| /* This Source Code Form is subject to the terms of the Mozilla Public |
| * License, v. 2.0. If a copy of the MPL was not distributed with this |
| * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
| |
| /* |
| * CMS signedData methods. |
| */ |
| |
| #include "cmslocal.h" |
| |
| #include "cert.h" |
| /*#include "cdbhdl.h"*/ |
| #include "secasn1.h" |
| #include "secitem.h" |
| #include "secoid.h" |
| #include "pk11func.h" |
| #include "secerr.h" |
| |
| NSSCMSSignedData * |
| NSS_CMSSignedData_Create(NSSCMSMessage *cmsg) |
| { |
| void *mark; |
| NSSCMSSignedData *sigd; |
| PLArenaPool *poolp; |
| |
| if (!cmsg) { |
| PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| return NULL; |
| } |
| |
| poolp = cmsg->poolp; |
| |
| mark = PORT_ArenaMark(poolp); |
| |
| sigd = (NSSCMSSignedData *)PORT_ArenaZAlloc(poolp, sizeof(NSSCMSSignedData)); |
| if (sigd == NULL) |
| goto loser; |
| |
| sigd->cmsg = cmsg; |
| |
| /* signerInfos, certs, certlists, crls are all empty */ |
| /* version is set in NSS_CMSSignedData_Finalize() */ |
| |
| PORT_ArenaUnmark(poolp, mark); |
| return sigd; |
| |
| loser: |
| PORT_ArenaRelease(poolp, mark); |
| return NULL; |
| } |
| |
| void |
| NSS_CMSSignedData_Destroy(NSSCMSSignedData *sigd) |
| { |
| CERTCertificate **certs, **tempCerts, *cert; |
| CERTCertificateList **certlists, *certlist; |
| NSSCMSSignerInfo **signerinfos, *si; |
| |
| if (sigd == NULL) |
| return; |
| |
| certs = sigd->certs; |
| tempCerts = sigd->tempCerts; |
| certlists = sigd->certLists; |
| signerinfos = sigd->signerInfos; |
| |
| if (certs != NULL) { |
| while ((cert = *certs++) != NULL) |
| CERT_DestroyCertificate(cert); |
| } |
| |
| if (tempCerts != NULL) { |
| while ((cert = *tempCerts++) != NULL) |
| CERT_DestroyCertificate(cert); |
| } |
| |
| if (certlists != NULL) { |
| while ((certlist = *certlists++) != NULL) |
| CERT_DestroyCertificateList(certlist); |
| } |
| |
| if (signerinfos != NULL) { |
| while ((si = *signerinfos++) != NULL) |
| NSS_CMSSignerInfo_Destroy(si); |
| } |
| |
| /* everything's in a pool, so don't worry about the storage */ |
| NSS_CMSContentInfo_Destroy(&(sigd->contentInfo)); |
| } |
| |
| /* |
| * NSS_CMSSignedData_Encode_BeforeStart - do all the necessary things to a SignedData |
| * before start of encoding. |
| * |
| * In detail: |
| * - find out about the right value to put into sigd->version |
| * - come up with a list of digestAlgorithms (which should be the union of the algorithms |
| * in the signerinfos). |
| * If we happen to have a pre-set list of algorithms (and digest values!), we |
| * check if we have all the signerinfos' algorithms. If not, this is an error. |
| */ |
| SECStatus |
| NSS_CMSSignedData_Encode_BeforeStart(NSSCMSSignedData *sigd) |
| { |
| NSSCMSSignerInfo *signerinfo; |
| SECOidTag digestalgtag; |
| SECItem *dummy; |
| int version; |
| SECStatus rv; |
| PRBool haveDigests = PR_FALSE; |
| int n, i; |
| PLArenaPool *poolp; |
| |
| if (!sigd) { |
| PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| return SECFailure; |
| } |
| |
| poolp = sigd->cmsg->poolp; |
| |
| /* we assume that we have precomputed digests if there is a list of algorithms, and */ |
| /* a chunk of data for each of those algorithms */ |
| if (sigd->digestAlgorithms != NULL && sigd->digests != NULL) { |
| for (i = 0; sigd->digestAlgorithms[i] != NULL; i++) { |
| if (sigd->digests[i] == NULL) |
| break; |
| } |
| if (sigd->digestAlgorithms[i] == NULL) /* reached the end of the array? */ |
| haveDigests = PR_TRUE; /* yes: we must have all the digests */ |
| } |
| |
| version = NSS_CMS_SIGNED_DATA_VERSION_BASIC; |
| |
| /* RFC2630 5.1 "version is the syntax version number..." */ |
| if (NSS_CMSContentInfo_GetContentTypeTag(&(sigd->contentInfo)) != SEC_OID_PKCS7_DATA) |
| version = NSS_CMS_SIGNED_DATA_VERSION_EXT; |
| |
| /* prepare all the SignerInfos (there may be none) */ |
| for (i = 0; i < NSS_CMSSignedData_SignerInfoCount(sigd); i++) { |
| signerinfo = NSS_CMSSignedData_GetSignerInfo(sigd, i); |
| |
| /* RFC2630 5.1 "version is the syntax version number..." */ |
