From eb045399f1998f9e5a99664642394594d109b291 Mon Sep 17 00:00:00 2001
From: Paul Gardiner <paulg.artifex@glidos.net>
Date: Thu, 30 May 2013 14:54:17 +0100
Subject: Check signatures on clicking the corresponding form field

---
 .gitignore               |   4 +
 Makefile                 |   2 +-
 apps/pdfapp.c            |  19 +++
 fitz/crypt_pkcs7.c       | 403 +++++++++++++++++++++++++++++++++++++++++++++++
 fitz/fitz.h              |   5 +
 win32/mujstest-v8.vcproj | 172 ++++++++++++++++++++
 win32/mupdf-v8.vcproj    | 172 ++++++++++++++++++++
 win32/mupdf.sln          |  42 +++++
 win32/mupdf.vcproj       | 171 ++++++++++++++++++++
 9 files changed, 989 insertions(+), 1 deletion(-)
 create mode 100644 fitz/crypt_pkcs7.c

diff --git a/.gitignore b/.gitignore
index 9dbfa288..6cf1838a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -14,9 +14,13 @@ win32/*.user
 win32/*.ncb
 win32/*.suo
 win32/Debug
+win32/DebugOpenssl
 win32/Profile
 win32/Release
+win32/ReleaseOpenssl
 win32/Memento
+thirdparty/v8-3.9
+thirdparty/openssl
 android/obj
 android/bin
 android/libs
diff --git a/Makefile b/Makefile
index 5e4265e9..08b938b4 100644
--- a/Makefile
+++ b/Makefile
@@ -187,7 +187,7 @@ generate: $(CMAP_HDR) $(FONT_HDR) $(JAVASCRIPT_HDR) $(ADOBECA_HDR)
 $(OUT)/pdf_cmap_table.o : $(CMAP_HDR)
 $(OUT)/pdf_fontfile.o : $(FONT_HDR)
 $(OUT)/pdf_js.o : $(JAVASCRIPT_HDR)
-$(OUT)/crypto_pkcs7_openssl.o : $(ADOBECA_HDR)
+$(OUT)/crypt_pkcs7.o : $(ADOBECA_HDR)
 $(OUT)/cmapdump.o : pdf/pdf_cmap.c pdf/pdf_cmap_parse.c
 
 # --- Tools and Apps ---
diff --git a/apps/pdfapp.c b/apps/pdfapp.c
index 887d823c..1f82218f 100644
--- a/apps/pdfapp.c
+++ b/apps/pdfapp.c
@@ -1288,6 +1288,25 @@ void pdfapp_onmouse(pdfapp_t *app, int x, int y, int btn, int modifiers, int sta
 						}
 					}
 					break;
+
+				case FZ_WIDGET_TYPE_SIGNATURE:
+					{
+						char ebuf[256];
+
+						ebuf[0] = 0;
+						if (fz_check_signature(ctx, idoc, widget, app->docpath, ebuf, sizeof(ebuf)))
+						{
+							winwarn(app, "Signature is valid");
+						}
+						else
+						{
+							if (ebuf[0] == 0)
+								winwarn(app, "Signature check failed for unknown reason");
+							else
+								winwarn(app, ebuf);
+						}
+					}
+					break;
 				}
 			}
 
diff --git a/fitz/crypt_pkcs7.c b/fitz/crypt_pkcs7.c
new file mode 100644
index 00000000..a1c434dd
--- /dev/null
+++ b/fitz/crypt_pkcs7.c
@@ -0,0 +1,403 @@
+#include "fitz.h"
+
+#ifdef HAVE_OPENSSL
+
+#include "openssl/err.h"
+#include "openssl/bio.h"
+#include "openssl/asn1.h"
+#include "openssl/x509.h"
+#include "openssl/err.h"
+#include "openssl/objects.h"
+#include "openssl/pem.h"
+#include "openssl/pkcs7.h"
+
+enum
+{
+	SEG_START = 0,
+	SEG_SIZE = 1
+};
+
+typedef struct bsegs_struct
+{
+	int (*seg)[2];
+	int nsegs;
+	int current_seg;
+	int seg_pos;
+} BIO_SEGS_CTX;
+
+static int bsegs_read(BIO *b, char *buf, int size)
+{
+	BIO_SEGS_CTX *ctx = (BIO_SEGS_CTX *)b->ptr;
+	int read = 0;
+
+	while (size > 0 && ctx->current_seg < ctx->nsegs)
+	{
+		int nb = ctx->seg[ctx->current_seg][SEG_SIZE] - ctx->seg_pos;
+
+		if (nb > size)
+			nb = size;
+
+		if (nb > 0)
+		{
+			if (ctx->seg_pos == 0)
+				(void)BIO_seek(b->next_bio, ctx->seg[ctx->current_seg][SEG_START]);
+
+			(void)BIO_read(b->next_bio, buf, nb);
+			ctx->seg_pos += nb;
+			read += nb;
+			buf += nb;
+			size -= nb;
+		}
+		else
+		{
+			ctx->current_seg++;
+
+			if (ctx->current_seg < ctx->nsegs)
+				ctx->seg_pos = 0;
+		}
+	}
+
+	return read;
+}
+
+static long bsegs_ctrl(BIO *b, int cmd, long arg1, void *arg2)
+{
+	return BIO_ctrl(b->next_bio, cmd, arg1, arg2);
+}
+
+static int bsegs_new(BIO *b)
+{
+	BIO_SEGS_CTX *ctx;
+
+	ctx = (BIO_SEGS_CTX *)malloc(sizeof(BIO_SEGS_CTX));
+	if (ctx == NULL)
+		return 0;
+
+	ctx->current_seg = 0;
+	ctx->seg_pos = 0;
+	ctx->seg = NULL;
+	ctx->nsegs = 0;
+
+	b->init = 1;
+	b->ptr = (char *)ctx;
+	b->flags = 0;
+	b->num = 0;
+
+	return 1;
+}
+
+static int bsegs_free(BIO *b)
+{
+	if (b == NULL)
+		return 0;
+
+	free(b->ptr);
+	b->ptr = NULL;
+	b->init = 0;
+	b->flags = 0;
