/src/openssl/crypto/pkcs7/pk7_lib.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved. |
3 | | * |
4 | | * Licensed under the Apache License 2.0 (the "License"). You may not use |
5 | | * this file except in compliance with the License. You can obtain a copy |
6 | | * in the file LICENSE in the source distribution or at |
7 | | * https://www.openssl.org/source/license.html |
8 | | */ |
9 | | |
10 | | #include <stdio.h> |
11 | | #include "internal/cryptlib.h" |
12 | | #include <openssl/objects.h> |
13 | | #include <openssl/x509.h> |
14 | | #include <openssl/pkcs7.h> |
15 | | #include "crypto/asn1.h" |
16 | | #include "crypto/evp.h" |
17 | | #include "crypto/x509.h" /* for sk_X509_add1_cert() */ |
18 | | #include "pk7_local.h" |
19 | | |
20 | | long PKCS7_ctrl(PKCS7 *p7, int cmd, long larg, char *parg) |
21 | 0 | { |
22 | 0 | int nid; |
23 | 0 | long ret; |
24 | |
|
25 | 0 | nid = OBJ_obj2nid(p7->type); |
26 | |
|
27 | 0 | switch (cmd) { |
28 | | /* NOTE(emilia): does not support detached digested data. */ |
29 | 0 | case PKCS7_OP_SET_DETACHED_SIGNATURE: |
30 | 0 | if (nid == NID_pkcs7_signed) { |
31 | 0 | ret = p7->detached = (int)larg; |
32 | 0 | if (ret && PKCS7_type_is_data(p7->d.sign->contents)) { |
33 | 0 | ASN1_OCTET_STRING *os; |
34 | 0 | os = p7->d.sign->contents->d.data; |
35 | 0 | ASN1_OCTET_STRING_free(os); |
36 | 0 | p7->d.sign->contents->d.data = NULL; |
37 | 0 | } |
38 | 0 | } else { |
39 | 0 | ERR_raise(ERR_LIB_PKCS7, |
40 | 0 | PKCS7_R_OPERATION_NOT_SUPPORTED_ON_THIS_TYPE); |
41 | 0 | ret = 0; |
42 | 0 | } |
43 | 0 | break; |
44 | 0 | case PKCS7_OP_GET_DETACHED_SIGNATURE: |
45 | 0 | if (nid == NID_pkcs7_signed) { |
46 | 0 | if (p7->d.sign == NULL || p7->d.sign->contents->d.ptr == NULL) |
47 | 0 | ret = 1; |
48 | 0 | else |
49 | 0 | ret = 0; |
50 | |
|
51 | 0 | p7->detached = ret; |
52 | 0 | } else { |
53 | 0 | ERR_raise(ERR_LIB_PKCS7, |
54 | 0 | PKCS7_R_OPERATION_NOT_SUPPORTED_ON_THIS_TYPE); |
55 | 0 | ret = 0; |
56 | 0 | } |
57 | |
|
58 | 0 | break; |
59 | 0 | default: |
60 | 0 | ERR_raise(ERR_LIB_PKCS7, PKCS7_R_UNKNOWN_OPERATION); |
61 | 0 | ret = 0; |
62 | 0 | } |
63 | 0 | return ret; |
64 | 0 | } |
65 | | |
66 | | int PKCS7_content_new(PKCS7 *p7, int type) |
67 | 0 | { |
68 | 0 | PKCS7 *ret = NULL; |
69 | |
|
70 | 0 | if ((ret = PKCS7_new()) == NULL) |
71 | 0 | goto err; |
72 | 0 | if (!PKCS7_set_type(ret, type)) |
73 | 0 | goto err; |
74 | 0 | if (!PKCS7_set_content(p7, ret)) |
75 | 0 | goto err; |
76 | | |
77 | 0 | return 1; |
78 | 0 | err: |
79 | 0 | PKCS7_free(ret); |
80 | 0 | return 0; |
81 | 0 | } |
82 | | |
83 | | int PKCS7_set_content(PKCS7 *p7, PKCS7 *p7_data) |
84 | 0 | { |
85 | 0 | int i; |
86 | |
|
87 | 0 | i = OBJ_obj2nid(p7->type); |
88 | 0 | switch (i) { |
89 | 0 | case NID_pkcs7_signed: |
90 | 0 | PKCS7_free(p7->d.sign->contents); |
91 | 0 | p7->d.sign->contents = p7_data; |
92 | 0 | break; |
93 | 0 | case NID_pkcs7_digest: |
94 | 0 | PKCS7_free(p7->d.digest->contents); |
95 | 0 | p7->d.digest->contents = p7_data; |
96 | 0 | break; |
97 | 0 | case NID_pkcs7_data: |
98 | 0 | case NID_pkcs7_enveloped: |
99 | 0 | case NID_pkcs7_signedAndEnveloped: |
100 | 0 | case NID_pkcs7_encrypted: |
101 | 0 | default: |
102 | 0 | ERR_raise(ERR_LIB_PKCS7, PKCS7_R_UNSUPPORTED_CONTENT_TYPE); |
103 | 0 | goto err; |
104 | 0 | } |
105 | 0 | return 1; |
106 | 0 | err: |
107 | 0 | return 0; |
108 | 0 | } |
109 | | |
110 | | int PKCS7_set_type(PKCS7 *p7, int type) |
111 | 0 | { |
112 | 0 | ASN1_OBJECT *obj; |
113 | | |
114 | | /* |
115 | | * PKCS7_content_free(p7); |
116 | | */ |
117 | 0 | obj = OBJ_nid2obj(type); /* will not fail */ |
118 | |
|
119 | 0 | switch (type) { |
120 | 0 | case NID_pkcs7_signed: |
121 | 0 | p7->type = obj; |
122 | 0 | if ((p7->d.sign = PKCS7_SIGNED_new()) == NULL) |
123 | 0 | goto err; |
124 | 0 | if (!ASN1_INTEGER_set(p7->d.sign->version, 1)) { |
125 | 0 | PKCS7_SIGNED_free(p7->d.sign); |
126 | 0 | p7->d.sign = NULL; |
127 | 0 | goto err; |
128 | 0 | } |
129 | 0 | break; |
130 | 0 | case NID_pkcs7_data: |
131 | 0 | p7->type = obj; |
132 | 0 | if ((p7->d.data = ASN1_OCTET_STRING_new()) == NULL) |
133 | 0 | goto err; |
134 | 0 | break; |
135 | 0 | case NID_pkcs7_signedAndEnveloped: |
136 | 0 | p7->type = obj; |
137 | 0 | if ((p7->d.signed_and_enveloped = PKCS7_SIGN_ENVELOPE_new()) |
138 | 0 | == NULL) |
139 | 0 | goto err; |
140 | 0 | if (!ASN1_INTEGER_set(p7->d.signed_and_enveloped->version, 1)) |
141 | 0 | goto err; |
142 | 0 | p7->d.signed_and_enveloped->enc_data->content_type |
143 | 0 | = OBJ_nid2obj(NID_pkcs7_data); |
144 | 0 | break; |
145 | 0 | case NID_pkcs7_enveloped: |
146 | 0 | p7->type = obj; |
147 | 0 | if ((p7->d.enveloped = PKCS7_ENVELOPE_new()) |
148 | 0 | == NULL) |
149 | 0 | goto err; |
150 | 0 | if (!ASN1_INTEGER_set(p7->d.enveloped->version, 0)) |
151 | 0 | goto err; |
152 | 0 | p7->d.enveloped->enc_data->content_type = OBJ_nid2obj(NID_pkcs7_data); |
153 | 0 | break; |
154 | 0 | case NID_pkcs7_encrypted: |
155 | 0 | p7->type = obj; |
156 | 0 | if ((p7->d.encrypted = PKCS7_ENCRYPT_new()) |
157 | 0 | == NULL) |
158 | 0 | goto err; |
159 | 0 | if (!ASN1_INTEGER_set(p7->d.encrypted->version, 0)) |
160 | 0 | goto err; |
161 | 0 | p7->d.encrypted->enc_data->content_type = OBJ_nid2obj(NID_pkcs7_data); |
162 | 0 | break; |
163 | | |
164 | 0 | case NID_pkcs7_digest: |
165 | 0 | p7->type = obj; |
166 | 0 | if ((p7->d.digest = PKCS7_DIGEST_new()) |
167 | 0 | == NULL) |
168 | 0 | goto err; |
169 | 0 | if (!ASN1_INTEGER_set(p7->d.digest->version, 0)) |
170 | 0 | goto err; |
171 | 0 | break; |
172 | 0 | default: |
173 | 0 | ERR_raise(ERR_LIB_PKCS7, PKCS7_R_UNSUPPORTED_CONTENT_TYPE); |
174 | 0 | goto err; |
175 | 0 | } |
176 | 0 | return 1; |
177 | 0 | err: |
178 | 0 | return 0; |
179 | 0 | } |
180 | | |
181 | | int PKCS7_set0_type_other(PKCS7 *p7, int type, ASN1_TYPE *other) |
182 | 0 | { |
183 | 0 | p7->type = OBJ_nid2obj(type); |
184 | 0 | p7->d.other = other; |
185 | 0 | return 1; |
186 | 0 | } |
187 | | |
188 | | int PKCS7_add_signer(PKCS7 *p7, PKCS7_SIGNER_INFO *psi) |
189 | 0 | { |
190 | 0 | int i, j; |
191 | 0 | ASN1_OBJECT *obj; |
192 | 0 | X509_ALGOR *alg; |
193 | 0 | STACK_OF(PKCS7_SIGNER_INFO) *signer_sk; |
