removed oid.txt and oid.pl in pluto subdir
[strongswan.git] / src / pluto / pkcs7.c
1 /* Support of PKCS#7 data structures
2 * Copyright (C) 2005 Jan Hutter, Martin Willi
3 * Copyright (C) 2002-2005 Andreas Steffen
4 * Hochschule fuer Technik Rapperswil, Switzerland
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 *
16 * RCSID $Id: pkcs7.c,v 1.13 2005/12/22 22:11:24 as Exp $
17 */
18
19 #include <stdlib.h>
20 #include <string.h>
21 #include <libdes/des.h>
22
23 #include <freeswan.h>
24
25 #include "constants.h"
26 #include "defs.h"
27 #include "asn1.h"
28 #include <asn1/oid.h>
29 #include "log.h"
30 #include "x509.h"
31 #include "certs.h"
32 #include "pkcs7.h"
33 #include "rnd.h"
34
35 const contentInfo_t empty_contentInfo = {
36 OID_UNKNOWN , /* type */
37 { NULL, 0 } /* content */
38 };
39
40 /* ASN.1 definition of the PKCS#7 ContentInfo type */
41
42 static const asn1Object_t contentInfoObjects[] = {
43 { 0, "contentInfo", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
44 { 1, "contentType", ASN1_OID, ASN1_BODY }, /* 1 */
45 { 1, "content", ASN1_CONTEXT_C_0, ASN1_OPT |
46 ASN1_BODY }, /* 2 */
47 { 1, "end opt", ASN1_EOC, ASN1_END } /* 3 */
48 };
49
50 #define PKCS7_INFO_TYPE 1
51 #define PKCS7_INFO_CONTENT 2
52 #define PKCS7_INFO_ROOF 4
53
54 /* ASN.1 definition of the PKCS#7 signedData type */
55
56 static const asn1Object_t signedDataObjects[] = {
57 { 0, "signedData", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
58 { 1, "version", ASN1_INTEGER, ASN1_BODY }, /* 1 */
59 { 1, "digestAlgorithms", ASN1_SET, ASN1_LOOP }, /* 2 */
60 { 2, "algorithm", ASN1_EOC, ASN1_RAW }, /* 3 */
61 { 1, "end loop", ASN1_EOC, ASN1_END }, /* 4 */
62 { 1, "contentInfo", ASN1_EOC, ASN1_RAW }, /* 5 */
63 { 1, "certificates", ASN1_CONTEXT_C_0, ASN1_OPT |
64 ASN1_LOOP }, /* 6 */
65 { 2, "certificate", ASN1_SEQUENCE, ASN1_OBJ }, /* 7 */
66 { 1, "end opt or loop", ASN1_EOC, ASN1_END }, /* 8 */
67 { 1, "crls", ASN1_CONTEXT_C_1, ASN1_OPT |
68 ASN1_LOOP }, /* 9 */
69 { 2, "crl", ASN1_SEQUENCE, ASN1_OBJ }, /* 10 */
70 { 1, "end opt or loop", ASN1_EOC, ASN1_END }, /* 11 */
71 { 1, "signerInfos", ASN1_SET, ASN1_LOOP }, /* 12 */
72 { 2, "signerInfo", ASN1_SEQUENCE, ASN1_NONE }, /* 13 */
73 { 3, "version", ASN1_INTEGER, ASN1_BODY }, /* 14 */
74 { 3, "issuerAndSerialNumber", ASN1_SEQUENCE, ASN1_BODY }, /* 15 */
75 { 4, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 16 */
76 { 4, "serial", ASN1_INTEGER, ASN1_BODY }, /* 17 */
77 { 3, "digestAlgorithm", ASN1_EOC, ASN1_RAW }, /* 18 */
78 { 3, "authenticatedAttributes", ASN1_CONTEXT_C_0, ASN1_OPT |
79 ASN1_OBJ }, /* 19 */
80 { 3, "end opt", ASN1_EOC, ASN1_END }, /* 20 */
81 { 3, "digestEncryptionAlgorithm", ASN1_EOC, ASN1_RAW }, /* 21 */
82 { 3, "encryptedDigest", ASN1_OCTET_STRING, ASN1_BODY }, /* 22 */
83 { 3, "unauthenticatedAttributes", ASN1_CONTEXT_C_1, ASN1_OPT }, /* 23 */
84 { 3, "end opt", ASN1_EOC, ASN1_END }, /* 24 */
85 { 1, "end loop", ASN1_EOC, ASN1_END } /* 25 */
86 };
87
