VirtualBox

source: vbox/trunk/src/VBox/Runtime/common/crypto/pkcs7-sign.cpp@ 95634

Last change on this file since 95634 was 95624, checked in by vboxsync, 3 years ago

IPRT/RTAsn1,RTCrSpc: Generate setter functions for RTASN1TMPL_MEMBER_OPT_XTAG_EX and RTASN1TMPL_MEMBER_OPT_ITAG_EX members. Added setter prototypes to the spc.h header. bugref:8691
  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
File size: 13.2 KB
Line 
1/* $Id: pkcs7-sign.cpp 95624 2022-07-13 20:31:41Z vboxsync $ */
2/** @file
3 * IPRT - Crypto - PKCS \#7, Signing
4 */
5
6/*
7 * Copyright (C) 2006-2022 Oracle Corporation
8 *
9 * This file is part of VirtualBox Open Source Edition (OSE), as
10 * available from http://www.virtualbox.org. This file is free software;
11 * you can redistribute it and/or modify it under the terms of the GNU
12 * General Public License (GPL) as published by the Free Software
13 * Foundation, in version 2 as it comes in the "COPYING" file of the
14 * VirtualBox OSE distribution. VirtualBox OSE is distributed in the
15 * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
16 *
17 * The contents of this file may alternatively be used under the terms
18 * of the Common Development and Distribution License Version 1.0
19 * (CDDL) only, as it comes in the "COPYING.CDDL" file of the
20 * VirtualBox OSE distribution, in which case the provisions of the
21 * CDDL are applicable instead of those of the GPL.
22 *
23 * You may elect to license modified versions of this file under the
24 * terms and conditions of either the GPL or the CDDL or both.
25 */
26
27
28/*********************************************************************************************************************************
29* Header Files *
30*********************************************************************************************************************************/
31#include "internal/iprt.h"
32#include <iprt/crypto/pkcs7.h>
33
34#include <iprt/err.h>
35#include <iprt/string.h>
36#include <iprt/crypto/digest.h>
37#include <iprt/crypto/key.h>
38#include <iprt/crypto/pkix.h>
39#include <iprt/crypto/store.h>
40#include <iprt/crypto/x509.h>
41
42#ifdef IPRT_WITH_OPENSSL
43# include "internal/iprt-openssl.h"
44# include "internal/openssl-pre.h"
45# include <openssl/pkcs7.h>
46# include <openssl/cms.h>
47# include <openssl/x509.h>
48# include <openssl/err.h>
49# include "internal/openssl-post.h"
50#endif
51
52
53/*********************************************************************************************************************************
54* Structures and Typedefs *
55*********************************************************************************************************************************/
56/**
57 * PKCS\#7 / CMS signing operation instance.
58 */
59typedef struct RTCRPKCS7SIGNINGJOBINT
60{
61 /** Magic value (RTCRPKCS7SIGNINGJOBINT). */
62 uint32_t u32Magic;
63 /** Reference counter. */
64 uint32_t volatile cRefs;
65 /** RTCRPKCS7SIGN_F_XXX. */
66 uint64_t fFlags;
67 /** Set if finalized. */
68 bool fFinallized;
69
70 //....
71} RTCRPKCS7SIGNINGJOBINT;
72
73/** Magic value for RTCRPKCS7SIGNINGJOBINT (Jonathan Lethem). */
74#define RTCRPKCS7SIGNINGJOBINT_MAGIC UINT32_C(0x19640219)
75
76/** Handle to PKCS\#7/CMS signing operation. */
77typedef struct RTCRPKCS7SIGNINGJOBINT *RTCRPKCS7SIGNINGJOB;
78/** Pointer to a PKCS\#7/CMS signing operation handle. */
79typedef RTCRPKCS7SIGNINGJOB *PRTCRPKCS7SIGNINGJOB;
80
81//// CMS_sign
82//RTDECL(int) RTCrPkcs7Sign(PRTCRPKCS7SIGNINGJOB *phJob, uint64_t fFlags, PCRTCRX509CERTIFICATE pSigner, RTCRKEY hPrivateKey,
83// RTCRSTORE hAdditionalCerts,
84//
85
86
87
88RTDECL(int) RTCrPkcs7SimpleSignSignedData(uint32_t fFlags, PCRTCRX509CERTIFICATE pSigner, RTCRKEY hPrivateKey,
89 void const *pvData, size_t cbData, RTDIGESTTYPE enmDigestType,
90 RTCRSTORE hAdditionalCerts, PCRTCRPKCS7ATTRIBUTES pAdditionalAuthenticatedAttribs,
91 void *pvResult, size_t *pcbResult, PRTERRINFO pErrInfo)
92{
93 size_t const cbResultBuf = *pcbResult;
94 *pcbResult = 0;
95 AssertReturn(!(fFlags & ~RTCRPKCS7SIGN_SD_F_VALID_MASK), VERR_INVALID_FLAGS);
96#ifdef IPRT_WITH_OPENSSL
97 AssertReturn((int)cbData >= 0 && (unsigned)cbData == cbData, VERR_TOO_MUCH_DATA);
98
99 /*
100 * Resolve the digest type.
