[thirdparty/openssl.git] / crypto / asn1 / a_sign.c

/*
 * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <stdio.h>
#include <time.h>
#include <sys/types.h>

#include "internal/cryptlib.h"

#include <openssl/bn.h>
#include <openssl/evp.h>
#include <openssl/x509.h>
#include <openssl/objects.h>
#include <openssl/buffer.h>
#include <openssl/core_names.h>
#include "crypto/asn1.h"
#include "crypto/evp.h"

#ifndef OPENSSL_NO_DEPRECATED_3_0

int ASN1_sign(i2d_of_void *i2d, X509_ALGOR *algor1, X509_ALGOR *algor2,
              ASN1_BIT_STRING *signature, char *data, EVP_PKEY *pkey,
              const EVP_MD *type)
{
    EVP_MD_CTX *ctx = EVP_MD_CTX_new();
    unsigned char *p, *buf_in = NULL, *buf_out = NULL;
    int i, inl = 0, outl = 0;
    size_t inll = 0, outll = 0;
    X509_ALGOR *a;

    if (ctx == NULL) {
        ASN1err(ASN1_F_ASN1_SIGN, ERR_R_MALLOC_FAILURE);
        goto err;
    }
    for (i = 0; i < 2; i++) {
        if (i == 0)
            a = algor1;
        else
            a = algor2;
        if (a == NULL)
            continue;
        if (type->pkey_type == NID_dsaWithSHA1) {
            /*
             * special case: RFC 2459 tells us to omit 'parameters' with
             * id-dsa-with-sha1
             */
            ASN1_TYPE_free(a->parameter);
            a->parameter = NULL;
        } else if ((a->parameter == NULL) ||
                   (a->parameter->type != V_ASN1_NULL)) {
            ASN1_TYPE_free(a->parameter);
            if ((a->parameter = ASN1_TYPE_new()) == NULL)
                goto err;
            a->parameter->type = V_ASN1_NULL;
        }
        ASN1_OBJECT_free(a->algorithm);
        a->algorithm = OBJ_nid2obj(type->pkey_type);
        if (a->algorithm == NULL) {
            ASN1err(ASN1_F_ASN1_SIGN, ASN1_R_UNKNOWN_OBJECT_TYPE);
            goto err;
        }
        if (a->algorithm->length == 0) {
            ASN1err(ASN1_F_ASN1_SIGN,
                    ASN1_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD);
            goto err;
        }
    }
    inl = i2d(data, NULL);
    if (inl <= 0) {
        ASN1err(ASN1_F_ASN1_SIGN, ERR_R_INTERNAL_ERROR);
        goto err;
    }
    inll = (size_t)inl;
    buf_in = OPENSSL_malloc(inll);
    outll = outl = EVP_PKEY_size(pkey);
    buf_out = OPENSSL_malloc(outll);
    if (buf_in == NULL || buf_out == NULL) {
        outl = 0;
        ASN1err(ASN1_F_ASN1_SIGN, ERR_R_MALLOC_FAILURE);
        goto err;
    }
    p = buf_in;

    i2d(data, &p);
    if (!EVP_SignInit_ex(ctx, type, NULL)
        || !EVP_SignUpdate(ctx, (unsigned char *)buf_in, inl)
        || !EVP_SignFinal(ctx, (unsigned char *)buf_out,
                          (unsigned int *)&outl, pkey)) {
        outl = 0;
        ASN1err(ASN1_F_ASN1_SIGN, ERR_R_EVP_LIB);
        goto err;
    }
    OPENSSL_free(signature->data);
    signature->data = buf_out;
    buf_out = NULL;
    signature->length = outl;
    /*
     * In the interests of compatibility, I'll make sure that the bit string
     * has a 'not-used bits' value of 0
     */
    signature->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07);
    signature->flags |= ASN1_STRING_FLAG_BITS_LEFT;
 err:
    EVP_MD_CTX_free(ctx);
    OPENSSL_clear_free((char *)buf_in, inll);
    OPENSSL_clear_free((char *)buf_out, outll);
    return outl;
}

