The Tor Browser: security/nss/lib/pkcs7/p7create.c@7e26c7da4463 (annotated)

security/nss/lib/pkcs7/p7create.c@7e26c7da4463 (annotated)

security/nss/lib/pkcs7/p7create.c

Wed, 31 Dec 2014 06:55:50 +0100

author: Michael Schloh von Bennewitz <michael@schloh.com>
date: Wed, 31 Dec 2014 06:55:50 +0100
changeset 2: 7e26c7da4463
permissions: -rw-r--r--

Added tag UPSTREAM_283F7C6 for changeset ca08bd8f51b2

 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 /*
  * PKCS7 creation.
  */
 #include "p7local.h"
 #include "cert.h"
 #include "secasn1.h"
 #include "secitem.h"
 #include "secoid.h"
 #include "pk11func.h"
 #include "prtime.h"
 #include "secerr.h"
 #include "secder.h"
 #include "secpkcs5.h"
 const int NSS_PBE_DEFAULT_ITERATION_COUNT = 2000; /* used in p12e.c too */
 static SECStatus
 sec_pkcs7_init_content_info (SEC_PKCS7ContentInfo *cinfo, PLArenaPool *poolp,
 			     SECOidTag kind, PRBool detached)
 {
     void *thing;
     int version;
     SECItem *versionp;
     SECStatus rv;
     PORT_Assert (cinfo != NULL && poolp != NULL);
     if (cinfo == NULL || poolp == NULL)
 	return SECFailure;
     cinfo->contentTypeTag = SECOID_FindOIDByTag (kind);
     PORT_Assert (cinfo->contentTypeTag
 		 && cinfo->contentTypeTag->offset == kind);
     rv = SECITEM_CopyItem (poolp, &(cinfo->contentType),
 			   &(cinfo->contentTypeTag->oid));
     if (rv != SECSuccess)
 	return rv;
     if (detached)
 	return SECSuccess;
     switch (kind) {
       default:
       case SEC_OID_PKCS7_DATA:
 	thing = PORT_ArenaZAlloc (poolp, sizeof(SECItem));
 	cinfo->content.data = (SECItem*)thing;
 	versionp = NULL;
 	version = -1;
 	break;
       case SEC_OID_PKCS7_DIGESTED_DATA:
 	thing = PORT_ArenaZAlloc (poolp, sizeof(SEC_PKCS7DigestedData));
 	cinfo->content.digestedData = (SEC_PKCS7DigestedData*)thing;
 	versionp = &(cinfo->content.digestedData->version);
 	version = SEC_PKCS7_DIGESTED_DATA_VERSION;
 	break;
       case SEC_OID_PKCS7_ENCRYPTED_DATA:
 	thing = PORT_ArenaZAlloc (poolp, sizeof(SEC_PKCS7EncryptedData));
 	cinfo->content.encryptedData = (SEC_PKCS7EncryptedData*)thing;
 	versionp = &(cinfo->content.encryptedData->version);
 	version = SEC_PKCS7_ENCRYPTED_DATA_VERSION;
 	break;
       case SEC_OID_PKCS7_ENVELOPED_DATA:
 	thing = PORT_ArenaZAlloc (poolp, sizeof(SEC_PKCS7EnvelopedData));
 	cinfo->content.envelopedData =
 	  (SEC_PKCS7EnvelopedData*)thing;
 	versionp = &(cinfo->content.envelopedData->version);
 	version = SEC_PKCS7_ENVELOPED_DATA_VERSION;
 	break;
       case SEC_OID_PKCS7_SIGNED_DATA:
 	thing = PORT_ArenaZAlloc (poolp, sizeof(SEC_PKCS7SignedData));
 	cinfo->content.signedData =
 	  (SEC_PKCS7SignedData*)thing;
 	versionp = &(cinfo->content.signedData->version);
 	version = SEC_PKCS7_SIGNED_DATA_VERSION;
 	break;
       case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
 	thing = PORT_ArenaZAlloc(poolp,sizeof(SEC_PKCS7SignedAndEnvelopedData));
 	cinfo->content.signedAndEnvelopedData =
 	  (SEC_PKCS7SignedAndEnvelopedData*)thing;
 	versionp = &(cinfo->content.signedAndEnvelopedData->version);
 	version = SEC_PKCS7_SIGNED_AND_ENVELOPED_DATA_VERSION;
 	break;
     }
     if (thing == NULL)
 	return SECFailure;
     if (versionp != NULL) {
 	SECItem *dummy;
 	PORT_Assert (version >= 0);
 	dummy = SEC_ASN1EncodeInteger (poolp, versionp, version);
 	if (dummy == NULL)
 	    return SECFailure;
 	PORT_Assert (dummy == versionp);
     }
     return SECSuccess;
 }
 static SEC_PKCS7ContentInfo *
 sec_pkcs7_create_content_info (SECOidTag kind, PRBool detached,
 			       SECKEYGetPasswordKey pwfn, void *pwfn_arg)
 {
     SEC_PKCS7ContentInfo *cinfo;
     PLArenaPool *poolp;
     SECStatus rv;
     poolp = PORT_NewArena (1024);	/* XXX what is right value? */
     if (poolp == NULL)
 	return NULL;
     cinfo = (SEC_PKCS7ContentInfo*)PORT_ArenaZAlloc (poolp, sizeof(*cinfo));
     if (cinfo == NULL) {
 	PORT_FreeArena (poolp, PR_FALSE);
 	return NULL;
     }
     cinfo->poolp = poolp;
     cinfo->pwfn = pwfn;
     cinfo->pwfn_arg = pwfn_arg;
     cinfo->created = PR_TRUE;
     cinfo->refCount = 1;
     rv = sec_pkcs7_init_content_info (cinfo, poolp, kind, detached);
     if (rv != SECSuccess) {
 	PORT_FreeArena (poolp, PR_FALSE);
 	return NULL;
     }
     return cinfo;
 }
 /*
  * Add a signer to a PKCS7 thing, verifying the signature cert first.
  * Any error returns SECFailure.
  *
  * XXX Right now this only adds the *first* signer.  It fails if you try
  * to add a second one -- this needs to be fixed.
  */
 static SECStatus
 sec_pkcs7_add_signer (SEC_PKCS7ContentInfo *cinfo,
 		      CERTCertificate *     cert,
 		      SECCertUsage          certusage,
 		      CERTCertDBHandle *    certdb,
 		      SECOidTag             digestalgtag,
 		      SECItem *             digestdata)
 {
     SEC_PKCS7SignerInfo *signerinfo, **signerinfos, ***signerinfosp;
     SECAlgorithmID      *digestalg,  **digestalgs,  ***digestalgsp;
     SECItem             *digest,     **digests,     ***digestsp;
     SECItem *            dummy;
     void *               mark;
     SECStatus            rv;
     SECOidTag            kind;
     kind = SEC_PKCS7ContentType (cinfo);
     switch (kind) {
       case SEC_OID_PKCS7_SIGNED_DATA:
 	{
 	    SEC_PKCS7SignedData *sdp;
 	    sdp = cinfo->content.signedData;
 	    digestalgsp = &(sdp->digestAlgorithms);
 	    digestsp = &(sdp->digests);
 	    signerinfosp = &(sdp->signerInfos);
 	}
 	break;
       case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
 	{
 	    SEC_PKCS7SignedAndEnvelopedData *saedp;
 	    saedp = cinfo->content.signedAndEnvelopedData;
 	    digestalgsp = &(saedp->digestAlgorithms);
 	    digestsp = &(saedp->digests);
 	    signerinfosp = &(saedp->signerInfos);
 	}
 	break;
       default:
 	return SECFailure;		/* XXX set an error? */
     }
     /*
      * XXX I think that CERT_VerifyCert should do this if *it* is passed
      * a NULL database.
      */
     if (certdb == NULL) {
 	certdb = CERT_GetDefaultCertDB();
 	if (certdb == NULL)
 	    return SECFailure;		/* XXX set an error? */
     }
     if (CERT_VerifyCert (certdb, cert, PR_TRUE, certusage, PR_Now(),
 			 cinfo->pwfn_arg, NULL) != SECSuccess)
 	{
 	/* XXX Did CERT_VerifyCert set an error? */
 	return SECFailure;
     }
     /*
      * XXX This is the check that we do not already have a signer.
      * This is not what we really want -- we want to allow this
      * and *add* the new signer.
      */
     PORT_Assert (*signerinfosp == NULL
 		 && *digestalgsp == NULL && *digestsp == NULL);
     if (*signerinfosp != NULL || *digestalgsp != NULL || *digestsp != NULL)
 	return SECFailure;
     mark = PORT_ArenaMark (cinfo->poolp);
     signerinfo = (SEC_PKCS7SignerInfo*)PORT_ArenaZAlloc (cinfo->poolp,
 						  sizeof(SEC_PKCS7SignerInfo));
     if (signerinfo == NULL) {
 	PORT_ArenaRelease (cinfo->poolp, mark);
 	return SECFailure;
     }
     dummy = SEC_ASN1EncodeInteger (cinfo->poolp, &signerinfo->version,
 				   SEC_PKCS7_SIGNER_INFO_VERSION);
     if (dummy == NULL) {
 	PORT_ArenaRelease (cinfo->poolp, mark);
 	return SECFailure;
     }
     PORT_Assert (dummy == &signerinfo->version);
     signerinfo->cert = CERT_DupCertificate (cert);
     if (signerinfo->cert == NULL) {
 	PORT_ArenaRelease (cinfo->poolp, mark);
 	return SECFailure;
     }
     signerinfo->issuerAndSN = CERT_GetCertIssuerAndSN (cinfo->poolp, cert);
     if (signerinfo->issuerAndSN == NULL) {
 	PORT_ArenaRelease (cinfo->poolp, mark);
 	return SECFailure;
     }
     rv = SECOID_SetAlgorithmID (cinfo->poolp, &signerinfo->digestAlg,
 				digestalgtag, NULL);
     if (rv != SECSuccess) {
 	PORT_ArenaRelease (cinfo->poolp, mark);
 	return SECFailure;
     }
     /*
      * Okay, now signerinfo is all set.  We just need to put it and its
      * companions (another copy of the digest algorithm, and the digest
      * itself if given) into the main structure.
      *
      * XXX If we are handling more than one signer, the following code
      * needs to look through the digest algorithms already specified
      * and see if the same one is there already.  If it is, it does not
      * need to be added again.  Also, if it is there *and* the digest
      * is not null, then the digest given should match the digest already
      * specified -- if not, that is an error.  Finally, the new signerinfo
      * should be *added* to the set already found.
      */
     signerinfos = (SEC_PKCS7SignerInfo**)PORT_ArenaAlloc (cinfo->poolp,
 * sizeof(SEC_PKCS7SignerInfo *));
     if (signerinfos == NULL) {
 	PORT_ArenaRelease (cinfo->poolp, mark);
 	return SECFailure;
     }
     signerinfos[0] = signerinfo;
     signerinfos[1] = NULL;
     digestalg = PORT_ArenaZAlloc (cinfo->poolp, sizeof(SECAlgorithmID));
     digestalgs = PORT_ArenaAlloc (cinfo->poolp, 2 * sizeof(SECAlgorithmID *));
     if (digestalg == NULL || digestalgs == NULL) {
 	PORT_ArenaRelease (cinfo->poolp, mark);
 	return SECFailure;
     }
     rv = SECOID_SetAlgorithmID (cinfo->poolp, digestalg, digestalgtag, NULL);
     if (rv != SECSuccess) {
 	PORT_ArenaRelease (cinfo->poolp, mark);
 	return SECFailure;
     }
     digestalgs[0] = digestalg;
     digestalgs[1] = NULL;
     if (digestdata != NULL) {
 	digest = (SECItem*)PORT_ArenaAlloc (cinfo->poolp, sizeof(SECItem));
 	digests = (SECItem**)PORT_ArenaAlloc (cinfo->poolp,
 * sizeof(SECItem *));
 	if (digest == NULL || digests == NULL) {
 	    PORT_ArenaRelease (cinfo->poolp, mark);
 	    return SECFailure;
 	}
 	rv = SECITEM_CopyItem (cinfo->poolp, digest, digestdata);
 	if (rv != SECSuccess) {
 	    PORT_ArenaRelease (cinfo->poolp, mark);
 	    return SECFailure;
 	}
 	digests[0] = digest;
 	digests[1] = NULL;
     } else {
 	digests = NULL;
     }
     *signerinfosp = signerinfos;
     *digestalgsp = digestalgs;
     *digestsp = digests;
     PORT_ArenaUnmark(cinfo->poolp, mark);
     return SECSuccess;
 }
 /*
  * Helper function for creating an empty signedData.
