OLD | NEW |
1 /* crypto/pkcs7/pk7_doit.c */ | 1 /* crypto/pkcs7/pk7_doit.c */ |
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
3 * All rights reserved. | 3 * All rights reserved. |
4 * | 4 * |
5 * This package is an SSL implementation written | 5 * This package is an SSL implementation written |
6 * by Eric Young (eay@cryptsoft.com). | 6 * by Eric Young (eay@cryptsoft.com). |
7 * The implementation was written so as to conform with Netscapes SSL. | 7 * The implementation was written so as to conform with Netscapes SSL. |
8 * | 8 * |
9 * This library is free for commercial and non-commercial use as long as | 9 * This library is free for commercial and non-commercial use as long as |
10 * the following conditions are aheared to. The following conditions | 10 * the following conditions are aheared to. The following conditions |
(...skipping 120 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
131 | 131 |
132 return 1; | 132 return 1; |
133 | 133 |
134 err: | 134 err: |
135 if (btmp) | 135 if (btmp) |
136 BIO_free(btmp); | 136 BIO_free(btmp); |
137 return 0; | 137 return 0; |
138 | 138 |
139 } | 139 } |
140 | 140 |
| 141 static int pkcs7_encode_rinfo(PKCS7_RECIP_INFO *ri, |
| 142 unsigned char *key, int keylen) |
| 143 { |
| 144 EVP_PKEY_CTX *pctx = NULL; |
| 145 EVP_PKEY *pkey = NULL; |
| 146 unsigned char *ek = NULL; |
| 147 int ret = 0; |
| 148 size_t eklen; |
| 149 |
| 150 pkey = X509_get_pubkey(ri->cert); |
| 151 |
| 152 if (!pkey) |
| 153 return 0; |
| 154 |
| 155 pctx = EVP_PKEY_CTX_new(pkey, NULL); |
| 156 if (!pctx) |
| 157 return 0; |
| 158 |
| 159 if (EVP_PKEY_encrypt_init(pctx) <= 0) |
| 160 goto err; |
| 161 |
| 162 if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_ENCRYPT, |
| 163 EVP_PKEY_CTRL_PKCS7_ENCRYPT, 0, ri) <= 0) |
| 164 { |
| 165 PKCS7err(PKCS7_F_PKCS7_ENCODE_RINFO, PKCS7_R_CTRL_ERROR); |
| 166 goto err; |
| 167 } |
| 168 |
| 169 if (EVP_PKEY_encrypt(pctx, NULL, &eklen, key, keylen) <= 0) |
| 170 goto err; |
| 171 |
| 172 ek = OPENSSL_malloc(eklen); |
| 173 |
| 174 if (ek == NULL) |
| 175 { |
| 176 PKCS7err(PKCS7_F_PKCS7_ENCODE_RINFO, ERR_R_MALLOC_FAILURE); |
| 177 goto err; |
| 178 } |
| 179 |
| 180 if (EVP_PKEY_encrypt(pctx, ek, &eklen, key, keylen) <= 0) |
| 181 goto err; |
| 182 |
| 183 ASN1_STRING_set0(ri->enc_key, ek, eklen); |
| 184 ek = NULL; |
| 185 |
| 186 ret = 1; |
| 187 |
| 188 err: |
| 189 if (pkey) |
| 190 EVP_PKEY_free(pkey); |
| 191 if (pctx) |
| 192 EVP_PKEY_CTX_free(pctx); |
| 193 if (ek) |
| 194 OPENSSL_free(ek); |
| 195 return ret; |
| 196 |
| 197 } |
| 198 |
| 199 |
| 200 static int pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen, |
| 201 PKCS7_RECIP_INFO *ri, EVP_PKEY *pkey) |
| 202 { |
| 203 EVP_PKEY_CTX *pctx = NULL; |
| 204 unsigned char *ek = NULL; |
| 205 size_t eklen; |
| 206 |
| 207 int ret = 0; |
| 208 |
| 209 pctx = EVP_PKEY_CTX_new(pkey, NULL); |
| 210 if (!pctx) |
| 211 return 0; |
| 212 |
| 213 if (EVP_PKEY_decrypt_init(pctx) <= 0) |
| 214 goto err; |
| 215 |
| 216 if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_DECRYPT, |
| 217 EVP_PKEY_CTRL_PKCS7_DECRYPT, 0, ri) <= 0) |
| 218 { |
| 219 PKCS7err(PKCS7_F_PKCS7_DECRYPT_RINFO, PKCS7_R_CTRL_ERROR); |
| 220 goto err; |
| 221 } |
| 222 |
| 223 if (EVP_PKEY_decrypt(pctx, NULL, &eklen, |
| 224 ri->enc_key->data, ri->enc_key->length) <= 0) |
| 225 goto err; |
| 226 |
| 227 ek = OPENSSL_malloc(eklen); |
| 228 |
| 229 if (ek == NULL) |
| 230 { |
| 231 PKCS7err(PKCS7_F_PKCS7_DECRYPT_RINFO, ERR_R_MALLOC_FAILURE); |
| 232 goto err; |
| 233 } |
| 234 |
| 235 if (EVP_PKEY_decrypt(pctx, ek, &eklen, |
| 236 ri->enc_key->data, ri->enc_key->length) <= 0) |
| 237 { |
| 238 PKCS7err(PKCS7_F_PKCS7_DECRYPT_RINFO, ERR_R_EVP_LIB); |
| 239 goto err; |
| 240 } |
| 241 |
| 242 ret = 1; |
| 243 |
| 244 *pek = ek; |
| 245 *peklen = eklen; |
| 246 |
| 247 err: |
| 248 if (pctx) |
| 249 EVP_PKEY_CTX_free(pctx); |
| 250 if (!ret && ek) |
| 251 OPENSSL_free(ek); |
| 252 |
| 253 return ret; |
| 254 } |
| 255 |
141 BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio) | 256 BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio) |
142 { | 257 { |
143 int i; | 258 int i; |
144 BIO *out=NULL,*btmp=NULL; | 259 BIO *out=NULL,*btmp=NULL; |
145 X509_ALGOR *xa = NULL; | 260 X509_ALGOR *xa = NULL; |
146 const EVP_CIPHER *evp_cipher=NULL; | 261 const EVP_CIPHER *evp_cipher=NULL; |
147 STACK_OF(X509_ALGOR) *md_sk=NULL; | 262 STACK_OF(X509_ALGOR) *md_sk=NULL; |
148 STACK_OF(PKCS7_RECIP_INFO) *rsk=NULL; | 263 STACK_OF(PKCS7_RECIP_INFO) *rsk=NULL; |
149 X509_ALGOR *xalg=NULL; | 264 X509_ALGOR *xalg=NULL; |
150 PKCS7_RECIP_INFO *ri=NULL; | 265 PKCS7_RECIP_INFO *ri=NULL; |
151 EVP_PKEY *pkey; | |
152 ASN1_OCTET_STRING *os=NULL; | 266 ASN1_OCTET_STRING *os=NULL; |
153 | 267 |
154 i=OBJ_obj2nid(p7->type); | 268 i=OBJ_obj2nid(p7->type); |
155 p7->state=PKCS7_S_HEADER; | 269 p7->state=PKCS7_S_HEADER; |
156 | 270 |
157 switch (i) | 271 switch (i) |
158 { | 272 { |
159 case NID_pkcs7_signed: | 273 case NID_pkcs7_signed: |
160 md_sk=p7->d.sign->md_algs; | 274 md_sk=p7->d.sign->md_algs; |
161 os = PKCS7_get_octet_string(p7->d.sign->contents); | 275 os = PKCS7_get_octet_string(p7->d.sign->contents); |
(...skipping 18 matching lines...) Expand all Loading... |
180 { | 294 { |
181 PKCS7err(PKCS7_F_PKCS7_DATAINIT, | 295 PKCS7err(PKCS7_F_PKCS7_DATAINIT, |
182 PKCS7_R_CIPHER_NOT_INITIALIZED); | 296 PKCS7_R_CIPHER_NOT_INITIALIZED); |
183 goto err; | 297 goto err; |
184 } | 298 } |
185 break; | 299 break; |
