+++ /dev/null
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * CMS signedData methods.
- */
-
-#include <Security/SecCmsSignedData.h>
-
-#include <Security/SecCmsContentInfo.h>
-#include <Security/SecCmsDigestContext.h>
-#include <Security/SecCmsSignerInfo.h>
-
-#include "cmslocal.h"
-
-#include "cert.h"
-#include "secitem.h"
-#include "secoid.h"
-#include "tsaTemplates.h"
-
-#include <security_asn1/secasn1.h>
-#include <security_asn1/secerr.h>
-#include <Security/SecBase.h>
-#include <CommonCrypto/CommonRandomSPI.h>
-#include <Security/SecPolicyPriv.h>
-#include <utilities/SecCFWrappers.h>
-
-#ifndef NDEBUG
-#define SIGDATA_DEBUG 1
-#endif
-
-#if SIGDATA_DEBUG
-#define dprintf(args...) printf(args)
-#else
-#define dprintf(args...)
-#endif
-
-SecCmsSignedDataRef
-SecCmsSignedDataCreate(SecCmsMessageRef cmsg)
-{
- void *mark;
- SecCmsSignedDataRef sigd;
- PLArenaPool *poolp;
-
- poolp = cmsg->poolp;
-
- mark = PORT_ArenaMark(poolp);
-
- sigd = (SecCmsSignedDataRef)PORT_ArenaZAlloc (poolp, sizeof(SecCmsSignedData));
- if (sigd == NULL)
- goto loser;
-
- sigd->cmsg = cmsg;
-
- /* signerInfos, certs, certlists, crls are all empty */
- /* version is set in SecCmsSignedDataFinalize() */
-
- PORT_ArenaUnmark(poolp, mark);
- return sigd;
-
-loser:
- PORT_ArenaRelease(poolp, mark);
- return NULL;
-}
-
-void
-SecCmsSignedDataDestroy(SecCmsSignedDataRef sigd)
-{
- SecCmsSignerInfoRef *signerinfos, si;
-
- if (sigd == NULL)
- return;
-
- if (sigd->certs != NULL)
- CFRelease(sigd->certs);
-
- signerinfos = sigd->signerInfos;
- if (signerinfos != NULL) {
- while ((si = *signerinfos++) != NULL)
- SecCmsSignerInfoDestroy(si);
- }
-
- /* everything's in a pool, so don't worry about the storage */
- SecCmsContentInfoDestroy(&(sigd->contentInfo));
-}
-
-/*
- * SecCmsSignedDataEncodeBeforeStart - do all the necessary things to a SignedData
- * before start of encoding.
- *
- * In detail:
- * - find out about the right value to put into sigd->version
- * - come up with a list of digestAlgorithms (which should be the union of the algorithms
- * in the signerinfos).
- * If we happen to have a pre-set list of algorithms (and digest values!), we
- * check if we have all the signerinfos' algorithms. If not, this is an error.
- */
-OSStatus
-SecCmsSignedDataEncodeBeforeStart(SecCmsSignedDataRef sigd)
-{
- SecCmsSignerInfoRef signerinfo;
- SECOidTag digestalgtag;
- CSSM_DATA_PTR dummy;
- int version;
- OSStatus rv;
- Boolean haveDigests = PR_FALSE;
- int n, i;
- PLArenaPool *poolp;
-
- poolp = sigd->cmsg->poolp;
-
- /* we assume that we have precomputed digests if there is a list of algorithms, and */
- /* a chunk of data for each of those algorithms */
- if (sigd->digestAlgorithms != NULL && sigd->digests != NULL) {
- for (i=0; sigd->digestAlgorithms[i] != NULL; i++) {
- if (sigd->digests[i] == NULL)
- break;
- }
- if (sigd->digestAlgorithms[i] == NULL) /* reached the end of the array? */
- haveDigests = PR_TRUE; /* yes: we must have all the digests */
- }
-
- version = SEC_CMS_SIGNED_DATA_VERSION_BASIC;
-
- /* RFC2630 5.1 "version is the syntax version number..." */
- if (SecCmsContentInfoGetContentTypeTag(&(sigd->contentInfo)) != SEC_OID_PKCS7_DATA)
- version = SEC_CMS_SIGNED_DATA_VERSION_EXT;
-
- /* prepare all the SignerInfos (there may be none) */
- for (i=0; i < SecCmsSignedDataSignerInfoCount(sigd); i++) {
- signerinfo = SecCmsSignedDataGetSignerInfo(sigd, i);
-
- /* RFC2630 5.1 "version is the syntax version number..." */
- if (SecCmsSignerInfoGetVersion(signerinfo) != SEC_CMS_SIGNER_INFO_VERSION_ISSUERSN)
- version = SEC_CMS_SIGNED_DATA_VERSION_EXT;
-
- /* collect digestAlgorithms from SignerInfos */
- /* (we need to know which algorithms we have when the content comes in) */
- /* do not overwrite any existing digestAlgorithms (and digest) */
- digestalgtag = SecCmsSignerInfoGetDigestAlgTag(signerinfo);
-
- n = SecCmsAlgArrayGetIndexByAlgTag(sigd->digestAlgorithms, digestalgtag);
- if (n < 0 && haveDigests) {
- /* oops, there is a digestalg we do not have a digest for */
- /* but we were supposed to have all the digests already... */
- goto loser;
- } else if (n < 0) {
- /* add the digestAlgorithm & a NULL digest */
- rv = SecCmsSignedDataAddDigest((SecArenaPoolRef)poolp, sigd, digestalgtag, NULL);
- if (rv != SECSuccess)
- goto loser;
- } else {
- /* found it, nothing to do */
- }
- }
-
- dummy = SEC_ASN1EncodeInteger(poolp, &(sigd->version), (long)version);
- if (dummy == NULL)
- return SECFailure;
-
- /* this is a SET OF, so we need to sort them guys */
- rv = SecCmsArraySortByDER((void **)sigd->digestAlgorithms,
- SEC_ASN1_GET(SECOID_AlgorithmIDTemplate),
- (void **)sigd->digests);
- if (rv != SECSuccess)
- return SECFailure;
-
- return SECSuccess;
-
-loser:
- return SECFailure;
