Move PKCS#7 functions into their own directory. A follow-up change will add a CRYPTO_BUFFER variant. This makes the naming match the header and doesn't require including x509.h. (Though like ssl.h and pkcs8.h, some of the functions are implemented with code that depends on crypto/x509.) Change-Id: I5a7de209f4f775fe0027893f711326d89699ca1f Reviewed-on: https://boringssl-review.googlesource.com/15128 Commit-Queue: Steven Valdez <svaldez@google.com> Reviewed-by: Steven Valdez <svaldez@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
diff --git a/crypto/CMakeLists.txt b/crypto/CMakeLists.txt index ef8c2d4..e4b559a 100644 --- a/crypto/CMakeLists.txt +++ b/crypto/CMakeLists.txt
@@ -116,6 +116,7 @@ add_subdirectory(x509v3) # Level 4 +add_subdirectory(pkcs7) add_subdirectory(pkcs8) # Test support code @@ -194,6 +195,7 @@ $<TARGET_OBJECTS:pem> $<TARGET_OBJECTS:x509> $<TARGET_OBJECTS:x509v3> + $<TARGET_OBJECTS:pkcs7> $<TARGET_OBJECTS:pkcs8_lib> ${CRYPTO_FIPS_OBJECTS}
diff --git a/crypto/err/CMakeLists.txt b/crypto/err/CMakeLists.txt index 579a35b..91c6f6e 100644 --- a/crypto/err/CMakeLists.txt +++ b/crypto/err/CMakeLists.txt
@@ -21,6 +21,7 @@ hkdf.errordata obj.errordata pem.errordata + pkcs7.errordata pkcs8.errordata rsa.errordata ssl.errordata
diff --git a/crypto/err/pkcs7.errordata b/crypto/err/pkcs7.errordata new file mode 100644 index 0000000..7080bd9 --- /dev/null +++ b/crypto/err/pkcs7.errordata
@@ -0,0 +1,4 @@ +PKCS7,100,BAD_PKCS7_VERSION +PKCS7,101,NOT_PKCS7_SIGNED_DATA +PKCS7,102,NO_CERTIFICATES_INCLUDED +PKCS7,103,NO_CRLS_INCLUDED
diff --git a/crypto/pkcs7/CMakeLists.txt b/crypto/pkcs7/CMakeLists.txt new file mode 100644 index 0000000..d97957a --- /dev/null +++ b/crypto/pkcs7/CMakeLists.txt
@@ -0,0 +1,20 @@ +include_directories(../../include) + +add_library( + pkcs7 + + OBJECT + + pkcs7.c +) + +add_executable( + pkcs7_test + + pkcs7_test.c + + $<TARGET_OBJECTS:test_support> +) + +target_link_libraries(pkcs7_test crypto) +add_dependencies(all_tests pkcs7_test)
diff --git a/crypto/x509/pkcs7.c b/crypto/pkcs7/pkcs7.c similarity index 97% rename from crypto/x509/pkcs7.c rename to crypto/pkcs7/pkcs7.c index dc3ea7d..b40ab9b 100644 --- a/crypto/x509/pkcs7.c +++ b/crypto/pkcs7/pkcs7.c
@@ -12,7 +12,7 @@ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -#include <openssl/x509.h> +#include <openssl/pkcs7.h> #include <assert.h> #include <limits.h> @@ -23,6 +23,7 @@ #include <openssl/obj.h> #include <openssl/pem.h> #include <openssl/stack.h> +#include <openssl/x509.h> #include "../bytestring/internal.h" @@ -67,7 +68,7 @@ if (!CBS_mem_equal(&content_type, kPKCS7SignedData, sizeof(kPKCS7SignedData))) { - OPENSSL_PUT_ERROR(X509, X509_R_NOT_PKCS7_SIGNED_DATA); + OPENSSL_PUT_ERROR(PKCS7, PKCS7_R_NOT_PKCS7_SIGNED_DATA); goto err; } @@ -82,7 +83,7 @@ } if (version < 1) { - OPENSSL_PUT_ERROR(X509, X509_R_BAD_PKCS7_VERSION); + OPENSSL_PUT_ERROR(PKCS7, PKCS7_R_BAD_PKCS7_VERSION); goto err; } @@ -108,7 +109,7 @@ /* See https://tools.ietf.org/html/rfc2315#section-9.1 */ if (!CBS_get_asn1(&signed_data, &certificates, CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0)) { - OPENSSL_PUT_ERROR(X509, X509_R_NO_CERTIFICATES_INCLUDED); + OPENSSL_PUT_ERROR(PKCS7, PKCS7_R_NO_CERTIFICATES_INCLUDED); goto err; } @@ -176,7 +177,7 @@ if (!CBS_get_asn1(&signed_data, &crls, CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 1)) { - OPENSSL_PUT_ERROR(X509, X509_R_NO_CRLS_INCLUDED); + OPENSSL_PUT_ERROR(PKCS7, PKCS7_R_NO_CRLS_INCLUDED); goto err; }
diff --git a/crypto/x509/pkcs7_test.c b/crypto/pkcs7/pkcs7_test.c similarity index 99% rename from crypto/x509/pkcs7_test.c rename to crypto/pkcs7/pkcs7_test.c index f620b9b..486fdc8 100644 --- a/crypto/x509/pkcs7_test.c +++ b/crypto/pkcs7/pkcs7_test.c
@@ -19,6 +19,7 @@ #include <openssl/bytestring.h> #include <openssl/crypto.h> #include <openssl/mem.h> +#include <openssl/pkcs7.h> #include <openssl/stack.h> #include <openssl/x509.h>
diff --git a/crypto/x509/CMakeLists.txt b/crypto/x509/CMakeLists.txt index 5d82e0a..0d8c98c 100644 --- a/crypto/x509/CMakeLists.txt +++ b/crypto/x509/CMakeLists.txt
@@ -14,7 +14,6 @@ by_dir.c by_file.c i2d_pr.c - pkcs7.c rsa_pss.c t_crl.c t_req.c @@ -59,14 +58,6 @@ ) add_executable( - pkcs7_test - - pkcs7_test.c - - $<TARGET_OBJECTS:test_support> -) - -add_executable( x509_test x509_test.cc @@ -74,6 +65,5 @@ $<TARGET_OBJECTS:test_support> ) -target_link_libraries(pkcs7_test crypto) target_link_libraries(x509_test crypto) -add_dependencies(all_tests pkcs7_test x509_test) +add_dependencies(all_tests x509_test)
diff --git a/include/openssl/pkcs7.h b/include/openssl/pkcs7.h index 6e5e433..f507ab6 100644 --- a/include/openssl/pkcs7.h +++ b/include/openssl/pkcs7.h
@@ -12,5 +12,65 @@ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* This header is provided in order to make compiling against code that expects - OpenSSL easier. */ +#ifndef OPENSSL_HEADER_PKCS7_H +#define OPENSSL_HEADER_PKCS7_H + +#include <openssl/base.h> + +#include <openssl/stack.h> + +#if defined(__cplusplus) +extern "C" { +#endif + + +/* PKCS#7. + * + * This library contains functions for extracting information from PKCS#7 + * structures (RFC 2315). */ + +DECLARE_STACK_OF(X509) +DECLARE_STACK_OF(X509_CRL) + +/* PKCS7_get_certificates parses a PKCS#7, SignedData structure from |cbs| and + * appends the included certificates to |out_certs|. It returns one on success + * and zero on error. */ +OPENSSL_EXPORT int PKCS7_get_certificates(STACK_OF(X509) *out_certs, CBS *cbs); + +/* PKCS7_bundle_certificates appends a PKCS#7, SignedData structure containing + * |certs| to |out|. It returns one on success and zero on error. */ +OPENSSL_EXPORT int PKCS7_bundle_certificates( + CBB *out, const STACK_OF(X509) *certs); + +/* PKCS7_get_CRLs parses a PKCS#7, SignedData structure from |cbs| and appends + * the included CRLs to |out_crls|. It returns one on success and zero on + * error. */ +OPENSSL_EXPORT int PKCS7_get_CRLs(STACK_OF(X509_CRL) *out_crls, CBS *cbs); + +/* PKCS7_bundle_CRLs appends a PKCS#7, SignedData structure containing + * |crls| to |out|. It returns one on success and zero on error. */ +OPENSSL_EXPORT int PKCS7_bundle_CRLs(CBB *out, const STACK_OF(X509_CRL) *crls); + +/* PKCS7_get_PEM_certificates reads a PEM-encoded, PKCS#7, SignedData structure + * from |pem_bio| and appends the included certificates to |out_certs|. It + * returns one on success and zero on error. */ +OPENSSL_EXPORT int PKCS7_get_PEM_certificates(STACK_OF(X509) *out_certs, + BIO *pem_bio); + +/* PKCS7_get_PEM_CRLs