101 */
102 const EVP_MD *pEvpMd = NULL;
103 if (enmDigestType != RTDIGESTTYPE_UNKNOWN)
104 {
105 pEvpMd = (const EVP_MD *)rtCrOpenSslConvertDigestType(enmDigestType, pErrInfo);
106 AssertReturn(pEvpMd, pErrInfo ? pErrInfo->rc : VERR_INVALID_PARAMETER);
107 }
108
109 /*
110 * Convert the private key.
111 */
112 EVP_PKEY *pEvpPrivateKey = NULL;
113 int rc = rtCrKeyToOpenSslKey(hPrivateKey, false /*fNeedPublic*/, (void **)&pEvpPrivateKey, pErrInfo);
114 if (RT_SUCCESS(rc))
115 {
116 /*
117 * Convert the signing certificate.
118 */
119 X509 *pOsslSigner = NULL;
120 rc = rtCrOpenSslConvertX509Cert((void **)&pOsslSigner, pSigner, pErrInfo);
121 if (RT_SUCCESS(rc))
122 {
123 /*
124 * Convert any additional certificates.
125 */
126 STACK_OF(X509) *pOsslAdditionalCerts = NULL;
127 if (hAdditionalCerts != NIL_RTCRSTORE)
128 rc = RTCrStoreConvertToOpenSslCertStack(hAdditionalCerts, 0 /*fFlags*/, (void **)&pOsslAdditionalCerts, pErrInfo);
129 if (RT_SUCCESS(rc))
130 {
131 /*
132 * Create a BIO for the data buffer.
133 */
134 BIO *pOsslData = BIO_new_mem_buf((void *)pvData, (int)cbData);
135 if (pOsslData)
136 {
137 /*
138 * Use CMS_sign with CMS_PARTIAL to start a extended the signing process.
139 */
140 /* Create a ContentInfo we can modify using CMS_sign w/ CMS_PARTIAL. */
141 unsigned int fOsslSign = CMS_BINARY | CMS_PARTIAL;
142 if (fFlags & RTCRPKCS7SIGN_SD_F_DEATCHED)
143 fOsslSign |= CMS_DETACHED;
144 if (fFlags & RTCRPKCS7SIGN_SD_F_NO_SMIME_CAP)
145 fOsslSign |= CMS_NOSMIMECAP;
146 CMS_ContentInfo *pCms = CMS_sign(NULL, NULL, pOsslAdditionalCerts, NULL, fOsslSign);
147 if (pCms != NULL)
148 {
149 /*
150 * Set encapsulated content type if present in the auth attribs.
151 */
152 uint32_t iAuthAttrSkip = UINT32_MAX;
153 for (uint32_t i = 0; i < pAdditionalAuthenticatedAttribs->cItems && RT_SUCCESS(rc); i++)
154 {
155 PCRTCRPKCS7ATTRIBUTE pAttrib = pAdditionalAuthenticatedAttribs->papItems[i];
156 if ( pAttrib->enmType == RTCRPKCS7ATTRIBUTETYPE_OBJ_IDS
157 && RTAsn1ObjId_CompareWithString(&pAttrib->Type, RTCR_PKCS9_ID_CONTENT_TYPE_OID) == 0)
158 {
159 AssertBreakStmt(pAttrib->uValues.pObjIds && pAttrib->uValues.pObjIds->cItems == 1,
160 rc = VERR_INTERNAL_ERROR_3);
161 PCRTASN1OBJID pObjId = pAttrib->uValues.pObjIds->papItems[0];
162 ASN1_OBJECT *pOsslObjId = OBJ_txt2obj(pObjId->szObjId, 0 /*no_name*/);
163 if (pOsslObjId)
164 {
165 rc = CMS_set1_eContentType(pCms, pOsslObjId);
166 ASN1_OBJECT_free(pOsslObjId);
167 if (rc < 0)
168 rc = RTErrInfoSetF(pErrInfo, VERR_CR_PKIX_GENERIC_ERROR,
169 "CMS_set1_eContentType(%s)", pObjId->szObjId);
170 }
171 else
172 rc = RTErrInfoSet(pErrInfo, VERR_NO_MEMORY, "OBJ_txt2obj");
173
174 iAuthAttrSkip = i;
175 break;
176 }
177 }
178 if (RT_SUCCESS(rc))
179 {
180 /*
181 * Add a signer.
