From 63b64f19c13d59d68dc2e525f454aea62a739842 Mon Sep 17 00:00:00 2001
From: "Dr. David von Oheimb"
Date: Fri, 12 Mar 2021 19:45:40 +0100
Subject: TS and CMS CAdES-BES: Refactor check_signing_certs() funcs into common ESS func

Also constify related CMS/PKCS7 functions and improve error codes thrown.

Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/14503)
---
 include/crypto/cms.h | 4 ++--
 include/crypto/ess.h | 14 ++++++--------
 include/crypto/esserr.h | 2 +-
 include/openssl/cms.h.in | 3 ++-
 include/openssl/cmserr.h | 1 -
 include/openssl/esserr.h | 6 ++++++
 include/openssl/pkcs7.h.in | 4 ++--
 7 files changed, 19 insertions(+), 15 deletions(-)
(limited to 'include')

diff --git a/include/crypto/cms.h b/include/crypto/cms.h
index f1cf6bd6bf..fe1aed0c09 100644
--- a/include/crypto/cms.h
+++ b/include/crypto/cms.h
@@ -18,9 +18,9 @@
 int ossl_cms_add1_signing_cert(CMS_SignerInfo *si, ESS_SIGNING_CERT *sc);
 int ossl_cms_add1_signing_cert_v2(CMS_SignerInfo *si, ESS_SIGNING_CERT_V2 *sc);
-int ossl_cms_signerinfo_get_signing_cert_v2(CMS_SignerInfo *si,
+int ossl_cms_signerinfo_get_signing_cert_v2(const CMS_SignerInfo *si,
                                             ESS_SIGNING_CERT_V2 **psc);
-int ossl_cms_signerinfo_get_signing_cert(CMS_SignerInfo *si,
+int ossl_cms_signerinfo_get_signing_cert(const CMS_SignerInfo *si,
                                          ESS_SIGNING_CERT **psc);
 # endif /* OPENSSL_NO_CMS */
diff --git a/include/crypto/ess.h b/include/crypto/ess.h
index 099e3de9a5..1961e39067 100644
--- a/include/crypto/ess.h
+++ b/include/crypto/ess.h
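Review bot: The constified `ossl_cms_signerinfo_get_signing_cert_v2` and `ossl_cms_signerinfo_get_signing_cert` prototypes still carry no contract for the `psc` out-parameter or the int return: a reader cannot tell from the header whether `*psc` is newly allocated (caller frees) or borrowed from `si`, nor what 0 versus 1 (or a negative value) means. A one-line comment above each declaration in the file's existing style would close that gap, for example `/* Sets *psc to the signer's ESS signing-cert attribute; see the implementation for ownership and return convention */` adjusted to what the implementation, which is outside this chunk, actually does. Since `si` is now const, the implementation presumably depends on the constified `CMS_signed_get0_data_by_OBJ` from the cms.h.in hunk in this same commit; that should be confirmed, as otherwise the const would have to be cast away.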
@@ -13,14 +13,14 @@
 /* internal ESS related stuff */
-ESS_SIGNING_CERT *ossl_ess_signing_cert_get(PKCS7_SIGNER_INFO *si);
+ESS_SIGNING_CERT *ossl_ess_get_signing_cert(const PKCS7_SIGNER_INFO *si);
 int ossl_ess_signing_cert_add(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT *sc);
 ESS_SIGNING_CERT *ossl_ess_signing_cert_new_init(X509 *signcert,
                                                  STACK_OF(X509) *certs,
                                                  int issuer_needed);
-ESS_SIGNING_CERT_V2 *ossl_ess_signing_cert_v2_get(PKCS7_SIGNER_INFO *si);
+ESS_SIGNING_CERT_V2 *ossl_ess_get_signing_cert_v2(const PKCS7_SIGNER_INFO *si);
 int ossl_ess_signing_cert_v2_add(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT_V2 *sc);
 ESS_SIGNING_CERT_V2 *ossl_ess_signing_cert_v2_new_init(const EVP_MD *hash_alg,
@@ -28,12 +28,10 @@ ESS_SIGNING_CERT_V2 *ossl_ess_signing_cert_v2_new_init(const EVP_MD *hash_alg,
                                                        STACK_OF(X509) *certs,
                                                        int issuer_needed);
 
-/* Returns < 0 if certificate is not found, certificate index otherwise. */
-int ossl_ess_find_cert_v2(const STACK_OF(ESS_CERT_ID_V2) *cert_ids,
-                          const X509 *cert);
-int ossl_ess_find_cert(const STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert);
-int ossl_ess_find_cid(const STACK_OF(X509) *certs,
-                      ESS_CERT_ID *cid, ESS_CERT_ID_V2 *cid_v2);
+int ossl_ess_check_signing_certs(const ESS_SIGNING_CERT *ss,
+                                 const ESS_SIGNING_CERT_V2 *ssv2,
+                                 const STACK_OF(X509) *chain,
+                                 int require_signing_cert);
 
 /*-
  * IssuerSerial ::= SEQUENCE {
diff --git a/include/crypto/esserr.h b/include/crypto/esserr.h
index d253356a90..a87d4fabce 100644
--- a/include/crypto/esserr.h
+++ b/include/crypto/esserr.h
@@ -1,6 +1,6 @@
 /*
  * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License"). You may not use
  * this file except in compliance with the License. You can obtain a copy
diff --git a/include/openssl/cms.h.in b/include/openssl/cms.h.in
index 5ffd3b4405..e2912b47cc 100644
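Review bot: The new `ossl_ess_check_signing_certs` declaration removes the only return-value comment in this block (`Returns < 0 if certificate is not found, certificate index otherwise.`) without supplying one of its own, and its parameters are not self-explanatory: whether `ss` and `ssv2` may each be NULL, what `chain` must contain and in which order (the ESS_R_ESS_CERT_ID_WRONG_ORDER code added elsewhere in this commit suggests order matters), and what `require_signing_cert` enforces. Because TS and CMS verification both branch on this result, a comment in the file's `/*- ... */` style stating the return convention, the NULL rules, and that with `require_signing_cert` set the absence of both attributes is reported as an error rather than treated as a pass would keep the two callers from diverging; the new `ESS_R_MISSING_SIGNING_CERTIFICATE_ATTRIBUTE` reason code points to that intent, but confirm against the implementation, which is not in this chunk. The blank-line counts in the hunk header are consistent with the layout shown here, so the prototype placement itself looks right.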
--- a/include/openssl/cms.h.in
+++ b/include/openssl/cms.h.in
@@ -310,7 +310,8 @@ int CMS_signed_add1_attr_by_NID(CMS_SignerInfo *si,
 int CMS_signed_add1_attr_by_txt(CMS_SignerInfo *si,
                                 const char *attrname, int type,
                                 const void *bytes, int len);
-void *CMS_signed_get0_data_by_OBJ(CMS_SignerInfo *si, const ASN1_OBJECT *oid,
+void *CMS_signed_get0_data_by_OBJ(const CMS_SignerInfo *si,
+                                  const ASN1_OBJECT *oid,
                                   int lastpos, int type);
 
 int CMS_unsigned_get_attr_count(const CMS_SignerInfo *si);
diff --git a/include/openssl/cmserr.h b/include/openssl/cmserr.h
index 418e8baff9..1c4f4c799d 100644
--- a/include/openssl/cmserr.h
+++ b/include/openssl/cmserr.h
@@ -49,7 +49,6 @@
 # define CMS_R_ERROR_READING_MESSAGEDIGEST_ATTRIBUTE 114
 # define CMS_R_ERROR_SETTING_KEY 115
 # define CMS_R_ERROR_SETTING_RECIPIENTINFO 116
-# define CMS_R_ESS_NO_SIGNING_CERTID_ATTRIBUTE 182
 # define CMS_R_ESS_SIGNING_CERTID_MISMATCH_ERROR 183
 # define CMS_R_INVALID_ENCRYPTED_KEY_LENGTH 117
 # define CMS_R_INVALID_KEY_ENCRYPTION_PARAMETER 176
diff --git a/include/openssl/esserr.h b/include/openssl/esserr.h
index 2eb82c1eb7..0b9e89e4cb 100644
--- a/include/openssl/esserr.h
+++ b/include/openssl/esserr.h
@@ -21,8 +21,14 @@
 /*
  * ESS reason codes.
  */
+# define ESS_R_EMPTY_ESS_CERT_ID_LIST 107
+# define ESS_R_ESS_CERT_DIGEST_ERROR 103
+# define ESS_R_ESS_CERT_ID_NOT_FOUND 104
+# define ESS_R_ESS_CERT_ID_WRONG_ORDER 105
+# define ESS_R_ESS_DIGEST_ALG_UNKNOWN 106
 # define ESS_R_ESS_SIGNING_CERTIFICATE_ERROR 102
 # define ESS_R_ESS_SIGNING_CERT_ADD_ERROR 100
 # define ESS_R_ESS_SIGNING_CERT_V2_ADD_ERROR 101
+# define ESS_R_MISSING_SIGNING_CERTIFICATE_ATTRIBUTE 108
 
 #endif
diff --git a/include/openssl/pkcs7.h.in b/include/openssl/pkcs7.h.in
index df53acc2a1..87dda54115 100644
--- a/include/openssl/pkcs7.h.in
+++ b/include/openssl/pkcs7.h.in
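Review bot: `CMS_signed_get0_data_by_OBJ` now takes `const CMS_SignerInfo *si` but still returns a non-const `void *` into that object, so the const qualifier promises callers more than the signature enforces; the same applies to `PKCS7_get_attribute` and `PKCS7_get_signed_attribute` in the pkcs7.h.in hunk, which return a mutable `ASN1_TYPE *` from a const signer info. This follows OpenSSL's existing get0 convention and is probably acceptable, but the public header should then state the ownership rule explicitly so that nobody frees or mutates the attribute through the returned pointer. A one-line comment above the declaration such as `/* Returned pointer is owned by |si| and must not be modified or freed */` would make that contract visible where the const was added.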
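Review bot: Deleting `CMS_R_ESS_NO_SIGNING_CERTID_ATTRIBUTE` from the public header include/openssl/cmserr.h is an API-visible change: code that references the macro no longer compiles, and code that compares `ERR_GET_REASON()` against it will no longer match, because the condition is presumably now reported under the ESS library as `ESS_R_MISSING_SIGNING_CERTIFICATE_ATTRIBUTE` (added in the esserr.h hunk of this commit). A verifier that keyed its handling of a missing signing-certificate attribute on the old CMS reason code would silently take a different branch after this change, which matters because that attribute is what binds the signature to a specific certificate. If the release line carrying this header has not shipped, the removal is fine but the moved error library and reason should be called out in CHANGES; otherwise keep the old define (unused) for source compatibility. Either way the number 182 should not be reassigned to a different reason by mkerr.pl later, since that would make logged error codes ambiguous across versions.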
@@ -304,8 +304,8 @@ int PKCS7_add_signed_attribute(PKCS7_SIGNER_INFO *p7si, int nid, int type,
                                void *data);
 int PKCS7_add_attribute(PKCS7_SIGNER_INFO *p7si, int nid, int atrtype,
                         void *value);
-ASN1_TYPE *PKCS7_get_attribute(PKCS7_SIGNER_INFO *si, int nid);
-ASN1_TYPE *PKCS7_get_signed_attribute(PKCS7_SIGNER_INFO *si, int nid);
+ASN1_TYPE *PKCS7_get_attribute(const PKCS7_SIGNER_INFO *si, int nid);
+ASN1_TYPE *PKCS7_get_signed_attribute(const PKCS7_SIGNER_INFO *si, int nid);
 int PKCS7_set_signed_attributes(PKCS7_SIGNER_INFO *p7si,
                                 STACK_OF(X509_ATTRIBUTE) *sk);
 int PKCS7_set_attributes(PKCS7_SIGNER_INFO *p7si,
-- 
cgit v1.2.3