VirtualBox

source: vbox/trunk/src/VBox/Runtime/common/crypto/pkcs7-sign.cpp@ 95604

Last change on this file since 95604 was 95604, checked in by vboxsync, 3 years ago

IPRT/RTCrPkcs7SimpleSignSignedData: Implemented pAdditionalAuthenticatedAttribs. bugref:8691
  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
File size: 10.3 KB
Line 
1/* $Id: pkcs7-sign.cpp 95604 2022-07-12 09:37:41Z vboxsync $ */
2/** @file
3 * IPRT - Crypto - PKCS \#7, Signing
4 */
5
6/*
7 * Copyright (C) 2006-2022 Oracle Corporation
8 *
9 * This file is part of VirtualBox Open Source Edition (OSE), as
10 * available from http://www.215389.xyz. This file is free software;
11 * you can redistribute it and/or modify it under the terms of the GNU
12 * General Public License (GPL) as published by the Free Software
13 * Foundation, in version 2 as it comes in the "COPYING" file of the
14 * VirtualBox OSE distribution. VirtualBox OSE is distributed in the
15 * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
16 *
17 * The contents of this file may alternatively be used under the terms
18 * of the Common Development and Distribution License Version 1.0
19 * (CDDL) only, as it comes in the "COPYING.CDDL" file of the
20 * VirtualBox OSE distribution, in which case the provisions of the
21 * CDDL are applicable instead of those of the GPL.
22 *
23 * You may elect to license modified versions of this file under the
24 * terms and conditions of either the GPL or the CDDL or both.
25 */
26
27
28/*********************************************************************************************************************************
29* Header Files *
30*********************************************************************************************************************************/
31#include "internal/iprt.h"
32#include <iprt/crypto/pkcs7.h>
33
34#include <iprt/errcore.h>
35#include <iprt/string.h>
36#include <iprt/crypto/digest.h>
37#include <iprt/crypto/key.h>
38#include <iprt/crypto/pkix.h>
39#include <iprt/crypto/store.h>
40#include <iprt/crypto/x509.h>
41
42#ifdef IPRT_WITH_OPENSSL
43# include "internal/iprt-openssl.h"
44# include "internal/openssl-pre.h"
45# include <openssl/pkcs7.h>
46# include <openssl/cms.h>
47# include <openssl/x509.h>
48# include <openssl/err.h>
49# include "internal/openssl-post.h"
50#endif
51
52
53/*********************************************************************************************************************************
54* Structures and Typedefs *
55*********************************************************************************************************************************/
56/**
57 * PKCS\#7 / CMS signing operation instance.
58 */
59typedef struct RTCRPKCS7SIGNINGJOBINT
60{
61 /** Magic value (RTCRPKCS7SIGNINGJOBINT). */
62 uint32_t u32Magic;
63 /** Reference counter. */
64 uint32_t volatile cRefs;
65 /** RTCRPKCS7SIGN_F_XXX. */
66 uint64_t fFlags;
67 /** Set if finalized. */
68 bool fFinallized;
69
70 //....
71} RTCRPKCS7SIGNINGJOBINT;
72
73/** Magic value for RTCRPKCS7SIGNINGJOBINT (Jonathan Lethem). */
74#define RTCRPKCS7SIGNINGJOBINT_MAGIC UINT32_C(0x19640219)
75
76/** Handle to PKCS\#7/CMS signing operation. */
77typedef struct RTCRPKCS7SIGNINGJOBINT *RTCRPKCS7SIGNINGJOB;
78/** Pointer to a PKCS\#7/CMS signing operation handle. */
79typedef RTCRPKCS7SIGNINGJOB *PRTCRPKCS7SIGNINGJOB;
80
81//// CMS_sign
82//RTDECL(int) RTCrPkcs7Sign(PRTCRPKCS7SIGNINGJOB *phJob, uint64_t fFlags, PCRTCRX509CERTIFICATE pSigner, RTCRKEY hPrivateKey,
83// RTCRSTORE hAdditionalCerts,
84//
85
86
87
88RTDECL(int) RTCrPkcs7SimpleSignSignedData(uint32_t fFlags, PCRTCRX509CERTIFICATE pSigner, RTCRKEY hPrivateKey,
89 void const *pvData, size_t cbData, RTDIGESTTYPE enmDigestType,
90 RTCRSTORE hAdditionalCerts, PCRTCRPKCS7ATTRIBUTES pAdditionalAuthenticatedAttribs,
91 void *pvResult, size_t *pcbResult, PRTERRINFO pErrInfo)
92{
93 size_t const cbResultBuf = *pcbResult;
94 *pcbResult = 0;
95 AssertReturn(!(fFlags & ~RTCRPKCS7SIGN_SD_F_VALID_MASK), VERR_INVALID_FLAGS);
96#ifdef IPRT_WITH_OPENSSL
97 AssertReturn((int)cbData >= 0 && (unsigned)cbData == cbData, VERR_TOO_MUCH_DATA);
98
99 /*
100 * Resolve the digest type.
101 */
102 const EVP_MD *pEvpMd = NULL;
103 if (enmDigestType != RTDIGESTTYPE_UNKNOWN)
104 {
105 pEvpMd = (const EVP_MD *)rtCrOpenSslConvertDigestType(enmDigestType, pErrInfo);
106 AssertReturn(pEvpMd, pErrInfo ? pErrInfo->rc : VERR_INVALID_PARAMETER);
107 }
108
109 /*
110 * Convert the private key.
111 */
112 EVP_PKEY *pEvpPrivateKey = NULL;
113 int rc = rtCrKeyToOpenSslKey(hPrivateKey, false /*fNeedPublic*/, (void **)&pEvpPrivateKey, pErrInfo);
114 if (RT_SUCCESS(rc))
115 {
116 /*
117 * Convert the signing certificate.
118 */
119 X509 *pOsslSigner = NULL;
120 rc = rtCrOpenSslConvertX509Cert((void **)&pOsslSigner, pSigner, pErrInfo);
121 if (RT_SUCCESS(rc))
122 {
123 /*
124 * Convert any additional certificates.
125 */
126 STACK_OF(X509) *pOsslAdditionalCerts = NULL;
127 if (hAdditionalCerts != NIL_RTCRSTORE)
128 rc = RTCrStoreConvertToOpenSslCertStack(hAdditionalCerts, 0 /*fFlags*/, (void **)&pOsslAdditionalCerts, pErrInfo);
129 if (RT_SUCCESS(rc))
130 {
131 /*
132 * Create a BIO for the data buffer.
133 */
134 BIO *pOsslData = BIO_new_mem_buf((void *)pvData, (int)cbData);
135 if (pOsslData)
136 {
137 /*
138 * Do the signing.
139 */
140 unsigned int fOsslSign = CMS_BINARY | CMS_PARTIAL;
141 if (fFlags & RTCRPKCS7SIGN_SD_F_DEATCHED)
142 fOsslSign |= CMS_DETACHED;
143 if (fFlags & RTCRPKCS7SIGN_SD_F_NO_SMIME_CAP)
144 fOsslSign |= CMS_NOSMIMECAP;
145 CMS_ContentInfo *pCms = CMS_sign(NULL, NULL, pOsslAdditionalCerts, NULL, fOsslSign);
146 if (pCms != NULL)
147 {
148 CMS_SignerInfo *pSignerInfo = CMS_add1_signer(pCms, pOsslSigner, pEvpPrivateKey, pEvpMd, fOsslSign);
149 if (pSignerInfo)
150 {
151 if (pAdditionalAuthenticatedAttribs)
152 for (uint32_t i = 0; i < pAdditionalAuthenticatedAttribs->cItems && RT_SUCCESS(rc); i++)
153 {
154 PCRTCRPKCS7ATTRIBUTE pAttrib = pAdditionalAuthenticatedAttribs->papItems[i];
155 X509_ATTRIBUTE *pOsslAttrib;
156 rc = rtCrOpenSslConvertPkcs7Attribute((void **)&pOsslAttrib, pAttrib, pErrInfo);
157 if (RT_SUCCESS(rc))
158 {
159 rc = CMS_signed_add1_attr(pSignerInfo, pOsslAttrib);
160 rtCrOpenSslFreeConvertedPkcs7Attribute((void **)pOsslAttrib);
161 if (rc <= 0)
162 rc = RTErrInfoSet(pErrInfo, VERR_NO_MEMORY, "CMS_signed_add1_attr");
163 }
164 }
165 if (RT_SUCCESS(rc))
166 {
167 rc = CMS_final(pCms, pOsslData, NULL /*dcont*/, fOsslSign);
168 if (rc > 0)
169 {
170 /*
171 * Get the output and copy it into the result buffer.
172 */
173 BIO *pOsslResult = BIO_new(BIO_s_mem());
174 if (pOsslResult)
175 {
176 rc = i2d_CMS_bio(pOsslResult, pCms);
177 if (rc > 0)
178 {
179 BUF_MEM *pBuf = NULL;
180 rc = (int)BIO_get_mem_ptr(pOsslResult, &pBuf);
181 if (rc > 0)
182 {
183 AssertPtr(pBuf);
184 size_t const cbResult = pBuf->length;
185 if ( cbResultBuf >= cbResult
186 && pvResult != NULL)
187 {
188 memcpy(pvResult, pBuf->data, cbResult);
189 rc = VINF_SUCCESS;
190 }
191 else
192 rc = VERR_BUFFER_OVERFLOW;
193 *pcbResult = cbResult;
194 }
195 else
196 rc = RTErrInfoSet(pErrInfo, VERR_GENERAL_FAILURE, "BIO_get_mem_ptr");
197 }
198 else
199 rc = RTErrInfoSet(pErrInfo, VERR_GENERAL_FAILURE, "i2d_CMS_bio");
200 BIO_free(pOsslResult);
201 }
202 else
203 rc = RTErrInfoSet(pErrInfo, VERR_NO_MEMORY, "BIO_new/BIO_s_mem");
204 }
205 else
206 rc = RTErrInfoSet(pErrInfo, VERR_GENERAL_FAILURE, "CMS_final");
207 }
208 }
209 else
210 rc = RTErrInfoSet(pErrInfo, VERR_GENERAL_FAILURE, "CMS_add1_signer");
211 CMS_ContentInfo_free(pCms);
212 }
213 else
214 rc = RTErrInfoSet(pErrInfo, VERR_GENERAL_FAILURE, "CMS_sign");
215 BIO_free(pOsslData);
216 }
217 }
218 rtCrOpenSslFreeConvertedX509Cert(pOsslSigner);
219 }
220 EVP_PKEY_free(pEvpPrivateKey);
221 }
222 return rc;
223#else
224 RT_NOREF(fFlags, pSigner, hPrivateKey, pvData, cbData, enmDigestType, hAdditionalCerts, pAdditionalAuthenticatedAttribs,
225 pvResult, pErrInfo, cbResultBuf);
226 *pcbResult = 0;
227 return VERR_NOT_IMPLEMENTED;
228#endif
229}
230
Note: See TracBrowser for help on using the repository browser.

© 2025 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette