/*
- * Copyright 2008-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_ENCRYPT,
- OPT_DECRYPT, OPT_SIGN, OPT_SIGN_RECEIPT, OPT_RESIGN,
+ OPT_DECRYPT, OPT_SIGN, OPT_CADES, OPT_SIGN_RECEIPT, OPT_RESIGN,
OPT_VERIFY, OPT_VERIFY_RETCODE, OPT_VERIFY_RECEIPT,
OPT_CMSOUT, OPT_DATA_OUT, OPT_DATA_CREATE, OPT_DIGEST_VERIFY,
OPT_DIGEST_CREATE, OPT_COMPRESS, OPT_UNCOMPRESS,
{"sign", OPT_SIGN, '-', "Sign message"},
{"sign_receipt", OPT_SIGN_RECEIPT, '-', "Generate a signed receipt for the message"},
{"resign", OPT_RESIGN, '-', "Resign a signed message"},
+ {"cades", OPT_CADES, '-', "Include signer certificate digest"},
{"verify", OPT_VERIFY, '-', "Verify signed message"},
{"verify_retcode", OPT_VERIFY_RETCODE, '-'},
{"verify_receipt", OPT_VERIFY_RECEIPT, '<'},
case OPT_BINARY:
flags |= CMS_BINARY;
break;
+ case OPT_CADES:
+ flags |= CMS_CADES;
+ break;
case OPT_KEYID:
flags |= CMS_USE_KEYID;
break;
md2 md4 md5 sha mdc2 gmac hmac ripemd whrlpool poly1305 blake2 \
siphash sm3 des aes rc2 rc4 rc5 idea aria bf cast camellia \
seed sm4 chacha modes bn ec rsa dsa dh sm2 dso engine \
- err comp ocsp cms ts srp cmac ct async kmac
+ err comp ocsp cms ts srp cmac ct async kmac ess
LIBS=../libcrypto
SOURCE[../libcrypto]=\
{ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_ADD1_SIGNER, 0), "CMS_add1_signer"},
{ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_ADD1_SIGNINGTIME, 0),
"cms_add1_signingTime"},
+ {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_ADD1_SIGNING_CERT, 0),
+ "CMS_add1_signing_cert"},
+ {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_ADD1_SIGNING_CERT_V2, 0),
+ "CMS_add1_signing_cert_v2"},
{ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_COMPRESS, 0), "CMS_compress"},
{ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_COMPRESSEDDATA_CREATE, 0),
"cms_CompressedData_create"},
/*
- * Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
#include <openssl/x509v3.h>
#include <openssl/err.h>
#include <openssl/cms.h>
+#include <openssl/ess.h>
#include "cms_lcl.h"
+#include "internal/ess_int.h"
IMPLEMENT_ASN1_FUNCTIONS(CMS_ReceiptRequest)
-/* ESS services: for now just Signed Receipt related */
+/* ESS services */
int CMS_get1_ReceiptRequest(CMS_SignerInfo *si, CMS_ReceiptRequest **prr)
{
CMS_ReceiptRequest_free(rr);
return os;
}
+
+/*
+ * Add signer certificate's V2 digest to a SignerInfo
+ * structure
+ */
+
+int CMS_add1_signing_cert_v2(CMS_SignerInfo *si,
+ ESS_SIGNING_CERT_V2 *sc)
+{
+ ASN1_STRING *seq = NULL;
+ unsigned char *p, *pp;
+ int len;
+
+ /* Add SigningCertificateV2 signed attribute to the signer info. */
+ len = i2d_ESS_SIGNING_CERT_V2(sc, NULL);
+ if ((pp = OPENSSL_malloc(len)) == NULL)
+ goto err;
+ p = pp;
+ i2d_ESS_SIGNING_CERT_V2(sc, &p);
+ if (!(seq = ASN1_STRING_new()) || !ASN1_STRING_set(seq, pp, len))
+ goto err;
+ OPENSSL_free(pp);
+ pp = NULL;
+ if (!CMS_signed_add1_attr_by_NID(si, NID_id_smime_aa_signingCertificateV2,
+ V_ASN1_SEQUENCE, seq, -1))
+ goto err;
+ ASN1_STRING_free(seq);
+ return 1;
+ err:
+ CMSerr(CMS_F_CMS_ADD1_SIGNING_CERT_V2, ERR_R_MALLOC_FAILURE);
+ ASN1_STRING_free(seq);
+ OPENSSL_free(pp);
+ return 0;
+}
+
+/*
+ * Add signer certificate's digest to a SignerInfo
+ * structure
+ */
+
+int CMS_add1_signing_cert(CMS_SignerInfo *si, ESS_SIGNING_CERT *sc)
+{
+ ASN1_STRING *seq = NULL;
+ unsigned char *p, *pp;
+ int len;
+
+ /* Add SigningCertificate signed attribute to the signer info. */
+ len = i2d_ESS_SIGNING_CERT(sc, NULL);
+ if ((pp = OPENSSL_malloc(len)) == NULL)
+ goto err;
+ p = pp;
+ i2d_ESS_SIGNING_CERT(sc, &p);
+ if (!(seq = ASN1_STRING_new()) || !ASN1_STRING_set(seq, pp, len))
+ goto err;
+ OPENSSL_free(pp);
+ pp = NULL;
+ if (!CMS_signed_add1_attr_by_NID(si, NID_id_smime_aa_signingCertificate,
+ V_ASN1_SEQUENCE, seq, -1))
+ goto err;
+ ASN1_STRING_free(seq);
+ return 1;
+ err:
+ CMSerr(CMS_F_CMS_ADD1_SIGNING_CERT, ERR_R_MALLOC_FAILURE);
+ ASN1_STRING_free(seq);
+ OPENSSL_free(pp);
+ return 0;
+}
!CMS_SignerInfo_sign(si))
goto err;
}
+ if (flags & CMS_CADES) {
+ ESS_SIGNING_CERT *sc = NULL;
+ ESS_SIGNING_CERT_V2 *sc2 = NULL;
+ int add_sc;
+
+ if (md == EVP_sha1() || md == NULL) {
+ if ((sc = ESS_SIGNING_CERT_new_init(signer,
+ NULL, 1)) == NULL)
+ goto err;
+ add_sc = CMS_add1_signing_cert(si, sc);
+ ESS_SIGNING_CERT_free(sc);
+ } else {
+ if ((sc2 = ESS_SIGNING_CERT_V2_new_init(md, signer,
+ NULL, 1)) == NULL)
+ goto err;
+ add_sc = CMS_add1_signing_cert_v2(si, sc2);
+ ESS_SIGNING_CERT_V2_free(sc2);
+ }
+ if (!add_sc)
+ goto err;
+ }
}
if (!(flags & CMS_NOCERTS)) {
{ERR_PACK(ERR_LIB_KDF, 0, 0), "KDF routines"},
{ERR_PACK(ERR_LIB_OSSL_STORE, 0, 0), "STORE routines"},
{ERR_PACK(ERR_LIB_SM2, 0, 0), "SM2 routines"},
+ {ERR_PACK(ERR_LIB_ESS, 0, 0), "ESS routines"},
{0, NULL},
};
#include <openssl/asyncerr.h>
#include <openssl/kdferr.h>
#include <openssl/storeerr.h>
+#include <openssl/esserr.h>
int err_load_crypto_strings_int(void)
{
# ifndef OPENSSL_NO_CT
ERR_load_CT_strings() == 0 ||
# endif
+ ERR_load_ESS_strings() == 0 ||
ERR_load_ASYNC_strings() == 0 ||
#endif
ERR_load_KDF_strings() == 0 ||
L KDF include/openssl/kdf.h crypto/kdf/kdf_err.c
L SM2 crypto/include/internal/sm2.h crypto/sm2/sm2_err.c
L OSSL_STORE include/openssl/store.h crypto/store/store_err.c
+L ESS include/openssl/ess.h crypto/ess/ess_err.c
# additional header files to be scanned for function names
L NONE include/openssl/x509_vfy.h NONE
-# Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 1999-2019 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
CMS_F_CMS_ADD1_RECIPIENT_CERT:101:CMS_add1_recipient_cert
CMS_F_CMS_ADD1_SIGNER:102:CMS_add1_signer
CMS_F_CMS_ADD1_SIGNINGTIME:103:cms_add1_signingTime
+CMS_F_CMS_ADD1_SIGNING_CERT:181:CMS_add1_signing_cert
+CMS_F_CMS_ADD1_SIGNING_CERT_V2:182:CMS_add1_signing_cert_v2
CMS_F_CMS_COMPRESS:104:CMS_compress
CMS_F_CMS_COMPRESSEDDATA_CREATE:105:cms_CompressedData_create
CMS_F_CMS_COMPRESSEDDATA_INIT_BIO:106:cms_CompressedData_init_bio
ENGINE_F_INT_ENGINE_CONFIGURE:188:int_engine_configure
ENGINE_F_INT_ENGINE_MODULE_INIT:187:int_engine_module_init
ENGINE_F_OSSL_HMAC_INIT:200:ossl_hmac_init
+ESS_F_ESS_CERT_ID_NEW_INIT:100:ESS_CERT_ID_new_init
+ESS_F_ESS_CERT_ID_V2_NEW_INIT:101:ESS_CERT_ID_V2_new_init
+ESS_F_ESS_SIGNING_CERT_ADD:104:ESS_SIGNING_CERT_add
+ESS_F_ESS_SIGNING_CERT_NEW_INIT:102:ESS_SIGNING_CERT_new_init
+ESS_F_ESS_SIGNING_CERT_V2_ADD:105:ESS_SIGNING_CERT_V2_add
+ESS_F_ESS_SIGNING_CERT_V2_NEW_INIT:103:ESS_SIGNING_CERT_V2_new_init
EVP_F_AESNI_INIT_KEY:165:aesni_init_key
EVP_F_AES_GCM_CTRL:196:aes_gcm_ctrl
EVP_F_AES_GCM_TLS_CIPHER:207:aes_gcm_tls_cipher
SSL_F_WRITE_STATE_MACHINE:586:write_state_machine
TS_F_DEF_SERIAL_CB:110:def_serial_cb
TS_F_DEF_TIME_CB:111:def_time_cb
-TS_F_ESS_ADD_SIGNING_CERT:112:ess_add_signing_cert
-TS_F_ESS_ADD_SIGNING_CERT_V2:147:ess_add_signing_cert_v2
