mirror of
https://github.com/rn10950/RetroZilla.git
synced 2024-11-14 03:30:17 +01:00
1142 lines
30 KiB
C
1142 lines
30 KiB
C
/* This Source Code Form is subject to the terms of the Mozilla Public
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
|
|
|
/*
|
|
* CMS signedData methods.
|
|
*/
|
|
|
|
#include "cmslocal.h"
|
|
|
|
#include "cert.h"
|
|
/*#include "cdbhdl.h"*/
|
|
#include "secasn1.h"
|
|
#include "secitem.h"
|
|
#include "secoid.h"
|
|
#include "pk11func.h"
|
|
#include "secerr.h"
|
|
|
|
NSSCMSSignedData *
|
|
NSS_CMSSignedData_Create(NSSCMSMessage *cmsg)
|
|
{
|
|
void *mark;
|
|
NSSCMSSignedData *sigd;
|
|
PLArenaPool *poolp;
|
|
|
|
if (!cmsg) {
|
|
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
|
return NULL;
|
|
}
|
|
|
|
poolp = cmsg->poolp;
|
|
|
|
mark = PORT_ArenaMark(poolp);
|
|
|
|
sigd = (NSSCMSSignedData *)PORT_ArenaZAlloc (poolp, sizeof(NSSCMSSignedData));
|
|
if (sigd == NULL)
|
|
goto loser;
|
|
|
|
sigd->cmsg = cmsg;
|
|
|
|
/* signerInfos, certs, certlists, crls are all empty */
|
|
/* version is set in NSS_CMSSignedData_Finalize() */
|
|
|
|
PORT_ArenaUnmark(poolp, mark);
|
|
return sigd;
|
|
|
|
loser:
|
|
PORT_ArenaRelease(poolp, mark);
|
|
return NULL;
|
|
}
|
|
|
|
void
|
|
NSS_CMSSignedData_Destroy(NSSCMSSignedData *sigd)
|
|
{
|
|
CERTCertificate **certs, **tempCerts, *cert;
|
|
CERTCertificateList **certlists, *certlist;
|
|
NSSCMSSignerInfo **signerinfos, *si;
|
|
|
|
if (sigd == NULL)
|
|
return;
|
|
|
|
certs = sigd->certs;
|
|
tempCerts = sigd->tempCerts;
|
|
certlists = sigd->certLists;
|
|
signerinfos = sigd->signerInfos;
|
|
|
|
if (certs != NULL) {
|
|
while ((cert = *certs++) != NULL)
|
|
CERT_DestroyCertificate (cert);
|
|
}
|
|
|
|
if (tempCerts != NULL) {
|
|
while ((cert = *tempCerts++) != NULL)
|
|
CERT_DestroyCertificate (cert);
|
|
}
|
|
|
|
if (certlists != NULL) {
|
|
while ((certlist = *certlists++) != NULL)
|
|
CERT_DestroyCertificateList (certlist);
|
|
}
|
|
|
|
if (signerinfos != NULL) {
|
|
while ((si = *signerinfos++) != NULL)
|
|
NSS_CMSSignerInfo_Destroy(si);
|
|
}
|
|
|
|
/* everything's in a pool, so don't worry about the storage */
|
|
NSS_CMSContentInfo_Destroy(&(sigd->contentInfo));
|
|
|
|
}
|
|
|
|
/*
|
|
* NSS_CMSSignedData_Encode_BeforeStart - do all the necessary things to a SignedData
|
|
* before start of encoding.
|
|
*
|
|
* In detail:
|
|
* - find out about the right value to put into sigd->version
|
|
* - come up with a list of digestAlgorithms (which should be the union of the algorithms
|
|
* in the signerinfos).
|
|
* If we happen to have a pre-set list of algorithms (and digest values!), we
|
|
* check if we have all the signerinfos' algorithms. If not, this is an error.
|
|
*/
|
|
SECStatus
|
|
NSS_CMSSignedData_Encode_BeforeStart(NSSCMSSignedData *sigd)
|
|
{
|
|
NSSCMSSignerInfo *signerinfo;
|
|
SECOidTag digestalgtag;
|
|
SECItem *dummy;
|
|
int version;
|
|
SECStatus rv;
|
|
PRBool haveDigests = PR_FALSE;
|
|
int n, i;
|
|
PLArenaPool *poolp;
|
|
|
|
if (!sigd) {
|
|
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
|
return SECFailure;
|
|
}
|
|
|
|
poolp = sigd->cmsg->poolp;
|
|
|
|
/* we assume that we have precomputed digests if there is a list of algorithms, and */
|
|
/* a chunk of data for each of those algorithms */
|
|
if (sigd->digestAlgorithms != NULL && sigd->digests != NULL) {
|
|
for (i=0; sigd->digestAlgorithms[i] != NULL; i++) {
|
|
if (sigd->digests[i] == NULL)
|
|
break;
|
|
}
|
|
if (sigd->digestAlgorithms[i] == NULL) /* reached the end of the array? */
|
|
haveDigests = PR_TRUE; /* yes: we must have all the digests */
|
|
}
|
|
|
|
version = NSS_CMS_SIGNED_DATA_VERSION_BASIC;
|
|
|
|
/* RFC2630 5.1 "version is the syntax version number..." */
|
|
if (NSS_CMSContentInfo_GetContentTypeTag(&(sigd->contentInfo)) != SEC_OID_PKCS7_DATA)
|
|
version = NSS_CMS_SIGNED_DATA_VERSION_EXT;
|
|
|
|
/* prepare all the SignerInfos (there may be none) */
|
|
for (i=0; i < NSS_CMSSignedData_SignerInfoCount(sigd); i++) {
|
|
signerinfo = NSS_CMSSignedData_GetSignerInfo(sigd, i);
|
|
|
|
/* RFC2630 5.1 "version is the syntax version number..." */
|
|
if (NSS_CMSSignerInfo_GetVersion(signerinfo) != NSS_CMS_SIGNER_INFO_VERSION_ISSUERSN)
|
|
version = NSS_CMS_SIGNED_DATA_VERSION_EXT;
|
|
|
|
/* collect digestAlgorithms from SignerInfos */
|
|
/* (we need to know which algorithms we have when the content comes in) */
|
|
/* do not overwrite any existing digestAlgorithms (and digest) */
|
|
digestalgtag = NSS_CMSSignerInfo_GetDigestAlgTag(signerinfo);
|
|
n = NSS_CMSAlgArray_GetIndexByAlgTag(sigd->digestAlgorithms, digestalgtag);
|
|
if (n < 0 && haveDigests) {
|
|
/* oops, there is a digestalg we do not have a digest for */
|
|
/* but we were supposed to have all the digests already... */
|
|
goto loser;
|
|
} else if (n < 0) {
|
|
/* add the digestAlgorithm & a NULL digest */
|
|
rv = NSS_CMSSignedData_AddDigest(poolp, sigd, digestalgtag, NULL);
|
|
if (rv != SECSuccess)
|
|
goto loser;
|
|
} else {
|
|
/* found it, nothing to do */
|
|
}
|
|
}
|
|
|
|
dummy = SEC_ASN1EncodeInteger(poolp, &(sigd->version), (long)version);
|
|
if (dummy == NULL)
|
|
return SECFailure;
|
|
|
|
/* this is a SET OF, so we need to sort them guys */
|
|
rv = NSS_CMSArray_SortByDER((void **)sigd->digestAlgorithms,
|
|
SEC_ASN1_GET(SECOID_AlgorithmIDTemplate),
|
|
(void **)sigd->digests);
|
|
if (rv != SECSuccess)
|
|
return SECFailure;
|
|
|
|
return SECSuccess;
|
|
|
|
loser:
|
|
return SECFailure;
|
|
}
|
|
|
|
SECStatus
|
|
NSS_CMSSignedData_Encode_BeforeData(NSSCMSSignedData *sigd)
|
|
{
|
|
SECStatus rv;
|
|
if (!sigd) {
|
|
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
|
return SECFailure;
|
|
}
|
|
rv = NSS_CMSContentInfo_Private_Init(&sigd->contentInfo);
|
|
if (rv != SECSuccess) {
|
|
return SECFailure;
|
|
}
|
|
/* set up the digests */
|
|
if (sigd->digests && sigd->digests[0]) {
|
|
sigd->contentInfo.privateInfo->digcx = NULL; /* don't attempt to make new ones. */
|
|
} else if (sigd->digestAlgorithms != NULL) {
|
|
sigd->contentInfo.privateInfo->digcx =
|
|
NSS_CMSDigestContext_StartMultiple(sigd->digestAlgorithms);
|
|
if (sigd->contentInfo.privateInfo->digcx == NULL)
|
|
return SECFailure;
|
|
}
|
|
return SECSuccess;
|
|
}
|
|
|
|
/*
|
|
* NSS_CMSSignedData_Encode_AfterData - do all the necessary things to a SignedData
|
|
* after all the encapsulated data was passed through the encoder.
|
|
*
|
|
* In detail:
|
|
* - create the signatures in all the SignerInfos
|
|
*
|
|
* Please note that nothing is done to the Certificates and CRLs in the message - this
|
|
* is entirely the responsibility of our callers.
|
|
*/
|
|
SECStatus
|
|
NSS_CMSSignedData_Encode_AfterData(NSSCMSSignedData *sigd)
|
|
{
|
|
NSSCMSSignerInfo **signerinfos, *signerinfo;
|
|
NSSCMSContentInfo *cinfo;
|
|
SECOidTag digestalgtag;
|
|
SECStatus ret = SECFailure;
|
|
SECStatus rv;
|
|
SECItem *contentType;
|
|
int certcount;
|
|
int i, ci, cli, n, rci, si;
|
|
PLArenaPool *poolp;
|
|
CERTCertificateList *certlist;
|
|
extern const SEC_ASN1Template NSSCMSSignerInfoTemplate[];
|
|
|
|
if (!sigd) {
|
|
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
|
return SECFailure;
|
|
}
|
|
|
|
poolp = sigd->cmsg->poolp;
|
|
cinfo = &(sigd->contentInfo);
|
|
|
|
/* did we have digest calculation going on? */
|
|
if (cinfo->privateInfo && cinfo->privateInfo->digcx) {
|
|
rv = NSS_CMSDigestContext_FinishMultiple(cinfo->privateInfo->digcx, poolp,
|
|
&(sigd->digests));
|
|
/* error has been set by NSS_CMSDigestContext_FinishMultiple */
|
|
cinfo->privateInfo->digcx = NULL;
|
|
if (rv != SECSuccess)
|
|
goto loser;
|
|
}
|
|
|
|
signerinfos = sigd->signerInfos;
|
|
certcount = 0;
|
|
|
|
/* prepare all the SignerInfos (there may be none) */
|
|
for (i=0; i < NSS_CMSSignedData_SignerInfoCount(sigd); i++) {
|
|
signerinfo = NSS_CMSSignedData_GetSignerInfo(sigd, i);
|
|
|
|
/* find correct digest for this signerinfo */
|
|
digestalgtag = NSS_CMSSignerInfo_GetDigestAlgTag(signerinfo);
|
|
n = NSS_CMSAlgArray_GetIndexByAlgTag(sigd->digestAlgorithms, digestalgtag);
|
|
if (n < 0 || sigd->digests == NULL || sigd->digests[n] == NULL) {
|
|
/* oops - digest not found */
|
|
PORT_SetError(SEC_ERROR_DIGEST_NOT_FOUND);
|
|
goto loser;
|
|
}
|
|
|
|
/* XXX if our content is anything else but data, we need to force the
|
|
* presence of signed attributes (RFC2630 5.3 "signedAttributes is a
|
|
* collection...") */
|
|
|
|
/* pass contentType here as we want a contentType attribute */
|
|
if ((contentType = NSS_CMSContentInfo_GetContentTypeOID(cinfo)) == NULL)
|
|
goto loser;
|
|
|
|
/* sign the thing */
|
|
rv = NSS_CMSSignerInfo_Sign(signerinfo, sigd->digests[n], contentType);
|
|
if (rv != SECSuccess)
|
|
goto loser;
|
|
|
|
/* while we're at it, count number of certs in certLists */
|
|
certlist = NSS_CMSSignerInfo_GetCertList(signerinfo);
|
|
if (certlist)
|
|
certcount += certlist->len;
|
|
}
|
|
|
|
/* this is a SET OF, so we need to sort them guys */
|
|
rv = NSS_CMSArray_SortByDER((void **)signerinfos, NSSCMSSignerInfoTemplate, NULL);
|
|
if (rv != SECSuccess)
|
|
goto loser;
|
|
|
|
/*
|
|
* now prepare certs & crls
|
|
*/
|
|
|
|
/* count the rest of the certs */
|
|
if (sigd->certs != NULL) {
|
|
for (ci = 0; sigd->certs[ci] != NULL; ci++)
|
|
certcount++;
|
|
}
|
|
|
|
if (sigd->certLists != NULL) {
|
|
for (cli = 0; sigd->certLists[cli] != NULL; cli++)
|
|
certcount += sigd->certLists[cli]->len;
|
|
}
|
|
|
|
if (certcount == 0) {
|
|
sigd->rawCerts = NULL;
|
|
} else {
|
|
/*
|
|
* Combine all of the certs and cert chains into rawcerts.
|
|
* Note: certcount is an upper bound; we may not need that many slots
|
|
* but we will allocate anyway to avoid having to do another pass.
|
|
* (The temporary space saving is not worth it.)
|
|
*
|
|
* XXX ARGH - this NEEDS to be fixed. need to come up with a decent
|
|
* SetOfDERcertficates implementation
|
|
*/
|
|
sigd->rawCerts = (SECItem **)PORT_ArenaAlloc(poolp, (certcount + 1) * sizeof(SECItem *));
|
|
if (sigd->rawCerts == NULL)
|
|
return SECFailure;
|
|
|
|
/*
|
|
* XXX Want to check for duplicates and not add *any* cert that is
|
|
* already in the set. This will be more important when we start
|
|
* dealing with larger sets of certs, dual-key certs (signing and
|
|
* encryption), etc. For the time being we can slide by...
|
|
*
|
|
* XXX ARGH - this NEEDS to be fixed. need to come up with a decent
|
|
* SetOfDERcertficates implementation
|
|
*/
|
|
rci = 0;
|
|
if (signerinfos != NULL) {
|
|
for (si = 0; signerinfos[si] != NULL; si++) {
|
|
signerinfo = signerinfos[si];
|
|
for (ci = 0; ci < signerinfo->certList->len; ci++)
|
|
sigd->rawCerts[rci++] = &(signerinfo->certList->certs[ci]);
|
|
}
|
|
}
|
|
|
|
if (sigd->certs != NULL) {
|
|
for (ci = 0; sigd->certs[ci] != NULL; ci++)
|
|
sigd->rawCerts[rci++] = &(sigd->certs[ci]->derCert);
|
|
}
|
|
|
|
if (sigd->certLists != NULL) {
|
|
for (cli = 0; sigd->certLists[cli] != NULL; cli++) {
|
|
for (ci = 0; ci < sigd->certLists[cli]->len; ci++)
|
|
sigd->rawCerts[rci++] = &(sigd->certLists[cli]->certs[ci]);
|
|
}
|
|
}
|
|
|
|
sigd->rawCerts[rci] = NULL;
|
|
|
|
/* this is a SET OF, so we need to sort them guys - we have the DER already, though */
|
|
NSS_CMSArray_Sort((void **)sigd->rawCerts, NSS_CMSUtil_DERCompare, NULL, NULL);
|
|
}
|
|
|
|
ret = SECSuccess;
|
|
|
|
loser:
|
|
return ret;
|
|
}
|
|
|
|
SECStatus
|
|
NSS_CMSSignedData_Decode_BeforeData(NSSCMSSignedData *sigd)
|
|
{
|
|
SECStatus rv;
|
|
if (!sigd) {
|
|
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
|
return SECFailure;
|
|
}
|
|
rv = NSS_CMSContentInfo_Private_Init(&sigd->contentInfo);
|
|
if (rv != SECSuccess) {
|
|
return SECFailure;
|
|
}
|
|
/* handle issue with Windows 2003 servers and kerberos */
|
|
if (sigd->digestAlgorithms != NULL) {
|
|
int i;
|
|
for (i=0; sigd->digestAlgorithms[i] != NULL; i++) {
|
|
SECAlgorithmID *algid = sigd->digestAlgorithms[i];
|
|
SECOidTag senttag= SECOID_FindOIDTag(&algid->algorithm);
|
|
SECOidTag maptag = NSS_CMSUtil_MapSignAlgs(senttag);
|
|
|
|
if (maptag != senttag) {
|
|
SECOidData *hashoid = SECOID_FindOIDByTag(maptag);
|
|
rv = SECITEM_CopyItem(sigd->cmsg->poolp, &algid->algorithm
|
|
,&hashoid->oid);
|
|
if (rv != SECSuccess) {
|
|
return rv;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
/* set up the digests */
|
|
if (sigd->digestAlgorithms != NULL && sigd->digests == NULL) {
|
|
/* if digests are already there, do nothing */
|
|
sigd->contentInfo.privateInfo->digcx = NSS_CMSDigestContext_StartMultiple(sigd->digestAlgorithms);
|
|
if (sigd->contentInfo.privateInfo->digcx == NULL)
|
|
return SECFailure;
|
|
}
|
|
return SECSuccess;
|
|
}
|
|
|
|
/*
|
|
* NSS_CMSSignedData_Decode_AfterData - do all the necessary things to a
|
|
* SignedData after all the encapsulated data was passed through the decoder.
|
|
*/
|
|
SECStatus
|
|
NSS_CMSSignedData_Decode_AfterData(NSSCMSSignedData *sigd)
|
|
{
|
|
SECStatus rv = SECSuccess;
|
|
|
|
if (!sigd) {
|
|
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
|
return SECFailure;
|
|
}
|
|
|
|
/* did we have digest calculation going on? */
|
|
if (sigd->contentInfo.privateInfo && sigd->contentInfo.privateInfo->digcx) {
|
|
rv = NSS_CMSDigestContext_FinishMultiple(sigd->contentInfo.privateInfo->digcx,
|
|
sigd->cmsg->poolp, &(sigd->digests));
|
|
/* error set by NSS_CMSDigestContext_FinishMultiple */
|
|
sigd->contentInfo.privateInfo->digcx = NULL;
|
|
}
|
|
return rv;
|
|
}
|
|
|
|
/*
|
|
* NSS_CMSSignedData_Decode_AfterEnd - do all the necessary things to a SignedData
|
|
* after all decoding is finished.
|
|
*/
|
|
SECStatus
|
|
NSS_CMSSignedData_Decode_AfterEnd(NSSCMSSignedData *sigd)
|
|
{
|
|
NSSCMSSignerInfo **signerinfos = NULL;
|
|
int i;
|
|
|
|
if (!sigd) {
|
|
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
|
return SECFailure;
|
|
}
|
|
|
|
/* set cmsg for all the signerinfos */
|
|
signerinfos = sigd->signerInfos;
|
|
|
|
/* set cmsg for all the signerinfos */
|
|
if (signerinfos) {
|
|
for (i = 0; signerinfos[i] != NULL; i++)
|
|
signerinfos[i]->cmsg = sigd->cmsg;
|
|
}
|
|
|
|
return SECSuccess;
|
|
}
|
|
|
|
/*
|
|
* NSS_CMSSignedData_GetSignerInfos - retrieve the SignedData's signer list
|
|
*/
|
|
NSSCMSSignerInfo **
|
|
NSS_CMSSignedData_GetSignerInfos(NSSCMSSignedData *sigd)
|
|
{
|
|
if (!sigd) {
|
|
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
|
return NULL;
|
|
}
|
|
return sigd->signerInfos;
|
|
}
|
|
|
|
int
|
|
NSS_CMSSignedData_SignerInfoCount(NSSCMSSignedData *sigd)
|
|
{
|
|
if (!sigd) {
|
|
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
|
return 0;
|
|
}
|
|
return NSS_CMSArray_Count((void **)sigd->signerInfos);
|
|
}
|
|
|
|
NSSCMSSignerInfo *
|
|
NSS_CMSSignedData_GetSignerInfo(NSSCMSSignedData *sigd, int i)
|
|
{
|
|
if (!sigd) {
|
|
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
|
return NULL;
|
|
}
|
|
return sigd->signerInfos[i];
|
|
}
|
|
|
|
/*
|
|
* NSS_CMSSignedData_GetDigestAlgs - retrieve the SignedData's digest algorithm list
|
|
*/
|
|
SECAlgorithmID **
|
|
NSS_CMSSignedData_GetDigestAlgs(NSSCMSSignedData *sigd)
|
|
{
|
|
if (!sigd) {
|
|
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
|
return NULL;
|
|
}
|
|
return sigd->digestAlgorithms;
|
|
}
|
|
|
|
/*
|
|
* NSS_CMSSignedData_GetContentInfo - return pointer to this signedData's contentinfo
|
|
*/
|
|
NSSCMSContentInfo *
|
|
NSS_CMSSignedData_GetContentInfo(NSSCMSSignedData *sigd)
|
|
{
|
|
if (!sigd) {
|
|
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
|
return NULL;
|
|
}
|
|
return &(sigd->contentInfo);
|
|
}
|
|
|
|
/*
|
|
* NSS_CMSSignedData_GetCertificateList - retrieve the SignedData's certificate list
|
|
*/
|
|
SECItem **
|
|
NSS_CMSSignedData_GetCertificateList(NSSCMSSignedData *sigd)
|
|
{
|
|
if (!sigd) {
|
|
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
|
return NULL;
|
|
}
|
|
return sigd->rawCerts;
|
|
}
|
|
|
|
SECStatus
|
|
NSS_CMSSignedData_ImportCerts(NSSCMSSignedData *sigd, CERTCertDBHandle *certdb,
|
|
SECCertUsage certusage, PRBool keepcerts)
|
|
{
|
|
int certcount;
|
|
CERTCertificate **certArray = NULL;
|
|
CERTCertList *certList = NULL;
|
|
CERTCertListNode *node;
|
|
SECStatus rv;
|
|
SECItem **rawArray;
|
|
int i;
|
|
PRTime now;
|
|
|
|
if (!sigd) {
|
|
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
|
return SECFailure;
|
|
}
|
|
|
|
certcount = NSS_CMSArray_Count((void **)sigd->rawCerts);
|
|
|
|
/* get the certs in the temp DB */
|
|
rv = CERT_ImportCerts(certdb, certusage, certcount, sigd->rawCerts,
|
|
&certArray, PR_FALSE, PR_FALSE, NULL);
|
|
if (rv != SECSuccess) {
|
|
goto loser;
|
|
}
|
|
|
|
/* save the certs so they don't get destroyed */
|
|
for (i=0; i < certcount; i++) {
|
|
CERTCertificate *cert = certArray[i];
|
|
if (cert)
|
|
NSS_CMSSignedData_AddTempCertificate(sigd, cert);
|
|
}
|
|
|
|
if (!keepcerts) {
|
|
goto done;
|
|
}
|
|
|
|
/* build a CertList for filtering */
|
|
certList = CERT_NewCertList();
|
|
if (certList == NULL) {
|
|
rv = SECFailure;
|
|
goto loser;
|
|
}
|
|
for (i=0; i < certcount; i++) {
|
|
CERTCertificate *cert = certArray[i];
|
|
if (cert)
|
|
cert = CERT_DupCertificate(cert);
|
|
if (cert)
|
|
CERT_AddCertToListTail(certList,cert);
|
|
}
|
|
|
|
/* filter out the certs we don't want */
|
|
rv = CERT_FilterCertListByUsage(certList,certusage, PR_FALSE);
|
|
if (rv != SECSuccess) {
|
|
goto loser;
|
|
}
|
|
|
|
/* go down the remaining list of certs and verify that they have
|
|
* valid chains, then import them.
|
|
*/
|
|
now = PR_Now();
|
|
for (node = CERT_LIST_HEAD(certList) ; !CERT_LIST_END(node,certList);
|
|
node= CERT_LIST_NEXT(node)) {
|
|
CERTCertificateList *certChain;
|
|
|
|
if (CERT_VerifyCert(certdb, node->cert,
|
|
PR_TRUE, certusage, now, NULL, NULL) != SECSuccess) {
|
|
continue;
|
|
}
|
|
|
|
certChain = CERT_CertChainFromCert(node->cert, certusage, PR_FALSE);
|
|
if (!certChain) {
|
|
continue;
|
|
}
|
|
|
|
/*
|
|
* CertChain returns an array of SECItems, import expects an array of
|
|
* SECItem pointers. Create the SECItem Pointers from the array of
|
|
* SECItems.
|
|
*/
|
|
rawArray = (SECItem **)PORT_Alloc(certChain->len*sizeof (SECItem *));
|
|
if (!rawArray) {
|
|
CERT_DestroyCertificateList(certChain);
|
|
continue;
|
|
}
|
|
for (i=0; i < certChain->len; i++) {
|
|
rawArray[i] = &certChain->certs[i];
|
|
}
|
|
(void )CERT_ImportCerts(certdb, certusage, certChain->len,
|
|
rawArray, NULL, keepcerts, PR_FALSE, NULL);
|
|
PORT_Free(rawArray);
|
|
CERT_DestroyCertificateList(certChain);
|
|
}
|
|
|
|
rv = SECSuccess;
|
|
|
|
/* XXX CRL handling */
|
|
|
|
done:
|
|
if (sigd->signerInfos != NULL) {
|
|
/* fill in all signerinfo's certs */
|
|
for (i = 0; sigd->signerInfos[i] != NULL; i++)
|
|
(void)NSS_CMSSignerInfo_GetSigningCertificate(
|
|
sigd->signerInfos[i], certdb);
|
|
}
|
|
|
|
loser:
|
|
/* now free everything */
|
|
if (certArray) {
|
|
CERT_DestroyCertArray(certArray,certcount);
|
|
}
|
|
if (certList) {
|
|
CERT_DestroyCertList(certList);
|
|
}
|
|
|
|
return rv;
|
|
}
|
|
|
|
/*
|
|
* XXX the digests need to be passed in BETWEEN the decoding and the verification in case
|
|
* of external signatures!
|
|
*/
|
|
|
|
/*
|
|
* NSS_CMSSignedData_VerifySignerInfo - check the signatures.
|
|
*
|
|
* The digests were either calculated during decoding (and are stored in the
|
|
* signedData itself) or set after decoding using NSS_CMSSignedData_SetDigests.
|
|
*
|
|
* The verification checks if the signing cert is valid and has a trusted chain
|
|
* for the purpose specified by "certusage".
|
|
*/
|
|
SECStatus
|
|
NSS_CMSSignedData_VerifySignerInfo(NSSCMSSignedData *sigd, int i,
|
|
CERTCertDBHandle *certdb, SECCertUsage certusage)
|
|
{
|
|
NSSCMSSignerInfo *signerinfo;
|
|
NSSCMSContentInfo *cinfo;
|
|
SECOidData *algiddata;
|
|
SECItem *contentType, *digest;
|
|
SECOidTag oidTag;
|
|
SECStatus rv;
|
|
|
|
if (!sigd) {
|
|
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
|
return SECFailure;
|
|
}
|
|
|
|
cinfo = &(sigd->contentInfo);
|
|
|
|
signerinfo = sigd->signerInfos[i];
|
|
|
|
/* verify certificate */
|
|
rv = NSS_CMSSignerInfo_VerifyCertificate(signerinfo, certdb, certusage);
|
|
if (rv != SECSuccess)
|
|
return rv; /* error is set */
|
|
|
|
/* find digest and contentType for signerinfo */
|
|
algiddata = NSS_CMSSignerInfo_GetDigestAlg(signerinfo);
|
|
oidTag = algiddata ? algiddata->offset : SEC_OID_UNKNOWN;
|
|
digest = NSS_CMSSignedData_GetDigestValue(sigd, oidTag);
|
|
/* NULL digest is acceptable. */
|
|
contentType = NSS_CMSContentInfo_GetContentTypeOID(cinfo);
|
|
/* NULL contentType is acceptable. */
|
|
|
|
/* now verify signature */
|
|
rv = NSS_CMSSignerInfo_Verify(signerinfo, digest, contentType);
|
|
return rv;
|
|
}
|
|
|
|
/*
|
|
* NSS_CMSSignedData_VerifyCertsOnly - verify the certs in a certs-only message
|
|
*/
|
|
SECStatus
|
|
NSS_CMSSignedData_VerifyCertsOnly(NSSCMSSignedData *sigd,
|
|
CERTCertDBHandle *certdb,
|
|
SECCertUsage usage)
|
|
{
|
|
CERTCertificate *cert;
|
|
SECStatus rv = SECSuccess;
|
|
int i;
|
|
int count;
|
|
PRTime now;
|
|
|
|
if (!sigd || !certdb || !sigd->rawCerts) {
|
|
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
|
return SECFailure;
|
|
}
|
|
|
|
count = NSS_CMSArray_Count((void**)sigd->rawCerts);
|
|
now = PR_Now();
|
|
for (i=0; i < count; i++) {
|
|
if (sigd->certs && sigd->certs[i]) {
|
|
cert = CERT_DupCertificate(sigd->certs[i]);
|
|
} else {
|
|
cert = CERT_FindCertByDERCert(certdb, sigd->rawCerts[i]);
|
|
if (!cert) {
|
|
rv = SECFailure;
|
|
break;
|
|
}
|
|
}
|
|
rv |= CERT_VerifyCert(certdb, cert, PR_TRUE, usage, now,
|
|
NULL, NULL);
|
|
CERT_DestroyCertificate(cert);
|
|
}
|
|
|
|
return rv;
|
|
}
|
|
|
|
/*
|
|
* NSS_CMSSignedData_HasDigests - see if we have digests in place
|
|
*/
|
|
PRBool
|
|
NSS_CMSSignedData_HasDigests(NSSCMSSignedData *sigd)
|
|
{
|
|
if (!sigd) {
|
|
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
|
return PR_FALSE;
|
|
}
|
|
return (sigd->digests != NULL);
|
|
}
|
|
|
|
SECStatus
|
|
NSS_CMSSignedData_AddCertList(NSSCMSSignedData *sigd, CERTCertificateList *certlist)
|
|
{
|
|
SECStatus rv;
|
|
|
|
if (!sigd || !certlist) {
|
|
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
|
return SECFailure;
|
|
}
|
|
|
|
/* XXX memory?? a certlist has an arena of its own and is not refcounted!?!? */
|
|
rv = NSS_CMSArray_Add(sigd->cmsg->poolp, (void ***)&(sigd->certLists), (void *)certlist);
|
|
|
|
return rv;
|
|
}
|
|
|
|
/*
|
|
* NSS_CMSSignedData_AddCertChain - add cert and its entire chain to the set of certs
|
|
*/
|
|
SECStatus
|
|
NSS_CMSSignedData_AddCertChain(NSSCMSSignedData *sigd, CERTCertificate *cert)
|
|
{
|
|
CERTCertificateList *certlist;
|
|
SECCertUsage usage;
|
|
SECStatus rv;
|
|
|
|
usage = certUsageEmailSigner;
|
|
|
|
if (!sigd || !cert) {
|
|
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
|
return SECFailure;
|
|
}
|
|
|
|
/* do not include root */
|
|
certlist = CERT_CertChainFromCert(cert, usage, PR_FALSE);
|
|
if (certlist == NULL)
|
|
return SECFailure;
|
|
|
|
rv = NSS_CMSSignedData_AddCertList(sigd, certlist);
|
|
|
|
return rv;
|
|
}
|
|
|
|
extern SECStatus
|
|
NSS_CMSSignedData_AddTempCertificate(NSSCMSSignedData *sigd, CERTCertificate *cert)
|
|
{
|
|
CERTCertificate *c;
|
|
SECStatus rv;
|
|
|
|
if (!sigd || !cert) {
|
|
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
|
return SECFailure;
|
|
}
|
|
|
|
c = CERT_DupCertificate(cert);
|
|
rv = NSS_CMSArray_Add(sigd->cmsg->poolp, (void ***)&(sigd->tempCerts), (void *)c);
|
|
return rv;
|
|
}
|
|
|
|
SECStatus
|
|
NSS_CMSSignedData_AddCertificate(NSSCMSSignedData *sigd, CERTCertificate *cert)
|
|
{
|
|
CERTCertificate *c;
|
|
SECStatus rv;
|
|
|
|
if (!sigd || !cert) {
|
|
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
|
return SECFailure;
|
|
}
|
|
|
|
c = CERT_DupCertificate(cert);
|
|
rv = NSS_CMSArray_Add(sigd->cmsg->poolp, (void ***)&(sigd->certs), (void *)c);
|
|
return rv;
|
|
}
|
|
|
|
PRBool
|
|
NSS_CMSSignedData_ContainsCertsOrCrls(NSSCMSSignedData *sigd)
|
|
{
|
|
if (!sigd) {
|
|
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
|
return PR_FALSE;
|
|
}
|
|
if (sigd->rawCerts != NULL && sigd->rawCerts[0] != NULL)
|
|
return PR_TRUE;
|
|
else if (sigd->crls != NULL && sigd->crls[0] != NULL)
|
|
return PR_TRUE;
|
|
else
|
|
return PR_FALSE;
|
|
}
|
|
|
|
SECStatus
|
|
NSS_CMSSignedData_AddSignerInfo(NSSCMSSignedData *sigd,
|
|
NSSCMSSignerInfo *signerinfo)
|
|
{
|
|
void *mark;
|
|
SECStatus rv;
|
|
SECOidTag digestalgtag;
|
|
PLArenaPool *poolp;
|
|
|
|
if (!sigd || !signerinfo) {
|
|
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
|
return SECFailure;
|
|
}
|
|
|
|
poolp = sigd->cmsg->poolp;
|
|
|
|
mark = PORT_ArenaMark(poolp);
|
|
|
|
/* add signerinfo */
|
|
rv = NSS_CMSArray_Add(poolp, (void ***)&(sigd->signerInfos), (void *)signerinfo);
|
|
if (rv != SECSuccess)
|
|
goto loser;
|
|
|
|
/*
|
|
* add empty digest
|
|
* Empty because we don't have it yet. Either it gets created during encoding
|
|
* (if the data is present) or has to be set externally.
|
|
* XXX maybe pass it in optionally?
|
|
*/
|
|
digestalgtag = NSS_CMSSignerInfo_GetDigestAlgTag(signerinfo);
|
|
rv = NSS_CMSSignedData_SetDigestValue(sigd, digestalgtag, NULL);
|
|
if (rv != SECSuccess)
|
|
goto loser;
|
|
|
|
/*
|
|
* The last thing to get consistency would be adding the digest.
|
|
*/
|
|
|
|
PORT_ArenaUnmark(poolp, mark);
|
|
return SECSuccess;
|
|
|
|
loser:
|
|
PORT_ArenaRelease (poolp, mark);
|
|
return SECFailure;
|
|
}
|
|
|
|
/*
|
|
* NSS_CMSSignedData_SetDigests - set a signedData's digests member
|
|
*
|
|
* "digestalgs" - array of digest algorithm IDs
|
|
* "digests" - array of digests corresponding to the digest algorithms
|
|
*/
|
|
SECStatus
|
|
NSS_CMSSignedData_SetDigests(NSSCMSSignedData *sigd,
|
|
SECAlgorithmID **digestalgs,
|
|
SECItem **digests)
|
|
{
|
|
int cnt, i, idx;
|
|
|
|
if (!sigd || !digestalgs || !digests) {
|
|
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
|
return SECFailure;
|
|
}
|
|
|
|
if (sigd->digestAlgorithms == NULL) {
|
|
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
|
return SECFailure;
|
|
}
|
|
|
|
/* we assume that the digests array is just not there yet */
|
|
PORT_Assert(sigd->digests == NULL);
|
|
if (sigd->digests != NULL) {
|
|
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
|
|
return SECFailure;
|
|
}
|
|
|
|
/* now allocate one (same size as digestAlgorithms) */
|
|
cnt = NSS_CMSArray_Count((void **)sigd->digestAlgorithms);
|
|
sigd->digests = PORT_ArenaZAlloc(sigd->cmsg->poolp, (cnt + 1) * sizeof(SECItem *));
|
|
if (sigd->digests == NULL) {
|
|
PORT_SetError(SEC_ERROR_NO_MEMORY);
|
|
return SECFailure;
|
|
}
|
|
|
|
for (i = 0; sigd->digestAlgorithms[i] != NULL; i++) {
|
|
/* try to find the sigd's i'th digest algorithm in the array we passed in */
|
|
idx = NSS_CMSAlgArray_GetIndexByAlgID(digestalgs, sigd->digestAlgorithms[i]);
|
|
if (idx < 0) {
|
|
PORT_SetError(SEC_ERROR_DIGEST_NOT_FOUND);
|
|
return SECFailure;
|
|
}
|
|
if (!digests[idx]) {
|
|
/* We have no digest for this algorithm, probably because it is
|
|
** unrecognized or unsupported. We'll ignore this here. If this
|
|
** digest is needed later, an error will be be generated then.
|
|
*/
|
|
continue;
|
|
}
|
|
|
|
/* found it - now set it */
|
|
if ((sigd->digests[i] = SECITEM_AllocItem(sigd->cmsg->poolp, NULL, 0)) == NULL ||
|
|
SECITEM_CopyItem(sigd->cmsg->poolp, sigd->digests[i], digests[idx]) != SECSuccess)
|
|
{
|
|
PORT_SetError(SEC_ERROR_NO_MEMORY);
|
|
return SECFailure;
|
|
}
|
|
}
|
|
return SECSuccess;
|
|
}
|
|
|
|
SECStatus
|
|
NSS_CMSSignedData_SetDigestValue(NSSCMSSignedData *sigd,
|
|
SECOidTag digestalgtag,
|
|
SECItem *digestdata)
|
|
{
|
|
SECItem *digest = NULL;
|
|
PLArenaPool *poolp;
|
|
void *mark;
|
|
int n, cnt;
|
|
|
|
if (!sigd) {
|
|
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
|
return SECFailure;
|
|
}
|
|
|
|
poolp = sigd->cmsg->poolp;
|
|
|
|
mark = PORT_ArenaMark(poolp);
|
|
|
|
|
|
if (digestdata) {
|
|
digest = (SECItem *) PORT_ArenaZAlloc(poolp,sizeof(SECItem));
|
|
|
|
/* copy digestdata item to arena (in case we have it and are not only making room) */
|
|
if (SECITEM_CopyItem(poolp, digest, digestdata) != SECSuccess)
|
|
goto loser;
|
|
}
|
|
|
|
/* now allocate one (same size as digestAlgorithms) */
|
|
if (sigd->digests == NULL) {
|
|
cnt = NSS_CMSArray_Count((void **)sigd->digestAlgorithms);
|
|
sigd->digests = PORT_ArenaZAlloc(sigd->cmsg->poolp, (cnt + 1) * sizeof(SECItem *));
|
|
if (sigd->digests == NULL) {
|
|
PORT_SetError(SEC_ERROR_NO_MEMORY);
|
|
return SECFailure;
|
|
}
|
|
}
|
|
|
|
n = -1;
|
|
if (sigd->digestAlgorithms != NULL)
|
|
n = NSS_CMSAlgArray_GetIndexByAlgTag(sigd->digestAlgorithms, digestalgtag);
|
|
|
|
/* if not found, add a digest */
|
|
if (n < 0) {
|
|
if (NSS_CMSSignedData_AddDigest(poolp, sigd, digestalgtag, digest) != SECSuccess)
|
|
goto loser;
|
|
} else {
|
|
/* replace NULL pointer with digest item (and leak previous value) */
|
|
sigd->digests[n] = digest;
|
|
}
|
|
|
|
PORT_ArenaUnmark(poolp, mark);
|
|
return SECSuccess;
|
|
|
|
loser:
|
|
PORT_ArenaRelease(poolp, mark);
|
|
return SECFailure;
|
|
}
|
|
|
|
SECStatus
|
|
NSS_CMSSignedData_AddDigest(PLArenaPool *poolp,
|
|
NSSCMSSignedData *sigd,
|
|
SECOidTag digestalgtag,
|
|
SECItem *digest)
|
|
{
|
|
SECAlgorithmID *digestalg;
|
|
void *mark;
|
|
|
|
if (!sigd || !poolp) {
|
|
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
|
return SECFailure;
|
|
}
|
|
|
|
mark = PORT_ArenaMark(poolp);
|
|
|
|
digestalg = PORT_ArenaZAlloc(poolp, sizeof(SECAlgorithmID));
|
|
if (digestalg == NULL)
|
|
goto loser;
|
|
|
|
if (SECOID_SetAlgorithmID (poolp, digestalg, digestalgtag, NULL) != SECSuccess) /* no params */
|
|
goto loser;
|
|
|
|
if (NSS_CMSArray_Add(poolp, (void ***)&(sigd->digestAlgorithms), (void *)digestalg) != SECSuccess ||
|
|
/* even if digest is NULL, add dummy to have same-size array */
|
|
NSS_CMSArray_Add(poolp, (void ***)&(sigd->digests), (void *)digest) != SECSuccess)
|
|
{
|
|
goto loser;
|
|
}
|
|
|
|
PORT_ArenaUnmark(poolp, mark);
|
|
return SECSuccess;
|
|
|
|
loser:
|
|
PORT_ArenaRelease(poolp, mark);
|
|
return SECFailure;
|
|
}
|
|
|
|
/* XXX This function doesn't set the error code on failure. */
|
|
SECItem *
|
|
NSS_CMSSignedData_GetDigestValue(NSSCMSSignedData *sigd, SECOidTag digestalgtag)
|
|
{
|
|
int n;
|
|
|
|
if (!sigd) {
|
|
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
|
return NULL;
|
|
}
|
|
|
|
if (sigd->digestAlgorithms == NULL || sigd->digests == NULL) {
|
|
PORT_SetError(SEC_ERROR_DIGEST_NOT_FOUND);
|
|
return NULL;
|
|
}
|
|
|
|
n = NSS_CMSAlgArray_GetIndexByAlgTag(sigd->digestAlgorithms, digestalgtag);
|
|
|
|
return (n < 0) ? NULL : sigd->digests[n];
|
|
}
|
|
|
|
/* =============================================================================
|
|
* Misc. utility functions
|
|
*/
|
|
|
|
/*
|
|
* NSS_CMSSignedData_CreateCertsOnly - create a certs-only SignedData.
|
|
*
|
|
* cert - base certificates that will be included
|
|
* include_chain - if true, include the complete cert chain for cert
|
|
*
|
|
* More certs and chains can be added via AddCertificate and AddCertChain.
|
|
*
|
|
* An error results in a return value of NULL and an error set.
|
|
*
|
|
* XXXX CRLs
|
|
*/
|
|
NSSCMSSignedData *
|
|
NSS_CMSSignedData_CreateCertsOnly(NSSCMSMessage *cmsg, CERTCertificate *cert, PRBool include_chain)
|
|
{
|
|
NSSCMSSignedData *sigd;
|
|
void *mark;
|
|
PLArenaPool *poolp;
|
|
SECStatus rv;
|
|
|
|
if (!cmsg || !cert) {
|
|
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
|
return NULL;
|
|
}
|
|
|
|
poolp = cmsg->poolp;
|
|
mark = PORT_ArenaMark(poolp);
|
|
|
|
sigd = NSS_CMSSignedData_Create(cmsg);
|
|
if (sigd == NULL)
|
|
goto loser;
|
|
|
|
/* no signerinfos, thus no digestAlgorithms */
|
|
|
|
/* but certs */
|
|
if (include_chain) {
|
|
rv = NSS_CMSSignedData_AddCertChain(sigd, cert);
|
|
} else {
|
|
rv = NSS_CMSSignedData_AddCertificate(sigd, cert);
|
|
}
|
|
if (rv != SECSuccess)
|
|
goto loser;
|
|
|
|
/* RFC2630 5.2 sez:
|
|
* In the degenerate case where there are no signers, the
|
|
* EncapsulatedContentInfo value being "signed" is irrelevant. In this
|
|
* case, the content type within the EncapsulatedContentInfo value being
|
|
* "signed" should be id-data (as defined in section 4), and the content
|
|
* field of the EncapsulatedContentInfo value should be omitted.
|
|
*/
|
|
rv = NSS_CMSContentInfo_SetContent_Data(cmsg, &(sigd->contentInfo), NULL, PR_TRUE);
|
|
if (rv != SECSuccess)
|
|
goto loser;
|
|
|
|
PORT_ArenaUnmark(poolp, mark);
|
|
return sigd;
|
|
|
|
loser:
|
|
if (sigd)
|
|
NSS_CMSSignedData_Destroy(sigd);
|
|
PORT_ArenaRelease(poolp, mark);
|
|
return NULL;
|
|
}
|
|
|
|
/* TODO:
|
|
* NSS_CMSSignerInfo_GetReceiptRequest()
|
|
* NSS_CMSSignedData_HasReceiptRequest()
|
|
* easy way to iterate over signers
|
|
*/
|
|
|