1 /* $OpenBSD: pk7_doit.c,v 1.50 2022/12/26 07:18:52 jmc Exp $ */ 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 59 #include <stdio.h> 60 #include <stdlib.h> 61 #include <string.h> 62 63 #include <openssl/err.h> 64 #include <openssl/objects.h> 65 #include <openssl/x509.h> 66 #include <openssl/x509v3.h> 67 68 #include "evp_local.h" 69 #include "x509_local.h" 70 71 static int add_attribute(STACK_OF(X509_ATTRIBUTE) **sk, int nid, int atrtype, 72 void *value); 73 static ASN1_TYPE *get_attribute(STACK_OF(X509_ATTRIBUTE) *sk, int nid); 74 75 static int 76 PKCS7_type_is_other(PKCS7* p7) 77 { 78 int isOther = 1; 79 80 int nid = OBJ_obj2nid(p7->type); 81 82 switch (nid ) { 83 case NID_pkcs7_data: 84 case NID_pkcs7_signed: 85 case NID_pkcs7_enveloped: 86 case NID_pkcs7_signedAndEnveloped: 87 case NID_pkcs7_digest: 88 case NID_pkcs7_encrypted: 89 isOther = 0; 90 break; 91 default: 92 isOther = 1; 93 } 94 95 return isOther; 96 97 } 98 99 static ASN1_OCTET_STRING * 100 PKCS7_get_octet_string(PKCS7 *p7) 101 { 102 if (PKCS7_type_is_data(p7)) 103 return p7->d.data; 104 if (PKCS7_type_is_other(p7) && p7->d.other && 105 (p7->d.other->type == V_ASN1_OCTET_STRING)) 106 return p7->d.other->value.octet_string; 107 return NULL; 108 } 109 110 static int 111 PKCS7_bio_add_digest(BIO **pbio, X509_ALGOR *alg) 112 { 113 BIO *btmp; 114 const EVP_MD *md; 115 if ((btmp = BIO_new(BIO_f_md())) == NULL) { 116 PKCS7error(ERR_R_BIO_LIB); 117 goto err; 118 } 119 120 md = EVP_get_digestbyobj(alg->algorithm); 121 if (md == NULL) { 122 PKCS7error(PKCS7_R_UNKNOWN_DIGEST_TYPE); 123 goto err; 124 } 125 126 BIO_set_md(btmp, md); 127 if (*pbio == NULL) 128 *pbio = btmp; 129 else if (!BIO_push(*pbio, btmp)) { 130 PKCS7error(ERR_R_BIO_LIB); 131 goto err; 132 } 133 btmp = NULL; 134 135 return 1; 136 137 err: 138 BIO_free(btmp); 139 return 0; 140 141 } 142 143 static int 144 pkcs7_encode_rinfo(PKCS7_RECIP_INFO *ri, unsigned char *key, int keylen) 145 { 146 EVP_PKEY_CTX *pctx = NULL; 147 EVP_PKEY *pkey = NULL; 148 unsigned char *ek = NULL; 149 int ret = 0; 150 size_t eklen; 151 152 pkey = X509_get_pubkey(ri->cert); 153 if (!pkey) 154 return 0; 155 156 pctx = EVP_PKEY_CTX_new(pkey, NULL); 157 if (!pctx) 158 return 0; 159 160 if (EVP_PKEY_encrypt_init(pctx) <= 0) 161 goto err; 162 163 if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_ENCRYPT, 164 EVP_PKEY_CTRL_PKCS7_ENCRYPT, 0, ri) <= 0) { 165 PKCS7error(PKCS7_R_CTRL_ERROR); 166 goto err; 167 } 168 169 if (EVP_PKEY_encrypt(pctx, NULL, &eklen, key, keylen) <= 0) 170 goto err; 171 172 ek = malloc(eklen); 173 174 if (ek == NULL) { 175 PKCS7error(ERR_R_MALLOC_FAILURE); 176 goto err; 177 } 178 179 if (EVP_PKEY_encrypt(pctx, ek, &eklen, key, keylen) <= 0) 180 goto err; 181 182 ASN1_STRING_set0(ri->enc_key, ek, eklen); 183 ek = NULL; 184 185 ret = 1; 186 187 err: 188 EVP_PKEY_free(pkey); 189 EVP_PKEY_CTX_free(pctx); 190 free(ek); 191 return ret; 192 } 193 194 195 static int 196 pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen, PKCS7_RECIP_INFO *ri, 197 EVP_PKEY *pkey, size_t fixlen) 198 { 199 EVP_PKEY_CTX *pctx = NULL; 200 unsigned char *ek = NULL; 201 size_t eklen; 202 203 int ret = -1; 204 205 pctx = EVP_PKEY_CTX_new(pkey, NULL); 206 if (!pctx) 207 return -1; 208 209 if (EVP_PKEY_decrypt_init(pctx) <= 0) 210 goto err; 211 212 if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_DECRYPT, 213 EVP_PKEY_CTRL_PKCS7_DECRYPT, 0, ri) <= 0) { 214 PKCS7error(PKCS7_R_CTRL_ERROR); 215 goto err; 216 } 217 218 if (EVP_PKEY_decrypt(pctx, NULL, &eklen, 219 ri->enc_key->data, ri->enc_key->length) <= 0) 220 goto err; 221 222 ek = malloc(eklen); 223 if (ek == NULL) { 224 PKCS7error(ERR_R_MALLOC_FAILURE); 225 goto err; 226 } 227 228 if (EVP_PKEY_decrypt(pctx, ek, &eklen, ri->enc_key->data, 229 ri->enc_key->length) <= 0 || eklen == 0 || 230 (fixlen != 0 && eklen != fixlen)) { 231 ret = 0; 232 PKCS7error(ERR_R_EVP_LIB); 233 goto err; 234 } 235 236 ret = 1; 237 238 freezero(*pek, *peklen); 239 240 *pek = ek; 241 *peklen = eklen; 242 243 err: 244 EVP_PKEY_CTX_free(pctx); 245 if (!ret && ek) 246 free(ek); 247 248 return ret; 249 } 250 251 BIO * 252 PKCS7_dataInit(PKCS7 *p7, BIO *bio) 253 { 254 int i; 255 BIO *out = NULL, *btmp = NULL; 256 X509_ALGOR *xa = NULL; 257 const EVP_CIPHER *evp_cipher = NULL; 258 STACK_OF(X509_ALGOR) *md_sk = NULL; 259 STACK_OF(PKCS7_RECIP_INFO) *rsk = NULL; 260 X509_ALGOR *xalg = NULL; 261 PKCS7_RECIP_INFO *ri = NULL; 262 ASN1_OCTET_STRING *os = NULL; 263 264 if (p7 == NULL) { 265 PKCS7error(PKCS7_R_INVALID_NULL_POINTER); 266 return NULL; 267 } 268 269 /* 270 * The content field in the PKCS7 ContentInfo is optional, 271 * but that really only applies to inner content (precisely, 272 * detached signatures). 273 * 274 * When reading content, missing outer content is therefore 275 * treated as an error. 276 * 277 * When creating content, PKCS7_content_new() must be called 278 * before calling this method, so a NULL p7->d is always 279 * an error. 280 */ 281 if (p7->d.ptr == NULL) { 282 PKCS7error(PKCS7_R_NO_CONTENT); 283 return NULL; 284 } 285 286 i = OBJ_obj2nid(p7->type); 287 p7->state = PKCS7_S_HEADER; 288 289 switch (i) { 290 case NID_pkcs7_signed: 291 md_sk = p7->d.sign->md_algs; 292 os = PKCS7_get_octet_string(p7->d.sign->contents); 293 break; 294 case NID_pkcs7_signedAndEnveloped: 295 rsk = p7->d.signed_and_enveloped->recipientinfo; 296 md_sk = p7->d.signed_and_enveloped->md_algs; 297 xalg = p7->d.signed_and_enveloped->enc_data->algorithm; 298 evp_cipher = p7->d.signed_and_enveloped->enc_data->cipher; 299 if (evp_cipher == NULL) { 300 PKCS7error(PKCS7_R_CIPHER_NOT_INITIALIZED); 301 goto err; 302 } 303 break; 304 case NID_pkcs7_enveloped: 305 rsk = p7->d.enveloped->recipientinfo; 306 xalg = p7->d.enveloped->enc_data->algorithm; 307 evp_cipher = p7->d.enveloped->enc_data->cipher; 308 if (evp_cipher == NULL) { 309 PKCS7error(PKCS7_R_CIPHER_NOT_INITIALIZED); 310 goto err; 311 } 312 break; 313 case NID_pkcs7_digest: 314 xa = p7->d.digest->md; 315 os = PKCS7_get_octet_string(p7->d.digest->contents); 316 break; 317 case NID_pkcs7_data: 318 break; 319 default: 320 PKCS7error(PKCS7_R_UNSUPPORTED_CONTENT_TYPE); 321 goto err; 322 } 323 324 for (i = 0; i < sk_X509_ALGOR_num(md_sk); i++) 325 if (!PKCS7_bio_add_digest(&out, sk_X509_ALGOR_value(md_sk, i))) 326 goto err; 327 328 if (xa && !PKCS7_bio_add_digest(&out, xa)) 329 goto err; 330 331 if (evp_cipher != NULL) { 332 unsigned char key[EVP_MAX_KEY_LENGTH]; 333 unsigned char iv[EVP_MAX_IV_LENGTH]; 334 int keylen, ivlen; 335 EVP_CIPHER_CTX *ctx; 336 337 if ((btmp = BIO_new(BIO_f_cipher())) == NULL) { 338 PKCS7error(ERR_R_BIO_LIB); 339 goto err; 340 } 341 BIO_get_cipher_ctx(btmp, &ctx); 342 keylen = EVP_CIPHER_key_length(evp_cipher); 343 ivlen = EVP_CIPHER_iv_length(evp_cipher); 344 xalg->algorithm = OBJ_nid2obj(EVP_CIPHER_type(evp_cipher)); 345 if (ivlen > 0) 346 arc4random_buf(iv, ivlen); 347 if (EVP_CipherInit_ex(ctx, evp_cipher, NULL, NULL, 348 NULL, 1) <= 0) 349 goto err; 350 if (EVP_CIPHER_CTX_rand_key(ctx, key) <= 0) 351 goto err; 352 if (EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, 1) <= 0) 353 goto err; 354 355 if (ivlen > 0) { 356 if (xalg->parameter == NULL) { 357 xalg->parameter = ASN1_TYPE_new(); 358 if (xalg->parameter == NULL) 359 goto err; 360 } 361 if (EVP_CIPHER_param_to_asn1(ctx, xalg->parameter) < 0) 362 goto err; 363 } 364 365 /* Lets do the pub key stuff :-) */ 366 for (i = 0; i < sk_PKCS7_RECIP_INFO_num(rsk); i++) { 367 ri = sk_PKCS7_RECIP_INFO_value(rsk, i); 368 if (pkcs7_encode_rinfo(ri, key, keylen) <= 0) 369 goto err; 370 } 371 explicit_bzero(key, keylen); 372 373 if (out == NULL) 374 out = btmp; 375 else 376 BIO_push(out, btmp); 377 btmp = NULL; 378 } 379 380 if (bio == NULL) { 381 if (PKCS7_is_detached(p7)) 382 bio = BIO_new(BIO_s_null()); 383 else if (os && os->length > 0) 384 bio = BIO_new_mem_buf(os->data, os->length); 385 if (bio == NULL) { 386 bio = BIO_new(BIO_s_mem()); 387 if (bio == NULL) 388 goto err; 389 BIO_set_mem_eof_return(bio, 0); 390 } 391 } 392 if (out) 393 BIO_push(out, bio); 394 else 395 out = bio; 396 bio = NULL; 397 if (0) { 398 err: 399 if (out != NULL) 400 BIO_free_all(out); 401 if (btmp != NULL) 402 BIO_free_all(btmp); 403 out = NULL; 404 } 405 return (out); 406 } 407 LCRYPTO_ALIAS(PKCS7_dataInit) 408 409 static int 410 pkcs7_cmp_ri(PKCS7_RECIP_INFO *ri, X509 *pcert) 411 { 412 int ret; 413 414 ret = X509_NAME_cmp(ri->issuer_and_serial->issuer, 415 pcert->cert_info->issuer); 416 if (ret) 417 return ret; 418 return ASN1_INTEGER_cmp(pcert->cert_info->serialNumber, 419 ri->issuer_and_serial->serial); 420 } 421 422 /* int */ 423 BIO * 424 PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) 425 { 426 int i, j; 427 BIO *out = NULL, *btmp = NULL, *etmp = NULL, *bio = NULL; 428 X509_ALGOR *xa; 429 ASN1_OCTET_STRING *data_body = NULL; 430 const EVP_MD *evp_md; 431 const EVP_CIPHER *evp_cipher = NULL; 432 EVP_CIPHER_CTX *evp_ctx = NULL; 433 X509_ALGOR *enc_alg = NULL; 434 STACK_OF(X509_ALGOR) *md_sk = NULL; 435 STACK_OF(PKCS7_RECIP_INFO) *rsk = NULL; 436 PKCS7_RECIP_INFO *ri = NULL; 437 unsigned char *ek = NULL, *tkey = NULL; 438 int eklen = 0, tkeylen = 0; 439 440 if (p7 == NULL) { 441 PKCS7error(PKCS7_R_INVALID_NULL_POINTER); 442 return NULL; 443 } 444 445 if (p7->d.ptr == NULL) { 446 PKCS7error(PKCS7_R_NO_CONTENT); 447 return NULL; 448 } 449 450 i = OBJ_obj2nid(p7->type); 451 p7->state = PKCS7_S_HEADER; 452 453 switch (i) { 454 case NID_pkcs7_signed: 455 data_body = PKCS7_get_octet_string(p7->d.sign->contents); 456 md_sk = p7->d.sign->md_algs; 457 break; 458 case NID_pkcs7_signedAndEnveloped: 459 rsk = p7->d.signed_and_enveloped->recipientinfo; 460 md_sk = p7->d.signed_and_enveloped->md_algs; 461 data_body = p7->d.signed_and_enveloped->enc_data->enc_data; 462 enc_alg = p7->d.signed_and_enveloped->enc_data->algorithm; 463 evp_cipher = EVP_get_cipherbyobj(enc_alg->algorithm); 464 if (evp_cipher == NULL) { 465 PKCS7error(PKCS7_R_UNSUPPORTED_CIPHER_TYPE); 466 goto err; 467 } 468 break; 469 case NID_pkcs7_enveloped: 470 rsk = p7->d.enveloped->recipientinfo; 471 enc_alg = p7->d.enveloped->enc_data->algorithm; 472 data_body = p7->d.enveloped->enc_data->enc_data; 473 evp_cipher = EVP_get_cipherbyobj(enc_alg->algorithm); 474 if (evp_cipher == NULL) { 475 PKCS7error(PKCS7_R_UNSUPPORTED_CIPHER_TYPE); 476 goto err; 477 } 478 break; 479 default: 480 PKCS7error(PKCS7_R_UNSUPPORTED_CONTENT_TYPE); 481 goto err; 482 } 483 484 /* We will be checking the signature */ 485 if (md_sk != NULL) { 486 for (i = 0; i < sk_X509_ALGOR_num(md_sk); i++) { 487 xa = sk_X509_ALGOR_value(md_sk, i); 488 if ((btmp = BIO_new(BIO_f_md())) == NULL) { 489 PKCS7error(ERR_R_BIO_LIB); 490 goto err; 491 } 492 493 j = OBJ_obj2nid(xa->algorithm); 494 evp_md = EVP_get_digestbynid(j); 495 if (evp_md == NULL) { 496 PKCS7error(PKCS7_R_UNKNOWN_DIGEST_TYPE); 497 goto err; 498 } 499 500 BIO_set_md(btmp, evp_md); 501 if (out == NULL) 502 out = btmp; 503 else 504 BIO_push(out, btmp); 505 btmp = NULL; 506 } 507 } 508 509 if (evp_cipher != NULL) { 510 if ((etmp = BIO_new(BIO_f_cipher())) == NULL) { 511 PKCS7error(ERR_R_BIO_LIB); 512 goto err; 513 } 514 515 /* It was encrypted, we need to decrypt the secret key 516 * with the private key */ 517 518 /* Find the recipientInfo which matches the passed certificate 519 * (if any) 520 */ 521 if (pcert) { 522 for (i = 0; i < sk_PKCS7_RECIP_INFO_num(rsk); i++) { 523 ri = sk_PKCS7_RECIP_INFO_value(rsk, i); 524 if (!pkcs7_cmp_ri(ri, pcert)) 525 break; 526 ri = NULL; 527 } 528 if (ri == NULL) { 529 PKCS7error(PKCS7_R_NO_RECIPIENT_MATCHES_CERTIFICATE); 530 goto err; 531 } 532 } 533 534 /* If we haven't got a certificate try each ri in turn */ 535 if (pcert == NULL) { 536 /* Always attempt to decrypt all rinfo even 537 * after success as a defence against MMA timing 538 * attacks. 539 */ 540 for (i = 0; i < sk_PKCS7_RECIP_INFO_num(rsk); i++) { 541 ri = sk_PKCS7_RECIP_INFO_value(rsk, i); 542 543 if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey, 544 EVP_CIPHER_key_length(evp_cipher)) < 0) 545 goto err; 546 ERR_clear_error(); 547 } 548 } else { 549 /* Only exit on fatal errors, not decrypt failure */ 550 if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey, 0) < 0) 551 goto err; 552 ERR_clear_error(); 553 } 554 555 evp_ctx = NULL; 556 BIO_get_cipher_ctx(etmp, &evp_ctx); 557 if (EVP_CipherInit_ex(evp_ctx, evp_cipher, NULL, NULL, 558 NULL, 0) <= 0) 559 goto err; 560 if (EVP_CIPHER_asn1_to_param(evp_ctx, enc_alg->parameter) < 0) 561 goto err; 562 /* Generate random key as MMA defence */ 563 tkeylen = EVP_CIPHER_CTX_key_length(evp_ctx); 564 tkey = malloc(tkeylen); 565 if (!tkey) 566 goto err; 567 if (EVP_CIPHER_CTX_rand_key(evp_ctx, tkey) <= 0) 568 goto err; 569 if (ek == NULL) { 570 ek = tkey; 571 eklen = tkeylen; 572 tkey = NULL; 573 } 574 575 if (eklen != EVP_CIPHER_CTX_key_length(evp_ctx)) { 576 /* Some S/MIME clients don't use the same key 577 * and effective key length. The key length is 578 * determined by the size of the decrypted RSA key. 579 */ 580 if (!EVP_CIPHER_CTX_set_key_length(evp_ctx, eklen)) { 581 /* Use random key as MMA defence */ 582 freezero(ek, eklen); 583 ek = tkey; 584 eklen = tkeylen; 585 tkey = NULL; 586 } 587 } 588 /* Clear errors so we don't leak information useful in MMA */ 589 ERR_clear_error(); 590 if (EVP_CipherInit_ex(evp_ctx, NULL, NULL, ek, NULL, 0) <= 0) 591 goto err; 592 593 freezero(ek, eklen); 594 ek = NULL; 595 freezero(tkey, tkeylen); 596 tkey = NULL; 597 598 if (out == NULL) 599 out = etmp; 600 else 601 BIO_push(out, etmp); 602 etmp = NULL; 603 } 604 605 if (PKCS7_is_detached(p7) || (in_bio != NULL)) { 606 bio = in_bio; 607 } else { 608 if (data_body != NULL && data_body->length > 0) 609 bio = BIO_new_mem_buf(data_body->data, data_body->length); 610 else { 611 bio = BIO_new(BIO_s_mem()); 612 BIO_set_mem_eof_return(bio, 0); 613 } 614 if (bio == NULL) 615 goto err; 616 } 617 BIO_push(out, bio); 618 619 if (0) { 620 err: 621 freezero(ek, eklen); 622 freezero(tkey, tkeylen); 623 if (out != NULL) 624 BIO_free_all(out); 625 if (btmp != NULL) 626 BIO_free_all(btmp); 627 if (etmp != NULL) 628 BIO_free_all(etmp); 629 out = NULL; 630 } 631 return (out); 632 } 633 LCRYPTO_ALIAS(PKCS7_dataDecode) 634 635 static BIO * 636 PKCS7_find_digest(EVP_MD_CTX **pmd, BIO *bio, int nid) 637 { 638 for (;;) { 639 bio = BIO_find_type(bio, BIO_TYPE_MD); 640 if (bio == NULL) { 641 PKCS7error(PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST); 642 return NULL; 643 } 644 BIO_get_md_ctx(bio, pmd); 645 if (*pmd == NULL) { 646 PKCS7error(ERR_R_INTERNAL_ERROR); 647 return NULL; 648 } 649 if (EVP_MD_CTX_type(*pmd) == nid) 650 return bio; 651 bio = BIO_next(bio); 652 } 653 return NULL; 654 } 655 656 static int 657 do_pkcs7_signed_attrib(PKCS7_SIGNER_INFO *si, EVP_MD_CTX *mctx) 658 { 659 unsigned char md_data[EVP_MAX_MD_SIZE]; 660 unsigned int md_len; 661 662 /* Add signing time if not already present */ 663 if (!PKCS7_get_signed_attribute(si, NID_pkcs9_signingTime)) { 664 if (!PKCS7_add0_attrib_signing_time(si, NULL)) { 665 PKCS7error(ERR_R_MALLOC_FAILURE); 666 return 0; 667 } 668 } 669 670 /* Add digest */ 671 if (!EVP_DigestFinal_ex(mctx, md_data, &md_len)) { 672 PKCS7error(ERR_R_EVP_LIB); 673 return 0; 674 } 675 if (!PKCS7_add1_attrib_digest(si, md_data, md_len)) { 676 PKCS7error(ERR_R_MALLOC_FAILURE); 677 return 0; 678 } 679 680 /* Now sign the attributes */ 681 if (!PKCS7_SIGNER_INFO_sign(si)) 682 return 0; 683 684 return 1; 685 } 686 687 688 int 689 PKCS7_dataFinal(PKCS7 *p7, BIO *bio) 690 { 691 int ret = 0; 692 int i, j; 693 BIO *btmp; 694 PKCS7_SIGNER_INFO *si; 695 EVP_MD_CTX *mdc, ctx_tmp; 696 STACK_OF(X509_ATTRIBUTE) *sk; 697 STACK_OF(PKCS7_SIGNER_INFO) *si_sk = NULL; 698 ASN1_OCTET_STRING *os = NULL; 699 700 if (p7 == NULL) { 701 PKCS7error(PKCS7_R_INVALID_NULL_POINTER); 702 return 0; 703 } 704 705 if (p7->d.ptr == NULL) { 706 PKCS7error(PKCS7_R_NO_CONTENT); 707 return 0; 708 } 709 710 EVP_MD_CTX_init(&ctx_tmp); 711 i = OBJ_obj2nid(p7->type); 712 p7->state = PKCS7_S_HEADER; 713 714 switch (i) { 715 case NID_pkcs7_data: 716 os = p7->d.data; 717 break; 718 case NID_pkcs7_signedAndEnveloped: 719 /* XXX */ 720 si_sk = p7->d.signed_and_enveloped->signer_info; 721 os = p7->d.signed_and_enveloped->enc_data->enc_data; 722 if (!os) { 723 os = ASN1_OCTET_STRING_new(); 724 if (!os) { 725 PKCS7error(ERR_R_MALLOC_FAILURE); 726 goto err; 727 } 728 p7->d.signed_and_enveloped->enc_data->enc_data = os; 729 } 730 break; 731 case NID_pkcs7_enveloped: 732 /* XXX */ 733 os = p7->d.enveloped->enc_data->enc_data; 734 if (!os) { 735 os = ASN1_OCTET_STRING_new(); 736 if (!os) { 737 PKCS7error(ERR_R_MALLOC_FAILURE); 738 goto err; 739 } 740 p7->d.enveloped->enc_data->enc_data = os; 741 } 742 break; 743 case NID_pkcs7_signed: 744 si_sk = p7->d.sign->signer_info; 745 os = PKCS7_get_octet_string(p7->d.sign->contents); 746 if (!PKCS7_is_detached(p7) && os == NULL) { 747 PKCS7error(PKCS7_R_DECODE_ERROR); 748 goto err; 749 } 750 /* If detached data then the content is excluded */ 751 if (PKCS7_type_is_data(p7->d.sign->contents) && p7->detached) { 752 ASN1_OCTET_STRING_free(os); 753 os = NULL; 754 p7->d.sign->contents->d.data = NULL; 755 } 756 break; 757 758 case NID_pkcs7_digest: 759 os = PKCS7_get_octet_string(p7->d.digest->contents); 760 if (os == NULL) { 761 PKCS7error(PKCS7_R_DECODE_ERROR); 762 goto err; 763 } 764 /* If detached data then the content is excluded */ 765 if (PKCS7_type_is_data(p7->d.digest->contents) && 766 p7->detached) { 767 ASN1_OCTET_STRING_free(os); 768 os = NULL; 769 p7->d.digest->contents->d.data = NULL; 770 } 771 break; 772 773 default: 774 PKCS7error(PKCS7_R_UNSUPPORTED_CONTENT_TYPE); 775 goto err; 776 } 777 778 if (si_sk != NULL) { 779 for (i = 0; i < sk_PKCS7_SIGNER_INFO_num(si_sk); i++) { 780 si = sk_PKCS7_SIGNER_INFO_value(si_sk, i); 781 if (si->pkey == NULL) 782 continue; 783 784 j = OBJ_obj2nid(si->digest_alg->algorithm); 785 786 if ((btmp = PKCS7_find_digest(&mdc, bio, j)) == NULL) 787 goto err; 788 789 /* We now have the EVP_MD_CTX, lets do the 790 * signing. */ 791 if (!EVP_MD_CTX_copy_ex(&ctx_tmp, mdc)) 792 goto err; 793 794 sk = si->auth_attr; 795 796 /* If there are attributes, we add the digest 797 * attribute and only sign the attributes */ 798 if (sk_X509_ATTRIBUTE_num(sk) > 0) { 799 if (!do_pkcs7_signed_attrib(si, &ctx_tmp)) 800 goto err; 801 } else { 802 unsigned char *abuf = NULL; 803 unsigned int abuflen; 804 abuflen = EVP_PKEY_size(si->pkey); 805 abuf = malloc(abuflen); 806 if (!abuf) 807 goto err; 808 809 if (!EVP_SignFinal(&ctx_tmp, abuf, &abuflen, 810 si->pkey)) { 811 PKCS7error(ERR_R_EVP_LIB); 812 goto err; 813 } 814 ASN1_STRING_set0(si->enc_digest, abuf, abuflen); 815 } 816 } 817 } else if (i == NID_pkcs7_digest) { 818 unsigned char md_data[EVP_MAX_MD_SIZE]; 819 unsigned int md_len; 820 821 if (!PKCS7_find_digest(&mdc, bio, 822 OBJ_obj2nid(p7->d.digest->md->algorithm))) 823 goto err; 824 if (!EVP_DigestFinal_ex(mdc, md_data, &md_len)) 825 goto err; 826 if (ASN1_STRING_set(p7->d.digest->digest, md_data, 827 md_len) == 0) 828 goto err; 829 } 830 831 if (!PKCS7_is_detached(p7)) { 832 /* 833 * NOTE: only reach os == NULL here because detached 834 * digested data support is broken? 