Commit | Line | Data |
---|---|---|
0f113f3e MC |
1 | /* |
2 | * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL | |
f4cc56f4 DSH |
3 | * project. |
4 | */ | |
5 | /* ==================================================================== | |
6 | * Copyright (c) 2008 The OpenSSL Project. All rights reserved. | |
7 | * | |
8 | * Redistribution and use in source and binary forms, with or without | |
9 | * modification, are permitted provided that the following conditions | |
10 | * are met: | |
11 | * | |
12 | * 1. Redistributions of source code must retain the above copyright | |
0f113f3e | 13 | * notice, this list of conditions and the following disclaimer. |
f4cc56f4 DSH |
14 | * |
15 | * 2. Redistributions in binary form must reproduce the above copyright | |
16 | * notice, this list of conditions and the following disclaimer in | |
17 | * the documentation and/or other materials provided with the | |
18 | * distribution. | |
19 | * | |
20 | * 3. All advertising materials mentioning features or use of this | |
21 | * software must display the following acknowledgment: | |
22 | * "This product includes software developed by the OpenSSL Project | |
23 | * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" | |
24 | * | |
25 | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to | |
26 | * endorse or promote products derived from this software without | |
27 | * prior written permission. For written permission, please contact | |
28 | * licensing@OpenSSL.org. | |
29 | * | |
30 | * 5. Products derived from this software may not be called "OpenSSL" | |
31 | * nor may "OpenSSL" appear in their names without prior written | |
32 | * permission of the OpenSSL Project. | |
33 | * | |
34 | * 6. Redistributions of any form whatsoever must retain the following | |
35 | * acknowledgment: | |
36 | * "This product includes software developed by the OpenSSL Project | |
37 | * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" | |
38 | * | |
39 | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY | |
40 | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
41 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | |
42 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR | |
43 | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | |
44 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | |
45 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | |
46 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
47 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | |
48 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | |
49 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED | |
50 | * OF THE POSSIBILITY OF SUCH DAMAGE. | |
51 | * ==================================================================== | |
52 | */ | |
53 | ||
b39fc560 | 54 | #include "internal/cryptlib.h" |
f4cc56f4 DSH |
55 | #include <openssl/asn1t.h> |
56 | #include <openssl/pem.h> | |
57 | #include <openssl/rand.h> | |
58 | #include <openssl/x509v3.h> | |
59 | #include <openssl/err.h> | |
60 | #include <openssl/cms.h> | |
61 | #include "cms_lcl.h" | |
f4cc56f4 | 62 | |
f4cc56f4 DSH |
63 | IMPLEMENT_ASN1_FUNCTIONS(CMS_ReceiptRequest) |
64 | ||
65 | /* ESS services: for now just Signed Receipt related */ | |
66 | ||
/*
 * Fetch and decode the receiptRequest signed attribute of a SignerInfo.
 *
 * Returns 1 when a request was found and decoded, 0 when the attribute lookup
 * yields nothing, and -1 when the attribute is present but does not decode as
 * a CMS_ReceiptRequest. Callers that only test for "<= 0" treat both failure
 * modes alike.
 *
 * On success with prr != NULL the decoded structure is handed to the caller,
 * who must release it with CMS_ReceiptRequest_free(); with prr == NULL the
 * decoded copy is freed here and the call acts as a presence/validity probe.
 * *prr is cleared up front so it never holds a stale pointer on the 0 and -1
 * paths.
 */
int CMS_get1_ReceiptRequest(CMS_SignerInfo *si, CMS_ReceiptRequest **prr)
{
    CMS_ReceiptRequest *decoded;
    ASN1_STRING *encoded;

    if (prr != NULL)
        *prr = NULL;

    /*
     * NOTE(review): lastpos -3 is presumably the strictest lookup mode
     * (attribute must be unique and single-valued) - confirm against the
     * attribute lookup helper before relaxing it.
     */
    encoded = CMS_signed_get0_data_by_OBJ(si,
                                          OBJ_nid2obj
                                          (NID_id_smime_aa_receiptRequest),
                                          -3, V_ASN1_SEQUENCE);
    if (encoded == NULL)
        return 0;

    decoded = ASN1_item_unpack(encoded, ASN1_ITEM_rptr(CMS_ReceiptRequest));
    if (decoded == NULL)
        return -1;

    if (prr == NULL) {
        /* Nobody wants the result: do not leak the decoded copy. */
        CMS_ReceiptRequest_free(decoded);
        return 1;
    }

    *prr = decoded;
    return 1;
}
f4cc56f4 | 89 | |
/*
 * Build a CMS_ReceiptRequest from caller-supplied parts.
 *
 * id/idlen     signedContentIdentifier bytes, installed with
 *              ASN1_STRING_set0(): the buffer itself is attached, not copied
 *              (presumably it is then released together with the request -
 *              confirm against ASN1_STRING_set0). When id is NULL a 32-byte
 *              identifier is generated with RAND_bytes() instead.
 * allorfirst   stored as allOrFirstTier; used only when receiptList is NULL.
 * receiptList  when non-NULL, stored by pointer as the receiptsFrom list.
 * receiptsTo   stored by pointer, replacing the stack the fresh object held.
 *
 * Returns the new request, or NULL on failure. Every failure exit is taken
 * before id, receiptList or receiptsTo is attached, so on NULL the caller
 * still owns all three.
 */
CMS_ReceiptRequest *CMS_ReceiptRequest_create0(unsigned char *id, int idlen,
                                               int allorfirst,
                                               STACK_OF(GENERAL_NAMES)
                                               *receiptList,
                                               STACK_OF(GENERAL_NAMES)
                                               *receiptsTo)
{
    /* Length in bytes of a generated signedContentIdentifier. */
    enum { generated_id_len = 32 };
    CMS_ReceiptRequest *req = CMS_ReceiptRequest_new();

    if (req == NULL)
        goto merr;

    if (id == NULL) {
        /* Reserve the buffer first, then fill it with random bytes. */
        if (!ASN1_STRING_set(req->signedContentIdentifier, NULL,
                             generated_id_len))
            goto merr;
        /*
         * A failing RNG aborts construction; no weaker identifier is
         * substituted. This exit pushes no CMS error of its own.
         */
        if (RAND_bytes(req->signedContentIdentifier->data,
                       generated_id_len) <= 0)
            goto err;
    } else {
        ASN1_STRING_set0(req->signedContentIdentifier, id, idlen);
    }

    /* Drop the stack created by _new() before adopting the caller's. */
    sk_GENERAL_NAMES_pop_free(req->receiptsTo, GENERAL_NAMES_free);
    req->receiptsTo = receiptsTo;

    /* receiptsFrom is a choice: type 1 = explicit list, type 0 = tier flag. */
    if (receiptList == NULL) {
        req->receiptsFrom->type = 0;
        req->receiptsFrom->d.allOrFirstTier = allorfirst;
    } else {
        req->receiptsFrom->type = 1;
        req->receiptsFrom->d.receiptList = receiptList;
    }

    return req;

 merr:
    CMSerr(CMS_F_CMS_RECEIPTREQUEST_CREATE0, ERR_R_MALLOC_FAILURE);

 err:
    CMS_ReceiptRequest_free(req);
    return NULL;
}
f5e2354c DSH |
131 | |
/*
 * DER-encode rr and add it to si as a receiptRequest signed attribute.
 *
 * Returns 1 on success and 0 on failure. Both an encoding failure and a
 * failure to add the attribute are reported as ERR_R_MALLOC_FAILURE. The
 * temporary DER buffer is always freed here; rr itself is neither stored nor
 * freed by this function.
 */
int CMS_add1_ReceiptRequest(CMS_SignerInfo *si, CMS_ReceiptRequest *rr)
{
    unsigned char *der = NULL;
    int ok = 0;
    int derlen = i2d_CMS_ReceiptRequest(rr, &der);

    if (derlen >= 0
        && CMS_signed_add1_attr_by_NID(si, NID_id_smime_aa_receiptRequest,
                                       V_ASN1_SEQUENCE, der, derlen))
        ok = 1;
    else
        CMSerr(CMS_F_CMS_ADD1_RECEIPTREQUEST, ERR_R_MALLOC_FAILURE);

    /* Freed on both paths, so the encoding never outlives this call. */
    OPENSSL_free(der);

    return ok;
}
f4cc56f4 DSH |
156 | |
/*
 * Read out the fields of a receipt request. Every output pointer is optional;
 * a NULL output is skipped.
 *
 * The values returned through pcid, plist and prto are the request's own
 * internal pointers, not copies, so they must not be freed by the caller and
 * are only usable while rr is alive.
 *
 * receiptsFrom is a choice: with type 0 *pallorfirst receives the
 * allOrFirstTier value and *plist is NULL; otherwise *pallorfirst is -1 and
 * *plist is the receipt list. rr itself is dereferenced unconditionally and
 * must not be NULL.
 */
void CMS_ReceiptRequest_get0_values(CMS_ReceiptRequest *rr,
                                    ASN1_STRING **pcid,
                                    int *pallorfirst,
                                    STACK_OF(GENERAL_NAMES) **plist,
                                    STACK_OF(GENERAL_NAMES) **prto)
{
    int by_list;

    if (pcid != NULL)
        *pcid = rr->signedContentIdentifier;

    by_list = rr->receiptsFrom->type != 0;

    if (pallorfirst != NULL)
        *pallorfirst = by_list ? -1 : (int)rr->receiptsFrom->d.allOrFirstTier;
    if (plist != NULL)
        *plist = by_list ? rr->receiptsFrom->d.receiptList : NULL;

    if (prto != NULL)
        *prto = rr->receiptsTo;
}
f4cc56f4 | 179 | |
36309aa2 DSH |
/*
 * Digest a SignerInfo structure for msgSigDigest attribute processing.
 *
 * The digest algorithm is the one named in si->digestAlgorithm and the input
 * is si->signedAttrs encoded with the CMS_Attributes_Verify template. The
 * result is written to dig and its length to *diglen; both callers in this
 * file pass an EVP_MAX_MD_SIZE buffer.
 *
 * Returns 1 on success, 0 if the algorithm is unknown or digesting fails.
 * No error is pushed here; the callers add their own.
 */
static int cms_msgSigDigest(CMS_SignerInfo *si,
                            unsigned char *dig, unsigned int *diglen)
{
    const EVP_MD *md = EVP_get_digestbyobj(si->digestAlgorithm->algorithm);

    if (md == NULL)
        return 0;

    return ASN1_item_digest(ASN1_ITEM_rptr(CMS_Attributes_Verify), md,
                            si->signedAttrs, dig, diglen) ? 1 : 0;
}
eb9d8d8c | 194 | |
36309aa2 DSH |
/*
 * Add a msgSigDigest attribute to a SignerInfo.
 *
 * The digest is computed over src (see cms_msgSigDigest()) and attached to
 * dest as an OCTET STRING signed attribute. Returns 1 on success; on failure
 * returns 0 after pushing CMS_R_MSGSIGDIGEST_ERROR (digest step) or
 * ERR_R_MALLOC_FAILURE (attribute step).
 */
int cms_msgSigDigest_add1(CMS_SignerInfo *dest, CMS_SignerInfo *src)
{
    unsigned int mdlen;
    unsigned char md[EVP_MAX_MD_SIZE];
    int added;

    if (cms_msgSigDigest(src, md, &mdlen) == 0) {
        CMSerr(CMS_F_CMS_MSGSIGDIGEST_ADD1, CMS_R_MSGSIGDIGEST_ERROR);
        return 0;
    }

    /* mdlen is only meaningful once the digest call above has succeeded. */
    added = CMS_signed_add1_attr_by_NID(dest, NID_id_smime_aa_msgSigDigest,
                                        V_ASN1_OCTET_STRING, md, mdlen);
    if (!added) {
        CMSerr(CMS_F_CMS_MSGSIGDIGEST_ADD1, ERR_R_MALLOC_FAILURE);
        return 0;
    }

    return 1;
}
36309aa2 | 212 | |
eb9d8d8c DSH |
/*
 * Verify signed receipt after it has already passed normal CMS verify.
 *
 * Nothing in this function checks a signature: it only binds the receipt
 * (cms) to the original message (req_cms). The caller is responsible for
 * having verified the receipt's signature beforehand.
 *
 * The checks, in order:
 *   - both structures yield SignerInfos and the receipt has exactly one;
 *   - the receipt's eContentType is id-smime-ct-receipt and it has content
 *     that decodes as a CMS_Receipt;
 *   - one SignerInfo of the original carries the signature value quoted in
 *     the receipt;
 *   - the receipt signer's msgSigDigest attribute equals the digest of that
 *     original SignerInfo's signed attributes;
 *   - the original's contentType attribute matches the receipt;
 *   - the original's receipt request carries the same
 *     signedContentIdentifier as the receipt.
 *
 * Returns 1 if every check passes, 0 otherwise (with a CMS error pushed for
 * each failure except the initial SignerInfos lookup).
 */
int cms_Receipt_verify(CMS_ContentInfo *cms, CMS_ContentInfo *req_cms)
{
    STACK_OF(CMS_SignerInfo) *rct_signers, *req_signers;
    CMS_SignerInfo *rct_si, *req_si = NULL;
    CMS_ReceiptRequest *rr = NULL;
    CMS_Receipt *rct = NULL;
    ASN1_OCTET_STRING *msig, **pcont;
    ASN1_OBJECT *octype;
    unsigned char dig[EVP_MAX_MD_SIZE];
    unsigned int diglen;
    int ok = 0, idx;

    /* Get SignerInfos, also checks SignedData content type */
    req_signers = CMS_get0_SignerInfos(req_cms);
    rct_signers = CMS_get0_SignerInfos(cms);
    if (req_signers == NULL || rct_signers == NULL)
        goto err;

    /* A receipt with zero or several signers is rejected outright. */
    if (sk_CMS_SignerInfo_num(rct_signers) != 1) {
        CMSerr(CMS_F_CMS_RECEIPT_VERIFY, CMS_R_NEED_ONE_SIGNER);
        goto err;
    }

    /* Check receipt content type */
    if (OBJ_obj2nid(CMS_get0_eContentType(cms)) != NID_id_smime_ct_receipt) {
        CMSerr(CMS_F_CMS_RECEIPT_VERIFY, CMS_R_NOT_A_SIGNED_RECEIPT);
        goto err;
    }

    /* Extract and decode receipt content */
    pcont = CMS_get0_content(cms);
    if (pcont == NULL || *pcont == NULL) {
        CMSerr(CMS_F_CMS_RECEIPT_VERIFY, CMS_R_NO_CONTENT);
        goto err;
    }

    rct = ASN1_item_unpack(*pcont, ASN1_ITEM_rptr(CMS_Receipt));
    if (rct == NULL) {
        CMSerr(CMS_F_CMS_RECEIPT_VERIFY, CMS_R_RECEIPT_DECODE_ERROR);
        goto err;
    }

    /*
     * Locate original request: the first SignerInfo of the original message
     * whose signature value equals the one quoted in the receipt.
     */
    for (idx = 0; idx < sk_CMS_SignerInfo_num(req_signers); idx++) {
        CMS_SignerInfo *cand = sk_CMS_SignerInfo_value(req_signers, idx);

        if (ASN1_STRING_cmp(cand->signature,
                            rct->originatorSignatureValue) == 0) {
            req_si = cand;
            break;
        }
    }

    if (req_si == NULL) {
        CMSerr(CMS_F_CMS_RECEIPT_VERIFY, CMS_R_NO_MATCHING_SIGNATURE);
        goto err;
    }

    /* Exactly one signer was established above, so index 0 is that signer. */
    rct_si = sk_CMS_SignerInfo_value(rct_signers, 0);

    /*
     * Get msgSigDigest value and compare.
     * NOTE(review): lastpos -3 is presumably the strictest lookup mode
     * (attribute must be unique and single-valued) - confirm before relaxing.
     */
    msig = CMS_signed_get0_data_by_OBJ(rct_si,
                                       OBJ_nid2obj
                                       (NID_id_smime_aa_msgSigDigest), -3,
                                       V_ASN1_OCTET_STRING);
    if (msig == NULL) {
        CMSerr(CMS_F_CMS_RECEIPT_VERIFY, CMS_R_NO_MSGSIGDIGEST);
        goto err;
    }

    if (!cms_msgSigDigest(req_si, dig, &diglen)) {
        CMSerr(CMS_F_CMS_RECEIPT_VERIFY, CMS_R_MSGSIGDIGEST_ERROR);
        goto err;
    }

    /*
     * The length test must stay ahead of memcmp(): it is what guarantees the
     * comparison reads exactly msig->length bytes of the attribute data.
     */
    if ((unsigned int)msig->length != diglen) {
        CMSerr(CMS_F_CMS_RECEIPT_VERIFY, CMS_R_MSGSIGDIGEST_WRONG_LENGTH);
        goto err;
    }

    if (memcmp(dig, msig->data, diglen) != 0) {
        CMSerr(CMS_F_CMS_RECEIPT_VERIFY,
               CMS_R_MSGSIGDIGEST_VERIFICATION_FAILURE);
        goto err;
    }

    /* Compare content types */
    octype = CMS_signed_get0_data_by_OBJ(req_si,
                                         OBJ_nid2obj(NID_pkcs9_contentType),
                                         -3, V_ASN1_OBJECT);
    if (octype == NULL) {
        CMSerr(CMS_F_CMS_RECEIPT_VERIFY, CMS_R_NO_CONTENT_TYPE);
        goto err;
    }

    if (OBJ_cmp(octype, rct->contentType) != 0) {
        CMSerr(CMS_F_CMS_RECEIPT_VERIFY, CMS_R_CONTENT_TYPE_MISMATCH);
        goto err;
    }

    /* Get original receipt request details; missing and undecodable alike. */
    if (CMS_get1_ReceiptRequest(req_si, &rr) <= 0) {
        CMSerr(CMS_F_CMS_RECEIPT_VERIFY, CMS_R_NO_RECEIPT_REQUEST);
        goto err;
    }

    if (ASN1_STRING_cmp(rr->signedContentIdentifier,
                        rct->signedContentIdentifier) != 0) {
        CMSerr(CMS_F_CMS_RECEIPT_VERIFY, CMS_R_CONTENTIDENTIFIER_MISMATCH);
        goto err;
    }

    ok = 1;

 err:
    /* Reached on success too: rr and rct are owned here on every path. */
    CMS_ReceiptRequest_free(rr);
    M_ASN1_free_of(rct, CMS_Receipt);
    return ok;
}
339 | ||
/*
 * Encode a Receipt into an OCTET STRING ready for including into content of
 * a SignedData ContentInfo.
 *
 * si is the SignerInfo of the original message. The receipt quotes its
 * contentType attribute, the signedContentIdentifier of its receipt request
 * and its signature value.
 *
 * Returns the packed OCTET STRING, or NULL on failure. A missing receipt
 * request or contentType attribute pushes a CMS error; a packing failure is
 * returned as NULL without an additional error from this function.
 */
ASN1_OCTET_STRING *cms_encode_Receipt(CMS_SignerInfo *si)
{
    CMS_ReceiptRequest *req = NULL;
    ASN1_OCTET_STRING *packed = NULL;
    ASN1_OBJECT *orig_ctype;
    CMS_Receipt rct;

    /* Get original receipt request details */
    if (CMS_get1_ReceiptRequest(si, &req) <= 0) {
        CMSerr(CMS_F_CMS_ENCODE_RECEIPT, CMS_R_NO_RECEIPT_REQUEST);
        goto end;
    }

    /* Get original content type */
    orig_ctype = CMS_signed_get0_data_by_OBJ(si,
                                             OBJ_nid2obj
                                             (NID_pkcs9_contentType),
                                             -3, V_ASN1_OBJECT);
    if (orig_ctype == NULL) {
        CMSerr(CMS_F_CMS_ENCODE_RECEIPT, CMS_R_NO_CONTENT_TYPE);
        goto end;
    }

    /*
     * rct lives on the stack and only borrows pointers from si and req, so it
     * must be packed before req is released below and must never be freed as
     * a CMS_Receipt.
     */
    rct.version = 1;
    rct.contentType = orig_ctype;
    rct.signedContentIdentifier = req->signedContentIdentifier;
    rct.originatorSignatureValue = si->signature;

    packed = ASN1_item_pack(&rct, ASN1_ITEM_rptr(CMS_Receipt), NULL);

 end:
    CMS_ReceiptRequest_free(req);
    return packed;
}