2
0

cms_lib.c 15 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588
  1. /*
  2. * Copyright 2008-2020 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the OpenSSL license (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <openssl/asn1t.h>
  10. #include <openssl/x509v3.h>
  11. #include <openssl/err.h>
  12. #include <openssl/pem.h>
  13. #include <openssl/bio.h>
  14. #include <openssl/asn1.h>
  15. #include <openssl/cms.h>
  16. #include "cms_local.h"
  17. IMPLEMENT_ASN1_FUNCTIONS(CMS_ContentInfo)
  18. IMPLEMENT_ASN1_PRINT_FUNCTION(CMS_ContentInfo)
  19. const ASN1_OBJECT *CMS_get0_type(const CMS_ContentInfo *cms)
  20. {
  21. return cms->contentType;
  22. }
  23. CMS_ContentInfo *cms_Data_create(void)
  24. {
  25. CMS_ContentInfo *cms;
  26. cms = CMS_ContentInfo_new();
  27. if (cms != NULL) {
  28. cms->contentType = OBJ_nid2obj(NID_pkcs7_data);
  29. /* Never detached */
  30. CMS_set_detached(cms, 0);
  31. }
  32. return cms;
  33. }
  34. BIO *cms_content_bio(CMS_ContentInfo *cms)
  35. {
  36. ASN1_OCTET_STRING **pos = CMS_get0_content(cms);
  37. if (!pos)
  38. return NULL;
  39. /* If content detached data goes nowhere: create NULL BIO */
  40. if (!*pos)
  41. return BIO_new(BIO_s_null());
  42. /*
  43. * If content not detached and created return memory BIO
  44. */
  45. if (!*pos || ((*pos)->flags == ASN1_STRING_FLAG_CONT))
  46. return BIO_new(BIO_s_mem());
  47. /* Else content was read in: return read only BIO for it */
  48. return BIO_new_mem_buf((*pos)->data, (*pos)->length);
  49. }
  50. BIO *CMS_dataInit(CMS_ContentInfo *cms, BIO *icont)
  51. {
  52. BIO *cmsbio, *cont;
  53. if (icont)
  54. cont = icont;
  55. else
  56. cont = cms_content_bio(cms);
  57. if (!cont) {
  58. CMSerr(CMS_F_CMS_DATAINIT, CMS_R_NO_CONTENT);
  59. return NULL;
  60. }
  61. switch (OBJ_obj2nid(cms->contentType)) {
  62. case NID_pkcs7_data:
  63. return cont;
  64. case NID_pkcs7_signed:
  65. cmsbio = cms_SignedData_init_bio(cms);
  66. break;
  67. case NID_pkcs7_digest:
  68. cmsbio = cms_DigestedData_init_bio(cms);
  69. break;
  70. #ifdef ZLIB
  71. case NID_id_smime_ct_compressedData:
  72. cmsbio = cms_CompressedData_init_bio(cms);
  73. break;
  74. #endif
  75. case NID_pkcs7_encrypted:
  76. cmsbio = cms_EncryptedData_init_bio(cms);
  77. break;
  78. case NID_pkcs7_enveloped:
  79. cmsbio = cms_EnvelopedData_init_bio(cms);
  80. break;
  81. default:
  82. CMSerr(CMS_F_CMS_DATAINIT, CMS_R_UNSUPPORTED_TYPE);
  83. goto err;
  84. }
  85. if (cmsbio)
  86. return BIO_push(cmsbio, cont);
  87. err:
  88. if (!icont)
  89. BIO_free(cont);
  90. return NULL;
  91. }
  92. int CMS_dataFinal(CMS_ContentInfo *cms, BIO *cmsbio)
  93. {
  94. ASN1_OCTET_STRING **pos = CMS_get0_content(cms);
  95. if (!pos)
  96. return 0;
  97. /* If embedded content find memory BIO and set content */
  98. if (*pos && ((*pos)->flags & ASN1_STRING_FLAG_CONT)) {
  99. BIO *mbio;
  100. unsigned char *cont;
  101. long contlen;
  102. mbio = BIO_find_type(cmsbio, BIO_TYPE_MEM);
  103. if (!mbio) {
  104. CMSerr(CMS_F_CMS_DATAFINAL, CMS_R_CONTENT_NOT_FOUND);
  105. return 0;
  106. }
  107. contlen = BIO_get_mem_data(mbio, &cont);
  108. /* Set bio as read only so its content can't be clobbered */
  109. BIO_set_flags(mbio, BIO_FLAGS_MEM_RDONLY);
  110. BIO_set_mem_eof_return(mbio, 0);
  111. ASN1_STRING_set0(*pos, cont, contlen);
  112. (*pos)->flags &= ~ASN1_STRING_FLAG_CONT;
  113. }
  114. switch (OBJ_obj2nid(cms->contentType)) {
  115. case NID_pkcs7_data:
  116. case NID_pkcs7_enveloped:
  117. case NID_pkcs7_encrypted:
  118. case NID_id_smime_ct_compressedData:
  119. /* Nothing to do */
  120. return 1;
  121. case NID_pkcs7_signed:
  122. return cms_SignedData_final(cms, cmsbio);
  123. case NID_pkcs7_digest:
  124. return cms_DigestedData_do_final(cms, cmsbio, 0);
  125. default:
  126. CMSerr(CMS_F_CMS_DATAFINAL, CMS_R_UNSUPPORTED_TYPE);
  127. return 0;
  128. }
  129. }
  130. /*
  131. * Return an OCTET STRING pointer to content. This allows it to be accessed
  132. * or set later.
