]> git.saurik.com Git - apple/security.git/blob - OSX/sec/Security/SecCMS.c
Security-59306.11.20.tar.gz
[apple/security.git] / OSX / sec / Security / SecCMS.c
1 /*
2 * Copyright (c) 2008-2010,2012-2014 Apple Inc. All Rights Reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 *
23 */
24
25 /*
26 * signed_data.c
27 * Security
28 *
29 *
30 */
31 #include <AssertMacros.h>
32
33 #include <TargetConditionals.h>
34 #if TARGET_OS_OSX
35 #define ENABLE_CMS 0
36 #else
37 #define ENABLE_CMS 1
38 #endif
39
40 #if ENABLE_CMS
41 #include <Security/SecBase.h>
42 #include <Security/SecCmsMessage.h>
43 #include <Security/SecCmsSignedData.h>
44 #include <Security/SecCmsEnvelopedData.h>
45 #include <Security/SecCmsContentInfo.h>
46 #include <Security/SecCmsSignerInfo.h>
47 #include <Security/SecCmsRecipientInfo.h>
48 #include <Security/SecCmsEncoder.h>
49 #include <Security/SecCmsDecoder.h>
50 #include <Security/SecCmsDigestContext.h>
51 #include <Security/cmstpriv.h>
52
53 #include <CoreFoundation/CFData.h>
54
55 #include <Security/SecInternal.h>
56 #include <Security/SecBasePriv.h>
57 #include <Security/SecCertificatePriv.h>
58
59 #include <Security/SecCMS.h>
60 #include <Security/SecTrustPriv.h>
61
62
63 #include <security_asn1/secasn1.h>
64 #include <security_asn1/secerr.h>
65 #include <security_asn1/secport.h>
66 #include <Security/SecAsn1Item.h>
67 #include <security_smime/secoid.h>
68 #include <security_smime/cmslocal.h>
69
70
71 CFTypeRef kSecCMSSignDigest = CFSTR("kSecCMSSignDigest");
72 CFTypeRef kSecCMSSignDetached = CFSTR("kSecCMSSignDetached");
73 CFTypeRef kSecCMSCertChainMode = CFSTR("kSecCMSCertChainMode");
74 CFTypeRef kSecCMSCertChainModeNone = CFSTR("0");
75 CFTypeRef kSecCMSAdditionalCerts = CFSTR("kSecCMSAdditionalCerts");
76 CFTypeRef kSecCMSSignedAttributes = CFSTR("kSecCMSSignedAttributes");
77 CFTypeRef kSecCMSSignDate = CFSTR("kSecCMSSignDate");
78 CFTypeRef kSecCMSAllCerts = CFSTR("kSecCMSAllCerts");
79 CFTypeRef kSecCMSHashAgility = CFSTR("kSecCMSHashAgility");
80 CFTypeRef kSecCMSHashAgilityV2 = CFSTR("kSecCMSHashAgilityV2");
81 CFTypeRef kSecCMSExpirationDate = CFSTR("kSecCMSExpirationDate");
82
83 CFTypeRef kSecCMSBulkEncryptionAlgorithm = CFSTR("kSecCMSBulkEncryptionAlgorithm");
84 CFTypeRef kSecCMSEncryptionAlgorithmDESCBC = CFSTR("kSecCMSEncryptionAlgorithmDESCBC");
85 CFTypeRef kSecCMSEncryptionAlgorithmAESCBC = CFSTR("kSecCMSEncryptionAlgorithmAESCBC");
86
87 CFTypeRef kSecCMSSignHashAlgorithm = CFSTR("kSecCMSSignHashAlgorithm");
88 CFTypeRef kSecCMSHashingAlgorithmMD5 = CFSTR("kSecCMSHashingAlgorithmMD5");
89 CFTypeRef kSecCMSHashingAlgorithmSHA1 = CFSTR("kSecCMSHashingAlgorithmSHA1");
90 CFTypeRef kSecCMSHashingAlgorithmSHA256 = CFSTR("kSecCMSHashingAlgorithmSHA256");
91 CFTypeRef kSecCMSHashingAlgorithmSHA384 = CFSTR("kSecCMSHashingAlgorithmSHA384");
92 CFTypeRef kSecCMSHashingAlgorithmSHA512 = CFSTR("kSecCMSHashingAlgorithmSHA512");
93
94 OSStatus SecCMSCreateEnvelopedData(CFTypeRef recipient_or_cfarray_thereof,
95 CFDictionaryRef params, CFDataRef data, CFMutableDataRef enveloped_data)
96 {
97 SecCmsMessageRef cmsg = NULL;
98 SecCmsContentInfoRef cinfo;
99 SecCmsEnvelopedDataRef envd = NULL;
100 SECOidTag algorithmTag = SEC_OID_DES_EDE3_CBC;
101 int keySize = 192;
102 OSStatus status = errSecParam;
103
104 if (params) {
105 CFStringRef algorithm_name = CFDictionaryGetValue(params, kSecCMSBulkEncryptionAlgorithm);
106 if (algorithm_name) {
107 if (CFEqual(kSecCMSEncryptionAlgorithmDESCBC, algorithm_name)) {
108 algorithmTag = SEC_OID_DES_CBC;
109 keySize = 64;
110 } else if (CFEqual(kSecCMSEncryptionAlgorithmAESCBC, algorithm_name)) {
111 algorithmTag = SEC_OID_AES_128_CBC;
112 keySize = 128;
113 }
114 }
115 }
116
117 require(cmsg = SecCmsMessageCreate(), out);
118 require(envd = SecCmsEnvelopedDataCreate(cmsg, algorithmTag, keySize), out);
119 require(cinfo = SecCmsMessageGetContentInfo(cmsg), out);
120 require_noerr(SecCmsContentInfoSetContentEnvelopedData(cinfo, envd), out);
121 require(cinfo = SecCmsEnvelopedDataGetContentInfo(envd), out);
122 require_noerr(SecCmsContentInfoSetContentData(cinfo, NULL, false), out);
123 // == wrapper of: require(SECSuccess == SecCmsContentInfoSetContent(cinfo, SEC_OID_PKCS7_DATA, NULL), out);
124
125 if (CFGetTypeID(recipient_or_cfarray_thereof) == CFArrayGetTypeID()) {
126 CFIndex dex, numCerts = CFArrayGetCount(recipient_or_cfarray_thereof);
127 for(dex=0; dex<numCerts; dex++) {
128 SecCertificateRef recip =
129 (SecCertificateRef)CFArrayGetValueAtIndex(recipient_or_cfarray_thereof, dex);
130 SecCmsRecipientInfoRef rinfo;
131 require(rinfo = SecCmsRecipientInfoCreate(envd, recip), out);
132 }
133 } else if (CFGetTypeID(recipient_or_cfarray_thereof) == SecCertificateGetTypeID()) {
134 require(SecCmsRecipientInfoCreate(envd, (SecCertificateRef)recipient_or_cfarray_thereof), out);
135 } else
136 goto out;
137
138 SecAsn1Item input = {};
139 if (data) {
140 input.Length = CFDataGetLength(data);
141 input.Data = (uint8_t*)CFDataGetBytePtr(data);
142 }
143 require_noerr(SecCmsMessageEncode(cmsg, (data && input.Length) ? &input : NULL, enveloped_data), out);
144
145 status = errSecSuccess;
146 out:
147 if (cmsg) SecCmsMessageDestroy(cmsg);
148 return status;
149 }
150
151 OSStatus SecCMSDecryptEnvelopedData(CFDataRef message,
152 CFMutableDataRef data, SecCertificateRef *recipient)
153 {
154 SecCmsMessageRef cmsg = NULL;
155 SecCmsContentInfoRef cinfo;
156 SecCmsEnvelopedDataRef envd = NULL;
157 SecCertificateRef used_recipient = NULL;
158 OSStatus status = errSecParam;
159
160 SecAsn1Item encoded_message = { CFDataGetLength(message), (uint8_t*)CFDataGetBytePtr(message) };
161 require_noerr_action_quiet(SecCmsMessageDecode(&encoded_message, NULL, NULL, NULL, NULL, NULL, NULL, &cmsg),
162 out, status = errSecDecode);
163 require_quiet(cinfo = SecCmsMessageContentLevel(cmsg, 0), out);
164 require_quiet(SecCmsContentInfoGetContentTypeTag(cinfo) == SEC_OID_PKCS7_ENVELOPED_DATA, out);
165 require_quiet(envd = (SecCmsEnvelopedDataRef)SecCmsContentInfoGetContent(cinfo), out);
166 SecCmsRecipientInfoRef *rinfo = envd->recipientInfos;
167 while (!used_recipient && *rinfo) {
168 used_recipient = (*rinfo)->cert;
169 rinfo++;
170 }
171 require_quiet(2 == SecCmsMessageContentLevelCount(cmsg), out);
172 require_quiet(cinfo = SecCmsMessageContentLevel(cmsg, 1), out);
173 require_quiet(SecCmsContentInfoGetContentTypeTag(cinfo) == SEC_OID_PKCS7_DATA, out);
174 const SecAsn1Item *content = SecCmsMessageGetContent(cmsg);
175 if (content)
176 CFDataAppendBytes(data, content->Data, content->Length);
177 if (recipient) {
178 CFRetainSafe(used_recipient);
179 *recipient = used_recipient;
180 }
181 status = errSecSuccess;
182 out:
183 if (cmsg) SecCmsMessageDestroy(cmsg);
184 return status;
185 }
186
187 static SecCmsAttribute *
188 make_attr(PLArenaPool *poolp, SecAsn1Item *type, SecAsn1Item *value, bool encoded)
189 {
190 SecAsn1Item * copiedvalue;
191 SecCmsAttribute *attr = (SecCmsAttribute *)PORT_ArenaZAlloc(poolp, sizeof(SecCmsAttribute));
192 if (attr == NULL)
193 goto loser;
194
195 if (SECITEM_CopyItem(poolp, &(attr->type), type) != SECSuccess)
196 goto loser;
197
198 if (value != NULL) {
199 if ((copiedvalue = SECITEM_AllocItem(poolp, NULL, value->Length)) == NULL)
200 goto loser;
201
202 if (SECITEM_CopyItem(poolp, copiedvalue, value) != SECSuccess)
203 goto loser;
204
205 if (SecCmsArrayAdd(poolp, (void ***)&(attr->values), (void *)copiedvalue) != SECSuccess)
206 goto loser;
207 }
208
209 attr->encoded = encoded;
210
211 loser:
212 return attr;
213 }
214
215 static void
216 signerinfo_add_auth_attr(SecCmsSignerInfoRef signerinfo, /*SECOidTag oidtag*/
217 SecAsn1Item *oid, SecAsn1Item *value, bool encoded)
218 {
219 PLArenaPool *poolp = signerinfo->signedData->contentInfo.cmsg->poolp;
220 PORT_Assert (poolp != NULL);
221 void *mark = PORT_ArenaMark (poolp);
222
223 SecCmsAttribute *attr = make_attr(poolp, oid, value, encoded);
224 if (!attr || SecCmsAttributeArrayAddAttr(poolp, &(signerinfo->authAttr), attr) != SECSuccess)
225 goto loser;
226
227 PORT_ArenaUnmark (poolp, mark);
228 return;
229
230 loser:
231 PORT_Assert (mark != NULL);
232 PORT_ArenaRelease (poolp, mark);
233 return;
234 }
235
236 static void sign_all_attributes(const void *key, const void *value, void *context)
237 {
238 SecAsn1Item oid = { CFDataGetLength(key), (uint8_t*)CFDataGetBytePtr(key) },
239 oid_value = { CFDataGetLength(value), (uint8_t*)CFDataGetBytePtr(value) };
240
241 signerinfo_add_auth_attr((SecCmsSignerInfoRef)context, &oid, &oid_value, true);
242 }
243
244 #if 0
245 static void enveloped_data_add_unprotected_attr(SecCmsEnvelopedDataRef envd,
246 SecAsn1Item *oid, SecAsn1Item *value, bool encoded)
247 {
248 PLArenaPool *poolp = envd->contentInfo.cmsg->poolp;
249 PORT_Assert (poolp != NULL);
250 void *mark = PORT_ArenaMark (poolp);
251 SecCmsAttribute *attr = make_attr(poolp, oid, value, encoded);
252
253 if (!attr || SecCmsAttributeArrayAddAttr(
254 poolp,
255 &(envd->unprotectedAttr), attr) != SECSuccess)
256 goto loser;
257
258 PORT_ArenaUnmark (poolp, mark);
259 return;
260
261 loser:
262 PORT_Assert (mark != NULL);
263 PORT_ArenaRelease (poolp, mark);
264 return;
265
266 }
267 #endif
268
269 static OSStatus SecCMSSignDataOrDigestAndAttributes(SecIdentityRef identity,
270 CFDataRef data, bool detached, bool data_is_digest, SECOidTag sign_algorithm,
271 CFMutableDataRef signed_data, CFDictionaryRef signed_attributes, SecCmsCertChainMode chainMode, CFArrayRef additional_certs)
272 {
273 SecCmsMessageRef cmsg = NULL;
274 SecCmsContentInfoRef cinfo;
275 SecCmsSignedDataRef sigd = NULL;
276 SecCmsSignerInfoRef signerinfo;
277 OSStatus status = errSecParam;
278
279 require(!data_is_digest || detached /* if digest, must be detached */, out);
280
281 require(cmsg = SecCmsMessageCreate(), out);
282 require(sigd = SecCmsSignedDataCreate(cmsg), out);
283 require(cinfo = SecCmsMessageGetContentInfo(cmsg), out);
284 require_noerr(SecCmsContentInfoSetContentSignedData(cinfo, sigd), out);
285 require(cinfo = SecCmsSignedDataGetContentInfo(sigd), out);
286 require_noerr(SecCmsContentInfoSetContentData(cinfo, NULL, detached), out);
287 require(signerinfo = SecCmsSignerInfoCreate(sigd, identity, sign_algorithm), out);
288 if (additional_certs)
289 require_noerr(SecCmsSignedDataAddCertList(sigd, additional_certs), out);
290 require_noerr(SecCmsSignerInfoIncludeCerts(signerinfo, chainMode, certUsageAnyCA), out);
291 require_noerr(SecCmsSignerInfoAddSigningTime(signerinfo, CFAbsoluteTimeGetCurrent()), out);
292
293 if (signed_attributes)
294 CFDictionaryApplyFunction(signed_attributes, sign_all_attributes, signerinfo);
295
296 SecAsn1Item input = {};
297 if (data) {
298 input.Length = CFDataGetLength(data);
299 input.Data = (uint8_t*)CFDataGetBytePtr(data);
300 }
301 if (data_is_digest) {
302 require_noerr(SecCmsSignedDataSetDigestValue(sigd, sign_algorithm, &input), out);
303 require_noerr(SecCmsMessageEncode(cmsg, NULL, signed_data), out);
304 }
305 else
306 require_noerr(SecCmsMessageEncode(cmsg, (data && input.Length) ? &input : NULL, signed_data), out);
307
308 status = errSecSuccess;
309 out:
310 if (cmsg) SecCmsMessageDestroy(cmsg);
311 return status;
312 }
313
314 OSStatus SecCMSSignDataAndAttributes(SecIdentityRef identity, CFDataRef data, bool detached,
315 CFMutableDataRef signed_data, CFDictionaryRef signed_attributes)
316 {
317 return SecCMSSignDataOrDigestAndAttributes(identity, data, detached, false, SEC_OID_SHA1,
318 signed_data, signed_attributes, SecCmsCMCertChain, NULL);
319 }
320
321 OSStatus SecCMSSignDigestAndAttributes(SecIdentityRef identity, CFDataRef digest,
322 CFMutableDataRef signed_data, CFDictionaryRef signed_attributes)
323 {
324 return SecCMSSignDataOrDigestAndAttributes(identity, digest, true, true, SEC_OID_SHA1,
325 signed_data, signed_attributes, SecCmsCMCertChain, NULL);
326 }
327
328
329 OSStatus SecCMSCreateSignedData(SecIdentityRef identity, CFDataRef data,
330 CFDictionaryRef parameters, CFDictionaryRef signed_attributes,
331 CFMutableDataRef signed_data)
332 {
333 bool is_digest = false, is_detached = false;
334 CFStringRef algorithm_name = NULL;
335 SecCmsCertChainMode chain_mode = SecCmsCMCertChain;
336 CFArrayRef additional_certs = NULL;
337
338 if (parameters) {
339 is_digest = CFDictionaryGetValueIfPresent(parameters,
340 kSecCMSSignDigest, NULL);
341 is_detached = CFDictionaryGetValueIfPresent(parameters,
342 kSecCMSSignDetached, NULL);
343 algorithm_name = CFDictionaryGetValue(parameters,
344 kSecCMSSignHashAlgorithm);
345
346 CFTypeRef chain_mode_param = CFDictionaryGetValue(parameters, kSecCMSCertChainMode);
347 if (chain_mode_param && (CFGetTypeID(chain_mode_param) == CFStringGetTypeID()))
348 chain_mode = CFStringGetIntValue(chain_mode_param);
349
350 CFTypeRef additional_certs_param = CFDictionaryGetValue(parameters, kSecCMSAdditionalCerts);
351 if (additional_certs_param && (CFGetTypeID(additional_certs_param) == CFArrayGetTypeID()))
352 additional_certs = (CFArrayRef)additional_certs_param;
353 }
354
355 SECOidTag algorithm = SEC_OID_SHA1;
356 if (algorithm_name) {
357 if (CFEqual(kSecCMSHashingAlgorithmSHA1, algorithm_name)) {
358 algorithm = SEC_OID_SHA1;
359 } else if (CFEqual(kSecCMSHashingAlgorithmSHA256, algorithm_name)) {
360 algorithm = SEC_OID_SHA256;
361 } else if (CFEqual(kSecCMSHashingAlgorithmSHA384, algorithm_name)) {
362 algorithm = SEC_OID_SHA384;
363 } else if (CFEqual(kSecCMSHashingAlgorithmSHA512, algorithm_name)) {
364 algorithm = SEC_OID_SHA512;
365 } else {
366 return errSecParam;
367 }
368 }
369
370 return SecCMSSignDataOrDigestAndAttributes(identity, data,
371 is_detached, is_digest, algorithm,
372 signed_data, signed_attributes, chain_mode, additional_certs);
373 }
374
375
376 static CFMutableArrayRef copy_signed_attribute_values(SecCmsAttribute *attr)
377 {
378 CFMutableArrayRef array = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks);
379 SecAsn1Item **item = attr->values;
380 if (item) while (*item) {
381 CFDataRef asn1data = CFDataCreate(kCFAllocatorDefault, (*item)->Data, (*item)->Length);
382 if (asn1data) {
383 CFArrayAppendValue(array, asn1data);
384 CFRelease(asn1data);
385 }
386 item++;
387 }
388 return array;
389 }
390
391 static OSStatus SecCMSVerifySignedData_internal(CFDataRef message, CFDataRef detached_contents,
392 CFTypeRef policy, SecTrustRef *trustref, CFArrayRef additional_certs,
393 CFDataRef *attached_contents, CFDictionaryRef *signed_attributes)
394 {
395 SecCmsMessageRef cmsg = NULL;
396 SecCmsContentInfoRef cinfo;
397 SecCmsSignedDataRef sigd = NULL;
398 OSStatus status = errSecParam;
399
400 require(message, out);
401 SecAsn1Item encoded_message = { CFDataGetLength(message), (uint8_t*)CFDataGetBytePtr(message) };
402 require_noerr_action_quiet(SecCmsMessageDecode(&encoded_message, NULL, NULL, NULL, NULL, NULL, NULL, &cmsg),
403 out, status = errSecDecode);
404 /* expected to be a signed data message at the top level */
405 require_quiet(cinfo = SecCmsMessageContentLevel(cmsg, 0), out);
406 require_quiet(SecCmsContentInfoGetContentTypeTag(cinfo) == SEC_OID_PKCS7_SIGNED_DATA, out);
407 require_quiet(sigd = (SecCmsSignedDataRef)SecCmsContentInfoGetContent(cinfo), out);
408
409 if (detached_contents)
410 {
411 require_quiet(!SecCmsSignedDataHasDigests(sigd), out);
412 SECAlgorithmID **digestalgs = SecCmsSignedDataGetDigestAlgs(sigd);
413 SecCmsDigestContextRef digcx = SecCmsDigestContextStartMultiple(digestalgs);
414 SecCmsDigestContextUpdate(digcx, CFDataGetBytePtr(detached_contents), CFDataGetLength(detached_contents));
415 SecCmsSignedDataSetDigestContext(sigd, digcx);
416 SecCmsDigestContextDestroy(digcx);
417 }
418
419 if (additional_certs)
420 require_noerr_quiet(SecCmsSignedDataAddCertList(sigd, additional_certs), out);
421
422 if (policy) { /* if no policy is given skip verification */
423 /* find out about signers */
424 int nsigners = SecCmsSignedDataSignerInfoCount(sigd);
425 require_quiet(nsigners == 1, out);
426 require_noerr_action_quiet(SecCmsSignedDataVerifySignerInfo(sigd, 0, NULL, policy, trustref),
427 out, status = errSecAuthFailed);
428 }
429
430 #if 0
431 if (nsigners > 1)
432 trustrefs = CFArrayCreateMutable(kCFAllocatorDefault, nsigners, &kCFTypeArrayCallBacks);
433
434 int j;
435 for (j = 0; j < nsigners; j++)
436 {
437 SecTrustRef trustRef;
438 require_noerr_action_quiet(SecCmsSignedDataVerifySignerInfo(sigd, j, NULL, policy, &trustRef),
439 out, status = errSecAuthFailed);
440 if ((j == 0) && (nsigners == 1))
441 *trustref_or_cfarray_thereof = trustRef;
442 else {
443 CFArrayAppendValue(trustrefs, trustRef);
444 CFRelease(trustRef);
445 }
446 }
447 *trustref_or_cfarray_thereof = trustrefs;
448 trustrefs = NULL;
449 #endif
450
451 status = errSecSuccess;
452
453 if (attached_contents) {
454 const SecAsn1Item *content = SecCmsMessageGetContent(cmsg);
455 if (content)
456 *attached_contents = CFDataCreate(kCFAllocatorDefault, content->Data, content->Length);
457 else
458 *attached_contents = NULL;
459 }
460
461 if (signed_attributes) {
462 CFMutableDictionaryRef attrs = CFDictionaryCreateMutable(kCFAllocatorDefault,
463 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
464 require_quiet(attrs, out);
465 SecCmsAttribute **signed_attrs = sigd->signerInfos[0]->authAttr;
466 if (signed_attrs) while (*signed_attrs) {
467 CFDataRef type = CFDataCreate(kCFAllocatorDefault, (*signed_attrs)->type.Data, (*signed_attrs)->type.Length);
468 if (type) {
469 CFMutableArrayRef attr = copy_signed_attribute_values(*signed_attrs);
470 if (attr) {
471 CFMutableArrayRef existing_attrs = (CFMutableArrayRef)CFDictionaryGetValue(attrs, type);
472 if (existing_attrs) {
473 CFIndex count = CFArrayGetCount(attr);
474 if (count)
475 CFArrayAppendArray(existing_attrs, attr, CFRangeMake(0, count));
476 } else
477 CFDictionarySetValue(attrs, type, attr);
478 CFRelease(attr);
479 }
480 CFRelease(type);
481 }
482 signed_attrs++;
483 }
484 CFMutableArrayRef certs = NULL;
485
486 SecAsn1Item **cert_datas = SecCmsSignedDataGetCertificateList(sigd);
487 certs = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks);
488 SecAsn1Item *cert_data;
489 if (cert_datas) while ((cert_data = *cert_datas) != NULL) {
490 SecCertificateRef cert = SecCertificateCreateWithBytes(NULL, cert_data->Data, cert_data->Length);
491 if (cert) {
492 CFArrayAppendValue(certs, cert);
493 CFRelease(cert);
494 }
495 cert_datas++;
496 }
497
498 CFDictionaryAddValue(attrs, kSecCMSAllCerts, certs);
499
500 /* Add "cooked" values separately */
501 CFAbsoluteTime signing_time;
502 if (errSecSuccess == SecCmsSignerInfoGetSigningTime(sigd->signerInfos[0], &signing_time)) {
503 CFDateRef signing_date = CFDateCreate(kCFAllocatorDefault, signing_time);
504 if (signing_date){
505 CFDictionarySetValue(attrs, kSecCMSSignDate, signing_date);
506 CFReleaseSafe(signing_date);
507 }
508 }
509
510 CFDataRef hash_agility_value = NULL;
511 if (errSecSuccess == SecCmsSignerInfoGetAppleCodesigningHashAgility(sigd->signerInfos[0], &hash_agility_value)) {
512 if (hash_agility_value) {
513 CFDictionarySetValue(attrs, kSecCMSHashAgility, hash_agility_value);
514 }
515 }
516
517 CFDictionaryRef hash_agility_values = NULL;
518 if (errSecSuccess == SecCmsSignerInfoGetAppleCodesigningHashAgilityV2(sigd->signerInfos[0], &hash_agility_values)) {
519 if (hash_agility_values) {
520 CFDictionarySetValue(attrs, kSecCMSHashAgilityV2, hash_agility_values);
521 }
522 }
523
524 CFAbsoluteTime expiration_time;
525 if (errSecSuccess == SecCmsSignerInfoGetAppleExpirationTime(sigd->signerInfos[0], &expiration_time)) {
526 CFDateRef expiration_date = CFDateCreate(NULL, expiration_time);
527 if (expiration_date) {
528 CFDictionarySetValue(attrs, kSecCMSExpirationDate, expiration_date);
529 CFReleaseSafe(expiration_date);
530 }
531 }
532
533 *signed_attributes = attrs;
534 CFReleaseSafe(certs);
535 }
536
537
538 out:
539 if (cmsg) SecCmsMessageDestroy(cmsg);
540 return status;
541 }
542
543 OSStatus SecCMSVerifyCopyDataAndAttributes(CFDataRef message, CFDataRef detached_contents,
544 CFTypeRef policy, SecTrustRef *trustref,
545 CFDataRef *attached_contents, CFDictionaryRef *signed_attributes)
546 {
547 OSStatus status = SecCMSVerifySignedData_internal(message, detached_contents, policy, trustref, NULL, attached_contents, signed_attributes);
548
549 return status;
550 }
551
552 OSStatus SecCMSVerifySignedData(CFDataRef message, CFDataRef detached_contents,
553 CFTypeRef policy, SecTrustRef *trustref, CFArrayRef additional_certificates,
554 CFDataRef *attached_contents, CFDictionaryRef *message_attributes)
555 {
556 CFDictionaryRef signed_attributes = NULL;
557 OSStatus status = SecCMSVerifySignedData_internal(message, detached_contents, policy, trustref, additional_certificates, attached_contents, &signed_attributes);
558 if (!status && signed_attributes && message_attributes) {
559 *message_attributes = CFDictionaryCreate(kCFAllocatorDefault, &kSecCMSSignedAttributes, (const void **)&signed_attributes, 1, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
560 }
561 CFReleaseSafe(signed_attributes);
562
563 return status;
564 }
565
566 OSStatus SecCMSVerify(CFDataRef message, CFDataRef detached_contents,
567 CFTypeRef policy, SecTrustRef *trustref,
568 CFDataRef *attached_contents) {
569 return SecCMSVerifySignedData_internal(message, detached_contents, policy, trustref, NULL, attached_contents, NULL);
570 }
571
572 CFArrayRef SecCMSCertificatesOnlyMessageCopyCertificates(CFDataRef message) {
573 SecCmsMessageRef cmsg = NULL;
574 SecCmsContentInfoRef cinfo;
575 SecCmsSignedDataRef sigd = NULL;
576 CFMutableArrayRef certs = NULL;
577
578 if (!message) {
579 return NULL;
580 }
581
582 SecAsn1Item encoded_message = { CFDataGetLength(message), (uint8_t*)CFDataGetBytePtr(message) };
583 require_noerr_quiet(SecCmsMessageDecode(&encoded_message, NULL, NULL, NULL, NULL, NULL, NULL, &cmsg), out);
584 /* expected to be a signed data message at the top level */
585 require(cinfo = SecCmsMessageContentLevel(cmsg, 0), out);
586 require(SecCmsContentInfoGetContentTypeTag(cinfo) == SEC_OID_PKCS7_SIGNED_DATA, out);
587 require(sigd = (SecCmsSignedDataRef)SecCmsContentInfoGetContent(cinfo), out);
588
589 /* find out about signers */
590 int nsigners = SecCmsSignedDataSignerInfoCount(sigd);
591 require(nsigners == 0, out);
592
593 SecAsn1Item **cert_datas = SecCmsSignedDataGetCertificateList(sigd);
594 certs = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks);
595 SecAsn1Item *cert_data;
596 if (cert_datas) while ((cert_data = *cert_datas) != NULL) {
597 SecCertificateRef cert = SecCertificateCreateWithBytes(NULL, cert_data->Data, cert_data->Length);
598 if (cert) {
599 CFArrayAppendValue(certs, cert);
600 CFRelease(cert);
601 }
602 cert_datas++;
603 }
604
605 out:
606 if (cmsg) { SecCmsMessageDestroy(cmsg); }
607 if (certs && CFArrayGetCount(certs) < 1) {
608 CFReleaseNull(certs);
609 }
610
611 return certs;
612 }
613
614
615 extern const SecAsn1Template SecCmsMessageTemplate[];
616
617 CFDataRef SecCMSCreateCertificatesOnlyMessage(CFTypeRef cert_or_array_thereof) {
618 OSStatus status = errSecParam;
619 SecCmsMessageRef cmsg = NULL;
620 SecCmsContentInfoRef cinfo;
621 SecCmsSignedDataRef sigd = NULL;
622 CFMutableDataRef cert_only_signed_data = NULL;
623 CFArrayRef cert_array = NULL;
624 CFIndex cert_array_count = 0;
625 SecCertificateRef cert = NULL;
626
627 require(cert_or_array_thereof, out);
628
629 require(cmsg = SecCmsMessageCreate(), out);
630 require(sigd = SecCmsSignedDataCreate(cmsg), out);
631 require_noerr(SecCmsContentInfoSetContentData(&(sigd->contentInfo), NULL, PR_TRUE), out);
632 require(cinfo = SecCmsMessageGetContentInfo(cmsg), out);
633 require_noerr(SecCmsContentInfoSetContentSignedData(cinfo, sigd), out);
634 long version = SEC_CMS_SIGNED_DATA_VERSION_BASIC;
635 require(SEC_ASN1EncodeInteger(cmsg->poolp, &(sigd->version), version), out);
636
637 if (CFGetTypeID(cert_or_array_thereof) == SecCertificateGetTypeID()) {
638 cert_array = CFArrayCreate(kCFAllocatorDefault, &cert_or_array_thereof, 1, &kCFTypeArrayCallBacks);
639 } else if (CFGetTypeID(cert_or_array_thereof) == CFArrayGetTypeID()) {
640 cert_array = CFArrayCreateCopy(kCFAllocatorDefault, (CFArrayRef)cert_or_array_thereof);
641 }
642
643 require(cert_array, out);
644 cert_array_count = CFArrayGetCount(cert_array);
645 require(cert_array_count > 0, out);
646
647 sigd->rawCerts = (SecAsn1Item * *)PORT_ArenaAlloc(cmsg->poolp, (cert_array_count + 1) * sizeof(SecAsn1Item *));
648 require(sigd->rawCerts, out);
649 CFIndex ix;
650 for (ix = 0; ix < cert_array_count; ix++) {
651 cert = (SecCertificateRef)CFArrayGetValueAtIndex(cert_array, ix);
652 require(cert, out);
653
654 sigd->rawCerts[ix] = PORT_ArenaZAlloc(cmsg->poolp, sizeof(SecAsn1Item));
655 SecAsn1Item cert_data = { SecCertificateGetLength(cert),
656 (uint8_t *)SecCertificateGetBytePtr(cert) };
657 *(sigd->rawCerts[ix]) = cert_data;
658 }
659 sigd->rawCerts[ix] = NULL;
660
661 /* this is a SET OF, so we need to sort them guys - we have the DER already, though */
662 if (cert_array_count > 1)
663 SecCmsArraySort((void **)sigd->rawCerts, SecCmsUtilDERCompare, NULL, NULL);
664
665 cert_only_signed_data = CFDataCreateMutable(kCFAllocatorDefault, 0);
666 SecAsn1Item cert_only_signed_data_item = {};
667 require_quiet(SEC_ASN1EncodeItem(cmsg->poolp, &cert_only_signed_data_item,
668 cmsg, SecCmsMessageTemplate), out);
669 CFDataAppendBytes(cert_only_signed_data, cert_only_signed_data_item.Data,
670 cert_only_signed_data_item.Length);
671
672 status = errSecSuccess;
673 out:
674 CFReleaseSafe(cert_array);
675 if (status) CFReleaseSafe(cert_only_signed_data);
676 if (cmsg) SecCmsMessageDestroy(cmsg);
677 return cert_only_signed_data;
678 }
679
680 CFDataRef SecCMSCreateCertificatesOnlyMessageIAP(SecCertificateRef cert)
681 {
682 static const uint8_t header[] = {
683 0x30, 0x82, 0x03, 0x6d, 0x06, 0x09, 0x2a, 0x86,
684 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, 0xa0,
685 0x82, 0x03, 0x5e, 0x30, 0x82, 0x03, 0x5a, 0x02,
686 0x01, 0x01, 0x31, 0x00, 0x30, 0x0b, 0x06, 0x09,
687 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07,
688 0x01, 0xa0, 0x82, 0x03, 0x40
689 };
690
691 static const uint8_t trailer[] = {
692 0xa1, 0x00, 0x31, 0x00
693 };
694
695 CFMutableDataRef message = NULL;
696 CFDataRef certdata;
697 const uint8_t *certbytes;
698 CFIndex certlen;
699 uint8_t *messagebytes;
700 uint16_t messagelen;
701
702 certdata = SecCertificateCopyData(cert);
703 require(certdata, out);
704
705 certbytes = CFDataGetBytePtr(certdata);
706 certlen = CFDataGetLength(certdata);
707 require(certlen > UINT8_MAX, out);
708 require(certlen < UINT16_MAX, out);
709
710 message = CFDataCreateMutable(kCFAllocatorDefault, 0);
711 require(message, out);
712
713 CFDataAppendBytes(message, header, sizeof(header));
714 CFDataAppendBytes(message, certbytes, certlen);
715 CFDataAppendBytes(message, trailer, sizeof(trailer));
716
717 messagebytes = CFDataGetMutableBytePtr(message);
718 messagelen = CFDataGetLength(message);
719
720 messagelen -= 4;
721 messagebytes[2] = messagelen >> 8;
722 messagebytes[3] = messagelen & 0xFF;
723
724 messagelen -= 15;
725 messagebytes[17] = messagelen >> 8;
726 messagebytes[18] = messagelen & 0xFF;
727
728 messagelen -= 4;
729 messagebytes[21] = messagelen >> 8;
730 messagebytes[22] = messagelen & 0xFF;
731
732 messagelen -= 26;
733 messagebytes[43] = messagelen >> 8;
734 messagebytes[44] = messagelen & 0xFF;
735
736 out:
737 CFReleaseSafe(certdata);
738 return message;
739 }
740
741 #endif /* ENABLE_CMS */
742