Merge our current version of the code with the OSS libsecutils.

include/secutils/certstatus/certstatus.h

@@ -17,6 +17,7 @@
 #define SECUTILS_CERTSTATUS_H_
 
 #include <openssl/x509_vfy.h>
+
 #include "../util/log.h"
 
 #if OPENSSL_VERSION_NUMBER < 0x10101000L
@@ -132,4 +133,12 @@ bool check_cert_revocation(X509_STORE_CTX* ctx, OPTIONAL OCSP_RESPONSE* resp);
  */
 int check_revocation_any_method(X509_STORE_CTX* ctx);
 
+/*
+ * Check revocation status on certs in ctx->chain. As a generalization of
+ * check_revocation() in crypto/x509/x509_vfy.c, considers local CRLs only.
+ * To be used as a callback function to be past to
+ * X509_STORE_set_check_revocation()
+ */
+int check_revocation_local_only_method(X509_STORE_CTX* ctx);
+
 #endif /* SECUTILS_CERTSTATUS_H_ */

include/secutils/certstatus/crl_mgmt.h

@@ -17,7 +17,8 @@
 #define SECUTILS_HEADER_CRL_MGMT_H
 
 #include <openssl/x509.h>
-#include <secutils/basic.h>
+
+#include "../basic.h"
 
 #ifdef __cplusplus
 extern "C" {

include/secutils/certstatus/crls.h

@@ -16,6 +16,8 @@
 #ifndef SECUTILS_CRLS_H_
 #define SECUTILS_CRLS_H_
 
+#include "../basic.h"
+
 #include <openssl/x509.h>
 
 /*!*****************************************************************************

include/secutils/credentials/cert.h

@@ -26,8 +26,7 @@
 #include <string.h>  /* for strcmp, strlen */
 
 #include "../basic.h"
-#include "../operators.h"
-# include "../util/log.h"
+#include "../util/log.h"
 
 #include <openssl/x509.h>
 
@@ -99,19 +98,6 @@ int CERTS_save(OPTIONAL const STACK_OF(X509) *certs, const char *file, OPTIONAL
 void CERTS_free(OPTIONAL STACK_OF(X509) *certs);
 
 
-/*!*****************************************************************************
- * @brief parse an X.500 Distinguished Name (DN)
- *
- * @param dn string to be parsed, format "/type0=value0/type1=value1/type2=..." where characters may be escaped by '\'.
- * The NULL-DN may be given as "/" or "".
- * @param chtype type of the string, e.g., MBSTRING_ASC, as defined in openssl/asn1.h
- * @param multirdn flag whether to allow multi-valued RDNs
- * @return ASN.1 representation of the DN, or null on error
- *******************************************************************************/
-/* this function is used by the genCMPClient API implementation */
-X509_NAME* UTIL_parse_name(const char* dn, long chtype, bool multirdn);
-
-
 /*!*****************************************************************************
  * @brief log messsage about the given certificate, printing its subject
  *
@@ -177,30 +163,4 @@ bool CERT_check_all(const char *uri, OPTIONAL STACK_OF(X509) *certs, int type_CA
                     OPTIONAL const X509_VERIFY_PARAM *vpm);
 
 
-/*!*****************************************************************************
- * @brief add certificate to given stack, optionally only if not already contained
- *
- * @param sk stack of certificates
- * @param cert certificate to be pushed to the stack
- * @param no_duplicate flag governing whether to add cert if it is a duplicate
- * @return true on success, else false
- *******************************************************************************/
-bool UTIL_sk_X509_add1_cert(STACK_OF(X509) * sk, X509* cert, bool no_duplicate);
-
-
-/*!*****************************************************************************
- * @brief add stack of certificates to given stack,
- * optionally only if not self-signed and optionally if not already contained
- *
- * @param sk stack of certificates
- * @param certs (optional) stack of certificates to be pushed to the stack
- * @param no_self_signed flag governing whether to add self-signed certs
- * @param no_duplicates flag governing whether to add cert if it is a duplicate
- * @return true on success, else false
- *******************************************************************************/
-/* this function is used by the genCMPClient API implementation */
-int UTIL_sk_X509_add1_certs(STACK_OF(X509) * sk, OPTIONAL const STACK_OF(X509) * certs, int no_self_signed,
-                            int no_duplicates);
-
-
 #endif /* SECUTILS_CERT_H_ */

include/secutils/credentials/store.h

@@ -208,6 +208,7 @@ bool STORE_load_check_dir(X509_STORE** pstore, const char* trust_dir,
 
 /*!*****************************************************************************
  * @brief search for files with CRLs in specified directory and add them to X509_STORE
+ * @note this function sets check_revocation_any_method() to be used as a callback during CRL validation
  *
  * @param pstore      pointer to trust store to be augmented with CRLs.
  *                    CRL-based status checking will be enabled in it for the full certificate chain.
@@ -220,6 +221,22 @@ bool STORE_load_check_dir(X509_STORE** pstore, const char* trust_dir,
  ******************************************************************************/
 bool STORE_load_crl_dir(X509_STORE* pstore, const char* crl_dir, OPTIONAL const char* desc, bool recursive, OPTIONAL uta_ctx* ctx);
 
