nsresult
VerifyCMSDetachedSignatureIncludingCertificate(
const SECItem& buffer, const SECItem& detachedDigest,
nsresult (*verifyCertificate)(CERTCertificate* cert, void* context,
void* pinArg),
void *verifyCertificateContext, void* pinArg)
{
// XXX: missing pinArg is tolerated.
if (NS_WARN_IF(!buffer.data && buffer.len > 0) ||
NS_WARN_IF(!detachedDigest.data && detachedDigest.len > 0) ||
(!verifyCertificate) ||
NS_WARN_IF(!verifyCertificateContext)) {
return NS_ERROR_INVALID_ARG;
}
ScopedNSSCMSMessage
cmsMsg(NSS_CMSMessage_CreateFromDER(const_cast<SECItem*>(&buffer), nullptr,
nullptr, nullptr, nullptr, nullptr,
nullptr));
if (!cmsMsg) {
return NS_ERROR_CMS_VERIFY_ERROR_PROCESSING;
}
if (!NSS_CMSMessage_IsSigned(cmsMsg.get())) {
return NS_ERROR_CMS_VERIFY_NOT_SIGNED;
}
NSSCMSContentInfo* cinfo = NSS_CMSMessage_ContentLevel(cmsMsg.get(), 0);
if (!cinfo) {
return NS_ERROR_CMS_VERIFY_NO_CONTENT_INFO;
}
// signedData is non-owning
NSSCMSSignedData* signedData =
reinterpret_cast<NSSCMSSignedData*>(NSS_CMSContentInfo_GetContent(cinfo));
if (!signedData) {
return NS_ERROR_CMS_VERIFY_NO_CONTENT_INFO;
}
// Set digest value.
if (NSS_CMSSignedData_SetDigestValue(signedData, SEC_OID_SHA1,
const_cast<SECItem*>(&detachedDigest))) {
return NS_ERROR_CMS_VERIFY_BAD_DIGEST;
}
// Parse the certificates into CERTCertificate objects held in memory so
// verifyCertificate will be able to find them during path building.
ScopedCERTCertList certs(CERT_NewCertList());
if (!certs) {
return NS_ERROR_OUT_OF_MEMORY;
}
if (signedData->rawCerts) {
for (size_t i = 0; signedData->rawCerts[i]; ++i) {
ScopedCERTCertificate
cert(CERT_NewTempCertificate(CERT_GetDefaultCertDB(),
signedData->rawCerts[i], nullptr, false,
true));
// Skip certificates that fail to parse
if (cert) {
if (CERT_AddCertToListTail(certs.get(), cert.get()) == SECSuccess) {
cert.forget(); // ownership transfered
} else {
return NS_ERROR_OUT_OF_MEMORY;
}
}
}
}
// Get the end-entity certificate.
int numSigners = NSS_CMSSignedData_SignerInfoCount(signedData);
if (NS_WARN_IF(numSigners != 1)) {
return NS_ERROR_CMS_VERIFY_ERROR_PROCESSING;
}
// signer is non-owning.
NSSCMSSignerInfo* signer = NSS_CMSSignedData_GetSignerInfo(signedData, 0);
if (NS_WARN_IF(!signer)) {
return NS_ERROR_CMS_VERIFY_ERROR_PROCESSING;
}
CERTCertificate* signerCert =
NSS_CMSSignerInfo_GetSigningCertificate(signer, CERT_GetDefaultCertDB());
if (!signerCert) {
return NS_ERROR_CMS_VERIFY_ERROR_PROCESSING;
}
nsresult rv = verifyCertificate(signerCert, verifyCertificateContext, pinArg);
if (NS_WARN_IF(NS_FAILED(rv))) {
return rv;
}
// See NSS_CMSContentInfo_GetContentTypeOID, which isn't exported from NSS.
SECOidData* contentTypeOidData =
SECOID_FindOID(&signedData->contentInfo.contentType);
if (!contentTypeOidData) {
return NS_ERROR_CMS_VERIFY_ERROR_PROCESSING;
}
return MapSECStatus(NSS_CMSSignerInfo_Verify(signer,
const_cast<SECItem*>(&detachedDigest),
&contentTypeOidData->oid));
}
UtlBoolean SmimeBody::nssSmimeDecrypt(const char* derPkcs12,
int derPkcs12Length,
const char* pkcs12Password,
UtlBoolean dataIsInBase64Format,
const char* dataToDecrypt,
int dataToDecryptLength,
UtlString& decryptedData)
{
UtlBoolean decryptSucceeded = FALSE;
decryptedData.remove(0);
#ifdef ENABLE_NSS_SMIME
Os::Logger::instance().log(FAC_SIP, PRI_ERR, "SmimeBody::nssSmimeDecrypt not implemented");
////// BEGIN WARNING: THIS CODE HAS NOT BEEN TESTED AT ALL ///////
// allocate a temporaty slot in the database
PK11SlotInfo *slot = PK11_GetInternalKeySlot();
PRBool swapUnicode = PR_FALSE;
SEC_PKCS12DecoderContext *p12Decoder = NULL;
// Need to put the pkcs12 password into a SECItem
SECItem passwordItem;
passwordItem.data = (unsigned char*) pkcs12Password;
passwordItem.len = strlen(pkcs12Password);
SECItem uniPasswordItem;
uniPasswordItem.data = NULL;
uniPasswordItem.len = 0;
#ifdef IS_LITTLE_ENDIAN
swapUnicode = PR_TRUE;
#endif
// Allocate a temporary internal slot
slot = PK11_GetInternalSlot();
if(slot == NULL)
{
Os::Logger::instance().log(FAC_SIP, PRI_ERR, "unable to use slot in NSS dataqbase for S/MIME decryption");
}
else
{
// Do UNICODE conversion of password based upon the platform
// (not sure this is even neccessary in our application). I do not
// know how we would get unicode passwords
if(0) //P12U_UnicodeConversion(NULL, &uniPasswordItem, passwordItem, PR_TRUE,
// swapUnicode) != SECSuccess)
{
Os::Logger::instance().log(FAC_SIP, PRI_ERR,
"NSS Unicode conversion failed for PKCS12 object for S/MIME decryption");
}
else
{
// Initialze the decoder for the PKCS12 container for the private key
p12Decoder = SEC_PKCS12DecoderStart(&passwordItem, slot, NULL,
NULL, NULL, NULL, NULL, NULL);
if(!p12Decoder)
{
Os::Logger::instance().log(FAC_SIP, PRI_ERR,
"failed to initialize PKCS12 decoder to extract private key for S/MIME decryption");
}
else
{
// Add the PKCS12 data to the decoder
if(SEC_PKCS12DecoderUpdate(p12Decoder,
(unsigned char *) derPkcs12,
derPkcs12Length) != SECSuccess ||
// Validate the decoded PKCS12
SEC_PKCS12DecoderVerify(p12Decoder) != SECSuccess)
{
Os::Logger::instance().log(FAC_SIP, PRI_ERR,
"unable to decrypt PKCS12 for S/MIME decryption. Perhaps invalid PKCS12 or PKCS12 password");
}
else
{
// Import the private key and certificate from the
// decoded PKCS12 into the database
if(SEC_PKCS12DecoderImportBags(p12Decoder) != SECSuccess)
{
Os::Logger::instance().log(FAC_SIP, PRI_ERR,
"failed to import private key and certificate into NSS database");
}
else
{
// Put the S/MIME data in a SECItem
SECItem dataToDecodeItem;
dataToDecodeItem.data = (unsigned char *) dataToDecrypt;
dataToDecodeItem.len = dataToDecryptLength;
if(dataIsInBase64Format)
{
// TODO:
// Use some NSS util. to convert base64 to binary
Os::Logger::instance().log(FAC_SIP, PRI_ERR,
"NSS decrypt of base64 S/MIME message not implemented");
}
else
{
// Decode the S/MIME blob
NSSCMSMessage *cmsMessage =
NSS_CMSMessage_CreateFromDER(&dataToDecodeItem,
nssOutToUtlString,
&decryptedData,
NULL, NULL,
NULL, NULL);
if(cmsMessage &&
decryptedData.length() > 0)
{
decryptSucceeded = TRUE;
}
// TODO:
// Remove the temporary private key from the
// database using the slot handle
}
}
}
}
}
}
// Clean up
if(p12Decoder)
{
SEC_PKCS12DecoderFinish(p12Decoder);
}
if(uniPasswordItem.data)
{
SECITEM_ZfreeItem(&uniPasswordItem, PR_FALSE);
}
////// END WARNING /////
#else
Os::Logger::instance().log(FAC_SIP, PRI_ERR, "SmimeBody::nssSmimeDecrypt invoked with ENABLE_NSS_SMIME not defined");
#endif
return(decryptSucceeded);
}
