From e85d19c68e7fb3302410bd72d434793e5c0c23a0 Mon Sep 17 00:00:00 2001 From: Antonio Iacono Date: Wed, 12 Dec 2018 23:08:49 +0100 Subject: [PATCH] crypto/cms: Add support for CAdES Basic Electronic Signatures (CAdES-BES) A CAdES Basic Electronic Signature (CAdES-BES) contains, among other specifications, a collection of Signing Certificate reference attributes, stored in the signedData ether as ESS signing-certificate or as ESS signing-certificate-v2. These are described in detail in Section 5.7.2 of RFC 5126 - CMS Advanced Electronic Signatures (CAdES). This patch adds support for adding ESS signing-certificate[-v2] attributes to CMS signedData. Although it implements only a small part of the RFC, it is sufficient many cases to enable the `openssl cms` app to create signatures which comply with legal requirements of some European States (e.g Italy). Reviewed-by: Richard Levitte Reviewed-by: Matthias St. Pierre (Merged from https://github.com/openssl/openssl/pull/7893) --- apps/cms.c | 8 +- crypto/build.info | 2 +- crypto/cms/cms_err.c | 4 + crypto/cms/cms_ess.c | 73 +++++++- crypto/cms/cms_sd.c | 21 +++ crypto/err/err.c | 1 + crypto/err/err_all.c | 2 + crypto/err/openssl.ec | 1 + crypto/err/openssl.txt | 19 +- crypto/ess/build.info | 3 + crypto/ess/ess_asn1.c | 57 ++++++ crypto/ess/ess_err.c | 53 ++++++ crypto/ess/ess_lib.c | 269 +++++++++++++++++++++++++++++ crypto/include/internal/ess_int.h | 78 +++++++++ crypto/ts/ts_asn1.c | 41 ----- crypto/ts/ts_err.c | 14 +- crypto/ts/ts_lcl.h | 61 ------- crypto/ts/ts_rsp_sign.c | 250 +-------------------------- crypto/ts/ts_rsp_verify.c | 32 +--- doc/man1/cms.pod | 41 +++++ doc/man3/CMS_add1_signing_cert.pod | 45 +++++ include/openssl/cms.h | 6 +- include/openssl/cmserr.h | 2 + include/openssl/err.h | 2 + include/openssl/ess.h | 80 +++++++++ include/openssl/esserr.h | 38 ++++ include/openssl/ts.h | 48 +---- include/openssl/tserr.h | 8 +- test/recipes/80-test_cms.t | 16 ++ util/libcrypto.num | 55 +++--- 30 files changed, 852 insertions(+), 478 deletions(-) create mode 100644 crypto/ess/build.info create mode 100644 crypto/ess/ess_asn1.c create mode 100644 crypto/ess/ess_err.c create mode 100644 crypto/ess/ess_lib.c create mode 100644 crypto/include/internal/ess_int.h create mode 100644 doc/man3/CMS_add1_signing_cert.pod create mode 100644 include/openssl/ess.h create mode 100644 include/openssl/esserr.h diff --git a/apps/cms.c b/apps/cms.c index 8402a272e2..b2037b4df2 100644 --- a/apps/cms.c +++ b/apps/cms.c @@ -1,5 +1,5 @@ /* - * Copyright 2008-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2008-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -65,7 +65,7 @@ struct cms_key_param_st { typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_ENCRYPT, - OPT_DECRYPT, OPT_SIGN, OPT_SIGN_RECEIPT, OPT_RESIGN, + OPT_DECRYPT, OPT_SIGN, OPT_CADES, OPT_SIGN_RECEIPT, OPT_RESIGN, OPT_VERIFY, OPT_VERIFY_RETCODE, OPT_VERIFY_RECEIPT, OPT_CMSOUT, OPT_DATA_OUT, OPT_DATA_CREATE, OPT_DIGEST_VERIFY, OPT_DIGEST_CREATE, OPT_COMPRESS, OPT_UNCOMPRESS, @@ -102,6 +102,7 @@ const OPTIONS cms_options[] = { {"sign", OPT_SIGN, '-', "Sign message"}, {"sign_receipt", OPT_SIGN_RECEIPT, '-', "Generate a signed receipt for the message"}, {"resign", OPT_RESIGN, '-', "Resign a signed message"}, + {"cades", OPT_CADES, '-', "Include signer certificate digest"}, {"verify", OPT_VERIFY, '-', "Verify signed message"}, {"verify_retcode", OPT_VERIFY_RETCODE, '-'}, {"verify_receipt", OPT_VERIFY_RECEIPT, '<'}, @@ -326,6 +327,9 @@ int cms_main(int argc, char **argv) case OPT_BINARY: flags |= CMS_BINARY; break; + case OPT_CADES: + flags |= CMS_CADES; + break; case OPT_KEYID: flags |= CMS_USE_KEYID; break; diff --git a/crypto/build.info b/crypto/build.info index a0bb90acb4..e014e0336e 100644 --- a/crypto/build.info +++ b/crypto/build.info @@ -5,7 +5,7 @@ SUBDIRS=objects buffer bio stack lhash rand evp asn1 pem x509 x509v3 conf \ md2 md4 md5 sha mdc2 gmac hmac ripemd whrlpool poly1305 blake2 \ siphash sm3 des aes rc2 rc4 rc5 idea aria bf cast camellia \ seed sm4 chacha modes bn ec rsa dsa dh sm2 dso engine \ - err comp ocsp cms ts srp cmac ct async kmac + err comp ocsp cms ts srp cmac ct async kmac ess LIBS=../libcrypto SOURCE[../libcrypto]=\ diff --git a/crypto/cms/cms_err.c b/crypto/cms/cms_err.c index 9596fab182..f7d4b7fd96 100644 --- a/crypto/cms/cms_err.c +++ b/crypto/cms/cms_err.c @@ -27,6 +27,10 @@ static const ERR_STRING_DATA CMS_str_functs[] = { {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_ADD1_SIGNER, 0), "CMS_add1_signer"}, {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_ADD1_SIGNINGTIME, 0), "cms_add1_signingTime"}, + {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_ADD1_SIGNING_CERT, 0), + "CMS_add1_signing_cert"}, + {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_ADD1_SIGNING_CERT_V2, 0), + "CMS_add1_signing_cert_v2"}, {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_COMPRESS, 0), "CMS_compress"}, {ERR_PACK(ERR_LIB_CMS, CMS_F_CMS_COMPRESSEDDATA_CREATE, 0), "cms_CompressedData_create"}, diff --git a/crypto/cms/cms_ess.c b/crypto/cms/cms_ess.c index 86e88ffbbe..95e3628d9c 100644 --- a/crypto/cms/cms_ess.c +++ b/crypto/cms/cms_ess.c @@ -1,5 +1,5 @@ /* - * Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2008-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -14,11 +14,13 @@ #include #include #include +#include #include "cms_lcl.h" +#include "internal/ess_int.h" IMPLEMENT_ASN1_FUNCTIONS(CMS_ReceiptRequest) -/* ESS services: for now just Signed Receipt related */ +/* ESS services */ int CMS_get1_ReceiptRequest(CMS_SignerInfo *si, CMS_ReceiptRequest **prr) { @@ -335,3 +337,70 @@ ASN1_OCTET_STRING *cms_encode_Receipt(CMS_SignerInfo *si) CMS_ReceiptRequest_free(rr); return os; } + +/* + * Add signer certificate's V2 digest to a SignerInfo + * structure + */ + +int CMS_add1_signing_cert_v2(CMS_SignerInfo *si, + ESS_SIGNING_CERT_V2 *sc) +{ + ASN1_STRING *seq = NULL; + unsigned char *p, *pp; + int len; + + /* Add SigningCertificateV2 signed attribute to the signer info. */ + len = i2d_ESS_SIGNING_CERT_V2(sc, NULL); + if ((pp = OPENSSL_malloc(len)) == NULL) + goto err; + p = pp; + i2d_ESS_SIGNING_CERT_V2(sc, &p); + if (!(seq = ASN1_STRING_new()) || !ASN1_STRING_set(seq, pp, len)) + goto err; + OPENSSL_free(pp); + pp = NULL; + if (!CMS_signed_add1_attr_by_NID(si, NID_id_smime_aa_signingCertificateV2, + V_ASN1_SEQUENCE, seq, -1)) + goto err; + ASN1_STRING_free(seq); + return 1; + err: + CMSerr(CMS_F_CMS_ADD1_SIGNING_CERT_V2, ERR_R_MALLOC_FAILURE); + ASN1_STRING_free(seq); + OPENSSL_free(pp); + return 0; +} + +/* + * Add signer certificate's digest to a SignerInfo + * structure + */ + +int CMS_add1_signing_cert(CMS_SignerInfo *si, ESS_SIGNING_CERT *sc) +{ + ASN1_STRING *seq = NULL; + unsigned char *p, *pp; + int len; + + /* Add SigningCertificate signed attribute to the signer info. */ + len = i2d_ESS_SIGNING_CERT(sc, NULL); + if ((pp = OPENSSL_malloc(len)) == NULL) + goto err; + p = pp; + i2d_ESS_SIGNING_CERT(sc, &p); + if (!(seq = ASN1_STRING_new()) || !ASN1_STRING_set(seq, pp, len)) + goto err; + OPENSSL_free(pp); + pp = NULL; + if (!CMS_signed_add1_attr_by_NID(si, NID_id_smime_aa_signingCertificate, + V_ASN1_SEQUENCE, seq, -1)) + goto err; + ASN1_STRING_free(seq); + return 1; + err: + CMSerr(CMS_F_CMS_ADD1_SIGNING_CERT, ERR_R_MALLOC_FAILURE); + ASN1_STRING_free(seq); + OPENSSL_free(pp); + return 0; +} diff --git a/crypto/cms/cms_sd.c b/crypto/cms/cms_sd.c index f4f872efe8..71b3041116 100644 --- a/crypto/cms/cms_sd.c +++ b/crypto/cms/cms_sd.c @@ -332,6 +332,27 @@ CMS_SignerInfo *CMS_add1_signer(CMS_ContentInfo *cms, !CMS_SignerInfo_sign(si)) goto err; } + if (flags & CMS_CADES) { + ESS_SIGNING_CERT *sc = NULL; + ESS_SIGNING_CERT_V2 *sc2 = NULL; + int add_sc; + + if (md == EVP_sha1() || md == NULL) { + if ((sc = ESS_SIGNING_CERT_new_init(signer, + NULL, 1)) == NULL) + goto err; + add_sc = CMS_add1_signing_cert(si, sc); + ESS_SIGNING_CERT_free(sc); + } else { + if ((sc2 = ESS_SIGNING_CERT_V2_new_init(md, signer, + NULL, 1)) == NULL) + goto err; + add_sc = CMS_add1_signing_cert_v2(si, sc2); + ESS_SIGNING_CERT_V2_free(sc2); + } + if (!add_sc) + goto err; + } } if (!(flags & CMS_NOCERTS)) { diff --git a/crypto/err/err.c b/crypto/err/err.c index 44e7115f9c..4505479772 100644 --- a/crypto/err/err.c +++ b/crypto/err/err.c @@ -64,6 +64,7 @@ static ERR_STRING_DATA ERR_str_libraries[] = { {ERR_PACK(ERR_LIB_KDF, 0, 0), "KDF routines"}, {ERR_PACK(ERR_LIB_OSSL_STORE, 0, 0), "STORE routines"}, {ERR_PACK(ERR_LIB_SM2, 0, 0), "SM2 routines"}, + {ERR_PACK(ERR_LIB_ESS, 0, 0), "ESS routines"}, {0, NULL}, }; diff --git a/crypto/err/err_all.c b/crypto/err/err_all.c index 83ceff5c2e..3911ecc5c9 100644 --- a/crypto/err/err_all.c +++ b/crypto/err/err_all.c @@ -38,6 +38,7 @@ #include #include #include +#include int err_load_crypto_strings_int(void) { @@ -91,6 +92,7 @@ int err_load_crypto_strings_int(void) # ifndef OPENSSL_NO_CT ERR_load_CT_strings() == 0 || # endif + ERR_load_ESS_strings() == 0 || ERR_load_ASYNC_strings() == 0 || #endif ERR_load_KDF_strings() == 0 || diff --git a/crypto/err/openssl.ec b/crypto/err/openssl.ec index 3e092eae0a..94d46d067b 100644 --- a/crypto/err/openssl.ec +++ b/crypto/err/openssl.ec @@ -34,6 +34,7 @@ L ASYNC include/openssl/async.h crypto/async/async_err.c L KDF include/openssl/kdf.h crypto/kdf/kdf_err.c L SM2 crypto/include/internal/sm2.h crypto/sm2/sm2_err.c L OSSL_STORE include/openssl/store.h crypto/store/store_err.c +L ESS include/openssl/ess.h crypto/ess/ess_err.c # additional header files to be scanned for function names L NONE include/openssl/x509_vfy.h NONE diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt index fba1dc31f1..0e133d6e7d 100644 --- a/crypto/err/openssl.txt +++ b/crypto/err/openssl.txt @@ -1,4 +1,4 @@ -# Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 1999-2019 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the Apache License 2.0 (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -242,6 +242,8 @@ CMS_F_CMS_ADD1_RECEIPTREQUEST:158:CMS_add1_ReceiptRequest CMS_F_CMS_ADD1_RECIPIENT_CERT:101:CMS_add1_recipient_cert CMS_F_CMS_ADD1_SIGNER:102:CMS_add1_signer CMS_F_CMS_ADD1_SIGNINGTIME:103:cms_add1_signingTime +CMS_F_CMS_ADD1_SIGNING_CERT:181:CMS_add1_signing_cert +CMS_F_CMS_ADD1_SIGNING_CERT_V2:182:CMS_add1_signing_cert_v2 CMS_F_CMS_COMPRESS:104:CMS_compress CMS_F_CMS_COMPRESSEDDATA_CREATE:105:cms_CompressedData_create CMS_F_CMS_COMPRESSEDDATA_INIT_BIO:106:cms_CompressedData_init_bio @@ -709,6 +711,12 @@ ENGINE_F_INT_CTRL_HELPER:172:int_ctrl_helper ENGINE_F_INT_ENGINE_CONFIGURE:188:int_engine_configure ENGINE_F_INT_ENGINE_MODULE_INIT:187:int_engine_module_init ENGINE_F_OSSL_HMAC_INIT:200:ossl_hmac_init +ESS_F_ESS_CERT_ID_NEW_INIT:100:ESS_CERT_ID_new_init +ESS_F_ESS_CERT_ID_V2_NEW_INIT:101:ESS_CERT_ID_V2_new_init +ESS_F_ESS_SIGNING_CERT_ADD:104:ESS_SIGNING_CERT_add +ESS_F_ESS_SIGNING_CERT_NEW_INIT:102:ESS_SIGNING_CERT_new_init +ESS_F_ESS_SIGNING_CERT_V2_ADD:105:ESS_SIGNING_CERT_V2_add +ESS_F_ESS_SIGNING_CERT_V2_NEW_INIT:103:ESS_SIGNING_CERT_V2_new_init EVP_F_AESNI_INIT_KEY:165:aesni_init_key EVP_F_AES_GCM_CTRL:196:aes_gcm_ctrl EVP_F_AES_GCM_TLS_CIPHER:207:aes_gcm_tls_cipher @@ -1558,12 +1566,6 @@ SSL_F_WPACKET_START_SUB_PACKET_LEN__:634:WPACKET_start_sub_packet_len__ SSL_F_WRITE_STATE_MACHINE:586:write_state_machine TS_F_DEF_SERIAL_CB:110:def_serial_cb TS_F_DEF_TIME_CB:111:def_time_cb -TS_F_ESS_ADD_SIGNING_CERT:112:ess_add_signing_cert -TS_F_ESS_ADD_SIGNING_CERT_V2:147:ess_add_signing_cert_v2 -TS_F_ESS_CERT_ID_NEW_INIT:113:ess_CERT_ID_new_init -TS_F_ESS_CERT_ID_V2_NEW_INIT:156:ess_cert_id_v2_new_init -TS_F_ESS_SIGNING_CERT_NEW_INIT:114:ess_SIGNING_CERT_new_init -TS_F_ESS_SIGNING_CERT_V2_NEW_INIT:157:ess_signing_cert_v2_new_init TS_F_INT_TS_RESP_VERIFY_TOKEN:149:int_ts_RESP_verify_token TS_F_PKCS7_TO_TS_TST_INFO:148:PKCS7_to_TS_TST_INFO TS_F_TS_ACCURACY_SET_MICROS:115:TS_ACCURACY_set_micros @@ -2223,6 +2225,9 @@ ENGINE_R_UNIMPLEMENTED_CIPHER:146:unimplemented cipher ENGINE_R_UNIMPLEMENTED_DIGEST:147:unimplemented digest ENGINE_R_UNIMPLEMENTED_PUBLIC_KEY_METHOD:101:unimplemented public key method ENGINE_R_VERSION_INCOMPATIBILITY:145:version incompatibility +ESS_R_ESS_SIGNING_CERTIFICATE_ERROR:102:ess signing certificate error +ESS_R_ESS_SIGNING_CERT_ADD_ERROR:100:ess signing cert add error +ESS_R_ESS_SIGNING_CERT_V2_ADD_ERROR:101:ess signing cert v2 add error EVP_R_AES_KEY_SETUP_FAILED:143:aes key setup failed EVP_R_ARIA_KEY_SETUP_FAILED:176:aria key setup failed EVP_R_BAD_DECRYPT:100:bad decrypt diff --git a/crypto/ess/build.info b/crypto/ess/build.info new file mode 100644 index 0000000000..24fcecc8f5 --- /dev/null +++ b/crypto/ess/build.info @@ -0,0 +1,3 @@ +LIBS=../../libcrypto +SOURCE[../../libcrypto]= \ + ess_lib.c ess_asn1.c ess_err.c diff --git a/crypto/ess/ess_asn1.c b/crypto/ess/ess_asn1.c new file mode 100644 index 0000000000..d10746906a --- /dev/null +++ b/crypto/ess/ess_asn1.c @@ -0,0 +1,57 @@ +/* + * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include +#include +#include "internal/ess_int.h" + +/* ASN1 stuff for ESS Structure */ + +ASN1_SEQUENCE(ESS_ISSUER_SERIAL) = { + ASN1_SEQUENCE_OF(ESS_ISSUER_SERIAL, issuer, GENERAL_NAME), + ASN1_SIMPLE(ESS_ISSUER_SERIAL, serial, ASN1_INTEGER) +} static_ASN1_SEQUENCE_END(ESS_ISSUER_SERIAL) + +IMPLEMENT_ASN1_FUNCTIONS_const(ESS_ISSUER_SERIAL) +IMPLEMENT_ASN1_DUP_FUNCTION(ESS_ISSUER_SERIAL) + +ASN1_SEQUENCE(ESS_CERT_ID) = { + ASN1_SIMPLE(ESS_CERT_ID, hash, ASN1_OCTET_STRING), + ASN1_OPT(ESS_CERT_ID, issuer_serial, ESS_ISSUER_SERIAL) +} static_ASN1_SEQUENCE_END(ESS_CERT_ID) + +IMPLEMENT_ASN1_FUNCTIONS_const(ESS_CERT_ID) +IMPLEMENT_ASN1_DUP_FUNCTION(ESS_CERT_ID) + +ASN1_SEQUENCE(ESS_SIGNING_CERT) = { + ASN1_SEQUENCE_OF(ESS_SIGNING_CERT, cert_ids, ESS_CERT_ID), + ASN1_SEQUENCE_OF_OPT(ESS_SIGNING_CERT, policy_info, POLICYINFO) +} static_ASN1_SEQUENCE_END(ESS_SIGNING_CERT) + +IMPLEMENT_ASN1_FUNCTIONS_const(ESS_SIGNING_CERT) +IMPLEMENT_ASN1_DUP_FUNCTION(ESS_SIGNING_CERT) + +ASN1_SEQUENCE(ESS_CERT_ID_V2) = { + ASN1_OPT(ESS_CERT_ID_V2, hash_alg, X509_ALGOR), + ASN1_SIMPLE(ESS_CERT_ID_V2, hash, ASN1_OCTET_STRING), + ASN1_OPT(ESS_CERT_ID_V2, issuer_serial, ESS_ISSUER_SERIAL) +} static_ASN1_SEQUENCE_END(ESS_CERT_ID_V2) + +IMPLEMENT_ASN1_FUNCTIONS_const(ESS_CERT_ID_V2) +IMPLEMENT_ASN1_DUP_FUNCTION(ESS_CERT_ID_V2) + +ASN1_SEQUENCE(ESS_SIGNING_CERT_V2) = { + ASN1_SEQUENCE_OF(ESS_SIGNING_CERT_V2, cert_ids, ESS_CERT_ID_V2), + ASN1_SEQUENCE_OF_OPT(ESS_SIGNING_CERT_V2, policy_info, POLICYINFO) +} static_ASN1_SEQUENCE_END(ESS_SIGNING_CERT_V2) + +IMPLEMENT_ASN1_FUNCTIONS_const(ESS_SIGNING_CERT_V2) +IMPLEMENT_ASN1_DUP_FUNCTION(ESS_SIGNING_CERT_V2) diff --git a/crypto/ess/ess_err.c b/crypto/ess/ess_err.c new file mode 100644 index 0000000000..215b7f1ebc --- /dev/null +++ b/crypto/ess/ess_err.c @@ -0,0 +1,53 @@ +/* + * Generated by util/mkerr.pl DO NOT EDIT + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include + +#ifndef OPENSSL_NO_ERR + +static const ERR_STRING_DATA ESS_str_functs[] = { + {ERR_PACK(ERR_LIB_ESS, ESS_F_ESS_CERT_ID_NEW_INIT, 0), + "ESS_CERT_ID_new_init"}, + {ERR_PACK(ERR_LIB_ESS, ESS_F_ESS_CERT_ID_V2_NEW_INIT, 0), + "ESS_CERT_ID_V2_new_init"}, + {ERR_PACK(ERR_LIB_ESS, ESS_F_ESS_SIGNING_CERT_ADD, 0), + "ESS_SIGNING_CERT_add"}, + {ERR_PACK(ERR_LIB_ESS, ESS_F_ESS_SIGNING_CERT_NEW_INIT, 0), + "ESS_SIGNING_CERT_new_init"}, + {ERR_PACK(ERR_LIB_ESS, ESS_F_ESS_SIGNING_CERT_V2_ADD, 0), + "ESS_SIGNING_CERT_V2_add"}, + {ERR_PACK(ERR_LIB_ESS, ESS_F_ESS_SIGNING_CERT_V2_NEW_INIT, 0), + "ESS_SIGNING_CERT_V2_new_init"}, + {0, NULL} +}; + +static const ERR_STRING_DATA ESS_str_reasons[] = { + {ERR_PACK(ERR_LIB_ESS, 0, ESS_R_ESS_SIGNING_CERTIFICATE_ERROR), + "ess signing certificate error"}, + {ERR_PACK(ERR_LIB_ESS, 0, ESS_R_ESS_SIGNING_CERT_ADD_ERROR), + "ess signing cert add error"}, + {ERR_PACK(ERR_LIB_ESS, 0, ESS_R_ESS_SIGNING_CERT_V2_ADD_ERROR), + "ess signing cert v2 add error"}, + {0, NULL} +}; + +#endif + +int ERR_load_ESS_strings(void) +{ +#ifndef OPENSSL_NO_ERR + if (ERR_func_error_string(ESS_str_functs[0].error) == NULL) { + ERR_load_strings_const(ESS_str_functs); + ERR_load_strings_const(ESS_str_reasons); + } +#endif + return 1; +} diff --git a/crypto/ess/ess_lib.c b/crypto/ess/ess_lib.c new file mode 100644 index 0000000000..fa9cff18be --- /dev/null +++ b/crypto/ess/ess_lib.c @@ -0,0 +1,269 @@ +/* + * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include +#include +#include +#include "internal/ess_int.h" + +static ESS_CERT_ID *ESS_CERT_ID_new_init(X509 *cert, int issuer_needed); +static ESS_CERT_ID_V2 *ESS_CERT_ID_V2_new_init(const EVP_MD *hash_alg, + X509 *cert, int issuer_needed); + +ESS_SIGNING_CERT *ESS_SIGNING_CERT_new_init(X509 *signcert, + STACK_OF(X509) *certs, + int issuer_needed) +{ + ESS_CERT_ID *cid = NULL; + ESS_SIGNING_CERT *sc; + int i; + + if ((sc = ESS_SIGNING_CERT_new()) == NULL) + goto err; + if (sc->cert_ids == NULL + && (sc->cert_ids = sk_ESS_CERT_ID_new_null()) == NULL) + goto err; + + if ((cid = ESS_CERT_ID_new_init(signcert, issuer_needed)) == NULL + || !sk_ESS_CERT_ID_push(sc->cert_ids, cid)) + goto err; + for (i = 0; i < sk_X509_num(certs); ++i) { + X509 *cert = sk_X509_value(certs, i); + if ((cid = ESS_CERT_ID_new_init(cert, 1)) == NULL + || !sk_ESS_CERT_ID_push(sc->cert_ids, cid)) + goto err; + } + + return sc; + err: + ESS_SIGNING_CERT_free(sc); + ESS_CERT_ID_free(cid); + ESSerr(ESS_F_ESS_SIGNING_CERT_NEW_INIT, ERR_R_MALLOC_FAILURE); + return NULL; +} + +static ESS_CERT_ID *ESS_CERT_ID_new_init(X509 *cert, int issuer_needed) +{ + ESS_CERT_ID *cid = NULL; + GENERAL_NAME *name = NULL; + unsigned char cert_sha1[SHA_DIGEST_LENGTH]; + + /* Call for side-effect of computing hash and caching extensions */ + X509_check_purpose(cert, -1, 0); + if ((cid = ESS_CERT_ID_new()) == NULL) + goto err; + X509_digest(cert, EVP_sha1(), cert_sha1, NULL); + if (!ASN1_OCTET_STRING_set(cid->hash, cert_sha1, SHA_DIGEST_LENGTH)) + goto err; + + /* Setting the issuer/serial if requested. */ + if (!issuer_needed) + return cid; + + if (cid->issuer_serial == NULL + && (cid->issuer_serial = ESS_ISSUER_SERIAL_new()) == NULL) + goto err; + if ((name = GENERAL_NAME_new()) == NULL) + goto err; + name->type = GEN_DIRNAME; + if ((name->d.dirn = X509_NAME_dup(X509_get_issuer_name(cert))) == NULL) + goto err; + if (!sk_GENERAL_NAME_push(cid->issuer_serial->issuer, name)) + goto err; + name = NULL; /* Ownership is lost. */ + ASN1_INTEGER_free(cid->issuer_serial->serial); + if (!(cid->issuer_serial->serial = + ASN1_INTEGER_dup(X509_get_serialNumber(cert)))) + goto err; + + return cid; + err: + GENERAL_NAME_free(name); + ESS_CERT_ID_free(cid); + ESSerr(ESS_F_ESS_CERT_ID_NEW_INIT, ERR_R_MALLOC_FAILURE); + return NULL; +} + +ESS_SIGNING_CERT_V2 *ESS_SIGNING_CERT_V2_new_init(const EVP_MD *hash_alg, + X509 *signcert, + STACK_OF(X509) *certs, + int issuer_needed) +{ + ESS_CERT_ID_V2 *cid = NULL; + ESS_SIGNING_CERT_V2 *sc; + int i; + + if ((sc = ESS_SIGNING_CERT_V2_new()) == NULL) + goto err; + if ((cid = ESS_CERT_ID_V2_new_init(hash_alg, signcert, issuer_needed)) == NULL) + goto err; + if (!sk_ESS_CERT_ID_V2_push(sc->cert_ids, cid)) + goto err; + cid = NULL; + + for (i = 0; i < sk_X509_num(certs); ++i) { + X509 *cert = sk_X509_value(certs, i); + + if ((cid = ESS_CERT_ID_V2_new_init(hash_alg, cert, 1)) == NULL) + goto err; + if (!sk_ESS_CERT_ID_V2_push(sc->cert_ids, cid)) + goto err; + cid = NULL; + } + + return sc; + err: + ESS_SIGNING_CERT_V2_free(sc); + ESS_CERT_ID_V2_free(cid); + ESSerr(ESS_F_ESS_SIGNING_CERT_V2_NEW_INIT, ERR_R_MALLOC_FAILURE); + return NULL; +} + +static ESS_CERT_ID_V2 *ESS_CERT_ID_V2_new_init(const EVP_MD *hash_alg, + X509 *cert, int issuer_needed) +{ + ESS_CERT_ID_V2 *cid; + GENERAL_NAME *name = NULL; + unsigned char hash[EVP_MAX_MD_SIZE]; + unsigned int hash_len = sizeof(hash); + X509_ALGOR *alg = NULL; + + memset(hash, 0, sizeof(hash)); + + if ((cid = ESS_CERT_ID_V2_new()) == NULL) + goto err; + + if (hash_alg != EVP_sha256()) { + alg = X509_ALGOR_new(); + if (alg == NULL) + goto err; + X509_ALGOR_set_md(alg, hash_alg); + if (alg->algorithm == NULL) + goto err; + cid->hash_alg = alg; + alg = NULL; + } else { + cid->hash_alg = NULL; + } + + if (!X509_digest(cert, hash_alg, hash, &hash_len)) + goto err; + + if (!ASN1_OCTET_STRING_set(cid->hash, hash, hash_len)) + goto err; + + if (!issuer_needed) + return cid; + + if ((cid->issuer_serial = ESS_ISSUER_SERIAL_new()) == NULL) + goto err; + if ((name = GENERAL_NAME_new()) == NULL) + goto err; + name->type = GEN_DIRNAME; + if ((name->d.dirn = X509_NAME_dup(X509_get_issuer_name(cert))) == NULL) + goto err; + if (!sk_GENERAL_NAME_push(cid->issuer_serial->issuer, name)) + goto err; + name = NULL; /* Ownership is lost. */ + ASN1_INTEGER_free(cid->issuer_serial->serial); + cid->issuer_serial->serial = ASN1_INTEGER_dup(X509_get_serialNumber(cert)); + if (cid->issuer_serial->serial == NULL) + goto err; + + return cid; + err: + X509_ALGOR_free(alg); + GENERAL_NAME_free(name); + ESS_CERT_ID_V2_free(cid); + ESSerr(ESS_F_ESS_CERT_ID_V2_NEW_INIT, ERR_R_MALLOC_FAILURE); + return NULL; +} + +ESS_SIGNING_CERT *ESS_SIGNING_CERT_get(PKCS7_SIGNER_INFO *si) +{ + ASN1_TYPE *attr; + const unsigned char *p; + attr = PKCS7_get_signed_attribute(si, NID_id_smime_aa_signingCertificate); + if (!attr) + return NULL; + p = attr->value.sequence->data; + return d2i_ESS_SIGNING_CERT(NULL, &p, attr->value.sequence->length); +} + +ESS_SIGNING_CERT_V2 *ESS_SIGNING_CERT_V2_get(PKCS7_SIGNER_INFO *si) +{ + ASN1_TYPE *attr; + const unsigned char *p; + + attr = PKCS7_get_signed_attribute(si, NID_id_smime_aa_signingCertificateV2); + if (attr == NULL) + return NULL; + p = attr->value.sequence->data; + return d2i_ESS_SIGNING_CERT_V2(NULL, &p, attr->value.sequence->length); +} + +int ESS_SIGNING_CERT_add(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT *sc) +{ + ASN1_STRING *seq = NULL; + unsigned char *p, *pp = NULL; + int len; + + len = i2d_ESS_SIGNING_CERT(sc, NULL); + if ((pp = OPENSSL_malloc(len)) == NULL) { + ESSerr(ESS_F_ESS_SIGNING_CERT_ADD, ERR_R_MALLOC_FAILURE); + goto err; + } + p = pp; + i2d_ESS_SIGNING_CERT(sc, &p); + if ((seq = ASN1_STRING_new()) == NULL || !ASN1_STRING_set(seq, pp, len)) { + ESSerr(ESS_F_ESS_SIGNING_CERT_ADD, ERR_R_MALLOC_FAILURE); + goto err; + } + OPENSSL_free(pp); + pp = NULL; + return PKCS7_add_signed_attribute(si, + NID_id_smime_aa_signingCertificate, + V_ASN1_SEQUENCE, seq); + err: + ASN1_STRING_free(seq); + OPENSSL_free(pp); + + return 0; +} + +int ESS_SIGNING_CERT_V2_add(PKCS7_SIGNER_INFO *si, + ESS_SIGNING_CERT_V2 *sc) +{ + ASN1_STRING *seq = NULL; + unsigned char *p, *pp = NULL; + int len = i2d_ESS_SIGNING_CERT_V2(sc, NULL); + + if ((pp = OPENSSL_malloc(len)) == NULL) { + ESSerr(ESS_F_ESS_SIGNING_CERT_V2_ADD, ERR_R_MALLOC_FAILURE); + goto err; + } + + p = pp; + i2d_ESS_SIGNING_CERT_V2(sc, &p); + if ((seq = ASN1_STRING_new()) == NULL || !ASN1_STRING_set(seq, pp, len)) { + ESSerr(ESS_F_ESS_SIGNING_CERT_V2_ADD, ERR_R_MALLOC_FAILURE); + goto err; + } + + OPENSSL_free(pp); + pp = NULL; + return PKCS7_add_signed_attribute(si, + NID_id_smime_aa_signingCertificateV2, + V_ASN1_SEQUENCE, seq); + err: + ASN1_STRING_free(seq); + OPENSSL_free(pp); + return 0; +} diff --git a/crypto/include/internal/ess_int.h b/crypto/include/internal/ess_int.h new file mode 100644 index 0000000000..26476ae984 --- /dev/null +++ b/crypto/include/internal/ess_int.h @@ -0,0 +1,78 @@ +/* + * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* internal ESS related stuff */ + +ESS_SIGNING_CERT *ESS_SIGNING_CERT_get(PKCS7_SIGNER_INFO *si); +int ESS_SIGNING_CERT_add(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT *sc); + +ESS_SIGNING_CERT_V2 *ESS_SIGNING_CERT_V2_get(PKCS7_SIGNER_INFO *si); +int ESS_SIGNING_CERT_V2_add(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT_V2 *sc); + +/*- + * IssuerSerial ::= SEQUENCE { + * issuer GeneralNames, + * serialNumber CertificateSerialNumber + * } + */ + +struct ESS_issuer_serial { + STACK_OF(GENERAL_NAME) *issuer; + ASN1_INTEGER *serial; +}; + +/*- + * ESSCertID ::= SEQUENCE { + * certHash Hash, + * issuerSerial IssuerSerial OPTIONAL + * } + */ + +struct ESS_cert_id { + ASN1_OCTET_STRING *hash; /* Always SHA-1 digest. */ + ESS_ISSUER_SERIAL *issuer_serial; +}; + +/*- + * SigningCertificate ::= SEQUENCE { + * certs SEQUENCE OF ESSCertID, + * policies SEQUENCE OF PolicyInformation OPTIONAL + * } + */ + +struct ESS_signing_cert { + STACK_OF(ESS_CERT_ID) *cert_ids; + STACK_OF(POLICYINFO) *policy_info; +}; + +/*- + * ESSCertIDv2 ::= SEQUENCE { + * hashAlgorithm AlgorithmIdentifier DEFAULT id-sha256, + * certHash Hash, + * issuerSerial IssuerSerial OPTIONAL + * } + */ + +struct ESS_cert_id_v2_st { + X509_ALGOR *hash_alg; /* Default: SHA-256 */ + ASN1_OCTET_STRING *hash; + ESS_ISSUER_SERIAL *issuer_serial; +}; + +/*- + * SigningCertificateV2 ::= SEQUENCE { + * certs SEQUENCE OF ESSCertIDv2, + * policies SEQUENCE OF PolicyInformation OPTIONAL + * } + */ + +struct ESS_signing_cert_v2_st { + STACK_OF(ESS_CERT_ID_V2) *cert_ids; + STACK_OF(POLICYINFO) *policy_info; +}; diff --git a/crypto/ts/ts_asn1.c b/crypto/ts/ts_asn1.c index 0db78b1e4f..5a588413bc 100644 --- a/crypto/ts/ts_asn1.c +++ b/crypto/ts/ts_asn1.c @@ -201,47 +201,6 @@ int i2d_TS_RESP_fp(FILE *fp, TS_RESP *a) } #endif -ASN1_SEQUENCE(ESS_ISSUER_SERIAL) = { - ASN1_SEQUENCE_OF(ESS_ISSUER_SERIAL, issuer, GENERAL_NAME), - ASN1_SIMPLE(ESS_ISSUER_SERIAL, serial, ASN1_INTEGER) -} static_ASN1_SEQUENCE_END(ESS_ISSUER_SERIAL) - -IMPLEMENT_ASN1_FUNCTIONS_const(ESS_ISSUER_SERIAL) -IMPLEMENT_ASN1_DUP_FUNCTION(ESS_ISSUER_SERIAL) - -ASN1_SEQUENCE(ESS_CERT_ID) = { - ASN1_SIMPLE(ESS_CERT_ID, hash, ASN1_OCTET_STRING), - ASN1_OPT(ESS_CERT_ID, issuer_serial, ESS_ISSUER_SERIAL) -} static_ASN1_SEQUENCE_END(ESS_CERT_ID) - -IMPLEMENT_ASN1_FUNCTIONS_const(ESS_CERT_ID) -IMPLEMENT_ASN1_DUP_FUNCTION(ESS_CERT_ID) - -ASN1_SEQUENCE(ESS_SIGNING_CERT) = { - ASN1_SEQUENCE_OF(ESS_SIGNING_CERT, cert_ids, ESS_CERT_ID), - ASN1_SEQUENCE_OF_OPT(ESS_SIGNING_CERT, policy_info, POLICYINFO) -} static_ASN1_SEQUENCE_END(ESS_SIGNING_CERT) - -IMPLEMENT_ASN1_FUNCTIONS_const(ESS_SIGNING_CERT) -IMPLEMENT_ASN1_DUP_FUNCTION(ESS_SIGNING_CERT) - -ASN1_SEQUENCE(ESS_CERT_ID_V2) = { - ASN1_OPT(ESS_CERT_ID_V2, hash_alg, X509_ALGOR), - ASN1_SIMPLE(ESS_CERT_ID_V2, hash, ASN1_OCTET_STRING), - ASN1_OPT(ESS_CERT_ID_V2, issuer_serial, ESS_ISSUER_SERIAL) -} static_ASN1_SEQUENCE_END(ESS_CERT_ID_V2) - -IMPLEMENT_ASN1_FUNCTIONS_const(ESS_CERT_ID_V2) -IMPLEMENT_ASN1_DUP_FUNCTION(ESS_CERT_ID_V2) - -ASN1_SEQUENCE(ESS_SIGNING_CERT_V2) = { - ASN1_SEQUENCE_OF(ESS_SIGNING_CERT_V2, cert_ids, ESS_CERT_ID_V2), - ASN1_SEQUENCE_OF_OPT(ESS_SIGNING_CERT_V2, policy_info, POLICYINFO) -} static_ASN1_SEQUENCE_END(ESS_SIGNING_CERT_V2) - -IMPLEMENT_ASN1_FUNCTIONS_const(ESS_SIGNING_CERT_V2) -IMPLEMENT_ASN1_DUP_FUNCTION(ESS_SIGNING_CERT_V2) - /* Getting encapsulated TS_TST_INFO object from PKCS7. */ TS_TST_INFO *PKCS7_to_TS_TST_INFO(PKCS7 *token) { diff --git a/crypto/ts/ts_err.c b/crypto/ts/ts_err.c index cb89efb0d2..c971d477a6 100644 --- a/crypto/ts/ts_err.c +++ b/crypto/ts/ts_err.c @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -16,18 +16,6 @@ static const ERR_STRING_DATA TS_str_functs[] = { {ERR_PACK(ERR_LIB_TS, TS_F_DEF_SERIAL_CB, 0), "def_serial_cb"}, {ERR_PACK(ERR_LIB_TS, TS_F_DEF_TIME_CB, 0), "def_time_cb"}, - {ERR_PACK(ERR_LIB_TS, TS_F_ESS_ADD_SIGNING_CERT, 0), - "ess_add_signing_cert"}, - {ERR_PACK(ERR_LIB_TS, TS_F_ESS_ADD_SIGNING_CERT_V2, 0), - "ess_add_signing_cert_v2"}, - {ERR_PACK(ERR_LIB_TS, TS_F_ESS_CERT_ID_NEW_INIT, 0), - "ess_CERT_ID_new_init"}, - {ERR_PACK(ERR_LIB_TS, TS_F_ESS_CERT_ID_V2_NEW_INIT, 0), - "ess_cert_id_v2_new_init"}, - {ERR_PACK(ERR_LIB_TS, TS_F_ESS_SIGNING_CERT_NEW_INIT, 0), - "ess_SIGNING_CERT_new_init"}, - {ERR_PACK(ERR_LIB_TS, TS_F_ESS_SIGNING_CERT_V2_NEW_INIT, 0), - "ess_signing_cert_v2_new_init"}, {ERR_PACK(ERR_LIB_TS, TS_F_INT_TS_RESP_VERIFY_TOKEN, 0), "int_ts_RESP_verify_token"}, {ERR_PACK(ERR_LIB_TS, TS_F_PKCS7_TO_TS_TST_INFO, 0), diff --git a/crypto/ts/ts_lcl.h b/crypto/ts/ts_lcl.h index 967ea06943..320173376a 100644 --- a/crypto/ts/ts_lcl.h +++ b/crypto/ts/ts_lcl.h @@ -98,67 +98,6 @@ struct TS_status_info_st { ASN1_BIT_STRING *failure_info; }; -/*- - * IssuerSerial ::= SEQUENCE { - * issuer GeneralNames, - * serialNumber CertificateSerialNumber - * } - */ -struct ESS_issuer_serial { - STACK_OF(GENERAL_NAME) *issuer; - ASN1_INTEGER *serial; -}; - -/*- - * ESSCertID ::= SEQUENCE { - * certHash Hash, - * issuerSerial IssuerSerial OPTIONAL - * } - */ -struct ESS_cert_id { - ASN1_OCTET_STRING *hash; /* Always SHA-1 digest. */ - ESS_ISSUER_SERIAL *issuer_serial; -}; - -/*- - * SigningCertificate ::= SEQUENCE { - * certs SEQUENCE OF ESSCertID, - * policies SEQUENCE OF PolicyInformation OPTIONAL - * } - */ -struct ESS_signing_cert { - STACK_OF(ESS_CERT_ID) *cert_ids; - STACK_OF(POLICYINFO) *policy_info; -}; - -/*- - * ESSCertIDv2 ::= SEQUENCE { - * hashAlgorithm AlgorithmIdentifier - * DEFAULT {algorithm id-sha256}, - * certHash Hash, - * issuerSerial IssuerSerial OPTIONAL - * } - */ - -struct ESS_cert_id_v2_st { - X509_ALGOR *hash_alg; /* Default: SHA-256 */ - ASN1_OCTET_STRING *hash; - ESS_ISSUER_SERIAL *issuer_serial; -}; - -/*- - * SigningCertificateV2 ::= SEQUENCE { - * certs SEQUENCE OF ESSCertIDv2, - * policies SEQUENCE OF PolicyInformation OPTIONAL - * } - */ - -struct ESS_signing_cert_v2_st { - STACK_OF(ESS_CERT_ID_V2) *cert_ids; - STACK_OF(POLICYINFO) *policy_info; -}; - - struct TS_resp_ctx { X509 *signer_cert; EVP_PKEY *signer_key; diff --git a/crypto/ts/ts_rsp_sign.c b/crypto/ts/ts_rsp_sign.c index 27fa4f56b9..7791fc73c8 100644 --- a/crypto/ts/ts_rsp_sign.c +++ b/crypto/ts/ts_rsp_sign.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -15,6 +15,7 @@ #include #include #include "ts_lcl.h" +#include "internal/ess_int.h" static ASN1_INTEGER *def_serial_cb(struct TS_resp_ctx *, void *); static int def_time_cb(struct TS_resp_ctx *, void *, long *sec, long *usec); @@ -29,20 +30,7 @@ static TS_TST_INFO *ts_RESP_create_tst_info(TS_RESP_CTX *ctx, static int ts_RESP_process_extensions(TS_RESP_CTX *ctx); static int ts_RESP_sign(TS_RESP_CTX *ctx); -static ESS_SIGNING_CERT *ess_SIGNING_CERT_new_init(X509 *signcert, - STACK_OF(X509) *certs); -static ESS_CERT_ID *ess_CERT_ID_new_init(X509 *cert, int issuer_needed); static int ts_TST_INFO_content_new(PKCS7 *p7); -static int ess_add_signing_cert(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT *sc); - -static ESS_SIGNING_CERT_V2 *ess_signing_cert_v2_new_init(const EVP_MD *hash_alg, - X509 *signcert, - STACK_OF(X509) - *certs); -static ESS_CERT_ID_V2 *ess_cert_id_v2_new_init(const EVP_MD *hash_alg, - X509 *cert, int issuer_needed); -static int ess_add_signing_cert_v2(PKCS7_SIGNER_INFO *si, - ESS_SIGNING_CERT_V2 *sc); static ASN1_GENERALIZEDTIME *TS_RESP_set_genTime_with_precision(ASN1_GENERALIZEDTIME *, long, long, @@ -681,20 +669,20 @@ static int ts_RESP_sign(TS_RESP_CTX *ctx) certs = ctx->flags & TS_ESS_CERT_ID_CHAIN ? ctx->certs : NULL; if (ctx->ess_cert_id_digest == NULL || ctx->ess_cert_id_digest == EVP_sha1()) { - if ((sc = ess_SIGNING_CERT_new_init(ctx->signer_cert, certs)) == NULL) + if ((sc = ESS_SIGNING_CERT_new_init(ctx->signer_cert, certs, 0)) == NULL) goto err; - if (!ess_add_signing_cert(si, sc)) { + if (!ESS_SIGNING_CERT_add(si, sc)) { TSerr(TS_F_TS_RESP_SIGN, TS_R_ESS_ADD_SIGNING_CERT_ERROR); goto err; } } else { - sc2 = ess_signing_cert_v2_new_init(ctx->ess_cert_id_digest, - ctx->signer_cert, certs); + sc2 = ESS_SIGNING_CERT_V2_new_init(ctx->ess_cert_id_digest, + ctx->signer_cert, certs, 0); if (sc2 == NULL) goto err; - if (!ess_add_signing_cert_v2(si, sc2)) { + if (!ESS_SIGNING_CERT_V2_add(si, sc2)) { TSerr(TS_F_TS_RESP_SIGN, TS_R_ESS_ADD_SIGNING_CERT_V2_ERROR); goto err; } @@ -731,77 +719,6 @@ static int ts_RESP_sign(TS_RESP_CTX *ctx) return ret; } -static ESS_SIGNING_CERT *ess_SIGNING_CERT_new_init(X509 *signcert, - STACK_OF(X509) *certs) -{ - ESS_CERT_ID *cid; - ESS_SIGNING_CERT *sc = NULL; - int i; - - if ((sc = ESS_SIGNING_CERT_new()) == NULL) - goto err; - if (sc->cert_ids == NULL - && (sc->cert_ids = sk_ESS_CERT_ID_new_null()) == NULL) - goto err; - - if ((cid = ess_CERT_ID_new_init(signcert, 0)) == NULL - || !sk_ESS_CERT_ID_push(sc->cert_ids, cid)) - goto err; - for (i = 0; i < sk_X509_num(certs); ++i) { - X509 *cert = sk_X509_value(certs, i); - if ((cid = ess_CERT_ID_new_init(cert, 1)) == NULL - || !sk_ESS_CERT_ID_push(sc->cert_ids, cid)) - goto err; - } - - return sc; - err: - ESS_SIGNING_CERT_free(sc); - TSerr(TS_F_ESS_SIGNING_CERT_NEW_INIT, ERR_R_MALLOC_FAILURE); - return NULL; -} - -static ESS_CERT_ID *ess_CERT_ID_new_init(X509 *cert, int issuer_needed) -{ - ESS_CERT_ID *cid = NULL; - GENERAL_NAME *name = NULL; - unsigned char cert_sha1[SHA_DIGEST_LENGTH]; - - /* Call for side-effect of computing hash and caching extensions */ - X509_check_purpose(cert, -1, 0); - if ((cid = ESS_CERT_ID_new()) == NULL) - goto err; - X509_digest(cert, EVP_sha1(), cert_sha1, NULL); - if (!ASN1_OCTET_STRING_set(cid->hash, cert_sha1, SHA_DIGEST_LENGTH)) - goto err; - - /* Setting the issuer/serial if requested. */ - if (issuer_needed) { - if (cid->issuer_serial == NULL - && (cid->issuer_serial = ESS_ISSUER_SERIAL_new()) == NULL) - goto err; - if ((name = GENERAL_NAME_new()) == NULL) - goto err; - name->type = GEN_DIRNAME; - if ((name->d.dirn = X509_NAME_dup(X509_get_issuer_name(cert))) == NULL) - goto err; - if (!sk_GENERAL_NAME_push(cid->issuer_serial->issuer, name)) - goto err; - name = NULL; /* Ownership is lost. */ - ASN1_INTEGER_free(cid->issuer_serial->serial); - if (!(cid->issuer_serial->serial = - ASN1_INTEGER_dup(X509_get_serialNumber(cert)))) - goto err; - } - - return cid; - err: - GENERAL_NAME_free(name); - ESS_CERT_ID_free(cid); - TSerr(TS_F_ESS_CERT_ID_NEW_INIT, ERR_R_MALLOC_FAILURE); - return NULL; -} - static int ts_TST_INFO_content_new(PKCS7 *p7) { PKCS7 *ret = NULL; @@ -829,159 +746,6 @@ static int ts_TST_INFO_content_new(PKCS7 *p7) return 0; } -static int ess_add_signing_cert(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT *sc) -{ - ASN1_STRING *seq = NULL; - unsigned char *p, *pp = NULL; - int len; - - len = i2d_ESS_SIGNING_CERT(sc, NULL); - if ((pp = OPENSSL_malloc(len)) == NULL) { - TSerr(TS_F_ESS_ADD_SIGNING_CERT, ERR_R_MALLOC_FAILURE); - goto err; - } - p = pp; - i2d_ESS_SIGNING_CERT(sc, &p); - if ((seq = ASN1_STRING_new()) == NULL || !ASN1_STRING_set(seq, pp, len)) { - TSerr(TS_F_ESS_ADD_SIGNING_CERT, ERR_R_MALLOC_FAILURE); - goto err; - } - OPENSSL_free(pp); - pp = NULL; - return PKCS7_add_signed_attribute(si, - NID_id_smime_aa_signingCertificate, - V_ASN1_SEQUENCE, seq); - err: - ASN1_STRING_free(seq); - OPENSSL_free(pp); - - return 0; -} - -static ESS_SIGNING_CERT_V2 *ess_signing_cert_v2_new_init(const EVP_MD *hash_alg, - X509 *signcert, - STACK_OF(X509) *certs) -{ - ESS_CERT_ID_V2 *cid = NULL; - ESS_SIGNING_CERT_V2 *sc = NULL; - int i; - - if ((sc = ESS_SIGNING_CERT_V2_new()) == NULL) - goto err; - if ((cid = ess_cert_id_v2_new_init(hash_alg, signcert, 0)) == NULL) - goto err; - if (!sk_ESS_CERT_ID_V2_push(sc->cert_ids, cid)) - goto err; - cid = NULL; - - for (i = 0; i < sk_X509_num(certs); ++i) { - X509 *cert = sk_X509_value(certs, i); - - if ((cid = ess_cert_id_v2_new_init(hash_alg, cert, 1)) == NULL) - goto err; - if (!sk_ESS_CERT_ID_V2_push(sc->cert_ids, cid)) - goto err; - cid = NULL; - } - - return sc; - err: - ESS_SIGNING_CERT_V2_free(sc); - ESS_CERT_ID_V2_free(cid); - TSerr(TS_F_ESS_SIGNING_CERT_V2_NEW_INIT, ERR_R_MALLOC_FAILURE); - return NULL; -} - -static ESS_CERT_ID_V2 *ess_cert_id_v2_new_init(const EVP_MD *hash_alg, - X509 *cert, int issuer_needed) -{ - ESS_CERT_ID_V2 *cid = NULL; - GENERAL_NAME *name = NULL; - unsigned char hash[EVP_MAX_MD_SIZE]; - unsigned int hash_len = sizeof(hash); - X509_ALGOR *alg = NULL; - - memset(hash, 0, sizeof(hash)); - - if ((cid = ESS_CERT_ID_V2_new()) == NULL) - goto err; - - if (hash_alg != EVP_sha256()) { - alg = X509_ALGOR_new(); - if (alg == NULL) - goto err; - X509_ALGOR_set_md(alg, hash_alg); - if (alg->algorithm == NULL) - goto err; - cid->hash_alg = alg; - alg = NULL; - } else { - cid->hash_alg = NULL; - } - - if (!X509_digest(cert, hash_alg, hash, &hash_len)) - goto err; - - if (!ASN1_OCTET_STRING_set(cid->hash, hash, hash_len)) - goto err; - - if (issuer_needed) { - if ((cid->issuer_serial = ESS_ISSUER_SERIAL_new()) == NULL) - goto err; - if ((name = GENERAL_NAME_new()) == NULL) - goto err; - name->type = GEN_DIRNAME; - if ((name->d.dirn = X509_NAME_dup(X509_get_issuer_name(cert))) == NULL) - goto err; - if (!sk_GENERAL_NAME_push(cid->issuer_serial->issuer, name)) - goto err; - name = NULL; /* Ownership is lost. */ - ASN1_INTEGER_free(cid->issuer_serial->serial); - cid->issuer_serial->serial = - ASN1_INTEGER_dup(X509_get_serialNumber(cert)); - if (cid->issuer_serial->serial == NULL) - goto err; - } - - return cid; - err: - X509_ALGOR_free(alg); - GENERAL_NAME_free(name); - ESS_CERT_ID_V2_free(cid); - TSerr(TS_F_ESS_CERT_ID_V2_NEW_INIT, ERR_R_MALLOC_FAILURE); - return NULL; -} - -static int ess_add_signing_cert_v2(PKCS7_SIGNER_INFO *si, - ESS_SIGNING_CERT_V2 *sc) -{ - ASN1_STRING *seq = NULL; - unsigned char *p, *pp = NULL; - int len = i2d_ESS_SIGNING_CERT_V2(sc, NULL); - - if ((pp = OPENSSL_malloc(len)) == NULL) { - TSerr(TS_F_ESS_ADD_SIGNING_CERT_V2, ERR_R_MALLOC_FAILURE); - goto err; - } - - p = pp; - i2d_ESS_SIGNING_CERT_V2(sc, &p); - if ((seq = ASN1_STRING_new()) == NULL || !ASN1_STRING_set(seq, pp, len)) { - TSerr(TS_F_ESS_ADD_SIGNING_CERT_V2, ERR_R_MALLOC_FAILURE); - goto err; - } - - OPENSSL_free(pp); - pp = NULL; - return PKCS7_add_signed_attribute(si, - NID_id_smime_aa_signingCertificateV2, - V_ASN1_SEQUENCE, seq); - err: - ASN1_STRING_free(seq); - OPENSSL_free(pp); - return 0; -} - static ASN1_GENERALIZEDTIME *TS_RESP_set_genTime_with_precision( ASN1_GENERALIZEDTIME *asn1_time, long sec, long usec, unsigned precision) diff --git a/crypto/ts/ts_rsp_verify.c b/crypto/ts/ts_rsp_verify.c index facc4b580a..e658354eb3 100644 --- a/crypto/ts/ts_rsp_verify.c +++ b/crypto/ts/ts_rsp_verify.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -13,12 +13,12 @@ #include #include #include "ts_lcl.h" +#include "internal/ess_int.h" static int ts_verify_cert(X509_STORE *store, STACK_OF(X509) *untrusted, X509 *signer, STACK_OF(X509) **chain); static int ts_check_signing_certs(PKCS7_SIGNER_INFO *si, STACK_OF(X509) *chain); -static ESS_SIGNING_CERT *ess_get_signing_cert(PKCS7_SIGNER_INFO *si); static int ts_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert); static int ts_issuer_serial_cmp(ESS_ISSUER_SERIAL *is, X509 *cert); static int int_ts_RESP_verify_token(TS_VERIFY_CTX *ctx, @@ -38,7 +38,6 @@ static int ts_check_signer_name(GENERAL_NAME *tsa_name, X509 *signer); static int ts_find_name(STACK_OF(GENERAL_NAME) *gen_names, GENERAL_NAME *name); static int ts_find_cert_v2(STACK_OF(ESS_CERT_ID_V2) *cert_ids, X509 *cert); -static ESS_SIGNING_CERT_V2 *ess_get_signing_cert_v2(PKCS7_SIGNER_INFO *si); /* * This must be large enough to hold all values in ts_status_text (with @@ -201,9 +200,9 @@ end: static int ts_check_signing_certs(PKCS7_SIGNER_INFO *si, STACK_OF(X509) *chain) { - ESS_SIGNING_CERT *ss = ess_get_signing_cert(si); + ESS_SIGNING_CERT *ss = ESS_SIGNING_CERT_get(si); STACK_OF(ESS_CERT_ID) *cert_ids = NULL; - ESS_SIGNING_CERT_V2 *ssv2 = ess_get_signing_cert_v2(si); + ESS_SIGNING_CERT_V2 *ssv2 = ESS_SIGNING_CERT_V2_get(si); STACK_OF(ESS_CERT_ID_V2) *cert_ids_v2 = NULL; X509 *cert; int i = 0; @@ -257,29 +256,6 @@ static int ts_check_signing_certs(PKCS7_SIGNER_INFO *si, return ret; } -static ESS_SIGNING_CERT *ess_get_signing_cert(PKCS7_SIGNER_INFO *si) -{ - ASN1_TYPE *attr; - const unsigned char *p; - attr = PKCS7_get_signed_attribute(si, NID_id_smime_aa_signingCertificate); - if (!attr) - return NULL; - p = attr->value.sequence->data; - return d2i_ESS_SIGNING_CERT(NULL, &p, attr->value.sequence->length); -} - -static ESS_SIGNING_CERT_V2 *ess_get_signing_cert_v2(PKCS7_SIGNER_INFO *si) -{ - ASN1_TYPE *attr; - const unsigned char *p; - - attr = PKCS7_get_signed_attribute(si, NID_id_smime_aa_signingCertificateV2); - if (attr == NULL) - return NULL; - p = attr->value.sequence->data; - return d2i_ESS_SIGNING_CERT_V2(NULL, &p, attr->value.sequence->length); -} - /* Returns < 0 if certificate is not found, certificate index otherwise. */ static int ts_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert) { diff --git a/doc/man1/cms.pod b/doc/man1/cms.pod index 3d360e4262..b2031c6a7a 100644 --- a/doc/man1/cms.pod +++ b/doc/man1/cms.pod @@ -15,6 +15,7 @@ B B [B<-verify>] [B<-cmsout>] [B<-resign>] +[B<-cades>] [B<-data_create>] [B<-data_out>] [B<-digest_create>] @@ -158,6 +159,12 @@ Takes an input message and writes out a PEM encoded CMS structure. Resign a message: take an existing message and one or more new signers. +=item B<-cades> + +Add an ESS signing-certificate or ESS signing-certificate-v2 signed-attribute to the SignerInfo, in order to make +the signature comply with the requirements for a CAdES Basic Electronic Signature (CAdES-BES). See the NOTES +section for more details. + =item B<-data_create> Create a CMS B type. @@ -553,6 +560,40 @@ The B<-debug_decrypt> option can be used to disable the MMA attack protection and return an error if no recipient can be found: this option should be used with caution. For a fuller description see L). +=head1 CAdES Basic Electronic Signature (CAdES-BES) + +A CAdES Basic Electronic Signature (CAdES-BES), as defined in the European Standard ETSI EN 319 122-1 V1.1.1, contains: + +=over 4 + +=item * + +The signed user data as defined in CMS (RFC 3852); + +=item * + +Content-type of the EncapsulatedContentInfo value being signed; + +=item * + +Message-digest of the eContent OCTET STRING within encapContentInfo being signed; + +=item * + +An ESS signing-certificate or ESS signing-certificate-v2 attribute, as defined in Enhanced Security Services (ESS), RFC 2634 and RFC 5035. +An ESS signing-certificate attribute only allows for the use of SHA-1 as a digest algorithm. +An ESS signing-certificate-v2 attribute allows for the use of any digest algorithm. + +=item * + +The digital signature value computed on the user data and, when present, on the signed attributes. + +Note that currently the B<-cades> option applies only to the B<-sign> operation and is ignored during +the B<-verify> operation, i.e. the signing certification is not checked during the verification process. +This feature might be added in a future version. + +=back + =head1 EXIT CODES =over 4 diff --git a/doc/man3/CMS_add1_signing_cert.pod b/doc/man3/CMS_add1_signing_cert.pod new file mode 100644 index 0000000000..035e679d2c --- /dev/null +++ b/doc/man3/CMS_add1_signing_cert.pod @@ -0,0 +1,45 @@ +=pod + +=head1 NAME + +CMS_add1_signing_cert, CMS_add1_signing_cert_v2 +- add ESS signing-certificate signed attribute to a +CMS_SignerInfo data structure + +=head1 SYNOPSIS + + #include + + int CMS_add1_signing_cert(CMS_SignerInfo *si, ESS_SIGNING_CERT *sc); + + int CMS_add1_signing_cert_v2(CMS_SignerInfo *si, ESS_SIGNING_CERT_V2 *sc2); + +=head1 DESCRIPTION + +CMS_add1_signing_cert() adds an ESS Signing Certificate B (version 1) signed +attribute to the CMS_SignerInfo B. +CMS_add1_signing_cert_v2() adds an ESS Signing Certificate B (version 2) signed +attribute to the CMS_SignerInfo B. +The ESS Signing Certificate attributes version 1 and 2 are defined in RFC 5035 +which updates Section 5.4 of RFC 2634. + +=head1 NOTES + +This attribute is mandatory to make a CMS compliant with CAdES-BES +(European Standard ETSI EN 319 122-1 V1.1.1). +For a fuller description see L). + +=head1 RETURN VALUES + +CMS_add1_signing_cert() and CMS_add1_signing_cert_v2() return 1 if attribute is added or 0 if an error occurred. + +=head1 COPYRIGHT + +Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the Apache License 2.0 (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L. + +=cut diff --git a/include/openssl/cms.h b/include/openssl/cms.h index 901fdeb072..483895411e 100644 --- a/include/openssl/cms.h +++ b/include/openssl/cms.h @@ -1,5 +1,5 @@ /* - * Copyright 2008-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2008-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -16,6 +16,7 @@ # include # include # include +# include # ifdef __cplusplus extern "C" { # endif @@ -73,6 +74,7 @@ DECLARE_ASN1_PRINT_FUNCTION(CMS_ContentInfo) # define CMS_DEBUG_DECRYPT 0x20000 # define CMS_KEY_PARAM 0x40000 # define CMS_ASCIICRLF 0x80000 +# define CMS_CADES 0x100000 const ASN1_OBJECT *CMS_get0_type(const CMS_ContentInfo *cms); @@ -283,6 +285,8 @@ int CMS_unsigned_add1_attr_by_txt(CMS_SignerInfo *si, const void *bytes, int len); void *CMS_unsigned_get0_data_by_OBJ(CMS_SignerInfo *si, ASN1_OBJECT *oid, int lastpos, int type); +int CMS_add1_signing_cert(CMS_SignerInfo *si, ESS_SIGNING_CERT *sc); +int CMS_add1_signing_cert_v2(CMS_SignerInfo *si, ESS_SIGNING_CERT_V2 *sc); # ifdef HEADER_X509V3_H diff --git a/include/openssl/cmserr.h b/include/openssl/cmserr.h index d6cb489990..e7337f59dc 100644 --- a/include/openssl/cmserr.h +++ b/include/openssl/cmserr.h @@ -31,6 +31,8 @@ int ERR_load_CMS_strings(void); # define CMS_F_CMS_ADD1_RECIPIENT_CERT 101 # define CMS_F_CMS_ADD1_SIGNER 102 # define CMS_F_CMS_ADD1_SIGNINGTIME 103 +# define CMS_F_CMS_ADD1_SIGNING_CERT 181 +# define CMS_F_CMS_ADD1_SIGNING_CERT_V2 182 # define CMS_F_CMS_COMPRESS 104 # define CMS_F_CMS_COMPRESSEDDATA_CREATE 105 # define CMS_F_CMS_COMPRESSEDDATA_INIT_BIO 106 diff --git a/include/openssl/err.h b/include/openssl/err.h index 5b03814db1..ed3a2f0635 100644 --- a/include/openssl/err.h +++ b/include/openssl/err.h @@ -94,6 +94,7 @@ typedef struct err_state_st { # define ERR_LIB_ASYNC 51 # define ERR_LIB_KDF 52 # define ERR_LIB_SM2 53 +# define ERR_LIB_ESS 54 # define ERR_LIB_USER 128 @@ -133,6 +134,7 @@ typedef struct err_state_st { # define ASYNCerr(f,r) ERR_PUT_error(ERR_LIB_ASYNC,(f),(r),OPENSSL_FILE,OPENSSL_LINE) # define KDFerr(f,r) ERR_PUT_error(ERR_LIB_KDF,(f),(r),OPENSSL_FILE,OPENSSL_LINE) # define SM2err(f,r) ERR_PUT_error(ERR_LIB_SM2,(f),(r),OPENSSL_FILE,OPENSSL_LINE) +# define ESSerr(f,r) ERR_PUT_error(ERR_LIB_ESS,(f),(r),OPENSSL_FILE,OPENSSL_LINE) # define ERR_PACK(l,f,r) ( \ (((unsigned int)(l) & 0x0FF) << 24L) | \ diff --git a/include/openssl/ess.h b/include/openssl/ess.h new file mode 100644 index 0000000000..3912071882 --- /dev/null +++ b/include/openssl/ess.h @@ -0,0 +1,80 @@ +/* + * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#ifndef HEADER_ESS_H +# define HEADER_ESS_H + +# include + +# ifdef __cplusplus +extern "C" { +# endif +# include +# include +# include + +typedef struct ESS_issuer_serial ESS_ISSUER_SERIAL; +typedef struct ESS_cert_id ESS_CERT_ID; +typedef struct ESS_signing_cert ESS_SIGNING_CERT; + +DEFINE_STACK_OF(ESS_CERT_ID) + +typedef struct ESS_signing_cert_v2_st ESS_SIGNING_CERT_V2; +typedef struct ESS_cert_id_v2_st ESS_CERT_ID_V2; + +DEFINE_STACK_OF(ESS_CERT_ID_V2) + +ESS_ISSUER_SERIAL *ESS_ISSUER_SERIAL_new(void); +void ESS_ISSUER_SERIAL_free(ESS_ISSUER_SERIAL *a); +int i2d_ESS_ISSUER_SERIAL(const ESS_ISSUER_SERIAL *a, unsigned char **pp); +ESS_ISSUER_SERIAL *d2i_ESS_ISSUER_SERIAL(ESS_ISSUER_SERIAL **a, + const unsigned char **pp, + long length); +ESS_ISSUER_SERIAL *ESS_ISSUER_SERIAL_dup(ESS_ISSUER_SERIAL *a); + +ESS_CERT_ID *ESS_CERT_ID_new(void); +void ESS_CERT_ID_free(ESS_CERT_ID *a); +int i2d_ESS_CERT_ID(const ESS_CERT_ID *a, unsigned char **pp); +ESS_CERT_ID *d2i_ESS_CERT_ID(ESS_CERT_ID **a, const unsigned char **pp, + long length); +ESS_CERT_ID *ESS_CERT_ID_dup(ESS_CERT_ID *a); + +ESS_SIGNING_CERT *ESS_SIGNING_CERT_new(void); +void ESS_SIGNING_CERT_free(ESS_SIGNING_CERT *a); +int i2d_ESS_SIGNING_CERT(const ESS_SIGNING_CERT *a, unsigned char **pp); +ESS_SIGNING_CERT *d2i_ESS_SIGNING_CERT(ESS_SIGNING_CERT **a, + const unsigned char **pp, long length); +ESS_SIGNING_CERT *ESS_SIGNING_CERT_dup(ESS_SIGNING_CERT *a); +ESS_SIGNING_CERT *ESS_SIGNING_CERT_new_init(X509 *signcert, + STACK_OF(X509) *certs, + int issuer_needed); + +ESS_CERT_ID_V2 *ESS_CERT_ID_V2_new(void); +void ESS_CERT_ID_V2_free(ESS_CERT_ID_V2 *a); +int i2d_ESS_CERT_ID_V2(const ESS_CERT_ID_V2 *a, unsigned char **pp); +ESS_CERT_ID_V2 *d2i_ESS_CERT_ID_V2(ESS_CERT_ID_V2 **a, + const unsigned char **pp, long length); +ESS_CERT_ID_V2 *ESS_CERT_ID_V2_dup(ESS_CERT_ID_V2 *a); + +ESS_SIGNING_CERT_V2 *ESS_SIGNING_CERT_V2_new(void); +void ESS_SIGNING_CERT_V2_free(ESS_SIGNING_CERT_V2 *a); +int i2d_ESS_SIGNING_CERT_V2(const ESS_SIGNING_CERT_V2 *a, unsigned char **pp); +ESS_SIGNING_CERT_V2 *d2i_ESS_SIGNING_CERT_V2(ESS_SIGNING_CERT_V2 **a, + const unsigned char **pp, + long length); +ESS_SIGNING_CERT_V2 *ESS_SIGNING_CERT_V2_dup(ESS_SIGNING_CERT_V2 *a); +ESS_SIGNING_CERT_V2 *ESS_SIGNING_CERT_V2_new_init(const EVP_MD *hash_alg, + X509 *signcert, + STACK_OF(X509) *certs, + int issuer_needed); + +# ifdef __cplusplus +} +# endif +#endif diff --git a/include/openssl/esserr.h b/include/openssl/esserr.h new file mode 100644 index 0000000000..e8fdb1d2ae --- /dev/null +++ b/include/openssl/esserr.h @@ -0,0 +1,38 @@ +/* + * Generated by util/mkerr.pl DO NOT EDIT + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#ifndef HEADER_ESSERR_H +# define HEADER_ESSERR_H + +# include + +# ifdef __cplusplus +extern "C" +# endif +int ERR_load_ESS_strings(void); + +/* + * ESS function codes. + */ +# define ESS_F_ESS_CERT_ID_NEW_INIT 100 +# define ESS_F_ESS_CERT_ID_V2_NEW_INIT 101 +# define ESS_F_ESS_SIGNING_CERT_ADD 104 +# define ESS_F_ESS_SIGNING_CERT_NEW_INIT 102 +# define ESS_F_ESS_SIGNING_CERT_V2_ADD 105 +# define ESS_F_ESS_SIGNING_CERT_V2_NEW_INIT 103 + +/* + * ESS reason codes. + */ +# define ESS_R_ESS_SIGNING_CERTIFICATE_ERROR 102 +# define ESS_R_ESS_SIGNING_CERT_ADD_ERROR 100 +# define ESS_R_ESS_SIGNING_CERT_V2_ADD_ERROR 101 + +#endif diff --git a/include/openssl/ts.h b/include/openssl/ts.h index 966eb79a93..ef78d8c67e 100644 --- a/include/openssl/ts.h +++ b/include/openssl/ts.h @@ -23,6 +23,7 @@ # include # include # include +# include # ifdef __cplusplus extern "C" { # endif @@ -55,16 +56,6 @@ typedef struct TS_tst_info_st TS_TST_INFO; typedef struct TS_status_info_st TS_STATUS_INFO; -typedef struct ESS_issuer_serial ESS_ISSUER_SERIAL; -typedef struct ESS_cert_id ESS_CERT_ID; -typedef struct ESS_signing_cert ESS_SIGNING_CERT; - -DEFINE_STACK_OF(ESS_CERT_ID) - -typedef struct ESS_cert_id_v2_st ESS_CERT_ID_V2; -typedef struct ESS_signing_cert_v2_st ESS_SIGNING_CERT_V2; - -DEFINE_STACK_OF(ESS_CERT_ID_V2) typedef struct TS_resp_st TS_RESP; @@ -139,43 +130,6 @@ TS_ACCURACY *d2i_TS_ACCURACY(TS_ACCURACY **a, const unsigned char **pp, long length); TS_ACCURACY *TS_ACCURACY_dup(TS_ACCURACY *a); -ESS_ISSUER_SERIAL *ESS_ISSUER_SERIAL_new(void); -void ESS_ISSUER_SERIAL_free(ESS_ISSUER_SERIAL *a); -int i2d_ESS_ISSUER_SERIAL(const ESS_ISSUER_SERIAL *a, unsigned char **pp); -ESS_ISSUER_SERIAL *d2i_ESS_ISSUER_SERIAL(ESS_ISSUER_SERIAL **a, - const unsigned char **pp, - long length); -ESS_ISSUER_SERIAL *ESS_ISSUER_SERIAL_dup(ESS_ISSUER_SERIAL *a); - -ESS_CERT_ID *ESS_CERT_ID_new(void); -void ESS_CERT_ID_free(ESS_CERT_ID *a); -int i2d_ESS_CERT_ID(const ESS_CERT_ID *a, unsigned char **pp); -ESS_CERT_ID *d2i_ESS_CERT_ID(ESS_CERT_ID **a, const unsigned char **pp, - long length); -ESS_CERT_ID *ESS_CERT_ID_dup(ESS_CERT_ID *a); - -ESS_SIGNING_CERT *ESS_SIGNING_CERT_new(void); -void ESS_SIGNING_CERT_free(ESS_SIGNING_CERT *a); -int i2d_ESS_SIGNING_CERT(const ESS_SIGNING_CERT *a, unsigned char **pp); -ESS_SIGNING_CERT *d2i_ESS_SIGNING_CERT(ESS_SIGNING_CERT **a, - const unsigned char **pp, long length); -ESS_SIGNING_CERT *ESS_SIGNING_CERT_dup(ESS_SIGNING_CERT *a); - -ESS_CERT_ID_V2 *ESS_CERT_ID_V2_new(void); -void ESS_CERT_ID_V2_free(ESS_CERT_ID_V2 *a); -int i2d_ESS_CERT_ID_V2(const ESS_CERT_ID_V2 *a, unsigned char **pp); -ESS_CERT_ID_V2 *d2i_ESS_CERT_ID_V2(ESS_CERT_ID_V2 **a, - const unsigned char **pp, long length); -ESS_CERT_ID_V2 *ESS_CERT_ID_V2_dup(ESS_CERT_ID_V2 *a); - -ESS_SIGNING_CERT_V2 *ESS_SIGNING_CERT_V2_new(void); -void ESS_SIGNING_CERT_V2_free(ESS_SIGNING_CERT_V2 *a); -int i2d_ESS_SIGNING_CERT_V2(const ESS_SIGNING_CERT_V2 *a, unsigned char **pp); -ESS_SIGNING_CERT_V2 *d2i_ESS_SIGNING_CERT_V2(ESS_SIGNING_CERT_V2 **a, - const unsigned char **pp, - long length); -ESS_SIGNING_CERT_V2 *ESS_SIGNING_CERT_V2_dup(ESS_SIGNING_CERT_V2 *a); - int TS_REQ_set_version(TS_REQ *a, long version); long TS_REQ_get_version(const TS_REQ *a); diff --git a/include/openssl/tserr.h b/include/openssl/tserr.h index dd5ab28def..0a2dd15930 100644 --- a/include/openssl/tserr.h +++ b/include/openssl/tserr.h @@ -1,6 +1,6 @@ /* * Generated by util/mkerr.pl DO NOT EDIT - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -25,12 +25,6 @@ int ERR_load_TS_strings(void); */ # define TS_F_DEF_SERIAL_CB 110 # define TS_F_DEF_TIME_CB 111 -# define TS_F_ESS_ADD_SIGNING_CERT 112 -# define TS_F_ESS_ADD_SIGNING_CERT_V2 147 -# define TS_F_ESS_CERT_ID_NEW_INIT 113 -# define TS_F_ESS_CERT_ID_V2_NEW_INIT 156 -# define TS_F_ESS_SIGNING_CERT_NEW_INIT 114 -# define TS_F_ESS_SIGNING_CERT_V2_NEW_INIT 157 # define TS_F_INT_TS_RESP_VERIFY_TOKEN 149 # define TS_F_PKCS7_TO_TS_TST_INFO 148 # define TS_F_TS_ACCURACY_SET_MICROS 115 diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t index d0ee2da6c0..76f1ec20af 100644 --- a/test/recipes/80-test_cms.t +++ b/test/recipes/80-test_cms.t @@ -219,6 +219,22 @@ my @smime_cms_tests = ( "-CAfile", catfile($smdir, "smroot.pem") ] ], + [ "signed content DER format, RSA key, CAdES-BES compatible", + [ "-sign", "-cades", "-in", $smcont, "-outform", "DER", "-nodetach", + "-certfile", catfile($smdir, "smroot.pem"), + "-signer", catfile($smdir, "smrsa1.pem"), "-out", "test.cms" ], + [ "-verify", "-in", "test.cms", "-inform", "DER", + "-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ] + ], + + [ "signed content DER format, RSA key, SHA256 md, CAdES-BES compatible", + [ "-sign", "-cades", "-md", "sha256", "-in", $smcont, "-outform", + "DER", "-nodetach", "-certfile", catfile($smdir, "smroot.pem"), + "-signer", catfile($smdir, "smrsa1.pem"), "-out", "test.cms" ], + [ "-verify", "-in", "test.cms", "-inform", "DER", + "-CAfile", catfile($smdir, "smroot.pem"), "-out", "smtst.txt" ] + ], + [ "enveloped content test streaming S/MIME format, DES, 3 recipients, keyid", [ "-encrypt", "-in", $smcont, "-stream", "-out", "test.cms", "-keyid", diff --git a/util/libcrypto.num b/util/libcrypto.num index e7d2ed7625..cc88ac4652 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -10,7 +10,7 @@ TS_RESP_CTX_new 9 3_0_0 EXIST::FUNCTION:TS PKCS5_PBE_add 10 3_0_0 EXIST::FUNCTION: i2d_DSAparams 11 3_0_0 EXIST::FUNCTION:DSA X509_NAME_get0_der 12 3_0_0 EXIST::FUNCTION: -i2d_ESS_ISSUER_SERIAL 13 3_0_0 EXIST::FUNCTION:TS +i2d_ESS_ISSUER_SERIAL 13 3_0_0 EXIST::FUNCTION: X509at_get_attr_by_NID 14 3_0_0 EXIST::FUNCTION: X509_PUBKEY_set0_param 15 3_0_0 EXIST::FUNCTION: PKCS12_it 16 3_0_0 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE: @@ -322,7 +322,7 @@ d2i_OCSP_RESPID 322 3_0_0 EXIST::FUNCTION:OCSP BIO_s_accept 323 3_0_0 EXIST::FUNCTION:SOCK EVP_whirlpool 324 3_0_0 EXIST::FUNCTION:WHIRLPOOL OCSP_ONEREQ_get1_ext_d2i 325 3_0_0 EXIST::FUNCTION:OCSP -d2i_ESS_SIGNING_CERT 326 3_0_0 EXIST::FUNCTION:TS +d2i_ESS_SIGNING_CERT 326 3_0_0 EXIST::FUNCTION: EC_KEY_set_default_method 327 3_0_0 EXIST::FUNCTION:EC X509_OBJECT_up_ref_count 328 3_0_0 EXIST::FUNCTION: RAND_load_file 329 3_0_0 EXIST::FUNCTION: @@ -577,7 +577,7 @@ CMAC_CTX_copy 577 3_0_0 EXIST::FUNCTION:CMAC EVP_camellia_128_cfb128 579 3_0_0 EXIST::FUNCTION:CAMELLIA DH_compute_key_padded 580 3_0_0 EXIST::FUNCTION:DH ERR_load_CONF_strings 581 3_0_0 EXIST::FUNCTION: -ESS_ISSUER_SERIAL_dup 582 3_0_0 EXIST::FUNCTION:TS +ESS_ISSUER_SERIAL_dup 582 3_0_0 EXIST::FUNCTION: BN_GF2m_mod_exp_arr 583 3_0_0 EXIST::FUNCTION:EC2M ASN1_UTF8STRING_free 584 3_0_0 EXIST::FUNCTION: BN_X931_generate_prime_ex 585 3_0_0 EXIST::FUNCTION: @@ -653,7 +653,7 @@ PEM_read_bio_CMS 653 3_0_0 EXIST::FUNCTION:CMS PEM_get_EVP_CIPHER_INFO 654 3_0_0 EXIST::FUNCTION: X509V3_EXT_print 655 3_0_0 EXIST::FUNCTION: i2d_OCSP_SINGLERESP 656 3_0_0 EXIST::FUNCTION:OCSP -ESS_CERT_ID_free 657 3_0_0 EXIST::FUNCTION:TS +ESS_CERT_ID_free 657 3_0_0 EXIST::FUNCTION: PEM_SignInit 658 3_0_0 EXIST::FUNCTION: EVP_CIPHER_CTX_set_key_length 659 3_0_0 EXIST::FUNCTION: X509_delete_ext 660 3_0_0 EXIST::FUNCTION: @@ -1429,7 +1429,7 @@ X509_NAME_new 1417 3_0_0 EXIST::FUNCTION: ASN1_item_pack 1418 3_0_0 EXIST::FUNCTION: ASN1_BIT_STRING_set_asc 1419 3_0_0 EXIST::FUNCTION: d2i_GENERAL_NAME 1420 3_0_0 EXIST::FUNCTION: -i2d_ESS_CERT_ID 1421 3_0_0 EXIST::FUNCTION:TS +i2d_ESS_CERT_ID 1421 3_0_0 EXIST::FUNCTION: X509_TRUST_get_by_id 1422 3_0_0 EXIST::FUNCTION: d2i_RSA_PUBKEY_fp 1423 3_0_0 EXIST::FUNCTION:RSA,STDIO EVP_PBE_get 1424 3_0_0 EXIST::FUNCTION: @@ -1711,7 +1711,7 @@ PKCS7_SIGNED_it 1698 3_0_0 EXIST:!EXPORT_VAR_AS_FUNCTION PKCS7_SIGNED_it 1698 3_0_0 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: b2i_PublicKey 1699 3_0_0 EXIST::FUNCTION:DSA X509_PURPOSE_cleanup 1700 3_0_0 EXIST::FUNCTION: -ESS_SIGNING_CERT_dup 1701 3_0_0 EXIST::FUNCTION:TS +ESS_SIGNING_CERT_dup 1701 3_0_0 EXIST::FUNCTION: ENGINE_set_default_DSA 1702 3_0_0 EXIST::FUNCTION:ENGINE X509_REVOKED_new 1703 3_0_0 EXIST::FUNCTION: NCONF_WIN32 1704 3_0_0 EXIST::FUNCTION: @@ -2115,7 +2115,7 @@ PEM_read 2093 3_0_0 EXIST::FUNCTION:STDIO X509_STORE_set_depth 2094 3_0_0 EXIST::FUNCTION: EC_KEY_METHOD_get_sign 2095 3_0_0 EXIST::FUNCTION:EC EVP_CIPHER_CTX_iv 2096 3_0_0 EXIST::FUNCTION: -i2d_ESS_SIGNING_CERT 2097 3_0_0 EXIST::FUNCTION:TS +i2d_ESS_SIGNING_CERT 2097 3_0_0 EXIST::FUNCTION: TS_RESP_set_tst_info 2098 3_0_0 EXIST::FUNCTION:TS EVP_PKEY_CTX_set_data 2099 3_0_0 EXIST::FUNCTION: CMS_EnvelopedData_create 2100 3_0_0 EXIST::FUNCTION:CMS @@ -2326,7 +2326,7 @@ X509at_get_attr_count 2295 3_0_0 EXIST::FUNCTION: PKCS12_init 2296 3_0_0 EXIST::FUNCTION: CRYPTO_free_ex_data 2297 3_0_0 EXIST::FUNCTION: EVP_aes_128_cfb8 2298 3_0_0 EXIST::FUNCTION: -ESS_ISSUER_SERIAL_free 2299 3_0_0 EXIST::FUNCTION:TS +ESS_ISSUER_SERIAL_free 2299 3_0_0 EXIST::FUNCTION: BN_mod_exp_mont_word 2300 3_0_0 EXIST::FUNCTION: X509V3_EXT_nconf_nid 2301 3_0_0 EXIST::FUNCTION: UTF8_putc 2302 3_0_0 EXIST::FUNCTION: @@ -2653,7 +2653,7 @@ IPAddressRange_it 2618 3_0_0 EXIST:EXPORT_VAR_AS_FUNCTION: PEM_read_bio_DSAPrivateKey 2619 3_0_0 EXIST::FUNCTION:DSA CMS_get0_type 2620 3_0_0 EXIST::FUNCTION:CMS ASN1_PCTX_free 2621 3_0_0 EXIST::FUNCTION: -ESS_SIGNING_CERT_new 2622 3_0_0 EXIST::FUNCTION:TS +ESS_SIGNING_CERT_new 2622 3_0_0 EXIST::FUNCTION: X509V3_EXT_conf_nid 2623 3_0_0 EXIST::FUNCTION: EC_KEY_check_key 2624 3_0_0 EXIST::FUNCTION:EC PKCS5_PBKDF2_HMAC 2625 3_0_0 EXIST::FUNCTION: @@ -3093,7 +3093,7 @@ EVP_DecryptUpdate 3046 3_0_0 EXIST::FUNCTION: CAST_cbc_encrypt 3047 3_0_0 EXIST::FUNCTION:CAST BN_BLINDING_invert 3048 3_0_0 EXIST::FUNCTION: SHA512_Update 3049 3_0_0 EXIST::FUNCTION: -ESS_ISSUER_SERIAL_new 3050 3_0_0 EXIST::FUNCTION:TS +ESS_ISSUER_SERIAL_new 3050 3_0_0 EXIST::FUNCTION: PKCS12_SAFEBAG_get0_pkcs8 3051 3_0_0 EXIST::FUNCTION: X509_get_ext_by_NID 3052 3_0_0 EXIST::FUNCTION: d2i_IPAddressFamily 3053 3_0_0 EXIST::FUNCTION:RFC3779 @@ -3185,7 +3185,7 @@ BN_to_ASN1_ENUMERATED 3137 3_0_0 EXIST::FUNCTION: i2d_ISSUING_DIST_POINT 3138 3_0_0 EXIST::FUNCTION: TXT_DB_free 3139 3_0_0 EXIST::FUNCTION: ASN1_STRING_set 3140 3_0_0 EXIST::FUNCTION: -d2i_ESS_CERT_ID 3141 3_0_0 EXIST::FUNCTION:TS +d2i_ESS_CERT_ID 3141 3_0_0 EXIST::FUNCTION: EVP_PKEY_meth_set_derive 3142 3_0_0 EXIST::FUNCTION: OPENSSL_LH_stats 3143 3_0_0 EXIST::FUNCTION:STDIO NCONF_dump_fp 3144 3_0_0 EXIST::FUNCTION:STDIO @@ -3280,7 +3280,7 @@ i2d_X509_ALGORS 3233 3_0_0 EXIST::FUNCTION: EVP_camellia_192_cfb1 3234 3_0_0 EXIST::FUNCTION:CAMELLIA TS_RESP_CTX_add_failure_info 3235 3_0_0 EXIST::FUNCTION:TS EVP_PBE_alg_add 3236 3_0_0 EXIST::FUNCTION: -ESS_CERT_ID_dup 3237 3_0_0 EXIST::FUNCTION:TS +ESS_CERT_ID_dup 3237 3_0_0 EXIST::FUNCTION: CMS_SignerInfo_get0_signature 3238 3_0_0 EXIST::FUNCTION:CMS EVP_PKEY_verify_recover 3239 3_0_0 EXIST::FUNCTION: i2d_PUBKEY 3240 3_0_0 EXIST::FUNCTION: @@ -3404,7 +3404,7 @@ X509_ATTRIBUTE_create_by_OBJ 3356 3_0_0 EXIST::FUNCTION: RSA_generate_key_ex 3357 3_0_0 EXIST::FUNCTION:RSA CMS_SignerInfo_get0_algs 3358 3_0_0 EXIST::FUNCTION:CMS DIST_POINT_free 3359 3_0_0 EXIST::FUNCTION: -ESS_SIGNING_CERT_free 3360 3_0_0 EXIST::FUNCTION:TS +ESS_SIGNING_CERT_free 3360 3_0_0 EXIST::FUNCTION: SCT_new_from_base64 3361 3_0_0 EXIST::FUNCTION:CT OpenSSL_version 3362 3_0_0 EXIST::FUNCTION: OCSP_SINGLERESP_get_ext_by_OBJ 3363 3_0_0 EXIST::FUNCTION:OCSP @@ -3522,7 +3522,7 @@ EVP_PKEY_save_parameters 3475 3_0_0 EXIST::FUNCTION: SCT_set_source 3476 3_0_0 EXIST::FUNCTION:CT DES_set_odd_parity 3477 3_0_0 EXIST::FUNCTION:DES CMAC_CTX_free 3478 3_0_0 EXIST::FUNCTION:CMAC -d2i_ESS_ISSUER_SERIAL 3479 3_0_0 EXIST::FUNCTION:TS +d2i_ESS_ISSUER_SERIAL 3479 3_0_0 EXIST::FUNCTION: HMAC_CTX_set_flags 3480 3_0_0 EXIST::FUNCTION: d2i_PKCS8_bio 3481 3_0_0 EXIST::FUNCTION: OCSP_ONEREQ_get_ext_count 3482 3_0_0 EXIST::FUNCTION:OCSP @@ -3708,7 +3708,7 @@ ERR_load_DH_strings 3664 3_0_0 EXIST::FUNCTION:DH EVP_MD_block_size 3665 3_0_0 EXIST::FUNCTION: TS_X509_ALGOR_print_bio 3666 3_0_0 EXIST::FUNCTION:TS d2i_PKCS7_ENVELOPE 3667 3_0_0 EXIST::FUNCTION: -ESS_CERT_ID_new 3669 3_0_0 EXIST::FUNCTION:TS +ESS_CERT_ID_new 3669 3_0_0 EXIST::FUNCTION: EC_POINT_invert 3670 3_0_0 EXIST::FUNCTION:EC CAST_set_key 3671 3_0_0 EXIST::FUNCTION:CAST ENGINE_get_pkey_meth 3672 3_0_0 EXIST::FUNCTION:ENGINE @@ -4275,18 +4275,18 @@ X509_CRL_print_ex 4218 3_0_0 EXIST::FUNCTION: X509_SIG_INFO_get 4219 3_0_0 EXIST::FUNCTION: X509_get_signature_info 4220 3_0_0 EXIST::FUNCTION: X509_SIG_INFO_set 4221 3_0_0 EXIST::FUNCTION: -ESS_CERT_ID_V2_free 4222 3_0_0 EXIST::FUNCTION:TS -ESS_SIGNING_CERT_V2_new 4223 3_0_0 EXIST::FUNCTION:TS -d2i_ESS_SIGNING_CERT_V2 4224 3_0_0 EXIST::FUNCTION:TS -i2d_ESS_CERT_ID_V2 4225 3_0_0 EXIST::FUNCTION:TS -ESS_CERT_ID_V2_dup 4226 3_0_0 EXIST::FUNCTION:TS +ESS_CERT_ID_V2_free 4222 3_0_0 EXIST::FUNCTION: +ESS_SIGNING_CERT_V2_new 4223 3_0_0 EXIST::FUNCTION: +d2i_ESS_SIGNING_CERT_V2 4224 3_0_0 EXIST::FUNCTION: +i2d_ESS_CERT_ID_V2 4225 3_0_0 EXIST::FUNCTION: +ESS_CERT_ID_V2_dup 4226 3_0_0 EXIST::FUNCTION: TS_RESP_CTX_set_ess_cert_id_digest 4227 3_0_0 EXIST::FUNCTION:TS -d2i_ESS_CERT_ID_V2 4228 3_0_0 EXIST::FUNCTION:TS -i2d_ESS_SIGNING_CERT_V2 4229 3_0_0 EXIST::FUNCTION:TS +d2i_ESS_CERT_ID_V2 4228 3_0_0 EXIST::FUNCTION: +i2d_ESS_SIGNING_CERT_V2 4229 3_0_0 EXIST::FUNCTION: TS_CONF_set_ess_cert_id_digest 4230 3_0_0 EXIST::FUNCTION:TS -ESS_SIGNING_CERT_V2_free 4231 3_0_0 EXIST::FUNCTION:TS -ESS_SIGNING_CERT_V2_dup 4232 3_0_0 EXIST::FUNCTION:TS -ESS_CERT_ID_V2_new 4233 3_0_0 EXIST::FUNCTION:TS +ESS_SIGNING_CERT_V2_free 4231 3_0_0 EXIST::FUNCTION: +ESS_SIGNING_CERT_V2_dup 4232 3_0_0 EXIST::FUNCTION: +ESS_CERT_ID_V2_new 4233 3_0_0 EXIST::FUNCTION: PEM_read_bio_ex 4234 3_0_0 EXIST::FUNCTION: PEM_bytes_read_bio_secmem 4235 3_0_0 EXIST::FUNCTION: EVP_DigestSign 4236 3_0_0 EXIST::FUNCTION: @@ -4626,3 +4626,8 @@ ASYNC_WAIT_CTX_get_callback 4581 3_0_0 EXIST::FUNCTION: ASYNC_WAIT_CTX_set_callback 4582 3_0_0 EXIST::FUNCTION: ASYNC_WAIT_CTX_set_status 4583 3_0_0 EXIST::FUNCTION: ASYNC_WAIT_CTX_get_status 4584 3_0_0 EXIST::FUNCTION: +CMS_add1_signing_cert 4585 3_0_0 EXIST::FUNCTION:CMS +CMS_add1_signing_cert_v2 4586 3_0_0 EXIST::FUNCTION:CMS +ESS_SIGNING_CERT_new_init 4587 3_0_0 EXIST::FUNCTION: +ESS_SIGNING_CERT_V2_new_init 4588 3_0_0 EXIST::FUNCTION: +ERR_load_ESS_strings 4589 3_0_0 EXIST::FUNCTION: -- 2.25.1