05d0977b4783e758a7045b7e9d5cc2991922803d
[strongswan.git] / src / libstrongswan / crypto / pkcs7.c
1 /**
2 * @file pkcs7.c
3 *
4 * @brief Implementation of pkcs7_contentInfo_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2005 Jan Hutter, Martin Willi
10 * Copyright (C) 2002-2005 Andreas Steffen
11 * Hochschule fuer Technik Rapperswil, Switzerland
12 *
13 * This program is free software; you can redistribute it and/or modify it
14 * under the terms of the GNU General Public License as published by the
15 * Free Software Foundation; either version 2 of the License, or (at your
16 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
17 *
18 * This program is distributed in the hope that it will be useful, but
19 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
20 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
21 * for more details.
22 *
23 * RCSID $Id$
24 */
25
26 #include <stdlib.h>
27 #include <string.h>
28
29 #include <library.h>
30 #include "debug.h"
31
32 #include <asn1/asn1.h>
33 #include <asn1/oid.h>
34 #include <crypto/x509.h>
35
36 #include "pkcs7.h"
37
38 typedef struct private_pkcs7_contentInfo_t private_pkcs7_contentInfo_t;
39
40 /**
41 * Private data of a pkcs7_contentInfo_t object.
42 */
43 struct private_pkcs7_contentInfo_t {
44 /**
45 * Public interface for this certificate.
46 */
47 pkcs7_contentInfo_t public;
48
49 /**
50 * contentInfo type
51 */
52 int type;
53
54 /**
55 * ASN.1 encoded content
56 */
57 chunk_t content;
58 };
59
60 /**
61 * ASN.1 definition of the PKCS#7 ContentInfo type
62 */
63 static const asn1Object_t contentInfoObjects[] = {
64 { 0, "contentInfo", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
65 { 1, "contentType", ASN1_OID, ASN1_BODY }, /* 1 */
66 { 1, "content", ASN1_CONTEXT_C_0, ASN1_OPT |
67 ASN1_BODY }, /* 2 */
68 { 1, "end opt", ASN1_EOC, ASN1_END } /* 3 */
69 };
70
71 #define PKCS7_INFO_TYPE 1
72 #define PKCS7_INFO_CONTENT 2
73 #define PKCS7_INFO_ROOF 4
74
75 /**
76 * ASN.1 definition of the PKCS#7 signedData type
77 */
78 static const asn1Object_t signedDataObjects[] = {
79 { 0, "signedData", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
80 { 1, "version", ASN1_INTEGER, ASN1_BODY }, /* 1 */
81 { 1, "digestAlgorithms", ASN1_SET, ASN1_LOOP }, /* 2 */
82 { 2, "algorithm", ASN1_EOC, ASN1_RAW }, /* 3 */
83 { 1, "end loop", ASN1_EOC, ASN1_END }, /* 4 */
84 { 1, "contentInfo", ASN1_EOC, ASN1_RAW }, /* 5 */
85 { 1, "certificates", ASN1_CONTEXT_C_0, ASN1_OPT |
86 ASN1_LOOP }, /* 6 */
87 { 2, "certificate", ASN1_SEQUENCE, ASN1_OBJ }, /* 7 */
88 { 1, "end opt or loop", ASN1_EOC, ASN1_END }, /* 8 */
89 { 1, "crls", ASN1_CONTEXT_C_1, ASN1_OPT |
90 ASN1_LOOP }, /* 9 */
91 { 2, "crl", ASN1_SEQUENCE, ASN1_OBJ }, /* 10 */
92 { 1, "end opt or loop", ASN1_EOC, ASN1_END }, /* 11 */
93 { 1, "signerInfos", ASN1_SET, ASN1_LOOP }, /* 12 */
94 { 2, "signerInfo", ASN1_SEQUENCE, ASN1_NONE }, /* 13 */
95 { 3, "version", ASN1_INTEGER, ASN1_BODY }, /* 14 */
96 { 3, "issuerAndSerialNumber", ASN1_SEQUENCE, ASN1_BODY }, /* 15 */
