projects / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
engines/e_capi.c: accommodate recent DSA_SIG_[get|set]0 changes.
[openssl.git] / crypto / pkcs7 / pk7_lib.c
1 /*
2  * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the OpenSSL license (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9
10 #include <stdio.h>
11 #include "internal/cryptlib.h"
12 #include <openssl/objects.h>
13 #include <openssl/x509.h>
14 #include "internal/asn1_int.h"
15 #include "internal/evp_int.h"
16
17 long PKCS7_ctrl(PKCS7 *p7, int cmd, long larg, char *parg)
18 {
19     int nid;
20     long ret;
21
22     nid = OBJ_obj2nid(p7->type);
23
24     switch (cmd) {
25     /* NOTE(emilia): does not support detached digested data. */
26     case PKCS7_OP_SET_DETACHED_SIGNATURE:
27         if (nid == NID_pkcs7_signed) {
28             ret = p7->detached = (int)larg;
29             if (ret && PKCS7_type_is_data(p7->d.sign->contents)) {
30                 ASN1_OCTET_STRING *os;
31                 os = p7->d.sign->contents->d.data;
32                 ASN1_OCTET_STRING_free(os);
33                 p7->d.sign->contents->d.data = NULL;
34             }
35         } else {
36             PKCS7err(PKCS7_F_PKCS7_CTRL,
37                      PKCS7_R_OPERATION_NOT_SUPPORTED_ON_THIS_TYPE);
38             ret = 0;
39         }
40         break;
41     case PKCS7_OP_GET_DETACHED_SIGNATURE:
42         if (nid == NID_pkcs7_signed) {
43             if (!p7->d.sign || !p7->d.sign->contents->d.ptr)
44                 ret = 1;
45             else
46                 ret = 0;
47
48             p7->detached = ret;
49         } else {
50             PKCS7err(PKCS7_F_PKCS7_CTRL,
51                      PKCS7_R_OPERATION_NOT_SUPPORTED_ON_THIS_TYPE);
52             ret = 0;
53         }
54
55         break;
56     default:
57         PKCS7err(PKCS7_F_PKCS7_CTRL, PKCS7_R_UNKNOWN_OPERATION);
58         ret = 0;
59     }
60     return (ret);
61 }
62
63 int PKCS7_content_new(PKCS7 *p7, int type)
64 {
65     PKCS7 *ret = NULL;
66
67     if ((ret = PKCS7_new()) == NULL)
68         goto err;
69     if (!PKCS7_set_type(ret, type))
70         goto err;
71     if (!PKCS7_set_content(p7, ret))
72         goto err;
73
74     return (1);
75  err:
76     PKCS7_free(ret);
77     return (0);
78 }
79
80 int PKCS7_set_content(PKCS7 *p7, PKCS7 *p7_data)
81 {
82     int i;
83
84     i = OBJ_obj2nid(p7->type);
85     switch (i) {
86     case NID_pkcs7_signed:
87         PKCS7_free(p7->d.sign->contents);
88         p7->d.sign->contents = p7_data;
89         break;
90     case NID_pkcs7_digest:
91         PKCS7_free(p7->d.digest->contents);
92         p7->d.digest->contents = p7_data;
93         break;
94     case NID_pkcs7_data:
95     case NID_pkcs7_enveloped:
96     case NID_pkcs7_signedAndEnveloped:
97     case NID_pkcs7_encrypted:
98     default:
99         PKCS7err(PKCS7_F_PKCS7_SET_CONTENT, PKCS7_R_UNSUPPORTED_CONTENT_TYPE);
100         goto err;
101     }
102     return (1);
103  err:
104     return (0);
105 }
106
107 int PKCS7_set_type(PKCS7 *p7, int type)
108 {
109     ASN1_OBJECT *obj;
110
111     /*
112      * PKCS7_content_free(p7);
113      */
114     obj = OBJ_nid2obj(type);    /* will not fail */
115
116     switch (type) {
117     case NID_pkcs7_signed:
118         p7->type = obj;
119         if ((p7->d.sign = PKCS7_SIGNED_new()) == NULL)
120             goto err;
121         if (!ASN1_INTEGER_set(p7->d.sign->version, 1)) {
122             PKCS7_SIGNED_free(p7->d.sign);
123             p7->d.sign = NULL;
124             goto err;
125         }
126         break;
127     case NID_pkcs7_data:
128         p7->type = obj;
129         if ((p7->d.data = ASN1_OCTET_STRING_new()) == NULL)
130             goto err;
131         break;
132     case NID_pkcs7_signedAndEnveloped:
133         p7->type = obj;
134         if ((p7->d.signed_and_enveloped = PKCS7_SIGN_ENVELOPE_new())
135             == NULL)
136             goto err;
137         ASN1_INTEGER_set(p7->d.signed_and_enveloped->version, 1);
138         if (!ASN1_INTEGER_set(p7->d.signed_and_enveloped->version, 1))
139             goto err;
140         p7->d.signed_and_enveloped->enc_data->content_type
141             = OBJ_nid2obj(NID_pkcs7_data);
142         break;
143     case NID_pkcs7_enveloped:
144         p7->type = obj;
145         if ((p7->d.enveloped = PKCS7_ENVELOPE_new())
146             == NULL)
147             goto err;
148         if (!ASN1_INTEGER_set(p7->d.enveloped->version, 0))
149             goto err;
150         p7->d.enveloped->enc_data->content_type = OBJ_nid2obj(NID_pkcs7_data);
151         break;
152     case NID_pkcs7_encrypted:
153         p7->type = obj;
154         if ((p7->d.encrypted = PKCS7_ENCRYPT_new())
155             == NULL)
156             goto err;
157         if (!ASN1_INTEGER_set(p7->d.encrypted->version, 0))
158             goto err;
159         p7->d.encrypted->enc_data->content_type = OBJ_nid2obj(NID_pkcs7_data);
160         break;
161
162     case NID_pkcs7_digest:
163         p7->type = obj;
164         if ((p7->d.digest = PKCS7_DIGEST_new())
165             == NULL)
166             goto err;
167         if (!ASN1_INTEGER_set(p7->d.digest->version, 0))
168             goto err;
169         break;
170     default:
171         PKCS7err(PKCS7_F_PKCS7_SET_TYPE, PKCS7_R_UNSUPPORTED_CONTENT_TYPE);
172         goto err;
173     }
174     return (1);
175  err:
176     return (0);
177 }
178
179 int PKCS7_set0_type_other(PKCS7 *p7, int type, ASN1_TYPE *other)
180 {
181     p7->type = OBJ_nid2obj(type);
182     p7->d.other = other;
183     return 1;
184 }
185
186 int PKCS7_add_signer(PKCS7 *p7, PKCS7_SIGNER_INFO *psi)
187 {
188     int i, j, nid;
189     X509_ALGOR *alg;
190     STACK_OF(PKCS7_SIGNER_INFO) *signer_sk;
191     STACK_OF(X509_ALGOR) *md_sk;
192
193     i = OBJ_obj2nid(p7->type);
194     switch (i) {
195     case NID_pkcs7_signed:
196         signer_sk = p7->d.sign->signer_info;
197         md_sk = p7->d.sign->md_algs;
198         break;
199     case NID_pkcs7_signedAndEnveloped:
200         signer_sk = p7->d.signed_and_enveloped->signer_info;
201         md_sk = p7->d.signed_and_enveloped->md_algs;
202         break;
203     default:
204         PKCS7err(PKCS7_F_PKCS7_ADD_SIGNER, PKCS7_R_WRONG_CONTENT_TYPE);
205         return (0);
206     }
207
208     nid = OBJ_obj2nid(psi->digest_alg->algorithm);
209
210     /* If the digest is not currently listed, add it */
211     j = 0;
212     for (i = 0; i < sk_X509_ALGOR_num(md_sk); i++) {
213         alg = sk_X509_ALGOR_value(md_sk, i);
214         if (OBJ_obj2nid(alg->algorithm) == nid) {
215             j = 1;
216             break;
217         }
218     }
219     if (!j) {                   /* we need to add another algorithm */
220         if ((alg = X509_ALGOR_new()) == NULL
221             || (alg->parameter = ASN1_TYPE_new()) == NULL) {
222             X509_ALGOR_free(alg);
223             PKCS7err(PKCS7_F_PKCS7_ADD_SIGNER, ERR_R_MALLOC_FAILURE);
224             return (0);
225         }
226         alg->algorithm = OBJ_nid2obj(nid);
227         alg->parameter->type = V_ASN1_NULL;
228         if (!sk_X509_ALGOR_push(md_sk, alg)) {
