From: pcarana
Date: Wed, 29 May 2019 17:38:14 +0000 (-0500)
Subject: Add CMS compatibility with PKCS #7 and fix debug log bug
X-Git-Tag: v0.0.2~16
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1c07ab3513f822fe31bbd8e84cb884faf92fa20d;p=thirdparty%2FFORT-validator.git

Add CMS compatibility with PKCS #7 and fix debug log bug
---

diff --git a/src/asn1/signed_data.c b/src/asn1/signed_data.c
index 42e51224..aa549da4 100644
--- a/src/asn1/signed_data.c
+++ b/src/asn1/signed_data.c
@@ -2,7 +2,9 @@
 #include
 #include
+#include
 #include
+#include
 #include "algorithm.h"
 #include "config.h"
@@ -386,6 +388,62 @@ validate(struct SignedData *sdata, ANY_t *sdata_encoded,
 	return 0;
 }
 
+/*
+ * Function to handle 'Compatibility with PKCS #7' (RFC 5652 section 5.2.1:
+ * "If the implementation is unable to ASN.1 decode the SignedData type using
+ * the CMS SignedData encapContentInfo eContent OCTET STRING syntax,
+ * then the implementation MAY attempt to decode the SignedData type
+ * using the PKCS #7 SignedData contentInfo content ANY syntax and
+ * compute the message digest accordingly."
+ */
+static int
+signed_data_decode_pkcs7(ANY_t *coded, struct SignedData **result)
+{
+	struct SignedDataPKCS7 *sdata_pkcs7;
+	struct SignedData *sdata;
+	int error;
+
+	error = asn1_decode_any(coded, &asn_DEF_SignedDataPKCS7,
+	    (void **) &sdata_pkcs7);
+	if (error)
+		return error;
+
+	sdata = calloc(1, sizeof(struct SignedData));
+	if (sdata == NULL) {
+		error = pr_enomem();
+		goto release_sdata_pkcs7;
+	}
+
+	/* Parse content as OCTET STRING */
+	error = asn1_decode_any(sdata_pkcs7->encapContentInfo.eContent,
+	    &asn_DEF_ContentTypePKCS7,
+	    (void **) &sdata->encapContentInfo.eContent);
+	if (error)
+		goto release_sdata;
+
+	/* Shallow copy to a SignedData struct */
+	sdata->version = sdata_pkcs7->version;
+	sdata->digestAlgorithms = sdata_pkcs7->digestAlgorithms;
+	sdata->encapContentInfo.eContentType =
+	    sdata_pkcs7->encapContentInfo.eContentType;
+	sdata->certificates = sdata_pkcs7->certificates;
+	sdata->crls = sdata_pkcs7->crls;
+	sdata->signerInfos = sdata_pkcs7->signerInfos;
+
+	/* Release what isnt's referenced */
+	ASN_STRUCT_FREE(asn_DEF_ANY, sdata_pkcs7->encapContentInfo.eContent);
+	free(sdata_pkcs7);
+
+	*result = sdata;
+	return 0;
+
+release_sdata:
+	free(sdata);
+release_sdata_pkcs7:
+	ASN_STRUCT_FREE(asn_DEF_SignedDataPKCS7, sdata_pkcs7);
+	return error;
+}
+
 int
 signed_data_decode(ANY_t *coded, struct signed_object_args *args,
     struct SignedData **result)
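Review bot: `sdata_pkcs7->encapContentInfo.eContent` is handed to asn1_decode_any at the "Parse content as OCTET STRING" step without a NULL check, yet the encapsulated content is OPTIONAL in both the PKCS #7 and the CMS SignedData syntax, so a signed object that omits it reaches the decoder with a null ANY_t and whether asn1_decode_any tolerates that is not visible here; a guard such as `if (sdata_pkcs7->encapContentInfo.eContent == NULL) { error = pr_err("PKCS #7 SignedData has no content"); goto release_sdata; }` before that call would fail it explicitly. The `release_sdata` path uses a plain `free(sdata)`, which is only leak-free if a failed asn1_decode_any leaves `sdata->encapContentInfo.eContent` untouched — worth confirming against that helper's contract, since this path is reached precisely on malformed input. The shallow copy followed by `free(sdata_pkcs7)` silently transfers ownership of digestAlgorithms, certificates, crls and signerInfos to `sdata`; a comment stating that the caller must release the result with `ASN_STRUCT_FREE(asn_DEF_SignedData, ...)` and that `sdata_pkcs7` must not be touched after this point would make that explicit. The comment `Release what isnt's referenced` should read `Release what isn't referenced`.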
@@ -396,8 +454,12 @@ signed_data_decode(ANY_t *coded, struct signed_object_args *args,
 	/* rfc6488#section-3.1.l */
 	/* TODO (next iteration) this is BER, not guaranteed to be DER. */
 	error = asn1_decode_any(coded, &asn_DEF_SignedData, (void **) &sdata);
-	if (error)
-		return error;
+	if (error) {
+		/* Try to decode as PKCS content (RFC 5652 section 5.2.1) */
+		error = signed_data_decode_pkcs7(coded, &sdata);
+		if (error)
+			return (error);
+	}
 
 	error = validate(sdata, coded, args);
 	if (error) {
diff --git a/src/object/certificate.c b/src/object/certificate.c
index 3f1cbd5a..7f6b53c2 100644
--- a/src/object/certificate.c
+++ b/src/object/certificate.c
@@ -15,7 +15,6 @@
 #include "thread_var.h"
 #include "asn1/decode.h"
 #include "asn1/oid.h"
-#include "asn1/signed_data.h"
 #include "crypto/hash.h"
 #include "object/name.h"
 #include "rsync/rsync.h"
@@ -1437,7 +1436,7 @@ certificate_traverse(struct rpp *rpp_parent, struct rpki_uri const *cert_uri,
 	if (sk_X509_num(validation_certs(state)) >= config_get_max_cert_depth())
 		return pr_err("Certificate chain maximum depth exceeded.");
 
-	pr_debug_add("%s Certificate '%s' {", is_ta ? "TA" : "CA",
+	pr_debug_add("%s Certificate '%s' {", IS_TA ? "TA" : "CA",
 	    uri_get_printable(cert_uri));
 	fnstack_push_uri(cert_uri);
 	memset(&refs, 0, sizeof(refs));
diff --git a/src/object/ghostbusters.c b/src/object/ghostbusters.c
index 72c28515..fb5e2ac5 100644
--- a/src/object/ghostbusters.c
+++ b/src/object/ghostbusters.c
@@ -3,7 +3,6 @@
 #include "log.h"
 #include "thread_var.h"
 #include "asn1/oid.h"
-#include "asn1/signed_data.h"
 #include "object/signed_object.h"
 #include "vcard.h"
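Review bot: The PKCS #7 fallback is attempted on every non-zero result of the CMS `asn1_decode_any`, not only on a syntax mismatch, so the original error code is discarded and any non-syntactic failure (an allocation error, for instance) is retried as if the object were PKCS #7; if asn1_decode_any also logs its failure, a malformed object will now report two decode errors and the log will not say which parse the final error belongs to. A short log line before the `signed_data_decode_pkcs7` call naming the retry would keep the error attribution clear, and the comment on the fallback could note that the existing TODO already accepts BER and that this relaxes the RFC 6488 section 3.1.l DER requirement further, with `validate()` on the next line being what keeps the relaxed input bounded. Style: `return (error);` is inconsistent with the `return error;` form used elsewhere in this function. signed_data_decode's body continues outside the hunk.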