+/*!*****************************************************************************
+ * @brief search for files with CRLs in specified directory and add them to X509_STORE
+ * @note this function sets check_revocation_local_only_method() to be used as a callback during CRL validation
+ *
+ * @param pstore      pointer to trust store to be augmented with CRLs.
+ *                    CRL-based status checking will be enabled in it for the full certificate chain.
+ * @param crl_dir     directory where to search for CRLs
+ * @param desc        description of CRLs to use for error reporting, or null
+ * @param recursive   if true, use recursive search in subdirectories
+ * @param ctx pointer to UTA context for checking file integrity&authenticity using ICV, or null
+ * @note at least one valid CRL file must be found in each visited directory
+ * @return true on success, false on error/failure
+ ******************************************************************************/
+bool STORE_load_crl_dir_local_only(X509_STORE* pstore, const char* crl_dir, OPTIONAL const char* desc, bool recursive,
+                                   OPTIONAL uta_ctx* ctx);
+
 /*!*****************************************************************************
  * @brief release a trust store
  *

include/secutils/credentials/verify.h

@@ -74,15 +74,13 @@ bool verify_cb_cert(X509_STORE_CTX* store_ctx, X509* cert, int err);
 /*!*****************************************************************************
  * @brief attempt to verify certificate
  *
- * @param ctx (optional) pointer to UTA context, unused
  * @param cert certificate to be verified
  * @param untrusted (optional) intermediate certs that may be useful for building
  * the chain of certificates between the cert and the trusted certs in the trust store
  * @param trust_store pointer to structure containing trusted (root) certs and further verification parameters
  * @note trust_store may contain CRLs loaded via STORE_load_crl_dir()
- * @return < 0 on on verification error, 0 for invalid cert, 1 for vaild cert
+ * @return < 0 on on verification error, 0 for invalid cert, 1 for valid cert
  *******************************************************************************/
-int CREDENTIALS_verify_cert(OPTIONAL uta_ctx* ctx, X509* cert,
-                            OPTIONAL const STACK_OF(X509) * untrusted, X509_STORE* trust_store);
+int CREDENTIALS_verify_cert(X509* cert, OPTIONAL const STACK_OF(X509) * untrusted, X509_STORE* trust_store);
 
 #endif /* SECUTILS_VERIFY_H_ */

include/secutils/storage/files_dv.h

@@ -25,6 +25,8 @@
 
 #include <openssl/x509.h>
 
+#include "../util/util.h"
+
 #include "../storage/uta_api.h"
 #define MAX_UTA_PASS_LEN (MAX_B64_CHARS_PER_BYTE * TA_OUTLEN + 1)
 #include "files.h"

include/secutils/storage/files_icv.h

@@ -20,6 +20,7 @@
 #include "../storage/uta_api.h"
 
 #include <openssl/ossl_typ.h>
+#include <openssl/safestack.h>
 
 /*!
  * @brief (re-)protect integrity of file (of any type that allows appending text) with ICV derived via UTA
@@ -126,5 +127,16 @@ bool FILES_store_cert_pem(OPTIONAL uta_ctx* ctx, const X509* cert, const char* f
  */
 bool FILES_store_crl_pem_icv(OPTIONAL uta_ctx* ctx, const X509_CRL* crl, const char* file, OPTIONAL const char* desc);
 
+/*!
+ * @brief Calculates a file's ICV and, if it is equal to the ICV stored in the file, returns the content without ICV.
+ *
+ * @param ctx pointer to UTA context, which typically is part of the libsecutils context
+ * @param path path to the file, can be relative or absolute
+ * @note if \p path is relative, it is transformed into absolute path
+ * @return \c OPENSSL_STRING containing content of the file if ICV matches, otherwise null pointer.
+ * In case of an error, message is logged and null pointer is returned.
+ * @warning Returned \c OPENSSL_STRING must be freed using function \c OPENSSL_free().
+ */
+OPENSSL_STRING FILE_get_file_content_if_existing_icv_is_valid(uta_ctx* ctx, const char* path);
 
 #endif /* SECUTILS_FILES_ICV_H_ */

include/secutils/util/log.h

@@ -71,7 +71,7 @@ void LOG_close(void);
  * @brief set verbosity level of LOG_default()
  * @note this may be done before LOG_init() is called
  *
- * @param level the minimal severity of messages to be printed; default: LOG_INFO
+ * @param level the minimal severity of messages to be printed; default: LOG_WARNING
  */
 /* this function is used by the genCMPClient CLI implementation */
 void LOG_set_verbosity(severity level);

include/secutils/util/util.h

@@ -30,11 +30,12 @@
 # include <unistd.h>
 
 # include "../basic.h"
-# include "../operators.h"
 
 # include <openssl/err.h>
 # include <openssl/x509v3.h>
 
+# include "../storage/uta_api.h"
+
 static const char *const
 UTIL_SECUTILS_NAME = "secutils";           /*!< short name of this library */
 static const int UTIL_max_path_len = 512;  /*!< max length of file path name */
@@ -195,6 +196,30 @@ typedef u_int64_t uint64_t;
 STACK_OF(X509) *X509_STORE_get1_all_certs(X509_STORE *store);
 # endif
 
