summaryrefslogtreecommitdiff
path: root/src/lib/libcrypto/cms/cms_sd.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libcrypto/cms/cms_sd.c')
-rw-r--r--src/lib/libcrypto/cms/cms_sd.c1488
1 files changed, 744 insertions, 744 deletions
diff --git a/src/lib/libcrypto/cms/cms_sd.c b/src/lib/libcrypto/cms/cms_sd.c
index b5b6dc4e67..57a92b59e3 100644
--- a/src/lib/libcrypto/cms/cms_sd.c
+++ b/src/lib/libcrypto/cms/cms_sd.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: cms_sd.c,v 1.15 2019/08/10 16:39:17 jsing Exp $ */ 1/* $OpenBSD: cms_sd.c,v 1.16 2019/08/10 16:42:20 jsing Exp $ */
2/* 2/*
3 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 3 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
4 * project. 4 * project.
@@ -67,90 +67,90 @@
67 67
68static CMS_SignedData *cms_get0_signed(CMS_ContentInfo *cms) 68static CMS_SignedData *cms_get0_signed(CMS_ContentInfo *cms)
69{ 69{
70 if (OBJ_obj2nid(cms->contentType) != NID_pkcs7_signed) { 70 if (OBJ_obj2nid(cms->contentType) != NID_pkcs7_signed) {
71 CMSerr(CMS_F_CMS_GET0_SIGNED, CMS_R_CONTENT_TYPE_NOT_SIGNED_DATA); 71 CMSerr(CMS_F_CMS_GET0_SIGNED, CMS_R_CONTENT_TYPE_NOT_SIGNED_DATA);
72 return NULL; 72 return NULL;
73 } 73 }
74 return cms->d.signedData; 74 return cms->d.signedData;
75} 75}
76 76
77static CMS_SignedData *cms_signed_data_init(CMS_ContentInfo *cms) 77static CMS_SignedData *cms_signed_data_init(CMS_ContentInfo *cms)
78{ 78{
79 if (cms->d.other == NULL) { 79 if (cms->d.other == NULL) {
80 cms->d.signedData = M_ASN1_new_of(CMS_SignedData); 80 cms->d.signedData = M_ASN1_new_of(CMS_SignedData);
81 if (!cms->d.signedData) { 81 if (!cms->d.signedData) {
82 CMSerr(CMS_F_CMS_SIGNED_DATA_INIT, ERR_R_MALLOC_FAILURE); 82 CMSerr(CMS_F_CMS_SIGNED_DATA_INIT, ERR_R_MALLOC_FAILURE);
83 return NULL; 83 return NULL;
84 } 84 }
85 cms->d.signedData->version = 1; 85 cms->d.signedData->version = 1;
86 cms->d.signedData->encapContentInfo->eContentType = 86 cms->d.signedData->encapContentInfo->eContentType =
87 OBJ_nid2obj(NID_pkcs7_data); 87 OBJ_nid2obj(NID_pkcs7_data);
88 cms->d.signedData->encapContentInfo->partial = 1; 88 cms->d.signedData->encapContentInfo->partial = 1;
89 ASN1_OBJECT_free(cms->contentType); 89 ASN1_OBJECT_free(cms->contentType);
90 cms->contentType = OBJ_nid2obj(NID_pkcs7_signed); 90 cms->contentType = OBJ_nid2obj(NID_pkcs7_signed);
91 return cms->d.signedData; 91 return cms->d.signedData;
92 } 92 }
93 return cms_get0_signed(cms); 93 return cms_get0_signed(cms);
94} 94}
95 95
96/* Just initialise SignedData e.g. for certs only structure */ 96/* Just initialise SignedData e.g. for certs only structure */
97 97
98int CMS_SignedData_init(CMS_ContentInfo *cms) 98int CMS_SignedData_init(CMS_ContentInfo *cms)
99{ 99{
100 if (cms_signed_data_init(cms)) 100 if (cms_signed_data_init(cms))
101 return 1; 101 return 1;
102 else 102 else
103 return 0; 103 return 0;
104} 104}
105 105
106/* Check structures and fixup version numbers (if necessary) */ 106/* Check structures and fixup version numbers (if necessary) */
107 107
108static void cms_sd_set_version(CMS_SignedData *sd) 108static void cms_sd_set_version(CMS_SignedData *sd)
109{ 109{
110 int i; 110 int i;
111 CMS_CertificateChoices *cch; 111 CMS_CertificateChoices *cch;
112 CMS_RevocationInfoChoice *rch; 112 CMS_RevocationInfoChoice *rch;
113 CMS_SignerInfo *si; 113 CMS_SignerInfo *si;
114 114
115 for (i = 0; i < sk_CMS_CertificateChoices_num(sd->certificates); i++) { 115 for (i = 0; i < sk_CMS_CertificateChoices_num(sd->certificates); i++) {
116 cch = sk_CMS_CertificateChoices_value(sd->certificates, i); 116 cch = sk_CMS_CertificateChoices_value(sd->certificates, i);
117 if (cch->type == CMS_CERTCHOICE_OTHER) { 117 if (cch->type == CMS_CERTCHOICE_OTHER) {
118 if (sd->version < 5) 118 if (sd->version < 5)
119 sd->version = 5; 119 sd->version = 5;
120 } else if (cch->type == CMS_CERTCHOICE_V2ACERT) { 120 } else if (cch->type == CMS_CERTCHOICE_V2ACERT) {
121 if (sd->version < 4) 121 if (sd->version < 4)
122 sd->version = 4; 122 sd->version = 4;
123 } else if (cch->type == CMS_CERTCHOICE_V1ACERT) { 123 } else if (cch->type == CMS_CERTCHOICE_V1ACERT) {
124 if (sd->version < 3) 124 if (sd->version < 3)
125 sd->version = 3; 125 sd->version = 3;
126 } 126 }
127 } 127 }
128 128
129 for (i = 0; i < sk_CMS_RevocationInfoChoice_num(sd->crls); i++) { 129 for (i = 0; i < sk_CMS_RevocationInfoChoice_num(sd->crls); i++) {
130 rch = sk_CMS_RevocationInfoChoice_value(sd->crls, i); 130 rch = sk_CMS_RevocationInfoChoice_value(sd->crls, i);
131 if (rch->type == CMS_REVCHOICE_OTHER) { 131 if (rch->type == CMS_REVCHOICE_OTHER) {
132 if (sd->version < 5) 132 if (sd->version < 5)
133 sd->version = 5; 133 sd->version = 5;
134 } 134 }
135 } 135 }
136 136
137 if ((OBJ_obj2nid(sd->encapContentInfo->eContentType) != NID_pkcs7_data) 137 if ((OBJ_obj2nid(sd->encapContentInfo->eContentType) != NID_pkcs7_data)
138 && (sd->version < 3)) 138 && (sd->version < 3))
139 sd->version = 3; 139 sd->version = 3;
140 140
141 for (i = 0; i < sk_CMS_SignerInfo_num(sd->signerInfos); i++) { 141 for (i = 0; i < sk_CMS_SignerInfo_num(sd->signerInfos); i++) {
142 si = sk_CMS_SignerInfo_value(sd->signerInfos, i); 142 si = sk_CMS_SignerInfo_value(sd->signerInfos, i);
143 if (si->sid->type == CMS_SIGNERINFO_KEYIDENTIFIER) { 143 if (si->sid->type == CMS_SIGNERINFO_KEYIDENTIFIER) {
144 if (si->version < 3) 144 if (si->version < 3)
145 si->version = 3; 145 si->version = 3;
146 if (sd->version < 3) 146 if (sd->version < 3)
147 sd->version = 3; 147 sd->version = 3;
148 } else if (si->version < 1) 148 } else if (si->version < 1)
149 si->version = 1; 149 si->version = 1;
150 } 150 }
151 151
152 if (sd->version < 1) 152 if (sd->version < 1)
153 sd->version = 1; 153 sd->version = 1;
154 154
155} 155}
156 156
@@ -158,814 +158,814 @@ static void cms_sd_set_version(CMS_SignedData *sd)
158 158
159static int cms_copy_messageDigest(CMS_ContentInfo *cms, CMS_SignerInfo *si) 159static int cms_copy_messageDigest(CMS_ContentInfo *cms, CMS_SignerInfo *si)
160{ 160{
