wbrawner/openssl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add more CT utility routines to be used as part of larger patch.

Browse source 
Reviewed-by: Ben Laurie <ben@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
This commit is contained in:
Adam Eijdenberg 2015-12-04 10:49:14 -08:00 committed by Rich Salz
parent 5d3222876e
commit 5ad29c5408
10 changed files with 896 additions and 307 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
crypto/ct/Makefile.in
View file

@ -15,8 +15,8 @@ CFLAGS= $(INCLUDES) $(CFLAG) $(SHARED_CFLAG)
GENERAL=Makefile
LIB=$(TOP)/libcrypto.a
LIBSRC= ct_lib.c ct_err.c
LIBOBJ= ct_lib.o ct_err.o
LIBSRC= ct_lib.c ct_err.c ct_oct.c ct_prn.c
LIBOBJ= ct_lib.o ct_err.o ct_oct.o ct_prn.o
SRC= $(LIBSRC)

19
crypto/ct/ct_err.c
View file

@ -1,5 +1,6 @@
/* ct_err.c */
/* ====================================================================
* Copyright (c) 1999-2015 The OpenSSL Project. All rights reserved.
* Copyright (c) 1999-2016 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@ -69,16 +70,32 @@
# define ERR_REASON(reason) ERR_PACK(ERR_LIB_CT,0,reason)
static ERR_STRING_DATA CT_str_functs[] = {
{ERR_FUNC(CT_F_D2I_SCT_LIST), "d2i_SCT_LIST"},
{ERR_FUNC(CT_F_I2D_SCT_LIST), "i2d_SCT_LIST"},
{ERR_FUNC(CT_F_I2O_SCT), "i2o_SCT"},
{ERR_FUNC(CT_F_I2O_SCT_LIST), "i2o_SCT_LIST"},
{ERR_FUNC(CT_F_I2O_SCT_SIGNATURE), "i2o_SCT_signature"},
{ERR_FUNC(CT_F_O2I_SCT), "o2i_SCT"},
{ERR_FUNC(CT_F_O2I_SCT_LIST), "o2i_SCT_LIST"},
{ERR_FUNC(CT_F_O2I_SCT_SIGNATURE), "o2i_SCT_signature"},
{ERR_FUNC(CT_F_SCT_NEW), "SCT_new"},
{ERR_FUNC(CT_F_SCT_SET0_LOG_ID), "SCT_set0_log_id"},
{ERR_FUNC(CT_F_SCT_SET1_EXTENSIONS), "SCT_set1_extensions"},
{ERR_FUNC(CT_F_SCT_SET1_LOG_ID), "SCT_set1_log_id"},
{ERR_FUNC(CT_F_SCT_SET1_SIGNATURE), "SCT_set1_signature"},
{ERR_FUNC(CT_F_SCT_SET_LOG_ENTRY_TYPE), "SCT_set_log_entry_type"},
{ERR_FUNC(CT_F_SCT_SET_SIGNATURE_NID), "SCT_set_signature_nid"},
{ERR_FUNC(CT_F_SCT_SET_VERSION), "SCT_set_version"},
{ERR_FUNC(CT_F_SCT_SIGNATURE_IS_VALID), "SCT_signature_is_valid"},
{0, NULL}
};
static ERR_STRING_DATA CT_str_reasons[] = {
{ERR_REASON(CT_R_INVALID_LOG_ID_LENGTH), "invalid log id length"},
{ERR_REASON(CT_R_SCT_INVALID), "sct invalid"},
{ERR_REASON(CT_R_SCT_INVALID_SIGNATURE), "sct invalid signature"},
{ERR_REASON(CT_R_SCT_LIST_INVALID), "sct list invalid"},
{ERR_REASON(CT_R_SCT_NOT_SET), "sct not set"},
{ERR_REASON(CT_R_UNRECOGNIZED_SIGNATURE_NID),
"unrecognized signature nid"},
{ERR_REASON(CT_R_UNSUPPORTED_ENTRY_TYPE), "unsupported entry type"},

