/src/boringssl/crypto/pkcs7/pkcs7.c

Source (jump to first uncovered line)
/* Copyright (c) 2014, Google Inc.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

#include <openssl/pkcs7.h>

#include <openssl/bytestring.h>
#include <openssl/err.h>
#include <openssl/mem.h>
#include <openssl/pool.h>
#include <openssl/stack.h>

#include "internal.h"
#include "../bytestring/internal.h"


// 1.2.840.113549.1.7.1
static const uint8_t kPKCS7Data[] = {0x2a, 0x86, 0x48, 0x86, 0xf7,
                                     0x0d, 0x01, 0x07, 0x01};

// 1.2.840.113549.1.7.2
static const uint8_t kPKCS7SignedData[] = {0x2a, 0x86, 0x48, 0x86, 0xf7,
                                           0x0d, 0x01, 0x07, 0x02};

// pkcs7_parse_header reads the non-certificate/non-CRL prefix of a PKCS#7
// SignedData blob from |cbs| and sets |*out| to point to the rest of the
// input. If the input is in BER format, then |*der_bytes| will be set to a
// pointer that needs to be freed by the caller once they have finished
// processing |*out| (which will be pointing into |*der_bytes|).
//
// It returns one on success or zero on error. On error, |*der_bytes| is
// NULL.
int pkcs7_parse_header(uint8_t **der_bytes, CBS *out, CBS *cbs) {
  CBS in, content_info, content_type, wrapped_signed_data, signed_data;
  uint64_t version;

  // The input may be in BER format.
  *der_bytes = NULL;
  if (!CBS_asn1_ber_to_der(cbs, &in, der_bytes) ||
      // See https://tools.ietf.org/html/rfc2315#section-7
      !CBS_get_asn1(&in, &content_info, CBS_ASN1_SEQUENCE) ||
      !CBS_get_asn1(&content_info, &content_type, CBS_ASN1_OBJECT)) {
    goto err;
  }

  if (!CBS_mem_equal(&content_type, kPKCS7SignedData,
                     sizeof(kPKCS7SignedData))) {
    OPENSSL_PUT_ERROR(PKCS7, PKCS7_R_NOT_PKCS7_SIGNED_DATA);
    goto err;
  }

  // See https://tools.ietf.org/html/rfc2315#section-9.1
  if (!CBS_get_asn1(&content_info, &wrapped_signed_data,
                    CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0) ||
      !CBS_get_asn1(&wrapped_signed_data, &signed_data, CBS_ASN1_SEQUENCE) ||
      !CBS_get_asn1_uint64(&signed_data, &version) ||
      !CBS_get_asn1(&signed_data, NULL /* digests */, CBS_ASN1_SET) ||
      !CBS_get_asn1(&signed_data, NULL /* content */, CBS_ASN1_SEQUENCE)) {
    goto err;
  }

  if (version < 1) {
    OPENSSL_PUT_ERROR(PKCS7, PKCS7_R_BAD_PKCS7_VERSION);
    goto err;
  }

  CBS_init(out, CBS_data(&signed_data), CBS_len(&signed_data));
  return 1;

err:
  OPENSSL_free(*der_bytes);
  *der_bytes = NULL;
  return 0;
}

int PKCS7_get_raw_certificates(STACK_OF(CRYPTO_BUFFER) *out_certs, CBS *cbs,
                               CRYPTO_BUFFER_POOL *pool) {
  CBS signed_data, certificates;
  uint8_t *der_bytes = NULL;
  int ret = 0, has_certificates;
  const size_t initial_certs_len = sk_CRYPTO_BUFFER_num(out_certs);

  // See https://tools.ietf.org/html/rfc2315#section-9.1
  if (!pkcs7_parse_header(&der_bytes, &signed_data, cbs) ||
      !CBS_get_optional_asn1(
          &signed_data, &certificates, &has_certificates,
          CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0)) {
    goto err;
  }

  if (!has_certificates) {
    CBS_init(&certificates, NULL, 0);
  }

  while (CBS_len(&certificates) > 0) {
    CBS cert;
    if (!CBS_get_asn1_element(&certificates, &cert, CBS_ASN1_SEQUENCE)) {
      goto err;
    }

    CRYPTO_BUFFER *buf = CRYPTO_BUFFER_new_from_CBS(&cert, pool);
    if (buf == NULL ||
        !sk_CRYPTO_BUFFER_push(out_certs, buf)) {
      CRYPTO_BUFFER_free(buf);
      goto err;
    }
  }

  ret = 1;

err:
  OPENSSL_free(der_bytes);

  if (!ret) {
    while (sk_CRYPTO_BUFFER_num(out_certs) != initial_certs_len) {
      CRYPTO_BUFFER *buf = sk_CRYPTO_BUFFER_pop(out_certs);
      CRYPTO_BUFFER_free(buf);
    }
  }

  return ret;
}

static int pkcs7_bundle_raw_certificates_cb(CBB *out, const void *arg) {
  const STACK_OF(CRYPTO_BUFFER) *certs = arg;
  CBB certificates;

  // See https://tools.ietf.org/html/rfc2315#section-9.1
  if (!CBB_add_asn1(out, &certificates,
                    CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0)) {
    return 0;
  }

  for (size_t i = 0; i < sk_CRYPTO_BUFFER_num(certs); i++) {
    CRYPTO_BUFFER *cert = sk_CRYPTO_BUFFER_value(certs, i);
    if (!CBB_add_bytes(&certificates, CRYPTO_BUFFER_data(cert),
                       CRYPTO_BUFFER_len(cert))) {
      return 0;
    }
  }

  // |certificates| is a implicitly-tagged SET OF.
  return CBB_flush_asn1_set_of(&certificates) && CBB_flush(out);
}

int PKCS7_bundle_raw_certificates(CBB *out,
                                  const STACK_OF(CRYPTO_BUFFER) *certs) {
  return pkcs7_add_signed_data(out, /*digest_algos_cb=*/NULL,
                               pkcs7_bundle_raw_certificates_cb,
                               /*signer_infos_cb=*/NULL, certs);
}

int pkcs7_add_signed_data(CBB *out,
                          int (*digest_algos_cb)(CBB *out, const void *arg),
                          int (*cert_crl_cb)(CBB *out, const void *arg),
                          int (*signer_infos_cb)(CBB *out, const void *arg),
                          const void *arg) {
  CBB outer_seq, oid, wrapped_seq, seq, version_bytes, digest_algos_set,
      content_info, signer_infos;

  // See https://tools.ietf.org/html/rfc2315#section-7
  if (!CBB_add_asn1(out, &outer_seq, CBS_ASN1_SEQUENCE) ||
      !CBB_add_asn1(&outer_seq, &oid, CBS_ASN1_OBJECT) ||
      !CBB_add_bytes(&oid, kPKCS7SignedData, sizeof(kPKCS7SignedData)) ||
      !CBB_add_asn1(&outer_seq, &wrapped_seq,
                    CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0) ||
      // See https://tools.ietf.org/html/rfc2315#section-9.1
      !CBB_add_asn1(&wrapped_seq, &seq, CBS_ASN1_SEQUENCE) ||
      !CBB_add_asn1(&seq, &version_bytes, CBS_ASN1_INTEGER) ||
      !CBB_add_u8(&version_bytes, 1) ||
      !CBB_add_asn1(&seq, &digest_algos_set, CBS_ASN1_SET) ||
      (digest_algos_cb != NULL && !digest_algos_cb(&digest_algos_set, arg)) ||
      !CBB_add_asn1(&seq, &content_info, CBS_ASN1_SEQUENCE) ||
      !CBB_add_asn1(&content_info, &oid, CBS_ASN1_OBJECT) ||
      !CBB_add_bytes(&oid, kPKCS7Data, sizeof(kPKCS7Data)) ||
      (cert_crl_cb != NULL && !cert_crl_cb(&seq, arg)) ||
      !CBB_add_asn1(&seq, &signer_infos, CBS_ASN1_SET) ||
      (signer_infos_cb != NULL && !signer_infos_cb(&signer_infos, arg))) {
    return 0;
  }

  return CBB_flush(out);
}

Line	Count	Source (jump to first uncovered line)
1		/* Copyright (c) 2014, Google Inc.
2		*
3		* Permission to use, copy, modify, and/or distribute this software for any
4		* purpose with or without fee is hereby granted, provided that the above
5		* copyright notice and this permission notice appear in all copies.
6		*
7		* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8		* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9		* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10		* SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11		* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12		* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13		* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15		#include <openssl/pkcs7.h>
16
17		#include <openssl/bytestring.h>
18		#include <openssl/err.h>
19		#include <openssl/mem.h>
20		#include <openssl/pool.h>
21		#include <openssl/stack.h>
22
23		#include "internal.h"
24		#include "../bytestring/internal.h"
25
26
27		// 1.2.840.113549.1.7.1
28		static const uint8_t kPKCS7Data[] = {0x2a, 0x86, 0x48, 0x86, 0xf7,
29		0x0d, 0x01, 0x07, 0x01};
30
31		// 1.2.840.113549.1.7.2
32		static const uint8_t kPKCS7SignedData[] = {0x2a, 0x86, 0x48, 0x86, 0xf7,
33		0x0d, 0x01, 0x07, 0x02};
34
35		// pkcs7_parse_header reads the non-certificate/non-CRL prefix of a PKCS#7
36		// SignedData blob from \|cbs\| and sets \|*out\| to point to the rest of the
37		// input. If the input is in BER format, then \|*der_bytes\| will be set to a
38		// pointer that needs to be freed by the caller once they have finished
39		// processing \|out\| (which will be pointing into \|der_bytes\|).
40		//
41		// It returns one on success or zero on error. On error, \|*der_bytes\| is
42		// NULL.
43	0	int pkcs7_parse_header(uint8_t *der_bytes, CBS out, CBS *cbs) {
44	0	CBS in, content_info, content_type, wrapped_signed_data, signed_data;
45	0	uint64_t version;
46
47		// The input may be in BER format.
48	0	*der_bytes = NULL;
49	0	if (!CBS_asn1_ber_to_der(cbs, &in, der_bytes) \|\|
50		// See https://tools.ietf.org/html/rfc2315#section-7
51	0	!CBS_get_asn1(&in, &content_info, CBS_ASN1_SEQUENCE) \|\|
52	0	!CBS_get_asn1(&content_info, &content_type, CBS_ASN1_OBJECT)) {
53	0	goto err;
54	0	}
55
56	0	if (!CBS_mem_equal(&content_type, kPKCS7SignedData,
57	0	sizeof(kPKCS7SignedData))) {
58	0	OPENSSL_PUT_ERROR(PKCS7, PKCS7_R_NOT_PKCS7_SIGNED_DATA);
59	0	goto err;
60	0	}
61
62		// See https://tools.ietf.org/html/rfc2315#section-9.1
63	0	if (!CBS_get_asn1(&content_info, &wrapped_signed_data,
64	0	CBS_ASN1_CONTEXT_SPECIFIC \| CBS_ASN1_CONSTRUCTED \| 0) \|\|
65	0	!CBS_get_asn1(&wrapped_signed_data, &signed_data, CBS_ASN1_SEQUENCE) \|\|
66	0	!CBS_get_asn1_uint64(&signed_data, &version) \|\|
67	0	!CBS_get_asn1(&signed_data, NULL /* digests */, CBS_ASN1_SET) \|\|
68	0	!CBS_get_asn1(&signed_data, NULL /* content */, CBS_ASN1_SEQUENCE)) {
69	0	goto err;
70	0	}
71
72	0	if (version < 1) {
73	0	OPENSSL_PUT_ERROR(PKCS7, PKCS7_R_BAD_PKCS7_VERSION);
74	0	goto err;
75	0	}
76
77	0	CBS_init(out, CBS_data(&signed_data), CBS_len(&signed_data));
78	0	return 1;
79
80	0	err:
81	0	OPENSSL_free(*der_bytes);
82	0	*der_bytes = NULL;
83	0	return 0;
84	0	}
85
86		int PKCS7_get_raw_certificates(STACK_OF(CRYPTO_BUFFER) out_certs, CBS cbs,
87	0	CRYPTO_BUFFER_POOL *pool) {
88	0	CBS signed_data, certificates;
89	0	uint8_t *der_bytes = NULL;
90	0	int ret = 0, has_certificates;
91	0	const size_t initial_certs_len = sk_CRYPTO_BUFFER_num(out_certs);
92
93		// See https://tools.ietf.org/html/rfc2315#section-9.1
94	0	if (!pkcs7_parse_header(&der_bytes, &signed_data, cbs) \|\|
95	0	!CBS_get_optional_asn1(
96	0	&signed_data, &certificates, &has_certificates,
97	0	CBS_ASN1_CONTEXT_SPECIFIC \| CBS_ASN1_CONSTRUCTED \| 0)) {
98	0	goto err;
99	0	}
100
101	0	if (!has_certificates) {
102	0	CBS_init(&certificates, NULL, 0);
103	0	}
104
105	0	while (CBS_len(&certificates) > 0) {
106	0	CBS cert;
107	0	if (!CBS_get_asn1_element(&certificates, &cert, CBS_ASN1_SEQUENCE)) {
108	0	goto err;
109	0	}
110
111	0	CRYPTO_BUFFER *buf = CRYPTO_BUFFER_new_from_CBS(&cert, pool);
112	0	if (buf == NULL \|\|
113	0	!sk_CRYPTO_BUFFER_push(out_certs, buf)) {
114	0	CRYPTO_BUFFER_free(buf);
115	0	goto err;
116	0	}
117	0	}
118
119	0	ret = 1;
120
121	0	err:
122	0	OPENSSL_free(der_bytes);
123
124	0	if (!ret) {
125	0	while (sk_CRYPTO_BUFFER_num(out_certs) != initial_certs_len) {
126	0	CRYPTO_BUFFER *buf = sk_CRYPTO_BUFFER_pop(out_certs);
127	0	CRYPTO_BUFFER_free(buf);
128	0	}
129	0	}
130
131	0	return ret;
132	0	}
133
134	0	static int pkcs7_bundle_raw_certificates_cb(CBB out, const void arg) {
135	0	const STACK_OF(CRYPTO_BUFFER) *certs = arg;
136	0	CBB certificates;
137
138		// See https://tools.ietf.org/html/rfc2315#section-9.1
139	0	if (!CBB_add_asn1(out, &certificates,
140	0	CBS_ASN1_CONTEXT_SPECIFIC \| CBS_ASN1_CONSTRUCTED \| 0)) {
141	0	return 0;
142	0	}
143
144	0	for (size_t i = 0; i < sk_CRYPTO_BUFFER_num(certs); i++) {
145	0	CRYPTO_BUFFER *cert = sk_CRYPTO_BUFFER_value(certs, i);
146	0	if (!CBB_add_bytes(&certificates, CRYPTO_BUFFER_data(cert),
147	0	CRYPTO_BUFFER_len(cert))) {
148	0	return 0;
149	0	}
150	0	}
151
152		// \|certificates\| is a implicitly-tagged SET OF.
153	0	return CBB_flush_asn1_set_of(&certificates) && CBB_flush(out);
154	0	}
155
156		int PKCS7_bundle_raw_certificates(CBB *out,
157	0	const STACK_OF(CRYPTO_BUFFER) *certs) {
158	0	return pkcs7_add_signed_data(out, /digest_algos_cb=/NULL,
159	0	pkcs7_bundle_raw_certificates_cb,
160		/signer_infos_cb=/NULL, certs);
161	0	}
162
163		int pkcs7_add_signed_data(CBB *out,
164		int (digest_algos_cb)(CBB out, const void *arg),
165		int (cert_crl_cb)(CBB out, const void *arg),
166		int (signer_infos_cb)(CBB out, const void *arg),
167	0	const void *arg) {
168	0	CBB outer_seq, oid, wrapped_seq, seq, version_bytes, digest_algos_set,
169	0	content_info, signer_infos;
170
171		// See https://tools.ietf.org/html/rfc2315#section-7
172	0	if (!CBB_add_asn1(out, &outer_seq, CBS_ASN1_SEQUENCE) \|\|
173	0	!CBB_add_asn1(&outer_seq, &oid, CBS_ASN1_OBJECT) \|\|
174	0	!CBB_add_bytes(&oid, kPKCS7SignedData, sizeof(kPKCS7SignedData)) \|\|
175	0	!CBB_add_asn1(&outer_seq, &wrapped_seq,
176	0	CBS_ASN1_CONTEXT_SPECIFIC \| CBS_ASN1_CONSTRUCTED \| 0) \|\|
177		// See https://tools.ietf.org/html/rfc2315#section-9.1
178	0	!CBB_add_asn1(&wrapped_seq, &seq, CBS_ASN1_SEQUENCE) \|\|
179	0	!CBB_add_asn1(&seq, &version_bytes, CBS_ASN1_INTEGER) \|\|
180	0	!CBB_add_u8(&version_bytes, 1) \|\|
181	0	!CBB_add_asn1(&seq, &digest_algos_set, CBS_ASN1_SET) \|\|
182	0	(digest_algos_cb != NULL && !digest_algos_cb(&digest_algos_set, arg)) \|\|
183	0	!CBB_add_asn1(&seq, &content_info, CBS_ASN1_SEQUENCE) \|\|
184	0	!CBB_add_asn1(&content_info, &oid, CBS_ASN1_OBJECT) \|\|
185	0	!CBB_add_bytes(&oid, kPKCS7Data, sizeof(kPKCS7Data)) \|\|
186	0	(cert_crl_cb != NULL && !cert_crl_cb(&seq, arg)) \|\|
187	0	!CBB_add_asn1(&seq, &signer_infos, CBS_ASN1_SET) \|\|
188	0	(signer_infos_cb != NULL && !signer_infos_cb(&signer_infos, arg))) {
189	0	return 0;
190	0	}
191
192	0	return CBB_flush(out);
193	0	}

Coverage Report

Created: 2023-06-07 07:13