--- /dev/null
+/*
+ * Copyright (c) 2003 Apple Computer, Inc. All Rights Reserved.
+ *
+ * The contents of this file constitute Original Code as defined in and are
+ * subject to the Apple Public Source License Version 1.2 (the 'License').
+ * You may not use this file except in compliance with the License. Please obtain
+ * a copy of the License at http://www.apple.com/publicsource and read it before
+ * using this file.
+ *
+ * This Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
+ * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
+ * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
+ * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
+ * specific language governing rights and limitations under the License.
+ */
+
+/*
+ * clNssUtils.cpp - support for libnssasn1-based ASN1 encode/decode
+ */
+
+#include "clNssUtils.h"
+#include "clNameUtils.h"
+#include "CSPAttacher.h"
+#include <security_asn1/secasn1.h>
+#include <security_asn1/SecNssCoder.h>
+#include <security_asn1/nssUtils.h>
+#include <Security/keyTemplates.h>
+#include <Security/certExtensionTemplates.h>
+#include <Security/oidsalg.h>
+#include <Security/oidsattr.h>
+#include <Security/cssmapple.h>
+#include <string.h>
+
+#pragma mark ----- ArenaAllocator -----
+
+/*
+ * Avoid inlining this for debuggability
+ */
+void *ArenaAllocator::malloc(size_t len) throw(std::bad_alloc)
+{
+ try {
+ return mCoder.malloc(len);
+ }
+ catch (...) {
+ throw std::bad_alloc();
+ }
+}
+
+/* intentionally not implemented, should never be called */
+void ArenaAllocator::free(void *p) throw()
+{
+ throw std::bad_alloc();
+}
+
+void *ArenaAllocator::realloc(void *p, size_t len) throw(std::bad_alloc)
+{
+ throw std::bad_alloc();
+}
+
+#pragma mark ----- Malloc/Copy/Compare CSSM_DATA -----
+
+/*
+ * Misc. alloc/copy with arbitrary Allocator
+ */
+/* malloc d.Data, set d.Length */
+void clAllocData(
+ Allocator &alloc,
+ CSSM_DATA &dst,
+ size_t len)
+{
+ if(len == 0) {
+ dst.Data = NULL;
+ }
+ else {
+ dst.Data = (uint8 *)alloc.malloc(len);
+ }
+ dst.Length = len;
+}
+
+/* malloc and copy */
+void clAllocCopyData(
+ Allocator &alloc,
+ const CSSM_DATA &src,
+ CSSM_DATA &dst)
+{
+ clAllocData(alloc, dst, src.Length);
+ if(dst.Length != 0) {
+ memmove(dst.Data, src.Data, src.Length);
+ }
+}
+
+/*
+ * Compare two CSSM_DATAs (or two CSSM_OIDs), return true if identical.
+ */
+bool clCompareCssmData(
+ const CSSM_DATA *data1,
+ const CSSM_DATA *data2)
+{
+ if((data1 == NULL) || (data1->Data == NULL) ||
+ (data2 == NULL) || (data2->Data == NULL) ||
+ (data1->Length != data2->Length)) {
+ return false;
+ }
+ if(data1->Length != data2->Length) {
+ return false;
+ }
+ if(memcmp(data1->Data, data2->Data, data1->Length) == 0) {
+ return true;
+ }
+ else {
+ return false;
+ }
+}
+
+#pragma mark ----- CSSM_DATA <--> uint32 -----
+
+uint32 clDataToInt(
+ const CSSM_DATA &cdata,
+ CSSM_RETURN toThrow) /* = CSSMERR_CL_INVALID_CERT_POINTER */
+{
+ if((cdata.Length == 0) || (cdata.Data == NULL)) {
+ return 0;
+ }
+ uint32 len = cdata.Length;
+ if(len > sizeof(uint32)) {
+ if(toThrow == 0) {
+ /* tolerate this */
+ len = sizeof(uint32);
+ }
+ else {
+ CssmError::throwMe(toThrow);
+ }
+ }
+
+ uint32 rtn = 0;
+ uint8 *cp = cdata.Data;
+ for(uint32 i=0; i<len; i++) {
+ rtn = (rtn << 8) | *cp++;
+ }
+ return rtn;
+}
+
+void clIntToData(
+ uint32 num,
+ CSSM_DATA &cdata,
+ Allocator &alloc)
+{
+ uint32 len = 0;
+
+ if(num < 0x100) {
+ len = 1;
+ }
+ else if(num < 0x10000) {
+ len = 2;
+ }
+ else if(num < 0x1000000) {
+ len = 3;
+ }
+ else {
+ len = 4;
+ }
+ clAllocData(alloc, cdata, len);
+ uint8 *cp = &cdata.Data[len - 1];
+ for(unsigned i=0; i<len; i++) {
+ *cp-- = num & 0xff;
+ num >>= 8;
+ }
+}
+
+#pragma mark ----- CSSM_BOOL <--> CSSM_DATA -----
+/*
+ * A Bool is encoded as one byte of either 0 or 0xff
+ * Default of NSS boolean not present is false
+ */
+CSSM_BOOL clNssBoolToCssm(
+ const CSSM_DATA &nssBool)
+{
+ if((nssBool.Data != NULL) && (nssBool.Data[0] == 0xff)) {
+ return CSSM_TRUE;
+ }
+ else {
+ return CSSM_FALSE;
+ }
+}
+
+void clCssmBoolToNss(
+ CSSM_BOOL cBool,
+ CSSM_DATA &nssBool,
+ Allocator &alloc)
+{
+ uint32 num = cBool ? 0xff : 0;
+ clIntToData(num, nssBool, alloc);
+}
+
+#pragma mark ----- Bit String manipulation -----
+
+/*
+ * Adjust the length of a CSSM_DATA representing a pre-encoded
+ * bit string. On entry the length field is the number of bytes
+ * of data; en exit, the number if bits. Trailing zero bits
+ * are counted as unused (which is how KeyUsage and NetscapeCertType
+ * extensions are encoded).
+ */
+void clCssmBitStringToNss(
+ CSSM_DATA &b)
+{
+ int numBits = b.Length * 8;
+
+ /* start at end of bit array, scanning backwards looking
+ * for the first set bit */
+ bool foundSet = false;
+ for(int dex=b.Length-1; dex>=0; dex--) {
+ unsigned bitMask = 0x01;
+ uint8 byte = b.Data[dex];
+ for(unsigned bdex=0; bdex<8; bdex++) {
+ if(byte & bitMask) {
+ foundSet = true;
+ break;
+ }
+ else {
+ bitMask <<= 1;
+ numBits--;
+ }
+ }
+ if(foundSet) {
+ break;
+ }
+ }
+ /* !foundSet --> numBits = 0 */
+ assert(((numBits > 0) & foundSet) || ((numBits == 0) && !foundSet));
+ b.Length = (uint32)numBits;
+}
+
+/*
+ * On entry, Length is bit count; on exit, a byte count.
+ * The job here is to ensure that bits marked as "unused" in the
+ * BER encoding are cleared. Encoding rules say they are undefined in
+ * the actual encoding.
