1 /* $OpenBSD: parser.c,v 1.28 2021/11/04 18:26:48 claudio Exp $ */ 2 /* 3 * Copyright (c) 2019 Claudio Jeker <claudio@openbsd.org> 4 * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv> 5 * 6 * Permission to use, copy, modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 */ 18 19 #include <sys/queue.h> 20 #include <sys/tree.h> 21 #include <sys/types.h> 22 23 #include <assert.h> 24 #include <err.h> 25 #include <poll.h> 26 #include <stdio.h> 27 #include <stdlib.h> 28 #include <string.h> 29 #include <limits.h> 30 #include <unistd.h> 31 #include <imsg.h> 32 33 #include <openssl/asn1.h> 34 #include <openssl/err.h> 35 #include <openssl/evp.h> 36 #include <openssl/x509.h> 37 38 #include "extern.h" 39 40 static void build_chain(const struct auth *, STACK_OF(X509) **); 41 static struct crl *get_crl(const struct auth *); 42 static void build_crls(const struct crl *, STACK_OF(X509_CRL) **); 43 44 static X509_STORE_CTX *ctx; 45 static struct auth_tree auths = RB_INITIALIZER(&auths); 46 static struct crl_tree crlt = RB_INITIALIZER(&crlt); 47 48 /* 49 * Parse and validate a ROA. 50 * This is standard stuff. 51 * Returns the roa on success, NULL on failure. 52 */ 53 static struct roa * 54 proc_parser_roa(struct entity *entp, const unsigned char *der, size_t len) 55 { 56 struct roa *roa; 57 X509 *x509; 58 int c; 59 struct auth *a; 60 STACK_OF(X509) *chain; 61 STACK_OF(X509_CRL) *crls; 62 struct crl *crl; 63 64 if ((roa = roa_parse(&x509, entp->file, der, len)) == NULL) 65 return NULL; 66 67 a = valid_ski_aki(entp->file, &auths, roa->ski, roa->aki); 68 build_chain(a, &chain); 69 crl = get_crl(a); 70 build_crls(crl, &crls); 71 72 assert(x509 != NULL); 73 if (!X509_STORE_CTX_init(ctx, NULL, x509, NULL)) 74 cryptoerrx("X509_STORE_CTX_init"); 75 X509_STORE_CTX_set_flags(ctx, 76 X509_V_FLAG_IGNORE_CRITICAL | X509_V_FLAG_CRL_CHECK); 77 X509_STORE_CTX_set_depth(ctx, MAX_CERT_DEPTH); 78 X509_STORE_CTX_set0_trusted_stack(ctx, chain); 79 X509_STORE_CTX_set0_crls(ctx, crls); 80 81 if (X509_verify_cert(ctx) <= 0) { 82 c = X509_STORE_CTX_get_error(ctx); 83 X509_STORE_CTX_cleanup(ctx); 84 if (verbose > 0 || c != X509_V_ERR_UNABLE_TO_GET_CRL) 85 warnx("%s: %s", entp->file, 86 X509_verify_cert_error_string(c)); 87 X509_free(x509); 88 roa_free(roa); 89 sk_X509_free(chain); 90 sk_X509_CRL_free(crls); 91 return NULL; 92 } 93 X509_STORE_CTX_cleanup(ctx); 94 95 /* 96 * Check CRL to figure out the soonest transitive expiry moment 97 */ 98 if (crl != NULL && roa->expires > crl->expires) 99 roa->expires = crl->expires; 100 101 /* 102 * Scan the cert tree to figure out the soonest transitive 103 * expiry moment 104 */ 105 for (; a != NULL; a = a->parent) { 106 if (roa->expires > a->cert->expires) 107 roa->expires = a->cert->expires; 108 } 109 110 /* 111 * If the ROA isn't valid, we accept it anyway and depend upon 112 * the code around roa_read() to check the "valid" field itself. 113 */ 114 115 if (valid_roa(entp->file, &auths, roa)) 116 roa->valid = 1; 117 118 sk_X509_free(chain); 119 sk_X509_CRL_free(crls); 120 X509_free(x509); 121 122 return roa; 123 } 124 125 /* 126 * Parse and validate a manifest file. 127 * Here we *don't* validate against the list of CRLs, because the 128 * certificate used to sign the manifest may specify a CRL that the root 129 * certificate didn't, and we haven't scanned for it yet. 130 * This chicken-and-egg isn't important, however, because we'll catch 131 * the revocation list by the time we scan for any contained resources 132 * (ROA, CER) and will see it then. 133 * Return the mft on success or NULL on failure. 134 */ 135 static struct mft * 136 proc_parser_mft(struct entity *entp, const unsigned char *der, size_t len) 137 { 138 struct mft *mft; 139 X509 *x509; 140 int c; 141 struct auth *a; 142 STACK_OF(X509) *chain; 143 144 if ((mft = mft_parse(&x509, entp->file, der, len)) == NULL) 145 return NULL; 146 147 a = valid_ski_aki(entp->file, &auths, mft->ski, mft->aki); 148 build_chain(a, &chain); 149 150 if (!X509_STORE_CTX_init(ctx, NULL, x509, NULL)) 151 cryptoerrx("X509_STORE_CTX_init"); 152 153 /* CRL checked disabled here because CRL is referenced from mft */ 154 X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_IGNORE_CRITICAL); 155 X509_STORE_CTX_set_depth(ctx, MAX_CERT_DEPTH); 156 X509_STORE_CTX_set0_trusted_stack(ctx, chain); 157 158 if (X509_verify_cert(ctx) <= 0) { 159 c = X509_STORE_CTX_get_error(ctx); 160 X509_STORE_CTX_cleanup(ctx); 161 warnx("%s: %s", entp->file, X509_verify_cert_error_string(c)); 162 mft_free(mft); 163 X509_free(x509); 164 sk_X509_free(chain); 165 return NULL; 166 } 167 168 X509_STORE_CTX_cleanup(ctx); 169 sk_X509_free(chain); 170 X509_free(x509); 171 172 if (!mft_check(entp->file, mft)) { 173 mft_free(mft); 174 return NULL; 175 } 176 177 return mft; 178 } 179 180 /* 181 * Certificates are from manifests (has a digest and is signed with 182 * another certificate) Parse the certificate, make sure its 183 * signatures are valid (with CRLs), then validate the RPKI content. 184 * This returns a certificate (which must not be freed) or NULL on 185 * parse failure. 186 */ 187 static struct cert * 188 proc_parser_cert(const struct entity *entp, const unsigned char *der, 189 size_t len) 190 { 191 struct cert *cert; 192 X509 *x509; 193 int c; 194 struct auth *a = NULL; 195 STACK_OF(X509) *chain; 196 STACK_OF(X509_CRL) *crls; 197 198 assert(!entp->has_data); 199 200 /* Extract certificate data and X509. */ 201 202 cert = cert_parse(&x509, entp->file, der, len); 203 if (cert == NULL) 204 return NULL; 205 206 a = valid_ski_aki(entp->file, &auths, cert->ski, cert->aki); 207 build_chain(a, &chain); 208 build_crls(get_crl(a), &crls); 209 210 assert(x509 != NULL); 211 if (!X509_STORE_CTX_init(ctx, NULL, x509, NULL)) 212 cryptoerrx("X509_STORE_CTX_init"); 213 214 X509_STORE_CTX_set_flags(ctx, 215 X509_V_FLAG_IGNORE_CRITICAL | X509_V_FLAG_CRL_CHECK); 216 X509_STORE_CTX_set_depth(ctx, MAX_CERT_DEPTH); 217 X509_STORE_CTX_set0_trusted_stack(ctx, chain); 218 X509_STORE_CTX_set0_crls(ctx, crls); 219 220 if (X509_verify_cert(ctx) <= 0) { 221 c = X509_STORE_CTX_get_error(ctx); 222 warnx("%s: %s", entp->file, 223 X509_verify_cert_error_string(c)); 224 X509_STORE_CTX_cleanup(ctx); 225 cert_free(cert); 226 sk_X509_free(chain); 227 sk_X509_CRL_free(crls); 228 X509_free(x509); 229 return NULL; 230 } 231 232 X509_STORE_CTX_cleanup(ctx); 233 sk_X509_free(chain); 234 sk_X509_CRL_free(crls); 235 X509_free(x509); 236 237 cert->talid = a->cert->talid; 238 239 /* Validate the cert to get the parent */ 240 if (!valid_cert(entp->file, &auths, cert)) { 241 cert_free(cert); 242 return NULL; 243 } 244 245 /* 246 * Add validated CA certs to the RPKI auth tree. 247 */ 248 if (cert->purpose == CERT_PURPOSE_CA) { 249 if (!auth_insert(&auths, cert, a)) { 250 cert_free(cert); 251 return NULL; 252 } 253 } 254 255 return cert; 256 } 257 258 /* 259 * Root certificates come from TALs (has a pkey and is self-signed). 260 * Parse the certificate, ensure that it's public key matches the 261 * known public key from the TAL, and then validate the RPKI 262 * content. 263 * 264 * This returns a certificate (which must not be freed) or NULL on 265 * parse failure. 266 */ 267 static struct cert * 268 proc_parser_root_cert(const struct entity *entp, const unsigned char *der, 269 size_t len) 270 { 271 char subject[256]; 272 ASN1_TIME *notBefore, *notAfter; 273 X509_NAME *name; 274 struct cert *cert; 275 X509 *x509; 276 277 assert(entp->has_data); 278 279 /* Extract certificate data and X509. */ 280 281 cert = ta_parse(&x509, entp->file, der, len, entp->data, entp->datasz); 282 if (cert == NULL) 283 return NULL; 284 285 if ((name = X509_get_subject_name(x509)) == NULL) { 286 warnx("%s Unable to get certificate subject", entp->file); 287 goto badcert; 288 } 289 if (X509_NAME_oneline(name, subject, sizeof(subject)) == NULL) { 290 warnx("%s: Unable to parse certificate subject name", 291 entp->file); 292 goto badcert; 293 } 294 if ((notBefore = X509_get_notBefore(x509)) == NULL) { 295 warnx("%s: certificate has invalid notBefore, subject='%s'", 296 entp->file, subject); 297 goto badcert; 298 } 299 if ((notAfter = X509_get_notAfter(x509)) == NULL) { 300 warnx("%s: certificate has invalid notAfter, subject='%s'", 301 entp->file, subject); 302 goto badcert; 303 } 304 if (X509_cmp_current_time(notBefore) != -1) { 305 warnx("%s: certificate not yet valid, subject='%s'", entp->file, 306 subject); 307 goto badcert; 308 } 309 if (X509_cmp_current_time(notAfter) != 1) { 310 warnx("%s: certificate has expired, subject='%s'", entp->file, 311 subject); 312 goto badcert; 313 } 314 if (!valid_ta(entp->file, &auths, cert)) { 315 warnx("%s: certificate not a valid ta, subject='%s'", 316 entp->file, subject); 317 goto badcert; 318 } 319 320 X509_free(x509); 321 322 cert->talid = entp->talid; 323 324 /* 325 * Add valid roots to the RPKI auth tree. 326 */ 327 if (!auth_insert(&auths, cert, NULL)) { 328 cert_free(cert); 329 return NULL; 330 } 331 332 return cert; 333 334 badcert: 335 X509_free(x509); 336 cert_free(cert); 337 return NULL; 338 } 339 340 /* 341 * Parse a certificate revocation list 342 * This simply parses the CRL content itself, optionally validating it 343 * within the digest if it comes from a manifest, then adds it to the 344 * CRL tree. 345 */ 346 static void 347 proc_parser_crl(struct entity *entp, const unsigned char *der, size_t len) 348 { 349 X509_CRL *x509_crl; 350 struct crl *crl; 351 const ASN1_TIME *at; 352 struct tm expires_tm; 353 354 if ((x509_crl = crl_parse(entp->file, der, len)) != NULL) { 355 if ((crl = malloc(sizeof(*crl))) == NULL) 356 err(1, NULL); 357 if ((crl->aki = x509_crl_get_aki(x509_crl, entp->file)) == 358 NULL) { 359 warnx("x509_crl_get_aki failed"); 360 goto err; 361 } 362 363 crl->x509_crl = x509_crl; 364 365 /* extract expire time for later use */ 366 at = X509_CRL_get0_nextUpdate(x509_crl); 367 if (at == NULL) { 368 warnx("%s: X509_CRL_get0_nextUpdate failed", 369 entp->file); 370 goto err; 371 } 372 memset(&expires_tm, 0, sizeof(expires_tm)); 373 if (ASN1_time_parse(at->data, at->length, &expires_tm, 374 0) == -1) { 375 warnx("%s: ASN1_time_parse failed", entp->file); 376 goto err; 377 } 378 if ((crl->expires = mktime(&expires_tm)) == -1) 379 errx(1, "%s: mktime failed", entp->file); 380 381 if (RB_INSERT(crl_tree, &crlt, crl) != NULL) { 382 warnx("%s: duplicate AKI %s", entp->file, crl->aki); 383 goto err; 384 } 385 } 386 return; 387 err: 388 free_crl(crl); 389 } 390 391 /* 392 * Parse a ghostbuster record 393 */ 394 static void 395 proc_parser_gbr(struct entity *entp, const unsigned char *der, size_t len) 396 { 397 struct gbr *gbr; 398 X509 *x509; 399 int c; 400 struct auth *a; 401 STACK_OF(X509) *chain; 402 STACK_OF(X509_CRL) *crls; 403 404 if ((gbr = gbr_parse(&x509, entp->file, der, len)) == NULL) 405 return; 406 407 a = valid_ski_aki(entp->file, &auths, gbr->ski, gbr->aki); 408 409 build_chain(a, &chain); 410 build_crls(get_crl(a), &crls); 411 412 assert(x509 != NULL); 413 if (!X509_STORE_CTX_init(ctx, NULL, x509, NULL)) 414 cryptoerrx("X509_STORE_CTX_init"); 415 X509_STORE_CTX_set_flags(ctx, 416 X509_V_FLAG_IGNORE_CRITICAL | X509_V_FLAG_CRL_CHECK); 417 X509_STORE_CTX_set_depth(ctx, MAX_CERT_DEPTH); 418 X509_STORE_CTX_set0_trusted_stack(ctx, chain); 419 X509_STORE_CTX_set0_crls(ctx, crls); 420 421 if (X509_verify_cert(ctx) <= 0) { 422 c = X509_STORE_CTX_get_error(ctx); 423 if (verbose > 0 || c != X509_V_ERR_UNABLE_TO_GET_CRL) 424 warnx("%s: %s", entp->file, 425 X509_verify_cert_error_string(c)); 426 } 427 428 X509_STORE_CTX_cleanup(ctx); 429 sk_X509_free(chain); 430 sk_X509_CRL_free(crls); 431 X509_free(x509); 432 gbr_free(gbr); 433 } 434 435 /* 436 * Walk the certificate tree to the root and build a certificate 437 * chain from cert->x509. All certs in the tree are validated and 438 * can be loaded as trusted stack into the validator. 439 */ 440 static void 441 build_chain(const struct auth *a, STACK_OF(X509) **chain) 442 { 443 *chain = NULL; 444 445 if (a == NULL) 446 return; 447 448 if ((*chain = sk_X509_new_null()) == NULL) 449 err(1, "sk_X509_new_null"); 450 for (; a != NULL; a = a->parent) { 451 assert(a->cert->x509 != NULL); 452 if (!sk_X509_push(*chain, a->cert->x509)) 453 errx(1, "sk_X509_push"); 454 } 455 } 456 457 /* 458 * Find a CRL based on the auth SKI value. 459 */ 460 static struct crl * 461 get_crl(const struct auth *a) 462 { 463 struct crl find; 464 465 if (a == NULL) 466 return NULL; 467 468 find.aki = a->cert->ski; 469 return RB_FIND(crl_tree, &crlt, &find); 470 } 471 472 /* 473 * Add the CRL based on the certs SKI value. 474 * No need to insert any other CRL since those were already checked. 475 */ 476 static void 477 build_crls(const struct crl *crl, STACK_OF(X509_CRL) **crls) 478 { 479 *crls = NULL; 480 481 if (crl == NULL) 482 return; 483 484 if ((*crls = sk_X509_CRL_new_null()) == NULL) 485 errx(1, "sk_X509_CRL_new_null"); 486 487 if (!sk_X509_CRL_push(*crls, crl->x509_crl)) 488 err(1, "sk_X509_CRL_push"); 489 } 490 491 static void 492 parse_entity(struct entityq *q, struct msgbuf *msgq) 493 { 494 struct entity *entp; 495 struct tal *tal; 496 struct cert *cert; 497 struct mft *mft; 498 struct roa *roa; 499 struct ibuf *b; 500 unsigned char *f; 501 size_t flen; 502 int c; 503 504 while ((entp = TAILQ_FIRST(q)) != NULL) { 505 TAILQ_REMOVE(q, entp, entries); 506 507 b = io_new_buffer(); 508 io_simple_buffer(b, &entp->type, sizeof(entp->type)); 509 510 f = NULL; 511 if (entp->type != RTYPE_TAL) { 512 f = load_file(entp->file, &flen); 513 if (f == NULL) 514 warn("%s", entp->file); 515 } 516 517 switch (entp->type) { 518 case RTYPE_TAL: 519 if ((tal = tal_parse(entp->file, entp->data, 520 entp->datasz)) == NULL) 521 errx(1, "%s: could not parse tal file", 522 entp->file); 523 tal->id = entp->talid; 524 tal_buffer(b, tal); 525 tal_free(tal); 526 break; 527 case RTYPE_CER: 528 if (entp->has_data) 529 cert = proc_parser_root_cert(entp, f, flen); 530 else 531 cert = proc_parser_cert(entp, f, flen); 532 c = (cert != NULL); 533 io_simple_buffer(b, &c, sizeof(int)); 534 if (cert != NULL) 535 cert_buffer(b, cert); 536 /* 537 * The parsed certificate data "cert" is now 538 * managed in the "auths" table, so don't free 539 * it here (see the loop after "out"). 540 */ 541 break; 542 case RTYPE_CRL: 543 proc_parser_crl(entp, f, flen); 544 break; 545 case RTYPE_MFT: 546 mft = proc_parser_mft(entp, f, flen); 547 c = (mft != NULL); 548 io_simple_buffer(b, &c, sizeof(int)); 549 if (mft != NULL) 550 mft_buffer(b, mft); 551 mft_free(mft); 552 break; 553 case RTYPE_ROA: 554 roa = proc_parser_roa(entp, f, flen); 555 c = (roa != NULL); 556 io_simple_buffer(b, &c, sizeof(int)); 557 if (roa != NULL) 558 roa_buffer(b, roa); 559 roa_free(roa); 560 break; 561 case RTYPE_GBR: 562 proc_parser_gbr(entp, f, flen); 563 break; 564 default: 565 abort(); 566 } 567 568 free(f); 569 io_close_buffer(msgq, b); 570 entity_free(entp); 571 } 572 } 573 574 /* 575 * Process responsible for parsing and validating content. 576 * All this process does is wait to be told about a file to parse, then 577 * it parses it and makes sure that the data being returned is fully 578 * validated and verified. 579 * The process will exit cleanly only when fd is closed. 580 */ 581 void 582 proc_parser(int fd) 583 { 584 struct entityq q; 585 struct msgbuf msgq; 586 struct pollfd pfd; 587 struct entity *entp; 588 struct ibuf *b, *inbuf = NULL; 589 590 ERR_load_crypto_strings(); 591 OpenSSL_add_all_ciphers(); 592 OpenSSL_add_all_digests(); 593 594 if ((ctx = X509_STORE_CTX_new()) == NULL) 595 cryptoerrx("X509_STORE_CTX_new"); 596 597 TAILQ_INIT(&q); 598 599 msgbuf_init(&msgq); 600 msgq.fd = fd; 601 602 pfd.fd = fd; 603 604 for (;;) { 605 pfd.events = POLLIN; 606 if (msgq.queued) 607 pfd.events |= POLLOUT; 608 609 if (poll(&pfd, 1, INFTIM) == -1) 610 err(1, "poll"); 611 if ((pfd.revents & (POLLERR|POLLNVAL))) 612 errx(1, "poll: bad descriptor"); 613 614 /* If the parent closes, return immediately. */ 615 616 if ((pfd.revents & POLLHUP)) 617 break; 618 619 if ((pfd.revents & POLLIN)) { 620 b = io_buf_read(fd, &inbuf); 621 if (b != NULL) { 622 entp = calloc(1, sizeof(struct entity)); 623 if (entp == NULL) 624 err(1, NULL); 625 entity_read_req(b, entp); 626 TAILQ_INSERT_TAIL(&q, entp, entries); 627 ibuf_free(b); 628 } 629 } 630 631 if (pfd.revents & POLLOUT) { 632 switch (msgbuf_write(&msgq)) { 633 case 0: 634 errx(1, "write: connection closed"); 635 case -1: 636 err(1, "write"); 637 } 638 } 639 640 parse_entity(&q, &msgq); 641 } 642 643 while ((entp = TAILQ_FIRST(&q)) != NULL) { 644 TAILQ_REMOVE(&q, entp, entries); 645 entity_free(entp); 646 } 647 648 /* XXX free auths and crl tree */ 649 650 X509_STORE_CTX_free(ctx); 651 msgbuf_clear(&msgq); 652 653 exit(0); 654 } 655