Nagram/TMessagesProj/jni/boringssl/crypto/pkcs7/pkcs7_x509.c

/* Copyright (c) 2017, Google Inc.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

#include <openssl/pkcs7.h>

#include <assert.h>
#include <limits.h>

#include <openssl/bytestring.h>
#include <openssl/err.h>
#include <openssl/mem.h>
#include <openssl/pem.h>
#include <openssl/pool.h>
#include <openssl/stack.h>
#include <openssl/x509.h>

#include "internal.h"


int PKCS7_get_certificates(STACK_OF(X509) *out_certs, CBS *cbs) {
  int ret = 0;
  const size_t initial_certs_len = sk_X509_num(out_certs);
  STACK_OF(CRYPTO_BUFFER) *raw = sk_CRYPTO_BUFFER_new_null();
  if (raw == NULL ||
      !PKCS7_get_raw_certificates(raw, cbs, NULL)) {
    goto err;
  }

  for (size_t i = 0; i < sk_CRYPTO_BUFFER_num(raw); i++) {
    CRYPTO_BUFFER *buf = sk_CRYPTO_BUFFER_value(raw, i);
    X509 *x509 = X509_parse_from_buffer(buf);
    if (x509 == NULL ||
        !sk_X509_push(out_certs, x509)) {
      X509_free(x509);
      goto err;
    }
  }

  ret = 1;

err:
  sk_CRYPTO_BUFFER_pop_free(raw, CRYPTO_BUFFER_free);
  if (!ret) {
    while (sk_X509_num(out_certs) != initial_certs_len) {
      X509 *x509 = sk_X509_pop(out_certs);
      X509_free(x509);
    }
  }

  return ret;
}

int PKCS7_get_CRLs(STACK_OF(X509_CRL) *out_crls, CBS *cbs) {
  CBS signed_data, crls;
  uint8_t *der_bytes = NULL;
  int ret = 0;
  const size_t initial_crls_len = sk_X509_CRL_num(out_crls);

  if (!pkcs7_parse_header(&der_bytes, &signed_data, cbs)) {
    return 0;
  }

  // See https://tools.ietf.org/html/rfc2315#section-9.1

  // Even if only CRLs are included, there may be an empty certificates block.
  // OpenSSL does this, for example.
  if (CBS_peek_asn1_tag(&signed_data,
                        CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0) &&
      !CBS_get_asn1(&signed_data, NULL /* certificates */,
                    CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0)) {
    goto err;
  }

  if (!CBS_get_asn1(&signed_data, &crls,
                    CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 1)) {
    OPENSSL_PUT_ERROR(PKCS7, PKCS7_R_NO_CRLS_INCLUDED);
    goto err;
  }

  while (CBS_len(&crls) > 0) {
    CBS crl_data;
    X509_CRL *crl;
    const uint8_t *inp;

    if (!CBS_get_asn1_element(&crls, &crl_data, CBS_ASN1_SEQUENCE)) {
      goto err;
    }

    if (CBS_len(&crl_data) > LONG_MAX) {
      goto err;
    }
    inp = CBS_data(&crl_data);
    crl = d2i_X509_CRL(NULL, &inp, (long)CBS_len(&crl_data));
    if (!crl) {
      goto err;
    }

    assert(inp == CBS_data(&crl_data) + CBS_len(&crl_data));

    if (sk_X509_CRL_push(out_crls, crl) == 0) {
      X509_CRL_free(crl);
      goto err;
    }
  }

  ret = 1;

err:
  OPENSSL_free(der_bytes);

  if (!ret) {
    while (sk_X509_CRL_num(out_crls) != initial_crls_len) {
      X509_CRL_free(sk_X509_CRL_pop(out_crls));
    }
  }

  return ret;
}

int PKCS7_get_PEM_certificates(STACK_OF(X509) *out_certs, BIO *pem_bio) {
  uint8_t *data;
  long len;
  int ret;

  // Even though we pass PEM_STRING_PKCS7 as the expected PEM type here, PEM
  // internally will actually allow several other values too, including
  // "CERTIFICATE".
  if (!PEM_bytes_read_bio(&data, &len, NULL /* PEM type output */,
                          PEM_STRING_PKCS7, pem_bio,
                          NULL /* password callback */,
                          NULL /* password callback argument */)) {
    return 0;
  }

  CBS cbs;
  CBS_init(&cbs, data, len);
  ret = PKCS7_get_certificates(out_certs, &cbs);
  OPENSSL_free(data);
  return ret;
}

int PKCS7_get_PEM_CRLs(STACK_OF(X509_CRL) *out_crls, BIO *pem_bio) {
  uint8_t *data;
  long len;
  int ret;

