/src/openssl32/crypto/cms/cms_ess.c

Source (jump to first uncovered line)
/*
 * Copyright 2008-2021 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include "internal/cryptlib.h"
#include <openssl/asn1t.h>
#include <openssl/pem.h>
#include <openssl/rand.h>
#include <openssl/x509v3.h>
#include <openssl/err.h>
#include <openssl/cms.h>
#include <openssl/ess.h>
#include "crypto/ess.h"
#include "crypto/x509.h"
#include "cms_local.h"

IMPLEMENT_ASN1_FUNCTIONS(CMS_ReceiptRequest)

/* ESS services */

int CMS_get1_ReceiptRequest(CMS_SignerInfo *si, CMS_ReceiptRequest **prr)
{
    ASN1_STRING *str;
    CMS_ReceiptRequest *rr;
    ASN1_OBJECT *obj = OBJ_nid2obj(NID_id_smime_aa_receiptRequest);

    if (prr != NULL)
        *prr = NULL;
    str = CMS_signed_get0_data_by_OBJ(si, obj, -3, V_ASN1_SEQUENCE);
    if (str == NULL)
        return 0;

    rr = ASN1_item_unpack(str, ASN1_ITEM_rptr(CMS_ReceiptRequest));
    if (rr == NULL)
        return -1;
    if (prr != NULL)
        *prr = rr;
    else
        CMS_ReceiptRequest_free(rr);
    return 1;
}

/*
 * Returns 0 if attribute is not found, 1 if found,
 * or -1 on attribute parsing failure.
 */
static int ossl_cms_signerinfo_get_signing_cert(const CMS_SignerInfo *si,
                                                ESS_SIGNING_CERT **psc)
{
    ASN1_STRING *str;
    ESS_SIGNING_CERT *sc;
    ASN1_OBJECT *obj = OBJ_nid2obj(NID_id_smime_aa_signingCertificate);

    if (psc != NULL)
        *psc = NULL;
    str = CMS_signed_get0_data_by_OBJ(si, obj, -3, V_ASN1_SEQUENCE);
    if (str == NULL)
        return 0;

    sc = ASN1_item_unpack(str, ASN1_ITEM_rptr(ESS_SIGNING_CERT));
    if (sc == NULL)
        return -1;
    if (psc != NULL)
        *psc = sc;
    else
        ESS_SIGNING_CERT_free(sc);
    return 1;
}

/*
 * Returns 0 if attribute is not found, 1 if found,
 * or -1 on attribute parsing failure.
 */
static int ossl_cms_signerinfo_get_signing_cert_v2(const CMS_SignerInfo *si,
                                                   ESS_SIGNING_CERT_V2 **psc)
{
    ASN1_STRING *str;
    ESS_SIGNING_CERT_V2 *sc;
    ASN1_OBJECT *obj = OBJ_nid2obj(NID_id_smime_aa_signingCertificateV2);

    if (psc != NULL)
        *psc = NULL;
    str = CMS_signed_get0_data_by_OBJ(si, obj, -3, V_ASN1_SEQUENCE);
    if (str == NULL)
        return 0;

    sc = ASN1_item_unpack(str, ASN1_ITEM_rptr(ESS_SIGNING_CERT_V2));
    if (sc == NULL)
        return -1;
    if (psc != NULL)
        *psc = sc;
    else
        ESS_SIGNING_CERT_V2_free(sc);
    return 1;
}

int ossl_cms_check_signing_certs(const CMS_SignerInfo *si,
                                 const STACK_OF(X509) *chain)
{
    ESS_SIGNING_CERT *ss = NULL;
    ESS_SIGNING_CERT_V2 *ssv2 = NULL;
    int ret = ossl_cms_signerinfo_get_signing_cert(si, &ss) >= 0
        && ossl_cms_signerinfo_get_signing_cert_v2(si, &ssv2) >= 0
        && OSSL_ESS_check_signing_certs(ss, ssv2, chain, 1) > 0;

    ESS_SIGNING_CERT_free(ss);
    ESS_SIGNING_CERT_V2_free(ssv2);
    return ret;
}

CMS_ReceiptRequest *CMS_ReceiptRequest_create0_ex(
    unsigned char *id, int idlen, int allorfirst,
    STACK_OF(GENERAL_NAMES) *receiptList, STACK_OF(GENERAL_NAMES) *receiptsTo,
    OSSL_LIB_CTX *libctx)
{
    CMS_ReceiptRequest *rr;

    rr = CMS_ReceiptRequest_new();
    if (rr == NULL) {
        ERR_raise(ERR_LIB_CMS, ERR_R_CMS_LIB);
        goto err;
    }
    if (id)
        ASN1_STRING_set0(rr->signedContentIdentifier, id, idlen);
    else {
        if (!ASN1_STRING_set(rr->signedContentIdentifier, NULL, 32)) {
            ERR_raise(ERR_LIB_CMS, ERR_R_ASN1_LIB);
            goto err;
        }
        if (RAND_bytes_ex(libctx, rr->signedContentIdentifier->data, 32,
                          0) <= 0)
            goto err;
    }

    sk_GENERAL_NAMES_pop_free(rr->receiptsTo, GENERAL_NAMES_free);
    rr->receiptsTo = receiptsTo;

    if (receiptList != NULL) {
        rr->receiptsFrom->type = 1;
        rr->receiptsFrom->d.receiptList = receiptList;
    } else {
        rr->receiptsFrom->type = 0;
        rr->receiptsFrom->d.allOrFirstTier = allorfirst;
    }

    return rr;

 err:
    CMS_ReceiptRequest_free(rr);
    return NULL;

}

CMS_ReceiptRequest *CMS_ReceiptRequest_create0(
    unsigned char *id, int idlen, int allorfirst,
    STACK_OF(GENERAL_NAMES) *receiptList, STACK_OF(GENERAL_NAMES) *receiptsTo)
{
    return CMS_ReceiptRequest_create0_ex(id, idlen, allorfirst, receiptList,
                                         receiptsTo, NULL);
}

int CMS_add1_ReceiptRequest(CMS_SignerInfo *si, CMS_ReceiptRequest *rr)
{
    unsigned char *rrder = NULL;
    int rrderlen, r = 0;

    rrderlen = i2d_CMS_ReceiptRequest(rr, &rrder);
    if (rrderlen < 0) {
        ERR_raise(ERR_LIB_CMS, ERR_R_CMS_LIB);
        goto err;
    }

    if (!CMS_signed_add1_attr_by_NID(si, NID_id_smime_aa_receiptRequest,
                                     V_ASN1_SEQUENCE, rrder, rrderlen)) {
        ERR_raise(ERR_LIB_CMS, ERR_R_CMS_LIB);
        goto err;
    }

    r = 1;

 err:
    OPENSSL_free(rrder);

    return r;

}

void CMS_ReceiptRequest_get0_values(CMS_ReceiptRequest *rr,
                                    ASN1_STRING **pcid,
                                    int *pallorfirst,
                                    STACK_OF(GENERAL_NAMES) **plist,
                                    STACK_OF(GENERAL_NAMES) **prto)
{
    if (pcid != NULL)
        *pcid = rr->signedContentIdentifier;
    if (rr->receiptsFrom->type == 0) {
        if (pallorfirst != NULL)
            *pallorfirst = (int)rr->receiptsFrom->d.allOrFirstTier;
        if (plist != NULL)
            *plist = NULL;
    } else {
        if (pallorfirst != NULL)
            *pallorfirst = -1;
        if (plist != NULL)
            *plist = rr->receiptsFrom->d.receiptList;
    }
    if (prto != NULL)
        *prto = rr->receiptsTo;
}

/* Digest a SignerInfo structure for msgSigDigest attribute processing */

static int cms_msgSigDigest(CMS_SignerInfo *si,
                            unsigned char *dig, unsigned int *diglen)
{
    const EVP_MD *md = EVP_get_digestbyobj(si->digestAlgorithm->algorithm);

    if (md == NULL)
        return 0;
    if (!ossl_asn1_item_digest_ex(ASN1_ITEM_rptr(CMS_Attributes_Verify), md,
                                  si->signedAttrs, dig, diglen,
                                  ossl_cms_ctx_get0_libctx(si->cms_ctx),
                                  ossl_cms_ctx_get0_propq(si->cms_ctx)))
        return 0;
    return 1;
}

/* Add a msgSigDigest attribute to a SignerInfo */

int ossl_cms_msgSigDigest_add1(CMS_SignerInfo *dest, CMS_SignerInfo *src)
{
    unsigned char dig[EVP_MAX_MD_SIZE];
    unsigned int diglen;

    if (!cms_msgSigDigest(src, dig, &diglen)) {
        ERR_raise(ERR_LIB_CMS, CMS_R_MSGSIGDIGEST_ERROR);
        return 0;
    }
    if (!CMS_signed_add1_attr_by_NID(dest, NID_id_smime_aa_msgSigDigest,
                                     V_ASN1_OCTET_STRING, dig, diglen)) {
        ERR_raise(ERR_LIB_CMS, ERR_R_CMS_LIB);
        return 0;
    }
    return 1;
}

/* Verify signed receipt after it has already passed normal CMS verify */

int ossl_cms_Receipt_verify(CMS_ContentInfo *cms, CMS_ContentInfo *req_cms)
{
    int r = 0, i;
    CMS_ReceiptRequest *rr = NULL;
    CMS_Receipt *rct = NULL;
    STACK_OF(CMS_SignerInfo) *sis, *osis;
    CMS_SignerInfo *si, *osi = NULL;
    ASN1_OCTET_STRING *msig, **pcont;
    ASN1_OBJECT *octype;
    unsigned char dig[EVP_MAX_MD_SIZE];
    unsigned int diglen;

    /* Get SignerInfos, also checks SignedData content type */
    osis = CMS_get0_SignerInfos(req_cms);
    sis = CMS_get0_SignerInfos(cms);
    if (!osis || !sis)
        goto err;

    if (sk_CMS_SignerInfo_num(sis) != 1) {
        ERR_raise(ERR_LIB_CMS, CMS_R_NEED_ONE_SIGNER);
        goto err;
    }

    /* Check receipt content type */
    if (OBJ_obj2nid(CMS_get0_eContentType(cms)) != NID_id_smime_ct_receipt) {
        ERR_raise(ERR_LIB_CMS, CMS_R_NOT_A_SIGNED_RECEIPT);
        goto err;
    }

    /* Extract and decode receipt content */
    pcont = CMS_get0_content(cms);
    if (pcont == NULL || *pcont == NULL) {
        ERR_raise(ERR_LIB_CMS, CMS_R_NO_CONTENT);
        goto err;
    }

    rct = ASN1_item_unpack(*pcont, ASN1_ITEM_rptr(CMS_Receipt));

    if (!rct) {
        ERR_raise(ERR_LIB_CMS, CMS_R_RECEIPT_DECODE_ERROR);
        goto err;
    }

    /* Locate original request */

    for (i = 0; i < sk_CMS_SignerInfo_num(osis); i++) {
        osi = sk_CMS_SignerInfo_value(osis, i);
        if (!ASN1_STRING_cmp(osi->signature, rct->originatorSignatureValue))
            break;
    }

    if (i == sk_CMS_SignerInfo_num(osis)) {
        ERR_raise(ERR_LIB_CMS, CMS_R_NO_MATCHING_SIGNATURE);
        goto err;
    }

    si = sk_CMS_SignerInfo_value(sis, 0);

    /* Get msgSigDigest value and compare */

    msig = CMS_signed_get0_data_by_OBJ(si,
                                       OBJ_nid2obj
                                       (NID_id_smime_aa_msgSigDigest), -3,
                                       V_ASN1_OCTET_STRING);

    if (!msig) {
        ERR_raise(ERR_LIB_CMS, CMS_R_NO_MSGSIGDIGEST);
        goto err;
    }

    if (!cms_msgSigDigest(osi, dig, &diglen)) {
        ERR_raise(ERR_LIB_CMS, CMS_R_MSGSIGDIGEST_ERROR);
        goto err;
    }

    if (diglen != (unsigned int)msig->length) {
        ERR_raise(ERR_LIB_CMS, CMS_R_MSGSIGDIGEST_WRONG_LENGTH);
        goto err;
    }

    if (memcmp(dig, msig->data, diglen)) {
        ERR_raise(ERR_LIB_CMS, CMS_R_MSGSIGDIGEST_VERIFICATION_FAILURE);
        goto err;
    }

    /* Compare content types */

    octype = CMS_signed_get0_data_by_OBJ(osi,
                                         OBJ_nid2obj(NID_pkcs9_contentType),
                                         -3, V_ASN1_OBJECT);
    if (!octype) {
        ERR_raise(ERR_LIB_CMS, CMS_R_NO_CONTENT_TYPE);
        goto err;
    }

    /* Compare details in receipt request */

    if (OBJ_cmp(octype, rct->contentType)) {
        ERR_raise(ERR_LIB_CMS, CMS_R_CONTENT_TYPE_MISMATCH);
        goto err;
    }

    /* Get original receipt request details */

    if (CMS_get1_ReceiptRequest(osi, &rr) <= 0) {
        ERR_raise(ERR_LIB_CMS, CMS_R_NO_RECEIPT_REQUEST);
        goto err;
    }

    if (ASN1_STRING_cmp(rr->signedContentIdentifier,
                        rct->signedContentIdentifier)) {
        ERR_raise(ERR_LIB_CMS, CMS_R_CONTENTIDENTIFIER_MISMATCH);
        goto err;
    }

    r = 1;

 err:
    CMS_ReceiptRequest_free(rr);
    M_ASN1_free_of(rct, CMS_Receipt);
    return r;

}

/*
 * Encode a Receipt into an OCTET STRING read for including into content of a
 * SignedData ContentInfo.
 */

ASN1_OCTET_STRING *ossl_cms_encode_Receipt(CMS_SignerInfo *si)
{
    CMS_Receipt rct;
    CMS_ReceiptRequest *rr = NULL;
    ASN1_OBJECT *ctype;
    ASN1_OCTET_STRING *os = NULL;

    /* Get original receipt request */

    /* Get original receipt request details */

    if (CMS_get1_ReceiptRequest(si, &rr) <= 0) {
        ERR_raise(ERR_LIB_CMS, CMS_R_NO_RECEIPT_REQUEST);
        goto err;
    }

    /* Get original content type */

    ctype = CMS_signed_get0_data_by_OBJ(si,
                                        OBJ_nid2obj(NID_pkcs9_contentType),
                                        -3, V_ASN1_OBJECT);
    if (!ctype) {
        ERR_raise(ERR_LIB_CMS, CMS_R_NO_CONTENT_TYPE);
        goto err;
    }

    rct.version = 1;
    rct.contentType = ctype;
    rct.signedContentIdentifier = rr->signedContentIdentifier;
    rct.originatorSignatureValue = si->signature;

    os = ASN1_item_pack(&rct, ASN1_ITEM_rptr(CMS_Receipt), NULL);

 err:
    CMS_ReceiptRequest_free(rr);
    return os;
}

Coverage Report

Created: 2025-06-13 06:58

Line	Count	Source (jump to first uncovered line)
1		/*
2		* Copyright 2008-2021 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the Apache License 2.0 (the "License"). You may not use
5		* this file except in compliance with the License. You can obtain a copy
6		* in the file LICENSE in the source distribution or at
7		* https://www.openssl.org/source/license.html
8		*/
9
10		#include "internal/cryptlib.h"
11		#include <openssl/asn1t.h>
12		#include <openssl/pem.h>
13		#include <openssl/rand.h>
14		#include <openssl/x509v3.h>
15		#include <openssl/err.h>
16		#include <openssl/cms.h>
17		#include <openssl/ess.h>
18		#include "crypto/ess.h"
19		#include "crypto/x509.h"
20		#include "cms_local.h"
21
22		IMPLEMENT_ASN1_FUNCTIONS(CMS_ReceiptRequest)
23
24		/* ESS services */
25
26		int CMS_get1_ReceiptRequest(CMS_SignerInfo si, CMS_ReceiptRequest *prr)
27	0	{
28	0	ASN1_STRING *str;
29	0	CMS_ReceiptRequest *rr;
30	0	ASN1_OBJECT *obj = OBJ_nid2obj(NID_id_smime_aa_receiptRequest);
31
32	0	if (prr != NULL)
33	0	*prr = NULL;
34	0	str = CMS_signed_get0_data_by_OBJ(si, obj, -3, V_ASN1_SEQUENCE);
35	0	if (str == NULL)
36	0	return 0;
37
38	0	rr = ASN1_item_unpack(str, ASN1_ITEM_rptr(CMS_ReceiptRequest));
39	0	if (rr == NULL)
40	0	return -1;
41	0	if (prr != NULL)
42	0	*prr = rr;
43	0	else
44	0	CMS_ReceiptRequest_free(rr);
45	0	return 1;
46	0	}
47
48		/*
49		* Returns 0 if attribute is not found, 1 if found,
50		* or -1 on attribute parsing failure.
51		*/
52		static int ossl_cms_signerinfo_get_signing_cert(const CMS_SignerInfo *si,
53		ESS_SIGNING_CERT **psc)
54	0	{
55	0	ASN1_STRING *str;
56	0	ESS_SIGNING_CERT *sc;
57	0	ASN1_OBJECT *obj = OBJ_nid2obj(NID_id_smime_aa_signingCertificate);
58
59	0	if (psc != NULL)
60	0	*psc = NULL;
61	0	str = CMS_signed_get0_data_by_OBJ(si, obj, -3, V_ASN1_SEQUENCE);
62	0	if (str == NULL)
63	0	return 0;
64
65	0	sc = ASN1_item_unpack(str, ASN1_ITEM_rptr(ESS_SIGNING_CERT));
66	0	if (sc == NULL)
67	0	return -1;
68	0	if (psc != NULL)
69	0	*psc = sc;
70	0	else
71	0	ESS_SIGNING_CERT_free(sc);
72	0	return 1;
73	0	}
74
75		/*
76		* Returns 0 if attribute is not found, 1 if found,
77		* or -1 on attribute parsing failure.
78		*/
79		static int ossl_cms_signerinfo_get_signing_cert_v2(const CMS_SignerInfo *si,
80		ESS_SIGNING_CERT_V2 **psc)
81	0	{
82	0	ASN1_STRING *str;
83	0	ESS_SIGNING_CERT_V2 *sc;
84	0	ASN1_OBJECT *obj = OBJ_nid2obj(NID_id_smime_aa_signingCertificateV2);
85
86	0	if (psc != NULL)
87	0	*psc = NULL;
88	0	str = CMS_signed_get0_data_by_OBJ(si, obj, -3, V_ASN1_SEQUENCE);
89	0	if (str == NULL)
90	0	return 0;
91
92	0	sc = ASN1_item_unpack(str, ASN1_ITEM_rptr(ESS_SIGNING_CERT_V2));
93	0	if (sc == NULL)
94	0	return -1;
95	0	if (psc != NULL)
96	0	*psc = sc;
97	0	else
98	0	ESS_SIGNING_CERT_V2_free(sc);
99	0	return 1;
100	0	}
101
102		int ossl_cms_check_signing_certs(const CMS_SignerInfo *si,
103		const STACK_OF(X509) *chain)
104	0	{
105	0	ESS_SIGNING_CERT *ss = NULL;
106	0	ESS_SIGNING_CERT_V2 *ssv2 = NULL;
107	0	int ret = ossl_cms_signerinfo_get_signing_cert(si, &ss) >= 0
108	0	&& ossl_cms_signerinfo_get_signing_cert_v2(si, &ssv2) >= 0
109	0	&& OSSL_ESS_check_signing_certs(ss, ssv2, chain, 1) > 0;
110
111	0	ESS_SIGNING_CERT_free(ss);
112	0	ESS_SIGNING_CERT_V2_free(ssv2);
113	0	return ret;
114	0	}
115
116		CMS_ReceiptRequest *CMS_ReceiptRequest_create0_ex(
117		unsigned char *id, int idlen, int allorfirst,
118		STACK_OF(GENERAL_NAMES) receiptList, STACK_OF(GENERAL_NAMES) receiptsTo,
119		OSSL_LIB_CTX *libctx)
120	0	{
121	0	CMS_ReceiptRequest *rr;
122
123	0	rr = CMS_ReceiptRequest_new();
124	0	if (rr == NULL) {
125	0	ERR_raise(ERR_LIB_CMS, ERR_R_CMS_LIB);
126	0	goto err;
127	0	}
128	0	if (id)
129	0	ASN1_STRING_set0(rr->signedContentIdentifier, id, idlen);
130	0	else {
131	0	if (!ASN1_STRING_set(rr->signedContentIdentifier, NULL, 32)) {
132	0	ERR_raise(ERR_LIB_CMS, ERR_R_ASN1_LIB);
133	0	goto err;
134	0	}
135	0	if (RAND_bytes_ex(libctx, rr->signedContentIdentifier->data, 32,
136	0	0) <= 0)
137	0	goto err;
138	0	}
139
140	0	sk_GENERAL_NAMES_pop_free(rr->receiptsTo, GENERAL_NAMES_free);
141	0	rr->receiptsTo = receiptsTo;
142
143	0	if (receiptList != NULL) {
144	0	rr->receiptsFrom->type = 1;
145	0	rr->receiptsFrom->d.receiptList = receiptList;
146	0	} else {
147	0	rr->receiptsFrom->type = 0;
148	0	rr->receiptsFrom->d.allOrFirstTier = allorfirst;
149	0	}
150
151	0	return rr;
152
153	0	err:
154	0	CMS_ReceiptRequest_free(rr);
155	0	return NULL;
156
157	0	}
158
159		CMS_ReceiptRequest *CMS_ReceiptRequest_create0(
160		unsigned char *id, int idlen, int allorfirst,
161		STACK_OF(GENERAL_NAMES) receiptList, STACK_OF(GENERAL_NAMES) receiptsTo)
162	0	{
163	0	return CMS_ReceiptRequest_create0_ex(id, idlen, allorfirst, receiptList,
164	0	receiptsTo, NULL);
165	0	}
166
167		int CMS_add1_ReceiptRequest(CMS_SignerInfo si, CMS_ReceiptRequest rr)
168	0	{
169	0	unsigned char *rrder = NULL;
170	0	int rrderlen, r = 0;
171
172	0	rrderlen = i2d_CMS_ReceiptRequest(rr, &rrder);
173	0	if (rrderlen < 0) {
174	0	ERR_raise(ERR_LIB_CMS, ERR_R_CMS_LIB);
175	0	goto err;
176	0	}
177
178	0	if (!CMS_signed_add1_attr_by_NID(si, NID_id_smime_aa_receiptRequest,
179	0	V_ASN1_SEQUENCE, rrder, rrderlen)) {
180	0	ERR_raise(ERR_LIB_CMS, ERR_R_CMS_LIB);
181	0	goto err;
182	0	}
183
184	0	r = 1;
185
186	0	err:
187	0	OPENSSL_free(rrder);
188
189	0	return r;
190
191	0	}
192
193		void CMS_ReceiptRequest_get0_values(CMS_ReceiptRequest *rr,
194		ASN1_STRING **pcid,
195		int *pallorfirst,
196		STACK_OF(GENERAL_NAMES) **plist,
197		STACK_OF(GENERAL_NAMES) **prto)
198	0	{
199	0	if (pcid != NULL)
200	0	*pcid = rr->signedContentIdentifier;
201	0	if (rr->receiptsFrom->type == 0) {
202	0	if (pallorfirst != NULL)
203	0	*pallorfirst = (int)rr->receiptsFrom->d.allOrFirstTier;
204	0	if (plist != NULL)
205	0	*plist = NULL;
206	0	} else {
207	0	if (pallorfirst != NULL)
208	0	*pallorfirst = -1;
209	0	if (plist != NULL)
210	0	*plist = rr->receiptsFrom->d.receiptList;
211	0	}
212	0	if (prto != NULL)
213	0	*prto = rr->receiptsTo;
214	0	}
215
216		/* Digest a SignerInfo structure for msgSigDigest attribute processing */
217
218		static int cms_msgSigDigest(CMS_SignerInfo *si,
219		unsigned char dig, unsigned int diglen)
220	0	{
221	0	const EVP_MD *md = EVP_get_digestbyobj(si->digestAlgorithm->algorithm);
222
223	0	if (md == NULL)
224	0	return 0;
225	0	if (!ossl_asn1_item_digest_ex(ASN1_ITEM_rptr(CMS_Attributes_Verify), md,
226	0	si->signedAttrs, dig, diglen,
227	0	ossl_cms_ctx_get0_libctx(si->cms_ctx),
228	0	ossl_cms_ctx_get0_propq(si->cms_ctx)))
229	0	return 0;
230	0	return 1;
231	0	}
232
233		/* Add a msgSigDigest attribute to a SignerInfo */
234
235		int ossl_cms_msgSigDigest_add1(CMS_SignerInfo dest, CMS_SignerInfo src)
236	0	{
237	0	unsigned char dig[EVP_MAX_MD_SIZE];
238	0	unsigned int diglen;
239
240	0	if (!cms_msgSigDigest(src, dig, &diglen)) {
241	0	ERR_raise(ERR_LIB_CMS, CMS_R_MSGSIGDIGEST_ERROR);
242	0	return 0;
243	0	}
244	0	if (!CMS_signed_add1_attr_by_NID(dest, NID_id_smime_aa_msgSigDigest,
245	0	V_ASN1_OCTET_STRING, dig, diglen)) {
246	0	ERR_raise(ERR_LIB_CMS, ERR_R_CMS_LIB);
247	0	return 0;
248	0	}
249	0	return 1;
250	0	}
251
252		/* Verify signed receipt after it has already passed normal CMS verify */
253
254		int ossl_cms_Receipt_verify(CMS_ContentInfo cms, CMS_ContentInfo req_cms)
255	0	{
256	0	int r = 0, i;
257	0	CMS_ReceiptRequest *rr = NULL;
258	0	CMS_Receipt *rct = NULL;
259	0	STACK_OF(CMS_SignerInfo) sis, osis;
260	0	CMS_SignerInfo si, osi = NULL;
261	0	ASN1_OCTET_STRING msig, *pcont;
262	0	ASN1_OBJECT *octype;
263	0	unsigned char dig[EVP_MAX_MD_SIZE];
264	0	unsigned int diglen;
265
266		/* Get SignerInfos, also checks SignedData content type */
267	0	osis = CMS_get0_SignerInfos(req_cms);
268	0	sis = CMS_get0_SignerInfos(cms);
269	0	if (!osis \|\| !sis)
270	0	goto err;
271
272	0	if (sk_CMS_SignerInfo_num(sis) != 1) {
273	0	ERR_raise(ERR_LIB_CMS, CMS_R_NEED_ONE_SIGNER);
274	0	goto err;
275	0	}
276
277		/* Check receipt content type */
278	0	if (OBJ_obj2nid(CMS_get0_eContentType(cms)) != NID_id_smime_ct_receipt) {
279	0	ERR_raise(ERR_LIB_CMS, CMS_R_NOT_A_SIGNED_RECEIPT);
280	0	goto err;
281	0	}
282
283		/* Extract and decode receipt content */
284	0	pcont = CMS_get0_content(cms);
285	0	if (pcont == NULL \|\| *pcont == NULL) {
286	0	ERR_raise(ERR_LIB_CMS, CMS_R_NO_CONTENT);
287	0	goto err;
288	0	}
289
290	0	rct = ASN1_item_unpack(*pcont, ASN1_ITEM_rptr(CMS_Receipt));
291
292	0	if (!rct) {
293	0	ERR_raise(ERR_LIB_CMS, CMS_R_RECEIPT_DECODE_ERROR);
294	0	goto err;
295	0	}
296
297		/* Locate original request */
298
299	0	for (i = 0; i < sk_CMS_SignerInfo_num(osis); i++) {
300	0	osi = sk_CMS_SignerInfo_value(osis, i);
301	0	if (!ASN1_STRING_cmp(osi->signature, rct->originatorSignatureValue))
302	0	break;
303	0	}
304
305	0	if (i == sk_CMS_SignerInfo_num(osis)) {
306	0	ERR_raise(ERR_LIB_CMS, CMS_R_NO_MATCHING_SIGNATURE);
307	0	goto err;
308	0	}
309
310	0	si = sk_CMS_SignerInfo_value(sis, 0);
311
312		/* Get msgSigDigest value and compare */
313
314	0	msig = CMS_signed_get0_data_by_OBJ(si,
315	0	OBJ_nid2obj
316	0	(NID_id_smime_aa_msgSigDigest), -3,
317	0	V_ASN1_OCTET_STRING);
318
319	0	if (!msig) {
320	0	ERR_raise(ERR_LIB_CMS, CMS_R_NO_MSGSIGDIGEST);
321	0	goto err;
322	0	}
323
324	0	if (!cms_msgSigDigest(osi, dig, &diglen)) {
325	0	ERR_raise(ERR_LIB_CMS, CMS_R_MSGSIGDIGEST_ERROR);
326	0	goto err;
327	0	}
328
329	0	if (diglen != (unsigned int)msig->length) {
330	0	ERR_raise(ERR_LIB_CMS, CMS_R_MSGSIGDIGEST_WRONG_LENGTH);
331	0	goto err;
332	0	}
333
334	0	if (memcmp(dig, msig->data, diglen)) {
335	0	ERR_raise(ERR_LIB_CMS, CMS_R_MSGSIGDIGEST_VERIFICATION_FAILURE);
336	0	goto err;
337	0	}
338
339		/* Compare content types */
340
341	0	octype = CMS_signed_get0_data_by_OBJ(osi,
342	0	OBJ_nid2obj(NID_pkcs9_contentType),
343	0	-3, V_ASN1_OBJECT);
344	0	if (!octype) {
345	0	ERR_raise(ERR_LIB_CMS, CMS_R_NO_CONTENT_TYPE);
346	0	goto err;
347	0	}
348
349		/* Compare details in receipt request */
350
351	0	if (OBJ_cmp(octype, rct->contentType)) {
352	0	ERR_raise(ERR_LIB_CMS, CMS_R_CONTENT_TYPE_MISMATCH);
353	0	goto err;
354	0	}
355
356		/* Get original receipt request details */
357
358	0	if (CMS_get1_ReceiptRequest(osi, &rr) <= 0) {
359	0	ERR_raise(ERR_LIB_CMS, CMS_R_NO_RECEIPT_REQUEST);
360	0	goto err;
361	0	}
362
363	0	if (ASN1_STRING_cmp(rr->signedContentIdentifier,
364	0	rct->signedContentIdentifier)) {
365	0	ERR_raise(ERR_LIB_CMS, CMS_R_CONTENTIDENTIFIER_MISMATCH);
366	0	goto err;
367	0	}
368
369	0	r = 1;
370
371	0	err:
372	0	CMS_ReceiptRequest_free(rr);
373	0	M_ASN1_free_of(rct, CMS_Receipt);
374	0	return r;
375
376	0	}
377
378		/*
379		* Encode a Receipt into an OCTET STRING read for including into content of a
380		* SignedData ContentInfo.
381		*/
382
383		ASN1_OCTET_STRING ossl_cms_encode_Receipt(CMS_SignerInfo si)
384	0	{
385	0	CMS_Receipt rct;
386	0	CMS_ReceiptRequest *rr = NULL;
387	0	ASN1_OBJECT *ctype;
388	0	ASN1_OCTET_STRING *os = NULL;
389
390		/* Get original receipt request */
391
392		/* Get original receipt request details */
393
394	0	if (CMS_get1_ReceiptRequest(si, &rr) <= 0) {
395	0	ERR_raise(ERR_LIB_CMS, CMS_R_NO_RECEIPT_REQUEST);
396	0	goto err;
397	0	}
398
399		/* Get original content type */
400
401	0	ctype = CMS_signed_get0_data_by_OBJ(si,
402	0	OBJ_nid2obj(NID_pkcs9_contentType),
403	0	-3, V_ASN1_OBJECT);
404	0	if (!ctype) {
405	0	ERR_raise(ERR_LIB_CMS, CMS_R_NO_CONTENT_TYPE);
406	0	goto err;
407	0	}
408
409	0	rct.version = 1;
410	0	rct.contentType = ctype;
411	0	rct.signedContentIdentifier = rr->signedContentIdentifier;
412	0	rct.originatorSignatureValue = si->signature;
413
414	0	os = ASN1_item_pack(&rct, ASN1_ITEM_rptr(CMS_Receipt), NULL);
415
416	0	err:
417	0	CMS_ReceiptRequest_free(rr);
418	0	return os;
419	0	}