+
+	return 1;
+}
+
+static long bsegs_callback_ctrl(BIO *b, int cmd, bio_info_cb *fp)
+{
+	return BIO_callback_ctrl(b->next_bio, cmd, fp);
+}
+
+
+static BIO_METHOD methods_bsegs =
+{
+	0,"segment reader",
+	NULL,
+	bsegs_read,
+	NULL,
+	NULL,
+	bsegs_ctrl,
+	bsegs_new,
+	bsegs_free,
+	bsegs_callback_ctrl,
+};
+
+static BIO_METHOD *BIO_f_segments(void)
+{
+	return &methods_bsegs;
+}
+
+static void BIO_set_segments(BIO *b, int (*seg)[2], int nsegs)
+{
+	BIO_SEGS_CTX *ctx = (BIO_SEGS_CTX *)b->ptr;
+
+	ctx->seg = seg;
+	ctx->nsegs = nsegs;
+}
+
+
+typedef struct verify_context_s
+{
+	X509_STORE_CTX x509_ctx;
+	char certdesc[256];
+	int err;
+} verify_context;
+
+static int verify_callback(int ok, X509_STORE_CTX *ctx)
+{
+	verify_context *vctx;
+	X509 *err_cert;
+	int err, depth;
+
+	vctx = (verify_context *)ctx;
+
+	err_cert = X509_STORE_CTX_get_current_cert(ctx);
+	err = X509_STORE_CTX_get_error(ctx);
+	depth = X509_STORE_CTX_get_error_depth(ctx);
+
+	X509_NAME_oneline(X509_get_subject_name(err_cert), vctx->certdesc, sizeof(vctx->certdesc));
+
+	if (!ok && depth >= 6)
+	{
+		X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_CHAIN_TOO_LONG);
+	}
+
+	switch (ctx->error)
+	{
+	case X509_V_ERR_INVALID_PURPOSE:
+	case X509_V_ERR_CERT_HAS_EXPIRED:
+	case X509_V_ERR_KEYUSAGE_NO_CERTSIGN:
+		err = X509_V_OK;
+		X509_STORE_CTX_set_error(ctx, X509_V_OK);
+		ok = 1;
+		break;
+
+	case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
+		/*
+			In this case, don't reset err to X509_V_OK, so that it can be reported,
+			although we do return 1, so that the digest will still be checked
+		*/
+		ok = 1;
+		break;
+
+	default:
+		break;
+	}
+
+	if (ok && vctx->err == X509_V_OK)
+		vctx->err = err;
+	return ok;
+}
+
+static int pk7_verify(X509_STORE *cert_store, PKCS7 *p7, BIO *detached, char *ebuf, int ebufsize)
+{
+	PKCS7_SIGNER_INFO *si;
+	verify_context vctx;
+	BIO *p7bio=NULL;
+	char readbuf[1024*4];
+	int res = 1;
+	int i;
+	STACK_OF(PKCS7_SIGNER_INFO) *sk;
+
+	vctx.err = X509_V_OK;
+	ebuf[0] = 0;
+
+	OpenSSL_add_all_algorithms();
+
+	EVP_add_digest(EVP_md5());
+	EVP_add_digest(EVP_sha1());
+
+	ERR_load_crypto_strings();
+
+	ERR_clear_error();
+
+	X509_VERIFY_PARAM_set_flags(cert_store->param, X509_V_FLAG_CB_ISSUER_CHECK);
+	X509_STORE_set_verify_cb_func(cert_store, verify_callback);
+
+	p7bio = PKCS7_dataInit(p7, detached);
+
+	/* We now have to 'read' from p7bio to calculate digests etc. */
+	while (BIO_read(p7bio, readbuf, sizeof(readbuf)) > 0)
+		;
+
+	/* We can now verify signatures */
+	sk = PKCS7_get_signer_info(p7);
+	if (sk == NULL)
+	{
+		/* there are no signatures on this data */
+		res = 0;
+		strncpy(ebuf, "No signatures", sizeof(ebuf));
+		goto exit;
+	}
+
+	for (i=0; i<sk_PKCS7_SIGNER_INFO_num(sk); i++)
+	{
+		int rc;
+		si = sk_PKCS7_SIGNER_INFO_value(sk, i);
+		rc = PKCS7_dataVerify(cert_store, &vctx.x509_ctx, p7bio,p7, si);
+		if (rc <= 0 || vctx.err != X509_V_OK)
+		{
+			char tbuf[120];
+
+			if (rc <= 0)
+			{
+				strncpy(ebuf, ERR_error_string(ERR_get_error(), tbuf), ebufsize-1);
+			}
+			else
+			{
+				/* Error while checking the certificate chain */
+				snprintf(ebuf, ebufsize-1, "%s(%d): %s", X509_verify_cert_error_string(vctx.err), vctx.err, vctx.certdesc);
+			}
+
+			ebuf[ebufsize-1] = 0;
+
+			res = 0;
+			goto exit;
+		}
+	}
+
+exit:
+	X509_STORE_CTX_cleanup(&vctx.x509_ctx);
+	ERR_free_strings();
+
+	return res;
+}
+
+
+static unsigned char adobe_ca[] =
+{
+#include "../generated/adobe_ca.h"
+};
+
+static int verify_sig(char *sig, int sig_len, char *file, int (*byte_range)[2], int byte_range_len, char *ebuf, int ebufsize)
+{
+	PKCS7 *pk7sig = NULL;
+	PKCS7 *pk7cert = NULL;
+	X509_STORE *st = NULL;
+	BIO *bsig = NULL;
+	BIO *bcert = NULL;
+	BIO *bdata = NULL;
+	BIO *bsegs = NULL;
+	STACK_OF(X509) *certs = NULL;
+	int t;
+	int res = 0;
+
+	bsig = BIO_new_mem_buf(sig, sig_len);
+	pk7sig = d2i_PKCS7_bio(bsig, NULL);
+	if (pk7sig == NULL)
+		goto exit;
+
+	bdata = BIO_new(BIO_s_file());
+	BIO_read_filename(bdata, file);
+