  // Even though we pass PEM_STRING_PKCS7 as the expected PEM type here, PEM
  // internally will actually allow several other values too, including
  // "CERTIFICATE".
  if (!PEM_bytes_read_bio(&data, &len, NULL /* PEM type output */,
                          PEM_STRING_PKCS7, pem_bio,
                          NULL /* password callback */,
                          NULL /* password callback argument */)) {
    return 0;
  }

  CBS cbs;
  CBS_init(&cbs, data, len);
  ret = PKCS7_get_CRLs(out_crls, &cbs);
  OPENSSL_free(data);
  return ret;
}

static int pkcs7_bundle_certificates_cb(CBB *out, const void *arg) {
  const STACK_OF(X509) *certs = arg;
  size_t i;
  CBB certificates;

  // See https://tools.ietf.org/html/rfc2315#section-9.1
  if (!CBB_add_asn1(out, &certificates,
                    CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0)) {
    return 0;
  }

  for (i = 0; i < sk_X509_num(certs); i++) {
    X509 *x509 = sk_X509_value(certs, i);
    uint8_t *buf;
    int len = i2d_X509(x509, NULL);

    if (len < 0 ||
        !CBB_add_space(&certificates, &buf, len) ||
        i2d_X509(x509, &buf) < 0) {
      return 0;
    }
  }

  return CBB_flush(out);
}

int PKCS7_bundle_certificates(CBB *out, const STACK_OF(X509) *certs) {
  return pkcs7_bundle(out, pkcs7_bundle_certificates_cb, certs);
}

static int pkcs7_bundle_crls_cb(CBB *out, const void *arg) {
  const STACK_OF(X509_CRL) *crls = arg;
  size_t i;
  CBB crl_data;

  // See https://tools.ietf.org/html/rfc2315#section-9.1
  if (!CBB_add_asn1(out, &crl_data,
                    CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 1)) {
    return 0;
  }

  for (i = 0; i < sk_X509_CRL_num(crls); i++) {
    X509_CRL *crl = sk_X509_CRL_value(crls, i);
    uint8_t *buf;
    int len = i2d_X509_CRL(crl, NULL);

    if (len < 0 ||
        !CBB_add_space(&crl_data, &buf, len) ||
        i2d_X509_CRL(crl, &buf) < 0) {
      return 0;
    }
  }

  return CBB_flush(out);
}

int PKCS7_bundle_CRLs(CBB *out, const STACK_OF(X509_CRL) *crls) {
  return pkcs7_bundle(out, pkcs7_bundle_crls_cb, crls);
}
Update to 4.9.0 2018-07-30 02:07:02 +00:00			`/* Copyright (c) 2017, Google Inc.`
Update to 3.2.2 2015-09-24 20:52:02 +00:00			`*`
			`* Permission to use, copy, modify, and/or distribute this software for any`
			`* purpose with or without fee is hereby granted, provided that the above`
			`* copyright notice and this permission notice appear in all copies.`
			`*`
			`* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES`
			`* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF`
			`* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY`
			`* SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES`
			`* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION`
			`* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN`
			`* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */`

Update to 4.9.0 2018-07-30 02:07:02 +00:00			`#include <openssl/pkcs7.h>`
Update to 3.2.2 2015-09-24 20:52:02 +00:00
			`#include <assert.h>`
Update to 4.9.0 2018-07-30 02:07:02 +00:00			`#include <limits.h>`
Update to 3.2.2 2015-09-24 20:52:02 +00:00
			`#include <openssl/bytestring.h>`
			`#include <openssl/err.h>`
			`#include <openssl/mem.h>`
			`#include <openssl/pem.h>`
Update to 4.9.0 2018-07-30 02:07:02 +00:00			`#include <openssl/pool.h>`
Update to 3.2.2 2015-09-24 20:52:02 +00:00			`#include <openssl/stack.h>`
Update to 4.9.0 2018-07-30 02:07:02 +00:00			`#include <openssl/x509.h>`
Update to 3.2.2 2015-09-24 20:52:02 +00:00
Update to 4.9.0 2018-07-30 02:07:02 +00:00			`#include "internal.h"`
Update to 3.2.2 2015-09-24 20:52:02 +00:00

			`int PKCS7_get_certificates(STACK_OF(X509) out_certs, CBS cbs) {`
			`int ret = 0;`
			`const size_t initial_certs_len = sk_X509_num(out_certs);`
Update to 4.9.0 2018-07-30 02:07:02 +00:00			`STACK_OF(CRYPTO_BUFFER) *raw = sk_CRYPTO_BUFFER_new_null();`
			`if (raw == NULL \|\|`
			`!PKCS7_get_raw_certificates(raw, cbs, NULL)) {`
Update to 3.2.2 2015-09-24 20:52:02 +00:00			`goto err;`
			`}`

