authorSteven Fackler <sfackler@gmail.com>2021-03-05 20:07:42 -0500
committerGitHub <noreply@github.com>2021-03-05 20:07:42 -0500
commit1d8eda65f899e94743e8b19831ea75541e5696f8 (patch)
tree8c999761c02160b4890ecd833a0e766ee1992938
parent32e215751e01eb8f583a124479a9c3f630dccae1 (diff)
parent05ee8790264aa57df56310b51ec7a0a8267c4541 (diff)
Merge pull request #1423 from shanecurran/master
Updated CMS (PKCS#7) to match OpenSSL spec
-rw-r--r--openssl/src/cms.rs64
1 files changed, 55 insertions, 9 deletions
diff --git a/openssl/src/cms.rs b/openssl/src/cms.rs
index a925b7c4..3d560cec 100644
--- a/openssl/src/cms.rs
+++ b/openssl/src/cms.rs
@@ -1,6 +1,6 @@
//! SMIME implementation using CMS
//!
-//! CMS (PKCS#7) is an encyption standard. It allows signing and ecrypting data using
+//! CMS (PKCS#7) is an encyption standard. It allows signing and encrypting data using
//! X.509 certificates. The OpenSSL implementation of CMS is used in email encryption
//! generated from a `Vec` of bytes. This `Vec` follows the smime protocol standards.
//! Data accepted by this module will be smime type `enveloped-data`.
@@ -95,6 +95,34 @@ impl CmsContentInfoRef {
}
}
+ /// Given the sender's private key, `pkey`,
+ /// decrypt the data in `self` without validating the recipient certificate.
+ ///
+ /// *Warning*: Not checking the recipient certificate may leave you vulnerable to Bleichenbacher's attack on PKCS#1 v1.5 RSA padding.
+ /// See [`CMS_decrypt`] for more information.
+ ///
+ /// [`CMS_decrypt`]: https://www.openssl.org/docs/man1.1.0/crypto/CMS_decrypt.html
+ pub fn decrypt_without_cert_check<T>(&self, pkey: &PKeyRef<T>) -> Result<Vec<u8>, ErrorStack>
+ where
+ T: HasPrivate,
+ {
+ unsafe {
+ let pkey = pkey.as_ptr();
+ let out = MemBio::new()?;
+
+ cvt(ffi::CMS_decrypt(
+ self.as_ptr(),
+ pkey,
+ ptr::null_mut(),
+ ptr::null_mut(),
+ out.as_ptr(),
+ 0,
+ ))?;
+
+ Ok(out.get_buf().to_owned())
+ }
+ }
+
to_der! {
/// Serializes this CmsContentInfo using DER.
///
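Review bot: The doc comment on `decrypt_without_cert_check` calls `pkey` "the sender's private key", but enveloped-data is decrypted with the recipient's private key, so the first line should read "Given the recipient's private key". The warning should also state what the caller can observe. According to the linked CMS_decrypt page, with a null certificate OpenSSL tries every recipient entry and, when none matches, carries on with a random content key instead of failing early, so an `Ok` result may hold garbage and is not evidence that the key matched. I would add a sentence such as `/// A successful return does not prove that pkey matched a recipient; validate the output, and prefer decrypt() when the certificate is available.` Separately, the `unsafe` block wraps the whole body although only the `ffi::CMS_decrypt` call needs it, and a `// SAFETY:` comment on that call would help.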
@@ -261,12 +289,21 @@ mod test {
let encrypted_der = encrypt.to_der().expect("failed to create der from cms");
let decrypt =
CmsContentInfo::from_der(&encrypted_der).expect("failed read cms from der");
- let decrypt = decrypt
+
+ let decrypt_with_cert_check = decrypt
.decrypt(&priv_cert.pkey, &priv_cert.cert)
.expect("failed to decrypt cms");
- let decrypt =
- String::from_utf8(decrypt).expect("failed to create string from cms content");
- assert_eq!(input, decrypt);
+ let decrypt_with_cert_check = String::from_utf8(decrypt_with_cert_check)
+ .expect("failed to create string from cms content");
+
+ let decrypt_without_cert_check = decrypt
+ .decrypt_without_cert_check(&priv_cert.pkey)
+ .expect("failed to decrypt cms");
+ let decrypt_without_cert_check = String::from_utf8(decrypt_without_cert_check)
+ .expect("failed to create string from cms content");
+
+ assert_eq!(input, decrypt_with_cert_check);
+ assert_eq!(input, decrypt_without_cert_check);
}
// decrypt cms message using private key cert (PEM)
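Review bot: Both test hunks (DER here and PEM in the next one) exercise `decrypt_without_cert_check` only with the matching key, which is the one case where it behaves the same as `decrypt`. The case worth pinning down is a key that matches no recipient, where the null-certificate path may return an error or unusable bytes. Assuming a second, unrelated key is added to the fixtures (called `other_pkey` here, which is not in the current test), something like `let res = decrypt.decrypt_without_cert_check(&other_pkey);` followed by `assert!(res.map_or(true, |out| out != input.as_bytes()));` would cover it. As a style point, `decrypt` now names the parsed `CmsContentInfo` next to two `decrypt_with…` results, so renaming it to something like `cms` would read more clearly.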
@@ -274,12 +311,21 @@ mod test {
let encrypted_pem = encrypt.to_pem().expect("failed to create pem from cms");
let decrypt =
CmsContentInfo::from_pem(&encrypted_pem).expect("failed read cms from pem");
- let decrypt = decrypt
+
+ let decrypt_with_cert_check = decrypt
.decrypt(&priv_cert.pkey, &priv_cert.cert)
.expect("failed to decrypt cms");
- let decrypt =
- String::from_utf8(decrypt).expect("failed to create string from cms content");
- assert_eq!(input, decrypt);
+ let decrypt_with_cert_check = String::from_utf8(decrypt_with_cert_check)
+ .expect("failed to create string from cms content");
+
+ let decrypt_without_cert_check = decrypt
+ .decrypt_without_cert_check(&priv_cert.pkey)
+ .expect("failed to decrypt cms");
+ let decrypt_without_cert_check = String::from_utf8(decrypt_without_cert_check)
+ .expect("failed to create string from cms content");
+
+ assert_eq!(input, decrypt_with_cert_check);
+ assert_eq!(input, decrypt_without_cert_check);
}
}
}