pk7_doit.c 29 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258
  1. /* crypto/pkcs7/pk7_doit.c */
  2. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  3. * All rights reserved.
  4. *
  5. * This package is an SSL implementation written
  6. * by Eric Young (eay@cryptsoft.com).
  7. * The implementation was written so as to conform with Netscapes SSL.
  8. *
  9. * This library is free for commercial and non-commercial use as long as
  10. * the following conditions are aheared to. The following conditions
  11. * apply to all code found in this distribution, be it the RC4, RSA,
  12. * lhash, DES, etc., code; not just the SSL code. The SSL documentation
  13. * included with this distribution is covered by the same copyright terms
  14. * except that the holder is Tim Hudson (tjh@cryptsoft.com).
  15. *
  16. * Copyright remains Eric Young's, and as such any Copyright notices in
  17. * the code are not to be removed.
  18. * If this package is used in a product, Eric Young should be given attribution
  19. * as the author of the parts of the library used.
  20. * This can be in the form of a textual message at program startup or
  21. * in documentation (online or textual) provided with the package.
  22. *
  23. * Redistribution and use in source and binary forms, with or without
  24. * modification, are permitted provided that the following conditions
  25. * are met:
  26. * 1. Redistributions of source code must retain the copyright
  27. * notice, this list of conditions and the following disclaimer.
  28. * 2. Redistributions in binary form must reproduce the above copyright
  29. * notice, this list of conditions and the following disclaimer in the
  30. * documentation and/or other materials provided with the distribution.
  31. * 3. All advertising materials mentioning features or use of this software
  32. * must display the following acknowledgement:
  33. * "This product includes cryptographic software written by
  34. * Eric Young (eay@cryptsoft.com)"
  35. * The word 'cryptographic' can be left out if the rouines from the library
  36. * being used are not cryptographic related :-).
  37. * 4. If you include any Windows specific code (or a derivative thereof) from
  38. * the apps directory (application code) you must include an acknowledgement:
  39. * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
  40. *
  41. * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  42. * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  43. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  44. * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  45. * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  46. * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  47. * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  48. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  49. * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  50. * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  51. * SUCH DAMAGE.
  52. *
  53. * The licence and distribution terms for any publically available version or
  54. * derivative of this code cannot be changed. i.e. this code cannot simply be
  55. * copied and put under another distribution licence
  56. * [including the GNU Public Licence.]
  57. */
  58. #include <stdio.h>
  59. #include "cryptlib.h"
  60. #include <openssl/rand.h>
  61. #include <openssl/objects.h>
  62. #include <openssl/x509.h>
  63. #include <openssl/x509v3.h>
  64. #include <openssl/err.h>
  65. static int add_attribute(STACK_OF(X509_ATTRIBUTE) **sk, int nid, int atrtype,
  66. void *value);
  67. static ASN1_TYPE *get_attribute(STACK_OF(X509_ATTRIBUTE) *sk, int nid);
  68. static int PKCS7_type_is_other(PKCS7* p7)
  69. {
  70. int isOther=1;
  71. int nid=OBJ_obj2nid(p7->type);
  72. switch( nid )
  73. {
  74. case NID_pkcs7_data:
  75. case NID_pkcs7_signed:
  76. case NID_pkcs7_enveloped:
  77. case NID_pkcs7_signedAndEnveloped:
  78. case NID_pkcs7_digest:
  79. case NID_pkcs7_encrypted:
  80. isOther=0;
  81. break;
  82. default:
  83. isOther=1;
  84. }
  85. return isOther;
  86. }
  87. static ASN1_OCTET_STRING *PKCS7_get_octet_string(PKCS7 *p7)
  88. {
  89. if ( PKCS7_type_is_data(p7))
  90. return p7->d.data;
  91. if ( PKCS7_type_is_other(p7) && p7->d.other
  92. && (p7->d.other->type == V_ASN1_OCTET_STRING))
  93. return p7->d.other->value.octet_string;
