xref: /openssl/crypto/ct/ct_b64.c (revision e077455e) 
1 /*
2  * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the Apache License 2.0 (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 
10 #include <limits.h>
11 #include <string.h>
12 
13 #include <openssl/ct.h>
14 #include <openssl/err.h>
15 #include <openssl/evp.h>
16 
17 #include "ct_local.h"
18 
19 /*
20  * Decodes the base64 string |in| into |out|.
21  * A new string will be malloc'd and assigned to |out|. This will be owned by
22  * the caller. Do not provide a pre-allocated string in |out|.
23  */
ct_base64_decode(const char * in,unsigned char ** out)24 static int ct_base64_decode(const char *in, unsigned char **out)
25 {
26     size_t inlen = strlen(in);
27     int outlen, i;
28     unsigned char *outbuf = NULL;
29 
30     if (inlen == 0) {
31         *out = NULL;
32         return 0;
33     }
34 
35     outlen = (inlen / 4) * 3;
36     outbuf = OPENSSL_malloc(outlen);
37     if (outbuf == NULL)
38         goto err;
39 
40     outlen = EVP_DecodeBlock(outbuf, (unsigned char *)in, inlen);
41     if (outlen < 0) {
42         ERR_raise(ERR_LIB_CT, CT_R_BASE64_DECODE_ERROR);
43         goto err;
44     }
45 
46     /* Subtract padding bytes from |outlen|.  Any more than 2 is malformed. */
47     i = 0;
48     while (in[--inlen] == '=') {
49         --outlen;
50         if (++i > 2)
51             goto err;
52     }
53 
54     *out = outbuf;
55     return outlen;
56 err:
57     OPENSSL_free(outbuf);
58     return -1;
59 }
60 
SCT_new_from_base64(unsigned char version,const char * logid_base64,ct_log_entry_type_t entry_type,uint64_t timestamp,const char * extensions_base64,const char * signature_base64)61 SCT *SCT_new_from_base64(unsigned char version, const char *logid_base64,
62                          ct_log_entry_type_t entry_type, uint64_t timestamp,
63                          const char *extensions_base64,
64                          const char *signature_base64)
65 {
66     SCT *sct = SCT_new();
67     unsigned char *dec = NULL;
68     const unsigned char* p = NULL;
69     int declen;
70 
71     if (sct == NULL) {
72         ERR_raise(ERR_LIB_CT, ERR_R_CT_LIB);
73         return NULL;
74     }
75 
76     /*
77      * RFC6962 section 4.1 says we "MUST NOT expect this to be 0", but we
78      * can only construct SCT versions that have been defined.
79      */
80     if (!SCT_set_version(sct, version)) {
81         ERR_raise(ERR_LIB_CT, CT_R_SCT_UNSUPPORTED_VERSION);
82         goto err;
83     }
84 
85     declen = ct_base64_decode(logid_base64, &dec);
86     if (declen < 0) {
87         ERR_raise(ERR_LIB_CT, X509_R_BASE64_DECODE_ERROR);
88         goto err;
89     }
90     if (!SCT_set0_log_id(sct, dec, declen))
91         goto err;
92     dec = NULL;
93 
94     declen = ct_base64_decode(extensions_base64, &dec);
95     if (declen < 0) {
96         ERR_raise(ERR_LIB_CT, X509_R_BASE64_DECODE_ERROR);
97         goto err;
98     }
99     SCT_set0_extensions(sct, dec, declen);
100     dec = NULL;
101 
102     declen = ct_base64_decode(signature_base64, &dec);
103     if (declen < 0) {
104         ERR_raise(ERR_LIB_CT, X509_R_BASE64_DECODE_ERROR);
105         goto err;
106     }
107 
108     p = dec;
109     if (o2i_SCT_signature(sct, &p, declen) <= 0)
110         goto err;
111     OPENSSL_free(dec);
112     dec = NULL;
113 
114     SCT_set_timestamp(sct, timestamp);
115 
116     if (!SCT_set_log_entry_type(sct, entry_type))
117         goto err;
118 
119     return sct;
120 
121  err:
122     OPENSSL_free(dec);
123     SCT_free(sct);
124     return NULL;
125 }
126 
127 /*
128  * Allocate, build and returns a new |ct_log| from input |pkey_base64|
129  * It returns 1 on success,
130  * 0 on decoding failure, or invalid parameter if any
131  * -1 on internal (malloc) failure
132  */
CTLOG_new_from_base64_ex(CTLOG ** ct_log,const char * pkey_base64,const char * name,OSSL_LIB_CTX * libctx,const char * propq)133 int CTLOG_new_from_base64_ex(CTLOG **ct_log, const char *pkey_base64,
134                              const char *name, OSSL_LIB_CTX *libctx,
135                              const char *propq)
136 {
137     unsigned char *pkey_der = NULL;
138     int pkey_der_len;
139     const unsigned char *p;
140     EVP_PKEY *pkey = NULL;
141 
142     if (ct_log == NULL) {
143         ERR_raise(ERR_LIB_CT, ERR_R_PASSED_INVALID_ARGUMENT);
144         return 0;
145     }
146 
147     pkey_der_len = ct_base64_decode(pkey_base64, &pkey_der);
148     if (pkey_der_len < 0) {
149         ERR_raise(ERR_LIB_CT, CT_R_LOG_CONF_INVALID_KEY);
150         return 0;
151     }
152 
153     p = pkey_der;
154     pkey = d2i_PUBKEY_ex(NULL, &p, pkey_der_len, libctx, propq);
155     OPENSSL_free(pkey_der);
156     if (pkey == NULL) {
157         ERR_raise(ERR_LIB_CT, CT_R_LOG_CONF_INVALID_KEY);
158         return 0;
159     }
160 
161     *ct_log = CTLOG_new_ex(pkey, name, libctx, propq);
162     if (*ct_log == NULL) {
163         EVP_PKEY_free(pkey);
164         return 0;
165     }
166 
167     return 1;
168 }
169 
CTLOG_new_from_base64(CTLOG ** ct_log,const char * pkey_base64,const char * name)170 int CTLOG_new_from_base64(CTLOG **ct_log, const char *pkey_base64,
171                           const char *name)
172 {
173     return CTLOG_new_from_base64_ex(ct_log, pkey_base64, name, NULL, NULL);
174 }
175