crypto/cms/cms_lib.c

   1 /* crypto/cms/cms_lib.c */
   2 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
   3  * project.
   4  */
   5 /* ====================================================================
   6  * Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
   7  *
   8  * Redistribution and use in source and binary forms, with or without
   9  * modification, are permitted provided that the following conditions
  10  * are met:
  11  *
  12  * 1. Redistributions of source code must retain the above copyright
  13  *    notice, this list of conditions and the following disclaimer.
  14  *
  15  * 2. Redistributions in binary form must reproduce the above copyright
  16  *    notice, this list of conditions and the following disclaimer in
  17  *    the documentation and/or other materials provided with the
  18  *    distribution.
  19  *
  20  * 3. All advertising materials mentioning features or use of this
  21  *    software must display the following acknowledgment:
  22  *    "This product includes software developed by the OpenSSL Project
  23  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
  24  *
  25  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  26  *    endorse or promote products derived from this software without
  27  *    prior written permission. For written permission, please contact
  28  *    licensing@OpenSSL.org.
  29  *
  30  * 5. Products derived from this software may not be called "OpenSSL"
  31  *    nor may "OpenSSL" appear in their names without prior written
  32  *    permission of the OpenSSL Project.
  33  *
  34  * 6. Redistributions of any form whatsoever must retain the following
  35  *    acknowledgment:
  36  *    "This product includes software developed by the OpenSSL Project
  37  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
  38  *
  39  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  40  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  41  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  42  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
  43  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  44  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  45  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  46  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  47  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  48  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  49  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  50  * OF THE POSSIBILITY OF SUCH DAMAGE.
  51  * ====================================================================
  52  */
  53
  54 #include <openssl/asn1t.h>
  55 #include <openssl/x509.h>
  56 #include <openssl/err.h>
  57 #include <openssl/pem.h>
  58 #include <openssl/bio.h>
  59 #include <openssl/asn1.h>
  60 #include "cms.h"
  61 #include "cms_lcl.h"
  62
  63 IMPLEMENT_ASN1_FUNCTIONS(CMS_ContentInfo)
  64 IMPLEMENT_ASN1_PRINT_FUNCTION(CMS_ContentInfo)
  65
  66 DECLARE_ASN1_ITEM(CMS_CertificateChoices)
  67 DECLARE_ASN1_ITEM(CMS_RevocationInfoChoice)
  68 DECLARE_STACK_OF(CMS_CertificateChoices)
  69 DECLARE_STACK_OF(CMS_RevocationInfoChoice)
  70
  71 #if 0
  72 IMPLEMENT_ASN1_ALLOC_FUNCTIONS(CMS_CertificateChoices)
  73 IMPLEMENT_ASN1_ALLOC_FUNCTIONS(CMS_RevocationInfoChoice)
  74 #endif
  75
  76
  77 const ASN1_OBJECT *CMS_get0_type(CMS_ContentInfo *cms)
  78         {
  79         return cms->contentType;
  80         }
  81
  82 CMS_ContentInfo *cms_Data_create(void)
  83         {
  84         CMS_ContentInfo *cms;
  85         cms = CMS_ContentInfo_new();
  86         if (cms)
  87                 {
  88                 cms->contentType = OBJ_nid2obj(NID_pkcs7_data);
  89                 /* Never detached */
  90                 CMS_set_detached(cms, 0);
  91                 }
  92         return cms;
  93         }
  94
  95 BIO *cms_content_bio(CMS_ContentInfo *cms)
  96         {
  97         ASN1_OCTET_STRING **pos = CMS_get0_content(cms);
  98         if (!pos)
  99                 return NULL;
 100         /* If content detached data goes nowhere: create NULL BIO */
 101         if (!*pos)
 102                 return BIO_new(BIO_s_null());
 103         /* If content not detached and created return memory BIO
 104          */
 105         if (!*pos || ((*pos)->flags == ASN1_STRING_FLAG_CONT))
 106                 return BIO_new(BIO_s_mem());
 107         /* Else content was read in: return read only BIO for it */
 108         return BIO_new_mem_buf((*pos)->data, (*pos)->length);
 109         }
 110
 111 BIO *CMS_dataInit(CMS_ContentInfo *cms, BIO *icont)
 112         {
 113         BIO *cmsbio, *cont;
 114         if (icont)
 115                 cont = icont;
 116         else
 117                 cont = cms_content_bio(cms);
 118         if (!cont)
 119                 {
 120                 CMSerr(CMS_F_CMS_DATAINIT, CMS_R_NO_CONTENT);
 121                 return NULL;
 122                 }
 123         switch (OBJ_obj2nid(cms->contentType))
 124                 {
 125
 126                 case NID_pkcs7_data:
 127                 return cont;
 128
 129                 case NID_pkcs7_signed:
 130                 cmsbio = cms_SignedData_init_bio(cms);
 131                 break;
 132
 133                 case NID_pkcs7_digest:
 134                 cmsbio = cms_DigestedData_init_bio(cms);
 135                 break;
 136 #ifdef ZLIB
 137                 case NID_id_smime_ct_compressedData:
 138                 cmsbio = cms_CompressedData_init_bio(cms);
 139                 break;
 140 #endif
 141
 142                 default:
 143                 CMSerr(CMS_F_CMS_DATAINIT, CMS_R_UNSUPPORTED_TYPE);
 144                 return NULL;
 145                 }
 146
 147         if (cmsbio)
 148                 return BIO_push(cmsbio, cont);
 149
 150         if (!icont)
 151                 BIO_free(cont);
 152         return NULL;
 153
 154         }
 155
 156 int CMS_dataFinal(CMS_ContentInfo *cms, BIO *cmsbio)
 157         {
 158         ASN1_OCTET_STRING **pos = CMS_get0_content(cms);
 159         if (!pos)
 160                 return 0;
 161         /* If ebmedded content find memory BIO and set content */
 162         if (*pos && ((*pos)->flags & ASN1_STRING_FLAG_CONT))
 163                 {
 164                 BIO *mbio;
 165                 unsigned char *cont;
 166                 long contlen;
 167                 mbio = BIO_find_type(cmsbio, BIO_TYPE_MEM);
 168                 if (!mbio)
 169                         {
 170                         CMSerr(CMS_F_CMS_DATAFINAL, CMS_R_CONTENT_NOT_FOUND);
 171                         return 0;
 172                         }
 173                 contlen = BIO_get_mem_data(mbio, &cont);
 174                 /* Set bio as read only so its content can't be clobbered */
 175                 BIO_set_flags(mbio, BIO_FLAGS_MEM_RDONLY);
 176                 BIO_set_mem_eof_return(mbio, 0);
 177                 ASN1_STRING_set0(*pos, cont, contlen);
 178                 (*pos)->flags &= ~ASN1_STRING_FLAG_CONT;
 179                 }
 180
 181         switch (OBJ_obj2nid(cms->contentType))
 182                 {
 183
 184                 case NID_pkcs7_data:
 185                 case NID_id_smime_ct_compressedData:
 186                 /* Nothing to do */
 187                 return 1;
 188
 189                 case NID_pkcs7_signed:
 190                 return cms_SignedData_final(cms, cmsbio);
 191
 192                 case NID_pkcs7_digest:
 193                 return cms_DigestedData_do_final(cms, cmsbio, 0);
 194
 195                 default:
 196                 CMSerr(CMS_F_CMS_DATAFINAL, CMS_R_UNSUPPORTED_TYPE);
 197                 return 0;
 198                 }
 199         }
 200
 201 /* Return an OCTET STRING pointer to content. This allows it to
 202  * be accessed or set later.