  94. return NULL;
  95. }
  96. static int PKCS7_bio_add_digest(BIO **pbio, X509_ALGOR *alg)
  97. {
  98. BIO *btmp;
  99. const EVP_MD *md;
  100. if ((btmp=BIO_new(BIO_f_md())) == NULL)
  101. {
  102. PKCS7err(PKCS7_F_PKCS7_BIO_ADD_DIGEST,ERR_R_BIO_LIB);
  103. goto err;
  104. }
  105. md=EVP_get_digestbyobj(alg->algorithm);
  106. if (md == NULL)
  107. {
  108. PKCS7err(PKCS7_F_PKCS7_BIO_ADD_DIGEST,PKCS7_R_UNKNOWN_DIGEST_TYPE);
  109. goto err;
  110. }
  111. BIO_set_md(btmp,md);
  112. if (*pbio == NULL)
  113. *pbio=btmp;
  114. else if (!BIO_push(*pbio,btmp))
  115. {
  116. PKCS7err(PKCS7_F_PKCS7_BIO_ADD_DIGEST,ERR_R_BIO_LIB);
  117. goto err;
  118. }
  119. btmp=NULL;
  120. return 1;
  121. err:
  122. if (btmp)
  123. BIO_free(btmp);
  124. return 0;
  125. }
  126. static int pkcs7_encode_rinfo(PKCS7_RECIP_INFO *ri,
  127. unsigned char *key, int keylen)
  128. {
  129. EVP_PKEY_CTX *pctx = NULL;
  130. EVP_PKEY *pkey = NULL;
  131. unsigned char *ek = NULL;
  132. int ret = 0;
  133. size_t eklen;
  134. pkey = X509_get_pubkey(ri->cert);
  135. if (!pkey)
  136. return 0;
  137. pctx = EVP_PKEY_CTX_new(pkey, NULL);
  138. if (!pctx)
  139. return 0;
  140. if (EVP_PKEY_encrypt_init(pctx) <= 0)
  141. goto err;
  142. if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_ENCRYPT,
  143. EVP_PKEY_CTRL_PKCS7_ENCRYPT, 0, ri) <= 0)
  144. {
  145. PKCS7err(PKCS7_F_PKCS7_ENCODE_RINFO, PKCS7_R_CTRL_ERROR);
  146. goto err;
  147. }
  148. if (EVP_PKEY_encrypt(pctx, NULL, &eklen, key, keylen) <= 0)
  149. goto err;
  150. ek = OPENSSL_malloc(eklen);
  151. if (ek == NULL)
  152. {
  153. PKCS7err(PKCS7_F_PKCS7_ENCODE_RINFO, ERR_R_MALLOC_FAILURE);
  154. goto err;
  155. }
  156. if (EVP_PKEY_encrypt(pctx, ek, &eklen, key, keylen) <= 0)
  157. goto err;
  158. ASN1_STRING_set0(ri->enc_key, ek, eklen);
  159. ek = NULL;
  160. ret = 1;
  161. err:
  162. if (pkey)
  163. EVP_PKEY_free(pkey);
  164. if (pctx)
  165. EVP_PKEY_CTX_free(pctx);
  166. if (ek)
  167. OPENSSL_free(ek);
  168. return ret;
  169. }
  170. static int pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen,
  171. PKCS7_RECIP_INFO *ri, EVP_PKEY *pkey)
  172. {
  173. EVP_PKEY_CTX *pctx = NULL;
  174. unsigned char *ek = NULL;
  175. size_t eklen;
  176. int ret = 0;
  177. pctx = EVP_PKEY_CTX_new(pkey, NULL);
  178. if (!pctx)
  179. return 0;
  180. if (EVP_PKEY_decrypt_init(pctx) <= 0)
  181. goto err;
  182. if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_DECRYPT,
  183. EVP_PKEY_CTRL_PKCS7_DECRYPT, 0, ri) <= 0)
  184. {
  185. PKCS7err(PKCS7_F_PKCS7_DECRYPT_RINFO, PKCS7_R_CTRL_ERROR);
  186. goto err;
  187. }
  188. if (EVP_PKEY_decrypt(pctx, NULL, &eklen,
  189. ri->enc_key->data, ri->enc_key->length) <= 0)
  190. goto err;
  191. ek = OPENSSL_malloc(eklen);
  192. if (ek == NULL)
  193. {
  194. PKCS7err(PKCS7_F_PKCS7_DECRYPT_RINFO, ERR_R_MALLOC_FAILURE);
  195. goto err;
  196. }
  197. if (EVP_PKEY_decrypt(pctx, ek, &eklen,
  198. ri->enc_key->data, ri->enc_key->length) <= 0)
  199. {
  200. PKCS7err(PKCS7_F_PKCS7_DECRYPT_RINFO, ERR_R_EVP_LIB);
  201. goto err;
  202. }
  203. ret = 1;
  204. *pek = ek;
  205. *peklen = eklen;
  206. err:
  207. if (pctx)
  208. EVP_PKEY_CTX_free(pctx);
  209. if (!ret && ek)
  210. OPENSSL_free(ek);
  211. return ret;
  212. }
  213. BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio)
  214. {
  215. int i;
  216. BIO *out=NULL,*btmp=NULL;
  217. X509_ALGOR *xa = NULL;
  218. const EVP_CIPHER *evp_cipher=NULL;
  219. STACK_OF(X509_ALGOR) *md_sk=NULL;
  220. STACK_OF(PKCS7_RECIP_INFO) *rsk=NULL;
  221. X509_ALGOR *xalg=NULL;
  222. PKCS7_RECIP_INFO *ri=NULL;
  223. ASN1_OCTET_STRING *os=NULL;
  224. i=OBJ_obj2nid(p7->type);
  225. p7->state=PKCS7_S_HEADER;
  226. switch (i)
  227. {
  228. case NID_pkcs7_signed:
  229. md_sk=p7->d.sign->md_algs;
  230. os = PKCS7_get_octet_string(p7->d.sign->contents);
  231. break;
  232. case NID_pkcs7_signedAndEnveloped:
  233. rsk=p7->d.signed_and_enveloped->recipientinfo;
  234. md_sk=p7->d.signed_and_enveloped->md_algs;
  235. xalg=p7->d.signed_and_enveloped->enc_data->algorithm;
  236. evp_cipher=p7->d.signed_and_enveloped->enc_data->cipher;
  237. if (evp_cipher == NULL)
  238. {
  239. PKCS7err(PKCS7_F_PKCS7_DATAINIT,
  240. PKCS7_R_CIPHER_NOT_INITIALIZED);
  241. goto err;
  242. }
  243. break;
