The Tor Browser: security/nss/lib/smime/cmssigdata.c@b8a032363ba2 (annotated)

security/nss/lib/smime/cmssigdata.c@b8a032363ba2 (annotated)

security/nss/lib/smime/cmssigdata.c

Thu, 22 Jan 2015 13:21:57 +0100

author: Michael Schloh von Bennewitz <michael@schloh.com>
date: Thu, 22 Jan 2015 13:21:57 +0100
branch: TOR_BUG_9701
changeset 15: b8a032363ba2
permissions: -rw-r--r--

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 /*
  * CMS signedData methods.
  */
 #include "cmslocal.h"
 #include "cert.h"
 /*#include "cdbhdl.h"*/
 #include "secasn1.h"
 #include "secitem.h"
 #include "secoid.h"
 #include "pk11func.h"
 #include "secerr.h"
 NSSCMSSignedData *
 NSS_CMSSignedData_Create(NSSCMSMessage *cmsg)
 {
     void *mark;
     NSSCMSSignedData *sigd;
     PLArenaPool *poolp;
     if (!cmsg) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return NULL;
     }
     poolp = cmsg->poolp;
     mark = PORT_ArenaMark(poolp);
     sigd = (NSSCMSSignedData *)PORT_ArenaZAlloc (poolp, sizeof(NSSCMSSignedData));
     if (sigd == NULL)
 	goto loser;
     sigd->cmsg = cmsg;
     /* signerInfos, certs, certlists, crls are all empty */
     /* version is set in NSS_CMSSignedData_Finalize() */
     PORT_ArenaUnmark(poolp, mark);
     return sigd;
 loser:
     PORT_ArenaRelease(poolp, mark);
     return NULL;
 }
 void
 NSS_CMSSignedData_Destroy(NSSCMSSignedData *sigd)
 {
     CERTCertificate **certs, **tempCerts, *cert;
     CERTCertificateList **certlists, *certlist;
     NSSCMSSignerInfo **signerinfos, *si;
     if (sigd == NULL)
 	return;
     certs = sigd->certs;
     tempCerts = sigd->tempCerts;
     certlists = sigd->certLists;
     signerinfos = sigd->signerInfos;
     if (certs != NULL) {
 	while ((cert = *certs++) != NULL)
 	    CERT_DestroyCertificate (cert);
     }
     if (tempCerts != NULL) {
 	while ((cert = *tempCerts++) != NULL)
 	    CERT_DestroyCertificate (cert);
     }
     if (certlists != NULL) {
 	while ((certlist = *certlists++) != NULL)
 	    CERT_DestroyCertificateList (certlist);
     }
     if (signerinfos != NULL) {
 	while ((si = *signerinfos++) != NULL)
 	    NSS_CMSSignerInfo_Destroy(si);
     }
     /* everything's in a pool, so don't worry about the storage */
    NSS_CMSContentInfo_Destroy(&(sigd->contentInfo));
 }
 /*
  * NSS_CMSSignedData_Encode_BeforeStart - do all the necessary things to a SignedData
  *     before start of encoding.
  *
  * In detail:
  *  - find out about the right value to put into sigd->version
  *  - come up with a list of digestAlgorithms (which should be the union of the algorithms
  *         in the signerinfos).
  *         If we happen to have a pre-set list of algorithms (and digest values!), we
  *         check if we have all the signerinfos' algorithms. If not, this is an error.
