1 /* This Source Code Form is subject to the terms of the Mozilla Public 2 * License, v. 2.0. If a copy of the MPL was not distributed with this 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 4 5 /* 6 * Interfaces of the CMS implementation. 7 */ 8 9 #ifndef _CMS_H_ 10 #define _CMS_H_ 11 12 #include "seccomon.h" 13 14 #include "secoidt.h" 15 #include "certt.h" 16 #include "keythi.h" 17 #include "hasht.h" 18 #include "cmst.h" 19 20 /************************************************************************/ 21 SEC_BEGIN_PROTOS 22 23 /************************************************************************ 24 * cmsdecode.c - CMS decoding 25 ************************************************************************/ 26 27 /* 28 * NSS_CMSDecoder_Start - set up decoding of a DER-encoded CMS message 29 * 30 * "poolp" - pointer to arena for message, or NULL if new pool should be created 31 * "cb", "cb_arg" - callback function and argument for delivery of inner content 32 * inner content will be stored in the message if cb is NULL. 33 * "pwfn", pwfn_arg" - callback function for getting token password 34 * "decrypt_key_cb", "decrypt_key_cb_arg" - callback function for getting bulk key for encryptedData 35 */ 36 extern NSSCMSDecoderContext * 37 NSS_CMSDecoder_Start(PLArenaPool *poolp, 38 NSSCMSContentCallback cb, void *cb_arg, 39 PK11PasswordFunc pwfn, void *pwfn_arg, 40 NSSCMSGetDecryptKeyCallback decrypt_key_cb, void *decrypt_key_cb_arg); 41 42 /* 43 * NSS_CMSDecoder_Update - feed DER-encoded data to decoder 44 */ 45 extern SECStatus 46 NSS_CMSDecoder_Update(NSSCMSDecoderContext *p7dcx, const char *buf, unsigned long len); 47 48 /* 49 * NSS_CMSDecoder_Cancel - cancel a decoding process 50 */ 51 extern void 52 NSS_CMSDecoder_Cancel(NSSCMSDecoderContext *p7dcx); 53 54 /* 55 * NSS_CMSDecoder_Finish - mark the end of inner content and finish decoding 56 */ 57 extern NSSCMSMessage * 58 NSS_CMSDecoder_Finish(NSSCMSDecoderContext *p7dcx); 59 60 /* 61 * NSS_CMSMessage_CreateFromDER - decode a CMS message from DER encoded data 62 */ 63 extern NSSCMSMessage * 64 NSS_CMSMessage_CreateFromDER(SECItem *DERmessage, 65 NSSCMSContentCallback cb, void *cb_arg, 66 PK11PasswordFunc pwfn, void *pwfn_arg, 67 NSSCMSGetDecryptKeyCallback decrypt_key_cb, void *decrypt_key_cb_arg); 68 69 /************************************************************************ 70 * cmsencode.c - CMS encoding 71 ************************************************************************/ 72 73 /* 74 * NSS_CMSEncoder_Start - set up encoding of a CMS message 75 * 76 * "cmsg" - message to encode 77 * "outputfn", "outputarg" - callback function for delivery of DER-encoded output 78 * will not be called if NULL. 79 * "dest" - if non-NULL, pointer to SECItem that will hold the DER-encoded output 80 * "destpoolp" - pool to allocate DER-encoded output in 81 * "pwfn", pwfn_arg" - callback function for getting token password 82 * "decrypt_key_cb", "decrypt_key_cb_arg" - callback function for getting bulk key for encryptedData 83 * "detached_digestalgs", "detached_digests" - digests from detached content 84 */ 85 extern NSSCMSEncoderContext * 86 NSS_CMSEncoder_Start(NSSCMSMessage *cmsg, 87 NSSCMSContentCallback outputfn, void *outputarg, 88 SECItem *dest, PLArenaPool *destpoolp, 89 PK11PasswordFunc pwfn, void *pwfn_arg, 90 NSSCMSGetDecryptKeyCallback decrypt_key_cb, void *decrypt_key_cb_arg, 91 SECAlgorithmID **detached_digestalgs, SECItem **detached_digests); 92 93 /* 94 * NSS_CMSEncoder_Update - take content data delivery from the user 95 * 96 * "p7ecx" - encoder context 97 * "data" - content data 98 * "len" - length of content data 99 */ 100 extern SECStatus 101 NSS_CMSEncoder_Update(NSSCMSEncoderContext *p7ecx, const char *data, unsigned long len); 102 103 /* 104 * NSS_CMSEncoder_Cancel - stop all encoding 105 */ 106 extern SECStatus 107 NSS_CMSEncoder_Cancel(NSSCMSEncoderContext *p7ecx); 108 109 /* 110 * NSS_CMSEncoder_Finish - signal the end of data 111 * 112 * we need to walk down the chain of encoders and the finish them from the innermost out 113 */ 114 extern SECStatus 115 NSS_CMSEncoder_Finish(NSSCMSEncoderContext *p7ecx); 116 117 /************************************************************************ 118 * cmsmessage.c - CMS message object 119 ************************************************************************/ 120 121 /* 122 * NSS_CMSMessage_Create - create a CMS message object 123 * 124 * "poolp" - arena to allocate memory from, or NULL if new arena should be created 125 */ 126 extern NSSCMSMessage * 127 NSS_CMSMessage_Create(PLArenaPool *poolp); 128 129 /* 130 * NSS_CMSMessage_SetEncodingParams - set up a CMS message object for encoding or decoding 131 * 132 * "cmsg" - message object 133 * "pwfn", pwfn_arg" - callback function for getting token password 134 * "decrypt_key_cb", "decrypt_key_cb_arg" - callback function for getting bulk key for encryptedData 135 * "detached_digestalgs", "detached_digests" - digests from detached content 136 * 137 * used internally. 138 */ 139 extern void 140 NSS_CMSMessage_SetEncodingParams(NSSCMSMessage *cmsg, 141 PK11PasswordFunc pwfn, void *pwfn_arg, 142 NSSCMSGetDecryptKeyCallback decrypt_key_cb, void *decrypt_key_cb_arg, 143 SECAlgorithmID **detached_digestalgs, SECItem **detached_digests); 144 145 /* 146 * NSS_CMSMessage_Destroy - destroy a CMS message and all of its sub-pieces. 147 */ 148 extern void 149 NSS_CMSMessage_Destroy(NSSCMSMessage *cmsg); 150 151 /* 152 * NSS_CMSMessage_Copy - return a copy of the given message. 153 * 154 * The copy may be virtual or may be real -- either way, the result needs 155 * to be passed to NSS_CMSMessage_Destroy later (as does the original). 156 */ 157 extern NSSCMSMessage * 158 NSS_CMSMessage_Copy(NSSCMSMessage *cmsg); 159 160 /* 161 * NSS_CMSMessage_GetArena - return a pointer to the message's arena pool 162 */ 163 extern PLArenaPool * 164 NSS_CMSMessage_GetArena(NSSCMSMessage *cmsg); 165 166 /* 167 * NSS_CMSMessage_GetContentInfo - return a pointer to the top level contentInfo 168 */ 169 extern NSSCMSContentInfo * 170 NSS_CMSMessage_GetContentInfo(NSSCMSMessage *cmsg); 171 172 /* 173 * Return a pointer to the actual content. 174 * In the case of those types which are encrypted, this returns the *plain* content. 175 * In case of nested contentInfos, this descends and retrieves the innermost content. 176 */ 177 extern SECItem * 178 NSS_CMSMessage_GetContent(NSSCMSMessage *cmsg); 179 180 /* 181 * NSS_CMSMessage_ContentLevelCount - count number of levels of CMS content objects in this message 182 * 183 * CMS data content objects do not count. 184 */ 185 extern int 186 NSS_CMSMessage_ContentLevelCount(NSSCMSMessage *cmsg); 187 188 /* 189 * NSS_CMSMessage_ContentLevel - find content level #n 190 * 191 * CMS data content objects do not count. 192 */ 193 extern NSSCMSContentInfo * 194 NSS_CMSMessage_ContentLevel(NSSCMSMessage *cmsg, int n); 195 196 /* 197 * NSS_CMSMessage_ContainsCertsOrCrls - see if message contains certs along the way 198 */ 199 extern PRBool 200 NSS_CMSMessage_ContainsCertsOrCrls(NSSCMSMessage *cmsg); 201 202 /* 203 * NSS_CMSMessage_IsEncrypted - see if message contains a encrypted submessage 204 */ 205 extern PRBool 206 NSS_CMSMessage_IsEncrypted(NSSCMSMessage *cmsg); 207 208 /* 209 * NSS_CMSMessage_IsSigned - see if message contains a signed submessage 210 * 211 * If the CMS message has a SignedData with a signature (not just a SignedData) 212 * return true; false otherwise. This can/should be called before calling 213 * VerifySignature, which will always indicate failure if no signature is 214 * present, but that does not mean there even was a signature! 215 * Note that the content itself can be empty (detached content was sent 216 * another way); it is the presence of the signature that matters. 217 */ 218 extern PRBool 219 NSS_CMSMessage_IsSigned(NSSCMSMessage *cmsg); 220 221 /* 222 * NSS_CMSMessage_IsContentEmpty - see if content is empty 223 * 224 * returns PR_TRUE is innermost content length is < minLen 225 * XXX need the encrypted content length (why?) 226 */ 227 extern PRBool 228 NSS_CMSMessage_IsContentEmpty(NSSCMSMessage *cmsg, unsigned int minLen); 229 230 /************************************************************************ 231 * cmscinfo.c - CMS contentInfo methods 232 ************************************************************************/ 233 234 /* 235 * NSS_CMSContentInfo_Destroy - destroy a CMS contentInfo and all of its sub-pieces. 236 */ 237 extern void 238 NSS_CMSContentInfo_Destroy(NSSCMSContentInfo *cinfo); 239 240 /* 241 * NSS_CMSContentInfo_GetChildContentInfo - get content's contentInfo (if it exists) 242 */ 243 extern NSSCMSContentInfo * 244 NSS_CMSContentInfo_GetChildContentInfo(NSSCMSContentInfo *cinfo); 245 246 /* 247 * NSS_CMSContentInfo_SetContent - set cinfo's content type & content to CMS object 248 */ 249 extern SECStatus 250 NSS_CMSContentInfo_SetContent(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, SECOidTag type, void *ptr); 251 252 /* 253 * NSS_CMSContentInfo_SetContent_XXXX - typesafe wrappers for NSS_CMSContentInfo_SetType 254 * set cinfo's content type & content to CMS object 255 */ 256 extern SECStatus 257 NSS_CMSContentInfo_SetContent_Data(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, SECItem *data, PRBool detached); 258 259 extern SECStatus 260 NSS_CMSContentInfo_SetContent_SignedData(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, NSSCMSSignedData *sigd); 261 262 extern SECStatus 263 NSS_CMSContentInfo_SetContent_EnvelopedData(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, NSSCMSEnvelopedData *envd); 264 265 extern SECStatus 266 NSS_CMSContentInfo_SetContent_DigestedData(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, NSSCMSDigestedData *digd); 267 268 extern SECStatus 269 NSS_CMSContentInfo_SetContent_EncryptedData(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, NSSCMSEncryptedData *encd); 270 271 /* 272 * turn off streaming for this content type. 273 * This could fail with SEC_ERROR_NO_MEMORY in memory constrained conditions. 274 */ 275 extern SECStatus 276 NSS_CMSContentInfo_SetDontStream(NSSCMSContentInfo *cinfo, PRBool dontStream); 277 278 /* 279 * NSS_CMSContentInfo_GetContent - get pointer to inner content 280 * 281 * needs to be casted... 282 */ 283 extern void * 284 NSS_CMSContentInfo_GetContent(NSSCMSContentInfo *cinfo); 285 286 /* 287 * NSS_CMSContentInfo_GetInnerContent - get pointer to innermost content 288 * 289 * this is typically only called by NSS_CMSMessage_GetContent() 290 */ 291 extern SECItem * 292 NSS_CMSContentInfo_GetInnerContent(NSSCMSContentInfo *cinfo); 293 294 /* 295 * NSS_CMSContentInfo_GetContentType{Tag,OID} - find out (saving pointer to lookup result 296 * for future reference) and return the inner content type. 297 */ 298 extern SECOidTag 299 NSS_CMSContentInfo_GetContentTypeTag(NSSCMSContentInfo *cinfo); 300 301 extern SECItem * 302 NSS_CMSContentInfo_GetContentTypeOID(NSSCMSContentInfo *cinfo); 303 304 /* 305 * NSS_CMSContentInfo_GetContentEncAlgTag - find out (saving pointer to lookup result 306 * for future reference) and return the content encryption algorithm tag. 307 */ 308 extern SECOidTag 309 NSS_CMSContentInfo_GetContentEncAlgTag(NSSCMSContentInfo *cinfo); 310 311 /* 312 * NSS_CMSContentInfo_GetContentEncAlg - find out and return the content encryption algorithm tag. 313 */ 314 extern SECAlgorithmID * 315 NSS_CMSContentInfo_GetContentEncAlg(NSSCMSContentInfo *cinfo); 316 317 extern SECStatus 318 NSS_CMSContentInfo_SetContentEncAlg(PLArenaPool *poolp, NSSCMSContentInfo *cinfo, 319 SECOidTag bulkalgtag, SECItem *parameters, int keysize); 320 321 extern SECStatus 322 NSS_CMSContentInfo_SetContentEncAlgID(PLArenaPool *poolp, NSSCMSContentInfo *cinfo, 323 SECAlgorithmID *algid, int keysize); 324 325 extern void 326 NSS_CMSContentInfo_SetBulkKey(NSSCMSContentInfo *cinfo, PK11SymKey *bulkkey); 327 328 extern PK11SymKey * 329 NSS_CMSContentInfo_GetBulkKey(NSSCMSContentInfo *cinfo); 330 331 extern int 332 NSS_CMSContentInfo_GetBulkKeySize(NSSCMSContentInfo *cinfo); 333 334 /************************************************************************ 335 * cmsutil.c - CMS misc utility functions 336 ************************************************************************/ 337 338 /* 339 * NSS_CMSArray_SortByDER - sort array of objects by objects' DER encoding 340 * 341 * make sure that the order of the objects guarantees valid DER (which must be 342 * in lexigraphically ascending order for a SET OF); if reordering is necessary it 343 * will be done in place (in objs). 344 */ 345 extern SECStatus 346 NSS_CMSArray_SortByDER(void **objs, const SEC_ASN1Template *objtemplate, void **objs2); 347 348 /* 349 * NSS_CMSUtil_DERCompare - for use with NSS_CMSArray_Sort to 350 * sort arrays of SECItems containing DER 351 */ 352 extern int 353 NSS_CMSUtil_DERCompare(void *a, void *b); 354 355 /* 356 * NSS_CMSAlgArray_GetIndexByAlgID - find a specific algorithm in an array of 357 * algorithms. 358 * 359 * algorithmArray - array of algorithm IDs 360 * algid - algorithmid of algorithm to pick 361 * 362 * Returns: 363 * An integer containing the index of the algorithm in the array or -1 if 364 * algorithm was not found. 365 */ 366 extern int 367 NSS_CMSAlgArray_GetIndexByAlgID(SECAlgorithmID **algorithmArray, SECAlgorithmID *algid); 368 369 /* 370 * NSS_CMSAlgArray_GetIndexByAlgID - find a specific algorithm in an array of 371 * algorithms. 372 * 373 * algorithmArray - array of algorithm IDs 374 * algiddata - id of algorithm to pick 375 * 376 * Returns: 377 * An integer containing the index of the algorithm in the array or -1 if 378 * algorithm was not found. 379 */ 380 extern int 381 NSS_CMSAlgArray_GetIndexByAlgTag(SECAlgorithmID **algorithmArray, SECOidTag algtag); 382 383 extern const SECHashObject * 384 NSS_CMSUtil_GetHashObjByAlgID(SECAlgorithmID *algid); 385 386 extern const SEC_ASN1Template * 387 NSS_CMSUtil_GetTemplateByTypeTag(SECOidTag type); 388 389 extern size_t 390 NSS_CMSUtil_GetSizeByTypeTag(SECOidTag type); 391 392 extern NSSCMSContentInfo * 393 NSS_CMSContent_GetContentInfo(void *msg, SECOidTag type); 394 395 extern const char * 396 NSS_CMSUtil_VerificationStatusToString(NSSCMSVerificationStatus vs); 397 398 /************************************************************************ 399 * cmssigdata.c - CMS signedData methods 400 ************************************************************************/ 401 402 extern NSSCMSSignedData * 403 NSS_CMSSignedData_Create(NSSCMSMessage *cmsg); 404 405 extern void 406 NSS_CMSSignedData_Destroy(NSSCMSSignedData *sigd); 407 408 /* 409 * NSS_CMSSignedData_Encode_BeforeStart - do all the necessary things to a SignedData 410 * before start of encoding. 411 * 412 * In detail: 413 * - find out about the right value to put into sigd->version 414 * - come up with a list of digestAlgorithms (which should be the union of the algorithms 415 * in the signerinfos). 416 * If we happen to have a pre-set list of algorithms (and digest values!), we 417 * check if we have all the signerinfos' algorithms. If not, this is an error. 418 */ 419 extern SECStatus 420 NSS_CMSSignedData_Encode_BeforeStart(NSSCMSSignedData *sigd); 421 422 extern SECStatus 423 NSS_CMSSignedData_Encode_BeforeData(NSSCMSSignedData *sigd); 424 425 /* 426 * NSS_CMSSignedData_Encode_AfterData - do all the necessary things to a SignedData 427 * after all the encapsulated data was passed through the encoder. 428 * 429 * In detail: 430 * - create the signatures in all the SignerInfos 431 * 432 * Please note that nothing is done to the Certificates and CRLs in the message - this 433 * is entirely the responsibility of our callers. 