+ */
+void clNssBitStringToCssm(
+ CSSM_DATA &b)
+{
+ uint32 byteCount = (b.Length + 7) / 8;
+ unsigned partialBits = b.Length & 0x7;
+ b.Length = byteCount;
+ if(partialBits == 0) {
+ return;
+ }
+
+ /* mask off unused bits */
+ unsigned unusedBits = 8 - partialBits;
+ uint8 *bp = b.Data + b.Length - 1;
+ /* mask = (2 ** unusedBits) - 1 */
+ unsigned mask = (1 << unusedBits) - 1;
+ *bp &= ~mask;
+}
+
+#pragma mark ----- NSS array manipulation -----
+/*
+ * How many items in a NULL-terminated array of pointers?
+ */
+unsigned clNssArraySize(
+ const void **array)
+{
+ unsigned count = 0;
+ if (array) {
+ while (*array++) {
+ count++;
+ }
+ }
+ return count;
+}
+
+/* malloc a NULL-ed array of pointers of size num+1 */
+void **clNssNullArray(
+ uint32 num,
+ SecNssCoder &coder)
+{
+ unsigned len = (num + 1) * sizeof(void *);
+ void **p = (void **)coder.malloc(len);
+ memset(p, 0, len);
+ return p;
+}
+
+/*
+ * GIven a CSSM_DATA containing a decoded BIT_STRING,
+ * convert to a KeyUsage.
+ */
+CE_KeyUsage clBitStringToKeyUsage(
+ const CSSM_DATA &cdata)
+{
+ unsigned toCopy = (cdata.Length + 7) / 8;
+ if(toCopy > 2) {
+ /* I hope I never see this... */
+ clErrorLog("clBitStringToKeyUsage: KeyUsage larger than 2 bytes!");
+ toCopy = 2;
+ }
+ unsigned char bits[2] = {0, 0};
+ memmove(bits, cdata.Data, toCopy);
+ CE_KeyUsage usage = (((unsigned)bits[0]) << 8) | bits[1];
+ return usage;
+}
+
+CSSM_ALGORITHMS CL_oidToAlg(
+ const CSSM_OID &oid)
+{
+ CSSM_ALGORITHMS alg;
+ bool found = cssmOidToAlg(&oid, &alg);
+ if(!found) {
+ clErrorLog("CL_oidToAlg: unknown alg\n");
+ CssmError::throwMe(CSSMERR_CL_UNKNOWN_FORMAT);
+ }
+ return alg;
+}
+
+#pragma mark ----- copy CSSM_X509_ALGORITHM_IDENTIFIER -----
+
+/*
+ * Copy CSSM_X509_ALGORITHM_IDENTIFIER, same format (NSS and CSSM).
+ */
+void CL_copyAlgId(
+ const CSSM_X509_ALGORITHM_IDENTIFIER &srcAlgId,
+ CSSM_X509_ALGORITHM_IDENTIFIER &dstAlgId,
+ Allocator &alloc)
+{
+ clAllocCopyData(alloc, srcAlgId.algorithm, dstAlgId.algorithm);
+ clAllocCopyData(alloc, srcAlgId.parameters, dstAlgId.parameters);
+}
+
+void CL_freeCssmAlgId(
+ CSSM_X509_ALGORITHM_IDENTIFIER *cdsaObj, // optional
+ Allocator &alloc)
+{
+ if(cdsaObj == NULL) {
+ return;
+ }
+ alloc.free(cdsaObj->algorithm.Data);
+ alloc.free(cdsaObj->parameters.Data);
+ memset(cdsaObj, 0, sizeof(CSSM_X509_ALGORITHM_IDENTIFIER));
+}
+
+
+#pragma mark ----- CSSM_X509_TIME <--> NSS format -----
+
+/*
+ * Map the tag associated with a choice of DirectoryString elements to
+ * a template array for encoding/decoding that string type.
+ * Contrary to RFC2459, we allow the IA5String type, which is actually
+ * used in the real world (cf. the email address in Thawte's serverbasic
+ * cert).
+ */
+
+/* The template chooser does the work here */
+
+bool CL_nssTimeToCssm(
+ const NSS_TaggedItem &nssTime,
+ CSSM_X509_TIME &cssmObj,
+ Allocator &alloc)
+{
+ cssmObj.timeType = nssTime.tag;
+ clAllocCopyData(alloc, nssTime.item, cssmObj.time);
+ return true;
+}
+
+/*
+ * CSSM time to NSS time.
+ */
+void CL_cssmTimeToNss(
+ const CSSM_X509_TIME &cssmTime,
+ NSS_TaggedItem &nssTime,
+ SecNssCoder &coder)
+{
+ nssTime.tag = cssmTime.timeType;
+ coder.allocCopyItem(cssmTime.time, nssTime.item);
+}
+
+void CL_freeCssmTime(
+ CSSM_X509_TIME *cssmTime,
+ Allocator &alloc)
+{
+ if(cssmTime == NULL) {
+ return;
+ }
+ if(cssmTime->time.Data) {
+ alloc.free(cssmTime->time.Data);
+ }
+ memset(cssmTime, 0, sizeof(CSSM_X509_TIME));
+}
+
+
+#pragma mark ----- CSSM_X509_SUBJECT_PUBLIC_KEY_INFO <--> CSSM_KEY -----
+
+/*
+ * Copy a CSSM_X509_SUBJECT_PUBLIC_KEY_INFO.
+ *
+ * Same format (NSS and CSSM), EXCEPT:
+ *
+ * Objects which have just been NSS decoded or are about to be
+ * NSS encoded have the subjectPublicKey.Length field in BITS
+ * since this field is wrapped in a BIT STRING upon encoding.
+ *
+ * Caller tells us which format (bits or bytes)
+ * to use for each of {src, dst}.
+ */
+void CL_copySubjPubKeyInfo(
+ const CSSM_X509_SUBJECT_PUBLIC_KEY_INFO &srcInfo,
+ bool srcInBits,
+ CSSM_X509_SUBJECT_PUBLIC_KEY_INFO &dstInfo,
+ bool dstInBits,
+ Allocator &alloc)
+{
+ CL_copyAlgId(srcInfo.algorithm, dstInfo.algorithm, alloc);
+
+ CSSM_DATA srcKey = srcInfo.subjectPublicKey;
+ if(srcInBits) {
+ srcKey.Length = (srcKey.Length + 7) / 8;
+ }
+ clAllocCopyData(alloc, srcKey, dstInfo.subjectPublicKey);
+ if(dstInBits) {
+ dstInfo.subjectPublicKey.Length *= 8;
+ }
+}
+
+/*
+ * Obtain a CSSM_KEY from a CSSM_X509_SUBJECT_PUBLIC_KEY_INFO,
+ * inferring as much as we can from required fields
+ * (CSSM_X509_SUBJECT_PUBLIC_KEY_INFO) and extensions (for
+ * KeyUse, obtained from the optional DecodedCert).