#endif

int ASN1_item_sign(const ASN1_ITEM *it, X509_ALGOR *algor1, X509_ALGOR *algor2,
                   ASN1_BIT_STRING *signature, const void *data,
                   EVP_PKEY *pkey, const EVP_MD *md)
{
    return ASN1_item_sign_ex(it, algor1, algor2, signature, data, NULL, pkey,
                             md, NULL, NULL);
}

int ASN1_item_sign_ex(const ASN1_ITEM *it, X509_ALGOR *algor1,
                      X509_ALGOR *algor2, ASN1_BIT_STRING *signature,
                      const void *data, const ASN1_OCTET_STRING *id,
                      EVP_PKEY *pkey, const EVP_MD *md, OSSL_LIB_CTX *libctx,
                      const char *propq)
{
    int rv = 0;
    EVP_MD_CTX *ctx = evp_md_ctx_new_ex(pkey, id, libctx, propq);

    if (ctx == NULL) {
        ASN1err(0, ERR_R_MALLOC_FAILURE);
        return 0;
    }
    if (!EVP_DigestSignInit(ctx, NULL, md, NULL, pkey))
        goto err;

    rv = ASN1_item_sign_ctx(it, algor1, algor2, signature, data, ctx);

 err:
    EVP_PKEY_CTX_free(EVP_MD_CTX_pkey_ctx(ctx));
    EVP_MD_CTX_free(ctx);
    return rv;
}

int ASN1_item_sign_ctx(const ASN1_ITEM *it, X509_ALGOR *algor1,
                       X509_ALGOR *algor2, ASN1_BIT_STRING *signature,
                       const void *data, EVP_MD_CTX *ctx)
{
    const EVP_MD *md;
    EVP_PKEY *pkey;
    unsigned char *buf_in = NULL, *buf_out = NULL;
    size_t inl = 0, outl = 0, outll = 0;
    int signid, paramtype, buf_len = 0;
    int rv, pkey_id;

    md = EVP_MD_CTX_md(ctx);
    pkey = EVP_PKEY_CTX_get0_pkey(EVP_MD_CTX_pkey_ctx(ctx));

    if (pkey == NULL) {
        ASN1err(ASN1_F_ASN1_ITEM_SIGN_CTX, ASN1_R_CONTEXT_NOT_INITIALISED);
        goto err;
    }

    if (pkey->ameth == NULL) {
        EVP_PKEY_CTX *pctx = EVP_MD_CTX_pkey_ctx(ctx);
        OSSL_PARAM params[2];
        unsigned char aid[128];
        size_t aid_len = 0;

        if (pctx == NULL
            || !EVP_PKEY_CTX_IS_SIGNATURE_OP(pctx)) {
            ASN1err(ASN1_F_ASN1_ITEM_SIGN_CTX, ASN1_R_CONTEXT_NOT_INITIALISED);
            goto err;
        }

        params[0] =
            OSSL_PARAM_construct_octet_string(OSSL_SIGNATURE_PARAM_ALGORITHM_ID,
                                              aid, sizeof(aid));
        params[1] = OSSL_PARAM_construct_end();

        if (EVP_PKEY_CTX_get_params(pctx, params) <= 0)
            goto err;

        if ((aid_len = params[0].return_size) == 0) {
            ASN1err(ASN1_F_ASN1_ITEM_SIGN_CTX,
                    ASN1_R_DIGEST_AND_KEY_TYPE_NOT_SUPPORTED);
            goto err;
        }

        if (algor1 != NULL) {
            const unsigned char *pp = aid;

            if (d2i_X509_ALGOR(&algor1, &pp, aid_len) == NULL) {
                ASN1err(ASN1_F_ASN1_ITEM_SIGN_CTX, ERR_R_INTERNAL_ERROR);
                goto err;
            }
        }

        if (algor2 != NULL) {
            const unsigned char *pp = aid;

            if (d2i_X509_ALGOR(&algor2, &pp, aid_len) == NULL) {
                ASN1err(ASN1_F_ASN1_ITEM_SIGN_CTX, ERR_R_INTERNAL_ERROR);
                goto err;
            }
        }

        rv = 3;
    } else if (pkey->ameth->item_sign) {
        rv = pkey->ameth->item_sign(ctx, it, data, algor1, algor2, signature);
        if (rv == 1)
            outl = signature->length;
        /*-
         * Return value meanings:
         * <=0: error.
         *   1: method does everything.
         *   2: carry on as normal.
         *   3: ASN1 method sets algorithm identifiers: just sign.
         */
        if (rv <= 0)
            ASN1err(ASN1_F_ASN1_ITEM_SIGN_CTX, ERR_R_EVP_LIB);
        if (rv <= 1)
            goto err;
    } else {
        rv = 2;
    }

    if (rv == 2) {
        if (md == NULL) {
            ASN1err(ASN1_F_ASN1_ITEM_SIGN_CTX, ASN1_R_CONTEXT_NOT_INITIALISED);
            goto err;
        }

        pkey_id =
#ifndef OPENSSL_NO_SM2
            EVP_PKEY_id(pkey) == NID_sm2 ? NID_sm2 :
#endif
            pkey->ameth->pkey_id;

        if (!OBJ_find_sigid_by_algs(&signid, EVP_MD_nid(md), pkey_id)) {
            ASN1err(ASN1_F_ASN1_ITEM_SIGN_CTX,
                    ASN1_R_DIGEST_AND_KEY_TYPE_NOT_SUPPORTED);
            goto err;
        }

        if (pkey->ameth->pkey_flags & ASN1_PKEY_SIGPARAM_NULL)
            paramtype = V_ASN1_NULL;
        else
            paramtype = V_ASN1_UNDEF;

        if (algor1)
            X509_ALGOR_set0(algor1, OBJ_nid2obj(signid), paramtype, NULL);
        if (algor2)
            X509_ALGOR_set0(algor2, OBJ_nid2obj(signid), paramtype, NULL);

    }

    buf_len = ASN1_item_i2d(data, &buf_in, it);
    if (buf_len <= 0) {
        outl = 0;
        ASN1err(ASN1_F_ASN1_ITEM_SIGN_CTX, ERR_R_INTERNAL_ERROR);
        goto err;
    }
    inl = buf_len;
    if (!EVP_DigestSign(ctx, NULL, &outll, buf_in, inl)) {
        outl = 0;
        ASN1err(ASN1_F_ASN1_ITEM_SIGN_CTX, ERR_R_EVP_LIB);
        goto err;
    }
    outl = outll;
    buf_out = OPENSSL_malloc(outll);
    if (buf_in == NULL || buf_out == NULL) {
        outl = 0;
        ASN1err(ASN1_F_ASN1_ITEM_SIGN_CTX, ERR_R_MALLOC_FAILURE);
        goto err;
    }

    if (!EVP_DigestSign(ctx, buf_out, &outl, buf_in, inl)) {
        outl = 0;
        ASN1err(ASN1_F_ASN1_ITEM_SIGN_CTX, ERR_R_EVP_LIB);
        goto err;
    }
    OPENSSL_free(signature->data);
    signature->data = buf_out;
    buf_out = NULL;
    signature->length = outl;
    /*
     * In the interests of compatibility, I'll make sure that the bit string
     * has a 'not-used bits' value of 0
     */
    signature->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07);
    signature->flags |= ASN1_STRING_FLAG_BITS_LEFT;
 err:
    OPENSSL_clear_free((char *)buf_in, inl);
    OPENSSL_clear_free((char *)buf_out, outll);
    return outl;
}
Commit	Line	Data
2039c421	1	/*
33388b44	2	* Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
8df61b50	3	*
365a2d99	4	* Licensed under the Apache License 2.0 (the "License"). You may not use
2039c421 RS	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
8df61b50	8	*/
d02b48c6 RE	9
	10	#include <stdio.h>
	11	#include <time.h>
b379fe6c	12	#include <sys/types.h>
d02b48c6	13
b39fc560	14	#include "internal/cryptlib.h"
17f389bb	15
ec577822 BM	16	#include <openssl/bn.h>
	17	#include <openssl/evp.h>
	18	#include <openssl/x509.h>
	19	#include <openssl/objects.h>
	20	#include <openssl/buffer.h>
d5aef594	21	#include <openssl/core_names.h>
25f2138b DMSP	22	#include "crypto/asn1.h"
25f2138b DMSP	23	#include "crypto/evp.h"
d02b48c6	24
12d99aac	25	#ifndef OPENSSL_NO_DEPRECATED_3_0
73e92de5	26
8bb826ee	27	int ASN1_sign(i2d_of_void i2d, X509_ALGOR algor1, X509_ALGOR *algor2,
0f113f3e MC	28	ASN1_BIT_STRING signature, char data, EVP_PKEY *pkey,
	29	const EVP_MD *type)
	30	{
bfb0641f	31	EVP_MD_CTX *ctx = EVP_MD_CTX_new();
0f113f3e	32	unsigned char p, buf_in = NULL, *buf_out = NULL;
da84249b F	33	int i, inl = 0, outl = 0;
da84249b F	34	size_t inll = 0, outll = 0;
0f113f3e	35	X509_ALGOR *a;
d02b48c6	36
6e59a892 RL	37	if (ctx == NULL) {
	38	ASN1err(ASN1_F_ASN1_SIGN, ERR_R_MALLOC_FAILURE);
	39	goto err;
	40	}
0f113f3e MC	41	for (i = 0; i < 2; i++) {
	42	if (i == 0)
	43	a = algor1;
	44	else
	45	a = algor2;
	46	if (a == NULL)
	47	continue;
	48	if (type->pkey_type == NID_dsaWithSHA1) {
	49	/*
	50	* special case: RFC 2459 tells us to omit 'parameters' with
	51	* id-dsa-with-sha1
	52	*/
	53	ASN1_TYPE_free(a->parameter);
	54	a->parameter = NULL;
	55	} else if ((a->parameter == NULL) \|\|
	56	(a->parameter->type != V_ASN1_NULL)) {
	57	ASN1_TYPE_free(a->parameter);
	58	if ((a->parameter = ASN1_TYPE_new()) == NULL)
	59	goto err;
	60	a->parameter->type = V_ASN1_NULL;
	61	}
	62	ASN1_OBJECT_free(a->algorithm);
	63	a->algorithm = OBJ_nid2obj(type->pkey_type);
	64	if (a->algorithm == NULL) {
	65	ASN1err(ASN1_F_ASN1_SIGN, ASN1_R_UNKNOWN_OBJECT_TYPE);
	66	goto err;
	67	}
	68	if (a->algorithm->length == 0) {
	69	ASN1err(ASN1_F_ASN1_SIGN,
	70	ASN1_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD);
	71	goto err;
	72	}
	73	}
	74	inl = i2d(data, NULL);
da84249b F	75	if (inl <= 0) {
	76	ASN1err(ASN1_F_ASN1_SIGN, ERR_R_INTERNAL_ERROR);
	77	goto err;
	78	}
	79	inll = (size_t)inl;
	80	buf_in = OPENSSL_malloc(inll);
0f113f3e	81	outll = outl = EVP_PKEY_size(pkey);
da84249b F	82	buf_out = OPENSSL_malloc(outll);
da84249b F	83	if (buf_in == NULL \|\| buf_out == NULL) {
0f113f3e MC	84	outl = 0;
	85	ASN1err(ASN1_F_ASN1_SIGN, ERR_R_MALLOC_FAILURE);
	86	goto err;
	87	}
	88	p = buf_in;
d02b48c6	89
0f113f3e	90	i2d(data, &p);
6e59a892 RL	91	if (!EVP_SignInit_ex(ctx, type, NULL)
	92	\|\| !EVP_SignUpdate(ctx, (unsigned char *)buf_in, inl)
	93	\|\| !EVP_SignFinal(ctx, (unsigned char *)buf_out,
0f113f3e MC	94	(unsigned int *)&outl, pkey)) {
	95	outl = 0;
	96	ASN1err(ASN1_F_ASN1_SIGN, ERR_R_EVP_LIB);
	97	goto err;
	98	}
b548a1f1	99	OPENSSL_free(signature->data);
0f113f3e MC	100	signature->data = buf_out;
	101	buf_out = NULL;
	102	signature->length = outl;
	103	/*
	104	* In the interests of compatibility, I'll make sure that the bit string
	105	* has a 'not-used bits' value of 0
	106	*/
	107	signature->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT \| 0x07);
	108	signature->flags \|= ASN1_STRING_FLAG_BITS_LEFT;
	109	err:
bfb0641f	110	EVP_MD_CTX_free(ctx);
da84249b	111	OPENSSL_clear_free((char *)buf_in, inll);
4b45c6e5	112	OPENSSL_clear_free((char *)buf_out, outll);
26a7d938	113	return outl;
0f113f3e	114	}
09ab755c	115
73e92de5 DSH	116	#endif
73e92de5 DSH	117
ded346fa DDO	118	int ASN1_item_sign(const ASN1_ITEM it, X509_ALGOR algor1, X509_ALGOR *algor2,
	119	ASN1_BIT_STRING signature, const void data,
	120	EVP_PKEY pkey, const EVP_MD md)
0f113f3e	121	{
d8652be0 MC	122	return ASN1_item_sign_ex(it, algor1, algor2, signature, data, NULL, pkey,
d8652be0 MC	123	md, NULL, NULL);
ded346fa DDO	124	}
ded346fa DDO	125
d8652be0 MC	126	int ASN1_item_sign_ex(const ASN1_ITEM it, X509_ALGOR algor1,
	127	X509_ALGOR algor2, ASN1_BIT_STRING signature,
	128	const void data, const ASN1_OCTET_STRING id,
b4250010	129	EVP_PKEY pkey, const EVP_MD md, OSSL_LIB_CTX *libctx,
d8652be0	130	const char *propq)
ded346fa DDO	131	{
ded346fa DDO	132	int rv = 0;
d8652be0	133	EVP_MD_CTX *ctx = evp_md_ctx_new_ex(pkey, id, libctx, propq);
6e59a892 RL	134
6e59a892 RL	135	if (ctx == NULL) {
ded346fa	136	ASN1err(0, ERR_R_MALLOC_FAILURE);
0f113f3e MC	137	return 0;
0f113f3e MC	138	}
