1328875Seadler/* 2133359Sobrien * Copyright (c) 2003 - 2007 Kungliga Tekniska H��gskolan 3133359Sobrien * (Royal Institute of Technology, Stockholm, Sweden). 4133359Sobrien * All rights reserved. 5133359Sobrien * 6133359Sobrien * Redistribution and use in source and binary forms, with or without 7133359Sobrien * modification, are permitted provided that the following conditions 8133359Sobrien * are met: 9133359Sobrien * 10133359Sobrien * 1. Redistributions of source code must retain the above copyright 11133359Sobrien * notice, this list of conditions and the following disclaimer. 12133359Sobrien * 13133359Sobrien * 2. Redistributions in binary form must reproduce the above copyright 14133359Sobrien * notice, this list of conditions and the following disclaimer in the 15226048Sobrien * documentation and/or other materials provided with the distribution. 16133359Sobrien * 17133359Sobrien * 3. Neither the name of the Institute nor the names of its contributors 18133359Sobrien * may be used to endorse or promote products derived from this software 19133359Sobrien * without specific prior written permission. 20133359Sobrien * 21133359Sobrien * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 22133359Sobrien * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23133359Sobrien * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24133359Sobrien * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 25133359Sobrien * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26133359Sobrien * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27133359Sobrien * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28328875Seadler * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29226048Sobrien * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30133359Sobrien * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31133359Sobrien * SUCH DAMAGE. 32133359Sobrien */ 33133359Sobrien 34133359Sobrien#include "hx_locl.h" 35267843Sdelphij 36226048Sobrien/** 37133359Sobrien * @page page_cms CMS/PKCS7 message functions. 38328875Seadler * 39133359Sobrien * CMS is defined in RFC 3369 and is an continuation of the RSA Labs 40133359Sobrien * standard PKCS7. The basic messages in CMS is 41133359Sobrien * 42267843Sdelphij * - SignedData 43267843Sdelphij * Data signed with private key (RSA, DSA, ECDSA) or secret 44276415Sdelphij * (symmetric) key 45276415Sdelphij * - EnvelopedData 46276415Sdelphij * Data encrypted with private key (RSA) 47267843Sdelphij * - EncryptedData 48226048Sobrien * Data encrypted with secret (symmetric) key. 49133359Sobrien * - ContentInfo 50133359Sobrien * Wrapper structure including type and data. 51133359Sobrien * 52133359Sobrien * 53133359Sobrien * See the library functions here: @ref hx509_cms 54133359Sobrien */ 55133359Sobrien 56133359Sobrien#define ALLOC(X, N) (X) = calloc((N), sizeof(*(X))) 57133359Sobrien#define ALLOC_SEQ(X, N) do { (X)->len = (N); ALLOC((X)->val, (N)); } while(0) 58133359Sobrien 59133359Sobrien/** 60133359Sobrien * Wrap data and oid in a ContentInfo and encode it. 61133359Sobrien * 62234250Sobrien * @param oid type of the content. 63226048Sobrien * @param buf data to be wrapped. If a NULL pointer is passed in, the 64234250Sobrien * optional content field in the ContentInfo is not going be filled 65133359Sobrien * in. 66226048Sobrien * @param res the encoded buffer, the result should be freed with 67133359Sobrien * der_free_octet_string(). 68328875Seadler * 69328875Seadler * @return Returns an hx509 error code. 70226048Sobrien * 71133359Sobrien * @ingroup hx509_cms 72226048Sobrien */ 73133359Sobrien 74226048Sobrienint 75133359Sobrienhx509_cms_wrap_ContentInfo(const heim_oid *oid, 76234250Sobrien const heim_octet_string *buf, 77234250Sobrien heim_octet_string *res) 78226048Sobrien{ 79267843Sdelphij ContentInfo ci; 80276415Sdelphij size_t size; 81276415Sdelphij int ret; 82276415Sdelphij 83276415Sdelphij memset(res, 0, sizeof(*res)); 84276415Sdelphij memset(&ci, 0, sizeof(ci)); 85276415Sdelphij 86267843Sdelphij ret = der_copy_oid(oid, &ci.contentType); 87133359Sobrien if (ret) 88133359Sobrien return ret; 89133359Sobrien if (buf) { 90133359Sobrien ALLOC(ci.content, 1); 91133359Sobrien if (ci.content == NULL) { 92133359Sobrien free_ContentInfo(&ci); 93133359Sobrien return ENOMEM; 94133359Sobrien } 95133359Sobrien ci.content->data = malloc(buf->length); 96226048Sobrien if (ci.content->data == NULL) { 97226048Sobrien free_ContentInfo(&ci); 98226048Sobrien return ENOMEM; 99226048Sobrien } 100226048Sobrien memcpy(ci.content->data, buf->data, buf->length); 101133359Sobrien ci.content->length = buf->length; 102133359Sobrien } 103133359Sobrien 104133359Sobrien ASN1_MALLOC_ENCODE(ContentInfo, res->data, res->length, &ci, &size, ret); 105133359Sobrien free_ContentInfo(&ci); 106133359Sobrien if (ret) 107133359Sobrien return ret; 108133359Sobrien if (res->length != size) 109133359Sobrien _hx509_abort("internal ASN.1 encoder error"); 110133359Sobrien 111133359Sobrien return 0; 112133359Sobrien} 113133359Sobrien 114133359Sobrien/** 115175296Sobrien * Decode an ContentInfo and unwrap data and oid it. 116175296Sobrien * 117175296Sobrien * @param in the encoded buffer. 118175296Sobrien * @param oid type of the content. 119226048Sobrien * @param out data to be wrapped. 120226048Sobrien * @param have_data since the data is optional, this flags show dthe 121133359Sobrien * diffrence between no data and the zero length data. 122133359Sobrien * 123133359Sobrien * @return Returns an hx509 error code. 124133359Sobrien * 125133359Sobrien * @ingroup hx509_cms 126133359Sobrien */ 127226048Sobrien 128133359Sobrienint 129133359Sobrienhx509_cms_unwrap_ContentInfo(const heim_octet_string *in, 130226048Sobrien heim_oid *oid, 131133359Sobrien heim_octet_string *out, 132133359Sobrien int *have_data) 133133359Sobrien{ 134133359Sobrien ContentInfo ci; 135133359Sobrien size_t size; 136226048Sobrien int ret; 137226048Sobrien 138284778Sdelphij memset(oid, 0, sizeof(*oid)); 139284778Sdelphij memset(out, 0, sizeof(*out)); 140284778Sdelphij 141284778Sdelphij ret = decode_ContentInfo(in->data, in->length, &ci, &size); 142175296Sobrien if (ret) 143226048Sobrien return ret; 144175296Sobrien 145175296Sobrien ret = der_copy_oid(&ci.contentType, oid); 146226048Sobrien if (ret) { 147226048Sobrien free_ContentInfo(&ci); 148175296Sobrien return ret; 149226048Sobrien } 150175296Sobrien if (ci.content) { 151226048Sobrien ret = der_copy_octet_string(ci.content, out); 152234250Sobrien if (ret) { 153226048Sobrien der_free_oid(oid); 154175296Sobrien free_ContentInfo(&ci); 155175296Sobrien return ret; 156175296Sobrien } 157175296Sobrien } else 158226048Sobrien memset(out, 0, sizeof(*out)); 159226048Sobrien 160175296Sobrien if (have_data) 161175296Sobrien *have_data = (ci.content != NULL) ? 1 : 0; 162133359Sobrien 163133359Sobrien free_ContentInfo(&ci); 164133359Sobrien 165133359Sobrien return 0; 166133359Sobrien} 167133359Sobrien 168133359Sobrien#define CMS_ID_SKI 0 169133359Sobrien#define CMS_ID_NAME 1 170133359Sobrien 171133359Sobrienstatic int 172226048Sobrienfill_CMSIdentifier(const hx509_cert cert, 173226048Sobrien int type, 174226048Sobrien CMSIdentifier *id) 175133359Sobrien{ 176133359Sobrien int ret; 177133359Sobrien 178175296Sobrien switch (type) { 179175296Sobrien case CMS_ID_SKI: 180133359Sobrien id->element = choice_CMSIdentifier_subjectKeyIdentifier; 181133359Sobrien ret = _hx509_find_extension_subject_key_id(_hx509_get_cert(cert), 182133359Sobrien &id->u.subjectKeyIdentifier); 183133359Sobrien if (ret == 0) 184133359Sobrien break; 185133359Sobrien /* FALL THOUGH */ 186226048Sobrien case CMS_ID_NAME: { 187226048Sobrien hx509_name name; 188226048Sobrien 189133359Sobrien id->element = choice_CMSIdentifier_issuerAndSerialNumber; 190133359Sobrien ret = hx509_cert_get_issuer(cert, &name); 191226048Sobrien if (ret) 192226048Sobrien return ret; 193226048Sobrien ret = hx509_name_to_Name(name, &id->u.issuerAndSerialNumber.issuer); 194133359Sobrien hx509_name_free(&name); 195133359Sobrien if (ret) 196226048Sobrien return ret; 197226048Sobrien 198226048Sobrien ret = hx509_cert_get_serialnumber(cert, &id->u.issuerAndSerialNumber.serialNumber); 199226048Sobrien break; 200226048Sobrien } 201226048Sobrien default: 202226048Sobrien _hx509_abort("CMS fill identifier with unknown type"); 203226048Sobrien } 204133359Sobrien return ret; 205133359Sobrien} 206133359Sobrien 207133359Sobrienstatic int 208133359Sobrienunparse_CMSIdentifier(hx509_context context, 209133359Sobrien CMSIdentifier *id, 210133359Sobrien char **str) 211133359Sobrien{ 212328875Seadler int ret; 213328875Seadler 214328875Seadler *str = NULL; 215328875Seadler switch (id->element) { 216328875Seadler case choice_CMSIdentifier_issuerAndSerialNumber: { 217328875Seadler IssuerAndSerialNumber *iasn; 218133359Sobrien char *serial, *name; 219226048Sobrien 220133359Sobrien iasn = &id->u.issuerAndSerialNumber; 221226048Sobrien 222226048Sobrien ret = _hx509_Name_to_string(&iasn->issuer, &name); 223175296Sobrien if(ret) 224133359Sobrien return ret; 225133359Sobrien ret = der_print_hex_heim_integer(&iasn->serialNumber, &serial); 226133359Sobrien if (ret) { 227133359Sobrien free(name); 228133359Sobrien return ret; 229133359Sobrien } 230226048Sobrien asprintf(str, "certificate issued by %s with serial number %s", 231226048Sobrien name, serial); 232226048Sobrien free(name); 233226048Sobrien free(serial); 234133359Sobrien break; 235133359Sobrien } 236133359Sobrien case choice_CMSIdentifier_subjectKeyIdentifier: { 237300899Sdelphij KeyIdentifier *ki = &id->u.subjectKeyIdentifier; 238133359Sobrien char *keyid; 239133359Sobrien ssize_t len; 240226048Sobrien 241226048Sobrien len = hex_encode(ki->data, ki->length, &keyid); 242226048Sobrien if (len < 0) 243226048Sobrien return ENOMEM; 244226048Sobrien 245133359Sobrien asprintf(str, "certificate with id %s", keyid); 246186690Sobrien free(keyid); 247186690Sobrien break; 248186690Sobrien } 249133359Sobrien default: 250133359Sobrien asprintf(str, "certificate have unknown CMSidentifier type"); 251234250Sobrien break; 252234250Sobrien } 253234250Sobrien if (*str == NULL) 254234250Sobrien return ENOMEM; 255234250Sobrien return 0; 256234250Sobrien} 257234250Sobrien 258234250Sobrienstatic int 259234250Sobrienfind_CMSIdentifier(hx509_context context, 260234250Sobrien CMSIdentifier *client, 261234250Sobrien hx509_certs certs, 262133359Sobrien time_t time_now, 263300899Sdelphij hx509_cert *signer_cert, 264133359Sobrien int match) 265133359Sobrien{ 266226048Sobrien hx509_query q; 267226048Sobrien hx509_cert cert; 268226048Sobrien Certificate c; 269133359Sobrien int ret; 270226048Sobrien 271226048Sobrien memset(&c, 0, sizeof(c)); 272133359Sobrien _hx509_query_clear(&q); 273186690Sobrien 274186690Sobrien *signer_cert = NULL; 275186690Sobrien 276267843Sdelphij switch (client->element) { 277267843Sdelphij case choice_CMSIdentifier_issuerAndSerialNumber: 278276415Sdelphij q.serial = &client->u.issuerAndSerialNumber.serialNumber; 279276415Sdelphij q.issuer_name = &client->u.issuerAndSerialNumber.issuer; 280276415Sdelphij q.match = HX509_QUERY_MATCH_SERIALNUMBER|HX509_QUERY_MATCH_ISSUER_NAME; 281276415Sdelphij break; 282276415Sdelphij case choice_CMSIdentifier_subjectKeyIdentifier: 283276415Sdelphij q.subject_id = &client->u.subjectKeyIdentifier; 284276415Sdelphij q.match = HX509_QUERY_MATCH_SUBJECT_KEY_ID; 285276415Sdelphij break; 286276415Sdelphij default: 287276415Sdelphij hx509_set_error_string(context, 0, HX509_CMS_NO_RECIPIENT_CERTIFICATE, 288276415Sdelphij "unknown CMS identifier element"); 289276415Sdelphij return HX509_CMS_NO_RECIPIENT_CERTIFICATE; 290276415Sdelphij } 291276415Sdelphij 292276415Sdelphij q.match |= match; 293276415Sdelphij 294300899Sdelphij q.match |= HX509_QUERY_MATCH_TIME; 295276415Sdelphij if (time_now) 296276415Sdelphij q.timenow = time_now; 297276415Sdelphij else 298276415Sdelphij q.timenow = time(NULL); 299276415Sdelphij 300277592Sdelphij ret = hx509_certs_find(context, certs, &q, &cert); 301276415Sdelphij if (ret == HX509_CERT_NOT_FOUND) { 302276415Sdelphij char *str; 303290152Sdelphij 304300899Sdelphij ret = unparse_CMSIdentifier(context, client, &str); 305276415Sdelphij if (ret == 0) { 306276415Sdelphij hx509_set_error_string(context, 0, 307276415Sdelphij HX509_CMS_NO_RECIPIENT_CERTIFICATE, 308276415Sdelphij "Failed to find %s", str); 309276415Sdelphij } else 310276415Sdelphij hx509_clear_error_string(context); 311276415Sdelphij return HX509_CMS_NO_RECIPIENT_CERTIFICATE; 312276415Sdelphij } else if (ret) { 313276415Sdelphij hx509_set_error_string(context, HX509_ERROR_APPEND, 314276415Sdelphij HX509_CMS_NO_RECIPIENT_CERTIFICATE, 315276415Sdelphij "Failed to find CMS id in cert store"); 316276415Sdelphij return HX509_CMS_NO_RECIPIENT_CERTIFICATE; 317276415Sdelphij } 318276415Sdelphij 319276415Sdelphij *signer_cert = cert; 320276415Sdelphij 321276415Sdelphij return 0; 322277592Sdelphij} 323277592Sdelphij 324277592Sdelphij/** 325277592Sdelphij * Decode and unencrypt EnvelopedData. 