  */
 static SEC_PKCS7ContentInfo *
 sec_pkcs7_create_signed_data (SECKEYGetPasswordKey pwfn, void *pwfn_arg)
 {
     SEC_PKCS7ContentInfo *cinfo;
     SEC_PKCS7SignedData *sigd;
     SECStatus rv;
     cinfo = sec_pkcs7_create_content_info (SEC_OID_PKCS7_SIGNED_DATA, PR_FALSE,
 					   pwfn, pwfn_arg);
     if (cinfo == NULL)
 	return NULL;
     sigd = cinfo->content.signedData;
     PORT_Assert (sigd != NULL);
     /*
      * XXX Might we want to allow content types other than data?
      * If so, via what interface?
      */
     rv = sec_pkcs7_init_content_info (&(sigd->contentInfo), cinfo->poolp,
 				      SEC_OID_PKCS7_DATA, PR_TRUE);
     if (rv != SECSuccess) {
 	SEC_PKCS7DestroyContentInfo (cinfo);
 	return NULL;
     }
     return cinfo;
 }
 /*
  * Start a PKCS7 signing context.
  *
  * "cert" is the cert that will be used to sign the data.  It will be
  * checked for validity.
  *
  * "certusage" describes the signing usage (e.g. certUsageEmailSigner)
  * XXX Maybe SECCertUsage should be split so that our caller just says
  * "email" and *we* add the "signing" part -- otherwise our caller
  * could be lying about the usage; we do not want to allow encryption
  * certs for signing or vice versa.
  *
  * "certdb" is the cert database to use for verifying the cert.
  * It can be NULL if a default database is available (like in the client).
  *
  * "digestalg" names the digest algorithm (e.g. SEC_OID_SHA1).
  *
  * "digest" is the actual digest of the data.  It must be provided in
  * the case of detached data or NULL if the content will be included.
  *
  * The return value can be passed to functions which add things to
  * it like attributes, then eventually to SEC_PKCS7Encode() or to
  * SEC_PKCS7EncoderStart() to create the encoded data, and finally to
  * SEC_PKCS7DestroyContentInfo().
  *
  * An error results in a return value of NULL and an error set.
  * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
  */
 SEC_PKCS7ContentInfo *
 SEC_PKCS7CreateSignedData (CERTCertificate *cert,
 			   SECCertUsage certusage,
 			   CERTCertDBHandle *certdb,
 			   SECOidTag digestalg,
 			   SECItem *digest,
  			   SECKEYGetPasswordKey pwfn, void *pwfn_arg)
 {
     SEC_PKCS7ContentInfo *cinfo;
     SECStatus rv;
     cinfo = sec_pkcs7_create_signed_data (pwfn, pwfn_arg);
     if (cinfo == NULL)
 	return NULL;
     rv = sec_pkcs7_add_signer (cinfo, cert, certusage, certdb,
 			       digestalg, digest);
     if (rv != SECSuccess) {
 	SEC_PKCS7DestroyContentInfo (cinfo);
 	return NULL;
     }
     return cinfo;
 }
 static SEC_PKCS7Attribute *
 sec_pkcs7_create_attribute (PLArenaPool *poolp, SECOidTag oidtag,
 			    SECItem *value, PRBool encoded)
 {
     SEC_PKCS7Attribute *attr;
     SECItem **values;
     void *mark;
     PORT_Assert (poolp != NULL);
     mark = PORT_ArenaMark (poolp);
     attr = (SEC_PKCS7Attribute*)PORT_ArenaAlloc (poolp,
 						 sizeof(SEC_PKCS7Attribute));
     if (attr == NULL)
 	goto loser;
     attr->typeTag = SECOID_FindOIDByTag (oidtag);
     if (attr->typeTag == NULL)
 	goto loser;
     if (SECITEM_CopyItem (poolp, &(attr->type),
 			  &(attr->typeTag->oid)) != SECSuccess)
 	goto loser;
     values = (SECItem**)PORT_ArenaAlloc (poolp, 2 * sizeof(SECItem *));
     if (values == NULL)
 	goto loser;
     if (value != NULL) {
 	SECItem *copy;
 	copy = (SECItem*)PORT_ArenaAlloc (poolp, sizeof(SECItem));
 	if (copy == NULL)
 	    goto loser;
 	if (SECITEM_CopyItem (poolp, copy, value) != SECSuccess)
 	    goto loser;
 	value = copy;
     }
     values[0] = value;
     values[1] = NULL;
     attr->values = values;
     attr->encoded = encoded;
     PORT_ArenaUnmark (poolp, mark);
     return attr;
 loser:
     PORT_Assert (mark != NULL);
     PORT_ArenaRelease (poolp, mark);
     return NULL;
 }
 static SECStatus
 sec_pkcs7_add_attribute (SEC_PKCS7ContentInfo *cinfo,
 			 SEC_PKCS7Attribute ***attrsp,
 			 SEC_PKCS7Attribute *attr)
 {
     SEC_PKCS7Attribute **attrs;
     SECItem *ct_value;
     void *mark;
     PORT_Assert (SEC_PKCS7ContentType (cinfo) == SEC_OID_PKCS7_SIGNED_DATA);
     if (SEC_PKCS7ContentType (cinfo) != SEC_OID_PKCS7_SIGNED_DATA)
 	return SECFailure;
     attrs = *attrsp;
     if (attrs != NULL) {
 	int count;
 	/*
 	 * We already have some attributes, and just need to add this
 	 * new one.
 	 */
 	/*
 	 * We should already have the *required* attributes, which were
 	 * created/added at the same time the first attribute was added.
 	 */
 	PORT_Assert (sec_PKCS7FindAttribute (attrs,
 					     SEC_OID_PKCS9_CONTENT_TYPE,
 					     PR_FALSE) != NULL);
 	PORT_Assert (sec_PKCS7FindAttribute (attrs,
 					     SEC_OID_PKCS9_MESSAGE_DIGEST,
 					     PR_FALSE) != NULL);
 	for (count = 0; attrs[count] != NULL; count++)
 	    ;
 	attrs = (SEC_PKCS7Attribute**)PORT_ArenaGrow (cinfo->poolp, attrs,
 				(count + 1) * sizeof(SEC_PKCS7Attribute *),
 				(count + 2) * sizeof(SEC_PKCS7Attribute *));
 	if (attrs == NULL)
 	    return SECFailure;
 	attrs[count] = attr;
 	attrs[count+1] = NULL;
 	*attrsp = attrs;
 	return SECSuccess;
     }
     /*
      * This is the first time an attribute is going in.
      * We need to create and add the required attributes, and then
      * we will also add in the one our caller gave us.
      */
     /*
      * There are 2 required attributes, plus the one our caller wants
      * to add, plus we always end with a NULL one.  Thus, four slots.
      */
     attrs = (SEC_PKCS7Attribute**)PORT_ArenaAlloc (cinfo->poolp,
 * sizeof(SEC_PKCS7Attribute *));
     if (attrs == NULL)
 	return SECFailure;
     mark = PORT_ArenaMark (cinfo->poolp);
     /*
      * First required attribute is the content type of the data
      * being signed.
      */
     ct_value = &(cinfo->content.signedData->contentInfo.contentType);
     attrs[0] = sec_pkcs7_create_attribute (cinfo->poolp,
 					   SEC_OID_PKCS9_CONTENT_TYPE,
 					   ct_value, PR_FALSE);
     /*
      * Second required attribute is the message digest of the data
      * being signed; we leave the value NULL for now (just create
      * the place for it to go), and the encoder will fill it in later.
      */
     attrs[1] = sec_pkcs7_create_attribute (cinfo->poolp,
 					   SEC_OID_PKCS9_MESSAGE_DIGEST,
 					   NULL, PR_FALSE);
     if (attrs[0] == NULL || attrs[1] == NULL) {
 	PORT_ArenaRelease (cinfo->poolp, mark);
 	return SECFailure;
     }
     attrs[2] = attr;
     attrs[3] = NULL;
     *attrsp = attrs;
     PORT_ArenaUnmark (cinfo->poolp, mark);
     return SECSuccess;
 }
 /*
  * Add the signing time to the authenticated (i.e. signed) attributes
  * of "cinfo".  This is expected to be included in outgoing signed
  * messages for email (S/MIME) but is likely useful in other situations.
  *
  * This should only be added once; a second call will either do
  * nothing or replace an old signing time with a newer one.
  *
  * XXX This will probably just shove the current time into "cinfo"
  * but it will not actually get signed until the entire item is
  * processed for encoding.  Is this (expected to be small) delay okay?
  *
  * "cinfo" should be of type signedData (the only kind of pkcs7 data
  * that is allowed authenticated attributes); SECFailure will be returned
  * if it is not.
  */
 SECStatus
 SEC_PKCS7AddSigningTime (SEC_PKCS7ContentInfo *cinfo)
 {
     SEC_PKCS7SignerInfo **signerinfos;
     SEC_PKCS7Attribute *attr;
     SECItem stime;
     SECStatus rv;
     int si;
     PORT_Assert (SEC_PKCS7ContentType (cinfo) == SEC_OID_PKCS7_SIGNED_DATA);
     if (SEC_PKCS7ContentType (cinfo) != SEC_OID_PKCS7_SIGNED_DATA)
 	return SECFailure;
     signerinfos = cinfo->content.signedData->signerInfos;
     /* There has to be a signer, or it makes no sense. */
     if (signerinfos == NULL || signerinfos[0] == NULL)
 	return SECFailure;
     rv = DER_EncodeTimeChoice(NULL, &stime, PR_Now());
     if (rv != SECSuccess)
 	return rv;
     attr = sec_pkcs7_create_attribute (cinfo->poolp,
 				       SEC_OID_PKCS9_SIGNING_TIME,
 				       &stime, PR_FALSE);
     SECITEM_FreeItem (&stime, PR_FALSE);
     if (attr == NULL)
 	return SECFailure;
     rv = SECSuccess;
     for (si = 0; signerinfos[si] != NULL; si++) {
 	SEC_PKCS7Attribute *oattr;
 	oattr = sec_PKCS7FindAttribute (signerinfos[si]->authAttr,
 					SEC_OID_PKCS9_SIGNING_TIME, PR_FALSE);
 	PORT_Assert (oattr == NULL);
 	if (oattr != NULL)
 	    continue;	/* XXX or would it be better to replace it? */
 	rv = sec_pkcs7_add_attribute (cinfo, &(signerinfos[si]->authAttr),
 				      attr);
 	if (rv != SECSuccess)
 	    break;	/* could try to continue, but may as well give up now */
     }
     return rv;
 }
 /*
  * Add the specified attribute to the authenticated (i.e. signed) attributes
  * of "cinfo" -- "oidtag" describes the attribute and "value" is the
  * value to be associated with it.  NOTE! "value" must already be encoded;
  * no interpretation of "oidtag" is done.  Also, it is assumed that this
  * signedData has only one signer -- if we ever need to add attributes
  * when there is more than one signature, we need a way to specify *which*
  * signature should get the attribute.
  *
  * XXX Technically, a signed attribute can have multiple values; if/when
  * we ever need to support an attribute which takes multiple values, we
  * either need to change this interface or create an AddSignedAttributeValue
  * which can be called subsequently, and would then append a value.
  *
  * "cinfo" should be of type signedData (the only kind of pkcs7 data
  * that is allowed authenticated attributes); SECFailure will be returned
  * if it is not.
  */
 SECStatus
 SEC_PKCS7AddSignedAttribute (SEC_PKCS7ContentInfo *cinfo,
 			     SECOidTag oidtag,
 			     SECItem *value)
 {
     SEC_PKCS7SignerInfo **signerinfos;
     SEC_PKCS7Attribute *attr;
     PORT_Assert (SEC_PKCS7ContentType (cinfo) == SEC_OID_PKCS7_SIGNED_DATA);
     if (SEC_PKCS7ContentType (cinfo) != SEC_OID_PKCS7_SIGNED_DATA)
 	return SECFailure;
     signerinfos = cinfo->content.signedData->signerInfos;
     /*
      * No signature or more than one means no deal.
      */
     if (signerinfos == NULL || signerinfos[0] == NULL || signerinfos[1] != NULL)
 	return SECFailure;
     attr = sec_pkcs7_create_attribute (cinfo->poolp, oidtag, value, PR_TRUE);
     if (attr == NULL)
 	return SECFailure;
     return sec_pkcs7_add_attribute (cinfo, &(signerinfos[0]->authAttr), attr);
 }
 /*
  * Mark that the signer certificates and their issuing chain should
  * be included in the encoded data.  This is expected to be used
  * in outgoing signed messages for email (S/MIME).
  *
  * "certdb" is the cert database to use for finding the chain.
  * It can be NULL, meaning use the default database.
  *
  * "cinfo" should be of type signedData or signedAndEnvelopedData;
  * SECFailure will be returned if it is not.
  */
 SECStatus
 SEC_PKCS7IncludeCertChain (SEC_PKCS7ContentInfo *cinfo,
 			   CERTCertDBHandle *certdb)
 {
     SECOidTag kind;
     SEC_PKCS7SignerInfo *signerinfo, **signerinfos;
     kind = SEC_PKCS7ContentType (cinfo);
     switch (kind) {
       case SEC_OID_PKCS7_SIGNED_DATA:
 	signerinfos = cinfo->content.signedData->signerInfos;
 	break;
       case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
 	signerinfos = cinfo->content.signedAndEnvelopedData->signerInfos;
 	break;
       default:
 	return SECFailure;		/* XXX set an error? */
     }
     if (signerinfos == NULL)		/* no signer, no certs? */
 	return SECFailure;		/* XXX set an error? */
     if (certdb == NULL) {
 	certdb = CERT_GetDefaultCertDB();
 	if (certdb == NULL) {
 	    PORT_SetError (SEC_ERROR_BAD_DATABASE);
 	    return SECFailure;
 	}
     }
     /* XXX Should it be an error if we find no signerinfo or no certs? */
     while ((signerinfo = *signerinfos++) != NULL) {
 	if (signerinfo->cert != NULL)
 	    /* get the cert chain.  don't send the root to avoid contamination
 	     * of old clients with a new root that they don't trust
 	     */
 	    signerinfo->certList = CERT_CertChainFromCert (signerinfo->cert,
 							   certUsageEmailSigner,
 							   PR_FALSE);
     }
     return SECSuccess;
 }
 /*
  * Helper function to add a certificate chain for inclusion in the
  * bag of certificates in a signedData.
  */
 static SECStatus
 sec_pkcs7_add_cert_chain (SEC_PKCS7ContentInfo *cinfo,
 			  CERTCertificate *cert,
 			  CERTCertDBHandle *certdb)
 {
     SECOidTag kind;
     CERTCertificateList *certlist, **certlists, ***certlistsp;
     int count;
     kind = SEC_PKCS7ContentType (cinfo);
     switch (kind) {
       case SEC_OID_PKCS7_SIGNED_DATA:
 	{
 	    SEC_PKCS7SignedData *sdp;
 	    sdp = cinfo->content.signedData;
 	    certlistsp = &(sdp->certLists);
 	}
 	break;
       case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
 	{
 	    SEC_PKCS7SignedAndEnvelopedData *saedp;
 	    saedp = cinfo->content.signedAndEnvelopedData;
 	    certlistsp = &(saedp->certLists);
 	}
 	break;
       default:
 	return SECFailure;		/* XXX set an error? */
     }
     if (certdb == NULL) {
 	certdb = CERT_GetDefaultCertDB();
 	if (certdb == NULL) {
 	    PORT_SetError (SEC_ERROR_BAD_DATABASE);
 	    return SECFailure;
 	}
     }
     certlist = CERT_CertChainFromCert (cert, certUsageEmailSigner, PR_FALSE);
     if (certlist == NULL)
 	return SECFailure;
     certlists = *certlistsp;
     if (certlists == NULL) {
 	count = 0;
 	certlists = (CERTCertificateList**)PORT_ArenaAlloc (cinfo->poolp,
 * sizeof(CERTCertificateList *));
     } else {
 	for (count = 0; certlists[count] != NULL; count++)
 	    ;
 	PORT_Assert (count);	/* should be at least one already */
 	certlists = (CERTCertificateList**)PORT_ArenaGrow (cinfo->poolp,
 				 certlists,
 				(count + 1) * sizeof(CERTCertificateList *),
 				(count + 2) * sizeof(CERTCertificateList *));
     }
     if (certlists == NULL) {
 	CERT_DestroyCertificateList (certlist);
 	return SECFailure;
     }
     certlists[count] = certlist;
     certlists[count + 1] = NULL;
     *certlistsp = certlists;
     return SECSuccess;
 }
 /*
  * Helper function to add a certificate for inclusion in the bag of
  * certificates in a signedData.
  */
 static SECStatus
 sec_pkcs7_add_certificate (SEC_PKCS7ContentInfo *cinfo,
 			   CERTCertificate *cert)
 {
     SECOidTag kind;
     CERTCertificate **certs, ***certsp;
     int count;
     kind = SEC_PKCS7ContentType (cinfo);
     switch (kind) {
       case SEC_OID_PKCS7_SIGNED_DATA:
 	{
 	    SEC_PKCS7SignedData *sdp;
 	    sdp = cinfo->content.signedData;
 	    certsp = &(sdp->certs);
 	}
 	break;
       case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
 	{
 	    SEC_PKCS7SignedAndEnvelopedData *saedp;
 	    saedp = cinfo->content.signedAndEnvelopedData;
 	    certsp = &(saedp->certs);
 	}
 	break;
       default:
 	return SECFailure;		/* XXX set an error? */
     }
     cert = CERT_DupCertificate (cert);
     if (cert == NULL)
 	return SECFailure;
     certs = *certsp;
     if (certs == NULL) {
 	count = 0;
 	certs = (CERTCertificate**)PORT_ArenaAlloc (cinfo->poolp,
 * sizeof(CERTCertificate *));
     } else {
 	for (count = 0; certs[count] != NULL; count++)
 	    ;
 	PORT_Assert (count);	/* should be at least one already */
 	certs = (CERTCertificate**)PORT_ArenaGrow (cinfo->poolp, certs,
 				(count + 1) * sizeof(CERTCertificate *),
 				(count + 2) * sizeof(CERTCertificate *));
     }
     if (certs == NULL) {
 	CERT_DestroyCertificate (cert);
 	return SECFailure;
     }
     certs[count] = cert;
     certs[count + 1] = NULL;
     *certsp = certs;
     return SECSuccess;
 }
 /*
  * Create a PKCS7 certs-only container.
  *
  * "cert" is the (first) cert that will be included.
  *
  * "include_chain" specifies whether the entire chain for "cert" should
  * be included.
  *
  * "certdb" is the cert database to use for finding the chain.
  * It can be NULL in when "include_chain" is false, or when meaning
  * use the default database.
  *
  * More certs and chains can be added via AddCertificate and AddCertChain.
  *
  * An error results in a return value of NULL and an error set.
  * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
  */
 SEC_PKCS7ContentInfo *
 SEC_PKCS7CreateCertsOnly (CERTCertificate *cert,
 			  PRBool include_chain,
 			  CERTCertDBHandle *certdb)
 {
     SEC_PKCS7ContentInfo *cinfo;
     SECStatus rv;
     cinfo = sec_pkcs7_create_signed_data (NULL, NULL);
     if (cinfo == NULL)
 	return NULL;
     if (include_chain)
 	rv = sec_pkcs7_add_cert_chain (cinfo, cert, certdb);
     else
 	rv = sec_pkcs7_add_certificate (cinfo, cert);
     if (rv != SECSuccess) {
 	SEC_PKCS7DestroyContentInfo (cinfo);
 	return NULL;
     }
     return cinfo;
 }
 /*
  * Add "cert" and its entire chain to the set of certs included in "cinfo".
  *
  * "certdb" is the cert database to use for finding the chain.
  * It can be NULL, meaning use the default database.
  *
  * "cinfo" should be of type signedData or signedAndEnvelopedData;
  * SECFailure will be returned if it is not.
  */
 SECStatus
 SEC_PKCS7AddCertChain (SEC_PKCS7ContentInfo *cinfo,
 		       CERTCertificate *cert,
 		       CERTCertDBHandle *certdb)
 {
     SECOidTag kind;
     kind = SEC_PKCS7ContentType (cinfo);
     if (kind != SEC_OID_PKCS7_SIGNED_DATA
 	&& kind != SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA)
 	return SECFailure;		/* XXX set an error? */
     return sec_pkcs7_add_cert_chain (cinfo, cert, certdb);
 }
 /*
  * Add "cert" to the set of certs included in "cinfo".
  *
  * "cinfo" should be of type signedData or signedAndEnvelopedData;
  * SECFailure will be returned if it is not.
  */
 SECStatus
 SEC_PKCS7AddCertificate (SEC_PKCS7ContentInfo *cinfo, CERTCertificate *cert)
 {
     SECOidTag kind;
     kind = SEC_PKCS7ContentType (cinfo);
     if (kind != SEC_OID_PKCS7_SIGNED_DATA
 	&& kind != SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA)
 	return SECFailure;		/* XXX set an error? */
     return sec_pkcs7_add_certificate (cinfo, cert);
 }
 static SECStatus
 sec_pkcs7_init_encrypted_content_info (SEC_PKCS7EncryptedContentInfo *enccinfo,
 				       PLArenaPool *poolp,
 				       SECOidTag kind, PRBool detached,
 				       SECOidTag encalg, int keysize)
 {
     SECStatus rv;
     PORT_Assert (enccinfo != NULL && poolp != NULL);
     if (enccinfo == NULL || poolp == NULL)
 	return SECFailure;
     /*
      * XXX Some day we may want to allow for other kinds.  That needs
      * more work and modifications to the creation interface, etc.
      * For now, allow but notice callers who pass in other kinds.
      * They are responsible for creating the inner type and encoding,
      * if it is other than DATA.
      */
     PORT_Assert (kind == SEC_OID_PKCS7_DATA);
     enccinfo->contentTypeTag = SECOID_FindOIDByTag (kind);
     PORT_Assert (enccinfo->contentTypeTag
 	       && enccinfo->contentTypeTag->offset == kind);
     rv = SECITEM_CopyItem (poolp, &(enccinfo->contentType),
 			   &(enccinfo->contentTypeTag->oid));
     if (rv != SECSuccess)
 	return rv;
     /* Save keysize and algorithm for later. */
     enccinfo->keysize = keysize;
     enccinfo->encalg = encalg;
     return SECSuccess;
 }
 /*
  * Add a recipient to a PKCS7 thing, verifying their cert first.
  * Any error returns SECFailure.
  */
 static SECStatus
 sec_pkcs7_add_recipient (SEC_PKCS7ContentInfo *cinfo,
 			 CERTCertificate *cert,
 			 SECCertUsage certusage,
 			 CERTCertDBHandle *certdb)
 {
     SECOidTag kind;
     SEC_PKCS7RecipientInfo *recipientinfo, **recipientinfos, ***recipientinfosp;
     SECItem *dummy;
     void *mark;
     int count;
     kind = SEC_PKCS7ContentType (cinfo);
     switch (kind) {
       case SEC_OID_PKCS7_ENVELOPED_DATA:
 	{
 	    SEC_PKCS7EnvelopedData *edp;
 	    edp = cinfo->content.envelopedData;
 	    recipientinfosp = &(edp->recipientInfos);
 	}
 	break;
       case SEC_OID_PKCS7_SIGNED_ENVELOPED_DATA:
 	{
 	    SEC_PKCS7SignedAndEnvelopedData *saedp;
 	    saedp = cinfo->content.signedAndEnvelopedData;
 	    recipientinfosp = &(saedp->recipientInfos);
 	}
 	break;
       default:
 	return SECFailure;		/* XXX set an error? */
     }
     /*
      * XXX I think that CERT_VerifyCert should do this if *it* is passed
      * a NULL database.
      */
     if (certdb == NULL) {
 	certdb = CERT_GetDefaultCertDB();
 	if (certdb == NULL)
 	    return SECFailure;		/* XXX set an error? */
     }
     if (CERT_VerifyCert (certdb, cert, PR_TRUE, certusage, PR_Now(),
 			 cinfo->pwfn_arg, NULL) != SECSuccess)
 	{
 	/* XXX Did CERT_VerifyCert set an error? */
 	return SECFailure;
     }
     mark = PORT_ArenaMark (cinfo->poolp);
     recipientinfo = (SEC_PKCS7RecipientInfo*)PORT_ArenaZAlloc (cinfo->poolp,
 				      sizeof(SEC_PKCS7RecipientInfo));
     if (recipientinfo == NULL) {
 	PORT_ArenaRelease (cinfo->poolp, mark);
 	return SECFailure;
     }
     dummy = SEC_ASN1EncodeInteger (cinfo->poolp, &recipientinfo->version,
 				   SEC_PKCS7_RECIPIENT_INFO_VERSION);
     if (dummy == NULL) {
 	PORT_ArenaRelease (cinfo->poolp, mark);
 	return SECFailure;
     }
     PORT_Assert (dummy == &recipientinfo->version);
     recipientinfo->cert = CERT_DupCertificate (cert);
     if (recipientinfo->cert == NULL) {
 	PORT_ArenaRelease (cinfo->poolp, mark);
 	return SECFailure;
     }
     recipientinfo->issuerAndSN = CERT_GetCertIssuerAndSN (cinfo->poolp, cert);
     if (recipientinfo->issuerAndSN == NULL) {
 	PORT_ArenaRelease (cinfo->poolp, mark);
 	return SECFailure;
     }
     /*
      * Okay, now recipientinfo is all set.  We just need to put it into
      * the main structure.
      *
      * If this is the first recipient, allocate a new recipientinfos array;
      * otherwise, reallocate the array, making room for the new entry.
      */
     recipientinfos = *recipientinfosp;
     if (recipientinfos == NULL) {
 	count = 0;
 	recipientinfos = (SEC_PKCS7RecipientInfo **)PORT_ArenaAlloc (
 					  cinfo->poolp,
 * sizeof(SEC_PKCS7RecipientInfo *));
     } else {
 	for (count = 0; recipientinfos[count] != NULL; count++)
 	    ;
 	PORT_Assert (count);	/* should be at least one already */
 	recipientinfos = (SEC_PKCS7RecipientInfo **)PORT_ArenaGrow (
 				 cinfo->poolp, recipientinfos,
 				(count + 1) * sizeof(SEC_PKCS7RecipientInfo *),
 				(count + 2) * sizeof(SEC_PKCS7RecipientInfo *));
     }
     if (recipientinfos == NULL) {
 	PORT_ArenaRelease (cinfo->poolp, mark);
 	return SECFailure;
     }
     recipientinfos[count] = recipientinfo;
     recipientinfos[count + 1] = NULL;
     *recipientinfosp = recipientinfos;
     PORT_ArenaUnmark (cinfo->poolp, mark);
     return SECSuccess;
 }
 /*
  * Start a PKCS7 enveloping context.
  *
  * "cert" is the cert for the recipient.  It will be checked for validity.
  *
  * "certusage" describes the encryption usage (e.g. certUsageEmailRecipient)
  * XXX Maybe SECCertUsage should be split so that our caller just says
  * "email" and *we* add the "recipient" part -- otherwise our caller
  * could be lying about the usage; we do not want to allow encryption
  * certs for signing or vice versa.
  *
  * "certdb" is the cert database to use for verifying the cert.
  * It can be NULL if a default database is available (like in the client).
  *
  * "encalg" specifies the bulk encryption algorithm to use (e.g. SEC_OID_RC2).
  *
  * "keysize" specifies the bulk encryption key size, in bits.
  *
  * The return value can be passed to functions which add things to
  * it like more recipients, then eventually to SEC_PKCS7Encode() or to
  * SEC_PKCS7EncoderStart() to create the encoded data, and finally to
  * SEC_PKCS7DestroyContentInfo().
  *
  * An error results in a return value of NULL and an error set.
  * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
  */
 extern SEC_PKCS7ContentInfo *
 SEC_PKCS7CreateEnvelopedData (CERTCertificate *cert,
 			      SECCertUsage certusage,
 			      CERTCertDBHandle *certdb,
 			      SECOidTag encalg,
 			      int keysize,
  			      SECKEYGetPasswordKey pwfn, void *pwfn_arg)
 {
     SEC_PKCS7ContentInfo *cinfo;
     SEC_PKCS7EnvelopedData *envd;
     SECStatus rv;
     cinfo = sec_pkcs7_create_content_info (SEC_OID_PKCS7_ENVELOPED_DATA,
 					   PR_FALSE, pwfn, pwfn_arg);
     if (cinfo == NULL)
 	return NULL;
     rv = sec_pkcs7_add_recipient (cinfo, cert, certusage, certdb);
     if (rv != SECSuccess) {
 	SEC_PKCS7DestroyContentInfo (cinfo);
 	return NULL;
     }
     envd = cinfo->content.envelopedData;
     PORT_Assert (envd != NULL);
     /*
      * XXX Might we want to allow content types other than data?
      * If so, via what interface?
      */
     rv = sec_pkcs7_init_encrypted_content_info (&(envd->encContentInfo),
 						cinfo->poolp,
 						SEC_OID_PKCS7_DATA, PR_FALSE,
 						encalg, keysize);
     if (rv != SECSuccess) {
 	SEC_PKCS7DestroyContentInfo (cinfo);
 	return NULL;
     }
     /* XXX Anything more to do here? */
     return cinfo;
 }
 /*
  * Add another recipient to an encrypted message.
  *
  * "cinfo" should be of type envelopedData or signedAndEnvelopedData;
  * SECFailure will be returned if it is not.
  *
  * "cert" is the cert for the recipient.  It will be checked for validity.
  *
  * "certusage" describes the encryption usage (e.g. certUsageEmailRecipient)
  * XXX Maybe SECCertUsage should be split so that our caller just says
  * "email" and *we* add the "recipient" part -- otherwise our caller
  * could be lying about the usage; we do not want to allow encryption
  * certs for signing or vice versa.
  *
  * "certdb" is the cert database to use for verifying the cert.
  * It can be NULL if a default database is available (like in the client).
  */
 SECStatus
 SEC_PKCS7AddRecipient (SEC_PKCS7ContentInfo *cinfo,
 		       CERTCertificate *cert,
 		       SECCertUsage certusage,
 		       CERTCertDBHandle *certdb)
 {
     return sec_pkcs7_add_recipient (cinfo, cert, certusage, certdb);
 }
 /*
  * Create an empty PKCS7 data content info.
  *
  * An error results in a return value of NULL and an error set.
  * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
  */
 SEC_PKCS7ContentInfo *
 SEC_PKCS7CreateData (void)
 {
     return sec_pkcs7_create_content_info (SEC_OID_PKCS7_DATA, PR_FALSE,
 					  NULL, NULL);
 }
 /*
  * Create an empty PKCS7 encrypted content info.
  *
  * "algorithm" specifies the bulk encryption algorithm to use.
  *
  * An error results in a return value of NULL and an error set.
  * (Retrieve specific errors via PORT_GetError()/XP_GetError().)
  */
 SEC_PKCS7ContentInfo *
 SEC_PKCS7CreateEncryptedData (SECOidTag algorithm, int keysize,
 			      SECKEYGetPasswordKey pwfn, void *pwfn_arg)
 {
     SEC_PKCS7ContentInfo *cinfo;
     SECAlgorithmID *algid;
     SEC_PKCS7EncryptedData *enc_data;
     SECStatus rv;
     cinfo = sec_pkcs7_create_content_info (SEC_OID_PKCS7_ENCRYPTED_DATA,
 					   PR_FALSE, pwfn, pwfn_arg);
     if (cinfo == NULL)
 	return NULL;
     enc_data = cinfo->content.encryptedData;
     algid = &(enc_data->encContentInfo.contentEncAlg);
     if (!SEC_PKCS5IsAlgorithmPBEAlgTag(algorithm)) {
 	rv = SECOID_SetAlgorithmID (cinfo->poolp, algid, algorithm, NULL);
     } else {
         /* Assume password-based-encryption.
          * Note: we can't generate pkcs5v2 from this interface.
          * PK11_CreateBPEAlgorithmID generates pkcs5v2 by accepting
          * non-PBE oids and assuming that they are pkcs5v2 oids, but
          * NSS_CMSEncryptedData_Create accepts non-PBE oids as regular
          * CMS encrypted data, so we can't tell SEC_PKCS7CreateEncryptedtedData
          * to create pkcs5v2 PBEs */
 	SECAlgorithmID *pbe_algid;
 	pbe_algid = PK11_CreatePBEAlgorithmID(algorithm,
                                               NSS_PBE_DEFAULT_ITERATION_COUNT,
                                               NULL);
 	if (pbe_algid == NULL) {
 	    rv = SECFailure;
 	} else {
 	    rv = SECOID_CopyAlgorithmID (cinfo->poolp, algid, pbe_algid);
 	    SECOID_DestroyAlgorithmID (pbe_algid, PR_TRUE);
 	}
     }
     if (rv != SECSuccess) {
 	SEC_PKCS7DestroyContentInfo (cinfo);
 	return NULL;
     }
     rv = sec_pkcs7_init_encrypted_content_info (&(enc_data->encContentInfo),
 						cinfo->poolp,
 						SEC_OID_PKCS7_DATA, PR_FALSE,
 						algorithm, keysize);
     if (rv != SECSuccess) {
 	SEC_PKCS7DestroyContentInfo (cinfo);
 	return NULL;
     }
     return cinfo;
 }

The Tor Browser / annotate

security/nss/lib/pkcs7/p7create.c@7e26c7da4463 (annotated)

security/nss/lib/pkcs7/p7create.c