Browse Source

Make X509_SIG opaque.

Reviewed-by: Rich Salz <rsalz@openssl.org>
master
Dr. Stephen Henson 6 years ago
parent
commit
a6eb1ce6a9
10 changed files with 66 additions and 33 deletions
  1. +3
    -1
      apps/pkcs12.c
  2. +10
    -0
      crypto/asn1/x_sig.c
  3. +5
    -0
      crypto/include/internal/x509_int.h
  4. +19
    -12
      crypto/pkcs12/p12_mutl.c
  5. +6
    -8
      crypto/pkcs12/p12_npas.c
  6. +5
    -2
      crypto/pkcs12/p12_p8d.c
  7. +4
    -3
      crypto/pkcs12/p12_p8e.c
  8. +1
    -0
      crypto/rsa/rsa_sign.c
  9. +9
    -3
      doc/crypto/d2i_X509_SIG.pod
  10. +4
    -4
      include/openssl/x509.h

+ 3
- 1
apps/pkcs12.c View File

@ -668,10 +668,12 @@ int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bag, char *pass,
case NID_pkcs8ShroudedKeyBag:
if (options & INFO) {
X509_SIG *tp8;
X509_ALGOR *tp8alg;
BIO_printf(bio_err, "Shrouded Keybag: ");
tp8 = PKCS12_SAFEBAG_get0_pkcs8(bag);
alg_print(tp8->algor);
X509_SIG_get0(&tp8alg, NULL, tp8);
alg_print(tp8alg);
}
if (options & NOKEYS)
return 1;


+ 10
- 0
crypto/asn1/x_sig.c View File

@ -59,6 +59,7 @@
#include "internal/cryptlib.h"
#include <openssl/asn1t.h>
#include <openssl/x509.h>
#include "internal/x509_int.h"
ASN1_SEQUENCE(X509_SIG) = {
ASN1_SIMPLE(X509_SIG, algor, X509_ALGOR),
@ -66,3 +67,12 @@ ASN1_SEQUENCE(X509_SIG) = {
} ASN1_SEQUENCE_END(X509_SIG)
IMPLEMENT_ASN1_FUNCTIONS(X509_SIG)
void X509_SIG_get0(X509_ALGOR **palg, ASN1_OCTET_STRING **pdigest,
X509_SIG *sig)
{
if (palg)
*palg = sig->algor;
if (pdigest)
*pdigest = sig->digest;
}

+ 5
- 0
crypto/include/internal/x509_int.h View File

@ -225,3 +225,8 @@ struct pkcs8_priv_key_info_st {
ASN1_OCTET_STRING *pkey;
STACK_OF(X509_ATTRIBUTE) *attributes;
};
struct X509_sig_st {
X509_ALGOR *algor;
ASN1_OCTET_STRING *digest;
};

+ 19
- 12
crypto/pkcs12/p12_mutl.c View File

@ -74,10 +74,7 @@ void PKCS12_get0_mac(ASN1_OCTET_STRING **pmac, X509_ALGOR **pmacalg,
PKCS12 *p12)
{
if (p12->mac) {
if (pmac)
*pmac = p12->mac->dinfo->digest;
if (pmacalg)
*pmacalg = p12->mac->dinfo->algor;
X509_SIG_get0(pmacalg, pmac, p12->mac->dinfo);
if (psalt)
*psalt = p12->mac->salt;
if (piter)
@ -126,6 +123,8 @@ int PKCS12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
int saltlen, iter;
int md_size = 0;
int md_type_nid;
X509_ALGOR *macalg;
ASN1_OBJECT *macoid;
if (!PKCS7_type_is_data(p12->authsafes)) {
PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_CONTENT_TYPE_NOT_DATA);
@ -138,8 +137,9 @@ int PKCS12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
iter = 1;
else
iter = ASN1_INTEGER_get(p12->mac->iter);
if ((md_type = EVP_get_digestbyobj(p12->mac->dinfo->algor->algorithm))
== NULL) {
X509_SIG_get0(&macalg, NULL, p12->mac->dinfo);
X509_ALGOR_get0(&macoid, NULL, NULL, macalg);
if ((md_type = EVP_get_digestbyobj(macoid)) == NULL) {
PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_UNKNOWN_DIGEST_ALGORITHM);
return 0;
}
@ -180,6 +180,8 @@ int PKCS12_verify_mac(PKCS12 *p12, const char *pass, int passlen)
{
unsigned char mac[EVP_MAX_MD_SIZE];
unsigned int maclen;
ASN1_OCTET_STRING *macoct;
if (p12->mac == NULL) {
PKCS12err(PKCS12_F_PKCS12_VERIFY_MAC, PKCS12_R_MAC_ABSENT);
return 0;
@ -188,8 +190,9 @@ int PKCS12_verify_mac(PKCS12 *p12, const char *pass, int passlen)
PKCS12err(PKCS12_F_PKCS12_VERIFY_MAC, PKCS12_R_MAC_GENERATION_ERROR);
return 0;
}
if ((maclen != (unsigned int)p12->mac->dinfo->digest->length)
|| CRYPTO_memcmp(mac, p12->mac->dinfo->digest->data, maclen))
X509_SIG_get0(NULL, &macoct, p12->mac->dinfo);
if ((maclen != (unsigned int)ASN1_STRING_length(macoct))
|| CRYPTO_memcmp(mac, ASN1_STRING_data(macoct), maclen))
return 0;
return 1;
}
@ -202,6 +205,7 @@ int PKCS12_set_mac(PKCS12 *p12, const char *pass, int passlen,
{
unsigned char mac[EVP_MAX_MD_SIZE];
unsigned int maclen;
ASN1_OCTET_STRING *macoct;
if (!md_type)
md_type = EVP_sha1();
@ -213,7 +217,8 @@ int PKCS12_set_mac(PKCS12 *p12, const char *pass, int passlen,
PKCS12err(PKCS12_F_PKCS12_SET_MAC, PKCS12_R_MAC_GENERATION_ERROR);
return 0;
}
if (!(ASN1_OCTET_STRING_set(p12->mac->dinfo->digest, mac, maclen))) {
X509_SIG_get0(NULL, &macoct, p12->mac->dinfo);
if (!ASN1_OCTET_STRING_set(macoct, mac, maclen)) {
PKCS12err(PKCS12_F_PKCS12_SET_MAC, PKCS12_R_MAC_STRING_SET_ERROR);
return 0;
}
@ -224,6 +229,8 @@ int PKCS12_set_mac(PKCS12 *p12, const char *pass, int passlen,
int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt, int saltlen,
const EVP_MD *md_type)
{
X509_ALGOR *macalg;
if ((p12->mac = PKCS12_MAC_DATA_new()) == NULL)
return PKCS12_ERROR;
if (iter > 1) {
@ -248,12 +255,12 @@ int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt, int saltlen,
return 0;
} else
memcpy(p12->mac->salt->data, salt, saltlen);
p12->mac->dinfo->algor->algorithm = OBJ_nid2obj(EVP_MD_type(md_type));
if ((p12->mac->dinfo->algor->parameter = ASN1_TYPE_new()) == NULL) {
X509_SIG_get0(&macalg, NULL, p12->mac->dinfo);
if (!X509_ALGOR_set0(macalg, OBJ_nid2obj(EVP_MD_type(md_type)),
V_ASN1_NULL, NULL)) {
PKCS12err(PKCS12_F_PKCS12_SETUP_MAC, ERR_R_MALLOC_FAILURE);
return 0;
}
p12->mac->dinfo->algor->parameter->type = V_ASN1_NULL;
return 1;
}

+ 6
- 8
crypto/pkcs12/p12_npas.c View File

@ -109,7 +109,7 @@ static int newpass_p12(PKCS12 *p12, char *oldpass, char *newpass)
STACK_OF(PKCS12_SAFEBAG) *bags;
int i, bagnid, pbe_nid = 0, pbe_iter = 0, pbe_saltlen = 0;
PKCS7 *p7, *p7new;
ASN1_OCTET_STRING *p12_data_tmp = NULL, *macnew = NULL;
ASN1_OCTET_STRING *p12_data_tmp = NULL, *macoct = NULL;
unsigned char mac[EVP_MAX_MD_SIZE];
unsigned int maclen;
@ -165,12 +165,9 @@ static int newpass_p12(PKCS12 *p12, char *oldpass, char *newpass)
if (!PKCS12_gen_mac(p12, newpass, -1, mac, &maclen))
goto saferr;
if ((macnew = ASN1_OCTET_STRING_new()) == NULL)
X509_SIG_get0(NULL, &macoct, p12->mac->dinfo);
if (!ASN1_OCTET_STRING_set(macoct, mac, maclen))
goto saferr;
if (!ASN1_OCTET_STRING_set(macnew, mac, maclen))
goto saferr;
ASN1_OCTET_STRING_free(p12->mac->dinfo->digest);
p12->mac->dinfo->digest = macnew;
ASN1_OCTET_STRING_free(p12_data_tmp);
return 1;
@ -178,7 +175,6 @@ static int newpass_p12(PKCS12 *p12, char *oldpass, char *newpass)
saferr:
/* Restore old safe */
ASN1_OCTET_STRING_free(p12->authsafes->d.data);
ASN1_OCTET_STRING_free(macnew);
p12->authsafes->d.data = p12_data_tmp;
return 0;
@ -202,13 +198,15 @@ static int newpass_bag(PKCS12_SAFEBAG *bag, char *oldpass, char *newpass)
PKCS8_PRIV_KEY_INFO *p8;
X509_SIG *p8new;
int p8_nid, p8_saltlen, p8_iter;
X509_ALGOR *shalg;
if (PKCS12_SAFEBAG_get_nid(bag) != NID_pkcs8ShroudedKeyBag)
return 1;
if ((p8 = PKCS8_decrypt(bag->value.shkeybag, oldpass, -1)) == NULL)
return 0;
if (!alg_get(bag->value.shkeybag->algor, &p8_nid, &p8_iter, &p8_saltlen))
X509_SIG_get0(&shalg, NULL, bag->value.shkeybag);
if (!alg_get(shalg, &p8_nid, &p8_iter, &p8_saltlen))
return 0;
if ((p8new = PKCS8_encrypt(p8_nid, NULL, newpass, -1, NULL, p8_saltlen,
p8_iter, p8)) == NULL)


+ 5
- 2
crypto/pkcs12/p12_p8d.c View File

@ -63,7 +63,10 @@
PKCS8_PRIV_KEY_INFO *PKCS8_decrypt(X509_SIG *p8, const char *pass,
int passlen)
{
return PKCS12_item_decrypt_d2i(p8->algor,
X509_ALGOR *dalg;
ASN1_OCTET_STRING *doct;
X509_SIG_get0(&dalg, &doct, p8);
return PKCS12_item_decrypt_d2i(dalg,
ASN1_ITEM_rptr(PKCS8_PRIV_KEY_INFO), pass,
passlen, p8->digest, 1);
passlen, doct, 1);
}

+ 4
- 3
crypto/pkcs12/p12_p8e.c View File

@ -59,6 +59,7 @@
#include <stdio.h>
#include "internal/cryptlib.h"
#include <openssl/pkcs12.h>
#include "internal/x509_int.h"
X509_SIG *PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher,
const char *pass, int passlen,
@ -103,13 +104,13 @@ X509_SIG *PKCS8_set0_pbe(const char *pass, int passlen,
return NULL;
}
if ((p8 = X509_SIG_new()) == NULL) {
p8 = OPENSSL_zalloc(sizeof(*p8));
if (p8 == NULL) {
PKCS12err(PKCS12_F_PKCS8_SET0_PBE, ERR_R_MALLOC_FAILURE);
ASN1_OCTET_STRING_free(enckey);
return NULL;
}
X509_ALGOR_free(p8->algor);
ASN1_OCTET_STRING_free(p8->digest);
p8->algor = pbe;
p8->digest = enckey;


+ 1
- 0
crypto/rsa/rsa_sign.c View File

@ -61,6 +61,7 @@
#include <openssl/rsa.h>
#include <openssl/objects.h>
#include <openssl/x509.h>
#include "internal/x509_int.h"
#include "rsa_locl.h"
/* Size of an SSL signature: MD5+SHA1 */


+ 9
- 3
doc/crypto/d2i_X509_SIG.pod View File

@ -10,15 +10,21 @@ d2i_X509_SIG, i2d_X509_SIG - DigestInfo functions.
X509_SIG *d2i_X509_SIG(X509_SIG **a, unsigned char **pp, long length);
int i2d_X509_SIG(X509_SIG *a, unsigned char **pp);
void X509_SIG_get0(X509_ALGOR **palg, ASN1_OCTET_STRING **pdigest,
X509_SIG *sig);
=head1 DESCRIPTION
These functions decode and encode an X509_SIG structure which is
equivalent to the B<DigestInfo> structure defined in PKCS#1 and PKCS#7.
The functions d2i_X509_SIG() and i2d_X509_SIG() decode and encode an
X509_SIG structure which is equivalent to the B<DigestInfo> structure
defined in PKCS#1 and PKCS#7.
Otherwise these behave in a similar way to d2i_X509() and i2d_X509()
Otherwise they behave in a similar way to d2i_X509() and i2d_X509()
described in the L<d2i_X509(3)> manual page.
X509_SIG_get0() returns pointers to the algorithm identifier and digest
value in B<sig>. These values can then be examined or initialised.
=head1 SEE ALSO
L<d2i_X509(3)>


+ 4
- 4
include/openssl/x509.h View File

@ -136,10 +136,7 @@ struct X509_pubkey_st {
CRYPTO_RWLOCK *lock;
};
typedef struct X509_sig_st {
X509_ALGOR *algor;
ASN1_OCTET_STRING *digest;
} X509_SIG;
typedef struct X509_sig_st X509_SIG;
typedef struct X509_name_entry_st X509_NAME_ENTRY;
@ -586,6 +583,9 @@ EC_KEY *d2i_EC_PUBKEY(EC_KEY **a, const unsigned char **pp, long length);
# endif
DECLARE_ASN1_FUNCTIONS(X509_SIG)
void X509_SIG_get0(X509_ALGOR **palg, ASN1_OCTET_STRING **pdigest,
X509_SIG *sig);
DECLARE_ASN1_FUNCTIONS(X509_REQ_INFO)
DECLARE_ASN1_FUNCTIONS(X509_REQ)


Loading…
Cancel
Save