-TS_F_ESS_CERT_ID_NEW_INIT:113:ess_CERT_ID_new_init
-TS_F_ESS_CERT_ID_V2_NEW_INIT:156:ess_cert_id_v2_new_init
-TS_F_ESS_SIGNING_CERT_NEW_INIT:114:ess_SIGNING_CERT_new_init
-TS_F_ESS_SIGNING_CERT_V2_NEW_INIT:157:ess_signing_cert_v2_new_init
TS_F_INT_TS_RESP_VERIFY_TOKEN:149:int_ts_RESP_verify_token
TS_F_PKCS7_TO_TS_TST_INFO:148:PKCS7_to_TS_TST_INFO
TS_F_TS_ACCURACY_SET_MICROS:115:TS_ACCURACY_set_micros
ENGINE_R_UNIMPLEMENTED_DIGEST:147:unimplemented digest
ENGINE_R_UNIMPLEMENTED_PUBLIC_KEY_METHOD:101:unimplemented public key method
ENGINE_R_VERSION_INCOMPATIBILITY:145:version incompatibility
+ESS_R_ESS_SIGNING_CERTIFICATE_ERROR:102:ess signing certificate error
+ESS_R_ESS_SIGNING_CERT_ADD_ERROR:100:ess signing cert add error
+ESS_R_ESS_SIGNING_CERT_V2_ADD_ERROR:101:ess signing cert v2 add error
EVP_R_AES_KEY_SETUP_FAILED:143:aes key setup failed
EVP_R_ARIA_KEY_SETUP_FAILED:176:aria key setup failed
EVP_R_BAD_DECRYPT:100:bad decrypt
--- /dev/null
+LIBS=../../libcrypto
+SOURCE[../../libcrypto]= \
+ ess_lib.c ess_asn1.c ess_err.c
--- /dev/null
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <openssl/err.h>
+#include <openssl/asn1t.h>
+#include <openssl/ess.h>
+#include <openssl/x509v3.h>
+#include "internal/ess_int.h"
+
+/* ASN1 stuff for ESS Structure */
+
+ASN1_SEQUENCE(ESS_ISSUER_SERIAL) = {
+ ASN1_SEQUENCE_OF(ESS_ISSUER_SERIAL, issuer, GENERAL_NAME),
+ ASN1_SIMPLE(ESS_ISSUER_SERIAL, serial, ASN1_INTEGER)
+} static_ASN1_SEQUENCE_END(ESS_ISSUER_SERIAL)
+
+IMPLEMENT_ASN1_FUNCTIONS_const(ESS_ISSUER_SERIAL)
+IMPLEMENT_ASN1_DUP_FUNCTION(ESS_ISSUER_SERIAL)
+
+ASN1_SEQUENCE(ESS_CERT_ID) = {
+ ASN1_SIMPLE(ESS_CERT_ID, hash, ASN1_OCTET_STRING),
+ ASN1_OPT(ESS_CERT_ID, issuer_serial, ESS_ISSUER_SERIAL)
+} static_ASN1_SEQUENCE_END(ESS_CERT_ID)
+
+IMPLEMENT_ASN1_FUNCTIONS_const(ESS_CERT_ID)
+IMPLEMENT_ASN1_DUP_FUNCTION(ESS_CERT_ID)
+
+ASN1_SEQUENCE(ESS_SIGNING_CERT) = {
+ ASN1_SEQUENCE_OF(ESS_SIGNING_CERT, cert_ids, ESS_CERT_ID),
+ ASN1_SEQUENCE_OF_OPT(ESS_SIGNING_CERT, policy_info, POLICYINFO)
+} static_ASN1_SEQUENCE_END(ESS_SIGNING_CERT)
+
+IMPLEMENT_ASN1_FUNCTIONS_const(ESS_SIGNING_CERT)
+IMPLEMENT_ASN1_DUP_FUNCTION(ESS_SIGNING_CERT)
+
+ASN1_SEQUENCE(ESS_CERT_ID_V2) = {
+ ASN1_OPT(ESS_CERT_ID_V2, hash_alg, X509_ALGOR),
+ ASN1_SIMPLE(ESS_CERT_ID_V2, hash, ASN1_OCTET_STRING),
+ ASN1_OPT(ESS_CERT_ID_V2, issuer_serial, ESS_ISSUER_SERIAL)
+} static_ASN1_SEQUENCE_END(ESS_CERT_ID_V2)
+
+IMPLEMENT_ASN1_FUNCTIONS_const(ESS_CERT_ID_V2)
+IMPLEMENT_ASN1_DUP_FUNCTION(ESS_CERT_ID_V2)
+
+ASN1_SEQUENCE(ESS_SIGNING_CERT_V2) = {
+ ASN1_SEQUENCE_OF(ESS_SIGNING_CERT_V2, cert_ids, ESS_CERT_ID_V2),
+ ASN1_SEQUENCE_OF_OPT(ESS_SIGNING_CERT_V2, policy_info, POLICYINFO)
+} static_ASN1_SEQUENCE_END(ESS_SIGNING_CERT_V2)
+
+IMPLEMENT_ASN1_FUNCTIONS_const(ESS_SIGNING_CERT_V2)
+IMPLEMENT_ASN1_DUP_FUNCTION(ESS_SIGNING_CERT_V2)
--- /dev/null
+/*
+ * Generated by util/mkerr.pl DO NOT EDIT
+ * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <openssl/err.h>
+#include <openssl/esserr.h>
+
+#ifndef OPENSSL_NO_ERR
+
+static const ERR_STRING_DATA ESS_str_functs[] = {
+ {ERR_PACK(ERR_LIB_ESS, ESS_F_ESS_CERT_ID_NEW_INIT, 0),
+ "ESS_CERT_ID_new_init"},
+ {ERR_PACK(ERR_LIB_ESS, ESS_F_ESS_CERT_ID_V2_NEW_INIT, 0),
+ "ESS_CERT_ID_V2_new_init"},
+ {ERR_PACK(ERR_LIB_ESS, ESS_F_ESS_SIGNING_CERT_ADD, 0),
+ "ESS_SIGNING_CERT_add"},
+ {ERR_PACK(ERR_LIB_ESS, ESS_F_ESS_SIGNING_CERT_NEW_INIT, 0),
+ "ESS_SIGNING_CERT_new_init"},
+ {ERR_PACK(ERR_LIB_ESS, ESS_F_ESS_SIGNING_CERT_V2_ADD, 0),
+ "ESS_SIGNING_CERT_V2_add"},
+ {ERR_PACK(ERR_LIB_ESS, ESS_F_ESS_SIGNING_CERT_V2_NEW_INIT, 0),
+ "ESS_SIGNING_CERT_V2_new_init"},
+ {0, NULL}
+};
+
+static const ERR_STRING_DATA ESS_str_reasons[] = {
+ {ERR_PACK(ERR_LIB_ESS, 0, ESS_R_ESS_SIGNING_CERTIFICATE_ERROR),
+ "ess signing certificate error"},
+ {ERR_PACK(ERR_LIB_ESS, 0, ESS_R_ESS_SIGNING_CERT_ADD_ERROR),
+ "ess signing cert add error"},
+ {ERR_PACK(ERR_LIB_ESS, 0, ESS_R_ESS_SIGNING_CERT_V2_ADD_ERROR),
+ "ess signing cert v2 add error"},
+ {0, NULL}
+};
+
+#endif
+
+int ERR_load_ESS_strings(void)
+{
+#ifndef OPENSSL_NO_ERR
+ if (ERR_func_error_string(ESS_str_functs[0].error) == NULL) {
+ ERR_load_strings_const(ESS_str_functs);
+ ERR_load_strings_const(ESS_str_reasons);
+ }
+#endif
+ return 1;
+}
--- /dev/null
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <string.h>
+#include <openssl/x509v3.h>
+#include <openssl/err.h>
+#include <openssl/ess.h>
+#include "internal/ess_int.h"
+
+static ESS_CERT_ID *ESS_CERT_ID_new_init(X509 *cert, int issuer_needed);
+static ESS_CERT_ID_V2 *ESS_CERT_ID_V2_new_init(const EVP_MD *hash_alg,
+ X509 *cert, int issuer_needed);
+
+ESS_SIGNING_CERT *ESS_SIGNING_CERT_new_init(X509 *signcert,
+ STACK_OF(X509) *certs,
+ int issuer_needed)
+{
+ ESS_CERT_ID *cid = NULL;
+ ESS_SIGNING_CERT *sc;
+ int i;
+
+ if ((sc = ESS_SIGNING_CERT_new()) == NULL)
+ goto err;
+ if (sc->cert_ids == NULL
+ && (sc->cert_ids = sk_ESS_CERT_ID_new_null()) == NULL)
+ goto err;
+
+ if ((cid = ESS_CERT_ID_new_init(signcert, issuer_needed)) == NULL
+ || !sk_ESS_CERT_ID_push(sc->cert_ids, cid))
+ goto err;
+ for (i = 0; i < sk_X509_num(certs); ++i) {
+ X509 *cert = sk_X509_value(certs, i);
+ if ((cid = ESS_CERT_ID_new_init(cert, 1)) == NULL
+ || !sk_ESS_CERT_ID_push(sc->cert_ids, cid))
+ goto err;
+ }
+
+ return sc;
+ err:
+ ESS_SIGNING_CERT_free(sc);
+ ESS_CERT_ID_free(cid);
+ ESSerr(ESS_F_ESS_SIGNING_CERT_NEW_INIT, ERR_R_MALLOC_FAILURE);
+ return NULL;
+}
+
+static ESS_CERT_ID *ESS_CERT_ID_new_init(X509 *cert, int issuer_needed)
+{
+ ESS_CERT_ID *cid = NULL;
+ GENERAL_NAME *name = NULL;
+ unsigned char cert_sha1[SHA_DIGEST_LENGTH];
+
+ /* Call for side-effect of computing hash and caching extensions */
+ X509_check_purpose(cert, -1, 0);
+ if ((cid = ESS_CERT_ID_new()) == NULL)
+ goto err;
+ X509_digest(cert, EVP_sha1(), cert_sha1, NULL);
+ if (!ASN1_OCTET_STRING_set(cid->hash, cert_sha1, SHA_DIGEST_LENGTH))
+ goto err;
+
+ /* Setting the issuer/serial if requested. */
+ if (!issuer_needed)
+ return cid;
+
+ if (cid->issuer_serial == NULL
+ && (cid->issuer_serial = ESS_ISSUER_SERIAL_new()) == NULL)
+ goto err;
+ if ((name = GENERAL_NAME_new()) == NULL)
+ goto err;
+ name->type = GEN_DIRNAME;
+ if ((name->d.dirn = X509_NAME_dup(X509_get_issuer_name(cert))) == NULL)
+ goto err;
+ if (!sk_GENERAL_NAME_push(cid->issuer_serial->issuer, name))
+ goto err;
+ name = NULL; /* Ownership is lost. */
+ ASN1_INTEGER_free(cid->issuer_serial->serial);
+ if (!(cid->issuer_serial->serial =
+ ASN1_INTEGER_dup(X509_get_serialNumber(cert))))
+ goto err;
+
+ return cid;
+ err:
+ GENERAL_NAME_free(name);
+ ESS_CERT_ID_free(cid);
+ ESSerr(ESS_F_ESS_CERT_ID_NEW_INIT, ERR_R_MALLOC_FAILURE);
+ return NULL;
+}
+
+ESS_SIGNING_CERT_V2 *ESS_SIGNING_CERT_V2_new_init(const EVP_MD *hash_alg,
+ X509 *signcert,
+ STACK_OF(X509) *certs,
+ int issuer_needed)
+{
+ ESS_CERT_ID_V2 *cid = NULL;
+ ESS_SIGNING_CERT_V2 *sc;
+ int i;
+
+ if ((sc = ESS_SIGNING_CERT_V2_new()) == NULL)
+ goto err;
+ if ((cid = ESS_CERT_ID_V2_new_init(hash_alg, signcert, issuer_needed)) == NULL)
+ goto err;
+ if (!sk_ESS_CERT_ID_V2_push(sc->cert_ids, cid))
+ goto err;
+ cid = NULL;
+
+ for (i = 0; i < sk_X509_num(certs); ++i) {
+ X509 *cert = sk_X509_value(certs, i);
+
+ if ((cid = ESS_CERT_ID_V2_new_init(hash_alg, cert, 1)) == NULL)
+ goto err;
+ if (!sk_ESS_CERT_ID_V2_push(sc->cert_ids, cid))
+ goto err;
+ cid = NULL;
+ }
+
+ return sc;
+ err:
+ ESS_SIGNING_CERT_V2_free(sc);
+ ESS_CERT_ID_V2_free(cid);
+ ESSerr(ESS_F_ESS_SIGNING_CERT_V2_NEW_INIT, ERR_R_MALLOC_FAILURE);
+ return NULL;
+}
+
+static ESS_CERT_ID_V2 *ESS_CERT_ID_V2_new_init(const EVP_MD *hash_alg,
+ X509 *cert, int issuer_needed)
+{
+ ESS_CERT_ID_V2 *cid;
+ GENERAL_NAME *name = NULL;
+ unsigned char hash[EVP_MAX_MD_SIZE];
+ unsigned int hash_len = sizeof(hash);
+ X509_ALGOR *alg = NULL;
+
+ memset(hash, 0, sizeof(hash));
+
+ if ((cid = ESS_CERT_ID_V2_new()) == NULL)
+ goto err;
+
+ if (hash_alg != EVP_sha256()) {
+ alg = X509_ALGOR_new();
+ if (alg == NULL)
+ goto err;
+ X509_ALGOR_set_md(alg, hash_alg);
+ if (alg->algorithm == NULL)
+ goto err;
+ cid->hash_alg = alg;
+ alg = NULL;
+ } else {
+ cid->hash_alg = NULL;
+ }
+
+ if (!X509_digest(cert, hash_alg, hash, &hash_len))
+ goto err;
+
+ if (!ASN1_OCTET_STRING_set(cid->hash, hash, hash_len))
+ goto err;
+
+ if (!issuer_needed)
+ return cid;
+
+ if ((cid->issuer_serial = ESS_ISSUER_SERIAL_new()) == NULL)
+ goto err;
+ if ((name = GENERAL_NAME_new()) == NULL)
+ goto err;
+ name->type = GEN_DIRNAME;
+ if ((name->d.dirn = X509_NAME_dup(X509_get_issuer_name(cert))) == NULL)
+ goto err;
+ if (!sk_GENERAL_NAME_push(cid->issuer_serial->issuer, name))
+ goto err;
+ name = NULL; /* Ownership is lost. */
+ ASN1_INTEGER_free(cid->issuer_serial->serial);
+ cid->issuer_serial->serial = ASN1_INTEGER_dup(X509_get_serialNumber(cert));
+ if (cid->issuer_serial->serial == NULL)
+ goto err;
+
+ return cid;
+ err:
+ X509_ALGOR_free(alg);
+ GENERAL_NAME_free(name);
+ ESS_CERT_ID_V2_free(cid);
+ ESSerr(ESS_F_ESS_CERT_ID_V2_NEW_INIT, ERR_R_MALLOC_FAILURE);
+ return NULL;
+}
+
+ESS_SIGNING_CERT *ESS_SIGNING_CERT_get(PKCS7_SIGNER_INFO *si)
+{
+ ASN1_TYPE *attr;
+ const unsigned char *p;
+ attr = PKCS7_get_signed_attribute(si, NID_id_smime_aa_signingCertificate);
+ if (!attr)
+ return NULL;
+ p = attr->value.sequence->data;
+ return d2i_ESS_SIGNING_CERT(NULL, &p, attr->value.sequence->length);
+}
+
+ESS_SIGNING_CERT_V2 *ESS_SIGNING_CERT_V2_get(PKCS7_SIGNER_INFO *si)
+{
+ ASN1_TYPE *attr;
+ const unsigned char *p;
+
+ attr = PKCS7_get_signed_attribute(si, NID_id_smime_aa_signingCertificateV2);
+ if (attr == NULL)
+ return NULL;
+ p = attr->value.sequence->data;
+ return d2i_ESS_SIGNING_CERT_V2(NULL, &p, attr->value.sequence->length);
+}
+
+int ESS_SIGNING_CERT_add(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT *sc)
+{
+ ASN1_STRING *seq = NULL;
+ unsigned char *p, *pp = NULL;
+ int len;
+
+ len = i2d_ESS_SIGNING_CERT(sc, NULL);
+ if ((pp = OPENSSL_malloc(len)) == NULL) {
+ ESSerr(ESS_F_ESS_SIGNING_CERT_ADD, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+ p = pp;
+ i2d_ESS_SIGNING_CERT(sc, &p);
+ if ((seq = ASN1_STRING_new()) == NULL || !ASN1_STRING_set(seq, pp, len)) {
+ ESSerr(ESS_F_ESS_SIGNING_CERT_ADD, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+ OPENSSL_free(pp);
+ pp = NULL;
+ return PKCS7_add_signed_attribute(si,
+ NID_id_smime_aa_signingCertificate,
+ V_ASN1_SEQUENCE, seq);
+ err:
+ ASN1_STRING_free(seq);
+ OPENSSL_free(pp);
+
+ return 0;
+}
+
+int ESS_SIGNING_CERT_V2_add(PKCS7_SIGNER_INFO *si,
+ ESS_SIGNING_CERT_V2 *sc)
+{
+ ASN1_STRING *seq = NULL;
+ unsigned char *p, *pp = NULL;
+ int len = i2d_ESS_SIGNING_CERT_V2(sc, NULL);
+
+ if ((pp = OPENSSL_malloc(len)) == NULL) {
+ ESSerr(ESS_F_ESS_SIGNING_CERT_V2_ADD, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+
+ p = pp;
+ i2d_ESS_SIGNING_CERT_V2(sc, &p);
+ if ((seq = ASN1_STRING_new()) == NULL || !ASN1_STRING_set(seq, pp, len)) {
+ ESSerr(ESS_F_ESS_SIGNING_CERT_V2_ADD, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+
+ OPENSSL_free(pp);
+ pp = NULL;
+ return PKCS7_add_signed_attribute(si,
+ NID_id_smime_aa_signingCertificateV2,
+ V_ASN1_SEQUENCE, seq);
+ err:
+ ASN1_STRING_free(seq);
+ OPENSSL_free(pp);
+ return 0;
+}
--- /dev/null
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/* internal ESS related stuff */
+
+ESS_SIGNING_CERT *ESS_SIGNING_CERT_get(PKCS7_SIGNER_INFO *si);
+int ESS_SIGNING_CERT_add(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT *sc);
+
+ESS_SIGNING_CERT_V2 *ESS_SIGNING_CERT_V2_get(PKCS7_SIGNER_INFO *si);
+int ESS_SIGNING_CERT_V2_add(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT_V2 *sc);
+
+/*-
+ * IssuerSerial ::= SEQUENCE {
+ * issuer GeneralNames,
+ * serialNumber CertificateSerialNumber
+ * }
+ */
+
+struct ESS_issuer_serial {
+ STACK_OF(GENERAL_NAME) *issuer;
+ ASN1_INTEGER *serial;
+};
+
+/*-
+ * ESSCertID ::= SEQUENCE {
+ * certHash Hash,
+ * issuerSerial IssuerSerial OPTIONAL
+ * }
+ */
+
+struct ESS_cert_id {
+ ASN1_OCTET_STRING *hash; /* Always SHA-1 digest. */
+ ESS_ISSUER_SERIAL *issuer_serial;
+};
+
+/*-
+ * SigningCertificate ::= SEQUENCE {
+ * certs SEQUENCE OF ESSCertID,
+ * policies SEQUENCE OF PolicyInformation OPTIONAL
+ * }
+ */
+
+struct ESS_signing_cert {
+ STACK_OF(ESS_CERT_ID) *cert_ids;
+ STACK_OF(POLICYINFO) *policy_info;
+};
+
+/*-
+ * ESSCertIDv2 ::= SEQUENCE {
+ * hashAlgorithm AlgorithmIdentifier DEFAULT id-sha256,
+ * certHash Hash,
+ * issuerSerial IssuerSerial OPTIONAL
+ * }
+ */
+
+struct ESS_cert_id_v2_st {
+ X509_ALGOR *hash_alg; /* Default: SHA-256 */
+ ASN1_OCTET_STRING *hash;
+ ESS_ISSUER_SERIAL *issuer_serial;
+};
+
+/*-
+ * SigningCertificateV2 ::= SEQUENCE {
+ * certs SEQUENCE OF ESSCertIDv2,
+ * policies SEQUENCE OF PolicyInformation OPTIONAL
+ * }
+ */
+
+struct ESS_signing_cert_v2_st {
+ STACK_OF(ESS_CERT_ID_V2) *cert_ids;
+ STACK_OF(POLICYINFO) *policy_info;
+};
}
#endif
-ASN1_SEQUENCE(ESS_ISSUER_SERIAL) = {
- ASN1_SEQUENCE_OF(ESS_ISSUER_SERIAL, issuer, GENERAL_NAME),
- ASN1_SIMPLE(ESS_ISSUER_SERIAL, serial, ASN1_INTEGER)
-} static_ASN1_SEQUENCE_END(ESS_ISSUER_SERIAL)
-
-IMPLEMENT_ASN1_FUNCTIONS_const(ESS_ISSUER_SERIAL)
-IMPLEMENT_ASN1_DUP_FUNCTION(ESS_ISSUER_SERIAL)
-
-ASN1_SEQUENCE(ESS_CERT_ID) = {
- ASN1_SIMPLE(ESS_CERT_ID, hash, ASN1_OCTET_STRING),
- ASN1_OPT(ESS_CERT_ID, issuer_serial, ESS_ISSUER_SERIAL)
-} static_ASN1_SEQUENCE_END(ESS_CERT_ID)
-
-IMPLEMENT_ASN1_FUNCTIONS_const(ESS_CERT_ID)
-IMPLEMENT_ASN1_DUP_FUNCTION(ESS_CERT_ID)
-
-ASN1_SEQUENCE(ESS_SIGNING_CERT) = {
- ASN1_SEQUENCE_OF(ESS_SIGNING_CERT, cert_ids, ESS_CERT_ID),
- ASN1_SEQUENCE_OF_OPT(ESS_SIGNING_CERT, policy_info, POLICYINFO)
-} static_ASN1_SEQUENCE_END(ESS_SIGNING_CERT)
-
-IMPLEMENT_ASN1_FUNCTIONS_const(ESS_SIGNING_CERT)
-IMPLEMENT_ASN1_DUP_FUNCTION(ESS_SIGNING_CERT)
-
-ASN1_SEQUENCE(ESS_CERT_ID_V2) = {
- ASN1_OPT(ESS_CERT_ID_V2, hash_alg, X509_ALGOR),
- ASN1_SIMPLE(ESS_CERT_ID_V2, hash, ASN1_OCTET_STRING),
- ASN1_OPT(ESS_CERT_ID_V2, issuer_serial, ESS_ISSUER_SERIAL)
-} static_ASN1_SEQUENCE_END(ESS_CERT_ID_V2)
-
-IMPLEMENT_ASN1_FUNCTIONS_const(ESS_CERT_ID_V2)
-IMPLEMENT_ASN1_DUP_FUNCTION(ESS_CERT_ID_V2)
-
-ASN1_SEQUENCE(ESS_SIGNING_CERT_V2) = {
- ASN1_SEQUENCE_OF(ESS_SIGNING_CERT_V2, cert_ids, ESS_CERT_ID_V2),
- ASN1_SEQUENCE_OF_OPT(ESS_SIGNING_CERT_V2, policy_info, POLICYINFO)
-} static_ASN1_SEQUENCE_END(ESS_SIGNING_CERT_V2)
-
-IMPLEMENT_ASN1_FUNCTIONS_const(ESS_SIGNING_CERT_V2)
-IMPLEMENT_ASN1_DUP_FUNCTION(ESS_SIGNING_CERT_V2)
-
/* Getting encapsulated TS_TST_INFO object from PKCS7. */
TS_TST_INFO *PKCS7_to_TS_TST_INFO(PKCS7 *token)
{
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
static const ERR_STRING_DATA TS_str_functs[] = {
{ERR_PACK(ERR_LIB_TS, TS_F_DEF_SERIAL_CB, 0), "def_serial_cb"},
{ERR_PACK(ERR_LIB_TS, TS_F_DEF_TIME_CB, 0), "def_time_cb"},
- {ERR_PACK(ERR_LIB_TS, TS_F_ESS_ADD_SIGNING_CERT, 0),
- "ess_add_signing_cert"},
- {ERR_PACK(ERR_LIB_TS, TS_F_ESS_ADD_SIGNING_CERT_V2, 0),
- "ess_add_signing_cert_v2"},
- {ERR_PACK(ERR_LIB_TS, TS_F_ESS_CERT_ID_NEW_INIT, 0),
- "ess_CERT_ID_new_init"},
- {ERR_PACK(ERR_LIB_TS, TS_F_ESS_CERT_ID_V2_NEW_INIT, 0),
- "ess_cert_id_v2_new_init"},
- {ERR_PACK(ERR_LIB_TS, TS_F_ESS_SIGNING_CERT_NEW_INIT, 0),
- "ess_SIGNING_CERT_new_init"},
- {ERR_PACK(ERR_LIB_TS, TS_F_ESS_SIGNING_CERT_V2_NEW_INIT, 0),
- "ess_signing_cert_v2_new_init"},
{ERR_PACK(ERR_LIB_TS, TS_F_INT_TS_RESP_VERIFY_TOKEN, 0),
"int_ts_RESP_verify_token"},
{ERR_PACK(ERR_LIB_TS, TS_F_PKCS7_TO_TS_TST_INFO, 0),
ASN1_BIT_STRING *failure_info;
};
-/*-
- * IssuerSerial ::= SEQUENCE {
- * issuer GeneralNames,
- * serialNumber CertificateSerialNumber
- * }
- */
-struct ESS_issuer_serial {
- STACK_OF(GENERAL_NAME) *issuer;
- ASN1_INTEGER *serial;
-};
-
-/*-
- * ESSCertID ::= SEQUENCE {
- * certHash Hash,
- * issuerSerial IssuerSerial OPTIONAL
- * }
- */
-struct ESS_cert_id {
- ASN1_OCTET_STRING *hash; /* Always SHA-1 digest. */
- ESS_ISSUER_SERIAL *issuer_serial;
-};
-
-/*-
- * SigningCertificate ::= SEQUENCE {
- * certs SEQUENCE OF ESSCertID,
- * policies SEQUENCE OF PolicyInformation OPTIONAL
- * }
- */
-struct ESS_signing_cert {
- STACK_OF(ESS_CERT_ID) *cert_ids;
- STACK_OF(POLICYINFO) *policy_info;
-};
-
-/*-
- * ESSCertIDv2 ::= SEQUENCE {
- * hashAlgorithm AlgorithmIdentifier
- * DEFAULT {algorithm id-sha256},
- * certHash Hash,
- * issuerSerial IssuerSerial OPTIONAL
- * }
- */
-
-struct ESS_cert_id_v2_st {
- X509_ALGOR *hash_alg; /* Default: SHA-256 */
- ASN1_OCTET_STRING *hash;
- ESS_ISSUER_SERIAL *issuer_serial;
-};
-
-/*-
- * SigningCertificateV2 ::= SEQUENCE {
- * certs SEQUENCE OF ESSCertIDv2,
- * policies SEQUENCE OF PolicyInformation OPTIONAL
- * }
- */
-
-struct ESS_signing_cert_v2_st {
- STACK_OF(ESS_CERT_ID_V2) *cert_ids;
- STACK_OF(POLICYINFO) *policy_info;
-};
-
-
struct TS_resp_ctx {
X509 *signer_cert;
EVP_PKEY *signer_key;
/*
- * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
#include <openssl/pkcs7.h>
#include <openssl/crypto.h>
#include "ts_lcl.h"
+#include "internal/ess_int.h"
static ASN1_INTEGER *def_serial_cb(struct TS_resp_ctx *, void *);
static int def_time_cb(struct TS_resp_ctx *, void *, long *sec, long *usec);
static int ts_RESP_process_extensions(TS_RESP_CTX *ctx);
static int ts_RESP_sign(TS_RESP_CTX *ctx);
-static ESS_SIGNING_CERT *ess_SIGNING_CERT_new_init(X509 *signcert,
- STACK_OF(X509) *certs);
-static ESS_CERT_ID *ess_CERT_ID_new_init(X509 *cert, int issuer_needed);
static int ts_TST_INFO_content_new(PKCS7 *p7);
-static int ess_add_signing_cert(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT *sc);
-
-static ESS_SIGNING_CERT_V2 *ess_signing_cert_v2_new_init(const EVP_MD *hash_alg,
- X509 *signcert,
- STACK_OF(X509)
- *certs);
-static ESS_CERT_ID_V2 *ess_cert_id_v2_new_init(const EVP_MD *hash_alg,
- X509 *cert, int issuer_needed);
-static int ess_add_signing_cert_v2(PKCS7_SIGNER_INFO *si,
- ESS_SIGNING_CERT_V2 *sc);
static ASN1_GENERALIZEDTIME
*TS_RESP_set_genTime_with_precision(ASN1_GENERALIZEDTIME *, long, long,
certs = ctx->flags & TS_ESS_CERT_ID_CHAIN ? ctx->certs : NULL;
if (ctx->ess_cert_id_digest == NULL
|| ctx->ess_cert_id_digest == EVP_sha1()) {
- if ((sc = ess_SIGNING_CERT_new_init(ctx->signer_cert, certs)) == NULL)
+ if ((sc = ESS_SIGNING_CERT_new_init(ctx->signer_cert, certs, 0)) == NULL)
goto err;
- if (!ess_add_signing_cert(si, sc)) {
+ if (!ESS_SIGNING_CERT_add(si, sc)) {
TSerr(TS_F_TS_RESP_SIGN, TS_R_ESS_ADD_SIGNING_CERT_ERROR);
goto err;
}
} else {
- sc2 = ess_signing_cert_v2_new_init(ctx->ess_cert_id_digest,
- ctx->signer_cert, certs);
+ sc2 = ESS_SIGNING_CERT_V2_new_init(ctx->ess_cert_id_digest,
+ ctx->signer_cert, certs, 0);
if (sc2 == NULL)
goto err;
- if (!ess_add_signing_cert_v2(si, sc2)) {
+ if (!ESS_SIGNING_CERT_V2_add(si, sc2)) {
TSerr(TS_F_TS_RESP_SIGN, TS_R_ESS_ADD_SIGNING_CERT_V2_ERROR);
goto err;
}
return ret;
}
-static ESS_SIGNING_CERT *ess_SIGNING_CERT_new_init(X509 *signcert,
- STACK_OF(X509) *certs)
-{
- ESS_CERT_ID *cid;
- ESS_SIGNING_CERT *sc = NULL;
- int i;
-
- if ((sc = ESS_SIGNING_CERT_new()) == NULL)
- goto err;
- if (sc->cert_ids == NULL
- && (sc->cert_ids = sk_ESS_CERT_ID_new_null()) == NULL)
- goto err;
-
- if ((cid = ess_CERT_ID_new_init(signcert, 0)) == NULL
- || !sk_ESS_CERT_ID_push(sc->cert_ids, cid))
- goto err;
- for (i = 0; i < sk_X509_num(certs); ++i) {
- X509 *cert = sk_X509_value(certs, i);
- if ((cid = ess_CERT_ID_new_init(cert, 1)) == NULL
- || !sk_ESS_CERT_ID_push(sc->cert_ids, cid))
- goto err;
- }
-
- return sc;
- err:
- ESS_SIGNING_CERT_free(sc);
- TSerr(TS_F_ESS_SIGNING_CERT_NEW_INIT, ERR_R_MALLOC_FAILURE);
- return NULL;
-}
-
-static ESS_CERT_ID *ess_CERT_ID_new_init(X509 *cert, int issuer_needed)
-{
- ESS_CERT_ID *cid = NULL;
- GENERAL_NAME *name = NULL;
- unsigned char cert_sha1[SHA_DIGEST_LENGTH];
-
- /* Call for side-effect of computing hash and caching extensions */
- X509_check_purpose(cert, -1, 0);
- if ((cid = ESS_CERT_ID_new()) == NULL)
- goto err;
- X509_digest(cert, EVP_sha1(), cert_sha1, NULL);
- if (!ASN1_OCTET_STRING_set(cid->hash, cert_sha1, SHA_DIGEST_LENGTH))
- goto err;
-
- /* Setting the issuer/serial if requested. */
- if (issuer_needed) {
- if (cid->issuer_serial == NULL
- && (cid->issuer_serial = ESS_ISSUER_SERIAL_new()) == NULL)
- goto err;
- if ((name = GENERAL_NAME_new()) == NULL)
- goto err;
- name->type = GEN_DIRNAME;
- if ((name->d.dirn = X509_NAME_dup(X509_get_issuer_name(cert))) == NULL)
- goto err;
- if (!sk_GENERAL_NAME_push(cid->issuer_serial->issuer, name))
- goto err;
- name = NULL; /* Ownership is lost. */
- ASN1_INTEGER_free(cid->issuer_serial->serial);
- if (!(cid->issuer_serial->serial =
- ASN1_INTEGER_dup(X509_get_serialNumber(cert))))
- goto err;
- }
-
- return cid;
- err:
- GENERAL_NAME_free(name);
- ESS_CERT_ID_free(cid);
- TSerr(TS_F_ESS_CERT_ID_NEW_INIT, ERR_R_MALLOC_FAILURE);
- return NULL;
-}
-
static int ts_TST_INFO_content_new(PKCS7 *p7)
{
PKCS7 *ret = NULL;
return 0;
}
-static int ess_add_signing_cert(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT *sc)
-{
- ASN1_STRING *seq = NULL;
- unsigned char *p, *pp = NULL;
- int len;
-
- len = i2d_ESS_SIGNING_CERT(sc, NULL);
- if ((pp = OPENSSL_malloc(len)) == NULL) {
- TSerr(TS_F_ESS_ADD_SIGNING_CERT, ERR_R_MALLOC_FAILURE);
- goto err;
- }
- p = pp;
- i2d_ESS_SIGNING_CERT(sc, &p);
- if ((seq = ASN1_STRING_new()) == NULL || !ASN1_STRING_set(seq, pp, len)) {
- TSerr(TS_F_ESS_ADD_SIGNING_CERT, ERR_R_MALLOC_FAILURE);
- goto err;
- }
- OPENSSL_free(pp);
- pp = NULL;
- return PKCS7_add_signed_attribute(si,
- NID_id_smime_aa_signingCertificate,
- V_ASN1_SEQUENCE, seq);
- err:
- ASN1_STRING_free(seq);
- OPENSSL_free(pp);
-
- return 0;
-}
-
-static ESS_SIGNING_CERT_V2 *ess_signing_cert_v2_new_init(const EVP_MD *hash_alg,
- X509 *signcert,
- STACK_OF(X509) *certs)
-{
- ESS_CERT_ID_V2 *cid = NULL;
- ESS_SIGNING_CERT_V2 *sc = NULL;
- int i;
-
- if ((sc = ESS_SIGNING_CERT_V2_new()) == NULL)
- goto err;
- if ((cid = ess_cert_id_v2_new_init(hash_alg, signcert, 0)) == NULL)
- goto err;
- if (!sk_ESS_CERT_ID_V2_push(sc->cert_ids, cid))
- goto err;
- cid = NULL;
-
- for (i = 0; i < sk_X509_num(certs); ++i) {
- X509 *cert = sk_X509_value(certs, i);
-
- if ((cid = ess_cert_id_v2_new_init(hash_alg, cert, 1)) == NULL)
- goto err;
- if (!sk_ESS_CERT_ID_V2_push(sc->cert_ids, cid))
- goto err;
- cid = NULL;
- }
-
- return sc;
- err:
- ESS_SIGNING_CERT_V2_free(sc);
- ESS_CERT_ID_V2_free(cid);
- TSerr(TS_F_ESS_SIGNING_CERT_V2_NEW_INIT, ERR_R_MALLOC_FAILURE);
- return NULL;
-}
-
-static ESS_CERT_ID_V2 *ess_cert_id_v2_new_init(const EVP_MD *hash_alg,
- X509 *cert, int issuer_needed)
-{
- ESS_CERT_ID_V2 *cid = NULL;
- GENERAL_NAME *name = NULL;
- unsigned char hash[EVP_MAX_MD_SIZE];
- unsigned int hash_len = sizeof(hash);
- X509_ALGOR *alg = NULL;
-
- memset(hash, 0, sizeof(hash));
-
- if ((cid = ESS_CERT_ID_V2_new()) == NULL)
- goto err;
-
- if (hash_alg != EVP_sha256()) {
- alg = X509_ALGOR_new();
- if (alg == NULL)
- goto err;
- X509_ALGOR_set_md(alg, hash_alg);
- if (alg->algorithm == NULL)
- goto err;
- cid->hash_alg = alg;
- alg = NULL;
- } else {
- cid->hash_alg = NULL;
- }
-
- if (!X509_digest(cert, hash_alg, hash, &hash_len))
- goto err;
-
- if (!ASN1_OCTET_STRING_set(cid->hash, hash, hash_len))
- goto err;
-
- if (issuer_needed) {
- if ((cid->issuer_serial = ESS_ISSUER_SERIAL_new()) == NULL)
- goto err;
- if ((name = GENERAL_NAME_new()) == NULL)
- goto err;
- name->type = GEN_DIRNAME;
- if ((name->d.dirn = X509_NAME_dup(X509_get_issuer_name(cert))) == NULL)
- goto err;
- if (!sk_GENERAL_NAME_push(cid->issuer_serial->issuer, name))
- goto err;
- name = NULL; /* Ownership is lost. */
- ASN1_INTEGER_free(cid->issuer_serial->serial);
- cid->issuer_serial->serial =
- ASN1_INTEGER_dup(X509_get_serialNumber(cert));
- if (cid->issuer_serial->serial == NULL)
- goto err;
- }
-
- return cid;
- err:
- X509_ALGOR_free(alg);
- GENERAL_NAME_free(name);
- ESS_CERT_ID_V2_free(cid);
- TSerr(TS_F_ESS_CERT_ID_V2_NEW_INIT, ERR_R_MALLOC_FAILURE);
- return NULL;
-}
-
-static int ess_add_signing_cert_v2(PKCS7_SIGNER_INFO *si,
- ESS_SIGNING_CERT_V2 *sc)
-{
- ASN1_STRING *seq = NULL;
- unsigned char *p, *pp = NULL;
- int len = i2d_ESS_SIGNING_CERT_V2(sc, NULL);
-
- if ((pp = OPENSSL_malloc(len)) == NULL) {
- TSerr(TS_F_ESS_ADD_SIGNING_CERT_V2, ERR_R_MALLOC_FAILURE);
- goto err;
- }
-
- p = pp;
- i2d_ESS_SIGNING_CERT_V2(sc, &p);
- if ((seq = ASN1_STRING_new()) == NULL || !ASN1_STRING_set(seq, pp, len)) {
- TSerr(TS_F_ESS_ADD_SIGNING_CERT_V2, ERR_R_MALLOC_FAILURE);
- goto err;
- }
-
- OPENSSL_free(pp);
- pp = NULL;
- return PKCS7_add_signed_attribute(si,
- NID_id_smime_aa_signingCertificateV2,
- V_ASN1_SEQUENCE, seq);
- err:
- ASN1_STRING_free(seq);
- OPENSSL_free(pp);
- return 0;
-}
-
static ASN1_GENERALIZEDTIME *TS_RESP_set_genTime_with_precision(
ASN1_GENERALIZEDTIME *asn1_time, long sec, long usec,
unsigned precision)
/*
- * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
#include <openssl/ts.h>
#include <openssl/pkcs7.h>
#include "ts_lcl.h"
+#include "internal/ess_int.h"
static int ts_verify_cert(X509_STORE *store, STACK_OF(X509) *untrusted,
X509 *signer, STACK_OF(X509) **chain);
static int ts_check_signing_certs(PKCS7_SIGNER_INFO *si,
STACK_OF(X509) *chain);
-static ESS_SIGNING_CERT *ess_get_signing_cert(PKCS7_SIGNER_INFO *si);
static int ts_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert);
static int ts_issuer_serial_cmp(ESS_ISSUER_SERIAL *is, X509 *cert);
static int int_ts_RESP_verify_token(TS_VERIFY_CTX *ctx,
static int ts_find_name(STACK_OF(GENERAL_NAME) *gen_names,
GENERAL_NAME *name);
static int ts_find_cert_v2(STACK_OF(ESS_CERT_ID_V2) *cert_ids, X509 *cert);
-static ESS_SIGNING_CERT_V2 *ess_get_signing_cert_v2(PKCS7_SIGNER_INFO *si);
/*
* This must be large enough to hold all values in ts_status_text (with
static int ts_check_signing_certs(PKCS7_SIGNER_INFO *si,
STACK_OF(X509) *chain)
{
- ESS_SIGNING_CERT *ss = ess_get_signing_cert(si);
+ ESS_SIGNING_CERT *ss = ESS_SIGNING_CERT_get(si);
STACK_OF(ESS_CERT_ID) *cert_ids = NULL;
- ESS_SIGNING_CERT_V2 *ssv2 = ess_get_signing_cert_v2(si);
+ ESS_SIGNING_CERT_V2 *ssv2 = ESS_SIGNING_CERT_V2_get(si);
STACK_OF(ESS_CERT_ID_V2) *cert_ids_v2 = NULL;
X509 *cert;
int i = 0;
return ret;
}
-static ESS_SIGNING_CERT *ess_get_signing_cert(PKCS7_SIGNER_INFO *si)
-{
- ASN1_TYPE *attr;
- const unsigned char *p;
- attr = PKCS7_get_signed_attribute(si, NID_id_smime_aa_signingCertificate);
- if (!attr)
- return NULL;
- p = attr->value.sequence->data;
- return d2i_ESS_SIGNING_CERT(NULL, &p, attr->value.sequence->length);
-}
-
-static ESS_SIGNING_CERT_V2 *ess_get_signing_cert_v2(PKCS7_SIGNER_INFO *si)
-{
- ASN1_TYPE *attr;
- const unsigned char *p;
-
- attr = PKCS7_get_signed_attribute(si, NID_id_smime_aa_signingCertificateV2);
- if (attr == NULL)
- return NULL;
- p = attr->value.sequence->data;
- return d2i_ESS_SIGNING_CERT_V2(NULL, &p, attr->value.sequence->length);
-}
-
/* Returns < 0 if certificate is not found, certificate index otherwise. */
static int ts_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert)
{
[B<-verify>]
[B<-cmsout>]
[B<-resign>]
+[B<-cades>]
[B<-data_create>]
[B<-data_out>]
[B<-digest_create>]
Resign a message: take an existing message and one or more new signers.
+=item B<-cades>
+
+Add an ESS signing-certificate or ESS signing-certificate-v2 signed-attribute to the SignerInfo, in order to make
+the signature comply with the requirements for a CAdES Basic Electronic Signature (CAdES-BES). See the NOTES
+section for more details.
+
=item B<-data_create>
Create a CMS B<Data> type.
and return an error if no recipient can be found: this option should be used
with caution. For a fuller description see L<CMS_decrypt(3)>).
+=head1 CAdES Basic Electronic Signature (CAdES-BES)
+
+A CAdES Basic Electronic Signature (CAdES-BES), as defined in the European Standard ETSI EN 319 122-1 V1.1.1, contains:
+
+=over 4
+
+=item *
+
+The signed user data as defined in CMS (RFC 3852);
+
+=item *
+
+Content-type of the EncapsulatedContentInfo value being signed;
+
+=item *
+
+Message-digest of the eContent OCTET STRING within encapContentInfo being signed;
+
+=item *
+
+An ESS signing-certificate or ESS signing-certificate-v2 attribute, as defined in Enhanced Security Services (ESS), RFC 2634 and RFC 5035.
+An ESS signing-certificate attribute only allows for the use of SHA-1 as a digest algorithm.
+An ESS signing-certificate-v2 attribute allows for the use of any digest algorithm.
+
+=item *
+
+The digital signature value computed on the user data and, when present, on the signed attributes.
+
+Note that currently the B<-cades> option applies only to the B<-sign> operation and is ignored during
+the B<-verify> operation, i.e. the signing certification is not checked during the verification process.
+This feature might be added in a future version.
+
+=back
+
=head1 EXIT CODES
=over 4
--- /dev/null
+=pod
+
+=head1 NAME
+
+CMS_add1_signing_cert, CMS_add1_signing_cert_v2
+- add ESS signing-certificate signed attribute to a
+CMS_SignerInfo data structure
+
+=head1 SYNOPSIS
+
+ #include <openssl/cms.h>
+
+ int CMS_add1_signing_cert(CMS_SignerInfo *si, ESS_SIGNING_CERT *sc);
+
+ int CMS_add1_signing_cert_v2(CMS_SignerInfo *si, ESS_SIGNING_CERT_V2 *sc2);
+
+=head1 DESCRIPTION
+
+CMS_add1_signing_cert() adds an ESS Signing Certificate B<sc> (version 1) signed
+attribute to the CMS_SignerInfo B<si>.
+CMS_add1_signing_cert_v2() adds an ESS Signing Certificate B<sc2> (version 2) signed
+attribute to the CMS_SignerInfo B<si>.
+The ESS Signing Certificate attributes version 1 and 2 are defined in RFC 5035
+which updates Section 5.4 of RFC 2634.
+
+=head1 NOTES
+
+This attribute is mandatory to make a CMS compliant with CAdES-BES
+(European Standard ETSI EN 319 122-1 V1.1.1).
+For a fuller description see L<cms(1)>).
+
+=head1 RETURN VALUES
+
+CMS_add1_signing_cert() and CMS_add1_signing_cert_v2() return 1 if attribute is added or 0 if an error occurred.
+
+=head1 COPYRIGHT
+
+Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License"). You may not use
+this file except in compliance with the License. You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
/*
- * Copyright 2008-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
# include <openssl/x509.h>
# include <openssl/x509v3.h>
# include <openssl/cmserr.h>
+# include <openssl/ess.h>
# ifdef __cplusplus
extern "C" {
# endif
# define CMS_DEBUG_DECRYPT 0x20000
# define CMS_KEY_PARAM 0x40000
# define CMS_ASCIICRLF 0x80000
+# define CMS_CADES 0x100000
const ASN1_OBJECT *CMS_get0_type(const CMS_ContentInfo *cms);
const void *bytes, int len);
void *CMS_unsigned_get0_data_by_OBJ(CMS_SignerInfo *si, ASN1_OBJECT *oid,
int lastpos, int type);
+int CMS_add1_signing_cert(CMS_SignerInfo *si, ESS_SIGNING_CERT *sc);
+int CMS_add1_signing_cert_v2(CMS_SignerInfo *si, ESS_SIGNING_CERT_V2 *sc);
# ifdef HEADER_X509V3_H
# define CMS_F_CMS_ADD1_RECIPIENT_CERT 101
# define CMS_F_CMS_ADD1_SIGNER 102
# define CMS_F_CMS_ADD1_SIGNINGTIME 103
+# define CMS_F_CMS_ADD1_SIGNING_CERT 181
+# define CMS_F_CMS_ADD1_SIGNING_CERT_V2 182
# define CMS_F_CMS_COMPRESS 104
# define CMS_F_CMS_COMPRESSEDDATA_CREATE 105
# define CMS_F_CMS_COMPRESSEDDATA_INIT_BIO 106
# define ERR_LIB_ASYNC 51
# define ERR_LIB_KDF 52
# define ERR_LIB_SM2 53
+# define ERR_LIB_ESS 54
# define ERR_LIB_USER 128
# define ASYNCerr(f,r) ERR_PUT_error(ERR_LIB_ASYNC,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
# define KDFerr(f,r) ERR_PUT_error(ERR_LIB_KDF,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
# define SM2err(f,r) ERR_PUT_error(ERR_LIB_SM2,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
+# define ESSerr(f,r) ERR_PUT_error(ERR_LIB_ESS,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
# define ERR_PACK(l,f,r) ( \
(((unsigned int)(l) & 0x0FF) << 24L) | \
--- /dev/null
+/*
+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef HEADER_ESS_H
+# define HEADER_ESS_H
+
+# include <openssl/opensslconf.h>
+
+# ifdef __cplusplus
+extern "C" {
+# endif
+# include <openssl/safestack.h>
+# include <openssl/x509.h>
+# include <openssl/esserr.h>
+
+typedef struct ESS_issuer_serial ESS_ISSUER_SERIAL;
+typedef struct ESS_cert_id ESS_CERT_ID;
+typedef struct ESS_signing_cert ESS_SIGNING_CERT;
+
+DEFINE_STACK_OF(ESS_CERT_ID)
+
+typedef struct ESS_signing_cert_v2_st ESS_SIGNING_CERT_V2;
+typedef struct ESS_cert_id_v2_st ESS_CERT_ID_V2;
+
+DEFINE_STACK_OF(ESS_CERT_ID_V2)
+
+ESS_ISSUER_SERIAL *ESS_ISSUER_SERIAL_new(void);
+void ESS_ISSUER_SERIAL_free(ESS_ISSUER_SERIAL *a);
+int i2d_ESS_ISSUER_SERIAL(const ESS_ISSUER_SERIAL *a, unsigned char **pp);
+ESS_ISSUER_SERIAL *d2i_ESS_ISSUER_SERIAL(ESS_ISSUER_SERIAL **a,
+ const unsigned char **pp,
+ long length);
+ESS_ISSUER_SERIAL *ESS_ISSUER_SERIAL_dup(ESS_ISSUER_SERIAL *a);
+
+ESS_CERT_ID *ESS_CERT_ID_new(void);
+void ESS_CERT_ID_free(ESS_CERT_ID *a);
+int i2d_ESS_CERT_ID(const ESS_CERT_ID *a, unsigned char **pp);
+ESS_CERT_ID *d2i_ESS_CERT_ID(ESS_CERT_ID **a, const unsigned char **pp,
+ long length);
+ESS_CERT_ID *ESS_CERT_ID_dup(ESS_CERT_ID *a);
+
+ESS_SIGNING_CERT *ESS_SIGNING_CERT_new(void);
+void ESS_SIGNING_CERT_free(ESS_SIGNING_CERT *a);
+int i2d_ESS_SIGNING_CERT(const ESS_SIGNING_CERT *a, unsigned char **pp);
+ESS_SIGNING_CERT *d2i_ESS_SIGNING_CERT(ESS_SIGNING_CERT **a,
+ const unsigned char **pp, long length);
+ESS_SIGNING_CERT *ESS_SIGNING_CERT_dup(ESS_SIGNING_CERT *a);
+ESS_SIGNING_CERT *ESS_SIGNING_CERT_new_init(X509 *signcert,
+ STACK_OF(X509) *certs,
+ int issuer_needed);
+
+ESS_CERT_ID_V2 *ESS_CERT_ID_V2_new(void);
+void ESS_CERT_ID_V2_free(ESS_CERT_ID_V2 *a);
+int i2d_ESS_CERT_ID_V2(const ESS_CERT_ID_V2 *a, unsigned char **pp);
+ESS_CERT_ID_V2 *d2i_ESS_CERT_ID_V2(ESS_CERT_ID_V2 **a,
+ const unsigned char **pp, long length);
+ESS_CERT_ID_V2 *ESS_CERT_ID_V2_dup(ESS_CERT_ID_V2 *a);
+
+ESS_SIGNING_CERT_V2 *ESS_SIGNING_CERT_V2_new(void);
+void ESS_SIGNING_CERT_V2_free(ESS_SIGNING_CERT_V2 *a);
+int i2d_ESS_SIGNING_CERT_V2(const ESS_SIGNING_CERT_V2 *a, unsigned char **pp);
+ESS_SIGNING_CERT_V2 *d2i_ESS_SIGNING_CERT_V2(ESS_SIGNING_CERT_V2 **a,
+ const unsigned char **pp,
+ long length);
+ESS_SIGNING_CERT_V2 *ESS_SIGNING_CERT_V2_dup(ESS_SIGNING_CERT_V2 *a);
+ESS_SIGNING_CERT_V2 *ESS_SIGNING_CERT_V2_new_init(const EVP_MD *hash_alg,
+ X509 *signcert,
+ STACK_OF(X509) *certs,
+ int issuer_needed);
+
+# ifdef __cplusplus
+}
+# endif
+#endif
--- /dev/null
+/*
+ * Generated by util/mkerr.pl DO NOT EDIT
+ * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef HEADER_ESSERR_H
+# define HEADER_ESSERR_H
+
+# include <openssl/opensslconf.h>
+
+# ifdef __cplusplus
+extern "C"
+# endif
+int ERR_load_ESS_strings(void);
+
+/*
+ * ESS function codes.
+ */
+# define ESS_F_ESS_CERT_ID_NEW_INIT 100
+# define ESS_F_ESS_CERT_ID_V2_NEW_INIT 101
+# define ESS_F_ESS_SIGNING_CERT_ADD 104
+# define ESS_F_ESS_SIGNING_CERT_NEW_INIT 102
+# define ESS_F_ESS_SIGNING_CERT_V2_ADD 105
+# define ESS_F_ESS_SIGNING_CERT_V2_NEW_INIT 103
+
+/*
+ * ESS reason codes.
+ */
+# define ESS_R_ESS_SIGNING_CERTIFICATE_ERROR 102
+# define ESS_R_ESS_SIGNING_CERT_ADD_ERROR 100
+# define ESS_R_ESS_SIGNING_CERT_V2_ADD_ERROR 101
+
+#endif
# include <openssl/dsa.h>
# include <openssl/dh.h>
# include <openssl/tserr.h>
+# include <openssl/ess.h>
# ifdef __cplusplus
extern "C" {
# endif
typedef struct TS_status_info_st TS_STATUS_INFO;
-typedef struct ESS_issuer_serial ESS_ISSUER_SERIAL;
-typedef struct ESS_cert_id ESS_CERT_ID;
-typedef struct ESS_signing_cert ESS_SIGNING_CERT;
-
-DEFINE_STACK_OF(ESS_CERT_ID)
-
-typedef struct ESS_cert_id_v2_st ESS_CERT_ID_V2;
-typedef struct ESS_signing_cert_v2_st ESS_SIGNING_CERT_V2;
-
-DEFINE_STACK_OF(ESS_CERT_ID_V2)
typedef struct TS_resp_st TS_RESP;
long length);
TS_ACCURACY *TS_ACCURACY_dup(TS_ACCURACY *a);
-ESS_ISSUER_SERIAL *ESS_ISSUER_SERIAL_new(void);
-void ESS_ISSUER_SERIAL_free(ESS_ISSUER_SERIAL *a);
-int i2d_ESS_ISSUER_SERIAL(const ESS_ISSUER_SERIAL *a, unsigned char **pp);
-ESS_ISSUER_SERIAL *d2i_ESS_ISSUER_SERIAL(ESS_ISSUER_SERIAL **a,
- const unsigned char **pp,
- long length);
-ESS_ISSUER_SERIAL *ESS_ISSUER_SERIAL_dup(ESS_ISSUER_SERIAL *a);
-
-ESS_CERT_ID *ESS_CERT_ID_new(void);
-void ESS_CERT_ID_free(ESS_CERT_ID *a);
-int i2d_ESS_CERT_ID(const ESS_CERT_ID *a, unsigned char **pp);
-ESS_CERT_ID *d2i_ESS_CERT_ID(ESS_CERT_ID **a, const unsigned char **pp,
- long length);
-ESS_CERT_ID *ESS_CERT_ID_dup(ESS_CERT_ID *a);
-
-ESS_SIGNING_CERT *ESS_SIGNING_CERT_new(void);
-void ESS_SIGNING_CERT_free(ESS_SIGNING_CERT *a);
-int i2d_ESS_SIGNING_CERT(const ESS_SIGNING_CERT *a, unsigned char **pp);
-ESS_SIGNING_CERT *d2i_ESS_SIGNING_CERT(ESS_SIGNING_CERT **a,
- const unsigned char **pp, long length);
-ESS_SIGNING_CERT *ESS_SIGNING_CERT_dup(ESS_SIGNING_CERT *a);
-
-ESS_CERT_ID_V2 *ESS_CERT_ID_V2_new(void);
-void ESS_CERT_ID_V2_free(ESS_CERT_ID_V2 *a);
-int i2d_ESS_CERT_ID_V2(const ESS_CERT_ID_V2 *a, unsigned char **pp);
-ESS_CERT_ID_V2 *d2i_ESS_CERT_ID_V2(ESS_CERT_ID_V2 **a,
- const unsigned char **pp, long length);
-ESS_CERT_ID_V2 *ESS_CERT_ID_V2_dup(ESS_CERT_ID_V2 *a);
-
-ESS_SIGNING_CERT_V2 *ESS_SIGNING_CERT_V2_new(void);
-void ESS_SIGNING_CERT_V2_free(ESS_SIGNING_CERT_V2 *a);
-int i2d_ESS_SIGNING_CERT_V2(const ESS_SIGNING_CERT_V2 *a, unsigned char **pp);
-ESS_SIGNING_CERT_V2 *d2i_ESS_SIGNING_CERT_V2(ESS_SIGNING_CERT_V2 **a,
- const unsigned char **pp,
- long length);
-ESS_SIGNING_CERT_V2 *ESS_SIGNING_CERT_V2_dup(ESS_SIGNING_CERT_V2 *a);
-
int TS_REQ_set_version(TS_REQ *a, long version);
long TS_REQ_get_version(const TS_REQ *a);
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
*/
# define TS_F_DEF_SERIAL_CB 110
# define TS_F_DEF_TIME_CB 111
-# define TS_F_ESS_ADD_SIGNING_CERT 112
-# define TS_F_ESS_ADD_SIGNING_CERT_V2 147
-# define TS_F_ESS_CERT_ID_NEW_INIT 113
-# define TS_F_ESS_CERT_ID_V2_NEW_INIT 156
-# define TS_F_ESS_SIGNING_CERT_NEW_INIT 114
-# define TS_F_ESS_SIGNING_CERT_V2_NEW_INIT 157
# define TS_F_INT_TS_RESP_VERIFY_TOKEN 149
# define TS_F_PKCS7_TO_TS_TST_INFO 148
# define TS_F_TS_ACCURACY_SET_MICROS 115
"-CAfile", catfile($smdir, "smroot.pem") ]
],
+ [ "signed content DER format, RSA key, CAdES-BES compatible",
+ [ "-sign", "-cades", "-in", $smcont, "-outform", "DER", "-nodetach",
+ "-certfile", catfile($smdir, "smroot.pem"),
+ "-signer", catfile($smdir, "smrsa1.pem"), "-out", "test.cms" ],
+ [ "-verify", "-in", "test.cms", "-inform", "DER",
+ "-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ]
+ ],
+
+ [ "signed content DER format, RSA key, SHA256 md, CAdES-BES compatible",
+ [ "-sign", "-cades", "-md", "sha256", "-in", $smcont, "-outform",
+ "DER", "-nodetach", "-certfile", catfile($smdir, "smroot.pem"),
+ "-signer", catfile($smdir, "smrsa1.pem"), "-out", "test.cms" ],
+ [ "-verify", "-in", "test.cms", "-inform", "DER",
+ "-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ]
+ ],
+
[ "enveloped content test streaming S/MIME format, DES, 3 recipients, keyid",
[ "-encrypt", "-in", $smcont,
"-stream", "-out", "test.cms", "-keyid",
PKCS5_PBE_add 10 3_0_0 EXIST::FUNCTION:
i2d_DSAparams 11 3_0_0 EXIST::FUNCTION:DSA
X509_NAME_get0_der 12 3_0_0 EXIST::FUNCTION:
-i2d_ESS_ISSUER_SERIAL 13 3_0_0 EXIST::FUNCTION:TS
+i2d_ESS_ISSUER_SERIAL 13 3_0_0 EXIST::FUNCTION:
X509at_get_attr_by_NID 14 3_0_0 EXIST::FUNCTION:
X509_PUBKEY_set0_param 15 3_0_0 EXIST::FUNCTION:
PKCS12_it 16 3_0_0 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
BIO_s_accept 323 3_0_0 EXIST::FUNCTION:SOCK
EVP_whirlpool 324 3_0_0 EXIST::FUNCTION:WHIRLPOOL
OCSP_ONEREQ_get1_ext_d2i 325 3_0_0 EXIST::FUNCTION:OCSP
-d2i_ESS_SIGNING_CERT 326 3_0_0 EXIST::FUNCTION:TS
+d2i_ESS_SIGNING_CERT 326 3_0_0 EXIST::FUNCTION:
EC_KEY_set_default_method 327 3_0_0 EXIST::FUNCTION:EC
X509_OBJECT_up_ref_count 328 3_0_0 EXIST::FUNCTION:
RAND_load_file 329 3_0_0 EXIST::FUNCTION:
EVP_camellia_128_cfb128 579 3_0_0 EXIST::FUNCTION:CAMELLIA
DH_compute_key_padded 580 3_0_0 EXIST::FUNCTION:DH
ERR_load_CONF_strings 581 3_0_0 EXIST::FUNCTION:
-ESS_ISSUER_SERIAL_dup 582 3_0_0 EXIST::FUNCTION:TS
+ESS_ISSUER_SERIAL_dup 582 3_0_0 EXIST::FUNCTION:
BN_GF2m_mod_exp_arr 583 3_0_0 EXIST::FUNCTION:EC2M
ASN1_UTF8STRING_free 584 3_0_0 EXIST::FUNCTION:
BN_X931_generate_prime_ex 585 3_0_0 EXIST::FUNCTION:
PEM_get_EVP_CIPHER_INFO 654 3_0_0 EXIST::FUNCTION:
X509V3_EXT_print 655 3_0_0 EXIST::FUNCTION:
i2d_OCSP_SINGLERESP 656 3_0_0 EXIST::FUNCTION:OCSP
-ESS_CERT_ID_free 657 3_0_0 EXIST::FUNCTION:TS
+ESS_CERT_ID_free 657 3_0_0 EXIST::FUNCTION:
PEM_SignInit 658 3_0_0 EXIST::FUNCTION:
EVP_CIPHER_CTX_set_key_length 659 3_0_0 EXIST::FUNCTION:
X509_delete_ext 660 3_0_0 EXIST::FUNCTION:
ASN1_item_pack 1418 3_0_0 EXIST::FUNCTION:
ASN1_BIT_STRING_set_asc 1419 3_0_0 EXIST::FUNCTION:
d2i_GENERAL_NAME 1420 3_0_0 EXIST::FUNCTION:
-i2d_ESS_CERT_ID 1421 3_0_0 EXIST::FUNCTION:TS
+i2d_ESS_CERT_ID 1421 3_0_0 EXIST::FUNCTION:
X509_TRUST_get_by_id 1422 3_0_0 EXIST::FUNCTION:
d2i_RSA_PUBKEY_fp 1423 3_0_0 EXIST::FUNCTION:RSA,STDIO
EVP_PBE_get 1424 3_0_0 EXIST::FUNCTION:
PKCS7_SIGNED_it 1698 3_0_0 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
b2i_PublicKey 1699 3_0_0 EXIST::FUNCTION:DSA
X509_PURPOSE_cleanup 1700 3_0_0 EXIST::FUNCTION:
-ESS_SIGNING_CERT_dup 1701 3_0_0 EXIST::FUNCTION:TS
+ESS_SIGNING_CERT_dup 1701 3_0_0 EXIST::FUNCTION:
ENGINE_set_default_DSA 1702 3_0_0 EXIST::FUNCTION:ENGINE
X509_REVOKED_new 1703 3_0_0 EXIST::FUNCTION:
NCONF_WIN32 1704 3_0_0 EXIST::FUNCTION:
X509_STORE_set_depth 2094 3_0_0 EXIST::FUNCTION:
EC_KEY_METHOD_get_sign 2095 3_0_0 EXIST::FUNCTION:EC
EVP_CIPHER_CTX_iv 2096 3_0_0 EXIST::FUNCTION:
-i2d_ESS_SIGNING_CERT 2097 3_0_0 EXIST::FUNCTION:TS
+i2d_ESS_SIGNING_CERT 2097 3_0_0 EXIST::FUNCTION:
TS_RESP_set_tst_info 2098 3_0_0 EXIST::FUNCTION:TS
EVP_PKEY_CTX_set_data 2099 3_0_0 EXIST::FUNCTION:
CMS_EnvelopedData_create 2100 3_0_0 EXIST::FUNCTION:CMS
PKCS12_init 2296 3_0_0 EXIST::FUNCTION:
CRYPTO_free_ex_data 2297 3_0_0 EXIST::FUNCTION:
EVP_aes_128_cfb8 2298 3_0_0 EXIST::FUNCTION:
-ESS_ISSUER_SERIAL_free 2299 3_0_0 EXIST::FUNCTION:TS
+ESS_ISSUER_SERIAL_free 2299 3_0_0 EXIST::FUNCTION:
BN_mod_exp_mont_word 2300 3_0_0 EXIST::FUNCTION:
X509V3_EXT_nconf_nid 2301 3_0_0 EXIST::FUNCTION:
UTF8_putc 2302 3_0_0 EXIST::FUNCTION:
PEM_read_bio_DSAPrivateKey 2619 3_0_0 EXIST::FUNCTION:DSA
CMS_get0_type 2620 3_0_0 EXIST::FUNCTION:CMS
ASN1_PCTX_free 2621 3_0_0 EXIST::FUNCTION:
-ESS_SIGNING_CERT_new 2622 3_0_0 EXIST::FUNCTION:TS
+ESS_SIGNING_CERT_new 2622 3_0_0 EXIST::FUNCTION:
X509V3_EXT_conf_nid 2623 3_0_0 EXIST::FUNCTION:
EC_KEY_check_key 2624 3_0_0 EXIST::FUNCTION:EC
PKCS5_PBKDF2_HMAC 2625 3_0_0 EXIST::FUNCTION:
CAST_cbc_encrypt 3047 3_0_0 EXIST::FUNCTION:CAST
BN_BLINDING_invert 3048 3_0_0 EXIST::FUNCTION:
SHA512_Update 3049 3_0_0 EXIST::FUNCTION:
-ESS_ISSUER_SERIAL_new 3050 3_0_0 EXIST::FUNCTION:TS
+ESS_ISSUER_SERIAL_new 3050 3_0_0 EXIST::FUNCTION:
PKCS12_SAFEBAG_get0_pkcs8 3051 3_0_0 EXIST::FUNCTION:
X509_get_ext_by_NID 3052 3_0_0 EXIST::FUNCTION:
d2i_IPAddressFamily 3053 3_0_0 EXIST::FUNCTION:RFC3779
i2d_ISSUING_DIST_POINT 3138 3_0_0 EXIST::FUNCTION:
TXT_DB_free 3139 3_0_0 EXIST::FUNCTION:
ASN1_STRING_set 3140 3_0_0 EXIST::FUNCTION:
-d2i_ESS_CERT_ID 3141 3_0_0 EXIST::FUNCTION:TS
+d2i_ESS_CERT_ID 3141 3_0_0 EXIST::FUNCTION:
EVP_PKEY_meth_set_derive 3142 3_0_0 EXIST::FUNCTION:
OPENSSL_LH_stats 3143 3_0_0 EXIST::FUNCTION:STDIO
NCONF_dump_fp 3144 3_0_0 EXIST::FUNCTION:STDIO
EVP_camellia_192_cfb1 3234 3_0_0 EXIST::FUNCTION:CAMELLIA
TS_RESP_CTX_add_failure_info 3235 3_0_0 EXIST::FUNCTION:TS
EVP_PBE_alg_add 3236 3_0_0 EXIST::FUNCTION:
-ESS_CERT_ID_dup 3237 3_0_0 EXIST::FUNCTION:TS
+ESS_CERT_ID_dup 3237 3_0_0 EXIST::FUNCTION:
CMS_SignerInfo_get0_signature 3238 3_0_0 EXIST::FUNCTION:CMS
EVP_PKEY_verify_recover 3239 3_0_0 EXIST::FUNCTION:
i2d_PUBKEY 3240 3_0_0 EXIST::FUNCTION:
RSA_generate_key_ex 3357 3_0_0 EXIST::FUNCTION:RSA
CMS_SignerInfo_get0_algs 3358 3_0_0 EXIST::FUNCTION:CMS
DIST_POINT_free 3359 3_0_0 EXIST::FUNCTION:
-ESS_SIGNING_CERT_free 3360 3_0_0 EXIST::FUNCTION:TS
+ESS_SIGNING_CERT_free 3360 3_0_0 EXIST::FUNCTION:
SCT_new_from_base64 3361 3_0_0 EXIST::FUNCTION:CT
OpenSSL_version 3362 3_0_0 EXIST::FUNCTION:
OCSP_SINGLERESP_get_ext_by_OBJ 3363 3_0_0 EXIST::FUNCTION:OCSP
SCT_set_source 3476 3_0_0 EXIST::FUNCTION:CT
DES_set_odd_parity 3477 3_0_0 EXIST::FUNCTION:DES
CMAC_CTX_free 3478 3_0_0 EXIST::FUNCTION:CMAC
-d2i_ESS_ISSUER_SERIAL 3479 3_0_0 EXIST::FUNCTION:TS
+d2i_ESS_ISSUER_SERIAL 3479 3_0_0 EXIST::FUNCTION:
HMAC_CTX_set_flags 3480 3_0_0 EXIST::FUNCTION:
d2i_PKCS8_bio 3481 3_0_0 EXIST::FUNCTION:
OCSP_ONEREQ_get_ext_count 3482 3_0_0 EXIST::FUNCTION:OCSP
EVP_MD_block_size 3665 3_0_0 EXIST::FUNCTION:
TS_X509_ALGOR_print_bio 3666 3_0_0 EXIST::FUNCTION:TS
d2i_PKCS7_ENVELOPE 3667 3_0_0 EXIST::FUNCTION:
-ESS_CERT_ID_new 3669 3_0_0 EXIST::FUNCTION:TS
+ESS_CERT_ID_new 3669 3_0_0 EXIST::FUNCTION:
EC_POINT_invert 3670 3_0_0 EXIST::FUNCTION:EC
CAST_set_key 3671 3_0_0 EXIST::FUNCTION:CAST
ENGINE_get_pkey_meth 3672 3_0_0 EXIST::FUNCTION:ENGINE
X509_SIG_INFO_get 4219 3_0_0 EXIST::FUNCTION:
X509_get_signature_info 4220 3_0_0 EXIST::FUNCTION:
X509_SIG_INFO_set 4221 3_0_0 EXIST::FUNCTION:
-ESS_CERT_ID_V2_free 4222 3_0_0 EXIST::FUNCTION:TS
-ESS_SIGNING_CERT_V2_new 4223 3_0_0 EXIST::FUNCTION:TS
-d2i_ESS_SIGNING_CERT_V2 4224 3_0_0 EXIST::FUNCTION:TS
-i2d_ESS_CERT_ID_V2 4225 3_0_0 EXIST::FUNCTION:TS
-ESS_CERT_ID_V2_dup 4226 3_0_0 EXIST::FUNCTION:TS
+ESS_CERT_ID_V2_free 4222 3_0_0 EXIST::FUNCTION:
+ESS_SIGNING_CERT_V2_new 4223 3_0_0 EXIST::FUNCTION:
+d2i_ESS_SIGNING_CERT_V2 4224 3_0_0 EXIST::FUNCTION:
+i2d_ESS_CERT_ID_V2 4225 3_0_0 EXIST::FUNCTION:
+ESS_CERT_ID_V2_dup 4226 3_0_0 EXIST::FUNCTION:
TS_RESP_CTX_set_ess_cert_id_digest 4227 3_0_0 EXIST::FUNCTION:TS
-d2i_ESS_CERT_ID_V2 4228 3_0_0 EXIST::FUNCTION:TS
-i2d_ESS_SIGNING_CERT_V2 4229 3_0_0 EXIST::FUNCTION:TS
+d2i_ESS_CERT_ID_V2 4228 3_0_0 EXIST::FUNCTION:
+i2d_ESS_SIGNING_CERT_V2 4229 3_0_0 EXIST::FUNCTION:
TS_CONF_set_ess_cert_id_digest 4230 3_0_0 EXIST::FUNCTION:TS
-ESS_SIGNING_CERT_V2_free 4231 3_0_0 EXIST::FUNCTION:TS
-ESS_SIGNING_CERT_V2_dup 4232 3_0_0 EXIST::FUNCTION:TS
-ESS_CERT_ID_V2_new 4233 3_0_0 EXIST::FUNCTION:TS
+ESS_SIGNING_CERT_V2_free 4231 3_0_0 EXIST::FUNCTION:
+ESS_SIGNING_CERT_V2_dup 4232 3_0_0 EXIST::FUNCTION:
+ESS_CERT_ID_V2_new 4233 3_0_0 EXIST::FUNCTION:
PEM_read_bio_ex 4234 3_0_0 EXIST::FUNCTION:
PEM_bytes_read_bio_secmem 4235 3_0_0 EXIST::FUNCTION:
EVP_DigestSign 4236 3_0_0 EXIST::FUNCTION:
ASYNC_WAIT_CTX_set_callback 4582 3_0_0 EXIST::FUNCTION:
ASYNC_WAIT_CTX_set_status 4583 3_0_0 EXIST::FUNCTION:
ASYNC_WAIT_CTX_get_status 4584 3_0_0 EXIST::FUNCTION:
+CMS_add1_signing_cert 4585 3_0_0 EXIST::FUNCTION:CMS
+CMS_add1_signing_cert_v2 4586 3_0_0 EXIST::FUNCTION:CMS
+ESS_SIGNING_CERT_new_init 4587 3_0_0 EXIST::FUNCTION:
+ESS_SIGNING_CERT_V2_new_init 4588 3_0_0 EXIST::FUNCTION:
+ERR_load_ESS_strings 4589 3_0_0 EXIST::FUNCTION: