security/nss/lib/smime/cmst.h

Thu, 22 Jan 2015 13:21:57 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Thu, 22 Jan 2015 13:21:57 +0100
branch
TOR_BUG_9701
changeset 15
b8a032363ba2
permissions
-rw-r--r--

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

     1 /* This Source Code Form is subject to the terms of the Mozilla Public
     2  * License, v. 2.0. If a copy of the MPL was not distributed with this
     3  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
     5 /*
     6  * Header for CMS types.
     7  */
     9 #ifndef _CMST_H_
    10 #define _CMST_H_
    12 #include "seccomon.h"
    13 #include "secoidt.h"
    14 #include "certt.h"
    15 #include "secmodt.h"
    16 #include "secmodt.h"
    18 #include "plarena.h"
    20 /* Non-opaque objects.  NOTE, though: I want them to be treated as
    21  * opaque as much as possible.  If I could hide them completely,
    22  * I would.  (I tried, but ran into trouble that was taking me too
    23  * much time to get out of.)  I still intend to try to do so.
    24  * In fact, the only type that "outsiders" should even *name* is
    25  * NSSCMSMessage, and they should not reference its fields.
    26  */
    27 /* rjr: PKCS #11 cert handling (pk11cert.c) does use NSSCMSRecipientInfo's.
    28  * This is because when we search the recipient list for the cert and key we
    29  * want, we need to invert the order of the loops we used to have. The old
    30  * loops were:
    31  *
    32  *  For each recipient {
    33  *       find_cert = PK11_Find_AllCert(recipient->issuerSN);
    34  *       [which unrolls to... ]
    35  *       For each slot {
    36  *            Log into slot;
    37  *            search slot for cert;
    38  *      }
    39  *  }
    40  *
    41  *  The new loop searches all the recipients at once on a slot. This allows
    42  *  PKCS #11 to order slots in such a way that logged-out slots don't get checked
    43  *  if we can find the cert on a logged in slot. This eliminates lots of
    44  *  spurious password prompts when smart cards are installed... so why this
    45  *  comment? If you make NSSCMSRecipientInfo completely opaque, you need
    46  *  to provide a non-opaque list of issuerSN's (the only field PKCS#11 needs)
    47  *  and fix up pk11cert.c first. NOTE: Only S/MIME calls this special PKCS #11
    48  *  function.
    49  */
    51 typedef struct NSSCMSMessageStr NSSCMSMessage;
       /* The typedefs in this run only name struct/union tags.  Most of the
        * tags are defined further down in this header.  NSSCMSDecoderContextStr,
        * NSSCMSEncoderContextStr, NSSCMSCipherContextStr, NSSCMSDigestContextStr
        * and NSSCMSContentInfoPrivateStr are not defined here, so code that
        * includes only this header can hold pointers to those types but cannot
        * see their fields. */
    53 typedef union NSSCMSContentUnion NSSCMSContent;
    54 typedef struct NSSCMSContentInfoStr NSSCMSContentInfo;
    56 typedef struct NSSCMSSignedDataStr NSSCMSSignedData;
    57 typedef struct NSSCMSSignerInfoStr NSSCMSSignerInfo;
    58 typedef struct NSSCMSSignerIdentifierStr NSSCMSSignerIdentifier;
    60 typedef struct NSSCMSEnvelopedDataStr NSSCMSEnvelopedData;
    61 typedef struct NSSCMSOriginatorInfoStr NSSCMSOriginatorInfo;
    62 typedef struct NSSCMSRecipientInfoStr NSSCMSRecipientInfo;
    64 typedef struct NSSCMSDigestedDataStr NSSCMSDigestedData;
    65 typedef struct NSSCMSEncryptedDataStr NSSCMSEncryptedData;
    67 typedef struct NSSCMSGenericWrapperDataStr NSSCMSGenericWrapperData;
    69 typedef struct NSSCMSAttributeStr NSSCMSAttribute;
    71 typedef struct NSSCMSDecoderContextStr NSSCMSDecoderContext;
    72 typedef struct NSSCMSEncoderContextStr NSSCMSEncoderContext;
    74 typedef struct NSSCMSCipherContextStr NSSCMSCipherContext;
    75 typedef struct NSSCMSDigestContextStr NSSCMSDigestContext;
    77 typedef struct NSSCMSContentInfoPrivateStr NSSCMSContentInfoPrivate;
    79 typedef SECStatus (*NSSCMSGenericWrapperDataCallback)
    80 						(NSSCMSGenericWrapperData *);
       /* Both hook types receive only the wrapper pointer: the one above
        * reports a SECStatus, the one below returns nothing.  When each hook
        * is invoked, and what a failing SECStatus causes, is not stated in
        * this header. */
    81 typedef   void    (*NSSCMSGenericWrapperDataDestroy) 
    82 						(NSSCMSGenericWrapperData *);
       /* ASN.1 templates for the generic wrapper; only declared here (extern),
        * the definitions live elsewhere. */
    84 extern const SEC_ASN1Template NSSCMSGenericWrapperDataTemplate[];
    85 extern const SEC_ASN1Template NSS_PointerToCMSGenericWrapperDataTemplate[];
    87 SEC_ASN1_CHOOSER_DECLARE(NSS_PointerToCMSGenericWrapperDataTemplate)
    88 SEC_ASN1_CHOOSER_DECLARE(NSSCMSGenericWrapperDataTemplate)
    92 /*
    93  * Type of function passed to NSSCMSDecode or NSSCMSDecoderStart.
    94  * If specified, this is where the content bytes (only) will be "sent"
    95  * as they are recovered during the decoding.
    96  * And:
    97  * Type of function passed to NSSCMSEncode or NSSCMSEncoderStart.
    98  * This is where the DER-encoded bytes will be "sent".
    99  *
   100  * XXX Should just combine this with NSSCMSEncoderContentCallback type
   101  * and use a simpler, common name.
        *
        * The data arrives as a (buf, len) pair.  Nothing in this declaration
        * promises that buf is NUL-terminated, so an implementation should
        * treat it as a counted byte buffer of len bytes and never hand it to
        * string functions.  On the decode side the bytes come out of the
        * message being decoded, so they are only as trustworthy as that
        * message.  arg is an opaque pointer (presumably the value the caller
        * registered together with the callback -- confirm).
   102  */
   103 typedef void (*NSSCMSContentCallback)(void *arg, const char *buf, unsigned long len);
   105 /*
   106  * Type of function passed to NSSCMSDecode or NSSCMSDecoderStart
   107  * to retrieve the decryption key.  This function is intended to be
   108  * used for EncryptedData content info's which do not have a key available
   109  * in a certificate, etc.
        *
        * The callback receives an opaque arg and a SECAlgorithmID and returns
        * a PK11SymKey pointer.  This header does not say who owns the returned
        * key, whether it is referenced or copied, or what a NULL return means;
        * check the decoder before relying on any of these.
        * NOTE(review): algid presumably comes from the message being decoded,
        * so an implementation should check it against the algorithms it is
        * willing to use before handing out a key -- confirm.
   110  */
   111 typedef PK11SymKey *(*NSSCMSGetDecryptKeyCallback)(void *arg, SECAlgorithmID *algid);
   114 /* =============================================================================
   115  * ENCAPSULATED CONTENTINFO & CONTENTINFO
   116  */
   118 union NSSCMSContentUnion {
           /* All members are pointers sharing one storage slot, and the union
            * itself carries no tag saying which member is valid.
            * NOTE(review): presumably contentType / contentTypeTag of the
            * enclosing NSSCMSContentInfoStr select the member -- confirm
            * before dereferencing any of them. */
   119     /* either unstructured */
   120     SECItem *			data;
   121     /* or structured data */
   122     NSSCMSDigestedData *	digestedData;
   123     NSSCMSEncryptedData	*	encryptedData;
   124     NSSCMSEnvelopedData	*	envelopedData;
   125     NSSCMSSignedData *		signedData;
   126     NSSCMSGenericWrapperData *	genericData;
   127     /* or anonymous pointer to something */
   128     void *			pointer;
   129 };
   131 struct NSSCMSContentInfoStr {
           /* One content-info node: the content type plus the content itself.
            * The "local; not part of encoding" markers below separate fields
            * that are part of the encoding from bookkeeping kept only in
            * memory.  For a decoded message the encoded fields hold whatever
            * the sender put on the wire. */
   132     SECItem			contentType;
   133     NSSCMSContent		content;
   134     /* --------- local; not part of encoding --------- */
   135     SECOidData *		contentTypeTag;	
   137     /* additional info for encryptedData and envelopedData */
   138     /* we waste this space for signedData and digestedData. sue me. */
   140     SECAlgorithmID		contentEncAlg;
   141     SECItem *			rawContent;		/* encrypted DER, optional */
   142 							/* XXXX bytes not encrypted, but encoded? */
   143     /* --------- local; not part of encoding --------- */
           /* bulkkey refers to secret key material; this header does not state
            * who owns it or when it is released.  The unit of keysize (bits or
            * bytes) is not stated here either -- confirm in the creation code. */
   144     PK11SymKey *		bulkkey;		/* bulk encryption key */
   145     int				keysize;		/* size of bulk encryption key
   146 							 * (only used by creation code) */
   147     SECOidTag			contentEncAlgTag;	/* oid tag of encryption algorithm
   148 							 * (only used by creation code) */
   149     NSSCMSContentInfoPrivate	*privateInfo;		/* place for NSS private info */
   150     void		*reserved;			/* keep binary compatibility */
   151 };
   153 /* =============================================================================
   154  * MESSAGE
   155  */
   157 struct NSSCMSMessageStr {
           /* Top-level CMS message: the outer content info plus local state.
            * Per the comment near the top of this header, outside code should
            * only name NSSCMSMessage and should not reference these fields. */
   158     NSSCMSContentInfo	contentInfo;		/* "outer" cinfo */
   159     /* --------- local; not part of encoding --------- */
           /* poolp_is_ours presumably records whether this message owns poolp
            * and must release it -- confirm.  refCount is a plain int and no
            * lock is declared in this struct, so whether concurrent use of one
            * message is safe cannot be determined from this header. */
   160     PLArenaPool *	poolp;
   161     PRBool		poolp_is_ours;
   162     int			refCount;
   163     /* properties of the "inner" data */
   164     SECAlgorithmID **	detached_digestalgs;
   165     SECItem **		detached_digests;
           /* pwfn_arg and decrypt_key_cb_arg are opaque pointers stored with
            * the message; their lifetime must cover every use of the message
            * (presumably they are passed back to the password function and to
            * decrypt_key_cb respectively -- confirm). */
   166     void *		pwfn_arg;
   167     NSSCMSGetDecryptKeyCallback decrypt_key_cb;
   168     void *		decrypt_key_cb_arg;
   169 };
   171 /* ============================================================================
   172  * GENERIC WRAPPER
   173  * 
   174  * used for user defined types.
   175  */
   176 struct NSSCMSGenericWrapperDataStr {
           /* Common prefix of a user-defined content type.  Per the last
            * comment in this struct, wrapper-specific data follows these two
            * fields, so sizeof(NSSCMSGenericWrapperData) is not necessarily
            * the size of a concrete wrapper object; do not copy or allocate
            * wrappers by this size alone. */
   177     NSSCMSContentInfo	contentInfo;
   178     /* ---- local; not part of encoding ------ */
   179     NSSCMSMessage *	cmsg;
   180     /* wrapperspecific data starts here */
   181 };
   183 /* =============================================================================
   184  * SIGNEDDATA
   185  */
   187 struct NSSCMSSignedDataStr {
           /* SignedData content.  The fields above the "local" marker are part
            * of the encoding; in a decoded message they hold what the sender
            * supplied.  rawCerts and crls being present says nothing about
            * whether they are trusted (note the separate
            * NSSCMSVS_SigningCertNotTrusted status below in this header).
            * The pointer-to-pointer fields have no count field; presumably
            * they are NULL-terminated arrays -- confirm before iterating. */
   188     SECItem			version;
   189     SECAlgorithmID **		digestAlgorithms;
   190     NSSCMSContentInfo		contentInfo;
   191     SECItem **			rawCerts;
   192     CERTSignedCrl **		crls;
   193     NSSCMSSignerInfo **		signerInfos;
   194     /* --------- local; not part of encoding --------- */
   195     NSSCMSMessage *		cmsg;			/* back pointer to message */
   196     SECItem **			digests;
   197     CERTCertificate **		certs;
   198     CERTCertificateList **	certLists;
   199     CERTCertificate **          tempCerts;              /* temporary certs, needed
   200                                                          * for example for signature
   201                                                          * verification */
   202 };
   203 #define NSS_CMS_SIGNED_DATA_VERSION_BASIC	1	/* what we *create* */
   204 #define NSS_CMS_SIGNED_DATA_VERSION_EXT		3	/* what we *create* */
   206 typedef enum {
           /* Outcome of checking one signer.  NSSCMSVS_GoodSignature (1) is the
            * only value whose name indicates a successful check.
            * NSSCMSVS_Unverified is 0, so zero-filled storage reads as "not
            * verified", and every other non-zero value names a failure.
            * Callers should therefore compare against NSSCMSVS_GoodSignature
            * explicitly and never treat "non-zero" as success. */
   207     NSSCMSVS_Unverified = 0,
   208     NSSCMSVS_GoodSignature = 1,
   209     NSSCMSVS_BadSignature = 2,
   210     NSSCMSVS_DigestMismatch = 3,
   211     NSSCMSVS_SigningCertNotFound = 4,
   212     NSSCMSVS_SigningCertNotTrusted = 5,
   213     NSSCMSVS_SignatureAlgorithmUnknown = 6,
   214     NSSCMSVS_SignatureAlgorithmUnsupported = 7,
   215     NSSCMSVS_MalformedSignature = 8,
   216     NSSCMSVS_ProcessingError = 9
   217 } NSSCMSVerificationStatus;
   219 typedef enum {
           /* Tag type used by NSSCMSSignerIdentifierStr.identifierType; the
            * two values correspond by name to the union members issuerAndSN
            * and subjectKeyID. */
   220     NSSCMSSignerID_IssuerSN = 0,
   221     NSSCMSSignerID_SubjectKeyID = 1
   222 } NSSCMSSignerIDSelector;
   224 struct NSSCMSSignerIdentifierStr {
           /* Tagged union identifying a signer.  identifierType presumably
            * says which member of id is valid; both members are pointers
            * sharing storage, so reading the wrong one reinterprets the other
            * pointer.  Check identifierType before touching id. */
   225     NSSCMSSignerIDSelector identifierType;
   226     union {
   227 	CERTIssuerAndSN *issuerAndSN;
   228 	SECItem *subjectKeyID;
   229     } id;
   230 };
   232 struct NSSCMSSignerInfoStr {
           /* One signer of a SignedData.  Fields above the "local" marker are
            * part of the encoding (sender-supplied in a decoded message).
            * authAttr / unAuthAttr have no count field; presumably they are
            * NULL-terminated arrays -- confirm.
            * NOTE(review): the names suggest unAuthAttr is not covered by the
            * signature -- confirm before basing any decision on its content. */
   233     SECItem			version;
   234     NSSCMSSignerIdentifier	signerIdentifier;
   235     SECAlgorithmID		digestAlg;
   236     NSSCMSAttribute **		authAttr;
   237     SECAlgorithmID		digestEncAlg;
   238     SECItem			encDigest;
   239     NSSCMSAttribute **		unAuthAttr;
   240     /* --------- local; not part of encoding --------- */
   241     NSSCMSMessage *		cmsg;			/* back pointer to message */
   242     CERTCertificate *		cert;
   243     CERTCertificateList *	certList;
   244     PRTime			signingTime;
           /* verificationStatus uses NSSCMSVerificationStatus, whose zero value
            * is NSSCMSVS_Unverified.  signingKey is a private-key pointer; this
            * header does not state who owns or destroys it. */
   245     NSSCMSVerificationStatus	verificationStatus;
   246     SECKEYPrivateKey *          signingKey; /* Used if we're using subjKeyID*/
   247     SECKEYPublicKey *           pubKey;
   248 };
   249 #define NSS_CMS_SIGNER_INFO_VERSION_ISSUERSN	1	/* what we *create* */
   250 #define NSS_CMS_SIGNER_INFO_VERSION_SUBJKEY	3	/* what we *create* */
   252 typedef enum {
           /* Names suggest how much of a certificate chain is included: none,
            * the certificate only, the chain, or the chain including the root.
            * The exact behaviour of each mode is defined by the code that
            * consumes this enum, not by this header. */
   253     NSSCMSCM_None = 0,
   254     NSSCMSCM_CertOnly = 1,
   255     NSSCMSCM_CertChain = 2,
   256     NSSCMSCM_CertChainWithRoot = 3
   257 } NSSCMSCertChainMode;
   259 /* =============================================================================
   260  * ENVELOPED DATA
   261  */
   262 struct NSSCMSEnvelopedDataStr {
           /* EnvelopedData content.  Everything above the "local" marker is
            * part of the encoding.  originatorInfo is marked optional, so it
            * is presumably NULL when absent -- confirm before dereferencing.
            * recipientInfos and unprotectedAttr have no count field;
            * presumably NULL-terminated arrays -- confirm.
            * NOTE(review): unprotectedAttr is, by its name, not protected by
            * the envelope; treat its content as unauthenticated. */
   263     SECItem			version;
   264     NSSCMSOriginatorInfo *	originatorInfo;		/* optional */
   265     NSSCMSRecipientInfo **	recipientInfos;
   266     NSSCMSContentInfo		contentInfo;
   267     NSSCMSAttribute **		unprotectedAttr;
   268     /* --------- local; not part of encoding --------- */
   269     NSSCMSMessage *		cmsg;			/* back pointer to message */
   270 };
   271 #define NSS_CMS_ENVELOPED_DATA_VERSION_REG	0	/* what we *create* */
   272 #define NSS_CMS_ENVELOPED_DATA_VERSION_ADV	2	/* what we *create* */
   274 struct NSSCMSOriginatorInfoStr {
           /* Originator certificates and CRLs.  rawCerts and crls are part of
            * the encoding; certs is local state (presumably the decoded form
            * of rawCerts -- confirm).  No count fields are present. */
   275     SECItem **			rawCerts;
   276     CERTSignedCrl **		crls;
   277     /* --------- local; not part of encoding --------- */
   278     CERTCertificate **		certs;
   279 };
   281 /* -----------------------------------------------------------------------------
   282  * key transport recipient info
   283  */
   284 typedef enum {
           /* Tag type used by NSSCMSRecipientIdentifierStr.identifierType.
            * IssuerSN and SubjectKeyID correspond by name to members of that
            * struct's union; NSSCMSRecipientID_BrandNew has no matching member
            * and its meaning is not documented in this header. */
   285     NSSCMSRecipientID_IssuerSN = 0,
   286     NSSCMSRecipientID_SubjectKeyID = 1,
   287     NSSCMSRecipientID_BrandNew = 2
   288 } NSSCMSRecipientIDSelector;
   290 struct NSSCMSRecipientIdentifierStr {
           /* Tagged union identifying a key-transport recipient.
            * identifierType presumably selects the valid member of id.  The
            * selector enum has a third value (NSSCMSRecipientID_BrandNew) with
            * no member here, so code switching on identifierType needs a branch
            * that dereferences neither pointer. */
   291     NSSCMSRecipientIDSelector	identifierType;
   292     union {
   293 	CERTIssuerAndSN		*issuerAndSN;
   294 	SECItem 		*subjectKeyID;
   295     } id;
   296 };
   297 typedef struct NSSCMSRecipientIdentifierStr NSSCMSRecipientIdentifier;
   299 struct NSSCMSKeyTransRecipientInfoStr {
           /* Key-transport recipient: who the recipient is, the key-encryption
            * algorithm, and the encrypted key.  No "local" marker appears in
            * this struct.  Its size is relied upon by NSSCMSRecipientInfoStr
            * (see the size comment before that struct), so fields must not be
            * added here. */
   300     SECItem			version;
   301     NSSCMSRecipientIdentifier	recipientIdentifier;
   302     SECAlgorithmID		keyEncAlg;
   303     SECItem			encKey;
   304 };
   305 typedef struct NSSCMSKeyTransRecipientInfoStr NSSCMSKeyTransRecipientInfo;
   307 /*
   308  * View comments before NSSCMSRecipientInfoStr for purpose of this
   309  * structure.
   310  */
   311 struct NSSCMSKeyTransRecipientInfoExStr {
           /* recipientInfo is the first member, so this struct begins with the
            * same layout as NSSCMSKeyTransRecipientInfo; version and pubKey
            * follow it.  This header does not state who owns pubKey. */
   312     NSSCMSKeyTransRecipientInfo recipientInfo;
   313     int version;  /* version of this structure (0) */
   314     SECKEYPublicKey *pubKey;
   315 };
   317 typedef struct NSSCMSKeyTransRecipientInfoExStr NSSCMSKeyTransRecipientInfoEx;
   319 #define NSS_CMS_KEYTRANS_RECIPIENT_INFO_VERSION_ISSUERSN	0	/* what we *create* */
   320 #define NSS_CMS_KEYTRANS_RECIPIENT_INFO_VERSION_SUBJKEY		2	/* what we *create* */
   322 /* -----------------------------------------------------------------------------
   323  * key agreement recipient info
   324  */
   325 struct NSSCMSOriginatorPublicKeyStr {
           /* Originator public key with its algorithm.  The field comment
            * flags publicKey as a bit string.
            * NOTE(review): confirm whether its len counts bits or bytes before
            * using it as a buffer size. */
   326     SECAlgorithmID			algorithmIdentifier;
   327     SECItem				publicKey;			/* bit string! */
   328 };
   329 typedef struct NSSCMSOriginatorPublicKeyStr NSSCMSOriginatorPublicKey;
   331 typedef enum {
           /* Tag type used by NSSCMSOriginatorIdentifierOrKeyStr.identifierType;
            * the three values correspond by name to that struct's union
            * members. */
   332     NSSCMSOriginatorIDOrKey_IssuerSN = 0,
   333     NSSCMSOriginatorIDOrKey_SubjectKeyID = 1,
   334     NSSCMSOriginatorIDOrKey_OriginatorPublicKey = 2
   335 } NSSCMSOriginatorIDOrKeySelector;
   337 struct NSSCMSOriginatorIdentifierOrKeyStr {
           /* Tagged union naming the originator of a key agreement.
            * identifierType presumably selects the valid member of id.  Two
            * members are pointers while originatorPublicKey is stored by value,
            * so reading the wrong member reinterprets unrelated bytes; check
            * identifierType first. */
   338     NSSCMSOriginatorIDOrKeySelector identifierType;
   339     union {
   340 	CERTIssuerAndSN			*issuerAndSN;		/* static-static */
   341 	SECItem				*subjectKeyID;		/* static-static */
   342 	NSSCMSOriginatorPublicKey	originatorPublicKey;	/* ephemeral-static */
   343     } id;
   344 };
   345 typedef struct NSSCMSOriginatorIdentifierOrKeyStr NSSCMSOriginatorIdentifierOrKey;
   347 struct NSSCMSRecipientKeyIdentifierStr {
           /* Recipient key identifier.  date and other are marked optional and
            * are pointers, so they are presumably NULL when absent -- confirm
            * before dereferencing. */
   348     SECItem *				subjectKeyIdentifier;
   349     SECItem *				date;			/* optional */
   350     SECItem *				other;			/* optional */
   351 };
   352 typedef struct NSSCMSRecipientKeyIdentifierStr NSSCMSRecipientKeyIdentifier;
   354 typedef enum {
           /* Tag type used by NSSCMSKeyAgreeRecipientIdentifierStr.identifierType:
            * IssuerSN matches the issuerAndSN member, RKeyID presumably the
            * recipientKeyIdentifier member. */
   355     NSSCMSKeyAgreeRecipientID_IssuerSN = 0,
   356     NSSCMSKeyAgreeRecipientID_RKeyID = 1
   357 } NSSCMSKeyAgreeRecipientIDSelector;
   359 struct NSSCMSKeyAgreeRecipientIdentifierStr {
           /* Tagged union identifying a key-agreement recipient.  One member is
            * a pointer and the other a struct stored by value; identifierType
            * presumably says which is valid, so check it before reading id. */
   360     NSSCMSKeyAgreeRecipientIDSelector	identifierType;
   361     union {
   362 	CERTIssuerAndSN			*issuerAndSN;
   363 	NSSCMSRecipientKeyIdentifier	recipientKeyIdentifier;
   364     } id;
   365 };
   366 typedef struct NSSCMSKeyAgreeRecipientIdentifierStr NSSCMSKeyAgreeRecipientIdentifier;
   368 struct NSSCMSRecipientEncryptedKeyStr {
           /* Pairs one key-agreement recipient identifier with the encrypted
            * key stored for that recipient. */
   369     NSSCMSKeyAgreeRecipientIdentifier	recipientIdentifier;
   370     SECItem				encKey;
   371 };
   372 typedef struct NSSCMSRecipientEncryptedKeyStr NSSCMSRecipientEncryptedKey;
   374 struct NSSCMSKeyAgreeRecipientInfoStr {
           /* Key-agreement recipient info.  ukm is marked optional and is a
            * pointer, so it is presumably NULL when absent -- confirm.
            * recipientEncryptedKeys has no count field; presumably a
            * NULL-terminated array -- confirm before iterating. */
   375     SECItem				version;
   376     NSSCMSOriginatorIdentifierOrKey	originatorIdentifierOrKey;
   377     SECItem *				ukm;				/* optional */
   378     SECAlgorithmID			keyEncAlg;
   379     NSSCMSRecipientEncryptedKey **	recipientEncryptedKeys;
   380 };
   381 typedef struct NSSCMSKeyAgreeRecipientInfoStr NSSCMSKeyAgreeRecipientInfo;
   383 #define NSS_CMS_KEYAGREE_RECIPIENT_INFO_VERSION	3	/* what we *create* */
   385 /* -----------------------------------------------------------------------------
   386  * KEK recipient info
   387  */
   388 struct NSSCMSKEKIdentifierStr {
           /* Identifies a key-encryption key.  keyIdentifier is stored by
            * value; date and other are optional pointers, presumably NULL when
            * absent -- confirm before dereferencing. */
   389     SECItem			keyIdentifier;
   390     SECItem *			date;			/* optional */
   391     SECItem *			other;			/* optional */
   392 };
   393 typedef struct NSSCMSKEKIdentifierStr NSSCMSKEKIdentifier;
   395 struct NSSCMSKEKRecipientInfoStr {
           /* KEK recipient info: the KEK identifier, the key-encryption
            * algorithm and the encrypted key.  No "local" marker appears in
            * this struct. */
   396     SECItem			version;
   397     NSSCMSKEKIdentifier		kekIdentifier;
   398     SECAlgorithmID		keyEncAlg;
   399     SECItem			encKey;
   400 };
   401 typedef struct NSSCMSKEKRecipientInfoStr NSSCMSKEKRecipientInfo;
   403 #define NSS_CMS_KEK_RECIPIENT_INFO_VERSION	4	/* what we *create* */
   405 /* -----------------------------------------------------------------------------
   406  * recipient info
   407  */
   409 typedef enum {
           /* Tag type used by NSSCMSRecipientInfoStr.recipientInfoType.  There
            * is no separate value for the keyTransRecipientInfoEx member of
            * that struct's union; it shares storage with the plain
            * key-transport member. */
   410     NSSCMSRecipientInfoID_KeyTrans = 0,
   411     NSSCMSRecipientInfoID_KeyAgree = 1,
   412     NSSCMSRecipientInfoID_KEK = 2
   413 } NSSCMSRecipientInfoIDSelector;
   415 /*
   416  * In order to preserve backwards binary compatibility when implementing
   417  * creation of Recipient Info's that uses subjectKeyID in the 
   418  * keyTransRecipientInfo we need to stash a public key pointer in this
   419  * structure somewhere.  We figured out that NSSCMSKeyTransRecipientInfo
   420  * is the smallest member of the ri union.  We're in luck since that's
   421  * the very structure that would need to use the public key. So we created
   422  * a new structure NSSCMSKeyTransRecipientInfoEx which has a member 
   423  * NSSCMSKeyTransRecipientInfo as the first member followed by a version
   424  * and a public key pointer.  This way we can keep backwards compatibility
   425  * without changing the size of this structure.
   426  *
   427  * BTW, size of structure:
   428  * NSSCMSKeyTransRecipientInfo:  9 ints, 4 pointers
   429  * NSSCMSKeyAgreeRecipientInfo: 12 ints, 8 pointers
   430  * NSSCMSKEKRecipientInfo:      10 ints, 7 pointers
   431  *
   432  * The new structure:
   433  * NSSCMSKeyTransRecipientInfoEx: sizeof(NSSCMSKeyTransRecipientInfo) +
   434  *                                1 int, 1 pointer
   435  */
   437 struct NSSCMSRecipientInfoStr {
           /* One recipient of an EnvelopedData.  recipientInfoType presumably
            * selects the valid member of ri.  keyTransRecipientInfo and
            * keyTransRecipientInfoEx start with the same bytes, because the Ex
            * struct embeds the former as its first member.  The Ex-only fields
            * (version, pubKey) lie in storage that the key-agreement and KEK
            * members also occupy, so they are meaningful only for a
            * key-transport entry; reading pubKey from any other kind of entry
            * reinterprets unrelated data as a pointer. */
   438     NSSCMSRecipientInfoIDSelector recipientInfoType;
   439     union {
   440 	NSSCMSKeyTransRecipientInfo keyTransRecipientInfo;
   441 	NSSCMSKeyAgreeRecipientInfo keyAgreeRecipientInfo;
   442 	NSSCMSKEKRecipientInfo kekRecipientInfo;
   443 	NSSCMSKeyTransRecipientInfoEx keyTransRecipientInfoEx;
   444     } ri;
   445     /* --------- local; not part of encoding --------- */
   446     NSSCMSMessage *		cmsg;			/* back pointer to message */
   447     CERTCertificate *		cert;			/* recipient's certificate */
   448 };
   450 /* =============================================================================
   451  * DIGESTED DATA
   452  */
   453 struct NSSCMSDigestedDataStr {
           /* DigestedData content.  digest is part of the encoding (in a
            * decoded message it is the value the sender supplied); cdigest is
            * the locally calculated digest.
            * NOTE(review): presumably verification compares the two -- confirm
            * in the implementation; digest on its own proves nothing about the
            * content. */
   454     SECItem			version;
   455     SECAlgorithmID		digestAlg;
   456     NSSCMSContentInfo		contentInfo;
   457     SECItem			digest;
   458     /* --------- local; not part of encoding --------- */
   459     NSSCMSMessage *		cmsg;		/* back pointer */
   460     SECItem			cdigest;	/* calculated digest */
   461 };
   462 #define NSS_CMS_DIGESTED_DATA_VERSION_DATA	0	/* what we *create* */
   463 #define NSS_CMS_DIGESTED_DATA_VERSION_ENCAP	2	/* what we *create* */
   465 /* =============================================================================
   466  * ENCRYPTED DATA
   467  */
   468 struct NSSCMSEncryptedDataStr {
           /* EncryptedData content.  This struct lists no recipients; per the
            * NSSCMSGetDecryptKeyCallback comment earlier in this header, the key
            * for such content may have to come from that callback.
            * unprotectedAttr is optional (presumably NULL when absent --
            * confirm) and, by its name, is not protected by the encryption, so
            * treat its content as unauthenticated. */
   469     SECItem			version;
   470     NSSCMSContentInfo		contentInfo;
   471     NSSCMSAttribute **		unprotectedAttr;	/* optional */
   472     /* --------- local; not part of encoding --------- */
   473     NSSCMSMessage *		cmsg;		/* back pointer */
   474 };
   475 #define NSS_CMS_ENCRYPTED_DATA_VERSION		0	/* what we *create* */
   476 #define NSS_CMS_ENCRYPTED_DATA_VERSION_UPATTR	2	/* what we *create* */
   478 /*
   479  * *****************************************************************************
   480  * *****************************************************************************
   481  * *****************************************************************************
   482  */
   484 /*
   485  * See comment above about this type not really belonging to CMS.
   486  */
   487 struct NSSCMSAttributeStr {
           /* One attribute: a type and a list of values.  values has no count
            * field (presumably a NULL-terminated array -- confirm).  Whether
            * the value bytes are encoded is recorded in the local flag
            * `encoded`, so check it before parsing values[i] as raw data. */
   488     /* The following fields make up an encoded Attribute: */
   489     SECItem			type;
   490     SECItem **			values;	/* data may or may not be encoded */
   491     /* The following fields are not part of an encoded Attribute: */
   492     SECOidData *		typeTag;
   493     PRBool			encoded;	/* when true, values are encoded */
   494 };
   496 #endif /* _CMST_H_ */