835 */ 836 if (os == NULL) 837 goto err; 838 if (!(os->flags & ASN1_STRING_FLAG_NDEF)) { 839 char *cont; 840 long contlen; 841 842 btmp = BIO_find_type(bio, BIO_TYPE_MEM); 843 if (btmp == NULL) { 844 PKCS7error(PKCS7_R_UNABLE_TO_FIND_MEM_BIO); 845 goto err; 846 } 847 contlen = BIO_get_mem_data(btmp, &cont); 848 /* 849 * Mark the BIO read only then we can use its copy 850 * of the data instead of making an extra copy. 851 */ 852 BIO_set_flags(btmp, BIO_FLAGS_MEM_RDONLY); 853 BIO_set_mem_eof_return(btmp, 0); 854 ASN1_STRING_set0(os, (unsigned char *)cont, contlen); 855 } 856 } 857 ret = 1; 858 err: 859 EVP_MD_CTX_cleanup(&ctx_tmp); 860 return (ret); 861 } 862 LCRYPTO_ALIAS(PKCS7_dataFinal) 863 864 int 865 PKCS7_SIGNER_INFO_sign(PKCS7_SIGNER_INFO *si) 866 { 867 EVP_MD_CTX mctx; 868 EVP_PKEY_CTX *pctx; 869 unsigned char *abuf = NULL; 870 int alen; 871 size_t siglen; 872 const EVP_MD *md = NULL; 873 874 md = EVP_get_digestbyobj(si->digest_alg->algorithm); 875 if (md == NULL) 876 return 0; 877 878 EVP_MD_CTX_init(&mctx); 879 if (EVP_DigestSignInit(&mctx, &pctx, md, NULL, si->pkey) <= 0) 880 goto err; 881 882 if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN, 883 EVP_PKEY_CTRL_PKCS7_SIGN, 0, si) <= 0) { 884 PKCS7error(PKCS7_R_CTRL_ERROR); 885 goto err; 886 } 887 888 alen = ASN1_item_i2d((ASN1_VALUE *)si->auth_attr, &abuf, 889 &PKCS7_ATTR_SIGN_it); 890 if (!abuf) 891 goto err; 892 if (EVP_DigestSignUpdate(&mctx, abuf, alen) <= 0) 893 goto err; 894 free(abuf); 895 abuf = NULL; 896 if (EVP_DigestSignFinal(&mctx, NULL, &siglen) <= 0) 897 goto err; 898 abuf = malloc(siglen); 899 if (!abuf) 900 goto err; 901 if (EVP_DigestSignFinal(&mctx, abuf, &siglen) <= 0) 902 goto err; 903 904 if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN, 905 EVP_PKEY_CTRL_PKCS7_SIGN, 1, si) <= 0) { 906 PKCS7error(PKCS7_R_CTRL_ERROR); 907 goto err; 908 } 909 910 EVP_MD_CTX_cleanup(&mctx); 911 912 ASN1_STRING_set0(si->enc_digest, abuf, siglen); 913 914 return 1; 915 916 err: 917 free(abuf); 918 EVP_MD_CTX_cleanup(&mctx); 919 return 0; 920 } 921 LCRYPTO_ALIAS(PKCS7_SIGNER_INFO_sign) 922 923 int 924 PKCS7_dataVerify(X509_STORE *cert_store, X509_STORE_CTX *ctx, BIO *bio, 925 PKCS7 *p7, PKCS7_SIGNER_INFO *si) 926 { 927 PKCS7_ISSUER_AND_SERIAL *ias; 928 int ret = 0, i; 929 STACK_OF(X509) *cert; 930 X509 *x509; 931 932 if (p7 == NULL) { 933 PKCS7error(PKCS7_R_INVALID_NULL_POINTER); 934 return 0; 935 } 936 937 if (p7->d.ptr == NULL) { 938 PKCS7error(PKCS7_R_NO_CONTENT); 939 return 0; 940 } 941 942 if (PKCS7_type_is_signed(p7)) { 943 cert = p7->d.sign->cert; 944 } else if (PKCS7_type_is_signedAndEnveloped(p7)) { 945 cert = p7->d.signed_and_enveloped->cert; 946 } else { 947 PKCS7error(PKCS7_R_WRONG_PKCS7_TYPE); 948 goto err; 949 } 950 /* XXXX */ 951 ias = si->issuer_and_serial; 952 953 x509 = X509_find_by_issuer_and_serial(cert, ias->issuer, ias->serial); 954 955 /* were we able to find the cert in passed to us */ 956 if (x509 == NULL) { 957 PKCS7error(PKCS7_R_UNABLE_TO_FIND_CERTIFICATE); 958 goto err; 959 } 960 961 /* Lets verify */ 962 if (!X509_STORE_CTX_init(ctx, cert_store, x509, cert)) { 963 PKCS7error(ERR_R_X509_LIB); 964 goto err; 965 } 966 if (X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_SMIME_SIGN) == 0) { 967 X509_STORE_CTX_cleanup(ctx); 968 goto err; 969 } 970 i = X509_verify_cert(ctx); 971 if (i <= 0) { 972 PKCS7error(ERR_R_X509_LIB); 973 X509_STORE_CTX_cleanup(ctx); 