[apple/security.git] / OSX / libsecurity_smime / lib / cmstpriv.h

/*
 * The contents of this file are subject to the Mozilla Public
 * License Version 1.1 (the "License"); you may not use this file
 * except in compliance with the License. You may obtain a copy of
 * the License at http://www.mozilla.org/MPL/
 * 
 * Software distributed under the License is distributed on an "AS
 * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * rights and limitations under the License.
 * 
 * The Original Code is the Netscape security libraries.
 * 
 * The Initial Developer of the Original Code is Netscape
 * Communications Corporation.  Portions created by Netscape are 
 * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
 * Rights Reserved.
 * 
 * Contributor(s):
 * 
 * Alternatively, the contents of this file may be used under the
 * terms of the GNU General Public License Version 2 or later (the
 * "GPL"), in which case the provisions of the GPL are applicable 
 * instead of those above.  If you wish to allow use of your 
 * version of this file only under the terms of the GPL and not to
 * allow others to use your version of this file under the MPL,
 * indicate your decision by deleting the provisions above and
 * replace them with the notice and other provisions required by
 * the GPL.  If you do not delete the provisions above, a recipient
 * may use your version of this file under either the MPL or the
 * GPL.
 */

/*
 * Header for CMS types.
 */

#ifndef _CMSTPRIV_H_
#define _CMSTPRIV_H_

#include <Security/SecCmsBase.h>
#include <security_smime/secoidt.h>

#include <Security/secasn1t.h>
#include <security_asn1/plarenas.h>
#include <Security/nameTemplates.h>

#include <CoreFoundation/CFArray.h>
#include <CoreFoundation/CFDate.h>
#include <Security/SecCertificate.h>
#include <Security/SecKey.h>

/* rjr: PKCS #11 cert handling (pk11cert.c) does use SecCmsRecipientInfo's.
 * This is because when we search the recipient list for the cert and key we
 * want, we need to invert the order of the loops we used to have. The old
 * loops were:
 *
 *  For each recipient {
 *       find_cert = PK11_Find_AllCert(recipient->issuerSN);
 *       [which unrolls to... ]
 *       For each slot {
 *            Log into slot;
 *            search slot for cert;
 *      }
 *  }
 *
 *  the new loop searchs all the recipients at once on a slot. this allows
 *  PKCS #11 to order slots in such a way that logout slots don't get checked
 *  if we can find the cert on a logged in slot. This eliminates lots of
 *  spurious password prompts when smart cards are installed... so why this
 *  comment? If you make SecCmsRecipientInfo completely opaque, you need
 *  to provide a non-opaque list of issuerSN's (the only field PKCS#11 needs
 *  and fix up pk11cert.c first. NOTE: Only S/MIME calls this special PKCS #11
 *  function.
 */

typedef struct SecCmsContentInfoStr SecCmsContentInfo;
typedef struct SecCmsMessageStr SecCmsMessage;
typedef struct SecCmsSignedDataStr SecCmsSignedData;
typedef struct SecCmsSignerInfoStr SecCmsSignerInfo;
typedef struct SecCmsEnvelopedDataStr SecCmsEnvelopedData;
typedef struct SecCmsRecipientInfoStr SecCmsRecipientInfo;
typedef struct SecCmsDigestedDataStr SecCmsDigestedData;
typedef struct SecCmsEncryptedDataStr SecCmsEncryptedData;

typedef struct SecCmsIssuerAndSNStr SecCmsIssuerAndSN;
typedef struct SecCmsOriginatorInfoStr SecCmsOriginatorInfo;
typedef struct SecCmsAttributeStr SecCmsAttribute;

typedef union SecCmsContentUnion SecCmsContent;
typedef struct SecCmsSignerIdentifierStr SecCmsSignerIdentifier;

typedef struct SecCmsSMIMEKEAParametersStr SecCmsSMIMEKEAParameters;

typedef struct SecCmsCipherContextStr SecCmsCipherContext;
typedef struct SecCmsCipherContextStr *SecCmsCipherContextRef;

/* =============================================================================
 * ENCAPSULATED CONTENTINFO & CONTENTINFO
 */

union SecCmsContentUnion {
    /* either unstructured */
    CSSM_DATA_PTR 			data;
    /* or structured data */
    SecCmsDigestedDataRef 	digestedData;
    SecCmsEncryptedDataRef 	encryptedData;
    SecCmsEnvelopedDataRef 	envelopedData;
    SecCmsSignedDataRef 		signedData;
    /* or anonymous pointer to something */
    void *			pointer;
};

struct SecCmsContentInfoStr {
    CSSM_DATA			contentType;
    SecCmsContent		content;
    /* --------- local; not part of encoding --------- */
    SECOidData *		contentTypeTag;	

    /* additional info for encryptedData and envelopedData */
    /* we waste this space for signedData and digestedData. sue me. */

    SECAlgorithmID		contentEncAlg;
    CSSM_DATA_PTR 			rawContent;		/* encrypted DER, optional */
							/* XXXX bytes not encrypted, but encoded? */
    /* --------- local; not part of encoding --------- */
    SecSymmetricKeyRef		bulkkey;		/* bulk encryption key */
    int				keysize;		/* size of bulk encryption key
							 * (only used by creation code) */
    SECOidTag			contentEncAlgTag;	/* oid tag of encryption algorithm
							 * (only used by creation code) */
    SecCmsCipherContextRef ciphcx;		/* context for en/decryption going on */
    SecCmsDigestContextRef digcx;			/* context for digesting going on */
    SecPrivateKeyRef		privkey;		/* @@@ private key is only here as a workaround for 3401088 */
};

/* =============================================================================
 * MESSAGE
 */

/*!
    @typedef
    @discussion    Type of function called inside SecCmsSignedDataEncodeAfterData to
                    fire up XPC service to talk to TimeStamping server, etc.
    @param context  Typically a CFDictionary with URL, etc.
    @param messageImprint   a SecAsn1TSAMessageImprint with the algorithm and hash value
    @param tstoken  The returned TimeStampToken
 */
typedef OSStatus (*SecCmsTSACallback)(const void *context, void *messageImprint, uint64_t nonce, CSSM_DATA *tstoken);

struct SecCmsMessageStr {
    SecCmsContentInfo	contentInfo;		/* "outer" cinfo */
    /* --------- local; not part of encoding --------- */
    PLArenaPool *	poolp;
    Boolean		poolp_is_ours;
    int			refCount;
    /* properties of the "inner" data */
    SECAlgorithmID **	detached_digestalgs;
    CSSM_DATA_PTR *	detached_digests;
    void *		pwfn_arg;
    SecCmsGetDecryptKeyCallback decrypt_key_cb;
    void *		decrypt_key_cb_arg;
    
    /* Fields for Time Stamping */
    SecCmsTSACallback tsaCallback;
    CFTypeRef tsaContext;
};

/* =============================================================================
 * SIGNEDDATA
 */

struct SecCmsSignedDataStr {
    CSSM_DATA			version;
    SECAlgorithmID **		digestAlgorithms;
    SecCmsContentInfo		contentInfo;
    CSSM_DATA_PTR *		rawCerts;
    CSSM_DATA_PTR *		rawCrls;
    SecCmsSignerInfoRef *		signerInfos;
    /* --------- local; not part of encoding --------- */
    SecCmsMessageRef 		cmsg;			/* back pointer to message */
    CSSM_DATA_PTR *		digests;
    CFMutableArrayRef		certs;
};
#define SEC_CMS_SIGNED_DATA_VERSION_BASIC	1	/* what we *create* */
#define SEC_CMS_SIGNED_DATA_VERSION_EXT		3	/* what we *create* */

typedef enum {
    SecCmsSignerIDIssuerSN = 0,
    SecCmsSignerIDSubjectKeyID = 1
} SecCmsSignerIDSelector;

struct SecCmsSignerIdentifierStr {
    SecCmsSignerIDSelector identifierType;
    union {
	SecCmsIssuerAndSN *issuerAndSN;
	CSSM_DATA_PTR subjectKeyID;
    } id;
};

struct SecCmsIssuerAndSNStr {
	NSS_Name issuer;
	CSSM_DATA serialNumber;
    /* --------- local; not part of encoding --------- */
	CSSM_DATA derIssuer;
};

struct SecCmsSignerInfoStr {
    CSSM_DATA			version;
    SecCmsSignerIdentifier	signerIdentifier;
    SECAlgorithmID		digestAlg;
    SecCmsAttribute **		authAttr;
    SECAlgorithmID		digestEncAlg;
    CSSM_DATA			encDigest;
    SecCmsAttribute **		unAuthAttr;
    /* --------- local; not part of encoding --------- */
    SecCmsMessageRef 		cmsg;			/* back pointer to message */
    SecCmsSignedDataRef		sigd;			/* back pointer to SignedData */
    SecCertificateRef		cert;
    CFArrayRef			certList;
    CFAbsoluteTime		signingTime;
    SecCmsVerificationStatus	verificationStatus;
    SecPrivateKeyRef		signingKey; /* Used if we're using subjKeyID*/
    SecPublicKeyRef		pubKey;
    CFAbsoluteTime		timestampTime;
    CFAbsoluteTime		tsaLeafNotBefore;   /* Start date for Timestamp Authority leaf */
    CFAbsoluteTime		tsaLeafNotAfter;    /* Expiration date for Timestamp Authority leaf */
    CFMutableArrayRef	timestampCertList;
    CFDataRef           hashAgilityAttrValue;
};
#define SEC_CMS_SIGNER_INFO_VERSION_ISSUERSN	1	/* what we *create* */
#define SEC_CMS_SIGNER_INFO_VERSION_SUBJKEY	3	/* what we *create* */

/* =============================================================================
 * ENVELOPED DATA
 */
struct SecCmsEnvelopedDataStr {
    CSSM_DATA			version;
    SecCmsOriginatorInfo *	originatorInfo;		/* optional */
    SecCmsRecipientInfoRef *	recipientInfos;
    SecCmsContentInfo		contentInfo;
    SecCmsAttribute **		unprotectedAttr;
    /* --------- local; not part of encoding --------- */
    SecCmsMessageRef 		cmsg;			/* back pointer to message */
};
#define SEC_CMS_ENVELOPED_DATA_VERSION_REG	0	/* what we *create* */
#define SEC_CMS_ENVELOPED_DATA_VERSION_ADV	2	/* what we *create* */

struct SecCmsOriginatorInfoStr {
    CSSM_DATA_PTR *		rawCerts;
    CSSM_DATA_PTR *		rawCrls;
    /* --------- local; not part of encoding --------- */
    SecCertificateRef *		certs;
};

/* -----------------------------------------------------------------------------
 * key transport recipient info
 */
typedef enum {
    SecCmsRecipientIDIssuerSN = 0,
    SecCmsRecipientIDSubjectKeyID = 1
} SecCmsRecipientIDSelector;

struct SecCmsRecipientIdentifierStr {
    SecCmsRecipientIDSelector	identifierType;
    union {
	SecCmsIssuerAndSN	*issuerAndSN;
	CSSM_DATA_PTR subjectKeyID;
    } id;
};
typedef struct SecCmsRecipientIdentifierStr SecCmsRecipientIdentifier;

struct SecCmsKeyTransRecipientInfoStr {
    CSSM_DATA			version;
    SecCmsRecipientIdentifier	recipientIdentifier;
    SECAlgorithmID		keyEncAlg;
    CSSM_DATA			encKey;
};
typedef struct SecCmsKeyTransRecipientInfoStr SecCmsKeyTransRecipientInfo;

/*
 * View comments before SecCmsRecipientInfoStr for purpose of this
 * structure.
 */
struct SecCmsKeyTransRecipientInfoExStr {
    SecCmsKeyTransRecipientInfo recipientInfo;
    int version;  /* version of this structure (0) */
    SecPublicKeyRef pubKey;
};

typedef struct SecCmsKeyTransRecipientInfoExStr SecCmsKeyTransRecipientInfoEx;

#define SEC_CMS_KEYTRANS_RECIPIENT_INFO_VERSION_ISSUERSN	0	/* what we *create* */
#define SEC_CMS_KEYTRANS_RECIPIENT_INFO_VERSION_SUBJKEY		2	/* what we *create* */

/* -----------------------------------------------------------------------------
 * key agreement recipient info
 */
struct SecCmsOriginatorPublicKeyStr {
    SECAlgorithmID			algorithmIdentifier;
    CSSM_DATA				publicKey;			/* bit string! */
};
typedef struct SecCmsOriginatorPublicKeyStr SecCmsOriginatorPublicKey;

typedef enum {
    SecCmsOriginatorIDOrKeyIssuerSN = 0,
    SecCmsOriginatorIDOrKeySubjectKeyID = 1,
    SecCmsOriginatorIDOrKeyOriginatorPublicKey = 2
} SecCmsOriginatorIDOrKeySelector;

struct SecCmsOriginatorIdentifierOrKeyStr {
    SecCmsOriginatorIDOrKeySelector identifierType;
    union {
	SecCmsIssuerAndSN			*issuerAndSN;			/* static-static */
	CSSM_DATA					subjectKeyID;			/* static-static */
	SecCmsOriginatorPublicKey	originatorPublicKey;	/* ephemeral-static */
    } id;
};
typedef struct SecCmsOriginatorIdentifierOrKeyStr SecCmsOriginatorIdentifierOrKey;

struct SecCmsRecipientKeyIdentifierStr {
    CSSM_DATA_PTR 				subjectKeyIdentifier;
    CSSM_DATA_PTR 				date;			/* optional */
    CSSM_DATA_PTR 				other;			/* optional */
};
typedef struct SecCmsRecipientKeyIdentifierStr SecCmsRecipientKeyIdentifier;

typedef enum {
    SecCmsKeyAgreeRecipientIDIssuerSN = 0,
    SecCmsKeyAgreeRecipientIDRKeyID = 1
} SecCmsKeyAgreeRecipientIDSelector;

struct SecCmsKeyAgreeRecipientIdentifierStr {
    SecCmsKeyAgreeRecipientIDSelector	identifierType;
    union {
	SecCmsIssuerAndSN		*issuerAndSN;
	SecCmsRecipientKeyIdentifier	recipientKeyIdentifier;
    } id;
};
typedef struct SecCmsKeyAgreeRecipientIdentifierStr SecCmsKeyAgreeRecipientIdentifier;

struct SecCmsRecipientEncryptedKeyStr {
    SecCmsKeyAgreeRecipientIdentifier	recipientIdentifier;
    CSSM_DATA				encKey;
};
typedef struct SecCmsRecipientEncryptedKeyStr SecCmsRecipientEncryptedKey;

struct SecCmsKeyAgreeRecipientInfoStr {
    CSSM_DATA				version;
    SecCmsOriginatorIdentifierOrKey	originatorIdentifierOrKey;
    CSSM_DATA 				ukm;				/* optional */
    SECAlgorithmID			keyEncAlg;
    SecCmsRecipientEncryptedKey **	recipientEncryptedKeys;
};
typedef struct SecCmsKeyAgreeRecipientInfoStr SecCmsKeyAgreeRecipientInfo;

#define SEC_CMS_KEYAGREE_RECIPIENT_INFO_VERSION	3	/* what we *create* */

/* -----------------------------------------------------------------------------
 * KEK recipient info
 */
struct SecCmsKEKIdentifierStr {
    CSSM_DATA			keyIdentifier;
    CSSM_DATA_PTR 			date;			/* optional */
    CSSM_DATA_PTR 			other;			/* optional */
};
typedef struct SecCmsKEKIdentifierStr SecCmsKEKIdentifier;

struct SecCmsKEKRecipientInfoStr {
    CSSM_DATA			version;
    SecCmsKEKIdentifier		kekIdentifier;
    SECAlgorithmID		keyEncAlg;
    CSSM_DATA			encKey;
};
typedef struct SecCmsKEKRecipientInfoStr SecCmsKEKRecipientInfo;

#define SEC_CMS_KEK_RECIPIENT_INFO_VERSION	4	/* what we *create* */

/* -----------------------------------------------------------------------------
 * recipient info
 */

typedef enum {
    SecCmsRecipientInfoIDKeyTrans = 0,
    SecCmsRecipientInfoIDKeyAgree = 1,
    SecCmsRecipientInfoIDKEK = 2
} SecCmsRecipientInfoIDSelector;

/*
 * In order to preserve backwards binary compatibility when implementing
 * creation of Recipient Info's that uses subjectKeyID in the 
 * keyTransRecipientInfo we need to stash a public key pointer in this
 * structure somewhere.  We figured out that SecCmsKeyTransRecipientInfo
 * is the smallest member of the ri union.  We're in luck since that's
 * the very structure that would need to use the public key. So we created
 * a new structure SecCmsKeyTransRecipientInfoEx which has a member 
 * SecCmsKeyTransRecipientInfo as the first member followed by a version
 * and a public key pointer.  This way we can keep backwards compatibility
 * without changing the size of this structure.
 *
 * BTW, size of structure:
 * SecCmsKeyTransRecipientInfo:  9 ints, 4 pointers
 * SecCmsKeyAgreeRecipientInfo: 12 ints, 8 pointers
 * SecCmsKEKRecipientInfo:      10 ints, 7 pointers
 *
 * The new structure:
 * SecCmsKeyTransRecipientInfoEx: sizeof(SecCmsKeyTransRecipientInfo) +
 *                                1 int, 1 pointer
 */

struct SecCmsRecipientInfoStr {
    SecCmsRecipientInfoIDSelector recipientInfoType;
    union {
	SecCmsKeyTransRecipientInfo keyTransRecipientInfo;
	SecCmsKeyAgreeRecipientInfo keyAgreeRecipientInfo;
	SecCmsKEKRecipientInfo kekRecipientInfo;
	SecCmsKeyTransRecipientInfoEx keyTransRecipientInfoEx;
    } ri;
    /* --------- local; not part of encoding --------- */
    SecCmsMessageRef 		cmsg;			/* back pointer to message */
    SecCertificateRef 		cert;			/* recipient's certificate */
};

/* =============================================================================
 * DIGESTED DATA
 */
struct SecCmsDigestedDataStr {
    CSSM_DATA			version;
    SECAlgorithmID		digestAlg;
    SecCmsContentInfo		contentInfo;
    CSSM_DATA			digest;
    /* --------- local; not part of encoding --------- */
    SecCmsMessageRef 		cmsg;		/* back pointer */
    CSSM_DATA			cdigest;	/* calculated digest */
};
#define SEC_CMS_DIGESTED_DATA_VERSION_DATA	0	/* what we *create* */
#define SEC_CMS_DIGESTED_DATA_VERSION_ENCAP	2	/* what we *create* */

/* =============================================================================
 * ENCRYPTED DATA
 */
struct SecCmsEncryptedDataStr {
    CSSM_DATA			version;
    SecCmsContentInfo		contentInfo;
    SecCmsAttribute **		unprotectedAttr;	/* optional */
    /* --------- local; not part of encoding --------- */
    SecCmsMessageRef 		cmsg;		/* back pointer */
};
#define SEC_CMS_ENCRYPTED_DATA_VERSION		0	/* what we *create* */
#define SEC_CMS_ENCRYPTED_DATA_VERSION_UPATTR	2	/* what we *create* */

/* =============================================================================
 * FORTEZZA KEA
 */

/* An enumerated type used to select templates based on the encryption
   scenario and data specifics. */
typedef enum {
    SecCmsKEAInvalid = -1,
    SecCmsKEAUsesSkipjack = 0,
    SecCmsKEAUsesNonSkipjack = 1,
    SecCmsKEAUsesNonSkipjackWithPaddedEncKey = 2
} SecCmsKEATemplateSelector;

/* ### mwelch - S/MIME KEA parameters. These don't really fit here,
                but I cannot think of a more appropriate place at this time. */
struct SecCmsSMIMEKEAParametersStr {
    CSSM_DATA originatorKEAKey;	/* sender KEA key (encrypted?) */
    CSSM_DATA originatorRA;	/* random number generated by sender */
    CSSM_DATA nonSkipjackIV;	/* init'n vector for SkipjackCBC64
			           decryption of KEA key if Skipjack
				   is not the bulk algorithm used on
				   the message */
    CSSM_DATA bulkKeySize;	/* if Skipjack is not the bulk
			           algorithm used on the message,
				   and the size of the bulk encryption
				   key is not the same as that of
				   originatorKEAKey (due to padding
				   perhaps), this field will contain
				   the real size of the bulk encryption
				   key. */
};

/*
 * *****************************************************************************
 * *****************************************************************************
 * *****************************************************************************
 */

/*
 * See comment above about this type not really belonging to CMS.
 */
struct SecCmsAttributeStr {
    /* The following fields make up an encoded Attribute: */
    CSSM_DATA			type;
    CSSM_DATA_PTR *		values;	/* data may or may not be encoded */
    /* The following fields are not part of an encoded Attribute: */
    SECOidData *		typeTag;
    Boolean			encoded;	/* when true, values are encoded */
};


#endif /* _CMSTPRIV_H_ */
Commit	Line	Data
d8f41ccd A	1	/*
	2	* The contents of this file are subject to the Mozilla Public
	3	* License Version 1.1 (the "License"); you may not use this file
	4	* except in compliance with the License. You may obtain a copy of
	5	* the License at http://www.mozilla.org/MPL/
	6	*
	7	* Software distributed under the License is distributed on an "AS
	8	* IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
	9	* implied. See the License for the specific language governing
	10	* rights and limitations under the License.
	11	*
	12	* The Original Code is the Netscape security libraries.
	13	*
	14	* The Initial Developer of the Original Code is Netscape
	15	* Communications Corporation. Portions created by Netscape are
	16	* Copyright (C) 1994-2000 Netscape Communications Corporation. All
	17	* Rights Reserved.
	18	*
	19	* Contributor(s):
	20	*
	21	* Alternatively, the contents of this file may be used under the
	22	* terms of the GNU General Public License Version 2 or later (the
	23	* "GPL"), in which case the provisions of the GPL are applicable
	24	* instead of those above. If you wish to allow use of your
	25	* version of this file only under the terms of the GPL and not to
	26	* allow others to use your version of this file under the MPL,
	27	* indicate your decision by deleting the provisions above and
	28	* replace them with the notice and other provisions required by
	29	* the GPL. If you do not delete the provisions above, a recipient
	30	* may use your version of this file under either the MPL or the
	31	* GPL.
	32	*/
	33
	34	/*
	35	* Header for CMS types.
	36	*/
	37
	38	#ifndef _CMSTPRIV_H_
	39	#define _CMSTPRIV_H_
	40
	41	#include <Security/SecCmsBase.h>
	42	#include <security_smime/secoidt.h>
	43
	44	#include <Security/secasn1t.h>
	45	#include <security_asn1/plarenas.h>
	46	#include <Security/nameTemplates.h>
	47
	48	#include <CoreFoundation/CFArray.h>
	49	#include <CoreFoundation/CFDate.h>
	50	#include <Security/SecCertificate.h>
	51	#include <Security/SecKey.h>
	52
	53	/* rjr: PKCS #11 cert handling (pk11cert.c) does use SecCmsRecipientInfo's.
	54	* This is because when we search the recipient list for the cert and key we
	55	* want, we need to invert the order of the loops we used to have. The old
	56	* loops were:
	57	*
	58	* For each recipient {
	59	* find_cert = PK11_Find_AllCert(recipient->issuerSN);
	60	* [which unrolls to... ]
	61	* For each slot {
	62	* Log into slot;
	63	* search slot for cert;
	64	* }
65	* }
66	*
67	* the new loop searchs all the recipients at once on a slot. this allows
68	* PKCS #11 to order slots in such a way that logout slots don't get checked
69	* if we can find the cert on a logged in slot. This eliminates lots of
70	* spurious password prompts when smart cards are installed... so why this
71	* comment? If you make SecCmsRecipientInfo completely opaque, you need
72	* to provide a non-opaque list of issuerSN's (the only field PKCS#11 needs
73	* and fix up pk11cert.c first. NOTE: Only S/MIME calls this special PKCS #11
74	* function.
75	*/
76
77	typedef struct SecCmsContentInfoStr SecCmsContentInfo;
78	typedef struct SecCmsMessageStr SecCmsMessage;
79	typedef struct SecCmsSignedDataStr SecCmsSignedData;
80	typedef struct SecCmsSignerInfoStr SecCmsSignerInfo;
81	typedef struct SecCmsEnvelopedDataStr SecCmsEnvelopedData;
82	typedef struct SecCmsRecipientInfoStr SecCmsRecipientInfo;
83	typedef struct SecCmsDigestedDataStr SecCmsDigestedData;
84	typedef struct SecCmsEncryptedDataStr SecCmsEncryptedData;
85
86	typedef struct SecCmsIssuerAndSNStr SecCmsIssuerAndSN;
87	typedef struct SecCmsOriginatorInfoStr SecCmsOriginatorInfo;
88	typedef struct SecCmsAttributeStr SecCmsAttribute;
89
90	typedef union SecCmsContentUnion SecCmsContent;
91	typedef struct SecCmsSignerIdentifierStr SecCmsSignerIdentifier;
92
93	typedef struct SecCmsSMIMEKEAParametersStr SecCmsSMIMEKEAParameters;
94
95	typedef struct SecCmsCipherContextStr SecCmsCipherContext;
96	typedef struct SecCmsCipherContextStr *SecCmsCipherContextRef;
97
98	/* =============================================================================
99	* ENCAPSULATED CONTENTINFO & CONTENTINFO
100	*/
101
102	union SecCmsContentUnion {
103	/* either unstructured */
104	CSSM_DATA_PTR data;
105	/* or structured data */
106	SecCmsDigestedDataRef digestedData;
107	SecCmsEncryptedDataRef encryptedData;
108	SecCmsEnvelopedDataRef envelopedData;
109	SecCmsSignedDataRef signedData;
110	/* or anonymous pointer to something */
111	void * pointer;
112	};
113
114	struct SecCmsContentInfoStr {
115	CSSM_DATA contentType;
116	SecCmsContent content;
117	/* --------- local; not part of encoding --------- */
118	SECOidData * contentTypeTag;
119
120	/* additional info for encryptedData and envelopedData */
121	/* we waste this space for signedData and digestedData. sue me. */
122
123	SECAlgorithmID contentEncAlg;
124	CSSM_DATA_PTR rawContent; /* encrypted DER, optional */
125	/* XXXX bytes not encrypted, but encoded? */
126	/* --------- local; not part of encoding --------- */
127	SecSymmetricKeyRef bulkkey; /* bulk encryption key */
128	int keysize; /* size of bulk encryption key
129	* (only used by creation code) */
130	SECOidTag contentEncAlgTag; /* oid tag of encryption algorithm
131	* (only used by creation code) */
132	SecCmsCipherContextRef ciphcx; /* context for en/decryption going on */
133	SecCmsDigestContextRef digcx; /* context for digesting going on */
134	SecPrivateKeyRef privkey; /* @@@ private key is only here as a workaround for 3401088 */
135	};
136
137	/* =============================================================================
138	* MESSAGE
139	*/
140
141	/*!
142	@typedef
143	@discussion Type of function called inside SecCmsSignedDataEncodeAfterData to
144	fire up XPC service to talk to TimeStamping server, etc.
145	@param context Typically a CFDictionary with URL, etc.
146	@param messageImprint a SecAsn1TSAMessageImprint with the algorithm and hash value
147	@param tstoken The returned TimeStampToken
148	*/
149	typedef OSStatus (SecCmsTSACallback)(const void context, void messageImprint, uint64_t nonce, CSSM_DATA tstoken);
150
151	struct SecCmsMessageStr {
152	SecCmsContentInfo contentInfo; /* "outer" cinfo */
153	/* --------- local; not part of encoding --------- */
154	PLArenaPool * poolp;
155	Boolean poolp_is_ours;
156	int refCount;
157	/* properties of the "inner" data */
158	SECAlgorithmID ** detached_digestalgs;
159	CSSM_DATA_PTR * detached_digests;
160	void * pwfn_arg;
161	SecCmsGetDecryptKeyCallback decrypt_key_cb;
162	void * decrypt_key_cb_arg;
163
164	/* Fields for Time Stamping */
165	SecCmsTSACallback tsaCallback;
166	CFTypeRef tsaContext;
167	};
168
169	/* =============================================================================
170	* SIGNEDDATA
171	*/
172
173	struct SecCmsSignedDataStr {
174	CSSM_DATA version;
175	SECAlgorithmID ** digestAlgorithms;
176	SecCmsContentInfo contentInfo;
177	CSSM_DATA_PTR * rawCerts;
178	CSSM_DATA_PTR * rawCrls;
179	SecCmsSignerInfoRef * signerInfos;
180	/* --------- local; not part of encoding --------- */
181	SecCmsMessageRef cmsg; /* back pointer to message */
182	CSSM_DATA_PTR * digests;
183	CFMutableArrayRef certs;
184	};
185	#define SEC_CMS_SIGNED_DATA_VERSION_BASIC 1 /* what we create */
186	#define SEC_CMS_SIGNED_DATA_VERSION_EXT 3 /* what we create */
187
188	typedef enum {
189	SecCmsSignerIDIssuerSN = 0,
190	SecCmsSignerIDSubjectKeyID = 1
191	} SecCmsSignerIDSelector;
192
193	struct SecCmsSignerIdentifierStr {
194	SecCmsSignerIDSelector identifierType;
195	union {
196	SecCmsIssuerAndSN *issuerAndSN;
197	CSSM_DATA_PTR subjectKeyID;
198	} id;
199	};
200
201	struct SecCmsIssuerAndSNStr {
202	NSS_Name issuer;
203	CSSM_DATA serialNumber;
204	/* --------- local; not part of encoding --------- */
205	CSSM_DATA derIssuer;
206	};
207
208	struct SecCmsSignerInfoStr {
209	CSSM_DATA version;
210	SecCmsSignerIdentifier signerIdentifier;
211	SECAlgorithmID digestAlg;
212	SecCmsAttribute ** authAttr;
213	SECAlgorithmID digestEncAlg;
214	CSSM_DATA encDigest;
215	SecCmsAttribute ** unAuthAttr;
216	/* --------- local; not part of encoding --------- */
217	SecCmsMessageRef cmsg; /* back pointer to message */
218	SecCmsSignedDataRef sigd; /* back pointer to SignedData */
219	SecCertificateRef cert;
220	CFArrayRef certList;
221	CFAbsoluteTime signingTime;
222	SecCmsVerificationStatus verificationStatus;
223	SecPrivateKeyRef signingKey; /* Used if we're using subjKeyID*/
224	SecPublicKeyRef pubKey;
225	CFAbsoluteTime timestampTime;
226	CFAbsoluteTime tsaLeafNotBefore; /* Start date for Timestamp Authority leaf */
227	CFAbsoluteTime tsaLeafNotAfter; /* Expiration date for Timestamp Authority leaf */
228	CFMutableArrayRef timestampCertList;
e3d460c9	229	CFDataRef hashAgilityAttrValue;
d8f41ccd A	230	};
	231	#define SEC_CMS_SIGNER_INFO_VERSION_ISSUERSN 1 /* what we create */
	232	#define SEC_CMS_SIGNER_INFO_VERSION_SUBJKEY 3 /* what we create */
	233
	234	/* =============================================================================
	235	* ENVELOPED DATA
	236	*/
	237	struct SecCmsEnvelopedDataStr {
	238	CSSM_DATA version;
	239	SecCmsOriginatorInfo * originatorInfo; /* optional */
	240	SecCmsRecipientInfoRef * recipientInfos;
	241	SecCmsContentInfo contentInfo;
	242	SecCmsAttribute ** unprotectedAttr;
	243	/* --------- local; not part of encoding --------- */
	244	SecCmsMessageRef cmsg; /* back pointer to message */
	245	};
	246	#define SEC_CMS_ENVELOPED_DATA_VERSION_REG 0 /* what we create */
	247	#define SEC_CMS_ENVELOPED_DATA_VERSION_ADV 2 /* what we create */
	248
	249	struct SecCmsOriginatorInfoStr {
	250	CSSM_DATA_PTR * rawCerts;
	251	CSSM_DATA_PTR * rawCrls;
	252	/* --------- local; not part of encoding --------- */
	253	SecCertificateRef * certs;
	254	};
	255
	256	/* -----------------------------------------------------------------------------
	257	* key transport recipient info
	258	*/
	259	typedef enum {
	260	SecCmsRecipientIDIssuerSN = 0,
	261	SecCmsRecipientIDSubjectKeyID = 1
	262	} SecCmsRecipientIDSelector;
	263
	264	struct SecCmsRecipientIdentifierStr {
	265	SecCmsRecipientIDSelector identifierType;
	266	union {
	267	SecCmsIssuerAndSN *issuerAndSN;
	268	CSSM_DATA_PTR subjectKeyID;
	269	} id;
	270	};
	271	typedef struct SecCmsRecipientIdentifierStr SecCmsRecipientIdentifier;
	272
	273	struct SecCmsKeyTransRecipientInfoStr {
	274	CSSM_DATA version;
	275	SecCmsRecipientIdentifier recipientIdentifier;
	276	SECAlgorithmID keyEncAlg;
	277	CSSM_DATA encKey;
	278	};
	279	typedef struct SecCmsKeyTransRecipientInfoStr SecCmsKeyTransRecipientInfo;
	280
	281	/*
	282	* View comments before SecCmsRecipientInfoStr for purpose of this
	283	* structure.
	284	*/
	285	struct SecCmsKeyTransRecipientInfoExStr {
	286	SecCmsKeyTransRecipientInfo recipientInfo;
	287	int version; /* version of this structure (0) */
	288	SecPublicKeyRef pubKey;
	289	};
	290
	291	typedef struct SecCmsKeyTransRecipientInfoExStr SecCmsKeyTransRecipientInfoEx;
	292
	293	#define SEC_CMS_KEYTRANS_RECIPIENT_INFO_VERSION_ISSUERSN 0 /* what we create */
294	#define SEC_CMS_KEYTRANS_RECIPIENT_INFO_VERSION_SUBJKEY 2 /* what we create */
295
296	/* -----------------------------------------------------------------------------
297	* key agreement recipient info
298	*/
299	struct SecCmsOriginatorPublicKeyStr {
300	SECAlgorithmID algorithmIdentifier;
301	CSSM_DATA publicKey; /* bit string! */
302	};
303	typedef struct SecCmsOriginatorPublicKeyStr SecCmsOriginatorPublicKey;
304
305	typedef enum {
306	SecCmsOriginatorIDOrKeyIssuerSN = 0,
307	SecCmsOriginatorIDOrKeySubjectKeyID = 1,
308	SecCmsOriginatorIDOrKeyOriginatorPublicKey = 2
309	} SecCmsOriginatorIDOrKeySelector;
310
311	struct SecCmsOriginatorIdentifierOrKeyStr {
312	SecCmsOriginatorIDOrKeySelector identifierType;
313	union {
314	SecCmsIssuerAndSN issuerAndSN; / static-static */
315	CSSM_DATA subjectKeyID; /* static-static */
316	SecCmsOriginatorPublicKey originatorPublicKey; /* ephemeral-static */
317	} id;
318	};
319	typedef struct SecCmsOriginatorIdentifierOrKeyStr SecCmsOriginatorIdentifierOrKey;
320
321	struct SecCmsRecipientKeyIdentifierStr {
322	CSSM_DATA_PTR subjectKeyIdentifier;
323	CSSM_DATA_PTR date; /* optional */
324	CSSM_DATA_PTR other; /* optional */
325	};
326	typedef struct SecCmsRecipientKeyIdentifierStr SecCmsRecipientKeyIdentifier;
327
328	typedef enum {
329	SecCmsKeyAgreeRecipientIDIssuerSN = 0,
330	SecCmsKeyAgreeRecipientIDRKeyID = 1
331	} SecCmsKeyAgreeRecipientIDSelector;
332
333	struct SecCmsKeyAgreeRecipientIdentifierStr {
334	SecCmsKeyAgreeRecipientIDSelector identifierType;
335	union {
336	SecCmsIssuerAndSN *issuerAndSN;
337	SecCmsRecipientKeyIdentifier recipientKeyIdentifier;
338	} id;
339	};
340	typedef struct SecCmsKeyAgreeRecipientIdentifierStr SecCmsKeyAgreeRecipientIdentifier;
341
342	struct SecCmsRecipientEncryptedKeyStr {
343	SecCmsKeyAgreeRecipientIdentifier recipientIdentifier;
344	CSSM_DATA encKey;
345	};
346	typedef struct SecCmsRecipientEncryptedKeyStr SecCmsRecipientEncryptedKey;
347
348	struct SecCmsKeyAgreeRecipientInfoStr {
349	CSSM_DATA version;
350	SecCmsOriginatorIdentifierOrKey originatorIdentifierOrKey;
351	CSSM_DATA ukm; /* optional */
352	SECAlgorithmID keyEncAlg;
353	SecCmsRecipientEncryptedKey ** recipientEncryptedKeys;
354	};
355	typedef struct SecCmsKeyAgreeRecipientInfoStr SecCmsKeyAgreeRecipientInfo;
356
357	#define SEC_CMS_KEYAGREE_RECIPIENT_INFO_VERSION 3 /* what we create */
358
359	/* -----------------------------------------------------------------------------
360	* KEK recipient info
361	*/
362	struct SecCmsKEKIdentifierStr {
363	CSSM_DATA keyIdentifier;
364	CSSM_DATA_PTR date; /* optional */
365	CSSM_DATA_PTR other; /* optional */
366	};
367	typedef struct SecCmsKEKIdentifierStr SecCmsKEKIdentifier;
368
369	struct SecCmsKEKRecipientInfoStr {
370	CSSM_DATA version;
371	SecCmsKEKIdentifier kekIdentifier;
372	SECAlgorithmID keyEncAlg;
373	CSSM_DATA encKey;
374	};
375	typedef struct SecCmsKEKRecipientInfoStr SecCmsKEKRecipientInfo;
376
377	#define SEC_CMS_KEK_RECIPIENT_INFO_VERSION 4 /* what we create */
378
379	/* -----------------------------------------------------------------------------
380	* recipient info
381	*/
382
383	typedef enum {
384	SecCmsRecipientInfoIDKeyTrans = 0,
385	SecCmsRecipientInfoIDKeyAgree = 1,
386	SecCmsRecipientInfoIDKEK = 2
387	} SecCmsRecipientInfoIDSelector;
388
389	/*
390	* In order to preserve backwards binary compatibility when implementing
391	* creation of Recipient Info's that uses subjectKeyID in the
392	* keyTransRecipientInfo we need to stash a public key pointer in this
393	* structure somewhere. We figured out that SecCmsKeyTransRecipientInfo
394	* is the smallest member of the ri union. We're in luck since that's
395	* the very structure that would need to use the public key. So we created
396	* a new structure SecCmsKeyTransRecipientInfoEx which has a member
397	* SecCmsKeyTransRecipientInfo as the first member followed by a version
398	* and a public key pointer. This way we can keep backwards compatibility
399	* without changing the size of this structure.
400	*
401	* BTW, size of structure:
402	* SecCmsKeyTransRecipientInfo: 9 ints, 4 pointers
403	* SecCmsKeyAgreeRecipientInfo: 12 ints, 8 pointers
404	* SecCmsKEKRecipientInfo: 10 ints, 7 pointers
405	*
406	* The new structure:
407	* SecCmsKeyTransRecipientInfoEx: sizeof(SecCmsKeyTransRecipientInfo) +
408	* 1 int, 1 pointer
409	*/
410
411	struct SecCmsRecipientInfoStr {
412	SecCmsRecipientInfoIDSelector recipientInfoType;
413	union {
414	SecCmsKeyTransRecipientInfo keyTransRecipientInfo;
415	SecCmsKeyAgreeRecipientInfo keyAgreeRecipientInfo;
416	SecCmsKEKRecipientInfo kekRecipientInfo;
417	SecCmsKeyTransRecipientInfoEx keyTransRecipientInfoEx;
418	} ri;
419	/* --------- local; not part of encoding --------- */
420	SecCmsMessageRef cmsg; /* back pointer to message */
421	SecCertificateRef cert; /* recipient's certificate */
422	};
423
424	/* =============================================================================
425	* DIGESTED DATA
426	*/
427	struct SecCmsDigestedDataStr {
428	CSSM_DATA version;
429	SECAlgorithmID digestAlg;
430	SecCmsContentInfo contentInfo;
431	CSSM_DATA digest;
432	/* --------- local; not part of encoding --------- */
433	SecCmsMessageRef cmsg; /* back pointer */
434	CSSM_DATA cdigest; /* calculated digest */
435	};
436	#define SEC_CMS_DIGESTED_DATA_VERSION_DATA 0 /* what we create */
437	#define SEC_CMS_DIGESTED_DATA_VERSION_ENCAP 2 /* what we create */
438
439	/* =============================================================================
440	* ENCRYPTED DATA
441	*/
442	struct SecCmsEncryptedDataStr {
443	CSSM_DATA version;
444	SecCmsContentInfo contentInfo;
445	SecCmsAttribute ** unprotectedAttr; /* optional */
446	/* --------- local; not part of encoding --------- */
447	SecCmsMessageRef cmsg; /* back pointer */
448	};
449	#define SEC_CMS_ENCRYPTED_DATA_VERSION 0 /* what we create */
450	#define SEC_CMS_ENCRYPTED_DATA_VERSION_UPATTR 2 /* what we create */
451
452	/* =============================================================================
453	* FORTEZZA KEA
454	*/
455
456	/* An enumerated type used to select templates based on the encryption
457	scenario and data specifics. */
458	typedef enum {
459	SecCmsKEAInvalid = -1,
460	SecCmsKEAUsesSkipjack = 0,
461	SecCmsKEAUsesNonSkipjack = 1,
462	SecCmsKEAUsesNonSkipjackWithPaddedEncKey = 2
463	} SecCmsKEATemplateSelector;
464
465	/* ### mwelch - S/MIME KEA parameters. These don't really fit here,
466	but I cannot think of a more appropriate place at this time. */
467	struct SecCmsSMIMEKEAParametersStr {
468	CSSM_DATA originatorKEAKey; /* sender KEA key (encrypted?) */
469	CSSM_DATA originatorRA; /* random number generated by sender */
470	CSSM_DATA nonSkipjackIV; /* init'n vector for SkipjackCBC64
471	decryption of KEA key if Skipjack
472	is not the bulk algorithm used on
473	the message */
474	CSSM_DATA bulkKeySize; /* if Skipjack is not the bulk
475	algorithm used on the message,
476	and the size of the bulk encryption
477	key is not the same as that of
478	originatorKEAKey (due to padding
479	perhaps), this field will contain
480	the real size of the bulk encryption
481	key. */
482	};
483
484	/*
485	* *****************************************************************************
486	* *****************************************************************************
487	* *****************************************************************************
488	*/
489
490	/*
491	* See comment above about this type not really belonging to CMS.
492	*/
493	struct SecCmsAttributeStr {
494	/* The following fields make up an encoded Attribute: */
495	CSSM_DATA type;
496	CSSM_DATA_PTR * values; /* data may or may not be encoded */
497	/* The following fields are not part of an encoded Attribute: */
498	SECOidData * typeTag;
499	Boolean encoded; /* when true, values are encoded */
500	};
501
502
503	#endif /* _CMSTPRIV_H_ */