+/*!*****************************************************************************
+ * @brief add certificate to given stack, optionally only if not already contained
+ *
+ * @param sk stack of certificates
+ * @param cert certificate to be pushed to the stack
+ * @param no_duplicate flag governing whether to add cert if it is a duplicate
+ * @return true on success, else false
+ *******************************************************************************/
+bool UTIL_sk_X509_add1_cert(STACK_OF(X509) * sk, X509* cert, bool no_duplicate);
+
+/*!*****************************************************************************
+ * @brief add stack of certificates to given stack,
+ * optionally only if not self-signed and optionally if not already contained
+ *
+ * @param sk stack of certificates
+ * @param certs (optional) stack of certificates to be pushed to the stack
+ * @param no_self_signed flag governing whether to add self-signed certs
+ * @param no_duplicates flag governing whether to add cert if it is a duplicate
+ * @return true on success, else false
+ *******************************************************************************/
+/* this function is used by the genCMPClient API implementation */
+int UTIL_sk_X509_add1_certs(STACK_OF(X509) * sk, OPTIONAL const STACK_OF(X509) * certs, int no_self_signed,
+                            int no_duplicates);
+
 /*!*****************************************************************************
  * @brief initialize the OpenSSL crypto library
  * @param version expected OpenSSL version number
@@ -262,6 +287,18 @@ void *UTIL_read_file(const char *filename, int *lenp);
  ******************************************************************************/
 bool UTIL_write_file(const char *filename, const void *data, size_t len);
 
+/*!*****************************************************************************
+ * @brief parse an X.500 Distinguished Name (DN)
+ *
+ * @param dn string to be parsed, format "/type0=value0/type1=value1/type2=..." where characters may be escaped by '\'.
+ * The NULL-DN may be given as "/" or "".
+ * @param chtype type of the string, e.g., MBSTRING_ASC, as defined in openssl/asn1.h
+ * @param multirdn flag whether to allow multi-valued RDNs
+ * @return ASN.1 representation of the DN, or null on error
+ *******************************************************************************/
+/* this function is used by the genCMPClient API implementation */
+X509_NAME* UTIL_parse_name(const char* dn, long chtype, bool multirdn);
+
 /*!*****************************************************************************
  * @brief call given function on each file in dir, optionally with recursion
  * @param fn function to be called on each file.
@@ -370,6 +407,7 @@ size_t UTIL_url_encode(const char  *source,
 # define HEX_BITS 4
 # define HEX_MASK 0x0f
 # define MAX_DIGIT 9
+# define ICV_LEN16 16
 
 /*!
  * @brief The function converts a binary string into a sequence of hex values.
@@ -435,4 +473,33 @@ int UTIL_base64_encode_to_buf(const unsigned char *data, int len,
 unsigned char *UTIL_base64_decode(const char *b64_data, int b64_len,
                                   int *decoded_len);
 
+/*!
+ * @brief derive integrity protection hash for data with given len, using key as DV.
+ *
+ * @param ctx pointer to uta context object
+ * @param data pointer to data from which the ICV will be calculated
+ * @param data_len size of data from which the ICV will be calculated
+ * @param key_dv The derivation value for key for which the ICV is calculated
+ * @param icv_out Pointer to a buffer where the resulting ICV will be stored. This buffer must be at least
+ * ICV_LEN16 in size.
+ * @return true if calculating the ICV is successful, false otherwise
+ */
+bool UTIL_calculate_icv(uta_ctx* ctx, const unsigned char* data, const size_t data_len, const char* key_dv,
+                        unsigned char* icv_out);
+
+/*!
+ * @brief implementation of the function UTIL_calculate_icv.
+ * @note this function was created to avoid code repetition (the same computation is needed in files_icv.c).
+ *
+ * @param ctx pointer to uta context object
+ * @param data pointer to data from which the ICV will be calculated
+ * @param data_len size of data from which the ICV will be calculated
+ * @param key_dv The derivation value for key for which the ICV is calculated
+ * @param mac Pointer to a buffer where the resulting ICV will be stored. This buffer must be at least
+ * ICV_LEN16 in size.
+ * @return true if calculating the ICV is successful, false otherwise
+ */
+bool UTIL_calculate_icv_impl(uta_ctx* ctx, const unsigned char* data, const size_t data_len, const char* key_dv,
+                             unsigned char* mac);
+
 #endif /* SECUTILS_UTIL_H_ */