1 /* This Source Code Form is subject to the terms of the Mozilla Public
2  * License, v. 2.0. If a copy of the MPL was not distributed with this
3  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4 
5 /*
6  * Header for pkcs7 types.
7  */
8 
9 #ifndef _PKCS7T_H_
10 #define _PKCS7T_H_
11 
12 #include "plarena.h"
13 
14 #include "seccomon.h"
15 #include "secoidt.h"
16 #include "certt.h"
17 #include "secmodt.h"
18 
19 /* Opaque objects */
20 typedef struct SEC_PKCS7DecoderContextStr SEC_PKCS7DecoderContext;
21 typedef struct SEC_PKCS7EncoderContextStr SEC_PKCS7EncoderContext;
22 
23 /* legacy defines that haven't been active for years */
24 typedef void *(*SECKEYGetPasswordKey)(void *arg, void *handle);
25 
26 /* Non-opaque objects.  NOTE, though: I want them to be treated as
27  * opaque as much as possible.  If I could hide them completely,
28  * I would.  (I tried, but ran into trouble that was taking me too
29  * much time to get out of.)  I still intend to try to do so.
30  * In fact, the only type that "outsiders" should even *name* is
31  * SEC_PKCS7ContentInfo, and they should not reference its fields.
32  */
33 /* rjr: PKCS #11 cert handling (pk11cert.c) does use SEC_PKCS7RecipientInfo's.
34  * This is because when we search the recipient list for the cert and key we
35  * want, we need to invert the order of the loops we used to have. The old
36  * loops were:
37  *
38  *  For each recipient {
39  *       find_cert = PK11_Find_AllCert(recipient->issuerSN);
40  *       [which unrolls to... ]
41  *       For each slot {
42  *            Log into slot;
43  *            search slot for cert;
44  *      }
45  *  }
46  *
47  *  the new loop searchs all the recipients at once on a slot. this allows
48  *  PKCS #11 to order slots in such a way that logout slots don't get checked
49  *  if we can find the cert on a logged in slot. This eliminates lots of
50  *  spurious password prompts when smart cards are installed... so why this
51  *  comment? If you make SEC_PKCS7RecipientInfo completely opaque, you need
52  *  to provide a non-opaque list of issuerSN's (the only field PKCS#11 needs
53  *  and fix up pk11cert.c first. NOTE: Only S/MIME calls this special PKCS #11
54  *  function.
55  */
56 typedef struct SEC_PKCS7ContentInfoStr SEC_PKCS7ContentInfo;
57 typedef struct SEC_PKCS7SignedDataStr SEC_PKCS7SignedData;
58 typedef struct SEC_PKCS7EncryptedContentInfoStr SEC_PKCS7EncryptedContentInfo;
59 typedef struct SEC_PKCS7EnvelopedDataStr SEC_PKCS7EnvelopedData;
60 typedef struct SEC_PKCS7SignedAndEnvelopedDataStr
61     SEC_PKCS7SignedAndEnvelopedData;
62 typedef struct SEC_PKCS7SignerInfoStr SEC_PKCS7SignerInfo;
63 typedef struct SEC_PKCS7RecipientInfoStr SEC_PKCS7RecipientInfo;
64 typedef struct SEC_PKCS7DigestedDataStr SEC_PKCS7DigestedData;
65 typedef struct SEC_PKCS7EncryptedDataStr SEC_PKCS7EncryptedData;
66 /*
67  * The following is not actually a PKCS7 type, but for now it is only
68  * used by PKCS7, so we have adopted it.  If someone else *ever* needs
69  * it, its name should be changed and it should be moved out of here.
70  * Do not dare to use it without doing so!
71  */
72 typedef struct SEC_PKCS7AttributeStr SEC_PKCS7Attribute;
73 
74 struct SEC_PKCS7ContentInfoStr {
75     PLArenaPool *poolp;         /* local; not part of encoding */
76     PRBool created;             /* local; not part of encoding */
77     int refCount;               /* local; not part of encoding */
78     SECOidData *contentTypeTag; /* local; not part of encoding */
79     SECKEYGetPasswordKey pwfn;  /* local; not part of encoding */
80     void *pwfn_arg;             /* local; not part of encoding */
81     SECItem contentType;
82     union {
83         SECItem *data;
84         SEC_PKCS7DigestedData *digestedData;
85         SEC_PKCS7EncryptedData *encryptedData;
86         SEC_PKCS7EnvelopedData *envelopedData;
87         SEC_PKCS7SignedData *signedData;
88         SEC_PKCS7SignedAndEnvelopedData *signedAndEnvelopedData;
89     } content;
90 };
91 
92 struct SEC_PKCS7SignedDataStr {
93     SECItem version;
94     SECAlgorithmID **digestAlgorithms;
95     SEC_PKCS7ContentInfo contentInfo;
96     SECItem **rawCerts;
97     CERTSignedCrl **crls;
98     SEC_PKCS7SignerInfo **signerInfos;
99     SECItem **digests;               /* local; not part of encoding */
100     CERTCertificate **certs;         /* local; not part of encoding */
101     CERTCertificateList **certLists; /* local; not part of encoding */
102 };
103 #define SEC_PKCS7_SIGNED_DATA_VERSION 1 /* what we *create* */
104 
105 struct SEC_PKCS7EncryptedContentInfoStr {
106     SECOidData *contentTypeTag; /* local; not part of encoding */
107     SECItem contentType;
108     SECAlgorithmID contentEncAlg;
109     SECItem encContent;
110     SECItem plainContent; /* local; not part of encoding */
111                           /* bytes not encrypted, but encoded */
112     int keysize;          /* local; not part of encoding */
113                           /* size of bulk encryption key