reads a PEM-encoded, PKCS#7, SignedData structure from + * |pem_bio| and appends the included CRLs to |out_crls|. It returns one on + * success and zero on error. */ +OPENSSL_EXPORT int PKCS7_get_PEM_CRLs(STACK_OF(X509_CRL) *out_crls, + BIO *pem_bio); + + +#if defined(__cplusplus) +} /* extern C */ +#endif + +#define PKCS7_R_BAD_PKCS7_VERSION 100 +#define PKCS7_R_NOT_PKCS7_SIGNED_DATA 101 +#define PKCS7_R_NO_CERTIFICATES_INCLUDED 102 +#define PKCS7_R_NO_CRLS_INCLUDED 103 + +#endif /* OPENSSL_HEADER_PKCS7_H */
diff --git a/include/openssl/x509.h b/include/openssl/x509.h index 44b3b7b..914b275 100644 --- a/include/openssl/x509.h +++ b/include/openssl/x509.h
@@ -77,6 +77,7 @@ #include <openssl/ec.h> #include <openssl/evp.h> #include <openssl/obj.h> +#include <openssl/pkcs7.h> #include <openssl/pool.h> #include <openssl/rsa.h> #include <openssl/sha.h> @@ -1115,37 +1116,6 @@ DECLARE_ASN1_FUNCTIONS(RSA_PSS_PARAMS) -/* PKCS7_get_certificates parses a PKCS#7, SignedData structure from |cbs| and - * appends the included certificates to |out_certs|. It returns one on success - * and zero on error. */ -OPENSSL_EXPORT int PKCS7_get_certificates(STACK_OF(X509) *out_certs, CBS *cbs); - -/* PKCS7_bundle_certificates appends a PKCS#7, SignedData structure containing - * |certs| to |out|. It returns one on success and zero on error. */ -OPENSSL_EXPORT int PKCS7_bundle_certificates( - CBB *out, const STACK_OF(X509) *certs); - -/* PKCS7_get_CRLs parses a PKCS#7, SignedData structure from |cbs| and appends - * the included CRLs to |out_crls|. It returns one on success and zero on - * error. */ -OPENSSL_EXPORT int PKCS7_get_CRLs(STACK_OF(X509_CRL) *out_crls, CBS *cbs); - -/* PKCS7_bundle_CRLs appends a PKCS#7, SignedData structure containing - * |crls| to |out|. It returns one on success and zero on error. */ -OPENSSL_EXPORT int PKCS7_bundle_CRLs(CBB *out, const STACK_OF(X509_CRL) *crls); - -/* PKCS7_get_PEM_certificates reads a PEM-encoded, PKCS#7, SignedData structure - * from |pem_bio| and appends the included certificates to |out_certs|. It - * returns one on success and zero on error. */ -OPENSSL_EXPORT int PKCS7_get_PEM_certificates(STACK_OF(X509) *out_certs, - BIO *pem_bio); - -/* PKCS7_get_PEM_CRLs reads a PEM-encoded, PKCS#7, SignedData structure from - * |pem_bio| and appends the included CRLs to |out_crls|. It returns one on - * success and zero on error. */ -OPENSSL_EXPORT int PKCS7_get_PEM_CRLs(STACK_OF(X509_CRL) *out_crls, - BIO *pem_bio); - /* EVP_PK values indicate the algorithm of the public key in a certificate. */ #define EVP_PK_RSA 0x0001
diff --git a/util/all_tests.json b/util/all_tests.json index ebc632d..ad85dea 100644 --- a/util/all_tests.json +++ b/util/all_tests.json
@@ -63,6 +63,7 @@ ["crypto/lhash/lhash_test"], ["crypto/modes/gcm_test"], ["crypto/obj/obj_test"], + ["crypto/pkcs7/pkcs7_test"], ["crypto/pkcs8/pkcs12_test"], ["crypto/pkcs8/pkcs8_test"], ["crypto/poly1305/poly1305_test", "crypto/poly1305/poly1305_tests.txt"], @@ -70,7 +71,6 @@ ["crypto/rand/ctrdrbg_vector_test", "crypto/rand/ctrdrbg_vectors.txt"], ["crypto/refcount_test"], ["crypto/thread_test"], - ["crypto/x509/pkcs7_test"], ["crypto/x509/x509_test"], ["crypto/x509v3/tab_test"], ["crypto/x509v3/v3name_test"],