1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/security/nss/lib/pkcs7/pkcs7t.h Wed Dec 31 06:09:35 2014 +0100
1.3 @@ -0,0 +1,235 @@
1.4 +/* This Source Code Form is subject to the terms of the Mozilla Public
1.5 + * License, v. 2.0. If a copy of the MPL was not distributed with this
1.6 + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
1.7 +
1.8 +/*
1.9 + * Header for pkcs7 types.
1.10 + */
1.11 +
1.12 +#ifndef _PKCS7T_H_
1.13 +#define _PKCS7T_H_
1.14 +
1.15 +#include "plarena.h"
1.16 +
1.17 +#include "seccomon.h"
1.18 +#include "secoidt.h"
1.19 +#include "certt.h"
1.20 +#include "secmodt.h"
1.21 +
1.22 +/* Opaque objects */
1.23 +typedef struct SEC_PKCS7DecoderContextStr SEC_PKCS7DecoderContext;
1.24 +typedef struct SEC_PKCS7EncoderContextStr SEC_PKCS7EncoderContext;
1.25 +
1.26 +/* legacy defines that haven't been active for years */
1.27 +typedef void *(*SECKEYGetPasswordKey)(void *arg, void *handle);
1.28 +
1.29 +
1.30 +/* Non-opaque objects. NOTE, though: I want them to be treated as
1.31 + * opaque as much as possible. If I could hide them completely,
1.32 + * I would. (I tried, but ran into trouble that was taking me too
1.33 + * much time to get out of.) I still intend to try to do so.
1.34 + * In fact, the only type that "outsiders" should even *name* is
1.35 + * SEC_PKCS7ContentInfo, and they should not reference its fields.
1.36 + */
1.37 +/* rjr: PKCS #11 cert handling (pk11cert.c) does use SEC_PKCS7RecipientInfo's.
1.38 + * This is because when we search the recipient list for the cert and key we
1.39 + * want, we need to invert the order of the loops we used to have. The old
1.40 + * loops were:
1.41 + *
1.42 + * For each recipient {
1.43 + * find_cert = PK11_Find_AllCert(recipient->issuerSN);
1.44 + * [which unrolls to... ]
1.45 + * For each slot {
1.46 + * Log into slot;
1.47 + * search slot for cert;
1.48 + * }
1.49 + * }
1.50 + *
1.51 + * the new loop searchs all the recipients at once on a slot. this allows
1.52 + * PKCS #11 to order slots in such a way that logout slots don't get checked
1.53 + * if we can find the cert on a logged in slot. This eliminates lots of
1.54 + * spurious password prompts when smart cards are installed... so why this
1.55 + * comment? If you make SEC_PKCS7RecipientInfo completely opaque, you need
1.56 + * to provide a non-opaque list of issuerSN's (the only field PKCS#11 needs
1.57 + * and fix up pk11cert.c first. NOTE: Only S/MIME calls this special PKCS #11
1.58 + * function.
1.59 + */
1.60 +typedef struct SEC_PKCS7ContentInfoStr SEC_PKCS7ContentInfo;
1.61 +typedef struct SEC_PKCS7SignedDataStr SEC_PKCS7SignedData;
1.62 +typedef struct SEC_PKCS7EncryptedContentInfoStr SEC_PKCS7EncryptedContentInfo;
1.63 +typedef struct SEC_PKCS7EnvelopedDataStr SEC_PKCS7EnvelopedData;
1.64 +typedef struct SEC_PKCS7SignedAndEnvelopedDataStr
1.65 + SEC_PKCS7SignedAndEnvelopedData;
1.66 +typedef struct SEC_PKCS7SignerInfoStr SEC_PKCS7SignerInfo;
1.67 +typedef struct SEC_PKCS7RecipientInfoStr SEC_PKCS7RecipientInfo;
1.68 +typedef struct SEC_PKCS7DigestedDataStr SEC_PKCS7DigestedData;
1.69 +typedef struct SEC_PKCS7EncryptedDataStr SEC_PKCS7EncryptedData;
1.70 +/*
1.71 + * The following is not actually a PKCS7 type, but for now it is only
1.72 + * used by PKCS7, so we have adopted it. If someone else *ever* needs
1.73 + * it, its name should be changed and it should be moved out of here.
1.74 + * Do not dare to use it without doing so!
1.75 + */
1.76 +typedef struct SEC_PKCS7AttributeStr SEC_PKCS7Attribute;
1.77 +
1.78 +struct SEC_PKCS7ContentInfoStr {
1.79 + PLArenaPool *poolp; /* local; not part of encoding */
1.80 + PRBool created; /* local; not part of encoding */
1.81 + int refCount; /* local; not part of encoding */
1.82 + SECOidData *contentTypeTag; /* local; not part of encoding */
1.83 + SECKEYGetPasswordKey pwfn; /* local; not part of encoding */
1.84 + void *pwfn_arg; /* local; not part of encoding */
1.85 + SECItem contentType;
1.86 + union {
1.87 + SECItem *data;
1.88 + SEC_PKCS7DigestedData *digestedData;
1.89 + SEC_PKCS7EncryptedData *encryptedData;
1.90 + SEC_PKCS7EnvelopedData *envelopedData;
1.91 + SEC_PKCS7SignedData *signedData;
1.92 + SEC_PKCS7SignedAndEnvelopedData *signedAndEnvelopedData;
1.93 + } content;
1.94 +};
1.95 +
1.96 +struct SEC_PKCS7SignedDataStr {
1.97 + SECItem version;
1.98 + SECAlgorithmID **digestAlgorithms;
1.99 + SEC_PKCS7ContentInfo contentInfo;
1.100 + SECItem **rawCerts;
1.101 + CERTSignedCrl **crls;
1.102 + SEC_PKCS7SignerInfo **signerInfos;
1.103 + SECItem **digests; /* local; not part of encoding */
1.104 + CERTCertificate **certs; /* local; not part of encoding */
1.105 + CERTCertificateList **certLists; /* local; not part of encoding */
1.106 +};
1.107 +#define SEC_PKCS7_SIGNED_DATA_VERSION 1 /* what we *create* */
1.108 +
1.109 +struct SEC_PKCS7EncryptedContentInfoStr {
1.110 + SECOidData *contentTypeTag; /* local; not part of encoding */
1.111 + SECItem contentType;
1.112 + SECAlgorithmID contentEncAlg;
1.113 + SECItem encContent;
1.114 + SECItem plainContent; /* local; not part of encoding */
1.115 + /* bytes not encrypted, but encoded */
1.116 + int keysize; /* local; not part of encoding */
1.117 + /* size of bulk encryption key
1.118 + * (only used by creation code) */
1.119 + SECOidTag encalg; /* local; not part of encoding */
1.120 + /* oid tag of encryption algorithm
1.121 + * (only used by creation code) */
1.122 +};
1.123 +
1.124 +struct SEC_PKCS7EnvelopedDataStr {
1.125 + SECItem version;
1.126 + SEC_PKCS7RecipientInfo **recipientInfos;
1.127 + SEC_PKCS7EncryptedContentInfo encContentInfo;
1.128 +};
1.129 +#define SEC_PKCS7_ENVELOPED_DATA_VERSION 0 /* what we *create* */
1.130 +
1.131 +struct SEC_PKCS7SignedAndEnvelopedDataStr {
1.132 + SECItem version;
1.133 + SEC_PKCS7RecipientInfo **recipientInfos;
1.134 + SECAlgorithmID **digestAlgorithms;
1.135 + SEC_PKCS7EncryptedContentInfo encContentInfo;
1.136 + SECItem **rawCerts;
1.137 + CERTSignedCrl **crls;
1.138 + SEC_PKCS7SignerInfo **signerInfos;
1.139 + SECItem **digests; /* local; not part of encoding */
1.140 + CERTCertificate **certs; /* local; not part of encoding */
1.141 + CERTCertificateList **certLists; /* local; not part of encoding */
1.142 + PK11SymKey *sigKey; /* local; not part of encoding */
1.143 +};
1.144 +#define SEC_PKCS7_SIGNED_AND_ENVELOPED_DATA_VERSION 1 /* what we *create* */
1.145 +
1.146 +struct SEC_PKCS7SignerInfoStr {
1.147 + SECItem version;
1.148 + CERTIssuerAndSN *issuerAndSN;
1.149 + SECAlgorithmID digestAlg;
1.150 + SEC_PKCS7Attribute **authAttr;
1.151 + SECAlgorithmID digestEncAlg;
1.152 + SECItem encDigest;
1.153 + SEC_PKCS7Attribute **unAuthAttr;
1.154 + CERTCertificate *cert; /* local; not part of encoding */
1.155 + CERTCertificateList *certList; /* local; not part of encoding */
1.156 +};
1.157 +#define SEC_PKCS7_SIGNER_INFO_VERSION 1 /* what we *create* */
1.158 +
1.159 +struct SEC_PKCS7RecipientInfoStr {
1.160 + SECItem version;
1.161 + CERTIssuerAndSN *issuerAndSN;
1.162 + SECAlgorithmID keyEncAlg;
1.163 + SECItem encKey;
1.164 + CERTCertificate *cert; /* local; not part of encoding */
1.165 +};
1.166 +#define SEC_PKCS7_RECIPIENT_INFO_VERSION 0 /* what we *create* */
1.167 +
1.168 +struct SEC_PKCS7DigestedDataStr {
1.169 + SECItem version;
1.170 + SECAlgorithmID digestAlg;
1.171 + SEC_PKCS7ContentInfo contentInfo;
1.172 + SECItem digest;
1.173 +};
1.174 +#define SEC_PKCS7_DIGESTED_DATA_VERSION 0 /* what we *create* */
1.175 +
1.176 +struct SEC_PKCS7EncryptedDataStr {
1.177 + SECItem version;
1.178 + SEC_PKCS7EncryptedContentInfo encContentInfo;
1.179 +};
1.180 +#define SEC_PKCS7_ENCRYPTED_DATA_VERSION 0 /* what we *create* */
1.181 +
1.182 +/*
1.183 + * See comment above about this type not really belonging to PKCS7.
1.184 + */
1.185 +struct SEC_PKCS7AttributeStr {
1.186 + /* The following fields make up an encoded Attribute: */
1.187 + SECItem type;
1.188 + SECItem **values; /* data may or may not be encoded */
1.189 + /* The following fields are not part of an encoded Attribute: */
1.190 + SECOidData *typeTag;
1.191 + PRBool encoded; /* when true, values are encoded */
1.192 +};
1.193 +
1.194 +/*
1.195 + * Type of function passed to SEC_PKCS7Decode or SEC_PKCS7DecoderStart.
1.196 + * If specified, this is where the content bytes (only) will be "sent"
1.197 + * as they are recovered during the decoding.
1.198 + *
1.199 + * XXX Should just combine this with SEC_PKCS7EncoderContentCallback type
1.200 + * and use a simpler, common name.
1.201 + */
1.202 +typedef void (* SEC_PKCS7DecoderContentCallback)(void *arg,
1.203 + const char *buf,
1.204 + unsigned long len);
1.205 +
1.206 +/*
1.207 + * Type of function passed to SEC_PKCS7Encode or SEC_PKCS7EncoderStart.
1.208 + * This is where the encoded bytes will be "sent".
1.209 + *
1.210 + * XXX Should just combine this with SEC_PKCS7DecoderContentCallback type
1.211 + * and use a simpler, common name.
1.212 + */
1.213 +typedef void (* SEC_PKCS7EncoderOutputCallback)(void *arg,
1.214 + const char *buf,
1.215 + unsigned long len);
1.216 +
1.217 +
1.218 +/*
1.219 + * Type of function passed to SEC_PKCS7Decode or SEC_PKCS7DecoderStart
1.220 + * to retrieve the decryption key. This function is inteded to be
1.221 + * used for EncryptedData content info's which do not have a key available
1.222 + * in a certificate, etc.
1.223 + */
1.224 +typedef PK11SymKey * (* SEC_PKCS7GetDecryptKeyCallback)(void *arg,
1.225 + SECAlgorithmID *algid);
1.226 +
1.227 +/*
1.228 + * Type of function passed to SEC_PKCS7Decode or SEC_PKCS7DecoderStart.
1.229 + * This function in intended to be used to verify that decrypting a
1.230 + * particular crypto algorithm is allowed. Content types which do not
1.231 + * require decryption will not need the callback. If the callback
1.232 + * is not specified for content types which require decryption, the
1.233 + * decryption will be disallowed.
1.234 + */
1.235 +typedef PRBool (* SEC_PKCS7DecryptionAllowedCallback)(SECAlgorithmID *algid,
1.236 + PK11SymKey *bulkkey);
1.237 +
1.238 +#endif /* _PKCS7T_H_ */
