]> git.saurik.com Git - apple/security.git/blob - OSX/include/security_smime/cmsutil.c
Security-57336.1.9.tar.gz
[apple/security.git] / OSX / include / security_smime / cmsutil.c
1 /*
2 * The contents of this file are subject to the Mozilla Public
3 * License Version 1.1 (the "License"); you may not use this file
4 * except in compliance with the License. You may obtain a copy of
5 * the License at http://www.mozilla.org/MPL/
6 *
7 * Software distributed under the License is distributed on an "AS
8 * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
9 * implied. See the License for the specific language governing
10 * rights and limitations under the License.
11 *
12 * The Original Code is the Netscape security libraries.
13 *
14 * The Initial Developer of the Original Code is Netscape
15 * Communications Corporation. Portions created by Netscape are
16 * Copyright (C) 1994-2000 Netscape Communications Corporation. All
17 * Rights Reserved.
18 *
19 * Contributor(s):
20 *
21 * Alternatively, the contents of this file may be used under the
22 * terms of the GNU General Public License Version 2 or later (the
23 * "GPL"), in which case the provisions of the GPL are applicable
24 * instead of those above. If you wish to allow use of your
25 * version of this file only under the terms of the GPL and not to
26 * allow others to use your version of this file under the MPL,
27 * indicate your decision by deleting the provisions above and
28 * replace them with the notice and other provisions required by
29 * the GPL. If you do not delete the provisions above, a recipient
30 * may use your version of this file under either the MPL or the
31 * GPL.
32 */
33
34 /*
35 * CMS miscellaneous utility functions.
36 */
37
38 #include <Security/SecCmsEncoder.h> /* @@@ Remove this when we move the Encoder method. */
39 #include <Security/SecCmsSignerInfo.h>
40 #include "cmslocal.h"
41
42 #include "secitem.h"
43 #include "secoid.h"
44 #include "cryptohi.h"
45
46 #include <security_asn1/secasn1.h>
47 #include <security_asn1/secerr.h>
48 #include <Security/cssmapi.h>
49 #include <Security/cssmapple.h>
50 #include <CoreServices/../Frameworks/CarbonCore.framework/Headers/MacErrors.h>
51
52
53 /*
54 * SecCmsArraySortByDER - sort array of objects by objects' DER encoding
55 *
56 * make sure that the order of the objects guarantees valid DER (which must be
57 * in lexigraphically ascending order for a SET OF); if reordering is necessary it
58 * will be done in place (in objs).
59 */
60 OSStatus
61 SecCmsArraySortByDER(void **objs, const SecAsn1Template *objtemplate, void **objs2)
62 {
63 PRArenaPool *poolp;
64 int num_objs;
65 CSSM_DATA_PTR *enc_objs;
66 OSStatus rv = SECFailure;
67 int i;
68
69 if (objs == NULL) /* already sorted */
70 return SECSuccess;
71
72 num_objs = SecCmsArrayCount((void **)objs);
73 if (num_objs == 0 || num_objs == 1) /* already sorted. */
74 return SECSuccess;
75
76 poolp = PORT_NewArena (1024); /* arena for temporaries */
77 if (poolp == NULL)
78 return SECFailure; /* no memory; nothing we can do... */
79
80 /*
81 * Allocate arrays to hold the individual encodings which we will use
82 * for comparisons and the reordered attributes as they are sorted.
83 */
84 // Security check to prevent under-allocation
85 if (num_objs<0 || num_objs>=(int)((INT_MAX/sizeof(CSSM_DATA_PTR))-1)) {
86 goto loser;
87 }
88 enc_objs = (CSSM_DATA_PTR *)PORT_ArenaZAlloc(poolp, (num_objs + 1) * sizeof(CSSM_DATA_PTR));
89 if (enc_objs == NULL)
90 goto loser;
91
92 /* DER encode each individual object. */
93 for (i = 0; i < num_objs; i++) {
94 enc_objs[i] = SEC_ASN1EncodeItem(poolp, NULL, objs[i], objtemplate);
95 if (enc_objs[i] == NULL)
96 goto loser;
97 }
98 enc_objs[num_objs] = NULL;
99
100 /* now compare and sort objs by the order of enc_objs */
101 SecCmsArraySort((void **)enc_objs, SecCmsUtilDERCompare, objs, objs2);
102
103 rv = SECSuccess;
104
105 loser:
106 PORT_FreeArena (poolp, PR_FALSE);
107 return rv;
108 }
109
110 /*
111 * SecCmsUtilDERCompare - for use with SecCmsArraySort to
112 * sort arrays of CSSM_DATAs containing DER
113 */
114 int
115 SecCmsUtilDERCompare(void *a, void *b)
116 {
117 CSSM_DATA_PTR der1 = (CSSM_DATA_PTR)a;
118 CSSM_DATA_PTR der2 = (CSSM_DATA_PTR)b;
119 int j;
120
121 /*
122 * Find the lowest (lexigraphically) encoding. One that is
123 * shorter than all the rest is known to be "less" because each
124 * attribute is of the same type (a SEQUENCE) and so thus the
125 * first octet of each is the same, and the second octet is
126 * the length (or the length of the length with the high bit
127 * set, followed by the length, which also works out to always
128 * order the shorter first). Two (or more) that have the
129 * same length need to be compared byte by byte until a mismatch
130 * is found.
131 */
132 if (der1->Length != der2->Length)
133 return (der1->Length < der2->Length) ? -1 : 1;
134
135 for (j = 0; j < der1->Length; j++) {
136 if (der1->Data[j] == der2->Data[j])
137 continue;
138 return (der1->Data[j] < der2->Data[j]) ? -1 : 1;
139 }
140 return 0;
141 }
142
143 /*
144 * SecCmsAlgArrayGetIndexByAlgID - find a specific algorithm in an array of
145 * algorithms.
146 *
147 * algorithmArray - array of algorithm IDs
148 * algid - algorithmid of algorithm to pick
149 *
150 * Returns:
151 * An integer containing the index of the algorithm in the array or -1 if
152 * algorithm was not found.
153 */
154 int
155 SecCmsAlgArrayGetIndexByAlgID(SECAlgorithmID **algorithmArray, SECAlgorithmID *algid)
156 {
157 int i;
158
159 if (algorithmArray == NULL || algorithmArray[0] == NULL)
160 return -1;
161
162 for (i = 0; algorithmArray[i] != NULL; i++) {
163 if (SECOID_CompareAlgorithmID(algorithmArray[i], algid) == SECEqual)
164 break; /* bingo */
165 }
166
167 if (algorithmArray[i] == NULL)
168 return -1; /* not found */
169
170 return i;
171 }
172
173 /*
174 * SecCmsAlgArrayGetIndexByAlgTag - find a specific algorithm in an array of
175 * algorithms.
176 *
177 * algorithmArray - array of algorithm IDs
178 * algtag - algorithm tag of algorithm to pick
179 *
180 * Returns:
181 * An integer containing the index of the algorithm in the array or -1 if
182 * algorithm was not found.
183 */
184 int
185 SecCmsAlgArrayGetIndexByAlgTag(SECAlgorithmID **algorithmArray,
186 SECOidTag algtag)
187 {
188 SECOidData *algid;
189 int i = -1;
190
191 if (algorithmArray == NULL || algorithmArray[0] == NULL)
192 return i;
193
194 #ifdef ORDER_N_SQUARED
195 for (i = 0; algorithmArray[i] != NULL; i++) {
196 algid = SECOID_FindOID(&(algorithmArray[i]->algorithm));
197 if (algid->offset == algtag)
198 break; /* bingo */
199 }
200 #else
201 algid = SECOID_FindOIDByTag(algtag);
202 if (!algid)
203 return i;
204 for (i = 0; algorithmArray[i] != NULL; i++) {
205 if (SECITEM_ItemsAreEqual(&algorithmArray[i]->algorithm, &algid->oid))
206 break; /* bingo */
207 }
208 #endif
209
210 if (algorithmArray[i] == NULL)
211 return -1; /* not found */
212
213 return i;
214 }
215
216 CSSM_CC_HANDLE
217 SecCmsUtilGetHashObjByAlgID(SECAlgorithmID *algid)
218 {
219 SECOidData *oidData = SECOID_FindOID(&(algid->algorithm));
220 if (oidData)
221 {
222 CSSM_ALGORITHMS alg = oidData->cssmAlgorithm;
223 if (alg)
224 {
225 CSSM_CC_HANDLE digobj;
226 CSSM_CSP_HANDLE cspHandle = SecCspHandleForAlgorithm(alg);
227
228 if (!CSSM_CSP_CreateDigestContext(cspHandle, alg, &digobj))
229 return digobj;
230 }
231 }
232
233 return 0;
234 }
235
236 /*
237 * XXX I would *really* like to not have to do this, but the current
238 * signing interface gives me little choice.
239 */
240 SECOidTag
241 SecCmsUtilMakeSignatureAlgorithm(SECOidTag hashalg, SECOidTag encalg)
242 {
243 switch (encalg) {
244 case SEC_OID_PKCS1_RSA_ENCRYPTION:
245 switch (hashalg) {
246 case SEC_OID_MD2:
247 return SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION;
248 case SEC_OID_MD5:
249 return SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION;
250 case SEC_OID_SHA1:
251 return SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION;
252 case SEC_OID_SHA256:
253 return SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION;
254 case SEC_OID_SHA384:
255 return SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION;
256 case SEC_OID_SHA512:
257 return SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION;
258 default:
259 return SEC_OID_UNKNOWN;
260 }
261 case SEC_OID_ANSIX9_DSA_SIGNATURE:
262 case SEC_OID_MISSI_KEA_DSS:
263 case SEC_OID_MISSI_DSS:
264 switch (hashalg) {
265 case SEC_OID_SHA1:
266 return SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST;
267 default:
268 return SEC_OID_UNKNOWN;
269 }
270 case SEC_OID_EC_PUBLIC_KEY:
271 switch(hashalg) {
272 /*
273 * Note this is only used when signing and verifying signed attributes,
274 * In which case we really do want the combined ECDSA_WithSHA1 alg...
275 */
276 case SEC_OID_SHA1:
277 return SEC_OID_ECDSA_WithSHA1;
278 default:
279 return SEC_OID_UNKNOWN;
280 }
281 default:
282 break;
283 }
284
285 return encalg; /* maybe it is already the right algid */
286 }
287
288 const SecAsn1Template *
289 SecCmsUtilGetTemplateByTypeTag(SECOidTag type)
290 {
291 const SecAsn1Template *template;
292 extern const SecAsn1Template SecCmsSignedDataTemplate[];
293 extern const SecAsn1Template SecCmsEnvelopedDataTemplate[];
294 extern const SecAsn1Template SecCmsEncryptedDataTemplate[];
295 extern const SecAsn1Template SecCmsDigestedDataTemplate[];
296
297 switch (type) {
298 case SEC_OID_PKCS7_SIGNED_DATA:
299 template = SecCmsSignedDataTemplate;
300 break;
301 case SEC_OID_PKCS7_ENVELOPED_DATA:
302 template = SecCmsEnvelopedDataTemplate;
303 break;
304 case SEC_OID_PKCS7_ENCRYPTED_DATA:
305 template = SecCmsEncryptedDataTemplate;
306 break;
307 case SEC_OID_PKCS7_DIGESTED_DATA:
308 template = SecCmsDigestedDataTemplate;
309 break;
310 default:
311 case SEC_OID_PKCS7_DATA:
312 case SEC_OID_OTHER:
313 template = NULL;
314 break;
315 }
316 return template;
317 }
318
319 size_t
320 SecCmsUtilGetSizeByTypeTag(SECOidTag type)
321 {
322 size_t size;
323
324 switch (type) {
325 case SEC_OID_PKCS7_SIGNED_DATA:
326 size = sizeof(SecCmsSignedData);
327 break;
328 case SEC_OID_PKCS7_ENVELOPED_DATA:
329 size = sizeof(SecCmsEnvelopedData);
330 break;
331 case SEC_OID_PKCS7_ENCRYPTED_DATA:
332 size = sizeof(SecCmsEncryptedData);
333 break;
334 case SEC_OID_PKCS7_DIGESTED_DATA:
335 size = sizeof(SecCmsDigestedData);
336 break;
337 default:
338 case SEC_OID_PKCS7_DATA:
339 size = 0;
340 break;
341 }
342 return size;
343 }
344
345 SecCmsContentInfoRef
346 SecCmsContentGetContentInfo(void *msg, SECOidTag type)
347 {
348 SecCmsContent c;
349 SecCmsContentInfoRef cinfo;
350
351 if (!msg)
352 return NULL;
353 c.pointer = msg;
354 switch (type) {
355 case SEC_OID_PKCS7_SIGNED_DATA:
356 cinfo = &(c.signedData->contentInfo);
357 break;
358 case SEC_OID_PKCS7_ENVELOPED_DATA:
359 cinfo = &(c.envelopedData->contentInfo);
360 break;
361 case SEC_OID_PKCS7_ENCRYPTED_DATA:
362 cinfo = &(c.encryptedData->contentInfo);
363 break;
364 case SEC_OID_PKCS7_DIGESTED_DATA:
365 cinfo = &(c.digestedData->contentInfo);
366 break;
367 default:
368 cinfo = NULL;
369 }
370 return cinfo;
371 }
372
373 // @@@ Return CFStringRef and do localization.
374 const char *
375 SecCmsUtilVerificationStatusToString(SecCmsVerificationStatus vs)
376 {
377 switch (vs) {
378 case SecCmsVSUnverified: return "Unverified";
379 case SecCmsVSGoodSignature: return "GoodSignature";
380 case SecCmsVSBadSignature: return "BadSignature";
381 case SecCmsVSDigestMismatch: return "DigestMismatch";
382 case SecCmsVSSigningCertNotFound: return "SigningCertNotFound";
383 case SecCmsVSSigningCertNotTrusted: return "SigningCertNotTrusted";
384 case SecCmsVSSignatureAlgorithmUnknown: return "SignatureAlgorithmUnknown";
385 case SecCmsVSSignatureAlgorithmUnsupported: return "SignatureAlgorithmUnsupported";
386 case SecCmsVSMalformedSignature: return "MalformedSignature";
387 case SecCmsVSProcessingError: return "ProcessingError";
388 default: return "Unknown";
389 }
390 }
391
392 OSStatus
393 SecArenaPoolCreate(size_t chunksize, SecArenaPoolRef *outArena)
394 {
395 OSStatus status;
396
397 if (!outArena) {
398 status = paramErr;
399 goto loser;
400 }
401
402 *outArena = (SecArenaPoolRef)PORT_NewArena(chunksize);
403 if (*outArena)
404 status = 0;
405 else
406 status = PORT_GetError();
407
408 loser:
409 return status;
410 }
411
412 void
413 SecArenaPoolFree(SecArenaPoolRef arena, Boolean zero)
414 {
415 PORT_FreeArena((PLArenaPool *)arena, zero);
416 }