 203  */
 204
 205 ASN1_OCTET_STRING **CMS_get0_content(CMS_ContentInfo *cms)
 206         {
 207         switch (OBJ_obj2nid(cms->contentType))
 208                 {
 209
 210                 case NID_pkcs7_data:
 211                 return &cms->d.data;
 212
 213                 case NID_pkcs7_signed:
 214                 return &cms->d.signedData->encapContentInfo->eContent;
 215
 216                 case NID_pkcs7_enveloped:
 217                 return &cms->d.envelopedData->encryptedContentInfo->encryptedContent;
 218
 219                 case NID_pkcs7_digest:
 220                 return &cms->d.digestedData->encapContentInfo->eContent;
 221
 222                 case NID_pkcs7_encrypted:
 223                 return &cms->d.encryptedData->encryptedContentInfo->encryptedContent;
 224
 225                 case NID_id_smime_ct_authData:
 226                 return &cms->d.authenticatedData->encapContentInfo->eContent;
 227
 228                 case NID_id_smime_ct_compressedData:
 229                 return &cms->d.compressedData->encapContentInfo->eContent;
 230
 231                 default:
 232                 if (cms->d.other->type == V_ASN1_OCTET_STRING)
 233                         return &cms->d.other->value.octet_string;
 234                 CMSerr(CMS_F_CMS_GET0_CONTENT, CMS_R_UNSUPPORTED_CONTENT_TYPE);
 235                 return NULL;
 236
 237                 }
 238         }
 239
 240 /* Return an ASN1_OBJECT pointer to content type. This allows it to
 241  * be accessed or set later.
 242  */
 243
 244 static ASN1_OBJECT **cms_get0_econtent_type(CMS_ContentInfo *cms)
 245         {
 246         switch (OBJ_obj2nid(cms->contentType))
 247                 {
 248
 249                 case NID_pkcs7_signed:
 250                 return &cms->d.signedData->encapContentInfo->eContentType;
 251
 252                 case NID_pkcs7_enveloped:
 253                 return &cms->d.envelopedData->encryptedContentInfo->contentType;
 254
 255                 case NID_pkcs7_digest:
 256                 return &cms->d.digestedData->encapContentInfo->eContentType;
 257
 258                 case NID_pkcs7_encrypted:
 259                 return &cms->d.encryptedData->encryptedContentInfo->contentType;
 260
 261                 case NID_id_smime_ct_authData:
 262                 return &cms->d.authenticatedData->encapContentInfo->eContentType;
 263
 264                 case NID_id_smime_ct_compressedData:
 265                 return &cms->d.compressedData->encapContentInfo->eContentType;
 266
 267                 default:
 268                 CMSerr(CMS_F_CMS_GET0_ECONTENT_TYPE,
 269                                         CMS_R_UNSUPPORTED_CONTENT_TYPE);
 270                 return NULL;
 271
 272                 }
 273         }
 274
 275 const ASN1_OBJECT *CMS_get0_eContentType(CMS_ContentInfo *cms)
 276         {
 277         ASN1_OBJECT **petype;
 278         petype = cms_get0_econtent_type(cms);
 279         if (petype)
 280                 return *petype;
 281         return NULL;
 282         }
 283
 284 int CMS_set1_eContentType(CMS_ContentInfo *cms, const ASN1_OBJECT *oid)
 285         {
 286         ASN1_OBJECT **petype, *etype;
 287         petype = cms_get0_econtent_type(cms);
 288         if (!petype)
 289                 return 0;
 290         if (!oid)
 291                 return 1;
 292         etype = OBJ_dup(oid);
 293         if (!etype)
 294                 return 0;
 295         ASN1_OBJECT_free(*petype);
 296         *petype = etype;
 297         return 1;
 298         }
 299
 300 int CMS_is_detached(CMS_ContentInfo *cms)
 301         {
 302         ASN1_OCTET_STRING **pos;
 303         pos = CMS_get0_content(cms);
 304         if (!pos)
 305                 return -1;
 306         if (*pos)
 307                 return 0;
 308         return 1;
 309         }
 310
 311 int CMS_set_detached(CMS_ContentInfo *cms, int detached)
 312         {
 313         ASN1_OCTET_STRING **pos;
 314         pos = CMS_get0_content(cms);
 315         if (!pos)
 316                 return 0;
 317         if (detached)
 318                 {
 319                 if (*pos)
 320                         {
 321                         ASN1_OCTET_STRING_free(*pos);
 322                         *pos = NULL;
 323                         }
 324                 return 1;
 325                 }
 326         if (!*pos)
 327                 *pos = ASN1_OCTET_STRING_new();
 328         if (*pos)
 329                 {
 330                 /* NB: special flag to show content is created and not
 331                  * read in.
