GCC Code Coverage Report
Directory: ./ Exec Total Coverage
File: usr.bin/openssl/ts.c Lines: 261 393 66.4 %
Date: 2017-11-13 Branches: 172 395 43.5 %

Line Branch Exec Source
1
/* $OpenBSD: ts.c,v 1.14 2017/01/20 08:57:12 deraadt Exp $ */
2
/* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
3
 * project 2002.
4
 */
5
/* ====================================================================
6
 * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
7
 *
8
 * Redistribution and use in source and binary forms, with or without
9
 * modification, are permitted provided that the following conditions
10
 * are met:
11
 *
12
 * 1. Redistributions of source code must retain the above copyright
13
 *    notice, this list of conditions and the following disclaimer.
14
 *
15
 * 2. Redistributions in binary form must reproduce the above copyright
16
 *    notice, this list of conditions and the following disclaimer in
17
 *    the documentation and/or other materials provided with the
18
 *    distribution.
19
 *
20
 * 3. All advertising materials mentioning features or use of this
21
 *    software must display the following acknowledgment:
22
 *    "This product includes software developed by the OpenSSL Project
23
 *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24
 *
25
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26
 *    endorse or promote products derived from this software without
27
 *    prior written permission. For written permission, please contact
28
 *    licensing@OpenSSL.org.
29
 *
30
 * 5. Products derived from this software may not be called "OpenSSL"
31
 *    nor may "OpenSSL" appear in their names without prior written
32
 *    permission of the OpenSSL Project.
33
 *
34
 * 6. Redistributions of any form whatsoever must retain the following
35
 *    acknowledgment:
36
 *    "This product includes software developed by the OpenSSL Project
37
 *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38
 *
39
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
43
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50
 * OF THE POSSIBILITY OF SUCH DAMAGE.
51
 * ====================================================================
52
 *
53
 * This product includes cryptographic software written by Eric Young
54
 * (eay@cryptsoft.com).  This product includes software written by Tim
55
 * Hudson (tjh@cryptsoft.com).
56
 *
57
 */
58
59
#include <stdio.h>
60
#include <stdlib.h>
61
#include <string.h>
62
63
#include "apps.h"
64
65
#include <openssl/bio.h>
66
#include <openssl/bn.h>
67
#include <openssl/err.h>
68
#include <openssl/pem.h>
69
#include <openssl/ts.h>
70
71
/* Length of the nonce of the request in bits (must be a multiple of 8). */
72
#define	NONCE_LENGTH		64
73
74
/* Macro definitions for the configuration file. */
75
#define	ENV_OID_FILE		"oid_file"
76
77
/* Local function declarations. */
78
79
static ASN1_OBJECT *txt2obj(const char *oid);
80
static CONF *load_config_file(const char *configfile);
81
82
/* Query related functions. */
83
static int query_command(const char *data, char *digest,
84
    const EVP_MD * md, const char *policy, int no_nonce,
85
    int cert, const char *in, const char *out, int text);
86
static BIO *BIO_open_with_default(const char *file, const char *mode,
87
    FILE * default_fp);
88
static TS_REQ *create_query(BIO * data_bio, char *digest, const EVP_MD * md,
89
    const char *policy, int no_nonce, int cert);
90
static int create_digest(BIO * input, char *digest,
91
    const EVP_MD * md, unsigned char **md_value);
92
static ASN1_INTEGER *create_nonce(int bits);
93
94
/* Reply related functions. */
95
static int reply_command(CONF * conf, char *section,
96
    char *queryfile, char *passin, char *inkey,
97
    char *signer, char *chain, const char *policy,
98
    char *in, int token_in, char *out, int token_out,
99
    int text);
100
static TS_RESP *read_PKCS7(BIO * in_bio);
101
static TS_RESP *create_response(CONF * conf, const char *section,
102
    char *queryfile, char *passin, char *inkey,
103
    char *signer, char *chain, const char *policy);
104
static ASN1_INTEGER *serial_cb(TS_RESP_CTX * ctx, void *data);
105
static ASN1_INTEGER *next_serial(const char *serialfile);
106
static int save_ts_serial(const char *serialfile, ASN1_INTEGER * serial);
107
108
/* Verify related functions. */
109
static int verify_command(char *data, char *digest, char *queryfile,
110
    char *in, int token_in,
111
    char *ca_path, char *ca_file, char *untrusted);
112
static TS_VERIFY_CTX *create_verify_ctx(char *data, char *digest,
113
    char *queryfile,
114
    char *ca_path, char *ca_file,
115
    char *untrusted);
116
static X509_STORE *create_cert_store(char *ca_path, char *ca_file);
117
static int verify_cb(int ok, X509_STORE_CTX * ctx);
118
119
int
120
ts_main(int argc, char **argv)
121
{
122
	int ret = 1;
123
	char *configfile = NULL;
124
	char *section = NULL;
125
	CONF *conf = NULL;
126
	enum mode {
127
		CMD_NONE, CMD_QUERY, CMD_REPLY, CMD_VERIFY
128
	} mode = CMD_NONE;
129
	char *data = NULL;
130
	char *digest = NULL;
131
	const EVP_MD *md = NULL;
132
	char *policy = NULL;
133
	int no_nonce = 0;
134
	int cert = 0;
135
	char *in = NULL;
136
	char *out = NULL;
137
	int text = 0;
138
	char *queryfile = NULL;
139
	char *passin = NULL;	/* Password source. */
140
40
	char *password = NULL;	/* Password itself. */
141
	char *inkey = NULL;
142
	char *signer = NULL;
143
	char *chain = NULL;
144
	char *ca_path = NULL;
145
	char *ca_file = NULL;
146
	char *untrusted = NULL;
147
	/* Input is ContentInfo instead of TimeStampResp. */
148
	int token_in = 0;
149
	/* Output is ContentInfo instead of TimeStampResp. */
150
	int token_out = 0;
151
152
20
	if (single_execution) {
153
20
		if (pledge("stdio cpath wpath rpath tty flock", NULL) == -1) {
154
			perror("pledge");
155
			exit(1);
156
		}
157
	}
158
159
200
	for (argc--, argv++; argc > 0; argc--, argv++) {
160
84
		if (strcmp(*argv, "-config") == 0) {
161
			if (argc-- < 1)
162
				goto usage;
163
			configfile = *++argv;
164
84
		} else if (strcmp(*argv, "-section") == 0) {
165
			if (argc-- < 1)
166
				goto usage;
167
			section = *++argv;
168
84
		} else if (strcmp(*argv, "-query") == 0) {
169
8
			if (mode != CMD_NONE)
170
				goto usage;
171
			mode = CMD_QUERY;
172
84
		} else if (strcmp(*argv, "-data") == 0) {
173
4
			if (argc-- < 1)
174
				goto usage;
175
4
			data = *++argv;
176
76
		} else if (strcmp(*argv, "-digest") == 0) {
177
			if (argc-- < 1)
178
				goto usage;
179
			digest = *++argv;
180
72
		} else if (strcmp(*argv, "-policy") == 0) {
181
			if (argc-- < 1)
182
				goto usage;
183
			policy = *++argv;
184
72
		} else if (strcmp(*argv, "-no_nonce") == 0) {
185
			no_nonce = 1;
186
72
		} else if (strcmp(*argv, "-cert") == 0) {
187
			cert = 1;
188
68
		} else if (strcmp(*argv, "-in") == 0) {
189
8
			if (argc-- < 1)
190
				goto usage;
191
8
			in = *++argv;
192
68
		} else if (strcmp(*argv, "-token_in") == 0) {
193
			token_in = 1;
194
60
		} else if (strcmp(*argv, "-out") == 0) {
195
8
			if (argc-- < 1)
196
				goto usage;
197
8
			out = *++argv;
198
60
		} else if (strcmp(*argv, "-token_out") == 0) {
199
			token_out = 1;
200
52
		} else if (strcmp(*argv, "-text") == 0) {
201
			text = 1;
202
52
		} else if (strcmp(*argv, "-reply") == 0) {
203
4
			if (mode != CMD_NONE)
204
				goto usage;
205
			mode = CMD_REPLY;
206
48
		} else if (strcmp(*argv, "-queryfile") == 0) {
207
8
			if (argc-- < 1)
208
				goto usage;
209
8
			queryfile = *++argv;
210
44
		} else if (strcmp(*argv, "-passin") == 0) {
211
4
			if (argc-- < 1)
212
				goto usage;
213
4
			passin = *++argv;
214
36
		} else if (strcmp(*argv, "-inkey") == 0) {
215
4
			if (argc-- < 1)
216
				goto usage;
217
4
			inkey = *++argv;
218
32
		} else if (strcmp(*argv, "-signer") == 0) {
219
4
			if (argc-- < 1)
220
				goto usage;
221
4
			signer = *++argv;
222
28
		} else if (strcmp(*argv, "-chain") == 0) {
223
4
			if (argc-- < 1)
224
				goto usage;
225
4
			chain = *++argv;
226
24
		} else if (strcmp(*argv, "-verify") == 0) {
227
4
			if (mode != CMD_NONE)
228
				goto usage;
229
			mode = CMD_VERIFY;
230
20
		} else if (strcmp(*argv, "-CApath") == 0) {
231
			if (argc-- < 1)
232
				goto usage;
233
			ca_path = *++argv;
234
16
		} else if (strcmp(*argv, "-CAfile") == 0) {
235
4
			if (argc-- < 1)
236
				goto usage;
237
4
			ca_file = *++argv;
238
16
		} else if (strcmp(*argv, "-untrusted") == 0) {
239
4
			if (argc-- < 1)
240
				goto usage;
241
4
			untrusted = *++argv;
242
12
		} else if ((md = EVP_get_digestbyname(*argv + 1)) != NULL) {
243
			/* empty. */
244
		} else
245
			goto usage;
246
	}
247
248
	/* Get the password if required. */
249

20
	if (mode == CMD_REPLY && passin &&
250
4
	    !app_passwd(bio_err, passin, NULL, &password, NULL)) {
251
		BIO_printf(bio_err, "Error getting password.\n");
252
		goto cleanup;
253
	}
254
	/*
255
	 * Check consistency of parameters and execute the appropriate
256
	 * function.
257
	 */
258

32
	switch (mode) {
259
	case CMD_NONE:
260
		goto usage;
261
	case CMD_QUERY:
262
		/*
263
		 * Data file and message imprint cannot be specified at the
264
		 * same time.
265
		 */
266
8
		ret = data != NULL && digest != NULL;
267
8
		if (ret)
268
			goto usage;
269
		/* Load the config file for possible policy OIDs. */
270
8
		conf = load_config_file(configfile);
271
8
		ret = !query_command(data, digest, md, policy, no_nonce, cert,
272
		    in, out, text);
273
8
		break;
274
	case CMD_REPLY:
275
4
		conf = load_config_file(configfile);
276
4
		if (in == NULL) {
277
12
			ret = !(queryfile != NULL && conf != NULL && !token_in);
278
4
			if (ret)
279
				goto usage;
280
		} else {
281
			/* 'in' and 'queryfile' are exclusive. */
282
			ret = !(queryfile == NULL);
283
			if (ret)
284
				goto usage;
285
		}
286
287
4
		ret = !reply_command(conf, section, queryfile,
288
4
		    password, inkey, signer, chain, policy,
289
		    in, token_in, out, token_out, text);
290
4
		break;
291
	case CMD_VERIFY:
292
8
		ret = !(((queryfile && !data && !digest) ||
293
		    (!queryfile && data && !digest) ||
294
4
		    (!queryfile && !data && digest)) && in != NULL);
295
4
		if (ret)
296
			goto usage;
297
298
4
		ret = !verify_command(data, digest, queryfile, in, token_in,
299
		    ca_path, ca_file, untrusted);
300
4
	}
301
302
	goto cleanup;
303
304
usage:
305
4
	BIO_printf(bio_err, "usage:\n"
306
	    "ts -query [-config configfile] "
307
	    "[-data file_to_hash] [-digest digest_bytes]"
308
	    "[-md4|-md5|-sha1|-ripemd160] "
309
	    "[-policy object_id] [-no_nonce] [-cert] "
310
	    "[-in request.tsq] [-out request.tsq] [-text]\n");
311
4
	BIO_printf(bio_err, "or\n"
312
	    "ts -reply [-config configfile] [-section tsa_section] "
313
	    "[-queryfile request.tsq] [-passin password] "
314
	    "[-signer tsa_cert.pem] [-inkey private_key.pem] "
315
	    "[-chain certs_file.pem] [-policy object_id] "
316
	    "[-in response.tsr] [-token_in] "
317
	    "[-out response.tsr] [-token_out] [-text]\n");
318
4
	BIO_printf(bio_err, "or\n"
319
	    "ts -verify [-data file_to_hash] [-digest digest_bytes] "
320
	    "[-queryfile request.tsq] "
321
	    "-in response.tsr [-token_in] "
322
	    "-CApath ca_path -CAfile ca_file.pem "
323
	    "-untrusted cert_file.pem\n");
324
325
cleanup:
326
	/* Clean up. */
327
20
	NCONF_free(conf);
328
20
	free(password);
329
20
	OBJ_cleanup();
330
331
20
	return (ret);
332
20
}
333
334
/*
335
 * Configuration file-related function definitions.
336
 */
337
338
static ASN1_OBJECT *
339
txt2obj(const char *oid)
340
{
341
	ASN1_OBJECT *oid_obj = NULL;
342
343
	if (!(oid_obj = OBJ_txt2obj(oid, 0)))
344
		BIO_printf(bio_err, "cannot convert %s to OID\n", oid);
345
346
	return oid_obj;
347
}
348
349
static CONF *
350
load_config_file(const char *configfile)
351
{
352
	CONF *conf = NULL;
353
24
	long errorline = -1;
354
355
12
	if (!configfile)
356
12
		configfile = getenv("OPENSSL_CONF");
357
358

24
	if (configfile &&
359
12
	    (!(conf = NCONF_new(NULL)) ||
360
12
	    NCONF_load(conf, configfile, &errorline) <= 0)) {
361
		if (errorline <= 0)
362
			BIO_printf(bio_err, "error loading the config file "
363
			    "'%s'\n", configfile);
364
		else
365
			BIO_printf(bio_err, "error on line %ld of config file "
366
			    "'%s'\n", errorline, configfile);
367
	}
368
12
	if (conf != NULL) {
369
		const char *p;
370
371
12
		BIO_printf(bio_err, "Using configuration from %s\n",
372
		    configfile);
373
12
		p = NCONF_get_string(conf, NULL, ENV_OID_FILE);
374
12
		if (p != NULL) {
375
			BIO *oid_bio = BIO_new_file(p, "r");
376
			if (!oid_bio)
377
				ERR_print_errors(bio_err);
378
			else {
379
				OBJ_create_objects(oid_bio);
380
				BIO_free_all(oid_bio);
381
			}
382
		} else
383
12
			ERR_clear_error();
384
12
		if (!add_oid_section(bio_err, conf))
385
			ERR_print_errors(bio_err);
386
12
	}
387
12
	return conf;
388
12
}
389
390
/*
391
 * Query-related method definitions.
392
 */
393
394
static int
395
query_command(const char *data, char *digest, const EVP_MD * md,
396
    const char *policy, int no_nonce, int cert, const char *in,
397
    const char *out, int text)
398
{
399
	int ret = 0;
400
	TS_REQ *query = NULL;
401
	BIO *in_bio = NULL;
402
	BIO *data_bio = NULL;
403
	BIO *out_bio = NULL;
404
405
	/* Build query object either from file or from scratch. */
406
16
	if (in != NULL) {
407
4
		if ((in_bio = BIO_new_file(in, "rb")) == NULL)
408
			goto end;
409
4
		query = d2i_TS_REQ_bio(in_bio, NULL);
410
4
	} else {
411
		/* Open the file if no explicit digest bytes were specified. */
412

8
		if (!digest &&
413
4
		    !(data_bio = BIO_open_with_default(data, "rb", stdin)))
414
			goto end;
415
		/* Creating the query object. */
416
4
		query = create_query(data_bio, digest, md,
417
		    policy, no_nonce, cert);
418
		/* Saving the random number generator state. */
419
	}
420
8
	if (query == NULL)
421
		goto end;
422
423
	/* Write query either in ASN.1 or in text format. */
424
8
	if ((out_bio = BIO_open_with_default(out, "wb", stdout)) == NULL)
425
		goto end;
426
8
	if (text) {
427
		/* Text output. */
428
4
		if (!TS_REQ_print_bio(out_bio, query))
429
			goto end;
430
	} else {
431
		/* ASN.1 output. */
432
4
		if (!i2d_TS_REQ_bio(out_bio, query))
433
			goto end;
434
	}
435
436
8
	ret = 1;
437
438
end:
439
8
	ERR_print_errors(bio_err);
440
441
	/* Clean up. */
442
8
	BIO_free_all(in_bio);
443
8
	BIO_free_all(data_bio);
444
8
	BIO_free_all(out_bio);
445
8
	TS_REQ_free(query);
446
447
8
	return ret;
448
}
449
450
static BIO *
451
BIO_open_with_default(const char *file, const char *mode, FILE * default_fp)
452
{
453
64
	return file == NULL ? BIO_new_fp(default_fp, BIO_NOCLOSE) :
454
12
	    BIO_new_file(file, mode);
455
}
456
457
static TS_REQ *
458
create_query(BIO * data_bio, char *digest, const EVP_MD * md,
459
    const char *policy, int no_nonce, int cert)
460
{
461
	int ret = 0;
462
	TS_REQ *ts_req = NULL;
463
	int len;
464
	TS_MSG_IMPRINT *msg_imprint = NULL;
465
	X509_ALGOR *algo = NULL;
466
8
	unsigned char *data = NULL;
467
	ASN1_OBJECT *policy_obj = NULL;
468
	ASN1_INTEGER *nonce_asn1 = NULL;
469
470
	/* Setting default message digest. */
471

4
	if (!md && !(md = EVP_get_digestbyname("sha1")))
472
		goto err;
473
474
	/* Creating request object. */
475
4
	if (!(ts_req = TS_REQ_new()))
476
		goto err;
477
478
	/* Setting version. */
479
4
	if (!TS_REQ_set_version(ts_req, 1))
480
		goto err;
481
482
	/* Creating and adding MSG_IMPRINT object. */
483
4
	if (!(msg_imprint = TS_MSG_IMPRINT_new()))
484
		goto err;
485
486
	/* Adding algorithm. */
487
4
	if (!(algo = X509_ALGOR_new()))
488
		goto err;
489
4
	if (!(algo->algorithm = OBJ_nid2obj(EVP_MD_type(md))))
490
		goto err;
491
4
	if (!(algo->parameter = ASN1_TYPE_new()))
492
		goto err;
493
4
	algo->parameter->type = V_ASN1_NULL;
494
4
	if (!TS_MSG_IMPRINT_set_algo(msg_imprint, algo))
495
		goto err;
496
497
	/* Adding message digest. */
498
4
	if ((len = create_digest(data_bio, digest, md, &data)) == 0)
499
		goto err;
500
4
	if (!TS_MSG_IMPRINT_set_msg(msg_imprint, data, len))
501
		goto err;
502
503
4
	if (!TS_REQ_set_msg_imprint(ts_req, msg_imprint))
504
		goto err;
505
506
	/* Setting policy if requested. */
507

4
	if (policy && !(policy_obj = txt2obj(policy)))
508
		goto err;
509

4
	if (policy_obj && !TS_REQ_set_policy_id(ts_req, policy_obj))
510
		goto err;
511
512
