X-Git-Url: https://git.saurik.com/apple/security.git/blobdiff_plain/ecaf5866106b8f08bdb7c1b4f489ef4dfd01278a..7e6b461318c8a779d91381531435a68ee4e8b6ed:/OSX/libsecurity_cms/lib/CMSEncoder.cpp?ds=inline

diff --git a/OSX/libsecurity_cms/lib/CMSEncoder.cpp b/OSX/libsecurity_cms/lib/CMSEncoder.cpp
index f8cb11be..27d6810d 100644
--- a/OSX/libsecurity_cms/lib/CMSEncoder.cpp
+++ b/OSX/libsecurity_cms/lib/CMSEncoder.cpp
@@ -25,8 +25,8 @@
  * CMSEncoder.cpp - encode, sign, and/or encrypt CMS messages. 
  */
  
-#include "CMSEncoder.h"
-#include "CMSPrivate.h"
+#include <Security/CMSEncoder.h>
+#include <Security/CMSPrivate.h>
 #include "CMSUtils.h"
 #include <Security/SecBase.h>
 #include <Security/SecCmsEncoder.h>
@@ -99,6 +99,7 @@ struct _CMSEncoder {
 	CMSCertificateChainMode chainMode;
     CFDataRef           hashAgilityAttrValue;
     CFDictionaryRef     hashAgilityV2AttrValues;
+    CFAbsoluteTime      expirationTime;
 };
 
 static void cmsEncoderInit(CFTypeRef enc);
@@ -280,12 +281,20 @@ static int convertOid(
 		// CFStringRef: OID representation is a dotted-decimal string
 		CFStringRef inStr = (CFStringRef)inRef;
 		CFIndex max = CFStringGetLength(inStr) * 3;
-		char buf[max];
-		if (!CFStringGetCString(inStr, buf, max-1, kCFStringEncodingASCII))
+		char *buf = (char *)malloc(max);
+		if (!buf) {
+			return errSecMemoryError;
+		}
+		if (!CFStringGetCString(inStr, buf, max-1, kCFStringEncodingASCII)) {
+			free(buf);
 			return errSecParam;
+		}
 
-		if(encodeOid((unsigned char *)buf, &oidData, &oidLen) != 0)
+		if (encodeOid((unsigned char *)buf, &oidData, &oidLen) != 0) {
+			free(buf);
 			return errSecParam;
+		}
+		free(buf);
 	}
 	else if (CFGetTypeID(inRef) == CFDataGetTypeID()) {
 		// CFDataRef: OID representation is in binary DER format
@@ -459,6 +468,9 @@ static OSStatus cmsSetupForSignedData(
 		case kCMSCertificateChainWithRoot:
 			chainMode = SecCmsCMCertChainWithRoot;
 			break;
+		case kCMSCertificateChainWithRootOrFail:
+			chainMode = SecCmsCMCertChainWithRootOrFail;
+			break;
 		default:
 			break;
 	}
@@ -543,6 +555,14 @@ static OSStatus cmsSetupForSignedData(
                 break;
             }
         }
+        if (cmsEncoder->signedAttributes & kCMSAttrAppleExpirationTime) {
+            ortn = SecCmsSignerInfoAddAppleExpirationTime(signerInfo, cmsEncoder->expirationTime);
+            if(ortn) {
+                ortn = cmsRtnToOSStatus(ortn);
+                CSSM_PERROR("SecCmsSignerInfoAddAppleExpirationTime", ortn);
+                break;
+            }
+        }
 		
 		ortn = SecCmsSignedDataAddSignerInfo(signedData, signerInfo);
 		if(ortn) {
@@ -1051,6 +1071,24 @@ OSStatus CMSEncoderSetAppleCodesigningHashAgilityV2(
     return errSecSuccess;
 }
 
+/*
+ * Set the expiration time for a CMSEncoder.
+ * This is only used if the kCMSAttrAppleExpirationTime attribute is included.
+ */
+OSStatus CMSEncoderSetAppleExpirationTime(
+    CMSEncoderRef        cmsEncoder,
+    CFAbsoluteTime        time)
+{
+    if(cmsEncoder == NULL) {
+        return errSecParam;
+    }
+    if(cmsEncoder->encState != ES_Init) {
+        return errSecParam;
+    }
+    cmsEncoder->expirationTime = time;
+    return errSecSuccess;
+}
+
 OSStatus CMSEncoderSetCertificateChainMode(
 	CMSEncoderRef			cmsEncoder,
 	CMSCertificateChainMode	chainMode)
@@ -1066,6 +1104,7 @@ OSStatus CMSEncoderSetCertificateChainMode(
 		case kCMSCertificateSignerOnly:
 		case kCMSCertificateChain:
 		case kCMSCertificateChainWithRoot:
+		case kCMSCertificateChainWithRootOrFail:
 			break;
 		default:
 			return errSecParam;