[apple/security.git] / OSX / libsecurity_smime / lib / cmstpriv.h

/*
 * The contents of this file are subject to the Mozilla Public
 * License Version 1.1 (the "License"); you may not use this file
 * except in compliance with the License. You may obtain a copy of
 * the License at http://www.mozilla.org/MPL/
 * 
 * Software distributed under the License is distributed on an "AS
 * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * rights and limitations under the License.
 * 
 * The Original Code is the Netscape security libraries.
 * 
 * The Initial Developer of the Original Code is Netscape
 * Communications Corporation.  Portions created by Netscape are 
 * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
 * Rights Reserved.
 * 
 * Contributor(s):
 * 
 * Alternatively, the contents of this file may be used under the
 * terms of the GNU General Public License Version 2 or later (the
 * "GPL"), in which case the provisions of the GPL are applicable 
 * instead of those above.  If you wish to allow use of your 
 * version of this file only under the terms of the GPL and not to
 * allow others to use your version of this file under the MPL,
 * indicate your decision by deleting the provisions above and
 * replace them with the notice and other provisions required by
 * the GPL.  If you do not delete the provisions above, a recipient
 * may use your version of this file under either the MPL or the
 * GPL.
 */

/*
 * Header for CMS types.
 */

#ifndef _CMSTPRIV_H_
#define _CMSTPRIV_H_

#include <Security/SecCmsBase.h>
#include <security_smime/secoidt.h>

#include <Security/secasn1t.h>
#include <security_asn1/plarenas.h>
#include <Security/nameTemplates.h>

#include <CoreFoundation/CFArray.h>
#include <CoreFoundation/CFDate.h>
#include <Security/SecCertificate.h>
#include <Security/SecKey.h>

/* rjr: PKCS #11 cert handling (pk11cert.c) does use SecCmsRecipientInfo's.
 * This is because when we search the recipient list for the cert and key we
 * want, we need to invert the order of the loops we used to have. The old
 * loops were:
 *
 *  For each recipient {
 *       find_cert = PK11_Find_AllCert(recipient->issuerSN);
 *       [which unrolls to... ]
 *       For each slot {
 *            Log into slot;
 *            search slot for cert;
 *      }
 *  }
 *
 *  the new loop searchs all the recipients at once on a slot. this allows
 *  PKCS #11 to order slots in such a way that logout slots don't get checked
 *  if we can find the cert on a logged in slot. This eliminates lots of
 *  spurious password prompts when smart cards are installed... so why this
 *  comment? If you make SecCmsRecipientInfo completely opaque, you need
 *  to provide a non-opaque list of issuerSN's (the only field PKCS#11 needs
 *  and fix up pk11cert.c first. NOTE: Only S/MIME calls this special PKCS #11
 *  function.
 */

typedef struct SecCmsContentInfoStr SecCmsContentInfo;
typedef struct SecCmsMessageStr SecCmsMessage;
typedef struct SecCmsSignedDataStr SecCmsSignedData;
typedef struct SecCmsSignerInfoStr SecCmsSignerInfo;
typedef struct SecCmsEnvelopedDataStr SecCmsEnvelopedData;
typedef struct SecCmsRecipientInfoStr SecCmsRecipientInfo;
typedef struct SecCmsDigestedDataStr SecCmsDigestedData;
typedef struct SecCmsEncryptedDataStr SecCmsEncryptedData;

typedef struct SecCmsIssuerAndSNStr SecCmsIssuerAndSN;
typedef struct SecCmsOriginatorInfoStr SecCmsOriginatorInfo;
typedef struct SecCmsAttributeStr SecCmsAttribute;

typedef union SecCmsContentUnion SecCmsContent;
typedef struct SecCmsSignerIdentifierStr SecCmsSignerIdentifier;

typedef struct SecCmsSMIMEKEAParametersStr SecCmsSMIMEKEAParameters;

typedef struct SecCmsCipherContextStr SecCmsCipherContext;
typedef struct SecCmsCipherContextStr *SecCmsCipherContextRef;

/* =============================================================================
 * ENCAPSULATED CONTENTINFO & CONTENTINFO
 */

union SecCmsContentUnion {
    /* either unstructured */
    CSSM_DATA_PTR 			data;
    /* or structured data */
    SecCmsDigestedDataRef 	digestedData;
    SecCmsEncryptedDataRef 	encryptedData;
    SecCmsEnvelopedDataRef 	envelopedData;
    SecCmsSignedDataRef 		signedData;
    /* or anonymous pointer to something */
    void *			pointer;
};

struct SecCmsContentInfoStr {
    CSSM_DATA			contentType;
    SecCmsContent		content;
    /* --------- local; not part of encoding --------- */
    SECOidData *		contentTypeTag;	

    /* additional info for encryptedData and envelopedData */
    /* we waste this space for signedData and digestedData. sue me. */

    SECAlgorithmID		contentEncAlg;
    CSSM_DATA_PTR 			rawContent;		/* encrypted DER, optional */
							/* XXXX bytes not encrypted, but encoded? */
    /* --------- local; not part of encoding --------- */
    SecSymmetricKeyRef		bulkkey;		/* bulk encryption key */
    int				keysize;		/* size of bulk encryption key
							 * (only used by creation code) */
    SECOidTag			contentEncAlgTag;	/* oid tag of encryption algorithm
							 * (only used by creation code) */
    SecCmsCipherContextRef ciphcx;		/* context for en/decryption going on */
    SecCmsDigestContextRef digcx;			/* context for digesting going on */
    SecPrivateKeyRef		privkey;		/* @@@ private key is only here as a workaround for 3401088 */
};

/* =============================================================================
 * MESSAGE
 */

/*!
    @typedef
    @discussion    Type of function called inside SecCmsSignedDataEncodeAfterData to
                    fire up XPC service to talk to TimeStamping server, etc.
    @param context  Typically a CFDictionary with URL, etc.
    @param messageImprint   a SecAsn1TSAMessageImprint with the algorithm and hash value
    @param tstoken  The returned TimeStampToken
 */
typedef OSStatus (*SecCmsTSACallback)(const void *context, void *messageImprint, uint64_t nonce, CSSM_DATA *tstoken);

struct SecCmsMessageStr {
    SecCmsContentInfo	contentInfo;		/* "outer" cinfo */
    /* --------- local; not part of encoding --------- */
    PLArenaPool *	poolp;
    Boolean		poolp_is_ours;
    int			refCount;
    /* properties of the "inner" data */
    SECAlgorithmID **	detached_digestalgs;
    CSSM_DATA_PTR *	detached_digests;
    void *		pwfn_arg;
    SecCmsGetDecryptKeyCallback decrypt_key_cb;
    void *		decrypt_key_cb_arg;
    
    /* Fields for Time Stamping */
    SecCmsTSACallback tsaCallback;
    CFTypeRef tsaContext;
};

/* =============================================================================
 * SIGNEDDATA
 */

struct SecCmsSignedDataStr {
    CSSM_DATA			version;
    SECAlgorithmID **		digestAlgorithms;
    SecCmsContentInfo		contentInfo;
    CSSM_DATA_PTR *		rawCerts;
    CSSM_DATA_PTR *		rawCrls;
    SecCmsSignerInfoRef *		signerInfos;
    /* --------- local; not part of encoding --------- */
    SecCmsMessageRef 		cmsg;			/* back pointer to message */
    CSSM_DATA_PTR *		digests;
    CFMutableArrayRef		certs;
};
#define SEC_CMS_SIGNED_DATA_VERSION_BASIC	1	/* what we *create* */
#define SEC_CMS_SIGNED_DATA_VERSION_EXT		3	/* what we *create* */

typedef enum {
    SecCmsSignerIDIssuerSN = 0,
    SecCmsSignerIDSubjectKeyID = 1
} SecCmsSignerIDSelector;

struct SecCmsSignerIdentifierStr {
    SecCmsSignerIDSelector identifierType;
    union {
	SecCmsIssuerAndSN *issuerAndSN;
	CSSM_DATA_PTR subjectKeyID;
    } id;
};

struct SecCmsIssuerAndSNStr {
	NSS_Name issuer;
	CSSM_DATA serialNumber;
    /* --------- local; not part of encoding --------- */
	CSSM_DATA derIssuer;
};

struct SecCmsSignerInfoStr {
    CSSM_DATA			version;
    SecCmsSignerIdentifier	signerIdentifier;
    SECAlgorithmID		digestAlg;
    SecCmsAttribute **		authAttr;
    SECAlgorithmID		digestEncAlg;
    CSSM_DATA			encDigest;
    SecCmsAttribute **		unAuthAttr;
    /* --------- local; not part of encoding --------- */
    SecCmsMessageRef 		cmsg;			/* back pointer to message */
    SecCmsSignedDataRef		sigd;			/* back pointer to SignedData */
    SecCertificateRef		cert;
    CFArrayRef			certList;
    CFAbsoluteTime		signingTime;
    SecCmsVerificationStatus	verificationStatus;
    SecPrivateKeyRef		signingKey; /* Used if we're using subjKeyID*/
    SecPublicKeyRef		pubKey;
    CFAbsoluteTime		timestampTime;
    CFAbsoluteTime		tsaLeafNotBefore;   /* Start date for Timestamp Authority leaf */
    CFAbsoluteTime		tsaLeafNotAfter;    /* Expiration date for Timestamp Authority leaf */
    CFMutableArrayRef	timestampCertList;
    SecCertificateRef   timestampCert;
    CFDataRef           hashAgilityAttrValue;
    CFDictionaryRef     hashAgilityV2AttrValues;
    CFAbsoluteTime      expirationTime;
};
#define SEC_CMS_SIGNER_INFO_VERSION_ISSUERSN	1	/* what we *create* */
#define SEC_CMS_SIGNER_INFO_VERSION_SUBJKEY	3	/* what we *create* */

/* =============================================================================
 * ENVELOPED DATA
 */
struct SecCmsEnvelopedDataStr {
    CSSM_DATA			version;
    SecCmsOriginatorInfo *	originatorInfo;		/* optional */
    SecCmsRecipientInfoRef *	recipientInfos;
    SecCmsContentInfo		contentInfo;
    SecCmsAttribute **		unprotectedAttr;
    /* --------- local; not part of encoding --------- */
    SecCmsMessageRef 		cmsg;			/* back pointer to message */
};
#define SEC_CMS_ENVELOPED_DATA_VERSION_REG	0	/* what we *create* */
#define SEC_CMS_ENVELOPED_DATA_VERSION_ADV	2	/* what we *create* */

struct SecCmsOriginatorInfoStr {
    CSSM_DATA_PTR *		rawCerts;
    CSSM_DATA_PTR *		rawCrls;
    /* --------- local; not part of encoding --------- */
    SecCertificateRef *		certs;
};

