Gitiles
Code Review Sign In
192.168.1.100 / R306 / 2dbc1526a2b84342aa5d5d2a0b7c25c960d13710 / . / ap / lib / libssl / openssl-1.1.1o / crypto / pkcs7 / pk7_doit.c
blob: f63fbc50ea60ef4c8eb7820149f37ad41606d831 [file] [log] [blame]
yuezonghe824eb0c2024-06-27 02:32:26 -0700[diff] [blame]1/*
2 * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10#include <stdio.h>
11#include "internal/cryptlib.h"
12#include <openssl/rand.h>
13#include <openssl/objects.h>
14#include <openssl/x509.h>
15#include <openssl/x509v3.h>
16#include <openssl/err.h>
17
18static int add_attribute(STACK_OF(X509_ATTRIBUTE) **sk, int nid, int atrtype,
19 void *value);
20static ASN1_TYPE *get_attribute(STACK_OF(X509_ATTRIBUTE) *sk, int nid);
21
22static int PKCS7_type_is_other(PKCS7 *p7)
23{
24 int isOther = 1;
25
26 int nid = OBJ_obj2nid(p7->type);
27
28 switch (nid) {
29 case NID_pkcs7_data:
30 case NID_pkcs7_signed:
31 case NID_pkcs7_enveloped:
32 case NID_pkcs7_signedAndEnveloped:
33 case NID_pkcs7_digest:
34 case NID_pkcs7_encrypted:
35 isOther = 0;
36 break;
37 default:
38 isOther = 1;
39 }
40
41 return isOther;
42
43}
44
45static ASN1_OCTET_STRING *PKCS7_get_octet_string(PKCS7 *p7)
46{
47 if (PKCS7_type_is_data(p7))
48 return p7->d.data;
49 if (PKCS7_type_is_other(p7) && p7->d.other
50 && (p7->d.other->type == V_ASN1_OCTET_STRING))
51 return p7->d.other->value.octet_string;
52 return NULL;
53}
54
55static int PKCS7_bio_add_digest(BIO **pbio, X509_ALGOR *alg)
56{
57 BIO *btmp;
58 const EVP_MD *md;
59 if ((btmp = BIO_new(BIO_f_md())) == NULL) {
60 PKCS7err(PKCS7_F_PKCS7_BIO_ADD_DIGEST, ERR_R_BIO_LIB);
61 goto err;
62 }
63
64 md = EVP_get_digestbyobj(alg->algorithm);
65 if (md == NULL) {
66 PKCS7err(PKCS7_F_PKCS7_BIO_ADD_DIGEST, PKCS7_R_UNKNOWN_DIGEST_TYPE);
67 goto err;
68 }
69
70 BIO_set_md(btmp, md);
71 if (*pbio == NULL)
72 *pbio = btmp;
73 else if (!BIO_push(*pbio, btmp)) {
74 PKCS7err(PKCS7_F_PKCS7_BIO_ADD_DIGEST, ERR_R_BIO_LIB);
75 goto err;
76 }
77 btmp = NULL;
78
79 return 1;
80
81 err:
82 BIO_free(btmp);
83 return 0;
84
85}
86
87static int pkcs7_encode_rinfo(PKCS7_RECIP_INFO *ri,
88 unsigned char *key, int keylen)
89{
90 EVP_PKEY_CTX *pctx = NULL;
91 EVP_PKEY *pkey = NULL;
92 unsigned char *ek = NULL;
93 int ret = 0;
94 size_t eklen;
95
96 pkey = X509_get0_pubkey(ri->cert);
97
98 if (!pkey)
99 return 0;
100
101 pctx = EVP_PKEY_CTX_new(pkey, NULL);
102 if (!pctx)
103 return 0;
104
105 if (EVP_PKEY_encrypt_init(pctx) <= 0)
106 goto err;
107
108 if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_ENCRYPT,
109 EVP_PKEY_CTRL_PKCS7_ENCRYPT, 0, ri) <= 0) {
110 PKCS7err(PKCS7_F_PKCS7_ENCODE_RINFO, PKCS7_R_CTRL_ERROR);
111 goto err;
112 }
113
114 if (EVP_PKEY_encrypt(pctx, NULL, &eklen, key, keylen) <= 0)
115 goto err;
116
117 ek = OPENSSL_malloc(eklen);
118
119 if (ek == NULL) {
120 PKCS7err(PKCS7_F_PKCS7_ENCODE_RINFO, ERR_R_MALLOC_FAILURE);
121 goto err;
122 }
123
124 if (EVP_PKEY_encrypt(pctx, ek, &eklen, key, keylen) <= 0)
125 goto err;
126
127 ASN1_STRING_set0(ri->enc_key, ek, eklen);
128 ek = NULL;
129
130 ret = 1;
131
132 err:
133 EVP_PKEY_CTX_free(pctx);
134 OPENSSL_free(ek);
135 return ret;
136
137}
138
139static int pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen,
140 PKCS7_RECIP_INFO *ri, EVP_PKEY *pkey,
141 size_t fixlen)
142{
143 EVP_PKEY_CTX *pctx = NULL;
144 unsigned char *ek = NULL;
145 size_t eklen;
146
147 int ret = -1;
148
149 pctx = EVP_PKEY_CTX_new(pkey, NULL);
150 if (!pctx)
151 return -1;
152
153 if (EVP_PKEY_decrypt_init(pctx) <= 0)
154 goto err;
155
156 if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_DECRYPT,
157 EVP_PKEY_CTRL_PKCS7_DECRYPT, 0, ri) <= 0) {
158 PKCS7err(PKCS7_F_PKCS7_DECRYPT_RINFO, PKCS7_R_CTRL_ERROR);
159 goto err;
160 }
161
162 if (EVP_PKEY_decrypt(pctx, NULL, &eklen,
163 ri->enc_key->data, ri->enc_key->length) <= 0)
164 goto err;
165
166 ek = OPENSSL_malloc(eklen);
167
168 if (ek == NULL) {
169 PKCS7err(PKCS7_F_PKCS7_DECRYPT_RINFO, ERR_R_MALLOC_FAILURE);
170 goto err;
171 }
172
173 if (EVP_PKEY_decrypt(pctx, ek, &eklen,
174 ri->enc_key->data, ri->enc_key->length) <= 0
175 || eklen == 0
176 || (fixlen != 0 && eklen != fixlen)) {
177 ret = 0;
178 PKCS7err(PKCS7_F_PKCS7_DECRYPT_RINFO, ERR_R_EVP_LIB);
179 goto err;
180 }
181
182 ret = 1;
183
184 OPENSSL_clear_free(*pek, *peklen);
185 *pek = ek;
186 *peklen = eklen;
187
188 err:
189 EVP_PKEY_CTX_free(pctx);
190 if (!ret)
191 OPENSSL_free(ek);
192
193 return ret;
194}
195
196BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio)
197{
198 int i;
199 BIO *out = NULL, *btmp = NULL;
200 X509_ALGOR *xa = NULL;
201 const EVP_CIPHER *evp_cipher = NULL;
202 STACK_OF(X509_ALGOR) *md_sk = NULL;
203 STACK_OF(PKCS7_RECIP_INFO) *rsk = NULL;
204 X509_ALGOR *xalg = NULL;
205 PKCS7_RECIP_INFO *ri = NULL;
206 ASN1_OCTET_STRING *os = NULL;
207
208 if (p7 == NULL) {
209 PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_INVALID_NULL_POINTER);
210 return NULL;
211 }
212 /*
213 * The content field in the PKCS7 ContentInfo is optional, but that really
214 * only applies to inner content (precisely, detached signatures).
215 *
216 * When reading content, missing outer content is therefore treated as an
217 * error.
218 *
219 * When creating content, PKCS7_content_new() must be called before
220 * calling this method, so a NULL p7->d is always an error.
221 */
222 if (p7->d.ptr == NULL) {
223 PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_NO_CONTENT);
224 return NULL;
225 }
226
227 i = OBJ_obj2nid(p7->type);
228 p7->state = PKCS7_S_HEADER;
229
230 switch (i) {
231 case NID_pkcs7_signed:
232 md_sk = p7->d.sign->md_algs;
233 os = PKCS7_get_octet_string(p7->d.sign->contents);
234 break;
235 case NID_pkcs7_signedAndEnveloped:
236 rsk = p7->d.signed_and_enveloped->recipientinfo;
237 md_sk = p7->d.signed_and_enveloped->md_algs;
238 xalg = p7->d.signed_and_enveloped->enc_data->algorithm;
239 evp_cipher = p7->d.signed_and_enveloped->enc_data->cipher;
240 if (evp_cipher == NULL) {
241 PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_CIPHER_NOT_INITIALIZED);
242 goto err;
243 }
244 break;
245 case NID_pkcs7_enveloped:
246 rsk = p7->d.enveloped->recipientinfo;
247 xalg = p7->d.enveloped->enc_data->algorithm;
248 evp_cipher = p7->d.enveloped->enc_data->cipher;
249 if (evp_cipher == NULL) {
250 PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_CIPHER_NOT_INITIALIZED);
251 goto err;
252 }
253 break;
254 case NID_pkcs7_digest:
255 xa = p7->d.digest->md;
256 os = PKCS7_get_octet_string(p7->d.digest->contents);
257 break;
258 case NID_pkcs7_data:
259 break;
260 default:
261 PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_UNSUPPORTED_CONTENT_TYPE);
262 goto err;
263 }
264
265 for (i = 0; i < sk_X509_ALGOR_num(md_sk); i++)
266 if (!PKCS7_bio_add_digest(&out, sk_X509_ALGOR_value(md_sk, i)))
267 goto err;
268
269 if (xa && !PKCS7_bio_add_digest(&out, xa))
270 goto err;
271
272 if (evp_cipher != NULL) {
273 unsigned char key[EVP_MAX_KEY_LENGTH];
274 unsigned char iv[EVP_MAX_IV_LENGTH];
275 int keylen, ivlen;
276 EVP_CIPHER_CTX *ctx;
277
278 if ((btmp = BIO_new(BIO_f_cipher())) == NULL) {
279 PKCS7err(PKCS7_F_PKCS7_DATAINIT, ERR_R_BIO_LIB);
280 goto err;
281 }
282 BIO_get_cipher_ctx(btmp, &ctx);
283 keylen = EVP_CIPHER_key_length(evp_cipher);
284 ivlen = EVP_CIPHER_iv_length(evp_cipher);
285 xalg->algorithm = OBJ_nid2obj(EVP_CIPHER_type(evp_cipher));
286 if (ivlen > 0)
287 if (RAND_bytes(iv, ivlen) <= 0)
288 goto err;
289 if (EVP_CipherInit_ex(ctx, evp_cipher, NULL, NULL, NULL, 1) <= 0)
290 goto err;
291 if (EVP_CIPHER_CTX_rand_key(ctx, key) <= 0)
292 goto err;
293 if (EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, 1) <= 0)
294 goto err;
295
296 if (ivlen > 0) {
297 if (xalg->parameter == NULL) {
298 xalg->parameter = ASN1_TYPE_new();
299 if (xalg->parameter == NULL)
300 goto err;
301 }
302 if (EVP_CIPHER_param_to_asn1(ctx, xalg->parameter) < 0)
303 goto err;
304 }
305
306 /* Lets do the pub key stuff :-) */
307 for (i = 0; i < sk_PKCS7_RECIP_INFO_num(rsk); i++) {
308 ri = sk_PKCS7_RECIP_INFO_value(rsk, i);
309 if (pkcs7_encode_rinfo(ri, key, keylen) <= 0)
310 goto err;
311 }
312 OPENSSL_cleanse(key, keylen);
313
314 if (out == NULL)
315 out = btmp;
316 else
317 BIO_push(out, btmp);
318 btmp = NULL;
319 }
320
321 if (bio == NULL) {
322 if (PKCS7_is_detached(p7)) {
323 bio = BIO_new(BIO_s_null());
324 } else if (os && os->length > 0) {
325 bio = BIO_new_mem_buf(os->data, os->length);
326 } else {
327 bio = BIO_new(BIO_s_mem());
328 if (bio == NULL)
329 goto err;
330 BIO_set_mem_eof_return(bio, 0);
331 }
332 if (bio == NULL)
333 goto err;
334 }
335 if (out)
336 BIO_push(out, bio);
337 else
338 out = bio;
339 return out;
340
341 err:
342 BIO_free_all(out);
343 BIO_free_all(btmp);
344 return NULL;
345}
346
347static int pkcs7_cmp_ri(PKCS7_RECIP_INFO *ri, X509 *pcert)
348{
349 int ret;
350 ret = X509_NAME_cmp(ri->issuer_and_serial->issuer,
351 X509_get_issuer_name(pcert));
352 if (ret)
353 return ret;
354 return ASN1_INTEGER_cmp(X509_get_serialNumber(pcert),
355 ri->issuer_and_serial->serial);
356}
357
358/* int */
359BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
360{
361 int i, j;
362 BIO *out = NULL, *btmp = NULL, *etmp = NULL, *bio = NULL;
363 X509_ALGOR *xa;
364 ASN1_OCTET_STRING *data_body = NULL;
365 const EVP_MD *evp_md;
366 const EVP_CIPHER *evp_cipher = NULL;
367 EVP_CIPHER_CTX *evp_ctx = NULL;
368 X509_ALGOR *enc_alg = NULL;
369 STACK_OF(X509_ALGOR) *md_sk = NULL;
370 STACK_OF(PKCS7_RECIP_INFO) *rsk = NULL;
371 PKCS7_RECIP_INFO *ri = NULL;
372 unsigned char *ek = NULL, *tkey = NULL;
373 int eklen = 0, tkeylen = 0;
374
375 if (p7 == NULL) {
376 PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_INVALID_NULL_POINTER);
377 return NULL;
378 }
379
380 if (p7->d.ptr == NULL) {
381 PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_NO_CONTENT);
382 return NULL;
383 }
384
385 i = OBJ_obj2nid(p7->type);
386 p7->state = PKCS7_S_HEADER;
387
388 switch (i) {
389 case NID_pkcs7_signed:
390 /*
391 * p7->d.sign->contents is a PKCS7 structure consisting of a contentType
392 * field and optional content.
393 * data_body is NULL if that structure has no (=detached) content
394 * or if the contentType is wrong (i.e., not "data").
395 */
396 data_body = PKCS7_get_octet_string(p7->d.sign->contents);
397 if (!PKCS7_is_detached(p7) && data_body == NULL) {
398 PKCS7err(PKCS7_F_PKCS7_DATADECODE,
399 PKCS7_R_INVALID_SIGNED_DATA_TYPE);
400 goto err;
401 }
402 md_sk = p7->d.sign->md_algs;
403 break;
404 case NID_pkcs7_signedAndEnveloped:
405 rsk = p7->d.signed_and_enveloped->recipientinfo;
406 md_sk = p7->d.signed_and_enveloped->md_algs;
407 /* data_body is NULL if the optional EncryptedContent is missing. */
408 data_body = p7->d.signed_and_enveloped->enc_data->enc_data;
409 enc_alg = p7->d.signed_and_enveloped->enc_data->algorithm;
410 evp_cipher = EVP_get_cipherbyobj(enc_alg->algorithm);
411 if (evp_cipher == NULL) {
412 PKCS7err(PKCS7_F_PKCS7_DATADECODE,
413 PKCS7_R_UNSUPPORTED_CIPHER_TYPE);
414 goto err;
415 }
416 break;
417 case NID_pkcs7_enveloped:
418 rsk = p7->d.enveloped->recipientinfo;
419 enc_alg = p7->d.enveloped->enc_data->algorithm;
420 /* data_body is NULL if the optional EncryptedContent is missing. */
421 data_body = p7->d.enveloped->enc_data->enc_data;
422 evp_cipher = EVP_get_cipherbyobj(enc_alg->algorithm);
423 if (evp_cipher == NULL) {
424 PKCS7err(PKCS7_F_PKCS7_DATADECODE,
425 PKCS7_R_UNSUPPORTED_CIPHER_TYPE);
426 goto err;
427 }
428 break;
429 default:
430 PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_UNSUPPORTED_CONTENT_TYPE);
431 goto err;
432 }
433
434 /* Detached content must be supplied via in_bio instead. */
435 if (data_body == NULL && in_bio == NULL) {
436 PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_NO_CONTENT);
437 goto err;
438 }
439
440 /* We will be checking the signature */
441 if (md_sk != NULL) {
442 for (i = 0; i < sk_X509_ALGOR_num(md_sk); i++) {
443 xa = sk_X509_ALGOR_value(md_sk, i);
444 if ((btmp = BIO_new(BIO_f_md())) == NULL) {
445 PKCS7err(PKCS7_F_PKCS7_DATADECODE, ERR_R_BIO_LIB);
446 goto err;
447 }
448
449 j = OBJ_obj2nid(xa->algorithm);
450 evp_md = EVP_get_digestbynid(j);
451 if (evp_md == NULL) {
452 PKCS7err(PKCS7_F_PKCS7_DATADECODE,
453 PKCS7_R_UNKNOWN_DIGEST_TYPE);
454 goto err;
455 }
456
457 BIO_set_md(btmp, evp_md);
458 if (out == NULL)
459 out = btmp;
460 else
461 BIO_push(out, btmp);
462 btmp = NULL;
463 }
464 }
465
466 if (evp_cipher != NULL) {
467 if ((etmp = BIO_new(BIO_f_cipher())) == NULL) {
468 PKCS7err(PKCS7_F_PKCS7_DATADECODE, ERR_R_BIO_LIB);
469 goto err;
470 }
471
472 /*
473 * It was encrypted, we need to decrypt the secret key with the
474 * private key
475 */
476
477 /*
478 * Find the recipientInfo which matches the passed certificate (if
479 * any)
480 */
481
482 if (pcert) {
483 for (i = 0; i < sk_PKCS7_RECIP_INFO_num(rsk); i++) {
484 ri = sk_PKCS7_RECIP_INFO_value(rsk, i);
485 if (!pkcs7_cmp_ri(ri, pcert))
486 break;
487 ri = NULL;
488 }
489 if (ri == NULL) {
490 PKCS7err(PKCS7_F_PKCS7_DATADECODE,
491 PKCS7_R_NO_RECIPIENT_MATCHES_CERTIFICATE);
492 goto err;
493 }
494 }
495
496 /* If we haven't got a certificate try each ri in turn */
497 if (pcert == NULL) {
498 /*
499 * Always attempt to decrypt all rinfo even after success as a
500 * defence against MMA timing attacks.
501 */
502 for (i = 0; i < sk_PKCS7_RECIP_INFO_num(rsk); i++) {
503 ri = sk_PKCS7_RECIP_INFO_value(rsk, i);
504
505 if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey,
506 EVP_CIPHER_key_length(evp_cipher)) < 0)
507 goto err;
508 ERR_clear_error();
509 }
510 } else {
511 /* Only exit on fatal errors, not decrypt failure */
512 if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey, 0) < 0)
513 goto err;
514 ERR_clear_error();
515 }
516
517 evp_ctx = NULL;
518 BIO_get_cipher_ctx(etmp, &evp_ctx);
519 if (EVP_CipherInit_ex(evp_ctx, evp_cipher, NULL, NULL, NULL, 0) <= 0)
520 goto err;
521 if (EVP_CIPHER_asn1_to_param(evp_ctx, enc_alg->parameter) < 0)
522 goto err;
523 /* Generate random key as MMA defence */
524 tkeylen = EVP_CIPHER_CTX_key_length(evp_ctx);
525 tkey = OPENSSL_malloc(tkeylen);
526 if (tkey == NULL)
527 goto err;
528 if (EVP_CIPHER_CTX_rand_key(evp_ctx, tkey) <= 0)
529 goto err;
530 if (ek == NULL) {
531 ek = tkey;
532 eklen = tkeylen;
533 tkey = NULL;
534 }
535
536 if (eklen != EVP_CIPHER_CTX_key_length(evp_ctx)) {
537 /*
538 * Some S/MIME clients don't use the same key and effective key
539 * length. The key length is determined by the size of the
540 * decrypted RSA key.
541 */
542 if (!EVP_CIPHER_CTX_set_key_length(evp_ctx, eklen)) {
543 /* Use random key as MMA defence */
544 OPENSSL_clear_free(ek, eklen);
545 ek = tkey;
546 eklen = tkeylen;
547 tkey = NULL;
548 }
549 }
550 /* Clear errors so we don't leak information useful in MMA */
551 ERR_clear_error();
552 if (EVP_CipherInit_ex(evp_ctx, NULL, NULL, ek, NULL, 0) <= 0)
553 goto err;
554
555 OPENSSL_clear_free(ek, eklen);
556 ek = NULL;
557 OPENSSL_clear_free(tkey, tkeylen);
558 tkey = NULL;
559
560 if (out == NULL)
561 out = etmp;
562 else
563 BIO_push(out, etmp);
564 etmp = NULL;
565 }
566 if (in_bio != NULL) {
567 bio = in_bio;
568 } else {
569 if (data_body->length > 0)
570 bio = BIO_new_mem_buf(data_body->data, data_body->length);
571 else {
572 bio = BIO_new(BIO_s_mem());
573 if (bio == NULL)
574 goto err;
575 BIO_set_mem_eof_return(bio, 0);
576 }
577 if (bio == NULL)
578 goto err;
579 }
580 BIO_push(out, bio);
581 bio = NULL;
582 return out;
583
584 err:
585 OPENSSL_clear_free(ek, eklen);
586 OPENSSL_clear_free(tkey, tkeylen);
587 BIO_free_all(out);
588 BIO_free_all(btmp);
589 BIO_free_all(etmp);
590 BIO_free_all(bio);
591 return NULL;
592}
593
594static BIO *PKCS7_find_digest(EVP_MD_CTX **pmd, BIO *bio, int nid)
595{
596 for (;;) {
597 bio = BIO_find_type(bio, BIO_TYPE_MD);
598 if (bio == NULL) {
