1 /* 2 * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 /* 11 * Low level APIs are deprecated for public use, but still ok for 12 * internal use. 13 */ 14 #include "internal/deprecated.h" 15 16 #include <stdio.h> 17 #include "internal/cryptlib.h" 18 #include <openssl/buffer.h> 19 #include <openssl/asn1.h> 20 #include <openssl/evp.h> 21 #include <openssl/x509.h> 22 #include <openssl/x509_acert.h> 23 #include <openssl/http.h> 24 #include <openssl/rsa.h> 25 #include <openssl/dsa.h> 26 #include <openssl/x509v3.h> 27 #include "internal/asn1.h" 28 #include "crypto/pkcs7.h" 29 #include "crypto/x509.h" 30 #include "crypto/x509_acert.h" 31 #include "crypto/rsa.h" 32 33 int X509_verify(X509 *a, EVP_PKEY *r) 34 { 35 if (X509_ALGOR_cmp(&a->sig_alg, &a->cert_info.signature) != 0) 36 return 0; 37 38 return ASN1_item_verify_ex(ASN1_ITEM_rptr(X509_CINF), &a->sig_alg, 39 &a->signature, &a->cert_info, 40 a->distinguishing_id, r, a->libctx, a->propq); 41 } 42 43 int X509_REQ_verify_ex(X509_REQ *a, EVP_PKEY *r, OSSL_LIB_CTX *libctx, 44 const char *propq) 45 { 46 if (X509_REQ_get_version(a) != X509_REQ_VERSION_1) { 47 ERR_raise(ERR_LIB_X509, X509_R_UNSUPPORTED_VERSION); 48 return -1; 49 } 50 51 return ASN1_item_verify_ex(ASN1_ITEM_rptr(X509_REQ_INFO), &a->sig_alg, 52 a->signature, &a->req_info, a->distinguishing_id, 53 r, libctx, propq); 54 } 55 56 int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r) 57 { 58 return X509_REQ_verify_ex(a, r, NULL, NULL); 59 } 60 61 int X509_ACERT_verify(X509_ACERT *a, EVP_PKEY *r) 62 { 63 if (X509_ALGOR_cmp(&a->sig_alg, &a->acinfo->signature) != 0) 64 return 0; 65 66 return ASN1_item_verify_ex(ASN1_ITEM_rptr(X509_ACERT_INFO), &a->sig_alg, 67 &a->signature, a->acinfo, 68 NULL, r, NULL, NULL); 69 } 70 71 int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *a, EVP_PKEY *r) 72 { 73 return ASN1_item_verify(ASN1_ITEM_rptr(NETSCAPE_SPKAC), 74 &a->sig_algor, a->signature, a->spkac, r); 75 } 76 77 int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md) 78 { 79 if (x == NULL) { 80 ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER); 81 return 0; 82 } 83 if (sk_X509_EXTENSION_num(X509_get0_extensions(x)) > 0 84 && !X509_set_version(x, X509_VERSION_3)) 85 return 0; 86 87 /* 88 * Setting the modified flag before signing it. This makes the cached 89 * encoding to be ignored, so even if the certificate fields have changed, 90 * they are signed correctly. 91 * The X509_sign_ctx, X509_REQ_sign{,_ctx}, X509_CRL_sign{,_ctx} functions 92 * which exist below are the same. 93 */ 94 x->cert_info.enc.modified = 1; 95 return ASN1_item_sign_ex(ASN1_ITEM_rptr(X509_CINF), &x->cert_info.signature, 96 &x->sig_alg, &x->signature, &x->cert_info, NULL, 97 pkey, md, x->libctx, x->propq); 98 } 99 100 int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx) 101 { 102 if (x == NULL) { 103 ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER); 104 return 0; 105 } 106 if (sk_X509_EXTENSION_num(X509_get0_extensions(x)) > 0 107 && !X509_set_version(x, X509_VERSION_3)) 108 return 0; 109 x->cert_info.enc.modified = 1; 110 return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CINF), 111 &x->cert_info.signature, 112 &x->sig_alg, &x->signature, &x->cert_info, ctx); 113 } 114 115 static ASN1_VALUE *simple_get_asn1(const char *url, BIO *bio, BIO *rbio, 116 int timeout, const ASN1_ITEM *it) 117 { 118 #ifndef OPENSSL_NO_HTTP 119 size_t max_resp_len = (it == ASN1_ITEM_rptr(X509_CRL)) ? OSSL_HTTP_DEFAULT_MAX_CRL_LEN : OSSL_HTTP_DEFAULT_MAX_RESP_LEN; 120 BIO *mem = OSSL_HTTP_get(url, NULL /* proxy */, NULL /* no_proxy */, 121 bio, rbio, NULL /* cb */, NULL /* arg */, 122 1024 /* buf_size */, NULL /* headers */, 123 NULL /* expected_ct */, 1 /* expect_asn1 */, 124 max_resp_len, timeout); 125 ASN1_VALUE *res = ASN1_item_d2i_bio(it, mem, NULL); 126 127 BIO_free(mem); 128 return res; 129 #else 130 return 0; 131 #endif 132 } 133 134 X509 *X509_load_http(const char *url, BIO *bio, BIO *rbio, int timeout) 135 { 136 return (X509 *)simple_get_asn1(url, bio, rbio, timeout, 137 ASN1_ITEM_rptr(X509)); 138 } 139 140 int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md) 141 { 142 if (x == NULL) { 143 ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER); 144 return 0; 145 } 146 x->req_info.enc.modified = 1; 147 return ASN1_item_sign_ex(ASN1_ITEM_rptr(X509_REQ_INFO), &x->sig_alg, NULL, 148 x->signature, &x->req_info, NULL, 149 pkey, md, x->libctx, x->propq); 150 } 151 152 int X509_REQ_sign_ctx(X509_REQ *x, EVP_MD_CTX *ctx) 153 { 154 if (x == NULL) { 155 ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER); 156 return 0; 157 } 158 x->req_info.enc.modified = 1; 159 return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_REQ_INFO), 160 &x->sig_alg, NULL, x->signature, &x->req_info, 161 ctx); 162 } 163 164 int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md) 165 { 166 if (x == NULL) { 167 ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER); 168 return 0; 169 } 170 x->crl.enc.modified = 1; 171 return ASN1_item_sign_ex(ASN1_ITEM_rptr(X509_CRL_INFO), &x->crl.sig_alg, 172 &x->sig_alg, &x->signature, &x->crl, NULL, 173 pkey, md, x->libctx, x->propq); 174 } 175 176 int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx) 177 { 178 if (x == NULL) { 179 ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER); 180 return 0; 181 } 182 x->crl.enc.modified = 1; 183 return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CRL_INFO), 184 &x->crl.sig_alg, &x->sig_alg, &x->signature, 185 &x->crl, ctx); 186 } 187 188 X509_CRL *X509_CRL_load_http(const char *url, BIO *bio, BIO *rbio, int timeout) 189 { 190 return (X509_CRL *)simple_get_asn1(url, bio, rbio, timeout, 191 ASN1_ITEM_rptr(X509_CRL)); 192 } 193 194 int X509_ACERT_sign(X509_ACERT *x, EVP_PKEY *pkey, const EVP_MD *md) 195 { 196 return ASN1_item_sign_ex(ASN1_ITEM_rptr(X509_ACERT_INFO), &x->sig_alg, 197 &x->acinfo->signature, 198 &x->signature, x->acinfo, NULL, 199 pkey, md, NULL, NULL); 200 } 201 202 int X509_ACERT_sign_ctx(X509_ACERT *x, EVP_MD_CTX *ctx) 203 { 204 return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_ACERT_INFO), 205 &x->sig_alg, &x->acinfo->signature, &x->signature, 206 x->acinfo, ctx); 207 } 208 209 int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md) 210 { 211 return ASN1_item_sign_ex(ASN1_ITEM_rptr(NETSCAPE_SPKAC), &x->sig_algor, NULL, 212 x->signature, x->spkac, NULL, pkey, md, NULL, NULL); 213 } 214 215 #ifndef OPENSSL_NO_STDIO 216 X509 *d2i_X509_fp(FILE *fp, X509 **x509) 217 { 218 return ASN1_item_d2i_fp(ASN1_ITEM_rptr(X509), fp, x509); 219 } 220 221 int i2d_X509_fp(FILE *fp, const X509 *x509) 222 { 223 return ASN1_item_i2d_fp(ASN1_ITEM_rptr(X509), fp, x509); 224 } 225 #endif 226 227 X509 *d2i_X509_bio(BIO *bp, X509 **x509) 228 { 229 return ASN1_item_d2i_bio(ASN1_ITEM_rptr(X509), bp, x509); 230 } 231 232 int i2d_X509_bio(BIO *bp, const X509 *x509) 233 { 234 return ASN1_item_i2d_bio(ASN1_ITEM_rptr(X509), bp, x509); 235 } 236 237 #ifndef OPENSSL_NO_STDIO 238 X509_CRL *d2i_X509_CRL_fp(FILE *fp, X509_CRL **crl) 239 { 240 return ASN1_item_d2i_fp(ASN1_ITEM_rptr(X509_CRL), fp, crl); 241 } 242 243 int i2d_X509_CRL_fp(FILE *fp, const X509_CRL *crl) 244 { 245 return ASN1_item_i2d_fp(ASN1_ITEM_rptr(X509_CRL), fp, crl); 246 } 247 #endif 248 249 X509_CRL *d2i_X509_CRL_bio(BIO *bp, X509_CRL **crl) 250 { 251 return ASN1_item_d2i_bio(ASN1_ITEM_rptr(X509_CRL), bp, crl); 252 } 253 254 int i2d_X509_CRL_bio(BIO *bp, const X509_CRL *crl) 255 { 256 return ASN1_item_i2d_bio(ASN1_ITEM_rptr(X509_CRL), bp, crl); 257 } 258 259 #ifndef OPENSSL_NO_STDIO 260 PKCS7 *d2i_PKCS7_fp(FILE *fp, PKCS7 **p7) 261 { 262 PKCS7 *ret; 263 OSSL_LIB_CTX *libctx = NULL; 264 const char *propq = NULL; 265 266 if (p7 != NULL && *p7 != NULL) { 267 libctx = (*p7)->ctx.libctx; 268 propq = (*p7)->ctx.propq; 269 } 270 271 ret = ASN1_item_d2i_fp_ex(ASN1_ITEM_rptr(PKCS7), fp, p7, libctx, propq); 272 if (ret != NULL) 273 ossl_pkcs7_resolve_libctx(ret); 274 return ret; 275 } 276 277 int i2d_PKCS7_fp(FILE *fp, const PKCS7 *p7) 278 { 279 return ASN1_item_i2d_fp(ASN1_ITEM_rptr(PKCS7), fp, p7); 280 } 281 #endif 282 283 PKCS7 *d2i_PKCS7_bio(BIO *bp, PKCS7 **p7) 284 { 285 PKCS7 *ret; 286 OSSL_LIB_CTX *libctx = NULL; 287 const char *propq = NULL; 288 289 if (p7 != NULL && *p7 != NULL) { 290 libctx = (*p7)->ctx.libctx; 291 propq = (*p7)->ctx.propq; 292 } 293 294 ret = ASN1_item_d2i_bio_ex(ASN1_ITEM_rptr(PKCS7), bp, p7, libctx, propq); 295 if (ret != NULL) 296 ossl_pkcs7_resolve_libctx(ret); 297 return ret; 298 } 299 300 int i2d_PKCS7_bio(BIO *bp, const PKCS7 *p7) 301 { 302 return ASN1_item_i2d_bio(ASN1_ITEM_rptr(PKCS7), bp, p7); 303 } 304 305 #ifndef OPENSSL_NO_STDIO 306 X509_REQ *d2i_X509_REQ_fp(FILE *fp, X509_REQ **req) 307 { 308 return ASN1_item_d2i_fp(ASN1_ITEM_rptr(X509_REQ), fp, req); 309 } 310 311 int i2d_X509_REQ_fp(FILE *fp, const X509_REQ *req) 312 { 313 return ASN1_item_i2d_fp(ASN1_ITEM_rptr(X509_REQ), fp, req); 314 } 315 #endif 316 317 X509_REQ *d2i_X509_REQ_bio(BIO *bp, X509_REQ **req) 318 { 319 OSSL_LIB_CTX *libctx = NULL; 320 const char *propq = NULL; 321 322 if (req != NULL && *req != NULL) { 323 libctx = (*req)->libctx; 324 propq = (*req)->propq; 325 } 326 327 return ASN1_item_d2i_bio_ex(ASN1_ITEM_rptr(X509_REQ), bp, req, libctx, propq); 328 } 329 330 int i2d_X509_REQ_bio(BIO *bp, const X509_REQ *req) 331 { 332 return ASN1_item_i2d_bio(ASN1_ITEM_rptr(X509_REQ), bp, req); 333 } 334 335 #ifndef OPENSSL_NO_STDIO 336 RSA *d2i_RSAPrivateKey_fp(FILE *fp, RSA **rsa) 337 { 338 return ASN1_item_d2i_fp(ASN1_ITEM_rptr(RSAPrivateKey), fp, rsa); 339 } 340 341 int i2d_RSAPrivateKey_fp(FILE *fp, const RSA *rsa) 342 { 343 return ASN1_item_i2d_fp(ASN1_ITEM_rptr(RSAPrivateKey), fp, rsa); 344 } 345 346 RSA *d2i_RSAPublicKey_fp(FILE *fp, RSA **rsa) 347 { 348 return ASN1_item_d2i_fp(ASN1_ITEM_rptr(RSAPublicKey), fp, rsa); 349 } 350 351 RSA *d2i_RSA_PUBKEY_fp(FILE *fp, RSA **rsa) 352 { 353 return ASN1_d2i_fp((void *(*)(void)) 354 RSA_new, 355 (D2I_OF(void))d2i_RSA_PUBKEY, fp, 356 (void **)rsa); 357 } 358 359 int i2d_RSAPublicKey_fp(FILE *fp, const RSA *rsa) 360 { 361 return ASN1_item_i2d_fp(ASN1_ITEM_rptr(RSAPublicKey), fp, rsa); 362 } 363 364 int i2d_RSA_PUBKEY_fp(FILE *fp, const RSA *rsa) 365 { 366 return ASN1_i2d_fp((I2D_OF(void))i2d_RSA_PUBKEY, fp, rsa); 367 } 368 #endif 369 370 RSA *d2i_RSAPrivateKey_bio(BIO *bp, RSA **rsa) 371 { 372 return ASN1_item_d2i_bio(ASN1_ITEM_rptr(RSAPrivateKey), bp, rsa); 373 } 374 375 int i2d_RSAPrivateKey_bio(BIO *bp, const RSA *rsa) 376 { 377 return ASN1_item_i2d_bio(ASN1_ITEM_rptr(RSAPrivateKey), bp, rsa); 378 } 379 380 RSA *d2i_RSAPublicKey_bio(BIO *bp, RSA **rsa) 381 { 382 return ASN1_item_d2i_bio(ASN1_ITEM_rptr(RSAPublicKey), bp, rsa); 383 } 384 385 RSA *d2i_RSA_PUBKEY_bio(BIO *bp, RSA **rsa) 386 { 387 return ASN1_d2i_bio_of(RSA, RSA_new, d2i_RSA_PUBKEY, bp, rsa); 388 } 389 390 int i2d_RSAPublicKey_bio(BIO *bp, const RSA *rsa) 391 { 392 return ASN1_item_i2d_bio(ASN1_ITEM_rptr(RSAPublicKey), bp, rsa); 393 } 394 395 int i2d_RSA_PUBKEY_bio(BIO *bp, const RSA *rsa) 396 { 397 return ASN1_i2d_bio_of(RSA, i2d_RSA_PUBKEY, bp, rsa); 398 } 399 400 #ifndef OPENSSL_NO_DSA 401 #ifndef OPENSSL_NO_STDIO 402 DSA *d2i_DSAPrivateKey_fp(FILE *fp, DSA **dsa) 403 { 404 return ASN1_d2i_fp_of(DSA, DSA_new, d2i_DSAPrivateKey, fp, dsa); 405 } 406 407 int i2d_DSAPrivateKey_fp(FILE *fp, const DSA *dsa) 408 { 409 return ASN1_i2d_fp_of(DSA, i2d_DSAPrivateKey, fp, dsa); 410 } 411 412 DSA *d2i_DSA_PUBKEY_fp(FILE *fp, DSA **dsa) 413 { 414 return ASN1_d2i_fp_of(DSA, DSA_new, d2i_DSA_PUBKEY, fp, dsa); 415 } 416 417 int i2d_DSA_PUBKEY_fp(FILE *fp, const DSA *dsa) 418 { 419 return ASN1_i2d_fp_of(DSA, i2d_DSA_PUBKEY, fp, dsa); 420 } 421 #endif 422 423 DSA *d2i_DSAPrivateKey_bio(BIO *bp, DSA **dsa) 424 { 425 return ASN1_d2i_bio_of(DSA, DSA_new, d2i_DSAPrivateKey, bp, dsa); 426 } 427 428 int i2d_DSAPrivateKey_bio(BIO *bp, const DSA *dsa) 429 { 430 return ASN1_i2d_bio_of(DSA, i2d_DSAPrivateKey, bp, dsa); 431 } 432 433 DSA *d2i_DSA_PUBKEY_bio(BIO *bp, DSA **dsa) 434 { 435 return ASN1_d2i_bio_of(DSA, DSA_new, d2i_DSA_PUBKEY, bp, dsa); 436 } 437 438 int i2d_DSA_PUBKEY_bio(BIO *bp, const DSA *dsa) 439 { 440 return ASN1_i2d_bio_of(DSA, i2d_DSA_PUBKEY, bp, dsa); 441 } 442 443 #endif 444 445 #ifndef OPENSSL_NO_EC 446 #ifndef OPENSSL_NO_STDIO 447 EC_KEY *d2i_EC_PUBKEY_fp(FILE *fp, EC_KEY **eckey) 448 { 449 return ASN1_d2i_fp_of(EC_KEY, EC_KEY_new, d2i_EC_PUBKEY, fp, eckey); 450 } 451 452 int i2d_EC_PUBKEY_fp(FILE *fp, const EC_KEY *eckey) 453 { 454 return ASN1_i2d_fp_of(EC_KEY, i2d_EC_PUBKEY, fp, eckey); 455 } 456 457 EC_KEY *d2i_ECPrivateKey_fp(FILE *fp, EC_KEY **eckey) 458 { 459 return ASN1_d2i_fp_of(EC_KEY, EC_KEY_new, d2i_ECPrivateKey, fp, eckey); 460 } 461 462 int i2d_ECPrivateKey_fp(FILE *fp, const EC_KEY *eckey) 463 { 464 return ASN1_i2d_fp_of(EC_KEY, i2d_ECPrivateKey, fp, eckey); 465 } 466 #endif 467 EC_KEY *d2i_EC_PUBKEY_bio(BIO *bp, EC_KEY **eckey) 468 { 469 return ASN1_d2i_bio_of(EC_KEY, EC_KEY_new, d2i_EC_PUBKEY, bp, eckey); 470 } 471 472 int i2d_EC_PUBKEY_bio(BIO *bp, const EC_KEY *ecdsa) 473 { 474 return ASN1_i2d_bio_of(EC_KEY, i2d_EC_PUBKEY, bp, ecdsa); 475 } 476 477 EC_KEY *d2i_ECPrivateKey_bio(BIO *bp, EC_KEY **eckey) 478 { 479 return ASN1_d2i_bio_of(EC_KEY, EC_KEY_new, d2i_ECPrivateKey, bp, eckey); 480 } 481 482 int i2d_ECPrivateKey_bio(BIO *bp, const EC_KEY *eckey) 483 { 484 return ASN1_i2d_bio_of(EC_KEY, i2d_ECPrivateKey, bp, eckey); 485 } 486 #endif 487 488 int X509_pubkey_digest(const X509 *data, const EVP_MD *type, 489 unsigned char *md, unsigned int *len) 490 { 491 ASN1_BIT_STRING *key = X509_get0_pubkey_bitstr(data); 492 493 if (key == NULL) 494 return 0; 495 return EVP_Digest(key->data, key->length, md, len, type, NULL); 496 } 497 498 int X509_digest(const X509 *cert, const EVP_MD *md, unsigned char *data, 499 unsigned int *len) 500 { 501 if (EVP_MD_is_a(md, SN_sha1) && (cert->ex_flags & EXFLAG_SET) != 0 502 && (cert->ex_flags & EXFLAG_NO_FINGERPRINT) == 0) { 503 /* Asking for SHA1 and we already computed it. */ 504 if (len != NULL) 505 *len = sizeof(cert->sha1_hash); 506 memcpy(data, cert->sha1_hash, sizeof(cert->sha1_hash)); 507 return 1; 508 } 509 return ossl_asn1_item_digest_ex(ASN1_ITEM_rptr(X509), md, (char *)cert, 510 data, len, cert->libctx, cert->propq); 511 } 512 513 /* calculate cert digest using the same hash algorithm as in its signature */ 514 ASN1_OCTET_STRING *X509_digest_sig(const X509 *cert, 515 EVP_MD **md_used, int *md_is_fallback) 516 { 517 unsigned int len; 518 unsigned char hash[EVP_MAX_MD_SIZE]; 519 int mdnid, pknid; 520 EVP_MD *md = NULL; 521 const char *md_name; 522 ASN1_OCTET_STRING *new; 523 524 if (md_used != NULL) 525 *md_used = NULL; 526 if (md_is_fallback != NULL) 527 *md_is_fallback = 0; 528 529 if (cert == NULL) { 530 ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER); 531 return NULL; 532 } 533 534 if (!OBJ_find_sigid_algs(X509_get_signature_nid(cert), &mdnid, &pknid)) { 535 ERR_raise(ERR_LIB_X509, X509_R_UNKNOWN_SIGID_ALGS); 536 return NULL; 537 } 538 539 if (mdnid == NID_undef) { 540 if (pknid == EVP_PKEY_RSA_PSS) { 541 RSA_PSS_PARAMS *pss = ossl_rsa_pss_decode(&cert->sig_alg); 542 const EVP_MD *mgf1md, *mmd = NULL; 543 int saltlen, trailerfield; 544 545 if (pss == NULL 546 || !ossl_rsa_pss_get_param_unverified(pss, &mmd, &mgf1md, 