2 * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 #include <openssl/rand.h>
12 #include <openssl/objects.h>
13 #include <openssl/x509.h>
14 #include <openssl/x509v3.h>
15 #include <openssl/err.h>
16 #include "internal/cryptlib.h"
17 #include "internal/sizes.h"
18 #include "pk7_local.h"
20 static int add_attribute(STACK_OF(X509_ATTRIBUTE
) **sk
, int nid
, int atrtype
,
22 static ASN1_TYPE
*get_attribute(const STACK_OF(X509_ATTRIBUTE
) *sk
, int nid
);
24 int PKCS7_type_is_other(PKCS7
*p7
)
28 int nid
= OBJ_obj2nid(p7
->type
);
32 case NID_pkcs7_signed
:
33 case NID_pkcs7_enveloped
:
34 case NID_pkcs7_signedAndEnveloped
:
35 case NID_pkcs7_digest
:
36 case NID_pkcs7_encrypted
:
47 ASN1_OCTET_STRING
*PKCS7_get_octet_string(PKCS7
*p7
)
49 if (PKCS7_type_is_data(p7
))
51 if (PKCS7_type_is_other(p7
) && p7
->d
.other
52 && (p7
->d
.other
->type
== V_ASN1_OCTET_STRING
))
53 return p7
->d
.other
->value
.octet_string
;
57 static int pkcs7_bio_add_digest(BIO
**pbio
, X509_ALGOR
*alg
,
61 char name
[OSSL_MAX_NAME_SIZE
];
62 EVP_MD
*fetched
= NULL
;
65 if ((btmp
= BIO_new(BIO_f_md())) == NULL
) {
66 ERR_raise(ERR_LIB_PKCS7
, ERR_R_BIO_LIB
);
70 OBJ_obj2txt(name
, sizeof(name
), alg
->algorithm
, 0);
73 fetched
= EVP_MD_fetch(ossl_pkcs7_ctx_get0_libctx(ctx
), name
,
74 ossl_pkcs7_ctx_get0_propq(ctx
));
78 md
= EVP_get_digestbyname(name
);
81 (void)ERR_clear_last_mark();
82 ERR_raise(ERR_LIB_PKCS7
, PKCS7_R_UNKNOWN_DIGEST_TYPE
);
85 (void)ERR_pop_to_mark();
91 else if (!BIO_push(*pbio
, btmp
)) {
92 ERR_raise(ERR_LIB_PKCS7
, ERR_R_BIO_LIB
);
104 static int pkcs7_encode_rinfo(PKCS7_RECIP_INFO
*ri
,
105 unsigned char *key
, int keylen
)
107 EVP_PKEY_CTX
*pctx
= NULL
;
108 EVP_PKEY
*pkey
= NULL
;
109 unsigned char *ek
= NULL
;
112 const PKCS7_CTX
*ctx
= ri
->ctx
;
114 pkey
= X509_get0_pubkey(ri
->cert
);
118 pctx
= EVP_PKEY_CTX_new_from_pkey(ossl_pkcs7_ctx_get0_libctx(ctx
), pkey
,
119 ossl_pkcs7_ctx_get0_propq(ctx
));
123 if (EVP_PKEY_encrypt_init(pctx
) <= 0)
126 if (EVP_PKEY_encrypt(pctx
, NULL
, &eklen
, key
, keylen
) <= 0)
129 ek
= OPENSSL_malloc(eklen
);
132 ERR_raise(ERR_LIB_PKCS7
, ERR_R_MALLOC_FAILURE
);
136 if (EVP_PKEY_encrypt(pctx
, ek
, &eklen
, key
, keylen
) <= 0)
139 ASN1_STRING_set0(ri
->enc_key
, ek
, eklen
);
145 EVP_PKEY_CTX_free(pctx
);
151 static int pkcs7_decrypt_rinfo(unsigned char **pek
, int *peklen
,
152 PKCS7_RECIP_INFO
*ri
, EVP_PKEY
*pkey
,
155 EVP_PKEY_CTX
*pctx
= NULL
;
156 unsigned char *ek
= NULL
;
159 const PKCS7_CTX
*ctx
= ri
->ctx
;
161 pctx
= EVP_PKEY_CTX_new_from_pkey(ossl_pkcs7_ctx_get0_libctx(ctx
), pkey
,
162 ossl_pkcs7_ctx_get0_propq(ctx
));
166 if (EVP_PKEY_decrypt_init(pctx
) <= 0)
169 if (EVP_PKEY_decrypt(pctx
, NULL
, &eklen
,
170 ri
->enc_key
->data
, ri
->enc_key
->length
) <= 0)
173 ek
= OPENSSL_malloc(eklen
);
176 ERR_raise(ERR_LIB_PKCS7
, ERR_R_MALLOC_FAILURE
);
180 if (EVP_PKEY_decrypt(pctx
, ek
, &eklen
,
181 ri
->enc_key
->data
, ri
->enc_key
->length
) <= 0
183 || (fixlen
!= 0 && eklen
!= fixlen
)) {
185 ERR_raise(ERR_LIB_PKCS7
, ERR_R_EVP_LIB
);
191 OPENSSL_clear_free(*pek
, *peklen
);
196 EVP_PKEY_CTX_free(pctx
);
203 BIO
*PKCS7_dataInit(PKCS7
*p7
, BIO
*bio
)
206 BIO
*out
= NULL
, *btmp
= NULL
;
207 X509_ALGOR
*xa
= NULL
;
208 EVP_CIPHER
*fetched_cipher
= NULL
;
209 const EVP_CIPHER
*cipher
;
210 const EVP_CIPHER
*evp_cipher
= NULL
;
211 STACK_OF(X509_ALGOR
) *md_sk
= NULL
;
212 STACK_OF(PKCS7_RECIP_INFO
) *rsk
= NULL
;
213 X509_ALGOR
*xalg
= NULL
;
214 PKCS7_RECIP_INFO
*ri
= NULL
;
215 ASN1_OCTET_STRING
*os
= NULL
;
216 const PKCS7_CTX
*p7_ctx
;
217 OSSL_LIB_CTX
*libctx
;
221 ERR_raise(ERR_LIB_PKCS7
, PKCS7_R_INVALID_NULL_POINTER
);
224 p7_ctx
= ossl_pkcs7_get0_ctx(p7
);
225 libctx
= ossl_pkcs7_ctx_get0_libctx(p7_ctx
);
226 propq
= ossl_pkcs7_ctx_get0_propq(p7_ctx
);
229 * The content field in the PKCS7 ContentInfo is optional, but that really
230 * only applies to inner content (precisely, detached signatures).
