1 /* Copyright (c) 2017, Google Inc.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15 #include <openssl/pkcs7.h>
16
17 #include <assert.h>
18 #include <limits.h>
19
20 #include <openssl/bytestring.h>
21 #include <openssl/err.h>
22 #include <openssl/mem.h>
23 #include <openssl/obj.h>
24 #include <openssl/pem.h>
25 #include <openssl/pool.h>
26 #include <openssl/stack.h>
27 #include <openssl/x509.h>
28
29 #include "internal.h"
30 #include "../internal.h"
31
32
PKCS7_get_certificates(STACK_OF (X509)* out_certs,CBS * cbs)33 int PKCS7_get_certificates(STACK_OF(X509) *out_certs, CBS *cbs) {
34 int ret = 0;
35 const size_t initial_certs_len = sk_X509_num(out_certs);
36 STACK_OF(CRYPTO_BUFFER) *raw = sk_CRYPTO_BUFFER_new_null();
37 if (raw == NULL ||
38 !PKCS7_get_raw_certificates(raw, cbs, NULL)) {
39 goto err;
40 }
41
42 for (size_t i = 0; i < sk_CRYPTO_BUFFER_num(raw); i++) {
43 CRYPTO_BUFFER *buf = sk_CRYPTO_BUFFER_value(raw, i);
44 X509 *x509 = X509_parse_from_buffer(buf);
45 if (x509 == NULL ||
46 !sk_X509_push(out_certs, x509)) {
47 X509_free(x509);
48 goto err;
49 }
50 }
51
52 ret = 1;
53
54 err:
55 sk_CRYPTO_BUFFER_pop_free(raw, CRYPTO_BUFFER_free);
56 if (!ret) {
57 while (sk_X509_num(out_certs) != initial_certs_len) {
58 X509 *x509 = sk_X509_pop(out_certs);
59 X509_free(x509);
60 }
61 }
62
63 return ret;
64 }
65
PKCS7_get_CRLs(STACK_OF (X509_CRL)* out_crls,CBS * cbs)66 int PKCS7_get_CRLs(STACK_OF(X509_CRL) *out_crls, CBS *cbs) {
67 CBS signed_data, crls;
68 uint8_t *der_bytes = NULL;
69 int ret = 0, has_crls;
70 const size_t initial_crls_len = sk_X509_CRL_num(out_crls);
71
72 // See https://tools.ietf.org/html/rfc2315#section-9.1
73 if (!pkcs7_parse_header(&der_bytes, &signed_data, cbs) ||
74 // Even if only CRLs are included, there may be an empty certificates
75 // block. OpenSSL does this, for example.
76 !CBS_get_optional_asn1(
77 &signed_data, NULL, NULL,
78 CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0) ||
79 !CBS_get_optional_asn1(
80 &signed_data, &crls, &has_crls,
81 CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 1)) {
82 goto err;
83 }
84
85 if (!has_crls) {
86 CBS_init(&crls, NULL, 0);
87 }
88
89 while (CBS_len(&crls) > 0) {
90 CBS crl_data;
91 X509_CRL *crl;
92 const uint8_t *inp;
93
94 if (!CBS_get_asn1_element(&crls, &crl_data, CBS_ASN1_SEQUENCE)) {
95 goto err;
96 }
97
98 if (CBS_len(&crl_data) > LONG_MAX) {
99 goto err;
100 }
101 inp = CBS_data(&crl_data);
102 crl = d2i_X509_CRL(NULL, &inp, (long)CBS_len(&crl_data));
103 if (!crl) {
104 goto err;
105 }
106
107 assert(inp == CBS_data(&crl_data) + CBS_len(&crl_data));
108
109 if (sk_X509_CRL_push(out_crls, crl) == 0) {
110 X509_CRL_free(crl);
111 goto err;
112 }
113 }
114
115 ret = 1;
116
117 err:
118 OPENSSL_free(der_bytes);
119
120 if (!ret) {
121 while (sk_X509_CRL_num(out_crls) != initial_crls_len) {
122 X509_CRL_free(sk_X509_CRL_pop(out_crls));
123 }
124 }
125
126 return ret;
127 }
128
PKCS7_get_PEM_certificates(STACK_OF (X509)* out_certs,BIO * pem_bio)129 int PKCS7_get_PEM_certificates(STACK_OF(X509) *out_certs, BIO *pem_bio) {
130 uint8_t *data;
131 long len;
132 int ret;
133
134 // Even though we pass PEM_STRING_PKCS7 as the expected PEM type here, PEM
135 // internally will actually allow several other values too, including
136 // "CERTIFICATE".
137 if (!PEM_bytes_read_bio(&data, &len, NULL /* PEM type output */,
138 PEM_STRING_PKCS7, pem_bio,
139 NULL /* password callback */,
140 NULL /* password callback argument */)) {
141 return 0;
142 }
143
144 CBS cbs;
145 CBS_init(&cbs, data, len);
146 ret = PKCS7_get_certificates(out_certs, &cbs);
147 OPENSSL_free(data);
148 return ret;
149 }
150
PKCS7_get_PEM_CRLs(STACK_OF (X509_CRL)* out_crls,BIO * pem_bio)151 int PKCS7_get_PEM_CRLs(STACK_OF(X509_CRL) *out_crls, BIO *pem_bio) {
152 uint8_t *data;
153 long len;
154 int ret;
155
156 // Even though we pass PEM_STRING_PKCS7 as the expected PEM type here, PEM
157 // internally will actually allow several other values too, including
158 // "CERTIFICATE".
159 if (!PEM_bytes_read_bio(&data, &len, NULL /* PEM type output */,
160 PEM_STRING_PKCS7, pem_bio,
161 NULL /* password callback */,
162 NULL /* password callback argument */)) {
163 return 0;
164 }
165
166 CBS cbs;
167 CBS_init(&cbs, data, len);
168 ret = PKCS7_get_CRLs(out_crls, &cbs);
169 OPENSSL_free(data);
170 return ret;
171 }
172
pkcs7_bundle_certificates_cb(CBB * out,const void * arg)173 static int pkcs7_bundle_certificates_cb(CBB *out, const void *arg) {
174 const STACK_OF(X509) *certs = arg;
175 size_t i;
176 CBB certificates;
177
178 // See https://tools.ietf.org/html/rfc2315#section-9.1
179 if (!CBB_add_asn1(out, &certificates,
180 CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0)) {
181 return 0;
182 }
183
184 for (i = 0; i < sk_X509_num(certs); i++) {
185 X509 *x509 = sk_X509_value(certs, i);
186 uint8_t *buf;
187 int len = i2d_X509(x509, NULL);
188
189 if (len < 0 ||
190 !CBB_add_space(&certificates, &buf, len) ||
191 i2d_X509(x509, &buf) < 0) {
192 return 0;
193 }
194 }
195
196 // |certificates| is a implicitly-tagged SET OF.
197 return CBB_flush_asn1_set_of(&certificates) && CBB_flush(out);
198 }
199
PKCS7_bundle_certificates(CBB * out,const STACK_OF (X509)* certs)200 int PKCS7_bundle_certificates(CBB *out, const STACK_OF(X509) *certs) {
201 return pkcs7_add_signed_data(out, /*digest_algos_cb=*/NULL,
202 pkcs7_bundle_certificates_cb,
203 /*signer_infos_cb=*/NULL, certs);
204 }
205
pkcs7_bundle_crls_cb(CBB * out,const void * arg)206 static int pkcs7_bundle_crls_cb(CBB *out, const void *arg) {
207 const STACK_OF(X509_CRL) *crls = arg;
208 size_t i;
209 CBB crl_data;
210
211 // See https://tools.ietf.org/html/rfc2315#section-9.1
212 if (!CBB_add_asn1(out, &crl_data,
213 CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 1)) {
214 return 0;
215 }
216
217 for (i = 0; i < sk_X509_CRL_num(crls); i++) {
218 X509_CRL *crl = sk_X509_CRL_value(crls, i);
219 uint8_t *buf;
220 int len = i2d_X509_CRL(crl, NULL);
221
222 if (len < 0 ||
223 !CBB_add_space(&crl_data, &buf, len) ||
224 i2d_X509_CRL(crl, &buf) < 0) {
225 return 0;
226 }
227 }
228
229 // |crl_data| is a implicitly-tagged SET OF.
230 return CBB_flush_asn1_set_of(&crl_data) && CBB_flush(out);
231 }
232
PKCS7_bundle_CRLs(CBB * out,const STACK_OF (X509_CRL)* crls)233 int PKCS7_bundle_CRLs(CBB *out, const STACK_OF(X509_CRL) *crls) {
234 return pkcs7_add_signed_data(out, /*digest_algos_cb=*/NULL,
235 pkcs7_bundle_crls_cb,
236 /*signer_infos_cb=*/NULL, crls);
237 }
238
pkcs7_new(CBS * cbs)239 static PKCS7 *pkcs7_new(CBS *cbs) {
240 PKCS7 *ret = OPENSSL_zalloc(sizeof(PKCS7));
241 if (ret == NULL) {
242 return NULL;
243 }
244 ret->type = OBJ_nid2obj(NID_pkcs7_signed);
245 ret->d.sign = OPENSSL_malloc(sizeof(PKCS7_SIGNED));
246 if (ret->d.sign == NULL) {
247 goto err;
248 }
249 ret->d.sign->cert = sk_X509_new_null();
250 ret->d.sign->crl = sk_X509_CRL_new_null();
251 CBS copy = *cbs, copy2 = *cbs;
252 if (ret->d.sign->cert == NULL || ret->d.sign->crl == NULL ||
253 !PKCS7_get_certificates(ret->d.sign->cert, ©) ||
254 !PKCS7_get_CRLs(ret->d.sign->crl, cbs)) {
255 goto err;
256 }
257
258 if (sk_X509_num(ret->d.sign->cert) == 0) {
259 sk_X509_free(ret->d.sign->cert);
260 ret->d.sign->cert = NULL;
261 }
262
263 if (sk_X509_CRL_num(ret->d.sign->crl) == 0) {
264 sk_X509_CRL_free(ret->d.sign->crl);
265 ret->d.sign->crl = NULL;
266 }
267
268 ret->ber_len = CBS_len(©2) - CBS_len(cbs);
269 ret->ber_bytes = OPENSSL_memdup(CBS_data(©2), ret->ber_len);
270 if (ret->ber_bytes == NULL) {
271 goto err;
272 }
273
274 return ret;
275
276 err:
277 PKCS7_free(ret);
278 return NULL;
279 }
280
d2i_PKCS7(PKCS7 ** out,const uint8_t ** inp,size_t len)281 PKCS7 *d2i_PKCS7(PKCS7 **out, const uint8_t **inp,
282 size_t len) {
283 CBS cbs;
284 CBS_init(&cbs, *inp, len);
285 PKCS7 *ret = pkcs7_new(&cbs);
286 if (ret == NULL) {
287 return NULL;
288 }
289 *inp = CBS_data(&cbs);
290 if (out != NULL) {
291 PKCS7_free(*out);
292 *out = ret;
293 }
294 return ret;
295 }
296
d2i_PKCS7_bio(BIO * bio,PKCS7 ** out)297 PKCS7 *d2i_PKCS7_bio(BIO *bio, PKCS7 **out) {
298 // Use a generous bound, to allow for PKCS#7 files containing large root sets.
299 static const size_t kMaxSize = 4 * 1024 * 1024;
300 uint8_t *data;
301 size_t len;
302 if (!BIO_read_asn1(bio, &data, &len, kMaxSize)) {
303 return NULL;
304 }
305
306 CBS cbs;
307 CBS_init(&cbs, data, len);
308 PKCS7 *ret = pkcs7_new(&cbs);
309 OPENSSL_free(data);
310 if (out != NULL && ret != NULL) {
311 PKCS7_free(*out);
312 *out = ret;
313 }
314 return ret;
315 }
316
i2d_PKCS7(const PKCS7 * p7,uint8_t ** out)317 int i2d_PKCS7(const PKCS7 *p7, uint8_t **out) {
318 if (p7->ber_len > INT_MAX) {
319 OPENSSL_PUT_ERROR(PKCS8, ERR_R_OVERFLOW);
320 return -1;
321 }
322
323 if (out == NULL) {
324 return (int)p7->ber_len;
325 }
326
327 if (*out == NULL) {
328 *out = OPENSSL_memdup(p7->ber_bytes, p7->ber_len);
329 if (*out == NULL) {
330 return -1;
331 }
332 } else {
333 OPENSSL_memcpy(*out, p7->ber_bytes, p7->ber_len);
334 *out += p7->ber_len;
335 }
336 return (int)p7->ber_len;
337 }
338
i2d_PKCS7_bio(BIO * bio,const PKCS7 * p7)339 int i2d_PKCS7_bio(BIO *bio, const PKCS7 *p7) {
340 return BIO_write_all(bio, p7->ber_bytes, p7->ber_len);
341 }
342
PKCS7_free(PKCS7 * p7)343 void PKCS7_free(PKCS7 *p7) {
344 if (p7 == NULL) {
345 return;
346 }
347
348 OPENSSL_free(p7->ber_bytes);
349 ASN1_OBJECT_free(p7->type);
350 // We only supported signed data.
351 if (p7->d.sign != NULL) {
352 sk_X509_pop_free(p7->d.sign->cert, X509_free);
353 sk_X509_CRL_pop_free(p7->d.sign->crl, X509_CRL_free);
354 OPENSSL_free(p7->d.sign);
355 }
356 OPENSSL_free(p7);
357 }
358
359 // We only support signed data, so these getters are no-ops.
PKCS7_type_is_data(const PKCS7 * p7)360 int PKCS7_type_is_data(const PKCS7 *p7) { return 0; }
PKCS7_type_is_digest(const PKCS7 * p7)361 int PKCS7_type_is_digest(const PKCS7 *p7) { return 0; }
PKCS7_type_is_encrypted(const PKCS7 * p7)362 int PKCS7_type_is_encrypted(const PKCS7 *p7) { return 0; }
PKCS7_type_is_enveloped(const PKCS7 * p7)363 int PKCS7_type_is_enveloped(const PKCS7 *p7) { return 0; }
PKCS7_type_is_signed(const PKCS7 * p7)364 int PKCS7_type_is_signed(const PKCS7 *p7) { return 1; }
PKCS7_type_is_signedAndEnveloped(const PKCS7 * p7)365 int PKCS7_type_is_signedAndEnveloped(const PKCS7 *p7) { return 0; }
366
367 // write_sha256_ai writes an AlgorithmIdentifier for SHA-256 to
368 // |digest_algos_set|.
write_sha256_ai(CBB * digest_algos_set,const void * arg)369 static int write_sha256_ai(CBB *digest_algos_set, const void *arg) {
370 CBB seq;
371 return CBB_add_asn1(digest_algos_set, &seq, CBS_ASN1_SEQUENCE) &&
372 OBJ_nid2cbb(&seq, NID_sha256) && //
373 // https://datatracker.ietf.org/doc/html/rfc5754#section-2
374 // "Implementations MUST generate SHA2 AlgorithmIdentifiers with absent
375 // parameters."
376 CBB_flush(digest_algos_set);
377 }
378
379 // sign_sha256 writes at most |max_out_sig| bytes of the signature of |data| by
380 // |pkey| to |out_sig| and sets |*out_sig_len| to the number of bytes written.
381 // It returns one on success or zero on error.
sign_sha256(uint8_t * out_sig,size_t * out_sig_len,size_t max_out_sig,EVP_PKEY * pkey,BIO * data)382 static int sign_sha256(uint8_t *out_sig, size_t *out_sig_len,
383 size_t max_out_sig, EVP_PKEY *pkey, BIO *data) {
384 static const size_t kBufSize = 4096;
385 uint8_t *buffer = OPENSSL_malloc(kBufSize);
386 if (!buffer) {
387 return 0;
388 }
389
390 EVP_MD_CTX ctx;
391 EVP_MD_CTX_init(&ctx);
392
393 int ret = 0;
394 if (!EVP_DigestSignInit(&ctx, NULL, EVP_sha256(), NULL, pkey)) {
395 goto out;
396 }
397
398 for (;;) {
399 const int n = BIO_read(data, buffer, kBufSize);
400 if (n == 0) {
401 break;
402 } else if (n < 0 || !EVP_DigestSignUpdate(&ctx, buffer, n)) {
403 goto out;
404 }
405 }
406
407 *out_sig_len = max_out_sig;
408 if (!EVP_DigestSignFinal(&ctx, out_sig, out_sig_len)) {
409 goto out;
410 }
411
412 ret = 1;
413
414 out:
415 EVP_MD_CTX_cleanup(&ctx);
416 OPENSSL_free(buffer);
417 return ret;
418 }
419
420 struct signer_info_data {
421 const X509 *sign_cert;
422 uint8_t *signature;
423 size_t signature_len;
424 };
425
426 // write_signer_info writes the SignerInfo structure from
427 // https://datatracker.ietf.org/doc/html/rfc2315#section-9.2 to |out|. It
428 // returns one on success or zero on error.
