2 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
11 #include "internal/cryptlib.h"
12 #include <openssl/rand.h>
13 #include <openssl/objects.h>
14 #include <openssl/x509.h>
15 #include <openssl/x509v3.h>
16 #include <openssl/err.h>
18 static int add_attribute(STACK_OF(X509_ATTRIBUTE
) **sk
, int nid
, int atrtype
,
20 static ASN1_TYPE
*get_attribute(STACK_OF(X509_ATTRIBUTE
) *sk
, int nid
);
22 static int PKCS7_type_is_other(PKCS7
*p7
)
26 int nid
= OBJ_obj2nid(p7
->type
);
30 case NID_pkcs7_signed
:
31 case NID_pkcs7_enveloped
:
32 case NID_pkcs7_signedAndEnveloped
:
33 case NID_pkcs7_digest
:
34 case NID_pkcs7_encrypted
:
45 static ASN1_OCTET_STRING
*PKCS7_get_octet_string(PKCS7
*p7
)
47 if (PKCS7_type_is_data(p7
))
49 if (PKCS7_type_is_other(p7
) && p7
->d
.other
50 && (p7
->d
.other
->type
== V_ASN1_OCTET_STRING
))
51 return p7
->d
.other
->value
.octet_string
;
55 static int PKCS7_bio_add_digest(BIO
**pbio
, X509_ALGOR
*alg
)
59 if ((btmp
= BIO_new(BIO_f_md())) == NULL
) {
60 PKCS7err(PKCS7_F_PKCS7_BIO_ADD_DIGEST
, ERR_R_BIO_LIB
);
64 md
= EVP_get_digestbyobj(alg
->algorithm
);
66 PKCS7err(PKCS7_F_PKCS7_BIO_ADD_DIGEST
, PKCS7_R_UNKNOWN_DIGEST_TYPE
);
73 else if (!BIO_push(*pbio
, btmp
)) {
74 PKCS7err(PKCS7_F_PKCS7_BIO_ADD_DIGEST
, ERR_R_BIO_LIB
);
87 static int pkcs7_encode_rinfo(PKCS7_RECIP_INFO
*ri
,
88 unsigned char *key
, int keylen
)
90 EVP_PKEY_CTX
*pctx
= NULL
;
91 EVP_PKEY
*pkey
= NULL
;
92 unsigned char *ek
= NULL
;
96 pkey
= X509_get0_pubkey(ri
->cert
);
101 pctx
= EVP_PKEY_CTX_new(pkey
, NULL
);
105 if (EVP_PKEY_encrypt_init(pctx
) <= 0)
108 if (EVP_PKEY_CTX_ctrl(pctx
, -1, EVP_PKEY_OP_ENCRYPT
,
109 EVP_PKEY_CTRL_PKCS7_ENCRYPT
, 0, ri
) <= 0) {
110 PKCS7err(PKCS7_F_PKCS7_ENCODE_RINFO
, PKCS7_R_CTRL_ERROR
);
114 if (EVP_PKEY_encrypt(pctx
, NULL
, &eklen
, key
, keylen
) <= 0)
117 ek
= OPENSSL_malloc(eklen
);
120 PKCS7err(PKCS7_F_PKCS7_ENCODE_RINFO
, ERR_R_MALLOC_FAILURE
);
124 if (EVP_PKEY_encrypt(pctx
, ek
, &eklen
, key
, keylen
) <= 0)
127 ASN1_STRING_set0(ri
->enc_key
, ek
, eklen
);
133 EVP_PKEY_CTX_free(pctx
);
139 static int pkcs7_decrypt_rinfo(unsigned char **pek
, int *peklen
,
140 PKCS7_RECIP_INFO
*ri
, EVP_PKEY
*pkey
)
142 EVP_PKEY_CTX
*pctx
= NULL
;
143 unsigned char *ek
= NULL
;
148 pctx
= EVP_PKEY_CTX_new(pkey
, NULL
);
152 if (EVP_PKEY_decrypt_init(pctx
) <= 0)
155 if (EVP_PKEY_CTX_ctrl(pctx
, -1, EVP_PKEY_OP_DECRYPT
,
156 EVP_PKEY_CTRL_PKCS7_DECRYPT
, 0, ri
) <= 0) {
157 PKCS7err(PKCS7_F_PKCS7_DECRYPT_RINFO
, PKCS7_R_CTRL_ERROR
);
161 if (EVP_PKEY_decrypt(pctx
, NULL
, &eklen
,
162 ri
->enc_key
->data
, ri
->enc_key
->length
) <= 0)
165 ek
= OPENSSL_malloc(eklen
);
168 PKCS7err(PKCS7_F_PKCS7_DECRYPT_RINFO
, ERR_R_MALLOC_FAILURE
);
172 if (EVP_PKEY_decrypt(pctx
, ek
, &eklen
,
173 ri
->enc_key
->data
, ri
->enc_key
->length
) <= 0) {
175 PKCS7err(PKCS7_F_PKCS7_DECRYPT_RINFO
, ERR_R_EVP_LIB
);
181 OPENSSL_clear_free(*pek
, *peklen
);
186 EVP_PKEY_CTX_free(pctx
);
193 BIO
*PKCS7_dataInit(PKCS7
*p7
, BIO
*bio
)
196 BIO
*out
= NULL
, *btmp
= NULL
;
197 X509_ALGOR
*xa
= NULL
;
198 const EVP_CIPHER
*evp_cipher
= NULL
;
199 STACK_OF(X509_ALGOR
) *md_sk
= NULL
;
200 STACK_OF(PKCS7_RECIP_INFO
) *rsk
= NULL
;
201 X509_ALGOR
*xalg
= NULL
;
202 PKCS7_RECIP_INFO
*ri
= NULL
;
203 ASN1_OCTET_STRING
*os
= NULL
;
206 PKCS7err(PKCS7_F_PKCS7_DATAINIT
, PKCS7_R_INVALID_NULL_POINTER
);
210 * The content field in the PKCS7 ContentInfo is optional, but that really
211 * only applies to inner content (precisely, detached signatures).
213 * When reading content, missing outer content is therefore treated as an
216 * When creating content, PKCS7_content_new() must be called before
217 * calling this method, so a NULL p7->d is always an error.
219 if (p7
->d
.ptr
== NULL
) {
220 PKCS7err(PKCS7_F_PKCS7_DATAINIT
, PKCS7_R_NO_CONTENT
);
224 i
= OBJ_obj2nid(p7
->type
);
225 p7
->state
= PKCS7_S_HEADER
;
228 case NID_pkcs7_signed
:
229 md_sk
= p7
->d
.sign
->md_algs
;
230 os
= PKCS7_get_octet_string(p7
->d
.sign
->contents
);
232 case NID_pkcs7_signedAndEnveloped
:
233 rsk
= p7
->d
.signed_and_enveloped
->recipientinfo
;
234 md_sk
= p7
->d
.signed_and_enveloped
->md_algs
;
235 xalg
= p7
->d
.signed_and_enveloped
->enc_data
->algorithm
;
236 evp_cipher
= p7
->d
.signed_and_enveloped
->enc_data
->cipher
;
237 if (evp_cipher
== NULL
) {
238 PKCS7err(PKCS7_F_PKCS7_DATAINIT
, PKCS7_R_CIPHER_NOT_INITIALIZED
);
242 case NID_pkcs7_enveloped
:
243 rsk
= p7
->d
.enveloped
->recipientinfo
;
244 xalg
= p7
->d
.enveloped
->enc_data
->algorithm
;
245 evp_cipher
= p7
->d
.enveloped
->enc_data
->cipher
;
246 if (evp_cipher
== NULL
) {
247 PKCS7err(PKCS7_F_PKCS7_DATAINIT
, PKCS7_R_CIPHER_NOT_INITIALIZED
);
251 case NID_pkcs7_digest
:
252 xa
= p7
->d
.digest
->md
;
253 os
= PKCS7_get_octet_string(p7
->d
.digest
->contents
);
258 PKCS7err(PKCS7_F_PKCS7_DATAINIT
, PKCS7_R_UNSUPPORTED_CONTENT_TYPE
);
262 for (i
= 0; i
< sk_X509_ALGOR_num(md_sk
); i
++)
263 if (!PKCS7_bio_add_digest(&out
, sk_X509_ALGOR_value(md_sk
, i
)))
266 if (xa
&& !PKCS7_bio_add_digest(&out
, xa
))
269 if (evp_cipher
!= NULL
) {
270 unsigned char key
[EVP_MAX_KEY_LENGTH
];
271 unsigned char iv
[EVP_MAX_IV_LENGTH
];
275 if ((btmp
= BIO_new(BIO_f_cipher())) == NULL
) {
276 PKCS7err(PKCS7_F_PKCS7_DATAINIT
, ERR_R_BIO_LIB
);
279 BIO_get_cipher_ctx(btmp
, &ctx
);
280 keylen
= EVP_CIPHER_key_length(evp_cipher
);
281 ivlen
= EVP_CIPHER_iv_length(evp_cipher
);
282 xalg
->algorithm
= OBJ_nid2obj(EVP_CIPHER_type(evp_cipher
));
284 if (RAND_bytes(iv
, ivlen
) <= 0)
286 if (EVP_CipherInit_ex(ctx
, evp_cipher
, NULL
, NULL
, NULL
, 1) <= 0)
288 if (EVP_CIPHER_CTX_rand_key(ctx
, key
) <= 0)
290 if (EVP_CipherInit_ex(ctx
, NULL
, NULL
, key
, iv
, 1) <= 0)
294 if (xalg
->parameter
== NULL
) {
295 xalg
->parameter
= ASN1_TYPE_new();
296 if (xalg
->parameter
== NULL
)
299 if (EVP_CIPHER_param_to_asn1(ctx
, xalg
->parameter
) < 0)
303 /* Lets do the pub key stuff :-) */
304 for (i
= 0; i
< sk_PKCS7_RECIP_INFO_num(rsk
); i
++) {
305 ri
= sk_PKCS7_RECIP_INFO_value(rsk
, i
);
306 if (pkcs7_encode_rinfo(ri
, key
, keylen
) <= 0)
309 OPENSSL_cleanse(key
, keylen
);
319 if (PKCS7_is_detached(p7
))
320 bio
= BIO_new(BIO_s_null());
321 else if (os
&& os
->length
> 0)
322 bio
= BIO_new_mem_buf(os
->data
, os
->length
);
324 bio
= BIO_new(BIO_s_mem());
327 BIO_set_mem_eof_return(bio
, 0);
342 static int pkcs7_cmp_ri(PKCS7_RECIP_INFO
*ri
, X509
*pcert
)
345 ret
= X509_NAME_cmp(ri
->issuer_and_serial
->issuer
,
346 X509_get_issuer_name(pcert
));
349 return ASN1_INTEGER_cmp(X509_get_serialNumber(pcert
),
350 ri
->issuer_and_serial
->serial
);
354 BIO
*PKCS7_dataDecode(PKCS7
*p7
, EVP_PKEY
*pkey
, BIO
*in_bio
, X509
*pcert
)
357 BIO
*out
= NULL
, *btmp
= NULL
, *etmp
= NULL
, *bio
= NULL
;
359 ASN1_OCTET_STRING
*data_body
= NULL
;
360 const EVP_MD
*evp_md
;
361 const EVP_CIPHER
*evp_cipher
= NULL
;
362 EVP_CIPHER_CTX
*evp_ctx
= NULL
;
363 X509_ALGOR
*enc_alg
= NULL
;
364 STACK_OF(X509_ALGOR
) *md_sk
= NULL
;
365 STACK_OF(PKCS7_RECIP_INFO
) *rsk
= NULL
;
366 PKCS7_RECIP_INFO
*ri
= NULL
;
367 unsigned char *ek
= NULL
, *tkey
= NULL
;
368 int eklen
= 0, tkeylen
= 0;
371 PKCS7err(PKCS7_F_PKCS7_DATADECODE
, PKCS7_R_INVALID_NULL_POINTER
);
375 if (p7
->d
.ptr
== NULL
) {
376 PKCS7err(PKCS7_F_PKCS7_DATADECODE
, PKCS7_R_NO_CONTENT
);
380 i
= OBJ_obj2nid(p7
->type
);
381 p7
->state
= PKCS7_S_HEADER
;
384 case NID_pkcs7_signed
:
386 * p7->d.sign->contents is a PKCS7 structure consisting of a contentType
387 * field and optional content.
388 * data_body is NULL if that structure has no (=detached) content
389 * or if the contentType is wrong (i.e., not "data").
391 data_body
= PKCS7_get_octet_string(p7
->d
.sign
->contents
);
392 if (!PKCS7_is_detached(p7
) && data_body
== NULL
) {
393 PKCS7err(PKCS7_F_PKCS7_DATADECODE
,
394 PKCS7_R_INVALID_SIGNED_DATA_TYPE
);
397 md_sk
= p7
->d
.sign
->md_algs
;
399 case NID_pkcs7_signedAndEnveloped
:
400 rsk
= p7
->d
.signed_and_enveloped
->recipientinfo
;
401 md_sk
= p7
->d
.signed_and_enveloped
->md_algs
;
402 /* data_body is NULL if the optional EncryptedContent is missing. */
403 data_body
= p7
->d
.signed_and_enveloped
->enc_data
->enc_data
;
404 enc_alg
= p7
->d
.signed_and_enveloped
->enc_data
->algorithm
;
405 evp_cipher
= EVP_get_cipherbyobj(enc_alg
->algorithm
);
406 if (evp_cipher
== NULL
) {
407 PKCS7err(PKCS7_F_PKCS7_DATADECODE
,
408 PKCS7_R_UNSUPPORTED_CIPHER_TYPE
);
412 case NID_pkcs7_enveloped
:
413 rsk
= p7
->d
.enveloped
->recipientinfo
;
414 enc_alg
= p7
->d
.enveloped
->enc_data
->algorithm
;
415 /* data_body is NULL if the optional EncryptedContent is missing. */
416 data_body
= p7
->d
.enveloped
->enc_data
->enc_data
;
417 evp_cipher
= EVP_get_cipherbyobj(enc_alg
->algorithm
);
418 if (evp_cipher
== NULL
) {
419 PKCS7err(PKCS7_F_PKCS7_DATADECODE
,
420 PKCS7_R_UNSUPPORTED_CIPHER_TYPE
);
425 PKCS7err(PKCS7_F_PKCS7_DATADECODE
, PKCS7_R_UNSUPPORTED_CONTENT_TYPE
);
429 /* Detached content must be supplied via in_bio instead. */
430 if (data_body
== NULL
&& in_bio
== NULL
) {
431 PKCS7err(PKCS7_F_PKCS7_DATADECODE
, PKCS7_R_NO_CONTENT
);
435 /* We will be checking the signature */
437 for (i
= 0; i
< sk_X509_ALGOR_num(md_sk
); i
++) {
438 xa
= sk_X509_ALGOR_value(md_sk
, i
);
439 if ((btmp
= BIO_new(BIO_f_md())) == NULL
) {
440 PKCS7err(PKCS7_F_PKCS7_DATADECODE
, ERR_R_BIO_LIB
);
444 j
= OBJ_obj2nid(xa
->algorithm
);
445 evp_md
= EVP_get_digestbynid(j
);
446 if (evp_md
== NULL
) {
447 PKCS7err(PKCS7_F_PKCS7_DATADECODE
,
448 PKCS7_R_UNKNOWN_DIGEST_TYPE
);
452 BIO_set_md(btmp
, evp_md
);
461 if (evp_cipher
!= NULL
) {
462 if ((etmp
= BIO_new(BIO_f_cipher())) == NULL
) {
463 PKCS7err(PKCS7_F_PKCS7_DATADECODE
, ERR_R_BIO_LIB
);
468 * It was encrypted, we need to decrypt the secret key with the
473 * Find the recipientInfo which matches the passed certificate (if
478 for (i
= 0; i
< sk_PKCS7_RECIP_INFO_num(rsk
); i
++) {
479 ri
= sk_PKCS7_RECIP_INFO_value(rsk
, i
);
480 if (!pkcs7_cmp_ri(ri
, pcert
))
485 PKCS7err(PKCS7_F_PKCS7_DATADECODE
,
486 PKCS7_R_NO_RECIPIENT_MATCHES_CERTIFICATE
);
491 /* If we haven't got a certificate try each ri in turn */
494 * Always attempt to decrypt all rinfo even after success as a
495 * defence against MMA timing attacks.
497 for (i
= 0; i
< sk_PKCS7_RECIP_INFO_num(rsk
); i
++) {
498 ri
= sk_PKCS7_RECIP_INFO_value(rsk
, i
);
500 if (pkcs7_decrypt_rinfo(&ek
, &eklen
, ri
, pkey
) < 0)
505 /* Only exit on fatal errors, not decrypt failure */
506 if (pkcs7_decrypt_rinfo(&ek
, &eklen
, ri
, pkey
) < 0)
512 BIO_get_cipher_ctx(etmp
, &evp_ctx
);
513 if (EVP_CipherInit_ex(evp_ctx
, evp_cipher
, NULL
, NULL
, NULL
, 0) <= 0)
515 if (EVP_CIPHER_asn1_to_param(evp_ctx
, enc_alg
->parameter
) < 0)
517 /* Generate random key as MMA defence */
518 tkeylen
= EVP_CIPHER_CTX_key_length(evp_ctx
);
519 tkey
= OPENSSL_malloc(tkeylen
);
522 if (EVP_CIPHER_CTX_rand_key(evp_ctx
, tkey
) <= 0)
530 if (eklen
!= EVP_CIPHER_CTX_key_length(evp_ctx
)) {
532 * Some S/MIME clients don't use the same key and effective key
533 * length. The key length is determined by the size of the
536 if (!EVP_CIPHER_CTX_set_key_length(evp_ctx
, eklen
)) {
537 /* Use random key as MMA defence */
538 OPENSSL_clear_free(ek
, eklen
);
544 /* Clear errors so we don't leak information useful in MMA */
546 if (EVP_CipherInit_ex(evp_ctx
, NULL
, NULL
, ek
, NULL
, 0) <= 0)
549 OPENSSL_clear_free(ek
, eklen
);
551 OPENSSL_clear_free(tkey
, tkeylen
);
560 if (in_bio
!= NULL
) {
563 if (data_body
->length
> 0)
564 bio
= BIO_new_mem_buf(data_body
->data
, data_body
->length
);
566 bio
= BIO_new(BIO_s_mem());
569 BIO_set_mem_eof_return(bio
, 0);
579 OPENSSL_clear_free(ek
, eklen
);
580 OPENSSL_clear_free(tkey
, tkeylen
);
588 static BIO
*PKCS7_find_digest(EVP_MD_CTX
**pmd
, BIO
*bio
, int nid
)
591 bio
= BIO_find_type(bio
, BIO_TYPE_MD
);
593 PKCS7err(PKCS7_F_PKCS7_FIND_DIGEST
,
594 PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST
);
597 BIO_get_md_ctx(bio
, pmd
);
599 PKCS7err(PKCS7_F_PKCS7_FIND_DIGEST
, ERR_R_INTERNAL_ERROR
);
602 if (EVP_MD_CTX_type(*pmd
) == nid
)
609 static int do_pkcs7_signed_attrib(PKCS7_SIGNER_INFO
*si
, EVP_MD_CTX
*mctx
)
611 unsigned char md_data
[EVP_MAX_MD_SIZE
];
614 /* Add signing time if not already present */
615 if (!PKCS7_get_signed_attribute(si
, NID_pkcs9_signingTime
)) {
616 if (!PKCS7_add0_attrib_signing_time(si
, NULL
)) {
617 PKCS7err(PKCS7_F_DO_PKCS7_SIGNED_ATTRIB
, ERR_R_MALLOC_FAILURE
);
623 if (!EVP_DigestFinal_ex(mctx
, md_data
, &md_len
)) {
624 PKCS7err(PKCS7_F_DO_PKCS7_SIGNED_ATTRIB
, ERR_R_EVP_LIB
);
627 if (!PKCS7_add1_attrib_digest(si
, md_data
, md_len
)) {
628 PKCS7err(PKCS7_F_DO_PKCS7_SIGNED_ATTRIB
, ERR_R_MALLOC_FAILURE
);
632 /* Now sign the attributes */
633 if (!PKCS7_SIGNER_INFO_sign(si
))
639 int PKCS7_dataFinal(PKCS7
*p7
, BIO
*bio
)
644 PKCS7_SIGNER_INFO
*si
;
645 EVP_MD_CTX
*mdc
, *ctx_tmp
;
646 STACK_OF(X509_ATTRIBUTE
) *sk
;
647 STACK_OF(PKCS7_SIGNER_INFO
) *si_sk
= NULL
;
648 ASN1_OCTET_STRING
*os
= NULL
;
651 PKCS7err(PKCS7_F_PKCS7_DATAFINAL
, PKCS7_R_INVALID_NULL_POINTER
);
655 if (p7
->d
.ptr
== NULL
) {
656 PKCS7err(PKCS7_F_PKCS7_DATAFINAL
, PKCS7_R_NO_CONTENT
);
660 ctx_tmp
= EVP_MD_CTX_new();
661 if (ctx_tmp
== NULL
) {
662 PKCS7err(PKCS7_F_PKCS7_DATAFINAL
, ERR_R_MALLOC_FAILURE
);
666 i
= OBJ_obj2nid(p7
->type
);
667 p7
->state
= PKCS7_S_HEADER
;
673 case NID_pkcs7_signedAndEnveloped
:
674 /* XXXXXXXXXXXXXXXX */
675 si_sk
= p7
->d
.signed_and_enveloped
->signer_info
;
676 os
= p7
->d
.signed_and_enveloped
->enc_data
->enc_data
;
678 os
= ASN1_OCTET_STRING_new();
680 PKCS7err(PKCS7_F_PKCS7_DATAFINAL
, ERR_R_MALLOC_FAILURE
);
683 p7
->d
.signed_and_enveloped
->enc_data
->enc_data
= os
;
686 case NID_pkcs7_enveloped
:
687 /* XXXXXXXXXXXXXXXX */
688 os
= p7
->d
.enveloped
->enc_data
->enc_data
;
690 os
= ASN1_OCTET_STRING_new();
692 PKCS7err(PKCS7_F_PKCS7_DATAFINAL
, ERR_R_MALLOC_FAILURE
);
695 p7
->d
.enveloped
->enc_data
->enc_data
= os
;
698 case NID_pkcs7_signed
:
699 si_sk
= p7
->d
.sign
->signer_info
;
700 os
= PKCS7_get_octet_string(p7
->d
.sign
->contents
);
701 /* If detached data then the content is excluded */
702 if (PKCS7_type_is_data(p7
->d
.sign
->contents
) && p7
->detached
) {
703 ASN1_OCTET_STRING_free(os
);
705 p7
->d
.sign
->contents
->d
.data
= NULL
;
709 case NID_pkcs7_digest
:
710 os
= PKCS7_get_octet_string(p7
->d
.digest
->contents
);
711 /* If detached data then the content is excluded */
712 if (PKCS7_type_is_data(p7
->d
.digest
->contents
) && p7
->detached
) {
713 ASN1_OCTET_STRING_free(os
);
715 p7
->d
.digest
->contents
->d
.data
= NULL
;
720 PKCS7err(PKCS7_F_PKCS7_DATAFINAL
, PKCS7_R_UNSUPPORTED_CONTENT_TYPE
);
725 for (i
= 0; i
< sk_PKCS7_SIGNER_INFO_num(si_sk
); i
++) {
726 si
= sk_PKCS7_SIGNER_INFO_value(si_sk
, i
);
727 if (si
->pkey
== NULL
)
730 j
= OBJ_obj2nid(si
->digest_alg
->algorithm
);
734 btmp
= PKCS7_find_digest(&mdc
, btmp
, j
);
740 * We now have the EVP_MD_CTX, lets do the signing.
