diff options
| author | Tobias Brunner <tobias@strongswan.org> | 2012-05-04 12:50:21 +0200 |
|---|---|---|
| committer | Tobias Brunner <tobias@strongswan.org> | 2012-06-11 17:09:19 +0200 |
| commit | 07f0abd7acd5e731705eae45f77c55ed5b53eaa0 (patch) | |
| tree | b450c27ee9e3c54a54dd9fe24f3cbabb8625f5b3 | |
| parent | fd03443f42d525e84f4719eb5d412a217556470b (diff) | |
| download | strongswan-07f0abd7acd5e731705eae45f77c55ed5b53eaa0.tar.bz2 strongswan-07f0abd7acd5e731705eae45f77c55ed5b53eaa0.tar.xz | |
Updated PKCS#7 parser/generator in libstrongswan.
Added some functionality from pluto's version, updated usage of asn1
and crypto primitives. It does compile but is not really tested yet.
| -rw-r--r-- | src/libstrongswan/Android.mk | 1 | ||||
| -rw-r--r-- | src/libstrongswan/Makefile.am | 1 | ||||
| -rw-r--r-- | src/libstrongswan/crypto/pkcs7.c | 404 | ||||
| -rw-r--r-- | src/libstrongswan/crypto/pkcs7.h | 21 |
4 files changed, 226 insertions, 201 deletions
diff --git a/src/libstrongswan/Android.mk b/src/libstrongswan/Android.mk index 24d99784e..77b0fa99e 100644 --- a/src/libstrongswan/Android.mk +++ b/src/libstrongswan/Android.mk @@ -15,6 +15,7 @@ asn1/oid.c asn1/oid.h \ bio/bio_reader.h bio/bio_reader.c bio/bio_writer.h bio/bio_writer.c \ crypto/crypters/crypter.c crypto/crypters/crypter.h \ crypto/hashers/hasher.h crypto/hashers/hasher.c \ +crypto/pkcs7.c crypto/pkcs7.h \ crypto/pkcs9.c crypto/pkcs9.h \ crypto/proposal/proposal_keywords.c crypto/proposal/proposal_keywords.h \ crypto/prfs/prf.c crypto/prfs/prf.h \ diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am index 514d3f1a4..af11f11e2 100644 --- a/src/libstrongswan/Makefile.am +++ b/src/libstrongswan/Makefile.am @@ -13,6 +13,7 @@ asn1/oid.c asn1/oid.h \ bio/bio_reader.h bio/bio_reader.c bio/bio_writer.h bio/bio_writer.c \ crypto/crypters/crypter.c crypto/crypters/crypter.h \ crypto/hashers/hasher.h crypto/hashers/hasher.c \ +crypto/pkcs7.c crypto/pkcs7.h \ crypto/pkcs9.c crypto/pkcs9.h \ crypto/proposal/proposal_keywords.c crypto/proposal/proposal_keywords.h \ crypto/prfs/prf.c crypto/prfs/prf.h \ diff --git a/src/libstrongswan/crypto/pkcs7.c b/src/libstrongswan/crypto/pkcs7.c index a4d0e71fe..a69242ca7 100644 --- a/src/libstrongswan/crypto/pkcs7.c +++ b/src/libstrongswan/crypto/pkcs7.c @@ -1,7 +1,7 @@ /* - * Copyright (C) 2005 Jan Hutter, Martin Willi + * Copyright (C) 2012 Tobias Brunner * Copyright (C) 2002-2008 Andreas Steffen - * + * Copyright (C) 2005 Jan Hutter, Martin Willi * Hochschule fuer Technik Rapperswil, Switzerland * * This program is free software; you can redistribute it and/or modify it @@ -17,9 +17,10 @@ #include <stdlib.h> #include <string.h> +#include <time.h> #include <library.h> -#include "debug.h" +#include <debug.h> #include <asn1/oid.h> #include <asn1/asn1.h> @@ -29,7 +30,6 @@ #include <crypto/pkcs9.h> #include <crypto/hashers/hasher.h> #include <crypto/crypters/crypter.h> - #include <utils/linked_list.h> #include "pkcs7.h" @@ -81,46 +81,6 @@ struct private_pkcs7_t { linked_list_t *certs; }; -/** - * PKCS7 contentInfo OIDs - */ -static chunk_t ASN1_pkcs7_data_oid = chunk_from_chars( - 0x06, 0x09, - 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x01 -); -static chunk_t ASN1_pkcs7_signed_data_oid = chunk_from_chars( - 0x06, 0x09, - 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02 -); -static chunk_t ASN1_pkcs7_enveloped_data_oid = chunk_from_chars( - 0x06, 0x09, - 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x03 -); -static chunk_t ASN1_pkcs7_signed_enveloped_data_oid = chunk_from_chars( - 0x06, 0x09, - 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x04 -); -static chunk_t ASN1_pkcs7_digested_data_oid = chunk_from_chars( - 0x06, 0x09, - 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x05 -); -static chunk_t ASN1_pkcs7_encrypted_data_oid = chunk_from_chars( - 0x06, 0x09, - 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x06 -); - -/** - * 3DES and DES encryption OIDs - */ -static const chunk_t ASN1_3des_ede_cbc_oid = chunk_from_chars( - 0x06, 0x08, - 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x03, 0x07 -); -static const chunk_t ASN1_des_cbc_oid = chunk_from_chars( - 0x06, 0x05, - 0x2B, 0x0E, 0x03, 0x02, 0x07 -); - METHOD(pkcs7_t, is_data, bool, private_pkcs7_t *this) { @@ -147,7 +107,7 @@ static bool abort_parsing(private_pkcs7_t *this, int type) if (this->type != type) { DBG1(DBG_LIB, "pkcs7 content to be parsed is not of type '%s'", - oid_names[type]); + oid_names[type].name); return TRUE; } if (this->parsed) @@ -178,10 +138,7 @@ METHOD(pkcs7_t, parse_data, bool, this->data = chunk_clone(data); return TRUE; } - else - { - return FALSE; - } + return FALSE; } /** @@ -219,10 +176,12 @@ static const asn1Object_t signedDataObjects[] = { { 1, "end loop", ASN1_EOC, ASN1_END }, /* 25 */ { 0, "exit", ASN1_EOC, ASN1_EXIT } }; +#define PKCS7_SIGNED_VERSION 1 #define PKCS7_DIGEST_ALG 3 #define PKCS7_SIGNED_CONTENT_INFO 5 #define PKCS7_SIGNED_CERT 7 #define PKCS7_SIGNER_INFO 13 +#define PKCS7_SIGNER_INFO_VERSION 14 #define PKCS7_SIGNED_ISSUER 16 #define PKCS7_SIGNED_SERIAL_NUMBER 17 #define PKCS7_DIGEST_ALGORITHM 18 @@ -231,11 +190,11 @@ static const asn1Object_t signedDataObjects[] = { #define PKCS7_ENCRYPTED_DIGEST 22 METHOD(pkcs7_t, parse_signedData, bool, - private_pkcs7_t *this, x509_t *cacert) + private_pkcs7_t *this, certificate_t *cacert) { asn1_parser_t *parser; chunk_t object; - int objectID; + int objectID, version; int digest_alg = OID_UNKNOWN; int enc_alg = OID_UNKNOWN; int signerInfos = 0; @@ -257,6 +216,10 @@ METHOD(pkcs7_t, parse_signedData, bool, switch (objectID) { + case PKCS7_SIGNED_VERSION: + version = object.len ? (int)*object.ptr : 0; + DBG2(DBG_LIB, " v%d", version); + break; case PKCS7_DIGEST_ALG: digest_alg = asn1_parse_algorithmIdentifier(object, level, NULL); break; @@ -275,17 +238,22 @@ METHOD(pkcs7_t, parse_signedData, bool, goto end; } pureData = data->get_data(data); - this->data = (pureData.len)? chunk_clone(pureData) : chunk_empty; + this->data = (pureData.len) ? chunk_clone(pureData) : chunk_empty; data->destroy(data); break; } case PKCS7_SIGNED_CERT: { - x509_t *cert = x509_create_from_chunk(chunk_clone(object), level+1); + certificate_t *cert; + DBG2(DBG_LIB, " parsing pkcs7-wrapped certificate"); + cert = lib->creds->create(lib->creds, + CRED_CERTIFICATE, CERT_X509, + BUILD_BLOB_ASN1_DER, object, + BUILD_END); if (cert) { - this->certs->insert_last(this->certs, (void*)cert); + this->certs->insert_last(this->certs, cert); } break; } @@ -293,6 +261,10 @@ METHOD(pkcs7_t, parse_signedData, bool, signerInfos++; DBG2(DBG_LIB, " signer #%d", signerInfos); break; + case PKCS7_SIGNER_INFO_VERSION: + version = object.len ? (int)*object.ptr : 0; + DBG2(DBG_LIB, " v%d", version); + break; case PKCS7_SIGNED_ISSUER: { identification_t *issuer; @@ -308,10 +280,10 @@ METHOD(pkcs7_t, parse_signedData, bool, *object.ptr = ASN1_CONTEXT_C_0; break; case PKCS7_DIGEST_ALGORITHM: - digest_alg = parse_algorithmIdentifier(object, level, NULL); + digest_alg = asn1_parse_algorithmIdentifier(object, level, NULL); break; case PKCS7_DIGEST_ENC_ALGORITHM: - enc_alg = parse_algorithmIdentifier(object, level, NULL); + enc_alg = asn1_parse_algorithmIdentifier(object, level, NULL); break; case PKCS7_ENCRYPTED_DIGEST: encrypted_digest = object; @@ -329,9 +301,15 @@ end: /* check the signature only if a cacert is available */ if (cacert != NULL) { - hash_algorithm_t algorithm = hasher_algorithm_from_oid(digest_alg); - rsa_public_key_t *signer = cacert->get_public_key(cacert); + signature_scheme_t scheme; + public_key_t *key; + scheme = signature_scheme_from_oid(digest_alg); + if (scheme == SIGN_UNKNOWN) + { + DBG1(DBG_LIB, "unsupported signature scheme"); + return FALSE; + } if (signerInfos == 0) { DBG1(DBG_LIB, "no signerInfo object found"); @@ -352,20 +330,32 @@ end: DBG1(DBG_LIB, "only RSA digest encryption supported"); return FALSE; } - if (signer->verify_emsa_pkcs1_signature(signer, algorithm, - this->attributes->get_encoding(this->attributes), encrypted_digest) != SUCCESS) + + /* verify the signature */ + key = cacert->get_public_key(cacert); + if (key == NULL) { - DBG1(DBG_LIB, "invalid digest signature"); + DBG1(DBG_LIB, "no public key found in CA certificate"); return FALSE; } + if (key->verify(key, scheme, + this->attributes->get_encoding(this->attributes), encrypted_digest)) + { + DBG2(DBG_LIB, "signature is valid"); + } else { - DBG2(DBG_LIB, "digest signature is valid"); + DBG1(DBG_LIB, "invalid signature"); + key->destroy(key); + return FALSE; } + key->destroy(key); + if (this->data.ptr != NULL) { - chunk_t messageDigest = this->attributes->get_messageDigest(this->attributes); + chunk_t messageDigest; + messageDigest = this->attributes->get_messageDigest(this->attributes); if (messageDigest.ptr == NULL) { DBG1(DBG_LIB, "messageDigest attribute not found"); @@ -373,11 +363,13 @@ end: } else { + hash_algorithm_t algorithm; hasher_t *hasher; chunk_t hash; bool valid; - hasher = lib->crypto->create_hasher(lib->crypto, algorithm) + algorithm = hasher_algorithm_from_oid(digest_alg); + hasher = lib->crypto->create_hasher(lib->crypto, algorithm); if (hasher == NULL) { DBG1(DBG_LIB, "hash algorithm %N not supported", @@ -438,12 +430,12 @@ static const asn1Object_t envelopedDataObjects[] = { #define PKCS7_CONTENT_ENC_ALGORITHM 13 #define PKCS7_ENCRYPTED_CONTENT 14 -METHOD(parse_envelopedData, bool, - private_pkcs7_t *this, chunk_t serialNumber, rsa_private_key_t *key) +METHOD(pkcs7_t, parse_envelopedData, bool, + private_pkcs7_t *this, chunk_t serialNumber, private_key_t *key) { asn1_parser_t *parser; chunk_t object; - int objectID; + int objectID, version; bool success = FALSE; chunk_t iv = chunk_empty; @@ -462,100 +454,127 @@ METHOD(parse_envelopedData, bool, while (parser->iterate(parser, &objectID, &object)) { + u_int level = parser->get_level(parser); + switch (objectID) { case PKCS7_ENVELOPED_VERSION: - if (*object.ptr != 0) + { + version = object.len ? (int)*object.ptr : 0; + DBG2(DBG_LIB, " v%d", version); + if (version != 0) { DBG1(DBG_LIB, "envelopedData version is not 0"); goto end; } break; + } case PKCS7_RECIPIENT_INFO_VERSION: - if (*object.ptr != 0) + { + version = object.len ? (int)*object.ptr : 0; + DBG2(DBG_LIB, " v%d", version); + if (version != 0) { DBG1(DBG_LIB, "recipient info version is not 0"); goto end; } break; + } case PKCS7_ISSUER: - { - identification_t *issuer; + { + identification_t *issuer; - issuer = identification_create_from_encoding(ID_DER_ASN1_DN, object); - DBG2(DBG_LIB, " '%Y'", issuer); - issuer->destroy(issuer); - } + issuer = identification_create_from_encoding(ID_DER_ASN1_DN, + object); + DBG2(DBG_LIB, " '%Y'", issuer); + issuer->destroy(issuer); break; + } case PKCS7_SERIAL_NUMBER: + { if (!chunk_equals(serialNumber, object)) { DBG1(DBG_LIB, "serial numbers do not match"); goto end; } break; + } case PKCS7_ENCRYPTION_ALG: - { - int alg = parse_algorithmIdentifier(object, level, NULL); + { + int alg; - if (alg != OID_RSA_ENCRYPTION) - { - DBG1(DBG_LIB, "only rsa encryption supported"); - goto end; - } + alg = asn1_parse_algorithmIdentifier(object, level, NULL); + if (alg != OID_RSA_ENCRYPTION) + { + DBG1(DBG_LIB, "only rsa encryption supported"); + goto end; } break; + } case PKCS7_ENCRYPTED_KEY: - if (key->pkcs1_decrypt(key, object, &symmetric_key) != SUCCESS) + { + if (!key->decrypt(key, ENCRYPT_RSA_PKCS1, object, &symmetric_key)) { DBG1(DBG_LIB, "symmetric key could not be decrypted with rsa"); goto end; } - DBG4(DBG_LIB, "symmetric key : %B", &symmetric_key); + DBG4(DBG_LIB, "symmetric key %B", &symmetric_key); break; + } case PKCS7_CONTENT_TYPE: - if (known_oid(object) != OID_PKCS7_DATA) + { + if (asn1_known_oid(object) != OID_PKCS7_DATA) { DBG1(DBG_LIB, "encrypted content not of type pkcs7 data"); goto end; } break; + } case PKCS7_CONTENT_ENC_ALGORITHM: + { + encryption_algorithm_t enc_alg; + size_t key_size; + int alg; + + alg = asn1_parse_algorithmIdentifier(object, level, &iv); + enc_alg = encryption_algorithm_from_oid(alg, &key_size); + if (enc_alg == ENCR_UNDEFINED) { - int alg = parse_algorithmIdentifier(object, level, &iv); - - switch (alg) - { - case OID_DES_CBC: - crypter = crypter_create(ENCR_DES, 0); - break; - case OID_3DES_EDE_CBC: - crypter = crypter_create(ENCR_3DES, 0); - break; - default: - DBG1(DBG_LIB, "Only DES and 3DES supported for symmetric encryption"); - goto end; - } - if (symmetric_key.len != crypter->get_key_size(crypter)) - { - DBG1(DBG_LIB, "symmetric key has wrong length"); - goto end; - } - if (!parse_asn1_simple_object(&iv, ASN1_OCTET_STRING, level+1, "IV")) - { - DBG1(DBG_LIB, "IV could not be parsed"); - goto end; - } - if (iv.len != crypter->get_iv_size(crypter)) - { - DBG1(DBG_LIB, "IV has wrong length"); - goto end; - } + DBG1(DBG_LIB, "unsupported content encryption algorithm"); + goto end; + } + crypter = lib->crypto->create_crypter(lib->crypto, enc_alg, + key_size); + if (crypter == NULL) + { + DBG1(DBG_LIB, "crypter %N not available", + encryption_algorithm_names, enc_alg); + goto end; + } + if (symmetric_key.len != crypter->get_key_size(crypter)) + { + DBG1(DBG_LIB, "symmetric key length %d is wrong", + symmetric_key.len); + goto end; + } + if (!asn1_parse_simple_object(&iv, ASN1_OCTET_STRING, + level + 1, "IV")) + { + DBG1(DBG_LIB, "IV could not be parsed"); + goto end; + } + if (iv.len != crypter->get_iv_size(crypter)) + { + DBG1(DBG_LIB, "IV length %d is wrong", iv.len); + goto end; } break; + } case PKCS7_ENCRYPTED_CONTENT: + { encrypted_content = object; break; + } } } success = parser->success(parser); @@ -566,11 +585,12 @@ end: { goto failed; } + success = FALSE; /* decrypt the content */ crypter->set_key(crypter, symmetric_key); crypter->decrypt(crypter, encrypted_content, iv, &this->data); - DBG3(DBG_LIB, "decrypted content with padding: %B", &this->data); + DBG4(DBG_LIB, "decrypted content with padding: %B", &this->data); /* remove the padding */ { @@ -594,15 +614,16 @@ end: } } } - crypter->destroy(crypter); - free(symmetric_key.ptr); - return TRUE; + success = TRUE; failed: DESTROY_IF(crypter); - free(symmetric_key.ptr); - chunk_free(&this->data); - return FALSE; + chunk_clear(&symmetric_key); + if (!success) + { + chunk_free(&this->data); + } + return success; } METHOD(pkcs7_t, get_data, chunk_t, @@ -616,26 +637,16 @@ METHOD(pkcs7_t, get_contentInfo, chunk_t, { chunk_t content_type; - /* select DER-encoded OID for pkcs7_contentInfo type */ + /* create DER-encoded OID for pkcs7_contentInfo type */ switch(this->type) { case OID_PKCS7_DATA: - content_type = ASN1_pkcs7_data_oid; - break; case OID_PKCS7_SIGNED_DATA: - content_type = ASN1_pkcs7_signed_data_oid; - break; case OID_PKCS7_ENVELOPED_DATA: - content_type = ASN1_pkcs7_enveloped_data_oid; - break; case OID_PKCS7_SIGNED_ENVELOPED_DATA: - content_type = ASN1_pkcs7_signed_enveloped_data_oid; - break; case OID_PKCS7_DIGESTED_DATA: - content_type = ASN1_pkcs7_digested_data_oid; - break; case OID_PKCS7_ENCRYPTED_DATA: - content_type = ASN1_pkcs7_encrypted_data_oid; + content_type = asn1_build_known_oid(this->type); break; case OID_UNKNOWN: default: @@ -643,12 +654,10 @@ METHOD(pkcs7_t, get_contentInfo, chunk_t, return chunk_empty; } - return (this->content.ptr == NULL) - ? asn1_simple_object(ASN1_SEQUENCE, content_type) - : asn1_wrap(ASN1_SEQUENCE, "cm", - content_type, - asn1_simple_object(ASN1_CONTEXT_C_0, this->content) - ); + return this->content.ptr == NULL + ? asn1_wrap(ASN1_SEQUENCE, "m", content_type) + : asn1_wrap(ASN1_SEQUENCE, "mm", content_type, + asn1_simple_object(ASN1_CONTEXT_C_0, this->content)); } METHOD(pkcs7_t, create_certificate_enumerator, enumerator_t*, @@ -658,11 +667,10 @@ METHOD(pkcs7_t, create_certificate_enumerator, enumerator_t*, } METHOD(pkcs7_t, set_certificate, void, - private_pkcs7_t *this, x509_t *cert) + private_pkcs7_t *this, certificate_t *cert) { if (cert) { - /* TODO the certificate is currently not cloned */ this->certs->insert_last(this->certs, cert); } } @@ -676,37 +684,39 @@ METHOD(pkcs7_t, set_attributes, void, /** * build a DER-encoded issuerAndSerialNumber object */ -chunk_t pkcs7_build_issuerAndSerialNumber(x509_t *cert) +chunk_t