| /* Copyright (c) 2017, Google Inc. |
| * |
| * Permission to use, copy, modify, and/or distribute this software for any |
| * purpose with or without fee is hereby granted, provided that the above |
| * copyright notice and this permission notice appear in all copies. |
| * |
| * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
| * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
| * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY |
| * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
| * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION |
| * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN |
| * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ |
| |
| #include <openssl/pkcs7.h> |
| |
| #include <assert.h> |
| #include <limits.h> |
| |
| #include <openssl/bytestring.h> |
| #include <openssl/err.h> |
| #include <openssl/mem.h> |
| #include <openssl/obj.h> |
| #include <openssl/pem.h> |
| #include <openssl/pool.h> |
| #include <openssl/stack.h> |
| #include <openssl/x509.h> |
| |
| #include "internal.h" |
| #include "../internal.h" |
| |
| |
| int PKCS7_get_certificates(STACK_OF(X509) *out_certs, CBS *cbs) { |
| int ret = 0; |
| const size_t initial_certs_len = sk_X509_num(out_certs); |
| STACK_OF(CRYPTO_BUFFER) *raw = sk_CRYPTO_BUFFER_new_null(); |
| if (raw == NULL || |
| !PKCS7_get_raw_certificates(raw, cbs, NULL)) { |
| goto err; |
| } |
| |
| for (size_t i = 0; i < sk_CRYPTO_BUFFER_num(raw); i++) { |
| CRYPTO_BUFFER *buf = sk_CRYPTO_BUFFER_value(raw, i); |
| X509 *x509 = X509_parse_from_buffer(buf); |
| if (x509 == NULL || |
| !sk_X509_push(out_certs, x509)) { |
| X509_free(x509); |
| goto err; |
| } |
| } |
| |
| ret = 1; |
| |
| err: |
| sk_CRYPTO_BUFFER_pop_free(raw, CRYPTO_BUFFER_free); |
| if (!ret) { |
| while (sk_X509_num(out_certs) != initial_certs_len) { |
| X509 *x509 = sk_X509_pop(out_certs); |
| X509_free(x509); |
| } |
| } |
| |
| return ret; |
| } |
| |
| int PKCS7_get_CRLs(STACK_OF(X509_CRL) *out_crls, CBS *cbs) { |
| CBS signed_data, crls; |
| uint8_t *der_bytes = NULL; |
| int ret = 0, has_crls; |
| const size_t initial_crls_len = sk_X509_CRL_num(out_crls); |
| |
| // See https://tools.ietf.org/html/rfc2315#section-9.1 |
| if (!pkcs7_parse_header(&der_bytes, &signed_data, cbs) || |
| // Even if only CRLs are included, there may be an empty certificates |
| // block. OpenSSL does this, for example. |
| !CBS_get_optional_asn1( |
| &signed_data, NULL, NULL, |
| CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0) || |
| !CBS_get_optional_asn1( |
| &signed_data, &crls, &has_crls, |
| CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 1)) { |
| goto err; |
| } |
| |
| if (!has_crls) { |
| CBS_init(&crls, NULL, 0); |
| } |
| |
| while (CBS_len(&crls) > 0) { |
| CBS crl_data; |
| X509_CRL *crl; |
| const uint8_t *inp; |
| |
| if (!CBS_get_asn1_element(&crls, &crl_data, CBS_ASN1_SEQUENCE)) { |
| goto err; |
| } |
| |
| if (CBS_len(&crl_data) > LONG_MAX) { |