+	bsegs = BIO_new(BIO_f_segments());
+	if (bsegs == NULL)
+		goto exit;
+
+	bsegs->next_bio = bdata;
+	BIO_set_segments(bsegs, byte_range, byte_range_len);
+
+	/* Find the certificates in the pk7 file */
+	bcert = BIO_new_mem_buf(adobe_ca, sizeof(adobe_ca));
+	pk7cert = d2i_PKCS7_bio(bcert, NULL);
+	if (pk7cert == NULL)
+		goto exit;
+
+	t = OBJ_obj2nid(pk7cert->type);
+	switch (t)
+	{
+	case NID_pkcs7_signed:
+		certs = pk7cert->d.sign->cert;
+		break;
+
+	case NID_pkcs7_signedAndEnveloped:
+		certs = pk7cert->d.sign->cert;
+		break;
+
+	default:
+		break;
+	}
+
+	st = X509_STORE_new();
+	if (st == NULL)
+		goto exit;
+
+	/* Add the certificates to the store */
+	if (certs != NULL)
+	{
+		int i, n = sk_X509_num(certs);
+
+		for (i = 0; i < n; i++)
+		{
+			X509 *c = sk_X509_value(certs, i);
+			X509_STORE_add_cert(st, c);
+		}
+	}
+
+	res = pk7_verify(st, pk7sig, bsegs, ebuf, ebufsize);
+
+exit:
+	BIO_free(bsig);
+	BIO_free(bdata);
+	BIO_free(bsegs);
+	BIO_free(bcert);
+	PKCS7_free(pk7sig);
+	PKCS7_free(pk7cert);
+	X509_STORE_free(st);
+
+	return res;
+}
+
+int fz_check_signature(fz_context *ctx, fz_interactive *idoc, fz_widget *widget, char *file, char *ebuf, int ebufsize)
+{
+	int (*byte_range)[2] = NULL;
+	int byte_range_len;
+	char *contents = NULL;
+	int contents_len;
+	int res = 0;
+
+	fz_var(byte_range);
+	fz_var(res);
+	fz_try(ctx);
+	{
+		byte_range_len = fz_signature_widget_byte_range(idoc, widget, NULL);
+		if (byte_range_len)
+		{
+			byte_range = fz_calloc(ctx, byte_range_len, sizeof(*byte_range));
+			fz_signature_widget_byte_range(idoc, widget, byte_range);
+		}
+
+		contents_len = fz_signature_widget_contents(idoc, widget, &contents);
+		if (byte_range && contents)
+		{
+			res = verify_sig(contents, contents_len, file, byte_range, byte_range_len, ebuf, ebufsize);
+		}
+		else
+		{
+			res = 0;
+			strncpy(ebuf, "Not signed", ebufsize);
+		}
+
+	}
+	fz_always(ctx)
+	{
+		fz_free(ctx, byte_range);
+	}
+	fz_catch(ctx)
+	{
+		res = 0;
+		strncpy(ebuf, ctx->error->message, ebufsize);
+	}
+
+	if (ebufsize > 0)
+		ebuf[ebufsize-1] = 0;
+
+	return res;
+}
+
+#else /* HAVE_OPENSSL */
+
+int fz_check_signature(fz_context *ctx, fz_interactive *idoc, fz_widget *widget, char *file, char *ebuf, int ebufsize)
+{
+	strncpy(ebuf, "This version of MuPDF was built without signature support", ebufsize);
+
+	return 0;
+}
+
+#endif /* HAVE_OPENSSL */
diff --git a/fitz/fitz.h b/fitz/fitz.h
index 70da29d7..a2c67b6e 100644
--- a/fitz/fitz.h
+++ b/fitz/fitz.h
@@ -3237,6 +3237,11 @@ int fz_signature_widget_byte_range(fz_interactive *idoc, fz_widget *widget, int
 */
 int fz_signature_widget_contents(fz_interactive *idoc, fz_widget *widget, char **contents);
 
+/*
+	fz_check_signature: check a signature's certificate chain and digest
+*/
+int fz_check_signature(fz_context *ctx, fz_interactive *idoc, fz_widget *widget, char *file, char *ebuf, int ebufsize);
+
 /*
 	Document events: the objects via which MuPDF informs the calling app
 	of occurrences emanating from the document, possibly from user interaction
diff --git a/win32/mujstest-v8.vcproj b/win32/mujstest-v8.vcproj
index b075880e..37d88b98 100644
--- a/win32/mujstest-v8.vcproj
+++ b/win32/mujstest-v8.vcproj
@@ -239,10 +239,182 @@
 				Name="VCPostBuildEventTool"
 			/>
 		</Configuration>
+		<Configuration
+			Name="DebugOpenssl|Win32"
+			OutputDirectory="$(ConfigurationName)"
+			IntermediateDirectory="$(ConfigurationName)"
+			ConfigurationType="1"
+			CharacterSet="2"
+			>
+			<Tool
+				Name="VCPreBuildEventTool"
+			/>
+			<Tool
+				Name="VCCustomBuildTool"
+			/>
+			<Tool
+				Name="VCXMLDataGeneratorTool"
+			/>
+			<Tool
+				Name="VCWebServiceProxyGeneratorTool"
+			/>
+			<Tool
+				Name="VCMIDLTool"
+			/>
+			<Tool
+				Name="VCCLCompilerTool"
+				Optimization="0"
+				AdditionalIncludeDirectories="..\fitz;..\pdf;..\xps;..\cbz"
+				PreprocessorDefinitions="FT2_BUILD_LIBRARY;OPJ_STATIC;DEBUG=1;HAVE_OPENSSL"
+				MinimalRebuild="true"
+				BasicRuntimeChecks="3"
+				RuntimeLibrary="1"
+				WarningLevel="3"