/* -----------------------------------------------------------------------------
 * key transport recipient info
 */
typedef enum {
    SecCmsRecipientIDIssuerSN = 0,
    SecCmsRecipientIDSubjectKeyID = 1
} SecCmsRecipientIDSelector;

struct SecCmsRecipientIdentifierStr {
    SecCmsRecipientIDSelector	identifierType;
    union {
	SecCmsIssuerAndSN	*issuerAndSN;
	CSSM_DATA_PTR subjectKeyID;
    } id;
};
typedef struct SecCmsRecipientIdentifierStr SecCmsRecipientIdentifier;

struct SecCmsKeyTransRecipientInfoStr {
    CSSM_DATA			version;
    SecCmsRecipientIdentifier	recipientIdentifier;
    SECAlgorithmID		keyEncAlg;
    CSSM_DATA			encKey;
};
typedef struct SecCmsKeyTransRecipientInfoStr SecCmsKeyTransRecipientInfo;

/*
 * View comments before SecCmsRecipientInfoStr for purpose of this
 * structure.
 */
struct SecCmsKeyTransRecipientInfoExStr {
    SecCmsKeyTransRecipientInfo recipientInfo;
    int version;  /* version of this structure (0) */
    SecPublicKeyRef pubKey;
};

typedef struct SecCmsKeyTransRecipientInfoExStr SecCmsKeyTransRecipientInfoEx;

#define SEC_CMS_KEYTRANS_RECIPIENT_INFO_VERSION_ISSUERSN	0	/* what we *create* */
#define SEC_CMS_KEYTRANS_RECIPIENT_INFO_VERSION_SUBJKEY		2	/* what we *create* */

/* -----------------------------------------------------------------------------
 * key agreement recipient info
 */
struct SecCmsOriginatorPublicKeyStr {
    SECAlgorithmID			algorithmIdentifier;
    CSSM_DATA				publicKey;			/* bit string! */
};
typedef struct SecCmsOriginatorPublicKeyStr SecCmsOriginatorPublicKey;

typedef enum {
    SecCmsOriginatorIDOrKeyIssuerSN = 0,
    SecCmsOriginatorIDOrKeySubjectKeyID = 1,
    SecCmsOriginatorIDOrKeyOriginatorPublicKey = 2
} SecCmsOriginatorIDOrKeySelector;

struct SecCmsOriginatorIdentifierOrKeyStr {
    SecCmsOriginatorIDOrKeySelector identifierType;
    union {
	SecCmsIssuerAndSN			*issuerAndSN;			/* static-static */
	CSSM_DATA					subjectKeyID;			/* static-static */
	SecCmsOriginatorPublicKey	originatorPublicKey;	/* ephemeral-static */
    } id;
};
typedef struct SecCmsOriginatorIdentifierOrKeyStr SecCmsOriginatorIdentifierOrKey;

struct SecCmsRecipientKeyIdentifierStr {
    CSSM_DATA 				subjectKeyIdentifier;
    CSSM_DATA 				date;			/* optional */
    CSSM_DATA 				other;			/* optional */
};
typedef struct SecCmsRecipientKeyIdentifierStr SecCmsRecipientKeyIdentifier;

typedef enum {
    SecCmsKeyAgreeRecipientIDIssuerSN = 0,
    SecCmsKeyAgreeRecipientIDRKeyID = 1
} SecCmsKeyAgreeRecipientIDSelector;

struct SecCmsKeyAgreeRecipientIdentifierStr {
    SecCmsKeyAgreeRecipientIDSelector	identifierType;
    union {
	SecCmsIssuerAndSN		*issuerAndSN;
	SecCmsRecipientKeyIdentifier	recipientKeyIdentifier;
    } id;
};
typedef struct SecCmsKeyAgreeRecipientIdentifierStr SecCmsKeyAgreeRecipientIdentifier;

struct SecCmsRecipientEncryptedKeyStr {
    SecCmsKeyAgreeRecipientIdentifier	recipientIdentifier;
    CSSM_DATA				encKey;
};
typedef struct SecCmsRecipientEncryptedKeyStr SecCmsRecipientEncryptedKey;

struct SecCmsKeyAgreeRecipientInfoStr {
    CSSM_DATA				version;
    SecCmsOriginatorIdentifierOrKey	originatorIdentifierOrKey;
    CSSM_DATA 				ukm;				/* optional */
    SECAlgorithmID			keyEncAlg;
    SecCmsRecipientEncryptedKey **	recipientEncryptedKeys;
};
typedef struct SecCmsKeyAgreeRecipientInfoStr SecCmsKeyAgreeRecipientInfo;

#define SEC_CMS_KEYAGREE_RECIPIENT_INFO_VERSION	3	/* what we *create* */

/* -----------------------------------------------------------------------------
 * KEK recipient info
 */
struct SecCmsKEKIdentifierStr {
    CSSM_DATA			keyIdentifier;
    CSSM_DATA_PTR 			date;			/* optional */
    CSSM_DATA_PTR 			other;			/* optional */
};
typedef struct SecCmsKEKIdentifierStr SecCmsKEKIdentifier;

struct SecCmsKEKRecipientInfoStr {
    CSSM_DATA			version;
    SecCmsKEKIdentifier		kekIdentifier;
    SECAlgorithmID		keyEncAlg;
    CSSM_DATA			encKey;
};
typedef struct SecCmsKEKRecipientInfoStr SecCmsKEKRecipientInfo;

#define SEC_CMS_KEK_RECIPIENT_INFO_VERSION	4	/* what we *create* */

/* -----------------------------------------------------------------------------
 * recipient info
 */

typedef enum {
    SecCmsRecipientInfoIDKeyTrans = 0,
    SecCmsRecipientInfoIDKeyAgree = 1,
    SecCmsRecipientInfoIDKEK = 2
} SecCmsRecipientInfoIDSelector;