  244. case NID_pkcs7_enveloped:
  245. rsk=p7->d.enveloped->recipientinfo;
  246. xalg=p7->d.enveloped->enc_data->algorithm;
  247. evp_cipher=p7->d.enveloped->enc_data->cipher;
  248. if (evp_cipher == NULL)
  249. {
  250. PKCS7err(PKCS7_F_PKCS7_DATAINIT,
  251. PKCS7_R_CIPHER_NOT_INITIALIZED);
  252. goto err;
  253. }
  254. break;
  255. case NID_pkcs7_digest:
  256. xa = p7->d.digest->md;
  257. os = PKCS7_get_octet_string(p7->d.digest->contents);
  258. break;
  259. case NID_pkcs7_data:
  260. break;
  261. default:
  262. PKCS7err(PKCS7_F_PKCS7_DATAINIT,PKCS7_R_UNSUPPORTED_CONTENT_TYPE);
  263. goto err;
  264. }
  265. for (i=0; i<sk_X509_ALGOR_num(md_sk); i++)
  266. if (!PKCS7_bio_add_digest(&out, sk_X509_ALGOR_value(md_sk, i)))
  267. goto err;
  268. if (xa && !PKCS7_bio_add_digest(&out, xa))
  269. goto err;
  270. if (evp_cipher != NULL)
  271. {
  272. unsigned char key[EVP_MAX_KEY_LENGTH];
  273. unsigned char iv[EVP_MAX_IV_LENGTH];
  274. int keylen,ivlen;
  275. EVP_CIPHER_CTX *ctx;
  276. if ((btmp=BIO_new(BIO_f_cipher())) == NULL)
  277. {
  278. PKCS7err(PKCS7_F_PKCS7_DATAINIT,ERR_R_BIO_LIB);
  279. goto err;
  280. }
  281. BIO_get_cipher_ctx(btmp, &ctx);
  282. keylen=EVP_CIPHER_key_length(evp_cipher);
  283. ivlen=EVP_CIPHER_iv_length(evp_cipher);
  284. xalg->algorithm = OBJ_nid2obj(EVP_CIPHER_type(evp_cipher));
  285. if (ivlen > 0)
  286. if (RAND_pseudo_bytes(iv,ivlen) <= 0)
  287. goto err;
  288. if (EVP_CipherInit_ex(ctx, evp_cipher, NULL, NULL, NULL, 1)<=0)
  289. goto err;
  290. if (EVP_CIPHER_CTX_rand_key(ctx, key) <= 0)
  291. goto err;
  292. if (EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, 1) <= 0)
  293. goto err;
  294. if (ivlen > 0) {
  295. if (xalg->parameter == NULL) {
  296. xalg->parameter = ASN1_TYPE_new();
  297. if (xalg->parameter == NULL)
  298. goto err;
  299. }
  300. if(EVP_CIPHER_param_to_asn1(ctx, xalg->parameter) < 0)
  301. goto err;
  302. }
  303. /* Lets do the pub key stuff :-) */
  304. for (i=0; i<sk_PKCS7_RECIP_INFO_num(rsk); i++)
  305. {
  306. ri=sk_PKCS7_RECIP_INFO_value(rsk,i);
  307. if (pkcs7_encode_rinfo(ri, key, keylen) <= 0)
  308. goto err;
  309. }
  310. OPENSSL_cleanse(key, keylen);
  311. if (out == NULL)
  312. out=btmp;
  313. else
  314. BIO_push(out,btmp);
  315. btmp=NULL;
  316. }
  317. if (bio == NULL)
  318. {
  319. if (PKCS7_is_detached(p7))
  320. bio=BIO_new(BIO_s_null());
  321. else if (os && os->length > 0)
  322. bio = BIO_new_mem_buf(os->data, os->length);
  323. if(bio == NULL)
  324. {
  325. bio=BIO_new(BIO_s_mem());
  326. if (bio == NULL)
  327. goto err;
  328. BIO_set_mem_eof_return(bio,0);
  329. }
  330. }
  331. if (out)
  332. BIO_push(out,bio);
  333. else
  334. out = bio;
  335. bio=NULL;
  336. if (0)
  337. {
  338. err:
  339. if (out != NULL)
  340. BIO_free_all(out);
  341. if (btmp != NULL)
  342. BIO_free_all(btmp);
  343. out=NULL;
  344. }
  345. return(out);
  346. }
  347. static int pkcs7_cmp_ri(PKCS7_RECIP_INFO *ri, X509 *pcert)
  348. {
  349. int ret;
  350. ret = X509_NAME_cmp(ri->issuer_and_serial->issuer,
  351. pcert->cert_info->issuer);
  352. if (ret)
  353. return ret;
  354. return M_ASN1_INTEGER_cmp(pcert->cert_info->serialNumber,
  355. ri->issuer_and_serial->serial);
  356. }
  357. /* int */
  358. BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
  359. {
  360. int i,j;
  361. BIO *out=NULL,*btmp=NULL,*etmp=NULL,*bio=NULL;
  362. X509_ALGOR *xa;
  363. ASN1_OCTET_STRING *data_body=NULL;
  364. const EVP_MD *evp_md;
  365. const EVP_CIPHER *evp_cipher=NULL;
  366. EVP_CIPHER_CTX *evp_ctx=NULL;
  367. X509_ALGOR *enc_alg=NULL;
  368. STACK_OF(X509_ALGOR) *md_sk=NULL;
  369. STACK_OF(PKCS7_RECIP_INFO) *rsk=NULL;
  370. PKCS7_RECIP_INFO *ri=NULL;
  371. i=OBJ_obj2nid(p7->type);
  372. p7->state=PKCS7_S_HEADER;
  373. switch (i)
  374. {
  375. case NID_pkcs7_signed:
  376. data_body=PKCS7_get_octet_string(p7->d.sign->contents);
  377. md_sk=p7->d.sign->md_algs;
  378. break;
  379. case NID_pkcs7_signedAndEnveloped:
  380. rsk=p7->d.signed_and_enveloped->recipientinfo;
  381. md_sk=p7->d.signed_and_enveloped->md_algs;
  382. data_body=p7->d.signed_and_enveloped->enc_data->enc_data;
  383. enc_alg=p7->d.signed_and_enveloped->enc_data->algorithm;
  384. evp_cipher=EVP_get_cipherbyobj(enc_alg->algorithm);
  385. if (evp_cipher == NULL)
  386. {
  387. PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_UNSUPPORTED_CIPHER_TYPE);
  388. goto err;
  389. }
  390. break;
  391. case NID_pkcs7_enveloped:
  392. rsk=p7->d.enveloped->recipientinfo;
  393. enc_alg=p7->d.enveloped->enc_data->algorithm;
  394. data_body=p7->d.enveloped->enc_data->enc_data;
  395. evp_cipher=EVP_get_cipherbyobj(enc_alg->algorithm);
  396. if (evp_cipher == NULL)
  397. {
  398. PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_UNSUPPORTED_CIPHER_TYPE);
  399. goto err;
  400. }
  401. break;
  402. default:
  403. PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_UNSUPPORTED_CONTENT_TYPE);
  404. goto err;
  405. }
  406. /* We will be checking the signature */
  407. if (md_sk != NULL)
  408. {
  409. for (i=0; i<sk_X509_ALGOR_num(md_sk); i++)
  410. {
  411. xa=sk_X509_ALGOR_value(md_sk,i);
  412. if ((btmp=BIO_new(BIO_f_md())) == NULL)
  413. {
  414. PKCS7err(PKCS7_F_PKCS7_DATADECODE,ERR_R_BIO_LIB);
  415. goto err;
  416. }
  417. j=OBJ_obj2nid(xa->algorithm);
  418. evp_md=EVP_get_digestbynid(j);
  419. if (evp_md == NULL)
  420. {
  421. PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_UNKNOWN_DIGEST_TYPE);
  422. goto err;
  423. }
  424. BIO_set_md(btmp,evp_md);
  425. if (out == NULL)
  426. out=btmp;
  427. else
  428. BIO_push(out,btmp);
  429. btmp=NULL;
  430. }
  431. }
  432. if (evp_cipher != NULL)
  433. {
  434. #if 0
  435. unsigned char key[EVP_MAX_KEY_LENGTH];
  436. unsigned char iv[EVP_MAX_IV_LENGTH];
  437. unsigned char *p;
  438. int keylen,ivlen;
  439. int max;
  440. X509_OBJECT ret;
  441. #endif
  442. unsigned char *ek = NULL;
  443. int eklen;
  444. if ((etmp=BIO_new(BIO_f_cipher())) == NULL)
  445. {
  446. PKCS7err(PKCS7_F_PKCS7_DATADECODE,ERR_R_BIO_LIB);
  447. goto err;
  448. }
  449. /* It was encrypted, we need to decrypt the secret key
  450. * with the private key */
  451. /* Find the recipientInfo which matches the passed certificate
  452. * (if any)
  453. */
  454. if (pcert)
  455. {
  456. for (i=0; i<sk_PKCS7_RECIP_INFO_num(rsk); i++)
  457. {
  458. ri=sk_PKCS7_RECIP_INFO_value(rsk,i);
  459. if (!pkcs7_cmp_ri(ri, pcert))
  460. break;
  461. ri=NULL;
  462. }
  463. if (ri == NULL)
  464. {
  465. PKCS7err(PKCS7_F_PKCS7_DATADECODE,
  466. PKCS7_R_NO_RECIPIENT_MATCHES_CERTIFICATE);
  467. goto err;
  468. }
  469. }
  470. /* If we haven't got a certificate try each ri in turn */
  471. if (pcert == NULL)
  472. {
  473. for (i=0; i<sk_PKCS7_RECIP_INFO_num(rsk); i++)
  474. {
  475. ri=sk_PKCS7_RECIP_INFO_value(rsk,i);
  476. if (pkcs7_decrypt_rinfo(&ek, &eklen,
  477. ri, pkey) > 0)
  478. break;
  479. ERR_clear_error();
  480. ri = NULL;
  481. }
  482. if (ri == NULL)
  483. {
  484. PKCS7err(PKCS7_F_PKCS7_DATADECODE,
  485. PKCS7_R_NO_RECIPIENT_MATCHES_KEY);
  486. goto err;
  487. }
  488. }
  489. else
  490. {
  491. if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey) <= 0)
  492. goto err;
  493. }
  494. evp_ctx=NULL;
  495. BIO_get_cipher_ctx(etmp,&evp_ctx);
  496. if (EVP_CipherInit_ex(evp_ctx,evp_cipher,NULL,NULL,NULL,0) <= 0)
  497. goto err;
  498. if (EVP_CIPHER_asn1_to_param(evp_ctx,enc_alg->parameter) < 0)
  499. goto err;
  500. if (eklen != EVP_CIPHER_CTX_key_length(evp_ctx)) {
  501. /* Some S/MIME clients don't use the same key
  502. * and effective key length. The key length is
  503. * determined by the size of the decrypted RSA key.
  504. */
  505. if(!EVP_CIPHER_CTX_set_key_length(evp_ctx, eklen))
  506. {
  507. PKCS7err(PKCS7_F_PKCS7_DATADECODE,
  508. PKCS7_R_DECRYPTED_KEY_IS_WRONG_LENGTH);
  509. goto err;
  510. }
  511. }
  512. if (EVP_CipherInit_ex(evp_ctx,NULL,NULL,ek,NULL,0) <= 0)
  513. goto err;
  514. if (ek)
  515. {
  516. OPENSSL_cleanse(ek,eklen);
  517. OPENSSL_free(ek);
  518. }
  519. if (out == NULL)
  520. out=etmp;
  521. else
  522. BIO_push(out,etmp);
  523. etmp=NULL;
  524. }
  525. #if 1
  526. if (PKCS7_is_detached(p7) || (in_bio != NULL))
  527. {
  528. bio=in_bio;
  529. }
  530. else
  531. {
  532. #if 0
  533. bio=BIO_new(BIO_s_mem());
  534. /* We need to set this so that when we have read all
  535. * the data, the encrypt BIO, if present, will read
  536. * EOF and encode the last few bytes */
  537. BIO_set_mem_eof_return(bio,0);
  538. if (data_body->length > 0)
  539. BIO_write(bio,(char *)data_body->data,data_body->length);
  540. #else
