From 170afce58d5c9ffc399892e19a52c5559e2db801 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Tue, 22 Jun 1999 13:33:22 +0000 Subject: [PATCH] New function PKCS7_signatureVerify to allow the signing certificate to be explicitly stated with PKCS#7 verify. Also fix for util/mkerr.pl: if the -nostatic option is being used this will be for an external library so the autogenerated C file should include the header file as: #include "any/path/to/header.h" rather than the internal library form: #include --- CHANGES | 8 +++++++ crypto/pkcs7/pk7_doit.c | 48 +++++++++++++++++++++++++++++------------ crypto/pkcs7/pkcs7.h | 3 +++ crypto/pkcs7/pkcs7err.c | 1 + util/libeay.num | 1 + util/mkerr.pl | 12 ++++++++--- 6 files changed, 56 insertions(+), 17 deletions(-) diff --git a/CHANGES b/CHANGES index 6dddf4a280..278eafbdac 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,14 @@ Changes between 0.9.3a and 0.9.4 + *) Add a new function PKCS7_signatureVerify. This allows the verification + of a PKCS#7 signature but with the signing certificate passed to the + function itself. This contrasts with PKCS7_dataVerify which assumes the + certificate is present in the PKCS#7 structure. This isn't always the + case: certificates can be omitted from a PKCS#7 structure and be + distributed by "out of band" means (such as a certificate database). + [Steve Henson] + *) Complete the PEM_* macros with DECLARE_PEM versions to replace the function prototypes in pem.h, also change util/mkdef.pl to add the necessary function names. diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c index 5481036f35..dee81b547a 100644 --- a/crypto/pkcs7/pk7_doit.c +++ b/crypto/pkcs7/pk7_doit.c @@ -626,18 +626,10 @@ err: int PKCS7_dataVerify(X509_STORE *cert_store, X509_STORE_CTX *ctx, BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si) { -/* PKCS7_SIGNED *s; */ - ASN1_OCTET_STRING *os; - EVP_MD_CTX mdc_tmp,*mdc; - unsigned char *pp,*p; PKCS7_ISSUER_AND_SERIAL *ias; int ret=0,i; - int md_type; - STACK_OF(X509_ATTRIBUTE) *sk; STACK_OF(X509) *cert; - BIO *btmp; X509 *x509; - EVP_PKEY *pkey; if (PKCS7_type_is_signed(p7)) { @@ -674,7 +666,30 @@ int PKCS7_dataVerify(X509_STORE *cert_store, X509_STORE_CTX *ctx, BIO *bio, } X509_STORE_CTX_cleanup(ctx); - /* So we like 'x509', lets check the signature. */ + return PKCS7_signatureVerify(bio, p7, si, x509); + err: + return ret; + } + +int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si, + X509 *x509) + { + ASN1_OCTET_STRING *os; + EVP_MD_CTX mdc_tmp,*mdc; + unsigned char *pp,*p; + int ret=0,i; + int md_type; + STACK_OF(X509_ATTRIBUTE) *sk; + BIO *btmp; + EVP_PKEY *pkey; + + if (!PKCS7_type_is_signed(p7) && + !PKCS7_type_is_signedAndEnveloped(p7)) { + PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, + PKCS7_R_WRONG_PKCS7_TYPE); + goto err; + } + md_type=OBJ_obj2nid(si->digest_alg->algorithm); btmp=bio; @@ -683,13 +698,15 @@ int PKCS7_dataVerify(X509_STORE *cert_store, X509_STORE_CTX *ctx, BIO *bio, if ((btmp == NULL) || ((btmp=BIO_find_type(btmp,BIO_TYPE_MD)) == NULL)) { - PKCS7err(PKCS7_F_PKCS7_DATAVERIFY,PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST); + PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, + PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST); goto err; } BIO_get_md_ctx(btmp,&mdc); if (mdc == NULL) { - PKCS7err(PKCS7_F_PKCS7_DATAVERIFY,PKCS7_R_INTERNAL_ERROR); + PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, + PKCS7_R_INTERNAL_ERROR); goto err; } if (EVP_MD_type(EVP_MD_CTX_type(mdc)) == md_type) @@ -712,7 +729,8 @@ int PKCS7_dataVerify(X509_STORE *cert_store, X509_STORE_CTX *ctx, BIO *bio, message_digest=PKCS7_digest_from_attributes(sk); if (!message_digest) { - PKCS7err(PKCS7_F_PKCS7_DATAVERIFY,PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST); + PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, + PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST); goto err; } if ((message_digest->length != (int)md_len) || @@ -726,7 +744,8 @@ for (ii=0; iilength; ii++) for (ii=0; ii$cfile") || die "Can't open $cfile for writing"; @@ -351,7 +357,7 @@ EOF #include #include -#include +#include $hincf /* BEGIN ERROR CODES */ #ifndef NO_ERR -- 2.25.1