1 /* $OpenBSD: pk7_doit.c,v 1.28 2014/07/12 16:03:37 miod Exp $ */ 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 59 #include <stdio.h> 60 #include <string.h> 61 62 #include <openssl/err.h> 63 #include <openssl/objects.h> 64 #include <openssl/rand.h> 65 #include <openssl/x509.h> 66 #include <openssl/x509v3.h> 67 68 static int add_attribute(STACK_OF(X509_ATTRIBUTE) **sk, int nid, int atrtype, 69 void *value); 70 static ASN1_TYPE *get_attribute(STACK_OF(X509_ATTRIBUTE) *sk, int nid); 71 72 static int 73 PKCS7_type_is_other(PKCS7* p7) 74 { 75 int isOther = 1; 76 77 int nid = OBJ_obj2nid(p7->type); 78 79 switch (nid ) { 80 case NID_pkcs7_data: 81 case NID_pkcs7_signed: 82 case NID_pkcs7_enveloped: 83 case NID_pkcs7_signedAndEnveloped: 84 case NID_pkcs7_digest: 85 case NID_pkcs7_encrypted: 86 isOther = 0; 87 break; 88 default: 89 isOther = 1; 90 } 91 92 return isOther; 93 94 } 95 96 static ASN1_OCTET_STRING * 97 PKCS7_get_octet_string(PKCS7 *p7) 98 { 99 if (PKCS7_type_is_data(p7)) 100 return p7->d.data; 101 if (PKCS7_type_is_other(p7) && p7->d.other && 102 (p7->d.other->type == V_ASN1_OCTET_STRING)) 103 return p7->d.other->value.octet_string; 104 return NULL; 105 } 106 107 static int 108 PKCS7_bio_add_digest(BIO **pbio, X509_ALGOR *alg) 109 { 110 BIO *btmp; 111 const EVP_MD *md; 112 if ((btmp = BIO_new(BIO_f_md())) == NULL) { 113 PKCS7err(PKCS7_F_PKCS7_BIO_ADD_DIGEST, ERR_R_BIO_LIB); 114 goto err; 115 } 116 117 md = EVP_get_digestbyobj(alg->algorithm); 118 if (md == NULL) { 119 PKCS7err(PKCS7_F_PKCS7_BIO_ADD_DIGEST, 120 PKCS7_R_UNKNOWN_DIGEST_TYPE); 121 goto err; 122 } 123 124 BIO_set_md(btmp, md); 125 if (*pbio == NULL) 126 *pbio = btmp; 127 else if (!BIO_push(*pbio, btmp)) { 128 PKCS7err(PKCS7_F_PKCS7_BIO_ADD_DIGEST, ERR_R_BIO_LIB); 129 goto err; 130 } 131 btmp = NULL; 132 133 return 1; 134 135 err: 136 if (btmp) 137 BIO_free(btmp); 138 return 0; 139 140 } 141 142 static int 143 pkcs7_encode_rinfo(PKCS7_RECIP_INFO *ri, unsigned char *key, int keylen) 144 { 145 EVP_PKEY_CTX *pctx = NULL; 146 EVP_PKEY *pkey = NULL; 147 unsigned char *ek = NULL; 148 int ret = 0; 149 size_t eklen; 150 151 pkey = X509_get_pubkey(ri->cert); 152 if (!pkey) 153 return 0; 154 155 pctx = EVP_PKEY_CTX_new(pkey, NULL); 156 if (!pctx) 157 return 0; 158 159 if (EVP_PKEY_encrypt_init(pctx) <= 0) 160 goto err; 161 162 if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_ENCRYPT, 163 EVP_PKEY_CTRL_PKCS7_ENCRYPT, 0, ri) <= 0) { 164 PKCS7err(PKCS7_F_PKCS7_ENCODE_RINFO, PKCS7_R_CTRL_ERROR); 165 goto err; 166 } 167 168 if (EVP_PKEY_encrypt(pctx, NULL, &eklen, key, keylen) <= 0) 169 goto err; 170 171 ek = malloc(eklen); 172 173 if (ek == NULL) { 174 PKCS7err(PKCS7_F_PKCS7_ENCODE_RINFO, ERR_R_MALLOC_FAILURE); 175 goto err; 176 } 177 178 if (EVP_PKEY_encrypt(pctx, ek, &eklen, key, keylen) <= 0) 179 goto err; 180 181 ASN1_STRING_set0(ri->enc_key, ek, eklen); 182 ek = NULL; 183 184 ret = 1; 185 186 err: 187 EVP_PKEY_free(pkey); 188 EVP_PKEY_CTX_free(pctx); 189 free(ek); 190 return ret; 191 } 192 193 194 static int 195 pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen, PKCS7_RECIP_INFO *ri, 196 EVP_PKEY *pkey) 197 { 198 EVP_PKEY_CTX *pctx = NULL; 199 unsigned char *ek = NULL; 200 size_t eklen; 201 202 int ret = -1; 203 204 pctx = EVP_PKEY_CTX_new(pkey, NULL); 205 if (!pctx) 206 return -1; 207 208 if (EVP_PKEY_decrypt_init(pctx) <= 0) 209 goto err; 210 211 if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_DECRYPT, 212 EVP_PKEY_CTRL_PKCS7_DECRYPT, 0, ri) <= 0) { 213 PKCS7err(PKCS7_F_PKCS7_DECRYPT_RINFO, PKCS7_R_CTRL_ERROR); 214 goto err; 215 } 216 217 if (EVP_PKEY_decrypt(pctx, NULL, &eklen, 218 ri->enc_key->data, ri->enc_key->length) <= 0) 219 goto err; 220 221 ek = malloc(eklen); 222 if (ek == NULL) { 223 PKCS7err(PKCS7_F_PKCS7_DECRYPT_RINFO, ERR_R_MALLOC_FAILURE); 224 goto err; 225 } 226 227 if (EVP_PKEY_decrypt(pctx, ek, &eklen, 228 ri->enc_key->data, ri->enc_key->length) <= 0) { 229 ret = 0; 230 PKCS7err(PKCS7_F_PKCS7_DECRYPT_RINFO, ERR_R_EVP_LIB); 231 goto err; 232 } 233 234 ret = 1; 235 236 if (*pek) { 237 OPENSSL_cleanse(*pek, *peklen); 238 free(*pek); 239 } 240 241 *pek = ek; 242 *peklen = eklen; 243 244 err: 245 EVP_PKEY_CTX_free(pctx); 246 if (!ret && ek) 247 free(ek); 248 249 return ret; 250 } 251 252 BIO * 253 PKCS7_dataInit(PKCS7 *p7, BIO *bio) 254 { 255 int i; 256 BIO *out = NULL, *btmp = NULL; 257 X509_ALGOR *xa = NULL; 258 const EVP_CIPHER *evp_cipher = NULL; 259 STACK_OF(X509_ALGOR) *md_sk = NULL; 260 STACK_OF(PKCS7_RECIP_INFO) *rsk = NULL; 261 X509_ALGOR *xalg = NULL; 262 PKCS7_RECIP_INFO *ri = NULL; 263 ASN1_OCTET_STRING *os = NULL; 264 265 i = OBJ_obj2nid(p7->type); 266 p7->state = PKCS7_S_HEADER; 267 268 switch (i) { 269 case NID_pkcs7_signed: 270 md_sk = p7->d.sign->md_algs; 271 os = PKCS7_get_octet_string(p7->d.sign->contents); 272 break; 273 case NID_pkcs7_signedAndEnveloped: 274 rsk = p7->d.signed_and_enveloped->recipientinfo; 275 md_sk = p7->d.signed_and_enveloped->md_algs; 276 xalg = p7->d.signed_and_enveloped->enc_data->algorithm; 277 evp_cipher = p7->d.signed_and_enveloped->enc_data->cipher; 278 if (evp_cipher == NULL) { 279 PKCS7err(PKCS7_F_PKCS7_DATAINIT, 280 PKCS7_R_CIPHER_NOT_INITIALIZED); 281 goto err; 282 } 283 break; 284 case NID_pkcs7_enveloped: 285 rsk = p7->d.enveloped->recipientinfo; 286 xalg = p7->d.enveloped->enc_data->algorithm; 287 evp_cipher = p7->d.enveloped->enc_data->cipher; 288 if (evp_cipher == NULL) { 289 PKCS7err(PKCS7_F_PKCS7_DATAINIT, 290 PKCS7_R_CIPHER_NOT_INITIALIZED); 291 goto err; 292 } 293 break; 294 case NID_pkcs7_digest: 295 xa = p7->d.digest->md; 296 os = PKCS7_get_octet_string(p7->d.digest->contents); 297 break; 298 case NID_pkcs7_data: 299 break; 300 default: 301 PKCS7err(PKCS7_F_PKCS7_DATAINIT, 302 PKCS7_R_UNSUPPORTED_CONTENT_TYPE); 303 goto err; 304 } 305 306 for (i = 0; i < sk_X509_ALGOR_num(md_sk); i++) 307 if (!PKCS7_bio_add_digest(&out, sk_X509_ALGOR_value(md_sk, i))) 308 goto err; 309 310 if (xa && !PKCS7_bio_add_digest(&out, xa)) 311 goto err; 312 313 if (evp_cipher != NULL) { 314 unsigned char key[EVP_MAX_KEY_LENGTH]; 315 unsigned char iv[EVP_MAX_IV_LENGTH]; 316 int keylen, ivlen; 317 EVP_CIPHER_CTX *ctx; 318 319 if ((btmp = BIO_new(BIO_f_cipher())) == NULL) { 320 PKCS7err(PKCS7_F_PKCS7_DATAINIT, ERR_R_BIO_LIB); 321 goto err; 322 } 323 BIO_get_cipher_ctx(btmp, &ctx); 324 keylen = EVP_CIPHER_key_length(evp_cipher); 325 ivlen = EVP_CIPHER_iv_length(evp_cipher); 326 xalg->algorithm = OBJ_nid2obj(EVP_CIPHER_type(evp_cipher)); 327 if (ivlen > 0) 328 if (RAND_pseudo_bytes(iv, ivlen) <= 0) 329 goto err; 330 if (EVP_CipherInit_ex(ctx, evp_cipher, NULL, NULL, 331 NULL, 1) <= 0) 332 goto err; 333 if (EVP_CIPHER_CTX_rand_key(ctx, key) <= 0) 334 goto err; 335 if (EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, 1) <= 0) 336 goto err; 337 338 if (ivlen > 0) { 339 if (xalg->parameter == NULL) { 340 xalg->parameter = ASN1_TYPE_new(); 341 if (xalg->parameter == NULL) 342 goto err; 343 } 344 if (EVP_CIPHER_param_to_asn1(ctx, xalg->parameter) < 0) 345 goto err; 346 } 347 348 /* Lets do the pub key stuff :-) */ 349 for (i = 0; i < sk_PKCS7_RECIP_INFO_num(rsk); i++) { 350 ri = sk_PKCS7_RECIP_INFO_value(rsk, i); 351 if (pkcs7_encode_rinfo(ri, key, keylen) <= 0) 352 goto err; 353 } 354 OPENSSL_cleanse(key, keylen); 355 356 if (out == NULL) 357 out = btmp; 358 else 359 BIO_push(out, btmp); 360 btmp = NULL; 361 } 362 363 if (bio == NULL) { 364 if (PKCS7_is_detached(p7)) 365 bio = BIO_new(BIO_s_null()); 366 else if (os && os->length > 0) 367 bio = BIO_new_mem_buf(os->data, os->length); 368 if (bio == NULL) { 369 bio = BIO_new(BIO_s_mem()); 370 if (bio == NULL) 371 goto err; 372 BIO_set_mem_eof_return(bio, 0); 373 } 374 } 375 if (out) 376 BIO_push(out, bio); 377 else 378 out = bio; 379 bio = NULL; 380 if (0) { 381 err: 382 if (out != NULL) 383 BIO_free_all(out); 384 if (btmp != NULL) 385 BIO_free_all(btmp); 386 out = NULL; 387 } 388 return (out); 389 } 390 391 static int 392 pkcs7_cmp_ri(PKCS7_RECIP_INFO *ri, X509 *pcert) 393 { 394 int ret; 395 396 ret = X509_NAME_cmp(ri->issuer_and_serial->issuer, 397 pcert->cert_info->issuer); 398 if (ret) 399 return ret; 400 return M_ASN1_INTEGER_cmp(pcert->cert_info->serialNumber, 401 ri->issuer_and_serial->serial); 402 } 403 404 /* int */ 405 BIO * 406 PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) 407 { 408 int i, j; 409 BIO *out = NULL, *btmp = NULL, *etmp = NULL, *bio = NULL; 410 X509_ALGOR *xa; 411 ASN1_OCTET_STRING *data_body = NULL; 412 const EVP_MD *evp_md; 413 const EVP_CIPHER *evp_cipher = NULL; 414 EVP_CIPHER_CTX *evp_ctx = NULL; 415 X509_ALGOR *enc_alg = NULL; 416 STACK_OF(X509_ALGOR) *md_sk = NULL; 417 STACK_OF(PKCS7_RECIP_INFO) *rsk = NULL; 418 PKCS7_RECIP_INFO *ri = NULL; 419 unsigned char *ek = NULL, *tkey = NULL; 420 int eklen = 0, tkeylen = 0; 421 422 i = OBJ_obj2nid(p7->type); 423 p7->state = PKCS7_S_HEADER; 424 425 switch (i) { 426 case NID_pkcs7_signed: 427 data_body = PKCS7_get_octet_string(p7->d.sign->contents); 428 md_sk = p7->d.sign->md_algs; 429 break; 430 case NID_pkcs7_signedAndEnveloped: 431 rsk = p7->d.signed_and_enveloped->recipientinfo; 432 md_sk = p7->d.signed_and_enveloped->md_algs; 433 data_body = p7->d.signed_and_enveloped->enc_data->enc_data; 434 enc_alg = p7->d.signed_and_enveloped->enc_data->algorithm; 435 evp_cipher = EVP_get_cipherbyobj(enc_alg->algorithm); 436 if (evp_cipher == NULL) { 437 PKCS7err(PKCS7_F_PKCS7_DATADECODE, 438 PKCS7_R_UNSUPPORTED_CIPHER_TYPE); 439 goto err; 440 } 441 break; 442 case NID_pkcs7_enveloped: 443 rsk = p7->d.enveloped->recipientinfo; 444 enc_alg = p7->d.enveloped->enc_data->algorithm; 445 data_body = p7->d.enveloped->enc_data->enc_data; 446 evp_cipher = EVP_get_cipherbyobj(enc_alg->algorithm); 447 if (evp_cipher == NULL) { 448 PKCS7err(PKCS7_F_PKCS7_DATADECODE, 449 PKCS7_R_UNSUPPORTED_CIPHER_TYPE); 450 goto err; 451 } 452 break; 453 default: 454 PKCS7err(PKCS7_F_PKCS7_DATADECODE, 455 PKCS7_R_UNSUPPORTED_CONTENT_TYPE); 456 goto err; 457 } 458 459 /* We will be checking the signature */ 460 if (md_sk != NULL) { 461 for (i = 0; i < sk_X509_ALGOR_num(md_sk); i++) { 462 xa = sk_X509_ALGOR_value(md_sk, i); 463 if ((btmp = BIO_new(BIO_f_md())) == NULL) { 464 PKCS7err(PKCS7_F_PKCS7_DATADECODE, 465 ERR_R_BIO_LIB); 466 goto err; 467 } 468 469 j = OBJ_obj2nid(xa->algorithm); 470 evp_md = EVP_get_digestbynid(j); 471 if (evp_md == NULL) { 472 PKCS7err(PKCS7_F_PKCS7_DATADECODE, 473 PKCS7_R_UNKNOWN_DIGEST_TYPE); 474 goto err; 475 } 476 477 BIO_set_md(btmp, evp_md); 478 if (out == NULL) 479 out = btmp; 480 else 481 BIO_push(out, btmp); 482 btmp = NULL; 483 } 484 } 485 486 if (evp_cipher != NULL) { 487 #if 0 488 unsigned char key[EVP_MAX_KEY_LENGTH]; 489 unsigned char iv[EVP_MAX_IV_LENGTH]; 490 unsigned char *p; 491 int keylen, ivlen; 492 int max; 493 X509_OBJECT ret; 494 #endif 495 496 if ((etmp = BIO_new(BIO_f_cipher())) == NULL) { 497 PKCS7err(PKCS7_F_PKCS7_DATADECODE, ERR_R_BIO_LIB); 498 goto err; 499 } 500 501 /* It was encrypted, we need to decrypt the secret key 502 * with the private key */ 503 504 /* Find the recipientInfo which matches the passed certificate 505 * (if any) 506 */ 507 if (pcert) { 508 for (i = 0; i < sk_PKCS7_RECIP_INFO_num(rsk); i++) { 509 ri = sk_PKCS7_RECIP_INFO_value(rsk, i); 510 if (!pkcs7_cmp_ri(ri, pcert)) 511 break; 512 ri = NULL; 513 } 514 if (ri == NULL) { 515 PKCS7err(PKCS7_F_PKCS7_DATADECODE, 516 PKCS7_R_NO_RECIPIENT_MATCHES_CERTIFICATE); 517 goto err; 518 } 519 } 520 521 /* If we haven't got a certificate try each ri in turn */ 522 if (pcert == NULL) { 523 /* Always attempt to decrypt all rinfo even 524 * after sucess as a defence against MMA timing 525 * attacks. 526 */ 527 for (i = 0; i < sk_PKCS7_RECIP_INFO_num(rsk); i++) { 528 ri = sk_PKCS7_RECIP_INFO_value(rsk, i); 529 530 if (pkcs7_decrypt_rinfo(&ek, &eklen, 531 ri, pkey) < 0) 532 goto err; 533 ERR_clear_error(); 534 } 535 } else { 536 /* Only exit on fatal errors, not decrypt failure */ 537 if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey) < 0) 538 goto err; 539 ERR_clear_error(); 540 } 541 542 evp_ctx = NULL; 543 BIO_get_cipher_ctx(etmp, &evp_ctx); 544 if (EVP_CipherInit_ex(evp_ctx, evp_cipher, NULL, NULL, 545 NULL, 0) <= 0) 546 goto err; 547 if (EVP_CIPHER_asn1_to_param(evp_ctx, enc_alg->parameter) < 0) 548 goto err; 549 /* Generate random key as MMA defence */ 550 tkeylen = EVP_CIPHER_CTX_key_length(evp_ctx); 551 tkey = malloc(tkeylen); 552 if (!tkey) 553 goto err; 554 if (EVP_CIPHER_CTX_rand_key(evp_ctx, tkey) <= 0) 555 goto err; 556 if (ek == NULL) { 557 ek = tkey; 558 eklen = tkeylen; 559 tkey = NULL; 560 } 561 562 if (eklen != EVP_CIPHER_CTX_key_length(evp_ctx)) { 563 /* Some S/MIME clients don't use the same key 564 * and effective key length. The key length is 565 * determined by the size of the decrypted RSA key. 566 */ 567 if (!EVP_CIPHER_CTX_set_key_length(evp_ctx, eklen)) { 568 /* Use random key as MMA defence */ 569 OPENSSL_cleanse(ek, eklen); 570 free(ek); 571 ek = tkey; 572 eklen = tkeylen; 573 tkey = NULL; 574 } 575 } 576 /* Clear errors so we don't leak information useful in MMA */ 577 ERR_clear_error(); 578 if (EVP_CipherInit_ex(evp_ctx, NULL, NULL, ek, NULL, 0) <= 0) 579 goto err; 580 581 if (ek) { 582 OPENSSL_cleanse(ek, eklen); 583 free(ek); 584 ek = NULL; 585 } 586 if (tkey) { 587 OPENSSL_cleanse(tkey, tkeylen); 588 free(tkey); 589 tkey = NULL; 590 } 591 592 if (out == NULL) 593 out = etmp; 594 else 595 BIO_push(out, etmp); 596 etmp = NULL; 597 } 598 599 #if 1 600 if (PKCS7_is_detached(p7) || (in_bio != NULL)) { 601 bio = in_bio; 602 } else { 603 #if 0 604 bio = BIO_new(BIO_s_mem()); 605 /* We need to set this so that when we have read all 606 * the data, the encrypt BIO, if present, will read 607 * EOF and encode the last few bytes */ 608 BIO_set_mem_eof_return(bio, 0); 609 610 if (data_body != NULL && data_body->length > 0) 611 BIO_write(bio, (char *)data_body->data, data_body->length); 612 #else 613 if (data_body != NULL && data_body->length > 0) 614 bio = BIO_new_mem_buf(data_body->data, data_body->length); 615 else { 616 bio = BIO_new(BIO_s_mem()); 617 BIO_set_mem_eof_return(bio, 0); 618 } 619 if (bio == NULL) 620 goto err; 621 #endif 622 } 623 BIO_push(out, bio); 624 bio = NULL; 625 #endif 626 if (0) { 627 err: 628 if (ek) { 629 OPENSSL_cleanse(ek, eklen); 630 free(ek); 631 } 632 if (tkey) { 633 OPENSSL_cleanse(tkey, tkeylen); 634 free(tkey); 635 } 636 if (out != NULL) 637 BIO_free_all(out); 638 if (btmp != NULL) 639 BIO_free_all(btmp); 640 if (etmp != NULL) 641 BIO_free_all(etmp); 642 if (bio != NULL) 643 BIO_free_all(bio); 644 out = NULL; 645 } 646 return (out); 647 } 648 649 static BIO * 650 PKCS7_find_digest(EVP_MD_CTX **pmd, BIO *bio, int nid) 651 { 652 for (;;) { 653 bio = BIO_find_type(bio, BIO_TYPE_MD); 654 if (bio == NULL) { 655 PKCS7err(PKCS7_F_PKCS7_FIND_DIGEST, 656 PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST); 657 return NULL; 658 } 659 BIO_get_md_ctx(bio, pmd); 660 if (*pmd == NULL) { 661 PKCS7err(PKCS7_F_PKCS7_FIND_DIGEST, 662 ERR_R_INTERNAL_ERROR); 663 return NULL; 664 } 665 if (EVP_MD_CTX_type(*pmd) == nid) 666 return bio; 667 bio = BIO_next(bio); 668 } 669 return NULL; 670 } 671 672 static int 673 do_pkcs7_signed_attrib(PKCS7_SIGNER_INFO *si, EVP_MD_CTX *mctx) 674 { 675 unsigned char md_data[EVP_MAX_MD_SIZE]; 676 unsigned int md_len; 677 678 /* Add signing time if not already present */ 679 if (!PKCS7_get_signed_attribute(si, NID_pkcs9_signingTime)) { 680 if (!PKCS7_add0_attrib_signing_time(si, NULL)) { 681 PKCS7err(PKCS7_F_DO_PKCS7_SIGNED_ATTRIB, 682 ERR_R_MALLOC_FAILURE); 683 return 0; 684 } 685 } 686 687 /* Add digest */ 688 if (!EVP_DigestFinal_ex(mctx, md_data, &md_len)) { 689 PKCS7err(PKCS7_F_DO_PKCS7_SIGNED_ATTRIB, ERR_R_EVP_LIB); 690 return 0; 691 } 692 if (!PKCS7_add1_attrib_digest(si, md_data, md_len)) { 693 PKCS7err(PKCS7_F_DO_PKCS7_SIGNED_ATTRIB, ERR_R_MALLOC_FAILURE); 694 return 0; 695 } 696 697 /* Now sign the attributes */ 698 if (!PKCS7_SIGNER_INFO_sign(si)) 699 return 0; 700 701 return 1; 702 } 703 704 705 int 706 PKCS7_dataFinal(PKCS7 *p7, BIO *bio) 707 { 708 int ret = 0; 709 int i, j; 710 BIO *btmp; 711 PKCS7_SIGNER_INFO *si; 712 EVP_MD_CTX *mdc, ctx_tmp; 713 STACK_OF(X509_ATTRIBUTE) *sk; 714 STACK_OF(PKCS7_SIGNER_INFO) *si_sk = NULL; 715 ASN1_OCTET_STRING *os = NULL; 716 717 EVP_MD_CTX_init(&ctx_tmp); 718 i = OBJ_obj2nid(p7->type); 719 p7->state = PKCS7_S_HEADER; 720 721 switch (i) { 722 case NID_pkcs7_data: 723 os = p7->d.data; 724 break; 725 case NID_pkcs7_signedAndEnveloped: 726 /* XXX */ 727 si_sk = p7->d.signed_and_enveloped->signer_info; 728 os = p7->d.signed_and_enveloped->enc_data->enc_data; 729 if (!os) { 730 os = M_ASN1_OCTET_STRING_new(); 731 if (!os) { 732 PKCS7err(PKCS7_F_PKCS7_DATAFINAL, 733 ERR_R_MALLOC_FAILURE); 734 goto err; 735 } 736 p7->d.signed_and_enveloped->enc_data->enc_data = os; 737 } 738 break; 739 case NID_pkcs7_enveloped: 740 /* XXX */ 741 os = p7->d.enveloped->enc_data->enc_data; 742 if (!os) { 743 os = M_ASN1_OCTET_STRING_new(); 744 if (!os) { 745 PKCS7err(PKCS7_F_PKCS7_DATAFINAL, 746 ERR_R_MALLOC_FAILURE); 747 goto err; 748 } 749 p7->d.enveloped->enc_data->enc_data = os; 750 } 751 break; 752 case NID_pkcs7_signed: 753 si_sk = p7->d.sign->signer_info; 754 os = PKCS7_get_octet_string(p7->d.sign->contents); 755 if (!PKCS7_is_detached(p7) && os == NULL) { 756 PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_DECODE_ERROR); 757 goto err; 758 } 759 /* If detached data then the content is excluded */ 760 if (PKCS7_type_is_data(p7->d.sign->contents) && p7->detached) { 761 M_ASN1_OCTET_STRING_free(os); 762 p7->d.sign->contents->d.data = NULL; 763 } 764 break; 765 766 case NID_pkcs7_digest: 767 os = PKCS7_get_octet_string(p7->d.digest->contents); 768 if (os == NULL) { 769 PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_DECODE_ERROR); 770 goto err; 771 } 772 /* If detached data then the content is excluded */ 773 if (PKCS7_type_is_data(p7->d.digest->contents) && 774 p7->detached) { 775 M_ASN1_OCTET_STRING_free(os); 776 p7->d.digest->contents->d.data = NULL; 777 } 778 break; 779 780 default: 781 PKCS7err(PKCS7_F_PKCS7_DATAFINAL, 782 PKCS7_R_UNSUPPORTED_CONTENT_TYPE); 783 goto err; 784 } 785 786 if (si_sk != NULL) { 787 for (i = 0; i < sk_PKCS7_SIGNER_INFO_num(si_sk); i++) { 788 si = sk_PKCS7_SIGNER_INFO_value(si_sk, i); 789 if (si->pkey == NULL) 790 continue; 791 792 j = OBJ_obj2nid(si->digest_alg->algorithm); 793 794 btmp = bio; 795 796 btmp = PKCS7_find_digest(&mdc, btmp, j); 797 798 if (btmp == NULL) 799 goto err; 800 801 /* We now have the EVP_MD_CTX, lets do the 802 * signing. */ 803 if (!EVP_MD_CTX_copy_ex(&ctx_tmp, mdc)) 804 goto err; 805 806 sk = si->auth_attr; 807 808 /* If there are attributes, we add the digest 809 * attribute and only sign the attributes */ 810 if (sk_X509_ATTRIBUTE_num(sk) > 0) { 811 if (!do_pkcs7_signed_attrib(si, &ctx_tmp)) 812 goto err; 813 } else { 814 unsigned char *abuf = NULL; 815 unsigned int abuflen; 816 abuflen = EVP_PKEY_size(si->pkey); 817 abuf = malloc(abuflen); 818 if (!abuf) 819 goto err; 820 821 if (!EVP_SignFinal(&ctx_tmp, abuf, &abuflen, 822 si->pkey)) { 823 PKCS7err(PKCS7_F_PKCS7_DATAFINAL, 824 ERR_R_EVP_LIB); 825 goto err; 826 } 827 ASN1_STRING_set0(si->enc_digest, abuf, abuflen); 828 } 829 } 830 } else if (i == NID_pkcs7_digest) { 831 unsigned char md_data[EVP_MAX_MD_SIZE]; 832 unsigned int md_len; 833 if (!PKCS7_find_digest(&mdc, bio, 834 OBJ_obj2nid(p7->d.digest->md->algorithm))) 835 goto err; 836 if (!EVP_DigestFinal_ex(mdc, md_data, &md_len)) 837 goto err; 838 M_ASN1_OCTET_STRING_set(p7->d.digest->digest, md_data, md_len); 839 } 840 841 if (!PKCS7_is_detached(p7) && !(os->flags & ASN1_STRING_FLAG_NDEF)) { 842 char *cont; 843 long contlen; 844 btmp = BIO_find_type(bio, BIO_TYPE_MEM); 845 if (btmp == NULL) { 846 PKCS7err(PKCS7_F_PKCS7_DATAFINAL, 847 PKCS7_R_UNABLE_TO_FIND_MEM_BIO); 848 goto err; 849 } 850 contlen = BIO_get_mem_data(btmp, &cont); 851 /* Mark the BIO read only then we can use its copy of the data 852 * instead of making an extra copy. 853 */ 854 BIO_set_flags(btmp, BIO_FLAGS_MEM_RDONLY); 855 BIO_set_mem_eof_return(btmp, 0); 856 ASN1_STRING_set0(os, (unsigned char *)cont, contlen); 857 } 858 ret = 1; 859 err: 860 EVP_MD_CTX_cleanup(&ctx_tmp); 861 return (ret); 862 } 863 864 int 865 PKCS7_SIGNER_INFO_sign(PKCS7_SIGNER_INFO *si) 866 { 867 EVP_MD_CTX mctx; 868 EVP_PKEY_CTX *pctx; 869 unsigned char *abuf = NULL; 870 int alen; 871 size_t siglen; 872 const EVP_MD *md = NULL; 873 874 md = EVP_get_digestbyobj(si->digest_alg->algorithm); 875 if (md == NULL) 876 return 0; 877 878 EVP_MD_CTX_init(&mctx); 879 if (EVP_DigestSignInit(&mctx, &pctx, md, NULL, si->pkey) <= 0) 880 goto err; 881 882 if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN, 883 EVP_PKEY_CTRL_PKCS7_SIGN, 0, si) <= 0) { 884 PKCS7err(PKCS7_F_PKCS7_SIGNER_INFO_SIGN, PKCS7_R_CTRL_ERROR); 885 goto err; 886 } 887 888 alen = ASN1_item_i2d((ASN1_VALUE *)si->auth_attr, &abuf, 889 ASN1_ITEM_rptr(PKCS7_ATTR_SIGN)); 890 if (!abuf) 891 goto err; 892 if (EVP_DigestSignUpdate(&mctx, abuf, alen) <= 0) 893 goto err; 894 free(abuf); 895 abuf = NULL; 896 if (EVP_DigestSignFinal(&mctx, NULL, &siglen) <= 0) 897 goto err; 898 abuf = malloc(siglen); 899 if (!abuf) 900 goto err; 901 if (EVP_DigestSignFinal(&mctx, abuf, &siglen) <= 0) 902 goto err; 903 904 if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN, 905 EVP_PKEY_CTRL_PKCS7_SIGN, 1, si) <= 0) { 906 PKCS7err(PKCS7_F_PKCS7_SIGNER_INFO_SIGN, PKCS7_R_CTRL_ERROR); 907 goto err; 908 } 909 910 EVP_MD_CTX_cleanup(&mctx); 911 912 ASN1_STRING_set0(si->enc_digest, abuf, siglen); 913 914 return 1; 915 916 err: 917 free(abuf); 918 EVP_MD_CTX_cleanup(&mctx); 919 return 0; 920 } 921 922 int 923 PKCS7_dataVerify(X509_STORE *cert_store, X509_STORE_CTX *ctx, BIO *bio, 924 PKCS7 *p7, PKCS7_SIGNER_INFO *si) 925 { 926 PKCS7_ISSUER_AND_SERIAL *ias; 927 int ret = 0, i; 928 STACK_OF(X509) *cert; 929 X509 *x509; 930 931 if (PKCS7_type_is_signed(p7)) { 932 cert = p7->d.sign->cert; 933 } else if (PKCS7_type_is_signedAndEnveloped(p7)) { 934 cert = p7->d.signed_and_enveloped->cert; 935 } else { 936 PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_WRONG_PKCS7_TYPE); 937 goto err; 938 } 939 /* XXXX */ 940 ias = si->issuer_and_serial; 941 942 x509 = X509_find_by_issuer_and_serial(cert, ias->issuer, ias->serial); 943 944 /* were we able to find the cert in passed to us */ 945 if (x509 == NULL) { 946 PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, 947 PKCS7_R_UNABLE_TO_FIND_CERTIFICATE); 948 goto err; 949 } 950 951 /* Lets verify */ 952 if (!X509_STORE_CTX_init(ctx, cert_store, x509, cert)) { 953 PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, ERR_R_X509_LIB); 954 goto err; 955 } 956 X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_SMIME_SIGN); 957 i = X509_verify_cert(ctx); 958 if (i <= 0) { 959 PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, ERR_R_X509_LIB); 960 X509_STORE_CTX_cleanup(ctx); 961 goto err; 962 } 963 X509_STORE_CTX_cleanup(ctx); 964 965 return PKCS7_signatureVerify(bio, p7, si, x509); 966 err: 967 return ret; 968 } 969 970 int 971 PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si, X509 *x509) 972 { 973 ASN1_OCTET_STRING *os; 974 EVP_MD_CTX mdc_tmp, *mdc; 975 int ret = 0, i; 976 int md_type; 977 STACK_OF(X509_ATTRIBUTE) *sk; 978 BIO *btmp; 979 EVP_PKEY *pkey; 980 981 EVP_MD_CTX_init(&mdc_tmp); 982 983 if (!PKCS7_type_is_signed(p7) && 984 !PKCS7_type_is_signedAndEnveloped(p7)) { 985 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, 986 PKCS7_R_WRONG_PKCS7_TYPE); 987 goto err; 988 } 989 990 md_type = OBJ_obj2nid(si->digest_alg->algorithm); 991 992 btmp = bio; 993 for (;;) { 994 if ((btmp == NULL) || 995 ((btmp = BIO_find_type(btmp, BIO_TYPE_MD)) == NULL)) { 996 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, 997 PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST); 998 goto err; 999 } 1000 BIO_get_md_ctx(btmp, &mdc); 1001 if (mdc == NULL) { 1002 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, 1003 ERR_R_INTERNAL_ERROR); 1004 goto err; 1005 } 1006 if (EVP_MD_CTX_type(mdc) == md_type) 1007 break; 1008 /* Workaround for some broken clients that put the signature 1009 * OID instead of the digest OID in digest_alg->algorithm 1010 */ 1011 if (EVP_MD_pkey_type(EVP_MD_CTX_md(mdc)) == md_type) 1012 break; 1013 btmp = BIO_next(btmp); 1014 } 1015 1016 /* mdc is the digest ctx that we want, unless there are attributes, 1017 * in which case the digest is the signed attributes */ 1018 if (!EVP_MD_CTX_copy_ex(&mdc_tmp, mdc)) 1019 goto err; 1020 1021 sk = si->auth_attr; 1022 if ((sk != NULL) && (sk_X509_ATTRIBUTE_num(sk) != 0)) { 1023 unsigned char md_dat[EVP_MAX_MD_SIZE], *abuf = NULL; 1024 unsigned int md_len; 1025 int alen; 1026 ASN1_OCTET_STRING *message_digest; 1027 1028 if (!EVP_DigestFinal_ex(&mdc_tmp, md_dat, &md_len)) 1029 goto err; 1030 message_digest = PKCS7_digest_from_attributes(sk); 1031 if (!message_digest) { 1032 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, 1033 PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST); 1034 goto err; 1035 } 1036 if ((message_digest->length != (int)md_len) || 1037 (memcmp(message_digest->data, md_dat, md_len))) { 1038 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, 1039 PKCS7_R_DIGEST_FAILURE); 1040 ret = -1; 1041 goto err; 1042 } 1043 1044 if (!EVP_VerifyInit_ex(&mdc_tmp, EVP_get_digestbynid(md_type), 1045 NULL)) 1046 goto err; 1047 1048 alen = ASN1_item_i2d((ASN1_VALUE *)sk, &abuf, 1049 ASN1_ITEM_rptr(PKCS7_ATTR_VERIFY)); 1050 if (alen <= 0) { 1051 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, ERR_R_ASN1_LIB); 1052 ret = -1; 1053 goto err; 1054 } 1055 if (!EVP_VerifyUpdate(&mdc_tmp, abuf, alen)) 1056 goto err; 1057 1058 free(abuf); 1059 } 1060 1061 os = si->enc_digest; 1062 pkey = X509_get_pubkey(x509); 1063 if (!pkey) { 1064 ret = -1; 1065 goto err; 1066 } 1067 1068 i = EVP_VerifyFinal(&mdc_tmp, os->data, os->length, pkey); 1069 EVP_PKEY_free(pkey); 1070 if (i <= 0) { 1071 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, 1072 PKCS7_R_SIGNATURE_FAILURE); 1073 ret = -1; 1074 goto err; 1075 } else 1076 ret = 1; 1077 err: 1078 EVP_MD_CTX_cleanup(&mdc_tmp); 1079 return (ret); 1080 } 1081 1082 PKCS7_ISSUER_AND_SERIAL * 1083 PKCS7_get_issuer_and_serial(PKCS7 *p7, int idx) 1084 { 1085 STACK_OF(PKCS7_RECIP_INFO) *rsk; 1086 PKCS7_RECIP_INFO *ri; 1087 int i; 1088 1089 i = OBJ_obj2nid(p7->type); 1090 if (i != NID_pkcs7_signedAndEnveloped) 1091 return NULL; 1092 if (p7->d.signed_and_enveloped == NULL) 1093 return NULL; 1094 rsk = p7->d.signed_and_enveloped->recipientinfo; 1095 if (rsk == NULL) 1096 return NULL; 1097 ri = sk_PKCS7_RECIP_INFO_value(rsk, 0); 1098 if (sk_PKCS7_RECIP_INFO_num(rsk) <= idx) 1099 return (NULL); 1100 ri = sk_PKCS7_RECIP_INFO_value(rsk, idx); 1101 return (ri->issuer_and_serial); 1102 } 1103 1104 ASN1_TYPE * 1105 PKCS7_get_signed_attribute(PKCS7_SIGNER_INFO *si, int nid) 1106 { 1107 return (get_attribute(si->auth_attr, nid)); 1108 } 1109 1110 ASN1_TYPE * 1111 PKCS7_get_attribute(PKCS7_SIGNER_INFO *si, int nid) 1112 { 1113 return (get_attribute(si->unauth_attr, nid)); 1114 } 1115 1116 static ASN1_TYPE * 1117 get_attribute(STACK_OF(X509_ATTRIBUTE) *sk, int nid) 1118 { 1119 int i; 1120 X509_ATTRIBUTE *xa; 1121 ASN1_OBJECT *o; 1122 1123 o = OBJ_nid2obj(nid); 1124 if (!o || !sk) 1125 return (NULL); 1126 for (i = 0; i < sk_X509_ATTRIBUTE_num(sk); i++) { 1127 xa = sk_X509_ATTRIBUTE_value(sk, i); 1128 if (OBJ_cmp(xa->object, o) == 0) { 1129 if (!xa->single && sk_ASN1_TYPE_num(xa->value.set)) 1130 return (sk_ASN1_TYPE_value(xa->value.set, 0)); 1131 else 1132 return (NULL); 1133 } 1134 } 1135 return (NULL); 1136 } 1137 1138 ASN1_OCTET_STRING * 1139 PKCS7_digest_from_attributes(STACK_OF(X509_ATTRIBUTE) *sk) 1140 { 1141 ASN1_TYPE *astype; 1142 1143 if (!(astype = get_attribute(sk, NID_pkcs9_messageDigest))) 1144 return NULL; 1145 return astype->value.octet_string; 1146 } 1147 1148 int 1149 PKCS7_set_signed_attributes(PKCS7_SIGNER_INFO *p7si, 1150 STACK_OF(X509_ATTRIBUTE) *sk) 1151 { 1152 int i; 1153 1154 if (p7si->auth_attr != NULL) 1155 sk_X509_ATTRIBUTE_pop_free(p7si->auth_attr, 1156 X509_ATTRIBUTE_free); 1157 p7si->auth_attr = sk_X509_ATTRIBUTE_dup(sk); 1158 if (p7si->auth_attr == NULL) 1159 return 0; 1160 for (i = 0; i < sk_X509_ATTRIBUTE_num(sk); i++) { 1161 if ((sk_X509_ATTRIBUTE_set(p7si->auth_attr, i, 1162 X509_ATTRIBUTE_dup(sk_X509_ATTRIBUTE_value(sk, i)))) 1163 == NULL) 1164 return (0); 1165 } 1166 return (1); 1167 } 1168 1169 int 1170 PKCS7_set_attributes(PKCS7_SIGNER_INFO *p7si, STACK_OF(X509_ATTRIBUTE) *sk) 1171 { 1172 int i; 1173 1174 if (p7si->unauth_attr != NULL) 1175 sk_X509_ATTRIBUTE_pop_free(p7si->unauth_attr, 1176 X509_ATTRIBUTE_free); 1177 p7si->unauth_attr = sk_X509_ATTRIBUTE_dup(sk); 1178 if (p7si->unauth_attr == NULL) 1179 return 0; 1180 for (i = 0; i < sk_X509_ATTRIBUTE_num(sk); i++) { 1181 if ((sk_X509_ATTRIBUTE_set(p7si->unauth_attr, i, 1182 X509_ATTRIBUTE_dup(sk_X509_ATTRIBUTE_value(sk, i)))) 1183 == NULL) 1184 return (0); 1185 } 1186 return (1); 1187 } 1188 1189 int 1190 PKCS7_add_signed_attribute(PKCS7_SIGNER_INFO *p7si, int nid, int atrtype, 1191 void *value) 1192 { 1193 return (add_attribute(&(p7si->auth_attr), nid, atrtype, value)); 1194 } 1195 1196 int 1197 PKCS7_add_attribute(PKCS7_SIGNER_INFO *p7si, int nid, int atrtype, void *value) 1198 { 1199 return (add_attribute(&(p7si->unauth_attr), nid, atrtype, value)); 1200 } 1201 1202 static int 1203 add_attribute(STACK_OF(X509_ATTRIBUTE) **sk, int nid, int atrtype, void *value) 1204 { 1205 X509_ATTRIBUTE *attr = NULL; 1206 1207 if (*sk == NULL) { 1208 *sk = sk_X509_ATTRIBUTE_new_null(); 1209 if (*sk == NULL) 1210 return 0; 1211 new_attrib: 1212 if (!(attr = X509_ATTRIBUTE_create(nid, atrtype, value))) 1213 return 0; 1214 if (!sk_X509_ATTRIBUTE_push(*sk, attr)) { 1215 X509_ATTRIBUTE_free(attr); 1216 return 0; 1217 } 1218 } else { 1219 int i; 1220 1221 for (i = 0; i < sk_X509_ATTRIBUTE_num(*sk); i++) { 1222 attr = sk_X509_ATTRIBUTE_value(*sk, i); 1223 if (OBJ_obj2nid(attr->object) == nid) { 1224 X509_ATTRIBUTE_free(attr); 1225 attr = X509_ATTRIBUTE_create(nid, atrtype, 1226 value); 1227 if (attr == NULL) 1228 return 0; 1229 if (!sk_X509_ATTRIBUTE_set(*sk, i, attr)) { 1230 X509_ATTRIBUTE_free(attr); 1231 return 0; 1232 } 1233 goto end; 1234 } 1235 } 1236 goto new_attrib; 1237 } 1238 end: 1239 return (1); 1240 } 1241