194 | 0 | STACK_OF(X509_ALGOR) *md_sk; |
195 | |
|
196 | 0 | i = OBJ_obj2nid(p7->type); |
197 | 0 | switch (i) { |
198 | 0 | case NID_pkcs7_signed: |
199 | 0 | signer_sk = p7->d.sign->signer_info; |
200 | 0 | md_sk = p7->d.sign->md_algs; |
201 | 0 | break; |
202 | 0 | case NID_pkcs7_signedAndEnveloped: |
203 | 0 | signer_sk = p7->d.signed_and_enveloped->signer_info; |
204 | 0 | md_sk = p7->d.signed_and_enveloped->md_algs; |
205 | 0 | break; |
206 | 0 | default: |
207 | 0 | ERR_raise(ERR_LIB_PKCS7, PKCS7_R_WRONG_CONTENT_TYPE); |
208 | 0 | return 0; |
209 | 0 | } |
210 | | |
211 | 0 | obj = psi->digest_alg->algorithm; |
212 | | /* If the digest is not currently listed, add it */ |
213 | 0 | j = 0; |
214 | 0 | for (i = 0; i < sk_X509_ALGOR_num(md_sk); i++) { |
215 | 0 | alg = sk_X509_ALGOR_value(md_sk, i); |
216 | 0 | if (OBJ_cmp(obj, alg->algorithm) == 0) { |
217 | 0 | j = 1; |
218 | 0 | break; |
219 | 0 | } |
220 | 0 | } |
221 | 0 | if (!j) { /* we need to add another algorithm */ |
222 | 0 | int nid; |
223 | |
|
224 | 0 | if ((alg = X509_ALGOR_new()) == NULL |
225 | 0 | || (alg->parameter = ASN1_TYPE_new()) == NULL) { |
226 | 0 | X509_ALGOR_free(alg); |
227 | 0 | ERR_raise(ERR_LIB_PKCS7, ERR_R_ASN1_LIB); |
228 | 0 | return 0; |
229 | 0 | } |
230 | | /* |
231 | | * If there is a constant copy of the ASN1 OBJECT in libcrypto, then |
232 | | * use that. Otherwise, use a dynamically duplicated copy |
233 | | */ |
234 | 0 | if ((nid = OBJ_obj2nid(obj)) != NID_undef) |
235 | 0 | alg->algorithm = OBJ_nid2obj(nid); |
236 | 0 | else |
237 | 0 | alg->algorithm = OBJ_dup(obj); |
238 | 0 | alg->parameter->type = V_ASN1_NULL; |
239 | 0 | if (alg->algorithm == NULL || !sk_X509_ALGOR_push(md_sk, alg)) { |
240 | 0 | X509_ALGOR_free(alg); |
241 | 0 | return 0; |
242 | 0 | } |
243 | 0 | } |
244 | | |
245 | 0 | psi->ctx = ossl_pkcs7_get0_ctx(p7); |
246 | 0 | if (!sk_PKCS7_SIGNER_INFO_push(signer_sk, psi)) |
247 | 0 | return 0; |
248 | 0 | return 1; |
249 | 0 | } |
250 | | |
251 | | int PKCS7_add_certificate(PKCS7 *p7, X509 *x509) |
252 | 0 | { |
253 | 0 | int i; |
254 | 0 | STACK_OF(X509) **sk; |
255 | |
|
256 | 0 | i = OBJ_obj2nid(p7->type); |
257 | 0 | switch (i) { |
258 | 0 | case NID_pkcs7_signed: |
259 | 0 | sk = &(p7->d.sign->cert); |
260 | 0 | break; |
261 | 0 | case NID_pkcs7_signedAndEnveloped: |
262 | 0 | sk = &(p7->d.signed_and_enveloped->cert); |
263 | 0 | break; |
264 | 0 | default: |
265 | 0 | ERR_raise(ERR_LIB_PKCS7, PKCS7_R_WRONG_CONTENT_TYPE); |
266 | 0 | return 0; |
267 | 0 | } |
268 | | |
269 | 0 | return ossl_x509_add_cert_new(sk, x509, X509_ADD_FLAG_UP_REF); |
270 | 0 | } |
271 | | |
272 | | int PKCS7_add_crl(PKCS7 *p7, X509_CRL *crl) |
273 | 0 | { |
274 | 0 | int i; |
275 | 0 | STACK_OF(X509_CRL) **sk; |
276 | |
|
277 | 0 | i = OBJ_obj2nid(p7->type); |
278 | 0 | switch (i) { |
279 | 0 | case NID_pkcs7_signed: |
280 | 0 | sk = &(p7->d.sign->crl); |
281 | 0 | break; |
282 | 0 | case NID_pkcs7_signedAndEnveloped: |
283 | 0 | sk = &(p7->d.signed_and_enveloped->crl); |
284 | 0 | break; |
285 | 0 | default: |
286 | 0 | ERR_raise(ERR_LIB_PKCS7, PKCS7_R_WRONG_CONTENT_TYPE); |
