EXPORT_C int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a, ASN1_BIT_STRING *signature,
void *asn, EVP_PKEY *pkey)
{
EVP_MD_CTX ctx;
const EVP_MD *type;
unsigned char *buf_in=NULL;
int ret= -1,i,inl;
EVP_MD_CTX_init(&ctx);
i=OBJ_obj2nid(a->algorithm);
type=EVP_get_digestbyname(OBJ_nid2sn(i));
if (type == NULL)
{
ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
goto err;
}
if (!EVP_VerifyInit_ex(&ctx,type, NULL))
{
ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ERR_R_EVP_LIB);
ret=0;
goto err;
}
inl = ASN1_item_i2d(asn, &buf_in, it);
if (buf_in == NULL)
{
ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ERR_R_MALLOC_FAILURE);
goto err;
}
EVP_VerifyUpdate(&ctx,(unsigned char *)buf_in,inl);
OPENSSL_cleanse(buf_in,(unsigned int)inl);
OPENSSL_free(buf_in);
if (EVP_VerifyFinal(&ctx,(unsigned char *)signature->data,
(unsigned int)signature->length,pkey) <= 0)
{
ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ERR_R_EVP_LIB);
ret=0;
goto err;
}
/* we don't need to zero the 'ctx' because we just checked
* public information */
/* memset(&ctx,0,sizeof(ctx)); */
ret=1;
err:
EVP_MD_CTX_cleanup(&ctx);
return(ret);
}
int ASN1_item_i2d_bio(const ASN1_ITEM *it, BIO *out, void *x)
{
unsigned char *b = NULL;
int n = ASN1_item_i2d(x, &b, it);
if (b == NULL) {
OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
return 0;
}
int ret = BIO_write_all(out, b, n);
OPENSSL_free(b);
return ret;
}
int OCSP_REQ_CTX_i2d(OCSP_REQ_CTX *rctx, const ASN1_ITEM *it, ASN1_VALUE *val)
{
static const char req_hdr[] =
"Content-Type: application/ocsp-request\r\n"
"Content-Length: %d\r\n\r\n";
int reqlen = ASN1_item_i2d(val, NULL, it);
if (BIO_printf(rctx->mem, req_hdr, reqlen) <= 0)
return 0;
if (ASN1_item_i2d_bio(it, rctx->mem, val) <= 0)
return 0;
rctx->state = OHS_ASN1_WRITE_INIT;
return 1;
}
int ASN1_item_digest(const ASN1_ITEM *it, const EVP_MD *type, void *asn,
unsigned char *md, unsigned int *len)
{
int i;
unsigned char *str = NULL;
i=ASN1_item_i2d(asn,&str, it);
if (!str) return(0);
EVP_Digest(str, i, md, len, type, NULL);
OPENSSL_free(str);
return(1);
}
void *ASN1_item_dup(const ASN1_ITEM *it, void *x)
{
unsigned char *b = NULL, *p;
long i;
void *ret;
if (x == NULL) return(NULL);
i=ASN1_item_i2d(x,&b,it);
if (b == NULL)
{ ASN1err(ASN1_F_ASN1_DUP,ERR_R_MALLOC_FAILURE); return(NULL); }
p= b;
ret=ASN1_item_d2i(NULL,&p,i, it);
OPENSSL_free(b);
return(ret);
}
static X509_EXTENSION *do_ext_i2d(const X509V3_EXT_METHOD *method,
int ext_nid, int crit, void *ext_struc)
{
unsigned char *ext_der = NULL;
int ext_len;
ASN1_OCTET_STRING *ext_oct = NULL;
X509_EXTENSION *ext;
/* Convert internal representation to DER */
if (method->it) {
ext_der = NULL;
ext_len =
ASN1_item_i2d(ext_struc, &ext_der, ASN1_ITEM_ptr(method->it));
if (ext_len < 0)
goto merr;
} else {
unsigned char *p;
ext_len = method->i2d(ext_struc, NULL);
if ((ext_der = OPENSSL_malloc(ext_len)) == NULL)
goto merr;
p = ext_der;
method->i2d(ext_struc, &p);
}
if ((ext_oct = ASN1_OCTET_STRING_new()) == NULL)
goto merr;
ext_oct->data = ext_der;
ext_der = NULL;
ext_oct->length = ext_len;
ext = X509_EXTENSION_create_by_NID(NULL, ext_nid, crit, ext_oct);
if (!ext)
goto merr;
ASN1_OCTET_STRING_free(ext_oct);
return ext;
merr:
X509V3err(X509V3_F_DO_EXT_I2D, ERR_R_MALLOC_FAILURE);
OPENSSL_free(ext_der);
ASN1_OCTET_STRING_free(ext_oct);
return NULL;
}
static LUA_FUNCTION(openssl_csr_sign)
{
X509_REQ * csr = CHECK_OBJECT(1, X509_REQ, "openssl.x509_req");
EVP_PKEY *pkey = CHECK_OBJECT(2, EVP_PKEY, "openssl.evp_pkey");
if (openssl_pkey_is_private(pkey))
{
const EVP_MD* md = get_digest(L, 3);
return openssl_pushresult(L, X509_REQ_sign(csr, pkey, md));
} else if (lua_isnoneornil(L, 3) && X509_REQ_set_pubkey(csr, pkey))
{
unsigned char* tosign = NULL;
const ASN1_ITEM *it = ASN1_ITEM_rptr(X509_REQ_INFO);
int inl = ASN1_item_i2d((void*)csr->req_info, &tosign, it);
if (inl > 0 && tosign)
{
lua_pushlstring(L, (const char*)tosign, inl);
OPENSSL_free(tosign);
return 1;
}
return openssl_pushresult(L, 0);
} else {
size_t siglen;
const unsigned char* sigdata = (const unsigned char*)luaL_checklstring(L, 3, &siglen);
const EVP_MD* md = get_digest(L, 4);
/* (pkey->ameth->pkey_flags & ASN1_PKEY_SIGPARAM_NULL) ? V_ASN1_NULL : V_ASN1_UNDEF, */
X509_ALGOR_set0(csr->sig_alg, OBJ_nid2obj(md->pkey_type), V_ASN1_NULL, NULL);
if (csr->signature->data != NULL)
OPENSSL_free(csr->signature->data);
csr->signature->data = OPENSSL_malloc(siglen);
memcpy(csr->signature->data, sigdata, siglen);
csr->signature->length = siglen;
/*
* In the interests of compatibility, I'll make sure that the bit string
* has a 'not-used bits' value of 0
*/
csr->signature->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07);
csr->signature->flags |= ASN1_STRING_FLAG_BITS_LEFT;
lua_pushboolean(L, 1);
return 1;
}
}
int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a,
ASN1_BIT_STRING *signature, void *asn, EVP_PKEY *pkey)
{
EVP_MD_CTX ctx;
uint8_t *buf_in = NULL;
int ret = 0, inl = 0;
if (!pkey) {
OPENSSL_PUT_ERROR(X509, ERR_R_PASSED_NULL_PARAMETER);
return 0;
}
if (signature->type == V_ASN1_BIT_STRING && signature->flags & 0x7) {
OPENSSL_PUT_ERROR(X509, X509_R_INVALID_BIT_STRING_BITS_LEFT);