186 case NID_pkcs7_digest: | 300 case NID_pkcs7_digest: |
187 xa = p7->d.digest->md; | 301 xa = p7->d.digest->md; |
188 os = PKCS7_get_octet_string(p7->d.digest->contents); | 302 os = PKCS7_get_octet_string(p7->d.digest->contents); |
189 break; | 303 break; |
| 304 case NID_pkcs7_data: |
| 305 break; |
190 default: | 306 default: |
191 PKCS7err(PKCS7_F_PKCS7_DATAINIT,PKCS7_R_UNSUPPORTED_CONTENT_TYPE
); | 307 PKCS7err(PKCS7_F_PKCS7_DATAINIT,PKCS7_R_UNSUPPORTED_CONTENT_TYPE
); |
192 goto err; | 308 goto err; |
193 } | 309 } |
194 | 310 |
195 for (i=0; i<sk_X509_ALGOR_num(md_sk); i++) | 311 for (i=0; i<sk_X509_ALGOR_num(md_sk); i++) |
196 if (!PKCS7_bio_add_digest(&out, sk_X509_ALGOR_value(md_sk, i))) | 312 if (!PKCS7_bio_add_digest(&out, sk_X509_ALGOR_value(md_sk, i))) |
197 goto err; | 313 goto err; |
198 | 314 |
199 if (xa && !PKCS7_bio_add_digest(&out, xa)) | 315 if (xa && !PKCS7_bio_add_digest(&out, xa)) |
200 goto err; | 316 goto err; |
201 | 317 |
202 if (evp_cipher != NULL) | 318 if (evp_cipher != NULL) |
203 { | 319 { |
204 unsigned char key[EVP_MAX_KEY_LENGTH]; | 320 unsigned char key[EVP_MAX_KEY_LENGTH]; |
205 unsigned char iv[EVP_MAX_IV_LENGTH]; | 321 unsigned char iv[EVP_MAX_IV_LENGTH]; |
206 int keylen,ivlen; | 322 int keylen,ivlen; |
207 int jj,max; | |
208 unsigned char *tmp; | |
209 EVP_CIPHER_CTX *ctx; | 323 EVP_CIPHER_CTX *ctx; |
210 | 324 |
211 if ((btmp=BIO_new(BIO_f_cipher())) == NULL) | 325 if ((btmp=BIO_new(BIO_f_cipher())) == NULL) |
212 { | 326 { |
213 PKCS7err(PKCS7_F_PKCS7_DATAINIT,ERR_R_BIO_LIB); | 327 PKCS7err(PKCS7_F_PKCS7_DATAINIT,ERR_R_BIO_LIB); |
214 goto err; | 328 goto err; |
215 } | 329 } |
216 BIO_get_cipher_ctx(btmp, &ctx); | 330 BIO_get_cipher_ctx(btmp, &ctx); |
217 keylen=EVP_CIPHER_key_length(evp_cipher); | 331 keylen=EVP_CIPHER_key_length(evp_cipher); |
218 ivlen=EVP_CIPHER_iv_length(evp_cipher); | 332 ivlen=EVP_CIPHER_iv_length(evp_cipher); |
219 xalg->algorithm = OBJ_nid2obj(EVP_CIPHER_type(evp_cipher)); | 333 xalg->algorithm = OBJ_nid2obj(EVP_CIPHER_type(evp_cipher)); |
220 if (ivlen > 0) | 334 if (ivlen > 0) |
221 if (RAND_pseudo_bytes(iv,ivlen) <= 0) | 335 if (RAND_pseudo_bytes(iv,ivlen) <= 0) |
222 goto err; | 336 goto err; |
223 if (EVP_CipherInit_ex(ctx, evp_cipher, NULL, NULL, NULL, 1)<=0) | 337 if (EVP_CipherInit_ex(ctx, evp_cipher, NULL, NULL, NULL, 1)<=0) |
224 goto err; | 338 goto err; |
225 if (EVP_CIPHER_CTX_rand_key(ctx, key) <= 0) | 339 if (EVP_CIPHER_CTX_rand_key(ctx, key) <= 0) |
226 goto err; | 340 goto err; |
227 if (EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, 1) <= 0) | 341 if (EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, 1) <= 0) |
228 goto err; | 342 goto err; |
229 | 343 |
230 if (ivlen > 0) { | 344 if (ivlen > 0) { |
231 if (xalg->parameter == NULL) { | 345 if (xalg->parameter == NULL) { |
232 xalg->parameter = ASN1_TYPE_new(); | 346 xalg->parameter = ASN1_TYPE_new(); |
233 if (xalg->parameter == NULL) | 347 if (xalg->parameter == NULL) |
234 goto err; | 348 goto err; |
235 } | 349 } |
236 if(EVP_CIPHER_param_to_asn1(ctx, xalg->parameter) < 0) | 350 if(EVP_CIPHER_param_to_asn1(ctx, xalg->parameter) < 0) |
237 » » » goto err; | 351 » » » » goto err; |
238 } | 352 } |
239 | 353 |
240 /* Lets do the pub key stuff :-) */ | 354 /* Lets do the pub key stuff :-) */ |
241 max=0; | |
242 for (i=0; i<sk_PKCS7_RECIP_INFO_num(rsk); i++) | 355 for (i=0; i<sk_PKCS7_RECIP_INFO_num(rsk); i++) |
243 { | 356 { |
244 ri=sk_PKCS7_RECIP_INFO_value(rsk,i); | 357 ri=sk_PKCS7_RECIP_INFO_value(rsk,i); |
245 » » » if (ri->cert == NULL) | 358 » » » if (pkcs7_encode_rinfo(ri, key, keylen) <= 0) |
246 » » » » { | |
247 » » » » PKCS7err(PKCS7_F_PKCS7_DATAINIT,PKCS7_R_MISSING_
CERIPEND_INFO); | |
248 goto err; | 359 goto err; |
249 } | |
250 if ((pkey=X509_get_pubkey(ri->cert)) == NULL) | |
251 goto err; | |
252 jj=EVP_PKEY_size(pkey); | |
253 EVP_PKEY_free(pkey); | |
254 if (max < jj) max=jj; | |
255 } | 360 } |
256 if ((tmp=(unsigned char *)OPENSSL_malloc(max)) == NULL) | |
257 { | |
258 PKCS7err(PKCS7_F_PKCS7_DATAINIT,ERR_R_MALLOC_FAILURE); | |
259 goto err; | |
260 } | |
261 for (i=0; i<sk_PKCS7_RECIP_INFO_num(rsk); i++) | |
262 { | |
263 ri=sk_PKCS7_RECIP_INFO_value(rsk,i); | |
264 if ((pkey=X509_get_pubkey(ri->cert)) == NULL) | |
265 goto err; | |
266 jj=EVP_PKEY_encrypt(tmp,key,keylen,pkey); | |
267 EVP_PKEY_free(pkey); | |
268 if (jj <= 0) | |
269 { | |
270 PKCS7err(PKCS7_F_PKCS7_DATAINIT,ERR_R_EVP_LIB); | |
271 OPENSSL_free(tmp); | |
272 goto err; | |
273 } | |
274 if (!M_ASN1_OCTET_STRING_set(ri->enc_key,tmp,jj)) | |
275 { | |
276 PKCS7err(PKCS7_F_PKCS7_DATAINIT, | |
277 ERR_R_MALLOC_FAILURE); | |
278 OPENSSL_free(tmp); | |
279 goto err; | |
280 } | |
281 } | |
282 OPENSSL_free(tmp); | |
283 OPENSSL_cleanse(key, keylen); | 361 OPENSSL_cleanse(key, keylen); |
284 | 362 |
285 if (out == NULL) | 363 if (out == NULL) |
286 out=btmp; | 364 out=btmp; |
287 else | 365 else |
288 BIO_push(out,btmp); | 366 BIO_push(out,btmp); |
289 btmp=NULL; | 367 btmp=NULL; |
290 } | 368 } |
291 | 369 |
292 if (bio == NULL) | 370 if (bio == NULL) |
293 { | 371 { |
294 if (PKCS7_is_detached(p7)) | 372 if (PKCS7_is_detached(p7)) |
295 bio=BIO_new(BIO_s_null()); | 373 bio=BIO_new(BIO_s_null()); |
296 else if (os && os->length > 0) | 374 else if (os && os->length > 0) |
297 bio = BIO_new_mem_buf(os->data, os->length); | 375 bio = BIO_new_mem_buf(os->data, os->length); |
298 if(bio == NULL) | 376 if(bio == NULL) |
299 { | 377 { |