ded346fa DDO	139	if (!EVP_DigestSignInit(ctx, NULL, md, NULL, pkey))
ded346fa DDO	140	goto err;
c6aca19b	141
ded346fa	142	rv = ASN1_item_sign_ctx(it, algor1, algor2, signature, data, ctx);
c6aca19b	143
ded346fa DDO	144	err:
ded346fa DDO	145	EVP_PKEY_CTX_free(EVP_MD_CTX_pkey_ctx(ctx));
c6aca19b SF	146	EVP_MD_CTX_free(ctx);
c6aca19b SF	147	return rv;
0f113f3e	148	}
85522a07	149
ded346fa DDO	150	int ASN1_item_sign_ctx(const ASN1_ITEM it, X509_ALGOR algor1,
	151	X509_ALGOR algor2, ASN1_BIT_STRING signature,
	152	const void data, EVP_MD_CTX ctx)
0f113f3e	153	{
ded346fa	154	const EVP_MD *md;
0f113f3e MC	155	EVP_PKEY *pkey;
	156	unsigned char buf_in = NULL, buf_out = NULL;
	157	size_t inl = 0, outl = 0, outll = 0;
da84249b	158	int signid, paramtype, buf_len = 0;
bc42bd62	159	int rv, pkey_id;
85522a07	160
ded346fa	161	md = EVP_MD_CTX_md(ctx);
6e59a892	162	pkey = EVP_PKEY_CTX_get0_pkey(EVP_MD_CTX_pkey_ctx(ctx));
09ab755c	163
7dd6de9f	164	if (pkey == NULL) {
0f113f3e	165	ASN1err(ASN1_F_ASN1_ITEM_SIGN_CTX, ASN1_R_CONTEXT_NOT_INITIALISED);
2c91b3f5 MRA	166	goto err;
	167	}
	168
219f3ca6	169	if (pkey->ameth == NULL) {
d5aef594 RL	170	EVP_PKEY_CTX *pctx = EVP_MD_CTX_pkey_ctx(ctx);
	171	OSSL_PARAM params[2];
	172	unsigned char aid[128];
	173	size_t aid_len = 0;
	174
	175	if (pctx == NULL
	176	\|\| !EVP_PKEY_CTX_IS_SIGNATURE_OP(pctx)) {
	177	ASN1err(ASN1_F_ASN1_ITEM_SIGN_CTX, ASN1_R_CONTEXT_NOT_INITIALISED);
	178	goto err;
	179	}
	180
	181	params[0] =
	182	OSSL_PARAM_construct_octet_string(OSSL_SIGNATURE_PARAM_ALGORITHM_ID,
	183	aid, sizeof(aid));
	184	params[1] = OSSL_PARAM_construct_end();
	185
	186	if (EVP_PKEY_CTX_get_params(pctx, params) <= 0)
	187	goto err;
	188
	189	if ((aid_len = params[0].return_size) == 0) {
	190	ASN1err(ASN1_F_ASN1_ITEM_SIGN_CTX,
	191	ASN1_R_DIGEST_AND_KEY_TYPE_NOT_SUPPORTED);
	192	goto err;
	193	}
	194
	195	if (algor1 != NULL) {
	196	const unsigned char *pp = aid;
	197
	198	if (d2i_X509_ALGOR(&algor1, &pp, aid_len) == NULL) {
	199	ASN1err(ASN1_F_ASN1_ITEM_SIGN_CTX, ERR_R_INTERNAL_ERROR);
	200	goto err;
	201	}
	202	}
	203
	204	if (algor2 != NULL) {
	205	const unsigned char *pp = aid;
	206
	207	if (d2i_X509_ALGOR(&algor2, &pp, aid_len) == NULL) {
	208	ASN1err(ASN1_F_ASN1_ITEM_SIGN_CTX, ERR_R_INTERNAL_ERROR);
	209	goto err;
	210	}
	211	}
03919683	212
d5aef594 RL	213	rv = 3;
d5aef594 RL	214	} else if (pkey->ameth->item_sign) {
ded346fa	215	rv = pkey->ameth->item_sign(ctx, it, data, algor1, algor2, signature);
0f113f3e MC	216	if (rv == 1)
0f113f3e MC	217	outl = signature->length;
50e735f9 MC	218	/*-
	219	* Return value meanings:
	220	* <=0: error.
	221	* 1: method does everything.
	222	* 2: carry on as normal.
	223	* 3: ASN1 method sets algorithm identifiers: just sign.
	224	*/
0f113f3e MC	225	if (rv <= 0)
	226	ASN1err(ASN1_F_ASN1_ITEM_SIGN_CTX, ERR_R_EVP_LIB);
	227	if (rv <= 1)
	228	goto err;
7dd6de9f	229	} else {
0f113f3e	230	rv = 2;
7dd6de9f	231	}
03919683	232
0f113f3e	233	if (rv == 2) {
ded346fa	234	if (md == NULL) {
7dd6de9f DSH	235	ASN1err(ASN1_F_ASN1_ITEM_SIGN_CTX, ASN1_R_CONTEXT_NOT_INITIALISED);
	236	goto err;
	237	}
bc42bd62 PY	238
	239	pkey_id =
	240	#ifndef OPENSSL_NO_SM2
	241	EVP_PKEY_id(pkey) == NID_sm2 ? NID_sm2 :
	242	#endif
d5aef594	243	pkey->ameth->pkey_id;
bc42bd62	244
ded346fa	245	if (!OBJ_find_sigid_by_algs(&signid, EVP_MD_nid(md), pkey_id)) {
7f572e95 DSH	246	ASN1err(ASN1_F_ASN1_ITEM_SIGN_CTX,
7f572e95 DSH	247	ASN1_R_DIGEST_AND_KEY_TYPE_NOT_SUPPORTED);
2c91b3f5	248	goto err;
7f572e95	249	}
ee1d9ec0	250
0f113f3e MC	251	if (pkey->ameth->pkey_flags & ASN1_PKEY_SIGPARAM_NULL)
	252	paramtype = V_ASN1_NULL;
	253	else
	254	paramtype = V_ASN1_UNDEF;
ee1d9ec0	255
0f113f3e MC	256	if (algor1)
	257	X509_ALGOR_set0(algor1, OBJ_nid2obj(signid), paramtype, NULL);
	258	if (algor2)
	259	X509_ALGOR_set0(algor2, OBJ_nid2obj(signid), paramtype, NULL);
85522a07	260
0f113f3e	261	}
ee1d9ec0	262
ded346fa	263	buf_len = ASN1_item_i2d(data, &buf_in, it);
da84249b F	264	if (buf_len <= 0) {
	265	outl = 0;
	266	ASN1err(ASN1_F_ASN1_ITEM_SIGN_CTX, ERR_R_INTERNAL_ERROR);
	267	goto err;
	268	}
	269	inl = buf_len;
9767a3dc RL	270	if (!EVP_DigestSign(ctx, NULL, &outll, buf_in, inl)) {
	271	outl = 0;
	272	ASN1err(ASN1_F_ASN1_ITEM_SIGN_CTX, ERR_R_EVP_LIB);
	273	goto err;
	274	}
	275	outl = outll;
da84249b F	276	buf_out = OPENSSL_malloc(outll);
da84249b F	277	if (buf_in == NULL \|\| buf_out == NULL) {
0f113f3e MC	278	outl = 0;
	279	ASN1err(ASN1_F_ASN1_ITEM_SIGN_CTX, ERR_R_MALLOC_FAILURE);
	280	goto err;
	281	}
09ab755c	282
75394189	283	if (!EVP_DigestSign(ctx, buf_out, &outl, buf_in, inl)) {
0f113f3e MC	284	outl = 0;
	285	ASN1err(ASN1_F_ASN1_ITEM_SIGN_CTX, ERR_R_EVP_LIB);
	286	goto err;
	287	}
b548a1f1	288	OPENSSL_free(signature->data);
0f113f3e MC	289	signature->data = buf_out;
	290	buf_out = NULL;
	291	signature->length = outl;
	292	/*
	293	* In the interests of compatibility, I'll make sure that the bit string
	294	* has a 'not-used bits' value of 0
	295	*/
	296	signature->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT \| 0x07);
	297	signature->flags \|= ASN1_STRING_FLAG_BITS_LEFT;
	298	err:
da84249b	299	OPENSSL_clear_free((char *)buf_in, inl);
4b45c6e5	300	OPENSSL_clear_free((char *)buf_out, outll);
26a7d938	301	return outl;
0f113f3e	302	}