75f5c2db254c0167a0e396254460de09b775d203trawick/* Licensed to the Apache Software Foundation (ASF) under one or more
75f5c2db254c0167a0e396254460de09b775d203trawick * contributor license agreements. See the NOTICE file distributed with
75f5c2db254c0167a0e396254460de09b775d203trawick * this work for additional information regarding copyright ownership.
75f5c2db254c0167a0e396254460de09b775d203trawick * The ASF licenses this file to You under the Apache License, Version 2.0
75f5c2db254c0167a0e396254460de09b775d203trawick * (the "License"); you may not use this file except in compliance with
75f5c2db254c0167a0e396254460de09b775d203trawick * the License. You may obtain a copy of the License at
75f5c2db254c0167a0e396254460de09b775d203trawick *
75f5c2db254c0167a0e396254460de09b775d203trawick * http://www.apache.org/licenses/LICENSE-2.0
75f5c2db254c0167a0e396254460de09b775d203trawick *
75f5c2db254c0167a0e396254460de09b775d203trawick * Unless required by applicable law or agreed to in writing, software
75f5c2db254c0167a0e396254460de09b775d203trawick * distributed under the License is distributed on an "AS IS" BASIS,
75f5c2db254c0167a0e396254460de09b775d203trawick * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
75f5c2db254c0167a0e396254460de09b775d203trawick * See the License for the specific language governing permissions and
75f5c2db254c0167a0e396254460de09b775d203trawick * limitations under the License.
75f5c2db254c0167a0e396254460de09b775d203trawick */
75f5c2db254c0167a0e396254460de09b775d203trawick
75f5c2db254c0167a0e396254460de09b775d203trawick
75f5c2db254c0167a0e396254460de09b775d203trawick#include "ssl_ct_sct.h"
75f5c2db254c0167a0e396254460de09b775d203trawick#include "ssl_ct_util.h"
75f5c2db254c0167a0e396254460de09b775d203trawick
75f5c2db254c0167a0e396254460de09b775d203trawick#include "http_log.h"
75f5c2db254c0167a0e396254460de09b775d203trawick
/* Attribute this file's ap_log_*() calls to the ssl_ct module so its
 * per-module LogLevel applies to them. */
APLOG_USE_MODULE(ssl_ct);
75f5c2db254c0167a0e396254460de09b775d203trawick
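/* TLS HashAlgorithm / SignatureAlgorithm code points (RFC 5246 7.4.1.4.1).
 * RFC 6962 3.2 requires SCT signatures to be SHA-256 with ECDSA or RSA. */
enum {
    SCT_HASH_ALG_SHA256 = 4,
    SCT_SIG_ALG_RSA     = 1,
    SCT_SIG_ALG_ECDSA   = 3
};

/**
 * Verify the signature carried in an SCT against a log's public key.
 *
 * @param sctf parsed SCT: sctf->signed_data/signed_data_len must have been
 *             reconstructed by sct_parse() (which needs the leaf certificate)
 *             and sctf->sig/siglen point at the signature bytes.
 * @param pkey the log's public key.
 * @return APR_SUCCESS if the signature verifies; APR_EINVAL if there is no
 *         reconstructed signed data, the SCT declares an algorithm pair other
 *         than SHA-256 with ECDSA or RSA, the digest cannot be computed, or
 *         verification fails; APR_ENOMEM if no digest context can be
 *         allocated.
 */
static apr_status_t verify_signature(sct_fields_t *sctf,
                                     EVP_PKEY *pkey)
{
    EVP_MD_CTX *ctx;
    int rc;

    if (sctf->signed_data == NULL) {
        return APR_EINVAL;
    }

    /* We always verify with SHA-256.  An SCT that declares any other digest,
     * or a signature algorithm RFC 6962 does not allow, is malformed; reject
     * it instead of verifying it under an algorithm it did not declare.
     */
    if (sctf->hash_alg != SCT_HASH_ALG_SHA256
        || (sctf->sig_alg != SCT_SIG_ALG_ECDSA
            && sctf->sig_alg != SCT_SIG_ALG_RSA)) {
        return APR_EINVAL;
    }

    /* Heap-allocated context: works whether or not EVP_MD_CTX is opaque in
     * the OpenSSL we are built against. */
    ctx = EVP_MD_CTX_create();
    if (ctx == NULL) {
        return APR_ENOMEM;
    }

    /* A failed init/update leaves nothing to verify; report it as a
     * verification failure rather than aborting the process.
     */
    if (EVP_VerifyInit(ctx, EVP_sha256()) != 1
        || EVP_VerifyUpdate(ctx, sctf->signed_data,
                            sctf->signed_data_len) != 1) {
        EVP_MD_CTX_destroy(ctx);
        return APR_EINVAL;
    }

    rc = EVP_VerifyFinal(ctx, sctf->sig, sctf->siglen, pkey);
    EVP_MD_CTX_destroy(ctx);

    /* EVP_VerifyFinal returns 1 on success, 0 on bad signature, <0 on error */
    return rc == 1 ? APR_SUCCESS : APR_EINVAL;
}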
75f5c2db254c0167a0e396254460de09b775d203trawick
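/**
 * Find the configured log that issued an SCT and verify the SCT with its key.
 *
 * @param c          connection, for logging.
 * @param sctf       parsed SCT; sctf->signed_data must already have been
 *                   reconstructed by sct_parse() (asserted).
 * @param log_config array of ct_log_config *; entries without a public key
 *                   or a log id are skipped.  May be NULL or empty.
 * @return APR_SUCCESS if a configured log matches sctf->logid and the
 *         signature verifies; APR_EINVAL if that log is distrusted or not
 *         valid at the SCT's timestamp, or verification fails;
 *         APR_NOTFOUND if no configured log has this id.
 */
apr_status_t sct_verify_signature(conn_rec *c, sct_fields_t *sctf,
                                  apr_array_header_t *log_config)
{
    ct_log_config **config_elts;
    int nelts, i;

    ap_assert(sctf->signed_data != NULL);

    /* No configured logs means nothing can match; don't dereference NULL. */
    if (log_config == NULL || log_config->nelts <= 0) {
        return APR_NOTFOUND;
    }

    config_elts = (ct_log_config **)log_config->elts;
    nelts = log_config->nelts;

    for (i = 0; i < nelts; i++) {
        EVP_PKEY *pubkey = config_elts[i]->public_key;
        const char *logid = config_elts[i]->log_id;
        apr_status_t rv;

        if (!pubkey || !logid) {
            continue;
        }

        if (memcmp(logid, sctf->logid, LOG_ID_SIZE) != 0) {
            continue;
        }

        /* The first configured log with this id decides the outcome. */
        if (!log_valid_for_received_sct(config_elts[i], sctf->time)) {
            ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
                          APLOGNO(02766) "Got SCT from distrusted log, or "
                          "out of trusted time interval");
            return APR_EINVAL;
        }

        rv = verify_signature(sctf, pubkey);
        if (rv != APR_SUCCESS) {
            ap_log_cerror(APLOG_MARK, APLOG_ERR, rv, c,
                          APLOGNO(02767) "verify_signature failed");
        }
        else {
            ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
                          "verify_signature succeeded");
        }
        return rv;
    }

    return APR_NOTFOUND;
}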
75f5c2db254c0167a0e396254460de09b775d203trawick
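/**
 * Reconstruct the data a log signed for a v1 X.509-entry SCT
 * (RFC 6962 3.2; see certificate-transparency/src/proto/serializer.cc,
 * method Serializer::SerializeV1CertSCTSignatureInput()) and store it in
 * fields->signed_data / fields->signed_data_len.
 *
 * The buffer is malloc()ed and owned by *fields; sct_release() frees it.
 *
 * @param s      server, for logging.
 * @param cc     chain whose leaf certificate is part of the signed data.
 * @param fields SCT fields parsed so far (timestamp, extensions, extlen).
 * @return APR_SUCCESS with fields->signed_data set; APR_EINVAL if the leaf
 *         cannot be DER-encoded; APR_ENOMEM if the buffer cannot be
 *         allocated; otherwise the serializer's error.  On failure
 *         fields->signed_data is left untouched (NULL) and nothing leaks.
 */
static apr_status_t build_signed_data(server_rec *s, cert_chain *cc,
                                      sct_fields_t *fields)
{
    apr_status_t rv = APR_SUCCESS;
    apr_size_t signed_len = 0;
    apr_size_t avail = 0;
    int der_length;
    unsigned char *mem = NULL;
    unsigned char *orig_mem = NULL; /* NULL until allocated: free() is safe */

    /* First pass: just measure the DER encoding of the leaf. */
    der_length = i2d_X509(cc->leaf, NULL);
    if (der_length < 0) {
        rv = APR_EINVAL;
    }
    else {
        signed_len = 0
            + 1 /* version 1 */
            + 1 /* CERTIFICATE_TIMESTAMP */
            + 8 /* timestamp */
            + 2 /* X509_ENTRY */
            + 3 + der_length /* 24-bit length + X509 */
            + 2 + fields->extlen /* 16-bit length + extensions */
            ;
        avail = signed_len;
        orig_mem = mem = malloc(avail);
        if (mem == NULL) {
            rv = APR_ENOMEM;
        }
    }

    if (rv == APR_SUCCESS) {
        rv = ctutil_serialize_uint8(&mem, &avail, 0); /* version 1 */
    }
    if (rv == APR_SUCCESS) {
        rv = ctutil_serialize_uint8(&mem, &avail, 0); /* CERTIFICATE_TIMESTAMP */
    }
    if (rv == APR_SUCCESS) {
        rv = ctutil_serialize_uint64(&mem, &avail, fields->timestamp);
    }
    if (rv == APR_SUCCESS) {
        rv = ctutil_serialize_uint16(&mem, &avail, 0); /* X509_ENTRY */
    }
    if (rv == APR_SUCCESS) {
        /* Second pass: get OpenSSL to allocate the DER encoding of the leaf */
        unsigned char *der_buf = NULL;

        der_length = i2d_X509(cc->leaf, &der_buf);
        if (der_length < 0) {
            rv = APR_EINVAL;
        }
        else {
            rv = ctutil_write_var24_bytes(&mem, &avail,
                                          der_buf, der_length);
            OPENSSL_free(der_buf);
        }
    }
    if (rv == APR_SUCCESS) {
        rv = ctutil_write_var16_bytes(&mem, &avail, fields->extensions,
                                      fields->extlen);
    }

    if (rv != APR_SUCCESS) {
        ap_log_error(APLOG_MARK, APLOG_CRIT, rv, s,
                     APLOGNO(02773) "Failed to reconstruct signed data for "
                     "SCT");
        free(orig_mem);
        return rv;
    }

    if (avail != 0) {
        /* Measured and written lengths disagree; logged but not fatal,
         * signed_data_len below reflects what was actually written. */
        ap_log_error(APLOG_MARK, APLOG_CRIT, 0, s,
                     APLOGNO(02774) "length miscalculation for signed "
                     "data (%" APR_SIZE_T_FMT
                     " vs. %" APR_SIZE_T_FMT ")",
                     signed_len, avail);
    }
    fields->signed_data_len = signed_len - avail;
    fields->signed_data = orig_mem;
    /* Force invalid signature error: orig_mem[0] = orig_mem[0] + 1; */

    return APR_SUCCESS;
}

/**
 * Parse a v1 SCT (RFC 6962 3.2) received from <source> into *fields.
 *
 * fields->version, logid, timestamp, time, timestr, extensions, extlen,
 * hash_alg, sig_alg, sig and siglen are filled from the SCT bytes;
 * fields->sig and fields->extensions point into <sct>, so that buffer must
 * outlive *fields.  If cc is non-NULL the data the log signed is
 * reconstructed from cc->leaf into a malloc()ed buffer at
 * fields->signed_data; the caller releases it with sct_release().
 *
 * Every length read from the SCT is checked against the bytes remaining
 * before it is used; <sct> is untrusted input.
 *
 * @param source where the SCT came from, for logging only.
 * @param s      server, for logging.
 * @param sct    the raw SCT bytes.
 * @param len    number of bytes at sct.
 * @param cc     certificate chain the SCT belongs to, or NULL if unknown.
 * @param fields output; zeroed first.
 * @return APR_SUCCESS; APR_EINVAL if the SCT is truncated, an embedded
 *         length exceeds the remaining bytes, bytes follow the signature, or
 *         the signed data cannot be reconstructed; APR_ENOMEM if the signed
 *         data buffer cannot be allocated.  fields->signed_data is non-NULL
 *         only on APR_SUCCESS (asserted).
 */
apr_status_t sct_parse(const char *source,
                       server_rec *s, const unsigned char *sct,
                       apr_size_t len, cert_chain *cc,
                       sct_fields_t *fields)
{
    const unsigned char *cur;
    apr_size_t orig_len = len;
    apr_status_t rv;

    memset(fields, 0, sizeof *fields);

    /* fixed-size prefix: version(1) + log id + timestamp(8) */
    if (len < 1 + LOG_ID_SIZE + 8) {
        /* no room for header */
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                     APLOGNO(02768) "SCT size %" APR_SIZE_T_FMT " is too small",
                     len);
        return APR_EINVAL;
    }

    cur = sct;

    fields->version = *cur;
    cur++;
    len -= 1;
    memcpy(fields->logid, cur, LOG_ID_SIZE);
    cur += LOG_ID_SIZE;
    len -= LOG_ID_SIZE;
    rv = ctutil_deserialize_uint64(&cur, &len, &fields->timestamp);
    ap_assert(rv == APR_SUCCESS); /* 8 bytes guaranteed by the size check */

    fields->time = apr_time_from_msec(fields->timestamp);

    /* XXX maybe do this only if log level is such that we'll
     * use it later?
     */
    apr_rfc822_date(fields->timestr, fields->time);

    if (len < 2) {
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                     APLOGNO(02769) "SCT size %" APR_SIZE_T_FMT " has no space "
                     "for extension len", orig_len);
        return APR_EINVAL;
    }

    rv = ctutil_deserialize_uint16(&cur, &len, &fields->extlen);
    ap_assert(rv == APR_SUCCESS);

    if (fields->extlen != 0) {
        /* The extensions must fit in what is left; otherwise cur would be
         * advanced past the end of the SCT and len would wrap around.
         */
        if (fields->extlen > len) {
            ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                         APLOGNO(02770) "SCT size %" APR_SIZE_T_FMT " has no "
                         "space for %hu bytes of extensions",
                         orig_len, fields->extlen);
            return APR_EINVAL;
        }

        fields->extensions = cur;
        cur += fields->extlen;
        len -= fields->extlen;
    }
    /* else: fields->extensions stays NULL from the memset above */

    if (len < 4) {
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                     APLOGNO(02771) "SCT size %" APR_SIZE_T_FMT " has no space "
                     "for hash algorithm, signature algorithm, and "
                     "signature len",
                     orig_len);
        return APR_EINVAL;
    }

    fields->hash_alg = *cur;
    cur += 1;
    len -= 1;
    fields->sig_alg = *cur;
    cur += 1;
    len -= 1;
    rv = ctutil_deserialize_uint16(&cur, &len, &fields->siglen);
    ap_assert(rv == APR_SUCCESS);

    /* The signature is the last field and must fit in what is left;
     * a larger siglen would make sig point past the buffer.
     */
    if (fields->siglen > len) {
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                     APLOGNO(02772) "SCT has no space for signature");
        return APR_EINVAL;
    }
    if (fields->siglen < len) {
        /* Nothing may follow the signature in a well-formed SCT. */
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                     /* TODO: assign an APLOGNO */
                     "SCT size %" APR_SIZE_T_FMT " has %" APR_SIZE_T_FMT
                     " trailing bytes after signature",
                     orig_len, len - fields->siglen);
        return APR_EINVAL;
    }

    fields->sig = cur;

    if (cc) {
        /* If we have the server certificate, we can construct the
         * data over which the signature is computed.
         */
        rv = build_signed_data(s, cc, fields);
    }

    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
                 "SCT from %s: version %d timestamp %s hash alg %d sig alg %d",
                 source, fields->version, fields->timestr,
                 fields->hash_alg, fields->sig_alg);
#if AP_MODULE_MAGIC_AT_LEAST(20130702,2)
    ap_log_data(APLOG_MARK, APLOG_DEBUG, s, "Log Id",
                fields->logid, sizeof(fields->logid),
                AP_LOG_DATA_SHOW_OFFSET);
    ap_log_data(APLOG_MARK, APLOG_DEBUG, s, "Signature",
                fields->sig, fields->siglen,
                AP_LOG_DATA_SHOW_OFFSET);
#endif /* httpd has ap_log_*data() */

    ap_assert(!(fields->signed_data && rv != APR_SUCCESS));

    return rv;
}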
75f5c2db254c0167a0e396254460de09b775d203trawick
/* Release the reconstructed signed data owned by *sctf, if any.
 * Safe to call when nothing was reconstructed, and idempotent: signed_data
 * is reset to NULL.  The sig/extensions pointers into the original SCT
 * bytes are not owned by *sctf and are left alone. */
void sct_release(sct_fields_t *sctf)
{
    /* free(NULL) is a no-op, so no guard is needed; the cast drops the
     * qualifier the struct declares on signed_data. */
    free((void *)sctf->signed_data);
    sctf->signed_data = NULL;
}
75f5c2db254c0167a0e396254460de09b775d203trawick
/* Reject an SCT whose timestamp lies in the future relative to this host's
 * clock (no allowance is made for clock skew).
 *
 * Returns APR_SUCCESS if sctf->time is not later than now, otherwise logs
 * the SCT's timestamp string and returns APR_EINVAL. */
apr_status_t sct_verify_timestamp(conn_rec *c, sct_fields_t *sctf)
{
    apr_time_t now = apr_time_now();

    if (sctf->time <= now) {
        return APR_SUCCESS;
    }

    ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
                  APLOGNO(02775) "Server sent SCT not yet valid (timestamp "
                  "%s)",
                  sctf->timestr);
    return APR_EINVAL;
}