From: Nikos Mavrogiannopoulos Date: Mon, 1 Jun 2015 08:43:46 +0000 (+0200) Subject: verify PKCS #7 signed data X-Git-Tag: gnutls_3_4_2~66 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=07afd47766dccc8356fac66a863bd2b6ee752974;p=thirdparty%2Fgnutls.git verify PKCS #7 signed data --- diff --git a/lib/pkix.asn b/lib/pkix.asn index eb64138249..123609cdf5 100644 --- a/lib/pkix.asn +++ b/lib/pkix.asn @@ -366,8 +366,33 @@ pkcs-7-CertificateChoices ::= CHOICE { pkcs-7-CertificateSet ::= SET OF pkcs-7-CertificateChoices -pkcs-7-SignerInfos ::= SET OF ANY -- this is not correct but we don't use it - -- anyway +IssuerAndSerialNumber ::= SEQUENCE { + issuer Name, + serialNumber CertificateSerialNumber +} + +pkcs-7-SignerInfo ::= SEQUENCE { + version INTEGER, + sid SignerIdentifier, + digestAlgorithm AlgorithmIdentifier, + signedAttrs [0] IMPLICIT SignedAttributes OPTIONAL, + signatureAlgorithm AlgorithmIdentifier, + signature OCTET STRING, + unsignedAttrs [1] IMPLICIT ANY OPTIONAL } + +SignedAttributes ::= SET SIZE (1..MAX) OF Attribute + +Attribute ::= SEQUENCE { + attrType OBJECT IDENTIFIER, + attrValues SET OF ANY +} + +SignerIdentifier ::= CHOICE { + issuerAndSerialNumber IssuerAndSerialNumber, + subjectKeyIdentifier [0] SubjectKeyIdentifier +} + +pkcs-7-SignerInfos ::= SET OF pkcs-7-SignerInfo -- BEGIN of RFC2986 diff --git a/lib/pkix_asn1_tab.c b/lib/pkix_asn1_tab.c index 5c7031cc15..8506ab4c0d 100644 --- a/lib/pkix_asn1_tab.c +++ b/lib/pkix_asn1_tab.c @@ -255,8 +255,32 @@ const asn1_static_node pkix_asn1_tab[] = { { "certificate", 13, NULL }, { "pkcs-7-CertificateSet", 1610612751, NULL }, { NULL, 2, "pkcs-7-CertificateChoices"}, - { "pkcs-7-SignerInfos", 1610612751, NULL }, + { "IssuerAndSerialNumber", 1610612741, NULL }, + { "issuer", 1073741826, "Name"}, + { "serialNumber", 2, "CertificateSerialNumber"}, + { "pkcs-7-SignerInfo", 1610612741, NULL }, + { "version", 1073741827, NULL }, + { "sid", 1073741826, "SignerIdentifier"}, + { "digestAlgorithm", 1073741826, "AlgorithmIdentifier"}, + { "signedAttrs", 1610637314, "SignedAttributes"}, + { NULL, 4104, "0"}, + { "signatureAlgorithm", 1073741826, "AlgorithmIdentifier"}, + { "signature", 1073741831, NULL }, + { "unsignedAttrs", 536895501, NULL }, + { NULL, 4104, "1"}, + { "SignedAttributes", 1612709903, NULL }, + { "MAX", 1074266122, "1"}, + { NULL, 2, "Attribute"}, + { "Attribute", 1610612741, NULL }, + { "attrType", 1073741836, NULL }, + { "attrValues", 536870927, NULL }, { NULL, 13, NULL }, + { "SignerIdentifier", 1610612754, NULL }, + { "issuerAndSerialNumber", 1073741826, "IssuerAndSerialNumber"}, + { "subjectKeyIdentifier", 536879106, "SubjectKeyIdentifier"}, + { NULL, 4104, "0"}, + { "pkcs-7-SignerInfos", 1610612751, NULL }, + { NULL, 2, "pkcs-7-SignerInfo"}, { "pkcs-10-CertificationRequestInfo", 1610612741, NULL }, { "version", 1073741827, NULL }, { "subject", 1073741826, "Name"}, diff --git a/lib/x509/pkcs7.c b/lib/x509/pkcs7.c index eb9fb68bfe..e90f1ac322 100644 --- a/lib/x509/pkcs7.c +++ b/lib/x509/pkcs7.c @@ -33,6 +33,7 @@ #include #define SIGNED_DATA_OID "1.2.840.113549.1.7.2" +#define PLAIN_DATA_OID "1.2.840.113549.1.7.1" /* Decodes the PKCS #7 signed data, and returns an ASN1_TYPE, * which holds them. If raw is non null then the raw decoded @@ -89,6 +90,20 @@ _decode_pkcs7_signed_data(ASN1_TYPE pkcs7, ASN1_TYPE * sdata) goto cleanup; } + /* read the encapsulated content */ + len = sizeof(oid) - 1; + result = asn1_read_value(c2, "encapContentInfo.eContentType", oid, &len); + if (result != ASN1_SUCCESS) { + gnutls_assert(); + return _gnutls_asn2err(result); + } + + if (strcmp(oid, PLAIN_DATA_OID) != 0) { + gnutls_assert(); + _gnutls_debug_log("Unknown or unexpected PKCS7 Encapsulated Content OID '%s'\n", oid); + return GNUTLS_E_UNKNOWN_PKCS_CONTENT_TYPE; + } + *sdata = c2; return 0; @@ -233,10 +248,7 @@ gnutls_pkcs7_import(gnutls_pkcs7_t pkcs7, const gnutls_datum_t * data, goto cleanup; } - if (need_free) - _gnutls_free_datum(&_data); - - return 0; + result = 0; cleanup: if (need_free)