-}
-
-OSStatus
-SecCmsSignedDataEncodeBeforeData(SecCmsSignedDataRef sigd)
-{
- /* set up the digests */
- if (sigd->digestAlgorithms != NULL) {
- sigd->contentInfo.digcx = SecCmsDigestContextStartMultiple(sigd->digestAlgorithms);
- if (sigd->contentInfo.digcx == NULL)
- return SECFailure;
- }
- return SECSuccess;
-}
-
-#include <AssertMacros.h>
-#include "tsaSupport.h"
-#include "tsaSupportPriv.h"
-#include "tsaTemplates.h"
-#include <security_keychain/tsaDERUtilities.h>
-
-extern const SecAsn1Template kSecAsn1TSATSTInfoTemplate;
-
-OSStatus createTSAMessageImprint(SecCmsSignedDataRef signedData, CSSM_DATA_PTR encDigest,
- SecAsn1TSAMessageImprint *messageImprint)
-{
- // Calculate hash of encDigest and put in messageImprint.hashedMessage
- // We pass in encDigest, since in the verification case, it comes from a different signedData
-
- OSStatus status = SECFailure;
-
- require(signedData && messageImprint, xit);
-
- SECAlgorithmID **digestAlgorithms = SecCmsSignedDataGetDigestAlgs(signedData);
- require(digestAlgorithms, xit);
-
- SecCmsDigestContextRef digcx = SecCmsDigestContextStartMultiple(digestAlgorithms);
- require(digcx, xit);
- require(encDigest, xit);
-
- SecCmsSignerInfoRef signerinfo = SecCmsSignedDataGetSignerInfo(signedData, 0); // NB - assume 1 signer only!
- messageImprint->hashAlgorithm = signerinfo->digestAlg;
-
- SecCmsDigestContextUpdate(digcx, encDigest->Data, encDigest->Length);
-
- require_noerr(SecCmsDigestContextFinishSingle(digcx, (SecArenaPoolRef)signedData->cmsg->poolp,
- &messageImprint->hashedMessage), xit);
-
- status = SECSuccess;
-xit:
- return status;
-}
-
-#include <Security/SecAsn1Templates.h>
-
-#ifndef NDEBUG
-static OSStatus decodeDERUTF8String(const CSSM_DATA_PTR content, char *statusstr, size_t strsz)
-{
- // The statusString should use kSecAsn1SequenceOfUTF8StringTemplate, but doesn't
- OSStatus status = SECFailure;
- SecAsn1CoderRef coder = NULL;
- CSSM_DATA statusString;
- size_t len = 0;
-
- require(content && statusstr, xit);
-
- require_noerr(SecAsn1CoderCreate(&coder), xit);
- require_noerr(SecAsn1Decode(coder, content->Data, content->Length, kSecAsn1UTF8StringTemplate, &statusString), xit);
- status = 0;
- len = (statusString.Length < strsz)?(int)statusString.Length:strsz;
- if (statusstr && statusString.Data)
- strncpy(statusstr, (const char *)statusString.Data, len);
-
-xit:
- if (coder)
- SecAsn1CoderRelease(coder);
- return status;
-}
-#endif
-
-static OSStatus validateTSAResponseAndAddTimeStamp(SecCmsSignerInfoRef signerinfo, CSSM_DATA_PTR tsaResponse,
- uint64_t expectedNonce)
-{
- OSStatus status = SECFailure;
- SecAsn1CoderRef coder = NULL;
- SecAsn1TimeStampRespDER respDER = {{{0}},};
- SecAsn1TSAPKIStatusInfo *tsastatus = NULL;
- int respstatus = -1;
-#ifndef NDEBUG
- int failinfo = -1;
-#endif
-
- require_action(tsaResponse && tsaResponse->Data && tsaResponse->Length, xit, status = errSecTimestampMissing);
-
- require_noerr(SecAsn1CoderCreate(&coder), xit);
- require_noerr(SecTSAResponseCopyDEREncoding(coder, tsaResponse, &respDER), xit);
-
-#ifndef NDEBUG
- tsaWriteFileX("/tmp/tsa-timeStampToken.der", respDER.timeStampTokenDER.Data, respDER.timeStampTokenDER.Length);
-#endif
-
- tsastatus = (SecAsn1TSAPKIStatusInfo *)&respDER.status;
- require_action(tsastatus->status.Data, xit, status = errSecTimestampBadDataFormat);
- respstatus = (int)tsaDER_ToInt(&tsastatus->status);
-
-#ifndef NDEBUG
- char buf[80]={0,};
- if (tsastatus->failInfo.Data) // e.g. FI_BadRequest
- failinfo = (int)tsaDER_ToInt(&tsastatus->failInfo);
-
- if (tsastatus->statusString.Data && tsastatus->statusString.Length)
- {
- OSStatus strrx = decodeDERUTF8String(&tsastatus->statusString, buf, sizeof(buf));
- dprintf("decodeDERUTF8String status: %d\n", (int)strrx);
- }
-
- dprintf("validateTSAResponse: status: %d, failinfo: %d, %s\n", respstatus, failinfo, buf);
-#endif
-
- switch (respstatus)
- {
- case PKIS_Granted:
- case PKIS_GrantedWithMods: // Success
- status = noErr;
- break;
- case PKIS_Rejection:
- status = errSecTimestampRejection;
- break;
- case PKIS_Waiting:
- status = errSecTimestampWaiting;
- break;
- case PKIS_RevocationWarning:
- status = errSecTimestampRevocationWarning;
- break;
- case PKIS_RevocationNotification:
- status = errSecTimestampRevocationNotification;
- break;
- default:
- status = errSecTimestampSystemFailure;
- break;
- }
- require_noerr(status, xit);
-
- // If we succeeded, then we must have a TimeStampToken
-
- require_action(respDER.timeStampTokenDER.Data && respDER.timeStampTokenDER.Length, xit, status = errSecTimestampBadDataFormat);
-
- dprintf("timestamp full expected nonce: %lld\n", expectedNonce);
-
- /*
- The bytes in respDER are a full CMS message, which we need to check now for validity.
- The code for this is essentially the same code taht is done during a timestamp
- verify, except that we also need to check the nonce.
- */
- require_noerr(status = decodeTimeStampToken(signerinfo, &respDER.timeStampTokenDER, NULL, expectedNonce), xit);
-
- status = SecCmsSignerInfoAddTimeStamp(signerinfo, &respDER.timeStampTokenDER);
-
-xit:
- if (coder)
- SecAsn1CoderRelease(coder);
- return status;
-}
-
-static OSStatus getRandomNonce(uint64_t *nonce)
-{
- return nonce ? CCRandomCopyBytes(kCCRandomDevRandom, (void *)nonce, sizeof(*nonce)) : SECFailure;
-}
-
-static OSStatus remapTimestampError(OSStatus inStatus)
-{
- /*
- Since communicating with the timestamp server is perhaps an unexpected
- dependency on the network, map unknown errors into something to indicate
- that signing without a timestamp may be a workaround. In particular, the
- private CFURL errors (see CFNetworkErrorsPriv.i)
-
- kCFURLErrorTimedOut = -1001,
- kCFURLErrorNotConnectedToInternet = -1009,
-
- are remapped to errSecTimestampServiceNotAvailable.
- */
-
- switch (inStatus)
- {
- case errSecTimestampMissing:
- case errSecTimestampInvalid:
- case errSecTimestampNotTrusted:
- case errSecTimestampServiceNotAvailable:
- case errSecTimestampBadAlg:
- case errSecTimestampBadRequest:
- case errSecTimestampBadDataFormat:
- case errSecTimestampTimeNotAvailable:
- case errSecTimestampUnacceptedPolicy:
- case errSecTimestampUnacceptedExtension:
- case errSecTimestampAddInfoNotAvailable:
- case errSecTimestampSystemFailure:
- case errSecSigningTimeMissing:
- case errSecTimestampRejection:
- case errSecTimestampWaiting:
- case errSecTimestampRevocationWarning:
- case errSecTimestampRevocationNotification:
- return inStatus;
- default:
- return errSecTimestampServiceNotAvailable;
- }
- return errSecTimestampServiceNotAvailable;
-}
-
-/*
- * SecCmsSignedDataEncodeAfterData - do all the necessary things to a SignedData
- * after all the encapsulated data was passed through the encoder.
- *
- * In detail:
- * - create the signatures in all the SignerInfos
- *
- * Please note that nothing is done to the Certificates and CRLs in the message - this
- * is entirely the responsibility of our callers.
