1 /* $OpenBSD: pk7_doit.c,v 1.43 2019/03/13 20:34:00 tb Exp $ */ 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 59 #include <stdio.h> 60 #include <stdlib.h> 61 #include <string.h> 62 63 #include <openssl/err.h> 64 #include <openssl/objects.h> 65 #include <openssl/x509.h> 66 #include <openssl/x509v3.h> 67 68 static int add_attribute(STACK_OF(X509_ATTRIBUTE) **sk, int nid, int atrtype, 69 void *value); 70 static ASN1_TYPE *get_attribute(STACK_OF(X509_ATTRIBUTE) *sk, int nid); 71 72 static int 73 PKCS7_type_is_other(PKCS7* p7) 74 { 75 int isOther = 1; 76 77 int nid = OBJ_obj2nid(p7->type); 78 79 switch (nid ) { 80 case NID_pkcs7_data: 81 case NID_pkcs7_signed: 82 case NID_pkcs7_enveloped: 83 case NID_pkcs7_signedAndEnveloped: 84 case NID_pkcs7_digest: 85 case NID_pkcs7_encrypted: 86 isOther = 0; 87 break; 88 default: 89 isOther = 1; 90 } 91 92 return isOther; 93 94 } 95 96 static ASN1_OCTET_STRING * 97 PKCS7_get_octet_string(PKCS7 *p7) 98 { 99 if (PKCS7_type_is_data(p7)) 100 return p7->d.data; 101 if (PKCS7_type_is_other(p7) && p7->d.other && 102 (p7->d.other->type == V_ASN1_OCTET_STRING)) 103 return p7->d.other->value.octet_string; 104 return NULL; 105 } 106 107 static int 108 PKCS7_bio_add_digest(BIO **pbio, X509_ALGOR *alg) 109 { 110 BIO *btmp; 111 const EVP_MD *md; 112 if ((btmp = BIO_new(BIO_f_md())) == NULL) { 113 PKCS7error(ERR_R_BIO_LIB); 114 goto err; 115 } 116 117 md = EVP_get_digestbyobj(alg->algorithm); 118 if (md == NULL) { 119 PKCS7error(PKCS7_R_UNKNOWN_DIGEST_TYPE); 120 goto err; 121 } 122 123 BIO_set_md(btmp, md); 124 if (*pbio == NULL) 125 *pbio = btmp; 126 else if (!BIO_push(*pbio, btmp)) { 127 PKCS7error(ERR_R_BIO_LIB); 128 goto err; 129 } 130 btmp = NULL; 131 132 return 1; 133 134 err: 135 BIO_free(btmp); 136 return 0; 137 138 } 139 140 static int 141 pkcs7_encode_rinfo(PKCS7_RECIP_INFO *ri, unsigned char *key, int keylen) 142 { 143 EVP_PKEY_CTX *pctx = NULL; 144 EVP_PKEY *pkey = NULL; 145 unsigned char *ek = NULL; 146 int ret = 0; 147 size_t eklen; 148 149 pkey = X509_get_pubkey(ri->cert); 150 if (!pkey) 151 return 0; 152 153 pctx = EVP_PKEY_CTX_new(pkey, NULL); 154 if (!pctx) 155 return 0; 156 157 if (EVP_PKEY_encrypt_init(pctx) <= 0) 158 goto err; 159 160 if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_ENCRYPT, 161 EVP_PKEY_CTRL_PKCS7_ENCRYPT, 0, ri) <= 0) { 162 PKCS7error(PKCS7_R_CTRL_ERROR); 163 goto err; 164 } 165 166 if (EVP_PKEY_encrypt(pctx, NULL, &eklen, key, keylen) <= 0) 167 goto err; 168 169 ek = malloc(eklen); 170 171 if (ek == NULL) { 172 PKCS7error(ERR_R_MALLOC_FAILURE); 173 goto err; 174 } 175 176 if (EVP_PKEY_encrypt(pctx, ek, &eklen, key, keylen) <= 0) 177 goto err; 178 179 ASN1_STRING_set0(ri->enc_key, ek, eklen); 180 ek = NULL; 181 182 ret = 1; 183 184 err: 185 EVP_PKEY_free(pkey); 186 EVP_PKEY_CTX_free(pctx); 187 free(ek); 188 return ret; 189 } 190 191 192 static int 193 pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen, PKCS7_RECIP_INFO *ri, 194 EVP_PKEY *pkey) 195 { 196 EVP_PKEY_CTX *pctx = NULL; 197 unsigned char *ek = NULL; 198 size_t eklen; 199 200 int ret = -1; 201 202 pctx = EVP_PKEY_CTX_new(pkey, NULL); 203 if (!pctx) 204 return -1; 205 206 if (EVP_PKEY_decrypt_init(pctx) <= 0) 207 goto err; 208 209 if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_DECRYPT, 210 EVP_PKEY_CTRL_PKCS7_DECRYPT, 0, ri) <= 0) { 211 PKCS7error(PKCS7_R_CTRL_ERROR); 212 goto err; 213 } 214 215 if (EVP_PKEY_decrypt(pctx, NULL, &eklen, 216 ri->enc_key->data, ri->enc_key->length) <= 0) 217 goto err; 218 219 ek = malloc(eklen); 220 if (ek == NULL) { 221 PKCS7error(ERR_R_MALLOC_FAILURE); 222 goto err; 223 } 224 225 if (EVP_PKEY_decrypt(pctx, ek, &eklen, 226 ri->enc_key->data, ri->enc_key->length) <= 0) { 227 ret = 0; 228 PKCS7error(ERR_R_EVP_LIB); 229 goto err; 230 } 231 232 ret = 1; 233 234 freezero(*pek, *peklen); 235 236 *pek = ek; 237 *peklen = eklen; 238 239 err: 240 EVP_PKEY_CTX_free(pctx); 241 if (!ret && ek) 242 free(ek); 243 244 return ret; 245 } 246 247 BIO * 248 PKCS7_dataInit(PKCS7 *p7, BIO *bio) 249 { 250 int i; 251 BIO *out = NULL, *btmp = NULL; 252 X509_ALGOR *xa = NULL; 253 const EVP_CIPHER *evp_cipher = NULL; 254 STACK_OF(X509_ALGOR) *md_sk = NULL; 255 STACK_OF(PKCS7_RECIP_INFO) *rsk = NULL; 256 X509_ALGOR *xalg = NULL; 257 PKCS7_RECIP_INFO *ri = NULL; 258 ASN1_OCTET_STRING *os = NULL; 259 260 if (p7 == NULL) { 261 PKCS7error(PKCS7_R_INVALID_NULL_POINTER); 262 return NULL; 263 } 264 265 /* 266 * The content field in the PKCS7 ContentInfo is optional, 267 * but that really only applies to inner content (precisely, 268 * detached signatures). 269 * 270 * When reading content, missing outer content is therefore 271 * treated as an error. 272 * 273 * When creating content, PKCS7_content_new() must be called 274 * before calling this method, so a NULL p7->d is always 275 * an error. 276 */ 277 if (p7->d.ptr == NULL) { 278 PKCS7error(PKCS7_R_NO_CONTENT); 279 return NULL; 280 } 281 282 i = OBJ_obj2nid(p7->type); 283 p7->state = PKCS7_S_HEADER; 284 285 switch (i) { 286 case NID_pkcs7_signed: 287 md_sk = p7->d.sign->md_algs; 288 os = PKCS7_get_octet_string(p7->d.sign->contents); 289 break; 290 case NID_pkcs7_signedAndEnveloped: 291 rsk = p7->d.signed_and_enveloped->recipientinfo; 292 md_sk = p7->d.signed_and_enveloped->md_algs; 293 xalg = p7->d.signed_and_enveloped->enc_data->algorithm; 294 evp_cipher = p7->d.signed_and_enveloped->enc_data->cipher; 295 if (evp_cipher == NULL) { 296 PKCS7error(PKCS7_R_CIPHER_NOT_INITIALIZED); 297 goto err; 298 } 299 break; 300 case NID_pkcs7_enveloped: 301 rsk = p7->d.enveloped->recipientinfo; 302 xalg = p7->d.enveloped->enc_data->algorithm; 303 evp_cipher = p7->d.enveloped->enc_data->cipher; 304 if (evp_cipher == NULL) { 305 PKCS7error(PKCS7_R_CIPHER_NOT_INITIALIZED); 306 goto err; 307 } 308 break; 309 case NID_pkcs7_digest: 310 xa = p7->d.digest->md; 311 os = PKCS7_get_octet_string(p7->d.digest->contents); 312 break; 313 case NID_pkcs7_data: 314 break; 315 default: 316 PKCS7error(PKCS7_R_UNSUPPORTED_CONTENT_TYPE); 317 goto err; 318 } 319 320 for (i = 0; i < sk_X509_ALGOR_num(md_sk); i++) 321 if (!PKCS7_bio_add_digest(&out, sk_X509_ALGOR_value(md_sk, i))) 322 goto err; 323 324 if (xa && !PKCS7_bio_add_digest(&out, xa)) 325 goto err; 326 327 if (evp_cipher != NULL) { 328 unsigned char key[EVP_MAX_KEY_LENGTH]; 329 unsigned char iv[EVP_MAX_IV_LENGTH]; 330 int keylen, ivlen; 331 EVP_CIPHER_CTX *ctx; 332 333 if ((btmp = BIO_new(BIO_f_cipher())) == NULL) { 334 PKCS7error(ERR_R_BIO_LIB); 335 goto err; 336 } 337 BIO_get_cipher_ctx(btmp, &ctx); 338 keylen = EVP_CIPHER_key_length(evp_cipher); 339 ivlen = EVP_CIPHER_iv_length(evp_cipher); 340 xalg->algorithm = OBJ_nid2obj(EVP_CIPHER_type(evp_cipher)); 341 if (ivlen > 0) 342 arc4random_buf(iv, ivlen); 343 if (EVP_CipherInit_ex(ctx, evp_cipher, NULL, NULL, 344 NULL, 1) <= 0) 345 goto err; 346 if (EVP_CIPHER_CTX_rand_key(ctx, key) <= 0) 347 goto err; 348 if (EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, 1) <= 0) 349 goto err; 350 351 if (ivlen > 0) { 352 if (xalg->parameter == NULL) { 353 xalg->parameter = ASN1_TYPE_new(); 354 if (xalg->parameter == NULL) 355 goto err; 356 } 357 if (EVP_CIPHER_param_to_asn1(ctx, xalg->parameter) < 0) 358 goto err; 359 } 360 361 /* Lets do the pub key stuff :-) */ 362 for (i = 0; i < sk_PKCS7_RECIP_INFO_num(rsk); i++) { 363 ri = sk_PKCS7_RECIP_INFO_value(rsk, i); 364 if (pkcs7_encode_rinfo(ri, key, keylen) <= 0) 365 goto err; 366 } 367 explicit_bzero(key, keylen); 368 369 if (out == NULL) 370 out = btmp; 371 else 372 BIO_push(out, btmp); 373 btmp = NULL; 374 } 375 376 if (bio == NULL) { 377 if (PKCS7_is_detached(p7)) 378 bio = BIO_new(BIO_s_null()); 379 else if (os && os->length > 0) 380 bio = BIO_new_mem_buf(os->data, os->length); 381 if (bio == NULL) { 382 bio = BIO_new(BIO_s_mem()); 383 if (bio == NULL) 384 goto err; 385 BIO_set_mem_eof_return(bio, 0); 386 } 387 } 388 if (out) 389 BIO_push(out, bio); 390 else 391 out = bio; 392 bio = NULL; 393 if (0) { 394 err: 395 if (out != NULL) 396 BIO_free_all(out); 397 if (btmp != NULL) 398 BIO_free_all(btmp); 399 out = NULL; 400 } 401 return (out); 402 } 403 404 static int 405 pkcs7_cmp_ri(PKCS7_RECIP_INFO *ri, X509 *pcert) 406 { 407 int ret; 408 409 ret = X509_NAME_cmp(ri->issuer_and_serial->issuer, 410 pcert->cert_info->issuer); 411 if (ret) 412 return ret; 413 return ASN1_INTEGER_cmp(pcert->cert_info->serialNumber, 414 ri->issuer_and_serial->serial); 415 } 416 417 /* int */ 418 BIO * 419 PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) 420 { 421 int i, j; 422 BIO *out = NULL, *btmp = NULL, *etmp = NULL, *bio = NULL; 423 X509_ALGOR *xa; 424 ASN1_OCTET_STRING *data_body = NULL; 425 const EVP_MD *evp_md; 426 const EVP_CIPHER *evp_cipher = NULL; 427 EVP_CIPHER_CTX *evp_ctx = NULL; 428 X509_ALGOR *enc_alg = NULL; 429 STACK_OF(X509_ALGOR) *md_sk = NULL; 430 STACK_OF(PKCS7_RECIP_INFO) *rsk = NULL; 431 PKCS7_RECIP_INFO *ri = NULL; 432 unsigned char *ek = NULL, *tkey = NULL; 433 int eklen = 0, tkeylen = 0; 434 435 if (p7 == NULL) { 436 PKCS7error(PKCS7_R_INVALID_NULL_POINTER); 437 return NULL; 438 } 439 440 if (p7->d.ptr == NULL) { 441 PKCS7error(PKCS7_R_NO_CONTENT); 442 return NULL; 443 } 444 445 i = OBJ_obj2nid(p7->type); 446 p7->state = PKCS7_S_HEADER; 447 448 switch (i) { 449 case NID_pkcs7_signed: 450 data_body = PKCS7_get_octet_string(p7->d.sign->contents); 451 md_sk = p7->d.sign->md_algs; 452 break; 453 case NID_pkcs7_signedAndEnveloped: 454 rsk = p7->d.signed_and_enveloped->recipientinfo; 455 md_sk = p7->d.signed_and_enveloped->md_algs; 456 data_body = p7->d.signed_and_enveloped->enc_data->enc_data; 457 enc_alg = p7->d.signed_and_enveloped->enc_data->algorithm; 458 evp_cipher = EVP_get_cipherbyobj(enc_alg->algorithm); 459 if (evp_cipher == NULL) { 460 PKCS7error(PKCS7_R_UNSUPPORTED_CIPHER_TYPE); 461 goto err; 462 } 463 break; 464 case NID_pkcs7_enveloped: 465 rsk = p7->d.enveloped->recipientinfo; 466 enc_alg = p7->d.enveloped->enc_data->algorithm; 467 data_body = p7->d.enveloped->enc_data->enc_data; 468 evp_cipher = EVP_get_cipherbyobj(enc_alg->algorithm); 469 if (evp_cipher == NULL) { 470 PKCS7error(PKCS7_R_UNSUPPORTED_CIPHER_TYPE); 471 goto err; 472 } 473 break; 474 default: 475 PKCS7error(PKCS7_R_UNSUPPORTED_CONTENT_TYPE); 476 goto err; 477 } 478 479 /* We will be checking the signature */ 480 if (md_sk != NULL) { 481 for (i = 0; i < sk_X509_ALGOR_num(md_sk); i++) { 482 xa = sk_X509_ALGOR_value(md_sk, i); 483 if ((btmp = BIO_new(BIO_f_md())) == NULL) { 484 PKCS7error(ERR_R_BIO_LIB); 485 goto err; 486 } 487 488 j = OBJ_obj2nid(xa->algorithm); 489 evp_md = EVP_get_digestbynid(j); 490 if (evp_md == NULL) { 491 PKCS7error(PKCS7_R_UNKNOWN_DIGEST_TYPE); 492 goto err; 493 } 494 495 BIO_set_md(btmp, evp_md); 496 if (out == NULL) 497 out = btmp; 498 else 499 BIO_push(out, btmp); 500 btmp = NULL; 501 } 502 } 503 504 if (evp_cipher != NULL) { 505 if ((etmp = BIO_new(BIO_f_cipher())) == NULL) { 506 PKCS7error(ERR_R_BIO_LIB); 507 goto err; 508 } 509 510 /* It was encrypted, we need to decrypt the secret key 511 * with the private key */ 512 513 /* Find the recipientInfo which matches the passed certificate 514 * (if any) 515 */ 516 if (pcert) { 517 for (i = 0; i < sk_PKCS7_RECIP_INFO_num(rsk); i++) { 518 ri = sk_PKCS7_RECIP_INFO_value(rsk, i); 519 if (!pkcs7_cmp_ri(ri, pcert)) 520 break; 521 ri = NULL; 522 } 523 if (ri == NULL) { 524 PKCS7error(PKCS7_R_NO_RECIPIENT_MATCHES_CERTIFICATE); 525 goto err; 526 } 527 } 528 529 /* If we haven't got a certificate try each ri in turn */ 530 if (pcert == NULL) { 531 /* Always attempt to decrypt all rinfo even 532 * after sucess as a defence against MMA timing 533 * attacks. 534 */ 535 for (i = 0; i < sk_PKCS7_RECIP_INFO_num(rsk); i++) { 536 ri = sk_PKCS7_RECIP_INFO_value(rsk, i); 537 538 if (pkcs7_decrypt_rinfo(&ek, &eklen, 539 ri, pkey) < 0) 540 goto err; 541 ERR_clear_error(); 542 } 543 } else { 544 /* Only exit on fatal errors, not decrypt failure */ 545 if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey) < 0) 546 goto err; 547 ERR_clear_error(); 548 } 549 550 evp_ctx = NULL; 551 BIO_get_cipher_ctx(etmp, &evp_ctx); 552 if (EVP_CipherInit_ex(evp_ctx, evp_cipher, NULL, NULL, 553 NULL, 0) <= 0) 554 goto err; 555 if (EVP_CIPHER_asn1_to_param(evp_ctx, enc_alg->parameter) < 0) 556 goto err; 557 /* Generate random key as MMA defence */ 558 tkeylen = EVP_CIPHER_CTX_key_length(evp_ctx); 559 tkey = malloc(tkeylen); 560 if (!tkey) 561 goto err; 562 if (EVP_CIPHER_CTX_rand_key(evp_ctx, tkey) <= 0) 563 goto err; 564 if (ek == NULL) { 565 ek = tkey; 566 eklen = tkeylen; 567 tkey = NULL; 568 } 569 570 if (eklen != EVP_CIPHER_CTX_key_length(evp_ctx)) { 571 /* Some S/MIME clients don't use the same key 572 * and effective key length. The key length is 573 * determined by the size of the decrypted RSA key. 574 */ 575 if (!EVP_CIPHER_CTX_set_key_length(evp_ctx, eklen)) { 576 /* Use random key as MMA defence */ 577 freezero(ek, eklen); 578 ek = tkey; 579 eklen = tkeylen; 580 tkey = NULL; 581 } 582 } 583 /* Clear errors so we don't leak information useful in MMA */ 584 ERR_clear_error(); 585 if (EVP_CipherInit_ex(evp_ctx, NULL, NULL, ek, NULL, 0) <= 0) 586 goto err; 587 588 freezero(ek, eklen); 589 ek = NULL; 590 freezero(tkey, tkeylen); 591 tkey = NULL; 592 593 if (out == NULL) 594 out = etmp; 595 else 596 BIO_push(out, etmp); 597 etmp = NULL; 598 } 599 600 if (PKCS7_is_detached(p7) || (in_bio != NULL)) { 601 bio = in_bio; 602 } else { 603 if (data_body != NULL && data_body->length > 0) 604 bio = BIO_new_mem_buf(data_body->data, data_body->length); 605 else { 606 bio = BIO_new(BIO_s_mem()); 607 BIO_set_mem_eof_return(bio, 0); 608 } 609 if (bio == NULL) 610 goto err; 611 } 612 BIO_push(out, bio); 613 614 if (0) { 615 err: 616 freezero(ek, eklen); 617 freezero(tkey, tkeylen); 618 if (out != NULL) 619 BIO_free_all(out); 620 if (btmp != NULL) 621 BIO_free_all(btmp); 622 if (etmp != NULL) 623 BIO_free_all(etmp); 624 out = NULL; 625 } 626 return (out); 627 } 628 629 static BIO * 630 PKCS7_find_digest(EVP_MD_CTX **pmd, BIO *bio, int nid) 631 { 632 for (;;) { 633 bio = BIO_find_type(bio, BIO_TYPE_MD); 634 if (bio == NULL) { 635 PKCS7error(PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST); 636 return NULL; 637 } 638 BIO_get_md_ctx(bio, pmd); 639 if (*pmd == NULL) { 640 PKCS7error(ERR_R_INTERNAL_ERROR); 641 return NULL; 642 } 643 if (EVP_MD_CTX_type(*pmd) == nid) 644 return bio; 645 bio = BIO_next(bio); 646 } 647 return NULL; 648 } 649 650 static int 651 do_pkcs7_signed_attrib(PKCS7_SIGNER_INFO *si, EVP_MD_CTX *mctx) 652 { 653 unsigned char md_data[EVP_MAX_MD_SIZE]; 654 unsigned int md_len; 655 656 /* Add signing time if not already present */ 657 if (!PKCS7_get_signed_attribute(si, NID_pkcs9_signingTime)) { 658 if (!PKCS7_add0_attrib_signing_time(si, NULL)) { 659 PKCS7error(ERR_R_MALLOC_FAILURE); 660 return 0; 661 } 662 } 663 664 /* Add digest */ 665 if (!EVP_DigestFinal_ex(mctx, md_data, &md_len)) { 666 PKCS7error(ERR_R_EVP_LIB); 667 return 0; 668 } 669 if (!PKCS7_add1_attrib_digest(si, md_data, md_len)) { 670 PKCS7error(ERR_R_MALLOC_FAILURE); 671 return 0; 672 } 673 674 /* Now sign the attributes */ 675 if (!PKCS7_SIGNER_INFO_sign(si)) 676 return 0; 677 678 return 1; 679 } 680 681 682 int 683 PKCS7_dataFinal(PKCS7 *p7, BIO *bio) 684 { 685 int ret = 0; 686 int i, j; 687 BIO *btmp; 688 PKCS7_SIGNER_INFO *si; 689 EVP_MD_CTX *mdc, ctx_tmp; 690 STACK_OF(X509_ATTRIBUTE) *sk; 691 STACK_OF(PKCS7_SIGNER_INFO) *si_sk = NULL; 692 ASN1_OCTET_STRING *os = NULL; 693 694 if (p7 == NULL) { 695 PKCS7error(PKCS7_R_INVALID_NULL_POINTER); 696 return 0; 697 } 698 699 if (p7->d.ptr == NULL) { 700 PKCS7error(PKCS7_R_NO_CONTENT); 701 return 0; 702 } 703 704 EVP_MD_CTX_init(&ctx_tmp); 705 i = OBJ_obj2nid(p7->type); 706 p7->state = PKCS7_S_HEADER; 707 708 switch (i) { 709 case NID_pkcs7_data: 710 os = p7->d.data; 711 break; 712 case NID_pkcs7_signedAndEnveloped: 713 /* XXX */ 714 si_sk = p7->d.signed_and_enveloped->signer_info; 715 os = p7->d.signed_and_enveloped->enc_data->enc_data; 716 if (!os) { 717 os = ASN1_OCTET_STRING_new(); 718 if (!os) { 719 PKCS7error(ERR_R_MALLOC_FAILURE); 720 goto err; 721 } 722 p7->d.signed_and_enveloped->enc_data->enc_data = os; 723 } 724 break; 725 case NID_pkcs7_enveloped: 726 /* XXX */ 727 os = p7->d.enveloped->enc_data->enc_data; 728 if (!os) { 729 os = ASN1_OCTET_STRING_new(); 730 if (!os) { 731 PKCS7error(ERR_R_MALLOC_FAILURE); 732 goto err; 733 } 734 p7->d.enveloped->enc_data->enc_data = os; 735 } 736 break; 737 case NID_pkcs7_signed: 738 si_sk = p7->d.sign->signer_info; 739 os = PKCS7_get_octet_string(p7->d.sign->contents); 740 if (!PKCS7_is_detached(p7) && os == NULL) { 741 PKCS7error(PKCS7_R_DECODE_ERROR); 742 goto err; 743 } 744 /* If detached data then the content is excluded */ 745 if (PKCS7_type_is_data(p7->d.sign->contents) && p7->detached) { 746 ASN1_OCTET_STRING_free(os); 747 os = NULL; 748 p7->d.sign->contents->d.data = NULL; 749 } 750 break; 751 752 case NID_pkcs7_digest: 753 os = PKCS7_get_octet_string(p7->d.digest->contents); 754 if (os == NULL) { 755 PKCS7error(PKCS7_R_DECODE_ERROR); 756 goto err; 757 } 758 /* If detached data then the content is excluded */ 759 if (PKCS7_type_is_data(p7->d.digest->contents) && 760 p7->detached) { 761 ASN1_OCTET_STRING_free(os); 762 os = NULL; 763 p7->d.digest->contents->d.data = NULL; 764 } 765 break; 766 767 default: 768 PKCS7error(PKCS7_R_UNSUPPORTED_CONTENT_TYPE); 769 goto err; 770 } 771 772 if (si_sk != NULL) { 773 for (i = 0; i < sk_PKCS7_SIGNER_INFO_num(si_sk); i++) { 774 si = sk_PKCS7_SIGNER_INFO_value(si_sk, i); 775 if (si->pkey == NULL) 776 continue; 777 778 j = OBJ_obj2nid(si->digest_alg->algorithm); 779 780 if ((btmp = PKCS7_find_digest(&mdc, bio, j)) == NULL) 781 goto err; 782 783 /* We now have the EVP_MD_CTX, lets do the 784 * signing. */ 785 if (!EVP_MD_CTX_copy_ex(&ctx_tmp, mdc)) 786 goto err; 787 788 sk = si->auth_attr; 789 790 /* If there are attributes, we add the digest 791 * attribute and only sign the attributes */ 792 if (sk_X509_ATTRIBUTE_num(sk) > 0) { 793 if (!do_pkcs7_signed_attrib(si, &ctx_tmp)) 794 goto err; 795 } else { 796 unsigned char *abuf = NULL; 797 unsigned int abuflen; 798 abuflen = EVP_PKEY_size(si->pkey); 799 abuf = malloc(abuflen); 800 if (!abuf) 801 goto err; 802 803 if (!EVP_SignFinal(&ctx_tmp, abuf, &abuflen, 804 si->pkey)) { 805 PKCS7error(ERR_R_EVP_LIB); 806 goto err; 807 } 808 ASN1_STRING_set0(si->enc_digest, abuf, abuflen); 809 } 810 } 811 } else if (i == NID_pkcs7_digest) { 812 unsigned char md_data[EVP_MAX_MD_SIZE]; 813 unsigned int md_len; 814 815 if (!PKCS7_find_digest(&mdc, bio, 816 OBJ_obj2nid(p7->d.digest->md->algorithm))) 817 goto err; 818 if (!EVP_DigestFinal_ex(mdc, md_data, &md_len)) 819 goto err; 820 if (ASN1_STRING_set(p7->d.digest->digest, md_data, 821 md_len) == 0) 822 goto err; 823 } 824 825 if (!PKCS7_is_detached(p7)) { 826 /* 827 * NOTE: only reach os == NULL here because detached 828 * digested data support is broken? 829 */ 830 if (os == NULL) 831 goto err; 832 if (!(os->flags & ASN1_STRING_FLAG_NDEF)) { 833 char *cont; 834 long contlen; 835 836 btmp = BIO_find_type(bio, BIO_TYPE_MEM); 837 if (btmp == NULL) { 838 PKCS7error(PKCS7_R_UNABLE_TO_FIND_MEM_BIO); 839 goto err; 840 } 841 contlen = BIO_get_mem_data(btmp, &cont); 842 /* 843 * Mark the BIO read only then we can use its copy 844 * of the data instead of making an extra copy. 845 */ 846 BIO_set_flags(btmp, BIO_FLAGS_MEM_RDONLY); 847 BIO_set_mem_eof_return(btmp, 0); 848 ASN1_STRING_set0(os, (unsigned char *)cont, contlen); 849 } 850 } 851 ret = 1; 852 err: 853 EVP_MD_CTX_cleanup(&ctx_tmp); 854 return (ret); 855 } 856 857 int 858 PKCS7_SIGNER_INFO_sign(PKCS7_SIGNER_INFO *si) 859 { 860 EVP_MD_CTX mctx; 861 EVP_PKEY_CTX *pctx; 862 unsigned char *abuf = NULL; 863 int alen; 864 size_t siglen; 865 const EVP_MD *md = NULL; 866 867 md = EVP_get_digestbyobj(si->digest_alg->algorithm); 868 if (md == NULL) 869 return 0; 870 871 EVP_MD_CTX_init(&mctx); 872 if (EVP_DigestSignInit(&mctx, &pctx, md, NULL, si->pkey) <= 0) 873 goto err; 874 875 if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN, 876 EVP_PKEY_CTRL_PKCS7_SIGN, 0, si) <= 0) { 877 PKCS7error(PKCS7_R_CTRL_ERROR); 878 goto err; 879 } 880 881 alen = ASN1_item_i2d((ASN1_VALUE *)si->auth_attr, &abuf, 882 &PKCS7_ATTR_SIGN_it); 883 if (!abuf) 884 goto err; 885 if (EVP_DigestSignUpdate(&mctx, abuf, alen) <= 0) 886 goto err; 887 free(abuf); 888 abuf = NULL; 889 if (EVP_DigestSignFinal(&mctx, NULL, &siglen) <= 0) 890 goto err; 891 abuf = malloc(siglen); 892 if (!abuf) 893 goto err; 894 if (EVP_DigestSignFinal(&mctx, abuf, &siglen) <= 0) 895 goto err; 896 897 if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN, 898 EVP_PKEY_CTRL_PKCS7_SIGN, 1, si) <= 0) { 899 PKCS7error(PKCS7_R_CTRL_ERROR); 900 goto err; 901 } 902 903 EVP_MD_CTX_cleanup(&mctx); 904 905 ASN1_STRING_set0(si->enc_digest, abuf, siglen); 906 907 return 1; 908 909 err: 910 free(abuf); 911 EVP_MD_CTX_cleanup(&mctx); 912 return 0; 913 } 914 915 int 916 PKCS7_dataVerify(X509_STORE *cert_store, X509_STORE_CTX *ctx, BIO *bio, 917 PKCS7 *p7, PKCS7_SIGNER_INFO *si) 918 { 919 PKCS7_ISSUER_AND_SERIAL *ias; 920 int ret = 0, i; 921 STACK_OF(X509) *cert; 922 X509 *x509; 923 924 if (p7 == NULL) { 925 PKCS7error(PKCS7_R_INVALID_NULL_POINTER); 926 return 0; 927 } 928 929 if (p7->d.ptr == NULL) { 930 PKCS7error(PKCS7_R_NO_CONTENT); 931 return 0; 932 } 933 934 if (PKCS7_type_is_signed(p7)) { 935 cert = p7->d.sign->cert; 936 } else if (PKCS7_type_is_signedAndEnveloped(p7)) { 937 cert = p7->d.signed_and_enveloped->cert; 938 } else { 939 PKCS7error(PKCS7_R_WRONG_PKCS7_TYPE); 940 goto err; 941 } 942 /* XXXX */ 943 ias = si->issuer_and_serial; 944 945 x509 = X509_find_by_issuer_and_serial(cert, ias->issuer, ias->serial); 946 947 /* were we able to find the cert in passed to us */ 948 if (x509 == NULL) { 949 PKCS7error(PKCS7_R_UNABLE_TO_FIND_CERTIFICATE); 950 goto err; 951 } 952 953 /* Lets verify */ 954 if (!X509_STORE_CTX_init(ctx, cert_store, x509, cert)) { 955 PKCS7error(ERR_R_X509_LIB); 956 goto err; 957 } 958 if (X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_SMIME_SIGN) == 0) { 959 X509_STORE_CTX_cleanup(ctx); 960 goto err; 961 } 962 i = X509_verify_cert(ctx); 963 if (i <= 0) { 964 PKCS7error(ERR_R_X509_LIB); 965 X509_STORE_CTX_cleanup(ctx); 966 goto err; 967 } 968 X509_STORE_CTX_cleanup(ctx); 969 970 return PKCS7_signatureVerify(bio, p7, si, x509); 971 err: 972 973 return ret; 974 } 975 976 int 977 PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si, X509 *x509) 978 { 979 ASN1_OCTET_STRING *os; 980 EVP_MD_CTX mdc_tmp, *mdc; 981 int ret = 0, i; 982 int md_type; 983 STACK_OF(X509_ATTRIBUTE) *sk; 984 BIO *btmp; 985 EVP_PKEY *pkey; 986 987 EVP_MD_CTX_init(&mdc_tmp); 988 989 if (!PKCS7_type_is_signed(p7) && 990 !PKCS7_type_is_signedAndEnveloped(p7)) { 991 PKCS7error(PKCS7_R_WRONG_PKCS7_TYPE); 992 goto err; 993 } 994 995 md_type = OBJ_obj2nid(si->digest_alg->algorithm); 996 997 btmp = bio; 998 for (;;) { 999 if ((btmp == NULL) || 1000 ((btmp = BIO_find_type(btmp, BIO_TYPE_MD)) == NULL)) { 1001 PKCS7error(PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST); 1002 goto err; 1003 } 1004 BIO_get_md_ctx(btmp, &mdc); 1005 if (mdc == NULL) { 1006 PKCS7error(ERR_R_INTERNAL_ERROR); 1007 goto err; 1008 } 1009 if (EVP_MD_CTX_type(mdc) == md_type) 1010 break; 1011 /* Workaround for some broken clients that put the signature 1012 * OID instead of the digest OID in digest_alg->algorithm 1013 */ 1014 if (EVP_MD_pkey_type(EVP_MD_CTX_md(mdc)) == md_type) 1015 break; 1016 btmp = BIO_next(btmp); 1017 } 1018 1019 /* mdc is the digest ctx that we want, unless there are attributes, 1020 * in which case the digest is the signed attributes */ 1021 if (!EVP_MD_CTX_copy_ex(&mdc_tmp, mdc)) 1022 goto err; 1023 1024 sk = si->auth_attr; 1025 if ((sk != NULL) && (sk_X509_ATTRIBUTE_num(sk) != 0)) { 1026 unsigned char md_dat[EVP_MAX_MD_SIZE], *abuf = NULL; 1027 unsigned int md_len; 1028 int alen; 1029 ASN1_OCTET_STRING *message_digest; 1030 1031 if (!EVP_DigestFinal_ex(&mdc_tmp, md_dat, &md_len)) 1032 goto err; 1033 message_digest = PKCS7_digest_from_attributes(sk); 1034 if (!message_digest) { 1035 PKCS7error(PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST); 1036 goto err; 1037 } 1038 if ((message_digest->length != (int)md_len) || 1039 (memcmp(message_digest->data, md_dat, md_len))) { 1040 PKCS7error(PKCS7_R_DIGEST_FAILURE); 1041 ret = -1; 1042 goto err; 1043 } 1044 1045 if (!EVP_VerifyInit_ex(&mdc_tmp, EVP_get_digestbynid(md_type), 1046 NULL)) 1047 goto err; 1048 1049 alen = ASN1_item_i2d((ASN1_VALUE *)sk, &abuf, 1050 &PKCS7_ATTR_VERIFY_it); 1051 if (alen <= 0) { 1052 PKCS7error(ERR_R_ASN1_LIB); 1053 ret = -1; 1054 goto err; 1055 } 1056 if (!EVP_VerifyUpdate(&mdc_tmp, abuf, alen)) 1057 goto err; 1058 1059 free(abuf); 1060 } 1061 1062 os = si->enc_digest; 1063 pkey = X509_get_pubkey(x509); 1064 if (!pkey) { 1065 ret = -1; 1066 goto err; 1067 } 1068 1069 i = EVP_VerifyFinal(&mdc_tmp, os->data, os->length, pkey); 1070 EVP_PKEY_free(pkey); 1071 if (i <= 0) { 1072 PKCS7error(PKCS7_R_SIGNATURE_FAILURE); 1073 ret = -1; 1074 goto err; 1075 } else 1076 ret = 1; 1077 err: 1078 EVP_MD_CTX_cleanup(&mdc_tmp); 1079 return (ret); 1080 } 1081 1082 PKCS7_ISSUER_AND_SERIAL * 1083 PKCS7_get_issuer_and_serial(PKCS7 *p7, int idx) 1084 { 1085 STACK_OF(PKCS7_RECIP_INFO) *rsk; 1086 PKCS7_RECIP_INFO *ri; 1087 int i; 1088 1089 i = OBJ_obj2nid(p7->type); 1090 if (i != NID_pkcs7_signedAndEnveloped) 1091 return NULL; 1092 if (p7->d.signed_and_enveloped == NULL) 1093 return NULL; 1094 rsk = p7->d.signed_and_enveloped->recipientinfo; 1095 if (rsk == NULL) 1096 return NULL; 1097 ri = sk_PKCS7_RECIP_INFO_value(rsk, 0); 1098 if (sk_PKCS7_RECIP_INFO_num(rsk) <= idx) 1099 return (NULL); 1100 ri = sk_PKCS7_RECIP_INFO_value(rsk, idx); 1101 return (ri->issuer_and_serial); 1102 } 1103 1104 ASN1_TYPE * 1105 PKCS7_get_signed_attribute(PKCS7_SIGNER_INFO *si, int nid) 1106 { 1107 return (get_attribute(si->auth_attr, nid)); 1108 } 1109 1110 ASN1_TYPE * 1111 PKCS7_get_attribute(PKCS7_SIGNER_INFO *si, int nid) 1112 { 1113 return (get_attribute(si->unauth_attr, nid)); 1114 } 1115 1116 static ASN1_TYPE * 1117 get_attribute(STACK_OF(X509_ATTRIBUTE) *sk, int nid) 1118 { 1119 int i; 1120 X509_ATTRIBUTE *xa; 1121 ASN1_OBJECT *o; 1122 1123 o = OBJ_nid2obj(nid); 1124 if (!o || !sk) 1125 return (NULL); 1126 for (i = 0; i < sk_X509_ATTRIBUTE_num(sk); i++) { 1127 xa = sk_X509_ATTRIBUTE_value(sk, i); 1128 if (OBJ_cmp(xa->object, o) == 0) { 1129 if (!xa->single && sk_ASN1_TYPE_num(xa->value.set)) 1130 return (sk_ASN1_TYPE_value(xa->value.set, 0)); 1131 else 1132 return (NULL); 1133 } 1134 } 1135 return (NULL); 1136 } 1137 1138 ASN1_OCTET_STRING * 1139 PKCS7_digest_from_attributes(STACK_OF(X509_ATTRIBUTE) *sk) 1140 { 1141 ASN1_TYPE *astype; 1142 1143 if (!(astype = get_attribute(sk, NID_pkcs9_messageDigest))) 1144 return NULL; 1145 if (astype->type != V_ASN1_OCTET_STRING) 1146 return NULL; 1147 return astype->value.octet_string; 1148 } 1149 1150 int 1151 PKCS7_set_signed_attributes(PKCS7_SIGNER_INFO *p7si, 1152 STACK_OF(X509_ATTRIBUTE) *sk) 1153 { 1154 int i; 1155 1156 if (p7si->auth_attr != NULL) 1157 sk_X509_ATTRIBUTE_pop_free(p7si->auth_attr, 1158 X509_ATTRIBUTE_free); 1159 p7si->auth_attr = sk_X509_ATTRIBUTE_dup(sk); 1160 if (p7si->auth_attr == NULL) 1161 return 0; 1162 for (i = 0; i < sk_X509_ATTRIBUTE_num(sk); i++) { 1163 if ((sk_X509_ATTRIBUTE_set(p7si->auth_attr, i, 1164 X509_ATTRIBUTE_dup(sk_X509_ATTRIBUTE_value(sk, i)))) 1165 == NULL) 1166 return (0); 1167 } 1168 return (1); 1169 } 1170 1171 int 1172 PKCS7_set_attributes(PKCS7_SIGNER_INFO *p7si, STACK_OF(X509_ATTRIBUTE) *sk) 1173 { 1174 int i; 1175 1176 if (p7si->unauth_attr != NULL) 1177 sk_X509_ATTRIBUTE_pop_free(p7si->unauth_attr, 1178 X509_ATTRIBUTE_free); 1179 p7si->unauth_attr = sk_X509_ATTRIBUTE_dup(sk); 1180 if (p7si->unauth_attr == NULL) 1181 return 0; 1182 for (i = 0; i < sk_X509_ATTRIBUTE_num(sk); i++) { 1183 if ((sk_X509_ATTRIBUTE_set(p7si->unauth_attr, i, 1184 X509_ATTRIBUTE_dup(sk_X509_ATTRIBUTE_value(sk, i)))) 1185 == NULL) 1186 return (0); 1187 } 1188 return (1); 1189 } 1190 1191 int 1192 PKCS7_add_signed_attribute(PKCS7_SIGNER_INFO *p7si, int nid, int atrtype, 1193 void *value) 1194 { 1195 return (add_attribute(&(p7si->auth_attr), nid, atrtype, value)); 1196 } 1197 1198 int 1199 PKCS7_add_attribute(PKCS7_SIGNER_INFO *p7si, int nid, int atrtype, void *value) 1200 { 1201 return (add_attribute(&(p7si->unauth_attr), nid, atrtype, value)); 1202 } 1203 1204 static int 1205 add_attribute(STACK_OF(X509_ATTRIBUTE) **sk, int nid, int atrtype, void *value) 1206 { 1207 X509_ATTRIBUTE *attr = NULL; 1208 1209 if (*sk == NULL) { 1210 *sk = sk_X509_ATTRIBUTE_new_null(); 1211 if (*sk == NULL) 1212 return 0; 1213 new_attrib: 1214 if (!(attr = X509_ATTRIBUTE_create(nid, atrtype, value))) 1215 return 0; 1216 if (!sk_X509_ATTRIBUTE_push(*sk, attr)) { 1217 X509_ATTRIBUTE_free(attr); 1218 return 0; 1219 } 1220 } else { 1221 int i; 1222 1223 for (i = 0; i < sk_X509_ATTRIBUTE_num(*sk); i++) { 1224 attr = sk_X509_ATTRIBUTE_value(*sk, i); 1225 if (OBJ_obj2nid(attr->object) == nid) { 1226 X509_ATTRIBUTE_free(attr); 1227 attr = X509_ATTRIBUTE_create(nid, atrtype, 1228 value); 1229 if (attr == NULL) 1230 return 0; 1231 if (!sk_X509_ATTRIBUTE_set(*sk, i, attr)) { 1232 X509_ATTRIBUTE_free(attr); 1233 return 0; 1234 } 1235 goto end; 1236 } 1237 } 1238 goto new_attrib; 1239 } 1240 end: 1241 return (1); 1242 } 1243