CAdES: Fix SignerInfo attribute construction order.
authorFdaSilvaYY <fdasilvayy@gmail.com>
Tue, 29 Jan 2019 22:54:30 +0000 (23:54 +0100)
committerShane Lontis <shane.lontis@oracle.com>
Wed, 29 May 2019 01:14:46 +0000 (11:14 +1000)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/8117)

apps/cms.c
crypto/cms/cms_sd.c

index 2863a92..9c9f01d 100644 (file)
@@ -603,6 +603,14 @@ int cms_main(int argc, char **argv)
         goto opthelp;
     }
 
+    if (flags & CMS_CADES) {
+        if (flags & CMS_NOATTR) {
+            BIO_puts(bio_err, "Incompatible options: "
+                     "CAdES required signed attributes\n");
+            goto opthelp;
+        }
+    }
+
     if (operation & SMIME_SIGNERS) {
         if (keyfile != NULL && signerfile == NULL) {
             BIO_puts(bio_err, "Illegal -inkey without -signer\n");
index 71b3041..65261cf 100644 (file)
@@ -325,13 +325,6 @@ CMS_SignerInfo *CMS_add1_signer(CMS_ContentInfo *cms,
             if (!i)
                 goto merr;
         }
-        if (flags & CMS_REUSE_DIGEST) {
-            if (!cms_copy_messageDigest(cms, si))
-                goto err;
-            if (!(flags & (CMS_PARTIAL | CMS_KEY_PARAM)) &&
-                !CMS_SignerInfo_sign(si))
-                goto err;
-        }
         if (flags & CMS_CADES) {
             ESS_SIGNING_CERT *sc = NULL;
             ESS_SIGNING_CERT_V2 *sc2 = NULL;
@@ -353,6 +346,13 @@ CMS_SignerInfo *CMS_add1_signer(CMS_ContentInfo *cms,
             if (!add_sc)
                 goto err;
         }
+        if (flags & CMS_REUSE_DIGEST) {
+            if (!cms_copy_messageDigest(cms, si))
+                goto err;
+            if (!(flags & (CMS_PARTIAL | CMS_KEY_PARAM)) &&
+                !CMS_SignerInfo_sign(si))
+                goto err;
+        }
     }
 
     if (!(flags & CMS_NOCERTS)) {
@@ -370,8 +370,7 @@ CMS_SignerInfo *CMS_add1_signer(CMS_ContentInfo *cms,
                 goto err;
             if (EVP_PKEY_CTX_set_signature_md(si->pctx, md) <= 0)
                 goto err;
-        } else if (EVP_DigestSignInit(si->mctx, &si->pctx, md, NULL, pk) <=
-                   0)
+        } else if (EVP_DigestSignInit(si->mctx, &si->pctx, md, NULL, pk) <= 0)
             goto err;
     }