]> granicus.if.org Git - openssl/commitdiff
add suite B chain validation flags and associated verify errors
authorDr. Stephen Henson <steve@openssl.org>
Wed, 26 Dec 2012 16:01:31 +0000 (16:01 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Wed, 26 Dec 2012 16:01:31 +0000 (16:01 +0000)
(backport from HEAD)

CHANGES
crypto/x509/x509.h
crypto/x509/x509_cmp.c
crypto/x509/x509_txt.c
crypto/x509/x509_vfy.c
crypto/x509/x509_vfy.h

diff --git a/CHANGES b/CHANGES
index 08a67fbd1b48289ccb8c256d3ebfc92b4cad23f8..dafce7715ab336d88002a71db8d6f9f35c96799e 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -8,6 +8,10 @@
      OID NID.
      [Steve Henson]
 
+  *) New chain verification flags for Suite B levels of security. Check
+     algorithms are acceptable when flags are set in X509_verify_cert.
+     [Steve Henson]
+
   *) Make tls1_check_chain return a set of flags indicating checks passed
      by a certificate chain. Add additional tests to handle client
      certificates: checks for matching certificate type and issuer name
index ea310b4e80bdef6e85b05f5dd0104bf5df6ce413..191f5ab6a60cdbbaba1a923a001c3d2a7584dbd0 100644 (file)
@@ -965,6 +965,11 @@ int X509_REVOKED_set_revocationDate(X509_REVOKED *r, ASN1_TIME *tm);
 int            X509_REQ_check_private_key(X509_REQ *x509,EVP_PKEY *pkey);
 
 int            X509_check_private_key(X509 *x509,EVP_PKEY *pkey);
+int            X509_chain_check_suiteb(int *perror_depth,
+                                               X509 *x, STACK_OF(X509) *chain,
+                                               unsigned long flags);
+int            X509_CRL_check_suiteb(X509_CRL *crl, EVP_PKEY *pk,
+                                               unsigned long flags);
 
 int            X509_issuer_and_serial_cmp(const X509 *a, const X509 *b);
 unsigned long  X509_issuer_and_serial_hash(X509 *a);
index 352aa374343b930eab79549ea35922350654c946..4f18a1bcdd8d9d6c7545e7113e593c01b23d1639 100644 (file)
@@ -341,3 +341,127 @@ int X509_check_private_key(X509 *x, EVP_PKEY *k)
                return 1;
        return 0;
        }
+
+/* Check a suite B algorithm is permitted: pass in a public key and
+ * the NID of its signature (or 0 if no signature). The pflags is
+ * a pointer to a flags field which must contain the suite B verification
+ * flags.
+ */
+
+static int check_suite_b(EVP_PKEY *pkey, int sign_nid, unsigned long *pflags)
+       {
+       const EC_GROUP *grp = NULL;
+       int curve_nid;
+       if (pkey && pkey->type == EVP_PKEY_EC)
+               grp = EC_KEY_get0_group(pkey->pkey.ec);
+       if (!grp)
+               return X509_V_ERR_SUITE_B_INVALID_ALGORITHM;
+       curve_nid = EC_GROUP_get_curve_name(grp);
+       /* Check curve is consistent with LOS */
+       if (curve_nid == NID_secp384r1) /* P-384 */
+               {
+               /* Check signature algorithm is consistent with
+                * curve.
+                */
+               if (sign_nid != -1 && sign_nid != NID_ecdsa_with_SHA384)
+                       return X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM;
+               if (!(*pflags & X509_V_FLAG_SUITEB_192_LOS))
+                       return X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED;
+               /* If we encounter P-384 we cannot use P-256 later */
+               *pflags &= ~X509_V_FLAG_SUITEB_128_LOS_ONLY;
+               }
+       else if (curve_nid == NID_X9_62_prime256v1) /* P-256 */
+               {
+               if (sign_nid != -1 && sign_nid != NID_ecdsa_with_SHA256)
+                       return X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM;
+               if (!(*pflags & X509_V_FLAG_SUITEB_128_LOS_ONLY))
+                       return X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED;
+               }
+       else
+               return X509_V_ERR_SUITE_B_INVALID_CURVE;
+
+       return X509_V_OK;
+       }
+
+int X509_chain_check_suiteb(int *perror_depth, X509 *x, STACK_OF(X509) *chain,
+                                                       unsigned long flags)
+       {
+       int rv, i, sign_nid;
+       EVP_PKEY *pk = NULL;
+       unsigned long tflags;
+       if (!(flags & X509_V_FLAG_SUITEB_128_LOS))
+               return X509_V_OK;
+       tflags = flags;
+       /* If no EE certificate passed in must be first in chain */
+       if (x == NULL)
+               {
+               x = sk_X509_value(chain, 0);
+               i = 1;
+               }
+       else
+               i = 0;
+
+       if (X509_get_version(x) != 2)
+               {
+               rv = X509_V_ERR_SUITE_B_INVALID_VERSION;
+               /* Correct error depth */
+               i = 0;
+               goto end;
+               }
+
+       pk = X509_get_pubkey(x);
+       /* Check EE key only */
+       rv = check_suite_b(pk, -1, &tflags);
+       if (rv != X509_V_OK)
+               {
+               /* Correct error depth */
+               i = 0;
+               goto end;
+               }
+       for(; i < sk_X509_num(chain); i++)
+               {
+               sign_nid = X509_get_signature_nid(x);
+               x = sk_X509_value(chain, i);
+               if (X509_get_version(x) != 2)
+                       {
+                       rv = X509_V_ERR_SUITE_B_INVALID_VERSION;
+                       goto end;
+                       }
+               EVP_PKEY_free(pk);
+               pk = X509_get_pubkey(x);
+               rv = check_suite_b(pk, sign_nid, &tflags);
+               if (rv != X509_V_OK)
+                       goto end;
+               }
+
+       /* Final check: root CA signature */
+       rv = check_suite_b(pk, X509_get_signature_nid(x), &tflags);
+       end:
+       if (pk)
+               EVP_PKEY_free(pk);
+       if (rv != X509_V_OK)
+               {
+               /* Invalid signature or LOS errors are for previous cert */
+               if ((rv == X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM
+                   || rv == X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED) && i)
+                       i--;
+               /* If we have LOS error and flags changed then we are signing
+                * P-384 with P-256. Use more meaninggul error.
+                */
+               if (rv == X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED && flags != tflags)
+                       rv = X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256;
+               if (perror_depth)
+                       *perror_depth = i;
+               }
+       return rv;
+       }
+
+int X509_CRL_check_suiteb(X509_CRL *crl, EVP_PKEY *pk, unsigned long flags)
+       {
+       int sign_nid;
+       if (!(flags & X509_V_FLAG_SUITEB_128_LOS))
+               return X509_V_OK;
+       sign_nid = OBJ_obj2nid(crl->crl->sig_alg->algorithm);
+       return check_suite_b(pk, sign_nid, &flags);
+       }
+
index e444176e90f0efe827828ea3237fa58bb613a78d..699f72ef7697b6f6cebc2051f69cfca4e4cadba4 100644 (file)
@@ -184,6 +184,19 @@ const char *X509_verify_cert_error_string(long n)
        case X509_V_ERR_CRL_PATH_VALIDATION_ERROR:
                return("CRL path validation error");
 
+       case X509_V_ERR_SUITE_B_INVALID_VERSION:
+               return("Suite B: certificate version invalid");
+       case X509_V_ERR_SUITE_B_INVALID_ALGORITHM:
+               return("Suite B: invalid public key algorithm");
+       case X509_V_ERR_SUITE_B_INVALID_CURVE:
+               return("Suite B: invalid ECC curve");
+       case X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM:
+               return("Suite B: invalid signature algorithm");
+       case X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED:
+               return("Suite B: curve not allowed for this LOS");
+       case X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256:
+               return("Suite B: cannot sign P-384 with P-256");
+
        case X509_V_ERR_HOSTNAME_MISMATCH:
                return("Hostname mismatch");
        case X509_V_ERR_EMAIL_MISMATCH:
index 1b3c62ef7de4deb44bf16f482f6aff1a227f368c..33adb4346553077e08d24d804623cf1c8ca52059 100644 (file)
@@ -408,6 +408,17 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
        ok = ctx->check_revocation(ctx);
        if(!ok) goto end;
 
+       i = X509_chain_check_suiteb(&ctx->error_depth, NULL, ctx->chain,
+                                                       ctx->param->flags);
+       if (i != X509_V_OK)
+               {
+               ctx->error = i;
+               ctx->current_cert = sk_X509_value(ctx->chain, ctx->error_depth);
+               ok = cb(0, ctx);
+               if (!ok)
+                       goto end;
+               }
+
        /* At this point, we have a chain and need to verify it */
        if (ctx->verify != NULL)
                ok=ctx->verify(ctx);
@@ -1529,6 +1540,15 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
                        }
                else
                        {
+                       int rv;
+                       rv = X509_CRL_check_suiteb(crl, ikey, ctx->param->flags);
+                       if (rv != X509_V_OK)
+                               {
+                               ctx->error=rv;
+                               ok = ctx->verify_cb(0, ctx);
+                               if (!ok)
+                                       goto err;
+                               }
                        /* Verify CRL signature */
                        if(X509_CRL_verify(crl, ikey) <= 0)
                                {
index 40089cf50fcf91eecdf4957a56bf521bcfac7be7..5703045216b87cc52fc93d8ca0766a5cd0f95689 100644 (file)
@@ -360,6 +360,14 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 #define                X509_V_ERR_UNSUPPORTED_NAME_SYNTAX              53
 #define                X509_V_ERR_CRL_PATH_VALIDATION_ERROR            54
 
+/* Suite B mode algorithm violation */
+#define                X509_V_ERR_SUITE_B_INVALID_VERSION              56
+#define                X509_V_ERR_SUITE_B_INVALID_ALGORITHM            57
+#define                X509_V_ERR_SUITE_B_INVALID_CURVE                58
+#define                X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM  59
+#define                X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED              60
+#define                X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256 61
+
 /* Host, email and IP check errors */
 #define                X509_V_ERR_HOSTNAME_MISMATCH                    62
 #define                X509_V_ERR_EMAIL_MISMATCH                       63
@@ -402,6 +410,12 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 #define X509_V_FLAG_CHECK_SS_SIGNATURE         0x4000
 /* Use trusted store first */
 #define X509_V_FLAG_TRUSTED_FIRST              0x8000
+/* Suite B 128 bit only mode: not normally used */
+#define X509_V_FLAG_SUITEB_128_LOS_ONLY                0x10000
+/* Suite B 192 bit only mode */
+#define X509_V_FLAG_SUITEB_192_LOS             0x20000
+/* Suite B 128 bit mode allowing 192 bit algorithms */
+#define X509_V_FLAG_SUITEB_128_LOS             0x30000
 
 /* Allow partial chains if at least one certificate is in trusted store */
 #define X509_V_FLAG_PARTIAL_CHAIN              0x80000