88 #define PKCS7_DIGEST_ALG 3
89 #define PKCS7_SIGNED_CONTENT_INFO 5
90 #define PKCS7_SIGNED_CERT 7
91 #define PKCS7_SIGNER_INFO 13
92 #define PKCS7_SIGNED_ISSUER 16
93 #define PKCS7_SIGNED_SERIAL_NUMBER 17
94 #define PKCS7_DIGEST_ALGORITHM 18
95 #define PKCS7_AUTH_ATTRIBUTES 19
96 #define PKCS7_DIGEST_ENC_ALGORITHM 21
97 #define PKCS7_ENCRYPTED_DIGEST 22
98 #define PKCS7_SIGNED_ROOF 26
99
100 /* ASN.1 definition of the PKCS#7 envelopedData type */
101
102 static const asn1Object_t envelopedDataObjects[] = {
103 { 0, "envelopedData", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
104 { 1, "version", ASN1_INTEGER, ASN1_BODY }, /* 1 */
105 { 1, "recipientInfos", ASN1_SET, ASN1_LOOP }, /* 2 */
106 { 2, "recipientInfo", ASN1_SEQUENCE, ASN1_BODY }, /* 3 */
107 { 3, "version", ASN1_INTEGER, ASN1_BODY }, /* 4 */
108 { 3, "issuerAndSerialNumber", ASN1_SEQUENCE, ASN1_BODY }, /* 5 */
109 { 4, "issuer", ASN1_SEQUENCE, ASN1_OBJ }, /* 6 */
110 { 4, "serial", ASN1_INTEGER, ASN1_BODY }, /* 7 */
111 { 3, "encryptionAlgorithm", ASN1_EOC, ASN1_RAW }, /* 8 */
112 { 3, "encryptedKey", ASN1_OCTET_STRING, ASN1_BODY }, /* 9 */
113 { 1, "end loop", ASN1_EOC, ASN1_END }, /* 10 */
114 { 1, "encryptedContentInfo", ASN1_SEQUENCE, ASN1_OBJ }, /* 11 */
115 { 2, "contentType", ASN1_OID, ASN1_BODY }, /* 12 */
116 { 2, "contentEncryptionAlgorithm", ASN1_EOC, ASN1_RAW }, /* 13 */
117 { 2, "encryptedContent", ASN1_CONTEXT_S_0, ASN1_BODY } /* 14 */
118 };
119
120 #define PKCS7_ENVELOPED_VERSION 1
121 #define PKCS7_RECIPIENT_INFO_VERSION 4
122 #define PKCS7_ISSUER 6
123 #define PKCS7_SERIAL_NUMBER 7
124 #define PKCS7_ENCRYPTION_ALG 8
125 #define PKCS7_ENCRYPTED_KEY 9
126 #define PKCS7_CONTENT_TYPE 12
127 #define PKCS7_CONTENT_ENC_ALGORITHM 13
128 #define PKCS7_ENCRYPTED_CONTENT 14
129 #define PKCS7_ENVELOPED_ROOF 15
130
131 /* PKCS7 contentInfo OIDs */
132
133 static u_char ASN1_pkcs7_data_oid_str[] = {
134 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x01
135 };
136
137 static u_char ASN1_pkcs7_signed_data_oid_str[] = {
138 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02
139 };
140
141 static u_char ASN1_pkcs7_enveloped_data_oid_str[] = {
142 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x03
143 };
144
145 static u_char ASN1_pkcs7_signed_enveloped_data_oid_str[] = {
146 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x04
147 };
148
149 static u_char ASN1_pkcs7_digested_data_oid_str[] = {
150 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x05
151 };
152
153 static char ASN1_pkcs7_encrypted_data_oid_str[] = {
154 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x06
155 };
156
157 static const chunk_t ASN1_pkcs7_data_oid =
158 strchunk(ASN1_pkcs7_data_oid_str);
159 static const chunk_t ASN1_pkcs7_signed_data_oid =
160 strchunk(ASN1_pkcs7_signed_data_oid_str);
161 static const chunk_t ASN1_pkcs7_enveloped_data_oid =
162 strchunk(ASN1_pkcs7_enveloped_data_oid_str);
163 static const chunk_t ASN1_pkcs7_signed_enveloped_data_oid =
164 strchunk(ASN1_pkcs7_signed_enveloped_data_oid_str);
165 static const chunk_t ASN1_pkcs7_digested_data_oid =
166 strchunk(ASN1_pkcs7_digested_data_oid_str);
167 static const chunk_t ASN1_pkcs7_encrypted_data_oid =
168 strchunk(ASN1_pkcs7_encrypted_data_oid_str);
169
170 /* 3DES and DES encryption OIDs */
171
172 static u_char ASN1_3des_ede_cbc_oid_str[] = {
173 0x06, 0x08, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x03, 0x07
174 };
175
176 static u_char ASN1_des_cbc_oid_str[] = {
177 0x06, 0x05, 0x2B, 0x0E, 0x03, 0x02, 0x07
178 };
179
180 static const chunk_t ASN1_3des_ede_cbc_oid =
181 strchunk(ASN1_3des_ede_cbc_oid_str);
182 static const chunk_t ASN1_des_cbc_oid =
183 strchunk(ASN1_des_cbc_oid_str);
184
185 /* PKCS#7 attribute type OIDs */
186
187 static u_char ASN1_contentType_oid_str[] = {
188 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x03
189 };
190
191 static u_char ASN1_messageDigest_oid_str[] = {
192 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x04
193 };
194
195 static const chunk_t ASN1_contentType_oid =
196 strchunk(ASN1_contentType_oid_str);
197 static const chunk_t ASN1_messageDigest_oid =
198 strchunk(ASN1_messageDigest_oid_str);
199
200 /*
201 * Parse PKCS#7 ContentInfo object
202 */
203 bool
204 pkcs7_parse_contentInfo(chunk_t blob, u_int level0, contentInfo_t *cInfo)
205 {
206 asn1_ctx_t ctx;
207 chunk_t object;
208 u_int level;
209 int objectID = 0;
210
211 asn1_init(&ctx, blob, level0, FALSE, DBG_RAW);
212
213 while (objectID < PKCS7_INFO_ROOF)
214 {
215 if (!extract_object(contentInfoObjects, &objectID, &object, &level, &ctx))
216 return FALSE;
217
218 if (objectID == PKCS7_INFO_TYPE)
219 {
220 cInfo->type = known_oid(object);
221 if (cInfo->type < OID_PKCS7_DATA
222 || cInfo->type > OID_PKCS7_ENCRYPTED_DATA)
223 {
224 plog("unknown pkcs7 content type");
225 return FALSE;
226 }
227 }
228 else if (objectID == PKCS7_INFO_CONTENT)
229 {
230 cInfo->content = object;
231 }
232 objectID++;
233 }
234 return TRUE;
235 }
236
237 /*
238 * Parse a PKCS#7 signedData object
239 */
240 bool
241 pkcs7_parse_signedData(chunk_t blob, contentInfo_t *data, x509cert_t **cert
242 , chunk_t *attributes, const x509cert_t *cacert)
243 {
244 u_char buf[BUF_LEN];
245 asn1_ctx_t ctx;
246 chunk_t object;
247 u_int level;
248 int digest_alg = OID_UNKNOWN;
249 int enc_alg = OID_UNKNOWN;
250 int signerInfos = 0;
251 int objectID = 0;
252
253 contentInfo_t cInfo = empty_contentInfo;
254 chunk_t encrypted_digest = empty_chunk;
255
256 if (!pkcs7_parse_contentInfo(blob, 0, &cInfo))
257 return FALSE;
258
259 if (cInfo.type != OID_PKCS7_SIGNED_DATA)
260 {
261 plog("pkcs7 content type is not signedData");
262 return FALSE;
263 }
264
265 asn1_init(&ctx, cInfo.content, 2, FALSE, DBG_RAW);
266
267 while (objectID < PKCS7_SIGNED_ROOF)
268 {
269 if (!extract_object(signedDataObjects, &objectID, &object, &level, &ctx))
270 return FALSE;
271
272 switch (objectID)
273 {
274 case PKCS7_DIGEST_ALG:
275 digest_alg = parse_algorithmIdentifier(object, level, NULL);
276 break;
277 case PKCS7_SIGNED_CONTENT_INFO:
278 if (data != NULL)
279 {
280 pkcs7_parse_contentInfo(object, level, data);
281 }
282 break;
283 case PKCS7_SIGNED_CERT:
284 if (cert != NULL)
285 {
286 chunk_t cert_blob;
287
288 x509cert_t *newcert = alloc_thing(x509cert_t
289 , "pkcs7 wrapped x509cert");
290
291 clonetochunk(cert_blob, object.ptr, object.len
292 , "pkcs7 cert blob");
293 *newcert = empty_x509cert;
294
295 DBG(DBG_CONTROL | DBG_PARSING,
296 DBG_log("parsing pkcs7-wrapped certificate")
297 )
298 if (parse_x509cert(cert_blob, level+1, newcert))
299 {
300 newcert->next = *cert;
301 *cert = newcert;
302 }
303 else
304 {
305 free_x509cert(newcert);
306 }
307 }
308 break;
309 case PKCS7_SIGNER_INFO:
310 signerInfos++;
311 DBG(DBG_PARSING,
312 DBG_log(" signer #%d", signerInfos)
313 )
314 break;
315 case PKCS7_SIGNED_ISSUER:
316 DBG(DBG_PARSING,
317 dntoa(buf, BUF_LEN, object);
318 DBG_log(" '%s'",buf)
319 )
320 break;
321 case PKCS7_AUTH_ATTRIBUTES:
322 if (attributes != NULL)
323 {
324 *attributes = object;
325 *attributes->ptr = ASN1_SET;
326 }
327 break;
328 case PKCS7_DIGEST_ALGORITHM:
329 digest_alg = parse_algorithmIdentifier(object, level, NULL);
330 break;
331 case PKCS7_DIGEST_ENC_ALGORITHM:
332 enc_alg = parse_algorithmIdentifier(object, level, NULL);
333 break;
334 case PKCS7_ENCRYPTED_DIGEST:
335 encrypted_digest = object;
336 }
337 objectID++;
338 }
339
340 /* check the signature only if a cacert is available */
341 if (cacert != NULL)
342 {
343 if (signerInfos == 0)
344 {
345 plog("no signerInfo object found");
346 return FALSE;
347 }
348 else if (signerInfos > 1)
349 {
350 plog("more than one signerInfo object found");
351 return FALSE;
352 }
353 if (attributes->ptr == NULL)
354 {
355 plog("no authenticatedAttributes object found");
356 return FALSE;
357 }
358 if (!check_signature(*attributes, encrypted_digest, digest_alg
359 , enc_alg, cacert))
360 {
361 plog("invalid signature");
362 return FALSE;
363 }
364 else
365 {
366 DBG(DBG_CONTROL,
367 DBG_log("signature is valid")
368 )
369 }
370 }
371 return TRUE;
372 }
373
374 /*
375 * Parse a PKCS#7 envelopedData object
376 */
377 bool
378 pkcs7_parse_envelopedData(chunk_t blob, chunk_t *data
379 , chunk_t serialNumber, const RSA_private_key_t *key)
380 {
381 asn1_ctx_t ctx;
382 chunk_t object;
383 chunk_t iv = empty_chunk;
384 chunk_t symmetric_key = empty_chunk;
385 chunk_t encrypted_content = empty_chunk;
386
387 u_char buf[BUF_LEN];
388 u_int level;
389 u_int total_keys = 3;
390 int enc_alg = OID_UNKNOWN;
391 int content_enc_alg = OID_UNKNOWN;
392 int objectID = 0;
393
394 contentInfo_t cInfo = empty_contentInfo;
395 *data = empty_chunk;
396
397 if (!pkcs7_parse_contentInfo(blob, 0, &cInfo))
398 goto failed;
399
400 if (cInfo.type != OID_PKCS7_ENVELOPED_DATA)
401 {
402 plog("pkcs7 content type is not envelopedData");
403 return FALSE;
404 }
405
406 asn1_init(&ctx, cInfo.content, 2, FALSE, DBG_RAW);
