summaryrefslogtreecommitdiffstats
path: root/security/nss/lib/smime/cmst.h
diff options
context:
space:
mode:
Diffstat (limited to 'security/nss/lib/smime/cmst.h')
-rw-r--r--security/nss/lib/smime/cmst.h491
1 files changed, 491 insertions, 0 deletions
diff --git a/security/nss/lib/smime/cmst.h b/security/nss/lib/smime/cmst.h
new file mode 100644
index 000000000..3d888bc04
--- /dev/null
+++ b/security/nss/lib/smime/cmst.h
@@ -0,0 +1,491 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/*
+ * Header for CMS types.
+ */
+
+#ifndef _CMST_H_
+#define _CMST_H_
+
+#include "seccomon.h"
+#include "secoidt.h"
+#include "certt.h"
+#include "secmodt.h"
+#include "secmodt.h"
+
+#include "plarena.h"
+
+/* Non-opaque objects. NOTE, though: I want them to be treated as
+ * opaque as much as possible. If I could hide them completely,
+ * I would. (I tried, but ran into trouble that was taking me too
+ * much time to get out of.) I still intend to try to do so.
+ * In fact, the only type that "outsiders" should even *name* is
+ * NSSCMSMessage, and they should not reference its fields.
+ */
+/* rjr: PKCS #11 cert handling (pk11cert.c) does use NSSCMSRecipientInfo's.
+ * This is because when we search the recipient list for the cert and key we
+ * want, we need to invert the order of the loops we used to have. The old
+ * loops were:
+ *
+ * For each recipient {
+ * find_cert = PK11_Find_AllCert(recipient->issuerSN);
+ * [which unrolls to... ]
+ * For each slot {
+ * Log into slot;
+ * search slot for cert;
+ * }
+ * }
+ *
+ * the new loop searchs all the recipients at once on a slot. this allows
+ * PKCS #11 to order slots in such a way that logout slots don't get checked
+ * if we can find the cert on a logged in slot. This eliminates lots of
+ * spurious password prompts when smart cards are installed... so why this
+ * comment? If you make NSSCMSRecipientInfo completely opaque, you need
+ * to provide a non-opaque list of issuerSN's (the only field PKCS#11 needs
+ * and fix up pk11cert.c first. NOTE: Only S/MIME calls this special PKCS #11
+ * function.
+ */
+
+typedef struct NSSCMSMessageStr NSSCMSMessage;
+
+typedef union NSSCMSContentUnion NSSCMSContent;
+typedef struct NSSCMSContentInfoStr NSSCMSContentInfo;
+
+typedef struct NSSCMSSignedDataStr NSSCMSSignedData;
+typedef struct NSSCMSSignerInfoStr NSSCMSSignerInfo;
+typedef struct NSSCMSSignerIdentifierStr NSSCMSSignerIdentifier;
+
+typedef struct NSSCMSEnvelopedDataStr NSSCMSEnvelopedData;
+typedef struct NSSCMSOriginatorInfoStr NSSCMSOriginatorInfo;
+typedef struct NSSCMSRecipientInfoStr NSSCMSRecipientInfo;
+
+typedef struct NSSCMSDigestedDataStr NSSCMSDigestedData;
+typedef struct NSSCMSEncryptedDataStr NSSCMSEncryptedData;
+
+typedef struct NSSCMSGenericWrapperDataStr NSSCMSGenericWrapperData;
+
+typedef struct NSSCMSAttributeStr NSSCMSAttribute;
+
+typedef struct NSSCMSDecoderContextStr NSSCMSDecoderContext;
+typedef struct NSSCMSEncoderContextStr NSSCMSEncoderContext;
+
+typedef struct NSSCMSCipherContextStr NSSCMSCipherContext;
+typedef struct NSSCMSDigestContextStr NSSCMSDigestContext;
+
+typedef struct NSSCMSContentInfoPrivateStr NSSCMSContentInfoPrivate;
+
+typedef SECStatus (*NSSCMSGenericWrapperDataCallback)(NSSCMSGenericWrapperData *);
+typedef void (*NSSCMSGenericWrapperDataDestroy)(NSSCMSGenericWrapperData *);
+
+extern const SEC_ASN1Template NSSCMSGenericWrapperDataTemplate[];
+extern const SEC_ASN1Template NSS_PointerToCMSGenericWrapperDataTemplate[];
+
+SEC_ASN1_CHOOSER_DECLARE(NSS_PointerToCMSGenericWrapperDataTemplate)
+SEC_ASN1_CHOOSER_DECLARE(NSSCMSGenericWrapperDataTemplate)
+
+/*
+ * Type of function passed to NSSCMSDecode or NSSCMSDecoderStart.
+ * If specified, this is where the content bytes (only) will be "sent"
+ * as they are recovered during the decoding.
+ * And:
+ * Type of function passed to NSSCMSEncode or NSSCMSEncoderStart.
+ * This is where the DER-encoded bytes will be "sent".
+ *
+ * XXX Should just combine this with NSSCMSEncoderContentCallback type
+ * and use a simpler, common name.
+ */
+typedef void (*NSSCMSContentCallback)(void *arg, const char *buf, unsigned long len);
+
+/*
+ * Type of function passed to NSSCMSDecode or NSSCMSDecoderStart
+ * to retrieve the decryption key. This function is intended to be
+ * used for EncryptedData content info's which do not have a key available
+ * in a certificate, etc.
+ */
+typedef PK11SymKey *(*NSSCMSGetDecryptKeyCallback)(void *arg, SECAlgorithmID *algid);
+
+/* =============================================================================
+ * ENCAPSULATED CONTENTINFO & CONTENTINFO
+ */
+
+union NSSCMSContentUnion {
+ /* either unstructured */
+ SECItem *data;
+ /* or structured data */
+ NSSCMSDigestedData *digestedData;
+ NSSCMSEncryptedData *encryptedData;
+ NSSCMSEnvelopedData *envelopedData;
+ NSSCMSSignedData *signedData;
+ NSSCMSGenericWrapperData *genericData;
+ /* or anonymous pointer to something */
+ void *pointer;
+};
+
+struct NSSCMSContentInfoStr {
+ SECItem contentType;
+ NSSCMSContent content;
+ /* --------- local; not part of encoding --------- */
+ SECOidData *contentTypeTag;
+
+ /* additional info for encryptedData and envelopedData */
+ /* we waste this space for signedData and digestedData. sue me. */
+
+ SECAlgorithmID contentEncAlg;
+ SECItem *rawContent; /* encrypted DER, optional */
+ /* XXXX bytes not encrypted, but encoded? */
+ /* --------- local; not part of encoding --------- */
+ PK11SymKey *bulkkey; /* bulk encryption key */
+ int keysize; /* size of bulk encryption key
+ * (only used by creation code) */
+ SECOidTag contentEncAlgTag; /* oid tag of encryption algorithm
+ * (only used by creation code) */
+ NSSCMSContentInfoPrivate *privateInfo; /* place for NSS private info */
+ void *reserved; /* keep binary compatibility */
+};
+
+/* =============================================================================
+ * MESSAGE
+ */
+
+struct NSSCMSMessageStr {
+ NSSCMSContentInfo contentInfo; /* "outer" cinfo */
+ /* --------- local; not part of encoding --------- */
+ PLArenaPool *poolp;
+ PRBool poolp_is_ours;
+ int refCount;
+ /* properties of the "inner" data */
+ SECAlgorithmID **detached_digestalgs;
+ SECItem **detached_digests;
+ void *pwfn_arg;
+ NSSCMSGetDecryptKeyCallback decrypt_key_cb;
+ void *decrypt_key_cb_arg;
+};
+
+/* ============================================================================
+ * GENERIC WRAPPER
+ *
+ * used for user defined types.
