diff --git a/Userland/Libraries/LibTLS/CMakeLists.txt b/Userland/Libraries/LibTLS/CMakeLists.txt index 21dcdce4d2..a9fbae4089 100644 --- a/Userland/Libraries/LibTLS/CMakeLists.txt +++ b/Userland/Libraries/LibTLS/CMakeLists.txt @@ -1,6 +1,7 @@ add_compile_options(-Wvla) set(SOURCES + Certificate.cpp ClientHandshake.cpp Exchange.cpp Handshake.cpp diff --git a/Userland/Libraries/LibTLS/Certificate.cpp b/Userland/Libraries/LibTLS/Certificate.cpp new file mode 100644 index 0000000000..457e7dd20c --- /dev/null +++ b/Userland/Libraries/LibTLS/Certificate.cpp @@ -0,0 +1,479 @@ +/* + * Copyright (c) 2020, Ali Mohammad Pur + * + * SPDX-License-Identifier: BSD-2-Clause + */ + +#include "Certificate.h" +#include +#include +#include +#include + +namespace TLS { + +constexpr static Array + common_name_oid { 2, 5, 4, 3 }, + country_name_oid { 2, 5, 4, 6 }, + locality_name_oid { 2, 5, 4, 7 }, + organization_name_oid { 2, 5, 4, 10 }, + organizational_unit_name_oid { 2, 5, 4, 11 }; + +constexpr static Array + rsa_encryption_oid { 1, 2, 840, 113549, 1, 1, 1 }, + rsa_md5_encryption_oid { 1, 2, 840, 113549, 1, 1, 4 }, + rsa_sha1_encryption_oid { 1, 2, 840, 113549, 1, 1, 5 }, + rsa_sha256_encryption_oid { 1, 2, 840, 113549, 1, 1, 11 }, + rsa_sha512_encryption_oid { 1, 2, 840, 113549, 1, 1, 13 }; + +constexpr static Array + subject_alternative_name_oid { 2, 5, 29, 17 }; + +Optional Certificate::parse_asn1(ReadonlyBytes buffer, bool) +{ +#define ENTER_SCOPE_WITHOUT_TYPECHECK(scope) \ + do { \ + if (auto result = decoder.enter(); result.has_value()) { \ + dbgln_if(TLS_DEBUG, "Failed to enter object (" scope "): {}", result.value()); \ + return {}; \ + } \ + } while (0) + +#define ENTER_SCOPE_OR_FAIL(kind_name, scope) \ + do { \ + if (auto tag = decoder.peek(); tag.is_error() || tag.value().kind != Crypto::ASN1::Kind::kind_name) { \ + if constexpr (TLS_DEBUG) { \ + if (tag.is_error()) \ + dbgln(scope " data was invalid: {}", tag.error()); \ + else \ + dbgln(scope " data was not of kind " #kind_name); \ + } \ + return {}; \ + } \ + ENTER_SCOPE_WITHOUT_TYPECHECK(scope); \ + } while (0) + +#define EXIT_SCOPE(scope) \ + do { \ + if (auto error = decoder.leave(); error.has_value()) { \ + dbgln_if(TLS_DEBUG, "Error while exiting scope " scope ": {}", error.value()); \ + return {}; \ + } \ + } while (0) + +#define ENSURE_OBJECT_KIND(_kind_name, scope) \ + do { \ + if (auto tag = decoder.peek(); tag.is_error() || tag.value().kind != Crypto::ASN1::Kind::_kind_name) { \ + if constexpr (TLS_DEBUG) { \ + if (tag.is_error()) \ + dbgln(scope " data was invalid: {}", tag.error()); \ + else \ + dbgln(scope " data was not of kind " #_kind_name ", it was {}", Crypto::ASN1::kind_name(tag.value().kind)); \ + } \ + return {}; \ + } \ + } while (0) + +#define READ_OBJECT_OR_FAIL(kind_name, type_name, value_name, scope) \ + auto value_name##_result = decoder.read(Crypto::ASN1::Class::Universal, Crypto::ASN1::Kind::kind_name); \ + if (value_name##_result.is_error()) { \ + dbgln_if(TLS_DEBUG, scope " read of kind " #kind_name " failed: {}", value_name##_result.error()); \ + return {}; \ + } \ + auto value_name = value_name##_result.release_value(); + +#define DROP_OBJECT_OR_FAIL(scope) \ + do { \ + if (auto error = decoder.drop(); error.has_value()) { \ + dbgln_if(TLS_DEBUG, scope " read failed: {}", error.value()); \ + } \ + } while (0) + + Certificate certificate; + Crypto::ASN1::Decoder decoder { buffer }; + // Certificate ::= Sequence { + // certificate TBSCertificate, + // signature_algorithm AlgorithmIdentifier, + // signature_value BitString + // } + ENTER_SCOPE_OR_FAIL(Sequence, "Certificate"); + + // TBSCertificate ::= Sequence { + // version (0) EXPLICIT Version DEFAULT v1, + // serial_number CertificateSerialNumber, + // signature AlgorithmIdentifier, + // issuer Name, + // validity Validity, + // subject Name, + // subject_public_key_info SubjectPublicKeyInfo, + // issuer_unique_id (1) IMPLICIT UniqueIdentifer OPTIONAL (if present, version > v1), + // subject_unique_id (2) IMPLICIT UniqueIdentiier OPTIONAL (if present, version > v1), + // extensions (3) EXPLICIT Extensions OPTIONAL (if present, version > v2) + // } + ENTER_SCOPE_OR_FAIL(Sequence, "Certificate::TBSCertificate"); + + // version + { + // Version :: Integer { v1(0), v2(1), v3(2) } (Optional) + if (auto tag = decoder.peek(); !tag.is_error() && tag.value().type == Crypto::ASN1::Type::Constructed) { + ENTER_SCOPE_WITHOUT_TYPECHECK("Certificate::version"); + READ_OBJECT_OR_FAIL(Integer, Crypto::UnsignedBigInteger, value, "Certificate::version"); + if (!(value < 3)) { + dbgln_if(TLS_DEBUG, "Certificate::version Invalid value for version: {}", value.to_base10()); + return {}; + } + certificate.version = value.words()[0]; + EXIT_SCOPE("Certificate::version"); + } else { + certificate.version = 0; + } + } + + // serial_number + { + // CertificateSerialNumber :: Integer + READ_OBJECT_OR_FAIL(Integer, Crypto::UnsignedBigInteger, value, "Certificate::serial_number"); + certificate.serial_number = move(value); + } + + auto parse_algorithm_identifier = [&](CertificateKeyAlgorithm& field) -> Optional { + // AlgorithmIdentifier ::= Sequence { + // algorithm ObjectIdentifier, + // parameters ANY OPTIONAL + // } + ENTER_SCOPE_OR_FAIL(Sequence, "AlgorithmIdentifier"); + READ_OBJECT_OR_FAIL(ObjectIdentifier, Vector, identifier, "AlgorithmIdentifier::algorithm"); + if (identifier == rsa_encryption_oid) + field = CertificateKeyAlgorithm ::RSA_RSA; + else if (identifier == rsa_md5_encryption_oid) + field = CertificateKeyAlgorithm ::RSA_MD5; + else if (identifier == rsa_sha1_encryption_oid) + field = CertificateKeyAlgorithm ::RSA_SHA1; + else if (identifier == rsa_sha256_encryption_oid) + field = CertificateKeyAlgorithm ::RSA_SHA256; + else if (identifier == rsa_sha512_encryption_oid) + field = CertificateKeyAlgorithm ::RSA_SHA512; + else + return {}; + + EXIT_SCOPE("AlgorithmIdentifier"); + return true; + }; + + // signature + { + if (!parse_algorithm_identifier(certificate.algorithm).has_value()) + return {}; + } + + auto parse_name = [&](auto& name_struct) -> Optional { + // Name ::= Choice { + // rdn_sequence RDNSequence + // } // NOTE: since this is the only alternative, there's no index + // RDNSequence ::= Sequence OF RelativeDistinguishedName + ENTER_SCOPE_OR_FAIL(Sequence, "Certificate::TBSCertificate::issuer/subject"); + + // RelativeDistinguishedName ::= Set OF AttributeTypeAndValue + // AttributeTypeAndValue ::= Sequence { + // type AttributeType, + // value AttributeValue + // } + // AttributeType ::= ObjectIdentifier + // AttributeValue ::= Any + while (!decoder.eof()) { + // Parse only the the required fields, and ignore the rest. + ENTER_SCOPE_OR_FAIL(Set, "Certificate::TBSCertificate::issuer/subject::$::RelativeDistinguishedName"); + while (!decoder.eof()) { + ENTER_SCOPE_OR_FAIL(Sequence, "Certificate::TBSCertificate::issuer/subject::$::RelativeDistinguishedName::$::AttributeTypeAndValue"); + ENSURE_OBJECT_KIND(ObjectIdentifier, "Certificate::TBSCertificate::issuer/subject::$::RelativeDistinguishedName::$::AttributeTypeAndValue::type"); + + if (auto type_identifier_or_error = decoder.read>(); !type_identifier_or_error.is_error()) { + // Figure out what type of identifier this is + auto& identifier = type_identifier_or_error.value(); + if (identifier == common_name_oid) { + READ_OBJECT_OR_FAIL(PrintableString, StringView, name, + "Certificate::TBSCertificate::issuer/subject::$::RelativeDistinguishedName::$::AttributeTypeAndValue::Value"); + name_struct.subject = name; + } else if (identifier == country_name_oid) { + READ_OBJECT_OR_FAIL(PrintableString, StringView, name, + "Certificate::TBSCertificate::issuer/subject::$::RelativeDistinguishedName::$::AttributeTypeAndValue::Value"); + name_struct.country = name; + } else if (identifier == locality_name_oid) { + READ_OBJECT_OR_FAIL(PrintableString, StringView, name, + "Certificate::TBSCertificate::issuer/subject::$::RelativeDistinguishedName::$::AttributeTypeAndValue::Value"); + name_struct.location = name; + } else if (identifier == organization_name_oid) { + READ_OBJECT_OR_FAIL(PrintableString, StringView, name, + "Certificate::TBSCertificate::issuer/subject::$::RelativeDistinguishedName::$::AttributeTypeAndValue::Value"); + name_struct.entity = name; + } else if (identifier == organizational_unit_name_oid) { + READ_OBJECT_OR_FAIL(PrintableString, StringView, name, + "Certificate::TBSCertificate::issuer/subject::$::RelativeDistinguishedName::$::AttributeTypeAndValue::Value"); + name_struct.unit = name; + } + } else { + dbgln_if(TLS_DEBUG, "Certificate::TBSCertificate::issuer/subject::$::RelativeDistinguishedName::$::AttributeTypeAndValue::type data was invalid: {}", type_identifier_or_error.error()); + return {}; + } + + EXIT_SCOPE("Certificate::TBSCertificate::issuer/subject::$::RelativeDistinguishedName::$::AttributeTypeAndValue"); + } + EXIT_SCOPE("Certificate::TBSCertificate::issuer/subject::$::RelativeDistinguishedName"); + } + + EXIT_SCOPE("Certificate::TBSCertificate::issuer/subject"); + return true; + }; + + // issuer + { + if (!parse_name(certificate.issuer).has_value()) + return {}; + } + + // validity + { + ENTER_SCOPE_OR_FAIL(Sequence, "Certificate::TBSCertificate::Validity"); + + auto parse_time = [&](Core::DateTime& datetime) -> Optional { + // Time ::= Choice { + // utc_time UTCTime, + // general_time GeneralizedTime + // } + auto tag = decoder.peek(); + if (tag.is_error()) { + dbgln_if(1, "Certificate::TBSCertificate::Validity::$::Time failed to read tag: {}", tag.error()); + return {}; + }; + + if (tag.value().kind == Crypto::ASN1::Kind::UTCTime) { + READ_OBJECT_OR_FAIL(UTCTime, StringView, time, "Certificate::TBSCertificate::Validity::$"); + auto result = Crypto::ASN1::parse_utc_time(time); + if (!result.has_value()) { + dbgln_if(1, "Certificate::TBSCertificate::Validity::$::Time Invalid UTC Time: {}", time); + return {}; + } + datetime = result.release_value(); + return true; + } + + if (tag.value().kind == Crypto::ASN1::Kind::GeneralizedTime) { + READ_OBJECT_OR_FAIL(UTCTime, StringView, time, "Certificate::TBSCertificate::Validity::$"); + auto result = Crypto::ASN1::parse_generalized_time(time); + if (!result.has_value()) { + dbgln_if(1, "Certificate::TBSCertificate::Validity::$::Time Invalid Generalized Time: {}", time); + return {}; + } + datetime = result.release_value(); + return true; + } + + dbgln_if(1, "Unrecognised Time format {}", Crypto::ASN1::kind_name(tag.value().kind)); + return {}; + }; + + if (!parse_time(certificate.not_before).has_value()) + return {}; + + if (!parse_time(certificate.not_after).has_value()) + return {}; + + EXIT_SCOPE("Certificate::TBSCertificate::Validity"); + } + + // subject + { + if (!parse_name(certificate.subject).has_value()) + return {}; + } + + // subject_public_key_info + { + // SubjectPublicKeyInfo ::= Sequence { + // algorithm AlgorithmIdentifier, + // subject_public_key BitString + // } + ENTER_SCOPE_OR_FAIL(Sequence, "Certificate::TBSCertificate::subject_public_key_info"); + + if (!parse_algorithm_identifier(certificate.key_algorithm).has_value()) + return {}; + + READ_OBJECT_OR_FAIL(BitString, const BitmapView, value, "Certificate::TBSCertificate::subject_public_key_info::subject_public_key_info"); + // Note: Once we support other kinds of keys, make sure to check the kind here! + auto key = Crypto::PK::RSA::parse_rsa_key({ value.data(), value.size_in_bytes() }); + if (!key.public_key.length()) { + dbgln_if(TLS_DEBUG, "Certificate::TBSCertificate::subject_public_key_info::subject_public_key_info: Invalid key"); + return {}; + } + certificate.public_key = move(key.public_key); + EXIT_SCOPE("Certificate::TBSCertificate::subject_public_key_info"); + } + + auto parse_unique_identifier = [&]() -> Optional { + if (certificate.version == 0) + return true; + + auto tag = decoder.peek(); + if (tag.is_error()) { + dbgln_if(TLS_DEBUG, "Certificate::TBSCertificate::*::UniqueIdentifier could not read tag: {}", tag.error()); + return {}; + } + + // The spec says to just ignore these. + if (static_cast(tag.value().kind) == 1 || static_cast(tag.value().kind) == 2) + DROP_OBJECT_OR_FAIL("UniqueIdentifier"); + + return true; + }; + + // issuer_unique_identifier + { + if (!parse_unique_identifier().has_value()) + return {}; + } + + // subject_unique_identifier + { + if (!parse_unique_identifier().has_value()) + return {}; + } + + // extensions + { + if (certificate.version == 2) { + auto tag = decoder.peek(); + if (tag.is_error()) { + dbgln_if(TLS_DEBUG, "Certificate::TBSCertificate::*::UniqueIdentifier could not read tag: {}", tag.error()); + return {}; + } + if (static_cast(tag.value().kind) == 3) { + // Extensions ::= Sequence OF Extension + // Extension ::= Sequence { + // extension_id ObjectIdentifier, + // critical Boolean DEFAULT false, + // extension_value OctetString (DER-encoded) + // } + ENTER_SCOPE_WITHOUT_TYPECHECK("Certificate::TBSCertificate::Extensions(IMPLICIT)"); + ENTER_SCOPE_OR_FAIL(Sequence, "Certificate::TBSCertificate::Extensions"); + + while (!decoder.eof()) { + ENTER_SCOPE_OR_FAIL(Sequence, "Certificate::TBSCertificate::Extensions::$::Extension"); + READ_OBJECT_OR_FAIL(ObjectIdentifier, Vector, extension_id, "Certificate::TBSCertificate::Extensions::$::Extension::extension_id"); + bool is_critical = false; + if (auto tag = decoder.peek(); !tag.is_error() && tag.value().kind == Crypto::ASN1::Kind::Boolean) { + // Read the 'critical' property + READ_OBJECT_OR_FAIL(Boolean, bool, critical, "Certificate::TBSCertificate::Extensions::$::Extension::critical"); + is_critical = critical; + } + READ_OBJECT_OR_FAIL(OctetString, StringView, extension_value, "Certificate::TBSCertificate::Extensions::$::Extension::extension_value"); + + // Figure out what this extension is. + if (extension_id == subject_alternative_name_oid) { + Crypto::ASN1::Decoder decoder { extension_value.bytes() }; + // SubjectAlternativeName ::= GeneralNames + // GeneralNames ::= Sequence OF GeneralName + // GeneralName ::= CHOICE { + // other_name (0) OtherName, + // rfc_822_name (1) IA5String, + // dns_name (2) IA5String, + // x400Address (3) ORAddress, + // directory_name (4) Name, + // edi_party_name (5) EDIPartyName, + // uri (6) IA5String, + // ip_address (7) OctetString, + // registered_id (8) ObjectIdentifier, + // } + ENTER_SCOPE_OR_FAIL(Sequence, "Certificate::TBSCertificate::Extensions::$::Extension::extension_value::SubjectAlternativeName"); + + while (!decoder.eof()) { + auto tag = decoder.peek(); + if (tag.is_error()) { + dbgln_if(TLS_DEBUG, "Certificate::TBSCertificate::Extensions::$::Extension::extension_value::SubjectAlternativeName::$ could not read tag: {}", tag.error()); + return {}; + } + + auto tag_value = static_cast(tag.value().kind); + switch (tag_value) { + case 0: + // OtherName + // We don't know how to use this. + DROP_OBJECT_OR_FAIL("Certificate::TBSCertificate::Extensions::$::Extension::extension_value::SubjectAlternativeName::$::OtherName"); + break; + case 1: + // RFC 822 name + // We don't know how to use this. + DROP_OBJECT_OR_FAIL("Certificate::TBSCertificate::Extensions::$::Extension::extension_value::SubjectAlternativeName::$::RFC822Name"); + break; + case 2: { + // DNS Name + READ_OBJECT_OR_FAIL(IA5String, StringView, name, "Certificate::TBSCertificate::Extensions::$::Extension::extension_value::SubjectAlternativeName::$::DNSName"); + certificate.SAN.append(name); + break; + } + case 3: + // x400Address + // We don't know how to use this. + DROP_OBJECT_OR_FAIL("Certificate::TBSCertificate::Extensions::$::Extension::extension_value::SubjectAlternativeName::$::X400Adress"); + break; + case 4: + // Directory name + // We don't know how to use this. + DROP_OBJECT_OR_FAIL("Certificate::TBSCertificate::Extensions::$::Extension::extension_value::SubjectAlternativeName::$::DirectoryName"); + break; + case 5: + // edi party name + // We don't know how to use this. + DROP_OBJECT_OR_FAIL("Certificate::TBSCertificate::Extensions::$::Extension::extension_value::SubjectAlternativeName::$::EDIPartyName"); + break; + case 6: { + // URI + READ_OBJECT_OR_FAIL(IA5String, StringView, name, "Certificate::TBSCertificate::Extensions::$::Extension::extension_value::SubjectAlternativeName::$::URI"); + certificate.SAN.append(name); + break; + } + case 7: + // IP Address + // We can't handle these. + DROP_OBJECT_OR_FAIL("Certificate::TBSCertificate::Extensions::$::Extension::extension_value::SubjectAlternativeName::$::IPAddress"); + break; + case 8: + // Registered ID + // We can't handle these. + DROP_OBJECT_OR_FAIL("Certificate::TBSCertificate::Extensions::$::Extension::extension_value::SubjectAlternativeName::$::RegisteredID"); + break; + default: + dbgln_if(TLS_DEBUG, "Unknown tag in SAN choice {}", tag_value); + if (is_critical) + return {}; + else + DROP_OBJECT_OR_FAIL("Certificate::TBSCertificate::Extensions::$::Extension::extension_value::SubjectAlternativeName::$::???"); + } + } + } + + EXIT_SCOPE("Certificate::TBSCertificate::Extensions::$::Extension"); + } + + EXIT_SCOPE("Certificate::TBSCertificate::Extensions"); + EXIT_SCOPE("Certificate::TBSCertificate::Extensions(IMPLICIT)"); + } + } + } + + // Just ignore the rest of the data for now. + EXIT_SCOPE("Certificate::TBSCertificate"); + EXIT_SCOPE("Certificate"); + + dbgln_if(TLS_DEBUG, "Certificate issued for {} by {}", certificate.subject.subject, certificate.issuer.subject); + + return certificate; + +#undef DROP_OBJECT_OR_FAIL +#undef ENSURE_OBJECT_KIND +#undef ENTER_SCOPE_OR_FAIL +#undef ENTER_SCOPE_WITHOUT_TYPECHECK +#undef EXIT_SCOPE +#undef READ_OBJECT_OR_FAIL +} + +} diff --git a/Userland/Libraries/LibTLS/Certificate.h b/Userland/Libraries/LibTLS/Certificate.h index f5e31ed820..2810b3ac4f 100644 --- a/Userland/Libraries/LibTLS/Certificate.h +++ b/Userland/Libraries/LibTLS/Certificate.h @@ -8,6 +8,7 @@ #include #include +#include #include #include #include @@ -25,7 +26,8 @@ enum class CertificateKeyAlgorithm { RSA_SHA512 = 0x0d, }; -struct Certificate { +class Certificate { +public: u16 version { 0 }; CertificateKeyAlgorithm algorithm { CertificateKeyAlgorithm::Unsupported }; CertificateKeyAlgorithm key_algorithm { CertificateKeyAlgorithm::Unsupported }; @@ -51,6 +53,8 @@ struct Certificate { ByteBuffer der {}; ByteBuffer data {}; + static Optional parse_asn1(ReadonlyBytes, bool client_cert = false); + bool is_valid() const; }; diff --git a/Userland/Libraries/LibTLS/TLSv12.cpp