2 * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 #include "internal/cryptlib.h"
12 #include <openssl/rand.h>
13 #include <openssl/objects.h>
14 #include <openssl/x509.h>
15 #include <openssl/x509v3.h>
16 #include <openssl/err.h>
18 static int add_attribute(STACK_OF(X509_ATTRIBUTE
) **sk
, int nid
, int atrtype
,
20 static ASN1_TYPE
*get_attribute(STACK_OF(X509_ATTRIBUTE
) *sk
, int nid
);
22 static int PKCS7_type_is_other(PKCS7
*p7
)
26 int nid
= OBJ_obj2nid(p7
->type
);
30 case NID_pkcs7_signed
:
31 case NID_pkcs7_enveloped
:
32 case NID_pkcs7_signedAndEnveloped
:
33 case NID_pkcs7_digest
:
34 case NID_pkcs7_encrypted
:
45 static ASN1_OCTET_STRING
*PKCS7_get_octet_string(PKCS7
*p7
)
47 if (PKCS7_type_is_data(p7
))
49 if (PKCS7_type_is_other(p7
) && p7
->d
.other
50 && (p7
->d
.other
->type
== V_ASN1_OCTET_STRING
))
51 return p7
->d
.other
->value
.octet_string
;
55 static int PKCS7_bio_add_digest(BIO
**pbio
, X509_ALGOR
*alg
)
59 if ((btmp
= BIO_new(BIO_f_md())) == NULL
) {
60 PKCS7err(PKCS7_F_PKCS7_BIO_ADD_DIGEST
, ERR_R_BIO_LIB
);
64 md
= EVP_get_digestbyobj(alg
->algorithm
);
66 PKCS7err(PKCS7_F_PKCS7_BIO_ADD_DIGEST
, PKCS7_R_UNKNOWN_DIGEST_TYPE
);
73 else if (!BIO_push(*pbio
, btmp
)) {
74 PKCS7err(PKCS7_F_PKCS7_BIO_ADD_DIGEST
, ERR_R_BIO_LIB
);
87 static int pkcs7_encode_rinfo(PKCS7_RECIP_INFO
*ri
,
88 unsigned char *key
, int keylen
)
90 EVP_PKEY_CTX
*pctx
= NULL
;
91 EVP_PKEY
*pkey
= NULL
;
92 unsigned char *ek
= NULL
;
96 pkey
= X509_get0_pubkey(ri
->cert
);
101 pctx
= EVP_PKEY_CTX_new(pkey
, NULL
);
105 if (EVP_PKEY_encrypt_init(pctx
) <= 0)
108 if (EVP_PKEY_CTX_ctrl(pctx
, -1, EVP_PKEY_OP_ENCRYPT
,
109 EVP_PKEY_CTRL_PKCS7_ENCRYPT
, 0, ri
) <= 0) {
110 PKCS7err(PKCS7_F_PKCS7_ENCODE_RINFO
, PKCS7_R_CTRL_ERROR
);
114 if (EVP_PKEY_encrypt(pctx
, NULL
, &eklen
, key
, keylen
) <= 0)
117 ek
= OPENSSL_malloc(eklen
);
120 PKCS7err(PKCS7_F_PKCS7_ENCODE_RINFO
, ERR_R_MALLOC_FAILURE
);
124 if (EVP_PKEY_encrypt(pctx
, ek
, &eklen
, key
, keylen
) <= 0)
127 ASN1_STRING_set0(ri
->enc_key
, ek
, eklen
);
133 EVP_PKEY_CTX_free(pctx
);
139 static int pkcs7_decrypt_rinfo(unsigned char **pek
, int *peklen
,
140 PKCS7_RECIP_INFO
*ri
, EVP_PKEY
*pkey
)
142 EVP_PKEY_CTX
*pctx
= NULL
;
143 unsigned char *ek
= NULL
;
148 pctx
= EVP_PKEY_CTX_new(pkey
, NULL
);
152 if (EVP_PKEY_decrypt_init(pctx
) <= 0)
155 if (EVP_PKEY_CTX_ctrl(pctx
, -1, EVP_PKEY_OP_DECRYPT
,
156 EVP_PKEY_CTRL_PKCS7_DECRYPT
, 0, ri
) <= 0) {
157 PKCS7err(PKCS7_F_PKCS7_DECRYPT_RINFO
, PKCS7_R_CTRL_ERROR
);
161 if (EVP_PKEY_decrypt(pctx
, NULL
, &eklen
,
162 ri
->enc_key
->data
, ri
->enc_key
->length
) <= 0)
165 ek
= OPENSSL_malloc(eklen
);
168 PKCS7err(PKCS7_F_PKCS7_DECRYPT_RINFO
, ERR_R_MALLOC_FAILURE
);
172 if (EVP_PKEY_decrypt(pctx
, ek
, &eklen
,
173 ri
->enc_key
->data
, ri
->enc_key
->length
) <= 0) {
175 PKCS7err(PKCS7_F_PKCS7_DECRYPT_RINFO
, ERR_R_EVP_LIB
);
181 OPENSSL_clear_free(*pek
, *peklen
);
186 EVP_PKEY_CTX_free(pctx
);
193 BIO
*PKCS7_dataInit(PKCS7
*p7
, BIO
*bio
)
196 BIO
*out
= NULL
, *btmp
= NULL
;
197 X509_ALGOR
*xa
= NULL
;
198 const EVP_CIPHER
*evp_cipher
= NULL
;
199 STACK_OF(X509_ALGOR
) *md_sk
= NULL
;
200 STACK_OF(PKCS7_RECIP_INFO
) *rsk
= NULL
;
201 X509_ALGOR
*xalg
= NULL
;
202 PKCS7_RECIP_INFO
*ri
= NULL
;
203 ASN1_OCTET_STRING
*os
= NULL
;
206 PKCS7err(PKCS7_F_PKCS7_DATAINIT
, PKCS7_R_INVALID_NULL_POINTER
);
210 * The content field in the PKCS7 ContentInfo is optional, but that really
211 * only applies to inner content (precisely, detached signatures).
213 * When reading content, missing outer content is therefore treated as an
216 * When creating content, PKCS7_content_new() must be called before
217 * calling this method, so a NULL p7->d is always an error.
219 if (p7
->d
.ptr
== NULL
) {
220 PKCS7err(PKCS7_F_PKCS7_DATAINIT
, PKCS7_R_NO_CONTENT
);
224 i
= OBJ_obj2nid(p7
->type
);
225 p7
->state
= PKCS7_S_HEADER
;
228 case NID_pkcs7_signed
:
229 md_sk
= p7
->d
.sign
->md_algs
;
230 os
= PKCS7_get_octet_string(p7
->d
.sign
->contents
);
232 case NID_pkcs7_signedAndEnveloped
:
233 rsk
= p7
->d
.signed_and_enveloped
->recipientinfo
;
234 md_sk
= p7
->d
.signed_and_enveloped
->md_algs
;
235 xalg
= p7
->d
.signed_and_enveloped
->enc_data
->algorithm
;
236 evp_cipher
= p7
->d
.signed_and_enveloped
->enc_data
->cipher
;
237 if (evp_cipher
== NULL
) {
238 PKCS7err(PKCS7_F_PKCS7_DATAINIT
, PKCS7_R_CIPHER_NOT_INITIALIZED
);
242 case NID_pkcs7_enveloped
:
243 rsk
= p7
->d
.enveloped
->recipientinfo
;
244 xalg
= p7
->d
.enveloped
->enc_data
->algorithm
;
245 evp_cipher
= p7
->d
.enveloped
->enc_data
->cipher
;
246 if (evp_cipher
== NULL
) {
247 PKCS7err(PKCS7_F_PKCS7_DATAINIT
, PKCS7_R_CIPHER_NOT_INITIALIZED
);
251 case NID_pkcs7_digest
:
252 xa
= p7
->d
.digest
->md
;
253 os
= PKCS7_get_octet_string(p7
->d
.digest
->contents
);
258 PKCS7err(PKCS7_F_PKCS7_DATAINIT
, PKCS7_R_UNSUPPORTED_CONTENT_TYPE
);
262 for (i
= 0; i
< sk_X509_ALGOR_num(md_sk
); i
++)
263 if (!PKCS7_bio_add_digest(&out
, sk_X509_ALGOR_value(md_sk
, i
)))
266 if (xa
&& !PKCS7_bio_add_digest(&out
, xa
))
269 if (evp_cipher
!= NULL
) {
270 unsigned char key
[EVP_MAX_KEY_LENGTH
];
271 unsigned char iv
[EVP_MAX_IV_LENGTH
];
275 if ((btmp
= BIO_new(BIO_f_cipher())) == NULL
) {
276 PKCS7err(PKCS7_F_PKCS7_DATAINIT
, ERR_R_BIO_LIB
);
279 BIO_get_cipher_ctx(btmp
, &ctx
);
280 keylen
= EVP_CIPHER_key_length(evp_cipher
);
281 ivlen
= EVP_CIPHER_iv_length(evp_cipher
);
282 xalg
->algorithm
= OBJ_nid2obj(EVP_CIPHER_type(evp_cipher
));
284 if (RAND_bytes(iv
, ivlen
) <= 0)
286 if (EVP_CipherInit_ex(ctx
, evp_cipher
, NULL
, NULL
, NULL
, 1) <= 0)
288 if (EVP_CIPHER_CTX_rand_key(ctx
, key
) <= 0)
290 if (EVP_CipherInit_ex(ctx
, NULL
, NULL
, key
, iv
, 1) <= 0)
294 if (xalg
->parameter
== NULL
) {
295 xalg
->parameter
= ASN1_TYPE_new();
296 if (xalg
->parameter
== NULL
)
299 if (EVP_CIPHER_param_to_asn1(ctx
, xalg
->parameter
) < 0)
303 /* Lets do the pub key stuff :-) */
304 for (i
= 0; i
< sk_PKCS7_RECIP_INFO_num(rsk
); i
++) {
305 ri
= sk_PKCS7_RECIP_INFO_value(rsk
, i
);
306 if (pkcs7_encode_rinfo(ri
, key
, keylen
) <= 0)
309 OPENSSL_cleanse(key
, keylen
);
319 if (PKCS7_is_detached(p7
)) {
320 bio
= BIO_new(BIO_s_null());
321 } else if (os
&& os
->length
> 0) {
322 bio
= BIO_new_mem_buf(os
->data
, os
->length
);
324 bio
= BIO_new(BIO_s_mem());
327 BIO_set_mem_eof_return(bio
, 0);
344 static int pkcs7_cmp_ri(PKCS7_RECIP_INFO
*ri
, X509
*pcert
)
347 ret
= X509_NAME_cmp(ri
->issuer_and_serial
->issuer
,
348 X509_get_issuer_name(pcert
));
351 return ASN1_INTEGER_cmp(X509_get_serialNumber(pcert
),
352 ri
->issuer_and_serial
->serial
);
356 BIO
*PKCS7_dataDecode(PKCS7
*p7
, EVP_PKEY
*pkey
, BIO
*in_bio
, X509
*pcert
)
359 BIO
*out
= NULL
, *btmp
= NULL
, *etmp
= NULL
, *bio
= NULL
;
361 ASN1_OCTET_STRING
*data_body
= NULL
;
362 const EVP_MD
*evp_md
;
363 const EVP_CIPHER
*evp_cipher
= NULL
;
364 EVP_CIPHER_CTX
*evp_ctx
= NULL
;
365 X509_ALGOR
*enc_alg
= NULL
;
366 STACK_OF(X509_ALGOR
) *md_sk
= NULL
;
367 STACK_OF(PKCS7_RECIP_INFO
) *rsk
= NULL
;
368 PKCS7_RECIP_INFO
*ri
= NULL
;
369 unsigned char *ek
= NULL
, *tkey
= NULL
;
370 int eklen
= 0, tkeylen
= 0;
373 PKCS7err(PKCS7_F_PKCS7_DATADECODE
, PKCS7_R_INVALID_NULL_POINTER
);
377 if (p7
->d
.ptr
== NULL
) {
378 PKCS7err(PKCS7_F_PKCS7_DATADECODE
, PKCS7_R_NO_CONTENT
);
382 i
= OBJ_obj2nid(p7
->type
);
383 p7
->state
= PKCS7_S_HEADER
;
386 case NID_pkcs7_signed
:
388 * p7->d.sign->contents is a PKCS7 structure consisting of a contentType
389 * field and optional content.
390 * data_body is NULL if that structure has no (=detached) content
391 * or if the contentType is wrong (i.e., not "data").
393 data_body
= PKCS7_get_octet_string(p7
->d
.sign
->contents
);
394 if (!PKCS7_is_detached(p7
) && data_body
== NULL
) {
395 PKCS7err(PKCS7_F_PKCS7_DATADECODE
,
396 PKCS7_R_INVALID_SIGNED_DATA_TYPE
);
399 md_sk
= p7
->d
.sign
->md_algs
;
401 case NID_pkcs7_signedAndEnveloped
:
402 rsk
= p7
->d
.signed_and_enveloped
->recipientinfo
;
403 md_sk
= p7
->d
.signed_and_enveloped
->md_algs
;
404 /* data_body is NULL if the optional EncryptedContent is missing. */
405 data_body
= p7
->d
.signed_and_enveloped
->enc_data
->enc_data
;
406 enc_alg
= p7
->d
.signed_and_enveloped
->enc_data
->algorithm
;
407 evp_cipher
= EVP_get_cipherbyobj(enc_alg
->algorithm
);
408 if (evp_cipher
== NULL
) {
409 PKCS7err(PKCS7_F_PKCS7_DATADECODE
,
410 PKCS7_R_UNSUPPORTED_CIPHER_TYPE
);
414 case NID_pkcs7_enveloped
:
415 rsk
= p7
->d
.enveloped
->recipientinfo
;
416 enc_alg
= p7
->d
.enveloped
->enc_data
->algorithm
;
417 /* data_body is NULL if the optional EncryptedContent is missing. */
418 data_body
= p7
->d
.enveloped
->enc_data
->enc_data
;
419 evp_cipher
= EVP_get_cipherbyobj(enc_alg
->algorithm
);
420 if (evp_cipher
== NULL
) {
421 PKCS7err(PKCS7_F_PKCS7_DATADECODE
,
422 PKCS7_R_UNSUPPORTED_CIPHER_TYPE
);
427 PKCS7err(PKCS7_F_PKCS7_DATADECODE
, PKCS7_R_UNSUPPORTED_CONTENT_TYPE
);
431 /* Detached content must be supplied via in_bio instead. */
432 if (data_body
== NULL
&& in_bio
== NULL
) {
433 PKCS7err(PKCS7_F_PKCS7_DATADECODE
, PKCS7_R_NO_CONTENT
);
437 /* We will be checking the signature */
439 for (i
= 0; i
< sk_X509_ALGOR_num(md_sk
); i
++) {
440 xa
= sk_X509_ALGOR_value(md_sk
, i
);