pkcs7_build_issuerAndSerialNumber(certificate_t *cert) { identification_t *issuer = cert->get_issuer(cert); + chunk_t serial = chunk_empty; + + if (cert->get_type(cert) == CERT_X509) + { + x509_t *x509 = (x509_t*)cert; + serial = x509->get_serial(x509); + } return asn1_wrap(ASN1_SEQUENCE, "cm", - issuer->get_encoding(issuer), - asn1_simple_object(ASN1_INTEGER, cert->get_serialNumber(cert))); + issuer->get_encoding(issuer), + asn1_integer("c", serial)); } METHOD(pkcs7_t, build_envelopedData, bool, - private_pkcs7_t *this, x509_t *cert, encryption_algorithm_t alg) + private_pkcs7_t *this, certificate_t *cert, encryption_algorithm_t alg, + size_t key_size) { - chunk_t iv, symmetricKey, in, out, alg_oid; + chunk_t iv, symmetricKey, protectedKey, in, out; crypter_t *crypter; + int alg_oid; /* select OID of symmetric encryption algorithm */ - switch (alg) + alg_oid = encryption_algorithm_to_oid(alg, key_size); + if (alg_oid == OID_UNKNOWN) { - case ENCR_DES: - alg_oid = ASN1_des_cbc_oid; - break; - case ENCR_3DES: - alg_oid = ASN1_3des_ede_cbc_oid; - break; - default: - DBG1(DBG_LIB, " encryption algorithm %N not supported", - encryption_algorithm_names, alg); - return FALSE; + DBG1(DBG_LIB, " encryption algorithm %N not supported", + encryption_algorithm_names, alg); + return FALSE; } - - crypter = crypter_create(alg, 0); + crypter = lib->crypto->create_crypter(lib->crypto, alg, key_size / 8); if (crypter == NULL) { DBG1(DBG_LIB, " could not create crypter for algorithm %N", @@ -758,27 +768,37 @@ METHOD(pkcs7_t, build_envelopedData, bool, chunk_clear(&in); DBG3(DBG_LIB, " encrypted data: %B", &out); + /* protect symmetric key by public key encryption */ + { + public_key_t *key = cert->get_public_key(cert); + + if (key == NULL) + { + DBG1(DBG_LIB, " public key not found in encryption certificate"); + chunk_clear(&symmetricKey); + chunk_free(&iv); + chunk_free(&out); + return FALSE; + } + key->encrypt(key, ENCRYPT_RSA_PKCS1, symmetricKey, &protectedKey); + key->destroy(key); + chunk_clear(&symmetricKey); + } + /* build pkcs7 enveloped data object */ { - chunk_t contentEncryptionAlgorithm = asn1_wrap(ASN1_SEQUENCE, "cm", - alg_oid, + chunk_t contentEncryptionAlgorithm = asn1_wrap(ASN1_SEQUENCE, "mm", + asn1_build_known_oid(alg_oid), asn1_wrap(ASN1_OCTET_STRING, "m", iv)); - chunk_t encryptedContentInfo = asn1_wrap(ASN1_SEQUENCE, "cmm", - ASN1_pkcs7_data_oid, + chunk_t encryptedContentInfo = asn1_wrap(ASN1_SEQUENCE, "mmm", + asn1_build_known_oid(OID_PKCS7_DATA), contentEncryptionAlgorithm, asn1_wrap(ASN1_CONTEXT_S_0, "m", out)); - chunk_t wrappedKey, encryptedKey, recipientInfo; + chunk_t encryptedKey = asn1_wrap(ASN1_OCTET_STRING, "m", protectedKey); - rsa_public_key_t *public_key = cert->get_public_key(cert); - - public_key->pkcs1_encrypt(public_key, symmetricKey, &wrappedKey); - chunk_clear(&symmetricKey); - - encryptedKey = asn1_wrap(ASN1_OCTET_STRING, "m", wrappedKey); - - recipientInfo = asn1_wrap(ASN1_SEQUENCE, "cmmm", + chunk_t recipientInfo = asn1_wrap(ASN1_SEQUENCE, "cmmm", ASN1_INTEGER_0, pkcs7_build_issuerAndSerialNumber(cert), asn1_algorithmIdentifier(OID_RSA_ENCRYPTION), @@ -794,24 +814,26 @@ METHOD(pkcs7_t, build_envelopedData, bool, } METHOD(pkcs7_t, build_signedData, bool, - private_pkcs7_t *this, rsa_private_key_t *private_key, hash_algorithm_t alg) + private_pkcs7_t *this, private_key_t *private_key, hash_algorithm_t alg) { - int signature_oid = hasher_signature_algorithm_to_oid(alg, - private_key->get_type(private_key)); chunk_t authenticatedAttributes = chunk_empty; chunk_t encryptedDigest = chunk_empty; - chunk_t signerInfo; - x509_t *cert; + chunk_t signerInfo, encoding = chunk_empty; + signature_scheme_t scheme; + int digest_oid; + certificate_t *cert; if (this->certs->get_first(this->certs, (void**)&cert) != SUCCESS) { DBG1(DBG_LIB, " no pkcs7 signer certificate found"); return FALSE; } + digest_oid = hasher_algorithm_to_oid(alg); + scheme = signature_scheme_from_oid(digest_oid); if (this->attributes != NULL) { - if(this->data.ptr != NULL) + if (this->data.ptr != NULL) { hasher_t *hasher; @@ -832,42 +854,41 @@ METHOD(pkcs7_t, build_signedData, bool, hasher->allocate_hash(hasher, this->data, &messageDigest); hasher->destroy(hasher); this->attributes->set_attribute(this->attributes, - OID_PKCS9_CONTENT_TYPE, ASN1_pkcs7_data_oid); + OID_PKCS9_CONTENT_TYPE, + asn1_build_known_oid(OID_PKCS7_DATA)); this->attributes->set_messageDigest(this->attributes, - messageDigest); + messageDigest); this->attributes->set_attribute(this->attributes, - OID_PKCS9_SIGNING_TIME, signingTime); + OID_PKCS9_SIGNING_TIME, signingTime); attributes = this->attributes->get_encoding(this->attributes); free(messageDigest.ptr); free(signingTime.ptr); - private_key->build_emsa_pkcs1_signature(private_key, alg, - attributes, &encryptedDigest); + private_key->sign(private_key, scheme, attributes, &encryptedDigest); authenticatedAttributes = chunk_clone(attributes); *authenticatedAttributes.ptr = ASN1_CONTEXT_C_0; } } else if (this->data.ptr != NULL) { - private_key->build_emsa_pkcs1_signature(private_key, alg, - this->data, &encryptedDigest); + private_key->sign(private_key, scheme, this->data, &encryptedDigest); } if (encryptedDigest.ptr) { encryptedDigest = asn1_wrap(ASN1_OCTET_STRING, "m", encryptedDigest); } - signerInfo = asn1_wrap(ASN1_SEQUENCE, "cmmmmm", ASN1_INTEGER_1, pkcs7_build_issuerAndSerialNumber(cert), - asn1_algorithmIdentifier(signature_oid), + asn1_algorithmIdentifier(digest_oid), authenticatedAttributes, asn1_algorithmIdentifier(OID_RSA_ENCRYPTION), encryptedDigest); if (this->data.ptr != NULL) { + chunk_free(&this->content); this->content = asn1_simple_object(ASN1_OCTET_STRING, this->data); chunk_free(&this->data); } @@ -876,12 +897,13 @@ METHOD(pkcs7_t, build_signedData, bool, chunk_free(&this->content); this->type = OID_PKCS7_SIGNED_DATA; + cert->get_encoding(cert, CERT_ASN1_DER, &encoding); this->content = asn1_wrap(ASN1_SEQUENCE, "cmcmm", ASN1_INTEGER_1, - asn1_wrap(ASN1_SET, "m", asn1_algorithmIdentifier(signature_oid)), + asn1_wrap(ASN1_SET, "m", asn1_algorithmIdentifier(digest_oid)), this->data, - asn1_simple_object(ASN1_CONTEXT_C_0, cert->get_certificate(cert)), + asn1_wrap(ASN1_CONTEXT_C_0, "m", encoding), asn1_wrap(ASN1_SET, "m", signerInfo)); return TRUE; @@ -891,7 +913,7 @@ METHOD(pkcs7_t, destroy, void, private_pkcs7_t *this) { DESTROY_IF(this->attributes); - this->certs->destroy_offset(this->certs, offsetof(x509_t, destroy)); + this->certs->destroy_offset(this->certs, offsetof(certificate_t, destroy)); free(this->content.ptr); free(this->data.ptr); free(this); @@ -928,7 +950,7 @@ static bool parse_contentInfo(chunk_t blob, u_int level0, private_pkcs7_t *cInfo { if (objectID == PKCS7_INFO_TYPE) { - cInfo->type = known_oid(object); + cInfo->type = asn1_known_oid(object); if (cInfo->type < OID_PKCS7_DATA || cInfo->type > OID_PKCS7_ENCRYPTED_DATA) { diff --git a/src/libstrongswan/crypto/pkcs7.h b/src/libstrongswan/crypto/pkcs7.h index 16c53feda..107f2729f 100644 --- a/src/libstrongswan/crypto/pkcs7.h +++ b/src/libstrongswan/crypto/pkcs7.h @@ -1,7 +1,6 @@ /* * Copyright (C) 2005 Jan Hutter, Martin Willi * Copyright (C) 2002-2008 Andreas Steffen - * * Hochschule fuer Technik Rapperswil, Switzerland * * This program is free software; you can redistribute it and/or modify it @@ -26,7 +25,6 @@ typedef struct pkcs7_t pkcs7_t; #include <library.h> -#include <credentials/certificates/x509.h> #include <credentials/keys/private_key.h> #include <crypto/pkcs9.h> #include <crypto/crypters/crypter.h> @@ -36,6 +34,7 @@ typedef struct pkcs7_t pkcs7_t; * PKCS#7 contentInfo object. */ struct pkcs7_t { + /** * Check if the PKCS#7 contentType is data * @@ -70,7 +69,7 @@ struct pkcs7_t { * @param cacert cacert used to verify the signature * @return TRUE if parsing was successful */ - bool (*parse_signedData) (pkcs7_t *this, x509_t *cacert); + bool (*parse_signedData) (pkcs7_t *this, certificate_t *cacert); /** * Parse a PKCS#7 envelopedData content. @@ -79,7 +78,8 @@ struct pkcs7_t { * @param key private key used to decrypt the symmetric key * @return TRUE if parsing was successful */ - bool (*parse_envelopedData) (pkcs7_t *this, chunk_t serialNumber, private_key_t *key); + bool (*parse_envelopedData) (pkcs7_t *this, chunk_t serialNumber, + private_key_t *key); /** * Returns the parsed data object @@ -105,9 +105,9 @@ struct pkcs7_t { /** * Add a certificate. * - * @param cert certificate to be included + * @param cert certificate to be included (gets adopted) */ - void (*set_certificate) (pkcs7_t *this, x509_t *cert); + void (*set_certificate) (pkcs7_t *this, certificate_t *cert); /** * Add authenticated attributes. @@ -128,10 +128,11 @@ struct pkcs7_t { * * @param cert receivers's certificate * @param alg encryption algorithm + * @param key_size key size to use * @return TRUE if build was successful */ - bool (*build_envelopedData) (pkcs7_t *this, x509_t *cert, - encryption_algorithm_t alg); + bool (*build_envelopedData) (pkcs7_t *this, certificate_t *cert, + encryption_algorithm_t alg, size_t key_size); /** * Build an signedData object @@ -154,7 +155,7 @@ struct pkcs7_t { * * @param chunk chunk containing DER encoded data * @param level ASN.1 parsing start level - * @return created pkcs7_contentInfo object, or NULL if invalid. + * @return created pkcs7_contentInfo object, or NULL if invalid. */ pkcs7_t *pkcs7_create_from_chunk(chunk_t chunk, u_int level); @@ -162,7 +163,7 @@ pkcs7_t *pkcs7_create_from_chunk(chunk_t chunk, u_int level); * Create a PKCS#7 contentInfo object * * @param data chunk containing data - * @return created pkcs7_contentInfo object. + * @return created pkcs7_contentInfo object. */ pkcs7_t *pkcs7_create_from_data(chunk_t data); |