+++ /dev/null
-/*
- * Copyright (c) 2006-2013 Apple Inc. All Rights Reserved.
- *
- * @APPLE_LICENSE_HEADER_START@
- *
- * This file contains Original Code and/or Modifications of Original Code
- * as defined in and that are subject to the Apple Public Source License
- * Version 2.0 (the 'License'). You may not use this file except in
- * compliance with the License. Please obtain a copy of the License at
- * http://www.opensource.apple.com/apsl/ and read it before using this
- * file.
- *
- * The Original Code and all software distributed under the License are
- * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
- * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
- * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
- * Please see the License for the specific language governing rights and
- * limitations under the License.
- *
- * @APPLE_LICENSE_HEADER_END@
- */
-
-/*
- * CMSEncoder.cpp - encode, sign, and/or encrypt CMS messages.
- */
-
-#include "CMSEncoder.h"
-#include "CMSPrivate.h"
-#include "CMSUtils.h"
-#include <Security/SecBase.h>
-#include <Security/SecCmsEncoder.h>
-#include <Security/SecCmsEnvelopedData.h>
-#include <Security/SecCmsMessage.h>
-#include <Security/SecCmsRecipientInfo.h>
-#include <Security/SecCmsSignedData.h>
-#include <Security/SecCmsSignerInfo.h>
-#include <Security/SecCmsContentInfo.h>
-#include <Security/SecCertificate.h>
-#include <Security/SecIdentity.h>
-#include <Security/SecKeychain.h>
-#include <Security/SecKeychainItem.h>
-#include <Security/SecSMIME.h>
-#include <Security/oidsattr.h>
-#include <Security/SecAsn1Coder.h>
-#include <Security/SecAsn1Types.h>
-#include <Security/SecAsn1Templates.h>
-#include <CoreFoundation/CFRuntime.h>
-#include <pthread.h>
-
-#include <security_smime/tsaSupport.h>
-#include <security_smime/cmspriv.h>
-
-#pragma mark --- Private types and definitions ---
-
-/*
- * Encoder state.
- */
-typedef enum {
- ES_Init, /* between CMSEncoderCreate and earlier of CMSEncoderUpdateContent
- * and CMSEncodeGetCmsMessage */
- ES_Msg, /* created cmsMsg in CMSEncodeGetCmsMessage, but no encoder yet */
- ES_Updating, /* between first CMSEncoderUpdateContent and CMSEncoderCopyEncodedContent */
- ES_Final /* CMSEncoderCopyEncodedContent has been called */
-} CMSEncoderState;
-
-/*
- * High-level operation: what are we doing?
- */
-typedef enum {
- EO_Sign,
- EO_Encrypt,
- EO_SignEncrypt
-} CMSEncoderOp;
-
-/*
- * Caller's CMSEncoderRef points to one of these.
- */
-struct _CMSEncoder {
- CFRuntimeBase base;
- CMSEncoderState encState;
- CMSEncoderOp op;
- Boolean detachedContent;
- CSSM_OID eContentType;
- CFMutableArrayRef signers;
- CFMutableArrayRef recipients;
- CFMutableArrayRef otherCerts;
- CMSSignedAttributes signedAttributes;
- CFAbsoluteTime signingTime;
- SecCmsMessageRef cmsMsg;
- SecArenaPoolRef arena; /* the encoder's arena */
- SecCmsEncoderRef encoder;
- CSSM_DATA encoderOut; /* output goes here... */
- bool customCoder; /* unless this is set by
- * CMSEncoderSetEncoder */
- CMSCertificateChainMode chainMode;
-};
-
-static void cmsEncoderInit(CFTypeRef enc);
-static void cmsEncoderFinalize(CFTypeRef enc);
-
-static CFRuntimeClass cmsEncoderRuntimeClass =
-{
- 0, /* version */
- "CMSEncoder",
- cmsEncoderInit,
- NULL, /* copy */
- cmsEncoderFinalize,
- NULL, /* equal - just use pointer equality */
- NULL, /* hash, ditto */
- NULL, /* copyFormattingDesc */
- NULL /* copyDebugDesc */
-};
-
-void
-CmsMessageSetTSACallback(CMSEncoderRef cmsEncoder, SecCmsTSACallback tsaCallback);
-
-#pragma mark --- Private routines ---
-
-/*
- * Decode a CFStringRef representation of an integer
- */
-static int cfStringToNumber(
- CFStringRef inStr)
-{
- int max = 32;
- char buf[max];
- if (!inStr || !CFStringGetCString(inStr, buf, max-1, kCFStringEncodingASCII))
- return -1;
- return atoi(buf);
-}
-
-/*
- * Encode an integer component of an OID, return resulting number of bytes;
- * actual bytes are mallocd and returned in *encodeArray.
- */
-static unsigned encodeNumber(
- int num,
- unsigned char **encodeArray) // mallocd and RETURNED
-{
- unsigned char *result;
- unsigned dex;
- unsigned numDigits = 0;
- unsigned scratch;
-
- /* trival case - 0 maps to 0 */
- if(num == 0) {
- *encodeArray = (unsigned char *)malloc(1);
- **encodeArray = 0;
- return 1;
- }
-
- /* first calculate the number of digits in num, base 128 */
- scratch = (unsigned)num;
- while(scratch != 0) {
- numDigits++;
- scratch >>= 7;
- }
-
- result = (unsigned char *)malloc(numDigits);
- scratch = (unsigned)num;
- for(dex=0; dex<numDigits; dex++) {
- result[numDigits - dex - 1] = scratch & 0x7f;
- scratch >>= 7;
- }
-
- /* all digits except the last one have m.s. bit set */
- for(dex=0; dex<(numDigits - 1); dex++) {
- result[dex] |= 0x80;
- }
-
- *encodeArray = result;
- return numDigits;
-}
-
-/*
- * Given an OID in dotted-decimal string representation, convert to binary
- * DER format. Returns a pointer in outOid which the caller must free(),
- * as well as the length of the data in outLen.
- * Function returns 0 if successful, non-zero otherwise.
- */
-static int encodeOid(
- const unsigned char *inStr,
- unsigned char **outOid,
- unsigned int *outLen)
-{
- unsigned char **digits = NULL; /* array of char * from encodeNumber */
- unsigned *numDigits = NULL; /* array of unsigned from encodeNumber */
- CFIndex digit;
- unsigned numDigitBytes; /* total #of output chars */
- unsigned char firstByte;
- unsigned char *outP;
- CFIndex numsToProcess;
- CFStringRef oidStr = NULL;
- CFArrayRef argvRef = NULL;
- int num, result = 1;
- CFIndex argc;
-
- /* parse input string into array of substrings */
- if (!inStr || !outOid || !outLen) goto cleanExit;
- oidStr = CFStringCreateWithCString(NULL, (const char *)inStr, kCFStringEncodingASCII);
- if (!oidStr) goto cleanExit;
- argvRef = CFStringCreateArrayBySeparatingStrings(NULL, oidStr, CFSTR("."));
- if (!argvRef) goto cleanExit;
- argc = CFArrayGetCount(argvRef);
- if (argc < 3) goto cleanExit;
-
- /* first two numbers in OID munge together */
- num = cfStringToNumber((CFStringRef)CFArrayGetValueAtIndex(argvRef, 0));
- if (num < 0) goto cleanExit;
- firstByte = (40 * num);
- num = cfStringToNumber((CFStringRef)CFArrayGetValueAtIndex(argvRef, 1));
- if (num < 0) goto cleanExit;
- firstByte += num;
- numDigitBytes = 1;
-
- numsToProcess = argc - 2;
- if(numsToProcess > 0) {
- /* skip this loop in the unlikely event that input is only two numbers */
- digits = (unsigned char **) malloc(numsToProcess * sizeof(unsigned char *));
- numDigits = (unsigned *) malloc(numsToProcess * sizeof(unsigned));
- for(digit=0; digit<numsToProcess; digit++) {
- num = cfStringToNumber((CFStringRef)CFArrayGetValueAtIndex(argvRef, digit+2));
- if (num < 0) goto cleanExit;
- numDigits[digit] = encodeNumber(num, &digits[digit]);
- numDigitBytes += numDigits[digit];
- }
- }
- *outLen = (2 + numDigitBytes);
- *outOid = outP = (unsigned char *) malloc(*outLen);
- *outP++ = 0x06;
- *outP++ = numDigitBytes;
- *outP++ = firstByte;
- for(digit=0; digit<numsToProcess; digit++) {
- unsigned int byteDex;
- for(byteDex=0; byteDex<numDigits[digit]; byteDex++) {
- *outP++ = digits[digit][byteDex];
- }
- }
- if(digits) {
- for(digit=0; digit<numsToProcess; digit++) {
- free(digits[digit]);
- }
- free(digits);
- free(numDigits);
- }
- result = 0;
-
-cleanExit:
- if (oidStr) CFRelease(oidStr);
- if (argvRef) CFRelease(argvRef);
-
- return result;
-}
-
-/*
- * Given a CF object reference describing an OID, convert to binary DER format
- * and fill out the CSSM_OID structure provided by the caller. Caller is
- * responsible for freeing the data pointer in outOid->Data.
- *
- * Function returns 0 if successful, non-zero otherwise.
- */
-
-static int convertOid(
- CFTypeRef inRef,
- CSSM_OID *outOid)
-{
- if (!inRef || !outOid)
- return errSecParam;
-
- unsigned char *oidData = NULL;
- unsigned int oidLen = 0;
-
- if (CFGetTypeID(inRef) == CFStringGetTypeID()) {
- // CFStringRef: OID representation is a dotted-decimal string
- CFStringRef inStr = (CFStringRef)inRef;
- CFIndex max = CFStringGetLength(inStr) * 3;
- char buf[max];
- if (!CFStringGetCString(inStr, buf, max-1, kCFStringEncodingASCII))
- return errSecParam;
-
- if(encodeOid((unsigned char *)buf, &oidData, &oidLen) != 0)
- return errSecParam;
- }
- else if (CFGetTypeID(inRef) == CFDataGetTypeID()) {
- // CFDataRef: OID representation is in binary DER format
- CFDataRef inData = (CFDataRef)inRef;
- oidLen = (unsigned int) CFDataGetLength(inData);
- oidData = (unsigned char *) malloc(oidLen);
- memcpy(oidData, CFDataGetBytePtr(inData), oidLen);
- }
- else {
- // Not in a format we understand
- return errSecParam;
- }
- outOid->Length = oidLen;
- outOid->Data = (uint8 *)oidData;
- return 0;
-}
-
-static CFTypeID cmsEncoderTypeID = _kCFRuntimeNotATypeID;
-
-/* one time only class init, called via pthread_once() in CMSEncoderGetTypeID() */
-static void cmsEncoderClassInitialize(void)
-{
- cmsEncoderTypeID =
- _CFRuntimeRegisterClass((const CFRuntimeClass * const)&cmsEncoderRuntimeClass);
-}
-
-/* init called out from _CFRuntimeCreateInstance() */
-static void cmsEncoderInit(CFTypeRef enc)
-{
- char *start = ((char *)enc) + sizeof(CFRuntimeBase);
- memset(start, 0, sizeof(struct _CMSEncoder) - sizeof(CFRuntimeBase));
-}
-
-/*
- * Dispose of a CMSEncoder. Called out from CFRelease().
- */
-static void cmsEncoderFinalize(
- CFTypeRef enc)
-{
- CMSEncoderRef cmsEncoder = (CMSEncoderRef)enc;
- if(cmsEncoder == NULL) {
- return;
- }
- if(cmsEncoder->eContentType.Data != NULL) {
- free(cmsEncoder->eContentType.Data);
- }
- CFRELEASE(cmsEncoder->signers);
- CFRELEASE(cmsEncoder->recipients);
- CFRELEASE(cmsEncoder->otherCerts);
- if(cmsEncoder->cmsMsg != NULL) {
- SecCmsMessageDestroy(cmsEncoder->cmsMsg);
- }
- if(cmsEncoder->arena != NULL) {
- SecArenaPoolFree(cmsEncoder->arena, false);
- }
- if(cmsEncoder->encoder != NULL) {
- /*
- * Normally this gets freed in SecCmsEncoderFinish - this is
- * an error case.
- */
- SecCmsEncoderDestroy(cmsEncoder->encoder);
- }
-}
-
-static OSStatus cmsSetupEncoder(
- CMSEncoderRef cmsEncoder)
-{
- OSStatus ortn;
-
- ASSERT(cmsEncoder->arena == NULL);
- ASSERT(cmsEncoder->encoder == NULL);
-
- ortn = SecArenaPoolCreate(1024, &cmsEncoder->arena);
- if(ortn) {
- return cmsRtnToOSStatus(ortn);
- }
- ortn = SecCmsEncoderCreate(cmsEncoder->cmsMsg,
- NULL, NULL, // no callback
- &cmsEncoder->encoderOut, // data goes here
- cmsEncoder->arena,
- NULL, NULL, // no password callback (right?)
- NULL, NULL, // decrypt key callback
- NULL, NULL, // detached digests
- &cmsEncoder->encoder);
- if(ortn) {
- return cmsRtnToOSStatus(ortn);
- }
- return errSecSuccess;
-}
-
-/*
- * Set up a SecCmsMessageRef for a SignedData creation.
- */
-static OSStatus cmsSetupForSignedData(
- CMSEncoderRef cmsEncoder)
-{
- ASSERT((cmsEncoder->signers != NULL) || (cmsEncoder->otherCerts != NULL));
-
- SecCmsContentInfoRef contentInfo = NULL;
- SecCmsSignedDataRef signedData = NULL;
- OSStatus ortn;
-
- /* build chain of objects: message->signedData->data */
- if(cmsEncoder->cmsMsg != NULL) {
- SecCmsMessageDestroy(cmsEncoder->cmsMsg);
- }
- cmsEncoder->cmsMsg = SecCmsMessageCreate(NULL);
- if(cmsEncoder->cmsMsg == NULL) {
- return errSecInternalComponent;
- }
-
- signedData = SecCmsSignedDataCreate(cmsEncoder->cmsMsg);
- if(signedData == NULL) {
- return errSecInternalComponent;
- }
- contentInfo = SecCmsMessageGetContentInfo(cmsEncoder->cmsMsg);
- ortn = SecCmsContentInfoSetContentSignedData(cmsEncoder->cmsMsg, contentInfo,
- signedData);
- if(ortn) {
- return cmsRtnToOSStatus(ortn);
- }
- contentInfo = SecCmsSignedDataGetContentInfo(signedData);
- if(cmsEncoder->eContentType.Data != NULL) {
- /* Override the default eContentType of id-data */
- ortn = SecCmsContentInfoSetContentOther(cmsEncoder->cmsMsg,
- contentInfo,
- NULL, /* data - provided to encoder, not here */
- cmsEncoder->detachedContent,
- &cmsEncoder->eContentType);
- }
- else {
- ortn = SecCmsContentInfoSetContentData(cmsEncoder->cmsMsg,
- contentInfo,
- NULL, /* data - provided to encoder, not here */
- cmsEncoder->detachedContent);
- }
- if(ortn) {
- ortn = cmsRtnToOSStatus(ortn);
- CSSM_PERROR("SecCmsContentInfoSetContent*", ortn);
- return ortn;
- }
-
- /* optional 'global' (per-SignedData) certs */
- if(cmsEncoder->otherCerts != NULL) {
- ortn = SecCmsSignedDataAddCertList(signedData, cmsEncoder->otherCerts);
- if(ortn) {
- ortn = cmsRtnToOSStatus(ortn);
- CSSM_PERROR("SecCmsSignedDataAddCertList", ortn);
- return ortn;
- }
- }
-
- /* SignerInfos, one per signer */
- CFIndex numSigners = 0;
- if(cmsEncoder->signers != NULL) {
- /* this is optional...in case we're just creating a cert bundle */
- numSigners = CFArrayGetCount(cmsEncoder->signers);
- }
- CFIndex dex;
- SecKeychainRef ourKc = NULL;
- SecCertificateRef ourCert = NULL;
- SecCmsCertChainMode chainMode = SecCmsCMCertChain;
-
- switch(cmsEncoder->chainMode) {
- case kCMSCertificateNone:
- chainMode = SecCmsCMNone;
- break;
- case kCMSCertificateSignerOnly:
- chainMode = SecCmsCMCertOnly;
- break;
- case kCMSCertificateChainWithRoot:
- chainMode = SecCmsCMCertChainWithRoot;
- break;
- default:
- break;
- }
- for(dex=0; dex<numSigners; dex++) {
- SecCmsSignerInfoRef signerInfo;
-
- SecIdentityRef ourId =
- (SecIdentityRef)CFArrayGetValueAtIndex(cmsEncoder->signers, dex);
- ortn = SecIdentityCopyCertificate(ourId, &ourCert);
- if(ortn) {
- CSSM_PERROR("SecIdentityCopyCertificate", ortn);
- break;
- }
- ortn = SecKeychainItemCopyKeychain((SecKeychainItemRef)ourCert, &ourKc);
- if(ortn) {
- CSSM_PERROR("SecKeychainItemCopyKeychain", ortn);
- break;
- }
- signerInfo = SecCmsSignerInfoCreate(cmsEncoder->cmsMsg, ourId, SEC_OID_SHA1);
- if (signerInfo == NULL) {
- ortn = errSecInternalComponent;
- break;
- }
-
- /* we want the cert chain included for this one */
- /* NOTE the usage parameter is currently unused by the SMIME lib */
- ortn = SecCmsSignerInfoIncludeCerts(signerInfo, chainMode,
- certUsageEmailSigner);
- if(ortn) {
- ortn = cmsRtnToOSStatus(ortn);
- CSSM_PERROR("SecCmsSignerInfoIncludeCerts", ortn);
- break;
- }
-
- /* other options */
- if(cmsEncoder->signedAttributes & kCMSAttrSmimeCapabilities) {
- ortn = SecCmsSignerInfoAddSMIMECaps(signerInfo);
- if(ortn) {
- ortn = cmsRtnToOSStatus(ortn);
- CSSM_PERROR("SecCmsSignerInfoAddSMIMEEncKeyPrefs", ortn);
- break;
- }
- }
- if(cmsEncoder->signedAttributes & kCMSAttrSmimeEncryptionKeyPrefs) {
- ortn = SecCmsSignerInfoAddSMIMEEncKeyPrefs(signerInfo, ourCert, ourKc);
- if(ortn) {
- ortn = cmsRtnToOSStatus(ortn);
- CSSM_PERROR("SecCmsSignerInfoAddSMIMEEncKeyPrefs", ortn);
- break;
- }
- }
- if(cmsEncoder->signedAttributes & kCMSAttrSmimeMSEncryptionKeyPrefs) {
- ortn = SecCmsSignerInfoAddMSSMIMEEncKeyPrefs(signerInfo, ourCert, ourKc);
- if(ortn) {
- ortn = cmsRtnToOSStatus(ortn);
- CSSM_PERROR("SecCmsSignerInfoAddMSSMIMEEncKeyPrefs", ortn);
- break;
- }
- }
- if(cmsEncoder->signedAttributes & kCMSAttrSigningTime) {
- if (cmsEncoder->signingTime == 0)
- cmsEncoder->signingTime = CFAbsoluteTimeGetCurrent();
- ortn = SecCmsSignerInfoAddSigningTime(signerInfo, cmsEncoder->signingTime);
- if(ortn) {
- ortn = cmsRtnToOSStatus(ortn);
- CSSM_PERROR("SecCmsSignerInfoAddSigningTime", ortn);
- break;
- }
- }
-
- ortn = SecCmsSignedDataAddSignerInfo(signedData, signerInfo);
- if(ortn) {
- ortn = cmsRtnToOSStatus(ortn);
- CSSM_PERROR("SecCmsSignedDataAddSignerInfo", ortn);
- break;
- }
-
- CFRELEASE(ourKc);
- CFRELEASE(ourCert);
- ourKc = NULL;
- ourCert = NULL;
- }
- if(ortn) {
- CFRELEASE(ourKc);
- CFRELEASE(ourCert);
- }
- return ortn;
-}
-
-/*
- * Set up a SecCmsMessageRef for a EnvelopedData creation.
- */
-static OSStatus cmsSetupForEnvelopedData(
- CMSEncoderRef cmsEncoder)
-{
- ASSERT(cmsEncoder->op == EO_Encrypt);
- ASSERT(cmsEncoder->recipients != NULL);
-
- SecCmsContentInfoRef contentInfo = NULL;
- SecCmsEnvelopedDataRef envelopedData = NULL;
- SECOidTag algorithmTag;
- int keySize;
- OSStatus ortn;
-
- /*
- * Find encryption algorithm...unfortunately we need a NULL-terminated array
- * of SecCertificateRefs for this.
- */
- CFIndex numCerts = CFArrayGetCount(cmsEncoder->recipients);
- CFIndex dex;
- SecCertificateRef *certArray = (SecCertificateRef *)malloc(
- (numCerts+1) * sizeof(SecCertificateRef));
-
- for(dex=0; dex<numCerts; dex++) {
- certArray[dex] = (SecCertificateRef)CFArrayGetValueAtIndex(
- cmsEncoder->recipients, dex);
- }
- certArray[numCerts] = NULL;
- ortn = SecSMIMEFindBulkAlgForRecipients(certArray, &algorithmTag, &keySize);
- free(certArray);
- if(ortn) {
- CSSM_PERROR("SecSMIMEFindBulkAlgForRecipients", ortn);
- return ortn;
- }
-
- /* build chain of objects: message->envelopedData->data */
- if(cmsEncoder->cmsMsg != NULL) {
- SecCmsMessageDestroy(cmsEncoder->cmsMsg);
- }
- cmsEncoder->cmsMsg = SecCmsMessageCreate(NULL);
- if(cmsEncoder->cmsMsg == NULL) {
- return errSecInternalComponent;
- }
- envelopedData = SecCmsEnvelopedDataCreate(cmsEncoder->cmsMsg,
- algorithmTag, keySize);
- if(envelopedData == NULL) {
- return errSecInternalComponent;
- }
- contentInfo = SecCmsMessageGetContentInfo(cmsEncoder->cmsMsg);
- ortn = SecCmsContentInfoSetContentEnvelopedData(cmsEncoder->cmsMsg,
- contentInfo, envelopedData);
- if(ortn) {
- ortn = cmsRtnToOSStatus(ortn);
- CSSM_PERROR("SecCmsContentInfoSetContentEnvelopedData", ortn);
- return ortn;
- }
- contentInfo = SecCmsEnvelopedDataGetContentInfo(envelopedData);
- if(cmsEncoder->eContentType.Data != NULL) {
- /* Override the default ContentType of id-data */
- ortn = SecCmsContentInfoSetContentOther(cmsEncoder->cmsMsg,
- contentInfo,
- NULL, /* data - provided to encoder, not here */
- FALSE, /* detachedContent */
- &cmsEncoder->eContentType);
- }
- else {
- ortn = SecCmsContentInfoSetContentData(cmsEncoder->cmsMsg,
- contentInfo,
- NULL /* data - provided to encoder, not here */,
- cmsEncoder->detachedContent);
- }
- if(ortn) {
- ortn = cmsRtnToOSStatus(ortn);
- CSSM_PERROR("SecCmsContentInfoSetContentData*", ortn);
- return ortn;
- }
-
- /*
- * create & attach recipient information, one for each recipient
- */
- for(dex=0; dex<numCerts; dex++) {
- SecCmsRecipientInfoRef recipientInfo = NULL;
-
- SecCertificateRef thisRecip = (SecCertificateRef)CFArrayGetValueAtIndex(
- cmsEncoder->recipients, dex);
- recipientInfo = SecCmsRecipientInfoCreate(cmsEncoder->cmsMsg, thisRecip);
- ortn = SecCmsEnvelopedDataAddRecipient(envelopedData, recipientInfo);
- if(ortn) {
- ortn = cmsRtnToOSStatus(ortn);
- CSSM_PERROR("SecCmsEnvelopedDataAddRecipient", ortn);
- return ortn;
- }
- }
- return errSecSuccess;
-}
-
-/*
- * Set up cmsMsg. Called from either the first call to CMSEncoderUpdateContent, or
- * from CMSEncodeGetCmsMessage().
- */
-static OSStatus cmsSetupCmsMsg(
- CMSEncoderRef cmsEncoder)
-{
- ASSERT(cmsEncoder != NULL);
- ASSERT(cmsEncoder->encState == ES_Init);
-
- /* figure out what high-level operation we're doing */
- if((cmsEncoder->signers != NULL) || (cmsEncoder->otherCerts != NULL)) {
- if(cmsEncoder->recipients != NULL) {
- cmsEncoder->op = EO_SignEncrypt;
- }
- else {
- cmsEncoder->op = EO_Sign;
- }
- }
- else if(cmsEncoder->recipients != NULL) {
- cmsEncoder->op = EO_Encrypt;
- }
- else {
- dprintf("CMSEncoderUpdateContent: nothing to do\n");
- return errSecParam;
- }
-
- OSStatus ortn = errSecSuccess;
-
- switch(cmsEncoder->op) {
- case EO_Sign:
- case EO_SignEncrypt:
- /* If we're signing & encrypting, do the signing first */
- ortn = cmsSetupForSignedData(cmsEncoder);
- break;
- case EO_Encrypt:
- ortn = cmsSetupForEnvelopedData(cmsEncoder);
- break;
- }
- cmsEncoder->encState = ES_Msg;
- return ortn;
-}
-
-/*
- * ASN.1 template for decoding a ContentInfo.
- */
-typedef struct {
- CSSM_OID contentType;
- CSSM_DATA content;
-} SimpleContentInfo;
-
-static const SecAsn1Template cmsSimpleContentInfoTemplate[] = {
- { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SimpleContentInfo) },
- { SEC_ASN1_OBJECT_ID, offsetof(SimpleContentInfo, contentType) },
- { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0,
- offsetof(SimpleContentInfo, content),
- kSecAsn1AnyTemplate },
- { 0, }
-};
-
-/*
- * Obtain the content of a contentInfo, This basically strips off the contentType OID
- * and returns its ASN_ANY content, allocated the provided coder's memory space.
- */
-static OSStatus cmsContentInfoContent(
- SecAsn1CoderRef asn1Coder,
- const CSSM_DATA *contentInfo,
- CSSM_DATA *content) /* RETURNED */
-{
- OSStatus ortn;
- SimpleContentInfo decodedInfo;
-
- memset(&decodedInfo, 0, sizeof(decodedInfo));
- ortn = SecAsn1DecodeData(asn1Coder, contentInfo,
- cmsSimpleContentInfoTemplate, &decodedInfo);
- if(ortn) {
- return ortn;
- }
- if(decodedInfo.content.Data == NULL) {
- dprintf("***Error decoding contentInfo: no content\n");
- return errSecInternalComponent;
- }
- *content = decodedInfo.content;
- return errSecSuccess;
-}
-
-#pragma mark --- Start of Public API ---
-
-CFTypeID CMSEncoderGetTypeID(void)
-{
- static pthread_once_t once = PTHREAD_ONCE_INIT;
-
- if(cmsEncoderTypeID == _kCFRuntimeNotATypeID) {
- pthread_once(&once, &cmsEncoderClassInitialize);
- }
- return cmsEncoderTypeID;
-}
-
-/*
- * Create a CMSEncoder. Result must eventually be freed via CFRelease().
- */
-OSStatus CMSEncoderCreate(
- CMSEncoderRef *cmsEncoderOut) /* RETURNED */
-{
- CMSEncoderRef cmsEncoder = NULL;
-
- uint32_t extra = sizeof(*cmsEncoder) - sizeof(cmsEncoder->base);
- cmsEncoder = (CMSEncoderRef)_CFRuntimeCreateInstance(NULL, CMSEncoderGetTypeID(),
- extra, NULL);
- if(cmsEncoder == NULL) {
- return errSecAllocate;
- }
- cmsEncoder->encState = ES_Init;
- cmsEncoder->chainMode = kCMSCertificateChain;
- *cmsEncoderOut = cmsEncoder;
- return errSecSuccess;
-}
-
-#pragma mark --- Getters & Setters ---
-
-/*
- * Specify signers of the CMS message; implies that the message will be signed.
- */
-OSStatus CMSEncoderAddSigners(
- CMSEncoderRef cmsEncoder,
- CFTypeRef signerOrArray)
-{
- if(cmsEncoder == NULL) {
- return errSecParam;
- }
- if(cmsEncoder->encState != ES_Init) {
- return errSecParam;
- }
- return cmsAppendToArray(signerOrArray, &cmsEncoder->signers, SecIdentityGetTypeID());
-}
-
-/*
- * Obtain an array of signers as specified in CMSEncoderSetSigners().
- */
-OSStatus CMSEncoderCopySigners(
- CMSEncoderRef cmsEncoder,
- CFArrayRef *signers)
-{
- if((cmsEncoder == NULL) || (signers == NULL)) {
- return errSecParam;
- }
- if(cmsEncoder->signers != NULL) {
- CFRetain(cmsEncoder->signers);
- }
- *signers = cmsEncoder->signers;
- return errSecSuccess;
-}
-
-/*
- * Specify recipients of the message. Implies that the message will be encrypted.
- */
-OSStatus CMSEncoderAddRecipients(
- CMSEncoderRef cmsEncoder,
- CFTypeRef recipientOrArray)
-{
- if(cmsEncoder == NULL) {
- return errSecParam;
- }
- if(cmsEncoder->encState != ES_Init) {
- return errSecParam;
- }
- return cmsAppendToArray(recipientOrArray, &cmsEncoder->recipients,
- SecCertificateGetTypeID());
-}
-
-/*
- * Obtain an array of recipients as specified in CMSEncoderSetRecipients().
- */
-OSStatus CMSEncoderCopyRecipients(
- CMSEncoderRef cmsEncoder,
- CFArrayRef *recipients)
-{
- if((cmsEncoder == NULL) || (recipients == NULL)) {
- return errSecParam;
- }
- if(cmsEncoder->recipients != NULL) {
- CFRetain(cmsEncoder->recipients);
- }
- *recipients = cmsEncoder->recipients;
- return errSecSuccess;
-}
-
-/*
- * Specify additional certs to include in a signed message.
- */
-OSStatus CMSEncoderAddSupportingCerts(
- CMSEncoderRef cmsEncoder,
- CFTypeRef certOrArray)
-{
- if(cmsEncoder == NULL) {
- return errSecParam;
- }
- if(cmsEncoder->encState != ES_Init) {
- return errSecParam;
- }
- return cmsAppendToArray(certOrArray, &cmsEncoder->otherCerts,
- SecCertificateGetTypeID());
-}
-
-/*
- * Obtain the SecCertificates provided in CMSEncoderAddSupportingCerts().
- */
-OSStatus CMSEncoderCopySupportingCerts(
- CMSEncoderRef cmsEncoder,
- CFArrayRef *certs) /* RETURNED */
-{
- if((cmsEncoder == NULL) || (certs == NULL)) {
- return errSecParam;
- }
- if(cmsEncoder->otherCerts != NULL) {
- CFRetain(cmsEncoder->otherCerts);
- }
- *certs = cmsEncoder->otherCerts;
- return errSecSuccess;
-}
-
-OSStatus CMSEncoderSetHasDetachedContent(
- CMSEncoderRef cmsEncoder,
- Boolean detachedContent)
-{
- if(cmsEncoder == NULL) {
- return errSecParam;
- }
- if(cmsEncoder->encState != ES_Init) {
- return errSecParam;
- }
- cmsEncoder->detachedContent = detachedContent;
- return errSecSuccess;
-}
-
-OSStatus CMSEncoderGetHasDetachedContent(
- CMSEncoderRef cmsEncoder,
- Boolean *detachedContent) /* RETURNED */
-{
- if((cmsEncoder == NULL) || (detachedContent == NULL)) {
- return errSecParam;
- }
- *detachedContent = cmsEncoder->detachedContent;
- return errSecSuccess;
-}
-
-/*
- * Optionally specify an eContentType OID for the inner EncapsulatedData for
- * a signed message. The default eContentType, used of this function is not
- * called, is id-data.
- */
-OSStatus CMSEncoderSetEncapsulatedContentType(
- CMSEncoderRef cmsEncoder,
- const CSSM_OID *eContentType)
-{
- if((cmsEncoder == NULL) || (eContentType == NULL)) {
- return errSecParam;
- }
- if(cmsEncoder->encState != ES_Init) {
- return errSecParam;
- }
-
- CSSM_OID *ecOid = &cmsEncoder->eContentType;
- if(ecOid->Data != NULL) {
- free(ecOid->Data);
- }
- cmsCopyCmsData(eContentType, ecOid);
- return errSecSuccess;
-}
-
-OSStatus CMSEncoderSetEncapsulatedContentTypeOID(
- CMSEncoderRef cmsEncoder,
- CFTypeRef eContentTypeOID)
-{
- // convert eContentTypeOID to a CSSM_OID
- CSSM_OID contentType = { 0, NULL };
- if (!eContentTypeOID || convertOid(eContentTypeOID, &contentType) != 0)
- return errSecParam;
- OSStatus result = CMSEncoderSetEncapsulatedContentType(cmsEncoder, &contentType);
- if (contentType.Data)
- free(contentType.Data);
- return result;
-}
-
-/*
- * Obtain the eContentType OID specified in CMSEncoderSetEncapsulatedContentType().
- */
-OSStatus CMSEncoderCopyEncapsulatedContentType(
- CMSEncoderRef cmsEncoder,
- CFDataRef *eContentType)
-{
- if((cmsEncoder == NULL) || (eContentType == NULL)) {
- return errSecParam;
- }
-
- CSSM_OID *ecOid = &cmsEncoder->eContentType;
- if(ecOid->Data == NULL) {
- *eContentType = NULL;
- }
- else {
- *eContentType = CFDataCreate(NULL, ecOid->Data, ecOid->Length);
- }
- return errSecSuccess;
-}
-
-/*
- * Optionally specify signed attributes. Only meaningful when creating a
- * signed message. If this is called, it must be called before
- * CMSEncoderUpdateContent().
- */
-OSStatus CMSEncoderAddSignedAttributes(
- CMSEncoderRef cmsEncoder,
- CMSSignedAttributes signedAttributes)
-{
- if(cmsEncoder == NULL) {
- return errSecParam;
- }
- if(cmsEncoder->encState != ES_Init) {
- return errSecParam;
- }
- cmsEncoder->signedAttributes = signedAttributes;
- return errSecSuccess;
-}
-
-/*
- * Set the signing time for a CMSEncoder.
- * This is only used if the kCMSAttrSigningTime attribute is included.
- */
-OSStatus CMSEncoderSetSigningTime(
- CMSEncoderRef cmsEncoder,
- CFAbsoluteTime time)
-{
- if(cmsEncoder == NULL) {
- return errSecParam;
- }
- if(cmsEncoder->encState != ES_Init) {
- return errSecParam;
- }
- cmsEncoder->signingTime = time;
- return errSecSuccess;
-}
-
-
-OSStatus CMSEncoderSetCertificateChainMode(
- CMSEncoderRef cmsEncoder,
- CMSCertificateChainMode chainMode)
-{
- if(cmsEncoder == NULL) {
- return errSecParam;
- }
- if(cmsEncoder->encState != ES_Init) {
- return errSecParam;
- }
- switch(chainMode) {
- case kCMSCertificateNone:
- case kCMSCertificateSignerOnly:
- case kCMSCertificateChain:
- case kCMSCertificateChainWithRoot:
- break;
- default:
- return errSecParam;
- }
- cmsEncoder->chainMode = chainMode;
- return errSecSuccess;
-}
-
-OSStatus CMSEncoderGetCertificateChainMode(
- CMSEncoderRef cmsEncoder,
- CMSCertificateChainMode *chainModeOut)
-{
- if(cmsEncoder == NULL) {
- return errSecParam;
- }
- *chainModeOut = cmsEncoder->chainMode;
- return errSecSuccess;
-}
-
-void
-CmsMessageSetTSACallback(CMSEncoderRef cmsEncoder, SecCmsTSACallback tsaCallback)
-{
- if (cmsEncoder->cmsMsg)
- SecCmsMessageSetTSACallback(cmsEncoder->cmsMsg, tsaCallback);
-}
-
-void
-CmsMessageSetTSAContext(CMSEncoderRef cmsEncoder, CFTypeRef tsaContext)
-{
- if (cmsEncoder->cmsMsg)
- SecCmsMessageSetTSAContext(cmsEncoder->cmsMsg, tsaContext);
-}
-
-#pragma mark --- Action ---
-
-/*
- * Feed content bytes into the encoder.
- * Can be called multiple times.
- * No 'setter' routines can be called after this function has been called.
- */
-OSStatus CMSEncoderUpdateContent(
- CMSEncoderRef cmsEncoder,
- const void *content,
- size_t contentLen)
-{
- if(cmsEncoder == NULL) {
- return errSecParam;
- }
-
- OSStatus ortn = errSecSuccess;
- switch(cmsEncoder->encState) {
- case ES_Init:
- /*
- * First time thru: do the CmsMsg setup.
- */
- ortn = cmsSetupCmsMsg(cmsEncoder);
- if(ortn) {
- return ortn;
- }
- /* fall thru to set up the encoder */
-
- case ES_Msg:
- /* We have a cmsMsg but no encoder; create one */
- ASSERT(cmsEncoder->cmsMsg != NULL);
- ASSERT(cmsEncoder->encoder == NULL);
- ortn = cmsSetupEncoder(cmsEncoder);
- if(ortn) {
- return ortn;
- }
- /* only legal calls now are update and finalize */
- cmsEncoder->encState = ES_Updating;
- break;
-
- case ES_Updating:
- ASSERT(cmsEncoder->encoder != NULL);
- break;
-
- case ES_Final:
- /* Too late for another update */
- return errSecParam;
-
- default:
- return errSecInternalComponent;
- }
-
- /* FIXME - CFIndex same size as size_t on 64bit? */
- ortn = SecCmsEncoderUpdate(cmsEncoder->encoder, content, (CFIndex)contentLen);
- if(ortn) {
- ortn = cmsRtnToOSStatus(ortn);
- CSSM_PERROR("SecCmsEncoderUpdate", ortn);
- }
- return ortn;
-}
-
-/*
- * Finish encoding the message and obtain the encoded result.
- * Caller must CFRelease the result.
- */
-OSStatus CMSEncoderCopyEncodedContent(
- CMSEncoderRef cmsEncoder,
- CFDataRef *encodedContent)
-{
- if((cmsEncoder == NULL) || (encodedContent == NULL)) {
- return errSecParam;
- }
-
- OSStatus ortn;
-
- switch(cmsEncoder->encState) {
- case ES_Updating:
- /* normal termination */
- break;
- case ES_Final:
- /* already been called */
- return errSecParam;
- case ES_Msg:
- case ES_Init:
- /*
- * The only time these are legal is when we're doing a SignedData
- * with certificates only (no signers, no content).
- */
- if((cmsEncoder->signers != NULL) ||
- (cmsEncoder->recipients != NULL) ||
- (cmsEncoder->otherCerts == NULL)) {
- return errSecParam;
- }
-
- /* Set up for certs only */
- ortn = cmsSetupForSignedData(cmsEncoder);
- if(ortn) {
- return ortn;
- }
- /* and an encoder */
- ortn = cmsSetupEncoder(cmsEncoder);
- if(ortn) {
- return ortn;
- }
- break;
- }
-
-
- ASSERT(cmsEncoder->encoder != NULL);
- ortn = SecCmsEncoderFinish(cmsEncoder->encoder);
- /* regardless of the outcome, the encoder itself has been freed */
- cmsEncoder->encoder = NULL;
- if(ortn) {
- return cmsRtnToOSStatus(ortn);
- }
- cmsEncoder->encState = ES_Final;
-
- if((cmsEncoder->encoderOut.Data == NULL) && !cmsEncoder->customCoder) {
- /* not sure how this could happen... */
- dprintf("Successful encode, but no data\n");
- return errSecInternalComponent;
- }
- if(cmsEncoder->customCoder) {
- /* we're done */
- *encodedContent = NULL;
- return errSecSuccess;
- }
-
- /* in two out of three cases, we're done */
- switch(cmsEncoder->op) {
- case EO_Sign:
- case EO_Encrypt:
- *encodedContent = CFDataCreate(NULL, (const UInt8 *)cmsEncoder->encoderOut.Data,
- cmsEncoder->encoderOut.Length);
- return errSecSuccess;
- case EO_SignEncrypt:
- /* proceed, more work to do */
- break;
- }
-
- /*
- * Signing & encrypting.
- * Due to bugs in the libsecurity_smime encoder, it can't encode nested
- * ContentInfos in one shot. So we do another pass, specifying the SignedData
- * inside of the ContentInfo we just created as the data to encrypt.
- */
- SecAsn1CoderRef asn1Coder = NULL;
- CSSM_DATA signedData = {0, NULL};
-
- ortn = SecAsn1CoderCreate(&asn1Coder);
- if(ortn) {
- return ortn;
- }
- ortn = cmsContentInfoContent(asn1Coder, &cmsEncoder->encoderOut, &signedData);
- if(ortn) {
- goto errOut;
- }
-
- /* now just encrypt that, one-shot */
- ortn = CMSEncode(NULL, /* no signers this time */
- cmsEncoder->recipients,
- &CSSMOID_PKCS7_SignedData, /* fake out encoder so it doesn't try to actually
- * encode the signedData - this asserts the
- * SEC_OID_OTHER OID tag in the EnvelopedData's
- * ContentInfo */
- FALSE, /* detachedContent */
- kCMSAttrNone, /* signedAttributes - none this time */
- signedData.Data, signedData.Length,
- encodedContent);
-
-errOut:
- if(asn1Coder) {
- SecAsn1CoderRelease(asn1Coder);
- }
- return ortn;
-}
-
-#pragma mark --- High-level API ---
-
-/*
- * High-level, one-shot encoder function.
- */
-OSStatus CMSEncode(
- CFTypeRef signers,
- CFTypeRef recipients,
- const CSSM_OID *eContentType,
- Boolean detachedContent,
- CMSSignedAttributes signedAttributes,
- const void *content,
- size_t contentLen,
- CFDataRef *encodedContent) /* RETURNED */
-{
- if((signers == NULL) && (recipients == NULL)) {
- return errSecParam;
- }
- if(encodedContent == NULL) {
- return errSecParam;
- }
-
- CMSEncoderRef cmsEncoder;
- OSStatus ortn;
-
- /* set up the encoder */
- ortn = CMSEncoderCreate(&cmsEncoder);
- if(ortn) {
- return ortn;
- }
-
- /* subsequent errors to errOut: */
- if(signers) {
- ortn = CMSEncoderAddSigners(cmsEncoder, signers);
- if(ortn) {
- goto errOut;
- }
- }
- if(recipients) {
- ortn = CMSEncoderAddRecipients(cmsEncoder, recipients);
- if(ortn) {
- goto errOut;
- }
- }
- if(eContentType) {
- ortn = CMSEncoderSetEncapsulatedContentType(cmsEncoder, eContentType);
- if(ortn) {
- goto errOut;
- }
- }
- if(detachedContent) {
- ortn = CMSEncoderSetHasDetachedContent(cmsEncoder, detachedContent);
- if(ortn) {
- goto errOut;
- }
- }
- if(signedAttributes) {
- ortn = CMSEncoderAddSignedAttributes(cmsEncoder, signedAttributes);
- if(ortn) {
- goto errOut;
- }
- }
- /* GO */
- ortn = CMSEncoderUpdateContent(cmsEncoder, content, contentLen);
- if(ortn) {
- goto errOut;
- }
- ortn = CMSEncoderCopyEncodedContent(cmsEncoder, encodedContent);
-
-errOut:
- CFRelease(cmsEncoder);
- return ortn;
-}
-
-OSStatus CMSEncodeContent(
- CFTypeRef signers,
- CFTypeRef recipients,
- CFTypeRef eContentTypeOID,
- Boolean detachedContent,
- CMSSignedAttributes signedAttributes,
- const void *content,
- size_t contentLen,
- CFDataRef *encodedContentOut) /* RETURNED */
-{
- // convert eContentTypeOID to a CSSM_OID
- CSSM_OID contentType = { 0, NULL };
- if (eContentTypeOID && convertOid(eContentTypeOID, &contentType) != 0)
- return errSecParam;
- const CSSM_OID *contentTypePtr = (eContentTypeOID) ? &contentType : NULL;
- OSStatus result = CMSEncode(signers, recipients, contentTypePtr,
- detachedContent, signedAttributes,
- content, contentLen, encodedContentOut);
- if (contentType.Data)
- free(contentType.Data);
- return result;
-}
-
-#pragma mark --- SPI routines declared in CMSPrivate.h ---
-
-/*
- * Obtain the SecCmsMessageRef associated with a CMSEncoderRef.
- * If we don't have a SecCmsMessageRef yet, we create one now.
- * This is the only place where we go to state ES_Msg.
- */
-OSStatus CMSEncoderGetCmsMessage(
- CMSEncoderRef cmsEncoder,
- SecCmsMessageRef *cmsMessage) /* RETURNED */
-{
- if((cmsEncoder == NULL) || (cmsMessage == NULL)) {
- return errSecParam;
- }
- if(cmsEncoder->cmsMsg != NULL) {
- ASSERT(cmsEncoder->encState != ES_Init);
- *cmsMessage = cmsEncoder->cmsMsg;
- return errSecSuccess;
- }
-
- OSStatus ortn = cmsSetupCmsMsg(cmsEncoder);
- if(ortn) {
- return ortn;
- }
- *cmsMessage = cmsEncoder->cmsMsg;
-
- /* Don't set up encoder yet; caller might do that via CMSEncoderSetEncoder */
- cmsEncoder->encState = ES_Msg;
- return errSecSuccess;
-}
-
-/*
- * Optionally specify a SecCmsEncoderRef to use with a CMSEncoderRef.
- * If this is called, it must be called before the first call to
- * CMSEncoderUpdateContent(). The CMSEncoderRef takes ownership of the
- * incoming SecCmsEncoderRef.
- */
-OSStatus CMSEncoderSetEncoder(
- CMSEncoderRef cmsEncoder,
- SecCmsEncoderRef encoder)
-{
- if((cmsEncoder == NULL) || (encoder == NULL)) {
- return errSecParam;
- }
-
- OSStatus ortn;
-
- switch(cmsEncoder->encState) {
- case ES_Init:
- /* No message, no encoder */
- ASSERT(cmsEncoder->cmsMsg == NULL);
- ASSERT(cmsEncoder->encoder == NULL);
- ortn = cmsSetupCmsMsg(cmsEncoder);
- if(ortn) {
- return ortn;
- }
- /* drop thru to set encoder */
- case ES_Msg:
- /* cmsMsg but no encoder */
- ASSERT(cmsEncoder->cmsMsg != NULL);
- ASSERT(cmsEncoder->encoder == NULL);
- cmsEncoder->encoder = encoder;
- cmsEncoder->encState = ES_Updating;
- cmsEncoder->customCoder = true; /* we won't see data */
- return errSecSuccess;
- default:
- /* no can do, too late */
- return errSecParam;
- }
-}
-
-/*
- * Obtain the SecCmsEncoderRef associated with a CMSEncoderRef.
- * Returns a NULL SecCmsEncoderRef if neither CMSEncoderSetEncoder nor
- * CMSEncoderUpdateContent() has been called.
- * The CMSEncoderRef retains ownership of the SecCmsEncoderRef.
- */
-OSStatus CMSEncoderGetEncoder(
- CMSEncoderRef cmsEncoder,
- SecCmsEncoderRef *encoder) /* RETURNED */
-{
- if((cmsEncoder == NULL) || (encoder == NULL)) {
- return errSecParam;
- }
-
- /* any state, whether we have an encoder or not is OK */
- *encoder = cmsEncoder->encoder;
- return errSecSuccess;
-}
-
-#include <AssertMacros.h>
-
-/*
- * Obtain the timestamp of signer 'signerIndex' of a CMS message, if
- * present. This timestamp is an authenticated timestamp provided by
- * a timestamping authority.
- *
- * Returns errSecParam if the CMS message was not signed or if signerIndex
- * is greater than the number of signers of the message minus one.
- *
- * This cannot be called until after CMSEncoderCopyEncodedContent() is called.
- */
-OSStatus CMSEncoderCopySignerTimestamp(
- CMSEncoderRef cmsEncoder,
- size_t signerIndex, /* usually 0 */
- CFAbsoluteTime *timestamp) /* RETURNED */
-{
- return CMSEncoderCopySignerTimestampWithPolicy(
- cmsEncoder,
- NULL,
- signerIndex,
- timestamp);
-}
-
-OSStatus CMSEncoderCopySignerTimestampWithPolicy(
- CMSEncoderRef cmsEncoder,
- CFTypeRef timeStampPolicy,
- size_t signerIndex, /* usually 0 */
- CFAbsoluteTime *timestamp) /* RETURNED */
-{
- OSStatus status = errSecParam;
- SecCmsMessageRef cmsg;
- SecCmsSignedDataRef signedData = NULL;
- int numContentInfos = 0;
-
- require(cmsEncoder && timestamp, xit);
- require_noerr(CMSEncoderGetCmsMessage(cmsEncoder, &cmsg), xit);
- numContentInfos = SecCmsMessageContentLevelCount(cmsg);
- for (int dex = 0; !signedData && dex < numContentInfos; dex++)
- {
- SecCmsContentInfoRef ci = SecCmsMessageContentLevel(cmsg, dex);
- SECOidTag tag = SecCmsContentInfoGetContentTypeTag(ci);
- if (tag == SEC_OID_PKCS7_SIGNED_DATA)
- if ((signedData = SecCmsSignedDataRef(SecCmsContentInfoGetContent(ci))))
- if (SecCmsSignerInfoRef signerInfo = SecCmsSignedDataGetSignerInfo(signedData, (int)signerIndex))
- {
- status = SecCmsSignerInfoGetTimestampTimeWithPolicy(signerInfo, timeStampPolicy, timestamp);
- break;
- }
- }
-
-xit:
- return status;
-}
projects / apple / security.git / blobdiff