| goto err; |
| } |
| inp = CBS_data(&crl_data); |
| crl = d2i_X509_CRL(NULL, &inp, (long)CBS_len(&crl_data)); |
| if (!crl) { |
| goto err; |
| } |
| |
| assert(inp == CBS_data(&crl_data) + CBS_len(&crl_data)); |
| |
| if (sk_X509_CRL_push(out_crls, crl) == 0) { |
| X509_CRL_free(crl); |
| goto err; |
| } |
| } |
| |
| ret = 1; |
| |
| err: |
| OPENSSL_free(der_bytes); |
| |
| if (!ret) { |
| while (sk_X509_CRL_num(out_crls) != initial_crls_len) { |
| X509_CRL_free(sk_X509_CRL_pop(out_crls)); |
| } |
| } |
| |
| return ret; |
| } |
| |
| int PKCS7_get_PEM_certificates(STACK_OF(X509) *out_certs, BIO *pem_bio) { |
| uint8_t *data; |
| long len; |
| int ret; |
| |
| // Even though we pass PEM_STRING_PKCS7 as the expected PEM type here, PEM |
| // internally will actually allow several other values too, including |
| // "CERTIFICATE". |
| if (!PEM_bytes_read_bio(&data, &len, NULL /* PEM type output */, |
| PEM_STRING_PKCS7, pem_bio, |
| NULL /* password callback */, |
| NULL /* password callback argument */)) { |
| return 0; |
| } |
| |
| CBS cbs; |
| CBS_init(&cbs, data, len); |
| ret = PKCS7_get_certificates(out_certs, &cbs); |
| OPENSSL_free(data); |
| return ret; |
| } |
| |
| int PKCS7_get_PEM_CRLs(STACK_OF(X509_CRL) *out_crls, BIO *pem_bio) { |
| uint8_t *data; |
| long len; |
| int ret; |
| |
| // Even though we pass PEM_STRING_PKCS7 as the expected PEM type here, PEM |
| // internally will actually allow several other values too, including |
| // "CERTIFICATE". |
| if (!PEM_bytes_read_bio(&data, &len, NULL /* PEM type output */, |
| PEM_STRING_PKCS7, pem_bio, |
| NULL /* password callback */, |
| NULL /* password callback argument */)) { |
| return 0; |
| } |
| |
| CBS cbs; |
| CBS_init(&cbs, data, len); |
| ret = PKCS7_get_CRLs(out_crls, &cbs); |
| OPENSSL_free(data); |
| return ret; |
| } |
| |
| static int pkcs7_bundle_certificates_cb(CBB *out, const void *arg) { |
| const STACK_OF(X509) *certs = arg; |
| size_t i; |
| CBB certificates; |
| |
| // See https://tools.ietf.org/html/rfc2315#section-9.1 |
| if (!CBB_add_asn1(out, &certificates, |
| CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0)) { |
| return 0; |
| } |
| |
| for (i = 0; i < sk_X509_num(certs); i++) { |
| X509 *x509 = sk_X509_value(certs, i); |
| uint8_t *buf; |
| int len = i2d_X509(x509, NULL); |
| |
| if (len < 0 || |
| !CBB_add_space(&certificates, &buf, len) || |
| i2d_X509(x509, &buf) < 0) { |
| return 0; |
| } |
| } |
| |
| // |certificates| is a implicitly-tagged SET OF. |
| return CBB_flush_asn1_set_of(&certificates) && CBB_flush(out); |
| } |
| |
| int PKCS7_bundle_certificates(CBB *out, const STACK_OF(X509) *certs) { |
| return pkcs7_add_signed_data(out, /*digest_algos_cb=*/NULL, |
| pkcs7_bundle_certificates_cb, |
| /*signer_infos_cb=*/NULL, certs); |
| } |
| |
| static int pkcs7_bundle_crls_cb(CBB *out, const void *arg) { |
| const STACK_OF(X509_CRL) *crls = arg; |
| size_t i; |
| CBB crl_data; |
| |
| // See https://tools.ietf.org/html/rfc2315#section-9.1 |
| if (!CBB_add_asn1(out, &crl_data, |
| CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 1)) { |
| return 0; |
| } |
| |
| for (i = 0; i < sk_X509_CRL_num(crls); i++) { |
| X509_CRL *crl = sk_X509_CRL_value(crls, i); |
| uint8_t *buf; |
| int len = i2d_X509_CRL(crl, NULL); |
| |
| if (len < 0 || |
| !CBB_add_space(&crl_data, &buf, len) || |
| i2d_X509_CRL(crl, &buf) < 0) { |
| return 0; |
| } |
| } |
| |
| // |crl_data| is a implicitly-tagged SET OF. |
| return CBB_flush_asn1_set_of(&crl_data) && CBB_flush(out); |
| } |
| |
| int PKCS7_bundle_CRLs(CBB *out, const STACK_OF(X509_CRL) *crls) { |
| return pkcs7_add_signed_data(out, /*digest_algos_cb=*/NULL, |
| pkcs7_bundle_crls_cb, |
| /*signer_infos_cb=*/NULL, crls); |
| } |
| |
| static PKCS7 *pkcs7_new(CBS *cbs) { |
| PKCS7 *ret = OPENSSL_zalloc(sizeof(PKCS7)); |
| if (ret == NULL) { |
| return NULL; |
| } |
| ret->type = OBJ_nid2obj(NID_pkcs7_signed); |
| ret->d.sign = OPENSSL_malloc(sizeof(PKCS7_SIGNED)); |
| if (ret->d.sign == NULL) { |
| goto err; |
| } |
| ret->d.sign->cert = sk_X509_new_null(); |
| ret->d.sign->crl = sk_X509_CRL_new_null(); |
| CBS copy = *cbs, copy2 = *cbs; |
| if (ret->d.sign->cert == NULL || ret->d.sign->crl == NULL || |
| !PKCS7_get_certificates(ret->d.sign->cert, ©) || |
| !PKCS7_get_CRLs(ret->d.sign->crl, cbs)) { |
| goto err; |
| } |
| |
| if (sk_X509_num(ret->d.sign->cert) == 0) { |
| sk_X509_free(ret->d.sign->cert); |
| ret->d.sign->cert = NULL; |
| } |
| |
| if (sk_X509_CRL_num(ret->d.sign->crl) == 0) { |
| sk_X509_CRL_free(ret->d.sign->crl); |
| ret->d.sign->crl = NULL; |
| } |
| |
| ret->ber_len = CBS_len(©2) - CBS_len(cbs); |
| ret->ber_bytes = OPENSSL_memdup(CBS_data(©2), ret->ber_len); |
| if (ret->ber_bytes == NULL) { |
| goto err; |
| } |
| |
| return ret; |
| |
| err: |
| PKCS7_free(ret); |
| return NULL; |
| } |
| |
| PKCS7 *d2i_PKCS7(PKCS7 **out, const uint8_t **inp, |
| size_t len) { |
| CBS cbs; |
| CBS_init(&cbs, *inp, len); |
| PKCS7 *ret = pkcs7_new(&cbs); |
| if (ret == NULL) { |
| return NULL; |
| } |
| *inp = CBS_data(&cbs); |
| if (out != NULL) { |
| PKCS7_free(*out); |
| *out = ret; |
| } |
| return ret; |
| } |
| |
| PKCS7 *d2i_PKCS7_bio(BIO *bio, PKCS7 **out) { |
| // Use a generous bound, to allow for PKCS#7 files containing large root sets. |
| static const size_t kMaxSize = 4 * 1024 * 1024; |
| uint8_t *data; |
| size_t len; |
| if (!BIO_read_asn1(bio, &data, &len, kMaxSize)) { |
| return NULL; |
| } |
| |
| CBS cbs; |
| CBS_init(&cbs, data, len); |
| PKCS7 *ret = pkcs7_new(&cbs); |
| OPENSSL_free(data); |
| if (out != NULL && ret != NULL) { |
| PKCS7_free(*out); |
| *out = ret; |
| } |
| return ret; |
| } |
| |
| int i2d_PKCS7(const PKCS7 *p7, uint8_t **out) { |
| if (p7->ber_len > INT_MAX) { |
| OPENSSL_PUT_ERROR(PKCS8, ERR_R_OVERFLOW); |
| return -1; |
| } |
| |
| if (out == NULL) { |
| return (int)p7->ber_len; |
| } |
| |
| if (*out == NULL) { |
| *out = OPENSSL_memdup(p7->ber_bytes, p7->ber_len); |
| if (*out == NULL) { |
| return -1; |
| } |
| } else { |
| OPENSSL_memcpy(*out, p7->ber_bytes, p7->ber_len); |
| *out += p7->ber_len; |
| } |
| return (int)p7->ber_len; |
| } |
| |
| int i2d_PKCS7_bio(BIO *bio, const PKCS7 *p7) { |
| return BIO_write_all(bio, p7->ber_bytes, p7->ber_len); |
| } |
| |
| void PKCS7_free(PKCS7 *p7) { |
| if (p7 == NULL) { |
| return; |
| } |
| |
| OPENSSL_free(p7->ber_bytes); |
| ASN1_OBJECT_free(p7->type); |
| // We only supported signed data. |
| if (p7->d.sign != NULL) { |
| sk_X509_pop_free(p7->d.sign->cert, X509_free); |
| sk_X509_CRL_pop_free(p7->d.sign->crl, X509_CRL_free); |
| OPENSSL_free(p7->d.sign); |
| } |
| OPENSSL_free(p7); |
| } |
| |
| // We only support signed data, so these getters are no-ops. |
| int PKCS7_type_is_data(const PKCS7 *p7) { return 0; } |
| int PKCS7_type_is_digest(const PKCS7 *p7) { return 0; } |
| int PKCS7_type_is_encrypted(const PKCS7 *p7) { return 0; } |
| int PKCS7_type_is_enveloped(const PKCS7 *p7) { return 0; } |
| int PKCS7_type_is_signed(const PKCS7 *p7) { return 1; } |
| int PKCS7_type_is_signedAndEnveloped(const PKCS7 *p7) { return 0; } |
| |
| // write_sha256_ai writes an AlgorithmIdentifier for SHA-256 to |
| // |digest_algos_set|. |
| static int write_sha256_ai(CBB *digest_algos_set, const void *arg) { |
| CBB seq; |
| return CBB_add_asn1(digest_algos_set, &seq, CBS_ASN1_SEQUENCE) && |
| OBJ_nid2cbb(&seq, NID_sha256) && // |
| // https://datatracker.ietf.org/doc/html/rfc5754#section-2 |
| // "Implementations MUST generate SHA2 AlgorithmIdentifiers with absent |
| // parameters." |
| CBB_flush(digest_algos_set); |
| } |
| |
| // sign_sha256 writes at most |max_out_sig| bytes of the signature of |data| by |
| // |pkey| to |out_sig| and sets |*out_sig_len| to the number of bytes written. |
| // It returns one on success or zero on error. |
| static int sign_sha256(uint8_t *out_sig, size_t *out_sig_len, |
| size_t max_out_sig, EVP_PKEY *pkey, BIO *data) { |
| static const size_t kBufSize = 4096; |
| uint8_t *buffer = OPENSSL_malloc(kBufSize); |
| if (!buffer) { |
| return 0; |
| } |
| |
| EVP_MD_CTX ctx; |
| EVP_MD_CTX_init(&ctx); |
| |
| int ret = 0; |
| if (!EVP_DigestSignInit(&ctx, NULL, EVP_sha256(), NULL, pkey)) { |
| goto out; |
| } |
| |
| for (;;) { |
| const int n = BIO_read(data, buffer, kBufSize); |
| if (n == 0) { |
| break; |
| } else if (n < 0 || !EVP_DigestSignUpdate(&ctx, buffer, n)) { |
| goto out; |
| } |
| } |
| |
| *out_sig_len = max_out_sig; |
| if (!EVP_DigestSignFinal(&ctx, out_sig, out_sig_len)) { |
| goto out; |
| } |
| |
| ret = 1; |
| |
| out: |
| EVP_MD_CTX_cleanup(&ctx); |
| OPENSSL_free(buffer); |
| return ret; |
| } |
| |
| struct signer_info_data { |
| const X509 *sign_cert; |
| uint8_t *signature; |
| size_t signature_len; |
| }; |
| |
| // write_signer_info writes the SignerInfo structure from |
| // https://datatracker.ietf.org/doc/html/rfc2315#section-9.2 to |out|. It |
| // returns one on success or zero on error. |
| static int write_signer_info(CBB *out, const void *arg) { |
| const struct signer_info_data *const si_data = arg; |
| |
| int ret = 0; |
| uint8_t *subject_bytes = NULL; |
| uint8_t *serial_bytes = NULL; |
| |
| const int subject_len = |
| i2d_X509_NAME(X509_get_subject_name(si_data->sign_cert), &subject_bytes); |
| const int serial_len = i2d_ASN1_INTEGER( |
| (ASN1_INTEGER *)X509_get0_serialNumber(si_data->sign_cert), |
| &serial_bytes); |
| |
| CBB seq, issuer_and_serial, signing_algo, null, signature; |
| if (subject_len < 0 || |
| serial_len < 0 || |
| !CBB_add_asn1(out, &seq, CBS_ASN1_SEQUENCE) || |
| // version |
| !CBB_add_asn1_uint64(&seq, 1) || |
| !CBB_add_asn1(&seq, &issuer_and_serial, CBS_ASN1_SEQUENCE) || |
| !CBB_add_bytes(&issuer_and_serial, subject_bytes, subject_len) || |
| !CBB_add_bytes(&issuer_and_serial, serial_bytes, serial_len) || |
| !write_sha256_ai(&seq, NULL) || |
| !CBB_add_asn1(&seq, &signing_algo, CBS_ASN1_SEQUENCE) || |
| !OBJ_nid2cbb(&signing_algo, NID_rsaEncryption) || |
| !CBB_add_asn1(&signing_algo, &null, CBS_ASN1_NULL) || |
| !CBB_add_asn1(&seq, &signature, CBS_ASN1_OCTETSTRING) || |
| !CBB_add_bytes(&signature, si_data->signature, si_data->signature_len) || |
| !CBB_flush(out)) { |
| goto out; |
| } |
| |
| ret = 1; |
| |
| out: |
| OPENSSL_free(subject_bytes); |
| OPENSSL_free(serial_bytes); |
| return ret; |
| } |
| |
| PKCS7 *PKCS7_sign(X509 *sign_cert, EVP_PKEY *pkey, STACK_OF(X509) *certs, |
| BIO *data, int flags) { |
| CBB cbb; |
| if (!CBB_init(&cbb, 2048)) { |
| return NULL; |
| } |
| |
| uint8_t *der = NULL; |
| size_t len; |
| PKCS7 *ret = NULL; |
| |
| if (sign_cert == NULL && pkey == NULL && flags == PKCS7_DETACHED) { |
| // Caller just wants to bundle certificates. |
| if (!PKCS7_bundle_certificates(&cbb, certs)) { |
| goto out; |
| } |
| } else if (sign_cert != NULL && pkey != NULL && certs == NULL && |
| data != NULL && |
| flags == (PKCS7_NOATTR | PKCS7_BINARY | PKCS7_NOCERTS | |
| PKCS7_DETACHED) && |
| EVP_PKEY_id(pkey) == NID_rsaEncryption) { |
| // sign-file.c from the Linux kernel. |
| const size_t signature_max_len = EVP_PKEY_size(pkey); |
| struct signer_info_data si_data = { |
| .sign_cert = sign_cert, |
| .signature = OPENSSL_malloc(signature_max_len), |
| }; |
| |
| if (!si_data.signature || |
| !sign_sha256(si_data.signature, &si_data.signature_len, |
| signature_max_len, pkey, data) || |
| !pkcs7_add_signed_data(&cbb, write_sha256_ai, /*cert_crl_cb=*/NULL, |
| write_signer_info, &si_data)) { |
| OPENSSL_free(si_data.signature); |
| goto out; |
| } |
| OPENSSL_free(si_data.signature); |
| } else { |
| OPENSSL_PUT_ERROR(PKCS7, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); |
| goto out; |
| } |
| |
| if (!CBB_finish(&cbb, &der, &len)) { |
| goto out; |
| } |
| |
| CBS cbs; |
| CBS_init(&cbs, der, len); |
| ret = pkcs7_new(&cbs); |
| |
| out: |
| CBB_cleanup(&cbb); |
| OPENSSL_free(der); |
| return ret; |
| } |