author | Shane Curran <shane@evervault.com> | 2021-03-04 13:21:11 +0000 |
---|---|---|
committer | Shane Curran <shane@evervault.com> | 2021-03-04 13:21:11 +0000 |
commit | 85d2983ac3dccfa7e33c36f26e9e9a2f552c92ef (patch) | |
tree | 0a0ccd45320bc1bfeb90004a56a1e6254c0512aa | |
parent | a141ee3844064f0f37f16dee60a5b991838943f9 (diff) | |
Created separate method for disabling CMS certificate check
-rw-r--r-- | openssl/src/cms.rs | 48 |
1 files changed, 36 insertions, 12 deletions
diff --git a/openssl/src/cms.rs b/openssl/src/cms.rs
index c3b27b11..d8493ea0 100644
--- a/openssl/src/cms.rs
+++ b/openssl/src/cms.rs
@@ -66,24 +66,20 @@ foreign_type_and_impl_send_sync! {
 pub struct CmsContentInfoRef;
 }
-impl CmsContentInfoRef {
- /// Given the sender's private key, `pkey` and the (optional) recipient's certificiate, `cert`,
+impl CmsContentInfoRef {
+ /// Given the sender's private key, `pkey` and the recipient's certificiate, `cert`,
 /// decrypt the data in `self`.
 ///
- /// *Warning*: Not providing a certificate may leave you vulnerable to Bleichenbacher's attack on PKCS#1 v1.5 RSA padding.
- /// See the [`OpenSSL docs`] for more information.
+ /// OpenSSL documentation at [`CMS_decrypt`]
 ///
- /// [`OpenSSL docs`]: https://www.openssl.org/docs/man1.1.0/crypto/CMS_decrypt.html
- pub fn decrypt<T>(&self, pkey: &PKeyRef<T>, cert: Option<&X509>) -> Result<Vec<u8>, ErrorStack>
+ /// [`CMS_decrypt`]: https://www.openssl.org/docs/man1.1.0/crypto/CMS_decrypt.html
+ pub fn decrypt<T>(&self, pkey: &PKeyRef<T>, cert: &X509) -> Result<Vec<u8>, ErrorStack>
 where
 T: HasPrivate,
 {
 unsafe {
 let pkey = pkey.as_ptr();
- let cert = match cert {
- Some(wrapped_cert) => wrapped_cert.as_ptr(),
- None => ptr::null_mut(),
- };
+ let cert = cert.as_ptr();
 let out = MemBio::new()?;
 cvt(ffi::CMS_decrypt(
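Review bot: The rewritten doc comment on `decrypt` still calls `pkey` "the sender's private key", although the key passed to `CMS_decrypt` for decryption is the recipient's; the summary would be accurate as `/// Given the recipient's private key (pkey) and the recipient's certificate (cert),`, which also fixes the "certificiate" typo. The commit removes the Bleichenbacher warning from this method without leaving a pointer behind, so a reader of `decrypt` no longer learns why the certificate argument matters or that `decrypt_without_cert_check` exists; one sentence linking the two would restore that. Changing `cert` from `Option<&X509>` to `&X509` breaks existing callers that pass `Some(..)` or `None`, which deserves a changelog entry. The body of `decrypt` continues past the end of this hunk.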
@@ -98,6 +94,34 @@ impl CmsContentInfoRef {
 Ok(out.get_buf().to_owned())
 }
 }
+
+ /// Given the sender's private key, `pkey`,
+ /// decrypt the data in `self` without validating the recipient certificate.
+ ///
+ /// *Warning*: Not checking the recipient certificate may leave you vulnerable to Bleichenbacher's attack on PKCS#1 v1.5 RSA padding.
+ /// See [`CMS_decrypt`] for more information.
+ ///
+ /// [`CMS_decrypt`]: https://www.openssl.org/docs/man1.1.0/crypto/CMS_decrypt.html
+ pub fn decrypt_without_cert_check<T>(&self, pkey: &PKeyRef<T>) -> Result<Vec<u8>, ErrorStack>
+ where
+ T: HasPrivate,
+ {
+ unsafe {
+ let pkey = pkey.as_ptr();
+ let out = MemBio::new()?;
+
+ cvt(ffi::CMS_decrypt(
+ self.as_ptr(),
+ pkey,
+ ptr::null_mut(),
+ ptr::null_mut(),
+ out.as_ptr(),
+ 0,
+ ))?;
+
+ Ok(out.get_buf().to_owned())
+ }
+ }
 to_der! {
 /// Serializes this CmsContentInfo using DER.
@@ -279,12 +303,12 @@ mod test {
 let decrypt = CmsContentInfo::from_pem(&encrypted_pem).expect("failed read cms from pem");
 let decrypt_with_cert_check = decrypt
- .decrypt(&priv_cert.pkey, Some(&priv_cert.cert))
+ .decrypt(&priv_cert.pkey, &priv_cert.cert)
 .expect("failed to decrypt cms");
 let decrypt_with_cert_check = String::from_utf8(decrypt_with_cert_check)
 .expect("failed to create string from cms content");
 let decrypt_without_cert_check = decrypt
- .decrypt(&priv_cert.pkey, None)
+ .decrypt_without_cert_check(&priv_cert.pkey)
 .expect("failed to decrypt cms");
 let decrypt_without_cert_check = String::from_utf8(decrypt_without_cert_check)
 .expect("failed to create string from cms content"); |
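Review bot: The doc comment on `decrypt_without_cert_check` says it decrypts "without validating the recipient certificate", which implies that `decrypt` validates the certificate. According to the linked CMS_decrypt page, the certificate is only used to locate the matching recipient entry, and with a null certificate every recipient entry is tried. The same page says that when none succeeds OpenSSL may carry on with a random content key, so this method can return `Ok` holding garbage bytes instead of an error. The warning should state both facts, for example with a line such as `/// An Ok result does not prove the message was addressed to this key; authenticate the plaintext before use.`. Here too `pkey` is described as the sender's key although it is the recipient's.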
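Review bot: The updated test lines only cover a key and certificate that belong together, so nothing visible here pins down the one behaviour that separates `decrypt` from `decrypt_without_cert_check`. A case that calls `decrypt` with a certificate that is not a recipient of the message and expects `Err`, while `decrypt_without_cert_check` on the same message still succeeds, would document the contract. I expect OpenSSL to reject the mismatched certificate, but that should be confirmed against the supported versions. The assertions on the decrypted strings lie outside this hunk.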