  541. if (data_body->length > 0)
  542. bio = BIO_new_mem_buf(data_body->data,data_body->length);
  543. else {
  544. bio=BIO_new(BIO_s_mem());
  545. BIO_set_mem_eof_return(bio,0);
  546. }
  547. if (bio == NULL)
  548. goto err;
  549. #endif
  550. }
  551. BIO_push(out,bio);
  552. bio=NULL;
  553. #endif
  554. if (0)
  555. {
  556. err:
  557. if (out != NULL) BIO_free_all(out);
  558. if (btmp != NULL) BIO_free_all(btmp);
  559. if (etmp != NULL) BIO_free_all(etmp);
  560. if (bio != NULL) BIO_free_all(bio);
  561. out=NULL;
  562. }
  563. return(out);
  564. }
  565. static BIO *PKCS7_find_digest(EVP_MD_CTX **pmd, BIO *bio, int nid)
  566. {
  567. for (;;)
  568. {
  569. bio=BIO_find_type(bio,BIO_TYPE_MD);
  570. if (bio == NULL)
  571. {
  572. PKCS7err(PKCS7_F_PKCS7_FIND_DIGEST,PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST);
  573. return NULL;
  574. }
  575. BIO_get_md_ctx(bio,pmd);
  576. if (*pmd == NULL)
  577. {
  578. PKCS7err(PKCS7_F_PKCS7_FIND_DIGEST,ERR_R_INTERNAL_ERROR);
  579. return NULL;
  580. }
  581. if (EVP_MD_CTX_type(*pmd) == nid)
  582. return bio;
  583. bio=BIO_next(bio);
  584. }
  585. return NULL;
  586. }
  587. static int do_pkcs7_signed_attrib(PKCS7_SIGNER_INFO *si, EVP_MD_CTX *mctx)
  588. {
  589. unsigned char md_data[EVP_MAX_MD_SIZE];
  590. unsigned int md_len;
  591. /* Add signing time if not already present */
  592. if (!PKCS7_get_signed_attribute(si, NID_pkcs9_signingTime))
  593. {
  594. if (!PKCS7_add0_attrib_signing_time(si, NULL))
  595. {
  596. PKCS7err(PKCS7_F_DO_PKCS7_SIGNED_ATTRIB,
  597. ERR_R_MALLOC_FAILURE);
  598. return 0;
  599. }
  600. }
  601. /* Add digest */
  602. if (!EVP_DigestFinal_ex(mctx, md_data,&md_len))
  603. {
  604. PKCS7err(PKCS7_F_DO_PKCS7_SIGNED_ATTRIB, ERR_R_EVP_LIB);
  605. return 0;
  606. }
  607. if (!PKCS7_add1_attrib_digest(si, md_data, md_len))
  608. {
  609. PKCS7err(PKCS7_F_DO_PKCS7_SIGNED_ATTRIB, ERR_R_MALLOC_FAILURE);
  610. return 0;
  611. }
  612. /* Now sign the attributes */
  613. if (!PKCS7_SIGNER_INFO_sign(si))
  614. return 0;
  615. return 1;
  616. }
  617. int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
  618. {
  619. int ret=0;
  620. int i,j;
  621. BIO *btmp;
  622. PKCS7_SIGNER_INFO *si;
  623. EVP_MD_CTX *mdc,ctx_tmp;
  624. STACK_OF(X509_ATTRIBUTE) *sk;
  625. STACK_OF(PKCS7_SIGNER_INFO) *si_sk=NULL;
  626. ASN1_OCTET_STRING *os=NULL;
  627. EVP_MD_CTX_init(&ctx_tmp);
  628. i=OBJ_obj2nid(p7->type);
  629. p7->state=PKCS7_S_HEADER;
  630. switch (i)
  631. {
  632. case NID_pkcs7_data:
  633. os = p7->d.data;
  634. break;
  635. case NID_pkcs7_signedAndEnveloped:
  636. /* XXXXXXXXXXXXXXXX */
  637. si_sk=p7->d.signed_and_enveloped->signer_info;
  638. os = p7->d.signed_and_enveloped->enc_data->enc_data;
  639. if (!os)
  640. {
  641. os=M_ASN1_OCTET_STRING_new();
  642. if (!os)
  643. {
  644. PKCS7err(PKCS7_F_PKCS7_DATAFINAL,ERR_R_MALLOC_FAILURE);
  645. goto err;
  646. }
  647. p7->d.signed_and_enveloped->enc_data->enc_data=os;
  648. }
  649. break;
  650. case NID_pkcs7_enveloped:
  651. /* XXXXXXXXXXXXXXXX */
  652. os = p7->d.enveloped->enc_data->enc_data;
  653. if (!os)
  654. {
  655. os=M_ASN1_OCTET_STRING_new();
  656. if (!os)
  657. {
  658. PKCS7err(PKCS7_F_PKCS7_DATAFINAL,ERR_R_MALLOC_FAILURE);
  659. goto err;
  660. }
  661. p7->d.enveloped->enc_data->enc_data=os;
  662. }
  663. break;
  664. case NID_pkcs7_signed:
  665. si_sk=p7->d.sign->signer_info;
  666. os=PKCS7_get_octet_string(p7->d.sign->contents);
  667. /* If detached data then the content is excluded */
  668. if(PKCS7_type_is_data(p7->d.sign->contents) && p7->detached) {
  669. M_ASN1_OCTET_STRING_free(os);
  670. p7->d.sign->contents->d.data = NULL;
  671. }
  672. break;
  673. case NID_pkcs7_digest:
  674. os=PKCS7_get_octet_string(p7->d.digest->contents);
  675. /* If detached data then the content is excluded */
  676. if(PKCS7_type_is_data(p7->d.digest->contents) && p7->detached)
  677. {
  678. M_ASN1_OCTET_STRING_free(os);
  679. p7->d.digest->contents->d.data = NULL;
  680. }
  681. break;
  682. default:
  683. PKCS7err(PKCS7_F_PKCS7_DATAFINAL,PKCS7_R_UNSUPPORTED_CONTENT_TYPE);
  684. goto err;
  685. }
  686. if (si_sk != NULL)
  687. {
  688. for (i=0; i<sk_PKCS7_SIGNER_INFO_num(si_sk); i++)
  689. {
  690. si=sk_PKCS7_SIGNER_INFO_value(si_sk,i);
  691. if (si->pkey == NULL)
  692. continue;
  693. j = OBJ_obj2nid(si->digest_alg->algorithm);
  694. btmp=bio;
  695. btmp = PKCS7_find_digest(&mdc, btmp, j);
  696. if (btmp == NULL)
  697. goto err;
  698. /* We now have the EVP_MD_CTX, lets do the
  699. * signing. */
  700. if (!EVP_MD_CTX_copy_ex(&ctx_tmp,mdc))
  701. goto err;
  702. sk=si->auth_attr;
  703. /* If there are attributes, we add the digest
  704. * attribute and only sign the attributes */
  705. if (sk_X509_ATTRIBUTE_num(sk) > 0)
  706. {
  707. if (!do_pkcs7_signed_attrib(si, &ctx_tmp))
  708. goto err;
  709. }
  710. else
  711. {
  712. unsigned char *abuf = NULL;
  713. unsigned int abuflen;
  714. abuflen = EVP_PKEY_size(si->pkey);
  715. abuf = OPENSSL_malloc(abuflen);
  716. if (!abuf)
  717. goto err;
  718. if (!EVP_SignFinal(&ctx_tmp, abuf, &abuflen,
  719. si->pkey))
  720. {
  721. PKCS7err(PKCS7_F_PKCS7_DATAFINAL,
  722. ERR_R_EVP_LIB);
  723. goto err;
  724. }
  725. ASN1_STRING_set0(si->enc_digest, abuf, abuflen);
  726. }
  727. }
  728. }
  729. else if (i == NID_pkcs7_digest)
  730. {
  731. unsigned char md_data[EVP_MAX_MD_SIZE];
  732. unsigned int md_len;
  733. if (!PKCS7_find_digest(&mdc, bio,
  734. OBJ_obj2nid(p7->d.digest->md->algorithm)))
  735. goto err;
  736. if (!EVP_DigestFinal_ex(mdc,md_data,&md_len))
  737. goto err;
  738. M_ASN1_OCTET_STRING_set(p7->d.digest->digest, md_data, md_len);
  739. }
  740. if (!PKCS7_is_detached(p7) && !(os->flags & ASN1_STRING_FLAG_NDEF))
  741. {
  742. char *cont;
  743. long contlen;
  744. btmp=BIO_find_type(bio,BIO_TYPE_MEM);
  745. if (btmp == NULL)
  746. {
  747. PKCS7err(PKCS7_F_PKCS7_DATAFINAL,PKCS7_R_UNABLE_TO_FIND_MEM_BIO);
  748. goto err;
  749. }
  750. contlen = BIO_get_mem_data(btmp, &cont);
  751. /* Mark the BIO read only then we can use its copy of the data
  752. * instead of making an extra copy.
  753. */
  754. BIO_set_flags(btmp, BIO_FLAGS_MEM_RDONLY);
  755. BIO_set_mem_eof_return(btmp, 0);
  756. ASN1_STRING_set0(os, (unsigned char *)cont, contlen);
  757. }
  758. ret=1;
  759. err:
  760. EVP_MD_CTX_cleanup(&ctx_tmp);
  761. return(ret);
  762. }
  763. int PKCS7_SIGNER_INFO_sign(PKCS7_SIGNER_INFO *si)
  764. {
  765. EVP_MD_CTX mctx;
  766. EVP_PKEY_CTX *pctx;
  767. unsigned char *abuf = NULL;
  768. int alen;
  769. size_t siglen;
  770. const EVP_MD *md = NULL;
  771. md = EVP_get_digestbyobj(si->digest_alg->algorithm);
  772. if (md == NULL)
  773. return 0;
  774. EVP_MD_CTX_init(&mctx);
  775. if (EVP_DigestSignInit(&mctx, &pctx, md,NULL, si->pkey) <= 0)
  776. goto err;
  777. if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN,
  778. EVP_PKEY_CTRL_PKCS7_SIGN, 0, si) <= 0)
  779. {
  780. PKCS7err(PKCS7_F_PKCS7_SIGNER_INFO_SIGN, PKCS7_R_CTRL_ERROR);
  781. goto err;
  782. }
  783. alen = ASN1_item_i2d((ASN1_VALUE *)si->auth_attr,&abuf,
  784. ASN1_ITEM_rptr(PKCS7_ATTR_SIGN));
  785. if(!abuf)
  786. goto err;
  787. if (EVP_DigestSignUpdate(&mctx,abuf,alen) <= 0)
  788. goto err;
  789. OPENSSL_free(abuf);
  790. if (EVP_DigestSignFinal(&mctx, NULL, &siglen) <= 0)
  791. goto err;
  792. abuf = OPENSSL_malloc(siglen);
  793. if(!abuf)
  794. goto err;
  795. if (EVP_DigestSignFinal(&mctx, abuf, &siglen) <= 0)
  796. goto err;
  797. if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN,
  798. EVP_PKEY_CTRL_PKCS7_SIGN, 1, si) <= 0)
  799. {
  800. PKCS7err(PKCS7_F_PKCS7_SIGNER_INFO_SIGN, PKCS7_R_CTRL_ERROR);
  801. goto err;
  802. }
  803. EVP_MD_CTX_cleanup(&mctx);
  804. ASN1_STRING_set0(si->enc_digest, abuf, siglen);
  805. return 1;
  806. err:
  807. if (abuf)
  808. OPENSSL_free(abuf);
  809. EVP_MD_CTX_cleanup(&mctx);
  810. return 0;
  811. }
  812. int PKCS7_dataVerify(X509_STORE *cert_store, X509_STORE_CTX *ctx, BIO *bio,
  813. PKCS7 *p7, PKCS7_SIGNER_INFO *si)
  814. {
  815. PKCS7_ISSUER_AND_SERIAL *ias;
  816. int ret=0,i;
  817. STACK_OF(X509) *cert;
  818. X509 *x509;
  819. if (PKCS7_type_is_signed(p7))
  820. {
  821. cert=p7->d.sign->cert;
  822. }
  823. else if (PKCS7_type_is_signedAndEnveloped(p7))
  824. {
  825. cert=p7->d.signed_and_enveloped->cert;
  826. }
  827. else
  828. {
  829. PKCS7err(PKCS7_F_PKCS7_DATAVERIFY,PKCS7_R_WRONG_PKCS7_TYPE);
  830. goto err;
  831. }
  832. /* XXXXXXXXXXXXXXXXXXXXXXX */
  833. ias=si->issuer_and_serial;
  834. x509=X509_find_by_issuer_and_serial(cert,ias->issuer,ias->serial);