229             X509_ALGOR_free(alg);
230             return 0;
231         }
232     }
233
234     if (!sk_PKCS7_SIGNER_INFO_push(signer_sk, psi))
235         return 0;
236     return (1);
237 }
238
239 int PKCS7_add_certificate(PKCS7 *p7, X509 *x509)
240 {
241     int i;
242     STACK_OF(X509) **sk;
243
244     i = OBJ_obj2nid(p7->type);
245     switch (i) {
246     case NID_pkcs7_signed:
247         sk = &(p7->d.sign->cert);
248         break;
249     case NID_pkcs7_signedAndEnveloped:
250         sk = &(p7->d.signed_and_enveloped->cert);
251         break;
252     default:
253         PKCS7err(PKCS7_F_PKCS7_ADD_CERTIFICATE, PKCS7_R_WRONG_CONTENT_TYPE);
254         return (0);
255     }
256
257     if (*sk == NULL)
258         *sk = sk_X509_new_null();
259     if (*sk == NULL) {
260         PKCS7err(PKCS7_F_PKCS7_ADD_CERTIFICATE, ERR_R_MALLOC_FAILURE);
261         return 0;
262     }
263     X509_up_ref(x509);
264     if (!sk_X509_push(*sk, x509)) {
265         X509_free(x509);
266         return 0;
267     }
268     return (1);
269 }
270
271 int PKCS7_add_crl(PKCS7 *p7, X509_CRL *crl)
272 {
273     int i;
274     STACK_OF(X509_CRL) **sk;
275
276     i = OBJ_obj2nid(p7->type);
277     switch (i) {
278     case NID_pkcs7_signed:
279         sk = &(p7->d.sign->crl);
280         break;
281     case NID_pkcs7_signedAndEnveloped:
282         sk = &(p7->d.signed_and_enveloped->crl);
283         break;
284     default:
285         PKCS7err(PKCS7_F_PKCS7_ADD_CRL, PKCS7_R_WRONG_CONTENT_TYPE);
286         return (0);
287     }
288
289     if (*sk == NULL)
290         *sk = sk_X509_CRL_new_null();
291     if (*sk == NULL) {
292         PKCS7err(PKCS7_F_PKCS7_ADD_CRL, ERR_R_MALLOC_FAILURE);
293         return 0;
294     }
295
296     X509_CRL_up_ref(crl);
297     if (!sk_X509_CRL_push(*sk, crl)) {
298         X509_CRL_free(crl);
299         return 0;
300     }
301     return (1);
302 }
303
304 int PKCS7_SIGNER_INFO_set(PKCS7_SIGNER_INFO *p7i, X509 *x509, EVP_PKEY *pkey,
305                           const EVP_MD *dgst)
306 {
307     int ret;
308
309     /* We now need to add another PKCS7_SIGNER_INFO entry */
310     if (!ASN1_INTEGER_set(p7i->version, 1))
311         goto err;
312     if (!X509_NAME_set(&p7i->issuer_and_serial->issuer,
313                        X509_get_issuer_name(x509)))
314         goto err;
315
316     /*
317      * because ASN1_INTEGER_set is used to set a 'long' we will do things the
318      * ugly way.
319      */
320     ASN1_INTEGER_free(p7i->issuer_and_serial->serial);
321     if (!(p7i->issuer_and_serial->serial =
322           ASN1_INTEGER_dup(X509_get_serialNumber(x509))))
323         goto err;
324
325     /* lets keep the pkey around for a while */
326     EVP_PKEY_up_ref(pkey);
327     p7i->pkey = pkey;
328
329     /* Set the algorithms */
330
331     X509_ALGOR_set0(p7i->digest_alg, OBJ_nid2obj(EVP_MD_type(dgst)),
332                     V_ASN1_NULL, NULL);
333
334     if (pkey->ameth && pkey->ameth->pkey_ctrl) {
335         ret = pkey->ameth->pkey_ctrl(pkey, ASN1_PKEY_CTRL_PKCS7_SIGN, 0, p7i);
336         if (ret > 0)
337             return 1;
338         if (ret != -2) {
339             PKCS7err(PKCS7_F_PKCS7_SIGNER_INFO_SET,
340                      PKCS7_R_SIGNING_CTRL_FAILURE);
341             return 0;
342         }
343     }
344     PKCS7err(PKCS7_F_PKCS7_SIGNER_INFO_SET,
345              PKCS7_R_SIGNING_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
346  err:
347     return 0;
348 }
349
350 PKCS7_SIGNER_INFO *PKCS7_add_signature(PKCS7 *p7, X509 *x509, EVP_PKEY *pkey,
351                                        const EVP_MD *dgst)
352 {
353     PKCS7_SIGNER_INFO *si = NULL;
354
355     if (dgst == NULL) {
356         int def_nid;
357         if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) <= 0)
358             goto err;
359         dgst = EVP_get_digestbynid(def_nid);
360         if (dgst == NULL) {
361             PKCS7err(PKCS7_F_PKCS7_ADD_SIGNATURE, PKCS7_R_NO_DEFAULT_DIGEST);
362             goto err;
363         }
364     }
365
366     if ((si = PKCS7_SIGNER_INFO_new()) == NULL)
367         goto err;
368     if (!PKCS7_SIGNER_INFO_set(si, x509, pkey, dgst))
369         goto err;
370     if (!PKCS7_add_signer(p7, si))
371         goto err;
372     return (si);
373  err:
374     PKCS7_SIGNER_INFO_free(si);
375     return (NULL);
376 }
377
378 int PKCS7_set_digest(PKCS7 *p7, const EVP_MD *md)
379 {
380     if (PKCS7_type_is_digest(p7)) {
381         if ((p7->d.digest->md->parameter = ASN1_TYPE_new()) == NULL) {
382             PKCS7err(PKCS7_F_PKCS7_SET_DIGEST, ERR_R_MALLOC_FAILURE);
383             return 0;
384         }
385         p7->d.digest->md->parameter->type = V_ASN1_NULL;
386         p7->d.digest->md->algorithm = OBJ_nid2obj(EVP_MD_nid(md));
387         return 1;
388     }
389
390     PKCS7err(PKCS7_F_PKCS7_SET_DIGEST, PKCS7_R_WRONG_CONTENT_TYPE);
391     return 1;
392 }
393
394 STACK_OF(PKCS7_SIGNER_INFO) *PKCS7_get_signer_info(PKCS7 *p7)
395 {
396     if (p7 == NULL || p7->d.ptr == NULL)
397         return NULL;
398     if (PKCS7_type_is_signed(p7)) {
399         return (p7->d.sign->signer_info);
400     } else if (PKCS7_type_is_signedAndEnveloped(p7)) {
401         return (p7->d.signed_and_enveloped->signer_info);
402     } else
403         return (NULL);
404 }
405
406 void PKCS7_SIGNER_INFO_get0_algs(PKCS7_SIGNER_INFO *si, EVP_PKEY **pk,
407                                  X509_ALGOR **pdig, X509_ALGOR **psig)
408 {
409     if (pk)
410         *pk = si->pkey;
411     if (pdig)
412         *pdig = si->digest_alg;
413     if (psig)
414         *psig = si->digest_enc_alg;
415 }
416
417 void PKCS7_RECIP_INFO_get0_alg(PKCS7_RECIP_INFO *ri, X509_ALGOR **penc)
418 {
419     if (penc)
420         *penc = ri->key_enc_algor;
421 }
422
423 PKCS7_RECIP_INFO *PKCS7_add_recipient(PKCS7 *p7, X509 *x509)
424 {
425     PKCS7_RECIP_INFO *ri;
426
427     if ((ri = PKCS7_RECIP_INFO_new()) == NULL)
428         goto err;
429     if (!PKCS7_RECIP_INFO_set(ri, x509))
430         goto err;
431     if (!PKCS7_add_recipient_info(p7, ri))
432         goto err;
433     return ri;
434  err:
435     PKCS7_RECIP_INFO_free(ri);
436     return NULL;
437 }
438
439 int PKCS7_add_recipient_info(PKCS7 *p7, PKCS7_RECIP_INFO *ri)
440 {
441     int i;
442     STACK_OF(PKCS7_RECIP_INFO) *sk;
443
444     i = OBJ_obj2nid(p7->type);
445     switch (i) {
446     case NID_pkcs7_signedAndEnveloped:
447         sk = p7->d.signed_and_enveloped->recipientinfo;
448         break;
449     case NID_pkcs7_enveloped:
450         sk = p7->d.enveloped->recipientinfo;
451         break;
452     default:
453         PKCS7err(PKCS7_F_PKCS7_ADD_RECIPIENT_INFO,
454                  PKCS7_R_WRONG_CONTENT_TYPE);
455         return (0);
456     }
457
458     if (!sk_PKCS7_RECIP_INFO_push(sk, ri))
459         return 0;
460     return (1);
461 }
462
463 int PKCS7_RECIP_INFO_set(PKCS7_RECIP_INFO *p7i, X509 *x509)
464 {
465     int ret;
466     EVP_PKEY *pkey = NULL;
467     if (!ASN1_INTEGER_set(p7i->version, 0))
468         return 0;
469     if (!X509_NAME_set(&p7i->issuer_and_serial->issuer,
470                        X509_get_issuer_name(x509)))
471         return 0;
472
473     ASN1_INTEGER_free(p7i->issuer_and_serial->serial);
474     if (!(p7i->issuer_and_serial->serial =
475           ASN1_INTEGER_dup(X509_get_serialNumber(x509))))
476         return 0;
477
478     pkey = X509_get0_pubkey(x509);
479
480     if (!pkey || !pkey->ameth || !pkey->ameth->pkey_ctrl) {
481         PKCS7err(PKCS7_F_PKCS7_RECIP_INFO_SET,
482                  PKCS7_R_ENCRYPTION_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
483         goto err;
484     }
485
486     ret = pkey->ameth->pkey_ctrl(pkey, ASN1_PKEY_CTRL_PKCS7_ENCRYPT, 0, p7i);
487     if (ret == -2) {
488         PKCS7err(PKCS7_F_PKCS7_RECIP_INFO_SET,
489                  PKCS7_R_ENCRYPTION_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
490         goto err;
491     }
492     if (ret <= 0) {
493         PKCS7err(PKCS7_F_PKCS7_RECIP_INFO_SET,
494                  PKCS7_R_ENCRYPTION_CTRL_FAILURE);
495         goto err;
496     }
497
498     X509_up_ref(x509);
499     p7i->cert = x509;
500
501     return 1;
502
503  err:
504     return 0;
505 }
506
507 X509 *PKCS7_cert_from_signer_info(PKCS7 *p7, PKCS7_SIGNER_INFO *si)
508 {
509     if (PKCS7_type_is_signed(p7))
510         return (X509_find_by_issuer_and_serial(p7->d.sign->cert,
511                                                si->issuer_and_serial->issuer,
512                                                si->
513                                                issuer_and_serial->serial));
514     else
515         return (NULL);
516 }
517
518 int PKCS7_set_cipher(PKCS7 *p7, const EVP_CIPHER *cipher)
519 {
520     int i;
521     PKCS7_ENC_CONTENT *ec;
522
523     i = OBJ_obj2nid(p7->type);
524     switch (i) {
525     case NID_pkcs7_signedAndEnveloped:
526         ec = p7->d.signed_and_enveloped->enc_data;
527         break;
528     case NID_pkcs7_enveloped:
529         ec = p7->d.enveloped->enc_data;
530         break;
531     default:
532         PKCS7err(PKCS7_F_PKCS7_SET_CIPHER, PKCS7_R_WRONG_CONTENT_TYPE);
533         return (0);
534     }
535
536     /* Check cipher OID exists and has data in it */
537     i = EVP_CIPHER_type(cipher);
538     if (i == NID_undef) {
539         PKCS7err(PKCS7_F_PKCS7_SET_CIPHER,
540                  PKCS7_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER);
541         return (0);
542     }
543
544     ec->cipher = cipher;
545     return 1;
546 }
547
548 int PKCS7_stream(unsigned char ***boundary, PKCS7 *p7)
549 {
550     ASN1_OCTET_STRING *os = NULL;
551
552     switch (OBJ_obj2nid(p7->type)) {
553     case NID_pkcs7_data:
554         os = p7->d.data;
555         break;
556
557     case NID_pkcs7_signedAndEnveloped:
558         os = p7->d.signed_and_enveloped->enc_data->enc_data;
559         if (os == NULL) {
560             os = ASN1_OCTET_STRING_new();
561             p7->d.signed_and_enveloped->enc_data->enc_data = os;
562         }
563         break;
564
565     case NID_pkcs7_enveloped:
566         os = p7->d.enveloped->enc_data->enc_data;
567         if (os == NULL) {
568             os = ASN1_OCTET_STRING_new();
569             p7->d.enveloped->enc_data->enc_data = os;
570         }
571         break;
572
573     case NID_pkcs7_signed:
574         os = p7->d.sign->contents->d.data;
575         break;
576
577     default:
578         os = NULL;
579         break;
580     }
581
582     if (os == NULL)
583         return 0;
584
585     os->flags |= ASN1_STRING_FLAG_NDEF;
586     *boundary = &os->data;
587
588     return 1;
589 }
Unnamed repository; edit this file 'description' to name the repository.