  */
 SECStatus
 NSS_CMSSignedData_Encode_BeforeStart(NSSCMSSignedData *sigd)
 {
     NSSCMSSignerInfo *signerinfo;
     SECOidTag digestalgtag;
     SECItem *dummy;
     int version;
     SECStatus rv;
     PRBool haveDigests = PR_FALSE;
     int n, i;
     PLArenaPool *poolp;
     if (!sigd) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
     poolp = sigd->cmsg->poolp;
     /* we assume that we have precomputed digests if there is a list of algorithms, and */
     /* a chunk of data for each of those algorithms */
     if (sigd->digestAlgorithms != NULL && sigd->digests != NULL) {
 	for (i=0; sigd->digestAlgorithms[i] != NULL; i++) {
 	    if (sigd->digests[i] == NULL)
 		break;
 	}
 	if (sigd->digestAlgorithms[i] == NULL)	/* reached the end of the array? */
 	    haveDigests = PR_TRUE;		/* yes: we must have all the digests */
     }
     version = NSS_CMS_SIGNED_DATA_VERSION_BASIC;
     /* RFC2630 5.1 "version is the syntax version number..." */
     if (NSS_CMSContentInfo_GetContentTypeTag(&(sigd->contentInfo)) != SEC_OID_PKCS7_DATA)
 	version = NSS_CMS_SIGNED_DATA_VERSION_EXT;
     /* prepare all the SignerInfos (there may be none) */
     for (i=0; i < NSS_CMSSignedData_SignerInfoCount(sigd); i++) {
 	signerinfo = NSS_CMSSignedData_GetSignerInfo(sigd, i);
 	/* RFC2630 5.1 "version is the syntax version number..." */
 	if (NSS_CMSSignerInfo_GetVersion(signerinfo) != NSS_CMS_SIGNER_INFO_VERSION_ISSUERSN)
 	    version = NSS_CMS_SIGNED_DATA_VERSION_EXT;
 	/* collect digestAlgorithms from SignerInfos */
 	/* (we need to know which algorithms we have when the content comes in) */
 	/* do not overwrite any existing digestAlgorithms (and digest) */
 	digestalgtag = NSS_CMSSignerInfo_GetDigestAlgTag(signerinfo);
 	n = NSS_CMSAlgArray_GetIndexByAlgTag(sigd->digestAlgorithms, digestalgtag);
 	if (n < 0 && haveDigests) {
 	    /* oops, there is a digestalg we do not have a digest for */
 	    /* but we were supposed to have all the digests already... */
 	    goto loser;
 	} else if (n < 0) {
 	    /* add the digestAlgorithm & a NULL digest */
 	    rv = NSS_CMSSignedData_AddDigest(poolp, sigd, digestalgtag, NULL);
 	    if (rv != SECSuccess)
 		goto loser;
 	} else {
 	    /* found it, nothing to do */
 	}
     }
     dummy = SEC_ASN1EncodeInteger(poolp, &(sigd->version), (long)version);
     if (dummy == NULL)
 	return SECFailure;
     /* this is a SET OF, so we need to sort them guys */
     rv = NSS_CMSArray_SortByDER((void **)sigd->digestAlgorithms,
                                 SEC_ASN1_GET(SECOID_AlgorithmIDTemplate),
 				(void **)sigd->digests);
     if (rv != SECSuccess)
 	return SECFailure;
     return SECSuccess;
 loser:
     return SECFailure;
 }
 SECStatus
 NSS_CMSSignedData_Encode_BeforeData(NSSCMSSignedData *sigd)
 {
     SECStatus rv;
     if (!sigd) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
     rv = NSS_CMSContentInfo_Private_Init(&sigd->contentInfo);
     if (rv != SECSuccess) {
 	return SECFailure;
     }
     /* set up the digests */
     if (sigd->digests && sigd->digests[0]) {
 	sigd->contentInfo.privateInfo->digcx = NULL; /* don't attempt to make new ones. */
     } else if (sigd->digestAlgorithms != NULL) {
 	sigd->contentInfo.privateInfo->digcx =
 	        NSS_CMSDigestContext_StartMultiple(sigd->digestAlgorithms);
 	if (sigd->contentInfo.privateInfo->digcx == NULL)
 	    return SECFailure;
     }
     return SECSuccess;
 }
 /*
  * NSS_CMSSignedData_Encode_AfterData - do all the necessary things to a SignedData
  *     after all the encapsulated data was passed through the encoder.
  *
  * In detail:
  *  - create the signatures in all the SignerInfos
  *
  * Please note that nothing is done to the Certificates and CRLs in the message - this
  * is entirely the responsibility of our callers.
  */
 SECStatus
 NSS_CMSSignedData_Encode_AfterData(NSSCMSSignedData *sigd)
 {
     NSSCMSSignerInfo **signerinfos, *signerinfo;
     NSSCMSContentInfo *cinfo;
     SECOidTag digestalgtag;
     SECStatus ret = SECFailure;
     SECStatus rv;
     SECItem *contentType;
     int certcount;
     int i, ci, cli, n, rci, si;
     PLArenaPool *poolp;
     CERTCertificateList *certlist;
     extern const SEC_ASN1Template NSSCMSSignerInfoTemplate[];
     if (!sigd) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
     poolp = sigd->cmsg->poolp;
     cinfo = &(sigd->contentInfo);
     /* did we have digest calculation going on? */
     if (cinfo->privateInfo && cinfo->privateInfo->digcx) {
 	rv = NSS_CMSDigestContext_FinishMultiple(cinfo->privateInfo->digcx, poolp,
 	                                         &(sigd->digests));
 	/* error has been set by NSS_CMSDigestContext_FinishMultiple */
 	cinfo->privateInfo->digcx = NULL;
 	if (rv != SECSuccess)
 	    goto loser;
     }
     signerinfos = sigd->signerInfos;
     certcount = 0;
     /* prepare all the SignerInfos (there may be none) */
     for (i=0; i < NSS_CMSSignedData_SignerInfoCount(sigd); i++) {
 	signerinfo = NSS_CMSSignedData_GetSignerInfo(sigd, i);
 	/* find correct digest for this signerinfo */
 	digestalgtag = NSS_CMSSignerInfo_GetDigestAlgTag(signerinfo);
 	n = NSS_CMSAlgArray_GetIndexByAlgTag(sigd->digestAlgorithms, digestalgtag);
 	if (n < 0 || sigd->digests == NULL || sigd->digests[n] == NULL) {
 	    /* oops - digest not found */
 	    PORT_SetError(SEC_ERROR_DIGEST_NOT_FOUND);
 	    goto loser;
 	}
 	/* XXX if our content is anything else but data, we need to force the
 	 * presence of signed attributes (RFC2630 5.3 "signedAttributes is a
 	 * collection...") */
 	/* pass contentType here as we want a contentType attribute */
 	if ((contentType = NSS_CMSContentInfo_GetContentTypeOID(cinfo)) == NULL)
 	    goto loser;
 	/* sign the thing */
 	rv = NSS_CMSSignerInfo_Sign(signerinfo, sigd->digests[n], contentType);
 	if (rv != SECSuccess)
 	    goto loser;
 	/* while we're at it, count number of certs in certLists */
 	certlist = NSS_CMSSignerInfo_GetCertList(signerinfo);
 	if (certlist)
 	    certcount += certlist->len;
     }
     /* this is a SET OF, so we need to sort them guys */
     rv = NSS_CMSArray_SortByDER((void **)signerinfos, NSSCMSSignerInfoTemplate, NULL);
     if (rv != SECSuccess)
 	goto loser;
     /*
      * now prepare certs & crls
      */
     /* count the rest of the certs */
     if (sigd->certs != NULL) {
 	for (ci = 0; sigd->certs[ci] != NULL; ci++)
 	    certcount++;
     }
     if (sigd->certLists != NULL) {
 	for (cli = 0; sigd->certLists[cli] != NULL; cli++)
 	    certcount += sigd->certLists[cli]->len;
     }
     if (certcount == 0) {
 	sigd->rawCerts = NULL;
     } else {
 	/*
 	 * Combine all of the certs and cert chains into rawcerts.
 	 * Note: certcount is an upper bound; we may not need that many slots
 	 * but we will allocate anyway to avoid having to do another pass.
 	 * (The temporary space saving is not worth it.)
 	 *
 	 * XXX ARGH - this NEEDS to be fixed. need to come up with a decent
 	 *  SetOfDERcertficates implementation
 	 */
 	sigd->rawCerts = (SECItem **)PORT_ArenaAlloc(poolp, (certcount + 1) * sizeof(SECItem *));
 	if (sigd->rawCerts == NULL)
 	    return SECFailure;
 	/*
 	 * XXX Want to check for duplicates and not add *any* cert that is
 	 * already in the set.  This will be more important when we start
 	 * dealing with larger sets of certs, dual-key certs (signing and
 	 * encryption), etc.  For the time being we can slide by...
 	 *
 	 * XXX ARGH - this NEEDS to be fixed. need to come up with a decent
 	 *  SetOfDERcertficates implementation
 	 */
 	rci = 0;
 	if (signerinfos != NULL) {
 	    for (si = 0; signerinfos[si] != NULL; si++) {
 		signerinfo = signerinfos[si];
 		for (ci = 0; ci < signerinfo->certList->len; ci++)
 		    sigd->rawCerts[rci++] = &(signerinfo->certList->certs[ci]);
 	    }
 	}
 	if (sigd->certs != NULL) {
 	    for (ci = 0; sigd->certs[ci] != NULL; ci++)
 		sigd->rawCerts[rci++] = &(sigd->certs[ci]->derCert);
 	}
 	if (sigd->certLists != NULL) {
 	    for (cli = 0; sigd->certLists[cli] != NULL; cli++) {
 		for (ci = 0; ci < sigd->certLists[cli]->len; ci++)
 		    sigd->rawCerts[rci++] = &(sigd->certLists[cli]->certs[ci]);
 	    }
 	}
 	sigd->rawCerts[rci] = NULL;
 	/* this is a SET OF, so we need to sort them guys - we have the DER already, though */
 	NSS_CMSArray_Sort((void **)sigd->rawCerts, NSS_CMSUtil_DERCompare, NULL, NULL);
     }
     ret = SECSuccess;
 loser:
     return ret;
 }
 SECStatus
 NSS_CMSSignedData_Decode_BeforeData(NSSCMSSignedData *sigd)
 {
     SECStatus rv;
     if (!sigd) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
     rv = NSS_CMSContentInfo_Private_Init(&sigd->contentInfo);
     if (rv != SECSuccess) {
 	return SECFailure;
     }
     /* handle issue with Windows 2003 servers and kerberos */
     if (sigd->digestAlgorithms != NULL) {
 	int i;
 	for (i=0; sigd->digestAlgorithms[i] != NULL; i++) {
 	    SECAlgorithmID *algid = sigd->digestAlgorithms[i];
 	    SECOidTag senttag= SECOID_FindOIDTag(&algid->algorithm);
 	    SECOidTag maptag = NSS_CMSUtil_MapSignAlgs(senttag);
 	    if (maptag != senttag) {
 		SECOidData *hashoid = SECOID_FindOIDByTag(maptag);
 		rv = SECITEM_CopyItem(sigd->cmsg->poolp, &algid->algorithm
 							,&hashoid->oid);
 		if (rv != SECSuccess) {
 		    return rv;
 		}
 	    }
 	}
     }
     /* set up the digests */
     if (sigd->digestAlgorithms != NULL && sigd->digests == NULL) {
 	/* if digests are already there, do nothing */
 	sigd->contentInfo.privateInfo->digcx = NSS_CMSDigestContext_StartMultiple(sigd->digestAlgorithms);
 	if (sigd->contentInfo.privateInfo->digcx == NULL)
 	    return SECFailure;
     }
     return SECSuccess;
 }
 /*
  * NSS_CMSSignedData_Decode_AfterData - do all the necessary things to a
  *   SignedData after all the encapsulated data was passed through the decoder.
  */
 SECStatus
 NSS_CMSSignedData_Decode_AfterData(NSSCMSSignedData *sigd)
 {
     SECStatus rv = SECSuccess;
     if (!sigd) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
     /* did we have digest calculation going on? */
     if (sigd->contentInfo.privateInfo && sigd->contentInfo.privateInfo->digcx) {
 	rv = NSS_CMSDigestContext_FinishMultiple(sigd->contentInfo.privateInfo->digcx,
 				       sigd->cmsg->poolp, &(sigd->digests));
 	/* error set by NSS_CMSDigestContext_FinishMultiple */
 	sigd->contentInfo.privateInfo->digcx = NULL;
     }
     return rv;
 }
 /*
  * NSS_CMSSignedData_Decode_AfterEnd - do all the necessary things to a SignedData
  *     after all decoding is finished.
  */
 SECStatus
 NSS_CMSSignedData_Decode_AfterEnd(NSSCMSSignedData *sigd)
 {
     NSSCMSSignerInfo **signerinfos = NULL;
     int i;
     if (!sigd) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
     /* set cmsg for all the signerinfos */
     signerinfos = sigd->signerInfos;
     /* set cmsg for all the signerinfos */
     if (signerinfos) {
 	for (i = 0; signerinfos[i] != NULL; i++)
 	    signerinfos[i]->cmsg = sigd->cmsg;
     }
     return SECSuccess;
 }
 /*
  * NSS_CMSSignedData_GetSignerInfos - retrieve the SignedData's signer list
  */
 NSSCMSSignerInfo **
 NSS_CMSSignedData_GetSignerInfos(NSSCMSSignedData *sigd)
 {
     if (!sigd) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return NULL;
     }
     return sigd->signerInfos;
 }
 int
 NSS_CMSSignedData_SignerInfoCount(NSSCMSSignedData *sigd)
 {
     if (!sigd) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return 0;
     }
     return NSS_CMSArray_Count((void **)sigd->signerInfos);
 }
 NSSCMSSignerInfo *
 NSS_CMSSignedData_GetSignerInfo(NSSCMSSignedData *sigd, int i)
 {
     if (!sigd) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return NULL;
     }
     return sigd->signerInfos[i];
 }
 /*
  * NSS_CMSSignedData_GetDigestAlgs - retrieve the SignedData's digest algorithm list
  */
 SECAlgorithmID **
 NSS_CMSSignedData_GetDigestAlgs(NSSCMSSignedData *sigd)
 {
     if (!sigd) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return NULL;
     }
     return sigd->digestAlgorithms;
 }
 /*
  * NSS_CMSSignedData_GetContentInfo - return pointer to this signedData's contentinfo
  */
 NSSCMSContentInfo *
 NSS_CMSSignedData_GetContentInfo(NSSCMSSignedData *sigd)
 {
     if (!sigd) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return NULL;
     }
     return &(sigd->contentInfo);
 }
 /*
  * NSS_CMSSignedData_GetCertificateList - retrieve the SignedData's certificate list
  */
 SECItem **
 NSS_CMSSignedData_GetCertificateList(NSSCMSSignedData *sigd)
 {
     if (!sigd) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return NULL;
     }
     return sigd->rawCerts;
 }
 SECStatus
 NSS_CMSSignedData_ImportCerts(NSSCMSSignedData *sigd, CERTCertDBHandle *certdb,
 				SECCertUsage certusage, PRBool keepcerts)
 {
     int certcount;
     CERTCertificate **certArray = NULL;
     CERTCertList *certList = NULL;
     CERTCertListNode *node;
     SECStatus rv;
     SECItem **rawArray;
     int i;
     PRTime now;
     if (!sigd) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
     certcount = NSS_CMSArray_Count((void **)sigd->rawCerts);
     /* get the certs in the temp DB */
     rv = CERT_ImportCerts(certdb, certusage, certcount, sigd->rawCerts,
 			 &certArray, PR_FALSE, PR_FALSE, NULL);
     if (rv != SECSuccess) {
 	goto loser;
     }
     /* save the certs so they don't get destroyed */
     for (i=0; i < certcount; i++) {
 	CERTCertificate *cert = certArray[i];
 	if (cert)
             NSS_CMSSignedData_AddTempCertificate(sigd, cert);
     }
     if (!keepcerts) {
 	goto done;
     }
     /* build a CertList for filtering */
     certList = CERT_NewCertList();
     if (certList == NULL) {
 	rv = SECFailure;
 	goto loser;
     }
     for (i=0; i < certcount; i++) {
 	CERTCertificate *cert = certArray[i];
 	if (cert)
 	    cert = CERT_DupCertificate(cert);
 	if (cert)
 	    CERT_AddCertToListTail(certList,cert);
     }
     /* filter out the certs we don't want */
     rv = CERT_FilterCertListByUsage(certList,certusage, PR_FALSE);
     if (rv != SECSuccess) {
 	goto loser;
     }
     /* go down the remaining list of certs and verify that they have
      * valid chains, then import them.
      */
     now = PR_Now();
     for (node = CERT_LIST_HEAD(certList) ; !CERT_LIST_END(node,certList);
 						node= CERT_LIST_NEXT(node)) {
 	CERTCertificateList *certChain;
 	if (CERT_VerifyCert(certdb, node->cert,
 		PR_TRUE, certusage, now, NULL, NULL) != SECSuccess) {
 	    continue;
 	}
 	certChain = CERT_CertChainFromCert(node->cert, certusage, PR_FALSE);
 	if (!certChain) {
 	    continue;
 	}
 	/*
 	 * CertChain returns an array of SECItems, import expects an array of
 	 * SECItem pointers. Create the SECItem Pointers from the array of
 	 * SECItems.
  	 */
 	rawArray = (SECItem **)PORT_Alloc(certChain->len*sizeof (SECItem *));
 	if (!rawArray) {
 	    CERT_DestroyCertificateList(certChain);
 	    continue;
 	}
 	for (i=0; i < certChain->len; i++) {
 	    rawArray[i] = &certChain->certs[i];
 	}
 	(void )CERT_ImportCerts(certdb, certusage, certChain->len,
 			rawArray,  NULL, keepcerts, PR_FALSE, NULL);
 	PORT_Free(rawArray);
 	CERT_DestroyCertificateList(certChain);
     }
     rv = SECSuccess;
     /* XXX CRL handling */
 done:
     if (sigd->signerInfos != NULL) {
 	/* fill in all signerinfo's certs */
 	for (i = 0; sigd->signerInfos[i] != NULL; i++)
 	    (void)NSS_CMSSignerInfo_GetSigningCertificate(
 						sigd->signerInfos[i], certdb);
     }
 loser:
     /* now free everything */
     if (certArray) {
 	CERT_DestroyCertArray(certArray,certcount);
     }
     if (certList) {
 	CERT_DestroyCertList(certList);
     }
     return rv;
 }
 /*
  * XXX the digests need to be passed in BETWEEN the decoding and the verification in case
  *     of external signatures!
  */
 /*
  * NSS_CMSSignedData_VerifySignerInfo - check the signatures.
  *
  * The digests were either calculated during decoding (and are stored in the
  * signedData itself) or set after decoding using NSS_CMSSignedData_SetDigests.
  *
  * The verification checks if the signing cert is valid and has a trusted chain
  * for the purpose specified by "certusage".
  */
 SECStatus
 NSS_CMSSignedData_VerifySignerInfo(NSSCMSSignedData *sigd, int i,
 			    CERTCertDBHandle *certdb, SECCertUsage certusage)
 {
     NSSCMSSignerInfo *signerinfo;
     NSSCMSContentInfo *cinfo;
     SECOidData *algiddata;
     SECItem *contentType, *digest;
     SECOidTag oidTag;
     SECStatus rv;
     if (!sigd) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
     cinfo = &(sigd->contentInfo);
     signerinfo = sigd->signerInfos[i];
     /* verify certificate */
     rv = NSS_CMSSignerInfo_VerifyCertificate(signerinfo, certdb, certusage);
     if (rv != SECSuccess)
 	return rv; /* error is set */
     /* find digest and contentType for signerinfo */
     algiddata = NSS_CMSSignerInfo_GetDigestAlg(signerinfo);
     oidTag = algiddata ? algiddata->offset : SEC_OID_UNKNOWN;
     digest = NSS_CMSSignedData_GetDigestValue(sigd, oidTag);
     /* NULL digest is acceptable. */
     contentType = NSS_CMSContentInfo_GetContentTypeOID(cinfo);
     /* NULL contentType is acceptable. */
     /* now verify signature */
     rv = NSS_CMSSignerInfo_Verify(signerinfo, digest, contentType);
     return rv;
 }
 /*
  * NSS_CMSSignedData_VerifyCertsOnly - verify the certs in a certs-only message
  */
 SECStatus
 NSS_CMSSignedData_VerifyCertsOnly(NSSCMSSignedData *sigd,
                                   CERTCertDBHandle *certdb,
                                   SECCertUsage usage)
 {
     CERTCertificate *cert;
     SECStatus rv = SECSuccess;
     int i;
     int count;
     PRTime now;
     if (!sigd || !certdb || !sigd->rawCerts) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return SECFailure;
     }
     count = NSS_CMSArray_Count((void**)sigd->rawCerts);
     now = PR_Now();
     for (i=0; i < count; i++) {
 	if (sigd->certs && sigd->certs[i]) {
 	    cert = CERT_DupCertificate(sigd->certs[i]);
 	} else {
 	    cert = CERT_FindCertByDERCert(certdb, sigd->rawCerts[i]);
 	    if (!cert) {
 		rv = SECFailure;
 		break;
 	    }
 	}
 	rv |= CERT_VerifyCert(certdb, cert, PR_TRUE, usage, now,
                               NULL, NULL);
 	CERT_DestroyCertificate(cert);
     }
     return rv;
 }
 /*
  * NSS_CMSSignedData_HasDigests - see if we have digests in place
  */
 PRBool
 NSS_CMSSignedData_HasDigests(NSSCMSSignedData *sigd)
 {
     if (!sigd) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return PR_FALSE;
     }
     return (sigd->digests != NULL);
 }
 SECStatus
 NSS_CMSSignedData_AddCertList(NSSCMSSignedData *sigd, CERTCertificateList *certlist)
 {
     SECStatus rv;
     if (!sigd || !certlist) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
     /* XXX memory?? a certlist has an arena of its own and is not refcounted!?!? */
     rv = NSS_CMSArray_Add(sigd->cmsg->poolp, (void ***)&(sigd->certLists), (void *)certlist);
     return rv;
 }
 /*
  * NSS_CMSSignedData_AddCertChain - add cert and its entire chain to the set of certs
  */
 SECStatus
 NSS_CMSSignedData_AddCertChain(NSSCMSSignedData *sigd, CERTCertificate *cert)
 {
     CERTCertificateList *certlist;
     SECCertUsage usage;
     SECStatus rv;
     usage = certUsageEmailSigner;
     if (!sigd || !cert) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
     /* do not include root */
     certlist = CERT_CertChainFromCert(cert, usage, PR_FALSE);
     if (certlist == NULL)
 	return SECFailure;
     rv = NSS_CMSSignedData_AddCertList(sigd, certlist);
     return rv;
 }
 extern SECStatus
 NSS_CMSSignedData_AddTempCertificate(NSSCMSSignedData *sigd, CERTCertificate *cert)
 {
     CERTCertificate *c;
     SECStatus rv;
     if (!sigd || !cert) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
     c = CERT_DupCertificate(cert);
     rv = NSS_CMSArray_Add(sigd->cmsg->poolp, (void ***)&(sigd->tempCerts), (void *)c);
     return rv;
 }
 SECStatus
 NSS_CMSSignedData_AddCertificate(NSSCMSSignedData *sigd, CERTCertificate *cert)
 {
     CERTCertificate *c;
     SECStatus rv;
     if (!sigd || !cert) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
     c = CERT_DupCertificate(cert);
     rv = NSS_CMSArray_Add(sigd->cmsg->poolp, (void ***)&(sigd->certs), (void *)c);
     return rv;
 }
 PRBool
 NSS_CMSSignedData_ContainsCertsOrCrls(NSSCMSSignedData *sigd)
 {
     if (!sigd) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return PR_FALSE;
     }
     if (sigd->rawCerts != NULL && sigd->rawCerts[0] != NULL)
 	return PR_TRUE;
     else if (sigd->crls != NULL && sigd->crls[0] != NULL)
 	return PR_TRUE;
     else
 	return PR_FALSE;
 }
 SECStatus
 NSS_CMSSignedData_AddSignerInfo(NSSCMSSignedData *sigd,
 				NSSCMSSignerInfo *signerinfo)
 {
     void *mark;
     SECStatus rv;
     SECOidTag digestalgtag;
     PLArenaPool *poolp;
     if (!sigd || !signerinfo) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
     poolp = sigd->cmsg->poolp;
     mark = PORT_ArenaMark(poolp);
     /* add signerinfo */
     rv = NSS_CMSArray_Add(poolp, (void ***)&(sigd->signerInfos), (void *)signerinfo);
     if (rv != SECSuccess)
 	goto loser;
     /*
      * add empty digest
      * Empty because we don't have it yet. Either it gets created during encoding
      * (if the data is present) or has to be set externally.
      * XXX maybe pass it in optionally?
      */
     digestalgtag = NSS_CMSSignerInfo_GetDigestAlgTag(signerinfo);
     rv = NSS_CMSSignedData_SetDigestValue(sigd, digestalgtag, NULL);
     if (rv != SECSuccess)
 	goto loser;
     /*
      * The last thing to get consistency would be adding the digest.
      */
     PORT_ArenaUnmark(poolp, mark);
     return SECSuccess;
 loser:
     PORT_ArenaRelease (poolp, mark);
     return SECFailure;
 }
 /*
  * NSS_CMSSignedData_SetDigests - set a signedData's digests member
  *
  * "digestalgs" - array of digest algorithm IDs
  * "digests"    - array of digests corresponding to the digest algorithms
  */
 SECStatus
 NSS_CMSSignedData_SetDigests(NSSCMSSignedData *sigd,
 				SECAlgorithmID **digestalgs,
 				SECItem **digests)
 {
     int cnt, i, idx;
     if (!sigd || !digestalgs || !digests) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
     if (sigd->digestAlgorithms == NULL) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return SECFailure;
     }
     /* we assume that the digests array is just not there yet */
     PORT_Assert(sigd->digests == NULL);
     if (sigd->digests != NULL) {
 	PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
 	return SECFailure;
     }
     /* now allocate one (same size as digestAlgorithms) */
     cnt = NSS_CMSArray_Count((void **)sigd->digestAlgorithms);
     sigd->digests = PORT_ArenaZAlloc(sigd->cmsg->poolp, (cnt + 1) * sizeof(SECItem *));
     if (sigd->digests == NULL) {
 	PORT_SetError(SEC_ERROR_NO_MEMORY);
 	return SECFailure;
     }
     for (i = 0; sigd->digestAlgorithms[i] != NULL; i++) {
 	/* try to find the sigd's i'th digest algorithm in the array we passed in */
 	idx = NSS_CMSAlgArray_GetIndexByAlgID(digestalgs, sigd->digestAlgorithms[i]);
 	if (idx < 0) {
 	    PORT_SetError(SEC_ERROR_DIGEST_NOT_FOUND);
 	    return SECFailure;
 	}
 	if (!digests[idx]) {
 	    /* We have no digest for this algorithm, probably because it is
 	    ** unrecognized or unsupported.  We'll ignore this here.  If this
 	    ** digest is needed later, an error will be be generated then.
 	    */
 	    continue;
 	}
 	/* found it - now set it */
 	if ((sigd->digests[i] = SECITEM_AllocItem(sigd->cmsg->poolp, NULL, 0)) == NULL ||
 	    SECITEM_CopyItem(sigd->cmsg->poolp, sigd->digests[i], digests[idx]) != SECSuccess)
 	{
 	    PORT_SetError(SEC_ERROR_NO_MEMORY);
 	    return SECFailure;
 	}
     }
     return SECSuccess;
 }
 SECStatus
 NSS_CMSSignedData_SetDigestValue(NSSCMSSignedData *sigd,
 				SECOidTag digestalgtag,
 				SECItem *digestdata)
 {
     SECItem *digest = NULL;
     PLArenaPool *poolp;
     void *mark;
     int n, cnt;
     if (!sigd) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
     poolp = sigd->cmsg->poolp;
     mark = PORT_ArenaMark(poolp);
     if (digestdata) {
         digest = (SECItem *) PORT_ArenaZAlloc(poolp,sizeof(SECItem));
 	/* copy digestdata item to arena (in case we have it and are not only making room) */
 	if (SECITEM_CopyItem(poolp, digest, digestdata) != SECSuccess)
 	    goto loser;
     }
     /* now allocate one (same size as digestAlgorithms) */
     if (sigd->digests == NULL) {
         cnt = NSS_CMSArray_Count((void **)sigd->digestAlgorithms);
         sigd->digests = PORT_ArenaZAlloc(sigd->cmsg->poolp, (cnt + 1) * sizeof(SECItem *));
         if (sigd->digests == NULL) {
 	        PORT_SetError(SEC_ERROR_NO_MEMORY);
 	        return SECFailure;
         }
     }
     n = -1;
     if (sigd->digestAlgorithms != NULL)
 	n = NSS_CMSAlgArray_GetIndexByAlgTag(sigd->digestAlgorithms, digestalgtag);
     /* if not found, add a digest */
     if (n < 0) {
 	if (NSS_CMSSignedData_AddDigest(poolp, sigd, digestalgtag, digest) != SECSuccess)
 	    goto loser;
     } else {
 	/* replace NULL pointer with digest item (and leak previous value) */
 	sigd->digests[n] = digest;
     }
     PORT_ArenaUnmark(poolp, mark);
     return SECSuccess;
 loser:
     PORT_ArenaRelease(poolp, mark);
     return SECFailure;
 }
 SECStatus
 NSS_CMSSignedData_AddDigest(PLArenaPool *poolp,
 				NSSCMSSignedData *sigd,
 				SECOidTag digestalgtag,
 				SECItem *digest)
 {
     SECAlgorithmID *digestalg;
     void *mark;
     if (!sigd || !poolp) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
     mark = PORT_ArenaMark(poolp);
     digestalg = PORT_ArenaZAlloc(poolp, sizeof(SECAlgorithmID));
     if (digestalg == NULL)
 	goto loser;
     if (SECOID_SetAlgorithmID (poolp, digestalg, digestalgtag, NULL) != SECSuccess) /* no params */
 	goto loser;
     if (NSS_CMSArray_Add(poolp, (void ***)&(sigd->digestAlgorithms), (void *)digestalg) != SECSuccess ||
 	/* even if digest is NULL, add dummy to have same-size array */
 	NSS_CMSArray_Add(poolp, (void ***)&(sigd->digests), (void *)digest) != SECSuccess)
     {
 	goto loser;
     }
     PORT_ArenaUnmark(poolp, mark);
     return SECSuccess;
 loser:
     PORT_ArenaRelease(poolp, mark);
     return SECFailure;
 }
 /* XXX This function doesn't set the error code on failure. */
 SECItem *
 NSS_CMSSignedData_GetDigestValue(NSSCMSSignedData *sigd, SECOidTag digestalgtag)
 {
     int n;
     if (!sigd) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return NULL;
     }
     if (sigd->digestAlgorithms == NULL || sigd->digests == NULL) {
         PORT_SetError(SEC_ERROR_DIGEST_NOT_FOUND);
 	return NULL;
     }
     n = NSS_CMSAlgArray_GetIndexByAlgTag(sigd->digestAlgorithms, digestalgtag);
     return (n < 0) ? NULL : sigd->digests[n];
 }
 /* =============================================================================
  * Misc. utility functions
  */
 /*
  * NSS_CMSSignedData_CreateCertsOnly - create a certs-only SignedData.
  *
  * cert          - base certificates that will be included
  * include_chain - if true, include the complete cert chain for cert
  *
  * More certs and chains can be added via AddCertificate and AddCertChain.
  *
  * An error results in a return value of NULL and an error set.
  *
  * XXXX CRLs
  */
 NSSCMSSignedData *
 NSS_CMSSignedData_CreateCertsOnly(NSSCMSMessage *cmsg, CERTCertificate *cert, PRBool include_chain)
 {
     NSSCMSSignedData *sigd;
     void *mark;
     PLArenaPool *poolp;
     SECStatus rv;
     if (!cmsg || !cert) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return NULL;
     }
     poolp = cmsg->poolp;
     mark = PORT_ArenaMark(poolp);
     sigd = NSS_CMSSignedData_Create(cmsg);
     if (sigd == NULL)
 	goto loser;
     /* no signerinfos, thus no digestAlgorithms */
     /* but certs */
     if (include_chain) {
 	rv = NSS_CMSSignedData_AddCertChain(sigd, cert);
     } else {
 	rv = NSS_CMSSignedData_AddCertificate(sigd, cert);
     }
     if (rv != SECSuccess)
 	goto loser;
     /* RFC2630 5.2 sez:
      * In the degenerate case where there are no signers, the
      * EncapsulatedContentInfo value being "signed" is irrelevant.  In this
      * case, the content type within the EncapsulatedContentInfo value being
      * "signed" should be id-data (as defined in section 4), and the content
      * field of the EncapsulatedContentInfo value should be omitted.
      */
     rv = NSS_CMSContentInfo_SetContent_Data(cmsg, &(sigd->contentInfo), NULL, PR_TRUE);
     if (rv != SECSuccess)
 	goto loser;
     PORT_ArenaUnmark(poolp, mark);
     return sigd;
 loser:
     if (sigd)
 	NSS_CMSSignedData_Destroy(sigd);
     PORT_ArenaRelease(poolp, mark);
     return NULL;
 }
 /* TODO:
  * NSS_CMSSignerInfo_GetReceiptRequest()
  * NSS_CMSSignedData_HasReceiptRequest()
  * easy way to iterate over signers
  */

The Tor Browser / annotate

security/nss/lib/smime/cmssigdata.c@b8a032363ba2 (annotated)

security/nss/lib/smime/cmssigdata.c