diff options
Diffstat (limited to 'security/nss/lib/smime/cmst.h')
-rw-r--r-- | security/nss/lib/smime/cmst.h | 491 |
1 files changed, 491 insertions, 0 deletions
diff --git a/security/nss/lib/smime/cmst.h b/security/nss/lib/smime/cmst.h new file mode 100644 index 000000000..3d888bc04 --- /dev/null +++ b/security/nss/lib/smime/cmst.h @@ -0,0 +1,491 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +/* + * Header for CMS types. + */ + +#ifndef _CMST_H_ +#define _CMST_H_ + +#include "seccomon.h" +#include "secoidt.h" +#include "certt.h" +#include "secmodt.h" +#include "secmodt.h" + +#include "plarena.h" + +/* Non-opaque objects. NOTE, though: I want them to be treated as + * opaque as much as possible. If I could hide them completely, + * I would. (I tried, but ran into trouble that was taking me too + * much time to get out of.) I still intend to try to do so. + * In fact, the only type that "outsiders" should even *name* is + * NSSCMSMessage, and they should not reference its fields. + */ +/* rjr: PKCS #11 cert handling (pk11cert.c) does use NSSCMSRecipientInfo's. + * This is because when we search the recipient list for the cert and key we + * want, we need to invert the order of the loops we used to have. The old + * loops were: + * + * For each recipient { + * find_cert = PK11_Find_AllCert(recipient->issuerSN); + * [which unrolls to... ] + * For each slot { + * Log into slot; + * search slot for cert; + * } + * } + * + * the new loop searchs all the recipients at once on a slot. this allows + * PKCS #11 to order slots in such a way that logout slots don't get checked + * if we can find the cert on a logged in slot. This eliminates lots of + * spurious password prompts when smart cards are installed... so why this + * comment? If you make NSSCMSRecipientInfo completely opaque, you need + * to provide a non-opaque list of issuerSN's (the only field PKCS#11 needs + * and fix up pk11cert.c first. NOTE: Only S/MIME calls this special PKCS #11 + * function. + */ + +typedef struct NSSCMSMessageStr NSSCMSMessage; + +typedef union NSSCMSContentUnion NSSCMSContent; +typedef struct NSSCMSContentInfoStr NSSCMSContentInfo; + +typedef struct NSSCMSSignedDataStr NSSCMSSignedData; +typedef struct NSSCMSSignerInfoStr NSSCMSSignerInfo; +typedef struct NSSCMSSignerIdentifierStr NSSCMSSignerIdentifier; + +typedef struct NSSCMSEnvelopedDataStr NSSCMSEnvelopedData; +typedef struct NSSCMSOriginatorInfoStr NSSCMSOriginatorInfo; +typedef struct NSSCMSRecipientInfoStr NSSCMSRecipientInfo; + +typedef struct NSSCMSDigestedDataStr NSSCMSDigestedData; +typedef struct NSSCMSEncryptedDataStr NSSCMSEncryptedData; + +typedef struct NSSCMSGenericWrapperDataStr NSSCMSGenericWrapperData; + +typedef struct NSSCMSAttributeStr NSSCMSAttribute; + +typedef struct NSSCMSDecoderContextStr NSSCMSDecoderContext; +typedef struct NSSCMSEncoderContextStr NSSCMSEncoderContext; + +typedef struct NSSCMSCipherContextStr NSSCMSCipherContext; +typedef struct NSSCMSDigestContextStr NSSCMSDigestContext; + +typedef struct NSSCMSContentInfoPrivateStr NSSCMSContentInfoPrivate; + +typedef SECStatus (*NSSCMSGenericWrapperDataCallback)(NSSCMSGenericWrapperData *); +typedef void (*NSSCMSGenericWrapperDataDestroy)(NSSCMSGenericWrapperData *); + +extern const SEC_ASN1Template NSSCMSGenericWrapperDataTemplate[]; +extern const SEC_ASN1Template NSS_PointerToCMSGenericWrapperDataTemplate[]; + +SEC_ASN1_CHOOSER_DECLARE(NSS_PointerToCMSGenericWrapperDataTemplate) +SEC_ASN1_CHOOSER_DECLARE(NSSCMSGenericWrapperDataTemplate) + +/* + * Type of function passed to NSSCMSDecode or NSSCMSDecoderStart. + * If specified, this is where the content bytes (only) will be "sent" + * as they are recovered during the decoding. + * And: + * Type of function passed to NSSCMSEncode or NSSCMSEncoderStart. + * This is where the DER-encoded bytes will be "sent". + * + * XXX Should just combine this with NSSCMSEncoderContentCallback type + * and use a simpler, common name. + */ +typedef void (*NSSCMSContentCallback)(void *arg, const char *buf, unsigned long len); + +/* + * Type of function passed to NSSCMSDecode or NSSCMSDecoderStart + * to retrieve the decryption key. This function is intended to be + * used for EncryptedData content info's which do not have a key available + * in a certificate, etc. + */ +typedef PK11SymKey *(*NSSCMSGetDecryptKeyCallback)(void *arg, SECAlgorithmID *algid); + +/* ============================================================================= + * ENCAPSULATED CONTENTINFO & CONTENTINFO + */ + +union NSSCMSContentUnion { + /* either unstructured */ + SECItem *data; + /* or structured data */ + NSSCMSDigestedData *digestedData; + NSSCMSEncryptedData *encryptedData; + NSSCMSEnvelopedData *envelopedData; + NSSCMSSignedData *signedData; + NSSCMSGenericWrapperData *genericData; + /* or anonymous pointer to something */ + void *pointer; +}; + +struct NSSCMSContentInfoStr { + SECItem contentType; + NSSCMSContent content; + /* --------- local; not part of encoding --------- */ + SECOidData *contentTypeTag; + + /* additional info for encryptedData and envelopedData */ + /* we waste this space for signedData and digestedData. sue me. */ + + SECAlgorithmID contentEncAlg; + SECItem *rawContent; /* encrypted DER, optional */ + /* XXXX bytes not encrypted, but encoded? */ + /* --------- local; not part of encoding --------- */ + PK11SymKey *bulkkey; /* bulk encryption key */ + int keysize; /* size of bulk encryption key + * (only used by creation code) */ + SECOidTag contentEncAlgTag; /* oid tag of encryption algorithm + * (only used by creation code) */ + NSSCMSContentInfoPrivate *privateInfo; /* place for NSS private info */ + void *reserved; /* keep binary compatibility */ +}; + +/* ============================================================================= + * MESSAGE + */ + +struct NSSCMSMessageStr { + NSSCMSContentInfo contentInfo; /* "outer" cinfo */ + /* --------- local; not part of encoding --------- */ + PLArenaPool *poolp; + PRBool poolp_is_ours; + int refCount; + /* properties of the "inner" data */ + SECAlgorithmID **detached_digestalgs; + SECItem **detached_digests; + void *pwfn_arg; + NSSCMSGetDecryptKeyCallback decrypt_key_cb; + void *decrypt_key_cb_arg; +}; + +/* ============================================================================ + * GENERIC WRAPPER + * + * used for user defined types. + */ +struct NSSCMSGenericWrapperDataStr { + NSSCMSContentInfo contentInfo; + /* ---- local; not part of encoding ------ */ + NSSCMSMessage *cmsg; + /* wrapperspecific data starts here */ +}; + +/* ============================================================================= + * SIGNEDDATA + */ + +struct NSSCMSSignedDataStr { + SECItem version; + SECAlgorithmID **digestAlgorithms; + NSSCMSContentInfo contentInfo; + SECItem **rawCerts; + CERTSignedCrl **crls; + NSSCMSSignerInfo **signerInfos; + /* --------- local; not part of encoding --------- */ + NSSCMSMessage *cmsg; /* back pointer to message */ + SECItem **digests; + CERTCertificate **certs; + CERTCertificateList **certLists; + CERTCertificate **tempCerts; /* temporary certs, needed + * for example for signature + * verification */ +}; +#define NSS_CMS_SIGNED_DATA_VERSION_BASIC 1 /* what we *create* */ +#define NSS_CMS_SIGNED_DATA_VERSION_EXT 3 /* what we *create* */ + +typedef enum { + NSSCMSVS_Unverified = 0, + NSSCMSVS_GoodSignature = 1, + NSSCMSVS_BadSignature = 2, + NSSCMSVS_DigestMismatch = 3, + NSSCMSVS_SigningCertNotFound = 4, + NSSCMSVS_SigningCertNotTrusted = 5, + NSSCMSVS_SignatureAlgorithmUnknown = 6, + NSSCMSVS_SignatureAlgorithmUnsupported = 7, + NSSCMSVS_MalformedSignature = 8, + NSSCMSVS_ProcessingError = 9 +} NSSCMSVerificationStatus; + +typedef enum { + NSSCMSSignerID_IssuerSN = 0, + NSSCMSSignerID_SubjectKeyID = 1 +} NSSCMSSignerIDSelector; + +struct NSSCMSSignerIdentifierStr { + NSSCMSSignerIDSelector identifierType; + union { + CERTIssuerAndSN *issuerAndSN; + SECItem *subjectKeyID; + } id; +}; + +struct NSSCMSSignerInfoStr { + SECItem version; + NSSCMSSignerIdentifier signerIdentifier; + SECAlgorithmID digestAlg; + NSSCMSAttribute **authAttr; + SECAlgorithmID digestEncAlg; + SECItem encDigest; + NSSCMSAttribute **unAuthAttr; + /* --------- local; not part of encoding --------- */ + NSSCMSMessage *cmsg; /* back pointer to message */ + CERTCertificate *cert; + CERTCertificateList *certList; + PRTime signingTime; + NSSCMSVerificationStatus verificationStatus; + SECKEYPrivateKey *signingKey; /* Used if we're using subjKeyID*/ + SECKEYPublicKey *pubKey; +}; +#define NSS_CMS_SIGNER_INFO_VERSION_ISSUERSN 1 /* what we *create* */ +#define NSS_CMS_SIGNER_INFO_VERSION_SUBJKEY 3 /* what we *create* */ + +typedef enum { + NSSCMSCM_None = 0, + NSSCMSCM_CertOnly = 1, + NSSCMSCM_CertChain = 2, + NSSCMSCM_CertChainWithRoot = 3 +} NSSCMSCertChainMode; + +/* ============================================================================= + * ENVELOPED DATA + */ +struct NSSCMSEnvelopedDataStr { + SECItem version; + NSSCMSOriginatorInfo *originatorInfo; /* optional */ + NSSCMSRecipientInfo **recipientInfos; + NSSCMSContentInfo contentInfo; + NSSCMSAttribute **unprotectedAttr; + /* --------- local; not part of encoding --------- */ + NSSCMSMessage *cmsg; /* back pointer to message */ +}; +#define NSS_CMS_ENVELOPED_DATA_VERSION_REG 0 /* what we *create* */ +#define NSS_CMS_ENVELOPED_DATA_VERSION_ADV 2 /* what we *create* */ + +struct NSSCMSOriginatorInfoStr { + SECItem **rawCerts; + CERTSignedCrl **crls; + /* --------- local; not part of encoding --------- */ + CERTCertificate **certs; +}; + +/* ----------------------------------------------------------------------------- + * key transport recipient info + */ +typedef enum { + NSSCMSRecipientID_IssuerSN = 0, + NSSCMSRecipientID_SubjectKeyID = 1, + NSSCMSRecipientID_BrandNew = 2 +} NSSCMSRecipientIDSelector; + +struct NSSCMSRecipientIdentifierStr { + NSSCMSRecipientIDSelector identifierType; + union { + CERTIssuerAndSN *issuerAndSN; + SECItem *subjectKeyID; + } id; +}; +typedef struct NSSCMSRecipientIdentifierStr NSSCMSRecipientIdentifier; + +struct NSSCMSKeyTransRecipientInfoStr { + SECItem version; + NSSCMSRecipientIdentifier recipientIdentifier; + SECAlgorithmID keyEncAlg; + SECItem encKey; +}; +typedef struct NSSCMSKeyTransRecipientInfoStr NSSCMSKeyTransRecipientInfo; + +/* + * View comments before NSSCMSRecipientInfoStr for purpose of this + * structure. + */ +struct NSSCMSKeyTransRecipientInfoExStr { + NSSCMSKeyTransRecipientInfo recipientInfo; + int version; /* version of this structure (0) */ + SECKEYPublicKey *pubKey; +}; + +typedef struct NSSCMSKeyTransRecipientInfoExStr NSSCMSKeyTransRecipientInfoEx; + +#define NSS_CMS_KEYTRANS_RECIPIENT_INFO_VERSION_ISSUERSN 0 /* what we *create* */ +#define NSS_CMS_KEYTRANS_RECIPIENT_INFO_VERSION_SUBJKEY 2 /* what we *create* */ + +/* ----------------------------------------------------------------------------- + * key agreement recipient info + */ +struct NSSCMSOriginatorPublicKeyStr { + SECAlgorithmID algorithmIdentifier; + SECItem publicKey; /* bit string! */ +}; +typedef struct NSSCMSOriginatorPublicKeyStr NSSCMSOriginatorPublicKey; + +typedef enum { + NSSCMSOriginatorIDOrKey_IssuerSN = 0, + NSSCMSOriginatorIDOrKey_SubjectKeyID = 1, + NSSCMSOriginatorIDOrKey_OriginatorPublicKey = 2 +} NSSCMSOriginatorIDOrKeySelector; + +struct NSSCMSOriginatorIdentifierOrKeyStr { + NSSCMSOriginatorIDOrKeySelector identifierType; + union { + CERTIssuerAndSN *issuerAndSN; /* static-static */ + SECItem *subjectKeyID; /* static-static */ + NSSCMSOriginatorPublicKey originatorPublicKey; /* ephemeral-static */ + } id; +}; +typedef struct NSSCMSOriginatorIdentifierOrKeyStr NSSCMSOriginatorIdentifierOrKey; + +struct NSSCMSRecipientKeyIdentifierStr { + SECItem *subjectKeyIdentifier; + SECItem *date; /* optional */ + SECItem *other; /* optional */ +}; +typedef struct NSSCMSRecipientKeyIdentifierStr NSSCMSRecipientKeyIdentifier; + +typedef enum { + NSSCMSKeyAgreeRecipientID_IssuerSN = 0, + NSSCMSKeyAgreeRecipientID_RKeyID = 1 +} NSSCMSKeyAgreeRecipientIDSelector; + +struct NSSCMSKeyAgreeRecipientIdentifierStr { + NSSCMSKeyAgreeRecipientIDSelector identifierType; + union { + CERTIssuerAndSN *issuerAndSN; + NSSCMSRecipientKeyIdentifier recipientKeyIdentifier; + } id; +}; +typedef struct NSSCMSKeyAgreeRecipientIdentifierStr NSSCMSKeyAgreeRecipientIdentifier; + +struct NSSCMSRecipientEncryptedKeyStr { + NSSCMSKeyAgreeRecipientIdentifier recipientIdentifier; + SECItem encKey; +}; +typedef struct NSSCMSRecipientEncryptedKeyStr NSSCMSRecipientEncryptedKey; + +struct NSSCMSKeyAgreeRecipientInfoStr { + SECItem version; + NSSCMSOriginatorIdentifierOrKey originatorIdentifierOrKey; + SECItem *ukm; /* optional */ + SECAlgorithmID keyEncAlg; + NSSCMSRecipientEncryptedKey **recipientEncryptedKeys; +}; +typedef struct NSSCMSKeyAgreeRecipientInfoStr NSSCMSKeyAgreeRecipientInfo; + +#define NSS_CMS_KEYAGREE_RECIPIENT_INFO_VERSION 3 /* what we *create* */ + +/* ----------------------------------------------------------------------------- + * KEK recipient info + */ +struct NSSCMSKEKIdentifierStr { + SECItem keyIdentifier; + SECItem *date; /* optional */ + SECItem *other; /* optional */ +}; +typedef struct NSSCMSKEKIdentifierStr NSSCMSKEKIdentifier; + +struct NSSCMSKEKRecipientInfoStr { + SECItem version; + NSSCMSKEKIdentifier kekIdentifier; + SECAlgorithmID keyEncAlg; + SECItem encKey; +}; +typedef struct NSSCMSKEKRecipientInfoStr NSSCMSKEKRecipientInfo; + +#define NSS_CMS_KEK_RECIPIENT_INFO_VERSION 4 /* what we *create* */ + +/* ----------------------------------------------------------------------------- + * recipient info + */ + +typedef enum { + NSSCMSRecipientInfoID_KeyTrans = 0, + NSSCMSRecipientInfoID_KeyAgree = 1, + NSSCMSRecipientInfoID_KEK = 2 +} NSSCMSRecipientInfoIDSelector; + +/* + * In order to preserve backwards binary compatibility when implementing + * creation of Recipient Info's that uses subjectKeyID in the + * keyTransRecipientInfo we need to stash a public key pointer in this + * structure somewhere. We figured out that NSSCMSKeyTransRecipientInfo + * is the smallest member of the ri union. We're in luck since that's + * the very structure that would need to use the public key. So we created + * a new structure NSSCMSKeyTransRecipientInfoEx which has a member + * NSSCMSKeyTransRecipientInfo as the first member followed by a version + * and a public key pointer. This way we can keep backwards compatibility + * without changing the size of this structure. + * + * BTW, size of structure: + * NSSCMSKeyTransRecipientInfo: 9 ints, 4 pointers + * NSSCMSKeyAgreeRecipientInfo: 12 ints, 8 pointers + * NSSCMSKEKRecipientInfo: 10 ints, 7 pointers + * + * The new structure: + * NSSCMSKeyTransRecipientInfoEx: sizeof(NSSCMSKeyTransRecipientInfo) + + * 1 int, 1 pointer + */ + +struct NSSCMSRecipientInfoStr { + NSSCMSRecipientInfoIDSelector recipientInfoType; + union { + NSSCMSKeyTransRecipientInfo keyTransRecipientInfo; + NSSCMSKeyAgreeRecipientInfo keyAgreeRecipientInfo; + NSSCMSKEKRecipientInfo kekRecipientInfo; + NSSCMSKeyTransRecipientInfoEx keyTransRecipientInfoEx; + } ri; + /* --------- local; not part of encoding --------- */ + NSSCMSMessage *cmsg; /* back pointer to message */ + CERTCertificate *cert; /* recipient's certificate */ +}; + +/* ============================================================================= + * DIGESTED DATA + */ +struct NSSCMSDigestedDataStr { + SECItem version; + SECAlgorithmID digestAlg; + NSSCMSContentInfo contentInfo; + SECItem digest; + /* --------- local; not part of encoding --------- */ + NSSCMSMessage *cmsg; /* back pointer */ + SECItem cdigest; /* calculated digest */ +}; +#define NSS_CMS_DIGESTED_DATA_VERSION_DATA 0 /* what we *create* */ +#define NSS_CMS_DIGESTED_DATA_VERSION_ENCAP 2 /* what we *create* */ + +/* ============================================================================= + * ENCRYPTED DATA + */ +struct NSSCMSEncryptedDataStr { + SECItem version; + NSSCMSContentInfo contentInfo; + NSSCMSAttribute **unprotectedAttr; /* optional */ + /* --------- local; not part of encoding --------- */ + NSSCMSMessage *cmsg; /* back pointer */ +}; +#define NSS_CMS_ENCRYPTED_DATA_VERSION 0 /* what we *create* */ +#define NSS_CMS_ENCRYPTED_DATA_VERSION_UPATTR 2 /* what we *create* */ + +/* + * ***************************************************************************** + * ***************************************************************************** + * ***************************************************************************** + */ + +/* + * See comment above about this type not really belonging to CMS. + */ +struct NSSCMSAttributeStr { + /* The following fields make up an encoded Attribute: */ + SECItem type; + SECItem **values; /* data may or may not be encoded */ + /* The following fields are not part of an encoded Attribute: */ + SECOidData *typeTag; + PRBool encoded; /* when true, values are encoded */ +}; + +#endif /* _CMST_H_ */ |