300 bio=BIO_new(BIO_s_mem()); | 378 bio=BIO_new(BIO_s_mem()); |
301 if (bio == NULL) | 379 if (bio == NULL) |
302 goto err; | 380 goto err; |
303 BIO_set_mem_eof_return(bio,0); | 381 BIO_set_mem_eof_return(bio,0); |
304 } | 382 } |
305 } | 383 } |
306 » BIO_push(out,bio); | 384 » if (out) |
| 385 » » BIO_push(out,bio); |
| 386 » else |
| 387 » » out = bio; |
307 bio=NULL; | 388 bio=NULL; |
308 if (0) | 389 if (0) |
309 { | 390 { |
310 err: | 391 err: |
311 if (out != NULL) | 392 if (out != NULL) |
312 BIO_free_all(out); | 393 BIO_free_all(out); |
313 if (btmp != NULL) | 394 if (btmp != NULL) |
314 BIO_free_all(btmp); | 395 BIO_free_all(btmp); |
315 out=NULL; | 396 out=NULL; |
316 } | 397 } |
317 return(out); | 398 return(out); |
318 } | 399 } |
319 | 400 |
320 static int pkcs7_cmp_ri(PKCS7_RECIP_INFO *ri, X509 *pcert) | 401 static int pkcs7_cmp_ri(PKCS7_RECIP_INFO *ri, X509 *pcert) |
321 { | 402 { |
322 int ret; | 403 int ret; |
323 ret = X509_NAME_cmp(ri->issuer_and_serial->issuer, | 404 ret = X509_NAME_cmp(ri->issuer_and_serial->issuer, |
324 pcert->cert_info->issuer); | 405 pcert->cert_info->issuer); |
325 if (ret) | 406 if (ret) |
326 return ret; | 407 return ret; |
327 return M_ASN1_INTEGER_cmp(pcert->cert_info->serialNumber, | 408 return M_ASN1_INTEGER_cmp(pcert->cert_info->serialNumber, |
328 ri->issuer_and_serial->serial); | 409 ri->issuer_and_serial->serial); |
329 } | 410 } |
330 | 411 |
331 /* int */ | 412 /* int */ |
332 BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) | 413 BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) |
333 { | 414 { |
334 int i,j; | 415 int i,j; |
335 BIO *out=NULL,*btmp=NULL,*etmp=NULL,*bio=NULL; | 416 BIO *out=NULL,*btmp=NULL,*etmp=NULL,*bio=NULL; |
336 unsigned char *tmp=NULL; | |
337 X509_ALGOR *xa; | 417 X509_ALGOR *xa; |
338 ASN1_OCTET_STRING *data_body=NULL; | 418 ASN1_OCTET_STRING *data_body=NULL; |
339 const EVP_MD *evp_md; | 419 const EVP_MD *evp_md; |
340 const EVP_CIPHER *evp_cipher=NULL; | 420 const EVP_CIPHER *evp_cipher=NULL; |
341 EVP_CIPHER_CTX *evp_ctx=NULL; | 421 EVP_CIPHER_CTX *evp_ctx=NULL; |
342 X509_ALGOR *enc_alg=NULL; | 422 X509_ALGOR *enc_alg=NULL; |
343 STACK_OF(X509_ALGOR) *md_sk=NULL; | 423 STACK_OF(X509_ALGOR) *md_sk=NULL; |
344 STACK_OF(PKCS7_RECIP_INFO) *rsk=NULL; | 424 STACK_OF(PKCS7_RECIP_INFO) *rsk=NULL; |
345 X509_ALGOR *xalg=NULL; | |
346 PKCS7_RECIP_INFO *ri=NULL; | 425 PKCS7_RECIP_INFO *ri=NULL; |
347 | 426 |
348 i=OBJ_obj2nid(p7->type); | 427 i=OBJ_obj2nid(p7->type); |
349 p7->state=PKCS7_S_HEADER; | 428 p7->state=PKCS7_S_HEADER; |
350 | 429 |
351 switch (i) | 430 switch (i) |
352 { | 431 { |
353 case NID_pkcs7_signed: | 432 case NID_pkcs7_signed: |
354 data_body=PKCS7_get_octet_string(p7->d.sign->contents); | 433 data_body=PKCS7_get_octet_string(p7->d.sign->contents); |
355 md_sk=p7->d.sign->md_algs; | 434 md_sk=p7->d.sign->md_algs; |
356 break; | 435 break; |
357 case NID_pkcs7_signedAndEnveloped: | 436 case NID_pkcs7_signedAndEnveloped: |
358 rsk=p7->d.signed_and_enveloped->recipientinfo; | 437 rsk=p7->d.signed_and_enveloped->recipientinfo; |
359 md_sk=p7->d.signed_and_enveloped->md_algs; | 438 md_sk=p7->d.signed_and_enveloped->md_algs; |
360 data_body=p7->d.signed_and_enveloped->enc_data->enc_data; | 439 data_body=p7->d.signed_and_enveloped->enc_data->enc_data; |
361 enc_alg=p7->d.signed_and_enveloped->enc_data->algorithm; | 440 enc_alg=p7->d.signed_and_enveloped->enc_data->algorithm; |
362 evp_cipher=EVP_get_cipherbyobj(enc_alg->algorithm); | 441 evp_cipher=EVP_get_cipherbyobj(enc_alg->algorithm); |
363 if (evp_cipher == NULL) | 442 if (evp_cipher == NULL) |
364 { | 443 { |
365 PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_UNSUPPORTED_CI
PHER_TYPE); | 444 PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_UNSUPPORTED_CI
PHER_TYPE); |
366 goto err; | 445 goto err; |
367 } | 446 } |
368 xalg=p7->d.signed_and_enveloped->enc_data->algorithm; | |
369 break; | 447 break; |
370 case NID_pkcs7_enveloped: | 448 case NID_pkcs7_enveloped: |
371 rsk=p7->d.enveloped->recipientinfo; | 449 rsk=p7->d.enveloped->recipientinfo; |
372 enc_alg=p7->d.enveloped->enc_data->algorithm; | 450 enc_alg=p7->d.enveloped->enc_data->algorithm; |
373 data_body=p7->d.enveloped->enc_data->enc_data; | 451 data_body=p7->d.enveloped->enc_data->enc_data; |
374 evp_cipher=EVP_get_cipherbyobj(enc_alg->algorithm); | 452 evp_cipher=EVP_get_cipherbyobj(enc_alg->algorithm); |
375 if (evp_cipher == NULL) | 453 if (evp_cipher == NULL) |
376 { | 454 { |
377 PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_UNSUPPORTED_CI
PHER_TYPE); | 455 PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_UNSUPPORTED_CI
PHER_TYPE); |
378 goto err; | 456 goto err; |
379 } | 457 } |
380 xalg=p7->d.enveloped->enc_data->algorithm; | |
381 break; | 458 break; |
382 default: | 459 default: |
383 PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_UNSUPPORTED_CONTENT_TY
PE); | 460 PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_UNSUPPORTED_CONTENT_TY
PE); |
384 goto err; | 461 goto err; |
385 } | 462 } |
386 | 463 |
387 /* We will be checking the signature */ | 464 /* We will be checking the signature */ |
388 if (md_sk != NULL) | 465 if (md_sk != NULL) |
389 { | 466 { |
390 for (i=0; i<sk_X509_ALGOR_num(md_sk); i++) | 467 for (i=0; i<sk_X509_ALGOR_num(md_sk); i++) |
(...skipping 25 matching lines...) Expand all Loading... |
416 if (evp_cipher != NULL) | 493 if (evp_cipher != NULL) |
417 { | 494 { |
418 #if 0 | 495 #if 0 |