232 * When reading content, missing outer content is therefore treated as an
235 * When creating content, PKCS7_content_new() must be called before
236 * calling this method, so a NULL p7->d is always an error.
238 if (p7
->d
.ptr
== NULL
) {
239 ERR_raise(ERR_LIB_PKCS7
, PKCS7_R_NO_CONTENT
);
243 i
= OBJ_obj2nid(p7
->type
);
244 p7
->state
= PKCS7_S_HEADER
;
247 case NID_pkcs7_signed
:
248 md_sk
= p7
->d
.sign
->md_algs
;
249 os
= PKCS7_get_octet_string(p7
->d
.sign
->contents
);
251 case NID_pkcs7_signedAndEnveloped
:
252 rsk
= p7
->d
.signed_and_enveloped
->recipientinfo
;
253 md_sk
= p7
->d
.signed_and_enveloped
->md_algs
;
254 xalg
= p7
->d
.signed_and_enveloped
->enc_data
->algorithm
;
255 evp_cipher
= p7
->d
.signed_and_enveloped
->enc_data
->cipher
;
256 if (evp_cipher
== NULL
) {
257 ERR_raise(ERR_LIB_PKCS7
, PKCS7_R_CIPHER_NOT_INITIALIZED
);
261 case NID_pkcs7_enveloped
:
262 rsk
= p7
->d
.enveloped
->recipientinfo
;
263 xalg
= p7
->d
.enveloped
->enc_data
->algorithm
;
264 evp_cipher
= p7
->d
.enveloped
->enc_data
->cipher
;
265 if (evp_cipher
== NULL
) {
266 ERR_raise(ERR_LIB_PKCS7
, PKCS7_R_CIPHER_NOT_INITIALIZED
);
270 case NID_pkcs7_digest
:
271 xa
= p7
->d
.digest
->md
;
272 os
= PKCS7_get_octet_string(p7
->d
.digest
->contents
);
277 ERR_raise(ERR_LIB_PKCS7
, PKCS7_R_UNSUPPORTED_CONTENT_TYPE
);
281 for (i
= 0; i
< sk_X509_ALGOR_num(md_sk
); i
++)
282 if (!pkcs7_bio_add_digest(&out
, sk_X509_ALGOR_value(md_sk
, i
), p7_ctx
))
285 if (xa
&& !pkcs7_bio_add_digest(&out
, xa
, p7_ctx
))
288 if (evp_cipher
!= NULL
) {
289 unsigned char key
[EVP_MAX_KEY_LENGTH
];
290 unsigned char iv
[EVP_MAX_IV_LENGTH
];
294 if ((btmp
= BIO_new(BIO_f_cipher())) == NULL
) {
295 ERR_raise(ERR_LIB_PKCS7
, ERR_R_BIO_LIB
);
298 BIO_get_cipher_ctx(btmp
, &ctx
);
299 keylen
= EVP_CIPHER_get_key_length(evp_cipher
);
300 ivlen
= EVP_CIPHER_get_iv_length(evp_cipher
);
301 xalg
->algorithm
= OBJ_nid2obj(EVP_CIPHER_get_type(evp_cipher
));
303 if (RAND_bytes_ex(libctx
, iv
, ivlen
, 0) <= 0)
306 (void)ERR_set_mark();
307 fetched_cipher
= EVP_CIPHER_fetch(libctx
,
308 EVP_CIPHER_get0_name(evp_cipher
),
310 (void)ERR_pop_to_mark();
311 if (fetched_cipher
!= NULL
)
312 cipher
= fetched_cipher
;
316 if (EVP_CipherInit_ex(ctx
, cipher
, NULL
, NULL
, NULL
, 1) <= 0)
319 EVP_CIPHER_free(fetched_cipher
);
320 fetched_cipher
= NULL
;
322 if (EVP_CIPHER_CTX_rand_key(ctx
, key
) <= 0)
324 if (EVP_CipherInit_ex(ctx
, NULL
, NULL
, key
, iv
, 1) <= 0)
328 if (xalg
->parameter
== NULL
) {
329 xalg
->parameter
= ASN1_TYPE_new();
330 if (xalg
->parameter
== NULL
)
333 if (EVP_CIPHER_param_to_asn1(ctx
, xalg
->parameter
) < 0)
337 /* Lets do the pub key stuff :-) */
338 for (i
= 0; i
< sk_PKCS7_RECIP_INFO_num(rsk
); i
++) {
339 ri
= sk_PKCS7_RECIP_INFO_value(rsk
, i
);
340 if (pkcs7_encode_rinfo(ri
, key
, keylen
) <= 0)
343 OPENSSL_cleanse(key
, keylen
);
353 if (PKCS7_is_detached(p7
)) {
354 bio
= BIO_new(BIO_s_null());
355 } else if (os
&& os
->length
> 0) {
356 bio
= BIO_new_mem_buf(os
->data
, os
->length
);
358 bio
= BIO_new(BIO_s_mem());
361 BIO_set_mem_eof_return(bio
, 0);
373 EVP_CIPHER_free(fetched_cipher
);
379 static int pkcs7_cmp_ri(PKCS7_RECIP_INFO
*ri
, X509
*pcert
)
382 ret
= X509_NAME_cmp(ri
->issuer_and_serial
->issuer
,
383 X509_get_issuer_name(pcert
));
386 return ASN1_INTEGER_cmp(X509_get0_serialNumber(pcert
),
387 ri
->issuer_and_serial
->serial
);
391 BIO
*PKCS7_dataDecode(PKCS7
*p7
, EVP_PKEY
*pkey
, BIO
*in_bio
, X509
*pcert
)
394 BIO
*out
= NULL
, *btmp
= NULL
, *etmp
= NULL
, *bio
= NULL
;
396 ASN1_OCTET_STRING
*data_body
= NULL
;
397 EVP_MD
*evp_md
= NULL
;
399 EVP_CIPHER
*evp_cipher
= NULL
;
400 const EVP_CIPHER
*cipher
= NULL
;
401 EVP_CIPHER_CTX
*evp_ctx
= NULL
;
402 X509_ALGOR
*enc_alg
= NULL
;
403 STACK_OF(X509_ALGOR
) *md_sk
= NULL
;
404 STACK_OF(PKCS7_RECIP_INFO
) *rsk
= NULL
;
405 PKCS7_RECIP_INFO
*ri
= NULL
;
406 unsigned char *ek
= NULL
, *tkey
= NULL
;
407 int eklen
= 0, tkeylen
= 0;
408 char name
[OSSL_MAX_NAME_SIZE
];
409 const PKCS7_CTX
*p7_ctx
;
410 OSSL_LIB_CTX
*libctx
;
414 ERR_raise(ERR_LIB_PKCS7
, PKCS7_R_INVALID_NULL_POINTER
);
418 p7_ctx
= ossl_pkcs7_get0_ctx(p7
);
419 libctx
= ossl_pkcs7_ctx_get0_libctx(p7_ctx
);
420 propq
= ossl_pkcs7_ctx_get0_propq(p7_ctx
);
422 if (p7
->d
.ptr
== NULL
) {
423 ERR_raise(ERR_LIB_PKCS7
, PKCS7_R_NO_CONTENT
);
427 i
= OBJ_obj2nid(p7
->type
);
428 p7
->state
= PKCS7_S_HEADER
;
431 case NID_pkcs7_signed
:
433 * p7->d.sign->contents is a PKCS7 structure consisting of a contentType
434 * field and optional content.
435 * data_body is NULL if that structure has no (=detached) content
436 * or if the contentType is wrong (i.e., not "data").
438 data_body
= PKCS7_get_octet_string(p7
->d
.sign
->contents
);
439 if (!PKCS7_is_detached(p7
) && data_body
== NULL
) {
440 ERR_raise(ERR_LIB_PKCS7
, PKCS7_R_INVALID_SIGNED_DATA_TYPE
);
443 md_sk
= p7
->d
.sign
->md_algs
;
445 case NID_pkcs7_signedAndEnveloped
:
446 rsk
= p7
->d
.signed_and_enveloped
->recipientinfo
;
447 md_sk
= p7
->d
.signed_and_enveloped
->md_algs
;
448 /* data_body is NULL if the optional EncryptedContent is missing. */
449 data_body
= p7
->d
.signed_and_enveloped
->enc_data
->enc_data
;
450 enc_alg
= p7
->d
.signed_and_enveloped
->enc_data
->algorithm
;
452 OBJ_obj2txt(name
, sizeof(name
), enc_alg
->algorithm
, 0);
454 (void)ERR_set_mark();
455 evp_cipher
= EVP_CIPHER_fetch(libctx
, name
, propq
);
456 if (evp_cipher
!= NULL
)
459 cipher
= EVP_get_cipherbyname(name
);
461 if (cipher
== NULL
) {
462 (void)ERR_clear_last_mark();
463 ERR_raise(ERR_LIB_PKCS7
, PKCS7_R_UNSUPPORTED_CIPHER_TYPE
);
466 (void)ERR_pop_to_mark();
468 case NID_pkcs7_enveloped
:
469 rsk
= p7
->d
.enveloped
->recipientinfo
;
470 enc_alg
= p7
->d
.enveloped
->enc_data
->algorithm
;
471 /* data_body is NULL if the optional EncryptedContent is missing. */
472 data_body
= p7
->d
.enveloped
->enc_data
->enc_data
;
473 OBJ_obj2txt(name
, sizeof(name
), enc_alg
->algorithm
, 0);
475 (void)ERR_set_mark();
476 evp_cipher
= EVP_CIPHER_fetch(libctx
, name
, propq
);
477 if (evp_cipher
!= NULL
)
480 cipher
= EVP_get_cipherbyname(name
);
482 if (cipher
== NULL
) {
483 (void)ERR_clear_last_mark();
484 ERR_raise(ERR_LIB_PKCS7
, PKCS7_R_UNSUPPORTED_CIPHER_TYPE
);
487 (void)ERR_pop_to_mark();
490 ERR_raise(ERR_LIB_PKCS7
, PKCS7_R_UNSUPPORTED_CONTENT_TYPE
);
494 /* Detached content must be supplied via in_bio instead. */
495 if (data_body
== NULL
&& in_bio
== NULL
) {
496 ERR_raise(ERR_LIB_PKCS7
, PKCS7_R_NO_CONTENT
);
500 /* We will be checking the signature */
502 for (i
= 0; i
< sk_X509_ALGOR_num(md_sk
); i
++) {
503 xa
= sk_X509_ALGOR_value(md_sk
, i
);
504 if ((btmp
= BIO_new(BIO_f_md())) == NULL
) {
505 ERR_raise(ERR_LIB_PKCS7
, ERR_R_BIO_LIB
);
509 OBJ_obj2txt(name
, sizeof(name
), xa
->algorithm
, 0);
511 (void)ERR_set_mark();
512 evp_md
= EVP_MD_fetch(libctx
, name
, propq
);
516 md
= EVP_get_digestbyname(name
);
519 (void)ERR_clear_last_mark();
520 ERR_raise(ERR_LIB_PKCS7
, PKCS7_R_UNKNOWN_DIGEST_TYPE
);
523 (void)ERR_pop_to_mark();
525 BIO_set_md(btmp
, md
);
535 if (cipher
!= NULL
) {
536 if ((etmp
= BIO_new(BIO_f_cipher())) == NULL
) {
537 ERR_raise(ERR_LIB_PKCS7
, ERR_R_BIO_LIB
);
542 * It was encrypted, we need to decrypt the secret key with the
547 * Find the recipientInfo which matches the passed certificate (if
552 for (i
= 0; i
< sk_PKCS7_RECIP_INFO_num(rsk
); i
++) {
553 ri
= sk_PKCS7_RECIP_INFO_value(rsk
, i
);
554 if (!pkcs7_cmp_ri(ri
, pcert
))
559 ERR_raise(ERR_LIB_PKCS7
,
560 PKCS7_R_NO_RECIPIENT_MATCHES_CERTIFICATE
);
565 /* If we haven't got a certificate try each ri in turn */
568 * Always attempt to decrypt all rinfo even after success as a
569 * defence against MMA timing attacks.
571 for (i
= 0; i
< sk_PKCS7_RECIP_INFO_num(rsk
); i
++) {
572 ri
= sk_PKCS7_RECIP_INFO_value(rsk
, i
);
574 if (pkcs7_decrypt_rinfo(&ek
, &eklen
, ri
, pkey
,
575 EVP_CIPHER_get_key_length(cipher
)) < 0)
581 /* Only exit on fatal errors, not decrypt failure */
582 if (pkcs7_decrypt_rinfo(&ek
, &eklen
, ri
, pkey
, 0) < 0)
588 BIO_get_cipher_ctx(etmp
, &evp_ctx
);
589 if (EVP_CipherInit_ex(evp_ctx
, cipher
, NULL
, NULL
, NULL
, 0) <= 0)
591 if (EVP_CIPHER_asn1_to_param(evp_ctx
, enc_alg
->parameter
) < 0)
593 /* Generate random key as MMA defence */
594 len
= EVP_CIPHER_CTX_get_key_length(evp_ctx
);
597 tkeylen
= (size_t)len
;
598 tkey
= OPENSSL_malloc(tkeylen
);
601 if (EVP_CIPHER_CTX_rand_key(evp_ctx
, tkey
) <= 0)
609 if (eklen
!= EVP_CIPHER_CTX_get_key_length(evp_ctx
)) {
611 * Some S/MIME clients don't use the same key and effective key
612 * length. The key length is determined by the size of the
615 if (EVP_CIPHER_CTX_set_key_length(evp_ctx
, eklen
) <= 0) {
616 /* Use random key as MMA defence */
617 OPENSSL_clear_free(ek
, eklen
);
623 /* Clear errors so we don't leak information useful in MMA */
625 if (EVP_CipherInit_ex(evp_ctx
, NULL
, NULL
, ek
, NULL
, 0) <= 0)
628 OPENSSL_clear_free(ek
, eklen
);
630 OPENSSL_clear_free(tkey
, tkeylen
);
639 if (in_bio
!= NULL
) {
642 if (data_body
->length
> 0)
643 bio
= BIO_new_mem_buf(data_body
->data
, data_body
->length
);
645 bio
= BIO_new(BIO_s_mem());
648 BIO_set_mem_eof_return(bio
, 0);
655 EVP_CIPHER_free(evp_cipher
);
659 EVP_CIPHER_free(evp_cipher
);
660 OPENSSL_clear_free(ek
, eklen
);
661 OPENSSL_clear_free(tkey
, tkeylen
);
669 static BIO
*PKCS7_find_digest(EVP_MD_CTX
**pmd
, BIO
*bio
, int nid
)
672 bio
= BIO_find_type(bio
, BIO_TYPE_MD
);
674 ERR_raise(ERR_LIB_PKCS7
, PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST
);
677 BIO_get_md_ctx(bio
, pmd
);
679 ERR_raise(ERR_LIB_PKCS7
, ERR_R_INTERNAL_ERROR
);
682 if (EVP_MD_CTX_get_type(*pmd
) == nid
)
689 static int do_pkcs7_signed_attrib(PKCS7_SIGNER_INFO
*si
, EVP_MD_CTX
*mctx
)
691 unsigned char md_data
[EVP_MAX_MD_SIZE
];
694 /* Add signing time if not already present */
695 if (!PKCS7_get_signed_attribute(si
, NID_pkcs9_signingTime
)) {
696 if (!PKCS7_add0_attrib_signing_time(si
, NULL
)) {
697 ERR_raise(ERR_LIB_PKCS7
, ERR_R_MALLOC_FAILURE
);
703 if (!EVP_DigestFinal_ex(mctx
, md_data
, &md_len
)) {
704 ERR_raise(ERR_LIB_PKCS7
, ERR_R_EVP_LIB
);
707 if (!PKCS7_add1_attrib_digest(si
, md_data
, md_len
)) {
708 ERR_raise(ERR_LIB_PKCS7
, ERR_R_MALLOC_FAILURE
);
712 /* Now sign the attributes */
713 if (!PKCS7_SIGNER_INFO_sign(si
))
719 int PKCS7_dataFinal(PKCS7
*p7
, BIO
*bio
)
724 PKCS7_SIGNER_INFO
*si
;
725 EVP_MD_CTX
*mdc
, *ctx_tmp
;
726 STACK_OF(X509_ATTRIBUTE
) *sk
;
727 STACK_OF(PKCS7_SIGNER_INFO
) *si_sk
= NULL
;
728 ASN1_OCTET_STRING
*os
= NULL
;
729 const PKCS7_CTX
*p7_ctx
;
732 ERR_raise(ERR_LIB_PKCS7
, PKCS7_R_INVALID_NULL_POINTER
);
736 p7_ctx
= ossl_pkcs7_get0_ctx(p7
);
738 if (p7
->d
.ptr
== NULL
) {
739 ERR_raise(ERR_LIB_PKCS7
, PKCS7_R_NO_CONTENT
);
743 ctx_tmp
= EVP_MD_CTX_new();
744 if (ctx_tmp
== NULL
) {
745 ERR_raise(ERR_LIB_PKCS7
, ERR_R_MALLOC_FAILURE
);
749 i
= OBJ_obj2nid(p7
->type
);
750 p7
->state
= PKCS7_S_HEADER
;
756 case NID_pkcs7_signedAndEnveloped
:
757 /* XXXXXXXXXXXXXXXX */
758 si_sk
= p7
->d
.signed_and_enveloped
->signer_info
;
759 os
= p7
->d
.signed_and_enveloped
->enc_data
->enc_data
;
761 os
= ASN1_OCTET_STRING_new();
763 ERR_raise(ERR_LIB_PKCS7
, ERR_R_MALLOC_FAILURE
);
766 p7
->d
.signed_and_enveloped
->enc_data
->enc_data
= os
;
769 case NID_pkcs7_enveloped
:
770 /* XXXXXXXXXXXXXXXX */
771 os
= p7
->d
.enveloped
->enc_data
->enc_data
;
773 os
= ASN1_OCTET_STRING_new();
775 ERR_raise(ERR_LIB_PKCS7
, ERR_R_MALLOC_FAILURE
);
778 p7
->d
.enveloped
->enc_data
->enc_data
= os
;
781 case NID_pkcs7_signed
:
782 si_sk
= p7
->d
.sign
->signer_info
;
783 os
= PKCS7_get_octet_string(p7
->d
.sign
->contents
);
784 /* If detached data then the content is excluded */
785 if (PKCS7_type_is_data(p7
->d
.sign
->contents
) && p7
->detached
) {
786 ASN1_OCTET_STRING_free(os
);
788 p7
->d
.sign
->contents
->d
.data
= NULL
;
792 case NID_pkcs7_digest
:
793 os
= PKCS7_get_octet_string(p7
->d
.digest
->contents
);
794 /* If detached data then the content is excluded */
795 if (PKCS7_type_is_data(p7
->d
.digest
->contents
) && p7
->detached
) {
796 ASN1_OCTET_STRING_free(os
);
798 p7
->d
.digest
->contents
->d
.data
= NULL
;
803 ERR_raise(ERR_LIB_PKCS7
, PKCS7_R_UNSUPPORTED_CONTENT_TYPE
);
808 for (i
= 0; i
< sk_PKCS7_SIGNER_INFO_num(si_sk
); i
++) {
809 si
= sk_PKCS7_SIGNER_INFO_value(si_sk
, i
);
810 if (si
->pkey
== NULL
)
813 j
= OBJ_obj2nid(si
->digest_alg
->algorithm
);
817 btmp
= PKCS7_find_digest(&mdc
, btmp
, j
);
823 * We now have the EVP_MD_CTX, lets do the signing.
