#include <Security/SecCmsSignerInfo.h>
#include "SecSMIMEPriv.h"
#include "cmslocal.h"
#include "cert.h"
#include "SecAsn1Item.h"
#include "secoid.h"
#include "cryptohi.h"
#include <security_asn1/secasn1.h>
#include <security_asn1/secerr.h>
#include <security_asn1/secport.h>
#if USE_CDSA_CRYPTO
#include <Security/SecKeychain.h>
#endif
#include <Security/SecIdentity.h>
#include <Security/SecCertificateInternal.h>
#include <Security/SecInternal.h>
#include <Security/SecKeyPriv.h>
#include <utilities/SecCFWrappers.h>
#include <CoreFoundation/CFTimeZone.h>
#include <Security/SecBasePriv.h>
#include <Security/SecItem.h>
#define HIDIGIT(v) (((v) / 10) + '0')
#define LODIGIT(v) (((v) % 10) + '0')
#define ISDIGIT(dig) (((dig) >= '0') && ((dig) <= '9'))
#define CAPTURE(var,p,label) \
{ \
if (!ISDIGIT((p)[0]) || !ISDIGIT((p)[1])) goto label; \
(var) = ((p)[0] - '0') * 10 + ((p)[1] - '0'); \
}
static OSStatus
DER_UTCTimeToCFDate(const SecAsn1Item * utcTime, CFAbsoluteTime *date)
{
char *string = (char *)utcTime->Data;
int year, month, mday, hour, minute, second, hourOff, minOff;
second = 0;
hourOff = 0;
minOff = 0;
CAPTURE(year,string+0,loser);
if (year < 50) {
year += 2000;
} else {
year += 1900;
}
CAPTURE(month,string+2,loser);
if ((month == 0) || (month > 12)) goto loser;
CAPTURE(mday,string+4,loser);
if ((mday == 0) || (mday > 31)) goto loser;
CAPTURE(hour,string+6,loser);
if (hour > 23) goto loser;
CAPTURE(minute,string+8,loser);
if (minute > 59) goto loser;
if (ISDIGIT(string[10])) {
CAPTURE(second,string+10,loser);
if (second > 59) goto loser;
string += 2;
}
if (string[10] == '+') {
CAPTURE(hourOff,string+11,loser);
if (hourOff > 23) goto loser;
CAPTURE(minOff,string+13,loser);
if (minOff > 59) goto loser;
} else if (string[10] == '-') {
CAPTURE(hourOff,string+11,loser);
if (hourOff > 23) goto loser;
hourOff = -hourOff;
CAPTURE(minOff,string+13,loser);
if (minOff > 59) goto loser;
minOff = -minOff;
} else if (string[10] != 'Z') {
goto loser;
}
if (hourOff == 0 && minOff == 0) {
*date = CFAbsoluteTimeForGregorianZuluMoment(year, month, mday, hour, minute, second);
} else {
CFTimeZoneRef tz = CFTimeZoneCreateWithTimeIntervalFromGMT(kCFAllocatorDefault, (hourOff * 60 + minOff) * 60);
*date = CFAbsoluteTimeForGregorianMoment(tz, year, month, mday, hour, minute, second);
CFReleaseSafe(tz);
}
return SECSuccess;
loser:
return SECFailure;
}
static OSStatus
DER_CFDateToUTCTime(CFAbsoluteTime date, SecAsn1Item * utcTime)
{
unsigned char *d;
utcTime->Length = 13;
utcTime->Data = d = PORT_Alloc(13);
if (!utcTime->Data)
return SECFailure;
__block int year = 0, month = 0, day = 0, hour = 0, minute = 0, second = 0;
__block bool result;
SecCFCalendarDoWithZuluCalendar(^(CFCalendarRef zuluCalendar) {
result = CFCalendarDecomposeAbsoluteTime(zuluCalendar, date, "yMdHms", &year, &month, &day, &hour, &minute, &second);
});
if (!result)
return SECFailure;
if (year < 1950)
return SECFailure;
year %= 100;
d[0] = HIDIGIT(year);
d[1] = LODIGIT(year);
d[2] = HIDIGIT(month);
d[3] = LODIGIT(month);
d[4] = HIDIGIT(day);
d[5] = LODIGIT(day);
d[6] = HIDIGIT(hour);
d[7] = LODIGIT(hour);
d[8] = HIDIGIT(minute);
d[9] = LODIGIT(minute);
d[10] = HIDIGIT(second);
d[11] = LODIGIT(second);
d[12] = 'Z';
return SECSuccess;
}
SecCmsSignerInfoRef
nss_cmssignerinfo_create(SecCmsSignedDataRef sigd, SecCmsSignerIDSelector type, SecCertificateRef cert, const SecAsn1Item *subjKeyID, SecPublicKeyRef pubKey, SecPrivateKeyRef signingKey, SECOidTag digestalgtag);
SecCmsSignerInfoRef
SecCmsSignerInfoCreateWithSubjKeyID(SecCmsSignedDataRef sigd, const SecAsn1Item *subjKeyID, SecPublicKeyRef pubKey, SecPrivateKeyRef signingKey, SECOidTag digestalgtag)
{
return nss_cmssignerinfo_create(sigd, SecCmsSignerIDSubjectKeyID, NULL, subjKeyID, pubKey, signingKey, digestalgtag);
}
SecCmsSignerInfoRef
SecCmsSignerInfoCreate(SecCmsSignedDataRef sigd, SecIdentityRef identity, SECOidTag digestalgtag)
{
SecCmsSignerInfoRef signerInfo = NULL;
SecCertificateRef cert = NULL;
SecPrivateKeyRef signingKey = NULL;
CFDictionaryRef keyAttrs = NULL;
if (SecIdentityCopyCertificate(identity, &cert))
goto loser;
if (SecIdentityCopyPrivateKey(identity, &signingKey))
goto loser;
keyAttrs = SecKeyCopyAttributes(signingKey);
if (!keyAttrs)
goto loser;
CFTypeRef class = CFDictionaryGetValue(keyAttrs, kSecAttrKeyClass);
if (!class || (CFGetTypeID(class) != CFStringGetTypeID()) || !CFEqual(class, kSecAttrKeyClassPrivate)) {
goto loser;
}
signerInfo = nss_cmssignerinfo_create(sigd, SecCmsSignerIDIssuerSN, cert, NULL, NULL, signingKey, digestalgtag);
loser:
if (cert)
CFRelease(cert);
if (signingKey)
CFRelease(signingKey);
if (keyAttrs)
CFRelease(keyAttrs);
return signerInfo;
}
SecCmsSignerInfoRef
nss_cmssignerinfo_create(SecCmsSignedDataRef sigd, SecCmsSignerIDSelector type, SecCertificateRef cert, const SecAsn1Item *subjKeyID, SecPublicKeyRef pubKey, SecPrivateKeyRef signingKey, SECOidTag digestalgtag)
{
void *mark;
SecCmsSignerInfoRef signerinfo;
int version;
PLArenaPool *poolp;
poolp = sigd->contentInfo.cmsg->poolp;
mark = PORT_ArenaMark(poolp);
signerinfo = (SecCmsSignerInfoRef)PORT_ArenaZAlloc(poolp, sizeof(SecCmsSignerInfo));
if (signerinfo == NULL) {
PORT_ArenaRelease(poolp, mark);
return NULL;
}
signerinfo->signedData = sigd;
switch(type) {
case SecCmsSignerIDIssuerSN:
signerinfo->signerIdentifier.identifierType = SecCmsSignerIDIssuerSN;
if ((signerinfo->cert = CERT_DupCertificate(cert)) == NULL)
goto loser;
if ((signerinfo->signerIdentifier.id.issuerAndSN = CERT_GetCertIssuerAndSN(poolp, cert)) == NULL)
goto loser;
break;
case SecCmsSignerIDSubjectKeyID:
signerinfo->signerIdentifier.identifierType = SecCmsSignerIDSubjectKeyID;
PORT_Assert(subjKeyID);
if (!subjKeyID)
goto loser;
signerinfo->signerIdentifier.id.subjectKeyID = PORT_ArenaNew(poolp, SecAsn1Item);
if (SECITEM_CopyItem(poolp, signerinfo->signerIdentifier.id.subjectKeyID,
subjKeyID)) {
goto loser;
}
signerinfo->pubKey = SECKEY_CopyPublicKey(pubKey);
if (!signerinfo->pubKey)
goto loser;
break;
default:
goto loser;
}
if (!signingKey)
goto loser;
signerinfo->signingKey = SECKEY_CopyPrivateKey(signingKey);
if (!signerinfo->signingKey)
goto loser;
version = SEC_CMS_SIGNER_INFO_VERSION_ISSUERSN;
if (signerinfo->signerIdentifier.identifierType == SecCmsSignerIDSubjectKeyID)
version = SEC_CMS_SIGNER_INFO_VERSION_SUBJKEY;
(void)SEC_ASN1EncodeInteger(poolp, &(signerinfo->version), (long)version);
if (SECOID_SetAlgorithmID(poolp, &signerinfo->digestAlg, digestalgtag, NULL) != SECSuccess)
goto loser;
if (SecCmsSignedDataAddSignerInfo(sigd, signerinfo))
goto loser;
PORT_ArenaUnmark(poolp, mark);
return signerinfo;
loser:
PORT_ArenaRelease(poolp, mark);
return NULL;
}
void
SecCmsSignerInfoDestroy(SecCmsSignerInfoRef si)
{
if (si->cert != NULL) {
CERT_DestroyCertificate(si->cert);
}
if (si->certList != NULL) {
CFRelease(si->certList);
}
if (si->hashAgilityAttrValue != NULL) {
CFRelease(si->hashAgilityAttrValue);
}
if (si->hashAgilityV2AttrValues != NULL) {
CFRelease(si->hashAgilityV2AttrValues);
}
}
static SecAsn1AlgId SecCertificateGetPublicKeyAlgorithmID(SecCertificateRef cert)
{
const DERAlgorithmId *length_data_swapped = SecCertificateGetPublicKeyAlgorithm(cert);
SecAsn1AlgId temp = {
{ length_data_swapped->oid.length, length_data_swapped->oid.data },
{ length_data_swapped->params.length, length_data_swapped->params.data } };
return temp;
}
OSStatus
SecCmsSignerInfoSign(SecCmsSignerInfoRef signerinfo, SecAsn1Item * digest, SecAsn1Item * contentType)
{
SecCertificateRef cert;
SecPrivateKeyRef privkey = NULL;
SECOidTag digestalgtag;
SECOidTag pubkAlgTag;
SecAsn1Item signature = { 0 };
OSStatus rv;
PLArenaPool *poolp, *tmppoolp = NULL;
const SECAlgorithmID *algID = NULL;
PORT_Assert (digest != NULL);
poolp = signerinfo->signedData->contentInfo.cmsg->poolp;
SecAsn1AlgId _algID;
switch (signerinfo->signerIdentifier.identifierType) {
case SecCmsSignerIDIssuerSN:
privkey = signerinfo->signingKey;
signerinfo->signingKey = NULL;
cert = signerinfo->cert;
#if USE_CDSA_CRYPTO
if (SecCertificateGetAlgorithmID(cert,&algID)) {
PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
goto loser;
}
#else
_algID = SecCertificateGetPublicKeyAlgorithmID(cert);
algID = &_algID;
#endif
break;
case SecCmsSignerIDSubjectKeyID:
privkey = signerinfo->signingKey;
signerinfo->signingKey = NULL;
#if 0
spki = SECKEY_CreateSubjectPublicKeyInfo(signerinfo->pubKey);
SECKEY_DestroyPublicKey(signerinfo->pubKey);
signerinfo->pubKey = NULL;
SECOID_CopyAlgorithmID(NULL, &freeAlgID, &spki->algorithm);
SECKEY_DestroySubjectPublicKeyInfo(spki);
algID = &freeAlgID;
#else
#if USE_CDSA_CRYPTO
if (SecKeyGetAlgorithmID(signerinfo->pubKey,&algID)) {
PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
goto loser;
}
#endif
#endif
CFRelease(signerinfo->pubKey);
signerinfo->pubKey = NULL;
break;
default:
PORT_SetError(SEC_ERROR_UNSUPPORTED_MESSAGE_TYPE);
goto loser;
}
digestalgtag = SecCmsSignerInfoGetDigestAlgTag(signerinfo);
pubkAlgTag = SECOID_GetAlgorithmTag(algID);
if (digestalgtag == SEC_OID_MD5) {
PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
goto loser;
}
#if USE_CDSA_CRYPTO
if (signerinfo->signerIdentifier.identifierType == SecCmsSignerIDSubjectKeyID) {
SECOID_DestroyAlgorithmID(&freeAlgID, PR_FALSE);
}
#endif
#if 0
pubkAlgTag = PK11_FortezzaMapSig(pubkAlgTag);
#endif
if (signerinfo->authAttr != NULL) {
SecAsn1Item encoded_attrs;
rv = SecCmsAttributeArraySetAttr(poolp, &(signerinfo->authAttr),
SEC_OID_PKCS9_MESSAGE_DIGEST, digest, PR_FALSE);
if (rv != SECSuccess)
goto loser;
if (contentType != NULL) {
rv = SecCmsAttributeArraySetAttr(poolp, &(signerinfo->authAttr),
SEC_OID_PKCS9_CONTENT_TYPE, contentType, PR_FALSE);
if (rv != SECSuccess)
goto loser;
}
if ((tmppoolp = PORT_NewArena (1024)) == NULL) {
PORT_SetError(SEC_ERROR_NO_MEMORY);
goto loser;
}
if (SecCmsAttributeArrayReorder(signerinfo->authAttr) != SECSuccess)
goto loser;
encoded_attrs.Data = NULL;
encoded_attrs.Length = 0;
if (SecCmsAttributeArrayEncode(tmppoolp, &(signerinfo->authAttr),
&encoded_attrs) == NULL)
goto loser;
#if USE_CDSA_CRYPTO
rv = SEC_SignData(&signature, encoded_attrs.Data, encoded_attrs.Length,
privkey, digestalgtag, pubkAlgTag);
#else
signature.Length = SecKeyGetSize(privkey, kSecKeySignatureSize);
signature.Data = PORT_ZAlloc(signature.Length);
if (!signature.Data) {
signature.Length = 0;
goto loser;
}
rv = SecKeyDigestAndSign(privkey, &signerinfo->digestAlg, encoded_attrs.Data, encoded_attrs.Length, signature.Data, &signature.Length);
if (rv) {
PORT_ZFree(signature.Data, signature.Length);
signature.Length = 0;
}
#endif
PORT_FreeArena(tmppoolp, PR_FALSE);
tmppoolp = 0;
} else {
signature.Length = SecKeyGetSize(privkey, kSecKeySignatureSize);
signature.Data = PORT_ZAlloc(signature.Length);
if (!signature.Data) {
signature.Length = 0;
goto loser;
}
rv = SecKeySignDigest(privkey, &signerinfo->digestAlg, digest->Data, digest->Length,
signature.Data, &signature.Length);
if (rv) {
PORT_ZFree(signature.Data, signature.Length);
signature.Length = 0;
}
}
SECKEY_DestroyPrivateKey(privkey);
privkey = NULL;
if (rv != SECSuccess)
goto loser;
if (SECITEM_CopyItem(poolp, &(signerinfo->encDigest), &signature)
!= SECSuccess)
goto loser;
SECITEM_FreeItem(&signature, PR_FALSE);
if (SECOID_SetAlgorithmID(poolp, &(signerinfo->digestEncAlg), pubkAlgTag,
NULL) != SECSuccess)
goto loser;
return SECSuccess;
loser:
if (signature.Length != 0)
SECITEM_FreeItem (&signature, PR_FALSE);
if (privkey)
SECKEY_DestroyPrivateKey(privkey);
if (tmppoolp)
PORT_FreeArena(tmppoolp, PR_FALSE);
return SECFailure;
}
#if !USE_CDSA_CRYPTO
static CFArrayRef
SecCmsSignerInfoCopySigningCertificates(SecCmsSignerInfoRef signerinfo)
{
CFMutableArrayRef certs = CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks);
SecAsn1Item **cert_datas = signerinfo->signedData->rawCerts;
SecAsn1Item *cert_data;
if (cert_datas) while ((cert_data = *cert_datas) != NULL) {
SecCertificateRef cert = SecCertificateCreateWithBytes(NULL, cert_data->Data, cert_data->Length);
if (cert) {
switch (signerinfo->signerIdentifier.identifierType) {
case SecCmsSignerIDIssuerSN:
if (CERT_CheckIssuerAndSerial(cert,
&(signerinfo->signerIdentifier.id.issuerAndSN->derIssuer),
&(signerinfo->signerIdentifier.id.issuerAndSN->serialNumber)))
CFArrayInsertValueAtIndex(certs, 0, cert);
else
CFArrayAppendValue(certs, cert);
break;
case SecCmsSignerIDSubjectKeyID:
{
CFDataRef cert_keyid = SecCertificateGetSubjectKeyID(cert);
SecAsn1Item *tbf_keyid = signerinfo->signerIdentifier.id.subjectKeyID;
if (tbf_keyid->Length == (size_t)CFDataGetLength(cert_keyid) &&
!memcmp(tbf_keyid->Data, CFDataGetBytePtr(cert_keyid), tbf_keyid->Length))
CFArrayInsertValueAtIndex(certs, 0, cert);
else
CFArrayAppendValue(certs, cert);
break;
}
}
CFReleaseNull(cert);
}
cert_datas++;
}
if ((CFArrayGetCount(certs) == 0) &&
(signerinfo->signerIdentifier.identifierType == SecCmsSignerIDIssuerSN))
{
SecCertificateRef cert = CERT_FindCertificateByIssuerAndSN(signerinfo->signedData->certs, signerinfo->signerIdentifier.id.issuerAndSN);
if (cert) {
CFArrayAppendValue(certs, cert);
CFRelease(cert);
}
}
if ((CFArrayGetCount(certs) == 0) &&
(signerinfo->signerIdentifier.identifierType == SecCmsSignerIDSubjectKeyID))
{
SecCertificateRef cert = CERT_FindCertificateBySubjectKeyID(signerinfo->signedData->certs,
signerinfo->signerIdentifier.id.subjectKeyID);
if (cert) {
CFArrayAppendValue(certs, cert);
CFRelease(cert);
}
}
return certs;
}
#endif
OSStatus
SecCmsSignerInfoVerifyCertificate(SecCmsSignerInfoRef signerinfo, SecKeychainRef keychainOrArray,
CFTypeRef policies, SecTrustRef *trustRef)
{
CFAbsoluteTime stime;
OSStatus rv;
#if USE_CDSA_CRYPTO
SecCertificateRef cert;
if ((cert = SecCmsSignerInfoGetSigningCertificate(signerinfo, keychainOrArray)) == NULL) {
#else
CFArrayRef certs;
if ((certs = SecCmsSignerInfoCopySigningCertificates(signerinfo)) == NULL) {
#endif
signerinfo->verificationStatus = SecCmsVSSigningCertNotFound;
return SECFailure;
}
if (SecCmsSignerInfoGetSigningTime(signerinfo, &stime) != SECSuccess)
stime = CFAbsoluteTimeGetCurrent();
#if USE_CDSA_CRYPTO
rv = CERT_VerifyCert(keychainOrArray, cert, policies, stime, trustRef);
#else
rv = CERT_VerifyCert(keychainOrArray, certs, policies, stime, trustRef);
CFRelease(certs);
#endif
if (rv || !trustRef)
{
if (PORT_GetError() == SEC_ERROR_UNTRUSTED_CERT)
{
#if 0
#warning DEBUG - SecCmsSignerInfoVerifyCertificate trusts everything!
