search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Import from 1.9a8 tarball
[mozilla-nss.git] / security / nss / lib / smime / cmst.h
blobb5de52b109ba7e87d3f28fada2f53634ca0326d8
1 /* ***** BEGIN LICENSE BLOCK *****
2 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
3 *
4 * The contents of this file are subject to the Mozilla Public License Version
5 * 1.1 (the "License"); you may not use this file except in compliance with
6 * the License. You may obtain a copy of the License at
7 * http://www.mozilla.org/MPL/
8 *
9 * Software distributed under the License is distributed on an "AS IS" basis,
10 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
11 * for the specific language governing rights and limitations under the
12 * License.
13 *
14 * The Original Code is the Netscape security libraries.
15 *
16 * The Initial Developer of the Original Code is
17 * Netscape Communications Corporation.
18 * Portions created by the Initial Developer are Copyright (C) 1994-2000
19 * the Initial Developer. All Rights Reserved.
20 *
21 * Contributor(s):
22 *
23 * Alternatively, the contents of this file may be used under the terms of
24 * either the GNU General Public License Version 2 or later (the "GPL"), or
25 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
26 * in which case the provisions of the GPL or the LGPL are applicable instead
27 * of those above. If you wish to allow use of your version of this file only
28 * under the terms of either the GPL or the LGPL, and not to allow others to
29 * use your version of this file under the terms of the MPL, indicate your
30 * decision by deleting the provisions above and replace them with the notice
31 * and other provisions required by the GPL or the LGPL. If you do not delete
32 * the provisions above, a recipient may use your version of this file under
33 * the terms of any one of the MPL, the GPL or the LGPL.
34 *
35 * ***** END LICENSE BLOCK ***** */
36
37 /*
38 * Header for CMS types.
39 *
40 * $Id: cmst.h,v 1.10 2005/06/27 22:21:19 julien.pierre.bugs%sun.com Exp $
41 */
42
43 #ifndef _CMST_H_
44 #define _CMST_H_
45
46 #include "seccomon.h"
47 #include "secoidt.h"
48 #include "certt.h"
49 #include "secmodt.h"
50 #include "secmodt.h"
51
52 #include "plarena.h"
53
54 /* Non-opaque objects. NOTE, though: I want them to be treated as
55 * opaque as much as possible. If I could hide them completely,
56 * I would. (I tried, but ran into trouble that was taking me too
57 * much time to get out of.) I still intend to try to do so.
58 * In fact, the only type that "outsiders" should even *name* is
59 * NSSCMSMessage, and they should not reference its fields.
60 */
61 /* rjr: PKCS #11 cert handling (pk11cert.c) does use NSSCMSRecipientInfo's.
62 * This is because when we search the recipient list for the cert and key we
63 * want, we need to invert the order of the loops we used to have. The old
64 * loops were:
65 *
66 * For each recipient {
67 * find_cert = PK11_Find_AllCert(recipient->issuerSN);
68 * [which unrolls to... ]
69 * For each slot {
70 * Log into slot;
71 * search slot for cert;
72 * }
73 * }
74 *
75 * the new loop searchs all the recipients at once on a slot. this allows
76 * PKCS #11 to order slots in such a way that logout slots don't get checked
77 * if we can find the cert on a logged in slot. This eliminates lots of
78 * spurious password prompts when smart cards are installed... so why this
79 * comment? If you make NSSCMSRecipientInfo completely opaque, you need
80 * to provide a non-opaque list of issuerSN's (the only field PKCS#11 needs
81 * and fix up pk11cert.c first. NOTE: Only S/MIME calls this special PKCS #11
82 * function.
