+++ /dev/null
-/*
- * The contents of this file are subject to the Mozilla Public
- * License Version 1.1 (the "License"); you may not use this file
- * except in compliance with the License. You may obtain a copy of
- * the License at http://www.mozilla.org/MPL/
- *
- * Software distributed under the License is distributed on an "AS
- * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
- * implied. See the License for the specific language governing
- * rights and limitations under the License.
- *
- * The Original Code is the Netscape security libraries.
- *
- * The Initial Developer of the Original Code is Netscape
- * Communications Corporation. Portions created by Netscape are
- * Copyright (C) 1994-2000 Netscape Communications Corporation. All
- * Rights Reserved.
- *
- * Contributor(s):
- *
- * Alternatively, the contents of this file may be used under the
- * terms of the GNU General Public License Version 2 or later (the
- * "GPL"), in which case the provisions of the GPL are applicable
- * instead of those above. If you wish to allow use of your
- * version of this file only under the terms of the GPL and not to
- * allow others to use your version of this file under the MPL,
- * indicate your decision by deleting the provisions above and
- * replace them with the notice and other provisions required by
- * the GPL. If you do not delete the provisions above, a recipient
- * may use your version of this file under either the MPL or the
- * GPL.
- */
-
-/*
- * CMS miscellaneous utility functions.
- */
-
-#include <Security/SecCmsEncoder.h> /* @@@ Remove this when we move the Encoder method. */
-#include <Security/SecCmsSignerInfo.h>
-#include "cmslocal.h"
-
-#include "secitem.h"
-#include "secoid.h"
-#include "cryptohi.h"
-
-#include <security_asn1/secasn1.h>
-#include <security_asn1/secerr.h>
-#include <Security/cssmapi.h>
-#include <Security/cssmapple.h>
-#include <CoreServices/../Frameworks/CarbonCore.framework/Headers/MacErrors.h>
-
-
-/*
- * SecCmsArraySortByDER - sort array of objects by objects' DER encoding
- *
- * make sure that the order of the objects guarantees valid DER (which must be
- * in lexigraphically ascending order for a SET OF); if reordering is necessary it
- * will be done in place (in objs).
- */
-OSStatus
-SecCmsArraySortByDER(void **objs, const SecAsn1Template *objtemplate, void **objs2)
-{
- PRArenaPool *poolp;
- int num_objs;
- CSSM_DATA_PTR *enc_objs;
- OSStatus rv = SECFailure;
- int i;
-
- if (objs == NULL) /* already sorted */
- return SECSuccess;
-
- num_objs = SecCmsArrayCount((void **)objs);
- if (num_objs == 0 || num_objs == 1) /* already sorted. */
- return SECSuccess;
-
- poolp = PORT_NewArena (1024); /* arena for temporaries */
- if (poolp == NULL)
- return SECFailure; /* no memory; nothing we can do... */
-
- /*
- * Allocate arrays to hold the individual encodings which we will use
- * for comparisons and the reordered attributes as they are sorted.
- */
- // Security check to prevent under-allocation
- if (num_objs<0 || num_objs>=(int)((INT_MAX/sizeof(CSSM_DATA_PTR))-1)) {
- goto loser;
- }
- enc_objs = (CSSM_DATA_PTR *)PORT_ArenaZAlloc(poolp, (num_objs + 1) * sizeof(CSSM_DATA_PTR));
- if (enc_objs == NULL)
- goto loser;
-
- /* DER encode each individual object. */
- for (i = 0; i < num_objs; i++) {
- enc_objs[i] = SEC_ASN1EncodeItem(poolp, NULL, objs[i], objtemplate);
- if (enc_objs[i] == NULL)
- goto loser;
- }
- enc_objs[num_objs] = NULL;
-
- /* now compare and sort objs by the order of enc_objs */
- SecCmsArraySort((void **)enc_objs, SecCmsUtilDERCompare, objs, objs2);
-
- rv = SECSuccess;
-
-loser:
- PORT_FreeArena (poolp, PR_FALSE);
- return rv;
-}
-
-/*
- * SecCmsUtilDERCompare - for use with SecCmsArraySort to
- * sort arrays of CSSM_DATAs containing DER
- */
-int
-SecCmsUtilDERCompare(void *a, void *b)
-{
- CSSM_DATA_PTR der1 = (CSSM_DATA_PTR)a;
- CSSM_DATA_PTR der2 = (CSSM_DATA_PTR)b;
- int j;
-
- /*
- * Find the lowest (lexigraphically) encoding. One that is
- * shorter than all the rest is known to be "less" because each
- * attribute is of the same type (a SEQUENCE) and so thus the
- * first octet of each is the same, and the second octet is
- * the length (or the length of the length with the high bit
- * set, followed by the length, which also works out to always
- * order the shorter first). Two (or more) that have the
- * same length need to be compared byte by byte until a mismatch
- * is found.
- */
- if (der1->Length != der2->Length)
- return (der1->Length < der2->Length) ? -1 : 1;
-
- for (j = 0; j < der1->Length; j++) {
- if (der1->Data[j] == der2->Data[j])
- continue;
- return (der1->Data[j] < der2->Data[j]) ? -1 : 1;
- }
- return 0;
-}
-
-/*
- * SecCmsAlgArrayGetIndexByAlgID - find a specific algorithm in an array of
- * algorithms.
- *
- * algorithmArray - array of algorithm IDs
- * algid - algorithmid of algorithm to pick
- *
- * Returns:
- * An integer containing the index of the algorithm in the array or -1 if
- * algorithm was not found.
- */
-int
-SecCmsAlgArrayGetIndexByAlgID(SECAlgorithmID **algorithmArray, SECAlgorithmID *algid)
-{
- int i;
-
- if (algorithmArray == NULL || algorithmArray[0] == NULL)
- return -1;
-
- for (i = 0; algorithmArray[i] != NULL; i++) {
- if (SECOID_CompareAlgorithmID(algorithmArray[i], algid) == SECEqual)
- break; /* bingo */
- }
-
- if (algorithmArray[i] == NULL)
- return -1; /* not found */
-
- return i;
-}
-
-/*
- * SecCmsAlgArrayGetIndexByAlgTag - find a specific algorithm in an array of
- * algorithms.
- *
- * algorithmArray - array of algorithm IDs
- * algtag - algorithm tag of algorithm to pick
- *
- * Returns:
- * An integer containing the index of the algorithm in the array or -1 if
- * algorithm was not found.
- */
-int
-SecCmsAlgArrayGetIndexByAlgTag(SECAlgorithmID **algorithmArray,
- SECOidTag algtag)
-{
- SECOidData *algid;
- int i = -1;
-
- if (algorithmArray == NULL || algorithmArray[0] == NULL)
- return i;
-
-#ifdef ORDER_N_SQUARED
- for (i = 0; algorithmArray[i] != NULL; i++) {
- algid = SECOID_FindOID(&(algorithmArray[i]->algorithm));
- if (algid->offset == algtag)
- break; /* bingo */
- }
-#else
- algid = SECOID_FindOIDByTag(algtag);
- if (!algid)
- return i;
- for (i = 0; algorithmArray[i] != NULL; i++) {
- if (SECITEM_ItemsAreEqual(&algorithmArray[i]->algorithm, &algid->oid))
- break; /* bingo */
- }
-#endif
-
- if (algorithmArray[i] == NULL)
- return -1; /* not found */
-
- return i;
-}
-
-CSSM_CC_HANDLE
-SecCmsUtilGetHashObjByAlgID(SECAlgorithmID *algid)
-{
- SECOidData *oidData = SECOID_FindOID(&(algid->algorithm));
- if (oidData)
- {
- CSSM_ALGORITHMS alg = oidData->cssmAlgorithm;
- if (alg)
- {
- CSSM_CC_HANDLE digobj;
- CSSM_CSP_HANDLE cspHandle = SecCspHandleForAlgorithm(alg);
-
- if (!CSSM_CSP_CreateDigestContext(cspHandle, alg, &digobj))
- return digobj;
- }
- }
-
- return 0;
-}
-
-/*
- * XXX I would *really* like to not have to do this, but the current
- * signing interface gives me little choice.
- */
-SECOidTag
-SecCmsUtilMakeSignatureAlgorithm(SECOidTag hashalg, SECOidTag encalg)
-{
- switch (encalg) {
- case SEC_OID_PKCS1_RSA_ENCRYPTION:
- switch (hashalg) {
- case SEC_OID_MD2:
- return SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION;
- case SEC_OID_MD5:
- return SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION;
- case SEC_OID_SHA1:
- return SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION;
- case SEC_OID_SHA256:
- return SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION;
- case SEC_OID_SHA384:
- return SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION;
- case SEC_OID_SHA512:
- return SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION;
- default:
- return SEC_OID_UNKNOWN;
- }
- case SEC_OID_ANSIX9_DSA_SIGNATURE:
- case SEC_OID_MISSI_KEA_DSS:
- case SEC_OID_MISSI_DSS:
- switch (hashalg) {
- case SEC_OID_SHA1:
- return SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST;
- default:
- return SEC_OID_UNKNOWN;
- }
- case SEC_OID_EC_PUBLIC_KEY:
- switch(hashalg) {
- /*
- * Note this is only used when signing and verifying signed attributes,
- * In which case we really do want the combined ECDSA_WithSHA1 alg...
- */
- case SEC_OID_SHA1:
- return SEC_OID_ECDSA_WithSHA1;
- default:
- return SEC_OID_UNKNOWN;
- }
- default:
- break;
- }
-
- return encalg; /* maybe it is already the right algid */
-}
-
-const SecAsn1Template *
-SecCmsUtilGetTemplateByTypeTag(SECOidTag type)
-{
- const SecAsn1Template *template;
- extern const SecAsn1Template SecCmsSignedDataTemplate[];
- extern const SecAsn1Template SecCmsEnvelopedDataTemplate[];
- extern const SecAsn1Template SecCmsEncryptedDataTemplate[];
- extern const SecAsn1Template SecCmsDigestedDataTemplate[];
-
- switch (type) {
- case SEC_OID_PKCS7_SIGNED_DATA:
- template = SecCmsSignedDataTemplate;
- break;
- case SEC_OID_PKCS7_ENVELOPED_DATA:
- template = SecCmsEnvelopedDataTemplate;
- break;
- case SEC_OID_PKCS7_ENCRYPTED_DATA:
- template = SecCmsEncryptedDataTemplate;
- break;
- case SEC_OID_PKCS7_DIGESTED_DATA:
- template = SecCmsDigestedDataTemplate;
- break;
- default:
- case SEC_OID_PKCS7_DATA:
- case SEC_OID_OTHER:
- template = NULL;
- break;
- }
- return template;
-}
-
-size_t
-SecCmsUtilGetSizeByTypeTag(SECOidTag type)
-{
- size_t size;
-
- switch (type) {
- case SEC_OID_PKCS7_SIGNED_DATA:
- size = sizeof(SecCmsSignedData);
- break;
- case SEC_OID_PKCS7_ENVELOPED_DATA:
- size = sizeof(SecCmsEnvelopedData);
- break;
- case SEC_OID_PKCS7_ENCRYPTED_DATA:
- size = sizeof(SecCmsEncryptedData);
- break;
- case SEC_OID_PKCS7_DIGESTED_DATA:
- size = sizeof(SecCmsDigestedData);
- break;
- default:
- case SEC_OID_PKCS7_DATA:
- size = 0;
- break;
- }
- return size;
-}
-
-SecCmsContentInfoRef
-SecCmsContentGetContentInfo(void *msg, SECOidTag type)
-{
- SecCmsContent c;
- SecCmsContentInfoRef cinfo;
-
- if (!msg)
- return NULL;
- c.pointer = msg;
- switch (type) {
- case SEC_OID_PKCS7_SIGNED_DATA:
- cinfo = &(c.signedData->contentInfo);
- break;
- case SEC_OID_PKCS7_ENVELOPED_DATA:
- cinfo = &(c.envelopedData->contentInfo);
- break;
- case SEC_OID_PKCS7_ENCRYPTED_DATA:
- cinfo = &(c.encryptedData->contentInfo);
- break;
- case SEC_OID_PKCS7_DIGESTED_DATA:
- cinfo = &(c.digestedData->contentInfo);
- break;
- default:
- cinfo = NULL;
- }
- return cinfo;
-}
-
-// @@@ Return CFStringRef and do localization.
-const char *
-SecCmsUtilVerificationStatusToString(SecCmsVerificationStatus vs)
-{
- switch (vs) {
- case SecCmsVSUnverified: return "Unverified";
- case SecCmsVSGoodSignature: return "GoodSignature";
- case SecCmsVSBadSignature: return "BadSignature";
- case SecCmsVSDigestMismatch: return "DigestMismatch";
- case SecCmsVSSigningCertNotFound: return "SigningCertNotFound";
- case SecCmsVSSigningCertNotTrusted: return "SigningCertNotTrusted";
- case SecCmsVSSignatureAlgorithmUnknown: return "SignatureAlgorithmUnknown";
- case SecCmsVSSignatureAlgorithmUnsupported: return "SignatureAlgorithmUnsupported";
- case SecCmsVSMalformedSignature: return "MalformedSignature";
- case SecCmsVSProcessingError: return "ProcessingError";
- default: return "Unknown";
- }
-}
-
-OSStatus
-SecArenaPoolCreate(size_t chunksize, SecArenaPoolRef *outArena)
-{
- OSStatus status;
-
- if (!outArena) {
- status = paramErr;
- goto loser;
- }
-
- *outArena = (SecArenaPoolRef)PORT_NewArena(chunksize);
- if (*outArena)
- status = 0;
- else
- status = PORT_GetError();
-
-loser:
- return status;
-}
-
-void
-SecArenaPoolFree(SecArenaPoolRef arena, Boolean zero)
-{
- PORT_FreeArena((PLArenaPool *)arena, zero);
-}
projects / apple / security.git / blobdiff