742 if (!EVP_MD_CTX_copy_ex(ctx_tmp
, mdc
))
748 * If there are attributes, we add the digest attribute and only
749 * sign the attributes
751 if (sk_X509_ATTRIBUTE_num(sk
) > 0) {
752 if (!do_pkcs7_signed_attrib(si
, ctx_tmp
))
755 unsigned char *abuf
= NULL
;
756 unsigned int abuflen
;
757 abuflen
= EVP_PKEY_size(si
->pkey
);
758 abuf
= OPENSSL_malloc(abuflen
);
762 if (!EVP_SignFinal(ctx_tmp
, abuf
, &abuflen
, si
->pkey
)) {
764 PKCS7err(PKCS7_F_PKCS7_DATAFINAL
, ERR_R_EVP_LIB
);
767 ASN1_STRING_set0(si
->enc_digest
, abuf
, abuflen
);
770 } else if (i
== NID_pkcs7_digest
) {
771 unsigned char md_data
[EVP_MAX_MD_SIZE
];
773 if (!PKCS7_find_digest(&mdc
, bio
,
774 OBJ_obj2nid(p7
->d
.digest
->md
->algorithm
)))
776 if (!EVP_DigestFinal_ex(mdc
, md_data
, &md_len
))
778 if (!ASN1_OCTET_STRING_set(p7
->d
.digest
->digest
, md_data
, md_len
))
782 if (!PKCS7_is_detached(p7
)) {
784 * NOTE(emilia): I think we only reach os == NULL here because detached
785 * digested data support is broken.
789 if (!(os
->flags
& ASN1_STRING_FLAG_NDEF
)) {
792 btmp
= BIO_find_type(bio
, BIO_TYPE_MEM
);
794 PKCS7err(PKCS7_F_PKCS7_DATAFINAL
, PKCS7_R_UNABLE_TO_FIND_MEM_BIO
);
797 contlen
= BIO_get_mem_data(btmp
, &cont
);
799 * Mark the BIO read only then we can use its copy of the data
800 * instead of making an extra copy.
802 BIO_set_flags(btmp
, BIO_FLAGS_MEM_RDONLY
);
803 BIO_set_mem_eof_return(btmp
, 0);
804 ASN1_STRING_set0(os
, (unsigned char *)cont
, contlen
);
809 EVP_MD_CTX_free(ctx_tmp
);
813 int PKCS7_SIGNER_INFO_sign(PKCS7_SIGNER_INFO
*si
)
817 unsigned char *abuf
= NULL
;
820 const EVP_MD
*md
= NULL
;
822 md
= EVP_get_digestbyobj(si
->digest_alg
->algorithm
);
826 mctx
= EVP_MD_CTX_new();
828 PKCS7err(PKCS7_F_PKCS7_SIGNER_INFO_SIGN
, ERR_R_MALLOC_FAILURE
);
832 if (EVP_DigestSignInit(mctx
, &pctx
, md
, NULL
, si
->pkey
) <= 0)
835 if (EVP_PKEY_CTX_ctrl(pctx
, -1, EVP_PKEY_OP_SIGN
,
836 EVP_PKEY_CTRL_PKCS7_SIGN
, 0, si
) <= 0) {
837 PKCS7err(PKCS7_F_PKCS7_SIGNER_INFO_SIGN
, PKCS7_R_CTRL_ERROR
);
841 alen
= ASN1_item_i2d((ASN1_VALUE
*)si
->auth_attr
, &abuf
,
842 ASN1_ITEM_rptr(PKCS7_ATTR_SIGN
));
845 if (EVP_DigestSignUpdate(mctx
, abuf
, alen
) <= 0)
849 if (EVP_DigestSignFinal(mctx
, NULL
, &siglen
) <= 0)
851 abuf
= OPENSSL_malloc(siglen
);
854 if (EVP_DigestSignFinal(mctx
, abuf
, &siglen
) <= 0)
857 if (EVP_PKEY_CTX_ctrl(pctx
, -1, EVP_PKEY_OP_SIGN
,
858 EVP_PKEY_CTRL_PKCS7_SIGN
, 1, si
) <= 0) {
859 PKCS7err(PKCS7_F_PKCS7_SIGNER_INFO_SIGN
, PKCS7_R_CTRL_ERROR
);
863 EVP_MD_CTX_free(mctx
);
865 ASN1_STRING_set0(si
->enc_digest
, abuf
, siglen
);
871 EVP_MD_CTX_free(mctx
);
876 int PKCS7_dataVerify(X509_STORE
*cert_store
, X509_STORE_CTX
*ctx
, BIO
*bio
,
877 PKCS7
*p7
, PKCS7_SIGNER_INFO
*si
)
879 PKCS7_ISSUER_AND_SERIAL
*ias
;
881 STACK_OF(X509
) *cert
;
885 PKCS7err(PKCS7_F_PKCS7_DATAVERIFY
, PKCS7_R_INVALID_NULL_POINTER
);
889 if (p7
->d
.ptr
== NULL
) {
890 PKCS7err(PKCS7_F_PKCS7_DATAVERIFY
, PKCS7_R_NO_CONTENT
);
894 if (PKCS7_type_is_signed(p7
)) {
895 cert
= p7
->d
.sign
->cert
;
896 } else if (PKCS7_type_is_signedAndEnveloped(p7
)) {
897 cert
= p7
->d
.signed_and_enveloped
->cert
;
899 PKCS7err(PKCS7_F_PKCS7_DATAVERIFY
, PKCS7_R_WRONG_PKCS7_TYPE
);
902 /* XXXXXXXXXXXXXXXXXXXXXXX */
903 ias
= si
->issuer_and_serial
;
905 x509
= X509_find_by_issuer_and_serial(cert
, ias
->issuer
, ias
->serial
);
907 /* were we able to find the cert in passed to us */
909 PKCS7err(PKCS7_F_PKCS7_DATAVERIFY
,
910 PKCS7_R_UNABLE_TO_FIND_CERTIFICATE
);
915 if (!X509_STORE_CTX_init(ctx
, cert_store
, x509
, cert
)) {
916 PKCS7err(PKCS7_F_PKCS7_DATAVERIFY
, ERR_R_X509_LIB
);
919 X509_STORE_CTX_set_purpose(ctx
, X509_PURPOSE_SMIME_SIGN
);
920 i
= X509_verify_cert(ctx
);
922 PKCS7err(PKCS7_F_PKCS7_DATAVERIFY
, ERR_R_X509_LIB
);
923 X509_STORE_CTX_cleanup(ctx
);
926 X509_STORE_CTX_cleanup(ctx
);
928 return PKCS7_signatureVerify(bio
, p7
, si
, x509
);
933 int PKCS7_signatureVerify(BIO
*bio
, PKCS7
*p7
, PKCS7_SIGNER_INFO
*si
,
936 ASN1_OCTET_STRING
*os
;
937 EVP_MD_CTX
*mdc_tmp
, *mdc
;
940 STACK_OF(X509_ATTRIBUTE
) *sk
;
944 mdc_tmp
= EVP_MD_CTX_new();
945 if (mdc_tmp
== NULL
) {
946 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY
, ERR_R_MALLOC_FAILURE
);
950 if (!PKCS7_type_is_signed(p7
) && !PKCS7_type_is_signedAndEnveloped(p7
)) {
951 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY
, PKCS7_R_WRONG_PKCS7_TYPE
);
955 md_type
= OBJ_obj2nid(si
->digest_alg
->algorithm
);
959 if ((btmp
== NULL
) ||
960 ((btmp
= BIO_find_type(btmp
, BIO_TYPE_MD
)) == NULL
)) {
961 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY
,
962 PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST
);
965 BIO_get_md_ctx(btmp
, &mdc
);
967 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY
, ERR_R_INTERNAL_ERROR
);
970 if (EVP_MD_CTX_type(mdc
) == md_type
)
973 * Workaround for some broken clients that put the signature OID
974 * instead of the digest OID in digest_alg->algorithm
976 if (EVP_MD_pkey_type(EVP_MD_CTX_md(mdc
)) == md_type
)
978 btmp
= BIO_next(btmp
);
982 * mdc is the digest ctx that we want, unless there are attributes, in
983 * which case the digest is the signed attributes
985 if (!EVP_MD_CTX_copy_ex(mdc_tmp
, mdc
))
989 if ((sk
!= NULL
) && (sk_X509_ATTRIBUTE_num(sk
) != 0)) {
990 unsigned char md_dat
[EVP_MAX_MD_SIZE
], *abuf
= NULL
;
993 ASN1_OCTET_STRING
*message_digest
;
995 if (!EVP_DigestFinal_ex(mdc_tmp
, md_dat
, &md_len
))
997 message_digest
= PKCS7_digest_from_attributes(sk
);
998 if (!message_digest
) {
999 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY
,
1000 PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST
);
1003 if ((message_digest
->length
!= (int)md_len
) ||
1004 (memcmp(message_digest
->data
, md_dat
, md_len
))) {
1005 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY
, PKCS7_R_DIGEST_FAILURE
);
1010 if (!EVP_VerifyInit_ex(mdc_tmp
, EVP_get_digestbynid(md_type
), NULL
))
1013 alen
= ASN1_item_i2d((ASN1_VALUE
*)sk
, &abuf
,
1014 ASN1_ITEM_rptr(PKCS7_ATTR_VERIFY
));
1016 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY
, ERR_R_ASN1_LIB
);
1020 if (!EVP_VerifyUpdate(mdc_tmp
, abuf
, alen
))
1026 os
= si
->enc_digest
;
1027 pkey
= X509_get0_pubkey(x509
);
1033 i
= EVP_VerifyFinal(mdc_tmp
, os
->data
, os
->length
, pkey
);
1035 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY
, PKCS7_R_SIGNATURE_FAILURE
);
1041 EVP_MD_CTX_free(mdc_tmp
);
1045 PKCS7_ISSUER_AND_SERIAL
*PKCS7_get_issuer_and_serial(PKCS7
*p7
, int idx
)
1047 STACK_OF(PKCS7_RECIP_INFO
) *rsk
;
1048 PKCS7_RECIP_INFO
*ri
;
1051 i
= OBJ_obj2nid(p7
->type
);
1052 if (i
!= NID_pkcs7_signedAndEnveloped
)
1054 if (p7
->d
.signed_and_enveloped
== NULL
)
1056 rsk
= p7
->d
.signed_and_enveloped
->recipientinfo
;
1059 if (sk_PKCS7_RECIP_INFO_num(rsk
) <= idx
)
1061 ri
= sk_PKCS7_RECIP_INFO_value(rsk
, idx
);
1062 return (ri
->issuer_and_serial
);
1065 ASN1_TYPE
*PKCS7_get_signed_attribute(PKCS7_SIGNER_INFO
*si
, int nid
)
1067 return (get_attribute(si
->auth_attr
, nid
));
1070 ASN1_TYPE
*PKCS7_get_attribute(PKCS7_SIGNER_INFO
*si
, int nid
)
1072 return (get_attribute(si
->unauth_attr
, nid
));
1075 static ASN1_TYPE
*get_attribute(STACK_OF(X509_ATTRIBUTE
) *sk
, int nid
)
1079 idx
= X509at_get_attr_by_NID(sk
, nid
, -1);
1080 xa
= X509at_get_attr(sk
, idx
);
1081 return X509_ATTRIBUTE_get0_type(xa
, 0);
1084 ASN1_OCTET_STRING
*PKCS7_digest_from_attributes(STACK_OF(X509_ATTRIBUTE
) *sk
)
1087 if ((astype
= get_attribute(sk
, NID_pkcs9_messageDigest
)) == NULL
)
1089 return astype
->value
.octet_string
;
1092 int PKCS7_set_signed_attributes(PKCS7_SIGNER_INFO
*p7si
,
1093 STACK_OF(X509_ATTRIBUTE
) *sk
)
1097 sk_X509_ATTRIBUTE_pop_free(p7si
->auth_attr
, X509_ATTRIBUTE_free
);
1098 p7si
->auth_attr
= sk_X509_ATTRIBUTE_dup(sk
);
1099 if (p7si
->auth_attr
== NULL
)
1101 for (i
= 0; i
< sk_X509_ATTRIBUTE_num(sk
); i
++) {
1102 if ((sk_X509_ATTRIBUTE_set(p7si
->auth_attr
, i
,
1103 X509_ATTRIBUTE_dup(sk_X509_ATTRIBUTE_value
1111 int PKCS7_set_attributes(PKCS7_SIGNER_INFO
*p7si
,
1112 STACK_OF(X509_ATTRIBUTE
) *sk
)
1116 sk_X509_ATTRIBUTE_pop_free(p7si
->unauth_attr
, X509_ATTRIBUTE_free
);
1117 p7si
->unauth_attr
= sk_X509_ATTRIBUTE_dup(sk
);
1118 if (p7si
->unauth_attr
== NULL
)
1120 for (i
= 0; i
< sk_X509_ATTRIBUTE_num(sk
); i
++) {
1121 if ((sk_X509_ATTRIBUTE_set(p7si
->unauth_attr
, i
,
1122 X509_ATTRIBUTE_dup(sk_X509_ATTRIBUTE_value
1130 int PKCS7_add_signed_attribute(PKCS7_SIGNER_INFO
*p7si
, int nid
, int atrtype
,
1133 return (add_attribute(&(p7si
->auth_attr
), nid
, atrtype
, value
));
1136 int PKCS7_add_attribute(PKCS7_SIGNER_INFO
*p7si
, int nid
, int atrtype
,
1139 return (add_attribute(&(p7si
->unauth_attr
), nid
, atrtype
, value
));
1142 static int add_attribute(STACK_OF(X509_ATTRIBUTE
) **sk
, int nid
, int atrtype
,
1145 X509_ATTRIBUTE
*attr
= NULL
;
1148 if ((*sk
= sk_X509_ATTRIBUTE_new_null()) == NULL
)
1151 if ((attr
= X509_ATTRIBUTE_create(nid
, atrtype
, value
)) == NULL
)
1153 if (!sk_X509_ATTRIBUTE_push(*sk
, attr
)) {
1154 X509_ATTRIBUTE_free(attr
);
1160 for (i
= 0; i
< sk_X509_ATTRIBUTE_num(*sk
); i
++) {
1161 attr
= sk_X509_ATTRIBUTE_value(*sk
, i
);
1162 if (OBJ_obj2nid(X509_ATTRIBUTE_get0_object(attr
)) == nid
) {
1163 X509_ATTRIBUTE_free(attr
);
1164 attr
= X509_ATTRIBUTE_create(nid
, atrtype
, value
);
1167 if (!sk_X509_ATTRIBUTE_set(*sk
, i
, attr
)) {
1168 X509_ATTRIBUTE_free(attr
);