1 /* 2 * Copyright 2008-2020 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <openssl/asn1t.h> 11 #include <openssl/x509v3.h> 12 #include <openssl/err.h> 13 #include <openssl/pem.h> 14 #include <openssl/bio.h> 15 #include <openssl/asn1.h> 16 #include <openssl/cms.h> 17 #include "cms_local.h" 18 19 IMPLEMENT_ASN1_FUNCTIONS(CMS_ContentInfo) 20 IMPLEMENT_ASN1_PRINT_FUNCTION(CMS_ContentInfo) 21 22 const ASN1_OBJECT *CMS_get0_type(const CMS_ContentInfo *cms) 23 { 24 return cms->contentType; 25 } 26 27 CMS_ContentInfo *cms_Data_create(void) 28 { 29 CMS_ContentInfo *cms; 30 cms = CMS_ContentInfo_new(); 31 if (cms != NULL) { 32 cms->contentType = OBJ_nid2obj(NID_pkcs7_data); 33 /* Never detached */ 34 CMS_set_detached(cms, 0); 35 } 36 return cms; 37 } 38 39 BIO *cms_content_bio(CMS_ContentInfo *cms) 40 { 41 ASN1_OCTET_STRING **pos = CMS_get0_content(cms); 42 if (!pos) 43 return NULL; 44 /* If content detached data goes nowhere: create NULL BIO */ 45 if (!*pos) 46 return BIO_new(BIO_s_null()); 47 /* 48 * If content not detached and created return memory BIO 49 */ 50 if (!*pos || ((*pos)->flags == ASN1_STRING_FLAG_CONT)) 51 return BIO_new(BIO_s_mem()); 52 /* Else content was read in: return read only BIO for it */ 53 return BIO_new_mem_buf((*pos)->data, (*pos)->length); 54 } 55 56 BIO *CMS_dataInit(CMS_ContentInfo *cms, BIO *icont) 57 { 58 BIO *cmsbio, *cont; 59 if (icont) 60 cont = icont; 61 else 62 cont = cms_content_bio(cms); 63 if (!cont) { 64 CMSerr(CMS_F_CMS_DATAINIT, CMS_R_NO_CONTENT); 65 return NULL; 66 } 67 switch (OBJ_obj2nid(cms->contentType)) { 68 69 case NID_pkcs7_data: 70 return cont; 71 72 case NID_pkcs7_signed: 73 cmsbio = cms_SignedData_init_bio(cms); 74 break; 75 76 case NID_pkcs7_digest: 77 cmsbio = cms_DigestedData_init_bio(cms); 78 break; 79 #ifdef ZLIB 80 case NID_id_smime_ct_compressedData: 81 cmsbio = cms_CompressedData_init_bio(cms); 82 break; 83 #endif 84 85 case NID_pkcs7_encrypted: 86 cmsbio = cms_EncryptedData_init_bio(cms); 87 break; 88 89 case NID_pkcs7_enveloped: 90 cmsbio = cms_EnvelopedData_init_bio(cms); 91 break; 92 93 default: 94 CMSerr(CMS_F_CMS_DATAINIT, CMS_R_UNSUPPORTED_TYPE); 95 goto err; 96 } 97 98 if (cmsbio) 99 return BIO_push(cmsbio, cont); 100 101 err: 102 if (!icont) 103 BIO_free(cont); 104 return NULL; 105 106 } 107 108 int CMS_dataFinal(CMS_ContentInfo *cms, BIO *cmsbio) 109 { 110 ASN1_OCTET_STRING **pos = CMS_get0_content(cms); 111 if (!pos) 112 return 0; 113 /* If embedded content find memory BIO and set content */ 114 if (*pos && ((*pos)->flags & ASN1_STRING_FLAG_CONT)) { 115 BIO *mbio; 116 unsigned char *cont; 117 long contlen; 118 mbio = BIO_find_type(cmsbio, BIO_TYPE_MEM); 119 if (!mbio) { 120 CMSerr(CMS_F_CMS_DATAFINAL, CMS_R_CONTENT_NOT_FOUND); 121 return 0; 122 } 123 contlen = BIO_get_mem_data(mbio, &cont); 124 /* Set bio as read only so its content can't be clobbered */ 125 BIO_set_flags(mbio, BIO_FLAGS_MEM_RDONLY); 126 BIO_set_mem_eof_return(mbio, 0); 127 ASN1_STRING_set0(*pos, cont, contlen); 128 (*pos)->flags &= ~ASN1_STRING_FLAG_CONT; 129 } 130 131 switch (OBJ_obj2nid(cms->contentType)) { 132 133 case NID_pkcs7_data: 134 case NID_pkcs7_enveloped: 135 case NID_pkcs7_encrypted: 136 case NID_id_smime_ct_compressedData: 137 /* Nothing to do */ 138 return 1; 139 140 case NID_pkcs7_signed: 141 return cms_SignedData_final(cms, cmsbio); 142 143 case NID_pkcs7_digest: 144 return cms_DigestedData_do_final(cms, cmsbio, 0); 145 146 default: 147 CMSerr(CMS_F_CMS_DATAFINAL, CMS_R_UNSUPPORTED_TYPE); 148 return 0; 149 } 150 } 151 152 /* 153 * Return an OCTET STRING pointer to content. This allows it to be accessed 154 * or set later. 155 */ 156 157 ASN1_OCTET_STRING **CMS_get0_content(CMS_ContentInfo *cms) 158 { 159 switch (OBJ_obj2nid(cms->contentType)) { 160 161 case NID_pkcs7_data: 162 return &cms->d.data; 163 164 case NID_pkcs7_signed: 165 return &cms->d.signedData->encapContentInfo->eContent; 166 167 case NID_pkcs7_enveloped: 168 return &cms->d.envelopedData->encryptedContentInfo->encryptedContent; 169 170 case NID_pkcs7_digest: 171 return &cms->d.digestedData->encapContentInfo->eContent; 172 173 case NID_pkcs7_encrypted: 174 return &cms->d.encryptedData->encryptedContentInfo->encryptedContent; 175 176 case NID_id_smime_ct_authData: 177 return &cms->d.authenticatedData->encapContentInfo->eContent; 178 179 case NID_id_smime_ct_compressedData: 180 return &cms->d.compressedData->encapContentInfo->eContent; 181 182 default: 183 if (cms->d.other->type == V_ASN1_OCTET_STRING) 184 return &cms->d.other->value.octet_string; 185 CMSerr(CMS_F_CMS_GET0_CONTENT, CMS_R_UNSUPPORTED_CONTENT_TYPE); 186 return NULL; 187 188 } 189 } 190 191 /* 192 * Return an ASN1_OBJECT pointer to content type. This allows it to be 193 * accessed or set later. 194 */ 195 196 static ASN1_OBJECT **cms_get0_econtent_type(CMS_ContentInfo *cms) 197 { 198 switch (OBJ_obj2nid(cms->contentType)) { 199 200 case NID_pkcs7_signed: 201 return &cms->d.signedData->encapContentInfo->eContentType; 202 203 case NID_pkcs7_enveloped: 204 return &cms->d.envelopedData->encryptedContentInfo->contentType; 205 206 case NID_pkcs7_digest: 207 return &cms->d.digestedData->encapContentInfo->eContentType; 208 209 case NID_pkcs7_encrypted: 210 return &cms->d.encryptedData->encryptedContentInfo->contentType; 211 212 case NID_id_smime_ct_authData: 213 return &cms->d.authenticatedData->encapContentInfo->eContentType; 214 215 case NID_id_smime_ct_compressedData: 216 return &cms->d.compressedData->encapContentInfo->eContentType; 217 218 default: 219 CMSerr(CMS_F_CMS_GET0_ECONTENT_TYPE, CMS_R_UNSUPPORTED_CONTENT_TYPE); 220 return NULL; 221 222 } 223 } 224 225 const ASN1_OBJECT *CMS_get0_eContentType(CMS_ContentInfo *cms) 226 { 227 ASN1_OBJECT **petype; 228 petype = cms_get0_econtent_type(cms); 229 if (petype) 230 return *petype; 231 return NULL; 232 } 233 234 int CMS_set1_eContentType(CMS_ContentInfo *cms, const ASN1_OBJECT *oid) 235 { 236 ASN1_OBJECT **petype, *etype; 237 petype = cms_get0_econtent_type(cms); 238 if (!petype) 239 return 0; 240 if (!oid) 241 return 1; 242 etype = OBJ_dup(oid); 243 if (!etype) 244 return 0; 245 ASN1_OBJECT_free(*petype); 246 *petype = etype; 247 return 1; 248 } 249 250 int CMS_is_detached(CMS_ContentInfo *cms) 251 { 252 ASN1_OCTET_STRING **pos; 253 pos = CMS_get0_content(cms); 254 if (!pos) 255 return -1; 256 if (*pos) 257 return 0; 258 return 1; 259 } 260 261 int CMS_set_detached(CMS_ContentInfo *cms, int detached) 262 { 263 ASN1_OCTET_STRING **pos; 264 pos = CMS_get0_content(cms); 265 if (!pos) 266 return 0; 267 if (detached) { 268 ASN1_OCTET_STRING_free(*pos); 269 *pos = NULL; 270 return 1; 271 } 272 if (*pos == NULL) 273 *pos = ASN1_OCTET_STRING_new(); 274 if (*pos != NULL) { 275 /* 276 * NB: special flag to show content is created and not read in. 277 */ 278 (*pos)->flags |= ASN1_STRING_FLAG_CONT; 279 return 1; 280 } 281 CMSerr(CMS_F_CMS_SET_DETACHED, ERR_R_MALLOC_FAILURE); 282 return 0; 283 } 284 285 /* Create a digest BIO from an X509_ALGOR structure */ 286 287 BIO *cms_DigestAlgorithm_init_bio(X509_ALGOR *digestAlgorithm) 288 { 289 BIO *mdbio = NULL; 290 const ASN1_OBJECT *digestoid; 291 const EVP_MD *digest; 292 X509_ALGOR_get0(&digestoid, NULL, NULL, digestAlgorithm); 293 digest = EVP_get_digestbyobj(digestoid); 294 if (!digest) { 295 CMSerr(CMS_F_CMS_DIGESTALGORITHM_INIT_BIO, 296 CMS_R_UNKNOWN_DIGEST_ALGORITHM); 297 goto err; 298 } 299 mdbio = BIO_new(BIO_f_md()); 300 if (mdbio == NULL || !BIO_set_md(mdbio, digest)) { 301 CMSerr(CMS_F_CMS_DIGESTALGORITHM_INIT_BIO, CMS_R_MD_BIO_INIT_ERROR); 302 goto err; 303 } 304 return mdbio; 305 err: 306 BIO_free(mdbio); 307 return NULL; 308 } 309 310 /* Locate a message digest content from a BIO chain based on SignerInfo */ 311 312 int cms_DigestAlgorithm_find_ctx(EVP_MD_CTX *mctx, BIO *chain, 313 X509_ALGOR *mdalg) 314 { 315 int nid; 316 const ASN1_OBJECT *mdoid; 317 X509_ALGOR_get0(&mdoid, NULL, NULL, mdalg); 318 nid = OBJ_obj2nid(mdoid); 319 /* Look for digest type to match signature */ 320 for (;;) { 321 EVP_MD_CTX *mtmp; 322 chain = BIO_find_type(chain, BIO_TYPE_MD); 323 if (chain == NULL) { 324 CMSerr(CMS_F_CMS_DIGESTALGORITHM_FIND_CTX, 325 CMS_R_NO_MATCHING_DIGEST); 326 return 0; 327 } 328 BIO_get_md_ctx(chain, &mtmp); 329 if (EVP_MD_CTX_type(mtmp) == nid 330 /* 331 * Workaround for broken implementations that use signature 332 * algorithm OID instead of digest. 333 */ 334 || EVP_MD_pkey_type(EVP_MD_CTX_md(mtmp)) == nid) 335 return EVP_MD_CTX_copy_ex(mctx, mtmp); 336 chain = BIO_next(chain); 337 } 338 } 339 340 static STACK_OF(CMS_CertificateChoices) 341 **cms_get0_certificate_choices(CMS_ContentInfo *cms) 342 { 343 switch (OBJ_obj2nid(cms->contentType)) { 344 345 case NID_pkcs7_signed: 346 return &cms->d.signedData->certificates; 347 348 case NID_pkcs7_enveloped: 349 if (cms->d.envelopedData->originatorInfo == NULL) 350 return NULL; 351 return &cms->d.envelopedData->originatorInfo->certificates; 352 353 default: 354 CMSerr(CMS_F_CMS_GET0_CERTIFICATE_CHOICES, 355 CMS_R_UNSUPPORTED_CONTENT_TYPE); 356 return NULL; 357 358 } 359 } 360 361 CMS_CertificateChoices *CMS_add0_CertificateChoices(CMS_ContentInfo *cms) 362 { 363 STACK_OF(CMS_CertificateChoices) **pcerts; 364 CMS_CertificateChoices *cch; 365 pcerts = cms_get0_certificate_choices(cms); 366 if (!pcerts) 367 return NULL; 368 if (!*pcerts) 369 *pcerts = sk_CMS_CertificateChoices_new_null(); 370 if (!*pcerts) 371 return NULL; 372 cch = M_ASN1_new_of(CMS_CertificateChoices); 373 if (!cch) 374 return NULL; 375 if (!sk_CMS_CertificateChoices_push(*pcerts, cch)) { 376 M_ASN1_free_of(cch, CMS_CertificateChoices); 377 return NULL; 378 } 379 return cch; 380 } 381 382 int CMS_add0_cert(CMS_ContentInfo *cms, X509 *cert) 383 { 384 CMS_CertificateChoices *cch; 385 STACK_OF(CMS_CertificateChoices) **pcerts; 386 int i; 387 pcerts = cms_get0_certificate_choices(cms); 388 if (!pcerts) 389 return 0; 390 for (i = 0; i < sk_CMS_CertificateChoices_num(*pcerts); i++) { 391 cch = sk_CMS_CertificateChoices_value(*pcerts, i); 392 if (cch->type == CMS_CERTCHOICE_CERT) { 393 if (!X509_cmp(cch->d.certificate, cert)) { 394 CMSerr(CMS_F_CMS_ADD0_CERT, 395 CMS_R_CERTIFICATE_ALREADY_PRESENT); 396 return 0; 397 } 398 } 399 } 400 cch = CMS_add0_CertificateChoices(cms); 401 if (!cch) 402 return 0; 403 cch->type = CMS_CERTCHOICE_CERT; 404 cch->d.certificate = cert; 405 return 1; 406 } 407 408 int CMS_add1_cert(CMS_ContentInfo *cms, X509 *cert) 409 { 410 int r; 411 r = CMS_add0_cert(cms, cert); 412 if (r > 0) 413 X509_up_ref(cert); 414 return r; 415 } 416 417 static STACK_OF(CMS_RevocationInfoChoice) 418 **cms_get0_revocation_choices(CMS_ContentInfo *cms) 419 { 420 switch (OBJ_obj2nid(cms->contentType)) { 421 422 case NID_pkcs7_signed: 423 return &cms->d.signedData->crls; 424 425 case NID_pkcs7_enveloped: 426 if (cms->d.envelopedData->originatorInfo == NULL) 427 return NULL; 428 return &cms->d.envelopedData->originatorInfo->crls; 429 430 default: 431 CMSerr(CMS_F_CMS_GET0_REVOCATION_CHOICES, 432 CMS_R_UNSUPPORTED_CONTENT_TYPE); 433 return NULL; 434 435 } 436 } 437 438 CMS_RevocationInfoChoice *CMS_add0_RevocationInfoChoice(CMS_ContentInfo *cms) 439 { 440 STACK_OF(CMS_RevocationInfoChoice) **pcrls; 441 CMS_RevocationInfoChoice *rch; 442 pcrls = cms_get0_revocation_choices(cms); 443 if (!pcrls) 444 return NULL; 445 if (!*pcrls) 446 *pcrls = sk_CMS_RevocationInfoChoice_new_null(); 447 if (!*pcrls) 448 return NULL; 449 rch = M_ASN1_new_of(CMS_RevocationInfoChoice); 450 if (!rch) 451 return NULL; 452 if (!sk_CMS_RevocationInfoChoice_push(*pcrls, rch)) { 453 M_ASN1_free_of(rch, CMS_RevocationInfoChoice); 454 return NULL; 455 } 456 return rch; 457 } 458 459 int CMS_add0_crl(CMS_ContentInfo *cms, X509_CRL *crl) 460 { 461 CMS_RevocationInfoChoice *rch; 462 rch = CMS_add0_RevocationInfoChoice(cms); 463 if (!rch) 464 return 0; 465 rch->type = CMS_REVCHOICE_CRL; 466 rch->d.crl = crl; 467 return 1; 468 } 469 470 int CMS_add1_crl(CMS_ContentInfo *cms, X509_CRL *crl) 471 { 472 int r; 473 r = CMS_add0_crl(cms, crl); 474 if (r > 0) 475 X509_CRL_up_ref(crl); 476 return r; 477 } 478 479 STACK_OF(X509) *CMS_get1_certs(CMS_ContentInfo *cms) 480 { 481 STACK_OF(X509) *certs = NULL; 482 CMS_CertificateChoices *cch; 483 STACK_OF(CMS_CertificateChoices) **pcerts; 484 int i; 485 pcerts = cms_get0_certificate_choices(cms); 486 if (!pcerts) 487 return NULL; 488 for (i = 0; i < sk_CMS_CertificateChoices_num(*pcerts); i++) { 489 cch = sk_CMS_CertificateChoices_value(*pcerts, i); 490 if (cch->type == 0) { 491 if (!certs) { 492 certs = sk_X509_new_null(); 493 if (!certs) 494 return NULL; 495 } 496 if (!sk_X509_push(certs, cch->d.certificate)) { 497 sk_X509_pop_free(certs, X509_free); 498 return NULL; 499 } 500 X509_up_ref(cch->d.certificate); 501 } 502 } 503 return certs; 504 505 } 506 507 STACK_OF(X509_CRL) *CMS_get1_crls(CMS_ContentInfo *cms) 508 { 509 STACK_OF(X509_CRL) *crls = NULL; 510 STACK_OF(CMS_RevocationInfoChoice) **pcrls; 511 CMS_RevocationInfoChoice *rch; 512 int i; 513 pcrls = cms_get0_revocation_choices(cms); 514 if (!pcrls) 515 return NULL; 516 for (i = 0; i < sk_CMS_RevocationInfoChoice_num(*pcrls); i++) { 517 rch = sk_CMS_RevocationInfoChoice_value(*pcrls, i); 518 if (rch->type == 0) { 519 if (!crls) { 520 crls = sk_X509_CRL_new_null(); 521 if (!crls) 522 return NULL; 523 } 524 if (!sk_X509_CRL_push(crls, rch->d.crl)) { 525 sk_X509_CRL_pop_free(crls, X509_CRL_free); 526 return NULL; 527 } 528 X509_CRL_up_ref(rch->d.crl); 529 } 530 } 531 return crls; 532 } 533 534 int cms_ias_cert_cmp(CMS_IssuerAndSerialNumber *ias, X509 *cert) 535 { 536 int ret; 537 ret = X509_NAME_cmp(ias->issuer, X509_get_issuer_name(cert)); 538 if (ret) 539 return ret; 540 return ASN1_INTEGER_cmp(ias->serialNumber, X509_get_serialNumber(cert)); 541 } 542 543 int cms_keyid_cert_cmp(ASN1_OCTET_STRING *keyid, X509 *cert) 544 { 545 const ASN1_OCTET_STRING *cert_keyid = X509_get0_subject_key_id(cert); 546 547 if (cert_keyid == NULL) 548 return -1; 549 return ASN1_OCTET_STRING_cmp(keyid, cert_keyid); 550 } 551 552 int cms_set1_ias(CMS_IssuerAndSerialNumber **pias, X509 *cert) 553 { 554 CMS_IssuerAndSerialNumber *ias; 555 ias = M_ASN1_new_of(CMS_IssuerAndSerialNumber); 556 if (!ias) 557 goto err; 558 if (!X509_NAME_set(&ias->issuer, X509_get_issuer_name(cert))) 559 goto err; 560 if (!ASN1_STRING_copy(ias->serialNumber, X509_get_serialNumber(cert))) 561 goto err; 562 M_ASN1_free_of(*pias, CMS_IssuerAndSerialNumber); 563 *pias = ias; 564 return 1; 565 err: 566 M_ASN1_free_of(ias, CMS_IssuerAndSerialNumber); 567 CMSerr(CMS_F_CMS_SET1_IAS, ERR_R_MALLOC_FAILURE); 568 return 0; 569 } 570 571 int cms_set1_keyid(ASN1_OCTET_STRING **pkeyid, X509 *cert) 572 { 573 ASN1_OCTET_STRING *keyid = NULL; 574 const ASN1_OCTET_STRING *cert_keyid; 575 cert_keyid = X509_get0_subject_key_id(cert); 576 if (cert_keyid == NULL) { 577 CMSerr(CMS_F_CMS_SET1_KEYID, CMS_R_CERTIFICATE_HAS_NO_KEYID); 578 return 0; 579 } 580 keyid = ASN1_STRING_dup(cert_keyid); 581 if (!keyid) { 582 CMSerr(CMS_F_CMS_SET1_KEYID, ERR_R_MALLOC_FAILURE); 583 return 0; 584 } 585 ASN1_OCTET_STRING_free(*pkeyid); 586 *pkeyid = keyid; 587 return 1; 588 } 589