2 * Copyright 2008-2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include "internal/cryptlib.h"
11 #include <openssl/asn1t.h>
12 #include <openssl/pem.h>
13 #include <openssl/x509v3.h>
14 #include <openssl/err.h>
15 #include <openssl/cms.h>
16 #include <openssl/aes.h>
18 #include "crypto/asn1.h"
19 #include "crypto/evp.h"
21 /* CMS EnvelopedData Utilities */
23 CMS_EnvelopedData
*cms_get0_enveloped(CMS_ContentInfo
*cms
)
25 if (OBJ_obj2nid(cms
->contentType
) != NID_pkcs7_enveloped
) {
26 CMSerr(CMS_F_CMS_GET0_ENVELOPED
,
27 CMS_R_CONTENT_TYPE_NOT_ENVELOPED_DATA
);
30 return cms
->d
.envelopedData
;
33 static CMS_EnvelopedData
*cms_enveloped_data_init(CMS_ContentInfo
*cms
)
35 if (cms
->d
.other
== NULL
) {
36 cms
->d
.envelopedData
= M_ASN1_new_of(CMS_EnvelopedData
);
37 if (!cms
->d
.envelopedData
) {
38 CMSerr(CMS_F_CMS_ENVELOPED_DATA_INIT
, ERR_R_MALLOC_FAILURE
);
41 cms
->d
.envelopedData
->version
= 0;
42 cms
->d
.envelopedData
->encryptedContentInfo
->contentType
=
43 OBJ_nid2obj(NID_pkcs7_data
);
44 ASN1_OBJECT_free(cms
->contentType
);
45 cms
->contentType
= OBJ_nid2obj(NID_pkcs7_enveloped
);
46 return cms
->d
.envelopedData
;
48 return cms_get0_enveloped(cms
);
51 int cms_env_asn1_ctrl(CMS_RecipientInfo
*ri
, int cmd
)
55 if (ri
->type
== CMS_RECIPINFO_TRANS
)
56 pkey
= ri
->d
.ktri
->pkey
;
57 else if (ri
->type
== CMS_RECIPINFO_AGREE
) {
58 EVP_PKEY_CTX
*pctx
= ri
->d
.kari
->pctx
;
61 pkey
= EVP_PKEY_CTX_get0_pkey(pctx
);
66 if (!pkey
->ameth
|| !pkey
->ameth
->pkey_ctrl
)
68 i
= pkey
->ameth
->pkey_ctrl(pkey
, ASN1_PKEY_CTRL_CMS_ENVELOPE
, cmd
, ri
);
70 CMSerr(CMS_F_CMS_ENV_ASN1_CTRL
,
71 CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE
);
75 CMSerr(CMS_F_CMS_ENV_ASN1_CTRL
, CMS_R_CTRL_FAILURE
);
81 STACK_OF(CMS_RecipientInfo
) *CMS_get0_RecipientInfos(CMS_ContentInfo
*cms
)
83 CMS_EnvelopedData
*env
;
84 env
= cms_get0_enveloped(cms
);
87 return env
->recipientInfos
;
90 int CMS_RecipientInfo_type(CMS_RecipientInfo
*ri
)
95 EVP_PKEY_CTX
*CMS_RecipientInfo_get0_pkey_ctx(CMS_RecipientInfo
*ri
)
97 if (ri
->type
== CMS_RECIPINFO_TRANS
)
98 return ri
->d
.ktri
->pctx
;
99 else if (ri
->type
== CMS_RECIPINFO_AGREE
)
100 return ri
->d
.kari
->pctx
;
104 CMS_ContentInfo
*CMS_EnvelopedData_create(const EVP_CIPHER
*cipher
)
106 CMS_ContentInfo
*cms
;
107 CMS_EnvelopedData
*env
;
108 cms
= CMS_ContentInfo_new();
111 env
= cms_enveloped_data_init(cms
);
114 if (!cms_EncryptedContent_init(env
->encryptedContentInfo
,
119 CMS_ContentInfo_free(cms
);
120 CMSerr(CMS_F_CMS_ENVELOPEDDATA_CREATE
, ERR_R_MALLOC_FAILURE
);
124 /* Key Transport Recipient Info (KTRI) routines */
126 /* Initialise a ktri based on passed certificate and key */
128 static int cms_RecipientInfo_ktri_init(CMS_RecipientInfo
*ri
, X509
*recip
,
129 EVP_PKEY
*pk
, unsigned int flags
)
131 CMS_KeyTransRecipientInfo
*ktri
;
134 ri
->d
.ktri
= M_ASN1_new_of(CMS_KeyTransRecipientInfo
);
137 ri
->type
= CMS_RECIPINFO_TRANS
;
141 if (flags
& CMS_USE_KEYID
) {
143 idtype
= CMS_RECIPINFO_KEYIDENTIFIER
;
146 idtype
= CMS_RECIPINFO_ISSUER_SERIAL
;
150 * Not a typo: RecipientIdentifier and SignerIdentifier are the same
154 if (!cms_set1_SignerIdentifier(ktri
->rid
, recip
, idtype
))
163 if (flags
& CMS_KEY_PARAM
) {
164 ktri
->pctx
= EVP_PKEY_CTX_new(ktri
->pkey
, NULL
);
165 if (ktri
->pctx
== NULL
)
167 if (EVP_PKEY_encrypt_init(ktri
->pctx
) <= 0)
169 } else if (!cms_env_asn1_ctrl(ri
, 0))
175 * Add a recipient certificate using appropriate type of RecipientInfo
178 CMS_RecipientInfo
*CMS_add1_recipient_cert(CMS_ContentInfo
*cms
,
179 X509
*recip
, unsigned int flags
)
181 CMS_RecipientInfo
*ri
= NULL
;
182 CMS_EnvelopedData
*env
;
184 env
= cms_get0_enveloped(cms
);
188 /* Initialize recipient info */
189 ri
= M_ASN1_new_of(CMS_RecipientInfo
);
193 pk
= X509_get0_pubkey(recip
);
195 CMSerr(CMS_F_CMS_ADD1_RECIPIENT_CERT
, CMS_R_ERROR_GETTING_PUBLIC_KEY
);
199 switch (cms_pkey_get_ri_type(pk
)) {
201 case CMS_RECIPINFO_TRANS
:
202 if (!cms_RecipientInfo_ktri_init(ri
, recip
, pk
, flags
))
206 case CMS_RECIPINFO_AGREE
:
207 if (!cms_RecipientInfo_kari_init(ri
, recip
, pk
, flags
))
212 CMSerr(CMS_F_CMS_ADD1_RECIPIENT_CERT
,
213 CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE
);
218 if (!sk_CMS_RecipientInfo_push(env
->recipientInfos
, ri
))
224 CMSerr(CMS_F_CMS_ADD1_RECIPIENT_CERT
, ERR_R_MALLOC_FAILURE
);
226 M_ASN1_free_of(ri
, CMS_RecipientInfo
);
231 int CMS_RecipientInfo_ktri_get0_algs(CMS_RecipientInfo
*ri
,
232 EVP_PKEY
**pk
, X509
**recip
,
235 CMS_KeyTransRecipientInfo
*ktri
;
236 if (ri
->type
!= CMS_RECIPINFO_TRANS
) {
237 CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_GET0_ALGS
,
238 CMS_R_NOT_KEY_TRANSPORT
);
247 *recip
= ktri
->recip
;
249 *palg
= ktri
->keyEncryptionAlgorithm
;
253 int CMS_RecipientInfo_ktri_get0_signer_id(CMS_RecipientInfo
*ri
,
254 ASN1_OCTET_STRING
**keyid
,
258 CMS_KeyTransRecipientInfo
*ktri
;
259 if (ri
->type
!= CMS_RECIPINFO_TRANS
) {
260 CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_GET0_SIGNER_ID
,
261 CMS_R_NOT_KEY_TRANSPORT
);
266 return cms_SignerIdentifier_get0_signer_id(ktri
->rid
, keyid
, issuer
, sno
);
269 int CMS_RecipientInfo_ktri_cert_cmp(CMS_RecipientInfo
*ri
, X509
*cert
)
271 if (ri
->type
!= CMS_RECIPINFO_TRANS
) {
272 CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_CERT_CMP
,
273 CMS_R_NOT_KEY_TRANSPORT
);
276 return cms_SignerIdentifier_cert_cmp(ri
->d
.ktri
->rid
, cert
);
279 int CMS_RecipientInfo_set0_pkey(CMS_RecipientInfo
*ri
, EVP_PKEY
*pkey
)
281 if (ri
->type
!= CMS_RECIPINFO_TRANS
) {
282 CMSerr(CMS_F_CMS_RECIPIENTINFO_SET0_PKEY
, CMS_R_NOT_KEY_TRANSPORT
);
285 EVP_PKEY_free(ri
->d
.ktri
->pkey
);
286 ri
->d
.ktri
->pkey
= pkey
;
290 /* Encrypt content key in key transport recipient info */
292 static int cms_RecipientInfo_ktri_encrypt(const CMS_ContentInfo
*cms
,
293 CMS_RecipientInfo
*ri
)
295 CMS_KeyTransRecipientInfo
*ktri
;
296 CMS_EncryptedContentInfo
*ec
;
298 unsigned char *ek
