yggdrasil/ring
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add PKCS7_get_raw_certificates.

Browse Source 
This is a version of PKCS7_get_certificates but does not require
crypto/x509.

BUG=54

Change-Id: I20152a8d1f3ed866d47e41fe576ea9f442490224
Reviewed-on: https://boringssl-review.googlesource.com/15129
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
This commit is contained in:
David Benjamin 2017-04-15 18:52:35 -04:00 committed by CQ bot account: commit-bot@chromium.org
parent 6fdea2aba9
commit 378a08aa31
5 changed files with 307 additions and 210 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
crypto/pkcs7/CMakeLists.txt
View File

@ -6,6 +6,7 @@ add_library(
OBJECT
pkcs7.c
pkcs7_x509.c
)
add_executable(

49
crypto/pkcs7/internal.h Normal file
View File

@ -0,0 +1,49 @@
/* Copyright (c) 2017, Google Inc.
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
* SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
#ifndef OPENSSL_HEADER_PKCS7_INTERNAL_H
#define OPENSSL_HEADER_PKCS7_INTERNAL_H
#include <openssl/base.h>
#if defined(__cplusplus)
extern "C" {
#endif
/* pkcs7_parse_header reads the non-certificate/non-CRL prefix of a PKCS#7
* SignedData blob from |cbs| and sets |*out| to point to the rest of the
* input. If the input is in BER format, then |*der_bytes| will be set to a
* pointer that needs to be freed by the caller once they have finished
* processing |*out| (which will be pointing into |*der_bytes|).
*
* It returns one on success or zero on error. On error, |*der_bytes| is
* NULL. */
int pkcs7_parse_header(uint8_t **der_bytes, CBS *out, CBS *cbs);
/* pkcs7_bundle writes a PKCS#7, SignedData structure to |out| and then calls
* |cb| with a CBB to which certificate or CRL data can be written, and the
* opaque context pointer, |arg|. The callback can return zero to indicate an
* error.
*
* pkcs7_bundle returns one on success or zero on error. */
int pkcs7_bundle(CBB *out, int (*cb)(CBB *out, const void *arg),
const void *arg);
#if defined(__cplusplus)
} /* extern C */
#endif
#endif /* OPENSSL_HEADER_PKCS7_INTERNAL_H */

222
crypto/pkcs7/pkcs7.c
View File

@ -14,17 +14,13 @@
#include <openssl/pkcs7.h>
#include <assert.h>
#include <limits.h>
#include <openssl/bytestring.h>
#include <openssl/err.h>
#include <openssl/mem.h>
#include <openssl/obj.h>
#include <openssl/pem.h>
#include <openssl/pool.h>
#include <openssl/stack.h>
#include <openssl/x509.h>
#include "internal.h"
#include "../bytestring/internal.h"
@ -44,7 +40,7 @@ static const uint8_t kPKCS7SignedData[] = {0x2a, 0x86, 0x48, 0x86, 0xf7,
*
* It returns one on success or zero on error. On error, |*der_bytes| is
* NULL. */
static int pkcs7_parse_header(uint8_t **der_bytes, CBS *out, CBS *cbs) {
int pkcs7_parse_header(uint8_t **der_bytes, CBS *out, CBS *cbs) {
size_t der_len;
CBS in, content_info, content_type, wrapped_signed_data, signed_data;
uint64_t version;
@ -96,11 +92,12 @@ err:
return 0;
}
int PKCS7_get_certificates(STACK_OF(X509) *out_certs, CBS *cbs) {
int PKCS7_get_raw_certificates(STACK_OF(CRYPTO_BUFFER) *out_certs, CBS *cbs,
CRYPTO_BUFFER_POOL *pool) {
CBS signed_data, certificates;
uint8_t *der_bytes = NULL;
int ret = 0;
const size_t initial_certs_len = sk_X509_num(out_certs);
const size_t initial_certs_len = sk_CRYPTO_BUFFER_num(out_certs);
if (!pkcs7_parse_header(&der_bytes, &signed_data, cbs)) {
return 0;
@ -115,26 +112,14 @@ int PKCS7_get_certificates(STACK_OF(X509) *out_certs, CBS *cbs) {
while (CBS_len(&certificates) > 0) {
CBS cert;
X509 *x509;
const uint8_t *inp;
if (!CBS_get_asn1_element(&certificates, &cert, CBS_ASN1_SEQUENCE)) {
goto err;
}
if (CBS_len(&cert) > LONG_MAX) {
goto err;
}
inp = CBS_data(&cert);
x509 = d2i_X509(NULL, &inp, (long)CBS_len(&cert));
if (!x509) {
goto err;
}
assert(inp == CBS_data(&cert) + CBS_len(&cert));
if (sk_X509_push(out_certs, x509) == 0) {
X509_free(x509);
CRYPTO_BUFFER *buf = CRYPTO_BUFFER_new_from_CBS(&cert, pool);
if (buf == NULL ||
!sk_CRYPTO_BUFFER_push(out_certs, buf)) {
CRYPTO_BUFFER_free(buf);
goto err;
}
}
@ -145,134 +130,17 @@ err:
OPENSSL_free(der_bytes);
if (!ret) {
while (sk_X509_num(out_certs) != initial_certs_len) {
X509 *x509 = sk_X509_pop(out_certs);
X509_free(x509);
while (sk_CRYPTO_BUFFER_num(out_certs) != initial_certs_len) {
CRYPTO_BUFFER *buf = sk_CRYPTO_BUFFER_pop(out_certs);
CRYPTO_BUFFER_free(buf);
}
}
return ret;
}
int PKCS7_get_CRLs(STACK_OF(X509_CRL) *out_crls, CBS *cbs) {
CBS signed_data, crls;
uint8_t *der_bytes = NULL;
int ret = 0;
const size_t initial_crls_len = sk_X509_CRL_num(out_crls);
if (!pkcs7_parse_header(&der_bytes, &signed_data, cbs)) {
return 0;
}
/* See https://tools.ietf.org/html/rfc2315#section-9.1 */
/* Even if only CRLs are included, there may be an empty certificates block.
* OpenSSL does this, for example. */
if (CBS_peek_asn1_tag(&signed_data,
CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0) &&
!CBS_get_asn1(&signed_data, NULL /* certificates */,
CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0)) {
goto err;
}
if (!CBS_get_asn1(&signed_data, &crls,
CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 1)) {
OPENSSL_PUT_ERROR(PKCS7, PKCS7_R_NO_CRLS_INCLUDED);
goto err;
}
while (CBS_len(&crls) > 0) {
CBS crl_data;
X509_CRL *crl;
const uint8_t *inp;
if (!CBS_get_asn1_element(&crls, &crl_data, CBS_ASN1_SEQUENCE)) {
goto err;
}
if (CBS_len(&crl_data) > LONG_MAX) {
goto err;
}
inp = CBS_data(&crl_data);
crl = d2i_X509_CRL(NULL, &inp, (long)CBS_len(&crl_data));
if (!crl) {
goto err;
}
assert(inp == CBS_data(&crl_data) + CBS_len(&crl_data));
if (sk_X509_CRL_push(out_crls, crl) == 0) {
X509_CRL_free(crl);
goto err;
}
}
ret = 1;
err:
OPENSSL_free(der_bytes);
if (!ret) {
while (sk_X509_CRL_num(out_crls) != initial_crls_len) {
X509_CRL_free(sk_X509_CRL_pop(out_crls));
}
}
return ret;
}
int PKCS7_get_PEM_certificates(STACK_OF(X509) *out_certs, BIO *pem_bio) {
uint8_t *data;
long len;
int ret;
/* Even though we pass PEM_STRING_PKCS7 as the expected PEM type here, PEM
* internally will actually allow several other values too, including
* "CERTIFICATE". */
if (!PEM_bytes_read_bio(&data, &len, NULL /* PEM type output */,
PEM_STRING_PKCS7, pem_bio,
NULL /* password callback */,
NULL /* password callback argument */)) {
return 0;
}
CBS cbs;
CBS_init(&cbs, data, len);
ret = PKCS7_get_certificates(out_certs, &cbs);
OPENSSL_free(data);
return ret;
}
int PKCS7_get_PEM_CRLs(STACK_OF(X509_CRL) *out_crls, BIO *pem_bio) {
uint8_t *data;
long len;
int ret;
/* Even though we pass PEM_STRING_PKCS7 as the expected PEM type here, PEM
* internally will actually allow several other values too, including
* "CERTIFICATE". */
if (!PEM_bytes_read_bio(&data, &len, NULL /* PEM type output */,
PEM_STRING_PKCS7, pem_bio,
NULL /* password callback */,
NULL /* password callback argument */)) {
return 0;
}
CBS cbs;
CBS_init(&cbs, data, len);
ret = PKCS7_get_CRLs(out_crls, &cbs);
OPENSSL_free(data);
return ret;
}
/* pkcs7_bundle writes a PKCS#7, SignedData structure to |out| and then calls
* |cb| with a CBB to which certificate or CRL data can be written, and the
* opaque context pointer, |arg|. The callback can return zero to indicate an
* error.
*
* pkcs7_bundle returns one on success or zero on error. */
static int pkcs7_bundle(CBB *out, int (*cb)(CBB *out, const void *arg),
const void *arg) {
int pkcs7_bundle(CBB *out, int (*cb)(CBB *out, const void *arg),
const void *arg) {
CBB outer_seq, oid, wrapped_seq, seq, version_bytes, digest_algos_set,
content_info;
@ -296,63 +164,3 @@ static int pkcs7_bundle(CBB *out, int (*cb)(CBB *out, const void *arg),
return CBB_flush(out);
}
static int pkcs7_bundle_certificates_cb(CBB *out, const void *arg) {
const STACK_OF(X509) *certs = arg;
size_t i;
CBB certificates;
/* See https://tools.ietf.org/html/rfc2315#section-9.1 */
if (!CBB_add_asn1(out, &certificates,
CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0)) {
return 0;
}
for (i = 0; i < sk_X509_num(certs); i++) {
X509 *x509 = sk_X509_value(certs, i);
uint8_t *buf;
int len = i2d_X509(x509, NULL);
if (len < 0 ||
!CBB_add_space(&certificates, &buf, len) ||
i2d_X509(x509, &buf) < 0) {
return 0;
}
}
return CBB_flush(out);
}
int PKCS7_bundle_certificates(CBB *out, const STACK_OF(X509) *certs) {
return pkcs7_bundle(out, pkcs7_bundle_certificates_cb, certs);
}
static int pkcs7_bundle_crls_cb(CBB *out, const void *arg) {
const STACK_OF(X509_CRL) *crls = arg;
size_t i;
CBB crl_data;
/* See https://tools.ietf.org/html/rfc2315#section-9.1 */
if (!CBB_add_asn1(out, &crl_data,
CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 1)) {
return 0;
}
for (i = 0; i < sk_X509_CRL_num(crls); i++) {
X509_CRL *crl = sk_X509_CRL_value(crls, i);
uint8_t *buf;
int len = i2d_X509_CRL(crl, NULL);
if (len < 0 ||
!CBB_add_space(&crl_data, &buf, len) ||
i2d_X509_CRL(crl, &buf) < 0) {
return 0;
}
}
return CBB_flush(out);
}
int PKCS7_bundle_CRLs(CBB *out, const STACK_OF(X509_CRL) *crls) {
return pkcs7_bundle(out, pkcs7_bundle_crls_cb, crls);
}

