1
/*
2
 * Copyright (c) 2003 - 2007 Kungliga Tekniska Högskolan
3
 * (Royal Institute of Technology, Stockholm, Sweden).
4
 * All rights reserved.
5
 *
6
 * Redistribution and use in source and binary forms, with or without
7
 * modification, are permitted provided that the following conditions
8
 * are met:
9
 *
10
 * 1. Redistributions of source code must retain the above copyright
11
 *    notice, this list of conditions and the following disclaimer.
12
 *
13
 * 2. Redistributions in binary form must reproduce the above copyright
14
 *    notice, this list of conditions and the following disclaimer in the
15
 *    documentation and/or other materials provided with the distribution.
16
 *
17
 * 3. Neither the name of the Institute nor the names of its contributors
18
 *    may be used to endorse or promote products derived from this software
19
 *    without specific prior written permission.
20
 *
21
 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31
 * SUCH DAMAGE.
32
 */
33

34
#include "hx_locl.h"
35

36
/**
37
 * @page page_cms CMS/PKCS7 message functions.
38
 *
39
 * CMS is defined in RFC 3369 and is an continuation of the RSA Labs
40
 * standard PKCS7. The basic messages in CMS is
41
 *
42
 * - SignedData
43
 *   Data signed with private key (RSA, DSA, ECDSA) or secret
44
 *   (symmetric) key
45
 * - EnvelopedData
46
 *   Data encrypted with private key (RSA)
47
 * - EncryptedData
48
 *   Data encrypted with secret (symmetric) key.
49
 * - ContentInfo
50
 *   Wrapper structure including type and data.
51
 *
52
 *
53
 * See the library functions here: @ref hx509_cms
54
 */
55

56
#define ALLOC(X, N) (X) = calloc((N), sizeof(*(X)))
57
#define ALLOC_SEQ(X, N) do { (X)->len = (N); ALLOC((X)->val, (N)); } while(0)
58

59
/**
60
 * Wrap data and oid in a ContentInfo and encode it.
61
 *
62
 * @param oid type of the content.
63
 * @param buf data to be wrapped. If a NULL pointer is passed in, the
64
 * optional content field in the ContentInfo is not going be filled
65
 * in.
66
 * @param res the encoded buffer, the result should be freed with
67
 * der_free_octet_string().
68
 *
69
 * @return Returns an hx509 error code.
70
 *
71
 * @ingroup hx509_cms
72
 */
73

74
int
75
hx509_cms_wrap_ContentInfo(const heim_oid *oid,
76
			   const heim_octet_string *buf,
77
			   heim_octet_string *res)
78
{
79
    ContentInfo ci;
80
    size_t size;
81
    int ret;
82

83
    memset(res, 0, sizeof(*res));
84
    memset(&ci, 0, sizeof(ci));
85

86
    ret = der_copy_oid(oid, &ci.contentType);
87
    if (ret)
88
	return ret;
89
    if (buf) {
90
	ALLOC(ci.content, 1);
91
	if (ci.content == NULL) {
92
	    free_ContentInfo(&ci);
93
	    return ENOMEM;
94
	}
95
	ci.content->data = malloc(buf->length);
96
	if (ci.content->data == NULL) {
97
	    free_ContentInfo(&ci);
98
	    return ENOMEM;
99
	}
100
	memcpy(ci.content->data, buf->data, buf->length);
101
	ci.content->length = buf->length;
102
    }
103

104
    ASN1_MALLOC_ENCODE(ContentInfo, res->data, res->length, &ci, &size, ret);
105
    free_ContentInfo(&ci);
106
    if (ret)
107
	return ret;
108
    if (res->length != size)
109
	_hx509_abort("internal ASN.1 encoder error");
110

111
    return 0;
112
}
113

114
/**
115
 * Decode an ContentInfo and unwrap data and oid it.
116
 *
117
 * @param in the encoded buffer.
118
 * @param oid type of the content.
119
 * @param out data to be wrapped.
120
 * @param have_data since the data is optional, this flags show dthe
121
 * diffrence between no data and the zero length data.
122
 *
123
 * @return Returns an hx509 error code.
124
 *
125
 * @ingroup hx509_cms
126
 */
127

128
int
129
hx509_cms_unwrap_ContentInfo(const heim_octet_string *in,
130
			     heim_oid *oid,
131
			     heim_octet_string *out,
132
			     int *have_data)
133
{
134
    ContentInfo ci;
135
    size_t size;
136
    int ret;
137

138
    memset(oid, 0, sizeof(*oid));
139
    memset(out, 0, sizeof(*out));
140

141
    ret = decode_ContentInfo(in->data, in->length, &ci, &size);
142
    if (ret)
143
	return ret;
144

145
    ret = der_copy_oid(&ci.contentType, oid);
146
    if (ret) {
147
	free_ContentInfo(&ci);
148
	return ret;
149
    }
150
    if (ci.content) {
151
	ret = der_copy_octet_string(ci.content, out);
152
	if (ret) {
153
	    der_free_oid(oid);
154
	    free_ContentInfo(&ci);
155
	    return ret;
156
	}
157
    } else
158
	memset(out, 0, sizeof(*out));
159

160
    if (have_data)
161
	*have_data = (ci.content != NULL) ? 1 : 0;
162

163
    free_ContentInfo(&ci);
164

165
    return 0;
166
}
167

168
#define CMS_ID_SKI	0
169
#define CMS_ID_NAME	1
170

171
static int
172
fill_CMSIdentifier(const hx509_cert cert,
173
		   int type,
174
		   CMSIdentifier *id)
175
{
176
    int ret;
177

178
    switch (type) {
179
    case CMS_ID_SKI:
180
	id->element = choice_CMSIdentifier_subjectKeyIdentifier;
181
	ret = _hx509_find_extension_subject_key_id(_hx509_get_cert(cert),
182
						   &id->u.subjectKeyIdentifier);
183
	if (ret == 0)
184
	    break;
185
	/* FALL THOUGH */
186
    case CMS_ID_NAME: {
187
	hx509_name name;
188

189
	id->element = choice_CMSIdentifier_issuerAndSerialNumber;
190
	ret = hx509_cert_get_issuer(cert, &name);
191
	if (ret)
192
	    return ret;
193
	ret = hx509_name_to_Name(name, &id->u.issuerAndSerialNumber.issuer);
194
	hx509_name_free(&name);
195
	if (ret)
196
	    return ret;
197

198
	ret = hx509_cert_get_serialnumber(cert, &id->u.issuerAndSerialNumber.serialNumber);
199
	break;
200
    }
201
    default:
202
	_hx509_abort("CMS fill identifier with unknown type");
203
    }
204
    return ret;
205
}
206

207
static int
208
unparse_CMSIdentifier(hx509_context context,
209
		      CMSIdentifier *id,
210
		      char **str)
211
{
212
    int ret;
213

214
    *str = NULL;
215
    switch (id->element) {
216
    case choice_CMSIdentifier_issuerAndSerialNumber: {
217
	IssuerAndSerialNumber *iasn;
218
	char *serial, *name;
219

