diff options
Diffstat (limited to 'nss/lib/smime')
29 files changed, 3996 insertions, 3858 deletions
diff --git a/nss/lib/smime/cms.h b/nss/lib/smime/cms.h index 5b1d7a0..244df48 100644 --- a/nss/lib/smime/cms.h +++ b/nss/lib/smime/cms.h @@ -35,9 +35,9 @@ SEC_BEGIN_PROTOS */ extern NSSCMSDecoderContext * NSS_CMSDecoder_Start(PLArenaPool *poolp, - NSSCMSContentCallback cb, void *cb_arg, - PK11PasswordFunc pwfn, void *pwfn_arg, - NSSCMSGetDecryptKeyCallback decrypt_key_cb, void *decrypt_key_cb_arg); + NSSCMSContentCallback cb, void *cb_arg, + PK11PasswordFunc pwfn, void *pwfn_arg, + NSSCMSGetDecryptKeyCallback decrypt_key_cb, void *decrypt_key_cb_arg); /* * NSS_CMSDecoder_Update - feed DER-encoded data to decoder @@ -62,9 +62,9 @@ NSS_CMSDecoder_Finish(NSSCMSDecoderContext *p7dcx); */ extern NSSCMSMessage * NSS_CMSMessage_CreateFromDER(SECItem *DERmessage, - NSSCMSContentCallback cb, void *cb_arg, - PK11PasswordFunc pwfn, void *pwfn_arg, - NSSCMSGetDecryptKeyCallback decrypt_key_cb, void *decrypt_key_cb_arg); + NSSCMSContentCallback cb, void *cb_arg, + PK11PasswordFunc pwfn, void *pwfn_arg, + NSSCMSGetDecryptKeyCallback decrypt_key_cb, void *decrypt_key_cb_arg); /************************************************************************ * cmsencode.c - CMS encoding @@ -84,11 +84,11 @@ NSS_CMSMessage_CreateFromDER(SECItem *DERmessage, */ extern NSSCMSEncoderContext * NSS_CMSEncoder_Start(NSSCMSMessage *cmsg, - NSSCMSContentCallback outputfn, void *outputarg, - SECItem *dest, PLArenaPool *destpoolp, - PK11PasswordFunc pwfn, void *pwfn_arg, - NSSCMSGetDecryptKeyCallback decrypt_key_cb, void *decrypt_key_cb_arg, - SECAlgorithmID **detached_digestalgs, SECItem **detached_digests); + NSSCMSContentCallback outputfn, void *outputarg, + SECItem *dest, PLArenaPool *destpoolp, + PK11PasswordFunc pwfn, void *pwfn_arg, + NSSCMSGetDecryptKeyCallback decrypt_key_cb, void *decrypt_key_cb_arg, + SECAlgorithmID **detached_digestalgs, SECItem **detached_digests); /* * NSS_CMSEncoder_Update - take content data delivery from the user @@ -138,9 +138,9 @@ NSS_CMSMessage_Create(PLArenaPool *poolp); */ extern void NSS_CMSMessage_SetEncodingParams(NSSCMSMessage *cmsg, - PK11PasswordFunc pwfn, void *pwfn_arg, - NSSCMSGetDecryptKeyCallback decrypt_key_cb, void *decrypt_key_cb_arg, - SECAlgorithmID **detached_digestalgs, SECItem **detached_digests); + PK11PasswordFunc pwfn, void *pwfn_arg, + NSSCMSGetDecryptKeyCallback decrypt_key_cb, void *decrypt_key_cb_arg, + SECAlgorithmID **detached_digestalgs, SECItem **detached_digests); /* * NSS_CMSMessage_Destroy - destroy a CMS message and all of its sub-pieces. @@ -149,7 +149,7 @@ extern void NSS_CMSMessage_Destroy(NSSCMSMessage *cmsg); /* - * NSS_CMSMessage_Copy - return a copy of the given message. + * NSS_CMSMessage_Copy - return a copy of the given message. * * The copy may be virtual or may be real -- either way, the result needs * to be passed to NSS_CMSMessage_Destroy later (as does the original). @@ -170,7 +170,7 @@ extern NSSCMSContentInfo * NSS_CMSMessage_GetContentInfo(NSSCMSMessage *cmsg); /* - * Return a pointer to the actual content. + * Return a pointer to the actual content. * In the case of those types which are encrypted, this returns the *plain* content. * In case of nested contentInfos, this descends and retrieves the innermost content. */ @@ -275,7 +275,6 @@ NSS_CMSContentInfo_SetContent_EncryptedData(NSSCMSMessage *cmsg, NSSCMSContentIn extern SECStatus NSS_CMSContentInfo_SetDontStream(NSSCMSContentInfo *cinfo, PRBool dontStream); - /* * NSS_CMSContentInfo_GetContent - get pointer to inner content * @@ -284,7 +283,7 @@ NSS_CMSContentInfo_SetDontStream(NSSCMSContentInfo *cinfo, PRBool dontStream); extern void * NSS_CMSContentInfo_GetContent(NSSCMSContentInfo *cinfo); -/* +/* * NSS_CMSContentInfo_GetInnerContent - get pointer to innermost content * * this is typically only called by NSS_CMSMessage_GetContent() @@ -317,11 +316,11 @@ NSS_CMSContentInfo_GetContentEncAlg(NSSCMSContentInfo *cinfo); extern SECStatus NSS_CMSContentInfo_SetContentEncAlg(PLArenaPool *poolp, NSSCMSContentInfo *cinfo, - SECOidTag bulkalgtag, SECItem *parameters, int keysize); + SECOidTag bulkalgtag, SECItem *parameters, int keysize); extern SECStatus NSS_CMSContentInfo_SetContentEncAlgID(PLArenaPool *poolp, NSSCMSContentInfo *cinfo, - SECAlgorithmID *algid, int keysize); + SECAlgorithmID *algid, int keysize); extern void NSS_CMSContentInfo_SetBulkKey(NSSCMSContentInfo *cinfo, PK11SymKey *bulkkey); @@ -354,28 +353,28 @@ extern int NSS_CMSUtil_DERCompare(void *a, void *b); /* - * NSS_CMSAlgArray_GetIndexByAlgID - find a specific algorithm in an array of + * NSS_CMSAlgArray_GetIndexByAlgID - find a specific algorithm in an array of * algorithms. * * algorithmArray - array of algorithm IDs * algid - algorithmid of algorithm to pick * * Returns: - * An integer containing the index of the algorithm in the array or -1 if + * An integer containing the index of the algorithm in the array or -1 if * algorithm was not found. */ extern int NSS_CMSAlgArray_GetIndexByAlgID(SECAlgorithmID **algorithmArray, SECAlgorithmID *algid); /* - * NSS_CMSAlgArray_GetIndexByAlgID - find a specific algorithm in an array of + * NSS_CMSAlgArray_GetIndexByAlgID - find a specific algorithm in an array of * algorithms. * * algorithmArray - array of algorithm IDs * algiddata - id of algorithm to pick * * Returns: - * An integer containing the index of the algorithm in the array or -1 if + * An integer containing the index of the algorithm in the array or -1 if * algorithm was not found. */ extern int @@ -453,7 +452,7 @@ NSS_CMSSignedData_Decode_AfterData(NSSCMSSignedData *sigd); extern SECStatus NSS_CMSSignedData_Decode_AfterEnd(NSSCMSSignedData *sigd); -/* +/* * NSS_CMSSignedData_GetSignerInfos - retrieve the SignedData's signer list */ extern NSSCMSSignerInfo ** @@ -465,7 +464,7 @@ NSS_CMSSignedData_SignerInfoCount(NSSCMSSignedData *sigd); extern NSSCMSSignerInfo * NSS_CMSSignedData_GetSignerInfo(NSSCMSSignedData *sigd, int i); -/* +/* * NSS_CMSSignedData_GetDigestAlgs - retrieve the SignedData's digest algorithm list */ extern SECAlgorithmID ** @@ -477,7 +476,7 @@ NSS_CMSSignedData_GetDigestAlgs(NSSCMSSignedData *sigd); extern NSSCMSContentInfo * NSS_CMSSignedData_GetContentInfo(NSSCMSSignedData *sigd); -/* +/* * NSS_CMSSignedData_GetCertificateList - retrieve the SignedData's certificate list */ extern SECItem ** @@ -485,7 +484,7 @@ NSS_CMSSignedData_GetCertificateList(NSSCMSSignedData *sigd); extern SECStatus NSS_CMSSignedData_ImportCerts(NSSCMSSignedData *sigd, CERTCertDBHandle *certdb, - SECCertUsage certusage, PRBool keepcerts); + SECCertUsage certusage, PRBool keepcerts); /* * NSS_CMSSignedData_HasDigests - see if we have digests in place @@ -504,21 +503,21 @@ NSS_CMSSignedData_HasDigests(NSSCMSSignedData *sigd); */ extern SECStatus NSS_CMSSignedData_VerifySignerInfo(NSSCMSSignedData *sigd, int i, CERTCertDBHandle *certdb, - SECCertUsage certusage); + SECCertUsage certusage); /* * NSS_CMSSignedData_VerifyCertsOnly - verify the certs in a certs-only message */ extern SECStatus -NSS_CMSSignedData_VerifyCertsOnly(NSSCMSSignedData *sigd, - CERTCertDBHandle *certdb, +NSS_CMSSignedData_VerifyCertsOnly(NSSCMSSignedData *sigd, + CERTCertDBHandle *certdb, SECCertUsage usage); extern SECStatus NSS_CMSSignedData_AddCertList(NSSCMSSignedData *sigd, CERTCertificateList *certlist); /* - * NSS_CMSSignedData_AddCertChain - add cert and its entire chain to the set of certs + * NSS_CMSSignedData_AddCertChain - add cert and its entire chain to the set of certs */ extern SECStatus NSS_CMSSignedData_AddCertChain(NSSCMSSignedData *sigd, CERTCertificate *cert); @@ -531,23 +530,23 @@ NSS_CMSSignedData_ContainsCertsOrCrls(NSSCMSSignedData *sigd); extern SECStatus NSS_CMSSignedData_AddSignerInfo(NSSCMSSignedData *sigd, - NSSCMSSignerInfo *signerinfo); + NSSCMSSignerInfo *signerinfo); extern SECStatus NSS_CMSSignedData_SetDigests(NSSCMSSignedData *sigd, - SECAlgorithmID **digestalgs, - SECItem **digests); + SECAlgorithmID **digestalgs, + SECItem **digests); extern SECStatus NSS_CMSSignedData_SetDigestValue(NSSCMSSignedData *sigd, - SECOidTag digestalgtag, - SECItem *digestdata); + SECOidTag digestalgtag, + SECItem *digestdata); extern SECStatus NSS_CMSSignedData_AddDigest(PLArenaPool *poolp, - NSSCMSSignedData *sigd, - SECOidTag digestalgtag, - SECItem *digest); + NSSCMSSignedData *sigd, + SECOidTag digestalgtag, + SECItem *digest); extern SECItem * NSS_CMSSignedData_GetDigestValue(NSSCMSSignedData *sigd, SECOidTag digestalgtag); @@ -589,7 +588,7 @@ NSS_CMSSignerInfo_Sign(NSSCMSSignerInfo *signerinfo, SECItem *digest, SECItem *c extern SECStatus NSS_CMSSignerInfo_VerifyCertificate(NSSCMSSignerInfo *signerinfo, CERTCertDBHandle *certdb, - SECCertUsage certusage); + SECCertUsage certusage); /* * NSS_CMSSignerInfo_Verify - verify the signature of a single SignerInfo @@ -617,7 +616,7 @@ NSS_CMSSignerInfo_GetCertList(NSSCMSSignerInfo *signerinfo); /* * NSS_CMSSignerInfo_GetSigningTime - return the signing time, - * in UTCTime format, of a CMS signerInfo. + * in UTCTime format, of a CMS signerInfo. * * sinfo - signerInfo data for this signer * @@ -659,21 +658,21 @@ NSS_CMSSignerInfo_GetSignerEmailAddress(NSSCMSSignerInfo *sinfo); /* * NSS_CMSSignerInfo_AddAuthAttr - add an attribute to the - * authenticated (i.e. signed) attributes of "signerinfo". + * authenticated (i.e. signed) attributes of "signerinfo". */ extern SECStatus NSS_CMSSignerInfo_AddAuthAttr(NSSCMSSignerInfo *signerinfo, NSSCMSAttribute *attr); /* * NSS_CMSSignerInfo_AddUnauthAttr - add an attribute to the - * unauthenticated attributes of "signerinfo". + * unauthenticated attributes of "signerinfo". */ extern SECStatus NSS_CMSSignerInfo_AddUnauthAttr(NSSCMSSignerInfo *signerinfo, NSSCMSAttribute *attr); -/* +/* * NSS_CMSSignerInfo_AddSigningTime - add the signing time to the - * authenticated (i.e. signed) attributes of "signerinfo". + * authenticated (i.e. signed) attributes of "signerinfo". * * This is expected to be included in outgoing signed * messages for email (S/MIME) but is likely useful in other situations. @@ -716,12 +715,12 @@ NSS_CMSSignerInfo_AddSMIMEEncKeyPrefs(NSSCMSSignerInfo *signerinfo, CERTCertific SECStatus NSS_CMSSignerInfo_AddMSSMIMEEncKeyPrefs(NSSCMSSignerInfo *signerinfo, CERTCertificate *cert, CERTCertDBHandle *certdb); -/* +/* * NSS_CMSSignerInfo_AddCounterSignature - countersign a signerinfo */ extern SECStatus NSS_CMSSignerInfo_AddCounterSignature(NSSCMSSignerInfo *signerinfo, - SECOidTag digestalg, CERTCertificate signingcert); + SECOidTag digestalg, CERTCertificate signingcert); /* * XXXX the following needs to be done in the S/MIME layer code @@ -794,7 +793,7 @@ extern SECStatus NSS_CMSEnvelopedData_Encode_AfterData(NSSCMSEnvelopedData *envd); /* - * NSS_CMSEnvelopedData_Decode_BeforeData - find our recipientinfo, + * NSS_CMSEnvelopedData_Decode_BeforeData - find our recipientinfo, * derive bulk key & set up our contentinfo */ extern SECStatus @@ -812,7 +811,6 @@ NSS_CMSEnvelopedData_Decode_AfterData(NSSCMSEnvelopedData *envd); extern SECStatus NSS_CMSEnvelopedData_Decode_AfterEnd(NSSCMSEnvelopedData *envd); - /************************************************************************ * cmsrecinfo.c - CMS recipientInfo methods ************************************************************************/ @@ -827,42 +825,43 @@ extern NSSCMSRecipientInfo * NSS_CMSRecipientInfo_Create(NSSCMSMessage *cmsg, CERTCertificate *cert); extern NSSCMSRecipientInfo * -NSS_CMSRecipientInfo_CreateWithSubjKeyID(NSSCMSMessage *cmsg, - SECItem *subjKeyID, +NSS_CMSRecipientInfo_CreateWithSubjKeyID(NSSCMSMessage *cmsg, + SECItem *subjKeyID, SECKEYPublicKey *pubKey); extern NSSCMSRecipientInfo * -NSS_CMSRecipientInfo_CreateWithSubjKeyIDFromCert(NSSCMSMessage *cmsg, +NSS_CMSRecipientInfo_CreateWithSubjKeyIDFromCert(NSSCMSMessage *cmsg, CERTCertificate *cert); /* - * NSS_CMSRecipientInfo_CreateNew - create a blank recipientinfo for + * NSS_CMSRecipientInfo_CreateNew - create a blank recipientinfo for * applications which want to encode their own CMS structures and * key exchange types. */ extern NSSCMSRecipientInfo * -NSS_CMSRecipientInfo_CreateNew(void* pwfn_arg); +NSS_CMSRecipientInfo_CreateNew(void *pwfn_arg); /* * NSS_CMSRecipientInfo_CreateFromDER - create a recipientinfo from partially - * decoded DER data for applications which want to encode their own CMS + * decoded DER data for applications which want to encode their own CMS * structures and key exchange types. */ extern NSSCMSRecipientInfo * -NSS_CMSRecipientInfo_CreateFromDER(SECItem* input, void* pwfn_arg); +NSS_CMSRecipientInfo_CreateFromDER(SECItem *input, void *pwfn_arg); extern void NSS_CMSRecipientInfo_Destroy(NSSCMSRecipientInfo *ri); /* * NSS_CMSRecipientInfo_GetCertAndKey - retrieve the cert and key from the - * recipientInfo struct. If retcert or retkey are NULL, the cert or - * key (respectively) would not be returned). This function is a no-op if both + * recipientInfo struct. If retcert or retkey are NULL, the cert or + * key (respectively) would not be returned). This function is a no-op if both * retcert and retkey are NULL. Caller inherits ownership of the cert and key * he requested (and is responsible to free them). */ SECStatus NSS_CMSRecipientInfo_GetCertAndKey(NSSCMSRecipientInfo *ri, - CERTCertificate** retcert, SECKEYPrivateKey** retkey); + CERTCertificate **retcert, + SECKEYPrivateKey **retkey); extern int NSS_CMSRecipientInfo_GetVersion(NSSCMSRecipientInfo *ri); @@ -873,19 +872,21 @@ NSS_CMSRecipientInfo_GetEncryptedKey(NSSCMSRecipientInfo *ri, int subIndex); /* * NSS_CMSRecipientInfo_Encode - encode an NSS_CMSRecipientInfo as ASN.1 */ -SECStatus NSS_CMSRecipientInfo_Encode(PLArenaPool* poolp, +SECStatus NSS_CMSRecipientInfo_Encode(PLArenaPool *poolp, const NSSCMSRecipientInfo *src, - SECItem* returned); + SECItem *returned); extern SECOidTag NSS_CMSRecipientInfo_GetKeyEncryptionAlgorithmTag(NSSCMSRecipientInfo *ri); extern SECStatus -NSS_CMSRecipientInfo_WrapBulkKey(NSSCMSRecipientInfo *ri, PK11SymKey *bulkkey, SECOidTag bulkalgtag); +NSS_CMSRecipientInfo_WrapBulkKey(NSSCMSRecipientInfo *ri, PK11SymKey *bulkkey, + SECOidTag bulkalgtag); extern PK11SymKey * NSS_CMSRecipientInfo_UnwrapBulkKey(NSSCMSRecipientInfo *ri, int subIndex, - CERTCertificate *cert, SECKEYPrivateKey *privkey, SECOidTag bulkalgtag); + CERTCertificate *cert, SECKEYPrivateKey *privkey, + SECOidTag bulkalgtag); /************************************************************************ * cmsencdata.c - CMS encryptedData methods @@ -895,7 +896,7 @@ NSS_CMSRecipientInfo_UnwrapBulkKey(NSSCMSRecipientInfo *ri, int subIndex, * * "algorithm" specifies the bulk encryption algorithm to use. * "keysize" is the key size. - * + * * An error results in a return value of NULL and an error set. * (Retrieve specific errors via PORT_GetError()/XP_GetError().) */ @@ -1076,7 +1077,7 @@ NSS_CMSDigestContext_Cancel(NSSCMSDigestContext *cmsdigcx); */ extern SECStatus NSS_CMSDigestContext_FinishMultiple(NSSCMSDigestContext *cmsdigcx, PLArenaPool *poolp, - SECItem ***digestsp); + SECItem ***digestsp); /* * NSS_CMSDigestContext_FinishSingle - same as NSS_CMSDigestContext_FinishMultiple, @@ -1084,10 +1085,10 @@ NSS_CMSDigestContext_FinishMultiple(NSSCMSDigestContext *cmsdigcx, PLArenaPool * */ extern SECStatus NSS_CMSDigestContext_FinishSingle(NSSCMSDigestContext *cmsdigcx, PLArenaPool *poolp, - SECItem *digest); + SECItem *digest); /************************************************************************ - * + * ************************************************************************/ /* shortcuts for basic use */ @@ -1098,12 +1099,11 @@ NSS_CMSDigestContext_FinishSingle(NSSCMSDigestContext *cmsdigcx, PLArenaPool *po * stored in arena's pool. */ extern SECStatus -NSS_CMSDEREncode(NSSCMSMessage *cmsg, SECItem *input, SECItem *derOut, +NSS_CMSDEREncode(NSSCMSMessage *cmsg, SECItem *input, SECItem *derOut, PLArenaPool *arena); - /************************************************************************ - * + * ************************************************************************/ /* @@ -1116,36 +1116,36 @@ NSS_CMSDEREncode(NSSCMSMessage *cmsg, SECItem *input, SECItem *derOut, * This function allows you to register new content types. There are basically * Two different types of content, Wrappping content, and Data. * - * For data types, All the functions below can be zero or NULL excext + * For data types, All the functions below can be zero or NULL excext * type and is isData, which should be your oid tag and PR_FALSE respectively * * For wrapping types, everything must be provided, or you will get encoder * failures. * - * If NSS doesn't already define the OID that you need, you can register + * If NSS doesn't already define the OID that you need, you can register * your own with SECOID_AddEntry. - * + * * Once you have defined your new content type, you can pass your new content * type to NSS_CMSContentInfo_SetContent(). - * - * If you are using a wrapping type you can pass your own data structure in - * the ptr field, but it must contain and embedded NSSCMSGenericWrappingData - * structure as the first element. The size you pass to - * NSS_CMSType_RegisterContentType is the total size of your self defined - * data structure. NSS_CMSContentInfo_GetContent will return that data - * structure from the content info. Your ASN1Template will be evaluated + * + * If you are using a wrapping type you can pass your own data structure in + * the ptr field, but it must contain and embedded NSSCMSGenericWrappingData + * structure as the first element. The size you pass to + * NSS_CMSType_RegisterContentType is the total size of your self defined + * data structure. NSS_CMSContentInfo_GetContent will return that data + * structure from the content info. Your ASN1Template will be evaluated * against that data structure. */ SECStatus NSS_CMSType_RegisterContentType(SECOidTag type, - SEC_ASN1Template *asn1Template, size_t size, - NSSCMSGenericWrapperDataDestroy destroy, - NSSCMSGenericWrapperDataCallback decode_before, - NSSCMSGenericWrapperDataCallback decode_after, - NSSCMSGenericWrapperDataCallback decode_end, - NSSCMSGenericWrapperDataCallback encode_start, - NSSCMSGenericWrapperDataCallback encode_before, - NSSCMSGenericWrapperDataCallback encode_after, - PRBool isData); + SEC_ASN1Template *asn1Template, size_t size, + NSSCMSGenericWrapperDataDestroy destroy, + NSSCMSGenericWrapperDataCallback decode_before, + NSSCMSGenericWrapperDataCallback decode_after, + NSSCMSGenericWrapperDataCallback decode_end, + NSSCMSGenericWrapperDataCallback encode_start, + NSSCMSGenericWrapperDataCallback encode_before, + NSSCMSGenericWrapperDataCallback encode_after, + PRBool isData); /************************************************************************/ SEC_END_PROTOS diff --git a/nss/lib/smime/cmsarray.c b/nss/lib/smime/cmsarray.c index 9ac5c57..6665d12 100644 --- a/nss/lib/smime/cmsarray.c +++ b/nss/lib/smime/cmsarray.c @@ -46,26 +46,27 @@ NSS_CMSArray_Add(PLArenaPool *poolp, void ***array, void *obj) PORT_Assert(array != NULL); if (array == NULL) - return SECFailure; + return SECFailure; if (*array == NULL) { - dest = (void **)PORT_ArenaAlloc(poolp, 2 * sizeof(void *)); - n = 0; + dest = (void **)PORT_ArenaAlloc(poolp, 2 * sizeof(void *)); + n = 0; } else { - n = 0; p = *array; - while (*p++) - n++; - dest = (void **)PORT_ArenaGrow (poolp, - *array, - (n + 1) * sizeof(void *), - (n + 2) * sizeof(void *)); + n = 0; + p = *array; + while (*p++) + n++; + dest = (void **)PORT_ArenaGrow(poolp, + *array, + (n + 1) * sizeof(void *), + (n + 2) * sizeof(void *)); } if (dest == NULL) - return SECFailure; + return SECFailure; dest[n] = obj; - dest[n+1] = NULL; + dest[n + 1] = NULL; *array = dest; return SECSuccess; } @@ -88,10 +89,10 @@ NSS_CMSArray_Count(void **array) int n = 0; if (array == NULL) - return 0; + return 0; while (*array++ != NULL) - n++; + n++; return n; } @@ -102,14 +103,14 @@ NSS_CMSArray_Count(void **array) * If "secondary" or "tertiary are not NULL, it must be arrays with the same * number of elements as "primary". The same reordering will get applied to it. * - * "compare" is a function that returns + * "compare" is a function that returns * < 0 when the first element is less than the second * = 0 when the first element is equal to the second * > 0 when the first element is greater than the second * to acheive ascending ordering. */ void -NSS_CMSArray_Sort(void **primary, int (*compare)(void *,void *), void **secondary, void **tertiary) +NSS_CMSArray_Sort(void **primary, int (*compare)(void *, void *), void **secondary, void **tertiary) { int n, i, limit, lastxchg; void *tmp; @@ -118,36 +119,36 @@ NSS_CMSArray_Sort(void **primary, int (*compare)(void *,void *), void **secondar PORT_Assert(secondary == NULL || NSS_CMSArray_Count(secondary) == n); PORT_Assert(tertiary == NULL || NSS_CMSArray_Count(tertiary) == n); - - if (n <= 1) /* ordering is fine */ - return; - + + if (n <= 1) /* ordering is fine */ + return; + /* yes, ladies and gentlemen, it's BUBBLE SORT TIME! */ limit = n - 1; while (1) { - lastxchg = 0; - for (i = 0; i < limit; i++) { - if ((*compare)(primary[i], primary[i+1]) > 0) { - /* exchange the neighbours */ - tmp = primary[i+1]; - primary[i+1] = primary[i]; - primary[i] = tmp; - if (secondary) { /* secondary array? */ - tmp = secondary[i+1]; /* exchange there as well */ - secondary[i+1] = secondary[i]; - secondary[i] = tmp; - } - if (tertiary) { /* tertiary array? */ - tmp = tertiary[i+1]; /* exchange there as well */ - tertiary[i+1] = tertiary[i]; - tertiary[i] = tmp; - } - lastxchg = i+1; /* index of the last element bubbled up */ - } - } - if (lastxchg == 0) /* no exchanges, so array is sorted */ - break; /* we're done */ - limit = lastxchg; /* array is sorted up to [limit] */ + lastxchg = 0; + for (i = 0; i < limit; i++) { + if ((*compare)(primary[i], primary[i + 1]) > 0) { + /* exchange the neighbours */ + tmp = primary[i + 1]; + primary[i + 1] = primary[i]; + primary[i] = tmp; + if (secondary) { /* secondary array? */ + tmp = secondary[i + 1]; /* exchange there as well */ + secondary[i + 1] = secondary[i]; + secondary[i] = tmp; + } + if (tertiary) { /* tertiary array? */ + tmp = tertiary[i + 1]; /* exchange there as well */ + tertiary[i + 1] = tertiary[i]; + tertiary[i] = tmp; + } + lastxchg = i + 1; /* index of the last element bubbled up */ + } + } + if (lastxchg == 0) /* no exchanges, so array is sorted */ + break; /* we're done */ + limit = lastxchg; /* array is sorted up to [limit] */ } } @@ -162,7 +163,7 @@ NSSCMSArrayIterator NSS_CMSArray_First(void **array) { if (array == NULL || array[0] == NULL) - return NULL; + return NULL; return (NSSCMSArrayIterator)&(array[0]); } @@ -171,7 +172,7 @@ NSS_CMSArray_Obj(NSSCMSArrayIterator iter) { void **p = (void **)iter; - return *iter; /* which is NULL if we are at the end of the array */ + return *iter; /* which is NULL if we are at the end of the array */ } NSSCMSArrayIterator diff --git a/nss/lib/smime/cmsasn1.c b/nss/lib/smime/cmsasn1.c index b09a2e1..15cf08f 100644 --- a/nss/lib/smime/cmsasn1.c +++ b/nss/lib/smime/cmsasn1.c @@ -16,7 +16,6 @@ #include "prtime.h" #include "secerr.h" - extern const SEC_ASN1Template nss_cms_set_of_attribute_template[]; SEC_ASN1_MKSUB(CERT_IssuerAndSNTemplate) @@ -36,18 +35,17 @@ SEC_ASN1_MKSUB(SEC_SetOfAnyTemplate) static const SEC_ASN1Template * nss_cms_choose_content_template(void *src_or_dest, PRBool encoding); -static const SEC_ASN1TemplateChooserPtr nss_cms_chooser - = nss_cms_choose_content_template; +static const SEC_ASN1TemplateChooserPtr nss_cms_chooser = nss_cms_choose_content_template; const SEC_ASN1Template NSSCMSMessageTemplate[] = { { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM, - 0, NULL, sizeof(NSSCMSMessage) }, + 0, NULL, sizeof(NSSCMSMessage) }, { SEC_ASN1_OBJECT_ID, - offsetof(NSSCMSMessage,contentInfo.contentType) }, - { SEC_ASN1_OPTIONAL | SEC_ASN1_DYNAMIC | SEC_ASN1_MAY_STREAM - | SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0, - offsetof(NSSCMSMessage,contentInfo.content), - &nss_cms_chooser }, + offsetof(NSSCMSMessage, contentInfo.contentType) }, + { SEC_ASN1_OPTIONAL | SEC_ASN1_DYNAMIC | SEC_ASN1_MAY_STREAM | + SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0, + offsetof(NSSCMSMessage, contentInfo.content), + &nss_cms_chooser }, { 0 } }; @@ -57,28 +55,28 @@ const SEC_ASN1Template NSSCMSMessageTemplate[] = { */ static const SEC_ASN1Template NSSCMSEncapsulatedContentInfoTemplate[] = { { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM, - 0, NULL, sizeof(NSSCMSContentInfo) }, + 0, NULL, sizeof(NSSCMSContentInfo) }, { SEC_ASN1_OBJECT_ID, - offsetof(NSSCMSContentInfo,contentType) }, + offsetof(NSSCMSContentInfo, contentType) }, { SEC_ASN1_OPTIONAL | SEC_ASN1_EXPLICIT | SEC_ASN1_MAY_STREAM | - SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, - offsetof(NSSCMSContentInfo,rawContent), - SEC_ASN1_SUB(SEC_PointerToOctetStringTemplate) }, + SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, + offsetof(NSSCMSContentInfo, rawContent), + SEC_ASN1_SUB(SEC_PointerToOctetStringTemplate) }, { 0 } }; static const SEC_ASN1Template NSSCMSEncryptedContentInfoTemplate[] = { { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM, - 0, NULL, sizeof(NSSCMSContentInfo) }, + 0, NULL, sizeof(NSSCMSContentInfo) }, { SEC_ASN1_OBJECT_ID, - offsetof(NSSCMSContentInfo,contentType) }, + offsetof(NSSCMSContentInfo, contentType) }, { SEC_ASN1_INLINE | SEC_ASN1_XTRN, - offsetof(NSSCMSContentInfo,contentEncAlg), - SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, - { SEC_ASN1_OPTIONAL | SEC_ASN1_POINTER | SEC_ASN1_MAY_STREAM | - SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, - offsetof(NSSCMSContentInfo,rawContent), - SEC_ASN1_SUB(SEC_OctetStringTemplate) }, + offsetof(NSSCMSContentInfo, contentEncAlg), + SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, + { SEC_ASN1_OPTIONAL | SEC_ASN1_POINTER | SEC_ASN1_MAY_STREAM | + SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, + offsetof(NSSCMSContentInfo, rawContent), + SEC_ASN1_SUB(SEC_OctetStringTemplate) }, { 0 } }; @@ -90,26 +88,26 @@ const SEC_ASN1Template NSSCMSSignerInfoTemplate[]; const SEC_ASN1Template NSSCMSSignedDataTemplate[] = { { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM, - 0, NULL, sizeof(NSSCMSSignedData) }, + 0, NULL, sizeof(NSSCMSSignedData) }, { SEC_ASN1_INTEGER, - offsetof(NSSCMSSignedData,version) }, + offsetof(NSSCMSSignedData, version) }, { SEC_ASN1_SET_OF | SEC_ASN1_XTRN, - offsetof(NSSCMSSignedData,digestAlgorithms), - SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, + offsetof(NSSCMSSignedData, digestAlgorithms), + SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, { SEC_ASN1_INLINE, - offsetof(NSSCMSSignedData,contentInfo), - NSSCMSEncapsulatedContentInfoTemplate }, + offsetof(NSSCMSSignedData, contentInfo), + NSSCMSEncapsulatedContentInfoTemplate }, { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | - SEC_ASN1_XTRN | 0, - offsetof(NSSCMSSignedData,rawCerts), - SEC_ASN1_SUB(SEC_SetOfAnyTemplate) }, + SEC_ASN1_XTRN | 0, + offsetof(NSSCMSSignedData, rawCerts), + SEC_ASN1_SUB(SEC_SetOfAnyTemplate) }, { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | - SEC_ASN1_XTRN | 1, - offsetof(NSSCMSSignedData,crls), - SEC_ASN1_SUB(CERT_SetOfSignedCrlTemplate) }, + SEC_ASN1_XTRN | 1, + offsetof(NSSCMSSignedData, crls), + SEC_ASN1_SUB(CERT_SetOfSignedCrlTemplate) }, { SEC_ASN1_SET_OF, - offsetof(NSSCMSSignedData,signerInfos), - NSSCMSSignerInfoTemplate }, + offsetof(NSSCMSSignedData, signerInfos), + NSSCMSSignerInfoTemplate }, { 0 } }; @@ -123,16 +121,16 @@ const SEC_ASN1Template NSS_PointerToCMSSignedDataTemplate[] = { static const SEC_ASN1Template NSSCMSSignerIdentifierTemplate[] = { { SEC_ASN1_CHOICE, - offsetof(NSSCMSSignerIdentifier,identifierType), NULL, - sizeof(NSSCMSSignerIdentifier) }, + offsetof(NSSCMSSignerIdentifier, identifierType), NULL, + sizeof(NSSCMSSignerIdentifier) }, { SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, - offsetof(NSSCMSSignerIdentifier,id.subjectKeyID), - SEC_ASN1_SUB(SEC_OctetStringTemplate) , - NSSCMSRecipientID_SubjectKeyID }, + offsetof(NSSCMSSignerIdentifier, id.subjectKeyID), + SEC_ASN1_SUB(SEC_OctetStringTemplate), + NSSCMSRecipientID_SubjectKeyID }, { SEC_ASN1_POINTER | SEC_ASN1_XTRN, - offsetof(NSSCMSSignerIdentifier,id.issuerAndSN), - SEC_ASN1_SUB(CERT_IssuerAndSNTemplate), - NSSCMSRecipientID_IssuerSN }, + offsetof(NSSCMSSignerIdentifier, id.issuerAndSN), + SEC_ASN1_SUB(CERT_IssuerAndSNTemplate), + NSSCMSRecipientID_IssuerSN }, { 0 } }; @@ -142,26 +140,26 @@ static const SEC_ASN1Template NSSCMSSignerIdentifierTemplate[] = { const SEC_ASN1Template NSSCMSSignerInfoTemplate[] = { { SEC_ASN1_SEQUENCE, - 0, NULL, sizeof(NSSCMSSignerInfo) }, + 0, NULL, sizeof(NSSCMSSignerInfo) }, { SEC_ASN1_INTEGER, - offsetof(NSSCMSSignerInfo,version) }, + offsetof(NSSCMSSignerInfo, version) }, { SEC_ASN1_INLINE, - offsetof(NSSCMSSignerInfo,signerIdentifier), - NSSCMSSignerIdentifierTemplate }, + offsetof(NSSCMSSignerInfo, signerIdentifier), + NSSCMSSignerIdentifierTemplate }, { SEC_ASN1_INLINE | SEC_ASN1_XTRN, - offsetof(NSSCMSSignerInfo,digestAlg), - SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, + offsetof(NSSCMSSignerInfo, digestAlg), + SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0, - offsetof(NSSCMSSignerInfo,authAttr), - nss_cms_set_of_attribute_template }, + offsetof(NSSCMSSignerInfo, authAttr), + nss_cms_set_of_attribute_template }, { SEC_ASN1_INLINE | SEC_ASN1_XTRN, - offsetof(NSSCMSSignerInfo,digestEncAlg), - SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, + offsetof(NSSCMSSignerInfo, digestEncAlg), + SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, { SEC_ASN1_OCTET_STRING, - offsetof(NSSCMSSignerInfo,encDigest) }, + offsetof(NSSCMSSignerInfo, encDigest) }, { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1, - offsetof(NSSCMSSignerInfo,unAuthAttr), - nss_cms_set_of_attribute_template }, + offsetof(NSSCMSSignerInfo, unAuthAttr), + nss_cms_set_of_attribute_template }, { 0 } }; @@ -171,15 +169,15 @@ const SEC_ASN1Template NSSCMSSignerInfoTemplate[] = { static const SEC_ASN1Template NSSCMSOriginatorInfoTemplate[] = { { SEC_ASN1_SEQUENCE, - 0, NULL, sizeof(NSSCMSOriginatorInfo) }, + 0, NULL, sizeof(NSSCMSOriginatorInfo) }, { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | - SEC_ASN1_XTRN | 0, - offsetof(NSSCMSOriginatorInfo,rawCerts), - SEC_ASN1_SUB(SEC_SetOfAnyTemplate) }, + SEC_ASN1_XTRN | 0, + offsetof(NSSCMSOriginatorInfo, rawCerts), + SEC_ASN1_SUB(SEC_SetOfAnyTemplate) }, { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | - SEC_ASN1_XTRN | 1, - offsetof(NSSCMSOriginatorInfo,crls), - SEC_ASN1_SUB(CERT_SetOfSignedCrlTemplate) }, + SEC_ASN1_XTRN | 1, + offsetof(NSSCMSOriginatorInfo, crls), + SEC_ASN1_SUB(CERT_SetOfSignedCrlTemplate) }, { 0 } }; @@ -187,21 +185,22 @@ const SEC_ASN1Template NSSCMSRecipientInfoTemplate[]; const SEC_ASN1Template NSSCMSEnvelopedDataTemplate[] = { { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM, - 0, NULL, sizeof(NSSCMSEnvelopedData) }, + 0, NULL, sizeof(NSSCMSEnvelopedData) }, { SEC_ASN1_INTEGER, - offsetof(NSSCMSEnvelopedData,version) }, - { SEC_ASN1_OPTIONAL | SEC_ASN1_POINTER | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0, - offsetof(NSSCMSEnvelopedData,originatorInfo), - NSSCMSOriginatorInfoTemplate }, + offsetof(NSSCMSEnvelopedData, version) }, + { SEC_ASN1_OPTIONAL | SEC_ASN1_POINTER | SEC_ASN1_CONSTRUCTED | + SEC_ASN1_CONTEXT_SPECIFIC | 0, + offsetof(NSSCMSEnvelopedData, originatorInfo), + NSSCMSOriginatorInfoTemplate }, { SEC_ASN1_SET_OF, - offsetof(NSSCMSEnvelopedData,recipientInfos), - NSSCMSRecipientInfoTemplate }, + offsetof(NSSCMSEnvelopedData, recipientInfos), + NSSCMSRecipientInfoTemplate }, { SEC_ASN1_INLINE, - offsetof(NSSCMSEnvelopedData,contentInfo), - NSSCMSEncryptedContentInfoTemplate }, + offsetof(NSSCMSEnvelopedData, contentInfo), + NSSCMSEncryptedContentInfoTemplate }, { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1, - offsetof(NSSCMSEnvelopedData,unprotectedAttr), - nss_cms_set_of_attribute_template }, + offsetof(NSSCMSEnvelopedData, unprotectedAttr), + nss_cms_set_of_attribute_template }, { 0 } }; @@ -217,33 +216,32 @@ const SEC_ASN1Template NSS_PointerToCMSEnvelopedDataTemplate[] = { static const SEC_ASN1Template NSSCMSRecipientIdentifierTemplate[] = { { SEC_ASN1_CHOICE, - offsetof(NSSCMSRecipientIdentifier,identifierType), NULL, - sizeof(NSSCMSRecipientIdentifier) }, + offsetof(NSSCMSRecipientIdentifier, identifierType), NULL, + sizeof(NSSCMSRecipientIdentifier) }, { SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0, - offsetof(NSSCMSRecipientIdentifier,id.subjectKeyID), - SEC_ASN1_SUB(SEC_OctetStringTemplate) , - NSSCMSRecipientID_SubjectKeyID }, + offsetof(NSSCMSRecipientIdentifier, id.subjectKeyID), + SEC_ASN1_SUB(SEC_OctetStringTemplate), + NSSCMSRecipientID_SubjectKeyID }, { SEC_ASN1_POINTER | SEC_ASN1_XTRN, - offsetof(NSSCMSRecipientIdentifier,id.issuerAndSN), - SEC_ASN1_SUB(CERT_IssuerAndSNTemplate), - NSSCMSRecipientID_IssuerSN }, + offsetof(NSSCMSRecipientIdentifier, id.issuerAndSN), + SEC_ASN1_SUB(CERT_IssuerAndSNTemplate), + NSSCMSRecipientID_IssuerSN }, { 0 } }; - static const SEC_ASN1Template NSSCMSKeyTransRecipientInfoTemplate[] = { { SEC_ASN1_SEQUENCE, - 0, NULL, sizeof(NSSCMSKeyTransRecipientInfo) }, + 0, NULL, sizeof(NSSCMSKeyTransRecipientInfo) }, { SEC_ASN1_INTEGER, - offsetof(NSSCMSKeyTransRecipientInfo,version) }, + offsetof(NSSCMSKeyTransRecipientInfo, version) }, { SEC_ASN1_INLINE, - offsetof(NSSCMSKeyTransRecipientInfo,recipientIdentifier), - NSSCMSRecipientIdentifierTemplate }, + offsetof(NSSCMSKeyTransRecipientInfo, recipientIdentifier), + NSSCMSRecipientIdentifierTemplate }, { SEC_ASN1_INLINE | SEC_ASN1_XTRN, - offsetof(NSSCMSKeyTransRecipientInfo,keyEncAlg), - SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, + offsetof(NSSCMSKeyTransRecipientInfo, keyEncAlg), + SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, { SEC_ASN1_OCTET_STRING, - offsetof(NSSCMSKeyTransRecipientInfo,encKey) }, + offsetof(NSSCMSKeyTransRecipientInfo, encKey) }, { 0 } }; @@ -253,95 +251,93 @@ static const SEC_ASN1Template NSSCMSKeyTransRecipientInfoTemplate[] = { static const SEC_ASN1Template NSSCMSOriginatorPublicKeyTemplate[] = { { SEC_ASN1_SEQUENCE, - 0, NULL, sizeof(NSSCMSOriginatorPublicKey) }, + 0, NULL, sizeof(NSSCMSOriginatorPublicKey) }, { SEC_ASN1_INLINE | SEC_ASN1_XTRN, - offsetof(NSSCMSOriginatorPublicKey,algorithmIdentifier), - SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, + offsetof(NSSCMSOriginatorPublicKey, algorithmIdentifier), + SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, { SEC_ASN1_INLINE | SEC_ASN1_XTRN, - offsetof(NSSCMSOriginatorPublicKey,publicKey), - SEC_ASN1_SUB(SEC_BitStringTemplate) }, + offsetof(NSSCMSOriginatorPublicKey, publicKey), + SEC_ASN1_SUB(SEC_BitStringTemplate) }, { 0 } }; - static const SEC_ASN1Template NSSCMSOriginatorIdentifierOrKeyTemplate[] = { { SEC_ASN1_CHOICE, - offsetof(NSSCMSOriginatorIdentifierOrKey,identifierType), NULL, - sizeof(NSSCMSOriginatorIdentifierOrKey) }, + offsetof(NSSCMSOriginatorIdentifierOrKey, identifierType), NULL, + sizeof(NSSCMSOriginatorIdentifierOrKey) }, { SEC_ASN1_POINTER | SEC_ASN1_XTRN, - offsetof(NSSCMSOriginatorIdentifierOrKey,id.issuerAndSN), - SEC_ASN1_SUB(CERT_IssuerAndSNTemplate), - NSSCMSOriginatorIDOrKey_IssuerSN }, + offsetof(NSSCMSOriginatorIdentifierOrKey, id.issuerAndSN), + SEC_ASN1_SUB(CERT_IssuerAndSNTemplate), + NSSCMSOriginatorIDOrKey_IssuerSN }, { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | - SEC_ASN1_XTRN | 1, - offsetof(NSSCMSOriginatorIdentifierOrKey,id.subjectKeyID), - SEC_ASN1_SUB(SEC_PointerToOctetStringTemplate) , - NSSCMSOriginatorIDOrKey_SubjectKeyID }, + SEC_ASN1_XTRN | 1, + offsetof(NSSCMSOriginatorIdentifierOrKey, id.subjectKeyID), + SEC_ASN1_SUB(SEC_PointerToOctetStringTemplate), + NSSCMSOriginatorIDOrKey_SubjectKeyID }, { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 2, - offsetof(NSSCMSOriginatorIdentifierOrKey,id.originatorPublicKey), - NSSCMSOriginatorPublicKeyTemplate, - NSSCMSOriginatorIDOrKey_OriginatorPublicKey }, + offsetof(NSSCMSOriginatorIdentifierOrKey, id.originatorPublicKey), + NSSCMSOriginatorPublicKeyTemplate, + NSSCMSOriginatorIDOrKey_OriginatorPublicKey }, { 0 } }; const SEC_ASN1Template NSSCMSRecipientKeyIdentifierTemplate[] = { { SEC_ASN1_SEQUENCE, - 0, NULL, sizeof(NSSCMSRecipientKeyIdentifier) }, + 0, NULL, sizeof(NSSCMSRecipientKeyIdentifier) }, { SEC_ASN1_OCTET_STRING, - offsetof(NSSCMSRecipientKeyIdentifier,subjectKeyIdentifier) }, + offsetof(NSSCMSRecipientKeyIdentifier, subjectKeyIdentifier) }, { SEC_ASN1_OPTIONAL | SEC_ASN1_OCTET_STRING, - offsetof(NSSCMSRecipientKeyIdentifier,date) }, + offsetof(NSSCMSRecipientKeyIdentifier, date) }, { SEC_ASN1_OPTIONAL | SEC_ASN1_OCTET_STRING, - offsetof(NSSCMSRecipientKeyIdentifier,other) }, + offsetof(NSSCMSRecipientKeyIdentifier, other) }, { 0 } }; - static const SEC_ASN1Template NSSCMSKeyAgreeRecipientIdentifierTemplate[] = { { SEC_ASN1_CHOICE, - offsetof(NSSCMSKeyAgreeRecipientIdentifier,identifierType), NULL, - sizeof(NSSCMSKeyAgreeRecipientIdentifier) }, + offsetof(NSSCMSKeyAgreeRecipientIdentifier, identifierType), NULL, + sizeof(NSSCMSKeyAgreeRecipientIdentifier) }, { SEC_ASN1_POINTER | SEC_ASN1_XTRN, - offsetof(NSSCMSKeyAgreeRecipientIdentifier,id.issuerAndSN), - SEC_ASN1_SUB(CERT_IssuerAndSNTemplate), - NSSCMSKeyAgreeRecipientID_IssuerSN }, + offsetof(NSSCMSKeyAgreeRecipientIdentifier, id.issuerAndSN), + SEC_ASN1_SUB(CERT_IssuerAndSNTemplate), + NSSCMSKeyAgreeRecipientID_IssuerSN }, { SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0, - offsetof(NSSCMSKeyAgreeRecipientIdentifier,id.recipientKeyIdentifier), - NSSCMSRecipientKeyIdentifierTemplate, - NSSCMSKeyAgreeRecipientID_RKeyID }, + offsetof(NSSCMSKeyAgreeRecipientIdentifier, id.recipientKeyIdentifier), + NSSCMSRecipientKeyIdentifierTemplate, + NSSCMSKeyAgreeRecipientID_RKeyID }, { 0 } }; static const SEC_ASN1Template NSSCMSRecipientEncryptedKeyTemplate[] = { { SEC_ASN1_SEQUENCE, - 0, NULL, sizeof(NSSCMSRecipientEncryptedKey) }, + 0, NULL, sizeof(NSSCMSRecipientEncryptedKey) }, { SEC_ASN1_INLINE, - offsetof(NSSCMSRecipientEncryptedKey,recipientIdentifier), - NSSCMSKeyAgreeRecipientIdentifierTemplate }, + offsetof(NSSCMSRecipientEncryptedKey, recipientIdentifier), + NSSCMSKeyAgreeRecipientIdentifierTemplate }, { SEC_ASN1_INLINE | SEC_ASN1_XTRN, - offsetof(NSSCMSRecipientEncryptedKey,encKey), - SEC_ASN1_SUB(SEC_BitStringTemplate) }, + offsetof(NSSCMSRecipientEncryptedKey, encKey), + SEC_ASN1_SUB(SEC_BitStringTemplate) }, { 0 } }; static const SEC_ASN1Template NSSCMSKeyAgreeRecipientInfoTemplate[] = { { SEC_ASN1_SEQUENCE, - 0, NULL, sizeof(NSSCMSKeyAgreeRecipientInfo) }, + 0, NULL, sizeof(NSSCMSKeyAgreeRecipientInfo) }, { SEC_ASN1_INTEGER, - offsetof(NSSCMSKeyAgreeRecipientInfo,version) }, + offsetof(NSSCMSKeyAgreeRecipientInfo, version) }, { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 0, - offsetof(NSSCMSKeyAgreeRecipientInfo,originatorIdentifierOrKey), - NSSCMSOriginatorIdentifierOrKeyTemplate }, + offsetof(NSSCMSKeyAgreeRecipientInfo, originatorIdentifierOrKey), + NSSCMSOriginatorIdentifierOrKeyTemplate }, { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT | - SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 1, - offsetof(NSSCMSKeyAgreeRecipientInfo,ukm), - SEC_ASN1_SUB(SEC_OctetStringTemplate) }, + SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 1, + offsetof(NSSCMSKeyAgreeRecipientInfo, ukm), + SEC_ASN1_SUB(SEC_OctetStringTemplate) }, { SEC_ASN1_INLINE | SEC_ASN1_XTRN, - offsetof(NSSCMSKeyAgreeRecipientInfo,keyEncAlg), - SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, + offsetof(NSSCMSKeyAgreeRecipientInfo, keyEncAlg), + SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, { SEC_ASN1_SEQUENCE_OF, - offsetof(NSSCMSKeyAgreeRecipientInfo,recipientEncryptedKeys), - NSSCMSRecipientEncryptedKeyTemplate }, + offsetof(NSSCMSKeyAgreeRecipientInfo, recipientEncryptedKeys), + NSSCMSRecipientEncryptedKeyTemplate }, { 0 } }; @@ -351,29 +347,29 @@ static const SEC_ASN1Template NSSCMSKeyAgreeRecipientInfoTemplate[] = { static const SEC_ASN1Template NSSCMSKEKIdentifierTemplate[] = { { SEC_ASN1_SEQUENCE, - 0, NULL, sizeof(NSSCMSKEKIdentifier) }, + 0, NULL, sizeof(NSSCMSKEKIdentifier) }, { SEC_ASN1_OCTET_STRING, - offsetof(NSSCMSKEKIdentifier,keyIdentifier) }, + offsetof(NSSCMSKEKIdentifier, keyIdentifier) }, { SEC_ASN1_OPTIONAL | SEC_ASN1_OCTET_STRING, - offsetof(NSSCMSKEKIdentifier,date) }, + offsetof(NSSCMSKEKIdentifier, date) }, { SEC_ASN1_OPTIONAL | SEC_ASN1_OCTET_STRING, - offsetof(NSSCMSKEKIdentifier,other) }, + offsetof(NSSCMSKEKIdentifier, other) }, { 0 } }; static const SEC_ASN1Template NSSCMSKEKRecipientInfoTemplate[] = { { SEC_ASN1_SEQUENCE, - 0, NULL, sizeof(NSSCMSKEKRecipientInfo) }, + 0, NULL, sizeof(NSSCMSKEKRecipientInfo) }, { SEC_ASN1_INTEGER, - offsetof(NSSCMSKEKRecipientInfo,version) }, + offsetof(NSSCMSKEKRecipientInfo, version) }, { SEC_ASN1_INLINE, - offsetof(NSSCMSKEKRecipientInfo,kekIdentifier), - NSSCMSKEKIdentifierTemplate }, + offsetof(NSSCMSKEKRecipientInfo, kekIdentifier), + NSSCMSKEKIdentifierTemplate }, { SEC_ASN1_INLINE | SEC_ASN1_XTRN, - offsetof(NSSCMSKEKRecipientInfo,keyEncAlg), - SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, + offsetof(NSSCMSKEKRecipientInfo, keyEncAlg), + SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, { SEC_ASN1_OCTET_STRING, - offsetof(NSSCMSKEKRecipientInfo,encKey) }, + offsetof(NSSCMSKEKRecipientInfo, encKey) }, { 0 } }; @@ -382,20 +378,20 @@ static const SEC_ASN1Template NSSCMSKEKRecipientInfoTemplate[] = { */ const SEC_ASN1Template NSSCMSRecipientInfoTemplate[] = { { SEC_ASN1_CHOICE, - offsetof(NSSCMSRecipientInfo,recipientInfoType), NULL, - sizeof(NSSCMSRecipientInfo) }, + offsetof(NSSCMSRecipientInfo, recipientInfoType), NULL, + sizeof(NSSCMSRecipientInfo) }, { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1, - offsetof(NSSCMSRecipientInfo,ri.keyAgreeRecipientInfo), - NSSCMSKeyAgreeRecipientInfoTemplate, - NSSCMSRecipientInfoID_KeyAgree }, + offsetof(NSSCMSRecipientInfo, ri.keyAgreeRecipientInfo), + NSSCMSKeyAgreeRecipientInfoTemplate, + NSSCMSRecipientInfoID_KeyAgree }, { SEC_ASN1_EXPLICIT | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 2, - offsetof(NSSCMSRecipientInfo,ri.kekRecipientInfo), - NSSCMSKEKRecipientInfoTemplate, - NSSCMSRecipientInfoID_KEK }, + offsetof(NSSCMSRecipientInfo, ri.kekRecipientInfo), + NSSCMSKEKRecipientInfoTemplate, + NSSCMSRecipientInfoID_KEK }, { SEC_ASN1_INLINE, - offsetof(NSSCMSRecipientInfo,ri.keyTransRecipientInfo), - NSSCMSKeyTransRecipientInfoTemplate, - NSSCMSRecipientInfoID_KeyTrans }, + offsetof(NSSCMSRecipientInfo, ri.keyTransRecipientInfo), + NSSCMSKeyTransRecipientInfoTemplate, + NSSCMSRecipientInfoID_KeyTrans }, { 0 } }; @@ -405,17 +401,17 @@ const SEC_ASN1Template NSSCMSRecipientInfoTemplate[] = { const SEC_ASN1Template NSSCMSDigestedDataTemplate[] = { { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM, - 0, NULL, sizeof(NSSCMSDigestedData) }, + 0, NULL, sizeof(NSSCMSDigestedData) }, { SEC_ASN1_INTEGER, - offsetof(NSSCMSDigestedData,version) }, + offsetof(NSSCMSDigestedData, version) }, { SEC_ASN1_INLINE | SEC_ASN1_XTRN, - offsetof(NSSCMSDigestedData,digestAlg), - SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, + offsetof(NSSCMSDigestedData, digestAlg), + SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) }, { SEC_ASN1_INLINE, - offsetof(NSSCMSDigestedData,contentInfo), - NSSCMSEncapsulatedContentInfoTemplate }, + offsetof(NSSCMSDigestedData, contentInfo), + NSSCMSEncapsulatedContentInfoTemplate }, { SEC_ASN1_OCTET_STRING, - offsetof(NSSCMSDigestedData,digest) }, + offsetof(NSSCMSDigestedData, digest) }, { 0 } }; @@ -425,15 +421,15 @@ const SEC_ASN1Template NSS_PointerToCMSDigestedDataTemplate[] = { const SEC_ASN1Template NSSCMSEncryptedDataTemplate[] = { { SEC_ASN1_SEQUENCE | SEC_ASN1_MAY_STREAM, - 0, NULL, sizeof(NSSCMSEncryptedData) }, + 0, NULL, sizeof(NSSCMSEncryptedData) }, { SEC_ASN1_INTEGER, - offsetof(NSSCMSEncryptedData,version) }, + offsetof(NSSCMSEncryptedData, version) }, { SEC_ASN1_INLINE, - offsetof(NSSCMSEncryptedData,contentInfo), - NSSCMSEncryptedContentInfoTemplate }, + offsetof(NSSCMSEncryptedData, contentInfo), + NSSCMSEncryptedContentInfoTemplate }, { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_CONTEXT_SPECIFIC | 1, - offsetof(NSSCMSEncryptedData,unprotectedAttr), - nss_cms_set_of_attribute_template }, + offsetof(NSSCMSEncryptedData, unprotectedAttr), + nss_cms_set_of_attribute_template }, { 0 } }; @@ -443,8 +439,8 @@ const SEC_ASN1Template NSS_PointerToCMSEncryptedDataTemplate[] = { const SEC_ASN1Template NSSCMSGenericWrapperDataTemplate[] = { { SEC_ASN1_INLINE, - offsetof(NSSCMSGenericWrapperData,contentInfo), - NSSCMSEncapsulatedContentInfoTemplate }, + offsetof(NSSCMSGenericWrapperData, contentInfo), + NSSCMSEncapsulatedContentInfoTemplate }, }; SEC_ASN1_CHOOSER_IMPLEMENT(NSSCMSGenericWrapperDataTemplate) @@ -465,31 +461,31 @@ nss_cms_choose_content_template(void *src_or_dest, PRBool encoding) NSSCMSContentInfo *cinfo; SECOidTag type; - PORT_Assert (src_or_dest != NULL); + PORT_Assert(src_or_dest != NULL); if (src_or_dest == NULL) - return NULL; + return NULL; cinfo = (NSSCMSContentInfo *)src_or_dest; type = NSS_CMSContentInfo_GetContentTypeTag(cinfo); switch (type) { - default: - theTemplate = NSS_CMSType_GetTemplate(type); - break; - case SEC_OID_PKCS7_DATA: - theTemplate = SEC_ASN1_GET(SEC_PointerToOctetStringTemplate); - break; - case SEC_OID_PKCS7_SIGNED_DATA: - theTemplate = NSS_PointerToCMSSignedDataTemplate; - break; - case SEC_OID_PKCS7_ENVELOPED_DATA: - theTemplate = NSS_PointerToCMSEnvelopedDataTemplate; - break; - case SEC_OID_PKCS7_DIGESTED_DATA: - theTemplate = NSS_PointerToCMSDigestedDataTemplate; - break; - case SEC_OID_PKCS7_ENCRYPTED_DATA: - theTemplate = NSS_PointerToCMSEncryptedDataTemplate; - break; + default: + theTemplate = NSS_CMSType_GetTemplate(type); + break; + case SEC_OID_PKCS7_DATA: + theTemplate = SEC_ASN1_GET(SEC_PointerToOctetStringTemplate); + break; + case SEC_OID_PKCS7_SIGNED_DATA: + theTemplate = NSS_PointerToCMSSignedDataTemplate; + break; + case SEC_OID_PKCS7_ENVELOPED_DATA: + theTemplate = NSS_PointerToCMSEnvelopedDataTemplate; + break; + case SEC_OID_PKCS7_DIGESTED_DATA: + theTemplate = NSS_PointerToCMSDigestedDataTemplate; + break; + case SEC_OID_PKCS7_ENCRYPTED_DATA: + theTemplate = NSS_PointerToCMSEncryptedDataTemplate; + break; } return theTemplate; } diff --git a/nss/lib/smime/cmsattr.c b/nss/lib/smime/cmsattr.c index 253abe9..c1ec760 100644 --- a/nss/lib/smime/cmsattr.c +++ b/nss/lib/smime/cmsattr.c @@ -25,7 +25,6 @@ * to external naming convention, and move them elsewhere! */ - /* * NSS_CMSAttribute_Create - create an attribute * @@ -33,44 +32,45 @@ * with NSS_CMSAttribute_AddValue. */ NSSCMSAttribute * -NSS_CMSAttribute_Create(PLArenaPool *poolp, SECOidTag oidtag, SECItem *value, PRBool encoded) +NSS_CMSAttribute_Create(PLArenaPool *poolp, SECOidTag oidtag, SECItem *value, + PRBool encoded) { NSSCMSAttribute *attr; SECItem *copiedvalue; void *mark; - PORT_Assert (poolp != NULL); + PORT_Assert(poolp != NULL); - mark = PORT_ArenaMark (poolp); + mark = PORT_ArenaMark(poolp); attr = (NSSCMSAttribute *)PORT_ArenaZAlloc(poolp, sizeof(NSSCMSAttribute)); if (attr == NULL) - goto loser; + goto loser; attr->typeTag = SECOID_FindOIDByTag(oidtag); if (attr->typeTag == NULL) - goto loser; + goto loser; if (SECITEM_CopyItem(poolp, &(attr->type), &(attr->typeTag->oid)) != SECSuccess) - goto loser; + goto loser; if (value != NULL) { - if ((copiedvalue = SECITEM_ArenaDupItem(poolp, value)) == NULL) - goto loser; + if ((copiedvalue = SECITEM_ArenaDupItem(poolp, value)) == NULL) + goto loser; - if (NSS_CMSArray_Add(poolp, (void ***)&(attr->values), (void *)copiedvalue) != SECSuccess) - goto loser; + if (NSS_CMSArray_Add(poolp, (void ***)&(attr->values), (void *)copiedvalue) != SECSuccess) + goto loser; } attr->encoded = encoded; - PORT_ArenaUnmark (poolp, mark); + PORT_ArenaUnmark(poolp, mark); return attr; loser: - PORT_Assert (mark != NULL); - PORT_ArenaRelease (poolp, mark); + PORT_Assert(mark != NULL); + PORT_ArenaRelease(poolp, mark); return NULL; } @@ -83,27 +83,27 @@ NSS_CMSAttribute_AddValue(PLArenaPool *poolp, NSSCMSAttribute *attr, SECItem *va SECItem *copiedvalue; void *mark; - PORT_Assert (poolp != NULL); + PORT_Assert(poolp != NULL); mark = PORT_ArenaMark(poolp); if (value == NULL) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - goto loser; + PORT_SetError(SEC_ERROR_INVALID_ARGS); + goto loser; } if ((copiedvalue = SECITEM_ArenaDupItem(poolp, value)) == NULL) - goto loser; + goto loser; if (NSS_CMSArray_Add(poolp, (void ***)&(attr->values), (void *)copiedvalue) != SECSuccess) - goto loser; + goto loser; PORT_ArenaUnmark(poolp, mark); return SECSuccess; loser: - PORT_Assert (mark != NULL); - PORT_ArenaRelease (poolp, mark); + PORT_Assert(mark != NULL); + PORT_ArenaRelease(poolp, mark); return SECFailure; } @@ -117,7 +117,7 @@ NSS_CMSAttribute_GetType(NSSCMSAttribute *attr) typetag = SECOID_FindOID(&(attr->type)); if (typetag == NULL) - return SEC_OID_UNKNOWN; + return SEC_OID_UNKNOWN; return typetag->offset; } @@ -135,15 +135,15 @@ NSS_CMSAttribute_GetValue(NSSCMSAttribute *attr) SECItem *value; if (attr == NULL) - return NULL; + return NULL; value = attr->values[0]; if (value == NULL || value->data == NULL || value->len == 0) - return NULL; + return NULL; if (attr->values[1] != NULL) - return NULL; + return NULL; return value; } @@ -155,14 +155,14 @@ PRBool NSS_CMSAttribute_CompareValue(NSSCMSAttribute *attr, SECItem *av) { SECItem *value; - + if (attr == NULL) - return PR_FALSE; + return PR_FALSE; value = NSS_CMSAttribute_GetValue(attr); return (value != NULL && value->len == av->len && - PORT_Memcmp (value->data, av->data, value->len) == 0); + PORT_Memcmp(value->data, av->data, value->len) == 0); } /* @@ -182,14 +182,14 @@ cms_attr_choose_attr_value_template(void *src_or_dest, PRBool encoding) SECOidData *oiddata; PRBool encoded; - PORT_Assert (src_or_dest != NULL); + PORT_Assert(src_or_dest != NULL); if (src_or_dest == NULL) - return NULL; + return NULL; attribute = (NSSCMSAttribute *)src_or_dest; if (encoding && (!attribute->values || !attribute->values[0] || - attribute->encoded)) { + attribute->encoded)) { /* we're encoding, and the attribute has no value or the attribute * value is already encoded. */ return SEC_ASN1_GET(SEC_AnyTemplate); @@ -198,77 +198,76 @@ cms_attr_choose_attr_value_template(void *src_or_dest, PRBool encoding) /* get attribute's typeTag */ oiddata = attribute->typeTag; if (oiddata == NULL) { - oiddata = SECOID_FindOID(&attribute->type); - attribute->typeTag = oiddata; + oiddata = SECOID_FindOID(&attribute->type); + attribute->typeTag = oiddata; } if (oiddata == NULL) { - /* still no OID tag? OID is unknown then. en/decode value as ANY. */ - encoded = PR_TRUE; - theTemplate = SEC_ASN1_GET(SEC_AnyTemplate); + /* still no OID tag? OID is unknown then. en/decode value as ANY. */ + encoded = PR_TRUE; + theTemplate = SEC_ASN1_GET(SEC_AnyTemplate); } else { - switch (oiddata->offset) { - case SEC_OID_PKCS9_SMIME_CAPABILITIES: - case SEC_OID_SMIME_ENCRYPTION_KEY_PREFERENCE: - /* these guys need to stay DER-encoded */ - default: - /* same goes for OIDs that are not handled here */ - encoded = PR_TRUE; - theTemplate = SEC_ASN1_GET(SEC_AnyTemplate); - break; - /* otherwise choose proper template */ - case SEC_OID_PKCS9_EMAIL_ADDRESS: - case SEC_OID_RFC1274_MAIL: - case SEC_OID_PKCS9_UNSTRUCTURED_NAME: - encoded = PR_FALSE; - theTemplate = SEC_ASN1_GET(SEC_IA5StringTemplate); - break; - case SEC_OID_PKCS9_CONTENT_TYPE: - encoded = PR_FALSE; - theTemplate = SEC_ASN1_GET(SEC_ObjectIDTemplate); - break; - case SEC_OID_PKCS9_MESSAGE_DIGEST: - encoded = PR_FALSE; - theTemplate = SEC_ASN1_GET(SEC_OctetStringTemplate); - break; - case SEC_OID_PKCS9_SIGNING_TIME: - encoded = PR_FALSE; - theTemplate = SEC_ASN1_GET(CERT_TimeChoiceTemplate); - break; - /* XXX Want other types here, too */ - } + switch (oiddata->offset) { + case SEC_OID_PKCS9_SMIME_CAPABILITIES: + case SEC_OID_SMIME_ENCRYPTION_KEY_PREFERENCE: + /* these guys need to stay DER-encoded */ + default: + /* same goes for OIDs that are not handled here */ + encoded = PR_TRUE; + theTemplate = SEC_ASN1_GET(SEC_AnyTemplate); + break; + /* otherwise choose proper template */ + case SEC_OID_PKCS9_EMAIL_ADDRESS: + case SEC_OID_RFC1274_MAIL: + case SEC_OID_PKCS9_UNSTRUCTURED_NAME: + encoded = PR_FALSE; + theTemplate = SEC_ASN1_GET(SEC_IA5StringTemplate); + break; + case SEC_OID_PKCS9_CONTENT_TYPE: + encoded = PR_FALSE; + theTemplate = SEC_ASN1_GET(SEC_ObjectIDTemplate); + break; + case SEC_OID_PKCS9_MESSAGE_DIGEST: + encoded = PR_FALSE; + theTemplate = SEC_ASN1_GET(SEC_OctetStringTemplate); + break; + case SEC_OID_PKCS9_SIGNING_TIME: + encoded = PR_FALSE; + theTemplate = SEC_ASN1_GET(CERT_TimeChoiceTemplate); + break; + /* XXX Want other types here, too */ + } } if (encoding) { - /* - * If we are encoding and we think we have an already-encoded value, - * then the code which initialized this attribute should have set - * the "encoded" property to true (and we would have returned early, - * up above). No devastating error, but that code should be fixed. - * (It could indicate that the resulting encoded bytes are wrong.) - */ - PORT_Assert (!encoded); + /* + * If we are encoding and we think we have an already-encoded value, + * then the code which initialized this attribute should have set + * the "encoded" property to true (and we would have returned early, + * up above). No devastating error, but that code should be fixed. + * (It could indicate that the resulting encoded bytes are wrong.) + */ + PORT_Assert(!encoded); } else { - /* - * We are decoding; record whether the resulting value is - * still encoded or not. - */ - attribute->encoded = encoded; + /* + * We are decoding; record whether the resulting value is + * still encoded or not. + */ + attribute->encoded = encoded; } return theTemplate; } -static const SEC_ASN1TemplateChooserPtr cms_attr_chooser - = cms_attr_choose_attr_value_template; +static const SEC_ASN1TemplateChooserPtr cms_attr_chooser = cms_attr_choose_attr_value_template; const SEC_ASN1Template nss_cms_attribute_template[] = { { SEC_ASN1_SEQUENCE, - 0, NULL, sizeof(NSSCMSAttribute) }, + 0, NULL, sizeof(NSSCMSAttribute) }, { SEC_ASN1_OBJECT_ID, - offsetof(NSSCMSAttribute,type) }, + offsetof(NSSCMSAttribute, type) }, { SEC_ASN1_DYNAMIC | SEC_ASN1_SET_OF, - offsetof(NSSCMSAttribute,values), - &cms_attr_chooser }, + offsetof(NSSCMSAttribute, values), + &cms_attr_chooser }, { 0 } }; @@ -292,7 +291,7 @@ const SEC_ASN1Template nss_cms_set_of_attribute_template[] = { SECItem * NSS_CMSAttributeArray_Encode(PLArenaPool *poolp, NSSCMSAttribute ***attrs, SECItem *dest) { - return SEC_ASN1EncodeItem (poolp, dest, (void *)attrs, nss_cms_set_of_attribute_template); + return SEC_ASN1EncodeItem(poolp, dest, (void *)attrs, nss_cms_set_of_attribute_template); } /* @@ -323,44 +322,43 @@ NSS_CMSAttributeArray_FindAttrByOidTag(NSSCMSAttribute **attrs, SECOidTag oidtag NSSCMSAttribute *attr1, *attr2; if (attrs == NULL) - return NULL; + return NULL; oid = SECOID_FindOIDByTag(oidtag); if (oid == NULL) - return NULL; + return NULL; while ((attr1 = *attrs++) != NULL) { - if (attr1->type.len == oid->oid.len && PORT_Memcmp (attr1->type.data, - oid->oid.data, - oid->oid.len) == 0) - break; + if (attr1->type.len == oid->oid.len && + PORT_Memcmp(attr1->type.data, oid->oid.data, oid->oid.len) == 0) + break; } if (attr1 == NULL) - return NULL; + return NULL; if (!only) - return attr1; + return attr1; while ((attr2 = *attrs++) != NULL) { - if (attr2->type.len == oid->oid.len && PORT_Memcmp (attr2->type.data, - oid->oid.data, - oid->oid.len) == 0) - break; + if (attr2->type.len == oid->oid.len && + PORT_Memcmp(attr2->type.data, oid->oid.data, oid->oid.len) == 0) + break; } if (attr2 != NULL) - return NULL; + return NULL; return attr1; } /* * NSS_CMSAttributeArray_AddAttr - add an attribute to an - * array of attributes. + * array of attributes. */ SECStatus -NSS_CMSAttributeArray_AddAttr(PLArenaPool *poolp, NSSCMSAttribute ***attrs, NSSCMSAttribute *attr) +NSS_CMSAttributeArray_AddAttr(PLArenaPool *poolp, NSSCMSAttribute ***attrs, + NSSCMSAttribute *attr) { NSSCMSAttribute *oattr; void *mark; @@ -373,13 +371,13 @@ NSS_CMSAttributeArray_AddAttr(PLArenaPool *poolp, NSSCMSAttribute ***attrs, NSSC /* see if we have one already */ oattr = NSS_CMSAttributeArray_FindAttrByOidTag(*attrs, type, PR_FALSE); - PORT_Assert (oattr == NULL); + PORT_Assert(oattr == NULL); if (oattr != NULL) - goto loser; /* XXX or would it be better to replace it? */ + goto loser; /* XXX or would it be better to replace it? */ /* no, shove it in */ if (NSS_CMSArray_Add(poolp, (void ***)attrs, (void *)attr) != SECSuccess) - goto loser; + goto loser; PORT_ArenaUnmark(poolp, mark); return SECSuccess; @@ -393,7 +391,8 @@ loser: * NSS_CMSAttributeArray_SetAttr - set an attribute's value in a set of attributes */ SECStatus -NSS_CMSAttributeArray_SetAttr(PLArenaPool *poolp, NSSCMSAttribute ***attrs, SECOidTag type, SECItem *value, PRBool encoded) +NSS_CMSAttributeArray_SetAttr(PLArenaPool *poolp, NSSCMSAttribute ***attrs, + SECOidTag type, SECItem *value, PRBool encoded) { NSSCMSAttribute *attr; void *mark; @@ -403,25 +402,24 @@ NSS_CMSAttributeArray_SetAttr(PLArenaPool *poolp, NSSCMSAttribute ***attrs, SECO /* see if we have one already */ attr = NSS_CMSAttributeArray_FindAttrByOidTag(*attrs, type, PR_FALSE); if (attr == NULL) { - /* not found? create one! */ - attr = NSS_CMSAttribute_Create(poolp, type, value, encoded); - if (attr == NULL) - goto loser; - /* and add it to the list */ - if (NSS_CMSArray_Add(poolp, (void ***)attrs, (void *)attr) != SECSuccess) - goto loser; + /* not found? create one! */ + attr = NSS_CMSAttribute_Create(poolp, type, value, encoded); + if (attr == NULL) + goto loser; + /* and add it to the list */ + if (NSS_CMSArray_Add(poolp, (void ***)attrs, (void *)attr) != SECSuccess) + goto loser; } else { - /* found, shove it in */ - /* XXX we need a decent memory model @#$#$!#!!! */ - attr->values[0] = value; - attr->encoded = encoded; + /* found, shove it in */ + /* XXX we need a decent memory model @#$#$!#!!! */ + attr->values[0] = value; + attr->encoded = encoded; } - PORT_ArenaUnmark (poolp, mark); + PORT_ArenaUnmark(poolp, mark); return SECSuccess; loser: - PORT_ArenaRelease (poolp, mark); + PORT_ArenaRelease(poolp, mark); return SECFailure; } - diff --git a/nss/lib/smime/cmscinfo.c b/nss/lib/smime/cmscinfo.c index b6f1d0a..08db662 100644 --- a/nss/lib/smime/cmscinfo.c +++ b/nss/lib/smime/cmscinfo.c @@ -13,7 +13,6 @@ #include "secoid.h" #include "secerr.h" - /* * NSS_CMSContentInfo_Create - create a content info * @@ -23,24 +22,23 @@ SECStatus NSS_CMSContentInfo_Private_Init(NSSCMSContentInfo *cinfo) { if (cinfo->privateInfo) { - return SECSuccess; + return SECSuccess; } cinfo->privateInfo = PORT_ZNew(NSSCMSContentInfoPrivate); return (cinfo->privateInfo) ? SECSuccess : SECFailure; } - static void nss_cmsContentInfo_private_destroy(NSSCMSContentInfoPrivate *privateInfo) { if (privateInfo->digcx) { - /* must destroy digest objects */ - NSS_CMSDigestContext_Cancel(privateInfo->digcx); - privateInfo->digcx = NULL; + /* must destroy digest objects */ + NSS_CMSDigestContext_Cancel(privateInfo->digcx); + privateInfo->digcx = NULL; } if (privateInfo->ciphcx) { - NSS_CMSCipherContext_Destroy(privateInfo->ciphcx); - privateInfo->ciphcx = NULL; + NSS_CMSCipherContext_Destroy(privateInfo->ciphcx); + privateInfo->ciphcx = NULL; } PORT_Free(privateInfo); } @@ -55,29 +53,29 @@ NSS_CMSContentInfo_Destroy(NSSCMSContentInfo *cinfo) kind = NSS_CMSContentInfo_GetContentTypeTag(cinfo); switch (kind) { - case SEC_OID_PKCS7_ENVELOPED_DATA: - NSS_CMSEnvelopedData_Destroy(cinfo->content.envelopedData); - break; - case SEC_OID_PKCS7_SIGNED_DATA: - NSS_CMSSignedData_Destroy(cinfo->content.signedData); - break; - case SEC_OID_PKCS7_ENCRYPTED_DATA: - NSS_CMSEncryptedData_Destroy(cinfo->content.encryptedData); - break; - case SEC_OID_PKCS7_DIGESTED_DATA: - NSS_CMSDigestedData_Destroy(cinfo->content.digestedData); - break; - default: - NSS_CMSGenericWrapperData_Destroy(kind, cinfo->content.genericData); - /* XXX Anything else that needs to be "manually" freed/destroyed? */ - break; + case SEC_OID_PKCS7_ENVELOPED_DATA: + NSS_CMSEnvelopedData_Destroy(cinfo->content.envelopedData); + break; + case SEC_OID_PKCS7_SIGNED_DATA: + NSS_CMSSignedData_Destroy(cinfo->content.signedData); + break; + case SEC_OID_PKCS7_ENCRYPTED_DATA: + NSS_CMSEncryptedData_Destroy(cinfo->content.encryptedData); + break; + case SEC_OID_PKCS7_DIGESTED_DATA: + NSS_CMSDigestedData_Destroy(cinfo->content.digestedData); + break; + default: + NSS_CMSGenericWrapperData_Destroy(kind, cinfo->content.genericData); + /* XXX Anything else that needs to be "manually" freed/destroyed? */ + break; } if (cinfo->privateInfo) { - nss_cmsContentInfo_private_destroy(cinfo->privateInfo); - cinfo->privateInfo = NULL; + nss_cmsContentInfo_private_destroy(cinfo->privateInfo); + cinfo->privateInfo = NULL; } if (cinfo->bulkkey) { - PK11_FreeSymKey(cinfo->bulkkey); + PK11_FreeSymKey(cinfo->bulkkey); } } @@ -87,40 +85,40 @@ NSS_CMSContentInfo_Destroy(NSSCMSContentInfo *cinfo) NSSCMSContentInfo * NSS_CMSContentInfo_GetChildContentInfo(NSSCMSContentInfo *cinfo) { - NSSCMSContentInfo * ccinfo = NULL; + NSSCMSContentInfo *ccinfo = NULL; SECOidTag tag = NSS_CMSContentInfo_GetContentTypeTag(cinfo); switch (tag) { - case SEC_OID_PKCS7_SIGNED_DATA: - if (cinfo->content.signedData != NULL) { - ccinfo = &(cinfo->content.signedData->contentInfo); - } - break; - case SEC_OID_PKCS7_ENVELOPED_DATA: - if (cinfo->content.envelopedData != NULL) { - ccinfo = &(cinfo->content.envelopedData->contentInfo); - } - break; - case SEC_OID_PKCS7_DIGESTED_DATA: - if (cinfo->content.digestedData != NULL) { - ccinfo = &(cinfo->content.digestedData->contentInfo); - } - break; - case SEC_OID_PKCS7_ENCRYPTED_DATA: - if (cinfo->content.encryptedData != NULL) { - ccinfo = &(cinfo->content.encryptedData->contentInfo); - } - break; - case SEC_OID_PKCS7_DATA: - default: - if (NSS_CMSType_IsWrapper(tag)) { - if (cinfo->content.genericData != NULL) { - ccinfo = &(cinfo->content.genericData->contentInfo); - } - } - break; + case SEC_OID_PKCS7_SIGNED_DATA: + if (cinfo->content.signedData != NULL) { + ccinfo = &(cinfo->content.signedData->contentInfo); + } + break; + case SEC_OID_PKCS7_ENVELOPED_DATA: + if (cinfo->content.envelopedData != NULL) { + ccinfo = &(cinfo->content.envelopedData->contentInfo); + } + break; + case SEC_OID_PKCS7_DIGESTED_DATA: + if (cinfo->content.digestedData != NULL) { + ccinfo = &(cinfo->content.digestedData->contentInfo); + } + break; + case SEC_OID_PKCS7_ENCRYPTED_DATA: + if (cinfo->content.encryptedData != NULL) { + ccinfo = &(cinfo->content.encryptedData->contentInfo); + } + break; + case SEC_OID_PKCS7_DATA: + default: + if (NSS_CMSType_IsWrapper(tag)) { + if (cinfo->content.genericData != NULL) { + ccinfo = &(cinfo->content.genericData->contentInfo); + } + } + break; } if (ccinfo && !ccinfo->privateInfo) { - NSS_CMSContentInfo_Private_Init(ccinfo); + NSS_CMSContentInfo_Private_Init(ccinfo); } return ccinfo; } @@ -128,47 +126,48 @@ NSS_CMSContentInfo_GetChildContentInfo(NSSCMSContentInfo *cinfo) SECStatus NSS_CMSContentInfo_SetDontStream(NSSCMSContentInfo *cinfo, PRBool dontStream) { - SECStatus rv; - - rv = NSS_CMSContentInfo_Private_Init(cinfo); - if (rv != SECSuccess) { - /* default is streaming, failure to get ccinfo will not effect this */ - return dontStream ? SECFailure : SECSuccess ; - } - cinfo->privateInfo->dontStream = dontStream; - return SECSuccess; + SECStatus rv; + + rv = NSS_CMSContentInfo_Private_Init(cinfo); + if (rv != SECSuccess) { + /* default is streaming, failure to get ccinfo will not effect this */ + return dontStream ? SECFailure : SECSuccess; + } + cinfo->privateInfo->dontStream = dontStream; + return SECSuccess; } /* * NSS_CMSContentInfo_SetContent - set content type & content */ SECStatus -NSS_CMSContentInfo_SetContent(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, SECOidTag type, void *ptr) +NSS_CMSContentInfo_SetContent(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, + SECOidTag type, void *ptr) { SECStatus rv; cinfo->contentTypeTag = SECOID_FindOIDByTag(type); if (cinfo->contentTypeTag == NULL) - return SECFailure; - + return SECFailure; + /* do not copy the oid, just create a reference */ - rv = SECITEM_CopyItem (cmsg->poolp, &(cinfo->contentType), &(cinfo->contentTypeTag->oid)); + rv = SECITEM_CopyItem(cmsg->poolp, &(cinfo->contentType), &(cinfo->contentTypeTag->oid)); if (rv != SECSuccess) - return SECFailure; + return SECFailure; cinfo->content.pointer = ptr; if (NSS_CMSType_IsData(type) && ptr) { - cinfo->rawContent = ptr; + cinfo->rawContent = ptr; } else { - /* as we always have some inner data, - * we need to set it to something, just to fool the encoder enough to work on it - * and get us into nss_cms_encoder_notify at that point */ - cinfo->rawContent = SECITEM_AllocItem(cmsg->poolp, NULL, 1); - if (cinfo->rawContent == NULL) { - PORT_SetError(SEC_ERROR_NO_MEMORY); - return SECFailure; - } + /* as we always have some inner data, + * we need to set it to something, just to fool the encoder enough to work on it + * and get us into nss_cms_encoder_notify at that point */ + cinfo->rawContent = SECITEM_AllocItem(cmsg->poolp, NULL, 1); + if (cinfo->rawContent == NULL) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + return SECFailure; + } } return SECSuccess; @@ -183,42 +182,46 @@ NSS_CMSContentInfo_SetContent(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, SEC * data != NULL -> take this data */ SECStatus -NSS_CMSContentInfo_SetContent_Data(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, SECItem *data, PRBool detached) +NSS_CMSContentInfo_SetContent_Data(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, + SECItem *data, PRBool detached) { if (NSS_CMSContentInfo_SetContent(cmsg, cinfo, SEC_OID_PKCS7_DATA, (void *)data) != SECSuccess) - return SECFailure; + return SECFailure; if (detached) { cinfo->rawContent = NULL; } - + return SECSuccess; } SECStatus -NSS_CMSContentInfo_SetContent_SignedData(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, NSSCMSSignedData *sigd) +NSS_CMSContentInfo_SetContent_SignedData(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, + NSSCMSSignedData *sigd) { return NSS_CMSContentInfo_SetContent(cmsg, cinfo, SEC_OID_PKCS7_SIGNED_DATA, (void *)sigd); } SECStatus -NSS_CMSContentInfo_SetContent_EnvelopedData(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, NSSCMSEnvelopedData *envd) +NSS_CMSContentInfo_SetContent_EnvelopedData(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, + NSSCMSEnvelopedData *envd) { return NSS_CMSContentInfo_SetContent(cmsg, cinfo, SEC_OID_PKCS7_ENVELOPED_DATA, (void *)envd); } SECStatus -NSS_CMSContentInfo_SetContent_DigestedData(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, NSSCMSDigestedData *digd) +NSS_CMSContentInfo_SetContent_DigestedData(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, + NSSCMSDigestedData *digd) { return NSS_CMSContentInfo_SetContent(cmsg, cinfo, SEC_OID_PKCS7_DIGESTED_DATA, (void *)digd); } SECStatus -NSS_CMSContentInfo_SetContent_EncryptedData(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, NSSCMSEncryptedData *encd) +NSS_CMSContentInfo_SetContent_EncryptedData(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, + NSSCMSEncryptedData *encd) { return NSS_CMSContentInfo_SetContent(cmsg, cinfo, SEC_OID_PKCS7_ENCRYPTED_DATA, (void *)encd); } - /* * NSS_CMSContentInfo_GetContent - get pointer to inner content * @@ -227,22 +230,24 @@ NSS_CMSContentInfo_SetContent_EncryptedData(NSSCMSMessage *cmsg, NSSCMSContentIn void * NSS_CMSContentInfo_GetContent(NSSCMSContentInfo *cinfo) { - SECOidTag tag = cinfo->contentTypeTag - ? cinfo->contentTypeTag->offset - : SEC_OID_UNKNOWN; + SECOidTag tag = cinfo->contentTypeTag + ? cinfo->contentTypeTag->offset + : SEC_OID_UNKNOWN; switch (tag) { - case SEC_OID_PKCS7_DATA: - case SEC_OID_PKCS7_SIGNED_DATA: - case SEC_OID_PKCS7_ENVELOPED_DATA: - case SEC_OID_PKCS7_DIGESTED_DATA: - case SEC_OID_PKCS7_ENCRYPTED_DATA: - return cinfo->content.pointer; - default: - return NSS_CMSType_IsWrapper(tag) ? cinfo->content.pointer : (NSS_CMSType_IsData(tag) ? cinfo->rawContent : NULL); + case SEC_OID_PKCS7_DATA: + case SEC_OID_PKCS7_SIGNED_DATA: + case SEC_OID_PKCS7_ENVELOPED_DATA: + case SEC_OID_PKCS7_DIGESTED_DATA: + case SEC_OID_PKCS7_ENCRYPTED_DATA: + return cinfo->content.pointer; + default: + return NSS_CMSType_IsWrapper(tag) ? cinfo->content.pointer + : (NSS_CMSType_IsData(tag) ? cinfo->rawContent + : NULL); } } -/* +/* * NSS_CMSContentInfo_GetInnerContent - get pointer to innermost content * * this is typically only called by NSS_CMSMessage_GetContent() @@ -252,25 +257,24 @@ SECItem * NSS_CMSContentInfo_GetInnerContent(NSSCMSContentInfo *cinfo) { NSSCMSContentInfo *ccinfo; - SECOidTag tag; - SECItem *pItem = NULL; + SECOidTag tag; + SECItem *pItem = NULL; tag = NSS_CMSContentInfo_GetContentTypeTag(cinfo); if (NSS_CMSType_IsData(tag)) { - pItem = cinfo->content.data; + pItem = cinfo->content.data; } else if (NSS_CMSType_IsWrapper(tag)) { - ccinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo); - if (ccinfo != NULL) { - pItem = NSS_CMSContentInfo_GetContent(ccinfo); - } + ccinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo); + if (ccinfo != NULL) { + pItem = NSS_CMSContentInfo_GetContent(ccinfo); + } } else { - PORT_Assert(0); + PORT_Assert(0); } return pItem; } - /* * NSS_CMSContentInfo_GetContentType{Tag,OID} - find out (saving pointer to lookup result * for future reference) and return the inner content type. @@ -279,10 +283,10 @@ SECOidTag NSS_CMSContentInfo_GetContentTypeTag(NSSCMSContentInfo *cinfo) { if (cinfo->contentTypeTag == NULL) - cinfo->contentTypeTag = SECOID_FindOID(&(cinfo->contentType)); + cinfo->contentTypeTag = SECOID_FindOID(&(cinfo->contentType)); if (cinfo->contentTypeTag == NULL) - return SEC_OID_UNKNOWN; + return SEC_OID_UNKNOWN; return cinfo->contentTypeTag->offset; } @@ -291,10 +295,10 @@ SECItem * NSS_CMSContentInfo_GetContentTypeOID(NSSCMSContentInfo *cinfo) { if (cinfo->contentTypeTag == NULL) - cinfo->contentTypeTag = SECOID_FindOID(&(cinfo->contentType)); + cinfo->contentTypeTag = SECOID_FindOID(&(cinfo->contentType)); if (cinfo->contentTypeTag == NULL) - return NULL; + return NULL; return &(cinfo->contentTypeTag->oid); } @@ -307,7 +311,7 @@ SECOidTag NSS_CMSContentInfo_GetContentEncAlgTag(NSSCMSContentInfo *cinfo) { if (cinfo->contentEncAlgTag == SEC_OID_UNKNOWN) - cinfo->contentEncAlgTag = SECOID_GetAlgorithmTag(&(cinfo->contentEncAlg)); + cinfo->contentEncAlgTag = SECOID_GetAlgorithmTag(&(cinfo->contentEncAlg)); return cinfo->contentEncAlgTag; } @@ -323,28 +327,28 @@ NSS_CMSContentInfo_GetContentEncAlg(NSSCMSContentInfo *cinfo) SECStatus NSS_CMSContentInfo_SetContentEncAlg(PLArenaPool *poolp, NSSCMSContentInfo *cinfo, - SECOidTag bulkalgtag, SECItem *parameters, int keysize) + SECOidTag bulkalgtag, SECItem *parameters, int keysize) { SECStatus rv; rv = SECOID_SetAlgorithmID(poolp, &(cinfo->contentEncAlg), bulkalgtag, parameters); if (rv != SECSuccess) - return SECFailure; + return SECFailure; cinfo->keysize = keysize; return SECSuccess; } SECStatus NSS_CMSContentInfo_SetContentEncAlgID(PLArenaPool *poolp, NSSCMSContentInfo *cinfo, - SECAlgorithmID *algid, int keysize) + SECAlgorithmID *algid, int keysize) { SECStatus rv; rv = SECOID_CopyAlgorithmID(poolp, &(cinfo->contentEncAlg), algid); if (rv != SECSuccess) - return SECFailure; + return SECFailure; if (keysize >= 0) - cinfo->keysize = keysize; + cinfo->keysize = keysize; return SECSuccess; } @@ -359,7 +363,7 @@ PK11SymKey * NSS_CMSContentInfo_GetBulkKey(NSSCMSContentInfo *cinfo) { if (cinfo->bulkkey == NULL) - return NULL; + return NULL; return PK11_ReferenceSymKey(cinfo->bulkkey); } diff --git a/nss/lib/smime/cmscipher.c b/nss/lib/smime/cmscipher.c index 998ad16..9c8330b 100644 --- a/nss/lib/smime/cmscipher.c +++ b/nss/lib/smime/cmscipher.c @@ -19,31 +19,31 @@ * Cipher stuff. */ -typedef SECStatus (*nss_cms_cipher_function) (void *, unsigned char *, unsigned int *, - unsigned int, const unsigned char *, unsigned int); -typedef SECStatus (*nss_cms_cipher_destroy) (void *, PRBool); +typedef SECStatus (*nss_cms_cipher_function)(void *, unsigned char *, unsigned int *, + unsigned int, const unsigned char *, unsigned int); +typedef SECStatus (*nss_cms_cipher_destroy)(void *, PRBool); #define BLOCK_SIZE 4096 struct NSSCMSCipherContextStr { - void * cx; /* PK11 cipher context */ + void *cx; /* PK11 cipher context */ nss_cms_cipher_function doit; nss_cms_cipher_destroy destroy; - PRBool encrypt; /* encrypt / decrypt switch */ - int block_size; /* block & pad sizes for cipher */ - int pad_size; - int pending_count; /* pending data (not yet en/decrypted */ - unsigned char pending_buf[BLOCK_SIZE];/* because of blocking */ + PRBool encrypt; /* encrypt / decrypt switch */ + int block_size; /* block & pad sizes for cipher */ + int pad_size; + int pending_count; /* pending data (not yet en/decrypted */ + unsigned char pending_buf[BLOCK_SIZE]; /* because of blocking */ }; /* * NSS_CMSCipherContext_StartDecrypt - create a cipher context to do decryption - * based on the given bulk encryption key and algorithm identifier (which + * based on the given bulk encryption key and algorithm identifier (which * may include an iv). * * XXX Once both are working, it might be nice to combine this and the * function below (for starting up encryption) into one routine, and just - * have two simple cover functions which call it. + * have two simple cover functions which call it. */ NSSCMSCipherContext * NSS_CMSCipherContext_StartDecrypt(PK11SymKey *key, SECAlgorithmID *algid) @@ -59,28 +59,28 @@ NSS_CMSCipherContext_StartDecrypt(PK11SymKey *key, SECAlgorithmID *algid) /* set param and mechanism */ if (SEC_PKCS5IsAlgorithmPBEAlg(algid)) { - SECItem *pwitem; + SECItem *pwitem; - pwitem = PK11_GetSymKeyUserData(key); - if (!pwitem) - return NULL; + pwitem = PK11_GetSymKeyUserData(key); + if (!pwitem) + return NULL; - cryptoMechType = PK11_GetPBECryptoMechanism(algid, ¶m, pwitem); - if (cryptoMechType == CKM_INVALID_MECHANISM) { - SECITEM_FreeItem(param,PR_TRUE); - return NULL; - } + cryptoMechType = PK11_GetPBECryptoMechanism(algid, ¶m, pwitem); + if (cryptoMechType == CKM_INVALID_MECHANISM) { + SECITEM_FreeItem(param, PR_TRUE); + return NULL; + } } else { - cryptoMechType = PK11_AlgtagToMechanism(algtag); - if ((param = PK11_ParamFromAlgid(algid)) == NULL) - return NULL; + cryptoMechType = PK11_AlgtagToMechanism(algtag); + if ((param = PK11_ParamFromAlgid(algid)) == NULL) + return NULL; } cc = (NSSCMSCipherContext *)PORT_ZAlloc(sizeof(NSSCMSCipherContext)); if (cc == NULL) { - SECITEM_FreeItem(param,PR_TRUE); - return NULL; + SECITEM_FreeItem(param, PR_TRUE); + return NULL; } /* figure out pad and block sizes */ @@ -90,17 +90,17 @@ NSS_CMSCipherContext_StartDecrypt(PK11SymKey *key, SECAlgorithmID *algid) PK11_FreeSlot(slot); /* create PK11 cipher context */ - ciphercx = PK11_CreateContextBySymKey(cryptoMechType, CKA_DECRYPT, - key, param); + ciphercx = PK11_CreateContextBySymKey(cryptoMechType, CKA_DECRYPT, + key, param); SECITEM_FreeItem(param, PR_TRUE); if (ciphercx == NULL) { - PORT_Free (cc); - return NULL; + PORT_Free(cc); + return NULL; } cc->cx = ciphercx; - cc->doit = (nss_cms_cipher_function) PK11_CipherOp; - cc->destroy = (nss_cms_cipher_destroy) PK11_DestroyContext; + cc->doit = (nss_cms_cipher_function)PK11_CipherOp; + cc->destroy = (nss_cms_cipher_destroy)PK11_DestroyContext; cc->encrypt = PR_FALSE; cc->pending_count = 0; @@ -109,12 +109,12 @@ NSS_CMSCipherContext_StartDecrypt(PK11SymKey *key, SECAlgorithmID *algid) /* * NSS_CMSCipherContext_StartEncrypt - create a cipher object to do encryption, - * based on the given bulk encryption key and algorithm tag. Fill in the + * based on the given bulk encryption key and algorithm tag. Fill in the * algorithm identifier (which may include an iv) appropriately. * * XXX Once both are working, it might be nice to combine this and the * function above (for starting up decryption) into one routine, and just - * have two simple cover functions which call it. + * have two simple cover functions which call it. */ NSSCMSCipherContext * NSS_CMSCipherContext_StartEncrypt(PLArenaPool *poolp, PK11SymKey *key, SECAlgorithmID *algid) @@ -130,27 +130,27 @@ NSS_CMSCipherContext_StartEncrypt(PLArenaPool *poolp, PK11SymKey *key, SECAlgori /* set param and mechanism */ if (SEC_PKCS5IsAlgorithmPBEAlg(algid)) { - SECItem *pwitem; + SECItem *pwitem; - pwitem = PK11_GetSymKeyUserData(key); - if (!pwitem) - return NULL; + pwitem = PK11_GetSymKeyUserData(key); + if (!pwitem) + return NULL; - cryptoMechType = PK11_GetPBECryptoMechanism(algid, ¶m, pwitem); - if (cryptoMechType == CKM_INVALID_MECHANISM) { - SECITEM_FreeItem(param,PR_TRUE); - return NULL; - } + cryptoMechType = PK11_GetPBECryptoMechanism(algid, ¶m, pwitem); + if (cryptoMechType == CKM_INVALID_MECHANISM) { + SECITEM_FreeItem(param, PR_TRUE); + return NULL; + } } else { - cryptoMechType = PK11_AlgtagToMechanism(algtag); - if ((param = PK11_GenerateNewParam(cryptoMechType, key)) == NULL) - return NULL; - needToEncodeAlgid = PR_TRUE; + cryptoMechType = PK11_AlgtagToMechanism(algtag); + if ((param = PK11_GenerateNewParam(cryptoMechType, key)) == NULL) + return NULL; + needToEncodeAlgid = PR_TRUE; } cc = (NSSCMSCipherContext *)PORT_ZAlloc(sizeof(NSSCMSCipherContext)); if (cc == NULL) { - goto loser; + goto loser; } /* now find pad and block sizes for our mechanism */ @@ -160,12 +160,12 @@ NSS_CMSCipherContext_StartEncrypt(PLArenaPool *poolp, PK11SymKey *key, SECAlgori PK11_FreeSlot(slot); /* and here we go, creating a PK11 cipher context */ - ciphercx = PK11_CreateContextBySymKey(cryptoMechType, CKA_ENCRYPT, - key, param); + ciphercx = PK11_CreateContextBySymKey(cryptoMechType, CKA_ENCRYPT, + key, param); if (ciphercx == NULL) { - PORT_Free(cc); - cc = NULL; - goto loser; + PORT_Free(cc); + cc = NULL; + goto loser; } /* @@ -177,12 +177,12 @@ NSS_CMSCipherContext_StartEncrypt(PLArenaPool *poolp, PK11SymKey *key, SECAlgori * BEFORE encoding the algid in the contentInfo, right? */ if (needToEncodeAlgid) { - rv = PK11_ParamToAlgid(algtag, param, poolp, algid); - if(rv != SECSuccess) { - PORT_Free(cc); - cc = NULL; - goto loser; - } + rv = PK11_ParamToAlgid(algtag, param, poolp, algid); + if (rv != SECSuccess) { + PORT_Free(cc); + cc = NULL; + goto loser; + } } cc->cx = ciphercx; @@ -206,7 +206,7 @@ NSS_CMSCipherContext_Destroy(NSSCMSCipherContext *cc) { PORT_Assert(cc != NULL); if (cc == NULL) - return; + return; (*cc->destroy)(cc->cx, PR_TRUE); PORT_Free(cc); } @@ -237,7 +237,7 @@ NSS_CMSCipherContext_DecryptLength(NSSCMSCipherContext *cc, unsigned int input_l { int blocks, block_size; - PORT_Assert (! cc->encrypt); + PORT_Assert(!cc->encrypt); block_size = cc->block_size; @@ -246,7 +246,7 @@ NSS_CMSCipherContext_DecryptLength(NSSCMSCipherContext *cc, unsigned int input_l * number of output bytes as we had input bytes. */ if (block_size == 0) - return input_len; + return input_len; /* * On the final call, we will always use up all of the pending @@ -257,7 +257,7 @@ NSS_CMSCipherContext_DecryptLength(NSSCMSCipherContext *cc, unsigned int input_l * at least 1 byte of padding), but seemed clearer/better to me. */ if (final) - return cc->pending_count + input_len; + return cc->pending_count + input_len; /* * Okay, this amount is exactly what we will output on the @@ -296,7 +296,7 @@ NSS_CMSCipherContext_EncryptLength(NSSCMSCipherContext *cc, unsigned int input_l int blocks, block_size; int pad_size; - PORT_Assert (cc->encrypt); + PORT_Assert(cc->encrypt); block_size = cc->block_size; pad_size = cc->pad_size; @@ -306,7 +306,7 @@ NSS_CMSCipherContext_EncryptLength(NSSCMSCipherContext *cc, unsigned int input_l * number of output bytes as we had input bytes. */ if (block_size == 0) - return input_len; + return input_len; /* * On the final call, we only send out what we need for @@ -315,13 +315,13 @@ NSS_CMSCipherContext_EncryptLength(NSSCMSCipherContext *cc, unsigned int input_l * will add another full block that is just padding.) */ if (final) { - if (pad_size == 0) { - return cc->pending_count + input_len; - } else { - blocks = (cc->pending_count + input_len) / pad_size; - blocks++; - return blocks*pad_size; - } + if (pad_size == 0) { + return cc->pending_count + input_len; + } else { + blocks = (cc->pending_count + input_len) / pad_size; + blocks++; + return blocks * pad_size; + } } /* @@ -329,11 +329,9 @@ NSS_CMSCipherContext_EncryptLength(NSSCMSCipherContext *cc, unsigned int input_l */ blocks = (cc->pending_count + input_len) / block_size; - return blocks * block_size; } - /* * NSS_CMSCipherContext_Decrypt - do the decryption * @@ -363,29 +361,29 @@ NSS_CMSCipherContext_EncryptLength(NSSCMSCipherContext *cc, unsigned int input_l * the same as the length of the padding, and that all data is padded. * (Even data that starts out with an exact multiple of blocks gets * added to it another block, all of which is padding.) - */ + */ SECStatus NSS_CMSCipherContext_Decrypt(NSSCMSCipherContext *cc, unsigned char *output, - unsigned int *output_len_p, unsigned int max_output_len, - const unsigned char *input, unsigned int input_len, - PRBool final) + unsigned int *output_len_p, unsigned int max_output_len, + const unsigned char *input, unsigned int input_len, + PRBool final) { unsigned int blocks, bsize, pcount, padsize; unsigned int max_needed, ifraglen, ofraglen, output_len; unsigned char *pbuf; SECStatus rv; - PORT_Assert (! cc->encrypt); + PORT_Assert(!cc->encrypt); /* * Check that we have enough room for the output. Our caller should * already handle this; failure is really an internal error (i.e. bug). */ max_needed = NSS_CMSCipherContext_DecryptLength(cc, input_len, final); - PORT_Assert (max_output_len >= max_needed); + PORT_Assert(max_output_len >= max_needed); if (max_output_len < max_needed) { - /* PORT_SetError (XXX); */ - return SECFailure; + /* PORT_SetError (XXX); */ + return SECFailure; } /* @@ -400,8 +398,8 @@ NSS_CMSCipherContext_Decrypt(NSSCMSCipherContext *cc, unsigned char *output, * cipher function and we are done. */ if (bsize == 0) { - return (* cc->doit) (cc->cx, output, output_len_p, max_output_len, - input, input_len); + return (*cc->doit)(cc->cx, output, output_len_p, max_output_len, + input, input_len); } pcount = cc->pending_count; @@ -410,63 +408,63 @@ NSS_CMSCipherContext_Decrypt(NSSCMSCipherContext *cc, unsigned char *output, output_len = 0; if (pcount) { - /* - * Try to fill in an entire block, starting with the bytes - * we already have saved away. - */ - while (input_len && pcount < bsize) { - pbuf[pcount++] = *input++; - input_len--; - } - /* - * If we have at most a whole block and this is not our last call, - * then we are done for now. (We do not try to decrypt a lone - * single block because we cannot interpret the padding bytes - * until we know we are handling the very last block of all input.) - */ - if (input_len == 0 && !final) { - cc->pending_count = pcount; - if (output_len_p) - *output_len_p = 0; - return SECSuccess; - } - /* - * Given the logic above, we expect to have a full block by now. - * If we do not, there is something wrong, either with our own - * logic or with (length of) the data given to us. - */ - if ((padsize != 0) && (pcount % padsize) != 0) { - PORT_Assert (final); - PORT_SetError (SEC_ERROR_BAD_DATA); - return SECFailure; - } - /* - * Decrypt the block. - */ - rv = (*cc->doit)(cc->cx, output, &ofraglen, max_output_len, - pbuf, pcount); - if (rv != SECSuccess) - return rv; - - /* - * For now anyway, all of our ciphers have the same number of - * bytes of output as they do input. If this ever becomes untrue, - * then NSS_CMSCipherContext_DecryptLength needs to be made smarter! - */ - PORT_Assert(ofraglen == pcount); - - /* - * Account for the bytes now in output. - */ - max_output_len -= ofraglen; - output_len += ofraglen; - output += ofraglen; + /* + * Try to fill in an entire block, starting with the bytes + * we already have saved away. + */ + while (input_len && pcount < bsize) { + pbuf[pcount++] = *input++; + input_len--; + } + /* + * If we have at most a whole block and this is not our last call, + * then we are done for now. (We do not try to decrypt a lone + * single block because we cannot interpret the padding bytes + * until we know we are handling the very last block of all input.) + */ + if (input_len == 0 && !final) { + cc->pending_count = pcount; + if (output_len_p) + *output_len_p = 0; + return SECSuccess; + } + /* + * Given the logic above, we expect to have a full block by now. + * If we do not, there is something wrong, either with our own + * logic or with (length of) the data given to us. + */ + if ((padsize != 0) && (pcount % padsize) != 0) { + PORT_Assert(final); + PORT_SetError(SEC_ERROR_BAD_DATA); + return SECFailure; + } + /* + * Decrypt the block. + */ + rv = (*cc->doit)(cc->cx, output, &ofraglen, max_output_len, + pbuf, pcount); + if (rv != SECSuccess) + return rv; + + /* + * For now anyway, all of our ciphers have the same number of + * bytes of output as they do input. If this ever becomes untrue, + * then NSS_CMSCipherContext_DecryptLength needs to be made smarter! + */ + PORT_Assert(ofraglen == pcount); + + /* + * Account for the bytes now in output. + */ + max_output_len -= ofraglen; + output_len += ofraglen; + output += ofraglen; } /* * If this is our last call, we expect to have an exact number of * blocks left to be decrypted; we will decrypt them all. - * + * * If not our last call, we always save between 1 and bsize bytes * until next time. (We must do this because we cannot be sure * that none of the decrypted bytes are padding bytes until we @@ -477,46 +475,47 @@ NSS_CMSCipherContext_Decrypt(NSSCMSCipherContext *cc, unsigned char *output, * the same way we treat partial block bytes. */ if (final) { - if (padsize) { - blocks = input_len / padsize; - ifraglen = blocks * padsize; - } else ifraglen = input_len; - PORT_Assert (ifraglen == input_len); - - if (ifraglen != input_len) { - PORT_SetError(SEC_ERROR_BAD_DATA); - return SECFailure; - } + if (padsize) { + blocks = input_len / padsize; + ifraglen = blocks * padsize; + } else + ifraglen = input_len; + PORT_Assert(ifraglen == input_len); + + if (ifraglen != input_len) { + PORT_SetError(SEC_ERROR_BAD_DATA); + return SECFailure; + } } else { - blocks = (input_len - 1) / bsize; - ifraglen = blocks * bsize; - PORT_Assert (ifraglen < input_len); + blocks = (input_len - 1) / bsize; + ifraglen = blocks * bsize; + PORT_Assert(ifraglen < input_len); - pcount = input_len - ifraglen; - PORT_Memcpy (pbuf, input + ifraglen, pcount); - cc->pending_count = pcount; + pcount = input_len - ifraglen; + PORT_Memcpy(pbuf, input + ifraglen, pcount); + cc->pending_count = pcount; } if (ifraglen) { - rv = (* cc->doit)(cc->cx, output, &ofraglen, max_output_len, - input, ifraglen); - if (rv != SECSuccess) - return rv; - - /* - * For now anyway, all of our ciphers have the same number of - * bytes of output as they do input. If this ever becomes untrue, - * then sec_PKCS7DecryptLength needs to be made smarter! - */ - PORT_Assert (ifraglen == ofraglen); - if (ifraglen != ofraglen) { - PORT_SetError(SEC_ERROR_BAD_DATA); - return SECFailure; - } - - output_len += ofraglen; + rv = (*cc->doit)(cc->cx, output, &ofraglen, max_output_len, + input, ifraglen); + if (rv != SECSuccess) + return rv; + + /* + * For now anyway, all of our ciphers have the same number of + * bytes of output as they do input. If this ever becomes untrue, + * then sec_PKCS7DecryptLength needs to be made smarter! + */ + PORT_Assert(ifraglen == ofraglen); + if (ifraglen != ofraglen) { + PORT_SetError(SEC_ERROR_BAD_DATA); + return SECFailure; + } + + output_len += ofraglen; } else { - ofraglen = 0; + ofraglen = 0; } /* @@ -524,18 +523,18 @@ NSS_CMSCipherContext_Decrypt(NSSCMSCipherContext *cc, unsigned char *output, * adjusting the output length. */ if (final && (padsize != 0)) { - unsigned int padlen = *(output + ofraglen - 1); + unsigned int padlen = *(output + ofraglen - 1); - if (padlen == 0 || padlen > padsize) { - PORT_SetError(SEC_ERROR_BAD_DATA); - return SECFailure; - } - output_len -= padlen; + if (padlen == 0 || padlen > padsize) { + PORT_SetError(SEC_ERROR_BAD_DATA); + return SECFailure; + } + output_len -= padlen; } - PORT_Assert (output_len_p != NULL || output_len == 0); + PORT_Assert(output_len_p != NULL || output_len == 0); if (output_len_p != NULL) - *output_len_p = output_len; + *output_len_p = output_len; return SECSuccess; } @@ -574,29 +573,29 @@ NSS_CMSCipherContext_Decrypt(NSSCMSCipherContext *cc, unsigned char *output, * tricky parts about padding and filling blocks would be much * harder to read that way, so I left them separate. At least for * now until it is clear that they are right. - */ + */ SECStatus NSS_CMSCipherContext_Encrypt(NSSCMSCipherContext *cc, unsigned char *output, - unsigned int *output_len_p, unsigned int max_output_len, - const unsigned char *input, unsigned int input_len, - PRBool final) + unsigned int *output_len_p, unsigned int max_output_len, + const unsigned char *input, unsigned int input_len, + PRBool final) { int blocks, bsize, padlen, pcount, padsize; unsigned int max_needed, ifraglen, ofraglen, output_len; unsigned char *pbuf; SECStatus rv; - PORT_Assert (cc->encrypt); + PORT_Assert(cc->encrypt); /* * Check that we have enough room for the output. Our caller should * already handle this; failure is really an internal error (i.e. bug). */ - max_needed = NSS_CMSCipherContext_EncryptLength (cc, input_len, final); - PORT_Assert (max_output_len >= max_needed); + max_needed = NSS_CMSCipherContext_EncryptLength(cc, input_len, final); + PORT_Assert(max_output_len >= max_needed); if (max_output_len < max_needed) { - /* PORT_SetError (XXX); */ - return SECFailure; + /* PORT_SetError (XXX); */ + return SECFailure; } bsize = cc->block_size; @@ -607,8 +606,8 @@ NSS_CMSCipherContext_Encrypt(NSSCMSCipherContext *cc, unsigned char *output, * cipher function and we are done. */ if (bsize == 0) { - return (*cc->doit)(cc->cx, output, output_len_p, max_output_len, - input, input_len); + return (*cc->doit)(cc->cx, output, output_len_p, max_output_len, + input, input_len); } pcount = cc->pending_count; @@ -617,103 +616,107 @@ NSS_CMSCipherContext_Encrypt(NSSCMSCipherContext *cc, unsigned char *output, output_len = 0; if (pcount) { - /* - * Try to fill in an entire block, starting with the bytes - * we already have saved away. - */ - while (input_len && pcount < bsize) { - pbuf[pcount++] = *input++; - input_len--; - } - /* - * If we do not have a full block and we know we will be - * called again, then we are done for now. - */ - if (pcount < bsize && !final) { - cc->pending_count = pcount; - if (output_len_p != NULL) - *output_len_p = 0; - return SECSuccess; - } - /* - * If we have a whole block available, encrypt it. - */ - if ((padsize == 0) || (pcount % padsize) == 0) { - rv = (* cc->doit) (cc->cx, output, &ofraglen, max_output_len, - pbuf, pcount); - if (rv != SECSuccess) - return rv; - - /* - * For now anyway, all of our ciphers have the same number of - * bytes of output as they do input. If this ever becomes untrue, - * then sec_PKCS7EncryptLength needs to be made smarter! - */ - PORT_Assert (ofraglen == pcount); - - /* - * Account for the bytes now in output. - */ - max_output_len -= ofraglen; - output_len += ofraglen; - output += ofraglen; - - pcount = 0; - } + /* + * Try to fill in an entire block, starting with the bytes + * we already have saved away. + */ + while (input_len && pcount < bsize) { + pbuf[pcount++] = *input++; + input_len--; + } + /* + * If we do not have a full block and we know we will be + * called again, then we are done for now. + */ + if (pcount < bsize && !final) { + cc->pending_count = pcount; + if (output_len_p != NULL) + *output_len_p = 0; + return SECSuccess; + } + /* + * If we have a whole block available, encrypt it. + */ + if ((padsize == 0) || (pcount % padsize) == 0) { + rv = (*cc->doit)(cc->cx, output, &ofraglen, max_output_len, + pbuf, pcount); + if (rv != SECSuccess) + return rv; + + /* + * For now anyway, all of our ciphers have the same number of + * bytes of output as they do input. If this ever becomes untrue, + * then sec_PKCS7EncryptLength needs to be made smarter! + */ + PORT_Assert(ofraglen == pcount); + + /* + * Account for the bytes now in output. + */ + max_output_len -= ofraglen; + output_len += ofraglen; + output += ofraglen; + + pcount = 0; + } } if (input_len) { - PORT_Assert (pcount == 0); - - blocks = input_len / bsize; - ifraglen = blocks * bsize; - - if (ifraglen) { - rv = (* cc->doit) (cc->cx, output, &ofraglen, max_output_len, - input, ifraglen); - if (rv != SECSuccess) - return rv; - - /* - * For now anyway, all of our ciphers have the same number of - * bytes of output as they do input. If this ever becomes untrue, - * then sec_PKCS7EncryptLength needs to be made smarter! - */ - PORT_Assert (ifraglen == ofraglen); - - max_output_len -= ofraglen; - output_len += ofraglen; - output += ofraglen; - } - - pcount = input_len - ifraglen; - PORT_Assert (pcount < bsize); - if (pcount) - PORT_Memcpy (pbuf, input + ifraglen, pcount); + PORT_Assert(pcount == 0); + + blocks = input_len / bsize; + ifraglen = blocks * bsize; + + if (ifraglen) { + rv = (*cc->doit)(cc->cx, output, &ofraglen, max_output_len, + input, ifraglen); + if (rv != SECSuccess) + return rv; + + /* + * For now anyway, all of our ciphers have the same number of + * bytes of output as they do input. If this ever becomes untrue, + * then sec_PKCS7EncryptLength needs to be made smarter! + */ + PORT_Assert(ifraglen == ofraglen); + + max_output_len -= ofraglen; + output_len += ofraglen; + output += ofraglen; + } + + pcount = input_len - ifraglen; + PORT_Assert(pcount < bsize); + if (pcount) + PORT_Memcpy(pbuf, input + ifraglen, pcount); } if (final) { - padlen = padsize - (pcount % padsize); - PORT_Memset (pbuf + pcount, padlen, padlen); - rv = (* cc->doit) (cc->cx, output, &ofraglen, max_output_len, - pbuf, pcount+padlen); - if (rv != SECSuccess) - return rv; - - /* - * For now anyway, all of our ciphers have the same number of - * bytes of output as they do input. If this ever becomes untrue, - * then sec_PKCS7EncryptLength needs to be made smarter! - */ - PORT_Assert (ofraglen == (pcount+padlen)); - output_len += ofraglen; + if (padsize <= 0) { + padlen = 0; + } else { + padlen = padsize - (pcount % padsize); + PORT_Memset(pbuf + pcount, padlen, padlen); + } + rv = (*cc->doit)(cc->cx, output, &ofraglen, max_output_len, + pbuf, pcount + padlen); + if (rv != SECSuccess) + return rv; + + /* + * For now anyway, all of our ciphers have the same number of + * bytes of output as they do input. If this ever becomes untrue, + * then sec_PKCS7EncryptLength needs to be made smarter! + */ + PORT_Assert(ofraglen == (pcount + padlen)); + output_len += ofraglen; } else { - cc->pending_count = pcount; + cc->pending_count = pcount; } - PORT_Assert (output_len_p != NULL || output_len == 0); + PORT_Assert(output_len_p != NULL || output_len == 0); if (output_len_p != NULL) - *output_len_p = output_len; + *output_len_p = output_len; return SECSuccess; } diff --git a/nss/lib/smime/cmsdecode.c b/nss/lib/smime/cmsdecode.c index 0c2ca68..d965111 100644 --- a/nss/lib/smime/cmsdecode.c +++ b/nss/lib/smime/cmsdecode.c @@ -17,33 +17,36 @@ #include "secerr.h" struct NSSCMSDecoderContextStr { - SEC_ASN1DecoderContext * dcx; /* ASN.1 decoder context */ - NSSCMSMessage * cmsg; /* backpointer to the root message */ - SECOidTag type; /* type of message */ - NSSCMSContent content; /* pointer to message */ - NSSCMSDecoderContext * childp7dcx; /* inner CMS decoder context */ - PRBool saw_contents; - int error; - NSSCMSContentCallback cb; - void * cb_arg; - PRBool first_decoded; - PRBool need_indefinite_finish; + SEC_ASN1DecoderContext *dcx; /* ASN.1 decoder context */ + NSSCMSMessage *cmsg; /* backpointer to the root message */ + SECOidTag type; /* type of message */ + NSSCMSContent content; /* pointer to message */ + NSSCMSDecoderContext *childp7dcx; /* inner CMS decoder context */ + PRBool saw_contents; + int error; + NSSCMSContentCallback cb; + void *cb_arg; + PRBool first_decoded; + PRBool need_indefinite_finish; }; struct NSSCMSDecoderDataStr { - SECItem data; /* must be first */ + SECItem data; /* must be first */ unsigned int totalBufferSize; }; typedef struct NSSCMSDecoderDataStr NSSCMSDecoderData; -static void nss_cms_decoder_update_filter (void *arg, const char *data, - unsigned long len, int depth, SEC_ASN1EncodingPart data_kind); +static void nss_cms_decoder_update_filter(void *arg, const char *data, + unsigned long len, int depth, + SEC_ASN1EncodingPart data_kind); static SECStatus nss_cms_before_data(NSSCMSDecoderContext *p7dcx); static SECStatus nss_cms_after_data(NSSCMSDecoderContext *p7dcx); static SECStatus nss_cms_after_end(NSSCMSDecoderContext *p7dcx); -static void nss_cms_decoder_work_data(NSSCMSDecoderContext *p7dcx, - const unsigned char *data, unsigned long len, PRBool final); +static void nss_cms_decoder_work_data(NSSCMSDecoderContext *p7dcx, + const unsigned char *data, + unsigned long len, + PRBool final); static NSSCMSDecoderData *nss_cms_create_decoder_data(PLArenaPool *poolp); extern const SEC_ASN1Template NSSCMSMessageTemplate[]; @@ -54,9 +57,9 @@ nss_cms_create_decoder_data(PLArenaPool *poolp) NSSCMSDecoderData *decoderData = NULL; decoderData = (NSSCMSDecoderData *) - PORT_ArenaAlloc(poolp,sizeof(NSSCMSDecoderData)); + PORT_ArenaAlloc(poolp, sizeof(NSSCMSDecoderData)); if (!decoderData) { - return NULL; + return NULL; } decoderData->data.data = NULL; decoderData->data.len = 0; @@ -64,7 +67,7 @@ nss_cms_create_decoder_data(PLArenaPool *poolp) return decoderData; } -/* +/* * nss_cms_decoder_notify - * this is the driver of the decoding process. It gets called by the ASN.1 * decoder before and after an object is decoded. @@ -81,106 +84,107 @@ nss_cms_decoder_notify(void *arg, PRBool before, void *dest, int depth) p7dcx = (NSSCMSDecoderContext *)arg; rootcinfo = &(p7dcx->cmsg->contentInfo); - /* XXX error handling: need to set p7dcx->error */ +/* XXX error handling: need to set p7dcx->error */ -#ifdef CMSDEBUG - fprintf(stderr, "%6.6s, dest = 0x%08x, depth = %d\n", before ? "before" : "after", dest, depth); +#ifdef CMSDEBUG + fprintf(stderr, "%6.6s, dest = 0x%08x, depth = %d\n", before ? "before" + : "after", + dest, depth); #endif /* so what are we working on right now? */ if (p7dcx->type == SEC_OID_UNKNOWN) { - /* - * right now, we are still decoding the OUTER (root) cinfo - * As soon as we know the inner content type, set up the info, - * but NO inner decoder or filter. The root decoder handles the first - * level children by itself - only for encapsulated contents (which - * are encoded as DER inside of an OCTET STRING) we need to set up a - * child decoder... - */ - if (after && dest == &(rootcinfo->contentType)) { - p7dcx->type = NSS_CMSContentInfo_GetContentTypeTag(rootcinfo); - p7dcx->content = rootcinfo->content; - /* is this ready already ? need to alloc? */ - /* XXX yes we need to alloc -- continue here */ - } + /* + * right now, we are still decoding the OUTER (root) cinfo + * As soon as we know the inner content type, set up the info, + * but NO inner decoder or filter. The root decoder handles the first + * level children by itself - only for encapsulated contents (which + * are encoded as DER inside of an OCTET STRING) we need to set up a + * child decoder... + */ + if (after && dest == &(rootcinfo->contentType)) { + p7dcx->type = NSS_CMSContentInfo_GetContentTypeTag(rootcinfo); + p7dcx->content = rootcinfo->content; + /* is this ready already ? need to alloc? */ + /* XXX yes we need to alloc -- continue here */ + } } else if (NSS_CMSType_IsData(p7dcx->type)) { - /* this can only happen if the outermost cinfo has DATA in it */ - /* otherwise, we handle this type implicitely in the inner decoders */ - - if (before && dest == &(rootcinfo->content)) { - /* cause the filter to put the data in the right place... - ** We want the ASN.1 decoder to deliver the decoded bytes to us - ** from now on - */ - SEC_ASN1DecoderSetFilterProc(p7dcx->dcx, - nss_cms_decoder_update_filter, - p7dcx, - (PRBool)(p7dcx->cb != NULL)); - } else if (after && dest == &(rootcinfo->content.data)) { - /* remove the filter */ - SEC_ASN1DecoderClearFilterProc(p7dcx->dcx); - } + /* this can only happen if the outermost cinfo has DATA in it */ + /* otherwise, we handle this type implicitely in the inner decoders */ + + if (before && dest == &(rootcinfo->content)) { + /* cause the filter to put the data in the right place... + ** We want the ASN.1 decoder to deliver the decoded bytes to us + ** from now on + */ + SEC_ASN1DecoderSetFilterProc(p7dcx->dcx, + nss_cms_decoder_update_filter, + p7dcx, + (PRBool)(p7dcx->cb != NULL)); + } else if (after && dest == &(rootcinfo->content.data)) { + /* remove the filter */ + SEC_ASN1DecoderClearFilterProc(p7dcx->dcx); + } } else if (NSS_CMSType_IsWrapper(p7dcx->type)) { - if (!before || dest != &(rootcinfo->content)) { - - if (p7dcx->content.pointer == NULL) - p7dcx->content = rootcinfo->content; - - /* get this data type's inner contentInfo */ - cinfo = NSS_CMSContent_GetContentInfo(p7dcx->content.pointer, - p7dcx->type); - - if (before && dest == &(cinfo->contentType)) { - /* at this point, set up the &%$&$ back pointer */ - /* we cannot do it later, because the content itself - * is optional! */ - switch (p7dcx->type) { - case SEC_OID_PKCS7_SIGNED_DATA: - p7dcx->content.signedData->cmsg = p7dcx->cmsg; - break; - case SEC_OID_PKCS7_DIGESTED_DATA: - p7dcx->content.digestedData->cmsg = p7dcx->cmsg; - break; - case SEC_OID_PKCS7_ENVELOPED_DATA: - p7dcx->content.envelopedData->cmsg = p7dcx->cmsg; - break; - case SEC_OID_PKCS7_ENCRYPTED_DATA: - p7dcx->content.encryptedData->cmsg = p7dcx->cmsg; - break; - default: - p7dcx->content.genericData->cmsg = p7dcx->cmsg; - break; - } - } - - if (before && dest == &(cinfo->rawContent)) { - /* we want the ASN.1 decoder to deliver the decoded bytes to us - ** from now on - */ - SEC_ASN1DecoderSetFilterProc(p7dcx->dcx, - nss_cms_decoder_update_filter, - p7dcx, (PRBool)(p7dcx->cb != NULL)); - - - /* we're right in front of the data */ - if (nss_cms_before_data(p7dcx) != SECSuccess) { - SEC_ASN1DecoderClearFilterProc(p7dcx->dcx); - /* stop all processing */ - p7dcx->error = PORT_GetError(); - } - } - if (after && dest == &(cinfo->rawContent)) { - /* we're right after of the data */ - if (nss_cms_after_data(p7dcx) != SECSuccess) - p7dcx->error = PORT_GetError(); - - /* we don't need to see the contents anymore */ - SEC_ASN1DecoderClearFilterProc(p7dcx->dcx); - } - } + if (!before || dest != &(rootcinfo->content)) { + + if (p7dcx->content.pointer == NULL) + p7dcx->content = rootcinfo->content; + + /* get this data type's inner contentInfo */ + cinfo = NSS_CMSContent_GetContentInfo(p7dcx->content.pointer, + p7dcx->type); + + if (before && dest == &(cinfo->contentType)) { + /* at this point, set up the &%$&$ back pointer */ + /* we cannot do it later, because the content itself + * is optional! */ + switch (p7dcx->type) { + case SEC_OID_PKCS7_SIGNED_DATA: + p7dcx->content.signedData->cmsg = p7dcx->cmsg; + break; + case SEC_OID_PKCS7_DIGESTED_DATA: + p7dcx->content.digestedData->cmsg = p7dcx->cmsg; + break; + case SEC_OID_PKCS7_ENVELOPED_DATA: + p7dcx->content.envelopedData->cmsg = p7dcx->cmsg; + break; + case SEC_OID_PKCS7_ENCRYPTED_DATA: + p7dcx->content.encryptedData->cmsg = p7dcx->cmsg; + break; + default: + p7dcx->content.genericData->cmsg = p7dcx->cmsg; + break; + } + } + + if (before && dest == &(cinfo->rawContent)) { + /* we want the ASN.1 decoder to deliver the decoded bytes to us + ** from now on + */ + SEC_ASN1DecoderSetFilterProc(p7dcx->dcx, + nss_cms_decoder_update_filter, + p7dcx, (PRBool)(p7dcx->cb != NULL)); + + /* we're right in front of the data */ + if (nss_cms_before_data(p7dcx) != SECSuccess) { + SEC_ASN1DecoderClearFilterProc(p7dcx->dcx); + /* stop all processing */ + p7dcx->error = PORT_GetError(); + } + } + if (after && dest == &(cinfo->rawContent)) { + /* we're right after of the data */ + if (nss_cms_after_data(p7dcx) != SECSuccess) + p7dcx->error = PORT_GetError(); + + /* we don't need to see the contents anymore */ + SEC_ASN1DecoderClearFilterProc(p7dcx->dcx); + } + } } else { - /* unsupported or unknown message type - fail gracefully */ - p7dcx->error = SEC_ERROR_UNSUPPORTED_MESSAGE_TYPE; + /* unsupported or unknown message type - fail gracefully */ + p7dcx->error = SEC_ERROR_UNSUPPORTED_MESSAGE_TYPE; } } @@ -198,58 +202,58 @@ nss_cms_before_data(NSSCMSDecoderContext *p7dcx) const SEC_ASN1Template *template; void *mark = NULL; size_t size; - + poolp = p7dcx->cmsg->poolp; /* call _Decode_BeforeData handlers */ switch (p7dcx->type) { - case SEC_OID_PKCS7_SIGNED_DATA: - /* we're decoding a signedData, so set up the digests */ - rv = NSS_CMSSignedData_Decode_BeforeData(p7dcx->content.signedData); - break; - case SEC_OID_PKCS7_DIGESTED_DATA: - /* we're encoding a digestedData, so set up the digest */ - rv = NSS_CMSDigestedData_Decode_BeforeData(p7dcx->content.digestedData); - break; - case SEC_OID_PKCS7_ENVELOPED_DATA: - rv = NSS_CMSEnvelopedData_Decode_BeforeData( - p7dcx->content.envelopedData); - break; - case SEC_OID_PKCS7_ENCRYPTED_DATA: - rv = NSS_CMSEncryptedData_Decode_BeforeData( - p7dcx->content.encryptedData); - break; - default: - rv = NSS_CMSGenericWrapperData_Decode_BeforeData(p7dcx->type, - p7dcx->content.genericData); + case SEC_OID_PKCS7_SIGNED_DATA: + /* we're decoding a signedData, so set up the digests */ + rv = NSS_CMSSignedData_Decode_BeforeData(p7dcx->content.signedData); + break; + case SEC_OID_PKCS7_DIGESTED_DATA: + /* we're encoding a digestedData, so set up the digest */ + rv = NSS_CMSDigestedData_Decode_BeforeData(p7dcx->content.digestedData); + break; + case SEC_OID_PKCS7_ENVELOPED_DATA: + rv = NSS_CMSEnvelopedData_Decode_BeforeData( + p7dcx->content.envelopedData); + break; + case SEC_OID_PKCS7_ENCRYPTED_DATA: + rv = NSS_CMSEncryptedData_Decode_BeforeData( + p7dcx->content.encryptedData); + break; + default: + rv = NSS_CMSGenericWrapperData_Decode_BeforeData(p7dcx->type, + p7dcx->content.genericData); } if (rv != SECSuccess) - return SECFailure; + return SECFailure; /* ok, now we have a pointer to cinfo */ /* find out what kind of data is encapsulated */ - + cinfo = NSS_CMSContent_GetContentInfo(p7dcx->content.pointer, p7dcx->type); childtype = NSS_CMSContentInfo_GetContentTypeTag(cinfo); if (NSS_CMSType_IsData(childtype)) { - cinfo->content.pointer = (void *) nss_cms_create_decoder_data(poolp); - if (cinfo->content.pointer == NULL) - /* set memory error */ - return SECFailure; + cinfo->content.pointer = (void *)nss_cms_create_decoder_data(poolp); + if (cinfo->content.pointer == NULL) + /* set memory error */ + return SECFailure; - p7dcx->childp7dcx = NULL; - return SECSuccess; + p7dcx->childp7dcx = NULL; + return SECSuccess; } /* set up inner decoder */ if ((template = NSS_CMSUtil_GetTemplateByTypeTag(childtype)) == NULL) - return SECFailure; + return SECFailure; childp7dcx = PORT_ZNew(NSSCMSDecoderContext); if (childp7dcx == NULL) - return SECFailure; + return SECFailure; mark = PORT_ArenaMark(poolp); @@ -257,37 +261,37 @@ nss_cms_before_data(NSSCMSDecoderContext *p7dcx) size = NSS_CMSUtil_GetSizeByTypeTag(childtype); childp7dcx->content.pointer = (void *)PORT_ArenaZAlloc(poolp, size); if (childp7dcx->content.pointer == NULL) - goto loser; + goto loser; /* give the parent a copy of the pointer so that it doesn't get lost */ cinfo->content.pointer = childp7dcx->content.pointer; /* start the child decoder */ - childp7dcx->dcx = SEC_ASN1DecoderStart(poolp, childp7dcx->content.pointer, + childp7dcx->dcx = SEC_ASN1DecoderStart(poolp, childp7dcx->content.pointer, template); if (childp7dcx->dcx == NULL) - goto loser; + goto loser; /* the new decoder needs to notify, too */ - SEC_ASN1DecoderSetNotifyProc(childp7dcx->dcx, nss_cms_decoder_notify, + SEC_ASN1DecoderSetNotifyProc(childp7dcx->dcx, nss_cms_decoder_notify, childp7dcx); /* tell the parent decoder that it needs to feed us the content data */ p7dcx->childp7dcx = childp7dcx; - childp7dcx->type = childtype; /* our type */ + childp7dcx->type = childtype; /* our type */ - childp7dcx->cmsg = p7dcx->cmsg; /* backpointer to root message */ + childp7dcx->cmsg = p7dcx->cmsg; /* backpointer to root message */ - /* should the child decoder encounter real data, - ** it must give it to the caller + /* should the child decoder encounter real data, + ** it must give it to the caller */ childp7dcx->cb = p7dcx->cb; childp7dcx->cb_arg = p7dcx->cb_arg; childp7dcx->first_decoded = PR_FALSE; childp7dcx->need_indefinite_finish = PR_FALSE; if (childtype == SEC_OID_PKCS7_SIGNED_DATA) { - childp7dcx->first_decoded = PR_TRUE; + childp7dcx->first_decoded = PR_TRUE; } /* now set up the parent to hand decoded data to the next level decoder */ @@ -300,9 +304,8 @@ nss_cms_before_data(NSSCMSDecoderContext *p7dcx) loser: if (mark) - PORT_ArenaRelease(poolp, mark); - if (childp7dcx) - PORT_Free(childp7dcx); + PORT_ArenaRelease(poolp, mark); + PORT_Free(childp7dcx); p7dcx->childp7dcx = NULL; return SECFailure; } @@ -319,52 +322,52 @@ nss_cms_after_data(NSSCMSDecoderContext *p7dcx) /* finish any "inner" decoders - there's no more data coming... */ if (p7dcx->childp7dcx != NULL) { - childp7dcx = p7dcx->childp7dcx; - if (childp7dcx->dcx != NULL) { - /* we started and indefinite sequence somewhere, not complete it */ - if (childp7dcx->need_indefinite_finish) { - static const char lbuf[2] = { 0, 0 }; - NSS_CMSDecoder_Update(childp7dcx, lbuf, sizeof(lbuf)); - childp7dcx->need_indefinite_finish = PR_FALSE; - } - - if (SEC_ASN1DecoderFinish(childp7dcx->dcx) != SECSuccess) { - /* do what? free content? */ - rv = SECFailure; - } else { - rv = nss_cms_after_end(childp7dcx); - } - if (rv != SECSuccess) - goto done; - } - PORT_Free(p7dcx->childp7dcx); - p7dcx->childp7dcx = NULL; + childp7dcx = p7dcx->childp7dcx; + if (childp7dcx->dcx != NULL) { + /* we started and indefinite sequence somewhere, not complete it */ + if (childp7dcx->need_indefinite_finish) { + static const char lbuf[2] = { 0, 0 }; + NSS_CMSDecoder_Update(childp7dcx, lbuf, sizeof(lbuf)); + childp7dcx->need_indefinite_finish = PR_FALSE; + } + + if (SEC_ASN1DecoderFinish(childp7dcx->dcx) != SECSuccess) { + /* do what? free content? */ + rv = SECFailure; + } else { + rv = nss_cms_after_end(childp7dcx); + } + if (rv != SECSuccess) + goto done; + } + PORT_Free(p7dcx->childp7dcx); + p7dcx->childp7dcx = NULL; } switch (p7dcx->type) { - case SEC_OID_PKCS7_SIGNED_DATA: - /* this will finish the digests and verify */ - rv = NSS_CMSSignedData_Decode_AfterData(p7dcx->content.signedData); - break; - case SEC_OID_PKCS7_ENVELOPED_DATA: - rv = NSS_CMSEnvelopedData_Decode_AfterData( - p7dcx->content.envelopedData); - break; - case SEC_OID_PKCS7_DIGESTED_DATA: - rv = NSS_CMSDigestedData_Decode_AfterData( - p7dcx->content.digestedData); - break; - case SEC_OID_PKCS7_ENCRYPTED_DATA: - rv = NSS_CMSEncryptedData_Decode_AfterData( - p7dcx->content.encryptedData); - break; - case SEC_OID_PKCS7_DATA: - /* do nothing */ - break; - default: - rv = NSS_CMSGenericWrapperData_Decode_AfterData(p7dcx->type, - p7dcx->content.genericData); - break; + case SEC_OID_PKCS7_SIGNED_DATA: + /* this will finish the digests and verify */ + rv = NSS_CMSSignedData_Decode_AfterData(p7dcx->content.signedData); + break; + case SEC_OID_PKCS7_ENVELOPED_DATA: + rv = NSS_CMSEnvelopedData_Decode_AfterData( + p7dcx->content.envelopedData); + break; + case SEC_OID_PKCS7_DIGESTED_DATA: + rv = NSS_CMSDigestedData_Decode_AfterData( + p7dcx->content.digestedData); + break; + case SEC_OID_PKCS7_ENCRYPTED_DATA: + rv = NSS_CMSEncryptedData_Decode_AfterData( + p7dcx->content.encryptedData); + break; + case SEC_OID_PKCS7_DATA: + /* do nothing */ + break; + default: + rv = NSS_CMSGenericWrapperData_Decode_AfterData(p7dcx->type, + p7dcx->content.genericData); + break; } done: return rv; @@ -376,31 +379,31 @@ nss_cms_after_end(NSSCMSDecoderContext *p7dcx) SECStatus rv = SECSuccess; switch (p7dcx->type) { - case SEC_OID_PKCS7_SIGNED_DATA: - if (p7dcx->content.signedData) - rv = NSS_CMSSignedData_Decode_AfterEnd(p7dcx->content.signedData); - break; - case SEC_OID_PKCS7_ENVELOPED_DATA: - if (p7dcx->content.envelopedData) - rv = NSS_CMSEnvelopedData_Decode_AfterEnd( - p7dcx->content.envelopedData); - break; - case SEC_OID_PKCS7_DIGESTED_DATA: - if (p7dcx->content.digestedData) - rv = NSS_CMSDigestedData_Decode_AfterEnd( - p7dcx->content.digestedData); - break; - case SEC_OID_PKCS7_ENCRYPTED_DATA: - if (p7dcx->content.encryptedData) - rv = NSS_CMSEncryptedData_Decode_AfterEnd( - p7dcx->content.encryptedData); - break; - case SEC_OID_PKCS7_DATA: - break; - default: - rv = NSS_CMSGenericWrapperData_Decode_AfterEnd(p7dcx->type, - p7dcx->content.genericData); - break; + case SEC_OID_PKCS7_SIGNED_DATA: + if (p7dcx->content.signedData) + rv = NSS_CMSSignedData_Decode_AfterEnd(p7dcx->content.signedData); + break; + case SEC_OID_PKCS7_ENVELOPED_DATA: + if (p7dcx->content.envelopedData) + rv = NSS_CMSEnvelopedData_Decode_AfterEnd( + p7dcx->content.envelopedData); + break; + case SEC_OID_PKCS7_DIGESTED_DATA: + if (p7dcx->content.digestedData) + rv = NSS_CMSDigestedData_Decode_AfterEnd( + p7dcx->content.digestedData); + break; + case SEC_OID_PKCS7_ENCRYPTED_DATA: + if (p7dcx->content.encryptedData) + rv = NSS_CMSEncryptedData_Decode_AfterEnd( + p7dcx->content.encryptedData); + break; + case SEC_OID_PKCS7_DATA: + break; + default: + rv = NSS_CMSGenericWrapperData_Decode_AfterEnd(p7dcx->type, + p7dcx->content.genericData); + break; } return rv; } @@ -412,9 +415,9 @@ nss_cms_after_end(NSSCMSDecoderContext *p7dcx) * on it, then either stores it or passes it on to the next level decoder. */ static void -nss_cms_decoder_work_data(NSSCMSDecoderContext *p7dcx, - const unsigned char *data, unsigned long len, - PRBool final) +nss_cms_decoder_work_data(NSSCMSDecoderContext *p7dcx, + const unsigned char *data, unsigned long len, + PRBool final) { NSSCMSContentInfo *cinfo; unsigned char *buf = NULL; @@ -429,129 +432,129 @@ nss_cms_decoder_work_data(NSSCMSDecoderContext *p7dcx, * proves they do it right. But it could find a bug in future * modifications/development, that is why it is here.) */ - PORT_Assert ((data != NULL && len) || final); + PORT_Assert((data != NULL && len) || final); cinfo = NSS_CMSContent_GetContentInfo(p7dcx->content.pointer, p7dcx->type); if (!cinfo) { - /* The original programmer didn't expect this to happen */ - p7dcx->error = SEC_ERROR_LIBRARY_FAILURE; - goto loser; + /* The original programmer didn't expect this to happen */ + p7dcx->error = SEC_ERROR_LIBRARY_FAILURE; + goto loser; } if (cinfo->privateInfo && cinfo->privateInfo->ciphcx != NULL) { - /* - * we are decrypting. - * - * XXX If we get an error, we do not want to do the digest or callback, - * but we want to keep decoding. Or maybe we want to stop decoding - * altogether if there is a callback, because obviously we are not - * sending the data back and they want to know that. - */ - - unsigned int outlen = 0; /* length of decrypted data */ - unsigned int buflen; /* length available for decrypted data */ - - /* find out about the length of decrypted data */ - buflen = NSS_CMSCipherContext_DecryptLength(cinfo->privateInfo->ciphcx, len, final); - - /* - * it might happen that we did not provide enough data for a full - * block (decryption unit), and that there is no output available - */ - - /* no output available, AND no input? */ - if (buflen == 0 && len == 0) - goto loser; /* bail out */ - - /* - * have inner decoder: pass the data on (means inner content type is NOT data) - * no inner decoder: we have DATA in here: either call callback or store - */ - if (buflen != 0) { - /* there will be some output - need to make room for it */ - /* allocate buffer from the heap */ - buf = (unsigned char *)PORT_Alloc(buflen); - if (buf == NULL) { - p7dcx->error = SEC_ERROR_NO_MEMORY; - goto loser; - } - } - - /* - * decrypt incoming data - * buf can still be NULL here (and buflen == 0) here if we don't expect - * any output (see above), but we still need to call NSS_CMSCipherContext_Decrypt to - * keep track of incoming data - */ - rv = NSS_CMSCipherContext_Decrypt(cinfo->privateInfo->ciphcx, buf, &outlen, buflen, - data, len, final); - if (rv != SECSuccess) { - p7dcx->error = PORT_GetError(); - goto loser; - } - - PORT_Assert (final || outlen == buflen); - - /* swap decrypted data in */ - data = buf; - len = outlen; + /* + * we are decrypting. + * + * XXX If we get an error, we do not want to do the digest or callback, + * but we want to keep decoding. Or maybe we want to stop decoding + * altogether if there is a callback, because obviously we are not + * sending the data back and they want to know that. + */ + + unsigned int outlen = 0; /* length of decrypted data */ + unsigned int buflen; /* length available for decrypted data */ + + /* find out about the length of decrypted data */ + buflen = NSS_CMSCipherContext_DecryptLength(cinfo->privateInfo->ciphcx, len, final); + + /* + * it might happen that we did not provide enough data for a full + * block (decryption unit), and that there is no output available + */ + + /* no output available, AND no input? */ + if (buflen == 0 && len == 0) + goto loser; /* bail out */ + + /* + * have inner decoder: pass the data on (means inner content type is NOT data) + * no inner decoder: we have DATA in here: either call callback or store + */ + if (buflen != 0) { + /* there will be some output - need to make room for it */ + /* allocate buffer from the heap */ + buf = (unsigned char *)PORT_Alloc(buflen); + if (buf == NULL) { + p7dcx->error = SEC_ERROR_NO_MEMORY; + goto loser; + } + } + + /* + * decrypt incoming data + * buf can still be NULL here (and buflen == 0) here if we don't expect + * any output (see above), but we still need to call NSS_CMSCipherContext_Decrypt to + * keep track of incoming data + */ + rv = NSS_CMSCipherContext_Decrypt(cinfo->privateInfo->ciphcx, buf, &outlen, buflen, + data, len, final); + if (rv != SECSuccess) { + p7dcx->error = PORT_GetError(); + goto loser; + } + + PORT_Assert(final || outlen == buflen); + + /* swap decrypted data in */ + data = buf; + len = outlen; } if (len == 0) - goto done; /* nothing more to do */ + goto done; /* nothing more to do */ /* * Update the running digests with plaintext bytes (if we need to). */ if (cinfo->privateInfo && cinfo->privateInfo->digcx) - NSS_CMSDigestContext_Update(cinfo->privateInfo->digcx, data, len); + NSS_CMSDigestContext_Update(cinfo->privateInfo->digcx, data, len); - /* at this point, we have the plain decoded & decrypted data - ** which is either more encoded DER (which we need to hand to the child - ** decoder) or data we need to hand back to our caller + /* at this point, we have the plain decoded & decrypted data + ** which is either more encoded DER (which we need to hand to the child + ** decoder) or data we need to hand back to our caller */ /* pass the content back to our caller or */ /* feed our freshly decrypted and decoded data into child decoder */ if (p7dcx->cb != NULL) { - (*p7dcx->cb)(p7dcx->cb_arg, (const char *)data, len); + (*p7dcx->cb)(p7dcx->cb_arg, (const char *)data, len); } #if 1 else #endif - if (NSS_CMSContentInfo_GetContentTypeTag(cinfo) == SEC_OID_PKCS7_DATA) { - /* store it in "inner" data item as well */ - /* find the DATA item in the encapsulated cinfo and store it there */ - NSSCMSDecoderData *decoderData = - (NSSCMSDecoderData *)cinfo->content.pointer; - SECItem *dataItem = &decoderData->data; - - offset = dataItem->len; - if (dataItem->len+len > decoderData->totalBufferSize) { - int needLen = (dataItem->len+len) * 2; - dest = (unsigned char *) - PORT_ArenaAlloc(p7dcx->cmsg->poolp, needLen); - if (dest == NULL) { - p7dcx->error = SEC_ERROR_NO_MEMORY; - goto loser; - } - - if (dataItem->len) { - PORT_Memcpy(dest, dataItem->data, dataItem->len); - } - decoderData->totalBufferSize = needLen; - dataItem->data = dest; - } - - /* copy it in */ - PORT_Memcpy(dataItem->data + offset, data, len); - dataItem->len += len; + if (NSS_CMSContentInfo_GetContentTypeTag(cinfo) == SEC_OID_PKCS7_DATA) { + /* store it in "inner" data item as well */ + /* find the DATA item in the encapsulated cinfo and store it there */ + NSSCMSDecoderData *decoderData = + (NSSCMSDecoderData *)cinfo->content.pointer; + SECItem *dataItem = &decoderData->data; + + offset = dataItem->len; + if (dataItem->len + len > decoderData->totalBufferSize) { + int needLen = (dataItem->len + len) * 2; + dest = (unsigned char *) + PORT_ArenaAlloc(p7dcx->cmsg->poolp, needLen); + if (dest == NULL) { + p7dcx->error = SEC_ERROR_NO_MEMORY; + goto loser; + } + + if (dataItem->len) { + PORT_Memcpy(dest, dataItem->data, dataItem->len); + } + decoderData->totalBufferSize = needLen; + dataItem->data = dest; + } + + /* copy it in */ + PORT_Memcpy(dataItem->data + offset, data, len); + dataItem->len += len; } done: loser: if (buf) - PORT_Free (buf); + PORT_Free(buf); } /* @@ -563,23 +566,23 @@ loser: * nss_cms_decoder_work_data(). */ static void -nss_cms_decoder_update_filter (void *arg, const char *data, unsigned long len, - int depth, SEC_ASN1EncodingPart data_kind) +nss_cms_decoder_update_filter(void *arg, const char *data, unsigned long len, + int depth, SEC_ASN1EncodingPart data_kind) { NSSCMSDecoderContext *p7dcx; - PORT_Assert (len); /* paranoia */ + PORT_Assert(len); /* paranoia */ if (len == 0) - return; + return; - p7dcx = (NSSCMSDecoderContext*)arg; + p7dcx = (NSSCMSDecoderContext *)arg; p7dcx->saw_contents = PR_TRUE; /* pass on the content bytes only */ if (data_kind == SEC_ASN1_Contents) - nss_cms_decoder_work_data(p7dcx, (const unsigned char *) data, len, - PR_FALSE); + nss_cms_decoder_work_data(p7dcx, (const unsigned char *)data, len, + PR_FALSE); } /* @@ -592,35 +595,35 @@ nss_cms_decoder_update_filter (void *arg, const char *data, unsigned long len, */ NSSCMSDecoderContext * NSS_CMSDecoder_Start(PLArenaPool *poolp, - NSSCMSContentCallback cb, void *cb_arg, - PK11PasswordFunc pwfn, void *pwfn_arg, - NSSCMSGetDecryptKeyCallback decrypt_key_cb, - void *decrypt_key_cb_arg) + NSSCMSContentCallback cb, void *cb_arg, + PK11PasswordFunc pwfn, void *pwfn_arg, + NSSCMSGetDecryptKeyCallback decrypt_key_cb, + void *decrypt_key_cb_arg) { NSSCMSDecoderContext *p7dcx; NSSCMSMessage *cmsg; cmsg = NSS_CMSMessage_Create(poolp); if (cmsg == NULL) - return NULL; + return NULL; - NSS_CMSMessage_SetEncodingParams(cmsg, pwfn, pwfn_arg, decrypt_key_cb, + NSS_CMSMessage_SetEncodingParams(cmsg, pwfn, pwfn_arg, decrypt_key_cb, decrypt_key_cb_arg, NULL, NULL); p7dcx = PORT_ZNew(NSSCMSDecoderContext); if (p7dcx == NULL) { - NSS_CMSMessage_Destroy(cmsg); - return NULL; + NSS_CMSMessage_Destroy(cmsg); + return NULL; } p7dcx->dcx = SEC_ASN1DecoderStart(cmsg->poolp, cmsg, NSSCMSMessageTemplate); if (p7dcx->dcx == NULL) { - PORT_Free (p7dcx); - NSS_CMSMessage_Destroy(cmsg); - return NULL; + PORT_Free(p7dcx); + NSS_CMSMessage_Destroy(cmsg); + return NULL; } - SEC_ASN1DecoderSetNotifyProc (p7dcx->dcx, nss_cms_decoder_notify, p7dcx); + SEC_ASN1DecoderSetNotifyProc(p7dcx->dcx, nss_cms_decoder_notify, p7dcx); p7dcx->cmsg = cmsg; p7dcx->type = SEC_OID_UNKNOWN; @@ -636,51 +639,49 @@ NSS_CMSDecoder_Start(PLArenaPool *poolp, * NSS_CMSDecoder_Update - feed DER-encoded data to decoder */ SECStatus -NSS_CMSDecoder_Update(NSSCMSDecoderContext *p7dcx, const char *buf, +NSS_CMSDecoder_Update(NSSCMSDecoderContext *p7dcx, const char *buf, unsigned long len) { SECStatus rv = SECSuccess; - if (p7dcx->dcx != NULL && p7dcx->error == 0) { - /* if error is set already, don't bother */ - if ((p7dcx->type == SEC_OID_PKCS7_SIGNED_DATA) - && (p7dcx->first_decoded==PR_TRUE) - && (buf[0] == SEC_ASN1_INTEGER)) { - /* Microsoft Windows 2008 left out the Sequence wrapping in some - * of their kerberos replies. If we are here, we most likely are - * dealing with one of those replies. Supply the Sequence wrap - * as indefinite encoding (since we don't know the total length - * yet) */ - static const char lbuf[2] = - { SEC_ASN1_SEQUENCE|SEC_ASN1_CONSTRUCTED, 0x80 }; - rv = SEC_ASN1DecoderUpdate(p7dcx->dcx, lbuf, sizeof(lbuf)); - if (rv != SECSuccess) { - goto loser; - } - /* ok, we're going to need the indefinite finish when we are done */ - p7dcx->need_indefinite_finish = PR_TRUE; - } - - rv = SEC_ASN1DecoderUpdate(p7dcx->dcx, buf, len); + if (p7dcx->dcx != NULL && p7dcx->error == 0) { + /* if error is set already, don't bother */ + if ((p7dcx->type == SEC_OID_PKCS7_SIGNED_DATA) && (p7dcx->first_decoded == PR_TRUE) && (buf[0] == SEC_ASN1_INTEGER)) { + /* Microsoft Windows 2008 left out the Sequence wrapping in some + * of their kerberos replies. If we are here, we most likely are + * dealing with one of those replies. Supply the Sequence wrap + * as indefinite encoding (since we don't know the total length + * yet) */ + static const char lbuf[2] = + { SEC_ASN1_SEQUENCE | SEC_ASN1_CONSTRUCTED, 0x80 }; + rv = SEC_ASN1DecoderUpdate(p7dcx->dcx, lbuf, sizeof(lbuf)); + if (rv != SECSuccess) { + goto loser; + } + /* ok, we're going to need the indefinite finish when we are done */ + p7dcx->need_indefinite_finish = PR_TRUE; + } + + rv = SEC_ASN1DecoderUpdate(p7dcx->dcx, buf, len); } loser: p7dcx->first_decoded = PR_FALSE; if (rv != SECSuccess) { - p7dcx->error = PORT_GetError(); - PORT_Assert (p7dcx->error); - if (p7dcx->error == 0) - p7dcx->error = -1; + p7dcx->error = PORT_GetError(); + PORT_Assert(p7dcx->error); + if (p7dcx->error == 0) + p7dcx->error = -1; } if (p7dcx->error == 0) - return SECSuccess; + return SECSuccess; /* there has been a problem, let's finish the decoder */ if (p7dcx->dcx != NULL) { - (void) SEC_ASN1DecoderFinish (p7dcx->dcx); - p7dcx->dcx = NULL; + (void)SEC_ASN1DecoderFinish(p7dcx->dcx); + p7dcx->dcx = NULL; } - PORT_SetError (p7dcx->error); + PORT_SetError(p7dcx->error); return SECFailure; } @@ -692,7 +693,7 @@ void NSS_CMSDecoder_Cancel(NSSCMSDecoderContext *p7dcx) { if (p7dcx->dcx != NULL) - (void)SEC_ASN1DecoderFinish(p7dcx->dcx); + (void)SEC_ASN1DecoderFinish(p7dcx->dcx); NSS_CMSMessage_Destroy(p7dcx->cmsg); PORT_Free(p7dcx); } @@ -707,12 +708,11 @@ NSS_CMSDecoder_Finish(NSSCMSDecoderContext *p7dcx) cmsg = p7dcx->cmsg; - if (p7dcx->dcx == NULL || + if (p7dcx->dcx == NULL || SEC_ASN1DecoderFinish(p7dcx->dcx) != SECSuccess || - nss_cms_after_end(p7dcx) != SECSuccess) - { - NSS_CMSMessage_Destroy(cmsg); /* get rid of pool if it's ours */ - cmsg = NULL; + nss_cms_after_end(p7dcx) != SECSuccess) { + NSS_CMSMessage_Destroy(cmsg); /* get rid of pool if it's ours */ + cmsg = NULL; } PORT_Free(p7dcx); @@ -721,19 +721,18 @@ NSS_CMSDecoder_Finish(NSSCMSDecoderContext *p7dcx) NSSCMSMessage * NSS_CMSMessage_CreateFromDER(SECItem *DERmessage, - NSSCMSContentCallback cb, void *cb_arg, - PK11PasswordFunc pwfn, void *pwfn_arg, - NSSCMSGetDecryptKeyCallback decrypt_key_cb, - void *decrypt_key_cb_arg) + NSSCMSContentCallback cb, void *cb_arg, + PK11PasswordFunc pwfn, void *pwfn_arg, + NSSCMSGetDecryptKeyCallback decrypt_key_cb, + void *decrypt_key_cb_arg) { NSSCMSDecoderContext *p7dcx; /* first arg(poolp) == NULL => create our own pool */ - p7dcx = NSS_CMSDecoder_Start(NULL, cb, cb_arg, pwfn, pwfn_arg, + p7dcx = NSS_CMSDecoder_Start(NULL, cb, cb_arg, pwfn, pwfn_arg, decrypt_key_cb, decrypt_key_cb_arg); if (p7dcx == NULL) - return NULL; + return NULL; NSS_CMSDecoder_Update(p7dcx, (char *)DERmessage->data, DERmessage->len); return NSS_CMSDecoder_Finish(p7dcx); } - diff --git a/nss/lib/smime/cmsdigdata.c b/nss/lib/smime/cmsdigdata.c index e37f7f5..9ea2270 100644 --- a/nss/lib/smime/cmsdigdata.c +++ b/nss/lib/smime/cmsdigdata.c @@ -34,12 +34,12 @@ NSS_CMSDigestedData_Create(NSSCMSMessage *cmsg, SECAlgorithmID *digestalg) digd = (NSSCMSDigestedData *)PORT_ArenaZAlloc(poolp, sizeof(NSSCMSDigestedData)); if (digd == NULL) - goto loser; + goto loser; digd->cmsg = cmsg; - if (SECOID_CopyAlgorithmID (poolp, &(digd->digestAlg), digestalg) != SECSuccess) - goto loser; + if (SECOID_CopyAlgorithmID(poolp, &(digd->digestAlg), digestalg) != SECSuccess) + goto loser; PORT_ArenaUnmark(poolp, mark); return digd; @@ -84,8 +84,8 @@ NSS_CMSDigestedData_Encode_BeforeStart(NSSCMSDigestedData *digd) version = NSS_CMS_DIGESTED_DATA_VERSION_DATA; if (!NSS_CMSType_IsData(NSS_CMSContentInfo_GetContentTypeTag( - &(digd->contentInfo)))) - version = NSS_CMS_DIGESTED_DATA_VERSION_ENCAP; + &(digd->contentInfo)))) + version = NSS_CMS_DIGESTED_DATA_VERSION_ENCAP; dummy = SEC_ASN1EncodeInteger(digd->cmsg->poolp, &(digd->version), version); return (dummy == NULL) ? SECFailure : SECSuccess; @@ -101,17 +101,17 @@ NSS_CMSDigestedData_Encode_BeforeStart(NSSCMSDigestedData *digd) SECStatus NSS_CMSDigestedData_Encode_BeforeData(NSSCMSDigestedData *digd) { - SECStatus rv =NSS_CMSContentInfo_Private_Init(&digd->contentInfo); - if (rv != SECSuccess) { - return SECFailure; + SECStatus rv = NSS_CMSContentInfo_Private_Init(&digd->contentInfo); + if (rv != SECSuccess) { + return SECFailure; } /* set up the digests */ if (digd->digestAlg.algorithm.len != 0 && digd->digest.len == 0) { - /* if digest is already there, do nothing */ - digd->contentInfo.privateInfo->digcx = NSS_CMSDigestContext_StartSingle(&(digd->digestAlg)); - if (digd->contentInfo.privateInfo->digcx == NULL) - return SECFailure; + /* if digest is already there, do nothing */ + digd->contentInfo.privateInfo->digcx = NSS_CMSDigestContext_StartSingle(&(digd->digestAlg)); + if (digd->contentInfo.privateInfo->digcx == NULL) + return SECFailure; } return SECSuccess; } @@ -129,11 +129,11 @@ NSS_CMSDigestedData_Encode_AfterData(NSSCMSDigestedData *digd) SECStatus rv = SECSuccess; /* did we have digest calculation going on? */ if (digd->contentInfo.privateInfo && digd->contentInfo.privateInfo->digcx) { - rv = NSS_CMSDigestContext_FinishSingle(digd->contentInfo.privateInfo->digcx, - digd->cmsg->poolp, - &(digd->digest)); - /* error has been set by NSS_CMSDigestContext_FinishSingle */ - digd->contentInfo.privateInfo->digcx = NULL; + rv = NSS_CMSDigestContext_FinishSingle(digd->contentInfo.privateInfo->digcx, + digd->cmsg->poolp, + &(digd->digest)); + /* error has been set by NSS_CMSDigestContext_FinishSingle */ + digd->contentInfo.privateInfo->digcx = NULL; } return rv; @@ -153,16 +153,16 @@ NSS_CMSDigestedData_Decode_BeforeData(NSSCMSDigestedData *digd) /* is there a digest algorithm yet? */ if (digd->digestAlg.algorithm.len == 0) - return SECFailure; + return SECFailure; rv = NSS_CMSContentInfo_Private_Init(&digd->contentInfo); if (rv != SECSuccess) { - return SECFailure; + return SECFailure; } digd->contentInfo.privateInfo->digcx = NSS_CMSDigestContext_StartSingle(&(digd->digestAlg)); if (digd->contentInfo.privateInfo->digcx == NULL) - return SECFailure; + return SECFailure; return SECSuccess; } @@ -180,11 +180,11 @@ NSS_CMSDigestedData_Decode_AfterData(NSSCMSDigestedData *digd) SECStatus rv = SECSuccess; /* did we have digest calculation going on? */ if (digd->contentInfo.privateInfo && digd->contentInfo.privateInfo->digcx) { - rv = NSS_CMSDigestContext_FinishSingle(digd->contentInfo.privateInfo->digcx, - digd->cmsg->poolp, - &(digd->cdigest)); - /* error has been set by NSS_CMSDigestContext_FinishSingle */ - digd->contentInfo.privateInfo->digcx = NULL; + rv = NSS_CMSDigestContext_FinishSingle(digd->contentInfo.privateInfo->digcx, + digd->cmsg->poolp, + &(digd->cdigest)); + /* error has been set by NSS_CMSDigestContext_FinishSingle */ + digd->contentInfo.privateInfo->digcx = NULL; } return rv; @@ -201,9 +201,9 @@ NSS_CMSDigestedData_Decode_AfterEnd(NSSCMSDigestedData *digd) { /* did we have digest calculation going on? */ if (digd->cdigest.len != 0) { - /* XXX comparision btw digest & cdigest */ - /* XXX set status */ - /* TODO!!!! */ + /* XXX comparision btw digest & cdigest */ + /* XXX set status */ + /* TODO!!!! */ } return SECSuccess; diff --git a/nss/lib/smime/cmsdigest.c b/nss/lib/smime/cmsdigest.c index 7ec282a..64b64a0 100644 --- a/nss/lib/smime/cmsdigest.c +++ b/nss/lib/smime/cmsdigest.c @@ -22,20 +22,19 @@ static int stop_on_err = 1; static int global_num_digests = 0; #endif -struct digestPairStr { - const SECHashObject * digobj; - void * digcx; +struct digestPairStr { + const SECHashObject *digobj; + void *digcx; }; typedef struct digestPairStr digestPair; struct NSSCMSDigestContextStr { - PRBool saw_contents; - PLArenaPool * pool; - int digcnt; - digestPair * digPairs; + PRBool saw_contents; + PLArenaPool *pool; + int digcnt; + digestPair *digPairs; }; - /* * NSS_CMSDigestContext_StartMultiple - start digest calculation using all the * digest algorithms in "digestalgs" in parallel. @@ -43,7 +42,7 @@ struct NSSCMSDigestContextStr { NSSCMSDigestContext * NSS_CMSDigestContext_StartMultiple(SECAlgorithmID **digestalgs) { - PLArenaPool * pool; + PLArenaPool *pool; NSSCMSDigestContext *cmsdigcx; int digcnt; int i; @@ -58,68 +57,68 @@ NSS_CMSDigestContext_StartMultiple(SECAlgorithmID **digestalgs) */ pool = PORT_NewArena(2048); if (!pool) - return NULL; + return NULL; cmsdigcx = PORT_ArenaNew(pool, NSSCMSDigestContext); if (cmsdigcx == NULL) - goto loser; + goto loser; cmsdigcx->saw_contents = PR_FALSE; - cmsdigcx->pool = pool; + cmsdigcx->pool = pool; cmsdigcx->digcnt = digcnt; cmsdigcx->digPairs = PORT_ArenaZNewArray(pool, digestPair, digcnt); if (cmsdigcx->digPairs == NULL) { - goto loser; + goto loser; } /* * Create a digest object context for each algorithm. */ for (i = 0; i < digcnt; i++) { - const SECHashObject *digobj; - void *digcx; - - digobj = NSS_CMSUtil_GetHashObjByAlgID(digestalgs[i]); - /* - * Skip any algorithm we do not even recognize; obviously, - * this could be a problem, but if it is critical then the - * result will just be that the signature does not verify. - * We do not necessarily want to error out here, because - * the particular algorithm may not actually be important, - * but we cannot know that until later. - */ - if (digobj == NULL) - continue; - - digcx = (*digobj->create)(); - if (digcx != NULL) { - (*digobj->begin) (digcx); - cmsdigcx->digPairs[i].digobj = digobj; - cmsdigcx->digPairs[i].digcx = digcx; + const SECHashObject *digobj; + void *digcx; + + digobj = NSS_CMSUtil_GetHashObjByAlgID(digestalgs[i]); + /* + * Skip any algorithm we do not even recognize; obviously, + * this could be a problem, but if it is critical then the + * result will just be that the signature does not verify. + * We do not necessarily want to error out here, because + * the particular algorithm may not actually be important, + * but we cannot know that until later. + */ + if (digobj == NULL) + continue; + + digcx = (*digobj->create)(); + if (digcx != NULL) { + (*digobj->begin)(digcx); + cmsdigcx->digPairs[i].digobj = digobj; + cmsdigcx->digPairs[i].digcx = digcx; #ifdef CMS_FIND_LEAK_MULTIPLE - global_num_digests++; + global_num_digests++; #endif - } + } } return cmsdigcx; loser: /* no digest objects have been created, or need to be destroyed. */ if (pool) { - PORT_FreeArena(pool, PR_FALSE); + PORT_FreeArena(pool, PR_FALSE); } return NULL; } /* - * NSS_CMSDigestContext_StartSingle - same as + * NSS_CMSDigestContext_StartSingle - same as * NSS_CMSDigestContext_StartMultiple, but only one algorithm. */ NSSCMSDigestContext * NSS_CMSDigestContext_StartSingle(SECAlgorithmID *digestalg) { - SECAlgorithmID *digestalgs[] = { NULL, NULL }; /* fake array */ + SECAlgorithmID *digestalgs[] = { NULL, NULL }; /* fake array */ digestalgs[0] = digestalg; return NSS_CMSDigestContext_StartMultiple(digestalgs); @@ -129,7 +128,7 @@ NSS_CMSDigestContext_StartSingle(SECAlgorithmID *digestalg) * NSS_CMSDigestContext_Update - feed more data into the digest machine */ void -NSS_CMSDigestContext_Update(NSSCMSDigestContext *cmsdigcx, +NSS_CMSDigestContext_Update(NSSCMSDigestContext *cmsdigcx, const unsigned char *data, int len) { int i; @@ -138,9 +137,9 @@ NSS_CMSDigestContext_Update(NSSCMSDigestContext *cmsdigcx, cmsdigcx->saw_contents = PR_TRUE; for (i = 0; i < cmsdigcx->digcnt; i++, pair++) { - if (pair->digcx) { - (*pair->digobj->update)(pair->digcx, data, len); - } + if (pair->digcx) { + (*pair->digobj->update)(pair->digcx, data, len); + } } } @@ -154,12 +153,12 @@ NSS_CMSDigestContext_Cancel(NSSCMSDigestContext *cmsdigcx) digestPair *pair = cmsdigcx->digPairs; for (i = 0; i < cmsdigcx->digcnt; i++, pair++) { - if (pair->digcx) { - (*pair->digobj->destroy)(pair->digcx, PR_TRUE); + if (pair->digcx) { + (*pair->digobj->destroy)(pair->digcx, PR_TRUE); #ifdef CMS_FIND_LEAK_MULTIPLE - --global_num_digests; + --global_num_digests; #endif - } + } } #ifdef CMS_FIND_LEAK_MULTIPLE PORT_Assert(global_num_digests == 0 || !stop_on_err); @@ -172,52 +171,52 @@ NSS_CMSDigestContext_Cancel(NSSCMSDigestContext *cmsdigcx) * into an array of SECItems (allocated on poolp) */ SECStatus -NSS_CMSDigestContext_FinishMultiple(NSSCMSDigestContext *cmsdigcx, +NSS_CMSDigestContext_FinishMultiple(NSSCMSDigestContext *cmsdigcx, PLArenaPool *poolp, - SECItem ***digestsp) + SECItem ***digestsp) { - SECItem ** digests = NULL; + SECItem **digests = NULL; digestPair *pair; - void * mark; - int i; - SECStatus rv; + void *mark; + int i; + SECStatus rv; /* no contents? do not finish digests */ if (digestsp == NULL || !cmsdigcx->saw_contents) { - rv = SECSuccess; - goto cleanup; + rv = SECSuccess; + goto cleanup; } - mark = PORT_ArenaMark (poolp); + mark = PORT_ArenaMark(poolp); /* allocate digest array & SECItems on arena */ - digests = PORT_ArenaNewArray( poolp, SECItem *, cmsdigcx->digcnt + 1); + digests = PORT_ArenaNewArray(poolp, SECItem *, cmsdigcx->digcnt + 1); rv = ((digests == NULL) ? SECFailure : SECSuccess); pair = cmsdigcx->digPairs; for (i = 0; rv == SECSuccess && i < cmsdigcx->digcnt; i++, pair++) { - SECItem digest; - unsigned char hash[HASH_LENGTH_MAX]; - - if (!pair->digcx) { - digests[i] = NULL; - continue; - } - - digest.type = siBuffer; - digest.data = hash; - digest.len = pair->digobj->length; - (* pair->digobj->end)(pair->digcx, hash, &digest.len, digest.len); - digests[i] = SECITEM_ArenaDupItem(poolp, &digest); - if (!digests[i]) { - rv = SECFailure; - } + SECItem digest; + unsigned char hash[HASH_LENGTH_MAX]; + + if (!pair->digcx) { + digests[i] = NULL; + continue; + } + + digest.type = siBuffer; + digest.data = hash; + digest.len = pair->digobj->length; + (*pair->digobj->end)(pair->digcx, hash, &digest.len, digest.len); + digests[i] = SECITEM_ArenaDupItem(poolp, &digest); + if (!digests[i]) { + rv = SECFailure; + } } digests[i] = NULL; if (rv == SECSuccess) { - PORT_ArenaUnmark(poolp, mark); + PORT_ArenaUnmark(poolp, mark); } else - PORT_ArenaRelease(poolp, mark); + PORT_ArenaRelease(poolp, mark); cleanup: NSS_CMSDigestContext_Cancel(cmsdigcx); @@ -225,36 +224,36 @@ cleanup: ** NSS_CMSSignedData_Encode_AfterData depends on this behavior. */ if (rv == SECSuccess && digestsp && digests) { - *digestsp = digests; + *digestsp = digests; } return rv; } /* - * NSS_CMSDigestContext_FinishSingle - same as + * NSS_CMSDigestContext_FinishSingle - same as * NSS_CMSDigestContext_FinishMultiple, but for one digest. */ SECStatus -NSS_CMSDigestContext_FinishSingle(NSSCMSDigestContext *cmsdigcx, +NSS_CMSDigestContext_FinishSingle(NSSCMSDigestContext *cmsdigcx, PLArenaPool *poolp, - SECItem *digest) + SECItem *digest) { SECStatus rv = SECFailure; SECItem **dp; PLArenaPool *arena = NULL; if ((arena = PORT_NewArena(1024)) == NULL) - goto loser; + goto loser; /* get the digests into arena, then copy the first digest into poolp */ rv = NSS_CMSDigestContext_FinishMultiple(cmsdigcx, arena, &dp); if (rv == SECSuccess) { - /* now copy it into poolp */ - rv = SECITEM_CopyItem(poolp, digest, dp[0]); + /* now copy it into poolp */ + rv = SECITEM_CopyItem(poolp, digest, dp[0]); } loser: if (arena) - PORT_FreeArena(arena, PR_FALSE); + PORT_FreeArena(arena, PR_FALSE); return rv; } diff --git a/nss/lib/smime/cmsencdata.c b/nss/lib/smime/cmsencdata.c index 61ff6a1..c3a4549 100644 --- a/nss/lib/smime/cmsencdata.c +++ b/nss/lib/smime/cmsencdata.c @@ -22,13 +22,13 @@ * * "algorithm" specifies the bulk encryption algorithm to use. * "keysize" is the key size. - * + * * An error results in a return value of NULL and an error set. * (Retrieve specific errors via PORT_GetError()/XP_GetError().) */ NSSCMSEncryptedData * -NSS_CMSEncryptedData_Create(NSSCMSMessage *cmsg, SECOidTag algorithm, - int keysize) +NSS_CMSEncryptedData_Create(NSSCMSMessage *cmsg, SECOidTag algorithm, + int keysize) { void *mark; NSSCMSEncryptedData *encd; @@ -42,34 +42,35 @@ NSS_CMSEncryptedData_Create(NSSCMSMessage *cmsg, SECOidTag algorithm, encd = PORT_ArenaZNew(poolp, NSSCMSEncryptedData); if (encd == NULL) - goto loser; + goto loser; encd->cmsg = cmsg; /* version is set in NSS_CMSEncryptedData_Encode_BeforeStart() */ if (!SEC_PKCS5IsAlgorithmPBEAlgTag(algorithm)) { - rv = NSS_CMSContentInfo_SetContentEncAlg(poolp, &(encd->contentInfo), - algorithm, NULL, keysize); + rv = NSS_CMSContentInfo_SetContentEncAlg(poolp, &(encd->contentInfo), + algorithm, NULL, keysize); } else { - /* Assume password-based-encryption. - * Note: we can't generate pkcs5v2 from this interface. - * PK11_CreateBPEAlgorithmID generates pkcs5v2 by accepting - * non-PBE oids and assuming that they are pkcs5v2 oids, but - * NSS_CMSEncryptedData_Create accepts non-PBE oids as regular - * CMS encrypted data, so we can't tell NSS_CMS_EncryptedData_Create - * to create pkcs5v2 PBEs */ - pbe_algid = PK11_CreatePBEAlgorithmID(algorithm, 1, NULL); - if (pbe_algid == NULL) { - rv = SECFailure; - } else { - rv = NSS_CMSContentInfo_SetContentEncAlgID(poolp, - &(encd->contentInfo), pbe_algid, keysize); - SECOID_DestroyAlgorithmID (pbe_algid, PR_TRUE); - } + /* Assume password-based-encryption. + * Note: we can't generate pkcs5v2 from this interface. + * PK11_CreateBPEAlgorithmID generates pkcs5v2 by accepting + * non-PBE oids and assuming that they are pkcs5v2 oids, but + * NSS_CMSEncryptedData_Create accepts non-PBE oids as regular + * CMS encrypted data, so we can't tell NSS_CMS_EncryptedData_Create + * to create pkcs5v2 PBEs */ + pbe_algid = PK11_CreatePBEAlgorithmID(algorithm, 1, NULL); + if (pbe_algid == NULL) { + rv = SECFailure; + } else { + rv = NSS_CMSContentInfo_SetContentEncAlgID(poolp, + &(encd->contentInfo), + pbe_algid, keysize); + SECOID_DestroyAlgorithmID(pbe_algid, PR_TRUE); + } } if (rv != SECSuccess) - goto loser; + goto loser; PORT_ArenaUnmark(poolp, mark); return encd; @@ -116,24 +117,24 @@ NSS_CMSEncryptedData_Encode_BeforeStart(NSSCMSEncryptedData *encd) NSSCMSContentInfo *cinfo = &(encd->contentInfo); if (NSS_CMSArray_IsEmpty((void **)encd->unprotectedAttr)) - version = NSS_CMS_ENCRYPTED_DATA_VERSION; + version = NSS_CMS_ENCRYPTED_DATA_VERSION; else - version = NSS_CMS_ENCRYPTED_DATA_VERSION_UPATTR; - - dummy = SEC_ASN1EncodeInteger (encd->cmsg->poolp, &(encd->version), version); + version = NSS_CMS_ENCRYPTED_DATA_VERSION_UPATTR; + + dummy = SEC_ASN1EncodeInteger(encd->cmsg->poolp, &(encd->version), version); if (dummy == NULL) - return SECFailure; + return SECFailure; /* now get content encryption key (bulk key) by using our cmsg callback */ if (encd->cmsg->decrypt_key_cb) - bulkkey = (*encd->cmsg->decrypt_key_cb)(encd->cmsg->decrypt_key_cb_arg, - NSS_CMSContentInfo_GetContentEncAlg(cinfo)); + bulkkey = (*encd->cmsg->decrypt_key_cb)(encd->cmsg->decrypt_key_cb_arg, + NSS_CMSContentInfo_GetContentEncAlg(cinfo)); if (bulkkey == NULL) - return SECFailure; + return SECFailure; /* store the bulk key in the contentInfo so that the encoder can find it */ NSS_CMSContentInfo_SetBulkKey(cinfo, bulkkey); - PK11_FreeSymKey (bulkkey); + PK11_FreeSymKey(bulkkey); return SECSuccess; } @@ -154,22 +155,23 @@ NSS_CMSEncryptedData_Encode_BeforeData(NSSCMSEncryptedData *encd) /* find bulkkey and algorithm - must have been set by NSS_CMSEncryptedData_Encode_BeforeStart */ bulkkey = NSS_CMSContentInfo_GetBulkKey(cinfo); if (bulkkey == NULL) - return SECFailure; + return SECFailure; algid = NSS_CMSContentInfo_GetContentEncAlg(cinfo); if (algid == NULL) - return SECFailure; + return SECFailure; rv = NSS_CMSContentInfo_Private_Init(cinfo); if (rv != SECSuccess) { - return SECFailure; + return SECFailure; } /* this may modify algid (with IVs generated in a token). * it is therefore essential that algid is a pointer to the "real" contentEncAlg, * not just to a copy */ - cinfo->privateInfo->ciphcx = NSS_CMSCipherContext_StartEncrypt(encd->cmsg->poolp, bulkkey, algid); + cinfo->privateInfo->ciphcx = NSS_CMSCipherContext_StartEncrypt(encd->cmsg->poolp, + bulkkey, algid); PK11_FreeSymKey(bulkkey); if (cinfo->privateInfo->ciphcx == NULL) - return SECFailure; + return SECFailure; return SECSuccess; } @@ -181,15 +183,14 @@ SECStatus NSS_CMSEncryptedData_Encode_AfterData(NSSCMSEncryptedData *encd) { if (encd->contentInfo.privateInfo && encd->contentInfo.privateInfo->ciphcx) { - NSS_CMSCipherContext_Destroy(encd->contentInfo.privateInfo->ciphcx); - encd->contentInfo.privateInfo->ciphcx = NULL; + NSS_CMSCipherContext_Destroy(encd->contentInfo.privateInfo->ciphcx); + encd->contentInfo.privateInfo->ciphcx = NULL; } /* nothing to do after data */ return SECSuccess; } - /* * NSS_CMSEncryptedData_Decode_BeforeData - find bulk key & set up decryption */ @@ -205,26 +206,25 @@ NSS_CMSEncryptedData_Decode_BeforeData(NSSCMSEncryptedData *encd) bulkalg = NSS_CMSContentInfo_GetContentEncAlg(cinfo); - if (encd->cmsg->decrypt_key_cb == NULL) /* no callback? no key../ */ - goto loser; + if (encd->cmsg->decrypt_key_cb == NULL) /* no callback? no key../ */ + goto loser; bulkkey = (*encd->cmsg->decrypt_key_cb)(encd->cmsg->decrypt_key_cb_arg, bulkalg); if (bulkkey == NULL) - /* no success finding a bulk key */ - goto loser; + /* no success finding a bulk key */ + goto loser; NSS_CMSContentInfo_SetBulkKey(cinfo, bulkkey); rv = NSS_CMSContentInfo_Private_Init(cinfo); if (rv != SECSuccess) { - goto loser; + goto loser; } rv = SECFailure; cinfo->privateInfo->ciphcx = NSS_CMSCipherContext_StartDecrypt(bulkkey, bulkalg); if (cinfo->privateInfo->ciphcx == NULL) - goto loser; /* error has been set by NSS_CMSCipherContext_StartDecrypt */ - + goto loser; /* error has been set by NSS_CMSCipherContext_StartDecrypt */ /* we are done with (this) bulkkey now. */ PK11_FreeSymKey(bulkkey); @@ -242,8 +242,8 @@ SECStatus NSS_CMSEncryptedData_Decode_AfterData(NSSCMSEncryptedData *encd) { if (encd->contentInfo.privateInfo && encd->contentInfo.privateInfo->ciphcx) { - NSS_CMSCipherContext_Destroy(encd->contentInfo.privateInfo->ciphcx); - encd->contentInfo.privateInfo->ciphcx = NULL; + NSS_CMSCipherContext_Destroy(encd->contentInfo.privateInfo->ciphcx); + encd->contentInfo.privateInfo->ciphcx = NULL; } return SECSuccess; diff --git a/nss/lib/smime/cmsencode.c b/nss/lib/smime/cmsencode.c index 3025740..a4414e0 100644 --- a/nss/lib/smime/cmsencode.c +++ b/nss/lib/smime/cmsencode.c @@ -24,22 +24,23 @@ struct nss_cms_encoder_output { }; struct NSSCMSEncoderContextStr { - SEC_ASN1EncoderContext * ecx; /* ASN.1 encoder context */ - PRBool ecxupdated; /* true if data was handed in */ - NSSCMSMessage * cmsg; /* pointer to the root message */ - SECOidTag type; /* type tag of the current content */ - NSSCMSContent content; /* pointer to current content */ - struct nss_cms_encoder_output output; /* output function */ - int error; /* error code */ - NSSCMSEncoderContext * childp7ecx; /* link to child encoder context */ + SEC_ASN1EncoderContext *ecx; /* ASN.1 encoder context */ + PRBool ecxupdated; /* true if data was handed in */ + NSSCMSMessage *cmsg; /* pointer to the root message */ + SECOidTag type; /* type tag of the current content */ + NSSCMSContent content; /* pointer to current content */ + struct nss_cms_encoder_output output; /* output function */ + int error; /* error code */ + NSSCMSEncoderContext *childp7ecx; /* link to child encoder context */ }; static SECStatus nss_cms_before_data(NSSCMSEncoderContext *p7ecx); static SECStatus nss_cms_after_data(NSSCMSEncoderContext *p7ecx); -static SECStatus nss_cms_encoder_update(NSSCMSEncoderContext *p7ecx, const char *data, unsigned long len); +static SECStatus nss_cms_encoder_update(NSSCMSEncoderContext *p7ecx, + const char *data, unsigned long len); static SECStatus nss_cms_encoder_work_data(NSSCMSEncoderContext *p7ecx, SECItem *dest, - const unsigned char *data, unsigned long len, - PRBool final, PRBool innermost); + const unsigned char *data, unsigned long len, + PRBool final, PRBool innermost); extern const SEC_ASN1Template NSSCMSMessageTemplate[]; @@ -50,7 +51,7 @@ extern const SEC_ASN1Template NSSCMSMessageTemplate[]; */ static void nss_cms_encoder_out(void *arg, const char *buf, unsigned long len, - int depth, SEC_ASN1EncodingPart data_kind) + int depth, SEC_ASN1EncodingPart data_kind) { struct nss_cms_encoder_output *output = (struct nss_cms_encoder_output *)arg; unsigned char *dest; @@ -61,51 +62,53 @@ nss_cms_encoder_out(void *arg, const char *buf, unsigned long len, const char *data_name = "unknown"; switch (data_kind) { - case SEC_ASN1_Identifier: - data_name = "identifier"; - break; - case SEC_ASN1_Length: - data_name = "length"; - break; - case SEC_ASN1_Contents: - data_name = "contents"; - break; - case SEC_ASN1_EndOfContents: - data_name = "end-of-contents"; - break; + case SEC_ASN1_Identifier: + data_name = "identifier"; + break; + case SEC_ASN1_Length: + data_name = "length"; + break; + case SEC_ASN1_Contents: + data_name = "contents"; + break; + case SEC_ASN1_EndOfContents: + data_name = "end-of-contents"; + break; } fprintf(stderr, "kind = %s, depth = %d, len = %d\n", data_name, depth, len); - for (i=0; i < len; i++) { - fprintf(stderr, " %02x%s", (unsigned int)buf[i] & 0xff, ((i % 16) == 15) ? "\n" : ""); + for (i = 0; i < len; i++) { + fprintf(stderr, " %02x%s", (unsigned int)buf[i] & 0xff, ((i % 16) == 15) ? "\n" : ""); } if ((i % 16) != 0) - fprintf(stderr, "\n"); + fprintf(stderr, "\n"); #endif if (output->outputfn != NULL) - /* call output callback with DER data */ - output->outputfn(output->outputarg, buf, len); + /* call output callback with DER data */ + output->outputfn(output->outputarg, buf, len); if (output->dest != NULL) { - /* store DER data in SECItem */ - offset = output->dest->len; - if (offset == 0) { - dest = (unsigned char *)PORT_ArenaAlloc(output->destpoolp, len); - } else { - dest = (unsigned char *)PORT_ArenaGrow(output->destpoolp, - output->dest->data, - output->dest->len, - output->dest->len + len); - } - if (dest == NULL) - /* oops */ - return; - - output->dest->data = dest; - output->dest->len += len; - - /* copy it in */ - PORT_Memcpy(output->dest->data + offset, buf, len); + /* store DER data in SECItem */ + offset = output->dest->len; + if (offset == 0) { + dest = (unsigned char *)PORT_ArenaAlloc(output->destpoolp, len); + } else { + dest = (unsigned char *)PORT_ArenaGrow(output->destpoolp, + output->dest->data, + output->dest->len, + output->dest->len + len); + } + if (dest == NULL) + /* oops */ + return; + + output->dest->data = dest; + output->dest->len += len; + + /* copy it in */ + if (len) { + PORT_Memcpy(output->dest->data + offset, buf, len); + } } } @@ -131,7 +134,9 @@ nss_cms_encoder_notify(void *arg, PRBool