434 */ 435 extern SECStatus 436 NSS_CMSSignedData_Encode_AfterData(NSSCMSSignedData *sigd); 437 438 extern SECStatus 439 NSS_CMSSignedData_Decode_BeforeData(NSSCMSSignedData *sigd); 440 441 /* 442 * NSS_CMSSignedData_Decode_AfterData - do all the necessary things to a SignedData 443 * after all the encapsulated data was passed through the decoder. 444 */ 445 extern SECStatus 446 NSS_CMSSignedData_Decode_AfterData(NSSCMSSignedData *sigd); 447 448 /* 449 * NSS_CMSSignedData_Decode_AfterEnd - do all the necessary things to a SignedData 450 * after all decoding is finished. 451 */ 452 extern SECStatus 453 NSS_CMSSignedData_Decode_AfterEnd(NSSCMSSignedData *sigd); 454 455 /* 456 * NSS_CMSSignedData_GetSignerInfos - retrieve the SignedData's signer list 457 */ 458 extern NSSCMSSignerInfo ** 459 NSS_CMSSignedData_GetSignerInfos(NSSCMSSignedData *sigd); 460 461 extern int 462 NSS_CMSSignedData_SignerInfoCount(NSSCMSSignedData *sigd); 463 464 extern NSSCMSSignerInfo * 465 NSS_CMSSignedData_GetSignerInfo(NSSCMSSignedData *sigd, int i); 466 467 /* 468 * NSS_CMSSignedData_GetDigestAlgs - retrieve the SignedData's digest algorithm list 469 */ 470 extern SECAlgorithmID ** 471 NSS_CMSSignedData_GetDigestAlgs(NSSCMSSignedData *sigd); 472 473 /* 474 * NSS_CMSSignedData_GetContentInfo - return pointer to this signedData's contentinfo 475 */ 476 extern NSSCMSContentInfo * 477 NSS_CMSSignedData_GetContentInfo(NSSCMSSignedData *sigd); 478 479 /* 480 * NSS_CMSSignedData_GetCertificateList - retrieve the SignedData's certificate list 481 */ 482 extern SECItem ** 483 NSS_CMSSignedData_GetCertificateList(NSSCMSSignedData *sigd); 484 485 extern SECStatus 486 NSS_CMSSignedData_ImportCerts(NSSCMSSignedData *sigd, CERTCertDBHandle *certdb, 487 SECCertUsage certusage, PRBool keepcerts); 488 489 /* 490 * NSS_CMSSignedData_HasDigests - see if we have digests in place 491 */ 492 extern PRBool 493 NSS_CMSSignedData_HasDigests(NSSCMSSignedData *sigd); 494 495 /* 496 * NSS_CMSSignedData_VerifySignerInfo - check a signature. 497 * 498 * The digests were either calculated during decoding (and are stored in the 499 * signedData itself) or set after decoding using NSS_CMSSignedData_SetDigests. 500 * 501 * The verification checks if the signing cert is valid and has a trusted chain 502 * for the purpose specified by "certusage". 503 */ 504 extern SECStatus 505 NSS_CMSSignedData_VerifySignerInfo(NSSCMSSignedData *sigd, int i, CERTCertDBHandle *certdb, 506 SECCertUsage certusage); 507 508 /* 509 * NSS_CMSSignedData_VerifyCertsOnly - verify the certs in a certs-only message 510 */ 511 extern SECStatus 512 NSS_CMSSignedData_VerifyCertsOnly(NSSCMSSignedData *sigd, 513 CERTCertDBHandle *certdb, 514 SECCertUsage usage); 515 516 extern SECStatus 517 NSS_CMSSignedData_AddCertList(NSSCMSSignedData *sigd, CERTCertificateList *certlist); 518 519 /* 520 * NSS_CMSSignedData_AddCertChain - add cert and its entire chain to the set of certs 521 */ 522 extern SECStatus 523 NSS_CMSSignedData_AddCertChain(NSSCMSSignedData *sigd, CERTCertificate *cert); 524 525 extern SECStatus 526 NSS_CMSSignedData_AddCertificate(NSSCMSSignedData *sigd, CERTCertificate *cert); 527 528 extern PRBool 529 NSS_CMSSignedData_ContainsCertsOrCrls(NSSCMSSignedData *sigd); 530 531 extern SECStatus 532 NSS_CMSSignedData_AddSignerInfo(NSSCMSSignedData *sigd, 533 NSSCMSSignerInfo *signerinfo); 534 535 extern SECStatus 536 NSS_CMSSignedData_SetDigests(NSSCMSSignedData *sigd, 537 SECAlgorithmID **digestalgs, 538 SECItem **digests); 539 540 extern SECStatus 541 NSS_CMSSignedData_SetDigestValue(NSSCMSSignedData *sigd, 542 SECOidTag digestalgtag, 543 SECItem *digestdata); 544 545 extern SECStatus 546 NSS_CMSSignedData_AddDigest(PLArenaPool *poolp, 547 NSSCMSSignedData *sigd, 548 SECOidTag digestalgtag, 549 SECItem *digest); 550 551 extern SECItem * 552 NSS_CMSSignedData_GetDigestValue(NSSCMSSignedData *sigd, SECOidTag digestalgtag); 553 554 /* 555 * NSS_CMSSignedData_CreateCertsOnly - create a certs-only SignedData. 556 * 557 * cert - base certificates that will be included 558 * include_chain - if true, include the complete cert chain for cert 559 * 560 * More certs and chains can be added via AddCertificate and AddCertChain. 561 * 562 * An error results in a return value of NULL and an error set. 563 */ 564 extern NSSCMSSignedData * 565 NSS_CMSSignedData_CreateCertsOnly(NSSCMSMessage *cmsg, CERTCertificate *cert, PRBool include_chain); 566 567 /************************************************************************ 568 * cmssiginfo.c - signerinfo methods 569 ************************************************************************/ 570 571 extern NSSCMSSignerInfo * 572 NSS_CMSSignerInfo_Create(NSSCMSMessage *cmsg, CERTCertificate *cert, SECOidTag digestalgtag); 573 extern NSSCMSSignerInfo * 574 NSS_CMSSignerInfo_CreateWithSubjKeyID(NSSCMSMessage *cmsg, SECItem *subjKeyID, SECKEYPublicKey *pubKey, SECKEYPrivateKey *signingKey, SECOidTag digestalgtag); 575 576 /* 577 * NSS_CMSSignerInfo_Destroy - destroy a SignerInfo data structure 578 */ 579 extern void 580 NSS_CMSSignerInfo_Destroy(NSSCMSSignerInfo *si); 581 582 /* 583 * NSS_CMSSignerInfo_Sign - sign something 584 * 585 */ 586 extern SECStatus 587 NSS_CMSSignerInfo_Sign(NSSCMSSignerInfo *signerinfo, SECItem *digest, SECItem *contentType); 588 589 extern SECStatus 590 NSS_CMSSignerInfo_VerifyCertificate(NSSCMSSignerInfo *signerinfo, CERTCertDBHandle *certdb, 591 SECCertUsage certusage); 592 593 /* 594 * NSS_CMSSignerInfo_Verify - verify the signature of a single SignerInfo 595 * 596 * Just verifies the signature. The assumption is that verification of the certificate 597 * is done already. 