CMS ESS: Move four internal aux function to where they belong in crypto/cms

Also constify and slightly refactor them.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14601)

crypto/cms/cms_ess.c

@@ -16,7 +16,6 @@
 #include <openssl/cms.h>
 #include <openssl/ess.h>
 #include "crypto/ess.h"
-#include "crypto/cms.h"
 #include "crypto/x509.h"
 #include "cms_local.h"
 
@@ -46,6 +45,60 @@ int CMS_get1_ReceiptRequest(CMS_SignerInfo *si, CMS_ReceiptRequest **prr)
     return 1;
 }
 
+/*
+ * Returns 0 if attribute is not found, 1 if found,
+ * or -1 on attribute parsing failure.
+ */
+static int ossl_cms_signerinfo_get_signing_cert(const CMS_SignerInfo *si,
+                                                ESS_SIGNING_CERT **psc)
+{
+    ASN1_STRING *str;
+    ESS_SIGNING_CERT *sc;
+    ASN1_OBJECT *obj = OBJ_nid2obj(NID_id_smime_aa_signingCertificate);
+
+    if (psc != NULL)
+        *psc = NULL;
+    str = CMS_signed_get0_data_by_OBJ(si, obj, -3, V_ASN1_SEQUENCE);
+    if (str == NULL)
+        return 0;
+
+    sc = ASN1_item_unpack(str, ASN1_ITEM_rptr(ESS_SIGNING_CERT));
+    if (sc == NULL)
+        return -1;
+    if (psc != NULL)
+        *psc = sc;
+    else
+        ESS_SIGNING_CERT_free(sc);
+    return 1;
+}
+
+/*
+ * Returns 0 if attribute is not found, 1 if found,
+ * or -1 on attribute parsing failure.
+ */
+static int ossl_cms_signerinfo_get_signing_cert_v2(const CMS_SignerInfo *si,
+                                                   ESS_SIGNING_CERT_V2 **psc)
+{
+    ASN1_STRING *str;
+    ESS_SIGNING_CERT_V2 *sc;
+    ASN1_OBJECT *obj = OBJ_nid2obj(NID_id_smime_aa_signingCertificateV2);
+
+    if (psc != NULL)
+        *psc = NULL;
+    str = CMS_signed_get0_data_by_OBJ(si, obj, -3, V_ASN1_SEQUENCE);
+    if (str == NULL)
+        return 0;
+
+    sc = ASN1_item_unpack(str, ASN1_ITEM_rptr(ESS_SIGNING_CERT_V2));
+    if (sc == NULL)
+        return -1;
+    if (psc != NULL)
+        *psc = sc;
+    else
+        ESS_SIGNING_CERT_V2_free(sc);
+    return 1;
+}
+
 int ossl_cms_check_signing_certs(const CMS_SignerInfo *si,
                                  const STACK_OF(X509) *chain)
 {
@@ -361,67 +414,3 @@ ASN1_OCTET_STRING *ossl_cms_encode_Receipt(CMS_SignerInfo *si)
     CMS_ReceiptRequest_free(rr);
     return os;
 }
-
-/*
- * Add signer certificate's V2 digest |sc| to a SignerInfo structure |si|
- */
-
-int ossl_cms_add1_signing_cert_v2(CMS_SignerInfo *si, ESS_SIGNING_CERT_V2 *sc)
-{
-    ASN1_STRING *seq = NULL;
-    unsigned char *p, *pp = NULL;
-    int len;
-
-    /* Add SigningCertificateV2 signed attribute to the signer info. */
-    len = i2d_ESS_SIGNING_CERT_V2(sc, NULL);
-    if (len <= 0 || (pp = OPENSSL_malloc(len)) == NULL)
-        goto err;
-    p = pp;
-    i2d_ESS_SIGNING_CERT_V2(sc, &p);
-    if (!(seq = ASN1_STRING_new()) || !ASN1_STRING_set(seq, pp, len))
-        goto err;
-    OPENSSL_free(pp);
-    pp = NULL;
-    if (!CMS_signed_add1_attr_by_NID(si, NID_id_smime_aa_signingCertificateV2,
-                                     V_ASN1_SEQUENCE, seq, -1))
-        goto err;
-    ASN1_STRING_free(seq);
-    return 1;
- err:
-    ERR_raise(ERR_LIB_CMS, ERR_R_MALLOC_FAILURE);
-    ASN1_STRING_free(seq);
-    OPENSSL_free(pp);
-    return 0;
-}
-
-/*
- * Add signer certificate's digest |sc| to a SignerInfo structure |si|
- */
-
-int ossl_cms_add1_signing_cert(CMS_SignerInfo *si, ESS_SIGNING_CERT *sc)
-{
-    ASN1_STRING *seq = NULL;
-    unsigned char *p, *pp = NULL;
-    int len;
-
-    /* Add SigningCertificate signed attribute to the signer info. */
-    len = i2d_ESS_SIGNING_CERT(sc, NULL);
-    if (len <= 0 || (pp = OPENSSL_malloc(len)) == NULL)
-        goto err;
-    p = pp;
-    i2d_ESS_SIGNING_CERT(sc, &p);
-    if (!(seq = ASN1_STRING_new()) || !ASN1_STRING_set(seq, pp, len))
-        goto err;
-    OPENSSL_free(pp);
-    pp = NULL;
-    if (!CMS_signed_add1_attr_by_NID(si, NID_id_smime_aa_signingCertificate,
-                                     V_ASN1_SEQUENCE, seq, -1))
-        goto err;
-    ASN1_STRING_free(seq);
-    return 1;
- err:
-    ERR_raise(ERR_LIB_CMS, ERR_R_MALLOC_FAILURE);
-    ASN1_STRING_free(seq);
-    OPENSSL_free(pp);
-    return 0;
-}