220
	iasn = &id->u.issuerAndSerialNumber;
221

222
	ret = _hx509_Name_to_string(&iasn->issuer, &name);
223
	if(ret)
224
	    return ret;
225
	ret = der_print_hex_heim_integer(&iasn->serialNumber, &serial);
226
	if (ret) {
227
	    free(name);
228
	    return ret;
229
	}
230
	asprintf(str, "certificate issued by %s with serial number %s",
231
		 name, serial);
232
	free(name);
233
	free(serial);
234
	break;
235
    }
236
    case choice_CMSIdentifier_subjectKeyIdentifier: {
237
	KeyIdentifier *ki  = &id->u.subjectKeyIdentifier;
238
	char *keyid;
239
	ssize_t len;
240

241
	len = hex_encode(ki->data, ki->length, &keyid);
242
	if (len < 0)
243
	    return ENOMEM;
244

245
	asprintf(str, "certificate with id %s", keyid);
246
	free(keyid);
247
	break;
248
    }
249
    default:
250
	asprintf(str, "certificate have unknown CMSidentifier type");
251
	break;
252
    }
253
    if (*str == NULL)
254
	return ENOMEM;
255
    return 0;
256
}
257

258
static int
259
find_CMSIdentifier(hx509_context context,
260
		   CMSIdentifier *client,
261
		   hx509_certs certs,
262
		   time_t time_now,
263
		   hx509_cert *signer_cert,
264
		   int match)
265
{
266
    hx509_query q;
267
    hx509_cert cert;
268
    Certificate c;
269
    int ret;
270

271
    memset(&c, 0, sizeof(c));
272
    _hx509_query_clear(&q);
273

274
    *signer_cert = NULL;
275

276
    switch (client->element) {
277
    case choice_CMSIdentifier_issuerAndSerialNumber:
278
	q.serial = &client->u.issuerAndSerialNumber.serialNumber;
279
	q.issuer_name = &client->u.issuerAndSerialNumber.issuer;
280
	q.match = HX509_QUERY_MATCH_SERIALNUMBER|HX509_QUERY_MATCH_ISSUER_NAME;
281
	break;
282
    case choice_CMSIdentifier_subjectKeyIdentifier:
283
	q.subject_id = &client->u.subjectKeyIdentifier;
284
	q.match = HX509_QUERY_MATCH_SUBJECT_KEY_ID;
285
	break;
286
    default:
287
	hx509_set_error_string(context, 0, HX509_CMS_NO_RECIPIENT_CERTIFICATE,
288
			       "unknown CMS identifier element");
289
	return HX509_CMS_NO_RECIPIENT_CERTIFICATE;
290
    }
291

292
    q.match |= match;
293

294
    q.match |= HX509_QUERY_MATCH_TIME;
295
    if (time_now)
296
	q.timenow = time_now;
297
    else
298
	q.timenow = time(NULL);
299

300
    ret = hx509_certs_find(context, certs, &q, &cert);
301
    if (ret == HX509_CERT_NOT_FOUND) {
302
	char *str;
303

304
	ret = unparse_CMSIdentifier(context, client, &str);
305
	if (ret == 0) {
306
	    hx509_set_error_string(context, 0,
307
				   HX509_CMS_NO_RECIPIENT_CERTIFICATE,
308
				   "Failed to find %s", str);
309
	} else
310
	    hx509_clear_error_string(context);
311
	return HX509_CMS_NO_RECIPIENT_CERTIFICATE;
312
    } else if (ret) {
313
	hx509_set_error_string(context, HX509_ERROR_APPEND,
314
			       HX509_CMS_NO_RECIPIENT_CERTIFICATE,
315
			       "Failed to find CMS id in cert store");
316
	return HX509_CMS_NO_RECIPIENT_CERTIFICATE;
317
    }
318

319
    *signer_cert = cert;
320

321
    return 0;
322
}
323

324
/**
325
 * Decode and unencrypt EnvelopedData.
326
 *
327
 * Extract data and parameteres from from the EnvelopedData. Also
328
 * supports using detached EnvelopedData.
329
 *
330
 * @param context A hx509 context.
331
 * @param certs Certificate that can decrypt the EnvelopedData
332
 * encryption key.
333
 * @param flags HX509_CMS_UE flags to control the behavior.
334
 * @param data pointer the structure the contains the DER/BER encoded
335
 * EnvelopedData stucture.
336
 * @param length length of the data that data point to.
337
 * @param encryptedContent in case of detached signature, this
338
 * contains the actual encrypted data, othersize its should be NULL.
339
 * @param time_now set the current time, if zero the library uses now as the date.
340
 * @param contentType output type oid, should be freed with der_free_oid().
341
 * @param content the data, free with der_free_octet_string().
342
 *
343
 * @ingroup hx509_cms
344
 */
345

346
int
347
hx509_cms_unenvelope(hx509_context context,
348
		     hx509_certs certs,
349
		     int flags,
350
		     const void *data,
351
		     size_t length,
352
		     const heim_octet_string *encryptedContent,
353
		     time_t time_now,
354
		     heim_oid *contentType,
355
		     heim_octet_string *content)
356
{
357
    heim_octet_string key;
358
    EnvelopedData ed;
359
    hx509_cert cert;
360
    AlgorithmIdentifier *ai;
361
    const heim_octet_string *enccontent;
362
    heim_octet_string *params, params_data;
363
    heim_octet_string ivec;
364
    size_t size;
365
    int ret, matched = 0, findflags = 0;
366
    size_t i;
367

368

369
    memset(&key, 0, sizeof(key));
370
    memset(&ed, 0, sizeof(ed));
371
    memset(&ivec, 0, sizeof(ivec));
372
    memset(content, 0, sizeof(*content));
373
    memset(contentType, 0, sizeof(*contentType));
374

375
    if ((flags & HX509_CMS_UE_DONT_REQUIRE_KU_ENCIPHERMENT) == 0)
376
	findflags |= HX509_QUERY_KU_ENCIPHERMENT;
377

378
    ret = decode_EnvelopedData(data, length, &ed, &size);
379
    if (ret) {
380
	hx509_set_error_string(context, 0, ret,
381
			       "Failed to decode EnvelopedData");
382
	return ret;
383
    }
384

385
    if (ed.recipientInfos.len == 0) {
386
	ret = HX509_CMS_NO_RECIPIENT_CERTIFICATE;
387
	hx509_set_error_string(context, 0, ret,
388
			       "No recipient info in enveloped data");
389
	goto out;
390
    }
391

392
    enccontent = ed.encryptedContentInfo.encryptedContent;
393
    if (enccontent == NULL) {
394
	if (encryptedContent == NULL) {
395
	    ret = HX509_CMS_NO_DATA_AVAILABLE;
396
	    hx509_set_error_string(context, 0, ret,
397
				   "Content missing from encrypted data");
398
	    goto out;
399
	}
400
	enccontent = encryptedContent;
401
    } else if (encryptedContent != NULL) {
402
	ret = HX509_CMS_NO_DATA_AVAILABLE;
403
	hx509_set_error_string(context, 0, ret,
404
			       "Both internal and external encrypted data");
405
	goto out;
406
    }
407

408
    cert = NULL;
409
    for (i = 0; i < ed.recipientInfos.len; i++) {
410
	KeyTransRecipientInfo *ri;
411
	char *str;
412
	int ret2;
413

414
	ri = &ed.recipientInfos.val[i];
415

416
	ret = find_CMSIdentifier(context, &ri->rid, certs,
417
				 time_now, &cert,
418
				 HX509_QUERY_PRIVATE_KEY|findflags);
419
	if (ret)
420
	    continue;
421

422
	matched = 1; /* found a matching certificate, let decrypt */
423

424
	ret = _hx509_cert_private_decrypt(context,
425
					  &ri->encryptedKey,
426
					  &ri->keyEncryptionAlgorithm.algorithm,
427
					  cert, &key);
428

429
	hx509_cert_free(cert);
430
	if (ret == 0)
431
	    break; /* succuessfully decrypted cert */
432
	cert = NULL;
433
	ret2 = unparse_CMSIdentifier(context, &ri->rid, &str);
434
	if (ret2 == 0) {
435
	    hx509_set_error_string(context, HX509_ERROR_APPEND, ret,
436
				   "Failed to decrypt with %s", str);
437
	    free(str);
438
	}
439
    }
440

441
    if (!matched) {
442
	ret = HX509_CMS_NO_RECIPIENT_CERTIFICATE;
443
	hx509_set_error_string(context, 0, ret,
444
			       "No private key matched any certificate");
445
	goto out;
446
    }
447

448
    if (cert == NULL) {
449
	ret = HX509_CMS_NO_RECIPIENT_CERTIFICATE;
450
	hx509_set_error_string(context, HX509_ERROR_APPEND, ret,
451
			       "No private key decrypted the transfer key");
452
	goto out;
453
    }
454

455
    ret = der_copy_oid(&ed.encryptedContentInfo.contentType, contentType);
456
    if (ret) {
457
	hx509_set_error_string(context, 0, ret,
458
			       "Failed to copy EnvelopedData content oid");
459
	goto out;
460
    }
461

462
    ai = &ed.encryptedContentInfo.contentEncryptionAlgorithm;
463
    if (ai->parameters) {
464
	params_data.data = ai->parameters->data;
465
	params_data.length = ai->parameters->length;
466
	params = &params_data;
467
    } else
468
	params = NULL;
469

470
    {
471
	hx509_crypto crypto;
472

473
	ret = hx509_crypto_init(context, NULL, &ai->algorithm, &crypto);
474
	if (ret)
475
	    goto out;
476

477
	if (flags & HX509_CMS_UE_ALLOW_WEAK)
478
	    hx509_crypto_allow_weak(crypto);
479

480
	if (params) {
481
	    ret = hx509_crypto_set_params(context, crypto, params, &ivec);
482
	    if (ret) {
483
		hx509_crypto_destroy(crypto);
484
		goto out;
485
	    }
486
	}
487

488
	ret = hx509_crypto_set_key_data(crypto, key.data, key.length);
489
	if (ret) {
490
	    hx509_crypto_destroy(crypto);
491
	    hx509_set_error_string(context, 0, ret,
492
				   "Failed to set key for decryption "
493
				   "of EnvelopedData");
494
	    goto out;
495
	}
496

497
	ret = hx509_crypto_decrypt(crypto,
498
				   enccontent->data,
499
				   enccontent->length,
500
				   ivec.length ? &ivec : NULL,
501
				   content);
502
	hx509_crypto_destroy(crypto);
503
	if (ret) {
504
	    hx509_set_error_string(context, 0, ret,
505
				   "Failed to decrypt EnvelopedData");
506
	    goto out;
507
	}
508
    }
509

510
out:
511

512
    free_EnvelopedData(&ed);
513
    der_free_octet_string(&key);
514
    if (ivec.length)
515
	der_free_octet_string(&ivec);
516
    if (ret) {
517
	der_free_oid(contentType);
518
	der_free_octet_string(content);
519
    }
520

521
    return ret;
522
}
523

524
/**
525
 * Encrypt end encode EnvelopedData.
526
 *
527
 * Encrypt and encode EnvelopedData. The data is encrypted with a
528
 * random key and the the random key is encrypted with the
529
 * certificates private key. This limits what private key type can be
530
 * used to RSA.
531
 *
532
 * @param context A hx509 context.
533
 * @param flags flags to control the behavior.
534
 *    - HX509_CMS_EV_NO_KU_CHECK - Dont check KU on certificate
535
 *    - HX509_CMS_EV_ALLOW_WEAK - Allow weak crytpo
536
 *    - HX509_CMS_EV_ID_NAME - prefer issuer name and serial number
537
 * @param cert Certificate to encrypt the EnvelopedData encryption key
538
 * with.
539
 * @param data pointer the data to encrypt.
540
 * @param length length of the data that data point to.
541
 * @param encryption_type Encryption cipher to use for the bulk data,
542
 * use NULL to get default.
543
 * @param contentType type of the data that is encrypted
544
 * @param content the output of the function,
545
 * free with der_free_octet_string().
546
 *
547
 * @ingroup hx509_cms
548
 */
549

550
int
551
hx509_cms_envelope_1(hx509_context context,
552
		     int flags,
553
		     hx509_cert cert,
554
		     const void *data,
555
		     size_t length,
556
		     const heim_oid *encryption_type,
557
		     const heim_oid *contentType,
558
		     heim_octet_string *content)
559
{
560
    KeyTransRecipientInfo *ri;
561
    heim_octet_string ivec;
562
    heim_octet_string key;
563
    hx509_crypto crypto = NULL;
564
    int ret, cmsidflag;
565
    EnvelopedData ed;
566
    size_t size;
567

568
    memset(&ivec, 0, sizeof(ivec));
569
    memset(&key, 0, sizeof(key));
570
    memset(&ed, 0, sizeof(ed));
571
    memset(content, 0, sizeof(*content));
572

573
    if (encryption_type == NULL)
574
	encryption_type = &asn1_oid_id_aes_256_cbc;
575

576
    if ((flags & HX509_CMS_EV_NO_KU_CHECK) == 0) {
577
	ret = _hx509_check_key_usage(context, cert, 1 << 2, TRUE);
578
	if (ret)
579
	    goto out;
580
    }
581

582
    ret = hx509_crypto_init(context, NULL, encryption_type, &crypto);
583
    if (ret)
584
	goto out;
585

586
    if (flags & HX509_CMS_EV_ALLOW_WEAK)
587
	hx509_crypto_allow_weak(crypto);
588

589
    ret = hx509_crypto_set_random_key(crypto, &key);
590
    if (ret) {
591
	hx509_set_error_string(context, 0, ret,
592
			       "Create random key for EnvelopedData content");
593
	goto out;
594
    }
595

596
    ret = hx509_crypto_random_iv(crypto, &ivec);
597
    if (ret) {
598
	hx509_set_error_string(context, 0, ret,
599
			       "Failed to create a random iv");
600
	goto out;
601
    }
602

603
    ret = hx509_crypto_encrypt(crypto,
604
			       data,
605
			       length,
606
			       &ivec,
607
			       &ed.encryptedContentInfo.encryptedContent);
608
    if (ret) {
609
	hx509_set_error_string(context, 0, ret,
610
			       "Failed to encrypt EnvelopedData content");
611
	goto out;
612
    }
613

614
    {
615
	AlgorithmIdentifier *enc_alg;
616
	enc_alg = &ed.encryptedContentInfo.contentEncryptionAlgorithm;
617
	ret = der_copy_oid(encryption_type, &enc_alg->algorithm);
618
	if (ret) {
619
	    hx509_set_error_string(context, 0, ret,
620
				   "Failed to set crypto oid "
621
				   "for EnvelopedData");
622
	    goto out;
623
	}
624
	ALLOC(enc_alg->parameters, 1);
625
	if (enc_alg->parameters == NULL) {
626
	    ret = ENOMEM;
627
	    hx509_set_error_string(context, 0, ret,
628
				   "Failed to allocate crypto paramaters "
629
				   "for EnvelopedData");
630
	    goto out;
631
	}
632

633
	ret = hx509_crypto_get_params(context,
634
				      crypto,
635
				      &ivec,
636
				      enc_alg->parameters);
637
	if (ret) {
638
	    goto out;
639
	}
640
    }
641

642
    ALLOC_SEQ(&ed.recipientInfos, 1);
643
    if (ed.recipientInfos.val == NULL) {
644
	ret = ENOMEM;
645
	hx509_set_error_string(context, 0, ret,
646
			       "Failed to allocate recipients info "
647
			       "for EnvelopedData");
648
	goto out;
649
    }
650

651
    ri = &ed.recipientInfos.val[0];
652

653
    if (flags & HX509_CMS_EV_ID_NAME) {
654
	ri->version = 0;
655
	cmsidflag = CMS_ID_NAME;
656
    } else {
657
	ri->version = 2;
658
	cmsidflag = CMS_ID_SKI;
659
    }
660

661
    ret = fill_CMSIdentifier(cert, cmsidflag, &ri->rid);
662
    if (ret) {
663
	hx509_set_error_string(context, 0, ret,
664
			       "Failed to set CMS identifier info "
665
			       "for EnvelopedData");
666
	goto out;
667
    }
668

669
    ret = hx509_cert_public_encrypt(context,
670
				     &key, cert,
671
				     &ri->keyEncryptionAlgorithm.algorithm,
672
				     &ri->encryptedKey);
673
    if (ret) {
674
	hx509_set_error_string(context, HX509_ERROR_APPEND, ret,
675
			       "Failed to encrypt transport key for "
676
			       "EnvelopedData");
677
	goto out;
678
    }
679

680
    /*
681
     *
682
     */
683

684
    ed.version = 0;
685
    ed.originatorInfo = NULL;
686

687
    ret = der_copy_oid(contentType, &ed.encryptedContentInfo.contentType);
688
    if (ret) {
689
	hx509_set_error_string(context, 0, ret,
690
			       "Failed to copy content oid for "
691
			       "EnvelopedData");
692
	goto out;
693
    }
694

695
    ed.unprotectedAttrs = NULL;
696

697
    ASN1_MALLOC_ENCODE(EnvelopedData, content->data, content->length,
698
		       &ed, &size, ret);
699
    if (ret) {
700
	hx509_set_error_string(context, 0, ret,
701
			       "Failed to encode EnvelopedData");
702
	goto out;
703
    }
704
    if (size != content->length)
705
	_hx509_abort("internal ASN.1 encoder error");
706

707
out:
708
    if (crypto)
709
	hx509_crypto_destroy(crypto);
710
    if (ret)
711
	der_free_octet_string(content);
712
    der_free_octet_string(&key);
713
    der_free_octet_string(&ivec);
714
    free_EnvelopedData(&ed);
715

716
    return ret;
717
}
718

719
static int
720
any_to_certs(hx509_context context, const SignedData *sd, hx509_certs certs)
721
{
722
    int ret;
723
    size_t i;
724

725
    if (sd->certificates == NULL)
726
	return 0;
727

728
    for (i = 0; i < sd->certificates->len; i++) {
729
	hx509_cert c;
730

731
	ret = hx509_cert_init_data(context,
732
				   sd->certificates->val[i].data,
733
				   sd->certificates->val[i].length,
734
				   &c);
735
	if (ret)
736
	    return ret;
737
	ret = hx509_certs_add(context, certs, c);
738
	hx509_cert_free(c);
739
	if (ret)
740
	    return ret;
741
    }
742

743
    return 0;
744
}
745

746
static const Attribute *
747
find_attribute(const CMSAttributes *attr, const heim_oid *oid)
748
{
749
    size_t i;
750
    for (i = 0; i < attr->len; i++)
751
	if (der_heim_oid_cmp(&attr->val[i].type, oid) == 0)
752
	    return &attr->val[i];
753
    return NULL;
754
}
755

756
/**
757
 * Decode SignedData and verify that the signature is correct.
758
 *
759
 * @param context A hx509 context.
760
 * @param ctx a hx509 verify context.
761
 * @param flags to control the behaivor of the function.
762
 *    - HX509_CMS_VS_NO_KU_CHECK - Don't check KeyUsage
763
 *    - HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH - allow oid mismatch
764
 *    - HX509_CMS_VS_ALLOW_ZERO_SIGNER - no signer, see below.
765
 * @param data pointer to CMS SignedData encoded data.
766
 * @param length length of the data that data point to.
767
 * @param signedContent external data used for signature.
768
 * @param pool certificate pool to build certificates paths.
769
 * @param contentType free with der_free_oid().
770
 * @param content the output of the function, free with
771
 * der_free_octet_string().
772
 * @param signer_certs list of the cerficates used to sign this
773
 * request, free with hx509_certs_free().
774
 *
775
 * @ingroup hx509_cms
776
 */
777

778
int
779
hx509_cms_verify_signed(hx509_context context,
780
			hx509_verify_ctx ctx,
781
			unsigned int flags,
782
			const void *data,
783
			size_t length,
784
			const heim_octet_string *signedContent,
785
			hx509_certs pool,
786
			heim_oid *contentType,
787
			heim_octet_string *content,
788
			hx509_certs *signer_certs)
789
{
790
    SignerInfo *signer_info;
791
    hx509_cert cert = NULL;
792
    hx509_certs certs = NULL;
793
    SignedData sd;
794
    size_t size;
795
    int ret, found_valid_sig;
796
    size_t i;
797

798
    *signer_certs = NULL;
799
    content->data = NULL;
800
    content->length = 0;
801
    contentType->length = 0;
802
    contentType->components = NULL;
803

804
    memset(&sd, 0, sizeof(sd));
805

806
    ret = decode_SignedData(data, length, &sd, &size);
807
    if (ret) {
808
	hx509_set_error_string(context, 0, ret,
809
			       "Failed to decode SignedData");
810
	goto out;
811
    }
812

813
    if (sd.encapContentInfo.eContent == NULL && signedContent == NULL) {
814
	ret = HX509_CMS_NO_DATA_AVAILABLE;
815
	hx509_set_error_string(context, 0, ret,
816
			       "No content data in SignedData");
817
	goto out;
818
    }
819
    if (sd.encapContentInfo.eContent && signedContent) {
820
	ret = HX509_CMS_NO_DATA_AVAILABLE;
821
	hx509_set_error_string(context, 0, ret,
822
			       "Both external and internal SignedData");
823
	goto out;
824
    }
825

826
    if (sd.encapContentInfo.eContent)
827
	ret = der_copy_octet_string(sd.encapContentInfo.eContent, content);
828
    else
829
	ret = der_copy_octet_string(signedContent, content);
830
    if (ret) {
831
	hx509_set_error_string(context, 0, ret, "malloc: out of memory");
832
	goto out;
833
    }
834

835
    ret = hx509_certs_init(context, "MEMORY:cms-cert-buffer",
836
			   0, NULL, &certs);
837
    if (ret)
838
	goto out;
839

840
    ret = hx509_certs_init(context, "MEMORY:cms-signer-certs",
841
			   0, NULL, signer_certs);
842
    if (ret)
843
	goto out;
844

845
    /* XXX Check CMS version */
846

847
    ret = any_to_certs(context, &sd, certs);
848
    if (ret)
849
	goto out;
850

851
    if (pool) {
852
	ret = hx509_certs_merge(context, certs, pool);
853
	if (ret)
854
	    goto out;
855
    }
856

857
    for (found_valid_sig = 0, i = 0; i < sd.signerInfos.len; i++) {
858
	heim_octet_string signed_data;
859
	const heim_oid *match_oid;
860
	heim_oid decode_oid;
861

862
	signer_info = &sd.signerInfos.val[i];
863
	match_oid = NULL;
864

865
	if (signer_info->signature.length == 0) {
866
	    ret = HX509_CMS_MISSING_SIGNER_DATA;
867
	    hx509_set_error_string(context, 0, ret,
868
				   "SignerInfo %d in SignedData "
869
				   "missing sigature", i);
870
	    continue;
871
	}
872

873
	ret = find_CMSIdentifier(context, &signer_info->sid, certs,
874
				 _hx509_verify_get_time(ctx), &cert,
875
				 HX509_QUERY_KU_DIGITALSIGNATURE);
876
	if (ret) {
877
	    /**
878
	     * If HX509_CMS_VS_NO_KU_CHECK is set, allow more liberal
879
	     * search for matching certificates by not considering
880
	     * KeyUsage bits on the certificates.
881
	     */
882
	    if ((flags & HX509_CMS_VS_NO_KU_CHECK) == 0)
883
		continue;
884

885
	    ret = find_CMSIdentifier(context, &signer_info->sid, certs,
886
				     _hx509_verify_get_time(ctx), &cert,
887
				     0);
888
	    if (ret)
889
		continue;
890

891
	}
892

893
	if (signer_info->signedAttrs) {
894
	    const Attribute *attr;
895

896
	    CMSAttributes sa;
897
	    heim_octet_string os;
898

899
	    sa.val = signer_info->signedAttrs->val;
900
	    sa.len = signer_info->signedAttrs->len;
901

902
	    /* verify that sigature exists */
903
	    attr = find_attribute(&sa, &asn1_oid_id_pkcs9_messageDigest);
904
	    if (attr == NULL) {
905
		ret = HX509_CRYPTO_SIGNATURE_MISSING;
906
		hx509_set_error_string(context, 0, ret,
907
				       "SignerInfo have signed attributes "
908
				       "but messageDigest (signature) "
909
				       "is missing");
910
		goto next_sigature;
911
	    }
912
	    if (attr->value.len != 1) {
913
		ret = HX509_CRYPTO_SIGNATURE_MISSING;
914
		hx509_set_error_string(context, 0, ret,
915
				       "SignerInfo have more then one "
916
				       "messageDigest (signature)");
917
		goto next_sigature;
918
	    }
919

920
	    ret = decode_MessageDigest(attr->value.val[0].data,
921
				       attr->value.val[0].length,
922
				       &os,
923
				       &size);
924
	    if (ret) {
925
		hx509_set_error_string(context, 0, ret,
926
				       "Failed to decode "
927
				       "messageDigest (signature)");
928
		goto next_sigature;
929
	    }
930

931
	    ret = _hx509_verify_signature(context,
932
					  NULL,
933
					  &signer_info->digestAlgorithm,
934
					  content,
935
					  &os);
936
	    der_free_octet_string(&os);
937
	    if (ret) {
938
		hx509_set_error_string(context, HX509_ERROR_APPEND, ret,
939
				       "Failed to verify messageDigest");
940
		goto next_sigature;
941
	    }
942

943
	    /*
944
	     * Fetch content oid inside signedAttrs or set it to
945
	     * id-pkcs7-data.
946
	     */
947
	    attr = find_attribute(&sa, &asn1_oid_id_pkcs9_contentType);
948
	    if (attr == NULL) {
949
		match_oid = &asn1_oid_id_pkcs7_data;
950
	    } else {
951
		if (attr->value.len != 1) {
952
		    ret = HX509_CMS_DATA_OID_MISMATCH;
953
		    hx509_set_error_string(context, 0, ret,
954
					   "More then one oid in signedAttrs");
955
		    goto next_sigature;
956

957
		}
958
		ret = decode_ContentType(attr->value.val[0].data,
959
					 attr->value.val[0].length,
960
					 &decode_oid,
961
					 &size);
962
		if (ret) {
963
		    hx509_set_error_string(context, 0, ret,
964
					   "Failed to decode "
965
					   "oid in signedAttrs");
966
		    goto next_sigature;
967
		}
968
		match_oid = &decode_oid;
969
	    }
970

971
	    ASN1_MALLOC_ENCODE(CMSAttributes,
972
			       signed_data.data,
973
			       signed_data.length,
974
			       &sa,
975
			       &size, ret);
976
	    if (ret) {
977
		if (match_oid == &decode_oid)
978
		    der_free_oid(&decode_oid);
979
		hx509_clear_error_string(context);
980
		goto next_sigature;
981
	    }
982
	    if (size != signed_data.length)
983
		_hx509_abort("internal ASN.1 encoder error");
984

985
	} else {
986
	    signed_data.data = content->data;
987
	    signed_data.length = content->length;
988
	    match_oid = &asn1_oid_id_pkcs7_data;
989
	}
990

991
	/**
992
	 * If HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH, allow
993
	 * encapContentInfo mismatch with the oid in signedAttributes
994
	 * (or if no signedAttributes where use, pkcs7-data oid).
995
	 * This is only needed to work with broken CMS implementations
996
	 * that doesn't follow CMS signedAttributes rules.
997
	 */
998

999
	if (der_heim_oid_cmp(match_oid, &sd.encapContentInfo.eContentType) &&
1000
	    (flags & HX509_CMS_VS_ALLOW_DATA_OID_MISMATCH) == 0) {
1001
	    ret = HX509_CMS_DATA_OID_MISMATCH;
1002
	    hx509_set_error_string(context, 0, ret,
1003
				   "Oid in message mismatch from the expected");
1004
	}
1005
	if (match_oid == &decode_oid)
1006
	    der_free_oid(&decode_oid);
1007

1008
	if (ret == 0) {
1009
	    ret = hx509_verify_signature(context,
1010
					 cert,
1011
					 &signer_info->signatureAlgorithm,
1012
					 &signed_data,
1013
					 &signer_info->signature);
1014
	    if (ret)
1015
		hx509_set_error_string(context, HX509_ERROR_APPEND, ret,
1016
				       "Failed to verify signature in "
1017
				       "CMS SignedData");
1018
	}
1019
        if (signer_info->signedAttrs)
1020
	    free(signed_data.data);
1021
	if (ret)
1022
	    goto next_sigature;
1023

1024
	/**
1025
	 * If HX509_CMS_VS_NO_VALIDATE flags is set, do not verify the
1026
	 * signing certificates and leave that up to the caller.
1027
	 */
1028

1029
	if ((flags & HX509_CMS_VS_NO_VALIDATE) == 0) {
1030
	    ret = hx509_verify_path(context, ctx, cert, certs);
1031
	    if (ret)
1032
		goto next_sigature;
1033
	}
1034

1035
	ret = hx509_certs_add(context, *signer_certs, cert);
1036
	if (ret)
1037
	    goto next_sigature;
1038

1039
	found_valid_sig++;
1040

1041
    next_sigature:
1042
	if (cert)
1043
	    hx509_cert_free(cert);
1044
	cert = NULL;
1045
    }
1046
    /**
1047
     * If HX509_CMS_VS_ALLOW_ZERO_SIGNER is set, allow empty
1048
     * SignerInfo (no signatures). If SignedData have no signatures,
1049
     * the function will return 0 with signer_certs set to NULL. Zero
1050
     * signers is allowed by the standard, but since its only useful
1051
     * in corner cases, it make into a flag that the caller have to
1052
     * turn on.
1053
     */
1054
    if (sd.signerInfos.len == 0 && (flags & HX509_CMS_VS_ALLOW_ZERO_SIGNER)) {
1055
	if (*signer_certs)
1056
	    hx509_certs_free(signer_certs);
1057
    } else if (found_valid_sig == 0) {
1058
	if (ret == 0) {
1059
	    ret = HX509_CMS_SIGNER_NOT_FOUND;
1060
	    hx509_set_error_string(context, 0, ret,
1061
				   "No signers where found");
1062
	}
1063
	goto out;
1064
    }
1065

1066
    ret = der_copy_oid(&sd.encapContentInfo.eContentType, contentType);
1067
    if (ret) {
1068
	hx509_clear_error_string(context);
1069
	goto out;
1070
    }
1071

1072
out:
1073
    free_SignedData(&sd);
1074
    if (certs)
1075
	hx509_certs_free(&certs);
1076
    if (ret) {
1077
	if (content->data)
1078
	    der_free_octet_string(content);
1079
	if (*signer_certs)
1080
	    hx509_certs_free(signer_certs);
1081
	der_free_oid(contentType);
1082
	der_free_octet_string(content);
1083
    }
1084

1085
    return ret;
1086
}
1087

1088
static int
1089
add_one_attribute(Attribute **attr,
1090
		  unsigned int *len,
1091
		  const heim_oid *oid,
1092
		  heim_octet_string *data)
1093
{
1094
    void *d;
1095
    int ret;
1096

1097
    d = realloc(*attr, sizeof((*attr)[0]) * (*len + 1));
1098
    if (d == NULL)
1099
	return ENOMEM;
1100
    (*attr) = d;
1101

1102
    ret = der_copy_oid(oid, &(*attr)[*len].type);
1103
    if (ret)
1104
	return ret;
1105

1106
    ALLOC_SEQ(&(*attr)[*len].value, 1);
1107
    if ((*attr)[*len].value.val == NULL) {
1108
	der_free_oid(&(*attr)[*len].type);
1109
	return ENOMEM;
1110
    }
1111

1112
    (*attr)[*len].value.val[0].data = data->data;
1113
    (*attr)[*len].value.val[0].length = data->length;
1114

1115
    *len += 1;
1116

1117
    return 0;
1118
}
1119

1120
/**
1121
 * Decode SignedData and verify that the signature is correct.
1122
 *
1123
 * @param context A hx509 context.
1124
 * @param flags
1125
 * @param eContentType the type of the data.
1126
 * @param data data to sign
1127
 * @param length length of the data that data point to.
1128
 * @param digest_alg digest algorithm to use, use NULL to get the
1129
 * default or the peer determined algorithm.
1130
 * @param cert certificate to use for sign the data.
1131
 * @param peer info about the peer the message to send the message to,
1132
 * like what digest algorithm to use.
1133
 * @param anchors trust anchors that the client will use, used to
1134
 * polulate the certificates included in the message
1135
 * @param pool certificates to use in try to build the path to the
1136
 * trust anchors.
1137
 * @param signed_data the output of the function, free with
1138
 * der_free_octet_string().
1139
 *
1140
 * @ingroup hx509_cms
1141
 */
1142

1143
int
1144
hx509_cms_create_signed_1(hx509_context context,
1145
			  int flags,
1146
			  const heim_oid *eContentType,
1147
			  const void *data, size_t length,
1148
			  const AlgorithmIdentifier *digest_alg,
1149
			  hx509_cert cert,
1150
			  hx509_peer_info peer,
1151
			  hx509_certs anchors,
1152
			  hx509_certs pool,
1153
			  heim_octet_string *signed_data)
1154
{
1155
    hx509_certs certs;
1156
    int ret = 0;
1157

1158
    signed_data->data = NULL;
1159
    signed_data->length = 0;
1160

1161
    ret = hx509_certs_init(context, "MEMORY:certs", 0, NULL, &certs);
1162
    if (ret)
1163
	return ret;
1164
    ret = hx509_certs_add(context, certs, cert);
1165
    if (ret)
1166
	goto out;
1167

1168
    ret = hx509_cms_create_signed(context, flags, eContentType, data, length,
1169
				  digest_alg, certs, peer, anchors, pool,
1170
				  signed_data);
1171

1172
 out:
1173
    hx509_certs_free(&certs);
1174
    return ret;
1175
}
1176

1177
struct sigctx {
1178
    SignedData sd;
1179
    const AlgorithmIdentifier *digest_alg;
1180
    const heim_oid *eContentType;
1181
    heim_octet_string content;
1182
    hx509_peer_info peer;
1183
    int cmsidflag;
1184
    int leafonly;
1185
    hx509_certs certs;
1186
    hx509_certs anchors;
1187
    hx509_certs pool;
1188
};
1189

1190
static int
1191
sig_process(hx509_context context, void *ctx, hx509_cert cert)
1192
{
1193
    struct sigctx *sigctx = ctx;
1194
    heim_octet_string buf, sigdata = { 0, NULL };
1195
    SignerInfo *signer_info = NULL;
1196
    AlgorithmIdentifier digest;
1197
    size_t size;
1198
    void *ptr;
1199
    int ret;
1200
    SignedData *sd = &sigctx->sd;
1201
    hx509_path path;
1202

1203
    memset(&digest, 0, sizeof(digest));
1204
    memset(&path, 0, sizeof(path));
1205

1206
    if (_hx509_cert_private_key(cert) == NULL) {
1207
	hx509_set_error_string(context, 0, HX509_PRIVATE_KEY_MISSING,
1208
			       "Private key missing for signing");
1209
	return HX509_PRIVATE_KEY_MISSING;
1210
    }
1211

1212
    if (sigctx->digest_alg) {
1213
	ret = copy_AlgorithmIdentifier(sigctx->digest_alg, &digest);
1214
	if (ret)
1215
	    hx509_clear_error_string(context);
1216
    } else {
1217
	ret = hx509_crypto_select(context, HX509_SELECT_DIGEST,
1218
				  _hx509_cert_private_key(cert),
1219
				  sigctx->peer, &digest);
1220
    }
1221
    if (ret)
1222
	goto out;
1223

1224
    /*
1225
     * Allocate on more signerInfo and do the signature processing
1226
     */
1227

1228
    ptr = realloc(sd->signerInfos.val,
1229
		  (sd->signerInfos.len + 1) * sizeof(sd->signerInfos.val[0]));
1230
    if (ptr == NULL) {
1231
	ret = ENOMEM;
1232
	goto out;
1233
    }
1234
    sd->signerInfos.val = ptr;
1235

1236
    signer_info = &sd->signerInfos.val[sd->signerInfos.len];
1237

1238
    memset(signer_info, 0, sizeof(*signer_info));
1239

1240
    signer_info->version = 1;
1241

1242
    ret = fill_CMSIdentifier(cert, sigctx->cmsidflag, &signer_info->sid);
1243
    if (ret) {
1244
	hx509_clear_error_string(context);
1245
	goto out;
1246
    }
1247

1248
    signer_info->signedAttrs = NULL;
1249
    signer_info->unsignedAttrs = NULL;
1250

1251
    ret = copy_AlgorithmIdentifier(&digest, &signer_info->digestAlgorithm);
1252
    if (ret) {
1253
	hx509_clear_error_string(context);
1254
	goto out;
1255
    }
1256

1257
    /*
1258
     * If it isn't pkcs7-data send signedAttributes
1259
     */
1260

1261
    if (der_heim_oid_cmp(sigctx->eContentType, &asn1_oid_id_pkcs7_data) != 0) {
1262
	CMSAttributes sa;
1263
	heim_octet_string sig;
1264

1265
	ALLOC(signer_info->signedAttrs, 1);
1266
	if (signer_info->signedAttrs == NULL) {
1267
	    ret = ENOMEM;
1268
	    goto out;
1269
	}
1270

1271
	ret = _hx509_create_signature(context,
1272
				      NULL,
1273
				      &digest,
1274
				      &sigctx->content,
1275
				      NULL,
1276
				      &sig);
1277
	if (ret)
1278
	    goto out;
1279

1280
	ASN1_MALLOC_ENCODE(MessageDigest,
1281
			   buf.data,
1282
			   buf.length,
1283
			   &sig,
1284
			   &size,
1285
			   ret);
1286
	der_free_octet_string(&sig);
1287
	if (ret) {
1288
	    hx509_clear_error_string(context);
1289
	    goto out;
1290
	}
1291
	if (size != buf.length)
1292
	    _hx509_abort("internal ASN.1 encoder error");
1293

1294
	ret = add_one_attribute(&signer_info->signedAttrs->val,
1295
				&signer_info->signedAttrs->len,
1296
				&asn1_oid_id_pkcs9_messageDigest,
1297
				&buf);
1298
	if (ret) {
1299
	    free(buf.data);
1300
	    hx509_clear_error_string(context);
1301
	    goto out;
1302
	}
1303

1304

1305
	ASN1_MALLOC_ENCODE(ContentType,
1306
			   buf.data,
1307
			   buf.length,
1308
			   sigctx->eContentType,
1309
			   &size,
1310
			   ret);
1311
	if (ret)
1312
	    goto out;
1313
	if (size != buf.length)
1314
	    _hx509_abort("internal ASN.1 encoder error");
1315

1316
	ret = add_one_attribute(&signer_info->signedAttrs->val,
1317
				&signer_info->signedAttrs->len,
1318
				&asn1_oid_id_pkcs9_contentType,
1319
				&buf);
1320
	if (ret) {
1321
	    free(buf.data);
1322
	    hx509_clear_error_string(context);
1323
	    goto out;
1324
	}
1325

1326
	sa.val = signer_info->signedAttrs->val;
1327
	sa.len = signer_info->signedAttrs->len;
1328

1329
	ASN1_MALLOC_ENCODE(CMSAttributes,
1330
			   sigdata.data,
1331
			   sigdata.length,
1332
			   &sa,
1333
			   &size,
1334
			   ret);
1335
	if (ret) {
1336
	    hx509_clear_error_string(context);
1337
	    goto out;
1338
	}
1339
	if (size != sigdata.length)
1340
	    _hx509_abort("internal ASN.1 encoder error");
1341
    } else {
1342
	sigdata.data = sigctx->content.data;
1343
	sigdata.length = sigctx->content.length;
1344
    }
1345

1346
    {
1347
	AlgorithmIdentifier sigalg;
1348

1349
	ret = hx509_crypto_select(context, HX509_SELECT_PUBLIC_SIG,
1350
				  _hx509_cert_private_key(cert), sigctx->peer,
1351
				  &sigalg);
1352
	if (ret)
1353
	    goto out;
1354

1355
	ret = _hx509_create_signature(context,
1356
				      _hx509_cert_private_key(cert),
1357
				      &sigalg,
1358
				      &sigdata,
1359
				      &signer_info->signatureAlgorithm,
1360
				      &signer_info->signature);
1361
	free_AlgorithmIdentifier(&sigalg);
1362
	if (ret)
1363
	    goto out;
1364
    }
1365

1366
    sigctx->sd.signerInfos.len++;
1367
    signer_info = NULL;
1368

1369
    /*
1370
     * Provide best effort path
1371
     */
1372
    if (sigctx->certs) {
1373
	unsigned int i;
1374

1375
	if (sigctx->pool && sigctx->leafonly == 0) {
1376
	    _hx509_calculate_path(context,
1377
				  HX509_CALCULATE_PATH_NO_ANCHOR,
1378
				  time(NULL),
1379
				  sigctx->anchors,
1380
				  0,
1381
				  cert,
1382
				  sigctx->pool,
1383
				  &path);
1384
	} else
1385
	    _hx509_path_append(context, &path, cert);
1386

1387
	for (i = 0; i < path.len; i++) {
1388
	    /* XXX remove dups */
1389
	    ret = hx509_certs_add(context, sigctx->certs, path.val[i]);
1390
	    if (ret) {
1391
		hx509_clear_error_string(context);
1392
		goto out;
1393
	    }
1394
	}
1395
    }
1396

1397
 out:
1398
    if (signer_info)
1399
	free_SignerInfo(signer_info);
1400
    if (sigdata.data != sigctx->content.data)
1401
	der_free_octet_string(&sigdata);
1402
    _hx509_path_free(&path);
1403
    free_AlgorithmIdentifier(&digest);
1404

1405
    return ret;
1406
}
1407

1408
static int
1409
cert_process(hx509_context context, void *ctx, hx509_cert cert)
1410
{
1411
    struct sigctx *sigctx = ctx;
1412
    const unsigned int i = sigctx->sd.certificates->len;
1413
    void *ptr;
1414
    int ret;
1415

1416
    ptr = realloc(sigctx->sd.certificates->val,
1417
		  (i + 1) * sizeof(sigctx->sd.certificates->val[0]));
1418
    if (ptr == NULL)
1419
	return ENOMEM;
1420
    sigctx->sd.certificates->val = ptr;
1421

1422
    ret = hx509_cert_binary(context, cert,
1423
			    &sigctx->sd.certificates->val[i]);
1424
    if (ret == 0)
1425
	sigctx->sd.certificates->len++;
1426

1427
    return ret;
1428
}
1429

1430
static int
1431
cmp_AlgorithmIdentifier(const AlgorithmIdentifier *p, const AlgorithmIdentifier *q)
1432
{
1433
    return der_heim_oid_cmp(&p->algorithm, &q->algorithm);
1434
}
1435

1436
int
1437
hx509_cms_create_signed(hx509_context context,
1438
			int flags,
1439
			const heim_oid *eContentType,
1440
			const void *data, size_t length,
1441
			const AlgorithmIdentifier *digest_alg,
1442
			hx509_certs certs,
1443
			hx509_peer_info peer,
1444
			hx509_certs anchors,
1445
			hx509_certs pool,
1446
			heim_octet_string *signed_data)
1447
{
1448
    unsigned int i, j;
1449
    hx509_name name;
1450
    int ret;
1451
    size_t size;
1452
    struct sigctx sigctx;
1453

1454
    memset(&sigctx, 0, sizeof(sigctx));
1455
    memset(&name, 0, sizeof(name));
1456

1457
    if (eContentType == NULL)
1458
	eContentType = &asn1_oid_id_pkcs7_data;
1459

