1 /* crypto/pkcs7/pk7_doit.c */ 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 59 #include <stdio.h> 60 #include "cryptlib.h" 61 #include <openssl/rand.h> 62 #include <openssl/objects.h> 63 #include <openssl/x509.h> 64 #include <openssl/x509v3.h> 65 #include <openssl/err.h> 66 67 static int add_attribute(STACK_OF(X509_ATTRIBUTE) **sk, int nid, int atrtype, 68 void *value); 69 static ASN1_TYPE *get_attribute(STACK_OF(X509_ATTRIBUTE) *sk, int nid); 70 71 static int PKCS7_type_is_other(PKCS7* p7) 72 { 73 int isOther=1; 74 75 int nid=OBJ_obj2nid(p7->type); 76 77 switch( nid ) 78 { 79 case NID_pkcs7_data: 80 case NID_pkcs7_signed: 81 case NID_pkcs7_enveloped: 82 case NID_pkcs7_signedAndEnveloped: 83 case NID_pkcs7_digest: 84 case NID_pkcs7_encrypted: 85 isOther=0; 86 break; 87 default: 88 isOther=1; 89 } 90 91 return isOther; 92 93 } 94 95 static ASN1_OCTET_STRING *PKCS7_get_octet_string(PKCS7 *p7) 96 { 97 if ( PKCS7_type_is_data(p7)) 98 return p7->d.data; 99 if ( PKCS7_type_is_other(p7) && p7->d.other 100 && (p7->d.other->type == V_ASN1_OCTET_STRING)) 101 return p7->d.other->value.octet_string; 102 return NULL; 103 } 104 105 static int PKCS7_bio_add_digest(BIO **pbio, X509_ALGOR *alg) 106 { 107 BIO *btmp; 108 const EVP_MD *md; 109 if ((btmp=BIO_new(BIO_f_md())) == NULL) 110 { 111 PKCS7err(PKCS7_F_PKCS7_BIO_ADD_DIGEST,ERR_R_BIO_LIB); 112 goto err; 113 } 114 115 md=EVP_get_digestbyobj(alg->algorithm); 116 if (md == NULL) 117 { 118 PKCS7err(PKCS7_F_PKCS7_BIO_ADD_DIGEST,PKCS7_R_UNKNOWN_DIGEST_TYPE); 119 goto err; 120 } 121 122 BIO_set_md(btmp,md); 123 if (*pbio == NULL) 124 *pbio=btmp; 125 else if (!BIO_push(*pbio,btmp)) 126 { 127 PKCS7err(PKCS7_F_PKCS7_BIO_ADD_DIGEST,ERR_R_BIO_LIB); 128 goto err; 129 } 130 btmp=NULL; 131 132 return 1; 133 134 err: 135 if (btmp) 136 BIO_free(btmp); 137 return 0; 138 139 } 140 141 static int pkcs7_encode_rinfo(PKCS7_RECIP_INFO *ri, 142 unsigned char *key, int keylen) 143 { 144 EVP_PKEY_CTX *pctx = NULL; 145 EVP_PKEY *pkey = NULL; 146 unsigned char *ek = NULL; 147 int ret = 0; 148 size_t eklen; 149 150 pkey = X509_get_pubkey(ri->cert); 151 152 if (!pkey) 153 return 0; 154 155 pctx = EVP_PKEY_CTX_new(pkey, NULL); 156 if (!pctx) 157 return 0; 158 159 if (EVP_PKEY_encrypt_init(pctx) <= 0) 160 goto err; 161 162 if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_ENCRYPT, 163 EVP_PKEY_CTRL_PKCS7_ENCRYPT, 0, ri) <= 0) 164 { 165 PKCS7err(PKCS7_F_PKCS7_ENCODE_RINFO, PKCS7_R_CTRL_ERROR); 166 goto err; 167 } 168 169 if (EVP_PKEY_encrypt(pctx, NULL, &eklen, key, keylen) <= 0) 170 goto err; 171 172 ek = OPENSSL_malloc(eklen); 173 174 if (ek == NULL) 175 { 176 PKCS7err(PKCS7_F_PKCS7_ENCODE_RINFO, ERR_R_MALLOC_FAILURE); 177 goto err; 178 } 179 180 if (EVP_PKEY_encrypt(pctx, ek, &eklen, key, keylen) <= 0) 181 goto err; 182 183 ASN1_STRING_set0(ri->enc_key, ek, eklen); 184 ek = NULL; 185 186 ret = 1; 187 188 err: 189 if (pkey) 190 EVP_PKEY_free(pkey); 191 if (pctx) 192 EVP_PKEY_CTX_free(pctx); 193 if (ek) 194 OPENSSL_free(ek); 195 return ret; 196 197 } 198 199 200 static int pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen, 201 PKCS7_RECIP_INFO *ri, EVP_PKEY *pkey) 202 { 203 EVP_PKEY_CTX *pctx = NULL; 204 unsigned char *ek = NULL; 205 size_t eklen; 206 207 int ret = -1; 208 209 pctx = EVP_PKEY_CTX_new(pkey, NULL); 210 if (!pctx) 211 return -1; 212 213 if (EVP_PKEY_decrypt_init(pctx) <= 0) 214 goto err; 215 216 if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_DECRYPT, 217 EVP_PKEY_CTRL_PKCS7_DECRYPT, 0, ri) <= 0) 218 { 219 PKCS7err(PKCS7_F_PKCS7_DECRYPT_RINFO, PKCS7_R_CTRL_ERROR); 220 goto err; 221 } 222 223 if (EVP_PKEY_decrypt(pctx, NULL, &eklen, 224 ri->enc_key->data, ri->enc_key->length) <= 0) 225 goto err; 226 227 ek = OPENSSL_malloc(eklen); 228 229 if (ek == NULL) 230 { 231 PKCS7err(PKCS7_F_PKCS7_DECRYPT_RINFO, ERR_R_MALLOC_FAILURE); 232 goto err; 233 } 234 235 if (EVP_PKEY_decrypt(pctx, ek, &eklen, 236 ri->enc_key->data, ri->enc_key->length) <= 0) 237 { 238 ret = 0; 239 PKCS7err(PKCS7_F_PKCS7_DECRYPT_RINFO, ERR_R_EVP_LIB); 240 goto err; 241 } 242 243 ret = 1; 244 245 if (*pek) 246 { 247 OPENSSL_cleanse(*pek, *peklen); 248 OPENSSL_free(*pek); 249 } 250 251 *pek = ek; 252 *peklen = eklen; 253 254 err: 255 if (pctx) 256 EVP_PKEY_CTX_free(pctx); 257 if (!ret && ek) 258 OPENSSL_free(ek); 259 260 return ret; 261 } 262 263 BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio) 264 { 265 int i; 266 BIO *out=NULL,*btmp=NULL; 267 X509_ALGOR *xa = NULL; 268 const EVP_CIPHER *evp_cipher=NULL; 269 STACK_OF(X509_ALGOR) *md_sk=NULL; 270 STACK_OF(PKCS7_RECIP_INFO) *rsk=NULL; 271 X509_ALGOR *xalg=NULL; 272 PKCS7_RECIP_INFO *ri=NULL; 273 ASN1_OCTET_STRING *os=NULL; 274 275 i=OBJ_obj2nid(p7->type); 276 p7->state=PKCS7_S_HEADER; 277 278 switch (i) 279 { 280 case NID_pkcs7_signed: 281 md_sk=p7->d.sign->md_algs; 282 os = PKCS7_get_octet_string(p7->d.sign->contents); 283 break; 284 case NID_pkcs7_signedAndEnveloped: 285 rsk=p7->d.signed_and_enveloped->recipientinfo; 286 md_sk=p7->d.signed_and_enveloped->md_algs; 287 xalg=p7->d.signed_and_enveloped->enc_data->algorithm; 288 evp_cipher=p7->d.signed_and_enveloped->enc_data->cipher; 289 if (evp_cipher == NULL) 290 { 291 PKCS7err(PKCS7_F_PKCS7_DATAINIT, 292 PKCS7_R_CIPHER_NOT_INITIALIZED); 293 goto err; 294 } 295 break; 296 case NID_pkcs7_enveloped: 297 rsk=p7->d.enveloped->recipientinfo; 298 xalg=p7->d.enveloped->enc_data->algorithm; 299 evp_cipher=p7->d.enveloped->enc_data->cipher; 300 if (evp_cipher == NULL) 301 { 302 PKCS7err(PKCS7_F_PKCS7_DATAINIT, 303 PKCS7_R_CIPHER_NOT_INITIALIZED); 304 goto err; 305 } 306 break; 307 case NID_pkcs7_digest: 308 xa = p7->d.digest->md; 309 os = PKCS7_get_octet_string(p7->d.digest->contents); 310 break; 311 case NID_pkcs7_data: 312 break; 313 default: 314 PKCS7err(PKCS7_F_PKCS7_DATAINIT,PKCS7_R_UNSUPPORTED_CONTENT_TYPE); 315 goto err; 316 } 317 318 for (i=0; i<sk_X509_ALGOR_num(md_sk); i++) 319 if (!PKCS7_bio_add_digest(&out, sk_X509_ALGOR_value(md_sk, i))) 320 goto err; 321 322 if (xa && !PKCS7_bio_add_digest(&out, xa)) 323 goto err; 324 325 if (evp_cipher != NULL) 326 { 327 unsigned char key[EVP_MAX_KEY_LENGTH]; 328 unsigned char iv[EVP_MAX_IV_LENGTH]; 329 int keylen,ivlen; 330 EVP_CIPHER_CTX *ctx; 331 332 if ((btmp=BIO_new(BIO_f_cipher())) == NULL) 333 { 334 PKCS7err(PKCS7_F_PKCS7_DATAINIT,ERR_R_BIO_LIB); 335 goto err; 336 } 337 BIO_get_cipher_ctx(btmp, &ctx); 338 keylen=EVP_CIPHER_key_length(evp_cipher); 339 ivlen=EVP_CIPHER_iv_length(evp_cipher); 340 xalg->algorithm = OBJ_nid2obj(EVP_CIPHER_type(evp_cipher)); 341 if (ivlen > 0) 342 if (RAND_pseudo_bytes(iv,ivlen) <= 0) 343 goto err; 344 if (EVP_CipherInit_ex(ctx, evp_cipher, NULL, NULL, NULL, 1)<=0) 345 goto err; 346 if (EVP_CIPHER_CTX_rand_key(ctx, key) <= 0) 347 goto err; 348 if (EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, 1) <= 0) 349 goto err; 350 351 if (ivlen > 0) { 352 if (xalg->parameter == NULL) { 353 xalg->parameter = ASN1_TYPE_new(); 354 if (xalg->parameter == NULL) 355 goto err; 356 } 357 if(EVP_CIPHER_param_to_asn1(ctx, xalg->parameter) < 0) 358 goto err; 359 } 360 361 /* Lets do the pub key stuff :-) */ 362 for (i=0; i<sk_PKCS7_RECIP_INFO_num(rsk); i++) 363 { 364 ri=sk_PKCS7_RECIP_INFO_value(rsk,i); 365 if (pkcs7_encode_rinfo(ri, key, keylen) <= 0) 366 goto err; 367 } 368 OPENSSL_cleanse(key, keylen); 369 370 if (out == NULL) 371 out=btmp; 372 else 373 BIO_push(out,btmp); 374 btmp=NULL; 375 } 376 377 if (bio == NULL) 378 { 379 if (PKCS7_is_detached(p7)) 380 bio=BIO_new(BIO_s_null()); 381 else if (os && os->length > 0) 382 bio = BIO_new_mem_buf(os->data, os->length); 383 if(bio == NULL) 384 { 385 