1 /* $OpenBSD: pk7_doit.c,v 1.44 2019/10/04 18:03:55 tb Exp $ */ 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 59 #include <stdio.h> 60 #include <stdlib.h> 61 #include <string.h> 62 63 #include <openssl/err.h> 64 #include <openssl/objects.h> 65 #include <openssl/x509.h> 66 #include <openssl/x509v3.h> 67 68 static int add_attribute(STACK_OF(X509_ATTRIBUTE) **sk, int nid, int atrtype, 69 void *value); 70 static ASN1_TYPE *get_attribute(STACK_OF(X509_ATTRIBUTE) *sk, int nid); 71 72 static int 73 PKCS7_type_is_other(PKCS7* p7) 74 { 75 int isOther = 1; 76 77 int nid = OBJ_obj2nid(p7->type); 78 79 switch (nid ) { 80 case NID_pkcs7_data: 81 case NID_pkcs7_signed: 82 case NID_pkcs7_enveloped: 83 case NID_pkcs7_signedAndEnveloped: 84 case NID_pkcs7_digest: 85 case NID_pkcs7_encrypted: 86 isOther = 0; 87 break; 88 default: 89 isOther = 1; 90 } 91 92 return isOther; 93 94 } 95 96 static ASN1_OCTET_STRING * 97 PKCS7_get_octet_string(PKCS7 *p7) 98 { 99 if (PKCS7_type_is_data(p7)) 100 return p7->d.data; 101 if (PKCS7_type_is_other(p7) && p7->d.other && 102 (p7->d.other->type == V_ASN1_OCTET_STRING)) 103 return p7->d.other->value.octet_string; 104 return NULL; 105 } 106 107 static int 108 PKCS7_bio_add_digest(BIO **pbio, X509_ALGOR *alg) 109 { 110 BIO *btmp; 111 const EVP_MD *md; 112 if ((btmp = BIO_new(BIO_f_md())) == NULL) { 113 PKCS7error(ERR_R_BIO_LIB); 114 goto err; 115 } 116 117 md = EVP_get_digestbyobj(alg->algorithm); 118 if (md == NULL) { 119 PKCS7error(PKCS7_R_UNKNOWN_DIGEST_TYPE); 120 goto err; 121 } 122 123 BIO_set_md(btmp, md); 124 if (*pbio == NULL) 125 *pbio = btmp; 126 else if (!BIO_push(*pbio, btmp)) { 127 PKCS7error(ERR_R_BIO_LIB); 128 goto err; 129 } 130 btmp = NULL; 131 132 return 1; 133 134 err: 135 BIO_free(btmp); 136 return 0; 137 138 } 139 140 static int 141 pkcs7_encode_rinfo(PKCS7_RECIP_INFO *ri, unsigned char *key, int keylen) 142 { 143 EVP_PKEY_CTX *pctx = NULL; 144 EVP_PKEY *pkey = NULL; 145 unsigned char *ek = NULL; 146 int ret = 0; 147 size_t eklen; 148 149 pkey = X509_get_pubkey(ri->cert); 150 if (!pkey) 151 return 0; 152 153 pctx = EVP_PKEY_CTX_new(pkey, NULL); 154 if (!pctx) 155 return 0; 156 157 if (EVP_PKEY_encrypt_init(pctx) <= 0) 158 goto err; 159 160 if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_ENCRYPT, 161 EVP_PKEY_CTRL_PKCS7_ENCRYPT, 0, ri) <= 0) { 162 PKCS7error(PKCS7_R_CTRL_ERROR); 163 goto err; 164 } 165 166 if (EVP_PKEY_encrypt(pctx, NULL, &eklen, key, keylen) <= 0) 167 goto err; 168 169 ek = malloc(eklen); 170 171 if (ek == NULL) { 172 PKCS7error(ERR_R_MALLOC_FAILURE); 173 goto err; 174 } 175 176 if (EVP_PKEY_encrypt(pctx, ek, &eklen, key, keylen) <= 0) 177 goto err; 178 179 ASN1_STRING_set0(ri->enc_key, ek, eklen); 180 ek = NULL; 181 182 ret = 1; 183 184 err: 185 EVP_PKEY_free(pkey); 186 EVP_PKEY_CTX_free(pctx); 187 free(ek); 188 return ret; 189 } 190 191 192 static int 193 pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen, PKCS7_RECIP_INFO *ri, 194 EVP_PKEY *pkey, size_t fixlen) 195 { 196 EVP_PKEY_CTX *pctx = NULL; 197 unsigned char *ek = NULL; 198 size_t eklen; 199 200 int ret = -1; 201 202 pctx = EVP_PKEY_CTX_new(pkey, NULL); 203 if (!pctx) 204 return -1; 205 206 if (EVP_PKEY_decrypt_init(pctx) <= 0) 207 goto err; 208 209 if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_DECRYPT, 210 EVP_PKEY_CTRL_PKCS7_DECRYPT, 0, ri) <= 0) { 211 PKCS7error(PKCS7_R_CTRL_ERROR); 212 goto err; 213 } 214 215 if (EVP_PKEY_decrypt(pctx, NULL, &eklen, 216 ri->enc_key->data, ri->enc_key->length) <= 0) 217 goto err; 218 219 ek = malloc(eklen); 220 if (ek == NULL) { 221 PKCS7error(ERR_R_MALLOC_FAILURE); 222 goto err; 223 } 224 225 if (EVP_PKEY_decrypt(pctx, ek, &eklen, ri->enc_key->data, 226 ri->enc_key->length) <= 0 || eklen == 0 || 227 (fixlen != 0 && eklen != fixlen)) { 228 ret = 0; 229 PKCS7error(ERR_R_EVP_LIB); 230 goto err; 231 } 232 233 ret = 1; 234 235 freezero(*pek, *peklen); 236 237 *pek = ek; 238 *peklen = eklen; 239 240 err: 241 EVP_PKEY_CTX_free(pctx); 242 if (!ret && ek) 243 free(ek); 244 245 return ret; 246 } 247 248 BIO * 249 PKCS7_dataInit(PKCS7 *p7, BIO *bio) 250 { 251 int i; 252 BIO *out = NULL, *btmp = NULL; 253 X509_ALGOR *xa = NULL; 254 const EVP_CIPHER *evp_cipher = NULL; 255 STACK_OF(X509_ALGOR) *md_sk = NULL; 256 STACK_OF(PKCS7_RECIP_INFO) *rsk = NULL; 257 X509_ALGOR *xalg = NULL; 258 PKCS7_RECIP_INFO *ri = NULL; 259 ASN1_OCTET_STRING *os = NULL; 260 261 if (p7 == NULL) { 262 PKCS7error(PKCS7_R_INVALID_NULL_POINTER); 263 return NULL; 264 } 265 266 /* 267 * The content field in the PKCS7 ContentInfo is optional, 268 * but that really only applies to inner content (precisely, 269 * detached signatures). 270 * 271 * When reading content, missing outer content is therefore 272 * treated as an error. 273 * 274 * When creating content, PKCS7_content_new() must be called 275 * before calling this method, so a NULL p7->d is always 276 * an error. 277 */ 278 if (p7->d.ptr == NULL) { 279 PKCS7error(PKCS7_R_NO_CONTENT); 280 return NULL; 281 } 282 283 i = OBJ_obj2nid(p7->type); 284 p7->state = PKCS7_S_HEADER; 285 286 switch (i) { 287 case NID_pkcs7_signed: 288 md_sk = p7->d.sign->md_algs; 289 os = PKCS7_get_octet_string(p7->d.sign->contents); 290 break; 291 case NID_pkcs7_signedAndEnveloped: 292 rsk = p7->d.signed_and_enveloped->recipientinfo; 293 md_sk = p7->d.signed_and_enveloped->md_algs; 294 xalg = p7->d.signed_and_enveloped->enc_data->algorithm; 295 evp_cipher = p7->d.signed_and_enveloped->enc_data->cipher; 296 if (evp_cipher == NULL) { 297 PKCS7error(PKCS7_R_CIPHER_NOT_INITIALIZED); 298 goto err; 299 } 300 break; 301 case NID_pkcs7_enveloped: 302 rsk = p7->d.enveloped->recipientinfo; 303 xalg = p7->d.enveloped->enc_data->algorithm; 304 evp_cipher = p7->d.enveloped->enc_data->cipher; 305 if (evp_cipher == NULL) { 306 PKCS7error(PKCS7_R_CIPHER_NOT_INITIALIZED); 307 goto err; 308 } 309 break; 310 case NID_pkcs7_digest: 311 xa = p7->d.digest->md; 312 os = PKCS7_get_octet_string(p7->d.digest->contents); 313 break; 314 case NID_pkcs7_data: 315 break; 316 default: 317 PKCS7error(PKCS7_R_UNSUPPORTED_CONTENT_TYPE); 318 goto err; 319 } 320 321 for (i = 0; i < sk_X509_ALGOR_num(md_sk); i++) 322 if (!PKCS7_bio_add_digest(&out, sk_X509_ALGOR_value(md_sk, i))) 323 goto err; 324 325 if (xa && !PKCS7_bio_add_digest(&out, xa)) 326 goto err; 327 328 if (evp_cipher != NULL) { 329 unsigned char key[EVP_MAX_KEY_LENGTH]; 330 unsigned char iv[EVP_MAX_IV_LENGTH]; 331 int keylen, ivlen; 332 EVP_CIPHER_CTX *ctx; 333 334 if ((btmp = BIO_new(BIO_f_cipher())) == NULL) { 335 PKCS7error(ERR_R_BIO_LIB); 336 goto err; 337 } 338 BIO_get_cipher_ctx(btmp, &ctx); 339 keylen = EVP_CIPHER_key_length(evp_cipher); 340 ivlen = EVP_CIPHER_iv_length(evp_cipher); 341 xalg->algorithm = OBJ_nid2obj(EVP_CIPHER_type(evp_cipher)); 342 if (ivlen > 0) 343 arc4random_buf(iv, ivlen); 344 if (EVP_CipherInit_ex(ctx, evp_cipher, NULL, NULL, 345 NULL, 1) <= 0) 346 goto err; 347 if (EVP_CIPHER_CTX_rand_key(ctx, key) <= 0) 348 goto err; 349 if (EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, 1) <= 0) 350 goto err; 351 352 if (ivlen > 0) { 353 if (xalg->parameter == NULL) { 354 xalg->parameter = ASN1_TYPE_new(); 355 if (xalg->parameter == NULL) 356 goto err; 357 } 358 if (EVP_CIPHER_param_to_asn1(ctx, xalg->parameter) < 0) 359 goto err; 360 } 361 362 /* Lets do the pub key stuff :-) */ 363 for (i = 0; i < sk_PKCS7_RECIP_INFO_num(rsk); i++) { 364 ri = sk_PKCS7_RECIP_INFO_value(rsk, i); 365 if (pkcs7_encode_rinfo(ri, key, keylen) <= 0) 366 goto err; 367 } 368 explicit_bzero(key, keylen); 369 370 if (out == NULL) 371 out = btmp; 372 else 373 BIO_push(out, btmp); 374 btmp = NULL; 375 } 376 377 if (bio == NULL) { 378 if (PKCS7_is_detached(p7)) 379 bio = BIO_new(BIO_s_null()); 380 else if (os && os->length > 0) 381 bio = BIO_new_mem_buf(os->data, os->length); 382 if (bio == NULL) { 383 bio = BIO_new(BIO_s_mem()); 384 if (bio == NULL) 385 goto err; 386 BIO_set_mem_eof_return(bio, 0); 387 } 388 } 389 if (out) 390 BIO_push(out, bio); 391 else 392 out = bio; 393 bio = NULL; 394 if (0) { 395 err: 396 if (out != NULL) 397 BIO_free_all(out); 398 if (btmp != NULL) 399 BIO_free_all(btmp); 400 out = NULL; 401 } 402 return (out); 403 } 404 405 static int 406 pkcs7_cmp_ri(PKCS7_RECIP_INFO *ri, X509 *pcert) 407 { 408 int ret; 409 410 ret = X509_NAME_cmp(ri->issuer_and_serial->issuer, 411 pcert->cert_info->issuer); 412 if (ret) 413 return ret; 414 return ASN1_INTEGER_cmp(pcert->cert_info->serialNumber, 415 ri->issuer_and_serial->serial); 416 } 417 418 /* int */ 419 BIO * 420 PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) 421 { 422 int i, j; 423 BIO *out = NULL, *btmp = NULL, *etmp = NULL, *bio = NULL; 424 X509_ALGOR *xa; 425 ASN1_OCTET_STRING *data_body = NULL; 426 const EVP_MD *evp_md; 427 const EVP_CIPHER *evp_cipher = NULL; 428 EVP_CIPHER_CTX *evp_ctx = NULL; 429 X509_ALGOR *enc_alg = NULL; 430 STACK_OF(X509_ALGOR) *md_sk = NULL; 431 STACK_OF(PKCS7_RECIP_INFO) *rsk = NULL; 432 PKCS7_RECIP_INFO *ri = NULL; 433 unsigned char *ek = NULL, *tkey = NULL; 434 int eklen = 0, tkeylen = 0; 435 436 if (p7 == NULL) { 437 PKCS7error(PKCS7_R_INVALID_NULL_POINTER); 438 return NULL; 439 } 440 441 if (p7->d.ptr == NULL) { 442 PKCS7error(PKCS7_R_NO_CONTENT); 443 return NULL; 444 } 445 446 i = OBJ_obj2nid(p7->type); 447 p7->state = PKCS7_S_HEADER; 448 449 switch (i) { 450 case NID_pkcs7_signed: 451 data_body = PKCS7_get_octet_string(p7->d.sign->contents); 452 md_sk = p7->d.sign->md_algs; 453 break; 454 case NID_pkcs7_signedAndEnveloped: 455 rsk = p7->d.signed_and_enveloped->recipientinfo; 456 md_sk = p7->d.signed_and_enveloped->md_algs; 457 data_body = p7->d.signed_and_enveloped->enc_data->enc_data; 458 enc_alg = p7->d.signed_and_enveloped->enc_data->algorithm; 459 evp_cipher = EVP_get_cipherbyobj(enc_alg->algorithm); 460 if (evp_cipher == NULL) { 461 PKCS7error(PKCS7_R_UNSUPPORTED_CIPHER_TYPE); 462 goto err; 463 } 464 break; 465 case NID_pkcs7_enveloped: 466 rsk = p7->d.enveloped->recipientinfo; 467 enc_alg = p7->d.enveloped->enc_data->algorithm; 468 data_body = p7->d.enveloped->enc_data->enc_data; 469 evp_cipher = EVP_get_cipherbyobj(enc_alg->algorithm); 470 if (evp_cipher == NULL) { 471 PKCS7error(PKCS7_R_UNSUPPORTED_CIPHER_TYPE); 472 goto err; 473 } 474 break; 475 default: 476 PKCS7error(PKCS7_R_UNSUPPORTED_CONTENT_TYPE); 477 goto err; 478 } 479 480 /* We will be checking the signature */ 481 if (md_sk != NULL) { 482 for (i = 0; i < sk_X509_ALGOR_num(md_sk); i++) { 483 xa = sk_X509_ALGOR_value(md_sk, i); 484 if ((btmp = BIO_new(BIO_f_md())) == NULL) { 485 PKCS7error(ERR_R_BIO_LIB); 486 goto err; 487 } 488 489 j = OBJ_obj2nid(xa->algorithm); 490 evp_md = EVP_get_digestbynid(j); 491 if (evp_md == NULL) { 492 PKCS7error(PKCS7_R_UNKNOWN_DIGEST_TYPE); 493 goto err; 494 } 495 496 BIO_set_md(btmp, evp_md); 497 if (out == NULL) 498 out = btmp; 499 else 500 BIO_push(out, btmp); 501 btmp = NULL; 502 } 503 } 504 505 if (evp_cipher != NULL) { 506 if ((etmp = BIO_new(BIO_f_cipher())) == NULL) { 507 PKCS7error(ERR_R_BIO_LIB); 508 goto err; 509 } 510 511 /* It was encrypted, we need to decrypt the secret key 512 * with the private key */ 513 514 /* Find the recipientInfo which matches the passed certificate 515 * (if any) 516 */ 517 if (pcert) { 518 for (i = 0; i < sk_PKCS7_RECIP_INFO_num(rsk); i++) { 519 ri = sk_PKCS7_RECIP_INFO_value(rsk, i); 520 if (!pkcs7_cmp_ri(ri, pcert)) 521 break; 522 ri = NULL; 523 } 524 if (ri == NULL) { 525 PKCS7error(PKCS7_R_NO_RECIPIENT_MATCHES_CERTIFICATE); 526 goto err; 527 } 528 } 529 530 /* If we haven't got a certificate try each ri in turn */ 531 if (pcert == NULL) { 532 /* Always attempt to decrypt all rinfo even 533 * after sucess as a defence against MMA timing 534 * attacks. 535 */ 536 for (i = 0; i < sk_PKCS7_RECIP_INFO_num(rsk); i++) { 537 ri = sk_PKCS7_RECIP_INFO_value(rsk, i); 538 539 if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey, 540 EVP_CIPHER_key_length(evp_cipher)) < 0) 541 goto err; 542 ERR_clear_error(); 543 } 544 } else { 545 /* Only exit on fatal errors, not decrypt failure */ 546 if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey, 0) < 0) 547 goto err; 548 ERR_clear_error(); 549 } 550 551 evp_ctx = NULL; 552 BIO_get_cipher_ctx(etmp, &evp_ctx); 553 if (EVP_CipherInit_ex(evp_ctx, evp_cipher, NULL, NULL, 554 NULL, 0) <= 0) 555 goto err; 556 if (EVP_CIPHER_asn1_to_param(evp_ctx, enc_alg->parameter) < 0) 557 goto err; 558 /* Generate random key as MMA defence */ 559 tkeylen = EVP_CIPHER_CTX_key_length(evp_ctx); 560 tkey = malloc(tkeylen); 561 if (!tkey) 562 goto err; 563 if (EVP_CIPHER_CTX_rand_key(evp_ctx, tkey) <= 0) 564 goto err; 565 if (ek == NULL) { 566 ek = tkey; 567 eklen = tkeylen; 568 tkey = NULL; 569 } 570 571 if (eklen != EVP_CIPHER_CTX_key_length(evp_ctx)) { 572 /* Some S/MIME clients don't use the same key 573 * and effective key length. The key length is 574 * determined by the size of the decrypted RSA key. 575 */ 576 if (!EVP_CIPHER_CTX_set_key_length(evp_ctx, eklen)) { 577 /* Use random key as MMA defence */ 578 freezero(ek, eklen); 579 ek = tkey; 580 eklen = tkeylen; 581 tkey = NULL; 582 } 583 } 584 /* Clear errors so we don't leak information useful in MMA */ 585 ERR_clear_error(); 586 if (EVP_CipherInit_ex(evp_ctx, NULL, NULL, ek, NULL, 0) <= 0) 587 goto err; 588 589 freezero(ek, eklen); 590 ek = NULL; 591 freezero(tkey, tkeylen); 592 tkey = NULL; 593 594 if (out == NULL) 595 out = etmp; 596 else 597 BIO_push(out, etmp); 598 etmp = NULL; 599 } 600 601 if (PKCS7_is_detached(p7) || (in_bio != NULL)) { 602 bio = in_bio; 603 } else { 604 if (data_body != NULL && data_body->length > 0) 605 bio = BIO_new_mem_buf(data_body->data, data_body->length); 606 else { 607 bio = BIO_new(BIO_s_mem()); 608 BIO_set_mem_eof_return(bio, 0); 609 } 610 if (bio == NULL) 611 goto err; 612 } 613 BIO_push(out, bio); 614 615 if (0) { 616 err: 617 freezero(ek, eklen); 618 freezero(tkey, tkeylen); 619 if (out != NULL) 620 BIO_free_all(out); 621 if (btmp != NULL) 622 BIO_free_all(btmp); 623 if (etmp != NULL) 624 BIO_free_all(etmp); 625 out = NULL; 626 } 627 return (out); 628 } 629 630 static BIO * 631 PKCS7_find_digest(EVP_MD_CTX **pmd, BIO *bio, int nid) 632 { 633 for (;;) { 634 bio = BIO_find_type(bio, BIO_TYPE_MD); 635 if (bio == NULL) { 636 PKCS7error(PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST); 637 return NULL; 638 } 639 BIO_get_md_ctx(bio, pmd); 640 if (*pmd == NULL) { 641 PKCS7error(ERR_R_INTERNAL_ERROR); 642 return NULL; 643 } 644 if (EVP_MD_CTX_type(*pmd) == nid) 645 return bio; 646 bio = BIO_next(bio); 647 } 648 return NULL; 649 } 650 651 static int 652 do_pkcs7_signed_attrib(PKCS7_SIGNER_INFO *si, EVP_MD_CTX *mctx) 653 { 654 unsigned char md_data[EVP_MAX_MD_SIZE]; 655 unsigned int md_len; 656 657 /* Add signing time if not already present */ 658 if (!PKCS7_get_signed_attribute(si, NID_pkcs9_signingTime)) { 659 if (!PKCS7_add0_attrib_signing_time(si, NULL)) { 660 PKCS7error(ERR_R_MALLOC_FAILURE); 661 return 0; 662 } 663 } 664 665 /* Add digest */ 666 if (!EVP_DigestFinal_ex(mctx, md_data, &md_len)) { 667 PKCS7error(ERR_R_EVP_LIB); 668 return 0; 669 } 670 if (!PKCS7_add1_attrib_digest(si, md_data, md_len)) { 671 PKCS7error(ERR_R_MALLOC_FAILURE); 672 return 0; 673 } 674 675 /* Now sign the attributes */ 676 if (!PKCS7_SIGNER_INFO_sign(si)) 677 return 0; 678 679 return 1; 680 } 681 682 683 int 684 PKCS7_dataFinal(PKCS7 *p7, BIO *bio) 685 { 686 int ret = 0; 687 int i, j; 688 BIO *btmp; 689 PKCS7_SIGNER_INFO *si; 690 EVP_MD_CTX *mdc, ctx_tmp; 691 STACK_OF(X509_ATTRIBUTE) *sk; 692 STACK_OF(PKCS7_SIGNER_INFO) *si_sk = NULL; 693 ASN1_OCTET_STRING *os = NULL; 694 695 if (p7 == NULL) { 696 PKCS7error(PKCS7_R_INVALID_NULL_POINTER); 697 return 0; 698 } 699 700 if (p7->d.ptr == NULL) { 701 PKCS7error(PKCS7_R_NO_CONTENT); 702 return 0; 703 } 704 705 EVP_MD_CTX_init(&ctx_tmp); 706 i = OBJ_obj2nid(p7->type); 707 p7->state = PKCS7_S_HEADER; 708 709 switch (i) { 710 case NID_pkcs7_data: 711 os = p7->d.data; 712 break; 713 case NID_pkcs7_signedAndEnveloped: 714 /* XXX */ 715 si_sk = p7->d.signed_and_enveloped->signer_info; 716 os = p7->d.signed_and_enveloped->enc_data->enc_data; 717 if (!os) { 718 os = ASN1_OCTET_STRING_new(); 719 if (!os) { 720 PKCS7error(ERR_R_MALLOC_FAILURE); 721 goto err; 722 } 723 p7->d.signed_and_enveloped->enc_data->enc_data = os; 724 } 725 break; 726 case NID_pkcs7_enveloped: 727 /* XXX */ 728 os = p7->d.enveloped->enc_data->enc_data; 729 if (!os) { 730 os = ASN1_OCTET_STRING_new(); 731 if (!os) { 732 PKCS7error(ERR_R_MALLOC_FAILURE); 733 goto err; 734 } 735 p7->d.enveloped->enc_data->enc_data = os; 736 } 737 break; 738 case NID_pkcs7_signed: 739 si_sk = p7->d.sign->signer_info; 740 os = PKCS7_get_octet_string(p7->d.sign->contents); 741 if (!PKCS7_is_detached(p7) && os == NULL) { 742 PKCS7error(PKCS7_R_DECODE_ERROR); 743 goto err; 744 } 745 /* If detached data then the content is excluded */ 746 if (PKCS7_type_is_data(p7->d.sign->contents) && p7->detached) { 747 ASN1_OCTET_STRING_free(os); 748 os = NULL; 749 p7->d.sign->contents->d.data = NULL; 750 } 751 break; 752 753 case NID_pkcs7_digest: 754 os = PKCS7_get_octet_string(p7->d.digest->contents); 755 if (os == NULL) { 756 PKCS7error(PKCS7_R_DECODE_ERROR); 757 goto err; 758 } 759 /* If detached data then the content is excluded */ 760 if (PKCS7_type_is_data(p7->d.digest->contents) && 761 p7->detached) { 762 ASN1_OCTET_STRING_free(os); 763 os = NULL; 764 p7->d.digest->contents->d.data = NULL; 765 } 766 break; 767 768 default: 769 PKCS7error(PKCS7_R_UNSUPPORTED_CONTENT_TYPE); 770 goto err; 771 } 772 773 if (si_sk != NULL) { 774 for (i = 0; i < sk_PKCS7_SIGNER_INFO_num(si_sk); i++) { 775 si = sk_PKCS7_SIGNER_INFO_value(si_sk, i); 776 if (si->pkey == NULL) 777 continue; 778 779 j = OBJ_obj2nid(si->digest_alg->algorithm); 780 781 if ((btmp = PKCS7_find_digest(&mdc, bio, j)) == NULL) 782 goto err; 783 784 /* We now have the EVP_MD_CTX, lets do the 785 * signing. */ 786 if (!EVP_MD_CTX_copy_ex(&ctx_tmp, mdc)) 787 goto err; 788 789 sk = si->auth_attr; 790 791 /* If there are attributes, we add the digest 792 * attribute and only sign the attributes */ 793 if (sk_X509_ATTRIBUTE_num(sk) > 0) { 794 if (!do_pkcs7_signed_attrib(si, &ctx_tmp)) 795 goto err; 796 } else { 797 unsigned char *abuf = NULL; 798 unsigned int abuflen; 799 abuflen = EVP_PKEY_size(si->pkey); 800 abuf = malloc(abuflen); 801 if (!abuf) 802 goto err; 803 804 if (!EVP_SignFinal(&ctx_tmp, abuf, &abuflen, 805 si->pkey)) { 806 PKCS7error(ERR_R_EVP_LIB); 807 goto err; 808 } 809 ASN1_STRING_set0(si->enc_digest, abuf, abuflen); 810 } 811 } 812 } else if (i == NID_pkcs7_digest) { 813 unsigned char md_data[EVP_MAX_MD_SIZE]; 814 unsigned int md_len; 815 816 if (!PKCS7_find_digest(&mdc, bio, 817 OBJ_obj2nid(p7->d.digest->md->algorithm))) 818 goto err; 819 if (!EVP_DigestFinal_ex(mdc, md_data, &md_len)) 820 goto err; 821 if (ASN1_STRING_set(p7->d.digest->digest, md_data, 822 md_len) == 0) 823 goto err; 824 } 825 826 if (!PKCS7_is_detached(p7)) { 827 /* 828 * NOTE: only reach os == NULL here because detached 829 * digested data support is broken? 830 */ 831 if (os == NULL) 832 goto err; 833 if (!(os->flags & ASN1_STRING_FLAG_NDEF)) { 834 char *cont; 835 long contlen; 836 837 btmp = BIO_find_type(bio, BIO_TYPE_MEM); 838 if (btmp == NULL) { 839 PKCS7error(PKCS7_R_UNABLE_TO_FIND_MEM_BIO); 840 goto err; 841 } 842 contlen = BIO_get_mem_data(btmp, &cont); 843 /* 844 * Mark the BIO read only then we can use its copy 845 * of the data instead of making an extra copy. 846 */ 847 BIO_set_flags(btmp, BIO_FLAGS_MEM_RDONLY); 848 BIO_set_mem_eof_return(btmp, 0); 849 ASN1_STRING_set0(os, (unsigned char *)cont, contlen); 850 } 851 } 852 ret = 1; 853 err: 854 EVP_MD_CTX_cleanup(&ctx_tmp); 855 return (ret); 856 } 857 858 int 859 PKCS7_SIGNER_INFO_sign(PKCS7_SIGNER_INFO *si) 860 { 861 EVP_MD_CTX mctx; 862 EVP_PKEY_CTX *pctx; 863 unsigned char *abuf = NULL; 864 int alen; 865 size_t siglen; 866 const EVP_MD *md = NULL; 867 868 md = EVP_get_digestbyobj(si->digest_alg->algorithm); 869 if (md == NULL) 870 return 0; 871 872 EVP_MD_CTX_init(&mctx); 873 if (EVP_DigestSignInit(&mctx, &pctx, md, NULL, si->pkey) <= 0) 874 goto err; 875 876 if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN, 877 EVP_PKEY_CTRL_PKCS7_SIGN, 0, si) <= 0) { 878 PKCS7error(PKCS7_R_CTRL_ERROR); 879 goto err; 880 } 881 882 alen = ASN1_item_i2d((ASN1_VALUE *)si->auth_attr, &abuf, 883 &PKCS7_ATTR_SIGN_it); 884 if (!abuf) 885 goto err; 886 if (EVP_DigestSignUpdate(&mctx, abuf, alen) <= 0) 887 goto err; 888 free(abuf); 889 abuf = NULL; 890 if (EVP_DigestSignFinal(&mctx, NULL, &siglen) <= 0) 891 goto err; 892 abuf = malloc(siglen); 893 if (!abuf) 894 goto err; 895 if (EVP_DigestSignFinal(&mctx, abuf, &siglen) <= 0) 896 goto err; 897 898 if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN, 899 EVP_PKEY_CTRL_PKCS7_SIGN, 1, si) <= 0) { 900 PKCS7error(PKCS7_R_CTRL_ERROR); 901 goto err; 902 } 903 904 EVP_MD_CTX_cleanup(&mctx); 905 906 ASN1_STRING_set0(si->enc_digest, abuf, siglen); 907 908 return 1; 909 910 err: 911 free(abuf); 912 EVP_MD_CTX_cleanup(&mctx); 913 return 0; 914 } 915 916 int 917 PKCS7_dataVerify(X509_STORE *cert_store, X509_STORE_CTX *ctx, BIO *bio, 918 PKCS7 *p7, PKCS7_SIGNER_INFO *si) 919 { 920 PKCS7_ISSUER_AND_SERIAL *ias; 921 int ret = 0, i; 922 STACK_OF(X509) *cert; 923 X509 *x509; 924 925 if (p7 == NULL) { 926 PKCS7error(PKCS7_R_INVALID_NULL_POINTER); 927 return 0; 928 } 929 930 if (p7->d.ptr == NULL) { 931 PKCS7error(PKCS7_R_NO_CONTENT); 932 return 0; 933 } 934 935 if (PKCS7_type_is_signed(p7)) { 936 cert = p7->d.sign->cert; 937 } else if (PKCS7_type_is_signedAndEnveloped(p7)) { 938 cert = p7->d.signed_and_enveloped->cert; 939 } else { 940 PKCS7error(PKCS7_R_WRONG_PKCS7_TYPE); 941 goto err; 942 } 943 /* XXXX */ 944 ias = si->issuer_and_serial; 945 946 x509 = X509_find_by_issuer_and_serial(cert, ias->issuer, ias->serial); 947 948 /* were we able to find the cert in passed to us */ 949 if (x509 == NULL) { 950 PKCS7error(PKCS7_R_UNABLE_TO_FIND_CERTIFICATE); 951 goto err; 952 } 953 954 /* Lets verify */ 955 if (!X509_STORE_CTX_init(ctx, cert_store, x509, cert)) { 956 PKCS7error(ERR_R_X509_LIB); 957 goto err; 958 } 959 if (X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_SMIME_SIGN) == 0) { 960 X509_STORE_CTX_cleanup(ctx); 961 goto err; 962 } 963 i = X509_verify_cert(ctx); 964 if (i <= 0) { 965 PKCS7error(ERR_R_X509_LIB); 966 X509_STORE_CTX_cleanup(ctx); 967 goto err; 968 } 969 X509_STORE_CTX_cleanup(ctx); 970 971 return PKCS7_signatureVerify(bio, p7, si, x509); 972 err: 973 974 return ret; 975 } 976 977 int 978 PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si, X509 *x509) 979 { 980 ASN1_OCTET_STRING *os; 981 EVP_MD_CTX mdc_tmp, *mdc; 982 int ret = 0, i; 983 int md_type; 984 STACK_OF(X509_ATTRIBUTE) *sk; 985 BIO *btmp; 986 EVP_PKEY *pkey; 987 988 EVP_MD_CTX_init(&mdc_tmp); 989 990 if (!PKCS7_type_is_signed(p7) && 991 !PKCS7_type_is_signedAndEnveloped(p7)) { 992 PKCS7error(PKCS7_R_WRONG_PKCS7_TYPE); 993 goto err; 994 } 995 996 md_type = OBJ_obj2nid(si->digest_alg->algorithm); 997 998 btmp = bio; 999 for (;;) { 1000 if ((btmp == NULL) || 1001 ((btmp = BIO_find_type(btmp, BIO_TYPE_MD)) == NULL)) { 1002 PKCS7error(PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST); 1003 goto err; 1004 } 1005 BIO_get_md_ctx(btmp, &mdc); 1006 if (mdc == NULL) { 1007 PKCS7error(ERR_R_INTERNAL_ERROR); 1008 goto err; 1009 } 1010 if (EVP_MD_CTX_type(mdc) == md_type) 1011 break; 1012 /* Workaround for some broken clients that put the signature 1013 * OID instead of the digest OID in digest_alg->algorithm 1014 */ 1015 if (EVP_MD_pkey_type(EVP_MD_CTX_md(mdc)) == md_type) 1016 break; 1017 btmp = BIO_next(btmp); 1018 } 1019 1020 /* mdc is the digest ctx that we want, unless there are attributes, 1021 * in which case the digest is the signed attributes */ 1022 if (!EVP_MD_CTX_copy_ex(&mdc_tmp, mdc)) 1023 goto err; 1024 1025 sk = si->auth_attr; 1026 if ((sk != NULL) && (sk_X509_ATTRIBUTE_num(sk) != 0)) { 1027 unsigned char md_dat[EVP_MAX_MD_SIZE], *abuf = NULL; 1028 unsigned int md_len; 1029 int alen; 1030 ASN1_OCTET_STRING *message_digest; 1031 1032 if (!EVP_DigestFinal_ex(&mdc_tmp, md_dat, &md_len)) 1033 goto err; 1034 message_digest = PKCS7_digest_from_attributes(sk); 1035 if (!message_digest) { 1036 PKCS7error(PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST); 1037 goto err; 1038 } 1039 if ((message_digest->length != (int)md_len) || 1040 (memcmp(message_digest->data, md_dat, md_len))) { 1041 PKCS7error(PKCS7_R_DIGEST_FAILURE); 1042 ret = -1; 1043 goto err; 1044 } 1045 1046 if (!EVP_VerifyInit_ex(&mdc_tmp, EVP_get_digestbynid(md_type), 1047 NULL)) 1048 goto err; 1049 1050 alen = ASN1_item_i2d((ASN1_VALUE *)sk, &abuf, 1051 &PKCS7_ATTR_VERIFY_it); 1052 if (alen <= 0) { 1053 PKCS7error(ERR_R_ASN1_LIB); 1054 ret = -1; 1055 goto err; 1056 } 1057 if (!EVP_VerifyUpdate(&mdc_tmp, abuf, alen)) 1058 goto err; 1059 1060 free(abuf); 1061 } 1062 1063 os = si->enc_digest; 1064 pkey = X509_get_pubkey(x509); 1065 if (!pkey) { 1066 ret = -1; 1067 goto err; 1068 } 1069 1070 i = EVP_VerifyFinal(&mdc_tmp, os->data, os->length, pkey); 1071 EVP_PKEY_free(pkey); 1072 if (i <= 0) { 1073 PKCS7error(PKCS7_R_SIGNATURE_FAILURE); 1074 ret = -1; 1075 goto err; 1076 } else 1077 ret = 1; 1078 err: 1079 EVP_MD_CTX_cleanup(&mdc_tmp); 1080 return (ret); 1081 } 1082 1083 PKCS7_ISSUER_AND_SERIAL * 1084 PKCS7_get_issuer_and_serial(PKCS7 *p7, int idx) 1085 { 1086 STACK_OF(PKCS7_RECIP_INFO) *rsk; 1087 PKCS7_RECIP_INFO *ri; 1088 int i; 1089 1090 i = OBJ_obj2nid(p7->type); 1091 if (i != NID_pkcs7_signedAndEnveloped) 1092 return NULL; 1093 if (p7->d.signed_and_enveloped == NULL) 1094 return NULL; 1095 rsk = p7->d.signed_and_enveloped->recipientinfo; 1096 if (rsk == NULL) 1097 return NULL; 1098 ri = sk_PKCS7_RECIP_INFO_value(rsk, 0); 1099 if (sk_PKCS7_RECIP_INFO_num(rsk) <= idx) 1100 return (NULL); 1101 ri = sk_PKCS7_RECIP_INFO_value(rsk, idx); 1102 return (ri->issuer_and_serial); 1103 } 1104 1105 ASN1_TYPE * 1106 PKCS7_get_signed_attribute(PKCS7_SIGNER_INFO *si, int nid) 1107 { 1108 return (get_attribute(si->auth_attr, nid)); 1109 } 1110 1111 ASN1_TYPE * 1112 PKCS7_get_attribute(PKCS7_SIGNER_INFO *si, int nid) 1113 { 1114 return (get_attribute(si->unauth_attr, nid)); 1115 } 1116 1117 static ASN1_TYPE * 1118 get_attribute(STACK_OF(X509_ATTRIBUTE) *sk, int nid) 1119 { 1120 int i; 1121 X509_ATTRIBUTE *xa; 1122 ASN1_OBJECT *o; 1123 1124 o = OBJ_nid2obj(nid); 1125 if (!o || !sk) 1126 return (NULL); 1127 for (i = 0; i < sk_X509_ATTRIBUTE_num(sk); i++) { 1128 xa = sk_X509_ATTRIBUTE_value(sk, i); 1129 if (OBJ_cmp(xa->object, o) == 0) { 1130 if (!xa->single && sk_ASN1_TYPE_num(xa->value.set)) 1131 return (sk_ASN1_TYPE_value(xa->value.set, 0)); 1132 else 1133 return (NULL); 1134 } 1135 } 1136 return (NULL); 1137 } 1138 1139 ASN1_OCTET_STRING * 1140 PKCS7_digest_from_attributes(STACK_OF(X509_ATTRIBUTE) *sk) 1141 { 1142 ASN1_TYPE *astype; 1143 1144 if (!(astype = get_attribute(sk, NID_pkcs9_messageDigest))) 1145 return NULL; 1146 if (astype->type != V_ASN1_OCTET_STRING) 1147 return NULL; 1148 return astype->value.octet_string; 1149 } 1150 1151 int 1152 PKCS7_set_signed_attributes(PKCS7_SIGNER_INFO *p7si, 1153 STACK_OF(X509_ATTRIBUTE) *sk) 1154 { 1155 int i; 1156 1157 if (p7si->auth_attr != NULL) 1158 sk_X509_ATTRIBUTE_pop_free(p7si->auth_attr, 1159 X509_ATTRIBUTE_free); 1160 p7si->auth_attr = sk_X509_ATTRIBUTE_dup(sk); 1161 if (p7si->auth_attr == NULL) 1162 return 0; 1163 for (i = 0; i < sk_X509_ATTRIBUTE_num(sk); i++) { 1164 if ((sk_X509_ATTRIBUTE_set(p7si->auth_attr, i, 1165 X509_ATTRIBUTE_dup(sk_X509_ATTRIBUTE_value(sk, i)))) 1166 == NULL) 1167 return (0); 1168 } 1169 return (1); 1170 } 1171 1172 int 1173 PKCS7_set_attributes(PKCS7_SIGNER_INFO *p7si, STACK_OF(X509_ATTRIBUTE) *sk) 1174 { 1175 int i; 1176 1177 if (p7si->unauth_attr != NULL) 1178 sk_X509_ATTRIBUTE_pop_free(p7si->unauth_attr, 1179 X509_ATTRIBUTE_free); 1180 p7si->unauth_attr = sk_X509_ATTRIBUTE_dup(sk); 1181 if (p7si->unauth_attr == NULL) 1182 return 0; 1183 for (i = 0; i < sk_X509_ATTRIBUTE_num(sk); i++) { 1184 if ((sk_X509_ATTRIBUTE_set(p7si->unauth_attr, i, 1185 X509_ATTRIBUTE_dup(sk_X509_ATTRIBUTE_value(sk, i)))) 1186 == NULL) 1187 return (0); 1188 } 1189 return (1); 1190 } 1191 1192 int 1193 PKCS7_add_signed_attribute(PKCS7_SIGNER_INFO *p7si, int nid, int atrtype, 1194 void *value) 1195 { 1196 return (add_attribute(&(p7si->auth_attr), nid, atrtype, value)); 1197 } 1198 1199 int 1200 PKCS7_add_attribute(PKCS7_SIGNER_INFO *p7si, int nid, int atrtype, void *value) 1201 { 1202 return (add_attribute(&(p7si->unauth_attr), nid, atrtype, value)); 1203 } 1204 1205 static int 1206 add_attribute(STACK_OF(X509_ATTRIBUTE) **sk, int nid, int atrtype, void *value) 1207 { 1208 X509_ATTRIBUTE *attr = NULL; 1209 1210 if (*sk == NULL) { 1211 *sk = sk_X509_ATTRIBUTE_new_null(); 1212 if (*sk == NULL) 1213 return 0; 1214 new_attrib: 1215 if (!(attr = X509_ATTRIBUTE_create(nid, atrtype, value))) 1216 return 0; 1217 if (!sk_X509_ATTRIBUTE_push(*sk, attr)) { 1218 X509_ATTRIBUTE_free(attr); 1219 return 0; 1220 } 1221 } else { 1222 int i; 1223 1224 for (i = 0; i < sk_X509_ATTRIBUTE_num(*sk); i++) { 1225 attr = sk_X509_ATTRIBUTE_value(*sk, i); 1226 if (OBJ_obj2nid(attr->object) == nid) { 1227 X509_ATTRIBUTE_free(attr); 1228 attr = X509_ATTRIBUTE_create(nid, atrtype, 1229 value); 1230 if (attr == NULL) 1231 return 0; 1232 if (!sk_X509_ATTRIBUTE_set(*sk, i, attr)) { 1233 X509_ATTRIBUTE_free(attr); 1234 return 0; 1235 } 1236 goto end; 1237 } 1238 } 1239 goto new_attrib; 1240 } 1241 end: 1242 return (1); 1243 } 1244