return 0;
}
EVP_MD_CTX_init(&ctx);
if (!x509_digest_verify_init(&ctx, a, pkey)) {
goto err;
}
inl = ASN1_item_i2d(asn, &buf_in, it);
if (buf_in == NULL) {
OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE);
goto err;
}
if (!EVP_DigestVerify(&ctx, signature->data, (size_t)signature->length,
buf_in, inl)) {
OPENSSL_PUT_ERROR(X509, ERR_R_EVP_LIB);
goto err;
}
ret = 1;
err:
OPENSSL_free(buf_in);
EVP_MD_CTX_cleanup(&ctx);
return ret;
}
int
i2d_PKCS12_BAGS(PKCS12_BAGS *a, unsigned char **out)
{
return ASN1_item_i2d((ASN1_VALUE *)a, out, &PKCS12_BAGS_it);
}
int
i2d_PKCS12_MAC_DATA(PKCS12_MAC_DATA *a, unsigned char **out)
{
return ASN1_item_i2d((ASN1_VALUE *)a, out, &PKCS12_MAC_DATA_it);
}
int
i2d_X509_EXTENSIONS(X509_EXTENSIONS *a, unsigned char **out)
{
return ASN1_item_i2d((ASN1_VALUE *)a, out, &X509_EXTENSIONS_it);
}
int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
{
int ret=0;
int i,j;
BIO *btmp;
BUF_MEM *buf_mem=NULL;
BUF_MEM *buf=NULL;
PKCS7_SIGNER_INFO *si;
EVP_MD_CTX *mdc,ctx_tmp;
STACK_OF(X509_ATTRIBUTE) *sk;
STACK_OF(PKCS7_SIGNER_INFO) *si_sk=NULL;
ASN1_OCTET_STRING *os=NULL;
EVP_MD_CTX_init(&ctx_tmp);
i=OBJ_obj2nid(p7->type);
p7->state=PKCS7_S_HEADER;
switch (i)
{
case NID_pkcs7_signedAndEnveloped:
/* XXXXXXXXXXXXXXXX */
si_sk=p7->d.signed_and_enveloped->signer_info;
if (!(os=M_ASN1_OCTET_STRING_new()))
{
PKCS7err(PKCS7_F_PKCS7_DATAFINAL,ERR_R_MALLOC_FAILURE);
goto err;
}
p7->d.signed_and_enveloped->enc_data->enc_data=os;
break;
case NID_pkcs7_enveloped:
/* XXXXXXXXXXXXXXXX */
if (!(os=M_ASN1_OCTET_STRING_new()))
{
PKCS7err(PKCS7_F_PKCS7_DATAFINAL,ERR_R_MALLOC_FAILURE);
goto err;
}
p7->d.enveloped->enc_data->enc_data=os;
break;
case NID_pkcs7_signed:
si_sk=p7->d.sign->signer_info;
os=PKCS7_get_octet_string(p7->d.sign->contents);
/* If detached data then the content is excluded */
if(PKCS7_type_is_data(p7->d.sign->contents) && p7->detached) {
M_ASN1_OCTET_STRING_free(os);
p7->d.sign->contents->d.data = NULL;
}
break;
case NID_pkcs7_digest:
os=PKCS7_get_octet_string(p7->d.digest->contents);
/* If detached data then the content is excluded */
if(PKCS7_type_is_data(p7->d.digest->contents) && p7->detached)
{
M_ASN1_OCTET_STRING_free(os);
p7->d.digest->contents->d.data = NULL;
}
break;
}
if (si_sk != NULL)
{
if ((buf=BUF_MEM_new()) == NULL)
{
PKCS7err(PKCS7_F_PKCS7_DATAFINAL,ERR_R_BIO_LIB);
goto err;
}
for (i=0; i<sk_PKCS7_SIGNER_INFO_num(si_sk); i++)
{
si=sk_PKCS7_SIGNER_INFO_value(si_sk,i);
if (si->pkey == NULL) continue;
j=OBJ_obj2nid(si->digest_alg->algorithm);
btmp=bio;
btmp = PKCS7_find_digest(&mdc, btmp, j);
