From c35953a8468d7efd75b83e361cf933cba330181d Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Wed, 12 Oct 2016 13:36:01 +0200
Subject: gnutls_pkcs7_get_embedded_data: added GNUTLS_PKCS7_EDATA_GET_RAW flag
This flag allows the export of the stored embedded data with any wrapping encoding included. This in particular, it allows to read the data from the microsoft catalog PKCS#7 structures, which store as embedded data elements of a SEQUENCE, but only authenticate the inner parts without the bytes forming the SEQUENCE header.
---
 lib/includes/gnutls/pkcs7.h | 4 +++-
 lib/x509/pkcs7.c | 20 +++++++++++++++-----
 2 files changed, 18 insertions(+), 6 deletions(-)
diff --git a/lib/includes/gnutls/pkcs7.h b/lib/includes/gnutls/pkcs7.h
index 59b788bc96..376f2d1d4b 100644
--- a/lib/includes/gnutls/pkcs7.h
+++ b/lib/includes/gnutls/pkcs7.h
@@ -55,7 +55,9 @@ int gnutls_pkcs7_export2(gnutls_pkcs7_t pkcs7, gnutls_datum_t * out);
 int gnutls_pkcs7_get_signature_count(gnutls_pkcs7_t pkcs7);
-int gnutls_pkcs7_get_embedded_data(gnutls_pkcs7_t pkcs7, unsigned idx, gnutls_datum_t *data);
+
+#define GNUTLS_PKCS7_EDATA_GET_RAW (1<<24)
+int gnutls_pkcs7_get_embedded_data(gnutls_pkcs7_t pkcs7, unsigned flags, gnutls_datum_t *data);
 const char * gnutls_pkcs7_get_embedded_data_oid(gnutls_pkcs7_t pkcs7);
diff --git a/lib/x509/pkcs7.c b/lib/x509/pkcs7.c
index 0ff6efdc4a..b2de03f2d4 100644
--- a/lib/x509/pkcs7.c
+++ b/lib/x509/pkcs7.c
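Review bot: The new `GNUTLS_PKCS7_EDATA_GET_RAW` define in the pkcs7.h hunk carries no comment, so a caller reading only the public header cannot tell what the flag changes or that it belongs in the `flags` argument of gnutls_pkcs7_get_embedded_data(). I would add `/* Return the eContent together with its wrapping tag/length bytes as encoded in the structure, rather than only the bytes the signature covers; flag for gnutls_pkcs7_get_embedded_data() */` directly above the define. The choice of bit 24 presumably keeps the low bits free for another flag namespace; a short comment saying so would stop the next flag from landing on an arbitrary bit.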
@@ -891,16 +891,19 @@ static int figure_pkcs7_sigdata(gnutls_pkcs7_t pkcs7, const char *root,
 /**
  * gnutls_pkcs7_get_embedded_data:
  * @pkcs7: should contain a gnutls_pkcs7_t type
- * @flags: must be zero
+ * @flags: must be zero or %GNUTLS_PKCS7_EDATA_GET_RAW
  * @data: will hold the embedded data in the provided structure
  *
  * This function will return the data embedded in the signature of
  * the PKCS7 structure. If no data are available then
  * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
  *
- * Note, that since a PKCS#7 structure may contain embedded data
- * for each attached signature, this function accepts and index which
- * corresponds to the signature index to get the data from.
+ * The returned data must be de-allocated using gnutls_free().
+ *
+ * Note, that this function returns the exact same data that are
+ * authenticated. If the %GNUTLS_PKCS7_EDATA_GET_RAW flag is provided,
+ * the returned data will be including the wrapping tag/value as
+ * they are encoded in the structure.
  *
  * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
  * negative error value.
@@ -917,7 +920,14 @@ gnutls_pkcs7_get_embedded_data(gnutls_pkcs7_t pkcs7, unsigned flags,
 if (pkcs7->der_signed_data.size == 0)
 return gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
- return _gnutls_set_datum(data, pkcs7->der_signed_data.data, pkcs7->der_signed_data.size);
+ if (flags & GNUTLS_PKCS7_EDATA_GET_RAW) {
+ if (pkcs7->signed_data == NULL)
+ return gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
+
+ return _gnutls_x509_read_value(pkcs7->signed_data, "encapContentInfo.eContent", data);
+ } else {
+ return _gnutls_set_datum(data, pkcs7->der_signed_data.data, pkcs7->der_signed_data.size);
+ }
 }
 /**
-- cgit v1.2.1
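Review bot: In the doc-comment hunk the added sentence "this function returns the exact same data that are authenticated" contradicts the RAW mode introduced right after it: per the commit message the catalog structures authenticate only the inner elements, so with `GNUTLS_PKCS7_EDATA_GET_RAW` the returned buffer contains wrapping bytes the signature does not necessarily cover, and a caller that treats the whole buffer as verified content is misled. I would reword the note to ` * Note, that without flags this function returns the exact same data that are` / ` * authenticated. If the %GNUTLS_PKCS7_EDATA_GET_RAW flag is provided, the returned data` / ` * also include the wrapping tag/length bytes as encoded in the structure; these bytes are not necessarily covered by the signature.` In the second hunk the "must be zero or %GNUTLS_PKCS7_EDATA_GET_RAW" contract is not enforced, so any other bit is silently treated as the non-raw path; if the library's convention permits it, `if (flags & ~GNUTLS_PKCS7_EDATA_GET_RAW) return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);` at the top of the function would make that explicit. The opening lines of gnutls_pkcs7_get_embedded_data() lie outside the hunk.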