#include <security_asn1/secerr.h>
#include <security_asn1/secport.h>
-#if USE_CDSA_CRYPTO
-#include <Security/SecKeychain.h>
-#endif
-
#include <Security/SecIdentity.h>
#include <Security/SecCertificateInternal.h>
#include <Security/SecInternal.h>
if (!subjKeyID)
goto loser;
signerinfo->signerIdentifier.id.subjectKeyID = PORT_ArenaNew(poolp, SecAsn1Item);
- SECITEM_CopyItem(poolp, signerinfo->signerIdentifier.id.subjectKeyID,
- subjKeyID);
+ if (SECITEM_CopyItem(poolp, signerinfo->signerIdentifier.id.subjectKeyID,
+ subjKeyID)) {
+ goto loser;
+ }
signerinfo->pubKey = SECKEY_CopyPublicKey(pubKey);
if (!signerinfo->pubKey)
goto loser;
privkey = signerinfo->signingKey;
signerinfo->signingKey = NULL;
cert = signerinfo->cert;
-#if USE_CDSA_CRYPTO
- if (SecCertificateGetAlgorithmID(cert,&algID)) {
- PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
- goto loser;
- }
-#else
_algID = SecCertificateGetPublicKeyAlgorithmID(cert);
algID = &_algID;
-#endif
break;
case SecCmsSignerIDSubjectKeyID:
privkey = signerinfo->signingKey;
signerinfo->signingKey = NULL;
-#if 0
- spki = SECKEY_CreateSubjectPublicKeyInfo(signerinfo->pubKey);
- SECKEY_DestroyPublicKey(signerinfo->pubKey);
- signerinfo->pubKey = NULL;
- SECOID_CopyAlgorithmID(NULL, &freeAlgID, &spki->algorithm);
- SECKEY_DestroySubjectPublicKeyInfo(spki);
- algID = &freeAlgID;
-#else
-#if USE_CDSA_CRYPTO
- if (SecKeyGetAlgorithmID(signerinfo->pubKey,&algID)) {
- PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
- goto loser;
- }
-#endif
-#endif
CFRelease(signerinfo->pubKey);
signerinfo->pubKey = NULL;
break;
goto loser;
}
-#if USE_CDSA_CRYPTO
- if (signerinfo->signerIdentifier.identifierType == SecCmsSignerIDSubjectKeyID) {
- SECOID_DestroyAlgorithmID(&freeAlgID, PR_FALSE);
- }
-#endif
-#if 0
- // @@@ Not yet
- /* Fortezza MISSI have weird signature formats.
- * Map them to standard DSA formats
- */
- pubkAlgTag = PK11_FortezzaMapSig(pubkAlgTag);
-#endif
-
if (signerinfo->authAttr != NULL) {
SecAsn1Item encoded_attrs;
&encoded_attrs) == NULL)
goto loser;
-#if USE_CDSA_CRYPTO
- rv = SEC_SignData(&signature, encoded_attrs.Data, encoded_attrs.Length,
- privkey, digestalgtag, pubkAlgTag);
-#else
signature.Length = SecKeyGetSize(privkey, kSecKeySignatureSize);
signature.Data = PORT_ZAlloc(signature.Length);
if (!signature.Data) {
PORT_ZFree(signature.Data, signature.Length);
signature.Length = 0;
}
-#endif
PORT_FreeArena(tmppoolp, PR_FALSE); /* awkward memory management :-( */
tmppoolp = 0;
return SECFailure;
}
-#if !USE_CDSA_CRYPTO
static CFArrayRef
SecCmsSignerInfoCopySigningCertificates(SecCmsSignerInfoRef signerinfo)
{
}
return certs;
}
-#endif
OSStatus
SecCmsSignerInfoVerifyCertificate(SecCmsSignerInfoRef signerinfo, SecKeychainRef keychainOrArray,
CFAbsoluteTime stime;
OSStatus rv;
-#if USE_CDSA_CRYPTO
- SecCertificateRef cert;
-
- if ((cert = SecCmsSignerInfoGetSigningCertificate(signerinfo, keychainOrArray)) == NULL) {
-#else
CFArrayRef certs;
if ((certs = SecCmsSignerInfoCopySigningCertificates(signerinfo)) == NULL) {
-#endif
signerinfo->verificationStatus = SecCmsVSSigningCertNotFound;
return SECFailure;
}
if (SecCmsSignerInfoGetSigningTime(signerinfo, &stime) != SECSuccess)
stime = CFAbsoluteTimeGetCurrent();
-#if USE_CDSA_CRYPTO
- rv = CERT_VerifyCert(keychainOrArray, cert, policies, stime, trustRef);
-#else
rv = CERT_VerifyCert(keychainOrArray, certs, policies, stime, trustRef);
CFRelease(certs);
-#endif
if (rv || !trustRef)
{
if (PORT_GetError() == SEC_ERROR_UNTRUSTED_CERT)
{
/* Signature or digest level verificationStatus errors should supercede certificate level errors, so only change the verificationStatus if the status was GoodSignature. */
-#if 0
-#warning DEBUG - SecCmsSignerInfoVerifyCertificate trusts everything!
