Security-57740.51.3.tar.gz

[apple/security.git] / libsecurity_smime / lib / cmssigdata.c

diff --git a/libsecurity_smime/lib/cmssigdata.c b/libsecurity_smime/lib/cmssigdata.c
index bb3c7d19dd8c5d28805da12e4b85378fc4db8017..99f08e11dce4a52813e8e72d43237d86791b0d01 100644 (file)
--- a/libsecurity_smime/lib/cmssigdata.c
+++ b/libsecurity_smime/lib/cmssigdata.c
@@ -51,9 +51,7 @@
 #include <security_asn1/secerr.h>
 #include <security_asn1/secport.h>
 
-#if !USE_CDSA_CRYPTO
 #include <Security/SecCertificatePriv.h>
-#endif
 
 SecCmsSignedDataRef
 SecCmsSignedDataCreate(SecCmsMessageRef cmsg)
@@ -325,14 +323,10 @@ SecCmsSignedDataEncodeAfterData(SecCmsSignedDataRef sigd)
                signerinfo = signerinfos[si];
                for (ci = 0; ci < CFArrayGetCount(signerinfo->certList); ci++) {
                    sigd->rawCerts[rci] = PORT_ArenaZAlloc(poolp, sizeof(SecAsn1Item));
-                   SecCertificateRef cert = (SecCertificateRef)CFArrayGetValueAtIndex(signerinfo->certList, ci);
-#if USE_CDSA_CRYPTO    
-                   SecCertificateGetData(cert, sigd->rawCerts[rci++]);
-#else
+                    SecCertificateRef cert = (SecCertificateRef)CFArrayGetValueAtIndex(signerinfo->certList, ci);
                     SecAsn1Item cert_data = { SecCertificateGetLength(cert),
                         (uint8_t *)SecCertificateGetBytePtr(cert) };
                     *(sigd->rawCerts[rci++]) = cert_data;
-#endif
                }
            }
        }
@@ -341,13 +335,9 @@ SecCmsSignedDataEncodeAfterData(SecCmsSignedDataRef sigd)
            for (ci = 0; ci < CFArrayGetCount(sigd->certs); ci++) {
                sigd->rawCerts[rci] = PORT_ArenaZAlloc(poolp, sizeof(SecAsn1Item));
                SecCertificateRef cert = (SecCertificateRef)CFArrayGetValueAtIndex(sigd->certs, ci);
-#if USE_CDSA_CRYPTO    
-                SecCertificateGetData(cert, sigd->rawCerts[rci++]);
-#else
                     SecAsn1Item cert_data = { SecCertificateGetLength(cert),
                         (uint8_t *)SecCertificateGetBytePtr(cert) };
                     *(sigd->rawCerts[rci++]) = cert_data;
-#endif
            }
        }
 
@@ -485,22 +475,6 @@ SecCmsSignedDataImportCerts(SecCmsSignedDataRef sigd, SecKeychainRef keychain,
                                SECCertUsage certusage, Boolean keepcerts)
 {
     OSStatus rv = -1;
-
-#if USE_CDSA_CRYPTO
-    int ix, certcount = SecCmsArrayCount((void **)sigd->rawCerts);
-    rv = CERT_ImportCerts(keychain, certusage, certcount, sigd->rawCerts, NULL,
-                         keepcerts, PR_FALSE, NULL);
-    /* XXX CRL handling */
-
-    if (sigd->signerInfos != NULL) {
-       /* fill in all signerinfo's certs */
-       for (ix = 0; sigd->signerInfos[ix] != NULL; i++)
-           (void)SecCmsSignerInfoGetSigningCertificate(sigd->signerInfos[ix], keychain);
-    }
-#else
-    // XXX we should only ever import certs for a cert only data blob
-#endif
-
     return rv;
 }
 
@@ -563,8 +537,8 @@ SecCmsSignedDataVerifySignerInfo(SecCmsSignedDataRef sigd, int i,
         return status;
     }
 
-    /* Now verify the certificate.  We do this even if the signature failed to verify so we can
-       return a trustRef to the caller for display purposes.  */
+    /* Now verify the certificate.  We only do this when the signature verification succeeds. Note that this
+       behavior is different than the macOS code. */
     status = SecCmsSignerInfoVerifyCertificate(signerinfo, keychainOrArray, policies, trustRef);
 #if SECTRUST_VERBOSE_DEBUG
        syslog(LOG_ERR, "SecCmsSignedDataVerifySignerInfo: SecCmsSignerInfoVerifyCertificate returned %d", (int)status);
@@ -573,45 +547,6 @@ SecCmsSignedDataVerifySignerInfo(SecCmsSignedDataRef sigd, int i,
     return status;
 }
 
-#if USE_CDSA_CRYPTO
-
-/*
- * SecCmsSignedDataVerifyCertsOnly - verify the certs in a certs-only message
- */
-OSStatus
-SecCmsSignedDataVerifyCertsOnly(SecCmsSignedDataRef sigd, 
-                                  SecKeychainRef keychainOrArray, 
-                                  CFTypeRef policies)
-{
-    SecCertificateRef cert;
-    OSStatus rv = SECSuccess;
-    int i;
-    int count;
-
-    if (!sigd || !keychainOrArray || !sigd->rawCerts) {
-       PORT_SetError(SEC_ERROR_INVALID_ARGS);
-       return SECFailure;
-    }
-
-    count = SecCmsArrayCount((void**)sigd->rawCerts);
-    for (i=0; i < count; i++) {
-       if (sigd->certs && CFArrayGetCount(sigd->certs) > i) {
-           cert = (SecCertificateRef)CFArrayGetValueAtIndex(sigd->certs, i);
-           CFRetain(cert);
-       } else {
-           cert = CERT_FindCertByDERCert(keychainOrArray, sigd->rawCerts[i]);
-           if (!cert) {
-               rv = SECFailure;
-               break;
-           }
-       }
-       rv |= CERT_VerifyCert(keychainOrArray, cert, policies, CFAbsoluteTimeGetCurrent(), NULL);
-       CFRelease(cert);
-    }
-
-    return rv;
-}
-#else
 OSStatus
 SecCmsSignedDataVerifyCertsOnly(SecCmsSignedDataRef sigd, 
                                   SecKeychainRef keychainOrArray, 
@@ -640,7 +575,6 @@ SecCmsSignedDataVerifyCertsOnly(SecCmsSignedDataRef sigd,
 
     return rv;
 }
-#endif
 
 /*
  * SecCmsSignedDataHasDigests - see if we have digests in place
@@ -766,6 +700,9 @@ SecCmsSignedDataGetDigestByAlgTag(SecCmsSignedDataRef sigd, SECOidTag algtag)
 {
     int idx;
 
+    if(sigd == NULL || sigd->digests == NULL) {
+        return NULL;
+    }
     idx = SecCmsAlgArrayGetIndexByAlgTag(sigd->digestAlgorithms, algtag);
     return (idx >= 0)?(sigd->digests)[idx]:NULL;
 }
@@ -800,9 +737,11 @@ SecCmsSignedDataSetDigests(SecCmsSignedDataRef sigd,
 {
     int cnt, i, idx;
 
-    if (sigd->digestAlgorithms == NULL) {
-       PORT_SetError(SEC_ERROR_INVALID_ARGS);
-       return SECFailure;
+    /* Check input structure and items in structure */
+    if (sigd == NULL || sigd->digestAlgorithms == NULL || sigd->contentInfo.cmsg == NULL ||
+        sigd->contentInfo.cmsg->poolp == NULL) {
+        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        return SECFailure;
     }
 
     /* Since we'll generate a empty digest for content-less messages