Show the contents of the RFC6962 Signed Certificate Timestamp List Certificate/OCSP...
[openssl.git] / crypto / x509v3 / v3_scts.c
1 /* v3_scts.c */
2 /* Written by Rob Stradling (rob@comodo.com) for the OpenSSL project 2014.
3  */
4 /* ====================================================================
5  * Copyright (c) 2014 The OpenSSL Project.  All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  *
11  * 1. Redistributions of source code must retain the above copyright
12  *    notice, this list of conditions and the following disclaimer. 
13  *
14  * 2. Redistributions in binary form must reproduce the above copyright
15  *    notice, this list of conditions and the following disclaimer in
16  *    the documentation and/or other materials provided with the
17  *    distribution.
18  *
19  * 3. All advertising materials mentioning features or use of this
20  *    software must display the following acknowledgment:
21  *    "This product includes software developed by the OpenSSL Project
22  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
23  *
24  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
25  *    endorse or promote products derived from this software without
26  *    prior written permission. For written permission, please contact
27  *    licensing@OpenSSL.org.
28  *
29  * 5. Products derived from this software may not be called "OpenSSL"
30  *    nor may "OpenSSL" appear in their names without prior written
31  *    permission of the OpenSSL Project.
32  *
33  * 6. Redistributions of any form whatsoever must retain the following
34  *    acknowledgment:
35  *    "This product includes software developed by the OpenSSL Project
36  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
37  *
38  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
39  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
40  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
41  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
42  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
43  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
44  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
45  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
46  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
47  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
48  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
49  * OF THE POSSIBILITY OF SUCH DAMAGE.
50  * ====================================================================
51  *
52  * This product includes cryptographic software written by Eric Young
53  * (eay@cryptsoft.com).  This product includes software written by Tim
54  * Hudson (tjh@cryptsoft.com).
55  *
56  */
57
58
59 #include <stdio.h>
60 #include "cryptlib.h"
61 #include <openssl/asn1.h>
62 #include "o_time.h"
63 #include <openssl/x509v3.h>
64 #include "../ssl/ssl_locl.h"
65
66 static int i2r_scts(X509V3_EXT_METHOD *method, ASN1_OCTET_STRING *oct, BIO *out, int indent);
67
68 const X509V3_EXT_METHOD v3_ct_scts[] = {
69 { NID_ct_precert_scts, 0, ASN1_ITEM_ref(ASN1_OCTET_STRING),
70 0,0,0,0,
71 0,0,0,0,
72 (X509V3_EXT_I2R)i2r_scts, NULL,
73 NULL},
74
75 { NID_ct_cert_scts, 0, ASN1_ITEM_ref(ASN1_OCTET_STRING),
76 0,0,0,0,
77 0,0,0,0,
78 (X509V3_EXT_I2R)i2r_scts, NULL,
79 NULL},
80 };
81
82
83 /* <ripped>
84  * from crypto/asn1/t_x509.c
85  */
86 static const char *mon[12]=
87     {
88     "Jan","Feb","Mar","Apr","May","Jun",
89     "Jul","Aug","Sep","Oct","Nov","Dec"
90     };
91 /* </ripped> */
92
93
94 /* <ripped>
95  * from ssl/t1_lib.c
96  */
97 typedef struct 
98         {
99         int nid;
100         int id;
101         } tls12_lookup;
102
103 static tls12_lookup tls12_md[] = {
104         {NID_md5, TLSEXT_hash_md5},
105         {NID_sha1, TLSEXT_hash_sha1},
106         {NID_sha224, TLSEXT_hash_sha224},
107         {NID_sha256, TLSEXT_hash_sha256},
108         {NID_sha384, TLSEXT_hash_sha384},
109         {NID_sha512, TLSEXT_hash_sha512}
110 };
111
112 static tls12_lookup tls12_sig[] = {
113         {EVP_PKEY_RSA, TLSEXT_signature_rsa},
114         {EVP_PKEY_DSA, TLSEXT_signature_dsa},
115         {EVP_PKEY_EC, TLSEXT_signature_ecdsa}
116 };
117
118 static int tls12_find_nid(int id, tls12_lookup *table, size_t tlen)
119         {
120         size_t i;
121         for (i = 0; i < tlen; i++)
122                 {
123                 if ((table[i].id) == id)
124                         return table[i].nid;
125                 }
126         return NID_undef;
127         }
128
129 /* Convert TLS 1.2 signature algorithm extension values into NIDs */
130 static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid,
131                         int *psignhash_nid, const unsigned char *data)
132         {
133         int sign_nid = 0, hash_nid = 0;
134         if (!phash_nid && !psign_nid && !psignhash_nid)
135                 return;
136         if (phash_nid || psignhash_nid)
137                 {
138                 hash_nid = tls12_find_nid(data[0], tls12_md,
139                                         sizeof(tls12_md)/sizeof(tls12_lookup));
140                 if (phash_nid)
141                         *phash_nid = hash_nid;
142                 }
143         if (psign_nid || psignhash_nid)
144                 {
145                 sign_nid = tls12_find_nid(data[1], tls12_sig,
146                                         sizeof(tls12_sig)/sizeof(tls12_lookup));
147                 if (psign_nid)
148                         *psign_nid = sign_nid;
149                 }
150         if (psignhash_nid)
151                 {
152                 if (sign_nid && hash_nid)
