interesting
/
getdns
mirror of https://github.com/getdnsapi/getdns.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
getdns/src/pubkey-pinning.c

141 lines
4.8 KiB
C
Raw Normal View History

add getdns_pubkey_pin_create_from_string()
2015-12-20 11:58:50 -06:00
/**
*
* /brief functions for Public Key Pinning
*
*/
/*
* Copyright (c) 2015, Daniel Kahn Gillmor
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* * Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* * Neither the names of the copyright holders nor the
* names of its contributors may be used to endorse or promote products
* derived from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL Verisign, Inc. BE LIABLE FOR ANY
* DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
* ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/**
* getdns Public Key Pinning
*
* a public key pinset is a list of dicts. each dict should have a
* "digest" and a "value".
*
* "digest": a string indicating the type of digest. at the moment, we
* only support a "digest" of "sha256".
*
* "value": a binary representation of the digest provided.
*
* given a such a pinset, we should be able to validate a chain
* properly according to section 2.6 of RFC 7469.
*/
#include <getdns/getdns.h>
#include <openssl/evp.h>
#include <openssl/bio.h>
#include <openssl/sha.h>
#include <string.h>
/* we only support sha256 at the moment. adding support for another
digest is more complex than just adding another entry here. in
particular, you'll probably need a match for a particular cert
against all supported algorithms. better to wait on doing that
until it is a better-understood problem (i.e. wait until hpkp is
updated and follow the guidance in rfc7469bis)
*/
static const getdns_bindata sha256 = {
.size = sizeof("sha256") - 1,
.data = (uint8_t*)"sha256"
};
#define PIN_PREFIX "pin-sha256=\""
#define PIN_PREFIX_LENGTH (sizeof(PIN_PREFIX) - 1)
/* b64 turns every 3 octets (or fraction thereof) into 4 octets */
#define B64_ENCODED_SHA256_LENGTH (((SHA256_DIGEST_LENGTH + 2)/3) * 4)
/* convert an HPKP-style pin description to an appropriate getdns data
structure. An example string is: (with the quotes, without any
leading or trailing whitespace):
pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="
getdns_build_pin_from_string returns a dict created from ctx, or
NULL if the string did not match. If ctx is NULL, the dict is
created via getdns_dict_create().
It is the caller's responsibility to call getdns_dict_destroy when
it is no longer needed.
*/
getdns_dict* getdns_pubkey_pin_create_from_string(
getdns_context* context,
const char* str)
{
BIO *bio = NULL;
int i;
uint8_t buf[SHA256_DIGEST_LENGTH];
char inbuf[B64_ENCODED_SHA256_LENGTH + 1];
getdns_bindata value = { .size = SHA256_DIGEST_LENGTH, .data = buf };
getdns_dict* out = NULL;
/* we only do sha256 right now, make sure this is well-formed */
if (strncmp(PIN_PREFIX, str, PIN_PREFIX_LENGTH))
return NULL;
for (i = PIN_PREFIX_LENGTH; i < PIN_PREFIX_LENGTH + B64_ENCODED_SHA256_LENGTH - 1; i++)
if (!((str[i] >= 'a' && str[i] <= 'z') ||
(str[i] >= 'A' && str[i] <= 'Z') ||
(str[i] >= '0' && str[i] <= '9') ||
(str[i] == '+') || (str[i] == '/')))
return NULL;
if (str[i++] != '=')
return NULL;
if (str[i++] != '"')
return NULL;
if (str[i++] != '\0')
return NULL;
/* openssl needs a trailing newline to base64 decode */
memcpy(inbuf, str + PIN_PREFIX_LENGTH, B64_ENCODED_SHA256_LENGTH);
inbuf[B64_ENCODED_SHA256_LENGTH] = '\n';
bio = BIO_push(BIO_new(BIO_f_base64()),
BIO_new_mem_buf(inbuf, sizeof(inbuf)));
if (BIO_read(bio, buf, sizeof(buf)) != sizeof(buf))
goto fail;
if (context)
out = getdns_dict_create_with_context(context);
else
out = getdns_dict_create();
if (out == NULL)
goto fail;
if (getdns_dict_set_bindata(out, "digest", &sha256))
goto fail;
if (getdns_dict_set_bindata(out, "value", &value))
goto fail;
return out;
fail:
BIO_free_all(bio);
getdns_dict_destroy(out);
return NULL;
}
/* pubkey-pinning.c */