mirror of https://github.com/openssl/openssl
Make X509_SIG opaque.
Reviewed-by: Rich Salz <rsalz@openssl.org>
This commit is contained in:
parent
bb26842d1c
commit
a6eb1ce6a9
|
@ -668,10 +668,12 @@ int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bag, char *pass,
|
|||
case NID_pkcs8ShroudedKeyBag:
|
||||
if (options & INFO) {
|
||||
X509_SIG *tp8;
|
||||
X509_ALGOR *tp8alg;
|
||||
|
||||
BIO_printf(bio_err, "Shrouded Keybag: ");
|
||||
tp8 = PKCS12_SAFEBAG_get0_pkcs8(bag);
|
||||
alg_print(tp8->algor);
|
||||
X509_SIG_get0(&tp8alg, NULL, tp8);
|
||||
alg_print(tp8alg);
|
||||
}
|
||||
if (options & NOKEYS)
|
||||
return 1;
|
||||
|
|
|
@ -59,6 +59,7 @@
|
|||
#include "internal/cryptlib.h"
|
||||
#include <openssl/asn1t.h>
|
||||
#include <openssl/x509.h>
|
||||
#include "internal/x509_int.h"
|
||||
|
||||
ASN1_SEQUENCE(X509_SIG) = {
|
||||
ASN1_SIMPLE(X509_SIG, algor, X509_ALGOR),
|
||||
|
@ -66,3 +67,12 @@ ASN1_SEQUENCE(X509_SIG) = {
|
|||
} ASN1_SEQUENCE_END(X509_SIG)
|
||||
|
||||
IMPLEMENT_ASN1_FUNCTIONS(X509_SIG)
|
||||
|
||||
void X509_SIG_get0(X509_ALGOR **palg, ASN1_OCTET_STRING **pdigest,
|
||||
X509_SIG *sig)
|
||||
{
|
||||
if (palg)
|
||||
*palg = sig->algor;
|
||||
if (pdigest)
|
||||
*pdigest = sig->digest;
|
||||
}
|
||||
|
|
|
@ -225,3 +225,8 @@ struct pkcs8_priv_key_info_st {
|
|||
ASN1_OCTET_STRING *pkey;
|
||||
STACK_OF(X509_ATTRIBUTE) *attributes;
|
||||
};
|
||||
|
||||
struct X509_sig_st {
|
||||
X509_ALGOR *algor;
|
||||
ASN1_OCTET_STRING *digest;
|
||||
};
|
||||
|
|
|
@ -74,10 +74,7 @@ void PKCS12_get0_mac(ASN1_OCTET_STRING **pmac, X509_ALGOR **pmacalg,
|
|||
PKCS12 *p12)
|
||||
{
|
||||
if (p12->mac) {
|
||||
if (pmac)
|
||||
*pmac = p12->mac->dinfo->digest;
|
||||
if (pmacalg)
|
||||
*pmacalg = p12->mac->dinfo->algor;
|
||||
X509_SIG_get0(pmacalg, pmac, p12->mac->dinfo);
|
||||
if (psalt)
|
||||
*psalt = p12->mac->salt;
|
||||
if (piter)
|
||||
|
@ -126,6 +123,8 @@ int PKCS12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
|
|||
int saltlen, iter;
|
||||
int md_size = 0;
|
||||
int md_type_nid;
|
||||
X509_ALGOR *macalg;
|
||||
ASN1_OBJECT *macoid;
|
||||
|
||||
if (!PKCS7_type_is_data(p12->authsafes)) {
|
||||
PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_CONTENT_TYPE_NOT_DATA);
|
||||
|
@ -138,8 +137,9 @@ int PKCS12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
|
|||
iter = 1;
|
||||
else
|
||||
iter = ASN1_INTEGER_get(p12->mac->iter);
|
||||
if ((md_type = EVP_get_digestbyobj(p12->mac->dinfo->algor->algorithm))
|
||||
== NULL) {
|
||||
X509_SIG_get0(&macalg, NULL, p12->mac->dinfo);
|
||||
X509_ALGOR_get0(&macoid, NULL, NULL, macalg);
|
||||
if ((md_type = EVP_get_digestbyobj(macoid)) == NULL) {
|
||||
PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_UNKNOWN_DIGEST_ALGORITHM);
|
||||
return 0;
|
||||
}
|
||||
|
@ -180,6 +180,8 @@ int PKCS12_verify_mac(PKCS12 *p12, const char *pass, int passlen)
|
|||
{
|
||||
unsigned char mac[EVP_MAX_MD_SIZE];
|
||||
unsigned int maclen;
|
||||
ASN1_OCTET_STRING *macoct;
|
||||
|
||||
if (p12->mac == NULL) {
|
||||
PKCS12err(PKCS12_F_PKCS12_VERIFY_MAC, PKCS12_R_MAC_ABSENT);
|
||||
return 0;
|
||||
|
@ -188,8 +190,9 @@ int PKCS12_verify_mac(PKCS12 *p12, const char *pass, int passlen)
|
|||
PKCS12err(PKCS12_F_PKCS12_VERIFY_MAC, PKCS12_R_MAC_GENERATION_ERROR);
|
||||
return 0;
|
||||
}
|
||||
if ((maclen != (unsigned int)p12->mac->dinfo->digest->length)
|
||||
|| CRYPTO_memcmp(mac, p12->mac->dinfo->digest->data, maclen))
|
||||
X509_SIG_get0(NULL, &macoct, p12->mac->dinfo);
|
||||
if ((maclen != (unsigned int)ASN1_STRING_length(macoct))
|
||||
|| CRYPTO_memcmp(mac, ASN1_STRING_data(macoct), maclen))
|
||||
return 0;
|
||||
return 1;
|
||||
}
|
||||
|
@ -202,6 +205,7 @@ int PKCS12_set_mac(PKCS12 *p12, const char *pass, int passlen,
|
|||
{
|
||||
unsigned char mac[EVP_MAX_MD_SIZE];
|
||||
unsigned int maclen;
|
||||
ASN1_OCTET_STRING *macoct;
|
||||
|
||||
if (!md_type)
|
||||
md_type = EVP_sha1();
|
||||
|
@ -213,7 +217,8 @@ int PKCS12_set_mac(PKCS12 *p12, const char *pass, int passlen,
|
|||
PKCS12err(PKCS12_F_PKCS12_SET_MAC, PKCS12_R_MAC_GENERATION_ERROR);
|
||||
return 0;
|
||||
}
|
||||
if (!(ASN1_OCTET_STRING_set(p12->mac->dinfo->digest, mac, maclen))) {
|
||||
X509_SIG_get0(NULL, &macoct, p12->mac->dinfo);
|
||||
if (!ASN1_OCTET_STRING_set(macoct, mac, maclen)) {
|
||||
PKCS12err(PKCS12_F_PKCS12_SET_MAC, PKCS12_R_MAC_STRING_SET_ERROR);
|
||||
return 0;
|
||||
}
|
||||
|
@ -224,6 +229,8 @@ int PKCS12_set_mac(PKCS12 *p12, const char *pass, int passlen,
|
|||
int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt, int saltlen,
|
||||
const EVP_MD *md_type)
|
||||
{
|
||||
X509_ALGOR *macalg;
|
||||
|
||||
if ((p12->mac = PKCS12_MAC_DATA_new()) == NULL)
|
||||
return PKCS12_ERROR;
|
||||
if (iter > 1) {
|
||||
|
@ -248,12 +255,12 @@ int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt, int saltlen,
|
|||
return 0;
|
||||
} else
|
||||
memcpy(p12->mac->salt->data, salt, saltlen);
|
||||
p12->mac->dinfo->algor->algorithm = OBJ_nid2obj(EVP_MD_type(md_type));
|
||||
if ((p12->mac->dinfo->algor->parameter = ASN1_TYPE_new()) == NULL) {
|
||||
X509_SIG_get0(&macalg, NULL, p12->mac->dinfo);
|
||||
if (!X509_ALGOR_set0(macalg, OBJ_nid2obj(EVP_MD_type(md_type)),
|
||||
V_ASN1_NULL, NULL)) {
|
||||
PKCS12err(PKCS12_F_PKCS12_SETUP_MAC, ERR_R_MALLOC_FAILURE);
|
||||
return 0;
|
||||
}
|
||||
p12->mac->dinfo->algor->parameter->type = V_ASN1_NULL;
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
|
|
@ -109,7 +109,7 @@ static int newpass_p12(PKCS12 *p12, char *oldpass, char *newpass)
|
|||
STACK_OF(PKCS12_SAFEBAG) *bags;
|
||||
int i, bagnid, pbe_nid = 0, pbe_iter = 0, pbe_saltlen = 0;
|
||||
PKCS7 *p7, *p7new;
|
||||
ASN1_OCTET_STRING *p12_data_tmp = NULL, *macnew = NULL;
|
||||
ASN1_OCTET_STRING *p12_data_tmp = NULL, *macoct = NULL;
|
||||
unsigned char mac[EVP_MAX_MD_SIZE];
|
||||
unsigned int maclen;
|
||||
|
||||
|
@ -165,12 +165,9 @@ static int newpass_p12(PKCS12 *p12, char *oldpass, char *newpass)
|
|||
|
||||
if (!PKCS12_gen_mac(p12, newpass, -1, mac, &maclen))
|
||||
goto saferr;
|
||||
if ((macnew = ASN1_OCTET_STRING_new()) == NULL)
|
||||
X509_SIG_get0(NULL, &macoct, p12->mac->dinfo);
|
||||
if (!ASN1_OCTET_STRING_set(macoct, mac, maclen))
|
||||
goto saferr;
|
||||
if (!ASN1_OCTET_STRING_set(macnew, mac, maclen))
|
||||
goto saferr;
|
||||
ASN1_OCTET_STRING_free(p12->mac->dinfo->digest);
|
||||
p12->mac->dinfo->digest = macnew;
|
||||
ASN1_OCTET_STRING_free(p12_data_tmp);
|
||||
|
||||
return 1;
|
||||
|
@ -178,7 +175,6 @@ static int newpass_p12(PKCS12 *p12, char *oldpass, char *newpass)
|
|||
saferr:
|
||||
/* Restore old safe */
|
||||
ASN1_OCTET_STRING_free(p12->authsafes->d.data);
|
||||
ASN1_OCTET_STRING_free(macnew);
|
||||
p12->authsafes->d.data = p12_data_tmp;
|
||||
return 0;
|
||||
|
||||
|
@ -202,13 +198,15 @@ static int newpass_bag(PKCS12_SAFEBAG *bag, char *oldpass, char *newpass)
|
|||
PKCS8_PRIV_KEY_INFO *p8;
|
||||
X509_SIG *p8new;
|
||||
int p8_nid, p8_saltlen, p8_iter;
|
||||
X509_ALGOR *shalg;
|
||||
|
||||
if (PKCS12_SAFEBAG_get_nid(bag) != NID_pkcs8ShroudedKeyBag)
|
||||
return 1;
|
||||
|
||||
if ((p8 = PKCS8_decrypt(bag->value.shkeybag, oldpass, -1)) == NULL)
|
||||
return 0;
|
||||
if (!alg_get(bag->value.shkeybag->algor, &p8_nid, &p8_iter, &p8_saltlen))
|
||||
X509_SIG_get0(&shalg, NULL, bag->value.shkeybag);
|
||||
if (!alg_get(shalg, &p8_nid, &p8_iter, &p8_saltlen))
|
||||
return 0;
|
||||
if ((p8new = PKCS8_encrypt(p8_nid, NULL, newpass, -1, NULL, p8_saltlen,
|
||||
p8_iter, p8)) == NULL)
|
||||
|
|
|
@ -63,7 +63,10 @@
|
|||
PKCS8_PRIV_KEY_INFO *PKCS8_decrypt(X509_SIG *p8, const char *pass,
|
||||
int passlen)
|
||||
{
|
||||
return PKCS12_item_decrypt_d2i(p8->algor,
|
||||
X509_ALGOR *dalg;
|
||||
ASN1_OCTET_STRING *doct;
|
||||
X509_SIG_get0(&dalg, &doct, p8);
|
||||
return PKCS12_item_decrypt_d2i(dalg,
|
||||
ASN1_ITEM_rptr(PKCS8_PRIV_KEY_INFO), pass,
|
||||
passlen, p8->digest, 1);
|
||||
passlen, doct, 1);
|
||||
}
|
||||
|
|
|
@ -59,6 +59,7 @@
|
|||
#include <stdio.h>
|
||||
#include "internal/cryptlib.h"
|
||||
#include <openssl/pkcs12.h>
|
||||
#include "internal/x509_int.h"
|
||||
|
||||
X509_SIG *PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher,
|
||||
const char *pass, int passlen,
|
||||
|
@ -103,13 +104,13 @@ X509_SIG *PKCS8_set0_pbe(const char *pass, int passlen,
|
|||
return NULL;
|
||||
}
|
||||
|
||||
if ((p8 = X509_SIG_new()) == NULL) {
|
||||
p8 = OPENSSL_zalloc(sizeof(*p8));
|
||||
|
||||
if (p8 == NULL) {
|
||||
PKCS12err(PKCS12_F_PKCS8_SET0_PBE, ERR_R_MALLOC_FAILURE);
|
||||
ASN1_OCTET_STRING_free(enckey);
|
||||
return NULL;
|
||||
}
|
||||
X509_ALGOR_free(p8->algor);
|
||||
ASN1_OCTET_STRING_free(p8->digest);
|
||||
p8->algor = pbe;
|
||||
p8->digest = enckey;
|
||||
|
||||
|
|
|
@ -61,6 +61,7 @@
|
|||
#include <openssl/rsa.h>
|
||||
#include <openssl/objects.h>
|
||||
#include <openssl/x509.h>
|
||||
#include "internal/x509_int.h"
|
||||
#include "rsa_locl.h"
|
||||
|
||||
/* Size of an SSL signature: MD5+SHA1 */
|
||||
|
|
|
@ -10,15 +10,21 @@ d2i_X509_SIG, i2d_X509_SIG - DigestInfo functions.
|
|||
|
||||
X509_SIG *d2i_X509_SIG(X509_SIG **a, unsigned char **pp, long length);
|
||||
int i2d_X509_SIG(X509_SIG *a, unsigned char **pp);
|
||||
void X509_SIG_get0(X509_ALGOR **palg, ASN1_OCTET_STRING **pdigest,
|
||||
X509_SIG *sig);
|
||||
|
||||
=head1 DESCRIPTION
|
||||
|
||||
These functions decode and encode an X509_SIG structure which is
|
||||
equivalent to the B<DigestInfo> structure defined in PKCS#1 and PKCS#7.
|
||||
The functions d2i_X509_SIG() and i2d_X509_SIG() decode and encode an
|
||||
X509_SIG structure which is equivalent to the B<DigestInfo> structure
|
||||
defined in PKCS#1 and PKCS#7.
|
||||
|
||||
Otherwise these behave in a similar way to d2i_X509() and i2d_X509()
|
||||
Otherwise they behave in a similar way to d2i_X509() and i2d_X509()
|
||||
described in the L<d2i_X509(3)> manual page.
|
||||
|
||||
X509_SIG_get0() returns pointers to the algorithm identifier and digest
|
||||
value in B<sig>. These values can then be examined or initialised.
|
||||
|
||||
=head1 SEE ALSO
|
||||
|
||||
L<d2i_X509(3)>
|
||||
|
|
|
@ -136,10 +136,7 @@ struct X509_pubkey_st {
|
|||
CRYPTO_RWLOCK *lock;
|
||||
};
|
||||
|
||||
typedef struct X509_sig_st {
|
||||
X509_ALGOR *algor;
|
||||
ASN1_OCTET_STRING *digest;
|
||||
} X509_SIG;
|
||||
typedef struct X509_sig_st X509_SIG;
|
||||
|
||||
typedef struct X509_name_entry_st X509_NAME_ENTRY;
|
||||
|
||||
|
@ -586,6 +583,9 @@ EC_KEY *d2i_EC_PUBKEY(EC_KEY **a, const unsigned char **pp, long length);
|
|||
# endif
|
||||
|
||||
DECLARE_ASN1_FUNCTIONS(X509_SIG)
|
||||
void X509_SIG_get0(X509_ALGOR **palg, ASN1_OCTET_STRING **pdigest,
|
||||
X509_SIG *sig);
|
||||
|
||||
DECLARE_ASN1_FUNCTIONS(X509_REQ_INFO)
|
||||
DECLARE_ASN1_FUNCTIONS(X509_REQ)
|
||||
|
||||
|
|
Loading…
Reference in New Issue