diff options
author | Antonio Iacono <antiac@gmail.com> | 2018-12-12 23:08:49 +0100 |
---|---|---|
committer | Dr. Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> | 2019-01-27 23:59:21 +0100 |
commit | e85d19c68e7fb3302410bd72d434793e5c0c23a0 (patch) | |
tree | 748f849bfd79db2cc7b35e5c215f4ed8794cbe62 /crypto/ts/ts_rsp_verify.c | |
parent | 9f5a87fd665cb597fa1c1f4eef882d2d2f833e61 (diff) | |
download | openssl-e85d19c68e7fb3302410bd72d434793e5c0c23a0.tar.gz |
crypto/cms: Add support for CAdES Basic Electronic Signatures (CAdES-BES)
A CAdES Basic Electronic Signature (CAdES-BES) contains, among other
specifications, a collection of Signing Certificate reference attributes,
stored in the signedData ether as ESS signing-certificate or as
ESS signing-certificate-v2. These are described in detail in Section 5.7.2
of RFC 5126 - CMS Advanced Electronic Signatures (CAdES).
This patch adds support for adding ESS signing-certificate[-v2] attributes
to CMS signedData. Although it implements only a small part of the RFC, it
is sufficient many cases to enable the `openssl cms` app to create signatures
which comply with legal requirements of some European States (e.g Italy).
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7893)
Diffstat (limited to 'crypto/ts/ts_rsp_verify.c')
-rw-r--r-- | crypto/ts/ts_rsp_verify.c | 32 |
1 files changed, 4 insertions, 28 deletions
diff --git a/crypto/ts/ts_rsp_verify.c b/crypto/ts/ts_rsp_verify.c index facc4b580a..e658354eb3 100644 --- a/crypto/ts/ts_rsp_verify.c +++ b/crypto/ts/ts_rsp_verify.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -13,12 +13,12 @@ #include <openssl/ts.h> #include <openssl/pkcs7.h> #include "ts_lcl.h" +#include "internal/ess_int.h" static int ts_verify_cert(X509_STORE *store, STACK_OF(X509) *untrusted, X509 *signer, STACK_OF(X509) **chain); static int ts_check_signing_certs(PKCS7_SIGNER_INFO *si, STACK_OF(X509) *chain); -static ESS_SIGNING_CERT *ess_get_signing_cert(PKCS7_SIGNER_INFO *si); static int ts_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert); static int ts_issuer_serial_cmp(ESS_ISSUER_SERIAL *is, X509 *cert); static int int_ts_RESP_verify_token(TS_VERIFY_CTX *ctx, @@ -38,7 +38,6 @@ static int ts_check_signer_name(GENERAL_NAME *tsa_name, X509 *signer); static int ts_find_name(STACK_OF(GENERAL_NAME) *gen_names, GENERAL_NAME *name); static int ts_find_cert_v2(STACK_OF(ESS_CERT_ID_V2) *cert_ids, X509 *cert); -static ESS_SIGNING_CERT_V2 *ess_get_signing_cert_v2(PKCS7_SIGNER_INFO *si); /* * This must be large enough to hold all values in ts_status_text (with @@ -201,9 +200,9 @@ end: static int ts_check_signing_certs(PKCS7_SIGNER_INFO *si, STACK_OF(X509) *chain) { - ESS_SIGNING_CERT *ss = ess_get_signing_cert(si); + ESS_SIGNING_CERT *ss = ESS_SIGNING_CERT_get(si); STACK_OF(ESS_CERT_ID) *cert_ids = NULL; - ESS_SIGNING_CERT_V2 *ssv2 = ess_get_signing_cert_v2(si); + ESS_SIGNING_CERT_V2 *ssv2 = ESS_SIGNING_CERT_V2_get(si); STACK_OF(ESS_CERT_ID_V2) *cert_ids_v2 = NULL; X509 *cert; int i = 0; @@ -257,29 +256,6 @@ static int ts_check_signing_certs(PKCS7_SIGNER_INFO *si, return ret; } -static ESS_SIGNING_CERT *ess_get_signing_cert(PKCS7_SIGNER_INFO *si) -{ - ASN1_TYPE *attr; - const unsigned char *p; - attr = PKCS7_get_signed_attribute(si, NID_id_smime_aa_signingCertificate); - if (!attr) - return NULL; - p = attr->value.sequence->data; - return d2i_ESS_SIGNING_CERT(NULL, &p, attr->value.sequence->length); -} - -static ESS_SIGNING_CERT_V2 *ess_get_signing_cert_v2(PKCS7_SIGNER_INFO *si) -{ - ASN1_TYPE *attr; - const unsigned char *p; - - attr = PKCS7_get_signed_attribute(si, NID_id_smime_aa_signingCertificateV2); - if (attr == NULL) - return NULL; - p = attr->value.sequence->data; - return d2i_ESS_SIGNING_CERT_V2(NULL, &p, attr->value.sequence->length); -} - /* Returns < 0 if certificate is not found, certificate index otherwise. */ static int ts_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert) { |