72
crypto/ct/ct_lib.c
View file

@ -77,7 +77,7 @@ SCT *SCT_new(void)
void SCT_free(SCT *sct)
{
if (sct) {
if (sct != NULL) {
OPENSSL_free(sct->log_id);
OPENSSL_free(sct->ext);
OPENSSL_free(sct->sig);
@ -119,6 +119,31 @@ int SCT_set0_log_id(SCT *sct, unsigned char *log_id, size_t log_id_len)
return 1;
}
int SCT_set1_log_id(SCT *sct, const unsigned char *log_id, size_t log_id_len)
{
/* Currently only SHA-256 allowed so length must be SCT_V1_HASHLEN */
if (log_id_len != SCT_V1_HASHLEN) {
CTerr(CT_F_SCT_SET1_LOG_ID, CT_R_INVALID_LOG_ID_LENGTH);
return 0;
}
OPENSSL_free(sct->log_id);
if (log_id == NULL || log_id_len == 0) {
sct->log_id = NULL;
} else {
sct->log_id = OPENSSL_memdup(log_id, log_id_len);
if (sct->log_id == NULL) {
CTerr(CT_F_SCT_SET1_LOG_ID, ERR_R_MALLOC_FAILURE);
return 0;
}
}
sct->log_id_len = log_id_len;
return 1;
}
void SCT_set_timestamp(SCT *sct, uint64_t timestamp)
{
sct->timestamp = timestamp;
@ -148,6 +173,23 @@ void SCT_set0_extensions(SCT *sct, unsigned char *ext, size_t ext_len)
sct->ext_len = ext_len;
}
int SCT_set1_extensions(SCT *sct, const unsigned char *ext, size_t ext_len)
{
OPENSSL_free(sct->ext);
sct->ext = NULL;
sct->ext_len = 0;
if (ext != NULL && ext_len > 0) {
sct->ext = OPENSSL_memdup(ext, ext_len);
if (sct->ext == NULL) {
CTerr(CT_F_SCT_SET1_EXTENSIONS, ERR_R_MALLOC_FAILURE);
return 0;
}
sct->ext_len = ext_len;
}
return 1;
}
void SCT_set0_signature(SCT *sct, unsigned char *sig, size_t sig_len)
{
OPENSSL_free(sct->sig);
@ -155,6 +197,22 @@ void SCT_set0_signature(SCT *sct, unsigned char *sig, size_t sig_len)
sct->sig_len = sig_len;
}
int SCT_set1_signature(SCT *sct, const unsigned char *sig, size_t sig_len)
{
OPENSSL_free(sct->sig);
if (sig == NULL || sig_len == 0) {
sct->sig = NULL;
} else {
sct->sig = OPENSSL_memdup(sig, sig_len);
if (sct->sig == NULL) {
CTerr(CT_F_SCT_SET1_SIGNATURE, ERR_R_MALLOC_FAILURE);
return 0;
}
}
sct->sig_len = sig_len;
return 1;
}
sct_version_t SCT_get_version(const SCT *sct)
{
return sct->version;
@ -205,4 +263,16 @@ size_t SCT_get0_signature(const SCT *sct, unsigned char **sig)
return sct->sig_len;
}
int SCT_is_valid(const SCT *sct)
{
switch (sct->version) {
case UNSET_VERSION:
return 0;
case SCT_V1:
return sct->log_id != NULL && SCT_signature_is_valid(sct);
default:
return sct->sct != NULL; /* Just need cached encoding */
}
}
#endif

535
crypto/ct/ct_oct.c Normal file
View file

@ -0,0 +1,535 @@
/*
* Written by Rob Stradling (rob@comodo.com) and Stephen Henson
* (steve@openssl.org) for the OpenSSL project 2014.
*/
/* ====================================================================
* Copyright (c) 2014 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* licensing@OpenSSL.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
#ifndef OPENSSL_NO_CT
# include <limits.h>
# include "internal/cryptlib.h"
# include <openssl/asn1.h>
# include <openssl/evp.h>
# include <openssl/x509.h>
# include <openssl/x509v3.h>
# include "crypto/include/internal/ct_int.h"
# define n2s(c,s) ((s=(((unsigned int)((c)[0]))<< 8)| \
(((unsigned int)((c)[1])) )),c+=2)
# define s2n(s,c) ((c[0]=(unsigned char)(((s)>> 8)&0xff), \
c[1]=(unsigned char)(((s) )&0xff)),c+=2)
# define n2l8(c,l) (l =((uint64_t)(*((c)++)))<<56, \
l|=((uint64_t)(*((c)++)))<<48, \
l|=((uint64_t)(*((c)++)))<<40, \
l|=((uint64_t)(*((c)++)))<<32, \
l|=((uint64_t)(*((c)++)))<<24, \
l|=((uint64_t)(*((c)++)))<<16, \
l|=((uint64_t)(*((c)++)))<< 8, \
l|=((uint64_t)(*((c)++))))
# define l2n8(l,c) (*((c)++)=(unsigned char)(((l)>>56)&0xff), \
*((c)++)=(unsigned char)(((l)>>48)&0xff), \
*((c)++)=(unsigned char)(((l)>>40)&0xff), \
*((c)++)=(unsigned char)(((l)>>32)&0xff), \
*((c)++)=(unsigned char)(((l)>>24)&0xff), \
*((c)++)=(unsigned char)(((l)>>16)&0xff), \
*((c)++)=(unsigned char)(((l)>> 8)&0xff), \
*((c)++)=(unsigned char)(((l) )&0xff))
static STACK_OF(SCT) *d2i_SCT_LIST(STACK_OF(SCT) **a,
const unsigned char **pp, int len);
static int i2d_SCT_LIST(STACK_OF(SCT) *a, unsigned char **pp);
static int i2r_SCT_LIST(X509V3_EXT_METHOD *method, STACK_OF(SCT) *sct_list,
BIO *out, int indent);
static char *i2s_poison(const X509V3_EXT_METHOD *method, void *val)
{
return OPENSSL_strdup("NULL");
}
const X509V3_EXT_METHOD v3_ct_scts[] = {
{ NID_ct_precert_scts, 0, NULL,
0, (X509V3_EXT_FREE)SCT_LIST_free,
(X509V3_EXT_D2I)d2i_SCT_LIST, (X509V3_EXT_I2D)i2d_SCT_LIST,
0, 0, 0, 0,
(X509V3_EXT_I2R)i2r_SCT_LIST, 0,
NULL },
{ NID_ct_precert_poison, 0, ASN1_ITEM_ref(ASN1_NULL),
0, 0, 0, 0, i2s_poison, 0,
0, 0, 0, 0, NULL },
{ NID_ct_cert_scts, 0, NULL,
0, (X509V3_EXT_FREE)SCT_LIST_free,
(X509V3_EXT_D2I)d2i_SCT_LIST, (X509V3_EXT_I2D)i2d_SCT_LIST,
0, 0, 0, 0,
(X509V3_EXT_I2R)i2r_SCT_LIST, 0,
NULL },
};
int SCT_signature_is_valid(const SCT *sct)
{
if (SCT_get_signature_nid(sct) == NID_undef ||
sct->sig_len == 0 || sct->sig == NULL) {
return 0;
}
return 1;
}
int o2i_SCT_signature(SCT *sct, const unsigned char **in, size_t len)
{
size_t siglen;
size_t len_remaining = len;
const unsigned char *p = *in;
if (sct->version != SCT_V1) {
CTerr(CT_F_O2I_SCT_SIGNATURE, CT_R_UNSUPPORTED_VERSION);
return -1;
}
/*
* digitally-signed struct header: (1 byte) Hash algorithm (1 byte)
* Signature algorithm (2 bytes + ?) Signature
*
* This explicitly rejects empty signatures: they're invalid for
* all supported algorithms.
*/
if (len <= 4) {
CTerr(CT_F_O2I_SCT_SIGNATURE, CT_R_SCT_INVALID_SIGNATURE);
return -1;
}
/* Get hash and signature algorithm */
sct->hash_alg = *p++;
sct->sig_alg = *p++;
if (SCT_get_signature_nid(sct) == NID_undef) {
CTerr(CT_F_O2I_SCT_SIGNATURE, CT_R_SCT_INVALID_SIGNATURE);
return -1;
}
/* Retrieve signature and check it is consistent with the buffer length */
n2s(p, siglen);
len_remaining -= (p - *in);
if (siglen > len_remaining) {
CTerr(CT_F_O2I_SCT_SIGNATURE, CT_R_SCT_INVALID_SIGNATURE);
return -1;
}
if (SCT_set1_signature(sct, p, siglen) != 1)
return -1;
len_remaining -= siglen;
*in = p + siglen;
return len - len_remaining;
}
SCT *o2i_SCT(SCT **psct, const unsigned char **in, size_t len)
{
SCT *sct = NULL;
const unsigned char *p;
if (len == 0 || len > MAX_SCT_SIZE) {
CTerr(CT_F_O2I_SCT, CT_R_SCT_INVALID);
goto err;
}
if ((sct = SCT_new()) == NULL)
goto err;
p = *in;
sct->version = *p;
if (sct->version == SCT_V1) {
int sig_len;
size_t len2;
/*
* Fixed-length header: struct { (1 byte) Version sct_version; (32
* bytes) log_id id; (8 bytes) uint64 timestamp; (2 bytes + ?)
* CtExtensions extensions;
*/
if (len < 43) {
CTerr(CT_F_O2I_SCT, CT_R_SCT_INVALID);
goto err;
}
len -= 43;
p++;
sct->log_id = BUF_memdup(p, SCT_V1_HASHLEN);
if (sct->log_id == NULL)
goto err;
sct->log_id_len = SCT_V1_HASHLEN;
p += SCT_V1_HASHLEN;
n2l8(p, sct->timestamp);
n2s(p, len2);
if (len < len2) {
CTerr(CT_F_O2I_SCT, CT_R_SCT_INVALID);
goto err;
}
if (len2 > 0) {
sct->ext = BUF_memdup(p, len2);
if (sct->ext == NULL)
goto err;
}
sct->ext_len = len2;
p += len2;
len -= len2;
sig_len = o2i_SCT_signature(sct, &p, len);
if (sig_len <= 0) {
CTerr(CT_F_O2I_SCT, CT_R_SCT_INVALID);
goto err;
}
len -= sig_len;
*in = p + len;
} else {
/* If not V1 just cache encoding */
sct->sct = BUF_memdup(p, len);
if (sct->sct == NULL)
goto err;
sct->sct_len = len;
*in = p + len;
}
if (psct != NULL) {
SCT_free(*psct);
*psct = sct;
}
return sct;
err:
SCT_free(sct);
return NULL;
}
int i2o_SCT_signature(const SCT *sct, unsigned char **out)
{
size_t len;
unsigned char *p = NULL;
if (!SCT_signature_is_valid(sct)) {
CTerr(CT_F_I2O_SCT_SIGNATURE, CT_R_SCT_INVALID_SIGNATURE);
goto err;
}
if (sct->version != SCT_V1) {
CTerr(CT_F_I2O_SCT_SIGNATURE, CT_R_UNSUPPORTED_VERSION);
goto err;
}
/*
* (1 byte) Hash algorithm
* (1 byte) Signature algorithm
* (2 bytes + ?) Signature
*/
len = 4 + sct->sig_len;
if (out != NULL) {
if (*out != NULL) {
p = *out;
*out += len;
} else {
p = OPENSSL_malloc(len);
if (p == NULL) {
CTerr(CT_F_I2O_SCT_SIGNATURE, ERR_R_MALLOC_FAILURE);
goto err;
}
*out = p;
}
*p++ = sct->hash_alg;
*p++ = sct->sig_alg;
s2n(sct->sig_len, p);
memcpy(p, sct->sig, sct->sig_len);
}
return len;
err:
OPENSSL_free(p);
return -1;
}
int i2o_SCT(const SCT *sct, unsigned char **out)
{
size_t len;
unsigned char *p = NULL;
if (!SCT_is_valid(sct)) {
CTerr(CT_F_I2O_SCT, CT_R_SCT_NOT_SET);
goto err;
}
/*
* Fixed-length header: struct { (1 byte) Version sct_version; (32 bytes)
* log_id id; (8 bytes) uint64 timestamp; (2 bytes + ?) CtExtensions
* extensions; (1 byte) Hash algorithm (1 byte) Signature algorithm (2
* bytes + ?) Signature
*/
if (sct->version == SCT_V1)
len = 43 + sct->ext_len + 4 + sct->sig_len;
else
len = sct->sct_len;
if (out == NULL)
return len;
if (*out != NULL) {
p = *out;
*out += len;
} else {
p = OPENSSL_malloc(len);
if (p == NULL) {
CTerr(CT_F_I2O_SCT, ERR_R_MALLOC_FAILURE);
goto err;
}
*out = p;
}
if (sct->version == SCT_V1) {
*p++ = sct->version;
memcpy(p, sct->log_id, SCT_V1_HASHLEN);
p += SCT_V1_HASHLEN;
l2n8(sct->timestamp, p);
s2n(sct->ext_len, p);
if (sct->ext_len > 0) {
memcpy(p, sct->ext, sct->ext_len);
p += sct->ext_len;
}
if (i2o_SCT_signature(sct, &p) <= 0)
goto err;
} else {
memcpy(p, sct->sct, len);
}
return len;
err:
OPENSSL_free(p);
return -1;
}
void SCT_LIST_free(STACK_OF(SCT) *a)
{
sk_SCT_pop_free(a, SCT_free);
}
STACK_OF(SCT) *o2i_SCT_LIST(STACK_OF(SCT) **a, const unsigned char **pp,
size_t len)
{
STACK_OF(SCT) *sk = NULL;
size_t list_len, sct_len;
if (len < 2 || len > MAX_SCT_LIST_SIZE) {
CTerr(CT_F_O2I_SCT_LIST, CT_R_SCT_LIST_INVALID);
return NULL;
}
n2s(*pp, list_len);
if (list_len != len - 2) {
CTerr(CT_F_O2I_SCT_LIST, CT_R_SCT_LIST_INVALID);
return NULL;
}
if (a == NULL || *a == NULL) {
sk = sk_SCT_new_null();
if (sk == NULL)
return NULL;
} else {
SCT *sct;
/* Use the given stack, but empty it first. */
sk = *a;
while ((sct = sk_SCT_pop(sk)) != NULL)
SCT_free(sct);
}
while (list_len > 0) {
SCT *sct;
if (list_len < 2) {
CTerr(CT_F_O2I_SCT_LIST, CT_R_SCT_LIST_INVALID);
goto err;
}
n2s(*pp, sct_len);
list_len -= 2;
if (sct_len == 0 || sct_len > list_len) {
CTerr(CT_F_O2I_SCT_LIST, CT_R_SCT_LIST_INVALID);
goto err;
}
list_len -= sct_len;
if ((sct = o2i_SCT(NULL, pp, sct_len)) == NULL)
goto err;
if (!sk_SCT_push(sk, sct)) {
SCT_free(sct);
goto err;
}
}
if (a != NULL && *a == NULL)
*a = sk;
return sk;
err:
if (a == NULL || *a == NULL)
SCT_LIST_free(sk);
return NULL;
}
int i2o_SCT_LIST(STACK_OF(SCT) *a, unsigned char **pp)
{
int len, sct_len, i, is_pp_new = 0;
size_t len2;
unsigned char *p = NULL, *p2;
if (pp != NULL) {
if (*pp == NULL) {
if ((len = i2o_SCT_LIST(a, NULL)) == -1) {
CTerr(CT_F_I2O_SCT_LIST, CT_R_SCT_LIST_INVALID);
return -1;
}
if ((*pp = OPENSSL_malloc(len)) == NULL) {
CTerr(CT_F_I2O_SCT_LIST, ERR_R_MALLOC_FAILURE);
return -1;
}
is_pp_new = 1;
}
p = *pp + 2;
}
len2 = 2;
for (i = 0; i < sk_SCT_num(a); i++) {
if (pp != NULL) {
p2 = p;
p += 2;
if ((sct_len = i2o_SCT(sk_SCT_value(a, i), &p)) == -1)
goto err;
s2n(sct_len, p2);
} else {
if ((sct_len = i2o_SCT(sk_SCT_value(a, i), NULL)) == -1)
goto err;
}
len2 += 2 + sct_len;
}
if (len2 > MAX_SCT_LIST_SIZE)
goto err;
if (pp != NULL) {
p = *pp;
s2n(len2 - 2, p);
}
if (!is_pp_new)
*pp += len2;
return len2;
err:
if (is_pp_new) {
OPENSSL_free(*pp);
*pp = NULL;
}
return -1;
}
static STACK_OF(SCT) *d2i_SCT_LIST(STACK_OF(SCT) **a,
const unsigned char **pp, int len)
{
ASN1_OCTET_STRING *oct = NULL;
STACK_OF(SCT) *sk = NULL;
const unsigned char *p;
p = *pp;
if (d2i_ASN1_OCTET_STRING(&oct, &p, len) == NULL)
return NULL;
p = oct->data;
if ((sk = o2i_SCT_LIST(a, &p, oct->length)) != NULL)
*pp += len;
ASN1_OCTET_STRING_free(oct);
return sk;
}
static int i2d_SCT_LIST(STACK_OF(SCT) *a, unsigned char **out)
{
ASN1_OCTET_STRING oct;
int len;
oct.data = NULL;
if ((oct.length = i2o_SCT_LIST(a, &oct.data)) == -1)
return -1;
len = i2d_ASN1_OCTET_STRING(&oct, out);
OPENSSL_free(oct.data);
return len;
}
static int i2r_SCT_LIST(X509V3_EXT_METHOD *method, STACK_OF(SCT) *sct_list,
BIO *out, int indent)
{
int i;
for (i = 0; i < sk_SCT_num(sct_list); ++i) {
SCT *sct = sk_SCT_value(sct_list, i);
SCT_print(sct, out, indent);
if (i < sk_SCT_num(sct_list) - 1)
BIO_printf(out, "\n");
}
return 1;
}
#endif

129
crypto/ct/ct_prn.c Normal file
View file

@ -0,0 +1,129 @@
/*
* Written by Rob Stradling (rob@comodo.com) and Stephen Henson
* (steve@openssl.org) for the OpenSSL project 2014.
*/
/* ====================================================================
* Copyright (c) 2014 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* licensing@OpenSSL.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
#ifndef OPENSSL_NO_CT
# include <limits.h>
# include "internal/cryptlib.h"
# include <openssl/asn1.h>
# include <openssl/evp.h>
# include <openssl/x509.h>
# include <openssl/x509v3.h>
# include "crypto/include/internal/ct_int.h"
static void sct_sigalg_print(BIO *out, const SCT *sct)
{
int nid = SCT_get_signature_nid(sct);
if (nid <= 0)
BIO_printf(out, "%02X%02X", sct->hash_alg, sct->sig_alg);
else
BIO_printf(out, "%s", OBJ_nid2ln(nid));
}
static void timestamp_print(BIO *out, uint64_t timestamp)
{
ASN1_GENERALIZEDTIME *gen = ASN1_GENERALIZEDTIME_new();
char genstr[20];
ASN1_GENERALIZEDTIME_adj(gen, (time_t)0,
(int)(timestamp / 86400000),
(timestamp % 86400000) / 1000);
/*
* Note GeneralizedTime from ASN1_GENERALIZETIME_adj is always 15
* characters long with a final Z. Update it with fractional seconds.
*/
BIO_snprintf(genstr, sizeof(genstr), "%.14s.%03dZ",
ASN1_STRING_data(gen), (unsigned int)(timestamp % 1000));
ASN1_GENERALIZEDTIME_set_string(gen, genstr);
ASN1_GENERALIZEDTIME_print(out, gen);
ASN1_GENERALIZEDTIME_free(gen);
}
void SCT_print(SCT *sct, BIO *out, int indent)
{
BIO_printf(out, "%*sSigned Certificate Timestamp:", indent, "");
BIO_printf(out, "\n%*sVersion : ", indent + 4, "");
if (sct->version != SCT_V1) {
BIO_printf(out, "unknown\n%*s", indent + 16, "");
BIO_hex_string(out, indent + 16, 16, sct->sct, sct->sct_len);
return;
}
BIO_printf(out, "v1 (0x0)");
BIO_printf(out, "\n%*sLog ID : ", indent + 4, "");
BIO_hex_string(out, indent + 16, 16, sct->log_id, sct->log_id_len);
BIO_printf(out, "\n%*sTimestamp : ", indent + 4, "");
timestamp_print(out, sct->timestamp);
BIO_printf(out, "\n%*sExtensions: ", indent + 4, "");
if (sct->ext_len == 0)
BIO_printf(out, "none");
else
BIO_hex_string(out, indent + 16, 16, sct->ext, sct->ext_len);
BIO_printf(out, "\n%*sSignature : ", indent + 4, "");
sct_sigalg_print(out, sct);
BIO_printf(out, "\n%*s ", indent + 4, "");
BIO_hex_string(out, indent + 16, 16, sct->sig, sct->sig_len);
}
#endif

138
crypto/include/internal/ct_int.h
View file

@ -60,6 +60,8 @@ extern "C" {
# ifndef OPENSSL_NO_CT
# include <openssl/x509v3.h>
/* All hashes are currently SHA256 */
# define SCT_V1_HASHLEN 32
/* Minimum RSA key size, from RFC6962 */
@ -105,6 +107,7 @@ typedef struct {
uint64_t timestamp;
unsigned char *ext;
size_t ext_len;
/* TODO(robpercival): Extract the following 4 fields into a struct */
unsigned char hash_alg;
unsigned char sig_alg;
unsigned char *sig;
@ -115,6 +118,8 @@ typedef struct {
DEFINE_STACK_OF(SCT)
extern const X509V3_EXT_METHOD v3_ct_scts[];
/*
* Allocate new SCT.
* Caller is responsible for calling SCT_free when done.
@ -139,12 +144,19 @@ int SCT_set_version(SCT *sct, sct_version_t version);
int SCT_set_log_entry_type(SCT *sct, log_entry_type_t entry_type);
/*
* Set the log id of an SCT to point directly to the *log_id specified.
* Set the log ID of an SCT to point directly to the *log_id specified.
* The SCT takes ownership of the specified pointer.
* Returns 1 on success.
*/
int SCT_set0_log_id(SCT *sct, unsigned char *log_id, size_t log_id_len);
/*
* Set the log ID of an SCT.
* This makes a copy of the log_id.
* Returns 1 on success.
*/
int SCT_set1_log_id(SCT *sct, const unsigned char *log_id, size_t log_id_len);
/*
* Set the timestamp of an SCT.
*/
@ -163,12 +175,25 @@ int SCT_set_signature_nid(SCT *sct, int nid);
*/
void SCT_set0_extensions(SCT *sct, unsigned char *ext, size_t ext_len);
/*
* Set the extensions of an SCT.
* This takes a copy of the ext.
* Returns 1 on success.
*/
int SCT_set1_extensions(SCT *sct, const unsigned char *ext, size_t ext_len);
/*
* Set the signature of an SCT to point directly to the *sig specified.
* The SCT takes ownership of the specified pointer.
*/
void SCT_set0_signature(SCT *sct, unsigned char *sig, size_t sig_len);
/*
* Set the signature of an SCT to be a copy of the *sig specified.
* Returns 1 on success.
*/
int SCT_set1_signature(SCT *sct, const unsigned char *sig, size_t sig_len);
/*
* Returns the version of the SCT.
*/
@ -212,6 +237,101 @@ size_t SCT_get0_extensions(const SCT *sct, unsigned char **ext);
*/
size_t SCT_get0_signature(const SCT *sct, unsigned char **sig);
/*
* Pretty-print debug information about a SCT, indented as specified.
*/
void SCT_print(SCT *sct, BIO *out, int indent);
/*
* Does this SCT have the minimum fields populated to be valid?
* Returns 1 if so, 0 otherwise.
* This does not verify the SCT signature.
*/
int SCT_is_valid(const SCT *sct);
/*
* Is the signature of this SCT valid?
* Returns 1 if so, 0 otherwise.
* This checks that the signature and hash algorithms are supported and that the
* signature field is set.
*/
int SCT_signature_is_valid(const SCT *sct);
/*
* Free a stack of SCTs, and the underlying SCTs themselves.
* Intended to be compatible with X509V3_EXT_FREE.
*/
void SCT_LIST_free(STACK_OF(SCT) *a);
/*
* Serialize (to TLS format) a stack of SCTs and return the length.
* "a" must not be NULL.
* If "pp" is NULL, just return the length of what would have been serialized.
* If "pp" is not NULL and "*pp" is null, function will allocate a new pointer
* for data that caller is responsible for freeing (only if function returns
* successfully).
* If "pp" is NULL and "*pp" is not NULL, caller is responsible for ensuring
* that "*pp" is large enough to accept all of the serializied data.
* Returns < 0 on error, >= 0 indicating bytes written (or would have been)
* on success.
*/
int i2o_SCT_LIST(STACK_OF(SCT) *a, unsigned char **pp);
/*
* Parses an SCT signature in TLS format and populates the |sct| with it.
* |in| should be a pointer to a string contianing the TLS-format signature.
* |in| will be advanced to the end of the signature if parsing succeeds.
* |len| should be the length of the signature in |in|.
* Returns the number of bytes parsed, or a negative integer if an error occurs.
*/
int o2i_SCT_signature(SCT *sct, const unsigned char **in, size_t len);
/*
* Parses an SCT in TLS format and returns it.
* If |psct| is not null, it will end up pointing to the parsed SCT. If it
* already points to a non-null pointer, the pointer will be free'd.
* |in| should be a pointer to a string contianing the TLS-format SCT.
* |in| will be advanced to the end of the SCT if parsing succeeds.
* |len| should be the length of the SCT in |in|.
* Returns NULL if an error occurs.
* If the SCT is an unsupported version, only the SCT's 'sct' and 'sct_len'
* fields will be populated (with |in| and |len| respectively).
*/
SCT *o2i_SCT(SCT **psct, const unsigned char **in, size_t len);
/*
* Converts an |sct| signature into TLS format and writes it to |out|.
* If |out| is null, no signature will be output but the length will be returned.
* If |out| points to a null pointer, a string will be allocated to hold the
* TLS-format signature. It is the responsibility of the caller to free it.
* If |out| points to an allocated string, the signature will be written to it.
* The length of the signature in TLS format will be returned.
*/
int i2o_SCT_signature(const SCT *sct, unsigned char **out);
/*
* Converts an |sct| into TLS format and writes it to |out|.
* If |out| is null, no SCT will be output but the length will still be returned.
* If |out| points to a null pointer, a string will be allocated to hold the
* TLS-format SCT. It is the responsibility of the caller to free it.
* If |out| points to an allocated string, the TLS-format SCT will be written
* to it.
* The length of the SCT in TLS format will be returned.
*/
int i2o_SCT(const SCT *sct, unsigned char **out);
/*
* Convert TLS format SCT list to a stack of SCTs.
* If "a" or "*a" is NULL, a new stack will be created that the caller is
* responsible for freeing (by calling SCT_LIST_free).
* "**pp" and "*pp" must not be NULL.
* Upon success, "*pp" will point to after the last bytes read, and a stack
* will be returned.
* Upon failure, a NULL pointer will be returned, and the position of "*p" is
* not defined.
*/
STACK_OF(SCT) *o2i_SCT_LIST(STACK_OF(SCT) **a, const unsigned char **pp,
size_t len);
# endif
@ -225,14 +345,30 @@ void ERR_load_CT_strings(void);
/* Error codes for the CT functions. */
/* Function codes. */
# define CT_F_D2I_SCT_LIST 105
# define CT_F_I2D_SCT_LIST 106
# define CT_F_I2O_SCT 107
# define CT_F_I2O_SCT_LIST 108
# define CT_F_I2O_SCT_SIGNATURE 109
# define CT_F_O2I_SCT 110
# define CT_F_O2I_SCT_LIST 111
# define CT_F_O2I_SCT_SIGNATURE 112
# define CT_F_SCT_NEW 100
# define CT_F_SCT_SET0_LOG_ID 101
# define CT_F_SCT_SET1_EXTENSIONS 114
# define CT_F_SCT_SET1_LOG_ID 115
# define CT_F_SCT_SET1_SIGNATURE 116
# define CT_F_SCT_SET_LOG_ENTRY_TYPE 102
# define CT_F_SCT_SET_SIGNATURE_NID 103
# define CT_F_SCT_SET_VERSION 104
# define CT_F_SCT_SIGNATURE_IS_VALID 113
/* Reason codes. */
# define CT_R_INVALID_LOG_ID_LENGTH 100
# define CT_R_SCT_INVALID 104
# define CT_R_SCT_INVALID_SIGNATURE 107
# define CT_R_SCT_LIST_INVALID 105
# define CT_R_SCT_NOT_SET 106
# define CT_R_UNRECOGNIZED_SIGNATURE_NID 101
# define CT_R_UNSUPPORTED_ENTRY_TYPE 102
# define CT_R_UNSUPPORTED_VERSION 103

4
crypto/x509v3/Makefile.in
View file

@ -20,13 +20,13 @@ v3_prn.c v3_utl.c v3err.c v3_genn.c v3_alt.c v3_skey.c v3_akey.c v3_pku.c \
v3_int.c v3_enum.c v3_sxnet.c v3_cpols.c v3_crld.c v3_purp.c v3_info.c \
v3_akeya.c v3_pmaps.c v3_pcons.c v3_ncons.c v3_pcia.c v3_pci.c \
pcy_cache.c pcy_node.c pcy_data.c pcy_map.c pcy_tree.c pcy_lib.c \
v3_asid.c v3_addr.c v3_scts.c v3_tlsf.c
v3_asid.c v3_addr.c v3_tlsf.c
LIBOBJ= v3_bcons.o v3_bitst.o v3_conf.o v3_extku.o v3_ia5.o v3_lib.o \
v3_prn.o v3_utl.o v3err.o v3_genn.o v3_alt.o v3_skey.o v3_akey.o v3_pku.o \
v3_int.o v3_enum.o v3_sxnet.o v3_cpols.o v3_crld.o v3_purp.o v3_info.o \
v3_akeya.o v3_pmaps.o v3_pcons.o v3_ncons.o v3_pcia.o v3_pci.o \
pcy_cache.o pcy_node.o pcy_data.o pcy_map.o pcy_tree.o pcy_lib.o \
v3_asid.o v3_addr.o v3_scts.o v3_tlsf.o
v3_asid.o v3_addr.o v3_tlsf.o
SRC= $(LIBSRC)

2
crypto/x509v3/build.info
View file

@ -5,4 +5,4 @@ SOURCE[../../libcrypto]=\
v3_int.c v3_enum.c v3_sxnet.c v3_cpols.c v3_crld.c v3_purp.c v3_info.c \
v3_akeya.c v3_pmaps.c v3_pcons.c v3_ncons.c v3_pcia.c v3_pci.c \
pcy_cache.c pcy_node.c pcy_data.c pcy_map.c pcy_tree.c pcy_lib.c \
v3_asid.c v3_addr.c v3_scts.c v3_tlsf.c
v3_asid.c v3_addr.c v3_tlsf.c

1
crypto/x509v3/v3_lib.c
View file

@ -154,6 +154,7 @@ static const X509V3_EXT_METHOD *standard_exts[] = {
#ifndef OPENSSL_NO_CT
&v3_ct_scts[0],
&v3_ct_scts[1],
&v3_ct_scts[2],
#endif
&v3_tls_feature,
};