326276415Sdelphij * 327277592Sdelphij * Extract data and parameteres from from the EnvelopedData. Also 328276415Sdelphij * supports using detached EnvelopedData. 329276415Sdelphij * 330276415Sdelphij * @param context A hx509 context. 331277592Sdelphij * @param certs Certificate that can decrypt the EnvelopedData 332276415Sdelphij * encryption key. 333276415Sdelphij * @param flags HX509_CMS_UE flags to control the behavior. 334267843Sdelphij * @param data pointer the structure the contains the DER/BER encoded 335267843Sdelphij * EnvelopedData stucture. 336267843Sdelphij * @param length length of the data that data point to. 337267843Sdelphij * @param encryptedContent in case of detached signature, this 338267843Sdelphij * contains the actual encrypted data, othersize its should be NULL. 339267843Sdelphij * @param time_now set the current time, if zero the library uses now as the date. 340267843Sdelphij * @param contentType output type oid, should be freed with der_free_oid(). 341267843Sdelphij * @param content the data, free with der_free_octet_string(). 342133359Sobrien * 343133359Sobrien * @ingroup hx509_cms 344133359Sobrien */ 345226048Sobrien 346226048Sobrienint 347226048Sobrienhx509_cms_unenvelope(hx509_context context, 348226048Sobrien hx509_certs certs, 349226048Sobrien int flags, 350226048Sobrien const void *data, 351133359Sobrien size_t length, 352234250Sobrien const heim_octet_string *encryptedContent, 353133359Sobrien time_t time_now, 354133359Sobrien heim_oid *contentType, 355133359Sobrien heim_octet_string *content) 356133359Sobrien{ 357226048Sobrien heim_octet_string key; 358133359Sobrien EnvelopedData ed; 359234250Sobrien hx509_cert cert; 360234250Sobrien AlgorithmIdentifier *ai; 361234250Sobrien const heim_octet_string *enccontent; 362133359Sobrien heim_octet_string *params, params_data; 363226048Sobrien heim_octet_string ivec; 364226048Sobrien size_t size; 365226048Sobrien int ret, matched = 0, findflags = 0; 366226048Sobrien size_t i; 367133359Sobrien 368133359Sobrien 369226048Sobrien memset(&key, 0, sizeof(key)); 370226048Sobrien memset(&ed, 0, sizeof(ed)); 371226048Sobrien memset(&ivec, 0, sizeof(ivec)); 372267843Sdelphij memset(content, 0, sizeof(*content)); 373267843Sdelphij memset(contentType, 0, sizeof(*contentType)); 374267843Sdelphij 375133359Sobrien if ((flags & HX509_CMS_UE_DONT_REQUIRE_KU_ENCIPHERMENT) == 0) 376133359Sobrien findflags |= HX509_QUERY_KU_ENCIPHERMENT; 377226048Sobrien 378226048Sobrien ret = decode_EnvelopedData(data, length, &ed, &size); 379133359Sobrien if (ret) { 380133359Sobrien hx509_set_error_string(context, 0, ret, 381133359Sobrien "Failed to decode EnvelopedData"); 382133359Sobrien return ret; 383133359Sobrien } 384133359Sobrien 385191736Sobrien if (ed.recipientInfos.len == 0) { 386133359Sobrien ret = HX509_CMS_NO_RECIPIENT_CERTIFICATE; 387133359Sobrien hx509_set_error_string(context, 0, ret, 388133359Sobrien "No recipient info in enveloped data"); 389133359Sobrien goto out; 390133359Sobrien } 391133359Sobrien 392133359Sobrien enccontent = ed.encryptedContentInfo.encryptedContent; 393226048Sobrien if (enccontent == NULL) { 394133359Sobrien if (encryptedContent == NULL) { 395226048Sobrien ret = HX509_CMS_NO_DATA_AVAILABLE; 396226048Sobrien hx509_set_error_string(context, 0, ret, 397226048Sobrien "Content missing from encrypted data"); 398226048Sobrien goto out; 399 } 400 enccontent = encryptedContent; 401 } else if (encryptedContent != NULL) { 402 ret = HX509_CMS_NO_DATA_AVAILABLE; 403 hx509_set_error_string(context, 0, ret, 404 "Both internal and external encrypted data"); 405 goto out; 406 } 407 408 cert = NULL; 409 for (i = 0; i < ed.recipientInfos.len; i++) { 410 KeyTransRecipientInfo *ri; 411 char *str; 412 int ret2; 413 414 ri = &ed.recipientInfos.val[i]; 415 416 ret = find_CMSIdentifier(context, &ri->rid, certs, 417 time_now, &cert, 418 HX509_QUERY_PRIVATE_KEY|findflags); 419 if (ret) 420 continue; 421 422 matched = 1; /* found a matching certificate, let decrypt */ 423 424 ret = _hx509_cert_private_decrypt(context, 425 &ri->encryptedKey, 426 &ri->keyEncryptionAlgorithm.algorithm, 427 cert, &key); 428 429 hx509_cert_free(cert); 430 if (ret == 0) 431 break; /* succuessfully decrypted cert */ 432 cert = NULL; 433 ret2 = unparse_CMSIdentifier(context, &ri->rid, &str); 434 if (ret2 == 0) { 435 hx509_set_error_string(context, HX509_ERROR_APPEND, ret, 436 "Failed to decrypt with %s", str); 437 free(str); 438 } 439 } 440 441 if (!matched) { 442 ret = HX509_CMS_NO_RECIPIENT_CERTIFICATE; 443 hx509_set_error_string(context, 0, ret, 444 "No private key matched any certificate"); 445 goto out; 446 } 447 448 if (cert == NULL) { 449 ret = HX509_CMS_NO_RECIPIENT_CERTIFICATE; 450 hx509_set_error_string(context, HX509_ERROR_APPEND, ret, 451 "No private key decrypted the transfer key"); 452 goto out; 453 } 454 455 ret = der_copy_oid(&ed.encryptedContentInfo.contentType, contentType); 456 if (ret) { 457 hx509_set_error_string(context, 0, ret, 458 "Failed to copy EnvelopedData content oid"); 459 goto out; 460 } 461 462 ai = &ed.encryptedContentInfo.contentEncryptionAlgorithm; 463 if (ai->parameters) { 464 params_data.data = ai->parameters->data; 465 params_data.length = ai->parameters->length; 466 params = ¶ms_data; 467 } else 468 params = NULL; 469 470 { 471 hx509_crypto crypto; 472 473 ret = hx509_crypto_init(context, NULL, &ai->algorithm, &crypto); 474 if (ret) 475 goto out; 476 477 if (flags & HX509_CMS_UE_ALLOW_WEAK) 478 hx509_crypto_allow_weak(crypto); 479 480 if (params) { 481 ret = hx509_crypto_set_params(context, crypto, params, &ivec); 482 if (ret) { 483 hx509_crypto_destroy(crypto); 484 goto out; 485 } 486 } 487 488 ret = hx509_crypto_set_key_data(crypto, key.data, key.length); 489 if (ret) { 490 hx509_crypto_destroy(crypto); 491 hx509_set_error_string(context, 0, ret, 492 "Failed to set key for decryption " 493 "of EnvelopedData"); 494 goto out; 495 } 496 497 ret = hx509_crypto_decrypt(crypto, 498 enccontent->data, 499 enccontent->length, 500 ivec.length ? &ivec : NULL, 501 content); 502 hx509_crypto_destroy(crypto); 503 if (ret) { 504 hx509_set_error_string(context, 0, ret, 505 "Failed to decrypt EnvelopedData"); 506 goto out; 507 } 508 } 509 510out: 511 512 free_EnvelopedData(&ed); 513 der_free_octet_string(&key); 514 if (ivec.length) 515 der_free_octet_string(&ivec); 516 if (ret) { 517 der_free_oid(contentType); 518 der_free_octet_string(content); 519 } 520 521 return ret; 522} 523 524/** 525 * Encrypt end encode EnvelopedData. 526 * 527 * Encrypt and encode EnvelopedData. The data is encrypted with a 528 * random key and the the random key is encrypted with the 529 * certificates private key. This limits what private key type can be 530 * used to RSA. 531 * 532 * @param context A hx509 context. 533 * @param flags flags to control the behavior. 534 * - HX509_CMS_EV_NO_KU_CHECK - Dont check KU on certificate 535 * - HX509_CMS_EV_ALLOW_WEAK - Allow weak crytpo 536 * - HX509_CMS_EV_ID_NAME - prefer issuer name and serial number 537 * @param cert Certificate to encrypt the EnvelopedData encryption key 538 * with. 539 * @param data pointer the data to encrypt. 540 * @param length length of the data that data point to. 541 * @param encryption_type Encryption cipher to use for the bulk data, 542 * use NULL to get default. 543 * @param contentType type of the data that is encrypted 544 * @param content the output of the function, 545 * free with der_free_octet_string(). 546 * 547 * @ingroup hx509_cms 548 */ 549 550int 551hx509_cms_envelope_1(hx509_context context, 552 int flags, 553 hx509_cert cert, 554 const void *data, 555 size_t length, 556 const heim_oid *encryption_type, 557 const heim_oid *contentType, 558 heim_octet_string *content) 559{ 560 KeyTransRecipientInfo *ri; 561 heim_octet_string ivec; 562 heim_octet_string key; 563 hx509_crypto crypto = NULL; 564 int ret, cmsidflag; 565 EnvelopedData ed; 566 size_t size; 567 568 memset(&ivec, 0, sizeof(ivec)); 569 memset(&key, 0, sizeof(key)); 570 memset(&ed, 0, sizeof(ed)); 571 memset(content, 0, sizeof(*content)); 572 573 if (encryption_type == NULL) 574 encryption_type = &asn1_oid_id_aes_256_cbc; 575 576 if ((flags & HX509_CMS_EV_NO_KU_CHECK) == 0) { 577 ret = _hx509_check_key_usage(context, cert, 1 << 2, TRUE); 578 if (ret) 579 goto out; 580 } 581 582 ret = hx509_crypto_init(context, NULL, encryption_type, &crypto); 583 if (ret) 584 goto out; 585 586 if (flags & HX509_CMS_EV_ALLOW_WEAK) 587 hx509_crypto_allow_weak(crypto); 588 589 ret = hx509_crypto_set_random_key(crypto, &key); 590 if (ret) { 591 hx509_set_error_string(context, 0, ret, 592 "Create random key for EnvelopedData content"); 593 goto out; 594 } 595 596 ret = hx509_crypto_random_iv(crypto, &ivec); 597 if (ret) { 598 hx509_set_error_string(context, 0, ret, 599 "Failed to create a random iv"); 600 goto out; 601 } 602 603 ret = hx509_crypto_encrypt(crypto, 604 data, 605 length, 606 &ivec, 607 &ed.encryptedContentInfo.encryptedContent); 608 if (ret) { 609 hx509_set_error_string(context, 0, ret, 610 "Failed to encrypt EnvelopedData content"); 611 goto out; 612 } 613 614 { 615 AlgorithmIdentifier *enc_alg; 616 enc_alg = &ed.encryptedContentInfo.contentEncryptionAlgorithm; 617 ret = der_copy_oid(encryption_type, &enc_alg->algorithm); 618 if (ret) { 619 hx509_set_error_string(context, 0, ret, 620 "Failed to set crypto oid " 621 "for EnvelopedData"); 622 goto out; 623 } 624 ALLOC(enc_alg->parameters, 1); 625 if (enc_alg->parameters == NULL) { 626 ret = ENOMEM; 627 hx509_set_error_string(context, 0, ret, 628 "Failed to allocate crypto paramaters " 629 "for EnvelopedData"); 630 goto out; 631 } 632 633 ret = hx509_crypto_get_params(context, 634 crypto, 635 &ivec, 636 enc_alg->parameters); 637 if (ret) { 638 goto out; 639 } 640 } 641 642 ALLOC_SEQ(&ed.recipientInfos, 1); 643 if (ed.recipientInfos.val == NULL) { 644 ret = ENOMEM; 645 hx509_set_error_string(context, 0, ret, 646 "Failed to allocate recipients info " 647 "for EnvelopedData"); 648 goto out; 649 } 650 651 ri = &ed.recipientInfos.val[0]; 652 653 if (flags & HX509_CMS_EV_ID_NAME) { 654 ri->version = 0; 655 cmsidflag = CMS_ID_NAME; 656 } else { 657 ri->version = 2; 658 cmsidflag = CMS_ID_SKI; 659 } 660 661 ret = fill_CMSIdentifier(cert, cmsidflag, &ri->rid); 662 if (ret) { 663 hx509_set_error_string(context, 0, ret, 664 "Failed to set CMS identifier info " 665 "for EnvelopedData"); 666 goto out; 667 } 668 669 ret = hx509_cert_public_encrypt(context, 670 &key, cert, 671 &ri->keyEncryptionAlgorithm.algorithm, 672 &ri->encryptedKey); 673 if (ret) { 674 hx509_set_error_string(context, HX509_ERROR_APPEND, ret, 675 "Failed to encrypt transport key for " 676 "EnvelopedData"); 677 goto out; 678 } 679 680 /* 681 * 682 */ 683 684 ed.version = 0; 685 ed.originatorInfo = NULL; 686 687 ret = der_copy_oid(contentType, &ed.encryptedContentInfo.contentType); 688 if (ret) { 689 hx509_set_error_string(context, 0, ret, 690 "Failed to copy content oid for " 691 "EnvelopedData"); 692 goto out; 693 } 694 695 ed.unprotectedAttrs = NULL; 696 697 ASN1_MALLOC_ENCODE(EnvelopedData, content->data, content->length, 698 &ed, &size, ret); 699 if (ret) { 700 hx509_set_error_string(context, 0, ret, 701 "Failed to encode EnvelopedData"); 702 goto out; 703 } 704 if (size != content->length) 705 _hx509_abort("internal ASN.1 encoder error"); 706 707out: 708 if (crypto) 709 hx509_crypto_destroy(crypto); 710 if (ret) 711 der_free_octet_string(content); 712 der_free_octet_string(&key); 713 der_free_octet_string(&ivec); 714 free_EnvelopedData(&ed); 715 716 return ret; 717} 718 719static int 720any_to_certs(hx509_context context, const SignedData *sd, hx509_certs certs) 721{ 722 int ret; 723 size_t i; 724 725 if (sd->certificates == NULL) 726 return 0; 727 728 for (i = 0; i < sd->certificates->len; i++) { 729 hx509_cert c; 730 731 ret = hx509_cert_init_data(context, 732 sd->certificates->val[i].data, 733 sd->certificates->val[i].length, 734 &c); 735 if (ret) 736 return ret; 737 ret = hx509_certs_add(context, certs, c); 738 hx509_cert_free(c); 739 if (ret) 740 return ret; 741 } 742 743 return 0; 744} 745 746static const Attribute * 747find_attribute(const CMSAttributes *attr, const heim_oid *oid) 748{ 749 size_t i; 750 for (i = 0; i < attr->len; i++) 751 if (der_heim_oid_cmp(&attr->val[i].type, oid) == 0) 752 return &attr->val[i]; 753 return NULL; 754} 755 756/** 757 * Decode SignedData and verify that the signature is correct. 758 * 759 * @param context A hx509 context. 760 * @param ctx a hx509 verify context. 761 * @param flags to control the behaivor of the function. 762 * - HX509_CMS_VS_NO_KU_CHECK - Don't check KeyUsage 763 * - HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH - allow oid mismatch 764 * - HX509_CMS_VS_ALLOW_ZERO_SIGNER - no signer, see below. 765 * @param data pointer to CMS SignedData encoded data. 766 * @param length length of the data that data point to. 767 * @param signedContent external data used for signature. 768 * @param pool certificate pool to build certificates paths. 769 * @param contentType free with der_free_oid(). 770 * @param content the output of the function, free with 771 * der_free_octet_string(). 772 * @param signer_certs list of the cerficates used to sign this 773 * request, free with hx509_certs_free(). 774 * 775 * @ingroup hx509_cms 776 */ 777 778int 779hx509_cms_verify_signed(hx509_context context, 780 hx509_verify_ctx ctx, 781 unsigned int flags, 782 const void *data, 783 size_t length, 784 const heim_octet_string *signedContent, 785 hx509_certs pool, 786 heim_oid *contentType, 787 heim_octet_string *content, 788 hx509_certs *signer_certs) 789{ 790 SignerInfo *signer_info; 791 hx509_cert cert = NULL; 792 hx509_certs certs = NULL; 793 SignedData sd; 794 size_t size; 795 int ret, found_valid_sig; 796 size_t i; 797 798 *signer_certs = NULL; 799 content->data = NULL; 800 content->length = 0; 801 contentType->length = 0; 802 contentType->components = NULL; 803 804 memset(&sd, 0, sizeof(sd)); 805 806 ret = decode_SignedData(data, length, &sd, &size); 807 if (ret) { 808 hx509_set_error_string(context, 0, ret, 809 "Failed to decode SignedData"); 810 goto out; 811 } 812 813 if (sd.encapContentInfo.eContent == NULL && signedContent == NULL) { 814 ret = HX509_CMS_NO_DATA_AVAILABLE; 815 hx509_set_error_string(context, 0, ret, 816 "No content data in SignedData"); 817 goto out; 818 } 819 if (sd.encapContentInfo.eContent && signedContent) { 820 ret = HX509_CMS_NO_DATA_AVAILABLE; 821 hx509_set_error_string(context, 0, ret, 822 "Both external and internal SignedData"); 823 goto out; 824 } 825 826 if (sd.encapContentInfo.eContent) 827 ret = der_copy_octet_string(sd.encapContentInfo.eContent, content); 828 else 829 ret = der_copy_octet_string(signedContent, content); 830 if (ret) { 831 hx509_set_error_string(context, 0, ret, "malloc: out of memory"); 832 goto out; 833 } 834 835 ret = hx509_certs_init(context, "MEMORY:cms-cert-buffer", 836 0, NULL, &certs); 837 if (ret) 838 goto out; 839 840 ret = hx509_certs_init(context, "MEMORY:cms-signer-certs", 841 0, NULL, signer_certs); 842 if (ret) 843 goto out; 844 845 /* XXX Check CMS version */ 846 847 ret = any_to_certs(context, &sd, certs); 848 if (ret) 849 goto out; 850 851 if (pool) { 852 ret = hx509_certs_merge(context, certs, pool); 853 if (ret) 854 goto out; 855 } 856 857 for (found_valid_sig = 0, i = 0; i < sd.signerInfos.len; i++) { 858 heim_octet_string signed_data; 859 const heim_oid *match_oid; 860 heim_oid decode_oid; 861 862 signer_info = &sd.signerInfos.val[i]; 863 match_oid = NULL; 864 865 if (signer_info->signature.length == 0) { 866 ret = HX509_CMS_MISSING_SIGNER_DATA; 867 hx509_set_error_string(context, 0, ret, 868 "SignerInfo %d in SignedData " 869 "missing sigature", i); 870 continue; 871 } 872 873 ret = find_CMSIdentifier(context, &signer_info->sid, certs, 874 _hx509_verify_get_time(ctx), &cert, 875 HX509_QUERY_KU_DIGITALSIGNATURE); 876 if (ret) { 877 /** 878 * If HX509_CMS_VS_NO_KU_CHECK is set, allow more liberal 879 * search for matching certificates by not considering 880 * KeyUsage bits on the certificates. 881 */ 882 if ((flags & HX509_CMS_VS_NO_KU_CHECK) == 0) 883 continue; 884 885 ret = find_CMSIdentifier(context, &signer_info->sid, certs, 886 _hx509_verify_get_time(ctx), &cert, 887 0); 888 if (ret) 889 continue; 890 891 } 892 893 if (signer_info->signedAttrs) { 894 const Attribute *attr; 895 896 CMSAttributes sa; 897 heim_octet_string os; 898 899 sa.val = signer_info->signedAttrs->val; 900 sa.len = signer_info->signedAttrs->len; 901 902 /* verify that sigature exists */ 903 attr = find_attribute(&sa, &asn1_oid_id_pkcs9_messageDigest); 904 if (attr == NULL) { 905 ret = HX509_CRYPTO_SIGNATURE_MISSING; 906 hx509_set_error_string(context, 0, ret, 907 "SignerInfo have signed attributes " 908 "but messageDigest (signature) " 909 "is missing"); 910 goto next_sigature; 911 } 912 if (attr->value.len != 1) { 913 ret = HX509_CRYPTO_SIGNATURE_MISSING; 914 hx509_set_error_string(context, 0, ret, 915 "SignerInfo have more then one " 916 "messageDigest (signature)"); 917 goto next_sigature; 918 } 919 920 ret = decode_MessageDigest(attr->value.val[0].data, 921 attr->value.val[0].length, 922 &os, 923 &size); 924 if (ret) { 925 hx509_set_error_string(context, 0, ret, 926 "Failed to decode " 927 "messageDigest (signature)"); 928 goto next_sigature; 929 } 930 931 ret = _hx509_verify_signature(context, 932 NULL, 933 &signer_info->digestAlgorithm, 934 content, 935 &os); 936 der_free_octet_string(&os); 937 if (ret) { 938 hx509_set_error_string(context, HX509_ERROR_APPEND, ret, 939 "Failed to verify messageDigest"); 940 goto next_sigature; 941 } 942 943 /* 944 * Fetch content oid inside signedAttrs or set it to 945 * id-pkcs7-data. 946 */ 947 attr = find_attribute(&sa, &asn1_oid_id_pkcs9_contentType); 948 if (attr == NULL) { 949 match_oid = &asn1_oid_id_pkcs7_data; 950 } else { 951 if (attr->value.len != 1) { 952 ret = HX509_CMS_DATA_OID_MISMATCH; 953 hx509_set_error_string(context, 0, ret, 954 "More then one oid in signedAttrs"); 955 goto next_sigature; 956 957 } 958 ret = decode_ContentType(attr->value.val[0].data, 959 attr->value.val[0].length, 960 &decode_oid, 961 &size); 962 if (ret) { 963 hx509_set_error_string(context, 0, ret, 964 "Failed to decode " 965 "oid in signedAttrs"); 966 goto next_sigature; 967 } 968 match_oid = &decode_oid; 969 } 970 971 ASN1_MALLOC_ENCODE(CMSAttributes, 972 signed_data.data, 973 signed_data.length, 974 &sa, 975 &size, ret); 976 if (ret) { 977 if (match_oid == &decode_oid) 978 der_free_oid(&decode_oid); 979 hx509_clear_error_string(context); 980 goto next_sigature; 981 } 982 if (size != signed_data.length) 983 _hx509_abort("internal ASN.1 encoder error"); 984 985 } else { 986 signed_data.data = content->data; 987 signed_data.length = content->length; 988 match_oid = &asn1_oid_id_pkcs7_data; 989 } 990 991 /** 992 * If HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH, allow 993 * encapContentInfo mismatch with the oid in signedAttributes 994 * (or if no signedAttributes where use, pkcs7-data oid). 995 * This is only needed to work with broken CMS implementations 996 * that doesn't follow CMS signedAttributes rules. 997 */ 998 999 if (der_heim_oid_cmp(match_oid, &sd.encapContentInfo.eContentType) && 1000 (flags & HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH) == 0) { 1001 ret = HX509_CMS_DATA_OID_MISMATCH; 1002 hx509_set_error_string(context, 0, ret, 1003 "Oid in message mismatch from the expected"); 1004 } 1005 if (match_oid == &decode_oid) 1006 der_free_oid(&decode_oid); 1007 1008 if (ret == 0) { 1009 ret = hx509_verify_signature(context, 1010 cert, 1011 &signer_info->signatureAlgorithm, 1012 &signed_data, 1013 &signer_info->signature); 1014 if (ret) 1015 hx509_set_error_string(context, HX509_ERROR_APPEND, ret, 1016 "Failed to verify signature in " 1017 "CMS SignedData"); 1018 } 1019 if (signer_info->signedAttrs) 1020 free(signed_data.data); 1021 if (ret) 1022 goto next_sigature; 1023 1024 /** 1025 * If HX509_CMS_VS_NO_VALIDATE flags is set, do not verify the 1026 * signing certificates and leave that up to the caller. 1027 */ 1028 1029 if ((flags & HX509_CMS_VS_NO_VALIDATE) == 0) { 1030 ret = hx509_verify_path(context, ctx, cert, certs); 1031 if (ret) 1032 goto next_sigature; 1033 } 1034 1035 ret = hx509_certs_add(context, *signer_certs, cert); 1036 if (ret) 1037 goto next_sigature; 1038 1039 found_valid_sig++; 1040 1041 next_sigature: 1042 if (cert) 1043 hx509_cert_free(cert); 1044 cert = NULL; 1045 } 1046 /** 1047 * If HX509_CMS_VS_ALLOW_ZERO_SIGNER is set, allow empty 1048 * SignerInfo (no signatures). If SignedData have no signatures, 1049 * the function will return 0 with signer_certs set to NULL. Zero 1050 * signers is allowed by the standard, but since its only useful 1051 * in corner cases, it make into a flag that the caller have to 1052 * turn on. 1053 */ 1054 if (sd.signerInfos.len == 0 && (flags & HX509_CMS_VS_ALLOW_ZERO_SIGNER)) { 1055 if (*signer_certs) 1056 hx509_certs_free(signer_certs); 1057 } else if (found_valid_sig == 0) { 1058 if (ret == 0) { 1059 ret = HX509_CMS_SIGNER_NOT_FOUND; 1060 hx509_set_error_string(context, 0, ret, 1061 "No signers where found"); 1062 } 1063 goto out; 1064 } 1065 1066 ret = der_copy_oid(&sd.encapContentInfo.eContentType, contentType); 1067 if (ret) { 1068 hx509_clear_error_string(context); 1069 goto out; 1070 } 1071 1072out: 1073 free_SignedData(&sd); 1074 if (certs) 1075 hx509_certs_free(&certs); 1076 if (ret) { 1077 if (content->data) 1078 der_free_octet_string(content); 1079 if (*signer_certs) 1080 hx509_certs_free(signer_certs); 1081 der_free_oid(contentType); 1082 der_free_octet_string(content); 1083 } 1084 1085 return ret; 1086} 1087 1088static int 1089add_one_attribute(Attribute **attr, 1090 unsigned int *len, 1091 const heim_oid *oid, 1092 heim_octet_string *data) 1093{ 1094 void *d; 1095 int ret; 1096 1097 d = realloc(*attr, sizeof((*attr)[0]) * (*len + 1)); 1098 if (d == NULL) 1099 return ENOMEM; 1100 (*attr) = d; 1101 1102 ret = der_copy_oid(oid, &(*attr)[*len].type); 1103 if (ret) 1104 return ret; 1105 1106 ALLOC_SEQ(&(*attr)[*len].value, 1); 1107 if ((*attr)[*len].value.val == NULL) { 1108 der_free_oid(&(*attr)[*len].type); 1109 return ENOMEM; 1110 } 1111 1112 (*attr)[*len].value.val[0].data = data->data; 1113 (*attr)[*len].value.val[0].length = data->length; 1114 1115 *len += 1; 1116 1117 return 0; 1118} 1119 1120/** 1121 * Decode SignedData and verify that the signature is correct. 1122 * 1123 * @param context A hx509 context. 1124 * @param flags 1125 * @param eContentType the type of the data. 1126 * @param data data to sign 1127 * @param length length of the data that data point to. 1128 * @param digest_alg digest algorithm to use, use NULL to get the 1129 * default or the peer determined algorithm. 1130 * @param cert certificate to use for sign the data. 1131 * @param peer info about the peer the message to send the message to, 1132 * like what digest algorithm to use. 1133 * @param anchors trust anchors that the client will use, used to 1134 * polulate the certificates included in the message 1135 * @param pool certificates to use in try to build the path to the 1136 * trust anchors. 1137 * @param signed_data the output of the function, free with 1138 * der_free_octet_string(). 1139 * 1140 * @ingroup hx509_cms 1141 */ 1142 1143int 1144hx509_cms_create_signed_1(hx509_context context, 1145 int flags, 1146 const heim_oid *eContentType, 1147 const void *data, size_t length, 1148 const AlgorithmIdentifier *digest_alg, 1149 hx509_cert cert, 1150 hx509_peer_info peer, 1151 hx509_certs anchors, 1152 hx509_certs pool, 1153 heim_octet_string *signed_data) 1154{ 1155 hx509_certs certs; 1156 int ret = 0; 1157 1158 signed_data->data = NULL; 1159 signed_data->length = 0; 1160 1161 ret = hx509_certs_init(context, "MEMORY:certs", 0, NULL, &certs); 1162 if (ret) 1163 return ret; 1164 ret = hx509_certs_add(context, certs, cert); 1165 if (ret) 1166 goto out; 1167 1168 ret = hx509_cms_create_signed(context, flags, eContentType, data, length, 1169 digest_alg, certs, peer, anchors, pool, 1170 signed_data); 1171 1172 out: 1173 hx509_certs_free(&certs); 1174 return ret; 1175} 1176 1177struct sigctx { 1178 SignedData sd; 1179 const AlgorithmIdentifier *digest_alg; 1180 const heim_oid *eContentType; 1181 heim_octet_string content; 1182 hx509_peer_info peer; 1183 int cmsidflag; 1184 int leafonly; 1185 hx509_certs certs; 1186 hx509_certs anchors; 1187 hx509_certs pool; 1188}; 1189 1190static int 1191sig_process(hx509_context context, void *ctx, hx509_cert cert) 1192{ 1193 struct sigctx *sigctx = ctx; 1194 heim_octet_string buf, sigdata = { 0, NULL }; 1195 SignerInfo *signer_info = NULL; 1196 AlgorithmIdentifier digest; 1197 size_t size; 1198 void *ptr; 1199 int ret; 1200 SignedData *sd = &sigctx->sd; 1201 hx509_path path; 1202 1203 memset(&digest, 0, sizeof(digest)); 1204 memset(&path, 0, sizeof(path)); 1205 1206 if (_hx509_cert_private_key(cert) == NULL) { 1207 hx509_set_error_string(context, 0, HX509_PRIVATE_KEY_MISSING, 1208 "Private key missing for signing"); 1209 return HX509_PRIVATE_KEY_MISSING; 1210 } 1211 1212 if (sigctx->digest_alg) { 1213 ret = copy_AlgorithmIdentifier(sigctx->digest_alg, &digest); 1214 if (ret) 1215 hx509_clear_error_string(context); 1216 } else { 1217 ret = hx509_crypto_select(context, HX509_SELECT_DIGEST, 1218 _hx509_cert_private_key(cert), 1219 sigctx->peer, &digest); 1220 } 1221 if (ret) 1222 goto out; 1223 1224 /* 1225 * Allocate on more signerInfo and do the signature processing 1226 */ 1227 1228 ptr = realloc(sd->signerInfos.val, 1229 (sd->signerInfos.len + 1) * sizeof(sd->signerInfos.val[0])); 1230 if (ptr == NULL) { 1231 ret = ENOMEM; 1232 goto out; 1233 } 1234 sd->signerInfos.val = ptr; 1235 1236 signer_info = &sd->signerInfos.val[sd->signerInfos.len]; 1237 1238 memset(signer_info, 0, sizeof(*signer_info)); 1239 1240 signer_info->version = 1; 1241 1242 ret = fill_CMSIdentifier(cert, sigctx->cmsidflag, &signer_info->sid); 1243 if (ret) { 1244 hx509_clear_error_string(context); 1245 goto out; 1246 } 1247 1248 signer_info->signedAttrs = NULL; 1249 signer_info->unsignedAttrs = NULL; 1250 1251 ret = copy_AlgorithmIdentifier(&digest, &signer_info->digestAlgorithm); 1252 if (ret) { 1253 hx509_clear_error_string(context); 1254 goto out; 1255 } 1256 1257 /* 1258 * If it isn't pkcs7-data send signedAttributes 1259 */ 1260 1261 if (der_heim_oid_cmp(sigctx->eContentType, &asn1_oid_id_pkcs7_data) != 0) { 1262 CMSAttributes sa; 1263 heim_octet_string sig; 1264 1265 ALLOC(signer_info->signedAttrs, 1); 1266 if (signer_info->signedAttrs == NULL) { 1267 ret = ENOMEM; 1268 goto out; 1269 } 1270 1271 ret = _hx509_create_signature(context, 1272 NULL, 1273 &digest, 1274 &sigctx->content, 1275 NULL, 1276 &sig); 1277 if (ret) 1278 goto out; 1279 1280 ASN1_MALLOC_ENCODE(MessageDigest, 1281 buf.data, 1282 buf.length, 1283 &sig, 1284 &size, 1285 ret); 1286 der_free_octet_string(&sig); 1287 if (ret) { 1288 hx509_clear_error_string(context); 1289 goto out; 1290 } 1291 if (size != buf.length) 1292 _hx509_abort("internal ASN.1 encoder error"); 1293 1294 ret = add_one_attribute(&signer_info->signedAttrs->val, 1295 &signer_info->signedAttrs->len, 1296 &asn1_oid_id_pkcs9_messageDigest, 1297 &buf); 1298 if (ret) { 1299 free(buf.data); 1300 hx509_clear_error_string(context); 1301 goto out; 1302 } 1303 1304 1305 ASN1_MALLOC_ENCODE(ContentType, 1306 buf.data, 1307 buf.length, 1308 sigctx->eContentType, 1309 &size, 1310 ret); 1311 if (ret) 1312 goto out; 1313 if (size != buf.length) 1314 _hx509_abort("internal ASN.1 encoder error"); 1315 1316 ret = add_one_attribute(&signer_info->signedAttrs->val, 1317 &signer_info->signedAttrs->len, 1318 &asn1_oid_id_pkcs9_contentType, 1319 &buf); 1320 if (ret) { 1321 free(buf.data); 1322 hx509_clear_error_string(context); 1323 goto out; 1324 } 1325 1326 sa.val = signer_info->signedAttrs->val; 1327 sa.len = signer_info->signedAttrs->len; 1328 1329 ASN1_MALLOC_ENCODE(CMSAttributes, 1330 sigdata.data, 1331 sigdata.length, 1332 &sa, 1333 &size, 1334 ret); 1335 if (ret) { 1336 hx509_clear_error_string(context); 1337 goto out; 1338 } 1339 if (size != sigdata.length) 1340 _hx509_abort("internal ASN.1 encoder error"); 1341 } else { 1342 sigdata.data = sigctx->content.data; 1343 sigdata.length = sigctx->content.length; 1344 } 1345 1346 { 1347 AlgorithmIdentifier sigalg; 1348 1349 ret = hx509_crypto_select(context, HX509_SELECT_PUBLIC_SIG, 1350 _hx509_cert_private_key(cert), sigctx->peer, 1351 &sigalg); 1352 if (ret) 1353 goto out; 1354 1355 ret = _hx509_create_signature(context, 1356 _hx509_cert_private_key(cert), 1357 &sigalg, 1358 &sigdata, 1359 &signer_info->signatureAlgorithm, 1360 &signer_info->signature); 1361 free_AlgorithmIdentifier(&sigalg); 1362 if (ret) 1363 goto out; 1364 } 1365 1366 sigctx->sd.signerInfos.len++; 1367 signer_info = NULL; 1368 1369 /* 1370 * Provide best effort path 1371 */ 1372 if (sigctx->certs) { 1373 unsigned int i; 1374 1375 if (sigctx->pool && sigctx->leafonly == 0) { 1376 _hx509_calculate_path(context, 1377 HX509_CALCULATE_PATH_NO_ANCHOR, 1378 time(NULL), 1379 sigctx->anchors, 1380 0, 1381 cert, 1382 sigctx->pool, 1383 &path); 1384 } else 1385 _hx509_path_append(context, &path, cert); 1386 1387 for (i = 0; i < path.len; i++) { 1388 /* XXX remove dups */ 1389 ret = hx509_certs_add(context, sigctx->certs, path.val[i]); 1390 if (ret) { 1391 hx509_clear_error_string(context); 1392 goto out; 1393 } 1394 } 1395 } 1396 1397 out: 1398 if (signer_info) 1399 free_SignerInfo(signer_info); 1400 if (sigdata.data != sigctx->content.data) 1401 der_free_octet_string(&sigdata); 1402 _hx509_path_free(&path); 1403 free_AlgorithmIdentifier(&digest); 1404 1405 return ret; 1406} 1407 1408static int 1409cert_process(hx509_context context, void *ctx, hx509_cert cert) 1410{ 1411 struct sigctx *sigctx = ctx; 1412 const unsigned int i = sigctx->sd.certificates->len; 1413 void *ptr; 1414 int ret; 1415 1416 ptr = realloc(sigctx->sd.certificates->val, 1417 (i + 1) * sizeof(sigctx->sd.certificates->val[0])); 1418 if (ptr == NULL) 1419 return ENOMEM; 1420 sigctx->sd.certificates->val = ptr; 1421 1422 ret = hx509_cert_binary(context, cert, 1423 &sigctx->sd.certificates->val[i]); 1424 if (ret == 0) 1425 sigctx->sd.certificates->len++; 1426 1427 return ret; 1428} 1429 1430static int 1431cmp_AlgorithmIdentifier(const AlgorithmIdentifier *p, const AlgorithmIdentifier *q) 1432{ 1433 return der_heim_oid_cmp(&p->algorithm, &q->algorithm); 1434} 1435 1436int 1437hx509_cms_create_signed(hx509_context context, 1438 int flags, 1439 const heim_oid *eContentType, 1440 const void *data, size_t length, 1441 const AlgorithmIdentifier *digest_alg, 1442 hx509_certs certs, 1443 hx509_peer_info peer, 1444 hx509_certs anchors, 1445 hx509_certs pool, 1446 heim_octet_string *signed_data) 1447{ 1448 unsigned int i, j; 1449 hx509_name name; 1450 int ret; 1451 size_t size; 1452 struct sigctx sigctx; 1453 1454 memset(&sigctx, 0, sizeof(sigctx)); 1455 memset(&name, 0, sizeof(name)); 1456 1457 if (eContentType == NULL) 1458 eContentType = &asn1_oid_id_pkcs7_data; 1459 1460 sigctx.digest_alg = digest_alg; 1461 sigctx.content.data = rk_UNCONST(data); 1462 sigctx.content.length = length; 1463 sigctx.eContentType = eContentType; 1464 sigctx.peer = peer; 1465 /** 1466 * Use HX509_CMS_SIGNATURE_ID_NAME to preferred use of issuer name 1467 * and serial number if possible. Otherwise subject key identifier 1468 * will preferred. 1469 */ 1470 if (flags & HX509_CMS_SIGNATURE_ID_NAME) 1471 sigctx.cmsidflag = CMS_ID_NAME; 1472 else 1473 sigctx.cmsidflag = CMS_ID_SKI; 1474 1475 /** 1476 * Use HX509_CMS_SIGNATURE_LEAF_ONLY to only request leaf 1477 * certificates to be added to the SignedData. 1478 */ 1479 sigctx.leafonly = (flags & HX509_CMS_SIGNATURE_LEAF_ONLY) ? 1 : 0; 1480 1481 /** 1482 * Use HX509_CMS_NO_CERTS to make the SignedData contain no 1483 * certificates, overrides HX509_CMS_SIGNATURE_LEAF_ONLY. 1484 */ 1485 1486 if ((flags & HX509_CMS_SIGNATURE_NO_CERTS) == 0) { 1487 ret = hx509_certs_init(context, "MEMORY:certs", 0, NULL, &sigctx.certs); 1488 if (ret) 1489 return ret; 1490 } 1491 1492 sigctx.anchors = anchors; 1493 sigctx.pool = pool; 1494 1495 sigctx.sd.version = CMSVersion_v3; 1496 1497 der_copy_oid(eContentType, &sigctx.sd.encapContentInfo.eContentType); 1498 1499 /** 1500 * Use HX509_CMS_SIGNATURE_DETACHED to create detached signatures. 1501 */ 1502 if ((flags & HX509_CMS_SIGNATURE_DETACHED) == 0) { 1503 ALLOC(sigctx.sd.encapContentInfo.eContent, 1); 1504 if (sigctx.sd.encapContentInfo.eContent == NULL) { 1505 hx509_clear_error_string(context); 1506 ret = ENOMEM; 1507 goto out; 1508 } 1509 1510 sigctx.sd.encapContentInfo.eContent->data = malloc(length); 1511 if (sigctx.sd.encapContentInfo.eContent->data == NULL) { 1512 hx509_clear_error_string(context); 1513 ret = ENOMEM; 1514 goto out; 1515 } 1516 memcpy(sigctx.sd.encapContentInfo.eContent->data, data, length); 1517 sigctx.sd.encapContentInfo.eContent->length = length; 1518 } 1519 1520 /** 1521 * Use HX509_CMS_SIGNATURE_NO_SIGNER to create no sigInfo (no 1522 * signatures). 1523 */ 1524 if ((flags & HX509_CMS_SIGNATURE_NO_SIGNER) == 0) { 1525 ret = hx509_certs_iter_f(context, certs, sig_process, &sigctx); 1526 if (ret) 1527 goto out; 1528 } 1529 1530 if (sigctx.sd.signerInfos.len) { 1531 1532 /* 1533 * For each signerInfo, collect all different digest types. 1534 */ 1535 for (i = 0; i < sigctx.sd.signerInfos.len; i++) { 1536 AlgorithmIdentifier *di = 1537 &sigctx.sd.signerInfos.val[i].digestAlgorithm; 1538 1539 for (j = 0; j < sigctx.sd.digestAlgorithms.len; j++) 1540 if (cmp_AlgorithmIdentifier(di, &sigctx.sd.digestAlgorithms.val[j]) == 0) 1541 break; 1542 if (j == sigctx.sd.digestAlgorithms.len) { 1543 ret = add_DigestAlgorithmIdentifiers(&sigctx.sd.digestAlgorithms, di); 1544 if (ret) { 1545 hx509_clear_error_string(context); 1546 goto out; 1547 } 1548 } 1549 } 1550 } 1551 1552 /* 1553 * Add certs we think are needed, build as part of sig_process 1554 */ 1555 if (sigctx.certs) { 1556 ALLOC(sigctx.sd.certificates, 1); 1557 if (sigctx.sd.certificates == NULL) { 1558 hx509_clear_error_string(context); 1559 ret = ENOMEM; 1560 goto out; 1561 } 1562 1563 ret = hx509_certs_iter_f(context, sigctx.certs, cert_process, &sigctx); 1564 if (ret) 1565 goto out; 1566 } 1567 1568 ASN1_MALLOC_ENCODE(SignedData, 1569 signed_data->data, signed_data->length, 1570 &sigctx.sd, &size, ret); 1571 if (ret) { 1572 hx509_clear_error_string(context); 1573 goto out; 1574 } 1575 if (signed_data->length != size) 1576 _hx509_abort("internal ASN.1 encoder error"); 1577 1578out: 1579 hx509_certs_free(&sigctx.certs); 1580 free_SignedData(&sigctx.sd); 1581 1582 return ret; 1583} 1584 1585int 1586hx509_cms_decrypt_encrypted(hx509_context context, 1587 hx509_lock lock, 1588 const void *data, 1589 size_t length, 1590 heim_oid *contentType, 1591 heim_octet_string *content) 1592{ 1593 heim_octet_string cont; 1594 CMSEncryptedData ed; 1595 AlgorithmIdentifier *ai; 1596 int ret; 1597 1598 memset(content, 0, sizeof(*content)); 1599 memset(&cont, 0, sizeof(cont)); 1600 1601 ret = decode_CMSEncryptedData(data, length, &ed, NULL); 1602 if (ret) { 1603 hx509_set_error_string(context, 0, ret, 1604 "Failed to decode CMSEncryptedData"); 1605 return ret; 1606 } 1607 1608 if (ed.encryptedContentInfo.encryptedContent == NULL) { 1609 ret = HX509_CMS_NO_DATA_AVAILABLE; 1610 hx509_set_error_string(context, 0, ret, 1611 "No content in EncryptedData"); 1612 goto out; 1613 } 1614 1615 ret = der_copy_oid(&ed.encryptedContentInfo.contentType, contentType); 1616 if (ret) { 1617 hx509_clear_error_string(context); 1618 goto out; 1619 } 1620 1621 ai = &ed.encryptedContentInfo.contentEncryptionAlgorithm; 1622 if (ai->parameters == NULL) { 1623 ret = HX509_ALG_NOT_SUPP; 1624 hx509_clear_error_string(context); 1625 goto out; 1626 } 1627 1628 ret = _hx509_pbe_decrypt(context, 1629 lock, 1630 ai, 1631 ed.encryptedContentInfo.encryptedContent, 1632 &cont); 1633 if (ret) 1634 goto out; 1635 1636 *content = cont; 1637 1638out: 1639 if (ret) { 1640 if (cont.data) 1641 free(cont.data); 1642 } 1643 free_CMSEncryptedData(&ed); 1644 return ret; 1645} 1646