bio=BIO_new(BIO_s_mem()); 386 if (bio == NULL) 387 goto err; 388 BIO_set_mem_eof_return(bio,0); 389 } 390 } 391 if (out) 392 BIO_push(out,bio); 393 else 394 out = bio; 395 bio=NULL; 396 if (0) 397 { 398 err: 399 if (out != NULL) 400 BIO_free_all(out); 401 if (btmp != NULL) 402 BIO_free_all(btmp); 403 out=NULL; 404 } 405 return(out); 406 } 407 408 static int pkcs7_cmp_ri(PKCS7_RECIP_INFO *ri, X509 *pcert) 409 { 410 int ret; 411 ret = X509_NAME_cmp(ri->issuer_and_serial->issuer, 412 pcert->cert_info->issuer); 413 if (ret) 414 return ret; 415 return M_ASN1_INTEGER_cmp(pcert->cert_info->serialNumber, 416 ri->issuer_and_serial->serial); 417 } 418 419 /* int */ 420 BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) 421 { 422 int i,j; 423 BIO *out=NULL,*btmp=NULL,*etmp=NULL,*bio=NULL; 424 X509_ALGOR *xa; 425 ASN1_OCTET_STRING *data_body=NULL; 426 const EVP_MD *evp_md; 427 const EVP_CIPHER *evp_cipher=NULL; 428 EVP_CIPHER_CTX *evp_ctx=NULL; 429 X509_ALGOR *enc_alg=NULL; 430 STACK_OF(X509_ALGOR) *md_sk=NULL; 431 STACK_OF(PKCS7_RECIP_INFO) *rsk=NULL; 432 PKCS7_RECIP_INFO *ri=NULL; 433 unsigned char *ek = NULL, *tkey = NULL; 434 int eklen = 0, tkeylen = 0; 435 436 i=OBJ_obj2nid(p7->type); 437 p7->state=PKCS7_S_HEADER; 438 439 switch (i) 440 { 441 case NID_pkcs7_signed: 442 data_body=PKCS7_get_octet_string(p7->d.sign->contents); 443 if (!PKCS7_is_detached(p7) && data_body == NULL) 444 { 445 PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_INVALID_SIGNED_DATA_TYPE); 446 goto err; 447 } 448 md_sk=p7->d.sign->md_algs; 449 break; 450 case NID_pkcs7_signedAndEnveloped: 451 rsk=p7->d.signed_and_enveloped->recipientinfo; 452 md_sk=p7->d.signed_and_enveloped->md_algs; 453 data_body=p7->d.signed_and_enveloped->enc_data->enc_data; 454 enc_alg=p7->d.signed_and_enveloped->enc_data->algorithm; 455 evp_cipher=EVP_get_cipherbyobj(enc_alg->algorithm); 456 if (evp_cipher == NULL) 457 { 458 PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_UNSUPPORTED_CIPHER_TYPE); 459 goto err; 460 } 461 break; 462 case NID_pkcs7_enveloped: 463 rsk=p7->d.enveloped->recipientinfo; 464 enc_alg=p7->d.enveloped->enc_data->algorithm; 465 data_body=p7->d.enveloped->enc_data->enc_data; 466 evp_cipher=EVP_get_cipherbyobj(enc_alg->algorithm); 467 if (evp_cipher == NULL) 468 { 469 PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_UNSUPPORTED_CIPHER_TYPE); 470 goto err; 471 } 472 break; 473 default: 474 PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_UNSUPPORTED_CONTENT_TYPE); 475 goto err; 476 } 477 478 /* We will be checking the signature */ 479 if (md_sk != NULL) 480 { 481 for (i=0; i<sk_X509_ALGOR_num(md_sk); i++) 482 { 483 xa=sk_X509_ALGOR_value(md_sk,i); 484 if ((btmp=BIO_new(BIO_f_md())) == NULL) 485 { 486 PKCS7err(PKCS7_F_PKCS7_DATADECODE,ERR_R_BIO_LIB); 487 goto err; 488 } 489 490 j=OBJ_obj2nid(xa->algorithm); 491 evp_md=EVP_get_digestbynid(j); 492 if (evp_md == NULL) 493 { 494 PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_UNKNOWN_DIGEST_TYPE); 495 goto err; 496 } 497 498 BIO_set_md(btmp,evp_md); 499 if (out == NULL) 500 out=btmp; 501 else 502 BIO_push(out,btmp); 503 btmp=NULL; 504 } 505 } 506 507 if (evp_cipher != NULL) 508 { 509 #if 0 510 unsigned char key[EVP_MAX_KEY_LENGTH]; 511 unsigned char iv[EVP_MAX_IV_LENGTH]; 512 unsigned char *p; 513 int keylen,ivlen; 514 int max; 515 X509_OBJECT ret; 516 #endif 517 518 if ((etmp=BIO_new(BIO_f_cipher())) == NULL) 519 { 520 PKCS7err(PKCS7_F_PKCS7_DATADECODE,ERR_R_BIO_LIB); 521 goto err; 522 } 523 524 /* It was encrypted, we need to decrypt the secret key 525 * with the private key */ 526 527 /* Find the recipientInfo which matches the passed certificate 528 * (if any) 529 */ 530 531 if (pcert) 532 { 533 for (i=0; i<sk_PKCS7_RECIP_INFO_num(rsk); i++) 534 { 535 ri=sk_PKCS7_RECIP_INFO_value(rsk,i); 536 if (!pkcs7_cmp_ri(ri, pcert)) 537 break; 538 ri=NULL; 539 } 540 if (ri == NULL) 541 { 542 PKCS7err(PKCS7_F_PKCS7_DATADECODE, 543 PKCS7_R_NO_RECIPIENT_MATCHES_CERTIFICATE); 544 goto err; 545 } 546 } 547 548 /* If we haven't got a certificate try each ri in turn */ 549 if (pcert == NULL) 550 { 551 /* Always attempt to decrypt all rinfo even 552 * after sucess as a defence against MMA timing 553 * attacks. 554 */ 555 for (i=0; i<sk_PKCS7_RECIP_INFO_num(rsk); i++) 556 { 557 ri=sk_PKCS7_RECIP_INFO_value(rsk,i); 558 559 if (pkcs7_decrypt_rinfo(&ek, &eklen, 560 ri, pkey) < 0) 561 goto err; 562 ERR_clear_error(); 563 } 564 } 565 else 566 { 567 /* Only exit on fatal errors, not decrypt failure */ 568 if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey) < 0) 569 goto err; 570 ERR_clear_error(); 571 } 572 573 evp_ctx=NULL; 574 BIO_get_cipher_ctx(etmp,&evp_ctx); 575 if (EVP_CipherInit_ex(evp_ctx,evp_cipher,NULL,NULL,NULL,0) <= 0) 576 goto err; 577 if (EVP_CIPHER_asn1_to_param(evp_ctx,enc_alg->parameter) < 0) 578 goto err; 579 /* Generate random key as MMA defence */ 580 tkeylen = EVP_CIPHER_CTX_key_length(evp_ctx); 581 tkey = OPENSSL_malloc(tkeylen); 582 if (!tkey) 583 goto err; 584 if (EVP_CIPHER_CTX_rand_key(evp_ctx, tkey) <= 0) 585 goto err; 586 if (ek == NULL) 587 { 588 ek = tkey; 589 eklen = tkeylen; 590 tkey = NULL; 591 } 592 593 if (eklen != EVP_CIPHER_CTX_key_length(evp_ctx)) { 594 /* Some S/MIME clients don't use the same key 595 * and effective key length. The key length is 596 * determined by the size of the decrypted RSA key. 597 */ 598 if(!EVP_CIPHER_CTX_set_key_length(evp_ctx, eklen)) 599 { 600 /* Use random key as MMA defence */ 601 OPENSSL_cleanse(ek, eklen); 602 OPENSSL_free(ek); 603 ek = tkey; 604 eklen = tkeylen; 605 tkey = NULL; 606 } 607 } 608 /* Clear errors so we don't leak information useful in MMA */ 609 ERR_clear_error(); 610 if (EVP_CipherInit_ex(evp_ctx,NULL,NULL,ek,NULL,0) <= 0) 611 goto err; 612 613 if (ek) 614 { 615 OPENSSL_cleanse(ek,eklen); 616 OPENSSL_free(ek); 617 ek = NULL; 618 } 619 if (tkey) 620 { 621 OPENSSL_cleanse(tkey,tkeylen); 622 OPENSSL_free(tkey); 623 tkey = NULL; 624 } 625 626 if (out == NULL) 627 out=etmp; 628 else 629 BIO_push(out,etmp); 630 etmp=NULL; 631 } 632 633 #if 1 634 if (PKCS7_is_detached(p7) || (in_bio != NULL)) 635 { 636 bio=in_bio; 637 } 638 else 639 { 640 #if 0 641 bio=BIO_new(BIO_s_mem()); 642 /* We need to set this so that when we have read all 643 * the data, the encrypt BIO, if present, will read 644 * EOF and encode the last few bytes */ 645 BIO_set_mem_eof_return(bio,0); 646 647 if (data_body->length > 0) 648 BIO_write(bio,(char *)data_body->data,data_body->length); 649 #else 650 if (data_body->length > 0) 651 bio = BIO_new_mem_buf(data_body->data,data_body->length); 652 else { 653 bio=BIO_new(BIO_s_mem()); 654 BIO_set_mem_eof_return(bio,0); 655 } 656 if (bio == NULL) 657 goto err; 658 #endif 659 } 660 BIO_push(out,bio); 661 bio=NULL; 662 #endif 663 if (0) 664 { 665 err: 666 if (ek) 667 { 668 OPENSSL_cleanse(ek,eklen); 669 OPENSSL_free(ek); 670 } 671 if (tkey) 672 { 673 OPENSSL_cleanse(tkey,tkeylen); 674 OPENSSL_free(tkey); 675 } 676 if (out != NULL) BIO_free_all(out); 677 if (btmp != NULL) BIO_free_all(btmp); 678 if (etmp != NULL) BIO_free_all(etmp); 679 if (bio != NULL) BIO_free_all(bio); 680 out=NULL; 681 } 682 return(out); 683 } 684 685 static BIO *PKCS7_find_digest(EVP_MD_CTX **pmd, BIO *bio, int nid) 686 { 687 for (;;) 688 { 689 bio=BIO_find_type(bio,BIO_TYPE_MD); 690 if (bio == NULL) 691 { 692 PKCS7err(PKCS7_F_PKCS7_FIND_DIGEST,PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST); 693 return NULL; 694 } 695 BIO_get_md_ctx(bio,pmd); 696 if (*pmd == NULL) 697 { 698 PKCS7err(PKCS7_F_PKCS7_FIND_DIGEST,ERR_R_INTERNAL_ERROR); 699 return NULL; 700 } 701 if (EVP_MD_CTX_type(*pmd) == nid) 702 return bio; 703 bio=BIO_next(bio); 704 } 705 return NULL; 706 } 707 708 static int do_pkcs7_signed_attrib(PKCS7_SIGNER_INFO *si, EVP_MD_CTX *mctx) 709 { 710 unsigned char md_data[EVP_MAX_MD_SIZE]; 711 unsigned int md_len; 712 713 /* Add signing time if not already present */ 714 if (!PKCS7_get_signed_attribute(si, NID_pkcs9_signingTime)) 715 { 716 if (!PKCS7_add0_attrib_signing_time(si, NULL)) 717 { 718 PKCS7err(PKCS7_F_DO_PKCS7_SIGNED_ATTRIB, 719 ERR_R_MALLOC_FAILURE); 720 return 0; 721 } 722 } 723 724 /* Add digest */ 725 if (!EVP_DigestFinal_ex(mctx, md_data,&md_len)) 726 { 727 PKCS7err(PKCS7_F_DO_PKCS7_SIGNED_ATTRIB, ERR_R_EVP_LIB); 728 return 0; 729 } 730 if (!PKCS7_add1_attrib_digest(si, md_data, md_len)) 731 { 732 PKCS7err(PKCS7_F_DO_PKCS7_SIGNED_ATTRIB, ERR_R_MALLOC_FAILURE); 733 return 0; 734 } 735 736 /* Now sign the attributes */ 737 if (!PKCS7_SIGNER_INFO_sign(si)) 738 return 0; 739 740 return 1; 741 } 742 743 744 int PKCS7_dataFinal(PKCS7 *p7, BIO *bio) 745 { 746 int ret=0; 747 int i,j; 748 BIO *btmp; 749 PKCS7_SIGNER_INFO *si; 750 EVP_MD_CTX *mdc,ctx_tmp; 751 STACK_OF(X509_ATTRIBUTE) *sk; 752 STACK_OF(PKCS7_SIGNER_INFO) *si_sk=NULL; 753 ASN1_OCTET_STRING *os=NULL; 754 755 EVP_MD_CTX_init(&ctx_tmp); 756 i=OBJ_obj2nid(p7->type); 757 p7->state=PKCS7_S_HEADER; 758 759 switch (i) 760 { 761 case NID_pkcs7_data: 762 os = p7->d.data; 763 break; 764 case NID_pkcs7_signedAndEnveloped: 765 /* XXXXXXXXXXXXXXXX */ 766 si_sk=p7->d.signed_and_enveloped->signer_info; 767 os = p7->d.signed_and_enveloped->enc_data->enc_data; 768 if (!os) 769 { 770 os=M_ASN1_OCTET_STRING_new(); 771 if (!os) 772 { 773 PKCS7err(PKCS7_F_PKCS7_DATAFINAL,ERR_R_MALLOC_FAILURE); 774 goto err; 775 } 776 p7->d.signed_and_enveloped->enc_data->enc_data=os; 777 } 778 break; 779 case NID_pkcs7_enveloped: 780 /* XXXXXXXXXXXXXXXX */ 781 os = p7->d.enveloped->enc_data->enc_data; 782 if (!os) 783 { 784 os=M_ASN1_OCTET_STRING_new(); 785 if (!os) 786 { 787 PKCS7err(PKCS7_F_PKCS7_DATAFINAL,ERR_R_MALLOC_FAILURE); 788 goto err; 789 } 790 p7->d.enveloped->enc_data->enc_data=os; 791 } 792 break; 793 case NID_pkcs7_signed: 794 si_sk=p7->d.sign->signer_info; 795 os=PKCS7_get_octet_string(p7->d.sign->contents); 796 /* If detached data then the content is excluded */ 797 if(PKCS7_type_is_data(p7->d.sign->contents) && p7->detached) { 798 M_ASN1_OCTET_STRING_free(os); 799 p7->d.sign->contents->d.data = NULL; 800 } 801 break; 802 803 case NID_pkcs7_digest: 804 os=PKCS7_get_octet_string(p7->d.digest->contents); 805 /* If detached data then the content is excluded */ 806 if(PKCS7_type_is_data(p7->d.digest->contents) && p7->detached) 807 { 808 M_ASN1_OCTET_STRING_free(os); 809 p7->d.digest->contents->d.data = NULL; 810 } 811 break; 812 813 default: 814 PKCS7err(PKCS7_F_PKCS7_DATAFINAL,PKCS7_R_UNSUPPORTED_CONTENT_TYPE); 815 goto err; 816 } 817 818 if (si_sk != NULL) 819 { 820 for (i=0; i<sk_PKCS7_SIGNER_INFO_num(si_sk); i++) 821 { 822 si=sk_PKCS7_SIGNER_INFO_value(si_sk,i); 823 if (si->pkey == NULL) 824 continue; 825 826 j = OBJ_obj2nid(si->digest_alg->algorithm); 827 828 btmp=bio; 829 830 btmp = PKCS7_find_digest(&mdc, btmp, j); 831 832 if (btmp == NULL) 833 goto err; 834 835 /* We now have the EVP_MD_CTX, lets do the 836 * signing. */ 837 if (!EVP_MD_CTX_copy_ex(&ctx_tmp,mdc)) 838 goto err; 839 840 sk=si->auth_attr; 841 842 /* If there are attributes, we add the digest 843 * attribute and only sign the attributes */ 844 if (sk_X509_ATTRIBUTE_num(sk) > 0) 845 { 846 if (!do_pkcs7_signed_attrib(si, &ctx_tmp)) 847 goto err; 848 } 849 else 850 { 851 unsigned char *abuf = NULL; 852 unsigned int abuflen; 853 abuflen = EVP_PKEY_size(si->pkey); 854 abuf = OPENSSL_malloc(abuflen); 855 if (!abuf) 856 goto err; 857 858 if (!EVP_SignFinal(&ctx_tmp, abuf, &abuflen, 859 si->pkey)) 860 { 861 PKCS7err(PKCS7_F_PKCS7_DATAFINAL, 862 ERR_R_EVP_LIB); 863 goto err; 864 } 865 ASN1_STRING_set0(si->enc_digest, abuf, abuflen); 866 } 867 } 868 } 869 else if (i == NID_pkcs7_digest) 870 { 871 unsigned char md_data[EVP_MAX_MD_SIZE]; 872 unsigned int md_len; 873 if (!PKCS7_find_digest(&mdc, bio, 874 OBJ_obj2nid(p7->d.digest->md->algorithm))) 875 goto err; 876 if (!EVP_DigestFinal_ex(mdc,md_data,&md_len)) 877 goto err; 878 M_ASN1_OCTET_STRING_set(p7->d.digest->digest, md_data, md_len); 879 } 880 881 if (!PKCS7_is_detached(p7) && !(os->flags & ASN1_STRING_FLAG_NDEF)) 882 { 883 char *cont; 884 long contlen; 885 btmp=BIO_find_type(bio,BIO_TYPE_MEM); 886 if (btmp == NULL) 887 { 888 PKCS7err(PKCS7_F_PKCS7_DATAFINAL,PKCS7_R_UNABLE_TO_FIND_MEM_BIO); 889 goto err; 890 } 891 contlen = BIO_get_mem_data(btmp, &cont); 892 /* Mark the BIO read only then we can use its copy of the data 893 * instead of making an extra copy. 894 */ 895 BIO_set_flags(btmp, BIO_FLAGS_MEM_RDONLY); 896 BIO_set_mem_eof_return(btmp, 0); 897 ASN1_STRING_set0(os, (unsigned char *)cont, contlen); 898 } 899 ret=1; 900 err: 901 EVP_MD_CTX_cleanup(&ctx_tmp); 902 return(ret); 903 } 904 905 int PKCS7_SIGNER_INFO_sign(PKCS7_SIGNER_INFO *si) 906 { 907 EVP_MD_CTX mctx; 908 EVP_PKEY_CTX *pctx; 909 unsigned char *abuf = NULL; 910 int alen; 911 size_t siglen; 912 const EVP_MD *md = NULL; 913 914 md = EVP_get_digestbyobj(si->digest_alg->algorithm); 915 if (md == NULL) 916 return 0; 917 918 EVP_MD_CTX_init(&mctx); 919 if (EVP_DigestSignInit(&mctx, &pctx, md,NULL, si->pkey) <= 0) 920 goto err; 921 922 if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN, 923 EVP_PKEY_CTRL_PKCS7_SIGN, 0, si) <= 0) 924 { 925 PKCS7err(PKCS7_F_PKCS7_SIGNER_INFO_SIGN, PKCS7_R_CTRL_ERROR); 926 goto err; 927 } 928 929 alen = ASN1_item_i2d((ASN1_VALUE *)si->auth_attr,&abuf, 930 ASN1_ITEM_rptr(PKCS7_ATTR_SIGN)); 931 if(!abuf) 932 goto err; 933 if (EVP_DigestSignUpdate(&mctx,abuf,alen) <= 0) 934 goto err; 935 OPENSSL_free(abuf); 936 abuf = NULL; 937 if (EVP_DigestSignFinal(&mctx, NULL, &siglen) <= 0) 938 goto err; 939 abuf = OPENSSL_malloc(siglen); 940 if(!abuf) 941 goto err; 942 if (EVP_DigestSignFinal(&mctx, abuf, &siglen) <= 0) 943 goto err; 944 945 if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN, 946 EVP_PKEY_CTRL_PKCS7_SIGN, 1, si) <= 0) 947 { 948 PKCS7err(PKCS7_F_PKCS7_SIGNER_INFO_SIGN, PKCS7_R_CTRL_ERROR); 949 goto err; 950 } 951 952 EVP_MD_CTX_cleanup(&mctx); 953 954 ASN1_STRING_set0(si->enc_digest, abuf, siglen); 955 956 return 1; 957 958 err: 959 if (abuf) 960 OPENSSL_free(abuf); 961 EVP_MD_CTX_cleanup(&mctx); 962 return 0; 963 964 } 965 966 int PKCS7_dataVerify(X509_STORE *cert_store, X509_STORE_CTX *ctx, BIO *bio, 967 PKCS7 *p7, PKCS7_SIGNER_INFO *si) 968 { 969 PKCS7_ISSUER_AND_SERIAL *ias; 970 int ret=0,i; 971 STACK_OF(X509) *cert; 972 X509 *x509; 973 974 if (PKCS7_type_is_signed(p7)) 975 { 976 cert=p7->d.sign->cert; 977 } 978 else if (PKCS7_type_is_signedAndEnveloped(p7)) 979 { 980 cert=p7->d.signed_and_enveloped->cert; 981 } 982 else 983 { 984 PKCS7err(PKCS7_F_PKCS7_DATAVERIFY,PKCS7_R_WRONG_PKCS7_TYPE); 985 goto err; 986 } 987 /* XXXXXXXXXXXXXXXXXXXXXXX */ 988 ias=si->issuer_and_serial; 989 990 x509=X509_find_by_issuer_and_serial(cert,ias->issuer,ias->serial); 991 992 /* were we able to find the cert in passed to us */ 993 if (x509 == NULL) 994 { 995 PKCS7err(PKCS7_F_PKCS7_DATAVERIFY,PKCS7_R_UNABLE_TO_FIND_CERTIFICATE); 996 goto err; 997 } 998 999 /* Lets verify */ 1000 if(!X509_STORE_CTX_init(ctx,cert_store,x509,cert)) 1001 { 1002 PKCS7err(PKCS7_F_PKCS7_DATAVERIFY,ERR_R_X509_LIB); 1003 goto err; 1004 } 1005 X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_SMIME_SIGN); 1006 i=X509_verify_cert(ctx); 1007 if (i <= 0) 1008 { 1009 PKCS7err(PKCS7_F_PKCS7_DATAVERIFY,ERR_R_X509_LIB); 1010 X509_STORE_CTX_cleanup(ctx); 1011 goto err; 1012 } 1013 X509_STORE_CTX_cleanup(ctx); 1014 1015 return PKCS7_signatureVerify(bio, p7, si, x509); 1016 err: 1017 return ret; 1018 } 1019 1020 int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si, 1021 X509 *x509) 1022 { 1023 ASN1_OCTET_STRING *os; 1024 EVP_MD_CTX mdc_tmp,*mdc; 1025 int ret=0,i; 1026 int md_type; 1027 STACK_OF(X509_ATTRIBUTE) *sk; 1028 BIO *btmp; 1029 EVP_PKEY *pkey; 1030 1031 EVP_MD_CTX_init(&mdc_tmp); 1032 1033 if (!PKCS7_type_is_signed(p7) && 1034 !PKCS7_type_is_signedAndEnveloped(p7)) { 1035 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, 1036 PKCS7_R_WRONG_PKCS7_TYPE); 1037 goto err; 1038 } 1039 1040 md_type=OBJ_obj2nid(si->digest_alg->algorithm); 1041 1042 btmp=bio; 1043 for (;;) 1044 { 1045 if ((btmp == NULL) || 1046 ((btmp=BIO_find_type(btmp,BIO_TYPE_MD)) == NULL)) 1047 { 1048 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, 1049 PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST); 1050 goto err; 1051 } 1052 BIO_get_md_ctx(btmp,&mdc); 1053 if (mdc == NULL) 1054 { 1055 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, 1056 ERR_R_INTERNAL_ERROR); 1057 goto err; 1058 } 1059 if (EVP_MD_CTX_type(mdc) == md_type) 1060 break; 1061 /* Workaround for some broken clients that put the signature 1062 * OID instead of the digest OID in digest_alg->algorithm 1063 */ 1064 if (EVP_MD_pkey_type(EVP_MD_CTX_md(mdc)) == md_type) 1065 break; 1066 btmp=BIO_next(btmp); 1067 } 1068 1069 /* mdc is the digest ctx that we want, unless there are attributes, 1070 * in which case the digest is the signed attributes */ 1071 if (!EVP_MD_CTX_copy_ex(&mdc_tmp,mdc)) 1072 goto err; 1073 1074 sk=si->auth_attr; 1075 if ((sk != NULL) && (sk_X509_ATTRIBUTE_num(sk) != 0)) 1076 { 1077 unsigned char md_dat[EVP_MAX_MD_SIZE], *abuf = NULL; 1078 unsigned int md_len; 1079 int alen; 1080 ASN1_OCTET_STRING *message_digest; 1081 1082 if (!EVP_DigestFinal_ex(&mdc_tmp,md_dat,&md_len)) 1083 goto err; 1084 message_digest=PKCS7_digest_from_attributes(sk); 1085 if (!message_digest) 1086 { 1087 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, 1088 PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST); 1089 goto err; 1090 } 1091 if ((message_digest->length != (int)md_len) || 1092 (memcmp(message_digest->data,md_dat,md_len))) 1093 { 1094 #if 0 1095 { 1096 int ii; 1097 for (ii=0; ii<message_digest->length; ii++) 1098 printf("%02X",message_digest->data[ii]); printf(" sent\n"); 1099 for (ii=0; ii<md_len; ii++) printf("%02X",md_dat[ii]); printf(" calc\n"); 1100 } 1101 #endif 1102 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, 1103 PKCS7_R_DIGEST_FAILURE); 1104 ret= -1; 1105 goto err; 1106 } 1107 1108 if (!EVP_VerifyInit_ex(&mdc_tmp,EVP_get_digestbynid(md_type), NULL)) 1109 goto err; 1110 1111 alen = ASN1_item_i2d((ASN1_VALUE *)sk, &abuf, 1112 ASN1_ITEM_rptr(PKCS7_ATTR_VERIFY)); 1113 if (alen <= 0) 1114 { 1115 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY,ERR_R_ASN1_LIB); 1116 ret = -1; 1117 goto err; 1118 } 1119 if (!EVP_VerifyUpdate(&mdc_tmp, abuf, alen)) 1120 goto err; 1121 1122 OPENSSL_free(abuf); 1123 } 1124 1125 os=si->enc_digest; 1126 pkey = X509_get_pubkey(x509); 1127 if (!pkey) 1128 { 1129 ret = -1; 1130 goto err; 1131 } 1132 1133 i=EVP_VerifyFinal(&mdc_tmp,os->data,os->length, pkey); 1134 EVP_PKEY_free(pkey); 1135 if (i <= 0) 1136 { 1137 PKCS7err(PKCS7_F_PKCS7_SIGNATUREVERIFY, 1138 PKCS7_R_SIGNATURE_FAILURE); 1139 ret= -1; 1140 goto err; 1141 } 1142 else 1143 ret=1; 1144 err: 1145 EVP_MD_CTX_cleanup(&mdc_tmp); 1146 return(ret); 1147 } 1148 1149 PKCS7_ISSUER_AND_SERIAL *PKCS7_get_issuer_and_serial(PKCS7 *p7, int idx) 1150 { 1151 STACK_OF(PKCS7_RECIP_INFO) *rsk; 1152 PKCS7_RECIP_INFO *ri; 1153 int i; 1154 1155 i=OBJ_obj2nid(p7->type); 1156 if (i != NID_pkcs7_signedAndEnveloped) 1157 return NULL; 1158 if (p7->d.signed_and_enveloped == NULL) 1159 return NULL; 1160 rsk=p7->d.signed_and_enveloped->recipientinfo; 1161 if (rsk == NULL) 1162 return NULL; 1163 ri=sk_PKCS7_RECIP_INFO_value(rsk,0); 1164 if (sk_PKCS7_RECIP_INFO_num(rsk) <= idx) return(NULL); 1165 ri=sk_PKCS7_RECIP_INFO_value(rsk,idx); 1166 return(ri->issuer_and_serial); 1167 } 1168 1169 ASN1_TYPE *PKCS7_get_signed_attribute(PKCS7_SIGNER_INFO *si, int nid) 1170 { 1171 return(get_attribute(si->auth_attr,nid)); 1172 } 1173 1174 ASN1_TYPE *PKCS7_get_attribute(PKCS7_SIGNER_INFO *si, int nid) 1175 { 1176 return(get_attribute(si->unauth_attr,nid)); 1177 } 1178 1179 static ASN1_TYPE *get_attribute(STACK_OF(X509_ATTRIBUTE) *sk, int nid) 1180 { 1181 int i; 1182 X509_ATTRIBUTE *xa; 1183 ASN1_OBJECT *o; 1184 1185 o=OBJ_nid2obj(nid); 1186 if (!o || !sk) return(NULL); 1187 for (i=0; i<sk_X509_ATTRIBUTE_num(sk); i++) 1188 { 1189 xa=sk_X509_ATTRIBUTE_value(sk,i); 1190 if (OBJ_cmp(xa->object,o) == 0) 1191 { 1192 if (!xa->single && sk_ASN1_TYPE_num(xa->value.set)) 1193 return(sk_ASN1_TYPE_value(xa->value.set,0)); 1194 else 1195 return(NULL); 1196 } 1197 } 1198 return(NULL); 1199 } 1200 1201 ASN1_OCTET_STRING *PKCS7_digest_from_attributes(STACK_OF(X509_ATTRIBUTE) *sk) 1202 { 1203 ASN1_TYPE *astype; 1204 if(!(astype = get_attribute(sk, NID_pkcs9_messageDigest))) return NULL; 1205 return astype->value.octet_string; 1206 } 1207 1208 int PKCS7_set_signed_attributes(PKCS7_SIGNER_INFO *p7si, 1209 STACK_OF(X509_ATTRIBUTE) *sk) 1210 { 1211 int i; 1212 1213 if (p7si->auth_attr != NULL) 1214 sk_X509_ATTRIBUTE_pop_free(p7si->auth_attr,X509_ATTRIBUTE_free); 1215 p7si->auth_attr=sk_X509_ATTRIBUTE_dup(sk); 1216 if (p7si->auth_attr == NULL) 1217 return 0; 1218 for (i=0; i<sk_X509_ATTRIBUTE_num(sk); i++) 1219 { 1220 if ((sk_X509_ATTRIBUTE_set(p7si->auth_attr,i, 1221 X509_ATTRIBUTE_dup(sk_X509_ATTRIBUTE_value(sk,i)))) 1222 == NULL) 1223 return(0); 1224 } 1225 return(1); 1226 } 1227 1228 int PKCS7_set_attributes(PKCS7_SIGNER_INFO *p7si, STACK_OF(X509_ATTRIBUTE) *sk) 1229 { 1230 int i; 1231 1232 if (p7si->unauth_attr != NULL) 1233 sk_X509_ATTRIBUTE_pop_free(p7si->unauth_attr, 1234 X509_ATTRIBUTE_free); 1235 p7si->unauth_attr=sk_X509_ATTRIBUTE_dup(sk); 1236 if (p7si->unauth_attr == NULL) 1237 return 0; 1238 for (i=0; i<sk_X509_ATTRIBUTE_num(sk); i++) 1239 { 1240 if ((sk_X509_ATTRIBUTE_set(p7si->unauth_attr,i, 1241 X509_ATTRIBUTE_dup(sk_X509_ATTRIBUTE_value(sk,i)))) 1242 == NULL) 1243 return(0); 1244 } 1245 return(1); 1246 } 1247 1248 int PKCS7_add_signed_attribute(PKCS7_SIGNER_INFO *p7si, int nid, int atrtype, 1249 void *value) 1250 { 1251 return(add_attribute(&(p7si->auth_attr),nid,atrtype,value)); 1252 } 1253 1254 int PKCS7_add_attribute(PKCS7_SIGNER_INFO *p7si, int nid, int atrtype, 1255 void *value) 1256 { 1257 return(add_attribute(&(p7si->unauth_attr),nid,atrtype,value)); 1258 } 1259 1260 static int add_attribute(STACK_OF(X509_ATTRIBUTE) **sk, int nid, int atrtype, 1261 void *value) 1262 { 1263 X509_ATTRIBUTE *attr=NULL; 1264 1265 if (*sk == NULL) 1266 { 1267 *sk = sk_X509_ATTRIBUTE_new_null(); 1268 if (*sk == NULL) 1269 return 0; 1270 new_attrib: 1271 if (!(attr=X509_ATTRIBUTE_create(nid,atrtype,value))) 1272 return 0; 1273 if (!sk_X509_ATTRIBUTE_push(*sk,attr)) 1274 { 1275 X509_ATTRIBUTE_free(attr); 1276 return 0; 1277 } 1278 } 1279 else 1280 { 1281 int i; 1282 1283 for (i=0; i<sk_X509_ATTRIBUTE_num(*sk); i++) 1284 { 1285 attr=sk_X509_ATTRIBUTE_value(*sk,i); 1286 if (OBJ_obj2nid(attr->object) == nid) 1287 { 1288 X509_ATTRIBUTE_free(attr); 1289 attr=X509_ATTRIBUTE_create(nid,atrtype,value); 1290 if (attr == NULL) 1291 return 0; 1292 if (!sk_X509_ATTRIBUTE_set(*sk,i,attr)) 1293 { 1294 X509_ATTRIBUTE_free(attr); 1295 return 0; 1296 } 1297 goto end; 1298 } 1299 } 1300 goto new_attrib; 1301 } 1302 end: 1303 return(1); 1304 }