233
crypto/pkcs7/pkcs7_x509.c Normal file
View File

@ -0,0 +1,233 @@
/* Copyright (c) 2017, Google Inc.
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
* SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
#include <openssl/pkcs7.h>
#include <assert.h>
#include <limits.h>
#include <openssl/bytestring.h>
#include <openssl/err.h>
#include <openssl/mem.h>
#include <openssl/pem.h>
#include <openssl/pool.h>
#include <openssl/stack.h>
#include <openssl/x509.h>
#include "internal.h"
int PKCS7_get_certificates(STACK_OF(X509) *out_certs, CBS *cbs) {
int ret = 0;
const size_t initial_certs_len = sk_X509_num(out_certs);
STACK_OF(CRYPTO_BUFFER) *raw = sk_CRYPTO_BUFFER_new_null();
if (raw == NULL ||
!PKCS7_get_raw_certificates(raw, cbs, NULL)) {
goto err;
}
for (size_t i = 0; i < sk_CRYPTO_BUFFER_num(raw); i++) {
CRYPTO_BUFFER *buf = sk_CRYPTO_BUFFER_value(raw, i);
X509 *x509 = X509_parse_from_buffer(buf);
if (x509 == NULL ||
!sk_X509_push(out_certs, x509)) {
X509_free(x509);
goto err;
}
}
ret = 1;
err:
sk_CRYPTO_BUFFER_pop_free(raw, CRYPTO_BUFFER_free);
if (!ret) {
while (sk_X509_num(out_certs) != initial_certs_len) {
X509 *x509 = sk_X509_pop(out_certs);
X509_free(x509);
}
}
return ret;
}
int PKCS7_get_CRLs(STACK_OF(X509_CRL) *out_crls, CBS *cbs) {
CBS signed_data, crls;
uint8_t *der_bytes = NULL;
int ret = 0;
const size_t initial_crls_len = sk_X509_CRL_num(out_crls);
if (!pkcs7_parse_header(&der_bytes, &signed_data, cbs)) {
return 0;
}
/* See https://tools.ietf.org/html/rfc2315#section-9.1 */
/* Even if only CRLs are included, there may be an empty certificates block.
* OpenSSL does this, for example. */
if (CBS_peek_asn1_tag(&signed_data,
CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0) &&
!CBS_get_asn1(&signed_data, NULL /* certificates */,
CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0)) {
goto err;
}
if (!CBS_get_asn1(&signed_data, &crls,
CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 1)) {
OPENSSL_PUT_ERROR(PKCS7, PKCS7_R_NO_CRLS_INCLUDED);
goto err;
}
while (CBS_len(&crls) > 0) {
CBS crl_data;
X509_CRL *crl;
const uint8_t *inp;
if (!CBS_get_asn1_element(&crls, &crl_data, CBS_ASN1_SEQUENCE)) {
goto err;
}
if (CBS_len(&crl_data) > LONG_MAX) {
goto err;
}
inp = CBS_data(&crl_data);
crl = d2i_X509_CRL(NULL, &inp, (long)CBS_len(&crl_data));
if (!crl) {
goto err;
}
assert(inp == CBS_data(&crl_data) + CBS_len(&crl_data));
if (sk_X509_CRL_push(out_crls, crl) == 0) {
X509_CRL_free(crl);
goto err;
}
}
ret = 1;
err:
OPENSSL_free(der_bytes);
if (!ret) {
while (sk_X509_CRL_num(out_crls) != initial_crls_len) {
X509_CRL_free(sk_X509_CRL_pop(out_crls));
}
}
return ret;
}
int PKCS7_get_PEM_certificates(STACK_OF(X509) *out_certs, BIO *pem_bio) {
uint8_t *data;
long len;
int ret;
/* Even though we pass PEM_STRING_PKCS7 as the expected PEM type here, PEM
* internally will actually allow several other values too, including
* "CERTIFICATE". */
if (!PEM_bytes_read_bio(&data, &len, NULL /* PEM type output */,
PEM_STRING_PKCS7, pem_bio,
NULL /* password callback */,
NULL /* password callback argument */)) {
return 0;
}
CBS cbs;
CBS_init(&cbs, data, len);
ret = PKCS7_get_certificates(out_certs, &cbs);
OPENSSL_free(data);
return ret;
}
int PKCS7_get_PEM_CRLs(STACK_OF(X509_CRL) *out_crls, BIO *pem_bio) {
uint8_t *data;
long len;
int ret;
/* Even though we pass PEM_STRING_PKCS7 as the expected PEM type here, PEM
* internally will actually allow several other values too, including
* "CERTIFICATE". */
if (!PEM_bytes_read_bio(&data, &len, NULL /* PEM type output */,
PEM_STRING_PKCS7, pem_bio,
NULL /* password callback */,
NULL /* password callback argument */)) {
return 0;
}
CBS cbs;
CBS_init(&cbs, data, len);
ret = PKCS7_get_CRLs(out_crls, &cbs);
OPENSSL_free(data);
return ret;
}
static int pkcs7_bundle_certificates_cb(CBB *out, const void *arg) {
const STACK_OF(X509) *certs = arg;
size_t i;
CBB certificates;
/* See https://tools.ietf.org/html/rfc2315#section-9.1 */
if (!CBB_add_asn1(out, &certificates,
CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0)) {
return 0;
}
for (i = 0; i < sk_X509_num(certs); i++) {
X509 *x509 = sk_X509_value(certs, i);
uint8_t *buf;
int len = i2d_X509(x509, NULL);
if (len < 0 ||
!CBB_add_space(&certificates, &buf, len) ||
i2d_X509(x509, &buf) < 0) {
return 0;
}
}
return CBB_flush(out);
}
int PKCS7_bundle_certificates(CBB *out, const STACK_OF(X509) *certs) {
return pkcs7_bundle(out, pkcs7_bundle_certificates_cb, certs);
}
static int pkcs7_bundle_crls_cb(CBB *out, const void *arg) {
const STACK_OF(X509_CRL) *crls = arg;
size_t i;
CBB crl_data;
/* See https://tools.ietf.org/html/rfc2315#section-9.1 */
if (!CBB_add_asn1(out, &crl_data,
CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 1)) {
return 0;
}
for (i = 0; i < sk_X509_CRL_num(crls); i++) {
X509_CRL *crl = sk_X509_CRL_value(crls, i);
uint8_t *buf;
int len = i2d_X509_CRL(crl, NULL);
if (len < 0 ||
!CBB_add_space(&crl_data, &buf, len) ||
i2d_X509_CRL(crl, &buf) < 0) {
return 0;
}
}
return CBB_flush(out);
}
int PKCS7_bundle_CRLs(CBB *out, const STACK_OF(X509_CRL) *crls) {
return pkcs7_bundle(out, pkcs7_bundle_crls_cb, crls);
}

12
include/openssl/pkcs7.h
View File

@ -29,12 +29,18 @@ extern "C" {
* This library contains functions for extracting information from PKCS#7
* structures (RFC 2315). */
DECLARE_STACK_OF(CRYPTO_BUFFER)
DECLARE_STACK_OF(X509)
DECLARE_STACK_OF(X509_CRL)
/* PKCS7_get_certificates parses a PKCS#7, SignedData structure from |cbs| and
* appends the included certificates to |out_certs|. It returns one on success
* and zero on error. */
/* PKCS7_get_raw_certificates parses a PKCS#7, SignedData structure from |cbs|
* and appends the included certificates to |out_certs|. It returns one on
* success and zero on error. */
OPENSSL_EXPORT int PKCS7_get_raw_certificates(
STACK_OF(CRYPTO_BUFFER) *out_certs, CBS *cbs, CRYPTO_BUFFER_POOL *pool);
/* PKCS7_get_certificates behaves like |PKCS7_get_raw_certificates| but parses
* them into |X509| objects. */
OPENSSL_EXPORT int PKCS7_get_certificates(STACK_OF(X509) *out_certs, CBS *cbs);
/* PKCS7_bundle_certificates appends a PKCS#7, SignedData structure containing