287 | 0 | return 0; |
288 | 0 | } |
289 | | |
290 | 0 | if (*sk == NULL) |
291 | 0 | *sk = sk_X509_CRL_new_null(); |
292 | 0 | if (*sk == NULL) { |
293 | 0 | ERR_raise(ERR_LIB_PKCS7, ERR_R_CRYPTO_LIB); |
294 | 0 | return 0; |
295 | 0 | } |
296 | | |
297 | 0 | X509_CRL_up_ref(crl); |
298 | 0 | if (!sk_X509_CRL_push(*sk, crl)) { |
299 | 0 | X509_CRL_free(crl); |
300 | 0 | return 0; |
301 | 0 | } |
302 | 0 | return 1; |
303 | 0 | } |
304 | | |
305 | | static int pkcs7_ecdsa_or_dsa_sign_verify_setup(PKCS7_SIGNER_INFO *si, |
306 | | int verify) |
307 | 0 | { |
308 | 0 | if (!verify) { |
309 | 0 | int snid, hnid; |
310 | 0 | X509_ALGOR *alg1, *alg2; |
311 | 0 | EVP_PKEY *pkey = si->pkey; |
312 | |
|
313 | 0 | PKCS7_SIGNER_INFO_get0_algs(si, NULL, &alg1, &alg2); |
314 | 0 | if (alg1 == NULL || alg1->algorithm == NULL) |
315 | 0 | return -1; |
316 | 0 | hnid = OBJ_obj2nid(alg1->algorithm); |
317 | 0 | if (hnid == NID_undef) |
318 | 0 | return -1; |
319 | 0 | if (!OBJ_find_sigid_by_algs(&snid, hnid, EVP_PKEY_get_id(pkey))) |
320 | 0 | return -1; |
321 | 0 | return X509_ALGOR_set0(alg2, OBJ_nid2obj(snid), V_ASN1_UNDEF, NULL); |
322 | 0 | } |
323 | 0 | return 1; |
324 | 0 | } |
325 | | |
326 | | static int pkcs7_rsa_sign_verify_setup(PKCS7_SIGNER_INFO *si, int verify) |
327 | 0 | { |
328 | 0 | if (!verify) { |
329 | 0 | X509_ALGOR *alg = NULL; |
330 | |
|
331 | 0 | PKCS7_SIGNER_INFO_get0_algs(si, NULL, NULL, &alg); |
332 | 0 | if (alg != NULL) |
333 | 0 | return X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption), |
334 | 0 | V_ASN1_NULL, NULL); |
335 | 0 | } |
336 | 0 | return 1; |
337 | 0 | } |
338 | | |
339 | | int PKCS7_SIGNER_INFO_set(PKCS7_SIGNER_INFO *p7i, X509 *x509, EVP_PKEY *pkey, |
340 | | const EVP_MD *dgst) |
341 | 0 | { |
342 | 0 | int ret; |
343 | | |
344 | | /* We now need to add another PKCS7_SIGNER_INFO entry */ |
345 | 0 | if (!ASN1_INTEGER_set(p7i->version, 1)) |
346 | 0 | return 0; |
347 | 0 | if (!X509_NAME_set(&p7i->issuer_and_serial->issuer, |
348 | 0 | X509_get_issuer_name(x509))) |
349 | 0 | return 0; |
350 | | |
351 | | /* |
352 | | * because ASN1_INTEGER_set is used to set a 'long' we will do things the |
353 | | * ugly way. |
354 | | */ |
355 | 0 | ASN1_INTEGER_free(p7i->issuer_and_serial->serial); |
356 | 0 | if (!(p7i->issuer_and_serial->serial = |
357 | 0 | ASN1_INTEGER_dup(X509_get0_serialNumber(x509)))) |
358 | 0 | return 0; |
359 | | |
360 | | /* lets keep the pkey around for a while */ |
361 | 0 | EVP_PKEY_up_ref(pkey); |
362 | 0 | p7i->pkey = pkey; |
363 | | |
364 | | /* Set the algorithms */ |
365 | |
|
366 | 0 | if (!X509_ALGOR_set0(p7i->digest_alg, OBJ_nid2obj(EVP_MD_get_type(dgst)), |
367 | 0 | V_ASN1_NULL, NULL)) |
368 | 0 | return 0; |
369 | | |
370 | 0 | if (EVP_PKEY_is_a(pkey, "EC") || EVP_PKEY_is_a(pkey, "DSA")) |
371 | 0 | return pkcs7_ecdsa_or_dsa_sign_verify_setup(p7i, 0); |
372 | 0 | if (EVP_PKEY_is_a(pkey, "RSA")) |
373 | 0 | return pkcs7_rsa_sign_verify_setup(p7i, 0); |
374 | | |
375 | 0 | if (pkey->ameth != NULL && pkey->ameth->pkey_ctrl != NULL) { |
376 | 0 | ret = pkey->ameth->pkey_ctrl(pkey, ASN1_PKEY_CTRL_PKCS7_SIGN, 0, p7i); |
377 | 0 | if (ret > 0) |
378 | 0 | return 1; |
379 | 0 | if (ret != -2) { |
380 | 0 | ERR_raise(ERR_LIB_PKCS7, PKCS7_R_SIGNING_CTRL_FAILURE); |
381 | 0 | return 0; |
382 | 0 | } |
383 | 0 | } |
384 | 0 | ERR_raise(ERR_LIB_PKCS7, PKCS7_R_SIGNING_NOT_SUPPORTED_FOR_THIS_KEY_TYPE); |
385 | 0 | return 0; |
386 | 0 | } |
387 | | |
388 | | PKCS7_SIGNER_INFO *PKCS7_add_signature(PKCS7 *p7, X509 *x509, EVP_PKEY *pkey, |
389 | | const EVP_MD *dgst) |
390 | 0 | { |
391 | 0 | PKCS7_SIGNER_INFO *si = NULL; |
392 | |
|
393 | 0 | if (dgst == NULL) { |
394 | 0 | int def_nid; |
395 | 0 | if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) <= 0) |
396 | 0 | goto err; |
397 | 0 | dgst = EVP_get_digestbynid(def_nid); |
398 | 0 | if (dgst == NULL) { |
399 | 0 | ERR_raise(ERR_LIB_PKCS7, PKCS7_R_NO_DEFAULT_DIGEST); |
400 | 0 | goto err; |
401 | 0 | } |
402 | 0 | } |
403 | | |
404 | 0 | if ((si = PKCS7_SIGNER_INFO_new()) == NULL) |
405 | 0 | goto err; |
406 | 0 | if (PKCS7_SIGNER_INFO_set(si, x509, pkey, dgst) <= 0) |
407 | 0 | goto err; |
408 | 0 | if (!PKCS7_add_signer(p7, si)) |
409 | 0 | goto err; |
410 | 0 | return si; |
411 | 0 | err: |
412 | 0 | PKCS7_SIGNER_INFO_free(si); |
413 | 0 | return NULL; |
414 | 0 | } |
415 | | |
416 | | STACK_OF(X509) *pkcs7_get0_certificates(const PKCS7 *p7) |
417 | 0 | { |
418 | 0 | if (p7->d.ptr == NULL) |
419 | 0 | return NULL; |
420 | 0 | if (PKCS7_type_is_signed(p7)) |
421 | 0 | return p7->d.sign->cert; |
422 | 0 | if (PKCS7_type_is_signedAndEnveloped(p7)) |
423 | 0 | return p7->d.signed_and_enveloped->cert; |
424 | 0 | return NULL; |
425 | 0 | } |
426 | | |
427 | | static STACK_OF(PKCS7_RECIP_INFO) *pkcs7_get_recipient_info(const PKCS7 *p7) |
428 | 0 | { |
429 | 0 | if (p7->d.ptr == NULL) |
430 | 0 | return NULL; |
431 | 0 | if (PKCS7_type_is_signedAndEnveloped(p7)) |
432 | 0 | return p7->d.signed_and_enveloped->recipientinfo; |
433 | 0 | if (PKCS7_type_is_enveloped(p7)) |
434 | 0 | return p7->d.enveloped->recipientinfo; |
435 | 0 | return NULL; |
436 | 0 | } |
437 | | |
438 | | /* |
439 | | * Set up the library context into any loaded structure that needs it. |
440 | | * i.e loaded X509 objects. |
441 | | */ |
442 | | void ossl_pkcs7_resolve_libctx(PKCS7 *p7) |
443 | 0 | { |
444 | 0 | int i; |
445 | 0 | const PKCS7_CTX *ctx = ossl_pkcs7_get0_ctx(p7); |
446 | 0 | OSSL_LIB_CTX *libctx = ossl_pkcs7_ctx_get0_libctx(ctx); |
447 | 0 | const char *propq = ossl_pkcs7_ctx_get0_propq(ctx); |
448 | 0 | STACK_OF(PKCS7_RECIP_INFO) *rinfos; |
449 | 0 | STACK_OF(PKCS7_SIGNER_INFO) *sinfos; |
450 | 0 | STACK_OF(X509) *certs; |
451 | |
|
452 | 0 | if (ctx == NULL || p7->d.ptr == NULL) |
453 | 0 | return; |
454 | | |
455 | 0 | rinfos = pkcs7_get_recipient_info(p7); |
456 | 0 | sinfos = PKCS7_get_signer_info(p7); |
457 | 0 | certs = pkcs7_get0_certificates(p7); |
458 | |
|
459 | 0 | for (i = 0; i < sk_X509_num(certs); i++) |
460 | 0 | ossl_x509_set0_libctx(sk_X509_value(certs, i), libctx, propq); |
461 | |
|
462 | 0 | for (i = 0; i < sk_PKCS7_RECIP_INFO_num(rinfos); i++) { |
463 | 0 | PKCS7_RECIP_INFO *ri = sk_PKCS7_RECIP_INFO_value(rinfos, i); |
464 | |
|
465 | 0 | ossl_x509_set0_libctx(ri->cert, libctx, propq); |
466 | 0 | } |
467 | |
|
468 | 0 | for (i = 0; i < sk_PKCS7_SIGNER_INFO_num(sinfos); i++) { |
469 | 0 | PKCS7_SIGNER_INFO *si = sk_PKCS7_SIGNER_INFO_value(sinfos, i); |
470 | |
|
471 | 0 | if (si != NULL) |
472 | 0 | si->ctx = ctx; |
473 | 0 | } |
474 | 0 | } |
475 | | |
476 | | const PKCS7_CTX *ossl_pkcs7_get0_ctx(const PKCS7 *p7) |
477 | 0 | { |
478 | 0 | return p7 != NULL ? &p7->ctx : NULL; |
479 | 0 | } |
480 | | |
481 | | void ossl_pkcs7_set0_libctx(PKCS7 *p7, OSSL_LIB_CTX *ctx) |
482 | 0 | { |
483 | 0 | p7->ctx.libctx = ctx; |
484 | 0 | } |
485 | | |
486 | | int ossl_pkcs7_set1_propq(PKCS7 *p7, const char *propq) |
487 | 0 | { |
488 | 0 | if (p7->ctx.propq != NULL) { |
489 | 0 | OPENSSL_free(p7->ctx.propq); |
490 | 0 | p7->ctx.propq = NULL; |
491 | 0 | } |
492 | 0 | if (propq != NULL) { |
493 | 0 | p7->ctx.propq = OPENSSL_strdup(propq); |
494 | 0 | if (p7->ctx.propq == NULL) |
495 | 0 | return 0; |
496 | 0 | } |
497 | 0 | return 1; |
498 | 0 | } |
499 | | |
500 | | int ossl_pkcs7_ctx_propagate(const PKCS7 *from, PKCS7 *to) |
501 | 0 | { |
502 | 0 | ossl_pkcs7_set0_libctx(to, from->ctx.libctx); |
503 | 0 | if (!ossl_pkcs7_set1_propq(to, from->ctx.propq)) |
504 | 0 | return 0; |
505 | | |
506 | 0 | ossl_pkcs7_resolve_libctx(to); |
507 | 0 | return 1; |
508 | 0 | } |
509 | | |
510 | | OSSL_LIB_CTX *ossl_pkcs7_ctx_get0_libctx(const PKCS7_CTX *ctx) |
511 | 0 | { |
512 | 0 | return ctx != NULL ? ctx->libctx : NULL; |
513 | 0 | } |
514 | | const char *ossl_pkcs7_ctx_get0_propq(const PKCS7_CTX *ctx) |
515 | 0 | { |
516 | 0 | return ctx != NULL ? ctx->propq : NULL; |
517 | 0 | } |
518 | | |
519 | | int PKCS7_set_digest(PKCS7 *p7, const EVP_MD *md) |
520 | 0 | { |
521 | 0 | if (PKCS7_type_is_digest(p7)) { |
522 | 0 | if ((p7->d.digest->md->parameter = ASN1_TYPE_new()) == NULL) { |
523 | 0 | ERR_raise(ERR_LIB_PKCS7, ERR_R_ASN1_LIB); |
524 | 0 | return 0; |
525 | 0 | } |
526 | 0 | p7->d.digest->md->parameter->type = V_ASN1_NULL; |
527 | 0 | p7->d.digest->md->algorithm = OBJ_nid2obj(EVP_MD_nid(md)); |
528 | 0 | return 1; |
529 | 0 | } |
530 | | |
531 | 0 | ERR_raise(ERR_LIB_PKCS7, PKCS7_R_WRONG_CONTENT_TYPE); |
532 | 0 | return 1; |
533 | 0 | } |
534 | | |
535 | | STACK_OF(PKCS7_SIGNER_INFO) *PKCS7_get_signer_info(PKCS7 *p7) |
536 | 0 | { |
537 | 0 | if (p7 == NULL || p7->d.ptr == NULL) |
538 | 0 | return NULL; |
539 | 0 | if (PKCS7_type_is_signed(p7)) { |
540 | 0 | return p7->d.sign->signer_info; |
541 | 0 | } else if (PKCS7_type_is_signedAndEnveloped(p7)) { |
542 | 0 | return p7->d.signed_and_enveloped->signer_info; |
543 | 0 | } else |
544 | 0 | return NULL; |
545 | 0 | } |
546 | | |
547 | | void PKCS7_SIGNER_INFO_get0_algs(PKCS7_SIGNER_INFO *si, EVP_PKEY **pk, |
548 | | X509_ALGOR **pdig, X509_ALGOR **psig) |
549 | 0 | { |
550 | 0 | if (pk) |
551 | 0 | *pk = si->pkey; |
552 | 0 | if (pdig) |
553 | 0 | *pdig = si->digest_alg; |
554 | 0 | if (psig) |
555 | 0 | *psig = si->digest_enc_alg; |
556 | 0 | } |
557 | | |
558 | | void PKCS7_RECIP_INFO_get0_alg(PKCS7_RECIP_INFO *ri, X509_ALGOR **penc) |
559 | 0 | { |
560 | 0 | if (penc) |
561 | 0 | *penc = ri->key_enc_algor; |
562 | 0 | } |
563 | | |
564 | | PKCS7_RECIP_INFO *PKCS7_add_recipient(PKCS7 *p7, X509 *x509) |
565 | 0 | { |
566 | 0 | PKCS7_RECIP_INFO *ri; |
567 | |
|
568 | 0 | if ((ri = PKCS7_RECIP_INFO_new()) == NULL) |
569 | 0 | goto err; |
570 | 0 | if (PKCS7_RECIP_INFO_set(ri, x509) <= 0) |
571 | 0 | goto err; |
572 | 0 | if (!PKCS7_add_recipient_info(p7, ri)) |
573 | 0 | goto err; |
574 | 0 | ri->ctx = ossl_pkcs7_get0_ctx(p7); |
575 | 0 | return ri; |
576 | 0 | err: |
577 | 0 | PKCS7_RECIP_INFO_free(ri); |
578 | 0 | return NULL; |
579 | 0 | } |
580 | | |
581 | | int PKCS7_add_recipient_info(PKCS7 *p7, PKCS7_RECIP_INFO *ri) |
582 | 0 | { |
583 | 0 | int i; |
584 | 0 | STACK_OF(PKCS7_RECIP_INFO) *sk; |
585 | |
|
586 | 0 | i = OBJ_obj2nid(p7->type); |
587 | 0 | switch (i) { |
588 | 0 | case NID_pkcs7_signedAndEnveloped: |
589 | 0 | sk = p7->d.signed_and_enveloped->recipientinfo; |
590 | 0 | break; |
591 | 0 | case NID_pkcs7_enveloped: |
592 | 0 | sk = p7->d.enveloped->recipientinfo; |
593 | 0 | break; |
594 | 0 | default: |
595 | 0 | ERR_raise(ERR_LIB_PKCS7, PKCS7_R_WRONG_CONTENT_TYPE); |
596 | 0 | return 0; |
597 | 0 | } |
598 | | |
599 | 0 | if (!sk_PKCS7_RECIP_INFO_push(sk, ri)) |
600 | 0 | return 0; |
601 | 0 | return 1; |
602 | 0 | } |
603 | | |
604 | | static int pkcs7_rsa_encrypt_decrypt_setup(PKCS7_RECIP_INFO *ri, int decrypt) |
605 | 0 | { |
606 | 0 | X509_ALGOR *alg = NULL; |
607 | |
|
608 | 0 | if (!decrypt) { |
609 | 0 | PKCS7_RECIP_INFO_get0_alg(ri, &alg); |
610 | 0 | if (alg != NULL) |
611 | 0 | return X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption), |
612 | 0 | V_ASN1_NULL, NULL); |
613 | 0 | } |
614 | 0 | return 1; |
615 | 0 | } |
616 | | |
617 | | int PKCS7_RECIP_INFO_set(PKCS7_RECIP_INFO *p7i, X509 *x509) |
618 | 0 | { |
619 | 0 | int ret; |
620 | 0 | EVP_PKEY *pkey = NULL; |
621 | 0 | if (!ASN1_INTEGER_set(p7i->version, 0)) |
622 | 0 | return 0; |
623 | 0 | if (!X509_NAME_set(&p7i->issuer_and_serial->issuer, |
624 | 0 | X509_get_issuer_name(x509))) |
625 | 0 | return 0; |
626 | | |
627 | 0 | ASN1_INTEGER_free(p7i->issuer_and_serial->serial); |
628 | 0 | if (!(p7i->issuer_and_serial->serial = |
629 | 0 | ASN1_INTEGER_dup(X509_get0_serialNumber(x509)))) |
630 | 0 | return 0; |
631 | | |
632 | 0 | pkey = X509_get0_pubkey(x509); |
633 | 0 | if (pkey == NULL) |
634 | 0 | return 0; |
635 | | |
636 | 0 | if (EVP_PKEY_is_a(pkey, "RSA-PSS")) |
637 | 0 | return -2; |
638 | 0 | if (EVP_PKEY_is_a(pkey, "RSA")) { |
639 | 0 | if (pkcs7_rsa_encrypt_decrypt_setup(p7i, 0) <= 0) |
640 | 0 | goto err; |
641 | 0 | goto finished; |
642 | 0 | } |
643 | | |
644 | 0 | if (pkey->ameth == NULL || pkey->ameth->pkey_ctrl == NULL) { |
645 | 0 | ERR_raise(ERR_LIB_PKCS7, |
646 | 0 | PKCS7_R_ENCRYPTION_NOT_SUPPORTED_FOR_THIS_KEY_TYPE); |
647 | 0 | goto err; |
648 | 0 | } |
649 | | |
650 | 0 | ret = pkey->ameth->pkey_ctrl(pkey, ASN1_PKEY_CTRL_PKCS7_ENCRYPT, 0, p7i); |
651 | 0 | if (ret == -2) { |