83 */
84
85 typedef struct NSSCMSMessageStr NSSCMSMessage;
86
87 typedef union NSSCMSContentUnion NSSCMSContent;
88 typedef struct NSSCMSContentInfoStr NSSCMSContentInfo;
89
90 typedef struct NSSCMSSignedDataStr NSSCMSSignedData;
91 typedef struct NSSCMSSignerInfoStr NSSCMSSignerInfo;
92 typedef struct NSSCMSSignerIdentifierStr NSSCMSSignerIdentifier;
93
94 typedef struct NSSCMSEnvelopedDataStr NSSCMSEnvelopedData;
95 typedef struct NSSCMSOriginatorInfoStr NSSCMSOriginatorInfo;
96 typedef struct NSSCMSRecipientInfoStr NSSCMSRecipientInfo;
97
98 typedef struct NSSCMSDigestedDataStr NSSCMSDigestedData;
99 typedef struct NSSCMSEncryptedDataStr NSSCMSEncryptedData;
100
101 typedef struct NSSCMSSMIMEKEAParametersStr NSSCMSSMIMEKEAParameters;
102
103 typedef struct NSSCMSAttributeStr NSSCMSAttribute;
104
105 typedef struct NSSCMSDecoderContextStr NSSCMSDecoderContext;
106 typedef struct NSSCMSEncoderContextStr NSSCMSEncoderContext;
107
108 typedef struct NSSCMSCipherContextStr NSSCMSCipherContext;
109 typedef struct NSSCMSDigestContextStr NSSCMSDigestContext;
110
111 /*
112 * Type of function passed to NSSCMSDecode or NSSCMSDecoderStart.
113 * If specified, this is where the content bytes (only) will be "sent"
114 * as they are recovered during the decoding.
115 * And:
116 * Type of function passed to NSSCMSEncode or NSSCMSEncoderStart.
117 * This is where the DER-encoded bytes will be "sent".
118 *
119 * XXX Should just combine this with NSSCMSEncoderContentCallback type
120 * and use a simpler, common name.
121 */
122 typedef void (*NSSCMSContentCallback)(void *arg, const char *buf, unsigned long len);
123
124 /*
125 * Type of function passed to NSSCMSDecode or NSSCMSDecoderStart
126 * to retrieve the decryption key. This function is intended to be
127 * used for EncryptedData content info's which do not have a key available
128 * in a certificate, etc.
129 */
130 typedef PK11SymKey *(*NSSCMSGetDecryptKeyCallback)(void *arg, SECAlgorithmID *algid);
131
132
133 /* =============================================================================
134 * ENCAPSULATED CONTENTINFO & CONTENTINFO
135 */
136
137 union NSSCMSContentUnion {
138 /* either unstructured */
139 SECItem * data;
140 /* or structured data */
141 NSSCMSDigestedData * digestedData;
142 NSSCMSEncryptedData * encryptedData;
143 NSSCMSEnvelopedData * envelopedData;
144 NSSCMSSignedData * signedData;
145 /* or anonymous pointer to something */
146 void * pointer;
147 };
148
149 struct NSSCMSContentInfoStr {
150 SECItem contentType;
151 NSSCMSContent content;
152 /* --------- local; not part of encoding --------- */
153 SECOidData * contentTypeTag;
154
155 /* additional info for encryptedData and envelopedData */
156 /* we waste this space for signedData and digestedData. sue me. */
157
158 SECAlgorithmID contentEncAlg;
159 SECItem * rawContent; /* encrypted DER, optional */
160 /* XXXX bytes not encrypted, but encoded? */
161 /* --------- local; not part of encoding --------- */
162 PK11SymKey * bulkkey; /* bulk encryption key */
163 int keysize; /* size of bulk encryption key
164 * (only used by creation code) */
165 SECOidTag contentEncAlgTag; /* oid tag of encryption algorithm
166 * (only used by creation code) */
167 NSSCMSCipherContext *ciphcx; /* context for en/decryption going on */
168 NSSCMSDigestContext *digcx; /* context for digesting going on */
169 };
170
171 /* =============================================================================
172 * MESSAGE
173 */
174
175 struct NSSCMSMessageStr {
176 NSSCMSContentInfo contentInfo; /* "outer" cinfo */
177 /* --------- local; not part of encoding --------- */
178 PLArenaPool * poolp;
179 PRBool poolp_is_ours;
180 int refCount;
181 /* properties of the "inner" data */
182 SECAlgorithmID ** detached_digestalgs;
183 SECItem ** detached_digests;
184 void * pwfn_arg;
185 NSSCMSGetDecryptKeyCallback decrypt_key_cb;
186 void * decrypt_key_cb_arg;
187 };
188
189 /* =============================================================================
190 * SIGNEDDATA
191 */
192
193 struct NSSCMSSignedDataStr {
194 SECItem version;
195 SECAlgorithmID ** digestAlgorithms;
196 NSSCMSContentInfo contentInfo;
197 SECItem ** rawCerts;
198 CERTSignedCrl ** crls;
199 NSSCMSSignerInfo ** signerInfos;
200 /* --------- local; not part of encoding --------- */
201 NSSCMSMessage * cmsg; /* back pointer to message */
202 SECItem ** digests;
203 CERTCertificate ** certs;
204 CERTCertificateList ** certLists;
205 CERTCertificate ** tempCerts; /* temporary certs, needed
206 * for example for signature
207 * verification */
208 };
209 #define NSS_CMS_SIGNED_DATA_VERSION_BASIC 1 /* what we *create* */
210 #define NSS_CMS_SIGNED_DATA_VERSION_EXT 3 /* what we *create* */
211
212 typedef enum {
213 NSSCMSVS_Unverified = 0,
214 NSSCMSVS_GoodSignature = 1,
215 NSSCMSVS_BadSignature = 2,
216 NSSCMSVS_DigestMismatch = 3,
217 NSSCMSVS_SigningCertNotFound = 4,
218 NSSCMSVS_SigningCertNotTrusted = 5,
219 NSSCMSVS_SignatureAlgorithmUnknown = 6,
220 NSSCMSVS_SignatureAlgorithmUnsupported = 7,
221 NSSCMSVS_MalformedSignature = 8,
222 NSSCMSVS_ProcessingError = 9
223 } NSSCMSVerificationStatus;
224
225 typedef enum {
226 NSSCMSSignerID_IssuerSN = 0,
227 NSSCMSSignerID_SubjectKeyID = 1
228 } NSSCMSSignerIDSelector;
229
230 struct NSSCMSSignerIdentifierStr {
231 NSSCMSSignerIDSelector identifierType;
232 union {
233 CERTIssuerAndSN *issuerAndSN;
234 SECItem *subjectKeyID;
235 } id;
236 };
237
238 struct NSSCMSSignerInfoStr {
239 SECItem version;
240 NSSCMSSignerIdentifier signerIdentifier;
241 SECAlgorithmID digestAlg;
242 NSSCMSAttribute ** authAttr;
243 SECAlgorithmID digestEncAlg;
244 SECItem encDigest;
245 NSSCMSAttribute ** unAuthAttr;
246 /* --------- local; not part of encoding --------- */
247 NSSCMSMessage * cmsg; /* back pointer to message */
248 CERTCertificate * cert;
249 CERTCertificateList * certList;
250 PRTime signingTime;
251 NSSCMSVerificationStatus verificationStatus;
252 SECKEYPrivateKey * signingKey; /* Used if we're using subjKeyID*/
253 SECKEYPublicKey * pubKey;
254 };
255 #define NSS_CMS_SIGNER_INFO_VERSION_ISSUERSN 1 /* what we *create* */
256 #define NSS_CMS_SIGNER_INFO_VERSION_SUBJKEY 3 /* what we *create* */
257
258 typedef enum {
259 NSSCMSCM_None = 0,
260 NSSCMSCM_CertOnly = 1,
261 NSSCMSCM_CertChain = 2,
262 NSSCMSCM_CertChainWithRoot = 3
263 } NSSCMSCertChainMode;
264
265 /* =============================================================================
266 * ENVELOPED DATA
267 */
268 struct NSSCMSEnvelopedDataStr {
269 SECItem version;
270 NSSCMSOriginatorInfo * originatorInfo; /* optional */
271 NSSCMSRecipientInfo ** recipientInfos;
272 NSSCMSContentInfo contentInfo;
273 NSSCMSAttribute ** unprotectedAttr;
274 /* --------- local; not part of encoding --------- */
275 NSSCMSMessage * cmsg; /* back pointer to message */
276 };
277 #define NSS_CMS_ENVELOPED_DATA_VERSION_REG 0 /* what we *create* */
278 #define NSS_CMS_ENVELOPED_DATA_VERSION_ADV 2 /* what we *create* */
279
280 struct NSSCMSOriginatorInfoStr {
281 SECItem ** rawCerts;
282 CERTSignedCrl ** crls;
283 /* --------- local; not part of encoding --------- */
284 CERTCertificate ** certs;
285 };
286
287 /* -----------------------------------------------------------------------------
288 * key transport recipient info
289 */
290 typedef enum {
291 NSSCMSRecipientID_IssuerSN = 0,
292 NSSCMSRecipientID_SubjectKeyID = 1,
293 NSSCMSRecipientID_BrandNew = 2
294 } NSSCMSRecipientIDSelector;
295
296 struct NSSCMSRecipientIdentifierStr {
297 NSSCMSRecipientIDSelector identifierType;
298 union {
299 CERTIssuerAndSN *issuerAndSN;
300 SECItem *subjectKeyID;
301 } id;
302 };
303 typedef struct NSSCMSRecipientIdentifierStr NSSCMSRecipientIdentifier;
304
305 struct NSSCMSKeyTransRecipientInfoStr {
306 SECItem version;
307 NSSCMSRecipientIdentifier recipientIdentifier;
308 SECAlgorithmID keyEncAlg;
309 SECItem encKey;
310 };
311 typedef struct NSSCMSKeyTransRecipientInfoStr NSSCMSKeyTransRecipientInfo;
312
313 /*
314 * View comments before NSSCMSRecipientInfoStr for purpose of this
315 * structure.
316 */
317 struct NSSCMSKeyTransRecipientInfoExStr {
318 NSSCMSKeyTransRecipientInfo recipientInfo;
319 int version; /* version of this structure (0) */
320 SECKEYPublicKey *pubKey;
321 };
322
323 typedef struct NSSCMSKeyTransRecipientInfoExStr NSSCMSKeyTransRecipientInfoEx;
324
325 #define NSS_CMS_KEYTRANS_RECIPIENT_INFO_VERSION_ISSUERSN 0 /* what we *create* */
326 #define NSS_CMS_KEYTRANS_RECIPIENT_INFO_VERSION_SUBJKEY 2 /* what we *create* */
327
328 /* -----------------------------------------------------------------------------
329 * key agreement recipient info
330 */
331 struct NSSCMSOriginatorPublicKeyStr {
332 SECAlgorithmID algorithmIdentifier;
333 SECItem publicKey; /* bit string! */
334 };
335 typedef struct NSSCMSOriginatorPublicKeyStr NSSCMSOriginatorPublicKey;
336
337 typedef enum {
338 NSSCMSOriginatorIDOrKey_IssuerSN = 0,
339 NSSCMSOriginatorIDOrKey_SubjectKeyID = 1,
340 NSSCMSOriginatorIDOrKey_OriginatorPublicKey = 2
341 } NSSCMSOriginatorIDOrKeySelector;
342
343 struct NSSCMSOriginatorIdentifierOrKeyStr {
344 NSSCMSOriginatorIDOrKeySelector identifierType;
345 union {
346 CERTIssuerAndSN *issuerAndSN; /* static-static */
347 SECItem *subjectKeyID; /* static-static */
348 NSSCMSOriginatorPublicKey originatorPublicKey; /* ephemeral-static */
349 } id;
350 };
351 typedef struct NSSCMSOriginatorIdentifierOrKeyStr NSSCMSOriginatorIdentifierOrKey;
352
353 struct NSSCMSRecipientKeyIdentifierStr {
354 SECItem * subjectKeyIdentifier;
355 SECItem * date; /* optional */
356 SECItem * other; /* optional */
357 };
358 typedef struct NSSCMSRecipientKeyIdentifierStr NSSCMSRecipientKeyIdentifier;
359
360 typedef enum {
361 NSSCMSKeyAgreeRecipientID_IssuerSN = 0,
362 NSSCMSKeyAgreeRecipientID_RKeyID = 1
363 } NSSCMSKeyAgreeRecipientIDSelector;
364
365 struct NSSCMSKeyAgreeRecipientIdentifierStr {
366 NSSCMSKeyAgreeRecipientIDSelector identifierType;
367 union {
368 CERTIssuerAndSN *issuerAndSN;
369 NSSCMSRecipientKeyIdentifier recipientKeyIdentifier;
370 } id;
371 };
372 typedef struct NSSCMSKeyAgreeRecipientIdentifierStr NSSCMSKeyAgreeRecipientIdentifier;
373
374 struct NSSCMSRecipientEncryptedKeyStr {
375 NSSCMSKeyAgreeRecipientIdentifier recipientIdentifier;
376 SECItem encKey;
377 };
378 typedef struct NSSCMSRecipientEncryptedKeyStr NSSCMSRecipientEncryptedKey;
379
380 struct NSSCMSKeyAgreeRecipientInfoStr {
381 SECItem version;
382 NSSCMSOriginatorIdentifierOrKey originatorIdentifierOrKey;
383 SECItem * ukm; /* optional */
384 SECAlgorithmID keyEncAlg;
385 NSSCMSRecipientEncryptedKey ** recipientEncryptedKeys;
386 };
387 typedef struct NSSCMSKeyAgreeRecipientInfoStr NSSCMSKeyAgreeRecipientInfo;
388
389 #define NSS_CMS_KEYAGREE_RECIPIENT_INFO_VERSION 3 /* what we *create* */
390
391 /* -----------------------------------------------------------------------------
392 * KEK recipient info
393 */
394 struct NSSCMSKEKIdentifierStr {
395 SECItem keyIdentifier;
396 SECItem * date; /* optional */
397 SECItem * other; /* optional */
398 };
399 typedef struct NSSCMSKEKIdentifierStr NSSCMSKEKIdentifier;
400
401 struct NSSCMSKEKRecipientInfoStr {
402 SECItem version;
403 NSSCMSKEKIdentifier kekIdentifier;
404 SECAlgorithmID keyEncAlg;
405 SECItem encKey;
406 };
407 typedef struct NSSCMSKEKRecipientInfoStr NSSCMSKEKRecipientInfo;
408
409 #define NSS_CMS_KEK_RECIPIENT_INFO_VERSION 4 /* what we *create* */
410
411 /* -----------------------------------------------------------------------------
412 * recipient info
413 */
414
415 typedef enum {
416 NSSCMSRecipientInfoID_KeyTrans = 0,
417 NSSCMSRecipientInfoID_KeyAgree = 1,
418 NSSCMSRecipientInfoID_KEK = 2
419 } NSSCMSRecipientInfoIDSelector;
420
421 /*
422 * In order to preserve backwards binary compatibility when implementing
423 * creation of Recipient Info's that uses subjectKeyID in the
424 * keyTransRecipientInfo we need to stash a public key pointer in this
425 * structure somewhere. We figured out that NSSCMSKeyTransRecipientInfo
426 * is the smallest member of the ri union. We're in luck since that's
427 * the very structure that would need to use the public key. So we created
428 * a new structure NSSCMSKeyTransRecipientInfoEx which has a member
429 * NSSCMSKeyTransRecipientInfo as the first member followed by a version
430 * and a public key pointer. This way we can keep backwards compatibility
431 * without changing the size of this structure.
432 *
433 * BTW, size of structure:
434 * NSSCMSKeyTransRecipientInfo: 9 ints, 4 pointers
435 * NSSCMSKeyAgreeRecipientInfo: 12 ints, 8 pointers
436 * NSSCMSKEKRecipientInfo: 10 ints, 7 pointers
437 *
438 * The new structure:
439 * NSSCMSKeyTransRecipientInfoEx: sizeof(NSSCMSKeyTransRecipientInfo) +
440 * 1 int, 1 pointer
441 */
442
443 struct NSSCMSRecipientInfoStr {
444 NSSCMSRecipientInfoIDSelector recipientInfoType;
445 union {
446 NSSCMSKeyTransRecipientInfo keyTransRecipientInfo;
447 NSSCMSKeyAgreeRecipientInfo keyAgreeRecipientInfo;
448 NSSCMSKEKRecipientInfo kekRecipientInfo;
449 NSSCMSKeyTransRecipientInfoEx keyTransRecipientInfoEx;
450 } ri;
451 /* --------- local; not part of encoding --------- */
452 NSSCMSMessage * cmsg; /* back pointer to message */
453 CERTCertificate * cert; /* recipient's certificate */
454 };
455
456 /* =============================================================================
457 * DIGESTED DATA
458 */
459 struct NSSCMSDigestedDataStr {
460 SECItem version;
461 SECAlgorithmID digestAlg;
462 NSSCMSContentInfo contentInfo;
463 SECItem digest;
464 /* --------- local; not part of encoding --------- */
465 NSSCMSMessage * cmsg; /* back pointer */
466 SECItem cdigest; /* calculated digest */
467 };
468 #define NSS_CMS_DIGESTED_DATA_VERSION_DATA 0 /* what we *create* */
469 #define NSS_CMS_DIGESTED_DATA_VERSION_ENCAP 2 /* what we *create* */
470
471 /* =============================================================================
472 * ENCRYPTED DATA
473 */
474 struct NSSCMSEncryptedDataStr {
475 SECItem version;
476 NSSCMSContentInfo contentInfo;
477 NSSCMSAttribute ** unprotectedAttr; /* optional */
478 /* --------- local; not part of encoding --------- */
479 NSSCMSMessage * cmsg; /* back pointer */
480 };
481 #define NSS_CMS_ENCRYPTED_DATA_VERSION 0 /* what we *create* */
482 #define NSS_CMS_ENCRYPTED_DATA_VERSION_UPATTR 2 /* what we *create* */
483
484 /* =============================================================================
485 * FORTEZZA KEA
486 */
487
488 /* An enumerated type used to select templates based on the encryption
489 scenario and data specifics. */
490 typedef enum {
491 NSSCMSKEAInvalid = -1,
492 NSSCMSKEAUsesSkipjack = 0,
493 NSSCMSKEAUsesNonSkipjack = 1,
494 NSSCMSKEAUsesNonSkipjackWithPaddedEncKey = 2
495 } NSSCMSKEATemplateSelector;
496
497 /* ### mwelch - S/MIME KEA parameters. These don't really fit here,
498 but I cannot think of a more appropriate place at this time. */
499 struct NSSCMSSMIMEKEAParametersStr {
500 SECItem originatorKEAKey; /* sender KEA key (encrypted?) */
501 SECItem originatorRA; /* random number generated by sender */
502 SECItem nonSkipjackIV; /* init'n vector for SkipjackCBC64
503 decryption of KEA key if Skipjack
504 is not the bulk algorithm used on
505 the message */
506 SECItem bulkKeySize; /* if Skipjack is not the bulk
507 algorithm used on the message,
508 and the size of the bulk encryption
509 key is not the same as that of
510 originatorKEAKey (due to padding
511 perhaps), this field will contain
512 the real size of the bulk encryption
513 key. */
514 };
515
516 /*
517 * *****************************************************************************
518 * *****************************************************************************
519 * *****************************************************************************
520 */
521
522 /*
523 * See comment above about this type not really belonging to CMS.
524 */
525 struct NSSCMSAttributeStr {
526 /* The following fields make up an encoded Attribute: */
527 SECItem type;
528 SECItem ** values; /* data may or may not be encoded */
529 /* The following fields are not part of an encoded Attribute: */
530 SECOidData * typeTag;
531 PRBool encoded; /* when true, values are encoded */
532 };
533
534 #endif /* _CMST_H_ */
Mozilla NSS module