| /* This Source Code Form is subject to the terms of the Mozilla Public |
| * License, v. 2.0. If a copy of the MPL was not distributed with this |
| * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
| |
| /* |
| * CMS decoding. |
| */ |
| |
| #include "cmslocal.h" |
| |
| #include "cert.h" |
| #include "keyhi.h" |
| #include "secasn1.h" |
| #include "secitem.h" |
| #include "secoid.h" |
| #include "prtime.h" |
| #include "secerr.h" |
| |
| struct NSSCMSDecoderContextStr { |
| SEC_ASN1DecoderContext *dcx; /* ASN.1 decoder context */ |
| NSSCMSMessage *cmsg; /* backpointer to the root message */ |
| SECOidTag type; /* type of message */ |
| NSSCMSContent content; /* pointer to message */ |
| NSSCMSDecoderContext *childp7dcx; /* inner CMS decoder context */ |
| PRBool saw_contents; |
| int error; |
| NSSCMSContentCallback cb; |
| void *cb_arg; |
| PRBool first_decoded; |
| PRBool need_indefinite_finish; |
| }; |
| |
| struct NSSCMSDecoderDataStr { |
| SECItem data; /* must be first */ |
| unsigned int totalBufferSize; |
| }; |
| |
| typedef struct NSSCMSDecoderDataStr NSSCMSDecoderData; |
| |
| static void nss_cms_decoder_update_filter(void *arg, const char *data, |
| unsigned long len, int depth, |
| SEC_ASN1EncodingPart data_kind); |
| static SECStatus nss_cms_before_data(NSSCMSDecoderContext *p7dcx); |
| static SECStatus nss_cms_after_data(NSSCMSDecoderContext *p7dcx); |
| static SECStatus nss_cms_after_end(NSSCMSDecoderContext *p7dcx); |
| static void nss_cms_decoder_work_data(NSSCMSDecoderContext *p7dcx, |
| const unsigned char *data, |
| unsigned long len, |
| PRBool final); |
| static NSSCMSDecoderData *nss_cms_create_decoder_data(PLArenaPool *poolp); |
| |
| extern const SEC_ASN1Template NSSCMSMessageTemplate[]; |
| |
| static NSSCMSDecoderData * |
| nss_cms_create_decoder_data(PLArenaPool *poolp) |
| { |
| NSSCMSDecoderData *decoderData = NULL; |
| |
| decoderData = (NSSCMSDecoderData *) |
| PORT_ArenaAlloc(poolp, sizeof(NSSCMSDecoderData)); |
| if (!decoderData) { |
| return NULL; |
| } |
| decoderData->data.data = NULL; |
| decoderData->data.len = 0; |
| decoderData->totalBufferSize = 0; |
| return decoderData; |
| } |
| |
| /* |
| * nss_cms_decoder_notify - |
| * this is the driver of the decoding process. It gets called by the ASN.1 |
| * decoder before and after an object is decoded. |
| * at various points in the decoding process, we intercept to set up and do |
| * further processing. |
| */ |
| static void |
| nss_cms_decoder_notify(void *arg, PRBool before, void *dest, int depth) |
| { |
| NSSCMSDecoderContext *p7dcx; |
| NSSCMSContentInfo *rootcinfo, *cinfo; |
| PRBool after = !before; |
| |
| p7dcx = (NSSCMSDecoderContext *)arg; |
| rootcinfo = &(p7dcx->cmsg->contentInfo); |
| |
| /* XXX error handling: need to set p7dcx->error */ |
| |
| #ifdef CMSDEBUG |
| fprintf(stderr, "%6.6s, dest = 0x%08x, depth = %d\n", before ? "before" : "after", |
| dest, depth); |
| #endif |
| |
| /* so what are we working on right now? */ |
| if (p7dcx->type == SEC_OID_UNKNOWN) { |
| /* |
| * right now, we are still decoding the OUTER (root) cinfo |
| * As soon as we know the inner content type, set up the info, |
| * but NO inner decoder or filter. The root decoder handles the first |
| * level children by itself - only for encapsulated contents (which |
| * are encoded as DER inside of an OCTET STRING) we need to set up a |
| * child decoder... |
| */ |
| if (after && dest == &(rootcinfo->contentType)) { |
| p7dcx->type = NSS_CMSContentInfo_GetContentTypeTag(rootcinfo); |
| p7dcx->content = rootcinfo->content; |
| /* is this ready already ? need to alloc? */ |
| /* XXX yes we need to alloc -- continue here */ |
| } |
| } else if (NSS_CMSType_IsData(p7dcx->type)) { |
| /* this can only happen if the outermost cinfo has DATA in it */ |
| /* otherwise, we handle this type implicitely in the inner decoders */ |
| |
| if (before && dest == &(rootcinfo->content)) { |
| /* cause the filter to put the data in the right place... |
| ** We want the ASN.1 decoder to deliver the decoded bytes to us |
| ** from now on |
| */ |
| SEC_ASN1DecoderSetFilterProc(p7dcx->dcx, |
| nss_cms_decoder_update_filter, |
| p7dcx, |
| (PRBool)(p7dcx->cb != NULL)); |
| } else if (after && dest == &(rootcinfo->content.data)) { |
| /* remove the filter */ |
| SEC_ASN1DecoderClearFilterProc(p7dcx->dcx); |
| } |
| } else if (NSS_CMSType_IsWrapper(p7dcx->type)) { |
| if (!before || dest != &(rootcinfo->content)) { |
| |
| if (p7dcx->content.pointer == NULL) |
| p7dcx->content = rootcinfo->content; |
| |
| /* get this data type's inner contentInfo */ |
| cinfo = NSS_CMSContent_GetContentInfo(p7dcx->content.pointer, |
| p7dcx->type); |
| |
| if (before && dest == &(cinfo->contentType)) { |
| /* at this point, set up the &%$&$ back pointer */ |
| /* we cannot do it later, because the content itself |
| * is optional! */ |
| switch (p7dcx->type) { |
| case SEC_OID_PKCS7_SIGNED_DATA: |
| p7dcx->content.signedData->cmsg = p7dcx->cmsg; |
| break; |
| case SEC_OID_PKCS7_DIGESTED_DATA: |
| p7dcx->content.digestedData->cmsg = p7dcx->cmsg; |
| break; |
| case SEC_OID_PKCS7_ENVELOPED_DATA: |
| p7dcx->content.envelopedData->cmsg = p7dcx->cmsg; |
| break; |
| case SEC_OID_PKCS7_ENCRYPTED_DATA: |
| p7dcx->content.encryptedData->cmsg = p7dcx->cmsg; |
| break; |
| default: |
| p7dcx->content.genericData->cmsg = p7dcx->cmsg; |
| break; |
| } |
| } |
| |
| if (before && dest == &(cinfo->rawContent)) { |
| /* we want the ASN.1 decoder to deliver the decoded bytes to us |
| ** from now on |
| */ |
| SEC_ASN1DecoderSetFilterProc(p7dcx->dcx, |
| nss_cms_decoder_update_filter, |
| p7dcx, (PRBool)(p7dcx->cb != NULL)); |
| |
| /* we're right in front of the data */ |
| if (nss_cms_before_data(p7dcx) != SECSuccess) { |
| SEC_ASN1DecoderClearFilterProc(p7dcx->dcx); |
| /* stop all processing */ |
| p7dcx->error = PORT_GetError(); |
| } |
| } |
| if (after && dest == &(cinfo->rawContent)) { |
| /* we're right after of the data */ |
| if (nss_cms_after_data(p7dcx) != SECSuccess) |
| p7dcx->error = PORT_GetError(); |
| |
| /* we don't need to see the contents anymore */ |
| SEC_ASN1DecoderClearFilterProc(p7dcx->dcx); |
| } |
| } |
| } else { |
| /* unsupported or unknown message type - fail gracefully */ |
| p7dcx->error = SEC_ERROR_UNSUPPORTED_MESSAGE_TYPE; |
| } |
| } |
| |
| /* |
| * nss_cms_before_data - set up the current encoder to receive data |
| */ |
| static SECStatus |
| nss_cms_before_data(NSSCMSDecoderContext *p7dcx) |
| { |
| SECStatus rv; |
| SECOidTag childtype; |
| PLArenaPool *poolp; |
| NSSCMSDecoderContext *childp7dcx; |
| NSSCMSContentInfo *cinfo; |