598 */ 599 extern SECStatus 600 NSS_CMSSignerInfo_Verify(NSSCMSSignerInfo *signerinfo, SECItem *digest, SECItem *contentType); 601 602 extern NSSCMSVerificationStatus 603 NSS_CMSSignerInfo_GetVerificationStatus(NSSCMSSignerInfo *signerinfo); 604 605 extern SECOidData * 606 NSS_CMSSignerInfo_GetDigestAlg(NSSCMSSignerInfo *signerinfo); 607 608 extern SECOidTag 609 NSS_CMSSignerInfo_GetDigestAlgTag(NSSCMSSignerInfo *signerinfo); 610 611 extern int 612 NSS_CMSSignerInfo_GetVersion(NSSCMSSignerInfo *signerinfo); 613 614 extern CERTCertificateList * 615 NSS_CMSSignerInfo_GetCertList(NSSCMSSignerInfo *signerinfo); 616 617 /* 618 * NSS_CMSSignerInfo_GetSigningTime - return the signing time, 619 * in UTCTime format, of a CMS signerInfo. 620 * 621 * sinfo - signerInfo data for this signer 622 * 623 * Returns a pointer to XXXX (what?) 624 * A return value of NULL is an error. 625 */ 626 extern SECStatus 627 NSS_CMSSignerInfo_GetSigningTime(NSSCMSSignerInfo *sinfo, PRTime *stime); 628 629 /* 630 * Return the signing cert of a CMS signerInfo. 631 * 632 * the certs in the enclosing SignedData must have been imported already 633 */ 634 extern CERTCertificate * 635 NSS_CMSSignerInfo_GetSigningCertificate(NSSCMSSignerInfo *signerinfo, CERTCertDBHandle *certdb); 636 637 /* 638 * NSS_CMSSignerInfo_GetSignerCommonName - return the common name of the signer 639 * 640 * sinfo - signerInfo data for this signer 641 * 642 * Returns a pointer to allocated memory, which must be freed with PORT_Free. 643 * A return value of NULL is an error. 644 */ 645 extern char * 646 NSS_CMSSignerInfo_GetSignerCommonName(NSSCMSSignerInfo *sinfo); 647 648 /* 649 * NSS_CMSSignerInfo_GetSignerEmailAddress - return the common name of the signer 650 * 651 * sinfo - signerInfo data for this signer 652 * 653 * Returns a pointer to allocated memory, which must be freed. 654 * A return value of NULL is an error. 655 */ 656 extern char * 657 NSS_CMSSignerInfo_GetSignerEmailAddress(NSSCMSSignerInfo *sinfo); 658 659 /* 660 * NSS_CMSSignerInfo_AddAuthAttr - add an attribute to the 661 * authenticated (i.e. signed) attributes of "signerinfo". 662 */ 663 extern SECStatus 664 NSS_CMSSignerInfo_AddAuthAttr(NSSCMSSignerInfo *signerinfo, NSSCMSAttribute *attr); 665 666 /* 667 * NSS_CMSSignerInfo_AddUnauthAttr - add an attribute to the 668 * unauthenticated attributes of "signerinfo". 669 */ 670 extern SECStatus 671 NSS_CMSSignerInfo_AddUnauthAttr(NSSCMSSignerInfo *signerinfo, NSSCMSAttribute *attr); 672 673 /* 674 * NSS_CMSSignerInfo_AddSigningTime - add the signing time to the 675 * authenticated (i.e. signed) attributes of "signerinfo". 676 * 677 * This is expected to be included in outgoing signed 678 * messages for email (S/MIME) but is likely useful in other situations. 679 * 680 * This should only be added once; a second call will do nothing. 681 * 682 * XXX This will probably just shove the current time into "signerinfo" 683 * but it will not actually get signed until the entire item is 684 * processed for encoding. Is this (expected to be small) delay okay? 685 */ 686 extern SECStatus 687 NSS_CMSSignerInfo_AddSigningTime(NSSCMSSignerInfo *signerinfo, PRTime t); 688 689 /* 690 * NSS_CMSSignerInfo_AddSMIMECaps - add a SMIMECapabilities attribute to the 691 * authenticated (i.e. signed) attributes of "signerinfo". 692 * 693 * This is expected to be included in outgoing signed 694 * messages for email (S/MIME). 695 */ 696 extern SECStatus 697 NSS_CMSSignerInfo_AddSMIMECaps(NSSCMSSignerInfo *signerinfo); 698 699 /* 700 * NSS_CMSSignerInfo_AddSMIMEEncKeyPrefs - add a SMIMEEncryptionKeyPreferences attribute to the 701 * authenticated (i.e. signed) attributes of "signerinfo". 702 * 703 * This is expected to be included in outgoing signed messages for email (S/MIME). 704 */ 705 SECStatus 706 NSS_CMSSignerInfo_AddSMIMEEncKeyPrefs(NSSCMSSignerInfo *signerinfo, CERTCertificate *cert, CERTCertDBHandle *certdb); 707 708 /* 709 * NSS_CMSSignerInfo_AddMSSMIMEEncKeyPrefs - add a SMIMEEncryptionKeyPreferences attribute to the 710 * authenticated (i.e. signed) attributes of "signerinfo", using the OID preferred by Microsoft. 711 * 712 * This is expected to be included in outgoing signed messages for email (S/MIME), 713 * if compatibility with Microsoft mail clients is wanted. 714 */ 715 SECStatus 716 NSS_CMSSignerInfo_AddMSSMIMEEncKeyPrefs(NSSCMSSignerInfo *signerinfo, CERTCertificate *cert, CERTCertDBHandle *certdb); 717 718 /* 719 * NSS_CMSSignerInfo_AddCounterSignature - countersign a signerinfo 720 */ 721 extern SECStatus 722 NSS_CMSSignerInfo_AddCounterSignature(NSSCMSSignerInfo *signerinfo, 723 SECOidTag digestalg, CERTCertificate signingcert); 724 725 /* 726 * XXXX the following needs to be done in the S/MIME layer code 727 * after signature of a signerinfo is verified 728 */ 729 extern SECStatus 730 NSS_SMIMESignerInfo_SaveSMIMEProfile(NSSCMSSignerInfo *signerinfo); 731 732 /* 733 * NSS_CMSSignerInfo_IncludeCerts - set cert chain inclusion mode for this signer 734 */ 735 extern SECStatus 736 NSS_CMSSignerInfo_IncludeCerts(NSSCMSSignerInfo *signerinfo, NSSCMSCertChainMode cm, SECCertUsage usage); 737 738 /************************************************************************ 739 * cmsenvdata.c - CMS envelopedData methods 740 ************************************************************************/ 741 742 /* 743 * NSS_CMSEnvelopedData_Create - create an enveloped data message 744 */ 745 extern NSSCMSEnvelopedData * 746 NSS_CMSEnvelopedData_Create(NSSCMSMessage *cmsg, SECOidTag algorithm, int keysize); 747 748 /* 749 * NSS_CMSEnvelopedData_Destroy - destroy an enveloped data message 750 */ 751 extern void 752 NSS_CMSEnvelopedData_Destroy(NSSCMSEnvelopedData *edp); 753 754 /* 755 * NSS_CMSEnvelopedData_GetContentInfo - return pointer to this envelopedData's contentinfo 756 */ 757 extern NSSCMSContentInfo * 758 NSS_CMSEnvelopedData_GetContentInfo(NSSCMSEnvelopedData *envd); 759 760 /* 761 * NSS_CMSEnvelopedData_AddRecipient - add a recipientinfo to the enveloped data msg 762 * 763 * rip must be created on the same pool as edp - this is not enforced, though. 764 */ 765 extern SECStatus 766 NSS_CMSEnvelopedData_AddRecipient(NSSCMSEnvelopedData *edp, NSSCMSRecipientInfo *rip); 767 768 /* 769 * NSS_CMSEnvelopedData_Encode_BeforeStart - prepare this envelopedData for encoding 770 * 771 * at this point, we need 772 * - recipientinfos set up with recipient's certificates 773 * - a content encryption algorithm (if none, 3DES will be used) 774 * 775 * this function will generate a random content encryption key (aka bulk key), 776 * initialize the recipientinfos with certificate identification and wrap the bulk key 777 * using the proper algorithm for every certificiate. 778 * it will finally set the bulk algorithm and key so that the encode step can find it. 779 */ 780 extern SECStatus 781 NSS_CMSEnvelopedData_Encode_BeforeStart(NSSCMSEnvelopedData *envd); 782 783 /* 784 * NSS_CMSEnvelopedData_Encode_BeforeData - set up encryption 785 */ 786 extern SECStatus 787 NSS_CMSEnvelopedData_Encode_BeforeData(NSSCMSEnvelopedData *envd); 788 789 /* 790 * NSS_CMSEnvelopedData_Encode_AfterData - finalize this envelopedData for encoding 791 */ 792 extern SECStatus 793 NSS_CMSEnvelopedData_Encode_AfterData(NSSCMSEnvelopedData *envd); 794 795 /* 796 * NSS_CMSEnvelopedData_Decode_BeforeData - find our recipientinfo, 797 * derive bulk key & set up our contentinfo 798 */ 799 extern SECStatus 800 NSS_CMSEnvelopedData_Decode_BeforeData(NSSCMSEnvelopedData *envd); 801 802 /* 803 * NSS_CMSEnvelopedData_Decode_AfterData - finish decrypting this envelopedData's content 804 */ 805 extern SECStatus 806 NSS_CMSEnvelopedData_Decode_AfterData(NSSCMSEnvelopedData *envd); 807 808 /* 809 * NSS_CMSEnvelopedData_Decode_AfterEnd - finish decoding this envelopedData 810 */ 811 extern SECStatus 812 NSS_CMSEnvelopedData_Decode_AfterEnd(NSSCMSEnvelopedData *envd); 813 814 /************************************************************************ 815 * cmsrecinfo.c - CMS recipientInfo methods 816 ************************************************************************/ 817 818 /* 819 * NSS_CMSRecipientInfo_Create - create a recipientinfo 820 * 821 * we currently do not create KeyAgreement recipientinfos with multiple recipientEncryptedKeys 822 * the certificate is supposed to have been verified by the caller 823 */ 824 extern NSSCMSRecipientInfo * 825 NSS_CMSRecipientInfo_Create(NSSCMSMessage *cmsg, CERTCertificate *cert); 826 827 extern NSSCMSRecipientInfo * 828 NSS_CMSRecipientInfo_CreateWithSubjKeyID(NSSCMSMessage *cmsg, 829 SECItem *subjKeyID, 830 SECKEYPublicKey *pubKey); 831 832 extern NSSCMSRecipientInfo * 833 NSS_CMSRecipientInfo_CreateWithSubjKeyIDFromCert(NSSCMSMessage *cmsg, 834 CERTCertificate *cert); 835 836 /* 837 * NSS_CMSRecipientInfo_CreateNew - create a blank recipientinfo for 838 * applications which want to encode their own CMS structures and 839 * key exchange types. 840 */ 841 extern NSSCMSRecipientInfo * 842 NSS_CMSRecipientInfo_CreateNew(void *pwfn_arg); 843 844 /* 845 * NSS_CMSRecipientInfo_CreateFromDER - create a recipientinfo from partially 846 * decoded DER data for applications which want to encode their own CMS 847 * structures and key exchange types. 848 */ 849 extern NSSCMSRecipientInfo * 850 NSS_CMSRecipientInfo_CreateFromDER(SECItem *input, void *pwfn_arg); 851 852 extern void 853 NSS_CMSRecipientInfo_Destroy(NSSCMSRecipientInfo *ri); 854 855 /* 856 * NSS_CMSRecipientInfo_GetCertAndKey - retrieve the cert and key from the 857 * recipientInfo struct. If retcert or retkey are NULL, the cert or 858 * key (respectively) would not be returned). This function is a no-op if both 859 * retcert and retkey are NULL. Caller inherits ownership of the cert and key 860 * he requested (and is responsible to free them). 861 */ 862 SECStatus NSS_CMSRecipientInfo_GetCertAndKey(NSSCMSRecipientInfo *ri, 863 CERTCertificate **retcert, 864 SECKEYPrivateKey **retkey); 865 866 extern int 867 NSS_CMSRecipientInfo_GetVersion(NSSCMSRecipientInfo *ri); 868 869 extern SECItem * 870 NSS_CMSRecipientInfo_GetEncryptedKey(NSSCMSRecipientInfo *ri, int subIndex); 871 872 /* 873 * NSS_CMSRecipientInfo_Encode - encode an NSS_CMSRecipientInfo as ASN.1 874 */ 875 SECStatus NSS_CMSRecipientInfo_Encode(PLArenaPool *poolp, 876 const NSSCMSRecipientInfo *src, 877 SECItem *returned); 878 879 extern SECOidTag 880 NSS_CMSRecipientInfo_GetKeyEncryptionAlgorithmTag(NSSCMSRecipientInfo *ri); 881 882 extern SECStatus 883 NSS_CMSRecipientInfo_WrapBulkKey(NSSCMSRecipientInfo *ri, PK11SymKey *bulkkey, 884 SECOidTag bulkalgtag); 885 886 extern PK11SymKey * 887 NSS_CMSRecipientInfo_UnwrapBulkKey(NSSCMSRecipientInfo *ri, int subIndex, 888 CERTCertificate *cert, SECKEYPrivateKey *privkey, 889 SECOidTag bulkalgtag); 890 891 /************************************************************************ 892 * cmsencdata.c - CMS encryptedData methods 893 ************************************************************************/ 894 /* 895 * NSS_CMSEncryptedData_Create - create an empty encryptedData object. 896 * 897 * "algorithm" specifies the bulk encryption algorithm to use. 898 * "keysize" is the key size. 899 * 900 * An error results in a return value of NULL and an error set. 901 * (Retrieve specific errors via PORT_GetError()/XP_GetError().) 902 */ 903 extern NSSCMSEncryptedData * 904 NSS_CMSEncryptedData_Create(NSSCMSMessage *cmsg, SECOidTag algorithm, int keysize); 905 906 /* 907 * NSS_CMSEncryptedData_Destroy - destroy an encryptedData object 908 */ 909 extern void 910 NSS_CMSEncryptedData_Destroy(NSSCMSEncryptedData *encd); 911 912 /* 913 * NSS_CMSEncryptedData_GetContentInfo - return pointer to encryptedData object's contentInfo 914 */ 915 extern NSSCMSContentInfo * 916 NSS_CMSEncryptedData_GetContentInfo(NSSCMSEncryptedData *encd); 917 918 /* 919 * NSS_CMSEncryptedData_Encode_BeforeStart - do all the necessary things to a EncryptedData 920 * before encoding begins. 921 * 922 * In particular: 923 * - set the correct version value. 924 * - get the encryption key 925 */ 926 extern SECStatus 927 NSS_CMSEncryptedData_Encode_BeforeStart(NSSCMSEncryptedData *encd); 928 929 /* 930 * NSS_CMSEncryptedData_Encode_BeforeData - set up encryption 931 */ 932 extern SECStatus 933 NSS_CMSEncryptedData_Encode_BeforeData(NSSCMSEncryptedData *encd); 934 935 /* 936 * NSS_CMSEncryptedData_Encode_AfterData - finalize this encryptedData for encoding 937 */ 938 extern SECStatus 939 NSS_CMSEncryptedData_Encode_AfterData(NSSCMSEncryptedData *encd); 940 941 /* 942 * NSS_CMSEncryptedData_Decode_BeforeData - find bulk key & set up decryption 943 */ 944 extern SECStatus 945 NSS_CMSEncryptedData_Decode_BeforeData(NSSCMSEncryptedData *encd); 946 947 /* 948 * NSS_CMSEncryptedData_Decode_AfterData - finish decrypting this encryptedData's content 949 */ 950 extern SECStatus 951 NSS_CMSEncryptedData_Decode_AfterData(NSSCMSEncryptedData *encd); 952 953 /* 954 * NSS_CMSEncryptedData_Decode_AfterEnd - finish decoding this encryptedData 955 */ 956 extern SECStatus 957 NSS_CMSEncryptedData_Decode_AfterEnd(NSSCMSEncryptedData *encd); 958 959 /************************************************************************ 960 * cmsdigdata.c - CMS encryptedData methods 961 ************************************************************************/ 962 /* 963 * NSS_CMSDigestedData_Create - create a digestedData object (presumably for encoding) 964 * 965 * version will be set by NSS_CMSDigestedData_Encode_BeforeStart 966 * digestAlg is passed as parameter 967 * contentInfo must be filled by the user 968 * digest will be calculated while encoding 969 */ 970 extern NSSCMSDigestedData * 971 NSS_CMSDigestedData_Create(NSSCMSMessage *cmsg, SECAlgorithmID *digestalg); 972 973 /* 974 * NSS_CMSDigestedData_Destroy - destroy a digestedData object 975 */ 976 extern void 977 NSS_CMSDigestedData_Destroy(NSSCMSDigestedData *digd); 978 979 /* 980 * NSS_CMSDigestedData_GetContentInfo - return pointer to digestedData object's contentInfo 981 */ 982 extern NSSCMSContentInfo * 983 NSS_CMSDigestedData_GetContentInfo(NSSCMSDigestedData *digd); 984 985 /* 986 * NSS_CMSDigestedData_Encode_BeforeStart - do all the necessary things to a DigestedData 987 * before encoding begins. 988 * 989 * In particular: 990 * - set the right version number. The contentInfo's content type must be set up already. 991 */ 992 extern SECStatus 993 NSS_CMSDigestedData_Encode_BeforeStart(NSSCMSDigestedData *digd); 994 995 /* 996 * NSS_CMSDigestedData_Encode_BeforeData - do all the necessary things to a DigestedData 997 * before the encapsulated data is passed through the encoder. 998 * 999 * In detail: 1000 * - set up the digests if necessary 1001 */ 1002 extern SECStatus 1003 NSS_CMSDigestedData_Encode_BeforeData(NSSCMSDigestedData *digd); 1004 1005 /* 1006 * NSS_CMSDigestedData_Encode_AfterData - do all the necessary things to a DigestedData 1007 * after all the encapsulated data was passed through the encoder. 1008 * 1009 * In detail: 1010 * - finish the digests 1011 */ 1012 extern SECStatus 1013 NSS_CMSDigestedData_Encode_AfterData(NSSCMSDigestedData *digd); 1014 1015 /* 1016 * NSS_CMSDigestedData_Decode_BeforeData - do all the necessary things to a DigestedData 1017 * before the encapsulated data is passed through the encoder. 1018 * 1019 * In detail: 1020 * - set up the digests if necessary 1021 */ 1022 extern SECStatus 1023 NSS_CMSDigestedData_Decode_BeforeData(NSSCMSDigestedData *digd); 1024 1025 /* 1026 * NSS_CMSDigestedData_Decode_AfterData - do all the necessary things to a DigestedData 1027 * after all the encapsulated data was passed through the encoder. 1028 * 1029 * In detail: 1030 * - finish the digests 1031 */ 1032 extern SECStatus 1033 NSS_CMSDigestedData_Decode_AfterData(NSSCMSDigestedData *digd); 1034 1035 /* 1036 * NSS_CMSDigestedData_Decode_AfterEnd - finalize a digestedData. 1037 * 1038 * In detail: 1039 * - check the digests for equality 1040 */ 1041 extern SECStatus 1042 NSS_CMSDigestedData_Decode_AfterEnd(NSSCMSDigestedData *digd); 1043 1044 /************************************************************************ 1045 * cmsdigest.c - digestion routines 1046 ************************************************************************/ 1047 1048 /* 1049 * NSS_CMSDigestContext_StartMultiple - start digest calculation using all the 1050 * digest algorithms in "digestalgs" in parallel. 1051 */ 1052 extern NSSCMSDigestContext * 1053 NSS_CMSDigestContext_StartMultiple(SECAlgorithmID **digestalgs); 1054 1055 /* 1056 * NSS_CMSDigestContext_StartSingle - same as NSS_CMSDigestContext_StartMultiple, but 1057 * only one algorithm. 1058 */ 1059 extern NSSCMSDigestContext * 1060 NSS_CMSDigestContext_StartSingle(SECAlgorithmID *digestalg); 1061 1062 /* 1063 * NSS_CMSDigestContext_Update - feed more data into the digest machine 1064 */ 1065 extern void 1066 NSS_CMSDigestContext_Update(NSSCMSDigestContext *cmsdigcx, const unsigned char *data, int len); 1067 1068 /* 1069 * NSS_CMSDigestContext_Cancel - cancel digesting operation 1070 */ 1071 extern void 1072 NSS_CMSDigestContext_Cancel(NSSCMSDigestContext *cmsdigcx); 1073 1074 /* 1075 * NSS_CMSDigestContext_FinishMultiple - finish the digests and put them 1076 * into an array of SECItems (allocated on poolp) 1077 */ 1078 extern SECStatus 1079 NSS_CMSDigestContext_FinishMultiple(NSSCMSDigestContext *cmsdigcx, PLArenaPool *poolp, 1080 SECItem ***digestsp); 1081 1082 /* 1083 * NSS_CMSDigestContext_FinishSingle - same as NSS_CMSDigestContext_FinishMultiple, 1084 * but for one digest. 1085 */ 1086 extern SECStatus 1087 NSS_CMSDigestContext_FinishSingle(NSSCMSDigestContext *cmsdigcx, PLArenaPool *poolp, 1088 SECItem *digest); 1089 1090 /************************************************************************ 1091 * 1092 ************************************************************************/ 1093 1094 /* shortcuts for basic use */ 1095 1096 /* 1097 * NSS_CMSDEREncode - DER Encode a CMS message, with input being 1098 * the plaintext message and derOut being the output, 1099 * stored in arena's pool. 1100 */ 1101 extern SECStatus 1102 NSS_CMSDEREncode(NSSCMSMessage *cmsg, SECItem *input, SECItem *derOut, 1103 PLArenaPool *arena); 1104 1105 /************************************************************************ 1106 * 1107 ************************************************************************/ 1108 1109 /* 1110 * define new S/MIME content type entries 1111 * 1112 * S/MIME uses the builtin PKCS7 oid types for encoding and decoding the 1113 * various S/MIME content. Some applications have their own content type 1114 * which is different from the standard content type defined by S/MIME. 1115 * 1116 * This function allows you to register new content types. There are basically 1117 * Two different types of content, Wrappping content, and Data. 1118 * 1119 * For data types, All the functions below can be zero or NULL excext 1120 * type and is isData, which should be your oid tag and PR_FALSE respectively 1121 * 1122 * For wrapping types, everything must be provided, or you will get encoder 1123 * failures. 1124 * 1125 * If NSS doesn't already define the OID that you need, you can register 1126 * your own with SECOID_AddEntry. 1127 * 1128 * Once you have defined your new content type, you can pass your new content 1129 * type to NSS_CMSContentInfo_SetContent(). 1130 * 1131 * If you are using a wrapping type you can pass your own data structure in 1132 * the ptr field, but it must contain and embedded NSSCMSGenericWrappingData 1133 * structure as the first element. The size you pass to 1134 * NSS_CMSType_RegisterContentType is the total size of your self defined 1135 * data structure. NSS_CMSContentInfo_GetContent will return that data 1136 * structure from the content info. Your ASN1Template will be evaluated 1137 * against that data structure. 1138 */ 1139 SECStatus NSS_CMSType_RegisterContentType(SECOidTag type, 1140 SEC_ASN1Template *asn1Template, size_t size, 1141 NSSCMSGenericWrapperDataDestroy destroy, 1142 NSSCMSGenericWrapperDataCallback decode_before, 1143 NSSCMSGenericWrapperDataCallback decode_after, 1144 NSSCMSGenericWrapperDataCallback decode_end, 1145 NSSCMSGenericWrapperDataCallback encode_start, 1146 NSSCMSGenericWrapperDataCallback encode_before, 1147 NSSCMSGenericWrapperDataCallback encode_after, 1148 PRBool isData); 1149 1150 /************************************************************************/ 1151 SEC_END_PROTOS 1152 1153 #endif /* _CMS_H_ */ 1154