/*
 * In order to preserve backwards binary compatibility when implementing
 * creation of Recipient Info's that uses subjectKeyID in the 
 * keyTransRecipientInfo we need to stash a public key pointer in this
 * structure somewhere.  We figured out that SecCmsKeyTransRecipientInfo
 * is the smallest member of the ri union.  We're in luck since that's
 * the very structure that would need to use the public key. So we created
 * a new structure SecCmsKeyTransRecipientInfoEx which has a member 
 * SecCmsKeyTransRecipientInfo as the first member followed by a version
 * and a public key pointer.  This way we can keep backwards compatibility
 * without changing the size of this structure.
 *
 * BTW, size of structure:
 * SecCmsKeyTransRecipientInfo:  9 ints, 4 pointers
 * SecCmsKeyAgreeRecipientInfo: 12 ints, 8 pointers
 * SecCmsKEKRecipientInfo:      10 ints, 7 pointers
 *
 * The new structure:
 * SecCmsKeyTransRecipientInfoEx: sizeof(SecCmsKeyTransRecipientInfo) +
 *                                1 int, 1 pointer
 */

struct SecCmsRecipientInfoStr {
    SecCmsRecipientInfoIDSelector recipientInfoType;
    union {
	SecCmsKeyTransRecipientInfo keyTransRecipientInfo;
	SecCmsKeyAgreeRecipientInfo keyAgreeRecipientInfo;
	SecCmsKEKRecipientInfo kekRecipientInfo;
	SecCmsKeyTransRecipientInfoEx keyTransRecipientInfoEx;
    } ri;
    /* --------- local; not part of encoding --------- */
    SecCmsMessageRef 		cmsg;			/* back pointer to message */
    SecCertificateRef 		cert;			/* recipient's certificate */
};

/* =============================================================================
 * DIGESTED DATA
 */
struct SecCmsDigestedDataStr {
    CSSM_DATA			version;
    SECAlgorithmID		digestAlg;
    SecCmsContentInfo		contentInfo;
    CSSM_DATA			digest;
    /* --------- local; not part of encoding --------- */
    SecCmsMessageRef 		cmsg;		/* back pointer */
    CSSM_DATA			cdigest;	/* calculated digest */
};
#define SEC_CMS_DIGESTED_DATA_VERSION_DATA	0	/* what we *create* */
#define SEC_CMS_DIGESTED_DATA_VERSION_ENCAP	2	/* what we *create* */

/* =============================================================================
 * ENCRYPTED DATA
 */
struct SecCmsEncryptedDataStr {
    CSSM_DATA			version;
    SecCmsContentInfo		contentInfo;
    SecCmsAttribute **		unprotectedAttr;	/* optional */
    /* --------- local; not part of encoding --------- */
    SecCmsMessageRef 		cmsg;		/* back pointer */
};
#define SEC_CMS_ENCRYPTED_DATA_VERSION		0	/* what we *create* */
#define SEC_CMS_ENCRYPTED_DATA_VERSION_UPATTR	2	/* what we *create* */

/* =============================================================================
 * FORTEZZA KEA
 */

/* An enumerated type used to select templates based on the encryption
   scenario and data specifics. */
typedef enum {
    SecCmsKEAInvalid = -1,
    SecCmsKEAUsesSkipjack = 0,
    SecCmsKEAUsesNonSkipjack = 1,
    SecCmsKEAUsesNonSkipjackWithPaddedEncKey = 2
} SecCmsKEATemplateSelector;

/* ### mwelch - S/MIME KEA parameters. These don't really fit here,
                but I cannot think of a more appropriate place at this time. */
struct SecCmsSMIMEKEAParametersStr {
    CSSM_DATA originatorKEAKey;	/* sender KEA key (encrypted?) */
    CSSM_DATA originatorRA;	/* random number generated by sender */
    CSSM_DATA nonSkipjackIV;	/* init'n vector for SkipjackCBC64
			           decryption of KEA key if Skipjack
				   is not the bulk algorithm used on
				   the message */
    CSSM_DATA bulkKeySize;	/* if Skipjack is not the bulk
			           algorithm used on the message,
				   and the size of the bulk encryption
				   key is not the same as that of
				   originatorKEAKey (due to padding
				   perhaps), this field will contain
				   the real size of the bulk encryption
				   key. */
};

/*
 * *****************************************************************************
 * *****************************************************************************
 * *****************************************************************************
 */

/*
 * See comment above about this type not really belonging to CMS.
 */
struct SecCmsAttributeStr {
    /* The following fields make up an encoded Attribute: */
    CSSM_DATA			type;
    CSSM_DATA_PTR *		values;	/* data may or may not be encoded */
    /* The following fields are not part of an encoded Attribute: */
    SECOidData *		typeTag;
    Boolean			encoded;	/* when true, values are encoded */
};


#endif /* _CMSTPRIV_H_ */
Commit	Line	Data
d8f41ccd A	1	/*
	2	* The contents of this file are subject to the Mozilla Public
	3	* License Version 1.1 (the "License"); you may not use this file
	4	* except in compliance with the License. You may obtain a copy of
	5	* the License at http://www.mozilla.org/MPL/
	6	*
	7	* Software distributed under the License is distributed on an "AS
	8	* IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
	9	* implied. See the License for the specific language governing
	10	* rights and limitations under the License.
	11	*
	12	* The Original Code is the Netscape security libraries.
	13	*
	14	* The Initial Developer of the Original Code is Netscape
	15	* Communications Corporation. Portions created by Netscape are
	16	* Copyright (C) 1994-2000 Netscape Communications Corporation. All
	17	* Rights Reserved.
	18	*
	19	* Contributor(s):
	20	*
	21	* Alternatively, the contents of this file may be used under the
	22	* terms of the GNU General Public License Version 2 or later (the
	23	* "GPL"), in which case the provisions of the GPL are applicable
	24	* instead of those above. If you wish to allow use of your
	25	* version of this file only under the terms of the GPL and not to
	26	* allow others to use your version of this file under the MPL,
	27	* indicate your decision by deleting the provisions above and
	28	* replace them with the notice and other provisions required by
	29	* the GPL. If you do not delete the provisions above, a recipient
	30	* may use your version of this file under either the MPL or the
	31	* GPL.
	32	*/
	33
	34	/*
	35	* Header for CMS types.
	36	*/
	37
	38	#ifndef _CMSTPRIV_H_
	39	#define _CMSTPRIV_H_
	40
	41	#include <Security/SecCmsBase.h>
	42	#include <security_smime/secoidt.h>
	43
	44	#include <Security/secasn1t.h>
	45	#include <security_asn1/plarenas.h>
	46	#include <Security/nameTemplates.h>
	47
	48	#include <CoreFoundation/CFArray.h>
	49	#include <CoreFoundation/CFDate.h>
	50	#include <Security/SecCertificate.h>
	51	#include <Security/SecKey.h>
	52
	53	/* rjr: PKCS #11 cert handling (pk11cert.c) does use SecCmsRecipientInfo's.
	54	* This is because when we search the recipient list for the cert and key we
	55	* want, we need to invert the order of the loops we used to have. The old
	56	* loops were:
	57	*
	58	* For each recipient {
	59	* find_cert = PK11_Find_AllCert(recipient->issuerSN);
	60	* [which unrolls to... ]
	61	* For each slot {
	62	* Log into slot;
	63	* search slot for cert;
	64	* }
65	* }
66	*
67	* the new loop searchs all the recipients at once on a slot. this allows
68	* PKCS #11 to order slots in such a way that logout slots don't get checked
69	* if we can find the cert on a logged in slot. This eliminates lots of
70	* spurious password prompts when smart cards are installed... so why this
71	* comment? If you make SecCmsRecipientInfo completely opaque, you need
72	* to provide a non-opaque list of issuerSN's (the only field PKCS#11 needs
73	* and fix up pk11cert.c first. NOTE: Only S/MIME calls this special PKCS #11
74	* function.
75	*/
76
77	typedef struct SecCmsContentInfoStr SecCmsContentInfo;
78	typedef struct SecCmsMessageStr SecCmsMessage;
79	typedef struct SecCmsSignedDataStr SecCmsSignedData;
80	typedef struct SecCmsSignerInfoStr SecCmsSignerInfo;
81	typedef struct SecCmsEnvelopedDataStr SecCmsEnvelopedData;
82	typedef struct SecCmsRecipientInfoStr SecCmsRecipientInfo;
83	typedef struct SecCmsDigestedDataStr SecCmsDigestedData;
84	typedef struct SecCmsEncryptedDataStr SecCmsEncryptedData;
85
86	typedef struct SecCmsIssuerAndSNStr SecCmsIssuerAndSN;
87	typedef struct SecCmsOriginatorInfoStr SecCmsOriginatorInfo;
88	typedef struct SecCmsAttributeStr SecCmsAttribute;
89
90	typedef union SecCmsContentUnion SecCmsContent;
91	typedef struct SecCmsSignerIdentifierStr SecCmsSignerIdentifier;
92
93	typedef struct SecCmsSMIMEKEAParametersStr SecCmsSMIMEKEAParameters;
94
95	typedef struct SecCmsCipherContextStr SecCmsCipherContext;
96	typedef struct SecCmsCipherContextStr *SecCmsCipherContextRef;
97
98	/* =============================================================================
99	* ENCAPSULATED CONTENTINFO & CONTENTINFO
100	*/
101
102	union SecCmsContentUnion {
103	/* either unstructured */
104	CSSM_DATA_PTR data;
105	/* or structured data */
106	SecCmsDigestedDataRef digestedData;
107	SecCmsEncryptedDataRef encryptedData;
108	SecCmsEnvelopedDataRef envelopedData;
109	SecCmsSignedDataRef signedData;
110	/* or anonymous pointer to something */
111	void * pointer;
112	};
113
114	struct SecCmsContentInfoStr {
115	CSSM_DATA contentType;
116	SecCmsContent content;
117	/* --------- local; not part of encoding --------- */
118	SECOidData * contentTypeTag;
119
120	/* additional info for encryptedData and envelopedData */
121	/* we waste this space for signedData and digestedData. sue me. */
122
123	SECAlgorithmID contentEncAlg;
124	CSSM_DATA_PTR rawContent; /* encrypted DER, optional */
125	/* XXXX bytes not encrypted, but encoded? */
126	/* --------- local; not part of encoding --------- */
127	SecSymmetricKeyRef bulkkey; /* bulk encryption key */
128	int keysize; /* size of bulk encryption key
129	* (only used by creation code) */
130	SECOidTag contentEncAlgTag; /* oid tag of encryption algorithm
131	* (only used by creation code) */
132	SecCmsCipherContextRef ciphcx; /* context for en/decryption going on */
133	SecCmsDigestContextRef digcx; /* context for digesting going on */
134	SecPrivateKeyRef privkey; /* @@@ private key is only here as a workaround for 3401088 */
135	};
136
137	/* =============================================================================
138	* MESSAGE
139	*/
140
141	/*!
142	@typedef
143	@discussion Type of function called inside SecCmsSignedDataEncodeAfterData to
144	fire up XPC service to talk to TimeStamping server, etc.
145	@param context Typically a CFDictionary with URL, etc.
146	@param messageImprint a SecAsn1TSAMessageImprint with the algorithm and hash value
147	@param tstoken The returned TimeStampToken
148	*/
149	typedef OSStatus (SecCmsTSACallback)(const void context, void messageImprint, uint64_t nonce, CSSM_DATA tstoken);
150
151	struct SecCmsMessageStr {
152	SecCmsContentInfo contentInfo; /* "outer" cinfo */
153	/* --------- local; not part of encoding --------- */
154	PLArenaPool * poolp;
155	Boolean poolp_is_ours;
156	int refCount;
157	/* properties of the "inner" data */
158	SECAlgorithmID ** detached_digestalgs;
159	CSSM_DATA_PTR * detached_digests;
160	void * pwfn_arg;
161	SecCmsGetDecryptKeyCallback decrypt_key_cb;
162	void * decrypt_key_cb_arg;
163
164	/* Fields for Time Stamping */
165	SecCmsTSACallback tsaCallback;
166	CFTypeRef tsaContext;
167	};
168
169	/* =============================================================================
170	* SIGNEDDATA
171	*/
172
173	struct SecCmsSignedDataStr {
174	CSSM_DATA version;
175	SECAlgorithmID ** digestAlgorithms;
176	SecCmsContentInfo contentInfo;
177	CSSM_DATA_PTR * rawCerts;
178	CSSM_DATA_PTR * rawCrls;
179	SecCmsSignerInfoRef * signerInfos;
180	/* --------- local; not part of encoding --------- */
181	SecCmsMessageRef cmsg; /* back pointer to message */
182	CSSM_DATA_PTR * digests;
183	CFMutableArrayRef certs;
184	};
185	#define SEC_CMS_SIGNED_DATA_VERSION_BASIC 1 /* what we create */
186	#define SEC_CMS_SIGNED_DATA_VERSION_EXT 3 /* what we create */
187
188	typedef enum {
189	SecCmsSignerIDIssuerSN = 0,
190	SecCmsSignerIDSubjectKeyID = 1
191	} SecCmsSignerIDSelector;
192
193	struct SecCmsSignerIdentifierStr {
194	SecCmsSignerIDSelector identifierType;
195	union {
196	SecCmsIssuerAndSN *issuerAndSN;
197	CSSM_DATA_PTR subjectKeyID;
198	} id;
199	};
200
201	struct SecCmsIssuerAndSNStr {
202	NSS_Name issuer;
203	CSSM_DATA serialNumber;
204	/* --------- local; not part of encoding --------- */
205	CSSM_DATA derIssuer;
206	};
207
208	struct SecCmsSignerInfoStr {
209	CSSM_DATA version;
210	SecCmsSignerIdentifier signerIdentifier;
211	SECAlgorithmID digestAlg;
212	SecCmsAttribute ** authAttr;
213	SECAlgorithmID digestEncAlg;
214	CSSM_DATA encDigest;
215	SecCmsAttribute ** unAuthAttr;
216	/* --------- local; not part of encoding --------- */
217	SecCmsMessageRef cmsg; /* back pointer to message */
218	SecCmsSignedDataRef sigd; /* back pointer to SignedData */
219	SecCertificateRef cert;
220	CFArrayRef certList;
221	CFAbsoluteTime signingTime;
222	SecCmsVerificationStatus verificationStatus;
223	SecPrivateKeyRef signingKey; /* Used if we're using subjKeyID*/
224	SecPublicKeyRef pubKey;
225	CFAbsoluteTime timestampTime;
226	CFAbsoluteTime tsaLeafNotBefore; /* Start date for Timestamp Authority leaf */
227	CFAbsoluteTime tsaLeafNotAfter; /* Expiration date for Timestamp Authority leaf */
228	CFMutableArrayRef timestampCertList;
ecaf5866	229	SecCertificateRef timestampCert;
e3d460c9	230	CFDataRef hashAgilityAttrValue;
ecaf5866	231	CFDictionaryRef hashAgilityV2AttrValues;
79b9da22	232	CFAbsoluteTime expirationTime;
d8f41ccd A	233	};
	234	#define SEC_CMS_SIGNER_INFO_VERSION_ISSUERSN 1 /* what we create */
	235	#define SEC_CMS_SIGNER_INFO_VERSION_SUBJKEY 3 /* what we create */
	236
	237	/* =============================================================================
	238	* ENVELOPED DATA
	239	*/
	240	struct SecCmsEnvelopedDataStr {
	241	CSSM_DATA version;
	242	SecCmsOriginatorInfo * originatorInfo; /* optional */
	243	SecCmsRecipientInfoRef * recipientInfos;
	244	SecCmsContentInfo contentInfo;
	245	SecCmsAttribute ** unprotectedAttr;
	246	/* --------- local; not part of encoding --------- */
	247	SecCmsMessageRef cmsg; /* back pointer to message */
	248	};
	249	#define SEC_CMS_ENVELOPED_DATA_VERSION_REG 0 /* what we create */
	250	#define SEC_CMS_ENVELOPED_DATA_VERSION_ADV 2 /* what we create */
	251
	252	struct SecCmsOriginatorInfoStr {
	253	CSSM_DATA_PTR * rawCerts;
	254	CSSM_DATA_PTR * rawCrls;
	255	/* --------- local; not part of encoding --------- */
	256	SecCertificateRef * certs;
	257	};
	258
	259	/* -----------------------------------------------------------------------------
	260	* key transport recipient info
	261	*/
	262	typedef enum {
	263	SecCmsRecipientIDIssuerSN = 0,
	264	SecCmsRecipientIDSubjectKeyID = 1
	265	} SecCmsRecipientIDSelector;
	266
	267	struct SecCmsRecipientIdentifierStr {
	268	SecCmsRecipientIDSelector identifierType;
	269	union {
	270	SecCmsIssuerAndSN *issuerAndSN;
	271	CSSM_DATA_PTR subjectKeyID;
	272	} id;
	273	};
	274	typedef struct SecCmsRecipientIdentifierStr SecCmsRecipientIdentifier;
	275
	276	struct SecCmsKeyTransRecipientInfoStr {
	277	CSSM_DATA version;
	278	SecCmsRecipientIdentifier recipientIdentifier;
	279	SECAlgorithmID keyEncAlg;
	280	CSSM_DATA encKey;
	281	};
	282	typedef struct SecCmsKeyTransRecipientInfoStr SecCmsKeyTransRecipientInfo;
	283
	284	/*
	285	* View comments before SecCmsRecipientInfoStr for purpose of this
	286	* structure.
	287	*/
	288	struct SecCmsKeyTransRecipientInfoExStr {
	289	SecCmsKeyTransRecipientInfo recipientInfo;
	290	int version; /* version of this structure (0) */
	291	SecPublicKeyRef pubKey;
	292	};
	293
	294	typedef struct SecCmsKeyTransRecipientInfoExStr SecCmsKeyTransRecipientInfoEx;
	295
	296	#define SEC_CMS_KEYTRANS_RECIPIENT_INFO_VERSION_ISSUERSN 0 /* what we create */
297	#define SEC_CMS_KEYTRANS_RECIPIENT_INFO_VERSION_SUBJKEY 2 /* what we create */
298
299	/* -----------------------------------------------------------------------------
300	* key agreement recipient info
301	*/
302	struct SecCmsOriginatorPublicKeyStr {
303	SECAlgorithmID algorithmIdentifier;
304	CSSM_DATA publicKey; /* bit string! */
305	};
306	typedef struct SecCmsOriginatorPublicKeyStr SecCmsOriginatorPublicKey;
307
308	typedef enum {
309	SecCmsOriginatorIDOrKeyIssuerSN = 0,
310	SecCmsOriginatorIDOrKeySubjectKeyID = 1,
311	SecCmsOriginatorIDOrKeyOriginatorPublicKey = 2
312	} SecCmsOriginatorIDOrKeySelector;
313
314	struct SecCmsOriginatorIdentifierOrKeyStr {
315	SecCmsOriginatorIDOrKeySelector identifierType;
316	union {
317	SecCmsIssuerAndSN issuerAndSN; / static-static */
318	CSSM_DATA subjectKeyID; /* static-static */
319	SecCmsOriginatorPublicKey originatorPublicKey; /* ephemeral-static */
320	} id;
321	};
322	typedef struct SecCmsOriginatorIdentifierOrKeyStr SecCmsOriginatorIdentifierOrKey;
323
324	struct SecCmsRecipientKeyIdentifierStr {
0e1db9d1 A	325	CSSM_DATA subjectKeyIdentifier;
	326	CSSM_DATA date; /* optional */
	327	CSSM_DATA other; /* optional */
d8f41ccd A	328	};
	329	typedef struct SecCmsRecipientKeyIdentifierStr SecCmsRecipientKeyIdentifier;
	330
	331	typedef enum {
	332	SecCmsKeyAgreeRecipientIDIssuerSN = 0,
	333	SecCmsKeyAgreeRecipientIDRKeyID = 1
	334	} SecCmsKeyAgreeRecipientIDSelector;
	335
	336	struct SecCmsKeyAgreeRecipientIdentifierStr {
	337	SecCmsKeyAgreeRecipientIDSelector identifierType;
	338	union {
	339	SecCmsIssuerAndSN *issuerAndSN;
	340	SecCmsRecipientKeyIdentifier recipientKeyIdentifier;
	341	} id;
	342	};
	343	typedef struct SecCmsKeyAgreeRecipientIdentifierStr SecCmsKeyAgreeRecipientIdentifier;
	344
	345	struct SecCmsRecipientEncryptedKeyStr {
	346	SecCmsKeyAgreeRecipientIdentifier recipientIdentifier;
	347	CSSM_DATA encKey;
	348	};
	349	typedef struct SecCmsRecipientEncryptedKeyStr SecCmsRecipientEncryptedKey;
	350
	351	struct SecCmsKeyAgreeRecipientInfoStr {
	352	CSSM_DATA version;
	353	SecCmsOriginatorIdentifierOrKey originatorIdentifierOrKey;
	354	CSSM_DATA ukm; /* optional */
	355	SECAlgorithmID keyEncAlg;
	356	SecCmsRecipientEncryptedKey ** recipientEncryptedKeys;
	357	};
	358	typedef struct SecCmsKeyAgreeRecipientInfoStr SecCmsKeyAgreeRecipientInfo;
	359
	360	#define SEC_CMS_KEYAGREE_RECIPIENT_INFO_VERSION 3 /* what we create */
	361
	362	/* -----------------------------------------------------------------------------
	363	* KEK recipient info
	364	*/
	365	struct SecCmsKEKIdentifierStr {
	366	CSSM_DATA keyIdentifier;
	367	CSSM_DATA_PTR date; /* optional */
	368	CSSM_DATA_PTR other; /* optional */
	369	};
	370	typedef struct SecCmsKEKIdentifierStr SecCmsKEKIdentifier;
	371
	372	struct SecCmsKEKRecipientInfoStr {
	373	CSSM_DATA version;
	374	SecCmsKEKIdentifier kekIdentifier;
	375	SECAlgorithmID keyEncAlg;
	376	CSSM_DATA encKey;
	377	};
	378	typedef struct SecCmsKEKRecipientInfoStr SecCmsKEKRecipientInfo;
	379
	380	#define SEC_CMS_KEK_RECIPIENT_INFO_VERSION 4 /* what we create */
	381
	382	/* -----------------------------------------------------------------------------
