author | Shane Lontis <shane.lontis@oracle.com> | 2020-11-18 16:56:29 +1000 |
---|---|---|
committer | Shane Lontis <shane.lontis@oracle.com> | 2021-01-20 15:35:26 +1000 |
commit | 3e878d924f138f4a71c04628b57be75f1d45ef8e (patch) | |
tree | b30a318cd6e4c9991eaacb2a6c80ef8c32c006b6 /crypto/pkcs7 | |
parent | c972577684f8627267556f0bffa3c4035e9456e4 (diff) |
Remove pkey_downgrade from PKCS7 code
Fixes #12991
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13435)
Diffstat (limited to 'crypto/pkcs7')
-rw-r--r-- | crypto/pkcs7/pk7_lib.c | 78 |
1 files changed, 64 insertions, 14 deletions
diff --git a/crypto/pkcs7/pk7_lib.c b/crypto/pkcs7/pk7_lib.c
index 35a757062b..ad59417529 100644
--- a/crypto/pkcs7/pk7_lib.c
+++ b/crypto/pkcs7/pk7_lib.c
@@ -11,6 +11,7 @@
 #include "internal/cryptlib.h"
 #include <openssl/objects.h>
 #include <openssl/x509.h>
+#include <openssl/pkcs7.h>
 #include "crypto/asn1.h"
 #include "crypto/evp.h"
 #include "crypto/x509.h" /* for sk_X509_add1_cert() */
@@ -292,6 +293,39 @@ int PKCS7_add_crl(PKCS7 *p7, X509_CRL *crl)
 return 1;
 }
 
+static int pkcs7_ecdsa_or_dsa_sign_verify_setup(PKCS7_SIGNER_INFO *si,
+ int verify)
+{
+ if (verify == 0) {
+ int snid, hnid;
+ X509_ALGOR *alg1, *alg2;
+ EVP_PKEY *pkey = si->pkey;
+
+ PKCS7_SIGNER_INFO_get0_algs(si, NULL, &alg1, &alg2);
+ if (alg1 == NULL || alg1->algorithm == NULL)
+ return -1;
+ hnid = OBJ_obj2nid(alg1->algorithm);
+ if (hnid == NID_undef)
+ return -1;
+ if (!OBJ_find_sigid_by_algs(&snid, hnid, EVP_PKEY_id(pkey)))
+ return -1;
+ X509_ALGOR_set0(alg2, OBJ_nid2obj(snid), V_ASN1_UNDEF, 0);
+ }
+ return 1;
+}
+
+static int pkcs7_rsa_sign_verify_setup(PKCS7_SIGNER_INFO *si, int verify)
+{
+ if (verify == 0) {
+ X509_ALGOR *alg = NULL;
+
+ PKCS7_SIGNER_INFO_get0_algs(si, NULL, NULL, &alg);
+ if (alg != NULL)
+ X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption), V_ASN1_NULL, 0);
+ }
+ return 1;
+}
+
 int PKCS7_SIGNER_INFO_set(PKCS7_SIGNER_INFO *p7i, X509 *x509, EVP_PKEY *pkey,
 const EVP_MD *dgst)
 {
@@ -313,17 +347,6 @@ int PKCS7_SIGNER_INFO_set(PKCS7_SIGNER_INFO *p7i, X509 *x509, EVP_PKEY *pkey,
 ASN1_INTEGER_dup(X509_get0_serialNumber(x509))))
 goto err;
 
- /*
- * TODO(3.0) Adapt for provider-native keys
- * Meanwhile, we downgrade the key.
- * #legacy
- */
- if (!evp_pkey_downgrade(pkey)) {
- ERR_raise(ERR_LIB_PKCS7,
- PKCS7_R_SIGNING_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
- goto err;
- }
-
 /* lets keep the pkey around for a while */
 EVP_PKEY_up_ref(pkey);
 p7i->pkey = pkey;
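Review bot: In `pkcs7_ecdsa_or_dsa_sign_verify_setup()` the result of `X509_ALGOR_set0()` is discarded, so the helper returns 1 even when the signature algorithm identifier was not stored in the signer info. Ending the signing branch with `return X509_ALGOR_set0(alg2, OBJ_nid2obj(snid), V_ASN1_UNDEF, NULL);` would propagate that failure. `pkcs7_rsa_sign_verify_setup()` in the same hunk and `pkcs7_rsa_encrypt_decrypt_setup()` in the `@@ -526,6 +554,18 @@` hunk ignore the return value the same way. The last argument is a pointer, so `NULL` is clearer than `0` in all three calls.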
@@ -333,7 +356,12 @@ int PKCS7_SIGNER_INFO_set(PKCS7_SIGNER_INFO *p7i, X509 *x509, EVP_PKEY *pkey,
 X509_ALGOR_set0(p7i->digest_alg, OBJ_nid2obj(EVP_MD_type(dgst)),
 V_ASN1_NULL, NULL);
 
- if (pkey->ameth && pkey->ameth->pkey_ctrl) {
+ if (EVP_PKEY_is_a(pkey, "EC") || EVP_PKEY_is_a(pkey, "DSA"))
+ return pkcs7_ecdsa_or_dsa_sign_verify_setup(p7i, 0);
+ if (EVP_PKEY_is_a(pkey, "RSA"))
+ return pkcs7_rsa_sign_verify_setup(p7i, 0);
+
+ if (pkey->ameth != NULL && pkey->ameth->pkey_ctrl != NULL) {
 ret = pkey->ameth->pkey_ctrl(pkey, ASN1_PKEY_CTRL_PKCS7_SIGN, 0, p7i);
 if (ret > 0)
 return 1;
@@ -526,6 +554,18 @@ int PKCS7_add_recipient_info(PKCS7 *p7, PKCS7_RECIP_INFO *ri)
 return 1;
 }
 
+static int pkcs7_rsa_encrypt_decrypt_setup(PKCS7_RECIP_INFO *ri, int decrypt)
+{
+ X509_ALGOR *alg = NULL;
+
+ if (decrypt == 0) {
+ PKCS7_RECIP_INFO_get0_alg(ri, &alg);
+ if (alg != NULL)
+ X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption), V_ASN1_NULL, 0);
+ }
+ return 1;
+}
+
 int PKCS7_RECIP_INFO_set(PKCS7_RECIP_INFO *p7i, X509 *x509)
 {
 int ret;
@@ -542,8 +582,18 @@ int PKCS7_RECIP_INFO_set(PKCS7_RECIP_INFO *p7i, X509 *x509)
 return 0;
 
 pkey = X509_get0_pubkey(x509);
+ if (pkey == NULL)
+ return 0;
 
- if (!pkey || !pkey->ameth || !pkey->ameth->pkey_ctrl) {
+ if (EVP_PKEY_is_a(pkey, "RSA-PSS"))
+ return -2;
+ if (EVP_PKEY_is_a(pkey, "RSA")) {
+ if (pkcs7_rsa_encrypt_decrypt_setup(p7i, 0) <= 0)
+ goto err;
+ goto finished;
+ }
+
+ if (pkey->ameth == NULL || pkey->ameth->pkey_ctrl == NULL) {
 ERR_raise(ERR_LIB_PKCS7,
 PKCS7_R_ENCRYPTION_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);
 goto err;
@@ -559,7 +609,7 @@ int PKCS7_RECIP_INFO_set(PKCS7_RECIP_INFO *p7i, X509 *x509)
 ERR_raise(ERR_LIB_PKCS7, PKCS7_R_ENCRYPTION_CTRL_FAILURE);
 goto err;
 }
-
+finished:
 X509_up_ref(x509);
 p7i->cert = x509; |
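Review bot: The two new `return pkcs7_..._setup(p7i, 0);` statements hand the helper's value straight to the caller of `PKCS7_SIGNER_INFO_set()`, and the EC/DSA helper returns -1, with no error queued, when the digest NID is unknown or `OBJ_find_sigid_by_algs()` finds no match. The rest of the function is outside this hunk, so the following is inferred: if its other failure paths return 0 via `err:`, a caller that tests the result with `!` would take -1 for success and go on with a signer info whose signature algorithm was never set. Mapping the result, for example `if (pkcs7_ecdsa_or_dsa_sign_verify_setup(p7i, 0) <= 0) goto err;` followed by `return 1;`, with an `ERR_raise()` before the jump, keeps one failure value.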
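Review bot: `return -2` for an RSA-PSS key passes an internal sentinel out of `PKCS7_RECIP_INFO_set()` with no error queued, while the branch right below reports the unsupported-key case with `ERR_raise(ERR_LIB_PKCS7, PKCS7_R_ENCRYPTION_NOT_SUPPORTED_FOR_THIS_KEY_TYPE);` and `goto err;`. -2 is non-zero, so a caller that only tests for 0 would accept a recipient info that was never set up; using the same `ERR_raise` and `goto err` here would keep the rejection explicit. The added `if (pkey == NULL) return 0;` also returns without the error that the old combined check raised. The function starts and ends outside this hunk, so what `err:` returns is not visible here.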