79c97bf37c
Right now we're inconsistent about it. If the OPTIONAL container is missing, we report an error, but if the container is empty, we happily return nothing. The latter behavior is more convenient for emulating OpenSSL's PKCS#7 functions. These are our own functions, so we have some leeway here. Looking through callers, they appear to handle this fine. Update-Note: This is a behavior change. Change-Id: I1321025a64df3054d380003c90e57d9eb95e610f Reviewed-on: https://boringssl-review.googlesource.com/29364 Reviewed-by: Adam Langley <agl@google.com>
230 lines
6.1 KiB
C
230 lines
6.1 KiB
C
/* Copyright (c) 2017, Google Inc.
|
|
*
|
|
* Permission to use, copy, modify, and/or distribute this software for any
|
|
* purpose with or without fee is hereby granted, provided that the above
|
|
* copyright notice and this permission notice appear in all copies.
|
|
*
|
|
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
|
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
|
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
|
|
* SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
|
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
|
|
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
|
|
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
|
|
|
|
#include <openssl/pkcs7.h>
|
|
|
|
#include <assert.h>
|
|
#include <limits.h>
|
|
|
|
#include <openssl/bytestring.h>
|
|
#include <openssl/err.h>
|
|
#include <openssl/mem.h>
|
|
#include <openssl/pem.h>
|
|
#include <openssl/pool.h>
|
|
#include <openssl/stack.h>
|
|
#include <openssl/x509.h>
|
|
|
|
#include "internal.h"
|
|
|
|
|
|
int PKCS7_get_certificates(STACK_OF(X509) *out_certs, CBS *cbs) {
|
|
int ret = 0;
|
|
const size_t initial_certs_len = sk_X509_num(out_certs);
|
|
STACK_OF(CRYPTO_BUFFER) *raw = sk_CRYPTO_BUFFER_new_null();
|
|
if (raw == NULL ||
|
|
!PKCS7_get_raw_certificates(raw, cbs, NULL)) {
|
|
goto err;
|
|
}
|
|
|
|
for (size_t i = 0; i < sk_CRYPTO_BUFFER_num(raw); i++) {
|
|
CRYPTO_BUFFER *buf = sk_CRYPTO_BUFFER_value(raw, i);
|
|
X509 *x509 = X509_parse_from_buffer(buf);
|
|
if (x509 == NULL ||
|
|
!sk_X509_push(out_certs, x509)) {
|
|
X509_free(x509);
|
|
goto err;
|
|
}
|
|
}
|
|
|
|
ret = 1;
|
|
|
|
err:
|
|
sk_CRYPTO_BUFFER_pop_free(raw, CRYPTO_BUFFER_free);
|
|
if (!ret) {
|
|
while (sk_X509_num(out_certs) != initial_certs_len) {
|
|
X509 *x509 = sk_X509_pop(out_certs);
|
|
X509_free(x509);
|
|
}
|
|
}
|
|
|
|
return ret;
|
|
}
|
|
|
|
int PKCS7_get_CRLs(STACK_OF(X509_CRL) *out_crls, CBS *cbs) {
|
|
CBS signed_data, crls;
|
|
uint8_t *der_bytes = NULL;
|
|
int ret = 0, has_crls;
|
|
const size_t initial_crls_len = sk_X509_CRL_num(out_crls);
|
|
|
|
// See https://tools.ietf.org/html/rfc2315#section-9.1
|
|
if (!pkcs7_parse_header(&der_bytes, &signed_data, cbs) ||
|
|
// Even if only CRLs are included, there may be an empty certificates
|
|
// block. OpenSSL does this, for example.
|
|
!CBS_get_optional_asn1(
|
|
&signed_data, NULL, NULL,
|
|
CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0) ||
|
|
!CBS_get_optional_asn1(
|
|
&signed_data, &crls, &has_crls,
|
|
CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 1)) {
|
|
goto err;
|
|
}
|
|
|
|
if (!has_crls) {
|
|
CBS_init(&crls, NULL, 0);
|
|
}
|
|
|
|
while (CBS_len(&crls) > 0) {
|
|
CBS crl_data;
|
|
X509_CRL *crl;
|
|
const uint8_t *inp;
|
|
|
|
if (!CBS_get_asn1_element(&crls, &crl_data, CBS_ASN1_SEQUENCE)) {
|
|
goto err;
|
|
}
|
|
|
|
if (CBS_len(&crl_data) > LONG_MAX) {
|
|
goto err;
|
|
}
|
|
inp = CBS_data(&crl_data);
|
|
crl = d2i_X509_CRL(NULL, &inp, (long)CBS_len(&crl_data));
|
|
if (!crl) {
|
|
goto err;
|
|
}
|
|
|
|
assert(inp == CBS_data(&crl_data) + CBS_len(&crl_data));
|
|
|
|
if (sk_X509_CRL_push(out_crls, crl) == 0) {
|
|
X509_CRL_free(crl);
|
|
goto err;
|
|
}
|
|
}
|
|
|
|
ret = 1;
|
|
|
|
err:
|
|
OPENSSL_free(der_bytes);
|
|
|
|
if (!ret) {
|
|
while (sk_X509_CRL_num(out_crls) != initial_crls_len) {
|
|
X509_CRL_free(sk_X509_CRL_pop(out_crls));
|
|
}
|
|
}
|
|
|
|
return ret;
|
|
}
|
|
|
|
int PKCS7_get_PEM_certificates(STACK_OF(X509) *out_certs, BIO *pem_bio) {
|
|
uint8_t *data;
|
|
long len;
|
|
int ret;
|
|
|
|
// Even though we pass PEM_STRING_PKCS7 as the expected PEM type here, PEM
|
|
// internally will actually allow several other values too, including
|
|
// "CERTIFICATE".
|
|
if (!PEM_bytes_read_bio(&data, &len, NULL /* PEM type output */,
|
|
PEM_STRING_PKCS7, pem_bio,
|
|
NULL /* password callback */,
|
|
NULL /* password callback argument */)) {
|
|
return 0;
|
|
}
|
|
|
|
CBS cbs;
|
|
CBS_init(&cbs, data, len);
|
|
ret = PKCS7_get_certificates(out_certs, &cbs);
|
|
OPENSSL_free(data);
|
|
return ret;
|
|
}
|
|
|
|
int PKCS7_get_PEM_CRLs(STACK_OF(X509_CRL) *out_crls, BIO *pem_bio) {
|
|
uint8_t *data;
|
|
long len;
|
|
int ret;
|
|
|
|
// Even though we pass PEM_STRING_PKCS7 as the expected PEM type here, PEM
|
|
// internally will actually allow several other values too, including
|
|
// "CERTIFICATE".
|
|
if (!PEM_bytes_read_bio(&data, &len, NULL /* PEM type output */,
|
|
PEM_STRING_PKCS7, pem_bio,
|
|
NULL /* password callback */,
|
|
NULL /* password callback argument */)) {
|
|
return 0;
|
|
}
|
|
|
|
CBS cbs;
|
|
CBS_init(&cbs, data, len);
|
|
ret = PKCS7_get_CRLs(out_crls, &cbs);
|
|
OPENSSL_free(data);
|
|
return ret;
|
|
}
|
|
|
|
static int pkcs7_bundle_certificates_cb(CBB *out, const void *arg) {
|
|
const STACK_OF(X509) *certs = arg;
|
|
size_t i;
|
|
CBB certificates;
|
|
|
|
// See https://tools.ietf.org/html/rfc2315#section-9.1
|
|
if (!CBB_add_asn1(out, &certificates,
|
|
CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0)) {
|
|
return 0;
|
|
}
|
|
|
|
for (i = 0; i < sk_X509_num(certs); i++) {
|
|
X509 *x509 = sk_X509_value(certs, i);
|
|
uint8_t *buf;
|
|
int len = i2d_X509(x509, NULL);
|
|
|
|
if (len < 0 ||
|
|
!CBB_add_space(&certificates, &buf, len) ||
|
|
i2d_X509(x509, &buf) < 0) {
|
|
return 0;
|
|
}
|
|
}
|
|
|
|
return CBB_flush(out);
|
|
}
|
|
|
|
int PKCS7_bundle_certificates(CBB *out, const STACK_OF(X509) *certs) {
|
|
return pkcs7_bundle(out, pkcs7_bundle_certificates_cb, certs);
|
|
}
|
|
|
|
static int pkcs7_bundle_crls_cb(CBB *out, const void *arg) {
|
|
const STACK_OF(X509_CRL) *crls = arg;
|
|
size_t i;
|
|
CBB crl_data;
|
|
|
|
// See https://tools.ietf.org/html/rfc2315#section-9.1
|
|
if (!CBB_add_asn1(out, &crl_data,
|
|
CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 1)) {
|
|
return 0;
|
|
}
|
|
|
|
for (i = 0; i < sk_X509_CRL_num(crls); i++) {
|
|
X509_CRL *crl = sk_X509_CRL_value(crls, i);
|
|
uint8_t *buf;
|
|
int len = i2d_X509_CRL(crl, NULL);
|
|
|
|
if (len < 0 ||
|
|
!CBB_add_space(&crl_data, &buf, len) ||
|
|
i2d_X509_CRL(crl, &buf) < 0) {
|
|
return 0;
|
|
}
|
|
}
|
|
|
|
return CBB_flush(out);
|
|
}
|
|
|
|
int PKCS7_bundle_CRLs(CBB *out, const STACK_OF(X509_CRL) *crls) {
|
|
return pkcs7_bundle(out, pkcs7_bundle_crls_cb, crls);
|
|
}
|