]>
Commit | Line | Data |
---|---|---|
5a9a4b29 | 1 | /* pk7_smime.c */ |
0f113f3e MC |
2 | /* |
3 | * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL | |
27068df7 | 4 | * project. |
5a9a4b29 DSH |
5 | */ |
6 | /* ==================================================================== | |
9d10b15e | 7 | * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved. |
5a9a4b29 DSH |
8 | * |
9 | * Redistribution and use in source and binary forms, with or without | |
10 | * modification, are permitted provided that the following conditions | |
11 | * are met: | |
12 | * | |
13 | * 1. Redistributions of source code must retain the above copyright | |
0f113f3e | 14 | * notice, this list of conditions and the following disclaimer. |
5a9a4b29 DSH |
15 | * |
16 | * 2. Redistributions in binary form must reproduce the above copyright | |
17 | * notice, this list of conditions and the following disclaimer in | |
18 | * the documentation and/or other materials provided with the | |
19 | * distribution. | |
20 | * | |
21 | * 3. All advertising materials mentioning features or use of this | |
22 | * software must display the following acknowledgment: | |
23 | * "This product includes software developed by the OpenSSL Project | |
24 | * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" | |
25 | * | |
26 | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to | |
27 | * endorse or promote products derived from this software without | |
28 | * prior written permission. For written permission, please contact | |
29 | * licensing@OpenSSL.org. | |
30 | * | |
31 | * 5. Products derived from this software may not be called "OpenSSL" | |
32 | * nor may "OpenSSL" appear in their names without prior written | |
33 | * permission of the OpenSSL Project. | |
34 | * | |
35 | * 6. Redistributions of any form whatsoever must retain the following | |
36 | * acknowledgment: | |
37 | * "This product includes software developed by the OpenSSL Project | |
38 | * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" | |
39 | * | |
40 | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY | |
41 | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
42 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | |
43 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR | |
44 | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | |
45 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | |
46 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | |
47 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
48 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | |
49 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | |
50 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED | |
51 | * OF THE POSSIBILITY OF SUCH DAMAGE. | |
52 | * ==================================================================== | |
53 | * | |
54 | * This product includes cryptographic software written by Eric Young | |
55 | * (eay@cryptsoft.com). This product includes software written by Tim | |
56 | * Hudson (tjh@cryptsoft.com). | |
57 | * | |
58 | */ | |
59 | ||
60 | /* Simple PKCS#7 processing functions */ | |
61 | ||
62 | #include <stdio.h> | |
63 | #include "cryptlib.h" | |
64 | #include <openssl/x509.h> | |
65 | #include <openssl/x509v3.h> | |
66 | ||
55311921 DSH |
67 | static int pkcs7_copy_existing_digest(PKCS7 *p7, PKCS7_SIGNER_INFO *si); |
68 | ||
5a9a4b29 | 69 | PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs, |
0f113f3e | 70 | BIO *data, int flags) |
5a9a4b29 | 71 | { |
0f113f3e MC |
72 | PKCS7 *p7; |
73 | int i; | |
74 | ||
75ebbd9a | 75 | if ((p7 = PKCS7_new()) == NULL) { |
0f113f3e MC |
76 | PKCS7err(PKCS7_F_PKCS7_SIGN, ERR_R_MALLOC_FAILURE); |
77 | return NULL; | |
78 | } | |
79 | ||
80 | if (!PKCS7_set_type(p7, NID_pkcs7_signed)) | |
81 | goto err; | |
82 | ||
83 | if (!PKCS7_content_new(p7, NID_pkcs7_data)) | |
84 | goto err; | |
85 | ||
86 | if (pkey && !PKCS7_sign_add_signer(p7, signcert, pkey, NULL, flags)) { | |
87 | PKCS7err(PKCS7_F_PKCS7_SIGN, PKCS7_R_PKCS7_ADD_SIGNER_ERROR); | |
88 | goto err; | |
89 | } | |
90 | ||
91 | if (!(flags & PKCS7_NOCERTS)) { | |
92 | for (i = 0; i < sk_X509_num(certs); i++) { | |
93 | if (!PKCS7_add_certificate(p7, sk_X509_value(certs, i))) | |
94 | goto err; | |
95 | } | |
96 | } | |
97 | ||
98 | if (flags & PKCS7_DETACHED) | |
99 | PKCS7_set_detached(p7, 1); | |
100 | ||
101 | if (flags & (PKCS7_STREAM | PKCS7_PARTIAL)) | |
102 | return p7; | |
103 | ||
104 | if (PKCS7_final(p7, data, flags)) | |
105 | return p7; | |
106 | ||
107 | err: | |
108 | PKCS7_free(p7); | |
109 | return NULL; | |
60f20632 DSH |
110 | } |
111 | ||
112 | int PKCS7_final(PKCS7 *p7, BIO *data, int flags) | |
0f113f3e MC |
113 | { |
114 | BIO *p7bio; | |
115 | int ret = 0; | |
75ebbd9a | 116 | if ((p7bio = PKCS7_dataInit(p7, NULL)) == NULL) { |
0f113f3e MC |
117 | PKCS7err(PKCS7_F_PKCS7_FINAL, ERR_R_MALLOC_FAILURE); |
118 | return 0; | |
119 | } | |
60f20632 | 120 | |
0f113f3e | 121 | SMIME_crlf_copy(data, p7bio, flags); |
994df5a2 | 122 | |
0f113f3e | 123 | (void)BIO_flush(p7bio); |
60f20632 | 124 | |
0f113f3e MC |
125 | if (!PKCS7_dataFinal(p7, p7bio)) { |
126 | PKCS7err(PKCS7_F_PKCS7_FINAL, PKCS7_R_PKCS7_DATASIGN); | |
127 | goto err; | |
128 | } | |
5a9a4b29 | 129 | |
0f113f3e | 130 | ret = 1; |
60f20632 | 131 | |
0f113f3e MC |
132 | err: |
133 | BIO_free_all(p7bio); | |
60f20632 | 134 | |
0f113f3e | 135 | return ret; |
27068df7 | 136 | |
0f113f3e | 137 | } |
27068df7 | 138 | |
60f20632 | 139 | /* Check to see if a cipher exists and if so add S/MIME capabilities */ |
27068df7 | 140 | |
60f20632 | 141 | static int add_cipher_smcap(STACK_OF(X509_ALGOR) *sk, int nid, int arg) |
0f113f3e MC |
142 | { |
143 | if (EVP_get_cipherbynid(nid)) | |
144 | return PKCS7_simple_smimecap(sk, nid, arg); | |
145 | return 1; | |
146 | } | |
5a9a4b29 | 147 | |
61e5ec4b | 148 | static int add_digest_smcap(STACK_OF(X509_ALGOR) *sk, int nid, int arg) |
0f113f3e MC |
149 | { |
150 | if (EVP_get_digestbynid(nid)) | |
151 | return PKCS7_simple_smimecap(sk, nid, arg); | |
152 | return 1; | |
153 | } | |
61e5ec4b | 154 | |
60f20632 | 155 | PKCS7_SIGNER_INFO *PKCS7_sign_add_signer(PKCS7 *p7, X509 *signcert, |
0f113f3e MC |
156 | EVP_PKEY *pkey, const EVP_MD *md, |
157 | int flags) | |
158 | { | |
159 | PKCS7_SIGNER_INFO *si = NULL; | |
160 | STACK_OF(X509_ALGOR) *smcap = NULL; | |
161 | if (!X509_check_private_key(signcert, pkey)) { | |
162 | PKCS7err(PKCS7_F_PKCS7_SIGN_ADD_SIGNER, | |
163 | PKCS7_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE); | |
164 | return NULL; | |
165 | } | |
166 | ||
75ebbd9a | 167 | if ((si = PKCS7_add_signature(p7, signcert, pkey, md)) == NULL) { |
0f113f3e MC |
168 | PKCS7err(PKCS7_F_PKCS7_SIGN_ADD_SIGNER, |
169 | PKCS7_R_PKCS7_ADD_SIGNATURE_ERROR); | |
170 | return NULL; | |
171 | } | |
172 | ||
173 | if (!(flags & PKCS7_NOCERTS)) { | |
174 | if (!PKCS7_add_certificate(p7, signcert)) | |
175 | goto err; | |
176 | } | |
177 | ||
178 | if (!(flags & PKCS7_NOATTR)) { | |
179 | if (!PKCS7_add_attrib_content_type(si, NULL)) | |
180 | goto err; | |
181 | /* Add SMIMECapabilities */ | |
182 | if (!(flags & PKCS7_NOSMIMECAP)) { | |
75ebbd9a | 183 | if ((smcap = sk_X509_ALGOR_new_null()) == NULL) { |
0f113f3e MC |
184 | PKCS7err(PKCS7_F_PKCS7_SIGN_ADD_SIGNER, ERR_R_MALLOC_FAILURE); |
185 | goto err; | |
186 | } | |
187 | if (!add_cipher_smcap(smcap, NID_aes_256_cbc, -1) | |
188 | || !add_digest_smcap(smcap, NID_id_GostR3411_94, -1) | |
189 | || !add_cipher_smcap(smcap, NID_id_Gost28147_89, -1) | |
190 | || !add_cipher_smcap(smcap, NID_aes_192_cbc, -1) | |
191 | || !add_cipher_smcap(smcap, NID_aes_128_cbc, -1) | |
192 | || !add_cipher_smcap(smcap, NID_des_ede3_cbc, -1) | |
193 | || !add_cipher_smcap(smcap, NID_rc2_cbc, 128) | |
194 | || !add_cipher_smcap(smcap, NID_rc2_cbc, 64) | |
195 | || !add_cipher_smcap(smcap, NID_des_cbc, -1) | |
196 | || !add_cipher_smcap(smcap, NID_rc2_cbc, 40) | |
197 | || !PKCS7_add_attrib_smimecap(si, smcap)) | |
198 | goto err; | |
199 | sk_X509_ALGOR_pop_free(smcap, X509_ALGOR_free); | |
200 | smcap = NULL; | |
201 | } | |
202 | if (flags & PKCS7_REUSE_DIGEST) { | |
203 | if (!pkcs7_copy_existing_digest(p7, si)) | |
204 | goto err; | |
205 | if (!(flags & PKCS7_PARTIAL) && !PKCS7_SIGNER_INFO_sign(si)) | |
206 | goto err; | |
207 | } | |
208 | } | |
209 | return si; | |
210 | err: | |
222561fe | 211 | sk_X509_ALGOR_pop_free(smcap, X509_ALGOR_free); |
0f113f3e MC |
212 | return NULL; |
213 | } | |
214 | ||
215 | /* | |
216 | * Search for a digest matching SignerInfo digest type and if found copy | |
217 | * across. | |
55311921 DSH |
218 | */ |
219 | ||
220 | static int pkcs7_copy_existing_digest(PKCS7 *p7, PKCS7_SIGNER_INFO *si) | |
0f113f3e MC |
221 | { |
222 | int i; | |
223 | STACK_OF(PKCS7_SIGNER_INFO) *sinfos; | |
224 | PKCS7_SIGNER_INFO *sitmp; | |
225 | ASN1_OCTET_STRING *osdig = NULL; | |
226 | sinfos = PKCS7_get_signer_info(p7); | |
227 | for (i = 0; i < sk_PKCS7_SIGNER_INFO_num(sinfos); i++) { | |
228 | sitmp = sk_PKCS7_SIGNER_INFO_value(sinfos, i); | |
229 | if (si == sitmp) | |
230 | break; | |
231 | if (sk_X509_ATTRIBUTE_num(sitmp->auth_attr) <= 0) | |
232 | continue; | |
233 | if (!OBJ_cmp(si->digest_alg->algorithm, sitmp->digest_alg->algorithm)) { | |
234 | osdig = PKCS7_digest_from_attributes(sitmp->auth_attr); | |
235 | break; | |
236 | } | |
237 | ||
238 | } | |
239 | ||
240 | if (osdig) | |
241 | return PKCS7_add1_attrib_digest(si, osdig->data, osdig->length); | |
242 | ||
243 | PKCS7err(PKCS7_F_PKCS7_COPY_EXISTING_DIGEST, | |
244 | PKCS7_R_NO_MATCHING_DIGEST_TYPE_FOUND); | |
245 | return 0; | |
246 | } | |
55311921 | 247 | |
5a9a4b29 | 248 | int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, |
0f113f3e | 249 | BIO *indata, BIO *out, int flags) |
5a9a4b29 | 250 | { |
0f113f3e MC |
251 | STACK_OF(X509) *signers; |
252 | X509 *signer; | |
253 | STACK_OF(PKCS7_SIGNER_INFO) *sinfos; | |
254 | PKCS7_SIGNER_INFO *si; | |
255 | X509_STORE_CTX cert_ctx; | |
256 | char buf[4096]; | |
257 | int i, j = 0, k, ret = 0; | |
258 | BIO *p7bio; | |
259 | BIO *tmpin, *tmpout; | |
260 | ||
261 | if (!p7) { | |
262 | PKCS7err(PKCS7_F_PKCS7_VERIFY, PKCS7_R_INVALID_NULL_POINTER); | |
263 | return 0; | |
264 | } | |
265 | ||
266 | if (!PKCS7_type_is_signed(p7)) { | |
267 | PKCS7err(PKCS7_F_PKCS7_VERIFY, PKCS7_R_WRONG_CONTENT_TYPE); | |
268 | return 0; | |
269 | } | |
270 | ||
271 | /* Check for no data and no content: no data to verify signature */ | |
272 | if (PKCS7_get_detached(p7) && !indata) { | |
273 | PKCS7err(PKCS7_F_PKCS7_VERIFY, PKCS7_R_NO_CONTENT); | |
274 | return 0; | |
275 | } | |
02a938c9 | 276 | |
0f113f3e | 277 | /* |
02a938c9 RS |
278 | * Very old Netscape illegally included empty content with |
279 | * a detached signature. To not support that, enable the | |
280 | * following flag. | |
0f113f3e | 281 | */ |
02a938c9 | 282 | #ifdef OPENSSL_DONT_SUPPORT_OLD_NETSCAPE |
0f113f3e MC |
283 | /* Check for data and content: two sets of data */ |
284 | if (!PKCS7_get_detached(p7) && indata) { | |
285 | PKCS7err(PKCS7_F_PKCS7_VERIFY, PKCS7_R_CONTENT_AND_DATA_PRESENT); | |
286 | return 0; | |
287 | } | |
730e37ed | 288 | #endif |
5a9a4b29 | 289 | |
0f113f3e MC |
290 | sinfos = PKCS7_get_signer_info(p7); |
291 | ||
292 | if (!sinfos || !sk_PKCS7_SIGNER_INFO_num(sinfos)) { | |
293 | PKCS7err(PKCS7_F_PKCS7_VERIFY, PKCS7_R_NO_SIGNATURES_ON_DATA); | |
294 | return 0; | |
295 | } | |
296 | ||
297 | signers = PKCS7_get0_signers(p7, certs, flags); | |
298 | ||
299 | if (!signers) | |
300 | return 0; | |
301 | ||
302 | /* Now verify the certificates */ | |
303 | ||
304 | if (!(flags & PKCS7_NOVERIFY)) | |
305 | for (k = 0; k < sk_X509_num(signers); k++) { | |
306 | signer = sk_X509_value(signers, k); | |
307 | if (!(flags & PKCS7_NOCHAIN)) { | |
308 | if (!X509_STORE_CTX_init(&cert_ctx, store, signer, | |
309 | p7->d.sign->cert)) { | |
310 | PKCS7err(PKCS7_F_PKCS7_VERIFY, ERR_R_X509_LIB); | |
311 | sk_X509_free(signers); | |
312 | return 0; | |
313 | } | |
314 | X509_STORE_CTX_set_default(&cert_ctx, "smime_sign"); | |
315 | } else if (!X509_STORE_CTX_init(&cert_ctx, store, signer, NULL)) { | |
316 | PKCS7err(PKCS7_F_PKCS7_VERIFY, ERR_R_X509_LIB); | |
317 | sk_X509_free(signers); | |
318 | return 0; | |
319 | } | |
320 | if (!(flags & PKCS7_NOCRL)) | |
321 | X509_STORE_CTX_set0_crls(&cert_ctx, p7->d.sign->crl); | |
322 | i = X509_verify_cert(&cert_ctx); | |
323 | if (i <= 0) | |
324 | j = X509_STORE_CTX_get_error(&cert_ctx); | |
325 | X509_STORE_CTX_cleanup(&cert_ctx); | |
326 | if (i <= 0) { | |
327 | PKCS7err(PKCS7_F_PKCS7_VERIFY, | |
328 | PKCS7_R_CERTIFICATE_VERIFY_ERROR); | |
329 | ERR_add_error_data(2, "Verify error:", | |
330 | X509_verify_cert_error_string(j)); | |
331 | sk_X509_free(signers); | |
332 | return 0; | |
333 | } | |
334 | /* Check for revocation status here */ | |
335 | } | |
336 | ||
337 | /* | |
338 | * Performance optimization: if the content is a memory BIO then store | |
339 | * its contents in a temporary read only memory BIO. This avoids | |
340 | * potentially large numbers of slow copies of data which will occur when | |
341 | * reading from a read write memory BIO when signatures are calculated. | |
342 | */ | |
343 | ||
344 | if (indata && (BIO_method_type(indata) == BIO_TYPE_MEM)) { | |
345 | char *ptr; | |
346 | long len; | |
347 | len = BIO_get_mem_data(indata, &ptr); | |
348 | tmpin = BIO_new_mem_buf(ptr, len); | |
349 | if (tmpin == NULL) { | |
350 | PKCS7err(PKCS7_F_PKCS7_VERIFY, ERR_R_MALLOC_FAILURE); | |
351 | return 0; | |
352 | } | |
353 | } else | |
354 | tmpin = indata; | |
355 | ||
75ebbd9a | 356 | if ((p7bio = PKCS7_dataInit(p7, tmpin)) == NULL) |
0f113f3e MC |
357 | goto err; |
358 | ||
359 | if (flags & PKCS7_TEXT) { | |
75ebbd9a | 360 | if ((tmpout = BIO_new(BIO_s_mem())) == NULL) { |
0f113f3e MC |
361 | PKCS7err(PKCS7_F_PKCS7_VERIFY, ERR_R_MALLOC_FAILURE); |
362 | goto err; | |
363 | } | |
364 | BIO_set_mem_eof_return(tmpout, 0); | |
365 | } else | |
366 | tmpout = out; | |
367 | ||
368 | /* We now have to 'read' from p7bio to calculate digests etc. */ | |
369 | for (;;) { | |
370 | i = BIO_read(p7bio, buf, sizeof(buf)); | |
371 | if (i <= 0) | |
372 | break; | |
373 | if (tmpout) | |
374 | BIO_write(tmpout, buf, i); | |
375 | } | |
376 | ||
377 | if (flags & PKCS7_TEXT) { | |
378 | if (!SMIME_text(tmpout, out)) { | |
379 | PKCS7err(PKCS7_F_PKCS7_VERIFY, PKCS7_R_SMIME_TEXT_ERROR); | |
380 | BIO_free(tmpout); | |
381 | goto err; | |
382 | } | |
383 | BIO_free(tmpout); | |
384 | } | |
385 | ||
386 | /* Now Verify All Signatures */ | |
387 | if (!(flags & PKCS7_NOSIGS)) | |
388 | for (i = 0; i < sk_PKCS7_SIGNER_INFO_num(sinfos); i++) { | |
389 | si = sk_PKCS7_SIGNER_INFO_value(sinfos, i); | |
390 | signer = sk_X509_value(signers, i); | |
391 | j = PKCS7_signatureVerify(p7bio, p7, si, signer); | |
392 | if (j <= 0) { | |
393 | PKCS7err(PKCS7_F_PKCS7_VERIFY, PKCS7_R_SIGNATURE_FAILURE); | |
394 | goto err; | |
395 | } | |
396 | } | |
397 | ||
398 | ret = 1; | |
399 | ||
400 | err: | |
401 | ||
402 | if (tmpin == indata) { | |
403 | if (indata) | |
404 | BIO_pop(p7bio); | |
405 | } | |
406 | BIO_free_all(p7bio); | |
407 | ||
408 | sk_X509_free(signers); | |
409 | ||
410 | return ret; | |
5a9a4b29 DSH |
411 | } |
412 | ||
0f113f3e MC |
413 | STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, |
414 | int flags) | |
55ec5861 | 415 | { |
0f113f3e MC |
416 | STACK_OF(X509) *signers; |
417 | STACK_OF(PKCS7_SIGNER_INFO) *sinfos; | |
418 | PKCS7_SIGNER_INFO *si; | |
419 | PKCS7_ISSUER_AND_SERIAL *ias; | |
420 | X509 *signer; | |
421 | int i; | |
422 | ||
423 | if (!p7) { | |
424 | PKCS7err(PKCS7_F_PKCS7_GET0_SIGNERS, PKCS7_R_INVALID_NULL_POINTER); | |
425 | return NULL; | |
426 | } | |
427 | ||
428 | if (!PKCS7_type_is_signed(p7)) { | |
429 | PKCS7err(PKCS7_F_PKCS7_GET0_SIGNERS, PKCS7_R_WRONG_CONTENT_TYPE); | |
430 | return NULL; | |
431 | } | |
432 | ||
433 | /* Collect all the signers together */ | |
434 | ||
435 | sinfos = PKCS7_get_signer_info(p7); | |
436 | ||
437 | if (sk_PKCS7_SIGNER_INFO_num(sinfos) <= 0) { | |
438 | PKCS7err(PKCS7_F_PKCS7_GET0_SIGNERS, PKCS7_R_NO_SIGNERS); | |
439 | return 0; | |
440 | } | |
441 | ||
75ebbd9a | 442 | if ((signers = sk_X509_new_null()) == NULL) { |
0f113f3e MC |
443 | PKCS7err(PKCS7_F_PKCS7_GET0_SIGNERS, ERR_R_MALLOC_FAILURE); |
444 | return NULL; | |
445 | } | |
446 | ||
447 | for (i = 0; i < sk_PKCS7_SIGNER_INFO_num(sinfos); i++) { | |
448 | si = sk_PKCS7_SIGNER_INFO_value(sinfos, i); | |
449 | ias = si->issuer_and_serial; | |
450 | signer = NULL; | |
451 | /* If any certificates passed they take priority */ | |
452 | if (certs) | |
453 | signer = X509_find_by_issuer_and_serial(certs, | |
454 | ias->issuer, ias->serial); | |
455 | if (!signer && !(flags & PKCS7_NOINTERN) | |
456 | && p7->d.sign->cert) | |
457 | signer = | |
458 | X509_find_by_issuer_and_serial(p7->d.sign->cert, | |
459 | ias->issuer, ias->serial); | |
460 | if (!signer) { | |
461 | PKCS7err(PKCS7_F_PKCS7_GET0_SIGNERS, | |
462 | PKCS7_R_SIGNER_CERTIFICATE_NOT_FOUND); | |
463 | sk_X509_free(signers); | |
464 | return 0; | |
465 | } | |
466 | ||
467 | if (!sk_X509_push(signers, signer)) { | |
468 | sk_X509_free(signers); | |
469 | return NULL; | |
470 | } | |
471 | } | |
472 | return signers; | |
55ec5861 DSH |
473 | } |
474 | ||
5a9a4b29 DSH |
475 | /* Build a complete PKCS#7 enveloped data */ |
476 | ||
13588350 | 477 | PKCS7 *PKCS7_encrypt(STACK_OF(X509) *certs, BIO *in, const EVP_CIPHER *cipher, |
0f113f3e | 478 | int flags) |
5a9a4b29 | 479 | { |
0f113f3e MC |
480 | PKCS7 *p7; |
481 | BIO *p7bio = NULL; | |
482 | int i; | |
483 | X509 *x509; | |
75ebbd9a | 484 | if ((p7 = PKCS7_new()) == NULL) { |
0f113f3e MC |
485 | PKCS7err(PKCS7_F_PKCS7_ENCRYPT, ERR_R_MALLOC_FAILURE); |
486 | return NULL; | |
487 | } | |
488 | ||
489 | if (!PKCS7_set_type(p7, NID_pkcs7_enveloped)) | |
490 | goto err; | |
491 | if (!PKCS7_set_cipher(p7, cipher)) { | |
492 | PKCS7err(PKCS7_F_PKCS7_ENCRYPT, PKCS7_R_ERROR_SETTING_CIPHER); | |
493 | goto err; | |
494 | } | |
495 | ||
496 | for (i = 0; i < sk_X509_num(certs); i++) { | |
497 | x509 = sk_X509_value(certs, i); | |
498 | if (!PKCS7_add_recipient(p7, x509)) { | |
499 | PKCS7err(PKCS7_F_PKCS7_ENCRYPT, PKCS7_R_ERROR_ADDING_RECIPIENT); | |
500 | goto err; | |
501 | } | |
502 | } | |
503 | ||
504 | if (flags & PKCS7_STREAM) | |
505 | return p7; | |
506 | ||
507 | if (PKCS7_final(p7, in, flags)) | |
508 | return p7; | |
509 | ||
510 | err: | |
511 | ||
512 | BIO_free_all(p7bio); | |
513 | PKCS7_free(p7); | |
514 | return NULL; | |
5a9a4b29 DSH |
515 | |
516 | } | |
517 | ||
518 | int PKCS7_decrypt(PKCS7 *p7, EVP_PKEY *pkey, X509 *cert, BIO *data, int flags) | |
519 | { | |
0f113f3e MC |
520 | BIO *tmpmem; |
521 | int ret, i; | |
522 | char buf[4096]; | |
523 | ||
524 | if (!p7) { | |
525 | PKCS7err(PKCS7_F_PKCS7_DECRYPT, PKCS7_R_INVALID_NULL_POINTER); | |
526 | return 0; | |
527 | } | |
528 | ||
529 | if (!PKCS7_type_is_enveloped(p7)) { | |
530 | PKCS7err(PKCS7_F_PKCS7_DECRYPT, PKCS7_R_WRONG_CONTENT_TYPE); | |
531 | return 0; | |
532 | } | |
533 | ||
534 | if (cert && !X509_check_private_key(cert, pkey)) { | |
535 | PKCS7err(PKCS7_F_PKCS7_DECRYPT, | |
536 | PKCS7_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE); | |
537 | return 0; | |
538 | } | |
539 | ||
75ebbd9a | 540 | if ((tmpmem = PKCS7_dataDecode(p7, pkey, NULL, cert)) == NULL) { |
0f113f3e MC |
541 | PKCS7err(PKCS7_F_PKCS7_DECRYPT, PKCS7_R_DECRYPT_ERROR); |
542 | return 0; | |
543 | } | |
544 | ||
545 | if (flags & PKCS7_TEXT) { | |
546 | BIO *tmpbuf, *bread; | |
547 | /* Encrypt BIOs can't do BIO_gets() so add a buffer BIO */ | |
75ebbd9a | 548 | if ((tmpbuf = BIO_new(BIO_f_buffer())) == NULL) { |
0f113f3e MC |
549 | PKCS7err(PKCS7_F_PKCS7_DECRYPT, ERR_R_MALLOC_FAILURE); |
550 | BIO_free_all(tmpmem); | |
551 | return 0; | |
552 | } | |
75ebbd9a | 553 | if ((bread = BIO_push(tmpbuf, tmpmem)) == NULL) { |
0f113f3e MC |
554 | PKCS7err(PKCS7_F_PKCS7_DECRYPT, ERR_R_MALLOC_FAILURE); |
555 | BIO_free_all(tmpbuf); | |
556 | BIO_free_all(tmpmem); | |
557 | return 0; | |
558 | } | |
559 | ret = SMIME_text(bread, data); | |
560 | if (ret > 0 && BIO_method_type(tmpmem) == BIO_TYPE_CIPHER) { | |
561 | if (!BIO_get_cipher_status(tmpmem)) | |
562 | ret = 0; | |
563 | } | |
564 | BIO_free_all(bread); | |
565 | return ret; | |
566 | } else { | |
567 | for (;;) { | |
568 | i = BIO_read(tmpmem, buf, sizeof(buf)); | |
569 | if (i <= 0) { | |
570 | ret = 1; | |
571 | if (BIO_method_type(tmpmem) == BIO_TYPE_CIPHER) { | |
572 | if (!BIO_get_cipher_status(tmpmem)) | |
573 | ret = 0; | |
574 | } | |
575 | ||
576 | break; | |
577 | } | |
578 | if (BIO_write(data, buf, i) != i) { | |
579 | ret = 0; | |
580 | break; | |
581 | } | |
582 | } | |
583 | BIO_free_all(tmpmem); | |
584 | return ret; | |
585 | } | |
5a9a4b29 | 586 | } |