openssl/ts: add functionality for a basic Time Stamp Authority

This change adds the missing wrappers to be able to generate a minimally
functional Time Stamp Authority, signing time stamp requests and generating
time stamp responses.

Author: krisztian-kovacs

openssl-sys/src/ts.rs

@@ -6,6 +6,7 @@ use *;
 pub enum TS_MSG_IMPRINT {}
 pub enum TS_REQ {}
 pub enum TS_RESP {}
+pub enum TS_RESP_CTX {}
 
 cfg_if! {
     if #[cfg(ossl110)] {
@@ -51,6 +52,13 @@ pub const TS_VFY_ALL_DATA: c_uint = TS_VFY_SIGNATURE
     | TS_VFY_SIGNER
     | TS_VFY_TSA_NAME;
 
+pub const TS_STATUS_GRANTED: c_uint = 0;
+pub const TS_STATUS_GRANTED_WITH_MODS: c_uint = 1;
+pub const TS_STATUS_REJECTION: c_uint = 2;
+pub const TS_STATUS_WAITING: c_uint = 3;
+pub const TS_STATUS_REVOCATION_WARNING: c_uint = 4;
+pub const TS_STATUS_REVOCATION_NOTIFICATION: c_uint = 5;
+
 extern "C" {
     pub fn TS_MSG_IMPRINT_new() -> *mut TS_MSG_IMPRINT;
     pub fn TS_MSG_IMPRINT_free(a: *mut TS_MSG_IMPRINT);
@@ -87,6 +95,14 @@ extern "C" {
 
     pub fn TS_REQ_to_TS_VERIFY_CTX(req: *mut TS_REQ, ctx: *mut TS_VERIFY_CTX)
         -> *mut TS_VERIFY_CTX;
+
+    pub fn TS_RESP_CTX_new() -> *mut TS_RESP_CTX;
+    pub fn TS_RESP_CTX_free(ctx: *mut TS_RESP_CTX);
+    pub fn TS_RESP_CTX_set_signer_cert(ctx: *mut TS_RESP_CTX, signer: *mut X509) -> c_int;
+    pub fn TS_RESP_CTX_set_signer_key(ctx: *mut TS_RESP_CTX, key: *mut EVP_PKEY) -> c_int;
+    pub fn TS_RESP_CTX_add_md(ctx: *mut TS_RESP_CTX, md: *const EVP_MD) -> c_int;
+
+    pub fn TS_RESP_create_response(ctx: *mut TS_RESP_CTX, req_bio: *mut BIO) -> *mut TS_RESP;
 }
 
 cfg_if! {
@@ -96,13 +112,32 @@ cfg_if! {
                 a: *mut TS_REQ,
                 policy: *const ASN1_OBJECT
             ) -> c_int;
+            pub fn TS_RESP_CTX_set_def_policy(
+                ctx: *mut TS_RESP_CTX,
+                def_policy: *const ASN1_OBJECT
+            ) -> c_int;
         }
     } else {
         extern "C" {
             pub fn TS_REQ_set_policy_id(
                 a: *mut TS_REQ,
                 policy: *mut ASN1_OBJECT
             ) -> c_int;
+            pub fn TS_RESP_CTX_set_def_policy(
+                ctx: *mut TS_RESP_CTX,
+                def_policy: *mut ASN1_OBJECT
+            ) -> c_int;
+        }
+    }
+}
+
+cfg_if! {
+    if #[cfg(ossl110)] {
+        extern "C" {
+            pub fn TS_RESP_CTX_set_signer_digest(
+                ctx: *mut TS_RESP_CTX,
+                signer_digest: *const EVP_MD,
+            ) -> c_int;
         }
     }
 }

openssl/src/ts.rs

@@ -10,16 +10,18 @@ use libc::{c_int, c_long, c_uint};
 use std::ptr;
 
 use crate::asn1::{Asn1IntegerRef, Asn1ObjectRef};
+use crate::bio::MemBioSlice;
 use crate::error::ErrorStack;
 use crate::hash::MessageDigest;
-use crate::x509::X509Algorithm;
+use crate::pkey::{HasPrivate, PKeyRef};
+use crate::x509::{X509Algorithm, X509Ref};
 use crate::{cvt, cvt_p};
 
 foreign_type_and_impl_send_sync! {
     type CType = ffi::TS_MSG_IMPRINT;
     fn drop = ffi::TS_MSG_IMPRINT_free;
 
-    /// A message imprint contains the has of the data to be timestamped.
+    /// A message imprint contains the hash of the data to be timestamped.
     pub struct TsMsgImprint;
 
     /// Reference to `TsMsgImprint`.
@@ -255,13 +257,123 @@ impl TsVerifyContext {
     }
 }
 
+foreign_type_and_impl_send_sync! {
+    type CType = ffi::TS_RESP_CTX;
+    fn drop = ffi::TS_RESP_CTX_free;
+
+    /// A context object used to sign timestamp requests.
+    pub struct TsRespContext;
+
+    /// Reference to `TsRespContext`.
+    pub struct TsRespContextRef;
+}
+
+impl TsRespContextRef {
+    /// Creates a signed timestamp response for the request.
+    ///
+    /// This corresponds to `TS_RESP_create_response`.
+    pub fn create_response(&mut self, request: &TsReqRef) -> Result<TsResp, ErrorStack> {
+        unsafe {
+            let der = request.to_der()?;
+            let bio = MemBioSlice::new(&der)?;
+            let response = cvt_p(ffi::TS_RESP_create_response(self.as_ptr(), bio.as_ptr()))?;
+            Ok(TsResp::from_ptr(response))
+        }
+    }
+}
+
+impl TsRespContext {
+    /// Creates a new response context.
+    ///
+    /// This corresponds to `TS_RESP_CTX_new`.
+    pub fn new() -> Result<TsRespContext, ErrorStack> {
+        unsafe {
+            ffi::init();
+            let resp_context: *mut ffi::TS_RESP_CTX = cvt_p(ffi::TS_RESP_CTX_new())?;
+            Ok(TsRespContext::from_ptr(resp_context))
+        }
+    }
+
+    /// Sets the OID of the default policy used by the TSA.
+    ///
+    /// This corresponds to `TS_RESP_CTX_set_def_policy`.
+    pub fn set_default_policy(&mut self, policy: &Asn1ObjectRef) -> Result<(), ErrorStack> {
+        unsafe {
+            cvt(ffi::TS_RESP_CTX_set_def_policy(
+                self.as_ptr(),
+                policy.as_ptr(),
+            ))
+            .map(|_| ())
+        }
+    }
+
+    /// Sets the certificate the TSA uses to sign the request.
+    ///
+    /// This corresponds to `TS_RESP_CTX_set_signer_cert`.
+    pub fn set_signer_cert(&mut self, cert: &X509Ref) -> Result<(), ErrorStack> {
+        unsafe {
+            cvt(ffi::TS_RESP_CTX_set_signer_cert(
+                self.as_ptr(),
+                cert.as_ptr(),
+            ))
+            .map(|_| ())
+        }
+    }
+
+    /// Sets the private key the TSA uses to sign the request.
+    ///
+    /// The private key match the X.509 certificate set by `set_signer_cert`.
+    ///
+    /// This corresponds to `TS_RESP_CTX_set_signer_key`.
+    pub fn set_signer_key<T>(&mut self, pkey: &PKeyRef<T>) -> Result<(), ErrorStack>
+    where
+        T: HasPrivate,
+    {
+        unsafe {
+            cvt(ffi::TS_RESP_CTX_set_signer_key(
+                self.as_ptr(),
+                pkey.as_ptr(),
+            ))
+            .map(|_| ())
+        }
+    }
+
+    /// Sets the message digest algorithm to use for the signature.
+    ///
+    ///
+    /// Requires OpenSSL 1.1.0 or newer.
+    /// This corresponds to `TS_RESP_CTX_set_signer_digest`.
+    #[cfg(ossl110)]
+    pub fn set_signer_digest(&mut self, md: MessageDigest) -> Result<(), ErrorStack> {
+        unsafe {
+            cvt(ffi::TS_RESP_CTX_set_signer_digest(
+                self.as_ptr(),
+                md.as_ptr(),
+            ))
+            .map(|_| ())
+        }
+    }
+
+    /// Add an accepted message digest algorithm.
+    ///
+    /// At least one accepted digest algorithm should be added to the context.
+    ///
+    /// This corresponds to `TS_RESP_CTX_add_md`.
+    pub fn add_md(&mut self, md: MessageDigest) -> Result<(), ErrorStack> {
+        unsafe { cvt(ffi::TS_RESP_CTX_add_md(self.as_ptr(), md.as_ptr())).map(|_| ()) }
+    }
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;
 