crypto/cms/cms_sd.c

@@ -18,7 +18,6 @@
 #include "internal/sizes.h"
 #include "crypto/asn1.h"
 #include "crypto/evp.h"
-#include "crypto/cms.h"
 #include "crypto/ess.h"
 #include "crypto/x509.h" /* for ossl_x509_add_cert_new() */
 #include "cms_local.h"
@@ -253,6 +252,56 @@ static int cms_sd_asn1_ctrl(CMS_SignerInfo *si, int cmd)
     return 1;
 }
 
+/* Add SigningCertificate signed attribute to the signer info. */
+static int ossl_cms_add1_signing_cert(CMS_SignerInfo *si,
+                                      const ESS_SIGNING_CERT *sc)
+{
+    ASN1_STRING *seq = NULL;
+    unsigned char *p, *pp = NULL;
+    int ret, len = i2d_ESS_SIGNING_CERT(sc, NULL);
+
+    if (len <= 0 || (pp = OPENSSL_malloc(len)) == NULL)
+        return 0;
+
+    p = pp;
+    i2d_ESS_SIGNING_CERT(sc, &p);
+    if (!(seq = ASN1_STRING_new()) || !ASN1_STRING_set(seq, pp, len)) {
+        ASN1_STRING_free(seq);
+        OPENSSL_free(pp);
+        return 0;
+    }
+    OPENSSL_free(pp);
+    ret = CMS_signed_add1_attr_by_NID(si, NID_id_smime_aa_signingCertificate,
+                                      V_ASN1_SEQUENCE, seq, -1);
+    ASN1_STRING_free(seq);
+    return ret;
+}
+
+/* Add SigningCertificateV2 signed attribute to the signer info. */
+static int ossl_cms_add1_signing_cert_v2(CMS_SignerInfo *si,
+                                         const ESS_SIGNING_CERT_V2 *sc)
+{
+    ASN1_STRING *seq = NULL;
+    unsigned char *p, *pp = NULL;
+    int ret, len = i2d_ESS_SIGNING_CERT_V2(sc, NULL);
+
+    if (len <= 0 || (pp = OPENSSL_malloc(len)) == NULL)
+        return 0;
+
+    p = pp;
+    i2d_ESS_SIGNING_CERT_V2(sc, &p);
+    if (!(seq = ASN1_STRING_new()) || !ASN1_STRING_set(seq, pp, len)) {
+        ASN1_STRING_free(seq);
+        OPENSSL_free(pp);
+        return 0;
+    }
+    OPENSSL_free(pp);
+    ret = CMS_signed_add1_attr_by_NID(si, NID_id_smime_aa_signingCertificateV2,
+                                      V_ASN1_SEQUENCE, seq, -1);
+    ASN1_STRING_free(seq);
+    return ret;
+}
+
 CMS_SignerInfo *CMS_add1_signer(CMS_ContentInfo *cms,
                                 X509 *signer, EVP_PKEY *pk, const EVP_MD *md,
                                 unsigned int flags)

crypto/ess/ess_asn1.c

@@ -13,7 +13,6 @@
 #include <openssl/ess.h>
 #include <openssl/x509v3.h>
 #include "crypto/ess.h"
-#include "crypto/cms.h"
 