+				DebugInformationFormat="4"
+			/>
+			<Tool
+				Name="VCManagedResourceCompilerTool"
+			/>
+			<Tool
+				Name="VCResourceCompilerTool"
+			/>
+			<Tool
+				Name="VCPreLinkEventTool"
+			/>
+			<Tool
+				Name="VCLinkerTool"
+				AdditionalOptions="/FORCE"
+				AdditionalDependencies="v8_base.lib v8_snapshot.lib ws2_32.lib winmm.lib libeay32.lib"
+				AdditionalLibraryDirectories="&quot;..\thirdparty\v8-3.9\build\Debug\lib\&quot;;..\thirdparty\openssl\lib"
+				GenerateDebugInformation="true"
+				TargetMachine="1"
+			/>
+			<Tool
+				Name="VCALinkTool"
+			/>
+			<Tool
+				Name="VCManifestTool"
+			/>
+			<Tool
+				Name="VCXDCMakeTool"
+			/>
+			<Tool
+				Name="VCBscMakeTool"
+			/>
+			<Tool
+				Name="VCFxCopTool"
+			/>
+			<Tool
+				Name="VCAppVerifierTool"
+			/>
+			<Tool
+				Name="VCWebDeploymentTool"
+			/>
+			<Tool
+				Name="VCPostBuildEventTool"
+			/>
+		</Configuration>
+		<Configuration
+			Name="ReleaseOpenssl|Win32"
+			OutputDirectory="$(ConfigurationName)"
+			IntermediateDirectory="$(ConfigurationName)"
+			ConfigurationType="1"
+			CharacterSet="2"
+			WholeProgramOptimization="1"
+			>
+			<Tool
+				Name="VCPreBuildEventTool"
+			/>
+			<Tool
+				Name="VCCustomBuildTool"
+			/>
+			<Tool
+				Name="VCXMLDataGeneratorTool"
+			/>
+			<Tool
+				Name="VCWebServiceProxyGeneratorTool"
+			/>
+			<Tool
+				Name="VCMIDLTool"
+			/>
+			<Tool
+				Name="VCCLCompilerTool"
+				Optimization="2"
+				EnableIntrinsicFunctions="true"
+				AdditionalIncludeDirectories="..\fitz;..\pdf;..\xps;..\cbz"
+				PreprocessorDefinitions="HAVE_OPENSSL"
+				RuntimeLibrary="0"
+				EnableFunctionLevelLinking="true"
+				WarningLevel="3"
+				DebugInformationFormat="3"
+			/>
+			<Tool
+				Name="VCManagedResourceCompilerTool"
+			/>
+			<Tool
+				Name="VCResourceCompilerTool"
+			/>
+			<Tool
+				Name="VCPreLinkEventTool"
+			/>
+			<Tool
+				Name="VCLinkerTool"
+				AdditionalDependencies="v8_base.lib v8_snapshot.lib libeay32.lib ws2_32.lib winmm.lib"
+				AdditionalLibraryDirectories="&quot;..\thirdparty\v8-3.9\build\release\lib\&quot;;..\thirdparty\openssl\lib"
+				GenerateDebugInformation="true"
+				OptimizeReferences="2"
+				EnableCOMDATFolding="2"
+				TargetMachine="1"
+			/>
+			<Tool
+				Name="VCALinkTool"
+			/>
+			<Tool
+				Name="VCManifestTool"
+			/>
+			<Tool
+				Name="VCXDCMakeTool"
+			/>
+			<Tool
+				Name="VCBscMakeTool"
+			/>
+			<Tool
+				Name="VCFxCopTool"
+			/>
+			<Tool
+				Name="VCAppVerifierTool"
+			/>
+			<Tool
+				Name="VCWebDeploymentTool"
+			/>
+			<Tool
+				Name="VCPostBuildEventTool"
+			/>
+		</Configuration>
 	</Configurations>
 	<References>
 	</References>
 	<Files>
+		<File
+			RelativePath="..\fitz\crypt_pkcs7.c"
+			>
+			<FileConfiguration
+				Name="DebugOpenssl|Win32"
+				>
+				<Tool
+					Name="VCCLCompilerTool"
+					AdditionalIncludeDirectories="..\thirdparty\openssl\include"
+				/>
+			</FileConfiguration>
+			<FileConfiguration
+				Name="ReleaseOpenssl|Win32"
+				>
+				<Tool
+					Name="VCCLCompilerTool"
+					AdditionalIncludeDirectories="..\thirdparty\openssl\include"
+				/>
+			</FileConfiguration>
+		</File>
 		<File
 			RelativePath="..\apps\jstest_main.c"
 			>
diff --git a/win32/mupdf-v8.vcproj b/win32/mupdf-v8.vcproj
index 4eb086c3..6bfcab18 100644
--- a/win32/mupdf-v8.vcproj
+++ b/win32/mupdf-v8.vcproj
@@ -239,10 +239,182 @@
 				Name="VCPostBuildEventTool"
 			/>
 		</Configuration>
+		<Configuration
+			Name="DebugOpenssl|Win32"
+			OutputDirectory="$(ConfigurationName)"
+			IntermediateDirectory="$(ConfigurationName)"
+			ConfigurationType="1"
+			CharacterSet="2"
+			>
+			<Tool
+				Name="VCPreBuildEventTool"
+			/>
+			<Tool
+				Name="VCCustomBuildTool"
+			/>
+			<Tool
+				Name="VCXMLDataGeneratorTool"
+			/>
+			<Tool
+				Name="VCWebServiceProxyGeneratorTool"
+			/>
+			<Tool
+				Name="VCMIDLTool"
+			/>
+			<Tool
+				Name="VCCLCompilerTool"
+				Optimization="0"
+				AdditionalIncludeDirectories="..\fitz;..\pdf;..\xps;..\cbz"
+				PreprocessorDefinitions="FT2_BUILD_LIBRARY;OPJ_STATIC;DEBUG=1;HAVE_OPENSSL"
+				MinimalRebuild="true"
+				BasicRuntimeChecks="3"
+				RuntimeLibrary="1"
+				WarningLevel="3"
+				DebugInformationFormat="4"
+			/>
+			<Tool
+				Name="VCManagedResourceCompilerTool"
+			/>
+			<Tool
+				Name="VCResourceCompilerTool"
+			/>
+			<Tool
+				Name="VCPreLinkEventTool"
+			/>
+			<Tool
+				Name="VCLinkerTool"
+				AdditionalOptions="/FORCE"
+				AdditionalDependencies="v8_base.lib v8_snapshot.lib libeay32.lib ws2_32.lib winmm.lib"
+				AdditionalLibraryDirectories="&quot;..\thirdparty\v8-3.9\build\Debug\lib&quot;;..\thirdparty\openssl\lib"
+				GenerateDebugInformation="true"
+				TargetMachine="1"
+			/>
+			<Tool
+				Name="VCALinkTool"
+			/>
+			<Tool
+				Name="VCManifestTool"
+			/>
+			<Tool
+				Name="VCXDCMakeTool"
+			/>
+			<Tool
+				Name="VCBscMakeTool"
+			/>
+			<Tool
+				Name="VCFxCopTool"
+			/>
+			<Tool
+				Name="VCAppVerifierTool"
+			/>
+			<Tool
+				Name="VCWebDeploymentTool"
+			/>
+			<Tool
+				Name="VCPostBuildEventTool"
+			/>
+		</Configuration>
+		<Configuration
+			Name="ReleaseOpenssl|Win32"
+			OutputDirectory="$(ConfigurationName)"
+			IntermediateDirectory="$(ConfigurationName)"
+			ConfigurationType="1"
+			CharacterSet="2"
+			WholeProgramOptimization="1"
+			>
+			<Tool
+				Name="VCPreBuildEventTool"
+			/>
+			<Tool
+				Name="VCCustomBuildTool"
+			/>
+			<Tool
+				Name="VCXMLDataGeneratorTool"
+			/>
+			<Tool
+				Name="VCWebServiceProxyGeneratorTool"
+			/>
+			<Tool
+				Name="VCMIDLTool"
+			/>
+			<Tool
+				Name="VCCLCompilerTool"
+				Optimization="2"
+				EnableIntrinsicFunctions="true"
+				AdditionalIncludeDirectories="..\fitz;..\pdf;..\xps;..\cbz"
+				PreprocessorDefinitions="HAVE_OPENSSL"
+				RuntimeLibrary="0"
+				EnableFunctionLevelLinking="true"
+				WarningLevel="3"
+				DebugInformationFormat="3"
+			/>
+			<Tool
+				Name="VCManagedResourceCompilerTool"
+			/>
+			<Tool
+				Name="VCResourceCompilerTool"
+			/>
+			<Tool
+				Name="VCPreLinkEventTool"
+			/>
+			<Tool
+				Name="VCLinkerTool"
+				AdditionalDependencies="v8_base.lib v8_snapshot.lib libeay32.lib ws2_32.lib winmm.lib"
+				AdditionalLibraryDirectories="&quot;..\thirdparty\v8-3.9\Build\release\lib&quot;;..\thirdparty\openssl\lib"
+				GenerateDebugInformation="true"
+				OptimizeReferences="2"
+				EnableCOMDATFolding="2"
+				TargetMachine="1"
+			/>
+			<Tool
+				Name="VCALinkTool"
+			/>
+			<Tool
+				Name="VCManifestTool"
+			/>
+			<Tool
+				Name="VCXDCMakeTool"
+			/>
+			<Tool
+				Name="VCBscMakeTool"
+			/>
+			<Tool
+				Name="VCFxCopTool"
+			/>
+			<Tool
+				Name="VCAppVerifierTool"
+			/>
+			<Tool
+				Name="VCWebDeploymentTool"
+			/>
+			<Tool
+				Name="VCPostBuildEventTool"
+			/>
+		</Configuration>
 	</Configurations>
 	<References>
 	</References>
 	<Files>
+		<File
+			RelativePath="..\fitz\crypt_pkcs7.c"
+			>
+			<FileConfiguration
+				Name="DebugOpenssl|Win32"
+				>
+				<Tool
+					Name="VCCLCompilerTool"
+					AdditionalIncludeDirectories="..\thirdparty\openssl\include"
+				/>
+			</FileConfiguration>
+			<FileConfiguration
+				Name="ReleaseOpenssl|Win32"
+				>
+				<Tool
+					Name="VCCLCompilerTool"
+					AdditionalIncludeDirectories="..\thirdparty\openssl\include"
+				/>
+			</FileConfiguration>
+		</File>
 		<File
 			RelativePath="..\apps\pdfapp.c"
 			>
diff --git a/win32/mupdf.sln b/win32/mupdf.sln
index 47a81740..7b3de7fa 100644
--- a/win32/mupdf.sln
+++ b/win32/mupdf.sln
@@ -53,70 +53,112 @@ EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Win32 = Debug|Win32
+		DebugOpenssl|Win32 = DebugOpenssl|Win32
 		Memento|Win32 = Memento|Win32
 		Release|Win32 = Release|Win32
+		ReleaseOpenssl|Win32 = ReleaseOpenssl|Win32
 	EndGlobalSection
 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
 		{E74F29F0-FA43-4ADC-B92C-6AFA08E4A417}.Debug|Win32.ActiveCfg = Debug|Win32
 		{E74F29F0-FA43-4ADC-B92C-6AFA08E4A417}.Debug|Win32.Build.0 = Debug|Win32
+		{E74F29F0-FA43-4ADC-B92C-6AFA08E4A417}.DebugOpenssl|Win32.ActiveCfg = DebugOpenssl|Win32
+		{E74F29F0-FA43-4ADC-B92C-6AFA08E4A417}.DebugOpenssl|Win32.Build.0 = DebugOpenssl|Win32
 		{E74F29F0-FA43-4ADC-B92C-6AFA08E4A417}.Memento|Win32.ActiveCfg = Memento|Win32
 		{E74F29F0-FA43-4ADC-B92C-6AFA08E4A417}.Memento|Win32.Build.0 = Memento|Win32
 		{E74F29F0-FA43-4ADC-B92C-6AFA08E4A417}.Release|Win32.ActiveCfg = Release|Win32
 		{E74F29F0-FA43-4ADC-B92C-6AFA08E4A417}.Release|Win32.Build.0 = Release|Win32
+		{E74F29F0-FA43-4ADC-B92C-6AFA08E4A417}.ReleaseOpenssl|Win32.ActiveCfg = ReleaseOpenssl|Win32
+		{E74F29F0-FA43-4ADC-B92C-6AFA08E4A417}.ReleaseOpenssl|Win32.Build.0 = ReleaseOpenssl|Win32
 		{5EDCF4FD-0291-4FB9-8D96-D58957CA5E3C}.Debug|Win32.ActiveCfg = Debug|Win32
 		{5EDCF4FD-0291-4FB9-8D96-D58957CA5E3C}.Debug|Win32.Build.0 = Debug|Win32
+		{5EDCF4FD-0291-4FB9-8D96-D58957CA5E3C}.DebugOpenssl|Win32.ActiveCfg = Debug|Win32
+		{5EDCF4FD-0291-4FB9-8D96-D58957CA5E3C}.DebugOpenssl|Win32.Build.0 = Debug|Win32
 		{5EDCF4FD-0291-4FB9-8D96-D58957CA5E3C}.Memento|Win32.ActiveCfg = Memento|Win32
 		{5EDCF4FD-0291-4FB9-8D96-D58957CA5E3C}.Memento|Win32.Build.0 = Memento|Win32
 		{5EDCF4FD-0291-4FB9-8D96-D58957CA5E3C}.Release|Win32.ActiveCfg = Release|Win32
 		{5EDCF4FD-0291-4FB9-8D96-D58957CA5E3C}.Release|Win32.Build.0 = Release|Win32
+		{5EDCF4FD-0291-4FB9-8D96-D58957CA5E3C}.ReleaseOpenssl|Win32.ActiveCfg = Release|Win32
+		{5EDCF4FD-0291-4FB9-8D96-D58957CA5E3C}.ReleaseOpenssl|Win32.Build.0 = Release|Win32
 		{5F615F91-DFF8-4F05-BF48-6222B7D86519}.Debug|Win32.ActiveCfg = Debug|Win32
 		{5F615F91-DFF8-4F05-BF48-6222B7D86519}.Debug|Win32.Build.0 = Debug|Win32
+		{5F615F91-DFF8-4F05-BF48-6222B7D86519}.DebugOpenssl|Win32.ActiveCfg = Debug|Win32
+		{5F615F91-DFF8-4F05-BF48-6222B7D86519}.DebugOpenssl|Win32.Build.0 = Debug|Win32
 		{5F615F91-DFF8-4F05-BF48-6222B7D86519}.Memento|Win32.ActiveCfg = Memento|Win32
 		{5F615F91-DFF8-4F05-BF48-6222B7D86519}.Memento|Win32.Build.0 = Memento|Win32
 		{5F615F91-DFF8-4F05-BF48-6222B7D86519}.Release|Win32.ActiveCfg = Release|Win32
 		{5F615F91-DFF8-4F05-BF48-6222B7D86519}.Release|Win32.Build.0 = Release|Win32
+		{5F615F91-DFF8-4F05-BF48-6222B7D86519}.ReleaseOpenssl|Win32.ActiveCfg = Release|Win32
+		{5F615F91-DFF8-4F05-BF48-6222B7D86519}.ReleaseOpenssl|Win32.Build.0 = Release|Win32
 		{0B51171B-B10E-4EAC-8FFA-19226A1828A3}.Debug|Win32.ActiveCfg = Debug|Win32
 		{0B51171B-B10E-4EAC-8FFA-19226A1828A3}.Debug|Win32.Build.0 = Debug|Win32
+		{0B51171B-B10E-4EAC-8FFA-19226A1828A3}.DebugOpenssl|Win32.ActiveCfg = Debug|Win32
+		{0B51171B-B10E-4EAC-8FFA-19226A1828A3}.DebugOpenssl|Win32.Build.0 = Debug|Win32
 		{0B51171B-B10E-4EAC-8FFA-19226A1828A3}.Memento|Win32.ActiveCfg = Memento|Win32
 		{0B51171B-B10E-4EAC-8FFA-19226A1828A3}.Memento|Win32.Build.0 = Memento|Win32
 		{0B51171B-B10E-4EAC-8FFA-19226A1828A3}.Release|Win32.ActiveCfg = Release|Win32
 		{0B51171B-B10E-4EAC-8FFA-19226A1828A3}.Release|Win32.Build.0 = Release|Win32
+		{0B51171B-B10E-4EAC-8FFA-19226A1828A3}.ReleaseOpenssl|Win32.ActiveCfg = Release|Win32
+		{0B51171B-B10E-4EAC-8FFA-19226A1828A3}.ReleaseOpenssl|Win32.Build.0 = Release|Win32
 		{00811970-815B-4F64-BC9D-219078B1F3AA}.Debug|Win32.ActiveCfg = Debug|Win32
 		{00811970-815B-4F64-BC9D-219078B1F3AA}.Debug|Win32.Build.0 = Debug|Win32
+		{00811970-815B-4F64-BC9D-219078B1F3AA}.DebugOpenssl|Win32.ActiveCfg = Debug|Win32
+		{00811970-815B-4F64-BC9D-219078B1F3AA}.DebugOpenssl|Win32.Build.0 = Debug|Win32
 		{00811970-815B-4F64-BC9D-219078B1F3AA}.Memento|Win32.ActiveCfg = Memento|Win32
 		{00811970-815B-4F64-BC9D-219078B1F3AA}.Memento|Win32.Build.0 = Memento|Win32
 		{00811970-815B-4F64-BC9D-219078B1F3AA}.Release|Win32.ActiveCfg = Release|Win32
 		{00811970-815B-4F64-BC9D-219078B1F3AA}.Release|Win32.Build.0 = Release|Win32
+		{00811970-815B-4F64-BC9D-219078B1F3AA}.ReleaseOpenssl|Win32.ActiveCfg = Release|Win32
+		{00811970-815B-4F64-BC9D-219078B1F3AA}.ReleaseOpenssl|Win32.Build.0 = Release|Win32
 		{A5053AA7-02E5-4903-B596-04F17AEB1526}.Debug|Win32.ActiveCfg = Debug|Win32
