-Public CMS methods that create a CMS_ContentInfo object now have variants that also add a libctx and propq.
This includes CMS_ContentInfo_new_with_libctx(), CMS_sign_with_libctx(), CMS_data_create_with_libctx(),
CMS_digest_create_with_libctx(), CMS_EncryptedData_encrypt_with_libctx(), CMS_EnvelopedData_create_with_libctx().
-Added CMS_ReceiptRequest_create0_with_libctx().
-Added SMIME_read_CMS_ex() so that a new CMS_ContentInfo object (created using CMS_ContentInfo_new_with_libctx()) can
be passed to the read.
-d2i_CMS_bio() has been modified so that after it loads the CMS_ContentInfo() it then resolves any subobjects that require
the libctx/propq (such as objects containing X509 certificates).
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11884)
static int save_certs(char *signerfile, STACK_OF(X509) *signers);
static int cms_cb(int ok, X509_STORE_CTX *ctx);
static void receipt_request_print(CMS_ContentInfo *cms);
-static CMS_ReceiptRequest *make_receipt_request(STACK_OF(OPENSSL_STRING)
- *rr_to, int rr_allorfirst, STACK_OF(OPENSSL_STRING)
- *rr_from);
+static CMS_ReceiptRequest *make_receipt_request(
+ STACK_OF(OPENSSL_STRING) *rr_to, int rr_allorfirst,
+ STACK_OF(OPENSSL_STRING) *rr_from, OPENSSL_CTX *libctx, const char *propq);
static int cms_set_pkey_param(EVP_PKEY_CTX *pctx,
STACK_OF(OPENSSL_STRING) *param);
OPT_RR_TO, OPT_AES128_WRAP, OPT_AES192_WRAP, OPT_AES256_WRAP,
OPT_3DES_WRAP, OPT_WRAP, OPT_ENGINE,
OPT_R_ENUM,
- OPT_PROV_ENUM,
+ OPT_PROV_ENUM, OPT_CONFIG,
OPT_V_ENUM,
OPT_CIPHER,
OPT_ORIGINATOR
# ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
# endif
+ OPT_CONFIG_OPTION,
OPT_SECTION("Action"),
{"encrypt", OPT_ENCRYPT, '-', "Encrypt message"},
{NULL}
};
+static CMS_ContentInfo *load_content_info(int informat, BIO *in, BIO **indata,
+ const char *name,
+ OPENSSL_CTX *libctx, const char *propq)
+{
+ CMS_ContentInfo *ret, *ci;
+
+ ret = CMS_ContentInfo_new_with_libctx(libctx, propq);
+ if (ret == NULL) {
+ BIO_printf(bio_err, "Error allocating CMS_contentinfo\n");
+ return NULL;
+ }
+ switch (informat) {
+ case FORMAT_SMIME:
+ ci = SMIME_read_CMS_ex(in, indata, &ret);
+ break;
+ case FORMAT_PEM:
+ ci = PEM_read_bio_CMS(in, &ret, NULL, NULL);
+ break;
+ case FORMAT_ASN1:
+ ci = d2i_CMS_bio(in, &ret);
+ break;
+ default:
+ BIO_printf(bio_err, "Bad input format for %s\n", name);
+ goto err;
+ }
+ if (ci == NULL) {
+ BIO_printf(bio_err, "Error reading %s Content Info\n", name);
+ goto err;
+ }
+ return ret;
+err:
+ CMS_ContentInfo_free(ret);
+ return NULL;
+}
+
int cms_main(int argc, char **argv)
{
+ CONF *conf = NULL;
ASN1_OBJECT *econtent_type = NULL;
BIO *in = NULL, *out = NULL, *indata = NULL, *rctin = NULL;
CMS_ContentInfo *cms = NULL, *rcms = NULL;
long ltmp;
const char *mime_eol = "\n";
OPTION_CHOICE o;
+ OPENSSL_CTX *libctx = app_get0_libctx();
+ const char *propq = app_get0_propq();
if ((vpm = X509_VERIFY_PARAM_new()) == NULL)
return 1;
rr_allorfirst = 1;
break;
case OPT_RCTFORM:
- if (rctformat == FORMAT_SMIME)
- rcms = SMIME_read_CMS(rctin, NULL);
- else if (rctformat == FORMAT_PEM)
- rcms = PEM_read_bio_CMS(rctin, NULL, NULL, NULL);
- else if (rctformat == FORMAT_ASN1)
+ if (rctformat == FORMAT_ASN1) {
if (!opt_format(opt_arg(),
OPT_FMT_PEMDER | OPT_FMT_SMIME, &rctformat))
goto opthelp;
+ } else {
+ rcms = load_content_info(rctformat, rctin, NULL, "recipient",
+ libctx, propq);
+ }
break;
case OPT_CERTFILE:
certfile = opt_arg();
if (!opt_provider(o))
goto end;
break;
+ case OPT_CONFIG:
+ conf = app_load_config_modules(opt_arg());
+ if (conf == NULL)
+ goto end;
+ break;
case OPT_3DES_WRAP:
# ifndef OPENSSL_NO_DES
wrap_cipher = EVP_des_ede3_wrap();
goto end;
if (operation & SMIME_IP) {
- if (informat == FORMAT_SMIME) {
- cms = SMIME_read_CMS(in, &indata);
- } else if (informat == FORMAT_PEM) {
- cms = PEM_read_bio_CMS(in, NULL, NULL, NULL);
- } else if (informat == FORMAT_ASN1) {
- cms = d2i_CMS_bio(in, NULL);
- } else {
- BIO_printf(bio_err, "Bad input format for CMS file\n");
- goto end;
- }
-
- if (cms == NULL) {
- BIO_printf(bio_err, "Error reading S/MIME message\n");
+ cms = load_content_info(informat, in, &indata, "SMIME", libctx, propq);
+ if (cms == NULL)
goto end;
- }
if (contfile != NULL) {
BIO_free(indata);
if ((indata = BIO_new_file(contfile, "rb")) == NULL) {
goto end;
}
- if (rctformat == FORMAT_SMIME) {
- rcms = SMIME_read_CMS(rctin, NULL);
- } else if (rctformat == FORMAT_PEM) {
- rcms = PEM_read_bio_CMS(rctin, NULL, NULL, NULL);
- } else if (rctformat == FORMAT_ASN1) {
- rcms = d2i_CMS_bio(rctin, NULL);
- } else {
- BIO_printf(bio_err, "Bad input format for receipt\n");
- goto end;
- }
-
- if (rcms == NULL) {
- BIO_printf(bio_err, "Error reading receipt\n");
+ rcms = load_content_info(rctformat, rctin, NULL, "recipient", libctx,
+ propq);
+ if (rcms == NULL)
goto end;
- }
}
out = bio_open_default(outfile, 'w', outformat);
ret = 3;
if (operation == SMIME_DATA_CREATE) {
- cms = CMS_data_create(in, flags);
+ cms = CMS_data_create_with_libctx(in, flags, libctx, propq);
} else if (operation == SMIME_DIGEST_CREATE) {
- cms = CMS_digest_create(in, sign_md, flags);
+ cms = CMS_digest_create_with_libctx(in, sign_md, flags, libctx, propq);
} else if (operation == SMIME_COMPRESS) {
cms = CMS_compress(in, -1, flags);
} else if (operation == SMIME_ENCRYPT) {
int i;
flags |= CMS_PARTIAL;
- cms = CMS_encrypt(NULL, in, cipher, flags);
+ cms = CMS_encrypt_with_libctx(NULL, in, cipher, flags, libctx, propq);
if (cms == NULL)
goto end;
for (i = 0; i < sk_X509_num(encerts); i++) {
goto end;
}
} else if (operation == SMIME_ENCRYPTED_ENCRYPT) {
- cms = CMS_EncryptedData_encrypt(in, cipher,
- secret_key, secret_keylen, flags);
+ cms = CMS_EncryptedData_encrypt_with_libctx(in, cipher, secret_key,
+ secret_keylen, flags,
+ libctx, propq);
} else if (operation == SMIME_SIGN_RECEIPT) {
CMS_ContentInfo *srcms = NULL;
flags |= CMS_STREAM;
}
flags |= CMS_PARTIAL;
- cms = CMS_sign(NULL, NULL, other, in, flags);
+ cms = CMS_sign_with_libctx(NULL, NULL, other, in, flags, libctx, propq);
if (cms == NULL)
goto end;
if (econtent_type != NULL)
CMS_set1_eContentType(cms, econtent_type);
if (rr_to != NULL) {
- rr = make_receipt_request(rr_to, rr_allorfirst, rr_from);
+ rr = make_receipt_request(rr_to, rr_allorfirst, rr_from, libctx,
+ propq);
if (rr == NULL) {
BIO_puts(bio_err,
"Signed Receipt Request Creation Error\n");
BIO_free(indata);
BIO_free_all(out);
OPENSSL_free(passin);
+ NCONF_free(conf);
return ret;
}
return NULL;
}
-static CMS_ReceiptRequest *make_receipt_request(STACK_OF(OPENSSL_STRING)
- *rr_to, int rr_allorfirst, STACK_OF(OPENSSL_STRING)
- *rr_from)
+static CMS_ReceiptRequest *make_receipt_request(
+ STACK_OF(OPENSSL_STRING) *rr_to, int rr_allorfirst,
+ STACK_OF(OPENSSL_STRING) *rr_from,
+ OPENSSL_CTX *libctx, const char *propq)
{
STACK_OF(GENERAL_NAMES) *rct_to = NULL, *rct_from = NULL;
CMS_ReceiptRequest *rr;
} else {
rct_from = NULL;
}
- rr = CMS_ReceiptRequest_create0(NULL, -1, rr_allorfirst, rct_from,
- rct_to);
+ rr = CMS_ReceiptRequest_create0_with_libctx(NULL, -1, rr_allorfirst,
+ rct_from, rct_to, libctx, propq);
return rr;
err:
sk_GENERAL_NAMES_pop_free(rct_to, GENERAL_NAMES_free);
/* CMS CompressedData Utilities */
-CMS_ContentInfo *cms_CompressedData_create(int comp_nid)
+CMS_ContentInfo *cms_CompressedData_create(int comp_nid, OPENSSL_CTX *libctx,
+ const char *propq)
{
CMS_ContentInfo *cms;
CMS_CompressedData *cd;
+
/*
* Will need something cleverer if there is ever more than one
* compression algorithm or parameters have some meaning...
CMS_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
return NULL;
}
- cms = CMS_ContentInfo_new();
+ cms = CMS_ContentInfo_new_with_libctx(libctx, propq);
if (cms == NULL)
return NULL;
{
CMS_CompressedData *cd;
const ASN1_OBJECT *compoid;
+
if (OBJ_obj2nid(cms->contentType) != NID_id_smime_ct_compressedData) {
CMSerr(CMS_F_CMS_COMPRESSEDDATA_INIT_BIO,
CMS_R_CONTENT_TYPE_NOT_COMPRESSED_DATA);
/* CMS DigestedData Utilities */
-CMS_ContentInfo *cms_DigestedData_create(const EVP_MD *md)
+CMS_ContentInfo *cms_DigestedData_create(const EVP_MD *md,
+ OPENSSL_CTX *libctx, const char *propq)
{
CMS_ContentInfo *cms;
CMS_DigestedData *dd;
- cms = CMS_ContentInfo_new();
+
+ cms = CMS_ContentInfo_new_with_libctx(libctx, propq);
if (cms == NULL)
return NULL;
BIO *cms_DigestedData_init_bio(const CMS_ContentInfo *cms)
{
- CMS_DigestedData *dd;
- dd = cms->d.digestedData;
- return cms_DigestAlgorithm_init_bio(dd->digestAlgorithm);
+ CMS_DigestedData *dd = cms->d.digestedData;
+
+ return cms_DigestAlgorithm_init_bio(dd->digestAlgorithm, cms_get0_cmsctx(cms));
}
int cms_DigestedData_do_final(const CMS_ContentInfo *cms, BIO *chain, int verify)
/* Return BIO based on EncryptedContentInfo and key */
-BIO *cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec)
+BIO *cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec,
+ const CMS_CTX *cms_ctx)
{
BIO *b;
EVP_CIPHER_CTX *ctx;
- const EVP_CIPHER *ciph;
+ EVP_CIPHER *fetched_ciph = NULL;
+ const EVP_CIPHER *cipher = NULL;
X509_ALGOR *calg = ec->contentEncryptionAlgorithm;
unsigned char iv[EVP_MAX_IV_LENGTH], *piv = NULL;
unsigned char *tkey = NULL;
int len;
size_t tkeylen = 0;
-
int ok = 0;
-
int enc, keep_key = 0;
enc = ec->cipher ? 1 : 0;
BIO_get_cipher_ctx(b, &ctx);
if (enc) {
- ciph = ec->cipher;
+ cipher = ec->cipher;
/*
* If not keeping key set cipher to NULL so subsequent calls decrypt.
