| blob | 81ece5473dbe2914b334358d69d50a96adee440d |
1 /* ***** BEGIN LICENSE BLOCK *****
2 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
3 *
4 * The contents of this file are subject to the Mozilla Public License Version
5 * 1.1 (the "License"); you may not use this file except in compliance with
6 * the License. You may obtain a copy of the License at
7 * http://www.mozilla.org/MPL/
8 *
9 * Software distributed under the License is distributed on an "AS IS" basis,
10 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
11 * for the specific language governing rights and limitations under the
12 * License.
13 *
14 * The Original Code is the Netscape security libraries.
15 *
16 * The Initial Developer of the Original Code is
17 * Netscape Communications Corporation.
18 * Portions created by the Initial Developer are Copyright (C) 1994-2000
19 * the Initial Developer. All Rights Reserved.
20 *
21 * Contributor(s):
22 *
23 * Alternatively, the contents of this file may be used under the terms of
24 * either the GNU General Public License Version 2 or later (the "GPL"), or
25 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
26 * in which case the provisions of the GPL or the LGPL are applicable instead
27 * of those above. If you wish to allow use of your version of this file only
28 * under the terms of either the GPL or the LGPL, and not to allow others to
29 * use your version of this file under the terms of the MPL, indicate your
30 * decision by deleting the provisions above and replace them with the notice
31 * and other provisions required by the GPL or the LGPL. If you do not delete
32 * the provisions above, a recipient may use your version of this file under
33 * the terms of any one of the MPL, the GPL or the LGPL.
34 *
35 * ***** END LICENSE BLOCK ***** */
37 /*
38 * CMS signedData methods.
39 *
40 * $Id: cmssigdata.c,v 1.29 2005/06/27 22:21:18 julien.pierre.bugs%sun.com Exp $
41 */
46 /*#include "cdbhdl.h"*/
53 NSSCMSSignedData *
55 {
63 }
75 /* signerInfos, certs, certlists, crls are all empty */
76 /* version is set in NSS_CMSSignedData_Finalize() */
81 loser:
84 }
86 void
88 {
104 }
109 }
114 }
119 }
121 /* everything's in a pool, so don't worry about the storage */
124 }
126 /*
127 * NSS_CMSSignedData_Encode_BeforeStart - do all the necessary things to a SignedData
128 * before start of encoding.
129 *
130 * In detail:
131 * - find out about the right value to put into sigd->version
132 * - come up with a list of digestAlgorithms (which should be the union of the algorithms
133 * in the signerinfos).
134 * If we happen to have a pre-set list of algorithms (and digest values!), we
135 * check if we have all the signerinfos' algorithms. If not, this is an error.
136 */
137 SECStatus
139 {
141 SECOidTag digestalgtag;
144 SECStatus rv;
152 }
156 /* we assume that we have precomputed digests if there is a list of algorithms, and */
157 /* a chunk of data for each of those algorithms */
162 }
165 }
169 /* RFC2630 5.1 "version is the syntax version number..." */
173 /* prepare all the SignerInfos (there may be none) */
177 /* RFC2630 5.1 "version is the syntax version number..." */
181 /* collect digestAlgorithms from SignerInfos */
182 /* (we need to know which algorithms we have when the content comes in) */
183 /* do not overwrite any existing digestAlgorithms (and digest) */
187 /* oops, there is a digestalg we do not have a digest for */
188 /* but we were supposed to have all the digests already... */
191 /* add the digestAlgorithm & a NULL digest */
196 /* found it, nothing to do */
197 }
198 }
204 /* this is a SET OF, so we need to sort them guys */
213 loser:
215 }
217 SECStatus
219 {
223 }
224 /* set up the digests */
232 }
234 }
236 /*
237 * NSS_CMSSignedData_Encode_AfterData - do all the necessary things to a SignedData
238 * after all the encapsulated data was passed through the encoder.
239 *
240 * In detail:
241 * - create the signatures in all the SignerInfos
242 *
243 * Please note that nothing is done to the Certificates and CRLs in the message - this
244 * is entirely the responsibility of our callers.
245 */
246 SECStatus
248 {
251 SECOidTag digestalgtag;
253 SECStatus rv;
264 }
269 /* did we have digest calculation going on? */
273 /* error has been set by NSS_CMSDigestContext_FinishMultiple */
277 }
282 /* prepare all the SignerInfos (there may be none) */
286 /* find correct digest for this signerinfo */
290 /* oops - digest not found */
293 }
295 /* XXX if our content is anything else but data, we need to force the
296 * presence of signed attributes (RFC2630 5.3 "signedAttributes is a
297 * collection...") */
299 /* pass contentType here as we want a contentType attribute */
303 /* sign the thing */
308 /* while we're at it, count number of certs in certLists */
312 }
314 /* this is a SET OF, so we need to sort them guys */
319 /*
320 * now prepare certs & crls
321 */
323 /* count the rest of the certs */
326 certcount++;
327 }
332 }
337 /*
338 * Combine all of the certs and cert chains into rawcerts.
