2 * Copyright (c) 2003 - 2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
37 * @page page_cms CMS/PKCS7 message functions.
39 * CMS is defined in RFC 3369 and is an continuation of the RSA Labs
40 * standard PKCS7. The basic messages in CMS is
43 * Data signed with private key (RSA, DSA, ECDSA) or secret
46 * Data encrypted with private key (RSA)
48 * Data encrypted with secret (symmetric) key.
50 * Wrapper structure including type and data.
53 * See the library functions here: @ref hx509_cms
56 #define ALLOC(X, N) (X) = calloc((N), sizeof(*(X)))
57 #define ALLOC_SEQ(X, N) do { (X)->len = (N); ALLOC((X)->val, (N)); } while(0)
60 * Wrap data and oid in a ContentInfo and encode it.
62 * @param oid type of the content.
63 * @param buf data to be wrapped. If a NULL pointer is passed in, the
64 * optional content field in the ContentInfo is not going be filled
66 * @param res the encoded buffer, the result should be freed with
67 * der_free_octet_string().
69 * @return Returns an hx509 error code.
75 hx509_cms_wrap_ContentInfo(const heim_oid *oid,
76 const heim_octet_string *buf,
77 heim_octet_string *res)
83 memset(res, 0, sizeof(*res));
84 memset(&ci, 0, sizeof(ci));
86 ret = der_copy_oid(oid, &ci.contentType);
91 if (ci.content == NULL) {
92 free_ContentInfo(&ci);
95 ci.content->data = malloc(buf->length);
96 if (ci.content->data == NULL) {
97 free_ContentInfo(&ci);
100 memcpy(ci.content->data, buf->data, buf->length);
101 ci.content->length = buf->length;
104 ASN1_MALLOC_ENCODE(ContentInfo, res->data, res->length, &ci, &size, ret);
105 free_ContentInfo(&ci);
108 if (res->length != size)
109 _hx509_abort("internal ASN.1 encoder error");
115 * Decode an ContentInfo and unwrap data and oid it.
117 * @param in the encoded buffer.
118 * @param oid type of the content.
119 * @param out data to be wrapped.
120 * @param have_data since the data is optional, this flags show dthe
121 * diffrence between no data and the zero length data.
123 * @return Returns an hx509 error code.
129 hx509_cms_unwrap_ContentInfo(const heim_octet_string *in,
131 heim_octet_string *out,
138 memset(oid, 0, sizeof(*oid));
139 memset(out, 0, sizeof(*out));
141 ret = decode_ContentInfo(in->data, in->length, &ci, &size);
145 ret = der_copy_oid(&ci.contentType, oid);
147 free_ContentInfo(&ci);
151 ret = der_copy_octet_string(ci.content, out);
154 free_ContentInfo(&ci);
158 memset(out, 0, sizeof(*out));
161 *have_data = (ci.content != NULL) ? 1 : 0;
163 free_ContentInfo(&ci);
169 #define CMS_ID_NAME 1
172 fill_CMSIdentifier(const hx509_cert cert,
180 id->element = choice_CMSIdentifier_subjectKeyIdentifier;
181 ret = _hx509_find_extension_subject_key_id(_hx509_get_cert(cert),
182 &id->u.subjectKeyIdentifier);
189 id->element = choice_CMSIdentifier_issuerAndSerialNumber;
190 ret = hx509_cert_get_issuer(cert, &name);
193 ret = hx509_name_to_Name(name, &id->u.issuerAndSerialNumber.issuer);
194 hx509_name_free(&name);
198 ret = hx509_cert_get_serialnumber(cert, &id->u.issuerAndSerialNumber.serialNumber);
202 _hx509_abort("CMS fill identifier with unknown type");
208 unparse_CMSIdentifier(hx509_context context,
215 switch (id->element) {
216 case choice_CMSIdentifier_issuerAndSerialNumber: {
217 IssuerAndSerialNumber *iasn;
220 iasn = &id->u.issuerAndSerialNumber;
222 ret = _hx509_Name_to_string(&iasn->issuer, &name);
225 ret = der_print_hex_heim_integer(&iasn->serialNumber, &serial);
230 asprintf(str, "certificate issued by %s with serial number %s",
236 case choice_CMSIdentifier_subjectKeyIdentifier: {
237 KeyIdentifier *ki = &id->u.subjectKeyIdentifier;
241 len = hex_encode(ki->data, ki->length, &keyid);
245 asprintf(str, "certificate with id %s", keyid);
250 asprintf(str, "certificate have unknown CMSidentifier type");
259 find_CMSIdentifier(hx509_context context,
260 CMSIdentifier *client,
263 hx509_cert *signer_cert,
271 memset(&c, 0, sizeof(c));
272 _hx509_query_clear(&q);
276 switch (client->element) {
277 case choice_CMSIdentifier_issuerAndSerialNumber:
278 q.serial = &client->u.issuerAndSerialNumber.serialNumber;
279 q.issuer_name = &client->u.issuerAndSerialNumber.issuer;
280 q.match = HX509_QUERY_MATCH_SERIALNUMBER|HX509_QUERY_MATCH_ISSUER_NAME;
282 case choice_CMSIdentifier_subjectKeyIdentifier:
283 q.subject_id = &client->u.subjectKeyIdentifier;
284 q.match = HX509_QUERY_MATCH_SUBJECT_KEY_ID;
287 hx509_set_error_string(context, 0, HX509_CMS_NO_RECIPIENT_CERTIFICATE,
288 "unknown CMS identifier element");
289 return HX509_CMS_NO_RECIPIENT_CERTIFICATE;
294 q.match |= HX509_QUERY_MATCH_TIME;
296 q.timenow = time_now;
298 q.timenow = time(NULL);
300 ret = hx509_certs_find(context, certs, &q, &cert);
301 if (ret == HX509_CERT_NOT_FOUND) {
304 ret = unparse_CMSIdentifier(context, client, &str);
306 hx509_set_error_string(context, 0,
307 HX509_CMS_NO_RECIPIENT_CERTIFICATE,
308 "Failed to find %s", str);
310 hx509_clear_error_string(context);
311 return HX509_CMS_NO_RECIPIENT_CERTIFICATE;
313 hx509_set_error_string(context, HX509_ERROR_APPEND,
314 HX509_CMS_NO_RECIPIENT_CERTIFICATE,
315 "Failed to find CMS id in cert store");
316 return HX509_CMS_NO_RECIPIENT_CERTIFICATE;
325 * Decode and unencrypt EnvelopedData.
327 * Extract data and parameteres from from the EnvelopedData. Also
328 * supports using detached EnvelopedData.
330 * @param context A hx509 context.
331 * @param certs Certificate that can decrypt the EnvelopedData
333 * @param flags HX509_CMS_UE flags to control the behavior.
334 * @param data pointer the structure the contains the DER/BER encoded
335 * EnvelopedData stucture.
336 * @param length length of the data that data point to.
337 * @param encryptedContent in case of detached signature, this
338 * contains the actual encrypted data, othersize its should be NULL.
339 * @param time_now set the current time, if zero the library uses now as the date.
340 * @param contentType output type oid, should be freed with der_free_oid().
341 * @param content the data, free with der_free_octet_string().
347 hx509_cms_unenvelope(hx509_context context,
352 const heim_octet_string *encryptedContent,
354 heim_oid *contentType,
355 heim_octet_string *content)
357 heim_octet_string key;
360 AlgorithmIdentifier *ai;
361 const heim_octet_string *enccontent;
362 heim_octet_string *params, params_data;
363 heim_octet_string ivec;
365 int ret, i, matched = 0, findflags = 0;
368 memset(&key, 0, sizeof(key));
369 memset(&ed, 0, sizeof(ed));
370 memset(&ivec, 0, sizeof(ivec));
371 memset(content, 0, sizeof(*content));
372 memset(contentType, 0, sizeof(*contentType));
374 if ((flags & HX509_CMS_UE_DONT_REQUIRE_KU_ENCIPHERMENT) == 0)
375 findflags |= HX509_QUERY_KU_ENCIPHERMENT;
377 ret = decode_EnvelopedData(data, length, &ed, &size);
379 hx509_set_error_string(context, 0, ret,
380 "Failed to decode EnvelopedData");
384 if (ed.recipientInfos.len == 0) {
385 ret = HX509_CMS_NO_RECIPIENT_CERTIFICATE;
386 hx509_set_error_string(context, 0, ret,
387 "No recipient info in enveloped data");
391 enccontent = ed.encryptedContentInfo.encryptedContent;
392 if (enccontent == NULL) {
393 if (encryptedContent == NULL) {
394 ret = HX509_CMS_NO_DATA_AVAILABLE;
395 hx509_set_error_string(context, 0, ret,
396 "Content missing from encrypted data");
399 enccontent = encryptedContent;
400 } else if (encryptedContent != NULL) {
401 ret = HX509_CMS_NO_DATA_AVAILABLE;
402 hx509_set_error_string(context, 0, ret,
403 "Both internal and external encrypted data");
408 for (i = 0; i < ed.recipientInfos.len; i++) {
409 KeyTransRecipientInfo *ri;
413 ri = &ed.recipientInfos.val[i];
415 ret = find_CMSIdentifier(context, &ri->rid, certs,
417 HX509_QUERY_PRIVATE_KEY|findflags);
421 matched = 1; /* found a matching certificate, let decrypt */
423 ret = _hx509_cert_private_decrypt(context,
425 &ri->keyEncryptionAlgorithm.algorithm,
428 hx509_cert_free(cert);
430 break; /* succuessfully decrypted cert */
432 ret2 = unparse_CMSIdentifier(context, &ri->rid, &str);
434 hx509_set_error_string(context, HX509_ERROR_APPEND, ret,
435 "Failed to decrypt with %s", str);
441 ret = HX509_CMS_NO_RECIPIENT_CERTIFICATE;
442 hx509_set_error_string(context, 0, ret,
443 "No private key matched any certificate");
448 ret = HX509_CMS_NO_RECIPIENT_CERTIFICATE;
449 hx509_set_error_string(context, HX509_ERROR_APPEND, ret,
450 "No private key decrypted the transfer key");
454 ret = der_copy_oid(&ed.encryptedContentInfo.contentType, contentType);
456 hx509_set_error_string(context, 0, ret,
457 "Failed to copy EnvelopedData content oid");
461 ai = &ed.encryptedContentInfo.contentEncryptionAlgorithm;
462 if (ai->parameters) {
463 params_data.data = ai->parameters->data;
464 params_data.length = ai->parameters->length;
465 params = ¶ms_data;
472 ret = hx509_crypto_init(context, NULL, &ai->algorithm, &crypto);
476 if (flags & HX509_CMS_UE_ALLOW_WEAK)
477 hx509_crypto_allow_weak(crypto);
480 ret = hx509_crypto_set_params(context, crypto, params, &ivec);
482 hx509_crypto_destroy(crypto);
487 ret = hx509_crypto_set_key_data(crypto, key.data, key.length);
489 hx509_crypto_destroy(crypto);
490 hx509_set_error_string(context, 0, ret,
491 "Failed to set key for decryption "
496 ret = hx509_crypto_decrypt(crypto,
499 ivec.length ? &ivec : NULL,
501 hx509_crypto_destroy(crypto);
503 hx509_set_error_string(context, 0, ret,
504 "Failed to decrypt EnvelopedData");
511 free_EnvelopedData(&ed);
512 der_free_octet_string(&key);
514 der_free_octet_string(&ivec);
516 der_free_oid(contentType);
517 der_free_octet_string(content);
524 * Encrypt end encode EnvelopedData.
526 * Encrypt and encode EnvelopedData. The data is encrypted with a
527 * random key and the the random key is encrypted with the
528 * certificates private key. This limits what private key type can be
531 * @param context A hx509 context.
532 * @param flags flags to control the behavior.
533 * - HX509_CMS_EV_NO_KU_CHECK - Dont check KU on certificate
534 * - HX509_CMS_EV_ALLOW_WEAK - Allow weak crytpo
535 * - HX509_CMS_EV_ID_NAME - prefer issuer name and serial number
536 * @param cert Certificate to encrypt the EnvelopedData encryption key
538 * @param data pointer the data to encrypt.
539 * @param length length of the data that data point to.
540 * @param encryption_type Encryption cipher to use for the bulk data,
541 * use NULL to get default.
542 * @param contentType type of the data that is encrypted
543 * @param content the output of the function,
544 * free with der_free_octet_string().
550 hx509_cms_envelope_1(hx509_context context,
555 const heim_oid *encryption_type,
556 const heim_oid *contentType,
557 heim_octet_string *content)
559 KeyTransRecipientInfo *ri;
560 heim_octet_string ivec;
561 heim_octet_string key;
562 hx509_crypto crypto = NULL;
567 memset(&ivec, 0, sizeof(ivec));
568 memset(&key, 0, sizeof(key));
569 memset(&ed, 0, sizeof(ed));
570 memset(content, 0, sizeof(*content));
572 if (encryption_type == NULL)
573 encryption_type = &asn1_oid_id_aes_256_cbc;
575 if ((flags & HX509_CMS_EV_NO_KU_CHECK) == 0) {
576 ret = _hx509_check_key_usage(context, cert, 1 << 2, TRUE);
581 ret = hx509_crypto_init(context, NULL, encryption_type, &crypto);
585 if (flags & HX509_CMS_EV_ALLOW_WEAK)
586 hx509_crypto_allow_weak(crypto);
588 ret = hx509_crypto_set_random_key(crypto, &key);
590 hx509_set_error_string(context, 0, ret,
591 "Create random key for EnvelopedData content");
595 ret = hx509_crypto_random_iv(crypto, &ivec);
597 hx509_set_error_string(context, 0, ret,
598 "Failed to create a random iv");
602 ret = hx509_crypto_encrypt(crypto,
606 &ed.encryptedContentInfo.encryptedContent);
608 hx509_set_error_string(context, 0, ret,
609 "Failed to encrypt EnvelopedData content");
614 AlgorithmIdentifier *enc_alg;
615 enc_alg = &ed.encryptedContentInfo.contentEncryptionAlgorithm;
616 ret = der_copy_oid(encryption_type, &enc_alg->algorithm);
618 hx509_set_error_string(context, 0, ret,
619 "Failed to set crypto oid "
620 "for EnvelopedData");
623 ALLOC(enc_alg->parameters, 1);
624 if (enc_alg->parameters == NULL) {
626 hx509_set_error_string(context, 0, ret,
627 "Failed to allocate crypto paramaters "
628 "for EnvelopedData");
632 ret = hx509_crypto_get_params(context,
635 enc_alg->parameters);
641 ALLOC_SEQ(&ed.recipientInfos, 1);
642 if (ed.recipientInfos.val == NULL) {
644 hx509_set_error_string(context, 0, ret,
645 "Failed to allocate recipients info "
646 "for EnvelopedData");
650 ri = &ed.recipientInfos.val[0];
652 if (flags & HX509_CMS_EV_ID_NAME) {
654 cmsidflag = CMS_ID_NAME;
657 cmsidflag = CMS_ID_SKI;
660 ret = fill_CMSIdentifier(cert, cmsidflag, &ri->rid);
662 hx509_set_error_string(context, 0, ret,
663 "Failed to set CMS identifier info "
664 "for EnvelopedData");
668 ret = _hx509_cert_public_encrypt(context,
670 &ri->keyEncryptionAlgorithm.algorithm,
673 hx509_set_error_string(context, HX509_ERROR_APPEND, ret,
674 "Failed to encrypt transport key for "
684 ed.originatorInfo = NULL;
686 ret = der_copy_oid(contentType, &ed.encryptedContentInfo.contentType);
688 hx509_set_error_string(context, 0, ret,
689 "Failed to copy content oid for "
694 ed.unprotectedAttrs = NULL;
696 ASN1_MALLOC_ENCODE(EnvelopedData, content->data, content->length,
699 hx509_set_error_string(context, 0, ret,
700 "Failed to encode EnvelopedData");
703 if (size != content->length)
704 _hx509_abort("internal ASN.1 encoder error");
708 hx509_crypto_destroy(crypto);
710 der_free_octet_string(content);
711 der_free_octet_string(&key);
712 der_free_octet_string(&ivec);
713 free_EnvelopedData(&ed);
719 any_to_certs(hx509_context context, const SignedData *sd, hx509_certs certs)
723 if (sd->certificates == NULL)
726 for (i = 0; i < sd->certificates->len; i++) {
729 ret = hx509_cert_init_data(context,
730 sd->certificates->val[i].data,
731 sd->certificates->val[i].length,
735 ret = hx509_certs_add(context, certs, c);
744 static const Attribute *
745 find_attribute(const CMSAttributes *attr, const heim_oid *oid)
748 for (i = 0; i < attr->len; i++)
749 if (der_heim_oid_cmp(&attr->val[i].type, oid) == 0)
750 return &attr->val[i];
755 * Decode SignedData and verify that the signature is correct.
757 * @param context A hx509 context.
758 * @param ctx a hx509 verify context.
759 * @param flags to control the behaivor of the function.
760 * - HX509_CMS_VS_NO_KU_CHECK - Don't check KeyUsage
761 * - HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH - allow oid mismatch
762 * - HX509_CMS_VS_ALLOW_ZERO_SIGNER - no signer, see below.
763 * @param data pointer to CMS SignedData encoded data.
764 * @param length length of the data that data point to.
765 * @param signedContent external data used for signature.
766 * @param pool certificate pool to build certificates paths.
767 * @param contentType free with der_free_oid().
768 * @param content the output of the function, free with
769 * der_free_octet_string().
770 * @param signer_certs list of the cerficates used to sign this
771 * request, free with hx509_certs_free().
777 hx509_cms_verify_signed(hx509_context context,
778 hx509_verify_ctx ctx,
782 const heim_octet_string *signedContent,
784 heim_oid *contentType,
785 heim_octet_string *content,
786 hx509_certs *signer_certs)
788 SignerInfo *signer_info;
789 hx509_cert cert = NULL;
790 hx509_certs certs = NULL;
793 int ret, i, found_valid_sig;
795 *signer_certs = NULL;
796 content->data = NULL;
798 contentType->length = 0;
799 contentType->components = NULL;
801 memset(&sd, 0, sizeof(sd));
803 ret = decode_SignedData(data, length, &sd, &size);
805 hx509_set_error_string(context, 0, ret,
806 "Failed to decode SignedData");
810 if (sd.encapContentInfo.eContent == NULL && signedContent == NULL) {
811 ret = HX509_CMS_NO_DATA_AVAILABLE;
812 hx509_set_error_string(context, 0, ret,
813 "No content data in SignedData");
816 if (sd.encapContentInfo.eContent && signedContent) {
817 ret = HX509_CMS_NO_DATA_AVAILABLE;
818 hx509_set_error_string(context, 0, ret,
819 "Both external and internal SignedData");
823 if (sd.encapContentInfo.eContent)
824 ret = der_copy_octet_string(sd.encapContentInfo.eContent, content);
826 ret = der_copy_octet_string(signedContent, content);
828 hx509_set_error_string(context, 0, ret, "malloc: out of memory");
832 ret = hx509_certs_init(context, "MEMORY:cms-cert-buffer",
837 ret = hx509_certs_init(context, "MEMORY:cms-signer-certs",
838 0, NULL, signer_certs);
842 /* XXX Check CMS version */
844 ret = any_to_certs(context, &sd, certs);
849 ret = hx509_certs_merge(context, certs, pool);
854 for (found_valid_sig = 0, i = 0; i < sd.signerInfos.len; i++) {
855 heim_octet_string signed_data;
856 const heim_oid *match_oid;
859 signer_info = &sd.signerInfos.val[i];
862 if (signer_info->signature.length == 0) {
863 ret = HX509_CMS_MISSING_SIGNER_DATA;
864 hx509_set_error_string(context, 0, ret,
865 "SignerInfo %d in SignedData "
866 "missing sigature", i);
870 ret = find_CMSIdentifier(context, &signer_info->sid, certs,
871 _hx509_verify_get_time(ctx), &cert,
872 HX509_QUERY_KU_DIGITALSIGNATURE);
875 * If HX509_CMS_VS_NO_KU_CHECK is set, allow more liberal
876 * search for matching certificates by not considering
877 * KeyUsage bits on the certificates.
879 if ((flags & HX509_CMS_VS_NO_KU_CHECK) == 0)
882 ret = find_CMSIdentifier(context, &signer_info->sid, certs,
883 _hx509_verify_get_time(ctx), &cert,
890 if (signer_info->signedAttrs) {
891 const Attribute *attr;
894 heim_octet_string os;
896 sa.val = signer_info->signedAttrs->val;
897 sa.len = signer_info->signedAttrs->len;
899 /* verify that sigature exists */
900 attr = find_attribute(&sa, &asn1_oid_id_pkcs9_messageDigest);
902 ret = HX509_CRYPTO_SIGNATURE_MISSING;
903 hx509_set_error_string(context, 0, ret,
904 "SignerInfo have signed attributes "
905 "but messageDigest (signature) "
909 if (attr->value.len != 1) {
910 ret = HX509_CRYPTO_SIGNATURE_MISSING;
911 hx509_set_error_string(context, 0, ret,
912 "SignerInfo have more then one "
913 "messageDigest (signature)");
917 ret = decode_MessageDigest(attr->value.val[0].data,
918 attr->value.val[0].length,
922 hx509_set_error_string(context, 0, ret,
924 "messageDigest (signature)");
928 ret = _hx509_verify_signature(context,
930 &signer_info->digestAlgorithm,
933 der_free_octet_string(&os);
935 hx509_set_error_string(context, HX509_ERROR_APPEND, ret,
936 "Failed to verify messageDigest");
941 * Fetch content oid inside signedAttrs or set it to
944 attr = find_attribute(&sa, &asn1_oid_id_pkcs9_contentType);
946 match_oid = &asn1_oid_id_pkcs7_data;
948 if (attr->value.len != 1) {
949 ret = HX509_CMS_DATA_OID_MISMATCH;
950 hx509_set_error_string(context, 0, ret,
951 "More then one oid in signedAttrs");
955 ret = decode_ContentType(attr->value.val[0].data,
956 attr->value.val[0].length,
960 hx509_set_error_string(context, 0, ret,
962 "oid in signedAttrs");
965 match_oid = &decode_oid;
968 ASN1_MALLOC_ENCODE(CMSAttributes,
974 if (match_oid == &decode_oid)
975 der_free_oid(&decode_oid);
976 hx509_clear_error_string(context);
979 if (size != signed_data.length)
980 _hx509_abort("internal ASN.1 encoder error");
983 signed_data.data = content->data;
984 signed_data.length = content->length;
985 match_oid = &asn1_oid_id_pkcs7_data;
989 * If HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH, allow
990 * encapContentInfo mismatch with the oid in signedAttributes
991 * (or if no signedAttributes where use, pkcs7-data oid).
992 * This is only needed to work with broken CMS implementations
993 * that doesn't follow CMS signedAttributes rules.
996 if (der_heim_oid_cmp(match_oid, &sd.encapContentInfo.eContentType) &&
997 (flags & HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH) == 0) {
998 ret = HX509_CMS_DATA_OID_MISMATCH;
999 hx509_set_error_string(context, 0, ret,
1000 "Oid in message mismatch from the expected");
1002 if (match_oid == &decode_oid)
1003 der_free_oid(&decode_oid);
1006 ret = hx509_verify_signature(context,
1008 &signer_info->signatureAlgorithm,
1010 &signer_info->signature);
1012 hx509_set_error_string(context, HX509_ERROR_APPEND, ret,
1013 "Failed to verify signature in "
1016 if (signer_info->signedAttrs)
1017 free(signed_data.data);
1022 * If HX509_CMS_VS_NO_VALIDATE flags is set, do not verify the
1023 * signing certificates and leave that up to the caller.
1026 if ((flags & HX509_CMS_VS_NO_VALIDATE) == 0) {
1027 ret = hx509_verify_path(context, ctx, cert, certs);
1032 ret = hx509_certs_add(context, *signer_certs, cert);
1040 hx509_cert_free(cert);
1044 * If HX509_CMS_VS_ALLOW_ZERO_SIGNER is set, allow empty
1045 * SignerInfo (no signatures). If SignedData have no signatures,
1046 * the function will return 0 with signer_certs set to NULL. Zero
1047 * signers is allowed by the standard, but since its only useful
1048 * in corner cases, it make into a flag that the caller have to
1051 if (sd.signerInfos.len == 0 && (flags & HX509_CMS_VS_ALLOW_ZERO_SIGNER)) {
1053 hx509_certs_free(signer_certs);
1054 } else if (found_valid_sig == 0) {
1056 ret = HX509_CMS_SIGNER_NOT_FOUND;
1057 hx509_set_error_string(context, 0, ret,
1058 "No signers where found");
1063 ret = der_copy_oid(&sd.encapContentInfo.eContentType, contentType);
1065 hx509_clear_error_string(context);
1070 free_SignedData(&sd);
1072 hx509_certs_free(&certs);
1075 der_free_octet_string(content);
1077 hx509_certs_free(signer_certs);
1078 der_free_oid(contentType);
1079 der_free_octet_string(content);
1086 add_one_attribute(Attribute **attr,
1088 const heim_oid *oid,
1089 heim_octet_string *data)
1094 d = realloc(*attr, sizeof((*attr)[0]) * (*len + 1));
1099 ret = der_copy_oid(oid, &(*attr)[*len].type);
1103 ALLOC_SEQ(&(*attr)[*len].value, 1);
1104 if ((*attr)[*len].value.val == NULL) {
1105 der_free_oid(&(*attr)[*len].type);
1109 (*attr)[*len].value.val[0].data = data->data;
1110 (*attr)[*len].value.val[0].length = data->length;
1118 * Decode SignedData and verify that the signature is correct.
1120 * @param context A hx509 context.
1122 * @param eContentType the type of the data.
1123 * @param data data to sign
1124 * @param length length of the data that data point to.
1125 * @param digest_alg digest algorithm to use, use NULL to get the
1126 * default or the peer determined algorithm.
1127 * @param cert certificate to use for sign the data.
1128 * @param peer info about the peer the message to send the message to,
1129 * like what digest algorithm to use.
1130 * @param anchors trust anchors that the client will use, used to
1131 * polulate the certificates included in the message
1132 * @param pool certificates to use in try to build the path to the
1134 * @param signed_data the output of the function, free with
1135 * der_free_octet_string().
1137 * @ingroup hx509_cms
1141 hx509_cms_create_signed_1(hx509_context context,
1143 const heim_oid *eContentType,
1144 const void *data, size_t length,
1145 const AlgorithmIdentifier *digest_alg,
1147 hx509_peer_info peer,
1148 hx509_certs anchors,
1150 heim_octet_string *signed_data)
1155 signed_data->data = NULL;
1156 signed_data->length = 0;
1158 ret = hx509_certs_init(context, "MEMORY:certs", 0, NULL, &certs);
1161 ret = hx509_certs_add(context, certs, cert);
1165 ret = hx509_cms_create_signed(context, flags, eContentType, data, length,
1166 digest_alg, certs, peer, anchors, pool,
1170 hx509_certs_free(&certs);
1176 const AlgorithmIdentifier *digest_alg;
1177 const heim_oid *eContentType;
1178 heim_octet_string content;
1179 hx509_peer_info peer;
1183 hx509_certs anchors;
1188 sig_process(hx509_context context, void *ctx, hx509_cert cert)
1190 struct sigctx *sigctx = ctx;
1191 heim_octet_string buf, sigdata = { 0, NULL };
1192 SignerInfo *signer_info = NULL;
1193 AlgorithmIdentifier digest;
1197 SignedData *sd = &sigctx->sd;
1200 memset(&digest, 0, sizeof(digest));
1201 memset(&path, 0, sizeof(path));
1203 if (_hx509_cert_private_key(cert) == NULL) {
1204 hx509_set_error_string(context, 0, HX509_PRIVATE_KEY_MISSING,
1205 "Private key missing for signing");
1206 return HX509_PRIVATE_KEY_MISSING;
1209 if (sigctx->digest_alg) {
1210 ret = copy_AlgorithmIdentifier(sigctx->digest_alg, &digest);
1212 hx509_clear_error_string(context);
1214 ret = hx509_crypto_select(context, HX509_SELECT_DIGEST,
1215 _hx509_cert_private_key(cert),
1216 sigctx->peer, &digest);
1222 * Allocate on more signerInfo and do the signature processing
1225 ptr = realloc(sd->signerInfos.val,
1226 (sd->signerInfos.len + 1) * sizeof(sd->signerInfos.val[0]));
1231 sd->signerInfos.val = ptr;
1233 signer_info = &sd->signerInfos.val[sd->signerInfos.len];
1235 memset(signer_info, 0, sizeof(*signer_info));
1237 signer_info->version = 1;
1239 ret = fill_CMSIdentifier(cert, sigctx->cmsidflag, &signer_info->sid);
1241 hx509_clear_error_string(context);
1245 signer_info->signedAttrs = NULL;
1246 signer_info->unsignedAttrs = NULL;
1248 ret = copy_AlgorithmIdentifier(&digest, &signer_info->digestAlgorithm);
1250 hx509_clear_error_string(context);
1255 * If it isn't pkcs7-data send signedAttributes
1258 if (der_heim_oid_cmp(sigctx->eContentType, &asn1_oid_id_pkcs7_data) != 0) {
1260 heim_octet_string sig;
1262 ALLOC(signer_info->signedAttrs, 1);
1263 if (signer_info->signedAttrs == NULL) {
1268 ret = _hx509_create_signature(context,
1277 ASN1_MALLOC_ENCODE(MessageDigest,
1283 der_free_octet_string(&sig);
1285 hx509_clear_error_string(context);
1288 if (size != buf.length)
1289 _hx509_abort("internal ASN.1 encoder error");
1291 ret = add_one_attribute(&signer_info->signedAttrs->val,
1292 &signer_info->signedAttrs->len,
1293 &asn1_oid_id_pkcs9_messageDigest,
1297 hx509_clear_error_string(context);
1302 ASN1_MALLOC_ENCODE(ContentType,
1305 sigctx->eContentType,
1310 if (size != buf.length)
1311 _hx509_abort("internal ASN.1 encoder error");
1313 ret = add_one_attribute(&signer_info->signedAttrs->val,
1314 &signer_info->signedAttrs->len,
1315 &asn1_oid_id_pkcs9_contentType,
1319 hx509_clear_error_string(context);
1323 sa.val = signer_info->signedAttrs->val;
1324 sa.len = signer_info->signedAttrs->len;
1326 ASN1_MALLOC_ENCODE(CMSAttributes,
1333 hx509_clear_error_string(context);
1336 if (size != sigdata.length)
1337 _hx509_abort("internal ASN.1 encoder error");
1339 sigdata.data = sigctx->content.data;
1340 sigdata.length = sigctx->content.length;
1344 AlgorithmIdentifier sigalg;
1346 ret = hx509_crypto_select(context, HX509_SELECT_PUBLIC_SIG,
1347 _hx509_cert_private_key(cert), sigctx->peer,
1352 ret = _hx509_create_signature(context,
1353 _hx509_cert_private_key(cert),
1356 &signer_info->signatureAlgorithm,
1357 &signer_info->signature);
1358 free_AlgorithmIdentifier(&sigalg);
1363 sigctx->sd.signerInfos.len++;
1367 * Provide best effort path
1369 if (sigctx->certs) {
1372 if (sigctx->pool && sigctx->leafonly == 0) {
1373 _hx509_calculate_path(context,
1374 HX509_CALCULATE_PATH_NO_ANCHOR,
1382 _hx509_path_append(context, &path, cert);
1384 for (i = 0; i < path.len; i++) {
1385 /* XXX remove dups */
1386 ret = hx509_certs_add(context, sigctx->certs, path.val[i]);
1388 hx509_clear_error_string(context);
1396 free_SignerInfo(signer_info);
1397 if (sigdata.data != sigctx->content.data)
1398 der_free_octet_string(&sigdata);
1399 _hx509_path_free(&path);
1400 free_AlgorithmIdentifier(&digest);
1406 cert_process(hx509_context context, void *ctx, hx509_cert cert)
1408 struct sigctx *sigctx = ctx;
1409 const unsigned int i = sigctx->sd.certificates->len;
1413 ptr = realloc(sigctx->sd.certificates->val,
1414 (i + 1) * sizeof(sigctx->sd.certificates->val[0]));
1417 sigctx->sd.certificates->val = ptr;
1419 ret = hx509_cert_binary(context, cert,
1420 &sigctx->sd.certificates->val[i]);
1422 sigctx->sd.certificates->len++;
1428 cmp_AlgorithmIdentifier(const AlgorithmIdentifier *p, const AlgorithmIdentifier *q)
1430 return der_heim_oid_cmp(&p->algorithm, &q->algorithm);
1434 hx509_cms_create_signed(hx509_context context,
1436 const heim_oid *eContentType,
1437 const void *data, size_t length,
1438 const AlgorithmIdentifier *digest_alg,
1440 hx509_peer_info peer,
1441 hx509_certs anchors,
1443 heim_octet_string *signed_data)
1449 struct sigctx sigctx;
1451 memset(&sigctx, 0, sizeof(sigctx));
1452 memset(&name, 0, sizeof(name));
1454 if (eContentType == NULL)
1455 eContentType = &asn1_oid_id_pkcs7_data;
1457 sigctx.digest_alg = digest_alg;
1458 sigctx.content.data = rk_UNCONST(data);
1459 sigctx.content.length = length;
1460 sigctx.eContentType = eContentType;
1463 * Use HX509_CMS_SIGNATURE_ID_NAME to preferred use of issuer name
1464 * and serial number if possible. Otherwise subject key identifier
1467 if (flags & HX509_CMS_SIGNATURE_ID_NAME)
1468 sigctx.cmsidflag = CMS_ID_NAME;
1470 sigctx.cmsidflag = CMS_ID_SKI;
1473 * Use HX509_CMS_SIGNATURE_LEAF_ONLY to only request leaf
1474 * certificates to be added to the SignedData.
1476 sigctx.leafonly = (flags & HX509_CMS_SIGNATURE_LEAF_ONLY) ? 1 : 0;
1479 * Use HX509_CMS_NO_CERTS to make the SignedData contain no
1480 * certificates, overrides HX509_CMS_SIGNATURE_LEAF_ONLY.
1483 if ((flags & HX509_CMS_SIGNATURE_NO_CERTS) == 0) {
1484 ret = hx509_certs_init(context, "MEMORY:certs", 0, NULL, &sigctx.certs);
1489 sigctx.anchors = anchors;
1492 sigctx.sd.version = CMSVersion_v3;
1494 der_copy_oid(eContentType, &sigctx.sd.encapContentInfo.eContentType);
1497 * Use HX509_CMS_SIGNATURE_DETACHED to create detached signatures.
1499 if ((flags & HX509_CMS_SIGNATURE_DETACHED) == 0) {
1500 ALLOC(sigctx.sd.encapContentInfo.eContent, 1);
1501 if (sigctx.sd.encapContentInfo.eContent == NULL) {
1502 hx509_clear_error_string(context);
1507 sigctx.sd.encapContentInfo.eContent->data = malloc(length);
1508 if (sigctx.sd.encapContentInfo.eContent->data == NULL) {
1509 hx509_clear_error_string(context);
1513 memcpy(sigctx.sd.encapContentInfo.eContent->data, data, length);
1514 sigctx.sd.encapContentInfo.eContent->length = length;
1518 * Use HX509_CMS_SIGNATURE_NO_SIGNER to create no sigInfo (no
1521 if ((flags & HX509_CMS_SIGNATURE_NO_SIGNER) == 0) {
1522 ret = hx509_certs_iter_f(context, certs, sig_process, &sigctx);
1527 if (sigctx.sd.signerInfos.len) {
1528 for (i = 0; i < sigctx.sd.signerInfos.len; i++) {
1529 AlgorithmIdentifier *di =
1530 &sigctx.sd.signerInfos.val[i].digestAlgorithm;
1532 for (j = 0; j < sigctx.sd.digestAlgorithms.len; j++)
1533 if (cmp_AlgorithmIdentifier(di, &sigctx.sd.digestAlgorithms.val[j]) == 0)
1535 if (j < sigctx.sd.digestAlgorithms.len) {
1536 ret = add_DigestAlgorithmIdentifiers(&sigctx.sd.digestAlgorithms, di);
1538 hx509_clear_error_string(context);
1546 ALLOC(sigctx.sd.certificates, 1);
1547 if (sigctx.sd.certificates == NULL) {
1548 hx509_clear_error_string(context);
1553 ret = hx509_certs_iter_f(context, sigctx.certs, cert_process, &sigctx);
1558 ASN1_MALLOC_ENCODE(SignedData,
1559 signed_data->data, signed_data->length,
1560 &sigctx.sd, &size, ret);
1562 hx509_clear_error_string(context);
1565 if (signed_data->length != size)
1566 _hx509_abort("internal ASN.1 encoder error");
1569 hx509_certs_free(&sigctx.certs);
1570 free_SignedData(&sigctx.sd);
1576 hx509_cms_decrypt_encrypted(hx509_context context,
1580 heim_oid *contentType,
1581 heim_octet_string *content)
1583 heim_octet_string cont;
1584 CMSEncryptedData ed;
1585 AlgorithmIdentifier *ai;
1588 memset(content, 0, sizeof(*content));
1589 memset(&cont, 0, sizeof(cont));
1591 ret = decode_CMSEncryptedData(data, length, &ed, NULL);
1593 hx509_set_error_string(context, 0, ret,
1594 "Failed to decode CMSEncryptedData");
1598 if (ed.encryptedContentInfo.encryptedContent == NULL) {
1599 ret = HX509_CMS_NO_DATA_AVAILABLE;
1600 hx509_set_error_string(context, 0, ret,
1601 "No content in EncryptedData");
1605 ret = der_copy_oid(&ed.encryptedContentInfo.contentType, contentType);
1607 hx509_clear_error_string(context);
1611 ai = &ed.encryptedContentInfo.contentEncryptionAlgorithm;
1612 if (ai->parameters == NULL) {
1613 ret = HX509_ALG_NOT_SUPP;
1614 hx509_clear_error_string(context);
1618 ret = _hx509_pbe_decrypt(context,
1621 ed.encryptedContentInfo.encryptedContent,
1633 free_CMSEncryptedData(&ed);
git.samba.org / samba.git / blob