Update to 4.9.0 2018-07-30 02:07:02 +00:00			`for (size_t i = 0; i < sk_CRYPTO_BUFFER_num(raw); i++) {`
			`CRYPTO_BUFFER *buf = sk_CRYPTO_BUFFER_value(raw, i);`
			`X509 *x509 = X509_parse_from_buffer(buf);`
			`if (x509 == NULL \|\|`
			`!sk_X509_push(out_certs, x509)) {`
Update to 3.2.2 2015-09-24 20:52:02 +00:00			`X509_free(x509);`
			`goto err;`
			`}`
			`}`

			`ret = 1;`

			`err:`
Update to 4.9.0 2018-07-30 02:07:02 +00:00			`sk_CRYPTO_BUFFER_pop_free(raw, CRYPTO_BUFFER_free);`
Update to 3.2.2 2015-09-24 20:52:02 +00:00			`if (!ret) {`
			`while (sk_X509_num(out_certs) != initial_certs_len) {`
			`X509 *x509 = sk_X509_pop(out_certs);`
			`X509_free(x509);`
			`}`
			`}`

			`return ret;`
			`}`

			`int PKCS7_get_CRLs(STACK_OF(X509_CRL) out_crls, CBS cbs) {`
			`CBS signed_data, crls;`
			`uint8_t *der_bytes = NULL;`
			`int ret = 0;`
			`const size_t initial_crls_len = sk_X509_CRL_num(out_crls);`

			`if (!pkcs7_parse_header(&der_bytes, &signed_data, cbs)) {`
			`return 0;`
			`}`

Update to 4.9.0 2018-07-30 02:07:02 +00:00			`// See https://tools.ietf.org/html/rfc2315#section-9.1`
Update to 3.2.2 2015-09-24 20:52:02 +00:00
Update to 4.9.0 2018-07-30 02:07:02 +00:00			`// Even if only CRLs are included, there may be an empty certificates block.`
			`// OpenSSL does this, for example.`
Update to 3.2.2 2015-09-24 20:52:02 +00:00			`if (CBS_peek_asn1_tag(&signed_data,`
			`CBS_ASN1_CONTEXT_SPECIFIC \| CBS_ASN1_CONSTRUCTED \| 0) &&`
			`!CBS_get_asn1(&signed_data, NULL /* certificates */,`
			`CBS_ASN1_CONTEXT_SPECIFIC \| CBS_ASN1_CONSTRUCTED \| 0)) {`
			`goto err;`
			`}`

			`if (!CBS_get_asn1(&signed_data, &crls,`
			`CBS_ASN1_CONTEXT_SPECIFIC \| CBS_ASN1_CONSTRUCTED \| 1)) {`
Update to 4.9.0 2018-07-30 02:07:02 +00:00			`OPENSSL_PUT_ERROR(PKCS7, PKCS7_R_NO_CRLS_INCLUDED);`
Update to 3.2.2 2015-09-24 20:52:02 +00:00			`goto err;`
			`}`

			`while (CBS_len(&crls) > 0) {`
			`CBS crl_data;`
			`X509_CRL *crl;`
			`const uint8_t *inp;`

			`if (!CBS_get_asn1_element(&crls, &crl_data, CBS_ASN1_SEQUENCE)) {`
			`goto err;`
			`}`

Update to 4.9.0 2018-07-30 02:07:02 +00:00			`if (CBS_len(&crl_data) > LONG_MAX) {`
			`goto err;`
			`}`
Update to 3.2.2 2015-09-24 20:52:02 +00:00			`inp = CBS_data(&crl_data);`
Update to 4.9.0 2018-07-30 02:07:02 +00:00			`crl = d2i_X509_CRL(NULL, &inp, (long)CBS_len(&crl_data));`
Update to 3.2.2 2015-09-24 20:52:02 +00:00			`if (!crl) {`
			`goto err;`
			`}`

			`assert(inp == CBS_data(&crl_data) + CBS_len(&crl_data));`

			`if (sk_X509_CRL_push(out_crls, crl) == 0) {`
			`X509_CRL_free(crl);`
			`goto err;`
			`}`
			`}`

			`ret = 1;`

			`err:`
Update to 4.9.0 2018-07-30 02:07:02 +00:00			`OPENSSL_free(der_bytes);`
Update to 3.2.2 2015-09-24 20:52:02 +00:00
			`if (!ret) {`
			`while (sk_X509_CRL_num(out_crls) != initial_crls_len) {`
			`X509_CRL_free(sk_X509_CRL_pop(out_crls));`
			`}`
			`}`

