1 /* 2 * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the OpenSSL license (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #include <stdio.h> 11 #include "internal/cryptlib.h" 12 #include <openssl/rand.h> 13 #include <openssl/objects.h> 14 #include <openssl/x509.h> 15 #include <openssl/x509v3.h> 16 #include <openssl/err.h> 17 18 static int add_attribute(STACK_OF(X509_ATTRIBUTE) **sk, int nid, int atrtype, 19 void *value); 20 static ASN1_TYPE *get_attribute(STACK_OF(X509_ATTRIBUTE) *sk, int nid); 21 22 static int PKCS7_type_is_other(PKCS7 *p7) 23 { 24 int isOther = 1; 25 26 int nid = OBJ_obj2nid(p7->type); 27 28 switch (nid) { 29 case NID_pkcs7_data: 30 case NID_pkcs7_signed: 31 case NID_pkcs7_enveloped: 32 case NID_pkcs7_signedAndEnveloped: 33 case NID_pkcs7_digest: 34 case NID_pkcs7_encrypted: 35 isOther = 0; 36 break; 37 default: 38 isOther = 1; 39 } 40 41 return isOther; 42 43 } 44 45 static ASN1_OCTET_STRING *PKCS7_get_octet_string(PKCS7 *p7) 46 { 47 if (PKCS7_type_is_data(p7)) 48 return p7->d.data; 49 if (PKCS7_type_is_other(p7) && p7->d.other 50 && (p7->d.other->type == V_ASN1_OCTET_STRING)) 51 return p7->d.other->value.octet_string; 52 return NULL; 53 } 54 55 static int PKCS7_bio_add_digest(BIO **pbio, X509_ALGOR *alg) 56 { 57 BIO *btmp; 58 const EVP_MD *md; 59 if ((btmp = BIO_new(BIO_f_md())) == NULL) { 60 PKCS7err(PKCS7_F_PKCS7_BIO_ADD_DIGEST, ERR_R_BIO_LIB); 61 goto err; 62 } 63 64 md = EVP_get_digestbyobj(alg->algorithm); 65 if (md == NULL) { 66 PKCS7err(PKCS7_F_PKCS7_BIO_ADD_DIGEST, PKCS7_R_UNKNOWN_DIGEST_TYPE); 67 goto err; 68 } 69 70 BIO_set_md(btmp, md); 71 if (*pbio == NULL) 72 *pbio = btmp; 73 else if (!BIO_push(*pbio, btmp)) { 74 PKCS7err(PKCS7_F_PKCS7_BIO_ADD_DIGEST, ERR_R_BIO_LIB); 75 goto err; 76 } 77 btmp = NULL; 78 79 return 1; 80 81 err: 82 BIO_free(btmp); 83 return 0; 84 85 } 86 87 static int pkcs7_encode_rinfo(PKCS7_RECIP_INFO *ri, 88 unsigned char *key, int keylen) 89 { 90 EVP_PKEY_CTX *pctx = NULL; 91 EVP_PKEY *pkey = NULL; 92 unsigned char *ek = NULL; 93 int ret = 0; 94 size_t eklen; 95 96 pkey = X509_get0_pubkey(ri->cert); 97 98 if (!pkey) 99 return 0; 100 101 pctx = EVP_PKEY_CTX_new(pkey, NULL); 102 if (!pctx) 103 return 0; 104 105 if (EVP_PKEY_encrypt_init(pctx) <= 0) 106 goto err; 107 108 if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_ENCRYPT, 109 EVP_PKEY_CTRL_PKCS7_ENCRYPT, 0, ri) <= 0) { 110 PKCS7err(PKCS7_F_PKCS7_ENCODE_RINFO, PKCS7_R_CTRL_ERROR); 111 goto err; 112 } 113 114 if (EVP_PKEY_encrypt(pctx, NULL, &eklen, key, keylen) <= 0) 115 goto err; 116 117 ek = OPENSSL_malloc(eklen); 118 119 if (ek == NULL) { 120 PKCS7err(PKCS7_F_PKCS7_ENCODE_RINFO, ERR_R_MALLOC_FAILURE); 121 goto err; 122 } 123 124 if (EVP_PKEY_encrypt(pctx, ek, &eklen, key, keylen) <= 0) 125 goto err; 126 127 ASN1_STRING_set0(ri->enc_key, ek, eklen); 128 ek = NULL; 129 130 ret = 1; 131 132 err: 133 EVP_PKEY_CTX_free(pctx); 134 OPENSSL_free(ek); 135 return ret; 136 137 } 138 139 static int pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen, 140 PKCS7_RECIP_INFO *ri, EVP_PKEY *pkey) 141 { 142 EVP_PKEY_CTX *pctx = NULL; 143 unsigned char *ek = NULL; 144 size_t eklen; 145 146 int ret = -1; 147 148 pctx = EVP_PKEY_CTX_new(pkey, NULL); 149 if (!pctx) 150 return -1; 151 152 if (EVP_PKEY_decrypt_init(pctx) <= 0) 153 goto err; 154 155 if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_DECRYPT, 156 EVP_PKEY_CTRL_PKCS7_DECRYPT, 0, ri) <= 0) { 157 PKCS7err(PKCS7_F_PKCS7_DECRYPT_RINFO, PKCS7_R_CTRL_ERROR); 158 goto err; 159 } 160 161 if (EVP_PKEY_decrypt(pctx, NULL, &eklen, 162 ri->enc_key->data, ri->enc_key->length) <= 0) 163 goto err; 164 165 ek = OPENSSL_malloc(eklen); 166 167 if (ek == NULL) { 168 PKCS7err(PKCS7_F_PKCS7_DECRYPT_RINFO, ERR_R_MALLOC_FAILURE); 169 goto err; 170 } 171 172 if (EVP_PKEY_decrypt(pctx, ek, &eklen, 173 ri->enc_key->data, ri->enc_key->length) <= 0) { 174 ret = 0; 175 PKCS7err(PKCS7_F_PKCS7_DECRYPT_RINFO, ERR_R_EVP_LIB); 176 