 		{A5053AA7-02E5-4903-B596-04F17AEB1526}.Debug|Win32.Build.0 = Debug|Win32
+		{A5053AA7-02E5-4903-B596-04F17AEB1526}.DebugOpenssl|Win32.ActiveCfg = Debug|Win32
+		{A5053AA7-02E5-4903-B596-04F17AEB1526}.DebugOpenssl|Win32.Build.0 = Debug|Win32
 		{A5053AA7-02E5-4903-B596-04F17AEB1526}.Memento|Win32.ActiveCfg = Memento|Win32
 		{A5053AA7-02E5-4903-B596-04F17AEB1526}.Memento|Win32.Build.0 = Memento|Win32
 		{A5053AA7-02E5-4903-B596-04F17AEB1526}.Release|Win32.ActiveCfg = Release|Win32
 		{A5053AA7-02E5-4903-B596-04F17AEB1526}.Release|Win32.Build.0 = Release|Win32
+		{A5053AA7-02E5-4903-B596-04F17AEB1526}.ReleaseOpenssl|Win32.ActiveCfg = Release|Win32
+		{A5053AA7-02E5-4903-B596-04F17AEB1526}.ReleaseOpenssl|Win32.Build.0 = Release|Win32
 		{2E5DAFDB-A060-4011-B760-32F6A3A4BC9D}.Debug|Win32.ActiveCfg = Debug|Win32
 		{2E5DAFDB-A060-4011-B760-32F6A3A4BC9D}.Debug|Win32.Build.0 = Debug|Win32
+		{2E5DAFDB-A060-4011-B760-32F6A3A4BC9D}.DebugOpenssl|Win32.ActiveCfg = Debug|Win32
+		{2E5DAFDB-A060-4011-B760-32F6A3A4BC9D}.DebugOpenssl|Win32.Build.0 = Debug|Win32
 		{2E5DAFDB-A060-4011-B760-32F6A3A4BC9D}.Memento|Win32.ActiveCfg = Memento|Win32
 		{2E5DAFDB-A060-4011-B760-32F6A3A4BC9D}.Memento|Win32.Build.0 = Memento|Win32
 		{2E5DAFDB-A060-4011-B760-32F6A3A4BC9D}.Release|Win32.ActiveCfg = Release|Win32
 		{2E5DAFDB-A060-4011-B760-32F6A3A4BC9D}.Release|Win32.Build.0 = Release|Win32
+		{2E5DAFDB-A060-4011-B760-32F6A3A4BC9D}.ReleaseOpenssl|Win32.ActiveCfg = Release|Win32
+		{2E5DAFDB-A060-4011-B760-32F6A3A4BC9D}.ReleaseOpenssl|Win32.Build.0 = Release|Win32
 		{9035A4F3-4219-45A5-985D-FBF4D9609713}.Debug|Win32.ActiveCfg = Debug|Win32
 		{9035A4F3-4219-45A5-985D-FBF4D9609713}.Debug|Win32.Build.0 = Debug|Win32
+		{9035A4F3-4219-45A5-985D-FBF4D9609713}.DebugOpenssl|Win32.ActiveCfg = DebugOpenssl|Win32
+		{9035A4F3-4219-45A5-985D-FBF4D9609713}.DebugOpenssl|Win32.Build.0 = DebugOpenssl|Win32
 		{9035A4F3-4219-45A5-985D-FBF4D9609713}.Memento|Win32.ActiveCfg = Memento|Win32
 		{9035A4F3-4219-45A5-985D-FBF4D9609713}.Memento|Win32.Build.0 = Memento|Win32
 		{9035A4F3-4219-45A5-985D-FBF4D9609713}.Release|Win32.ActiveCfg = Release|Win32
 		{9035A4F3-4219-45A5-985D-FBF4D9609713}.Release|Win32.Build.0 = Release|Win32
+		{9035A4F3-4219-45A5-985D-FBF4D9609713}.ReleaseOpenssl|Win32.ActiveCfg = ReleaseOpenssl|Win32
+		{9035A4F3-4219-45A5-985D-FBF4D9609713}.ReleaseOpenssl|Win32.Build.0 = ReleaseOpenssl|Win32
 		{21E28758-E4D2-4B84-8EC5-B631CEE66B30}.Debug|Win32.ActiveCfg = Debug|Win32
 		{21E28758-E4D2-4B84-8EC5-B631CEE66B30}.Debug|Win32.Build.0 = Debug|Win32
+		{21E28758-E4D2-4B84-8EC5-B631CEE66B30}.DebugOpenssl|Win32.ActiveCfg = DebugOpenssl|Win32
+		{21E28758-E4D2-4B84-8EC5-B631CEE66B30}.DebugOpenssl|Win32.Build.0 = DebugOpenssl|Win32
 		{21E28758-E4D2-4B84-8EC5-B631CEE66B30}.Memento|Win32.ActiveCfg = Memento|Win32
 		{21E28758-E4D2-4B84-8EC5-B631CEE66B30}.Memento|Win32.Build.0 = Memento|Win32
 		{21E28758-E4D2-4B84-8EC5-B631CEE66B30}.Release|Win32.ActiveCfg = Release|Win32
 		{21E28758-E4D2-4B84-8EC5-B631CEE66B30}.Release|Win32.Build.0 = Release|Win32
+		{21E28758-E4D2-4B84-8EC5-B631CEE66B30}.ReleaseOpenssl|Win32.ActiveCfg = ReleaseOpenssl|Win32
+		{21E28758-E4D2-4B84-8EC5-B631CEE66B30}.ReleaseOpenssl|Win32.Build.0 = ReleaseOpenssl|Win32
 		{EC81A9F3-88A6-4170-B7B4-C41CB789A7F6}.Debug|Win32.ActiveCfg = Debug|Win32
 		{EC81A9F3-88A6-4170-B7B4-C41CB789A7F6}.Debug|Win32.Build.0 = Debug|Win32
+		{EC81A9F3-88A6-4170-B7B4-C41CB789A7F6}.DebugOpenssl|Win32.ActiveCfg = Debug|Win32
+		{EC81A9F3-88A6-4170-B7B4-C41CB789A7F6}.DebugOpenssl|Win32.Build.0 = Debug|Win32
 		{EC81A9F3-88A6-4170-B7B4-C41CB789A7F6}.Memento|Win32.ActiveCfg = Memento|Win32
 		{EC81A9F3-88A6-4170-B7B4-C41CB789A7F6}.Memento|Win32.Build.0 = Memento|Win32
 		{EC81A9F3-88A6-4170-B7B4-C41CB789A7F6}.Release|Win32.ActiveCfg = Release|Win32
 		{EC81A9F3-88A6-4170-B7B4-C41CB789A7F6}.Release|Win32.Build.0 = Release|Win32
+		{EC81A9F3-88A6-4170-B7B4-C41CB789A7F6}.ReleaseOpenssl|Win32.ActiveCfg = Release|Win32
+		{EC81A9F3-88A6-4170-B7B4-C41CB789A7F6}.ReleaseOpenssl|Win32.Build.0 = Release|Win32