- */
-OSStatus
-SecCmsSignedDataEncodeAfterData(SecCmsSignedDataRef sigd)
-{
- SecCmsSignerInfoRef *signerinfos, signerinfo;
- SecCmsContentInfoRef cinfo;
- SECOidTag digestalgtag;
- OSStatus ret = SECFailure;
- OSStatus rv;
- CSSM_DATA_PTR contentType;
- int certcount;
- int i, ci, n, rci, si;
- PLArenaPool *poolp;
- CFArrayRef certlist;
- extern const SecAsn1Template SecCmsSignerInfoTemplate[];
-
- poolp = sigd->cmsg->poolp;
- cinfo = &(sigd->contentInfo);
-
- /* did we have digest calculation going on? */
- if (cinfo->digcx) {
- rv = SecCmsDigestContextFinishMultiple(cinfo->digcx, (SecArenaPoolRef)poolp, &(sigd->digests));
- if (rv != SECSuccess)
- goto loser; /* error has been set by SecCmsDigestContextFinishMultiple */
- cinfo->digcx = NULL;
- }
-
- signerinfos = sigd->signerInfos;
- certcount = 0;
-
- /* prepare all the SignerInfos (there may be none) */
- for (i=0; i < SecCmsSignedDataSignerInfoCount(sigd); i++) {
- signerinfo = SecCmsSignedDataGetSignerInfo(sigd, i);
-
- /* find correct digest for this signerinfo */
- digestalgtag = SecCmsSignerInfoGetDigestAlgTag(signerinfo);
- n = SecCmsAlgArrayGetIndexByAlgTag(sigd->digestAlgorithms, digestalgtag);
- if (n < 0 || sigd->digests == NULL || sigd->digests[n] == NULL) {
- /* oops - digest not found */
- PORT_SetError(SEC_ERROR_DIGEST_NOT_FOUND);
- goto loser;
- }
-
- /* XXX if our content is anything else but data, we need to force the
- * presence of signed attributes (RFC2630 5.3 "signedAttributes is a
- * collection...") */
-
- /* pass contentType here as we want a contentType attribute */
- if ((contentType = SecCmsContentInfoGetContentTypeOID(cinfo)) == NULL)
- goto loser;
-
- /* sign the thing */
- rv = SecCmsSignerInfoSign(signerinfo, sigd->digests[n], contentType);
- if (rv != SECSuccess)
- goto loser;
-
- /* while we're at it, count number of certs in certLists */
- certlist = SecCmsSignerInfoGetCertList(signerinfo);
- if (certlist)
- certcount += CFArrayGetCount(certlist);
- }
-
- /* Now we can get a timestamp, since we have all the digests */
-
- // We force the setting of a callback, since this is the most usual case
- if (!sigd->cmsg->tsaCallback)
- SecCmsMessageSetTSACallback(sigd->cmsg, (SecCmsTSACallback)SecCmsTSADefaultCallback);
-
- if (sigd->cmsg->tsaCallback && sigd->cmsg->tsaContext)
- {
- CSSM_DATA tsaResponse = {0,};
- SecAsn1TSAMessageImprint messageImprint = {{{0},},{0,}};
- // <rdar://problem/11073466> Add nonce support for timestamping client
-
- uint64_t nonce = 0;
-
- require_noerr(getRandomNonce(&nonce), tsxit);
- dprintf("SecCmsSignedDataSignerInfoCount: %d\n", SecCmsSignedDataSignerInfoCount(sigd));
-
- // Calculate hash of encDigest and put in messageImprint.hashedMessage
- SecCmsSignerInfoRef signerinfo = SecCmsSignedDataGetSignerInfo(sigd, 0); // NB - assume 1 signer only!
- CSSM_DATA *encDigest = SecCmsSignerInfoGetEncDigest(signerinfo);
- require_noerr(createTSAMessageImprint(sigd, encDigest, &messageImprint), tsxit);
-
- // Callback to fire up XPC service to talk to TimeStamping server, etc.
- require_noerr(rv =(*sigd->cmsg->tsaCallback)(sigd->cmsg->tsaContext, &messageImprint,
- nonce, &tsaResponse), tsxit);
-
- require_noerr(rv = validateTSAResponseAndAddTimeStamp(signerinfo, &tsaResponse, nonce), tsxit);
-
- /*
- It is likely that every occurrence of "goto loser" in this file should
- also do a PORT_SetError. Since it is not clear what might depend on this
- behavior, we just do this in the timestamping case.
- */
-tsxit:
- if (rv)
- {
- dprintf("Original timestamp error: %d\n", (int)rv);
- rv = remapTimestampError(rv);
- PORT_SetError(rv);
- goto loser;
- }
- }
-
- /* this is a SET OF, so we need to sort them guys */
- rv = SecCmsArraySortByDER((void **)signerinfos, SecCmsSignerInfoTemplate, NULL);
- if (rv != SECSuccess)
- goto loser;
-
- /*
- * now prepare certs & crls
- */
-
- /* count the rest of the certs */
- if (sigd->certs != NULL)
- certcount += CFArrayGetCount(sigd->certs);
-
- if (certcount == 0) {
- sigd->rawCerts = NULL;
- } else {
- /*
- * Combine all of the certs and cert chains into rawcerts.
- * Note: certcount is an upper bound; we may not need that many slots
- * but we will allocate anyway to avoid having to do another pass.
- * (The temporary space saving is not worth it.)
- *
- * XXX ARGH - this NEEDS to be fixed. need to come up with a decent
- * SetOfDERcertficates implementation
- */
- sigd->rawCerts = (CSSM_DATA_PTR *)PORT_ArenaAlloc(poolp, (certcount + 1) * sizeof(CSSM_DATA_PTR));
- if (sigd->rawCerts == NULL)
- return SECFailure;
-
- /*
- * XXX Want to check for duplicates and not add *any* cert that is
- * already in the set. This will be more important when we start
- * dealing with larger sets of certs, dual-key certs (signing and
- * encryption), etc. For the time being we can slide by...
