Keep a not of original encoding in certificate requests.
authorDr. Stephen Henson <steve@openssl.org>
Tue, 5 Sep 2000 13:27:57 +0000 (13:27 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Tue, 5 Sep 2000 13:27:57 +0000 (13:27 +0000)
Add new option to PKCS7_sign to exclude S/MIME capabilities.

CHANGES
apps/smime.c
crypto/asn1/x_req.c
crypto/pkcs7/pk7_smime.c
crypto/pkcs7/pkcs7.h
crypto/x509/x509.h
ssl/ssl_lib.c

diff --git a/CHANGES b/CHANGES
index 4dbaca0..a8cc5f1 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,17 @@
 
  Changes between 0.9.5a and 0.9.6  [xx XXX 2000]
 
+  *) Add new PKCS#7 signing option PKCS7_NOSMIMECAP which 
+     excludes S/MIME capabilities.
+     [Steve Henson]
+
+  *) When a certificate request is read in keep a copy of the
+     original encoding of the signed data and use it when outputing
+     again. Signatures then use the original encoding rather than
+     a decoded, encoded version which may cause problems if the
+     request is improperly encoded.
+     [Steve Henson]
+
   *) For consistency with other BIO_puts implementations, call
      buffer_write(b, ...) directly in buffer_puts instead of calling
      BIO_write(b, ...).
index e380443..25997fe 100644 (file)
@@ -141,6 +141,8 @@ int MAIN(int argc, char **argv)
                                flags |= PKCS7_NOATTR;
                else if (!strcmp (*args, "-nodetach")) 
                                flags &= ~PKCS7_DETACHED;
+               else if (!strcmp (*args, "-nosmimecap"))
+                               flags |= PKCS7_NOSMIMECAP;
                else if (!strcmp (*args, "-binary"))
                                flags |= PKCS7_BINARY;
                else if (!strcmp (*args, "-nosigs"))
index 0056009..6dddd4f 100644 (file)
@@ -65,6 +65,14 @@ int i2d_X509_REQ_INFO(X509_REQ_INFO *a, unsigned char **pp)
        {
        M_ASN1_I2D_vars(a);
 
+       if(a->asn1) {
+               if(pp) {
+                       memcpy(*pp, a->asn1, a->length);
+                       *pp += a->length;
+               }
+               return a->length;
+       }
+
        M_ASN1_I2D_len(a->version,              i2d_ASN1_INTEGER);
        M_ASN1_I2D_len(a->subject,              i2d_X509_NAME);
        M_ASN1_I2D_len(a->pubkey,               i2d_X509_PUBKEY);
@@ -152,6 +160,7 @@ X509_REQ_INFO *X509_REQ_INFO_new(void)
        M_ASN1_New(ret->pubkey,X509_PUBKEY_new);
        M_ASN1_New(ret->attributes,sk_X509_ATTRIBUTE_new_null);
        ret->req_kludge=0;
+       ret->asn1 = NULL;
        return(ret);
        M_ASN1_New_Error(ASN1_F_X509_REQ_INFO_NEW);
        }
@@ -159,6 +168,7 @@ X509_REQ_INFO *X509_REQ_INFO_new(void)
 void X509_REQ_INFO_free(X509_REQ_INFO *a)
        {
        if (a == NULL) return;
+       if(a->asn1) OPENSSL_free(a->asn1);
        M_ASN1_INTEGER_free(a->version);
        X509_NAME_free(a->subject);
        X509_PUBKEY_free(a->pubkey);
@@ -189,6 +199,17 @@ X509_REQ *d2i_X509_REQ(X509_REQ **a, unsigned char **pp, long length)
        M_ASN1_D2I_Init();
        M_ASN1_D2I_start_sequence();
        M_ASN1_D2I_get(ret->req_info,d2i_X509_REQ_INFO);
+
+       /* Keep a copy of the original encoding for signature checking */
+       ret->req_info->length = c.p - c.q;
+       if(!(ret->req_info->asn1 = OPENSSL_malloc(ret->req_info->length))) {
+               c.line=__LINE__;
+               c.error = ERR_R_MALLOC_FAILURE;
+               goto err;
+       }
+
+       memcpy(ret->req_info->asn1, c.q, ret->req_info->length);
+
        M_ASN1_D2I_get(ret->sig_alg,d2i_X509_ALGOR);
        M_ASN1_D2I_get(ret->signature,d2i_ASN1_BIT_STRING);
        M_ASN1_D2I_Finish(a,X509_REQ_free,ASN1_F_D2I_X509_REQ);
index 225fc63..19e0b28 100644 (file)
@@ -109,6 +109,8 @@ PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs,
                PKCS7_add_signed_attribute(si, NID_pkcs9_contentType,
                                V_ASN1_OBJECT, OBJ_nid2obj(NID_pkcs7_data));
                /* Add SMIMECapabilities */
+               if(!(flags & PKCS7_NOSMIMECAP))
+               {
                if(!(smcap = sk_X509_ALGOR_new(NULL))) {
                        PKCS7err(PKCS7_F_PKCS7_SIGN,ERR_R_MALLOC_FAILURE);
                        return NULL;
@@ -128,6 +130,7 @@ PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs,
 #endif
                PKCS7_add_attrib_smimecap (si, smcap);
                sk_X509_ALGOR_pop_free(smcap, X509_ALGOR_free);
+               }
        }
 
        if(flags & PKCS7_DETACHED)PKCS7_set_detached(p7, 1);
index ac46c8d..556e84c 100644 (file)
@@ -247,15 +247,16 @@ DECLARE_PKCS12_STACK_OF(PKCS7)
 
 /* S/MIME related flags */
 
-#define PKCS7_TEXT     0x1
-#define PKCS7_NOCERTS  0x2
-#define PKCS7_NOSIGS   0x4
-#define PKCS7_NOCHAIN  0x8
-#define PKCS7_NOINTERN 0x10
-#define PKCS7_NOVERIFY 0x20
-#define PKCS7_DETACHED 0x40
-#define PKCS7_BINARY   0x80
-#define PKCS7_NOATTR   0x100
+#define PKCS7_TEXT             0x1
+#define PKCS7_NOCERTS          0x2
+#define PKCS7_NOSIGS           0x4
+#define PKCS7_NOCHAIN          0x8
+#define PKCS7_NOINTERN         0x10
+#define PKCS7_NOVERIFY         0x20
+#define PKCS7_DETACHED         0x40
+#define PKCS7_BINARY           0x80
+#define PKCS7_NOATTR           0x100
+#define        PKCS7_NOSMIMECAP        0x200
 
 /* Flags: for compatibility with older code */
 
index 7808b6a..9768754 100644 (file)
@@ -213,6 +213,8 @@ DECLARE_ASN1_SET_OF(X509_ATTRIBUTE)
 
 typedef struct X509_req_info_st
        {
+       unsigned char *asn1;
+       int length;
        ASN1_INTEGER *version;
        X509_NAME *subject;
        X509_PUBKEY *pubkey;
index 5fd93ec..1483fad 100644 (file)
@@ -1846,8 +1846,6 @@ int ssl_init_wbio_buffer(SSL *s,int push)
 
 void ssl_free_wbio_buffer(SSL *s)
        {
-       BIO *under;
-
        if (s->bbio == NULL) return;
 
        if (s->bbio == s->wbio)