| if (NSS_CMSSignerInfo_GetVersion(signerinfo) != NSS_CMS_SIGNER_INFO_VERSION_ISSUERSN) |
| version = NSS_CMS_SIGNED_DATA_VERSION_EXT; |
| |
| /* collect digestAlgorithms from SignerInfos */ |
| /* (we need to know which algorithms we have when the content comes in) */ |
| /* do not overwrite any existing digestAlgorithms (and digest) */ |
| digestalgtag = NSS_CMSSignerInfo_GetDigestAlgTag(signerinfo); |
| n = NSS_CMSAlgArray_GetIndexByAlgTag(sigd->digestAlgorithms, digestalgtag); |
| if (n < 0 && haveDigests) { |
| /* oops, there is a digestalg we do not have a digest for */ |
| /* but we were supposed to have all the digests already... */ |
| goto loser; |
| } else if (n < 0) { |
| /* add the digestAlgorithm & a NULL digest */ |
| rv = NSS_CMSSignedData_AddDigest(poolp, sigd, digestalgtag, NULL); |
| if (rv != SECSuccess) |
| goto loser; |
| } else { |
| /* found it, nothing to do */ |
| } |
| } |
| |
| dummy = SEC_ASN1EncodeInteger(poolp, &(sigd->version), (long)version); |
| if (dummy == NULL) |
| return SECFailure; |
| |
| /* this is a SET OF, so we need to sort them guys */ |
| rv = NSS_CMSArray_SortByDER((void **)sigd->digestAlgorithms, |
| SEC_ASN1_GET(SECOID_AlgorithmIDTemplate), |
| (void **)sigd->digests); |
| if (rv != SECSuccess) |
| return SECFailure; |
| |
| return SECSuccess; |
| |
| loser: |
| return SECFailure; |
| } |
| |
| SECStatus |
| NSS_CMSSignedData_Encode_BeforeData(NSSCMSSignedData *sigd) |
| { |
| SECStatus rv; |
| if (!sigd) { |
| PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| return SECFailure; |
| } |
| rv = NSS_CMSContentInfo_Private_Init(&sigd->contentInfo); |
| if (rv != SECSuccess) { |
| return SECFailure; |
| } |
| /* set up the digests */ |
| if (sigd->digests && sigd->digests[0]) { |
| sigd->contentInfo.privateInfo->digcx = NULL; /* don't attempt to make new ones. */ |
| } else if (sigd->digestAlgorithms != NULL) { |
| sigd->contentInfo.privateInfo->digcx = |
| NSS_CMSDigestContext_StartMultiple(sigd->digestAlgorithms); |
| if (sigd->contentInfo.privateInfo->digcx == NULL) |
| return SECFailure; |
| } |
| return SECSuccess; |
| } |
| |
| /* |
| * NSS_CMSSignedData_Encode_AfterData - do all the necessary things to a SignedData |
| * after all the encapsulated data was passed through the encoder. |
| * |
| * In detail: |
| * - create the signatures in all the SignerInfos |
| * |
| * Please note that nothing is done to the Certificates and CRLs in the message - this |
| * is entirely the responsibility of our callers. |
| */ |
| SECStatus |
| NSS_CMSSignedData_Encode_AfterData(NSSCMSSignedData *sigd) |
| { |
| NSSCMSSignerInfo **signerinfos, *signerinfo; |
| NSSCMSContentInfo *cinfo; |
| SECOidTag digestalgtag; |
| SECStatus ret = SECFailure; |
| SECStatus rv; |
| SECItem *contentType; |
| int certcount; |
| int i, ci, cli, n, rci, si; |
| PLArenaPool *poolp; |
| CERTCertificateList *certlist; |
| extern const SEC_ASN1Template NSSCMSSignerInfoTemplate[]; |
| |
| if (!sigd) { |
| PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| return SECFailure; |
| } |
| |
| poolp = sigd->cmsg->poolp; |
| cinfo = &(sigd->contentInfo); |
| |
| /* did we have digest calculation going on? */ |
| if (cinfo->privateInfo && cinfo->privateInfo->digcx) { |
| rv = NSS_CMSDigestContext_FinishMultiple(cinfo->privateInfo->digcx, poolp, |
| &(sigd->digests)); |
| /* error has been set by NSS_CMSDigestContext_FinishMultiple */ |
| cinfo->privateInfo->digcx = NULL; |
| if (rv != SECSuccess) |
| goto loser; |
| } |
| |
| signerinfos = sigd->signerInfos; |
| certcount = 0; |
| |
| /* prepare all the SignerInfos (there may be none) */ |
| for (i = 0; i < NSS_CMSSignedData_SignerInfoCount(sigd); i++) { |
| signerinfo = NSS_CMSSignedData_GetSignerInfo(sigd, i); |
| |
| /* find correct digest for this signerinfo */ |
| digestalgtag = NSS_CMSSignerInfo_GetDigestAlgTag(signerinfo); |
| n = NSS_CMSAlgArray_GetIndexByAlgTag(sigd->digestAlgorithms, digestalgtag); |
| if (n < 0 || sigd->digests == NULL || sigd->digests[n] == NULL) { |
| /* oops - digest not found */ |
| PORT_SetError(SEC_ERROR_DIGEST_NOT_FOUND); |
| goto loser; |
| } |
| |