- *
- * XXX ARGH - this NEEDS to be fixed. need to come up with a decent
- * SetOfDERcertficates implementation
- */
- rci = 0;
- if (signerinfos != NULL) {
- for (si = 0; signerinfos[si] != NULL; si++) {
- signerinfo = signerinfos[si];
- for (ci = 0; ci < CFArrayGetCount(signerinfo->certList); ci++) {
- sigd->rawCerts[rci] = PORT_ArenaZAlloc(poolp, sizeof(CSSM_DATA));
- SecCertificateRef cert = (SecCertificateRef)CFArrayGetValueAtIndex(signerinfo->certList, ci);
- SecCertificateGetData(cert, sigd->rawCerts[rci++]);
- }
- }
- }
-
- if (sigd->certs != NULL) {
- for (ci = 0; ci < CFArrayGetCount(sigd->certs); ci++) {
- sigd->rawCerts[rci] = PORT_ArenaZAlloc(poolp, sizeof(CSSM_DATA));
- SecCertificateRef cert = (SecCertificateRef)CFArrayGetValueAtIndex(sigd->certs, ci);
- SecCertificateGetData(cert, sigd->rawCerts[rci++]);
- }
- }
-
- sigd->rawCerts[rci] = NULL;
-
- /* this is a SET OF, so we need to sort them guys - we have the DER already, though */
- SecCmsArraySort((void **)sigd->rawCerts, SecCmsUtilDERCompare, NULL, NULL);
- }
-
- ret = SECSuccess;
-
-loser:
-
- dprintf("SecCmsSignedDataEncodeAfterData: ret: %ld, rv: %ld\n", (long)ret, (long)rv);
- return ret;
-}
-
-OSStatus
-SecCmsSignedDataDecodeBeforeData(SecCmsSignedDataRef sigd)
-{
- /* set up the digests */
- if (sigd->digestAlgorithms != NULL && sigd->digests == NULL) {
- /* if digests are already there, do nothing */
- sigd->contentInfo.digcx = SecCmsDigestContextStartMultiple(sigd->digestAlgorithms);
- if (sigd->contentInfo.digcx == NULL)
- return SECFailure;
- }
- return SECSuccess;
-}
-
-/*
- * SecCmsSignedDataDecodeAfterData - do all the necessary things to a SignedData
- * after all the encapsulated data was passed through the decoder.
- */
-OSStatus
-SecCmsSignedDataDecodeAfterData(SecCmsSignedDataRef sigd)
-{
- /* did we have digest calculation going on? */
- if (sigd->contentInfo.digcx) {
- if (SecCmsDigestContextFinishMultiple(sigd->contentInfo.digcx, (SecArenaPoolRef)sigd->cmsg->poolp, &(sigd->digests)) != SECSuccess)
- return SECFailure; /* error has been set by SecCmsDigestContextFinishMultiple */
- sigd->contentInfo.digcx = NULL;
- }
- return SECSuccess;
-}
-
-/*
- * SecCmsSignedDataDecodeAfterEnd - do all the necessary things to a SignedData
- * after all decoding is finished.
- */
-OSStatus
-SecCmsSignedDataDecodeAfterEnd(SecCmsSignedDataRef sigd)
-{
- SecCmsSignerInfoRef *signerinfos;
- int i;
-
- signerinfos = sigd->signerInfos;
-
- /* set cmsg and sigd backpointers for all the signerinfos */
- if (signerinfos) {
- for (i = 0; signerinfos[i] != NULL; i++) {
- signerinfos[i]->cmsg = sigd->cmsg;
- signerinfos[i]->sigd = sigd;
- }
- }
-
- return SECSuccess;
-}
-
-/*
- * SecCmsSignedDataGetSignerInfos - retrieve the SignedData's signer list
- */
-SecCmsSignerInfoRef *
-SecCmsSignedDataGetSignerInfos(SecCmsSignedDataRef sigd)
-{
- return sigd->signerInfos;
-}
-
-int
-SecCmsSignedDataSignerInfoCount(SecCmsSignedDataRef sigd)
-{
- return SecCmsArrayCount((void **)sigd->signerInfos);
-}
-
-SecCmsSignerInfoRef
-SecCmsSignedDataGetSignerInfo(SecCmsSignedDataRef sigd, int i)
-{
- return sigd->signerInfos[i];
-}
-
-/*
- * SecCmsSignedDataGetDigestAlgs - retrieve the SignedData's digest algorithm list
- */
-SECAlgorithmID **
-SecCmsSignedDataGetDigestAlgs(SecCmsSignedDataRef sigd)
-{
- return sigd->digestAlgorithms;
-}
-
-/*
- * SecCmsSignedDataGetContentInfo - return pointer to this signedData's contentinfo
- */
-SecCmsContentInfoRef
-SecCmsSignedDataGetContentInfo(SecCmsSignedDataRef sigd)
-{
- return &(sigd->contentInfo);
-}
-
-/*
- * SecCmsSignedDataGetCertificateList - retrieve the SignedData's certificate list
- */
-CSSM_DATA_PTR *
-SecCmsSignedDataGetCertificateList(SecCmsSignedDataRef sigd)
-{
- return sigd->rawCerts;
-}
-
-OSStatus
-SecCmsSignedDataImportCerts(SecCmsSignedDataRef sigd, SecKeychainRef keychain,
- SECCertUsage certusage, Boolean keepcerts)
-{
- int certcount;
- OSStatus rv;
- int i;
-
- certcount = SecCmsArrayCount((void **)sigd->rawCerts);
-
- rv = CERT_ImportCerts(keychain, certusage, certcount, sigd->rawCerts, NULL,
- keepcerts, PR_FALSE, NULL);
-
- /* XXX CRL handling */
-
- if (sigd->signerInfos != NULL) {
- /* fill in all signerinfo's certs */
- for (i = 0; sigd->signerInfos[i] != NULL; i++)
- (void)SecCmsSignerInfoGetSigningCertificate(sigd->signerInfos[i], keychain);
- }
-
- return rv;
-}
-
-/*
- * XXX the digests need to be passed in BETWEEN the decoding and the verification in case
- * of external signatures!
- */
-
-/*
- * SecCmsSignedDataVerifySignerInfo - check the signatures.
- *
- * The digests were either calculated during decoding (and are stored in the
- * signedData itself) or set after decoding using SecCmsSignedDataSetDigests.
- *
- * The verification checks if the signing cert is valid and has a trusted chain
- * for the purpose specified by "policies".
- *
- * If trustRef is NULL the cert chain is verified and the VerificationStatus is set accordingly.
- * Otherwise a SecTrust object is returned for the caller to evaluate using SecTrustEvaluate().
- */
-OSStatus
-SecCmsSignedDataVerifySignerInfo(SecCmsSignedDataRef sigd, int i,
- SecKeychainRef keychainOrArray, CFTypeRef policies, SecTrustRef *trustRef)
-{
- SecCmsSignerInfoRef signerinfo;
- SecCmsContentInfoRef cinfo;
- SECOidData *algiddata;
- CSSM_DATA_PTR contentType, digest;
- OSStatus status, status2;
-
- cinfo = &(sigd->contentInfo);
-
- signerinfo = sigd->signerInfos[i];
-
- /* Signature or digest level verificationStatus errors should supercede
- certificate level errors, so check the digest and signature first. */
-
- /* Find digest and contentType for signerinfo */
- algiddata = SecCmsSignerInfoGetDigestAlg(signerinfo);
- if (algiddata == NULL) {
- return errSecInternalError; // shouldn't have happened, this is likely due to corrupted data
- }
-
- digest = SecCmsSignedDataGetDigestByAlgTag(sigd, algiddata->offset);
- if(digest == NULL) {
- /*
- * No digests; this probably had detached content the caller has to
- * deal with.
- * FIXME: need some error return for this (as well as many
- * other places in this library).
- */
- return errSecDataNotAvailable;
- }
- contentType = SecCmsContentInfoGetContentTypeOID(cinfo);
-
- /* verify signature */
- CFTypeRef timeStampPolicies=SecPolicyCreateAppleTimeStampingAndRevocationPolicies(policies);
- status = SecCmsSignerInfoVerifyWithPolicy(signerinfo, timeStampPolicies, digest, contentType);
- CFReleaseSafe(timeStampPolicies);
-
- /* Now verify the certificate. We do this even if the signature failed to verify so we can
- return a trustRef to the caller for display purposes. */
- status2 = SecCmsSignerInfoVerifyCertificate(signerinfo, keychainOrArray,
- policies, trustRef);
- dprintf("SecCmsSignedDataVerifySignerInfo: status %d status2 %d\n", (int) status, (int)status2);
- /* The error from SecCmsSignerInfoVerify() supercedes error from SecCmsSignerInfoVerifyCertificate(). */
- if (status)
- return status;
-
- return status2;
-}
-
-/*
- * SecCmsSignedDataVerifyCertsOnly - verify the certs in a certs-only message
- */
-OSStatus
-SecCmsSignedDataVerifyCertsOnly(SecCmsSignedDataRef sigd,
- SecKeychainRef keychainOrArray,
- CFTypeRef policies)
-{
- SecCertificateRef cert;
- OSStatus rv = SECSuccess;
- int i;
- int count;
-
- if (!sigd || !keychainOrArray || !sigd->rawCerts) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
-
- count = SecCmsArrayCount((void**)sigd->rawCerts);
- for (i=0; i < count; i++) {
- if (sigd->certs && CFArrayGetCount(sigd->certs) > i) {
- cert = (SecCertificateRef)CFArrayGetValueAtIndex(sigd->certs, i);
- CFRetain(cert);
- } else {
- cert = CERT_FindCertByDERCert(keychainOrArray, sigd->rawCerts[i]);
- if (!cert) {
- rv = SECFailure;
- break;
- }
- }
- rv |= CERT_VerifyCert(keychainOrArray, cert, sigd->rawCerts,
- policies, CFAbsoluteTimeGetCurrent(), NULL);
- CFRelease(cert);
- }
-
- return rv;
-}
-
-/*
- * SecCmsSignedDataHasDigests - see if we have digests in place
- */
-Boolean
-SecCmsSignedDataHasDigests(SecCmsSignedDataRef sigd)
-{
- return (sigd->digests != NULL);
-}
-
-OSStatus
-SecCmsSignedDataAddCertList(SecCmsSignedDataRef sigd, CFArrayRef certlist)
-{
- PORT_Assert(certlist != NULL);
-
- if (certlist == NULL)
- return SECFailure;
-
- if (!sigd->certs)
- sigd->certs = CFArrayCreateMutableCopy(NULL, 0, certlist);
- else
- {
- CFRange certlistRange = { 0, CFArrayGetCount(certlist) };
- CFArrayAppendArray(sigd->certs, certlist, certlistRange);
- }
-
- return SECSuccess;
-}
-
-/*
- * SecCmsSignedDataAddCertChain - add cert and its entire chain to the set of certs
- */
-OSStatus
-SecCmsSignedDataAddCertChain(SecCmsSignedDataRef sigd, SecCertificateRef cert)
-{
- CFArrayRef certlist;
- SECCertUsage usage;
- OSStatus rv;
-
- usage = certUsageEmailSigner;
-
- /* do not include root */
- certlist = CERT_CertChainFromCert(cert, usage, PR_FALSE);
- if (certlist == NULL)
- return SECFailure;
-
- rv = SecCmsSignedDataAddCertList(sigd, certlist);
- CFRelease(certlist);
-
- return rv;
-}
-
-OSStatus
-SecCmsSignedDataAddCertificate(SecCmsSignedDataRef sigd, SecCertificateRef cert)
-{
- PORT_Assert(cert != NULL);
-
- if (cert == NULL)
- return SECFailure;
-
- if (!sigd->certs)
- sigd->certs = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
-
- CFArrayAppendValue(sigd->certs, cert);
-
- return SECSuccess;
-}
-
-Boolean
-SecCmsSignedDataContainsCertsOrCrls(SecCmsSignedDataRef sigd)
-{
- if (sigd->rawCerts != NULL && sigd->rawCerts[0] != NULL)
- return PR_TRUE;
- else if (sigd->rawCrls != NULL && sigd->rawCrls[0] != NULL)
- return PR_TRUE;
- else
- return PR_FALSE;
-}
-
-OSStatus
-SecCmsSignedDataAddSignerInfo(SecCmsSignedDataRef sigd,
- SecCmsSignerInfoRef signerinfo)
-{
- void *mark;
- OSStatus rv;
- SECOidTag digestalgtag;
- PLArenaPool *poolp;
-
- poolp = sigd->cmsg->poolp;
-
- mark = PORT_ArenaMark(poolp);
-
- /* add signerinfo */
- rv = SecCmsArrayAdd(poolp, (void ***)&(sigd->signerInfos), (void *)signerinfo);
- if (rv != SECSuccess)
- goto loser;
-
- signerinfo->sigd = sigd;
-
- /*
- * add empty digest
- * Empty because we don't have it yet. Either it gets created during encoding
- * (if the data is present) or has to be set externally.
- * XXX maybe pass it in optionally?
- */
- digestalgtag = SecCmsSignerInfoGetDigestAlgTag(signerinfo);
- rv = SecCmsSignedDataSetDigestValue(sigd, digestalgtag, NULL);
- if (rv != SECSuccess)
- goto loser;
-
- /*
- * The last thing to get consistency would be adding the digest.
- */
-
- PORT_ArenaUnmark(poolp, mark);
- return SECSuccess;
-
-loser:
- PORT_ArenaRelease (poolp, mark);
- return SECFailure;
-}
-
-CSSM_DATA_PTR
-SecCmsSignedDataGetDigestByAlgTag(SecCmsSignedDataRef sigd, SECOidTag algtag)
-{
- int idx;
-
- if(sigd->digests == NULL) {
- return NULL;
- }
- idx = SecCmsAlgArrayGetIndexByAlgTag(sigd->digestAlgorithms, algtag);
- return sigd->digests[idx];
-}
-
-/*
- * SecCmsSignedDataSetDigests - set a signedData's digests member
- *
- * "digestalgs" - array of digest algorithm IDs
- * "digests" - array of digests corresponding to the digest algorithms
- */
-OSStatus
-SecCmsSignedDataSetDigests(SecCmsSignedDataRef sigd,
- SECAlgorithmID **digestalgs,
- CSSM_DATA_PTR *digests)
-{
- int cnt, i, idx;
-
- if (sigd->digestAlgorithms == NULL) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
-
- /* we assume that the digests array is just not there yet */
- PORT_Assert(sigd->digests == NULL);
- if (sigd->digests != NULL) {
- PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
- return SECFailure;
- }
-
- /* now allocate one (same size as digestAlgorithms) */
- cnt = SecCmsArrayCount((void **)sigd->digestAlgorithms);
- sigd->digests = PORT_ArenaZAlloc(sigd->cmsg->poolp, (cnt + 1) * sizeof(CSSM_DATA_PTR));
- if (sigd->digests == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return SECFailure;
- }
-
- for (i = 0; sigd->digestAlgorithms[i] != NULL; i++) {
- /* try to find the sigd's i'th digest algorithm in the array we passed in */
- idx = SecCmsAlgArrayGetIndexByAlgID(digestalgs, sigd->digestAlgorithms[i]);
- if (idx < 0) {
- PORT_SetError(SEC_ERROR_DIGEST_NOT_FOUND);
- return SECFailure;
- }
-
- /* found it - now set it */
- if ((sigd->digests[i] = SECITEM_AllocItem(sigd->cmsg->poolp, NULL, 0)) == NULL ||
- SECITEM_CopyItem(sigd->cmsg->poolp, sigd->digests[i], digests[idx]) != SECSuccess)
- {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return SECFailure;
- }
- }
- return SECSuccess;
-}
-
-OSStatus
-SecCmsSignedDataSetDigestValue(SecCmsSignedDataRef sigd,
- SECOidTag digestalgtag,
- CSSM_DATA_PTR digestdata)
-{
- CSSM_DATA_PTR digest = NULL;
- PLArenaPool *poolp;
- void *mark;
- int n, cnt;
-
- poolp = sigd->cmsg->poolp;
-
- mark = PORT_ArenaMark(poolp);
-
-
- if (digestdata) {
- digest = (CSSM_DATA_PTR) PORT_ArenaZAlloc(poolp,sizeof(CSSM_DATA));
-
- /* copy digestdata item to arena (in case we have it and are not only making room) */
- if (SECITEM_CopyItem(poolp, digest, digestdata) != SECSuccess)