161 STACK_OF(CMS_SignerInfo) *sinfos; 161 STACK_OF(CMS_SignerInfo) *sinfos;
162 CMS_SignerInfo *sitmp; 162 CMS_SignerInfo *sitmp;
163 int i; 163 int i;
164 sinfos = CMS_get0_SignerInfos(cms); 164 sinfos = CMS_get0_SignerInfos(cms);
165 for (i = 0; i < sk_CMS_SignerInfo_num(sinfos); i++) { 165 for (i = 0; i < sk_CMS_SignerInfo_num(sinfos); i++) {
166 ASN1_OCTET_STRING *messageDigest; 166 ASN1_OCTET_STRING *messageDigest;
167 sitmp = sk_CMS_SignerInfo_value(sinfos, i); 167 sitmp = sk_CMS_SignerInfo_value(sinfos, i);
168 if (sitmp == si) 168 if (sitmp == si)
169 continue; 169 continue;
170 if (CMS_signed_get_attr_count(sitmp) < 0) 170 if (CMS_signed_get_attr_count(sitmp) < 0)
171 continue; 171 continue;
172 if (OBJ_cmp(si->digestAlgorithm->algorithm, 172 if (OBJ_cmp(si->digestAlgorithm->algorithm,
173 sitmp->digestAlgorithm->algorithm)) 173 sitmp->digestAlgorithm->algorithm))
174 continue; 174 continue;
175 messageDigest = CMS_signed_get0_data_by_OBJ(sitmp, 175 messageDigest = CMS_signed_get0_data_by_OBJ(sitmp,
176 OBJ_nid2obj 176 OBJ_nid2obj
177 (NID_pkcs9_messageDigest), 177 (NID_pkcs9_messageDigest),
178 -3, V_ASN1_OCTET_STRING); 178 -3, V_ASN1_OCTET_STRING);
179 if (!messageDigest) { 179 if (!messageDigest) {
180 CMSerr(CMS_F_CMS_COPY_MESSAGEDIGEST, 180 CMSerr(CMS_F_CMS_COPY_MESSAGEDIGEST,
181 CMS_R_ERROR_READING_MESSAGEDIGEST_ATTRIBUTE); 181 CMS_R_ERROR_READING_MESSAGEDIGEST_ATTRIBUTE);
182 return 0; 182 return 0;
183 } 183 }
184 184
185 if (CMS_signed_add1_attr_by_NID(si, NID_pkcs9_messageDigest, 185 if (CMS_signed_add1_attr_by_NID(si, NID_pkcs9_messageDigest,
186 V_ASN1_OCTET_STRING, 186 V_ASN1_OCTET_STRING,
187 messageDigest, -1)) 187 messageDigest, -1))
188 return 1; 188 return 1;
189 else 189 else
190 return 0; 190 return 0;
191 } 191 }
192 CMSerr(CMS_F_CMS_COPY_MESSAGEDIGEST, CMS_R_NO_MATCHING_DIGEST); 192 CMSerr(CMS_F_CMS_COPY_MESSAGEDIGEST, CMS_R_NO_MATCHING_DIGEST);
193 return 0; 193 return 0;
194} 194}
195 195
196int cms_set1_SignerIdentifier(CMS_SignerIdentifier *sid, X509 *cert, int type) 196int cms_set1_SignerIdentifier(CMS_SignerIdentifier *sid, X509 *cert, int type)
197{ 197{
198 switch (type) { 198 switch (type) {
199 case CMS_SIGNERINFO_ISSUER_SERIAL: 199 case CMS_SIGNERINFO_ISSUER_SERIAL:
200 if (!cms_set1_ias(&sid->d.issuerAndSerialNumber, cert)) 200 if (!cms_set1_ias(&sid->d.issuerAndSerialNumber, cert))
201 return 0; 201 return 0;
202 break; 202 break;
203 203
204 case CMS_SIGNERINFO_KEYIDENTIFIER: 204 case CMS_SIGNERINFO_KEYIDENTIFIER:
205 if (!cms_set1_keyid(&sid->d.subjectKeyIdentifier, cert)) 205 if (!cms_set1_keyid(&sid->d.subjectKeyIdentifier, cert))
206 return 0; 206 return 0;
207 break; 207 break;
208 208
209 default: 209 default:
210 CMSerr(CMS_F_CMS_SET1_SIGNERIDENTIFIER, CMS_R_UNKNOWN_ID); 210 CMSerr(CMS_F_CMS_SET1_SIGNERIDENTIFIER, CMS_R_UNKNOWN_ID);
211 return 0; 211 return 0;
212 } 212 }
213 213
214 sid->type = type; 214 sid->type = type;
215 215
216 return 1; 216 return 1;
217} 217}
218 218
219int cms_SignerIdentifier_get0_signer_id(CMS_SignerIdentifier *sid, 219int cms_SignerIdentifier_get0_signer_id(CMS_SignerIdentifier *sid,
220 ASN1_OCTET_STRING **keyid, 220 ASN1_OCTET_STRING **keyid,
221 X509_NAME **issuer, 221 X509_NAME **issuer,
222 ASN1_INTEGER **sno) 222 ASN1_INTEGER **sno)
223{ 223{
224 if (sid->type == CMS_SIGNERINFO_ISSUER_SERIAL) { 224 if (sid->type == CMS_SIGNERINFO_ISSUER_SERIAL) {
225 if (issuer) 225 if (issuer)
226 *issuer = sid->d.issuerAndSerialNumber->issuer; 226 *issuer = sid->d.issuerAndSerialNumber->issuer;
227 if (sno) 227 if (sno)
228 *sno = sid->d.issuerAndSerialNumber->serialNumber; 228 *sno = sid->d.issuerAndSerialNumber->serialNumber;
229 } else if (sid->type == CMS_SIGNERINFO_KEYIDENTIFIER) { 229 } else if (sid->type == CMS_SIGNERINFO_KEYIDENTIFIER) {
230 if (keyid) 230 if (keyid)
231 *keyid = sid->d.subjectKeyIdentifier; 231 *keyid = sid->d.subjectKeyIdentifier;
232 } else 232 } else
233 return 0; 233 return 0;
234 return 1; 234 return 1;
235} 235}
236 236
237int cms_SignerIdentifier_cert_cmp(CMS_SignerIdentifier *sid, X509 *cert) 237int cms_SignerIdentifier_cert_cmp(CMS_SignerIdentifier *sid, X509 *cert)
238{ 238{
239 if (sid->type == CMS_SIGNERINFO_ISSUER_SERIAL) 239 if (sid->type == CMS_SIGNERINFO_ISSUER_SERIAL)
240 return cms_ias_cert_cmp(sid->d.issuerAndSerialNumber, cert); 240 return cms_ias_cert_cmp(sid->d.issuerAndSerialNumber, cert);
241 else if (sid->type == CMS_SIGNERINFO_KEYIDENTIFIER) 241 else if (sid->type == CMS_SIGNERINFO_KEYIDENTIFIER)
242 return cms_keyid_cert_cmp(sid->d.subjectKeyIdentifier, cert); 242 return cms_keyid_cert_cmp(sid->d.subjectKeyIdentifier, cert);
243 else 243 else
244 return -1; 244 return -1;
245} 245}
246 246
247static int cms_sd_asn1_ctrl(CMS_SignerInfo *si, int cmd) 247static int cms_sd_asn1_ctrl(CMS_SignerInfo *si, int cmd)
248{ 248{
249 EVP_PKEY *pkey = si->pkey; 249 EVP_PKEY *pkey = si->pkey;
250 int i; 250 int i;
251 if (!pkey->ameth || !pkey->ameth->pkey_ctrl) 251 if (!pkey->ameth || !pkey->ameth->pkey_ctrl)
252 return 1; 252 return 1;
253 i = pkey->ameth->pkey_ctrl(pkey, ASN1_PKEY_CTRL_CMS_SIGN, cmd, si); 253 i = pkey->ameth->pkey_ctrl(pkey, ASN1_PKEY_CTRL_CMS_SIGN, cmd, si);
254 if (i == -2) { 254 if (i == -2) {
255 CMSerr(CMS_F_CMS_SD_ASN1_CTRL, CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE); 255 CMSerr(CMS_F_CMS_SD_ASN1_CTRL, CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
256 return 0; 256 return 0;
257 } 257 }
258 if (i <= 0) { 258 if (i <= 0) {
259 CMSerr(CMS_F_CMS_SD_ASN1_CTRL, CMS_R_CTRL_FAILURE); 259 CMSerr(CMS_F_CMS_SD_ASN1_CTRL, CMS_R_CTRL_FAILURE);
260 return 0; 260 return 0;
261 } 261 }
262 return 1; 262 return 1;
263} 263}
264 264
265CMS_SignerInfo *CMS_add1_signer(CMS_ContentInfo *cms, 265CMS_SignerInfo *CMS_add1_signer(CMS_ContentInfo *cms,
266 X509 *signer, EVP_PKEY *pk, const EVP_MD *md, 266 X509 *signer, EVP_PKEY *pk, const EVP_MD *md,
267 unsigned int flags) 267 unsigned int flags)
268{ 268{
269 CMS_SignedData *sd; 269 CMS_SignedData *sd;
270 CMS_SignerInfo *si = NULL; 270 CMS_SignerInfo *si = NULL;
271 X509_ALGOR *alg; 271 X509_ALGOR *alg;