*/
- if (ec->key)
+ if (ec->key != NULL)
ec->cipher = NULL;
} else {
- ciph = EVP_get_cipherbyobj(calg->algorithm);
-
- if (!ciph) {
+ cipher = EVP_get_cipherbyobj(calg->algorithm);
+ }
+ if (cipher != NULL) {
+ fetched_ciph = EVP_CIPHER_fetch(cms_ctx->libctx, EVP_CIPHER_name(cipher),
+ cms_ctx->propq);
+ if (fetched_ciph == NULL) {
CMSerr(CMS_F_CMS_ENCRYPTEDCONTENT_INIT_BIO, CMS_R_UNKNOWN_CIPHER);
goto err;
}
}
-
- if (EVP_CipherInit_ex(ctx, ciph, NULL, NULL, NULL, enc) <= 0) {
+ if (EVP_CipherInit_ex(ctx, fetched_ciph, NULL, NULL, NULL, enc) <= 0) {
CMSerr(CMS_F_CMS_ENCRYPTEDCONTENT_INIT_BIO,
CMS_R_CIPHER_INITIALISATION_ERROR);
goto err;
}
+ EVP_CIPHER_free(fetched_ciph);
if (enc) {
int ivlen;
/* Generate a random IV if we need one */
ivlen = EVP_CIPHER_CTX_iv_length(ctx);
if (ivlen > 0) {
- if (RAND_bytes(iv, ivlen) <= 0)
+ if (RAND_bytes_ex(cms_ctx->libctx, iv, ivlen) <= 0)
goto err;
piv = iv;
}
int cms_EncryptedContent_init(CMS_EncryptedContentInfo *ec,
const EVP_CIPHER *cipher,
- const unsigned char *key, size_t keylen)
+ const unsigned char *key, size_t keylen,
+ const CMS_CTX *cms_ctx)
{
ec->cipher = cipher;
if (key) {
memcpy(ec->key, key, keylen);
}
ec->keylen = keylen;
- if (cipher)
+ if (cipher != NULL)
ec->contentType = OBJ_nid2obj(NID_pkcs7_data);
return 1;
}
const unsigned char *key, size_t keylen)
{
CMS_EncryptedContentInfo *ec;
+
if (!key || !keylen) {
CMSerr(CMS_F_CMS_ENCRYPTEDDATA_SET1_KEY, CMS_R_NO_KEY);
return 0;
return 0;
}
ec = cms->d.encryptedData->encryptedContentInfo;
- return cms_EncryptedContent_init(ec, ciph, key, keylen);
+ return cms_EncryptedContent_init(ec, ciph, key, keylen, cms_get0_cmsctx(cms));
}
BIO *cms_EncryptedData_init_bio(const CMS_ContentInfo *cms)
CMS_EncryptedData *enc = cms->d.encryptedData;
if (enc->encryptedContentInfo->cipher && enc->unprotectedAttrs)
enc->version = 2;
- return cms_EncryptedContent_init_bio(enc->encryptedContentInfo);
+ return cms_EncryptedContent_init_bio(enc->encryptedContentInfo,
+ cms_get0_cmsctx(cms));
}
#include <openssl/err.h>
#include <openssl/cms.h>
#include <openssl/evp.h>
-#include "cms_local.h"
#include "crypto/asn1.h"
#include "crypto/evp.h"
+#include "crypto/x509.h"
+#include "cms_local.h"
DEFINE_STACK_OF(CMS_RecipientInfo)
DEFINE_STACK_OF(CMS_RevocationInfoChoice)
return env->recipientInfos;
}
+void cms_RecipientInfos_set_cmsctx(CMS_ContentInfo *cms)
+{
+ int i;
+ CMS_RecipientInfo *ri;
+ const CMS_CTX *ctx = cms_get0_cmsctx(cms);
+ STACK_OF(CMS_RecipientInfo) *rinfos = CMS_get0_RecipientInfos(cms);
+
+ for (i = 0; i < sk_CMS_RecipientInfo_num(rinfos); i++) {
+ ri = sk_CMS_RecipientInfo_value(rinfos, i);
+ if (ri != NULL) {
+ switch (ri->type) {
+ case CMS_RECIPINFO_AGREE:
+ ri->d.kari->cms_ctx = ctx;
+ break;
+ case CMS_RECIPINFO_TRANS:
+ ri->d.ktri->cms_ctx = ctx;
+ x509_set0_libctx(ri->d.ktri->recip, ctx->libctx, ctx->propq);
+ break;
+ case CMS_RECIPINFO_KEK:
+ ri->d.kekri->cms_ctx = ctx;
+ break;
+ case CMS_RECIPINFO_PASS:
+ ri->d.pwri->cms_ctx = ctx;
+ break;
+ default:
+ break;
+ }
+ }
+ }
+}
+
int CMS_RecipientInfo_type(CMS_RecipientInfo *ri)
{
return ri->type;
return NULL;
}
-CMS_ContentInfo *CMS_EnvelopedData_create(const EVP_CIPHER *cipher)
+CMS_ContentInfo *CMS_EnvelopedData_create_with_libctx(const EVP_CIPHER *cipher,
+ OPENSSL_CTX *libctx,
+ const char *propq)
{
CMS_ContentInfo *cms;
CMS_EnvelopedData *env;
- cms = CMS_ContentInfo_new();
+
+ cms = CMS_ContentInfo_new_with_libctx(libctx, propq);
if (cms == NULL)
goto merr;
env = cms_enveloped_data_init(cms);
if (env == NULL)
goto merr;
- if (!cms_EncryptedContent_init(env->encryptedContentInfo,
- cipher, NULL, 0))
+
+ if (!cms_EncryptedContent_init(env->encryptedContentInfo, cipher, NULL, 0,
+ cms_get0_cmsctx(cms)))
goto merr;
return cms;
merr:
CMS_ContentInfo_free(cms);
- CMSerr(CMS_F_CMS_ENVELOPEDDATA_CREATE, ERR_R_MALLOC_FAILURE);
+ CMSerr(0, ERR_R_MALLOC_FAILURE);
return NULL;
}
+CMS_ContentInfo *CMS_EnvelopedData_create(const EVP_CIPHER *cipher)
+{
+ return CMS_EnvelopedData_create_with_libctx(cipher, NULL, NULL);
+}
+
int cms_EnvelopedData_final(CMS_ContentInfo *cms, BIO *chain)
{
CMS_EnvelopedData *env = NULL;
/* Initialise a ktri based on passed certificate and key */
static int cms_RecipientInfo_ktri_init(CMS_RecipientInfo *ri, X509 *recip,
- EVP_PKEY *pk, unsigned int flags)
+ EVP_PKEY *pk, unsigned int flags,
+ const CMS_CTX *ctx)
{
CMS_KeyTransRecipientInfo *ktri;
int idtype;
ri->type = CMS_RECIPINFO_TRANS;
ktri = ri->d.ktri;
+ ktri->cms_ctx = ctx;
if (flags & CMS_USE_KEYID) {
ktri->version = 2;
* structure.
*/
- if (!cms_set1_SignerIdentifier(ktri->rid, recip, idtype))
+ if (!cms_set1_SignerIdentifier(ktri->rid, recip, idtype, ctx))
return 0;
X509_up_ref(recip);
ktri->recip = recip;
if (flags & CMS_KEY_PARAM) {
- ktri->pctx = EVP_PKEY_CTX_new(ktri->pkey, NULL);
+ ktri->pctx = EVP_PKEY_CTX_new_from_pkey(ctx->libctx, ktri->pkey,
+ ctx->propq);
if (ktri->pctx == NULL)
return 0;
if (EVP_PKEY_encrypt_init(ktri->pctx) <= 0)
CMS_RecipientInfo *ri = NULL;
CMS_EnvelopedData *env;
EVP_PKEY *pk = NULL;
+ const CMS_CTX *ctx = cms_get0_cmsctx(cms);
+
env = cms_get0_enveloped(cms);
if (!env)
goto err;
switch (cms_pkey_get_ri_type(pk)) {
case CMS_RECIPINFO_TRANS:
- if (!cms_RecipientInfo_ktri_init(ri, recip, pk, flags))
+ if (!cms_RecipientInfo_ktri_init(ri, recip, pk, flags, ctx))
goto err;
break;
case CMS_RECIPINFO_AGREE:
- if (!cms_RecipientInfo_kari_init(ri, recip, pk, originator, originatorPrivKey, flags))
+ if (!cms_RecipientInfo_kari_init(ri, recip, pk, originator,
+ originatorPrivKey, flags, ctx))
goto err;
break;
EVP_PKEY_CTX *pctx;
unsigned char *ek = NULL;
size_t eklen;
+ const CMS_CTX *ctx = cms_get0_cmsctx(cms);
int ret = 0;
if (!cms_env_asn1_ctrl(ri, 0))
goto err;
} else {
- pctx = EVP_PKEY_CTX_new(ktri->pkey, NULL);
+ pctx = EVP_PKEY_CTX_new_from_pkey(ctx->libctx, ktri->pkey, ctx->propq);
if (pctx == NULL)
return 0;
ktri->pctx = NULL;
OPENSSL_free(ek);
return ret;
-
}
/* Decrypt content key from KTRI */
size_t eklen;
int ret = 0;
size_t fixlen = 0;
+ EVP_CIPHER *ciph = NULL;
CMS_EncryptedContentInfo *ec;
+ const CMS_CTX *ctx = cms_get0_cmsctx(cms);
+
ec = cms->d.envelopedData->encryptedContentInfo;
if (ktri->pkey == NULL) {
if (cms->d.envelopedData->encryptedContentInfo->havenocert
&& !cms->d.envelopedData->encryptedContentInfo->debug) {
X509_ALGOR *calg = ec->contentEncryptionAlgorithm;
- const EVP_CIPHER *ciph = EVP_get_cipherbyobj(calg->algorithm);
+ const char *name = OBJ_nid2sn(OBJ_obj2nid(calg->algorithm));
+ ciph = EVP_CIPHER_fetch(ctx->libctx, name, ctx->propq);
if (ciph == NULL) {
CMSerr(CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT, CMS_R_UNKNOWN_CIPHER);
return 0;
}
fixlen = EVP_CIPHER_key_length(ciph);
+ EVP_CIPHER_free(ciph);
}
- ktri->pctx = EVP_PKEY_CTX_new(pkey, NULL);
+ ktri->pctx = EVP_PKEY_CTX_new_from_pkey(ctx->libctx, pkey, ctx->propq);
if (ktri->pctx == NULL)
- return 0;
+ goto err;
if (EVP_PKEY_decrypt_init(ktri->pctx) <= 0)
goto err;
err:
M_ASN1_free_of(ri, CMS_RecipientInfo);
return NULL;
-
}
int CMS_RecipientInfo_kekri_get0_id(CMS_RecipientInfo *ri,
return 1;
}
-static const EVP_CIPHER *cms_get_key_wrap_cipher(size_t keylen)
+static EVP_CIPHER *cms_get_key_wrap_cipher(size_t keylen, const CMS_CTX *ctx)
{
+ const char *alg = NULL;
+
switch(keylen) {
case 16:
- return EVP_aes_128_wrap();
-
+ alg = "AES-128-WRAP";
+ break;
case 24:
- return EVP_aes_192_wrap();
-
+ alg = "AES-192-WRAP";
+ break;
case 32:
- return EVP_aes_256_wrap();
+ alg = "AES-256-WRAP";
+ break;
+ default:
+ return NULL;
}
-
- return NULL;
+ return EVP_CIPHER_fetch(ctx->libctx, alg, ctx->propq);
}
unsigned char *wkey = NULL;
int wkeylen;
int r = 0;
- const EVP_CIPHER *cipher = NULL;
+ EVP_CIPHER *cipher = NULL;
int outlen = 0;
EVP_CIPHER_CTX *ctx = NULL;
+ const CMS_CTX *cms_ctx = cms_get0_cmsctx(cms);
ec = cms->d.envelopedData->encryptedContentInfo;
return 0;
}
- cipher = cms_get_key_wrap_cipher(kekri->keylen);
+ cipher = cms_get_key_wrap_cipher(kekri->keylen, cms_ctx);
if (cipher == NULL) {
CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_ENCRYPT, CMS_R_INVALID_KEY_LENGTH);
goto err;
r = 1;
err:
+ EVP_CIPHER_free(cipher);
if (!r)
OPENSSL_free(wkey);
EVP_CIPHER_CTX_free(ctx);
return r;
-
}
/* Decrypt content key in KEK recipient info */
unsigned char *ukey = NULL;
int ukeylen;
int r = 0, wrap_nid;
- const EVP_CIPHER *cipher = NULL;
+ EVP_CIPHER *cipher = NULL;
int outlen = 0;
EVP_CIPHER_CTX *ctx = NULL;
+ const CMS_CTX *cms_ctx = cms_get0_cmsctx(cms);
ec = cms->d.envelopedData->encryptedContentInfo;
goto err;
}
- cipher = cms_get_key_wrap_cipher(kekri->keylen);
+ cipher = cms_get_key_wrap_cipher(kekri->keylen, cms_ctx);
if (cipher == NULL) {
CMSerr(CMS_F_CMS_RECIPIENTINFO_KEKRI_DECRYPT, CMS_R_INVALID_KEY_LENGTH);
goto err;
r = 1;
err:
+ EVP_CIPHER_free(cipher);
if (!r)
OPENSSL_free(ukey);
EVP_CIPHER_CTX_free(ctx);
return r;
-
}
int CMS_RecipientInfo_decrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri)
static BIO *cms_EnvelopedData_Decryption_init_bio(CMS_ContentInfo *cms)
{
CMS_EncryptedContentInfo *ec = cms->d.envelopedData->encryptedContentInfo;
- BIO *contentBio = cms_EncryptedContent_init_bio(ec);
+ BIO *contentBio = cms_EncryptedContent_init_bio(ec, cms_get0_cmsctx(cms));
EVP_CIPHER_CTX *ctx = NULL;
if (contentBio == NULL)
/* Get BIO first to set up key */
ec = cms->d.envelopedData->encryptedContentInfo;
- ret = cms_EncryptedContent_init_bio(ec);
+ ret = cms_EncryptedContent_init_bio(ec, cms_get0_cmsctx(cms));
/* If error end of processing */
if (!ret)
if (pk->ameth != NULL && pk->ameth->pkey_ctrl != NULL) {
int i, r;
- i = pk->ameth->pkey_ctrl(pk, ASN1_PKEY_CTRL_CMS_IS_RI_TYPE_SUPPORTED, ri_type, &r);
+ i = pk->ameth->pkey_ctrl(pk, ASN1_PKEY_CTRL_CMS_IS_RI_TYPE_SUPPORTED,
+ ri_type, &r);
if (i > 0)
return r;
}
#include <openssl/err.h>
#include <openssl/cms.h>
#include <openssl/ess.h>
-#include "cms_local.h"
#include "crypto/ess.h"
#include "crypto/cms.h"
+#include "crypto/x509.h"
+#include "cms_local.h"
DEFINE_STACK_OF(GENERAL_NAMES)
DEFINE_STACK_OF(CMS_SignerInfo)
return ret;
}
-CMS_ReceiptRequest *CMS_ReceiptRequest_create0(unsigned char *id, int idlen,
- int allorfirst,
- STACK_OF(GENERAL_NAMES)
- *receiptList, STACK_OF(GENERAL_NAMES)
- *receiptsTo)
+CMS_ReceiptRequest *CMS_ReceiptRequest_create0_with_libctx(
+ unsigned char *id, int idlen, int allorfirst,
+ STACK_OF(GENERAL_NAMES) *receiptList, STACK_OF(GENERAL_NAMES) *receiptsTo,
+ OPENSSL_CTX *libctx, const char *propq)
{
CMS_ReceiptRequest *rr;
else {
if (!ASN1_STRING_set(rr->signedContentIdentifier, NULL, 32))
goto merr;
- if (RAND_bytes(rr->signedContentIdentifier->data, 32) <= 0)
+ if (RAND_bytes_ex(libctx, rr->signedContentIdentifier->data, 32) <= 0)
goto err;
}
sk_GENERAL_NAMES_pop_free(rr->receiptsTo, GENERAL_NAMES_free);
rr->receiptsTo = receiptsTo;
- if (receiptList) {
+ if (receiptList != NULL) {
rr->receiptsFrom->type = 1;
rr->receiptsFrom->d.receiptList = receiptList;
} else {
return rr;
merr:
- CMSerr(CMS_F_CMS_RECEIPTREQUEST_CREATE0, ERR_R_MALLOC_FAILURE);
+ CMSerr(0, ERR_R_MALLOC_FAILURE);
err:
CMS_ReceiptRequest_free(rr);
}
+CMS_ReceiptRequest *CMS_ReceiptRequest_create0(
+ unsigned char *id, int idlen, int allorfirst,
+ STACK_OF(GENERAL_NAMES) *receiptList, STACK_OF(GENERAL_NAMES) *receiptsTo)
+{
+ return CMS_ReceiptRequest_create0_with_libctx(id, idlen, allorfirst,
+ receiptList, receiptsTo,
+ NULL, NULL);
+}
+
int CMS_add1_ReceiptRequest(CMS_SignerInfo *si, CMS_ReceiptRequest *rr)
{
unsigned char *rrder = NULL;
STACK_OF(GENERAL_NAMES) **plist,
STACK_OF(GENERAL_NAMES) **prto)
{
- if (pcid)
+ if (pcid != NULL)
*pcid = rr->signedContentIdentifier;
if (rr->receiptsFrom->type == 0) {
- if (pallorfirst)
+ if (pallorfirst != NULL)
*pallorfirst = (int)rr->receiptsFrom->d.allOrFirstTier;
- if (plist)
+ if (plist != NULL)
*plist = NULL;
} else {
- if (pallorfirst)
+ if (pallorfirst != NULL)
*pallorfirst = -1;
- if (plist)
+ if (plist != NULL)
*plist = rr->receiptsFrom->d.receiptList;
}
- if (prto)
+ if (prto != NULL)
*prto = rr->receiptsTo;
}
static int cms_msgSigDigest(CMS_SignerInfo *si,
unsigned char *dig, unsigned int *diglen)
{
- const EVP_MD *md;
+ const EVP_MD *md = EVP_get_digestbyobj(si->digestAlgorithm->algorithm);
- md = EVP_get_digestbyobj(si->digestAlgorithm->algorithm);
if (md == NULL)
return 0;
- if (!ASN1_item_digest(ASN1_ITEM_rptr(CMS_Attributes_Verify), md,
- si->signedAttrs, dig, diglen))
+ if (!asn1_item_digest_with_libctx(ASN1_ITEM_rptr(CMS_Attributes_Verify), md,
+ si->signedAttrs, dig, diglen,
+ si->cms_ctx->libctx, si->cms_ctx->propq))
return 0;
return 1;
}
CMS_ContentInfo *d2i_CMS_bio(BIO *bp, CMS_ContentInfo **cms)
{
- return ASN1_item_d2i_bio(ASN1_ITEM_rptr(CMS_ContentInfo), bp, cms);
+ CMS_ContentInfo *ci;
+
+ ci = ASN1_item_d2i_bio(ASN1_ITEM_rptr(CMS_ContentInfo), bp, cms);
+ if (ci != NULL && cms != NULL)
+ cms_resolve_libctx(ci);
+ return ci;
}
int i2d_CMS_bio(BIO *bp, CMS_ContentInfo *cms)
STACK_OF(X509_ALGOR) *mdalgs;
int ctype_nid = OBJ_obj2nid(cms->contentType);
int econt_nid = OBJ_obj2nid(CMS_get0_eContentType(cms));
+ const CMS_CTX *ctx = cms_get0_cmsctx(cms);
+
if (ctype_nid == NID_pkcs7_signed)
mdalgs = cms->d.signedData->digestAlgorithms;
else
mdalgs = NULL;
- return SMIME_write_ASN1(bio, (ASN1_VALUE *)cms, data, flags,
- ctype_nid, econt_nid, mdalgs,
- ASN1_ITEM_rptr(CMS_ContentInfo));
+ return SMIME_write_ASN1_with_libctx(bio, (ASN1_VALUE *)cms, data, flags,
+ ctype_nid, econt_nid, mdalgs,
+ ASN1_ITEM_rptr(CMS_ContentInfo),
+ cms_ctx_get0_libctx(ctx),
+ cms_ctx_get0_propq(ctx));
+}
+
+CMS_ContentInfo *SMIME_read_CMS_ex(BIO *bio, BIO **bcont, CMS_ContentInfo **cms)
+{
+ CMS_ContentInfo *ci;
+
+ ci = (CMS_ContentInfo *)SMIME_read_ASN1_ex(bio, bcont,
+ ASN1_ITEM_rptr(CMS_ContentInfo),
+ (ASN1_VALUE **)cms);
+ if (ci != NULL && cms != NULL)
+ cms_resolve_libctx(ci);
+ return ci;
}
CMS_ContentInfo *SMIME_read_CMS(BIO *bio, BIO **bcont)
{
- return (CMS_ContentInfo *)SMIME_read_ASN1(bio, bcont,
- ASN1_ITEM_rptr
- (CMS_ContentInfo));
+ return SMIME_read_CMS_ex(bio, bcont, NULL);
}
ASN1_INTEGER **sno)
{
CMS_OriginatorIdentifierOrKey *oik;
+
if (ri->type != CMS_RECIPINFO_AGREE) {
CMSerr(CMS_F_CMS_RECIPIENTINFO_KARI_GET0_ORIG_ID,
CMS_R_NOT_KEY_AGREEMENT);
int CMS_RecipientInfo_kari_orig_id_cmp(CMS_RecipientInfo *ri, X509 *cert)
{
CMS_OriginatorIdentifierOrKey *oik;
+
if (ri->type != CMS_RECIPINFO_AGREE) {
CMSerr(CMS_F_CMS_RECIPIENTINFO_KARI_ORIG_ID_CMP,
CMS_R_NOT_KEY_AGREEMENT);
X509_NAME **issuer, ASN1_INTEGER **sno)
{
CMS_KeyAgreeRecipientIdentifier *rid = rek->rid;
+
if (rid->type == CMS_REK_ISSUER_SERIAL) {
if (issuer)
*issuer = rid->d.issuerAndSerialNumber->issuer;
X509 *cert)
{
CMS_KeyAgreeRecipientIdentifier *rid = rek->rid;
+
if (rid->type == CMS_REK_ISSUER_SERIAL)
return cms_ias_cert_cmp(rid->d.issuerAndSerialNumber, cert);
else if (rid->type == CMS_REK_KEYIDENTIFIER)
if (pk == NULL)
return 1;
- pctx = EVP_PKEY_CTX_new(pk, NULL);
+ pctx = EVP_PKEY_CTX_new_from_pkey(kari->cms_ctx->libctx, pk,
+ kari->cms_ctx->propq);
if (pctx == NULL || EVP_PKEY_derive_init(pctx) <= 0)
goto err;
int rv = 0;
unsigned char *out = NULL;
int outlen;
+
keklen = EVP_CIPHER_CTX_key_length(kari->ctx);
if (keklen > EVP_MAX_KEY_LENGTH)
return 0;
EVP_PKEY_CTX *pctx = NULL;
EVP_PKEY *ekey = NULL;
int rv = 0;
+ const CMS_CTX *ctx = kari->cms_ctx;
- pctx = EVP_PKEY_CTX_new(pk, NULL);
+ pctx = EVP_PKEY_CTX_new_from_pkey(ctx->libctx, pk, ctx->propq);
if (pctx == NULL)
goto err;
if (EVP_PKEY_keygen_init(pctx) <= 0)
if (EVP_PKEY_keygen(pctx, &ekey) <= 0)
goto err;
EVP_PKEY_CTX_free(pctx);
- pctx = EVP_PKEY_CTX_new(ekey, NULL);
+ pctx = EVP_PKEY_CTX_new_from_pkey(ctx->libctx, ekey, ctx->propq);
if (pctx == NULL)
goto err;
if (EVP_PKEY_derive_init(pctx) <= 0)
}
/* Set originator private key and initialise context based on it */
-static int cms_kari_set_originator_private_key(CMS_KeyAgreeRecipientInfo *kari, EVP_PKEY *originatorPrivKey )
+static int cms_kari_set_originator_private_key(CMS_KeyAgreeRecipientInfo *kari,
+ EVP_PKEY *originatorPrivKey )
{
EVP_PKEY_CTX *pctx = NULL;
int rv = 0;
+ const CMS_CTX *ctx = kari->cms_ctx;
- pctx = EVP_PKEY_CTX_new(originatorPrivKey, NULL);
+ pctx = EVP_PKEY_CTX_new_from_pkey(ctx->libctx, originatorPrivKey, ctx->propq);
if (pctx == NULL)
goto err;
if (EVP_PKEY_derive_init(pctx) <= 0)
/* Initialise a kari based on passed certificate and key */
-int cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri, X509 *recip, EVP_PKEY *recipPubKey, X509 * originator, EVP_PKEY *originatorPrivKey, unsigned int flags)
+int cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri, X509 *recip,
+ EVP_PKEY *recipPubKey, X509 *originator,
+ EVP_PKEY *originatorPrivKey, unsigned int flags,
+ const CMS_CTX *ctx)
{
CMS_KeyAgreeRecipientInfo *kari;
CMS_RecipientEncryptedKey *rek = NULL;
ri->d.kari = M_ASN1_new_of(CMS_KeyAgreeRecipientInfo);
- if (!ri->d.kari)
+ if (ri->d.kari == NULL)
return 0;
ri->type = CMS_RECIPINFO_AGREE;
kari = ri->d.kari;
kari->version = 3;
+ kari->cms_ctx = ctx;
rek = M_ASN1_new_of(CMS_RecipientEncryptedKey);
if (rek == NULL)
static int cms_wrap_init(CMS_KeyAgreeRecipientInfo *kari,
const EVP_CIPHER *cipher)
{
+ const CMS_CTX *cms_ctx = kari->cms_ctx;
EVP_CIPHER_CTX *ctx = kari->ctx;
const EVP_CIPHER *kekcipher;
+ EVP_CIPHER *fetched_kekcipher;
+ const char *kekcipher_name;
int keylen;
int ret;
if (kekcipher != NULL) {
if (EVP_CIPHER_mode(kekcipher) != EVP_CIPH_WRAP_MODE)
return 0;
-
- return EVP_EncryptInit_ex(ctx, kekcipher, NULL, NULL, NULL);
+ kekcipher_name = EVP_CIPHER_name(kekcipher);
+ goto enc;
}
}
*/
#ifndef OPENSSL_NO_DES
if (EVP_CIPHER_type(cipher) == NID_des_ede3_cbc)
- kekcipher = EVP_des_ede3_wrap();
+ kekcipher_name = SN_id_smime_alg_CMS3DESwrap;
else
#endif
if (keylen <= 16)
- kekcipher = EVP_aes_128_wrap();
+ kekcipher_name = SN_id_aes128_wrap;
else if (keylen <= 24)
- kekcipher = EVP_aes_192_wrap();
+ kekcipher_name = SN_id_aes192_wrap;
else
- kekcipher = EVP_aes_256_wrap();
- return EVP_EncryptInit_ex(ctx, kekcipher, NULL, NULL, NULL);
+ kekcipher_name = SN_id_aes256_wrap;
+enc:
+ fetched_kekcipher = EVP_CIPHER_fetch(cms_ctx->libctx, kekcipher_name,
+ cms_ctx->propq);
+ if (fetched_kekcipher == NULL)
+ return 0;
+ ret = EVP_EncryptInit_ex(ctx, fetched_kekcipher, NULL, NULL, NULL);
+ EVP_CIPHER_free(fetched_kekcipher);
+ return ret;
}
/* Encrypt content key in key agreement recipient info */
}
return 1;
-
}
#include <openssl/bio.h>
#include <openssl/asn1.h>
#include <openssl/cms.h>
+#include <openssl/cms.h>
+#include "crypto/x509.h"
#include "cms_local.h"
+static STACK_OF(CMS_CertificateChoices)
+**cms_get0_certificate_choices(CMS_ContentInfo *cms);
+
DEFINE_STACK_OF(CMS_RevocationInfoChoice)
DEFINE_STACK_OF(X509)
DEFINE_STACK_OF(X509_CRL)
-IMPLEMENT_ASN1_FUNCTIONS(CMS_ContentInfo)
IMPLEMENT_ASN1_PRINT_FUNCTION(CMS_ContentInfo)
+CMS_ContentInfo *d2i_CMS_ContentInfo(CMS_ContentInfo **a,
+ const unsigned char **in, long len)
+{
+ CMS_ContentInfo *ci;
+
+ ci = (CMS_ContentInfo *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
+ (CMS_ContentInfo_it()));
+ if (ci != NULL && a != NULL)
+ cms_resolve_libctx(ci);
+ return ci;
+}
+
+int i2d_CMS_ContentInfo(const CMS_ContentInfo *a, unsigned char **out)
+{
+ return ASN1_item_i2d((const ASN1_VALUE *)a, out, (CMS_ContentInfo_it()));
+}
+
+CMS_ContentInfo *CMS_ContentInfo_new_with_libctx(OPENSSL_CTX *libctx,
+ const char *propq)
+{
+ CMS_ContentInfo *ci;
+
+ ci = (CMS_ContentInfo *)ASN1_item_new(ASN1_ITEM_rptr(CMS_ContentInfo));
+ if (ci != NULL) {
+ ci->ctx.libctx = libctx;
+ ci->ctx.propq = NULL;
+ if (propq != NULL) {
+ ci->ctx.propq = OPENSSL_strdup(propq);
+ if (ci->ctx.propq == NULL) {
+ CMS_ContentInfo_free(ci);
+ ci = NULL;
+ ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE);
+ }
+ }
+ }
+ return ci;
+}
+
+CMS_ContentInfo *CMS_ContentInfo_new(void)
+{
+ return CMS_ContentInfo_new_with_libctx(NULL, NULL);
+}
+
+void CMS_ContentInfo_free(CMS_ContentInfo *cms)
+{
+ if (cms != NULL) {
+ OPENSSL_free(cms->ctx.propq);
+ ASN1_item_free((ASN1_VALUE *)cms, ASN1_ITEM_rptr(CMS_ContentInfo));
+ }
+}
+
+const CMS_CTX *cms_get0_cmsctx(const CMS_ContentInfo *cms)
+{
+ return cms != NULL ? &cms->ctx : NULL;
+}
+
+OPENSSL_CTX *cms_ctx_get0_libctx(const CMS_CTX *ctx)
+{
+ return ctx->libctx;
+}
+
+const char *cms_ctx_get0_propq(const CMS_CTX *ctx)
+{
+ return ctx->propq;
+}
+
+void cms_resolve_libctx(CMS_ContentInfo *ci)
+{
+ int i;
+ CMS_CertificateChoices *cch;
+ STACK_OF(CMS_CertificateChoices) **pcerts;
+ const CMS_CTX *ctx;
+
+ if (ci == NULL)
+ return;
+
+ ctx = cms_get0_cmsctx(ci);
+ cms_SignerInfos_set_cmsctx(ci);
+ cms_RecipientInfos_set_cmsctx(ci);
+
+ pcerts = cms_get0_certificate_choices(ci);
+ if (pcerts != NULL) {
+ for (i = 0; i < sk_CMS_CertificateChoices_num(*pcerts); i++) {
+ cch = sk_CMS_CertificateChoices_value(*pcerts, i);
+ if (cch->type == CMS_CERTCHOICE_CERT)
+ x509_set0_libctx(cch->d.certificate, ctx->libctx, ctx->propq);
+ }
+ }
+}
+
const ASN1_OBJECT *CMS_get0_type(const CMS_ContentInfo *cms)
{
return cms->contentType;
}
-CMS_ContentInfo *cms_Data_create(void)
+CMS_ContentInfo *cms_Data_create(OPENSSL_CTX *libctx, const char *propq)
{
- CMS_ContentInfo *cms;
- cms = CMS_ContentInfo_new();
+ CMS_ContentInfo *cms = CMS_ContentInfo_new_with_libctx(libctx, propq);
+
if (cms != NULL) {
cms->contentType = OBJ_nid2obj(NID_pkcs7_data);
/* Never detached */
/* Create a digest BIO from an X509_ALGOR structure */
-BIO *cms_DigestAlgorithm_init_bio(X509_ALGOR *digestAlgorithm)
+BIO *cms_DigestAlgorithm_init_bio(X509_ALGOR *digestAlgorithm,
+ const CMS_CTX *ctx)
{
BIO *mdbio = NULL;
const ASN1_OBJECT *digestoid;
- const EVP_MD *digest;
+ EVP_MD *digest = NULL;
+ const char *alg;
+
X509_ALGOR_get0(&digestoid, NULL, NULL, digestAlgorithm);
- digest = EVP_get_digestbyobj(digestoid);
- if (!digest) {
+ alg = OBJ_nid2sn(OBJ_obj2nid(digestoid));
+ digest = EVP_MD_fetch(ctx->libctx, alg, ctx->propq);
+ if (digest == NULL) {
CMSerr(CMS_F_CMS_DIGESTALGORITHM_INIT_BIO,
CMS_R_UNKNOWN_DIGEST_ALGORITHM);
goto err;
CMSerr(CMS_F_CMS_DIGESTALGORITHM_INIT_BIO, CMS_R_MD_BIO_INIT_ERROR);
goto err;
}
+ EVP_MD_free(digest);
return mdbio;
err:
+ EVP_MD_free(digest);
BIO_free(mdbio);
return NULL;
}
typedef struct CMS_PasswordRecipientInfo_st CMS_PasswordRecipientInfo;
typedef struct CMS_OtherRecipientInfo_st CMS_OtherRecipientInfo;
typedef struct CMS_ReceiptsFrom_st CMS_ReceiptsFrom;
+typedef struct CMS_CTX_st CMS_CTX;
+
+struct CMS_CTX_st {
+ OPENSSL_CTX *libctx;
+ char *propq;
+};
struct CMS_ContentInfo_st {
ASN1_OBJECT *contentType;
/* Other types ... */
void *otherData;
} d;
+ CMS_CTX ctx;
};
DEFINE_STACK_OF(CMS_CertificateChoices)
/* Digest and public key context for alternative parameters */
EVP_MD_CTX *mctx;
EVP_PKEY_CTX *pctx;
+ const CMS_CTX *cms_ctx;
};
struct CMS_SignerIdentifier_st {
EVP_PKEY *pkey;
/* Public key context for this operation */
EVP_PKEY_CTX *pctx;
+ const CMS_CTX *cms_ctx;
};
struct CMS_KeyAgreeRecipientInfo_st {
EVP_PKEY_CTX *pctx;
/* Cipher context for CEK wrapping */
EVP_CIPHER_CTX *ctx;
+ const CMS_CTX *cms_ctx;
};
struct CMS_OriginatorIdentifierOrKey_st {
/* Extra info: symmetric key to use */
unsigned char *key;
size_t keylen;
+ const CMS_CTX *cms_ctx;
};
struct CMS_KEKIdentifier_st {
/* Extra info: password to use */
unsigned char *pass;
size_t passlen;
+ const CMS_CTX *cms_ctx;
};
struct CMS_OtherRecipientInfo_st {
# define CMS_OIK_PUBKEY 2
BIO *cms_content_bio(CMS_ContentInfo *cms);
+const CMS_CTX *cms_get0_cmsctx(const CMS_ContentInfo *cms);
+OPENSSL_CTX *cms_ctx_get0_libctx(const CMS_CTX *ctx);
+const char *cms_ctx_get0_propq(const CMS_CTX *ctx);
+void cms_resolve_libctx(CMS_ContentInfo *ci);
-CMS_ContentInfo *cms_Data_create(void);
+CMS_ContentInfo *cms_Data_create(OPENSSL_CTX *ctx, const char *propq);
-CMS_ContentInfo *cms_DigestedData_create(const EVP_MD *md);
+CMS_ContentInfo *cms_DigestedData_create(const EVP_MD *md,
+ OPENSSL_CTX *libctx, const char *propq);
BIO *cms_DigestedData_init_bio(const CMS_ContentInfo *cms);
int cms_DigestedData_do_final(const CMS_ContentInfo *cms, BIO *chain, int verify);
BIO *cms_SignedData_init_bio(CMS_ContentInfo *cms);
int cms_SignedData_final(CMS_ContentInfo *cms, BIO *chain);
int cms_set1_SignerIdentifier(CMS_SignerIdentifier *sid, X509 *cert,
- int type);
+ int type, const CMS_CTX *ctx);
int cms_SignerIdentifier_get0_signer_id(CMS_SignerIdentifier *sid,
ASN1_OCTET_STRING **keyid,
X509_NAME **issuer,
ASN1_INTEGER **sno);
int cms_SignerIdentifier_cert_cmp(CMS_SignerIdentifier *sid, X509 *cert);
-CMS_ContentInfo *cms_CompressedData_create(int comp_nid);
+CMS_ContentInfo *cms_CompressedData_create(int comp_nid, OPENSSL_CTX *libctx,
+ const char *propq);
BIO *cms_CompressedData_init_bio(const CMS_ContentInfo *cms);
-BIO *cms_DigestAlgorithm_init_bio(X509_ALGOR *digestAlgorithm);
+BIO *cms_DigestAlgorithm_init_bio(X509_ALGOR *digestAlgorithm,
+ const CMS_CTX *ctx);
int cms_DigestAlgorithm_find_ctx(EVP_MD_CTX *mctx, BIO *chain,
X509_ALGOR *mdalg);
int cms_set1_ias(CMS_IssuerAndSerialNumber **pias, X509 *cert);
int cms_set1_keyid(ASN1_OCTET_STRING **pkeyid, X509 *cert);
-BIO *cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec);
+BIO *cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec,
+ const CMS_CTX *ctx);
BIO *cms_EncryptedData_init_bio(const CMS_ContentInfo *cms);
int cms_EncryptedContent_init(CMS_EncryptedContentInfo *ec,
const EVP_CIPHER *cipher,
- const unsigned char *key, size_t keylen);
+ const unsigned char *key, size_t keylen,
+ const CMS_CTX *ctx);
int cms_Receipt_verify(CMS_ContentInfo *cms, CMS_ContentInfo *req_cms);
int cms_msgSigDigest_add1(CMS_SignerInfo *dest, CMS_SignerInfo *src);
BIO *cms_EnvelopedData_init_bio(CMS_ContentInfo *cms);
int cms_EnvelopedData_final(CMS_ContentInfo *cms, BIO *chain);
CMS_EnvelopedData *cms_get0_enveloped(CMS_ContentInfo *cms);
+
+/* RecipientInfo routines */
int cms_env_asn1_ctrl(CMS_RecipientInfo *ri, int cmd);
int cms_pkey_get_ri_type(EVP_PKEY *pk);
int cms_pkey_is_ri_type_supported(EVP_PKEY *pk, int ri_type);
+
+void cms_RecipientInfos_set_cmsctx(CMS_ContentInfo *cms);
+
/* KARI routines */
int cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri, X509 *recip,
EVP_PKEY *recipPubKey, X509 *originator,
- EVP_PKEY *originatorPrivKey, unsigned int flags);
+ EVP_PKEY *originatorPrivKey, unsigned int flags,
+ const CMS_CTX *ctx);
int cms_RecipientInfo_kari_encrypt(const CMS_ContentInfo *cms,
CMS_RecipientInfo *ri);
/* PWRI routines */
-int cms_RecipientInfo_pwri_crypt(const CMS_ContentInfo *cms, CMS_RecipientInfo *ri,
- int en_de);
+int cms_RecipientInfo_pwri_crypt(const CMS_ContentInfo *cms,
+ CMS_RecipientInfo *ri, int en_de);
/* SignerInfo routines */
int CMS_si_check_attributes(const CMS_SignerInfo *si);
+void cms_SignerInfos_set_cmsctx(CMS_ContentInfo *cms);
+
/* ESS routines */
int ess_check_signing_certs(CMS_SignerInfo *si, STACK_OF(X509) *chain);
X509_ALGOR *encalg = NULL;
unsigned char iv[EVP_MAX_IV_LENGTH];
int ivlen;
+ const CMS_CTX *cms_ctx = cms_get0_cmsctx(cms);
env = cms_get0_enveloped(cms);
if (!env)
ivlen = EVP_CIPHER_CTX_iv_length(ctx);
if (ivlen > 0) {
- if (RAND_bytes(iv, ivlen) <= 0)
+ if (RAND_bytes_ex(cms_ctx->libctx, iv, ivlen) <= 0)
goto err;
if (EVP_EncryptInit_ex(ctx, NULL, NULL, NULL, iv) <= 0) {
CMSerr(CMS_F_CMS_ADD0_RECIPIENT_PASSWORD, ERR_R_EVP_LIB);
ri->type = CMS_RECIPINFO_PASS;
pwri = ri->d.pwri;
+ pwri->cms_ctx = cms_ctx;
/* Since this is overwritten, free up empty structure already there */
X509_ALGOR_free(pwri->keyEncryptionAlgorithm);
pwri->keyEncryptionAlgorithm = X509_ALGOR_new();
static int kek_wrap_key(unsigned char *out, size_t *outlen,
const unsigned char *in, size_t inlen,
- EVP_CIPHER_CTX *ctx)
+ EVP_CIPHER_CTX *ctx, const CMS_CTX *cms_ctx)
{
size_t blocklen = EVP_CIPHER_CTX_block_size(ctx);
size_t olen;
memcpy(out + 4, in, inlen);
/* Add random padding to end */
if (olen > inlen + 4
- && RAND_bytes(out + 4 + inlen, olen - 4 - inlen) <= 0)
+ && RAND_bytes_ex(cms_ctx->libctx, out + 4 + inlen,
+ olen - 4 - inlen) <= 0)
return 0;
/* Encrypt twice */
if (!EVP_EncryptUpdate(ctx, out, &dummy, out, olen)
/* Encrypt/Decrypt content key in PWRI recipient info */
-int cms_RecipientInfo_pwri_crypt(const CMS_ContentInfo *cms, CMS_RecipientInfo *ri,
- int en_de)
+int cms_RecipientInfo_pwri_crypt(const CMS_ContentInfo *cms,
+ CMS_RecipientInfo *ri, int en_de)
{
CMS_EncryptedContentInfo *ec;
CMS_PasswordRecipientInfo *pwri;
int r = 0;
X509_ALGOR *algtmp, *kekalg = NULL;
EVP_CIPHER_CTX *kekctx = NULL;
- const EVP_CIPHER *kekcipher;
+ const char *name;
+ EVP_CIPHER *kekcipher;
unsigned char *key = NULL;
size_t keylen;
+ const CMS_CTX *cms_ctx = cms_get0_cmsctx(cms);
ec = cms->d.envelopedData->encryptedContentInfo;
return 0;
}
- kekcipher = EVP_get_cipherbyobj(kekalg->algorithm);
+ name = OBJ_nid2sn(OBJ_obj2nid(kekalg->algorithm));
+ kekcipher = EVP_CIPHER_fetch(cms_ctx->libctx, name, cms_ctx->propq);
- if (!kekcipher) {
+ if (kekcipher == NULL) {
CMSerr(CMS_F_CMS_RECIPIENTINFO_PWRI_CRYPT, CMS_R_UNKNOWN_CIPHER);
- return 0;
+ goto err;
}
kekctx = EVP_CIPHER_CTX_new();
if (kekctx == NULL) {
CMSerr(CMS_F_CMS_RECIPIENTINFO_PWRI_CRYPT, ERR_R_MALLOC_FAILURE);
- return 0;
+ goto err;
}
/* Fixup cipher based on AlgorithmIdentifier to set IV etc */
if (!EVP_CipherInit_ex(kekctx, kekcipher, NULL, NULL, NULL, en_de))
if (en_de) {
- if (!kek_wrap_key(NULL, &keylen, ec->key, ec->keylen, kekctx))
+ if (!kek_wrap_key(NULL, &keylen, ec->key, ec->keylen, kekctx, cms_ctx))
goto err;
key = OPENSSL_malloc(keylen);
if (key == NULL)
goto err;
- if (!kek_wrap_key(key, &keylen, ec->key, ec->keylen, kekctx))
+ if (!kek_wrap_key(key, &keylen, ec->key, ec->keylen, kekctx, cms_ctx))
goto err;
pwri->encryptedKey->data = key;
pwri->encryptedKey->length = keylen;
r = 1;
err:
-
+ EVP_CIPHER_free(kekcipher);
EVP_CIPHER_CTX_free(kekctx);
if (!r)
return 0;
}
+
/* Check structures and fixup version numbers (if necessary) */
static void cms_sd_set_version(CMS_SignedData *sd)
STACK_OF(CMS_SignerInfo) *sinfos;
CMS_SignerInfo *sitmp;
int i;
+
sinfos = CMS_get0_SignerInfos(cms);
for (i = 0; i < sk_CMS_SignerInfo_num(sinfos); i++) {
ASN1_OCTET_STRING *messageDigest;
+
sitmp = sk_CMS_SignerInfo_value(sinfos, i);
if (sitmp == si)
continue;
return 0;
}
-int cms_set1_SignerIdentifier(CMS_SignerIdentifier *sid, X509 *cert, int type)
+int cms_set1_SignerIdentifier(CMS_SignerIdentifier *sid, X509 *cert, int type,
+ const CMS_CTX *ctx)
{
switch (type) {
case CMS_SIGNERINFO_ISSUER_SERIAL:
{
EVP_PKEY *pkey = si->pkey;
int i;
+
if (pkey->ameth == NULL || pkey->ameth->pkey_ctrl == NULL)
return 1;
i = pkey->ameth->pkey_ctrl(pkey, ASN1_PKEY_CTRL_CMS_SIGN, cmd, si);
CMS_SignerInfo *si = NULL;
X509_ALGOR *alg;
int i, type;
+ const CMS_CTX *ctx = cms_get0_cmsctx(cms);
+
if (!X509_check_private_key(signer, pk)) {
CMSerr(CMS_F_CMS_ADD1_SIGNER,
CMS_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
X509_up_ref(signer);
EVP_PKEY_up_ref(pk);
+ si->cms_ctx = ctx;
si->pkey = pk;
si->signer = signer;
si->mctx = EVP_MD_CTX_new();
si->version = 1;
}
- if (!cms_set1_SignerIdentifier(si->sid, signer, type))
+ if (!cms_set1_SignerIdentifier(si->sid, signer, type, ctx))
goto err;
if (md == NULL) {
goto err;
}
+ if (md == NULL) {
+ CMSerr(CMS_F_CMS_ADD1_SIGNER, CMS_R_NO_DIGEST_SET);
+ goto err;
+ }
+
X509_ALGOR_set_md(si->digestAlgorithm, md);
/* See if digest is present in digestAlgorithms */
if (flags & CMS_KEY_PARAM) {
if (flags & CMS_NOATTR) {
- si->pctx = EVP_PKEY_CTX_new(si->pkey, NULL);
+ si->pctx = EVP_PKEY_CTX_new_from_pkey(ctx->libctx, si->pkey,
+ ctx->propq);
if (si->pctx == NULL)
goto err;
if (EVP_PKEY_sign_init(si->pctx) <= 0)
goto err;
if (EVP_PKEY_CTX_set_signature_md(si->pctx, md) <= 0)
goto err;
- } else if (EVP_DigestSignInit(si->mctx, &si->pctx, md, NULL, pk) <= 0)
+ } else if (EVP_DigestSignInit_with_libctx(si->mctx, &si->pctx,
+ EVP_MD_name(md),
+ ctx->libctx, ctx->propq,
+ pk) <= 0) {
goto err;
+ }
}
if (!sd->signerInfos)
}
+void cms_SignerInfos_set_cmsctx(CMS_ContentInfo *cms)
+{
+ int i;
+ CMS_SignerInfo *si;
+ STACK_OF(CMS_SignerInfo) *sinfos = CMS_get0_SignerInfos(cms);
+ const CMS_CTX *ctx = cms_get0_cmsctx(cms);
+
+ for (i = 0; i < sk_CMS_SignerInfo_num(sinfos); i++) {
+ si = sk_CMS_SignerInfo_value(sinfos, i);
+ if (si != NULL)
+ si->cms_ctx = ctx;
+ }
+}
+
static int cms_add1_signingTime(CMS_SignerInfo *si, ASN1_TIME *t)
{
ASN1_TIME *tt;
int r = 0;
- if (t)
+
+ if (t != NULL)
tt = t;
else
tt = X509_gmtime_adj(NULL, 0);
- if (!tt)
+ if (tt == NULL)
goto merr;
if (CMS_signed_add1_attr_by_NID(si, NID_pkcs9_signingTime,
goto merr;
r = 1;
-
merr:
-
- if (!t)
+ if (t == NULL)
ASN1_TIME_free(tt);
if (!r)
STACK_OF(CMS_SignerInfo) *CMS_get0_SignerInfos(CMS_ContentInfo *cms)
{
- CMS_SignedData *sd;
- sd = cms_get0_signed(cms);
- if (!sd)
- return NULL;
- return sd->signerInfos;
+ CMS_SignedData *sd = cms_get0_signed(cms);
+
+ return sd != NULL ? sd->signerInfos : NULL;
}
STACK_OF(X509) *CMS_get0_signers(CMS_ContentInfo *cms)
STACK_OF(CMS_SignerInfo) *sinfos;
CMS_SignerInfo *si;
int i;
+
sinfos = CMS_get0_SignerInfos(cms);
for (i = 0; i < sk_CMS_SignerInfo_num(sinfos); i++) {
si = sk_CMS_SignerInfo_value(sinfos, i);
- if (si->signer) {
- if (!signers) {
+ if (si->signer != NULL) {
+ if (signers == NULL) {
signers = sk_X509_new_null();
- if (!signers)
+ if (signers == NULL)
return NULL;
}
if (!sk_X509_push(signers, si->signer)) {
void CMS_SignerInfo_set1_signer_cert(CMS_SignerInfo *si, X509 *signer)
{
- if (signer) {
+ if (signer != NULL) {
X509_up_ref(signer);
EVP_PKEY_free(si->pkey);
si->pkey = X509_get_pubkey(signer);
X509 *x;
int i, j;
int ret = 0;
+
sd = cms_get0_signed(cms);
- if (!sd)
+ if (sd == NULL)
return -1;
certs = sd->certificates;
for (i = 0; i < sk_CMS_SignerInfo_num(sd->signerInfos); i++) {
si = sk_CMS_SignerInfo_value(sd->signerInfos, i);
- if (si->signer)
+ if (si->signer != NULL)
continue;
for (j = 0; j < sk_X509_num(scerts); j++) {
}
}
- if (si->signer || (flags & CMS_NOINTERN))
+ if (si->signer != NULL || (flags & CMS_NOINTERN))
continue;
for (j = 0; j < sk_CMS_CertificateChoices_num(certs); j++) {
X509 **signer, X509_ALGOR **pdig,
X509_ALGOR **psig)
{
- if (pk)
+ if (pk != NULL)
*pk = si->pkey;
- if (signer)
+ if (signer != NULL)
*signer = si->signer;
- if (pdig)
+ if (pdig != NULL)
*pdig = si->digestAlgorithm;
- if (psig)
+ if (psig != NULL)
*psig = si->signatureAlgorithm;
}
EVP_MD_CTX *mctx = EVP_MD_CTX_new();
int r = 0;
EVP_PKEY_CTX *pctx = NULL;
+ const CMS_CTX *ctx = cms_get0_cmsctx(cms);
if (mctx == NULL) {
CMSerr(CMS_F_CMS_SIGNERINFO_CONTENT_SIGN, ERR_R_MALLOC_FAILURE);
return 0;
}
- if (!si->pkey) {
+ if (si->pkey == NULL) {
CMSerr(CMS_F_CMS_SIGNERINFO_CONTENT_SIGN, CMS_R_NO_PRIVATE_KEY);
goto err;
}
if (CMS_signed_get_attr_count(si) >= 0) {
unsigned char md[EVP_MAX_MD_SIZE];
unsigned int mdlen;
+
if (!EVP_DigestFinal_ex(mctx, md, &mdlen))
goto err;
if (!CMS_signed_add1_attr_by_NID(si, NID_pkcs9_messageDigest,
size_t siglen;
unsigned char md[EVP_MAX_MD_SIZE];
unsigned int mdlen;
+
pctx = si->pctx;
if (!EVP_DigestFinal_ex(mctx, md, &mdlen))
goto err;
} else {
unsigned char *sig;
unsigned int siglen;
+
sig = OPENSSL_malloc(EVP_PKEY_size(si->pkey));
if (sig == NULL) {
CMSerr(CMS_F_CMS_SIGNERINFO_CONTENT_SIGN, ERR_R_MALLOC_FAILURE);
goto err;
}
- if (!EVP_SignFinal(mctx, sig, &siglen, si->pkey)) {
+ if (!EVP_SignFinal_with_libctx(mctx, sig, &siglen, si->pkey,
+ ctx->libctx, ctx->propq)) {
CMSerr(CMS_F_CMS_SIGNERINFO_CONTENT_SIGN, CMS_R_SIGNFINAL_ERROR);
OPENSSL_free(sig);
goto err;
STACK_OF(CMS_SignerInfo) *sinfos;
CMS_SignerInfo *si;
int i;
+
sinfos = CMS_get0_SignerInfos(cms);
for (i = 0; i < sk_CMS_SignerInfo_num(sinfos); i++) {
si = sk_CMS_SignerInfo_value(sinfos, i);
unsigned char *abuf = NULL;
int alen;
size_t siglen;
- const EVP_MD *md = NULL;
+ const CMS_CTX *ctx = si->cms_ctx;
+ const char *md_name = OBJ_nid2sn(OBJ_obj2nid(si->digestAlgorithm->algorithm));
- md = EVP_get_digestbyobj(si->digestAlgorithm->algorithm);
- if (md == NULL)
+ if (md_name == NULL)
return 0;
if (CMS_signed_get_attr_by_NID(si, NID_pkcs9_signingTime, -1) < 0) {
pctx = si->pctx;
else {
EVP_MD_CTX_reset(mctx);
- if (EVP_DigestSignInit(mctx, &pctx, md, NULL, si->pkey) <= 0)
+ if (EVP_DigestSignInit_with_libctx(mctx, &pctx,
+ md_name, ctx->libctx, ctx->propq,
+ si->pkey) <= 0)
goto err;
si->pctx = pctx;
}
EVP_MD_CTX *mctx = NULL;
unsigned char *abuf = NULL;
int alen, r = -1;
- const EVP_MD *md = NULL;
+ const char *name;
+ EVP_MD *md = NULL;
+ const CMS_CTX *ctx = si->cms_ctx;
- if (!si->pkey) {
+ if (si->pkey == NULL) {
CMSerr(CMS_F_CMS_SIGNERINFO_VERIFY, CMS_R_NO_PUBLIC_KEY);
return -1;
}
if (!CMS_si_check_attributes(si))
return -1;
- md = EVP_get_digestbyobj(si->digestAlgorithm->algorithm);
+ name = OBJ_nid2sn(OBJ_obj2nid(si->digestAlgorithm->algorithm));
+ md = EVP_MD_fetch(ctx->libctx, name, ctx->propq);
if (md == NULL)
return -1;
if (si->mctx == NULL && (si->mctx = EVP_MD_CTX_new()) == NULL) {
CMSerr(CMS_F_CMS_SIGNERINFO_VERIFY, ERR_R_MALLOC_FAILURE);
- return -1;
+ goto err;
}
mctx = si->mctx;
- if (EVP_DigestVerifyInit(mctx, &si->pctx, md, NULL, si->pkey) <= 0)
+ if (EVP_DigestVerifyInit_with_libctx(mctx, &si->pctx,
+ EVP_MD_name(md), ctx->libctx, NULL,
+ si->pkey) <= 0)
goto err;
if (!cms_sd_asn1_ctrl(si, 1))
if (r <= 0)
CMSerr(CMS_F_CMS_SIGNERINFO_VERIFY, CMS_R_VERIFICATION_FAILURE);
err:
+ EVP_MD_free(md);
EVP_MD_CTX_reset(mctx);
return r;
}
int i;
CMS_SignedData *sd;
BIO *chain = NULL;
+
sd = cms_get0_signed(cms);
- if (!sd)
+ if (sd == NULL)
return NULL;
if (cms->d.signedData->encapContentInfo->partial)
cms_sd_set_version(sd);
for (i = 0; i < sk_X509_ALGOR_num(sd->digestAlgorithms); i++) {
X509_ALGOR *digestAlgorithm;
BIO *mdbio;
+
digestAlgorithm = sk_X509_ALGOR_value(sd->digestAlgorithms, i);
- mdbio = cms_DigestAlgorithm_init_bio(digestAlgorithm);
- if (!mdbio)
+ mdbio = cms_DigestAlgorithm_init_bio(digestAlgorithm, cms_get0_cmsctx(cms));
+ if (mdbio == NULL)
goto err;
- if (chain)
+ if (chain != NULL)
BIO_push(chain, mdbio);
else
chain = mdbio;
os = CMS_signed_get0_data_by_OBJ(si,
OBJ_nid2obj(NID_pkcs9_messageDigest),
-3, V_ASN1_OCTET_STRING);
- if (!os) {
+ if (os == NULL) {
CMSerr(CMS_F_CMS_SIGNERINFO_VERIFY_CONTENT,
CMS_R_ERROR_READING_MESSAGEDIGEST_ATTRIBUTE);
goto err;
/* If messageDigest found compare it */
- if (os) {
+ if (os != NULL) {
if (mlen != (unsigned int)os->length) {
CMSerr(CMS_F_CMS_SIGNERINFO_VERIFY_CONTENT,
CMS_R_MESSAGEDIGEST_ATTRIBUTE_WRONG_LENGTH);
r = 1;
} else {
const EVP_MD *md = EVP_MD_CTX_md(mctx);
- pkctx = EVP_PKEY_CTX_new(si->pkey, NULL);
+ const CMS_CTX *ctx = si->cms_ctx;
+
+ pkctx = EVP_PKEY_CTX_new_from_pkey(ctx->libctx, si->pkey, ctx->propq);
if (pkctx == NULL)
goto err;
if (EVP_PKEY_verify_init(pkctx) <= 0)
{
unsigned char *smder = NULL;
int smderlen, r;
+
smderlen = i2d_X509_ALGORS(algs, &smder);
if (smderlen <= 0)
return 0;
{
X509_ALGOR *alg;
ASN1_INTEGER *key = NULL;
+
if (keysize > 0) {
key = ASN1_INTEGER_new();
if (key == NULL || !ASN1_INTEGER_set(key, keysize)) {
static BIO *cms_get_text_bio(BIO *out, unsigned int flags)
{
BIO *rbio;
+
if (out == NULL)
rbio = BIO_new(BIO_s_null());
else if (flags & CMS_TEXT) {
break;
}
- if (tmpout && (BIO_write(tmpout, buf, i) != i))
+ if (tmpout != NULL && (BIO_write(tmpout, buf, i) != i))
goto err;
}
}
r = 1;
-
err:
if (tmpout != out)
BIO_free(tmpout);
{
if (upto != NULL) {
BIO *tbio;
+
do {
tbio = BIO_pop(f);
BIO_free(f);
f = tbio;
} while (f != NULL && f != upto);
- } else
+ } else {
BIO_free_all(f);
+ }
}
int CMS_data(CMS_ContentInfo *cms, BIO *out, unsigned int flags)
{
BIO *cont;
int r;
+
if (OBJ_obj2nid(CMS_get0_type(cms)) != NID_pkcs7_data) {
CMSerr(CMS_F_CMS_DATA, CMS_R_TYPE_NOT_DATA);
return 0;
}
cont = CMS_dataInit(cms, NULL);
- if (!cont)
+ if (cont == NULL)
return 0;
r = cms_copy_content(out, cont, flags);
BIO_free_all(cont);
return r;
}
-CMS_ContentInfo *CMS_data_create(BIO *in, unsigned int flags)
+CMS_ContentInfo *CMS_data_create_with_libctx(BIO *in, unsigned int flags,
+ OPENSSL_CTX *libctx,
+ const char *propq)
{
- CMS_ContentInfo *cms;
- cms = cms_Data_create();
- if (!cms)
+ CMS_ContentInfo *cms = cms_Data_create(libctx, propq);
+
+ if (cms == NULL)
return NULL;
if ((flags & CMS_STREAM) || CMS_final(cms, in, NULL, flags))
return cms;
CMS_ContentInfo_free(cms);
-
return NULL;
}
+CMS_ContentInfo *CMS_data_create(BIO *in, unsigned int flags)
+{
+ return CMS_data_create_with_libctx(in, flags, NULL, NULL);
+}
+
int CMS_digest_verify(CMS_ContentInfo *cms, BIO *dcont, BIO *out,
unsigned int flags)
{
BIO *cont;
int r;
+
if (OBJ_obj2nid(CMS_get0_type(cms)) != NID_pkcs7_digest) {
CMSerr(CMS_F_CMS_DIGEST_VERIFY, CMS_R_TYPE_NOT_DIGESTED_DATA);
return 0;
}
- if (!dcont && !check_content(cms))
+ if (dcont == NULL && !check_content(cms))
return 0;
cont = CMS_dataInit(cms, dcont);
- if (!cont)
+ if (cont == NULL)
return 0;
+
r = cms_copy_content(out, cont, flags);
if (r)
r = cms_DigestedData_do_final(cms, cont, 1);
return r;
}
-CMS_ContentInfo *CMS_digest_create(BIO *in, const EVP_MD *md,
- unsigned int flags)
+CMS_ContentInfo *CMS_digest_create_with_libctx(BIO *in,
+ const EVP_MD *md,
+ unsigned int flags,
+ OPENSSL_CTX *ctx,
+ const char *propq)
{
CMS_ContentInfo *cms;
- if (!md)
+
+ if (md == NULL)
md = EVP_sha1();
- cms = cms_DigestedData_create(md);
- if (!cms)
+ cms = cms_DigestedData_create(md, ctx, propq);
+ if (cms == NULL)
return NULL;
if (!(flags & CMS_DETACHED))
return NULL;
}
+CMS_ContentInfo *CMS_digest_create(BIO *in, const EVP_MD *md,
+ unsigned int flags)
+{
+ return CMS_digest_create_with_libctx(in, md, flags, NULL, NULL);
+}
+
int CMS_EncryptedData_decrypt(CMS_ContentInfo *cms,
const unsigned char *key, size_t keylen,
BIO *dcont, BIO *out, unsigned int flags)
{
BIO *cont;
int r;
+
if (OBJ_obj2nid(CMS_get0_type(cms)) != NID_pkcs7_encrypted) {
CMSerr(CMS_F_CMS_ENCRYPTEDDATA_DECRYPT,
CMS_R_TYPE_NOT_ENCRYPTED_DATA);
return 0;
}
- if (!dcont && !check_content(cms))
+ if (dcont == NULL && !check_content(cms))
return 0;
if (CMS_EncryptedData_set1_key(cms, NULL, key, keylen) <= 0)
return 0;
cont = CMS_dataInit(cms, dcont);
- if (!cont)
+ if (cont == NULL)
return 0;
r = cms_copy_content(out, cont, flags);
do_free_upto(cont, dcont);
return r;
}
-CMS_ContentInfo *CMS_EncryptedData_encrypt(BIO *in, const EVP_CIPHER *cipher,
- const unsigned char *key,
- size_t keylen, unsigned int flags)
+CMS_ContentInfo *CMS_EncryptedData_encrypt_with_libctx(BIO *in,
+ const EVP_CIPHER *cipher,
+ const unsigned char *key,
+ size_t keylen,
+ unsigned int flags,
+ OPENSSL_CTX *libctx,
+ const char *propq)
{
CMS_ContentInfo *cms;
- if (!cipher) {
- CMSerr(CMS_F_CMS_ENCRYPTEDDATA_ENCRYPT, CMS_R_NO_CIPHER);
+
+ if (cipher == NULL) {
+ CMSerr(0, CMS_R_NO_CIPHER);
return NULL;
}
- cms = CMS_ContentInfo_new();
+ cms = CMS_ContentInfo_new_with_libctx(libctx, propq);
if (cms == NULL)
return NULL;
if (!CMS_EncryptedData_set1_key(cms, cipher, key, keylen))
return NULL;
}
+CMS_ContentInfo *CMS_EncryptedData_encrypt(BIO *in, const EVP_CIPHER *cipher,
+ const unsigned char *key,
+ size_t keylen, unsigned int flags)
+{
+ return CMS_EncryptedData_encrypt_with_libctx(in, cipher, key, keylen, flags,
+ NULL, NULL);
+}
+
static int cms_signerinfo_verify_cert(CMS_SignerInfo *si,
X509_STORE *store,
STACK_OF(X509) *certs,
STACK_OF(X509_CRL) *crls,
- STACK_OF(X509) **chain)
+ STACK_OF(X509) **chain,
+ const CMS_CTX *cms_ctx)
{
- X509_STORE_CTX *ctx = X509_STORE_CTX_new();
+ X509_STORE_CTX *ctx;
X509 *signer;
int i, j, r = 0;
+ ctx = X509_STORE_CTX_new_with_libctx(cms_ctx->libctx, cms_ctx->propq);
if (ctx == NULL) {
CMSerr(CMS_F_CMS_SIGNERINFO_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
goto err;
goto err;
}
X509_STORE_CTX_set_default(ctx, "smime_sign");
- if (crls)
+ if (crls != NULL)
X509_STORE_CTX_set0_crls(ctx, crls);
i = X509_verify_cert(ctx);
int i, scount = 0, ret = 0;
BIO *cmsbio = NULL, *tmpin = NULL, *tmpout = NULL;
int cadesVerify = (flags & CMS_CADES) != 0;
+ const CMS_CTX *ctx = cms_get0_cmsctx(cms);
- if (!dcont && !check_content(cms))
+ if (dcont == NULL && !check_content(cms))
return 0;
- if (dcont && !(flags & CMS_BINARY)) {
+ if (dcont != NULL && !(flags & CMS_BINARY)) {
const ASN1_OBJECT *coid = CMS_get0_eContentType(cms);
+
if (OBJ_obj2nid(coid) == NID_id_ct_asciiTextWithCRLF)
flags |= CMS_ASCIICRLF;
}
si = sk_CMS_SignerInfo_value(sinfos, i);
if (!cms_signerinfo_verify_cert(si, store, cms_certs, crls,
- si_chains ? &si_chains[i] : NULL))
+ si_chains ? &si_chains[i] : NULL,
+ ctx))
goto err;
}
}
* reading from a read write memory BIO when signatures are calculated.
*/
- if (dcont && (BIO_method_type(dcont) == BIO_TYPE_MEM)) {
+ if (dcont != NULL && (BIO_method_type(dcont) == BIO_TYPE_MEM)) {
char *ptr;
long len;
+
len = BIO_get_mem_data(dcont, &ptr);
tmpin = BIO_new_mem_buf(ptr, len);
if (tmpin == NULL) {
CMSerr(CMS_F_CMS_VERIFY, ERR_R_MALLOC_FAILURE);
goto err2;
}
- } else
+ } else {
tmpin = dcont;
+ }
/*
* If not binary mode and detached generate digests by *writing* through
* the BIO. That makes it possible to canonicalise the input.
* included content doesn't override detached content.
*/
tmpout = cms_get_text_bio(out, flags);
- if (!tmpout) {
+ if (tmpout == NULL) {
CMSerr(CMS_F_CMS_VERIFY, ERR_R_MALLOC_FAILURE);
goto err;
}
cmsbio = CMS_dataInit(cms, tmpout);
- if (!cmsbio)
+ if (cmsbio == NULL)
goto err;
/*
* Don't use SMIME_TEXT for verify: it adds headers and we want to
}
} else {
cmsbio = CMS_dataInit(cms, tmpin);
- if (!cmsbio)
+ if (cmsbio == NULL)
goto err;
if (!cms_copy_content(out, cmsbio, flags))
}
ret = 1;
-
err:
if (!(flags & SMIME_BINARY) && dcont) {
do_free_upto(cmsbio, tmpout);
X509_STORE *store, unsigned int flags)
{
int r;
+
flags &= ~(CMS_DETACHED | CMS_TEXT);
r = CMS_verify(rcms, certs, store, NULL, NULL, flags);
if (r <= 0)
return cms_Receipt_verify(rcms, ocms);
}
-CMS_ContentInfo *CMS_sign(X509 *signcert, EVP_PKEY *pkey,
- STACK_OF(X509) *certs, BIO *data,
- unsigned int flags)
+CMS_ContentInfo *CMS_sign_with_libctx(X509 *signcert, EVP_PKEY *pkey,
+ STACK_OF(X509) *certs, BIO *data,
+ unsigned int flags,
+ OPENSSL_CTX *libctx, const char *propq)
{
CMS_ContentInfo *cms;
int i;
- cms = CMS_ContentInfo_new();
+ cms = CMS_ContentInfo_new_with_libctx(libctx, propq);
if (cms == NULL || !CMS_SignedData_init(cms))
goto merr;
if (flags & CMS_ASCIICRLF
OBJ_nid2obj(NID_id_ct_asciiTextWithCRLF)))
goto err;
- if (pkey && !CMS_add1_signer(cms, signcert, pkey, NULL, flags)) {
- CMSerr(CMS_F_CMS_SIGN, CMS_R_ADD_SIGNER_ERROR);
+ if (pkey != NULL && !CMS_add1_signer(cms, signcert, pkey, NULL, flags)) {
+ CMSerr(0, CMS_R_ADD_SIGNER_ERROR);
goto err;
}
for (i = 0; i < sk_X509_num(certs); i++) {
X509 *x = sk_X509_value(certs, i);
+
if (!CMS_add1_cert(cms, x))
goto merr;
}
goto err;
merr:
- CMSerr(CMS_F_CMS_SIGN, ERR_R_MALLOC_FAILURE);
+ CMSerr(0, ERR_R_MALLOC_FAILURE);
err:
CMS_ContentInfo_free(cms);
return NULL;
}
+CMS_ContentInfo *CMS_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs,
+ BIO *data, unsigned int flags)
+{
+ return CMS_sign_with_libctx(signcert, pkey, certs, data, flags, NULL, NULL);
+}
+
CMS_ContentInfo *CMS_sign_receipt(CMS_SignerInfo *si,
X509 *signcert, EVP_PKEY *pkey,
STACK_OF(X509) *certs, unsigned int flags)
ASN1_OCTET_STRING **pos, *os;
BIO *rct_cont = NULL;
int r = 0;
+ const CMS_CTX *ctx = si->cms_ctx;
flags &= ~(CMS_STREAM | CMS_TEXT);
/* Not really detached but avoids content being allocated */
/* Initialize signed data */
- cms = CMS_sign(NULL, NULL, certs, NULL, flags);
- if (!cms)
+ cms = CMS_sign_with_libctx(NULL, NULL, certs, NULL, flags,
+ ctx->libctx, ctx->propq);
+ if (cms == NULL)
goto err;
/* Set inner content type to signed receipt */
}
os = cms_encode_Receipt(si);
-
- if (!os)
+ if (os == NULL)
goto err;
/* Set content to digest */
rct_cont = BIO_new_mem_buf(os->data, os->length);
- if (!rct_cont)
+ if (rct_cont == NULL)
goto err;
/* Add msgSigDigest attribute */
}
-CMS_ContentInfo *CMS_encrypt(STACK_OF(X509) *certs, BIO *data,
- const EVP_CIPHER *cipher, unsigned int flags)
+CMS_ContentInfo *CMS_encrypt_with_libctx(STACK_OF(X509) *certs,
+ BIO *data, const EVP_CIPHER *cipher,
+ unsigned int flags,
+ OPENSSL_CTX *libctx, const char *propq)
{
CMS_ContentInfo *cms;
int i;
X509 *recip;
- cms = CMS_EnvelopedData_create(cipher);
- if (!cms)
+
+ cms = CMS_EnvelopedData_create_with_libctx(cipher, libctx, propq);
+ if (cms == NULL)
goto merr;
for (i = 0; i < sk_X509_num(certs); i++) {
recip = sk_X509_value(certs, i);
if (!CMS_add1_recipient_cert(cms, recip, flags)) {
- CMSerr(CMS_F_CMS_ENCRYPT, CMS_R_RECIPIENT_ERROR);
+ CMSerr(0, CMS_R_RECIPIENT_ERROR);
goto err;
}
}
goto err;
merr:
- CMSerr(CMS_F_CMS_ENCRYPT, ERR_R_MALLOC_FAILURE);
+ CMSerr(0, ERR_R_MALLOC_FAILURE);
err:
CMS_ContentInfo_free(cms);
return NULL;
}
-static int cms_kari_set1_pkey_and_peer(CMS_ContentInfo *cms, CMS_RecipientInfo *ri,
+CMS_ContentInfo *CMS_encrypt(STACK_OF(X509) *certs, BIO *data,
+ const EVP_CIPHER *cipher, unsigned int flags)
+{
+ return CMS_encrypt_with_libctx(certs, data, cipher, flags, NULL, NULL);
+}
+
+static int cms_kari_set1_pkey_and_peer(CMS_ContentInfo *cms,
+ CMS_RecipientInfo *ri,
EVP_PKEY *pk, X509 *cert, X509 *peer)
{
int i;
reks = CMS_RecipientInfo_kari_get0_reks(ri);
for (i = 0; i < sk_CMS_RecipientEncryptedKey_num(reks); i++) {
int rv;
+
rek = sk_CMS_RecipientEncryptedKey_value(reks, i);
if (cert != NULL && CMS_RecipientEncryptedKey_cert_cmp(rek, cert))
continue;
return CMS_decrypt_set1_pkey_and_peer(cms, pk, cert, NULL);
}
-int CMS_decrypt_set1_pkey_and_peer(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert, X509 *peer)
+int CMS_decrypt_set1_pkey_and_peer(CMS_ContentInfo *cms, EVP_PKEY *pk,
+ X509 *cert, X509 *peer)
{
STACK_OF(CMS_RecipientInfo) *ris;
CMS_RecipientInfo *ri;
int i, r, cms_pkey_ri_type;
int debug = 0, match_ri = 0;
+
ris = CMS_get0_RecipientInfos(cms);
- if (ris)
+ if (ris != NULL)
debug = cms->d.envelopedData->encryptedContentInfo->debug;
cms_pkey_ri_type = cms_pkey_get_ri_type(pk);
* If we have a cert try matching RecipientInfo otherwise try them
* all.
*/
- else if (!cert || !CMS_RecipientInfo_ktri_cert_cmp(ri, cert)) {
+ else if (cert == NULL|| !CMS_RecipientInfo_ktri_cert_cmp(ri, cert)) {
EVP_PKEY_up_ref(pk);
CMS_RecipientInfo_set0_pkey(ri, pk);
r = CMS_RecipientInfo_decrypt(cms, ri);
CMS_RecipientInfo_set0_pkey(ri, NULL);
- if (cert) {
+ if (cert != NULL) {
/*
* If not debugging clear any error and return success to
* avoid leaking of information useful to MMA
}
}
/* If no cert, key transport and not debugging always return success */
- if (cert == NULL && cms_pkey_ri_type == CMS_RECIPINFO_TRANS && match_ri && !debug) {
+ if (cert == NULL
+ && cms_pkey_ri_type == CMS_RECIPINFO_TRANS
+ && match_ri
+ && !debug) {
ERR_clear_error();
return 1;
}
STACK_OF(CMS_RecipientInfo) *ris;
CMS_RecipientInfo *ri;
int i, r;
+
ris = CMS_get0_RecipientInfos(cms);
for (i = 0; i < sk_CMS_RecipientInfo_num(ris); i++) {
ri = sk_CMS_RecipientInfo_value(ris, i);
* If we have an id try matching RecipientInfo otherwise try them
* all.
*/
- if (!id || (CMS_RecipientInfo_kekri_id_cmp(ri, id, idlen) == 0)) {
+ if (id == NULL || (CMS_RecipientInfo_kekri_id_cmp(ri, id, idlen) == 0)) {
CMS_RecipientInfo_set0_key(ri, key, keylen);
r = CMS_RecipientInfo_decrypt(cms, ri);
CMS_RecipientInfo_set0_key(ri, NULL, 0);
if (r > 0)
return 1;
- if (id) {
+ if (id != NULL) {
CMSerr(CMS_F_CMS_DECRYPT_SET1_KEY, CMS_R_DECRYPT_ERROR);
return 0;
}
STACK_OF(CMS_RecipientInfo) *ris;
CMS_RecipientInfo *ri;
int i, r;
+
ris = CMS_get0_RecipientInfos(cms);
for (i = 0; i < sk_CMS_RecipientInfo_num(ris); i++) {
ri = sk_CMS_RecipientInfo_value(ris, i);
CMSerr(CMS_F_CMS_DECRYPT, CMS_R_TYPE_NOT_ENVELOPED_DATA);
return 0;
}
- if (!dcont && !check_content(cms))
+ if (dcont == NULL && !check_content(cms))
return 0;
if (flags & CMS_DEBUG_DECRYPT)
cms->d.envelopedData->encryptedContentInfo->debug = 1;
else
cms->d.envelopedData->encryptedContentInfo->debug = 0;
- if (!cert)
+ if (cert == NULL)
cms->d.envelopedData->encryptedContentInfo->havenocert = 1;
else
cms->d.envelopedData->encryptedContentInfo->havenocert = 0;
return 0;
}
- SMIME_crlf_copy(data, cmsbio, flags);
+ ret = SMIME_crlf_copy(data, cmsbio, flags);
(void)BIO_flush(cmsbio);
CMSerr(CMS_F_CMS_FINAL, CMS_R_CMS_DATAFINAL_ERROR);
goto err;
}
-
- ret = 1;
-
- err:
+err:
do_free_upto(cmsbio, dcont);
return ret;
{
BIO *cont;
int r;
+
if (OBJ_obj2nid(CMS_get0_type(cms)) != NID_id_smime_ct_compressedData) {
CMSerr(CMS_F_CMS_UNCOMPRESS, CMS_R_TYPE_NOT_COMPRESSED_DATA);
return 0;
}
- if (!dcont && !check_content(cms))
+ if (dcont == NULL && !check_content(cms))
return 0;
cont = CMS_dataInit(cms, dcont);
- if (!cont)
+ if (cont == NULL)
return 0;
r = cms_copy_content(out, cont, flags);
do_free_upto(cont, dcont);
CMS_ContentInfo *CMS_compress(BIO *in, int comp_nid, unsigned int flags)
{
CMS_ContentInfo *cms;
+
if (comp_nid <= 0)
comp_nid = NID_zlib_compression;
- cms = cms_CompressedData_create(comp_nid);
- if (!cms)
+ cms = cms_CompressedData_create(comp_nid, NULL, NULL);
+ if (cms == NULL)
return NULL;
if (!(flags & CMS_DETACHED))
{- $OpenSSL::safe::opt_r_synopsis -}
{- $OpenSSL::safe::opt_engine_synopsis -}
{- $OpenSSL::safe::opt_provider_synopsis -}
+{- $OpenSSL::safe::opt_config_synopsis -}
[I<recipient-cert> ...]
=for openssl ifdef des-wrap engine
{- $OpenSSL::safe::opt_provider_item -}
+{- $OpenSSL::safe::opt_config_item -}
+
=item I<recipient-cert> ...
One or more certificates of message recipients: used when encrypting
=head1 NAME
-CMS_EnvelopedData_create - Create CMS envelope
+CMS_EnvelopedData_create_with_libctx, CMS_EnvelopedData_create
+- Create CMS envelope
=head1 SYNOPSIS
#include <openssl/cms.h>
+ CMS_ContentInfo *CMS_EnvelopedData_create_with_libctx(const EVP_CIPHER *cipher,
+ OPENSSL_CTX *libctx,
+ const char *propq);
CMS_ContentInfo *CMS_EnvelopedData_create(const EVP_CIPHER *cipher);
=head1 DESCRIPTION
-CMS_EnvelopedData_create() creates a B<CMS_ContentInfo> structure with
-a type B<NID_pkcs7_enveloped>. B<cipher> is the symmetric cipher to use.
+CMS_EnvelopedData_create_with_libctx() creates a B<CMS_ContentInfo> structure with
+a type B<NID_pkcs7_enveloped>. I<cipher> is the symmetric cipher to use. The
+library context I<libctx> and the property query I<propq> are used when
+retrieving algorithms from providers.
-The algorithm passed in the B<cipher> parameter must support ASN1 encoding of
+The algorithm passed in the I<cipher> parameter must support ASN1 encoding of
its parameters.
The recipients can be added later using L<CMS_add1_recipient_cert(3)> or
The B<CMS_ContentInfo> structure needs to be finalized using L<CMS_final(3)>
and then freed using L<CMS_ContentInfo_free(3)>.
+CMS_EnvelopedData_create() is similar to CMS_EnvelopedData_create_with_libctx()
+but uses default values of NULL for the library context I<libctx> and the
+property query I<propq>.
+
=head1 NOTES
Although CMS_EnvelopedData_create() allocates a new B<CMS_ContentInfo>
L<ERR_get_error(3)>, L<CMS_encrypt(3)>, L<CMS_decrypt(3)>, L<CMS_final(3)>
+head1 HISTORY
+
+The CMS_EnvelopedData_create_with_libctx() method was added in OpenSSL 3.0.
+
=head1 COPYRIGHT
Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
=head1 NAME
-CMS_encrypt - create a CMS envelopedData structure
+CMS_encrypt_with_libctx, CMS_encrypt - create a CMS envelopedData structure
=head1 SYNOPSIS
#include <openssl/cms.h>
+ CMS_ContentInfo *CMS_encrypt_with_libctx(STACK_OF(X509) *certs,
+ BIO *in, const EVP_CIPHER *cipher,
+ unsigned int flags,
+ OPENSSL_CTX *libctx, const char *propq);
CMS_ContentInfo *CMS_encrypt(STACK_OF(X509) *certs, BIO *in,
const EVP_CIPHER *cipher, unsigned int flags);
=head1 DESCRIPTION
-CMS_encrypt() creates and returns a CMS EnvelopedData structure. B<certs>
-is a list of recipient certificates. B<in> is the content to be encrypted.
-B<cipher> is the symmetric cipher to use. B<flags> is an optional set of flags.
+CMS_encrypt_with_libctx() creates and returns a CMS EnvelopedData structure.
+I<certs> is a list of recipient certificates. I<in> is the content to be
+encrypted. I<cipher> is the symmetric cipher to use. I<flags> is an optional set
+of flags. The library context I<libctx> and the property query I<propq> are used
+internally when retrieving algorithms from providers.
Only certificates carrying RSA, Diffie-Hellman or EC keys are supported by this
function.
The parameter B<certs> may be NULL if B<CMS_PARTIAL> is set and recipients
added later using CMS_add1_recipient_cert() or CMS_add0_recipient_key().
+CMS_encrypt() is similar to CMS_encrypt_with_libctx() but uses default values of
+NULL for the library context I<libctx> and the property query I<propq>.
+
=head1 RETURN VALUES
-CMS_encrypt() returns either a CMS_ContentInfo structure or NULL if an error
-occurred. The error can be obtained from ERR_get_error(3).
+CMS_encrypt_with_libctx() and CMS_encrypt() return either a CMS_ContentInfo
+structure or NULL if an error occurred. The error can be obtained from
+ERR_get_error(3).
=head1 SEE ALSO
=head1 HISTORY
+The function CMS_encrypt_with_libctx() was added in OpenSSL 3.0.
+
The B<CMS_STREAM> flag was first supported in OpenSSL 1.0.0.
=head1 COPYRIGHT
-Copyright 2008-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2008-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
=head1 NAME
-CMS_ReceiptRequest_create0, CMS_add1_ReceiptRequest, CMS_get1_ReceiptRequest, CMS_ReceiptRequest_get0_values - CMS signed receipt request functions
+CMS_ReceiptRequest_create0_with_libctx, CMS_ReceiptRequest_create0,
+CMS_add1_ReceiptRequest, CMS_get1_ReceiptRequest, CMS_ReceiptRequest_get0_values
+- CMS signed receipt request functions
=head1 SYNOPSIS
#include <openssl/cms.h>
- CMS_ReceiptRequest *CMS_ReceiptRequest_create0(unsigned char *id, int idlen,
- int allorfirst,
- STACK_OF(GENERAL_NAMES) *receiptList,
- STACK_OF(GENERAL_NAMES) *receiptsTo);
+ CMS_ReceiptRequest *CMS_ReceiptRequest_create0_with_libctx(
+ unsigned char *id, int idlen, int allorfirst,
+ STACK_OF(GENERAL_NAMES) *receiptList, STACK_OF(GENERAL_NAMES) *receiptsTo,
+ OPENSSL_CTX *libctx, const char *propq);
+ CMS_ReceiptRequest *CMS_ReceiptRequest_create0(
+ unsigned char *id, int idlen, int allorfirst,
+ STACK_OF(GENERAL_NAMES) *receiptList, STACK_OF(GENERAL_NAMES) *receiptsTo);
int CMS_add1_ReceiptRequest(CMS_SignerInfo *si, CMS_ReceiptRequest *rr);
int CMS_get1_ReceiptRequest(CMS_SignerInfo *si, CMS_ReceiptRequest **prr);
void CMS_ReceiptRequest_get0_values(CMS_ReceiptRequest *rr, ASN1_STRING **pcid,
=head1 DESCRIPTION
-CMS_ReceiptRequest_create0() creates a signed receipt request structure. The
-B<signedContentIdentifier> field is set using B<id> and B<idlen>, or it is set
-to 32 bytes of pseudo random data if B<id> is NULL. If B<receiptList> is NULL
-the allOrFirstTier option in B<receiptsFrom> is used and set to the value of
-the B<allorfirst> parameter. If B<receiptList> is not NULL the B<receiptList>
-option in B<receiptsFrom> is used. The B<receiptsTo> parameter specifies the
-B<receiptsTo> field value.
+CMS_ReceiptRequest_create0_with_libctx() creates a signed receipt request
+structure. The B<signedContentIdentifier> field is set using I<id> and I<idlen>,
+or it is set to 32 bytes of pseudo random data if I<id> is NULL.
+If I<receiptList> is NULL the allOrFirstTier option in I<receiptsFrom> is used
+and set to the value of the I<allorfirst> parameter. If I<receiptList> is not
+NULL the I<receiptList> option in I<receiptsFrom> is used. The I<receiptsTo>
+parameter specifies the I<receiptsTo> field value. The library context I<libctx>
+and the property query I<propq> are used when retrieving algorithms from providers.
+
+CMS_ReceiptRequest_create0() is similar to
+CMS_ReceiptRequest_create0_with_libctx() but uses default values of NULL for the
+library context I<libctx> and the property query I<propq>.
The CMS_add1_ReceiptRequest() function adds a signed receipt request B<rr>
to SignerInfo structure B<si>.
=head1 RETURN VALUES
-CMS_ReceiptRequest_create0() returns a signed receipt request structure or
-NULL if an error occurred.
+CMS_ReceiptRequest_create0_with_libctx() and CMS_ReceiptRequest_create0() return
+a signed receipt request structure or NULL if an error occurred.
CMS_add1_ReceiptRequest() returns 1 for success or 0 if an error occurred.
L<CMS_sign_receipt(3)>, L<CMS_verify(3)>
L<CMS_verify_receipt(3)>
+=head1 HISTORY
+
+The function CMS_ReceiptRequest_create0_with_libctx() was added in OpenSSL 3.0.
+
=head1 COPYRIGHT
-Copyright 2008-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2008-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
=head1 NAME
-CMS_sign - create a CMS SignedData structure
+CMS_sign, CMS_sign_with_libctx - create a CMS SignedData structure
=head1 SYNOPSIS
#include <openssl/cms.h>
+ CMS_ContentInfo *CMS_sign_with_libctx(X509 *signcert, EVP_PKEY *pkey,
+ STACK_OF(X509) *certs, BIO *data,
+ unsigned int flags,
+ OPENSSL_CTX *ctx, const char *propq);
CMS_ContentInfo *CMS_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs,
BIO *data, unsigned int flags);
=head1 DESCRIPTION
-CMS_sign() creates and returns a CMS SignedData structure. B<signcert> is
-the certificate to sign with, B<pkey> is the corresponding private key.
-B<certs> is an optional additional set of certificates to include in the CMS
-structure (for example any intermediate CAs in the chain). Any or all of
-these parameters can be B<NULL>, see B<NOTES> below.
+CMS_sign_with_libctx() creates and returns a CMS SignedData structure.
+I<signcert> is the certificate to sign with, I<pkey> is the corresponding
+private key. I<certs> is an optional additional set of certificates to include
+in the CMS structure (for example any intermediate CAs in the chain). The
+library context I<libctx> and the property query I<propq> are used when
+retrieving algorithms from providers. Any or all of these parameters can be
+B<NULL>, see B<NOTES> below.
The data to be signed is read from BIO B<data>.
B<flags> is an optional set of flags.
+CMS_sign() is similar to CMS_sign_with_libctx() but uses default values of NULL
+for the library context I<libctx> and the property query I<propq>.
+
=head1 NOTES
Any of the following flags (ored together) can be passed in the B<flags>
If present the SMIMECapabilities attribute indicates support for the following
algorithms in preference order: 256 bit AES, Gost R3411-94, Gost 28147-89, 192
bit AES, 128 bit AES, triple DES, 128 bit RC2, 64 bit RC2, DES and 40 bit RC2.
-If any of these algorithms is not available then it will not be included: for example the GOST algorithms will not be included if the GOST ENGINE is
+If any of these algorithms is not available then it will not be included:
+for example the GOST algorithms will not be included if the GOST ENGINE is
not loaded.
OpenSSL will by default identify signing certificates using issuer name
=head1 RETURN VALUES
-CMS_sign() returns either a valid CMS_ContentInfo structure or NULL if an error
-occurred. The error can be obtained from ERR_get_error(3).
+CMS_sign_with_libctx() and CMS_sign() return either a valid CMS_ContentInfo
+structure or NULL if an error occurred. The error can be obtained from
+ERR_get_error(3).
=head1 SEE ALSO
The B<CMS_STREAM> flag is only supported for detached data in OpenSSL 0.9.8,
it is supported for embedded data in OpenSSL 1.0.0 and later.
+The CMS_sign_with_libctx() method was added in OpenSSL 3.0.
+
=head1 COPYRIGHT
Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved.
=head1 NAME
-SMIME_read_CMS - parse S/MIME message
+SMIME_read_CMS_ex, SMIME_read_CMS - parse S/MIME message
=head1 SYNOPSIS
#include <openssl/cms.h>
+ CMS_ContentInfo *SMIME_read_CMS_ex(BIO *bio, BIO **bcont,
+ CMS_ContentInfo **cms);
CMS_ContentInfo *SMIME_read_CMS(BIO *in, BIO **bcont);
=head1 DESCRIPTION
The parsed CMS_ContentInfo structure is returned or NULL if an
error occurred.
+SMIME_read_CMS_ex() is similar to SMIME_read_CMS() but can optionally supply a
+previously created I<cms> CMS_ContentInfo object. If I<cms> is NULL then it is
+identical to SMIME_read_CMS().
+To create a I<cms> object use L<CMS_ContentInfo_new_with_libctx(3)>.
+
=head1 NOTES
If B<*bcont> is not NULL then the message is clear text signed. B<*bcont> can
=head1 RETURN VALUES
-SMIME_read_CMS() returns a valid B<CMS_ContentInfo> structure or B<NULL>
-if an error occurred. The error can be obtained from ERR_get_error(3).
+SMIME_read_CMS_ex() and SMIME_read_CMS() return a valid B<CMS_ContentInfo>
+structure or B<NULL> if an error occurred. The error can be obtained from
+ERR_get_error(3).
=head1 SEE ALSO
L<ERR_get_error(3)>,
-L<SMIME_read_CMS(3)>, L<CMS_sign(3)>,
-L<CMS_verify(3)>, L<CMS_encrypt(3)>,
+L<CMS_sign(3)>,
+L<CMS_verify(3)>,
+L<CMS_encrypt(3)>,
L<CMS_decrypt(3)>
+=head1 HISTORY
+
+The function SMIME_read_CMS_ex() was added in OpenSSL 3.0.
+
=head1 COPYRIGHT
Copyright 2008-2020 The OpenSSL Project Authors. All Rights Reserved.
DECLARE_ASN1_FUNCTIONS(CMS_ReceiptRequest)
DECLARE_ASN1_PRINT_FUNCTION(CMS_ContentInfo)
+CMS_ContentInfo *CMS_ContentInfo_new_with_libctx(OPENSSL_CTX *libctx,
+ const char *propq);
+
# define CMS_SIGNERINFO_ISSUER_SERIAL 0
# define CMS_SIGNERINFO_KEYIDENTIFIER 1
int PEM_write_bio_CMS_stream(BIO *out, CMS_ContentInfo *cms, BIO *in,
int flags);
CMS_ContentInfo *SMIME_read_CMS(BIO *bio, BIO **bcont);
+CMS_ContentInfo *SMIME_read_CMS_ex(BIO *bio, BIO **bcont, CMS_ContentInfo **ci);
int SMIME_write_CMS(BIO *bio, CMS_ContentInfo *cms, BIO *data, int flags);
int CMS_final(CMS_ContentInfo *cms, BIO *data, BIO *dcont,
CMS_ContentInfo *CMS_sign(X509 *signcert, EVP_PKEY *pkey,
STACK_OF(X509) *certs, BIO *data,
unsigned int flags);
+CMS_ContentInfo *CMS_sign_with_libctx(X509 *signcert, EVP_PKEY *pkey,
+ STACK_OF(X509) *certs, BIO *data,
+ unsigned int flags,
+ OPENSSL_CTX *ctx, const char *propq);
CMS_ContentInfo *CMS_sign_receipt(CMS_SignerInfo *si,
X509 *signcert, EVP_PKEY *pkey,
int CMS_data(CMS_ContentInfo *cms, BIO *out, unsigned int flags);
CMS_ContentInfo *CMS_data_create(BIO *in, unsigned int flags);
+CMS_ContentInfo *CMS_data_create_with_libctx(BIO *in, unsigned int flags,
+ OPENSSL_CTX *ctx,
+ const char *propq);
int CMS_digest_verify(CMS_ContentInfo *cms, BIO *dcont, BIO *out,
unsigned int flags);
CMS_ContentInfo *CMS_digest_create(BIO *in, const EVP_MD *md,
unsigned int flags);
+CMS_ContentInfo *CMS_digest_create_with_libctx(BIO *in, const EVP_MD *md,
+ unsigned int flags,
+ OPENSSL_CTX *ctx,
+ const char *propq);
int CMS_EncryptedData_decrypt(CMS_ContentInfo *cms,
const unsigned char *key, size_t keylen,
CMS_ContentInfo *CMS_EncryptedData_encrypt(BIO *in, const EVP_CIPHER *cipher,
const unsigned char *key,
size_t keylen, unsigned int flags);
+CMS_ContentInfo *CMS_EncryptedData_encrypt_with_libctx(BIO *in,
+ const EVP_CIPHER *cipher,
+ const unsigned char *key,
+ size_t keylen,
+ unsigned int flags,
+ OPENSSL_CTX *ctx,
+ const char *propq);
int CMS_EncryptedData_set1_key(CMS_ContentInfo *cms, const EVP_CIPHER *ciph,
const unsigned char *key, size_t keylen);
CMS_ContentInfo *CMS_encrypt(STACK_OF(X509) *certs, BIO *in,
const EVP_CIPHER *cipher, unsigned int flags);
+CMS_ContentInfo *CMS_encrypt_with_libctx(STACK_OF(X509) *certs,
+ BIO *in, const EVP_CIPHER *cipher,
+ unsigned int flags,
+ OPENSSL_CTX *ctx, const char *propq);
int CMS_decrypt(CMS_ContentInfo *cms, EVP_PKEY *pkey, X509 *cert,
BIO *dcont, BIO *out, unsigned int flags);
int CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert);
-int CMS_decrypt_set1_pkey_and_peer(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert, X509 *peer);
+int CMS_decrypt_set1_pkey_and_peer(CMS_ContentInfo *cms, EVP_PKEY *pk,
+ X509 *cert, X509 *peer);
int CMS_decrypt_set1_key(CMS_ContentInfo *cms,
unsigned char *key, size_t keylen,
const unsigned char *id, size_t idlen);
int CMS_RecipientInfo_type(CMS_RecipientInfo *ri);
EVP_PKEY_CTX *CMS_RecipientInfo_get0_pkey_ctx(CMS_RecipientInfo *ri);
CMS_ContentInfo *CMS_EnvelopedData_create(const EVP_CIPHER *cipher);
+CMS_ContentInfo *CMS_EnvelopedData_create_with_libctx(const EVP_CIPHER *cipher,
+ OPENSSL_CTX *ctx,
+ const char *propq);
+
CMS_RecipientInfo *CMS_add1_recipient_cert(CMS_ContentInfo *cms,
X509 *recip, unsigned int flags);
CMS_RecipientInfo *CMS_add1_recipient(CMS_ContentInfo *cms, X509 *recip,
int lastpos, int type);
int CMS_get1_ReceiptRequest(CMS_SignerInfo *si, CMS_ReceiptRequest **prr);
-CMS_ReceiptRequest *CMS_ReceiptRequest_create0(unsigned char *id, int idlen,
- int allorfirst,
- STACK_OF(GENERAL_NAMES)
- *receiptList, STACK_OF(GENERAL_NAMES)
- *receiptsTo);
+CMS_ReceiptRequest *CMS_ReceiptRequest_create0(
+ unsigned char *id, int idlen, int allorfirst,
+ STACK_OF(GENERAL_NAMES) *receiptList,
+ STACK_OF(GENERAL_NAMES) *receiptsTo);
+CMS_ReceiptRequest *CMS_ReceiptRequest_create0_with_libctx(
+ unsigned char *id, int idlen, int allorfirst,
+ STACK_OF(GENERAL_NAMES) *receiptList,
+ STACK_OF(GENERAL_NAMES) *receiptsTo,
+ OPENSSL_CTX *ctx, const char *propq);
+
int CMS_add1_ReceiptRequest(CMS_SignerInfo *si, CMS_ReceiptRequest *rr);
void CMS_ReceiptRequest_get0_values(CMS_ReceiptRequest *rr,
ASN1_STRING **pcid,