#include "internal/cryptlib.h"
#include <openssl/objects.h>
#include <openssl/x509.h>
+#include <openssl/pkcs7.h>
#include "crypto/asn1.h"
#include "crypto/evp.h"
#include "crypto/x509.h" /* for sk_X509_add1_cert() */
return 1;
}
+static int pkcs7_ecdsa_or_dsa_sign_verify_setup(PKCS7_SIGNER_INFO *si,
+ int verify)
+{
+ if (verify == 0) {
+ int snid, hnid;
+ X509_ALGOR *alg1, *alg2;
+ EVP_PKEY *pkey = si->pkey;
+
+ PKCS7_SIGNER_INFO_get0_algs(si, NULL, &alg1, &alg2);
+ if (alg1 == NULL || alg1->algorithm == NULL)
+ return -1;
+ hnid = OBJ_obj2nid(alg1->algorithm);
+ if (hnid == NID_undef)
+ return -1;
+ if (!OBJ_find_sigid_by_algs(&snid, hnid, EVP_PKEY_id(pkey)))
+ return -1;
+ X509_ALGOR_set0(alg2, OBJ_nid2obj(snid), V_ASN1_UNDEF, 0);
+ }
+ return 1;
+}
+
+static int pkcs7_rsa_sign_verify_setup(PKCS7_SIGNER_INFO *si, int verify)
+{
+ if (verify == 0) {
+ X509_ALGOR *alg = NULL;
+
+ PKCS7_SIGNER_INFO_get0_algs(si, NULL, NULL, &alg);
+ if (alg != NULL)
+ X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption), V_ASN1_NULL, 0);
+ }
+ return 1;
+}
+
int PKCS7_SIGNER_INFO_set(PKCS7_SIGNER_INFO *p7i, X509 *x509, EVP_PKEY *pkey,
const EVP_MD *dgst)
{
ASN1_INTEGER_dup(X509_get0_serialNumber(x509))))
goto err;
- /*
- * TODO(3.0) Adapt for provider-native keys
- * Meanwhile, we downgrade the key.
- * #legacy
- */
- if (!evp_pkey_downgrade(pkey)) {
- ERR_raise(ERR_LIB_PKCS7,
- PKCS7_R_SIGNING_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
- goto err;
- }
-
/* lets keep the pkey around for a while */
EVP_PKEY_up_ref(pkey);
p7i->pkey = pkey;
X509_ALGOR_set0(p7i->digest_alg, OBJ_nid2obj(EVP_MD_type(dgst)),
V_ASN1_NULL, NULL);
- if (pkey->ameth && pkey->ameth->pkey_ctrl) {
+ if (EVP_PKEY_is_a(pkey, "EC") || EVP_PKEY_is_a(pkey, "DSA"))
+ return pkcs7_ecdsa_or_dsa_sign_verify_setup(p7i, 0);
+ if (EVP_PKEY_is_a(pkey, "RSA"))
+ return pkcs7_rsa_sign_verify_setup(p7i, 0);
+
+ if (pkey->ameth != NULL && pkey->ameth->pkey_ctrl != NULL) {
ret = pkey->ameth->pkey_ctrl(pkey, ASN1_PKEY_CTRL_PKCS7_SIGN, 0, p7i);
if (ret > 0)
return 1;
return 1;
}
+static int pkcs7_rsa_encrypt_decrypt_setup(PKCS7_RECIP_INFO *ri, int decrypt)
+{
+ X509_ALGOR *alg = NULL;
+
+ if (decrypt == 0) {
+ PKCS7_RECIP_INFO_get0_alg(ri, &alg);
+ if (alg != NULL)
+ X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption), V_ASN1_NULL, 0);
+ }
+ return 1;
+}
+
int PKCS7_RECIP_INFO_set(PKCS7_RECIP_INFO *p7i, X509 *x509)
{
int ret;
return 0;
pkey = X509_get0_pubkey(x509);
+ if (pkey == NULL)
+ return 0;
- if (!pkey || !pkey->ameth || !pkey->ameth->pkey_ctrl) {
+ if (EVP_PKEY_is_a(pkey, "RSA-PSS"))
+ return -2;
+ if (EVP_PKEY_is_a(pkey, "RSA")) {
+ if (pkcs7_rsa_encrypt_decrypt_setup(p7i, 0) <= 0)
+ goto err;
+ goto finished;
+ }
+
+ if (pkey->ameth == NULL || pkey->ameth->pkey_ctrl == NULL) {
ERR_raise(ERR_LIB_PKCS7,
PKCS7_R_ENCRYPTION_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
goto err;
ERR_raise(ERR_LIB_PKCS7, PKCS7_R_ENCRYPTION_CTRL_FAILURE);
goto err;
}
-
+finished:
X509_up_ref(x509);
p7i->cert = x509;
projects / openssl.git / blobdiff