407
408 while (objectID < PKCS7_ENVELOPED_ROOF)
409 {
410 if (!extract_object(envelopedDataObjects, &objectID, &object, &level, &ctx))
411 goto failed;
412
413 switch (objectID)
414 {
415 case PKCS7_ENVELOPED_VERSION:
416 if (*object.ptr != 0)
417 {
418 plog("envelopedData version is not 0");
419 goto failed;
420 }
421 break;
422 case PKCS7_RECIPIENT_INFO_VERSION:
423 if (*object.ptr != 0)
424 {
425 plog("recipient info version is not 0");
426 goto failed;
427 }
428 break;
429 case PKCS7_ISSUER:
430 DBG(DBG_PARSING,
431 dntoa(buf, BUF_LEN, object);
432 DBG_log(" '%s'", buf)
433 )
434 break;
435 case PKCS7_SERIAL_NUMBER:
436 if (!same_chunk(serialNumber, object))
437 {
438 plog("serial numbers do not match");
439 goto failed;
440 }
441 break;
442 case PKCS7_ENCRYPTION_ALG:
443 enc_alg = parse_algorithmIdentifier(object, level, NULL);
444 if (enc_alg != OID_RSA_ENCRYPTION)
445 {
446 plog("only rsa encryption supported");
447 goto failed;
448 }
449 break;
450 case PKCS7_ENCRYPTED_KEY:
451 if (!RSA_decrypt(key, object, &symmetric_key))
452 {
453 plog("symmetric key could not be decrypted with rsa");
454 goto failed;
455 }
456 DBG(DBG_PRIVATE,
457 DBG_dump_chunk("symmetric key :", symmetric_key)
458 )
459 break;
460 case PKCS7_CONTENT_TYPE:
461 if (known_oid(object) != OID_PKCS7_DATA)
462 {
463 plog("encrypted content not of type pkcs7 data");
464 goto failed;
465 }
466 break;
467 case PKCS7_CONTENT_ENC_ALGORITHM:
468 content_enc_alg = parse_algorithmIdentifier(object, level, &iv);
469
470 switch (content_enc_alg)
471 {
472 case OID_DES_CBC:
473 total_keys = 1;
474 break;
475 case OID_3DES_EDE_CBC:
476 total_keys = 3;
477 break;
478 default:
479 plog("Only DES and 3DES supported for symmetric encryption");
480 goto failed;
481 }
482 if (symmetric_key.len != (total_keys * DES_CBC_BLOCK_SIZE))
483 {
484 plog("key length is not %d",(total_keys * DES_CBC_BLOCK_SIZE));
485 goto failed;
486 }
487 if (!parse_asn1_simple_object(&iv, ASN1_OCTET_STRING, level+1, "IV"))
488 {
489 plog("IV could not be parsed");
490 goto failed;
491 }
492 if (iv.len != DES_CBC_BLOCK_SIZE)
493 {
494 plog("IV has wrong length");
495 goto failed;
496 }
497 break;
498 case PKCS7_ENCRYPTED_CONTENT:
499 encrypted_content = object;
500 break;
501 }
502 objectID++;
503 }
504
505 /* decrypt the content */
506 {
507 u_int i;
508 des_cblock des_key[3], des_iv;
509 des_key_schedule key_s[3];
510
511 memcpy((char *)des_key, symmetric_key.ptr, symmetric_key.len);
512 memcpy((char *)des_iv, iv.ptr, iv.len);
513
514 for (i = 0; i < total_keys; i++)
515 {
516 if (des_set_key(&des_key[i], key_s[i]))
517 {
518 plog("des key schedule failed");
519 goto failed;
520 }
521 }
522
523 data->len = encrypted_content.len;
524 data->ptr = alloc_bytes(data->len, "decrypted data");
525
526 switch (content_enc_alg)
527 {
528 case OID_DES_CBC:
529 des_cbc_encrypt((des_cblock*)encrypted_content.ptr
530 , (des_cblock*)data->ptr, data->len
531 , key_s[0], &des_iv, DES_DECRYPT);
