diff options
Diffstat (limited to 'security/nss/lib/smime/cmssigdata.c')
| -rw-r--r-- | security/nss/lib/smime/cmssigdata.c | 1141 |
1 files changed, 1141 insertions, 0 deletions
diff --git a/security/nss/lib/smime/cmssigdata.c b/security/nss/lib/smime/cmssigdata.c new file mode 100644 index 000000000..7dd6ea4e5 --- /dev/null +++ b/security/nss/lib/smime/cmssigdata.c @@ -0,0 +1,1141 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +/* + * CMS signedData methods. + */ + +#include "cmslocal.h" + +#include "cert.h" +/*#include "cdbhdl.h"*/ +#include "secasn1.h" +#include "secitem.h" +#include "secoid.h" +#include "pk11func.h" +#include "secerr.h" + +NSSCMSSignedData * +NSS_CMSSignedData_Create(NSSCMSMessage *cmsg) +{ + void *mark; + NSSCMSSignedData *sigd; + PLArenaPool *poolp; + + if (!cmsg) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; + } + + poolp = cmsg->poolp; + + mark = PORT_ArenaMark(poolp); + + sigd = (NSSCMSSignedData *)PORT_ArenaZAlloc(poolp, sizeof(NSSCMSSignedData)); + if (sigd == NULL) + goto loser; + + sigd->cmsg = cmsg; + + /* signerInfos, certs, certlists, crls are all empty */ + /* version is set in NSS_CMSSignedData_Finalize() */ + + PORT_ArenaUnmark(poolp, mark); + return sigd; + +loser: + PORT_ArenaRelease(poolp, mark); + return NULL; +} + +void +NSS_CMSSignedData_Destroy(NSSCMSSignedData *sigd) +{ + CERTCertificate **certs, **tempCerts, *cert; + CERTCertificateList **certlists, *certlist; + NSSCMSSignerInfo **signerinfos, *si; + + if (sigd == NULL) + return; + + certs = sigd->certs; + tempCerts = sigd->tempCerts; + certlists = sigd->certLists; + signerinfos = sigd->signerInfos; + + if (certs != NULL) { + while ((cert = *certs++) != NULL) + CERT_DestroyCertificate(cert); + } + + if (tempCerts != NULL) { + while ((cert = *tempCerts++) != NULL) + CERT_DestroyCertificate(cert); + } + + if (certlists != NULL) { + while ((certlist = *certlists++) != NULL) + CERT_DestroyCertificateList(certlist); + } + + if (signerinfos != NULL) { + while ((si = *signerinfos++) != NULL) + NSS_CMSSignerInfo_Destroy(si); + } + + /* everything's in a pool, so don't worry about the storage */ + NSS_CMSContentInfo_Destroy(&(sigd->contentInfo)); +} + +/* + * NSS_CMSSignedData_Encode_BeforeStart - do all the necessary things to a SignedData + * before start of encoding. + * + * In detail: + * - find out about the right value to put into sigd->version + * - come up with a list of digestAlgorithms (which should be the union of the algorithms + * in the signerinfos). + * If we happen to have a pre-set list of algorithms (and digest values!), we + * check if we have all the signerinfos' algorithms. If not, this is an error. + */ +SECStatus +NSS_CMSSignedData_Encode_BeforeStart(NSSCMSSignedData *sigd) +{ + NSSCMSSignerInfo *signerinfo; + SECOidTag digestalgtag; + SECItem *dummy; + int version; + SECStatus rv; + PRBool haveDigests = PR_FALSE; + int n, i; + PLArenaPool *poolp; + + if (!sigd) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + poolp = sigd->cmsg->poolp; + + /* we assume that we have precomputed digests if there is a list of algorithms, and */ + /* a chunk of data for each of those algorithms */ + if (sigd->digestAlgorithms != NULL && sigd->digests != NULL) { + for (i = 0; sigd->digestAlgorithms[i] != NULL; i++) { + if (sigd->digests[i] == NULL) + break; + } + if (sigd->digestAlgorithms[i] == NULL) /* reached the end of the array? */ + haveDigests = PR_TRUE; /* yes: we must have all the digests */ + } + + version = NSS_CMS_SIGNED_DATA_VERSION_BASIC; + + /* RFC2630 5.1 "version is the syntax version number..." */ + if (NSS_CMSContentInfo_GetContentTypeTag(&(sigd->contentInfo)) != SEC_OID_PKCS7_DATA) + version = NSS_CMS_SIGNED_DATA_VERSION_EXT; + + /* prepare all the SignerInfos (there may be none) */ + for (i = 0; i < NSS_CMSSignedData_SignerInfoCount(sigd); i++) { + signerinfo = NSS_CMSSignedData_GetSignerInfo(sigd, i); + + /* RFC2630 5.1 "version is the syntax version number..." */ + if (NSS_CMSSignerInfo_GetVersion(signerinfo) != NSS_CMS_SIGNER_INFO_VERSION_ISSUERSN) + version = NSS_CMS_SIGNED_DATA_VERSION_EXT; + + /* collect digestAlgorithms from SignerInfos */ + /* (we need to know which algorithms we have when the content comes in) */ + /* do not overwrite any existing digestAlgorithms (and digest) */ + digestalgtag = NSS_CMSSignerInfo_GetDigestAlgTag(signerinfo); + n = NSS_CMSAlgArray_GetIndexByAlgTag(sigd->digestAlgorithms, digestalgtag); + if (n < 0 && haveDigests) { + /* oops, there is a digestalg we do not have a digest for */ + /* but we were supposed to have all the digests already... */ + goto loser; + } else if (n < 0) { + /* add the digestAlgorithm & a NULL digest */ + rv = NSS_CMSSignedData_AddDigest(poolp, sigd, digestalgtag, NULL); + if (rv != SECSuccess) + goto loser; + } else { + /* found it, nothing to do */ + } + } + + dummy = SEC_ASN1EncodeInteger(poolp, &(sigd->version), (long)version); + if (dummy == NULL) + return SECFailure; + + /* this is a SET OF, so we need to sort them guys */ + rv = NSS_CMSArray_SortByDER((void **)sigd->digestAlgorithms, + SEC_ASN1_GET(SECOID_AlgorithmIDTemplate), + (void **)sigd->digests); + if (rv != SECSuccess) + return SECFailure; + + return SECSuccess; + +loser: + return SECFailure; +} + +SECStatus +NSS_CMSSignedData_Encode_BeforeData(NSSCMSSignedData *sigd) +{ + SECStatus rv; + if (!sigd) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + rv = NSS_CMSContentInfo_Private_Init(&sigd->contentInfo); + if (rv != SECSuccess) { + return SECFailure; + } + /* set up the digests */ + if (sigd->digests && sigd->digests[0]) { + sigd->contentInfo.privateInfo->digcx = NULL; /* don't attempt to make new ones. */ + } else if (sigd->digestAlgorithms != NULL) { + sigd->contentInfo.privateInfo->digcx = + NSS_CMSDigestContext_StartMultiple(sigd->digestAlgorithms); + if (sigd->contentInfo.privateInfo->digcx == NULL) + return SECFailure; + } + return SECSuccess; +} + +/* + * NSS_CMSSignedData_Encode_AfterData - do all the necessary things to a SignedData + * after all the encapsulated data was passed through the encoder. + * + * In detail: + * - create the signatures in all the SignerInfos + * + * Please note that nothing is done to the Certificates and CRLs in the message - this + * is entirely the responsibility of our callers. + */ +SECStatus +NSS_CMSSignedData_Encode_AfterData(NSSCMSSignedData *sigd) +{ + NSSCMSSignerInfo **signerinfos, *signerinfo; + NSSCMSContentInfo *cinfo; + SECOidTag digestalgtag; + SECStatus ret = SECFailure; + SECStatus rv; + SECItem *contentType; + int certcount; + int i, ci, cli, n, rci, si; + PLArenaPool *poolp; + CERTCertificateList *certlist; + extern const SEC_ASN1Template NSSCMSSignerInfoTemplate[]; + + if (!sigd) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + poolp = sigd->cmsg->poolp; + cinfo = &(sigd->contentInfo); + + /* did we have digest calculation going on? */ + if (cinfo->privateInfo && cinfo->privateInfo->digcx) { + rv = NSS_CMSDigestContext_FinishMultiple(cinfo->privateInfo->digcx, poolp, + &(sigd->digests)); + /* error has been set by NSS_CMSDigestContext_FinishMultiple */ + cinfo->privateInfo->digcx = NULL; + if (rv != SECSuccess) + goto loser; + } + + signerinfos = sigd->signerInfos; + certcount = 0; + + /* prepare all the SignerInfos (there may be none) */ + for (i = 0; i < NSS_CMSSignedData_SignerInfoCount(sigd); i++) { + signerinfo = NSS_CMSSignedData_GetSignerInfo(sigd, i); + + /* find correct digest for this signerinfo */ + digestalgtag = NSS_CMSSignerInfo_GetDigestAlgTag(signerinfo); + n = NSS_CMSAlgArray_GetIndexByAlgTag(sigd->digestAlgorithms, digestalgtag); + if (n < 0 || sigd->digests == NULL || sigd->digests[n] == NULL) { + /* oops - digest not found */ + PORT_SetError(SEC_ERROR_DIGEST_NOT_FOUND); + goto loser; + } + + /* XXX if our content is anything else but data, we need to force the + * presence of signed attributes (RFC2630 5.3 "signedAttributes is a + * collection...") */ + + /* pass contentType here as we want a contentType attribute */ + if ((contentType = NSS_CMSContentInfo_GetContentTypeOID(cinfo)) == NULL) + goto loser; + + /* sign the thing */ + rv = NSS_CMSSignerInfo_Sign(signerinfo, sigd->digests[n], contentType); + if (rv != SECSuccess) + goto loser; + + /* while we're at it, count number of certs in certLists */ + certlist = NSS_CMSSignerInfo_GetCertList(signerinfo); + if (certlist) + certcount += certlist->len; + } + + /* this is a SET OF, so we need to sort them guys */ + rv = NSS_CMSArray_SortByDER((void **)signerinfos, NSSCMSSignerInfoTemplate, NULL); + if (rv != SECSuccess) + goto loser; + + /* + * now prepare certs & crls + */ + + /* count the rest of the certs */ + if (sigd->certs != NULL) { + for (ci = 0; sigd->certs[ci] != NULL; ci++) + certcount++; + } + + if (sigd->certLists != NULL) { + for (cli = 0; sigd->certLists[cli] != NULL; cli++) + certcount += sigd->certLists[cli]->len; + } + + if (certcount == 0) { + sigd->rawCerts = NULL; + } else { + /* + * Combine all of the certs and cert chains into rawcerts. + * Note: certcount is an upper bound; we may not need that many slots + * but we will allocate anyway to avoid having to do another pass. + * (The temporary space saving is not worth it.) + * + * XXX ARGH - this NEEDS to be fixed. need to come up with a decent + * SetOfDERcertficates implementation + */ + sigd->rawCerts = (SECItem **)PORT_ArenaAlloc(poolp, (certcount + 1) * sizeof(SECItem *)); + if (sigd->rawCerts == NULL) + return SECFailure; + + /* + * XXX Want to check for duplicates and not add *any* cert that is + * already in the set. This will be more important when we start + * dealing with larger sets of certs, dual-key certs (signing and + * encryption), etc. For the time being we can slide by... + * + * XXX ARGH - this NEEDS to be fixed. need to come up with a decent + * SetOfDERcertficates implementation + */ + rci = 0; + if (signerinfos != NULL) { + for (si = 0; signerinfos[si] != NULL; si++) { + signerinfo = signerinfos[si]; + for (ci = 0; ci < signerinfo->certList->len; ci++) + sigd->rawCerts[rci++] = &(signerinfo->certList->certs[ci]); + } + } + + if (sigd->certs != NULL) { + for (ci = 0; sigd->certs[ci] != NULL; ci++) + sigd->rawCerts[rci++] = &(sigd->certs[ci]->derCert); + } + + if (sigd->certLists != NULL) { + for (cli = 0; sigd->certLists[cli] != NULL; cli++) { + for (ci = 0; ci < sigd->certLists[cli]->len; ci++) + sigd->rawCerts[rci++] = &(sigd->certLists[cli]->certs[ci]); + } + } + + sigd->rawCerts[rci] = NULL; + + /* this is a SET OF, so we need to sort them guys - we have the DER already, though */ + NSS_CMSArray_Sort((void **)sigd->rawCerts, NSS_CMSUtil_DERCompare, NULL, NULL); + } + + ret = SECSuccess; + +loser: + return ret; +} + +SECStatus +NSS_CMSSignedData_Decode_BeforeData(NSSCMSSignedData *sigd) +{ + SECStatus rv; + if (!sigd) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + rv = NSS_CMSContentInfo_Private_Init(&sigd->contentInfo); + if (rv != SECSuccess) { + return SECFailure; + } + /* handle issue with Windows 2003 servers and kerberos */ + if (sigd->digestAlgorithms != NULL) { + int i; + for (i = 0; sigd->digestAlgorithms[i] != NULL; i++) { + SECAlgorithmID *algid = sigd->digestAlgorithms[i]; + SECOidTag senttag = SECOID_FindOIDTag(&algid->algorithm); + SECOidTag maptag = NSS_CMSUtil_MapSignAlgs(senttag); + + if (maptag != senttag) { + SECOidData *hashoid = SECOID_FindOIDByTag(maptag); + rv = SECITEM_CopyItem(sigd->cmsg->poolp, &algid->algorithm, &hashoid->oid); + if (rv != SECSuccess) { + return rv; + } + } + } + } + + /* set up the digests */ + if (sigd->digestAlgorithms != NULL && sigd->digests == NULL) { + /* if digests are already there, do nothing */ + sigd->contentInfo.privateInfo->digcx = NSS_CMSDigestContext_StartMultiple(sigd->digestAlgorithms); + if (sigd->contentInfo.privateInfo->digcx == NULL) + return SECFailure; + } + return SECSuccess; +} + +/* + * NSS_CMSSignedData_Decode_AfterData - do all the necessary things to a + * SignedData after all the encapsulated data was passed through the decoder. + */ +SECStatus +NSS_CMSSignedData_Decode_AfterData(NSSCMSSignedData *sigd) +{ + SECStatus rv = SECSuccess; + + if (!sigd) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + /* did we have digest calculation going on? */ + if (sigd->contentInfo.privateInfo && sigd->contentInfo.privateInfo->digcx) { + rv = NSS_CMSDigestContext_FinishMultiple(sigd->contentInfo.privateInfo->digcx, + sigd->cmsg->poolp, &(sigd->digests)); + /* error set by NSS_CMSDigestContext_FinishMultiple */ + sigd->contentInfo.privateInfo->digcx = NULL; + } + return rv; +} + +/* + * NSS_CMSSignedData_Decode_AfterEnd - do all the necessary things to a SignedData + * after all decoding is finished. + */ +SECStatus +NSS_CMSSignedData_Decode_AfterEnd(NSSCMSSignedData *sigd) +{ + NSSCMSSignerInfo **signerinfos = NULL; + int i; + + if (!sigd) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + /* set cmsg for all the signerinfos */ + signerinfos = sigd->signerInfos; + + /* set cmsg for all the signerinfos */ + if (signerinfos) { + for (i = 0; signerinfos[i] != NULL; i++) + signerinfos[i]->cmsg = sigd->cmsg; + } + + return SECSuccess; +} + +/* + * NSS_CMSSignedData_GetSignerInfos - retrieve the SignedData's signer list + */ +NSSCMSSignerInfo ** +NSS_CMSSignedData_GetSignerInfos(NSSCMSSignedData *sigd) +{ + if (!sigd) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; + } + return sigd->signerInfos; +} + +int +NSS_CMSSignedData_SignerInfoCount(NSSCMSSignedData *sigd) +{ + if (!sigd) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return 0; + } + return NSS_CMSArray_Count((void **)sigd->signerInfos); +} + +NSSCMSSignerInfo * +NSS_CMSSignedData_GetSignerInfo(NSSCMSSignedData *sigd, int i) +{ + if (!sigd) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; + } + return sigd->signerInfos[i]; +} + +/* + * NSS_CMSSignedData_GetDigestAlgs - retrieve the SignedData's digest algorithm list + */ +SECAlgorithmID ** +NSS_CMSSignedData_GetDigestAlgs(NSSCMSSignedData *sigd) +{ + if (!sigd) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; + } + return sigd->digestAlgorithms; +} + +/* + * NSS_CMSSignedData_GetContentInfo - return pointer to this signedData's contentinfo + */ +NSSCMSContentInfo * +NSS_CMSSignedData_GetContentInfo(NSSCMSSignedData *sigd) +{ + if (!sigd) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; + } + return &(sigd->contentInfo); +} + +/* + * NSS_CMSSignedData_GetCertificateList - retrieve the SignedData's certificate list + */ +SECItem ** +NSS_CMSSignedData_GetCertificateList(NSSCMSSignedData *sigd) +{ + if (!sigd) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; + } + return sigd->rawCerts; +} + +SECStatus +NSS_CMSSignedData_ImportCerts(NSSCMSSignedData *sigd, CERTCertDBHandle *certdb, + SECCertUsage certusage, PRBool keepcerts) +{ + int certcount; + CERTCertificate **certArray = NULL; + CERTCertList *certList = NULL; + CERTCertListNode *node; + SECStatus rv; + SECItem **rawArray; + int i; + PRTime now; + + if (!sigd) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + certcount = NSS_CMSArray_Count((void **)sigd->rawCerts); + + /* get the certs in the temp DB */ + rv = CERT_ImportCerts(certdb, certusage, certcount, sigd->rawCerts, + &certArray, PR_FALSE, PR_FALSE, NULL); + if (rv != SECSuccess) { + goto loser; + } + + /* save the certs so they don't get destroyed */ + for (i = 0; i < certcount; i++) { + CERTCertificate *cert = certArray[i]; + if (cert) + NSS_CMSSignedData_AddTempCertificate(sigd, cert); + } + + if (!keepcerts) { + goto done; + } + + /* build a CertList for filtering */ + certList = CERT_NewCertList(); + if (certList == NULL) { + rv = SECFailure; + goto loser; + } + for (i = 0; i < certcount; i++) { + CERTCertificate *cert = certArray[i]; + if (cert) + cert = CERT_DupCertificate(cert); + if (cert) + CERT_AddCertToListTail(certList, cert); + } + + /* filter out the certs we don't want */ + rv = CERT_FilterCertListByUsage(certList, certusage, PR_FALSE); + if (rv != SECSuccess) { + goto loser; + } + + /* go down the remaining list of certs and verify that they have + * valid chains, then import them. + */ + now = PR_Now(); + for (node = CERT_LIST_HEAD(certList); !CERT_LIST_END(node, certList); + node = CERT_LIST_NEXT(node)) { + CERTCertificateList *certChain; + + if (CERT_VerifyCert(certdb, node->cert, + PR_TRUE, certusage, now, NULL, NULL) != SECSuccess) { + continue; + } + + certChain = CERT_CertChainFromCert(node->cert, certusage, PR_FALSE); + if (!certChain) { + continue; + } + + /* + * CertChain returns an array of SECItems, import expects an array of + * SECItem pointers. Create the SECItem Pointers from the array of + * SECItems. + */ + rawArray = (SECItem **)PORT_Alloc(certChain->len * sizeof(SECItem *)); + if (!rawArray) { + CERT_DestroyCertificateList(certChain); + continue; + } + for (i = 0; i < certChain->len; i++) { + rawArray[i] = &certChain->certs[i]; + } + (void)CERT_ImportCerts(certdb, certusage, certChain->len, + rawArray, NULL, keepcerts, PR_FALSE, NULL); + PORT_Free(rawArray); + CERT_DestroyCertificateList(certChain); + } + + rv = SECSuccess; + +/* XXX CRL handling */ + +done: + if (sigd->signerInfos != NULL) { + /* fill in all signerinfo's certs */ + for (i = 0; sigd->signerInfos[i] != NULL; i++) + (void)NSS_CMSSignerInfo_GetSigningCertificate( + sigd->signerInfos[i], certdb); + } + +loser: + /* now free everything */ + if (certArray) { + CERT_DestroyCertArray(certArray, certcount); + } + if (certList) { + CERT_DestroyCertList(certList); + } + + return rv; +} + +/* + * XXX the digests need to be passed in BETWEEN the decoding and the verification in case + * of external signatures! + */ + +/* + * NSS_CMSSignedData_VerifySignerInfo - check the signatures. + * + * The digests were either calculated during decoding (and are stored in the + * signedData itself) or set after decoding using NSS_CMSSignedData_SetDigests. + * + * The verification checks if the signing cert is valid and has a trusted chain + * for the purpose specified by "certusage". + */ +SECStatus +NSS_CMSSignedData_VerifySignerInfo(NSSCMSSignedData *sigd, int i, + CERTCertDBHandle *certdb, SECCertUsage certusage) +{ + NSSCMSSignerInfo *signerinfo; + NSSCMSContentInfo *cinfo; + SECOidData *algiddata; + SECItem *contentType, *digest; + SECOidTag oidTag; + SECStatus rv; + + if (!sigd) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + cinfo = &(sigd->contentInfo); + + signerinfo = sigd->signerInfos[i]; + + /* verify certificate */ + rv = NSS_CMSSignerInfo_VerifyCertificate(signerinfo, certdb, certusage); + if (rv != SECSuccess) + return rv; /* error is set */ + + /* find digest and contentType for signerinfo */ + algiddata = NSS_CMSSignerInfo_GetDigestAlg(signerinfo); + oidTag = algiddata ? algiddata->offset : SEC_OID_UNKNOWN; + digest = NSS_CMSSignedData_GetDigestValue(sigd, oidTag); + /* NULL digest is acceptable. */ + contentType = NSS_CMSContentInfo_GetContentTypeOID(cinfo); + /* NULL contentType is acceptable. */ + + /* now verify signature */ + rv = NSS_CMSSignerInfo_Verify(signerinfo, digest, contentType); + return rv; +} + +/* + * NSS_CMSSignedData_VerifyCertsOnly - verify the certs in a certs-only message + */ +SECStatus +NSS_CMSSignedData_VerifyCertsOnly(NSSCMSSignedData *sigd, + CERTCertDBHandle *certdb, + SECCertUsage usage) +{ + CERTCertificate *cert; + SECStatus rv = SECSuccess; + int i; + int count; + PRTime now; + void *pwarg = NULL; + + if (!sigd || !certdb || !sigd->rawCerts) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + count = NSS_CMSArray_Count((void **)sigd->rawCerts); + now = PR_Now(); + for (i = 0; i < count; i++) { + if (sigd->certs && sigd->certs[i]) { + cert = CERT_DupCertificate(sigd->certs[i]); + } else { + cert = CERT_FindCertByDERCert(certdb, sigd->rawCerts[i]); + if (!cert) { + rv = SECFailure; + break; + } + } + if (sigd->cmsg) { + pwarg = sigd->cmsg->pwfn_arg; + } + rv |= CERT_VerifyCert(certdb, cert, PR_TRUE, usage, now, + pwarg, NULL); + CERT_DestroyCertificate(cert); + } + + return rv; +} + +/* + * NSS_CMSSignedData_HasDigests - see if we have digests in place + */ +PRBool +NSS_CMSSignedData_HasDigests(NSSCMSSignedData *sigd) +{ + if (!sigd) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return PR_FALSE; + } + return (sigd->digests != NULL); +} + +SECStatus +NSS_CMSSignedData_AddCertList(NSSCMSSignedData *sigd, CERTCertificateList *certlist) +{ + SECStatus rv; + + if (!sigd || !certlist) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + /* XXX memory?? a certlist has an arena of its own and is not refcounted!?!? */ + rv = NSS_CMSArray_Add(sigd->cmsg->poolp, (void ***)&(sigd->certLists), (void *)certlist); + + return rv; +} + +/* + * NSS_CMSSignedData_AddCertChain - add cert and its entire chain to the set of certs + */ +SECStatus +NSS_CMSSignedData_AddCertChain(NSSCMSSignedData *sigd, CERTCertificate *cert) +{ + CERTCertificateList *certlist; + SECCertUsage usage; + SECStatus rv; + + usage = certUsageEmailSigner; + + if (!sigd || !cert) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + /* do not include root */ + certlist = CERT_CertChainFromCert(cert, usage, PR_FALSE); + if (certlist == NULL) + return SECFailure; + + rv = NSS_CMSSignedData_AddCertList(sigd, certlist); + + return rv; +} + +extern SECStatus +NSS_CMSSignedData_AddTempCertificate(NSSCMSSignedData *sigd, CERTCertificate *cert) +{ + CERTCertificate *c; + SECStatus rv; + + if (!sigd || !cert) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + c = CERT_DupCertificate(cert); + rv = NSS_CMSArray_Add(sigd->cmsg->poolp, (void ***)&(sigd->tempCerts), (void *)c); + return rv; +} + +SECStatus +NSS_CMSSignedData_AddCertificate(NSSCMSSignedData *sigd, CERTCertificate *cert) +{ + CERTCertificate *c; + SECStatus rv; + + if (!sigd || !cert) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + c = CERT_DupCertificate(cert); + rv = NSS_CMSArray_Add(sigd->cmsg->poolp, (void ***)&(sigd->certs), (void *)c); + return rv; +} + +PRBool +NSS_CMSSignedData_ContainsCertsOrCrls(NSSCMSSignedData *sigd) +{ + if (!sigd) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return PR_FALSE; + } + if (sigd->rawCerts != NULL && sigd->rawCerts[0] != NULL) + return PR_TRUE; + else if (sigd->crls != NULL && sigd->crls[0] != NULL) + return PR_TRUE; + else + return PR_FALSE; +} + +SECStatus +NSS_CMSSignedData_AddSignerInfo(NSSCMSSignedData *sigd, + NSSCMSSignerInfo *signerinfo) +{ + void *mark; + SECStatus rv; + SECOidTag digestalgtag; + PLArenaPool *poolp; + + if (!sigd || !signerinfo) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + poolp = sigd->cmsg->poolp; + + mark = PORT_ArenaMark(poolp); + + /* add signerinfo */ + rv = NSS_CMSArray_Add(poolp, (void ***)&(sigd->signerInfos), (void *)signerinfo); + if (rv != SECSuccess) + goto loser; + + /* + * add empty digest + * Empty because we don't have it yet. Either it gets created during encoding + * (if the data is present) or has to be set externally. + * XXX maybe pass it in optionally? + */ + digestalgtag = NSS_CMSSignerInfo_GetDigestAlgTag(signerinfo); + rv = NSS_CMSSignedData_SetDigestValue(sigd, digestalgtag, NULL); + if (rv != SECSuccess) + goto loser; + + /* + * The last thing to get consistency would be adding the digest. + */ + + PORT_ArenaUnmark(poolp, mark); + return SECSuccess; + +loser: + PORT_ArenaRelease(poolp, mark); + return SECFailure; +} + +/* + * NSS_CMSSignedData_SetDigests - set a signedData's digests member + * + * "digestalgs" - array of digest algorithm IDs + * "digests" - array of digests corresponding to the digest algorithms + */ +SECStatus +NSS_CMSSignedData_SetDigests(NSSCMSSignedData *sigd, + SECAlgorithmID **digestalgs, + SECItem **digests) +{ + int cnt, i, idx; + + if (!sigd || !digestalgs || !digests) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + if (sigd->digestAlgorithms == NULL) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + /* we assume that the digests array is just not there yet */ + PORT_Assert(sigd->digests == NULL); + if (sigd->digests != NULL) { + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; + } + + /* now allocate one (same size as digestAlgorithms) */ + cnt = NSS_CMSArray_Count((void **)sigd->digestAlgorithms); + sigd->digests = PORT_ArenaZAlloc(sigd->cmsg->poolp, (cnt + 1) * sizeof(SECItem *)); + if (sigd->digests == NULL) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + return SECFailure; + } + + for (i = 0; sigd->digestAlgorithms[i] != NULL; i++) { + /* try to find the sigd's i'th digest algorithm in the array we passed in */ + idx = NSS_CMSAlgArray_GetIndexByAlgID(digestalgs, sigd->digestAlgorithms[i]); + if (idx < 0) { + PORT_SetError(SEC_ERROR_DIGEST_NOT_FOUND); + return SECFailure; + } + if (!digests[idx]) { + /* We have no digest for this algorithm, probably because it is + ** unrecognized or unsupported. We'll ignore this here. If this + ** digest is needed later, an error will be be generated then. + */ + continue; + } + + /* found it - now set it */ + if ((sigd->digests[i] = SECITEM_AllocItem(sigd->cmsg->poolp, NULL, 0)) == NULL || + SECITEM_CopyItem(sigd->cmsg->poolp, sigd->digests[i], digests[idx]) != SECSuccess) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + return SECFailure; + } + } + return SECSuccess; +} + +SECStatus +NSS_CMSSignedData_SetDigestValue(NSSCMSSignedData *sigd, + SECOidTag digestalgtag, + SECItem *digestdata) +{ + SECItem *digest = NULL; + PLArenaPool *poolp; + void *mark; + int n, cnt; + + if (!sigd) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + poolp = sigd->cmsg->poolp; + + mark = PORT_ArenaMark(poolp); + + if (digestdata) { + digest = (SECItem *)PORT_ArenaZAlloc(poolp, sizeof(SECItem)); + + /* copy digestdata item to arena (in case we have it and are not only making room) */ + if (SECITEM_CopyItem(poolp, digest, digestdata) != SECSuccess) + goto loser; + } + + /* now allocate one (same size as digestAlgorithms) */ + if (sigd->digests == NULL) { + cnt = NSS_CMSArray_Count((void **)sigd->digestAlgorithms); + sigd->digests = PORT_ArenaZAlloc(sigd->cmsg->poolp, (cnt + 1) * sizeof(SECItem *)); + if (sigd->digests == NULL) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + return SECFailure; + } + } + + n = -1; + if (sigd->digestAlgorithms != NULL) + n = NSS_CMSAlgArray_GetIndexByAlgTag(sigd->digestAlgorithms, digestalgtag); + + /* if