1460
    sigctx.digest_alg = digest_alg;
1461
    sigctx.content.data = rk_UNCONST(data);
1462
    sigctx.content.length = length;
1463
    sigctx.eContentType = eContentType;
1464
    sigctx.peer = peer;
1465
    /**
1466
     * Use HX509_CMS_SIGNATURE_ID_NAME to preferred use of issuer name
1467
     * and serial number if possible. Otherwise subject key identifier
1468
     * will preferred.
1469
     */
1470
    if (flags & HX509_CMS_SIGNATURE_ID_NAME)
1471
	sigctx.cmsidflag = CMS_ID_NAME;
1472
    else
1473
	sigctx.cmsidflag = CMS_ID_SKI;
1474

1475
    /**
1476
     * Use HX509_CMS_SIGNATURE_LEAF_ONLY to only request leaf
1477
     * certificates to be added to the SignedData.
1478
     */
1479
    sigctx.leafonly = (flags & HX509_CMS_SIGNATURE_LEAF_ONLY) ? 1 : 0;
1480

1481
    /**
1482
     * Use HX509_CMS_NO_CERTS to make the SignedData contain no
1483
     * certificates, overrides HX509_CMS_SIGNATURE_LEAF_ONLY.
1484
     */
1485

1486
    if ((flags & HX509_CMS_SIGNATURE_NO_CERTS) == 0) {
1487
	ret = hx509_certs_init(context, "MEMORY:certs", 0, NULL, &sigctx.certs);
1488
	if (ret)
1489
	    return ret;
1490
    }
1491

1492
    sigctx.anchors = anchors;
1493
    sigctx.pool = pool;
1494

1495
    sigctx.sd.version = CMSVersion_v3;
1496

1497
    der_copy_oid(eContentType, &sigctx.sd.encapContentInfo.eContentType);
1498

1499
    /**
1500
     * Use HX509_CMS_SIGNATURE_DETACHED to create detached signatures.
1501
     */
1502
    if ((flags & HX509_CMS_SIGNATURE_DETACHED) == 0) {
1503
	ALLOC(sigctx.sd.encapContentInfo.eContent, 1);
1504
	if (sigctx.sd.encapContentInfo.eContent == NULL) {
1505
	    hx509_clear_error_string(context);
1506
	    ret = ENOMEM;
1507
	    goto out;
1508
	}
1509

1510
	sigctx.sd.encapContentInfo.eContent->data = malloc(length);
1511
	if (sigctx.sd.encapContentInfo.eContent->data == NULL) {
1512
	    hx509_clear_error_string(context);
1513
	    ret = ENOMEM;
1514
	    goto out;
1515
	}
1516
	memcpy(sigctx.sd.encapContentInfo.eContent->data, data, length);
1517
	sigctx.sd.encapContentInfo.eContent->length = length;
1518
    }
1519

1520
    /**
1521
     * Use HX509_CMS_SIGNATURE_NO_SIGNER to create no sigInfo (no
1522
     * signatures).
1523
     */
1524
    if ((flags & HX509_CMS_SIGNATURE_NO_SIGNER) == 0) {
1525
	ret = hx509_certs_iter_f(context, certs, sig_process, &sigctx);
1526
	if (ret)
1527
	    goto out;
1528
    }
1529

1530
    if (sigctx.sd.signerInfos.len) {
1531

1532
	/*
1533
	 * For each signerInfo, collect all different digest types.
1534
	 */
1535
	for (i = 0; i < sigctx.sd.signerInfos.len; i++) {
1536
	    AlgorithmIdentifier *di =
1537
		&sigctx.sd.signerInfos.val[i].digestAlgorithm;
1538

1539
	    for (j = 0; j < sigctx.sd.digestAlgorithms.len; j++)
1540
		if (cmp_AlgorithmIdentifier(di, &sigctx.sd.digestAlgorithms.val[j]) == 0)
1541
		    break;
1542
	    if (j == sigctx.sd.digestAlgorithms.len) {
1543
		ret = add_DigestAlgorithmIdentifiers(&sigctx.sd.digestAlgorithms, di);
1544
		if (ret) {
1545
		    hx509_clear_error_string(context);
1546
		    goto out;
1547
		}
1548
	    }
1549
	}
1550
    }
1551

1552
    /*
1553
     * Add certs we think are needed, build as part of sig_process
1554
     */
1555
    if (sigctx.certs) {
1556
	ALLOC(sigctx.sd.certificates, 1);
1557
	if (sigctx.sd.certificates == NULL) {
1558
	    hx509_clear_error_string(context);
1559
	    ret = ENOMEM;
1560
	    goto out;
1561
	}
1562

1563
	ret = hx509_certs_iter_f(context, sigctx.certs, cert_process, &sigctx);
1564
	if (ret)
1565
	    goto out;
1566
    }
1567

1568
    ASN1_MALLOC_ENCODE(SignedData,
1569
		       signed_data->data, signed_data->length,
1570
		       &sigctx.sd, &size, ret);
1571
    if (ret) {
1572
	hx509_clear_error_string(context);
1573
	goto out;
1574
    }
1575
    if (signed_data->length != size)
1576
	_hx509_abort("internal ASN.1 encoder error");
1577

1578
out:
1579
    hx509_certs_free(&sigctx.certs);
1580
    free_SignedData(&sigctx.sd);
1581

1582
    return ret;
1583
}
1584

1585
int
1586
hx509_cms_decrypt_encrypted(hx509_context context,
1587
			    hx509_lock lock,
1588
			    const void *data,
1589
			    size_t length,
1590
			    heim_oid *contentType,
1591
			    heim_octet_string *content)
1592
{
1593
    heim_octet_string cont;
1594
    CMSEncryptedData ed;
1595
    AlgorithmIdentifier *ai;
1596
    int ret;
1597

1598
    memset(content, 0, sizeof(*content));
1599
    memset(&cont, 0, sizeof(cont));
1600

1601
    ret = decode_CMSEncryptedData(data, length, &ed, NULL);
1602
    if (ret) {
1603
	hx509_set_error_string(context, 0, ret,
1604
			       "Failed to decode CMSEncryptedData");
1605
	return ret;
1606
    }
1607

1608
    if (ed.encryptedContentInfo.encryptedContent == NULL) {
1609
	ret = HX509_CMS_NO_DATA_AVAILABLE;
1610
	hx509_set_error_string(context, 0, ret,
1611
			       "No content in EncryptedData");
1612
	goto out;
1613
    }
1614

1615
    ret = der_copy_oid(&ed.encryptedContentInfo.contentType, contentType);
1616
    if (ret) {
1617
	hx509_clear_error_string(context);
1618
	goto out;
1619
    }
1620

1621
    ai = &ed.encryptedContentInfo.contentEncryptionAlgorithm;
1622
    if (ai->parameters == NULL) {
1623
	ret = HX509_ALG_NOT_SUPP;
1624
	hx509_clear_error_string(context);
1625
	goto out;
1626
    }
1627

1628
    ret = _hx509_pbe_decrypt(context,
1629
			     lock,
1630
			     ai,
1631
			     ed.encryptedContentInfo.encryptedContent,
1632
			     &cont);
1633
    if (ret)
1634
	goto out;
1635

1636
    *content = cont;
1637

1638
out:
1639
    if (ret) {
1640
	if (cont.data)
1641
	    free(cont.data);
1642
    }
1643
    free_CMSEncryptedData(&ed);
1644
    return ret;
1645
}
1646

1647