+ */
+CSSM_KEY_PTR CL_extractCSSMKeyNSS(
+ const CSSM_X509_SUBJECT_PUBLIC_KEY_INFO &keyInfo,
+ Allocator &alloc,
+ const DecodedCert *decodedCert) // optional
+{
+ CSSM_KEY_PTR cssmKey = (CSSM_KEY_PTR) alloc.malloc(sizeof(CSSM_KEY));
+ memset(cssmKey, 0, sizeof(CSSM_KEY));
+ CSSM_KEYHEADER &hdr = cssmKey->KeyHeader;
+ CssmRemoteData keyData(alloc, cssmKey->KeyData);
+
+ hdr.HeaderVersion = CSSM_KEYHEADER_VERSION;
+ /* CspId blank */
+ hdr.BlobType = CSSM_KEYBLOB_RAW;
+ hdr.AlgorithmId = CL_oidToAlg(keyInfo.algorithm.algorithm);
+ hdr.KeyAttr = CSSM_KEYATTR_MODIFIABLE | CSSM_KEYATTR_EXTRACTABLE;
+
+ /*
+ * Format inferred from AlgorithmId. I have never seen these defined
+ * anywhere, e.g., what's the format of an RSA public key in a cert?
+ * X509 certainly doesn't say. However. the following two cases are
+ * known to be correct.
+ */
+ switch(hdr.AlgorithmId) {
+ case CSSM_ALGID_RSA:
+ hdr.Format = CSSM_KEYBLOB_RAW_FORMAT_PKCS1;
+ break;
+ case CSSM_ALGID_DSA:
+ case CSSM_ALGID_ECDSA:
+ case CSSM_ALGID_DH:
+ case CSSM_ALGMODE_PKCS1_EME_OAEP:
+ hdr.Format = CSSM_KEYBLOB_RAW_FORMAT_X509;
+ break;
+ case CSSM_ALGID_FEE:
+ /* CSSM_KEYBLOB_RAW_FORMAT_NONE --> DER encoded */
+ hdr.Format = CSSM_KEYBLOB_RAW_FORMAT_NONE;
+ break;
+ default:
+ /* punt */
+ hdr.Format = CSSM_KEYBLOB_RAW_FORMAT_NONE;
+ }
+ hdr.KeyClass = CSSM_KEYCLASS_PUBLIC_KEY;
+
+ /* KeyUsage inferred from extensions */
+ if(decodedCert) {
+ hdr.KeyUsage = decodedCert->inferKeyUsage();
+ }
+ else {
+ hdr.KeyUsage = CSSM_KEYUSE_ANY;
+ }
+
+ /* start/end date unknown, leave zero */
+ hdr.WrapAlgorithmId = CSSM_ALGID_NONE;
+ hdr.WrapMode = CSSM_ALGMODE_NONE;
+
+ switch(hdr.AlgorithmId) {
+ case CSSM_ALGID_DSA:
+ case CSSM_ALGID_ECDSA:
+ case CSSM_ALGID_DH:
+ case CSSM_ALGMODE_PKCS1_EME_OAEP:
+ {
+ /*
+ * Just encode the whole subject public key info blob.
+ * NOTE we're assuming that the keyInfo.subjectPublicKey
+ * field is in the NSS_native BITSTRING format, i.e.,
+ * its Length field is in bits and we don't have to adjust.
+ */
+ PRErrorCode prtn = SecNssEncodeItemOdata(&keyInfo,
+ kSecAsn1SubjectPublicKeyInfoTemplate, keyData);
+ if(prtn) {
+ clErrorLog("extractCSSMKey: error on reencode\n");
+ CssmError::throwMe(CSSMERR_CL_MEMORY_ERROR);
+ }
+ break;
+ }
+ default:
+ /*
+ * RSA, FEE for now.
+ * keyInfo.subjectPublicKey (in BITS) ==> KeyData
+ */
+ keyData.copy(keyInfo.subjectPublicKey.Data,
+ (keyInfo.subjectPublicKey.Length + 7) / 8);
+ }
+
+ /*
+ * LogicalKeySizeInBits - ask the CSP
+ */
+ CSSM_CSP_HANDLE cspHand = getGlobalCspHand(true);
+ CSSM_KEY_SIZE keySize;
+ CSSM_RETURN crtn;
+ crtn = CSSM_QueryKeySizeInBits(cspHand, CSSM_INVALID_HANDLE, cssmKey,
+ &keySize);
+ switch(crtn) {
+ default:
+ CssmError::throwMe(crtn);
+ case CSSMERR_CSP_APPLE_PUBLIC_KEY_INCOMPLETE:
+ /*
+ * This is how the CSP indicates a "partial" public key,
+ * with a valid public key value but no alg-specific
+ * parameters (currently, DSA only).
+ */
+ hdr.KeyAttr |= CSSM_KEYATTR_PARTIAL;
+ /* and drop thru */
+ case CSSM_OK:
+ cssmKey->KeyHeader.LogicalKeySizeInBits =
+ keySize.LogicalKeySizeInBits;
+ break;
+ }
+
+ keyData.release();
+ return cssmKey;
+}
+
+/*
+ * Set up a encoded NULL for CSSM_X509_ALGORITHM_IDENTIFIER.parameters.
+ */
+void CL_nullAlgParams(
+ CSSM_X509_ALGORITHM_IDENTIFIER &algId)
+{
+ static const uint8 encNull[2] = { SEC_ASN1_NULL, 0 };
+ CSSM_DATA encNullData;
+ encNullData.Data = (uint8 *)encNull;
+ encNullData.Length = 2;
+
+ algId.parameters = encNullData;
+}
+
+/*
+ * Convert a CSSM_KEY to a CSSM_X509_SUBJECT_PUBLIC_KEY_INFO. The
+ * CSSM key must be in raw format and with a specific blob format.
+ * -- RSA keys have to be CSSM_KEYBLOB_RAW_FORMAT_PKCS1
+ * -- DSA keys have to be CSSM_KEYBLOB_RAW_FORMAT_X509
+ * -- ECDSA keys have to be CSSM_KEYBLOB_RAW_FORMAT_X509
+ */
+void CL_CSSMKeyToSubjPubKeyInfoNSS(
+ const CSSM_KEY &cssmKey,
+ CSSM_X509_SUBJECT_PUBLIC_KEY_INFO &nssKeyInfo,
+ SecNssCoder &coder)
+{
+ const CSSM_KEYHEADER &hdr = cssmKey.KeyHeader;
+ if(hdr.BlobType != CSSM_KEYBLOB_RAW) {
+ clErrorLog("CL SetField: must specify RAW key blob\n");
+ CssmError::throwMe(CSSMERR_CSP_KEY_BLOB_TYPE_INCORRECT);
+ }
+ memset(&nssKeyInfo, 0, sizeof(nssKeyInfo));
+
+ /* algorithm and format dependent from here... */
+ switch(hdr.AlgorithmId) {
+ case CSSM_ALGID_RSA:
+ if(hdr.Format != CSSM_KEYBLOB_RAW_FORMAT_PKCS1) {
+ clErrorLog("CL SetField: RSA key must be in PKCS1 format\n");
+ CssmError::throwMe(CSSMERR_CSP_INVALID_KEY_FORMAT);
+ }
+ /* and fall thru */
+ default:
+ {
+ /* Key header's algorithm --> OID */
+ const CSSM_OID *oid = cssmAlgToOid(hdr.AlgorithmId);
+ if(oid == NULL) {
+ clErrorLog("CL SetField: Unknown key algorithm\n");
+ CssmError::throwMe(CSSMERR_CSP_INVALID_ALGORITHM);
+ }
+ CSSM_X509_ALGORITHM_IDENTIFIER &algId = nssKeyInfo.algorithm;
+ coder.allocCopyItem(*oid, algId.algorithm);
+
+ /* NULL algorithm parameters, always in this case */
+ CL_nullAlgParams(algId);
+
+ /* Copy key bits, destination is a BIT STRING */
+ coder.allocCopyItem(cssmKey.KeyData, nssKeyInfo.subjectPublicKey);
+ nssKeyInfo.subjectPublicKey.Length *= 8;
+ break;
+ }
+ case CSSM_ALGID_DSA:
+ case CSSM_ALGID_ECDSA:
+ if(hdr.Format != CSSM_KEYBLOB_RAW_FORMAT_X509) {
+ clErrorLog("CL SetField: DSA/ECDSA key must be in X509 format\n");
+ CssmError::throwMe(CSSMERR_CSP_INVALID_KEY_FORMAT);
+ }
+
+ /*
+ * All we do is decode the whole key blob into the
+ * SubjectPublicKeyInfo.