547 &saltlen, 548 &trailerfield) 549 || mmd == NULL) { 550 RSA_PSS_PARAMS_free(pss); 551 ERR_raise(ERR_LIB_X509, X509_R_UNSUPPORTED_ALGORITHM); 552 return NULL; 553 } 554 RSA_PSS_PARAMS_free(pss); 555 /* Fetch explicitly and do not fallback */ 556 if ((md = EVP_MD_fetch(cert->libctx, EVP_MD_get0_name(mmd), 557 cert->propq)) 558 == NULL) 559 /* Error code from fetch is sufficient */ 560 return NULL; 561 } else if (pknid != NID_undef) { 562 /* A known algorithm, but without a digest */ 563 switch (pknid) { 564 case NID_ED25519: /* Follow CMS default given in RFC8419 */ 565 md_name = "SHA512"; 566 break; 567 case NID_ED448: /* Follow CMS default given in RFC8419 */ 568 md_name = "SHAKE256"; 569 break; 570 default: /* Fall back to SHA-256 */ 571 md_name = "SHA256"; 572 break; 573 } 574 if ((md = EVP_MD_fetch(cert->libctx, md_name, 575 cert->propq)) 576 == NULL) 577 return NULL; 578 if (md_is_fallback != NULL) 579 *md_is_fallback = 1; 580 } else { 581 /* A completely unknown algorithm */ 582 ERR_raise(ERR_LIB_X509, X509_R_UNSUPPORTED_ALGORITHM); 583 return NULL; 584 } 585 } else if ((md = EVP_MD_fetch(cert->libctx, OBJ_nid2sn(mdnid), 586 cert->propq)) 587 == NULL 588 && (md = (EVP_MD *)EVP_get_digestbynid(mdnid)) == NULL) { 589 ERR_raise(ERR_LIB_X509, X509_R_UNSUPPORTED_ALGORITHM); 590 return NULL; 591 } 592 if (!X509_digest(cert, md, hash, &len) 593 || (new = ASN1_OCTET_STRING_new()) == NULL) 594 goto err; 595 if (ASN1_OCTET_STRING_set(new, hash, len)) { 596 if (md_used != NULL) 597 *md_used = md; 598 else 599 EVP_MD_free(md); 600 return new; 601 } 602 ASN1_OCTET_STRING_free(new); 603 err: 604 EVP_MD_free(md); 605 return NULL; 606 } 607 608 int X509_CRL_digest(const X509_CRL *data, const EVP_MD *type, 609 unsigned char *md, unsigned int *len) 610 { 611 if (type == NULL) { 612 ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER); 613 return 0; 614 } 615 if (EVP_MD_is_a(type, SN_sha1) 616 && (data->flags & EXFLAG_SET) != 0 617 && (data->flags & EXFLAG_NO_FINGERPRINT) == 0) { 618 /* Asking for SHA1; always computed in CRL d2i. */ 619 if (len != NULL) 620 *len = sizeof(data->sha1_hash); 621 memcpy(md, data->sha1_hash, sizeof(data->sha1_hash)); 622 return 1; 623 } 624 return ossl_asn1_item_digest_ex(ASN1_ITEM_rptr(X509_CRL), type, (char *)data, 625 md, len, data->libctx, data->propq); 626 } 627 628 int X509_REQ_digest(const X509_REQ *data, const EVP_MD *type, 629 unsigned char *md, unsigned int *len) 630 { 631 return ossl_asn1_item_digest_ex(ASN1_ITEM_rptr(X509_REQ), type, (char *)data, 632 md, len, data->libctx, data->propq); 633 } 634 635 int X509_NAME_digest(const X509_NAME *data, const EVP_MD *type, 636 unsigned char *md, unsigned int *len) 637 { 638 return ASN1_item_digest(ASN1_ITEM_rptr(X509_NAME), type, (char *)data, 639 md, len); 640 } 641 642 int PKCS7_ISSUER_AND_SERIAL_digest(PKCS7_ISSUER_AND_SERIAL *data, 643 const EVP_MD *type, unsigned char *md, 644 unsigned int *len) 645 { 646 return ASN1_item_digest(ASN1_ITEM_rptr(PKCS7_ISSUER_AND_SERIAL), type, 647 (char *)data, md, len); 648 } 649 650 #ifndef OPENSSL_NO_STDIO 651 X509_SIG *d2i_PKCS8_fp(FILE *fp, X509_SIG **p8) 652 { 653 return ASN1_d2i_fp_of(X509_SIG, X509_SIG_new, d2i_X509_SIG, fp, p8); 654 } 655 656 int i2d_PKCS8_fp(FILE *fp, const X509_SIG *p8) 657 { 658 return ASN1_i2d_fp_of(X509_SIG, i2d_X509_SIG, fp, p8); 659 } 660 #endif 661 662 X509_SIG *d2i_PKCS8_bio(BIO *bp, X509_SIG **p8) 663 { 664 return ASN1_d2i_bio_of(X509_SIG, X509_SIG_new, d2i_X509_SIG, bp, p8); 665 } 666 667 int i2d_PKCS8_bio(BIO *bp, const X509_SIG *p8) 668 { 669 return ASN1_i2d_bio_of(X509_SIG, i2d_X509_SIG, bp, p8); 670 } 671 672 #ifndef OPENSSL_NO_STDIO 673 X509_PUBKEY *d2i_X509_PUBKEY_fp(FILE *fp, X509_PUBKEY **xpk) 674 { 675 return ASN1_d2i_fp_of(X509_PUBKEY, X509_PUBKEY_new, d2i_X509_PUBKEY, 676 fp, xpk); 677 } 678 679 int i2d_X509_PUBKEY_fp(FILE *fp, const X509_PUBKEY *xpk) 680 { 681 return ASN1_i2d_fp_of(X509_PUBKEY, i2d_X509_PUBKEY, fp, xpk); 682 } 683 #endif 684 685 X509_PUBKEY *d2i_X509_PUBKEY_bio(BIO *bp, X509_PUBKEY **xpk) 686 { 687 return ASN1_d2i_bio_of(X509_PUBKEY, X509_PUBKEY_new, d2i_X509_PUBKEY, 688 bp, xpk); 689 } 690 691 int i2d_X509_PUBKEY_bio(BIO *bp, const X509_PUBKEY *xpk) 692 { 693 return ASN1_i2d_bio_of(X509_PUBKEY, i2d_X509_PUBKEY, bp, xpk); 694 } 695 696 #ifndef OPENSSL_NO_STDIO 697 PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_fp(FILE *fp, 698 PKCS8_PRIV_KEY_INFO **p8inf) 699 { 700 return ASN1_d2i_fp_of(PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO_new, 701 d2i_PKCS8_PRIV_KEY_INFO, fp, p8inf); 702 } 703 704 int i2d_PKCS8_PRIV_KEY_INFO_fp(FILE *fp, const PKCS8_PRIV_KEY_INFO *p8inf) 705 { 706 return ASN1_i2d_fp_of(PKCS8_PRIV_KEY_INFO, i2d_PKCS8_PRIV_KEY_INFO, fp, 707 p8inf); 708 } 709 710 int i2d_PKCS8PrivateKeyInfo_fp(FILE *fp, const EVP_PKEY *key) 711 { 712 PKCS8_PRIV_KEY_INFO *p8inf; 713 int ret; 714 715 p8inf = EVP_PKEY2PKCS8(key); 716 if (p8inf == NULL) 717 return 0; 718 ret = i2d_PKCS8_PRIV_KEY_INFO_fp(fp, p8inf); 719 PKCS8_PRIV_KEY_INFO_free(p8inf); 720 return ret; 721 } 722 723 int i2d_PrivateKey_fp(FILE *fp, const EVP_PKEY *pkey) 724 { 725 return ASN1_i2d_fp_of(EVP_PKEY, i2d_PrivateKey, fp, pkey); 726 } 727 728 EVP_PKEY *d2i_PrivateKey_fp(FILE *fp, EVP_PKEY **a) 729 { 730 return ASN1_d2i_fp_of(EVP_PKEY, EVP_PKEY_new, d2i_AutoPrivateKey, fp, a); 731 } 732 733 EVP_PKEY *d2i_PrivateKey_ex_fp(FILE *fp, EVP_PKEY **a, OSSL_LIB_CTX *libctx, 734 const char *propq) 735 { 736 BIO *b; 737 void *ret; 738 739 if ((b = BIO_new(BIO_s_file())) == NULL) { 740 ERR_raise(ERR_LIB_X509, ERR_R_BUF_LIB); 741 return NULL; 742 } 743 BIO_set_fp(b, fp, BIO_NOCLOSE); 744 ret = d2i_PrivateKey_ex_bio(b, a, libctx, propq); 745 BIO_free(b); 746 return ret; 747 } 748 749 int i2d_PUBKEY_fp(FILE *fp, const EVP_PKEY *pkey) 750 { 751 return ASN1_i2d_fp_of(EVP_PKEY, i2d_PUBKEY, fp, pkey); 752 } 753 754 EVP_PKEY *d2i_PUBKEY_ex_fp(FILE *fp, EVP_PKEY **a, OSSL_LIB_CTX *libctx, 755 const char *propq) 756 { 757 BIO *b; 758 void *ret; 759 760 if ((b = BIO_new(BIO_s_file())) == NULL) { 761 ERR_raise(ERR_LIB_X509, ERR_R_BUF_LIB); 762 return NULL; 763 } 764 BIO_set_fp(b, fp, BIO_NOCLOSE); 765 ret = d2i_PUBKEY_ex_bio(b, a, libctx, propq); 766 BIO_free(b); 767 return ret; 768 } 769 770 EVP_PKEY *d2i_PUBKEY_fp(FILE *fp, EVP_PKEY **a) 771 { 772 return ASN1_d2i_fp_of(EVP_PKEY, EVP_PKEY_new, d2i_PUBKEY, fp, a); 773 } 774 775 #endif 776 777 PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_bio(BIO *bp, 778 PKCS8_PRIV_KEY_INFO **p8inf) 779 { 780 return ASN1_d2i_bio_of(PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO_new, 781 d2i_PKCS8_PRIV_KEY_INFO, bp, p8inf); 782 } 783 784 int i2d_PKCS8_PRIV_KEY_INFO_bio(BIO *bp, const PKCS8_PRIV_KEY_INFO *p8inf) 785 { 786 return ASN1_i2d_bio_of(PKCS8_PRIV_KEY_INFO, i2d_PKCS8_PRIV_KEY_INFO, bp, 787 p8inf); 788 } 789 790 int i2d_PKCS8PrivateKeyInfo_bio(BIO *bp, const EVP_PKEY *key) 791 { 792 PKCS8_PRIV_KEY_INFO *p8inf; 793 int ret; 794 795 p8inf = EVP_PKEY2PKCS8(key); 796 if (p8inf == NULL) 797 return 0; 798 ret = i2d_PKCS8_PRIV_KEY_INFO_bio(bp, p8inf); 799 PKCS8_PRIV_KEY_INFO_free(p8inf); 800 return ret; 801 } 802 803 int i2d_PrivateKey_bio(BIO *bp, const EVP_PKEY *pkey) 804 { 805 return ASN1_i2d_bio_of(EVP_PKEY, i2d_PrivateKey, bp, pkey); 806 } 807 808 EVP_PKEY *d2i_PrivateKey_bio(BIO *bp, EVP_PKEY **a) 809 { 810 return ASN1_d2i_bio_of(EVP_PKEY, EVP_PKEY_new, d2i_AutoPrivateKey, bp, a); 811 } 812 813 EVP_PKEY *d2i_PrivateKey_ex_bio(BIO *bp, EVP_PKEY **a, OSSL_LIB_CTX *libctx, 814 const char *propq) 815 { 816 BUF_MEM *b = NULL; 817 const unsigned char *p; 818 void *ret = NULL; 819 int len; 820 821 len = asn1_d2i_read_bio(bp, &b); 822 if (len < 0) 823 goto err; 824 825 p = (unsigned char *)b->data; 826 ret = d2i_AutoPrivateKey_ex(a, &p, len, libctx, propq); 827 err: 828 BUF_MEM_free(b); 829 return ret; 830 } 831 832 int i2d_PUBKEY_bio(BIO *bp, const EVP_PKEY *pkey) 833 { 834 return ASN1_i2d_bio_of(EVP_PKEY, i2d_PUBKEY, bp, pkey); 835 } 836 837 EVP_PKEY *d2i_PUBKEY_ex_bio(BIO *bp, EVP_PKEY **a, OSSL_LIB_CTX *libctx, 838 const char *propq) 839 { 840 BUF_MEM *b = NULL; 841 const unsigned char *p; 842 void *ret = NULL; 843 int len; 844 845 len = asn1_d2i_read_bio(bp, &b); 846 if (len < 0) 847 goto err; 848 849 p = (unsigned char *)b->data; 850 ret = d2i_PUBKEY_ex(a, &p, len, libctx, propq); 851 err: 852 BUF_MEM_free(b); 853 return ret; 854 } 855 856 EVP_PKEY *d2i_PUBKEY_bio(BIO *bp, EVP_PKEY **a) 857 { 858 return ASN1_d2i_bio_of(EVP_PKEY, EVP_PKEY_new, d2i_PUBKEY, bp, a); 859 } 860 861 #ifndef OPENSSL_NO_STDIO 862 X509_ACERT *d2i_X509_ACERT_fp(FILE *fp, X509_ACERT **acert) 863 { 864 return ASN1_item_d2i_fp(ASN1_ITEM_rptr(X509_ACERT), fp, acert); 865 } 866 867 int i2d_X509_ACERT_fp(FILE *fp, const X509_ACERT *acert) 868 { 869 return ASN1_item_i2d_fp(ASN1_ITEM_rptr(X509_ACERT), fp, acert); 870 } 871 #endif 872 873 X509_ACERT *d2i_X509_ACERT_bio(BIO *bp, X509_ACERT **acert) 874 { 875 return ASN1_item_d2i_bio(ASN1_ITEM_rptr(X509_ACERT), bp, acert); 876 } 877 878 int i2d_X509_ACERT_bio(BIO *bp, const X509_ACERT *acert) 879 { 880 return ASN1_item_i2d_bio(ASN1_ITEM_rptr(X509_ACERT), bp, acert); 881 } 882