599 PKCS7err(PKCS7_F_PKCS7_FIND_DIGEST,
600 PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST);
601 return NULL;
602 }
603 BIO_get_md_ctx(bio, pmd);
604 if (*pmd == NULL) {
605 PKCS7err(PKCS7_F_PKCS7_FIND_DIGEST, ERR_R_INTERNAL_ERROR);
606 return NULL;
607 }
608 if (EVP_MD_CTX_type(*pmd) == nid)
609 return bio;
610 bio = BIO_next(bio);
611 }
612 return NULL;
613}
614
615static int do_pkcs7_signed_attrib(PKCS7_SIGNER_INFO *si, EVP_MD_CTX *mctx)
616{
617 unsigned char md_data[EVP_MAX_MD_SIZE];
618 unsigned int md_len;
619
620 /* Add signing time if not already present */
621 if (!PKCS7_get_signed_attribute(si, NID_pkcs9_signingTime)) {
622 if (!PKCS7_add0_attrib_signing_time(si, NULL)) {
623 PKCS7err(PKCS7_F_DO_PKCS7_SIGNED_ATTRIB, ERR_R_MALLOC_FAILURE);
624 return 0;
625 }
626 }
627
628 /* Add digest */
629 if (!EVP_DigestFinal_ex(mctx, md_data, &md_len)) {
630 PKCS7err(PKCS7_F_DO_PKCS7_SIGNED_ATTRIB, ERR_R_EVP_LIB);
631 return 0;
632 }
633 if (!PKCS7_add1_attrib_digest(si, md_data, md_len)) {
634 PKCS7err(PKCS7_F_DO_PKCS7_SIGNED_ATTRIB, ERR_R_MALLOC_FAILURE);
635 return 0;
636 }
637
638 /* Now sign the attributes */
639 if (!PKCS7_SIGNER_INFO_sign(si))
640 return 0;
641
642 return 1;
643}
644
645int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
646{
647 int ret = 0;
648 int i, j;
649 BIO *btmp;
650 PKCS7_SIGNER_INFO *si;
651 EVP_MD_CTX *mdc, *ctx_tmp;
652 STACK_OF(X509_ATTRIBUTE) *sk;
653 STACK_OF(PKCS7_SIGNER_INFO) *si_sk = NULL;
654 ASN1_OCTET_STRING *os = NULL;
655
656 if (p7 == NULL) {
657 PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_INVALID_NULL_POINTER);
658 return 0;
659 }
660
661 if (p7->d.ptr == NULL) {
662 PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_NO_CONTENT);
663 return 0;
664 }
665
666 ctx_tmp = EVP_MD_CTX_new();
667 if (ctx_tmp == NULL) {
668 PKCS7err(PKCS7_F_PKCS7_DATAFINAL, ERR_R_MALLOC_FAILURE);
669 return 0;
670 }
671
672 i = OBJ_obj2nid(p7->type);
673 p7->state = PKCS7_S_HEADER;
674
675 switch (i) {
676 case NID_pkcs7_data:
677 os = p7->d.data;
678 break;
679 case NID_pkcs7_signedAndEnveloped:
680 /* XXXXXXXXXXXXXXXX */
681 si_sk = p7->d.signed_and_enveloped->signer_info;
682 os = p7->d.signed_and_enveloped->enc_data->enc_data;
683 if (os == NULL) {
684 os = ASN1_OCTET_STRING_new();
685 if (os == NULL) {
686 PKCS7err(PKCS7_F_PKCS7_DATAFINAL, ERR_R_MALLOC_FAILURE);
687 goto err;
688 }
689 p7->d.signed_and_enveloped->enc_data->enc_data = os;
690 }
691 break;
692 case NID_pkcs7_enveloped:
693 /* XXXXXXXXXXXXXXXX */
694 os = p7->d.enveloped->enc_data->enc_data;
695 if (os == NULL) {
696 os = ASN1_OCTET_STRING_new();
697 if (os == NULL) {
698 PKCS7err(PKCS7_F_PKCS7_DATAFINAL, ERR_R_MALLOC_FAILURE);
699 goto err;
700 }
701 p7->d.enveloped->enc_data->enc_data = os;
702 }
703 break;
704 case NID_pkcs7_signed:
705 si_sk = p7->d.sign->signer_info;
706 os = PKCS7_get_octet_string(p7->d.sign->contents);
707 /* If detached data then the content is excluded */
708 if (PKCS7_type_is_data(p7->d.sign->contents) && p7->detached) {
709 ASN1_OCTET_STRING_free(os);
710 os = NULL;
711 p7->d.sign->contents->d.data = NULL;
712 }
713 break;
714
715 case NID_pkcs7_digest:
716 os = PKCS7_get_octet_string(p7->d.digest->contents);
717 /* If detached data then the content is excluded */
718 if (PKCS7_type_is_data(p7->d.digest->contents) && p7->detached) {
719 ASN1_OCTET_STRING_free(os);
720 os = NULL;
721 p7->d.digest->contents->d.data = NULL;
722 }
723 break;
724
725 default:
726 PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_UNSUPPORTED_CONTENT_TYPE);
727 goto err;
728 }
729
730 if (si_sk != NULL) {
731 for (i = 0; i < sk_PKCS7_SIGNER_INFO_num(si_sk); i++) {
732 si = sk_PKCS7_SIGNER_INFO_value(si_sk, i);
733 if (si->pkey == NULL)
734 continue;
735
736 j = OBJ_obj2nid(si->digest_alg->algorithm);
737
738 btmp = bio;
739
740 btmp = PKCS7_find_digest(&mdc, btmp, j);
741
742 if (btmp == NULL)
743 goto err;
744
745 /*
746 * We now have the EVP_MD_CTX, lets do the signing.
