/src/openssl/crypto/pkcs7/pk7_lib.c

Source (jump to first uncovered line)
/*
 * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <stdio.h>
#include "internal/cryptlib.h"
#include <openssl/objects.h>
#include <openssl/x509.h>
#include <openssl/pkcs7.h>
#include "crypto/asn1.h"
#include "crypto/evp.h"
#include "crypto/x509.h" /* for sk_X509_add1_cert() */
#include "pk7_local.h"

long PKCS7_ctrl(PKCS7 *p7, int cmd, long larg, char *parg)
{
    int nid;
    long ret;

    nid = OBJ_obj2nid(p7->type);

    switch (cmd) {
    /* NOTE(emilia): does not support detached digested data. */
    case PKCS7_OP_SET_DETACHED_SIGNATURE:
        if (nid == NID_pkcs7_signed) {
            ret = p7->detached = (int)larg;
            if (ret && PKCS7_type_is_data(p7->d.sign->contents)) {
                ASN1_OCTET_STRING *os;
                os = p7->d.sign->contents->d.data;
                ASN1_OCTET_STRING_free(os);
                p7->d.sign->contents->d.data = NULL;
            }
        } else {
            ERR_raise(ERR_LIB_PKCS7,
                      PKCS7_R_OPERATION_NOT_SUPPORTED_ON_THIS_TYPE);
            ret = 0;
        }
        break;
    case PKCS7_OP_GET_DETACHED_SIGNATURE:
        if (nid == NID_pkcs7_signed) {
            if (p7->d.sign == NULL || p7->d.sign->contents->d.ptr == NULL)
                ret = 1;
            else
                ret = 0;

            p7->detached = ret;
        } else {
            ERR_raise(ERR_LIB_PKCS7,
                      PKCS7_R_OPERATION_NOT_SUPPORTED_ON_THIS_TYPE);
            ret = 0;
        }

        break;
    default:
        ERR_raise(ERR_LIB_PKCS7, PKCS7_R_UNKNOWN_OPERATION);
        ret = 0;
    }
    return ret;
}

int PKCS7_content_new(PKCS7 *p7, int type)
{
    PKCS7 *ret = NULL;

    if ((ret = PKCS7_new()) == NULL)
        goto err;
    if (!PKCS7_set_type(ret, type))
        goto err;
    if (!PKCS7_set_content(p7, ret))
        goto err;

    return 1;
 err:
    PKCS7_free(ret);
    return 0;
}

int PKCS7_set_content(PKCS7 *p7, PKCS7 *p7_data)
{
    int i;

    i = OBJ_obj2nid(p7->type);
    switch (i) {
    case NID_pkcs7_signed:
        PKCS7_free(p7->d.sign->contents);
        p7->d.sign->contents = p7_data;
        break;
    case NID_pkcs7_digest:
        PKCS7_free(p7->d.digest->contents);
        p7->d.digest->contents = p7_data;
        break;
    case NID_pkcs7_data:
    case NID_pkcs7_enveloped:
    case NID_pkcs7_signedAndEnveloped:
    case NID_pkcs7_encrypted:
    default:
        ERR_raise(ERR_LIB_PKCS7, PKCS7_R_UNSUPPORTED_CONTENT_TYPE);
        goto err;
    }
    return 1;
 err:
    return 0;
}

int PKCS7_set_type(PKCS7 *p7, int type)
{
    ASN1_OBJECT *obj;

    /*
     * PKCS7_content_free(p7);
     */
    obj = OBJ_nid2obj(type);    /* will not fail */

    switch (type) {
    case NID_pkcs7_signed:
        p7->type = obj;
        if ((p7->d.sign = PKCS7_SIGNED_new()) == NULL)
            goto err;
        if (!ASN1_INTEGER_set(p7->d.sign->version, 1)) {
            PKCS7_SIGNED_free(p7->d.sign);
            p7->d.sign = NULL;
            goto err;
        }
        break;
    case NID_pkcs7_data:
        p7->type = obj;
        if ((p7->d.data = ASN1_OCTET_STRING_new()) == NULL)
            goto err;
        break;
    case NID_pkcs7_signedAndEnveloped:
        p7->type = obj;
        if ((p7->d.signed_and_enveloped = PKCS7_SIGN_ENVELOPE_new())
            == NULL)
            goto err;
        if (!ASN1_INTEGER_set(p7->d.signed_and_enveloped->version, 1))
            goto err;
        p7->d.signed_and_enveloped->enc_data->content_type
            = OBJ_nid2obj(NID_pkcs7_data);
        break;
    case NID_pkcs7_enveloped:
        p7->type = obj;
        if ((p7->d.enveloped = PKCS7_ENVELOPE_new())
            == NULL)
            goto err;
        if (!ASN1_INTEGER_set(p7->d.enveloped->version, 0))
            goto err;
        p7->d.enveloped->enc_data->content_type = OBJ_nid2obj(NID_pkcs7_data);
        break;
    case NID_pkcs7_encrypted:
        p7->type = obj;
        if ((p7->d.encrypted = PKCS7_ENCRYPT_new())
            == NULL)
            goto err;
        if (!ASN1_INTEGER_set(p7->d.encrypted->version, 0))
            goto err;
        p7->d.encrypted->enc_data->content_type = OBJ_nid2obj(NID_pkcs7_data);
        break;

    case NID_pkcs7_digest:
        p7->type = obj;
        if ((p7->d.digest = PKCS7_DIGEST_new())
            == NULL)
            goto err;
        if (!ASN1_INTEGER_set(p7->d.digest->version, 0))
            goto err;
        break;
    default:
        ERR_raise(ERR_LIB_PKCS7, PKCS7_R_UNSUPPORTED_CONTENT_TYPE);
        goto err;
    }
    return 1;
 err:
    return 0;
}

int PKCS7_set0_type_other(PKCS7 *p7, int type, ASN1_TYPE *other)
{
    p7->type = OBJ_nid2obj(type);
    p7->d.other = other;
    return 1;
}

int PKCS7_add_signer(PKCS7 *p7, PKCS7_SIGNER_INFO *psi)
{
    int i, j;
    ASN1_OBJECT *obj;
    X509_ALGOR *alg;
    STACK_OF(PKCS7_SIGNER_INFO) *signer_sk;
    STACK_OF(X509_ALGOR) *md_sk;

    i = OBJ_obj2nid(p7->type);
    switch (i) {
    case NID_pkcs7_signed:
        signer_sk = p7->d.sign->signer_info;
        md_sk = p7->d.sign->md_algs;
        break;
    case NID_pkcs7_signedAndEnveloped:
        signer_sk = p7->d.signed_and_enveloped->signer_info;
        md_sk = p7->d.signed_and_enveloped->md_algs;
        break;
    default:
        ERR_raise(ERR_LIB_PKCS7, PKCS7_R_WRONG_CONTENT_TYPE);
        return 0;
    }

    obj = psi->digest_alg->algorithm;
    /* If the digest is not currently listed, add it */
    j = 0;
    for (i = 0; i < sk_X509_ALGOR_num(md_sk); i++) {
        alg = sk_X509_ALGOR_value(md_sk, i);
        if (OBJ_cmp(obj, alg->algorithm) == 0) {
            j = 1;
            break;
        }
    }
    if (!j) {                   /* we need to add another algorithm */
        int nid;