write_signer_info(CBB * out,const void * arg)429 static int write_signer_info(CBB *out, const void *arg) {
430 const struct signer_info_data *const si_data = arg;
431
432 int ret = 0;
433 uint8_t *subject_bytes = NULL;
434 uint8_t *serial_bytes = NULL;
435
436 const int subject_len =
437 i2d_X509_NAME(X509_get_subject_name(si_data->sign_cert), &subject_bytes);
438 const int serial_len = i2d_ASN1_INTEGER(
439 (ASN1_INTEGER *)X509_get0_serialNumber(si_data->sign_cert),
440 &serial_bytes);
441
442 CBB seq, issuer_and_serial, signing_algo, null, signature;
443 if (subject_len < 0 ||
444 serial_len < 0 ||
445 !CBB_add_asn1(out, &seq, CBS_ASN1_SEQUENCE) ||
446 // version
447 !CBB_add_asn1_uint64(&seq, 1) ||
448 !CBB_add_asn1(&seq, &issuer_and_serial, CBS_ASN1_SEQUENCE) ||
449 !CBB_add_bytes(&issuer_and_serial, subject_bytes, subject_len) ||
450 !CBB_add_bytes(&issuer_and_serial, serial_bytes, serial_len) ||
451 !write_sha256_ai(&seq, NULL) ||
452 !CBB_add_asn1(&seq, &signing_algo, CBS_ASN1_SEQUENCE) ||
453 !OBJ_nid2cbb(&signing_algo, NID_rsaEncryption) ||
454 !CBB_add_asn1(&signing_algo, &null, CBS_ASN1_NULL) ||
455 !CBB_add_asn1(&seq, &signature, CBS_ASN1_OCTETSTRING) ||
456 !CBB_add_bytes(&signature, si_data->signature, si_data->signature_len) ||
457 !CBB_flush(out)) {
458 goto out;
459 }
460
461 ret = 1;
462
463 out:
464 OPENSSL_free(subject_bytes);
465 OPENSSL_free(serial_bytes);
466 return ret;
467 }
468
PKCS7_sign(X509 * sign_cert,EVP_PKEY * pkey,STACK_OF (X509)* certs,BIO * data,int flags)469 PKCS7 *PKCS7_sign(X509 *sign_cert, EVP_PKEY *pkey, STACK_OF(X509) *certs,
470 BIO *data, int flags) {
471 CBB cbb;
472 if (!CBB_init(&cbb, 2048)) {
473 return NULL;
474 }
475
476 uint8_t *der = NULL;
477 size_t len;
478 PKCS7 *ret = NULL;
479
480 if (sign_cert == NULL && pkey == NULL && flags == PKCS7_DETACHED) {
481 // Caller just wants to bundle certificates.
482 if (!PKCS7_bundle_certificates(&cbb, certs)) {
483 goto out;
484 }
485 } else if (sign_cert != NULL && pkey != NULL && certs == NULL &&
486 data != NULL &&
487 flags == (PKCS7_NOATTR | PKCS7_BINARY | PKCS7_NOCERTS |
488 PKCS7_DETACHED) &&
489 EVP_PKEY_id(pkey) == NID_rsaEncryption) {
490 // sign-file.c from the Linux kernel.
491 const size_t signature_max_len = EVP_PKEY_size(pkey);
492 struct signer_info_data si_data = {
493 .sign_cert = sign_cert,
494 .signature = OPENSSL_malloc(signature_max_len),
495 };
496
497 if (!si_data.signature ||
498 !sign_sha256(si_data.signature, &si_data.signature_len,
499 signature_max_len, pkey, data) ||
500 !pkcs7_add_signed_data(&cbb, write_sha256_ai, /*cert_crl_cb=*/NULL,
501 write_signer_info, &si_data)) {
502 OPENSSL_free(si_data.signature);
503 goto out;
504 }
505 OPENSSL_free(si_data.signature);
506 } else {
507 OPENSSL_PUT_ERROR(PKCS7, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
508 goto out;
509 }
510
511 if (!CBB_finish(&cbb, &der, &len)) {
512 goto out;
513 }
514
515 CBS cbs;
516 CBS_init(&cbs, der, len);
517 ret = pkcs7_new(&cbs);
518
519 out:
520 CBB_cleanup(&cbb);
521 OPENSSL_free(der);
522 return ret;
523 }
524