	/* Setting nonce if requested. */
513

4
	if (!no_nonce && !(nonce_asn1 = create_nonce(NONCE_LENGTH)))
514
		goto err;
515

4
	if (nonce_asn1 && !TS_REQ_set_nonce(ts_req, nonce_asn1))
516
		goto err;
517
518
	/* Setting certificate request flag if requested. */
519
4
	if (!TS_REQ_set_cert_req(ts_req, cert))
520
		goto err;
521
522
4
	ret = 1;
523
524
err:
525
4
	if (!ret) {
526
		TS_REQ_free(ts_req);
527
		ts_req = NULL;
528
		BIO_printf(bio_err, "could not create query\n");
529
	}
530
4
	TS_MSG_IMPRINT_free(msg_imprint);
531
4
	X509_ALGOR_free(algo);
532
4
	free(data);
533
4
	ASN1_OBJECT_free(policy_obj);
534
4
	ASN1_INTEGER_free(nonce_asn1);
535
536
4
	return ts_req;
537
4
}
538
539
static int
540
create_digest(BIO * input, char *digest, const EVP_MD * md,
541
    unsigned char **md_value)
542
{
543
	int md_value_len;
544
545
8
	md_value_len = EVP_MD_size(md);
546
4
	if (md_value_len < 0)
547
		goto err;
548
4
	if (input) {
549
		/* Digest must be computed from an input file. */
550
4
		EVP_MD_CTX md_ctx;
551
4
		unsigned char buffer[4096];
552
		int length;
553
554
4
		*md_value = malloc(md_value_len);
555
4
		if (*md_value == 0)
556
			goto err;
557
558
4
		EVP_DigestInit(&md_ctx, md);
559
16
		while ((length = BIO_read(input, buffer, sizeof(buffer))) > 0) {
560
4
			EVP_DigestUpdate(&md_ctx, buffer, length);
561
		}
562
4
		EVP_DigestFinal(&md_ctx, *md_value, NULL);
563
12
	} else {
564
		/* Digest bytes are specified with digest. */
565
		long digest_len;
566
		*md_value = string_to_hex(digest, &digest_len);
567
		if (!*md_value || md_value_len != digest_len) {
568
			free(*md_value);
569
			*md_value = NULL;
570
			BIO_printf(bio_err, "bad digest, %d bytes "
571
			    "must be specified\n", md_value_len);
572
			goto err;
573
		}
574
	}
575
576
4
	return md_value_len;
577
err:
578
	return 0;
579
4
}
580
581
static ASN1_INTEGER *
582
create_nonce(int bits)
583
{
584
	unsigned char buf[20];
585
	ASN1_INTEGER *nonce = NULL;
586
	int len = (bits - 1) / 8 + 1;
587
	int i;
588
589
	/* Generating random byte sequence. */
590
	if (len > (int) sizeof(buf))
591
		goto err;
592
	arc4random_buf(buf, len);
593
594
	/* Find the first non-zero byte and creating ASN1_INTEGER object. */
595
	for (i = 0; i < len && !buf[i]; ++i)
596
		;
597
	if (!(nonce = ASN1_INTEGER_new()))
598
		goto err;
599
	free(nonce->data);
600
	/* Allocate at least one byte. */
601
	nonce->length = len - i;
602
	if (!(nonce->data = malloc(nonce->length + 1)))
603
		goto err;
604
	memcpy(nonce->data, buf + i, nonce->length);
605
606
	return nonce;
607
608
err:
609
	BIO_printf(bio_err, "could not create nonce\n");
610
	ASN1_INTEGER_free(nonce);
611
	return NULL;
612
}
613
/*
614
 * Reply-related method definitions.
615
 */
616
617
static int
618
reply_command(CONF * conf, char *section, char *queryfile,
619
    char *passin, char *inkey, char *signer, char *chain, const char *policy,
620
    char *in, int token_in, char *out, int token_out, int text)
621
{
622
	int ret = 0;
623
	TS_RESP *response = NULL;
624
	BIO *in_bio = NULL;
625
	BIO *query_bio = NULL;
626
	BIO *inkey_bio = NULL;
627
	BIO *signer_bio = NULL;
628
	BIO *out_bio = NULL;
629
630
	/* Build response object either from response or query. */
631
8
	if (in != NULL) {
632
		if ((in_bio = BIO_new_file(in, "rb")) == NULL)
633
			goto end;
634
		if (token_in) {
635
			/*
636
			 * We have a ContentInfo (PKCS7) object, add
637
			 * 'granted' status info around it.
638
			 */
639
			response = read_PKCS7(in_bio);
640
		} else {
641
			/* We have a ready-made TS_RESP object. */
642
			response = d2i_TS_RESP_bio(in_bio, NULL);
643
		}
644
	} else {
645
4
		response = create_response(conf, section, queryfile,
646
		    passin, inkey, signer, chain,
647
		    policy);
648
4
		if (response)
649
4
			BIO_printf(bio_err, "Response has been generated.\n");
650
		else
651
			BIO_printf(bio_err, "Response is not generated.\n");
652
	}
653
4
	if (response == NULL)
654
		goto end;
655
656
	/* Write response either in ASN.1 or text format. */
657
4
	if ((out_bio = BIO_open_with_default(out, "wb", stdout)) == NULL)
658
		goto end;
659
4
	if (text) {
660
		/* Text output. */
661
		if (token_out) {
662
			TS_TST_INFO *tst_info = TS_RESP_get_tst_info(response);
663
			if (!TS_TST_INFO_print_bio(out_bio, tst_info))
664
				goto end;
665
		} else {
666
			if (!TS_RESP_print_bio(out_bio, response))
667
				goto end;
668
		}
669
	} else {
670
		/* ASN.1 DER output. */
671
4
		if (token_out) {
672
			PKCS7 *token = TS_RESP_get_token(response);
673
			if (!i2d_PKCS7_bio(out_bio, token))
674
				goto end;
675
		} else {
676
4
			if (!i2d_TS_RESP_bio(out_bio, response))
677
				goto end;
678
		}
679
	}
680
681
4
	ret = 1;
682
683
end:
684
4
	ERR_print_errors(bio_err);
685
686
	/* Clean up. */
687
4
	BIO_free_all(in_bio);
688
4
	BIO_free_all(query_bio);
689
4
	BIO_free_all(inkey_bio);
690
4
	BIO_free_all(signer_bio);
691
4
	BIO_free_all(out_bio);
692
4
	TS_RESP_free(response);
693
694
4
	return ret;
695
4
}
696
697
/* Reads a PKCS7 token and adds default 'granted' status info to it. */
698
static TS_RESP *
699
read_PKCS7(BIO * in_bio)
700
{
701
	int ret = 0;
702
	PKCS7 *token = NULL;
703
	TS_TST_INFO *tst_info = NULL;
704
	TS_RESP *resp = NULL;
705
	TS_STATUS_INFO *si = NULL;
706
707
	/* Read PKCS7 object and extract the signed time stamp info. */
708
	if (!(token = d2i_PKCS7_bio(in_bio, NULL)))
709
		goto end;
710
	if (!(tst_info = PKCS7_to_TS_TST_INFO(token)))
711
		goto end;
712
713
	/* Creating response object. */
714
	if (!(resp = TS_RESP_new()))
715
		goto end;
716
717
	/* Create granted status info. */
718
	if (!(si = TS_STATUS_INFO_new()))
719
		goto end;
720
	if (!(ASN1_INTEGER_set(si->status, TS_STATUS_GRANTED)))
721
		goto end;
722
	if (!TS_RESP_set_status_info(resp, si))
723
		goto end;
724
725
	/* Setting encapsulated token. */
726
	TS_RESP_set_tst_info(resp, token, tst_info);
727
	token = NULL;		/* Ownership is lost. */
728
	tst_info = NULL;	/* Ownership is lost. */
729
730
	ret = 1;
731
end:
732
	PKCS7_free(token);
733
	TS_TST_INFO_free(tst_info);
734
	if (!ret) {
735
		TS_RESP_free(resp);
736
		resp = NULL;
737
	}
738
	TS_STATUS_INFO_free(si);
739
	return resp;
740
}
741
742
static TS_RESP *
743
create_response(CONF * conf, const char *section,
744
    char *queryfile, char *passin, char *inkey,
745
    char *signer, char *chain, const char *policy)
746
{
747
	int ret = 0;
748
	TS_RESP *response = NULL;
749
	BIO *query_bio = NULL;
750
	TS_RESP_CTX *resp_ctx = NULL;
751
752
8
	if (!(query_bio = BIO_new_file(queryfile, "rb")))
753
		goto end;
754
755
	/* Getting TSA configuration section. */
756
4
	if (!(section = TS_CONF_get_tsa_section(conf, section)))
757
		goto end;
758
759
	/* Setting up response generation context. */
760
4
	if (!(resp_ctx = TS_RESP_CTX_new()))
761
		goto end;
762
763
	/* Setting serial number provider callback. */
764
4
	if (!TS_CONF_set_serial(conf, section, serial_cb, resp_ctx))
765
		goto end;
766
767
	/* Setting TSA signer certificate. */
768
4
	if (!TS_CONF_set_signer_cert(conf, section, signer, resp_ctx))
769
		goto end;
770
771
	/* Setting TSA signer certificate chain. */
772
4
	if (!TS_CONF_set_certs(conf, section, chain, resp_ctx))
773
		goto end;
774
775
	/* Setting TSA signer private key. */
776
4
	if (!TS_CONF_set_signer_key(conf, section, inkey, passin, resp_ctx))
777
		goto end;
778
779
	/* Setting default policy OID. */
780
4
	if (!TS_CONF_set_def_policy(conf, section, policy, resp_ctx))
781
		goto end;
782
783
	/* Setting acceptable policy OIDs. */
784
4
	if (!TS_CONF_set_policies(conf, section, resp_ctx))
785
		goto end;
786
787
	/* Setting the acceptable one-way hash algorithms. */
788
4
	if (!TS_CONF_set_digests(conf, section, resp_ctx))
789
		goto end;
790
791
	/* Setting guaranteed time stamp accuracy. */
792
4
	if (!TS_CONF_set_accuracy(conf, section, resp_ctx))
793
		goto end;
794
795
	/* Setting the precision of the time. */
796
4
	if (!TS_CONF_set_clock_precision_digits(conf, section, resp_ctx))
797
		goto end;
798
799
	/* Setting the ordering flaf if requested. */
800
4
	if (!TS_CONF_set_ordering(conf, section, resp_ctx))
801
		goto end;
802
803
	/* Setting the TSA name required flag if requested. */
804
4
	if (!TS_CONF_set_tsa_name(conf, section, resp_ctx))
805
		goto end;
806
807
	/* Setting the ESS cert id chain flag if requested. */
808
4
	if (!TS_CONF_set_ess_cert_id_chain(conf, section, resp_ctx))
809
		goto end;
810
811
	/* Creating the response. */
812
4
	if (!(response = TS_RESP_create_response(resp_ctx, query_bio)))
813
		goto end;
814
815
4
	ret = 1;
816
end:
817
4
	if (!ret) {
818
		TS_RESP_free(response);
819
		response = NULL;
820
	}
821
4
	TS_RESP_CTX_free(resp_ctx);
822
4
	BIO_free_all(query_bio);
823
824
4
	return response;
825
}
826
827
static ASN1_INTEGER *
828
serial_cb(TS_RESP_CTX * ctx, void *data)
829
{
830
	const char *serial_file = (const char *) data;
831
8
	ASN1_INTEGER *serial = next_serial(serial_file);
832
833
4
	if (!serial) {
834
		TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
835
		    "Error during serial number "
836
		    "generation.");
837
		TS_RESP_CTX_add_failure_info(ctx,
838
		    TS_INFO_ADD_INFO_NOT_AVAILABLE);
839
	} else
840
4
		save_ts_serial(serial_file, serial);
841
842
4
	return serial;
843
}
844
845
static ASN1_INTEGER *
846
next_serial(const char *serialfile)
847
{
848
	int ret = 0;
849
	BIO *in = NULL;
850
	ASN1_INTEGER *serial = NULL;
851
	BIGNUM *bn = NULL;
852
853
8
	if (!(serial = ASN1_INTEGER_new()))
854
		goto err;
855
856
4
	if (!(in = BIO_new_file(serialfile, "r"))) {
857
		ERR_clear_error();
858
		BIO_printf(bio_err, "Warning: could not open file %s for "
859
		    "reading, using serial number: 1\n", serialfile);
860
		if (!ASN1_INTEGER_set(serial, 1))
861
			goto err;
862
	} else {
863
4
		char buf[1024];
864
4
		if (!a2i_ASN1_INTEGER(in, serial, buf, sizeof(buf))) {
865
			BIO_printf(bio_err, "unable to load number from %s\n",
866
			    serialfile);
867
			goto err;
868
		}
869
4
		if (!(bn = ASN1_INTEGER_to_BN(serial, NULL)))
870
			goto err;
871
4
		ASN1_INTEGER_free(serial);
872
		serial = NULL;
873
4
		if (!BN_add_word(bn, 1))
874
			goto err;
875
4
		if (!(serial = BN_to_ASN1_INTEGER(bn, NULL)))
876
			goto err;
877
16
	}
878
4
	ret = 1;
879
err:
880
4
	if (!ret) {
881
		ASN1_INTEGER_free(serial);
882
		serial = NULL;
883
	}
884
4
	BIO_free_all(in);
885
4
	BN_free(bn);
886
4
	return serial;
887
4
}
888
889
static int
890
save_ts_serial(const char *serialfile, ASN1_INTEGER * serial)
891
{
892
	int ret = 0;
893
	BIO *out = NULL;
894
895
8
	if (!(out = BIO_new_file(serialfile, "w")))
896
		goto err;
897
4
	if (i2a_ASN1_INTEGER(out, serial) <= 0)
898
		goto err;
899
4
	if (BIO_puts(out, "\n") <= 0)
900
		goto err;
901
4
	ret = 1;
902
err:
903
4
	if (!ret)
904
		BIO_printf(bio_err, "could not save serial number to %s\n",
905
		    serialfile);
906
4
	BIO_free_all(out);
907
4
	return ret;
908
}
909
910
/*
911
 * Verify-related method definitions.
912
 */
913
914
static int
915
verify_command(char *data, char *digest, char *queryfile, char *in,
916
    int token_in, char *ca_path, char *ca_file, char *untrusted)
917
{
918
	BIO *in_bio = NULL;
919
	PKCS7 *token = NULL;
920
	TS_RESP *response = NULL;
921
	TS_VERIFY_CTX *verify_ctx = NULL;
922
	int ret = 0;
923
924
	/* Decode the token (PKCS7) or response (TS_RESP) files. */
925
8
	if (!(in_bio = BIO_new_file(in, "rb")))
926
		goto end;
927
4
	if (token_in) {
928
		if (!(token = d2i_PKCS7_bio(in_bio, NULL)))
929
			goto end;
930
	} else {
931
4
		if (!(response = d2i_TS_RESP_bio(in_bio, NULL)))
932
			goto end;
933
	}
934
935
4
	if (!(verify_ctx = create_verify_ctx(data, digest, queryfile,
936
	    ca_path, ca_file, untrusted)))
937
		goto end;
938
939
	/* Checking the token or response against the request. */
940
12
	ret = token_in ?
