pk7_lib.c 20 KB

  1. /*
  2. * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <stdio.h>
  10. #include "internal/cryptlib.h"
  11. #include <openssl/objects.h>
  12. #include <openssl/x509.h>
  13. #include <openssl/pkcs7.h>
  14. #include "crypto/asn1.h"
  15. #include "crypto/evp.h"
  16. #include "crypto/x509.h" /* for sk_X509_add1_cert() */
  17. #include "pk7_local.h"
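  /*
   * Query or change the detached-content state of a signedData structure.
   *
   * cmd:
   *   PKCS7_OP_SET_DETACHED_SIGNATURE stores (int)larg in p7->detached and,
   *   when that value is non-zero and the inner content is of type data,
   *   frees the embedded octet string.
   *   PKCS7_OP_GET_DETACHED_SIGNATURE recomputes p7->detached from whether
   *   inner content is present.
   * parg is not used by either operation.
   *
   * Returns the stored/observed detached value. 0 is also returned, with an
   * error raised, for a p7 that is not signedData or for an unknown cmd, so a
   * caller that must tell "not detached" from "failed" has to look at the
   * error queue.
   */
  long PKCS7_ctrl(PKCS7 *p7, int cmd, long larg, char *parg)
  {
      int nid;
      long ret;

      nid = OBJ_obj2nid(p7->type);

      switch (cmd) {
      /* NOTE(emilia): does not support detached digested data. */
      case PKCS7_OP_SET_DETACHED_SIGNATURE:
          if (nid == NID_pkcs7_signed) {
              ret = p7->detached = (int)larg;
              /*
               * The GET branch below already tolerates a missing d.sign; apply
               * the same tolerance here instead of dereferencing NULL when a
               * structure without content reaches this call.
               */
              if (ret && p7->d.sign != NULL && p7->d.sign->contents != NULL
                  && PKCS7_type_is_data(p7->d.sign->contents)) {
                  ASN1_OCTET_STRING *os;

                  os = p7->d.sign->contents->d.data;
                  ASN1_OCTET_STRING_free(os);
                  /* Clear the pointer so the freed string cannot be reused. */
                  p7->d.sign->contents->d.data = NULL;
              }
          } else {
              ERR_raise(ERR_LIB_PKCS7,
                        PKCS7_R_OPERATION_NOT_SUPPORTED_ON_THIS_TYPE);
              ret = 0;
          }
          break;
      case PKCS7_OP_GET_DETACHED_SIGNATURE:
          if (nid == NID_pkcs7_signed) {
              /* No signed structure or no inner content means "detached". */
              if (p7->d.sign == NULL || p7->d.sign->contents == NULL
                  || p7->d.sign->contents->d.ptr == NULL)
                  ret = 1;
              else
                  ret = 0;

              p7->detached = ret;
          } else {
              ERR_raise(ERR_LIB_PKCS7,
                        PKCS7_R_OPERATION_NOT_SUPPORTED_ON_THIS_TYPE);
              ret = 0;
          }
          break;
      default:
          ERR_raise(ERR_LIB_PKCS7, PKCS7_R_UNKNOWN_OPERATION);
          ret = 0;
      }
      return ret;
  }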
  /*
   * Allocate a fresh PKCS7 of the given type and install it as the inner
   * content of p7 via PKCS7_set_content().
   *
   * Returns 1 on success. On any failure the new structure is freed and 0 is
   * returned.
   */
  int PKCS7_content_new(PKCS7 *p7, int type)
  {
      PKCS7 *content = PKCS7_new();

      if (content != NULL
          && PKCS7_set_type(content, type)
          && PKCS7_set_content(p7, content))
          return 1;

      /* Not handed over to p7, so it is still ours to release. */
      PKCS7_free(content);
      return 0;
  }
  /*
   * Replace the inner content of a signed or digest structure with p7_data.
   * The previous content is freed and p7 stores the p7_data pointer itself.
   *
   * Returns 1 on success, 0 (with PKCS7_R_UNSUPPORTED_CONTENT_TYPE raised) for
   * every other outer type.
   */
  int PKCS7_set_content(PKCS7 *p7, PKCS7 *p7_data)
  {
      PKCS7 **slot;

      switch (OBJ_obj2nid(p7->type)) {
      case NID_pkcs7_signed:
          slot = &p7->d.sign->contents;
          break;
      case NID_pkcs7_digest:
          slot = &p7->d.digest->contents;
          break;
      default:
          /* data, enveloped, signedAndEnveloped, encrypted and anything else */
          ERR_raise(ERR_LIB_PKCS7, PKCS7_R_UNSUPPORTED_CONTENT_TYPE);
          return 0;
      }

      PKCS7_free(*slot);
      *slot = p7_data;
      return 1;
  }
  /*
   * Set the content type of p7 and allocate the matching body structure with
   * its version field initialised.
   *
   * Whatever p7->d pointed to before the call is not released here.
   *
   * Returns 1 on success. Returns 0 when an allocation or version assignment
   * fails, or when type is unsupported (only the latter raises an error).
   */
  int PKCS7_set_type(PKCS7 *p7, int type)
  {
      ASN1_OBJECT *type_obj = OBJ_nid2obj(type); /* will not fail */

      switch (type) {
      case NID_pkcs7_signed:
          p7->type = type_obj;
          p7->d.sign = PKCS7_SIGNED_new();
          if (p7->d.sign == NULL)
              return 0;
          if (!ASN1_INTEGER_set(p7->d.sign->version, 1)) {
              PKCS7_SIGNED_free(p7->d.sign);
              p7->d.sign = NULL;
              return 0;
          }
          break;
      case NID_pkcs7_data:
          p7->type = type_obj;
          p7->d.data = ASN1_OCTET_STRING_new();
          if (p7->d.data == NULL)
              return 0;
          break;
      case NID_pkcs7_signedAndEnveloped:
          p7->type = type_obj;
          p7->d.signed_and_enveloped = PKCS7_SIGN_ENVELOPE_new();
          if (p7->d.signed_and_enveloped == NULL)
              return 0;
          if (!ASN1_INTEGER_set(p7->d.signed_and_enveloped->version, 1))
              return 0;
          p7->d.signed_and_enveloped->enc_data->content_type
              = OBJ_nid2obj(NID_pkcs7_data);
          break;
      case NID_pkcs7_enveloped:
          p7->type = type_obj;
          p7->d.enveloped = PKCS7_ENVELOPE_new();
          if (p7->d.enveloped == NULL)
              return 0;
          if (!ASN1_INTEGER_set(p7->d.enveloped->version, 0))
              return 0;
          p7->d.enveloped->enc_data->content_type = OBJ_nid2obj(NID_pkcs7_data);
          break;
      case NID_pkcs7_encrypted:
          p7->type = type_obj;
          p7->d.encrypted = PKCS7_ENCRYPT_new();
          if (p7->d.encrypted == NULL)
              return 0;
          if (!ASN1_INTEGER_set(p7->d.encrypted->version, 0))
              return 0;
          p7->d.encrypted->enc_data->content_type = OBJ_nid2obj(NID_pkcs7_data);
          break;
      case NID_pkcs7_digest:
          p7->type = type_obj;
          p7->d.digest = PKCS7_DIGEST_new();
          if (p7->d.digest == NULL)
              return 0;
          if (!ASN1_INTEGER_set(p7->d.digest->version, 0))
              return 0;
          break;
      default:
          ERR_raise(ERR_LIB_PKCS7, PKCS7_R_UNSUPPORTED_CONTENT_TYPE);
          return 0;
      }
      return 1;
  }
  /*
   * Mark p7 as carrying content of an arbitrary type: the type OID is looked
   * up from the NID and the `other` pointer is stored as-is in p7->d.other.
   * Always returns 1.
   */
  int PKCS7_set0_type_other(PKCS7 *p7, int type, ASN1_TYPE *other)
  {
      ASN1_OBJECT *type_obj = OBJ_nid2obj(type);

      p7->type = type_obj;
      p7->d.other = other;
      return 1;
  }
  /*
   * Append a signer info to a signed or signedAndEnveloped structure, making
   * sure the signer's digest algorithm is present in the structure's digest
   * algorithm list.
   *
   * psi is pushed onto the signer stack by pointer, and its ctx field is set to
   * the context of p7.
   *
   * Returns 1 on success, 0 on a wrong content type or on allocation/push
   * failure.
   */
  int PKCS7_add_signer(PKCS7 *p7, PKCS7_SIGNER_INFO *psi)
  {
      int idx, listed = 0;
      ASN1_OBJECT *digest_oid;
      X509_ALGOR *entry;
      STACK_OF(PKCS7_SIGNER_INFO) *signers;
      STACK_OF(X509_ALGOR) *digests;

      switch (OBJ_obj2nid(p7->type)) {
      case NID_pkcs7_signed:
          signers = p7->d.sign->signer_info;
          digests = p7->d.sign->md_algs;
          break;
      case NID_pkcs7_signedAndEnveloped:
          signers = p7->d.signed_and_enveloped->signer_info;
          digests = p7->d.signed_and_enveloped->md_algs;
          break;
      default:
          ERR_raise(ERR_LIB_PKCS7, PKCS7_R_WRONG_CONTENT_TYPE);
          return 0;
      }

      digest_oid = psi->digest_alg->algorithm;

      /* Look for the signer's digest among the algorithms already listed. */
      for (idx = 0; !listed && idx < sk_X509_ALGOR_num(digests); idx++) {
          entry = sk_X509_ALGOR_value(digests, idx);
          listed = (OBJ_cmp(digest_oid, entry->algorithm) == 0);
      }

      if (!listed) {
          /* Not there yet: build a new AlgorithmIdentifier with NULL params. */
          int nid;

          entry = X509_ALGOR_new();
          if (entry == NULL
              || (entry->parameter = ASN1_TYPE_new()) == NULL) {
              X509_ALGOR_free(entry);
              ERR_raise(ERR_LIB_PKCS7, ERR_R_ASN1_LIB);
              return 0;
          }

          /*
           * Prefer libcrypto's constant copy of the OID when one exists;
           * otherwise fall back to a dynamically duplicated copy.
           */
          nid = OBJ_obj2nid(digest_oid);
          entry->algorithm = (nid != NID_undef) ? OBJ_nid2obj(nid)
                                                : OBJ_dup(digest_oid);
          entry->parameter->type = V_ASN1_NULL;

          if (entry->algorithm == NULL || !sk_X509_ALGOR_push(digests, entry)) {
              X509_ALGOR_free(entry);
              return 0;
          }
      }

      psi->ctx = ossl_pkcs7_get0_ctx(p7);
      return sk_PKCS7_SIGNER_INFO_push(signers, psi) ? 1 : 0;
  }
  /*
   * Add a certificate to the certificate set of a signed or
   * signedAndEnveloped structure. The certificate is added with
   * X509_ADD_FLAG_UP_REF, so the caller keeps its own reference.
   *
   * Returns the result of ossl_x509_add_cert_new(), or 0 with
   * PKCS7_R_WRONG_CONTENT_TYPE raised for other content types.
   */
  int PKCS7_add_certificate(PKCS7 *p7, X509 *x509)
  {
      STACK_OF(X509) **certs;

      switch (OBJ_obj2nid(p7->type)) {
      case NID_pkcs7_signed:
          certs = &p7->d.sign->cert;
          break;
      case NID_pkcs7_signedAndEnveloped:
          certs = &p7->d.signed_and_enveloped->cert;
          break;
      default:
          ERR_raise(ERR_LIB_PKCS7, PKCS7_R_WRONG_CONTENT_TYPE);
          return 0;
      }

      return ossl_x509_add_cert_new(certs, x509, X509_ADD_FLAG_UP_REF);
  }
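  /*
   * Add a CRL to the CRL set of a signed or signedAndEnveloped structure,
   * creating the stack on first use. The structure takes its own reference on
   * crl; the caller's reference is untouched.
   *
   * Returns 1 on success, 0 on a wrong content type, allocation failure, a
   * failed reference-count increment, or a failed push.
   */
  int PKCS7_add_crl(PKCS7 *p7, X509_CRL *crl)
  {
      STACK_OF(X509_CRL) **sk;

      switch (OBJ_obj2nid(p7->type)) {
      case NID_pkcs7_signed:
          sk = &(p7->d.sign->crl);
          break;
      case NID_pkcs7_signedAndEnveloped:
          sk = &(p7->d.signed_and_enveloped->crl);
          break;
      default:
          ERR_raise(ERR_LIB_PKCS7, PKCS7_R_WRONG_CONTENT_TYPE);
          return 0;
      }

      if (*sk == NULL)
          *sk = sk_X509_CRL_new_null();
      if (*sk == NULL) {
          ERR_raise(ERR_LIB_PKCS7, ERR_R_CRYPTO_LIB);
          return 0;
      }

      /*
       * Do not push the CRL unless the extra reference was actually taken:
       * otherwise the stack would hold a pointer it does not own and freeing
       * the PKCS7 later would release the caller's reference.
       */
      if (!X509_CRL_up_ref(crl)) {
          ERR_raise(ERR_LIB_PKCS7, ERR_R_CRYPTO_LIB);
          return 0;
      }
      if (!sk_X509_CRL_push(*sk, crl)) {
          /* Drop the reference taken above; the stack never got the CRL. */
          X509_CRL_free(crl);
          return 0;
      }
      return 1;
  }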
  /*
   * For signing (verify == 0), derive the signature algorithm identifier from
   * the signer's digest algorithm and key type and store it in the signer
   * info. Nothing is done for verification.
   *
   * Returns 1 when verifying, the result of X509_ALGOR_set0() when signing,
   * or -1 if the digest or the digest/key combination cannot be resolved.
   */
  static int pkcs7_ecdsa_or_dsa_sign_verify_setup(PKCS7_SIGNER_INFO *si,
                                                  int verify)
  {
      int sig_nid, md_nid;
      X509_ALGOR *digest_alg, *sig_alg;
      EVP_PKEY *pkey;

      if (verify)
          return 1;

      pkey = si->pkey;
      PKCS7_SIGNER_INFO_get0_algs(si, NULL, &digest_alg, &sig_alg);
      if (digest_alg == NULL || digest_alg->algorithm == NULL)
          return -1;

      md_nid = OBJ_obj2nid(digest_alg->algorithm);
      if (md_nid == NID_undef)
          return -1;

      if (!OBJ_find_sigid_by_algs(&sig_nid, md_nid, EVP_PKEY_get_id(pkey)))
          return -1;

      return X509_ALGOR_set0(sig_alg, OBJ_nid2obj(sig_nid), V_ASN1_UNDEF, NULL);
  }
  /*
   * For signing (verify == 0), set the signer info's signature algorithm to
   * rsaEncryption with NULL parameters. Nothing is done for verification.
   *
   * Returns 1 when verifying or when no algorithm slot is available,
   * otherwise the result of X509_ALGOR_set0().
   */
  static int pkcs7_rsa_sign_verify_setup(PKCS7_SIGNER_INFO *si, int verify)
  {
      X509_ALGOR *sig_alg = NULL;

      if (verify)
          return 1;

      PKCS7_SIGNER_INFO_get0_algs(si, NULL, NULL, &sig_alg);
      if (sig_alg == NULL)
          return 1;

      return X509_ALGOR_set0(sig_alg, OBJ_nid2obj(NID_rsaEncryption),
                             V_ASN1_NULL, NULL);
  }
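  /*
   * Populate a signer info from a signing certificate, private key and digest:
   * version 1, issuer and serial copied from x509, a new reference to pkey,
   * the digest algorithm, and the key-type specific signature algorithm.
   *
   * Returns 1 on success. Returns 0, or the non-positive result of the
   * EC/DSA/RSA setup helper, on failure; PKCS7_add_signature() in this file
   * treats any value <= 0 as failure.
   */
  int PKCS7_SIGNER_INFO_set(PKCS7_SIGNER_INFO *p7i, X509 *x509, EVP_PKEY *pkey,
                            const EVP_MD *dgst)
  {
      int ret;

      /* We now need to add another PKCS7_SIGNER_INFO entry */
      if (!ASN1_INTEGER_set(p7i->version, 1))
          return 0;
      if (!X509_NAME_set(&p7i->issuer_and_serial->issuer,
                         X509_get_issuer_name(x509)))
          return 0;

      /*
       * ASN1_INTEGER_set() only takes a 'long', so the serial number is
       * duplicated as an ASN1_INTEGER instead of being converted.
       */
      ASN1_INTEGER_free(p7i->issuer_and_serial->serial);
      if (!(p7i->issuer_and_serial->serial =
            ASN1_INTEGER_dup(X509_get0_serialNumber(x509))))
          return 0;

      /*
       * Keep the key alive for as long as the signer info exists. Only store
       * the pointer once the reference has really been taken, so that freeing
       * the signer info can never drop a reference it does not own.
       * NOTE(review): a pkey already stored in p7i is overwritten without
       * being released; callers here pass a freshly allocated signer info.
       */
      if (!EVP_PKEY_up_ref(pkey))
          return 0;
      p7i->pkey = pkey;

      /* Set the algorithms */
      if (!X509_ALGOR_set0(p7i->digest_alg, OBJ_nid2obj(EVP_MD_get_type(dgst)),
                           V_ASN1_NULL, NULL))
          return 0;

      if (EVP_PKEY_is_a(pkey, "EC") || EVP_PKEY_is_a(pkey, "DSA"))
          return pkcs7_ecdsa_or_dsa_sign_verify_setup(p7i, 0);
      if (EVP_PKEY_is_a(pkey, "RSA"))
          return pkcs7_rsa_sign_verify_setup(p7i, 0);

      /* Other key types: delegate to the key method's control hook, if any. */
      if (pkey->ameth != NULL && pkey->ameth->pkey_ctrl != NULL) {
          ret = pkey->ameth->pkey_ctrl(pkey, ASN1_PKEY_CTRL_PKCS7_SIGN, 0, p7i);
          if (ret > 0)
              return 1;
          /* -2 falls through to the "not supported" error below. */
          if (ret != -2) {
              ERR_raise(ERR_LIB_PKCS7, PKCS7_R_SIGNING_CTRL_FAILURE);
              return 0;
          }
      }
      ERR_raise(ERR_LIB_PKCS7, PKCS7_R_SIGNING_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
      return 0;
  }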
  /*
   * Create a signer info for (x509, pkey, dgst) and attach it to p7.
   * When dgst is NULL the key's default digest is looked up and used.
   *
   * Returns the new signer info, which has been added to p7, or NULL on
   * failure (in which case the signer info is freed).
   */
  PKCS7_SIGNER_INFO *PKCS7_add_signature(PKCS7 *p7, X509 *x509, EVP_PKEY *pkey,
                                         const EVP_MD *dgst)
  {
      PKCS7_SIGNER_INFO *signer = NULL;

      if (dgst == NULL) {
          int default_nid;

          if (EVP_PKEY_get_default_digest_nid(pkey, &default_nid) <= 0)
              goto err;
          if ((dgst = EVP_get_digestbynid(default_nid)) == NULL) {
              ERR_raise(ERR_LIB_PKCS7, PKCS7_R_NO_DEFAULT_DIGEST);
              goto err;
          }
      }

      signer = PKCS7_SIGNER_INFO_new();
      if (signer != NULL
          && PKCS7_SIGNER_INFO_set(signer, x509, pkey, dgst) > 0
          && PKCS7_add_signer(p7, signer))
          return signer;

   err:
      PKCS7_SIGNER_INFO_free(signer);
      return NULL;
  }
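  /*
   * Return the certificate stack of a signed or signedAndEnveloped structure,
   * or NULL for any other type or when the structure has no body.
   */
  static STACK_OF(X509) *pkcs7_get_signer_certs(const PKCS7 *p7)
  {
      /*
       * A structure whose type says "signed" can still have an empty body
       * pointer; PKCS7_get_signer_info() in this file guards against the same
       * case. Without this check the member access below dereferences NULL.
       */
      if (p7->d.ptr == NULL)
          return NULL;
      if (PKCS7_type_is_signed(p7))
          return p7->d.sign->cert;
      if (PKCS7_type_is_signedAndEnveloped(p7))
          return p7->d.signed_and_enveloped->cert;
      return NULL;
  }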
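  /*
   * Return the recipient info stack of a signedAndEnveloped or enveloped
   * structure, or NULL for any other type or when the structure has no body.
   */
  static STACK_OF(PKCS7_RECIP_INFO) *pkcs7_get_recipient_info(const PKCS7 *p7)
  {
      /*
       * The type OID alone does not guarantee that the body was allocated;
       * PKCS7_get_signer_info() in this file applies the same guard. Without
       * it the member access below dereferences NULL.
       */
      if (p7->d.ptr == NULL)
          return NULL;
      if (PKCS7_type_is_signedAndEnveloped(p7))
          return p7->d.signed_and_enveloped->recipientinfo;
      if (PKCS7_type_is_enveloped(p7))
          return p7->d.enveloped->recipientinfo;
      return NULL;
  }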
  388. /*
  389. * Set up the library context into any loaded structure that needs it.
  390. * i.e loaded X509 objects.
  391. */
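  void ossl_pkcs7_resolve_libctx(PKCS7 *p7)
  {
      int i;
      const PKCS7_CTX *ctx = ossl_pkcs7_get0_ctx(p7);
      OSSL_LIB_CTX *libctx;
      const char *propq;
      STACK_OF(PKCS7_RECIP_INFO) *rinfos;
      STACK_OF(PKCS7_SIGNER_INFO) *sinfos;
      STACK_OF(X509) *certs;

      /*
       * ossl_pkcs7_get0_ctx() yields NULL only for a NULL p7, so this test has
       * to run before anything reads through p7. A structure with an empty
       * body has nothing to update, and walking it would dereference the NULL
       * body pointer in the lookups below.
       */
      if (ctx == NULL || p7->d.ptr == NULL)
          return;

      libctx = ossl_pkcs7_ctx_get0_libctx(ctx);
      propq = ossl_pkcs7_ctx_get0_propq(ctx);
      rinfos = pkcs7_get_recipient_info(p7);
      sinfos = PKCS7_get_signer_info(p7);
      certs = pkcs7_get_signer_certs(p7);

      /* Embedded certificates pick up the library context and property query. */
      for (i = 0; i < sk_X509_num(certs); i++)
          ossl_x509_set0_libctx(sk_X509_value(certs, i), libctx, propq);

      /* So does the certificate attached to each recipient info. */
      for (i = 0; i < sk_PKCS7_RECIP_INFO_num(rinfos); i++) {
          PKCS7_RECIP_INFO *ri = sk_PKCS7_RECIP_INFO_value(rinfos, i);

          ossl_x509_set0_libctx(ri->cert, libctx, propq);
      }

      /* Signer infos keep a pointer back to the owning structure's context. */
      for (i = 0; i < sk_PKCS7_SIGNER_INFO_num(sinfos); i++) {
          PKCS7_SIGNER_INFO *si = sk_PKCS7_SIGNER_INFO_value(sinfos, i);

          if (si != NULL)
              si->ctx = ctx;
      }
  }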
  /*
   * Return a pointer to the context embedded in p7, or NULL when p7 is NULL.
   * The pointer refers to storage inside p7 and is not a copy.
   */
  const PKCS7_CTX *ossl_pkcs7_get0_ctx(const PKCS7 *p7)
  {
      if (p7 == NULL)
          return NULL;
      return &p7->ctx;
  }
  /*
   * Store the library context pointer in p7's context. The pointer is stored
   * as-is; p7 must not be NULL.
   */
  void ossl_pkcs7_set0_libctx(PKCS7 *p7, OSSL_LIB_CTX *ctx)
  {
      PKCS7_CTX *p7ctx = &p7->ctx;

      p7ctx->libctx = ctx;
  }
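  /*
   * Replace the property query string stored in p7's context with a private
   * copy of propq (or clear it when propq is NULL).
   *
   * Returns 1 on success, 0 if the copy could not be allocated; in that case
   * the stored string is cleared, as before.
   */
  int ossl_pkcs7_set1_propq(PKCS7 *p7, const char *propq)
  {
      char *copy = NULL;
      int ok = 1;

      /*
       * Duplicate before freeing the old value so that the call stays valid
       * when propq is the string currently stored in p7, which happens if
       * ossl_pkcs7_ctx_propagate() is ever invoked with from == to.
       */
      if (propq != NULL) {
          copy = OPENSSL_strdup(propq);
          if (copy == NULL)
              ok = 0;
      }

      OPENSSL_free(p7->ctx.propq);
      p7->ctx.propq = copy;
      return ok;
  }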
  /*
   * Copy the library context and property query from one PKCS7 to another,
   * then push them down into the objects `to` already contains.
   *
   * Returns 1 on success, 0 if the property query could not be copied (the
   * library context has already been assigned at that point).
   */
  int ossl_pkcs7_ctx_propagate(const PKCS7 *from, PKCS7 *to)
  {
      int copied;

      ossl_pkcs7_set0_libctx(to, from->ctx.libctx);
      copied = ossl_pkcs7_set1_propq(to, from->ctx.propq);
      if (copied) {
          ossl_pkcs7_resolve_libctx(to);
          return 1;
      }
      return 0;
  }
  /* Return the library context stored in ctx, or NULL when ctx is NULL. */
  OSSL_LIB_CTX *ossl_pkcs7_ctx_get0_libctx(const PKCS7_CTX *ctx)
  {
      if (ctx == NULL)
          return NULL;
      return ctx->libctx;
  }
  /*
   * Return the property query string stored in ctx, or NULL when ctx is NULL.
   * The string is not copied.
   */
  const char *ossl_pkcs7_ctx_get0_propq(const PKCS7_CTX *ctx)
  {
      if (ctx == NULL)
          return NULL;
      return ctx->propq;
  }
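  /*
   * Set the digest algorithm of a digestedData structure to md, with NULL
   * parameters.
   *
   * Returns 1 on success, 0 on allocation failure or when p7 is not of type
   * digest.
   */
  int PKCS7_set_digest(PKCS7 *p7, const EVP_MD *md)
  {
      if (PKCS7_type_is_digest(p7)) {
          if ((p7->d.digest->md->parameter = ASN1_TYPE_new()) == NULL) {
              ERR_raise(ERR_LIB_PKCS7, ERR_R_ASN1_LIB);
              return 0;
          }
          p7->d.digest->md->parameter->type = V_ASN1_NULL;
          p7->d.digest->md->algorithm = OBJ_nid2obj(EVP_MD_nid(md));
          return 1;
      }

      /*
       * The wrong-type path used to raise the error and still report success,
       * so a caller checking the return value would carry on with no digest
       * configured. Report the failure that the error queue already records.
       */
      ERR_raise(ERR_LIB_PKCS7, PKCS7_R_WRONG_CONTENT_TYPE);
      return 0;
  }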
  /*
   * Return the signer info stack of a signed or signedAndEnveloped structure.
   * Returns NULL for a NULL p7, a structure with no body, or any other type.
   * The stack is the one held by p7, not a copy.
   */
  STACK_OF(PKCS7_SIGNER_INFO) *PKCS7_get_signer_info(PKCS7 *p7)
  {
      /* Reject missing structures before touching the body pointer. */
      if (p7 == NULL || p7->d.ptr == NULL)
          return NULL;

      if (PKCS7_type_is_signed(p7))
          return p7->d.sign->signer_info;
      if (PKCS7_type_is_signedAndEnveloped(p7))
          return p7->d.signed_and_enveloped->signer_info;
      return NULL;
  }
  /*
   * Hand out the key, digest algorithm and signature algorithm held by a
   * signer info. Each output pointer is optional; NULL means "not wanted".
   * The returned pointers refer to the signer info's own members.
   */
  void PKCS7_SIGNER_INFO_get0_algs(PKCS7_SIGNER_INFO *si, EVP_PKEY **pk,
                                   X509_ALGOR **pdig, X509_ALGOR **psig)
  {
      if (pk != NULL)
          *pk = si->pkey;
      if (pdig != NULL)
          *pdig = si->digest_alg;
      if (psig != NULL)
          *psig = si->digest_enc_alg;
  }
  /*
   * Hand out the key encryption algorithm held by a recipient info.
   * penc may be NULL, in which case nothing is written.
   */
  void PKCS7_RECIP_INFO_get0_alg(PKCS7_RECIP_INFO *ri, X509_ALGOR **penc)
  {
      if (penc == NULL)
          return;
      *penc = ri->key_enc_algor;
  }
  /*
   * Create a recipient info for the certificate x509 and attach it to p7.
   *
   * Returns the new recipient info, which has been added to p7 and had its
   * ctx set to p7's context, or NULL on failure (the recipient info is freed).
   */
  PKCS7_RECIP_INFO *PKCS7_add_recipient(PKCS7 *p7, X509 *x509)
  {
      PKCS7_RECIP_INFO *recip = PKCS7_RECIP_INFO_new();

      if (recip == NULL
          || PKCS7_RECIP_INFO_set(recip, x509) <= 0
          || !PKCS7_add_recipient_info(p7, recip)) {
          /* Never reached p7's stack, so release it here. */
          PKCS7_RECIP_INFO_free(recip);
          return NULL;
      }

      recip->ctx = ossl_pkcs7_get0_ctx(p7);
      return recip;
  }
  /*
   * Push a recipient info onto the recipient stack of a signedAndEnveloped or
   * enveloped structure. The pointer itself is stored.
   *
   * Returns 1 on success, 0 on a wrong content type (error raised) or a
   * failed push.
   */
  int PKCS7_add_recipient_info(PKCS7 *p7, PKCS7_RECIP_INFO *ri)
  {
      STACK_OF(PKCS7_RECIP_INFO) *recipients;

      switch (OBJ_obj2nid(p7->type)) {
      case NID_pkcs7_signedAndEnveloped:
          recipients = p7->d.signed_and_enveloped->recipientinfo;
          break;
      case NID_pkcs7_enveloped:
          recipients = p7->d.enveloped->recipientinfo;
          break;
      default:
          ERR_raise(ERR_LIB_PKCS7, PKCS7_R_WRONG_CONTENT_TYPE);
          return 0;
      }

      return sk_PKCS7_RECIP_INFO_push(recipients, ri) ? 1 : 0;
  }
  /*
   * For encryption (decrypt == 0), set the recipient info's key encryption
   * algorithm to rsaEncryption with NULL parameters. Nothing is done for
   * decryption.
   *
   * Returns 1 when decrypting or when no algorithm slot is available,
   * otherwise the result of X509_ALGOR_set0().
   */
  static int pkcs7_rsa_encrypt_decrypt_setup(PKCS7_RECIP_INFO *ri, int decrypt)
  {
      X509_ALGOR *enc_alg = NULL;

      if (decrypt)
          return 1;

      PKCS7_RECIP_INFO_get0_alg(ri, &enc_alg);
      if (enc_alg == NULL)
          return 1;

      return X509_ALGOR_set0(enc_alg, OBJ_nid2obj(NID_rsaEncryption),
                             V_ASN1_NULL, NULL);
  }
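  /*
   * Populate a recipient info from the recipient certificate: version 0,
   * issuer and serial copied from x509, the key encryption algorithm chosen
   * from the certificate's public key, and a new reference to x509 in
   * p7i->cert.
   *
   * Returns 1 on success, 0 on failure, and -2 (without raising an error) for
   * an RSA-PSS key.
   */
  int PKCS7_RECIP_INFO_set(PKCS7_RECIP_INFO *p7i, X509 *x509)
  {
      int ret;
      EVP_PKEY *pkey = NULL;

      if (!ASN1_INTEGER_set(p7i->version, 0))
          return 0;
      if (!X509_NAME_set(&p7i->issuer_and_serial->issuer,
                         X509_get_issuer_name(x509)))
          return 0;

      /* Replace the serial with a duplicate of the certificate's own. */
      ASN1_INTEGER_free(p7i->issuer_and_serial->serial);
      if (!(p7i->issuer_and_serial->serial =
            ASN1_INTEGER_dup(X509_get0_serialNumber(x509))))
          return 0;

      pkey = X509_get0_pubkey(x509);
      if (pkey == NULL)
          return 0;

      if (EVP_PKEY_is_a(pkey, "RSA-PSS"))
          return -2;

      if (EVP_PKEY_is_a(pkey, "RSA")) {
          if (pkcs7_rsa_encrypt_decrypt_setup(p7i, 0) <= 0)
              return 0;
      } else {
          /* Other key types: delegate to the key method's control hook. */
          if (pkey->ameth == NULL || pkey->ameth->pkey_ctrl == NULL) {
              ERR_raise(ERR_LIB_PKCS7,
                        PKCS7_R_ENCRYPTION_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
              return 0;
          }

          ret = pkey->ameth->pkey_ctrl(pkey, ASN1_PKEY_CTRL_PKCS7_ENCRYPT, 0,
                                       p7i);
          if (ret == -2) {
              ERR_raise(ERR_LIB_PKCS7,
                        PKCS7_R_ENCRYPTION_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
              return 0;
          }
          if (ret <= 0) {
              ERR_raise(ERR_LIB_PKCS7, PKCS7_R_ENCRYPTION_CTRL_FAILURE);
              return 0;
          }
      }

      /*
       * Store the certificate only once the reference has really been taken;
       * otherwise freeing the recipient info would drop a reference that
       * belongs to the caller.
       */
      if (!X509_up_ref(x509))
          return 0;
      p7i->cert = x509;
      return 1;
  }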
  /*
   * Look up the signer's certificate among the certificates embedded in a
   * signed structure, matching on the issuer and serial recorded in si.
   *
   * Returns the result of X509_find_by_issuer_and_serial(), or NULL when p7
   * is not of type signed.
   */
  X509 *PKCS7_cert_from_signer_info(PKCS7 *p7, PKCS7_SIGNER_INFO *si)
  {
      if (!PKCS7_type_is_signed(p7))
          return NULL;

      return X509_find_by_issuer_and_serial(p7->d.sign->cert,
                                            si->issuer_and_serial->issuer,
                                            si->issuer_and_serial->serial);
  }
  /*
   * Select the content encryption cipher for a signedAndEnveloped or
   * enveloped structure. The cipher pointer is stored as-is, together with
   * p7's context.
   *
   * Returns 1 on success, 0 (with an error raised) on a wrong content type or
   * when the cipher has no object identifier.
   */
  int PKCS7_set_cipher(PKCS7 *p7, const EVP_CIPHER *cipher)
  {
      PKCS7_ENC_CONTENT *enc;

      switch (OBJ_obj2nid(p7->type)) {
      case NID_pkcs7_signedAndEnveloped:
          enc = p7->d.signed_and_enveloped->enc_data;
          break;
      case NID_pkcs7_enveloped:
          enc = p7->d.enveloped->enc_data;
          break;
      default:
          ERR_raise(ERR_LIB_PKCS7, PKCS7_R_WRONG_CONTENT_TYPE);
          return 0;
      }

      /* A cipher without an OID cannot be named in the encoded structure. */
      if (EVP_CIPHER_get_type(cipher) == NID_undef) {
          ERR_raise(ERR_LIB_PKCS7, PKCS7_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER);
          return 0;
      }

      enc->cipher = cipher;
      enc->ctx = ossl_pkcs7_get0_ctx(p7);
      return 1;
  }
  619. /* unfortunately cannot constify BIO_new_NDEF() due to this and CMS_stream() */
  /*
   * Prepare the content octet string of p7 for streaming: locate it (creating
   * an empty one for the enveloped types when absent), flag it with
   * ASN1_STRING_FLAG_NDEF and hand back the address of its data pointer.
   *
   * Returns 1 on success, 0 if no octet string is available for the type or
   * one could not be allocated. *boundary is written only on success.
   */
  int PKCS7_stream(unsigned char ***boundary, PKCS7 *p7)
  {
      ASN1_OCTET_STRING *content = NULL;
      PKCS7_ENC_CONTENT *enc;

      switch (OBJ_obj2nid(p7->type)) {
      case NID_pkcs7_data:
          content = p7->d.data;
          break;
      case NID_pkcs7_signedAndEnveloped:
          enc = p7->d.signed_and_enveloped->enc_data;
          if (enc->enc_data == NULL)
              enc->enc_data = ASN1_OCTET_STRING_new();
          content = enc->enc_data;
          break;
      case NID_pkcs7_enveloped:
          enc = p7->d.enveloped->enc_data;
          if (enc->enc_data == NULL)
              enc->enc_data = ASN1_OCTET_STRING_new();
          content = enc->enc_data;
          break;
      case NID_pkcs7_signed:
          content = p7->d.sign->contents->d.data;
          break;
      default:
          break;
      }

      /* Covers unsupported types, absent content and allocation failure. */
      if (content == NULL)
          return 0;

      content->flags |= ASN1_STRING_FLAG_NDEF;
      *boundary = &content->data;
      return 1;
  }