Keep a not of original encoding in certificate requests.

Add new option to PKCS7_sign to exclude S/MIME capabilities.
author: Dr. Stephen Henson <steve@openssl.org> 2000-09-05 13:27:57 +0000
committer: Dr. Stephen Henson <steve@openssl.org> 2000-09-05 13:27:57 +0000
commit: 34216c04229ffaa564adb204cea87bc6b5ed4fb1 (patch)
tree: 0fa6e17df83bdd9d7014c0558a8bd846f255933f
parent: 22c7ea4068a137c221c3f3995e60642c962a2e42 (diff)
7 files changed, 49 insertions, 11 deletions
diff --git a/CHANGES b/CHANGES
index 4dbaca012f..a8cc5f11dc 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,17 @@
 
  Changes between 0.9.5a and 0.9.6  [xx XXX 2000]
 
+  *) Add new PKCS#7 signing option PKCS7_NOSMIMECAP which 
+     excludes S/MIME capabilities.
+     [Steve Henson]
+
+  *) When a certificate request is read in keep a copy of the
+     original encoding of the signed data and use it when outputing
+     again. Signatures then use the original encoding rather than
+     a decoded, encoded version which may cause problems if the
+     request is improperly encoded.
+     [Steve Henson]
+
   *) For consistency with other BIO_puts implementations, call
      buffer_write(b, ...) directly in buffer_puts instead of calling
      BIO_write(b, ...).
diff --git a/apps/smime.c b/apps/smime.c
index e380443d6c..25997feb6d 100644
--- a/apps/smime.c
+++ b/apps/smime.c
@@ -141,6 +141,8 @@ int MAIN(int argc, char **argv)
 				flags |= PKCS7_NOATTR;
 		else if (!strcmp (*args, "-nodetach")) 
 				flags &= ~PKCS7_DETACHED;
+		else if (!strcmp (*args, "-nosmimecap"))
+				flags |= PKCS7_NOSMIMECAP;
 		else if (!strcmp (*args, "-binary"))
 				flags |= PKCS7_BINARY;
 		else if (!strcmp (*args, "-nosigs"))
diff --git a/crypto/asn1/x_req.c b/crypto/asn1/x_req.c
index 0056009885..6dddd4f653 100644
--- a/crypto/asn1/x_req.c
+++ b/crypto/asn1/x_req.c
@@ -65,6 +65,14 @@ int i2d_X509_REQ_INFO(X509_REQ_INFO *a, unsigned char **pp)
 	{
 	M_ASN1_I2D_vars(a);
 
+	if(a->asn1) {
+		if(pp) {
+			memcpy(*pp, a->asn1, a->length);
+			*pp += a->length;
+		}
+		return a->length;
+	}
+
 	M_ASN1_I2D_len(a->version,		i2d_ASN1_INTEGER);
 	M_ASN1_I2D_len(a->subject,		i2d_X509_NAME);
 	M_ASN1_I2D_len(a->pubkey,		i2d_X509_PUBKEY);
@@ -152,6 +160,7 @@ X509_REQ_INFO *X509_REQ_INFO_new(void)
 	M_ASN1_New(ret->pubkey,X509_PUBKEY_new);
 	M_ASN1_New(ret->attributes,sk_X509_ATTRIBUTE_new_null);
 	ret->req_kludge=0;
+	ret->asn1 = NULL;
 	return(ret);
 	M_ASN1_New_Error(ASN1_F_X509_REQ_INFO_NEW);
 	}
@@ -159,6 +168,7 @@ X509_REQ_INFO *X509_REQ_INFO_new(void)
 void X509_REQ_INFO_free(X509_REQ_INFO *a)
 	{
 	if (a == NULL) return;
+	if(a->asn1) OPENSSL_free(a->asn1);
 	M_ASN1_INTEGER_free(a->version);
 	X509_NAME_free(a->subject);
 	X509_PUBKEY_free(a->pubkey);
@@ -189,6 +199,17 @@ X509_REQ *d2i_X509_REQ(X509_REQ **a, unsigned char **pp, long length)
 	M_ASN1_D2I_Init();
 	M_ASN1_D2I_start_sequence();
 	M_ASN1_D2I_get(ret->req_info,d2i_X509_REQ_INFO);
+
+	/* Keep a copy of the original encoding for signature checking */
+	ret->req_info->length = c.p - c.q;
+	if(!(ret->req_info->asn1 = OPENSSL_malloc(ret->req_info->length))) {
+		c.line=__LINE__;
+		c.error = ERR_R_MALLOC_FAILURE;
+		goto err;
+	}
+
+	memcpy(ret->req_info->asn1, c.q, ret->req_info->length);
+
 	M_ASN1_D2I_get(ret->sig_alg,d2i_X509_ALGOR);
 	M_ASN1_D2I_get(ret->signature,d2i_ASN1_BIT_STRING);
 	M_ASN1_D2I_Finish(a,X509_REQ_free,ASN1_F_D2I_X509_REQ);
diff --git a/crypto/pkcs7/pk7_smime.c b/crypto/pkcs7/pk7_smime.c
index 225fc63da0..19e0b28a39 100644
--- a/crypto/pkcs7/pk7_smime.c
+++ b/crypto/pkcs7/pk7_smime.c
@@ -109,6 +109,8 @@ PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs,
 		PKCS7_add_signed_attribute(si, NID_pkcs9_contentType,
 				V_ASN1_OBJECT, OBJ_nid2obj(NID_pkcs7_data));
 		/* Add SMIMECapabilities */
+		if(!(flags & PKCS7_NOSMIMECAP))
+		{
 		if(!(smcap = sk_X509_ALGOR_new(NULL))) {
 			PKCS7err(PKCS7_F_PKCS7_SIGN,ERR_R_MALLOC_FAILURE);
 			return NULL;
@@ -128,6 +130,7 @@ PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs,
 #endif
 		PKCS7_add_attrib_smimecap (si, smcap);
 		sk_X509_ALGOR_pop_free(smcap, X509_ALGOR_free);
+		}
 	}
 
