]>
Commit | Line | Data |
---|---|---|
0f113f3e | 1 | /* |
4333b89f | 2 | * Copyright 2008-2021 The OpenSSL Project Authors. All Rights Reserved. |
f4cc56f4 | 3 | * |
08ddd302 | 4 | * Licensed under the Apache License 2.0 (the "License"). You may not use |
b1322259 RS |
5 | * this file except in compliance with the License. You can obtain a copy |
6 | * in the file LICENSE in the source distribution or at | |
7 | * https://www.openssl.org/source/license.html | |
f4cc56f4 DSH |
8 | */ |
9 | ||
b39fc560 | 10 | #include "internal/cryptlib.h" |
f4cc56f4 DSH |
11 | #include <openssl/asn1t.h> |
12 | #include <openssl/pem.h> | |
13 | #include <openssl/rand.h> | |
14 | #include <openssl/x509v3.h> | |
15 | #include <openssl/err.h> | |
16 | #include <openssl/cms.h> | |
e85d19c6 | 17 | #include <openssl/ess.h> |
25f2138b DMSP |
18 | #include "crypto/ess.h" |
19 | #include "crypto/cms.h" | |
c1669f41 SL |
20 | #include "crypto/x509.h" |
21 | #include "cms_local.h" | |
f4cc56f4 | 22 | |
f4cc56f4 DSH |
23 | IMPLEMENT_ASN1_FUNCTIONS(CMS_ReceiptRequest) |
24 | ||
e85d19c6 | 25 | /* ESS services */ |
f4cc56f4 DSH |
26 | |
27 | int CMS_get1_ReceiptRequest(CMS_SignerInfo *si, CMS_ReceiptRequest **prr) | |
0f113f3e MC |
28 | { |
29 | ASN1_STRING *str; | |
9e3c510b F |
30 | CMS_ReceiptRequest *rr; |
31 | ASN1_OBJECT *obj = OBJ_nid2obj(NID_id_smime_aa_receiptRequest); | |
32 | ||
33 | if (prr != NULL) | |
0f113f3e | 34 | *prr = NULL; |
9e3c510b F |
35 | str = CMS_signed_get0_data_by_OBJ(si, obj, -3, V_ASN1_SEQUENCE); |
36 | if (str == NULL) | |
0f113f3e MC |
37 | return 0; |
38 | ||
39 | rr = ASN1_item_unpack(str, ASN1_ITEM_rptr(CMS_ReceiptRequest)); | |
9e3c510b | 40 | if (rr == NULL) |
0f113f3e | 41 | return -1; |
9e3c510b | 42 | if (prr != NULL) |
0f113f3e MC |
43 | *prr = rr; |
44 | else | |
45 | CMS_ReceiptRequest_free(rr); | |
46 | return 1; | |
47 | } | |
f4cc56f4 | 48 | |
63b64f19 DDO |
49 | int ossl_cms_check_signing_certs(const CMS_SignerInfo *si, |
50 | const STACK_OF(X509) *chain) | |
9e3c510b F |
51 | { |
52 | ESS_SIGNING_CERT *ss = NULL; | |
53 | ESS_SIGNING_CERT_V2 *ssv2 = NULL; | |
63b64f19 DDO |
54 | int ret = ossl_cms_signerinfo_get_signing_cert(si, &ss) >= 0 |
55 | && ossl_cms_signerinfo_get_signing_cert_v2(si, &ssv2) >= 0 | |
56 | && ossl_ess_check_signing_certs(ss, ssv2, chain, 1); | |
9e3c510b F |
57 | |
58 | ESS_SIGNING_CERT_free(ss); | |
59 | ESS_SIGNING_CERT_V2_free(ssv2); | |
60 | return ret; | |
61 | } | |
62 | ||
d8652be0 | 63 | CMS_ReceiptRequest *CMS_ReceiptRequest_create0_ex( |
c1669f41 SL |
64 | unsigned char *id, int idlen, int allorfirst, |
65 | STACK_OF(GENERAL_NAMES) *receiptList, STACK_OF(GENERAL_NAMES) *receiptsTo, | |
b4250010 | 66 | OSSL_LIB_CTX *libctx, const char *propq) |
0f113f3e | 67 | { |
9e3c510b | 68 | CMS_ReceiptRequest *rr; |
0f113f3e MC |
69 | |
70 | rr = CMS_ReceiptRequest_new(); | |
90945fa3 | 71 | if (rr == NULL) |
0f113f3e MC |
72 | goto merr; |
73 | if (id) | |
74 | ASN1_STRING_set0(rr->signedContentIdentifier, id, idlen); | |
75 | else { | |
76 | if (!ASN1_STRING_set(rr->signedContentIdentifier, NULL, 32)) | |
77 | goto merr; | |
c1669f41 | 78 | if (RAND_bytes_ex(libctx, rr->signedContentIdentifier->data, 32) <= 0) |
0f113f3e MC |
79 | goto err; |
80 | } | |
81 | ||
82 | sk_GENERAL_NAMES_pop_free(rr->receiptsTo, GENERAL_NAMES_free); | |
83 | rr->receiptsTo = receiptsTo; | |
84 | ||
c1669f41 | 85 | if (receiptList != NULL) { |
0f113f3e MC |
86 | rr->receiptsFrom->type = 1; |
87 | rr->receiptsFrom->d.receiptList = receiptList; | |
88 | } else { | |
89 | rr->receiptsFrom->type = 0; | |
90 | rr->receiptsFrom->d.allOrFirstTier = allorfirst; | |
91 | } | |
92 | ||
93 | return rr; | |
94 | ||
95 | merr: | |
9311d0c4 | 96 | ERR_raise(ERR_LIB_CMS, ERR_R_MALLOC_FAILURE); |
0f113f3e MC |
97 | |
98 | err: | |
25aaa98a | 99 | CMS_ReceiptRequest_free(rr); |
0f113f3e MC |
100 | return NULL; |
101 | ||
102 | } | |
f5e2354c | 103 | |
c1669f41 SL |
104 | CMS_ReceiptRequest *CMS_ReceiptRequest_create0( |
105 | unsigned char *id, int idlen, int allorfirst, | |
106 | STACK_OF(GENERAL_NAMES) *receiptList, STACK_OF(GENERAL_NAMES) *receiptsTo) | |
107 | { | |
d8652be0 MC |
108 | return CMS_ReceiptRequest_create0_ex(id, idlen, allorfirst, receiptList, |
109 | receiptsTo, NULL, NULL); | |
c1669f41 SL |
110 | } |
111 | ||
f5e2354c | 112 | int CMS_add1_ReceiptRequest(CMS_SignerInfo *si, CMS_ReceiptRequest *rr) |
0f113f3e MC |
113 | { |
114 | unsigned char *rrder = NULL; | |
115 | int rrderlen, r = 0; | |
f5e2354c | 116 | |
0f113f3e MC |
117 | rrderlen = i2d_CMS_ReceiptRequest(rr, &rrder); |
118 | if (rrderlen < 0) | |
119 | goto merr; | |
f5e2354c | 120 | |
0f113f3e MC |
121 | if (!CMS_signed_add1_attr_by_NID(si, NID_id_smime_aa_receiptRequest, |
122 | V_ASN1_SEQUENCE, rrder, rrderlen)) | |
123 | goto merr; | |
f5e2354c | 124 | |
0f113f3e | 125 | r = 1; |
f5e2354c | 126 | |
0f113f3e MC |
127 | merr: |
128 | if (!r) | |
9311d0c4 | 129 | ERR_raise(ERR_LIB_CMS, ERR_R_MALLOC_FAILURE); |
f5e2354c | 130 | |
b548a1f1 | 131 | OPENSSL_free(rrder); |
f4cc56f4 | 132 | |
0f113f3e MC |
133 | return r; |
134 | ||
135 | } | |
f4cc56f4 DSH |
136 | |
137 | void CMS_ReceiptRequest_get0_values(CMS_ReceiptRequest *rr, | |
0f113f3e MC |
138 | ASN1_STRING **pcid, |
139 | int *pallorfirst, | |
140 | STACK_OF(GENERAL_NAMES) **plist, | |
141 | STACK_OF(GENERAL_NAMES) **prto) | |
142 | { | |
c1669f41 | 143 | if (pcid != NULL) |
0f113f3e MC |
144 | *pcid = rr->signedContentIdentifier; |
145 | if (rr->receiptsFrom->type == 0) { | |
c1669f41 | 146 | if (pallorfirst != NULL) |
0f113f3e | 147 | *pallorfirst = (int)rr->receiptsFrom->d.allOrFirstTier; |
c1669f41 | 148 | if (plist != NULL) |
0f113f3e MC |
149 | *plist = NULL; |
150 | } else { | |
c1669f41 | 151 | if (pallorfirst != NULL) |
0f113f3e | 152 | *pallorfirst = -1; |
c1669f41 | 153 | if (plist != NULL) |
0f113f3e MC |
154 | *plist = rr->receiptsFrom->d.receiptList; |
155 | } | |
c1669f41 | 156 | if (prto != NULL) |
0f113f3e MC |
157 | *prto = rr->receiptsTo; |
158 | } | |
f4cc56f4 | 159 | |
36309aa2 DSH |
160 | /* Digest a SignerInfo structure for msgSigDigest attribute processing */ |
161 | ||
eb9d8d8c | 162 | static int cms_msgSigDigest(CMS_SignerInfo *si, |
0f113f3e MC |
163 | unsigned char *dig, unsigned int *diglen) |
164 | { | |
c1669f41 | 165 | const EVP_MD *md = EVP_get_digestbyobj(si->digestAlgorithm->algorithm); |
9e3c510b | 166 | |
0f113f3e MC |
167 | if (md == NULL) |
168 | return 0; | |
d8652be0 | 169 | if (!asn1_item_digest_ex(ASN1_ITEM_rptr(CMS_Attributes_Verify), md, |
84af8027 | 170 | si->signedAttrs, dig, diglen, |
53155f1c SL |
171 | ossl_cms_ctx_get0_libctx(si->cms_ctx), |
172 | ossl_cms_ctx_get0_propq(si->cms_ctx))) | |
0f113f3e MC |
173 | return 0; |
174 | return 1; | |
175 | } | |
eb9d8d8c | 176 | |
36309aa2 DSH |
177 | /* Add a msgSigDigest attribute to a SignerInfo */ |
178 | ||
53155f1c | 179 | int ossl_cms_msgSigDigest_add1(CMS_SignerInfo *dest, CMS_SignerInfo *src) |
0f113f3e MC |
180 | { |
181 | unsigned char dig[EVP_MAX_MD_SIZE]; | |
182 | unsigned int diglen; | |
9e3c510b | 183 | |
0f113f3e | 184 | if (!cms_msgSigDigest(src, dig, &diglen)) { |
9311d0c4 | 185 | ERR_raise(ERR_LIB_CMS, CMS_R_MSGSIGDIGEST_ERROR); |
0f113f3e MC |
186 | return 0; |
187 | } | |
188 | if (!CMS_signed_add1_attr_by_NID(dest, NID_id_smime_aa_msgSigDigest, | |
189 | V_ASN1_OCTET_STRING, dig, diglen)) { | |
9311d0c4 | 190 | ERR_raise(ERR_LIB_CMS, ERR_R_MALLOC_FAILURE); |
0f113f3e MC |
191 | return 0; |
192 | } | |
193 | return 1; | |
194 | } | |
36309aa2 | 195 | |
eb9d8d8c DSH |
196 | /* Verify signed receipt after it has already passed normal CMS verify */ |
197 | ||
53155f1c | 198 | int ossl_cms_Receipt_verify(CMS_ContentInfo *cms, CMS_ContentInfo *req_cms) |
0f113f3e MC |
199 | { |
200 | int r = 0, i; | |
201 | CMS_ReceiptRequest *rr = NULL; | |
202 | CMS_Receipt *rct = NULL; | |
203 | STACK_OF(CMS_SignerInfo) *sis, *osis; | |
204 | CMS_SignerInfo *si, *osi = NULL; | |
205 | ASN1_OCTET_STRING *msig, **pcont; | |
206 | ASN1_OBJECT *octype; | |
207 | unsigned char dig[EVP_MAX_MD_SIZE]; | |
208 | unsigned int diglen; | |
209 | ||
210 | /* Get SignerInfos, also checks SignedData content type */ | |
211 | osis = CMS_get0_SignerInfos(req_cms); | |
212 | sis = CMS_get0_SignerInfos(cms); | |
213 | if (!osis || !sis) | |
214 | goto err; | |
215 | ||
216 | if (sk_CMS_SignerInfo_num(sis) != 1) { | |
9311d0c4 | 217 | ERR_raise(ERR_LIB_CMS, CMS_R_NEED_ONE_SIGNER); |
0f113f3e MC |
218 | goto err; |
219 | } | |
220 | ||
221 | /* Check receipt content type */ | |
222 | if (OBJ_obj2nid(CMS_get0_eContentType(cms)) != NID_id_smime_ct_receipt) { | |
9311d0c4 | 223 | ERR_raise(ERR_LIB_CMS, CMS_R_NOT_A_SIGNED_RECEIPT); |
0f113f3e MC |
224 | goto err; |
225 | } | |
226 | ||
227 | /* Extract and decode receipt content */ | |
228 | pcont = CMS_get0_content(cms); | |
12a765a5 | 229 | if (pcont == NULL || *pcont == NULL) { |
9311d0c4 | 230 | ERR_raise(ERR_LIB_CMS, CMS_R_NO_CONTENT); |
0f113f3e MC |
231 | goto err; |
232 | } | |
233 | ||
234 | rct = ASN1_item_unpack(*pcont, ASN1_ITEM_rptr(CMS_Receipt)); | |
235 | ||
236 | if (!rct) { | |
9311d0c4 | 237 | ERR_raise(ERR_LIB_CMS, CMS_R_RECEIPT_DECODE_ERROR); |
0f113f3e MC |
238 | goto err; |
239 | } | |
240 | ||
241 | /* Locate original request */ | |
242 | ||
243 | for (i = 0; i < sk_CMS_SignerInfo_num(osis); i++) { | |
244 | osi = sk_CMS_SignerInfo_value(osis, i); | |
245 | if (!ASN1_STRING_cmp(osi->signature, rct->originatorSignatureValue)) | |
246 | break; | |
247 | } | |
248 | ||
249 | if (i == sk_CMS_SignerInfo_num(osis)) { | |
9311d0c4 | 250 | ERR_raise(ERR_LIB_CMS, CMS_R_NO_MATCHING_SIGNATURE); |
0f113f3e MC |
251 | goto err; |
252 | } | |
253 | ||
254 | si = sk_CMS_SignerInfo_value(sis, 0); | |
255 | ||
256 | /* Get msgSigDigest value and compare */ | |
257 | ||
258 | msig = CMS_signed_get0_data_by_OBJ(si, | |
259 | OBJ_nid2obj | |
260 | (NID_id_smime_aa_msgSigDigest), -3, | |
261 | V_ASN1_OCTET_STRING); | |
262 | ||
263 | if (!msig) { | |
9311d0c4 | 264 | ERR_raise(ERR_LIB_CMS, CMS_R_NO_MSGSIGDIGEST); |
0f113f3e MC |
265 | goto err; |
266 | } | |
267 | ||
268 | if (!cms_msgSigDigest(osi, dig, &diglen)) { | |
9311d0c4 | 269 | ERR_raise(ERR_LIB_CMS, CMS_R_MSGSIGDIGEST_ERROR); |
0f113f3e MC |
270 | goto err; |
271 | } | |
272 | ||
273 | if (diglen != (unsigned int)msig->length) { | |
9311d0c4 | 274 | ERR_raise(ERR_LIB_CMS, CMS_R_MSGSIGDIGEST_WRONG_LENGTH); |
0f113f3e MC |
275 | goto err; |
276 | } | |
277 | ||
278 | if (memcmp(dig, msig->data, diglen)) { | |
9311d0c4 | 279 | ERR_raise(ERR_LIB_CMS, CMS_R_MSGSIGDIGEST_VERIFICATION_FAILURE); |
0f113f3e MC |
280 | goto err; |
281 | } | |
282 | ||
283 | /* Compare content types */ | |
284 | ||
285 | octype = CMS_signed_get0_data_by_OBJ(osi, | |
286 | OBJ_nid2obj(NID_pkcs9_contentType), | |
287 | -3, V_ASN1_OBJECT); | |
288 | if (!octype) { | |
9311d0c4 | 289 | ERR_raise(ERR_LIB_CMS, CMS_R_NO_CONTENT_TYPE); |
0f113f3e MC |
290 | goto err; |
291 | } | |
292 | ||
293 | /* Compare details in receipt request */ | |
294 | ||
295 | if (OBJ_cmp(octype, rct->contentType)) { | |
9311d0c4 | 296 | ERR_raise(ERR_LIB_CMS, CMS_R_CONTENT_TYPE_MISMATCH); |
0f113f3e MC |
297 | goto err; |
298 | } | |
299 | ||
300 | /* Get original receipt request details */ | |
301 | ||
302 | if (CMS_get1_ReceiptRequest(osi, &rr) <= 0) { | |
9311d0c4 | 303 | ERR_raise(ERR_LIB_CMS, CMS_R_NO_RECEIPT_REQUEST); |
0f113f3e MC |
304 | goto err; |
305 | } | |
306 | ||
307 | if (ASN1_STRING_cmp(rr->signedContentIdentifier, | |
308 | rct->signedContentIdentifier)) { | |
9311d0c4 | 309 | ERR_raise(ERR_LIB_CMS, CMS_R_CONTENTIDENTIFIER_MISMATCH); |
0f113f3e MC |
310 | goto err; |
311 | } | |
312 | ||
313 | r = 1; | |
314 | ||
315 | err: | |
25aaa98a | 316 | CMS_ReceiptRequest_free(rr); |
2ace7450 | 317 | M_ASN1_free_of(rct, CMS_Receipt); |
0f113f3e MC |
318 | return r; |
319 | ||
320 | } | |
321 | ||
322 | /* | |
323 | * Encode a Receipt into an OCTET STRING read for including into content of a | |
324 | * SignedData ContentInfo. | |
36309aa2 DSH |
325 | */ |
326 | ||
53155f1c | 327 | ASN1_OCTET_STRING *ossl_cms_encode_Receipt(CMS_SignerInfo *si) |
0f113f3e MC |
328 | { |
329 | CMS_Receipt rct; | |
330 | CMS_ReceiptRequest *rr = NULL; | |
331 | ASN1_OBJECT *ctype; | |
332 | ASN1_OCTET_STRING *os = NULL; | |
36309aa2 | 333 | |
0f113f3e | 334 | /* Get original receipt request */ |
36309aa2 | 335 | |
0f113f3e | 336 | /* Get original receipt request details */ |
36309aa2 | 337 | |
0f113f3e | 338 | if (CMS_get1_ReceiptRequest(si, &rr) <= 0) { |
9311d0c4 | 339 | ERR_raise(ERR_LIB_CMS, CMS_R_NO_RECEIPT_REQUEST); |
0f113f3e MC |
340 | goto err; |
341 | } | |
36309aa2 | 342 | |
0f113f3e | 343 | /* Get original content type */ |
36309aa2 | 344 | |
0f113f3e MC |
345 | ctype = CMS_signed_get0_data_by_OBJ(si, |
346 | OBJ_nid2obj(NID_pkcs9_contentType), | |
347 | -3, V_ASN1_OBJECT); | |
348 | if (!ctype) { | |
9311d0c4 | 349 | ERR_raise(ERR_LIB_CMS, CMS_R_NO_CONTENT_TYPE); |
0f113f3e MC |
350 | goto err; |
351 | } | |
36309aa2 | 352 | |
0f113f3e MC |
353 | rct.version = 1; |
354 | rct.contentType = ctype; | |
355 | rct.signedContentIdentifier = rr->signedContentIdentifier; | |
356 | rct.originatorSignatureValue = si->signature; | |
36309aa2 | 357 | |
0f113f3e | 358 | os = ASN1_item_pack(&rct, ASN1_ITEM_rptr(CMS_Receipt), NULL); |
36309aa2 | 359 | |
0f113f3e | 360 | err: |
25aaa98a | 361 | CMS_ReceiptRequest_free(rr); |
0f113f3e | 362 | return os; |
0f113f3e | 363 | } |
e85d19c6 AI |
364 | |
365 | /* | |
8c00f267 | 366 | * Add signer certificate's V2 digest |sc| to a SignerInfo structure |si| |
e85d19c6 AI |
367 | */ |
368 | ||
53155f1c | 369 | int ossl_cms_add1_signing_cert_v2(CMS_SignerInfo *si, ESS_SIGNING_CERT_V2 *sc) |
e85d19c6 AI |
370 | { |
371 | ASN1_STRING *seq = NULL; | |
5340c8ea | 372 | unsigned char *p, *pp = NULL; |
e85d19c6 AI |
373 | int len; |
374 | ||
375 | /* Add SigningCertificateV2 signed attribute to the signer info. */ | |
376 | len = i2d_ESS_SIGNING_CERT_V2(sc, NULL); | |
5340c8ea | 377 | if (len <= 0 || (pp = OPENSSL_malloc(len)) == NULL) |
e85d19c6 AI |
378 | goto err; |
379 | p = pp; | |
380 | i2d_ESS_SIGNING_CERT_V2(sc, &p); | |
381 | if (!(seq = ASN1_STRING_new()) || !ASN1_STRING_set(seq, pp, len)) | |
382 | goto err; | |
383 | OPENSSL_free(pp); | |
384 | pp = NULL; | |
385 | if (!CMS_signed_add1_attr_by_NID(si, NID_id_smime_aa_signingCertificateV2, | |
386 | V_ASN1_SEQUENCE, seq, -1)) | |
387 | goto err; | |
388 | ASN1_STRING_free(seq); | |
389 | return 1; | |
390 | err: | |
9311d0c4 | 391 | ERR_raise(ERR_LIB_CMS, ERR_R_MALLOC_FAILURE); |
e85d19c6 AI |
392 | ASN1_STRING_free(seq); |
393 | OPENSSL_free(pp); | |
394 | return 0; | |
395 | } | |
396 | ||
397 | /* | |
8c00f267 | 398 | * Add signer certificate's digest |sc| to a SignerInfo structure |si| |
e85d19c6 AI |
399 | */ |
400 | ||
53155f1c | 401 | int ossl_cms_add1_signing_cert(CMS_SignerInfo *si, ESS_SIGNING_CERT *sc) |
e85d19c6 AI |
402 | { |
403 | ASN1_STRING *seq = NULL; | |
5340c8ea | 404 | unsigned char *p, *pp = NULL; |
e85d19c6 AI |
405 | int len; |
406 | ||
407 | /* Add SigningCertificate signed attribute to the signer info. */ | |
408 | len = i2d_ESS_SIGNING_CERT(sc, NULL); | |
5340c8ea | 409 | if (len <= 0 || (pp = OPENSSL_malloc(len)) == NULL) |
e85d19c6 AI |
410 | goto err; |
411 | p = pp; | |
412 | i2d_ESS_SIGNING_CERT(sc, &p); | |
413 | if (!(seq = ASN1_STRING_new()) || !ASN1_STRING_set(seq, pp, len)) | |
414 | goto err; | |
415 | OPENSSL_free(pp); | |
416 | pp = NULL; | |
417 | if (!CMS_signed_add1_attr_by_NID(si, NID_id_smime_aa_signingCertificate, | |
418 | V_ASN1_SEQUENCE, seq, -1)) | |
419 | goto err; | |
420 | ASN1_STRING_free(seq); | |
421 | return 1; | |
422 | err: | |
9311d0c4 | 423 | ERR_raise(ERR_LIB_CMS, ERR_R_MALLOC_FAILURE); |
e85d19c6 AI |
424 | ASN1_STRING_free(seq); |
425 | OPENSSL_free(pp); | |
426 | return 0; | |
427 | } |