182 */
183 CMS_SignerInfo *pSignerInfo = CMS_add1_signer(pCms, pOsslSigner, pEvpPrivateKey, pEvpMd, fOsslSign);
184 if (pSignerInfo)
185 {
186 /*
187 * Add additional attributes, skipping the content type if found above.
188 */
189 if (pAdditionalAuthenticatedAttribs)
190 for (uint32_t i = 0; i < pAdditionalAuthenticatedAttribs->cItems && RT_SUCCESS(rc); i++)
191 if (i != iAuthAttrSkip)
192 {
193 PCRTCRPKCS7ATTRIBUTE pAttrib = pAdditionalAuthenticatedAttribs->papItems[i];
194 X509_ATTRIBUTE *pOsslAttrib;
195 rc = rtCrOpenSslConvertPkcs7Attribute((void **)&pOsslAttrib, pAttrib, pErrInfo);
196 if (RT_SUCCESS(rc))
197 {
198 rc = CMS_signed_add1_attr(pSignerInfo, pOsslAttrib);
199 rtCrOpenSslFreeConvertedPkcs7Attribute((void **)pOsslAttrib);
200 if (rc <= 0)
201 rc = RTErrInfoSet(pErrInfo, VERR_NO_MEMORY, "CMS_signed_add1_attr");
202 }
203 }
204 if (RT_SUCCESS(rc))
205 {
206 /*
207 * Finalized and actually sign the data.
208 */
209 rc = CMS_final(pCms, pOsslData, NULL /*dcont*/, fOsslSign);
210 if (rc > 0)
211 {
212 /*
213 * Get the output and copy it into the result buffer.
214 */
215 BIO *pOsslResult = BIO_new(BIO_s_mem());
216 if (pOsslResult)
217 {
218 rc = i2d_CMS_bio(pOsslResult, pCms);
219 if (rc > 0)
220 {
221 BUF_MEM *pBuf = NULL;
222 rc = (int)BIO_get_mem_ptr(pOsslResult, &pBuf);
223 if (rc > 0)
224 {
225 AssertPtr(pBuf);
226 size_t const cbResult = pBuf->length;
227 if ( cbResultBuf >= cbResult
228 && pvResult != NULL)
229 {
230 memcpy(pvResult, pBuf->data, cbResult);
231 rc = VINF_SUCCESS;
232 }
233 else
234 rc = VERR_BUFFER_OVERFLOW;
235 *pcbResult = cbResult;
236 }
237 else
238 rc = RTErrInfoSet(pErrInfo, VERR_GENERAL_FAILURE, "BIO_get_mem_ptr");
239 }
240 else
241 rc = RTErrInfoSet(pErrInfo, VERR_GENERAL_FAILURE, "i2d_CMS_bio");
242 BIO_free(pOsslResult);
243 }
244 else
245 rc = RTErrInfoSet(pErrInfo, VERR_NO_MEMORY, "BIO_new/BIO_s_mem");
246 }
247 else
248 rc = RTErrInfoSet(pErrInfo, VERR_GENERAL_FAILURE, "CMS_final");
249 }
250 }
251 else
252 rc = RTErrInfoSet(pErrInfo, VERR_GENERAL_FAILURE, "CMS_add1_signer");
253 }
254 CMS_ContentInfo_free(pCms);
255 }
256 else
257 rc = RTErrInfoSet(pErrInfo, VERR_GENERAL_FAILURE, "CMS_sign");
258 BIO_free(pOsslData);
259 }
260 }
261 rtCrOpenSslFreeConvertedX509Cert(pOsslSigner);
262 }
263 EVP_PKEY_free(pEvpPrivateKey);
264 }
265 return rc;
266#else
267 RT_NOREF(fFlags, pSigner, hPrivateKey, pvData, cbData, enmDigestType, hAdditionalCerts, pAdditionalAuthenticatedAttribs,
268 pvResult, pErrInfo, cbResultBuf);
269 *pcbResult = 0;
270 return VERR_NOT_IMPLEMENTED;
271#endif
272}
273
Note: See TracBrowser for help on using the repository browser.

© 2025 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette