/*
* NSS_CMSAttribute_CompareValue - compare the attribute's first value against data
*/
PRBool
NSS_CMSAttribute_CompareValue(NSSCMSAttribute *attr, SECItem *av)
{
SECItem *value;
if (attr == NULL)
return PR_FALSE;
value = NSS_CMSAttribute_GetValue(attr);
return (value != NULL && value->len == av->len &&
PORT_Memcmp (value->data, av->data, value->len) == 0);
}
/*
* NSS_CMSSignerInfo_GetSigningTime - return the signing time,
* in UTCTime or GeneralizedTime format,
* of a CMS signerInfo.
*
* sinfo - signerInfo data for this signer
*
* Returns a pointer to XXXX (what?)
* A return value of NULL is an error.
*/
SECStatus
NSS_CMSSignerInfo_GetSigningTime(NSSCMSSignerInfo *sinfo, PRTime *stime)
{
NSSCMSAttribute *attr;
SECItem *value;
if (sinfo == NULL)
return SECFailure;
if (sinfo->signingTime != 0) {
*stime = sinfo->signingTime; /* cached copy */
return SECSuccess;
}
attr = NSS_CMSAttributeArray_FindAttrByOidTag(sinfo->authAttr, SEC_OID_PKCS9_SIGNING_TIME, PR_TRUE);
/* XXXX multi-valued attributes NIH */
if (attr == NULL || (value = NSS_CMSAttribute_GetValue(attr)) == NULL)
return SECFailure;
if (DER_DecodeTimeChoice(stime, value) != SECSuccess)
return SECFailure;
sinfo->signingTime = *stime; /* make cached copy */
return SECSuccess;
}
/*
* XXXX the following needs to be done in the S/MIME layer code
* after signature of a signerinfo is verified
*/
SECStatus
NSS_SMIMESignerInfo_SaveSMIMEProfile(NSSCMSSignerInfo *signerinfo)
{
CERTCertificate *cert = NULL;
SECItem *profile = NULL;
NSSCMSAttribute *attr;
SECItem *stime = NULL;
SECItem *ekp;
CERTCertDBHandle *certdb;
int save_error;
SECStatus rv;
PRBool must_free_cert = PR_FALSE;
certdb = CERT_GetDefaultCertDB();
/* sanity check - see if verification status is ok (unverified does not count...) */
if (signerinfo->verificationStatus != NSSCMSVS_GoodSignature)
return SECFailure;
/* find preferred encryption cert */
if (!NSS_CMSArray_IsEmpty((void **)signerinfo->authAttr) &&
(attr = NSS_CMSAttributeArray_FindAttrByOidTag(signerinfo->authAttr,
SEC_OID_SMIME_ENCRYPTION_KEY_PREFERENCE, PR_TRUE)) != NULL)
{ /* we have a SMIME_ENCRYPTION_KEY_PREFERENCE attribute! */
ekp = NSS_CMSAttribute_GetValue(attr);
if (ekp == NULL)
return SECFailure;
/* we assume that all certs coming with the message have been imported to the */
/* temporary database */
cert = NSS_SMIMEUtil_GetCertFromEncryptionKeyPreference(certdb, ekp);
if (cert == NULL)
return SECFailure;
must_free_cert = PR_TRUE;
}
if (cert == NULL) {
/* no preferred cert found?
* find the cert the signerinfo is signed with instead */
cert = NSS_CMSSignerInfo_GetSigningCertificate(signerinfo, certdb);
if (cert == NULL || cert->emailAddr == NULL || !cert->emailAddr[0])
return SECFailure;
}
/* verify this cert for encryption (has been verified for signing so far) */
/* don't verify this cert for encryption. It may just be a signing cert.
* that's OK, we can still save the S/MIME profile. The encryption cert
* should have already been saved */
#ifdef notdef
if (CERT_VerifyCert(certdb, cert, PR_TRUE, certUsageEmailRecipient, PR_Now(), signerinfo->cmsg->pwfn_arg, NULL) != SECSuccess) {
if (must_free_cert)
CERT_DestroyCertificate(cert);
return SECFailure;
}
#endif
/* XXX store encryption cert permanently? */
/*
* Remember the current error set because we do not care about
* anything set by the functions we are about to call.
*/
save_error = PORT_GetError();
if (!NSS_CMSArray_IsEmpty((void **)signerinfo->authAttr)) {
attr = NSS_CMSAttributeArray_FindAttrByOidTag(signerinfo->authAttr,
SEC_OID_PKCS9_SMIME_CAPABILITIES,
PR_TRUE);
profile = NSS_CMSAttribute_GetValue(attr);
attr = NSS_CMSAttributeArray_FindAttrByOidTag(signerinfo->authAttr,
SEC_OID_PKCS9_SIGNING_TIME,
PR_TRUE);
stime = NSS_CMSAttribute_GetValue(attr);
}
rv = CERT_SaveSMimeProfile (cert, profile, stime);
if (must_free_cert)
CERT_DestroyCertificate(cert);
/*
* Restore the saved error in case the calls above set a new
* one that we do not actually care about.
*/
PORT_SetError (save_error);
return rv;
}