if (btmp == NULL)
goto err;
/* We now have the EVP_MD_CTX, lets do the
* signing. */
EVP_MD_CTX_copy_ex(&ctx_tmp,mdc);
if (!BUF_MEM_grow_clean(buf,EVP_PKEY_size(si->pkey)))
{
PKCS7err(PKCS7_F_PKCS7_DATAFINAL,ERR_R_BIO_LIB);
goto err;
}
sk=si->auth_attr;
/* If there are attributes, we add the digest
* attribute and only sign the attributes */
if ((sk != NULL) && (sk_X509_ATTRIBUTE_num(sk) != 0))
{
unsigned char md_data[EVP_MAX_MD_SIZE], *abuf=NULL;
unsigned int md_len, alen;
ASN1_OCTET_STRING *digest;
ASN1_UTCTIME *sign_time;
const EVP_MD *md_tmp;
/* Add signing time if not already present */
if (!PKCS7_get_signed_attribute(si,
NID_pkcs9_signingTime))
{
if (!(sign_time=X509_gmtime_adj(NULL,0)))
{
PKCS7err(PKCS7_F_PKCS7_DATAFINAL,
ERR_R_MALLOC_FAILURE);
goto err;
}
PKCS7_add_signed_attribute(si,
NID_pkcs9_signingTime,
V_ASN1_UTCTIME,sign_time);
}
/* Add digest */
md_tmp=EVP_MD_CTX_md(&ctx_tmp);
EVP_DigestFinal_ex(&ctx_tmp,md_data,&md_len);
if (!(digest=M_ASN1_OCTET_STRING_new()))
{
PKCS7err(PKCS7_F_PKCS7_DATAFINAL,
ERR_R_MALLOC_FAILURE);
goto err;
}
if (!M_ASN1_OCTET_STRING_set(digest,md_data,
md_len))
{
PKCS7err(PKCS7_F_PKCS7_DATAFINAL,
ERR_R_MALLOC_FAILURE);
goto err;
}
PKCS7_add_signed_attribute(si,
NID_pkcs9_messageDigest,
V_ASN1_OCTET_STRING,digest);
/* Now sign the attributes */
EVP_SignInit_ex(&ctx_tmp,md_tmp,NULL);
alen = ASN1_item_i2d((ASN1_VALUE *)sk,&abuf,
ASN1_ITEM_rptr(PKCS7_ATTR_SIGN));
if(!abuf) goto err;
EVP_SignUpdate(&ctx_tmp,abuf,alen);
OPENSSL_free(abuf);
}
#ifndef OPENSSL_NO_DSA
if (si->pkey->type == EVP_PKEY_DSA)
ctx_tmp.digest=EVP_dss1();
#endif
#ifndef OPENSSL_NO_ECDSA
if (si->pkey->type == EVP_PKEY_EC)
ctx_tmp.digest=EVP_ecdsa();
#endif
if (!EVP_SignFinal(&ctx_tmp,(unsigned char *)buf->data,
(unsigned int *)&buf->length,si->pkey))
{
PKCS7err(PKCS7_F_PKCS7_DATAFINAL,ERR_R_EVP_LIB);
goto err;
}
if (!ASN1_STRING_set(si->enc_digest,
(unsigned char *)buf->data,buf->length))
{
PKCS7err(PKCS7_F_PKCS7_DATAFINAL,ERR_R_ASN1_LIB);
goto err;
}
}
}
else if (i == NID_pkcs7_digest)
{
unsigned char md_data[EVP_MAX_MD_SIZE];
unsigned int md_len;
if (!PKCS7_find_digest(&mdc, bio,
OBJ_obj2nid(p7->d.digest->md->algorithm)))
goto err;
EVP_DigestFinal_ex(mdc,md_data,&md_len);
M_ASN1_OCTET_STRING_set(p7->d.digest->digest, md_data, md_len);
}
if (!PKCS7_is_detached(p7))
{
btmp=BIO_find_type(bio,BIO_TYPE_MEM);
if (btmp == NULL)
{
PKCS7err(PKCS7_F_PKCS7_DATAFINAL,PKCS7_R_UNABLE_TO_FIND_MEM_BIO);
goto err;
}
BIO_get_mem_ptr(btmp,&buf_mem);
/* Mark the BIO read only then we can use its copy of the data
* instead of making an extra copy.
*/
BIO_set_flags(btmp, BIO_FLAGS_MEM_RDONLY);
BIO_set_mem_eof_return(btmp, 0);
os->data = (unsigned char *)buf_mem->data;
os->length = buf_mem->length;
#if 0
M_ASN1_OCTET_STRING_set(os,
(unsigned char *)buf_mem->data,buf_mem->length);
#endif
}
ret=1;
err:
EVP_MD_CTX_cleanup(&ctx_tmp);
if (buf != NULL) BUF_MEM_free(buf);
return(ret);
}
int
i2d_X509_REVOKED(X509_REVOKED *a, unsigned char **out)
{
return ASN1_item_i2d((ASN1_VALUE *)a, out, &X509_REVOKED_it);
}
int
i2d_GENERAL_NAMES(GENERAL_NAMES *a, unsigned char **out)
{
return ASN1_item_i2d((ASN1_VALUE *)a, out, &GENERAL_NAMES_it);
}
int
i2d_EDIPARTYNAME(EDIPARTYNAME *a, unsigned char **out)
{
return ASN1_item_i2d((ASN1_VALUE *)a, out, &EDIPARTYNAME_it);
}
int
i2d_OTHERNAME(OTHERNAME *a, unsigned char **out)
{
return ASN1_item_i2d((ASN1_VALUE *)a, out, &OTHERNAME_it);
}
int i2d_ASN1_INTEGER(const ASN1_INTEGER *a, unsigned char **out)
{
return ASN1_item_i2d((ASN1_VALUE *)a, out, ASN1_ITEM_rptr(ASN1_INTEGER));
}
int
i2d_PKCS12_SAFEBAG(PKCS12_SAFEBAG *a, unsigned char **out)
{
return ASN1_item_i2d((ASN1_VALUE *)a, out, &PKCS12_SAFEBAG_it);
}
int
i2d_X509_CRL_INFO(X509_CRL_INFO *a, unsigned char **out)
{
return ASN1_item_i2d((ASN1_VALUE *)a, out, &X509_CRL_INFO_it);
}
int
i2d_NETSCAPE_SPKAC(NETSCAPE_SPKAC *a, unsigned char **out)
{
return ASN1_item_i2d((ASN1_VALUE *)a, out, &NETSCAPE_SPKAC_it);
}
int ASN1_item_sign_ctx(const ASN1_ITEM *it,
X509_ALGOR *algor1, X509_ALGOR *algor2,
ASN1_BIT_STRING *signature, void *asn, EVP_MD_CTX *ctx)
{
const EVP_MD *type;
EVP_PKEY *pkey;
unsigned char *buf_in = NULL, *buf_out = NULL;
size_t inl = 0, outl = 0, outll = 0;
int signid, paramtype;
int rv;
type = EVP_MD_CTX_md(ctx);
pkey = EVP_PKEY_CTX_get0_pkey(ctx->pctx);
if (!type || !pkey) {
ASN1err(ASN1_F_ASN1_ITEM_SIGN_CTX, ASN1_R_CONTEXT_NOT_INITIALISED);
return 0;
}
if (pkey->ameth->item_sign) {
rv = pkey->ameth->item_sign(ctx, it, asn, algor1, algor2, signature);
if (rv == 1)
outl = signature->length;
/*-
* Return value meanings:
* <=0: error.
* 1: method does everything.
* 2: carry on as normal.
* 3: ASN1 method sets algorithm identifiers: just sign.
*/
if (rv <= 0)
ASN1err(ASN1_F_ASN1_ITEM_SIGN_CTX, ERR_R_EVP_LIB);
if (rv <= 1)
goto err;
} else
rv = 2;
if (rv == 2) {
if (type->flags & EVP_MD_FLAG_PKEY_METHOD_SIGNATURE) {
if (!pkey->ameth ||
!OBJ_find_sigid_by_algs(&signid,
EVP_MD_nid(type),
pkey->ameth->pkey_id)) {
ASN1err(ASN1_F_ASN1_ITEM_SIGN_CTX,
ASN1_R_DIGEST_AND_KEY_TYPE_NOT_SUPPORTED);
return 0;
}
} else
signid = type->pkey_type;
if (pkey->ameth->pkey_flags & ASN1_PKEY_SIGPARAM_NULL)
paramtype = V_ASN1_NULL;
else
paramtype = V_ASN1_UNDEF;
if (algor1)
X509_ALGOR_set0(algor1, OBJ_nid2obj(signid), paramtype, NULL);
if (algor2)
X509_ALGOR_set0(algor2, OBJ_nid2obj(signid), paramtype, NULL);
}
inl = ASN1_item_i2d(asn, &buf_in, it);
outll = outl = EVP_PKEY_size(pkey);
buf_out = OPENSSL_malloc((unsigned int)outl);
if ((buf_in == NULL) || (buf_out == NULL)) {
outl = 0;
ASN1err(ASN1_F_ASN1_ITEM_SIGN_CTX, ERR_R_MALLOC_FAILURE);
goto err;
}
if (!EVP_DigestSignUpdate(ctx, buf_in, inl)
|| !EVP_DigestSignFinal(ctx, buf_out, &outl)) {
outl = 0;
ASN1err(ASN1_F_ASN1_ITEM_SIGN_CTX, ERR_R_EVP_LIB);
goto err;
}
if (signature->data != NULL)
OPENSSL_free(signature->data);
signature->data = buf_out;
buf_out = NULL;
signature->length = outl;
/*
* In the interests of compatibility, I'll make sure that the bit string
* has a 'not-used bits' value of 0
*/
signature->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07);
signature->flags |= ASN1_STRING_FLAG_BITS_LEFT;
err:
EVP_MD_CTX_cleanup(ctx);
if (buf_in != NULL) {
OPENSSL_cleanse((char *)buf_in, (unsigned int)inl);
OPENSSL_free(buf_in);
}
if (buf_out != NULL) {
OPENSSL_cleanse((char *)buf_out, outll);
OPENSSL_free(buf_out);
}
return (outl);
}
int
i2d_BASIC_CONSTRAINTS(BASIC_CONSTRAINTS *a, unsigned char **out)
{
return ASN1_item_i2d((ASN1_VALUE *)a, out, &BASIC_CONSTRAINTS_it);
}
ASN1_ITEM_rptr(X509_EXTENSIONS));
}
/*
* Add a STACK_OF extensions to a certificate request: allow alternative OIDs
* in case we want to create a non standard one.
*/
int X509_REQ_add_extensions_nid(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts,
int nid)
{
int extlen;
int rv = 0;
unsigned char *ext = NULL;
/* Generate encoding of extensions */
extlen = ASN1_item_i2d((ASN1_VALUE *)exts, &ext,
ASN1_ITEM_rptr(X509_EXTENSIONS));
if (extlen <= 0)
return 0;
rv = X509_REQ_add1_attr_by_NID(req, nid, V_ASN1_SEQUENCE, ext, extlen);
OPENSSL_free(ext);
return rv;
}
/* This is the normal usage: use the "official" OID */
int X509_REQ_add_extensions(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts)
{
return X509_REQ_add_extensions_nid(req, exts, NID_ext_req);
}
/* Request attribute functions */
int
i2d_X509_ATTRIBUTE(X509_ATTRIBUTE *a, unsigned char **out)
{
return ASN1_item_i2d((ASN1_VALUE *)a, out, &X509_ATTRIBUTE_it);
}
int
i2d_X509(X509 *a, unsigned char **out)
{
return ASN1_item_i2d((ASN1_VALUE *)a, out, &X509_it);
}
static X509_EXTENSION* openssl_new_xextension(lua_State*L, int idx, int v3)
{
int nid;
int critical = 0;
ASN1_OCTET_STRING* value = NULL;
X509_EXTENSION* y = NULL;
lua_getfield(L, idx, "object");
nid = openssl_get_nid(L, -1);
lua_pop(L, 1);
lua_getfield(L, idx, "critical");
critical = lua_isnil(L, -1) ? 0 : lua_toboolean(L, -1);
lua_pop(L, 1);
if (nid == NID_undef)
{
lua_pushfstring(L, "%s is not valid object id", lua_tostring(L, -1));
luaL_argerror(L, idx, lua_tostring(L, -1));
}
lua_getfield(L, idx, "value");
luaL_argcheck(L, lua_isstring(L, -1) || auxiliar_isgroup(L, "openssl.asn1group", -1),
1, "field value must be string or openssl.asn1group object");
if (lua_isstring(L, -1))
{
size_t size;
const char* data = lua_tolstring(L, -1, &size);
if (v3)
{
const X509V3_EXT_METHOD *method = X509V3_EXT_get_nid(nid);
if (method)
{
void *ext_struc = NULL;
STACK_OF(CONF_VALUE) *nval = X509V3_parse_list(data);
/* Now get internal extension representation based on type */
if (method->v2i && nval)
{
if (sk_CONF_VALUE_num(nval) > 0)
{
ext_struc = method->v2i(method, NULL, nval);
}
}
else if (method->s2i)
{
ext_struc = method->s2i(method, NULL, data);
}
if (nval)
sk_CONF_VALUE_pop_free(nval, X509V3_conf_free);
if (ext_struc)
{
unsigned char *ext_der = NULL;
int ext_len;
/* Convert internal representation to DER */
if (method->it)