if (signerinfo->verificationStatus == SecCmsVSGoodSignature) {
syslog(LOG_ERR, "SecCmsSignerInfoVerifyCertificate ignoring SEC_ERROR_UNTRUSTED_CERT");
rv = SECSuccess;
}
#else
if (signerinfo->verificationStatus == SecCmsVSGoodSignature)
signerinfo->verificationStatus = SecCmsVSSigningCertNotTrusted;
#endif
}
}
return rv;
}
OSStatus
SecCmsSignerInfoVerify(SecCmsSignerInfoRef signerinfo, SecAsn1Item * digest, SecAsn1Item * contentType)
{
SecPublicKeyRef publickey = NULL;
SecCmsAttribute *attr;
SecAsn1Item encoded_attrs;
SecCertificateRef cert;
SecCmsVerificationStatus vs = SecCmsVSUnverified;
PLArenaPool *poolp;
if (signerinfo == NULL)
return SECFailure;
if ((cert = SecCmsSignerInfoGetSigningCertificate(signerinfo, NULL)) == NULL) {
vs = SecCmsVSSigningCertNotFound;
goto loser;
}
publickey = SecCertificateCopyKey(cert);
if (publickey == NULL)
goto loser;
if (!SecCmsArrayIsEmpty((void **)signerinfo->authAttr)) {
if (contentType) {
if ((attr = SecCmsAttributeArrayFindAttrByOidTag(signerinfo->authAttr,
SEC_OID_PKCS9_CONTENT_TYPE, PR_TRUE)) == NULL)
{
vs = SecCmsVSMalformedSignature;
goto loser;
}
if (SecCmsAttributeCompareValue(attr, contentType) == PR_FALSE) {
vs = SecCmsVSMalformedSignature;
goto loser;
}
}
if ((attr = SecCmsAttributeArrayFindAttrByOidTag(signerinfo->authAttr, SEC_OID_PKCS9_MESSAGE_DIGEST, PR_TRUE)) == NULL)
{
vs = SecCmsVSMalformedSignature;
goto loser;
}
if (SecCmsAttributeCompareValue(attr, digest) == PR_FALSE) {
vs = SecCmsVSDigestMismatch;
goto loser;
}
if ((poolp = PORT_NewArena (1024)) == NULL) {
vs = SecCmsVSProcessingError;
goto loser;
}
encoded_attrs.Data = NULL;
encoded_attrs.Length = 0;
if (SecCmsAttributeArrayEncode(poolp, &(signerinfo->authAttr), &encoded_attrs) == NULL ||
encoded_attrs.Data == NULL || encoded_attrs.Length == 0)
{
vs = SecCmsVSProcessingError;
goto loser;
}
if (errSecSuccess == SecKeyDigestAndVerify(publickey, &signerinfo->digestAlg, encoded_attrs.Data, encoded_attrs.Length, signerinfo->encDigest.Data, signerinfo->encDigest.Length))
vs = SecCmsVSGoodSignature;
else
vs = SecCmsVSBadSignature;
PORT_FreeArena(poolp, PR_FALSE);
} else {
SecAsn1Item * sig;
sig = &(signerinfo->encDigest);
if (sig->Length == 0)
goto loser;
if (SecKeyVerifyDigest(publickey, &signerinfo->digestAlg, digest->Data, digest->Length, sig->Data, sig->Length))
vs = SecCmsVSBadSignature;
else
vs = SecCmsVSGoodSignature;
}
if (vs == SecCmsVSBadSignature) {
if (PORT_GetError() == SEC_ERROR_BAD_SIGNATURE)
PORT_SetError(SEC_ERROR_PKCS7_BAD_SIGNATURE);
}
if (publickey != NULL)
CFRelease(publickey);
signerinfo->verificationStatus = vs;
return (vs == SecCmsVSGoodSignature) ? SECSuccess : SECFailure;
loser:
if (publickey != NULL)
SECKEY_DestroyPublicKey (publickey);
signerinfo->verificationStatus = vs;
PORT_SetError (SEC_ERROR_PKCS7_BAD_SIGNATURE);
return SECFailure;
}
SecCmsVerificationStatus
SecCmsSignerInfoGetVerificationStatus(SecCmsSignerInfoRef signerinfo)
{
return signerinfo->verificationStatus;
}
SECOidData *
SecCmsSignerInfoGetDigestAlg(SecCmsSignerInfoRef signerinfo)
{
return SECOID_FindOID (&(signerinfo->digestAlg.algorithm));
}
SECOidTag
SecCmsSignerInfoGetDigestAlgTag(SecCmsSignerInfoRef signerinfo)
{
SECOidData *algdata;
algdata = SECOID_FindOID (&(signerinfo->digestAlg.algorithm));
if (algdata != NULL)
return algdata->offset;
else
return SEC_OID_UNKNOWN;
}
CFArrayRef
SecCmsSignerInfoGetCertList(SecCmsSignerInfoRef signerinfo)
{
return signerinfo->certList;
}
int
SecCmsSignerInfoGetVersion(SecCmsSignerInfoRef signerinfo)
{
unsigned long version;
if (SEC_ASN1DecodeInteger(&(signerinfo->version), &version) != SECSuccess)
return 0;
else
return (int)version;
}
OSStatus
SecCmsSignerInfoGetSigningTime(SecCmsSignerInfoRef sinfo, CFAbsoluteTime *stime)
{
SecCmsAttribute *attr;
SecAsn1Item * value;
if (sinfo == NULL)
return SECFailure;
if (sinfo->signingTime != 0) {
*stime = sinfo->signingTime;
return SECSuccess;
}
attr = SecCmsAttributeArrayFindAttrByOidTag(sinfo->authAttr, SEC_OID_PKCS9_SIGNING_TIME, PR_TRUE);
if (attr == NULL || (value = SecCmsAttributeGetValue(attr)) == NULL)
return SECFailure;
if (DER_UTCTimeToCFDate(value, stime) != SECSuccess)
return SECFailure;
sinfo->signingTime = *stime;
return SECSuccess;
}
OSStatus
SecCmsSignerInfoGetAppleCodesigningHashAgility(SecCmsSignerInfoRef sinfo, CFDataRef *sdata)
{
SecCmsAttribute *attr;
SecAsn1Item *value;
if (sinfo == NULL || sdata == NULL)
return errSecParam;
*sdata = NULL;
if (sinfo->hashAgilityAttrValue != NULL) {
*sdata = sinfo->hashAgilityAttrValue;
return SECSuccess;
}
attr = SecCmsAttributeArrayFindAttrByOidTag(sinfo->authAttr, SEC_OID_APPLE_HASH_AGILITY, PR_TRUE);
if (attr == NULL || (value = SecCmsAttributeGetValue(attr)) == NULL)
return SECSuccess;
sinfo->hashAgilityAttrValue = CFDataCreate(NULL, value->Data, value->Length);
if (sinfo->hashAgilityAttrValue) {
*sdata = sinfo->hashAgilityAttrValue;
return SECSuccess;
}
return errSecAllocate;
}
typedef struct {
SecAsn1Item digestOID;
SecAsn1Item digestValue;
} CMSAppleAgileHash;
static const SecAsn1Template CMSAppleAgileHashTemplate[] = {
{ SEC_ASN1_SEQUENCE,
0, NULL, sizeof(CMSAppleAgileHash) },
{ SEC_ASN1_OBJECT_ID,
offsetof(CMSAppleAgileHash, digestOID), },
{ SEC_ASN1_OCTET_STRING,
offsetof(CMSAppleAgileHash, digestValue), },
{ 0, }
};
static OSStatus CMSAddAgileHashToDictionary(CFMutableDictionaryRef dictionary, SecAsn1Item *DERAgileHash) {
PLArenaPool *tmppoolp = NULL;
OSStatus status = errSecSuccess;
CMSAppleAgileHash agileHash;
CFDataRef digestValue = NULL;
CFNumberRef digestTag = NULL;
tmppoolp = PORT_NewArena(1024);
if (tmppoolp == NULL) {
return errSecAllocate;
}
if ((status = SEC_ASN1DecodeItem(tmppoolp, &agileHash, CMSAppleAgileHashTemplate, DERAgileHash)) != errSecSuccess) {
goto loser;
}
int64_t tag = SECOID_FindOIDTag(&agileHash.digestOID);
digestTag = CFNumberCreate(NULL, kCFNumberSInt64Type, &tag);
digestValue = CFDataCreate(NULL, agileHash.digestValue.Data, agileHash.digestValue.Length);
CFDictionaryAddValue(dictionary, digestTag, digestValue);
loser:
CFReleaseNull(digestValue);
CFReleaseNull(digestTag);
if (tmppoolp) {
PORT_FreeArena(tmppoolp, PR_FALSE);
}
return status;
}
OSStatus
SecCmsSignerInfoGetAppleCodesigningHashAgilityV2(SecCmsSignerInfoRef sinfo, CFDictionaryRef *sdict)
{
SecCmsAttribute *attr;
if (sinfo == NULL || sdict == NULL) {
return errSecParam;
}
*sdict = NULL;
if (sinfo->hashAgilityV2AttrValues != NULL) {
*sdict = sinfo->hashAgilityV2AttrValues;
return SECSuccess;
}
attr = SecCmsAttributeArrayFindAttrByOidTag(sinfo->authAttr, SEC_OID_APPLE_HASH_AGILITY_V2, PR_TRUE);
if (attr == NULL) {
return SECSuccess;
}
SecAsn1Item **values = attr->values;
if (values == NULL) {
return errSecDecode;
}
CFMutableDictionaryRef agileHashValues = CFDictionaryCreateMutable(NULL, SecCmsArrayCount((void **)values),
&kCFTypeDictionaryKeyCallBacks,
&kCFTypeDictionaryValueCallBacks);
while (*values != NULL) {
(void)CMSAddAgileHashToDictionary(agileHashValues, *values++);
}
if (CFDictionaryGetCount(agileHashValues) != SecCmsArrayCount((void **)attr->values)) {
CFReleaseNull(agileHashValues);
return errSecDecode;
}
sinfo->hashAgilityV2AttrValues = agileHashValues;
if (sinfo->hashAgilityV2AttrValues) {
*sdict = sinfo->hashAgilityV2AttrValues;
return SECSuccess;
}
return errSecAllocate;
}
OSStatus
SecCmsSignerInfoGetAppleExpirationTime(SecCmsSignerInfoRef sinfo, CFAbsoluteTime *etime)
{
SecCmsAttribute *attr = NULL;
SecAsn1Item * value = NULL;
if (sinfo == NULL || etime == NULL) {
return SECFailure;
}
if (sinfo->expirationTime != 0) {
*etime = sinfo->expirationTime;
return SECSuccess;
}
attr = SecCmsAttributeArrayFindAttrByOidTag(sinfo->authAttr, SEC_OID_APPLE_EXPIRATION_TIME, PR_TRUE);
if (attr == NULL || (value = SecCmsAttributeGetValue(attr)) == NULL) {
return SECFailure;
}
if (DER_UTCTimeToCFDate(value, etime) != SECSuccess) {
return SECFailure;
}
sinfo->expirationTime = *etime;
return SECSuccess;
}
SecCertificateRef
SecCmsSignerInfoGetSigningCertificate(SecCmsSignerInfoRef signerinfo, SecKeychainRef keychainOrArray)
{
SecCertificateRef cert = NULL;
if (signerinfo->cert != NULL)
return signerinfo->cert;
#if USE_CDSA_CRYPTO
SecCmsSignerIdentifier *sid;
sid = &signerinfo->signerIdentifier;
switch (sid->identifierType) {
case SecCmsSignerIDIssuerSN:
cert = CERT_FindCertByIssuerAndSN(keychainOrArray, sid->id.issuerAndSN);
break;
case SecCmsSignerIDSubjectKeyID:
cert = CERT_FindCertBySubjectKeyID(keychainOrArray, sid->id.subjectKeyID);
break;
default:
cert = NULL;
break;
}
signerinfo->cert = cert;
#else
SecAsn1Item **cert_datas = signerinfo->signedData->rawCerts;
SecAsn1Item *cert_data;
if (cert_datas) while ((cert_data = *cert_datas) != NULL) {
cert = SecCertificateCreateWithBytes(NULL, cert_data->Data, cert_data->Length);
if (cert) {
switch (signerinfo->signerIdentifier.identifierType) {
case SecCmsSignerIDIssuerSN:
if (CERT_CheckIssuerAndSerial(cert,
&(signerinfo->signerIdentifier.id.issuerAndSN->derIssuer),
&(signerinfo->signerIdentifier.id.issuerAndSN->serialNumber)))
signerinfo->cert = cert;
break;
case SecCmsSignerIDSubjectKeyID: {
CFDataRef cert_keyid = SecCertificateGetSubjectKeyID(cert);
SecAsn1Item *tbf_keyid = signerinfo->signerIdentifier.id.subjectKeyID;
if (tbf_keyid->Length == (size_t)CFDataGetLength(cert_keyid) &&
!memcmp(tbf_keyid->Data, CFDataGetBytePtr(cert_keyid), tbf_keyid->Length))
signerinfo->cert = cert;
}
}
if (signerinfo->cert)
break;
CFReleaseNull(cert);
}
cert_datas++;
}
if (!signerinfo->cert && (signerinfo->signerIdentifier.identifierType == SecCmsSignerIDIssuerSN)) {
cert = CERT_FindCertificateByIssuerAndSN(signerinfo->signedData->certs, signerinfo->signerIdentifier.id.issuerAndSN);
signerinfo->cert = cert;
}
if (!signerinfo->cert && (signerinfo->signerIdentifier.identifierType == SecCmsSignerIDSubjectKeyID)) {
cert = CERT_FindCertificateBySubjectKeyID(signerinfo->signedData->certs, signerinfo->signerIdentifier.id.subjectKeyID);
signerinfo->cert = cert;
}
#endif
return cert;
}
CFStringRef
SecCmsSignerInfoGetSignerCommonName(SecCmsSignerInfoRef sinfo)
{
SecCertificateRef signercert;
CFStringRef commonName = NULL;
if ((signercert = SecCmsSignerInfoGetSigningCertificate(sinfo, NULL)) == NULL)
return NULL;
#if USE_CDSA_CRYPTO
SecCertificateGetCommonName(signercert, &commonName);
#else
CFArrayRef commonNames = SecCertificateCopyCommonNames(signercert);
if (commonNames) {
commonName = (CFStringRef)CFArrayGetValueAtIndex(commonNames, CFArrayGetCount(commonNames) - 1);
CFRetain(commonName);
CFRelease(commonNames);
}
#endif
return commonName;
}
CFStringRef
SecCmsSignerInfoGetSignerEmailAddress(SecCmsSignerInfoRef sinfo)
{
SecCertificateRef signercert;
CFStringRef emailAddress = NULL;
if ((signercert = SecCmsSignerInfoGetSigningCertificate(sinfo, NULL)) == NULL)
return NULL;
#if USE_CDSA_CRYPTO
SecCertificateGetEmailAddress(signercert, &emailAddress);
#else
CFArrayRef names = SecCertificateCopyRFC822Names(signercert);
if (names) {
if (CFArrayGetCount(names) > 0)
emailAddress = (CFStringRef)CFArrayGetValueAtIndex(names, 0);
if (emailAddress)
CFRetain(emailAddress);
CFRelease(names);
}
#endif
return emailAddress;
}
OSStatus
SecCmsSignerInfoAddAuthAttr(SecCmsSignerInfoRef signerinfo, SecCmsAttribute *attr)
{
return SecCmsAttributeArrayAddAttr(signerinfo->signedData->contentInfo.cmsg->poolp, &(signerinfo->authAttr), attr);
}
OSStatus
SecCmsSignerInfoAddUnauthAttr(SecCmsSignerInfoRef signerinfo, SecCmsAttribute *attr)
{
return SecCmsAttributeArrayAddAttr(signerinfo->signedData->contentInfo.cmsg->poolp, &(signerinfo->unAuthAttr), attr);
}
OSStatus
SecCmsSignerInfoAddSigningTime(SecCmsSignerInfoRef signerinfo, CFAbsoluteTime t)
{
SecCmsAttribute *attr;
SecAsn1Item stime;
void *mark;
PLArenaPool *poolp;
poolp = signerinfo->signedData->contentInfo.cmsg->poolp;
mark = PORT_ArenaMark(poolp);
if (DER_CFDateToUTCTime(t, &stime) != SECSuccess)
goto loser;
if ((attr = SecCmsAttributeCreate(poolp, SEC_OID_PKCS9_SIGNING_TIME, &stime, PR_FALSE)) == NULL) {
SECITEM_FreeItem (&stime, PR_FALSE);
goto loser;
}
SECITEM_FreeItem (&stime, PR_FALSE);
if (SecCmsSignerInfoAddAuthAttr(signerinfo, attr) != SECSuccess)
goto loser;
PORT_ArenaUnmark (poolp, mark);
return SECSuccess;
loser:
PORT_ArenaRelease (poolp, mark);
return SECFailure;
}
OSStatus
SecCmsSignerInfoAddSMIMECaps(SecCmsSignerInfoRef signerinfo)
{
SecCmsAttribute *attr;
SecAsn1Item * smimecaps = NULL;
void *mark;
PLArenaPool *poolp;
poolp = signerinfo->signedData->contentInfo.cmsg->poolp;
mark = PORT_ArenaMark(poolp);
smimecaps = SECITEM_AllocItem(poolp, NULL, 0);
if (smimecaps == NULL)
goto loser;
#if 1
if (SecSMIMECreateSMIMECapabilities(poolp, smimecaps, PR_FALSE) != SECSuccess)
#else
if (SecSMIMECreateSMIMECapabilities(poolp, smimecaps,
PK11_FortezzaHasKEA(signerinfo->cert)) != SECSuccess)
#endif
goto loser;
if ((attr = SecCmsAttributeCreate(poolp, SEC_OID_PKCS9_SMIME_CAPABILITIES, smimecaps, PR_TRUE)) == NULL)
goto loser;
if (SecCmsSignerInfoAddAuthAttr(signerinfo, attr) != SECSuccess)
goto loser;
PORT_ArenaUnmark (poolp, mark);
return SECSuccess;
loser:
PORT_ArenaRelease (poolp, mark);
return SECFailure;
}
OSStatus
SecCmsSignerInfoAddSMIMEEncKeyPrefs(SecCmsSignerInfoRef signerinfo, SecCertificateRef cert, SecKeychainRef keychainOrArray)
{
SecCmsAttribute *attr;
SecAsn1Item * smimeekp = NULL;
void *mark;
PLArenaPool *poolp;
#if 0
CFTypeRef policy;
policy = CERT_PolicyForCertUsage(certUsageEmailRecipient);
if (CERT_VerifyCert(keychainOrArray, cert, policy, CFAbsoluteTimeGetCurrent(), NULL) != SECSuccess) {
CFRelease(policy);
return SECFailure;
}
CFRelease(policy);
#endif
poolp = signerinfo->signedData->contentInfo.cmsg->poolp;
mark = PORT_ArenaMark(poolp);
smimeekp = SECITEM_AllocItem(poolp, NULL, 0);
if (smimeekp == NULL)
goto loser;
if (SecSMIMECreateSMIMEEncKeyPrefs(poolp, smimeekp, cert) != SECSuccess)
goto loser;
if ((attr = SecCmsAttributeCreate(poolp, SEC_OID_SMIME_ENCRYPTION_KEY_PREFERENCE, smimeekp, PR_TRUE)) == NULL)
goto loser;
if (SecCmsSignerInfoAddAuthAttr(signerinfo, attr) != SECSuccess)
goto loser;
PORT_ArenaUnmark (poolp, mark);
return SECSuccess;
loser:
PORT_ArenaRelease (poolp, mark);
return SECFailure;
}
OSStatus
SecCmsSignerInfoAddMSSMIMEEncKeyPrefs(SecCmsSignerInfoRef signerinfo, SecCertificateRef cert, SecKeychainRef keychainOrArray)
{
SecCmsAttribute *attr;
SecAsn1Item * smimeekp = NULL;
void *mark;
PLArenaPool *poolp;
#if 0
CFTypeRef policy;
policy = CERT_PolicyForCertUsage(certUsageEmailRecipient);
if (CERT_VerifyCert(keychainOrArray, cert, policy, CFAbsoluteTimeGetCurrent(), NULL) != SECSuccess) {
CFRelease(policy);
return SECFailure;
}
CFRelease(policy);
#endif
poolp = signerinfo->signedData->contentInfo.cmsg->poolp;
mark = PORT_ArenaMark(poolp);
smimeekp = SECITEM_AllocItem(poolp, NULL, 0);
if (smimeekp == NULL)
goto loser;
if (SecSMIMECreateMSSMIMEEncKeyPrefs(poolp, smimeekp, cert) != SECSuccess)
goto loser;
if ((attr = SecCmsAttributeCreate(poolp, SEC_OID_MS_SMIME_ENCRYPTION_KEY_PREFERENCE, smimeekp, PR_TRUE)) == NULL)
goto loser;
if (SecCmsSignerInfoAddAuthAttr(signerinfo, attr) != SECSuccess)
goto loser;
PORT_ArenaUnmark (poolp, mark);
return SECSuccess;
loser:
PORT_ArenaRelease (poolp, mark);
return SECFailure;
}
OSStatus
SecCmsSignerInfoAddCounterSignature(SecCmsSignerInfoRef signerinfo,
SECOidTag digestalg, SecIdentityRef identity)
{
return SECFailure;
}
OSStatus
SecCmsSignerInfoAddAppleCodesigningHashAgility(SecCmsSignerInfoRef signerinfo, CFDataRef attrValue)
{
SecCmsAttribute *attr;
PLArenaPool *poolp = signerinfo->signedData->contentInfo.cmsg->poolp;
void *mark = PORT_ArenaMark(poolp);
OSStatus status = SECFailure;
if (!attrValue) {
status = errSecParam;
goto loser;
}
SecAsn1Item value;
value.Length = CFDataGetLength(attrValue);
value.Data = (uint8_t *)CFDataGetBytePtr(attrValue);
if ((attr = SecCmsAttributeCreate(poolp,
SEC_OID_APPLE_HASH_AGILITY,
&value,
PR_FALSE)) == NULL) {
status = errSecAllocate;
goto loser;
}
if (SecCmsSignerInfoAddAuthAttr(signerinfo, attr) != SECSuccess) {
status = errSecInternal;
goto loser;
}
PORT_ArenaUnmark(poolp, mark);
return SECSuccess;
loser:
PORT_ArenaRelease(poolp, mark);
return status;
}
static OSStatus CMSAddAgileHashToAttribute(PLArenaPool *poolp, SecCmsAttribute *attr, CFNumberRef cftag, CFDataRef value) {
PLArenaPool *tmppoolp = NULL;
int64_t tag;
SECOidData *digestOid = NULL;
CMSAppleAgileHash agileHash;
SecAsn1Item attrValue = { .Data = NULL, .Length = 0 };
OSStatus status = errSecSuccess;
memset(&agileHash, 0, sizeof(agileHash));
if(!CFNumberGetValue(cftag, kCFNumberSInt64Type, &tag)) {
return errSecParam;
}
digestOid = SECOID_FindOIDByTag((SECOidTag)tag);
agileHash.digestValue.Data = (uint8_t *)CFDataGetBytePtr(value);
agileHash.digestValue.Length = CFDataGetLength(value);
agileHash.digestOID.Data = digestOid->oid.Data;
agileHash.digestOID.Length = digestOid->oid.Length;
tmppoolp = PORT_NewArena(1024);
if (tmppoolp == NULL) {
return errSecAllocate;
}
if (SEC_ASN1EncodeItem(tmppoolp, &attrValue, &agileHash, CMSAppleAgileHashTemplate) == NULL) {
status = errSecParam;
goto loser;
}
status = SecCmsAttributeAddValue(poolp, attr, &attrValue);
loser:
if (tmppoolp) {
PORT_FreeArena(tmppoolp, PR_FALSE);
}
return status;
}
OSStatus
SecCmsSignerInfoAddAppleCodesigningHashAgilityV2(SecCmsSignerInfoRef signerinfo, CFDictionaryRef attrValues)
{
__block SecCmsAttribute *attr;
__block PLArenaPool *poolp = signerinfo->signedData->contentInfo.cmsg->poolp;
void *mark = PORT_ArenaMark(poolp);
OSStatus status = SECFailure;
if (!attrValues) {
status = errSecParam;
goto loser;
}
if ((attr = SecCmsAttributeCreate(poolp, SEC_OID_APPLE_HASH_AGILITY_V2,
NULL, PR_TRUE)) == NULL) {
status = errSecAllocate;
goto loser;
}
CFDictionaryForEach(attrValues, ^(const void *key, const void *value) {
if (!isNumber(key) || !isData(value)) {
return;
}
(void)CMSAddAgileHashToAttribute(poolp, attr, (CFNumberRef)key, (CFDataRef)value);
});
if (SecCmsSignerInfoAddAuthAttr(signerinfo, attr) != SECSuccess) {
status = errSecInternal;
goto loser;
}
PORT_ArenaUnmark(poolp, mark);
return SECSuccess;
loser:
PORT_ArenaRelease(poolp, mark);
return status;
}
OSStatus
SecCmsSignerInfoAddAppleExpirationTime(SecCmsSignerInfoRef signerinfo, CFAbsoluteTime t)
{
SecCmsAttribute *attr = NULL;
PLArenaPool *poolp = signerinfo->signedData->contentInfo.cmsg->poolp;
void *mark = PORT_ArenaMark(poolp);
SecAsn1Item etime;
if (DER_CFDateToUTCTime(t, &etime) != SECSuccess) {
goto loser;
}
if ((attr = SecCmsAttributeCreate(poolp, SEC_OID_APPLE_EXPIRATION_TIME, &etime, PR_FALSE)) == NULL) {
SECITEM_FreeItem (&etime, PR_FALSE);
goto loser;
}
SECITEM_FreeItem(&etime, PR_FALSE);
if (SecCmsSignerInfoAddAuthAttr(signerinfo, attr) != SECSuccess) {
goto loser;
}
PORT_ArenaUnmark(poolp, mark);
return SECSuccess;
loser:
PORT_ArenaRelease(poolp, mark);
return SECFailure;
}
SecCertificateRef SecCmsSignerInfoCopyCertFromEncryptionKeyPreference(SecCmsSignerInfoRef signerinfo) {
SecCertificateRef cert = NULL;
SecCmsAttribute *attr;
SecAsn1Item *ekp;
if (signerinfo->verificationStatus != SecCmsVSGoodSignature)
return NULL;
SecAsn1Item **rawCerts = NULL;
if (signerinfo->signedData) {
rawCerts = signerinfo->signedData->rawCerts;
}
if (!SecCmsArrayIsEmpty((void **)signerinfo->authAttr) &&
(attr = SecCmsAttributeArrayFindAttrByOidTag(signerinfo->authAttr,
SEC_OID_SMIME_ENCRYPTION_KEY_PREFERENCE, PR_TRUE)) != NULL)
{
ekp = SecCmsAttributeGetValue(attr);
if (ekp == NULL)
return NULL;
cert = SecSMIMEGetCertFromEncryptionKeyPreference(rawCerts, ekp);
}
if (cert) return cert;
if (!SecCmsArrayIsEmpty((void **)signerinfo->authAttr) &&
(attr = SecCmsAttributeArrayFindAttrByOidTag(signerinfo->authAttr,
SEC_OID_MS_SMIME_ENCRYPTION_KEY_PREFERENCE, PR_TRUE)) != NULL)
{
ekp = SecCmsAttributeGetValue(attr);
if (ekp == NULL)
return NULL;
cert = SecSMIMEGetCertFromEncryptionKeyPreference(rawCerts, ekp);
}
return cert;
}
OSStatus
SecCmsSignerInfoSaveSMIMEProfile(SecCmsSignerInfoRef signerinfo)
{
return -4 ;
}
OSStatus
SecCmsSignerInfoIncludeCerts(SecCmsSignerInfoRef signerinfo, SecCmsCertChainMode cm, SECCertUsage usage)
{
if (signerinfo->cert == NULL)
return SECFailure;
if (signerinfo->certList != NULL) {
CFRelease(signerinfo->certList);
signerinfo->certList = NULL;
}
switch (cm) {
case SecCmsCMNone:
signerinfo->certList = NULL;
break;
case SecCmsCMCertOnly:
signerinfo->certList = CERT_CertListFromCert(signerinfo->cert);
break;
case SecCmsCMCertChain:
signerinfo->certList = CERT_CertChainFromCert(signerinfo->cert, usage, PR_FALSE);
break;
case SecCmsCMCertChainWithRoot:
signerinfo->certList = CERT_CertChainFromCert(signerinfo->cert, usage, PR_TRUE);
break;
}
if (cm != SecCmsCMNone && signerinfo->certList == NULL)
return SECFailure;
return SECSuccess;
}