299
crypto/x509v3/v3_scts.c
View file

@ -1,299 +0,0 @@
/*
* Written by Rob Stradling (rob@comodo.com) for the OpenSSL project 2014.
*/
/* ====================================================================
* Copyright (c) 2014 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* licensing@OpenSSL.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
#include <stdio.h>
#include "internal/cryptlib.h"
#include <openssl/asn1.h>
#include <openssl/x509v3.h>
#include "ext_dat.h"
#include "internal/ct_int.h"
#ifndef OPENSSL_NO_CT
/* Signature and hash algorithms from RFC 5246 */
#define TLSEXT_hash_sha256 4
#define TLSEXT_signature_rsa 1
#define TLSEXT_signature_ecdsa 3
#define n2s(c,s) ((s=(((unsigned int)(c[0]))<< 8)| \
(((unsigned int)(c[1])) )),c+=2)
#define n2l8(c,l) (l =((uint64_t)(*((c)++)))<<56, \
l|=((uint64_t)(*((c)++)))<<48, \
l|=((uint64_t)(*((c)++)))<<40, \
l|=((uint64_t)(*((c)++)))<<32, \
l|=((uint64_t)(*((c)++)))<<24, \
l|=((uint64_t)(*((c)++)))<<16, \
l|=((uint64_t)(*((c)++)))<< 8, \
l|=((uint64_t)(*((c)++))))
static void SCT_LIST_free(STACK_OF(SCT) *a);
static STACK_OF(SCT) *d2i_SCT_LIST(STACK_OF(SCT) **a,
const unsigned char **pp, long length);
static int i2r_SCT_LIST(X509V3_EXT_METHOD *method, STACK_OF(SCT) *sct_list,
BIO *out, int indent);
const X509V3_EXT_METHOD v3_ct_scts[] = {
{NID_ct_precert_scts, 0, NULL,
0, (X509V3_EXT_FREE)SCT_LIST_free,
(X509V3_EXT_D2I)d2i_SCT_LIST, 0,
0, 0, 0, 0,
(X509V3_EXT_I2R)i2r_SCT_LIST, 0,
NULL},
{NID_ct_cert_scts, 0, NULL,
0, (X509V3_EXT_FREE)SCT_LIST_free,
(X509V3_EXT_D2I)d2i_SCT_LIST, 0,
0, 0, 0, 0,
(X509V3_EXT_I2R)i2r_SCT_LIST, 0,
NULL},
};
static void tls12_signature_print(BIO *out, const unsigned char hash_alg,
const unsigned char sig_alg)
{
int nid = NID_undef;
/* RFC6962 only permits two signature algorithms */
if (hash_alg == TLSEXT_hash_sha256) {
if (sig_alg == TLSEXT_signature_rsa)
nid = NID_sha256WithRSAEncryption;
else if (sig_alg == TLSEXT_signature_ecdsa)
nid = NID_ecdsa_with_SHA256;
}
if (nid == NID_undef)
BIO_printf(out, "%02X%02X", hash_alg, sig_alg);
else
BIO_printf(out, "%s", OBJ_nid2ln(nid));
}
static void timestamp_print(BIO *out, uint64_t timestamp)
{
ASN1_GENERALIZEDTIME *gen;
char genstr[20];
gen = ASN1_GENERALIZEDTIME_new();
ASN1_GENERALIZEDTIME_adj(gen, (time_t)0,
(int)(timestamp / 86400000),
(timestamp % 86400000) / 1000);
/*
* Note GeneralizedTime from ASN1_GENERALIZETIME_adj is always 15
* characters long with a final Z. Update it with fractional seconds.
*/
BIO_snprintf(genstr, sizeof(genstr), "%.14s.%03dZ",
ASN1_STRING_data(gen), (unsigned int)(timestamp % 1000));
ASN1_GENERALIZEDTIME_set_string(gen, genstr);
ASN1_GENERALIZEDTIME_print(out, gen);
ASN1_GENERALIZEDTIME_free(gen);
}
static void SCT_LIST_free(STACK_OF(SCT) *a)
{
sk_SCT_pop_free(a, SCT_free);
}
static STACK_OF(SCT) *d2i_SCT_LIST(STACK_OF(SCT) **a,
const unsigned char **pp, long length)
{
ASN1_OCTET_STRING *oct = NULL;
STACK_OF(SCT) *sk = NULL;
SCT *sct;
unsigned char *p, *p2;
unsigned short listlen, sctlen = 0, fieldlen;
const unsigned char *q = *pp;
if (d2i_ASN1_OCTET_STRING(&oct, &q, length) == NULL)
return NULL;
if (oct->length < 2)
goto done;
p = oct->data;
n2s(p, listlen);
if (listlen != oct->length - 2)
goto done;
if ((sk = sk_SCT_new_null()) == NULL)
goto done;
while (listlen > 0) {
if (listlen < 2)
goto err;
n2s(p, sctlen);
listlen -= 2;
if ((sctlen < 1) || (sctlen > listlen))
goto err;
listlen -= sctlen;
sct = OPENSSL_malloc(sizeof(*sct));
if (sct == NULL)
goto err;
if (!sk_SCT_push(sk, sct)) {
OPENSSL_free(sct);
goto err;
}
sct->sct = OPENSSL_malloc(sctlen);
if (sct->sct == NULL)
goto err;
memcpy(sct->sct, p, sctlen);
sct->sct_len = sctlen;
p += sctlen;
p2 = sct->sct;
sct->version = *p2++;
if (sct->version == 0) { /* SCT v1 */
/*-
* Fixed-length header:
* struct {
* (1 byte) Version sct_version;
* (32 bytes) LogID id;
* (8 bytes) uint64 timestamp;
* (2 bytes + ?) CtExtensions extensions;
*/
if (sctlen < 43)
goto err;
sctlen -= 43;
sct->log_id = p2;
sct->log_id_len = 32;
p2 += 32;
n2l8(p2, sct->timestamp);
n2s(p2, fieldlen);
if (sctlen < fieldlen)
goto err;
sct->ext = p2;
sct->ext_len = fieldlen;
p2 += fieldlen;
sctlen -= fieldlen;
/*-
* digitally-signed struct header:
* (1 byte) Hash algorithm
* (1 byte) Signature algorithm
* (2 bytes + ?) Signature
*/
if (sctlen < 4)
goto err;
sctlen -= 4;
sct->hash_alg = *p2++;
sct->sig_alg = *p2++;
n2s(p2, fieldlen);
if (sctlen != fieldlen)
goto err;
sct->sig = p2;
sct->sig_len = fieldlen;
}
}
done:
ASN1_OCTET_STRING_free(oct);
*pp = q;
return sk;
err:
SCT_LIST_free(sk);
sk = NULL;
goto done;
}
static int i2r_SCT_LIST(X509V3_EXT_METHOD *method, STACK_OF(SCT) *sct_list,
BIO *out, int indent)
{
SCT *sct;
int i;
for (i = 0; i < sk_SCT_num(sct_list);) {
sct = sk_SCT_value(sct_list, i);
BIO_printf(out, "%*sSigned Certificate Timestamp:", indent, "");
BIO_printf(out, "\n%*sVersion : ", indent + 4, "");
if (sct->version == 0) { /* SCT v1 */
BIO_printf(out, "v1(0)");
BIO_printf(out, "\n%*sLog ID : ", indent + 4, "");
BIO_hex_string(out, indent + 16, 16, sct->log_id, sct->log_id_len);
BIO_printf(out, "\n%*sTimestamp : ", indent + 4, "");
timestamp_print(out, sct->timestamp);
BIO_printf(out, "\n%*sExtensions: ", indent + 4, "");
if (sct->ext_len == 0)
BIO_printf(out, "none");
else
BIO_hex_string(out, indent + 16, 16, sct->ext, sct->ext_len);
BIO_printf(out, "\n%*sSignature : ", indent + 4, "");
tls12_signature_print(out, sct->hash_alg, sct->sig_alg);
BIO_printf(out, "\n%*s ", indent + 4, "");
BIO_hex_string(out, indent + 16, 16, sct->sig, sct->sig_len);
} else { /* Unknown version */
BIO_printf(out, "unknown\n%*s", indent + 16, "");
BIO_hex_string(out, indent + 16, 16, sct->sct, sct->sct_len);
}
if (++i < sk_SCT_num(sct_list))
BIO_printf(out, "\n");
}
return 1;
}
#endif