{
ext_der = NULL;
ext_len = ASN1_item_i2d(ext_struc, &ext_der, ASN1_ITEM_ptr(method->it));
if (ext_len < 0)
{
ext_der = NULL;
}
}
else
{
ext_len = method->i2d(ext_struc, NULL);
ext_der = OPENSSL_malloc(ext_len);
if (ext_der)
{
unsigned char* p = ext_der;
method->i2d(ext_struc, &p);
}
}
if (ext_der)
{
value = ASN1_STRING_type_new(V_ASN1_OCTET_STRING);
ASN1_STRING_set(value, ext_der, ext_len);
}
else
value = NULL;
if (method->it) ASN1_item_free(ext_struc, ASN1_ITEM_ptr(method->it));
else method->ext_free(ext_struc);
}
}
}
else
{
value = ASN1_STRING_type_new(V_ASN1_OCTET_STRING);
ASN1_STRING_set(value, data, size);
}
if (value)
{
y = X509_EXTENSION_create_by_NID(NULL, nid, critical, value);
ASN1_STRING_free(value);
return y;
}
else
{
luaL_error(L, "don't support object(%s) with value (%s)", OBJ_nid2ln(nid), data);
return NULL;
}
}
else
{
value = CHECK_GROUP(-1, ASN1_STRING, "openssl.asn1group");
y = X509_EXTENSION_create_by_NID(NULL, nid, critical, value);
lua_pop(L, 1);
return y;
}
}
int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a,
ASN1_BIT_STRING *signature, void *asn, EVP_PKEY *pkey)
{
EVP_MD_CTX ctx;
unsigned char *buf_in=NULL;
int ret= -1,inl;
int mdnid, pknid;
if (!pkey)
{
ASN1err(ASN1_F_ASN1_ITEM_VERIFY, ERR_R_PASSED_NULL_PARAMETER);
return -1;
}
EVP_MD_CTX_init(&ctx);
/* Convert signature OID into digest and public key OIDs */
if (!OBJ_find_sigid_algs(OBJ_obj2nid(a->algorithm), &mdnid, &pknid))
{
ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ASN1_R_UNKNOWN_SIGNATURE_ALGORITHM);
goto err;
}
if (mdnid == NID_undef)
{
if (!pkey->ameth || !pkey->ameth->item_verify)
{
ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ASN1_R_UNKNOWN_SIGNATURE_ALGORITHM);
goto err;
}
ret = pkey->ameth->item_verify(&ctx, it, asn, a,
signature, pkey);
/* Return value of 2 means carry on, anything else means we
* exit straight away: either a fatal error of the underlying
* verification routine handles all verification.
*/
if (ret != 2)
goto err;
ret = -1;
}
else
{
const EVP_MD *type;
type=EVP_get_digestbynid(mdnid);
if (type == NULL)
{
ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
goto err;
}
/* Check public key OID matches public key type */
if (EVP_PKEY_type(pknid) != pkey->ameth->pkey_id)
{
ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ASN1_R_WRONG_PUBLIC_KEY_TYPE);
goto err;
}
if (!EVP_DigestVerifyInit(&ctx, NULL, type, NULL, pkey))
{
ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ERR_R_EVP_LIB);
ret=0;
goto err;
}
}
inl = ASN1_item_i2d(asn, &buf_in, it);
if (buf_in == NULL)
{
ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ERR_R_MALLOC_FAILURE);
goto err;
}
if (!EVP_DigestVerifyUpdate(&ctx,buf_in,inl))
{
ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ERR_R_EVP_LIB);
ret=0;
goto err;
}
OPENSSL_cleanse(buf_in,(unsigned int)inl);
OPENSSL_free(buf_in);
if (EVP_DigestVerifyFinal(&ctx,signature->data,
(size_t)signature->length) <= 0)
{
ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ERR_R_EVP_LIB);
ret=0;
goto err;
}
/* we don't need to zero the 'ctx' because we just checked
* public information */
/* memset(&ctx,0,sizeof(ctx)); */
ret=1;
err:
EVP_MD_CTX_cleanup(&ctx);
return(ret);
}
int
i2d_PROXY_CERT_INFO_EXTENSION(PROXY_CERT_INFO_EXTENSION *a, unsigned char **out)
{
return ASN1_item_i2d((ASN1_VALUE *)a, out, &PROXY_CERT_INFO_EXTENSION_it);
}
int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si,
X509 *x509)
{
ASN1_OCTET_STRING *os;
EVP_MD_CTX mdc_tmp, *mdc;
int ret = 0, i;
int md_type;
STACK_OF(X509_ATTRIBUTE) *sk;
BIO *btmp;
EVP_PKEY *pkey;
EVP_MD_CTX_init(&mdc_tmp);
if (!PKCS7_type_is_signed(p7) && !PKCS7_type_is_signedAndEnveloped(p7)) {
PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, PKCS7_R_WRONG_PKCS7_TYPE);
goto err;
}
md_type = OBJ_obj2nid(si->digest_alg->algorithm);
btmp = bio;
for (;;) {
if ((btmp == NULL) ||
((btmp = BIO_find_type(btmp, BIO_TYPE_MD)) == NULL)) {
PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY,
PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST);
goto err;
}
BIO_get_md_ctx(btmp, &mdc);
if (mdc == NULL) {
PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, ERR_R_INTERNAL_ERROR);
goto err;
}
if (EVP_MD_CTX_type(mdc) == md_type)
break;
/*
* Workaround for some broken clients that put the signature OID
* instead of the digest OID in digest_alg->algorithm
*/
if (EVP_MD_pkey_type(EVP_MD_CTX_md(mdc)) == md_type)
break;
btmp = BIO_next(btmp);
}
/*
* mdc is the digest ctx that we want, unless there are attributes, in
* which case the digest is the signed attributes
*/
if (!EVP_MD_CTX_copy_ex(&mdc_tmp, mdc))
goto err;
sk = si->auth_attr;
if ((sk != NULL) && (sk_X509_ATTRIBUTE_num(sk) != 0)) {
unsigned char md_dat[EVP_MAX_MD_SIZE], *abuf = NULL;
unsigned int md_len;
int alen;
ASN1_OCTET_STRING *message_digest;
if (!EVP_DigestFinal_ex(&mdc_tmp, md_dat, &md_len))
goto err;
message_digest = PKCS7_digest_from_attributes(sk);
if (!message_digest) {
PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY,
PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST);
goto err;
}
if ((message_digest->length != (int)md_len) ||
(memcmp(message_digest->data, md_dat, md_len))) {
#if 0
{
int ii;
for (ii = 0; ii < message_digest->length; ii++)
printf("%02X", message_digest->data[ii]);
printf(" sent\n");
for (ii = 0; ii < md_len; ii++)
printf("%02X", md_dat[ii]);
printf(" calc\n");
}
#endif
PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, PKCS7_R_DIGEST_FAILURE);
ret = -1;
goto err;
}
if (!EVP_VerifyInit_ex(&mdc_tmp, EVP_get_digestbynid(md_type), NULL))
goto err;
alen = ASN1_item_i2d((ASN1_VALUE *)sk, &abuf,
ASN1_ITEM_rptr(PKCS7_ATTR_VERIFY));
if (alen <= 0) {
PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, ERR_R_ASN1_LIB);
ret = -1;
goto err;
}
if (!EVP_VerifyUpdate(&mdc_tmp, abuf, alen))
goto err;
OPENSSL_free(abuf);
}
os = si->enc_digest;
pkey = X509_get_pubkey(x509);
if (!pkey) {
ret = -1;
goto err;
}
i = EVP_VerifyFinal(&mdc_tmp, os->data, os->length, pkey);
EVP_PKEY_free(pkey);
if (i <= 0) {
PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, PKCS7_R_SIGNATURE_FAILURE);
ret = -1;
goto err;
} else
ret = 1;
err:
EVP_MD_CTX_cleanup(&mdc_tmp);
return (ret);
}
int
i2d_PROXY_POLICY(PROXY_POLICY *a, unsigned char **out)
{
return ASN1_item_i2d((ASN1_VALUE *)a, out, &PROXY_POLICY_it);
}