941
	    TS_RESP_verify_token(verify_ctx, token) :
942
4
	    TS_RESP_verify_response(verify_ctx, response);
943
944
end:
945
4
	printf("Verification: ");
946
4
	if (ret)
947
4
		printf("OK\n");
948
	else {
949
		printf("FAILED\n");
950
		/* Print errors, if there are any. */
951
		ERR_print_errors(bio_err);
952
	}
953
954
	/* Clean up. */
955
4
	BIO_free_all(in_bio);
956
4
	PKCS7_free(token);
957
4
	TS_RESP_free(response);
958
4
	TS_VERIFY_CTX_free(verify_ctx);
959
4
	return ret;
960
}
961
962
static TS_VERIFY_CTX *
963
create_verify_ctx(char *data, char *digest, char *queryfile, char *ca_path,
964
    char *ca_file, char *untrusted)
965
{
966
	TS_VERIFY_CTX *ctx = NULL;
967
	BIO *input = NULL;
968
	TS_REQ *request = NULL;
969
	int ret = 0;
970
971
8
	if (data != NULL || digest != NULL) {
972
		if (!(ctx = TS_VERIFY_CTX_new()))
973
			goto err;
974
		ctx->flags = TS_VFY_VERSION | TS_VFY_SIGNER;
975
		if (data != NULL) {
976
			ctx->flags |= TS_VFY_DATA;
977
			if (!(ctx->data = BIO_new_file(data, "rb")))
978
				goto err;
979
		} else if (digest != NULL) {
980
			long imprint_len;
981
			ctx->flags |= TS_VFY_IMPRINT;
982
			if (!(ctx->imprint = string_to_hex(digest,
983
				    &imprint_len))) {
984
				BIO_printf(bio_err, "invalid digest string\n");
985
				goto err;
986
			}
987
			ctx->imprint_len = imprint_len;
988
		}
989
4
	} else if (queryfile != NULL) {
990
		/*
991
		 * The request has just to be read, decoded and converted to
992
		 * a verify context object.
993
		 */
994
4
		if (!(input = BIO_new_file(queryfile, "rb")))
995
			goto err;
996
4
		if (!(request = d2i_TS_REQ_bio(input, NULL)))
997
			goto err;
998
4
		if (!(ctx = TS_REQ_to_TS_VERIFY_CTX(request, NULL)))
999
			goto err;
1000
	} else
1001
		return NULL;
1002
1003
	/* Add the signature verification flag and arguments. */
1004
4
	ctx->flags |= TS_VFY_SIGNATURE;
1005
1006
	/* Initialising the X509_STORE object. */
1007
4
	if (!(ctx->store = create_cert_store(ca_path, ca_file)))
1008
		goto err;
1009
1010
	/* Loading untrusted certificates. */
1011

8
	if (untrusted && !(ctx->certs = TS_CONF_load_certs(untrusted)))
1012
		goto err;
1013
1014
4
	ret = 1;
1015
err:
1016
4
	if (!ret) {
1017
		TS_VERIFY_CTX_free(ctx);
1018
		ctx = NULL;
1019
	}
1020
4
	BIO_free_all(input);
1021
4
	TS_REQ_free(request);
1022
4
	return ctx;
1023
4
}
1024
1025
static X509_STORE *
1026
create_cert_store(char *ca_path, char *ca_file)
1027
{
1028
	X509_STORE *cert_ctx = NULL;
1029
	X509_LOOKUP *lookup = NULL;
1030
	int i;
1031
1032
	/* Creating the X509_STORE object. */
1033
8
	cert_ctx = X509_STORE_new();
1034
1035
	/* Setting the callback for certificate chain verification. */
1036
4
	X509_STORE_set_verify_cb(cert_ctx, verify_cb);
1037
1038
	/* Adding a trusted certificate directory source. */
1039
4
	if (ca_path) {
1040
		lookup = X509_STORE_add_lookup(cert_ctx,
1041
		    X509_LOOKUP_hash_dir());
1042
		if (lookup == NULL) {
1043
			BIO_printf(bio_err, "memory allocation failure\n");
1044
			goto err;
1045
		}
1046
		i = X509_LOOKUP_add_dir(lookup, ca_path, X509_FILETYPE_PEM);
1047
		if (!i) {
1048
			BIO_printf(bio_err, "Error loading directory %s\n",
1049
			    ca_path);
1050
			goto err;
1051
		}
1052
	}
1053
	/* Adding a trusted certificate file source. */
1054
4
	if (ca_file) {
1055
4
		lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_file());
1056
4
		if (lookup == NULL) {
1057
			BIO_printf(bio_err, "memory allocation failure\n");
1058
			goto err;
1059
		}
1060
4
		i = X509_LOOKUP_load_file(lookup, ca_file, X509_FILETYPE_PEM);
1061
4
		if (!i) {
1062
			BIO_printf(bio_err, "Error loading file %s\n", ca_file);
1063
			goto err;
1064
		}
1065
	}
1066
4
	return cert_ctx;
1067
err:
1068
	X509_STORE_free(cert_ctx);
1069
	return NULL;
1070
4
}
1071
1072
static int
1073
verify_cb(int ok, X509_STORE_CTX * ctx)
1074
{
1075
	/*
1076
	char buf[256];
1077
1078
	if (!ok)
1079
		{
1080
		X509_NAME_oneline(X509_get_subject_name(ctx->current_cert),
1081
				  buf, sizeof(buf));
1082
		printf("%s\n", buf);
1083
		printf("error %d at %d depth lookup: %s\n",
1084
		       ctx->error, ctx->error_depth,
1085
			X509_verify_cert_error_string(ctx->error));
1086
		}
1087
	*/
1088
1089
16
	return ok;
1090
}