114                            * (only used by creation code) */
115     SECOidTag encalg;     /* local; not part of encoding */
116                           /* oid tag of encryption algorithm
117                            * (only used by creation code) */
118 };
119 
120 struct SEC_PKCS7EnvelopedDataStr {
121     SECItem version;
122     SEC_PKCS7RecipientInfo **recipientInfos;
123     SEC_PKCS7EncryptedContentInfo encContentInfo;
124 };
125 #define SEC_PKCS7_ENVELOPED_DATA_VERSION 0 /* what we *create* */
126 
127 struct SEC_PKCS7SignedAndEnvelopedDataStr {
128     SECItem version;
129     SEC_PKCS7RecipientInfo **recipientInfos;
130     SECAlgorithmID **digestAlgorithms;
131     SEC_PKCS7EncryptedContentInfo encContentInfo;
132     SECItem **rawCerts;
133     CERTSignedCrl **crls;
134     SEC_PKCS7SignerInfo **signerInfos;
135     SECItem **digests;               /* local; not part of encoding */
136     CERTCertificate **certs;         /* local; not part of encoding */
137     CERTCertificateList **certLists; /* local; not part of encoding */
138     PK11SymKey *sigKey;              /* local; not part of encoding */
139 };
140 #define SEC_PKCS7_SIGNED_AND_ENVELOPED_DATA_VERSION 1 /* what we *create* */
141 
142 struct SEC_PKCS7SignerInfoStr {
143     SECItem version;
144     CERTIssuerAndSN *issuerAndSN;
145     SECAlgorithmID digestAlg;
146     SEC_PKCS7Attribute **authAttr;
147     SECAlgorithmID digestEncAlg;
148     SECItem encDigest;
149     SEC_PKCS7Attribute **unAuthAttr;
150     CERTCertificate *cert;         /* local; not part of encoding */
151     CERTCertificateList *certList; /* local; not part of encoding */
152 };
153 #define SEC_PKCS7_SIGNER_INFO_VERSION 1 /* what we *create* */
154 
155 struct SEC_PKCS7RecipientInfoStr {
156     SECItem version;
157     CERTIssuerAndSN *issuerAndSN;
158     SECAlgorithmID keyEncAlg;
159     SECItem encKey;
160     CERTCertificate *cert; /* local; not part of encoding */
161 };
162 #define SEC_PKCS7_RECIPIENT_INFO_VERSION 0 /* what we *create* */
163 
164 struct SEC_PKCS7DigestedDataStr {
165     SECItem version;
166     SECAlgorithmID digestAlg;
167     SEC_PKCS7ContentInfo contentInfo;
168     SECItem digest;
169 };
170 #define SEC_PKCS7_DIGESTED_DATA_VERSION 0 /* what we *create* */
171 
172 struct SEC_PKCS7EncryptedDataStr {
173     SECItem version;
174     SEC_PKCS7EncryptedContentInfo encContentInfo;
175 };
176 #define SEC_PKCS7_ENCRYPTED_DATA_VERSION 0 /* what we *create* */
177 
178 /*
179  * See comment above about this type not really belonging to PKCS7.
180  */
181 struct SEC_PKCS7AttributeStr {
182     /* The following fields make up an encoded Attribute: */
183     SECItem type;
184     SECItem **values; /* data may or may not be encoded */
185     /* The following fields are not part of an encoded Attribute: */
186     SECOidData *typeTag;
187     PRBool encoded; /* when true, values are encoded */
188 };
189 
190 /*
191  * Type of function passed to SEC_PKCS7Decode or SEC_PKCS7DecoderStart.
192  * If specified, this is where the content bytes (only) will be "sent"
193  * as they are recovered during the decoding.
194  *
195  * XXX Should just combine this with SEC_PKCS7EncoderContentCallback type
196  * and use a simpler, common name.
197  */
198 typedef void (*SEC_PKCS7DecoderContentCallback)(void *arg,
199                                                 const char *buf,
200                                                 unsigned long len);
201 
202 /*
203  * Type of function passed to SEC_PKCS7Encode or SEC_PKCS7EncoderStart.
204  * This is where the encoded bytes will be "sent".
205  *
206  * XXX Should just combine this with SEC_PKCS7DecoderContentCallback type
207  * and use a simpler, common name.
208  */
209 typedef void (*SEC_PKCS7EncoderOutputCallback)(void *arg,
210                                                const char *buf,
211                                                unsigned long len);
212 
213 /*
214  * Type of function passed to SEC_PKCS7Decode or SEC_PKCS7DecoderStart
215  * to retrieve the decryption key.  This function is inteded to be
216  * used for EncryptedData content info's which do not have a key available
217  * in a certificate, etc.
218  */
219 typedef PK11SymKey *(*SEC_PKCS7GetDecryptKeyCallback)(void *arg,
220                                                       SECAlgorithmID *algid);
221 
222 /*
223  * Type of function passed to SEC_PKCS7Decode or SEC_PKCS7DecoderStart.
224  * This function in intended to be used to verify that decrypting a
225  * particular crypto algorithm is allowed.  Content types which do not
226  * require decryption will not need the callback.  If the callback
227  * is not specified for content types which require decryption, the
228  * decryption will be disallowed.
229  */
230 typedef PRBool (*SEC_PKCS7DecryptionAllowedCallback)(SECAlgorithmID *algid,
231                                                      PK11SymKey *bulkkey);
232 
233 #endif /* _PKCS7T_H_ */
234