= NULL
;
303 if (ri
->type
!= CMS_RECIPINFO_TRANS
) {
304 CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_ENCRYPT
, CMS_R_NOT_KEY_TRANSPORT
);
308 ec
= cms
->d
.envelopedData
->encryptedContentInfo
;
313 if (!cms_env_asn1_ctrl(ri
, 0))
316 pctx
= EVP_PKEY_CTX_new(ktri
->pkey
, NULL
);
320 if (EVP_PKEY_encrypt_init(pctx
) <= 0)
324 if (EVP_PKEY_CTX_ctrl(pctx
, -1, EVP_PKEY_OP_ENCRYPT
,
325 EVP_PKEY_CTRL_CMS_ENCRYPT
, 0, ri
) <= 0) {
326 CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_ENCRYPT
, CMS_R_CTRL_ERROR
);
330 if (EVP_PKEY_encrypt(pctx
, NULL
, &eklen
, ec
->key
, ec
->keylen
) <= 0)
333 ek
= OPENSSL_malloc(eklen
);
336 CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_ENCRYPT
, ERR_R_MALLOC_FAILURE
);
340 if (EVP_PKEY_encrypt(pctx
, ek
, &eklen
, ec
->key
, ec
->keylen
) <= 0)
343 ASN1_STRING_set0(ktri
->encryptedKey
, ek
, eklen
);
349 EVP_PKEY_CTX_free(pctx
);
356 /* Decrypt content key from KTRI */
358 static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo
*cms
,
359 CMS_RecipientInfo
*ri
)
361 CMS_KeyTransRecipientInfo
*ktri
= ri
->d
.ktri
;
362 EVP_PKEY
*pkey
= ktri
->pkey
;
363 unsigned char *ek
= NULL
;
367 CMS_EncryptedContentInfo
*ec
;
368 ec
= cms
->d
.envelopedData
->encryptedContentInfo
;
370 if (ktri
->pkey
== NULL
) {
371 CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT
, CMS_R_NO_PRIVATE_KEY
);
375 if (cms
->d
.envelopedData
->encryptedContentInfo
->havenocert
376 && !cms
->d
.envelopedData
->encryptedContentInfo
->debug
) {
377 X509_ALGOR
*calg
= ec
->contentEncryptionAlgorithm
;
378 const EVP_CIPHER
*ciph
= EVP_get_cipherbyobj(calg
->algorithm
);
381 CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT
, CMS_R_UNKNOWN_CIPHER
);
385 fixlen
= EVP_CIPHER_key_length(ciph
);
388 ktri
->pctx
= EVP_PKEY_CTX_new(pkey
, NULL
);
389 if (ktri
->pctx
== NULL
)
392 if (EVP_PKEY_decrypt_init(ktri
->pctx
) <= 0)
395 if (!cms_env_asn1_ctrl(ri
, 1))
398 if (EVP_PKEY_CTX_ctrl(ktri
->pctx
, -1, EVP_PKEY_OP_DECRYPT
,
399 EVP_PKEY_CTRL_CMS_DECRYPT
, 0, ri
) <= 0) {
400 CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT
, CMS_R_CTRL_ERROR
);
404 if (EVP_PKEY_decrypt(ktri
->pctx
, NULL
, &eklen
,
405 ktri
->encryptedKey
->data
,
406 ktri
->encryptedKey
->length
) <= 0)
409 ek
= OPENSSL_malloc(eklen
);
412 CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT
, ERR_R_MALLOC_FAILURE
);
416 if (EVP_PKEY_decrypt(ktri
->pctx
, ek
, &eklen
,
417 ktri
->encryptedKey
->data
,
418 ktri
->encryptedKey
->length
) <= 0
420 || (fixlen
!= 0 && eklen
!= fixlen
)) {
421 CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT
, CMS_R_CMS_LIB
);
427 OPENSSL_clear_free(ec
->key
, ec
->keylen
);
432 EVP_PKEY_CTX_free(ktri
->pctx
);
440 /* Key Encrypted Key (KEK) RecipientInfo routines */
442 int CMS_RecipientInfo_kekri_id_cmp(CMS_RecipientInfo
*ri
,
443 const unsigned char *id
, size_t idlen
)
445 ASN1_OCTET_STRING tmp_os
;
446 CMS_KEKRecipientInfo
*kekri
;
447 if (ri
->type
!= CMS_RECIPINFO_KEK
) {