  835. /* were we able to find the cert in passed to us */
  836. if (x509 == NULL)
  837. {
  838. PKCS7err(PKCS7_F_PKCS7_DATAVERIFY,PKCS7_R_UNABLE_TO_FIND_CERTIFICATE);
  839. goto err;
  840. }
  841. /* Lets verify */
  842. if(!X509_STORE_CTX_init(ctx,cert_store,x509,cert))
  843. {
  844. PKCS7err(PKCS7_F_PKCS7_DATAVERIFY,ERR_R_X509_LIB);
  845. goto err;
  846. }
  847. X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_SMIME_SIGN);
  848. i=X509_verify_cert(ctx);
  849. if (i <= 0)
  850. {
  851. PKCS7err(PKCS7_F_PKCS7_DATAVERIFY,ERR_R_X509_LIB);
  852. X509_STORE_CTX_cleanup(ctx);
  853. goto err;
  854. }
  855. X509_STORE_CTX_cleanup(ctx);
  856. return PKCS7_signatureVerify(bio, p7, si, x509);
  857. err:
  858. return ret;
  859. }
  860. int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si,
  861. X509 *x509)
  862. {
  863. ASN1_OCTET_STRING *os;
  864. EVP_MD_CTX mdc_tmp,*mdc;
  865. int ret=0,i;
  866. int md_type;
  867. STACK_OF(X509_ATTRIBUTE) *sk;
  868. BIO *btmp;
  869. EVP_PKEY *pkey;
  870. EVP_MD_CTX_init(&mdc_tmp);
  871. if (!PKCS7_type_is_signed(p7) &&
  872. !PKCS7_type_is_signedAndEnveloped(p7)) {
  873. PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY,
  874. PKCS7_R_WRONG_PKCS7_TYPE);
  875. goto err;
  876. }
  877. md_type=OBJ_obj2nid(si->digest_alg->algorithm);
  878. btmp=bio;
  879. for (;;)
  880. {
  881. if ((btmp == NULL) ||
  882. ((btmp=BIO_find_type(btmp,BIO_TYPE_MD)) == NULL))
  883. {
  884. PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY,
  885. PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST);
  886. goto err;
  887. }
  888. BIO_get_md_ctx(btmp,&mdc);
  889. if (mdc == NULL)
  890. {
  891. PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY,
  892. ERR_R_INTERNAL_ERROR);
  893. goto err;
  894. }
  895. if (EVP_MD_CTX_type(mdc) == md_type)
  896. break;
  897. /* Workaround for some broken clients that put the signature
  898. * OID instead of the digest OID in digest_alg->algorithm
  899. */
  900. if (EVP_MD_pkey_type(EVP_MD_CTX_md(mdc)) == md_type)
  901. break;
  902. btmp=BIO_next(btmp);
  903. }
  904. /* mdc is the digest ctx that we want, unless there are attributes,
  905. * in which case the digest is the signed attributes */
  906. if (!EVP_MD_CTX_copy_ex(&mdc_tmp,mdc))
  907. goto err;
  908. sk=si->auth_attr;
  909. if ((sk != NULL) && (sk_X509_ATTRIBUTE_num(sk) != 0))
  910. {
  911. unsigned char md_dat[EVP_MAX_MD_SIZE], *abuf = NULL;
  912. unsigned int md_len;
  913. int alen;
  914. ASN1_OCTET_STRING *message_digest;
  915. if (!EVP_DigestFinal_ex(&mdc_tmp,md_dat,&md_len))
  916. goto err;
  917. message_digest=PKCS7_digest_from_attributes(sk);
  918. if (!message_digest)
  919. {
  920. PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY,
  921. PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST);
  922. goto err;
  923. }
  924. if ((message_digest->length != (int)md_len) ||
  925. (memcmp(message_digest->data,md_dat,md_len)))
  926. {
  927. #if 0
  928. {
  929. int ii;
  930. for (ii=0; ii<message_digest->length; ii++)
  931. printf("%02X",message_digest->data[ii]); printf(" sent\n");
  932. for (ii=0; ii<md_len; ii++) printf("%02X",md_dat[ii]); printf(" calc\n");
  933. }
  934. #endif
  935. PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY,
  936. PKCS7_R_DIGEST_FAILURE);
  937. ret= -1;
  938. goto err;
  939. }
  940. if (!EVP_VerifyInit_ex(&mdc_tmp,EVP_get_digestbynid(md_type), NULL))
  941. goto err;
  942. alen = ASN1_item_i2d((ASN1_VALUE *)sk, &abuf,
  943. ASN1_ITEM_rptr(PKCS7_ATTR_VERIFY));
  944. if (alen <= 0)
  945. {
  946. PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY,ERR_R_ASN1_LIB);
  947. ret = -1;
  948. goto err;
  949. }
  950. if (!EVP_VerifyUpdate(&mdc_tmp, abuf, alen))
  951. goto err;
  952. OPENSSL_free(abuf);
  953. }
  954. os=si->enc_digest;
  955. pkey = X509_get_pubkey(x509);
  956. if (!pkey)
  957. {
  958. ret = -1;
  959. goto err;
  960. }
  961. i=EVP_VerifyFinal(&mdc_tmp,os->data,os->length, pkey);
  962. EVP_PKEY_free(pkey);
  963. if (i <= 0)
  964. {
  965. PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY,
  966. PKCS7_R_SIGNATURE_FAILURE);
  967. ret= -1;
  968. goto err;
  969. }
  970. else
  971. ret=1;
  972. err:
  973. EVP_MD_CTX_cleanup(&mdc_tmp);
  974. return(ret);
  975. }