97 { 4, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 16 */
98 { 4, "serial", ASN1_INTEGER, ASN1_BODY }, /* 17 */
99 { 3, "digestAlgorithm", ASN1_EOC, ASN1_RAW }, /* 18 */
100 { 3, "authenticatedAttributes", ASN1_CONTEXT_C_0, ASN1_OPT |
101 ASN1_OBJ }, /* 19 */
102 { 3, "end opt", ASN1_EOC, ASN1_END }, /* 20 */
103 { 3, "digestEncryptionAlgorithm", ASN1_EOC, ASN1_RAW }, /* 21 */
104 { 3, "encryptedDigest", ASN1_OCTET_STRING, ASN1_BODY }, /* 22 */
105 { 3, "unauthenticatedAttributes", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 23 */
106 { 3, "end opt", ASN1_EOC, ASN1_END }, /* 24 */
107 { 1, "end loop", ASN1_EOC, ASN1_END } /* 25 */
108 };
109
110 #define PKCS7_DIGEST_ALG 3
111 #define PKCS7_SIGNED_CONTENT_INFO 5
112 #define PKCS7_SIGNED_CERT 7
113 #define PKCS7_SIGNER_INFO 13
114 #define PKCS7_SIGNED_ISSUER 16
115 #define PKCS7_SIGNED_SERIAL_NUMBER 17
116 #define PKCS7_DIGEST_ALGORITHM 18
117 #define PKCS7_AUTH_ATTRIBUTES 19
118 #define PKCS7_DIGEST_ENC_ALGORITHM 21
119 #define PKCS7_ENCRYPTED_DIGEST 22
120 #define PKCS7_SIGNED_ROOF 26
121
122 /**
123 * ASN.1 definition of the PKCS#7 envelopedData type
124 */
125 static const asn1Object_t envelopedDataObjects[] = {
126 { 0, "envelopedData", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
127 { 1, "version", ASN1_INTEGER, ASN1_BODY }, /* 1 */
128 { 1, "recipientInfos", ASN1_SET, ASN1_LOOP }, /* 2 */
129 { 2, "recipientInfo", ASN1_SEQUENCE, ASN1_BODY }, /* 3 */
130 { 3, "version", ASN1_INTEGER, ASN1_BODY }, /* 4 */
131 { 3, "issuerAndSerialNumber", ASN1_SEQUENCE, ASN1_BODY }, /* 5 */
132 { 4, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 6 */
133 { 4, "serial", ASN1_INTEGER, ASN1_BODY }, /* 7 */
134 { 3, "encryptionAlgorithm", ASN1_EOC, ASN1_RAW }, /* 8 */
135 { 3, "encryptedKey", ASN1_OCTET_STRING, ASN1_BODY }, /* 9 */
136 { 1, "end loop", ASN1_EOC, ASN1_END }, /* 10 */
137 { 1, "encryptedContentInfo", ASN1_SEQUENCE, ASN1_OBJ }, /* 11 */
138 { 2, "contentType", ASN1_OID, ASN1_BODY }, /* 12 */
139 { 2, "contentEncryptionAlgorithm", ASN1_EOC, ASN1_RAW }, /* 13 */
140 { 2, "encryptedContent", ASN1_CONTEXT_S_0, ASN1_BODY } /* 14 */
141 };
142
143 #define PKCS7_ENVELOPED_VERSION 1
144 #define PKCS7_RECIPIENT_INFO_VERSION 4
145 #define PKCS7_ISSUER 6
146 #define PKCS7_SERIAL_NUMBER 7
147 #define PKCS7_ENCRYPTION_ALG 8
148 #define PKCS7_ENCRYPTED_KEY 9
149 #define PKCS7_CONTENT_TYPE 12
150 #define PKCS7_CONTENT_ENC_ALGORITHM 13
151 #define PKCS7_ENCRYPTED_CONTENT 14
152 #define PKCS7_ENVELOPED_ROOF 15
153
154 /**
155 * PKCS7 contentInfo OIDs
156 */
157 static u_char ASN1_pkcs7_data_oid_str[] = {
158 0x06, 0x09,
159 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x01
160 };
161
162 static u_char ASN1_pkcs7_signed_data_oid_str[] = {
163 0x06, 0x09,
164 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02
165 };
166
167 static u_char ASN1_pkcs7_enveloped_data_oid_str[] = {
168 0x06, 0x09,
169 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x03
170 };
171
172 static u_char ASN1_pkcs7_signed_enveloped_data_oid_str[] = {
173 0x06, 0x09,