419 unsigned char key[EVP_MAX_KEY_LENGTH]; | 496 unsigned char key[EVP_MAX_KEY_LENGTH]; |
420 unsigned char iv[EVP_MAX_IV_LENGTH]; | 497 unsigned char iv[EVP_MAX_IV_LENGTH]; |
421 unsigned char *p; | 498 unsigned char *p; |
422 int keylen,ivlen; | 499 int keylen,ivlen; |
423 int max; | 500 int max; |
424 X509_OBJECT ret; | 501 X509_OBJECT ret; |
425 #endif | 502 #endif |
426 » » int jj; | 503 » » unsigned char *ek = NULL; |
| 504 » » int eklen; |
427 | 505 |
428 if ((etmp=BIO_new(BIO_f_cipher())) == NULL) | 506 if ((etmp=BIO_new(BIO_f_cipher())) == NULL) |
429 { | 507 { |
430 PKCS7err(PKCS7_F_PKCS7_DATADECODE,ERR_R_BIO_LIB); | 508 PKCS7err(PKCS7_F_PKCS7_DATADECODE,ERR_R_BIO_LIB); |
431 goto err; | 509 goto err; |
432 } | 510 } |
433 | 511 |
434 /* It was encrypted, we need to decrypt the secret key | 512 /* It was encrypted, we need to decrypt the secret key |
435 * with the private key */ | 513 * with the private key */ |
436 | 514 |
437 /* Find the recipientInfo which matches the passed certificate | 515 /* Find the recipientInfo which matches the passed certificate |
438 * (if any) | 516 * (if any) |
439 */ | 517 */ |
440 | 518 |
441 » » if (pcert) { | 519 » » if (pcert) |
442 » » » for (i=0; i<sk_PKCS7_RECIP_INFO_num(rsk); i++) { | 520 » » » { |
| 521 » » » for (i=0; i<sk_PKCS7_RECIP_INFO_num(rsk); i++) |
| 522 » » » » { |
443 ri=sk_PKCS7_RECIP_INFO_value(rsk,i); | 523 ri=sk_PKCS7_RECIP_INFO_value(rsk,i); |
444 if (!pkcs7_cmp_ri(ri, pcert)) | 524 if (!pkcs7_cmp_ri(ri, pcert)) |
445 break; | 525 break; |
446 ri=NULL; | 526 ri=NULL; |
447 » » » } | 527 » » » » } |
448 » » » if (ri == NULL) { | 528 » » » if (ri == NULL) |
| 529 » » » » { |
449 PKCS7err(PKCS7_F_PKCS7_DATADECODE, | 530 PKCS7err(PKCS7_F_PKCS7_DATADECODE, |
450 PKCS7_R_NO_RECIPIENT_MATCHES_CERTIFICATE); | 531 PKCS7_R_NO_RECIPIENT_MATCHES_CERTIFICATE); |
451 goto err; | 532 goto err; |
452 » » » } | 533 » » » » } |
453 » » } | |
454 | |
455 » » jj=EVP_PKEY_size(pkey); | |
456 » » tmp=(unsigned char *)OPENSSL_malloc(jj+10); | |
457 » » if (tmp == NULL) | |
458 » » » { | |
459 » » » PKCS7err(PKCS7_F_PKCS7_DATADECODE,ERR_R_MALLOC_FAILURE); | |
460 » » » goto err; | |
461 } | 534 } |
462 | 535 |
463 /* If we haven't got a certificate try each ri in turn */ | 536 /* If we haven't got a certificate try each ri in turn */ |
464 | 537 |
465 if (pcert == NULL) | 538 if (pcert == NULL) |
466 { | 539 { |
467 for (i=0; i<sk_PKCS7_RECIP_INFO_num(rsk); i++) | 540 for (i=0; i<sk_PKCS7_RECIP_INFO_num(rsk); i++) |
468 { | 541 { |
469 ri=sk_PKCS7_RECIP_INFO_value(rsk,i); | 542 ri=sk_PKCS7_RECIP_INFO_value(rsk,i); |
470 » » » » jj=EVP_PKEY_decrypt(tmp, | 543 » » » » if (pkcs7_decrypt_rinfo(&ek, &eklen, |
471 » » » » » M_ASN1_STRING_data(ri->enc_key), | 544 » » » » » » » ri, pkey) > 0) |
472 » » » » » M_ASN1_STRING_length(ri->enc_key), | |
473 » » » » » » pkey); | |
474 » » » » if (jj > 0) | |
475 break; | 545 break; |
476 ERR_clear_error(); | 546 ERR_clear_error(); |
477 ri = NULL; | 547 ri = NULL; |
478 } | 548 } |
479 if (ri == NULL) | 549 if (ri == NULL) |
480 { | 550 { |
481 PKCS7err(PKCS7_F_PKCS7_DATADECODE, | 551 PKCS7err(PKCS7_F_PKCS7_DATADECODE, |
482 PKCS7_R_NO_RECIPIENT_MATCHES_KEY); | 552 PKCS7_R_NO_RECIPIENT_MATCHES_KEY); |
483 goto err; | 553 goto err; |
484 } | 554 } |
485 } | 555 } |
486 else | 556 else |
487 { | 557 { |
488 » » » jj=EVP_PKEY_decrypt(tmp, | 558 » » » if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey) <= 0) |
489 » » » » M_ASN1_STRING_data(ri->enc_key), | |
490 » » » » M_ASN1_STRING_length(ri->enc_key), pkey); | |
491 » » » if (jj <= 0) | |
492 » » » » { | |
493 » » » » PKCS7err(PKCS7_F_PKCS7_DATADECODE, | |
494 » » » » » » » » ERR_R_EVP_LIB); | |
495 goto err; | 559 goto err; |
496 } | |
497 } | 560 } |
498 | 561 |
499 evp_ctx=NULL; | 562 evp_ctx=NULL; |
500 BIO_get_cipher_ctx(etmp,&evp_ctx); | 563 BIO_get_cipher_ctx(etmp,&evp_ctx); |
501 if (EVP_CipherInit_ex(evp_ctx,evp_cipher,NULL,NULL,NULL,0) <= 0) | 564 if (EVP_CipherInit_ex(evp_ctx,evp_cipher,NULL,NULL,NULL,0) <= 0) |
502 goto err; | 565 goto err; |
503 if (EVP_CIPHER_asn1_to_param(evp_ctx,enc_alg->parameter) < 0) | 566 if (EVP_CIPHER_asn1_to_param(evp_ctx,enc_alg->parameter) < 0) |
504 goto err; | 567 goto err; |
505 | 568 |
506 » » if (jj != EVP_CIPHER_CTX_key_length(evp_ctx)) { | 569 » » if (eklen != EVP_CIPHER_CTX_key_length(evp_ctx)) { |
507 /* Some S/MIME clients don't use the same key | 570 /* Some S/MIME clients don't use the same key |
508 * and effective key length. The key length is | 571 * and effective key length. The key length is |
509 * determined by the size of the decrypted RSA key. | 572 * determined by the size of the decrypted RSA key. |
510 */ | 573 */ |
511 » » » if(!EVP_CIPHER_CTX_set_key_length(evp_ctx, jj)) | 574 » » » if(!EVP_CIPHER_CTX_set_key_length(evp_ctx, eklen)) |
512 { | 575 { |
513 PKCS7err(PKCS7_F_PKCS7_DATADECODE, | 576 PKCS7err(PKCS7_F_PKCS7_DATADECODE, |
514 PKCS7_R_DECRYPTED_KEY_IS_WRONG_LENGTH); | 577 PKCS7_R_DECRYPTED_KEY_IS_WRONG_LENGTH); |
515 goto err; | 578 goto err; |
516 } | 579 } |
517 } | 580 } |
518 » » if (EVP_CipherInit_ex(evp_ctx,NULL,NULL,tmp,NULL,0) <= 0) | 581 » » if (EVP_CipherInit_ex(evp_ctx,NULL,NULL,ek,NULL,0) <= 0) |
519 goto err; | 582 goto err; |
520 | 583 |
521 » » OPENSSL_cleanse(tmp,jj); | 584 » » if (ek) |
| 585 » » » { |
| 586 » » » OPENSSL_cleanse(ek,eklen); |
| 587 » » » OPENSSL_free(ek); |
| 588 » » » } |
522 | 589 |
523 if (out == NULL) | 590 if (out == NULL) |
524 out=etmp; | 591 out=etmp; |
