate Transparency verbatim from OpenSSL 1.1.1

This is not yet hooked up and will not compile. Follow on commits will KNF and then make it build. ok jsing@ tb@
author: beck <> 2021-10-28 11:21:03 +0000
committer: beck <> 2021-10-28 11:21:03 +0000
commit: 75b3e83cc7ac4c558b39a6ff97eee42c60b08f3d (patch)
tree: 9ff551b95f548635aaa5da4f2fe4441215e48df4 /src/lib/libcrypto/ct/ct_b64.c
parent: ee22e7c226c205d772141de01defd5c3f92c36a6 (diff)
download: openbsd-75b3e83cc7ac4c558b39a6ff97eee42c60b08f3d.tar.gz
openbsd-75b3e83cc7ac4c558b39a6ff97eee42c60b08f3d.tar.bz2
openbsd-75b3e83cc7ac4c558b39a6ff97eee42c60b08f3d.zip
1 files changed, 168 insertions, 0 deletions
diff --git a/src/lib/libcrypto/ct/ct_b64.c b/src/lib/libcrypto/ct/ct_b64.c
new file mode 100644
index 0000000000..4abe11ca29
--- /dev/null
+++ b/src/lib/libcrypto/ct/ct_b64.c
@@ -0,0 +1,168 @@
+/*
+ * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+#include <limits.h>
+#include <string.h>
+#include <openssl/ct.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include "ct_local.h"
+/*
+ * Decodes the base64 string |in| into |out|.
+ * A new string will be malloc'd and assigned to |out|. This will be owned by
+ * the caller. Do not provide a pre-allocated string in |out|.
+ */
+static int ct_base64_decode(const char *in, unsigned char **out)
+{
+    size_t inlen = strlen(in);
+    int outlen, i;
+    unsigned char *outbuf = NULL;
+    if (inlen == 0) {
+        *out = NULL;
+        return 0;
+    }
+    outlen = (inlen / 4) * 3;
+    outbuf = OPENSSL_malloc(outlen);
+    if (outbuf == NULL) {
+        CTerr(CT_F_CT_BASE64_DECODE, ERR_R_MALLOC_FAILURE);
+        goto err;
+    }
+    outlen = EVP_DecodeBlock(outbuf, (unsigned char *)in, inlen);
+    if (outlen < 0) {
+        CTerr(CT_F_CT_BASE64_DECODE, CT_R_BASE64_DECODE_ERROR);
+        goto err;
+    }
+    /* Subtract padding bytes from |outlen|.  Any more than 2 is malformed. */
+    i = 0;
+    while (in[--inlen] == '=') {
+        --outlen;
+        if (++i > 2)
+            goto err;
+    }
+    *out = outbuf;
+    return outlen;
+err:
+    OPENSSL_free(outbuf);
+    return -1;
+}
+SCT *SCT_new_from_base64(unsigned char version, const char *logid_base64,
+                         ct_log_entry_type_t entry_type, uint64_t timestamp,
+                         const char *extensions_base64,
+                         const char *signature_base64)
+{
+    SCT *sct = SCT_new();
+    unsigned char *dec = NULL;
+    const unsigned char* p = NULL;
+    int declen;
+    if (sct == NULL) {
+        CTerr(CT_F_SCT_NEW_FROM_BASE64, ERR_R_MALLOC_FAILURE);
+        return NULL;
+    }
+    /*
+     * RFC6962 section 4.1 says we "MUST NOT expect this to be 0", but we
+     * can only construct SCT versions that have been defined.
