From 6fdea2aba9b75a5be58db21fb9eda43f48d778b9 Mon Sep 17 00:00:00 2001
From: David Benjamin
Date: Sat, 15 Apr 2017 18:40:41 -0400
Subject: [PATCH] Move PKCS#7 functions into their own directory.
A follow-up change will add a CRYPTO_BUFFER variant. This makes the naming match the header and doesn't require including x509.h. (Though like ssl.h and pkcs8.h, some of the functions are implemented with code that depends on crypto/x509.)
Change-Id: I5a7de209f4f775fe0027893f711326d89699ca1f
Reviewed-on: https://boringssl-review.googlesource.com/15128
Commit-Queue: Steven Valdez
Reviewed-by: Steven Valdez
CQ-Verified: CQ bot account: commit-bot@chromium.org
---
 crypto/CMakeLists.txt | 2 +
 crypto/err/CMakeLists.txt | 1 +
 crypto/err/pkcs7.errordata | 4 ++
 crypto/pkcs7/CMakeLists.txt | 20 +++++++++
 crypto/{x509 => pkcs7}/pkcs7.c | 11 ++---
 crypto/{x509 => pkcs7}/pkcs7_test.c | 1 +
 crypto/x509/CMakeLists.txt | 12 +-----
 include/openssl/pkcs7.h | 64 ++++++++++++++++++++++++++++-
 include/openssl/x509.h | 32 +--------------
 util/all_tests.json | 2 +-
 10 files changed, 99 insertions(+), 50 deletions(-)
 create mode 100644 crypto/err/pkcs7.errordata
 create mode 100644 crypto/pkcs7/CMakeLists.txt
 rename crypto/{x509 => pkcs7}/pkcs7.c (97%)
 rename crypto/{x509 => pkcs7}/pkcs7_test.c (99%)
diff --git a/crypto/CMakeLists.txt b/crypto/CMakeLists.txt
index ef8c2d40..e4b559a4 100644
--- a/crypto/CMakeLists.txt
+++ b/crypto/CMakeLists.txt
@@ -116,6 +116,7 @@ add_subdirectory(x509)
 add_subdirectory(x509v3)
 # Level 4
+add_subdirectory(pkcs7)
 add_subdirectory(pkcs8)
 # Test support code
@@ -194,6 +195,7 @@ add_library(
 $
 $
 $
+ $
 $
 ${CRYPTO_FIPS_OBJECTS}
diff --git a/crypto/err/CMakeLists.txt b/crypto/err/CMakeLists.txt
index 579a35be..91c6f6eb 100644
--- a/crypto/err/CMakeLists.txt
+++ b/crypto/err/CMakeLists.txt
@@ -21,6 +21,7 @@ add_custom_command(
 hkdf.errordata
 obj.errordata
 pem.errordata
+ pkcs7.errordata
 pkcs8.errordata
 rsa.errordata
 ssl.errordata
diff --git a/crypto/err/pkcs7.errordata b/crypto/err/pkcs7.errordata
new file mode 100644
index 00000000..7080bd94
--- /dev/null
+++ b/crypto/err/pkcs7.errordata
@@ -0,0 +1,4 @@
+PKCS7,100,BAD_PKCS7_VERSION
+PKCS7,101,NOT_PKCS7_SIGNED_DATA
+PKCS7,102,NO_CERTIFICATES_INCLUDED
+PKCS7,103,NO_CRLS_INCLUDED
diff --git a/crypto/pkcs7/CMakeLists.txt b/crypto/pkcs7/CMakeLists.txt
new file mode 100644
index 00000000..d97957ad
--- /dev/null
+++ b/crypto/pkcs7/CMakeLists.txt
@@ -0,0 +1,20 @@
+include_directories(../../include)
+
+add_library(
+ pkcs7
+
+ OBJECT
+
+ pkcs7.c
+)
+
+add_executable(
+ pkcs7_test
+
+ pkcs7_test.c
+
+ $
+)
+
+target_link_libraries(pkcs7_test crypto)
+add_dependencies(all_tests pkcs7_test)
diff --git a/crypto/x509/pkcs7.c b/crypto/pkcs7/pkcs7.c
similarity index 97%
rename from crypto/x509/pkcs7.c
rename to crypto/pkcs7/pkcs7.c
index dc3ea7d9..b40ab9b2 100644
--- a/crypto/x509/pkcs7.c
+++ b/crypto/pkcs7/pkcs7.c
@@ -12,7 +12,7 @@
  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-#include
+#include
 #include
 #include
@@ -23,6 +23,7 @@
 #include
 #include
 #include
+#include
 #include "../bytestring/internal.h"
@@ -67,7 +68,7 @@ static int pkcs7_parse_header(uint8_t **der_bytes, CBS *out, CBS *cbs) {
 if (!CBS_mem_equal(&content_type, kPKCS7SignedData, sizeof(kPKCS7SignedData))) {
-OPENSSL_PUT_ERROR(X509, X509_R_NOT_PKCS7_SIGNED_DATA);
+OPENSSL_PUT_ERROR(PKCS7, PKCS7_R_NOT_PKCS7_SIGNED_DATA);
 goto err;
 }
@@ -82,7 +83,7 @@ static int pkcs7_parse_header(uint8_t **der_bytes, CBS *out, CBS *cbs) {
 }
 if (version < 1) {
-OPENSSL_PUT_ERROR(X509, X509_R_BAD_PKCS7_VERSION);
+OPENSSL_PUT_ERROR(PKCS7, PKCS7_R_BAD_PKCS7_VERSION);
 goto err;
 }
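Review bot: Changing `OPENSSL_PUT_ERROR(X509, X509_R_NOT_PKCS7_SIGNED_DATA)` to `OPENSSL_PUT_ERROR(PKCS7, PKCS7_R_NOT_PKCS7_SIGNED_DATA)` in pkcs7_parse_header moves these failures to a different error library, so a caller that inspects the error queue for ERR_LIB_X509 with the old X509_R_* reason will no longer match; the same applies to the BAD_PKCS7_VERSION hunk directly below and to the NO_CERTIFICATES_INCLUDED and NO_CRLS_INCLUDED hunks in PKCS7_get_certificates and PKCS7_get_CRLs. The x509.h hunks in this patch only drop the function declarations and add an include, so the old X509_R_* reason codes apparently stay defined and such callers would keep compiling while their matching silently stops; a grep for the old names and a line in the commit message noting the move to ERR_LIB_PKCS7 would make that visible. The new PKCS7_R_* numbers in pkcs7.h and pkcs7.errordata both read 100–103, which is the pairing that has to stay in sync. pkcs7_parse_header begins and ends outside these hunks.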
@@ -108,7 +109,7 @@ int PKCS7_get_certificates(STACK_OF(X509) *out_certs, CBS *cbs) {
 /* See https://tools.ietf.org/html/rfc2315#section-9.1 */
 if (!CBS_get_asn1(&signed_data, &certificates, CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0)) {
-OPENSSL_PUT_ERROR(X509, X509_R_NO_CERTIFICATES_INCLUDED);
+OPENSSL_PUT_ERROR(PKCS7, PKCS7_R_NO_CERTIFICATES_INCLUDED);
 goto err;
 }
@@ -176,7 +177,7 @@ int PKCS7_get_CRLs(STACK_OF(X509_CRL) *out_crls, CBS *cbs) {
 if (!CBS_get_asn1(&signed_data, &crls, CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 1)) {
-OPENSSL_PUT_ERROR(X509, X509_R_NO_CRLS_INCLUDED);
+OPENSSL_PUT_ERROR(PKCS7, PKCS7_R_NO_CRLS_INCLUDED);
 goto err;
 }
diff --git a/crypto/x509/pkcs7_test.c b/crypto/pkcs7/pkcs7_test.c
similarity index 99%
rename from crypto/x509/pkcs7_test.c
rename to crypto/pkcs7/pkcs7_test.c
index f620b9bc..486fdc89 100644
--- a/crypto/x509/pkcs7_test.c
+++ b/crypto/pkcs7/pkcs7_test.c
@@ -19,6 +19,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
diff --git a/crypto/x509/CMakeLists.txt b/crypto/x509/CMakeLists.txt
index 5d82e0a9..0d8c98c3 100644
--- a/crypto/x509/CMakeLists.txt
+++ b/crypto/x509/CMakeLists.txt
@@ -14,7 +14,6 @@ add_library(
 by_dir.c
 by_file.c
 i2d_pr.c
- pkcs7.c
 rsa_pss.c
 t_crl.c
 t_req.c
@@ -58,14 +57,6 @@ add_library(
 x_x509a.c
 )
-add_executable(
- pkcs7_test
-
- pkcs7_test.c
-
- $
-)
-
 add_executable(
 x509_test
@@ -74,6 +65,5 @@ add_executable(
 $
 )
-target_link_libraries(pkcs7_test crypto)
 target_link_libraries(x509_test crypto)
-add_dependencies(all_tests pkcs7_test x509_test)
+add_dependencies(all_tests x509_test)
diff --git a/include/openssl/pkcs7.h b/include/openssl/pkcs7.h
index 6e5e4330..f507ab6b 100644
--- a/include/openssl/pkcs7.h
+++ b/include/openssl/pkcs7.h
@@ -12,5 +12,65 @@
  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-/* This header is provided in order to make compiling against code that expects
- OpenSSL easier. */
+#ifndef OPENSSL_HEADER_PKCS7_H
+#define OPENSSL_HEADER_PKCS7_H
+
+#include
+
+#include
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+
+/* PKCS#7.
+ *
+ * This library contains functions for extracting information from PKCS#7
+ * structures (RFC 2315). */
+
+DECLARE_STACK_OF(X509)
+DECLARE_STACK_OF(X509_CRL)
+
+/* PKCS7_get_certificates parses a PKCS#7, SignedData structure from |cbs| and
+ * appends the included certificates to |out_certs|. It returns one on success
+ * and zero on error. */
+OPENSSL_EXPORT int PKCS7_get_certificates(STACK_OF(X509) *out_certs, CBS *cbs);
+
+/* PKCS7_bundle_certificates appends a PKCS#7, SignedData structure containing
+ * |certs| to |out|. It returns one on success and zero on error. */
+OPENSSL_EXPORT int PKCS7_bundle_certificates(
+ CBB *out, const STACK_OF(X509) *certs);
+
+/* PKCS7_get_CRLs parses a PKCS#7, SignedData structure from |cbs| and appends
+ * the included CRLs to |out_crls|. It returns one on success and zero on
+ * error. */
+OPENSSL_EXPORT int PKCS7_get_CRLs(STACK_OF(X509_CRL) *out_crls, CBS *cbs);
+
+/* PKCS7_bundle_CRLs appends a PKCS#7, SignedData structure containing
+ * |crls| to |out|. It returns one on success and zero on error. */
+OPENSSL_EXPORT int PKCS7_bundle_CRLs(CBB *out, const STACK_OF(X509_CRL) *crls);
+
+/* PKCS7_get_PEM_certificates reads a PEM-encoded, PKCS#7, SignedData structure
+ * from |pem_bio| and appends the included certificates to |out_certs|. It
+ * returns one on success and zero on error. */
+OPENSSL_EXPORT int PKCS7_get_PEM_certificates(STACK_OF(X509) *out_certs,
+ BIO *pem_bio);
+
+/* PKCS7_get_PEM_CRLs reads a PEM-encoded, PKCS#7, SignedData structure from
+ * |pem_bio| and appends the included CRLs to |out_crls|. It returns one on
+ * success and zero on error. */
+OPENSSL_EXPORT int PKCS7_get_PEM_CRLs(STACK_OF(X509_CRL) *out_crls,
+ BIO *pem_bio);
+
+
+#if defined(__cplusplus)
+} /* extern C */
+#endif
+
+#define PKCS7_R_BAD_PKCS7_VERSION 100
+#define PKCS7_R_NOT_PKCS7_SIGNED_DATA 101
+#define PKCS7_R_NO_CERTIFICATES_INCLUDED 102
+#define PKCS7_R_NO_CRLS_INCLUDED 103
+
+#endif /* OPENSSL_HEADER_PKCS7_H */
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index 44b3b7b0..914b2757 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@@ -77,6 +77,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
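Review bot: The per-function comments in the new pkcs7.h leave the failure contract open: PKCS7_get_certificates and PKCS7_get_CRLs say they return zero on error but not whether certificates or CRLs already appended to |out_certs| / |out_crls| are left there, and nothing states that the SignedData signature is not checked, which, going by the declarations and the parse path shown in pkcs7.c, appears to be the case (please confirm). Both facts matter to callers feeding untrusted DER or PEM into these functions, so I would add to the PKCS#7 section comment `These functions extract the certificates and CRLs carried in a SignedData structure; they do not verify any signature, so callers must validate what they receive.` and, on each parser, one sentence saying whether a failed call leaves the output stack unchanged. The two `#include` lines at the top of the header have lost their targets in this rendering, so which headers supply CBS, CBB, BIO and STACK_OF cannot be checked from the page.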
@@ -1115,37 +1116,6 @@ typedef struct rsa_pss_params_st {
 DECLARE_ASN1_FUNCTIONS(RSA_PSS_PARAMS)
-/* PKCS7_get_certificates parses a PKCS#7, SignedData structure from |cbs| and
- * appends the included certificates to |out_certs|. It returns one on success
- * and zero on error. */
-OPENSSL_EXPORT int PKCS7_get_certificates(STACK_OF(X509) *out_certs, CBS *cbs);
-
-/* PKCS7_bundle_certificates appends a PKCS#7, SignedData structure containing
- * |certs| to |out|. It returns one on success and zero on error. */
-OPENSSL_EXPORT int PKCS7_bundle_certificates(
- CBB *out, const STACK_OF(X509) *certs);
-
-/* PKCS7_get_CRLs parses a PKCS#7, SignedData structure from |cbs| and appends
- * the included CRLs to |out_crls|. It returns one on success and zero on
- * error. */
-OPENSSL_EXPORT int PKCS7_get_CRLs(STACK_OF(X509_CRL) *out_crls, CBS *cbs);
-
-/* PKCS7_bundle_CRLs appends a PKCS#7, SignedData structure containing
- * |crls| to |out|. It returns one on success and zero on error. */
-OPENSSL_EXPORT int PKCS7_bundle_CRLs(CBB *out, const STACK_OF(X509_CRL) *crls);
-
-/* PKCS7_get_PEM_certificates reads a PEM-encoded, PKCS#7, SignedData structure
- * from |pem_bio| and appends the included certificates to |out_certs|. It
- * returns one on success and zero on error. */
-OPENSSL_EXPORT int PKCS7_get_PEM_certificates(STACK_OF(X509) *out_certs,
- BIO *pem_bio);
-
-/* PKCS7_get_PEM_CRLs reads a PEM-encoded, PKCS#7, SignedData structure from
- * |pem_bio| and appends the included CRLs to |out_crls|. It returns one on
- * success and zero on error. */
-OPENSSL_EXPORT int PKCS7_get_PEM_CRLs(STACK_OF(X509_CRL) *out_crls,
- BIO *pem_bio);
-
 /* EVP_PK values indicate the algorithm of the public key in a certificate. */
 #define EVP_PK_RSA 0x0001
diff --git a/util/all_tests.json b/util/all_tests.json
index ebc632d9..ad85dea9 100644
--- a/util/all_tests.json
+++ b/util/all_tests.json
@@ -63,6 +63,7 @@
 ["crypto/lhash/lhash_test"],
 ["crypto/modes/gcm_test"],
 ["crypto/obj/obj_test"],
+ ["crypto/pkcs7/pkcs7_test"],
 ["crypto/pkcs8/pkcs12_test"],
 ["crypto/pkcs8/pkcs8_test"],
 ["crypto/poly1305/poly1305_test", "crypto/poly1305/poly1305_tests.txt"],
@@ -70,7 +71,6 @@
 ["crypto/rand/ctrdrbg_vector_test", "crypto/rand/ctrdrbg_vectors.txt"],
 ["crypto/refcount_test"],
 ["crypto/thread_test"],
- ["crypto/x509/pkcs7_test"],
 ["crypto/x509/x509_test"],
 ["crypto/x509v3/tab_test"],
 ["crypto/x509v3/v3name_test"],