not found, add a digest */ + if (n < 0) { + if (NSS_CMSSignedData_AddDigest(poolp, sigd, digestalgtag, digest) != SECSuccess) + goto loser; + } else { + /* replace NULL pointer with digest item (and leak previous value) */ + sigd->digests[n] = digest; + } + + PORT_ArenaUnmark(poolp, mark); + return SECSuccess; + +loser: + PORT_ArenaRelease(poolp, mark); + return SECFailure; +} + +SECStatus +NSS_CMSSignedData_AddDigest(PLArenaPool *poolp, + NSSCMSSignedData *sigd, + SECOidTag digestalgtag, + SECItem *digest) +{ + SECAlgorithmID *digestalg; + void *mark; + + if (!sigd || !poolp) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + + mark = PORT_ArenaMark(poolp); + + digestalg = PORT_ArenaZAlloc(poolp, sizeof(SECAlgorithmID)); + if (digestalg == NULL) + goto loser; + + if (SECOID_SetAlgorithmID(poolp, digestalg, digestalgtag, NULL) != SECSuccess) /* no params */ + goto loser; + + if (NSS_CMSArray_Add(poolp, (void ***)&(sigd->digestAlgorithms), + (void *)digestalg) != SECSuccess || + /* even if digest is NULL, add dummy to have same-size array */ + NSS_CMSArray_Add(poolp, (void ***)&(sigd->digests), + (void *)digest) != SECSuccess) { + goto loser; + } + + PORT_ArenaUnmark(poolp, mark); + return SECSuccess; + +loser: + PORT_ArenaRelease(poolp, mark); + return SECFailure; +} + +/* XXX This function doesn't set the error code on failure. */ +SECItem * +NSS_CMSSignedData_GetDigestValue(NSSCMSSignedData *sigd, SECOidTag digestalgtag) +{ + int n; + + if (!sigd) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; + } + + if (sigd->digestAlgorithms == NULL || sigd->digests == NULL) { + PORT_SetError(SEC_ERROR_DIGEST_NOT_FOUND); + return NULL; + } + + n = NSS_CMSAlgArray_GetIndexByAlgTag(sigd->digestAlgorithms, digestalgtag); + + return (n < 0) ? NULL : sigd->digests[n]; +} + +/* ============================================================================= + * Misc. utility functions + */ + +/* + * NSS_CMSSignedData_CreateCertsOnly - create a certs-only SignedData. + * + * cert - base certificates that will be included + * include_chain - if true, include the complete cert chain for cert + * + * More certs and chains can be added via AddCertificate and AddCertChain. + * + * An error results in a return value of NULL and an error set. + * + * XXXX CRLs + */ +NSSCMSSignedData * +NSS_CMSSignedData_CreateCertsOnly(NSSCMSMessage *cmsg, CERTCertificate *cert, PRBool include_chain) +{ + NSSCMSSignedData *sigd; + void *mark; + PLArenaPool *poolp; + SECStatus rv; + + if (!cmsg || !cert) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; + } + + poolp = cmsg->poolp; + mark = PORT_ArenaMark(poolp); + + sigd = NSS_CMSSignedData_Create(cmsg); + if (sigd == NULL) + goto loser; + + /* no signerinfos, thus no digestAlgorithms */ + + /* but certs */ + if (include_chain) { + rv = NSS_CMSSignedData_AddCertChain(sigd, cert); + } else { + rv = NSS_CMSSignedData_AddCertificate(sigd, cert); + } + if (rv != SECSuccess) + goto loser; + + /* RFC2630 5.2 sez: + * In the degenerate case where there are no signers, the + * EncapsulatedContentInfo value being "signed" is irrelevant. In this + * case, the content type within the EncapsulatedContentInfo value being + * "signed" should be id-data (as defined in section 4), and the content + * field of the EncapsulatedContentInfo value should be omitted. + */ + rv = NSS_CMSContentInfo_SetContent_Data(cmsg, &(sigd->contentInfo), NULL, PR_TRUE); + if (rv != SECSuccess) + goto loser; + + PORT_ArenaUnmark(poolp, mark); + return sigd; + +loser: + if (sigd) + NSS_CMSSignedData_Destroy(sigd); + PORT_ArenaRelease(poolp, mark); + return NULL; +} + +/* TODO: + * NSS_CMSSignerInfo_GetReceiptRequest() + * NSS_CMSSignedData_HasReceiptRequest() + * easy way to iterate over signers + */ |