b/Userland/Libraries/LibTLS/TLSv12.cpp index 9cb927bf30..796232273c 100644 --- a/Userland/Libraries/LibTLS/TLSv12.cpp +++ b/Userland/Libraries/LibTLS/TLSv12.cpp @@ -12,7 +12,6 @@ #include #include #include -#include #include #include #include @@ -24,470 +23,6 @@ namespace TLS { -constexpr static Array - common_name_oid { 2, 5, 4, 3 }, - country_name_oid { 2, 5, 4, 6 }, - locality_name_oid { 2, 5, 4, 7 }, - organization_name_oid { 2, 5, 4, 10 }, - organizational_unit_name_oid { 2, 5, 4, 11 }; - -constexpr static Array - rsa_encryption_oid { 1, 2, 840, 113549, 1, 1, 1 }, - rsa_md5_encryption_oid { 1, 2, 840, 113549, 1, 1, 4 }, - rsa_sha1_encryption_oid { 1, 2, 840, 113549, 1, 1, 5 }, - rsa_sha256_encryption_oid { 1, 2, 840, 113549, 1, 1, 11 }, - rsa_sha512_encryption_oid { 1, 2, 840, 113549, 1, 1, 13 }; - -constexpr static Array - subject_alternative_name_oid { 2, 5, 29, 17 }; - -Optional TLSv12::parse_asn1(ReadonlyBytes buffer, bool) const -{ -#define ENTER_SCOPE_WITHOUT_TYPECHECK(scope) \ - do { \ - if (auto result = decoder.enter(); result.has_value()) { \ - dbgln_if(TLS_DEBUG, "Failed to enter object (" scope "): {}", result.value()); \ - return {}; \ - } \ - } while (0) - -#define ENTER_SCOPE_OR_FAIL(kind_name, scope) \ - do { \ - if (auto tag = decoder.peek(); tag.is_error() || tag.value().kind != Crypto::ASN1::Kind::kind_name) { \ - if constexpr (TLS_DEBUG) { \ - if (tag.is_error()) \ - dbgln(scope " data was invalid: {}", tag.error()); \ - else \ - dbgln(scope " data was not of kind " #kind_name); \ - } \ - return {}; \ - } \ - ENTER_SCOPE_WITHOUT_TYPECHECK(scope); \ - } while (0) - -#define EXIT_SCOPE(scope) \ - do { \ - if (auto error = decoder.leave(); error.has_value()) { \ - dbgln_if(TLS_DEBUG, "Error while exiting scope " scope ": {}", error.value()); \ - return {}; \ - } \ - } while (0) - -#define ENSURE_OBJECT_KIND(_kind_name, scope) \ - do { \ - if (auto tag = decoder.peek(); tag.is_error() || tag.value().kind != Crypto::ASN1::Kind::_kind_name) { \ - if constexpr (TLS_DEBUG) { \ - if (tag.is_error()) \ - dbgln(scope " data was invalid: {}", tag.error()); \ - else \ - dbgln(scope " data was not of kind " #_kind_name ", it was {}", Crypto::ASN1::kind_name(tag.value().kind)); \ - } \ - return {}; \ - } \ - } while (0) - -#define READ_OBJECT_OR_FAIL(kind_name, type_name, value_name, scope) \ - auto value_name##_result = decoder.read(Crypto::ASN1::Class::Universal, Crypto::ASN1::Kind::kind_name); \ - if (value_name##_result.is_error()) { \ - dbgln_if(TLS_DEBUG, scope " read of kind " #kind_name " failed: {}", value_name##_result.error()); \ - return {}; \ - } \ - auto value_name = value_name##_result.release_value(); - -#define DROP_OBJECT_OR_FAIL(scope) \ - do { \ - if (auto error = decoder.drop(); error.has_value()) { \ - dbgln_if(TLS_DEBUG, scope " read failed: {}", error.value()); \ - } \ - } while (0) - - Certificate certificate; - Crypto::ASN1::Decoder decoder { buffer }; - // Certificate ::= Sequence { - // certificate TBSCertificate, - // signature_algorithm AlgorithmIdentifier, - // signature_value BitString - // } - ENTER_SCOPE_OR_FAIL(Sequence, "Certificate"); - - // TBSCertificate ::= Sequence { - // version (0) EXPLICIT Version DEFAULT v1, - // serial_number CertificateSerialNumber, - // signature AlgorithmIdentifier, - // issuer Name, - // validity Validity, - // subject Name, - // subject_public_key_info SubjectPublicKeyInfo, - // issuer_unique_id (1) IMPLICIT UniqueIdentifer OPTIONAL (if present, version > v1), - // subject_unique_id (2) IMPLICIT UniqueIdentiier OPTIONAL (if present, version > v1), - // extensions (3) EXPLICIT Extensions OPTIONAL (if present, version > v2) - // } - ENTER_SCOPE_OR_FAIL(Sequence, "Certificate::TBSCertificate"); - - // version - { - // Version :: Integer { v1(0), v2(1), v3(2) } (Optional) - if (auto tag = decoder.peek(); !tag.is_error() && tag.value().type == Crypto::ASN1::Type::Constructed) { - ENTER_SCOPE_WITHOUT_TYPECHECK("Certificate::version"); - READ_OBJECT_OR_FAIL(Integer, Crypto::UnsignedBigInteger, value, "Certificate::version"); - if (!(value < 3)) { - dbgln_if(TLS_DEBUG, "Certificate::version Invalid value for version: {}", value.to_base10()); - return {}; - } - certificate.version = value.words()[0]; - EXIT_SCOPE("Certificate::version"); - } else { - certificate.version = 0; - } - } - - // serial_number - { - // CertificateSerialNumber :: Integer - READ_OBJECT_OR_FAIL(Integer, Crypto::UnsignedBigInteger, value, "Certificate::serial_number"); - certificate.serial_number = move(value); - } - - auto parse_algorithm_identifier = [&](CertificateKeyAlgorithm& field) -> Optional { - // AlgorithmIdentifier ::= Sequence { - // algorithm ObjectIdentifier, - // parameters ANY OPTIONAL - // } - ENTER_SCOPE_OR_FAIL(Sequence, "AlgorithmIdentifier"); - READ_OBJECT_OR_FAIL(ObjectIdentifier, Vector, identifier, "AlgorithmIdentifier::algorithm"); - if (identifier == rsa_encryption_oid) - field = CertificateKeyAlgorithm ::RSA_RSA; - else if (identifier == rsa_md5_encryption_oid) - field = CertificateKeyAlgorithm ::RSA_MD5; - else if (identifier == rsa_sha1_encryption_oid) - field = CertificateKeyAlgorithm ::RSA_SHA1; - else if (identifier == rsa_sha256_encryption_oid) - field = CertificateKeyAlgorithm ::RSA_SHA256; - else if (identifier == rsa_sha512_encryption_oid) - field = CertificateKeyAlgorithm ::RSA_SHA512; - else - return {}; - - EXIT_SCOPE("AlgorithmIdentifier"); - return true; - }; - - // signature - { - if (!parse_algorithm_identifier(certificate.algorithm).has_value()) - return {}; - } - - auto parse_name = [&](auto& name_struct) -> Optional { - // Name ::= Choice { - // rdn_sequence RDNSequence - // } // NOTE: since this is the only alternative, there's no index - // RDNSequence ::= Sequence OF RelativeDistinguishedName - ENTER_SCOPE_OR_FAIL(Sequence, "Certificate::TBSCertificate::issuer/subject"); - - // RelativeDistinguishedName ::= Set OF AttributeTypeAndValue - // AttributeTypeAndValue ::= Sequence { - // type AttributeType, - // value AttributeValue - // } - // AttributeType ::= ObjectIdentifier - // AttributeValue ::= Any - while (!decoder.eof()) { - // Parse only the the required fields, and ignore the rest. - ENTER_SCOPE_OR_FAIL(Set, "Certificate::TBSCertificate::issuer/subject::$::RelativeDistinguishedName"); - while (!decoder.eof()) { - ENTER_SCOPE_OR_FAIL(Sequence, "Certificate::TBSCertificate::issuer/subject::$::RelativeDistinguishedName::$::AttributeTypeAndValue"); - ENSURE_OBJECT_KIND(ObjectIdentifier, "Certificate::TBSCertificate::issuer/subject::$::RelativeDistinguishedName::$::AttributeTypeAndValue::type"); - - if (auto type_identifier_or_error = decoder.read>(); !type_identifier_or_error.is_error()) { - // Figure out what type of identifier this is - auto& identifier = type_identifier_or_error.value(); - if (identifier == common_name_oid) { - READ_OBJECT_OR_FAIL(PrintableString, StringView, name, - "Certificate::TBSCertificate::issuer/subject::$::RelativeDistinguishedName::$::AttributeTypeAndValue::Value"); - name_struct.subject = name; - } else if (identifier == country_name_oid) { - READ_OBJECT_OR_FAIL(PrintableString, StringView, name, - "Certificate::TBSCertificate::issuer/subject::$::RelativeDistinguishedName::$::AttributeTypeAndValue::Value"); - name_struct.country = name; - } else if (identifier == locality_name_oid) { - READ_OBJECT_OR_FAIL(PrintableString, StringView, name, - "Certificate::TBSCertificate::issuer/subject::$::RelativeDistinguishedName::$::AttributeTypeAndValue::Value"); - name_struct.location = name; - } else if (identifier == organization_name_oid) { - READ_OBJECT_OR_FAIL(PrintableString, StringView, name, - "Certificate::TBSCertificate::issuer/subject::$::RelativeDistinguishedName::$::AttributeTypeAndValue::Value"); - name_struct.entity = name; - } else if (identifier == organizational_unit_name_oid) { - READ_OBJECT_OR_FAIL(PrintableString, StringView, name, - "Certificate::TBSCertificate::issuer/subject::$::RelativeDistinguishedName::$::AttributeTypeAndValue::Value"); - name_struct.unit = name; - } - } else { - dbgln_if(TLS_DEBUG, "Certificate::TBSCertificate::issuer/subject::$::RelativeDistinguishedName::$::AttributeTypeAndValue::type data was invalid: {}", type_identifier_or_error.error()); - return {}; - } - - EXIT_SCOPE("Certificate::TBSCertificate::issuer/subject::$::RelativeDistinguishedName::$::AttributeTypeAndValue"); - } - EXIT_SCOPE("Certificate::TBSCertificate::issuer/subject::$::RelativeDistinguishedName"); - } - - EXIT_SCOPE("Certificate::TBSCertificate::issuer/subject"); - return true; - }; - - // issuer - { - if (!parse_name(certificate.issuer).has_value()) - return {}; - } - - // validity - { - ENTER_SCOPE_OR_FAIL(Sequence, "Certificate::TBSCertificate::Validity"); - - auto parse_time = [&](Core::DateTime& datetime) -> Optional { - // Time ::= Choice { - // utc_time UTCTime, - // general_time GeneralizedTime - // } - auto tag = decoder.peek(); - if (tag.is_error()) { - dbgln_if(1, "Certificate::TBSCertificate::Validity::$::Time failed to read tag: {}", tag.error()); - return {}; - }; - - if (tag.value().kind == Crypto::ASN1::Kind::UTCTime) { - READ_OBJECT_OR_FAIL(UTCTime, StringView, time, "Certificate::TBSCertificate::Validity::$"); - auto result = Crypto::ASN1::parse_utc_time(time); - if (!result.has_value()) { - dbgln_if(1, "Certificate::TBSCertificate::Validity::$::Time Invalid UTC Time: {}", time); - return {}; - } - datetime = result.release_value(); - return true; - } - - if (tag.value().kind == Crypto::ASN1::Kind::GeneralizedTime) { - READ_OBJECT_OR_FAIL(UTCTime, StringView, time, "Certificate::TBSCertificate::Validity::$"); - auto result = Crypto::ASN1::parse_generalized_time(time); - if (!result.has_value()) { - dbgln_if(1, "Certificate::TBSCertificate::Validity::$::Time Invalid Generalized Time: {}", time); - return {}; - } - datetime = result.release_value(); - return true; - } - - dbgln_if(1, "Unrecognised Time format {}", Crypto::ASN1::kind_name(tag.value().kind)); - return {}; - }; - - if (!parse_time(certificate.not_before).has_value()) - return {}; - - if (!parse_time(certificate.not_after).has_value()) - return {}; - - EXIT_SCOPE("Certificate::TBSCertificate::Validity"); - } - - // subject - { - if (!parse_name(certificate.subject).has_value()) - return {}; - } - - // subject_public_key_info - { - // SubjectPublicKeyInfo ::= Sequence { - // algorithm AlgorithmIdentifier, - // subject_public_key BitString - // } - ENTER_SCOPE_OR_FAIL(Sequence, "Certificate::TBSCertificate::subject_public_key_info"); - - if (!parse_algorithm_identifier(certificate.key_algorithm).has_value()) - return {}; - - READ_OBJECT_OR_FAIL(BitString, const BitmapView, value, "Certificate::TBSCertificate::subject_public_key_info::subject_public_key_info"); - // Note: Once we support other kinds of keys, make sure to check the kind here! - auto key = Crypto::PK::RSA::parse_rsa_key({ value.data(), value.size_in_bytes() }); - if (!key.public_key.length()) { - dbgln_if(TLS_DEBUG, "Certificate::TBSCertificate::subject_public_key_info::subject_public_key_info: Invalid key"); - return {}; - } - certificate.public_key = move(key.public_key); - EXIT_SCOPE("Certificate::TBSCertificate::subject_public_key_info"); - } - - auto parse_unique_identifier = [&]() -> Optional { - if (certificate.version == 0) - return true; - - auto tag = decoder.peek(); - if (tag.is_error()) { - dbgln_if(TLS_DEBUG, "Certificate::TBSCertificate::*::UniqueIdentifier could not read tag: {}", tag.error()); - return {}; - } - - // The spec says to just ignore these. - if (static_cast(tag.value().kind) == 1 || static_cast(tag.value().kind) == 2) - DROP_OBJECT_OR_FAIL("UniqueIdentifier"); - - return true; - }; - - // issuer_unique_identifier - { - if (!parse_unique_identifier().has_value()) - return {}; - } - - // subject_unique_identifier - { - if (!parse_unique_identifier().has_value()) - return {}; - } - - // extensions - { - if (certificate.version == 2) { - auto tag = decoder.peek(); - if (tag.is_error()) { - dbgln_if(TLS_DEBUG, "Certificate::TBSCertificate::*::UniqueIdentifier could not read tag: {}", tag.error()); - return {}; - } - if (static_cast(tag.value().kind) == 3) { - // Extensions ::= Sequence OF Extension - // Extension ::= Sequence { - // extension_id ObjectIdentifier, - // critical Boolean DEFAULT false, - // extension_value OctetString (DER-encoded) - // } - ENTER_SCOPE_WITHOUT_TYPECHECK("Certificate::TBSCertificate::Extensions(IMPLICIT)"); - ENTER_SCOPE_OR_FAIL(Sequence, "Certificate::TBSCertificate::Extensions"); - - while (!decoder.eof()) { - ENTER_SCOPE_OR_FAIL(Sequence, "Certificate::TBSCertificate::Extensions::$::Extension"); - READ_OBJECT_OR_FAIL(ObjectIdentifier, Vector, extension_id, "Certificate::TBSCertificate::Extensions::$::Extension::extension_id"); - bool is_critical = false; - if (auto tag = decoder.peek(); !tag.is_error() && tag.value().kind == Crypto::ASN1::Kind::Boolean) { - // Read the 'critical' property - READ_OBJECT_OR_FAIL(Boolean, bool, critical, "Certificate::TBSCertificate::Extensions::$::Extension::critical"); - is_critical = critical; - } - READ_OBJECT_OR_FAIL(OctetString, StringView, extension_value, "Certificate::TBSCertificate::Extensions::$::Extension::extension_value"); - - // Figure out what this extension is. - if (extension_id == subject_alternative_name_oid) { - Crypto::ASN1::Decoder decoder { extension_value.bytes() }; - // SubjectAlternativeName ::= GeneralNames - // GeneralNames ::= Sequence OF GeneralName - // GeneralName ::= CHOICE { - // other_name (0) OtherName, - // rfc_822_name (1) IA5String, - // dns_name (2) IA5String, - // x400Address (3) ORAddress, - // directory_name (4) Name, - // edi_party_name (5) EDIPartyName, - // uri (6) IA5String, - // ip_address (7) OctetString, - // registered_id (8) ObjectIdentifier, - // } - ENTER_SCOPE_OR_FAIL(Sequence, "Certificate::TBSCertificate::Extensions::$::Extension::extension_value::SubjectAlternativeName"); - - while (!decoder.eof()) { - auto tag = decoder.peek(); - if (tag.is_error()) { - dbgln_if(TLS_DEBUG, "Certificate::TBSCertificate::Extensions::$::Extension::extension_value::SubjectAlternativeName::$ could not read tag: {}", tag.error()); - return {}; - } - - auto tag_value = static_cast(tag.value().kind); - switch (tag_value) { - case 0: - // OtherName - // We don't know how to use this. - DROP_OBJECT_OR_FAIL("Certificate::TBSCertificate::Extensions::$::Extension::extension_value::SubjectAlternativeName::$::OtherName"); - break; - case 1: - // RFC 822 name - // We don't know how to use this. - DROP_OBJECT_OR_FAIL("Certificate::TBSCertificate::Extensions::$::Extension::extension_value::SubjectAlternativeName::$::RFC822Name"); - break; - case 2: { - // DNS Name - READ_OBJECT_OR_FAIL(IA5String, StringView, name, "Certificate::TBSCertificate::Extensions::$::Extension::extension_value::SubjectAlternativeName::$::DNSName"); - certificate.SAN.append(name); - break; - } - case 3: - // x400Address - // We don't know how to use this. - DROP_OBJECT_OR_FAIL("Certificate::TBSCertificate::Extensions::$::Extension::extension_value::SubjectAlternativeName::$::X400Adress"); - break; - case 4: - // Directory name - // We don't know how to use this. - DROP_OBJECT_OR_FAIL("Certificate::TBSCertificate::Extensions::$::Extension::extension_value::SubjectAlternativeName::$::DirectoryName"); - break; - case 5: - // edi party name - // We don't know how to use this. - DROP_OBJECT_OR_FAIL("Certificate::TBSCertificate::Extensions::$::Extension::extension_value::SubjectAlternativeName::$::EDIPartyName"); - break; - case 6: { - // URI - READ_OBJECT_OR_FAIL(IA5String, StringView, name, "Certificate::TBSCertificate::Extensions::$::Extension::extension_value::SubjectAlternativeName::$::URI"); - certificate.SAN.append(name); - break; - } - case 7: - // IP Address - // We can't handle these. - DROP_OBJECT_OR_FAIL("Certificate::TBSCertificate::Extensions::$::Extension::extension_value::SubjectAlternativeName::$::IPAddress"); - break; - case 8: - // Registered ID - // We can't handle these. - DROP_OBJECT_OR_FAIL("Certificate::TBSCertificate::Extensions::$::Extension::extension_value::SubjectAlternativeName::$::RegisteredID"); - break; - default: - dbgln_if(TLS_DEBUG, "Unknown tag in SAN choice {}", tag_value); - if (is_critical) - return {}; - else - DROP_OBJECT_OR_FAIL("Certificate::TBSCertificate::Extensions::$::Extension::extension_value::SubjectAlternativeName::$::???"); - } - } - } - - EXIT_SCOPE("Certificate::TBSCertificate::Extensions::$::Extension"); - } - - EXIT_SCOPE("Certificate::TBSCertificate::Extensions"); - EXIT_SCOPE("Certificate::TBSCertificate::Extensions(IMPLICIT)"); - } - } - } - - // Just ignore the rest of the data for now. - EXIT_SCOPE("Certificate::TBSCertificate"); - EXIT_SCOPE("Certificate"); - - dbgln_if(TLS_DEBUG, "Certificate issued for {} by {}", certificate.subject.subject, certificate.issuer.subject); - - return certificate; - -#undef DROP_OBJECT_OR_FAIL -#undef ENSURE_OBJECT_KIND -#undef ENTER_SCOPE_OR_FAIL -#undef ENTER_SCOPE_WITHOUT_TYPECHECK -#undef EXIT_SCOPE -#undef READ_OBJECT_OR_FAIL -} - ssize_t TLSv12::handle_certificate(ReadonlyBytes buffer) { ssize_t res = 0; @@ -553,7 +88,7 @@ ssize_t TLSv12::handle_certificate(ReadonlyBytes buffer) } remaining -= certificate_size_specific; - auto certificate = parse_asn1(buffer.slice(res_cert, certificate_size_specific), false); + auto certificate = Certificate::parse_asn1(buffer.slice(res_cert, certificate_size_specific), false); if (certificate.has_value()) { if (certificate.value().is_valid()) { m_context.certificates.append(certificate.value()); @@ -883,7 +418,7 @@ bool TLSv12::add_client_key(ReadonlyBytes certificate_pem_buffer, ReadonlyBytes return false; } - auto maybe_certificate = parse_asn1(decoded_certificate); + auto maybe_certificate = Certificate::parse_asn1(decoded_certificate); if (!maybe_certificate.has_value()) { dbgln("Invalid certificate"); return false; diff --git a/Userland/Libraries/LibTLS/TLSv12.h b/Userland/Libraries/LibTLS/TLSv12.h index 0d2f6276e1..46a6383074 100644 --- a/Userland/Libraries/LibTLS/TLSv12.h +++ b/Userland/Libraries/LibTLS/TLSv12.h @@ -277,7 +277,6 @@ public: m_context.extensions.SNI = sni; } - Optional parse_asn1(ReadonlyBytes, bool client_cert = false) const; bool load_certificates(ReadonlyBytes pem_buffer); bool load_private_key(ReadonlyBytes pem_buffer);