974 goto err; 975 } 976 X509_STORE_CTX_cleanup(ctx); 977 978 return PKCS7_signatureVerify(bio, p7, si, x509); 979 err: 980 981 return ret; 982 } 983 LCRYPTO_ALIAS(PKCS7_dataVerify) 984 985 int 986 PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si, X509 *x509) 987 { 988 ASN1_OCTET_STRING *os; 989 EVP_MD_CTX mdc_tmp, *mdc; 990 int ret = 0, i; 991 int md_type; 992 STACK_OF(X509_ATTRIBUTE) *sk; 993 BIO *btmp; 994 EVP_PKEY *pkey; 995 996 EVP_MD_CTX_init(&mdc_tmp); 997 998 if (!PKCS7_type_is_signed(p7) && 999 !PKCS7_type_is_signedAndEnveloped(p7)) { 1000 PKCS7error(PKCS7_R_WRONG_PKCS7_TYPE); 1001 goto err; 1002 } 1003 1004 md_type = OBJ_obj2nid(si->digest_alg->algorithm); 1005 1006 btmp = bio; 1007 for (;;) { 1008 if ((btmp == NULL) || 1009 ((btmp = BIO_find_type(btmp, BIO_TYPE_MD)) == NULL)) { 1010 PKCS7error(PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST); 1011 goto err; 1012 } 1013 BIO_get_md_ctx(btmp, &mdc); 1014 if (mdc == NULL) { 1015 PKCS7error(ERR_R_INTERNAL_ERROR); 1016 goto err; 1017 } 1018 if (EVP_MD_CTX_type(mdc) == md_type) 1019 break; 1020 /* Workaround for some broken clients that put the signature 1021 * OID instead of the digest OID in digest_alg->algorithm 1022 */ 1023 if (EVP_MD_pkey_type(EVP_MD_CTX_md(mdc)) == md_type) 1024 break; 1025 btmp = BIO_next(btmp); 1026 } 1027 1028 /* mdc is the digest ctx that we want, unless there are attributes, 1029 * in which case the digest is the signed attributes */ 1030 if (!EVP_MD_CTX_copy_ex(&mdc_tmp, mdc)) 1031 goto err; 1032 1033 sk = si->auth_attr; 1034 if ((sk != NULL) && (sk_X509_ATTRIBUTE_num(sk) != 0)) { 1035 unsigned char md_dat[EVP_MAX_MD_SIZE], *abuf = NULL; 1036 unsigned int md_len; 1037 int alen; 1038 ASN1_OCTET_STRING *message_digest; 1039 1040 if (!EVP_DigestFinal_ex(&mdc_tmp, md_dat, &md_len)) 1041 goto err; 1042 message_digest = PKCS7_digest_from_attributes(sk); 1043 if (!message_digest) { 1044 PKCS7error(PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST); 1045 goto err; 1046 } 1047 if ((message_digest->length != (int)md_len) || 1048 (memcmp(message_digest->data, md_dat, md_len))) { 1049 PKCS7error(PKCS7_R_DIGEST_FAILURE); 1050 ret = -1; 1051 goto err; 1052 } 1053 1054 if (!EVP_VerifyInit_ex(&mdc_tmp, EVP_get_digestbynid(md_type), 1055 NULL)) 1056 goto err; 1057 1058 alen = ASN1_item_i2d((ASN1_VALUE *)sk, &abuf, 1059 &PKCS7_ATTR_VERIFY_it); 1060 if (alen <= 0) { 1061 PKCS7error(ERR_R_ASN1_LIB); 1062 ret = -1; 1063 goto err; 1064 } 1065 if (!EVP_VerifyUpdate(&mdc_tmp, abuf, alen)) 1066 goto err; 1067 1068 free(abuf); 1069 } 1070 1071 os = si->enc_digest; 1072 pkey = X509_get_pubkey(x509); 1073 if (!pkey) { 1074 ret = -1; 1075 goto err; 1076 } 1077 1078 i = EVP_VerifyFinal(&mdc_tmp, os->data, os->length, pkey); 1079 EVP_PKEY_free(pkey); 1080 if (i <= 0) { 1081 PKCS7error(PKCS7_R_SIGNATURE_FAILURE); 1082 ret = -1; 1083 goto err; 1084 } else 1085 ret = 1; 1086 err: 1087 EVP_MD_CTX_cleanup(&mdc_tmp); 1088 return (ret); 1089 } 1090 LCRYPTO_ALIAS(PKCS7_signatureVerify) 1091 1092 PKCS7_ISSUER_AND_SERIAL * 1093 PKCS7_get_issuer_and_serial(PKCS7 *p7, int idx) 1094 { 1095 STACK_OF(PKCS7_RECIP_INFO) *rsk; 1096 PKCS7_RECIP_INFO *ri; 1097 int i; 1098 1099 i = OBJ_obj2nid(p7->type); 1100 if (i != NID_pkcs7_signedAndEnveloped) 1101 return NULL; 1102 if (p7->d.signed_and_enveloped == NULL) 1103 return NULL; 1104 rsk = p7->d.signed_and_enveloped->recipientinfo; 1105 if (rsk == NULL) 1106 return NULL; 1107 ri = sk_PKCS7_RECIP_INFO_value(rsk, 0); 1108 if (sk_PKCS7_RECIP_INFO_num(rsk) <= idx) 1109 return (NULL); 1110 ri = sk_PKCS7_RECIP_INFO_value(rsk, idx); 1111 return (ri->issuer_and_serial); 1112 } 1113 LCRYPTO_ALIAS(PKCS7_get_issuer_and_serial) 1114 1115 ASN1_TYPE * 1116 PKCS7_get_signed_attribute(PKCS7_SIGNER_INFO *si, int nid) 1117 { 1118 return (get_attribute(si->auth_attr, nid)); 1119 } 1120 LCRYPTO_ALIAS(PKCS7_get_signed_attribute) 1121 1122 ASN1_TYPE * 1123 PKCS7_get_attribute(PKCS7_SIGNER_INFO *si, int nid) 1124 { 1125 return (get_attribute(si->unauth_attr, nid)); 1126 } 1127 LCRYPTO_ALIAS(PKCS7_get_attribute) 1128 1129 static ASN1_TYPE * 1130 get_attribute(STACK_OF(X509_ATTRIBUTE) *sk, int nid) 1131 { 1132 int i; 1133 X509_ATTRIBUTE *xa; 1134 ASN1_OBJECT *o; 1135 1136 o = OBJ_nid2obj(nid); 1137 if (!o || !sk) 1138 return (NULL); 1139 for (i = 0; i < sk_X509_ATTRIBUTE_num(sk); i++) { 1140 xa = sk_X509_ATTRIBUTE_value(sk, i); 1141 if (OBJ_cmp(xa->object, o) == 0) 1142 return (sk_ASN1_TYPE_value(xa->set, 0)); 1143 } 1144 return (NULL); 1145 } 1146 1147 ASN1_OCTET_STRING * 1148 PKCS7_digest_from_attributes(STACK_OF(X509_ATTRIBUTE) *sk) 1149 { 1150 ASN1_TYPE *astype; 1151 1152 if (!(astype = get_attribute(sk, NID_pkcs9_messageDigest))) 1153 return NULL; 1154 if (astype->type != V_ASN1_OCTET_STRING) 1155 return NULL; 1156 return astype->value.octet_string; 1157 } 1158 LCRYPTO_ALIAS(PKCS7_digest_from_attributes) 1159 1160 int 1161 PKCS7_set_signed_attributes(PKCS7_SIGNER_INFO *p7si, 1162 STACK_OF(X509_ATTRIBUTE) *sk) 1163 { 1164 int i; 1165 1166 if (p7si->auth_attr != NULL) 1167 sk_X509_ATTRIBUTE_pop_free(p7si->auth_attr, 1168 X509_ATTRIBUTE_free); 1169 p7si->auth_attr = sk_X509_ATTRIBUTE_dup(sk); 1170 if (p7si->auth_attr == NULL) 1171 return 0; 1172 for (i = 0; i < sk_X509_ATTRIBUTE_num(sk); i++) { 1173 if ((sk_X509_ATTRIBUTE_set(p7si->auth_attr, i, 1174 X509_ATTRIBUTE_dup(sk_X509_ATTRIBUTE_value(sk, i)))) 1175 == NULL) 1176 return (0); 1177 } 1178 return (1); 1179 } 1180 LCRYPTO_ALIAS(PKCS7_set_signed_attributes) 1181 1182 int 1183 PKCS7_set_attributes(PKCS7_SIGNER_INFO *p7si, STACK_OF(X509_ATTRIBUTE) *sk) 1184 { 1185 int i; 1186 1187 if (p7si->unauth_attr != NULL) 1188 sk_X509_ATTRIBUTE_pop_free(p7si->unauth_attr, 1189 X509_ATTRIBUTE_free); 1190 p7si->unauth_attr = sk_X509_ATTRIBUTE_dup(sk); 1191 if (p7si->unauth_attr == NULL) 1192 return 0; 1193 for (i = 0; i < sk_X509_ATTRIBUTE_num(sk); i++) { 1194 if ((sk_X509_ATTRIBUTE_set(p7si->unauth_attr, i, 1195 X509_ATTRIBUTE_dup(sk_X509_ATTRIBUTE_value(sk, i)))) 1196 == NULL) 1197 return (0); 1198 } 1199 return (1); 1200 } 1201 LCRYPTO_ALIAS(PKCS7_set_attributes) 1202 1203 int 1204 PKCS7_add_signed_attribute(PKCS7_SIGNER_INFO *p7si, int nid, int atrtype, 1205 void *value) 1206 { 1207 return (add_attribute(&(p7si->auth_attr), nid, atrtype, value)); 1208 } 1209 LCRYPTO_ALIAS(PKCS7_add_signed_attribute) 1210 1211 int 1212 PKCS7_add_attribute(PKCS7_SIGNER_INFO *p7si, int nid, int atrtype, void *value) 1213 { 1214 return (add_attribute(&(p7si->unauth_attr), nid, atrtype, value)); 1215 } 1216 LCRYPTO_ALIAS(PKCS7_add_attribute) 1217 1218 static int 1219 add_attribute(STACK_OF(X509_ATTRIBUTE) **sk, int nid, int atrtype, void *value) 1220 { 1221 X509_ATTRIBUTE *attr = NULL; 1222 1223 if (*sk == NULL) { 1224 *sk = sk_X509_ATTRIBUTE_new_null(); 1225 if (*sk == NULL) 1226 return 0; 1227 new_attrib: 1228 if (!(attr = X509_ATTRIBUTE_create(nid, atrtype, value))) 1229 return 0; 1230 if (!sk_X509_ATTRIBUTE_push(*sk, attr)) { 1231 X509_ATTRIBUTE_free(attr); 1232 return 0; 1233 } 1234 } else { 1235 int i; 1236 1237 for (i = 0; i < sk_X509_ATTRIBUTE_num(*sk); i++) { 1238 attr = sk_X509_ATTRIBUTE_value(*sk, i); 1239 if (OBJ_obj2nid(attr->object) == nid) { 1240 X509_ATTRIBUTE_free(attr); 1241 attr = X509_ATTRIBUTE_create(nid, atrtype, 1242 value); 1243 if (attr == NULL) 1244 return 0; 1245 if (!sk_X509_ATTRIBUTE_set(*sk, i, attr)) { 1246 X509_ATTRIBUTE_free(attr); 1247 return 0; 1248 } 1249 goto end; 1250 } 1251 } 1252 goto new_attrib; 1253 } 1254 end: 1255 return (1); 1256 } 1257