  133. */
  134. ASN1_OCTET_STRING **CMS_get0_content(CMS_ContentInfo *cms)
  135. {
  136. switch (OBJ_obj2nid(cms->contentType)) {
  137. case NID_pkcs7_data:
  138. return &cms->d.data;
  139. case NID_pkcs7_signed:
  140. return &cms->d.signedData->encapContentInfo->eContent;
  141. case NID_pkcs7_enveloped:
  142. return &cms->d.envelopedData->encryptedContentInfo->encryptedContent;
  143. case NID_pkcs7_digest:
  144. return &cms->d.digestedData->encapContentInfo->eContent;
  145. case NID_pkcs7_encrypted:
  146. return &cms->d.encryptedData->encryptedContentInfo->encryptedContent;
  147. case NID_id_smime_ct_authData:
  148. return &cms->d.authenticatedData->encapContentInfo->eContent;
  149. case NID_id_smime_ct_compressedData:
  150. return &cms->d.compressedData->encapContentInfo->eContent;
  151. default:
  152. if (cms->d.other->type == V_ASN1_OCTET_STRING)
  153. return &cms->d.other->value.octet_string;
  154. CMSerr(CMS_F_CMS_GET0_CONTENT, CMS_R_UNSUPPORTED_CONTENT_TYPE);
  155. return NULL;
  156. }
  157. }
  158. /*
  159. * Return an ASN1_OBJECT pointer to content type. This allows it to be
  160. * accessed or set later.
  161. */
  162. static ASN1_OBJECT **cms_get0_econtent_type(CMS_ContentInfo *cms)
  163. {
  164. switch (OBJ_obj2nid(cms->contentType)) {
  165. case NID_pkcs7_signed:
  166. return &cms->d.signedData->encapContentInfo->eContentType;
  167. case NID_pkcs7_enveloped:
  168. return &cms->d.envelopedData->encryptedContentInfo->contentType;
  169. case NID_pkcs7_digest:
  170. return &cms->d.digestedData->encapContentInfo->eContentType;
  171. case NID_pkcs7_encrypted:
  172. return &cms->d.encryptedData->encryptedContentInfo->contentType;
  173. case NID_id_smime_ct_authData:
  174. return &cms->d.authenticatedData->encapContentInfo->eContentType;
  175. case NID_id_smime_ct_compressedData:
  176. return &cms->d.compressedData->encapContentInfo->eContentType;
  177. default:
  178. CMSerr(CMS_F_CMS_GET0_ECONTENT_TYPE, CMS_R_UNSUPPORTED_CONTENT_TYPE);
  179. return NULL;
  180. }
  181. }
  182. const ASN1_OBJECT *CMS_get0_eContentType(CMS_ContentInfo *cms)
  183. {
  184. ASN1_OBJECT **petype;
  185. petype = cms_get0_econtent_type(cms);
  186. if (petype)
  187. return *petype;
  188. return NULL;
  189. }
  190. int CMS_set1_eContentType(CMS_ContentInfo *cms, const ASN1_OBJECT *oid)
  191. {
  192. ASN1_OBJECT **petype, *etype;
  193. petype = cms_get0_econtent_type(cms);
  194. if (!petype)
  195. return 0;
  196. if (!oid)
  197. return 1;
  198. etype = OBJ_dup(oid);
  199. if (!etype)
  200. return 0;
  201. ASN1_OBJECT_free(*petype);
  202. *petype = etype;
  203. return 1;
  204. }
  205. int CMS_is_detached(CMS_ContentInfo *cms)
  206. {
  207. ASN1_OCTET_STRING **pos;
  208. pos = CMS_get0_content(cms);
  209. if (!pos)
  210. return -1;
  211. if (*pos)
  212. return 0;
  213. return 1;
  214. }
  215. int CMS_set_detached(CMS_ContentInfo *cms, int detached)
  216. {
  217. ASN1_OCTET_STRING **pos;
  218. pos = CMS_get0_content(cms);
  219. if (!pos)
  220. return 0;
  221. if (detached) {
  222. ASN1_OCTET_STRING_free(*pos);
  223. *pos = NULL;
  224. return 1;
  225. }
  226. if (*pos == NULL)
  227. *pos = ASN1_OCTET_STRING_new();
  228. if (*pos != NULL) {
  229. /*
  230. * NB: special flag to show content is created and not read in.
  231. */
  232. (*pos)->flags |= ASN1_STRING_FLAG_CONT;
  233. return 1;
  234. }
  235. CMSerr(CMS_F_CMS_SET_DETACHED, ERR_R_MALLOC_FAILURE);
  236. return 0;
  237. }
  238. /* Create a digest BIO from an X509_ALGOR structure */
  239. BIO *cms_DigestAlgorithm_init_bio(X509_ALGOR *digestAlgorithm)
  240. {
  241. BIO *mdbio = NULL;
  242. const ASN1_OBJECT *digestoid;
  243. const EVP_MD *digest;
  244. X509_ALGOR_get0(&digestoid, NULL, NULL, digestAlgorithm);
  245. digest = EVP_get_digestbyobj(digestoid);
  246. if (!digest) {
  247. CMSerr(CMS_F_CMS_DIGESTALGORITHM_INIT_BIO,
  248. CMS_R_UNKNOWN_DIGEST_ALGORITHM);
  249. goto err;
  250. }
  251. mdbio = BIO_new(BIO_f_md());
  252. if (mdbio == NULL || !BIO_set_md(mdbio, digest)) {
  253. CMSerr(CMS_F_CMS_DIGESTALGORITHM_INIT_BIO, CMS_R_MD_BIO_INIT_ERROR);
  254. goto err;
  255. }
  256. return mdbio;
  257. err:
  258. BIO_free(mdbio);
  259. return NULL;
  260. }
  261. /* Locate a message digest content from a BIO chain based on SignerInfo */
  262. int cms_DigestAlgorithm_find_ctx(EVP_MD_CTX *mctx, BIO *chain,
  263. X509_ALGOR *mdalg)
  264. {
  265. int nid;
  266. const ASN1_OBJECT *mdoid;
  267. X509_ALGOR_get0(&mdoid, NULL, NULL, mdalg);
  268. nid = OBJ_obj2nid(mdoid);
  269. /* Look for digest type to match signature */
  270. for (;;) {
  271. EVP_MD_CTX *mtmp;
  272. chain = BIO_find_type(chain, BIO_TYPE_MD);
  273. if (chain == NULL) {
  274. CMSerr(CMS_F_CMS_DIGESTALGORITHM_FIND_CTX,
  275. CMS_R_NO_MATCHING_DIGEST);
  276. return 0;
  277. }
  278. BIO_get_md_ctx(chain, &mtmp);
  279. if (EVP_MD_CTX_type(mtmp) == nid
  280. /*
  281. * Workaround for broken implementations that use signature
  282. * algorithm OID instead of digest.