+     */
+    if (!SCT_set_version(sct, version)) {
+        CTerr(CT_F_SCT_NEW_FROM_BASE64, CT_R_SCT_UNSUPPORTED_VERSION);
+        goto err;
+    }
+    declen = ct_base64_decode(logid_base64, &dec);
+    if (declen < 0) {
+        CTerr(CT_F_SCT_NEW_FROM_BASE64, X509_R_BASE64_DECODE_ERROR);
+        goto err;
+    }
+    if (!SCT_set0_log_id(sct, dec, declen))
+        goto err;
+    dec = NULL;
+    declen = ct_base64_decode(extensions_base64, &dec);
+    if (declen < 0) {
+        CTerr(CT_F_SCT_NEW_FROM_BASE64, X509_R_BASE64_DECODE_ERROR);
+        goto err;
+    }
+    SCT_set0_extensions(sct, dec, declen);
+    dec = NULL;
+    declen = ct_base64_decode(signature_base64, &dec);
+    if (declen < 0) {
+        CTerr(CT_F_SCT_NEW_FROM_BASE64, X509_R_BASE64_DECODE_ERROR);
+        goto err;
+    }
+    p = dec;
+    if (o2i_SCT_signature(sct, &p, declen) <= 0)
+        goto err;
+    OPENSSL_free(dec);
+    dec = NULL;
+    SCT_set_timestamp(sct, timestamp);
+    if (!SCT_set_log_entry_type(sct, entry_type))
+        goto err;
+    return sct;
+ err:
+    OPENSSL_free(dec);
+    SCT_free(sct);
+    return NULL;
+}
+/*
+ * Allocate, build and returns a new |ct_log| from input |pkey_base64|
+ * It returns 1 on success,
+ * 0 on decoding failure, or invalid parameter if any
+ * -1 on internal (malloc) failure
+ */
+int CTLOG_new_from_base64(CTLOG **ct_log, const char *pkey_base64, const char *name)
+{
+    unsigned char *pkey_der = NULL;
+    int pkey_der_len;
+    const unsigned char *p;
+    EVP_PKEY *pkey = NULL;
+    if (ct_log == NULL) {
+        CTerr(CT_F_CTLOG_NEW_FROM_BASE64, ERR_R_PASSED_INVALID_ARGUMENT);
+        return 0;
+    }
+    pkey_der_len = ct_base64_decode(pkey_base64, &pkey_der);
+    if (pkey_der_len < 0) {
+        CTerr(CT_F_CTLOG_NEW_FROM_BASE64, CT_R_LOG_CONF_INVALID_KEY);
+        return 0;
+    }
+    p = pkey_der;
+    pkey = d2i_PUBKEY(NULL, &p, pkey_der_len);
+    OPENSSL_free(pkey_der);
+    if (pkey == NULL) {
+        CTerr(CT_F_CTLOG_NEW_FROM_BASE64, CT_R_LOG_CONF_INVALID_KEY);
+        return 0;
+    }
+    *ct_log = CTLOG_new(pkey, name);
+    if (*ct_log == NULL) {
+        EVP_PKEY_free(pkey);
+        return 0;
+    }
+    return 1;
+}
author	beck <>	2021-10-28 11:21:03 +0000
committer	beck <>	2021-10-28 11:21:03 +0000
commit	75b3e83cc7ac4c558b39a6ff97eee42c60b08f3d (patch)
tree	9ff551b95f548635aaa5da4f2fe4441215e48df4 /src/lib/libcrypto/ct/ct_b64.c
parent	ee22e7c226c205d772141de01defd5c3f92c36a6 (diff)
download	openbsd-75b3e83cc7ac4c558b39a6ff97eee42c60b08f3d.tar.gz openbsd-75b3e83cc7ac4c558b39a6ff97eee42c60b08f3d.tar.bz2 openbsd-75b3e83cc7ac4c558b39a6ff97eee42c60b08f3d.zip

diff --git a/src/lib/libcrypto/ct/ct_b64.c b/src/lib/libcrypto/ct/ct_b64.c new file mode 100644 index 0000000000..4abe11ca29 --- /dev/null +++ b/src/lib/libcrypto/ct/ct_b64.c
@@ -0,0 +1,168 @@
	1	/*
	2	* Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
	3	*
	4	* Licensed under the OpenSSL license (the "License"). You may not use
	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
	8	*/
	9
	10	#include <limits.h>
	11	#include <string.h>
	12
	13	#include <openssl/ct.h>
	14	#include <openssl/err.h>
	15	#include <openssl/evp.h>
	16
	17	#include "ct_local.h"
	18
	19	/*
	20	* Decodes the base64 string \|in\| into \|out\|.
	21	* A new string will be malloc'd and assigned to \|out\|. This will be owned by
	22	* the caller. Do not provide a pre-allocated string in \|out\|.
