63
63
#include <openssl/x509.h>
64
64
#include <openssl/x509v3.h>
66
static int pkcs7_copy_existing_digest(PKCS7 *p7, PKCS7_SIGNER_INFO *si);
66
68
PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs,
67
69
BIO *data, int flags)
70
PKCS7_SIGNER_INFO *si;
74
if(!(p7 = PKCS7_new()))
76
PKCS7err(PKCS7_F_PKCS7_SIGN,ERR_R_MALLOC_FAILURE);
80
if (!PKCS7_set_type(p7, NID_pkcs7_signed))
83
if (!PKCS7_content_new(p7, NID_pkcs7_data))
86
if (pkey && !PKCS7_sign_add_signer(p7, signcert, pkey, NULL, flags))
88
PKCS7err(PKCS7_F_PKCS7_SIGN,PKCS7_R_PKCS7_ADD_SIGNER_ERROR);
92
if(!(flags & PKCS7_NOCERTS))
94
for(i = 0; i < sk_X509_num(certs); i++)
96
if (!PKCS7_add_certificate(p7, sk_X509_value(certs, i)))
101
if(flags & PKCS7_DETACHED)
102
PKCS7_set_detached(p7, 1);
104
if (flags & (PKCS7_STREAM|PKCS7_PARTIAL))
107
if (PKCS7_final(p7, data, flags))
115
int PKCS7_final(PKCS7 *p7, BIO *data, int flags)
119
if (!(p7bio = PKCS7_dataInit(p7, NULL)))
121
PKCS7err(PKCS7_F_PKCS7_FINAL,ERR_R_MALLOC_FAILURE);
125
SMIME_crlf_copy(data, p7bio, flags);
127
(void)BIO_flush(p7bio);
130
if (!PKCS7_dataFinal(p7,p7bio))
132
PKCS7err(PKCS7_F_PKCS7_FINAL,PKCS7_R_PKCS7_DATASIGN);
145
/* Check to see if a cipher exists and if so add S/MIME capabilities */
147
static int add_cipher_smcap(STACK_OF(X509_ALGOR) *sk, int nid, int arg)
149
if (EVP_get_cipherbynid(nid))
150
return PKCS7_simple_smimecap(sk, nid, arg);
154
static int add_digest_smcap(STACK_OF(X509_ALGOR) *sk, int nid, int arg)
156
if (EVP_get_digestbynid(nid))
157
return PKCS7_simple_smimecap(sk, nid, arg);
161
PKCS7_SIGNER_INFO *PKCS7_sign_add_signer(PKCS7 *p7, X509 *signcert,
162
EVP_PKEY *pkey, const EVP_MD *md,
165
PKCS7_SIGNER_INFO *si = NULL;
72
166
STACK_OF(X509_ALGOR) *smcap = NULL;
75
if(!X509_check_private_key(signcert, pkey)) {
76
PKCS7err(PKCS7_F_PKCS7_SIGN,PKCS7_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
167
if(!X509_check_private_key(signcert, pkey))
169
PKCS7err(PKCS7_F_PKCS7_SIGN_ADD_SIGNER,
170
PKCS7_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE);
80
if(!(p7 = PKCS7_new())) {
81
PKCS7err(PKCS7_F_PKCS7_SIGN,ERR_R_MALLOC_FAILURE);
174
if (!(si = PKCS7_add_signature(p7,signcert,pkey, md)))
176
PKCS7err(PKCS7_F_PKCS7_SIGN_ADD_SIGNER,
177
PKCS7_R_PKCS7_ADD_SIGNATURE_ERROR);
85
if (!PKCS7_set_type(p7, NID_pkcs7_signed))
88
if (!PKCS7_content_new(p7, NID_pkcs7_data))
91
if (!(si = PKCS7_add_signature(p7,signcert,pkey,EVP_sha1()))) {
92
PKCS7err(PKCS7_F_PKCS7_SIGN,PKCS7_R_PKCS7_ADD_SIGNATURE_ERROR);
96
if(!(flags & PKCS7_NOCERTS)) {
181
if(!(flags & PKCS7_NOCERTS))
97
183
if (!PKCS7_add_certificate(p7, signcert))
99
if(certs) for(i = 0; i < sk_X509_num(certs); i++)
100
if (!PKCS7_add_certificate(p7, sk_X509_value(certs, i)))
104
if(!(flags & PKCS7_NOATTR)) {
105
if (!PKCS7_add_signed_attribute(si, NID_pkcs9_contentType,
106
V_ASN1_OBJECT, OBJ_nid2obj(NID_pkcs7_data)))
187
if(!(flags & PKCS7_NOATTR))
189
if (!PKCS7_add_attrib_content_type(si, NULL))
108
191
/* Add SMIMECapabilities */
109
192
if(!(flags & PKCS7_NOSMIMECAP))
111
if(!(smcap = sk_X509_ALGOR_new_null())) {
112
PKCS7err(PKCS7_F_PKCS7_SIGN,ERR_R_MALLOC_FAILURE);
194
if(!(smcap = sk_X509_ALGOR_new_null()))
196
PKCS7err(PKCS7_F_PKCS7_SIGN_ADD_SIGNER,
197
ERR_R_MALLOC_FAILURE);
200
if (!add_cipher_smcap(smcap, NID_aes_256_cbc, -1)
201
|| !add_digest_smcap(smcap, NID_id_GostR3411_94, -1)
202
|| !add_cipher_smcap(smcap, NID_id_Gost28147_89, -1)
203
|| !add_cipher_smcap(smcap, NID_aes_192_cbc, -1)
204
|| !add_cipher_smcap(smcap, NID_aes_128_cbc, -1)
205
|| !add_cipher_smcap(smcap, NID_des_ede3_cbc, -1)
206
|| !add_cipher_smcap(smcap, NID_rc2_cbc, 128)
207
|| !add_cipher_smcap(smcap, NID_rc2_cbc, 64)
208
|| !add_cipher_smcap(smcap, NID_des_cbc, -1)
209
|| !add_cipher_smcap(smcap, NID_rc2_cbc, 40)
210
|| !PKCS7_add_attrib_smimecap (si, smcap))
212
sk_X509_ALGOR_pop_free(smcap, X509_ALGOR_free);
215
if (flags & PKCS7_REUSE_DIGEST)
217
if (!pkcs7_copy_existing_digest(p7, si))
219
if (!(flags & PKCS7_PARTIAL) &&
220
!PKCS7_SIGNER_INFO_sign(si))
115
#ifndef OPENSSL_NO_DES
116
if (!PKCS7_simple_smimecap (smcap, NID_des_ede3_cbc, -1))
119
#ifndef OPENSSL_NO_RC2
120
if (!PKCS7_simple_smimecap (smcap, NID_rc2_cbc, 128))
122
if (!PKCS7_simple_smimecap (smcap, NID_rc2_cbc, 64))
125
#ifndef OPENSSL_NO_DES
126
if (!PKCS7_simple_smimecap (smcap, NID_des_cbc, -1))
129
#ifndef OPENSSL_NO_RC2
130
if (!PKCS7_simple_smimecap (smcap, NID_rc2_cbc, 40))
133
if (!PKCS7_add_attrib_smimecap (si, smcap))
135
227
sk_X509_ALGOR_pop_free(smcap, X509_ALGOR_free);
231
/* Search for a digest matching SignerInfo digest type and if found
235
static int pkcs7_copy_existing_digest(PKCS7 *p7, PKCS7_SIGNER_INFO *si)
238
STACK_OF(PKCS7_SIGNER_INFO) *sinfos;
239
PKCS7_SIGNER_INFO *sitmp;
240
ASN1_OCTET_STRING *osdig = NULL;
241
sinfos = PKCS7_get_signer_info(p7);
242
for (i = 0; i < sk_PKCS7_SIGNER_INFO_num(sinfos); i++)
244
sitmp = sk_PKCS7_SIGNER_INFO_value(sinfos, i);
247
if (sk_X509_ATTRIBUTE_num(sitmp->auth_attr) <= 0)
249
if (!OBJ_cmp(si->digest_alg->algorithm,
250
sitmp->digest_alg->algorithm))
252
osdig = PKCS7_digest_from_attributes(sitmp->auth_attr);
140
if(flags & PKCS7_DETACHED)PKCS7_set_detached(p7, 1);
142
if (flags & PKCS7_STREAM)
146
if (!(p7bio = PKCS7_dataInit(p7, NULL))) {
147
PKCS7err(PKCS7_F_PKCS7_SIGN,ERR_R_MALLOC_FAILURE);
151
SMIME_crlf_copy(data, p7bio, flags);
154
if (!PKCS7_dataFinal(p7,p7bio)) {
155
PKCS7err(PKCS7_F_PKCS7_SIGN,PKCS7_R_PKCS7_DATASIGN);
162
sk_X509_ALGOR_pop_free(smcap, X509_ALGOR_free);
259
return PKCS7_add1_attrib_digest(si, osdig->data, osdig->length);
261
PKCS7err(PKCS7_F_PKCS7_COPY_EXISTING_DIGEST,
262
PKCS7_R_NO_MATCHING_DIGEST_TYPE_FOUND);
168
266
int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
169
267
BIO *indata, BIO *out, int flags)