747 */
748 if (!EVP_MD_CTX_copy_ex(ctx_tmp, mdc))
749 goto err;
750
751 sk = si->auth_attr;
752
753 /*
754 * If there are attributes, we add the digest attribute and only
755 * sign the attributes
756 */
757 if (sk_X509_ATTRIBUTE_num(sk) > 0) {
758 if (!do_pkcs7_signed_attrib(si, ctx_tmp))
759 goto err;
760 } else {
761 unsigned char *abuf = NULL;
762 unsigned int abuflen;
763 abuflen = EVP_PKEY_size(si->pkey);
764 abuf = OPENSSL_malloc(abuflen);
765 if (abuf == NULL)
766 goto err;
767
768 if (!EVP_SignFinal(ctx_tmp, abuf, &abuflen, si->pkey)) {
769 OPENSSL_free(abuf);
770 PKCS7err(PKCS7_F_PKCS7_DATAFINAL, ERR_R_EVP_LIB);
771 goto err;
772 }
773 ASN1_STRING_set0(si->enc_digest, abuf, abuflen);
774 }
775 }
776 } else if (i == NID_pkcs7_digest) {
777 unsigned char md_data[EVP_MAX_MD_SIZE];
778 unsigned int md_len;
779 if (!PKCS7_find_digest(&mdc, bio,
780 OBJ_obj2nid(p7->d.digest->md->algorithm)))
781 goto err;
782 if (!EVP_DigestFinal_ex(mdc, md_data, &md_len))
783 goto err;
784 if (!ASN1_OCTET_STRING_set(p7->d.digest->digest, md_data, md_len))
785 goto err;
786 }
787
788 if (!PKCS7_is_detached(p7)) {
789 /*
790 * NOTE(emilia): I think we only reach os == NULL here because detached
791 * digested data support is broken.
792 */
793 if (os == NULL)
794 goto err;
795 if (!(os->flags & ASN1_STRING_FLAG_NDEF)) {
796 char *cont;
797 long contlen;
798 btmp = BIO_find_type(bio, BIO_TYPE_MEM);
799 if (btmp == NULL) {
800 PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_UNABLE_TO_FIND_MEM_BIO);
801 goto err;
802 }
803 contlen = BIO_get_mem_data(btmp, &cont);
804 /*
805 * Mark the BIO read only then we can use its copy of the data
806 * instead of making an extra copy.
807 */
808 BIO_set_flags(btmp, BIO_FLAGS_MEM_RDONLY);
809 BIO_set_mem_eof_return(btmp, 0);
810 ASN1_STRING_set0(os, (unsigned char *)cont, contlen);
811 }
812 }
813 ret = 1;
814 err:
815 EVP_MD_CTX_free(ctx_tmp);
816 return ret;
817}
818
819int PKCS7_SIGNER_INFO_sign(PKCS7_SIGNER_INFO *si)
820{
821 EVP_MD_CTX *mctx;
822 EVP_PKEY_CTX *pctx = NULL;
823 unsigned char *abuf = NULL;
824 int alen;
825 size_t siglen;
826 const EVP_MD *md = NULL;
827
828 md = EVP_get_digestbyobj(si->digest_alg->algorithm);
829 if (md == NULL)
830 return 0;
831
832 mctx = EVP_MD_CTX_new();
833 if (mctx == NULL) {
834 PKCS7err(PKCS7_F_PKCS7_SIGNER_INFO_SIGN, ERR_R_MALLOC_FAILURE);
835 goto err;
836 }
837
838 if (EVP_DigestSignInit(mctx, &pctx, md, NULL, si->pkey) <= 0)
839 goto err;
840
841 if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN,
842 EVP_PKEY_CTRL_PKCS7_SIGN, 0, si) <= 0) {
843 PKCS7err(PKCS7_F_PKCS7_SIGNER_INFO_SIGN, PKCS7_R_CTRL_ERROR);
844 goto err;
845 }
846
847 alen = ASN1_item_i2d((ASN1_VALUE *)si->auth_attr, &abuf,
848 ASN1_ITEM_rptr(PKCS7_ATTR_SIGN));
849 if (!abuf)
850 goto err;
851 if (EVP_DigestSignUpdate(mctx, abuf, alen) <= 0)
852 goto err;
853 OPENSSL_free(abuf);
854 abuf = NULL;
855 if (EVP_DigestSignFinal(mctx, NULL, &siglen) <= 0)
856 goto err;
857 abuf = OPENSSL_malloc(siglen);
858 if (abuf == NULL)
859 goto err;
860 if (EVP_DigestSignFinal(mctx, abuf, &siglen) <= 0)
861 goto err;
862
863 if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN,
864 EVP_PKEY_CTRL_PKCS7_SIGN, 1, si) <= 0) {
865 PKCS7err(PKCS7_F_PKCS7_SIGNER_INFO_SIGN, PKCS7_R_CTRL_ERROR);
866 goto err;
867 }
868
869 EVP_MD_CTX_free(mctx);
870
871 ASN1_STRING_set0(si->enc_digest, abuf, siglen);
872
873 return 1;
874
875 err:
876 OPENSSL_free(abuf);
877 EVP_MD_CTX_free(mctx);
878 return 0;
879
880}
881
882int PKCS7_dataVerify(X509_STORE *cert_store, X509_STORE_CTX *ctx, BIO *bio,
883 PKCS7 *p7, PKCS7_SIGNER_INFO *si)
884{
885 PKCS7_ISSUER_AND_SERIAL *ias;
886 int ret = 0, i;
887 STACK_OF(X509) *cert;
888 X509 *x509;
889
890 if (p7 == NULL) {
891 PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_INVALID_NULL_POINTER);
892 return 0;
893 }
894
895 if (p7->d.ptr == NULL) {
896 PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_NO_CONTENT);
897 return 0;
898 }
899
900 if (PKCS7_type_is_signed(p7)) {
901 cert = p7->d.sign->cert;
902 } else if (PKCS7_type_is_signedAndEnveloped(p7)) {
903 cert = p7->d.signed_and_enveloped->cert;
904 } else {
905 PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_WRONG_PKCS7_TYPE);
906 goto err;
907 }
908 /* XXXXXXXXXXXXXXXXXXXXXXX */
909 ias = si->issuer_and_serial;
910
911 x509 = X509_find_by_issuer_and_serial(cert, ias->issuer, ias->serial);
912
913 /* were we able to find the cert in passed to us */
914 if (x509 == NULL) {
915 PKCS7err(PKCS7_F_PKCS7_DATAVERIFY,
916 PKCS7_R_UNABLE_TO_FIND_CERTIFICATE);
917 goto err;
918 }
919
920 /* Lets verify */
921 if (!X509_STORE_CTX_init(ctx, cert_store, x509, cert)) {
922 PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, ERR_R_X509_LIB);
923 goto err;
924 }
925 X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_SMIME_SIGN);
926 i = X509_verify_cert(ctx);
927 if (i <= 0) {
928 PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, ERR_R_X509_LIB);
929 X509_STORE_CTX_cleanup(ctx);
930 goto err;
931 }
932 X509_STORE_CTX_cleanup(ctx);
933
934 return PKCS7_signatureVerify(bio, p7, si, x509);
935 err:
936 return ret;
937}
938
939int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si,
940 X509 *x509)
941{
942 ASN1_OCTET_STRING *os;
943 EVP_MD_CTX *mdc_tmp, *mdc;
944 int ret = 0, i;
945 int md_type;
946 STACK_OF(X509_ATTRIBUTE) *sk;
947 BIO *btmp;
948 EVP_PKEY *pkey;
949
950 mdc_tmp = EVP_MD_CTX_new();
951 if (mdc_tmp == NULL) {
952 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, ERR_R_MALLOC_FAILURE);
953 goto err;
954 }
955
956 if (!PKCS7_type_is_signed(p7) && !PKCS7_type_is_signedAndEnveloped(p7)) {
957 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, PKCS7_R_WRONG_PKCS7_TYPE);
958 goto err;
959 }
960
961 md_type = OBJ_obj2nid(si->digest_alg->algorithm);
962
963 btmp = bio;
964 for (;;) {
965 if ((btmp == NULL) ||
966 ((btmp = BIO_find_type(btmp, BIO_TYPE_MD)) == NULL)) {
967 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY,
968 PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST);
969 goto err;
970 }
971 BIO_get_md_ctx(btmp, &mdc);
972 if (mdc == NULL) {
973 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, ERR_R_INTERNAL_ERROR);
974 goto err;
975 }
976 if (EVP_MD_CTX_type(mdc) == md_type)
977 break;
978 /*
979 * Workaround for some broken clients that put the signature OID
980 * instead of the digest OID in digest_alg->algorithm
981 */
982 if (EVP_MD_pkey_type(EVP_MD_CTX_md(mdc)) == md_type)
983 break;
984 btmp = BIO_next(btmp);
985 }
986
987 /*
988 * mdc is the digest ctx that we want, unless there are attributes, in
989 * which case the digest is the signed attributes
990 */
991 if (!EVP_MD_CTX_copy_ex(mdc_tmp, mdc))
992 goto err;
993
994 sk = si->auth_attr;
995 if ((sk != NULL) && (sk_X509_ATTRIBUTE_num(sk) != 0)) {
996 unsigned char md_dat[EVP_MAX_MD_SIZE], *abuf = NULL;
997 unsigned int md_len;
998 int alen;
999 ASN1_OCTET_STRING *message_digest;
1000
1001 if (!EVP_DigestFinal_ex(mdc_tmp, md_dat, &md_len))
1002 goto err;
1003 message_digest = PKCS7_digest_from_attributes(sk);
1004 if (!message_digest) {
1005 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY,
1006 PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST);
1007 goto err;
1008 }
1009 if ((message_digest->length != (int)md_len) ||
1010 (memcmp(message_digest->data, md_dat, md_len))) {
1011 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, PKCS7_R_DIGEST_FAILURE);
1012 ret = -1;
1013 goto err;
1014 }
1015
1016 if (!EVP_VerifyInit_ex(mdc_tmp, EVP_get_digestbynid(md_type), NULL))
1017 goto err;
1018
1019 alen = ASN1_item_i2d((ASN1_VALUE *)sk, &abuf,
1020 ASN1_ITEM_rptr(PKCS7_ATTR_VERIFY));
1021 if (alen <= 0) {
1022 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, ERR_R_ASN1_LIB);
1023 ret = -1;
1024 goto err;
1025 }
1026 if (!EVP_VerifyUpdate(mdc_tmp, abuf, alen))
1027 goto err;
1028
1029 OPENSSL_free(abuf);
1030 }
1031
1032 os = si->enc_digest;
1033 pkey = X509_get0_pubkey(x509);
1034 if (!pkey) {
1035 ret = -1;
1036 goto err;
1037 }
1038
1039 i = EVP_VerifyFinal(mdc_tmp, os->data, os->length, pkey);
1040 if (i <= 0) {
1041 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, PKCS7_R_SIGNATURE_FAILURE);
1042 ret = -1;
1043 goto err;
1044 }
1045 ret = 1;
1046 err:
1047 EVP_MD_CTX_free(mdc_tmp);
1048 return ret;
1049}
1050
1051PKCS7_ISSUER_AND_SERIAL *PKCS7_get_issuer_and_serial(PKCS7 *p7, int idx)
1052{
1053 STACK_OF(PKCS7_RECIP_INFO) *rsk;
1054 PKCS7_RECIP_INFO *ri;
1055 int i;
1056
1057 i = OBJ_obj2nid(p7->type);
1058 if (i != NID_pkcs7_signedAndEnveloped)
1059 return NULL;
1060 if (p7->d.signed_and_enveloped == NULL)
1061 return NULL;
1062 rsk = p7->d.signed_and_enveloped->recipientinfo;
1063 if (rsk == NULL)
1064 return NULL;
1065 if (sk_PKCS7_RECIP_INFO_num(rsk) <= idx)
1066 return NULL;
1067 ri = sk_PKCS7_RECIP_INFO_value(rsk, idx);
1068 return ri->issuer_and_serial;
1069}
1070
1071ASN1_TYPE *PKCS7_get_signed_attribute(PKCS7_SIGNER_INFO *si, int nid)
1072{
1073 return get_attribute(si->auth_attr, nid);
1074}
1075
1076ASN1_TYPE *PKCS7_get_attribute(PKCS7_SIGNER_INFO *si, int nid)
1077{
1078 return get_attribute(si->unauth_attr, nid);
1079}
1080
1081static ASN1_TYPE *get_attribute(STACK_OF(X509_ATTRIBUTE) *sk, int nid)
1082{
1083 int idx;
1084 X509_ATTRIBUTE *xa;
1085 idx = X509at_get_attr_by_NID(sk, nid, -1);
1086 xa = X509at_get_attr(sk, idx);
1087 return X509_ATTRIBUTE_get0_type(xa, 0);
1088}
1089
1090ASN1_OCTET_STRING *PKCS7_digest_from_attributes(STACK_OF(X509_ATTRIBUTE) *sk)
1091{
1092 ASN1_TYPE *astype;
1093 if ((astype = get_attribute(sk, NID_pkcs9_messageDigest)) == NULL)
1094 return NULL;
1095 return astype->value.octet_string;
1096}
1097
1098int PKCS7_set_signed_attributes(PKCS7_SIGNER_INFO *p7si,
1099 STACK_OF(X509_ATTRIBUTE) *sk)
1100{
1101 int i;
1102
1103 sk_X509_ATTRIBUTE_pop_free(p7si->auth_attr, X509_ATTRIBUTE_free);
1104 p7si->auth_attr = sk_X509_ATTRIBUTE_dup(sk);
1105 if (p7si->auth_attr == NULL)
1106 return 0;
1107 for (i = 0; i < sk_X509_ATTRIBUTE_num(sk); i++) {
1108 if ((sk_X509_ATTRIBUTE_set(p7si->auth_attr, i,
1109 X509_ATTRIBUTE_dup(sk_X509_ATTRIBUTE_value
1110 (sk, i))))
1111 == NULL)
1112 return 0;
1113 }
1114 return 1;
1115}
1116
1117int PKCS7_set_attributes(PKCS7_SIGNER_INFO *p7si,
1118 STACK_OF(X509_ATTRIBUTE) *sk)
1119{
1120 int i;
1121
1122 sk_X509_ATTRIBUTE_pop_free(p7si->unauth_attr, X509_ATTRIBUTE_free);
1123 p7si->unauth_attr = sk_X509_ATTRIBUTE_dup(sk);
1124 if (p7si->unauth_attr == NULL)
1125 return 0;
1126 for (i = 0; i < sk_X509_ATTRIBUTE_num(sk); i++) {
1127 if ((sk_X509_ATTRIBUTE_set(p7si->unauth_attr, i,
1128 X509_ATTRIBUTE_dup(sk_X509_ATTRIBUTE_value
1129 (sk, i))))
1130 == NULL)
1131 return 0;
1132 }
1133 return 1;
1134}
1135
1136int PKCS7_add_signed_attribute(PKCS7_SIGNER_INFO *p7si, int nid, int atrtype,
1137 void *value)
1138{
1139 return add_attribute(&(p7si->auth_attr), nid, atrtype, value);
1140}
1141
1142int PKCS7_add_attribute(PKCS7_SIGNER_INFO *p7si, int nid, int atrtype,
1143 void *value)
1144{
1145 return add_attribute(&(p7si->unauth_attr), nid, atrtype, value);
1146}
1147
1148static int add_attribute(STACK_OF(X509_ATTRIBUTE) **sk, int nid, int atrtype,
1149 void *value)
1150{
1151 X509_ATTRIBUTE *attr = NULL;
1152
1153 if (*sk == NULL) {
1154 if ((*sk = sk_X509_ATTRIBUTE_new_null()) == NULL)
1155 return 0;
1156 new_attrib:
1157 if ((attr = X509_ATTRIBUTE_create(nid, atrtype, value)) == NULL)
1158 return 0;
1159 if (!sk_X509_ATTRIBUTE_push(*sk, attr)) {
1160 X509_ATTRIBUTE_free(attr);
1161 return 0;
1162 }
1163 } else {
1164 int i;
1165
1166 for (i = 0; i < sk_X509_ATTRIBUTE_num(*sk); i++) {
1167 attr = sk_X509_ATTRIBUTE_value(*sk, i);
1168 if (OBJ_obj2nid(X509_ATTRIBUTE_get0_object(attr)) == nid) {
1169 X509_ATTRIBUTE_free(attr);
1170 attr = X509_ATTRIBUTE_create(nid, atrtype, value);
1171 if (attr == NULL)
1172 return 0;
1173 if (!sk_X509_ATTRIBUTE_set(*sk, i, attr)) {
1174 X509_ATTRIBUTE_free(attr);
1175 return 0;
1176 }
1177 goto end;
1178 }
1179 }
1180 goto new_attrib;
1181 }
1182 end:
1183 return 1;
1184}