18 #include <sys/types.h> 19 #ifdef HAVE_SYS_SOCKET_H 20 #include <sys/socket.h> 27 #include <openssl/ssl.h> 28 #include <openssl/err.h> 29 #include <openssl/x509v3.h> 34 uint16_t port, ldns_dane_transport transport)
39 assert(tlsa_owner != NULL);
44 buf[0] = (char)(s - 1);
47 case LDNS_DANE_TRANSPORT_TCP:
51 case LDNS_DANE_TRANSPORT_UDP:
55 case LDNS_DANE_TRANSPORT_SCTP:
68 if (*tlsa_owner == NULL) {
78 ldns_tlsa_selector selector,
79 ldns_tlsa_matching_type matching_type)
81 unsigned char* buf = NULL;
87 unsigned char* digest;
93 case LDNS_TLSA_SELECTOR_FULL_CERTIFICATE:
95 len = (size_t)i2d_X509(cert, &buf);
98 case LDNS_TLSA_SELECTOR_SUBJECTPUBLICKEYINFO:
101 xpubkey = X509_get_X509_PUBKEY(cert);
106 epubkey = X509_PUBKEY_get(xpubkey);
110 len = (size_t)i2d_PUBKEY(epubkey, &buf);
117 switch(matching_type) {
118 case LDNS_TLSA_MATCHING_TYPE_NO_HASH_USED:
125 case LDNS_TLSA_MATCHING_TYPE_SHA256:
128 if (digest == NULL) {
132 (void)
ldns_sha256(buf, (
unsigned int)len, digest);
140 case LDNS_TLSA_MATCHING_TYPE_SHA512:
143 if (digest == NULL) {
147 (void)
ldns_sha512(buf, (
unsigned int)len, digest);
166 ldns_dane_pkix_validate(X509* cert, STACK_OF(X509)* extra_certs,
169 X509_STORE_CTX* vrfy_ctx;
175 vrfy_ctx = X509_STORE_CTX_new();
180 }
else if (X509_STORE_CTX_init(vrfy_ctx, store,
181 cert, extra_certs) != 1) {
184 }
else if (X509_verify_cert(vrfy_ctx) == 1) {
191 X509_STORE_CTX_free(vrfy_ctx);
200 ldns_dane_pkix_validate_and_get_chain(STACK_OF(X509)** chain, X509* cert,
201 STACK_OF(X509)* extra_certs, X509_STORE* store)
204 X509_STORE* empty_store = NULL;
205 X509_STORE_CTX* vrfy_ctx;
207 assert(chain != NULL);
210 store = empty_store = X509_STORE_new();
213 vrfy_ctx = X509_STORE_CTX_new();
216 goto exit_free_empty_store;
218 }
else if (X509_STORE_CTX_init(vrfy_ctx, store,
219 cert, extra_certs) != 1) {
220 goto exit_free_vrfy_ctx;
222 }
else if (X509_verify_cert(vrfy_ctx) == 1) {
229 *chain = X509_STORE_CTX_get1_chain(vrfy_ctx);
235 X509_STORE_CTX_free(vrfy_ctx);
237 exit_free_empty_store:
239 X509_STORE_free(empty_store);
248 ldns_dane_pkix_get_chain(STACK_OF(X509)** chain,
249 X509* cert, STACK_OF(X509)* extra_certs)
252 X509_STORE* empty_store = NULL;
253 X509_STORE_CTX* vrfy_ctx;
255 assert(chain != NULL);
257 empty_store = X509_STORE_new();
259 vrfy_ctx = X509_STORE_CTX_new();
262 goto exit_free_empty_store;
264 }
else if (X509_STORE_CTX_init(vrfy_ctx, empty_store,
265 cert, extra_certs) != 1) {
266 goto exit_free_vrfy_ctx;
268 (void) X509_verify_cert(vrfy_ctx);
269 *chain = X509_STORE_CTX_get1_chain(vrfy_ctx);
276 X509_STORE_CTX_free(vrfy_ctx);
278 exit_free_empty_store:
279 X509_STORE_free(empty_store);
287 ldns_dane_get_nth_cert_from_validation_chain(
288 X509** cert, STACK_OF(X509)* chain,
int n,
bool ca)
290 if (n >= sk_X509_num(chain) || n < 0) {
293 *cert = sk_X509_pop(chain);
296 *cert = sk_X509_pop(chain);
298 if (ca && ! X509_check_ca(*cert)) {
309 ldns_dane_pkix_get_last_self_signed(X509** out_cert,
310 X509* cert, STACK_OF(X509)* extra_certs)
313 X509_STORE* empty_store = NULL;
314 X509_STORE_CTX* vrfy_ctx;
316 assert(out_cert != NULL);
318 empty_store = X509_STORE_new();
320 vrfy_ctx = X509_STORE_CTX_new();
322 goto exit_free_empty_store;
324 }
else if (X509_STORE_CTX_init(vrfy_ctx, empty_store,
325 cert, extra_certs) != 1) {
326 goto exit_free_vrfy_ctx;
329 (void) X509_verify_cert(vrfy_ctx);
330 if (vrfy_ctx->error == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN ||
331 vrfy_ctx->error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT){
333 *out_cert = X509_STORE_CTX_get_current_cert( vrfy_ctx);
339 X509_STORE_CTX_free(vrfy_ctx);
341 exit_free_empty_store:
342 X509_STORE_free(empty_store);
349 X509* cert, STACK_OF(X509)* extra_certs,
350 X509_STORE* pkix_validation_store,
351 ldns_tlsa_certificate_usage cert_usage,
int offset)
354 STACK_OF(X509)* pkix_validation_chain = NULL;
356 assert(selected_cert != NULL);
357 assert(cert != NULL);
364 if (pkix_validation_store == NULL) {
365 switch (cert_usage) {
367 case LDNS_TLSA_USAGE_CA_CONSTRAINT:
369 cert_usage = LDNS_TLSA_USAGE_TRUST_ANCHOR_ASSERTION;
372 case LDNS_TLSA_USAGE_SERVICE_CERTIFICATE_CONSTRAINT:
374 cert_usage = LDNS_TLSA_USAGE_DOMAIN_ISSUED_CERTIFICATE;
384 switch (cert_usage) {
386 case LDNS_TLSA_USAGE_CA_CONSTRAINT:
388 s = ldns_dane_pkix_validate_and_get_chain(
389 &pkix_validation_chain,
391 pkix_validation_store);
392 if (! pkix_validation_chain) {
399 s = ldns_dane_get_nth_cert_from_validation_chain(
400 selected_cert, pkix_validation_chain,
403 sk_X509_pop_free(pkix_validation_chain, X509_free);
408 case LDNS_TLSA_USAGE_SERVICE_CERTIFICATE_CONSTRAINT:
410 *selected_cert = cert;
411 return ldns_dane_pkix_validate(cert, extra_certs,
412 pkix_validation_store);
416 case LDNS_TLSA_USAGE_TRUST_ANCHOR_ASSERTION:
419 s = ldns_dane_pkix_get_last_self_signed(
420 selected_cert, cert, extra_certs);
423 s = ldns_dane_pkix_get_chain(
424 &pkix_validation_chain,
428 ldns_dane_get_nth_cert_from_validation_chain(
429 selected_cert, pkix_validation_chain,
431 }
else if (! pkix_validation_chain) {
434 sk_X509_pop_free(pkix_validation_chain, X509_free);
440 case LDNS_TLSA_USAGE_DOMAIN_ISSUED_CERTIFICATE:
442 *selected_cert = cert;
455 ldns_tlsa_certificate_usage certificate_usage,
456 ldns_tlsa_selector selector,
457 ldns_tlsa_matching_type matching_type,
463 assert(tlsa != NULL);
464 assert(cert != NULL);
473 (uint8_t)certificate_usage);
511 ldns_dane_filter_unusable_records(
const ldns_rr_list* tlsas)
541 ldns_dane_match_cert_with_data(X509* cert, ldns_tlsa_selector selector,
542 ldns_tlsa_matching_type matching_type,
ldns_rdf* data)
563 ldns_dane_match_any_cert_with_data(STACK_OF(X509)* chain,
564 ldns_tlsa_selector selector,
565 ldns_tlsa_matching_type matching_type,
572 n = (size_t)sk_X509_num(chain);
573 for (i = 0; i < n; i++) {
574 cert = sk_X509_pop(chain);
579 s = ldns_dane_match_cert_with_data(cert,
580 selector, matching_type, data);
598 X509* cert, STACK_OF(X509)* extra_certs,
599 X509_STORE* pkix_validation_store)
603 STACK_OF(X509)* pkix_validation_chain = NULL;
605 ldns_tlsa_certificate_usage cert_usage;
606 ldns_tlsa_selector selector;
607 ldns_tlsa_matching_type matching_type;
613 return ldns_dane_pkix_validate(cert, extra_certs,
614 pkix_validation_store);
621 switch (cert_usage) {
622 case LDNS_TLSA_USAGE_CA_CONSTRAINT:
623 s = ldns_dane_pkix_validate_and_get_chain(
624 &pkix_validation_chain,
626 pkix_validation_store);
627 if (! pkix_validation_chain) {
639 s = ldns_dane_match_any_cert_with_data(
640 pkix_validation_chain,
641 selector, matching_type, data,
true);
654 s = ldns_dane_match_any_cert_with_data(
655 pkix_validation_chain,
656 selector, matching_type, data,
true);
658 sk_X509_pop_free(pkix_validation_chain, X509_free);
662 case LDNS_TLSA_USAGE_SERVICE_CERTIFICATE_CONSTRAINT:
663 s = ldns_dane_match_cert_with_data(cert,
664 selector, matching_type, data);
667 return ldns_dane_pkix_validate(cert, extra_certs,
668 pkix_validation_store);
673 case LDNS_TLSA_USAGE_TRUST_ANCHOR_ASSERTION:
674 s = ldns_dane_pkix_get_chain(&pkix_validation_chain,
678 s = ldns_dane_match_any_cert_with_data(
679 pkix_validation_chain,
680 selector, matching_type, data,
false);
682 }
else if (! pkix_validation_chain) {
685 sk_X509_pop_free(pkix_validation_chain, X509_free);
689 case LDNS_TLSA_USAGE_DOMAIN_ISSUED_CERTIFICATE:
690 return ldns_dane_match_cert_with_data(cert,
691 selector, matching_type, data);
703 X509* cert, STACK_OF(X509)* extra_certs,
704 X509_STORE* pkix_validation_store)
710 assert(cert != NULL);
713 tlsas = ldns_dane_filter_unusable_records(tlsas);
721 return ldns_dane_pkix_validate(cert, extra_certs,
722 pkix_validation_store);
728 pkix_validation_store);
739 s = (s > ps ? s : ps);
ldns_rdf * ldns_rr_rdf(const ldns_rr *rr, size_t nr)
returns the rdata field member counter.
ldns_rdf * ldns_rr_set_rdf(ldns_rr *rr, const ldns_rdf *f, size_t position)
sets a rdf member, it will be set on the position given.
#define LDNS_SHA512_DIGEST_LENGTH
bool ldns_rr_list_push_rr(ldns_rr_list *rr_list, const ldns_rr *rr)
pushes an rr to an rrlist.
List or Set of Resource Records.
uint8_t ldns_rdf2native_int8(const ldns_rdf *rd)
returns the native uint8_t representation from the rdf.
#define LDNS_XMALLOC(type, count)
size_t ldns_rdf_size(const ldns_rdf *rd)
returns the size of the rdf.
#define LDNS_SHA256_DIGEST_LENGTH
ldns_rr * ldns_rr_new_frm_type(ldns_rr_type t)
creates a new rr structure, based on the given type.
size_t ldns_rr_rd_count(const ldns_rr *rr)
returns the rd_count of an rr structure.
void ldns_rr_free(ldns_rr *rr)
frees an RR structure
unsigned char * ldns_sha256(unsigned char *data, unsigned int data_len, unsigned char *digest)
Convenience function to digest a fixed block of data at once.
void ldns_rr_list_free(ldns_rr_list *rr_list)
frees an rr_list structure.
ldns_status ldns_dane_create_tlsa_rr(ldns_rr **tlsa, ldns_tlsa_certificate_usage certificate_usage, ldns_tlsa_selector selector, ldns_tlsa_matching_type matching_type, X509 *cert)
void ldns_rdf_free(ldns_rdf *rd)
frees a rdf structure, leaving the data pointer intact.
This module contains base functions for creating and verifying TLSA RR's with PKIX certificates...
Including this file will include all ldns files, and define some lookup tables.
ldns_rdf * ldns_native2rdf_int8(ldns_rdf_type type, uint8_t value)
returns the rdf containing the native uint8_t repr.
uint8_t * ldns_rdf_data(const ldns_rdf *rd)
returns the data of the rdf.
ldns_rr * ldns_rr_list_rr(const ldns_rr_list *rr_list, size_t nr)
returns a specific rr of an rrlist.
#define LDNS_MAX_DOMAINLEN
Maximum length of a complete dname.
ldns_status ldns_dane_cert2rdf(ldns_rdf **rdf, X509 *cert, ldns_tlsa_selector selector, ldns_tlsa_matching_type matching_type)
unsigned char * ldns_sha512(unsigned char *data, unsigned int data_len, unsigned char *digest)
Convenience function to digest a fixed block of data at once.
ldns_rr_list * ldns_rr_list_new(void)
creates a new rr_list structure.
ldns_status ldns_dane_verify(ldns_rr_list *tlsas, X509 *cert, STACK_OF(X509)*extra_certs, X509_STORE *pkix_validation_store)
ldns_rdf_type ldns_rdf_get_type(const ldns_rdf *rd)
returns the type of the rdf.
ldns_rr_type ldns_rr_get_type(const ldns_rr *rr)
returns the type of the rr.
ldns_status ldns_dane_create_tlsa_owner(ldns_rdf **tlsa_owner, const ldns_rdf *name, uint16_t port, ldns_dane_transport transport)
ldns_status ldns_dane_verify_rr(const ldns_rr *tlsa_rr, X509 *cert, STACK_OF(X509)*extra_certs, X509_STORE *pkix_validation_store)
enum ldns_enum_status ldns_status
ldns_rdf * ldns_rdf_new_frm_data(ldns_rdf_type type, size_t size, const void *data)
allocates a new rdf structure and fills it.
ldns_rdf * ldns_rdf_new(ldns_rdf_type type, size_t size, void *data)
allocates a new rdf structure and fills it.
Resource record data field.
size_t ldns_rr_list_rr_count(const ldns_rr_list *rr_list)
returns the number of rr's in an rr_list.
int ldns_rdf_compare(const ldns_rdf *rd1, const ldns_rdf *rd2)
compares two rdf's on their wire formats.
ldns_status ldns_dane_select_certificate(X509 **selected_cert, X509 *cert, STACK_OF(X509)*extra_certs, X509_STORE *pkix_validation_store, ldns_tlsa_certificate_usage cert_usage, int offset)