272 int i, type; 272 int i, type;
273 if (!X509_check_private_key(signer, pk)) { 273 if (!X509_check_private_key(signer, pk)) {
274 CMSerr(CMS_F_CMS_ADD1_SIGNER, 274 CMSerr(CMS_F_CMS_ADD1_SIGNER,
275 CMS_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE); 275 CMS_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
276 return NULL; 276 return NULL;
277 } 277 }
278 sd = cms_signed_data_init(cms); 278 sd = cms_signed_data_init(cms);
279 if (!sd) 279 if (!sd)
280 goto err; 280 goto err;
281 si = M_ASN1_new_of(CMS_SignerInfo); 281 si = M_ASN1_new_of(CMS_SignerInfo);
282 if (!si) 282 if (!si)
283 goto merr; 283 goto merr;
284 /* Call for side-effect of computing hash and caching extensions */ 284 /* Call for side-effect of computing hash and caching extensions */
285 X509_check_purpose(signer, -1, -1); 285 X509_check_purpose(signer, -1, -1);
286 286
287 X509_up_ref(signer); 287 X509_up_ref(signer);
288 EVP_PKEY_up_ref(pk); 288 EVP_PKEY_up_ref(pk);
289 289
290 si->pkey = pk; 290 si->pkey = pk;
291 si->signer = signer; 291 si->signer = signer;
292 si->mctx = EVP_MD_CTX_new(); 292 si->mctx = EVP_MD_CTX_new();
293 si->pctx = NULL; 293 si->pctx = NULL;
294 294
295 if (si->mctx == NULL) { 295 if (si->mctx == NULL) {
296 CMSerr(CMS_F_CMS_ADD1_SIGNER, ERR_R_MALLOC_FAILURE); 296 CMSerr(CMS_F_CMS_ADD1_SIGNER, ERR_R_MALLOC_FAILURE);
297 goto err; 297 goto err;
298 } 298 }
299 299
300 if (flags & CMS_USE_KEYID) { 300 if (flags & CMS_USE_KEYID) {
301 si->version = 3; 301 si->version = 3;
302 if (sd->version < 3) 302 if (sd->version < 3)
303 sd->version = 3; 303 sd->version = 3;
304 type = CMS_SIGNERINFO_KEYIDENTIFIER; 304 type = CMS_SIGNERINFO_KEYIDENTIFIER;
305 } else { 305 } else {
306 type = CMS_SIGNERINFO_ISSUER_SERIAL; 306 type = CMS_SIGNERINFO_ISSUER_SERIAL;
307 si->version = 1; 307 si->version = 1;
308 } 308 }
309 309
310 if (!cms_set1_SignerIdentifier(si->sid, signer, type)) 310 if (!cms_set1_SignerIdentifier(si->sid, signer, type))
311 goto err; 311 goto err;
312 312
313 if (md == NULL) { 313 if (md == NULL) {
314 int def_nid; 314 int def_nid;
315 if (EVP_PKEY_get_default_digest_nid(pk, &def_nid) <= 0) 315 if (EVP_PKEY_get_default_digest_nid(pk, &def_nid) <= 0)
316 goto err; 316 goto err;
317 md = EVP_get_digestbynid(def_nid); 317 md = EVP_get_digestbynid(def_nid);
318 if (md == NULL) { 318 if (md == NULL) {
319 CMSerr(CMS_F_CMS_ADD1_SIGNER, CMS_R_NO_DEFAULT_DIGEST); 319 CMSerr(CMS_F_CMS_ADD1_SIGNER, CMS_R_NO_DEFAULT_DIGEST);
320 goto err; 320 goto err;
321 } 321 }
322 } 322 }
323 323
324 if (!md) { 324 if (!md) {
325 CMSerr(CMS_F_CMS_ADD1_SIGNER, CMS_R_NO_DIGEST_SET); 325 CMSerr(CMS_F_CMS_ADD1_SIGNER, CMS_R_NO_DIGEST_SET);
326 goto err; 326 goto err;
327 } 327 }
328 328
329 X509_ALGOR_set_md(si->digestAlgorithm, md); 329 X509_ALGOR_set_md(si->digestAlgorithm, md);
330 330
331 /* See if digest is present in digestAlgorithms */ 331 /* See if digest is present in digestAlgorithms */
332 for (i = 0; i < sk_X509_ALGOR_num(sd->digestAlgorithms); i++) { 332 for (i = 0; i < sk_X509_ALGOR_num(sd->digestAlgorithms); i++) {
333 const ASN1_OBJECT *aoid; 333 const ASN1_OBJECT *aoid;
334 alg = sk_X509_ALGOR_value(sd->digestAlgorithms, i); 334 alg = sk_X509_ALGOR_value(sd->digestAlgorithms, i);
335 X509_ALGOR_get0(&aoid, NULL, NULL, alg); 335 X509_ALGOR_get0(&aoid, NULL, NULL, alg);
336 if (OBJ_obj2nid(aoid) == EVP_MD_type(md)) 336 if (OBJ_obj2nid(aoid) == EVP_MD_type(md))
337 break; 337 break;
338 } 338 }
339 339
340 if (i == sk_X509_ALGOR_num(sd->digestAlgorithms)) { 340 if (i == sk_X509_ALGOR_num(sd->digestAlgorithms)) {
341 alg = X509_ALGOR_new(); 341 alg = X509_ALGOR_new();
342 if (alg == NULL) 342 if (alg == NULL)
343 goto merr; 343 goto merr;
344 X509_ALGOR_set_md(alg, md); 344 X509_ALGOR_set_md(alg, md);
345 if (!sk_X509_ALGOR_push(sd->digestAlgorithms, alg)) { 345 if (!sk_X509_ALGOR_push(sd->digestAlgorithms, alg)) {
346 X509_ALGOR_free(alg); 346 X509_ALGOR_free(alg);
347 goto merr; 347 goto merr;
348 } 348 }
349 } 349 }
350 350
351 if (!(flags & CMS_KEY_PARAM) && !cms_sd_asn1_ctrl(si, 0)) 351 if (!(flags & CMS_KEY_PARAM) && !cms_sd_asn1_ctrl(si, 0))
352 goto err; 352 goto err;
353 if (!(flags & CMS_NOATTR)) { 353 if (!(flags & CMS_NOATTR)) {
354 /* 354 /*
355 * Initialize signed attributes structure so other attributes 355 * Initialize signed attributes structure so other attributes
356 * such as signing time etc are added later even if we add none here. 356 * such as signing time etc are added later even if we add none here.
357 */ 357 */
358 if (!si->signedAttrs) { 358 if (!si->signedAttrs) {
359 si->signedAttrs = sk_X509_ATTRIBUTE_new_null(); 359 si->signedAttrs = sk_X509_ATTRIBUTE_new_null();
360 if (!si->signedAttrs) 360 if (!si->signedAttrs)
361 goto merr; 361 goto merr;
362 } 362 }
363 363
364 if (!(flags & CMS_NOSMIMECAP)) { 364 if (!(flags & CMS_NOSMIMECAP)) {
365 STACK_OF(X509_ALGOR) *smcap = NULL; 365 STACK_OF(X509_ALGOR) *smcap = NULL;
366 i = CMS_add_standard_smimecap(&smcap); 366 i = CMS_add_standard_smimecap(&smcap);
367 if (i) 367 if (i)
368 i = CMS_add_smimecap(si, smcap); 368 i = CMS_add_smimecap(si, smcap);
369 sk_X509_ALGOR_pop_free(smcap, X509_ALGOR_free); 369 sk_X509_ALGOR_pop_free(smcap, X509_ALGOR_free);
370 if (!i) 370 if (!i)
371 goto merr; 371 goto merr;
372 } 372 }
373 if (flags & CMS_REUSE_DIGEST) { 373 if (flags & CMS_REUSE_DIGEST) {
374 if (!cms_copy_messageDigest(cms, si)) 374 if (!cms_copy_messageDigest(cms, si))
375 goto err; 375 goto err;
376 if (!(flags & (CMS_PARTIAL | CMS_KEY_PARAM)) && 376 if (!(flags & (CMS_PARTIAL | CMS_KEY_PARAM)) &&
377 !CMS_SignerInfo_sign(si)) 377 !CMS_SignerInfo_sign(si))
378 goto err; 378 goto err;
379 } 379 }
380 } 380 }
381 381
382 if (!(flags & CMS_NOCERTS)) { 382 if (!(flags & CMS_NOCERTS)) {
383 /* NB ignore -1 return for duplicate cert */ 383 /* NB ignore -1 return for duplicate cert */
384 if (!CMS_add1_cert(cms, signer)) 384 if (!CMS_add1_cert(cms, signer))
385 goto merr; 385 goto merr;
386 } 386 }
387 387
388 if (flags & CMS_KEY_PARAM) { 388 if (flags & CMS_KEY_PARAM) {
389 if (flags & CMS_NOATTR) { 389 if (flags & CMS_NOATTR) {
390 si->pctx = EVP_PKEY_CTX_new(si->pkey, NULL); 390 si->pctx = EVP_PKEY_CTX_new(si->pkey, NULL);
391 if (si->pctx == NULL) 391 if (si->pctx == NULL)
392 goto err; 392 goto err;
393 if (EVP_PKEY_sign_init(si->pctx) <= 0) 393 if (EVP_PKEY_sign_init(si->pctx) <= 0)
394 goto err; 394 goto err;
395 if (EVP_PKEY_CTX_set_signature_md(si->pctx, md) <= 0) 395 if (EVP_PKEY_CTX_set_signature_md(si->pctx, md) <= 0)
396 goto err; 396 goto err;
397 } else if (EVP_DigestSignInit(si->mctx, &si->pctx, md, NULL, pk) <= 397 } else if (EVP_DigestSignInit(si->mctx, &si->pctx, md, NULL, pk) <=
398 0) 398 0)
399 goto err; 399 goto err;
400 } 400 }
401 401
402 if (!sd->signerInfos) 402 if (!sd->signerInfos)
403 sd->signerInfos = sk_CMS_SignerInfo_new_null(); 403 sd->signerInfos = sk_CMS_SignerInfo_new_null();
404 if (!sd->signerInfos || !sk_CMS_SignerInfo_push(sd->signerInfos, si)) 404 if (!sd->signerInfos || !sk_CMS_SignerInfo_push(sd->signerInfos, si))
405 goto merr; 405 goto merr;
406 406
407 return si; 407 return si;
408 408
409 merr: 409 merr:
410 CMSerr(CMS_F_CMS_ADD1_SIGNER, ERR_R_MALLOC_FAILURE); 410 CMSerr(CMS_F_CMS_ADD1_SIGNER, ERR_R_MALLOC_FAILURE);
411 err: 411 err:
412 M_ASN1_free_of(si, CMS_SignerInfo); 412 M_ASN1_free_of(si, CMS_SignerInfo);
413 return NULL; 413 return NULL;
414 414
415} 415}
416 416
417static int cms_add1_signingTime(CMS_SignerInfo *si, ASN1_TIME *t) 417static int cms_add1_signingTime(CMS_SignerInfo *si, ASN1_TIME *t)
418{ 418{
419 ASN1_TIME *tt; 419 ASN1_TIME *tt;
420 int r = 0; 420 int r = 0;
421 if (t) 421 if (t)
422 tt = t; 422 tt = t;
423 else 423 else
424 tt = X509_gmtime_adj(NULL, 0); 424 tt = X509_gmtime_adj(NULL, 0);
425 425
426 if (!tt) 426 if (!tt)
427 goto merr; 427 goto merr;
428 428
429 if (CMS_signed_add1_attr_by_NID(si, NID_pkcs9_signingTime, 429 if (CMS_signed_add1_attr_by_NID(si, NID_pkcs9_signingTime,
430 tt->type, tt, -1) <= 0) 430 tt->type, tt, -1) <= 0)
431 goto merr; 431 goto merr;
432 432
433 r = 1; 433 r = 1;
434 434
435 merr: 435 merr:
436 436
437 if (!t) 437 if (!t)
438 ASN1_TIME_free(tt); 438 ASN1_TIME_free(tt);
439 439
440 if (!r) 440 if (!r)
441 CMSerr(CMS_F_CMS_ADD1_SIGNINGTIME, ERR_R_MALLOC_FAILURE); 441 CMSerr(CMS_F_CMS_ADD1_SIGNINGTIME, ERR_R_MALLOC_FAILURE);
442 442
443 return r; 443 return r;
444 444
445} 445}
446 446
447EVP_PKEY_CTX *CMS_SignerInfo_get0_pkey_ctx(CMS_SignerInfo *si) 447EVP_PKEY_CTX *CMS_SignerInfo_get0_pkey_ctx(CMS_SignerInfo *si)
448{ 448{
449 return si->pctx; 449 return si->pctx;
450} 450}
451 451
452EVP_MD_CTX *CMS_SignerInfo_get0_md_ctx(CMS_SignerInfo *si) 452EVP_MD_CTX *CMS_SignerInfo_get0_md_ctx(CMS_SignerInfo *si)
453{ 453{
454 return si->mctx; 454 return si->mctx;
455} 455}
456 456
457STACK_OF(CMS_SignerInfo) *CMS_get0_SignerInfos(CMS_ContentInfo *cms) 457STACK_OF(CMS_SignerInfo) *CMS_get0_SignerInfos(CMS_ContentInfo *cms)
458{ 458{
459 CMS_SignedData *sd; 459 CMS_SignedData *sd;
460 sd = cms_get0_signed(cms); 460 sd = cms_get0_signed(cms);
461 if (!sd) 461 if (!sd)
462 return NULL; 462 return NULL;
463 return sd->signerInfos; 463 return sd->signerInfos;
464} 464}
465 465
466STACK_OF(X509) *CMS_get0_signers(CMS_ContentInfo *cms) 466STACK_OF(X509) *CMS_get0_signers(CMS_ContentInfo *cms)
467{ 467{
468 STACK_OF(X509) *signers = NULL; 468 STACK_OF(X509) *signers = NULL;
469 STACK_OF(CMS_SignerInfo) *sinfos; 469 STACK_OF(CMS_SignerInfo) *sinfos;
470 CMS_SignerInfo *si; 470 CMS_SignerInfo *si;
471 int i; 471 int i;
472 sinfos = CMS_get0_SignerInfos(cms); 472 sinfos = CMS_get0_SignerInfos(cms);
473 for (i = 0; i < sk_CMS_SignerInfo_num(sinfos); i++) { 473 for (i = 0; i < sk_CMS_SignerInfo_num(sinfos); i++) {
474 si = sk_CMS_SignerInfo_value(sinfos, i); 474 si = sk_CMS_SignerInfo_value(sinfos, i);
475 if (si->signer) { 475 if (si->signer) {
476 if (!signers) { 476 if (!signers) {
477 signers = sk_X509_new_null(); 477 signers = sk_X509_new_null();
478 if (!signers) 478 if (!signers)
479 return NULL; 479 return NULL;
480 } 480 }
481 if (!sk_X509_push(signers, si->signer)) { 481 if (!sk_X509_push(signers, si->signer)) {
482 sk_X509_free(signers); 482 sk_X509_free(signers);
483 return NULL; 483 return NULL;
484 } 484 }
485 } 485 }
486 } 486 }
487 return signers; 487 return signers;
488} 488}
489 489
490void CMS_SignerInfo_set1_signer_cert(CMS_SignerInfo *si, X509 *signer) 490void CMS_SignerInfo_set1_signer_cert(CMS_SignerInfo *si, X509 *signer)
491{ 491{
492 if (signer) { 492 if (signer) {
493 X509_up_ref(signer); 493 X509_up_ref(signer);
494 EVP_PKEY_free(si->pkey); 494 EVP_PKEY_free(si->pkey);
495 si->pkey = X509_get_pubkey(signer); 495 si->pkey = X509_get_pubkey(signer);
496 } 496 }
497 X509_free(si->signer); 497 X509_free(si->signer);
498 si->signer = signer; 498 si->signer = signer;
499} 499}
500 500
501int CMS_SignerInfo_get0_signer_id(CMS_SignerInfo *si, 501int CMS_SignerInfo_get0_signer_id(CMS_SignerInfo *si,
502 ASN1_OCTET_STRING **keyid, 502 ASN1_OCTET_STRING **keyid,
503 X509_NAME **issuer, ASN1_INTEGER **sno) 503 X509_NAME **issuer, ASN1_INTEGER **sno)
504{ 504{
505 return cms_SignerIdentifier_get0_signer_id(si->sid, keyid, issuer, sno); 505 return cms_SignerIdentifier_get0_signer_id(si->sid, keyid, issuer, sno);
506} 506}
507 507
508int CMS_SignerInfo_cert_cmp(CMS_SignerInfo *si, X509 *cert) 508int CMS_SignerInfo_cert_cmp(CMS_SignerInfo *si, X509 *cert)
509{ 509{
510 return cms_SignerIdentifier_cert_cmp(si->sid, cert); 510 return cms_SignerIdentifier_cert_cmp(si->sid, cert);
511} 511}
512 512
513int CMS_set1_signers_certs(CMS_ContentInfo *cms, STACK_OF(X509) *scerts, 513int CMS_set1_signers_certs(CMS_ContentInfo *cms, STACK_OF(X509) *scerts,
514 unsigned int flags) 514 unsigned int flags)
515{ 515{
516 CMS_SignedData *sd; 516 CMS_SignedData *sd;
517 CMS_SignerInfo *si; 517 CMS_SignerInfo *si;
518 CMS_CertificateChoices *cch; 518 CMS_CertificateChoices *cch;
519 STACK_OF(CMS_CertificateChoices) *certs; 519 STACK_OF(CMS_CertificateChoices) *certs;
520 X509 *x; 520 X509 *x;
521 int i, j; 521 int i, j;