| const SEC_ASN1Template *template; |
| void *mark = NULL; |
| size_t size; |
| |
| poolp = p7dcx->cmsg->poolp; |
| |
| /* call _Decode_BeforeData handlers */ |
| switch (p7dcx->type) { |
| case SEC_OID_PKCS7_SIGNED_DATA: |
| /* we're decoding a signedData, so set up the digests */ |
| rv = NSS_CMSSignedData_Decode_BeforeData(p7dcx->content.signedData); |
| break; |
| case SEC_OID_PKCS7_DIGESTED_DATA: |
| /* we're encoding a digestedData, so set up the digest */ |
| rv = NSS_CMSDigestedData_Decode_BeforeData(p7dcx->content.digestedData); |
| break; |
| case SEC_OID_PKCS7_ENVELOPED_DATA: |
| rv = NSS_CMSEnvelopedData_Decode_BeforeData( |
| p7dcx->content.envelopedData); |
| break; |
| case SEC_OID_PKCS7_ENCRYPTED_DATA: |
| rv = NSS_CMSEncryptedData_Decode_BeforeData( |
| p7dcx->content.encryptedData); |
| break; |
| default: |
| rv = NSS_CMSGenericWrapperData_Decode_BeforeData(p7dcx->type, |
| p7dcx->content.genericData); |
| } |
| if (rv != SECSuccess) |
| return SECFailure; |
| |
| /* ok, now we have a pointer to cinfo */ |
| /* find out what kind of data is encapsulated */ |
| |
| cinfo = NSS_CMSContent_GetContentInfo(p7dcx->content.pointer, p7dcx->type); |
| childtype = NSS_CMSContentInfo_GetContentTypeTag(cinfo); |
| |
| if (NSS_CMSType_IsData(childtype)) { |
| cinfo->content.pointer = (void *)nss_cms_create_decoder_data(poolp); |
| if (cinfo->content.pointer == NULL) |
| /* set memory error */ |
| return SECFailure; |
| |
| p7dcx->childp7dcx = NULL; |
| return SECSuccess; |
| } |
| |
| /* set up inner decoder */ |
| |
| if ((template = NSS_CMSUtil_GetTemplateByTypeTag(childtype)) == NULL) |
| return SECFailure; |
| |
| childp7dcx = PORT_ZNew(NSSCMSDecoderContext); |
| if (childp7dcx == NULL) |
| return SECFailure; |
| |
| mark = PORT_ArenaMark(poolp); |
| |
| /* allocate space for the stuff we're creating */ |
| size = NSS_CMSUtil_GetSizeByTypeTag(childtype); |
| childp7dcx->content.pointer = (void *)PORT_ArenaZAlloc(poolp, size); |
| if (childp7dcx->content.pointer == NULL) |
| goto loser; |
| |
| /* give the parent a copy of the pointer so that it doesn't get lost */ |
| cinfo->content.pointer = childp7dcx->content.pointer; |
| |
| /* start the child decoder */ |
| childp7dcx->dcx = SEC_ASN1DecoderStart(poolp, childp7dcx->content.pointer, |
| template); |
| if (childp7dcx->dcx == NULL) |
| goto loser; |
| |
| /* the new decoder needs to notify, too */ |
| SEC_ASN1DecoderSetNotifyProc(childp7dcx->dcx, nss_cms_decoder_notify, |
| childp7dcx); |
| |
| /* tell the parent decoder that it needs to feed us the content data */ |
| p7dcx->childp7dcx = childp7dcx; |
| |
| childp7dcx->type = childtype; /* our type */ |
| |
| childp7dcx->cmsg = p7dcx->cmsg; /* backpointer to root message */ |
| |
| /* should the child decoder encounter real data, |
| ** it must give it to the caller |
| */ |
| childp7dcx->cb = p7dcx->cb; |
| childp7dcx->cb_arg = p7dcx->cb_arg; |
| childp7dcx->first_decoded = PR_FALSE; |
| childp7dcx->need_indefinite_finish = PR_FALSE; |
| if (childtype == SEC_OID_PKCS7_SIGNED_DATA) { |
| childp7dcx->first_decoded = PR_TRUE; |
| } |
| |
| /* now set up the parent to hand decoded data to the next level decoder */ |
| p7dcx->cb = (NSSCMSContentCallback)NSS_CMSDecoder_Update; |
| p7dcx->cb_arg = childp7dcx; |
| |
| PORT_ArenaUnmark(poolp, mark); |
| |
| return SECSuccess; |
| |
| loser: |
| if (mark) |
| PORT_ArenaRelease(poolp, mark); |
| PORT_Free(childp7dcx); |
| p7dcx->childp7dcx = NULL; |
| return SECFailure; |
| } |
| |
| static SECStatus |
| nss_cms_after_data(NSSCMSDecoderContext *p7dcx) |
| { |
| NSSCMSDecoderContext *childp7dcx; |
| SECStatus rv = SECFailure; |
| |
| /* Handle last block. This is necessary to flush out the last bytes |
| * of a possibly incomplete block */ |
| nss_cms_decoder_work_data(p7dcx, NULL, 0, PR_TRUE); |
| |
| /* finish any "inner" decoders - there's no more data coming... */ |
| if (p7dcx->childp7dcx != NULL) { |
| childp7dcx = p7dcx->childp7dcx; |
| if (childp7dcx->dcx != NULL) { |
| /* we started and indefinite sequence somewhere, not complete it */ |
| if (childp7dcx->need_indefinite_finish) { |
| static const char lbuf[2] = { 0, 0 }; |
| NSS_CMSDecoder_Update(childp7dcx, lbuf, sizeof(lbuf)); |
| childp7dcx->need_indefinite_finish = PR_FALSE; |
| } |
| |
| if (SEC_ASN1DecoderFinish(childp7dcx->dcx) != SECSuccess) { |
| /* do what? free content? */ |
| rv = SECFailure; |
| } else { |
| rv = nss_cms_after_end(childp7dcx); |
| } |
| if (rv != SECSuccess) |
| goto done; |
| } |
| PORT_Free(p7dcx->childp7dcx); |
| p7dcx->childp7dcx = NULL; |
| } |
| |
| switch (p7dcx->type) { |
| case SEC_OID_PKCS7_SIGNED_DATA: |
| /* this will finish the digests and verify */ |
| rv = NSS_CMSSignedData_Decode_AfterData(p7dcx->content.signedData); |
| break; |
| case SEC_OID_PKCS7_ENVELOPED_DATA: |
| rv = NSS_CMSEnvelopedData_Decode_AfterData( |
| p7dcx->content.envelopedData); |
| break; |
| case SEC_OID_PKCS7_DIGESTED_DATA: |
| rv = NSS_CMSDigestedData_Decode_AfterData( |
| p7dcx->content.digestedData); |
| break; |
| case SEC_OID_PKCS7_ENCRYPTED_DATA: |
| rv = NSS_CMSEncryptedData_Decode_AfterData( |
| p7dcx->content.encryptedData); |
| break; |
| case SEC_OID_PKCS7_DATA: |
| /* do nothing */ |
| break; |
| default: |
| rv = NSS_CMSGenericWrapperData_Decode_AfterData(p7dcx->type, |
| p7dcx->content.genericData); |
| break; |
| } |
| done: |
| return rv; |
| } |
| |
| static SECStatus |
| nss_cms_after_end(NSSCMSDecoderContext *p7dcx) |
| { |
| SECStatus rv = SECSuccess; |
| |
| switch (p7dcx->type) { |
| case SEC_OID_PKCS7_SIGNED_DATA: |
| if (p7dcx->content.signedData) |
| rv = NSS_CMSSignedData_Decode_AfterEnd(p7dcx->content.signedData); |
| break; |
| case SEC_OID_PKCS7_ENVELOPED_DATA: |
| if (p7dcx->content.envelopedData) |
| rv = NSS_CMSEnvelopedData_Decode_AfterEnd( |
| p7dcx->content.envelopedData); |
| break; |
| case SEC_OID_PKCS7_DIGESTED_DATA: |
| if (p7dcx->content.digestedData) |
| rv = NSS_CMSDigestedData_Decode_AfterEnd( |
| p7dcx->content.digestedData); |
| break; |
| case SEC_OID_PKCS7_ENCRYPTED_DATA: |
| if (p7dcx->content.encryptedData) |
| rv = NSS_CMSEncryptedData_Decode_AfterEnd( |
| p7dcx->content.encryptedData); |
| break; |
| case SEC_OID_PKCS7_DATA: |
| break; |
| default: |
| rv = NSS_CMSGenericWrapperData_Decode_AfterEnd(p7dcx->type, |
| p7dcx->content.genericData); |
| break; |
| } |
| return rv; |
| } |
| |
| /* |
| * nss_cms_decoder_work_data - handle decoded data bytes. |
| * |
| * This function either decrypts the data if needed, and/or calculates digests |
| * on it, then either stores it or passes it on to the next level decoder. |
| */ |
| static void |
| nss_cms_decoder_work_data(NSSCMSDecoderContext *p7dcx, |
| const unsigned char *data, unsigned long len, |
| PRBool final) |
| { |
| NSSCMSContentInfo *cinfo; |
| unsigned char *buf = NULL; |
| unsigned char *dest; |
| unsigned int offset; |
| SECStatus rv; |
| |
| /* |
| * We should really have data to process, or we should be trying |
| * to finish/flush the last block. (This is an overly paranoid |
| * check since all callers are in this file and simple inspection |
| * proves they do it right. But it could find a bug in future |
| * modifications/development, that is why it is here.) |
| */ |
| PORT_Assert((data != NULL && len) || final); |
| |
| cinfo = NSS_CMSContent_GetContentInfo(p7dcx->content.pointer, p7dcx->type); |
| if (!cinfo) { |
| /* The original programmer didn't expect this to happen */ |
| p7dcx->error = SEC_ERROR_LIBRARY_FAILURE; |
| goto loser; |
| } |
| |
| if (cinfo->privateInfo && cinfo->privateInfo->ciphcx != NULL) { |
| /* |
| * we are decrypting. |
| * |
| * XXX If we get an error, we do not want to do the digest or callback, |
| * but we want to keep decoding. Or maybe we want to stop decoding |
| * altogether if there is a callback, because obviously we are not |
| * sending the data back and they want to know that. |
| */ |
| |
| unsigned int outlen = 0; /* length of decrypted data */ |
| unsigned int buflen; /* length available for decrypted data */ |
| |
| /* find out about the length of decrypted data */ |
| buflen = NSS_CMSCipherContext_DecryptLength(cinfo->privateInfo->ciphcx, len, final); |
| |
| /* |
| * it might happen that we did not provide enough data for a full |
| * block (decryption unit), and that there is no output available |
| */ |
| |
| /* no output available, AND no input? */ |
| if (buflen == 0 && len == 0) |
| goto loser; /* bail out */ |
| |
| /* |
| * have inner decoder: pass the data on (means inner content type is NOT data) |
| * no inner decoder: we have DATA in here: either call callback or store |
| */ |
| if (buflen != 0) { |
| /* there will be some output - need to make room for it */ |
| /* allocate buffer from the heap */ |
| buf = (unsigned char *)PORT_Alloc(buflen); |
| if (buf == NULL) { |
| p7dcx->error = SEC_ERROR_NO_MEMORY; |
| goto loser; |
| } |
| } |
| |
| /* |
| * decrypt incoming data |
| * buf can still be NULL here (and buflen == 0) here if we don't expect |
| * any output (see above), but we still need to call NSS_CMSCipherContext_Decrypt to |
| * keep track of incoming data |
| */ |
| rv = NSS_CMSCipherContext_Decrypt(cinfo->privateInfo->ciphcx, buf, &outlen, buflen, |
| data, len, final); |
| if (rv != SECSuccess) { |
| p7dcx->error = PORT_GetError(); |
| goto loser; |
| } |
| |
| PORT_Assert(final || outlen == buflen); |
| |
| /* swap decrypted data in */ |
| data = buf; |
| len = outlen; |
| } |
| |
| if (len == 0) |
| goto done; /* nothing more to do */ |
| |
| /* |
| * Update the running digests with plaintext bytes (if we need to). |
| */ |
| if (cinfo->privateInfo && cinfo->privateInfo->digcx) |
| NSS_CMSDigestContext_Update(cinfo->privateInfo->digcx, data, len); |
| |
| /* at this point, we have the plain decoded & decrypted data |
| ** which is either more encoded DER (which we need to hand to the child |
| ** decoder) or data we need to hand back to our caller |
| */ |
| |
| /* pass the content back to our caller or */ |
| /* feed our freshly decrypted and decoded data into child decoder */ |
| if (p7dcx->cb != NULL) { |
| (*p7dcx->cb)(p7dcx->cb_arg, (const char *)data, len); |
| } |
| #if 1 |
| else |
| #endif |
| if (NSS_CMSContentInfo_GetContentTypeTag(cinfo) == SEC_OID_PKCS7_DATA) { |
| /* store it in "inner" data item as well */ |
| /* find the DATA item in the encapsulated cinfo and store it there */ |
| NSSCMSDecoderData *decoderData = |
| (NSSCMSDecoderData *)cinfo->content.pointer; |
| SECItem *dataItem = &decoderData->data; |
| |
| offset = dataItem->len; |
| if (dataItem->len + len > decoderData->totalBufferSize) { |
| int needLen = (dataItem->len + len) * 2; |
| dest = (unsigned char *) |
| PORT_ArenaAlloc(p7dcx->cmsg->poolp, needLen); |
| if (dest == NULL) { |
| p7dcx->error = SEC_ERROR_NO_MEMORY; |
| goto loser; |
| } |
| |
| if (dataItem->len) { |
| PORT_Memcpy(dest, dataItem->data, dataItem->len); |
| } |
| decoderData->totalBufferSize = needLen; |
| dataItem->data = dest; |
| } |
| |
| /* copy it in */ |
| PORT_Memcpy(dataItem->data + offset, data, len); |
| dataItem->len += len; |
| } |
| |
| done: |
| loser: |
| if (buf) |
| PORT_Free(buf); |
| } |
| |
| /* |
| * nss_cms_decoder_update_filter - process ASN.1 data |
| * |
| * once we have set up a filter in nss_cms_decoder_notify(), |
| * all data processed by the ASN.1 decoder is also passed through here. |
| * we pass the content bytes (as opposed to length and tag bytes) on to |
| * nss_cms_decoder_work_data(). |
| */ |
| static void |
| nss_cms_decoder_update_filter(void *arg, const char *data, unsigned long len, |
| int depth, SEC_ASN1EncodingPart data_kind) |
| { |
| NSSCMSDecoderContext *p7dcx; |
| |
| PORT_Assert(len); /* paranoia */ |
| if (len == 0) |
| return; |
| |
| p7dcx = (NSSCMSDecoderContext *)arg; |
| |
| p7dcx->saw_contents = PR_TRUE; |
| |
| /* pass on the content bytes only */ |
| if (data_kind == SEC_ASN1_Contents) |
| nss_cms_decoder_work_data(p7dcx, (const unsigned char *)data, len, |
| PR_FALSE); |
| } |
| |
| /* |
| * NSS_CMSDecoder_Start - set up decoding of a DER-encoded CMS message |
| * |
| * "poolp" - pointer to arena for message, or NULL if new pool should be created |
| * "cb", "cb_arg" - callback function and argument for delivery of inner content |
| * "pwfn", pwfn_arg" - callback function for getting token password |
| * "decrypt_key_cb", "decrypt_key_cb_arg" - callback function for getting bulk key for encryptedData |
| */ |
| NSSCMSDecoderContext * |
| NSS_CMSDecoder_Start(PLArenaPool *poolp, |
| NSSCMSContentCallback cb, void *cb_arg, |
| PK11PasswordFunc pwfn, void *pwfn_arg, |
| NSSCMSGetDecryptKeyCallback decrypt_key_cb, |
| void *decrypt_key_cb_arg) |
| { |
| NSSCMSDecoderContext *p7dcx; |
| NSSCMSMessage *cmsg; |
| |
| cmsg = NSS_CMSMessage_Create(poolp); |
| if (cmsg == NULL) |
| return NULL; |
| |
| NSS_CMSMessage_SetEncodingParams(cmsg, pwfn, pwfn_arg, decrypt_key_cb, |
| decrypt_key_cb_arg, NULL, NULL); |
| |
| p7dcx = PORT_ZNew(NSSCMSDecoderContext); |
| if (p7dcx == NULL) { |
| NSS_CMSMessage_Destroy(cmsg); |
| return NULL; |
| } |
| |
| p7dcx->dcx = SEC_ASN1DecoderStart(cmsg->poolp, cmsg, NSSCMSMessageTemplate); |
| if (p7dcx->dcx == NULL) { |
| PORT_Free(p7dcx); |
| NSS_CMSMessage_Destroy(cmsg); |
| return NULL; |
| } |
| |
| SEC_ASN1DecoderSetNotifyProc(p7dcx->dcx, nss_cms_decoder_notify, p7dcx); |
| |
| p7dcx->cmsg = cmsg; |
| p7dcx->type = SEC_OID_UNKNOWN; |
| |
| p7dcx->cb = cb; |
| p7dcx->cb_arg = cb_arg; |
| p7dcx->first_decoded = PR_FALSE; |
| p7dcx->need_indefinite_finish = PR_FALSE; |
| return p7dcx; |
| } |
| |
| /* |
| * NSS_CMSDecoder_Update - feed DER-encoded data to decoder |
| */ |
| SECStatus |
| NSS_CMSDecoder_Update(NSSCMSDecoderContext *p7dcx, const char *buf, |
| unsigned long len) |
| { |
| SECStatus rv = SECSuccess; |
| if (p7dcx->dcx != NULL && p7dcx->error == 0) { |
| /* if error is set already, don't bother */ |
| if ((p7dcx->type == SEC_OID_PKCS7_SIGNED_DATA) && (p7dcx->first_decoded == PR_TRUE) && (buf[0] == SEC_ASN1_INTEGER)) { |
| /* Microsoft Windows 2008 left out the Sequence wrapping in some |
| * of their kerberos replies. If we are here, we most likely are |
| * dealing with one of those replies. Supply the Sequence wrap |
| * as indefinite encoding (since we don't know the total length |
| * yet) */ |
| static const char lbuf[2] = |
| { SEC_ASN1_SEQUENCE | SEC_ASN1_CONSTRUCTED, 0x80 }; |
| rv = SEC_ASN1DecoderUpdate(p7dcx->dcx, lbuf, sizeof(lbuf)); |
| if (rv != SECSuccess) { |
| goto loser; |
| } |
| /* ok, we're going to need the indefinite finish when we are done */ |
| p7dcx->need_indefinite_finish = PR_TRUE; |
| } |
| |
| rv = SEC_ASN1DecoderUpdate(p7dcx->dcx, buf, len); |
| } |
| |
| loser: |
| p7dcx->first_decoded = PR_FALSE; |
| if (rv != SECSuccess) { |
| p7dcx->error = PORT_GetError(); |
| PORT_Assert(p7dcx->error); |
| if (p7dcx->error == 0) |
| p7dcx->error = -1; |
| } |
| |
| if (p7dcx->error == 0) |
| return SECSuccess; |
| |
| /* there has been a problem, let's finish the decoder */ |
| if (p7dcx->dcx != NULL) { |
| (void)SEC_ASN1DecoderFinish(p7dcx->dcx); |
| p7dcx->dcx = NULL; |
| } |
| PORT_SetError(p7dcx->error); |
| |
| return SECFailure; |
| } |
| |
| /* |
| * NSS_CMSDecoder_Cancel - stop decoding in case of error |
| */ |
| void |
| NSS_CMSDecoder_Cancel(NSSCMSDecoderContext *p7dcx) |
| { |
| if (p7dcx->dcx != NULL) |
| (void)SEC_ASN1DecoderFinish(p7dcx->dcx); |
| NSS_CMSMessage_Destroy(p7dcx->cmsg); |
| PORT_Free(p7dcx); |
| } |
| |
| /* |
| * NSS_CMSDecoder_Finish - mark the end of inner content and finish decoding |
| */ |
| NSSCMSMessage * |
| NSS_CMSDecoder_Finish(NSSCMSDecoderContext *p7dcx) |
| { |
| NSSCMSMessage *cmsg; |
| |
| cmsg = p7dcx->cmsg; |
| |
| if (p7dcx->dcx == NULL || |
| SEC_ASN1DecoderFinish(p7dcx->dcx) != SECSuccess || |
| nss_cms_after_end(p7dcx) != SECSuccess) { |
| NSS_CMSMessage_Destroy(cmsg); /* get rid of pool if it's ours */ |
| cmsg = NULL; |
| } |
| |
| PORT_Free(p7dcx); |
| return cmsg; |
| } |
| |
| NSSCMSMessage * |
| NSS_CMSMessage_CreateFromDER(SECItem *DERmessage, |
| NSSCMSContentCallback cb, void *cb_arg, |
| PK11PasswordFunc pwfn, void *pwfn_arg, |
| NSSCMSGetDecryptKeyCallback decrypt_key_cb, |
| void *decrypt_key_cb_arg) |
| { |
| NSSCMSDecoderContext *p7dcx; |
| |
| /* first arg(poolp) == NULL => create our own pool */ |
| p7dcx = NSS_CMSDecoder_Start(NULL, cb, cb_arg, pwfn, pwfn_arg, |
| decrypt_key_cb, decrypt_key_cb_arg); |
| if (p7dcx == NULL) |
| return NULL; |
| NSS_CMSDecoder_Update(p7dcx, (char *)DERmessage->data, DERmessage->len); |
| return NSS_CMSDecoder_Finish(p7dcx); |
| } |