- goto loser;
- }
-
- /* now allocate one (same size as digestAlgorithms) */
- if (sigd->digests == NULL) {
- cnt = SecCmsArrayCount((void **)sigd->digestAlgorithms);
- sigd->digests = PORT_ArenaZAlloc(sigd->cmsg->poolp, (cnt + 1) * sizeof(CSSM_DATA_PTR));
- if (sigd->digests == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- return SECFailure;
- }
- }
-
- n = -1;
- if (sigd->digestAlgorithms != NULL)
- n = SecCmsAlgArrayGetIndexByAlgTag(sigd->digestAlgorithms, digestalgtag);
-
- /* if not found, add a digest */
- if (n < 0) {
- if (SecCmsSignedDataAddDigest((SecArenaPoolRef)poolp, sigd, digestalgtag, digest) != SECSuccess)
- goto loser;
- } else {
- /* replace NULL pointer with digest item (and leak previous value) */
- sigd->digests[n] = digest;
- }
-
- PORT_ArenaUnmark(poolp, mark);
- return SECSuccess;
-
-loser:
- PORT_ArenaRelease(poolp, mark);
- return SECFailure;
-}
-
-OSStatus
-SecCmsSignedDataAddDigest(SecArenaPoolRef pool,
- SecCmsSignedDataRef sigd,
- SECOidTag digestalgtag,
- CSSM_DATA_PTR digest)
-{
- PRArenaPool *poolp = (PRArenaPool *)pool;
- SECAlgorithmID *digestalg;
- void *mark;
-
- mark = PORT_ArenaMark(poolp);
-
- digestalg = PORT_ArenaZAlloc(poolp, sizeof(SECAlgorithmID));
- if (digestalg == NULL)
- goto loser;
-
- if (SECOID_SetAlgorithmID (poolp, digestalg, digestalgtag, NULL) != SECSuccess) /* no params */
- goto loser;
-
- if (SecCmsArrayAdd(poolp, (void ***)&(sigd->digestAlgorithms), (void *)digestalg) != SECSuccess ||
- /* even if digest is NULL, add dummy to have same-size array */
- SecCmsArrayAdd(poolp, (void ***)&(sigd->digests), (void *)digest) != SECSuccess)
- {
- goto loser;
- }
-
- PORT_ArenaUnmark(poolp, mark);
- return SECSuccess;
-
-loser:
- PORT_ArenaRelease(poolp, mark);
- return SECFailure;
-}
-
-CSSM_DATA_PTR
-SecCmsSignedDataGetDigestValue(SecCmsSignedDataRef sigd, SECOidTag digestalgtag)
-{
- int n;
-
- if (sigd->digestAlgorithms == NULL)
- return NULL;
-
- n = SecCmsAlgArrayGetIndexByAlgTag(sigd->digestAlgorithms, digestalgtag);
-
- return (n < 0) ? NULL : sigd->digests[n];
-}
-
-/* =============================================================================
- * Misc. utility functions
- */
-
-/*
- * SecCmsSignedDataCreateCertsOnly - create a certs-only SignedData.
- *
- * cert - base certificates that will be included
- * include_chain - if true, include the complete cert chain for cert
- *
- * More certs and chains can be added via AddCertificate and AddCertChain.
- *
- * An error results in a return value of NULL and an error set.
- *
- * XXXX CRLs
- */
-SecCmsSignedDataRef
-SecCmsSignedDataCreateCertsOnly(SecCmsMessageRef cmsg, SecCertificateRef cert, Boolean include_chain)
-{
- SecCmsSignedDataRef sigd;
- void *mark;
- PLArenaPool *poolp;
- OSStatus rv;
-
- poolp = cmsg->poolp;
- mark = PORT_ArenaMark(poolp);
-
- sigd = SecCmsSignedDataCreate(cmsg);
- if (sigd == NULL)
- goto loser;
-
- /* no signerinfos, thus no digestAlgorithms */
-
- /* but certs */
- if (include_chain) {
- rv = SecCmsSignedDataAddCertChain(sigd, cert);
- } else {
- rv = SecCmsSignedDataAddCertificate(sigd, cert);
- }
- if (rv != SECSuccess)
- goto loser;
-
- /* RFC2630 5.2 sez:
- * In the degenerate case where there are no signers, the
- * EncapsulatedContentInfo value being "signed" is irrelevant. In this
- * case, the content type within the EncapsulatedContentInfo value being
- * "signed" should be id-data (as defined in section 4), and the content
- * field of the EncapsulatedContentInfo value should be omitted.
- */
- rv = SecCmsContentInfoSetContentData(cmsg, &(sigd->contentInfo), NULL, PR_TRUE);
- if (rv != SECSuccess)
- goto loser;
-
- PORT_ArenaUnmark(poolp, mark);
- return sigd;
-
-loser:
- if (sigd)
- SecCmsSignedDataDestroy(sigd);
- PORT_ArenaRelease(poolp, mark);
- return NULL;
-}
-
-/*
- * Get SecCmsSignedDataRawCerts - obtain raw certs as a NULL_terminated array
- * of pointers.
- */
-extern OSStatus SecCmsSignedDataRawCerts(SecCmsSignedDataRef sigd,
- CSSM_DATA_PTR **rawCerts)
-{
- *rawCerts = sigd->rawCerts;
- return noErr;
-}
-
-/* TODO:
- * SecCmsSignerInfoGetReceiptRequest()
- * SecCmsSignedDataHasReceiptRequest()
- * easy way to iterate over signers
- */
-
projects / apple / security.git / blobdiff