Diffstat (limited to 'lib/x509/pkcs7.c')
-rw-r--r--lib/x509/pkcs7.c182
1 files changed, 120 insertions, 62 deletions
diff --git a/lib/x509/pkcs7.c b/lib/x509/pkcs7.c
index ff8cab0158..c67bef6c32 100644
--- a/lib/x509/pkcs7.c
+++ b/lib/x509/pkcs7.c
@@ -50,10 +50,12 @@ static int _decode_pkcs7_signed_data(gnutls_pkcs7_t pkcs7)
{
asn1_node c2;
int len, result;
- gnutls_datum_t tmp = {NULL, 0};
+ gnutls_datum_t tmp = { NULL, 0 };
len = MAX_OID_SIZE - 1;
- result = asn1_read_value(pkcs7->pkcs7, "contentType", pkcs7->encap_data_oid, &len);
+ result =
+ asn1_read_value(pkcs7->pkcs7, "contentType", pkcs7->encap_data_oid,
+ &len);
if (result != ASN1_SUCCESS) {
gnutls_assert();
return _gnutls_asn2err(result);
@@ -61,7 +63,8 @@ static int _decode_pkcs7_signed_data(gnutls_pkcs7_t pkcs7)
if (strcmp(pkcs7->encap_data_oid, SIGNED_DATA_OID) != 0) {
gnutls_assert();
- _gnutls_debug_log("Unknown PKCS7 Content OID '%s'\n", pkcs7->encap_data_oid);
+ _gnutls_debug_log("Unknown PKCS7 Content OID '%s'\n",
+ pkcs7->encap_data_oid);
return GNUTLS_E_UNKNOWN_PKCS_CONTENT_TYPE;
}
@@ -94,7 +97,8 @@ static int _decode_pkcs7_signed_data(gnutls_pkcs7_t pkcs7)
/* read the encapsulated content */
len = MAX_OID_SIZE - 1;
result =
- asn1_read_value(c2, "encapContentInfo.eContentType", pkcs7->encap_data_oid, &len);
+ asn1_read_value(c2, "encapContentInfo.eContentType",
+ pkcs7->encap_data_oid, &len);
if (result != ASN1_SUCCESS) {
gnutls_assert();
result = _gnutls_asn2err(result);
@@ -111,9 +115,14 @@ static int _decode_pkcs7_signed_data(gnutls_pkcs7_t pkcs7)
/* Try reading as octet string according to rfc5652. If that fails, attempt
* a raw read according to rfc2315 */
- result = _gnutls_x509_read_string(c2, "encapContentInfo.eContent", &pkcs7->der_signed_data, ASN1_ETYPE_OCTET_STRING, 1);
+ result =
+ _gnutls_x509_read_string(c2, "encapContentInfo.eContent",
+ &pkcs7->der_signed_data,
+ ASN1_ETYPE_OCTET_STRING, 1);
if (result < 0) {
- result = _gnutls_x509_read_value(c2, "encapContentInfo.eContent", &pkcs7->der_signed_data);
+ result =
+ _gnutls_x509_read_value(c2, "encapContentInfo.eContent",
+ &pkcs7->der_signed_data);
if (result < 0) {
pkcs7->der_signed_data.data = NULL;
pkcs7->der_signed_data.size = 0;
@@ -123,14 +132,21 @@ static int _decode_pkcs7_signed_data(gnutls_pkcs7_t pkcs7)
unsigned long tag;
/* we skip the embedded element's tag and length - uncharted territorry - used by MICROSOFT_CERT_TRUST_LIST */
- result = asn1_get_tag_der(pkcs7->der_signed_data.data, pkcs7->der_signed_data.size, &cls, &tag_len, &tag);
+ result =
+ asn1_get_tag_der(pkcs7->der_signed_data.data,
+ pkcs7->der_signed_data.size, &cls,
+ &tag_len, &tag);
if (result != ASN1_SUCCESS) {
gnutls_assert();
result = _gnutls_asn2err(result);
goto cleanup;
}
- result = asn1_get_length_ber(pkcs7->der_signed_data.data+tag_len, pkcs7->der_signed_data.size-tag_len, &len_len);
+ result =
+ asn1_get_length_ber(pkcs7->der_signed_data.data +
+ tag_len,
+ pkcs7->der_signed_data.size -
+ tag_len, &len_len);
if (result < 0) {
gnutls_assert();
result = GNUTLS_E_ASN1_DER_ERROR;
@@ -138,8 +154,10 @@ static int _decode_pkcs7_signed_data(gnutls_pkcs7_t pkcs7)
}
tag_len += len_len;
- memmove(pkcs7->der_signed_data.data, &pkcs7->der_signed_data.data[tag_len], pkcs7->der_signed_data.size-tag_len);
- pkcs7->der_signed_data.size-=tag_len;
+ memmove(pkcs7->der_signed_data.data,
+ &pkcs7->der_signed_data.data[tag_len],
+ pkcs7->der_signed_data.size - tag_len);
+ pkcs7->der_signed_data.size -= tag_len;
}
}
@@ -405,7 +423,7 @@ gnutls_pkcs7_get_crt_raw2(gnutls_pkcs7_t pkcs7,
int
gnutls_pkcs7_get_crt_raw(gnutls_pkcs7_t pkcs7,
unsigned indx, void *certificate,
- size_t * certificate_size)
+ size_t *certificate_size)
{
int ret;
gnutls_datum_t tmp = { NULL, 0 };
@@ -753,7 +771,7 @@ int gnutls_pkcs7_get_signature_info(gnutls_pkcs7_t pkcs7, unsigned idx,
* and matches our calculated hash */
static int verify_hash_attr(gnutls_pkcs7_t pkcs7, const char *root,
gnutls_sign_algorithm_t algo,
- const gnutls_datum_t *data)
+ const gnutls_datum_t * data)
{
unsigned hash;
gnutls_datum_t tmp = { NULL, 0 };
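Review bot: The re-indent leaves the pointer declarator style inconsistent: in verify_hash_attr's parameter list `const gnutls_datum_t *data` becomes `const gnutls_datum_t * data`, while the same commit changes `size_t * certificate_size` to `size_t *certificate_size` in gnutls_pkcs7_get_crt_raw (and likewise in gnutls_pkcs7_export and gnutls_pkcs7_get_crl_raw). The same spaced form is introduced in gnutls_pkcs7_get_embedded_data, gnutls_pkcs7_verify_direct, find_child_of_with_serial (`gnutls_pkcs7_signature_info_st * info`, now also split across two lines), gnutls_pkcs7_verify and gnutls_pkcs7_sign. This looks like a formatter that does not know the project's typedef names and so treats `*` as a binary operator; if GNU indent was used, declaring the typedefs with `-T` should keep `const gnutls_datum_t *data`. No code changes in this hunk, and the body of verify_hash_attr continues outside it.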
@@ -886,7 +904,8 @@ static int figure_pkcs7_sigdata(gnutls_pkcs7_t pkcs7, const char *root,
/* We have no signedAttrs. Use the provided data, or the encapsulated */
if (data == NULL || data->data == NULL) {
- return _gnutls_set_datum(sigdata, pkcs7->der_signed_data.data, pkcs7->der_signed_data.size);
+ return _gnutls_set_datum(sigdata, pkcs7->der_signed_data.data,
+ pkcs7->der_signed_data.size);
}
return _gnutls_set_datum(sigdata, data->data, data->size);
@@ -916,7 +935,7 @@ static int figure_pkcs7_sigdata(gnutls_pkcs7_t pkcs7, const char *root,
**/
int
gnutls_pkcs7_get_embedded_data(gnutls_pkcs7_t pkcs7, unsigned flags,
- gnutls_datum_t *data)
+ gnutls_datum_t * data)
{
if (pkcs7 == NULL)
return GNUTLS_E_INVALID_REQUEST;
@@ -926,11 +945,16 @@ gnutls_pkcs7_get_embedded_data(gnutls_pkcs7_t pkcs7, unsigned flags,
if (flags & GNUTLS_PKCS7_EDATA_GET_RAW) {
if (pkcs7->signed_data == NULL)
- return gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
+ return
+ gnutls_assert_val
+ (GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
- return _gnutls_x509_read_value(pkcs7->signed_data, "encapContentInfo.eContent", data);
+ return _gnutls_x509_read_value(pkcs7->signed_data,
+ "encapContentInfo.eContent",
+ data);
} else {
- return _gnutls_set_datum(data, pkcs7->der_signed_data.data, pkcs7->der_signed_data.size);
+ return _gnutls_set_datum(data, pkcs7->der_signed_data.data,
+ pkcs7->der_signed_data.size);
}
}
@@ -947,8 +971,7 @@ gnutls_pkcs7_get_embedded_data(gnutls_pkcs7_t pkcs7, unsigned flags,
*
* Since: 3.5.5
**/
-const char *
-gnutls_pkcs7_get_embedded_data_oid(gnutls_pkcs7_t pkcs7)
+const char *gnutls_pkcs7_get_embedded_data_oid(gnutls_pkcs7_t pkcs7)
{
if (pkcs7 == NULL || pkcs7->encap_data_oid[0] == 0)
return NULL;
@@ -987,7 +1010,7 @@ gnutls_pkcs7_get_embedded_data_oid(gnutls_pkcs7_t pkcs7)
int gnutls_pkcs7_verify_direct(gnutls_pkcs7_t pkcs7,
gnutls_x509_crt_t signer,
unsigned idx,
- const gnutls_datum_t *data, unsigned flags)
+ const gnutls_datum_t * data, unsigned flags)
{
int count, ret;
gnutls_datum_t tmpdata = { NULL, 0 };
@@ -1038,9 +1061,9 @@ int gnutls_pkcs7_verify_direct(gnutls_pkcs7_t pkcs7,
/* Finds the issuer of the given certificate (@cert) in the
* included in PKCS#7 list of certificates */
static gnutls_x509_crt_t find_verified_issuer_of(gnutls_pkcs7_t pkcs7,
- gnutls_x509_crt_t cert,
- const char *purpose,
- unsigned vflags)
+ gnutls_x509_crt_t cert,
+ const char *purpose,
+ unsigned vflags)
{
gnutls_x509_crt_t issuer = NULL;
int ret, count;
@@ -1078,9 +1101,14 @@ static gnutls_x509_crt_t find_verified_issuer_of(gnutls_pkcs7_t pkcs7,
goto skip;
}
- ret = gnutls_x509_crt_verify(cert, &issuer, 1, vflags|GNUTLS_VERIFY_DO_NOT_ALLOW_SAME, &vtmp);
- if (ret < 0 || vtmp != 0 ||
- (purpose != NULL && !_gnutls_check_key_purpose(issuer, purpose, 0))) {
+ ret =
+ gnutls_x509_crt_verify(cert, &issuer, 1,
+ vflags |
+ GNUTLS_VERIFY_DO_NOT_ALLOW_SAME,
+ &vtmp);
+ if (ret < 0 || vtmp != 0
+ || (purpose != NULL
+ && !_gnutls_check_key_purpose(issuer, purpose, 0))) {
gnutls_assert(); /* maybe next one is trusted */
_gnutls_cert_log("failed verification with", issuer);
skip:
@@ -1120,7 +1148,8 @@ static gnutls_x509_crt_t find_verified_issuer_of(gnutls_pkcs7_t pkcs7,
static gnutls_x509_crt_t find_child_of_with_serial(gnutls_pkcs7_t pkcs7,
gnutls_x509_crt_t issuer,
const char *purpose,
- gnutls_pkcs7_signature_info_st *info)
+ gnutls_pkcs7_signature_info_st
+ * info)
{
gnutls_x509_crt_t crt = NULL;
int ret, count;
@@ -1149,7 +1178,8 @@ static gnutls_x509_crt_t find_child_of_with_serial(gnutls_pkcs7_t pkcs7,
goto fail;
}
- ret = gnutls_x509_crt_import(crt, &tmpdata, GNUTLS_X509_FMT_DER);
+ ret =
+ gnutls_x509_crt_import(crt, &tmpdata, GNUTLS_X509_FMT_DER);
if (ret < 0) {
gnutls_assert();
goto fail;
@@ -1163,10 +1193,10 @@ static gnutls_x509_crt_t find_child_of_with_serial(gnutls_pkcs7_t pkcs7,
}
if (purpose) {
- ret =
- _gnutls_check_key_purpose(crt, purpose, 0);
+ ret = _gnutls_check_key_purpose(crt, purpose, 0);
if (ret == 0) {
- _gnutls_cert_log("key purpose unacceptable", crt);
+ _gnutls_cert_log("key purpose unacceptable",
+ crt);
goto skip;
}
}
@@ -1188,7 +1218,9 @@ static gnutls_x509_crt_t find_child_of_with_serial(gnutls_pkcs7_t pkcs7,
}
} else if (info->issuer_keyid.size > 0) {
tmp_size = sizeof(tmp);
- ret = gnutls_x509_crt_get_subject_key_id(crt, tmp, &tmp_size, NULL);
+ ret =
+ gnutls_x509_crt_get_subject_key_id(crt, tmp,
+ &tmp_size, NULL);
if (ret < 0) {
gnutls_assert();
goto skip;
@@ -1285,7 +1317,9 @@ gnutls_x509_crt_t find_signer(gnutls_pkcs7_t pkcs7, gnutls_x509_trust_list_t tl,
if (issuer) {
/* try to find the actual signer in the list of
* certificates */
- signer = find_child_of_with_serial(pkcs7, issuer, purpose, info);
+ signer =
+ find_child_of_with_serial(pkcs7, issuer, purpose,
+ info);
if (signer == NULL) {
gnutls_assert();
goto fail;
@@ -1307,7 +1341,10 @@ gnutls_x509_crt_t find_signer(gnutls_pkcs7_t pkcs7, gnutls_x509_trust_list_t tl,
/* if the signer cannot be verified from our trust list, make a chain of certificates
* starting from the identified signer, to a root we know. */
- ret = gnutls_x509_trust_list_verify_crt2(tl, &signer, 1, vdata, vdata_size, vflags, &vtmp, NULL);
+ ret =
+ gnutls_x509_trust_list_verify_crt2(tl, &signer, 1, vdata,
+ vdata_size, vflags,
+ &vtmp, NULL);
if (ret < 0 || vtmp != 0) {
gnutls_x509_crt_t prev = NULL;
@@ -1319,37 +1356,52 @@ gnutls_x509_crt_t find_signer(gnutls_pkcs7_t pkcs7, gnutls_x509_trust_list_t tl,
}
prev = issuer;
- issuer = find_verified_issuer_of(pkcs7, issuer, purpose, vflags);
+ issuer =
+ find_verified_issuer_of(pkcs7, issuer,
+ purpose, vflags);
- if (issuer != NULL && gnutls_x509_crt_check_issuer(issuer, issuer)) {
+ if (issuer != NULL
+ && gnutls_x509_crt_check_issuer(issuer,
+ issuer)) {
if (prev && prev != signer)
gnutls_x509_crt_deinit(prev);
prev = issuer;
break;
}
- } while(issuer != NULL);
+ } while (issuer != NULL);
- issuer = prev; /* the last we have seen */
+ issuer = prev; /* the last we have seen */
if (issuer == NULL) {
gnutls_assert();
goto fail;
}
- ret = gnutls_x509_trust_list_verify_crt2(tl, &issuer, 1, vdata, vdata_size, vflags, &vtmp, NULL);
+ ret =
+ gnutls_x509_trust_list_verify_crt2(tl, &issuer, 1,
+ vdata,
+ vdata_size,
+ vflags, &vtmp,
+ NULL);
if (ret < 0 || vtmp != 0) {
/* could not construct a valid chain */
- _gnutls_reason_log("signer's chain failed trust list verification", vtmp);
+ _gnutls_reason_log
+ ("signer's chain failed trust list verification",
+ vtmp);
gnutls_assert();
goto fail;
}
}
} else {
/* verify that the signer we got is trusted */
- ret = gnutls_x509_trust_list_verify_crt2(tl, &signer, 1, vdata, vdata_size, vflags, &vtmp, NULL);
+ ret =
+ gnutls_x509_trust_list_verify_crt2(tl, &signer, 1, vdata,
+ vdata_size, vflags,
+ &vtmp, NULL);
if (ret < 0 || vtmp != 0) {
/* could not construct a valid chain */
- _gnutls_reason_log("signer failed trust list verification", vtmp);
+ _gnutls_reason_log
+ ("signer failed trust list verification", vtmp);
gnutls_assert();
goto fail;
}
@@ -1404,10 +1456,10 @@ gnutls_x509_crt_t find_signer(gnutls_pkcs7_t pkcs7, gnutls_x509_trust_list_t tl,
**/
int gnutls_pkcs7_verify(gnutls_pkcs7_t pkcs7,
gnutls_x509_trust_list_t tl,
- gnutls_typed_vdata_st *vdata,
+ gnutls_typed_vdata_st * vdata,
unsigned int vdata_size,
unsigned idx,
- const gnutls_datum_t *data, unsigned flags)
+ const gnutls_datum_t * data, unsigned flags)
{
int count, ret;
gnutls_datum_t tmpdata = { NULL, 0 };
@@ -1445,10 +1497,12 @@ int gnutls_pkcs7_verify(gnutls_pkcs7_t pkcs7,
signer = find_signer(pkcs7, tl, vdata, vdata_size, flags, &info);
if (signer) {
ret =
- gnutls_x509_crt_verify_data3(signer, info.algo, vdata, vdata_size,
- &sigdata, &info.sig, flags);
+ gnutls_x509_crt_verify_data3(signer, info.algo, vdata,
+ vdata_size, &sigdata,
+ &info.sig, flags);
if (ret < 0) {
- _gnutls_cert_log("failed struct verification with", signer);
+ _gnutls_cert_log("failed struct verification with",
+ signer);
gnutls_assert();
}
gnutls_x509_crt_deinit(signer);
@@ -1479,7 +1533,8 @@ static void disable_opt_fields(gnutls_pkcs7_t pkcs7)
result =
asn1_number_of_elements(pkcs7->signed_data, "certificates", &count);
if (result != ASN1_SUCCESS || count == 0) {
- (void)asn1_write_value(pkcs7->signed_data, "certificates", NULL, 0);
+ (void)asn1_write_value(pkcs7->signed_data, "certificates", NULL,
+ 0);
}
return;
@@ -1538,7 +1593,7 @@ static int reencode(gnutls_pkcs7_t pkcs7)
int
gnutls_pkcs7_export(gnutls_pkcs7_t pkcs7,
gnutls_x509_crt_fmt_t format, void *output_data,
- size_t * output_data_size)
+ size_t *output_data_size)
{
int ret;
if (pkcs7 == NULL)
@@ -1867,7 +1922,7 @@ gnutls_pkcs7_get_crl_raw2(gnutls_pkcs7_t pkcs7,
**/
int
gnutls_pkcs7_get_crl_raw(gnutls_pkcs7_t pkcs7,
- unsigned indx, void *crl, size_t * crl_size)
+ unsigned indx, void *crl, size_t *crl_size)
{
int ret;
gnutls_datum_t tmp = { NULL, 0 };
@@ -2282,7 +2337,9 @@ static int write_attributes(asn1_node c2, const char *root,
/* If we add any attribute we should add them all */
/* Add hash */
digest_size = _gnutls_hash_get_algo_len(me);
- ret = gnutls_hash_fast(MAC_TO_DIG(me->id), data->data, data->size, digest);
+ ret =
+ gnutls_hash_fast(MAC_TO_DIG(me->id), data->data, data->size,
+ digest);
if (ret < 0) {
gnutls_assert();
return ret;
@@ -2337,7 +2394,7 @@ static int write_attributes(asn1_node c2, const char *root,
int gnutls_pkcs7_sign(gnutls_pkcs7_t pkcs7,
gnutls_x509_crt_t signer,
gnutls_privkey_t signer_key,
- const gnutls_datum_t *data,
+ const gnutls_datum_t * data,
gnutls_pkcs7_attrs_t signed_attrs,
gnutls_pkcs7_attrs_t unsigned_attrs,
gnutls_digest_algorithm_t dig, unsigned flags)
@@ -2366,7 +2423,8 @@ int gnutls_pkcs7_sign(gnutls_pkcs7_t pkcs7,
if (!(flags & GNUTLS_PKCS7_EMBED_DATA)) {
(void)asn1_write_value(pkcs7->signed_data,
- "encapContentInfo.eContent", NULL, 0);
+ "encapContentInfo.eContent",
+ NULL, 0);
}
}
@@ -2378,8 +2436,7 @@ int gnutls_pkcs7_sign(gnutls_pkcs7_t pkcs7,
result =
asn1_write_value(pkcs7->signed_data,
- "encapContentInfo.eContentType", DATA_OID,
- 0);
+ "encapContentInfo.eContentType", DATA_OID, 0);
if (result != ASN1_SUCCESS) {
ret = _gnutls_asn2err(result);
goto cleanup;
@@ -2388,8 +2445,8 @@ int gnutls_pkcs7_sign(gnutls_pkcs7_t pkcs7,
if ((flags & GNUTLS_PKCS7_EMBED_DATA) && data->data) { /* embed data */
ret =
_gnutls_x509_write_string(pkcs7->signed_data,
- "encapContentInfo.eContent", data,
- ASN1_ETYPE_OCTET_STRING);
+ "encapContentInfo.eContent", data,
+ ASN1_ETYPE_OCTET_STRING);
if (ret < 0) {
goto cleanup;
}
@@ -2423,7 +2480,7 @@ int gnutls_pkcs7_sign(gnutls_pkcs7_t pkcs7,
}
(void)asn1_write_value(pkcs7->signed_data,
- "digestAlgorithms.?LAST.parameters", NULL, 0);
+ "digestAlgorithms.?LAST.parameters", NULL, 0);
/* append signer's info */
result = asn1_write_value(pkcs7->signed_data, "signerInfos", "NEW", 1);
@@ -2453,8 +2510,8 @@ int gnutls_pkcs7_sign(gnutls_pkcs7_t pkcs7,
}
(void)asn1_write_value(pkcs7->signed_data,
- "signerInfos.?LAST.digestAlgorithm.parameters", NULL,
- 0);
+ "signerInfos.?LAST.digestAlgorithm.parameters",
+ NULL, 0);
ret =
write_signer_id(pkcs7->signed_data, "signerInfos.?LAST", signer,
@@ -2499,7 +2556,7 @@ int gnutls_pkcs7_sign(gnutls_pkcs7_t pkcs7,
}
ret = _gnutls_privkey_update_spki_params(signer_key, pk, dig, 0,
- &params);
+ &params);
if (ret < 0) {
gnutls_assert();
goto cleanup;
@@ -2507,7 +2564,8 @@ int gnutls_pkcs7_sign(gnutls_pkcs7_t pkcs7,
se = _gnutls_pk_to_sign_entry(params.pk, dig);
if (se == NULL) {
- ret = gnutls_assert_val(GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM);
+ ret =
+ gnutls_assert_val(GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM);
goto cleanup;
}