        if ((alg = X509_ALGOR_new()) == NULL
            || (alg->parameter = ASN1_TYPE_new()) == NULL) {
            X509_ALGOR_free(alg);
            ERR_raise(ERR_LIB_PKCS7, ERR_R_ASN1_LIB);
            return 0;
        }
        /*
         * If there is a constant copy of the ASN1 OBJECT in libcrypto, then
         * use that.  Otherwise, use a dynamically duplicated copy
         */
        if ((nid = OBJ_obj2nid(obj)) != NID_undef)
            alg->algorithm = OBJ_nid2obj(nid);
        else
            alg->algorithm = OBJ_dup(obj);
        alg->parameter->type = V_ASN1_NULL;
        if (alg->algorithm == NULL || !sk_X509_ALGOR_push(md_sk, alg)) {
            X509_ALGOR_free(alg);
            return 0;
        }
    }

    psi->ctx = ossl_pkcs7_get0_ctx(p7);
    if (!sk_PKCS7_SIGNER_INFO_push(signer_sk, psi))
        return 0;
    return 1;
}

int PKCS7_add_certificate(PKCS7 *p7, X509 *x509)
{
    int i;
    STACK_OF(X509) **sk;

    i = OBJ_obj2nid(p7->type);
    switch (i) {
    case NID_pkcs7_signed:
        sk = &(p7->d.sign->cert);
        break;
    case NID_pkcs7_signedAndEnveloped:
        sk = &(p7->d.signed_and_enveloped->cert);
        break;
    default:
        ERR_raise(ERR_LIB_PKCS7, PKCS7_R_WRONG_CONTENT_TYPE);
        return 0;
    }

    return ossl_x509_add_cert_new(sk, x509, X509_ADD_FLAG_UP_REF);
}

int PKCS7_add_crl(PKCS7 *p7, X509_CRL *crl)
{
    int i;
    STACK_OF(X509_CRL) **sk;

    i = OBJ_obj2nid(p7->type);
    switch (i) {
    case NID_pkcs7_signed:
        sk = &(p7->d.sign->crl);
        break;
    case NID_pkcs7_signedAndEnveloped:
        sk = &(p7->d.signed_and_enveloped->crl);
        break;
    default:
        ERR_raise(ERR_LIB_PKCS7, PKCS7_R_WRONG_CONTENT_TYPE);
        return 0;
    }

    if (*sk == NULL)
        *sk = sk_X509_CRL_new_null();
    if (*sk == NULL) {
        ERR_raise(ERR_LIB_PKCS7, ERR_R_CRYPTO_LIB);
        return 0;
    }

    X509_CRL_up_ref(crl);
    if (!sk_X509_CRL_push(*sk, crl)) {
        X509_CRL_free(crl);
        return 0;
    }
    return 1;
}

static int pkcs7_ecdsa_or_dsa_sign_verify_setup(PKCS7_SIGNER_INFO *si,
                                                int verify)
{
    if (!verify) {
        int snid, hnid;
        X509_ALGOR *alg1, *alg2;
        EVP_PKEY *pkey = si->pkey;

        PKCS7_SIGNER_INFO_get0_algs(si, NULL, &alg1, &alg2);
        if (alg1 == NULL || alg1->algorithm == NULL)
            return -1;
        hnid = OBJ_obj2nid(alg1->algorithm);
        if (hnid == NID_undef)
            return -1;
        if (!OBJ_find_sigid_by_algs(&snid, hnid, EVP_PKEY_get_id(pkey)))
            return -1;
        return X509_ALGOR_set0(alg2, OBJ_nid2obj(snid), V_ASN1_UNDEF, NULL);
    }
    return 1;
}

static int pkcs7_rsa_sign_verify_setup(PKCS7_SIGNER_INFO *si, int verify)
{
    if (!verify) {
        X509_ALGOR *alg = NULL;

        PKCS7_SIGNER_INFO_get0_algs(si, NULL, NULL, &alg);
        if (alg != NULL)
            return X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption),
                                   V_ASN1_NULL, NULL);
    }
    return 1;
}

int PKCS7_SIGNER_INFO_set(PKCS7_SIGNER_INFO *p7i, X509 *x509, EVP_PKEY *pkey,
                          const EVP_MD *dgst)
{
    int ret;

    /* We now need to add another PKCS7_SIGNER_INFO entry */
    if (!ASN1_INTEGER_set(p7i->version, 1))
        return 0;
    if (!X509_NAME_set(&p7i->issuer_and_serial->issuer,
                       X509_get_issuer_name(x509)))
        return 0;

    /*
     * because ASN1_INTEGER_set is used to set a 'long' we will do things the
     * ugly way.
     */
    ASN1_INTEGER_free(p7i->issuer_and_serial->serial);
    if (!(p7i->issuer_and_serial->serial =
          ASN1_INTEGER_dup(X509_get0_serialNumber(x509))))
        return 0;

    /* lets keep the pkey around for a while */
    EVP_PKEY_up_ref(pkey);
    p7i->pkey = pkey;

    /* Set the algorithms */

    if (!X509_ALGOR_set0(p7i->digest_alg, OBJ_nid2obj(EVP_MD_get_type(dgst)),
                         V_ASN1_NULL, NULL))
        return 0;

    if (EVP_PKEY_is_a(pkey, "EC") || EVP_PKEY_is_a(pkey, "DSA"))
        return pkcs7_ecdsa_or_dsa_sign_verify_setup(p7i, 0);
    if (EVP_PKEY_is_a(pkey, "RSA"))
        return pkcs7_rsa_sign_verify_setup(p7i, 0);

    if (pkey->ameth != NULL && pkey->ameth->pkey_ctrl != NULL) {
        ret = pkey->ameth->pkey_ctrl(pkey, ASN1_PKEY_CTRL_PKCS7_SIGN, 0, p7i);
        if (ret > 0)
            return 1;
        if (ret != -2) {
            ERR_raise(ERR_LIB_PKCS7, PKCS7_R_SIGNING_CTRL_FAILURE);
            return 0;
        }
    }
    ERR_raise(ERR_LIB_PKCS7, PKCS7_R_SIGNING_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
    return 0;
}

PKCS7_SIGNER_INFO *PKCS7_add_signature(PKCS7 *p7, X509 *x509, EVP_PKEY *pkey,
                                       const EVP_MD *dgst)
{
    PKCS7_SIGNER_INFO *si = NULL;

    if (dgst == NULL) {
        int def_nid;
        if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) <= 0)
            goto err;
        dgst = EVP_get_digestbynid(def_nid);
        if (dgst == NULL) {
            ERR_raise(ERR_LIB_PKCS7, PKCS7_R_NO_DEFAULT_DIGEST);
            goto err;
        }
    }

    if ((si = PKCS7_SIGNER_INFO_new()) == NULL)
        goto err;
    if (PKCS7_SIGNER_INFO_set(si, x509, pkey, dgst) <= 0)
        goto err;
    if (!PKCS7_add_signer(p7, si))
        goto err;
    return si;
 err:
    PKCS7_SIGNER_INFO_free(si);
    return NULL;
}

STACK_OF(X509) *pkcs7_get0_certificates(const PKCS7 *p7)
{
    if (p7->d.ptr == NULL)
        return NULL;
    if (PKCS7_type_is_signed(p7))
        return p7->d.sign->cert;
    if (PKCS7_type_is_signedAndEnveloped(p7))
        return p7->d.signed_and_enveloped->cert;
    return NULL;
}

static STACK_OF(PKCS7_RECIP_INFO) *pkcs7_get_recipient_info(const PKCS7 *p7)
{
    if (p7->d.ptr == NULL)
        return NULL;
    if (PKCS7_type_is_signedAndEnveloped(p7))
        return p7->d.signed_and_enveloped->recipientinfo;
    if (PKCS7_type_is_enveloped(p7))
        return p7->d.enveloped->recipientinfo;
    return NULL;
}

/*
 * Set up the library context into any loaded structure that needs it.
 * i.e loaded X509 objects.
 */
void ossl_pkcs7_resolve_libctx(PKCS7 *p7)
{
    int i;
    const PKCS7_CTX *ctx = ossl_pkcs7_get0_ctx(p7);
    OSSL_LIB_CTX *libctx = ossl_pkcs7_ctx_get0_libctx(ctx);
    const char *propq = ossl_pkcs7_ctx_get0_propq(ctx);
    STACK_OF(PKCS7_RECIP_INFO) *rinfos;
    STACK_OF(PKCS7_SIGNER_INFO) *sinfos;
    STACK_OF(X509) *certs;

    if (ctx == NULL || p7->d.ptr == NULL)
        return;

    rinfos = pkcs7_get_recipient_info(p7);
    sinfos = PKCS7_get_signer_info(p7);
    certs = pkcs7_get0_certificates(p7);

    for (i = 0; i < sk_X509_num(certs); i++)
        ossl_x509_set0_libctx(sk_X509_value(certs, i), libctx, propq);

    for (i = 0; i < sk_PKCS7_RECIP_INFO_num(rinfos); i++) {
        PKCS7_RECIP_INFO *ri = sk_PKCS7_RECIP_INFO_value(rinfos, i);

        ossl_x509_set0_libctx(ri->cert, libctx, propq);
    }

    for (i = 0; i < sk_PKCS7_SIGNER_INFO_num(sinfos); i++) {
        PKCS7_SIGNER_INFO *si = sk_PKCS7_SIGNER_INFO_value(sinfos, i);

        if (si != NULL)
            si->ctx = ctx;
    }
}

const PKCS7_CTX *ossl_pkcs7_get0_ctx(const PKCS7 *p7)
{
    return p7 != NULL ? &p7->ctx : NULL;
}

void ossl_pkcs7_set0_libctx(PKCS7 *p7, OSSL_LIB_CTX *ctx)
{
    p7->ctx.libctx = ctx;
}

int ossl_pkcs7_set1_propq(PKCS7 *p7, const char *propq)
{
    if (p7->ctx.propq != NULL) {
        OPENSSL_free(p7->ctx.propq);
        p7->ctx.propq = NULL;
    }
    if (propq != NULL) {
        p7->ctx.propq = OPENSSL_strdup(propq);
        if (p7->ctx.propq == NULL)
            return 0;
    }
    return 1;
}

int ossl_pkcs7_ctx_propagate(const PKCS7 *from, PKCS7 *to)
{
    ossl_pkcs7_set0_libctx(to, from->ctx.libctx);
    if (!ossl_pkcs7_set1_propq(to, from->ctx.propq))
        return 0;

    ossl_pkcs7_resolve_libctx(to);
    return 1;
}

OSSL_LIB_CTX *ossl_pkcs7_ctx_get0_libctx(const PKCS7_CTX *ctx)
{
    return ctx != NULL ? ctx->libctx : NULL;
}
const char *ossl_pkcs7_ctx_get0_propq(const PKCS7_CTX *ctx)
{
    return ctx != NULL ? ctx->propq : NULL;
}

int PKCS7_set_digest(PKCS7 *p7, const EVP_MD *md)
{
    if (PKCS7_type_is_digest(p7)) {
        if ((p7->d.digest->md->parameter = ASN1_TYPE_new()) == NULL) {
            ERR_raise(ERR_LIB_PKCS7, ERR_R_ASN1_LIB);
            return 0;
        }
        p7->d.digest->md->parameter->type = V_ASN1_NULL;
        p7->d.digest->md->algorithm = OBJ_nid2obj(EVP_MD_nid(md));
        return 1;
    }

    ERR_raise(ERR_LIB_PKCS7, PKCS7_R_WRONG_CONTENT_TYPE);
    return 1;
}

STACK_OF(PKCS7_SIGNER_INFO) *PKCS7_get_signer_info(PKCS7 *p7)
{
    if (p7 == NULL || p7->d.ptr == NULL)
        return NULL;
    if (PKCS7_type_is_signed(p7)) {
        return p7->d.sign->signer_info;
    } else if (PKCS7_type_is_signedAndEnveloped(p7)) {
        return p7->d.signed_and_enveloped->signer_info;
    } else
        return NULL;
}

void PKCS7_SIGNER_INFO_get0_algs(PKCS7_SIGNER_INFO *si, EVP_PKEY **pk,
                                 X509_ALGOR **pdig, X509_ALGOR **psig)
{
    if (pk)
        *pk = si->pkey;
    if (pdig)
        *pdig = si->digest_alg;
    if (psig)
        *psig = si->digest_enc_alg;
}

void PKCS7_RECIP_INFO_get0_alg(PKCS7_RECIP_INFO *ri, X509_ALGOR **penc)
{
    if (penc)
        *penc = ri->key_enc_algor;
}

PKCS7_RECIP_INFO *PKCS7_add_recipient(PKCS7 *p7, X509 *x509)
{
    PKCS7_RECIP_INFO *ri;

    if ((ri = PKCS7_RECIP_INFO_new()) == NULL)
        goto err;
    if (PKCS7_RECIP_INFO_set(ri, x509) <= 0)
        goto err;
    if (!PKCS7_add_recipient_info(p7, ri))
        goto err;
    ri->ctx = ossl_pkcs7_get0_ctx(p7);
    return ri;
 err:
    PKCS7_RECIP_INFO_free(ri);
    return NULL;
}

int PKCS7_add_recipient_info(PKCS7 *p7, PKCS7_RECIP_INFO *ri)
{
    int i;
    STACK_OF(PKCS7_RECIP_INFO) *sk;

    i = OBJ_obj2nid(p7->type);
    switch (i) {
    case NID_pkcs7_signedAndEnveloped:
        sk = p7->d.signed_and_enveloped->recipientinfo;
        break;
    case NID_pkcs7_enveloped:
        sk = p7->d.enveloped->recipientinfo;
        break;
    default:
        ERR_raise(ERR_LIB_PKCS7, PKCS7_R_WRONG_CONTENT_TYPE);
        return 0;
    }

    if (!sk_PKCS7_RECIP_INFO_push(sk, ri))
        return 0;
    return 1;
}

static int pkcs7_rsa_encrypt_decrypt_setup(PKCS7_RECIP_INFO *ri, int decrypt)
{
    X509_ALGOR *alg = NULL;

    if (!decrypt) {
        PKCS7_RECIP_INFO_get0_alg(ri, &alg);
        if (alg != NULL)
            return X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption),
                                   V_ASN1_NULL, NULL);
    }
    return 1;
}

int PKCS7_RECIP_INFO_set(PKCS7_RECIP_INFO *p7i, X509 *x509)
{
    int ret;
    EVP_PKEY *pkey = NULL;
    if (!ASN1_INTEGER_set(p7i->version, 0))
        return 0;
    if (!X509_NAME_set(&p7i->issuer_and_serial->issuer,
                       X509_get_issuer_name(x509)))
        return 0;

    ASN1_INTEGER_free(p7i->issuer_and_serial->serial);
    if (!(p7i->issuer_and_serial->serial =
          ASN1_INTEGER_dup(X509_get0_serialNumber(x509))))
        return 0;

    pkey = X509_get0_pubkey(x509);
    if (pkey == NULL)
        return 0;

    if (EVP_PKEY_is_a(pkey, "RSA-PSS"))
        return -2;
    if (EVP_PKEY_is_a(pkey, "RSA")) {
        if (pkcs7_rsa_encrypt_decrypt_setup(p7i, 0) <= 0)
            goto err;
        goto finished;
    }

    if (pkey->ameth == NULL || pkey->ameth->pkey_ctrl == NULL) {
        ERR_raise(ERR_LIB_PKCS7,
                  PKCS7_R_ENCRYPTION_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
        goto err;
    }

    ret = pkey->ameth->pkey_ctrl(pkey, ASN1_PKEY_CTRL_PKCS7_ENCRYPT, 0, p7i);
    if (ret == -2) {
        ERR_raise(ERR_LIB_PKCS7,
                  PKCS7_R_ENCRYPTION_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
        goto err;
    }
    if (ret <= 0) {
        ERR_raise(ERR_LIB_PKCS7, PKCS7_R_ENCRYPTION_CTRL_FAILURE);
        goto err;
    }
finished:
    X509_up_ref(x509);
    p7i->cert = x509;

    return 1;

 err:
    return 0;
}

X509 *PKCS7_cert_from_signer_info(PKCS7 *p7, PKCS7_SIGNER_INFO *si)
{
    if (PKCS7_type_is_signed(p7))
        return (X509_find_by_issuer_and_serial(p7->d.sign->cert,
                                               si->issuer_and_serial->issuer,
                                               si->
                                               issuer_and_serial->serial));
    else
        return NULL;
}

int PKCS7_set_cipher(PKCS7 *p7, const EVP_CIPHER *cipher)
{
    int i;
    PKCS7_ENC_CONTENT *ec;

    i = OBJ_obj2nid(p7->type);
    switch (i) {
    case NID_pkcs7_signedAndEnveloped:
        ec = p7->d.signed_and_enveloped->enc_data;
        break;
    case NID_pkcs7_enveloped:
        ec = p7->d.enveloped->enc_data;
        break;
    default:
        ERR_raise(ERR_LIB_PKCS7, PKCS7_R_WRONG_CONTENT_TYPE);
        return 0;
    }

    /* Check cipher OID exists and has data in it */
    i = EVP_CIPHER_get_type(cipher);
    if (i == NID_undef) {
        ERR_raise(ERR_LIB_PKCS7, PKCS7_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER);
        return 0;
    }

    ec->cipher = cipher;
    ec->ctx = ossl_pkcs7_get0_ctx(p7);
    return 1;
}

/* unfortunately cannot constify BIO_new_NDEF() due to this and CMS_stream() */
int PKCS7_stream(unsigned char ***boundary, PKCS7 *p7)
{
    ASN1_OCTET_STRING *os = NULL;

    switch (OBJ_obj2nid(p7->type)) {
    case NID_pkcs7_data:
        os = p7->d.data;
        break;

    case NID_pkcs7_signedAndEnveloped:
        os = p7->d.signed_and_enveloped->enc_data->enc_data;
        if (os == NULL) {
            os = ASN1_OCTET_STRING_new();
            p7->d.signed_and_enveloped->enc_data->enc_data = os;
        }
        break;

    case NID_pkcs7_enveloped:
        os = p7->d.enveloped->enc_data->enc_data;
        if (os == NULL) {
            os = ASN1_OCTET_STRING_new();
            p7->d.enveloped->enc_data->enc_data = os;
        }
        break;

    case NID_pkcs7_signed:
        os = p7->d.sign->contents->d.data;
        break;

    default:
        os = NULL;
        break;
    }

    if (os == NULL)
        return 0;

    os->flags |= ASN1_STRING_FLAG_NDEF;
    *boundary = &os->data;

    return 1;
}

Coverage Report

Created: 2024-11-21 07:03

Line	Count	Source (jump to first uncovered line)
1		/*
2		* Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the Apache License 2.0 (the "License"). You may not use
5		* this file except in compliance with the License. You can obtain a copy
6		* in the file LICENSE in the source distribution or at
7		* https://www.openssl.org/source/license.html
8		*/
9
10		#include <stdio.h>
11		#include "internal/cryptlib.h"
12		#include <openssl/objects.h>
13		#include <openssl/x509.h>
14		#include <openssl/pkcs7.h>
15		#include "crypto/asn1.h"
16		#include "crypto/evp.h"
17		#include "crypto/x509.h" /* for sk_X509_add1_cert() */
18		#include "pk7_local.h"
19
20		long PKCS7_ctrl(PKCS7 p7, int cmd, long larg, char parg)
21	0	{
22	0	int nid;
23	0	long ret;
24
25	0	nid = OBJ_obj2nid(p7->type);
26
27	0	switch (cmd) {
28		/* NOTE(emilia): does not support detached digested data. */
29	0	case PKCS7_OP_SET_DETACHED_SIGNATURE:
30	0	if (nid == NID_pkcs7_signed) {
31	0	ret = p7->detached = (int)larg;
32	0	if (ret && PKCS7_type_is_data(p7->d.sign->contents)) {
33	0	ASN1_OCTET_STRING *os;
34	0	os = p7->d.sign->contents->d.data;
35	0	ASN1_OCTET_STRING_free(os);
36	0	p7->d.sign->contents->d.data = NULL;
37	0	}
38	0	} else {
39	0	ERR_raise(ERR_LIB_PKCS7,
40	0	PKCS7_R_OPERATION_NOT_SUPPORTED_ON_THIS_TYPE);
41	0	ret = 0;
42	0	}
43	0	break;
44	0	case PKCS7_OP_GET_DETACHED_SIGNATURE:
45	0	if (nid == NID_pkcs7_signed) {
46	0	if (p7->d.sign == NULL \|\| p7->d.sign->contents->d.ptr == NULL)
47	0	ret = 1;
48	0	else
49	0	ret = 0;
50
51	0	p7->detached = ret;
52	0	} else {
53	0	ERR_raise(ERR_LIB_PKCS7,
54	0	PKCS7_R_OPERATION_NOT_SUPPORTED_ON_THIS_TYPE);
55	0	ret = 0;
56	0	}
57
58	0	break;
59	0	default:
60	0	ERR_raise(ERR_LIB_PKCS7, PKCS7_R_UNKNOWN_OPERATION);
61	0	ret = 0;
62	0	}
63	0	return ret;
64	0	}
65
66		int PKCS7_content_new(PKCS7 *p7, int type)
67	0	{
68	0	PKCS7 *ret = NULL;
69
70	0	if ((ret = PKCS7_new()) == NULL)
71	0	goto err;
72	0	if (!PKCS7_set_type(ret, type))
73	0	goto err;
74	0	if (!PKCS7_set_content(p7, ret))
75	0	goto err;
76
77	0	return 1;
78	0	err:
79	0	PKCS7_free(ret);
80	0	return 0;
81	0	}
82
83		int PKCS7_set_content(PKCS7 p7, PKCS7 p7_data)
84	0	{
85	0	int i;
86
87	0	i = OBJ_obj2nid(p7->type);
88	0	switch (i) {
89	0	case NID_pkcs7_signed:
90	0	PKCS7_free(p7->d.sign->contents);
91	0	p7->d.sign->contents = p7_data;
92	0	break;
93	0	case NID_pkcs7_digest:
94	0	PKCS7_free(p7->d.digest->contents);
95	0	p7->d.digest->contents = p7_data;
96	0	break;
97	0	case NID_pkcs7_data:
98	0	case NID_pkcs7_enveloped:
99	0	case NID_pkcs7_signedAndEnveloped:
100	0	case NID_pkcs7_encrypted:
101	0	default:
102	0	ERR_raise(ERR_LIB_PKCS7, PKCS7_R_UNSUPPORTED_CONTENT_TYPE);
103	0	goto err;
104	0	}
105	0	return 1;
106	0	err:
107	0	return 0;
108	0	}
109
110		int PKCS7_set_type(PKCS7 *p7, int type)
111	0	{
112	0	ASN1_OBJECT *obj;
113
114		/*
115		* PKCS7_content_free(p7);
116		*/
117	0	obj = OBJ_nid2obj(type); /* will not fail */
118
119	0	switch (type) {
120	0	case NID_pkcs7_signed:
121	0	p7->type = obj;
122	0	if ((p7->d.sign = PKCS7_SIGNED_new()) == NULL)
123	0	goto err;
124	0	if (!ASN1_INTEGER_set(p7->d.sign->version, 1)) {
125	0	PKCS7_SIGNED_free(p7->d.sign);
126	0	p7->d.sign = NULL;
127	0	goto err;
128	0	}
129	0	break;
130	0	case NID_pkcs7_data:
131	0	p7->type = obj;
132	0	if ((p7->d.data = ASN1_OCTET_STRING_new()) == NULL)
133	0	goto err;
134	0	break;
135	0	case NID_pkcs7_signedAndEnveloped:
136	0	p7->type = obj;
137	0	if ((p7->d.signed_and_enveloped = PKCS7_SIGN_ENVELOPE_new())
138	0	== NULL)
139	0	goto err;
140	0	if (!ASN1_INTEGER_set(p7->d.signed_and_enveloped->version, 1))
141	0	goto err;
142	0	p7->d.signed_and_enveloped->enc_data->content_type
143	0	= OBJ_nid2obj(NID_pkcs7_data);
144	0	break;
145	0	case NID_pkcs7_enveloped:
146	0	p7->type = obj;
147	0	if ((p7->d.enveloped = PKCS7_ENVELOPE_new())
148	0	== NULL)
149	0	goto err;
150	0	if (!ASN1_INTEGER_set(p7->d.enveloped->version, 0))
151	0	goto err;
152	0	p7->d.enveloped->enc_data->content_type = OBJ_nid2obj(NID_pkcs7_data);
153	0	break;
154	0	case NID_pkcs7_encrypted:
155	0	p7->type = obj;
156	0	if ((p7->d.encrypted = PKCS7_ENCRYPT_new())
157	0	== NULL)
158	0	goto err;
159	0	if (!ASN1_INTEGER_set(p7->d.encrypted->version, 0))
160	0	goto err;
161	0	p7->d.encrypted->enc_data->content_type = OBJ_nid2obj(NID_pkcs7_data);
162	0	break;
163
164	0	case NID_pkcs7_digest:
165	0	p7->type = obj;
166	0	if ((p7->d.digest = PKCS7_DIGEST_new())
167	0	== NULL)
168	0	goto err;
169	0	if (!ASN1_INTEGER_set(p7->d.digest->version, 0))
170	0	goto err;
171	0	break;
172	0	default:
173	0	ERR_raise(ERR_LIB_PKCS7, PKCS7_R_UNSUPPORTED_CONTENT_TYPE);
174	0	goto err;
175	0	}
176	0	return 1;
177	0	err:
178	0	return 0;
179	0	}
180
181		int PKCS7_set0_type_other(PKCS7 p7, int type, ASN1_TYPE other)
182	0	{
183	0	p7->type = OBJ_nid2obj(type);
184	0	p7->d.other = other;
185	0	return 1;
186	0	}
187
188		int PKCS7_add_signer(PKCS7 p7, PKCS7_SIGNER_INFO psi)
189	0	{
190	0	int i, j;
191	0	ASN1_OBJECT *obj;
192	0	X509_ALGOR *alg;
193	0	STACK_OF(PKCS7_SIGNER_INFO) *signer_sk;
194	0	STACK_OF(X509_ALGOR) *md_sk;
195
196	0	i = OBJ_obj2nid(p7->type);
197	0	switch (i) {
198	0	case NID_pkcs7_signed:
199	0	signer_sk = p7->d.sign->signer_info;
200	0	md_sk = p7->d.sign->md_algs;
201	0	break;
202	0	case NID_pkcs7_signedAndEnveloped:
203	0	signer_sk = p7->d.signed_and_enveloped->signer_info;
204	0	md_sk = p7->d.signed_and_enveloped->md_algs;
205	0	break;
206	0	default:
207	0	ERR_raise(ERR_LIB_PKCS7, PKCS7_R_WRONG_CONTENT_TYPE);
208	0	return 0;
209	0	}
210
211	0	obj = psi->digest_alg->algorithm;
212		/* If the digest is not currently listed, add it */
213	0	j = 0;
214	0	for (i = 0; i < sk_X509_ALGOR_num(md_sk); i++) {
215	0	alg = sk_X509_ALGOR_value(md_sk, i);
216	0	if (OBJ_cmp(obj, alg->algorithm) == 0) {
217	0	j = 1;
218	0	break;
219	0	}
220	0	}
221	0	if (!j) { /* we need to add another algorithm */
222	0	int nid;
223
224	0	if ((alg = X509_ALGOR_new()) == NULL
225	0	\|\| (alg->parameter = ASN1_TYPE_new()) == NULL) {
226	0	X509_ALGOR_free(alg);
227	0	ERR_raise(ERR_LIB_PKCS7, ERR_R_ASN1_LIB);
228	0	return 0;
229	0	}
230		/*
231		* If there is a constant copy of the ASN1 OBJECT in libcrypto, then
232		* use that. Otherwise, use a dynamically duplicated copy
233		*/
234	0	if ((nid = OBJ_obj2nid(obj)) != NID_undef)
235	0	alg->algorithm = OBJ_nid2obj(nid);
236	0	else
237	0	alg->algorithm = OBJ_dup(obj);
238	0	alg->parameter->type = V_ASN1_NULL;
239	0	if (alg->algorithm == NULL \|\| !sk_X509_ALGOR_push(md_sk, alg)) {
240	0	X509_ALGOR_free(alg);
241	0	return 0;
242	0	}
243	0	}
244
245	0	psi->ctx = ossl_pkcs7_get0_ctx(p7);
246	0	if (!sk_PKCS7_SIGNER_INFO_push(signer_sk, psi))
247	0	return 0;
248	0	return 1;
249	0	}
250
251		int PKCS7_add_certificate(PKCS7 p7, X509 x509)
252	0	{
253	0	int i;
254	0	STACK_OF(X509) **sk;
255
256	0	i = OBJ_obj2nid(p7->type);
257	0	switch (i) {
258	0	case NID_pkcs7_signed:
259	0	sk = &(p7->d.sign->cert);
260	0	break;
261	0	case NID_pkcs7_signedAndEnveloped:
262	0	sk = &(p7->d.signed_and_enveloped->cert);
263	0	break;
264	0	default:
265	0	ERR_raise(ERR_LIB_PKCS7, PKCS7_R_WRONG_CONTENT_TYPE);
266	0	return 0;
267	0	}
268
269	0	return ossl_x509_add_cert_new(sk, x509, X509_ADD_FLAG_UP_REF);
270	0	}
271
272		int PKCS7_add_crl(PKCS7 p7, X509_CRL crl)
273	0	{
274	0	int i;
275	0	STACK_OF(X509_CRL) **sk;
276
277	0	i = OBJ_obj2nid(p7->type);
278	0	switch (i) {
279	0	case NID_pkcs7_signed:
280	0	sk = &(p7->d.sign->crl);
281	0	break;
282	0	case NID_pkcs7_signedAndEnveloped:
283	0	sk = &(p7->d.signed_and_enveloped->crl);
284	0	break;
285	0	default:
286	0	ERR_raise(ERR_LIB_PKCS7, PKCS7_R_WRONG_CONTENT_TYPE);
287	0	return 0;
288	0	}
289
290	0	if (*sk == NULL)
291	0	*sk = sk_X509_CRL_new_null();
292	0	if (*sk == NULL) {
293	0	ERR_raise(ERR_LIB_PKCS7, ERR_R_CRYPTO_LIB);
294	0	return 0;
295	0	}
296
297	0	X509_CRL_up_ref(crl);
298	0	if (!sk_X509_CRL_push(*sk, crl)) {
299	0	X509_CRL_free(crl);
300	0	return 0;
301	0	}
302	0	return 1;
303	0	}
304
305		static int pkcs7_ecdsa_or_dsa_sign_verify_setup(PKCS7_SIGNER_INFO *si,
306		int verify)
307	0	{
308	0	if (!verify) {
309	0	int snid, hnid;
310	0	X509_ALGOR alg1, alg2;
311	0	EVP_PKEY *pkey = si->pkey;
312
313	0	PKCS7_SIGNER_INFO_get0_algs(si, NULL, &alg1, &alg2);
314	0	if (alg1 == NULL \|\| alg1->algorithm == NULL)
315	0	return -1;
316	0	hnid = OBJ_obj2nid(alg1->algorithm);
317	0	if (hnid == NID_undef)
318	0	return -1;
319	0	if (!OBJ_find_sigid_by_algs(&snid, hnid, EVP_PKEY_get_id(pkey)))
320	0	return -1;
321	0	return X509_ALGOR_set0(alg2, OBJ_nid2obj(snid), V_ASN1_UNDEF, NULL);
322	0	}
323	0	return 1;
324	0	}
325
326		static int pkcs7_rsa_sign_verify_setup(PKCS7_SIGNER_INFO *si, int verify)
327	0	{
328	0	if (!verify) {
329	0	X509_ALGOR *alg = NULL;
330
331	0	PKCS7_SIGNER_INFO_get0_algs(si, NULL, NULL, &alg);
332	0	if (alg != NULL)
333	0	return X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption),
334	0	V_ASN1_NULL, NULL);
335	0	}
336	0	return 1;
337	0	}
338
339		int PKCS7_SIGNER_INFO_set(PKCS7_SIGNER_INFO p7i, X509 x509, EVP_PKEY *pkey,
340		const EVP_MD *dgst)
341	0	{
342	0	int ret;
343
344		/* We now need to add another PKCS7_SIGNER_INFO entry */
345	0	if (!ASN1_INTEGER_set(p7i->version, 1))
346	0	return 0;
347	0	if (!X509_NAME_set(&p7i->issuer_and_serial->issuer,
348	0	X509_get_issuer_name(x509)))
349	0	return 0;
350
351		/*
352		* because ASN1_INTEGER_set is used to set a 'long' we will do things the
353		* ugly way.
354		*/
355	0	ASN1_INTEGER_free(p7i->issuer_and_serial->serial);
356	0	if (!(p7i->issuer_and_serial->serial =
357	0	ASN1_INTEGER_dup(X509_get0_serialNumber(x509))))
358	0	return 0;
359
360		/* lets keep the pkey around for a while */
361	0	EVP_PKEY_up_ref(pkey);
362	0	p7i->pkey = pkey;
363
364		/* Set the algorithms */
365
366	0	if (!X509_ALGOR_set0(p7i->digest_alg, OBJ_nid2obj(EVP_MD_get_type(dgst)),
367	0	V_ASN1_NULL, NULL))
368	0	return 0;
369
370	0	if (EVP_PKEY_is_a(pkey, "EC") \|\| EVP_PKEY_is_a(pkey, "DSA"))
371	0	return pkcs7_ecdsa_or_dsa_sign_verify_setup(p7i, 0);
372	0	if (EVP_PKEY_is_a(pkey, "RSA"))
373	0	return pkcs7_rsa_sign_verify_setup(p7i, 0);
374
375	0	if (pkey->ameth != NULL && pkey->ameth->pkey_ctrl != NULL) {
376	0	ret = pkey->ameth->pkey_ctrl(pkey, ASN1_PKEY_CTRL_PKCS7_SIGN, 0, p7i);
377	0	if (ret > 0)
378	0	return 1;
379	0	if (ret != -2) {
380	0	ERR_raise(ERR_LIB_PKCS7, PKCS7_R_SIGNING_CTRL_FAILURE);
381	0	return 0;
382	0	}
383	0	}
384	0	ERR_raise(ERR_LIB_PKCS7, PKCS7_R_SIGNING_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
385	0	return 0;
386	0	}
387
388		PKCS7_SIGNER_INFO PKCS7_add_signature(PKCS7 p7, X509 x509, EVP_PKEY pkey,
389		const EVP_MD *dgst)
390	0	{
391	0	PKCS7_SIGNER_INFO *si = NULL;
392
393	0	if (dgst == NULL) {
394	0	int def_nid;
395	0	if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) <= 0)
396	0	goto err;
397	0	dgst = EVP_get_digestbynid(def_nid);
398	0	if (dgst == NULL) {
399	0	ERR_raise(ERR_LIB_PKCS7, PKCS7_R_NO_DEFAULT_DIGEST);
400	0	goto err;
401	0	}
402	0	}
403
404	0	if ((si = PKCS7_SIGNER_INFO_new()) == NULL)
405	0	goto err;
406	0	if (PKCS7_SIGNER_INFO_set(si, x509, pkey, dgst) <= 0)
407	0	goto err;
408	0	if (!PKCS7_add_signer(p7, si))
409	0	goto err;
410	0	return si;
411	0	err:
412	0	PKCS7_SIGNER_INFO_free(si);
413	0	return NULL;
414	0	}
415
416		STACK_OF(X509) pkcs7_get0_certificates(const PKCS7 p7)
417	0	{
418	0	if (p7->d.ptr == NULL)
419	0	return NULL;
420	0	if (PKCS7_type_is_signed(p7))
421	0	return p7->d.sign->cert;
422	0	if (PKCS7_type_is_signedAndEnveloped(p7))
423	0	return p7->d.signed_and_enveloped->cert;
424	0	return NULL;
425	0	}
426
427		static STACK_OF(PKCS7_RECIP_INFO) pkcs7_get_recipient_info(const PKCS7 p7)
428	0	{
429	0	if (p7->d.ptr == NULL)
430	0	return NULL;
431	0	if (PKCS7_type_is_signedAndEnveloped(p7))
432	0	return p7->d.signed_and_enveloped->recipientinfo;
433	0	if (PKCS7_type_is_enveloped(p7))
434	0	return p7->d.enveloped->recipientinfo;
435	0	return NULL;
436	0	}
437
438		/*
439		* Set up the library context into any loaded structure that needs it.
440		* i.e loaded X509 objects.
441		*/
442		void ossl_pkcs7_resolve_libctx(PKCS7 *p7)
443	0	{
444	0	int i;
445	0	const PKCS7_CTX *ctx = ossl_pkcs7_get0_ctx(p7);
446	0	OSSL_LIB_CTX *libctx = ossl_pkcs7_ctx_get0_libctx(ctx);
447	0	const char *propq = ossl_pkcs7_ctx_get0_propq(ctx);
448	0	STACK_OF(PKCS7_RECIP_INFO) *rinfos;
449	0	STACK_OF(PKCS7_SIGNER_INFO) *sinfos;
450	0	STACK_OF(X509) *certs;
451
452	0	if (ctx == NULL \|\| p7->d.ptr == NULL)
453	0	return;
454
455	0	rinfos = pkcs7_get_recipient_info(p7);
456	0	sinfos = PKCS7_get_signer_info(p7);
457	0	certs = pkcs7_get0_certificates(p7);
458
459	0	for (i = 0; i < sk_X509_num(certs); i++)
460	0	ossl_x509_set0_libctx(sk_X509_value(certs, i), libctx, propq);
461
462	0	for (i = 0; i < sk_PKCS7_RECIP_INFO_num(rinfos); i++) {
463	0	PKCS7_RECIP_INFO *ri = sk_PKCS7_RECIP_INFO_value(rinfos, i);
464
465	0	ossl_x509_set0_libctx(ri->cert, libctx, propq);
466	0	}
467
468	0	for (i = 0; i < sk_PKCS7_SIGNER_INFO_num(sinfos); i++) {
469	0	PKCS7_SIGNER_INFO *si = sk_PKCS7_SIGNER_INFO_value(sinfos, i);
470
471	0	if (si != NULL)
472	0	si->ctx = ctx;
473	0	}
474	0	}
475
476		const PKCS7_CTX ossl_pkcs7_get0_ctx(const PKCS7 p7)
477	0	{
478	0	return p7 != NULL ? &p7->ctx : NULL;
479	0	}
480
481		void ossl_pkcs7_set0_libctx(PKCS7 p7, OSSL_LIB_CTX ctx)
482	0	{
483	0	p7->ctx.libctx = ctx;
484	0	}
485
486		int ossl_pkcs7_set1_propq(PKCS7 p7, const char propq)
487	0	{
488	0	if (p7->ctx.propq != NULL) {
489	0	OPENSSL_free(p7->ctx.propq);
490	0	p7->ctx.propq = NULL;
491	0	}
492	0	if (propq != NULL) {
493	0	p7->ctx.propq = OPENSSL_strdup(propq);
494	0	if (p7->ctx.propq == NULL)
495	0	return 0;
496	0	}
497	0	return 1;
498	0	}
499
500		int ossl_pkcs7_ctx_propagate(const PKCS7 from, PKCS7 to)
501	0	{
502	0	ossl_pkcs7_set0_libctx(to, from->ctx.libctx);
503	0	if (!ossl_pkcs7_set1_propq(to, from->ctx.propq))
504	0	return 0;
505
506	0	ossl_pkcs7_resolve_libctx(to);
507	0	return 1;
508	0	}
509
510		OSSL_LIB_CTX ossl_pkcs7_ctx_get0_libctx(const PKCS7_CTX ctx)
511	0	{
512	0	return ctx != NULL ? ctx->libctx : NULL;
513	0	}
514		const char ossl_pkcs7_ctx_get0_propq(const PKCS7_CTX ctx)
515	0	{
516	0	return ctx != NULL ? ctx->propq : NULL;
517	0	}
518
519		int PKCS7_set_digest(PKCS7 p7, const EVP_MD md)
520	0	{
521	0	if (PKCS7_type_is_digest(p7)) {
522	0	if ((p7->d.digest->md->parameter = ASN1_TYPE_new()) == NULL) {
523	0	ERR_raise(ERR_LIB_PKCS7, ERR_R_ASN1_LIB);
524	0	return 0;
525	0	}
526	0	p7->d.digest->md->parameter->type = V_ASN1_NULL;
527	0	p7->d.digest->md->algorithm = OBJ_nid2obj(EVP_MD_nid(md));
528	0	return 1;
529	0	}
530
531	0	ERR_raise(ERR_LIB_PKCS7, PKCS7_R_WRONG_CONTENT_TYPE);
532	0	return 1;
533	0	}
534
535		STACK_OF(PKCS7_SIGNER_INFO) PKCS7_get_signer_info(PKCS7 p7)
536	0	{
537	0	if (p7 == NULL \|\| p7->d.ptr == NULL)
538	0	return NULL;
539	0	if (PKCS7_type_is_signed(p7)) {
540	0	return p7->d.sign->signer_info;
541	0	} else if (PKCS7_type_is_signedAndEnveloped(p7)) {
542	0	return p7->d.signed_and_enveloped->signer_info;
543	0	} else
544	0	return NULL;
545	0	}
546
547		void PKCS7_SIGNER_INFO_get0_algs(PKCS7_SIGNER_INFO si, EVP_PKEY *pk,
548		X509_ALGOR pdig, X509_ALGOR psig)
549	0	{
550	0	if (pk)
551	0	*pk = si->pkey;
552	0	if (pdig)
553	0	*pdig = si->digest_alg;
554	0	if (psig)
555	0	*psig = si->digest_enc_alg;
556	0	}
557
558		void PKCS7_RECIP_INFO_get0_alg(PKCS7_RECIP_INFO ri, X509_ALGOR *penc)
559	0	{
560	0	if (penc)
561	0	*penc = ri->key_enc_algor;
562	0	}
563
564		PKCS7_RECIP_INFO PKCS7_add_recipient(PKCS7 p7, X509 *x509)
565	0	{
566	0	PKCS7_RECIP_INFO *ri;
567
568	0	if ((ri = PKCS7_RECIP_INFO_new()) == NULL)
569	0	goto err;
570	0	if (PKCS7_RECIP_INFO_set(ri, x509) <= 0)
571	0	goto err;
572	0	if (!PKCS7_add_recipient_info(p7, ri))
573	0	goto err;
574	0	ri->ctx = ossl_pkcs7_get0_ctx(p7);
575	0	return ri;
576	0	err:
577	0	PKCS7_RECIP_INFO_free(ri);
578	0	return NULL;
579	0	}
580
581		int PKCS7_add_recipient_info(PKCS7 p7, PKCS7_RECIP_INFO ri)
582	0	{
583	0	int i;
584	0	STACK_OF(PKCS7_RECIP_INFO) *sk;
585
586	0	i = OBJ_obj2nid(p7->type);
587	0	switch (i) {
588	0	case NID_pkcs7_signedAndEnveloped:
589	0	sk = p7->d.signed_and_enveloped->recipientinfo;
590	0	break;
591	0	case NID_pkcs7_enveloped:
592	0	sk = p7->d.enveloped->recipientinfo;
593	0	break;
594	0	default:
595	0	ERR_raise(ERR_LIB_PKCS7, PKCS7_R_WRONG_CONTENT_TYPE);
596	0	return 0;
597	0	}
598
599	0	if (!sk_PKCS7_RECIP_INFO_push(sk, ri))
600	0	return 0;
601	0	return 1;
602	0	}
603
604		static int pkcs7_rsa_encrypt_decrypt_setup(PKCS7_RECIP_INFO *ri, int decrypt)
605	0	{
606	0	X509_ALGOR *alg = NULL;
607
608	0	if (!decrypt) {
609	0	PKCS7_RECIP_INFO_get0_alg(ri, &alg);
610	0	if (alg != NULL)
611	0	return X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption),
612	0	V_ASN1_NULL, NULL);
613	0	}
614	0	return 1;
615	0	}
616
617		int PKCS7_RECIP_INFO_set(PKCS7_RECIP_INFO p7i, X509 x509)
618	0	{
619	0	int ret;
620	0	EVP_PKEY *pkey = NULL;
621	0	if (!ASN1_INTEGER_set(p7i->version, 0))
622	0	return 0;
623	0	if (!X509_NAME_set(&p7i->issuer_and_serial->issuer,
624	0	X509_get_issuer_name(x509)))
625	0	return 0;
626
627	0	ASN1_INTEGER_free(p7i->issuer_and_serial->serial);
628	0	if (!(p7i->issuer_and_serial->serial =
629	0	ASN1_INTEGER_dup(X509_get0_serialNumber(x509))))
630	0	return 0;
631
632	0	pkey = X509_get0_pubkey(x509);
633	0	if (pkey == NULL)
634	0	return 0;
635
636	0	if (EVP_PKEY_is_a(pkey, "RSA-PSS"))
637	0	return -2;
638	0	if (EVP_PKEY_is_a(pkey, "RSA")) {
639	0	if (pkcs7_rsa_encrypt_decrypt_setup(p7i, 0) <= 0)
640	0	goto err;
641	0	goto finished;
642	0	}
643
644	0	if (pkey->ameth == NULL \|\| pkey->ameth->pkey_ctrl == NULL) {
645	0	ERR_raise(ERR_LIB_PKCS7,
646	0	PKCS7_R_ENCRYPTION_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
647	0	goto err;
648	0	}
649
650	0	ret = pkey->ameth->pkey_ctrl(pkey, ASN1_PKEY_CTRL_PKCS7_ENCRYPT, 0, p7i);
651	0	if (ret == -2) {
652	0	ERR_raise(ERR_LIB_PKCS7,
653	0	PKCS7_R_ENCRYPTION_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
654	0	goto err;
655	0	}
656	0	if (ret <= 0) {
657	0	ERR_raise(ERR_LIB_PKCS7, PKCS7_R_ENCRYPTION_CTRL_FAILURE);
658	0	goto err;
659	0	}
660	0	finished:
661	0	X509_up_ref(x509);
662	0	p7i->cert = x509;
663
664	0	return 1;
665
666	0	err:
667	0	return 0;
668	0	}
669
670		X509 PKCS7_cert_from_signer_info(PKCS7 p7, PKCS7_SIGNER_INFO *si)
671	0	{
672	0	if (PKCS7_type_is_signed(p7))
673	0	return (X509_find_by_issuer_and_serial(p7->d.sign->cert,
674	0	si->issuer_and_serial->issuer,
675	0	si->
676	0	issuer_and_serial->serial));
677	0	else
678	0	return NULL;
679	0	}
680
681		int PKCS7_set_cipher(PKCS7 p7, const EVP_CIPHER cipher)
682	0	{
683	0	int i;
684	0	PKCS7_ENC_CONTENT *ec;
685
686	0	i = OBJ_obj2nid(p7->type);
687	0	switch (i) {
688	0	case NID_pkcs7_signedAndEnveloped:
689	0	ec = p7->d.signed_and_enveloped->enc_data;
690	0	break;
691	0	case NID_pkcs7_enveloped:
692	0	ec = p7->d.enveloped->enc_data;
693	0	break;
694	0	default:
695	0	ERR_raise(ERR_LIB_PKCS7, PKCS7_R_WRONG_CONTENT_TYPE);
696	0	return 0;
697	0	}
698
699		/* Check cipher OID exists and has data in it */
700	0	i = EVP_CIPHER_get_type(cipher);
701	0	if (i == NID_undef) {
702	0	ERR_raise(ERR_LIB_PKCS7, PKCS7_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER);
703	0	return 0;
704	0	}
705
706	0	ec->cipher = cipher;
707	0	ec->ctx = ossl_pkcs7_get0_ctx(p7);
708	0	return 1;
709	0	}
710
711		/* unfortunately cannot constify BIO_new_NDEF() due to this and CMS_stream() */
712		int PKCS7_stream(unsigned char **boundary, PKCS7 p7)
713	0	{
714	0	ASN1_OCTET_STRING *os = NULL;
715
716	0	switch (OBJ_obj2nid(p7->type)) {
717	0	case NID_pkcs7_data:
718	0	os = p7->d.data;
719	0	break;
720
721	0	case NID_pkcs7_signedAndEnveloped:
722	0	os = p7->d.signed_and_enveloped->enc_data->enc_data;
723	0	if (os == NULL) {
724	0	os = ASN1_OCTET_STRING_new();
725	0	p7->d.signed_and_enveloped->enc_data->enc_data = os;
726	0	}
727	0	break;
728
729	0	case NID_pkcs7_enveloped:
730	0	os = p7->d.enveloped->enc_data->enc_data;
731	0	if (os == NULL) {
732	0	os = ASN1_OCTET_STRING_new();
733	0	p7->d.enveloped->enc_data->enc_data = os;
734	0	}
735	0	break;
736
737	0	case NID_pkcs7_signed:
738	0	os = p7->d.sign->contents->d.data;
739	0	break;
740
741	0	default:
742	0	os = NULL;
743	0	break;
744	0	}
745
746	0	if (os == NULL)
747	0	return 0;
748
749	0	os->flags \|= ASN1_STRING_FLAG_NDEF;
750	0	*boundary = &os->data;
751
752	0	return 1;
753	0	}