525 else | 592 else |
526 BIO_push(out,etmp); | 593 BIO_push(out,etmp); |
527 etmp=NULL; | 594 etmp=NULL; |
528 } | 595 } |
529 | 596 |
530 #if 1 | 597 #if 1 |
531 if (PKCS7_is_detached(p7) || (in_bio != NULL)) | 598 if (PKCS7_is_detached(p7) || (in_bio != NULL)) |
(...skipping 27 matching lines...) Expand all Loading... |
559 #endif | 626 #endif |
560 if (0) | 627 if (0) |
561 { | 628 { |
562 err: | 629 err: |
563 if (out != NULL) BIO_free_all(out); | 630 if (out != NULL) BIO_free_all(out); |
564 if (btmp != NULL) BIO_free_all(btmp); | 631 if (btmp != NULL) BIO_free_all(btmp); |
565 if (etmp != NULL) BIO_free_all(etmp); | 632 if (etmp != NULL) BIO_free_all(etmp); |
566 if (bio != NULL) BIO_free_all(bio); | 633 if (bio != NULL) BIO_free_all(bio); |
567 out=NULL; | 634 out=NULL; |
568 } | 635 } |
569 if (tmp != NULL) | |
570 OPENSSL_free(tmp); | |
571 return(out); | 636 return(out); |
572 } | 637 } |
573 | 638 |
574 static BIO *PKCS7_find_digest(EVP_MD_CTX **pmd, BIO *bio, int nid) | 639 static BIO *PKCS7_find_digest(EVP_MD_CTX **pmd, BIO *bio, int nid) |
575 { | 640 { |
576 for (;;) | 641 for (;;) |
577 { | 642 { |
578 bio=BIO_find_type(bio,BIO_TYPE_MD); | 643 bio=BIO_find_type(bio,BIO_TYPE_MD); |
579 if (bio == NULL) | 644 if (bio == NULL) |
580 { | 645 { |
581 PKCS7err(PKCS7_F_PKCS7_FIND_DIGEST,PKCS7_R_UNABLE_TO_FIN
D_MESSAGE_DIGEST); | 646 PKCS7err(PKCS7_F_PKCS7_FIND_DIGEST,PKCS7_R_UNABLE_TO_FIN
D_MESSAGE_DIGEST); |
582 return NULL; | 647 return NULL; |
583 } | 648 } |
584 BIO_get_md_ctx(bio,pmd); | 649 BIO_get_md_ctx(bio,pmd); |
585 if (*pmd == NULL) | 650 if (*pmd == NULL) |
586 { | 651 { |
587 PKCS7err(PKCS7_F_PKCS7_FIND_DIGEST,ERR_R_INTERNAL_ERROR)
; | 652 PKCS7err(PKCS7_F_PKCS7_FIND_DIGEST,ERR_R_INTERNAL_ERROR)
; |
588 return NULL; | 653 return NULL; |
589 } | 654 } |
590 if (EVP_MD_CTX_type(*pmd) == nid) | 655 if (EVP_MD_CTX_type(*pmd) == nid) |
591 return bio; | 656 return bio; |
592 bio=BIO_next(bio); | 657 bio=BIO_next(bio); |
593 } | 658 } |
594 return NULL; | 659 return NULL; |
595 } | 660 } |
596 | 661 |
| 662 static int do_pkcs7_signed_attrib(PKCS7_SIGNER_INFO *si, EVP_MD_CTX *mctx) |
| 663 { |
| 664 unsigned char md_data[EVP_MAX_MD_SIZE]; |
| 665 unsigned int md_len; |
| 666 |
| 667 /* Add signing time if not already present */ |
| 668 if (!PKCS7_get_signed_attribute(si, NID_pkcs9_signingTime)) |
| 669 { |
| 670 if (!PKCS7_add0_attrib_signing_time(si, NULL)) |
| 671 { |
| 672 PKCS7err(PKCS7_F_DO_PKCS7_SIGNED_ATTRIB, |
| 673 ERR_R_MALLOC_FAILURE); |
| 674 return 0; |
| 675 } |
| 676 } |
| 677 |
| 678 /* Add digest */ |
| 679 EVP_DigestFinal_ex(mctx, md_data,&md_len); |
| 680 if (!PKCS7_add1_attrib_digest(si, md_data, md_len)) |
| 681 { |
| 682 PKCS7err(PKCS7_F_DO_PKCS7_SIGNED_ATTRIB, ERR_R_MALLOC_FAILURE); |
| 683 return 0; |
| 684 } |
| 685 |
| 686 /* Now sign the attributes */ |
| 687 if (!PKCS7_SIGNER_INFO_sign(si)) |
| 688 return 0; |
| 689 |
| 690 return 1; |
| 691 } |
| 692 |
| 693 |
597 int PKCS7_dataFinal(PKCS7 *p7, BIO *bio) | 694 int PKCS7_dataFinal(PKCS7 *p7, BIO *bio) |
598 { | 695 { |
599 int ret=0; | 696 int ret=0; |
600 int i,j; | 697 int i,j; |
601 BIO *btmp; | 698 BIO *btmp; |
602 BUF_MEM *buf_mem=NULL; | |
603 BUF_MEM *buf=NULL; | |
604 PKCS7_SIGNER_INFO *si; | 699 PKCS7_SIGNER_INFO *si; |
605 EVP_MD_CTX *mdc,ctx_tmp; | 700 EVP_MD_CTX *mdc,ctx_tmp; |
606 STACK_OF(X509_ATTRIBUTE) *sk; | 701 STACK_OF(X509_ATTRIBUTE) *sk; |
607 STACK_OF(PKCS7_SIGNER_INFO) *si_sk=NULL; | 702 STACK_OF(PKCS7_SIGNER_INFO) *si_sk=NULL; |
608 ASN1_OCTET_STRING *os=NULL; | 703 ASN1_OCTET_STRING *os=NULL; |
609 | 704 |
610 EVP_MD_CTX_init(&ctx_tmp); | 705 EVP_MD_CTX_init(&ctx_tmp); |
611 i=OBJ_obj2nid(p7->type); | 706 i=OBJ_obj2nid(p7->type); |
612 p7->state=PKCS7_S_HEADER; | 707 p7->state=PKCS7_S_HEADER; |
613 | 708 |
614 switch (i) | 709 switch (i) |
615 { | 710 { |
| 711 case NID_pkcs7_data: |
| 712 os = p7->d.data; |
| 713 break; |
616 case NID_pkcs7_signedAndEnveloped: | 714 case NID_pkcs7_signedAndEnveloped: |
617 /* XXXXXXXXXXXXXXXX */ | 715 /* XXXXXXXXXXXXXXXX */ |
618 si_sk=p7->d.signed_and_enveloped->signer_info; | 716 si_sk=p7->d.signed_and_enveloped->signer_info; |
619 » » if (!(os=M_ASN1_OCTET_STRING_new())) | 717 » » os = p7->d.signed_and_enveloped->enc_data->enc_data; |
| 718 » » if (!os) |
620 { | 719 { |
621 » » » PKCS7err(PKCS7_F_PKCS7_DATAFINAL,ERR_R_MALLOC_FAILURE); | 720 » » » os=M_ASN1_OCTET_STRING_new(); |
622 » » » goto err; | 721 » » » if (!os) |
| 722 » » » » { |
| 723 » » » » PKCS7err(PKCS7_F_PKCS7_DATAFINAL,ERR_R_MALLOC_FA
ILURE); |
| 724 » » » » goto err; |
| 725 » » » » } |
| 726 » » » p7->d.signed_and_enveloped->enc_data->enc_data=os; |
623 } | 727 } |
624 p7->d.signed_and_enveloped->enc_data->enc_data=os; | |
625 break; | 728 break; |
626 case NID_pkcs7_enveloped: | 729 case NID_pkcs7_enveloped: |
627 /* XXXXXXXXXXXXXXXX */ | 730 /* XXXXXXXXXXXXXXXX */ |
628 » » if (!(os=M_ASN1_OCTET_STRING_new())) | 731 » » os = p7->d.enveloped->enc_data->enc_data; |
| 732 » » if (!os) |
629 { | 733 { |
630 » » » PKCS7err(PKCS7_F_PKCS7_DATAFINAL,ERR_R_MALLOC_FAILURE); | 734 » » » os=M_ASN1_OCTET_STRING_new(); |
631 » » » goto err; | 735 » » » if (!os) |
| 736 » » » » { |
| 737 » » » » PKCS7err(PKCS7_F_PKCS7_DATAFINAL,ERR_R_MALLOC_FA
ILURE); |
| 738 » » » » goto err; |
| 739 » » » » } |
| 740 » » » p7->d.enveloped->enc_data->enc_data=os; |
632 } | 741 } |
633 p7->d.enveloped->enc_data->enc_data=os; | |
634 break; | 742 break; |
635 case NID_pkcs7_signed: | 743 case NID_pkcs7_signed: |
636 si_sk=p7->d.sign->signer_info; | 744 si_sk=p7->d.sign->signer_info; |
637 os=PKCS7_get_octet_string(p7->d.sign->contents); | 745 os=PKCS7_get_octet_string(p7->d.sign->contents); |
638 /* If detached data then the content is excluded */ | 746 /* If detached data then the content is excluded */ |
639 if(PKCS7_type_is_data(p7->d.sign->contents) && p7->detached) { | 747 if(PKCS7_type_is_data(p7->d.sign->contents) && p7->detached) { |
640 M_ASN1_OCTET_STRING_free(os); | 748 M_ASN1_OCTET_STRING_free(os); |
641 p7->d.sign->contents->d.data = NULL; | 749 p7->d.sign->contents->d.data = NULL; |
642 } | 750 } |
643 break; | 751 break; |
644 | 752 |
645 case NID_pkcs7_digest: | 753 case NID_pkcs7_digest: |
646 os=PKCS7_get_octet_string(p7->d.digest->contents); | 754 os=PKCS7_get_octet_string(p7->d.digest->contents); |
647 /* If detached data then the content is excluded */ | 755 /* If detached data then the content is excluded */ |
648 if(PKCS7_type_is_data(p7->d.digest->contents) && p7->detached) | 756 if(PKCS7_type_is_data(p7->d.digest->contents) && p7->detached) |
649 { | 757 { |
650 M_ASN1_OCTET_STRING_free(os); | 758 M_ASN1_OCTET_STRING_free(os); |
651 p7->d.digest->contents->d.data = NULL; | 759 p7->d.digest->contents->d.data = NULL; |
652 } | 760 } |
653 break; | 761 break; |
654 | 762 |
| 763 default: |
| 764 PKCS7err(PKCS7_F_PKCS7_DATAFINAL,PKCS7_R_UNSUPPORTED_CONTENT_TYP
E); |
| 765 goto err; |
655 } | 766 } |
656 | 767 |
657 if (si_sk != NULL) | 768 if (si_sk != NULL) |
658 { | 769 { |
659 if ((buf=BUF_MEM_new()) == NULL) | |
660 { | |
661 PKCS7err(PKCS7_F_PKCS7_DATAFINAL,ERR_R_BIO_LIB); | |
662 goto err; | |
663 } | |
664 for (i=0; i<sk_PKCS7_SIGNER_INFO_num(si_sk); i++) | 770 for (i=0; i<sk_PKCS7_SIGNER_INFO_num(si_sk); i++) |
665 { | 771 { |
666 si=sk_PKCS7_SIGNER_INFO_value(si_sk,i); | 772 si=sk_PKCS7_SIGNER_INFO_value(si_sk,i); |
667 » » » if (si->pkey == NULL) continue; | 773 » » » if (si->pkey == NULL) |
| 774 » » » » continue; |
668 | 775 |
669 » » » j=OBJ_obj2nid(si->digest_alg->algorithm); | 776 » » » j = OBJ_obj2nid(si->digest_alg->algorithm); |
670 | 777 |
671 btmp=bio; | 778 btmp=bio; |
672 | 779 |
673 btmp = PKCS7_find_digest(&mdc, btmp, j); | 780 btmp = PKCS7_find_digest(&mdc, btmp, j); |
674 | 781 |
675 if (btmp == NULL) | 782 if (btmp == NULL) |
676 goto err; | 783 goto err; |
677 | 784 |
678 /* We now have the EVP_MD_CTX, lets do the | 785 /* We now have the EVP_MD_CTX, lets do the |
679 * signing. */ | 786 * signing. */ |
680 EVP_MD_CTX_copy_ex(&ctx_tmp,mdc); | 787 EVP_MD_CTX_copy_ex(&ctx_tmp,mdc); |
681 if (!BUF_MEM_grow_clean(buf,EVP_PKEY_size(si->pkey))) | |
682 { | |
683 PKCS7err(PKCS7_F_PKCS7_DATAFINAL,ERR_R_BIO_LIB); | |
684 goto err; | |
685 } | |
686 | 788 |
687 sk=si->auth_attr; | 789 sk=si->auth_attr; |
688 | 790 |
689 /* If there are attributes, we add the digest | 791 /* If there are attributes, we add the digest |
690 * attribute and only sign the attributes */ | 792 * attribute and only sign the attributes */ |
691 » » » if ((sk != NULL) && (sk_X509_ATTRIBUTE_num(sk) != 0)) | 793 » » » if (sk_X509_ATTRIBUTE_num(sk) > 0) |
692 { | 794 { |
693 » » » » unsigned char md_data[EVP_MAX_MD_SIZE], *abuf=NU
LL; | 795 » » » » if (!do_pkcs7_signed_attrib(si, &ctx_tmp)) |
694 » » » » unsigned int md_len, alen; | 796 » » » » » goto err; |
695 » » » » ASN1_OCTET_STRING *digest; | 797 » » » » } |
696 » » » » ASN1_UTCTIME *sign_time; | 798 » » » else |
697 » » » » const EVP_MD *md_tmp; | 799 » » » » { |
| 800 » » » » unsigned char *abuf = NULL; |
| 801 » » » » unsigned int abuflen; |
| 802 » » » » abuflen = EVP_PKEY_size(si->pkey); |
| 803 » » » » abuf = OPENSSL_malloc(abuflen); |
| 804 » » » » if (!abuf) |
| 805 » » » » » goto err; |
698 | 806 |
699 » » » » /* Add signing time if not already present */ | 807 » » » » if (!EVP_SignFinal(&ctx_tmp, abuf, &abuflen, |
700 » » » » if (!PKCS7_get_signed_attribute(si, | 808 » » » » » » » si->pkey)) |
701 » » » » » » » NID_pkcs9_signingTime)) | |
702 » » » » » { | |
703 » » » » » if (!(sign_time=X509_gmtime_adj(NULL,0))
) | |
704 » » » » » » { | |
705 » » » » » » PKCS7err(PKCS7_F_PKCS7_DATAFINAL
, | |
706 » » » » » » » ERR_R_MALLOC_FAILURE); | |
707 » » » » » » goto err; | |
708 » » » » » » } | |
709 » » » » » if (!PKCS7_add_signed_attribute(si, | |
710 » » » » » » NID_pkcs9_signingTime, | |
711 » » » » » » V_ASN1_UTCTIME,sign_time)) | |
712 » » » » » » { | |
713 » » » » » » M_ASN1_UTCTIME_free(sign_time); | |
714 » » » » » » goto err; | |
715 » » » » » » } | |
716 » » » » » } | |
717 | |
718 » » » » /* Add digest */ | |
719 » » » » md_tmp=EVP_MD_CTX_md(&ctx_tmp); | |
720 » » » » EVP_DigestFinal_ex(&ctx_tmp,md_data,&md_len); | |
721 » » » » if (!(digest=M_ASN1_OCTET_STRING_new())) | |
722 { | 809 { |
723 PKCS7err(PKCS7_F_PKCS7_DATAFINAL, | 810 PKCS7err(PKCS7_F_PKCS7_DATAFINAL, |
724 » » » » » » ERR_R_MALLOC_FAILURE); | 811 » » » » » » » ERR_R_EVP_LIB); |
725 goto err; | 812 goto err; |
726 } | 813 } |
727 » » » » if (!M_ASN1_OCTET_STRING_set(digest,md_data, | 814 » » » » ASN1_STRING_set0(si->enc_digest, abuf, abuflen); |
728 » » » » » » » » md_len)) | |
729 » » » » » { | |
730 » » » » » PKCS7err(PKCS7_F_PKCS7_DATAFINAL, | |
731 » » » » » » ERR_R_MALLOC_FAILURE); | |
732 » » » » » M_ASN1_OCTET_STRING_free(digest); | |
733 » » » » » goto err; | |
734 » » » » » } | |
735 » » » » if (!PKCS7_add_signed_attribute(si, | |
736 » » » » » NID_pkcs9_messageDigest, | |
737 » » » » » V_ASN1_OCTET_STRING,digest)) | |
738 » » » » » { | |
739 » » » » » M_ASN1_OCTET_STRING_free(digest); | |
740 » » » » » goto err; | |
741 » » » » » } | |
742 | |
743 » » » » /* Now sign the attributes */ | |
744 » » » » EVP_SignInit_ex(&ctx_tmp,md_tmp,NULL); | |
745 » » » » alen = ASN1_item_i2d((ASN1_VALUE *)sk,&abuf, | |
746 » » » » » » » ASN1_ITEM_rptr(PKCS7_ATT
R_SIGN)); | |
747 » » » » if(!abuf) goto err; | |
748 » » » » EVP_SignUpdate(&ctx_tmp,abuf,alen); | |
749 » » » » OPENSSL_free(abuf); | |
750 » » » » } | |
751 | |
752 #ifndef OPENSSL_NO_DSA | |
753 » » » if (si->pkey->type == EVP_PKEY_DSA) | |
754 » » » » ctx_tmp.digest=EVP_dss1(); | |
755 #endif | |
756 #ifndef OPENSSL_NO_ECDSA | |
757 » » » if (si->pkey->type == EVP_PKEY_EC) | |
758 » » » » ctx_tmp.digest=EVP_ecdsa(); | |
759 #endif | |
760 | |
761 » » » if (!EVP_SignFinal(&ctx_tmp,(unsigned char *)buf->data, | |
762 » » » » (unsigned int *)&buf->length,si->pkey)) | |
763 » » » » { | |
764 » » » » PKCS7err(PKCS7_F_PKCS7_DATAFINAL,ERR_R_EVP_LIB); | |
765 » » » » goto err; | |
766 » » » » } | |
767 » » » if (!ASN1_STRING_set(si->enc_digest, | |
768 » » » » (unsigned char *)buf->data,buf->length)) | |
769 » » » » { | |
770 » » » » PKCS7err(PKCS7_F_PKCS7_DATAFINAL,ERR_R_ASN1_LIB)
; | |
771 » » » » goto err; | |
772 } | 815 } |
773 } | 816 } |
774 } | 817 } |
775 else if (i == NID_pkcs7_digest) | 818 else if (i == NID_pkcs7_digest) |
776 { | 819 { |
777 unsigned char md_data[EVP_MAX_MD_SIZE]; | 820 unsigned char md_data[EVP_MAX_MD_SIZE]; |
778 unsigned int md_len; | 821 unsigned int md_len; |
779 if (!PKCS7_find_digest(&mdc, bio, | 822 if (!PKCS7_find_digest(&mdc, bio, |
780 OBJ_obj2nid(p7->d.digest->md->algorithm))) | 823 OBJ_obj2nid(p7->d.digest->md->algorithm))) |
781 goto err; | 824 goto err; |
782 EVP_DigestFinal_ex(mdc,md_data,&md_len); | 825 EVP_DigestFinal_ex(mdc,md_data,&md_len); |
783 M_ASN1_OCTET_STRING_set(p7->d.digest->digest, md_data, md_len); | 826 M_ASN1_OCTET_STRING_set(p7->d.digest->digest, md_data, md_len); |
784 } | 827 } |
785 | 828 |
786 » if (!PKCS7_is_detached(p7)) | 829 » if (!PKCS7_is_detached(p7) && !(os->flags & ASN1_STRING_FLAG_NDEF)) |
787 { | 830 { |
| 831 char *cont; |
| 832 long contlen; |
788 btmp=BIO_find_type(bio,BIO_TYPE_MEM); | 833 btmp=BIO_find_type(bio,BIO_TYPE_MEM); |
789 if (btmp == NULL) | 834 if (btmp == NULL) |
790 { | 835 { |
791 PKCS7err(PKCS7_F_PKCS7_DATAFINAL,PKCS7_R_UNABLE_TO_FIND_
MEM_BIO); | 836 PKCS7err(PKCS7_F_PKCS7_DATAFINAL,PKCS7_R_UNABLE_TO_FIND_
MEM_BIO); |
792 goto err; | 837 goto err; |
793 } | 838 } |
794 » » BIO_get_mem_ptr(btmp,&buf_mem); | 839 » » contlen = BIO_get_mem_data(btmp, &cont); |
795 /* Mark the BIO read only then we can use its copy of the data | 840 /* Mark the BIO read only then we can use its copy of the data |
796 * instead of making an extra copy. | 841 * instead of making an extra copy. |
797 */ | 842 */ |
798 BIO_set_flags(btmp, BIO_FLAGS_MEM_RDONLY); | 843 BIO_set_flags(btmp, BIO_FLAGS_MEM_RDONLY); |
799 BIO_set_mem_eof_return(btmp, 0); | 844 BIO_set_mem_eof_return(btmp, 0); |
800 » » os->data = (unsigned char *)buf_mem->data; | 845 » » ASN1_STRING_set0(os, (unsigned char *)cont, contlen); |
801 » » os->length = buf_mem->length; | |
802 #if 0 | |
803 » » M_ASN1_OCTET_STRING_set(os, | |
804 » » » (unsigned char *)buf_mem->data,buf_mem->length); | |
805 #endif | |
806 } | 846 } |
807 ret=1; | 847 ret=1; |
808 err: | 848 err: |
809 EVP_MD_CTX_cleanup(&ctx_tmp); | 849 EVP_MD_CTX_cleanup(&ctx_tmp); |
810 if (buf != NULL) BUF_MEM_free(buf); | |
811 return(ret); | 850 return(ret); |
812 } | 851 } |
813 | 852 |
| 853 int PKCS7_SIGNER_INFO_sign(PKCS7_SIGNER_INFO *si) |
| 854 { |
| 855 EVP_MD_CTX mctx; |
| 856 EVP_PKEY_CTX *pctx; |
| 857 unsigned char *abuf = NULL; |
| 858 int alen; |
| 859 size_t siglen; |
| 860 const EVP_MD *md = NULL; |
| 861 |
| 862 md = EVP_get_digestbyobj(si->digest_alg->algorithm); |
| 863 if (md == NULL) |
| 864 return 0; |
| 865 |
| 866 EVP_MD_CTX_init(&mctx); |
| 867 if (EVP_DigestSignInit(&mctx, &pctx, md,NULL, si->pkey) <= 0) |
| 868 goto err; |
| 869 |
| 870 if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN, |
| 871 EVP_PKEY_CTRL_PKCS7_SIGN, 0, si) <= 0) |
| 872 { |
| 873 PKCS7err(PKCS7_F_PKCS7_SIGNER_INFO_SIGN, PKCS7_R_CTRL_ERROR); |
| 874 goto err; |
| 875 } |
| 876 |
| 877 alen = ASN1_item_i2d((ASN1_VALUE *)si->auth_attr,&abuf, |
| 878 ASN1_ITEM_rptr(PKCS7_ATTR_SIGN)); |
| 879 if(!abuf) |
| 880 goto err; |
| 881 if (EVP_DigestSignUpdate(&mctx,abuf,alen) <= 0) |
| 882 goto err; |
| 883 OPENSSL_free(abuf); |
| 884 if (EVP_DigestSignFinal(&mctx, NULL, &siglen) <= 0) |
| 885 goto err; |
| 886 abuf = OPENSSL_malloc(siglen); |
| 887 if(!abuf) |
| 888 goto err; |
| 889 if (EVP_DigestSignFinal(&mctx, abuf, &siglen) <= 0) |
| 890 goto err; |
| 891 |
| 892 if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN, |
| 893 EVP_PKEY_CTRL_PKCS7_SIGN, 1, si) <= 0) |
| 894 { |
| 895 PKCS7err(PKCS7_F_PKCS7_SIGNER_INFO_SIGN, PKCS7_R_CTRL_ERROR); |
| 896 goto err; |
| 897 } |
| 898 |
| 899 EVP_MD_CTX_cleanup(&mctx); |
| 900 |
| 901 ASN1_STRING_set0(si->enc_digest, abuf, siglen); |
| 902 |
| 903 return 1; |
| 904 |
| 905 err: |
| 906 if (abuf) |
| 907 OPENSSL_free(abuf); |
| 908 EVP_MD_CTX_cleanup(&mctx); |
| 909 return 0; |
| 910 |
| 911 } |
| 912 |
814 int PKCS7_dataVerify(X509_STORE *cert_store, X509_STORE_CTX *ctx, BIO *bio, | 913 int PKCS7_dataVerify(X509_STORE *cert_store, X509_STORE_CTX *ctx, BIO *bio, |
815 PKCS7 *p7, PKCS7_SIGNER_INFO *si) | 914 PKCS7 *p7, PKCS7_SIGNER_INFO *si) |
816 { | 915 { |
817 PKCS7_ISSUER_AND_SERIAL *ias; | 916 PKCS7_ISSUER_AND_SERIAL *ias; |
818 int ret=0,i; | 917 int ret=0,i; |
819 STACK_OF(X509) *cert; | 918 STACK_OF(X509) *cert; |
820 X509 *x509; | 919 X509 *x509; |
821 | 920 |
822 if (PKCS7_type_is_signed(p7)) | 921 if (PKCS7_type_is_signed(p7)) |
823 { | 922 { |
(...skipping 91 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
915 } | 1014 } |
916 | 1015 |
917 /* mdc is the digest ctx that we want, unless there are attributes, | 1016 /* mdc is the digest ctx that we want, unless there are attributes, |
918 * in which case the digest is the signed attributes */ | 1017 * in which case the digest is the signed attributes */ |
919 EVP_MD_CTX_copy_ex(&mdc_tmp,mdc); | 1018 EVP_MD_CTX_copy_ex(&mdc_tmp,mdc); |
920 | 1019 |
921 sk=si->auth_attr; | 1020 sk=si->auth_attr; |
922 if ((sk != NULL) && (sk_X509_ATTRIBUTE_num(sk) != 0)) | 1021 if ((sk != NULL) && (sk_X509_ATTRIBUTE_num(sk) != 0)) |
923 { | 1022 { |
924 unsigned char md_dat[EVP_MAX_MD_SIZE], *abuf = NULL; | 1023 unsigned char md_dat[EVP_MAX_MD_SIZE], *abuf = NULL; |
925 unsigned int md_len, alen; | 1024 unsigned int md_len; |
| 1025 » » int alen; |
926 ASN1_OCTET_STRING *message_digest; | 1026 ASN1_OCTET_STRING *message_digest; |
927 | 1027 |
928 EVP_DigestFinal_ex(&mdc_tmp,md_dat,&md_len); | 1028 EVP_DigestFinal_ex(&mdc_tmp,md_dat,&md_len); |
929 message_digest=PKCS7_digest_from_attributes(sk); | 1029 message_digest=PKCS7_digest_from_attributes(sk); |
930 if (!message_digest) | 1030 if (!message_digest) |
931 { | 1031 { |
932 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, | 1032 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, |
933 PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST); | 1033 PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST); |
934 goto err; | 1034 goto err; |
935 } | 1035 } |
(...skipping 11 matching lines...) Expand all Loading... |
947 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, | 1047 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, |
948 PKCS7_R_DIGEST_FAILURE); | 1048 PKCS7_R_DIGEST_FAILURE); |
949 ret= -1; | 1049 ret= -1; |
950 goto err; | 1050 goto err; |
951 } | 1051 } |
952 | 1052 |
953 EVP_VerifyInit_ex(&mdc_tmp,EVP_get_digestbynid(md_type), NULL); | 1053 EVP_VerifyInit_ex(&mdc_tmp,EVP_get_digestbynid(md_type), NULL); |
954 | 1054 |
955 alen = ASN1_item_i2d((ASN1_VALUE *)sk, &abuf, | 1055 alen = ASN1_item_i2d((ASN1_VALUE *)sk, &abuf, |
956 ASN1_ITEM_rptr(PKCS7_ATTR_VERIFY
)); | 1056 ASN1_ITEM_rptr(PKCS7_ATTR_VERIFY
)); |
| 1057 if (alen <= 0) |
| 1058 { |
| 1059 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY,ERR_R_ASN1_LIB); |
| 1060 ret = -1; |
| 1061 goto err; |
| 1062 } |
957 EVP_VerifyUpdate(&mdc_tmp, abuf, alen); | 1063 EVP_VerifyUpdate(&mdc_tmp, abuf, alen); |
958 | 1064 |
959 OPENSSL_free(abuf); | 1065 OPENSSL_free(abuf); |
960 } | 1066 } |
961 | 1067 |
962 os=si->enc_digest; | 1068 os=si->enc_digest; |
963 pkey = X509_get_pubkey(x509); | 1069 pkey = X509_get_pubkey(x509); |
964 if (!pkey) | 1070 if (!pkey) |
965 { | 1071 { |
966 ret = -1; | 1072 ret = -1; |
967 goto err; | 1073 goto err; |
968 } | 1074 } |
969 #ifndef OPENSSL_NO_DSA | |
970 if(pkey->type == EVP_PKEY_DSA) mdc_tmp.digest=EVP_dss1(); | |
971 #endif | |
972 #ifndef OPENSSL_NO_ECDSA | |
973 if (pkey->type == EVP_PKEY_EC) mdc_tmp.digest=EVP_ecdsa(); | |
974 #endif | |
975 | 1075 |
976 i=EVP_VerifyFinal(&mdc_tmp,os->data,os->length, pkey); | 1076 i=EVP_VerifyFinal(&mdc_tmp,os->data,os->length, pkey); |
977 EVP_PKEY_free(pkey); | 1077 EVP_PKEY_free(pkey); |
978 if (i <= 0) | 1078 if (i <= 0) |
979 { | 1079 { |
980 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, | 1080 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, |
981 PKCS7_R_SIGNATURE_FAILURE); | 1081 PKCS7_R_SIGNATURE_FAILURE); |
982 ret= -1; | 1082 ret= -1; |
983 goto err; | 1083 goto err; |
984 } | 1084 } |
(...skipping 115 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
1100 return(add_attribute(&(p7si->unauth_attr),nid,atrtype,value)); | 1200 return(add_attribute(&(p7si->unauth_attr),nid,atrtype,value)); |
1101 } | 1201 } |
1102 | 1202 |
1103 static int add_attribute(STACK_OF(X509_ATTRIBUTE) **sk, int nid, int atrtype, | 1203 static int add_attribute(STACK_OF(X509_ATTRIBUTE) **sk, int nid, int atrtype, |
1104 void *value) | 1204 void *value) |
1105 { | 1205 { |
1106 X509_ATTRIBUTE *attr=NULL; | 1206 X509_ATTRIBUTE *attr=NULL; |
1107 | 1207 |
1108 if (*sk == NULL) | 1208 if (*sk == NULL) |
1109 { | 1209 { |
1110 » » if (!(*sk = sk_X509_ATTRIBUTE_new_null())) | 1210 » » *sk = sk_X509_ATTRIBUTE_new_null(); |
1111 » » » return 0; | 1211 » » if (*sk == NULL) |
| 1212 » » » return 0;» |
1112 new_attrib: | 1213 new_attrib: |
1113 if (!(attr=X509_ATTRIBUTE_create(nid,atrtype,value))) | 1214 if (!(attr=X509_ATTRIBUTE_create(nid,atrtype,value))) |
1114 return 0; | 1215 return 0; |
1115 if (!sk_X509_ATTRIBUTE_push(*sk,attr)) | 1216 if (!sk_X509_ATTRIBUTE_push(*sk,attr)) |
1116 { | 1217 { |
1117 X509_ATTRIBUTE_free(attr); | 1218 X509_ATTRIBUTE_free(attr); |
1118 return 0; | 1219 return 0; |
1119 } | 1220 } |
1120 } | 1221 } |
1121 else | 1222 else |
(...skipping 16 matching lines...) Expand all Loading... |
1138 } | 1239 } |
1139 goto end; | 1240 goto end; |
1140 } | 1241 } |
1141 } | 1242 } |
1142 goto new_attrib; | 1243 goto new_attrib; |
1143 } | 1244 } |
1144 end: | 1245 end: |
1145 return(1); | 1246 return(1); |
1146 } | 1247 } |
1147 | 1248 |
OLD | NEW |