+ */
+struct NSSCMSGenericWrapperDataStr {
+ NSSCMSContentInfo contentInfo;
+ /* ---- local; not part of encoding ------ */
+ NSSCMSMessage *cmsg;
+ /* wrapperspecific data starts here */
+};
+
+/* =============================================================================
+ * SIGNEDDATA
+ */
+
+struct NSSCMSSignedDataStr {
+ SECItem version;
+ SECAlgorithmID **digestAlgorithms;
+ NSSCMSContentInfo contentInfo;
+ SECItem **rawCerts;
+ CERTSignedCrl **crls;
+ NSSCMSSignerInfo **signerInfos;
+ /* --------- local; not part of encoding --------- */
+ NSSCMSMessage *cmsg; /* back pointer to message */
+ SECItem **digests;
+ CERTCertificate **certs;
+ CERTCertificateList **certLists;
+ CERTCertificate **tempCerts; /* temporary certs, needed
+ * for example for signature
+ * verification */
+};
+#define NSS_CMS_SIGNED_DATA_VERSION_BASIC 1 /* what we *create* */
+#define NSS_CMS_SIGNED_DATA_VERSION_EXT 3 /* what we *create* */
+
+typedef enum {
+ NSSCMSVS_Unverified = 0,
+ NSSCMSVS_GoodSignature = 1,
+ NSSCMSVS_BadSignature = 2,
+ NSSCMSVS_DigestMismatch = 3,
+ NSSCMSVS_SigningCertNotFound = 4,
+ NSSCMSVS_SigningCertNotTrusted = 5,
+ NSSCMSVS_SignatureAlgorithmUnknown = 6,
+ NSSCMSVS_SignatureAlgorithmUnsupported = 7,
+ NSSCMSVS_MalformedSignature = 8,
+ NSSCMSVS_ProcessingError = 9
+} NSSCMSVerificationStatus;
+
+typedef enum {
+ NSSCMSSignerID_IssuerSN = 0,
+ NSSCMSSignerID_SubjectKeyID = 1
+} NSSCMSSignerIDSelector;
+
+struct NSSCMSSignerIdentifierStr {
+ NSSCMSSignerIDSelector identifierType;
+ union {
+ CERTIssuerAndSN *issuerAndSN;
+ SECItem *subjectKeyID;
+ } id;
+};
+
+struct NSSCMSSignerInfoStr {
+ SECItem version;
+ NSSCMSSignerIdentifier signerIdentifier;
+ SECAlgorithmID digestAlg;
+ NSSCMSAttribute **authAttr;
+ SECAlgorithmID digestEncAlg;
+ SECItem encDigest;
+ NSSCMSAttribute **unAuthAttr;
+ /* --------- local; not part of encoding --------- */
+ NSSCMSMessage *cmsg; /* back pointer to message */
+ CERTCertificate *cert;
+ CERTCertificateList *certList;
+ PRTime signingTime;
+ NSSCMSVerificationStatus verificationStatus;
+ SECKEYPrivateKey *signingKey; /* Used if we're using subjKeyID*/
+ SECKEYPublicKey *pubKey;
+};
+#define NSS_CMS_SIGNER_INFO_VERSION_ISSUERSN 1 /* what we *create* */
+#define NSS_CMS_SIGNER_INFO_VERSION_SUBJKEY 3 /* what we *create* */
+
+typedef enum {
+ NSSCMSCM_None = 0,
+ NSSCMSCM_CertOnly = 1,
+ NSSCMSCM_CertChain = 2,
+ NSSCMSCM_CertChainWithRoot = 3
+} NSSCMSCertChainMode;
+
+/* =============================================================================
+ * ENVELOPED DATA
+ */
+struct NSSCMSEnvelopedDataStr {
+ SECItem version;
+ NSSCMSOriginatorInfo *originatorInfo; /* optional */
+ NSSCMSRecipientInfo **recipientInfos;
+ NSSCMSContentInfo contentInfo;
+ NSSCMSAttribute **unprotectedAttr;
+ /* --------- local; not part of encoding --------- */
+ NSSCMSMessage *cmsg; /* back pointer to message */
+};
+#define NSS_CMS_ENVELOPED_DATA_VERSION_REG 0 /* what we *create* */
+#define NSS_CMS_ENVELOPED_DATA_VERSION_ADV 2 /* what we *create* */
+
+struct NSSCMSOriginatorInfoStr {
+ SECItem **rawCerts;
+ CERTSignedCrl **crls;
+ /* --------- local; not part of encoding --------- */
+ CERTCertificate **certs;
+};
+
+/* -----------------------------------------------------------------------------
+ * key transport recipient info
+ */
+typedef enum {
+ NSSCMSRecipientID_IssuerSN = 0,
+ NSSCMSRecipientID_SubjectKeyID = 1,
+ NSSCMSRecipientID_BrandNew = 2
+} NSSCMSRecipientIDSelector;
+
+struct NSSCMSRecipientIdentifierStr {
+ NSSCMSRecipientIDSelector identifierType;
+ union {
+ CERTIssuerAndSN *issuerAndSN;
+ SECItem *subjectKeyID;
+ } id;
+};
+typedef struct NSSCMSRecipientIdentifierStr NSSCMSRecipientIdentifier;
+
+struct NSSCMSKeyTransRecipientInfoStr {
+ SECItem version;
+ NSSCMSRecipientIdentifier recipientIdentifier;
+ SECAlgorithmID keyEncAlg;
+ SECItem encKey;
+};
+typedef struct NSSCMSKeyTransRecipientInfoStr NSSCMSKeyTransRecipientInfo;
+
+/*
+ * View comments before NSSCMSRecipientInfoStr for purpose of this
+ * structure.
+ */
+struct NSSCMSKeyTransRecipientInfoExStr {
+ NSSCMSKeyTransRecipientInfo recipientInfo;
+ int version; /* version of this structure (0) */
+ SECKEYPublicKey *pubKey;
+};
+
+typedef struct NSSCMSKeyTransRecipientInfoExStr NSSCMSKeyTransRecipientInfoEx;
+
+#define NSS_CMS_KEYTRANS_RECIPIENT_INFO_VERSION_ISSUERSN 0 /* what we *create* */
+#define NSS_CMS_KEYTRANS_RECIPIENT_INFO_VERSION_SUBJKEY 2 /* what we *create* */
+
+/* -----------------------------------------------------------------------------
+ * key agreement recipient info
+ */
+struct NSSCMSOriginatorPublicKeyStr {
+ SECAlgorithmID algorithmIdentifier;
+ SECItem publicKey; /* bit string! */
+};
+typedef struct NSSCMSOriginatorPublicKeyStr NSSCMSOriginatorPublicKey;
+
+typedef enum {
+ NSSCMSOriginatorIDOrKey_IssuerSN = 0,
+ NSSCMSOriginatorIDOrKey_SubjectKeyID = 1,
+ NSSCMSOriginatorIDOrKey_OriginatorPublicKey = 2
+} NSSCMSOriginatorIDOrKeySelector;
+
+struct NSSCMSOriginatorIdentifierOrKeyStr {
+ NSSCMSOriginatorIDOrKeySelector identifierType;
+ union {
+ CERTIssuerAndSN *issuerAndSN; /* static-static */
+ SECItem *subjectKeyID; /* static-static */
+ NSSCMSOriginatorPublicKey originatorPublicKey; /* ephemeral-static */
+ } id;
+};
+typedef struct NSSCMSOriginatorIdentifierOrKeyStr NSSCMSOriginatorIdentifierOrKey;
+
+struct NSSCMSRecipientKeyIdentifierStr {
+ SECItem *subjectKeyIdentifier;
+ SECItem *date; /* optional */
+ SECItem *other; /* optional */
+};
+typedef struct NSSCMSRecipientKeyIdentifierStr NSSCMSRecipientKeyIdentifier;
+
+typedef enum {
+ NSSCMSKeyAgreeRecipientID_IssuerSN = 0,
+ NSSCMSKeyAgreeRecipientID_RKeyID = 1
+} NSSCMSKeyAgreeRecipientIDSelector;
+
+struct NSSCMSKeyAgreeRecipientIdentifierStr {
+ NSSCMSKeyAgreeRecipientIDSelector identifierType;
+ union {
+ CERTIssuerAndSN *issuerAndSN;
+ NSSCMSRecipientKeyIdentifier recipientKeyIdentifier;
+ } id;
+};
+typedef struct NSSCMSKeyAgreeRecipientIdentifierStr NSSCMSKeyAgreeRecipientIdentifier;
+
+struct NSSCMSRecipientEncryptedKeyStr {
+ NSSCMSKeyAgreeRecipientIdentifier recipientIdentifier;
+ SECItem encKey;
+};
+typedef struct NSSCMSRecipientEncryptedKeyStr NSSCMSRecipientEncryptedKey;
+
+struct NSSCMSKeyAgreeRecipientInfoStr {
+ SECItem version;
+ NSSCMSOriginatorIdentifierOrKey originatorIdentifierOrKey;
+ SECItem *ukm; /* optional */
+ SECAlgorithmID keyEncAlg;
+ NSSCMSRecipientEncryptedKey **recipientEncryptedKeys;
+};
+typedef struct NSSCMSKeyAgreeRecipientInfoStr NSSCMSKeyAgreeRecipientInfo;
+
+#define NSS_CMS_KEYAGREE_RECIPIENT_INFO_VERSION 3 /* what we *create* */
+
+/* -----------------------------------------------------------------------------
+ * KEK recipient info
+ */
+struct NSSCMSKEKIdentifierStr {
+ SECItem keyIdentifier;
+ SECItem *date; /* optional */
+ SECItem *other; /* optional */
+};
+typedef struct NSSCMSKEKIdentifierStr NSSCMSKEKIdentifier;
+
+struct NSSCMSKEKRecipientInfoStr {
+ SECItem version;
+ NSSCMSKEKIdentifier kekIdentifier;
+ SECAlgorithmID keyEncAlg;
+ SECItem encKey;
+};
+typedef struct NSSCMSKEKRecipientInfoStr NSSCMSKEKRecipientInfo;
+
+#define NSS_CMS_KEK_RECIPIENT_INFO_VERSION 4 /* what we *create* */
+
+/* -----------------------------------------------------------------------------
+ * recipient info
+ */
+
+typedef enum {
+ NSSCMSRecipientInfoID_KeyTrans = 0,
+ NSSCMSRecipientInfoID_KeyAgree = 1,
+ NSSCMSRecipientInfoID_KEK = 2
+} NSSCMSRecipientInfoIDSelector;
+
+/*
+ * In order to preserve backwards binary compatibility when implementing
+ * creation of Recipient Info's that uses subjectKeyID in the
+ * keyTransRecipientInfo we need to stash a public key pointer in this
+ * structure somewhere. We figured out that NSSCMSKeyTransRecipientInfo
+ * is the smallest member of the ri union. We're in luck since that's
+ * the very structure that would need to use the public key. So we created
+ * a new structure NSSCMSKeyTransRecipientInfoEx which has a member
+ * NSSCMSKeyTransRecipientInfo as the first member followed by a version
+ * and a public key pointer. This way we can keep backwards compatibility
+ * without changing the size of this structure.
+ *
+ * BTW, size of structure:
+ * NSSCMSKeyTransRecipientInfo: 9 ints, 4 pointers
+ * NSSCMSKeyAgreeRecipientInfo: 12 ints, 8 pointers
+ * NSSCMSKEKRecipientInfo: 10 ints, 7 pointers
+ *
+ * The new structure:
+ * NSSCMSKeyTransRecipientInfoEx: sizeof(NSSCMSKeyTransRecipientInfo) +
+ * 1 int, 1 pointer
+ */
+
+struct NSSCMSRecipientInfoStr {
+ NSSCMSRecipientInfoIDSelector recipientInfoType;
+ union {
+ NSSCMSKeyTransRecipientInfo keyTransRecipientInfo;
+ NSSCMSKeyAgreeRecipientInfo keyAgreeRecipientInfo;
+ NSSCMSKEKRecipientInfo kekRecipientInfo;
+ NSSCMSKeyTransRecipientInfoEx keyTransRecipientInfoEx;
+ } ri;
+ /* --------- local; not part of encoding --------- */
+ NSSCMSMessage *cmsg; /* back pointer to message */
+ CERTCertificate *cert; /* recipient's certificate */
+};
+
+/* =============================================================================
+ * DIGESTED DATA
+ */
+struct NSSCMSDigestedDataStr {
+ SECItem version;
+ SECAlgorithmID digestAlg;
+ NSSCMSContentInfo contentInfo;
+ SECItem digest;
+ /* --------- local; not part of encoding --------- */
+ NSSCMSMessage *cmsg; /* back pointer */
+ SECItem cdigest; /* calculated digest */
+};
+#define NSS_CMS_DIGESTED_DATA_VERSION_DATA 0 /* what we *create* */
+#define NSS_CMS_DIGESTED_DATA_VERSION_ENCAP 2 /* what we *create* */
+
+/* =============================================================================
+ * ENCRYPTED DATA
+ */
+struct NSSCMSEncryptedDataStr {
+ SECItem version;
+ NSSCMSContentInfo contentInfo;
+ NSSCMSAttribute **unprotectedAttr; /* optional */
+ /* --------- local; not part of encoding --------- */
+ NSSCMSMessage *cmsg; /* back pointer */
+};
+#define NSS_CMS_ENCRYPTED_DATA_VERSION 0 /* what we *create* */
+#define NSS_CMS_ENCRYPTED_DATA_VERSION_UPATTR 2 /* what we *create* */
+
+/*
+ * *****************************************************************************
+ * *****************************************************************************
+ * *****************************************************************************
+ */
+
+/*
+ * See comment above about this type not really belonging to CMS.
+ */
+struct NSSCMSAttributeStr {
+ /* The following fields make up an encoded Attribute: */
+ SECItem type;
+ SECItem **values; /* data may or may not be encoded */
+ /* The following fields are not part of an encoded Attribute: */
+ SECOidData *typeTag;
+ PRBool encoded; /* when true, values are encoded */
+};
+
+#endif /* _CMST_H_ */