522 int ret = 0; 522 int ret = 0;
523 sd = cms_get0_signed(cms); 523 sd = cms_get0_signed(cms);
524 if (!sd) 524 if (!sd)
525 return -1; 525 return -1;
526 certs = sd->certificates; 526 certs = sd->certificates;
527 for (i = 0; i < sk_CMS_SignerInfo_num(sd->signerInfos); i++) { 527 for (i = 0; i < sk_CMS_SignerInfo_num(sd->signerInfos); i++) {
528 si = sk_CMS_SignerInfo_value(sd->signerInfos, i); 528 si = sk_CMS_SignerInfo_value(sd->signerInfos, i);
529 if (si->signer) 529 if (si->signer)
530 continue; 530 continue;
531 531
532 for (j = 0; j < sk_X509_num(scerts); j++) { 532 for (j = 0; j < sk_X509_num(scerts); j++) {
533 x = sk_X509_value(scerts, j); 533 x = sk_X509_value(scerts, j);
534 if (CMS_SignerInfo_cert_cmp(si, x) == 0) { 534 if (CMS_SignerInfo_cert_cmp(si, x) == 0) {
535 CMS_SignerInfo_set1_signer_cert(si, x); 535 CMS_SignerInfo_set1_signer_cert(si, x);
536 ret++; 536 ret++;
537 break; 537 break;
538 } 538 }
539 } 539 }
540 540
541 if (si->signer || (flags & CMS_NOINTERN)) 541 if (si->signer || (flags & CMS_NOINTERN))
542 continue; 542 continue;
543 543
544 for (j = 0; j < sk_CMS_CertificateChoices_num(certs); j++) { 544 for (j = 0; j < sk_CMS_CertificateChoices_num(certs); j++) {
545 cch = sk_CMS_CertificateChoices_value(certs, j); 545 cch = sk_CMS_CertificateChoices_value(certs, j);
546 if (cch->type != 0) 546 if (cch->type != 0)
547 continue; 547 continue;
548 x = cch->d.certificate; 548 x = cch->d.certificate;
549 if (CMS_SignerInfo_cert_cmp(si, x) == 0) { 549 if (CMS_SignerInfo_cert_cmp(si, x) == 0) {
550 CMS_SignerInfo_set1_signer_cert(si, x); 550 CMS_SignerInfo_set1_signer_cert(si, x);
551 ret++; 551 ret++;
552 break; 552 break;
553 } 553 }
554 } 554 }
555 } 555 }
556 return ret; 556 return ret;
557} 557}
558 558
559void CMS_SignerInfo_get0_algs(CMS_SignerInfo *si, EVP_PKEY **pk, 559void CMS_SignerInfo_get0_algs(CMS_SignerInfo *si, EVP_PKEY **pk,
560 X509 **signer, X509_ALGOR **pdig, 560 X509 **signer, X509_ALGOR **pdig,
561 X509_ALGOR **psig) 561 X509_ALGOR **psig)
562{ 562{
563 if (pk) 563 if (pk)
564 *pk = si->pkey; 564 *pk = si->pkey;
565 if (signer) 565 if (signer)
566 *signer = si->signer; 566 *signer = si->signer;
567 if (pdig) 567 if (pdig)
568 *pdig = si->digestAlgorithm; 568 *pdig = si->digestAlgorithm;
569 if (psig) 569 if (psig)
570 *psig = si->signatureAlgorithm; 570 *psig = si->signatureAlgorithm;
571} 571}
572 572
573ASN1_OCTET_STRING *CMS_SignerInfo_get0_signature(CMS_SignerInfo *si) 573ASN1_OCTET_STRING *CMS_SignerInfo_get0_signature(CMS_SignerInfo *si)
574{ 574{
575 return si->signature; 575 return si->signature;
576} 576}
577 577
578static int cms_SignerInfo_content_sign(CMS_ContentInfo *cms, 578static int cms_SignerInfo_content_sign(CMS_ContentInfo *cms,
579 CMS_SignerInfo *si, BIO *chain) 579 CMS_SignerInfo *si, BIO *chain)
580{ 580{
581 EVP_MD_CTX *mctx = EVP_MD_CTX_new(); 581 EVP_MD_CTX *mctx = EVP_MD_CTX_new();
582 int r = 0; 582 int r = 0;
583 EVP_PKEY_CTX *pctx = NULL; 583 EVP_PKEY_CTX *pctx = NULL;
584 584
585 if (mctx == NULL) { 585 if (mctx == NULL) {
586 CMSerr(CMS_F_CMS_SIGNERINFO_CONTENT_SIGN, ERR_R_MALLOC_FAILURE); 586 CMSerr(CMS_F_CMS_SIGNERINFO_CONTENT_SIGN, ERR_R_MALLOC_FAILURE);
587 return 0; 587 return 0;
588 } 588 }
589 589
590 if (!si->pkey) { 590 if (!si->pkey) {
591 CMSerr(CMS_F_CMS_SIGNERINFO_CONTENT_SIGN, CMS_R_NO_PRIVATE_KEY); 591 CMSerr(CMS_F_CMS_SIGNERINFO_CONTENT_SIGN, CMS_R_NO_PRIVATE_KEY);
592 goto err; 592 goto err;
593 } 593 }
594 594
595 if (!cms_DigestAlgorithm_find_ctx(mctx, chain, si->digestAlgorithm)) 595 if (!cms_DigestAlgorithm_find_ctx(mctx, chain, si->digestAlgorithm))
596 goto err; 596 goto err;
597 /* Set SignerInfo algorithm details if we used custom parameter */ 597 /* Set SignerInfo algorithm details if we used custom parameter */
598 if (si->pctx && !cms_sd_asn1_ctrl(si, 0)) 598 if (si->pctx && !cms_sd_asn1_ctrl(si, 0))
599 goto err; 599 goto err;
600 600
601 /* 601 /*
602 * If any signed attributes calculate and add messageDigest attribute 602 * If any signed attributes calculate and add messageDigest attribute
603 */ 603 */
604 604
605 if (CMS_signed_get_attr_count(si) >= 0) { 605 if (CMS_signed_get_attr_count(si) >= 0) {
606 ASN1_OBJECT *ctype = 606 ASN1_OBJECT *ctype =
607 cms->d.signedData->encapContentInfo->eContentType; 607 cms->d.signedData->encapContentInfo->eContentType;
608 unsigned char md[EVP_MAX_MD_SIZE]; 608 unsigned char md[EVP_MAX_MD_SIZE];
609 unsigned int mdlen; 609 unsigned int mdlen;
610 if (!EVP_DigestFinal_ex(mctx, md, &mdlen)) 610 if (!EVP_DigestFinal_ex(mctx, md, &mdlen))
611 goto err; 611 goto err;
612 if (!CMS_signed_add1_attr_by_NID(si, NID_pkcs9_messageDigest, 612 if (!CMS_signed_add1_attr_by_NID(si, NID_pkcs9_messageDigest,
613 V_ASN1_OCTET_STRING, md, mdlen)) 613 V_ASN1_OCTET_STRING, md, mdlen))
614 goto err; 614 goto err;
615 /* Copy content type across */ 615 /* Copy content type across */
616 if (CMS_signed_add1_attr_by_NID(si, NID_pkcs9_contentType, 616 if (CMS_signed_add1_attr_by_NID(si, NID_pkcs9_contentType,
617 V_ASN1_OBJECT, ctype, -1) <= 0) 617 V_ASN1_OBJECT, ctype, -1) <= 0)
618 goto err; 618 goto err;
619 if (!CMS_SignerInfo_sign(si)) 619 if (!CMS_SignerInfo_sign(si))
620 goto err; 620 goto err;
621 } else if (si->pctx) { 621 } else if (si->pctx) {
622 unsigned char *sig; 622 unsigned char *sig;
623 size_t siglen; 623 size_t siglen;
624 unsigned char md[EVP_MAX_MD_SIZE]; 624 unsigned char md[EVP_MAX_MD_SIZE];
625 unsigned int mdlen; 625 unsigned int mdlen;
626 pctx = si->pctx; 626 pctx = si->pctx;
627 if (!EVP_DigestFinal_ex(mctx, md, &mdlen)) 627 if (!EVP_DigestFinal_ex(mctx, md, &mdlen))
628 goto err; 628 goto err;
629 siglen = EVP_PKEY_size(si->pkey); 629 siglen = EVP_PKEY_size(si->pkey);
630 sig = OPENSSL_malloc(siglen); 630 sig = OPENSSL_malloc(siglen);
631 if (sig == NULL) { 631 if (sig == NULL) {
632 CMSerr(CMS_F_CMS_SIGNERINFO_CONTENT_SIGN, ERR_R_MALLOC_FAILURE); 632 CMSerr(CMS_F_CMS_SIGNERINFO_CONTENT_SIGN, ERR_R_MALLOC_FAILURE);
633 goto err; 633 goto err;
634 } 634 }
635 if (EVP_PKEY_sign(pctx, sig, &siglen, md, mdlen) <= 0) { 635 if (EVP_PKEY_sign(pctx, sig, &siglen, md, mdlen) <= 0) {
636 OPENSSL_free(sig); 636 OPENSSL_free(sig);
637 goto err; 637 goto err;
638 } 638 }
639 ASN1_STRING_set0(si->signature, sig, siglen); 639 ASN1_STRING_set0(si->signature, sig, siglen);
640 } else { 640 } else {
641 unsigned char *sig; 641 unsigned char *sig;
642 unsigned int siglen; 642 unsigned int siglen;
643 sig = OPENSSL_malloc(EVP_PKEY_size(si->pkey)); 643 sig = OPENSSL_malloc(EVP_PKEY_size(si->pkey));
644 if (sig == NULL) { 644 if (sig == NULL) {
645 CMSerr(CMS_F_CMS_SIGNERINFO_CONTENT_SIGN, ERR_R_MALLOC_FAILURE); 645 CMSerr(CMS_F_CMS_SIGNERINFO_CONTENT_SIGN, ERR_R_MALLOC_FAILURE);
646 goto err; 646 goto err;
647 } 647 }
648 if (!EVP_SignFinal(mctx, sig, &siglen, si->pkey)) { 648 if (!EVP_SignFinal(mctx, sig, &siglen, si->pkey)) {
649 CMSerr(CMS_F_CMS_SIGNERINFO_CONTENT_SIGN, CMS_R_SIGNFINAL_ERROR); 649 CMSerr(CMS_F_CMS_SIGNERINFO_CONTENT_SIGN, CMS_R_SIGNFINAL_ERROR);
650 OPENSSL_free(sig); 650 OPENSSL_free(sig);
651 goto err; 651 goto err;
652 } 652 }
653 ASN1_STRING_set0(si->signature, sig, siglen); 653 ASN1_STRING_set0(si->signature, sig, siglen);
654 } 654 }
655 655
656 r = 1; 656 r = 1;
657 657
658 err: 658 err:
659 EVP_MD_CTX_free(mctx); 659 EVP_MD_CTX_free(mctx);
660 EVP_PKEY_CTX_free(pctx); 660 EVP_PKEY_CTX_free(pctx);
661 return r; 661 return r;
662 662
663} 663}
664 664
665int cms_SignedData_final(CMS_ContentInfo *cms, BIO *chain) 665int cms_SignedData_final(CMS_ContentInfo *cms, BIO *chain)
666{ 666{
667 STACK_OF(CMS_SignerInfo) *sinfos; 667 STACK_OF(CMS_SignerInfo) *sinfos;
668 CMS_SignerInfo *si; 668 CMS_SignerInfo *si;
669 int i; 669 int i;
670 sinfos = CMS_get0_SignerInfos(cms); 670 sinfos = CMS_get0_SignerInfos(cms);
671 for (i = 0; i < sk_CMS_SignerInfo_num(sinfos); i++) { 671 for (i = 0; i < sk_CMS_SignerInfo_num(sinfos); i++) {
672 si = sk_CMS_SignerInfo_value(sinfos, i); 672 si = sk_CMS_SignerInfo_value(sinfos, i);
673 if (!cms_SignerInfo_content_sign(cms, si, chain)) 673 if (!cms_SignerInfo_content_sign(cms, si, chain))
674 return 0; 674 return 0;
675 } 675 }
676 cms->d.signedData->encapContentInfo->partial = 0; 676 cms->d.signedData->encapContentInfo->partial = 0;
677 return 1; 677 return 1;
678} 678}
679 679
680int CMS_SignerInfo_sign(CMS_SignerInfo *si) 680int CMS_SignerInfo_sign(CMS_SignerInfo *si)
681{ 681{
682 EVP_MD_CTX *mctx = si->mctx; 682 EVP_MD_CTX *mctx = si->mctx;
683 EVP_PKEY_CTX *pctx = NULL; 683 EVP_PKEY_CTX *pctx = NULL;
684 unsigned char *abuf = NULL; 684 unsigned char *abuf = NULL;
685 int alen; 685 int alen;
686 size_t siglen; 686 size_t siglen;
687 const EVP_MD *md = NULL; 687 const EVP_MD *md = NULL;
688 688
689 md = EVP_get_digestbyobj(si->digestAlgorithm->algorithm); 689 md = EVP_get_digestbyobj(si->digestAlgorithm->algorithm);
690 if (md == NULL) 690 if (md == NULL)
691 return 0; 691 return 0;
692 692
693 if (CMS_signed_get_attr_by_NID(si, NID_pkcs9_signingTime, -1) < 0) { 693 if (CMS_signed_get_attr_by_NID(si, NID_pkcs9_signingTime, -1) < 0) {
694 if (!cms_add1_signingTime(si, NULL)) 694 if (!cms_add1_signingTime(si, NULL))
695 goto err; 695 goto err;
696 } 696 }
697 697
698 if (si->pctx) 698 if (si->pctx)
699 pctx = si->pctx; 699 pctx = si->pctx;
700 else { 700 else {
701 EVP_MD_CTX_reset(mctx); 701 EVP_MD_CTX_reset(mctx);
702 if (EVP_DigestSignInit(mctx, &pctx, md, NULL, si->pkey) <= 0) 702 if (EVP_DigestSignInit(mctx, &pctx, md, NULL, si->pkey) <= 0)
703 goto err; 703 goto err;
704 si->pctx = pctx; 704 si->pctx = pctx;
705 } 705 }
706 706
707 if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN, 707 if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN,
708 EVP_PKEY_CTRL_CMS_SIGN, 0, si) <= 0) { 708 EVP_PKEY_CTRL_CMS_SIGN, 0, si) <= 0) {
709 CMSerr(CMS_F_CMS_SIGNERINFO_SIGN, CMS_R_CTRL_ERROR); 709 CMSerr(CMS_F_CMS_SIGNERINFO_SIGN, CMS_R_CTRL_ERROR);
710 goto err; 710 goto err;
711 } 711 }
712 712
713 alen = ASN1_item_i2d((ASN1_VALUE *)si->signedAttrs, &abuf, 713 alen = ASN1_item_i2d((ASN1_VALUE *)si->signedAttrs, &abuf,
714 ASN1_ITEM_rptr(CMS_Attributes_Sign)); 714 ASN1_ITEM_rptr(CMS_Attributes_Sign));
715 if (!abuf) 715 if (!abuf)
716 goto err; 716 goto err;
717 if (EVP_DigestSignUpdate(mctx, abuf, alen) <= 0) 717 if (EVP_DigestSignUpdate(mctx, abuf, alen) <= 0)
718 goto err; 718 goto err;
719 if (EVP_DigestSignFinal(mctx, NULL, &siglen) <= 0) 719 if (EVP_DigestSignFinal(mctx, NULL, &siglen) <= 0)
720 goto err; 720 goto err;
721 OPENSSL_free(abuf); 721 OPENSSL_free(abuf);
722 abuf = OPENSSL_malloc(siglen); 722 abuf = OPENSSL_malloc(siglen);
723 if (abuf == NULL) 723 if (abuf == NULL)
724 goto err; 724 goto err;
725 if (EVP_DigestSignFinal(mctx, abuf, &siglen) <= 0) 725 if (EVP_DigestSignFinal(mctx, abuf, &siglen) <= 0)
726 goto err; 726 goto err;
727 727
728 if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN, 728 if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN,
729 EVP_PKEY_CTRL_CMS_SIGN, 1, si) <= 0) { 729 EVP_PKEY_CTRL_CMS_SIGN, 1, si) <= 0) {
730 CMSerr(CMS_F_CMS_SIGNERINFO_SIGN, CMS_R_CTRL_ERROR); 730 CMSerr(CMS_F_CMS_SIGNERINFO_SIGN, CMS_R_CTRL_ERROR);
731 goto err; 731 goto err;
732 } 732 }
733 733
734 EVP_MD_CTX_reset(mctx); 734 EVP_MD_CTX_reset(mctx);
735 735
736 ASN1_STRING_set0(si->signature, abuf, siglen); 736 ASN1_STRING_set0(si->signature, abuf, siglen);
737 737
738 return 1; 738 return 1;
739 739
740 err: 740 err:
741 OPENSSL_free(abuf); 741 OPENSSL_free(abuf);
742 EVP_MD_CTX_reset(mctx); 742 EVP_MD_CTX_reset(mctx);
743 return 0; 743 return 0;
744 744
745} 745}
746 746
747int CMS_SignerInfo_verify(CMS_SignerInfo *si) 747int CMS_SignerInfo_verify(CMS_SignerInfo *si)
748{ 748{
749 EVP_MD_CTX *mctx = NULL; 749 EVP_MD_CTX *mctx = NULL;
750 unsigned char *abuf = NULL; 750 unsigned char *abuf = NULL;
751 int alen, r = -1; 751 int alen, r = -1;
752 const EVP_MD *md = NULL; 752 const EVP_MD *md = NULL;
753 753
754 if (!si->pkey) { 754 if (!si->pkey) {
755 CMSerr(CMS_F_CMS_SIGNERINFO_VERIFY, CMS_R_NO_PUBLIC_KEY); 755 CMSerr(CMS_F_CMS_SIGNERINFO_VERIFY, CMS_R_NO_PUBLIC_KEY);
756 return -1; 756 return -1;
757 } 757 }
758 758
759 md = EVP_get_digestbyobj(si->digestAlgorithm->algorithm); 759 md = EVP_get_digestbyobj(si->digestAlgorithm->algorithm);
760 if (md == NULL) 760 if (md == NULL)
761 return -1; 761 return -1;
762 if (si->mctx == NULL && (si->mctx = EVP_MD_CTX_new()) == NULL) { 762 if (si->mctx == NULL && (si->mctx = EVP_MD_CTX_new()) == NULL) {
763 CMSerr(CMS_F_CMS_SIGNERINFO_VERIFY, ERR_R_MALLOC_FAILURE); 763 CMSerr(CMS_F_CMS_SIGNERINFO_VERIFY, ERR_R_MALLOC_FAILURE);
764 return -1; 764 return -1;
765 } 765 }
766 mctx = si->mctx; 766 mctx = si->mctx;
767 if (EVP_DigestVerifyInit(mctx, &si->pctx, md, NULL, si->pkey) <= 0) 767 if (EVP_DigestVerifyInit(mctx, &si->pctx, md, NULL, si->pkey) <= 0)
768 goto err; 768 goto err;
769 769
770 if (!cms_sd_asn1_ctrl(si, 1)) 770 if (!cms_sd_asn1_ctrl(si, 1))
771 goto err; 771 goto err;
772 772
773 alen = ASN1_item_i2d((ASN1_VALUE *)si->signedAttrs, &abuf, 773 alen = ASN1_item_i2d((ASN1_VALUE *)si->signedAttrs, &abuf,
774 ASN1_ITEM_rptr(CMS_Attributes_Verify)); 774 ASN1_ITEM_rptr(CMS_Attributes_Verify));
775 if (!abuf) 775 if (!abuf)
776 goto err; 776 goto err;
777 r = EVP_DigestVerifyUpdate(mctx, abuf, alen); 777 r = EVP_DigestVerifyUpdate(mctx, abuf, alen);
778 OPENSSL_free(abuf); 778 OPENSSL_free(abuf);
779 if (r <= 0) { 779 if (r <= 0) {
780 r = -1; 780 r = -1;
781 goto err; 781 goto err;
782 } 782 }
783 r = EVP_DigestVerifyFinal(mctx, 783 r = EVP_DigestVerifyFinal(mctx,
784 si->signature->data, si->signature->length); 784 si->signature->data, si->signature->length);
785 if (r <= 0) 785 if (r <= 0)
786 CMSerr(CMS_F_CMS_SIGNERINFO_VERIFY, CMS_R_VERIFICATION_FAILURE); 786 CMSerr(CMS_F_CMS_SIGNERINFO_VERIFY, CMS_R_VERIFICATION_FAILURE);
787 err: 787 err:
788 EVP_MD_CTX_reset(mctx); 788 EVP_MD_CTX_reset(mctx);
789 return r; 789 return r;
790} 790}
791 791
792/* Create a chain of digest BIOs from a CMS ContentInfo */ 792/* Create a chain of digest BIOs from a CMS ContentInfo */
793 793
794BIO *cms_SignedData_init_bio(CMS_ContentInfo *cms) 794BIO *cms_SignedData_init_bio(CMS_ContentInfo *cms)
795{ 795{
796 int i; 796 int i;
797 CMS_SignedData *sd; 797 CMS_SignedData *sd;
798 BIO *chain = NULL; 798 BIO *chain = NULL;
799 sd = cms_get0_signed(cms); 799 sd = cms_get0_signed(cms);
800 if (!sd) 800 if (!sd)
801 return NULL; 801 return NULL;
802 if (cms->d.signedData->encapContentInfo->partial) 802 if (cms->d.signedData->encapContentInfo->partial)
803 cms_sd_set_version(sd); 803 cms_sd_set_version(sd);
804 for (i = 0; i < sk_X509_ALGOR_num(sd->digestAlgorithms); i++) { 804 for (i = 0; i < sk_X509_ALGOR_num(sd->digestAlgorithms); i++) {
805 X509_ALGOR *digestAlgorithm; 805 X509_ALGOR *digestAlgorithm;
806 BIO *mdbio; 806 BIO *mdbio;
807 digestAlgorithm = sk_X509_ALGOR_value(sd->digestAlgorithms, i); 807 digestAlgorithm = sk_X509_ALGOR_value(sd->digestAlgorithms, i);
808 mdbio = cms_DigestAlgorithm_init_bio(digestAlgorithm); 808 mdbio = cms_DigestAlgorithm_init_bio(digestAlgorithm);
809 if (!mdbio) 809 if (!mdbio)
810 goto err; 810 goto err;
811 if (chain) 811 if (chain)
812 BIO_push(chain, mdbio); 812 BIO_push(chain, mdbio);
813 else 813 else
814 chain = mdbio; 814 chain = mdbio;
815 } 815 }
816 return chain; 816 return chain;
817 err: 817 err:
818 BIO_free_all(chain); 818 BIO_free_all(chain);
819 return NULL; 819 return NULL;
820} 820}
821 821
822int CMS_SignerInfo_verify_content(CMS_SignerInfo *si, BIO *chain) 822int CMS_SignerInfo_verify_content(CMS_SignerInfo *si, BIO *chain)
823{ 823{
824 ASN1_OCTET_STRING *os = NULL; 824 ASN1_OCTET_STRING *os = NULL;
825 EVP_MD_CTX *mctx = EVP_MD_CTX_new(); 825 EVP_MD_CTX *mctx = EVP_MD_CTX_new();
826 EVP_PKEY_CTX *pkctx = NULL; 826 EVP_PKEY_CTX *pkctx = NULL;
827 int r = -1; 827 int r = -1;
828 unsigned char mval[EVP_MAX_MD_SIZE]; 828 unsigned char mval[EVP_MAX_MD_SIZE];
829 unsigned int mlen; 829 unsigned int mlen;
830 830
831 if (mctx == NULL) { 831 if (mctx == NULL) {
832 CMSerr(CMS_F_CMS_SIGNERINFO_VERIFY_CONTENT, ERR_R_MALLOC_FAILURE); 832 CMSerr(CMS_F_CMS_SIGNERINFO_VERIFY_CONTENT, ERR_R_MALLOC_FAILURE);
833 goto err; 833 goto err;
834 } 834 }
835 /* If we have any signed attributes look for messageDigest value */ 835 /* If we have any signed attributes look for messageDigest value */
836 if (CMS_signed_get_attr_count(si) >= 0) { 836 if (CMS_signed_get_attr_count(si) >= 0) {
837 os = CMS_signed_get0_data_by_OBJ(si, 837 os = CMS_signed_get0_data_by_OBJ(si,
838 OBJ_nid2obj(NID_pkcs9_messageDigest), 838 OBJ_nid2obj(NID_pkcs9_messageDigest),
839 -3, V_ASN1_OCTET_STRING); 839 -3, V_ASN1_OCTET_STRING);
840 if (!os) { 840 if (!os) {
841 CMSerr(CMS_F_CMS_SIGNERINFO_VERIFY_CONTENT, 841 CMSerr(CMS_F_CMS_SIGNERINFO_VERIFY_CONTENT,
842 CMS_R_ERROR_READING_MESSAGEDIGEST_ATTRIBUTE); 842 CMS_R_ERROR_READING_MESSAGEDIGEST_ATTRIBUTE);
843 goto err; 843 goto err;
844 } 844 }
845 } 845 }
846 846
847 if (!cms_DigestAlgorithm_find_ctx(mctx, chain, si->digestAlgorithm)) 847 if (!cms_DigestAlgorithm_find_ctx(mctx, chain, si->digestAlgorithm))
848 goto err; 848 goto err;
849 849
850 if (EVP_DigestFinal_ex(mctx, mval, &mlen) <= 0) { 850 if (EVP_DigestFinal_ex(mctx, mval, &mlen) <= 0) {
851 CMSerr(CMS_F_CMS_SIGNERINFO_VERIFY_CONTENT, 851 CMSerr(CMS_F_CMS_SIGNERINFO_VERIFY_CONTENT,
852 CMS_R_UNABLE_TO_FINALIZE_CONTEXT); 852 CMS_R_UNABLE_TO_FINALIZE_CONTEXT);
853 goto err; 853 goto err;
854 } 854 }
855 855
856 /* If messageDigest found compare it */ 856 /* If messageDigest found compare it */
857 857
858 if (os) { 858 if (os) {
859 if (mlen != (unsigned int)os->length) { 859 if (mlen != (unsigned int)os->length) {
860 CMSerr(CMS_F_CMS_SIGNERINFO_VERIFY_CONTENT, 860 CMSerr(CMS_F_CMS_SIGNERINFO_VERIFY_CONTENT,
861 CMS_R_MESSAGEDIGEST_ATTRIBUTE_WRONG_LENGTH); 861 CMS_R_MESSAGEDIGEST_ATTRIBUTE_WRONG_LENGTH);
862 goto err; 862 goto err;
863 } 863 }
864 864
865 if (memcmp(mval, os->data, mlen)) { 865 if (memcmp(mval, os->data, mlen)) {
866 CMSerr(CMS_F_CMS_SIGNERINFO_VERIFY_CONTENT, 866 CMSerr(CMS_F_CMS_SIGNERINFO_VERIFY_CONTENT,
867 CMS_R_VERIFICATION_FAILURE); 867 CMS_R_VERIFICATION_FAILURE);
868 r = 0; 868 r = 0;
869 } else 869 } else
870 r = 1; 870 r = 1;
871 } else { 871 } else {
872 const EVP_MD *md = EVP_MD_CTX_md(mctx); 872 const EVP_MD *md = EVP_MD_CTX_md(mctx);
873 pkctx = EVP_PKEY_CTX_new(si->pkey, NULL); 873 pkctx = EVP_PKEY_CTX_new(si->pkey, NULL);
874 if (pkctx == NULL) 874 if (pkctx == NULL)
875 goto err; 875 goto err;
876 if (EVP_PKEY_verify_init(pkctx) <= 0) 876 if (EVP_PKEY_verify_init(pkctx) <= 0)
877 goto err; 877 goto err;
878 if (EVP_PKEY_CTX_set_signature_md(pkctx, md) <= 0) 878 if (EVP_PKEY_CTX_set_signature_md(pkctx, md) <= 0)
879 goto err; 879 goto err;
880 si->pctx = pkctx; 880 si->pctx = pkctx;
881 if (!cms_sd_asn1_ctrl(si, 1)) 881 if (!cms_sd_asn1_ctrl(si, 1))
882 goto err; 882 goto err;
883 r = EVP_PKEY_verify(pkctx, si->signature->data, 883 r = EVP_PKEY_verify(pkctx, si->signature->data,
884 si->signature->length, mval, mlen); 884 si->signature->length, mval, mlen);
885 if (r <= 0) { 885 if (r <= 0) {
886 CMSerr(CMS_F_CMS_SIGNERINFO_VERIFY_CONTENT, 886 CMSerr(CMS_F_CMS_SIGNERINFO_VERIFY_CONTENT,
887 CMS_R_VERIFICATION_FAILURE); 887 CMS_R_VERIFICATION_FAILURE);
888 r = 0; 888 r = 0;
889 } 889 }
890 } 890 }
891 891
892 err: 892 err:
893 EVP_PKEY_CTX_free(pkctx); 893 EVP_PKEY_CTX_free(pkctx);
894 EVP_MD_CTX_free(mctx); 894 EVP_MD_CTX_free(mctx);
895 return r; 895 return r;
896 896
897} 897}
898 898
899int CMS_add_smimecap(CMS_SignerInfo *si, STACK_OF(X509_ALGOR) *algs) 899int CMS_add_smimecap(CMS_SignerInfo *si, STACK_OF(X509_ALGOR) *algs)
900{ 900{
901 unsigned char *smder = NULL; 901 unsigned char *smder = NULL;
902 int smderlen, r; 902 int smderlen, r;
903 smderlen = i2d_X509_ALGORS(algs, &smder); 903 smderlen = i2d_X509_ALGORS(algs, &smder);
904 if (smderlen <= 0) 904 if (smderlen <= 0)
905 return 0; 905 return 0;
906 r = CMS_signed_add1_attr_by_NID(si, NID_SMIMECapabilities, 906 r = CMS_signed_add1_attr_by_NID(si, NID_SMIMECapabilities,
907 V_ASN1_SEQUENCE, smder, smderlen); 907 V_ASN1_SEQUENCE, smder, smderlen);
908 OPENSSL_free(smder); 908 OPENSSL_free(smder);
909 return r; 909 return r;
910} 910}
911 911
912int CMS_add_simple_smimecap(STACK_OF(X509_ALGOR) **algs, 912int CMS_add_simple_smimecap(STACK_OF(X509_ALGOR) **algs,
913 int algnid, int keysize) 913 int algnid, int keysize)
914{ 914{
915 X509_ALGOR *alg; 915 X509_ALGOR *alg;
916 ASN1_INTEGER *key = NULL; 916 ASN1_INTEGER *key = NULL;
917 if (keysize > 0) { 917 if (keysize > 0) {
918 key = ASN1_INTEGER_new(); 918 key = ASN1_INTEGER_new();
919 if (key == NULL || !ASN1_INTEGER_set(key, keysize)) 919 if (key == NULL || !ASN1_INTEGER_set(key, keysize))
920 return 0; 920 return 0;
921 } 921 }
922 alg = X509_ALGOR_new(); 922 alg = X509_ALGOR_new();
923 if (alg == NULL) { 923 if (alg == NULL) {
924 ASN1_INTEGER_free(key); 924 ASN1_INTEGER_free(key);
925 return 0; 925 return 0;
926 } 926 }
927 927
928 X509_ALGOR_set0(alg, OBJ_nid2obj(algnid), 928 X509_ALGOR_set0(alg, OBJ_nid2obj(algnid),
929 key ? V_ASN1_INTEGER : V_ASN1_UNDEF, key); 929 key ? V_ASN1_INTEGER : V_ASN1_UNDEF, key);
930 if (*algs == NULL) 930 if (*algs == NULL)
931 *algs = sk_X509_ALGOR_new_null(); 931 *algs = sk_X509_ALGOR_new_null();
932 if (*algs == NULL || !sk_X509_ALGOR_push(*algs, alg)) { 932 if (*algs == NULL || !sk_X509_ALGOR_push(*algs, alg)) {
933 X509_ALGOR_free(alg); 933 X509_ALGOR_free(alg);
934 return 0; 934 return 0;
935 } 935 }
936 return 1; 936 return 1;
937} 937}
938 938
939/* Check to see if a cipher exists and if so add S/MIME capabilities */ 939/* Check to see if a cipher exists and if so add S/MIME capabilities */
940 940
941static int cms_add_cipher_smcap(STACK_OF(X509_ALGOR) **sk, int nid, int arg) 941static int cms_add_cipher_smcap(STACK_OF(X509_ALGOR) **sk, int nid, int arg)
942{ 942{
943 if (EVP_get_cipherbynid(nid)) 943 if (EVP_get_cipherbynid(nid))
944 return CMS_add_simple_smimecap(sk, nid, arg); 944 return CMS_add_simple_smimecap(sk, nid, arg);
945 return 1; 945 return 1;
946} 946}
947 947
948static int cms_add_digest_smcap(STACK_OF(X509_ALGOR) **sk, int nid, int arg) 948static int cms_add_digest_smcap(STACK_OF(X509_ALGOR) **sk, int nid, int arg)
949{ 949{
950 if (EVP_get_digestbynid(nid)) 950 if (EVP_get_digestbynid(nid))
951 return CMS_add_simple_smimecap(sk, nid, arg); 951 return CMS_add_simple_smimecap(sk, nid, arg);
952 return 1; 952 return 1;
953} 953}
954 954
955int CMS_add_standard_smimecap(STACK_OF(X509_ALGOR) **smcap) 955int CMS_add_standard_smimecap(STACK_OF(X509_ALGOR) **smcap)
956{ 956{
957 if (!cms_add_cipher_smcap(smcap, NID_aes_256_cbc, -1) 957 if (!cms_add_cipher_smcap(smcap, NID_aes_256_cbc, -1)
958 || !cms_add_digest_smcap(smcap, NID_id_GostR3411_2012_256, -1) 958 || !cms_add_digest_smcap(smcap, NID_id_GostR3411_2012_256, -1)
959 || !cms_add_digest_smcap(smcap, NID_id_GostR3411_2012_512, -1) 959 || !cms_add_digest_smcap(smcap, NID_id_GostR3411_2012_512, -1)
960 || !cms_add_digest_smcap(smcap, NID_id_GostR3411_94, -1) 960 || !cms_add_digest_smcap(smcap, NID_id_GostR3411_94, -1)
961 || !cms_add_cipher_smcap(smcap, NID_id_Gost28147_89, -1) 961 || !cms_add_cipher_smcap(smcap, NID_id_Gost28147_89, -1)
962 || !cms_add_cipher_smcap(smcap, NID_aes_192_cbc, -1) 962 || !cms_add_cipher_smcap(smcap, NID_aes_192_cbc, -1)
963 || !cms_add_cipher_smcap(smcap, NID_aes_128_cbc, -1) 963 || !cms_add_cipher_smcap(smcap, NID_aes_128_cbc, -1)
964 || !cms_add_cipher_smcap(smcap, NID_des_ede3_cbc, -1) 964 || !cms_add_cipher_smcap(smcap, NID_des_ede3_cbc, -1)
965 || !cms_add_cipher_smcap(smcap, NID_rc2_cbc, 128) 965 || !cms_add_cipher_smcap(smcap, NID_rc2_cbc, 128)
966 || !cms_add_cipher_smcap(smcap, NID_rc2_cbc, 64) 966 || !cms_add_cipher_smcap(smcap, NID_rc2_cbc, 64)
967 || !cms_add_cipher_smcap(smcap, NID_des_cbc, -1) 967 || !cms_add_cipher_smcap(smcap, NID_des_cbc, -1)
968 || !cms_add_cipher_smcap(smcap, NID_rc2_cbc, 40)) 968 || !cms_add_cipher_smcap(smcap, NID_rc2_cbc, 40))
969 return 0; 969 return 0;
970 return 1; 970 return 1;
971} 971}
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-08-16 20:46:58 +0000