Add new option to PKCS7_sign to exclude S/MIME capabilities.
Changes between 0.9.5a and 0.9.6 [xx XXX 2000]
+ *) Add new PKCS#7 signing option PKCS7_NOSMIMECAP which
+ excludes S/MIME capabilities.
+ [Steve Henson]
+
+ *) When a certificate request is read in keep a copy of the
+ original encoding of the signed data and use it when outputing
+ again. Signatures then use the original encoding rather than
+ a decoded, encoded version which may cause problems if the
+ request is improperly encoded.
+ [Steve Henson]
+
*) For consistency with other BIO_puts implementations, call
buffer_write(b, ...) directly in buffer_puts instead of calling
BIO_write(b, ...).
flags |= PKCS7_NOATTR;
else if (!strcmp (*args, "-nodetach"))
flags &= ~PKCS7_DETACHED;
+ else if (!strcmp (*args, "-nosmimecap"))
+ flags |= PKCS7_NOSMIMECAP;
else if (!strcmp (*args, "-binary"))
flags |= PKCS7_BINARY;
else if (!strcmp (*args, "-nosigs"))
{
M_ASN1_I2D_vars(a);
+ if(a->asn1) {
+ if(pp) {
+ memcpy(*pp, a->asn1, a->length);
+ *pp += a->length;
+ }
+ return a->length;
+ }
+
M_ASN1_I2D_len(a->version, i2d_ASN1_INTEGER);
M_ASN1_I2D_len(a->subject, i2d_X509_NAME);
M_ASN1_I2D_len(a->pubkey, i2d_X509_PUBKEY);
M_ASN1_New(ret->pubkey,X509_PUBKEY_new);
M_ASN1_New(ret->attributes,sk_X509_ATTRIBUTE_new_null);
ret->req_kludge=0;
+ ret->asn1 = NULL;
return(ret);
M_ASN1_New_Error(ASN1_F_X509_REQ_INFO_NEW);
}
void X509_REQ_INFO_free(X509_REQ_INFO *a)
{
if (a == NULL) return;
+ if(a->asn1) OPENSSL_free(a->asn1);
M_ASN1_INTEGER_free(a->version);
X509_NAME_free(a->subject);
X509_PUBKEY_free(a->pubkey);
M_ASN1_D2I_Init();
M_ASN1_D2I_start_sequence();
M_ASN1_D2I_get(ret->req_info,d2i_X509_REQ_INFO);
+
+ /* Keep a copy of the original encoding for signature checking */
+ ret->req_info->length = c.p - c.q;
+ if(!(ret->req_info->asn1 = OPENSSL_malloc(ret->req_info->length))) {
+ c.line=__LINE__;
+ c.error = ERR_R_MALLOC_FAILURE;
+ goto err;
+ }
+
+ memcpy(ret->req_info->asn1, c.q, ret->req_info->length);
+
M_ASN1_D2I_get(ret->sig_alg,d2i_X509_ALGOR);
M_ASN1_D2I_get(ret->signature,d2i_ASN1_BIT_STRING);
M_ASN1_D2I_Finish(a,X509_REQ_free,ASN1_F_D2I_X509_REQ);
PKCS7_add_signed_attribute(si, NID_pkcs9_contentType,
V_ASN1_OBJECT, OBJ_nid2obj(NID_pkcs7_data));
/* Add SMIMECapabilities */
+ if(!(flags & PKCS7_NOSMIMECAP))
+ {
if(!(smcap = sk_X509_ALGOR_new(NULL))) {
PKCS7err(PKCS7_F_PKCS7_SIGN,ERR_R_MALLOC_FAILURE);
return NULL;
#endif
PKCS7_add_attrib_smimecap (si, smcap);
sk_X509_ALGOR_pop_free(smcap, X509_ALGOR_free);
+ }
}
if(flags & PKCS7_DETACHED)PKCS7_set_detached(p7, 1);
/* S/MIME related flags */
-#define PKCS7_TEXT 0x1
-#define PKCS7_NOCERTS 0x2
-#define PKCS7_NOSIGS 0x4
-#define PKCS7_NOCHAIN 0x8
-#define PKCS7_NOINTERN 0x10
-#define PKCS7_NOVERIFY 0x20
-#define PKCS7_DETACHED 0x40
-#define PKCS7_BINARY 0x80
-#define PKCS7_NOATTR 0x100
+#define PKCS7_TEXT 0x1
+#define PKCS7_NOCERTS 0x2
+#define PKCS7_NOSIGS 0x4
+#define PKCS7_NOCHAIN 0x8
+#define PKCS7_NOINTERN 0x10
+#define PKCS7_NOVERIFY 0x20
+#define PKCS7_DETACHED 0x40
+#define PKCS7_BINARY 0x80
+#define PKCS7_NOATTR 0x100
+#define PKCS7_NOSMIMECAP 0x200
/* Flags: for compatibility with older code */
typedef struct X509_req_info_st
{
+ unsigned char *asn1;
+ int length;
ASN1_INTEGER *version;
X509_NAME *subject;
X509_PUBKEY *pubkey;
void ssl_free_wbio_buffer(SSL *s)
{
- BIO *under;
-
if (s->bbio == NULL) return;
if (s->bbio == s->wbio)