 	if(flags & PKCS7_DETACHED)PKCS7_set_detached(p7, 1);
diff --git a/crypto/pkcs7/pkcs7.h b/crypto/pkcs7/pkcs7.h
index ac46c8dd15..556e84cf21 100644
--- a/crypto/pkcs7/pkcs7.h
+++ b/crypto/pkcs7/pkcs7.h
@@ -247,15 +247,16 @@ DECLARE_PKCS12_STACK_OF(PKCS7)
 
 /* S/MIME related flags */
 
-#define PKCS7_TEXT	0x1
-#define PKCS7_NOCERTS	0x2
-#define PKCS7_NOSIGS	0x4
-#define PKCS7_NOCHAIN	0x8
-#define PKCS7_NOINTERN	0x10
-#define PKCS7_NOVERIFY	0x20
-#define PKCS7_DETACHED	0x40
-#define PKCS7_BINARY	0x80
-#define PKCS7_NOATTR	0x100
+#define PKCS7_TEXT		0x1
+#define PKCS7_NOCERTS		0x2
+#define PKCS7_NOSIGS		0x4
+#define PKCS7_NOCHAIN		0x8
+#define PKCS7_NOINTERN		0x10
+#define PKCS7_NOVERIFY		0x20
+#define PKCS7_DETACHED		0x40
+#define PKCS7_BINARY		0x80
+#define PKCS7_NOATTR		0x100
+#define	PKCS7_NOSMIMECAP	0x200
 
 /* Flags: for compatibility with older code */
 
diff --git a/crypto/x509/x509.h b/crypto/x509/x509.h
index 7808b6a112..9768754fa7 100644
--- a/crypto/x509/x509.h
+++ b/crypto/x509/x509.h
@@ -213,6 +213,8 @@ DECLARE_ASN1_SET_OF(X509_ATTRIBUTE)
 
 typedef struct X509_req_info_st
 	{
+	unsigned char *asn1;
+	int length;
 	ASN1_INTEGER *version;
 	X509_NAME *subject;
 	X509_PUBKEY *pubkey;
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 5fd93ecd48..1483fad19a 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1846,8 +1846,6 @@ int ssl_init_wbio_buffer(SSL *s,int push)
 
 void ssl_free_wbio_buffer(SSL *s)
 	{
-	BIO *under;
-
 	if (s->bbio == NULL) return;
 
 	if (s->bbio == s->wbio)
author	Dr. Stephen Henson <steve@openssl.org>	2000-09-05 13:27:57 +0000
committer	Dr. Stephen Henson <steve@openssl.org>	2000-09-05 13:27:57 +0000
commit	34216c04229ffaa564adb204cea87bc6b5ed4fb1 (patch)
tree	0fa6e17df83bdd9d7014c0558a8bd846f255933f
parent	22c7ea4068a137c221c3f3995e60642c962a2e42 (diff)