goto err; 177 } 178 179 ret = 1; 180 181 OPENSSL_clear_free(*pek, *peklen); 182 *pek = ek; 183 *peklen = eklen; 184 185 err: 186 EVP_PKEY_CTX_free(pctx); 187 if (!ret) 188 OPENSSL_free(ek); 189 190 return ret; 191 } 192 193 BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio) 194 { 195 int i; 196 BIO *out = NULL, *btmp = NULL; 197 X509_ALGOR *xa = NULL; 198 const EVP_CIPHER *evp_cipher = NULL; 199 STACK_OF(X509_ALGOR) *md_sk = NULL; 200 STACK_OF(PKCS7_RECIP_INFO) *rsk = NULL; 201 X509_ALGOR *xalg = NULL; 202 PKCS7_RECIP_INFO *ri = NULL; 203 ASN1_OCTET_STRING *os = NULL; 204 205 if (p7 == NULL) { 206 PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_INVALID_NULL_POINTER); 207 return NULL; 208 } 209 /* 210 * The content field in the PKCS7 ContentInfo is optional, but that really 211 * only applies to inner content (precisely, detached signatures). 212 * 213 * When reading content, missing outer content is therefore treated as an 214 * error. 215 * 216 * When creating content, PKCS7_content_new() must be called before 217 * calling this method, so a NULL p7->d is always an error. 218 */ 219 if (p7->d.ptr == NULL) { 220 PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_NO_CONTENT); 221 return NULL; 222 } 223 224 i = OBJ_obj2nid(p7->type); 225 p7->state = PKCS7_S_HEADER; 226 227 switch (i) { 228 case NID_pkcs7_signed: 229 md_sk = p7->d.sign->md_algs; 230 os = PKCS7_get_octet_string(p7->d.sign->contents); 231 break; 232 case NID_pkcs7_signedAndEnveloped: 233 rsk = p7->d.signed_and_enveloped->recipientinfo; 234 md_sk = p7->d.signed_and_enveloped->md_algs; 235 xalg = p7->d.signed_and_enveloped->enc_data->algorithm; 236 evp_cipher = p7->d.signed_and_enveloped->enc_data->cipher; 237 if (evp_cipher == NULL) { 238 PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_CIPHER_NOT_INITIALIZED); 239 goto err; 240 } 241 break; 242 case NID_pkcs7_enveloped: 243 rsk = p7->d.enveloped->recipientinfo; 244 xalg = p7->d.enveloped->enc_data->algorithm; 245 evp_cipher = p7->d.enveloped->enc_data->cipher; 246 if (evp_cipher == NULL) { 247 PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_CIPHER_NOT_INITIALIZED); 248 goto err; 249 } 250 break; 251 case NID_pkcs7_digest: 252 xa = p7->d.digest->md; 253 os = PKCS7_get_octet_string(p7->d.digest->contents); 254 break; 255 case NID_pkcs7_data: 256 break; 257 default: 258 PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_UNSUPPORTED_CONTENT_TYPE); 259 goto err; 260 } 261 262 for (i = 0; i < sk_X509_ALGOR_num(md_sk); i++) 263 if (!PKCS7_bio_add_digest(&out, sk_X509_ALGOR_value(md_sk, i))) 264 goto err; 265 266 if (xa && !PKCS7_bio_add_digest(&out, xa)) 267 goto err; 268 269 if (evp_cipher != NULL) { 270 unsigned char key[EVP_MAX_KEY_LENGTH]; 271 unsigned char iv[EVP_MAX_IV_LENGTH]; 272 int keylen, ivlen; 273 EVP_CIPHER_CTX *ctx; 274 275 if ((btmp = BIO_new(BIO_f_cipher())) == NULL) { 276 PKCS7err(PKCS7_F_PKCS7_DATAINIT, ERR_R_BIO_LIB); 277 goto err; 278 } 279 BIO_get_cipher_ctx(btmp, &ctx); 280 keylen = EVP_CIPHER_key_length(evp_cipher); 281 ivlen = EVP_CIPHER_iv_length(evp_cipher); 282 xalg->algorithm = OBJ_nid2obj(EVP_CIPHER_type(evp_cipher)); 283 if (ivlen > 0) 284 if (RAND_bytes(iv, ivlen) <= 0) 285 goto err; 286 if (EVP_CipherInit_ex(ctx, evp_cipher, NULL, NULL, NULL, 1) <= 0) 287 goto err; 288 if (EVP_CIPHER_CTX_rand_key(ctx, key) <= 0) 289 goto err; 290 if (EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, 1) <= 0) 291 goto err; 292 293 if (ivlen > 0) { 294 if (xalg->parameter == NULL) { 295 xalg->parameter = ASN1_TYPE_new(); 296 if (xalg->parameter == NULL) 297 goto err; 298 } 299 if (EVP_CIPHER_param_to_asn1(ctx, xalg->parameter) < 0) 300 goto err; 301 } 302 303 /* Lets do the pub key stuff :-) */ 304 for (i = 0; i < sk_PKCS7_RECIP_INFO_num(rsk); i++) { 305 ri = sk_PKCS7_RECIP_INFO_value(rsk, i); 306 if (pkcs7_encode_rinfo(ri, key, keylen) <= 0) 307 goto err; 308 } 309 OPENSSL_cleanse(key, keylen); 310 311 if (out == NULL) 312 out = btmp; 313 else 314 BIO_push(out, btmp); 315 btmp = NULL; 316 } 317 318 if (bio == NULL) { 319 if (PKCS7_is_detached(p7)) { 320 bio = BIO_new(BIO_s_null()); 321 } else if (os && os->length > 0) { 322 bio = BIO_new_mem_buf(os->data, os->length); 323 } else { 324 bio = BIO_new(BIO_s_mem()); 325 if (bio == NULL) 326 goto err; 327 BIO_set_mem_eof_return(bio, 0); 328 } 329 if (bio == NULL) 330 goto err; 331 } 332 if (out) 333 BIO_push(out, bio); 334 else 335 out = bio; 336 return out; 337 338 err: 339 BIO_free_all(out); 340 BIO_free_all(btmp); 341 return NULL; 342 } 343 344 static int pkcs7_cmp_ri(PKCS7_RECIP_INFO *ri, X509 *pcert) 345 { 346 int ret; 347 ret = X509_NAME_cmp(ri->issuer_and_serial->issuer, 348 X509_get_issuer_name(pcert)); 349 if (ret) 350 return ret; 351 return ASN1_INTEGER_cmp(X509_get_serialNumber(pcert), 352 ri->issuer_and_serial->serial); 353 } 354 355 /* int */ 356 BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) 357 { 358 int i, j; 359 BIO *out = NULL, *btmp = NULL, *etmp = NULL, *bio = NULL; 360 X509_ALGOR *xa; 361 ASN1_OCTET_STRING *data_body = NULL; 362 const EVP_MD *evp_md; 363 const EVP_CIPHER *evp_cipher = NULL; 364 EVP_CIPHER_CTX *evp_ctx = NULL; 365 X509_ALGOR *enc_alg = NULL; 366 STACK_OF(X509_ALGOR) *md_sk = NULL; 367 STACK_OF(PKCS7_RECIP_INFO) *rsk = NULL; 368 PKCS7_RECIP_INFO *ri = NULL; 369 unsigned char *ek = NULL, *tkey = NULL; 370 int eklen = 0, tkeylen = 0; 371 372 if (p7 == NULL) { 373 PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_INVALID_NULL_POINTER); 374 return NULL; 375 } 376 377 if (p7->d.ptr == NULL) { 378 PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_NO_CONTENT); 379 return NULL; 380 } 381 382 i = OBJ_obj2nid(p7->type); 383 p7->state = PKCS7_S_HEADER; 384 385 switch (i) { 386 case NID_pkcs7_signed: 387 /* 388 * p7->d.sign->contents is a PKCS7 structure consisting of a contentType 389 * field and optional content. 390 * data_body is NULL if that structure has no (=detached) content 391 * or if the contentType is wrong (i.e., not "data"). 392 */ 393 data_body = PKCS7_get_octet_string(p7->d.sign->contents); 394 if (!PKCS7_is_detached(p7) && data_body == NULL) { 395 PKCS7err(PKCS7_F_PKCS7_DATADECODE, 396 PKCS7_R_INVALID_SIGNED_DATA_TYPE); 397 goto err; 398 } 399 md_sk = p7->d.sign->md_algs; 400 break; 401 case NID_pkcs7_signedAndEnveloped: 402 rsk = p7->d.signed_and_enveloped->recipientinfo; 403 md_sk = p7->d.signed_and_enveloped->md_algs; 404 /* data_body is NULL if the optional EncryptedContent is missing. */ 405 data_body = p7->d.signed_and_enveloped->enc_data->enc_data; 406 enc_alg = p7->d.signed_and_enveloped->enc_data->algorithm; 407 evp_cipher = EVP_get_cipherbyobj(enc_alg->algorithm); 408 if (evp_cipher == NULL) { 409 PKCS7err(PKCS7_F_PKCS7_DATADECODE, 410 PKCS7_R_UNSUPPORTED_CIPHER_TYPE); 411 goto err; 412 } 413 break; 414 case NID_pkcs7_enveloped: 415 rsk = p7->d.enveloped->recipientinfo; 416 enc_alg = p7->d.enveloped->enc_data->algorithm; 417 /* data_body is NULL if the optional EncryptedContent is missing. */ 418 data_body = p7->d.enveloped->enc_data->enc_data; 419 evp_cipher = EVP_get_cipherbyobj(enc_alg->algorithm); 420 if (evp_cipher == NULL) { 421 PKCS7err(PKCS7_F_PKCS7_DATADECODE, 422 PKCS7_R_UNSUPPORTED_CIPHER_TYPE); 423 goto err; 424 } 425 break; 426 default: 427 PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_UNSUPPORTED_CONTENT_TYPE); 428 goto err; 429 } 430 431 /* Detached content must be supplied via in_bio instead. */ 432 if (data_body == NULL && in_bio == NULL) { 433 PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_NO_CONTENT); 434 goto err; 435 } 436 437 /* We will be checking the signature */ 438 if (md_sk != NULL) { 439 for (i = 0; i < sk_X509_ALGOR_num(md_sk); i++) { 440 xa = sk_X509_ALGOR_value(md_sk, i); 441 if ((btmp = BIO_new(BIO_f_md())) == NULL) { 442 PKCS7err(PKCS7_F_PKCS7_DATADECODE, ERR_R_BIO_LIB); 443 goto err; 444 } 445 446 j = OBJ_obj2nid(xa->algorithm); 447 evp_md = EVP_get_digestbynid(j); 448 if (evp_md == NULL) { 449 PKCS7err(PKCS7_F_PKCS7_DATADECODE, 450 PKCS7_R_UNKNOWN_DIGEST_TYPE); 451 goto err; 452 } 453 454 BIO_set_md(btmp, evp_md); 455 if (out == NULL) 456 out = btmp; 457 else 458 BIO_push(out, btmp); 459 btmp = NULL; 460 } 461 } 462 463 if (evp_cipher != NULL) { 464 if ((etmp = BIO_new(BIO_f_cipher())) == NULL) { 465 PKCS7err(PKCS7_F_PKCS7_DATADECODE, ERR_R_BIO_LIB); 466 goto err; 467 } 468 469 /* 470 * It was encrypted, we need to decrypt the secret key with the 471 * private key 472 */ 473 474 /* 475 * Find the recipientInfo which matches the passed certificate (if 476 * any) 477 */ 478 479 if (pcert) { 480 for (i = 0; i < sk_PKCS7_RECIP_INFO_num(rsk); i++) { 481 ri = sk_PKCS7_RECIP_INFO_value(rsk, i); 482 if (!pkcs7_cmp_ri(ri, pcert)) 483 break; 484 ri = NULL; 485 } 486 if (ri == NULL) { 487 PKCS7err(PKCS7_F_PKCS7_DATADECODE, 488 PKCS7_R_NO_RECIPIENT_MATCHES_CERTIFICATE); 489 goto err; 490 } 491 } 492 493 /* If we haven't got a certificate try each ri in turn */ 494 if (pcert == NULL) { 495 /* 496 * Always attempt to decrypt all rinfo even after success as a 497 * defence against MMA timing attacks. 498 */ 499 for (i = 0; i < sk_PKCS7_RECIP_INFO_num(rsk); i++) { 500 ri = sk_PKCS7_RECIP_INFO_value(rsk, i); 501 502 if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey) < 0) 503 goto err; 504 ERR_clear_error(); 505 } 506 } else { 507 /* Only exit on fatal errors, not decrypt failure */ 508 if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey) < 0) 509 goto err; 510 ERR_clear_error(); 511 } 512 513 evp_ctx = NULL; 514 BIO_get_cipher_ctx(etmp, &evp_ctx); 515 if (EVP_CipherInit_ex(evp_ctx, evp_cipher, NULL, NULL, NULL, 0) <= 0) 516 goto err; 517 if (EVP_CIPHER_asn1_to_param(evp_ctx, enc_alg->parameter) < 0) 518 goto err; 519 /* Generate random key as MMA defence */ 520 tkeylen = EVP_CIPHER_CTX_key_length(evp_ctx); 521 tkey = OPENSSL_malloc(tkeylen); 522 if (tkey == NULL) 523 goto err; 524 if (EVP_CIPHER_CTX_rand_key(evp_ctx, tkey) <= 0) 525 goto err; 526 if (ek == NULL) { 527 ek = tkey; 528 eklen = tkeylen; 529 tkey = NULL; 530 } 531 532 if (eklen != EVP_CIPHER_CTX_key_length(evp_ctx)) { 533 /* 534 * Some S/MIME clients don't use the same key and effective key 535 * length. The key length is determined by the size of the 536 * decrypted RSA key. 537 */ 538 if (!EVP_CIPHER_CTX_set_key_length(evp_ctx, eklen)) { 539 /* Use random key as MMA defence */ 540 OPENSSL_clear_free(ek, eklen); 541 ek = tkey; 542 eklen = tkeylen; 543 tkey = NULL; 544 } 545 } 546 /* Clear errors so we don't leak information useful in MMA */ 547 ERR_clear_error(); 548 if (EVP_CipherInit_ex(evp_ctx, NULL, NULL, ek, NULL, 0) <= 0) 549 goto err; 550 551 OPENSSL_clear_free(ek, eklen); 552 ek = NULL; 553 OPENSSL_clear_free(tkey, tkeylen); 554 tkey = NULL; 555 556 if (out == NULL) 557 out = etmp; 558 else 559 BIO_push(out, etmp); 560 etmp = NULL; 561 } 562 if (in_bio != NULL) { 563 bio = in_bio; 564 } else { 565 if (data_body->length > 0) 566 bio = BIO_new_mem_buf(data_body->data, data_body->length); 567 else { 568 bio = BIO_new(BIO_s_mem()); 569 if (bio == NULL) 570 goto err; 571 BIO_set_mem_eof_return(bio, 0); 572 } 573 if (bio == NULL) 574 goto err; 575 } 576 BIO_push(out, bio); 577 bio = NULL; 578 return out; 579 580 err: 581 OPENSSL_clear_free(ek, eklen); 582 OPENSSL_clear_free(tkey, tkeylen); 583 BIO_free_all(out); 584 BIO_free_all(btmp); 585 BIO_free_all(etmp); 586 BIO_free_all(bio); 587 return NULL; 588 } 589 590 static BIO *PKCS7_find_digest(EVP_MD_CTX **pmd, BIO *bio, int nid) 591 { 592 for (;;) { 593 bio = BIO_find_type(bio, BIO_TYPE_MD); 594 if (bio == NULL) { 595 PKCS7err(PKCS7_F_PKCS7_FIND_DIGEST, 596 PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST); 597 return NULL; 598 } 599 BIO_get_md_ctx(bio, pmd); 600 if (*pmd == NULL) { 601 PKCS7err(PKCS7_F_PKCS7_FIND_DIGEST, ERR_R_INTERNAL_ERROR); 602 return NULL; 603 } 604 if (EVP_MD_CTX_type(*pmd) == nid) 605 return bio; 606 bio = BIO_next(bio); 607 } 608 return NULL; 609 } 610 611 static int do_pkcs7_signed_attrib(PKCS7_SIGNER_INFO *si, EVP_MD_CTX *mctx) 612 { 613 unsigned char md_data[EVP_MAX_MD_SIZE]; 614 unsigned int md_len; 615 616 /* Add signing time if not already present */ 617 if (!PKCS7_get_signed_attribute(si, NID_pkcs9_signingTime)) { 618 if (!PKCS7_add0_attrib_signing_time(si, NULL)) { 619 PKCS7err(PKCS7_F_DO_PKCS7_SIGNED_ATTRIB, ERR_R_MALLOC_FAILURE); 620 return 0; 621 } 622 } 623 624 /* Add digest */ 625 if (!EVP_DigestFinal_ex(mctx, md_data, &md_len)) { 626 PKCS7err(PKCS7_F_DO_PKCS7_SIGNED_ATTRIB, ERR_R_EVP_LIB); 627 return 0; 628 } 629 if (!PKCS7_add1_attrib_digest(si, md_data, md_len)) { 630 PKCS7err(PKCS7_F_DO_PKCS7_SIGNED_ATTRIB, ERR_R_MALLOC_FAILURE); 631 return 0; 632 } 633 634 /* Now sign the attributes */ 635 if (!PKCS7_SIGNER_INFO_sign(si)) 636 return 0; 637 638 return 1; 639 } 640 641 int PKCS7_dataFinal(PKCS7 *p7, BIO *bio) 642 { 643 int ret = 0; 644 int i, j; 645 BIO *btmp; 646 PKCS7_SIGNER_INFO *si; 647 EVP_MD_CTX *mdc, *ctx_tmp; 648 STACK_OF(X509_ATTRIBUTE) *sk; 649 STACK_OF(PKCS7_SIGNER_INFO) *si_sk = NULL; 650 ASN1_OCTET_STRING *os = NULL; 651 652 if (p7 == NULL) { 653 PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_INVALID_NULL_POINTER); 654 return 0; 655 } 656 657 if (p7->d.ptr == NULL) { 658 PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_NO_CONTENT); 659 return 0; 660 } 661 662 ctx_tmp = EVP_MD_CTX_new(); 663 if (ctx_tmp == NULL) { 664 PKCS7err(PKCS7_F_PKCS7_DATAFINAL, ERR_R_MALLOC_FAILURE); 665 return 0; 666 } 667 668 i = OBJ_obj2nid(p7->type); 669 p7->state = PKCS7_S_HEADER; 670 671 switch (i) { 672 case NID_pkcs7_data: 673 os = p7->d.data; 674 break; 675 case NID_pkcs7_signedAndEnveloped: 676 /* XXXXXXXXXXXXXXXX */ 677 si_sk = p7->d.signed_and_enveloped->signer_info; 678 os = p7->d.signed_and_enveloped->enc_data->enc_data; 679 if (os == NULL) { 680 os = ASN1_OCTET_STRING_new(); 681 if (os == NULL) { 682 PKCS7err(PKCS7_F_PKCS7_DATAFINAL, ERR_R_MALLOC_FAILURE); 683 goto err; 684 } 685 p7->d.signed_and_enveloped->enc_data->enc_data = os; 686 } 687 break; 688 case NID_pkcs7_enveloped: 689 /* XXXXXXXXXXXXXXXX */ 690 os = p7->d.enveloped->enc_data->enc_data; 691 if (os == NULL) { 692 os = ASN1_OCTET_STRING_new(); 693 if (os == NULL) { 694 PKCS7err(PKCS7_F_PKCS7_DATAFINAL, ERR_R_MALLOC_FAILURE); 695 goto err; 696 } 697 p7->d.enveloped->enc_data->enc_data = os; 698 } 699 break; 700 case NID_pkcs7_signed: 701 si_sk = p7->d.sign->signer_info; 702 os = PKCS7_get_octet_string(p7->d.sign->contents); 703 /* If detached data then the content is excluded */ 704 if (PKCS7_type_is_data(p7->d.sign->contents) && p7->detached) { 705 ASN1_OCTET_STRING_free(os); 706 os = NULL; 707 p7->d.sign->contents->d.data = NULL; 708 } 709 break; 710 711 case NID_pkcs7_digest: 712 os = PKCS7_get_octet_string(p7->d.digest->contents); 713 /* If detached data then the content is excluded */ 714 if (PKCS7_type_is_data(p7->d.digest->contents) && p7->detached) { 715 ASN1_OCTET_STRING_free(os); 716 os = NULL; 717 p7->d.digest->contents->d.data = NULL; 718 } 719 break; 720 721 default: 722 PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_UNSUPPORTED_CONTENT_TYPE); 723 goto err; 724 } 725 726 if (si_sk != NULL) { 727 for (i = 0; i < sk_PKCS7_SIGNER_INFO_num(si_sk); i++) { 728 si = sk_PKCS7_SIGNER_INFO_value(si_sk, i); 729 if (si->pkey == NULL) 730 continue; 731 732 j = OBJ_obj2nid(si->digest_alg->algorithm); 733 734 btmp = bio; 735 736 btmp = PKCS7_find_digest(&mdc, btmp, j); 737 738 if (btmp == NULL) 739 goto err; 740 741 /* 742 * We now have the EVP_MD_CTX, lets do the signing. 743 */ 744 if (!EVP_MD_CTX_copy_ex(ctx_tmp, mdc)) 745 goto err; 746 747 sk = si->auth_attr; 748 749 /* 750 * If there are attributes, we add the digest attribute and only 751 * sign the attributes 752 */ 753 if (sk_X509_ATTRIBUTE_num(sk) > 0) { 754 if (!do_pkcs7_signed_attrib(si, ctx_tmp)) 755 goto err; 756 } else { 757 unsigned char *abuf = NULL; 758 unsigned int abuflen; 759 abuflen = EVP_PKEY_size(si->pkey); 760 abuf = OPENSSL_malloc(abuflen); 761 if (abuf == NULL) 762 goto err; 763 764 if (!EVP_SignFinal(ctx_tmp, abuf, &abuflen, si->pkey)) { 765 OPENSSL_free(abuf); 766 PKCS7err(PKCS7_F_PKCS7_DATAFINAL, ERR_R_EVP_LIB); 767 goto err; 768 } 769 ASN1_STRING_set0(si->enc_digest, abuf, abuflen); 770 } 771 } 772 } else if (i == NID_pkcs7_digest) { 773 unsigned char md_data[EVP_MAX_MD_SIZE]; 774 unsigned int md_len; 775 if (!PKCS7_find_digest(&mdc, bio, 776 OBJ_obj2nid(p7->d.digest->md->algorithm))) 777 goto err; 778 if (!EVP_DigestFinal_ex(mdc, md_data, &md_len)) 779 goto err; 780 if (!ASN1_OCTET_STRING_set(p7->d.digest->digest, md_data, md_len)) 781 goto err; 782 } 783 784 if (!PKCS7_is_detached(p7)) { 785 /* 786 * NOTE(emilia): I think we only reach os == NULL here because detached 787 * digested data support is broken. 788 */ 789 if (os == NULL) 790 goto err; 791 if (!(os->flags & ASN1_STRING_FLAG_NDEF)) { 792 char *cont; 793 long contlen; 794 btmp = BIO_find_type(bio, BIO_TYPE_MEM); 795 if (btmp == NULL) { 796 PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_UNABLE_TO_FIND_MEM_BIO); 797 goto err; 798 } 799 contlen = BIO_get_mem_data(btmp, &cont); 800 /* 801 * Mark the BIO read only then we can use its copy of the data 802 * instead of making an extra copy. 803 */ 804 BIO_set_flags(btmp, BIO_FLAGS_MEM_RDONLY); 805 BIO_set_mem_eof_return(btmp, 0); 806 ASN1_STRING_set0(os, (unsigned char *)cont, contlen); 807 } 808 } 809 ret = 1; 810 err: 811 EVP_MD_CTX_free(ctx_tmp); 812 return ret; 813 } 814 815 int PKCS7_SIGNER_INFO_sign(PKCS7_SIGNER_INFO *si) 816 { 817 EVP_MD_CTX *mctx; 818 EVP_PKEY_CTX *pctx = NULL; 819 unsigned char *abuf = NULL; 820 int alen; 821 size_t siglen; 822 const EVP_MD *md = NULL; 823 824 md = EVP_get_digestbyobj(si->digest_alg->algorithm); 825 if (md == NULL) 826 return 0; 827 828 mctx = EVP_MD_CTX_new(); 829 if (mctx == NULL) { 830 PKCS7err(PKCS7_F_PKCS7_SIGNER_INFO_SIGN, ERR_R_MALLOC_FAILURE); 831 goto err; 832 } 833 834 if (EVP_DigestSignInit(mctx, &pctx, md, NULL, si->pkey) <= 0) 835 goto err; 836 837 if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN, 838 EVP_PKEY_CTRL_PKCS7_SIGN, 0, si) <= 0) { 839 PKCS7err(PKCS7_F_PKCS7_SIGNER_INFO_SIGN, PKCS7_R_CTRL_ERROR); 840 goto err; 841 } 842 843 alen = ASN1_item_i2d((ASN1_VALUE *)si->auth_attr, &abuf, 844 ASN1_ITEM_rptr(PKCS7_ATTR_SIGN)); 845 if (!abuf) 846 goto err; 847 if (EVP_DigestSignUpdate(mctx, abuf, alen) <= 0) 848 goto err; 849 OPENSSL_free(abuf); 850 abuf = NULL; 851 if (EVP_DigestSignFinal(mctx, NULL, &siglen) <= 0) 852 goto err; 853 abuf = OPENSSL_malloc(siglen); 854 if (abuf == NULL) 855 goto err; 856 if (EVP_DigestSignFinal(mctx, abuf, &siglen) <= 0) 857 goto err; 858 859 if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN, 860 EVP_PKEY_CTRL_PKCS7_SIGN, 1, si) <= 0) { 861 PKCS7err(PKCS7_F_PKCS7_SIGNER_INFO_SIGN, PKCS7_R_CTRL_ERROR); 862 goto err; 863 } 864 865 EVP_MD_CTX_free(mctx); 866 867 ASN1_STRING_set0(si->enc_digest, abuf, siglen); 868 869 return 1; 870 871 err: 872 OPENSSL_free(abuf); 873 EVP_MD_CTX_free(mctx); 874 return 0; 875 876 } 877 878 int PKCS7_dataVerify(X509_STORE *cert_store, X509_STORE_CTX *ctx, BIO *bio, 879 PKCS7 *p7, PKCS7_SIGNER_INFO *si) 880 { 881 PKCS7_ISSUER_AND_SERIAL *ias; 882 int ret = 0, i; 883 STACK_OF(X509) *cert; 884 X509 *x509; 885 886 if (p7 == NULL) { 887 PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_INVALID_NULL_POINTER); 888 return 0; 889 } 890 891 if (p7->d.ptr == NULL) { 892 PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_NO_CONTENT); 893 return 0; 894 } 895 896 if (PKCS7_type_is_signed(p7)) { 897 cert = p7->d.sign->cert; 898 } else if (PKCS7_type_is_signedAndEnveloped(p7)) { 899 cert = p7->d.signed_and_enveloped->cert; 900 } else { 901 PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_WRONG_PKCS7_TYPE); 902 goto err; 903 } 904 /* XXXXXXXXXXXXXXXXXXXXXXX */ 905 ias = si->issuer_and_serial; 906 907 x509 = X509_find_by_issuer_and_serial(cert, ias->issuer, ias->serial); 908 909 /* were we able to find the cert in passed to us */ 910 if (x509 == NULL) { 911 PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, 912 PKCS7_R_UNABLE_TO_FIND_CERTIFICATE); 913 goto err; 914 } 915 916 /* Lets verify */ 917 if (!X509_STORE_CTX_init(ctx, cert_store, x509, cert)) { 918 PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, ERR_R_X509_LIB); 919 goto err; 920 } 921 X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_SMIME_SIGN); 922 i = X509_verify_cert(ctx); 923 if (i <= 0) { 924 PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, ERR_R_X509_LIB); 925 X509_STORE_CTX_cleanup(ctx); 926 goto err; 927 } 928 X509_STORE_CTX_cleanup(ctx); 929 930 return PKCS7_signatureVerify(bio, p7, si, x509); 931 err: 932 return ret; 933 } 934 935 int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si, 936 X509 *x509) 937 { 938 ASN1_OCTET_STRING *os; 939 EVP_MD_CTX *mdc_tmp, *mdc; 940 int ret = 0, i; 941 int md_type; 942 STACK_OF(X509_ATTRIBUTE) *sk; 943 BIO *btmp; 944 EVP_PKEY *pkey; 945 946 mdc_tmp = EVP_MD_CTX_new(); 947 if (mdc_tmp == NULL) { 948 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, ERR_R_MALLOC_FAILURE); 949 goto err; 950 } 951 952 if (!PKCS7_type_is_signed(p7) && !PKCS7_type_is_signedAndEnveloped(p7)) { 953 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, PKCS7_R_WRONG_PKCS7_TYPE); 954 goto err; 955 } 956 957 md_type = OBJ_obj2nid(si->digest_alg->algorithm); 958 959 btmp = bio; 960 for (;;) { 961 if ((btmp == NULL) || 962 ((btmp = BIO_find_type(btmp, BIO_TYPE_MD)) == NULL)) { 963 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, 964 PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST); 965 goto err; 966 } 967 BIO_get_md_ctx(btmp, &mdc); 968 if (mdc == NULL) { 969 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, ERR_R_INTERNAL_ERROR); 970 goto err; 971 } 972 if (EVP_MD_CTX_type(mdc) == md_type) 973 break; 974 /* 975 * Workaround for some broken clients that put the signature OID 976 * instead of the digest OID in digest_alg->algorithm 977 */ 978 if (EVP_MD_pkey_type(EVP_MD_CTX_md(mdc)) == md_type) 979 break; 980 btmp = BIO_next(btmp); 981 } 982 983 /* 984 * mdc is the digest ctx that we want, unless there are attributes, in 985 * which case the digest is the signed attributes 986 */ 987 if (!EVP_MD_CTX_copy_ex(mdc_tmp, mdc)) 988 goto err; 989 990 sk = si->auth_attr; 991 if ((sk != NULL) && (sk_X509_ATTRIBUTE_num(sk) != 0)) { 992 unsigned char md_dat[EVP_MAX_MD_SIZE], *abuf = NULL; 993 unsigned int md_len; 994 int alen; 995 ASN1_OCTET_STRING *message_digest; 996 997 if (!EVP_DigestFinal_ex(mdc_tmp, md_dat, &md_len)) 998 goto err; 999 message_digest = PKCS7_digest_from_attributes(sk); 1000 if (!message_digest) { 1001 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, 1002 PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST); 1003 goto err; 1004 } 1005 if ((message_digest->length != (int)md_len) || 1006 (memcmp(message_digest->data, md_dat, md_len))) { 1007 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, PKCS7_R_DIGEST_FAILURE); 1008 ret = -1; 1009 goto err; 1010 } 1011 1012 if (!EVP_VerifyInit_ex(mdc_tmp, EVP_get_digestbynid(md_type), NULL)) 1013 goto err; 1014 1015 alen = ASN1_item_i2d((ASN1_VALUE *)sk, &abuf, 1016 ASN1_ITEM_rptr(PKCS7_ATTR_VERIFY)); 1017 if (alen <= 0) { 1018 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, ERR_R_ASN1_LIB); 1019 ret = -1; 1020 goto err; 1021 } 1022 if (!EVP_VerifyUpdate(mdc_tmp, abuf, alen)) 1023 goto err; 1024 1025 OPENSSL_free(abuf); 1026 } 1027 1028 os = si->enc_digest; 1029 pkey = X509_get0_pubkey(x509); 1030 if (!pkey) { 1031 ret = -1; 1032 goto err; 1033 } 1034 1035 i = EVP_VerifyFinal(mdc_tmp, os->data, os->length, pkey); 1036 if (i <= 0) { 1037 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, PKCS7_R_SIGNATURE_FAILURE); 1038 ret = -1; 1039 goto err; 1040 } 1041 ret = 1; 1042 err: 1043 EVP_MD_CTX_free(mdc_tmp); 1044 return ret; 1045 } 1046 1047 PKCS7_ISSUER_AND_SERIAL *PKCS7_get_issuer_and_serial(PKCS7 *p7, int idx) 1048 { 1049 STACK_OF(PKCS7_RECIP_INFO) *rsk; 1050 PKCS7_RECIP_INFO *ri; 1051 int i; 1052 1053 i = OBJ_obj2nid(p7->type); 1054 if (i != NID_pkcs7_signedAndEnveloped) 1055 return NULL; 1056 if (p7->d.signed_and_enveloped == NULL) 1057 return NULL; 1058 rsk = p7->d.signed_and_enveloped->recipientinfo; 1059 if (rsk == NULL) 1060 return NULL; 1061 if (sk_PKCS7_RECIP_INFO_num(rsk) <= idx) 1062 return NULL; 1063 ri = sk_PKCS7_RECIP_INFO_value(rsk, idx); 1064 return ri->issuer_and_serial; 1065 } 1066 1067 ASN1_TYPE *PKCS7_get_signed_attribute(PKCS7_SIGNER_INFO *si, int nid) 1068 { 1069 return get_attribute(si->auth_attr, nid); 1070 } 1071 1072 ASN1_TYPE *PKCS7_get_attribute(PKCS7_SIGNER_INFO *si, int nid) 1073 { 1074 return get_attribute(si->unauth_attr, nid); 1075 } 1076 1077 static ASN1_TYPE *get_attribute(STACK_OF(X509_ATTRIBUTE) *sk, int nid) 1078 { 1079 int idx; 1080 X509_ATTRIBUTE *xa; 1081 idx = X509at_get_attr_by_NID(sk, nid, -1); 1082 xa = X509at_get_attr(sk, idx); 1083 return X509_ATTRIBUTE_get0_type(xa, 0); 1084 } 1085 1086 ASN1_OCTET_STRING *PKCS7_digest_from_attributes(STACK_OF(X509_ATTRIBUTE) *sk) 1087 { 1088 ASN1_TYPE *astype; 1089 if ((astype = get_attribute(sk, NID_pkcs9_messageDigest)) == NULL) 1090 return NULL; 1091 return astype->value.octet_string; 1092 } 1093 1094 int PKCS7_set_signed_attributes(PKCS7_SIGNER_INFO *p7si, 1095 STACK_OF(X509_ATTRIBUTE) *sk) 1096 { 1097 int i; 1098 1099 sk_X509_ATTRIBUTE_pop_free(p7si->auth_attr, X509_ATTRIBUTE_free); 1100 p7si->auth_attr = sk_X509_ATTRIBUTE_dup(sk); 1101 if (p7si->auth_attr == NULL) 1102 return 0; 1103 for (i = 0; i < sk_X509_ATTRIBUTE_num(sk); i++) { 1104 if ((sk_X509_ATTRIBUTE_set(p7si->auth_attr, i, 1105 X509_ATTRIBUTE_dup(sk_X509_ATTRIBUTE_value 1106 (sk, i)))) 1107 == NULL) 1108 return 0; 1109 } 1110 return 1; 1111 } 1112 1113 int PKCS7_set_attributes(PKCS7_SIGNER_INFO *p7si, 1114 STACK_OF(X509_ATTRIBUTE) *sk) 1115 { 1116 int i; 1117 1118 sk_X509_ATTRIBUTE_pop_free(p7si->unauth_attr, X509_ATTRIBUTE_free); 1119 p7si->unauth_attr = sk_X509_ATTRIBUTE_dup(sk); 1120 if (p7si->unauth_attr == NULL) 1121 return 0; 1122 for (i = 0; i < sk_X509_ATTRIBUTE_num(sk); i++) { 1123 if ((sk_X509_ATTRIBUTE_set(p7si->unauth_attr, i, 1124 X509_ATTRIBUTE_dup(sk_X509_ATTRIBUTE_value 1125 (sk, i)))) 1126 == NULL) 1127 return 0; 1128 } 1129 return 1; 1130 } 1131 1132 int PKCS7_add_signed_attribute(PKCS7_SIGNER_INFO *p7si, int nid, int atrtype, 1133 void *value) 1134 { 1135 return add_attribute(&(p7si->auth_attr), nid, atrtype, value); 1136 } 1137 1138 int PKCS7_add_attribute(PKCS7_SIGNER_INFO *p7si, int nid, int atrtype, 1139 void *value) 1140 { 1141 return add_attribute(&(p7si->unauth_attr), nid, atrtype, value); 1142 } 1143 1144 static int add_attribute(STACK_OF(X509_ATTRIBUTE) **sk, int nid, int atrtype, 1145 void *value) 1146 { 1147 X509_ATTRIBUTE *attr = NULL; 1148 1149 if (*sk == NULL) { 1150 if ((*sk = sk_X509_ATTRIBUTE_new_null()) == NULL) 1151 return 0; 1152 new_attrib: 1153 if ((attr = X509_ATTRIBUTE_create(nid, atrtype, value)) == NULL) 1154 return 0; 1155 if (!sk_X509_ATTRIBUTE_push(*sk, attr)) { 1156 X509_ATTRIBUTE_free(attr); 1157 return 0; 1158 } 1159 } else { 1160 int i; 1161 1162 for (i = 0; i < sk_X509_ATTRIBUTE_num(*sk); i++) { 1163 attr = sk_X509_ATTRIBUTE_value(*sk, i); 1164 if (OBJ_obj2nid(X509_ATTRIBUTE_get0_object(attr)) == nid) { 1165 X509_ATTRIBUTE_free(attr); 1166 attr = X509_ATTRIBUTE_create(nid, atrtype, value); 1167 if (attr == NULL) 1168 return 0; 1169 if (!sk_X509_ATTRIBUTE_set(*sk, i, attr)) { 1170 X509_ATTRIBUTE_free(attr); 1171 return 0; 1172 } 1173 goto end; 1174 } 1175 } 1176 goto new_attrib; 1177 } 1178 end: 1179 return 1; 1180 } 1181