| /* XXX if our content is anything else but data, we need to force the |
| * presence of signed attributes (RFC2630 5.3 "signedAttributes is a |
| * collection...") */ |
| |
| /* pass contentType here as we want a contentType attribute */ |
| if ((contentType = NSS_CMSContentInfo_GetContentTypeOID(cinfo)) == NULL) |
| goto loser; |
| |
| /* sign the thing */ |
| rv = NSS_CMSSignerInfo_Sign(signerinfo, sigd->digests[n], contentType); |
| if (rv != SECSuccess) |
| goto loser; |
| |
| /* while we're at it, count number of certs in certLists */ |
| certlist = NSS_CMSSignerInfo_GetCertList(signerinfo); |
| if (certlist) |
| certcount += certlist->len; |
| } |
| |
| /* this is a SET OF, so we need to sort them guys */ |
| rv = NSS_CMSArray_SortByDER((void **)signerinfos, NSSCMSSignerInfoTemplate, NULL); |
| if (rv != SECSuccess) |
| goto loser; |
| |
| /* |
| * now prepare certs & crls |
| */ |
| |
| /* count the rest of the certs */ |
| if (sigd->certs != NULL) { |
| for (ci = 0; sigd->certs[ci] != NULL; ci++) |
| certcount++; |
| } |
| |
| if (sigd->certLists != NULL) { |
| for (cli = 0; sigd->certLists[cli] != NULL; cli++) |
| certcount += sigd->certLists[cli]->len; |
| } |
| |
| if (certcount == 0) { |
| sigd->rawCerts = NULL; |
| } else { |
| /* |
| * Combine all of the certs and cert chains into rawcerts. |
| * Note: certcount is an upper bound; we may not need that many slots |
| * but we will allocate anyway to avoid having to do another pass. |
| * (The temporary space saving is not worth it.) |
| * |
| * XXX ARGH - this NEEDS to be fixed. need to come up with a decent |
| * SetOfDERcertficates implementation |
| */ |
| sigd->rawCerts = (SECItem **)PORT_ArenaAlloc(poolp, (certcount + 1) * sizeof(SECItem *)); |
| if (sigd->rawCerts == NULL) |
| return SECFailure; |
| |
| /* |
| * XXX Want to check for duplicates and not add *any* cert that is |
| * already in the set. This will be more important when we start |
| * dealing with larger sets of certs, dual-key certs (signing and |
| * encryption), etc. For the time being we can slide by... |
| * |
| * XXX ARGH - this NEEDS to be fixed. need to come up with a decent |
| * SetOfDERcertficates implementation |
| */ |
| rci = 0; |
| if (signerinfos != NULL) { |
| for (si = 0; signerinfos[si] != NULL; si++) { |
| signerinfo = signerinfos[si]; |
| for (ci = 0; ci < signerinfo->certList->len; ci++) |
| sigd->rawCerts[rci++] = &(signerinfo->certList->certs[ci]); |
| } |
| } |
| |
| if (sigd->certs != NULL) { |
| for (ci = 0; sigd->certs[ci] != NULL; ci++) |
| sigd->rawCerts[rci++] = &(sigd->certs[ci]->derCert); |
| } |
| |
| if (sigd->certLists != NULL) { |
| for (cli = 0; sigd->certLists[cli] != NULL; cli++) { |
| for (ci = 0; ci < sigd->certLists[cli]->len; ci++) |
| sigd->rawCerts[rci++] = &(sigd->certLists[cli]->certs[ci]); |
| } |
| } |
| |
| sigd->rawCerts[rci] = NULL; |
| |
| /* this is a SET OF, so we need to sort them guys - we have the DER already, though */ |
| NSS_CMSArray_Sort((void **)sigd->rawCerts, NSS_CMSUtil_DERCompare, NULL, NULL); |
| } |
| |
| ret = SECSuccess; |
| |
| loser: |
| return ret; |
| } |
| |
| SECStatus |
| NSS_CMSSignedData_Decode_BeforeData(NSSCMSSignedData *sigd) |
| { |
| SECStatus rv; |
| if (!sigd) { |
| PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| return SECFailure; |
| } |
| rv = NSS_CMSContentInfo_Private_Init(&sigd->contentInfo); |
| if (rv != SECSuccess) { |
| return SECFailure; |
| } |
| /* handle issue with Windows 2003 servers and kerberos */ |
| if (sigd->digestAlgorithms != NULL) { |
| int i; |
| for (i = 0; sigd->digestAlgorithms[i] != NULL; i++) { |
| SECAlgorithmID *algid = sigd->digestAlgorithms[i]; |
| SECOidTag senttag = SECOID_FindOIDTag(&algid->algorithm); |
| SECOidTag maptag = NSS_CMSUtil_MapSignAlgs(senttag); |
| |
| if (maptag != senttag) { |
| SECOidData *hashoid = SECOID_FindOIDByTag(maptag); |
| rv = SECITEM_CopyItem(sigd->cmsg->poolp, &algid->algorithm, &hashoid->oid); |
| if (rv != SECSuccess) { |
| return rv; |
| } |
| } |
| } |
| } |
| |
| /* set up the digests */ |
| if (sigd->digestAlgorithms != NULL && sigd->digests == NULL) { |
| /* if digests are already there, do nothing */ |
| sigd->contentInfo.privateInfo->digcx = NSS_CMSDigestContext_StartMultiple(sigd->digestAlgorithms); |
| if (sigd->contentInfo.privateInfo->digcx == NULL) |
| return SECFailure; |
| } |
| return SECSuccess; |
| } |
| |
| /* |
| * NSS_CMSSignedData_Decode_AfterData - do all the necessary things to a |
| * SignedData after all the encapsulated data was passed through the decoder. |
| */ |
| SECStatus |
| NSS_CMSSignedData_Decode_AfterData(NSSCMSSignedData *sigd) |
| { |
| SECStatus rv = SECSuccess; |
| |
| if (!sigd) { |
| PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| return SECFailure; |
| } |
| |
| /* did we have digest calculation going on? */ |
| if (sigd->contentInfo.privateInfo && sigd->contentInfo.privateInfo->digcx) { |
| rv = NSS_CMSDigestContext_FinishMultiple(sigd->contentInfo.privateInfo->digcx, |
| sigd->cmsg->poolp, &(sigd->digests)); |
| /* error set by NSS_CMSDigestContext_FinishMultiple */ |
| sigd->contentInfo.privateInfo->digcx = NULL; |
| } |
| return rv; |
| } |
| |
| /* |
| * NSS_CMSSignedData_Decode_AfterEnd - do all the necessary things to a SignedData |
| * after all decoding is finished. |
| */ |
| SECStatus |
| NSS_CMSSignedData_Decode_AfterEnd(NSSCMSSignedData *sigd) |
| { |
| NSSCMSSignerInfo **signerinfos = NULL; |
| int i; |
| |
| if (!sigd) { |
| PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| return SECFailure; |
| } |
| |
| /* set cmsg for all the signerinfos */ |
| signerinfos = sigd->signerInfos; |
| |
| /* set cmsg for all the signerinfos */ |
| if (signerinfos) { |
| for (i = 0; signerinfos[i] != NULL; i++) |
| signerinfos[i]->cmsg = sigd->cmsg; |
| } |
| |
| return SECSuccess; |
| } |
| |
| /* |
| * NSS_CMSSignedData_GetSignerInfos - retrieve the SignedData's signer list |
| */ |
| NSSCMSSignerInfo ** |
| NSS_CMSSignedData_GetSignerInfos(NSSCMSSignedData *sigd) |
| { |
| if (!sigd) { |
| PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| return NULL; |
| } |
| return sigd->signerInfos; |
| } |
| |
| int |
| NSS_CMSSignedData_SignerInfoCount(NSSCMSSignedData *sigd) |
| { |
| if (!sigd) { |
| PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| return 0; |
| } |
| return NSS_CMSArray_Count((void **)sigd->signerInfos); |
| } |
| |
| NSSCMSSignerInfo * |
| NSS_CMSSignedData_GetSignerInfo(NSSCMSSignedData *sigd, int i) |
| { |
| if (!sigd) { |
| PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| return NULL; |
| } |
| return sigd->signerInfos[i]; |
| } |
| |
| /* |
| * NSS_CMSSignedData_GetDigestAlgs - retrieve the SignedData's digest algorithm list |
| */ |
| SECAlgorithmID ** |
| NSS_CMSSignedData_GetDigestAlgs(NSSCMSSignedData *sigd) |
| { |
| if (!sigd) { |
| PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| return NULL; |
| } |
| return sigd->digestAlgorithms; |
| } |
| |
| /* |
| * NSS_CMSSignedData_GetContentInfo - return pointer to this signedData's contentinfo |
| */ |
| NSSCMSContentInfo * |
| NSS_CMSSignedData_GetContentInfo(NSSCMSSignedData *sigd) |
| { |
| if (!sigd) { |
| PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| return NULL; |
| } |
| return &(sigd->contentInfo); |
| } |
| |
| /* |
| * NSS_CMSSignedData_GetCertificateList - retrieve the SignedData's certificate list |
| */ |
| SECItem ** |
| NSS_CMSSignedData_GetCertificateList(NSSCMSSignedData *sigd) |
| { |
| if (!sigd) { |
| PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| return NULL; |
| } |
| return sigd->rawCerts; |
| } |
| |
| SECStatus |
| NSS_CMSSignedData_ImportCerts(NSSCMSSignedData *sigd, CERTCertDBHandle *certdb, |
| SECCertUsage certusage, PRBool keepcerts) |
| { |
| int certcount; |
| CERTCertificate **certArray = NULL; |
| CERTCertList *certList = NULL; |
| CERTCertListNode *node; |
| SECStatus rv; |
| SECItem **rawArray; |
| int i; |
| PRTime now; |
| |
| if (!sigd) { |
| PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| return SECFailure; |
| } |
| |
| certcount = NSS_CMSArray_Count((void **)sigd->rawCerts); |
| |
| /* get the certs in the temp DB */ |
| rv = CERT_ImportCerts(certdb, certusage, certcount, sigd->rawCerts, |
| &certArray, PR_FALSE, PR_FALSE, NULL); |
| if (rv != SECSuccess) { |
| goto loser; |
| } |
| |
| /* save the certs so they don't get destroyed */ |
| for (i = 0; i < certcount; i++) { |
| CERTCertificate *cert = certArray[i]; |
| if (cert) |
| NSS_CMSSignedData_AddTempCertificate(sigd, cert); |
| } |
| |
| if (!keepcerts) { |
| goto done; |
| } |
| |
| /* build a CertList for filtering */ |
| certList = CERT_NewCertList(); |
| if (certList == NULL) { |
| rv = SECFailure; |
| goto loser; |
| } |
| for (i = 0; i < certcount; i++) { |
| CERTCertificate *cert = certArray[i]; |
| if (cert) |
| cert = CERT_DupCertificate(cert); |
| if (cert) |
| CERT_AddCertToListTail(certList, cert); |
| } |
| |
| /* filter out the certs we don't want */ |
| rv = CERT_FilterCertListByUsage(certList, certusage, PR_FALSE); |
| if (rv != SECSuccess) { |
| goto loser; |
| } |
| |
| /* go down the remaining list of certs and verify that they have |
| * valid chains, then import them. |
| */ |
| now = PR_Now(); |
| for (node = CERT_LIST_HEAD(certList); !CERT_LIST_END(node, certList); |
| node = CERT_LIST_NEXT(node)) { |
| CERTCertificateList *certChain; |
| |
| if (CERT_VerifyCert(certdb, node->cert, |
| PR_TRUE, certusage, now, NULL, NULL) != SECSuccess) { |
| continue; |
| } |
| |
| certChain = CERT_CertChainFromCert(node->cert, certusage, PR_FALSE); |
| if (!certChain) { |
| continue; |
| } |
| |
| /* |
| * CertChain returns an array of SECItems, import expects an array of |
| * SECItem pointers. Create the SECItem Pointers from the array of |
| * SECItems. |
| */ |
| rawArray = (SECItem **)PORT_Alloc(certChain->len * sizeof(SECItem *)); |
| if (!rawArray) { |
| CERT_DestroyCertificateList(certChain); |
| continue; |
| } |
| for (i = 0; i < certChain->len; i++) { |
| rawArray[i] = &certChain->certs[i]; |
| } |
| (void)CERT_ImportCerts(certdb, certusage, certChain->len, |
| rawArray, NULL, keepcerts, PR_FALSE, NULL); |
| PORT_Free(rawArray); |
| CERT_DestroyCertificateList(certChain); |
| } |
| |
| rv = SECSuccess; |
| |
| /* XXX CRL handling */ |
| |
| done: |
| if (sigd->signerInfos != NULL) { |
| /* fill in all signerinfo's certs */ |
| for (i = 0; sigd->signerInfos[i] != NULL; i++) |
| (void)NSS_CMSSignerInfo_GetSigningCertificate( |
| sigd->signerInfos[i], certdb); |
| } |
| |
| loser: |
| /* now free everything */ |
| if (certArray) { |
| CERT_DestroyCertArray(certArray, certcount); |
| } |
| if (certList) { |
| CERT_DestroyCertList(certList); |
| } |
| |
| return rv; |
| } |
| |
| /* |
| * XXX the digests need to be passed in BETWEEN the decoding and the verification in case |
| * of external signatures! |
| */ |
| |
| /* |
| * NSS_CMSSignedData_VerifySignerInfo - check the signatures. |
| * |
| * The digests were either calculated during decoding (and are stored in the |
| * signedData itself) or set after decoding using NSS_CMSSignedData_SetDigests. |
| * |
| * The verification checks if the signing cert is valid and has a trusted chain |
| * for the purpose specified by "certusage". |
| */ |
| SECStatus |
| NSS_CMSSignedData_VerifySignerInfo(NSSCMSSignedData *sigd, int i, |
| CERTCertDBHandle *certdb, SECCertUsage certusage) |
| { |
| NSSCMSSignerInfo *signerinfo; |
| NSSCMSContentInfo *cinfo; |
| SECOidData *algiddata; |
| SECItem *contentType, *digest; |
| SECOidTag oidTag; |
| SECStatus rv; |
| |
| if (!sigd) { |
| PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| return SECFailure; |
| } |
| |
| cinfo = &(sigd->contentInfo); |
| |
| signerinfo = sigd->signerInfos[i]; |
| |
| /* verify certificate */ |
| rv = NSS_CMSSignerInfo_VerifyCertificate(signerinfo, certdb, certusage); |
| if (rv != SECSuccess) |
| return rv; /* error is set */ |
| |
| /* find digest and contentType for signerinfo */ |
| algiddata = NSS_CMSSignerInfo_GetDigestAlg(signerinfo); |
| oidTag = algiddata ? algiddata->offset : SEC_OID_UNKNOWN; |
| digest = NSS_CMSSignedData_GetDigestValue(sigd, oidTag); |
| /* NULL digest is acceptable. */ |
| contentType = NSS_CMSContentInfo_GetContentTypeOID(cinfo); |
| /* NULL contentType is acceptable. */ |
| |
| /* now verify signature */ |
| rv = NSS_CMSSignerInfo_Verify(signerinfo, digest, contentType); |
| return rv; |
| } |
| |
| /* |
| * NSS_CMSSignedData_VerifyCertsOnly - verify the certs in a certs-only message |
| */ |
| SECStatus |
| NSS_CMSSignedData_VerifyCertsOnly(NSSCMSSignedData *sigd, |
| CERTCertDBHandle *certdb, |
| SECCertUsage usage) |
| { |
| CERTCertificate *cert; |
| SECStatus rv = SECSuccess; |
| int i; |
| int count; |
| PRTime now; |
| void *pwarg = NULL; |
| |
| if (!sigd || !certdb || !sigd->rawCerts) { |
| PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| return SECFailure; |
| } |
| |
| count = NSS_CMSArray_Count((void **)sigd->rawCerts); |
| now = PR_Now(); |
| for (i = 0; i < count; i++) { |
| if (sigd->certs && sigd->certs[i]) { |
| cert = CERT_DupCertificate(sigd->certs[i]); |
| } else { |
| cert = CERT_FindCertByDERCert(certdb, sigd->rawCerts[i]); |
| if (!cert) { |
| rv = SECFailure; |
| break; |
| } |
| } |
| if (sigd->cmsg) { |
| pwarg = sigd->cmsg->pwfn_arg; |
| } |
| rv |= CERT_VerifyCert(certdb, cert, PR_TRUE, usage, now, |
| pwarg, NULL); |
| CERT_DestroyCertificate(cert); |
| } |
| |
| return rv; |
| } |
| |
| /* |
| * NSS_CMSSignedData_HasDigests - see if we have digests in place |
| */ |
| PRBool |
| NSS_CMSSignedData_HasDigests(NSSCMSSignedData *sigd) |
| { |
| if (!sigd) { |
| PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| return PR_FALSE; |
| } |
| return (sigd->digests != NULL); |
| } |
| |
| SECStatus |
| NSS_CMSSignedData_AddCertList(NSSCMSSignedData *sigd, CERTCertificateList *certlist) |
| { |
| SECStatus rv; |
| |
| if (!sigd || !certlist) { |
| PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| return SECFailure; |
| } |
| |
| /* XXX memory?? a certlist has an arena of its own and is not refcounted!?!? */ |
| rv = NSS_CMSArray_Add(sigd->cmsg->poolp, (void ***)&(sigd->certLists), (void *)certlist); |
| |
| return rv; |
| } |
| |
| /* |
| * NSS_CMSSignedData_AddCertChain - add cert and its entire chain to the set of certs |
| */ |
| SECStatus |
| NSS_CMSSignedData_AddCertChain(NSSCMSSignedData *sigd, CERTCertificate *cert) |
| { |
| CERTCertificateList *certlist; |
| SECCertUsage usage; |
| SECStatus rv; |
| |
| usage = certUsageEmailSigner; |
| |
| if (!sigd || !cert) { |
| PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| return SECFailure; |
| } |
| |
| /* do not include root */ |
| certlist = CERT_CertChainFromCert(cert, usage, PR_FALSE); |
| if (certlist == NULL) |
| return SECFailure; |
| |
| rv = NSS_CMSSignedData_AddCertList(sigd, certlist); |
| |
| return rv; |
| } |
| |
| extern SECStatus |
| NSS_CMSSignedData_AddTempCertificate(NSSCMSSignedData *sigd, CERTCertificate *cert) |
| { |
| CERTCertificate *c; |
| SECStatus rv; |
| |
| if (!sigd || !cert) { |
| PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| return SECFailure; |
| } |
| |
| c = CERT_DupCertificate(cert); |
| rv = NSS_CMSArray_Add(sigd->cmsg->poolp, (void ***)&(sigd->tempCerts), (void *)c); |
| return rv; |
| } |
| |
| SECStatus |
| NSS_CMSSignedData_AddCertificate(NSSCMSSignedData *sigd, CERTCertificate *cert) |
| { |
| CERTCertificate *c; |
| SECStatus rv; |
| |
| if (!sigd || !cert) { |
| PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| return SECFailure; |
| } |
| |
| c = CERT_DupCertificate(cert); |
| rv = NSS_CMSArray_Add(sigd->cmsg->poolp, (void ***)&(sigd->certs), (void *)c); |
| return rv; |
| } |
| |
| PRBool |
| NSS_CMSSignedData_ContainsCertsOrCrls(NSSCMSSignedData *sigd) |
| { |
| if (!sigd) { |
| PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| return PR_FALSE; |
| } |
| if (sigd->rawCerts != NULL && sigd->rawCerts[0] != NULL) |
| return PR_TRUE; |
| else if (sigd->crls != NULL && sigd->crls[0] != NULL) |
| return PR_TRUE; |
| else |
| return PR_FALSE; |
| } |
| |
| SECStatus |
| NSS_CMSSignedData_AddSignerInfo(NSSCMSSignedData *sigd, |
| NSSCMSSignerInfo *signerinfo) |
| { |
| void *mark; |
| SECStatus rv; |
| SECOidTag digestalgtag; |
| PLArenaPool *poolp; |
| |
| if (!sigd || !signerinfo) { |
| PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| return SECFailure; |
| } |
| |
| poolp = sigd->cmsg->poolp; |
| |
| mark = PORT_ArenaMark(poolp); |
| |
| /* add signerinfo */ |
| rv = NSS_CMSArray_Add(poolp, (void ***)&(sigd->signerInfos), (void *)signerinfo); |
| if (rv != SECSuccess) |
| goto loser; |
| |
| /* |
| * add empty digest |
| * Empty because we don't have it yet. Either it gets created during encoding |
| * (if the data is present) or has to be set externally. |
| * XXX maybe pass it in optionally? |
| */ |
| digestalgtag = NSS_CMSSignerInfo_GetDigestAlgTag(signerinfo); |
| rv = NSS_CMSSignedData_SetDigestValue(sigd, digestalgtag, NULL); |
| if (rv != SECSuccess) |
| goto loser; |
| |
| /* |
| * The last thing to get consistency would be adding the digest. |
| */ |
| |
| PORT_ArenaUnmark(poolp, mark); |
| return SECSuccess; |
| |
| loser: |
| PORT_ArenaRelease(poolp, mark); |
| return SECFailure; |
| } |
| |
| /* |
| * NSS_CMSSignedData_SetDigests - set a signedData's digests member |
| * |
| * "digestalgs" - array of digest algorithm IDs |
| * "digests" - array of digests corresponding to the digest algorithms |
| */ |
| SECStatus |
| NSS_CMSSignedData_SetDigests(NSSCMSSignedData *sigd, |
| SECAlgorithmID **digestalgs, |
| SECItem **digests) |
| { |
| int cnt, i, idx; |
| |
| if (!sigd || !digestalgs || !digests) { |
| PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| return SECFailure; |
| } |
| |
| if (sigd->digestAlgorithms == NULL) { |
| PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| return SECFailure; |
| } |
| |
| /* we assume that the digests array is just not there yet */ |
| PORT_Assert(sigd->digests == NULL); |
| if (sigd->digests != NULL) { |
| PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); |
| return SECFailure; |
| } |
| |
| /* now allocate one (same size as digestAlgorithms) */ |
| cnt = NSS_CMSArray_Count((void **)sigd->digestAlgorithms); |
| sigd->digests = PORT_ArenaZAlloc(sigd->cmsg->poolp, (cnt + 1) * sizeof(SECItem *)); |
| if (sigd->digests == NULL) { |
| PORT_SetError(SEC_ERROR_NO_MEMORY); |
| return SECFailure; |
| } |
| |
| for (i = 0; sigd->digestAlgorithms[i] != NULL; i++) { |
| /* try to find the sigd's i'th digest algorithm in the array we passed in */ |
| idx = NSS_CMSAlgArray_GetIndexByAlgID(digestalgs, sigd->digestAlgorithms[i]); |
| if (idx < 0) { |
| PORT_SetError(SEC_ERROR_DIGEST_NOT_FOUND); |
| return SECFailure; |
| } |
| if (!digests[idx]) { |
| /* We have no digest for this algorithm, probably because it is |
| ** unrecognized or unsupported. We'll ignore this here. If this |
| ** digest is needed later, an error will be be generated then. |
| */ |
| continue; |
| } |
| |
| /* found it - now set it */ |
| if ((sigd->digests[i] = SECITEM_AllocItem(sigd->cmsg->poolp, NULL, 0)) == NULL || |
| SECITEM_CopyItem(sigd->cmsg->poolp, sigd->digests[i], digests[idx]) != SECSuccess) { |
| PORT_SetError(SEC_ERROR_NO_MEMORY); |
| return SECFailure; |
| } |
| } |
| return SECSuccess; |
| } |
| |
| SECStatus |
| NSS_CMSSignedData_SetDigestValue(NSSCMSSignedData *sigd, |
| SECOidTag digestalgtag, |
| SECItem *digestdata) |
| { |
| SECItem *digest = NULL; |
| PLArenaPool *poolp; |
| void *mark; |
| int n, cnt; |
| |
| if (!sigd) { |
| PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| return SECFailure; |
| } |
| |
| poolp = sigd->cmsg->poolp; |
| |
| mark = PORT_ArenaMark(poolp); |
| |
| if (digestdata) { |
| digest = (SECItem *)PORT_ArenaZAlloc(poolp, sizeof(SECItem)); |
| |
| /* copy digestdata item to arena (in case we have it and are not only making room) */ |
| if (SECITEM_CopyItem(poolp, digest, digestdata) != SECSuccess) |
| goto loser; |
| } |
| |
| /* now allocate one (same size as digestAlgorithms) */ |
| if (sigd->digests == NULL) { |
| cnt = NSS_CMSArray_Count((void **)sigd->digestAlgorithms); |
| sigd->digests = PORT_ArenaZAlloc(sigd->cmsg->poolp, (cnt + 1) * sizeof(SECItem *)); |
| if (sigd->digests == NULL) { |
| PORT_SetError(SEC_ERROR_NO_MEMORY); |
| return SECFailure; |
| } |
| } |
| |
| n = -1; |
| if (sigd->digestAlgorithms != NULL) |
| n = NSS_CMSAlgArray_GetIndexByAlgTag(sigd->digestAlgorithms, digestalgtag); |
| |