+ */
+ if(coder.decodeItem(cssmKey.KeyData,
+ kSecAsn1SubjectPublicKeyInfoTemplate,
+ &nssKeyInfo)) {
+ clErrorLog("CL SetField: Error decoding DSA public key\n");
+ CssmError::throwMe(CSSMERR_CSP_INVALID_KEY_FORMAT);
+ }
+ break;
+ }
+}
+
+void CL_freeCSSMKey(
+ CSSM_KEY_PTR cssmKey,
+ Allocator &alloc,
+ bool freeTop)
+{
+ if(cssmKey == NULL) {
+ return;
+ }
+ alloc.free(cssmKey->KeyData.Data);
+ memset(cssmKey, 0, sizeof(CSSM_KEY));
+ if(freeTop) {
+ alloc.free(cssmKey);
+ }
+}
+
+#pragma mark ----- CE_AuthorityKeyID <--> NSS_AuthorityKeyId -----
+
+void CL_cssmAuthorityKeyIdToNss(
+ const CE_AuthorityKeyID &cdsaObj,
+ NSS_AuthorityKeyId &nssObj,
+ SecNssCoder &coder)
+{
+ memset(&nssObj, 0, sizeof(nssObj));
+ if(cdsaObj.keyIdentifierPresent) {
+ nssObj.keyIdentifier = (CSSM_DATA_PTR)coder.malloc(sizeof(CSSM_DATA));
+ coder.allocCopyItem(cdsaObj.keyIdentifier, *nssObj.keyIdentifier);
+ }
+ if(cdsaObj.generalNamesPresent ) {
+ /* GeneralNames, the hard one */
+ CL_cssmGeneralNamesToNss(*cdsaObj.generalNames,
+ nssObj.genNames, coder);
+ }
+ if(cdsaObj.serialNumberPresent) {
+ coder.allocCopyItem(cdsaObj.serialNumber,nssObj.serialNumber);
+ }
+}
+
+void CL_nssAuthorityKeyIdToCssm(
+ const NSS_AuthorityKeyId &nssObj,
+ CE_AuthorityKeyID &cdsaObj,
+ SecNssCoder &coder, // for temp decoding
+ Allocator &alloc)
+{
+ if(nssObj.keyIdentifier != NULL) {
+ cdsaObj.keyIdentifierPresent = CSSM_TRUE;
+ clAllocCopyData(alloc, *nssObj.keyIdentifier, cdsaObj.keyIdentifier);
+ }
+ if(nssObj.genNames.names != NULL) {
+ /* GeneralNames, the hard one */
+ cdsaObj.generalNamesPresent = CSSM_TRUE;
+ cdsaObj.generalNames =
+ (CE_GeneralNames *)alloc.malloc(sizeof(CE_GeneralNames));
+ CL_nssGeneralNamesToCssm(nssObj.genNames,
+ *cdsaObj.generalNames,
+ coder,
+ alloc);
+ }
+ if(nssObj.serialNumber.Data != NULL) {
+ cdsaObj.serialNumberPresent = CSSM_TRUE;
+ clAllocCopyData(alloc, nssObj.serialNumber, cdsaObj.serialNumber);
+ }
+}
+
+#pragma mark ----- CE_AuthorityInfoAccess <--> NSS_AuthorityInfoAccess -----
+
+void CL_cssmInfoAccessToNss(
+ const CE_AuthorityInfoAccess &cdsaObj,
+ NSS_AuthorityInfoAccess &nssObj,
+ SecNssCoder &coder)
+{
+ memset(&nssObj, 0, sizeof(nssObj));
+ uint32 numDescs = cdsaObj.numAccessDescriptions;
+ nssObj.accessDescriptions = (NSS_AccessDescription **)clNssNullArray(numDescs, coder);
+
+ for(unsigned dex=0; dex<numDescs; dex++) {
+ nssObj.accessDescriptions[dex] = coder.mallocn<NSS_AccessDescription>();
+ CE_AccessDescription *src = &cdsaObj.accessDescriptions[dex];
+ NSS_AccessDescription *dst = nssObj.accessDescriptions[dex];
+ coder.allocCopyItem(src->accessMethod, dst->accessMethod);
+
+ /* Convert general name, then encode it into destination */
+ NSS_GeneralName nssGenName;
+ CL_cssmGeneralNameToNss(src->accessLocation, nssGenName, coder);
+ PRErrorCode prtn = coder.encodeItem(&nssGenName, kSecAsn1GeneralNameTemplate,
+ dst->encodedAccessLocation);
+ if(prtn) {
+ clErrorLog("CL_cssmInfoAccessToNss: encode error\n");
+ CssmError::throwMe(CSSMERR_CL_MEMORY_ERROR);
+ }
+ }
+}
+
+void CL_infoAccessToCssm(
+ const NSS_AuthorityInfoAccess &nssObj,
+ CE_AuthorityInfoAccess &cdsaObj,
+ SecNssCoder &coder, // for temp decoding
+ Allocator &alloc)
+{
+ memset(&cdsaObj, 0, sizeof(cdsaObj));
+ unsigned numDescs = clNssArraySize((const void **)nssObj.accessDescriptions);
+ if(numDescs == 0) {
+ return;
+ }
+ cdsaObj.accessDescriptions = (CE_AccessDescription *)alloc.malloc(
+ numDescs * sizeof(CE_AccessDescription));
+ cdsaObj.numAccessDescriptions = numDescs;
+ for(unsigned dex=0; dex<numDescs; dex++) {
+ CE_AccessDescription *dst = &cdsaObj.accessDescriptions[dex];
+ NSS_AccessDescription *src = nssObj.accessDescriptions[dex];
+ clAllocCopyData(alloc, src->accessMethod, dst->accessMethod);
+
+ /* decode the general name */
+ NSS_GeneralName nssGenName;
+ memset(&nssGenName, 0, sizeof(nssGenName));
+ PRErrorCode prtn = coder.decodeItem(src->encodedAccessLocation,
+ kSecAsn1GeneralNameTemplate, &nssGenName);
+ if(prtn) {
+ clErrorLog("***Error decoding NSS_AuthorityInfoAccess.accessLocation\n");
+ CssmError::throwMe(CSSMERR_CL_UNKNOWN_FORMAT);
+ }
+
+ /* then convert the result to CSSM */
+ CL_nssGeneralNameToCssm(nssGenName, dst->accessLocation, coder, alloc);
+ }
+}
+
+void CL_freeInfoAccess(
+ CE_AuthorityInfoAccess &cssmInfo,
+ Allocator &alloc)
+{
+ uint32 numDescs = cssmInfo.numAccessDescriptions;
+ for(unsigned dex=0; dex<numDescs; dex++) {
+ CE_AccessDescription *dst = &cssmInfo.accessDescriptions[dex];
+ alloc.free(dst->accessMethod.Data);
+ CL_freeCssmGeneralName(dst->accessLocation, alloc);
+ }
+ alloc.free(cssmInfo.accessDescriptions);
+}
+
+
+#pragma mark ----- CE_QC_Statements <--> NSS_QC_Statements -----
+
+void CL_cssmQualCertStatementsToNss(
+ const CE_QC_Statements &cdsaObj,
+ NSS_QC_Statements &nssObj,
+ SecNssCoder &coder)
+{
+ memset(&nssObj, 0, sizeof(nssObj));
+ uint32 numQcs = cdsaObj.numQCStatements;
+ nssObj.qcStatements =
+ (NSS_QC_Statement **)clNssNullArray(numQcs, coder);
+ for(uint32 dex=0; dex<numQcs; dex++) {
+ nssObj.qcStatements[dex] = (NSS_QC_Statement *)
+ coder.malloc(sizeof(NSS_QC_Statement));
+ NSS_QC_Statement *dst = nssObj.qcStatements[dex];
+ CE_QC_Statement *src = &cdsaObj.qcStatements[dex];
+ memset(dst, 0, sizeof(*dst));
+ coder.allocCopyItem(src->statementId, dst->statementId);
+ if(src->semanticsInfo) {
+ if(src->otherInfo) {
+ /* this is either/or, not both */
+ CssmError::throwMe(CSSMERR_CL_INVALID_FIELD_POINTER);
+ }
+
+ /* encode this CE_SemanticsInformation */
+ CE_SemanticsInformation *srcSI = src->semanticsInfo;
+ NSS_SemanticsInformation dstSI;
+ memset(&dstSI, 0, sizeof(dstSI));
+ if(srcSI->semanticsIdentifier) {
+ dstSI.semanticsIdentifier = (CSSM_DATA_PTR)coder.malloc(sizeof(CSSM_DATA));
+ coder.allocCopyItem(*srcSI->semanticsIdentifier,
+ *dstSI.semanticsIdentifier);
+ }
+ if(srcSI->nameRegistrationAuthorities) {
+ dstSI.nameRegistrationAuthorities =
+ (NSS_GeneralNames *)coder.malloc(sizeof(NSS_GeneralNames));
+ CL_cssmGeneralNamesToNss(*srcSI->nameRegistrationAuthorities,
+ *dstSI.nameRegistrationAuthorities, coder);
+ }
+ PRErrorCode prtn = coder.encodeItem(&dstSI, kSecAsn1SemanticsInformationTemplate,
+ dst->info);
+ if(prtn) {
+ clErrorLog("CL_cssmQualCertStatementsToNss: encode error\n");
+ CssmError::throwMe(CSSMERR_CL_MEMORY_ERROR);
+ }
+
+ }
+ if(src->otherInfo) {
+ /* drop in as ASN_ANY */
+ coder.allocCopyItem(*src->otherInfo, dst->info);
+ }
+ }
+}
+
+void CL_qualCertStatementsToCssm(
+ const NSS_QC_Statements &nssObj,
+ CE_QC_Statements &cdsaObj,
+ SecNssCoder &coder, // for temp decoding
+ Allocator &alloc)
+{
+ memset(&cdsaObj, 0, sizeof(cdsaObj));
+ unsigned numQcs = clNssArraySize((const void **)nssObj.qcStatements);
+ if(numQcs == 0) {
+ return;
+ }
+ cdsaObj.qcStatements = (CE_QC_Statement *)alloc.malloc(
+ numQcs * sizeof(CE_AccessDescription));
+ cdsaObj.numQCStatements = numQcs;
+ for(unsigned dex=0; dex<numQcs; dex++) {
+ CE_QC_Statement *dst = &cdsaObj.qcStatements[dex];
+ NSS_QC_Statement *src = nssObj.qcStatements[dex];
+
+ memset(dst, 0, sizeof(*dst));
+ clAllocCopyData(alloc, src->statementId, dst->statementId);
+
+ /*
+ * Whether the optional info is a SemanticsInformation or is uninterpreted
+ * DER data depends on statementId.
+ */
+ if(src->info.Data) {
+ if(clCompareCssmData(&src->statementId, &CSSMOID_OID_QCS_SYNTAX_V2)) {
+ NSS_SemanticsInformation srcSI;
+ memset(&srcSI, 0, sizeof(srcSI));
+
+ /* decode info as a NSS_SemanticsInformation */
+ PRErrorCode prtn = coder.decodeItem(src->info,
+ kSecAsn1SemanticsInformationTemplate, &srcSI);
+ if(prtn) {
+ clErrorLog("***Error decoding CE_SemanticsInformation\n");
+ CssmError::throwMe(CSSMERR_CL_UNKNOWN_FORMAT);
+ }
+
+ /* NSS_SemanticsInformation --> CE_SemanticsInformation */
+ dst->semanticsInfo =
+ (CE_SemanticsInformation *)alloc.malloc(sizeof(CE_SemanticsInformation));
+ CE_SemanticsInformation *dstSI = dst->semanticsInfo;
+ memset(dstSI, 0, sizeof(*dstSI));
+ if(srcSI.semanticsIdentifier) {
+ dstSI->semanticsIdentifier = (CSSM_OID *)alloc.malloc(sizeof(CSSM_OID));
+ clAllocCopyData(alloc, *srcSI.semanticsIdentifier, *dstSI->semanticsIdentifier);
+ }
+ if(srcSI.nameRegistrationAuthorities) {
+ dstSI->nameRegistrationAuthorities =
+ (CE_NameRegistrationAuthorities *)alloc.malloc(
+ sizeof(CE_NameRegistrationAuthorities));
+ CL_nssGeneralNamesToCssm(*srcSI.nameRegistrationAuthorities,
+ *dstSI->nameRegistrationAuthorities,
+ coder,
+ alloc);
+ }
+ }
+ else {
+ dst->otherInfo = (CSSM_DATA_PTR)alloc.malloc(sizeof(CSSM_DATA));
+ clAllocCopyData(alloc, src->info, *dst->otherInfo);
+ }
+ }
+ }
+}
+
+void CL_freeQualCertStatements(
+ CE_QC_Statements &cssmQCs,
+ Allocator &alloc)
+{
+ uint32 numQCs = cssmQCs.numQCStatements;
+ for(unsigned dex=0; dex<numQCs; dex++) {
+ CE_QC_Statement *dst = &cssmQCs.qcStatements[dex];
+ alloc.free(dst->statementId.Data);
+ if(dst->semanticsInfo) {
+ CE_SemanticsInformation *si = dst->semanticsInfo;
+ if(si->semanticsIdentifier) {
+ alloc.free(si->semanticsIdentifier->Data);
+ alloc.free(si->semanticsIdentifier);
+ }
+ if(si->nameRegistrationAuthorities) {
+ CL_freeCssmGeneralNames(si->nameRegistrationAuthorities, alloc);
+ alloc.free(si->nameRegistrationAuthorities);
+ }
+ alloc.free(si);
+ }
+ if(dst->otherInfo) {
+ alloc.free(dst->otherInfo->Data);
+ alloc.free(dst->otherInfo);
+ }
+ }
+ alloc.free(cssmQCs.qcStatements);
+}
+
+#pragma mark ----- decode/encode CE_DistributionPointName -----
+
+/* This is always a DER-encoded blob at the NSS level */
+void CL_decodeDistributionPointName(
+ const CSSM_DATA &nssBlob,
+ CE_DistributionPointName &cssmDpn,
+ SecNssCoder &coder,
+ Allocator &alloc)
+{
+ memset(&cssmDpn, 0, sizeof(CE_DistributionPointName));
+ if(nssBlob.Length == 0) {
+ clErrorLog("***CL_decodeDistributionPointName: bad PointName\n");
+ CssmError::throwMe(CSSMERR_CL_UNKNOWN_FORMAT);
+ }
+ unsigned char tag = nssBlob.Data[0] & SEC_ASN1_TAGNUM_MASK;
+ switch(tag) {
+ case NSS_DIST_POINT_FULL_NAME_TAG:
+ {
+ /* decode to temp coder memory */
+ NSS_GeneralNames gnames;
+ gnames.names = NULL;
+ if(coder.decodeItem(nssBlob, kSecAsn1DistPointFullNameTemplate,
+ &gnames)) {
+ clErrorLog("***Error decoding DistPointFullName\n");
+ CssmError::throwMe(CSSMERR_CL_UNKNOWN_FORMAT);
+ }
+
+ cssmDpn.nameType = CE_CDNT_FullName;
+ cssmDpn.dpn.fullName = (CE_GeneralNames *)alloc.malloc(
+ sizeof(CE_GeneralNames));
+
+ /* copy out to caller */
+ CL_nssGeneralNamesToCssm(gnames,
+ *cssmDpn.dpn.fullName, coder, alloc);
+ break;
+ }
+ case NSS_DIST_POINT_RDN_TAG:
+ {
+ /* decode to temp coder memory */
+ NSS_RDN rdn;
+ memset(&rdn, 0, sizeof(rdn));
+ if(coder.decodeItem(nssBlob, kSecAsn1DistPointRDNTemplate,
+ &rdn)) {
+ clErrorLog("***Error decoding DistPointRDN\n");
+ CssmError::throwMe(CSSMERR_CL_UNKNOWN_FORMAT);
+ }
+
+ cssmDpn.nameType = CE_CDNT_NameRelativeToCrlIssuer;
+ cssmDpn.dpn.rdn = (CSSM_X509_RDN_PTR)alloc.malloc(
+ sizeof(CSSM_X509_RDN));
+
+ /* copy out to caller */
+ CL_nssRdnToCssm(rdn, *cssmDpn.dpn.rdn, alloc, coder);
+ break;
+ }
+ default:
+ clErrorLog("***Bad CE_DistributionPointName tag\n");
+ CssmError::throwMe(CSSMERR_CL_UNKNOWN_FORMAT);
+ }
+}
+
+void CL_encodeDistributionPointName(
+ CE_DistributionPointName &cpoint,
+ CSSM_DATA &npoint,
+ SecNssCoder &coder)
+{
+ const SecAsn1Template *templ = NULL;
+ NSS_GeneralNames gnames;
+ NSS_RDN rdn;
+ void *encodeSrc = NULL;
+
+ /*
+ * Our job is to convert one of two incoming aggregate types
+ * into NSS format, then encode the result into npoint.
+ */
+ switch(cpoint.nameType) {
+ case CE_CDNT_FullName:
+ CL_cssmGeneralNamesToNss(*cpoint.dpn.fullName,
+ gnames, coder);
+ encodeSrc = &gnames;
+ templ = kSecAsn1DistPointFullNameTemplate;
+ break;
+
+ case CE_CDNT_NameRelativeToCrlIssuer:
+ CL_cssmRdnToNss(*cpoint.dpn.rdn, rdn, coder);
+ encodeSrc = &rdn;
+ templ = kSecAsn1DistPointRDNTemplate;
+ break;
+ default:
+ clErrorLog("CL_encodeDistributionPointName: bad nameType\n");
+ CssmError::throwMe(CSSMERR_CL_UNKNOWN_TAG);
+ }
+ if(coder.encodeItem(encodeSrc, templ, npoint)) {
+ clErrorLog("CL_encodeDistributionPointName: encode error\n");
+ CssmError::throwMe(CSSMERR_CL_MEMORY_ERROR);
+ }
+}
+
+
+#pragma mark --- CE_CRLDistPointsSyntax <--> NSS_CRLDistributionPoints ---
+
+void CL_cssmDistPointsToNss(
+ const CE_CRLDistPointsSyntax &cdsaObj,
+ NSS_CRLDistributionPoints &nssObj,
+ SecNssCoder &coder)
+{
+ memset(&nssObj, 0, sizeof(nssObj));
+ unsigned numPoints = cdsaObj.numDistPoints;
+ if(numPoints == 0) {
+ return;
+ }
+ nssObj.distPoints =
+ (NSS_DistributionPoint **)clNssNullArray(numPoints, coder);
+ for(unsigned dex=0; dex<numPoints; dex++) {
+ nssObj.distPoints[dex] = (NSS_DistributionPoint *)
+ coder.malloc(sizeof(NSS_DistributionPoint));
+ NSS_DistributionPoint *npoint = nssObj.distPoints[dex];
+ memset(npoint, 0, sizeof(NSS_DistributionPoint));
+ CE_CRLDistributionPoint *cpoint = &cdsaObj.distPoints[dex];
+
+ /* all fields are optional */
+ if(cpoint->distPointName) {
+ /* encode and drop into ASN_ANY slot */
+ npoint->distPointName = (CSSM_DATA *)
+ coder.malloc(sizeof(CSSM_DATA));
+ CL_encodeDistributionPointName(*cpoint->distPointName,
+ *npoint->distPointName, coder);
+
+ }
+
+ if(cpoint->reasonsPresent) {
+ /* bit string, presumed max length 8 bits */
+ coder.allocItem(npoint->reasons, 1);
+ npoint->reasons.Data[0] = cpoint->reasons;
+ /* adjust for bit string length */
+ npoint->reasons.Length = 8;
+ }
+
+ if(cpoint->crlIssuer) {
+ CL_cssmGeneralNamesToNss(*cpoint->crlIssuer,
+ npoint->crlIssuer, coder);
+ }
+ }
+}
+
+void CL_nssDistPointsToCssm(
+ const NSS_CRLDistributionPoints &nssObj,
+ CE_CRLDistPointsSyntax &cdsaObj,
+ SecNssCoder &coder, // for temp decoding
+ Allocator &alloc)
+{
+ memset(&cdsaObj, 0, sizeof(cdsaObj));
+ unsigned numPoints = clNssArraySize((const void **)nssObj.distPoints);
+ if(numPoints == 0) {
+ return;
+ }
+
+ unsigned len = sizeof(CE_CRLDistributionPoint) * numPoints;
+ cdsaObj.distPoints = (CE_CRLDistributionPoint *)alloc.malloc(len);
+ memset(cdsaObj.distPoints, 0, len);
+ cdsaObj.numDistPoints = numPoints;
+
+ for(unsigned dex=0; dex<numPoints; dex++) {
+ CE_CRLDistributionPoint &cpoint = cdsaObj.distPoints[dex];
+ NSS_DistributionPoint &npoint = *(nssObj.distPoints[dex]);
+
+ /* All three fields are optional */
+ if(npoint.distPointName != NULL) {
+ /* Drop in a CE_DistributionPointName */
+ CE_DistributionPointName *cname =
+ (CE_DistributionPointName *)alloc.malloc(
+ sizeof(CE_DistributionPointName));
+ memset(cname, 0, sizeof(*cname));
+ cpoint.distPointName = cname;
+
+ /*
+ * This one is currently still encoded; we have to peek
+ * at its tag and decode accordingly.
+ */
+ CL_decodeDistributionPointName(*npoint.distPointName,
+ *cname, coder, alloc);
+ }
+
+ if(npoint.reasons.Data != NULL) {
+ /* careful, it's a bit string */
+ if(npoint.reasons.Length > 8) {
+ clErrorLog("***CL_nssDistPointsToCssm: Malformed reasons\n");
+ CssmError::throwMe(CSSMERR_CL_UNKNOWN_FORMAT);
+ }
+ cpoint.reasonsPresent = CSSM_TRUE;
+ if(npoint.reasons.Length != 0) {
+ cpoint.reasons = npoint.reasons.Data[0];
+ }
+ }
+
+ if(npoint.crlIssuer.names != NULL) {
+ /* Cook up a new CE_GeneralNames */
+ cpoint.crlIssuer =
+ (CE_GeneralNames *)alloc.malloc(sizeof(CE_GeneralNames));
+ CL_nssGeneralNamesToCssm(npoint.crlIssuer, *cpoint.crlIssuer,
+ coder, alloc);
+ }
+ }
+}
+
+#pragma mark ----- IssuingDistributionPoint -----
+
+void CL_nssIssuingDistPointToCssm(
+ NSS_IssuingDistributionPoint *nssIdp,
+ CE_IssuingDistributionPoint *cssmIdp,
+ SecNssCoder &coder,
+ Allocator &alloc)
+{
+ /* All fields optional */
+ memset(cssmIdp, 0, sizeof(*cssmIdp));
+ if(nssIdp->distPointName) {
+ CE_DistributionPointName *cssmDp = (CE_DistributionPointName *)
+ alloc.malloc(sizeof(CE_DistributionPointName));
+
+ /*
+ * This one is currently still encoded; we have to peek
+ * at its tag and decode accordingly.
+ */
+ CL_decodeDistributionPointName(*nssIdp->distPointName,
+ *cssmDp, coder, alloc);
+ cssmIdp->distPointName = cssmDp;
+ }
+ if(nssIdp->onlyUserCerts) {
+ cssmIdp->onlyUserCertsPresent = CSSM_TRUE;
+ cssmIdp->onlyUserCerts = clNssBoolToCssm(*nssIdp->onlyUserCerts);
+ }
+ if(nssIdp->onlyCACerts) {
+ cssmIdp->onlyCACertsPresent = CSSM_TRUE;
+ cssmIdp->onlyCACerts = clNssBoolToCssm(*nssIdp->onlyCACerts);
+ }
+ if(nssIdp->onlySomeReasons) {
+ cssmIdp->onlySomeReasonsPresent = CSSM_TRUE;
+ if(nssIdp->onlySomeReasons->Length > 0) {
+ cssmIdp->onlySomeReasons = *nssIdp->onlySomeReasons->Data;
+ }
+ else {
+ cssmIdp->onlySomeReasons = 0;
+ }
+ }
+ if(nssIdp->indirectCRL) {
+ cssmIdp->indirectCrlPresent = CSSM_TRUE;
+ cssmIdp->indirectCrl = clNssBoolToCssm(*nssIdp->indirectCRL);
+ }
+}
+
+#pragma mark --- CE_NameConstraints <--> NSS_NameConstraints ---
+
+void CL_cssmNameConstraintsToNss(
+ const CE_NameConstraints &cdsaObj,
+ NSS_NameConstraints &nssObj,
+ SecNssCoder &coder)
+{
+ //%%%FIXME tba
+}
+
+void CL_nssNameConstraintsToCssm(
+ const NSS_NameConstraints &nssObj,
+ CE_NameConstraints &cdsaObj,
+ SecNssCoder &coder, // for temp decoding
+ Allocator &alloc)
+{
+ //%%%FIXME tba
+}
+
+void CL_freeCssmNameConstraints(
+ CE_NameConstraints *cssmNcs,
+ Allocator &alloc)
+{
+ if(cssmNcs == NULL) {
+ return;
+ }
+//%%%FIXME need to add a CL_freeCssmGeneralSubtrees function to clNameUtils{.h,.cpp}
+#if 0
+ switch(cssmDpn->nameType) {
+ case CE_CDNT_FullName:
+ CL_freeCssmGeneralNames(cssmDpn->dpn.fullName, alloc);
+ alloc.free(cssmDpn->dpn.fullName);
+ break;
+ case CE_CDNT_NameRelativeToCrlIssuer:
+ CL_freeX509Rdn(cssmDpn->dpn.rdn, alloc);
+ alloc.free(cssmDpn->dpn.rdn);
+ break;
+ }
+#endif
+ memset(cssmNcs, 0, sizeof(*cssmNcs));
+}
+
+#pragma mark --- CE_PolicyMappings <--> NSS_PolicyMappings ---
+
+void CL_cssmPolicyMappingsToNss(
+ const CE_PolicyMappings &cdsaObj,
+ NSS_PolicyMappings &nssObj,
+ SecNssCoder &coder)
+{
+ //%%%FIXME tba
+}
+
+void CL_nssPolicyMappingsToCssm(
+ const NSS_PolicyMappings &nssObj,
+ CE_PolicyMappings &cdsaObj,
+ SecNssCoder &coder, // for temp decoding
+ Allocator &alloc)
+{
+ //%%%FIXME tba
+}
+
+void CL_freeCssmPolicyMappings(
+ CE_PolicyMappings *cssmPms,
+ Allocator &alloc)
+{
+ if(cssmPms == NULL) {
+ return;
+ }
+ //%%%FIXME tba
+
+ memset(cssmPms, 0, sizeof(*cssmPms));
+}
+
+#pragma mark --- CE_PolicyConstraints <--> NSS_PolicyConstraints ---
+
+void CL_cssmPolicyConstraintsToNss(
+ const CE_PolicyConstraints *cdsaObj,
+ NSS_PolicyConstraints *nssObj,
+ SecNssCoder &coder)
+{
+ //%%%FIXME tba
+}
+
+void CL_nssPolicyConstraintsToCssm(
+ const NSS_PolicyConstraints *nssObj,
+ CE_PolicyConstraints *cdsaObj,
+ SecNssCoder &coder, // for temp decoding
+ Allocator &alloc)
+{
+ memset(cdsaObj, 0, sizeof(*cdsaObj));
+ if(nssObj->requireExplicitPolicy.Data) {
+ cdsaObj->requireExplicitPolicyPresent = CSSM_TRUE;
+ cdsaObj->inhibitPolicyMapping = clDataToInt(
+ nssObj->requireExplicitPolicy, 0);
+ }
+ if(nssObj->inhibitPolicyMapping.Data) {
+ cdsaObj->inhibitPolicyMappingPresent = CSSM_TRUE;
+ cdsaObj->inhibitPolicyMapping = clDataToInt(
+ nssObj->inhibitPolicyMapping, 0);
+ }
+}
+
+void CL_freeCssmPolicyConstraints(
+ CE_PolicyConstraints *cssmPcs,
+ Allocator &alloc)
+{
+ if(cssmPcs == NULL) {
+ return;
+ }
+
+ memset(cssmPcs, 0, sizeof(*cssmPcs));
+}
+
+
+#pragma mark ----- ECDSA_SigAlgParams support -----
+
+/*
+ * Some implementations use a two-OID mechanism to specify ECDSA signature
+ * algorithm with a digest of other than SHA1. This is really not necessary;
+ * we use the single-OID method (e.g. CSSMOID_ECDSA_WithSHA512) when
+ * encoding, but we have to accomodate externally generated items with
+ * the two-OID method. This routine decodes the digest OID and infers a
+ * CSSM_ALGORITHMS from it.
+ * Throws CSSMERR_CL_UNKNOWN_FORMAT on any error.
+ */
+CSSM_ALGORITHMS CL_nssDecodeECDSASigAlgParams(
+ const CSSM_DATA &encParams,
+ SecNssCoder &coder)
+{
+ CSSM_X509_ALGORITHM_IDENTIFIER algParams;
+ memset(&algParams, 0, sizeof(algParams));
+ PRErrorCode prtn = coder.decodeItem(encParams, kSecAsn1AlgorithmIDTemplate, &algParams);
+ if(prtn) {
+ clErrorLog("CL_nssDecodeECDSASigAlgParams: error decoding CSSM_X509_ALGORITHM_IDENTIFIER\n");
+ CssmError::throwMe(CSSMERR_CL_UNKNOWN_FORMAT);
+ }
+
+ /* get the digest algorithm, convert to ECDSA w/digest OID */
+ CSSM_ALGORITHMS digestAlg = CL_oidToAlg(algParams.algorithm);
+ switch(digestAlg) {
+ case CSSM_ALGID_SHA1:
+ return CSSM_ALGID_SHA1WithECDSA;
+ case CSSM_ALGID_SHA224:
+ return CSSM_ALGID_SHA224WithECDSA;
+ case CSSM_ALGID_SHA256:
+ return CSSM_ALGID_SHA256WithECDSA;
+ case CSSM_ALGID_SHA384:
+ return CSSM_ALGID_SHA384WithECDSA;
+ case CSSM_ALGID_SHA512:
+ return CSSM_ALGID_SHA512WithECDSA;
+ default:
+ clErrorLog("CL_nssDecodeECDSASigAlgParams: unknown digest algorithm\n");
+ CssmError::throwMe(CSSMERR_CL_UNKNOWN_FORMAT);
+ }
+}
+
+#pragma mark ----- Top-level Cert/CRL encode and decode -----
+
+/*
+ * To ensure a secure means of signing and verifying TBSCert blobs, we
+ * provide these functions to encode and decode just the top-level
+ * elements of a certificate. Unfortunately there is no guarantee
+ * that when you decode and re-encode a TBSCert blob, you get the
+ * same thing you started with (although with DER rules, as opposed
+ * to BER rules, you should). Thus when signing, we sign the TBSCert
+ * and encode the signed cert here without ever decoding the TBSCert (or,
+ * at least, without using the decoded version to get the encoded TBS blob).
+ */
+
+void CL_certCrlDecodeComponents(
+ const CssmData &signedItem, // DER-encoded cert or CRL
+ CssmOwnedData &tbsBlob, // still DER-encoded
+ CssmOwnedData &algId, // ditto
+ CssmOwnedData &rawSig) // raw bits (not an encoded AsnBits)
+{
+ /* BER-decode into temp memory */
+ NSS_SignedCertOrCRL nssObj;
+ SecNssCoder coder;
+ PRErrorCode prtn;
+
+ memset(&nssObj, 0, sizeof(nssObj));
+ prtn = coder.decode(signedItem.data(), signedItem.length(),
+ kSecAsn1SignedCertOrCRLTemplate, &nssObj);
+ if(prtn) {
+ CssmError::throwMe(CSSMERR_CL_UNKNOWN_FORMAT);
+ }
+
+ /* tbsBlob and algId are raw ASN_ANY including tags, which we pass
+ * back to caller intact */
+ tbsBlob.copy(nssObj.tbsBlob.Data, nssObj.tbsBlob.Length);
+ algId.copy(nssObj.signatureAlgorithm.Data,
+ nssObj.signatureAlgorithm.Length);
+
+ /* signature is a bit string which we do in fact decode */
+ rawSig.copy(nssObj.signature.Data,
+ (nssObj.signature.Length + 7) / 8);
+}
+
+
+/*
+ * Given pre-DER-encoded blobs, do the final encode step for a signed cert.
+ */
+void
+CL_certEncodeComponents(
+ const CssmData &TBSCert, // DER-encoded
+ const CssmData &algId, // ditto
+ const CssmData &rawSig, // raw bits, not encoded
+ CssmOwnedData &signedCert) // DER-encoded
+{
+ NSS_SignedCertOrCRL nssObj;
+ nssObj.tbsBlob.Data = TBSCert.Data;
+ nssObj.tbsBlob.Length = TBSCert.Length;
+ nssObj.signatureAlgorithm.Data = algId.Data;
+ nssObj.signatureAlgorithm.Length = algId.Length;
+ nssObj.signature.Data = rawSig.Data;
+ nssObj.signature.Length = rawSig.Length * 8; // BIT STRING
+
+ PRErrorCode prtn;
+
+ prtn = SecNssEncodeItemOdata(&nssObj,
+ kSecAsn1SignedCertOrCRLTemplate,signedCert);
+ if(prtn) {
+ CssmError::throwMe(CSSMERR_CL_MEMORY_ERROR);
+ }
+
+}
projects / apple / security.git / blobdiff