-    use crate::asn1::Asn1Integer;
+    use crate::asn1::{Asn1Integer, Asn1Object};
     use crate::bn::BigNum;
+    use crate::hash::MessageDigest;
+    use crate::pkey::PKey;
     use crate::sha::sha512;
+    use crate::x509::X509;
 
     #[test]
     fn test_request() {
@@ -299,4 +411,24 @@ mod tests {
         let context = TsVerifyContext::from_req(&request).unwrap();
         response.verify(&context).unwrap();
     }
+
+    #[test]
+    fn test_response_context() {
+        let mut response_context = TsRespContext::new().unwrap();
+        response_context
+            .set_default_policy(&Asn1Object::from_str("1.2.3.4").unwrap())
+            .unwrap();
+        let cert = X509::from_pem(include_bytes!("../test/ts-cert.pem")).unwrap();
+        response_context.set_signer_cert(&cert).unwrap();
+        let key = PKey::private_key_from_pem(include_bytes!("../test/ts-key.pem")).unwrap();
+        response_context.set_signer_key(&key).unwrap();
+
+        response_context.add_md(MessageDigest::sha512()).unwrap();
+
+        let request = TsReq::from_der(include_bytes!("../test/ts-request.der")).unwrap();
+        let response = response_context.create_response(&request).unwrap();
+
+        let context = TsVerifyContext::from_req(&request).unwrap();
+        response.verify(&context).unwrap();
+    }
 }

openssl/test/ts-cert.pem

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDOjCCAiKgAwIBAgIFN8DNd/kwDQYJKoZIhvcNAQELBQAwRTELMAkGA1UEBhMC
+QVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdp
+dHMgUHR5IEx0ZDAeFw0yMDEwMjcwODQwMTBaFw0zMTEwMTAwODQwMTBaMFwxCzAJ
+BgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5l
+dCBXaWRnaXRzIFB0eSBMdGQxFTATBgNVBAMTDFRpbWVzdGFtcGluZzCCASIwDQYJ
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBANUTsyhUuzou06s/XXelCLSF7sd8xtFO
+4OJFEWAulg5K4m7w/GG/VIaelvqgNxdSHdzheT1l1UrMP6na2tAcAS5tBv+X0Q0C
+T3+FqlqcgV2HSUNKJy3CJ1CoNQCuN6eaqO7y3O9yfdze8jCpHcrYrx4BFNISw8/T
+KaAKQRHjrVbAOlIA+nCc7MGYXJS9ZVwfXNASrhRBoswLoesSf4mX1PPXwjnhGJMq
+nVhVI+1G1gD9t4l7CrdOhx5vONffOoSjmqDVfRmcyYNT33V8zlynUoKwLF985TKo
+hJAfA8qQDczLkPv6shssNWk8BJ+mYRz3sU9QHM4dkX1oql3oWlOx+o0CAwEAAaMa
+MBgwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwgwDQYJKoZIhvcNAQELBQADggEBAC1D
+6A5FrPsYV4Q2Zar/MdYsuA2XM2j8SA/H2m4uGz8Sg52/V1VWBouB4JVz1EHytAlG
+BD2A+71Bk/Y6JpxdU51O/ZgGlrOaCs+1L4+WLe1cgXGcgC65fP7eMCF3ajuOYZid
+q5cJxpbBEspecus7ArqEQ9+ahAVZXcSuKfHOcW+3DxqP3/GPvbt4vLdxjPbe1Dbx
+Le+UkPPIQoKNk7yOILMuZrR+O4E4O0cn7E2qodUoYIxSOWIg9euvfntFyR66NzXL
++pDtbVzWPKNiqgvhx5n5GjdyQGHA0X2gEpepT3p3S9dHMcdjJfDixVKp8F5f9mbx
+6wgs4XG7rb8sRDsAmAc=
+-----END CERTIFICATE-----

openssl/test/ts-key.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA1ROzKFS7Oi7Tqz9dd6UItIXux3zG0U7g4kURYC6WDkribvD8
+Yb9Uhp6W+qA3F1Id3OF5PWXVSsw/qdra0BwBLm0G/5fRDQJPf4WqWpyBXYdJQ0on
+LcInUKg1AK43p5qo7vLc73J93N7yMKkdytivHgEU0hLDz9MpoApBEeOtVsA6UgD6
+cJzswZhclL1lXB9c0BKuFEGizAuh6xJ/iZfU89fCOeEYkyqdWFUj7UbWAP23iXsK
+t06HHm841986hKOaoNV9GZzJg1PfdXzOXKdSgrAsX3zlMqiEkB8DypANzMuQ+/qy
+Gyw1aTwEn6ZhHPexT1Aczh2RfWiqXehaU7H6jQIDAQABAoIBAQDCoR76DQOELvfL
+qbKfshDUjK5Ca9hTokBKjppDh+orHf3dJqTySElWOhBg1+3akHiUpSQQkC8XBqB0
+b2OFyr7NgGtvFmavAlhJfHfSErkcDJJAM8C7zGgLBcp8V6agouYCdbaXxbXwBXmm
+NyPugKTcvFIfXWKdOB4CgLtVMunHnVz97+2O6HwN3nPfnsUTBNlImyO9UFO+2utB
+kk8vx9qvxhVo6bRmL85+CmuPAN0XiYaXqKRyF55b37c69A1mrMsGimRCO9fxuhhW
+JW7UwbXM/RHEDKRfD2P8dWMWyw+jQEBzQKrGZ/2dbjuXOVsTT6h/UVnLdFR7ntrk
+HljlNsXhAoGBAPwOyAIPBe9MZPmItO4Ssw2hr62MglmXYQITT+i6uuun2LMr6X/E
+zTlMNZGTOXPt8mDuPmELXX4rpKu1lBTuhM9/csbYG32kQK2I6j0QuY1fQ+NHnzcA
+4e9SkctZSx0auSo4u3+8SaoRpFfbxs6+tv7xJCcmvxkJZrKnTS7Z0SOJAoGBANho
+17fBqN63ogcf8y74D15KyxJi/spr7ZAZY1mH212TGf2xOC2gWpLyl+mENjj9L0+j
+qRh0J7y0wcnX9ZuuZHmU647/9bM3q21ZLpoP/gbUdZEBU9CnurCk+tTlGZ49iiN0
+KqX86JuynNlou/gcNFJS1v62TCnTr+aWGH6vOmnlAoGBALbTQd+8ZeGc1+Dnd9T3
+W0iX7oVDVYkGdCa9O0jjqJElvdi4ETXL2c+lp3VgBFxCS3xjUnuxcq8BmP+zRSWp
+nEuldesk9Uu8x+0XUk/Ywb35S5SfbqzGxxqAGaAVtJX3vDcTz2xndkcVZM8Vaq6r
+RrDE2CRNxm6ykvsivqks9LWBAoGAfuqF0KPHyM5DPRB0y0/5m2Ab1m2uZcKEMWVi
+SaiOc0OJE6pyeve3BsU1aGL8ddGuhHNEAS5l+5q6qAh6Z1IQZOl8eIIOc4urgtax
+qPLGFPVW+bKgmBc2OtCWtnKh4pbOw9omBPDc7isDJ9HvoyPPX5RruDfrVQBsAbx3
+IxzbEi0CgYAXZDdGCX1GiW1qBOGzgN/omrEKuXVQ9QEQYfAy+EWYw6EfWYSzgi3d
+QRV2x5q/T4IdPlrFM5fNilQGH2F9fGLX/CSJLWqnvPEKaB6e89y2ncFFZFIaP0YT
+UxDNUSmAmdP+GBYZCl3cYAUtVBKrjjyHRkCy8to62ldbSV7jsngX0A==
+-----END RSA PRIVATE KEY-----