153                         OBJ_find_sigid_by_algs(psignhash_nid,
154                                                         hash_nid, sign_nid);
155                 else
156                         *psignhash_nid = NID_undef;
157                 }
158         }
159 /* </ripped> */
160
161
162 static int i2r_scts(X509V3_EXT_METHOD *method, ASN1_OCTET_STRING *oct,
163              BIO *out, int indent)
164 {
165         BN_ULLONG timestamp;
166         unsigned char* data = oct->data;
167         unsigned short listlen, sctlen, fieldlen, linelen;
168         int signhash_nid;
169         time_t unix_epoch = 0;
170         struct tm tm1;
171
172         if (oct->length < 2)
173                 return 0;
174         n2s(data, listlen);
175         if (listlen != oct->length - 2)
176                 return 0;
177
178         while (listlen > 0) {
179                 if (listlen < 2)
180                         return 0;
181                 n2s(data, sctlen);
182                 listlen -= 2;
183
184                 if ((sctlen < 1) || (sctlen > listlen))
185                         return 0;
186                 listlen -= sctlen;
187
188                 if (*data == 0) {       /* v1 SCT */
189                         /* Fixed-length header:
190                          *              struct {
191                          * (1 byte)       Version sct_version;
192                          * (32 bytes)     LogID id;
193                          * (8 bytes)      uint64 timestamp;
194                          * (2 bytes + ?)  CtExtensions extensions;
195                          */
196                         if (sctlen < 43)
197                                 return 0;
198                         sctlen -= 43;
199
200                         BIO_printf(out, "\n%*sVersion   : v1(0)", indent, "");
201
202                         BIO_printf(out, "\n%*sLog ID    : ", indent, "");
203                         BIO_printf(out, "%s:", hex_to_string(data + 1, 16));
204                         BIO_printf(out, "\n%*s            ", indent, "");
205                         BIO_printf(out, "%s", hex_to_string(data + 17, 16));
206
207                         data += 33;
208                         n2l8(data, timestamp);
209                         OPENSSL_gmtime(&unix_epoch, &tm1);
210                         OPENSSL_gmtime_adj(&tm1, timestamp / 86400000,
211                                                 (timestamp % 86400000) / 1000);
212                         BIO_printf(out, "\n%*sTimestamp : ", indent, "");
213                         BIO_printf(out, "%s %2d %02d:%02d:%02d.%03u %d UTC",
214                                    mon[tm1.tm_mon], tm1.tm_mday, tm1.tm_hour,
215                                    tm1.tm_min, tm1.tm_sec,
216                                    (unsigned int)(timestamp % 1000),
217                                    tm1.tm_year + 1900);
218
219                         n2s(data, fieldlen);
220                         if (sctlen < fieldlen)
221                                 return 0;
222                         sctlen -= fieldlen;
223                         BIO_printf(out, "\n%*sExtensions:", indent, "");
224                         if (fieldlen == 0)
225                                 BIO_printf(out, " none");
226                         for (linelen = 16; fieldlen > 0; ) {
227                                 if (linelen > fieldlen)
228                                         linelen = fieldlen;
229                                 BIO_printf(out, "\n%*s       ", indent, "");
230                                 BIO_printf(out, "%s",
231                                            hex_to_string(data, linelen));
232                                 if (fieldlen > 16)
233                                         BIO_printf(out, ":");
234                                 data += linelen;
235                                 fieldlen -= linelen;
236                         }
237
238                         /* digitally-signed struct header:
239                          * (1 byte) Hash algorithm
240                          * (1 byte) Signature algorithm
241                          * (2 bytes + ?) Signature
242                          */
243                         if (sctlen < 4)
244                                 return 0;
245                         sctlen -= 4;
246
247                         tls1_lookup_sigalg(NULL, NULL, &signhash_nid, data);
248                         data += 2;
249                         n2s(data, fieldlen);
250                         if (sctlen != fieldlen)
251                                 return 0;
252                         BIO_printf(out, "\n%*sSignature : ", indent, "");
253                         BIO_printf(out, "%s", OBJ_nid2ln(signhash_nid));
254                         for (linelen = 16; fieldlen > 0; ) {
255                                 if (linelen > fieldlen)
256                                         linelen = fieldlen;
257                                 BIO_printf(out, "\n%*s            ", indent,
258                                            "");
259                                 BIO_printf(out, "%s",
260                                            hex_to_string(data, linelen));
261                                 if (fieldlen > 16)
262                                         BIO_printf(out, ":");
263                                 data += linelen;
264                                 fieldlen -= linelen;
265                         }
266
267                         BIO_printf(out, "\n");
268                 }
269         }
270
271         return 1;
272 }