448 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_ID_CMP
, CMS_R_NOT_KEK
);
452 tmp_os
.type
= V_ASN1_OCTET_STRING
;
454 tmp_os
.data
= (unsigned char *)id
;
455 tmp_os
.length
= (int)idlen
;
456 return ASN1_OCTET_STRING_cmp(&tmp_os
, kekri
->kekid
->keyIdentifier
);
459 /* For now hard code AES key wrap info */
461 static size_t aes_wrap_keylen(int nid
)
464 case NID_id_aes128_wrap
:
467 case NID_id_aes192_wrap
:
470 case NID_id_aes256_wrap
:
478 CMS_RecipientInfo
*CMS_add0_recipient_key(CMS_ContentInfo
*cms
, int nid
,
479 unsigned char *key
, size_t keylen
,
480 unsigned char *id
, size_t idlen
,
481 ASN1_GENERALIZEDTIME
*date
,
482 ASN1_OBJECT
*otherTypeId
,
483 ASN1_TYPE
*otherType
)
485 CMS_RecipientInfo
*ri
= NULL
;
486 CMS_EnvelopedData
*env
;
487 CMS_KEKRecipientInfo
*kekri
;
488 env
= cms_get0_enveloped(cms
);
492 if (nid
== NID_undef
) {
495 nid
= NID_id_aes128_wrap
;
499 nid
= NID_id_aes192_wrap
;
503 nid
= NID_id_aes256_wrap
;
507 CMSerr(CMS_F_CMS_ADD0_RECIPIENT_KEY
, CMS_R_INVALID_KEY_LENGTH
);
513 size_t exp_keylen
= aes_wrap_keylen(nid
);
516 CMSerr(CMS_F_CMS_ADD0_RECIPIENT_KEY
,
517 CMS_R_UNSUPPORTED_KEK_ALGORITHM
);
521 if (keylen
!= exp_keylen
) {
522 CMSerr(CMS_F_CMS_ADD0_RECIPIENT_KEY
, CMS_R_INVALID_KEY_LENGTH
);
528 /* Initialize recipient info */
529 ri
= M_ASN1_new_of(CMS_RecipientInfo
);
533 ri
->d
.kekri
= M_ASN1_new_of(CMS_KEKRecipientInfo
);
536 ri
->type
= CMS_RECIPINFO_KEK
;
541 kekri
->kekid
->other
= M_ASN1_new_of(CMS_OtherKeyAttribute
);
542 if (kekri
->kekid
->other
== NULL
)
546 if (!sk_CMS_RecipientInfo_push(env
->recipientInfos
, ri
))
549 /* After this point no calls can fail */
554 kekri
->keylen
= keylen
;
556 ASN1_STRING_set0(kekri
->kekid
->keyIdentifier
, id
, idlen
);
558 kekri
->kekid
->date
= date
;
560 if (kekri
->kekid
->other
) {
561 kekri
->kekid
->other
->keyAttrId
= otherTypeId
;
562 kekri
->kekid
->other
->keyAttr
= otherType
;
565 X509_ALGOR_set0(kekri
->keyEncryptionAlgorithm
,
566 OBJ_nid2obj(nid
), V_ASN1_UNDEF
, NULL
);
571 CMSerr(CMS_F_CMS_ADD0_RECIPIENT_KEY
, ERR_R_MALLOC_FAILURE
);
573 M_ASN1_free_of(ri
, CMS_RecipientInfo
);
578 int CMS_RecipientInfo_kekri_get0_id(CMS_RecipientInfo
*ri
,
580 ASN1_OCTET_STRING
**pid
,
581 ASN1_GENERALIZEDTIME
**pdate
,
582 ASN1_OBJECT
**potherid
,
583 ASN1_TYPE
**pothertype
)
585 CMS_KEKIdentifier
*rkid
;
586 if (ri
->type
!= CMS_RECIPINFO_KEK
) {
587 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_GET0_ID
, CMS_R_NOT_KEK
);
590 rkid
= ri
->d
.kekri
->kekid
;
592 *palg
= ri
->d
.kekri
->keyEncryptionAlgorithm
;
594 *pid
= rkid
->keyIdentifier
;
599 *potherid
= rkid
->other
->keyAttrId
;
605 *pothertype
= rkid
->other
->keyAttr
;
612 int CMS_RecipientInfo_set0_key(CMS_RecipientInfo
*ri
,
613 unsigned char *key
, size_t keylen
)
615 CMS_KEKRecipientInfo
*kekri
;
616 if (ri
->type
!= CMS_RECIPINFO_KEK
) {
617 CMSerr(CMS_F_CMS_RECIPIENTINFO_SET0_KEY
, CMS_R_NOT_KEK
);
623 kekri
->keylen
= keylen
;
627 /* Encrypt content key in KEK recipient info */
629 static int cms_RecipientInfo_kekri_encrypt(const CMS_ContentInfo
*cms
,
630 CMS_RecipientInfo
*ri
)
632 CMS_EncryptedContentInfo
*ec
;
633 CMS_KEKRecipientInfo
*kekri
;
635 unsigned char *wkey
= NULL
;
639 ec
= cms
->d
.envelopedData
->encryptedContentInfo
;
644 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_ENCRYPT
, CMS_R_NO_KEY
);
648 if (AES_set_encrypt_key(kekri
->key
, kekri
->keylen
<< 3, &actx
)) {
649 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_ENCRYPT
,
650 CMS_R_ERROR_SETTING_KEY
);
654 wkey
= OPENSSL_malloc(ec
->keylen
+ 8);
657 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_ENCRYPT
, ERR_R_MALLOC_FAILURE
);
661 wkeylen
= AES_wrap_key(&actx
, NULL
, wkey
, ec
->key
, ec
->keylen
);
664 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_ENCRYPT
, CMS_R_WRAP_ERROR
);
668 ASN1_STRING_set0(kekri
->encryptedKey
, wkey
, wkeylen
);
676 OPENSSL_cleanse(&actx
, sizeof(actx
));
682 /* Decrypt content key in KEK recipient info */
684 static int cms_RecipientInfo_kekri_decrypt(CMS_ContentInfo
*cms
,
685 CMS_RecipientInfo
*ri
)
687 CMS_EncryptedContentInfo
*ec
;
688 CMS_KEKRecipientInfo
*kekri
;
690 unsigned char *ukey
= NULL
;
694 ec
= cms
->d
.envelopedData
->encryptedContentInfo
;
699 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_DECRYPT
, CMS_R_NO_KEY
);
703 wrap_nid
= OBJ_obj2nid(kekri
->keyEncryptionAlgorithm
->algorithm
);
704 if (aes_wrap_keylen(wrap_nid
) != kekri
->keylen
) {
705 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_DECRYPT
,
706 CMS_R_INVALID_KEY_LENGTH
);
710 /* If encrypted key length is invalid don't bother */
712 if (kekri
->encryptedKey
->length
< 16) {
713 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_DECRYPT
,
714 CMS_R_INVALID_ENCRYPTED_KEY_LENGTH
);
718 if (AES_set_decrypt_key(kekri
->key
, kekri
->keylen
<< 3, &actx
)) {
719 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_DECRYPT
,
720 CMS_R_ERROR_SETTING_KEY
);
724 ukey
= OPENSSL_malloc(kekri
->encryptedKey
->length
- 8);
727 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_DECRYPT
, ERR_R_MALLOC_FAILURE
);
731 ukeylen
= AES_unwrap_key(&actx
, NULL
, ukey
,
732 kekri
->encryptedKey
->data
,
733 kekri
->encryptedKey
->length
);
736 CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_DECRYPT
, CMS_R_UNWRAP_ERROR
);
741 ec
->keylen
= ukeylen
;
749 OPENSSL_cleanse(&actx
, sizeof(actx
));
755 int CMS_RecipientInfo_decrypt(CMS_ContentInfo
*cms
, CMS_RecipientInfo
*ri
)
758 case CMS_RECIPINFO_TRANS
:
759 return cms_RecipientInfo_ktri_decrypt(cms
, ri
);
761 case CMS_RECIPINFO_KEK
:
762 return cms_RecipientInfo_kekri_decrypt(cms
, ri
);
764 case CMS_RECIPINFO_PASS
:
765 return cms_RecipientInfo_pwri_crypt(cms
, ri
, 0);
768 CMSerr(CMS_F_CMS_RECIPIENTINFO_DECRYPT
,
769 CMS_R_UNSUPPORTED_RECIPIENTINFO_TYPE
);
774 int CMS_RecipientInfo_encrypt(const CMS_ContentInfo
*cms
, CMS_RecipientInfo
*ri
)
777 case CMS_RECIPINFO_TRANS
:
778 return cms_RecipientInfo_ktri_encrypt(cms
, ri
);
780 case CMS_RECIPINFO_AGREE
:
781 return cms_RecipientInfo_kari_encrypt(cms
, ri
);
783 case CMS_RECIPINFO_KEK
:
784 return cms_RecipientInfo_kekri_encrypt(cms
, ri
);
786 case CMS_RECIPINFO_PASS
:
787 return cms_RecipientInfo_pwri_crypt(cms
, ri
, 1);
790 CMSerr(CMS_F_CMS_RECIPIENTINFO_ENCRYPT
,
791 CMS_R_UNSUPPORTED_RECIPIENT_TYPE
);
796 /* Check structures and fixup version numbers (if necessary) */
798 static void cms_env_set_originfo_version(CMS_EnvelopedData
*env
)
800 CMS_OriginatorInfo
*org
= env
->originatorInfo
;
804 for (i
= 0; i
< sk_CMS_CertificateChoices_num(org
->certificates
); i
++) {
805 CMS_CertificateChoices
*cch
;
806 cch
= sk_CMS_CertificateChoices_value(org
->certificates
, i
);
807 if (cch
->type
== CMS_CERTCHOICE_OTHER
) {
810 } else if (cch
->type
== CMS_CERTCHOICE_V2ACERT
) {
811 if (env
->version
< 3)
816 for (i
= 0; i
< sk_CMS_RevocationInfoChoice_num(org
->crls
); i
++) {
817 CMS_RevocationInfoChoice
*rch
;
818 rch
= sk_CMS_RevocationInfoChoice_value(org
->crls
, i
);
819 if (rch
->type
== CMS_REVCHOICE_OTHER
) {
826 static void cms_env_set_version(CMS_EnvelopedData
*env
)
829 CMS_RecipientInfo
*ri
;
832 * Can't set version higher than 4 so if 4 or more already nothing to do.
834 if (env
->version
>= 4)
837 cms_env_set_originfo_version(env
);
839 if (env
->version
>= 3)
842 for (i
= 0; i
< sk_CMS_RecipientInfo_num(env
->recipientInfos
); i
++) {
843 ri
= sk_CMS_RecipientInfo_value(env
->recipientInfos
, i
);
844 if (ri
->type
== CMS_RECIPINFO_PASS
|| ri
->type
== CMS_RECIPINFO_OTHER
) {
847 } else if (ri
->type
!= CMS_RECIPINFO_TRANS
848 || ri
->d
.ktri
->version
!= 0) {
852 if (env
->originatorInfo
|| env
->unprotectedAttrs
)
854 if (env
->version
== 2)
859 BIO
*cms_EnvelopedData_init_bio(const CMS_ContentInfo
*cms
)
861 CMS_EncryptedContentInfo
*ec
;
862 STACK_OF(CMS_RecipientInfo
) *rinfos
;
863 CMS_RecipientInfo
*ri
;
867 /* Get BIO first to set up key */
869 ec
= cms
->d
.envelopedData
->encryptedContentInfo
;
870 ret
= cms_EncryptedContent_init_bio(ec
);
872 /* If error or no cipher end of processing */
874 if (!ret
|| !ec
->cipher
)
877 /* Now encrypt content key according to each RecipientInfo type */
879 rinfos
= cms
->d
.envelopedData
->recipientInfos
;
881 for (i
= 0; i
< sk_CMS_RecipientInfo_num(rinfos
); i
++) {
882 ri
= sk_CMS_RecipientInfo_value(rinfos
, i
);
883 if (CMS_RecipientInfo_encrypt(cms
, ri
) <= 0) {
884 CMSerr(CMS_F_CMS_ENVELOPEDDATA_INIT_BIO
,
885 CMS_R_ERROR_SETTING_RECIPIENTINFO
);
889 cms_env_set_version(cms
->d
.envelopedData
);
895 OPENSSL_clear_free(ec
->key
, ec
->keylen
);
906 * Get RecipientInfo type (if any) supported by a key (public or private). To
907 * retain compatibility with previous behaviour if the ctrl value isn't
908 * supported we assume key transport.
910 int cms_pkey_get_ri_type(EVP_PKEY
*pk
)
912 if (pk
->ameth
&& pk
->ameth
->pkey_ctrl
) {
914 i
= pk
->ameth
->pkey_ctrl(pk
, ASN1_PKEY_CTRL_CMS_RI_TYPE
, 0, &r
);
918 return CMS_RECIPINFO_TRANS
;