174 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x04
175 };
176
177 static u_char ASN1_pkcs7_digested_data_oid_str[] = {
178 0x06, 0x09,
179 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x05
180 };
181
182 static char ASN1_pkcs7_encrypted_data_oid_str[] = {
183 0x06, 0x09,
184 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x06
185 };
186
187 static const chunk_t ASN1_pkcs7_data_oid =
188 chunk_from_buf(ASN1_pkcs7_data_oid_str);
189 static const chunk_t ASN1_pkcs7_signed_data_oid =
190 chunk_from_buf(ASN1_pkcs7_signed_data_oid_str);
191 static const chunk_t ASN1_pkcs7_enveloped_data_oid =
192 chunk_from_buf(ASN1_pkcs7_enveloped_data_oid_str);
193 static const chunk_t ASN1_pkcs7_signed_enveloped_data_oid =
194 chunk_from_buf(ASN1_pkcs7_signed_enveloped_data_oid_str);
195 static const chunk_t ASN1_pkcs7_digested_data_oid =
196 chunk_from_buf(ASN1_pkcs7_digested_data_oid_str);
197 static const chunk_t ASN1_pkcs7_encrypted_data_oid =
198 chunk_from_buf(ASN1_pkcs7_encrypted_data_oid_str);
199
200 /**
201 * 3DES and DES encryption OIDs
202 */
203 static u_char ASN1_3des_ede_cbc_oid_str[] = {
204 0x06, 0x08,
205 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x03, 0x07
206 };
207
208 static u_char ASN1_des_cbc_oid_str[] = {
209 0x06, 0x05,
210 0x2B, 0x0E, 0x03, 0x02, 0x07
211 };
212
213 static const chunk_t ASN1_3des_ede_cbc_oid =
214 chunk_from_buf(ASN1_3des_ede_cbc_oid_str);
215 static const chunk_t ASN1_des_cbc_oid =
216 chunk_from_buf(ASN1_des_cbc_oid_str);
217
218 /**
219 * PKCS#7 attribute type OIDs
220 */
221 static u_char ASN1_contentType_oid_str[] = {
222 0x06, 0x09,
223 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x03
224 };
225
226 static u_char ASN1_messageDigest_oid_str[] = {
227 0x06, 0x09,
228 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x04
229 };
230
231 static const chunk_t ASN1_contentType_oid =
232 chunk_from_buf(ASN1_contentType_oid_str);
233 static const chunk_t ASN1_messageDigest_oid =
234 chunk_from_buf(ASN1_messageDigest_oid_str);
235
236 /**
237 * Implements pkcs7_contentInfo_t.destroy
238 */
239 static void destroy(private_pkcs7_contentInfo_t *this)
240 {
241 free(this);
242 }
243
244 /**
245 * Parse PKCS#7 ContentInfo object
246 */
247 static bool pkcs7_parse_contentInfo(chunk_t blob, u_int level0, private_pkcs7_contentInfo_t *cInfo)
248 {
249 asn1_ctx_t ctx;
250 chunk_t object;
251 u_int level;
252 int objectID = 0;
253
254 asn1_init(&ctx, blob, level0, FALSE, FALSE);
255
256 while (objectID < PKCS7_INFO_ROOF)
257 {
258 if (!extract_object(contentInfoObjects, &objectID, &object, &level, &ctx))
259 {
260 return FALSE;
261 }
262
263 if (objectID == PKCS7_INFO_TYPE)
264 {
265 cInfo->type = known_oid(object);
266 if (cInfo->type < OID_PKCS7_DATA
267 || cInfo->type > OID_PKCS7_ENCRYPTED_DATA)
268 {
269 DBG1("unknown pkcs7 content type");
270 return FALSE;
271 }
272 }
273 else if (objectID == PKCS7_INFO_CONTENT)
274 {
275 cInfo->content = object;
276 }
277 objectID++;
278 }
279 return TRUE;
280 }
281
282 /*
283 * Described in header.
284 */
285 pkcs7_contentInfo_t *pkcs7_contentInfo_create_from_chunk(chunk_t chunk, u_int level)
286 {
287 private_pkcs7_contentInfo_t *this = malloc_thing(private_pkcs7_contentInfo_t);
288
289 /* initialize */
290 this->type = OID_UNKNOWN;
291 this->content = chunk_empty;
292
293 /*public functions */
294 this->public.destroy = (void (*) (pkcs7_contentInfo_t*))destroy;
295
296 if (!pkcs7_parse_contentInfo(chunk, level, this))
297 {
298 destroy(this);
299 return NULL;
300 }
301 return &this->public;
302 }
303
304 /**
305 * Parse a PKCS#7 signedData object
306 */
307 bool pkcs7_parse_signedData(chunk_t blob, pkcs7_contentInfo_t *data, x509_t **cert,
308 chunk_t *attributes, const x509_t *cacert)
309 {
310 u_char buf[BUF_LEN];
311 asn1_ctx_t ctx;
312 chunk_t object;
313 u_int level;
314 int digest_alg = OID_UNKNOWN;
315 int enc_alg = OID_UNKNOWN;
316 int signerInfos = 0;
317 int objectID = 0;
318
319 private_pkcs7_contentInfo_t cInfo;
320 chunk_t encrypted_digest = chunk_empty;
321
322 if (!pkcs7_parse_contentInfo(blob, 0, &cInfo))
323 {
324 return FALSE;
325 }
326 if (cInfo.type != OID_PKCS7_SIGNED_DATA)
327 {
328 DBG1("pkcs7 content type is not signedData");
329 return FALSE;
330 }
331
332 asn1_init(&ctx, cInfo.content, 2, FALSE, FALSE);
333
334 while (objectID < PKCS7_SIGNED_ROOF)
335 {
336 if (!extract_object(signedDataObjects, &objectID, &object, &level, &ctx))
337 {
338 return FALSE;
339 }
340
341 switch (objectID)
342 {
343 case PKCS7_DIGEST_ALG:
344 digest_alg = parse_algorithmIdentifier(object, level, NULL);
345 break;
346 case PKCS7_SIGNED_CONTENT_INFO:
347 if (data != NULL)
348 {
349 pkcs7_parse_contentInfo(object, level, data);
350 }
351 break;
352 case PKCS7_SIGNED_CERT:
353 if (cert != NULL)
354 {
355 chunk_t cert_blob;
356
357 x509_t *newcert = alloc_thing(x509_t, "pkcs7 wrapped x509cert");
358
359 clonetochunk(cert_blob, object.ptr, object.len, "pkcs7 cert blob");
360 *newcert = empty_x509cert;
361
362 DBG2("parsing pkcs7-wrapped certificate");
363 if (parse_x509cert(cert_blob, level+1, newcert))
364 {
365 newcert->next = *cert;
366 *cert = newcert;
367 }
368 else
369 {
370 newcert->destroy(newcert);
371 }
372 }
373 break;
374 case PKCS7_SIGNER_INFO:
375 signerInfos++;
376 DBG2(" signer #%d", signerInfos);
377 break;
378 case PKCS7_SIGNED_ISSUER:
379 {
380 identification_t *issuer;
381
382 issuer = identification_create_from_encoding(ID_DER_ASN1_DN, object);
383 DBG2(" '%D'", issuer);
384 issuer->destroy(issuer);
385 }
386 break;
387 case PKCS7_AUTH_ATTRIBUTES:
388 if (attributes != NULL)
389 {
390 *attributes = object;
391 *attributes->ptr = ASN1_SET;
392 }
393 break;
394 case PKCS7_DIGEST_ALGORITHM:
395 digest_alg = parse_algorithmIdentifier(object, level, NULL);
396 break;
397 case PKCS7_DIGEST_ENC_ALGORITHM:
398 enc_alg = parse_algorithmIdentifier(object, level, NULL);
399 break;
400 case PKCS7_ENCRYPTED_DIGEST:
401 encrypted_digest = object;
402 }
403 objectID++;
404 }
405
406 /* check the signature only if a cacert is available */
407 if (cacert != NULL)
408 {
409 if (signerInfos == 0)
410 {
411 DBG1("no signerInfo object found");
412 return FALSE;
413 }
414 else if (signerInfos > 1)
415 {
416 DBG1("more than one signerInfo object found");
417 return FALSE;
418 }
419 if (attributes->ptr == NULL)
420 {
421 DBG1("no authenticatedAttributes object found");
422 return FALSE;
423 }
424 if (!check_signature(*attributes, encrypted_digest, digest_alg
425 , enc_alg, cacert))
426 {
427 DBG1("invalid signature");
428 return FALSE;
429 }
430 else
431 {
432 DBG2("signature is valid");
433 }
434 }
435 return TRUE;
436 }
437
438 /**
439 * Parse a PKCS#7 envelopedData object
440 */
441 bool pkcs7_parse_envelopedData(chunk_t blob, chunk_t *data,
442 chunk_t serialNumber,
443 const RSA_private_key_t *key)
444 {
445 asn1_ctx_t ctx;
446 chunk_t object;
447 chunk_t iv = empty_chunk;
448 chunk_t symmetric_key = empty_chunk;
449 chunk_t encrypted_content = empty_chunk;
450
451 u_char buf[BUF_LEN];
452 u_int level;
453 u_int total_keys = 3;
454 int enc_alg = OID_UNKNOWN;
455 int content_enc_alg = OID_UNKNOWN;
456 int objectID = 0;
457
458 contentInfo_t cInfo = empty_contentInfo;
459 *data = empty_chunk;
460
461 if (!pkcs7_pkcs7_parse_contentInfo(blob, 0, &cInfo))
462 {
463 goto failed;
464 }
465 if (cInfo.type != OID_PKCS7_ENVELOPED_DATA)
466 {
467 DBG1("pkcs7 content type is not envelopedData");
468 goto failed;
469 }
470
471 asn1_init(&ctx, cInfo.content, 2, FALSE, DBG_RAW);
472
473 while (objectID < PKCS7_ENVELOPED_ROOF)
474 {
475 if (!extract_object(envelopedDataObjects, &objectID, &object, &level, &ctx))
476 {
477 goto failed;
478 }
479
480 switch (objectID)
481 {
482 case PKCS7_ENVELOPED_VERSION:
483 if (*object.ptr != 0)
484 {
485 DBG1("envelopedData version is not 0");
486 goto failed;
487 }
488 break;
489 case PKCS7_RECIPIENT_INFO_VERSION:
490 if (*object.ptr != 0)
491 {
492 DBG1("recipient info version is not 0");
493 goto failed;
494 }
495 break;
496 case PKCS7_ISSUER:
497 {
498 identification_t *issuer;
499
500 issuer = identification_create_from_encoding(ID_DER_ASN1_DN, object);
501 DBG2(" '%D'", issuer);
502 issuer->destroy(issuer);
503 }
504 break;
505 case PKCS7_SERIAL_NUMBER:
506 if (!chunk_equals(serialNumber, object))
507 {
508 DBG1("serial numbers do not match");
509 goto failed;
510 }
511 break;
512 case PKCS7_ENCRYPTION_ALG:
513 enc_alg = parse_algorithmIdentifier(object, level, NULL);
514 if (enc_alg != OID_RSA_ENCRYPTION)
515 {
516 DBG1("only rsa encryption supported");
517 goto failed;
518 }
519 break;
520 case PKCS7_ENCRYPTED_KEY:
521 if (!RSA_decrypt(key, object, &symmetric_key))
522 {
523 DBG1("symmetric key could not be decrypted with rsa");
524 goto failed;
525 }
526 DBG4("symmetric key : %B", &symmetric_key);
527 break;
528 case PKCS7_CONTENT_TYPE:
529 if (known_oid(object) != OID_PKCS7_DATA)
530 {
531 DBG1("encrypted content not of type pkcs7 data");
532 goto failed;
533 }
534 break;
535 case PKCS7_CONTENT_ENC_ALGORITHM:
536 content_enc_alg = parse_algorithmIdentifier(object, level, &iv);
537
538 switch (content_enc_alg)
539 {
540 case OID_DES_CBC:
541 total_keys = 1;
542 break;
543 case OID_3DES_EDE_CBC:
544 total_keys = 3;
545 break;
546 default:
547 DBG1("Only DES and 3DES supported for symmetric encryption");
548 goto failed;
549 }
550 if (symmetric_key.len != (total_keys * DES_CBC_BLOCK_SIZE))
551 {
552 DBG1("key length is not %d", (total_keys * DES_CBC_BLOCK_SIZE));
553 goto failed;
554 }
555 if (!parse_asn1_simple_object(&iv, ASN1_OCTET_STRING, level+1, "IV"))
556 {
557 DBG1("IV could not be parsed");
558 goto failed;
559 }
560 if (iv.len != DES_CBC_BLOCK_SIZE)
561 {
562 plog("IV has wrong length");
563 goto failed;
564 }
565 break;
566 case PKCS7_ENCRYPTED_CONTENT:
567 encrypted_content = object;
568 break;
569 }
570 objectID++;
571 }
572
573 /* decrypt the content */
574 {
575 u_int i;
576 des_cblock des_key[3], des_iv;
577 des_key_schedule key_s[3];
578
579 memcpy((char *)des_key, symmetric_key.ptr, symmetric_key.len);
580 memcpy((char *)des_iv, iv.ptr, iv.len);
581
582 for (i = 0; i < total_keys; i++)
583 {
584 if (des_set_key(&des_key[i], key_s[i]))
585 {
586 plog("des key schedule failed");
587 goto failed;
588 }
589 }
590
591 data->len = encrypted_content.len;
592 data->ptr = alloc_bytes(data->len, "decrypted data");
593
594 switch (content_enc_alg)
595 {
596 case OID_DES_CBC:
597 des_cbc_encrypt((des_cblock*)encrypted_content.ptr
598 , (des_cblock*)data->ptr, data->len
599 , key_s[0], &des_iv, DES_DECRYPT);
600 break;
601 case OID_3DES_EDE_CBC:
602 des_ede3_cbc_encrypt( (des_cblock*)encrypted_content.ptr
603 , (des_cblock*)data->ptr, data->len
604 , key_s[0], key_s[1], key_s[2]
605 , &des_iv, DES_DECRYPT);
606 }
607 DBG4("decrypted content with padding: %B", data);
608 }
609
610 /* remove the padding */
611 {
612 u_char *pos = data->ptr + data->len - 1;
613 u_char pattern = *pos;
614 size_t padding = pattern;
615
616 if (padding > data->len)
617 {
618 DBG1("padding greater than data length");
619 goto failed;
620 }
621 data->len -= padding;
622
623 while (padding-- > 0)
624 {
625 if (*pos-- != pattern)
626 {
627 DBG1("wrong padding pattern");
628 goto failed;
629 }
630 }
631 }
632 free(symmetric_key.ptr);
633 return TRUE;
634
635 failed:
636 free(symmetric_key.ptr);
637 pfreeany(data->ptr);
638 return FALSE;
639 }
640
641 /**
642 * @brief Builds a contentType attribute
643 *
644 * @return ASN.1 encoded contentType attribute
645 */
646 chunk_t pkcs7_contentType_attribute(void)
647 {
648 return asn1_wrap(ASN1_SEQUENCE, "cm"
649 , ASN1_contentType_oid
650 , asn1_simple_object(ASN1_SET, ASN1_pkcs7_data_oid));
651 }
652
653 /**
654 * @brief Builds a messageDigest attribute
655 *
656 *
657 * @param[in] blob content to create digest of
658 * @param[in] digest_alg digest algorithm to be used
659 * @return ASN.1 encoded messageDigest attribute
660 *
661 */
662 chunk_t pkcs7_messageDigest_attribute(chunk_t content, int digest_alg)
663 {
664 u_char digest_buf[MAX_DIGEST_LEN];
665 chunk_t digest = { digest_buf, MAX_DIGEST_LEN };
666
667 compute_digest(content, digest_alg, &digest);
668
669 return asn1_wrap(ASN1_SEQUENCE, "cm"
670 , ASN1_messageDigest_oid
671 , asn1_wrap(ASN1_SET, "m"
672 , asn1_simple_object(ASN1_OCTET_STRING, digest)
673 )
674 );
675 }
676
677 /**
678 * build a DER-encoded contentInfo object
679 */
680 static chunk_t pkcs7_build_contentInfo(contentInfo_t *cInfo)
681 {
682 chunk_t content_type;
683
684 /* select DER-encoded OID for pkcs7 contentInfo type */
685 switch(cInfo->type)
686 {
687 case OID_PKCS7_DATA:
688 content_type = ASN1_pkcs7_data_oid;
689 break;
690 case OID_PKCS7_SIGNED_DATA:
691 content_type = ASN1_pkcs7_signed_data_oid;
692 break;
693 case OID_PKCS7_ENVELOPED_DATA:
694 content_type = ASN1_pkcs7_enveloped_data_oid;
695 break;
696 case OID_PKCS7_SIGNED_ENVELOPED_DATA:
697 content_type = ASN1_pkcs7_signed_enveloped_data_oid;
698 break;
699 case OID_PKCS7_DIGESTED_DATA:
700 content_type = ASN1_pkcs7_digested_data_oid;
701 break;
702 case OID_PKCS7_ENCRYPTED_DATA:
703 content_type = ASN1_pkcs7_encrypted_data_oid;
704 break;
705 case OID_UNKNOWN:
706 default:
707 DBG1("invalid pkcs7 contentInfo type");
708 return chunk_empty;
709 }
710
711 return (cInfo->content.ptr == NULL)
712 ? asn1_simple_object(ASN1_SEQUENCE, content_type)
713 : asn1_wrap(ASN1_SEQUENCE, "cm"
714 , content_type
715 , asn1_simple_object(ASN1_CONTEXT_C_0, cInfo->content)
716 );
717 }
718
719 /**
720 * build issuerAndSerialNumber object
721 */
722 chunk_t pkcs7_build_issuerAndSerialNumber(const x509_t *cert)
723 {
724 return asn1_wrap(ASN1_SEQUENCE, "cm"
725 , cert->issuer
726 , asn1_simple_object(ASN1_INTEGER, cert->serialNumber));
727 }
728
729 /**
730 * create a signed pkcs7 contentInfo object
731 */
732 chunk_t pkcs7_build_signedData(chunk_t data, chunk_t attributes, const x509_t *cert,
733 int digest_alg, const RSA_private_key_t *key)
734 {
735 contentInfo_t pkcs7Data, signedData;
736 chunk_t authenticatedAttributes, encryptedDigest, signerInfo, cInfo;
737
738 chunk_t digestAlgorithm = asn1_algorithmIdentifier(digest_alg);
739
740 if (attributes.ptr != NULL)
741 {
742 encryptedDigest = pkcs1_build_signature(attributes, digest_alg
743 , key, FALSE);
744 clonetochunk(authenticatedAttributes, attributes.ptr, attributes.len
745 , "authenticatedAttributes");
746 *authenticatedAttributes.ptr = ASN1_CONTEXT_C_0;
747 }
748 else
749 {
750 encryptedDigest = (data.ptr == NULL)? empty_chunk
751 : pkcs1_build_signature(data, digest_alg, key, FALSE);
752 authenticatedAttributes = empty_chunk;
753 }
754
755 signerInfo = asn1_wrap(ASN1_SEQUENCE, "cmcmcm"
756 , ASN1_INTEGER_1
757 , pkcs7_build_issuerAndSerialNumber(cert)
758 , digestAlgorithm
759 , authenticatedAttributes
760 , ASN1_rsaEncryption_id
761 , encryptedDigest);
762
763 pkcs7Data.type = OID_PKCS7_DATA;
764 pkcs7Data.content = (data.ptr == NULL)? empty_chunk
765 : asn1_simple_object(ASN1_OCTET_STRING, data);
766
767 signedData.type = OID_PKCS7_SIGNED_DATA;
768 signedData.content = asn1_wrap(ASN1_SEQUENCE, "cmmmm"
769 , ASN1_INTEGER_1
770 , asn1_simple_object(ASN1_SET, digestAlgorithm)
771 , pkcs7_build_contentInfo(&pkcs7Data)
772 , asn1_simple_object(ASN1_CONTEXT_C_0, cert->certificate)
773 , asn1_wrap(ASN1_SET, "m", signerInfo));
774
775 cInfo = pkcs7_build_contentInfo(&signedData);
776 DBG3("signedData: %B", &cInfo);
777
778 free(pkcs7Data.content.ptr);
779 free(signedData.content.ptr);
780 return cInfo;
781 }
782
783 /**
784 * create a symmetrically encrypted pkcs7 contentInfo object
785 */
786 chunk_t pkcs7_build_envelopedData(chunk_t data, const x509_t *cert, int cipher)
787 {
788 bool des_check_key_save;
789 des_key_schedule ks[3];
790 des_cblock key[3], des_iv, des_iv_buf;
791
792 chunk_t iv = { (u_char *)des_iv_buf, DES_CBC_BLOCK_SIZE };
793 chunk_t out;
794 chunk_t cipher_oid;
795
796 u_int total_keys, i;
797 size_t padding = pad_up(data.len, DES_CBC_BLOCK_SIZE);
798
799 RSA_public_key_t public_key;
800
801 init_RSA_public_key(&public_key, cert->publicExponent
802 , cert->modulus);
803
804 if (padding == 0)
805 {
806 padding += DES_CBC_BLOCK_SIZE;
807 }
808
809 out.len = data.len + padding;
810 out.ptr = alloc_bytes(out.len, "DES-encrypted output");
811
812 DBG2("padding %d bytes of data to multiple DES block size of %d bytes"
813 , (int)data.len, (int)out.len);
814
815 /* copy data */
816 memcpy(out.ptr, data.ptr, data.len);
817 /* append padding */
818 memset(out.ptr + data.len, padding, padding);
819
820 DBG3("padded unencrypted data: %B", &out);
821
822 /* select OID and keylength for specified cipher */
823 switch (cipher)
824 {
825 case OID_DES_CBC:
826 total_keys = 1;
827 cipher_oid = ASN1_des_cbc_oid;
828 break;
829 case OID_3DES_EDE_CBC:
830 default:
831 total_keys = 3;
832 cipher_oid = ASN1_3des_ede_cbc_oid;
833 }
834 DBG2("pkcs7 encryption cipher: %s", oid_names[cipher].name);
835
836 /* generate a strong random key for DES/3DES */
837 des_check_key_save = des_check_key;
838 des_check_key = TRUE;
839 for (i = 0; i < total_keys;i++)
840 {
841 for (;;)
842 {
843 get_rnd_bytes((char*)key[i], DES_CBC_BLOCK_SIZE);
844 des_set_odd_parity(&key[i]);
845 if (!des_set_key(&key[i], ks[i]))
846 {
847 break;
848 plog("weak DES key discarded - we try again");
849 }
850 }
851 /* TODO DBG4("DES key: %#B", key[i], 8) */
852 }
853 des_check_key = des_check_key_save;
854
855 /* generate an iv for DES/3DES CBC */
856 get_rnd_bytes(des_iv, DES_CBC_BLOCK_SIZE);
857 memcpy(iv.ptr, des_iv, DES_CBC_BLOCK_SIZE);
858 DBG3("DES IV : %#B", &iv);
859
860 /* encryption using specified cipher */
861 switch (cipher)
862 {
863 case OID_DES_CBC:
864 des_cbc_encrypt((des_cblock*)out.ptr, (des_cblock*)out.ptr, out.len
865 , ks[0], &des_iv, DES_ENCRYPT);
866 break;
867 case OID_3DES_EDE_CBC:
868 default:
869 des_ede3_cbc_encrypt((des_cblock*)out.ptr, (des_cblock*)out.ptr, out.len
870 , ks[0], ks[1], ks[2], &des_iv, DES_ENCRYPT);
871 }
872 DBG3(("Encrypted data: %B", &out);
873
874 /* build pkcs7 enveloped data object */
875 {
876 chunk_t contentEncryptionAlgorithm = asn1_wrap(ASN1_SEQUENCE, "cm"
877 , cipher_oid
878 , asn1_simple_object(ASN1_OCTET_STRING, iv));
879
880 chunk_t encryptedContentInfo = asn1_wrap(ASN1_SEQUENCE, "cmm"
881 , ASN1_pkcs7_data_oid
882 , contentEncryptionAlgorithm
883 , asn1_wrap(ASN1_CONTEXT_S_0, "m", out));
884
885 chunk_t plainKey = { (u_char *)key, DES_CBC_BLOCK_SIZE * total_keys };
886
887 chunk_t encryptedKey = asn1_wrap(ASN1_OCTET_STRING, "m"
888 , RSA_encrypt(&public_key, plainKey));
889
890 chunk_t recipientInfo = asn1_wrap(ASN1_SEQUENCE, "cmcm"
891 , ASN1_INTEGER_0
892 , pkcs7_build_issuerAndSerialNumber(cert)
893 , ASN1_rsaEncryption_id
894 , encryptedKey);
895
896 chunk_t cInfo;
897 contentInfo_t envelopedData;
898
899 envelopedData.type = OID_PKCS7_ENVELOPED_DATA;
900 envelopedData.content = asn1_wrap(ASN1_SEQUENCE, "cmm"
901 , ASN1_INTEGER_0
902 , asn1_wrap(ASN1_SET, "m", recipientInfo)
903 , encryptedContentInfo);
904
905 cInfo = pkcs7_build_contentInfo(&envelopedData);
906 DBG3("envelopedData: %B", &cInfo);
907
908 free_RSA_public_content(&public_key);
909 free(envelopedData.content.ptr);
910 return cInfo;
911 }
912 }