X-Git-Url: https://git.saurik.com/apple/security.git/blobdiff_plain/e3d460c9de4426da6c630c3ae3f46173a99f82d8..07691282a056c4efea71e1e505527601e8cc166b:/OSX/libsecurity_cms/lib/CMSEncoder.cpp?ds=inline

diff --git a/OSX/libsecurity_cms/lib/CMSEncoder.cpp b/OSX/libsecurity_cms/lib/CMSEncoder.cpp
index 4055192a..de3b2c1e 100644
--- a/OSX/libsecurity_cms/lib/CMSEncoder.cpp
+++ b/OSX/libsecurity_cms/lib/CMSEncoder.cpp
@@ -98,6 +98,8 @@ struct _CMSEncoder {
 
 	CMSCertificateChainMode chainMode;
     CFDataRef           hashAgilityAttrValue;
+    CFDictionaryRef     hashAgilityV2AttrValues;
+    CFAbsoluteTime      expirationTime;
 };
 
 static void cmsEncoderInit(CFTypeRef enc);
@@ -245,12 +247,12 @@ static int encodeOid(
 		for(digit=0; digit<numsToProcess; digit++) {
 			free(digits[digit]);
 		}
-		free(digits);
-		free(numDigits);
 	}
 	result = 0;
 
 cleanExit:
+    if (digits) free(digits);
+    if (numDigits) free(numDigits);
 	if (oidStr) CFRelease(oidStr);
 	if (argvRef) CFRelease(argvRef);
 
@@ -279,12 +281,20 @@ static int convertOid(
 		// CFStringRef: OID representation is a dotted-decimal string
 		CFStringRef inStr = (CFStringRef)inRef;
 		CFIndex max = CFStringGetLength(inStr) * 3;
-		char buf[max];
-		if (!CFStringGetCString(inStr, buf, max-1, kCFStringEncodingASCII))
+		char *buf = (char *)malloc(max);
+		if (!buf) {
+			return errSecMemoryError;
+		}
+		if (!CFStringGetCString(inStr, buf, max-1, kCFStringEncodingASCII)) {
+			free(buf);
 			return errSecParam;
+		}
 
-		if(encodeOid((unsigned char *)buf, &oidData, &oidLen) != 0)
+		if (encodeOid((unsigned char *)buf, &oidData, &oidLen) != 0) {
+			free(buf);
 			return errSecParam;
+		}
+		free(buf);
 	}
 	else if (CFGetTypeID(inRef) == CFDataGetTypeID()) {
 		// CFDataRef: OID representation is in binary DER format
@@ -336,6 +346,7 @@ static void cmsEncoderFinalize(
 	CFRELEASE(cmsEncoder->otherCerts);
 	if(cmsEncoder->cmsMsg != NULL) {
 		SecCmsMessageDestroy(cmsEncoder->cmsMsg);
+		cmsEncoder->cmsMsg = NULL;
 	}
 	if(cmsEncoder->arena != NULL) {
 		SecArenaPoolFree(cmsEncoder->arena, false);
@@ -444,7 +455,6 @@ static OSStatus cmsSetupForSignedData(
 		numSigners = CFArrayGetCount(cmsEncoder->signers);
 	}
 	CFIndex dex;
-	SecKeychainRef ourKc = NULL;
 	SecCertificateRef ourCert = NULL;
 	SecCmsCertChainMode chainMode = SecCmsCMCertChain;
 
@@ -471,11 +481,6 @@ static OSStatus cmsSetupForSignedData(
 			CSSM_PERROR("SecIdentityCopyCertificate", ortn);
 			break;
 		}
-		ortn = SecKeychainItemCopyKeychain((SecKeychainItemRef)ourCert, &ourKc);
-		if(ortn) {
-			CSSM_PERROR("SecKeychainItemCopyKeychain", ortn);
-			break;
-		}
 		signerInfo = SecCmsSignerInfoCreate(cmsEncoder->cmsMsg, ourId, cmsEncoder->digestalgtag);
 		if (signerInfo == NULL) {
 			ortn = errSecInternalComponent;
@@ -502,7 +507,7 @@ static OSStatus cmsSetupForSignedData(
 			}
 		}
 		if(cmsEncoder->signedAttributes & kCMSAttrSmimeEncryptionKeyPrefs) {
-			ortn = SecCmsSignerInfoAddSMIMEEncKeyPrefs(signerInfo, ourCert, ourKc);
+			ortn = SecCmsSignerInfoAddSMIMEEncKeyPrefs(signerInfo, ourCert, NULL);
 			if(ortn) {
 				ortn = cmsRtnToOSStatus(ortn);
 				CSSM_PERROR("SecCmsSignerInfoAddSMIMEEncKeyPrefs", ortn);
@@ -510,7 +515,7 @@ static OSStatus cmsSetupForSignedData(
 			}
 		}
 		if(cmsEncoder->signedAttributes & kCMSAttrSmimeMSEncryptionKeyPrefs) {
-			ortn = SecCmsSignerInfoAddMSSMIMEEncKeyPrefs(signerInfo, ourCert, ourKc);
+			ortn = SecCmsSignerInfoAddMSSMIMEEncKeyPrefs(signerInfo, ourCert, NULL);
 			if(ortn) {
 				ortn = cmsRtnToOSStatus(ortn);
 				CSSM_PERROR("SecCmsSignerInfoAddMSSMIMEEncKeyPrefs", ortn);
@@ -537,6 +542,24 @@ static OSStatus cmsSetupForSignedData(
                 break;
             }
         }
+        if(cmsEncoder->signedAttributes & kCMSAttrAppleCodesigningHashAgilityV2) {
+            ortn = SecCmsSignerInfoAddAppleCodesigningHashAgilityV2(signerInfo, cmsEncoder->hashAgilityV2AttrValues);
+            /* libsecurity_smime made a copy of the attribute value. We don't need it anymore. */
+            CFReleaseNull(cmsEncoder->hashAgilityV2AttrValues);
+            if(ortn) {
+                ortn = cmsRtnToOSStatus(ortn);
+                CSSM_PERROR("SecCmsSignerInfoAddAppleCodesigningHashAgilityV2", ortn);
+                break;
+            }
+        }
+        if (cmsEncoder->signedAttributes & kCMSAttrAppleExpirationTime) {
+            ortn = SecCmsSignerInfoAddAppleExpirationTime(signerInfo, cmsEncoder->expirationTime);
+            if(ortn) {
+                ortn = cmsRtnToOSStatus(ortn);
+                CSSM_PERROR("SecCmsSignerInfoAddAppleExpirationTime", ortn);
+                break;
+            }
+        }
 		
 		ortn = SecCmsSignedDataAddSignerInfo(signedData, signerInfo);
 		if(ortn) {
@@ -545,13 +568,10 @@ static OSStatus cmsSetupForSignedData(
 			break;
 		}
 
-		CFRELEASE(ourKc);
 		CFRELEASE(ourCert);
-		ourKc = NULL;
 		ourCert = NULL;
 	}
 	if(ortn) {
-		CFRELEASE(ourKc);
 		CFRELEASE(ourCert);
 	}
 	return ortn;
@@ -1032,6 +1052,40 @@ OSStatus CMSEncoderSetAppleCodesigningHashAgility(
     return errSecSuccess;
 }
 
+/*
+ * Set the hash agility attribute for a CMSEncoder.
+ * This is only used if the kCMSAttrAppleCodesigningHashAgilityV2 attribute
+ * is included.
+ */
+OSStatus CMSEncoderSetAppleCodesigningHashAgilityV2(
+    CMSEncoderRef   cmsEncoder,
+    CFDictionaryRef       hashAgilityV2AttrValues)
+{
+    if (cmsEncoder == NULL || cmsEncoder->encState != ES_Init) {
+        return errSecParam;
+    }
+    cmsEncoder->hashAgilityV2AttrValues = CFRetainSafe(hashAgilityV2AttrValues);
+    return errSecSuccess;
+}
+
+/*
+ * Set the expiration time for a CMSEncoder.
+ * This is only used if the kCMSAttrAppleExpirationTime attribute is included.
+ */
+OSStatus CMSEncoderSetAppleExpirationTime(
+    CMSEncoderRef        cmsEncoder,
+    CFAbsoluteTime        time)
+{
+    if(cmsEncoder == NULL) {
+        return errSecParam;
+    }
+    if(cmsEncoder->encState != ES_Init) {
+        return errSecParam;
+    }
+    cmsEncoder->expirationTime = time;
+    return errSecSuccess;
+}
+
 OSStatus CMSEncoderSetCertificateChainMode(
 	CMSEncoderRef			cmsEncoder,
 	CMSCertificateChainMode	chainMode)