  283. */
  284. || EVP_MD_pkey_type(EVP_MD_CTX_md(mtmp)) == nid)
  285. return EVP_MD_CTX_copy_ex(mctx, mtmp);
  286. chain = BIO_next(chain);
  287. }
  288. }
  289. static STACK_OF(CMS_CertificateChoices)
  290. **cms_get0_certificate_choices(CMS_ContentInfo *cms)
  291. {
  292. switch (OBJ_obj2nid(cms->contentType)) {
  293. case NID_pkcs7_signed:
  294. return &cms->d.signedData->certificates;
  295. case NID_pkcs7_enveloped:
  296. if (cms->d.envelopedData->originatorInfo == NULL)
  297. return NULL;
  298. return &cms->d.envelopedData->originatorInfo->certificates;
  299. default:
  300. CMSerr(CMS_F_CMS_GET0_CERTIFICATE_CHOICES,
  301. CMS_R_UNSUPPORTED_CONTENT_TYPE);
  302. return NULL;
  303. }
  304. }
  305. CMS_CertificateChoices *CMS_add0_CertificateChoices(CMS_ContentInfo *cms)
  306. {
  307. STACK_OF(CMS_CertificateChoices) **pcerts;
  308. CMS_CertificateChoices *cch;
  309. pcerts = cms_get0_certificate_choices(cms);
  310. if (!pcerts)
  311. return NULL;
  312. if (!*pcerts)
  313. *pcerts = sk_CMS_CertificateChoices_new_null();
  314. if (!*pcerts)
  315. return NULL;
  316. cch = M_ASN1_new_of(CMS_CertificateChoices);
  317. if (!cch)
  318. return NULL;
  319. if (!sk_CMS_CertificateChoices_push(*pcerts, cch)) {
  320. M_ASN1_free_of(cch, CMS_CertificateChoices);
  321. return NULL;
  322. }
  323. return cch;
  324. }
  325. int CMS_add0_cert(CMS_ContentInfo *cms, X509 *cert)
  326. {
  327. CMS_CertificateChoices *cch;
  328. STACK_OF(CMS_CertificateChoices) **pcerts;
  329. int i;
  330. pcerts = cms_get0_certificate_choices(cms);
  331. if (!pcerts)
  332. return 0;
  333. for (i = 0; i < sk_CMS_CertificateChoices_num(*pcerts); i++) {
  334. cch = sk_CMS_CertificateChoices_value(*pcerts, i);
  335. if (cch->type == CMS_CERTCHOICE_CERT) {
  336. if (!X509_cmp(cch->d.certificate, cert)) {
  337. CMSerr(CMS_F_CMS_ADD0_CERT,
  338. CMS_R_CERTIFICATE_ALREADY_PRESENT);
  339. return 0;
  340. }
  341. }
  342. }
  343. cch = CMS_add0_CertificateChoices(cms);
  344. if (!cch)
  345. return 0;
  346. cch->type = CMS_CERTCHOICE_CERT;
  347. cch->d.certificate = cert;
  348. return 1;
  349. }
  350. int CMS_add1_cert(CMS_ContentInfo *cms, X509 *cert)
  351. {
  352. int r;
  353. r = CMS_add0_cert(cms, cert);
  354. if (r > 0)
  355. X509_up_ref(cert);
  356. return r;
  357. }
  358. static STACK_OF(CMS_RevocationInfoChoice)
  359. **cms_get0_revocation_choices(CMS_ContentInfo *cms)
  360. {
  361. switch (OBJ_obj2nid(cms->contentType)) {
  362. case NID_pkcs7_signed:
  363. return &cms->d.signedData->crls;
  364. case NID_pkcs7_enveloped:
  365. if (cms->d.envelopedData->originatorInfo == NULL)
  366. return NULL;
  367. return &cms->d.envelopedData->originatorInfo->crls;
  368. default:
  369. CMSerr(CMS_F_CMS_GET0_REVOCATION_CHOICES,
  370. CMS_R_UNSUPPORTED_CONTENT_TYPE);
  371. return NULL;
  372. }
  373. }
  374. CMS_RevocationInfoChoice *CMS_add0_RevocationInfoChoice(CMS_ContentInfo *cms)
  375. {
  376. STACK_OF(CMS_RevocationInfoChoice) **pcrls;
  377. CMS_RevocationInfoChoice *rch;
  378. pcrls = cms_get0_revocation_choices(cms);
  379. if (!pcrls)
  380. return NULL;
  381. if (!*pcrls)
  382. *pcrls = sk_CMS_RevocationInfoChoice_new_null();
  383. if (!*pcrls)
  384. return NULL;
  385. rch = M_ASN1_new_of(CMS_RevocationInfoChoice);
  386. if (!rch)
  387. return NULL;
  388. if (!sk_CMS_RevocationInfoChoice_push(*pcrls, rch)) {
  389. M_ASN1_free_of(rch, CMS_RevocationInfoChoice);
  390. return NULL;
  391. }
  392. return rch;
  393. }
  394. int CMS_add0_crl(CMS_ContentInfo *cms, X509_CRL *crl)
  395. {
  396. CMS_RevocationInfoChoice *rch;
  397. rch = CMS_add0_RevocationInfoChoice(cms);
  398. if (!rch)
  399. return 0;
  400. rch->type = CMS_REVCHOICE_CRL;
  401. rch->d.crl = crl;
  402. return 1;
  403. }
  404. int CMS_add1_crl(CMS_ContentInfo *cms, X509_CRL *crl)
  405. {
  406. int r;
  407. r = CMS_add0_crl(cms, crl);
  408. if (r > 0)
  409. X509_CRL_up_ref(crl);
  410. return r;
  411. }
  412. STACK_OF(X509) *CMS_get1_certs(CMS_ContentInfo *cms)
  413. {
  414. STACK_OF(X509) *certs = NULL;
  415. CMS_CertificateChoices *cch;
  416. STACK_OF(CMS_CertificateChoices) **pcerts;
  417. int i;
  418. pcerts = cms_get0_certificate_choices(cms);
  419. if (!pcerts)
  420. return NULL;
  421. for (i = 0; i < sk_CMS_CertificateChoices_num(*pcerts); i++) {
  422. cch = sk_CMS_CertificateChoices_value(*pcerts, i);
  423. if (cch->type == 0) {
  424. if (!certs) {
  425. certs = sk_X509_new_null();
  426. if (!certs)
  427. return NULL;
  428. }
  429. if (!sk_X509_push(certs, cch->d.certificate)) {
  430. sk_X509_pop_free(certs, X509_free);
  431. return NULL;
  432. }
  433. X509_up_ref(cch->d.certificate);
  434. }
  435. }
  436. return certs;
  437. }
  438. STACK_OF(X509_CRL) *CMS_get1_crls(CMS_ContentInfo *cms)
  439. {
  440. STACK_OF(X509_CRL) *crls = NULL;
  441. STACK_OF(CMS_RevocationInfoChoice) **pcrls;
  442. CMS_RevocationInfoChoice *rch;
  443. int i;
  444. pcrls = cms_get0_revocation_choices(cms);
  445. if (!pcrls)
  446. return NULL;
  447. for (i = 0; i < sk_CMS_RevocationInfoChoice_num(*pcrls); i++) {
  448. rch = sk_CMS_RevocationInfoChoice_value(*pcrls, i);
  449. if (rch->type == 0) {
  450. if (!crls) {
  451. crls = sk_X509_CRL_new_null();
  452. if (!crls)
  453. return NULL;
  454. }
  455. if (!sk_X509_CRL_push(crls, rch->d.crl)) {
  456. sk_X509_CRL_pop_free(crls, X509_CRL_free);
  457. return NULL;
  458. }
  459. X509_CRL_up_ref(rch->d.crl);
  460. }
  461. }
  462. return crls;
  463. }
  464. int cms_ias_cert_cmp(CMS_IssuerAndSerialNumber *ias, X509 *cert)
  465. {
  466. int ret;
  467. ret = X509_NAME_cmp(ias->issuer, X509_get_issuer_name(cert));
  468. if (ret)
  469. return ret;
  470. return ASN1_INTEGER_cmp(ias->serialNumber, X509_get_serialNumber(cert));
  471. }
  472. int cms_keyid_cert_cmp(ASN1_OCTET_STRING *keyid, X509 *cert)
  473. {
  474. const ASN1_OCTET_STRING *cert_keyid = X509_get0_subject_key_id(cert);
  475. if (cert_keyid == NULL)
  476. return -1;
  477. return ASN1_OCTET_STRING_cmp(keyid, cert_keyid);
  478. }
  479. int cms_set1_ias(CMS_IssuerAndSerialNumber **pias, X509 *cert)
  480. {
  481. CMS_IssuerAndSerialNumber *ias;
  482. ias = M_ASN1_new_of(CMS_IssuerAndSerialNumber);
  483. if (!ias)
  484. goto err;
  485. if (!X509_NAME_set(&ias->issuer, X509_get_issuer_name(cert)))
  486. goto err;
  487. if (!ASN1_STRING_copy(ias->serialNumber, X509_get_serialNumber(cert)))
  488. goto err;
  489. M_ASN1_free_of(*pias, CMS_IssuerAndSerialNumber);
  490. *pias = ias;
  491. return 1;
  492. err:
  493. M_ASN1_free_of(ias, CMS_IssuerAndSerialNumber);
  494. CMSerr(CMS_F_CMS_SET1_IAS, ERR_R_MALLOC_FAILURE);
  495. return 0;
  496. }
  497. int cms_set1_keyid(ASN1_OCTET_STRING **pkeyid, X509 *cert)
  498. {
  499. ASN1_OCTET_STRING *keyid = NULL;
  500. const ASN1_OCTET_STRING *cert_keyid;
  501. cert_keyid = X509_get0_subject_key_id(cert);
  502. if (cert_keyid == NULL) {
  503. CMSerr(CMS_F_CMS_SET1_KEYID, CMS_R_CERTIFICATE_HAS_NO_KEYID);
  504. return 0;
  505. }
  506. keyid = ASN1_STRING_dup(cert_keyid);
  507. if (!keyid) {
  508. CMSerr(CMS_F_CMS_SET1_KEYID, ERR_R_MALLOC_FAILURE);
  509. return 0;
  510. }
  511. ASN1_OCTET_STRING_free(*pkeyid);
  512. *pkeyid = keyid;
  513. return 1;
  514. }