652 | 0 | ERR_raise(ERR_LIB_PKCS7, |
653 | 0 | PKCS7_R_ENCRYPTION_NOT_SUPPORTED_FOR_THIS_KEY_TYPE); |
654 | 0 | goto err; |
655 | 0 | } |
656 | 0 | if (ret <= 0) { |
657 | 0 | ERR_raise(ERR_LIB_PKCS7, PKCS7_R_ENCRYPTION_CTRL_FAILURE); |
658 | 0 | goto err; |
659 | 0 | } |
660 | 0 | finished: |
661 | 0 | X509_up_ref(x509); |
662 | 0 | p7i->cert = x509; |
663 | |
|
664 | 0 | return 1; |
665 | | |
666 | 0 | err: |
667 | 0 | return 0; |
668 | 0 | } |
669 | | |
670 | | X509 *PKCS7_cert_from_signer_info(PKCS7 *p7, PKCS7_SIGNER_INFO *si) |
671 | 0 | { |
672 | 0 | if (PKCS7_type_is_signed(p7)) |
673 | 0 | return (X509_find_by_issuer_and_serial(p7->d.sign->cert, |
674 | 0 | si->issuer_and_serial->issuer, |
675 | 0 | si-> |
676 | 0 | issuer_and_serial->serial)); |
677 | 0 | else |
678 | 0 | return NULL; |
679 | 0 | } |
680 | | |
681 | | int PKCS7_set_cipher(PKCS7 *p7, const EVP_CIPHER *cipher) |
682 | 0 | { |
683 | 0 | int i; |
684 | 0 | PKCS7_ENC_CONTENT *ec; |
685 | |
|
686 | 0 | i = OBJ_obj2nid(p7->type); |
687 | 0 | switch (i) { |
688 | 0 | case NID_pkcs7_signedAndEnveloped: |
689 | 0 | ec = p7->d.signed_and_enveloped->enc_data; |
690 | 0 | break; |
691 | 0 | case NID_pkcs7_enveloped: |
692 | 0 | ec = p7->d.enveloped->enc_data; |
693 | 0 | break; |
694 | 0 | default: |
695 | 0 | ERR_raise(ERR_LIB_PKCS7, PKCS7_R_WRONG_CONTENT_TYPE); |
696 | 0 | return 0; |
697 | 0 | } |
698 | | |
699 | | /* Check cipher OID exists and has data in it */ |
700 | 0 | i = EVP_CIPHER_get_type(cipher); |
701 | 0 | if (i == NID_undef) { |
702 | 0 | ERR_raise(ERR_LIB_PKCS7, PKCS7_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER); |
703 | 0 | return 0; |
704 | 0 | } |
705 | | |
706 | 0 | ec->cipher = cipher; |
707 | 0 | ec->ctx = ossl_pkcs7_get0_ctx(p7); |
708 | 0 | return 1; |
709 | 0 | } |
710 | | |
711 | | /* unfortunately cannot constify BIO_new_NDEF() due to this and CMS_stream() */ |
712 | | int PKCS7_stream(unsigned char ***boundary, PKCS7 *p7) |
713 | 0 | { |
714 | 0 | ASN1_OCTET_STRING *os = NULL; |
715 | |
|
716 | 0 | switch (OBJ_obj2nid(p7->type)) { |
717 | 0 | case NID_pkcs7_data: |
718 | 0 | os = p7->d.data; |
719 | 0 | break; |
720 | | |
721 | 0 | case NID_pkcs7_signedAndEnveloped: |
722 | 0 | os = p7->d.signed_and_enveloped->enc_data->enc_data; |
723 | 0 | if (os == NULL) { |
724 | 0 | os = ASN1_OCTET_STRING_new(); |
725 | 0 | p7->d.signed_and_enveloped->enc_data->enc_data = os; |
726 | 0 | } |
727 | 0 | break; |
728 | | |
729 | 0 | case NID_pkcs7_enveloped: |
730 | 0 | os = p7->d.enveloped->enc_data->enc_data; |
731 | 0 | if (os == NULL) { |
732 | 0 | os = ASN1_OCTET_STRING_new(); |
733 | 0 | p7->d.enveloped->enc_data->enc_data = os; |
734 | 0 | } |
735 | 0 | break; |
736 | | |
737 | 0 | case NID_pkcs7_signed: |
738 | 0 | os = p7->d.sign->contents->d.data; |
739 | 0 | break; |
740 | | |
741 | 0 | default: |
742 | 0 | os = NULL; |
743 | 0 | break; |
744 | 0 | } |
745 | | |
746 | 0 | if (os == NULL) |
747 | 0 | return 0; |
748 | | |
749 | 0 | os->flags |= ASN1_STRING_FLAG_NDEF; |
750 | 0 | *boundary = &os->data; |
751 | |
|
752 | 0 | return 1; |
753 | 0 | } |