	383	* recipient info
	384	*/
	385
	386	typedef enum {
	387	SecCmsRecipientInfoIDKeyTrans = 0,
	388	SecCmsRecipientInfoIDKeyAgree = 1,
	389	SecCmsRecipientInfoIDKEK = 2
	390	} SecCmsRecipientInfoIDSelector;
	391
392	/*
393	* In order to preserve backwards binary compatibility when implementing
394	* creation of Recipient Info's that uses subjectKeyID in the
395	* keyTransRecipientInfo we need to stash a public key pointer in this
396	* structure somewhere. We figured out that SecCmsKeyTransRecipientInfo
397	* is the smallest member of the ri union. We're in luck since that's
398	* the very structure that would need to use the public key. So we created
399	* a new structure SecCmsKeyTransRecipientInfoEx which has a member
400	* SecCmsKeyTransRecipientInfo as the first member followed by a version
401	* and a public key pointer. This way we can keep backwards compatibility
402	* without changing the size of this structure.
403	*
404	* BTW, size of structure:
405	* SecCmsKeyTransRecipientInfo: 9 ints, 4 pointers
406	* SecCmsKeyAgreeRecipientInfo: 12 ints, 8 pointers
407	* SecCmsKEKRecipientInfo: 10 ints, 7 pointers
408	*
409	* The new structure:
410	* SecCmsKeyTransRecipientInfoEx: sizeof(SecCmsKeyTransRecipientInfo) +
411	* 1 int, 1 pointer
412	*/
413
414	struct SecCmsRecipientInfoStr {
415	SecCmsRecipientInfoIDSelector recipientInfoType;
416	union {
417	SecCmsKeyTransRecipientInfo keyTransRecipientInfo;
418	SecCmsKeyAgreeRecipientInfo keyAgreeRecipientInfo;
419	SecCmsKEKRecipientInfo kekRecipientInfo;
420	SecCmsKeyTransRecipientInfoEx keyTransRecipientInfoEx;
421	} ri;
422	/* --------- local; not part of encoding --------- */
423	SecCmsMessageRef cmsg; /* back pointer to message */
424	SecCertificateRef cert; /* recipient's certificate */
425	};
426
427	/* =============================================================================
428	* DIGESTED DATA
429	*/
430	struct SecCmsDigestedDataStr {
431	CSSM_DATA version;
432	SECAlgorithmID digestAlg;
433	SecCmsContentInfo contentInfo;
434	CSSM_DATA digest;
435	/* --------- local; not part of encoding --------- */
436	SecCmsMessageRef cmsg; /* back pointer */
437	CSSM_DATA cdigest; /* calculated digest */
438	};
439	#define SEC_CMS_DIGESTED_DATA_VERSION_DATA 0 /* what we create */
440	#define SEC_CMS_DIGESTED_DATA_VERSION_ENCAP 2 /* what we create */
441
442	/* =============================================================================
443	* ENCRYPTED DATA
444	*/
445	struct SecCmsEncryptedDataStr {
446	CSSM_DATA version;
447	SecCmsContentInfo contentInfo;
448	SecCmsAttribute ** unprotectedAttr; /* optional */
449	/* --------- local; not part of encoding --------- */
450	SecCmsMessageRef cmsg; /* back pointer */
451	};
452	#define SEC_CMS_ENCRYPTED_DATA_VERSION 0 /* what we create */
453	#define SEC_CMS_ENCRYPTED_DATA_VERSION_UPATTR 2 /* what we create */
454
455	/* =============================================================================
456	* FORTEZZA KEA
457	*/
458
459	/* An enumerated type used to select templates based on the encryption
460	scenario and data specifics. */
461	typedef enum {
462	SecCmsKEAInvalid = -1,
463	SecCmsKEAUsesSkipjack = 0,
464	SecCmsKEAUsesNonSkipjack = 1,
465	SecCmsKEAUsesNonSkipjackWithPaddedEncKey = 2
466	} SecCmsKEATemplateSelector;
467
468	/* ### mwelch - S/MIME KEA parameters. These don't really fit here,
469	but I cannot think of a more appropriate place at this time. */
470	struct SecCmsSMIMEKEAParametersStr {
471	CSSM_DATA originatorKEAKey; /* sender KEA key (encrypted?) */
472	CSSM_DATA originatorRA; /* random number generated by sender */
473	CSSM_DATA nonSkipjackIV; /* init'n vector for SkipjackCBC64
474	decryption of KEA key if Skipjack
475	is not the bulk algorithm used on
476	the message */
477	CSSM_DATA bulkKeySize; /* if Skipjack is not the bulk
478	algorithm used on the message,
479	and the size of the bulk encryption
480	key is not the same as that of
481	originatorKEAKey (due to padding
482	perhaps), this field will contain
483	the real size of the bulk encryption
484	key. */
485	};
486
487	/*
488	* *****************************************************************************
489	* *****************************************************************************
490	* *****************************************************************************
491	*/
492
493	/*
494	* See comment above about this type not really belonging to CMS.
495	*/
496	struct SecCmsAttributeStr {
497	/* The following fields make up an encoded Attribute: */
498	CSSM_DATA type;
499	CSSM_DATA_PTR * values; /* data may or may not be encoded */
500	/* The following fields are not part of an encoded Attribute: */
501	SECOidData * typeTag;
502	Boolean encoded; /* when true, values are encoded */
503	};
504
505
506	#endif /* _CMSTPRIV_H_ */