- if (signerinfo->verificationStatus == SecCmsVSGoodSignature) {
- syslog(LOG_ERR, "SecCmsSignerInfoVerifyCertificate ignoring SEC_ERROR_UNTRUSTED_CERT");
- rv = SECSuccess;
- }
-#else
if (signerinfo->verificationStatus == SecCmsVSGoodSignature)
signerinfo->verificationStatus = SecCmsVSSigningCertNotTrusted;
-#endif
}
}
SecCertificateRef cert;
SecCmsVerificationStatus vs = SecCmsVSUnverified;
PLArenaPool *poolp;
- SECOidTag digestAlgTag, digestEncAlgTag;
if (signerinfo == NULL)
return SECFailure;
goto loser;
}
-#if USE_CDSA_CRYPTO
- if (SecCertificateCopyPublicKey(cert, &publickey)) {
- vs = SecCmsVSProcessingError;
- goto loser;
- }
-#else
publickey = SecCertificateCopyPublicKey(cert);
if (publickey == NULL)
goto loser;
-#endif
- digestAlgTag = SECOID_GetAlgorithmTag(&(signerinfo->digestAlg));
- digestEncAlgTag = SECOID_GetAlgorithmTag(&(signerinfo->digestEncAlg));
if (!SecCmsArrayIsEmpty((void **)signerinfo->authAttr)) {
if (contentType) {
/*
/* @@@ Make sure we search though all the certs in the cms message itself as well, it's silly
to require them to be added to a keychain first. */
-#if USE_CDSA_CRYPTO
- SecCmsSignerIdentifier *sid;
-
- /*
- * This cert will also need to be freed, but since we save it
- * in signerinfo for later, we do not want to destroy it when
- * we leave this function -- we let the clean-up of the entire
- * cinfo structure later do the destroy of this cert.
- */
- sid = &signerinfo->signerIdentifier;
- switch (sid->identifierType) {
- case SecCmsSignerIDIssuerSN:
- cert = CERT_FindCertByIssuerAndSN(keychainOrArray, sid->id.issuerAndSN);
- break;
- case SecCmsSignerIDSubjectKeyID:
- cert = CERT_FindCertBySubjectKeyID(keychainOrArray, sid->id.subjectKeyID);
- break;
- default:
- cert = NULL;
- break;
- }
-
- /* cert can be NULL at that point */
- signerinfo->cert = cert; /* earmark it */
-#else
SecAsn1Item **cert_datas = signerinfo->signedData->rawCerts;
SecAsn1Item *cert_data;
if (cert_datas) while ((cert_data = *cert_datas) != NULL) {
cert = CERT_FindCertificateByIssuerAndSN(signerinfo->signedData->certs, signerinfo->signerIdentifier.id.issuerAndSN);
signerinfo->cert = cert;
}
-#endif
return cert;
}
if ((signercert = SecCmsSignerInfoGetSigningCertificate(sinfo, NULL)) == NULL)
return NULL;
-#if USE_CDSA_CRYPTO
- SecCertificateGetCommonName(signercert, &commonName);
-#else
CFArrayRef commonNames = SecCertificateCopyCommonNames(signercert);
if (commonNames) {
/* SecCertificateCopyCommonNames doesn't return empty arrays */
CFRetain(commonName);
CFRelease(commonNames);
}
-#endif
return commonName;
}
if ((signercert = SecCmsSignerInfoGetSigningCertificate(sinfo, NULL)) == NULL)
return NULL;
-#if USE_CDSA_CRYPTO
- SecCertificateGetEmailAddress(signercert, &emailAddress);
-#else
CFArrayRef names = SecCertificateCopyRFC822Names(signercert);
if (names) {
if (CFArrayGetCount(names) > 0)
CFRetain(emailAddress);
CFRelease(names);
}
-#endif
return emailAddress;
}
projects / apple / security.git / blobdiff