/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

/*
 * CMS decoding.
 */

#include "cmslocal.h"

#include "cert.h"
#include "key.h"
#include "secasn1.h"
#include "secitem.h"
#include "secoid.h"
#include "prtime.h"
#include "secerr.h"

struct NSSCMSDecoderContextStr {
    SEC_ASN1DecoderContext *dcx;      /* ASN.1 decoder context */
    NSSCMSMessage *cmsg;              /* backpointer to the root message */
    SECOidTag type;                   /* type of message */
    NSSCMSContent content;            /* pointer to message */
    NSSCMSDecoderContext *childp7dcx; /* inner CMS decoder context */
    PRBool saw_contents;
    int error;
    NSSCMSContentCallback cb;
    void *cb_arg;
    PRBool first_decoded;
    PRBool need_indefinite_finish;
};

struct NSSCMSDecoderDataStr {
    SECItem data; /* must be first */
    unsigned int totalBufferSize;
};

typedef struct NSSCMSDecoderDataStr NSSCMSDecoderData;

static void nss_cms_decoder_update_filter(void *arg, const char *data,
                                          unsigned long len, int depth,
                                          SEC_ASN1EncodingPart data_kind);
static SECStatus nss_cms_before_data(NSSCMSDecoderContext *p7dcx);
static SECStatus nss_cms_after_data(NSSCMSDecoderContext *p7dcx);
static SECStatus nss_cms_after_end(NSSCMSDecoderContext *p7dcx);
static void nss_cms_decoder_work_data(NSSCMSDecoderContext *p7dcx,
                                      const unsigned char *data,
                                      unsigned long len,
                                      PRBool final);
static NSSCMSDecoderData *nss_cms_create_decoder_data(PLArenaPool *poolp);

extern const SEC_ASN1Template NSSCMSMessageTemplate[];

static NSSCMSDecoderData *
nss_cms_create_decoder_data(PLArenaPool *poolp)
{
    NSSCMSDecoderData *decoderData = NULL;

    decoderData = (NSSCMSDecoderData *)
        PORT_ArenaAlloc(poolp, sizeof(NSSCMSDecoderData));
    if (!decoderData) {
        return NULL;
    }
    decoderData->data.data = NULL;
    decoderData->data.len = 0;
    decoderData->totalBufferSize = 0;
    return decoderData;
}

/*
 * nss_cms_decoder_notify -
 *  this is the driver of the decoding process. It gets called by the ASN.1
 *  decoder before and after an object is decoded.
 *  at various points in the decoding process, we intercept to set up and do
 *  further processing.
 */
static void
nss_cms_decoder_notify(void *arg, PRBool before, void *dest, int depth)
{
    NSSCMSDecoderContext *p7dcx;
    NSSCMSContentInfo *rootcinfo, *cinfo;
    PRBool after = !before;

    p7dcx = (NSSCMSDecoderContext *)arg;
    rootcinfo = &(p7dcx->cmsg->contentInfo);

/* XXX error handling: need to set p7dcx->error */

#ifdef CMSDEBUG
    fprintf(stderr, "%6.6s, dest = 0x%08x, depth = %d\n", before ? "before" : "after",
            dest, depth);
#endif

    /* so what are we working on right now? */
    if (p7dcx->type == SEC_OID_UNKNOWN) {
        /*
         * right now, we are still decoding the OUTER (root) cinfo
         * As soon as we know the inner content type, set up the info,
         * but NO inner decoder or filter. The root decoder handles the first
         * level children by itself - only for encapsulated contents (which
         * are encoded as DER inside of an OCTET STRING) we need to set up a
         * child decoder...
         */
        if (after && dest == &(rootcinfo->contentType)) {
            p7dcx->type = NSS_CMSContentInfo_GetContentTypeTag(rootcinfo);
            p7dcx->content = rootcinfo->content;
            /* is this ready already ? need to alloc? */
            /* XXX yes we need to alloc -- continue here */
        }
    } else if (NSS_CMSType_IsData(p7dcx->type)) {
        /* this can only happen if the outermost cinfo has DATA in it */
        /* otherwise, we handle this type implicitely in the inner decoders */

        if (before && dest == &(rootcinfo->content)) {
            /* cause the filter to put the data in the right place...
            ** We want the ASN.1 decoder to deliver the decoded bytes to us
            ** from now on
            */
            SEC_ASN1DecoderSetFilterProc(p7dcx->dcx,
                                         nss_cms_decoder_update_filter,
                                         p7dcx,
                                         (PRBool)(p7dcx->cb != NULL));
        } else if (after && dest == &(rootcinfo->content.data)) {
            /* remove the filter */
            SEC_ASN1DecoderClearFilterProc(p7dcx->dcx);
        }
    } else if (NSS_CMSType_IsWrapper(p7dcx->type)) {
        if (!before || dest != &(rootcinfo->content)) {

            if (p7dcx->content.pointer == NULL)
                p7dcx->content = rootcinfo->content;

            /* get this data type's inner contentInfo */
            cinfo = NSS_CMSContent_GetContentInfo(p7dcx->content.pointer,
                                                  p7dcx->type);

            if (before && dest == &(cinfo->contentType)) {
                /* at this point, set up the &%$&$ back pointer */
                /* we cannot do it later, because the content itself
                 * is optional! */
                switch (p7dcx->type) {
                    case SEC_OID_PKCS7_SIGNED_DATA:
                        p7dcx->content.signedData->cmsg = p7dcx->cmsg;
                        break;
                    case SEC_OID_PKCS7_DIGESTED_DATA:
                        p7dcx->content.digestedData->cmsg = p7dcx->cmsg;
                        break;
                    case SEC_OID_PKCS7_ENVELOPED_DATA:
                        p7dcx->content.envelopedData->cmsg = p7dcx->cmsg;
                        break;
                    case SEC_OID_PKCS7_ENCRYPTED_DATA:
                        p7dcx->content.encryptedData->cmsg = p7dcx->cmsg;
                        break;
                    default:
                        p7dcx->content.genericData->cmsg = p7dcx->cmsg;
                        break;
                }
            }

            if (before && dest == &(cinfo->rawContent)) {
                /* we want the ASN.1 decoder to deliver the decoded bytes to us
                 ** from now on
                 */
                SEC_ASN1DecoderSetFilterProc(p7dcx->dcx,
                                             nss_cms_decoder_update_filter,
                                             p7dcx, (PRBool)(p7dcx->cb != NULL));

                /* we're right in front of the data */
                if (nss_cms_before_data(p7dcx) != SECSuccess) {
                    SEC_ASN1DecoderClearFilterProc(p7dcx->dcx);
                    /* stop all processing */
                    p7dcx->error = PORT_GetError();
                }
            }
            if (after && dest == &(cinfo->rawContent)) {
                /* we're right after of the data */
                if (nss_cms_after_data(p7dcx) != SECSuccess)
                    p7dcx->error = PORT_GetError();

                /* we don't need to see the contents anymore */
                SEC_ASN1DecoderClearFilterProc(p7dcx->dcx);
            }
        }
    } else {
        /* unsupported or unknown message type - fail  gracefully */
        p7dcx->error = SEC_ERROR_UNSUPPORTED_MESSAGE_TYPE;
    }
}

/*
 * nss_cms_before_data - set up the current encoder to receive data
 */
static SECStatus
nss_cms_before_data(NSSCMSDecoderContext *p7dcx)
{
    SECStatus rv;
    SECOidTag childtype;
    PLArenaPool *poolp;
    NSSCMSDecoderContext *childp7dcx;
    NSSCMSContentInfo *cinfo;
    const SEC_ASN1Template *template;
    void *mark = NULL;
    size_t size;

    poolp = p7dcx->cmsg->poolp;

    /* call _Decode_BeforeData handlers */
    switch (p7dcx->type) {
        case SEC_OID_PKCS7_SIGNED_DATA:
            /* we're decoding a signedData, so set up the digests */
            rv = NSS_CMSSignedData_Decode_BeforeData(p7dcx->content.signedData);
            break;
        case SEC_OID_PKCS7_DIGESTED_DATA:
            /* we're encoding a digestedData, so set up the digest */
            rv = NSS_CMSDigestedData_Decode_BeforeData(p7dcx->content.digestedData);
            break;
        case SEC_OID_PKCS7_ENVELOPED_DATA:
            rv = NSS_CMSEnvelopedData_Decode_BeforeData(
                p7dcx->content.envelopedData);
            break;
        case SEC_OID_PKCS7_ENCRYPTED_DATA:
            rv = NSS_CMSEncryptedData_Decode_BeforeData(
                p7dcx->content.encryptedData);
            break;
        default:
            rv = NSS_CMSGenericWrapperData_Decode_BeforeData(p7dcx->type,
                                                             p7dcx->content.genericData);
    }
    if (rv != SECSuccess)
        return SECFailure;

    /* ok, now we have a pointer to cinfo */
    /* find out what kind of data is encapsulated */

    cinfo = NSS_CMSContent_GetContentInfo(p7dcx->content.pointer, p7dcx->type);
    childtype = NSS_CMSContentInfo_GetContentTypeTag(cinfo);

    if (NSS_CMSType_IsData(childtype)) {
        cinfo->content.pointer = (void *)nss_cms_create_decoder_data(poolp);
        if (cinfo->content.pointer == NULL)
            /* set memory error */
            return SECFailure;

        p7dcx->childp7dcx = NULL;
        return SECSuccess;
    }

    /* set up inner decoder */

    if ((template = NSS_CMSUtil_GetTemplateByTypeTag(childtype)) == NULL)
        return SECFailure;

    childp7dcx = PORT_ZNew(NSSCMSDecoderContext);
    if (childp7dcx == NULL)
        return SECFailure;

    mark = PORT_ArenaMark(poolp);

    /* allocate space for the stuff we're creating */
    size = NSS_CMSUtil_GetSizeByTypeTag(childtype);
    childp7dcx->content.pointer = (void *)PORT_ArenaZAlloc(poolp, size);
    if (childp7dcx->content.pointer == NULL)
        goto loser;

    /* give the parent a copy of the pointer so that it doesn't get lost */
    cinfo->content.pointer = childp7dcx->content.pointer;

    /* start the child decoder */
    childp7dcx->dcx = SEC_ASN1DecoderStart(poolp, childp7dcx->content.pointer,
                                           template);
    if (childp7dcx->dcx == NULL)
        goto loser;

    /* the new decoder needs to notify, too */
    SEC_ASN1DecoderSetNotifyProc(childp7dcx->dcx, nss_cms_decoder_notify,
                                 childp7dcx);

    /* tell the parent decoder that it needs to feed us the content data */
    p7dcx->childp7dcx = childp7dcx;

    childp7dcx->type = childtype; /* our type */

    childp7dcx->cmsg = p7dcx->cmsg; /* backpointer to root message */

    /* should the child decoder encounter real data,
    ** it must give it to the caller
    */
    childp7dcx->cb = p7dcx->cb;
    childp7dcx->cb_arg = p7dcx->cb_arg;
    childp7dcx->first_decoded = PR_FALSE;
    childp7dcx->need_indefinite_finish = PR_FALSE;
    if (childtype == SEC_OID_PKCS7_SIGNED_DATA) {
        childp7dcx->first_decoded = PR_TRUE;
    }

    /* now set up the parent to hand decoded data to the next level decoder */
    p7dcx->cb = (NSSCMSContentCallback)NSS_CMSDecoder_Update;
    p7dcx->cb_arg = childp7dcx;

    PORT_ArenaUnmark(poolp, mark);

    return SECSuccess;

loser:
    if (mark)
        PORT_ArenaRelease(poolp, mark);
    PORT_Free(childp7dcx);
    p7dcx->childp7dcx = NULL;
    return SECFailure;
}

static SECStatus
nss_cms_after_data(NSSCMSDecoderContext *p7dcx)
{
    NSSCMSDecoderContext *childp7dcx;
    SECStatus rv = SECFailure;

    /* Handle last block. This is necessary to flush out the last bytes
     * of a possibly incomplete block */
    nss_cms_decoder_work_data(p7dcx, NULL, 0, PR_TRUE);

    /* finish any "inner" decoders - there's no more data coming... */
    if (p7dcx->childp7dcx != NULL) {
        childp7dcx = p7dcx->childp7dcx;
        if (childp7dcx->dcx != NULL) {
            /* we started and indefinite sequence somewhere, not complete it */
            if (childp7dcx->need_indefinite_finish) {
                static const char lbuf[2] = { 0, 0 };
                NSS_CMSDecoder_Update(childp7dcx, lbuf, sizeof(lbuf));
                childp7dcx->need_indefinite_finish = PR_FALSE;
            }

            if (SEC_ASN1DecoderFinish(childp7dcx->dcx) != SECSuccess) {
                /* do what? free content? */
                rv = SECFailure;
            } else {
                rv = nss_cms_after_end(childp7dcx);
            }
            if (rv != SECSuccess)
                goto done;
        }
        PORT_Free(p7dcx->childp7dcx);
        p7dcx->childp7dcx = NULL;
    }

    switch (p7dcx->type) {
        case SEC_OID_PKCS7_SIGNED_DATA:
            /* this will finish the digests and verify */
            rv = NSS_CMSSignedData_Decode_AfterData(p7dcx->content.signedData);
            break;
        case SEC_OID_PKCS7_ENVELOPED_DATA:
            rv = NSS_CMSEnvelopedData_Decode_AfterData(
                p7dcx->content.envelopedData);
            break;
        case SEC_OID_PKCS7_DIGESTED_DATA:
            rv = NSS_CMSDigestedData_Decode_AfterData(
                p7dcx->content.digestedData);
            break;
        case SEC_OID_PKCS7_ENCRYPTED_DATA:
            rv = NSS_CMSEncryptedData_Decode_AfterData(
                p7dcx->content.encryptedData);
            break;
        case SEC_OID_PKCS7_DATA:
            /* do nothing */
            break;
        default:
            rv = NSS_CMSGenericWrapperData_Decode_AfterData(p7dcx->type,
                                                            p7dcx->content.genericData);
            break;
    }
done:
    return rv;
}

static SECStatus
nss_cms_after_end(NSSCMSDecoderContext *p7dcx)
{
    SECStatus rv = SECSuccess;

    switch (p7dcx->type) {
        case SEC_OID_PKCS7_SIGNED_DATA:
            if (p7dcx->content.signedData)
                rv = NSS_CMSSignedData_Decode_AfterEnd(p7dcx->content.signedData);
            break;
        case SEC_OID_PKCS7_ENVELOPED_DATA:
            if (p7dcx->content.envelopedData)
                rv = NSS_CMSEnvelopedData_Decode_AfterEnd(
                    p7dcx->content.envelopedData);
            break;
        case SEC_OID_PKCS7_DIGESTED_DATA:
            if (p7dcx->content.digestedData)
                rv = NSS_CMSDigestedData_Decode_AfterEnd(
                    p7dcx->content.digestedData);
            break;
        case SEC_OID_PKCS7_ENCRYPTED_DATA:
            if (p7dcx->content.encryptedData)
                rv = NSS_CMSEncryptedData_Decode_AfterEnd(
                    p7dcx->content.encryptedData);
            break;
        case SEC_OID_PKCS7_DATA:
            break;
        default:
            rv = NSS_CMSGenericWrapperData_Decode_AfterEnd(p7dcx->type,
                                                           p7dcx->content.genericData);
            break;
    }
    return rv;
}

/*
 * nss_cms_decoder_work_data - handle decoded data bytes.
 *
 * This function either decrypts the data if needed, and/or calculates digests
 * on it, then either stores it or passes it on to the next level decoder.
 */
static void
nss_cms_decoder_work_data(NSSCMSDecoderContext *p7dcx,
                          const unsigned char *data, unsigned long len,
                          PRBool final)
{
    NSSCMSContentInfo *cinfo;
    unsigned char *buf = NULL;
    unsigned char *dest;
    unsigned int offset;
    SECStatus rv;

    /*
     * We should really have data to process, or we should be trying
     * to finish/flush the last block.  (This is an overly paranoid
     * check since all callers are in this file and simple inspection
     * proves they do it right.  But it could find a bug in future
     * modifications/development, that is why it is here.)
     */
    PORT_Assert((data != NULL && len) || final);

    cinfo = NSS_CMSContent_GetContentInfo(p7dcx->content.pointer, p7dcx->type);
    if (!cinfo) {
        /* The original programmer didn't expect this to happen */
        p7dcx->error = SEC_ERROR_LIBRARY_FAILURE;
        goto loser;
    }

    if (cinfo->privateInfo && cinfo->privateInfo->ciphcx != NULL) {
        /*
         * we are decrypting.
         *
         * XXX If we get an error, we do not want to do the digest or callback,
         * but we want to keep decoding.  Or maybe we want to stop decoding
         * altogether if there is a callback, because obviously we are not
         * sending the data back and they want to know that.
         */

        unsigned int outlen = 0; /* length of decrypted data */
        unsigned int buflen;     /* length available for decrypted data */

        /* find out about the length of decrypted data */
        buflen = NSS_CMSCipherContext_DecryptLength(cinfo->privateInfo->ciphcx, len, final);

        /*
         * it might happen that we did not provide enough data for a full
         * block (decryption unit), and that there is no output available
         */

        /* no output available, AND no input? */
        if (buflen == 0 && len == 0)
            goto loser; /* bail out */

        /*
         * have inner decoder: pass the data on (means inner content type is NOT data)
         * no inner decoder: we have DATA in here: either call callback or store
         */
        if (buflen != 0) {
            /* there will be some output - need to make room for it */
            /* allocate buffer from the heap */
            buf = (unsigned char *)PORT_Alloc(buflen);
            if (buf == NULL) {
                p7dcx->error = SEC_ERROR_NO_MEMORY;
                goto loser;
            }
        }

        /*
         * decrypt incoming data
         * buf can still be NULL here (and buflen == 0) here if we don't expect
         * any output (see above), but we still need to call NSS_CMSCipherContext_Decrypt to
         * keep track of incoming data
         */
        rv = NSS_CMSCipherContext_Decrypt(cinfo->privateInfo->ciphcx, buf, &outlen, buflen,
                                          data, len, final);
        if (rv != SECSuccess) {
            p7dcx->error = PORT_GetError();
            goto loser;
        }

        PORT_Assert(final || outlen == buflen);

        /* swap decrypted data in */
        data = buf;
        len = outlen;
    }

    if (len == 0)
        goto done; /* nothing more to do */

    /*
     * Update the running digests with plaintext bytes (if we need to).
     */
    if (cinfo->privateInfo && cinfo->privateInfo->digcx)
        NSS_CMSDigestContext_Update(cinfo->privateInfo->digcx, data, len);

    /* at this point, we have the plain decoded & decrypted data
    ** which is either more encoded DER (which we need to hand to the child
    ** decoder) or data we need to hand back to our caller
    */

    /* pass the content back to our caller or */
    /* feed our freshly decrypted and decoded data into child decoder */
    if (p7dcx->cb != NULL) {
        (*p7dcx->cb)(p7dcx->cb_arg, (const char *)data, len);
    }
#if 1
    else
#endif
        if (NSS_CMSContentInfo_GetContentTypeTag(cinfo) == SEC_OID_PKCS7_DATA) {
        /* store it in "inner" data item as well */
        /* find the DATA item in the encapsulated cinfo and store it there */
        NSSCMSDecoderData *decoderData =
            (NSSCMSDecoderData *)cinfo->content.pointer;
        SECItem *dataItem = &decoderData->data;

        offset = dataItem->len;
        if (dataItem->len + len > decoderData->totalBufferSize) {
            int needLen = (dataItem->len + len) * 2;
            dest = (unsigned char *)
                PORT_ArenaAlloc(p7dcx->cmsg->poolp, needLen);
            if (dest == NULL) {
                p7dcx->error = SEC_ERROR_NO_MEMORY;
                goto loser;
            }

            if (dataItem->len) {
                PORT_Memcpy(dest, dataItem->data, dataItem->len);
            }
            decoderData->totalBufferSize = needLen;
            dataItem->data = dest;
        }

        /* copy it in */
        PORT_Memcpy(dataItem->data + offset, data, len);
        dataItem->len += len;
    }

done:
loser:
    if (buf)
        PORT_Free(buf);
}

/*
 * nss_cms_decoder_update_filter - process ASN.1 data
 *
 * once we have set up a filter in nss_cms_decoder_notify(),
 * all data processed by the ASN.1 decoder is also passed through here.
 * we pass the content bytes (as opposed to length and tag bytes) on to
 * nss_cms_decoder_work_data().
 */
static void
nss_cms_decoder_update_filter(void *arg, const char *data, unsigned long len,
                              int depth, SEC_ASN1EncodingPart data_kind)
{
    NSSCMSDecoderContext *p7dcx;

    PORT_Assert(len); /* paranoia */
    if (len == 0)
        return;

    p7dcx = (NSSCMSDecoderContext *)arg;

    p7dcx->saw_contents = PR_TRUE;

    /* pass on the content bytes only */
    if (data_kind == SEC_ASN1_Contents)
        nss_cms_decoder_work_data(p7dcx, (const unsigned char *)data, len,
                                  PR_FALSE);
}

/*
 * NSS_CMSDecoder_Start - set up decoding of a DER-encoded CMS message
 *
 * "poolp" - pointer to arena for message, or NULL if new pool should be created
 * "cb", "cb_arg" - callback function and argument for delivery of inner content
 * "pwfn", pwfn_arg" - callback function for getting token password
 * "decrypt_key_cb", "decrypt_key_cb_arg" - callback function for getting bulk key for encryptedData
 */
NSSCMSDecoderContext *
NSS_CMSDecoder_Start(PLArenaPool *poolp,
                     NSSCMSContentCallback cb, void *cb_arg,
                     PK11PasswordFunc pwfn, void *pwfn_arg,
                     NSSCMSGetDecryptKeyCallback decrypt_key_cb,
                     void *decrypt_key_cb_arg)
{
    NSSCMSDecoderContext *p7dcx;
    NSSCMSMessage *cmsg;

    cmsg = NSS_CMSMessage_Create(poolp);
    if (cmsg == NULL)
        return NULL;

    NSS_CMSMessage_SetEncodingParams(cmsg, pwfn, pwfn_arg, decrypt_key_cb,
                                     decrypt_key_cb_arg, NULL, NULL);

    p7dcx = PORT_ZNew(NSSCMSDecoderContext);
    if (p7dcx == NULL) {
        NSS_CMSMessage_Destroy(cmsg);
        return NULL;
    }

    p7dcx->dcx = SEC_ASN1DecoderStart(cmsg->poolp, cmsg, NSSCMSMessageTemplate);
    if (p7dcx->dcx == NULL) {
        PORT_Free(p7dcx);
        NSS_CMSMessage_Destroy(cmsg);
        return NULL;
    }

    SEC_ASN1DecoderSetNotifyProc(p7dcx->dcx, nss_cms_decoder_notify, p7dcx);

    p7dcx->cmsg = cmsg;
    p7dcx->type = SEC_OID_UNKNOWN;

    p7dcx->cb = cb;
    p7dcx->cb_arg = cb_arg;
    p7dcx->first_decoded = PR_FALSE;
    p7dcx->need_indefinite_finish = PR_FALSE;
    return p7dcx;
}

/*
 * NSS_CMSDecoder_Update - feed DER-encoded data to decoder
 */
SECStatus
NSS_CMSDecoder_Update(NSSCMSDecoderContext *p7dcx, const char *buf,
                      unsigned long len)
{
    SECStatus rv = SECSuccess;
    if (p7dcx->dcx != NULL && p7dcx->error == 0) {
        /* if error is set already, don't bother */
        if ((p7dcx->type == SEC_OID_PKCS7_SIGNED_DATA) && (p7dcx->first_decoded == PR_TRUE) && (buf[0] == SEC_ASN1_INTEGER)) {
            /* Microsoft Windows 2008 left out the Sequence wrapping in some
             * of their kerberos replies. If we are here, we most likely are
             * dealing with one of those replies. Supply the Sequence wrap
             * as indefinite encoding (since we don't know the total length
             * yet) */
            static const char lbuf[2] =
                { SEC_ASN1_SEQUENCE | SEC_ASN1_CONSTRUCTED, 0x80 };
            rv = SEC_ASN1DecoderUpdate(p7dcx->dcx, lbuf, sizeof(lbuf));
            if (rv != SECSuccess) {
                goto loser;
            }
            /* ok, we're going to need the indefinite finish when we are done */
            p7dcx->need_indefinite_finish = PR_TRUE;
        }

        rv = SEC_ASN1DecoderUpdate(p7dcx->dcx, buf, len);
    }

loser:
    p7dcx->first_decoded = PR_FALSE;
    if (rv != SECSuccess) {
        p7dcx->error = PORT_GetError();
        PORT_Assert(p7dcx->error);
        if (p7dcx->error == 0)
            p7dcx->error = -1;
    }

    if (p7dcx->error == 0)
        return SECSuccess;

    /* there has been a problem, let's finish the decoder */
    if (p7dcx->dcx != NULL) {
        (void)SEC_ASN1DecoderFinish(p7dcx->dcx);
        p7dcx->dcx = NULL;
    }
    PORT_SetError(p7dcx->error);

    return SECFailure;
}

/*
 * NSS_CMSDecoder_Cancel - stop decoding in case of error
 */
void
NSS_CMSDecoder_Cancel(NSSCMSDecoderContext *p7dcx)
{
    if (p7dcx->dcx != NULL)
        (void)SEC_ASN1DecoderFinish(p7dcx->dcx);
    NSS_CMSMessage_Destroy(p7dcx->cmsg);
    PORT_Free(p7dcx);
}

/*
 * NSS_CMSDecoder_Finish - mark the end of inner content and finish decoding
 */
NSSCMSMessage *
NSS_CMSDecoder_Finish(NSSCMSDecoderContext *p7dcx)
{
    NSSCMSMessage *cmsg;

    cmsg = p7dcx->cmsg;

    if (p7dcx->dcx == NULL ||
        SEC_ASN1DecoderFinish(p7dcx->dcx) != SECSuccess ||
        nss_cms_after_end(p7dcx) != SECSuccess) {
        NSS_CMSMessage_Destroy(cmsg); /* get rid of pool if it's ours */
        cmsg = NULL;
    }

    PORT_Free(p7dcx);
    return cmsg;
}

NSSCMSMessage *
NSS_CMSMessage_CreateFromDER(SECItem *DERmessage,
                             NSSCMSContentCallback cb, void *cb_arg,
                             PK11PasswordFunc pwfn, void *pwfn_arg,
                             NSSCMSGetDecryptKeyCallback decrypt_key_cb,
                             void *decrypt_key_cb_arg)
{
    NSSCMSDecoderContext *p7dcx;

    /* first arg(poolp) == NULL => create our own pool */
    p7dcx = NSS_CMSDecoder_Start(NULL, cb, cb_arg, pwfn, pwfn_arg,
                                 decrypt_key_cb, decrypt_key_cb_arg);
    if (p7dcx == NULL)
        return NULL;
    NSS_CMSDecoder_Update(p7dcx, (char *)DERmessage->data, DERmessage->len);
    return NSS_CMSDecoder_Finish(p7dcx);
}