532 break;
533 case OID_3DES_EDE_CBC:
534 des_ede3_cbc_encrypt( (des_cblock*)encrypted_content.ptr
535 , (des_cblock*)data->ptr, data->len
536 , key_s[0], key_s[1], key_s[2]
537 , &des_iv, DES_DECRYPT);
538 }
539 DBG(DBG_PRIVATE,
540 DBG_dump_chunk("decrypted content with padding:\n", *data)
541 )
542 }
543
544 /* remove the padding */
545 {
546 u_char *pos = data->ptr + data->len - 1;
547 u_char pattern = *pos;
548 size_t padding = pattern;
549
550 if (padding > data->len)
551 {
552 plog("padding greater than data length");
553 goto failed;
554 }
555 data->len -= padding;
556
557 while (padding-- > 0)
558 {
559 if (*pos-- != pattern)
560 {
561 plog("wrong padding pattern");
562 goto failed;
563 }
564 }
565 }
566 freeanychunk(symmetric_key);
567 return TRUE;
568
569 failed:
570 freeanychunk(symmetric_key);
571 pfreeany(data->ptr);
572 return FALSE;
573 }
574
575 /**
576 * @brief Builds a contentType attribute
577 *
578 * @return ASN.1 encoded contentType attribute
579 */
580 chunk_t
581 pkcs7_contentType_attribute(void)
582 {
583 return asn1_wrap(ASN1_SEQUENCE, "cm"
584 , ASN1_contentType_oid
585 , asn1_simple_object(ASN1_SET, ASN1_pkcs7_data_oid));
586 }
587
588 /**
589 * @brief Builds a messageDigest attribute
590 *
591 *
592 * @param[in] blob content to create digest of
593 * @param[in] digest_alg digest algorithm to be used
594 * @return ASN.1 encoded messageDigest attribute
595 *
596 */
597 chunk_t
598 pkcs7_messageDigest_attribute(chunk_t content, int digest_alg)
599 {
600 u_char digest_buf[MAX_DIGEST_LEN];
601 chunk_t digest = { digest_buf, MAX_DIGEST_LEN };
602
603 compute_digest(content, digest_alg, &digest);
604
605 return asn1_wrap(ASN1_SEQUENCE, "cm"
606 , ASN1_messageDigest_oid
607 , asn1_wrap(ASN1_SET, "m"
608 , asn1_simple_object(ASN1_OCTET_STRING, digest)
609 )
610 );
611 }
612 /*
613 * build a DER-encoded contentInfo object
614 */
615 static chunk_t
616 pkcs7_build_contentInfo(contentInfo_t *cInfo)
617 {
618 chunk_t content_type;
619
620 /* select DER-encoded OID for pkcs7 contentInfo type */
621 switch(cInfo->type)
622 {
623 case OID_PKCS7_DATA:
624 content_type = ASN1_pkcs7_data_oid;
625 break;
626 case OID_PKCS7_SIGNED_DATA:
627 content_type = ASN1_pkcs7_signed_data_oid;
628 break;
629 case OID_PKCS7_ENVELOPED_DATA:
630 content_type = ASN1_pkcs7_enveloped_data_oid;
631 break;
632 case OID_PKCS7_SIGNED_ENVELOPED_DATA:
633 content_type = ASN1_pkcs7_signed_enveloped_data_oid;
634 break;
635 case OID_PKCS7_DIGESTED_DATA:
636 content_type = ASN1_pkcs7_digested_data_oid;
637 break;
638 case OID_PKCS7_ENCRYPTED_DATA:
639 content_type = ASN1_pkcs7_encrypted_data_oid;
640 break;
641 case OID_UNKNOWN:
642 default:
643 fprintf(stderr, "invalid pkcs7 contentInfo type");
644 return empty_chunk;
645 }
646
647 return (cInfo->content.ptr == NULL)
648 ? asn1_simple_object(ASN1_SEQUENCE, content_type)
649 : asn1_wrap(ASN1_SEQUENCE, "cm"
650 , content_type
651 , asn1_simple_object(ASN1_CONTEXT_C_0, cInfo->content)
652 );
653 }
654
655 /*
656 * build issuerAndSerialNumber object
657 */
658 chunk_t
659 pkcs7_build_issuerAndSerialNumber(const x509cert_t *cert)
660 {
661 return asn1_wrap(ASN1_SEQUENCE, "cm"
662 , cert->issuer
663 , asn1_simple_object(ASN1_INTEGER, cert->serialNumber));
664 }
665
666 /*
667 * create a signed pkcs7 contentInfo object
668 */
669 chunk_t
670 pkcs7_build_signedData(chunk_t data, chunk_t attributes, const x509cert_t *cert
671 , int digest_alg, const RSA_private_key_t *key)
672 {
673 contentInfo_t pkcs7Data, signedData;
674 chunk_t authenticatedAttributes, encryptedDigest, signerInfo, cInfo;
675
676 chunk_t digestAlgorithm = asn1_algorithmIdentifier(digest_alg);
677
678 if (attributes.ptr != NULL)
679 {
680 encryptedDigest = pkcs1_build_signature(attributes, digest_alg
681 , key, FALSE);
682 clonetochunk(authenticatedAttributes, attributes.ptr, attributes.len
683 , "authenticatedAttributes");
684 *authenticatedAttributes.ptr = ASN1_CONTEXT_C_0;
685 }
686 else
687 {
688 encryptedDigest = (data.ptr == NULL)? empty_chunk
689 : pkcs1_build_signature(data, digest_alg, key, FALSE);
690 authenticatedAttributes = empty_chunk;
691 }
692
693 signerInfo = asn1_wrap(ASN1_SEQUENCE, "cmcmcm"
694 , ASN1_INTEGER_1
695 , pkcs7_build_issuerAndSerialNumber(cert)
696 , digestAlgorithm
697 , authenticatedAttributes
698 , ASN1_rsaEncryption_id
699 , encryptedDigest);
700
701 pkcs7Data.type = OID_PKCS7_DATA;
702 pkcs7Data.content = (data.ptr == NULL)? empty_chunk
703 : asn1_simple_object(ASN1_OCTET_STRING, data);
704
705 signedData.type = OID_PKCS7_SIGNED_DATA;
706 signedData.content = asn1_wrap(ASN1_SEQUENCE, "cmmmm"
707 , ASN1_INTEGER_1
708 , asn1_simple_object(ASN1_SET, digestAlgorithm)
709 , pkcs7_build_contentInfo(&pkcs7Data)
710 , asn1_simple_object(ASN1_CONTEXT_C_0, cert->certificate)
711 , asn1_wrap(ASN1_SET, "m", signerInfo));
712
713 cInfo = pkcs7_build_contentInfo(&signedData);
714 DBG(DBG_RAW,
715 DBG_dump_chunk("signedData:\n", cInfo)
716 )
717
718 freeanychunk(pkcs7Data.content);
719 freeanychunk(signedData.content);
720 return cInfo;
721 }
722
723 /*
724 * create a symmetrically encrypted pkcs7 contentInfo object
725 */
726 chunk_t
727 pkcs7_build_envelopedData(chunk_t data, const x509cert_t *cert, int cipher)
728 {
729 bool des_check_key_save;
730 des_key_schedule ks[3];
731 des_cblock key[3], des_iv, des_iv_buf;
732
733 chunk_t iv = { (u_char *)des_iv_buf, DES_CBC_BLOCK_SIZE };
734 chunk_t out;
735 chunk_t cipher_oid;
736
737 u_int total_keys, i;
738 size_t padding = pad_up(data.len, DES_CBC_BLOCK_SIZE);
739
740 RSA_public_key_t public_key;
741
742 init_RSA_public_key(&public_key, cert->publicExponent
743 , cert->modulus);
744
745 if (padding == 0)
746 padding += DES_CBC_BLOCK_SIZE;
747
748 out.len = data.len + padding;
749 out.ptr = alloc_bytes(out.len, "DES-encrypted output");
750
751 DBG(DBG_CONTROL,
752 DBG_log("padding %d bytes of data to multiple DES block size of %d bytes"
753 , (int)data.len, (int)out.len)
754 )
755
756 /* copy data */
757 memcpy(out.ptr, data.ptr, data.len);
758 /* append padding */
759 memset(out.ptr + data.len, padding, padding);
760
761 DBG(DBG_RAW,
762 DBG_dump_chunk("Padded unencrypted data:\n", out)
763 )
764
765 /* select OID and keylength for specified cipher */
766 switch (cipher)
767 {
768 case OID_DES_CBC:
769 total_keys = 1;
770 cipher_oid = ASN1_des_cbc_oid;
771 break;
772 case OID_3DES_EDE_CBC:
773 default:
774 total_keys = 3;
775 cipher_oid = ASN1_3des_ede_cbc_oid;
776 }
777 DBG(DBG_CONTROLMORE,
778 DBG_log("pkcs7 encryption cipher: %s", oid_names[cipher].name)
779 )
780
781 /* generate a strong random key for DES/3DES */
782 des_check_key_save = des_check_key;
783 des_check_key = TRUE;
784 for (i = 0; i < total_keys;i++)
785 {
786 for (;;)
787 {
788 get_rnd_bytes((char*)key[i], DES_CBC_BLOCK_SIZE);
789 des_set_odd_parity(&key[i]);
790 if (!des_set_key(&key[i], ks[i]))
791 break;
792 plog("weak DES key discarded - we try again");
793 }
794 DBG(DBG_PRIVATE,
795 DBG_dump("DES key:", key[i], 8)
796 )
797 }
798 des_check_key = des_check_key_save;
799
800 /* generate an iv for DES/3DES CBC */
801 get_rnd_bytes(des_iv, DES_CBC_BLOCK_SIZE);
802 memcpy(iv.ptr, des_iv, DES_CBC_BLOCK_SIZE);
803 DBG(DBG_RAW,
804 DBG_dump_chunk("DES IV :", iv)
805 )
806
807 /* encryption using specified cipher */
808 switch (cipher)
809 {
810 case OID_DES_CBC:
811 des_cbc_encrypt((des_cblock*)out.ptr, (des_cblock*)out.ptr, out.len
812 , ks[0], &des_iv, DES_ENCRYPT);
813 break;
814 case OID_3DES_EDE_CBC:
815 default:
816 des_ede3_cbc_encrypt((des_cblock*)out.ptr, (des_cblock*)out.ptr, out.len
817 , ks[0], ks[1], ks[2], &des_iv, DES_ENCRYPT);
818 }
819 DBG(DBG_RAW,
820 DBG_dump_chunk("Encrypted data:\n", out));
821
822 /* build pkcs7 enveloped data object */
823 {
824 chunk_t contentEncryptionAlgorithm = asn1_wrap(ASN1_SEQUENCE, "cm"
825 , cipher_oid
826 , asn1_simple_object(ASN1_OCTET_STRING, iv));
827
828 chunk_t encryptedContentInfo = asn1_wrap(ASN1_SEQUENCE, "cmm"
829 , ASN1_pkcs7_data_oid
830 , contentEncryptionAlgorithm
831 , asn1_wrap(ASN1_CONTEXT_S_0, "m", out));
832
833 chunk_t plainKey = { (u_char *)key, DES_CBC_BLOCK_SIZE * total_keys };
834
835 chunk_t encryptedKey = asn1_wrap(ASN1_OCTET_STRING, "m"
836 , RSA_encrypt(&public_key, plainKey));
837
838 chunk_t recipientInfo = asn1_wrap(ASN1_SEQUENCE, "cmcm"
839 , ASN1_INTEGER_0
840 , pkcs7_build_issuerAndSerialNumber(cert)
841 , ASN1_rsaEncryption_id
842 , encryptedKey);
843
844 chunk_t cInfo;
845 contentInfo_t envelopedData;
846
847 envelopedData.type = OID_PKCS7_ENVELOPED_DATA;
848 envelopedData.content = asn1_wrap(ASN1_SEQUENCE, "cmm"
849 , ASN1_INTEGER_0
850 , asn1_wrap(ASN1_SET, "m", recipientInfo)
851 , encryptedContentInfo);
852
853 cInfo = pkcs7_build_contentInfo(&envelopedData);
854 DBG(DBG_RAW,
855 DBG_dump_chunk("envelopedData:\n", cInfo)
856 )
857
858 free_RSA_public_content(&public_key);
859 freeanychunk(envelopedData.content);
860 return cInfo;
861 }
862 }