Revision 92a8109e4d3a34fb6b115c9098b51767dc933444 authored by Ross Lagerwall on 08 January 2019, 18:30:56 UTC, committed by Steve French on 11 January 2019, 13:14:40 UTC
The code tries to allocate a contiguous buffer with a size supplied by
the server (maxBuf). This could fail if memory is fragmented since it
results in high order allocations for commonly used server
implementations. It is also wasteful since there are probably
few locks in the usual case. Limit the buffer to be no larger than a
page to avoid memory allocation failures due to fragmentation.

Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
1 parent 15bc77f
Raw File
pkcs7.asn1
PKCS7ContentInfo ::= SEQUENCE {
	contentType	ContentType ({ pkcs7_check_content_type }),
	content		[0] EXPLICIT SignedData OPTIONAL
}

ContentType ::= OBJECT IDENTIFIER ({ pkcs7_note_OID })

SignedData ::= SEQUENCE {
	version			INTEGER ({ pkcs7_note_signeddata_version }),
	digestAlgorithms	DigestAlgorithmIdentifiers,
	contentInfo		ContentInfo ({ pkcs7_note_content }),
	certificates		CHOICE {
		certSet		[0] IMPLICIT ExtendedCertificatesAndCertificates,
		certSequence	[2] IMPLICIT Certificates
	} OPTIONAL ({ pkcs7_note_certificate_list }),
	crls CHOICE {
		crlSet		[1] IMPLICIT CertificateRevocationLists,
		crlSequence	[3] IMPLICIT CRLSequence
	} OPTIONAL,
	signerInfos		SignerInfos
}

ContentInfo ::= SEQUENCE {
	contentType	ContentType ({ pkcs7_note_OID }),
	content		[0] EXPLICIT Data OPTIONAL
}

Data ::= ANY ({ pkcs7_note_data })

DigestAlgorithmIdentifiers ::= CHOICE {
	daSet			SET OF DigestAlgorithmIdentifier,
	daSequence		SEQUENCE OF DigestAlgorithmIdentifier
}

DigestAlgorithmIdentifier ::= SEQUENCE {
	algorithm   OBJECT IDENTIFIER ({ pkcs7_note_OID }),
	parameters  ANY OPTIONAL
}

--
-- Certificates and certificate lists
--
ExtendedCertificatesAndCertificates ::= SET OF ExtendedCertificateOrCertificate

ExtendedCertificateOrCertificate ::= CHOICE {
  certificate		Certificate,				-- X.509
  extendedCertificate	[0] IMPLICIT ExtendedCertificate	-- PKCS#6
}

ExtendedCertificate ::= Certificate -- cheating

Certificates ::= SEQUENCE OF Certificate

CertificateRevocationLists ::= SET OF CertificateList

CertificateList ::= SEQUENCE OF Certificate -- This may be defined incorrectly

CRLSequence ::= SEQUENCE OF CertificateList

Certificate ::= ANY ({ pkcs7_extract_cert }) -- X.509

--
-- Signer information
--
SignerInfos ::= CHOICE {
	siSet		SET OF SignerInfo,
	siSequence	SEQUENCE OF SignerInfo
}

SignerInfo ::= SEQUENCE {
	version			INTEGER ({ pkcs7_note_signerinfo_version }),
	sid			SignerIdentifier, -- CMS variant, not PKCS#7
	digestAlgorithm		DigestAlgorithmIdentifier ({ pkcs7_sig_note_digest_algo }),
	authenticatedAttributes	CHOICE {
		aaSet		[0] IMPLICIT SetOfAuthenticatedAttribute
					({ pkcs7_sig_note_set_of_authattrs }),
		aaSequence	[2] EXPLICIT SEQUENCE OF AuthenticatedAttribute
			-- Explicit because easier to compute digest on
			-- sequence of attributes and then reuse encoded
			-- sequence in aaSequence.
	} OPTIONAL,
	digestEncryptionAlgorithm
				DigestEncryptionAlgorithmIdentifier ({ pkcs7_sig_note_pkey_algo }),
	encryptedDigest		EncryptedDigest,
	unauthenticatedAttributes CHOICE {
		uaSet		[1] IMPLICIT SET OF UnauthenticatedAttribute,
		uaSequence	[3] IMPLICIT SEQUENCE OF UnauthenticatedAttribute
	} OPTIONAL
} ({ pkcs7_note_signed_info })

SignerIdentifier ::= CHOICE {
	-- RFC5652 sec 5.3
	issuerAndSerialNumber IssuerAndSerialNumber,
        subjectKeyIdentifier [0] IMPLICIT SubjectKeyIdentifier
}

IssuerAndSerialNumber ::= SEQUENCE {
	issuer			Name ({ pkcs7_sig_note_issuer }),
	serialNumber		CertificateSerialNumber ({ pkcs7_sig_note_serial })
}

CertificateSerialNumber ::= INTEGER

SubjectKeyIdentifier ::= OCTET STRING ({ pkcs7_sig_note_skid })

SetOfAuthenticatedAttribute ::= SET OF AuthenticatedAttribute

AuthenticatedAttribute ::= SEQUENCE {
	type			OBJECT IDENTIFIER ({ pkcs7_note_OID }),
	values			SET OF ANY ({ pkcs7_sig_note_authenticated_attr })
}

UnauthenticatedAttribute ::= SEQUENCE {
	type			OBJECT IDENTIFIER,
	values			SET OF ANY
}

DigestEncryptionAlgorithmIdentifier ::= SEQUENCE {
	algorithm		OBJECT IDENTIFIER ({ pkcs7_note_OID }),
	parameters		ANY OPTIONAL
}

EncryptedDigest ::= OCTET STRING ({ pkcs7_sig_note_signature })

---
--- X.500 Name
---
Name ::= SEQUENCE OF RelativeDistinguishedName

RelativeDistinguishedName ::= SET OF AttributeValueAssertion

AttributeValueAssertion ::= SEQUENCE {
	attributeType		OBJECT IDENTIFIER ({ pkcs7_note_OID }),
	attributeValue		ANY
}
back to top