  976. PKCS7_ISSUER_AND_SERIAL *PKCS7_get_issuer_and_serial(PKCS7 *p7, int idx)
  977. {
  978. STACK_OF(PKCS7_RECIP_INFO) *rsk;
  979. PKCS7_RECIP_INFO *ri;
  980. int i;
  981. i=OBJ_obj2nid(p7->type);
  982. if (i != NID_pkcs7_signedAndEnveloped)
  983. return NULL;
  984. if (p7->d.signed_and_enveloped == NULL)
  985. return NULL;
  986. rsk=p7->d.signed_and_enveloped->recipientinfo;
  987. if (rsk == NULL)
  988. return NULL;
  989. ri=sk_PKCS7_RECIP_INFO_value(rsk,0);
  990. if (sk_PKCS7_RECIP_INFO_num(rsk) <= idx) return(NULL);
  991. ri=sk_PKCS7_RECIP_INFO_value(rsk,idx);
  992. return(ri->issuer_and_serial);
  993. }
  994. ASN1_TYPE *PKCS7_get_signed_attribute(PKCS7_SIGNER_INFO *si, int nid)
  995. {
  996. return(get_attribute(si->auth_attr,nid));
  997. }
  998. ASN1_TYPE *PKCS7_get_attribute(PKCS7_SIGNER_INFO *si, int nid)
  999. {
  1000. return(get_attribute(si->unauth_attr,nid));
  1001. }
  1002. static ASN1_TYPE *get_attribute(STACK_OF(X509_ATTRIBUTE) *sk, int nid)
  1003. {
  1004. int i;
  1005. X509_ATTRIBUTE *xa;
  1006. ASN1_OBJECT *o;
  1007. o=OBJ_nid2obj(nid);
  1008. if (!o || !sk) return(NULL);
  1009. for (i=0; i<sk_X509_ATTRIBUTE_num(sk); i++)
  1010. {
  1011. xa=sk_X509_ATTRIBUTE_value(sk,i);
  1012. if (OBJ_cmp(xa->object,o) == 0)
  1013. {
  1014. if (!xa->single && sk_ASN1_TYPE_num(xa->value.set))
  1015. return(sk_ASN1_TYPE_value(xa->value.set,0));
  1016. else
  1017. return(NULL);
  1018. }
  1019. }
  1020. return(NULL);
  1021. }
  1022. ASN1_OCTET_STRING *PKCS7_digest_from_attributes(STACK_OF(X509_ATTRIBUTE) *sk)
  1023. {
  1024. ASN1_TYPE *astype;
  1025. if(!(astype = get_attribute(sk, NID_pkcs9_messageDigest))) return NULL;
  1026. return astype->value.octet_string;
  1027. }
  1028. int PKCS7_set_signed_attributes(PKCS7_SIGNER_INFO *p7si,
  1029. STACK_OF(X509_ATTRIBUTE) *sk)
  1030. {
  1031. int i;
  1032. if (p7si->auth_attr != NULL)
  1033. sk_X509_ATTRIBUTE_pop_free(p7si->auth_attr,X509_ATTRIBUTE_free);
  1034. p7si->auth_attr=sk_X509_ATTRIBUTE_dup(sk);
  1035. if (p7si->auth_attr == NULL)
  1036. return 0;
  1037. for (i=0; i<sk_X509_ATTRIBUTE_num(sk); i++)
  1038. {
  1039. if ((sk_X509_ATTRIBUTE_set(p7si->auth_attr,i,
  1040. X509_ATTRIBUTE_dup(sk_X509_ATTRIBUTE_value(sk,i))))
  1041. == NULL)
  1042. return(0);
  1043. }
  1044. return(1);
  1045. }
  1046. int PKCS7_set_attributes(PKCS7_SIGNER_INFO *p7si, STACK_OF(X509_ATTRIBUTE) *sk)
  1047. {
  1048. int i;
  1049. if (p7si->unauth_attr != NULL)
  1050. sk_X509_ATTRIBUTE_pop_free(p7si->unauth_attr,
  1051. X509_ATTRIBUTE_free);
  1052. p7si->unauth_attr=sk_X509_ATTRIBUTE_dup(sk);
  1053. if (p7si->unauth_attr == NULL)
  1054. return 0;
  1055. for (i=0; i<sk_X509_ATTRIBUTE_num(sk); i++)
  1056. {
  1057. if ((sk_X509_ATTRIBUTE_set(p7si->unauth_attr,i,
  1058. X509_ATTRIBUTE_dup(sk_X509_ATTRIBUTE_value(sk,i))))
  1059. == NULL)
  1060. return(0);
  1061. }
  1062. return(1);
  1063. }
  1064. int PKCS7_add_signed_attribute(PKCS7_SIGNER_INFO *p7si, int nid, int atrtype,
  1065. void *value)
  1066. {
  1067. return(add_attribute(&(p7si->auth_attr),nid,atrtype,value));
  1068. }
  1069. int PKCS7_add_attribute(PKCS7_SIGNER_INFO *p7si, int nid, int atrtype,
  1070. void *value)
  1071. {
  1072. return(add_attribute(&(p7si->unauth_attr),nid,atrtype,value));
  1073. }
  1074. static int add_attribute(STACK_OF(X509_ATTRIBUTE) **sk, int nid, int atrtype,
  1075. void *value)
  1076. {
  1077. X509_ATTRIBUTE *attr=NULL;
  1078. if (*sk == NULL)
  1079. {
  1080. *sk = sk_X509_ATTRIBUTE_new_null();
  1081. if (*sk == NULL)
  1082. return 0;
  1083. new_attrib:
  1084. if (!(attr=X509_ATTRIBUTE_create(nid,atrtype,value)))
  1085. return 0;
  1086. if (!sk_X509_ATTRIBUTE_push(*sk,attr))
  1087. {
  1088. X509_ATTRIBUTE_free(attr);
  1089. return 0;
  1090. }
  1091. }
  1092. else
  1093. {
  1094. int i;
  1095. for (i=0; i<sk_X509_ATTRIBUTE_num(*sk); i++)
  1096. {
  1097. attr=sk_X509_ATTRIBUTE_value(*sk,i);
  1098. if (OBJ_obj2nid(attr->object) == nid)
  1099. {
  1100. X509_ATTRIBUTE_free(attr);
  1101. attr=X509_ATTRIBUTE_create(nid,atrtype,value);
  1102. if (attr == NULL)
  1103. return 0;
  1104. if (!sk_X509_ATTRIBUTE_set(*sk,i,attr))
  1105. {
  1106. X509_ATTRIBUTE_free(attr);
  1107. return 0;
  1108. }
  1109. goto end;
  1110. }
  1111. }
  1112. goto new_attrib;
  1113. }
  1114. end:
  1115. return(1);
  1116. }