441 if ((btmp
= BIO_new(BIO_f_md())) == NULL
) {
442 PKCS7err(PKCS7_F_PKCS7_DATADECODE
, ERR_R_BIO_LIB
);
446 j
= OBJ_obj2nid(xa
->algorithm
);
447 evp_md
= EVP_get_digestbynid(j
);
448 if (evp_md
== NULL
) {
449 PKCS7err(PKCS7_F_PKCS7_DATADECODE
,
450 PKCS7_R_UNKNOWN_DIGEST_TYPE
);
454 BIO_set_md(btmp
, evp_md
);
463 if (evp_cipher
!= NULL
) {
464 if ((etmp
= BIO_new(BIO_f_cipher())) == NULL
) {
465 PKCS7err(PKCS7_F_PKCS7_DATADECODE
, ERR_R_BIO_LIB
);
470 * It was encrypted, we need to decrypt the secret key with the
475 * Find the recipientInfo which matches the passed certificate (if
480 for (i
= 0; i
< sk_PKCS7_RECIP_INFO_num(rsk
); i
++) {
481 ri
= sk_PKCS7_RECIP_INFO_value(rsk
, i
);
482 if (!pkcs7_cmp_ri(ri
, pcert
))
487 PKCS7err(PKCS7_F_PKCS7_DATADECODE
,
488 PKCS7_R_NO_RECIPIENT_MATCHES_CERTIFICATE
);
493 /* If we haven't got a certificate try each ri in turn */
496 * Always attempt to decrypt all rinfo even after success as a
497 * defence against MMA timing attacks.
499 for (i
= 0; i
< sk_PKCS7_RECIP_INFO_num(rsk
); i
++) {
500 ri
= sk_PKCS7_RECIP_INFO_value(rsk
, i
);
502 if (pkcs7_decrypt_rinfo(&ek
, &eklen
, ri
, pkey
) < 0)
507 /* Only exit on fatal errors, not decrypt failure */
508 if (pkcs7_decrypt_rinfo(&ek
, &eklen
, ri
, pkey
) < 0)
514 BIO_get_cipher_ctx(etmp
, &evp_ctx
);
515 if (EVP_CipherInit_ex(evp_ctx
, evp_cipher
, NULL
, NULL
, NULL
, 0) <= 0)
517 if (EVP_CIPHER_asn1_to_param(evp_ctx
, enc_alg
->parameter
) < 0)
519 /* Generate random key as MMA defence */
520 tkeylen
= EVP_CIPHER_CTX_key_length(evp_ctx
);
521 tkey
= OPENSSL_malloc(tkeylen
);
524 if (EVP_CIPHER_CTX_rand_key(evp_ctx
, tkey
) <= 0)
532 if (eklen
!= EVP_CIPHER_CTX_key_length(evp_ctx
)) {
534 * Some S/MIME clients don't use the same key and effective key
535 * length. The key length is determined by the size of the
538 if (!EVP_CIPHER_CTX_set_key_length(evp_ctx
, eklen
)) {
539 /* Use random key as MMA defence */
540 OPENSSL_clear_free(ek
, eklen
);
546 /* Clear errors so we don't leak information useful in MMA */
548 if (EVP_CipherInit_ex(evp_ctx
, NULL
, NULL
, ek
, NULL
, 0) <= 0)
551 OPENSSL_clear_free(ek
, eklen
);
553 OPENSSL_clear_free(tkey
, tkeylen
);
562 if (in_bio
!= NULL
) {
565 if (data_body
->length
> 0)
566 bio
= BIO_new_mem_buf(data_body
->data
, data_body
->length
);
568 bio
= BIO_new(BIO_s_mem());
571 BIO_set_mem_eof_return(bio
, 0);
581 OPENSSL_clear_free(ek
, eklen
);
582 OPENSSL_clear_free(tkey
, tkeylen
);
590 static BIO
*PKCS7_find_digest(EVP_MD_CTX
**pmd
, BIO
*bio
, int nid
)
593 bio
= BIO_find_type(bio
, BIO_TYPE_MD
);
595 PKCS7err(PKCS7_F_PKCS7_FIND_DIGEST
,
596 PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST
);
599 BIO_get_md_ctx(bio
, pmd
);
601 PKCS7err(PKCS7_F_PKCS7_FIND_DIGEST
, ERR_R_INTERNAL_ERROR
);
604 if (EVP_MD_CTX_type(*pmd
) == nid
)
611 static int do_pkcs7_signed_attrib(PKCS7_SIGNER_INFO
*si
, EVP_MD_CTX
*mctx
)
613 unsigned char md_data
[EVP_MAX_MD_SIZE
];
616 /* Add signing time if not already present */
617 if (!PKCS7_get_signed_attribute(si
, NID_pkcs9_signingTime
)) {
618 if (!PKCS7_add0_attrib_signing_time(si
, NULL
)) {
619 PKCS7err(PKCS7_F_DO_PKCS7_SIGNED_ATTRIB
, ERR_R_MALLOC_FAILURE
);
625 if (!EVP_DigestFinal_ex(mctx
, md_data
, &md_len
)) {
626 PKCS7err(PKCS7_F_DO_PKCS7_SIGNED_ATTRIB
, ERR_R_EVP_LIB
);
629 if (!PKCS7_add1_attrib_digest(si
, md_data
, md_len
)) {
630 PKCS7err(PKCS7_F_DO_PKCS7_SIGNED_ATTRIB
, ERR_R_MALLOC_FAILURE
);
634 /* Now sign the attributes */
635 if (!PKCS7_SIGNER_INFO_sign(si
))
641 int PKCS7_dataFinal(PKCS7
*p7
, BIO
*bio
)
646 PKCS7_SIGNER_INFO
*si
;
647 EVP_MD_CTX
*mdc
, *ctx_tmp
;
648 STACK_OF(X509_ATTRIBUTE
) *sk
;
649 STACK_OF(PKCS7_SIGNER_INFO
) *si_sk
= NULL
;
650 ASN1_OCTET_STRING
*os
= NULL
;
653 PKCS7err(PKCS7_F_PKCS7_DATAFINAL
, PKCS7_R_INVALID_NULL_POINTER
);
657 if (p7
->d
.ptr
== NULL
) {
658 PKCS7err(PKCS7_F_PKCS7_DATAFINAL
, PKCS7_R_NO_CONTENT
);
662 ctx_tmp
= EVP_MD_CTX_new();
663 if (ctx_tmp
== NULL
) {
664 PKCS7err(PKCS7_F_PKCS7_DATAFINAL
, ERR_R_MALLOC_FAILURE
);
668 i
= OBJ_obj2nid(p7
->type
);
669 p7
->state
= PKCS7_S_HEADER
;
675 case NID_pkcs7_signedAndEnveloped
:
676 /* XXXXXXXXXXXXXXXX */
677 si_sk
= p7
->d
.signed_and_enveloped
->signer_info
;
678 os
= p7
->d
.signed_and_enveloped
->enc_data
->enc_data
;
680 os
= ASN1_OCTET_STRING_new();
682 PKCS7err(PKCS7_F_PKCS7_DATAFINAL
, ERR_R_MALLOC_FAILURE
);
685 p7
->d
.signed_and_enveloped
->enc_data
->enc_data
= os
;
688 case NID_pkcs7_enveloped
:
689 /* XXXXXXXXXXXXXXXX */
690 os
= p7
->d
.enveloped
->enc_data
->enc_data
;
692 os
= ASN1_OCTET_STRING_new();
694 PKCS7err(PKCS7_F_PKCS7_DATAFINAL
, ERR_R_MALLOC_FAILURE
);
697 p7
->d
.enveloped
->enc_data
->enc_data
= os
;
700 case NID_pkcs7_signed
:
701 si_sk
= p7
->d
.sign
->signer_info
;
702 os
= PKCS7_get_octet_string(p7
->d
.sign
->contents
);
703 /* If detached data then the content is excluded */
704 if (PKCS7_type_is_data(p7
->d
.sign
->contents
) && p7
->detached
) {
705 ASN1_OCTET_STRING_free(os
);
707 p7
->d
.sign
->contents
->d
.data
= NULL
;
711 case NID_pkcs7_digest
:
712 os
= PKCS7_get_octet_string(p7
->d
.digest
->contents
);
713 /* If detached data then the content is excluded */
714 if (PKCS7_type_is_data(p7
->d
.digest
->contents
) && p7
->detached
) {
715 ASN1_OCTET_STRING_free(os
);
717 p7
->d
.digest
->contents
->d
.data
= NULL
;
722 PKCS7err(PKCS7_F_PKCS7_DATAFINAL
, PKCS7_R_UNSUPPORTED_CONTENT_TYPE
);
727 for (i
= 0; i
< sk_PKCS7_SIGNER_INFO_num(si_sk
); i
++) {
728 si
= sk_PKCS7_SIGNER_INFO_value(si_sk
, i
);
729 if (si
->pkey
== NULL
)
732 j
= OBJ_obj2nid(si
->digest_alg
->algorithm
);
736 btmp
= PKCS7_find_digest(&mdc
, btmp
, j
);
742 * We now have the EVP_MD_CTX, lets do the signing.
744 if (!EVP_MD_CTX_copy_ex(ctx_tmp
, mdc
))
750 * If there are attributes, we add the digest attribute and only
751 * sign the attributes
753 if (sk_X509_ATTRIBUTE_num(sk
) > 0) {
754 if (!do_pkcs7_signed_attrib(si
, ctx_tmp
))
757 unsigned char *abuf
= NULL
;
758 unsigned int abuflen
;
759 abuflen
= EVP_PKEY_size(si
->pkey
);
760 abuf
= OPENSSL_malloc(abuflen
);
764 if (!EVP_SignFinal(ctx_tmp
, abuf
, &abuflen
, si
->pkey
)) {
766 PKCS7err(PKCS7_F_PKCS7_DATAFINAL
, ERR_R_EVP_LIB
);
769 ASN1_STRING_set0(si
->enc_digest
, abuf
, abuflen
);
772 } else if (i
== NID_pkcs7_digest
) {
773 unsigned char md_data
[EVP_MAX_MD_SIZE
];
775 if (!PKCS7_find_digest(&mdc
, bio
,
776 OBJ_obj2nid(p7
->d
.digest
->md
->algorithm
)))
778 if (!EVP_DigestFinal_ex(mdc
, md_data
, &md_len
))
780 if (!ASN1_OCTET_STRING_set(p7
->d
.digest
->digest
, md_data
, md_len
))
784 if (!PKCS7_is_detached(p7
)) {
786 * NOTE(emilia): I think we only reach os == NULL here because detached
787 * digested data support is broken.
791 if (!(os
->flags
& ASN1_STRING_FLAG_NDEF
)) {
794 btmp
= BIO_find_type(bio
, BIO_TYPE_MEM
);
796 PKCS7err(PKCS7_F_PKCS7_DATAFINAL
, PKCS7_R_UNABLE_TO_FIND_MEM_BIO
);
799 contlen
= BIO_get_mem_data(btmp
, &cont
);
801 * Mark the BIO read only then we can use its copy of the data
802 * instead of making an extra copy.
804 BIO_set_flags(btmp
, BIO_FLAGS_MEM_RDONLY
);
805 BIO_set_mem_eof_return(btmp
, 0);
806 ASN1_STRING_set0(os
, (unsigned char *)cont
, contlen
);
811 EVP_MD_CTX_free(ctx_tmp
);
815 int PKCS7_SIGNER_INFO_sign(PKCS7_SIGNER_INFO
*si
)
818 EVP_PKEY_CTX
*pctx
= NULL
;
819 unsigned char *abuf
= NULL
;
822 const EVP_MD
*md
= NULL
;
824 md
= EVP_get_digestbyobj(si
->digest_alg
->algorithm
);
828 mctx
= EVP_MD_CTX_new();
830 PKCS7err(PKCS7_F_PKCS7_SIGNER_INFO_SIGN
, ERR_R_MALLOC_FAILURE
);
834 if (EVP_DigestSignInit(mctx
, &pctx
, md
, NULL
, si
->pkey
) <= 0)
837 if (EVP_PKEY_CTX_ctrl(pctx
, -1, EVP_PKEY_OP_SIGN
,
838 EVP_PKEY_CTRL_PKCS7_SIGN
, 0, si
) <= 0) {
839 PKCS7err(PKCS7_F_PKCS7_SIGNER_INFO_SIGN
, PKCS7_R_CTRL_ERROR
);
843 alen
= ASN1_item_i2d((ASN1_VALUE
*)si
->auth_attr
, &abuf
,
844 ASN1_ITEM_rptr(PKCS7_ATTR_SIGN
));
847 if (EVP_DigestSignUpdate(mctx
, abuf
, alen
) <= 0)
851 if (EVP_DigestSignFinal(mctx
, NULL
, &siglen
) <= 0)
853 abuf
= OPENSSL_malloc(siglen
);
856 if (EVP_DigestSignFinal(mctx
, abuf
, &siglen
) <= 0)
859 if (EVP_PKEY_CTX_ctrl(pctx
, -1, EVP_PKEY_OP_SIGN
,
860 EVP_PKEY_CTRL_PKCS7_SIGN
, 1, si
) <= 0) {
861 PKCS7err(PKCS7_F_PKCS7_SIGNER_INFO_SIGN
, PKCS7_R_CTRL_ERROR
);
865 EVP_MD_CTX_free(mctx
);
867 ASN1_STRING_set0(si
->enc_digest
, abuf
, siglen
);
873 EVP_MD_CTX_free(mctx
);
878 int PKCS7_dataVerify(X509_STORE
*cert_store
, X509_STORE_CTX
*ctx
, BIO
*bio
,
879 PKCS7
*p7
, PKCS7_SIGNER_INFO
*si
)
881 PKCS7_ISSUER_AND_SERIAL
*ias
;
883 STACK_OF(X509
) *cert
;
887 PKCS7err(PKCS7_F_PKCS7_DATAVERIFY
, PKCS7_R_INVALID_NULL_POINTER
);
891 if (p7
->d
.ptr
== NULL
) {
892 PKCS7err(PKCS7_F_PKCS7_DATAVERIFY
, PKCS7_R_NO_CONTENT
);
896 if (PKCS7_type_is_signed(p7
)) {
897 cert
= p7
->d
.sign
->cert
;
898 } else if (PKCS7_type_is_signedAndEnveloped(p7
)) {
899 cert
= p7
->d
.signed_and_enveloped
->cert
;
901 PKCS7err(PKCS7_F_PKCS7_DATAVERIFY
, PKCS7_R_WRONG_PKCS7_TYPE
);
904 /* XXXXXXXXXXXXXXXXXXXXXXX */
905 ias
= si
->issuer_and_serial
;
907 x509
= X509_find_by_issuer_and_serial(cert
, ias
->issuer
, ias
->serial
);
909 /* were we able to find the cert in passed to us */
911 PKCS7err(PKCS7_F_PKCS7_DATAVERIFY
,
912 PKCS7_R_UNABLE_TO_FIND_CERTIFICATE
);
917 if (!X509_STORE_CTX_init(ctx
, cert_store
, x509
, cert
)) {
918 PKCS7err(PKCS7_F_PKCS7_DATAVERIFY
, ERR_R_X509_LIB
);
921 X509_STORE_CTX_set_purpose(ctx
, X509_PURPOSE_SMIME_SIGN
);
922 i
= X509_verify_cert(ctx
);
924 PKCS7err(PKCS7_F_PKCS7_DATAVERIFY
, ERR_R_X509_LIB
);
925 X509_STORE_CTX_cleanup(ctx
);
928 X509_STORE_CTX_cleanup(ctx
);
930 return PKCS7_signatureVerify(bio
, p7
, si
, x509
);
935 int PKCS7_signatureVerify(BIO
*bio
, PKCS7
*p7
, PKCS7_SIGNER_INFO
*si
,
938 ASN1_OCTET_STRING
*os
;
939 EVP_MD_CTX
*mdc_tmp
, *mdc
;
942 STACK_OF(X509_ATTRIBUTE
) *sk
;
946 mdc_tmp
= EVP_MD_CTX_new();
947 if (mdc_tmp
== NULL
) {
948 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY
, ERR_R_MALLOC_FAILURE
);
952 if (!PKCS7_type_is_signed(p7
) && !PKCS7_type_is_signedAndEnveloped(p7
)) {
953 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY
, PKCS7_R_WRONG_PKCS7_TYPE
);
957 md_type
= OBJ_obj2nid(si
->digest_alg
->algorithm
);
961 if ((btmp
== NULL
) ||
962 ((btmp
= BIO_find_type(btmp
, BIO_TYPE_MD
)) == NULL
)) {
963 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY
,
964 PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST
);
967 BIO_get_md_ctx(btmp
, &mdc
);
969 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY
, ERR_R_INTERNAL_ERROR
);
972 if (EVP_MD_CTX_type(mdc
) == md_type
)
975 * Workaround for some broken clients that put the signature OID
976 * instead of the digest OID in digest_alg->algorithm
978 if (EVP_MD_pkey_type(EVP_MD_CTX_md(mdc
)) == md_type
)
980 btmp
= BIO_next(btmp
);
984 * mdc is the digest ctx that we want, unless there are attributes, in
985 * which case the digest is the signed attributes
987 if (!EVP_MD_CTX_copy_ex(mdc_tmp
, mdc
))
991 if ((sk
!= NULL
) && (sk_X509_ATTRIBUTE_num(sk
) != 0)) {
992 unsigned char md_dat
[EVP_MAX_MD_SIZE
], *abuf
= NULL
;
995 ASN1_OCTET_STRING
*message_digest
;
997 if (!EVP_DigestFinal_ex(mdc_tmp
, md_dat
, &md_len
))
999 message_digest
= PKCS7_digest_from_attributes(sk
);
1000 if (!message_digest
) {
1001 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY
,
1002 PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST
);
1005 if ((message_digest
->length
!= (int)md_len
) ||
1006 (memcmp(message_digest
->data
, md_dat
, md_len
))) {
1007 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY
, PKCS7_R_DIGEST_FAILURE
);
1012 if (!EVP_VerifyInit_ex(mdc_tmp
, EVP_get_digestbynid(md_type
), NULL
))
1015 alen
= ASN1_item_i2d((ASN1_VALUE
*)sk
, &abuf
,
1016 ASN1_ITEM_rptr(PKCS7_ATTR_VERIFY
));
1018 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY
, ERR_R_ASN1_LIB
);
1022 if (!EVP_VerifyUpdate(mdc_tmp
, abuf
, alen
))
1028 os
= si
->enc_digest
;
1029 pkey
= X509_get0_pubkey(x509
);
1035 i
= EVP_VerifyFinal(mdc_tmp
, os
->data
, os
->length
, pkey
);
1037 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY
, PKCS7_R_SIGNATURE_FAILURE
);
1043 EVP_MD_CTX_free(mdc_tmp
);
1047 PKCS7_ISSUER_AND_SERIAL
*PKCS7_get_issuer_and_serial(PKCS7
*p7
, int idx
)
1049 STACK_OF(PKCS7_RECIP_INFO
) *rsk
;
1050 PKCS7_RECIP_INFO
*ri
;
1053 i
= OBJ_obj2nid(p7
->type
);
1054 if (i
!= NID_pkcs7_signedAndEnveloped
)
1056 if (p7
->d
.signed_and_enveloped
== NULL
)
1058 rsk
= p7
->d
.signed_and_enveloped
->recipientinfo
;
1061 if (sk_PKCS7_RECIP_INFO_num(rsk
) <= idx
)
1063 ri
= sk_PKCS7_RECIP_INFO_value(rsk
, idx
);
1064 return ri
->issuer_and_serial
;
1067 ASN1_TYPE
*PKCS7_get_signed_attribute(PKCS7_SIGNER_INFO
*si
, int nid
)
1069 return get_attribute(si
->auth_attr
, nid
);
1072 ASN1_TYPE
*PKCS7_get_attribute(PKCS7_SIGNER_INFO
*si
, int nid
)
1074 return get_attribute(si
->unauth_attr
, nid
);
1077 static ASN1_TYPE
*get_attribute(STACK_OF(X509_ATTRIBUTE
) *sk
, int nid
)
1081 idx
= X509at_get_attr_by_NID(sk
, nid
, -1);
1082 xa
= X509at_get_attr(sk
, idx
);
1083 return X509_ATTRIBUTE_get0_type(xa
, 0);
1086 ASN1_OCTET_STRING
*PKCS7_digest_from_attributes(STACK_OF(X509_ATTRIBUTE
) *sk
)
1089 if ((astype
= get_attribute(sk
, NID_pkcs9_messageDigest
)) == NULL
)
1091 return astype
->value
.octet_string
;
1094 int PKCS7_set_signed_attributes(PKCS7_SIGNER_INFO
*p7si
,
1095 STACK_OF(X509_ATTRIBUTE
) *sk
)
1099 sk_X509_ATTRIBUTE_pop_free(p7si
->auth_attr
, X509_ATTRIBUTE_free
);
1100 p7si
->auth_attr
= sk_X509_ATTRIBUTE_dup(sk
);
1101 if (p7si
->auth_attr
== NULL
)
1103 for (i
= 0; i
< sk_X509_ATTRIBUTE_num(sk
); i
++) {
1104 if ((sk_X509_ATTRIBUTE_set(p7si
->auth_attr
, i
,
1105 X509_ATTRIBUTE_dup(sk_X509_ATTRIBUTE_value
1113 int PKCS7_set_attributes(PKCS7_SIGNER_INFO
*p7si
,
1114 STACK_OF(X509_ATTRIBUTE
) *sk
)
1118 sk_X509_ATTRIBUTE_pop_free(p7si
->unauth_attr
, X509_ATTRIBUTE_free
);
1119 p7si
->unauth_attr
= sk_X509_ATTRIBUTE_dup(sk
);
1120 if (p7si
->unauth_attr
== NULL
)
1122 for (i
= 0; i
< sk_X509_ATTRIBUTE_num(sk
); i
++) {
1123 if ((sk_X509_ATTRIBUTE_set(p7si
->unauth_attr
, i
,
1124 X509_ATTRIBUTE_dup(sk_X509_ATTRIBUTE_value
1132 int PKCS7_add_signed_attribute(PKCS7_SIGNER_INFO
*p7si
, int nid
, int atrtype
,
1135 return add_attribute(&(p7si
->auth_attr
), nid
, atrtype
, value
);
1138 int PKCS7_add_attribute(PKCS7_SIGNER_INFO
*p7si
, int nid
, int atrtype
,
1141 return add_attribute(&(p7si
->unauth_attr
), nid
, atrtype
, value
);
1144 static int add_attribute(STACK_OF(X509_ATTRIBUTE
) **sk
, int nid
, int atrtype
,
1147 X509_ATTRIBUTE
*attr
= NULL
;
1150 if ((*sk
= sk_X509_ATTRIBUTE_new_null()) == NULL
)
1153 if ((attr
= X509_ATTRIBUTE_create(nid
, atrtype
, value
)) == NULL
)
1155 if (!sk_X509_ATTRIBUTE_push(*sk
, attr
)) {
1156 X509_ATTRIBUTE_free(attr
);
1162 for (i
= 0; i
< sk_X509_ATTRIBUTE_num(*sk
); i
++) {
1163 attr
= sk_X509_ATTRIBUTE_value(*sk
, i
);
1164 if (OBJ_obj2nid(X509_ATTRIBUTE_get0_object(attr
)) == nid
) {
1165 X509_ATTRIBUTE_free(attr
);
1166 attr
= X509_ATTRIBUTE_create(nid
, atrtype
, value
);
1169 if (!sk_X509_ATTRIBUTE_set(*sk
, i
, attr
)) {
1170 X509_ATTRIBUTE_free(attr
);