michael@0: /* This Source Code Form is subject to the terms of the Mozilla Public michael@0: * License, v. 2.0. If a copy of the MPL was not distributed with this michael@0: * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ michael@0: michael@0: /* michael@0: * Support routines for CMS implementation, none of which are exported. michael@0: * michael@0: * Do not export this file! If something in here is really needed outside michael@0: * of smime code, first try to add a CMS interface which will do it for michael@0: * you. If that has a problem, then just move out what you need, changing michael@0: * its name as appropriate! michael@0: */ michael@0: michael@0: #ifndef _CMSLOCAL_H_ michael@0: #define _CMSLOCAL_H_ michael@0: michael@0: #include "cms.h" michael@0: #include "cmsreclist.h" michael@0: #include "secasn1t.h" michael@0: michael@0: extern const SEC_ASN1Template NSSCMSContentInfoTemplate[]; michael@0: michael@0: struct NSSCMSContentInfoPrivateStr { michael@0: NSSCMSCipherContext *ciphcx; michael@0: NSSCMSDigestContext *digcx; michael@0: PRBool dontStream; michael@0: }; michael@0: michael@0: /************************************************************************/ michael@0: SEC_BEGIN_PROTOS michael@0: michael@0: /* michael@0: * private content Info stuff michael@0: */ michael@0: michael@0: /* initialize the private content info field. If this returns michael@0: * SECSuccess, the cinfo->private field is safe to dereference. michael@0: */ michael@0: SECStatus NSS_CMSContentInfo_Private_Init(NSSCMSContentInfo *cinfo); michael@0: michael@0: michael@0: /*********************************************************************** michael@0: * cmscipher.c - en/decryption routines michael@0: ***********************************************************************/ michael@0: michael@0: /* michael@0: * NSS_CMSCipherContext_StartDecrypt - create a cipher context to do decryption michael@0: * based on the given bulk * encryption key and algorithm identifier (which may include an iv). michael@0: */ michael@0: extern NSSCMSCipherContext * michael@0: NSS_CMSCipherContext_StartDecrypt(PK11SymKey *key, SECAlgorithmID *algid); michael@0: michael@0: /* michael@0: * NSS_CMSCipherContext_StartEncrypt - create a cipher object to do encryption, michael@0: * based on the given bulk encryption key and algorithm tag. Fill in the algorithm michael@0: * identifier (which may include an iv) appropriately. michael@0: */ michael@0: extern NSSCMSCipherContext * michael@0: NSS_CMSCipherContext_StartEncrypt(PLArenaPool *poolp, PK11SymKey *key, SECAlgorithmID *algid); michael@0: michael@0: extern void michael@0: NSS_CMSCipherContext_Destroy(NSSCMSCipherContext *cc); michael@0: michael@0: /* michael@0: * NSS_CMSCipherContext_DecryptLength - find the output length of the next call to decrypt. michael@0: * michael@0: * cc - the cipher context michael@0: * input_len - number of bytes used as input michael@0: * final - true if this is the final chunk of data michael@0: * michael@0: * Result can be used to perform memory allocations. Note that the amount michael@0: * is exactly accurate only when not doing a block cipher or when final michael@0: * is false, otherwise it is an upper bound on the amount because until michael@0: * we see the data we do not know how many padding bytes there are michael@0: * (always between 1 and bsize). michael@0: */ michael@0: extern unsigned int michael@0: NSS_CMSCipherContext_DecryptLength(NSSCMSCipherContext *cc, unsigned int input_len, PRBool final); michael@0: michael@0: /* michael@0: * NSS_CMSCipherContext_EncryptLength - find the output length of the next call to encrypt. michael@0: * michael@0: * cc - the cipher context michael@0: * input_len - number of bytes used as input michael@0: * final - true if this is the final chunk of data michael@0: * michael@0: * Result can be used to perform memory allocations. michael@0: */ michael@0: extern unsigned int michael@0: NSS_CMSCipherContext_EncryptLength(NSSCMSCipherContext *cc, unsigned int input_len, PRBool final); michael@0: michael@0: /* michael@0: * NSS_CMSCipherContext_Decrypt - do the decryption michael@0: * michael@0: * cc - the cipher context michael@0: * output - buffer for decrypted result bytes michael@0: * output_len_p - number of bytes in output michael@0: * max_output_len - upper bound on bytes to put into output michael@0: * input - pointer to input bytes michael@0: * input_len - number of input bytes michael@0: * final - true if this is the final chunk of data michael@0: * michael@0: * Decrypts a given length of input buffer (starting at "input" and michael@0: * containing "input_len" bytes), placing the decrypted bytes in michael@0: * "output" and storing the output length in "*output_len_p". michael@0: * "cc" is the return value from NSS_CMSCipher_StartDecrypt. michael@0: * When "final" is true, this is the last of the data to be decrypted. michael@0: */ michael@0: extern SECStatus michael@0: NSS_CMSCipherContext_Decrypt(NSSCMSCipherContext *cc, unsigned char *output, michael@0: unsigned int *output_len_p, unsigned int max_output_len, michael@0: const unsigned char *input, unsigned int input_len, michael@0: PRBool final); michael@0: michael@0: /* michael@0: * NSS_CMSCipherContext_Encrypt - do the encryption michael@0: * michael@0: * cc - the cipher context michael@0: * output - buffer for decrypted result bytes michael@0: * output_len_p - number of bytes in output michael@0: * max_output_len - upper bound on bytes to put into output michael@0: * input - pointer to input bytes michael@0: * input_len - number of input bytes michael@0: * final - true if this is the final chunk of data michael@0: * michael@0: * Encrypts a given length of input buffer (starting at "input" and michael@0: * containing "input_len" bytes), placing the encrypted bytes in michael@0: * "output" and storing the output length in "*output_len_p". michael@0: * "cc" is the return value from NSS_CMSCipher_StartEncrypt. michael@0: * When "final" is true, this is the last of the data to be encrypted. michael@0: */ michael@0: extern SECStatus michael@0: NSS_CMSCipherContext_Encrypt(NSSCMSCipherContext *cc, unsigned char *output, michael@0: unsigned int *output_len_p, unsigned int max_output_len, michael@0: const unsigned char *input, unsigned int input_len, michael@0: PRBool final); michael@0: michael@0: /************************************************************************ michael@0: * cmspubkey.c - public key operations michael@0: ************************************************************************/ michael@0: michael@0: /* michael@0: * NSS_CMSUtil_EncryptSymKey_RSA - wrap a symmetric key with RSA michael@0: * michael@0: * this function takes a symmetric key and encrypts it using an RSA public key michael@0: * according to PKCS#1 and RFC2633 (S/MIME) michael@0: */ michael@0: extern SECStatus michael@0: NSS_CMSUtil_EncryptSymKey_RSA(PLArenaPool *poolp, CERTCertificate *cert, michael@0: PK11SymKey *key, michael@0: SECItem *encKey); michael@0: michael@0: extern SECStatus michael@0: NSS_CMSUtil_EncryptSymKey_RSAPubKey(PLArenaPool *poolp, michael@0: SECKEYPublicKey *publickey, michael@0: PK11SymKey *bulkkey, SECItem *encKey); michael@0: michael@0: /* michael@0: * NSS_CMSUtil_DecryptSymKey_RSA - unwrap a RSA-wrapped symmetric key michael@0: * michael@0: * this function takes an RSA-wrapped symmetric key and unwraps it, returning a symmetric michael@0: * key handle. Please note that the actual unwrapped key data may not be allowed to leave michael@0: * a hardware token... michael@0: */ michael@0: extern PK11SymKey * michael@0: NSS_CMSUtil_DecryptSymKey_RSA(SECKEYPrivateKey *privkey, SECItem *encKey, SECOidTag bulkalgtag); michael@0: michael@0: extern SECStatus michael@0: NSS_CMSUtil_EncryptSymKey_ESDH(PLArenaPool *poolp, CERTCertificate *cert, PK11SymKey *key, michael@0: SECItem *encKey, SECItem **ukm, SECAlgorithmID *keyEncAlg, michael@0: SECItem *originatorPubKey); michael@0: michael@0: extern PK11SymKey * michael@0: NSS_CMSUtil_DecryptSymKey_ESDH(SECKEYPrivateKey *privkey, SECItem *encKey, michael@0: SECAlgorithmID *keyEncAlg, SECOidTag bulkalgtag, void *pwfn_arg); michael@0: michael@0: /************************************************************************ michael@0: * cmsreclist.c - recipient list stuff michael@0: ************************************************************************/ michael@0: extern NSSCMSRecipient **nss_cms_recipient_list_create(NSSCMSRecipientInfo **recipientinfos); michael@0: extern void nss_cms_recipient_list_destroy(NSSCMSRecipient **recipient_list); michael@0: extern NSSCMSRecipientEncryptedKey *NSS_CMSRecipientEncryptedKey_Create(PLArenaPool *poolp); michael@0: michael@0: /************************************************************************ michael@0: * cmsarray.c - misc array functions michael@0: ************************************************************************/ michael@0: /* michael@0: * NSS_CMSArray_Alloc - allocate an array in an arena michael@0: */ michael@0: extern void ** michael@0: NSS_CMSArray_Alloc(PLArenaPool *poolp, int n); michael@0: michael@0: /* michael@0: * NSS_CMSArray_Add - add an element to the end of an array michael@0: */ michael@0: extern SECStatus michael@0: NSS_CMSArray_Add(PLArenaPool *poolp, void ***array, void *obj); michael@0: michael@0: /* michael@0: * NSS_CMSArray_IsEmpty - check if array is empty michael@0: */ michael@0: extern PRBool michael@0: NSS_CMSArray_IsEmpty(void **array); michael@0: michael@0: /* michael@0: * NSS_CMSArray_Count - count number of elements in array michael@0: */ michael@0: extern int michael@0: NSS_CMSArray_Count(void **array); michael@0: michael@0: /* michael@0: * NSS_CMSArray_Sort - sort an array ascending, in place michael@0: * michael@0: * If "secondary" is not NULL, the same reordering gets applied to it. michael@0: * If "tertiary" is not NULL, the same reordering gets applied to it. michael@0: * "compare" is a function that returns michael@0: * < 0 when the first element is less than the second michael@0: * = 0 when the first element is equal to the second michael@0: * > 0 when the first element is greater than the second michael@0: */ michael@0: extern void michael@0: NSS_CMSArray_Sort(void **primary, int (*compare)(void *,void *), void **secondary, void **tertiary); michael@0: michael@0: /************************************************************************ michael@0: * cmsattr.c - misc attribute functions michael@0: ************************************************************************/ michael@0: /* michael@0: * NSS_CMSAttribute_Create - create an attribute michael@0: * michael@0: * if value is NULL, the attribute won't have a value. It can be added later michael@0: * with NSS_CMSAttribute_AddValue. michael@0: */ michael@0: extern NSSCMSAttribute * michael@0: NSS_CMSAttribute_Create(PLArenaPool *poolp, SECOidTag oidtag, SECItem *value, PRBool encoded); michael@0: michael@0: /* michael@0: * NSS_CMSAttribute_AddValue - add another value to an attribute michael@0: */ michael@0: extern SECStatus michael@0: NSS_CMSAttribute_AddValue(PLArenaPool *poolp, NSSCMSAttribute *attr, SECItem *value); michael@0: michael@0: /* michael@0: * NSS_CMSAttribute_GetType - return the OID tag michael@0: */ michael@0: extern SECOidTag michael@0: NSS_CMSAttribute_GetType(NSSCMSAttribute *attr); michael@0: michael@0: /* michael@0: * NSS_CMSAttribute_GetValue - return the first attribute value michael@0: * michael@0: * We do some sanity checking first: michael@0: * - Multiple values are *not* expected. michael@0: * - Empty values are *not* expected. michael@0: */ michael@0: extern SECItem * michael@0: NSS_CMSAttribute_GetValue(NSSCMSAttribute *attr); michael@0: michael@0: /* michael@0: * NSS_CMSAttribute_CompareValue - compare the attribute's first value against data michael@0: */ michael@0: extern PRBool michael@0: NSS_CMSAttribute_CompareValue(NSSCMSAttribute *attr, SECItem *av); michael@0: michael@0: /* michael@0: * NSS_CMSAttributeArray_Encode - encode an Attribute array as SET OF Attributes michael@0: * michael@0: * If you are wondering why this routine does not reorder the attributes michael@0: * first, and might be tempted to make it do so, see the comment by the michael@0: * call to ReorderAttributes in cmsencode.c. (Or, see who else calls this michael@0: * and think long and hard about the implications of making it always michael@0: * do the reordering.) michael@0: */ michael@0: extern SECItem * michael@0: NSS_CMSAttributeArray_Encode(PLArenaPool *poolp, NSSCMSAttribute ***attrs, SECItem *dest); michael@0: michael@0: /* michael@0: * NSS_CMSAttributeArray_Reorder - sort attribute array by attribute's DER encoding michael@0: * michael@0: * make sure that the order of the attributes guarantees valid DER (which must be michael@0: * in lexigraphically ascending order for a SET OF); if reordering is necessary it michael@0: * will be done in place (in attrs). michael@0: */ michael@0: extern SECStatus michael@0: NSS_CMSAttributeArray_Reorder(NSSCMSAttribute **attrs); michael@0: michael@0: /* michael@0: * NSS_CMSAttributeArray_FindAttrByOidTag - look through a set of attributes and michael@0: * find one that matches the specified object ID. michael@0: * michael@0: * If "only" is true, then make sure that there is not more than one attribute michael@0: * of the same type. Otherwise, just return the first one found. (XXX Does michael@0: * anybody really want that first-found behavior? It was like that when I found it...) michael@0: */ michael@0: extern NSSCMSAttribute * michael@0: NSS_CMSAttributeArray_FindAttrByOidTag(NSSCMSAttribute **attrs, SECOidTag oidtag, PRBool only); michael@0: michael@0: /* michael@0: * NSS_CMSAttributeArray_AddAttr - add an attribute to an michael@0: * array of attributes. michael@0: */ michael@0: extern SECStatus michael@0: NSS_CMSAttributeArray_AddAttr(PLArenaPool *poolp, NSSCMSAttribute ***attrs, NSSCMSAttribute *attr); michael@0: michael@0: /* michael@0: * NSS_CMSAttributeArray_SetAttr - set an attribute's value in a set of attributes michael@0: */ michael@0: extern SECStatus michael@0: NSS_CMSAttributeArray_SetAttr(PLArenaPool *poolp, NSSCMSAttribute ***attrs, SECOidTag type, SECItem *value, PRBool encoded); michael@0: michael@0: /* michael@0: * NSS_CMSSignedData_AddTempCertificate - add temporary certificate references. michael@0: * They may be needed for signature verification on the data, for example. michael@0: */ michael@0: extern SECStatus michael@0: NSS_CMSSignedData_AddTempCertificate(NSSCMSSignedData *sigd, CERTCertificate *cert); michael@0: michael@0: /* michael@0: * local function to handle compatibility issues michael@0: * by mapping a signature algorithm back to a digest. michael@0: */ michael@0: SECOidTag NSS_CMSUtil_MapSignAlgs(SECOidTag signAlg); michael@0: michael@0: michael@0: /************************************************************************/ michael@0: michael@0: /* michael@0: * local functions to handle user defined S/MIME content types michael@0: */ michael@0: michael@0: michael@0: PRBool NSS_CMSType_IsWrapper(SECOidTag type); michael@0: PRBool NSS_CMSType_IsData(SECOidTag type); michael@0: size_t NSS_CMSType_GetContentSize(SECOidTag type); michael@0: const SEC_ASN1Template * NSS_CMSType_GetTemplate(SECOidTag type); michael@0: michael@0: void NSS_CMSGenericWrapperData_Destroy(SECOidTag type, michael@0: NSSCMSGenericWrapperData *gd); michael@0: SECStatus NSS_CMSGenericWrapperData_Decode_BeforeData(SECOidTag type, michael@0: NSSCMSGenericWrapperData *gd); michael@0: SECStatus NSS_CMSGenericWrapperData_Decode_AfterData(SECOidTag type, michael@0: NSSCMSGenericWrapperData *gd); michael@0: SECStatus NSS_CMSGenericWrapperData_Decode_AfterEnd(SECOidTag type, michael@0: NSSCMSGenericWrapperData *gd); michael@0: SECStatus NSS_CMSGenericWrapperData_Encode_BeforeStart(SECOidTag type, michael@0: NSSCMSGenericWrapperData *gd); michael@0: SECStatus NSS_CMSGenericWrapperData_Encode_BeforeData(SECOidTag type, michael@0: NSSCMSGenericWrapperData *gd); michael@0: SECStatus NSS_CMSGenericWrapperData_Encode_AfterData(SECOidTag type, michael@0: NSSCMSGenericWrapperData *gd); michael@0: michael@0: SEC_END_PROTOS michael@0: michael@0: #endif /* _CMSLOCAL_H_ */