pk7_lib.c 20 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753
  1. /*
  2. * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the Apache License 2.0 (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include <stdio.h>
  10. #include "internal/cryptlib.h"
  11. #include <openssl/objects.h>
  12. #include <openssl/x509.h>
  13. #include <openssl/pkcs7.h>
  14. #include "crypto/asn1.h"
  15. #include "crypto/evp.h"
  16. #include "crypto/x509.h" /* for sk_X509_add1_cert() */
  17. #include "pk7_local.h"
  18. long PKCS7_ctrl(PKCS7 *p7, int cmd, long larg, char *parg)
  19. {
  20. int nid;
  21. long ret;
  22. nid = OBJ_obj2nid(p7->type);
  23. switch (cmd) {
  24. /* NOTE(emilia): does not support detached digested data. */
  25. case PKCS7_OP_SET_DETACHED_SIGNATURE:
  26. if (nid == NID_pkcs7_signed) {
  27. ret = p7->detached = (int)larg;
  28. if (ret && PKCS7_type_is_data(p7->d.sign->contents)) {
  29. ASN1_OCTET_STRING *os;
  30. os = p7->d.sign->contents->d.data;
  31. ASN1_OCTET_STRING_free(os);
  32. p7->d.sign->contents->d.data = NULL;
  33. }
  34. } else {
  35. ERR_raise(ERR_LIB_PKCS7,
  36. PKCS7_R_OPERATION_NOT_SUPPORTED_ON_THIS_TYPE);
  37. ret = 0;
  38. }
  39. break;
  40. case PKCS7_OP_GET_DETACHED_SIGNATURE:
  41. if (nid == NID_pkcs7_signed) {
  42. if (p7->d.sign == NULL || p7->d.sign->contents->d.ptr == NULL)
  43. ret = 1;
  44. else
  45. ret = 0;
  46. p7->detached = ret;
  47. } else {
  48. ERR_raise(ERR_LIB_PKCS7,
  49. PKCS7_R_OPERATION_NOT_SUPPORTED_ON_THIS_TYPE);
  50. ret = 0;
  51. }
  52. break;
  53. default:
  54. ERR_raise(ERR_LIB_PKCS7, PKCS7_R_UNKNOWN_OPERATION);
  55. ret = 0;
  56. }
  57. return ret;
  58. }
  59. int PKCS7_content_new(PKCS7 *p7, int type)
  60. {
  61. PKCS7 *ret = NULL;
  62. if ((ret = PKCS7_new()) == NULL)
  63. goto err;
  64. if (!PKCS7_set_type(ret, type))
  65. goto err;
  66. if (!PKCS7_set_content(p7, ret))
  67. goto err;
  68. return 1;
  69. err:
  70. PKCS7_free(ret);
  71. return 0;
  72. }
  73. int PKCS7_set_content(PKCS7 *p7, PKCS7 *p7_data)
  74. {
  75. int i;
  76. i = OBJ_obj2nid(p7->type);
  77. switch (i) {
  78. case NID_pkcs7_signed:
  79. PKCS7_free(p7->d.sign->contents);
  80. p7->d.sign->contents = p7_data;
  81. break;
  82. case NID_pkcs7_digest:
  83. PKCS7_free(p7->d.digest->contents);
  84. p7->d.digest->contents = p7_data;
  85. break;
  86. case NID_pkcs7_data:
  87. case NID_pkcs7_enveloped:
  88. case NID_pkcs7_signedAndEnveloped:
  89. case NID_pkcs7_encrypted:
  90. default:
  91. ERR_raise(ERR_LIB_PKCS7, PKCS7_R_UNSUPPORTED_CONTENT_TYPE);
  92. goto err;
  93. }
  94. return 1;
  95. err:
  96. return 0;
  97. }
  98. int PKCS7_set_type(PKCS7 *p7, int type)
  99. {
  100. ASN1_OBJECT *obj;
  101. /*
  102. * PKCS7_content_free(p7);
  103. */
  104. obj = OBJ_nid2obj(type); /* will not fail */
  105. switch (type) {
  106. case NID_pkcs7_signed:
  107. p7->type = obj;
  108. if ((p7->d.sign = PKCS7_SIGNED_new()) == NULL)
  109. goto err;
  110. if (!ASN1_INTEGER_set(p7->d.sign->version, 1)) {
  111. PKCS7_SIGNED_free(p7->d.sign);
  112. p7->d.sign = NULL;
  113. goto err;
  114. }
  115. break;
  116. case NID_pkcs7_data:
  117. p7->type = obj;
  118. if ((p7->d.data = ASN1_OCTET_STRING_new()) == NULL)
  119. goto err;
  120. break;
  121. case NID_pkcs7_signedAndEnveloped:
  122. p7->type = obj;
  123. if ((p7->d.signed_and_enveloped = PKCS7_SIGN_ENVELOPE_new())
  124. == NULL)
  125. goto err;
  126. if (!ASN1_INTEGER_set(p7->d.signed_and_enveloped->version, 1))
  127. goto err;
  128. p7->d.signed_and_enveloped->enc_data->content_type
  129. = OBJ_nid2obj(NID_pkcs7_data);
  130. break;
  131. case NID_pkcs7_enveloped:
  132. p7->type = obj;
  133. if ((p7->d.enveloped = PKCS7_ENVELOPE_new())
  134. == NULL)
  135. goto err;
  136. if (!ASN1_INTEGER_set(p7->d.enveloped->version, 0))
  137. goto err;
  138. p7->d.enveloped->enc_data->content_type = OBJ_nid2obj(NID_pkcs7_data);
  139. break;
  140. case NID_pkcs7_encrypted:
  141. p7->type = obj;
  142. if ((p7->d.encrypted = PKCS7_ENCRYPT_new())
  143. == NULL)
  144. goto err;
  145. if (!ASN1_INTEGER_set(p7->d.encrypted->version, 0))
  146. goto err;
  147. p7->d.encrypted->enc_data->content_type = OBJ_nid2obj(NID_pkcs7_data);
  148. break;
  149. case NID_pkcs7_digest:
  150. p7->type = obj;
  151. if ((p7->d.digest = PKCS7_DIGEST_new())
  152. == NULL)
  153. goto err;
  154. if (!ASN1_INTEGER_set(p7->d.digest->version, 0))
  155. goto err;
  156. break;
  157. default:
  158. ERR_raise(ERR_LIB_PKCS7, PKCS7_R_UNSUPPORTED_CONTENT_TYPE);
  159. goto err;
  160. }
  161. return 1;
  162. err:
  163. return 0;
  164. }
  165. int PKCS7_set0_type_other(PKCS7 *p7, int type, ASN1_TYPE *other)
  166. {
  167. p7->type = OBJ_nid2obj(type);
  168. p7->d.other = other;
  169. return 1;
  170. }
  171. int PKCS7_add_signer(PKCS7 *p7, PKCS7_SIGNER_INFO *psi)
  172. {
  173. int i, j;
  174. ASN1_OBJECT *obj;
  175. X509_ALGOR *alg;
  176. STACK_OF(PKCS7_SIGNER_INFO) *signer_sk;
  177. STACK_OF(X509_ALGOR) *md_sk;
  178. i = OBJ_obj2nid(p7->type);
  179. switch (i) {
  180. case NID_pkcs7_signed:
  181. signer_sk = p7->d.sign->signer_info;
  182. md_sk = p7->d.sign->md_algs;
  183. break;
  184. case NID_pkcs7_signedAndEnveloped:
  185. signer_sk = p7->d.signed_and_enveloped->signer_info;
  186. md_sk = p7->d.signed_and_enveloped->md_algs;
  187. break;
  188. default:
  189. ERR_raise(ERR_LIB_PKCS7, PKCS7_R_WRONG_CONTENT_TYPE);
  190. return 0;
  191. }
  192. obj = psi->digest_alg->algorithm;
  193. /* If the digest is not currently listed, add it */
  194. j = 0;
  195. for (i = 0; i < sk_X509_ALGOR_num(md_sk); i++) {
  196. alg = sk_X509_ALGOR_value(md_sk, i);
  197. if (OBJ_cmp(obj, alg->algorithm) == 0) {
  198. j = 1;
  199. break;
  200. }
  201. }
  202. if (!j) { /* we need to add another algorithm */
  203. int nid;
  204. if ((alg = X509_ALGOR_new()) == NULL
  205. || (alg->parameter = ASN1_TYPE_new()) == NULL) {
  206. X509_ALGOR_free(alg);
  207. ERR_raise(ERR_LIB_PKCS7, ERR_R_ASN1_LIB);
  208. return 0;
  209. }
  210. /*
  211. * If there is a constant copy of the ASN1 OBJECT in libcrypto, then
  212. * use that. Otherwise, use a dynamically duplicated copy
  213. */
  214. if ((nid = OBJ_obj2nid(obj)) != NID_undef)
  215. alg->algorithm = OBJ_nid2obj(nid);
  216. else
  217. alg->algorithm = OBJ_dup(obj);
  218. alg->parameter->type = V_ASN1_NULL;
  219. if (alg->algorithm == NULL || !sk_X509_ALGOR_push(md_sk, alg)) {
  220. X509_ALGOR_free(alg);
  221. return 0;
  222. }
  223. }
  224. psi->ctx = ossl_pkcs7_get0_ctx(p7);
  225. if (!sk_PKCS7_SIGNER_INFO_push(signer_sk, psi))
  226. return 0;
  227. return 1;
  228. }
  229. int PKCS7_add_certificate(PKCS7 *p7, X509 *x509)
  230. {
  231. int i;
  232. STACK_OF(X509) **sk;
  233. i = OBJ_obj2nid(p7->type);
  234. switch (i) {
  235. case NID_pkcs7_signed:
  236. sk = &(p7->d.sign->cert);
  237. break;
  238. case NID_pkcs7_signedAndEnveloped:
  239. sk = &(p7->d.signed_and_enveloped->cert);
  240. break;
  241. default:
  242. ERR_raise(ERR_LIB_PKCS7, PKCS7_R_WRONG_CONTENT_TYPE);
  243. return 0;
  244. }
  245. return ossl_x509_add_cert_new(sk, x509, X509_ADD_FLAG_UP_REF);
  246. }
  247. int PKCS7_add_crl(PKCS7 *p7, X509_CRL *crl)
  248. {
  249. int i;
  250. STACK_OF(X509_CRL) **sk;
  251. i = OBJ_obj2nid(p7->type);
  252. switch (i) {
  253. case NID_pkcs7_signed:
  254. sk = &(p7->d.sign->crl);
  255. break;
  256. case NID_pkcs7_signedAndEnveloped:
  257. sk = &(p7->d.signed_and_enveloped->crl);
  258. break;
  259. default:
  260. ERR_raise(ERR_LIB_PKCS7, PKCS7_R_WRONG_CONTENT_TYPE);
  261. return 0;
  262. }
  263. if (*sk == NULL)
  264. *sk = sk_X509_CRL_new_null();
  265. if (*sk == NULL) {
  266. ERR_raise(ERR_LIB_PKCS7, ERR_R_CRYPTO_LIB);
  267. return 0;
  268. }
  269. X509_CRL_up_ref(crl);
  270. if (!sk_X509_CRL_push(*sk, crl)) {
  271. X509_CRL_free(crl);
  272. return 0;
  273. }
  274. return 1;
  275. }
  276. static int pkcs7_ecdsa_or_dsa_sign_verify_setup(PKCS7_SIGNER_INFO *si,
  277. int verify)
  278. {
  279. if (!verify) {
  280. int snid, hnid;
  281. X509_ALGOR *alg1, *alg2;
  282. EVP_PKEY *pkey = si->pkey;
  283. PKCS7_SIGNER_INFO_get0_algs(si, NULL, &alg1, &alg2);
  284. if (alg1 == NULL || alg1->algorithm == NULL)
  285. return -1;
  286. hnid = OBJ_obj2nid(alg1->algorithm);
  287. if (hnid == NID_undef)
  288. return -1;
  289. if (!OBJ_find_sigid_by_algs(&snid, hnid, EVP_PKEY_get_id(pkey)))
  290. return -1;
  291. return X509_ALGOR_set0(alg2, OBJ_nid2obj(snid), V_ASN1_UNDEF, NULL);
  292. }
  293. return 1;
  294. }
  295. static int pkcs7_rsa_sign_verify_setup(PKCS7_SIGNER_INFO *si, int verify)
  296. {
  297. if (!verify) {
  298. X509_ALGOR *alg = NULL;
  299. PKCS7_SIGNER_INFO_get0_algs(si, NULL, NULL, &alg);
  300. if (alg != NULL)
  301. return X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption),
  302. V_ASN1_NULL, NULL);
  303. }
  304. return 1;
  305. }
  306. int PKCS7_SIGNER_INFO_set(PKCS7_SIGNER_INFO *p7i, X509 *x509, EVP_PKEY *pkey,
  307. const EVP_MD *dgst)
  308. {
  309. int ret;
  310. /* We now need to add another PKCS7_SIGNER_INFO entry */
  311. if (!ASN1_INTEGER_set(p7i->version, 1))
  312. return 0;
  313. if (!X509_NAME_set(&p7i->issuer_and_serial->issuer,
  314. X509_get_issuer_name(x509)))
  315. return 0;
  316. /*
  317. * because ASN1_INTEGER_set is used to set a 'long' we will do things the
  318. * ugly way.
  319. */
  320. ASN1_INTEGER_free(p7i->issuer_and_serial->serial);
  321. if (!(p7i->issuer_and_serial->serial =
  322. ASN1_INTEGER_dup(X509_get0_serialNumber(x509))))
  323. return 0;
  324. /* lets keep the pkey around for a while */
  325. EVP_PKEY_up_ref(pkey);
  326. p7i->pkey = pkey;
  327. /* Set the algorithms */
  328. if (!X509_ALGOR_set0(p7i->digest_alg, OBJ_nid2obj(EVP_MD_get_type(dgst)),
  329. V_ASN1_NULL, NULL))
  330. return 0;
  331. if (EVP_PKEY_is_a(pkey, "EC") || EVP_PKEY_is_a(pkey, "DSA"))
  332. return pkcs7_ecdsa_or_dsa_sign_verify_setup(p7i, 0);
  333. if (EVP_PKEY_is_a(pkey, "RSA"))
  334. return pkcs7_rsa_sign_verify_setup(p7i, 0);
  335. if (pkey->ameth != NULL && pkey->ameth->pkey_ctrl != NULL) {
  336. ret = pkey->ameth->pkey_ctrl(pkey, ASN1_PKEY_CTRL_PKCS7_SIGN, 0, p7i);
  337. if (ret > 0)
  338. return 1;
  339. if (ret != -2) {
  340. ERR_raise(ERR_LIB_PKCS7, PKCS7_R_SIGNING_CTRL_FAILURE);
  341. return 0;
  342. }
  343. }
  344. ERR_raise(ERR_LIB_PKCS7, PKCS7_R_SIGNING_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
  345. return 0;
  346. }
  347. PKCS7_SIGNER_INFO *PKCS7_add_signature(PKCS7 *p7, X509 *x509, EVP_PKEY *pkey,
  348. const EVP_MD *dgst)
  349. {
  350. PKCS7_SIGNER_INFO *si = NULL;
  351. if (dgst == NULL) {
  352. int def_nid;
  353. if (EVP_PKEY_get_default_digest_nid(pkey, &def_nid) <= 0)
  354. goto err;
  355. dgst = EVP_get_digestbynid(def_nid);
  356. if (dgst == NULL) {
  357. ERR_raise(ERR_LIB_PKCS7, PKCS7_R_NO_DEFAULT_DIGEST);
  358. goto err;
  359. }
  360. }
  361. if ((si = PKCS7_SIGNER_INFO_new()) == NULL)
  362. goto err;
  363. if (PKCS7_SIGNER_INFO_set(si, x509, pkey, dgst) <= 0)
  364. goto err;
  365. if (!PKCS7_add_signer(p7, si))
  366. goto err;
  367. return si;
  368. err:
  369. PKCS7_SIGNER_INFO_free(si);
  370. return NULL;
  371. }
  372. static STACK_OF(X509) *pkcs7_get_signer_certs(const PKCS7 *p7)
  373. {
  374. if (p7->d.ptr == NULL)
  375. return NULL;
  376. if (PKCS7_type_is_signed(p7))
  377. return p7->d.sign->cert;
  378. if (PKCS7_type_is_signedAndEnveloped(p7))
  379. return p7->d.signed_and_enveloped->cert;
  380. return NULL;
  381. }
  382. static STACK_OF(PKCS7_RECIP_INFO) *pkcs7_get_recipient_info(const PKCS7 *p7)
  383. {
  384. if (p7->d.ptr == NULL)
  385. return NULL;
  386. if (PKCS7_type_is_signedAndEnveloped(p7))
  387. return p7->d.signed_and_enveloped->recipientinfo;
  388. if (PKCS7_type_is_enveloped(p7))
  389. return p7->d.enveloped->recipientinfo;
  390. return NULL;
  391. }
  392. /*
  393. * Set up the library context into any loaded structure that needs it.
  394. * i.e loaded X509 objects.
  395. */
  396. void ossl_pkcs7_resolve_libctx(PKCS7 *p7)
  397. {
  398. int i;
  399. const PKCS7_CTX *ctx = ossl_pkcs7_get0_ctx(p7);
  400. OSSL_LIB_CTX *libctx = ossl_pkcs7_ctx_get0_libctx(ctx);
  401. const char *propq = ossl_pkcs7_ctx_get0_propq(ctx);
  402. STACK_OF(PKCS7_RECIP_INFO) *rinfos;
  403. STACK_OF(PKCS7_SIGNER_INFO) *sinfos;
  404. STACK_OF(X509) *certs;
  405. if (ctx == NULL || p7->d.ptr == NULL)
  406. return;
  407. rinfos = pkcs7_get_recipient_info(p7);
  408. sinfos = PKCS7_get_signer_info(p7);
  409. certs = pkcs7_get_signer_certs(p7);
  410. for (i = 0; i < sk_X509_num(certs); i++)
  411. ossl_x509_set0_libctx(sk_X509_value(certs, i), libctx, propq);
  412. for (i = 0; i < sk_PKCS7_RECIP_INFO_num(rinfos); i++) {
  413. PKCS7_RECIP_INFO *ri = sk_PKCS7_RECIP_INFO_value(rinfos, i);
  414. ossl_x509_set0_libctx(ri->cert, libctx, propq);
  415. }
  416. for (i = 0; i < sk_PKCS7_SIGNER_INFO_num(sinfos); i++) {
  417. PKCS7_SIGNER_INFO *si = sk_PKCS7_SIGNER_INFO_value(sinfos, i);
  418. if (si != NULL)
  419. si->ctx = ctx;
  420. }
  421. }
  422. const PKCS7_CTX *ossl_pkcs7_get0_ctx(const PKCS7 *p7)
  423. {
  424. return p7 != NULL ? &p7->ctx : NULL;
  425. }
  426. void ossl_pkcs7_set0_libctx(PKCS7 *p7, OSSL_LIB_CTX *ctx)
  427. {
  428. p7->ctx.libctx = ctx;
  429. }
  430. int ossl_pkcs7_set1_propq(PKCS7 *p7, const char *propq)
  431. {
  432. if (p7->ctx.propq != NULL) {
  433. OPENSSL_free(p7->ctx.propq);
  434. p7->ctx.propq = NULL;
  435. }
  436. if (propq != NULL) {
  437. p7->ctx.propq = OPENSSL_strdup(propq);
  438. if (p7->ctx.propq == NULL)
  439. return 0;
  440. }
  441. return 1;
  442. }
  443. int ossl_pkcs7_ctx_propagate(const PKCS7 *from, PKCS7 *to)
  444. {
  445. ossl_pkcs7_set0_libctx(to, from->ctx.libctx);
  446. if (!ossl_pkcs7_set1_propq(to, from->ctx.propq))
  447. return 0;
  448. ossl_pkcs7_resolve_libctx(to);
  449. return 1;
  450. }
  451. OSSL_LIB_CTX *ossl_pkcs7_ctx_get0_libctx(const PKCS7_CTX *ctx)
  452. {
  453. return ctx != NULL ? ctx->libctx : NULL;
  454. }
  455. const char *ossl_pkcs7_ctx_get0_propq(const PKCS7_CTX *ctx)
  456. {
  457. return ctx != NULL ? ctx->propq : NULL;
  458. }
  459. int PKCS7_set_digest(PKCS7 *p7, const EVP_MD *md)
  460. {
  461. if (PKCS7_type_is_digest(p7)) {
  462. if ((p7->d.digest->md->parameter = ASN1_TYPE_new()) == NULL) {
  463. ERR_raise(ERR_LIB_PKCS7, ERR_R_ASN1_LIB);
  464. return 0;
  465. }
  466. p7->d.digest->md->parameter->type = V_ASN1_NULL;
  467. p7->d.digest->md->algorithm = OBJ_nid2obj(EVP_MD_nid(md));
  468. return 1;
  469. }
  470. ERR_raise(ERR_LIB_PKCS7, PKCS7_R_WRONG_CONTENT_TYPE);
  471. return 1;
  472. }
  473. STACK_OF(PKCS7_SIGNER_INFO) *PKCS7_get_signer_info(PKCS7 *p7)
  474. {
  475. if (p7 == NULL || p7->d.ptr == NULL)
  476. return NULL;
  477. if (PKCS7_type_is_signed(p7)) {
  478. return p7->d.sign->signer_info;
  479. } else if (PKCS7_type_is_signedAndEnveloped(p7)) {
  480. return p7->d.signed_and_enveloped->signer_info;
  481. } else
  482. return NULL;
  483. }
  484. void PKCS7_SIGNER_INFO_get0_algs(PKCS7_SIGNER_INFO *si, EVP_PKEY **pk,
  485. X509_ALGOR **pdig, X509_ALGOR **psig)
  486. {
  487. if (pk)
  488. *pk = si->pkey;
  489. if (pdig)
  490. *pdig = si->digest_alg;
  491. if (psig)
  492. *psig = si->digest_enc_alg;
  493. }
  494. void PKCS7_RECIP_INFO_get0_alg(PKCS7_RECIP_INFO *ri, X509_ALGOR **penc)
  495. {
  496. if (penc)
  497. *penc = ri->key_enc_algor;
  498. }
  499. PKCS7_RECIP_INFO *PKCS7_add_recipient(PKCS7 *p7, X509 *x509)
  500. {
  501. PKCS7_RECIP_INFO *ri;
  502. if ((ri = PKCS7_RECIP_INFO_new()) == NULL)
  503. goto err;
  504. if (PKCS7_RECIP_INFO_set(ri, x509) <= 0)
  505. goto err;
  506. if (!PKCS7_add_recipient_info(p7, ri))
  507. goto err;
  508. ri->ctx = ossl_pkcs7_get0_ctx(p7);
  509. return ri;
  510. err:
  511. PKCS7_RECIP_INFO_free(ri);
  512. return NULL;
  513. }
  514. int PKCS7_add_recipient_info(PKCS7 *p7, PKCS7_RECIP_INFO *ri)
  515. {
  516. int i;
  517. STACK_OF(PKCS7_RECIP_INFO) *sk;
  518. i = OBJ_obj2nid(p7->type);
  519. switch (i) {
  520. case NID_pkcs7_signedAndEnveloped:
  521. sk = p7->d.signed_and_enveloped->recipientinfo;
  522. break;
  523. case NID_pkcs7_enveloped:
  524. sk = p7->d.enveloped->recipientinfo;
  525. break;
  526. default:
  527. ERR_raise(ERR_LIB_PKCS7, PKCS7_R_WRONG_CONTENT_TYPE);
  528. return 0;
  529. }
  530. if (!sk_PKCS7_RECIP_INFO_push(sk, ri))
  531. return 0;
  532. return 1;
  533. }
  534. static int pkcs7_rsa_encrypt_decrypt_setup(PKCS7_RECIP_INFO *ri, int decrypt)
  535. {
  536. X509_ALGOR *alg = NULL;
  537. if (!decrypt) {
  538. PKCS7_RECIP_INFO_get0_alg(ri, &alg);
  539. if (alg != NULL)
  540. return X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption),
  541. V_ASN1_NULL, NULL);
  542. }
  543. return 1;
  544. }
  545. int PKCS7_RECIP_INFO_set(PKCS7_RECIP_INFO *p7i, X509 *x509)
  546. {
  547. int ret;
  548. EVP_PKEY *pkey = NULL;
  549. if (!ASN1_INTEGER_set(p7i->version, 0))
  550. return 0;
  551. if (!X509_NAME_set(&p7i->issuer_and_serial->issuer,
  552. X509_get_issuer_name(x509)))
  553. return 0;
  554. ASN1_INTEGER_free(p7i->issuer_and_serial->serial);
  555. if (!(p7i->issuer_and_serial->serial =
  556. ASN1_INTEGER_dup(X509_get0_serialNumber(x509))))
  557. return 0;
  558. pkey = X509_get0_pubkey(x509);
  559. if (pkey == NULL)
  560. return 0;
  561. if (EVP_PKEY_is_a(pkey, "RSA-PSS"))
  562. return -2;
  563. if (EVP_PKEY_is_a(pkey, "RSA")) {
  564. if (pkcs7_rsa_encrypt_decrypt_setup(p7i, 0) <= 0)
  565. goto err;
  566. goto finished;
  567. }
  568. if (pkey->ameth == NULL || pkey->ameth->pkey_ctrl == NULL) {
  569. ERR_raise(ERR_LIB_PKCS7,
  570. PKCS7_R_ENCRYPTION_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
  571. goto err;
  572. }
  573. ret = pkey->ameth->pkey_ctrl(pkey, ASN1_PKEY_CTRL_PKCS7_ENCRYPT, 0, p7i);
  574. if (ret == -2) {
  575. ERR_raise(ERR_LIB_PKCS7,
  576. PKCS7_R_ENCRYPTION_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
  577. goto err;
  578. }
  579. if (ret <= 0) {
  580. ERR_raise(ERR_LIB_PKCS7, PKCS7_R_ENCRYPTION_CTRL_FAILURE);
  581. goto err;
  582. }
  583. finished:
  584. X509_up_ref(x509);
  585. p7i->cert = x509;
  586. return 1;
  587. err:
  588. return 0;
  589. }
  590. X509 *PKCS7_cert_from_signer_info(PKCS7 *p7, PKCS7_SIGNER_INFO *si)
  591. {
  592. if (PKCS7_type_is_signed(p7))
  593. return (X509_find_by_issuer_and_serial(p7->d.sign->cert,
  594. si->issuer_and_serial->issuer,
  595. si->
  596. issuer_and_serial->serial));
  597. else
  598. return NULL;
  599. }
  600. int PKCS7_set_cipher(PKCS7 *p7, const EVP_CIPHER *cipher)
  601. {
  602. int i;
  603. PKCS7_ENC_CONTENT *ec;
  604. i = OBJ_obj2nid(p7->type);
  605. switch (i) {
  606. case NID_pkcs7_signedAndEnveloped:
  607. ec = p7->d.signed_and_enveloped->enc_data;
  608. break;
  609. case NID_pkcs7_enveloped:
  610. ec = p7->d.enveloped->enc_data;
  611. break;
  612. default:
  613. ERR_raise(ERR_LIB_PKCS7, PKCS7_R_WRONG_CONTENT_TYPE);
  614. return 0;
  615. }
  616. /* Check cipher OID exists and has data in it */
  617. i = EVP_CIPHER_get_type(cipher);
  618. if (i == NID_undef) {
  619. ERR_raise(ERR_LIB_PKCS7, PKCS7_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER);
  620. return 0;
  621. }
  622. ec->cipher = cipher;
  623. ec->ctx = ossl_pkcs7_get0_ctx(p7);
  624. return 1;
  625. }
  626. /* unfortunately cannot constify BIO_new_NDEF() due to this and CMS_stream() */
  627. int PKCS7_stream(unsigned char ***boundary, PKCS7 *p7)
  628. {
  629. ASN1_OCTET_STRING *os = NULL;
  630. switch (OBJ_obj2nid(p7->type)) {
  631. case NID_pkcs7_data:
  632. os = p7->d.data;
  633. break;
  634. case NID_pkcs7_signedAndEnveloped:
  635. os = p7->d.signed_and_enveloped->enc_data->enc_data;
  636. if (os == NULL) {
  637. os = ASN1_OCTET_STRING_new();
  638. p7->d.signed_and_enveloped->enc_data->enc_data = os;
  639. }
  640. break;
  641. case NID_pkcs7_enveloped:
  642. os = p7->d.enveloped->enc_data->enc_data;
  643. if (os == NULL) {
  644. os = ASN1_OCTET_STRING_new();
  645. p7->d.enveloped->enc_data->enc_data = os;
  646. }
  647. break;
  648. case NID_pkcs7_signed:
  649. os = p7->d.sign->contents->d.data;
  650. break;
  651. default:
  652. os = NULL;
  653. break;
  654. }
  655. if (os == NULL)
  656. return 0;
  657. os->flags |= ASN1_STRING_FLAG_NDEF;
  658. *boundary = &os->data;
  659. return 1;
  660. }