825 if (!EVP_MD_CTX_copy_ex(ctx_tmp
, mdc
))
831 * If there are attributes, we add the digest attribute and only
832 * sign the attributes
834 if (sk_X509_ATTRIBUTE_num(sk
) > 0) {
835 if (!do_pkcs7_signed_attrib(si
, ctx_tmp
))
838 unsigned char *abuf
= NULL
;
839 unsigned int abuflen
;
840 abuflen
= EVP_PKEY_get_size(si
->pkey
);
841 abuf
= OPENSSL_malloc(abuflen
);
845 if (!EVP_SignFinal_ex(ctx_tmp
, abuf
, &abuflen
, si
->pkey
,
846 ossl_pkcs7_ctx_get0_libctx(p7_ctx
),
847 ossl_pkcs7_ctx_get0_propq(p7_ctx
))) {
849 ERR_raise(ERR_LIB_PKCS7
, ERR_R_EVP_LIB
);
852 ASN1_STRING_set0(si
->enc_digest
, abuf
, abuflen
);
855 } else if (i
== NID_pkcs7_digest
) {
856 unsigned char md_data
[EVP_MAX_MD_SIZE
];
858 if (!PKCS7_find_digest(&mdc
, bio
,
859 OBJ_obj2nid(p7
->d
.digest
->md
->algorithm
)))
861 if (!EVP_DigestFinal_ex(mdc
, md_data
, &md_len
))
863 if (!ASN1_OCTET_STRING_set(p7
->d
.digest
->digest
, md_data
, md_len
))
867 if (!PKCS7_is_detached(p7
)) {
869 * NOTE(emilia): I think we only reach os == NULL here because detached
870 * digested data support is broken.
874 if (!(os
->flags
& ASN1_STRING_FLAG_NDEF
)) {
877 btmp
= BIO_find_type(bio
, BIO_TYPE_MEM
);
879 ERR_raise(ERR_LIB_PKCS7
, PKCS7_R_UNABLE_TO_FIND_MEM_BIO
);
882 contlen
= BIO_get_mem_data(btmp
, &cont
);
884 * Mark the BIO read only then we can use its copy of the data
885 * instead of making an extra copy.
887 BIO_set_flags(btmp
, BIO_FLAGS_MEM_RDONLY
);
888 BIO_set_mem_eof_return(btmp
, 0);
889 ASN1_STRING_set0(os
, (unsigned char *)cont
, contlen
);
894 EVP_MD_CTX_free(ctx_tmp
);
898 int PKCS7_SIGNER_INFO_sign(PKCS7_SIGNER_INFO
*si
)
901 EVP_PKEY_CTX
*pctx
= NULL
;
902 unsigned char *abuf
= NULL
;
905 const EVP_MD
*md
= NULL
;
906 const PKCS7_CTX
*ctx
= si
->ctx
;
908 md
= EVP_get_digestbyobj(si
->digest_alg
->algorithm
);
912 mctx
= EVP_MD_CTX_new();
914 ERR_raise(ERR_LIB_PKCS7
, ERR_R_MALLOC_FAILURE
);
918 if (EVP_DigestSignInit_ex(mctx
, &pctx
, EVP_MD_get0_name(md
),
919 ossl_pkcs7_ctx_get0_libctx(ctx
),
920 ossl_pkcs7_ctx_get0_propq(ctx
), si
->pkey
,
924 alen
= ASN1_item_i2d((ASN1_VALUE
*)si
->auth_attr
, &abuf
,
925 ASN1_ITEM_rptr(PKCS7_ATTR_SIGN
));
928 if (EVP_DigestSignUpdate(mctx
, abuf
, alen
) <= 0)
932 if (EVP_DigestSignFinal(mctx
, NULL
, &siglen
) <= 0)
934 abuf
= OPENSSL_malloc(siglen
);
937 if (EVP_DigestSignFinal(mctx
, abuf
, &siglen
) <= 0)
940 EVP_MD_CTX_free(mctx
);
942 ASN1_STRING_set0(si
->enc_digest
, abuf
, siglen
);
948 EVP_MD_CTX_free(mctx
);
952 /* This partly overlaps with PKCS7_verify(). It does not support flags. */
953 int PKCS7_dataVerify(X509_STORE
*cert_store
, X509_STORE_CTX
*ctx
, BIO
*bio
,
954 PKCS7
*p7
, PKCS7_SIGNER_INFO
*si
)
956 PKCS7_ISSUER_AND_SERIAL
*ias
;
958 STACK_OF(X509
) *untrusted
;
959 STACK_OF(X509_CRL
) *crls
;
963 ERR_raise(ERR_LIB_PKCS7
, PKCS7_R_INVALID_NULL_POINTER
);
967 if (p7
->d
.ptr
== NULL
) {
968 ERR_raise(ERR_LIB_PKCS7
, PKCS7_R_NO_CONTENT
);
972 if (PKCS7_type_is_signed(p7
)) {
973 untrusted
= p7
->d
.sign
->cert
;
974 crls
= p7
->d
.sign
->crl
;
975 } else if (PKCS7_type_is_signedAndEnveloped(p7
)) {
976 untrusted
= p7
->d
.signed_and_enveloped
->cert
;
977 crls
= p7
->d
.signed_and_enveloped
->crl
;
979 ERR_raise(ERR_LIB_PKCS7
, PKCS7_R_WRONG_PKCS7_TYPE
);
982 X509_STORE_CTX_set0_crls(ctx
, crls
);
984 /* XXXXXXXXXXXXXXXXXXXXXXX */
985 ias
= si
->issuer_and_serial
;
987 signer
= X509_find_by_issuer_and_serial(untrusted
, ias
->issuer
, ias
->serial
);
989 /* Were we able to find the signer certificate in passed to us? */
990 if (signer
== NULL
) {
991 ERR_raise(ERR_LIB_PKCS7
, PKCS7_R_UNABLE_TO_FIND_CERTIFICATE
);
996 if (!X509_STORE_CTX_init(ctx
, cert_store
, signer
, untrusted
)) {
997 ERR_raise(ERR_LIB_PKCS7
, ERR_R_X509_LIB
);
1000 X509_STORE_CTX_set_purpose(ctx
, X509_PURPOSE_SMIME_SIGN
);
1001 i
= X509_verify_cert(ctx
);
1003 ERR_raise(ERR_LIB_PKCS7
, ERR_R_X509_LIB
);
1007 return PKCS7_signatureVerify(bio
, p7
, si
, signer
);
1012 int PKCS7_signatureVerify(BIO
*bio
, PKCS7
*p7
, PKCS7_SIGNER_INFO
*si
,
1015 ASN1_OCTET_STRING
*os
;
1016 EVP_MD_CTX
*mdc_tmp
, *mdc
;
1018 EVP_MD
*fetched_md
= NULL
;
1021 STACK_OF(X509_ATTRIBUTE
) *sk
;
1024 const PKCS7_CTX
*ctx
= ossl_pkcs7_get0_ctx(p7
);
1025 OSSL_LIB_CTX
*libctx
= ossl_pkcs7_ctx_get0_libctx(ctx
);
1026 const char *propq
= ossl_pkcs7_ctx_get0_propq(ctx
);
1028 mdc_tmp
= EVP_MD_CTX_new();
1029 if (mdc_tmp
== NULL
) {
1030 ERR_raise(ERR_LIB_PKCS7
, ERR_R_MALLOC_FAILURE
);
1034 if (!PKCS7_type_is_signed(p7
) && !PKCS7_type_is_signedAndEnveloped(p7
)) {
1035 ERR_raise(ERR_LIB_PKCS7
, PKCS7_R_WRONG_PKCS7_TYPE
);
1039 md_type
= OBJ_obj2nid(si
->digest_alg
->algorithm
);
1043 if ((btmp
== NULL
) ||
1044 ((btmp
= BIO_find_type(btmp
, BIO_TYPE_MD
)) == NULL
)) {
1045 ERR_raise(ERR_LIB_PKCS7
, PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST
);
1048 BIO_get_md_ctx(btmp
, &mdc
);
1050 ERR_raise(ERR_LIB_PKCS7
, ERR_R_INTERNAL_ERROR
);
1053 if (EVP_MD_CTX_get_type(mdc
) == md_type
)
1056 * Workaround for some broken clients that put the signature OID
1057 * instead of the digest OID in digest_alg->algorithm
1059 if (EVP_MD_get_pkey_type(EVP_MD_CTX_get0_md(mdc
)) == md_type
)
1061 btmp
= BIO_next(btmp
);
1065 * mdc is the digest ctx that we want, unless there are attributes, in
1066 * which case the digest is the signed attributes
1068 if (!EVP_MD_CTX_copy_ex(mdc_tmp
, mdc
))
1072 if ((sk
!= NULL
) && (sk_X509_ATTRIBUTE_num(sk
) != 0)) {
1073 unsigned char md_dat
[EVP_MAX_MD_SIZE
], *abuf
= NULL
;
1074 unsigned int md_len
;
1076 ASN1_OCTET_STRING
*message_digest
;
1078 if (!EVP_DigestFinal_ex(mdc_tmp
, md_dat
, &md_len
))
1080 message_digest
= PKCS7_digest_from_attributes(sk
);
1081 if (!message_digest
) {
1082 ERR_raise(ERR_LIB_PKCS7
, PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST
);
1085 if ((message_digest
->length
!= (int)md_len
) ||
1086 (memcmp(message_digest
->data
, md_dat
, md_len
))) {
1087 ERR_raise(ERR_LIB_PKCS7
, PKCS7_R_DIGEST_FAILURE
);
1092 (void)ERR_set_mark();
1093 fetched_md
= EVP_MD_fetch(libctx
, OBJ_nid2sn(md_type
), propq
);
1095 if (fetched_md
!= NULL
)
1098 md
= EVP_get_digestbynid(md_type
);
1100 if (md
== NULL
|| !EVP_VerifyInit_ex(mdc_tmp
, md
, NULL
)) {
1101 (void)ERR_clear_last_mark();
1104 (void)ERR_pop_to_mark();
1106 alen
= ASN1_item_i2d((ASN1_VALUE
*)sk
, &abuf
,
1107 ASN1_ITEM_rptr(PKCS7_ATTR_VERIFY
));
1109 ERR_raise(ERR_LIB_PKCS7
, ERR_R_ASN1_LIB
);
1113 if (!EVP_VerifyUpdate(mdc_tmp
, abuf
, alen
))
1119 os
= si
->enc_digest
;
1120 pkey
= X509_get0_pubkey(signer
);
1126 i
= EVP_VerifyFinal_ex(mdc_tmp
, os
->data
, os
->length
, pkey
, libctx
, propq
);
1128 ERR_raise(ERR_LIB_PKCS7
, PKCS7_R_SIGNATURE_FAILURE
);
1134 EVP_MD_CTX_free(mdc_tmp
);
1135 EVP_MD_free(fetched_md
);
1139 PKCS7_ISSUER_AND_SERIAL
*PKCS7_get_issuer_and_serial(PKCS7
*p7
, int idx
)
1141 STACK_OF(PKCS7_RECIP_INFO
) *rsk
;
1142 PKCS7_RECIP_INFO
*ri
;
1145 i
= OBJ_obj2nid(p7
->type
);
1146 if (i
!= NID_pkcs7_signedAndEnveloped
)
1148 if (p7
->d
.signed_and_enveloped
== NULL
)
1150 rsk
= p7
->d
.signed_and_enveloped
->recipientinfo
;
1153 if (sk_PKCS7_RECIP_INFO_num(rsk
) <= idx
)
1155 ri
= sk_PKCS7_RECIP_INFO_value(rsk
, idx
);
1156 return ri
->issuer_and_serial
;
1159 ASN1_TYPE
*PKCS7_get_signed_attribute(const PKCS7_SIGNER_INFO
*si
, int nid
)
1161 return get_attribute(si
->auth_attr
, nid
);
1164 ASN1_TYPE
*PKCS7_get_attribute(const PKCS7_SIGNER_INFO
*si
, int nid
)
1166 return get_attribute(si
->unauth_attr
, nid
);
1169 static ASN1_TYPE
*get_attribute(const STACK_OF(X509_ATTRIBUTE
) *sk
, int nid
)
1171 int idx
= X509at_get_attr_by_NID(sk
, nid
, -1);
1175 return X509_ATTRIBUTE_get0_type(X509at_get_attr(sk
, idx
), 0);
1178 ASN1_OCTET_STRING
*PKCS7_digest_from_attributes(STACK_OF(X509_ATTRIBUTE
) *sk
)
1181 if ((astype
= get_attribute(sk
, NID_pkcs9_messageDigest
)) == NULL
)
1183 return astype
->value
.octet_string
;
1186 int PKCS7_set_signed_attributes(PKCS7_SIGNER_INFO
*p7si
,
1187 STACK_OF(X509_ATTRIBUTE
) *sk
)
1191 sk_X509_ATTRIBUTE_pop_free(p7si
->auth_attr
, X509_ATTRIBUTE_free
);
1192 p7si
->auth_attr
= sk_X509_ATTRIBUTE_dup(sk
);
1193 if (p7si
->auth_attr
== NULL
)
1195 for (i
= 0; i
< sk_X509_ATTRIBUTE_num(sk
); i
++) {
1196 if ((sk_X509_ATTRIBUTE_set(p7si
->auth_attr
, i
,
1197 X509_ATTRIBUTE_dup(sk_X509_ATTRIBUTE_value
1205 int PKCS7_set_attributes(PKCS7_SIGNER_INFO
*p7si
,
1206 STACK_OF(X509_ATTRIBUTE
) *sk
)
1210 sk_X509_ATTRIBUTE_pop_free(p7si
->unauth_attr
, X509_ATTRIBUTE_free
);
1211 p7si
->unauth_attr
= sk_X509_ATTRIBUTE_dup(sk
);
1212 if (p7si
->unauth_attr
== NULL
)
1214 for (i
= 0; i
< sk_X509_ATTRIBUTE_num(sk
); i
++) {
1215 if ((sk_X509_ATTRIBUTE_set(p7si
->unauth_attr
, i
,
1216 X509_ATTRIBUTE_dup(sk_X509_ATTRIBUTE_value
1224 int PKCS7_add_signed_attribute(PKCS7_SIGNER_INFO
*p7si
, int nid
, int atrtype
,
1227 return add_attribute(&(p7si
->auth_attr
), nid
, atrtype
, value
);
1230 int PKCS7_add_attribute(PKCS7_SIGNER_INFO
*p7si
, int nid
, int atrtype
,
1233 return add_attribute(&(p7si
->unauth_attr
), nid
, atrtype
, value
);
1236 static int add_attribute(STACK_OF(X509_ATTRIBUTE
) **sk
, int nid
, int atrtype
,
1239 X509_ATTRIBUTE
*attr
= NULL
;
1242 if ((*sk
= sk_X509_ATTRIBUTE_new_null()) == NULL
)
1245 if ((attr
= X509_ATTRIBUTE_create(nid
, atrtype
, value
)) == NULL
)
1247 if (!sk_X509_ATTRIBUTE_push(*sk
, attr
)) {
1248 X509_ATTRIBUTE_free(attr
);
1254 for (i
= 0; i
< sk_X509_ATTRIBUTE_num(*sk
); i
++) {
1255 attr
= sk_X509_ATTRIBUTE_value(*sk
, i
);
1256 if (OBJ_obj2nid(X509_ATTRIBUTE_get0_object(attr
)) == nid
) {
1257 X509_ATTRIBUTE_free(attr
);
1258 attr
= X509_ATTRIBUTE_create(nid
, atrtype
, value
);
1261 if (!sk_X509_ATTRIBUTE_set(*sk
, i
, attr
)) {
1262 X509_ATTRIBUTE_free(attr
);