	23	*/
	24	static int ct_base64_decode(const char in, unsigned char *out)
	25	{
	26	size_t inlen = strlen(in);
	27	int outlen, i;
	28	unsigned char *outbuf = NULL;
	29
	30	if (inlen == 0) {
	31	*out = NULL;
	32	return 0;
	33	}
	34
	35	outlen = (inlen / 4) * 3;
	36	outbuf = OPENSSL_malloc(outlen);
	37	if (outbuf == NULL) {
	38	CTerr(CT_F_CT_BASE64_DECODE, ERR_R_MALLOC_FAILURE);
	39	goto err;
	40	}
	41
	42	outlen = EVP_DecodeBlock(outbuf, (unsigned char *)in, inlen);
	43	if (outlen < 0) {
	44	CTerr(CT_F_CT_BASE64_DECODE, CT_R_BASE64_DECODE_ERROR);
	45	goto err;
	46	}
	47
	48	/* Subtract padding bytes from \|outlen\|. Any more than 2 is malformed. */
	49	i = 0;
	50	while (in[--inlen] == '=') {
	51	--outlen;
	52	if (++i > 2)
	53	goto err;
	54	}
	55
	56	*out = outbuf;
	57	return outlen;
	58	err:
	59	OPENSSL_free(outbuf);
	60	return -1;
	61	}
	62
	63	SCT SCT_new_from_base64(unsigned char version, const char logid_base64,
	64	ct_log_entry_type_t entry_type, uint64_t timestamp,
	65	const char *extensions_base64,
	66	const char *signature_base64)
	67	{
	68	SCT *sct = SCT_new();
	69	unsigned char *dec = NULL;
	70	const unsigned char* p = NULL;
	71	int declen;
	72
	73	if (sct == NULL) {
	74	CTerr(CT_F_SCT_NEW_FROM_BASE64, ERR_R_MALLOC_FAILURE);
	75	return NULL;
	76	}
	77
	78	/*
	79	* RFC6962 section 4.1 says we "MUST NOT expect this to be 0", but we
	80	* can only construct SCT versions that have been defined.
	81	*/
	82	if (!SCT_set_version(sct, version)) {
	83	CTerr(CT_F_SCT_NEW_FROM_BASE64, CT_R_SCT_UNSUPPORTED_VERSION);
	84	goto err;
	85	}
	86
	87	declen = ct_base64_decode(logid_base64, &dec);
	88	if (declen < 0) {
	89	CTerr(CT_F_SCT_NEW_FROM_BASE64, X509_R_BASE64_DECODE_ERROR);
	90	goto err;
	91	}
	92	if (!SCT_set0_log_id(sct, dec, declen))
	93	goto err;
	94	dec = NULL;
	95
	96	declen = ct_base64_decode(extensions_base64, &dec);
	97	if (declen < 0) {
	98	CTerr(CT_F_SCT_NEW_FROM_BASE64, X509_R_BASE64_DECODE_ERROR);
	99	goto err;
	100	}
	101	SCT_set0_extensions(sct, dec, declen);
	102	dec = NULL;
	103
	104	declen = ct_base64_decode(signature_base64, &dec);
	105	if (declen < 0) {
	106	CTerr(CT_F_SCT_NEW_FROM_BASE64, X509_R_BASE64_DECODE_ERROR);
	107	goto err;
	108	}
	109
	110	p = dec;
	111	if (o2i_SCT_signature(sct, &p, declen) <= 0)
	112	goto err;
	113	OPENSSL_free(dec);
	114	dec = NULL;
	115
	116	SCT_set_timestamp(sct, timestamp);
	117
	118	if (!SCT_set_log_entry_type(sct, entry_type))
	119	goto err;
	120
	121	return sct;
	122
	123	err:
	124	OPENSSL_free(dec);
	125	SCT_free(sct);
	126	return NULL;
	127	}
	128
	129	/*
	130	* Allocate, build and returns a new \|ct_log\| from input \|pkey_base64\|
	131	* It returns 1 on success,
	132	* 0 on decoding failure, or invalid parameter if any
	133	* -1 on internal (malloc) failure
	134	*/
	135	int CTLOG_new_from_base64(CTLOG *ct_log, const char pkey_base64, const char *name)
	136	{
	137	unsigned char *pkey_der = NULL;
	138	int pkey_der_len;
	139	const unsigned char *p;
	140	EVP_PKEY *pkey = NULL;
	141
	142	if (ct_log == NULL) {
	143	CTerr(CT_F_CTLOG_NEW_FROM_BASE64, ERR_R_PASSED_INVALID_ARGUMENT);
	144	return 0;
	145	}
	146
	147	pkey_der_len = ct_base64_decode(pkey_base64, &pkey_der);
	148	if (pkey_der_len < 0) {
	149	CTerr(CT_F_CTLOG_NEW_FROM_BASE64, CT_R_LOG_CONF_INVALID_KEY);
	150	return 0;
	151	}
	152
	153	p = pkey_der;
	154	pkey = d2i_PUBKEY(NULL, &p, pkey_der_len);
	155	OPENSSL_free(pkey_der);
	156	if (pkey == NULL) {
	157	CTerr(CT_F_CTLOG_NEW_FROM_BASE64, CT_R_LOG_CONF_INVALID_KEY);
	158	return 0;
	159	}
	160
	161	*ct_log = CTLOG_new(pkey, name);
	162	if (*ct_log == NULL) {
	163	EVP_PKEY_free(pkey);
	164	return 0;
	165	}
	166
	167	return 1;
	168	}