			`return ret;`
			`}`

			`int PKCS7_get_PEM_certificates(STACK_OF(X509) out_certs, BIO pem_bio) {`
			`uint8_t *data;`
			`long len;`
			`int ret;`

Update to 4.9.0 2018-07-30 02:07:02 +00:00			`// Even though we pass PEM_STRING_PKCS7 as the expected PEM type here, PEM`
			`// internally will actually allow several other values too, including`
			`// "CERTIFICATE".`
Update to 3.2.2 2015-09-24 20:52:02 +00:00			`if (!PEM_bytes_read_bio(&data, &len, NULL /* PEM type output */,`
			`PEM_STRING_PKCS7, pem_bio,`
			`NULL /* password callback */,`
			`NULL /* password callback argument */)) {`
			`return 0;`
			`}`

			`CBS cbs;`
			`CBS_init(&cbs, data, len);`
			`ret = PKCS7_get_certificates(out_certs, &cbs);`
			`OPENSSL_free(data);`
			`return ret;`
			`}`

			`int PKCS7_get_PEM_CRLs(STACK_OF(X509_CRL) out_crls, BIO pem_bio) {`
			`uint8_t *data;`
			`long len;`
			`int ret;`

Update to 4.9.0 2018-07-30 02:07:02 +00:00			`// Even though we pass PEM_STRING_PKCS7 as the expected PEM type here, PEM`
			`// internally will actually allow several other values too, including`
			`// "CERTIFICATE".`
Update to 3.2.2 2015-09-24 20:52:02 +00:00			`if (!PEM_bytes_read_bio(&data, &len, NULL /* PEM type output */,`
			`PEM_STRING_PKCS7, pem_bio,`
			`NULL /* password callback */,`
			`NULL /* password callback argument */)) {`
			`return 0;`
			`}`

			`CBS cbs;`
			`CBS_init(&cbs, data, len);`
			`ret = PKCS7_get_CRLs(out_crls, &cbs);`
			`OPENSSL_free(data);`
			`return ret;`
			`}`

			`static int pkcs7_bundle_certificates_cb(CBB out, const void arg) {`
			`const STACK_OF(X509) *certs = arg;`
			`size_t i;`
			`CBB certificates;`

Update to 4.9.0 2018-07-30 02:07:02 +00:00			`// See https://tools.ietf.org/html/rfc2315#section-9.1`
Update to 3.2.2 2015-09-24 20:52:02 +00:00			`if (!CBB_add_asn1(out, &certificates,`
			`CBS_ASN1_CONTEXT_SPECIFIC \| CBS_ASN1_CONSTRUCTED \| 0)) {`
			`return 0;`
			`}`

			`for (i = 0; i < sk_X509_num(certs); i++) {`
			`X509 *x509 = sk_X509_value(certs, i);`
			`uint8_t *buf;`
			`int len = i2d_X509(x509, NULL);`

			`if (len < 0 \|\|`
			`!CBB_add_space(&certificates, &buf, len) \|\|`
			`i2d_X509(x509, &buf) < 0) {`
			`return 0;`
			`}`
			`}`

			`return CBB_flush(out);`
			`}`

			`int PKCS7_bundle_certificates(CBB out, const STACK_OF(X509) certs) {`
			`return pkcs7_bundle(out, pkcs7_bundle_certificates_cb, certs);`
			`}`

			`static int pkcs7_bundle_crls_cb(CBB out, const void arg) {`
			`const STACK_OF(X509_CRL) *crls = arg;`
			`size_t i;`
			`CBB crl_data;`

Update to 4.9.0 2018-07-30 02:07:02 +00:00			`// See https://tools.ietf.org/html/rfc2315#section-9.1`
Update to 3.2.2 2015-09-24 20:52:02 +00:00			`if (!CBB_add_asn1(out, &crl_data,`
			`CBS_ASN1_CONTEXT_SPECIFIC \| CBS_ASN1_CONSTRUCTED \| 1)) {`
			`return 0;`
			`}`

			`for (i = 0; i < sk_X509_CRL_num(crls); i++) {`
			`X509_CRL *crl = sk_X509_CRL_value(crls, i);`
			`uint8_t *buf;`
			`int len = i2d_X509_CRL(crl, NULL);`

			`if (len < 0 \|\|`
			`!CBB_add_space(&crl_data, &buf, len) \|\|`
			`i2d_X509_CRL(crl, &buf) < 0) {`
			`return 0;`
			`}`
			`}`

			`return CBB_flush(out);`
			`}`

			`int PKCS7_bundle_CRLs(CBB out, const STACK_OF(X509_CRL) crls) {`
			`return pkcs7_bundle(out, pkcs7_bundle_crls_cb, crls);`
			`}`