1 /* $OpenBSD: parser.c,v 1.14 2021/10/22 11:13:06 claudio Exp $ */ 2 /* 3 * Copyright (c) 2019 Claudio Jeker <claudio@openbsd.org> 4 * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 #include <sys/queue.h> 20 #include <sys/tree.h> 21 #include <sys/types.h> 22 23 #include <assert.h> 24 #include <err.h> 25 #include <poll.h> 26 #include <stdio.h> 27 #include <stdlib.h> 28 #include <string.h> 29 #include <limits.h> 30 #include <unistd.h> 31 #include <imsg.h> 32 33 #include <openssl/asn1.h> 34 #include <openssl/err.h> 35 #include <openssl/evp.h> 36 #include <openssl/x509.h> 37 38 #include "extern.h" 39 40 static void build_chain(const struct auth *, STACK_OF(X509) **); 41 static struct crl *get_crl(const struct auth *, struct crl_tree *); 42 static void build_crls(const struct crl *, STACK_OF(X509_CRL) **); 43 44 /* Limit how deep the RPKI tree can be. */ 45 #define MAX_CERT_DEPTH 12 46 47 /* 48 * Parse and validate a ROA. 49 * This is standard stuff. 50 * Returns the roa on success, NULL on failure. 51 */ 52 static struct roa * 53 proc_parser_roa(struct entity *entp, X509_STORE_CTX *ctx, 54 struct auth_tree *auths, struct crl_tree *crlt) 55 { 56 struct roa *roa; 57 X509 *x509; 58 int c; 59 struct auth *a; 60 STACK_OF(X509) *chain; 61 STACK_OF(X509_CRL) *crls; 62 struct crl *crl; 63 64 if ((roa = roa_parse(&x509, entp->file)) == NULL) 65 return NULL; 66 67 a = valid_ski_aki(entp->file, auths, roa->ski, roa->aki); 68 69 build_chain(a, &chain); 70 crl = get_crl(a, crlt); 71 build_crls(crl, &crls); 72 73 assert(x509 != NULL); 74 if (!X509_STORE_CTX_init(ctx, NULL, x509, NULL)) 75 cryptoerrx("X509_STORE_CTX_init"); 76 X509_STORE_CTX_set_flags(ctx, 77 X509_V_FLAG_IGNORE_CRITICAL | X509_V_FLAG_CRL_CHECK); 78 X509_STORE_CTX_set_depth(ctx, MAX_CERT_DEPTH); 79 X509_STORE_CTX_set0_trusted_stack(ctx, chain); 80 X509_STORE_CTX_set0_crls(ctx, crls); 81 82 if (X509_verify_cert(ctx) <= 0) { 83 c = X509_STORE_CTX_get_error(ctx); 84 X509_STORE_CTX_cleanup(ctx); 85 if (verbose > 0 || c != X509_V_ERR_UNABLE_TO_GET_CRL) 86 warnx("%s: %s", entp->file, 87 X509_verify_cert_error_string(c)); 88 X509_free(x509); 89 roa_free(roa); 90 sk_X509_free(chain); 91 sk_X509_CRL_free(crls); 92 return NULL; 93 } 94 X509_STORE_CTX_cleanup(ctx); 95 96 /* 97 * Check CRL to figure out the soonest transitive expiry moment 98 */ 99 if (roa->expires > crl->expires) 100 roa->expires = crl->expires; 101 102 /* 103 * Scan the cert tree to figure out the soonest transitive 104 * expiry moment 105 */ 106 for (; a->parent != NULL; a = a->parent) { 107 if (roa->expires > a->cert->expires) 108 roa->expires = a->cert->expires; 109 } 110 111 /* 112 * If the ROA isn't valid, we accept it anyway and depend upon 113 * the code around roa_read() to check the "valid" field itself. 114 */ 115 116 if (valid_roa(entp->file, auths, roa)) 117 roa->valid = 1; 118 119 sk_X509_free(chain); 120 sk_X509_CRL_free(crls); 121 X509_free(x509); 122 123 return roa; 124 } 125 126 /* 127 * Parse and validate a manifest file. 128 * Here we *don't* validate against the list of CRLs, because the 129 * certificate used to sign the manifest may specify a CRL that the root 130 * certificate didn't, and we haven't scanned for it yet. 131 * This chicken-and-egg isn't important, however, because we'll catch 132 * the revocation list by the time we scan for any contained resources 133 * (ROA, CER) and will see it then. 134 * Return the mft on success or NULL on failure. 135 */ 136 static struct mft * 137 proc_parser_mft(struct entity *entp, X509_STORE_CTX *ctx, 138 struct auth_tree *auths, struct crl_tree *crlt) 139 { 140 struct mft *mft; 141 X509 *x509; 142 int c; 143 struct auth *a; 144 STACK_OF(X509) *chain; 145 146 if ((mft = mft_parse(&x509, entp->file)) == NULL) 147 return NULL; 148 149 a = valid_ski_aki(entp->file, auths, mft->ski, mft->aki); 150 build_chain(a, &chain); 151 152 if (!X509_STORE_CTX_init(ctx, NULL, x509, NULL)) 153 cryptoerrx("X509_STORE_CTX_init"); 154 155 /* CRL checked disabled here because CRL is referenced from mft */ 156 X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_IGNORE_CRITICAL); 157 X509_STORE_CTX_set_depth(ctx, MAX_CERT_DEPTH); 158 X509_STORE_CTX_set0_trusted_stack(ctx, chain); 159 160 if (X509_verify_cert(ctx) <= 0) { 161 c = X509_STORE_CTX_get_error(ctx); 162 X509_STORE_CTX_cleanup(ctx); 163 warnx("%s: %s", entp->file, X509_verify_cert_error_string(c)); 164 mft_free(mft); 165 X509_free(x509); 166 sk_X509_free(chain); 167 return NULL; 168 } 169 170 X509_STORE_CTX_cleanup(ctx); 171 sk_X509_free(chain); 172 X509_free(x509); 173 174 if (!mft_check(entp->file, mft)) { 175 mft_free(mft); 176 return NULL; 177 } 178 179 return mft; 180 } 181 182 /* 183 * Certificates are from manifests (has a digest and is signed with 184 * another certificate) Parse the certificate, make sure its 185 * signatures are valid (with CRLs), then validate the RPKI content. 186 * This returns a certificate (which must not be freed) or NULL on 187 * parse failure. 188 */ 189 static struct cert * 190 proc_parser_cert(const struct entity *entp, X509_STORE_CTX *ctx, 191 struct auth_tree *auths, struct crl_tree *crlt) 192 { 193 struct cert *cert; 194 X509 *x509; 195 int c; 196 struct auth *a = NULL, *na; 197 STACK_OF(X509) *chain; 198 STACK_OF(X509_CRL) *crls; 199 200 assert(!entp->has_pkey); 201 202 /* Extract certificate data and X509. */ 203 204 cert = cert_parse(&x509, entp->file); 205 if (cert == NULL) 206 return NULL; 207 208 a = valid_ski_aki(entp->file, auths, cert->ski, cert->aki); 209 build_chain(a, &chain); 210 build_crls(get_crl(a, crlt), &crls); 211 212 assert(x509 != NULL); 213 if (!X509_STORE_CTX_init(ctx, NULL, x509, NULL)) 214 cryptoerrx("X509_STORE_CTX_init"); 215 216 X509_STORE_CTX_set_flags(ctx, 217 X509_V_FLAG_IGNORE_CRITICAL | X509_V_FLAG_CRL_CHECK); 218 X509_STORE_CTX_set_depth(ctx, MAX_CERT_DEPTH); 219 X509_STORE_CTX_set0_trusted_stack(ctx, chain); 220 X509_STORE_CTX_set0_crls(ctx, crls); 221 222 if (X509_verify_cert(ctx) <= 0) { 223 c = X509_STORE_CTX_get_error(ctx); 224 warnx("%s: %s", entp->file, 225 X509_verify_cert_error_string(c)); 226 X509_STORE_CTX_cleanup(ctx); 227 cert_free(cert); 228 sk_X509_free(chain); 229 sk_X509_CRL_free(crls); 230 X509_free(x509); 231 return NULL; 232 } 233 234 X509_STORE_CTX_cleanup(ctx); 235 sk_X509_free(chain); 236 sk_X509_CRL_free(crls); 237 238 /* Validate the cert to get the parent */ 239 if (!valid_cert(entp->file, auths, cert)) { 240 X509_free(x509); // needed? XXX 241 return cert; 242 } 243 244 /* 245 * Add validated certs to the RPKI auth tree. 246 */ 247 248 cert->valid = 1; 249 250 na = malloc(sizeof(*na)); 251 if (na == NULL) 252 err(1, NULL); 253 254 cert->tal = strdup(a->tal); 255 if (cert->tal == NULL) 256 err(1, NULL); 257 258 na->parent = a; 259 na->cert = cert; 260 na->tal = a->tal; 261 na->fn = strdup(entp->file); 262 if (na->fn == NULL) 263 err(1, NULL); 264 265 if (RB_INSERT(auth_tree, auths, na) != NULL) 266 err(1, "auth tree corrupted"); 267 268 return cert; 269 } 270 271 272 /* 273 * Root certificates come from TALs (has a pkey and is self-signed). 274 * Parse the certificate, ensure that it's public key matches the 275 * known public key from the TAL, and then validate the RPKI 276 * content. 277 * 278 * This returns a certificate (which must not be freed) or NULL on 279 * parse failure. 280 */ 281 static struct cert * 282 proc_parser_root_cert(const struct entity *entp, X509_STORE_CTX *ctx, 283 struct auth_tree *auths, struct crl_tree *crlt) 284 { 285 char subject[256]; 286 ASN1_TIME *notBefore, *notAfter; 287 X509_NAME *name; 288 struct cert *cert; 289 X509 *x509; 290 struct auth *na; 291 char *tal; 292 293 assert(entp->has_pkey); 294 295 /* Extract certificate data and X509. */ 296 297 cert = ta_parse(&x509, entp->file, entp->pkey, entp->pkeysz); 298 if (cert == NULL) 299 return NULL; 300 301 if ((name = X509_get_subject_name(x509)) == NULL) { 302 warnx("%s Unable to get certificate subject", entp->file); 303 goto badcert; 304 } 305 if (X509_NAME_oneline(name, subject, sizeof(subject)) == NULL) { 306 warnx("%s: Unable to parse certificate subject name", 307 entp->file); 308 goto badcert; 309 } 310 if ((notBefore = X509_get_notBefore(x509)) == NULL) { 311 warnx("%s: certificate has invalid notBefore, subject='%s'", 312 entp->file, subject); 313 goto badcert; 314 } 315 if ((notAfter = X509_get_notAfter(x509)) == NULL) { 316 warnx("%s: certificate has invalid notAfter, subject='%s'", 317 entp->file, subject); 318 goto badcert; 319 } 320 if (X509_cmp_current_time(notBefore) != -1) { 321 warnx("%s: certificate not yet valid, subject='%s'", entp->file, 322 subject); 323 goto badcert; 324 } 325 if (X509_cmp_current_time(notAfter) != 1) { 326 warnx("%s: certificate has expired, subject='%s'", entp->file, 327 subject); 328 goto badcert; 329 } 330 if (!valid_ta(entp->file, auths, cert)) { 331 warnx("%s: certificate not a valid ta, subject='%s'", 332 entp->file, subject); 333 goto badcert; 334 } 335 336 /* 337 * Add valid roots to the RPKI auth tree. 338 */ 339 340 cert->valid = 1; 341 342 na = malloc(sizeof(*na)); 343 if (na == NULL) 344 err(1, NULL); 345 346 if ((tal = strdup(entp->descr)) == NULL) 347 err(1, NULL); 348 349 na->parent = NULL; 350 na->cert = cert; 351 na->tal = tal; 352 na->fn = strdup(entp->file); 353 if (na->fn == NULL) 354 err(1, NULL); 355 356 if (RB_INSERT(auth_tree, auths, na) != NULL) 357 err(1, "auth tree corrupted"); 358 359 return cert; 360 badcert: 361 X509_free(x509); // needed? XXX 362 return cert; 363 } 364 365 /* 366 * Parse a certificate revocation list 367 * This simply parses the CRL content itself, optionally validating it 368 * within the digest if it comes from a manifest, then adds it to the 369 * CRL tree. 370 */ 371 static void 372 proc_parser_crl(struct entity *entp, X509_STORE_CTX *ctx, struct crl_tree *crlt) 373 { 374 X509_CRL *x509_crl; 375 struct crl *crl; 376 const ASN1_TIME *at; 377 struct tm expires_tm; 378 379 if ((x509_crl = crl_parse(entp->file)) != NULL) { 380 if ((crl = malloc(sizeof(*crl))) == NULL) 381 err(1, NULL); 382 if ((crl->aki = x509_crl_get_aki(x509_crl, entp->file)) == 383 NULL) 384 errx(1, "x509_crl_get_aki failed"); 385 crl->x509_crl = x509_crl; 386 387 /* extract expire time for later use */ 388 at = X509_CRL_get0_nextUpdate(x509_crl); 389 if (at == NULL) { 390 errx(1, "%s: X509_CRL_get0_nextUpdate failed", 391 entp->file); 392 } 393 memset(&expires_tm, 0, sizeof(expires_tm)); 394 if (ASN1_time_parse(at->data, at->length, &expires_tm, 395 0) == -1) { 396 errx(1, "%s: ASN1_time_parse failed", entp->file); 397 } 398 if ((crl->expires = mktime(&expires_tm)) == -1) { 399 errx(1, "%s: mktime failed", entp->file); 400 } 401 402 if (RB_INSERT(crl_tree, crlt, crl) != NULL) { 403 warnx("%s: duplicate AKI %s", entp->file, crl->aki); 404 free_crl(crl); 405 } 406 } 407 } 408 409 /* 410 * Parse a ghostbuster record 411 */ 412 static void 413 proc_parser_gbr(struct entity *entp, X509_STORE_CTX *ctx, 414 struct auth_tree *auths, struct crl_tree *crlt) 415 { 416 struct gbr *gbr; 417 X509 *x509; 418 int c; 419 struct auth *a; 420 STACK_OF(X509) *chain; 421 STACK_OF(X509_CRL) *crls; 422 423 if ((gbr = gbr_parse(&x509, entp->file)) == NULL) 424 return; 425 426 a = valid_ski_aki(entp->file, auths, gbr->ski, gbr->aki); 427 428 build_chain(a, &chain); 429 build_crls(get_crl(a, crlt), &crls); 430 431 assert(x509 != NULL); 432 if (!X509_STORE_CTX_init(ctx, NULL, x509, NULL)) 433 cryptoerrx("X509_STORE_CTX_init"); 434 X509_STORE_CTX_set_flags(ctx, 435 X509_V_FLAG_IGNORE_CRITICAL | X509_V_FLAG_CRL_CHECK); 436 X509_STORE_CTX_set_depth(ctx, MAX_CERT_DEPTH); 437 X509_STORE_CTX_set0_trusted_stack(ctx, chain); 438 X509_STORE_CTX_set0_crls(ctx, crls); 439 440 if (X509_verify_cert(ctx) <= 0) { 441 c = X509_STORE_CTX_get_error(ctx); 442 if (verbose > 0 || c != X509_V_ERR_UNABLE_TO_GET_CRL) 443 warnx("%s: %s", entp->file, 444 X509_verify_cert_error_string(c)); 445 } 446 447 X509_STORE_CTX_cleanup(ctx); 448 sk_X509_free(chain); 449 sk_X509_CRL_free(crls); 450 X509_free(x509); 451 gbr_free(gbr); 452 } 453 454 /* 455 * Walk the certificate tree to the root and build a certificate 456 * chain from cert->x509. All certs in the tree are validated and 457 * can be loaded as trusted stack into the validator. 458 */ 459 static void 460 build_chain(const struct auth *a, STACK_OF(X509) **chain) 461 { 462 *chain = NULL; 463 464 if (a == NULL) 465 return; 466 467 if ((*chain = sk_X509_new_null()) == NULL) 468 err(1, "sk_X509_new_null"); 469 for (; a != NULL; a = a->parent) { 470 assert(a->cert->x509 != NULL); 471 if (!sk_X509_push(*chain, a->cert->x509)) 472 errx(1, "sk_X509_push"); 473 } 474 } 475 476 /* 477 * Find a CRL based on the auth SKI value. 478 */ 479 static struct crl * 480 get_crl(const struct auth *a, struct crl_tree *crlt) 481 { 482 struct crl find; 483 484 if (a == NULL) 485 return NULL; 486 487 find.aki = a->cert->ski; 488 return RB_FIND(crl_tree, crlt, &find); 489 } 490 491 /* 492 * Add the CRL based on the certs SKI value. 493 * No need to insert any other CRL since those were already checked. 494 */ 495 static void 496 build_crls(const struct crl *crl, STACK_OF(X509_CRL) **crls) 497 { 498 *crls = NULL; 499 500 if (crl == NULL) 501 return; 502 503 if ((*crls = sk_X509_CRL_new_null()) == NULL) 504 errx(1, "sk_X509_CRL_new_null"); 505 506 if (!sk_X509_CRL_push(*crls, crl->x509_crl)) 507 err(1, "sk_X509_CRL_push"); 508 } 509 510 /* 511 * Process responsible for parsing and validating content. 512 * All this process does is wait to be told about a file to parse, then 513 * it parses it and makes sure that the data being returned is fully 514 * validated and verified. 515 * The process will exit cleanly only when fd is closed. 516 */ 517 void 518 proc_parser(int fd) 519 { 520 struct tal *tal; 521 struct cert *cert; 522 struct mft *mft; 523 struct roa *roa; 524 struct entity *entp; 525 struct entityq q; 526 struct msgbuf msgq; 527 struct pollfd pfd; 528 struct ibuf *b; 529 X509_STORE_CTX *ctx; 530 struct auth_tree auths = RB_INITIALIZER(&auths); 531 struct crl_tree crlt = RB_INITIALIZER(&crlt); 532 int c, rc = 1; 533 534 ERR_load_crypto_strings(); 535 OpenSSL_add_all_ciphers(); 536 OpenSSL_add_all_digests(); 537 538 if ((ctx = X509_STORE_CTX_new()) == NULL) 539 cryptoerrx("X509_STORE_CTX_new"); 540 541 TAILQ_INIT(&q); 542 543 msgbuf_init(&msgq); 544 msgq.fd = fd; 545 546 pfd.fd = fd; 547 548 io_socket_nonblocking(pfd.fd); 549 550 for (;;) { 551 pfd.events = POLLIN; 552 if (msgq.queued) 553 pfd.events |= POLLOUT; 554 555 if (poll(&pfd, 1, INFTIM) == -1) 556 err(1, "poll"); 557 if ((pfd.revents & (POLLERR|POLLNVAL))) 558 errx(1, "poll: bad descriptor"); 559 560 /* If the parent closes, return immediately. */ 561 562 if ((pfd.revents & POLLHUP)) 563 break; 564 565 /* 566 * Start with read events. 567 * This means that the parent process is sending us 568 * something we need to parse. 569 * We don't actually parse it til we have space in our 570 * outgoing buffer for responding, though. 571 */ 572 573 if ((pfd.revents & POLLIN)) { 574 io_socket_blocking(fd); 575 entp = calloc(1, sizeof(struct entity)); 576 if (entp == NULL) 577 err(1, NULL); 578 entity_read_req(fd, entp); 579 TAILQ_INSERT_TAIL(&q, entp, entries); 580 io_socket_nonblocking(fd); 581 } 582 583 if (pfd.revents & POLLOUT) { 584 switch (msgbuf_write(&msgq)) { 585 case 0: 586 errx(1, "write: connection closed"); 587 case -1: 588 err(1, "write"); 589 } 590 } 591 592 /* 593 * If there's nothing to parse, then stop waiting for 594 * the write signal. 595 */ 596 597 if (TAILQ_EMPTY(&q)) { 598 pfd.events &= ~POLLOUT; 599 continue; 600 } 601 602 entp = TAILQ_FIRST(&q); 603 assert(entp != NULL); 604 605 b = io_buf_new(); 606 io_simple_buffer(b, &entp->type, sizeof(entp->type)); 607 608 switch (entp->type) { 609 case RTYPE_TAL: 610 if ((tal = tal_parse(entp->file, entp->descr)) == NULL) 611 goto out; 612 tal_buffer(b, tal); 613 tal_free(tal); 614 break; 615 case RTYPE_CER: 616 if (entp->has_pkey) 617 cert = proc_parser_root_cert(entp, ctx, &auths, 618 &crlt); 619 else 620 cert = proc_parser_cert(entp, ctx, &auths, 621 &crlt); 622 c = (cert != NULL); 623 io_simple_buffer(b, &c, sizeof(int)); 624 if (cert != NULL) 625 cert_buffer(b, cert); 626 /* 627 * The parsed certificate data "cert" is now 628 * managed in the "auths" table, so don't free 629 * it here (see the loop after "out"). 630 */ 631 break; 632 case RTYPE_MFT: 633 mft = proc_parser_mft(entp, ctx, &auths, &crlt); 634 c = (mft != NULL); 635 io_simple_buffer(b, &c, sizeof(int)); 636 if (mft != NULL) 637 mft_buffer(b, mft); 638 mft_free(mft); 639 break; 640 case RTYPE_CRL: 641 proc_parser_crl(entp, ctx, &crlt); 642 break; 643 case RTYPE_ROA: 644 roa = proc_parser_roa(entp, ctx, &auths, &crlt); 645 c = (roa != NULL); 646 io_simple_buffer(b, &c, sizeof(int)); 647 if (roa != NULL) 648 roa_buffer(b, roa); 649 roa_free(roa); 650 break; 651 case RTYPE_GBR: 652 proc_parser_gbr(entp, ctx, &auths, &crlt); 653 break; 654 default: 655 abort(); 656 } 657 658 io_buf_close(&msgq, b); 659 TAILQ_REMOVE(&q, entp, entries); 660 entity_free(entp); 661 } 662 663 rc = 0; 664 out: 665 while ((entp = TAILQ_FIRST(&q)) != NULL) { 666 TAILQ_REMOVE(&q, entp, entries); 667 entity_free(entp); 668 } 669 670 /* XXX free auths and crl tree */ 671 672 X509_STORE_CTX_free(ctx); 673 674 msgbuf_clear(&msgq); 675 676 exit(rc); 677 } 678