 332                  */
 333                 (*pos)->flags |= ASN1_STRING_FLAG_CONT;
 334                 return 1;
 335                 }
 336         CMSerr(CMS_F_CMS_SET_DETACHED, ERR_R_MALLOC_FAILURE);
 337         return 0;
 338         }
 339
 340 /* Set up an X509_ALGOR DigestAlgorithmIdentifier from an EVP_MD */
 341
 342 void cms_DigestAlgorithm_set(X509_ALGOR *alg, const EVP_MD *md)
 343         {
 344         int param_type;
 345
 346         if (md->flags & EVP_MD_FLAG_DIGALGID_ABSENT)
 347                 param_type = V_ASN1_UNDEF;
 348         else
 349                 param_type = V_ASN1_NULL;
 350
 351         X509_ALGOR_set0(alg, OBJ_nid2obj(EVP_MD_type(md)), param_type, NULL);
 352
 353         }
 354
 355 /* Create a digest BIO from an X509_ALGOR structure */
 356
 357 BIO *cms_DigestAlgorithm_init_bio(X509_ALGOR *digestAlgorithm)
 358         {
 359         BIO *mdbio = NULL;
 360         ASN1_OBJECT *digestoid;
 361         const EVP_MD *digest;
 362         X509_ALGOR_get0(&digestoid, NULL, NULL, digestAlgorithm);
 363         digest = EVP_get_digestbyobj(digestoid);
 364         if (!digest)
 365                 {
 366                 CMSerr(CMS_F_CMS_DIGESTALGORITHM_INIT_BIO,
 367                                 CMS_R_UNKNOWN_DIGEST_ALGORIHM);
 368                 goto err;
 369                 }
 370         mdbio = BIO_new(BIO_f_md());
 371         if (!mdbio || !BIO_set_md(mdbio, digest))
 372                 {
 373                 CMSerr(CMS_F_CMS_DIGESTALGORITHM_INIT_BIO,
 374                                 CMS_R_MD_BIO_INIT_ERROR);
 375                 goto err;
 376                 }
 377         return mdbio;
 378         err:
 379         if (mdbio)
 380                 BIO_free(mdbio);
 381         return NULL;
 382         }
 383
 384 /* Locate a message digest content from a BIO chain based on SignerInfo */
 385
 386 int cms_DigestAlgorithm_find_ctx(EVP_MD_CTX *mctx, BIO *chain,
 387                                         X509_ALGOR *mdalg)
 388         {
 389         int nid;
 390         ASN1_OBJECT *mdoid;
 391         X509_ALGOR_get0(&mdoid, NULL, NULL, mdalg);
 392         nid = OBJ_obj2nid(mdoid);
 393         /* Look for digest type to match signature */
 394         for (;;)
 395                 {
 396                 EVP_MD_CTX *mtmp;
 397                 chain = BIO_find_type(chain, BIO_TYPE_MD);
 398                 if (chain == NULL)
 399                         {
 400                         CMSerr(CMS_F_CMS_DIGESTALGORITHM_FIND_CTX,
 401                                                 CMS_R_NO_MATCHING_DIGEST);
 402                         return 0;
 403                         }
 404                 BIO_get_md_ctx(chain, &mtmp);
 405                 if (EVP_MD_CTX_type(mtmp) == nid)
 406                         {
 407                         EVP_MD_CTX_copy_ex(mctx, mtmp);
 408                         return 1;
 409                         }
 410                 chain = BIO_next(chain);
 411                 }
 412         }
 413
 414 STACK_OF(CMS_CertificateChoices) **cms_get0_certificate_choices(CMS_ContentInfo *cms)
 415         {
 416         switch (OBJ_obj2nid(cms->contentType))
 417                 {
 418
 419                 case NID_pkcs7_signed:
 420                 return &cms->d.signedData->certificates;
 421
 422                 case NID_pkcs7_enveloped:
 423                 return &cms->d.envelopedData->originatorInfo->certificates;
 424
 425                 default:
 426                 CMSerr(CMS_F_CMS_GET0_CERTIFICATE_CHOICES,
 427                                         CMS_R_UNSUPPORTED_CONTENT_TYPE);
 428                 return NULL;
 429
 430                 }
 431         }
 432
 433 CMS_CertificateChoices *CMS_add0_CertificateChoices(CMS_ContentInfo *cms)
 434         {
 435         STACK_OF(CMS_CertificateChoices) **pcerts;
 436         CMS_CertificateChoices *cch;
 437         pcerts = cms_get0_certificate_choices(cms);
 438         if (!pcerts)
 439                 return NULL;
 440         if (!*pcerts)
 441                 *pcerts = sk_CMS_CertificateChoices_new_null();
 442         if (!*pcerts)
 443                 return NULL;
 444         cch = M_ASN1_new_of(CMS_CertificateChoices);
 445         if (!cch)
 446                 return NULL;
 447         if (!sk_CMS_CertificateChoices_push(*pcerts, cch))
 448                 {
 449                 M_ASN1_free_of(cch, CMS_CertificateChoices);
 450                 return NULL;
 451                 }
 452         return cch;
 453         }
 454
 455 int CMS_add0_cert(CMS_ContentInfo *cms, X509 *cert)
 456         {
 457         CMS_CertificateChoices *cch;
 458         STACK_OF(CMS_CertificateChoices) **pcerts;
 459         int i;
 460         pcerts = cms_get0_certificate_choices(cms);
 461         if (!pcerts)
 462                 return 0;
 463         if (!pcerts)
 464                 return 0;
 465         for (i = 0; i < sk_CMS_CertificateChoices_num(*pcerts); i++)
 466                 {
 467                 cch = sk_CMS_CertificateChoices_value(*pcerts, i);
 468                 if (cch->type == CMS_CERTCHOICE_CERT)
 469                         {
 470                         if (!X509_cmp(cch->d.certificate, cert))
 471                                 return -1;
 472
 473                         }
 474                 }
 475         cch = CMS_add0_CertificateChoices(cms);
 476         if (!cch)
 477                 return 0;
 478         cch->type = CMS_CERTCHOICE_CERT;
 479         cch->d.certificate = cert;
 480         return 1;
 481         }
 482
 483 int CMS_add1_cert(CMS_ContentInfo *cms, X509 *cert)
 484         {
 485         int r;
 486         r = CMS_add0_cert(cms, cert);
 487         if (r > 0)
 488                 CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
 489         return r;
 490         }
 491
 492 STACK_OF(CMS_RevocationInfoChoice) **cms_get0_revocation_choices(CMS_ContentInfo *cms)
 493         {
 494         switch (OBJ_obj2nid(cms->contentType))
 495                 {
 496
 497                 case NID_pkcs7_signed:
 498                 return &cms->d.signedData->crls;
 499
 500                 case NID_pkcs7_enveloped:
 501                 return &cms->d.envelopedData->originatorInfo->crls;
 502
 503                 default:
 504                 CMSerr(CMS_F_CMS_GET0_REVOCATION_CHOICES,
 505                                         CMS_R_UNSUPPORTED_CONTENT_TYPE);
 506                 return NULL;
 507
 508                 }
 509         }
 510
 511 CMS_RevocationInfoChoice *CMS_add0_RevocationInfoChoice(CMS_ContentInfo *cms)
 512         {
 513         STACK_OF(CMS_RevocationInfoChoice) **pcrls;
 514         CMS_RevocationInfoChoice *rch;
 515         pcrls = cms_get0_revocation_choices(cms);
 516         if (!pcrls)
 517                 return NULL;
 518         if (!*pcrls)
 519                 *pcrls = sk_CMS_RevocationInfoChoice_new_null();
 520         if (!*pcrls)
 521                 return NULL;
 522         rch = M_ASN1_new_of(CMS_RevocationInfoChoice);
 523         if (!rch)
 524                 return NULL;
 525         if (!sk_CMS_RevocationInfoChoice_push(*pcrls, rch))
 526                 {
 527                 M_ASN1_free_of(rch, CMS_RevocationInfoChoice);
 528                 return NULL;
 529                 }
 530         return rch;
 531         }
 532
 533 int CMS_add0_crl(CMS_ContentInfo *cms, X509_CRL *crl)
 534         {
 535         CMS_RevocationInfoChoice *rch;
 536         rch = CMS_add0_RevocationInfoChoice(cms);
 537         if (!rch)
 538                 return 0;
 539         rch->type = CMS_REVCHOICE_CRL;
 540         rch->d.crl = crl;
 541         return 1;
 542         }
 543
 544 STACK_OF(X509) *CMS_get1_certs(CMS_ContentInfo *cms)
 545         {
 546         STACK_OF(X509) *certs = NULL;
 547         CMS_CertificateChoices *cch;
 548         STACK_OF(CMS_CertificateChoices) **pcerts;
 549         int i;
 550         pcerts = cms_get0_certificate_choices(cms);
 551         if (!pcerts)
 552                 return NULL;
 553         for (i = 0; i < sk_CMS_CertificateChoices_num(*pcerts); i++)
 554                 {
 555                 cch = sk_CMS_CertificateChoices_value(*pcerts, i);
 556                 if (cch->type == 0)
 557                         {
 558                         if (!certs)
 559                                 {
 560                                 certs = sk_X509_new_null();
 561                                 if (!certs)
 562                                         return NULL;
 563                                 }
 564                         if (!sk_X509_push(certs, cch->d.certificate))
 565                                 {
 566                                 sk_X509_pop_free(certs, X509_free);
 567                                 return NULL;
 568                                 }
 569                         CRYPTO_add(&cch->d.certificate->references,
 570                                                 1, CRYPTO_LOCK_X509);
 571                         }
 572                 }
 573         return certs;
 574
 575         }
 576
 577 STACK_OF(X509_CRL) *CMS_get1_crls(CMS_ContentInfo *cms)
 578         {
 579         STACK_OF(X509_CRL) *crls = NULL;
 580         STACK_OF(CMS_RevocationInfoChoice) **pcrls;
 581         CMS_RevocationInfoChoice *rch;
 582         int i;
 583         pcrls = cms_get0_revocation_choices(cms);
 584         if (!pcrls)
 585                 return NULL;
 586         for (i = 0; i < sk_CMS_RevocationInfoChoice_num(*pcrls); i++)
 587                 {
 588                 rch = sk_CMS_RevocationInfoChoice_value(*pcrls, i);
 589                 if (rch->type == 0)
 590                         {
 591                         if (!crls)
 592                                 {
 593                                 crls = sk_X509_CRL_new_null();
 594                                 if (!crls)
 595                                         return NULL;
 596                                 }
 597                         if (!sk_X509_CRL_push(crls, rch->d.crl))
 598                                 {
 599                                 sk_X509_CRL_pop_free(crls, X509_CRL_free);
 600                                 return NULL;
 601                                 }
 602                         CRYPTO_add(&rch->d.crl->references,
 603                                                 1, CRYPTO_LOCK_X509_CRL);
 604                         }
 605                 }
 606         return crls;
 607         }