339 * Note: certcount is an upper bound; we may not need that many slots
340 * but we will allocate anyway to avoid having to do another pass.
341 * (The temporary space saving is not worth it.)
342 *
343 * XXX ARGH - this NEEDS to be fixed. need to come up with a decent
344 * SetOfDERcertficates implementation
345 */
350 /*
351 * XXX Want to check for duplicates and not add *any* cert that is
352 * already in the set. This will be more important when we start
353 * dealing with larger sets of certs, dual-key certs (signing and
354 * encryption), etc. For the time being we can slide by...
355 *
356 * XXX ARGH - this NEEDS to be fixed. need to come up with a decent
357 * SetOfDERcertficates implementation
358 */
365 }
366 }
371 }
377 }
378 }
382 /* this is a SET OF, so we need to sort them guys - we have the DER already, though */
384 }
388 loser:
390 }
392 SECStatus
394 {
398 }
399 /* set up the digests */
401 /* if digests are already there, do nothing */
405 }
407 }
409 /*
410 * NSS_CMSSignedData_Decode_AfterData - do all the necessary things to a
411 * SignedData after all the encapsulated data was passed through the decoder.
412 */
413 SECStatus
415 {
421 }
423 /* did we have digest calculation going on? */
427 /* error set by NSS_CMSDigestContext_FinishMultiple */
429 }
431 }
433 /*
434 * NSS_CMSSignedData_Decode_AfterEnd - do all the necessary things to a SignedData
435 * after all decoding is finished.
436 */
437 SECStatus
439 {
446 }
448 /* set cmsg for all the signerinfos */
451 /* set cmsg for all the signerinfos */
455 }
458 }
460 /*
461 * NSS_CMSSignedData_GetSignerInfos - retrieve the SignedData's signer list
462 */
463 NSSCMSSignerInfo **
465 {
469 }
471 }
473 int
475 {
479 }
481 }
483 NSSCMSSignerInfo *
485 {
489 }
491 }
493 /*
494 * NSS_CMSSignedData_GetDigestAlgs - retrieve the SignedData's digest algorithm list
495 */
496 SECAlgorithmID **
498 {
502 }
504 }
506 /*
507 * NSS_CMSSignedData_GetContentInfo - return pointer to this signedData's contentinfo
508 */
509 NSSCMSContentInfo *
511 {
515 }
517 }
519 /*
520 * NSS_CMSSignedData_GetCertificateList - retrieve the SignedData's certificate list
521 */
522 SECItem **
524 {
528 }
530 }
532 SECStatus
535 {
540 SECStatus rv;
543 PRTime now;
548 }
552 /* get the certs in the temp DB */
557 }
559 /* save the certs so they don't get destroyed */
564 }
568 }
570 /* build a CertList for filtering */
575 }
582 }
584 /* filter out the certs we don't want */
588 }
590 /* go down the remaining list of certs and verify that they have
591 * valid chains, then import them.
592 */
601 }
606 }
608 /*
609 * CertChain returns an array of SECItems, import expects an array of
610 * SECItem pointers. Create the SECItem Pointers from the array of
611 * SECItems.
612 */
617 }
620 }
625 }
629 /* XXX CRL handling */
631 done:
633 /* fill in all signerinfo's certs */
637 }
639 loser:
640 /* now free everything */
643 }
646 }
649 }
651 /*
652 * XXX the digests need to be passed in BETWEEN the decoding and the verification in case
653 * of external signatures!
654 */
656 /*
657 * NSS_CMSSignedData_VerifySignerInfo - check the signatures.
658 *
659 * The digests were either calculated during decoding (and are stored in the
660 * signedData itself) or set after decoding using NSS_CMSSignedData_SetDigests.
661 *
662 * The verification checks if the signing cert is valid and has a trusted chain
663 * for the purpose specified by "certusage".
664 */
665 SECStatus
668 {
673 SECOidTag oidTag;
674 SECStatus rv;
679 }
685 /* verify certificate */
690 /* find digest and contentType for signerinfo */
694 /* NULL digest is acceptable. */
696 /* NULL contentType is acceptable. */
698 /* now verify signature */
701 }
703 /*
704 * NSS_CMSSignedData_VerifyCertsOnly - verify the certs in a certs-only message
705 */
706 SECStatus
709 SECCertUsage usage)
710 {
715 PRTime now;
720 }
732 }
733 }
737 }
740 }
742 /*
743 * NSS_CMSSignedData_HasDigests - see if we have digests in place
744 */
745 PRBool
747 {
751 }
753 }
755 SECStatus
757 {
758 SECStatus rv;
763 }
765 /* XXX memory?? a certlist has an arena of its own and is not refcounted!?!? */
769 }
771 /*
772 * NSS_CMSSignedData_AddCertChain - add cert and its entire chain to the set of certs
773 */
774 SECStatus
776 {
778 SECCertUsage usage;
779 SECStatus rv;
786 }
788 /* do not include root */
796 }
798 extern SECStatus
800 {
802 SECStatus rv;
807 }
812 }
814 SECStatus
816 {
818 SECStatus rv;
823 }
828 }
830 PRBool
832 {
836 }
841 else
843 }
845 SECStatus
848 {
850 SECStatus rv;
851 SECOidTag digestalgtag;
857 }
863 /* add signerinfo */
868 /*
869 * add empty digest
870 * Empty because we don't have it yet. Either it gets created during encoding
871 * (if the data is present) or has to be set externally.
872 * XXX maybe pass it in optionally?
873 */
879 /*
880 * The last thing to get consistency would be adding the digest.
881 */
886 loser:
889 }
891 /*
892 * NSS_CMSSignedData_SetDigests - set a signedData's digests member
893 *
894 * "digestalgs" - array of digest algorithm IDs
895 * "digests" - array of digests corresponding to the digest algorithms
896 */
897 SECStatus
901 {
907 }
912 }
914 /* we assume that the digests array is just not there yet */
919 }
921 /* now allocate one (same size as digestAlgorithms) */
927 }
930 /* try to find the sigd's i'th digest algorithm in the array we passed in */
935 }
937 /* We have no digest for this algorithm, probably because it is
938 ** unrecognized or unsupported. We'll ignore this here. If this
939 ** digest is needed later, an error will be be generated then.
940 */
942 }
944 /* found it - now set it */
947 {
950 }
951 }
953 }
955 SECStatus
957 SECOidTag digestalgtag,
959 {
968 }
978 /* copy digestdata item to arena (in case we have it and are not only making room) */
981 }
983 /* now allocate one (same size as digestAlgorithms) */
990 }
991 }
997 /* if not found, add a digest */
1002 /* replace NULL pointer with digest item (and leak previous value) */
1004 }
1009 loser:
1012 }
1014 SECStatus
1017 SECOidTag digestalgtag,
1019 {
1026 }
1034 if (SECOID_SetAlgorithmID (poolp, digestalg, digestalgtag, NULL) != SECSuccess) /* no params */
1037 if (NSS_CMSArray_Add(poolp, (void ***)&(sigd->digestAlgorithms), (void *)digestalg) != SECSuccess ||
1038 /* even if digest is NULL, add dummy to have same-size array */
1040 {
1042 }
1047 loser:
1050 }
1052 /* XXX This function doesn't set the error code on failure. */
1053 SECItem *
1055 {
1061 }
1066 }
1071 }
1073 /* =============================================================================
1074 * Misc. utility functions
1075 */
1077 /*
1078 * NSS_CMSSignedData_CreateCertsOnly - create a certs-only SignedData.
1079 *
1080 * cert - base certificates that will be included
1081 * include_chain - if true, include the complete cert chain for cert
1082 *
1083 * More certs and chains can be added via AddCertificate and AddCertChain.
1084 *
1085 * An error results in a return value of NULL and an error set.
1086 *
1087 * XXXX CRLs
1088 */
1089 NSSCMSSignedData *
1090 NSS_CMSSignedData_CreateCertsOnly(NSSCMSMessage *cmsg, CERTCertificate *cert, PRBool include_chain)
1091 {
1095 SECStatus rv;
1100 }
1109 /* no signerinfos, thus no digestAlgorithms */
1111 /* but certs */
1116 }
1120 /* RFC2630 5.2 sez:
1121 * In the degenerate case where there are no signers, the
1122 * EncapsulatedContentInfo value being "signed" is irrelevant. In this
1123 * case, the content type within the EncapsulatedContentInfo value being
1124 * "signed" should be id-data (as defined in section 4), and the content
1125 * field of the EncapsulatedContentInfo value should be omitted.
1126 */
1134 loser:
1139 }
1141 /* TODO:
1142 * NSS_CMSSignerInfo_GetReceiptRequest()
1143 * NSS_CMSSignedData_HasReceiptRequest()
1144 * easy way to iterate over signers
1145 */