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
diff --git a/win32/mupdf.vcproj b/win32/mupdf.vcproj
index 3bbc83a9..95c3a383 100644
--- a/win32/mupdf.vcproj
+++ b/win32/mupdf.vcproj
@@ -232,10 +232,181 @@
 				Name="VCPostBuildEventTool"
 			/>
 		</Configuration>
+		<Configuration
+			Name="DebugOpenssl|Win32"
+			OutputDirectory="$(ConfigurationName)"
+			IntermediateDirectory="$(ConfigurationName)"
+			ConfigurationType="1"
+			CharacterSet="2"
+			>
+			<Tool
+				Name="VCPreBuildEventTool"
+			/>
+			<Tool
+				Name="VCCustomBuildTool"
+			/>
+			<Tool
+				Name="VCXMLDataGeneratorTool"
+			/>
+			<Tool
+				Name="VCWebServiceProxyGeneratorTool"
+			/>
+			<Tool
+				Name="VCMIDLTool"
+			/>
+			<Tool
+				Name="VCCLCompilerTool"
+				Optimization="0"
+				AdditionalIncludeDirectories="..\fitz;..\pdf;..\xps;..\cbz"
+				PreprocessorDefinitions="FT2_BUILD_LIBRARY;OPJ_STATIC;DEBUG=1;HAVE_OPENSSL"
+				MinimalRebuild="true"
+				BasicRuntimeChecks="3"
+				RuntimeLibrary="1"
+				WarningLevel="3"
+				DebugInformationFormat="4"
+			/>
+			<Tool
+				Name="VCManagedResourceCompilerTool"
+			/>
+			<Tool
+				Name="VCResourceCompilerTool"
+			/>
+			<Tool
+				Name="VCPreLinkEventTool"
+			/>
+			<Tool
+				Name="VCLinkerTool"
+				AdditionalDependencies="libeay32.lib"
+				AdditionalLibraryDirectories="..\thirdparty\openssl\lib"
+				GenerateDebugInformation="true"
+				TargetMachine="1"
+			/>
+			<Tool
+				Name="VCALinkTool"
+			/>
+			<Tool
+				Name="VCManifestTool"
+			/>
+			<Tool
+				Name="VCXDCMakeTool"
+			/>
+			<Tool
+				Name="VCBscMakeTool"
+			/>
+			<Tool
+				Name="VCFxCopTool"
+			/>
+			<Tool
+				Name="VCAppVerifierTool"
+			/>
+			<Tool
+				Name="VCWebDeploymentTool"
+			/>
+			<Tool
+				Name="VCPostBuildEventTool"
+			/>
+		</Configuration>
+		<Configuration
+			Name="ReleaseOpenssl|Win32"
+			OutputDirectory="$(ConfigurationName)"
+			IntermediateDirectory="$(ConfigurationName)"
+			ConfigurationType="1"
+			CharacterSet="2"
+			WholeProgramOptimization="1"
+			>
+			<Tool
+				Name="VCPreBuildEventTool"
+			/>
+			<Tool
+				Name="VCCustomBuildTool"
+			/>
+			<Tool
+				Name="VCXMLDataGeneratorTool"
+			/>
+			<Tool
+				Name="VCWebServiceProxyGeneratorTool"
+			/>
+			<Tool
+				Name="VCMIDLTool"
+			/>
+			<Tool
+				Name="VCCLCompilerTool"
+				Optimization="2"
+				EnableIntrinsicFunctions="true"
+				AdditionalIncludeDirectories="..\fitz;..\pdf;..\xps;..\cbz"
+				PreprocessorDefinitions="HAVE_OPENSSL"
+				RuntimeLibrary="0"
+				EnableFunctionLevelLinking="true"
+				WarningLevel="3"
+				DebugInformationFormat="3"
+			/>
+			<Tool
+				Name="VCManagedResourceCompilerTool"
+			/>
+			<Tool
+				Name="VCResourceCompilerTool"
+			/>
+			<Tool
+				Name="VCPreLinkEventTool"
+			/>
+			<Tool
+				Name="VCLinkerTool"
+				AdditionalDependencies="libeay32.lib"
+				AdditionalLibraryDirectories="..\thirdparty\openssl\lib"
+				GenerateDebugInformation="true"
+				OptimizeReferences="2"
+				EnableCOMDATFolding="2"
+				TargetMachine="1"
+			/>
+			<Tool
+				Name="VCALinkTool"
+			/>
+			<Tool
+				Name="VCManifestTool"
+			/>
+			<Tool
+				Name="VCXDCMakeTool"
+			/>
+			<Tool
+				Name="VCBscMakeTool"
+			/>
+			<Tool
+				Name="VCFxCopTool"
+			/>
+			<Tool
+				Name="VCAppVerifierTool"
+			/>
+			<Tool
+				Name="VCWebDeploymentTool"
+			/>
+			<Tool
+				Name="VCPostBuildEventTool"
+			/>
+		</Configuration>
 	</Configurations>
 	<References>
 	</References>
 	<Files>
+		<File
+			RelativePath="..\fitz\crypt_pkcs7.c"
+			>
+			<FileConfiguration
+				Name="DebugOpenssl|Win32"
+				>
+				<Tool
+					Name="VCCLCompilerTool"
+					AdditionalIncludeDirectories="..\thirdparty\openssl\include"
+				/>
+			</FileConfiguration>
+			<FileConfiguration
+				Name="ReleaseOpenssl|Win32"
+				>
+				<Tool
+					Name="VCCLCompilerTool"
+					AdditionalIncludeDirectories="..\thirdparty\openssl\include"
+				/>
+			</FileConfiguration>
+		</File>
 		<File
 			RelativePath="..\apps\pdfapp.c"
 			>
-- 
cgit v1.2.3