before, void *dest, int depth) rootcinfo = &(p7ecx->cmsg->contentInfo); #ifdef CMSDEBUG - fprintf(stderr, "%6.6s, dest = 0x%08x, depth = %d\n", before ? "before" : "after", dest, depth); + fprintf(stderr, "%6.6s, dest = 0x%08x, depth = %d\n", before ? "before" + : "after", + dest, depth); #endif /* @@ -139,54 +144,56 @@ nss_cms_encoder_notify(void *arg, PRBool before, void *dest, int depth) * the ASN.1 encoder to start taking bytes from the buffer. */ if (NSS_CMSType_IsData(p7ecx->type)) { - cinfo = NSS_CMSContent_GetContentInfo(p7ecx->content.pointer, p7ecx->type); - if (before && dest == &(cinfo->rawContent)) { - /* just set up encoder to grab from user - no encryption or digesting */ - if ((item = cinfo->content.data) != NULL) - (void)nss_cms_encoder_work_data(p7ecx, NULL, item->data, item->len, PR_TRUE, PR_TRUE); - else - SEC_ASN1EncoderSetTakeFromBuf(p7ecx->ecx); - SEC_ASN1EncoderClearNotifyProc(p7ecx->ecx); /* no need to get notified anymore */ - } + cinfo = NSS_CMSContent_GetContentInfo(p7ecx->content.pointer, p7ecx->type); + if (before && dest == &(cinfo->rawContent)) { + /* just set up encoder to grab from user - no encryption or digesting */ + if ((item = cinfo->content.data) != NULL) + (void)nss_cms_encoder_work_data(p7ecx, NULL, item->data, + item->len, PR_TRUE, PR_TRUE); + else + SEC_ASN1EncoderSetTakeFromBuf(p7ecx->ecx); + SEC_ASN1EncoderClearNotifyProc(p7ecx->ecx); /* no need to get notified anymore */ + } } else if (NSS_CMSType_IsWrapper(p7ecx->type)) { - /* when we know what the content is, we encode happily until we reach the inner content */ - cinfo = NSS_CMSContent_GetContentInfo(p7ecx->content.pointer, p7ecx->type); - childtype = NSS_CMSContentInfo_GetContentTypeTag(cinfo); - - if (after && dest == &(cinfo->contentType)) { - /* we're right before encoding the data (if we have some or not) */ - /* (for encrypted data, we're right before the contentEncAlg which may change */ - /* in nss_cms_before_data because of IV calculation when setting up encryption) */ - if (nss_cms_before_data(p7ecx) != SECSuccess) - p7ecx->error = PORT_GetError(); - } - if (before && dest == &(cinfo->rawContent)) { - if (p7ecx->childp7ecx == NULL) { - if ((NSS_CMSType_IsData(childtype) && (item = cinfo->content.data) != NULL)) { - /* we are the innermost non-data and we have data - feed it in */ - (void)nss_cms_encoder_work_data(p7ecx, NULL, item->data, item->len, PR_TRUE, PR_TRUE); - } else { - /* else we'll have to get data from user */ - SEC_ASN1EncoderSetTakeFromBuf(p7ecx->ecx); - } - } else { - /* if we have a nested encoder, wait for its data */ - SEC_ASN1EncoderSetTakeFromBuf(p7ecx->ecx); - } - } - if (after && dest == &(cinfo->rawContent)) { - if (nss_cms_after_data(p7ecx) != SECSuccess) - p7ecx->error = PORT_GetError(); - SEC_ASN1EncoderClearNotifyProc(p7ecx->ecx); /* no need to get notified anymore */ - } + /* when we know what the content is, we encode happily until we reach the inner content */ + cinfo = NSS_CMSContent_GetContentInfo(p7ecx->content.pointer, p7ecx->type); + childtype = NSS_CMSContentInfo_GetContentTypeTag(cinfo); + + if (after && dest == &(cinfo->contentType)) { + /* we're right before encoding the data (if we have some or not) */ + /* (for encrypted data, we're right before the contentEncAlg which may change */ + /* in nss_cms_before_data because of IV calculation when setting up encryption) */ + if (nss_cms_before_data(p7ecx) != SECSuccess) + p7ecx->error = PORT_GetError(); + } + if (before && dest == &(cinfo->rawContent)) { + if (p7ecx->childp7ecx == NULL) { + if ((NSS_CMSType_IsData(childtype) && (item = cinfo->content.data) != NULL)) { + /* we are the innermost non-data and we have data - feed it in */ + (void)nss_cms_encoder_work_data(p7ecx, NULL, item->data, + item->len, PR_TRUE, PR_TRUE); + } else { + /* else we'll have to get data from user */ + SEC_ASN1EncoderSetTakeFromBuf(p7ecx->ecx); + } + } else { + /* if we have a nested encoder, wait for its data */ + SEC_ASN1EncoderSetTakeFromBuf(p7ecx->ecx); + } + } + if (after && dest == &(cinfo->rawContent)) { + if (nss_cms_after_data(p7ecx) != SECSuccess) + p7ecx->error = PORT_GetError(); + SEC_ASN1EncoderClearNotifyProc(p7ecx->ecx); /* no need to get notified anymore */ + } } else { - /* we're still in the root message */ - if (after && dest == &(rootcinfo->contentType)) { - /* got the content type OID now - so find out the type tag */ - p7ecx->type = NSS_CMSContentInfo_GetContentTypeTag(rootcinfo); - /* set up a pointer to our current content */ - p7ecx->content = rootcinfo->content; - } + /* we're still in the root message */ + if (after && dest == &(rootcinfo->contentType)) { + /* got the content type OID now - so find out the type tag */ + p7ecx->type = NSS_CMSContentInfo_GetContentTypeTag(rootcinfo); + /* set up a pointer to our current content */ + p7ecx->content = rootcinfo->content; + } } } @@ -204,124 +211,127 @@ nss_cms_before_data(NSSCMSEncoderContext *p7ecx) /* call _Encode_BeforeData handlers */ switch (p7ecx->type) { - case SEC_OID_PKCS7_SIGNED_DATA: - /* we're encoding a signedData, so set up the digests */ - rv = NSS_CMSSignedData_Encode_BeforeData(p7ecx->content.signedData); - break; - case SEC_OID_PKCS7_DIGESTED_DATA: - /* we're encoding a digestedData, so set up the digest */ - rv = NSS_CMSDigestedData_Encode_BeforeData(p7ecx->content.digestedData); - break; - case SEC_OID_PKCS7_ENVELOPED_DATA: - rv = NSS_CMSEnvelopedData_Encode_BeforeData(p7ecx->content.envelopedData); - break; - case SEC_OID_PKCS7_ENCRYPTED_DATA: - rv = NSS_CMSEncryptedData_Encode_BeforeData(p7ecx->content.encryptedData); - break; - default: - if (NSS_CMSType_IsWrapper(p7ecx->type)) { - rv = NSS_CMSGenericWrapperData_Encode_BeforeData(p7ecx->type, p7ecx->content.genericData); - } else { - rv = SECFailure; - } + case SEC_OID_PKCS7_SIGNED_DATA: + /* we're encoding a signedData, so set up the digests */ + rv = NSS_CMSSignedData_Encode_BeforeData(p7ecx->content.signedData); + break; + case SEC_OID_PKCS7_DIGESTED_DATA: + /* we're encoding a digestedData, so set up the digest */ + rv = NSS_CMSDigestedData_Encode_BeforeData(p7ecx->content.digestedData); + break; + case SEC_OID_PKCS7_ENVELOPED_DATA: + rv = NSS_CMSEnvelopedData_Encode_BeforeData(p7ecx->content.envelopedData); + break; + case SEC_OID_PKCS7_ENCRYPTED_DATA: + rv = NSS_CMSEncryptedData_Encode_BeforeData(p7ecx->content.encryptedData); + break; + default: + if (NSS_CMSType_IsWrapper(p7ecx->type)) { + rv = NSS_CMSGenericWrapperData_Encode_BeforeData(p7ecx->type, + p7ecx->content.genericData); + } else { + rv = SECFailure; + } } if (rv != SECSuccess) - return SECFailure; + return SECFailure; /* ok, now we have a pointer to cinfo */ /* find out what kind of data is encapsulated */ - + cinfo = NSS_CMSContent_GetContentInfo(p7ecx->content.pointer, p7ecx->type); childtype = NSS_CMSContentInfo_GetContentTypeTag(cinfo); if (NSS_CMSType_IsWrapper(childtype)) { - /* in these cases, we need to set up a child encoder! */ - /* create new encoder context */ - childp7ecx = PORT_ZAlloc(sizeof(NSSCMSEncoderContext)); - if (childp7ecx == NULL) - return SECFailure; - - /* the CHILD encoder needs to hand its encoded data to the CURRENT encoder - * (which will encrypt and/or digest it) - * this needs to route back into our update function - * which finds the lowest encoding context & encrypts and computes digests */ - childp7ecx->type = childtype; - childp7ecx->content = cinfo->content; - /* use the non-recursive update function here, of course */ - childp7ecx->output.outputfn = (NSSCMSContentCallback)nss_cms_encoder_update; - childp7ecx->output.outputarg = p7ecx; - childp7ecx->output.destpoolp = NULL; - childp7ecx->output.dest = NULL; - childp7ecx->cmsg = p7ecx->cmsg; - childp7ecx->ecxupdated = PR_FALSE; - childp7ecx->childp7ecx = NULL; - - template = NSS_CMSUtil_GetTemplateByTypeTag(childtype); - if (template == NULL) - goto loser; /* cannot happen */ - - /* now initialize the data for encoding the first third */ - switch (childp7ecx->type) { - case SEC_OID_PKCS7_SIGNED_DATA: - rv = NSS_CMSSignedData_Encode_BeforeStart(cinfo->content.signedData); - break; - case SEC_OID_PKCS7_ENVELOPED_DATA: - rv = NSS_CMSEnvelopedData_Encode_BeforeStart(cinfo->content.envelopedData); - break; - case SEC_OID_PKCS7_DIGESTED_DATA: - rv = NSS_CMSDigestedData_Encode_BeforeStart(cinfo->content.digestedData); - break; - case SEC_OID_PKCS7_ENCRYPTED_DATA: - rv = NSS_CMSEncryptedData_Encode_BeforeStart(cinfo->content.encryptedData); - break; - default: - rv = NSS_CMSGenericWrapperData_Encode_BeforeStart(childp7ecx->type, cinfo->content.genericData); - break; - } - if (rv != SECSuccess) - goto loser; - - /* - * Initialize the BER encoder. - */ - childp7ecx->ecx = SEC_ASN1EncoderStart(cinfo->content.pointer, template, - nss_cms_encoder_out, &(childp7ecx->output)); - if (childp7ecx->ecx == NULL) - goto loser; - - /* - * Indicate that we are streaming. We will be streaming until we - * get past the contents bytes. - */ + /* in these cases, we need to set up a child encoder! */ + /* create new encoder context */ + childp7ecx = PORT_ZAlloc(sizeof(NSSCMSEncoderContext)); + if (childp7ecx == NULL) + return SECFailure; + + /* the CHILD encoder needs to hand its encoded data to the CURRENT encoder + * (which will encrypt and/or digest it) + * this needs to route back into our update function + * which finds the lowest encoding context & encrypts and computes digests */ + childp7ecx->type = childtype; + childp7ecx->content = cinfo->content; + /* use the non-recursive update function here, of course */ + childp7ecx->output.outputfn = (NSSCMSContentCallback)nss_cms_encoder_update; + childp7ecx->output.outputarg = p7ecx; + childp7ecx->output.destpoolp = NULL; + childp7ecx->output.dest = NULL; + childp7ecx->cmsg = p7ecx->cmsg; + childp7ecx->ecxupdated = PR_FALSE; + childp7ecx->childp7ecx = NULL; + + template = NSS_CMSUtil_GetTemplateByTypeTag(childtype); + if (template == NULL) + goto loser; /* cannot happen */ + + /* now initialize the data for encoding the first third */ + switch (childp7ecx->type) { + case SEC_OID_PKCS7_SIGNED_DATA: + rv = NSS_CMSSignedData_Encode_BeforeStart(cinfo->content.signedData); + break; + case SEC_OID_PKCS7_ENVELOPED_DATA: + rv = NSS_CMSEnvelopedData_Encode_BeforeStart(cinfo->content.envelopedData); + break; + case SEC_OID_PKCS7_DIGESTED_DATA: + rv = NSS_CMSDigestedData_Encode_BeforeStart(cinfo->content.digestedData); + break; + case SEC_OID_PKCS7_ENCRYPTED_DATA: + rv = NSS_CMSEncryptedData_Encode_BeforeStart(cinfo->content.encryptedData); + break; + default: + rv = NSS_CMSGenericWrapperData_Encode_BeforeStart(childp7ecx->type, + cinfo->content.genericData); + break; + } + if (rv != SECSuccess) + goto loser; + + /* + * Initialize the BER encoder. + */ + childp7ecx->ecx = SEC_ASN1EncoderStart(cinfo->content.pointer, template, + nss_cms_encoder_out, &(childp7ecx->output)); + if (childp7ecx->ecx == NULL) + goto loser; + + /* + * Indicate that we are streaming. We will be streaming until we + * get past the contents bytes. + */ if (!cinfo->privateInfo || !cinfo->privateInfo->dontStream) - SEC_ASN1EncoderSetStreaming(childp7ecx->ecx); + SEC_ASN1EncoderSetStreaming(childp7ecx->ecx); - /* - * The notify function will watch for the contents field. - */ - p7ecx->childp7ecx = childp7ecx; - SEC_ASN1EncoderSetNotifyProc(childp7ecx->ecx, nss_cms_encoder_notify, childp7ecx); + /* + * The notify function will watch for the contents field. + */ + p7ecx->childp7ecx = childp7ecx; + SEC_ASN1EncoderSetNotifyProc(childp7ecx->ecx, nss_cms_encoder_notify, + childp7ecx); - /* please note that we are NOT calling SEC_ASN1EncoderUpdate here to kick off the */ - /* encoding process - we'll do that from the update function instead */ - /* otherwise we'd be encoding data from a call of the notify function of the */ - /* parent encoder (which would not work) */ + /* please note that we are NOT calling SEC_ASN1EncoderUpdate here to kick off the */ + /* encoding process - we'll do that from the update function instead */ + /* otherwise we'd be encoding data from a call of the notify function of the */ + /* parent encoder (which would not work) */ } else if (NSS_CMSType_IsData(childtype)) { - p7ecx->childp7ecx = NULL; + p7ecx->childp7ecx = NULL; } else { - /* we do not know this type */ - p7ecx->error = SEC_ERROR_BAD_DER; + /* we do not know this type */ + p7ecx->error = SEC_ERROR_BAD_DER; } return SECSuccess; loser: if (childp7ecx) { - if (childp7ecx->ecx) - SEC_ASN1EncoderFinish(childp7ecx->ecx); - PORT_Free(childp7ecx); - p7ecx->childp7ecx = NULL; + if (childp7ecx->ecx) + SEC_ASN1EncoderFinish(childp7ecx->ecx); + PORT_Free(childp7ecx); + p7ecx->childp7ecx = NULL; } return SECFailure; } @@ -332,26 +342,27 @@ nss_cms_after_data(NSSCMSEncoderContext *p7ecx) SECStatus rv = SECFailure; switch (p7ecx->type) { - case SEC_OID_PKCS7_SIGNED_DATA: - /* this will finish the digests and sign */ - rv = NSS_CMSSignedData_Encode_AfterData(p7ecx->content.signedData); - break; - case SEC_OID_PKCS7_ENVELOPED_DATA: - rv = NSS_CMSEnvelopedData_Encode_AfterData(p7ecx->content.envelopedData); - break; - case SEC_OID_PKCS7_DIGESTED_DATA: - rv = NSS_CMSDigestedData_Encode_AfterData(p7ecx->content.digestedData); - break; - case SEC_OID_PKCS7_ENCRYPTED_DATA: - rv = NSS_CMSEncryptedData_Encode_AfterData(p7ecx->content.encryptedData); - break; - default: - if (NSS_CMSType_IsWrapper(p7ecx->type)) { - rv = NSS_CMSGenericWrapperData_Encode_AfterData(p7ecx->type, p7ecx->content.genericData); - } else { - rv = SECFailure; - } - break; + case SEC_OID_PKCS7_SIGNED_DATA: + /* this will finish the digests and sign */ + rv = NSS_CMSSignedData_Encode_AfterData(p7ecx->content.signedData); + break; + case SEC_OID_PKCS7_ENVELOPED_DATA: + rv = NSS_CMSEnvelopedData_Encode_AfterData(p7ecx->content.envelopedData); + break; + case SEC_OID_PKCS7_DIGESTED_DATA: + rv = NSS_CMSDigestedData_Encode_AfterData(p7ecx->content.digestedData); + break; + case SEC_OID_PKCS7_ENCRYPTED_DATA: + rv = NSS_CMSEncryptedData_Encode_AfterData(p7ecx->content.encryptedData); + break; + default: + if (NSS_CMSType_IsWrapper(p7ecx->type)) { + rv = NSS_CMSGenericWrapperData_Encode_AfterData(p7ecx->type, + p7ecx->content.genericData); + } else { + rv = SECFailure; + } + break; } return rv; } @@ -364,14 +375,14 @@ nss_cms_after_data(NSSCMSEncoderContext *p7ecx) */ static SECStatus nss_cms_encoder_work_data(NSSCMSEncoderContext *p7ecx, SECItem *dest, - const unsigned char *data, unsigned long len, - PRBool final, PRBool innermost) + const unsigned char *data, unsigned long len, + PRBool final, PRBool innermost) { unsigned char *buf = NULL; SECStatus rv; NSSCMSContentInfo *cinfo; - rv = SECSuccess; /* may as well be optimistic */ + rv = SECSuccess; /* may as well be optimistic */ /* * We should really have data to process, or we should be trying @@ -380,78 +391,80 @@ nss_cms_encoder_work_data(NSSCMSEncoderContext *p7ecx, SECItem *dest, * proves they do it right. But it could find a bug in future * modifications/development, that is why it is here.) */ - PORT_Assert ((data != NULL && len) || final); + PORT_Assert((data != NULL && len) || final); /* we got data (either from the caller, or from a lower level encoder) */ cinfo = NSS_CMSContent_GetContentInfo(p7ecx->content.pointer, p7ecx->type); if (!cinfo) { - /* The original programmer didn't expect this to happen */ - p7ecx->error = SEC_ERROR_LIBRARY_FAILURE; - return SECFailure; + /* The original programmer didn't expect this to happen */ + p7ecx->error = SEC_ERROR_LIBRARY_FAILURE; + return SECFailure; } /* Update the running digest. */ if (len && cinfo->privateInfo && cinfo->privateInfo->digcx != NULL) - NSS_CMSDigestContext_Update(cinfo->privateInfo->digcx, data, len); + NSS_CMSDigestContext_Update(cinfo->privateInfo->digcx, data, len); /* Encrypt this chunk. */ if (cinfo->privateInfo && cinfo->privateInfo->ciphcx != NULL) { - unsigned int inlen; /* length of data being encrypted */ - unsigned int outlen; /* length of encrypted data */ - unsigned int buflen; /* length available for encrypted data */ - - inlen = len; - buflen = NSS_CMSCipherContext_EncryptLength(cinfo->privateInfo->ciphcx, inlen, final); - if (buflen == 0) { - /* - * No output is expected, but the input data may be buffered - * so we still have to call Encrypt. - */ - rv = NSS_CMSCipherContext_Encrypt(cinfo->privateInfo->ciphcx, NULL, NULL, 0, - data, inlen, final); - if (final) { - len = 0; - goto done; - } - return rv; - } - - if (dest != NULL) - buf = (unsigned char*)PORT_ArenaAlloc(p7ecx->cmsg->poolp, buflen); - else - buf = (unsigned char*)PORT_Alloc(buflen); - - if (buf == NULL) { - rv = SECFailure; - } else { - rv = NSS_CMSCipherContext_Encrypt(cinfo->privateInfo->ciphcx, buf, &outlen, buflen, - data, inlen, final); - data = buf; - len = outlen; - } - if (rv != SECSuccess) - /* encryption or malloc failed? */ - return rv; + unsigned int inlen; /* length of data being encrypted */ + unsigned int outlen; /* length of encrypted data */ + unsigned int buflen; /* length available for encrypted data */ + + inlen = len; + buflen = NSS_CMSCipherContext_EncryptLength(cinfo->privateInfo->ciphcx, + inlen, final); + if (buflen == 0) { + /* + * No output is expected, but the input data may be buffered + * so we still have to call Encrypt. + */ + rv = NSS_CMSCipherContext_Encrypt(cinfo->privateInfo->ciphcx, NULL, NULL, 0, + data, inlen, final); + if (final) { + len = 0; + goto done; + } + return rv; + } + + if (dest != NULL) + buf = (unsigned char *)PORT_ArenaAlloc(p7ecx->cmsg->poolp, buflen); + else + buf = (unsigned char *)PORT_Alloc(buflen); + + if (buf == NULL) { + rv = SECFailure; + } else { + rv = NSS_CMSCipherContext_Encrypt(cinfo->privateInfo->ciphcx, buf, + &outlen, buflen, + data, inlen, final); + data = buf; + len = outlen; + } + if (rv != SECSuccess) + /* encryption or malloc failed? */ + return rv; } - /* * at this point (data,len) has everything we'd like to give to the CURRENT encoder * (which will encode it, then hand it back to the user or the parent encoder) * We don't encode the data if we're innermost and we're told not to include the data */ - if (p7ecx->ecx != NULL && len && (!innermost || cinfo->rawContent != cinfo->content.pointer)) - rv = SEC_ASN1EncoderUpdate(p7ecx->ecx, (const char *)data, len); + if (p7ecx->ecx != NULL && len && + (!innermost || cinfo->rawContent != cinfo->content.pointer)) + rv = SEC_ASN1EncoderUpdate(p7ecx->ecx, (const char *)data, len); done: if (cinfo->privateInfo && cinfo->privateInfo->ciphcx != NULL) { - if (dest != NULL) { - dest->data = buf; - dest->len = len; - } else if (buf != NULL) { - PORT_Free (buf); - } + if (dest != NULL) { + dest->data = buf; + dest->len = len; + } else if (buf != NULL) { + PORT_Free(buf); + } } return rv; } @@ -465,7 +478,8 @@ static SECStatus nss_cms_encoder_update(NSSCMSEncoderContext *p7ecx, const char *data, unsigned long len) { /* XXX Error handling needs help. Return what? Do "Finish" on failure? */ - return nss_cms_encoder_work_data (p7ecx, NULL, (const unsigned char *)data, len, PR_FALSE, PR_FALSE); + return nss_cms_encoder_work_data(p7ecx, NULL, (const unsigned char *)data, + len, PR_FALSE, PR_FALSE); } /* @@ -482,11 +496,11 @@ nss_cms_encoder_update(NSSCMSEncoderContext *p7ecx, const char *data, unsigned l */ NSSCMSEncoderContext * NSS_CMSEncoder_Start(NSSCMSMessage *cmsg, - NSSCMSContentCallback outputfn, void *outputarg, - SECItem *dest, PLArenaPool *destpoolp, - PK11PasswordFunc pwfn, void *pwfn_arg, - NSSCMSGetDecryptKeyCallback decrypt_key_cb, void *decrypt_key_cb_arg, - SECAlgorithmID **detached_digestalgs, SECItem **detached_digests) + NSSCMSContentCallback outputfn, void *outputarg, + SECItem *dest, PLArenaPool *destpoolp, + PK11PasswordFunc pwfn, void *pwfn_arg, + NSSCMSGetDecryptKeyCallback decrypt_key_cb, void *decrypt_key_cb_arg, + SECAlgorithmID **detached_digestalgs, SECItem **detached_digests) { NSSCMSEncoderContext *p7ecx; SECStatus rv; @@ -494,12 +508,12 @@ NSS_CMSEncoder_Start(NSSCMSMessage *cmsg, SECOidTag tag; NSS_CMSMessage_SetEncodingParams(cmsg, pwfn, pwfn_arg, decrypt_key_cb, decrypt_key_cb_arg, - detached_digestalgs, detached_digests); + detached_digestalgs, detached_digests); p7ecx = (NSSCMSEncoderContext *)PORT_ZAlloc(sizeof(NSSCMSEncoderContext)); if (p7ecx == NULL) { - PORT_SetError(SEC_ERROR_NO_MEMORY); - return NULL; + PORT_SetError(SEC_ERROR_NO_MEMORY); + return NULL; } p7ecx->cmsg = cmsg; @@ -513,39 +527,39 @@ NSS_CMSEncoder_Start(NSSCMSMessage *cmsg, tag = NSS_CMSContentInfo_GetContentTypeTag(cinfo); switch (tag) { - case SEC_OID_PKCS7_SIGNED_DATA: - rv = NSS_CMSSignedData_Encode_BeforeStart(cinfo->content.signedData); - break; - case SEC_OID_PKCS7_ENVELOPED_DATA: - rv = NSS_CMSEnvelopedData_Encode_BeforeStart(cinfo->content.envelopedData); - break; - case SEC_OID_PKCS7_DIGESTED_DATA: - rv = NSS_CMSDigestedData_Encode_BeforeStart(cinfo->content.digestedData); - break; - case SEC_OID_PKCS7_ENCRYPTED_DATA: - rv = NSS_CMSEncryptedData_Encode_BeforeStart(cinfo->content.encryptedData); - break; - default: - if (NSS_CMSType_IsWrapper(tag)) { - rv = NSS_CMSGenericWrapperData_Encode_BeforeStart(tag, - p7ecx->content.genericData); - } else { - rv = SECFailure; - } - break; + case SEC_OID_PKCS7_SIGNED_DATA: + rv = NSS_CMSSignedData_Encode_BeforeStart(cinfo->content.signedData); + break; + case SEC_OID_PKCS7_ENVELOPED_DATA: + rv = NSS_CMSEnvelopedData_Encode_BeforeStart(cinfo->content.envelopedData); + break; + case SEC_OID_PKCS7_DIGESTED_DATA: + rv = NSS_CMSDigestedData_Encode_BeforeStart(cinfo->content.digestedData); + break; + case SEC_OID_PKCS7_ENCRYPTED_DATA: + rv = NSS_CMSEncryptedData_Encode_BeforeStart(cinfo->content.encryptedData); + break; + default: + if (NSS_CMSType_IsWrapper(tag)) { + rv = NSS_CMSGenericWrapperData_Encode_BeforeStart(tag, + p7ecx->content.genericData); + } else { + rv = SECFailure; + } + break; } if (rv != SECSuccess) { - PORT_Free(p7ecx); - return NULL; + PORT_Free(p7ecx); + return NULL; } /* Initialize the BER encoder. * Note that this will not encode anything until the first call to SEC_ASN1EncoderUpdate */ p7ecx->ecx = SEC_ASN1EncoderStart(cmsg, NSSCMSMessageTemplate, - nss_cms_encoder_out, &(p7ecx->output)); + nss_cms_encoder_out, &(p7ecx->output)); if (p7ecx->ecx == NULL) { - PORT_Free (p7ecx); - return NULL; + PORT_Free(p7ecx); + return NULL; } p7ecx->ecxupdated = PR_FALSE; @@ -554,7 +568,7 @@ NSS_CMSEncoder_Start(NSSCMSMessage *cmsg, * get past the contents bytes. */ if (!cinfo->privateInfo || !cinfo->privateInfo->dontStream) - SEC_ASN1EncoderSetStreaming(p7ecx->ecx); + SEC_ASN1EncoderSetStreaming(p7ecx->ecx); /* * The notify function will watch for the contents field. @@ -566,8 +580,8 @@ NSS_CMSEncoder_Start(NSSCMSMessage *cmsg, * a child encoder). */ p7ecx->ecxupdated = PR_TRUE; if (SEC_ASN1EncoderUpdate(p7ecx->ecx, NULL, 0) != SECSuccess) { - PORT_Free (p7ecx); - return NULL; + PORT_Free(p7ecx); + return NULL; } return p7ecx; @@ -591,38 +605,39 @@ NSS_CMSEncoder_Update(NSSCMSEncoderContext *p7ecx, const char *data, unsigned lo SECOidTag childtype; if (p7ecx->error) - return SECFailure; + return SECFailure; /* hand data to the innermost decoder */ if (p7ecx->childp7ecx) { - /* tell the child to start encoding, up to its first data byte, if it - * hasn't started yet */ - if (!p7ecx->childp7ecx->ecxupdated) { - p7ecx->childp7ecx->ecxupdated = PR_TRUE; - if (SEC_ASN1EncoderUpdate(p7ecx->childp7ecx->ecx, NULL, 0) != SECSuccess) - return SECFailure; - } - /* recursion here */ - rv = NSS_CMSEncoder_Update(p7ecx->childp7ecx, data, len); + /* tell the child to start encoding, up to its first data byte, if it + * hasn't started yet */ + if (!p7ecx->childp7ecx->ecxupdated) { + p7ecx->childp7ecx->ecxupdated = PR_TRUE; + if (SEC_ASN1EncoderUpdate(p7ecx->childp7ecx->ecx, NULL, 0) != SECSuccess) + return SECFailure; + } + /* recursion here */ + rv = NSS_CMSEncoder_Update(p7ecx->childp7ecx, data, len); } else { - /* we are at innermost decoder */ - /* find out about our inner content type - must be data */ - cinfo = NSS_CMSContent_GetContentInfo(p7ecx->content.pointer, p7ecx->type); - if (!cinfo) { - /* The original programmer didn't expect this to happen */ - p7ecx->error = SEC_ERROR_LIBRARY_FAILURE; - return SECFailure; - } - - childtype = NSS_CMSContentInfo_GetContentTypeTag(cinfo); - if (!NSS_CMSType_IsData(childtype)) - return SECFailure; - /* and we must not have preset data */ - if (cinfo->content.data != NULL) - return SECFailure; - - /* hand it the data so it can encode it (let DER trickle up the chain) */ - rv = nss_cms_encoder_work_data(p7ecx, NULL, (const unsigned char *)data, len, PR_FALSE, PR_TRUE); + /* we are at innermost decoder */ + /* find out about our inner content type - must be data */ + cinfo = NSS_CMSContent_GetContentInfo(p7ecx->content.pointer, p7ecx->type); + if (!cinfo) { + /* The original programmer didn't expect this to happen */ + p7ecx->error = SEC_ERROR_LIBRARY_FAILURE; + return SECFailure; + } + + childtype = NSS_CMSContentInfo_GetContentTypeTag(cinfo); + if (!NSS_CMSType_IsData(childtype)) + return SECFailure; + /* and we must not have preset data */ + if (cinfo->content.data != NULL) + return SECFailure; + + /* hand it the data so it can encode it (let DER trickle up the chain) */ + rv = nss_cms_encoder_work_data(p7ecx, NULL, (const unsigned char *)data, + len, PR_FALSE, PR_TRUE); } return rv; } @@ -646,8 +661,13 @@ NSS_CMSEncoder_Cancel(NSSCMSEncoderContext *p7ecx) * while we are already in NSS_CMSEncoder_Finish, but that's allright. */ if (p7ecx->childp7ecx) { - rv = NSS_CMSEncoder_Cancel(p7ecx->childp7ecx); /* frees p7ecx->childp7ecx */ - /* remember rv for now */ + rv = NSS_CMSEncoder_Cancel(p7ecx->childp7ecx); /* frees p7ecx->childp7ecx */ + /* remember rv for now */ +#ifdef CMSDEBUG + if (rv != SECSuccess) { + fprintf(stderr, "Fail to cancel inner encoder\n"); + } +#endif } /* @@ -657,7 +677,7 @@ NSS_CMSEncoder_Cancel(NSSCMSEncoderContext *p7ecx) */ rv = nss_cms_encoder_work_data(p7ecx, NULL, NULL, 0, PR_TRUE, (p7ecx->childp7ecx == NULL)); if (rv != SECSuccess) - goto loser; + goto loser; p7ecx->childp7ecx = NULL; @@ -673,7 +693,7 @@ NSS_CMSEncoder_Cancel(NSSCMSEncoderContext *p7ecx) loser: SEC_ASN1EncoderFinish(p7ecx->ecx); - PORT_Free (p7ecx); + PORT_Free(p7ecx); return rv; } @@ -695,19 +715,19 @@ NSS_CMSEncoder_Finish(NSSCMSEncoderContext *p7ecx) * while we are already in NSS_CMSEncoder_Finish, but that's allright. */ if (p7ecx->childp7ecx) { - /* tell the child to start encoding, up to its first data byte, if it - * hasn't yet */ - if (!p7ecx->childp7ecx->ecxupdated) { - p7ecx->childp7ecx->ecxupdated = PR_TRUE; - rv = SEC_ASN1EncoderUpdate(p7ecx->childp7ecx->ecx, NULL, 0); - if (rv != SECSuccess) { - NSS_CMSEncoder_Finish(p7ecx->childp7ecx); /* frees p7ecx->childp7ecx */ - goto loser; - } - } - rv = NSS_CMSEncoder_Finish(p7ecx->childp7ecx); /* frees p7ecx->childp7ecx */ - if (rv != SECSuccess) - goto loser; + /* tell the child to start encoding, up to its first data byte, if it + * hasn't yet */ + if (!p7ecx->childp7ecx->ecxupdated) { + p7ecx->childp7ecx->ecxupdated = PR_TRUE; + rv = SEC_ASN1EncoderUpdate(p7ecx->childp7ecx->ecx, NULL, 0); + if (rv != SECSuccess) { + NSS_CMSEncoder_Finish(p7ecx->childp7ecx); /* frees p7ecx->childp7ecx */ + goto loser; + } + } + rv = NSS_CMSEncoder_Finish(p7ecx->childp7ecx); /* frees p7ecx->childp7ecx */ + if (rv != SECSuccess) + goto loser; } /* @@ -717,16 +737,16 @@ NSS_CMSEncoder_Finish(NSSCMSEncoderContext *p7ecx) */ rv = nss_cms_encoder_work_data(p7ecx, NULL, NULL, 0, PR_TRUE, (p7ecx->childp7ecx == NULL)); if (rv != SECSuccess) - goto loser; + goto loser; p7ecx->childp7ecx = NULL; cinfo = NSS_CMSContent_GetContentInfo(p7ecx->content.pointer, p7ecx->type); if (!cinfo) { - /* The original programmer didn't expect this to happen */ - p7ecx->error = SEC_ERROR_LIBRARY_FAILURE; - rv = SECFailure; - goto loser; + /* The original programmer didn't expect this to happen */ + p7ecx->error = SEC_ERROR_LIBRARY_FAILURE; + rv = SECFailure; + goto loser; } SEC_ASN1EncoderClearTakeFromBuf(p7ecx->ecx); SEC_ASN1EncoderClearStreaming(p7ecx->ecx); @@ -734,10 +754,10 @@ NSS_CMSEncoder_Finish(NSSCMSEncoderContext *p7ecx) rv = SEC_ASN1EncoderUpdate(p7ecx->ecx, NULL, 0); if (p7ecx->error) - rv = SECFailure; + rv = SECFailure; loser: SEC_ASN1EncoderFinish(p7ecx->ecx); - PORT_Free (p7ecx); + PORT_Free(p7ecx); return rv; } diff --git a/nss/lib/smime/cmsenvdata.c b/nss/lib/smime/cmsenvdata.c index 279faff..f2c8e17 100644 --- a/nss/lib/smime/cmsenvdata.c +++ b/nss/lib/smime/cmsenvdata.c @@ -34,15 +34,16 @@ NSS_CMSEnvelopedData_Create(NSSCMSMessage *cmsg, SECOidTag algorithm, int keysiz envd = (NSSCMSEnvelopedData *)PORT_ArenaZAlloc(poolp, sizeof(NSSCMSEnvelopedData)); if (envd == NULL) - goto loser; + goto loser; envd->cmsg = cmsg; /* version is set in NSS_CMSEnvelopedData_Encode_BeforeStart() */ - rv = NSS_CMSContentInfo_SetContentEncAlg(poolp, &(envd->contentInfo), algorithm, NULL, keysize); + rv = NSS_CMSContentInfo_SetContentEncAlg(poolp, &(envd->contentInfo), + algorithm, NULL, keysize); if (rv != SECSuccess) - goto loser; + goto loser; PORT_ArenaUnmark(poolp, mark); return envd; @@ -62,17 +63,16 @@ NSS_CMSEnvelopedData_Destroy(NSSCMSEnvelopedData *edp) NSSCMSRecipientInfo *ri; if (edp == NULL) - return; + return; recipientinfos = edp->recipientInfos; if (recipientinfos == NULL) - return; + return; while ((ri = *recipientinfos++) != NULL) - NSS_CMSRecipientInfo_Destroy(ri); - - NSS_CMSContentInfo_Destroy(&(edp->contentInfo)); + NSS_CMSRecipientInfo_Destroy(ri); + NSS_CMSContentInfo_Destroy(&(edp->contentInfo)); } /* @@ -104,11 +104,11 @@ NSS_CMSEnvelopedData_AddRecipient(NSSCMSEnvelopedData *edp, NSSCMSRecipientInfo rv = NSS_CMSArray_Add(edp->cmsg->poolp, (void ***)&(edp->recipientInfos), (void *)rip); if (rv != SECSuccess) { - PORT_ArenaRelease(edp->cmsg->poolp, mark); - return SECFailure; + PORT_ArenaRelease(edp->cmsg->poolp, mark); + return SECFailure; } - PORT_ArenaUnmark (edp->cmsg->poolp, mark); + PORT_ArenaUnmark(edp->cmsg->poolp, mark); return SECSuccess; } @@ -146,65 +146,68 @@ NSS_CMSEnvelopedData_Encode_BeforeStart(NSSCMSEnvelopedData *envd) recipientinfos = envd->recipientInfos; if (recipientinfos == NULL) { - PORT_SetError(SEC_ERROR_BAD_DATA); + PORT_SetError(SEC_ERROR_BAD_DATA); #if 0 - PORT_SetErrorString("Cannot find recipientinfos to encode."); + PORT_SetErrorString("Cannot find recipientinfos to encode."); #endif - goto loser; + goto loser; } version = NSS_CMS_ENVELOPED_DATA_VERSION_REG; if (envd->originatorInfo != NULL || envd->unprotectedAttr != NULL) { - version = NSS_CMS_ENVELOPED_DATA_VERSION_ADV; + version = NSS_CMS_ENVELOPED_DATA_VERSION_ADV; } else { - for (i = 0; recipientinfos[i] != NULL; i++) { - if (NSS_CMSRecipientInfo_GetVersion(recipientinfos[i]) != 0) { - version = NSS_CMS_ENVELOPED_DATA_VERSION_ADV; - break; - } - } + for (i = 0; recipientinfos[i] != NULL; i++) { + if (NSS_CMSRecipientInfo_GetVersion(recipientinfos[i]) != 0) { + version = NSS_CMS_ENVELOPED_DATA_VERSION_ADV; + break; + } + } } dummy = SEC_ASN1EncodeInteger(poolp, &(envd->version), version); if (dummy == NULL) - goto loser; + goto loser; /* now we need to have a proper content encryption algorithm * on the SMIME level, we would figure one out by looking at SMIME capabilities * we cannot do that on our level, so if none is set already, we'll just go * with one of the mandatory algorithms (3DES) */ if ((bulkalgtag = NSS_CMSContentInfo_GetContentEncAlgTag(cinfo)) == SEC_OID_UNKNOWN) { - rv = NSS_CMSContentInfo_SetContentEncAlg(poolp, cinfo, SEC_OID_DES_EDE3_CBC, NULL, 168); - if (rv != SECSuccess) - goto loser; - bulkalgtag = SEC_OID_DES_EDE3_CBC; - } + rv = NSS_CMSContentInfo_SetContentEncAlg(poolp, cinfo, SEC_OID_DES_EDE3_CBC, NULL, 168); + if (rv != SECSuccess) + goto loser; + bulkalgtag = SEC_OID_DES_EDE3_CBC; + } /* generate a random bulk key suitable for content encryption alg */ type = PK11_AlgtagToMechanism(bulkalgtag); slot = PK11_GetBestSlot(type, envd->cmsg->pwfn_arg); if (slot == NULL) - goto loser; /* error has been set by PK11_GetBestSlot */ + goto loser; /* error has been set by PK11_GetBestSlot */ /* this is expensive... */ - bulkkey = PK11_KeyGen(slot, type, NULL, NSS_CMSContentInfo_GetBulkKeySize(cinfo) / 8, envd->cmsg->pwfn_arg); + bulkkey = PK11_KeyGen(slot, type, NULL, + NSS_CMSContentInfo_GetBulkKeySize(cinfo) / 8, + envd->cmsg->pwfn_arg); PK11_FreeSlot(slot); if (bulkkey == NULL) - goto loser; /* error has been set by PK11_KeyGen */ + goto loser; /* error has been set by PK11_KeyGen */ mark = PORT_ArenaMark(poolp); /* Encrypt the bulk key with the public key of each recipient. */ for (i = 0; recipientinfos[i] != NULL; i++) { - rv = NSS_CMSRecipientInfo_WrapBulkKey(recipientinfos[i], bulkkey, bulkalgtag); - if (rv != SECSuccess) - goto loser; /* error has been set by NSS_CMSRecipientInfo_EncryptBulkKey */ - /* could be: alg not supported etc. */ + rv = NSS_CMSRecipientInfo_WrapBulkKey(recipientinfos[i], bulkkey, bulkalgtag); + if (rv != SECSuccess) + goto loser; /* error has been set by NSS_CMSRecipientInfo_EncryptBulkKey */ + /* could be: alg not supported etc. */ } /* the recipientinfos are all finished. now sort them by DER for SET OF encoding */ - rv = NSS_CMSArray_SortByDER((void **)envd->recipientInfos, NSSCMSRecipientInfoTemplate, NULL); + rv = NSS_CMSArray_SortByDER((void **)envd->recipientInfos, + NSSCMSRecipientInfoTemplate, NULL); if (rv != SECSuccess) - goto loser; /* error has been set by NSS_CMSArray_SortByDER */ + goto loser; /* error has been set by NSS_CMSArray_SortByDER */ /* store the bulk key in the contentInfo so that the encoder can find it */ NSS_CMSContentInfo_SetBulkKey(cinfo, bulkkey); @@ -217,9 +220,9 @@ NSS_CMSEnvelopedData_Encode_BeforeStart(NSSCMSEnvelopedData *envd) loser: if (mark != NULL) - PORT_ArenaRelease (poolp, mark); + PORT_ArenaRelease(poolp, mark); if (bulkkey) - PK11_FreeSymKey(bulkkey); + PK11_FreeSymKey(bulkkey); return SECFailure; } @@ -243,14 +246,14 @@ NSS_CMSEnvelopedData_Encode_BeforeData(NSSCMSEnvelopedData *envd) /* find bulkkey and algorithm - must have been set by NSS_CMSEnvelopedData_Encode_BeforeStart */ bulkkey = NSS_CMSContentInfo_GetBulkKey(cinfo); if (bulkkey == NULL) - return SECFailure; + return SECFailure; algid = NSS_CMSContentInfo_GetContentEncAlg(cinfo); if (algid == NULL) - return SECFailure; + return SECFailure; rv = NSS_CMSContentInfo_Private_Init(cinfo); if (rv != SECSuccess) { - return SECFailure; + return SECFailure; } /* this may modify algid (with IVs generated in a token). * it is essential that algid is a pointer to the contentEncAlg data, not a @@ -258,7 +261,7 @@ NSS_CMSEnvelopedData_Encode_BeforeData(NSSCMSEnvelopedData *envd) cinfo->privateInfo->ciphcx = NSS_CMSCipherContext_StartEncrypt(envd->cmsg->poolp, bulkkey, algid); PK11_FreeSymKey(bulkkey); if (cinfo->privateInfo->ciphcx == NULL) - return SECFailure; + return SECFailure; return SECSuccess; } @@ -270,8 +273,8 @@ SECStatus NSS_CMSEnvelopedData_Encode_AfterData(NSSCMSEnvelopedData *envd) { if (envd->contentInfo.privateInfo && envd->contentInfo.privateInfo->ciphcx) { - NSS_CMSCipherContext_Destroy(envd->contentInfo.privateInfo->ciphcx); - envd->contentInfo.privateInfo->ciphcx = NULL; + NSS_CMSCipherContext_Destroy(envd->contentInfo.privateInfo->ciphcx); + envd->contentInfo.privateInfo->ciphcx = NULL; } /* nothing else to do after data */ @@ -279,7 +282,7 @@ NSS_CMSEnvelopedData_Encode_AfterData(NSSCMSEnvelopedData *envd) } /* - * NSS_CMSEnvelopedData_Decode_BeforeData - find our recipientinfo, + * NSS_CMSEnvelopedData_Decode_BeforeData - find our recipientinfo, * derive bulk key & set up our contentinfo */ SECStatus @@ -296,18 +299,18 @@ NSS_CMSEnvelopedData_Decode_BeforeData(NSSCMSEnvelopedData *envd) int rlIndex; if (NSS_CMSArray_Count((void **)envd->recipientInfos) == 0) { - PORT_SetError(SEC_ERROR_BAD_DATA); + PORT_SetError(SEC_ERROR_BAD_DATA); #if 0 - PORT_SetErrorString("No recipient data in envelope."); + PORT_SetErrorString("No recipient data in envelope."); #endif - goto loser; + goto loser; } /* look if one of OUR cert's issuerSN is on the list of recipients, and if so, */ /* get the cert and private key for it right away */ recipient_list = nss_cms_recipient_list_create(envd->recipientInfos); if (recipient_list == NULL) - goto loser; + goto loser; /* what about multiple recipientInfos that match? * especially if, for some reason, we could not produce a bulk key with the first match?! @@ -317,17 +320,17 @@ NSS_CMSEnvelopedData_Decode_BeforeData(NSSCMSEnvelopedData *envd) /* if that fails, then we're not an intended recipient and cannot decrypt */ if (rlIndex < 0) { - PORT_SetError(SEC_ERROR_NOT_A_RECIPIENT); + PORT_SetError(SEC_ERROR_NOT_A_RECIPIENT); #if 0 - PORT_SetErrorString("Cannot decrypt data because proper key cannot be found."); + PORT_SetErrorString("Cannot decrypt data because proper key cannot be found."); #endif - goto loser; + goto loser; } recipient = recipient_list[rlIndex]; if (!recipient->cert || !recipient->privkey) { - /* XXX should set an error code ?!? */ - goto loser; + /* XXX should set an error code ?!? */ + goto loser; } /* get a pointer to "our" recipientinfo */ ri = envd->recipientInfos[recipient->riIndex]; @@ -335,16 +338,16 @@ NSS_CMSEnvelopedData_Decode_BeforeData(NSSCMSEnvelopedData *envd) cinfo = &(envd->contentInfo); bulkalgtag = NSS_CMSContentInfo_GetContentEncAlgTag(cinfo); if (bulkalgtag == SEC_OID_UNKNOWN) { - PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); - } else - bulkkey = - NSS_CMSRecipientInfo_UnwrapBulkKey(ri,recipient->subIndex, - recipient->cert, - recipient->privkey, - bulkalgtag); + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); + } else + bulkkey = + NSS_CMSRecipientInfo_UnwrapBulkKey(ri, recipient->subIndex, + recipient->cert, + recipient->privkey, + bulkalgtag); if (bulkkey == NULL) { - /* no success finding a bulk key */ - goto loser; + /* no success finding a bulk key */ + goto loser; } NSS_CMSContentInfo_SetBulkKey(cinfo, bulkkey); @@ -353,21 +356,20 @@ NSS_CMSEnvelopedData_Decode_BeforeData(NSSCMSEnvelopedData *envd) rv = NSS_CMSContentInfo_Private_Init(cinfo); if (rv != SECSuccess) { - goto loser; + goto loser; } rv = SECFailure; cinfo->privateInfo->ciphcx = NSS_CMSCipherContext_StartDecrypt(bulkkey, bulkalg); if (cinfo->privateInfo->ciphcx == NULL) - goto loser; /* error has been set by NSS_CMSCipherContext_StartDecrypt */ - + goto loser; /* error has been set by NSS_CMSCipherContext_StartDecrypt */ rv = SECSuccess; loser: if (bulkkey) - PK11_FreeSymKey(bulkkey); + PK11_FreeSymKey(bulkkey); if (recipient_list != NULL) - nss_cms_recipient_list_destroy(recipient_list); + nss_cms_recipient_list_destroy(recipient_list); return rv; } @@ -378,8 +380,8 @@ SECStatus NSS_CMSEnvelopedData_Decode_AfterData(NSSCMSEnvelopedData *envd) { if (envd && envd->contentInfo.privateInfo && envd->contentInfo.privateInfo->ciphcx) { - NSS_CMSCipherContext_Destroy(envd->contentInfo.privateInfo->ciphcx); - envd->contentInfo.privateInfo->ciphcx = NULL; + NSS_CMSCipherContext_Destroy(envd->contentInfo.privateInfo->ciphcx); + envd->contentInfo.privateInfo->ciphcx = NULL; } return SECSuccess; @@ -394,4 +396,3 @@ NSS_CMSEnvelopedData_Decode_AfterEnd(NSSCMSEnvelopedData *envd) /* apply final touches */ return SECSuccess; } - diff --git a/nss/lib/smime/cmslocal.h b/nss/lib/smime/cmslocal.h index ee00c05..ef7d500 100644 --- a/nss/lib/smime/cmslocal.h +++ b/nss/lib/smime/cmslocal.h @@ -23,7 +23,7 @@ extern const SEC_ASN1Template NSSCMSContentInfoTemplate[]; struct NSSCMSContentInfoPrivateStr { NSSCMSCipherContext *ciphcx; NSSCMSDigestContext *digcx; - PRBool dontStream; + PRBool dontStream; }; /************************************************************************/ @@ -38,7 +38,6 @@ SEC_BEGIN_PROTOS */ SECStatus NSS_CMSContentInfo_Private_Init(NSSCMSContentInfo *cinfo); - /*********************************************************************** * cmscipher.c - en/decryption routines ***********************************************************************/ @@ -105,12 +104,12 @@ NSS_CMSCipherContext_EncryptLength(NSSCMSCipherContext *cc, unsigned int input_l * "output" and storing the output length in "*output_len_p". * "cc" is the return value from NSS_CMSCipher_StartDecrypt. * When "final" is true, this is the last of the data to be decrypted. - */ + */ extern SECStatus NSS_CMSCipherContext_Decrypt(NSSCMSCipherContext *cc, unsigned char *output, - unsigned int *output_len_p, unsigned int max_output_len, - const unsigned char *input, unsigned int input_len, - PRBool final); + unsigned int *output_len_p, unsigned int max_output_len, + const unsigned char *input, unsigned int input_len, + PRBool final); /* * NSS_CMSCipherContext_Encrypt - do the encryption @@ -128,12 +127,12 @@ NSS_CMSCipherContext_Decrypt(NSSCMSCipherContext *cc, unsigned char *output, * "output" and storing the output length in "*output_len_p". * "cc" is the return value from NSS_CMSCipher_StartEncrypt. * When "final" is true, this is the last of the data to be encrypted. - */ + */ extern SECStatus NSS_CMSCipherContext_Encrypt(NSSCMSCipherContext *cc, unsigned char *output, - unsigned int *output_len_p, unsigned int max_output_len, - const unsigned char *input, unsigned int input_len, - PRBool final); + unsigned int *output_len_p, unsigned int max_output_len, + const unsigned char *input, unsigned int input_len, + PRBool final); /************************************************************************ * cmspubkey.c - public key operations @@ -167,12 +166,12 @@ NSS_CMSUtil_DecryptSymKey_RSA(SECKEYPrivateKey *privkey, SECItem *encKey, SECOid extern SECStatus NSS_CMSUtil_EncryptSymKey_ESDH(PLArenaPool *poolp, CERTCertificate *cert, PK11SymKey *key, - SECItem *encKey, SECItem **ukm, SECAlgorithmID *keyEncAlg, - SECItem *originatorPubKey); + SECItem *encKey, SECItem **ukm, SECAlgorithmID *keyEncAlg, + SECItem *originatorPubKey); extern PK11SymKey * NSS_CMSUtil_DecryptSymKey_ESDH(SECKEYPrivateKey *privkey, SECItem *encKey, - SECAlgorithmID *keyEncAlg, SECOidTag bulkalgtag, void *pwfn_arg); + SECAlgorithmID *keyEncAlg, SECOidTag bulkalgtag, void *pwfn_arg); /************************************************************************ * cmsreclist.c - recipient list stuff @@ -213,13 +212,13 @@ NSS_CMSArray_Count(void **array); * * If "secondary" is not NULL, the same reordering gets applied to it. * If "tertiary" is not NULL, the same reordering gets applied to it. - * "compare" is a function that returns + * "compare" is a function that returns * < 0 when the first element is less than the second * = 0 when the first element is equal to the second * > 0 when the first element is greater than the second */ extern void -NSS_CMSArray_Sort(void **primary, int (*compare)(void *,void *), void **secondary, void **tertiary); +NSS_CMSArray_Sort(void **primary, int (*compare)(void *, void *), void **secondary, void **tertiary); /************************************************************************ * cmsattr.c - misc attribute functions @@ -296,7 +295,7 @@ NSS_CMSAttributeArray_FindAttrByOidTag(NSSCMSAttribute **attrs, SECOidTag oidtag /* * NSS_CMSAttributeArray_AddAttr - add an attribute to an - * array of attributes. + * array of attributes. */ extern SECStatus NSS_CMSAttributeArray_AddAttr(PLArenaPool *poolp, NSSCMSAttribute ***attrs, NSSCMSAttribute *attr); @@ -305,7 +304,8 @@ NSS_CMSAttributeArray_AddAttr(PLArenaPool *poolp, NSSCMSAttribute ***attrs, NSSC * NSS_CMSAttributeArray_SetAttr - set an attribute's value in a set of attributes */ extern SECStatus -NSS_CMSAttributeArray_SetAttr(PLArenaPool *poolp, NSSCMSAttribute ***attrs, SECOidTag type, SECItem *value, PRBool encoded); +NSS_CMSAttributeArray_SetAttr(PLArenaPool *poolp, NSSCMSAttribute ***attrs, + SECOidTag type, SECItem *value, PRBool encoded); /* * NSS_CMSSignedData_AddTempCertificate - add temporary certificate references. @@ -320,33 +320,31 @@ NSS_CMSSignedData_AddTempCertificate(NSSCMSSignedData *sigd, CERTCertificate *ce */ SECOidTag NSS_CMSUtil_MapSignAlgs(SECOidTag signAlg); - /************************************************************************/ /* * local functions to handle user defined S/MIME content types */ - PRBool NSS_CMSType_IsWrapper(SECOidTag type); PRBool NSS_CMSType_IsData(SECOidTag type); size_t NSS_CMSType_GetContentSize(SECOidTag type); -const SEC_ASN1Template * NSS_CMSType_GetTemplate(SECOidTag type); +const SEC_ASN1Template *NSS_CMSType_GetTemplate(SECOidTag type); void NSS_CMSGenericWrapperData_Destroy(SECOidTag type, - NSSCMSGenericWrapperData *gd); -SECStatus NSS_CMSGenericWrapperData_Decode_BeforeData(SECOidTag type, - NSSCMSGenericWrapperData *gd); -SECStatus NSS_CMSGenericWrapperData_Decode_AfterData(SECOidTag type, - NSSCMSGenericWrapperData *gd); -SECStatus NSS_CMSGenericWrapperData_Decode_AfterEnd(SECOidTag type, - NSSCMSGenericWrapperData *gd); -SECStatus NSS_CMSGenericWrapperData_Encode_BeforeStart(SECOidTag type, - NSSCMSGenericWrapperData *gd); -SECStatus NSS_CMSGenericWrapperData_Encode_BeforeData(SECOidTag type, - NSSCMSGenericWrapperData *gd); -SECStatus NSS_CMSGenericWrapperData_Encode_AfterData(SECOidTag type, - NSSCMSGenericWrapperData *gd); + NSSCMSGenericWrapperData *gd); +SECStatus NSS_CMSGenericWrapperData_Decode_BeforeData(SECOidTag type, + NSSCMSGenericWrapperData *gd); +SECStatus NSS_CMSGenericWrapperData_Decode_AfterData(SECOidTag type, + NSSCMSGenericWrapperData *gd); +SECStatus NSS_CMSGenericWrapperData_Decode_AfterEnd(SECOidTag type, + NSSCMSGenericWrapperData *gd); +SECStatus NSS_CMSGenericWrapperData_Encode_BeforeStart(SECOidTag type, + NSSCMSGenericWrapperData *gd); +SECStatus NSS_CMSGenericWrapperData_Encode_BeforeData(SECOidTag type, + NSSCMSGenericWrapperData *gd); +SECStatus NSS_CMSGenericWrapperData_Encode_AfterData(SECOidTag type, + NSSCMSGenericWrapperData *gd); SEC_END_PROTOS diff --git a/nss/lib/smime/cmsmessage.c b/nss/lib/smime/cmsmessage.c index a44fb0b..27d1256 100644 --- a/nss/lib/smime/cmsmessage.c +++ b/nss/lib/smime/cmsmessage.c @@ -28,7 +28,7 @@ NSS_CMSMessage_Create(PLArenaPool *poolp) PRBool poolp_is_ours = PR_FALSE; if (poolp == NULL) { - poolp = PORT_NewArena (1024); /* XXX what is right value? */ + poolp = PORT_NewArena(1024); /* XXX what is right value? */ if (poolp == NULL) return NULL; poolp_is_ours = PR_TRUE; @@ -54,7 +54,7 @@ NSS_CMSMessage_Create(PLArenaPool *poolp) cmsg->refCount = 1; if (mark) - PORT_ArenaUnmark(poolp, mark); + PORT_ArenaUnmark(poolp, mark); return cmsg; } @@ -69,12 +69,12 @@ NSS_CMSMessage_Create(PLArenaPool *poolp) */ void NSS_CMSMessage_SetEncodingParams(NSSCMSMessage *cmsg, - PK11PasswordFunc pwfn, void *pwfn_arg, - NSSCMSGetDecryptKeyCallback decrypt_key_cb, void *decrypt_key_cb_arg, - SECAlgorithmID **detached_digestalgs, SECItem **detached_digests) + PK11PasswordFunc pwfn, void *pwfn_arg, + NSSCMSGetDecryptKeyCallback decrypt_key_cb, void *decrypt_key_cb_arg, + SECAlgorithmID **detached_digestalgs, SECItem **detached_digests) { if (pwfn) - PK11_SetPasswordFunc(pwfn); + PK11_SetPasswordFunc(pwfn); cmsg->pwfn_arg = pwfn_arg; cmsg->decrypt_key_cb = decrypt_key_cb; cmsg->decrypt_key_cb_arg = decrypt_key_cb_arg; @@ -88,23 +88,23 @@ NSS_CMSMessage_SetEncodingParams(NSSCMSMessage *cmsg, void NSS_CMSMessage_Destroy(NSSCMSMessage *cmsg) { - PORT_Assert (cmsg->refCount > 0); - if (cmsg->refCount <= 0) /* oops */ - return; + PORT_Assert(cmsg->refCount > 0); + if (cmsg->refCount <= 0) /* oops */ + return; - cmsg->refCount--; /* thread safety? */ + cmsg->refCount--; /* thread safety? */ if (cmsg->refCount > 0) - return; + return; NSS_CMSContentInfo_Destroy(&(cmsg->contentInfo)); /* if poolp is not NULL, cmsg is the owner of its arena */ if (cmsg->poolp_is_ours) - PORT_FreeArena (cmsg->poolp, PR_FALSE); /* XXX clear it? */ + PORT_FreeArena(cmsg->poolp, PR_FALSE); /* XXX clear it? */ } /* - * NSS_CMSMessage_Copy - return a copy of the given message. + * NSS_CMSMessage_Copy - return a copy of the given message. * * The copy may be virtual or may be real -- either way, the result needs * to be passed to NSS_CMSMessage_Destroy later (as does the original). @@ -113,9 +113,9 @@ NSSCMSMessage * NSS_CMSMessage_Copy(NSSCMSMessage *cmsg) { if (cmsg == NULL) - return NULL; + return NULL; - PORT_Assert (cmsg->refCount > 0); + PORT_Assert(cmsg->refCount > 0); cmsg->refCount++; /* XXX chrisk thread safety? */ return cmsg; @@ -140,7 +140,7 @@ NSS_CMSMessage_GetContentInfo(NSSCMSMessage *cmsg) } /* - * Return a pointer to the actual content. + * Return a pointer to the actual content. * In the case of those types which are encrypted, this returns the *plain* content. * In case of nested contentInfos, this descends and retrieves the innermost content. */ @@ -148,8 +148,8 @@ SECItem * NSS_CMSMessage_GetContent(NSSCMSMessage *cmsg) { /* this is a shortcut */ - NSSCMSContentInfo * cinfo = NSS_CMSMessage_GetContentInfo(cmsg); - SECItem * pItem = NSS_CMSContentInfo_GetInnerContent(cinfo); + NSSCMSContentInfo *cinfo = NSS_CMSMessage_GetContentInfo(cmsg); + SECItem *pItem = NSS_CMSContentInfo_GetInnerContent(cinfo); return pItem; } @@ -165,9 +165,9 @@ NSS_CMSMessage_ContentLevelCount(NSSCMSMessage *cmsg) NSSCMSContentInfo *cinfo; /* walk down the chain of contentinfos */ - for (cinfo = &(cmsg->contentInfo); cinfo != NULL; ) { - count++; - cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo); + for (cinfo = &(cmsg->contentInfo); cinfo != NULL;) { + count++; + cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo); } return count; } @@ -184,8 +184,9 @@ NSS_CMSMessage_ContentLevel(NSSCMSMessage *cmsg, int n) NSSCMSContentInfo *cinfo; /* walk down the chain of contentinfos */ - for (cinfo = &(cmsg->contentInfo); cinfo != NULL && count < n; cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo)) { - count++; + for (cinfo = &(cmsg->contentInfo); cinfo != NULL && count < n; + cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo)) { + count++; } return cinfo; @@ -200,13 +201,14 @@ NSS_CMSMessage_ContainsCertsOrCrls(NSSCMSMessage *cmsg) NSSCMSContentInfo *cinfo; /* descend into CMS message */ - for (cinfo = &(cmsg->contentInfo); cinfo != NULL; cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo)) { - if (!NSS_CMSType_IsData(NSS_CMSContentInfo_GetContentTypeTag(cinfo))) - continue; /* next level */ - - if (NSS_CMSSignedData_ContainsCertsOrCrls(cinfo->content.signedData)) - return PR_TRUE; - /* callback here for generic wrappers? */ + for (cinfo = &(cmsg->contentInfo); cinfo != NULL; + cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo)) { + if (!NSS_CMSType_IsData(NSS_CMSContentInfo_GetContentTypeTag(cinfo))) + continue; /* next level */ + + if (NSS_CMSSignedData_ContainsCertsOrCrls(cinfo->content.signedData)) + return PR_TRUE; + /* callback here for generic wrappers? */ } return PR_FALSE; } @@ -220,16 +222,16 @@ NSS_CMSMessage_IsEncrypted(NSSCMSMessage *cmsg) NSSCMSContentInfo *cinfo; /* walk down the chain of contentinfos */ - for (cinfo = &(cmsg->contentInfo); cinfo != NULL; cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo)) - { - switch (NSS_CMSContentInfo_GetContentTypeTag(cinfo)) { - case SEC_OID_PKCS7_ENVELOPED_DATA: - case SEC_OID_PKCS7_ENCRYPTED_DATA: - return PR_TRUE; - default: - /* callback here for generic wrappers? */ - break; - } + for (cinfo = &(cmsg->contentInfo); cinfo != NULL; + cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo)) { + switch (NSS_CMSContentInfo_GetContentTypeTag(cinfo)) { + case SEC_OID_PKCS7_ENVELOPED_DATA: + case SEC_OID_PKCS7_ENCRYPTED_DATA: + return PR_TRUE; + default: + /* callback here for generic wrappers? */ + break; + } } return PR_FALSE; } @@ -250,17 +252,17 @@ NSS_CMSMessage_IsSigned(NSSCMSMessage *cmsg) NSSCMSContentInfo *cinfo; /* walk down the chain of contentinfos */ - for (cinfo = &(cmsg->contentInfo); cinfo != NULL; cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo)) - { - switch (NSS_CMSContentInfo_GetContentTypeTag(cinfo)) { - case SEC_OID_PKCS7_SIGNED_DATA: - if (!NSS_CMSArray_IsEmpty((void **)cinfo->content.signedData->signerInfos)) - return PR_TRUE; - break; - default: - /* callback here for generic wrappers? */ - break; - } + for (cinfo = &(cmsg->contentInfo); cinfo != NULL; + cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo)) { + switch (NSS_CMSContentInfo_GetContentTypeTag(cinfo)) { + case SEC_OID_PKCS7_SIGNED_DATA: + if (!NSS_CMSArray_IsEmpty((void **)cinfo->content.signedData->signerInfos)) + return PR_TRUE; + break; + default: + /* callback here for generic wrappers? */ + break; + } } return PR_FALSE; } @@ -277,14 +279,14 @@ NSS_CMSMessage_IsContentEmpty(NSSCMSMessage *cmsg, unsigned int minLen) SECItem *item = NULL; if (cmsg == NULL) - return PR_TRUE; + return PR_TRUE; item = NSS_CMSContentInfo_GetContent(NSS_CMSMessage_GetContentInfo(cmsg)); if (!item) { - return PR_TRUE; - } else if(item->len <= minLen) { - return PR_TRUE; + return PR_TRUE; + } else if (item->len <= minLen) { + return PR_TRUE; } return PR_FALSE; diff --git a/nss/lib/smime/cmspubkey.c b/nss/lib/smime/cmspubkey.c index cf80044..bc3cd99 100644 --- a/nss/lib/smime/cmspubkey.c +++ b/nss/lib/smime/cmspubkey.c @@ -25,7 +25,7 @@ * according to PKCS#1 and RFC2633 (S/MIME) */ SECStatus -NSS_CMSUtil_EncryptSymKey_RSA(PLArenaPool *poolp, CERTCertificate *cert, +NSS_CMSUtil_EncryptSymKey_RSA(PLArenaPool *poolp, CERTCertificate *cert, PK11SymKey *bulkkey, SECItem *encKey) { @@ -34,7 +34,7 @@ NSS_CMSUtil_EncryptSymKey_RSA(PLArenaPool *poolp, CERTCertificate *cert, publickey = CERT_ExtractPublicKey(cert); if (publickey == NULL) - return SECFailure; + return SECFailure; rv = NSS_CMSUtil_EncryptSymKey_RSAPubKey(poolp, publickey, bulkkey, encKey); SECKEY_DestroyPublicKey(publickey); @@ -42,8 +42,8 @@ NSS_CMSUtil_EncryptSymKey_RSA(PLArenaPool *poolp, CERTCertificate *cert, } SECStatus -NSS_CMSUtil_EncryptSymKey_RSAPubKey(PLArenaPool *poolp, - SECKEYPublicKey *publickey, +NSS_CMSUtil_EncryptSymKey_RSAPubKey(PLArenaPool *poolp, + SECKEYPublicKey *publickey, PK11SymKey *bulkkey, SECItem *encKey) { SECStatus rv; @@ -51,37 +51,36 @@ NSS_CMSUtil_EncryptSymKey_RSAPubKey(PLArenaPool *poolp, KeyType keyType; void *mark = NULL; - mark = PORT_ArenaMark(poolp); if (!mark) - goto loser; + goto loser; /* sanity check */ keyType = SECKEY_GetPublicKeyType(publickey); PORT_Assert(keyType == rsaKey); if (keyType != rsaKey) { - goto loser; + goto loser; } /* allocate memory for the encrypted key */ - data_len = SECKEY_PublicKeyStrength(publickey); /* block size (assumed to be > keylen) */ - encKey->data = (unsigned char*)PORT_ArenaAlloc(poolp, data_len); + data_len = SECKEY_PublicKeyStrength(publickey); /* block size (assumed to be > keylen) */ + encKey->data = (unsigned char *)PORT_ArenaAlloc(poolp, data_len); encKey->len = data_len; if (encKey->data == NULL) - goto loser; + goto loser; /* encrypt the key now */ rv = PK11_PubWrapSymKey(PK11_AlgtagToMechanism(SEC_OID_PKCS1_RSA_ENCRYPTION), - publickey, bulkkey, encKey); + publickey, bulkkey, encKey); if (rv != SECSuccess) - goto loser; + goto loser; PORT_ArenaUnmark(poolp, mark); return SECSuccess; loser: if (mark) { - PORT_ArenaRelease(poolp, mark); + PORT_ArenaRelease(poolp, mark); } return SECFailure; } @@ -101,8 +100,8 @@ NSS_CMSUtil_DecryptSymKey_RSA(SECKEYPrivateKey *privkey, SECItem *encKey, SECOid PORT_Assert(bulkalgtag != SEC_OID_UNKNOWN); target = PK11_AlgtagToMechanism(bulkalgtag); if (bulkalgtag == SEC_OID_UNKNOWN || target == CKM_INVALID_MECHANISM) { - PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); - return NULL; + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); + return NULL; } return PK11_PubUnwrapSymKey(privkey, encKey, target, CKA_DECRYPT, 0); } @@ -111,12 +110,12 @@ NSS_CMSUtil_DecryptSymKey_RSA(SECKEYPrivateKey *privkey, SECItem *encKey, SECOid SECStatus NSS_CMSUtil_EncryptSymKey_ESDH(PLArenaPool *poolp, CERTCertificate *cert, PK11SymKey *key, - SECItem *encKey, SECItem **ukm, SECAlgorithmID *keyEncAlg, - SECItem *pubKey) + SECItem *encKey, SECItem **ukm, SECAlgorithmID *keyEncAlg, + SECItem *pubKey) { #if 0 /* not yet done */ - SECOidTag certalgtag; /* the certificate's encryption algorithm */ - SECOidTag encalgtag; /* the algorithm used for key exchange/agreement */ + SECOidTag certalgtag; /* the certificate's encryption algorithm */ + SECOidTag encalgtag; /* the algorithm used for key exchange/agreement */ SECStatus rv; SECItem *params = NULL; int data_len; @@ -148,7 +147,7 @@ NSS_CMSUtil_EncryptSymKey_ESDH(PLArenaPool *poolp, CERTCertificate *cert, PK11Sy /* XXXX */ourPubKey = CERT_ExtractPublicKey(ourCert); if (ourPubKey == NULL) { - goto loser; + goto loser; } SECITEM_CopyItem(arena, pubKey, /* XXX */&(ourPubKey->u.fortezza.KEAKey)); SECKEY_DestroyPublicKey(ourPubKey); /* we only need the private key from now on */ @@ -161,24 +160,24 @@ NSS_CMSUtil_EncryptSymKey_ESDH(PLArenaPool *poolp, CERTCertificate *cert, PK11Sy /* If ukm desired, prepare it - allocate enough space (filled with zeros). */ if (ukm) { - ukm->data = (unsigned char*)PORT_ArenaZAlloc(arena,/* XXXX */); - ukm->len = /* XXXX */; + ukm->data = (unsigned char*)PORT_ArenaZAlloc(arena,/* XXXX */); + ukm->len = /* XXXX */; } /* Generate the KEK (key exchange key) according to RFC2631 which we use * to wrap the bulk encryption key. */ kek = PK11_PubDerive(ourPrivKey, publickey, PR_TRUE, - ukm, NULL, - /* XXXX */CKM_KEA_KEY_DERIVE, /* XXXX */CKM_SKIPJACK_WRAP, - CKA_WRAP, 0, wincx); + ukm, NULL, + /* XXXX */CKM_KEA_KEY_DERIVE, /* XXXX */CKM_SKIPJACK_WRAP, + CKA_WRAP, 0, wincx); SECKEY_DestroyPublicKey(publickey); SECKEY_DestroyPrivateKey(ourPrivKey); publickey = NULL; ourPrivKey = NULL; - + if (!kek) - goto loser; + goto loser; /* allocate space for the encrypted CEK (bulk key) */ encKey->data = (unsigned char*)PORT_ArenaAlloc(poolp, SMIME_FORTEZZA_MAX_KEY_SIZE); @@ -186,8 +185,8 @@ NSS_CMSUtil_EncryptSymKey_ESDH(PLArenaPool *poolp, CERTCertificate *cert, PK11Sy if (encKey->data == NULL) { - PK11_FreeSymKey(kek); - goto loser; + PK11_FreeSymKey(kek); + goto loser; } @@ -196,23 +195,23 @@ NSS_CMSUtil_EncryptSymKey_ESDH(PLArenaPool *poolp, CERTCertificate *cert, PK11Sy switch (/* XXXX */PK11_AlgtagToMechanism(enccinfo->encalg)) { case /* XXXX */CKM_SKIPJACK_CFB8: - err = PK11_WrapSymKey(/* XXXX */CKM_CMS3DES_WRAP, NULL, kek, bulkkey, encKey); - whichKEA = NSSCMSKEAUsesSkipjack; - break; + err = PK11_WrapSymKey(/* XXXX */CKM_CMS3DES_WRAP, NULL, kek, bulkkey, encKey); + whichKEA = NSSCMSKEAUsesSkipjack; + break; case /* XXXX */CKM_SKIPJACK_CFB8: - err = PK11_WrapSymKey(/* XXXX */CKM_CMSRC2_WRAP, NULL, kek, bulkkey, encKey); - whichKEA = NSSCMSKEAUsesSkipjack; - break; + err = PK11_WrapSymKey(/* XXXX */CKM_CMSRC2_WRAP, NULL, kek, bulkkey, encKey); + whichKEA = NSSCMSKEAUsesSkipjack; + break; default: - /* XXXX what do we do here? Neither RC2 nor 3DES... */ + /* XXXX what do we do here? Neither RC2 nor 3DES... */ err = SECFailure; /* set error */ - break; + break; } - PK11_FreeSymKey(kek); /* we do not need the KEK anymore */ + PK11_FreeSymKey(kek); /* we do not need the KEK anymore */ if (err != SECSuccess) - goto loser; + goto loser; PORT_Assert(whichKEA != NSSCMSKEAInvalid); @@ -220,17 +219,17 @@ NSS_CMSUtil_EncryptSymKey_ESDH(PLArenaPool *poolp, CERTCertificate *cert, PK11Sy /* params is the DER encoded key wrap algorithm (with parameters!) (XXX) */ params = SEC_ASN1EncodeItem(arena, NULL, &keaParams, sec_pkcs7_get_kea_template(whichKEA)); if (params == NULL) - goto loser; + goto loser; /* now set keyEncAlg */ rv = SECOID_SetAlgorithmID(poolp, keyEncAlg, SEC_OID_CMS_EPHEMERAL_STATIC_DIFFIE_HELLMAN, params); if (rv != SECSuccess) - goto loser; + goto loser; /* XXXXXXX this is not right yet */ loser: if (arena) { - PORT_FreeArena(arena, PR_FALSE); + PORT_FreeArena(arena, PR_FALSE); } if (publickey) { SECKEY_DestroyPublicKey(publickey); @@ -243,7 +242,9 @@ loser: } PK11SymKey * -NSS_CMSUtil_DecryptSymKey_ESDH(SECKEYPrivateKey *privkey, SECItem *encKey, SECAlgorithmID *keyEncAlg, SECOidTag bulkalgtag, void *pwfn_arg) +NSS_CMSUtil_DecryptSymKey_ESDH(SECKEYPrivateKey *privkey, SECItem *encKey, + SECAlgorithmID *keyEncAlg, SECOidTag bulkalgtag, + void *pwfn_arg) { #if 0 /* not yet done */ SECStatus err; @@ -254,27 +255,27 @@ NSS_CMSUtil_DecryptSymKey_ESDH(SECKEYPrivateKey *privkey, SECItem *encKey, SECAl /* XXXX get originator's public key */ originatorPubKey = PK11_MakeKEAPubKey(keaParams.originatorKEAKey.data, - keaParams.originatorKEAKey.len); + keaParams.originatorKEAKey.len); if (originatorPubKey == NULL) goto loser; - + /* Generate the TEK (token exchange key) which we use to unwrap the bulk encryption key. The Derive function generates a shared secret and combines it with the originatorRA data to come up with an unique session key */ tek = PK11_PubDerive(privkey, originatorPubKey, PR_FALSE, - &keaParams.originatorRA, NULL, - CKM_KEA_KEY_DERIVE, CKM_SKIPJACK_WRAP, - CKA_WRAP, 0, pwfn_arg); - SECKEY_DestroyPublicKey(originatorPubKey); /* not needed anymore */ + &keaParams.originatorRA, NULL, + CKM_KEA_KEY_DERIVE, CKM_SKIPJACK_WRAP, + CKA_WRAP, 0, pwfn_arg); + SECKEY_DestroyPublicKey(originatorPubKey); /* not needed anymore */ if (tek == NULL) - goto loser; - + goto loser; + /* Now that we have the TEK, unwrap the bulk key with which to decrypt the message. */ /* Skipjack is being used as the bulk encryption algorithm.*/ /* Unwrap the bulk key. */ bulkkey = PK11_UnwrapSymKey(tek, CKM_SKIPJACK_WRAP, NULL, - encKey, CKM_SKIPJACK_CBC64, CKA_DECRYPT, 0); + encKey, CKM_SKIPJACK_CBC64, CKA_DECRYPT, 0); return bulkkey; @@ -282,4 +283,3 @@ loser: #endif return NULL; } - diff --git a/nss/lib/smime/cmsrecinfo.c b/nss/lib/smime/cmsrecinfo.c index abc2254..2efb6b1 100644 --- a/nss/lib/smime/cmsrecinfo.c +++ b/nss/lib/smime/cmsrecinfo.c @@ -20,11 +20,11 @@ PRBool nss_cmsrecipientinfo_usessubjectkeyid(NSSCMSRecipientInfo *ri) { if (ri->recipientInfoType == NSSCMSRecipientInfoID_KeyTrans) { - NSSCMSRecipientIdentifier *rid; - rid = &ri->ri.keyTransRecipientInfo.recipientIdentifier; - if (rid->identifierType == NSSCMSRecipientID_SubjectKeyID) { - return PR_TRUE; - } + NSSCMSRecipientIdentifier *rid; + rid = &ri->ri.keyTransRecipientInfo.recipientIdentifier; + if (rid->identifierType == NSSCMSRecipientID_SubjectKeyID) { + return PR_TRUE; + } } return PR_FALSE; } @@ -32,20 +32,20 @@ nss_cmsrecipientinfo_usessubjectkeyid(NSSCMSRecipientInfo *ri) /* * NOTE: fakeContent marks CMSMessage structure which is only used as a carrier * of pwfn_arg and arena pools. In an ideal world, NSSCMSMessage would not have - * been exported, and we would have added an ordinary enum to handle this + * been exported, and we would have added an ordinary enum to handle this * check. Unfortunatly wo don't have that luxury so we are overloading the * contentTypeTag field. NO code should every try to interpret this content tag - * as a real OID tag, or use any fields other than pwfn_arg or poolp of this + * as a real OID tag, or use any fields other than pwfn_arg or poolp of this * CMSMessage for that matter */ static const SECOidData fakeContent; NSSCMSRecipientInfo * -nss_cmsrecipientinfo_create(NSSCMSMessage *cmsg, - NSSCMSRecipientIDSelector type, - CERTCertificate *cert, - SECKEYPublicKey *pubKey, - SECItem *subjKeyID, - void* pwfn_arg, - SECItem* DERinput) +nss_cmsrecipientinfo_create(NSSCMSMessage *cmsg, + NSSCMSRecipientIDSelector type, + CERTCertificate *cert, + SECKEYPublicKey *pubKey, + SECItem *subjKeyID, + void *pwfn_arg, + SECItem *DERinput) { NSSCMSRecipientInfo *ri; void *mark; @@ -61,12 +61,12 @@ nss_cmsrecipientinfo_create(NSSCMSMessage *cmsg, extern const SEC_ASN1Template NSSCMSRecipientInfoTemplate[]; if (!cmsg) { - /* a CMSMessage wasn't supplied, create a fake one to hold the pwfunc - * and a private arena pool */ - cmsg = NSS_CMSMessage_Create(NULL); + /* a CMSMessage wasn't supplied, create a fake one to hold the pwfunc + * and a private arena pool */ + cmsg = NSS_CMSMessage_Create(NULL); cmsg->pwfn_arg = pwfn_arg; - /* mark it as a special cms message */ - cmsg->contentInfo.contentTypeTag = (SECOidData *)&fakeContent; + /* mark it as a special cms message */ + cmsg->contentInfo.contentTypeTag = (SECOidData *)&fakeContent; } poolp = cmsg->poolp; @@ -75,7 +75,7 @@ nss_cmsrecipientinfo_create(NSSCMSMessage *cmsg, ri = (NSSCMSRecipientInfo *)PORT_ArenaZAlloc(poolp, sizeof(NSSCMSRecipientInfo)); if (ri == NULL) - goto loser; + goto loser; ri->cmsg = cmsg; @@ -91,25 +91,23 @@ nss_cmsrecipientinfo_create(NSSCMSMessage *cmsg, } switch (type) { - case NSSCMSRecipientID_IssuerSN: - { + case NSSCMSRecipientID_IssuerSN: { ri->cert = CERT_DupCertificate(cert); if (NULL == ri->cert) goto loser; spki = &(cert->subjectPublicKeyInfo); break; } - - case NSSCMSRecipientID_SubjectKeyID: - { + + case NSSCMSRecipientID_SubjectKeyID: { PORT_Assert(pubKey); spki = freeSpki = SECKEY_CreateSubjectPublicKeyInfo(pubKey); break; } - case NSSCMSRecipientID_BrandNew: - goto done; - break; + case NSSCMSRecipientID_BrandNew: + goto done; + break; default: /* unkown type */ @@ -121,129 +119,128 @@ nss_cmsrecipientinfo_create(NSSCMSMessage *cmsg, rid = &ri->ri.keyTransRecipientInfo.recipientIdentifier; switch (certalgtag) { - case SEC_OID_PKCS1_RSA_ENCRYPTION: - ri->recipientInfoType = NSSCMSRecipientInfoID_KeyTrans; - rid->identifierType = type; - if (type == NSSCMSRecipientID_IssuerSN) { - rid->id.issuerAndSN = CERT_GetCertIssuerAndSN(poolp, cert); - if (rid->id.issuerAndSN == NULL) { - break; - } - } else if (type == NSSCMSRecipientID_SubjectKeyID){ - NSSCMSKeyTransRecipientInfoEx *riExtra; - - rid->id.subjectKeyID = PORT_ArenaNew(poolp, SECItem); - if (rid->id.subjectKeyID == NULL) { - rv = SECFailure; - PORT_SetError(SEC_ERROR_NO_MEMORY); - break; - } - SECITEM_CopyItem(poolp, rid->id.subjectKeyID, subjKeyID); - if (rid->id.subjectKeyID->data == NULL) { - rv = SECFailure; - PORT_SetError(SEC_ERROR_NO_MEMORY); - break; - } - riExtra = &ri->ri.keyTransRecipientInfoEx; - riExtra->version = 0; - riExtra->pubKey = SECKEY_CopyPublicKey(pubKey); - if (riExtra->pubKey == NULL) { - rv = SECFailure; - PORT_SetError(SEC_ERROR_NO_MEMORY); - break; - } - } else { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - rv = SECFailure; - } - break; - case SEC_OID_X942_DIFFIE_HELMAN_KEY: /* dh-public-number */ - PORT_Assert(type == NSSCMSRecipientID_IssuerSN); - if (type != NSSCMSRecipientID_IssuerSN) { - rv = SECFailure; - break; - } - /* a key agreement op */ - ri->recipientInfoType = NSSCMSRecipientInfoID_KeyAgree; - - if (ri->ri.keyTransRecipientInfo.recipientIdentifier.id.issuerAndSN == NULL) { - rv = SECFailure; - break; - } - /* we do not support the case where multiple recipients - * share the same KeyAgreeRecipientInfo and have multiple RecipientEncryptedKeys - * in this case, we would need to walk all the recipientInfos, take the - * ones that do KeyAgreement algorithms and join them, algorithm by algorithm - * Then, we'd generate ONE ukm and OriginatorIdentifierOrKey */ - - /* only epheremal-static Diffie-Hellman is supported for now - * this is the only form of key agreement that provides potential anonymity - * of the sender, plus we do not have to include certs in the message */ - - /* force single recipientEncryptedKey for now */ - if ((rek = NSS_CMSRecipientEncryptedKey_Create(poolp)) == NULL) { - rv = SECFailure; - break; - } - - /* hardcoded IssuerSN choice for now */ - rek->recipientIdentifier.identifierType = NSSCMSKeyAgreeRecipientID_IssuerSN; - if ((rek->recipientIdentifier.id.issuerAndSN = CERT_GetCertIssuerAndSN(poolp, cert)) == NULL) { - rv = SECFailure; - break; - } - - oiok = &(ri->ri.keyAgreeRecipientInfo.originatorIdentifierOrKey); - - /* see RFC2630 12.3.1.1 */ - oiok->identifierType = NSSCMSOriginatorIDOrKey_OriginatorPublicKey; - - rv = NSS_CMSArray_Add(poolp, (void ***)&ri->ri.keyAgreeRecipientInfo.recipientEncryptedKeys, - (void *)rek); - - break; - default: - /* other algorithms not supported yet */ - /* NOTE that we do not support any KEK algorithm */ - PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); - rv = SECFailure; - break; + case SEC_OID_PKCS1_RSA_ENCRYPTION: + ri->recipientInfoType = NSSCMSRecipientInfoID_KeyTrans; + rid->identifierType = type; + if (type == NSSCMSRecipientID_IssuerSN) { + rid->id.issuerAndSN = CERT_GetCertIssuerAndSN(poolp, cert); + if (rid->id.issuerAndSN == NULL) { + break; + } + } else if (type == NSSCMSRecipientID_SubjectKeyID) { + NSSCMSKeyTransRecipientInfoEx *riExtra; + + rid->id.subjectKeyID = PORT_ArenaNew(poolp, SECItem); + if (rid->id.subjectKeyID == NULL) { + rv = SECFailure; + PORT_SetError(SEC_ERROR_NO_MEMORY); + break; + } + rv = SECITEM_CopyItem(poolp, rid->id.subjectKeyID, subjKeyID); + if (rv != SECSuccess || rid->id.subjectKeyID->data == NULL) { + rv = SECFailure; + PORT_SetError(SEC_ERROR_NO_MEMORY); + break; + } + riExtra = &ri->ri.keyTransRecipientInfoEx; + riExtra->version = 0; + riExtra->pubKey = SECKEY_CopyPublicKey(pubKey); + if (riExtra->pubKey == NULL) { + rv = SECFailure; + PORT_SetError(SEC_ERROR_NO_MEMORY); + break; + } + } else { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + rv = SECFailure; + } + break; + case SEC_OID_X942_DIFFIE_HELMAN_KEY: /* dh-public-number */ + PORT_Assert(type == NSSCMSRecipientID_IssuerSN); + if (type != NSSCMSRecipientID_IssuerSN) { + rv = SECFailure; + break; + } + /* a key agreement op */ + ri->recipientInfoType = NSSCMSRecipientInfoID_KeyAgree; + + if (ri->ri.keyTransRecipientInfo.recipientIdentifier.id.issuerAndSN == NULL) { + rv = SECFailure; + break; + } + /* we do not support the case where multiple recipients + * share the same KeyAgreeRecipientInfo and have multiple RecipientEncryptedKeys + * in this case, we would need to walk all the recipientInfos, take the + * ones that do KeyAgreement algorithms and join them, algorithm by algorithm + * Then, we'd generate ONE ukm and OriginatorIdentifierOrKey */ + + /* only epheremal-static Diffie-Hellman is supported for now + * this is the only form of key agreement that provides potential anonymity + * of the sender, plus we do not have to include certs in the message */ + + /* force single recipientEncryptedKey for now */ + if ((rek = NSS_CMSRecipientEncryptedKey_Create(poolp)) == NULL) { + rv = SECFailure; + break; + } + + /* hardcoded IssuerSN choice for now */ + rek->recipientIdentifier.identifierType = NSSCMSKeyAgreeRecipientID_IssuerSN; + if ((rek->recipientIdentifier.id.issuerAndSN = CERT_GetCertIssuerAndSN(poolp, cert)) == NULL) { + rv = SECFailure; + break; + } + + oiok = &(ri->ri.keyAgreeRecipientInfo.originatorIdentifierOrKey); + + /* see RFC2630 12.3.1.1 */ + oiok->identifierType = NSSCMSOriginatorIDOrKey_OriginatorPublicKey; + + rv = NSS_CMSArray_Add(poolp, (void ***)&ri->ri.keyAgreeRecipientInfo.recipientEncryptedKeys, + (void *)rek); + + break; + default: + /* other algorithms not supported yet */ + /* NOTE that we do not support any KEK algorithm */ + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); + rv = SECFailure; + break; } if (rv == SECFailure) - goto loser; + goto loser; /* set version */ switch (ri->recipientInfoType) { - case NSSCMSRecipientInfoID_KeyTrans: - if (ri->ri.keyTransRecipientInfo.recipientIdentifier.identifierType == NSSCMSRecipientID_IssuerSN) - version = NSS_CMS_KEYTRANS_RECIPIENT_INFO_VERSION_ISSUERSN; - else - version = NSS_CMS_KEYTRANS_RECIPIENT_INFO_VERSION_SUBJKEY; - dummy = SEC_ASN1EncodeInteger(poolp, &(ri->ri.keyTransRecipientInfo.version), version); - if (dummy == NULL) - goto loser; - break; - case NSSCMSRecipientInfoID_KeyAgree: - dummy = SEC_ASN1EncodeInteger(poolp, &(ri->ri.keyAgreeRecipientInfo.version), - NSS_CMS_KEYAGREE_RECIPIENT_INFO_VERSION); - if (dummy == NULL) - goto loser; - break; - case NSSCMSRecipientInfoID_KEK: - /* NOTE: this cannot happen as long as we do not support any KEK algorithm */ - dummy = SEC_ASN1EncodeInteger(poolp, &(ri->ri.kekRecipientInfo.version), - NSS_CMS_KEK_RECIPIENT_INFO_VERSION); - if (dummy == NULL) - goto loser; - break; - + case NSSCMSRecipientInfoID_KeyTrans: + if (ri->ri.keyTransRecipientInfo.recipientIdentifier.identifierType == NSSCMSRecipientID_IssuerSN) + version = NSS_CMS_KEYTRANS_RECIPIENT_INFO_VERSION_ISSUERSN; + else + version = NSS_CMS_KEYTRANS_RECIPIENT_INFO_VERSION_SUBJKEY; + dummy = SEC_ASN1EncodeInteger(poolp, &(ri->ri.keyTransRecipientInfo.version), version); + if (dummy == NULL) + goto loser; + break; + case NSSCMSRecipientInfoID_KeyAgree: + dummy = SEC_ASN1EncodeInteger(poolp, &(ri->ri.keyAgreeRecipientInfo.version), + NSS_CMS_KEYAGREE_RECIPIENT_INFO_VERSION); + if (dummy == NULL) + goto loser; + break; + case NSSCMSRecipientInfoID_KEK: + /* NOTE: this cannot happen as long as we do not support any KEK algorithm */ + dummy = SEC_ASN1EncodeInteger(poolp, &(ri->ri.kekRecipientInfo.version), + NSS_CMS_KEK_RECIPIENT_INFO_VERSION); + if (dummy == NULL) + goto loser; + break; } done: - PORT_ArenaUnmark (poolp, mark); + PORT_ArenaUnmark(poolp, mark); if (freeSpki) - SECKEY_DestroySubjectPublicKeyInfo(freeSpki); + SECKEY_DestroySubjectPublicKeyInfo(freeSpki); return ri; loser: @@ -251,11 +248,11 @@ loser: CERT_DestroyCertificate(ri->cert); } if (freeSpki) { - SECKEY_DestroySubjectPublicKeyInfo(freeSpki); + SECKEY_DestroySubjectPublicKeyInfo(freeSpki); } - PORT_ArenaRelease (poolp, mark); + PORT_ArenaRelease(poolp, mark); if (cmsg->contentInfo.contentTypeTag == &fakeContent) { - NSS_CMSMessage_Destroy(cmsg); + NSS_CMSMessage_Destroy(cmsg); } return NULL; } @@ -263,67 +260,66 @@ loser: /* * NSS_CMSRecipientInfo_Create - create a recipientinfo * - * we currently do not create KeyAgreement recipientinfos with multiple - * recipientEncryptedKeys the certificate is supposed to have been + * we currently do not create KeyAgreement recipientinfos with multiple + * recipientEncryptedKeys the certificate is supposed to have been * verified by the caller */ NSSCMSRecipientInfo * NSS_CMSRecipientInfo_Create(NSSCMSMessage *cmsg, CERTCertificate *cert) { - return nss_cmsrecipientinfo_create(cmsg, NSSCMSRecipientID_IssuerSN, cert, + return nss_cmsrecipientinfo_create(cmsg, NSSCMSRecipientID_IssuerSN, cert, NULL, NULL, NULL, NULL); } NSSCMSRecipientInfo * -NSS_CMSRecipientInfo_CreateNew(void* pwfn_arg) +NSS_CMSRecipientInfo_CreateNew(void *pwfn_arg) { - return nss_cmsrecipientinfo_create(NULL, NSSCMSRecipientID_BrandNew, NULL, + return nss_cmsrecipientinfo_create(NULL, NSSCMSRecipientID_BrandNew, NULL, NULL, NULL, pwfn_arg, NULL); } NSSCMSRecipientInfo * -NSS_CMSRecipientInfo_CreateFromDER(SECItem* input, void* pwfn_arg) +NSS_CMSRecipientInfo_CreateFromDER(SECItem *input, void *pwfn_arg) { - return nss_cmsrecipientinfo_create(NULL, NSSCMSRecipientID_BrandNew, NULL, + return nss_cmsrecipientinfo_create(NULL, NSSCMSRecipientID_BrandNew, NULL, NULL, NULL, pwfn_arg, input); } - NSSCMSRecipientInfo * -NSS_CMSRecipientInfo_CreateWithSubjKeyID(NSSCMSMessage *cmsg, - SECItem *subjKeyID, - SECKEYPublicKey *pubKey) +NSS_CMSRecipientInfo_CreateWithSubjKeyID(NSSCMSMessage *cmsg, + SECItem *subjKeyID, + SECKEYPublicKey *pubKey) { - return nss_cmsrecipientinfo_create(cmsg, NSSCMSRecipientID_SubjectKeyID, + return nss_cmsrecipientinfo_create(cmsg, NSSCMSRecipientID_SubjectKeyID, NULL, pubKey, subjKeyID, NULL, NULL); } NSSCMSRecipientInfo * NSS_CMSRecipientInfo_CreateWithSubjKeyIDFromCert(NSSCMSMessage *cmsg, - CERTCertificate *cert) + CERTCertificate *cert) { SECKEYPublicKey *pubKey = NULL; - SECItem subjKeyID = {siBuffer, NULL, 0}; + SECItem subjKeyID = { siBuffer, NULL, 0 }; NSSCMSRecipientInfo *retVal = NULL; if (!cmsg || !cert) { - return NULL; + return NULL; } pubKey = CERT_ExtractPublicKey(cert); if (!pubKey) { - goto done; + goto done; } if (CERT_FindSubjectKeyIDExtension(cert, &subjKeyID) != SECSuccess || subjKeyID.data == NULL) { - goto done; + goto done; } retVal = NSS_CMSRecipientInfo_CreateWithSubjKeyID(cmsg, &subjKeyID, pubKey); done: if (pubKey) - SECKEY_DestroyPublicKey(pubKey); + SECKEY_DestroyPublicKey(pubKey); if (subjKeyID.data) - SECITEM_FreeItem(&subjKeyID, PR_FALSE); + SECITEM_FreeItem(&subjKeyID, PR_FALSE); return retVal; } @@ -337,16 +333,16 @@ NSS_CMSRecipientInfo_Destroy(NSSCMSRecipientInfo *ri) /* version was allocated on the pool, so no need to destroy it */ /* issuerAndSN was allocated on the pool, so no need to destroy it */ if (ri->cert != NULL) - CERT_DestroyCertificate(ri->cert); + CERT_DestroyCertificate(ri->cert); if (nss_cmsrecipientinfo_usessubjectkeyid(ri)) { - NSSCMSKeyTransRecipientInfoEx *extra; - extra = &ri->ri.keyTransRecipientInfoEx; - if (extra->pubKey) - SECKEY_DestroyPublicKey(extra->pubKey); + NSSCMSKeyTransRecipientInfoEx *extra; + extra = &ri->ri.keyTransRecipientInfoEx; + if (extra->pubKey) + SECKEY_DestroyPublicKey(extra->pubKey); } if (ri->cmsg && ri->cmsg->contentInfo.contentTypeTag == &fakeContent) { - NSS_CMSMessage_Destroy(ri->cmsg); + NSS_CMSMessage_Destroy(ri->cmsg); } /* we're done. */ @@ -359,28 +355,28 @@ NSS_CMSRecipientInfo_GetVersion(NSSCMSRecipientInfo *ri) SECItem *versionitem = NULL; switch (ri->recipientInfoType) { - case NSSCMSRecipientInfoID_KeyTrans: - /* ignore subIndex */ - versionitem = &(ri->ri.keyTransRecipientInfo.version); - break; - case NSSCMSRecipientInfoID_KEK: - /* ignore subIndex */ - versionitem = &(ri->ri.kekRecipientInfo.version); - break; - case NSSCMSRecipientInfoID_KeyAgree: - versionitem = &(ri->ri.keyAgreeRecipientInfo.version); - break; + case NSSCMSRecipientInfoID_KeyTrans: + /* ignore subIndex */ + versionitem = &(ri->ri.keyTransRecipientInfo.version); + break; + case NSSCMSRecipientInfoID_KEK: + /* ignore subIndex */ + versionitem = &(ri->ri.kekRecipientInfo.version); + break; + case NSSCMSRecipientInfoID_KeyAgree: + versionitem = &(ri->ri.keyAgreeRecipientInfo.version); + break; } PORT_Assert(versionitem); - if (versionitem == NULL) - return 0; + if (versionitem == NULL) + return 0; /* always take apart the SECItem */ if (SEC_ASN1DecodeInteger(versionitem, &version) != SECSuccess) - return 0; + return 0; else - return (int)version; + return (int)version; } SECItem * @@ -389,43 +385,42 @@ NSS_CMSRecipientInfo_GetEncryptedKey(NSSCMSRecipientInfo *ri, int subIndex) SECItem *enckey = NULL; switch (ri->recipientInfoType) { - case NSSCMSRecipientInfoID_KeyTrans: - /* ignore subIndex */ - enckey = &(ri->ri.keyTransRecipientInfo.encKey); - break; - case NSSCMSRecipientInfoID_KEK: - /* ignore subIndex */ - enckey = &(ri->ri.kekRecipientInfo.encKey); - break; - case NSSCMSRecipientInfoID_KeyAgree: - enckey = &(ri->ri.keyAgreeRecipientInfo.recipientEncryptedKeys[subIndex]->encKey); - break; + case NSSCMSRecipientInfoID_KeyTrans: + /* ignore subIndex */ + enckey = &(ri->ri.keyTransRecipientInfo.encKey); + break; + case NSSCMSRecipientInfoID_KEK: + /* ignore subIndex */ + enckey = &(ri->ri.kekRecipientInfo.encKey); + break; + case NSSCMSRecipientInfoID_KeyAgree: + enckey = &(ri->ri.keyAgreeRecipientInfo.recipientEncryptedKeys[subIndex]->encKey); + break; } return enckey; } - SECOidTag NSS_CMSRecipientInfo_GetKeyEncryptionAlgorithmTag(NSSCMSRecipientInfo *ri) { SECOidTag encalgtag = SEC_OID_UNKNOWN; /* an invalid encryption alg */ switch (ri->recipientInfoType) { - case NSSCMSRecipientInfoID_KeyTrans: - encalgtag = SECOID_GetAlgorithmTag(&(ri->ri.keyTransRecipientInfo.keyEncAlg)); - break; - case NSSCMSRecipientInfoID_KeyAgree: - encalgtag = SECOID_GetAlgorithmTag(&(ri->ri.keyAgreeRecipientInfo.keyEncAlg)); - break; - case NSSCMSRecipientInfoID_KEK: - encalgtag = SECOID_GetAlgorithmTag(&(ri->ri.kekRecipientInfo.keyEncAlg)); - break; + case NSSCMSRecipientInfoID_KeyTrans: + encalgtag = SECOID_GetAlgorithmTag(&(ri->ri.keyTransRecipientInfo.keyEncAlg)); + break; + case NSSCMSRecipientInfoID_KeyAgree: + encalgtag = SECOID_GetAlgorithmTag(&(ri->ri.keyAgreeRecipientInfo.keyEncAlg)); + break; + case NSSCMSRecipientInfoID_KEK: + encalgtag = SECOID_GetAlgorithmTag(&(ri->ri.kekRecipientInfo.keyEncAlg)); + break; } return encalgtag; } SECStatus -NSS_CMSRecipientInfo_WrapBulkKey(NSSCMSRecipientInfo *ri, PK11SymKey *bulkkey, +NSS_CMSRecipientInfo_WrapBulkKey(NSSCMSRecipientInfo *ri, PK11SymKey *bulkkey, SECOidTag bulkalgtag) { CERTCertificate *cert; @@ -442,21 +437,19 @@ NSS_CMSRecipientInfo_WrapBulkKey(NSSCMSRecipientInfo *ri, PK11SymKey *bulkkey, cert = ri->cert; usesSubjKeyID = nss_cmsrecipientinfo_usessubjectkeyid(ri); if (cert) { - spki = &cert->subjectPublicKeyInfo; - certalgtag = SECOID_GetAlgorithmTag(&(spki->algorithm)); + spki = &cert->subjectPublicKeyInfo; } else if (usesSubjKeyID) { - extra = &ri->ri.keyTransRecipientInfoEx; - /* sanity check */ - PORT_Assert(extra->pubKey); - if (!extra->pubKey) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; - } - spki = freeSpki = SECKEY_CreateSubjectPublicKeyInfo(extra->pubKey); - certalgtag = SECOID_GetAlgorithmTag(&spki->algorithm); + extra = &ri->ri.keyTransRecipientInfoEx; + /* sanity check */ + PORT_Assert(extra->pubKey); + if (!extra->pubKey) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + spki = freeSpki = SECKEY_CreateSubjectPublicKeyInfo(extra->pubKey); } else { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; } /* XXX set ri->recipientInfoType to the proper value here */ @@ -464,66 +457,65 @@ NSS_CMSRecipientInfo_WrapBulkKey(NSSCMSRecipientInfo *ri, PK11SymKey *bulkkey, certalgtag = SECOID_GetAlgorithmTag(&spki->algorithm); switch (certalgtag) { - case SEC_OID_PKCS1_RSA_ENCRYPTION: - /* wrap the symkey */ - if (cert) { - rv = NSS_CMSUtil_EncryptSymKey_RSA(poolp, cert, bulkkey, - &ri->ri.keyTransRecipientInfo.encKey); - if (rv != SECSuccess) - break; - } else if (usesSubjKeyID) { - PORT_Assert(extra != NULL); - rv = NSS_CMSUtil_EncryptSymKey_RSAPubKey(poolp, extra->pubKey, - bulkkey, &ri->ri.keyTransRecipientInfo.encKey); - if (rv != SECSuccess) - break; - } - - rv = SECOID_SetAlgorithmID(poolp, &(ri->ri.keyTransRecipientInfo.keyEncAlg), certalgtag, NULL); - break; - case SEC_OID_X942_DIFFIE_HELMAN_KEY: /* dh-public-number */ - rek = ri->ri.keyAgreeRecipientInfo.recipientEncryptedKeys[0]; - if (rek == NULL) { - rv = SECFailure; - break; - } - - oiok = &(ri->ri.keyAgreeRecipientInfo.originatorIdentifierOrKey); - PORT_Assert(oiok->identifierType == NSSCMSOriginatorIDOrKey_OriginatorPublicKey); - - /* see RFC2630 12.3.1.1 */ - if (SECOID_SetAlgorithmID(poolp, &oiok->id.originatorPublicKey.algorithmIdentifier, - SEC_OID_X942_DIFFIE_HELMAN_KEY, NULL) != SECSuccess) { - rv = SECFailure; - break; - } - - /* this will generate a key pair, compute the shared secret, */ - /* derive a key and ukm for the keyEncAlg out of it, encrypt the bulk key with */ - /* the keyEncAlg, set encKey, keyEncAlg, publicKey etc. */ - rv = NSS_CMSUtil_EncryptSymKey_ESDH(poolp, cert, bulkkey, - &rek->encKey, - &ri->ri.keyAgreeRecipientInfo.ukm, - &ri->ri.keyAgreeRecipientInfo.keyEncAlg, - &oiok->id.originatorPublicKey.publicKey); - - break; - default: - /* other algorithms not supported yet */ - /* NOTE that we do not support any KEK algorithm */ - PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); - rv = SECFailure; - break; + case SEC_OID_PKCS1_RSA_ENCRYPTION: + /* wrap the symkey */ + if (cert) { + rv = NSS_CMSUtil_EncryptSymKey_RSA(poolp, cert, bulkkey, + &ri->ri.keyTransRecipientInfo.encKey); + if (rv != SECSuccess) + break; + } else if (usesSubjKeyID) { + PORT_Assert(extra != NULL); + rv = NSS_CMSUtil_EncryptSymKey_RSAPubKey(poolp, extra->pubKey, + bulkkey, &ri->ri.keyTransRecipientInfo.encKey); + if (rv != SECSuccess) + break; + } + + rv = SECOID_SetAlgorithmID(poolp, &(ri->ri.keyTransRecipientInfo.keyEncAlg), certalgtag, NULL); + break; + case SEC_OID_X942_DIFFIE_HELMAN_KEY: /* dh-public-number */ + rek = ri->ri.keyAgreeRecipientInfo.recipientEncryptedKeys[0]; + if (rek == NULL) { + rv = SECFailure; + break; + } + + oiok = &(ri->ri.keyAgreeRecipientInfo.originatorIdentifierOrKey); + PORT_Assert(oiok->identifierType == NSSCMSOriginatorIDOrKey_OriginatorPublicKey); + + /* see RFC2630 12.3.1.1 */ + if (SECOID_SetAlgorithmID(poolp, &oiok->id.originatorPublicKey.algorithmIdentifier, + SEC_OID_X942_DIFFIE_HELMAN_KEY, NULL) != SECSuccess) { + rv = SECFailure; + break; + } + + /* this will generate a key pair, compute the shared secret, */ + /* derive a key and ukm for the keyEncAlg out of it, encrypt the bulk key with */ + /* the keyEncAlg, set encKey, keyEncAlg, publicKey etc. */ + rv = NSS_CMSUtil_EncryptSymKey_ESDH(poolp, cert, bulkkey, + &rek->encKey, + &ri->ri.keyAgreeRecipientInfo.ukm, + &ri->ri.keyAgreeRecipientInfo.keyEncAlg, + &oiok->id.originatorPublicKey.publicKey); + + break; + default: + /* other algorithms not supported yet */ + /* NOTE that we do not support any KEK algorithm */ + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); + rv = SECFailure; } if (freeSpki) - SECKEY_DestroySubjectPublicKeyInfo(freeSpki); + SECKEY_DestroySubjectPublicKeyInfo(freeSpki); return rv; } PK11SymKey * -NSS_CMSRecipientInfo_UnwrapBulkKey(NSSCMSRecipientInfo *ri, int subIndex, - CERTCertificate *cert, SECKEYPrivateKey *privkey, SECOidTag bulkalgtag) +NSS_CMSRecipientInfo_UnwrapBulkKey(NSSCMSRecipientInfo *ri, int subIndex, + CERTCertificate *cert, SECKEYPrivateKey *privkey, SECOidTag bulkalgtag) { PK11SymKey *bulkkey = NULL; SECOidTag encalgtag; @@ -531,51 +523,51 @@ NSS_CMSRecipientInfo_UnwrapBulkKey(NSSCMSRecipientInfo *ri, int subIndex, int error; ri->cert = CERT_DupCertificate(cert); - /* mark the recipientInfo so we can find it later */ + /* mark the recipientInfo so we can find it later */ switch (ri->recipientInfoType) { - case NSSCMSRecipientInfoID_KeyTrans: - encalgtag = SECOID_GetAlgorithmTag(&(ri->ri.keyTransRecipientInfo.keyEncAlg)); - enckey = &(ri->ri.keyTransRecipientInfo.encKey); /* ignore subIndex */ - switch (encalgtag) { - case SEC_OID_PKCS1_RSA_ENCRYPTION: - /* RSA encryption algorithm: */ - /* get the symmetric (bulk) key by unwrapping it using our private key */ - bulkkey = NSS_CMSUtil_DecryptSymKey_RSA(privkey, enckey, bulkalgtag); - break; - default: - error = SEC_ERROR_UNSUPPORTED_KEYALG; - goto loser; - } - break; - case NSSCMSRecipientInfoID_KeyAgree: - encalgtag = SECOID_GetAlgorithmTag(&(ri->ri.keyAgreeRecipientInfo.keyEncAlg)); - enckey = &(ri->ri.keyAgreeRecipientInfo.recipientEncryptedKeys[subIndex]->encKey); - switch (encalgtag) { - case SEC_OID_X942_DIFFIE_HELMAN_KEY: - /* Diffie-Helman key exchange */ - /* XXX not yet implemented */ - /* XXX problem: SEC_OID_X942_DIFFIE_HELMAN_KEY points to a PKCS3 mechanism! */ - /* we support ephemeral-static DH only, so if the recipientinfo */ - /* has originator stuff in it, we punt (or do we? shouldn't be that hard...) */ - /* first, we derive the KEK (a symkey!) using a Derive operation, then we get the */ - /* content encryption key using a Unwrap op */ - /* the derive operation has to generate the key using the algorithm in RFC2631 */ - error = SEC_ERROR_UNSUPPORTED_KEYALG; - goto loser; - break; - default: - error = SEC_ERROR_UNSUPPORTED_KEYALG; - goto loser; - } - break; - case NSSCMSRecipientInfoID_KEK: - encalgtag = SECOID_GetAlgorithmTag(&(ri->ri.kekRecipientInfo.keyEncAlg)); - enckey = &(ri->ri.kekRecipientInfo.encKey); - /* not supported yet */ - error = SEC_ERROR_UNSUPPORTED_KEYALG; - goto loser; - break; + case NSSCMSRecipientInfoID_KeyTrans: + encalgtag = SECOID_GetAlgorithmTag(&(ri->ri.keyTransRecipientInfo.keyEncAlg)); + enckey = &(ri->ri.keyTransRecipientInfo.encKey); /* ignore subIndex */ + switch (encalgtag) { + case SEC_OID_PKCS1_RSA_ENCRYPTION: + /* RSA encryption algorithm: */ + /* get the symmetric (bulk) key by unwrapping it using our private key */ + bulkkey = NSS_CMSUtil_DecryptSymKey_RSA(privkey, enckey, bulkalgtag); + break; + default: + error = SEC_ERROR_UNSUPPORTED_KEYALG; + goto loser; + } + break; + case NSSCMSRecipientInfoID_KeyAgree: + encalgtag = SECOID_GetAlgorithmTag(&(ri->ri.keyAgreeRecipientInfo.keyEncAlg)); + enckey = &(ri->ri.keyAgreeRecipientInfo.recipientEncryptedKeys[subIndex]->encKey); + switch (encalgtag) { + case SEC_OID_X942_DIFFIE_HELMAN_KEY: + /* Diffie-Helman key exchange */ + /* XXX not yet implemented */ + /* XXX problem: SEC_OID_X942_DIFFIE_HELMAN_KEY points to a PKCS3 mechanism! */ + /* we support ephemeral-static DH only, so if the recipientinfo */ + /* has originator stuff in it, we punt (or do we? shouldn't be that hard...) */ + /* first, we derive the KEK (a symkey!) using a Derive operation, then we get the */ + /* content encryption key using a Unwrap op */ + /* the derive operation has to generate the key using the algorithm in RFC2631 */ + error = SEC_ERROR_UNSUPPORTED_KEYALG; + goto loser; + break; + default: + error = SEC_ERROR_UNSUPPORTED_KEYALG; + goto loser; + } + break; + case NSSCMSRecipientInfoID_KEK: + encalgtag = SECOID_GetAlgorithmTag(&(ri->ri.kekRecipientInfo.keyEncAlg)); + enckey = &(ri->ri.kekRecipientInfo.encKey); + /* not supported yet */ + error = SEC_ERROR_UNSUPPORTED_KEYALG; + goto loser; + break; } /* XXXX continue here */ return bulkkey; @@ -585,19 +577,20 @@ loser: return NULL; } -SECStatus NSS_CMSRecipientInfo_GetCertAndKey(NSSCMSRecipientInfo *ri, - CERTCertificate** retcert, - SECKEYPrivateKey** retkey) +SECStatus +NSS_CMSRecipientInfo_GetCertAndKey(NSSCMSRecipientInfo *ri, + CERTCertificate **retcert, + SECKEYPrivateKey **retkey) { - CERTCertificate* cert = NULL; - NSSCMSRecipient** recipients = NULL; - NSSCMSRecipientInfo* recipientInfos[2]; + CERTCertificate *cert = NULL; + NSSCMSRecipient **recipients = NULL; + NSSCMSRecipientInfo *recipientInfos[2]; SECStatus rv = SECSuccess; - SECKEYPrivateKey* key = NULL; + SECKEYPrivateKey *key = NULL; if (!ri) return SECFailure; - + if (!retcert && !retkey) { /* nothing requested, nothing found, success */ return SECSuccess; @@ -626,7 +619,7 @@ SECStatus NSS_CMSRecipientInfo_GetCertAndKey(NSSCMSRecipientInfo *ri, if (recipients) { /* now look for the cert and key */ if (0 == PK11_FindCertAndKeyByRecipientListNew(recipients, - ri->cmsg->pwfn_arg)) { + ri->cmsg->pwfn_arg)) { cert = CERT_DupCertificate(recipients[0]->cert); key = SECKEY_CopyPrivateKey(recipients[0]->privkey); } else { @@ -634,10 +627,9 @@ SECStatus NSS_CMSRecipientInfo_GetCertAndKey(NSSCMSRecipientInfo *ri, } nss_cms_recipient_list_destroy(recipients); - } - else { + } else { rv = SECFailure; - } + } } else if (SECSuccess == rv && cert && retkey) { /* we have the cert, we just need the key now */ key = PK11_FindPrivateKeyFromCert(cert->slot, cert, ri->cmsg->pwfn_arg); @@ -660,16 +652,17 @@ SECStatus NSS_CMSRecipientInfo_GetCertAndKey(NSSCMSRecipientInfo *ri, return rv; } -SECStatus NSS_CMSRecipientInfo_Encode(PLArenaPool* poolp, - const NSSCMSRecipientInfo *src, - SECItem* returned) +SECStatus +NSS_CMSRecipientInfo_Encode(PLArenaPool *poolp, + const NSSCMSRecipientInfo *src, + SECItem *returned) { extern const SEC_ASN1Template NSSCMSRecipientInfoTemplate[]; SECStatus rv = SECFailure; if (!src || !returned) { PORT_SetError(SEC_ERROR_INVALID_ARGS); } else if (SEC_ASN1EncodeItem(poolp, returned, src, - NSSCMSRecipientInfoTemplate)) { + NSSCMSRecipientInfoTemplate)) { rv = SECSuccess; } return rv; diff --git a/nss/lib/smime/cmsreclist.c b/nss/lib/smime/cmsreclist.c index 913c651..99d7e90 100644 --- a/nss/lib/smime/cmsreclist.c +++ b/nss/lib/smime/cmsreclist.c @@ -18,7 +18,8 @@ #include "secerr.h" static int -nss_cms_recipients_traverse(NSSCMSRecipientInfo **recipientinfos, NSSCMSRecipient **recipient_list) +nss_cms_recipients_traverse(NSSCMSRecipientInfo **recipientinfos, + NSSCMSRecipient **recipient_list) { int count = 0; int rlindex = 0; @@ -28,84 +29,85 @@ nss_cms_recipients_traverse(NSSCMSRecipientInfo **recipientinfos, NSSCMSRecipien NSSCMSRecipientEncryptedKey *rek; for (i = 0; recipientinfos[i] != NULL; i++) { - ri = recipientinfos[i]; - switch (ri->recipientInfoType) { - case NSSCMSRecipientInfoID_KeyTrans: - if (recipient_list) { - NSSCMSRecipientIdentifier *recipId = - &ri->ri.keyTransRecipientInfo.recipientIdentifier; + ri = recipientinfos[i]; + switch (ri->recipientInfoType) { + case NSSCMSRecipientInfoID_KeyTrans: + if (recipient_list) { + NSSCMSRecipientIdentifier *recipId = + &ri->ri.keyTransRecipientInfo.recipientIdentifier; - if (recipId->identifierType != NSSCMSRecipientID_IssuerSN && - recipId->identifierType != NSSCMSRecipientID_SubjectKeyID) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return -1; - } - /* alloc one & fill it out */ - rle = (NSSCMSRecipient *)PORT_ZAlloc(sizeof(NSSCMSRecipient)); - if (!rle) - return -1; - - rle->riIndex = i; - rle->subIndex = -1; - switch (recipId->identifierType) { - case NSSCMSRecipientID_IssuerSN: - rle->kind = RLIssuerSN; - rle->id.issuerAndSN = recipId->id.issuerAndSN; - break; - case NSSCMSRecipientID_SubjectKeyID: - rle->kind = RLSubjKeyID; - rle->id.subjectKeyID = recipId->id.subjectKeyID; - break; - default: /* we never get here because of identifierType check - we done before. Leaving it to kill compiler warning */ - break; - } - recipient_list[rlindex++] = rle; - } else { - count++; - } - break; - case NSSCMSRecipientInfoID_KeyAgree: - if (ri->ri.keyAgreeRecipientInfo.recipientEncryptedKeys == NULL) - break; - for (j=0; ri->ri.keyAgreeRecipientInfo.recipientEncryptedKeys[j] != NULL; j++) { - if (recipient_list) { - rek = ri->ri.keyAgreeRecipientInfo.recipientEncryptedKeys[j]; - /* alloc one & fill it out */ - rle = (NSSCMSRecipient *)PORT_ZAlloc(sizeof(NSSCMSRecipient)); - if (!rle) - return -1; - - rle->riIndex = i; - rle->subIndex = j; - switch (rek->recipientIdentifier.identifierType) { - case NSSCMSKeyAgreeRecipientID_IssuerSN: - rle->kind = RLIssuerSN; - rle->id.issuerAndSN = rek->recipientIdentifier.id.issuerAndSN; - break; - case NSSCMSKeyAgreeRecipientID_RKeyID: - rle->kind = RLSubjKeyID; - rle->id.subjectKeyID = rek->recipientIdentifier.id.recipientKeyIdentifier.subjectKeyIdentifier; - break; - } - recipient_list[rlindex++] = rle; - } else { - count++; - } - } - break; - case NSSCMSRecipientInfoID_KEK: - /* KEK is not implemented */ - break; - } + if (recipId->identifierType != NSSCMSRecipientID_IssuerSN && + recipId->identifierType != NSSCMSRecipientID_SubjectKeyID) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return -1; + } + /* alloc one & fill it out */ + rle = (NSSCMSRecipient *)PORT_ZAlloc(sizeof(NSSCMSRecipient)); + if (!rle) + return -1; + + rle->riIndex = i; + rle->subIndex = -1; + switch (recipId->identifierType) { + case NSSCMSRecipientID_IssuerSN: + rle->kind = RLIssuerSN; + rle->id.issuerAndSN = recipId->id.issuerAndSN; + break; + case NSSCMSRecipientID_SubjectKeyID: + rle->kind = RLSubjKeyID; + rle->id.subjectKeyID = recipId->id.subjectKeyID; + break; + default: /* we never get here because of identifierType check + we done before. Leaving it to kill compiler warning */ + break; + } + recipient_list[rlindex++] = rle; + } else { + count++; + } + break; + case NSSCMSRecipientInfoID_KeyAgree: + if (ri->ri.keyAgreeRecipientInfo.recipientEncryptedKeys == NULL) + break; + for (j = 0; ri->ri.keyAgreeRecipientInfo.recipientEncryptedKeys[j] != NULL; j++) { + if (recipient_list) { + rek = ri->ri.keyAgreeRecipientInfo.recipientEncryptedKeys[j]; + /* alloc one & fill it out */ + rle = (NSSCMSRecipient *)PORT_ZAlloc(sizeof(NSSCMSRecipient)); + if (!rle) + return -1; + + rle->riIndex = i; + rle->subIndex = j; + switch (rek->recipientIdentifier.identifierType) { + case NSSCMSKeyAgreeRecipientID_IssuerSN: + rle->kind = RLIssuerSN; + rle->id.issuerAndSN = rek->recipientIdentifier.id.issuerAndSN; + break; + case NSSCMSKeyAgreeRecipientID_RKeyID: + rle->kind = RLSubjKeyID; + rle->id.subjectKeyID = + rek->recipientIdentifier.id.recipientKeyIdentifier.subjectKeyIdentifier; + break; + } + recipient_list[rlindex++] = rle; + } else { + count++; + } + } + break; + case NSSCMSRecipientInfoID_KEK: + /* KEK is not implemented */ + break; + } } /* if we have a recipient list, we return on success (-1, above, on failure) */ /* otherwise, we return the count. */ if (recipient_list) { - recipient_list[rlindex] = NULL; - return 0; + recipient_list[rlindex] = NULL; + return 0; } else { - return count; + return count; } } @@ -118,25 +120,25 @@ nss_cms_recipient_list_create(NSSCMSRecipientInfo **recipientinfos) /* count the number of recipient identifiers */ count = nss_cms_recipients_traverse(recipientinfos, NULL); if (count <= 0) { - /* no recipients? */ - PORT_SetError(SEC_ERROR_BAD_DATA); + /* no recipients? */ + PORT_SetError(SEC_ERROR_BAD_DATA); #if 0 - PORT_SetErrorString("Cannot find recipient data in envelope."); + PORT_SetErrorString("Cannot find recipient data in envelope."); #endif - return NULL; + return NULL; } /* allocate an array of pointers */ recipient_list = (NSSCMSRecipient **) - PORT_ZAlloc((count + 1) * sizeof(NSSCMSRecipient *)); + PORT_ZAlloc((count + 1) * sizeof(NSSCMSRecipient *)); if (recipient_list == NULL) - return NULL; + return NULL; /* now fill in the recipient_list */ rv = nss_cms_recipients_traverse(recipientinfos, recipient_list); if (rv < 0) { - nss_cms_recipient_list_destroy(recipient_list); - return NULL; + nss_cms_recipient_list_destroy(recipient_list); + return NULL; } return recipient_list; } @@ -147,15 +149,15 @@ nss_cms_recipient_list_destroy(NSSCMSRecipient **recipient_list) int i; NSSCMSRecipient *recipient; - for (i=0; recipient_list[i] != NULL; i++) { - recipient = recipient_list[i]; - if (recipient->cert) - CERT_DestroyCertificate(recipient->cert); - if (recipient->privkey) - SECKEY_DestroyPrivateKey(recipient->privkey); - if (recipient->slot) - PK11_FreeSlot(recipient->slot); - PORT_Free(recipient); + for (i = 0; recipient_list[i] != NULL; i++) { + recipient = recipient_list[i]; + if (recipient->cert) + CERT_DestroyCertificate(recipient->cert); + if (recipient->privkey) + SECKEY_DestroyPrivateKey(recipient->privkey); + if (recipient->slot) + PK11_FreeSlot(recipient->slot); + PORT_Free(recipient); } PORT_Free(recipient_list); } @@ -163,5 +165,6 @@ nss_cms_recipient_list_destroy(NSSCMSRecipient **recipient_list) NSSCMSRecipientEncryptedKey * NSS_CMSRecipientEncryptedKey_Create(PLArenaPool *poolp) { - return (NSSCMSRecipientEncryptedKey *)PORT_ArenaZAlloc(poolp, sizeof(NSSCMSRecipientEncryptedKey)); + return (NSSCMSRecipientEncryptedKey *)PORT_ArenaZAlloc(poolp, + sizeof(NSSCMSRecipientEncryptedKey)); } diff --git a/nss/lib/smime/cmsreclist.h b/nss/lib/smime/cmsreclist.h index 4c094d4..f424aca 100644 --- a/nss/lib/smime/cmsreclist.h +++ b/nss/lib/smime/cmsreclist.h @@ -6,19 +6,20 @@ #define _CMSRECLIST_H struct NSSCMSRecipientStr { - int riIndex; /* this recipient's index in recipientInfo array */ - int subIndex; /* index into recipientEncryptedKeys */ - /* (only in NSSCMSKeyAgreeRecipientInfoStr) */ - enum {RLIssuerSN=0, RLSubjKeyID=1} kind; /* for conversion recipientinfos -> recipientlist */ + int riIndex; /* this recipient's index in recipientInfo array */ + int subIndex; /* index into recipientEncryptedKeys */ + /* (only in NSSCMSKeyAgreeRecipientInfoStr) */ + enum { RLIssuerSN = 0, + RLSubjKeyID = 1 } kind; /* for conversion recipientinfos -> recipientlist */ union { - CERTIssuerAndSN * issuerAndSN; - SECItem * subjectKeyID; + CERTIssuerAndSN* issuerAndSN; + SECItem* subjectKeyID; } id; /* result data (filled out for each recipient that's us) */ - CERTCertificate * cert; - SECKEYPrivateKey * privkey; - PK11SlotInfo * slot; + CERTCertificate* cert; + SECKEYPrivateKey* privkey; + PK11SlotInfo* slot; }; typedef struct NSSCMSRecipientStr NSSCMSRecipient; diff --git a/nss/lib/smime/cmssigdata.c b/nss/lib/smime/cmssigdata.c index a4527d9..7dd6ea4 100644 --- a/nss/lib/smime/cmssigdata.c +++ b/nss/lib/smime/cmssigdata.c @@ -32,9 +32,9 @@ NSS_CMSSignedData_Create(NSSCMSMessage *cmsg) mark = PORT_ArenaMark(poolp); - sigd = (NSSCMSSignedData *)PORT_ArenaZAlloc (poolp, sizeof(NSSCMSSignedData)); + sigd = (NSSCMSSignedData *)PORT_ArenaZAlloc(poolp, sizeof(NSSCMSSignedData)); if (sigd == NULL) - goto loser; + goto loser; sigd->cmsg = cmsg; @@ -57,7 +57,7 @@ NSS_CMSSignedData_Destroy(NSSCMSSignedData *sigd) NSSCMSSignerInfo **signerinfos, *si; if (sigd == NULL) - return; + return; certs = sigd->certs; tempCerts = sigd->tempCerts; @@ -65,28 +65,27 @@ NSS_CMSSignedData_Destroy(NSSCMSSignedData *sigd) signerinfos = sigd->signerInfos; if (certs != NULL) { - while ((cert = *certs++) != NULL) - CERT_DestroyCertificate (cert); + while ((cert = *certs++) != NULL) + CERT_DestroyCertificate(cert); } if (tempCerts != NULL) { - while ((cert = *tempCerts++) != NULL) - CERT_DestroyCertificate (cert); + while ((cert = *tempCerts++) != NULL) + CERT_DestroyCertificate(cert); } if (certlists != NULL) { - while ((certlist = *certlists++) != NULL) - CERT_DestroyCertificateList (certlist); + while ((certlist = *certlists++) != NULL) + CERT_DestroyCertificateList(certlist); } if (signerinfos != NULL) { - while ((si = *signerinfos++) != NULL) - NSS_CMSSignerInfo_Destroy(si); + while ((si = *signerinfos++) != NULL) + NSS_CMSSignerInfo_Destroy(si); } /* everything's in a pool, so don't worry about the storage */ - NSS_CMSContentInfo_Destroy(&(sigd->contentInfo)); - + NSS_CMSContentInfo_Destroy(&(sigd->contentInfo)); } /* @@ -122,58 +121,58 @@ NSS_CMSSignedData_Encode_BeforeStart(NSSCMSSignedData *sigd) /* we assume that we have precomputed digests if there is a list of algorithms, and */ /* a chunk of data for each of those algorithms */ if (sigd->digestAlgorithms != NULL && sigd->digests != NULL) { - for (i=0; sigd->digestAlgorithms[i] != NULL; i++) { - if (sigd->digests[i] == NULL) - break; - } - if (sigd->digestAlgorithms[i] == NULL) /* reached the end of the array? */ - haveDigests = PR_TRUE; /* yes: we must have all the digests */ - } - + for (i = 0; sigd->digestAlgorithms[i] != NULL; i++) { + if (sigd->digests[i] == NULL) + break; + } + if (sigd->digestAlgorithms[i] == NULL) /* reached the end of the array? */ + haveDigests = PR_TRUE; /* yes: we must have all the digests */ + } + version = NSS_CMS_SIGNED_DATA_VERSION_BASIC; /* RFC2630 5.1 "version is the syntax version number..." */ if (NSS_CMSContentInfo_GetContentTypeTag(&(sigd->contentInfo)) != SEC_OID_PKCS7_DATA) - version = NSS_CMS_SIGNED_DATA_VERSION_EXT; + version = NSS_CMS_SIGNED_DATA_VERSION_EXT; /* prepare all the SignerInfos (there may be none) */ - for (i=0; i < NSS_CMSSignedData_SignerInfoCount(sigd); i++) { - signerinfo = NSS_CMSSignedData_GetSignerInfo(sigd, i); - - /* RFC2630 5.1 "version is the syntax version number..." */ - if (NSS_CMSSignerInfo_GetVersion(signerinfo) != NSS_CMS_SIGNER_INFO_VERSION_ISSUERSN) - version = NSS_CMS_SIGNED_DATA_VERSION_EXT; - - /* collect digestAlgorithms from SignerInfos */ - /* (we need to know which algorithms we have when the content comes in) */ - /* do not overwrite any existing digestAlgorithms (and digest) */ - digestalgtag = NSS_CMSSignerInfo_GetDigestAlgTag(signerinfo); - n = NSS_CMSAlgArray_GetIndexByAlgTag(sigd->digestAlgorithms, digestalgtag); - if (n < 0 && haveDigests) { - /* oops, there is a digestalg we do not have a digest for */ - /* but we were supposed to have all the digests already... */ - goto loser; - } else if (n < 0) { - /* add the digestAlgorithm & a NULL digest */ - rv = NSS_CMSSignedData_AddDigest(poolp, sigd, digestalgtag, NULL); - if (rv != SECSuccess) - goto loser; - } else { - /* found it, nothing to do */ - } + for (i = 0; i < NSS_CMSSignedData_SignerInfoCount(sigd); i++) { + signerinfo = NSS_CMSSignedData_GetSignerInfo(sigd, i); + + /* RFC2630 5.1 "version is the syntax version number..." */ + if (NSS_CMSSignerInfo_GetVersion(signerinfo) != NSS_CMS_SIGNER_INFO_VERSION_ISSUERSN) + version = NSS_CMS_SIGNED_DATA_VERSION_EXT; + + /* collect digestAlgorithms from SignerInfos */ + /* (we need to know which algorithms we have when the content comes in) */ + /* do not overwrite any existing digestAlgorithms (and digest) */ + digestalgtag = NSS_CMSSignerInfo_GetDigestAlgTag(signerinfo); + n = NSS_CMSAlgArray_GetIndexByAlgTag(sigd->digestAlgorithms, digestalgtag); + if (n < 0 && haveDigests) { + /* oops, there is a digestalg we do not have a digest for */ + /* but we were supposed to have all the digests already... */ + goto loser; + } else if (n < 0) { + /* add the digestAlgorithm & a NULL digest */ + rv = NSS_CMSSignedData_AddDigest(poolp, sigd, digestalgtag, NULL); + if (rv != SECSuccess) + goto loser; + } else { + /* found it, nothing to do */ + } } dummy = SEC_ASN1EncodeInteger(poolp, &(sigd->version), (long)version); if (dummy == NULL) - return SECFailure; + return SECFailure; /* this is a SET OF, so we need to sort them guys */ - rv = NSS_CMSArray_SortByDER((void **)sigd->digestAlgorithms, + rv = NSS_CMSArray_SortByDER((void **)sigd->digestAlgorithms, SEC_ASN1_GET(SECOID_AlgorithmIDTemplate), - (void **)sigd->digests); + (void **)sigd->digests); if (rv != SECSuccess) - return SECFailure; - + return SECFailure; + return SECSuccess; loser: @@ -190,16 +189,16 @@ NSS_CMSSignedData_Encode_BeforeData(NSSCMSSignedData *sigd) } rv = NSS_CMSContentInfo_Private_Init(&sigd->contentInfo); if (rv != SECSuccess) { - return SECFailure; + return SECFailure; } /* set up the digests */ if (sigd->digests && sigd->digests[0]) { - sigd->contentInfo.privateInfo->digcx = NULL; /* don't attempt to make new ones. */ + sigd->contentInfo.privateInfo->digcx = NULL; /* don't attempt to make new ones. */ } else if (sigd->digestAlgorithms != NULL) { - sigd->contentInfo.privateInfo->digcx = - NSS_CMSDigestContext_StartMultiple(sigd->digestAlgorithms); - if (sigd->contentInfo.privateInfo->digcx == NULL) - return SECFailure; + sigd->contentInfo.privateInfo->digcx = + NSS_CMSDigestContext_StartMultiple(sigd->digestAlgorithms); + if (sigd->contentInfo.privateInfo->digcx == NULL) + return SECFailure; } return SECSuccess; } @@ -239,53 +238,53 @@ NSS_CMSSignedData_Encode_AfterData(NSSCMSSignedData *sigd) /* did we have digest calculation going on? */ if (cinfo->privateInfo && cinfo->privateInfo->digcx) { - rv = NSS_CMSDigestContext_FinishMultiple(cinfo->privateInfo->digcx, poolp, - &(sigd->digests)); - /* error has been set by NSS_CMSDigestContext_FinishMultiple */ - cinfo->privateInfo->digcx = NULL; - if (rv != SECSuccess) - goto loser; + rv = NSS_CMSDigestContext_FinishMultiple(cinfo->privateInfo->digcx, poolp, + &(sigd->digests)); + /* error has been set by NSS_CMSDigestContext_FinishMultiple */ + cinfo->privateInfo->digcx = NULL; + if (rv != SECSuccess) + goto loser; } signerinfos = sigd->signerInfos; certcount = 0; /* prepare all the SignerInfos (there may be none) */ - for (i=0; i < NSS_CMSSignedData_SignerInfoCount(sigd); i++) { - signerinfo = NSS_CMSSignedData_GetSignerInfo(sigd, i); - - /* find correct digest for this signerinfo */ - digestalgtag = NSS_CMSSignerInfo_GetDigestAlgTag(signerinfo); - n = NSS_CMSAlgArray_GetIndexByAlgTag(sigd->digestAlgorithms, digestalgtag); - if (n < 0 || sigd->digests == NULL || sigd->digests[n] == NULL) { - /* oops - digest not found */ - PORT_SetError(SEC_ERROR_DIGEST_NOT_FOUND); - goto loser; - } + for (i = 0; i < NSS_CMSSignedData_SignerInfoCount(sigd); i++) { + signerinfo = NSS_CMSSignedData_GetSignerInfo(sigd, i); + + /* find correct digest for this signerinfo */ + digestalgtag = NSS_CMSSignerInfo_GetDigestAlgTag(signerinfo); + n = NSS_CMSAlgArray_GetIndexByAlgTag(sigd->digestAlgorithms, digestalgtag); + if (n < 0 || sigd->digests == NULL || sigd->digests[n] == NULL) { + /* oops - digest not found */ + PORT_SetError(SEC_ERROR_DIGEST_NOT_FOUND); + goto loser; + } - /* XXX if our content is anything else but data, we need to force the - * presence of signed attributes (RFC2630 5.3 "signedAttributes is a - * collection...") */ + /* XXX if our content is anything else but data, we need to force the + * presence of signed attributes (RFC2630 5.3 "signedAttributes is a + * collection...") */ - /* pass contentType here as we want a contentType attribute */ - if ((contentType = NSS_CMSContentInfo_GetContentTypeOID(cinfo)) == NULL) - goto loser; + /* pass contentType here as we want a contentType attribute */ + if ((contentType = NSS_CMSContentInfo_GetContentTypeOID(cinfo)) == NULL) + goto loser; - /* sign the thing */ - rv = NSS_CMSSignerInfo_Sign(signerinfo, sigd->digests[n], contentType); - if (rv != SECSuccess) - goto loser; + /* sign the thing */ + rv = NSS_CMSSignerInfo_Sign(signerinfo, sigd->digests[n], contentType); + if (rv != SECSuccess) + goto loser; - /* while we're at it, count number of certs in certLists */ - certlist = NSS_CMSSignerInfo_GetCertList(signerinfo); - if (certlist) - certcount += certlist->len; + /* while we're at it, count number of certs in certLists */ + certlist = NSS_CMSSignerInfo_GetCertList(signerinfo); + if (certlist) + certcount += certlist->len; } /* this is a SET OF, so we need to sort them guys */ rv = NSS_CMSArray_SortByDER((void **)signerinfos, NSSCMSSignerInfoTemplate, NULL); if (rv != SECSuccess) - goto loser; + goto loser; /* * now prepare certs & crls @@ -293,65 +292,65 @@ NSS_CMSSignedData_Encode_AfterData(NSSCMSSignedData *sigd) /* count the rest of the certs */ if (sigd->certs != NULL) { - for (ci = 0; sigd->certs[ci] != NULL; ci++) - certcount++; + for (ci = 0; sigd->certs[ci] != NULL; ci++) + certcount++; } if (sigd->certLists != NULL) { - for (cli = 0; sigd->certLists[cli] != NULL; cli++) - certcount += sigd->certLists[cli]->len; + for (cli = 0; sigd->certLists[cli] != NULL; cli++) + certcount += sigd->certLists[cli]->len; } if (certcount == 0) { - sigd->rawCerts = NULL; + sigd->rawCerts = NULL; } else { - /* - * Combine all of the certs and cert chains into rawcerts. - * Note: certcount is an upper bound; we may not need that many slots - * but we will allocate anyway to avoid having to do another pass. - * (The temporary space saving is not worth it.) - * - * XXX ARGH - this NEEDS to be fixed. need to come up with a decent - * SetOfDERcertficates implementation - */ - sigd->rawCerts = (SECItem **)PORT_ArenaAlloc(poolp, (certcount + 1) * sizeof(SECItem *)); - if (sigd->rawCerts == NULL) - return SECFailure; - - /* - * XXX Want to check for duplicates and not add *any* cert that is - * already in the set. This will be more important when we start - * dealing with larger sets of certs, dual-key certs (signing and - * encryption), etc. For the time being we can slide by... - * - * XXX ARGH - this NEEDS to be fixed. need to come up with a decent - * SetOfDERcertficates implementation - */ - rci = 0; - if (signerinfos != NULL) { - for (si = 0; signerinfos[si] != NULL; si++) { - signerinfo = signerinfos[si]; - for (ci = 0; ci < signerinfo->certList->len; ci++) - sigd->rawCerts[rci++] = &(signerinfo->certList->certs[ci]); - } - } - - if (sigd->certs != NULL) { - for (ci = 0; sigd->certs[ci] != NULL; ci++) - sigd->rawCerts[rci++] = &(sigd->certs[ci]->derCert); - } - - if (sigd->certLists != NULL) { - for (cli = 0; sigd->certLists[cli] != NULL; cli++) { - for (ci = 0; ci < sigd->certLists[cli]->len; ci++) - sigd->rawCerts[rci++] = &(sigd->certLists[cli]->certs[ci]); - } - } - - sigd->rawCerts[rci] = NULL; - - /* this is a SET OF, so we need to sort them guys - we have the DER already, though */ - NSS_CMSArray_Sort((void **)sigd->rawCerts, NSS_CMSUtil_DERCompare, NULL, NULL); + /* + * Combine all of the certs and cert chains into rawcerts. + * Note: certcount is an upper bound; we may not need that many slots + * but we will allocate anyway to avoid having to do another pass. + * (The temporary space saving is not worth it.) + * + * XXX ARGH - this NEEDS to be fixed. need to come up with a decent + * SetOfDERcertficates implementation + */ + sigd->rawCerts = (SECItem **)PORT_ArenaAlloc(poolp, (certcount + 1) * sizeof(SECItem *)); + if (sigd->rawCerts == NULL) + return SECFailure; + + /* + * XXX Want to check for duplicates and not add *any* cert that is + * already in the set. This will be more important when we start + * dealing with larger sets of certs, dual-key certs (signing and + * encryption), etc. For the time being we can slide by... + * + * XXX ARGH - this NEEDS to be fixed. need to come up with a decent + * SetOfDERcertficates implementation + */ + rci = 0; + if (signerinfos != NULL) { + for (si = 0; signerinfos[si] != NULL; si++) { + signerinfo = signerinfos[si]; + for (ci = 0; ci < signerinfo->certList->len; ci++) + sigd->rawCerts[rci++] = &(signerinfo->certList->certs[ci]); + } + } + + if (sigd->certs != NULL) { + for (ci = 0; sigd->certs[ci] != NULL; ci++) + sigd->rawCerts[rci++] = &(sigd->certs[ci]->derCert); + } + + if (sigd->certLists != NULL) { + for (cli = 0; sigd->certLists[cli] != NULL; cli++) { + for (ci = 0; ci < sigd->certLists[cli]->len; ci++) + sigd->rawCerts[rci++] = &(sigd->certLists[cli]->certs[ci]); + } + } + + sigd->rawCerts[rci] = NULL; + + /* this is a SET OF, so we need to sort them guys - we have the DER already, though */ + NSS_CMSArray_Sort((void **)sigd->rawCerts, NSS_CMSUtil_DERCompare, NULL, NULL); } ret = SECSuccess; @@ -370,39 +369,38 @@ NSS_CMSSignedData_Decode_BeforeData(NSSCMSSignedData *sigd) } rv = NSS_CMSContentInfo_Private_Init(&sigd->contentInfo); if (rv != SECSuccess) { - return SECFailure; + return SECFailure; } /* handle issue with Windows 2003 servers and kerberos */ if (sigd->digestAlgorithms != NULL) { - int i; - for (i=0; sigd->digestAlgorithms[i] != NULL; i++) { - SECAlgorithmID *algid = sigd->digestAlgorithms[i]; - SECOidTag senttag= SECOID_FindOIDTag(&algid->algorithm); - SECOidTag maptag = NSS_CMSUtil_MapSignAlgs(senttag); - - if (maptag != senttag) { - SECOidData *hashoid = SECOID_FindOIDByTag(maptag); - rv = SECITEM_CopyItem(sigd->cmsg->poolp, &algid->algorithm - ,&hashoid->oid); - if (rv != SECSuccess) { - return rv; - } - } - } + int i; + for (i = 0; sigd->digestAlgorithms[i] != NULL; i++) { + SECAlgorithmID *algid = sigd->digestAlgorithms[i]; + SECOidTag senttag = SECOID_FindOIDTag(&algid->algorithm); + SECOidTag maptag = NSS_CMSUtil_MapSignAlgs(senttag); + + if (maptag != senttag) { + SECOidData *hashoid = SECOID_FindOIDByTag(maptag); + rv = SECITEM_CopyItem(sigd->cmsg->poolp, &algid->algorithm, &hashoid->oid); + if (rv != SECSuccess) { + return rv; + } + } + } } /* set up the digests */ if (sigd->digestAlgorithms != NULL && sigd->digests == NULL) { - /* if digests are already there, do nothing */ - sigd->contentInfo.privateInfo->digcx = NSS_CMSDigestContext_StartMultiple(sigd->digestAlgorithms); - if (sigd->contentInfo.privateInfo->digcx == NULL) - return SECFailure; + /* if digests are already there, do nothing */ + sigd->contentInfo.privateInfo->digcx = NSS_CMSDigestContext_StartMultiple(sigd->digestAlgorithms); + if (sigd->contentInfo.privateInfo->digcx == NULL) + return SECFailure; } return SECSuccess; } /* - * NSS_CMSSignedData_Decode_AfterData - do all the necessary things to a + * NSS_CMSSignedData_Decode_AfterData - do all the necessary things to a * SignedData after all the encapsulated data was passed through the decoder. */ SECStatus @@ -417,10 +415,10 @@ NSS_CMSSignedData_Decode_AfterData(NSSCMSSignedData *sigd) /* did we have digest calculation going on? */ if (sigd->contentInfo.privateInfo && sigd->contentInfo.privateInfo->digcx) { - rv = NSS_CMSDigestContext_FinishMultiple(sigd->contentInfo.privateInfo->digcx, - sigd->cmsg->poolp, &(sigd->digests)); - /* error set by NSS_CMSDigestContext_FinishMultiple */ - sigd->contentInfo.privateInfo->digcx = NULL; + rv = NSS_CMSDigestContext_FinishMultiple(sigd->contentInfo.privateInfo->digcx, + sigd->cmsg->poolp, &(sigd->digests)); + /* error set by NSS_CMSDigestContext_FinishMultiple */ + sigd->contentInfo.privateInfo->digcx = NULL; } return rv; } @@ -445,14 +443,14 @@ NSS_CMSSignedData_Decode_AfterEnd(NSSCMSSignedData *sigd) /* set cmsg for all the signerinfos */ if (signerinfos) { - for (i = 0; signerinfos[i] != NULL; i++) - signerinfos[i]->cmsg = sigd->cmsg; + for (i = 0; signerinfos[i] != NULL; i++) + signerinfos[i]->cmsg = sigd->cmsg; } return SECSuccess; } -/* +/* * NSS_CMSSignedData_GetSignerInfos - retrieve the SignedData's signer list */ NSSCMSSignerInfo ** @@ -485,7 +483,7 @@ NSS_CMSSignedData_GetSignerInfo(NSSCMSSignedData *sigd, int i) return sigd->signerInfos[i]; } -/* +/* * NSS_CMSSignedData_GetDigestAlgs - retrieve the SignedData's digest algorithm list */ SECAlgorithmID ** @@ -511,7 +509,7 @@ NSS_CMSSignedData_GetContentInfo(NSSCMSSignedData *sigd) return &(sigd->contentInfo); } -/* +/* * NSS_CMSSignedData_GetCertificateList - retrieve the SignedData's certificate list */ SECItem ** @@ -526,7 +524,7 @@ NSS_CMSSignedData_GetCertificateList(NSSCMSSignedData *sigd) SECStatus NSS_CMSSignedData_ImportCerts(NSSCMSSignedData *sigd, CERTCertDBHandle *certdb, - SECCertUsage certusage, PRBool keepcerts) + SECCertUsage certusage, PRBool keepcerts) { int certcount; CERTCertificate **certArray = NULL; @@ -545,99 +543,99 @@ NSS_CMSSignedData_ImportCerts(NSSCMSSignedData *sigd, CERTCertDBHandle *certdb, certcount = NSS_CMSArray_Count((void **)sigd->rawCerts); /* get the certs in the temp DB */ - rv = CERT_ImportCerts(certdb, certusage, certcount, sigd->rawCerts, - &certArray, PR_FALSE, PR_FALSE, NULL); + rv = CERT_ImportCerts(certdb, certusage, certcount, sigd->rawCerts, + &certArray, PR_FALSE, PR_FALSE, NULL); if (rv != SECSuccess) { - goto loser; + goto loser; } /* save the certs so they don't get destroyed */ - for (i=0; i < certcount; i++) { - CERTCertificate *cert = certArray[i]; - if (cert) + for (i = 0; i < certcount; i++) { + CERTCertificate *cert = certArray[i]; + if (cert) NSS_CMSSignedData_AddTempCertificate(sigd, cert); } if (!keepcerts) { - goto done; + goto done; } /* build a CertList for filtering */ certList = CERT_NewCertList(); if (certList == NULL) { - rv = SECFailure; - goto loser; + rv = SECFailure; + goto loser; } - for (i=0; i < certcount; i++) { - CERTCertificate *cert = certArray[i]; - if (cert) - cert = CERT_DupCertificate(cert); - if (cert) - CERT_AddCertToListTail(certList,cert); + for (i = 0; i < certcount; i++) { + CERTCertificate *cert = certArray[i]; + if (cert) + cert = CERT_DupCertificate(cert); + if (cert) + CERT_AddCertToListTail(certList, cert); } /* filter out the certs we don't want */ - rv = CERT_FilterCertListByUsage(certList,certusage, PR_FALSE); + rv = CERT_FilterCertListByUsage(certList, certusage, PR_FALSE); if (rv != SECSuccess) { - goto loser; + goto loser; } /* go down the remaining list of certs and verify that they have * valid chains, then import them. */ now = PR_Now(); - for (node = CERT_LIST_HEAD(certList) ; !CERT_LIST_END(node,certList); - node= CERT_LIST_NEXT(node)) { - CERTCertificateList *certChain; - - if (CERT_VerifyCert(certdb, node->cert, - PR_TRUE, certusage, now, NULL, NULL) != SECSuccess) { - continue; - } - - certChain = CERT_CertChainFromCert(node->cert, certusage, PR_FALSE); - if (!certChain) { - continue; - } - - /* - * CertChain returns an array of SECItems, import expects an array of - * SECItem pointers. Create the SECItem Pointers from the array of - * SECItems. - */ - rawArray = (SECItem **)PORT_Alloc(certChain->len*sizeof (SECItem *)); - if (!rawArray) { - CERT_DestroyCertificateList(certChain); - continue; - } - for (i=0; i < certChain->len; i++) { - rawArray[i] = &certChain->certs[i]; - } - (void )CERT_ImportCerts(certdb, certusage, certChain->len, - rawArray, NULL, keepcerts, PR_FALSE, NULL); - PORT_Free(rawArray); - CERT_DestroyCertificateList(certChain); + for (node = CERT_LIST_HEAD(certList); !CERT_LIST_END(node, certList); + node = CERT_LIST_NEXT(node)) { + CERTCertificateList *certChain; + + if (CERT_VerifyCert(certdb, node->cert, + PR_TRUE, certusage, now, NULL, NULL) != SECSuccess) { + continue; + } + + certChain = CERT_CertChainFromCert(node->cert, certusage, PR_FALSE); + if (!certChain) { + continue; + } + + /* + * CertChain returns an array of SECItems, import expects an array of + * SECItem pointers. Create the SECItem Pointers from the array of + * SECItems. + */ + rawArray = (SECItem **)PORT_Alloc(certChain->len * sizeof(SECItem *)); + if (!rawArray) { + CERT_DestroyCertificateList(certChain); + continue; + } + for (i = 0; i < certChain->len; i++) { + rawArray[i] = &certChain->certs[i]; + } + (void)CERT_ImportCerts(certdb, certusage, certChain->len, + rawArray, NULL, keepcerts, PR_FALSE, NULL); + PORT_Free(rawArray); + CERT_DestroyCertificateList(certChain); } rv = SECSuccess; - /* XXX CRL handling */ +/* XXX CRL handling */ done: if (sigd->signerInfos != NULL) { - /* fill in all signerinfo's certs */ - for (i = 0; sigd->signerInfos[i] != NULL; i++) - (void)NSS_CMSSignerInfo_GetSigningCertificate( - sigd->signerInfos[i], certdb); + /* fill in all signerinfo's certs */ + for (i = 0; sigd->signerInfos[i] != NULL; i++) + (void)NSS_CMSSignerInfo_GetSigningCertificate( + sigd->signerInfos[i], certdb); } loser: /* now free everything */ if (certArray) { - CERT_DestroyCertArray(certArray,certcount); + CERT_DestroyCertArray(certArray, certcount); } if (certList) { - CERT_DestroyCertList(certList); + CERT_DestroyCertList(certList); } return rv; @@ -658,8 +656,8 @@ loser: * for the purpose specified by "certusage". */ SECStatus -NSS_CMSSignedData_VerifySignerInfo(NSSCMSSignedData *sigd, int i, - CERTCertDBHandle *certdb, SECCertUsage certusage) +NSS_CMSSignedData_VerifySignerInfo(NSSCMSSignedData *sigd, int i, + CERTCertDBHandle *certdb, SECCertUsage certusage) { NSSCMSSignerInfo *signerinfo; NSSCMSContentInfo *cinfo; @@ -680,7 +678,7 @@ NSS_CMSSignedData_VerifySignerInfo(NSSCMSSignedData *sigd, int i, /* verify certificate */ rv = NSS_CMSSignerInfo_VerifyCertificate(signerinfo, certdb, certusage); if (rv != SECSuccess) - return rv; /* error is set */ + return rv; /* error is set */ /* find digest and contentType for signerinfo */ algiddata = NSS_CMSSignerInfo_GetDigestAlg(signerinfo); @@ -699,8 +697,8 @@ NSS_CMSSignedData_VerifySignerInfo(NSSCMSSignedData *sigd, int i, * NSS_CMSSignedData_VerifyCertsOnly - verify the certs in a certs-only message */ SECStatus -NSS_CMSSignedData_VerifyCertsOnly(NSSCMSSignedData *sigd, - CERTCertDBHandle *certdb, +NSS_CMSSignedData_VerifyCertsOnly(NSSCMSSignedData *sigd, + CERTCertDBHandle *certdb, SECCertUsage usage) { CERTCertificate *cert; @@ -708,27 +706,31 @@ NSS_CMSSignedData_VerifyCertsOnly(NSSCMSSignedData *sigd, int i; int count; PRTime now; + void *pwarg = NULL; if (!sigd || !certdb || !sigd->rawCerts) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; } - count = NSS_CMSArray_Count((void**)sigd->rawCerts); + count = NSS_CMSArray_Count((void **)sigd->rawCerts); now = PR_Now(); - for (i=0; i < count; i++) { - if (sigd->certs && sigd->certs[i]) { - cert = CERT_DupCertificate(sigd->certs[i]); - } else { - cert = CERT_FindCertByDERCert(certdb, sigd->rawCerts[i]); - if (!cert) { - rv = SECFailure; - break; - } - } - rv |= CERT_VerifyCert(certdb, cert, PR_TRUE, usage, now, - NULL, NULL); - CERT_DestroyCertificate(cert); + for (i = 0; i < count; i++) { + if (sigd->certs && sigd->certs[i]) { + cert = CERT_DupCertificate(sigd->certs[i]); + } else { + cert = CERT_FindCertByDERCert(certdb, sigd->rawCerts[i]); + if (!cert) { + rv = SECFailure; + break; + } + } + if (sigd->cmsg) { + pwarg = sigd->cmsg->pwfn_arg; + } + rv |= CERT_VerifyCert(certdb, cert, PR_TRUE, usage, now, + pwarg, NULL); + CERT_DestroyCertificate(cert); } return rv; @@ -764,7 +766,7 @@ NSS_CMSSignedData_AddCertList(NSSCMSSignedData *sigd, CERTCertificateList *certl } /* - * NSS_CMSSignedData_AddCertChain - add cert and its entire chain to the set of certs + * NSS_CMSSignedData_AddCertChain - add cert and its entire chain to the set of certs */ SECStatus NSS_CMSSignedData_AddCertChain(NSSCMSSignedData *sigd, CERTCertificate *cert) @@ -783,7 +785,7 @@ NSS_CMSSignedData_AddCertChain(NSSCMSSignedData *sigd, CERTCertificate *cert) /* do not include root */ certlist = CERT_CertChainFromCert(cert, usage, PR_FALSE); if (certlist == NULL) - return SECFailure; + return SECFailure; rv = NSS_CMSSignedData_AddCertList(sigd, certlist); @@ -830,16 +832,16 @@ NSS_CMSSignedData_ContainsCertsOrCrls(NSSCMSSignedData *sigd) return PR_FALSE; } if (sigd->rawCerts != NULL && sigd->rawCerts[0] != NULL) - return PR_TRUE; + return PR_TRUE; else if (sigd->crls != NULL && sigd->crls[0] != NULL) - return PR_TRUE; + return PR_TRUE; else - return PR_FALSE; + return PR_FALSE; } SECStatus NSS_CMSSignedData_AddSignerInfo(NSSCMSSignedData *sigd, - NSSCMSSignerInfo *signerinfo) + NSSCMSSignerInfo *signerinfo) { void *mark; SECStatus rv; @@ -858,7 +860,7 @@ NSS_CMSSignedData_AddSignerInfo(NSSCMSSignedData *sigd, /* add signerinfo */ rv = NSS_CMSArray_Add(poolp, (void ***)&(sigd->signerInfos), (void *)signerinfo); if (rv != SECSuccess) - goto loser; + goto loser; /* * add empty digest @@ -869,7 +871,7 @@ NSS_CMSSignedData_AddSignerInfo(NSSCMSSignedData *sigd, digestalgtag = NSS_CMSSignerInfo_GetDigestAlgTag(signerinfo); rv = NSS_CMSSignedData_SetDigestValue(sigd, digestalgtag, NULL); if (rv != SECSuccess) - goto loser; + goto loser; /* * The last thing to get consistency would be adding the digest. @@ -879,7 +881,7 @@ NSS_CMSSignedData_AddSignerInfo(NSSCMSSignedData *sigd, return SECSuccess; loser: - PORT_ArenaRelease (poolp, mark); + PORT_ArenaRelease(poolp, mark); return SECFailure; } @@ -891,8 +893,8 @@ loser: */ SECStatus NSS_CMSSignedData_SetDigests(NSSCMSSignedData *sigd, - SECAlgorithmID **digestalgs, - SECItem **digests) + SECAlgorithmID **digestalgs, + SECItem **digests) { int cnt, i, idx; @@ -902,55 +904,54 @@ NSS_CMSSignedData_SetDigests(NSSCMSSignedData *sigd, } if (sigd->digestAlgorithms == NULL) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; } /* we assume that the digests array is just not there yet */ PORT_Assert(sigd->digests == NULL); if (sigd->digests != NULL) { - PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); - return SECFailure; + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; } /* now allocate one (same size as digestAlgorithms) */ cnt = NSS_CMSArray_Count((void **)sigd->digestAlgorithms); sigd->digests = PORT_ArenaZAlloc(sigd->cmsg->poolp, (cnt + 1) * sizeof(SECItem *)); if (sigd->digests == NULL) { - PORT_SetError(SEC_ERROR_NO_MEMORY); - return SECFailure; + PORT_SetError(SEC_ERROR_NO_MEMORY); + return SECFailure; } for (i = 0; sigd->digestAlgorithms[i] != NULL; i++) { - /* try to find the sigd's i'th digest algorithm in the array we passed in */ - idx = NSS_CMSAlgArray_GetIndexByAlgID(digestalgs, sigd->digestAlgorithms[i]); - if (idx < 0) { - PORT_SetError(SEC_ERROR_DIGEST_NOT_FOUND); - return SECFailure; - } - if (!digests[idx]) { - /* We have no digest for this algorithm, probably because it is - ** unrecognized or unsupported. We'll ignore this here. If this - ** digest is needed later, an error will be be generated then. - */ - continue; - } - - /* found it - now set it */ - if ((sigd->digests[i] = SECITEM_AllocItem(sigd->cmsg->poolp, NULL, 0)) == NULL || - SECITEM_CopyItem(sigd->cmsg->poolp, sigd->digests[i], digests[idx]) != SECSuccess) - { - PORT_SetError(SEC_ERROR_NO_MEMORY); - return SECFailure; - } + /* try to find the sigd's i'th digest algorithm in the array we passed in */ + idx = NSS_CMSAlgArray_GetIndexByAlgID(digestalgs, sigd->digestAlgorithms[i]); + if (idx < 0) { + PORT_SetError(SEC_ERROR_DIGEST_NOT_FOUND); + return SECFailure; + } + if (!digests[idx]) { + /* We have no digest for this algorithm, probably because it is + ** unrecognized or unsupported. We'll ignore this here. If this + ** digest is needed later, an error will be be generated then. + */ + continue; + } + + /* found it - now set it */ + if ((sigd->digests[i] = SECITEM_AllocItem(sigd->cmsg->poolp, NULL, 0)) == NULL || + SECITEM_CopyItem(sigd->cmsg->poolp, sigd->digests[i], digests[idx]) != SECSuccess) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + return SECFailure; + } } return SECSuccess; } SECStatus NSS_CMSSignedData_SetDigestValue(NSSCMSSignedData *sigd, - SECOidTag digestalgtag, - SECItem *digestdata) + SECOidTag digestalgtag, + SECItem *digestdata) { SECItem *digest = NULL; PLArenaPool *poolp; @@ -966,13 +967,12 @@ NSS_CMSSignedData_SetDigestValue(NSSCMSSignedData *sigd, mark = PORT_ArenaMark(poolp); - if (digestdata) { - digest = (SECItem *) PORT_ArenaZAlloc(poolp,sizeof(SECItem)); + digest = (SECItem *)PORT_ArenaZAlloc(poolp, sizeof(SECItem)); - /* copy digestdata item to arena (in case we have it and are not only making room) */ - if (SECITEM_CopyItem(poolp, digest, digestdata) != SECSuccess) - goto loser; + /* copy digestdata item to arena (in case we have it and are not only making room) */ + if (SECITEM_CopyItem(poolp, digest, digestdata) != SECSuccess) + goto loser; } /* now allocate one (same size as digestAlgorithms) */ @@ -980,22 +980,22 @@ NSS_CMSSignedData_SetDigestValue(NSSCMSSignedData *sigd, cnt = NSS_CMSArray_Count((void **)sigd->digestAlgorithms); sigd->digests = PORT_ArenaZAlloc(sigd->cmsg->poolp, (cnt + 1) * sizeof(SECItem *)); if (sigd->digests == NULL) { - PORT_SetError(SEC_ERROR_NO_MEMORY); - return SECFailure; + PORT_SetError(SEC_ERROR_NO_MEMORY); + return SECFailure; } } n = -1; if (sigd->digestAlgorithms != NULL) - n = NSS_CMSAlgArray_GetIndexByAlgTag(sigd->digestAlgorithms, digestalgtag); + n = NSS_CMSAlgArray_GetIndexByAlgTag(sigd->digestAlgorithms, digestalgtag); /* if not found, add a digest */ if (n < 0) { - if (NSS_CMSSignedData_AddDigest(poolp, sigd, digestalgtag, digest) != SECSuccess) - goto loser; + if (NSS_CMSSignedData_AddDigest(poolp, sigd, digestalgtag, digest) != SECSuccess) + goto loser; } else { - /* replace NULL pointer with digest item (and leak previous value) */ - sigd->digests[n] = digest; + /* replace NULL pointer with digest item (and leak previous value) */ + sigd->digests[n] = digest; } PORT_ArenaUnmark(poolp, mark); @@ -1008,9 +1008,9 @@ loser: SECStatus NSS_CMSSignedData_AddDigest(PLArenaPool *poolp, - NSSCMSSignedData *sigd, - SECOidTag digestalgtag, - SECItem *digest) + NSSCMSSignedData *sigd, + SECOidTag digestalgtag, + SECItem *digest) { SECAlgorithmID *digestalg; void *mark; @@ -1024,16 +1024,17 @@ NSS_CMSSignedData_AddDigest(PLArenaPool *poolp, digestalg = PORT_ArenaZAlloc(poolp, sizeof(SECAlgorithmID)); if (digestalg == NULL) - goto loser; + goto loser; - if (SECOID_SetAlgorithmID (poolp, digestalg, digestalgtag, NULL) != SECSuccess) /* no params */ - goto loser; + if (SECOID_SetAlgorithmID(poolp, digestalg, digestalgtag, NULL) != SECSuccess) /* no params */ + goto loser; - if (NSS_CMSArray_Add(poolp, (void ***)&(sigd->digestAlgorithms), (void *)digestalg) != SECSuccess || - /* even if digest is NULL, add dummy to have same-size array */ - NSS_CMSArray_Add(poolp, (void ***)&(sigd->digests), (void *)digest) != SECSuccess) - { - goto loser; + if (NSS_CMSArray_Add(poolp, (void ***)&(sigd->digestAlgorithms), + (void *)digestalg) != SECSuccess || + /* even if digest is NULL, add dummy to have same-size array */ + NSS_CMSArray_Add(poolp, (void ***)&(sigd->digests), + (void *)digest) != SECSuccess) { + goto loser; } PORT_ArenaUnmark(poolp, mark); @@ -1057,7 +1058,7 @@ NSS_CMSSignedData_GetDigestValue(NSSCMSSignedData *sigd, SECOidTag digestalgtag) if (sigd->digestAlgorithms == NULL || sigd->digests == NULL) { PORT_SetError(SEC_ERROR_DIGEST_NOT_FOUND); - return NULL; + return NULL; } n = NSS_CMSAlgArray_GetIndexByAlgTag(sigd->digestAlgorithms, digestalgtag); @@ -1099,18 +1100,18 @@ NSS_CMSSignedData_CreateCertsOnly(NSSCMSMessage *cmsg, CERTCertificate *cert, PR sigd = NSS_CMSSignedData_Create(cmsg); if (sigd == NULL) - goto loser; + goto loser; /* no signerinfos, thus no digestAlgorithms */ /* but certs */ if (include_chain) { - rv = NSS_CMSSignedData_AddCertChain(sigd, cert); + rv = NSS_CMSSignedData_AddCertChain(sigd, cert); } else { - rv = NSS_CMSSignedData_AddCertificate(sigd, cert); + rv = NSS_CMSSignedData_AddCertificate(sigd, cert); } if (rv != SECSuccess) - goto loser; + goto loser; /* RFC2630 5.2 sez: * In the degenerate case where there are no signers, the @@ -1121,14 +1122,14 @@ NSS_CMSSignedData_CreateCertsOnly(NSSCMSMessage *cmsg, CERTCertificate *cert, PR */ rv = NSS_CMSContentInfo_SetContent_Data(cmsg, &(sigd->contentInfo), NULL, PR_TRUE); if (rv != SECSuccess) - goto loser; + goto loser; PORT_ArenaUnmark(poolp, mark); return sigd; loser: if (sigd) - NSS_CMSSignedData_Destroy(sigd); + NSS_CMSSignedData_Destroy(sigd); PORT_ArenaRelease(poolp, mark); return NULL; } @@ -1138,4 +1139,3 @@ loser: * NSS_CMSSignedData_HasReceiptRequest() * easy way to iterate over signers */ - diff --git a/nss/lib/smime/cmssiginfo.c b/nss/lib/smime/cmssiginfo.c index f3635c2..ce4f87c 100644 --- a/nss/lib/smime/cmssiginfo.c +++ b/nss/lib/smime/cmssiginfo.c @@ -25,32 +25,36 @@ * SIGNERINFO */ NSSCMSSignerInfo * -nss_cmssignerinfo_create(NSSCMSMessage *cmsg, NSSCMSSignerIDSelector type, - CERTCertificate *cert, SECItem *subjKeyID, SECKEYPublicKey *pubKey, - SECKEYPrivateKey *signingKey, SECOidTag digestalgtag); +nss_cmssignerinfo_create(NSSCMSMessage *cmsg, NSSCMSSignerIDSelector type, + CERTCertificate *cert, SECItem *subjKeyID, SECKEYPublicKey *pubKey, + SECKEYPrivateKey *signingKey, SECOidTag digestalgtag); NSSCMSSignerInfo * -NSS_CMSSignerInfo_CreateWithSubjKeyID(NSSCMSMessage *cmsg, SECItem *subjKeyID, - SECKEYPublicKey *pubKey, SECKEYPrivateKey *signingKey, SECOidTag digestalgtag) +NSS_CMSSignerInfo_CreateWithSubjKeyID(NSSCMSMessage *cmsg, SECItem *subjKeyID, + SECKEYPublicKey *pubKey, + SECKEYPrivateKey *signingKey, SECOidTag digestalgtag) { - return nss_cmssignerinfo_create(cmsg, NSSCMSSignerID_SubjectKeyID, NULL, subjKeyID, pubKey, signingKey, digestalgtag); + return nss_cmssignerinfo_create(cmsg, NSSCMSSignerID_SubjectKeyID, NULL, + subjKeyID, pubKey, signingKey, digestalgtag); } NSSCMSSignerInfo * NSS_CMSSignerInfo_Create(NSSCMSMessage *cmsg, CERTCertificate *cert, SECOidTag digestalgtag) { - return nss_cmssignerinfo_create(cmsg, NSSCMSSignerID_IssuerSN, cert, NULL, NULL, NULL, digestalgtag); + return nss_cmssignerinfo_create(cmsg, NSSCMSSignerID_IssuerSN, cert, NULL, + NULL, NULL, digestalgtag); } NSSCMSSignerInfo * -nss_cmssignerinfo_create(NSSCMSMessage *cmsg, NSSCMSSignerIDSelector type, - CERTCertificate *cert, SECItem *subjKeyID, SECKEYPublicKey *pubKey, - SECKEYPrivateKey *signingKey, SECOidTag digestalgtag) +nss_cmssignerinfo_create(NSSCMSMessage *cmsg, NSSCMSSignerIDSelector type, + CERTCertificate *cert, SECItem *subjKeyID, SECKEYPublicKey *pubKey, + SECKEYPrivateKey *signingKey, SECOidTag digestalgtag) { void *mark; NSSCMSSignerInfo *signerinfo; int version; PLArenaPool *poolp; + SECStatus rv; poolp = cmsg->poolp; @@ -58,50 +62,52 @@ nss_cmssignerinfo_create(NSSCMSMessage *cmsg, NSSCMSSignerIDSelector type, signerinfo = (NSSCMSSignerInfo *)PORT_ArenaZAlloc(poolp, sizeof(NSSCMSSignerInfo)); if (signerinfo == NULL) { - PORT_ArenaRelease(poolp, mark); - return NULL; + PORT_ArenaRelease(poolp, mark); + return NULL; } - signerinfo->cmsg = cmsg; - switch(type) { - case NSSCMSSignerID_IssuerSN: - signerinfo->signerIdentifier.identifierType = NSSCMSSignerID_IssuerSN; - if ((signerinfo->cert = CERT_DupCertificate(cert)) == NULL) - goto loser; - if ((signerinfo->signerIdentifier.id.issuerAndSN = CERT_GetCertIssuerAndSN(poolp, cert)) == NULL) - goto loser; - break; - case NSSCMSSignerID_SubjectKeyID: - signerinfo->signerIdentifier.identifierType = NSSCMSSignerID_SubjectKeyID; - PORT_Assert(subjKeyID); - if (!subjKeyID) - goto loser; - - signerinfo->signerIdentifier.id.subjectKeyID = PORT_ArenaNew(poolp, SECItem); - SECITEM_CopyItem(poolp, signerinfo->signerIdentifier.id.subjectKeyID, - subjKeyID); - signerinfo->signingKey = SECKEY_CopyPrivateKey(signingKey); - if (!signerinfo->signingKey) - goto loser; - signerinfo->pubKey = SECKEY_CopyPublicKey(pubKey); - if (!signerinfo->pubKey) + switch (type) { + case NSSCMSSignerID_IssuerSN: + signerinfo->signerIdentifier.identifierType = NSSCMSSignerID_IssuerSN; + if ((signerinfo->cert = CERT_DupCertificate(cert)) == NULL) + goto loser; + if ((signerinfo->signerIdentifier.id.issuerAndSN = CERT_GetCertIssuerAndSN(poolp, cert)) == NULL) + goto loser; + break; + case NSSCMSSignerID_SubjectKeyID: + signerinfo->signerIdentifier.identifierType = NSSCMSSignerID_SubjectKeyID; + PORT_Assert(subjKeyID); + if (!subjKeyID) + goto loser; + + signerinfo->signerIdentifier.id.subjectKeyID = PORT_ArenaNew(poolp, SECItem); + rv = SECITEM_CopyItem(poolp, signerinfo->signerIdentifier.id.subjectKeyID, + subjKeyID); + if (rv != SECSuccess) { + goto loser; + } + signerinfo->signingKey = SECKEY_CopyPrivateKey(signingKey); + if (!signerinfo->signingKey) + goto loser; + signerinfo->pubKey = SECKEY_CopyPublicKey(pubKey); + if (!signerinfo->pubKey) + goto loser; + break; + default: goto loser; - break; - default: - goto loser; } /* set version right now */ version = NSS_CMS_SIGNER_INFO_VERSION_ISSUERSN; /* RFC2630 5.3 "version is the syntax version number. If the .... " */ if (signerinfo->signerIdentifier.identifierType == NSSCMSSignerID_SubjectKeyID) - version = NSS_CMS_SIGNER_INFO_VERSION_SUBJKEY; + version = NSS_CMS_SIGNER_INFO_VERSION_SUBJKEY; (void)SEC_ASN1EncodeInteger(poolp, &(signerinfo->version), (long)version); if (SECOID_SetAlgorithmID(poolp, &signerinfo->digestAlg, digestalgtag, NULL) != SECSuccess) - goto loser; + goto loser; PORT_ArenaUnmark(poolp, mark); return signerinfo; @@ -118,10 +124,10 @@ void NSS_CMSSignerInfo_Destroy(NSSCMSSignerInfo *si) { if (si->cert != NULL) - CERT_DestroyCertificate(si->cert); + CERT_DestroyCertificate(si->cert); - if (si->certList != NULL) - CERT_DestroyCertificateList(si->certList); + if (si->certList != NULL) + CERT_DestroyCertificateList(si->certList); /* XXX storage ??? */ } @@ -131,7 +137,7 @@ NSS_CMSSignerInfo_Destroy(NSSCMSSignerInfo *si) * */ SECStatus -NSS_CMSSignerInfo_Sign(NSSCMSSignerInfo *signerinfo, SECItem *digest, +NSS_CMSSignerInfo_Sign(NSSCMSSignerInfo *signerinfo, SECItem *digest, SECItem *contentType) { CERTCertificate *cert; @@ -144,31 +150,31 @@ NSS_CMSSignerInfo_Sign(NSSCMSSignerInfo *signerinfo, SECItem *digest, SECAlgorithmID *algID, freeAlgID; CERTSubjectPublicKeyInfo *spki; - PORT_Assert (digest != NULL); + PORT_Assert(digest != NULL); poolp = signerinfo->cmsg->poolp; switch (signerinfo->signerIdentifier.identifierType) { - case NSSCMSSignerID_IssuerSN: - cert = signerinfo->cert; - - privkey = PK11_FindKeyByAnyCert(cert, signerinfo->cmsg->pwfn_arg); - if (privkey == NULL) - goto loser; - algID = &cert->subjectPublicKeyInfo.algorithm; - break; - case NSSCMSSignerID_SubjectKeyID: - privkey = signerinfo->signingKey; - signerinfo->signingKey = NULL; - spki = SECKEY_CreateSubjectPublicKeyInfo(signerinfo->pubKey); - SECKEY_DestroyPublicKey(signerinfo->pubKey); - signerinfo->pubKey = NULL; - SECOID_CopyAlgorithmID(NULL, &freeAlgID, &spki->algorithm); - SECKEY_DestroySubjectPublicKeyInfo(spki); - algID = &freeAlgID; - break; - default: - goto loser; + case NSSCMSSignerID_IssuerSN: + cert = signerinfo->cert; + + privkey = PK11_FindKeyByAnyCert(cert, signerinfo->cmsg->pwfn_arg); + if (privkey == NULL) + goto loser; + algID = &cert->subjectPublicKeyInfo.algorithm; + break; + case NSSCMSSignerID_SubjectKeyID: + privkey = signerinfo->signingKey; + signerinfo->signingKey = NULL; + spki = SECKEY_CreateSubjectPublicKeyInfo(signerinfo->pubKey); + SECKEY_DestroyPublicKey(signerinfo->pubKey); + signerinfo->pubKey = NULL; + SECOID_CopyAlgorithmID(NULL, &freeAlgID, &spki->algorithm); + SECKEY_DestroySubjectPublicKeyInfo(spki); + algID = &freeAlgID; + break; + default: + goto loser; } digestalgtag = NSS_CMSSignerInfo_GetDigestAlgTag(signerinfo); /* @@ -177,105 +183,104 @@ NSS_CMSSignerInfo_Sign(NSSCMSSignerInfo *signerinfo, SECItem *digest, */ pubkAlgTag = SECOID_GetAlgorithmTag(algID); if (signerinfo->signerIdentifier.identifierType == NSSCMSSignerID_SubjectKeyID) { - SECOID_DestroyAlgorithmID(&freeAlgID, PR_FALSE); + SECOID_DestroyAlgorithmID(&freeAlgID, PR_FALSE); } if (signerinfo->authAttr != NULL) { - SECOidTag signAlgTag; - SECItem encoded_attrs; - - /* find and fill in the message digest attribute. */ - rv = NSS_CMSAttributeArray_SetAttr(poolp, &(signerinfo->authAttr), - SEC_OID_PKCS9_MESSAGE_DIGEST, digest, PR_FALSE); - if (rv != SECSuccess) - goto loser; - - if (contentType != NULL) { - /* if the caller wants us to, find and fill in the content type attribute. */ - rv = NSS_CMSAttributeArray_SetAttr(poolp, &(signerinfo->authAttr), - SEC_OID_PKCS9_CONTENT_TYPE, contentType, PR_FALSE); - if (rv != SECSuccess) - goto loser; - } - - if ((tmppoolp = PORT_NewArena (1024)) == NULL) { - PORT_SetError(SEC_ERROR_NO_MEMORY); - goto loser; - } - - /* - * Before encoding, reorder the attributes so that when they - * are encoded, they will be conforming DER, which is required - * to have a specific order and that is what must be used for - * the hash/signature. We do this here, rather than building - * it into EncodeAttributes, because we do not want to do - * such reordering on incoming messages (which also uses - * EncodeAttributes) or our old signatures (and other "broken" - * implementations) will not verify. So, we want to guarantee - * that we send out good DER encodings of attributes, but not - * to expect to receive them. - */ - if (NSS_CMSAttributeArray_Reorder(signerinfo->authAttr) != SECSuccess) - goto loser; - - encoded_attrs.data = NULL; - encoded_attrs.len = 0; - if (NSS_CMSAttributeArray_Encode(tmppoolp, &(signerinfo->authAttr), - &encoded_attrs) == NULL) - goto loser; - - signAlgTag = SEC_GetSignatureAlgorithmOidTag(privkey->keyType, + SECOidTag signAlgTag; + SECItem encoded_attrs; + + /* find and fill in the message digest attribute. */ + rv = NSS_CMSAttributeArray_SetAttr(poolp, &(signerinfo->authAttr), + SEC_OID_PKCS9_MESSAGE_DIGEST, digest, PR_FALSE); + if (rv != SECSuccess) + goto loser; + + if (contentType != NULL) { + /* if the caller wants us to, find and fill in the content type attribute. */ + rv = NSS_CMSAttributeArray_SetAttr(poolp, &(signerinfo->authAttr), + SEC_OID_PKCS9_CONTENT_TYPE, contentType, PR_FALSE); + if (rv != SECSuccess) + goto loser; + } + + if ((tmppoolp = PORT_NewArena(1024)) == NULL) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + goto loser; + } + + /* + * Before encoding, reorder the attributes so that when they + * are encoded, they will be conforming DER, which is required + * to have a specific order and that is what must be used for + * the hash/signature. We do this here, rather than building + * it into EncodeAttributes, because we do not want to do + * such reordering on incoming messages (which also uses + * EncodeAttributes) or our old signatures (and other "broken" + * implementations) will not verify. So, we want to guarantee + * that we send out good DER encodings of attributes, but not + * to expect to receive them. + */ + if (NSS_CMSAttributeArray_Reorder(signerinfo->authAttr) != SECSuccess) + goto loser; + + encoded_attrs.data = NULL; + encoded_attrs.len = 0; + if (NSS_CMSAttributeArray_Encode(tmppoolp, &(signerinfo->authAttr), + &encoded_attrs) == NULL) + goto loser; + + signAlgTag = SEC_GetSignatureAlgorithmOidTag(privkey->keyType, digestalgtag); - if (signAlgTag == SEC_OID_UNKNOWN) { - PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); - goto loser; - } - - rv = SEC_SignData(&signature, encoded_attrs.data, encoded_attrs.len, - privkey, signAlgTag); - PORT_FreeArena(tmppoolp, PR_FALSE); /* awkward memory management :-( */ - tmppoolp = 0; + if (signAlgTag == SEC_OID_UNKNOWN) { + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); + goto loser; + } + + rv = SEC_SignData(&signature, encoded_attrs.data, encoded_attrs.len, + privkey, signAlgTag); + PORT_FreeArena(tmppoolp, PR_FALSE); /* awkward memory management :-( */ + tmppoolp = 0; } else { - rv = SGN_Digest(privkey, digestalgtag, &signature, digest); + rv = SGN_Digest(privkey, digestalgtag, &signature, digest); } SECKEY_DestroyPrivateKey(privkey); privkey = NULL; if (rv != SECSuccess) - goto loser; + goto loser; - if (SECITEM_CopyItem(poolp, &(signerinfo->encDigest), &signature) - != SECSuccess) - goto loser; + if (SECITEM_CopyItem(poolp, &(signerinfo->encDigest), &signature) != SECSuccess) + goto loser; SECITEM_FreeItem(&signature, PR_FALSE); - if (SECOID_SetAlgorithmID(poolp, &(signerinfo->digestEncAlg), pubkAlgTag, + if (SECOID_SetAlgorithmID(poolp, &(signerinfo->digestEncAlg), pubkAlgTag, NULL) != SECSuccess) - goto loser; + goto loser; return SECSuccess; loser: if (signature.len != 0) - SECITEM_FreeItem (&signature, PR_FALSE); + SECITEM_FreeItem(&signature, PR_FALSE); if (privkey) - SECKEY_DestroyPrivateKey(privkey); + SECKEY_DestroyPrivateKey(privkey); if (tmppoolp) - PORT_FreeArena(tmppoolp, PR_FALSE); + PORT_FreeArena(tmppoolp, PR_FALSE); return SECFailure; } SECStatus NSS_CMSSignerInfo_VerifyCertificate(NSSCMSSignerInfo *signerinfo, CERTCertDBHandle *certdb, - SECCertUsage certusage) + SECCertUsage certusage) { CERTCertificate *cert; PRTime stime; if ((cert = NSS_CMSSignerInfo_GetSigningCertificate(signerinfo, certdb)) == NULL) { - signerinfo->verificationStatus = NSSCMSVS_SigningCertNotFound; - return SECFailure; + signerinfo->verificationStatus = NSSCMSVS_SigningCertNotFound; + return SECFailure; } /* @@ -283,9 +288,9 @@ NSS_CMSSignerInfo_VerifyCertificate(NSSCMSSignerInfo *signerinfo, CERTCertDBHand * both on the cert verification and for importing the sender * email profile. */ - if (NSS_CMSSignerInfo_GetSigningTime (signerinfo, &stime) != SECSuccess) - stime = PR_Now(); /* not found or conversion failed, so check against now */ - + if (NSS_CMSSignerInfo_GetSigningTime(signerinfo, &stime) != SECSuccess) + stime = PR_Now(); /* not found or conversion failed, so check against now */ + /* * XXX This uses the signing time, if available. Additionally, we * might want to, if there is no signing time, get the message time @@ -294,10 +299,10 @@ NSS_CMSSignerInfo_VerifyCertificate(NSSCMSSignerInfo *signerinfo, CERTCertDBHand * in a time (and for non-S/MIME callers to pass in nothing, or * maybe make them pass in the current time, always?). */ - if (CERT_VerifyCert(certdb, cert, PR_TRUE, certusage, stime, + if (CERT_VerifyCert(certdb, cert, PR_TRUE, certusage, stime, signerinfo->cmsg->pwfn_arg, NULL) != SECSuccess) { - signerinfo->verificationStatus = NSSCMSVS_SigningCertNotTrusted; - return SECFailure; + signerinfo->verificationStatus = NSSCMSVS_SigningCertNotTrusted; + return SECFailure; } return SECSuccess; } @@ -305,13 +310,13 @@ NSS_CMSSignerInfo_VerifyCertificate(NSSCMSSignerInfo *signerinfo, CERTCertDBHand /* * NSS_CMSSignerInfo_Verify - verify the signature of a single SignerInfo * - * Just verifies the signature. The assumption is that verification of + * Just verifies the signature. The assumption is that verification of * the certificate is done already. */ SECStatus -NSS_CMSSignerInfo_Verify(NSSCMSSignerInfo *signerinfo, - SECItem *digest, /* may be NULL */ - SECItem *contentType) /* may be NULL */ +NSS_CMSSignerInfo_Verify(NSSCMSSignerInfo *signerinfo, + SECItem *digest, /* may be NULL */ + SECItem *contentType) /* may be NULL */ { SECKEYPublicKey *publickey = NULL; NSSCMSAttribute *attr; @@ -319,152 +324,154 @@ NSS_CMSSignerInfo_Verify(NSSCMSSignerInfo *signerinfo, CERTCertificate *cert; NSSCMSVerificationStatus vs = NSSCMSVS_Unverified; PLArenaPool *poolp; - SECOidTag digestalgtag; - SECOidTag pubkAlgTag; + SECOidTag digestalgtag; + SECOidTag pubkAlgTag; if (signerinfo == NULL) - return SECFailure; + return SECFailure; - /* NSS_CMSSignerInfo_GetSigningCertificate will fail if 2nd parm is NULL - ** and cert has not been verified + /* NSS_CMSSignerInfo_GetSigningCertificate will fail if 2nd parm is NULL + ** and cert has not been verified */ cert = NSS_CMSSignerInfo_GetSigningCertificate(signerinfo, NULL); if (cert == NULL) { - vs = NSSCMSVS_SigningCertNotFound; - goto loser; + vs = NSSCMSVS_SigningCertNotFound; + goto loser; } if ((publickey = CERT_ExtractPublicKey(cert)) == NULL) { - vs = NSSCMSVS_ProcessingError; - goto loser; + vs = NSSCMSVS_ProcessingError; + goto loser; } digestalgtag = NSS_CMSSignerInfo_GetDigestAlgTag(signerinfo); pubkAlgTag = SECOID_GetAlgorithmTag(&(signerinfo->digestEncAlg)); if ((pubkAlgTag == SEC_OID_UNKNOWN) || (digestalgtag == SEC_OID_UNKNOWN)) { - vs = NSSCMSVS_SignatureAlgorithmUnknown; - goto loser; + vs = NSSCMSVS_SignatureAlgorithmUnknown; + goto loser; } if (!NSS_CMSArray_IsEmpty((void **)signerinfo->authAttr)) { - if (contentType) { - /* - * Check content type - * - * RFC2630 sez that if there are any authenticated attributes, - * then there must be one for content type which matches the - * content type of the content being signed, and there must - * be one for message digest which matches our message digest. - * So check these things first. - */ - attr = NSS_CMSAttributeArray_FindAttrByOidTag(signerinfo->authAttr, - SEC_OID_PKCS9_CONTENT_TYPE, PR_TRUE); - if (attr == NULL) { - vs = NSSCMSVS_MalformedSignature; - goto loser; - } - - if (NSS_CMSAttribute_CompareValue(attr, contentType) == PR_FALSE) { - vs = NSSCMSVS_MalformedSignature; - goto loser; - } - } - - /* - * Check digest - */ - attr = NSS_CMSAttributeArray_FindAttrByOidTag(signerinfo->authAttr, - SEC_OID_PKCS9_MESSAGE_DIGEST, PR_TRUE); - if (attr == NULL) { - vs = NSSCMSVS_MalformedSignature; - goto loser; - } - if (!digest || - NSS_CMSAttribute_CompareValue(attr, digest) == PR_FALSE) { - vs = NSSCMSVS_DigestMismatch; - goto loser; - } - - if ((poolp = PORT_NewArena (1024)) == NULL) { - vs = NSSCMSVS_ProcessingError; - goto loser; - } - - /* - * Check signature - * - * The signature is based on a digest of the DER-encoded authenticated - * attributes. So, first we encode and then we digest/verify. - * we trust the decoder to have the attributes in the right (sorted) - * order - */ - encoded_attrs.data = NULL; - encoded_attrs.len = 0; - - if (NSS_CMSAttributeArray_Encode(poolp, &(signerinfo->authAttr), - &encoded_attrs) == NULL || - encoded_attrs.data == NULL || encoded_attrs.len == 0) { - PORT_FreeArena(poolp, PR_FALSE); - vs = NSSCMSVS_ProcessingError; - goto loser; - } - - vs = (VFY_VerifyDataDirect(encoded_attrs.data, encoded_attrs.len, - publickey, &(signerinfo->encDigest), pubkAlgTag, - digestalgtag, NULL, signerinfo->cmsg->pwfn_arg) != SECSuccess) - ? NSSCMSVS_BadSignature : NSSCMSVS_GoodSignature; - - PORT_FreeArena(poolp, PR_FALSE); /* awkward memory management :-( */ + if (contentType) { + /* + * Check content type + * + * RFC2630 sez that if there are any authenticated attributes, + * then there must be one for content type which matches the + * content type of the content being signed, and there must + * be one for message digest which matches our message digest. + * So check these things first. + */ + attr = NSS_CMSAttributeArray_FindAttrByOidTag(signerinfo->authAttr, + SEC_OID_PKCS9_CONTENT_TYPE, PR_TRUE); + if (attr == NULL) { + vs = NSSCMSVS_MalformedSignature; + goto loser; + } + + if (NSS_CMSAttribute_CompareValue(attr, contentType) == PR_FALSE) { + vs = NSSCMSVS_MalformedSignature; + goto loser; + } + } + + /* + * Check digest + */ + attr = NSS_CMSAttributeArray_FindAttrByOidTag(signerinfo->authAttr, + SEC_OID_PKCS9_MESSAGE_DIGEST, PR_TRUE); + if (attr == NULL) { + vs = NSSCMSVS_MalformedSignature; + goto loser; + } + if (!digest || + NSS_CMSAttribute_CompareValue(attr, digest) == PR_FALSE) { + vs = NSSCMSVS_DigestMismatch; + goto loser; + } + + if ((poolp = PORT_NewArena(1024)) == NULL) { + vs = NSSCMSVS_ProcessingError; + goto loser; + } + + /* + * Check signature + * + * The signature is based on a digest of the DER-encoded authenticated + * attributes. So, first we encode and then we digest/verify. + * we trust the decoder to have the attributes in the right (sorted) + * order + */ + encoded_attrs.data = NULL; + encoded_attrs.len = 0; + + if (NSS_CMSAttributeArray_Encode(poolp, &(signerinfo->authAttr), + &encoded_attrs) == NULL || + encoded_attrs.data == NULL || encoded_attrs.len == 0) { + PORT_FreeArena(poolp, PR_FALSE); + vs = NSSCMSVS_ProcessingError; + goto loser; + } + + vs = (VFY_VerifyDataDirect(encoded_attrs.data, encoded_attrs.len, + publickey, &(signerinfo->encDigest), pubkAlgTag, + digestalgtag, NULL, signerinfo->cmsg->pwfn_arg) != SECSuccess) + ? NSSCMSVS_BadSignature + : NSSCMSVS_GoodSignature; + + PORT_FreeArena(poolp, PR_FALSE); /* awkward memory management :-( */ } else { - SECItem *sig; - - /* No authenticated attributes. - ** The signature is based on the plain message digest. - */ - sig = &(signerinfo->encDigest); - if (sig->len == 0) - goto loser; - - vs = (!digest || - VFY_VerifyDigestDirect(digest, publickey, sig, pubkAlgTag, - digestalgtag, signerinfo->cmsg->pwfn_arg) != SECSuccess) - ? NSSCMSVS_BadSignature : NSSCMSVS_GoodSignature; + SECItem *sig; + + /* No authenticated attributes. + ** The signature is based on the plain message digest. + */ + sig = &(signerinfo->encDigest); + if (sig->len == 0) + goto loser; + + vs = (!digest || + VFY_VerifyDigestDirect(digest, publickey, sig, pubkAlgTag, + digestalgtag, signerinfo->cmsg->pwfn_arg) != SECSuccess) + ? NSSCMSVS_BadSignature + : NSSCMSVS_GoodSignature; } if (vs == NSSCMSVS_BadSignature) { - int error = PORT_GetError(); - /* - * XXX Change the generic error into our specific one, because - * in that case we get a better explanation out of the Security - * Advisor. This is really a bug in the PSM error strings (the - * "generic" error has a lousy/wrong message associated with it - * which assumes the signature verification was done for the - * purposes of checking the issuer signature on a certificate) - * but this is at least an easy workaround and/or in the - * Security Advisor, which specifically checks for the error - * SEC_ERROR_PKCS7_BAD_SIGNATURE and gives more explanation - * in that case but does not similarly check for - * SEC_ERROR_BAD_SIGNATURE. It probably should, but then would - * probably say the wrong thing in the case that it *was* the - * certificate signature check that failed during the cert - * verification done above. Our error handling is really a mess. - */ - if (error == SEC_ERROR_BAD_SIGNATURE) - PORT_SetError(SEC_ERROR_PKCS7_BAD_SIGNATURE); - /* - * map algorithm failures to NSSCMSVS values - */ - if ((error == SEC_ERROR_PKCS7_KEYALG_MISMATCH) || - (error == SEC_ERROR_INVALID_ALGORITHM)) { - /* keep the same error code as 3.11 and before */ - PORT_SetError(SEC_ERROR_PKCS7_BAD_SIGNATURE); - vs = NSSCMSVS_SignatureAlgorithmUnsupported; - } + int error = PORT_GetError(); + /* + * XXX Change the generic error into our specific one, because + * in that case we get a better explanation out of the Security + * Advisor. This is really a bug in the PSM error strings (the + * "generic" error has a lousy/wrong message associated with it + * which assumes the signature verification was done for the + * purposes of checking the issuer signature on a certificate) + * but this is at least an easy workaround and/or in the + * Security Advisor, which specifically checks for the error + * SEC_ERROR_PKCS7_BAD_SIGNATURE and gives more explanation + * in that case but does not similarly check for + * SEC_ERROR_BAD_SIGNATURE. It probably should, but then would + * probably say the wrong thing in the case that it *was* the + * certificate signature check that failed during the cert + * verification done above. Our error handling is really a mess. + */ + if (error == SEC_ERROR_BAD_SIGNATURE) + PORT_SetError(SEC_ERROR_PKCS7_BAD_SIGNATURE); + /* + * map algorithm failures to NSSCMSVS values + */ + if ((error == SEC_ERROR_PKCS7_KEYALG_MISMATCH) || + (error == SEC_ERROR_INVALID_ALGORITHM)) { + /* keep the same error code as 3.11 and before */ + PORT_SetError(SEC_ERROR_PKCS7_BAD_SIGNATURE); + vs = NSSCMSVS_SignatureAlgorithmUnsupported; + } } if (publickey != NULL) - SECKEY_DestroyPublicKey (publickey); + SECKEY_DestroyPublicKey(publickey); signerinfo->verificationStatus = vs; @@ -472,11 +479,11 @@ NSS_CMSSignerInfo_Verify(NSSCMSSignerInfo *signerinfo, loser: if (publickey != NULL) - SECKEY_DestroyPublicKey (publickey); + SECKEY_DestroyPublicKey(publickey); signerinfo->verificationStatus = vs; - PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE); + PORT_SetError(SEC_ERROR_PKCS7_BAD_SIGNATURE); return SECFailure; } @@ -490,27 +497,26 @@ SECOidData * NSS_CMSSignerInfo_GetDigestAlg(NSSCMSSignerInfo *signerinfo) { SECOidData *algdata; - SECOidTag algtag; + SECOidTag algtag; - algdata = SECOID_FindOID (&(signerinfo->digestAlg.algorithm)); + algdata = SECOID_FindOID(&(signerinfo->digestAlg.algorithm)); if (algdata == NULL) { - return algdata; + return algdata; } - /* Windows may have given us a signer algorithm oid instead of a digest - * algorithm oid. This call will map to a signer oid to a digest one, + /* Windows may have given us a signer algorithm oid instead of a digest + * algorithm oid. This call will map to a signer oid to a digest one, * otherwise it leaves the oid alone and let the chips fall as they may * if it's not a digest oid. */ algtag = NSS_CMSUtil_MapSignAlgs(algdata->offset); if (algtag != algdata->offset) { - /* if the tags don't match, then we must have received a signer - * algorithID. Now we need to get the oid data for the digest - * oid, which the rest of the code is expecting */ - algdata = SECOID_FindOIDByTag(algtag); + /* if the tags don't match, then we must have received a signer + * algorithID. Now we need to get the oid data for the digest + * oid, which the rest of the code is expecting */ + algdata = SECOID_FindOIDByTag(algtag); } return algdata; - } SECOidTag @@ -525,9 +531,9 @@ NSS_CMSSignerInfo_GetDigestAlgTag(NSSCMSSignerInfo *signerinfo) algdata = NSS_CMSSignerInfo_GetDigestAlg(signerinfo); if (algdata != NULL) - return algdata->offset; + return algdata->offset; else - return SEC_OID_UNKNOWN; + return SEC_OID_UNKNOWN; } CERTCertificateList * @@ -543,14 +549,14 @@ NSS_CMSSignerInfo_GetVersion(NSSCMSSignerInfo *signerinfo) /* always take apart the SECItem */ if (SEC_ASN1DecodeInteger(&(signerinfo->version), &version) != SECSuccess) - return 0; + return 0; else - return (int)version; + return (int)version; } /* * NSS_CMSSignerInfo_GetSigningTime - return the signing time, - * in UTCTime or GeneralizedTime format, + * in UTCTime or GeneralizedTime format, * of a CMS signerInfo. * * sinfo - signerInfo data for this signer @@ -565,20 +571,21 @@ NSS_CMSSignerInfo_GetSigningTime(NSSCMSSignerInfo *sinfo, PRTime *stime) SECItem *value; if (sinfo == NULL) - return SECFailure; + return SECFailure; if (sinfo->signingTime != 0) { - *stime = sinfo->signingTime; /* cached copy */ - return SECSuccess; + *stime = sinfo->signingTime; /* cached copy */ + return SECSuccess; } - attr = NSS_CMSAttributeArray_FindAttrByOidTag(sinfo->authAttr, SEC_OID_PKCS9_SIGNING_TIME, PR_TRUE); + attr = NSS_CMSAttributeArray_FindAttrByOidTag(sinfo->authAttr, + SEC_OID_PKCS9_SIGNING_TIME, PR_TRUE); /* XXXX multi-valued attributes NIH */ if (attr == NULL || (value = NSS_CMSAttribute_GetValue(attr)) == NULL) - return SECFailure; + return SECFailure; if (DER_DecodeTimeChoice(stime, value) != SECSuccess) - return SECFailure; - sinfo->signingTime = *stime; /* make cached copy */ + return SECFailure; + sinfo->signingTime = *stime; /* make cached copy */ return SECSuccess; } @@ -594,11 +601,11 @@ NSS_CMSSignerInfo_GetSigningCertificate(NSSCMSSignerInfo *signerinfo, CERTCertDB NSSCMSSignerIdentifier *sid; if (signerinfo->cert != NULL) - return signerinfo->cert; + return signerinfo->cert; /* no certdb, and cert hasn't been set yet? */ if (certdb == NULL) - return NULL; + return NULL; /* * This cert will also need to be freed, but since we save it @@ -608,19 +615,19 @@ NSS_CMSSignerInfo_GetSigningCertificate(NSSCMSSignerInfo *signerinfo, CERTCertDB */ sid = &signerinfo->signerIdentifier; switch (sid->identifierType) { - case NSSCMSSignerID_IssuerSN: - cert = CERT_FindCertByIssuerAndSN(certdb, sid->id.issuerAndSN); - break; - case NSSCMSSignerID_SubjectKeyID: - cert = CERT_FindCertBySubjectKeyID(certdb, sid->id.subjectKeyID); - break; - default: - cert = NULL; - break; + case NSSCMSSignerID_IssuerSN: + cert = CERT_FindCertByIssuerAndSN(certdb, sid->id.issuerAndSN); + break; + case NSSCMSSignerID_SubjectKeyID: + cert = CERT_FindCertBySubjectKeyID(certdb, sid->id.subjectKeyID); + break; + default: + cert = NULL; + break; } /* cert can be NULL at that point */ - signerinfo->cert = cert; /* earmark it */ + signerinfo->cert = cert; /* earmark it */ return cert; } @@ -640,7 +647,7 @@ NSS_CMSSignerInfo_GetSignerCommonName(NSSCMSSignerInfo *sinfo) /* will fail if cert is not verified */ if ((signercert = NSS_CMSSignerInfo_GetSigningCertificate(sinfo, NULL)) == NULL) - return NULL; + return NULL; return (CERT_GetCommonName(&signercert->subject)); } @@ -659,17 +666,17 @@ NSS_CMSSignerInfo_GetSignerEmailAddress(NSSCMSSignerInfo *sinfo) CERTCertificate *signercert; if ((signercert = NSS_CMSSignerInfo_GetSigningCertificate(sinfo, NULL)) == NULL) - return NULL; + return NULL; if (!signercert->emailAddr || !signercert->emailAddr[0]) - return NULL; + return NULL; return (PORT_Strdup(signercert->emailAddr)); } /* * NSS_CMSSignerInfo_AddAuthAttr - add an attribute to the - * authenticated (i.e. signed) attributes of "signerinfo". + * authenticated (i.e. signed) attributes of "signerinfo". */ SECStatus NSS_CMSSignerInfo_AddAuthAttr(NSSCMSSignerInfo *signerinfo, NSSCMSAttribute *attr) @@ -679,7 +686,7 @@ NSS_CMSSignerInfo_AddAuthAttr(NSSCMSSignerInfo *signerinfo, NSSCMSAttribute *att /* * NSS_CMSSignerInfo_AddUnauthAttr - add an attribute to the - * unauthenticated attributes of "signerinfo". + * unauthenticated attributes of "signerinfo". */ SECStatus NSS_CMSSignerInfo_AddUnauthAttr(NSSCMSSignerInfo *signerinfo, NSSCMSAttribute *attr) @@ -687,9 +694,9 @@ NSS_CMSSignerInfo_AddUnauthAttr(NSSCMSSignerInfo *signerinfo, NSSCMSAttribute *a return NSS_CMSAttributeArray_AddAttr(signerinfo->cmsg->poolp, &(signerinfo->unAuthAttr), attr); } -/* +/* * NSS_CMSSignerInfo_AddSigningTime - add the signing time to the - * authenticated (i.e. signed) attributes of "signerinfo". + * authenticated (i.e. signed) attributes of "signerinfo". * * This is expected to be included in outgoing signed * messages for email (S/MIME) but is likely useful in other situations. @@ -714,30 +721,30 @@ NSS_CMSSignerInfo_AddSigningTime(NSSCMSSignerInfo *signerinfo, PRTime t) /* create new signing time attribute */ if (DER_EncodeTimeChoice(NULL, &stime, t) != SECSuccess) - goto loser; + goto loser; if ((attr = NSS_CMSAttribute_Create(poolp, SEC_OID_PKCS9_SIGNING_TIME, &stime, PR_FALSE)) == NULL) { - SECITEM_FreeItem (&stime, PR_FALSE); - goto loser; + SECITEM_FreeItem(&stime, PR_FALSE); + goto loser; } - SECITEM_FreeItem (&stime, PR_FALSE); + SECITEM_FreeItem(&stime, PR_FALSE); if (NSS_CMSSignerInfo_AddAuthAttr(signerinfo, attr) != SECSuccess) - goto loser; + goto loser; - PORT_ArenaUnmark (poolp, mark); + PORT_ArenaUnmark(poolp, mark); return SECSuccess; loser: - PORT_ArenaRelease (poolp, mark); + PORT_ArenaRelease(poolp, mark); return SECFailure; } -/* +/* * NSS_CMSSignerInfo_AddSMIMECaps - add a SMIMECapabilities attribute to the - * authenticated (i.e. signed) attributes of "signerinfo". + * authenticated (i.e. signed) attributes of "signerinfo". * * This is expected to be included in outgoing signed * messages for email (S/MIME). @@ -756,29 +763,29 @@ NSS_CMSSignerInfo_AddSMIMECaps(NSSCMSSignerInfo *signerinfo) smimecaps = SECITEM_AllocItem(poolp, NULL, 0); if (smimecaps == NULL) - goto loser; + goto loser; /* create new signing time attribute */ if (NSS_SMIMEUtil_CreateSMIMECapabilities(poolp, smimecaps) != SECSuccess) - goto loser; + goto loser; if ((attr = NSS_CMSAttribute_Create(poolp, SEC_OID_PKCS9_SMIME_CAPABILITIES, smimecaps, PR_TRUE)) == NULL) - goto loser; + goto loser; if (NSS_CMSSignerInfo_AddAuthAttr(signerinfo, attr) != SECSuccess) - goto loser; + goto loser; - PORT_ArenaUnmark (poolp, mark); + PORT_ArenaUnmark(poolp, mark); return SECSuccess; loser: - PORT_ArenaRelease (poolp, mark); + PORT_ArenaRelease(poolp, mark); return SECFailure; } -/* +/* * NSS_CMSSignerInfo_AddSMIMEEncKeyPrefs - add a SMIMEEncryptionKeyPreferences attribute to the - * authenticated (i.e. signed) attributes of "signerinfo". + * authenticated (i.e. signed) attributes of "signerinfo". * * This is expected to be included in outgoing signed messages for email (S/MIME). */ @@ -792,7 +799,7 @@ NSS_CMSSignerInfo_AddSMIMEEncKeyPrefs(NSSCMSSignerInfo *signerinfo, CERTCertific /* verify this cert for encryption */ if (CERT_VerifyCert(certdb, cert, PR_TRUE, certUsageEmailRecipient, PR_Now(), signerinfo->cmsg->pwfn_arg, NULL) != SECSuccess) { - return SECFailure; + return SECFailure; } poolp = signerinfo->cmsg->poolp; @@ -800,27 +807,27 @@ NSS_CMSSignerInfo_AddSMIMEEncKeyPrefs(NSSCMSSignerInfo *signerinfo, CERTCertific smimeekp = SECITEM_AllocItem(poolp, NULL, 0); if (smimeekp == NULL) - goto loser; + goto loser; /* create new signing time attribute */ if (NSS_SMIMEUtil_CreateSMIMEEncKeyPrefs(poolp, smimeekp, cert) != SECSuccess) - goto loser; + goto loser; if ((attr = NSS_CMSAttribute_Create(poolp, SEC_OID_SMIME_ENCRYPTION_KEY_PREFERENCE, smimeekp, PR_TRUE)) == NULL) - goto loser; + goto loser; if (NSS_CMSSignerInfo_AddAuthAttr(signerinfo, attr) != SECSuccess) - goto loser; + goto loser; - PORT_ArenaUnmark (poolp, mark); + PORT_ArenaUnmark(poolp, mark); return SECSuccess; loser: - PORT_ArenaRelease (poolp, mark); + PORT_ArenaRelease(poolp, mark); return SECFailure; } -/* +/* * NSS_CMSSignerInfo_AddMSSMIMEEncKeyPrefs - add a SMIMEEncryptionKeyPreferences attribute to the * authenticated (i.e. signed) attributes of "signerinfo", using the OID preferred by Microsoft. * @@ -837,7 +844,7 @@ NSS_CMSSignerInfo_AddMSSMIMEEncKeyPrefs(NSSCMSSignerInfo *signerinfo, CERTCertif /* verify this cert for encryption */ if (CERT_VerifyCert(certdb, cert, PR_TRUE, certUsageEmailRecipient, PR_Now(), signerinfo->cmsg->pwfn_arg, NULL) != SECSuccess) { - return SECFailure; + return SECFailure; } poolp = signerinfo->cmsg->poolp; @@ -845,27 +852,27 @@ NSS_CMSSignerInfo_AddMSSMIMEEncKeyPrefs(NSSCMSSignerInfo *signerinfo, CERTCertif smimeekp = SECITEM_AllocItem(poolp, NULL, 0); if (smimeekp == NULL) - goto loser; + goto loser; /* create new signing time attribute */ if (NSS_SMIMEUtil_CreateMSSMIMEEncKeyPrefs(poolp, smimeekp, cert) != SECSuccess) - goto loser; + goto loser; if ((attr = NSS_CMSAttribute_Create(poolp, SEC_OID_MS_SMIME_ENCRYPTION_KEY_PREFERENCE, smimeekp, PR_TRUE)) == NULL) - goto loser; + goto loser; if (NSS_CMSSignerInfo_AddAuthAttr(signerinfo, attr) != SECSuccess) - goto loser; + goto loser; - PORT_ArenaUnmark (poolp, mark); + PORT_ArenaUnmark(poolp, mark); return SECSuccess; loser: - PORT_ArenaRelease (poolp, mark); + PORT_ArenaRelease(poolp, mark); return SECFailure; } -/* +/* * NSS_CMSSignerInfo_AddCounterSignature - countersign a signerinfo * * 1. digest the DER-encoded signature value of the original signerinfo @@ -880,7 +887,7 @@ loser: */ SECStatus NSS_CMSSignerInfo_AddCounterSignature(NSSCMSSignerInfo *signerinfo, - SECOidTag digestalg, CERTCertificate signingcert) + SECOidTag digestalg, CERTCertificate signingcert) { /* XXXX TBD XXXX */ return SECFailure; @@ -907,42 +914,41 @@ NSS_SMIMESignerInfo_SaveSMIMEProfile(NSSCMSSignerInfo *signerinfo) /* sanity check - see if verification status is ok (unverified does not count...) */ if (signerinfo->verificationStatus != NSSCMSVS_GoodSignature) - return SECFailure; + return SECFailure; /* find preferred encryption cert */ if (!NSS_CMSArray_IsEmpty((void **)signerinfo->authAttr) && - (attr = NSS_CMSAttributeArray_FindAttrByOidTag(signerinfo->authAttr, - SEC_OID_SMIME_ENCRYPTION_KEY_PREFERENCE, PR_TRUE)) != NULL) - { /* we have a SMIME_ENCRYPTION_KEY_PREFERENCE attribute! */ - ekp = NSS_CMSAttribute_GetValue(attr); - if (ekp == NULL) - return SECFailure; - - /* we assume that all certs coming with the message have been imported to the */ - /* temporary database */ - cert = NSS_SMIMEUtil_GetCertFromEncryptionKeyPreference(certdb, ekp); - if (cert == NULL) - return SECFailure; - must_free_cert = PR_TRUE; + (attr = NSS_CMSAttributeArray_FindAttrByOidTag(signerinfo->authAttr, + SEC_OID_SMIME_ENCRYPTION_KEY_PREFERENCE, PR_TRUE)) != NULL) { /* we have a SMIME_ENCRYPTION_KEY_PREFERENCE attribute! */ + ekp = NSS_CMSAttribute_GetValue(attr); + if (ekp == NULL) + return SECFailure; + + /* we assume that all certs coming with the message have been imported to the */ + /* temporary database */ + cert = NSS_SMIMEUtil_GetCertFromEncryptionKeyPreference(certdb, ekp); + if (cert == NULL) + return SECFailure; + must_free_cert = PR_TRUE; } if (cert == NULL) { - /* no preferred cert found? - * find the cert the signerinfo is signed with instead */ - cert = NSS_CMSSignerInfo_GetSigningCertificate(signerinfo, certdb); - if (cert == NULL || cert->emailAddr == NULL || !cert->emailAddr[0]) - return SECFailure; + /* no preferred cert found? + * find the cert the signerinfo is signed with instead */ + cert = NSS_CMSSignerInfo_GetSigningCertificate(signerinfo, certdb); + if (cert == NULL || cert->emailAddr == NULL || !cert->emailAddr[0]) + return SECFailure; } - /* verify this cert for encryption (has been verified for signing so far) */ - /* don't verify this cert for encryption. It may just be a signing cert. +/* verify this cert for encryption (has been verified for signing so far) */ +/* don't verify this cert for encryption. It may just be a signing cert. * that's OK, we can still save the S/MIME profile. The encryption cert * should have already been saved */ #ifdef notdef if (CERT_VerifyCert(certdb, cert, PR_TRUE, certUsageEmailRecipient, PR_Now(), signerinfo->cmsg->pwfn_arg, NULL) != SECSuccess) { - if (must_free_cert) - CERT_DestroyCertificate(cert); - return SECFailure; + if (must_free_cert) + CERT_DestroyCertificate(cert); + return SECFailure; } #endif @@ -955,25 +961,25 @@ NSS_SMIMESignerInfo_SaveSMIMEProfile(NSSCMSSignerInfo *signerinfo) save_error = PORT_GetError(); if (!NSS_CMSArray_IsEmpty((void **)signerinfo->authAttr)) { - attr = NSS_CMSAttributeArray_FindAttrByOidTag(signerinfo->authAttr, - SEC_OID_PKCS9_SMIME_CAPABILITIES, - PR_TRUE); - profile = NSS_CMSAttribute_GetValue(attr); - attr = NSS_CMSAttributeArray_FindAttrByOidTag(signerinfo->authAttr, - SEC_OID_PKCS9_SIGNING_TIME, - PR_TRUE); - stime = NSS_CMSAttribute_GetValue(attr); + attr = NSS_CMSAttributeArray_FindAttrByOidTag(signerinfo->authAttr, + SEC_OID_PKCS9_SMIME_CAPABILITIES, + PR_TRUE); + profile = NSS_CMSAttribute_GetValue(attr); + attr = NSS_CMSAttributeArray_FindAttrByOidTag(signerinfo->authAttr, + SEC_OID_PKCS9_SIGNING_TIME, + PR_TRUE); + stime = NSS_CMSAttribute_GetValue(attr); } - rv = CERT_SaveSMimeProfile (cert, profile, stime); + rv = CERT_SaveSMimeProfile(cert, profile, stime); if (must_free_cert) - CERT_DestroyCertificate(cert); + CERT_DestroyCertificate(cert); /* * Restore the saved error in case the calls above set a new * one that we do not actually care about. */ - PORT_SetError (save_error); + PORT_SetError(save_error); return rv; } @@ -982,34 +988,37 @@ NSS_SMIMESignerInfo_SaveSMIMEProfile(NSSCMSSignerInfo *signerinfo) * NSS_CMSSignerInfo_IncludeCerts - set cert chain inclusion mode for this signer */ SECStatus -NSS_CMSSignerInfo_IncludeCerts(NSSCMSSignerInfo *signerinfo, NSSCMSCertChainMode cm, SECCertUsage usage) +NSS_CMSSignerInfo_IncludeCerts(NSSCMSSignerInfo *signerinfo, + NSSCMSCertChainMode cm, SECCertUsage usage) { if (signerinfo->cert == NULL) - return SECFailure; + return SECFailure; /* don't leak if we get called twice */ if (signerinfo->certList != NULL) { - CERT_DestroyCertificateList(signerinfo->certList); - signerinfo->certList = NULL; + CERT_DestroyCertificateList(signerinfo->certList); + signerinfo->certList = NULL; } switch (cm) { - case NSSCMSCM_None: - signerinfo->certList = NULL; - break; - case NSSCMSCM_CertOnly: - signerinfo->certList = CERT_CertListFromCert(signerinfo->cert); - break; - case NSSCMSCM_CertChain: - signerinfo->certList = CERT_CertChainFromCert(signerinfo->cert, usage, PR_FALSE); - break; - case NSSCMSCM_CertChainWithRoot: - signerinfo->certList = CERT_CertChainFromCert(signerinfo->cert, usage, PR_TRUE); - break; + case NSSCMSCM_None: + signerinfo->certList = NULL; + break; + case NSSCMSCM_CertOnly: + signerinfo->certList = CERT_CertListFromCert(signerinfo->cert); + break; + case NSSCMSCM_CertChain: + signerinfo->certList = CERT_CertChainFromCert(signerinfo->cert, + usage, PR_FALSE); + break; + case NSSCMSCM_CertChainWithRoot: + signerinfo->certList = CERT_CertChainFromCert(signerinfo->cert, + usage, PR_TRUE); + break; } if (cm != NSSCMSCM_None && signerinfo->certList == NULL) - return SECFailure; - + return SECFailure; + return SECSuccess; } diff --git a/nss/lib/smime/cmst.h b/nss/lib/smime/cmst.h index 7376322..3d888bc 100644 --- a/nss/lib/smime/cmst.h +++ b/nss/lib/smime/cmst.h @@ -76,10 +76,8 @@ typedef struct NSSCMSDigestContextStr NSSCMSDigestContext; typedef struct NSSCMSContentInfoPrivateStr NSSCMSContentInfoPrivate; -typedef SECStatus (*NSSCMSGenericWrapperDataCallback) - (NSSCMSGenericWrapperData *); -typedef void (*NSSCMSGenericWrapperDataDestroy) - (NSSCMSGenericWrapperData *); +typedef SECStatus (*NSSCMSGenericWrapperDataCallback)(NSSCMSGenericWrapperData *); +typedef void (*NSSCMSGenericWrapperDataDestroy)(NSSCMSGenericWrapperData *); extern const SEC_ASN1Template NSSCMSGenericWrapperDataTemplate[]; extern const SEC_ASN1Template NSS_PointerToCMSGenericWrapperDataTemplate[]; @@ -87,8 +85,6 @@ extern const SEC_ASN1Template NSS_PointerToCMSGenericWrapperDataTemplate[]; SEC_ASN1_CHOOSER_DECLARE(NSS_PointerToCMSGenericWrapperDataTemplate) SEC_ASN1_CHOOSER_DECLARE(NSSCMSGenericWrapperDataTemplate) - - /* * Type of function passed to NSSCMSDecode or NSSCMSDecoderStart. * If specified, this is where the content bytes (only) will be "sent" @@ -110,44 +106,43 @@ typedef void (*NSSCMSContentCallback)(void *arg, const char *buf, unsigned long */ typedef PK11SymKey *(*NSSCMSGetDecryptKeyCallback)(void *arg, SECAlgorithmID *algid); - /* ============================================================================= * ENCAPSULATED CONTENTINFO & CONTENTINFO */ union NSSCMSContentUnion { /* either unstructured */ - SECItem * data; + SECItem *data; /* or structured data */ - NSSCMSDigestedData * digestedData; - NSSCMSEncryptedData * encryptedData; - NSSCMSEnvelopedData * envelopedData; - NSSCMSSignedData * signedData; - NSSCMSGenericWrapperData * genericData; + NSSCMSDigestedData *digestedData; + NSSCMSEncryptedData *encryptedData; + NSSCMSEnvelopedData *envelopedData; + NSSCMSSignedData *signedData; + NSSCMSGenericWrapperData *genericData; /* or anonymous pointer to something */ - void * pointer; + void *pointer; }; struct NSSCMSContentInfoStr { - SECItem contentType; - NSSCMSContent content; + SECItem contentType; + NSSCMSContent content; /* --------- local; not part of encoding --------- */ - SECOidData * contentTypeTag; + SECOidData *contentTypeTag; /* additional info for encryptedData and envelopedData */ /* we waste this space for signedData and digestedData. sue me. */ - SECAlgorithmID contentEncAlg; - SECItem * rawContent; /* encrypted DER, optional */ - /* XXXX bytes not encrypted, but encoded? */ + SECAlgorithmID contentEncAlg; + SECItem *rawContent; /* encrypted DER, optional */ + /* XXXX bytes not encrypted, but encoded? */ /* --------- local; not part of encoding --------- */ - PK11SymKey * bulkkey; /* bulk encryption key */ - int keysize; /* size of bulk encryption key - * (only used by creation code) */ - SECOidTag contentEncAlgTag; /* oid tag of encryption algorithm - * (only used by creation code) */ - NSSCMSContentInfoPrivate *privateInfo; /* place for NSS private info */ - void *reserved; /* keep binary compatibility */ + PK11SymKey *bulkkey; /* bulk encryption key */ + int keysize; /* size of bulk encryption key + * (only used by creation code) */ + SECOidTag contentEncAlgTag; /* oid tag of encryption algorithm + * (only used by creation code) */ + NSSCMSContentInfoPrivate *privateInfo; /* place for NSS private info */ + void *reserved; /* keep binary compatibility */ }; /* ============================================================================= @@ -155,28 +150,28 @@ struct NSSCMSContentInfoStr { */ struct NSSCMSMessageStr { - NSSCMSContentInfo contentInfo; /* "outer" cinfo */ + NSSCMSContentInfo contentInfo; /* "outer" cinfo */ /* --------- local; not part of encoding --------- */ - PLArenaPool * poolp; - PRBool poolp_is_ours; - int refCount; + PLArenaPool *poolp; + PRBool poolp_is_ours; + int refCount; /* properties of the "inner" data */ - SECAlgorithmID ** detached_digestalgs; - SECItem ** detached_digests; - void * pwfn_arg; + SECAlgorithmID **detached_digestalgs; + SECItem **detached_digests; + void *pwfn_arg; NSSCMSGetDecryptKeyCallback decrypt_key_cb; - void * decrypt_key_cb_arg; + void *decrypt_key_cb_arg; }; /* ============================================================================ * GENERIC WRAPPER - * + * * used for user defined types. */ struct NSSCMSGenericWrapperDataStr { - NSSCMSContentInfo contentInfo; + NSSCMSContentInfo contentInfo; /* ---- local; not part of encoding ------ */ - NSSCMSMessage * cmsg; + NSSCMSMessage *cmsg; /* wrapperspecific data starts here */ }; @@ -185,23 +180,23 @@ struct NSSCMSGenericWrapperDataStr { */ struct NSSCMSSignedDataStr { - SECItem version; - SECAlgorithmID ** digestAlgorithms; - NSSCMSContentInfo contentInfo; - SECItem ** rawCerts; - CERTSignedCrl ** crls; - NSSCMSSignerInfo ** signerInfos; + SECItem version; + SECAlgorithmID **digestAlgorithms; + NSSCMSContentInfo contentInfo; + SECItem **rawCerts; + CERTSignedCrl **crls; + NSSCMSSignerInfo **signerInfos; /* --------- local; not part of encoding --------- */ - NSSCMSMessage * cmsg; /* back pointer to message */ - SECItem ** digests; - CERTCertificate ** certs; - CERTCertificateList ** certLists; - CERTCertificate ** tempCerts; /* temporary certs, needed - * for example for signature - * verification */ + NSSCMSMessage *cmsg; /* back pointer to message */ + SECItem **digests; + CERTCertificate **certs; + CERTCertificateList **certLists; + CERTCertificate **tempCerts; /* temporary certs, needed + * for example for signature + * verification */ }; -#define NSS_CMS_SIGNED_DATA_VERSION_BASIC 1 /* what we *create* */ -#define NSS_CMS_SIGNED_DATA_VERSION_EXT 3 /* what we *create* */ +#define NSS_CMS_SIGNED_DATA_VERSION_BASIC 1 /* what we *create* */ +#define NSS_CMS_SIGNED_DATA_VERSION_EXT 3 /* what we *create* */ typedef enum { NSSCMSVS_Unverified = 0, @@ -224,30 +219,30 @@ typedef enum { struct NSSCMSSignerIdentifierStr { NSSCMSSignerIDSelector identifierType; union { - CERTIssuerAndSN *issuerAndSN; - SECItem *subjectKeyID; + CERTIssuerAndSN *issuerAndSN; + SECItem *subjectKeyID; } id; }; struct NSSCMSSignerInfoStr { - SECItem version; - NSSCMSSignerIdentifier signerIdentifier; - SECAlgorithmID digestAlg; - NSSCMSAttribute ** authAttr; - SECAlgorithmID digestEncAlg; - SECItem encDigest; - NSSCMSAttribute ** unAuthAttr; + SECItem version; + NSSCMSSignerIdentifier signerIdentifier; + SECAlgorithmID digestAlg; + NSSCMSAttribute **authAttr; + SECAlgorithmID digestEncAlg; + SECItem encDigest; + NSSCMSAttribute **unAuthAttr; /* --------- local; not part of encoding --------- */ - NSSCMSMessage * cmsg; /* back pointer to message */ - CERTCertificate * cert; - CERTCertificateList * certList; - PRTime signingTime; - NSSCMSVerificationStatus verificationStatus; - SECKEYPrivateKey * signingKey; /* Used if we're using subjKeyID*/ - SECKEYPublicKey * pubKey; + NSSCMSMessage *cmsg; /* back pointer to message */ + CERTCertificate *cert; + CERTCertificateList *certList; + PRTime signingTime; + NSSCMSVerificationStatus verificationStatus; + SECKEYPrivateKey *signingKey; /* Used if we're using subjKeyID*/ + SECKEYPublicKey *pubKey; }; -#define NSS_CMS_SIGNER_INFO_VERSION_ISSUERSN 1 /* what we *create* */ -#define NSS_CMS_SIGNER_INFO_VERSION_SUBJKEY 3 /* what we *create* */ +#define NSS_CMS_SIGNER_INFO_VERSION_ISSUERSN 1 /* what we *create* */ +#define NSS_CMS_SIGNER_INFO_VERSION_SUBJKEY 3 /* what we *create* */ typedef enum { NSSCMSCM_None = 0, @@ -260,22 +255,22 @@ typedef enum { * ENVELOPED DATA */ struct NSSCMSEnvelopedDataStr { - SECItem version; - NSSCMSOriginatorInfo * originatorInfo; /* optional */ - NSSCMSRecipientInfo ** recipientInfos; - NSSCMSContentInfo contentInfo; - NSSCMSAttribute ** unprotectedAttr; + SECItem version; + NSSCMSOriginatorInfo *originatorInfo; /* optional */ + NSSCMSRecipientInfo **recipientInfos; + NSSCMSContentInfo contentInfo; + NSSCMSAttribute **unprotectedAttr; /* --------- local; not part of encoding --------- */ - NSSCMSMessage * cmsg; /* back pointer to message */ + NSSCMSMessage *cmsg; /* back pointer to message */ }; -#define NSS_CMS_ENVELOPED_DATA_VERSION_REG 0 /* what we *create* */ -#define NSS_CMS_ENVELOPED_DATA_VERSION_ADV 2 /* what we *create* */ +#define NSS_CMS_ENVELOPED_DATA_VERSION_REG 0 /* what we *create* */ +#define NSS_CMS_ENVELOPED_DATA_VERSION_ADV 2 /* what we *create* */ struct NSSCMSOriginatorInfoStr { - SECItem ** rawCerts; - CERTSignedCrl ** crls; + SECItem **rawCerts; + CERTSignedCrl **crls; /* --------- local; not part of encoding --------- */ - CERTCertificate ** certs; + CERTCertificate **certs; }; /* ----------------------------------------------------------------------------- @@ -288,19 +283,19 @@ typedef enum { } NSSCMSRecipientIDSelector; struct NSSCMSRecipientIdentifierStr { - NSSCMSRecipientIDSelector identifierType; + NSSCMSRecipientIDSelector identifierType; union { - CERTIssuerAndSN *issuerAndSN; - SECItem *subjectKeyID; + CERTIssuerAndSN *issuerAndSN; + SECItem *subjectKeyID; } id; }; typedef struct NSSCMSRecipientIdentifierStr NSSCMSRecipientIdentifier; struct NSSCMSKeyTransRecipientInfoStr { - SECItem version; - NSSCMSRecipientIdentifier recipientIdentifier; - SECAlgorithmID keyEncAlg; - SECItem encKey; + SECItem version; + NSSCMSRecipientIdentifier recipientIdentifier; + SECAlgorithmID keyEncAlg; + SECItem encKey; }; typedef struct NSSCMSKeyTransRecipientInfoStr NSSCMSKeyTransRecipientInfo; @@ -310,21 +305,21 @@ typedef struct NSSCMSKeyTransRecipientInfoStr NSSCMSKeyTransRecipientInfo; */ struct NSSCMSKeyTransRecipientInfoExStr { NSSCMSKeyTransRecipientInfo recipientInfo; - int version; /* version of this structure (0) */ + int version; /* version of this structure (0) */ SECKEYPublicKey *pubKey; }; typedef struct NSSCMSKeyTransRecipientInfoExStr NSSCMSKeyTransRecipientInfoEx; -#define NSS_CMS_KEYTRANS_RECIPIENT_INFO_VERSION_ISSUERSN 0 /* what we *create* */ -#define NSS_CMS_KEYTRANS_RECIPIENT_INFO_VERSION_SUBJKEY 2 /* what we *create* */ +#define NSS_CMS_KEYTRANS_RECIPIENT_INFO_VERSION_ISSUERSN 0 /* what we *create* */ +#define NSS_CMS_KEYTRANS_RECIPIENT_INFO_VERSION_SUBJKEY 2 /* what we *create* */ /* ----------------------------------------------------------------------------- * key agreement recipient info */ struct NSSCMSOriginatorPublicKeyStr { - SECAlgorithmID algorithmIdentifier; - SECItem publicKey; /* bit string! */ + SECAlgorithmID algorithmIdentifier; + SECItem publicKey; /* bit string! */ }; typedef struct NSSCMSOriginatorPublicKeyStr NSSCMSOriginatorPublicKey; @@ -337,17 +332,17 @@ typedef enum { struct NSSCMSOriginatorIdentifierOrKeyStr { NSSCMSOriginatorIDOrKeySelector identifierType; union { - CERTIssuerAndSN *issuerAndSN; /* static-static */ - SECItem *subjectKeyID; /* static-static */ - NSSCMSOriginatorPublicKey originatorPublicKey; /* ephemeral-static */ + CERTIssuerAndSN *issuerAndSN; /* static-static */ + SECItem *subjectKeyID; /* static-static */ + NSSCMSOriginatorPublicKey originatorPublicKey; /* ephemeral-static */ } id; }; typedef struct NSSCMSOriginatorIdentifierOrKeyStr NSSCMSOriginatorIdentifierOrKey; struct NSSCMSRecipientKeyIdentifierStr { - SECItem * subjectKeyIdentifier; - SECItem * date; /* optional */ - SECItem * other; /* optional */ + SECItem *subjectKeyIdentifier; + SECItem *date; /* optional */ + SECItem *other; /* optional */ }; typedef struct NSSCMSRecipientKeyIdentifierStr NSSCMSRecipientKeyIdentifier; @@ -357,50 +352,50 @@ typedef enum { } NSSCMSKeyAgreeRecipientIDSelector; struct NSSCMSKeyAgreeRecipientIdentifierStr { - NSSCMSKeyAgreeRecipientIDSelector identifierType; + NSSCMSKeyAgreeRecipientIDSelector identifierType; union { - CERTIssuerAndSN *issuerAndSN; - NSSCMSRecipientKeyIdentifier recipientKeyIdentifier; + CERTIssuerAndSN *issuerAndSN; + NSSCMSRecipientKeyIdentifier recipientKeyIdentifier; } id; }; typedef struct NSSCMSKeyAgreeRecipientIdentifierStr NSSCMSKeyAgreeRecipientIdentifier; struct NSSCMSRecipientEncryptedKeyStr { - NSSCMSKeyAgreeRecipientIdentifier recipientIdentifier; - SECItem encKey; + NSSCMSKeyAgreeRecipientIdentifier recipientIdentifier; + SECItem encKey; }; typedef struct NSSCMSRecipientEncryptedKeyStr NSSCMSRecipientEncryptedKey; struct NSSCMSKeyAgreeRecipientInfoStr { - SECItem version; - NSSCMSOriginatorIdentifierOrKey originatorIdentifierOrKey; - SECItem * ukm; /* optional */ - SECAlgorithmID keyEncAlg; - NSSCMSRecipientEncryptedKey ** recipientEncryptedKeys; + SECItem version; + NSSCMSOriginatorIdentifierOrKey originatorIdentifierOrKey; + SECItem *ukm; /* optional */ + SECAlgorithmID keyEncAlg; + NSSCMSRecipientEncryptedKey **recipientEncryptedKeys; }; typedef struct NSSCMSKeyAgreeRecipientInfoStr NSSCMSKeyAgreeRecipientInfo; -#define NSS_CMS_KEYAGREE_RECIPIENT_INFO_VERSION 3 /* what we *create* */ +#define NSS_CMS_KEYAGREE_RECIPIENT_INFO_VERSION 3 /* what we *create* */ /* ----------------------------------------------------------------------------- * KEK recipient info */ struct NSSCMSKEKIdentifierStr { - SECItem keyIdentifier; - SECItem * date; /* optional */ - SECItem * other; /* optional */ + SECItem keyIdentifier; + SECItem *date; /* optional */ + SECItem *other; /* optional */ }; typedef struct NSSCMSKEKIdentifierStr NSSCMSKEKIdentifier; struct NSSCMSKEKRecipientInfoStr { - SECItem version; - NSSCMSKEKIdentifier kekIdentifier; - SECAlgorithmID keyEncAlg; - SECItem encKey; + SECItem version; + NSSCMSKEKIdentifier kekIdentifier; + SECAlgorithmID keyEncAlg; + SECItem encKey; }; typedef struct NSSCMSKEKRecipientInfoStr NSSCMSKEKRecipientInfo; -#define NSS_CMS_KEK_RECIPIENT_INFO_VERSION 4 /* what we *create* */ +#define NSS_CMS_KEK_RECIPIENT_INFO_VERSION 4 /* what we *create* */ /* ----------------------------------------------------------------------------- * recipient info @@ -414,12 +409,12 @@ typedef enum { /* * In order to preserve backwards binary compatibility when implementing - * creation of Recipient Info's that uses subjectKeyID in the + * creation of Recipient Info's that uses subjectKeyID in the * keyTransRecipientInfo we need to stash a public key pointer in this * structure somewhere. We figured out that NSSCMSKeyTransRecipientInfo * is the smallest member of the ri union. We're in luck since that's * the very structure that would need to use the public key. So we created - * a new structure NSSCMSKeyTransRecipientInfoEx which has a member + * a new structure NSSCMSKeyTransRecipientInfoEx which has a member * NSSCMSKeyTransRecipientInfo as the first member followed by a version * and a public key pointer. This way we can keep backwards compatibility * without changing the size of this structure. @@ -437,43 +432,43 @@ typedef enum { struct NSSCMSRecipientInfoStr { NSSCMSRecipientInfoIDSelector recipientInfoType; union { - NSSCMSKeyTransRecipientInfo keyTransRecipientInfo; - NSSCMSKeyAgreeRecipientInfo keyAgreeRecipientInfo; - NSSCMSKEKRecipientInfo kekRecipientInfo; - NSSCMSKeyTransRecipientInfoEx keyTransRecipientInfoEx; + NSSCMSKeyTransRecipientInfo keyTransRecipientInfo; + NSSCMSKeyAgreeRecipientInfo keyAgreeRecipientInfo; + NSSCMSKEKRecipientInfo kekRecipientInfo; + NSSCMSKeyTransRecipientInfoEx keyTransRecipientInfoEx; } ri; /* --------- local; not part of encoding --------- */ - NSSCMSMessage * cmsg; /* back pointer to message */ - CERTCertificate * cert; /* recipient's certificate */ + NSSCMSMessage *cmsg; /* back pointer to message */ + CERTCertificate *cert; /* recipient's certificate */ }; /* ============================================================================= * DIGESTED DATA */ struct NSSCMSDigestedDataStr { - SECItem version; - SECAlgorithmID digestAlg; - NSSCMSContentInfo contentInfo; - SECItem digest; + SECItem version; + SECAlgorithmID digestAlg; + NSSCMSContentInfo contentInfo; + SECItem digest; /* --------- local; not part of encoding --------- */ - NSSCMSMessage * cmsg; /* back pointer */ - SECItem cdigest; /* calculated digest */ + NSSCMSMessage *cmsg; /* back pointer */ + SECItem cdigest; /* calculated digest */ }; -#define NSS_CMS_DIGESTED_DATA_VERSION_DATA 0 /* what we *create* */ -#define NSS_CMS_DIGESTED_DATA_VERSION_ENCAP 2 /* what we *create* */ +#define NSS_CMS_DIGESTED_DATA_VERSION_DATA 0 /* what we *create* */ +#define NSS_CMS_DIGESTED_DATA_VERSION_ENCAP 2 /* what we *create* */ /* ============================================================================= * ENCRYPTED DATA */ struct NSSCMSEncryptedDataStr { - SECItem version; - NSSCMSContentInfo contentInfo; - NSSCMSAttribute ** unprotectedAttr; /* optional */ + SECItem version; + NSSCMSContentInfo contentInfo; + NSSCMSAttribute **unprotectedAttr; /* optional */ /* --------- local; not part of encoding --------- */ - NSSCMSMessage * cmsg; /* back pointer */ + NSSCMSMessage *cmsg; /* back pointer */ }; -#define NSS_CMS_ENCRYPTED_DATA_VERSION 0 /* what we *create* */ -#define NSS_CMS_ENCRYPTED_DATA_VERSION_UPATTR 2 /* what we *create* */ +#define NSS_CMS_ENCRYPTED_DATA_VERSION 0 /* what we *create* */ +#define NSS_CMS_ENCRYPTED_DATA_VERSION_UPATTR 2 /* what we *create* */ /* * ***************************************************************************** @@ -486,11 +481,11 @@ struct NSSCMSEncryptedDataStr { */ struct NSSCMSAttributeStr { /* The following fields make up an encoded Attribute: */ - SECItem type; - SECItem ** values; /* data may or may not be encoded */ + SECItem type; + SECItem **values; /* data may or may not be encoded */ /* The following fields are not part of an encoded Attribute: */ - SECOidData * typeTag; - PRBool encoded; /* when true, values are encoded */ + SECOidData *typeTag; + PRBool encoded; /* when true, values are encoded */ }; #endif /* _CMST_H_ */ diff --git a/nss/lib/smime/cmsudf.c b/nss/lib/smime/cmsudf.c index 472b6d6..3ef4268 100644 --- a/nss/lib/smime/cmsudf.c +++ b/nss/lib/smime/cmsudf.c @@ -21,7 +21,7 @@ struct nsscmstypeInfoStr { SEC_ASN1Template *template; size_t size; PRBool isData; - NSSCMSGenericWrapperDataDestroy destroy; + NSSCMSGenericWrapperDataDestroy destroy; NSSCMSGenericWrapperDataCallback decode_before; NSSCMSGenericWrapperDataCallback decode_after; NSSCMSGenericWrapperDataCallback decode_end; @@ -49,29 +49,29 @@ SECStatus nss_cmstype_shutdown(void *appData, void *reserved) { if (nsscmstypeHashLock) { - PR_Lock(nsscmstypeHashLock); + PR_Lock(nsscmstypeHashLock); } if (nsscmstypeHash) { - PL_HashTableDestroy(nsscmstypeHash); - nsscmstypeHash = NULL; + PL_HashTableDestroy(nsscmstypeHash); + nsscmstypeHash = NULL; } if (nsscmstypeArena) { - PORT_FreeArena(nsscmstypeArena, PR_FALSE); - nsscmstypeArena = NULL; + PORT_FreeArena(nsscmstypeArena, PR_FALSE); + nsscmstypeArena = NULL; } if (nsscmstypeAddLock) { - PR_DestroyLock(nsscmstypeAddLock); + PR_DestroyLock(nsscmstypeAddLock); } if (nsscmstypeHashLock) { - PRLock *oldLock = nsscmstypeHashLock; - nsscmstypeHashLock = NULL; - PR_Unlock(oldLock); - PR_DestroyLock(oldLock); + PRLock *oldLock = nsscmstypeHashLock; + nsscmstypeHashLock = NULL; + PR_Unlock(oldLock); + PR_DestroyLock(oldLock); } /* don't clear out the PR_ONCE data if we failed our inital call */ if (appData == NULL) { - nsscmstypeOnce = nsscmstypeClearOnce; + nsscmstypeOnce = nsscmstypeClearOnce; } return SECSuccess; } @@ -79,16 +79,16 @@ nss_cmstype_shutdown(void *appData, void *reserved) static PLHashNumber nss_cmstype_hash_key(const void *key) { - return (PLHashNumber)((char *)key - (char *)NULL); + return (PLHashNumber)((char *)key - (char *)NULL); } static PRIntn nss_cmstype_compare_keys(const void *v1, const void *v2) { - PLHashNumber value1 = nss_cmstype_hash_key(v1); - PLHashNumber value2 = nss_cmstype_hash_key(v2); + PLHashNumber value1 = nss_cmstype_hash_key(v1); + PLHashNumber value2 = nss_cmstype_hash_key(v2); - return (value1 == value2); + return (value1 == value2); } /* @@ -99,27 +99,28 @@ static PRStatus nss_cmstype_init(void) { SECStatus rv; - + nsscmstypeHashLock = PR_NewLock(); if (nsscmstypeHashLock == NULL) { - return PR_FAILURE; + return PR_FAILURE; } nsscmstypeAddLock = PR_NewLock(); if (nsscmstypeHashLock == NULL) { - goto fail; + goto fail; } - nsscmstypeHash = PL_NewHashTable(64, nss_cmstype_hash_key, - nss_cmstype_compare_keys, PL_CompareValues, NULL, NULL); + nsscmstypeHash = PL_NewHashTable(64, nss_cmstype_hash_key, + nss_cmstype_compare_keys, + PL_CompareValues, NULL, NULL); if (nsscmstypeHash == NULL) { - goto fail; + goto fail; } nsscmstypeArena = PORT_NewArena(2048); if (nsscmstypeArena == NULL) { - goto fail; + goto fail; } rv = NSS_RegisterShutdown(nss_cmstype_shutdown, NULL); if (rv != SECSuccess) { - goto fail; + goto fail; } return PR_SUCCESS; @@ -128,20 +129,20 @@ fail: return PR_FAILURE; } - /* * look up and registered SIME type */ static const nsscmstypeInfo * nss_cmstype_lookup(SECOidTag type) { - nsscmstypeInfo *typeInfo = NULL;; + nsscmstypeInfo *typeInfo = NULL; + ; if (!nsscmstypeHash) { - return NULL; + return NULL; } PR_Lock(nsscmstypeHashLock); if (nsscmstypeHash) { - typeInfo = PL_HashTableLookupConst(nsscmstypeHash, (void *)type); + typeInfo = PL_HashTableLookupConst(nsscmstypeHash, (void *)type); } PR_Unlock(nsscmstypeHashLock); return typeInfo; @@ -156,22 +157,21 @@ nss_cmstype_add(SECOidTag type, nsscmstypeInfo *typeinfo) PLHashEntry *entry; if (!nsscmstypeHash) { - /* assert? this shouldn't happen */ - return SECFailure; + /* assert? this shouldn't happen */ + return SECFailure; } PR_Lock(nsscmstypeHashLock); /* this is really paranoia. If we really are racing nsscmstypeHash, we'll * also be racing nsscmstypeHashLock... */ if (!nsscmstypeHash) { - PR_Unlock(nsscmstypeHashLock); - return SECFailure; + PR_Unlock(nsscmstypeHashLock); + return SECFailure; } entry = PL_HashTableAdd(nsscmstypeHash, (void *)type, typeinfo); PR_Unlock(nsscmstypeHashLock); return entry ? SECSuccess : SECFailure; } - /* helper functions to manage new content types */ @@ -181,16 +181,16 @@ NSS_CMSType_IsWrapper(SECOidTag type) const nsscmstypeInfo *typeInfo = NULL; switch (type) { - case SEC_OID_PKCS7_SIGNED_DATA: - case SEC_OID_PKCS7_ENVELOPED_DATA: - case SEC_OID_PKCS7_DIGESTED_DATA: - case SEC_OID_PKCS7_ENCRYPTED_DATA: - return PR_TRUE; - default: - typeInfo = nss_cmstype_lookup(type); - if (typeInfo && !typeInfo->isData) { - return PR_TRUE; - } + case SEC_OID_PKCS7_SIGNED_DATA: + case SEC_OID_PKCS7_ENVELOPED_DATA: + case SEC_OID_PKCS7_DIGESTED_DATA: + case SEC_OID_PKCS7_ENCRYPTED_DATA: + return PR_TRUE; + default: + typeInfo = nss_cmstype_lookup(type); + if (typeInfo && !typeInfo->isData) { + return PR_TRUE; + } } return PR_FALSE; } @@ -201,13 +201,13 @@ NSS_CMSType_IsData(SECOidTag type) const nsscmstypeInfo *typeInfo = NULL; switch (type) { - case SEC_OID_PKCS7_DATA: - return PR_TRUE; - default: - typeInfo = nss_cmstype_lookup(type); - if (typeInfo && typeInfo->isData) { - return PR_TRUE; - } + case SEC_OID_PKCS7_DATA: + return PR_TRUE; + default: + typeInfo = nss_cmstype_lookup(type); + if (typeInfo && typeInfo->isData) { + return PR_TRUE; + } } return PR_FALSE; } @@ -218,7 +218,7 @@ NSS_CMSType_GetTemplate(SECOidTag type) const nsscmstypeInfo *typeInfo = nss_cmstype_lookup(type); if (typeInfo && typeInfo->template) { - return typeInfo->template; + return typeInfo->template; } return SEC_ASN1_GET(SEC_PointerToOctetStringTemplate); } @@ -229,10 +229,9 @@ NSS_CMSType_GetContentSize(SECOidTag type) const nsscmstypeInfo *typeInfo = nss_cmstype_lookup(type); if (typeInfo) { - return typeInfo->size; + return typeInfo->size; } return sizeof(SECItem *); - } void @@ -241,191 +240,187 @@ NSS_CMSGenericWrapperData_Destroy(SECOidTag type, NSSCMSGenericWrapperData *gd) const nsscmstypeInfo *typeInfo = nss_cmstype_lookup(type); if (typeInfo && typeInfo->destroy) { - (*typeInfo->destroy)(gd); + (*typeInfo->destroy)(gd); } - } - SECStatus -NSS_CMSGenericWrapperData_Decode_BeforeData(SECOidTag type, - NSSCMSGenericWrapperData *gd) +NSS_CMSGenericWrapperData_Decode_BeforeData(SECOidTag type, + NSSCMSGenericWrapperData *gd) { const nsscmstypeInfo *typeInfo; /* short cut common case */ if (type == SEC_OID_PKCS7_DATA) { - return SECSuccess; + return SECSuccess; } typeInfo = nss_cmstype_lookup(type); if (typeInfo) { - if (typeInfo->decode_before) { - return (*typeInfo->decode_before)(gd); - } - /* decoder ops optional for data tags */ - if (typeInfo->isData) { - return SECSuccess; - } + if (typeInfo->decode_before) { + return (*typeInfo->decode_before)(gd); + } + /* decoder ops optional for data tags */ + if (typeInfo->isData) { + return SECSuccess; + } } /* expected a function, but none existed */ return SECFailure; - } SECStatus -NSS_CMSGenericWrapperData_Decode_AfterData(SECOidTag type, - NSSCMSGenericWrapperData *gd) +NSS_CMSGenericWrapperData_Decode_AfterData(SECOidTag type, + NSSCMSGenericWrapperData *gd) { const nsscmstypeInfo *typeInfo; /* short cut common case */ if (type == SEC_OID_PKCS7_DATA) { - return SECSuccess; + return SECSuccess; } typeInfo = nss_cmstype_lookup(type); if (typeInfo) { - if (typeInfo->decode_after) { - return (*typeInfo->decode_after)(gd); - } - /* decoder ops optional for data tags */ - if (typeInfo->isData) { - return SECSuccess; - } + if (typeInfo->decode_after) { + return (*typeInfo->decode_after)(gd); + } + /* decoder ops optional for data tags */ + if (typeInfo->isData) { + return SECSuccess; + } } /* expected a function, but none existed */ return SECFailure; } SECStatus -NSS_CMSGenericWrapperData_Decode_AfterEnd(SECOidTag type, - NSSCMSGenericWrapperData *gd) +NSS_CMSGenericWrapperData_Decode_AfterEnd(SECOidTag type, + NSSCMSGenericWrapperData *gd) { const nsscmstypeInfo *typeInfo; /* short cut common case */ if (type == SEC_OID_PKCS7_DATA) { - return SECSuccess; + return SECSuccess; } typeInfo = nss_cmstype_lookup(type); if (typeInfo) { - if (typeInfo->decode_end) { - return (*typeInfo->decode_end)(gd); - } - /* decoder ops optional for data tags */ - if (typeInfo->isData) { - return SECSuccess; - } + if (typeInfo->decode_end) { + return (*typeInfo->decode_end)(gd); + } + /* decoder ops optional for data tags */ + if (typeInfo->isData) { + return SECSuccess; + } } /* expected a function, but none existed */ return SECFailure; } SECStatus -NSS_CMSGenericWrapperData_Encode_BeforeStart(SECOidTag type, - NSSCMSGenericWrapperData *gd) +NSS_CMSGenericWrapperData_Encode_BeforeStart(SECOidTag type, + NSSCMSGenericWrapperData *gd) { const nsscmstypeInfo *typeInfo; /* short cut common case */ if (type == SEC_OID_PKCS7_DATA) { - return SECSuccess; + return SECSuccess; } typeInfo = nss_cmstype_lookup(type); if (typeInfo) { - if (typeInfo->encode_start) { - return (*typeInfo->encode_start)(gd); - } - /* decoder ops optional for data tags */ - if (typeInfo->isData) { - return SECSuccess; - } + if (typeInfo->encode_start) { + return (*typeInfo->encode_start)(gd); + } + /* decoder ops optional for data tags */ + if (typeInfo->isData) { + return SECSuccess; + } } /* expected a function, but none existed */ return SECFailure; } SECStatus -NSS_CMSGenericWrapperData_Encode_BeforeData(SECOidTag type, - NSSCMSGenericWrapperData *gd) +NSS_CMSGenericWrapperData_Encode_BeforeData(SECOidTag type, + NSSCMSGenericWrapperData *gd) { const nsscmstypeInfo *typeInfo; /* short cut common case */ if (type == SEC_OID_PKCS7_DATA) { - return SECSuccess; + return SECSuccess; } typeInfo = nss_cmstype_lookup(type); if (typeInfo) { - if (typeInfo->encode_before) { - return (*typeInfo->encode_before)(gd); - } - /* decoder ops optional for data tags */ - if (typeInfo->isData) { - return SECSuccess; - } + if (typeInfo->encode_before) { + return (*typeInfo->encode_before)(gd); + } + /* decoder ops optional for data tags */ + if (typeInfo->isData) { + return SECSuccess; + } } /* expected a function, but none existed */ return SECFailure; } SECStatus -NSS_CMSGenericWrapperData_Encode_AfterData(SECOidTag type, - NSSCMSGenericWrapperData *gd) +NSS_CMSGenericWrapperData_Encode_AfterData(SECOidTag type, + NSSCMSGenericWrapperData *gd) { const nsscmstypeInfo *typeInfo; /* short cut common case */ if (type == SEC_OID_PKCS7_DATA) { - return SECSuccess; + return SECSuccess; } typeInfo = nss_cmstype_lookup(type); if (typeInfo) { - if (typeInfo->encode_after) { - return (*typeInfo->encode_after)(gd); - } - /* decoder ops optional for data tags */ - if (typeInfo->isData) { - return SECSuccess; - } + if (typeInfo->encode_after) { + return (*typeInfo->encode_after)(gd); + } + /* decoder ops optional for data tags */ + if (typeInfo->isData) { + return SECSuccess; + } } /* expected a function, but none existed */ return SECFailure; } - SECStatus -NSS_CMSType_RegisterContentType(SECOidTag type, - SEC_ASN1Template *asn1Template, size_t size, - NSSCMSGenericWrapperDataDestroy destroy, - NSSCMSGenericWrapperDataCallback decode_before, - NSSCMSGenericWrapperDataCallback decode_after, - NSSCMSGenericWrapperDataCallback decode_end, - NSSCMSGenericWrapperDataCallback encode_start, - NSSCMSGenericWrapperDataCallback encode_before, - NSSCMSGenericWrapperDataCallback encode_after, - PRBool isData) +NSS_CMSType_RegisterContentType(SECOidTag type, + SEC_ASN1Template *asn1Template, size_t size, + NSSCMSGenericWrapperDataDestroy destroy, + NSSCMSGenericWrapperDataCallback decode_before, + NSSCMSGenericWrapperDataCallback decode_after, + NSSCMSGenericWrapperDataCallback decode_end, + NSSCMSGenericWrapperDataCallback encode_start, + NSSCMSGenericWrapperDataCallback encode_before, + NSSCMSGenericWrapperDataCallback encode_after, + PRBool isData) { PRStatus rc; SECStatus rv; nsscmstypeInfo *typeInfo; const nsscmstypeInfo *exists; - rc = PR_CallOnce( &nsscmstypeOnce, nss_cmstype_init); + rc = PR_CallOnce(&nsscmstypeOnce, nss_cmstype_init); if (rc == PR_FAILURE) { - return SECFailure; + return SECFailure; } PR_Lock(nsscmstypeAddLock); exists = nss_cmstype_lookup(type); if (exists) { - PR_Unlock(nsscmstypeAddLock); - /* already added */ - return SECSuccess; + PR_Unlock(nsscmstypeAddLock); + /* already added */ + return SECSuccess; } typeInfo = PORT_ArenaNew(nsscmstypeArena, nsscmstypeInfo); typeInfo->type = type; @@ -443,4 +438,3 @@ NSS_CMSType_RegisterContentType(SECOidTag type, PR_Unlock(nsscmstypeAddLock); return rv; } - diff --git a/nss/lib/smime/cmsutil.c b/nss/lib/smime/cmsutil.c index 2fe8564..cd12603 100644 --- a/nss/lib/smime/cmsutil.c +++ b/nss/lib/smime/cmsutil.c @@ -33,16 +33,16 @@ NSS_CMSArray_SortByDER(void **objs, const SEC_ASN1Template *objtemplate, void ** SECStatus rv = SECFailure; int i; - if (objs == NULL) /* already sorted */ - return SECSuccess; + if (objs == NULL) /* already sorted */ + return SECSuccess; num_objs = NSS_CMSArray_Count((void **)objs); - if (num_objs == 0 || num_objs == 1) /* already sorted. */ - return SECSuccess; + if (num_objs == 0 || num_objs == 1) /* already sorted. */ + return SECSuccess; - poolp = PORT_NewArena (1024); /* arena for temporaries */ + poolp = PORT_NewArena(1024); /* arena for temporaries */ if (poolp == NULL) - return SECFailure; /* no memory; nothing we can do... */ + return SECFailure; /* no memory; nothing we can do... */ /* * Allocate arrays to hold the individual encodings which we will use @@ -50,13 +50,13 @@ NSS_CMSArray_SortByDER(void **objs, const SEC_ASN1Template *objtemplate, void ** */ enc_objs = (SECItem **)PORT_ArenaZAlloc(poolp, (num_objs + 1) * sizeof(SECItem *)); if (enc_objs == NULL) - goto loser; + goto loser; /* DER encode each individual object. */ for (i = 0; i < num_objs; i++) { - enc_objs[i] = SEC_ASN1EncodeItem(poolp, NULL, objs[i], objtemplate); - if (enc_objs[i] == NULL) - goto loser; + enc_objs[i] = SEC_ASN1EncodeItem(poolp, NULL, objs[i], objtemplate); + if (enc_objs[i] == NULL) + goto loser; } enc_objs[num_objs] = NULL; @@ -66,7 +66,7 @@ NSS_CMSArray_SortByDER(void **objs, const SEC_ASN1Template *objtemplate, void ** rv = SECSuccess; loser: - PORT_FreeArena (poolp, PR_FALSE); + PORT_FreeArena(poolp, PR_FALSE); return rv; } @@ -93,25 +93,25 @@ NSS_CMSUtil_DERCompare(void *a, void *b) * is found. */ if (der1->len != der2->len) - return (der1->len < der2->len) ? -1 : 1; + return (der1->len < der2->len) ? -1 : 1; for (j = 0; j < der1->len; j++) { - if (der1->data[j] == der2->data[j]) - continue; - return (der1->data[j] < der2->data[j]) ? -1 : 1; + if (der1->data[j] == der2->data[j]) + continue; + return (der1->data[j] < der2->data[j]) ? -1 : 1; } return 0; } /* - * NSS_CMSAlgArray_GetIndexByAlgID - find a specific algorithm in an array of + * NSS_CMSAlgArray_GetIndexByAlgID - find a specific algorithm in an array of * algorithms. * * algorithmArray - array of algorithm IDs * algid - algorithmid of algorithm to pick * * Returns: - * An integer containing the index of the algorithm in the array or -1 if + * An integer containing the index of the algorithm in the array or -1 if * algorithm was not found. */ int @@ -120,58 +120,58 @@ NSS_CMSAlgArray_GetIndexByAlgID(SECAlgorithmID **algorithmArray, SECAlgorithmID int i; if (algorithmArray == NULL || algorithmArray[0] == NULL) - return -1; + return -1; for (i = 0; algorithmArray[i] != NULL; i++) { - if (SECOID_CompareAlgorithmID(algorithmArray[i], algid) == SECEqual) - break; /* bingo */ + if (SECOID_CompareAlgorithmID(algorithmArray[i], algid) == SECEqual) + break; /* bingo */ } if (algorithmArray[i] == NULL) - return -1; /* not found */ + return -1; /* not found */ return i; } /* - * NSS_CMSAlgArray_GetIndexByAlgTag - find a specific algorithm in an array of + * NSS_CMSAlgArray_GetIndexByAlgTag - find a specific algorithm in an array of * algorithms. * * algorithmArray - array of algorithm IDs * algtag - algorithm tag of algorithm to pick * * Returns: - * An integer containing the index of the algorithm in the array or -1 if + * An integer containing the index of the algorithm in the array or -1 if * algorithm was not found. */ int -NSS_CMSAlgArray_GetIndexByAlgTag(SECAlgorithmID **algorithmArray, +NSS_CMSAlgArray_GetIndexByAlgTag(SECAlgorithmID **algorithmArray, SECOidTag algtag) { SECOidData *algid; int i = -1; if (algorithmArray == NULL || algorithmArray[0] == NULL) - return i; + return i; #ifdef ORDER_N_SQUARED for (i = 0; algorithmArray[i] != NULL; i++) { - algid = SECOID_FindOID(&(algorithmArray[i]->algorithm)); - if (algid->offset == algtag) - break; /* bingo */ + algid = SECOID_FindOID(&(algorithmArray[i]->algorithm)); + if (algid->offset == algtag) + break; /* bingo */ } #else algid = SECOID_FindOIDByTag(algtag); - if (!algid) - return i; + if (!algid) + return i; for (i = 0; algorithmArray[i] != NULL; i++) { - if (SECITEM_ItemsAreEqual(&algorithmArray[i]->algorithm, &algid->oid)) - break; /* bingo */ + if (SECITEM_ItemsAreEqual(&algorithmArray[i]->algorithm, &algid->oid)) + break; /* bingo */ } #endif if (algorithmArray[i] == NULL) - return -1; /* not found */ + return -1; /* not found */ return i; } @@ -185,31 +185,31 @@ SECOidTag NSS_CMSUtil_MapSignAlgs(SECOidTag signAlg) { switch (signAlg) { - case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION: - return SEC_OID_MD2; - break; - case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION: - return SEC_OID_MD5; - break; - case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION: - case SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE: - case SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST: - return SEC_OID_SHA1; - break; - case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION: - case SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE: - return SEC_OID_SHA256; - break; - case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION: - case SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE: - return SEC_OID_SHA384; - break; - case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION: - case SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE: - return SEC_OID_SHA512; - break; - default: - break; + case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION: + return SEC_OID_MD2; + break; + case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION: + return SEC_OID_MD5; + break; + case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION: + case SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE: + case SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST: + return SEC_OID_SHA1; + break; + case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION: + case SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE: + return SEC_OID_SHA256; + break; + case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION: + case SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE: + return SEC_OID_SHA384; + break; + case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION: + case SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE: + return SEC_OID_SHA512; + break; + default: + break; } /* not one of the algtags incorrectly sent to us*/ return signAlg; @@ -234,21 +234,21 @@ NSS_CMSUtil_GetTemplateByTypeTag(SECOidTag type) extern const SEC_ASN1Template NSSCMSDigestedDataTemplate[]; switch (type) { - case SEC_OID_PKCS7_SIGNED_DATA: - template = NSSCMSSignedDataTemplate; - break; - case SEC_OID_PKCS7_ENVELOPED_DATA: - template = NSSCMSEnvelopedDataTemplate; - break; - case SEC_OID_PKCS7_ENCRYPTED_DATA: - template = NSSCMSEncryptedDataTemplate; - break; - case SEC_OID_PKCS7_DIGESTED_DATA: - template = NSSCMSDigestedDataTemplate; - break; - default: - template = NSS_CMSType_GetTemplate(type); - break; + case SEC_OID_PKCS7_SIGNED_DATA: + template = NSSCMSSignedDataTemplate; + break; + case SEC_OID_PKCS7_ENVELOPED_DATA: + template = NSSCMSEnvelopedDataTemplate; + break; + case SEC_OID_PKCS7_ENCRYPTED_DATA: + template = NSSCMSEncryptedDataTemplate; + break; + case SEC_OID_PKCS7_DIGESTED_DATA: + template = NSSCMSDigestedDataTemplate; + break; + default: + template = NSS_CMSType_GetTemplate(type); + break; } return template; } @@ -259,21 +259,21 @@ NSS_CMSUtil_GetSizeByTypeTag(SECOidTag type) size_t size; switch (type) { - case SEC_OID_PKCS7_SIGNED_DATA: - size = sizeof(NSSCMSSignedData); - break; - case SEC_OID_PKCS7_ENVELOPED_DATA: - size = sizeof(NSSCMSEnvelopedData); - break; - case SEC_OID_PKCS7_ENCRYPTED_DATA: - size = sizeof(NSSCMSEncryptedData); - break; - case SEC_OID_PKCS7_DIGESTED_DATA: - size = sizeof(NSSCMSDigestedData); - break; - default: - size = NSS_CMSType_GetContentSize(type); - break; + case SEC_OID_PKCS7_SIGNED_DATA: + size = sizeof(NSSCMSSignedData); + break; + case SEC_OID_PKCS7_ENVELOPED_DATA: + size = sizeof(NSSCMSEnvelopedData); + break; + case SEC_OID_PKCS7_ENCRYPTED_DATA: + size = sizeof(NSSCMSEncryptedData); + break; + case SEC_OID_PKCS7_DIGESTED_DATA: + size = sizeof(NSSCMSDigestedData); + break; + default: + size = NSS_CMSType_GetContentSize(type); + break; } return size; } @@ -285,26 +285,26 @@ NSS_CMSContent_GetContentInfo(void *msg, SECOidTag type) NSSCMSContentInfo *cinfo = NULL; if (!msg) - return cinfo; + return cinfo; c.pointer = msg; switch (type) { - case SEC_OID_PKCS7_SIGNED_DATA: - cinfo = &(c.signedData->contentInfo); - break; - case SEC_OID_PKCS7_ENVELOPED_DATA: - cinfo = &(c.envelopedData->contentInfo); - break; - case SEC_OID_PKCS7_ENCRYPTED_DATA: - cinfo = &(c.encryptedData->contentInfo); - break; - case SEC_OID_PKCS7_DIGESTED_DATA: - cinfo = &(c.digestedData->contentInfo); - break; - default: - cinfo = NULL; - if (NSS_CMSType_IsWrapper(type)) { - cinfo = &(c.genericData->contentInfo); - } + case SEC_OID_PKCS7_SIGNED_DATA: + cinfo = &(c.signedData->contentInfo); + break; + case SEC_OID_PKCS7_ENVELOPED_DATA: + cinfo = &(c.envelopedData->contentInfo); + break; + case SEC_OID_PKCS7_ENCRYPTED_DATA: + cinfo = &(c.encryptedData->contentInfo); + break; + case SEC_OID_PKCS7_DIGESTED_DATA: + cinfo = &(c.digestedData->contentInfo); + break; + default: + cinfo = NULL; + if (NSS_CMSType_IsWrapper(type)) { + cinfo = &(c.genericData->contentInfo); + } } return cinfo; } @@ -313,45 +313,55 @@ const char * NSS_CMSUtil_VerificationStatusToString(NSSCMSVerificationStatus vs) { switch (vs) { - case NSSCMSVS_Unverified: return "Unverified"; - case NSSCMSVS_GoodSignature: return "GoodSignature"; - case NSSCMSVS_BadSignature: return "BadSignature"; - case NSSCMSVS_DigestMismatch: return "DigestMismatch"; - case NSSCMSVS_SigningCertNotFound: return "SigningCertNotFound"; - case NSSCMSVS_SigningCertNotTrusted: return "SigningCertNotTrusted"; - case NSSCMSVS_SignatureAlgorithmUnknown: return "SignatureAlgorithmUnknown"; - case NSSCMSVS_SignatureAlgorithmUnsupported: return "SignatureAlgorithmUnsupported"; - case NSSCMSVS_MalformedSignature: return "MalformedSignature"; - case NSSCMSVS_ProcessingError: return "ProcessingError"; - default: return "Unknown"; + case NSSCMSVS_Unverified: + return "Unverified"; + case NSSCMSVS_GoodSignature: + return "GoodSignature"; + case NSSCMSVS_BadSignature: + return "BadSignature"; + case NSSCMSVS_DigestMismatch: + return "DigestMismatch"; + case NSSCMSVS_SigningCertNotFound: + return "SigningCertNotFound"; + case NSSCMSVS_SigningCertNotTrusted: + return "SigningCertNotTrusted"; + case NSSCMSVS_SignatureAlgorithmUnknown: + return "SignatureAlgorithmUnknown"; + case NSSCMSVS_SignatureAlgorithmUnsupported: + return "SignatureAlgorithmUnsupported"; + case NSSCMSVS_MalformedSignature: + return "MalformedSignature"; + case NSSCMSVS_ProcessingError: + return "ProcessingError"; + default: + return "Unknown"; } } SECStatus -NSS_CMSDEREncode(NSSCMSMessage *cmsg, SECItem *input, SECItem *derOut, +NSS_CMSDEREncode(NSSCMSMessage *cmsg, SECItem *input, SECItem *derOut, PLArenaPool *arena) { NSSCMSEncoderContext *ecx; SECStatus rv = SECSuccess; if (!cmsg || !derOut || !arena) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; } ecx = NSS_CMSEncoder_Start(cmsg, 0, 0, derOut, arena, 0, 0, 0, 0, 0, 0); if (!ecx) { - PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); - return SECFailure; + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; } if (input) { - rv = NSS_CMSEncoder_Update(ecx, (const char*)input->data, input->len); - if (rv) { - PORT_SetError(SEC_ERROR_BAD_DATA); - } + rv = NSS_CMSEncoder_Update(ecx, (const char *)input->data, input->len); + if (rv) { + PORT_SetError(SEC_ERROR_BAD_DATA); + } } rv |= NSS_CMSEncoder_Finish(ecx); if (rv) { - PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); } return rv; } - diff --git a/nss/lib/smime/exports.gyp b/nss/lib/smime/exports.gyp new file mode 100644 index 0000000..3865bb4 --- /dev/null +++ b/nss/lib/smime/exports.gyp @@ -0,0 +1,34 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +{ + 'includes': [ + '../../coreconf/config.gypi' + ], + 'targets': [ + { + 'target_name': 'lib_smime_exports', + 'type': 'none', + 'copies': [ + { + 'files': [ + 'cms.h', + 'cmsreclist.h', + 'cmst.h', + 'smime.h' + ], + 'destination': '<(nss_public_dist_dir)/<(module)' + }, + { + 'files': [ + 'cmslocal.h' + ], + 'destination': '<(nss_private_dist_dir)/<(module)' + } + ] + } + ], + 'variables': { + 'module': 'nss' + } +} diff --git a/nss/lib/smime/smime.gyp b/nss/lib/smime/smime.gyp new file mode 100644 index 0000000..fa74cd9 --- /dev/null +++ b/nss/lib/smime/smime.gyp @@ -0,0 +1,80 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +{ + 'includes': [ + '../../coreconf/config.gypi' + ], + 'targets': [ + { + 'target_name': 'smime', + 'type': 'static_library', + 'sources': [ + 'cmsarray.c', + 'cmsasn1.c', + 'cmsattr.c', + 'cmscinfo.c', + 'cmscipher.c', + 'cmsdecode.c', + 'cmsdigdata.c', + 'cmsdigest.c', + 'cmsencdata.c', + 'cmsencode.c', + 'cmsenvdata.c', + 'cmsmessage.c', + 'cmspubkey.c', + 'cmsrecinfo.c', + 'cmsreclist.c', + 'cmssigdata.c', + 'cmssiginfo.c', + 'cmsudf.c', + 'cmsutil.c', + 'smimemessage.c', + 'smimeutil.c', + 'smimever.c' + ], + 'dependencies': [ + '<(DEPTH)/exports.gyp:nss_exports', + ] + }, + { + # This is here so Firefox can link this without having to + # repeat the list of dependencies. + 'target_name': 'smime3_deps', + 'type': 'none', + 'dependencies': [ + 'smime', + '<(DEPTH)/lib/pkcs12/pkcs12.gyp:pkcs12', + '<(DEPTH)/lib/pkcs7/pkcs7.gyp:pkcs7' + ], + }, + { + 'target_name': 'smime3', + 'type': 'shared_library', + 'dependencies': [ + 'smime3_deps', + '<(DEPTH)/lib/nss/nss.gyp:nss3', + '<(DEPTH)/lib/util/util.gyp:nssutil3' + ], + 'variables': { + 'mapfile': 'smime.def' + } + } + ], + 'conditions': [ + [ 'moz_fold_libs==1', { + 'targets': [ + { + 'target_name': 'smime3_static', + 'type': 'static_library', + 'dependencies': [ + 'smime3_deps', + ], + } + ], + }], + ], + 'variables': { + 'module': 'nss' + } +} diff --git a/nss/lib/smime/smime.h b/nss/lib/smime/smime.h index b1a7a0f..e534ef0 100644 --- a/nss/lib/smime/smime.h +++ b/nss/lib/smime/smime.h @@ -12,7 +12,6 @@ #include "cms.h" - /************************************************************************/ SEC_BEGIN_PROTOS @@ -39,9 +38,9 @@ SEC_BEGIN_PROTOS * If the cipher preference is successfully recorded, SECSuccess * is returned. Otherwise SECFailure is returned. The only errors * are due to failure allocating memory or bad parameters/calls: - * SEC_ERROR_XXX ("which" is not in the S/MIME cipher family) - * SEC_ERROR_XXX (function is being called more times than there - * are known/expected ciphers) + * SEC_ERROR_XXX ("which" is not in the S/MIME cipher family) + * SEC_ERROR_XXX (function is being called more times than there + * are known/expected ciphers) */ extern SECStatus NSS_SMIMEUtil_EnableCipher(long which, int on); @@ -78,8 +77,8 @@ extern PRBool NSS_SMIMEUtil_DecryptionAllowed(SECAlgorithmID *algid, PK11SymKey * * It takes no arguments. The return value is a simple boolean: * PR_TRUE means encryption (or decryption) is *possible* - * (but may still fail due to other reasons, like because we cannot - * find all the necessary certs, etc.; PR_TRUE is *not* a guarantee) + * (but may still fail due to other reasons, like because we cannot + * find all the necessary certs, etc.; PR_TRUE is *not* a guarantee) * PR_FALSE means encryption (or decryption) is not permitted * * There are no errors from this routine. @@ -97,24 +96,28 @@ extern SECStatus NSS_SMIMEUtil_CreateSMIMECapabilities(PLArenaPool *poolp, SECIt /* * NSS_SMIMEUtil_CreateSMIMEEncKeyPrefs - create S/MIME encryption key preferences attr value */ -extern SECStatus NSS_SMIMEUtil_CreateSMIMEEncKeyPrefs(PLArenaPool *poolp, SECItem *dest, CERTCertificate *cert); +extern SECStatus NSS_SMIMEUtil_CreateSMIMEEncKeyPrefs(PLArenaPool *poolp, + SECItem *dest, CERTCertificate *cert); /* * NSS_SMIMEUtil_CreateMSSMIMEEncKeyPrefs - create S/MIME encryption key preferences attr value using MS oid */ -extern SECStatus NSS_SMIMEUtil_CreateMSSMIMEEncKeyPrefs(PLArenaPool *poolp, SECItem *dest, CERTCertificate *cert); +extern SECStatus NSS_SMIMEUtil_CreateMSSMIMEEncKeyPrefs(PLArenaPool *poolp, + SECItem *dest, CERTCertificate *cert); /* * NSS_SMIMEUtil_GetCertFromEncryptionKeyPreference - find cert marked by EncryptionKeyPreference * attribute */ -extern CERTCertificate *NSS_SMIMEUtil_GetCertFromEncryptionKeyPreference(CERTCertDBHandle *certdb, SECItem *DERekp); +extern CERTCertificate *NSS_SMIMEUtil_GetCertFromEncryptionKeyPreference(CERTCertDBHandle *certdb, + SECItem *DERekp); /* * NSS_SMIMEUtil_FindBulkAlgForRecipients - find bulk algorithm suitable for all recipients */ extern SECStatus -NSS_SMIMEUtil_FindBulkAlgForRecipients(CERTCertificate **rcerts, SECOidTag *bulkalgtag, int *keysize); +NSS_SMIMEUtil_FindBulkAlgForRecipients(CERTCertificate **rcerts, + SECOidTag *bulkalgtag, int *keysize); /* * Return a boolean that indicates whether the underlying library diff --git a/nss/lib/smime/smimemessage.c b/nss/lib/smime/smimemessage.c index ec69b44..774b9f3 100644 --- a/nss/lib/smime/smimemessage.c +++ b/nss/lib/smime/smimemessage.c @@ -18,7 +18,6 @@ #include "prtime.h" #include "secerr.h" - #if 0 /* * NSS_SMIMEMessage_CreateEncrypted - start an S/MIME encrypting context. @@ -39,10 +38,10 @@ */ NSSCMSMessage * NSS_SMIMEMessage_CreateEncrypted(CERTCertificate *scert, - CERTCertificate **rcerts, - CERTCertDBHandle *certdb, - PK11PasswordFunc pwfn, - void *pwfn_arg) + CERTCertificate **rcerts, + CERTCertDBHandle *certdb, + PK11PasswordFunc pwfn, + void *pwfn_arg) { NSSCMSMessage *cmsg; long cipher; @@ -52,11 +51,11 @@ NSS_SMIMEMessage_CreateEncrypted(CERTCertificate *scert, cipher = smime_choose_cipher (scert, rcerts); if (cipher < 0) - return NULL; + return NULL; mapi = smime_mapi_by_cipher (cipher); if (mapi < 0) - return NULL; + return NULL; /* * XXX This is stretching it -- CreateEnvelopedData should probably @@ -69,22 +68,22 @@ NSS_SMIMEMessage_CreateEncrypted(CERTCertificate *scert, encalg = smime_cipher_map[mapi].algtag; keysize = smime_keysize_by_cipher (cipher); if (keysize < 0) - return NULL; + return NULL; cinfo = SEC_PKCS7CreateEnvelopedData (scert, certUsageEmailRecipient, - certdb, encalg, keysize, - pwfn, pwfn_arg); + certdb, encalg, keysize, + pwfn, pwfn_arg); if (cinfo == NULL) - return NULL; + return NULL; for (rci = 0; rcerts[rci] != NULL; rci++) { - if (rcerts[rci] == scert) - continue; - if (SEC_PKCS7AddRecipient (cinfo, rcerts[rci], certUsageEmailRecipient, - NULL) != SECSuccess) { - SEC_PKCS7DestroyContentInfo (cinfo); - return NULL; - } + if (rcerts[rci] == scert) + continue; + if (SEC_PKCS7AddRecipient (cinfo, rcerts[rci], certUsageEmailRecipient, + NULL) != SECSuccess) { + SEC_PKCS7DestroyContentInfo (cinfo); + return NULL; + } } return cinfo; @@ -103,7 +102,7 @@ NSS_SMIMEMessage_CreateEncrypted(CERTCertificate *scert, * * "certdb" is the cert database to use for verifying the cert. * It can be NULL if a default database is available (like in the client). - * + * * "digestalg" names the digest algorithm (e.g. SEC_OID_SHA1). * XXX There should be SECMIME functions for hashing, or the hashing should * be built into this interface, which we would like because we would @@ -123,12 +122,12 @@ NSS_SMIMEMessage_CreateEncrypted(CERTCertificate *scert, NSSCMSMessage * NSS_SMIMEMessage_CreateSigned(CERTCertificate *scert, - CERTCertificate *ecert, - CERTCertDBHandle *certdb, - SECOidTag digestalgtag, - SECItem *digest, - PK11PasswordFunc pwfn, - void *pwfn_arg) + CERTCertificate *ecert, + CERTCertDBHandle *certdb, + SECOidTag digestalgtag, + SECItem *digest, + PK11PasswordFunc pwfn, + void *pwfn_arg) { NSSCMSMessage *cmsg; NSSCMSSignedData *sigd; @@ -139,46 +138,46 @@ NSS_SMIMEMessage_CreateSigned(CERTCertificate *scert, cmsg = NSS_CMSMessage_Create(NULL); if (cmsg == NULL) - return NULL; + return NULL; sigd = NSS_CMSSignedData_Create(cmsg); if (sigd == NULL) - goto loser; + goto loser; /* create just one signerinfo */ signerinfo = NSS_CMSSignerInfo_Create(cmsg, scert, digestalgtag); if (signerinfo == NULL) - goto loser; + goto loser; /* Add the signing time to the signerinfo. */ if (NSS_CMSSignerInfo_AddSigningTime(signerinfo, PR_Now()) != SECSuccess) - goto loser; - + goto loser; + /* and add the SMIME profile */ if (NSS_SMIMESignerInfo_AddSMIMEProfile(signerinfo, scert) != SECSuccess) - goto loser; + goto loser; /* now add the signerinfo to the signeddata */ if (NSS_CMSSignedData_AddSignerInfo(sigd, signerinfo) != SECSuccess) - goto loser; + goto loser; /* include the signing cert and its entire chain */ /* note that there are no checks for duplicate certs in place, as all the */ /* essential data structures (like set of certificate) are not there */ if (NSS_CMSSignedData_AddCertChain(sigd, scert) != SECSuccess) - goto loser; + goto loser; /* If the encryption cert and the signing cert differ, then include * the encryption cert too. */ if ( ( ecert != NULL ) && ( ecert != scert ) ) { - if (NSS_CMSSignedData_AddCertificate(sigd, ecert) != SECSuccess) - goto loser; + if (NSS_CMSSignedData_AddCertificate(sigd, ecert) != SECSuccess) + goto loser; } return cmsg; loser: if (cmsg) - NSS_CMSMessage_Destroy(cmsg); + NSS_CMSMessage_Destroy(cmsg); return NULL; } #endif diff --git a/nss/lib/smime/smimesym.c b/nss/lib/smime/smimesym.c index 8ed6cbf..2ae39f4 100644 --- a/nss/lib/smime/smimesym.c +++ b/nss/lib/smime/smimesym.c @@ -5,8 +5,8 @@ extern void SEC_PKCS7DecodeItem(); extern void SEC_PKCS7DestroyContentInfo(); -smime_CMDExports() { - SEC_PKCS7DecodeItem(); - SEC_PKCS7DestroyContentInfo(); +smime_CMDExports() +{ + SEC_PKCS7DecodeItem(); + SEC_PKCS7DestroyContentInfo(); } - diff --git a/nss/lib/smime/smimeutil.c b/nss/lib/smime/smimeutil.c index 84d1960..7674a65 100644 --- a/nss/lib/smime/smimeutil.c +++ b/nss/lib/smime/smimeutil.c @@ -9,7 +9,7 @@ #include "secmime.h" #include "secoid.h" #include "pk11func.h" -#include "ciferfam.h" /* for CIPHER_FAMILY symbols */ +#include "ciferfam.h" /* for CIPHER_FAMILY symbols */ #include "secasn1.h" #include "secitem.h" #include "cert.h" @@ -40,17 +40,17 @@ static SECItem param_int128 = { siBuffer, asn1_int128, sizeof(asn1_int128) }; typedef struct { SECItem capabilityID; SECItem parameters; - long cipher; /* optimization */ + long cipher; /* optimization */ } NSSSMIMECapability; static const SEC_ASN1Template NSSSMIMECapabilityTemplate[] = { { SEC_ASN1_SEQUENCE, - 0, NULL, sizeof(NSSSMIMECapability) }, + 0, NULL, sizeof(NSSSMIMECapability) }, { SEC_ASN1_OBJECT_ID, - offsetof(NSSSMIMECapability,capabilityID), }, + offsetof(NSSSMIMECapability, capabilityID) }, { SEC_ASN1_OPTIONAL | SEC_ASN1_ANY, - offsetof(NSSSMIMECapability,parameters), }, - { 0, } + offsetof(NSSSMIMECapability, parameters) }, + { 0 } }; static const SEC_ASN1Template NSSSMIMECapabilitiesTemplate[] = { @@ -70,9 +70,9 @@ typedef enum { typedef struct { NSSSMIMEEncryptionKeyPrefSelector selector; union { - CERTIssuerAndSN *issuerAndSN; - NSSCMSRecipientKeyIdentifier *recipientKeyID; - SECItem *subjectKeyID; + CERTIssuerAndSN *issuerAndSN; + NSSCMSRecipientKeyIdentifier *recipientKeyID; + SECItem *subjectKeyID; } id; } NSSSMIMEEncryptionKeyPreference; @@ -80,24 +80,21 @@ extern const SEC_ASN1Template NSSCMSRecipientKeyIdentifierTemplate[]; static const SEC_ASN1Template smime_encryptionkeypref_template[] = { { SEC_ASN1_CHOICE, - offsetof(NSSSMIMEEncryptionKeyPreference,selector), NULL, - sizeof(NSSSMIMEEncryptionKeyPreference) }, - { SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0 - | SEC_ASN1_CONSTRUCTED, - offsetof(NSSSMIMEEncryptionKeyPreference,id.issuerAndSN), - SEC_ASN1_SUB(CERT_IssuerAndSNTemplate), - NSSSMIMEEncryptionKeyPref_IssuerSN }, - { SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | 1 - | SEC_ASN1_CONSTRUCTED, - offsetof(NSSSMIMEEncryptionKeyPreference,id.recipientKeyID), - NSSCMSRecipientKeyIdentifierTemplate, - NSSSMIMEEncryptionKeyPref_RKeyID }, - { SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 2 - | SEC_ASN1_CONSTRUCTED, - offsetof(NSSSMIMEEncryptionKeyPreference,id.subjectKeyID), - SEC_ASN1_SUB(SEC_OctetStringTemplate), - NSSSMIMEEncryptionKeyPref_SubjectKeyID }, - { 0, } + offsetof(NSSSMIMEEncryptionKeyPreference, selector), NULL, + sizeof(NSSSMIMEEncryptionKeyPreference) }, + { SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 0 | SEC_ASN1_CONSTRUCTED, + offsetof(NSSSMIMEEncryptionKeyPreference, id.issuerAndSN), + SEC_ASN1_SUB(CERT_IssuerAndSNTemplate), + NSSSMIMEEncryptionKeyPref_IssuerSN }, + { SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | 1 | SEC_ASN1_CONSTRUCTED, + offsetof(NSSSMIMEEncryptionKeyPreference, id.recipientKeyID), + NSSCMSRecipientKeyIdentifierTemplate, + NSSSMIMEEncryptionKeyPref_RKeyID }, + { SEC_ASN1_POINTER | SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 2 | SEC_ASN1_CONSTRUCTED, + offsetof(NSSSMIMEEncryptionKeyPreference, id.subjectKeyID), + SEC_ASN1_SUB(SEC_OctetStringTemplate), + NSSSMIMEEncryptionKeyPref_SubjectKeyID }, + { 0 } }; /* smime_cipher_map - map of SMIME symmetric "ciphers" to algtag & parameters */ @@ -105,21 +102,21 @@ typedef struct { unsigned long cipher; SECOidTag algtag; SECItem *parms; - PRBool enabled; /* in the user's preferences */ - PRBool allowed; /* per export policy */ + PRBool enabled; /* in the user's preferences */ + PRBool allowed; /* per export policy */ } smime_cipher_map_entry; /* global: list of supported SMIME symmetric ciphers, ordered roughly by increasing strength */ static smime_cipher_map_entry smime_cipher_map[] = { -/* cipher algtag parms enabled allowed */ -/* ---------------------------------------------------------------------------------- */ - { SMIME_RC2_CBC_40, SEC_OID_RC2_CBC, ¶m_int40, PR_TRUE, PR_TRUE }, - { SMIME_DES_CBC_56, SEC_OID_DES_CBC, NULL, PR_TRUE, PR_TRUE }, - { SMIME_RC2_CBC_64, SEC_OID_RC2_CBC, ¶m_int64, PR_TRUE, PR_TRUE }, - { SMIME_RC2_CBC_128, SEC_OID_RC2_CBC, ¶m_int128, PR_TRUE, PR_TRUE }, - { SMIME_DES_EDE3_168, SEC_OID_DES_EDE3_CBC, NULL, PR_TRUE, PR_TRUE }, - { SMIME_AES_CBC_128, SEC_OID_AES_128_CBC, NULL, PR_TRUE, PR_TRUE }, - { SMIME_AES_CBC_256, SEC_OID_AES_256_CBC, NULL, PR_TRUE, PR_TRUE } + /* cipher, algtag, parms, enabled, allowed */ + /* --------------------------------------- */ + { SMIME_RC2_CBC_40, SEC_OID_RC2_CBC, ¶m_int40, PR_TRUE, PR_TRUE }, + { SMIME_DES_CBC_56, SEC_OID_DES_CBC, NULL, PR_TRUE, PR_TRUE }, + { SMIME_RC2_CBC_64, SEC_OID_RC2_CBC, ¶m_int64, PR_TRUE, PR_TRUE }, + { SMIME_RC2_CBC_128, SEC_OID_RC2_CBC, ¶m_int128, PR_TRUE, PR_TRUE }, + { SMIME_DES_EDE3_168, SEC_OID_DES_EDE3_CBC, NULL, PR_TRUE, PR_TRUE }, + { SMIME_AES_CBC_128, SEC_OID_AES_128_CBC, NULL, PR_TRUE, PR_TRUE }, + { SMIME_AES_CBC_256, SEC_OID_AES_256_CBC, NULL, PR_TRUE, PR_TRUE } }; static const int smime_cipher_map_count = sizeof(smime_cipher_map) / sizeof(smime_cipher_map_entry); @@ -132,16 +129,16 @@ smime_mapi_by_cipher(unsigned long cipher) int i; for (i = 0; i < smime_cipher_map_count; i++) { - if (smime_cipher_map[i].cipher == cipher) - return i; /* bingo */ + if (smime_cipher_map[i].cipher == cipher) + return i; /* bingo */ } - return -1; /* should not happen if we're consistent, right? */ + return -1; /* should not happen if we're consistent, right? */ } /* * NSS_SMIME_EnableCipher - this function locally records the user's preference */ -SECStatus +SECStatus NSS_SMIMEUtil_EnableCipher(unsigned long which, PRBool on) { unsigned long mask; @@ -149,33 +146,32 @@ NSS_SMIMEUtil_EnableCipher(unsigned long which, PRBool on) mask = which & CIPHER_FAMILYID_MASK; - PORT_Assert (mask == CIPHER_FAMILYID_SMIME); + PORT_Assert(mask == CIPHER_FAMILYID_SMIME); if (mask != CIPHER_FAMILYID_SMIME) - /* XXX set an error! */ - return SECFailure; + /* XXX set an error! */ + return SECFailure; mapi = smime_mapi_by_cipher(which); if (mapi < 0) - /* XXX set an error */ - return SECFailure; + /* XXX set an error */ + return SECFailure; /* do we try to turn on a forbidden cipher? */ if (!smime_cipher_map[mapi].allowed && on) { - PORT_SetError (SEC_ERROR_BAD_EXPORT_ALGORITHM); - return SECFailure; + PORT_SetError(SEC_ERROR_BAD_EXPORT_ALGORITHM); + return SECFailure; } if (smime_cipher_map[mapi].enabled != on) - smime_cipher_map[mapi].enabled = on; + smime_cipher_map[mapi].enabled = on; return SECSuccess; } - /* * this function locally records the export policy */ -SECStatus +SECStatus NSS_SMIMEUtil_AllowCipher(unsigned long which, PRBool on) { unsigned long mask; @@ -183,18 +179,18 @@ NSS_SMIMEUtil_AllowCipher(unsigned long which, PRBool on) mask = which & CIPHER_FAMILYID_MASK; - PORT_Assert (mask == CIPHER_FAMILYID_SMIME); + PORT_Assert(mask == CIPHER_FAMILYID_SMIME); if (mask != CIPHER_FAMILYID_SMIME) - /* XXX set an error! */ - return SECFailure; + /* XXX set an error! */ + return SECFailure; mapi = smime_mapi_by_cipher(which); if (mapi < 0) - /* XXX set an error */ - return SECFailure; + /* XXX set an error */ + return SECFailure; if (smime_cipher_map[mapi].allowed != on) - smime_cipher_map[mapi].allowed = on; + smime_cipher_map[mapi].allowed = on; return SECSuccess; } @@ -206,7 +202,8 @@ NSS_SMIMEUtil_AllowCipher(unsigned long which, PRBool on) * and return it. If no match can be made, -1 is returned. */ static SECStatus -nss_smime_get_cipher_for_alg_and_key(SECAlgorithmID *algid, PK11SymKey *key, unsigned long *cipher) +nss_smime_get_cipher_for_alg_and_key(SECAlgorithmID *algid, PK11SymKey *key, + unsigned long *cipher) { SECOidTag algtag; unsigned int keylen_bits; @@ -214,37 +211,37 @@ nss_smime_get_cipher_for_alg_and_key(SECAlgorithmID *algid, PK11SymKey *key, uns algtag = SECOID_GetAlgorithmTag(algid); switch (algtag) { - case SEC_OID_RC2_CBC: - keylen_bits = PK11_GetKeyStrength(key, algid); - switch (keylen_bits) { - case 40: - c = SMIME_RC2_CBC_40; - break; - case 64: - c = SMIME_RC2_CBC_64; - break; - case 128: - c = SMIME_RC2_CBC_128; - break; - default: - return SECFailure; - } - break; - case SEC_OID_DES_CBC: - c = SMIME_DES_CBC_56; - break; - case SEC_OID_DES_EDE3_CBC: - c = SMIME_DES_EDE3_168; - break; - case SEC_OID_AES_128_CBC: - c = SMIME_AES_CBC_128; - break; - case SEC_OID_AES_256_CBC: - c = SMIME_AES_CBC_256; - break; - default: - PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); - return SECFailure; + case SEC_OID_RC2_CBC: + keylen_bits = PK11_GetKeyStrength(key, algid); + switch (keylen_bits) { + case 40: + c = SMIME_RC2_CBC_40; + break; + case 64: + c = SMIME_RC2_CBC_64; + break; + case 128: + c = SMIME_RC2_CBC_128; + break; + default: + return SECFailure; + } + break; + case SEC_OID_DES_CBC: + c = SMIME_DES_CBC_56; + break; + case SEC_OID_DES_EDE3_CBC: + c = SMIME_DES_EDE3_168; + break; + case SEC_OID_AES_128_CBC: + c = SMIME_AES_CBC_128; + break; + case SEC_OID_AES_256_CBC: + c = SMIME_AES_CBC_256; + break; + default: + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); + return SECFailure; } *cipher = c; return SECSuccess; @@ -257,7 +254,7 @@ nss_smime_cipher_allowed(unsigned long which) mapi = smime_mapi_by_cipher(which); if (mapi < 0) - return PR_FALSE; + return PR_FALSE; return smime_cipher_map[mapi].allowed; } @@ -267,12 +264,11 @@ NSS_SMIMEUtil_DecryptionAllowed(SECAlgorithmID *algid, PK11SymKey *key) unsigned long which; if (nss_smime_get_cipher_for_alg_and_key(algid, key, &which) != SECSuccess) - return PR_FALSE; + return PR_FALSE; return nss_smime_cipher_allowed(which); } - /* * NSS_SMIME_EncryptionPossible - check if any encryption is allowed * @@ -285,8 +281,8 @@ NSS_SMIMEUtil_DecryptionAllowed(SECAlgorithmID *algid, PK11SymKey *key) * * It takes no arguments. The return value is a simple boolean: * PR_TRUE means encryption (or decryption) is *possible* - * (but may still fail due to other reasons, like because we cannot - * find all the necessary certs, etc.; PR_TRUE is *not* a guarantee) + * (but may still fail due to other reasons, like because we cannot + * find all the necessary certs, etc.; PR_TRUE is *not* a guarantee) * PR_FALSE means encryption (or decryption) is not permitted * * There are no errors from this routine. @@ -297,13 +293,12 @@ NSS_SMIMEUtil_EncryptionPossible(void) int i; for (i = 0; i < smime_cipher_map_count; i++) { - if (smime_cipher_map[i].allowed) - return PR_TRUE; + if (smime_cipher_map[i].allowed) + return PR_TRUE; } return PR_FALSE; } - static int nss_SMIME_FindCipherForSMIMECap(NSSSMIMECapability *cap) { @@ -315,32 +310,31 @@ nss_SMIME_FindCipherForSMIMECap(NSSSMIMECapability *cap) /* go over all the SMIME ciphers we know and see if we find a match */ for (i = 0; i < smime_cipher_map_count; i++) { - if (smime_cipher_map[i].algtag != capIDTag) - continue; - /* - * XXX If SECITEM_CompareItem allowed NULLs as arguments (comparing - * 2 NULLs as equal and NULL and non-NULL as not equal), we could - * use that here instead of all of the following comparison code. - */ - if (!smime_cipher_map[i].parms) { - if (!cap->parameters.data || !cap->parameters.len) - break; /* both empty: bingo */ - if (cap->parameters.len == 2 && - cap->parameters.data[0] == SEC_ASN1_NULL && - cap->parameters.data[1] == 0) - break; /* DER NULL == NULL, bingo */ - } else if (cap->parameters.data != NULL && - cap->parameters.len == smime_cipher_map[i].parms->len && - PORT_Memcmp (cap->parameters.data, smime_cipher_map[i].parms->data, - cap->parameters.len) == 0) - { - break; /* both not empty, same length & equal content: bingo */ - } + if (smime_cipher_map[i].algtag != capIDTag) + continue; + /* + * XXX If SECITEM_CompareItem allowed NULLs as arguments (comparing + * 2 NULLs as equal and NULL and non-NULL as not equal), we could + * use that here instead of all of the following comparison code. + */ + if (!smime_cipher_map[i].parms) { + if (!cap->parameters.data || !cap->parameters.len) + break; /* both empty: bingo */ + if (cap->parameters.len == 2 && + cap->parameters.data[0] == SEC_ASN1_NULL && + cap->parameters.data[1] == 0) + break; /* DER NULL == NULL, bingo */ + } else if (cap->parameters.data != NULL && + cap->parameters.len == smime_cipher_map[i].parms->len && + PORT_Memcmp(cap->parameters.data, smime_cipher_map[i].parms->data, + cap->parameters.len) == 0) { + break; /* both not empty, same length & equal content: bingo */ + } } if (i == smime_cipher_map_count) - return 0; /* no match found */ - return smime_cipher_map[i].cipher; /* match found, point to cipher */ + return 0; /* no match found */ + return smime_cipher_map[i].cipher; /* match found, point to cipher */ } /* @@ -363,145 +357,144 @@ smime_choose_cipher(CERTCertificate *scert, CERTCertificate **rcerts) int aes256_mapi; int rcount, mapi, max, i; - chosen_cipher = SMIME_RC2_CBC_40; /* the default, LCD */ + chosen_cipher = SMIME_RC2_CBC_40; /* the default, LCD */ weak_mapi = smime_mapi_by_cipher(chosen_cipher); aes128_mapi = smime_mapi_by_cipher(SMIME_AES_CBC_128); aes256_mapi = smime_mapi_by_cipher(SMIME_AES_CBC_256); - poolp = PORT_NewArena (1024); /* XXX what is right value? */ + poolp = PORT_NewArena(1024); /* XXX what is right value? */ if (poolp == NULL) - goto done; + goto done; cipher_abilities = (int *)PORT_ArenaZAlloc(poolp, smime_cipher_map_count * sizeof(int)); - cipher_votes = (int *)PORT_ArenaZAlloc(poolp, smime_cipher_map_count * sizeof(int)); + cipher_votes = (int *)PORT_ArenaZAlloc(poolp, smime_cipher_map_count * sizeof(int)); if (cipher_votes == NULL || cipher_abilities == NULL) - goto done; + goto done; /* Make triple-DES the strong cipher. */ - strong_mapi = smime_mapi_by_cipher (SMIME_DES_EDE3_168); + strong_mapi = smime_mapi_by_cipher(SMIME_DES_EDE3_168); /* walk all the recipient's certs */ for (rcount = 0; rcerts[rcount] != NULL; rcount++) { - SECItem *profile; - NSSSMIMECapability **caps; - int pref; - - /* the first cipher that matches in the user's SMIME profile gets - * "smime_cipher_map_count" votes; the next one gets "smime_cipher_map_count" - 1 - * and so on. If every cipher matches, the last one gets 1 (one) vote */ - pref = smime_cipher_map_count; - - /* find recipient's SMIME profile */ - profile = CERT_FindSMimeProfile(rcerts[rcount]); - - if (profile != NULL && profile->data != NULL && profile->len > 0) { - /* we have a profile (still DER-encoded) */ - caps = NULL; - /* decode it */ - if (SEC_QuickDERDecodeItem(poolp, &caps, - NSSSMIMECapabilitiesTemplate, profile) == SECSuccess && - caps != NULL) - { - /* walk the SMIME capabilities for this recipient */ - for (i = 0; caps[i] != NULL; i++) { - cipher = nss_SMIME_FindCipherForSMIMECap(caps[i]); - mapi = smime_mapi_by_cipher(cipher); - if (mapi >= 0) { - /* found the cipher */ - cipher_abilities[mapi]++; - cipher_votes[mapi] += pref; - --pref; - } - } - } - } else { - /* no profile found - so we can only assume that the user can do - * the mandatory algorithms which are RC2-40 (weak crypto) and - * 3DES (strong crypto), unless the user has an elliptic curve - * key. For elliptic curve keys, RFC 5753 mandates support - * for AES 128 CBC. */ - SECKEYPublicKey *key; - unsigned int pklen_bits; - KeyType key_type; - - /* - * if recipient's public key length is > 512, vote for a strong cipher - * please not that the side effect of this is that if only one recipient - * has an export-level public key, the strong cipher is disabled. - * - * XXX This is probably only good for RSA keys. What I would - * really like is a function to just say; Is the public key in - * this cert an export-length key? Then I would not have to - * know things like the value 512, or the kind of key, or what - * a subjectPublicKeyInfo is, etc. - */ - key = CERT_ExtractPublicKey(rcerts[rcount]); - pklen_bits = 0; - key_type = nullKey; - if (key != NULL) { - pklen_bits = SECKEY_PublicKeyStrengthInBits (key); - key_type = SECKEY_GetPublicKeyType(key); - SECKEY_DestroyPublicKey (key); - key = NULL; - } - - if (key_type == ecKey) { - /* While RFC 5753 mandates support for AES-128 CBC, should use - * AES 256 if user's key provides more than 128 bits of - * security strength so that symmetric key is not weak link. */ - - /* RC2-40 is not compatible with elliptic curve keys. */ - chosen_cipher = SMIME_DES_EDE3_168; - if (pklen_bits > 256) { - cipher_abilities[aes256_mapi]++; - cipher_votes[aes256_mapi] += pref; - pref--; - } - cipher_abilities[aes128_mapi]++; - cipher_votes[aes128_mapi] += pref; - pref--; - cipher_abilities[strong_mapi]++; - cipher_votes[strong_mapi] += pref; - pref--; - } else { - if (pklen_bits > 512) { - /* cast votes for the strong algorithm */ - cipher_abilities[strong_mapi]++; - cipher_votes[strong_mapi] += pref; - pref--; - } - - /* always cast (possibly less) votes for the weak algorithm */ - cipher_abilities[weak_mapi]++; - cipher_votes[weak_mapi] += pref; - } - } - if (profile != NULL) - SECITEM_FreeItem(profile, PR_TRUE); + SECItem *profile; + NSSSMIMECapability **caps; + int pref; + + /* the first cipher that matches in the user's SMIME profile gets + * "smime_cipher_map_count" votes; the next one gets "smime_cipher_map_count" - 1 + * and so on. If every cipher matches, the last one gets 1 (one) vote */ + pref = smime_cipher_map_count; + + /* find recipient's SMIME profile */ + profile = CERT_FindSMimeProfile(rcerts[rcount]); + + if (profile != NULL && profile->data != NULL && profile->len > 0) { + /* we have a profile (still DER-encoded) */ + caps = NULL; + /* decode it */ + if (SEC_QuickDERDecodeItem(poolp, &caps, + NSSSMIMECapabilitiesTemplate, profile) == SECSuccess && + caps != NULL) { + /* walk the SMIME capabilities for this recipient */ + for (i = 0; caps[i] != NULL; i++) { + cipher = nss_SMIME_FindCipherForSMIMECap(caps[i]); + mapi = smime_mapi_by_cipher(cipher); + if (mapi >= 0) { + /* found the cipher */ + cipher_abilities[mapi]++; + cipher_votes[mapi] += pref; + --pref; + } + } + } + } else { + /* no profile found - so we can only assume that the user can do + * the mandatory algorithms which are RC2-40 (weak crypto) and + * 3DES (strong crypto), unless the user has an elliptic curve + * key. For elliptic curve keys, RFC 5753 mandates support + * for AES 128 CBC. */ + SECKEYPublicKey *key; + unsigned int pklen_bits; + KeyType key_type; + + /* + * if recipient's public key length is > 512, vote for a strong cipher + * please not that the side effect of this is that if only one recipient + * has an export-level public key, the strong cipher is disabled. + * + * XXX This is probably only good for RSA keys. What I would + * really like is a function to just say; Is the public key in + * this cert an export-length key? Then I would not have to + * know things like the value 512, or the kind of key, or what + * a subjectPublicKeyInfo is, etc. + */ + key = CERT_ExtractPublicKey(rcerts[rcount]); + pklen_bits = 0; + key_type = nullKey; + if (key != NULL) { + pklen_bits = SECKEY_PublicKeyStrengthInBits(key); + key_type = SECKEY_GetPublicKeyType(key); + SECKEY_DestroyPublicKey(key); + key = NULL; + } + + if (key_type == ecKey) { + /* While RFC 5753 mandates support for AES-128 CBC, should use + * AES 256 if user's key provides more than 128 bits of + * security strength so that symmetric key is not weak link. */ + + /* RC2-40 is not compatible with elliptic curve keys. */ + chosen_cipher = SMIME_DES_EDE3_168; + if (pklen_bits > 256) { + cipher_abilities[aes256_mapi]++; + cipher_votes[aes256_mapi] += pref; + pref--; + } + cipher_abilities[aes128_mapi]++; + cipher_votes[aes128_mapi] += pref; + pref--; + cipher_abilities[strong_mapi]++; + cipher_votes[strong_mapi] += pref; + pref--; + } else { + if (pklen_bits > 512) { + /* cast votes for the strong algorithm */ + cipher_abilities[strong_mapi]++; + cipher_votes[strong_mapi] += pref; + pref--; + } + + /* always cast (possibly less) votes for the weak algorithm */ + cipher_abilities[weak_mapi]++; + cipher_votes[weak_mapi] += pref; + } + } + if (profile != NULL) + SECITEM_FreeItem(profile, PR_TRUE); } /* find cipher that is agreeable by all recipients and that has the most votes */ max = 0; for (mapi = 0; mapi < smime_cipher_map_count; mapi++) { - /* if not all of the recipients can do this, forget it */ - if (cipher_abilities[mapi] != rcount) - continue; - /* if cipher is not enabled or not allowed by policy, forget it */ - if (!smime_cipher_map[mapi].enabled || !smime_cipher_map[mapi].allowed) - continue; - /* now see if this one has more votes than the last best one */ - if (cipher_votes[mapi] >= max) { - /* if equal number of votes, prefer the ones further down in the list */ - /* with the expectation that these are higher rated ciphers */ - chosen_cipher = smime_cipher_map[mapi].cipher; - max = cipher_votes[mapi]; - } + /* if not all of the recipients can do this, forget it */ + if (cipher_abilities[mapi] != rcount) + continue; + /* if cipher is not enabled or not allowed by policy, forget it */ + if (!smime_cipher_map[mapi].enabled || !smime_cipher_map[mapi].allowed) + continue; + /* now see if this one has more votes than the last best one */ + if (cipher_votes[mapi] >= max) { + /* if equal number of votes, prefer the ones further down in the list */ + /* with the expectation that these are higher rated ciphers */ + chosen_cipher = smime_cipher_map[mapi].cipher; + max = cipher_votes[mapi]; + } } - /* if no common cipher was found, chosen_cipher stays at the default */ +/* if no common cipher was found, chosen_cipher stays at the default */ done: if (poolp != NULL) - PORT_FreeArena (poolp, PR_FALSE); + PORT_FreeArena(poolp, PR_FALSE); return chosen_cipher; } @@ -512,35 +505,35 @@ done: * looking up the keysize is not going to be sufficient. */ static int -smime_keysize_by_cipher (unsigned long which) +smime_keysize_by_cipher(unsigned long which) { int keysize; switch (which) { - case SMIME_RC2_CBC_40: - keysize = 40; - break; - case SMIME_RC2_CBC_64: - keysize = 64; - break; - case SMIME_RC2_CBC_128: - case SMIME_AES_CBC_128: - keysize = 128; - break; - case SMIME_AES_CBC_256: - keysize = 256; - break; - case SMIME_DES_CBC_56: - case SMIME_DES_EDE3_168: - /* - * These are special; since the key size is fixed, we actually - * want to *avoid* specifying a key size. - */ - keysize = 0; - break; - default: - keysize = -1; - break; + case SMIME_RC2_CBC_40: + keysize = 40; + break; + case SMIME_RC2_CBC_64: + keysize = 64; + break; + case SMIME_RC2_CBC_128: + case SMIME_AES_CBC_128: + keysize = 128; + break; + case SMIME_AES_CBC_256: + keysize = 256; + break; + case SMIME_DES_CBC_56: + case SMIME_DES_EDE3_168: + /* + * These are special; since the key size is fixed, we actually + * want to *avoid* specifying a key size. + */ + keysize = 0; + break; + default: + keysize = -1; + break; } return keysize; @@ -553,7 +546,8 @@ smime_keysize_by_cipher (unsigned long which) * prevented a strong cipher from being used... */ SECStatus -NSS_SMIMEUtil_FindBulkAlgForRecipients(CERTCertificate **rcerts, SECOidTag *bulkalgtag, int *keysize) +NSS_SMIMEUtil_FindBulkAlgForRecipients(CERTCertificate **rcerts, + SECOidTag *bulkalgtag, int *keysize) { unsigned long cipher; int mapi; @@ -591,10 +585,9 @@ NSS_SMIMEUtil_CreateSMIMECapabilities(PLArenaPool *poolp, SECItem *dest) /* if we have an old NSSSMIMECapability array, we'll reuse it (has the right size) */ /* smime_cipher_map_count + 1 is an upper bound - we might end up with less */ - smime_capabilities = (NSSSMIMECapability **)PORT_ZAlloc((smime_cipher_map_count + 1) - * sizeof(NSSSMIMECapability *)); + smime_capabilities = (NSSSMIMECapability **)PORT_ZAlloc((smime_cipher_map_count + 1) * sizeof(NSSSMIMECapability *)); if (smime_capabilities == NULL) - return SECFailure; + return SECFailure; capIndex = 0; @@ -603,38 +596,38 @@ NSS_SMIMEUtil_CreateSMIMECapabilities(PLArenaPool *poolp, SECItem *dest) * we prefer the stronger cipher over a weaker one, and we have to list the * preferred algorithm first */ for (i = smime_cipher_map_count - 1; i >= 0; i--) { - /* Find the corresponding entry in the cipher map. */ - map = &(smime_cipher_map[i]); - if (!map->enabled) - continue; - - /* get next SMIME capability */ - cap = (NSSSMIMECapability *)PORT_ZAlloc(sizeof(NSSSMIMECapability)); - if (cap == NULL) - break; - smime_capabilities[capIndex++] = cap; - - oiddata = SECOID_FindOIDByTag(map->algtag); - if (oiddata == NULL) - break; - - cap->capabilityID.data = oiddata->oid.data; - cap->capabilityID.len = oiddata->oid.len; - cap->parameters.data = map->parms ? map->parms->data : NULL; - cap->parameters.len = map->parms ? map->parms->len : 0; - cap->cipher = smime_cipher_map[i].cipher; + /* Find the corresponding entry in the cipher map. */ + map = &(smime_cipher_map[i]); + if (!map->enabled) + continue; + + /* get next SMIME capability */ + cap = (NSSSMIMECapability *)PORT_ZAlloc(sizeof(NSSSMIMECapability)); + if (cap == NULL) + break; + smime_capabilities[capIndex++] = cap; + + oiddata = SECOID_FindOIDByTag(map->algtag); + if (oiddata == NULL) + break; + + cap->capabilityID.data = oiddata->oid.data; + cap->capabilityID.len = oiddata->oid.len; + cap->parameters.data = map->parms ? map->parms->data : NULL; + cap->parameters.len = map->parms ? map->parms->len : 0; + cap->cipher = smime_cipher_map[i].cipher; } /* XXX add signature algorithms */ /* XXX add key encipherment algorithms */ - smime_capabilities[capIndex] = NULL; /* last one - now encode */ + smime_capabilities[capIndex] = NULL; /* last one - now encode */ dummy = SEC_ASN1EncodeItem(poolp, dest, &smime_capabilities, NSSSMIMECapabilitiesTemplate); /* now that we have the proper encoded SMIMECapabilities (or not), * free the work data */ for (i = 0; smime_capabilities[i] != NULL; i++) - PORT_Free(smime_capabilities[i]); + PORT_Free(smime_capabilities[i]); PORT_Free(smime_capabilities); return (dummy == NULL) ? SECFailure : SECSuccess; @@ -656,22 +649,23 @@ NSS_SMIMEUtil_CreateSMIMEEncKeyPrefs(PLArenaPool *poolp, SECItem *dest, CERTCert PLArenaPool *tmppoolp = NULL; if (cert == NULL) - goto loser; + goto loser; tmppoolp = PORT_NewArena(1024); if (tmppoolp == NULL) - goto loser; + goto loser; /* XXX hardcoded IssuerSN choice for now */ ekp.selector = NSSSMIMEEncryptionKeyPref_IssuerSN; ekp.id.issuerAndSN = CERT_GetCertIssuerAndSN(tmppoolp, cert); if (ekp.id.issuerAndSN == NULL) - goto loser; + goto loser; dummy = SEC_ASN1EncodeItem(poolp, dest, &ekp, smime_encryptionkeypref_template); loser: - if (tmppoolp) PORT_FreeArena(tmppoolp, PR_FALSE); + if (tmppoolp) + PORT_FreeArena(tmppoolp, PR_FALSE); return (dummy == NULL) ? SECFailure : SECSuccess; } @@ -692,27 +686,28 @@ NSS_SMIMEUtil_CreateMSSMIMEEncKeyPrefs(PLArenaPool *poolp, SECItem *dest, CERTCe CERTIssuerAndSN *isn; if (cert == NULL) - goto loser; + goto loser; tmppoolp = PORT_NewArena(1024); if (tmppoolp == NULL) - goto loser; + goto loser; isn = CERT_GetCertIssuerAndSN(tmppoolp, cert); if (isn == NULL) - goto loser; + goto loser; dummy = SEC_ASN1EncodeItem(poolp, dest, isn, SEC_ASN1_GET(CERT_IssuerAndSNTemplate)); loser: - if (tmppoolp) PORT_FreeArena(tmppoolp, PR_FALSE); + if (tmppoolp) + PORT_FreeArena(tmppoolp, PR_FALSE); return (dummy == NULL) ? SECFailure : SECSuccess; } /* * NSS_SMIMEUtil_GetCertFromEncryptionKeyPreference - - * find cert marked by EncryptionKeyPreference attribute + * find cert marked by EncryptionKeyPreference attribute * * "certdb" - handle for the cert database to look in * "DERekp" - DER-encoded value of S/MIME Encryption Key Preference attribute @@ -729,27 +724,28 @@ NSS_SMIMEUtil_GetCertFromEncryptionKeyPreference(CERTCertDBHandle *certdb, SECIt tmppoolp = PORT_NewArena(1024); if (tmppoolp == NULL) - return NULL; + return NULL; /* decode DERekp */ if (SEC_QuickDERDecodeItem(tmppoolp, &ekp, smime_encryptionkeypref_template, DERekp) != SECSuccess) - goto loser; + goto loser; /* find cert */ switch (ekp.selector) { - case NSSSMIMEEncryptionKeyPref_IssuerSN: - cert = CERT_FindCertByIssuerAndSN(certdb, ekp.id.issuerAndSN); - break; - case NSSSMIMEEncryptionKeyPref_RKeyID: - case NSSSMIMEEncryptionKeyPref_SubjectKeyID: - /* XXX not supported yet - we need to be able to look up certs by SubjectKeyID */ - break; - default: - PORT_Assert(0); + case NSSSMIMEEncryptionKeyPref_IssuerSN: + cert = CERT_FindCertByIssuerAndSN(certdb, ekp.id.issuerAndSN); + break; + case NSSSMIMEEncryptionKeyPref_RKeyID: + case NSSSMIMEEncryptionKeyPref_SubjectKeyID: + /* XXX not supported yet - we need to be able to look up certs by SubjectKeyID */ + break; + default: + PORT_Assert(0); } loser: - if (tmppoolp) PORT_FreeArena(tmppoolp, PR_FALSE); + if (tmppoolp) + PORT_FreeArena(tmppoolp, PR_FALSE); return cert; } |