| /* if not found, add a digest */ |
| if (n < 0) { |
| if (NSS_CMSSignedData_AddDigest(poolp, sigd, digestalgtag, digest) != SECSuccess) |
| goto loser; |
| } else { |
| /* replace NULL pointer with digest item (and leak previous value) */ |
| sigd->digests[n] = digest; |
| } |
| |
| PORT_ArenaUnmark(poolp, mark); |
| return SECSuccess; |
| |
| loser: |
| PORT_ArenaRelease(poolp, mark); |
| return SECFailure; |
| } |
| |
| SECStatus |
| NSS_CMSSignedData_AddDigest(PLArenaPool *poolp, |
| NSSCMSSignedData *sigd, |
| SECOidTag digestalgtag, |
| SECItem *digest) |
| { |
| SECAlgorithmID *digestalg; |
| void *mark; |
| |
| if (!sigd || !poolp) { |
| PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| return SECFailure; |
| } |
| |
| mark = PORT_ArenaMark(poolp); |
| |
| digestalg = PORT_ArenaZAlloc(poolp, sizeof(SECAlgorithmID)); |
| if (digestalg == NULL) |
| goto loser; |
| |
| if (SECOID_SetAlgorithmID(poolp, digestalg, digestalgtag, NULL) != SECSuccess) /* no params */ |
| goto loser; |
| |
| if (NSS_CMSArray_Add(poolp, (void ***)&(sigd->digestAlgorithms), |
| (void *)digestalg) != SECSuccess || |
| /* even if digest is NULL, add dummy to have same-size array */ |
| NSS_CMSArray_Add(poolp, (void ***)&(sigd->digests), |
| (void *)digest) != SECSuccess) { |
| goto loser; |
| } |
| |
| PORT_ArenaUnmark(poolp, mark); |
| return SECSuccess; |
| |
| loser: |
| PORT_ArenaRelease(poolp, mark); |
| return SECFailure; |
| } |
| |
| /* XXX This function doesn't set the error code on failure. */ |
| SECItem * |
| NSS_CMSSignedData_GetDigestValue(NSSCMSSignedData *sigd, SECOidTag digestalgtag) |
| { |
| int n; |
| |
| if (!sigd) { |
| PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| return NULL; |
| } |
| |
| if (sigd->digestAlgorithms == NULL || sigd->digests == NULL) { |
| PORT_SetError(SEC_ERROR_DIGEST_NOT_FOUND); |
| return NULL; |
| } |
| |
| n = NSS_CMSAlgArray_GetIndexByAlgTag(sigd->digestAlgorithms, digestalgtag); |
| |
| return (n < 0) ? NULL : sigd->digests[n]; |
| } |
| |
| /* ============================================================================= |
| * Misc. utility functions |
| */ |
| |
| /* |
| * NSS_CMSSignedData_CreateCertsOnly - create a certs-only SignedData. |
| * |
| * cert - base certificates that will be included |
| * include_chain - if true, include the complete cert chain for cert |
| * |
| * More certs and chains can be added via AddCertificate and AddCertChain. |
| * |
| * An error results in a return value of NULL and an error set. |
| * |
| * XXXX CRLs |
| */ |
| NSSCMSSignedData * |
| NSS_CMSSignedData_CreateCertsOnly(NSSCMSMessage *cmsg, CERTCertificate *cert, PRBool include_chain) |
| { |
| NSSCMSSignedData *sigd; |
| void *mark; |
| PLArenaPool *poolp; |
| SECStatus rv; |
| |
| if (!cmsg || !cert) { |
| PORT_SetError(SEC_ERROR_INVALID_ARGS); |
| return NULL; |
| } |
| |
| poolp = cmsg->poolp; |
| mark = PORT_ArenaMark(poolp); |
| |
| sigd = NSS_CMSSignedData_Create(cmsg); |
| if (sigd == NULL) |
| goto loser; |
| |
| /* no signerinfos, thus no digestAlgorithms */ |
| |
| /* but certs */ |
| if (include_chain) { |
| rv = NSS_CMSSignedData_AddCertChain(sigd, cert); |
| } else { |
| rv = NSS_CMSSignedData_AddCertificate(sigd, cert); |
| } |
| if (rv != SECSuccess) |
| goto loser; |
| |
| /* RFC2630 5.2 sez: |
| * In the degenerate case where there are no signers, the |
| * EncapsulatedContentInfo value being "signed" is irrelevant. In this |
| * case, the content type within the EncapsulatedContentInfo value being |
| * "signed" should be id-data (as defined in section 4), and the content |
| * field of the EncapsulatedContentInfo value should be omitted. |
| */ |
| rv = NSS_CMSContentInfo_SetContent_Data(cmsg, &(sigd->contentInfo), NULL, PR_TRUE); |
| if (rv != SECSuccess) |
| goto loser; |
| |
| PORT_ArenaUnmark(poolp, mark); |
| return sigd; |
| |
| loser: |
| if (sigd) |
| NSS_CMSSignedData_Destroy(sigd); |
| PORT_ArenaRelease(poolp, mark); |
| return NULL; |
| } |
| |
| /* TODO: |
| * NSS_CMSSignerInfo_GetReceiptRequest() |
| * NSS_CMSSignedData_HasReceiptRequest() |
| * easy way to iterate over signers |
| */ |