 /* ASN1 stuff for ESS Structure */
 
@@ -36,7 +35,7 @@ IMPLEMENT_ASN1_DUP_FUNCTION(ESS_CERT_ID)
 ASN1_SEQUENCE(ESS_SIGNING_CERT) = {
         ASN1_SEQUENCE_OF(ESS_SIGNING_CERT, cert_ids, ESS_CERT_ID),
         ASN1_SEQUENCE_OF_OPT(ESS_SIGNING_CERT, policy_info, POLICYINFO)
-} static_ASN1_SEQUENCE_END(ESS_SIGNING_CERT)
+} ASN1_SEQUENCE_END(ESS_SIGNING_CERT)
 
 IMPLEMENT_ASN1_FUNCTIONS(ESS_SIGNING_CERT)
 IMPLEMENT_ASN1_DUP_FUNCTION(ESS_SIGNING_CERT)
@@ -53,66 +52,7 @@ IMPLEMENT_ASN1_DUP_FUNCTION(ESS_CERT_ID_V2)
 ASN1_SEQUENCE(ESS_SIGNING_CERT_V2) = {
         ASN1_SEQUENCE_OF(ESS_SIGNING_CERT_V2, cert_ids, ESS_CERT_ID_V2),
         ASN1_SEQUENCE_OF_OPT(ESS_SIGNING_CERT_V2, policy_info, POLICYINFO)
-} static_ASN1_SEQUENCE_END(ESS_SIGNING_CERT_V2)
+} ASN1_SEQUENCE_END(ESS_SIGNING_CERT_V2)
 
 IMPLEMENT_ASN1_FUNCTIONS(ESS_SIGNING_CERT_V2)
 IMPLEMENT_ASN1_DUP_FUNCTION(ESS_SIGNING_CERT_V2)
-
-/* TODO the following two functions should be moved to ../cms/ */
-/* No cms support means no CMS_SignerInfo* definitions */
-#ifndef OPENSSL_NO_CMS
-
-/*
- * Returns 0 if attribute is not found, 1 if found,
- * or -1 on attribute parsing failure.
- */
-int ossl_cms_signerinfo_get_signing_cert_v2(const CMS_SignerInfo *si,
-                                            ESS_SIGNING_CERT_V2 **psc)
-{
-    ASN1_STRING *str;
-    ESS_SIGNING_CERT_V2 *sc;
-    ASN1_OBJECT *obj = OBJ_nid2obj(NID_id_smime_aa_signingCertificateV2);
-
-    if (psc != NULL)
-        *psc = NULL;
-    str = CMS_signed_get0_data_by_OBJ(si, obj, -3, V_ASN1_SEQUENCE);
-    if (str == NULL)
-        return 0;
-
-    sc = ASN1_item_unpack(str, ASN1_ITEM_rptr(ESS_SIGNING_CERT_V2));
-    if (sc == NULL)
-        return -1;
-    if (psc != NULL)
-        *psc = sc;
-    else
-        ESS_SIGNING_CERT_V2_free(sc);
-    return 1;
-}
-
-/*
- * Returns 0 if attribute is not found, 1 if found,
- * or -1 on attribute parsing failure.
- */
-int ossl_cms_signerinfo_get_signing_cert(const CMS_SignerInfo *si,
-                                         ESS_SIGNING_CERT **psc)
-{
-    ASN1_STRING *str;
-    ESS_SIGNING_CERT *sc;
-    ASN1_OBJECT *obj = OBJ_nid2obj(NID_id_smime_aa_signingCertificate);
-
-    if (psc != NULL)
-        *psc = NULL;
-    str = CMS_signed_get0_data_by_OBJ(si, obj, -3, V_ASN1_SEQUENCE);
-    if (str == NULL)
-        return 0;
-
-    sc = ASN1_item_unpack(str, ASN1_ITEM_rptr(ESS_SIGNING_CERT));
-    if (sc == NULL)
-        return -1;
-    if (psc != NULL)
-        *psc = sc;
-    else
-        ESS_SIGNING_CERT_free(sc);
-    return 1;
-}
-#endif  /* !OPENSSL_NO_CMS */

doc/man3/X509_dup.pod

@@ -61,9 +61,11 @@ ESS_ISSUER_SERIAL_free,
 ESS_ISSUER_SERIAL_new,
 ESS_SIGNING_CERT_dup,
 ESS_SIGNING_CERT_free,
+ESS_SIGNING_CERT_it,
 ESS_SIGNING_CERT_new,
 ESS_SIGNING_CERT_V2_dup,
 ESS_SIGNING_CERT_V2_free,
+ESS_SIGNING_CERT_V2_it,
 ESS_SIGNING_CERT_V2_new,
 EXTENDED_KEY_USAGE_free,
 EXTENDED_KEY_USAGE_new,

include/crypto/cms.h

@@ -1,27 +0,0 @@
-/*
- * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the Apache License 2.0 (the "License").  You may not use
- * this file except in compliance with the License.  You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#ifndef OSSL_CRYPTO_CMS_H
-# define OSSL_CRYPTO_CMS_H
-# pragma once
-
-# ifndef OPENSSL_NO_CMS
-
-/* internal CMS-ESS related stuff */
-
-int ossl_cms_add1_signing_cert(CMS_SignerInfo *si, ESS_SIGNING_CERT *sc);
-int ossl_cms_add1_signing_cert_v2(CMS_SignerInfo *si, ESS_SIGNING_CERT_V2 *sc);
-
-int ossl_cms_signerinfo_get_signing_cert_v2(const CMS_SignerInfo *si,
-                                            ESS_SIGNING_CERT_V2 **psc);
-int ossl_cms_signerinfo_get_signing_cert(const CMS_SignerInfo *si,
-                                         ESS_SIGNING_CERT **psc);
-# endif /* OPENSSL_NO_CMS */
-
-#endif

include/openssl/ess.h.in

@@ -52,16 +52,14 @@ DECLARE_ASN1_ALLOC_FUNCTIONS(ESS_CERT_ID)
 DECLARE_ASN1_ENCODE_FUNCTIONS_only(ESS_CERT_ID, ESS_CERT_ID)
 DECLARE_ASN1_DUP_FUNCTION(ESS_CERT_ID)
 
-DECLARE_ASN1_ALLOC_FUNCTIONS(ESS_SIGNING_CERT)
-DECLARE_ASN1_ENCODE_FUNCTIONS_only(ESS_SIGNING_CERT, ESS_SIGNING_CERT)
+DECLARE_ASN1_FUNCTIONS(ESS_SIGNING_CERT)
 DECLARE_ASN1_DUP_FUNCTION(ESS_SIGNING_CERT)
 
 DECLARE_ASN1_ALLOC_FUNCTIONS(ESS_CERT_ID_V2)
 DECLARE_ASN1_ENCODE_FUNCTIONS_only(ESS_CERT_ID_V2, ESS_CERT_ID_V2)
 DECLARE_ASN1_DUP_FUNCTION(ESS_CERT_ID_V2)
 
-DECLARE_ASN1_ALLOC_FUNCTIONS(ESS_SIGNING_CERT_V2)
-DECLARE_ASN1_ENCODE_FUNCTIONS_only(ESS_SIGNING_CERT_V2, ESS_SIGNING_CERT_V2)
+DECLARE_ASN1_FUNCTIONS(ESS_SIGNING_CERT_V2)
 DECLARE_ASN1_DUP_FUNCTION(ESS_SIGNING_CERT_V2)
 
 ESS_SIGNING_CERT *OSSL_ESS_signing_cert_new_init(const X509 *signcert,

util/libcrypto.num

@@ -5318,6 +5318,8 @@ BIO_f_readbuffer                        ?	3_0_0	EXIST::FUNCTION:
 OSSL_ESS_check_signing_certs            ?	3_0_0	EXIST::FUNCTION:
 OSSL_ESS_signing_cert_new_init          ?	3_0_0	EXIST::FUNCTION:
 OSSL_ESS_signing_cert_v2_new_init       ?	3_0_0	EXIST::FUNCTION:
+ESS_SIGNING_CERT_it                     ?	3_0_0	EXIST::FUNCTION:
+ESS_SIGNING_CERT_V2_it                  ?	3_0_0	EXIST::FUNCTION:
 EVP_DigestInit_ex2                      ?	3_0_0	EXIST::FUNCTION:
 EVP_EncryptInit_ex2                     ?	3_0_0	EXIST::FUNCTION:
 EVP_DecryptInit_ex2                     ?	3_0_0	EXIST::FUNCTION: