void
import_raw_signature(pesign_context *pctx)
{
if (pctx->rawsigfd < 0 || pctx->insattrsfd < 0) {
fprintf(stderr, "pesign: raw signature and signed attributes "
"must both be imported.\n");
exit(1);
}
cms_context *ctx = pctx->cms_ctx;
ctx->raw_signature = SECITEM_AllocItem(ctx->arena, NULL, 0);
ctx->raw_signature->type = siBuffer;
int rc = read_file(pctx->rawsigfd,
(char **)&ctx->raw_signature->data,
(size_t *)&ctx->raw_signature->len);
if (rc < 0) {
fprintf(stderr, "pesign: could not read raw signature: %m\n");
exit(1);
}
ctx->raw_signed_attrs = SECITEM_AllocItem(ctx->arena, NULL, 0);
ctx->raw_signed_attrs->type = siBuffer;
rc = read_file(pctx->insattrsfd,
(char **)&ctx->raw_signed_attrs->data,
(size_t *)&ctx->raw_signed_attrs->len);
if (rc < 0) {
fprintf(stderr, "pesign: could not read raw signed attributes"
": %m\n");
exit(1);
}
}
ocspCertStatus*
ocsp_CreateCertStatus(PLArenaPool *arena,
ocspCertStatusType status,
PRTime revocationTime)
{
ocspCertStatus *cs;
if (!arena) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return NULL;
}
switch (status) {
case ocspCertStatus_good:
case ocspCertStatus_unknown:
case ocspCertStatus_revoked:
break;
default:
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return NULL;
}
cs = PORT_ArenaZNew(arena, ocspCertStatus);
if (!cs)
return NULL;
cs->certStatusType = status;
switch (status) {
case ocspCertStatus_good:
cs->certStatusInfo.goodInfo = SECITEM_AllocItem(arena, NULL, 0);
if (!cs->certStatusInfo.goodInfo)
return NULL;
break;
case ocspCertStatus_unknown:
cs->certStatusInfo.unknownInfo = SECITEM_AllocItem(arena, NULL, 0);
if (!cs->certStatusInfo.unknownInfo)
return NULL;
break;
case ocspCertStatus_revoked:
cs->certStatusInfo.revokedInfo =
PORT_ArenaZNew(arena, ocspRevokedInfo);
if (!cs->certStatusInfo.revokedInfo)
return NULL;
cs->certStatusInfo.revokedInfo->revocationReason =
SECITEM_AllocItem(arena, NULL, 0);
if (!cs->certStatusInfo.revokedInfo->revocationReason)
return NULL;
if (DER_TimeToGeneralizedTimeArena(arena,
&cs->certStatusInfo.revokedInfo->revocationTime,
revocationTime) != SECSuccess)
return NULL;
break;
default:
PORT_Assert(PR_FALSE);
}
return cs;
}
/*
** Generate some random bytes, using the global random number generator
** object. In DSA mode, so there is a q.
*/
static SECStatus
dsa_GenerateGlobalRandomBytes(const SECItem * qItem, PRUint8 * dest,
unsigned int * destLen, unsigned int maxDestLen)
{
SECStatus rv;
SECItem w;
const PRUint8 * q = qItem->data;
unsigned int qLen = qItem->len;
if (*q == 0) {
++q;
--qLen;
}
if (maxDestLen < qLen) {
/* This condition can occur when DSA_SignDigest is passed a group
with a subprime that is larger than DSA_MAX_SUBPRIME_LEN. */
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
w.data = NULL; /* otherwise SECITEM_AllocItem asserts */
if (!SECITEM_AllocItem(NULL, &w, 2*qLen)) {
return SECFailure;
}
*destLen = qLen;
rv = RNG_GenerateGlobalRandomBytes(w.data, w.len);
if (rv == SECSuccess) {
rv = fips186Change_ReduceModQForDSA(w.data, q, qLen, dest);
}
SECITEM_FreeItem(&w, PR_FALSE);
return rv;
}
/*
* NSS_CMSSignerInfo_AddSMIMECaps - add a SMIMECapabilities attribute to the
* authenticated (i.e. signed) attributes of "signerinfo".
*
* This is expected to be included in outgoing signed
* messages for email (S/MIME).
*/
SECStatus
NSS_CMSSignerInfo_AddSMIMECaps(NSSCMSSignerInfo *signerinfo)
{
NSSCMSAttribute *attr;
SECItem *smimecaps = NULL;
void *mark;
PLArenaPool *poolp;
poolp = signerinfo->cmsg->poolp;
mark = PORT_ArenaMark(poolp);
smimecaps = SECITEM_AllocItem(poolp, NULL, 0);
if (smimecaps == NULL)
goto loser;
/* create new signing time attribute */
if (NSS_SMIMEUtil_CreateSMIMECapabilities(poolp, smimecaps) != SECSuccess)
goto loser;
if ((attr = NSS_CMSAttribute_Create(poolp, SEC_OID_PKCS9_SMIME_CAPABILITIES, smimecaps, PR_TRUE)) == NULL)
goto loser;
if (NSS_CMSSignerInfo_AddAuthAttr(signerinfo, attr) != SECSuccess)
goto loser;
PORT_ArenaUnmark (poolp, mark);
return SECSuccess;
loser:
PORT_ArenaRelease (poolp, mark);
return SECFailure;
}
OSStatus
SecCmsContentInfoSetContentOther(SecCmsMessageRef cmsg, SecCmsContentInfoRef cinfo, CSSM_DATA_PTR data, Boolean detached, const CSSM_OID *eContentType)
{
SECStatus srtn;
SECOidData *tmpOidData;
/* just like SecCmsContentInfoSetContentData, except override the contentType and
* contentTypeTag. This OID is for encoding... */
srtn = SECITEM_CopyItem (cmsg->poolp, &(cinfo->contentType), eContentType);
if (srtn != SECSuccess) {
return memFullErr;
}
/* this serves up a contentTypeTag with an empty OID */
tmpOidData = SECOID_FindOIDByTag(SEC_OID_OTHER);
/* but that's const: cook up a new one we can write to */
cinfo->contentTypeTag = (SECOidData *)PORT_ArenaZAlloc(cmsg->poolp, sizeof(SECOidData));
*cinfo->contentTypeTag = *tmpOidData;
/* now fill in the OID */
srtn = SECITEM_CopyItem (cmsg->poolp, &(cinfo->contentTypeTag->oid), eContentType);
if (srtn != SECSuccess) {
return memFullErr;
}
cinfo->content.pointer = data;
cinfo->rawContent = (detached) ?
NULL : (data) ?
data : SECITEM_AllocItem(cmsg->poolp, NULL, 1);
return noErr;
}
NS_IMETHODIMP
nsNSSCertificateFakeTransport::Read(nsIObjectInputStream* aStream)
{
// This serialization has to match that of nsNSSCertificate,
// so read the cachedEVStatus but don't actually use it.
uint32_t cachedEVStatus;
nsresult rv = aStream->Read32(&cachedEVStatus);
if (NS_FAILED(rv)) {
return rv;
}
uint32_t len;
rv = aStream->Read32(&len);
if (NS_FAILED(rv)) {
return rv;
}
nsXPIDLCString str;
rv = aStream->ReadBytes(len, getter_Copies(str));
if (NS_FAILED(rv)) {
return rv;
}
// On a non-chrome process we cannot instatiate mCert because we lack
// nsNSSComponent. nsNSSCertificateFakeTransport object is used only to
// carry the certificate serialization.
mCertSerialization = SECITEM_AllocItem(nullptr, nullptr, len);
if (!mCertSerialization)
return NS_ERROR_OUT_OF_MEMORY;
PORT_Memcpy(mCertSerialization->data, str.Data(), len);
return NS_OK;
}
/*
* SecCmsContentInfoSetContent - set content type & content
*/
OSStatus
SecCmsContentInfoSetContent(SecCmsMessageRef cmsg, SecCmsContentInfoRef cinfo, SECOidTag type, void *ptr)
{
OSStatus rv;
cinfo->contentTypeTag = SECOID_FindOIDByTag(type);
if (cinfo->contentTypeTag == NULL)
return paramErr;
/* do not copy the oid, just create a reference */
rv = SECITEM_CopyItem (cmsg->poolp, &(cinfo->contentType), &(cinfo->contentTypeTag->oid));
if (rv != SECSuccess)
return memFullErr;
cinfo->content.pointer = ptr;
if (type != SEC_OID_PKCS7_DATA) {
/* as we always have some inner data,
* we need to set it to something, just to fool the encoder enough to work on it
* and get us into nss_cms_encoder_notify at that point */
cinfo->rawContent = SECITEM_AllocItem(cmsg->poolp, NULL, 1);
if (cinfo->rawContent == NULL) {
PORT_SetError(SEC_ERROR_NO_MEMORY);
return memFullErr;
}
}
return noErr;
}
int sxi_hmac_sha1_init_ex(sxi_hmac_sha1_ctx *ctx,
const void *key, int key_len)
{
if (!ctx)
return 0;
/* NOTE: params must be provided, but may be empty */
SECItem noParams;
noParams.type = siBuffer;
noParams.data = 0;
noParams.len = 0;
if (ctx->context)
PK11_DestroyContext(ctx->context, PR_TRUE);
if (ctx->key)
PK11_FreeSymKey(ctx->key);
if (ctx->keysec)
SECITEM_FreeItem(ctx->keysec, PR_TRUE);
ctx->keysec = SECITEM_AllocItem(NULL, NULL, key_len);
if (ctx->keysec) {
memcpy(ctx->keysec->data, key, key_len);
ctx->key = PK11_ImportSymKey(ctx->slot, CKM_SHA_1_HMAC, PK11_OriginDerive, CKA_SIGN,
ctx->keysec, &noParams);
if(ctx->key) {
ctx->context = PK11_CreateContextBySymKey(CKM_SHA_1_HMAC, CKA_SIGN, ctx->key, &noParams);
if (ctx->context && PK11_DigestBegin(ctx->context) == SECSuccess)
return 1;
}
}
return 0;
}
static int
generate_spc_pe_image_data(cms_context *cms, SECItem *spidp)
{
SpcPeImageData spid;
SECITEM_AllocItem(cms->arena, &spid.flags, 1);
if (!spid.flags.data)
return -1;
spid.flags.data[0] = 0;
char obsolete[28] = "";
int rc;
rc = generate_spc_link(cms, &spid.link, SpcLinkTypeFile, obsolete, 0);
if (rc < 0)
return rc;
if (SEC_ASN1EncodeItem(cms->arena, spidp, &spid,
SpcPeImageDataTemplate) == NULL) {
cms->log(cms, LOG_ERR, "could not encode SpcPeImageData: %s",
PORT_ErrorToString(PORT_GetError()));
return -1;
}
/* XXX OMG FIX THIS */
/* manually bang it from NULL to BIT STRING because I can't figure out
* how to make the f*****g templates work right for the bitstring size
*/
spidp->data[2] = DER_BIT_STRING;
return 0;
}
/* Caller must set error code upon failure */
static SECStatus
hexToBin(PLArenaPool *pool, SECItem * destItem, const char * src, int len)
{
PRUint8 * dest;
destItem->data = NULL;
if (len <= 0 || (len & 1)) {
goto loser;
}
len >>= 1;
if (!SECITEM_AllocItem(pool, destItem, len))
goto loser;
dest = destItem->data;
for (; len > 0; len--, src += 2) {
PRInt16 bin = (x2b[(PRUint8)src[0]] << 4) | x2b[(PRUint8)src[1]];
if (bin < 0)
goto loser;
*dest++ = (PRUint8)bin;
}
return SECSuccess;
loser:
if (!pool)
SECITEM_FreeItem(destItem, PR_FALSE);
return SECFailure;
}
SECStatus
SECU_FileToItem(SECItem *dst, PRFileDesc *src)
{
PRFileInfo info;
PRInt32 numBytes;
PRStatus prStatus;
if (src == PR_STDIN)
return secu_StdinToItem(dst);
prStatus = PR_GetOpenFileInfo(src, &info);
if (prStatus != PR_SUCCESS) {
PORT_SetError(SEC_ERROR_IO);
return SECFailure;
}
/* XXX workaround for 3.1, not all utils zero dst before sending */
dst->data = 0;
if (!SECITEM_AllocItem(NULL, dst, info.size))
goto loser;
numBytes = PR_Read(src, dst->data, info.size);
if (numBytes != info.size) {
PORT_SetError(SEC_ERROR_IO);
goto loser;
}
return SECSuccess;
loser:
SECITEM_FreeItem(dst, PR_FALSE);
dst->data = NULL;
return SECFailure;
}
/* MAC is generated per PKCS 12 section 6. It is expected that key, msg
* and mac_dest are pre allocated, non-NULL arrays. msg_len is passed in
* because it is not known how long the message actually is. String
* manipulation routines will not necessarily work because msg may have
* imbedded NULLs
*/
SECItem *
sec_pkcs12_generate_mac(SECItem *key,
SECItem *msg,
PRBool old_method)
{
SECStatus res = SECFailure;
SECItem *mac = NULL;
PK11Context *pk11cx = NULL;
SECItem ignore = {0};
if((key == NULL) || (msg == NULL)) {
return NULL;
}
if(old_method == PR_TRUE) {
return sec_pkcs12_generate_old_mac(key, msg);
}
/* allocate return item */
mac = SECITEM_AllocItem(NULL, NULL, SHA1_LENGTH);
if (mac == NULL) {
return NULL;
}
pk11cx = PK11_CreateContextByRawKey(NULL, CKM_SHA_1_HMAC, PK11_OriginDerive,
CKA_SIGN, key, &ignore, NULL);
if (pk11cx == NULL) {
goto loser;
}
res = PK11_DigestBegin(pk11cx);
if (res == SECFailure) {
goto loser;
}
res = PK11_DigestOp(pk11cx, msg->data, msg->len);
if (res == SECFailure) {
goto loser;
}
res = PK11_DigestFinal(pk11cx, mac->data, &mac->len, SHA1_LENGTH);
if (res == SECFailure) {
goto loser;
}
PK11_DestroyContext(pk11cx, PR_TRUE);
pk11cx = NULL;
loser:
if(res != SECSuccess) {
SECITEM_ZfreeItem(mac, PR_TRUE);
mac = NULL;
if (pk11cx) {
PK11_DestroyContext(pk11cx, PR_TRUE);
}
}
return mac;
}
SECStatus
ssl_NamedGroup2ECParams(PLArenaPool *arena, const sslNamedGroupDef *ecGroup,
SECKEYECParams *params)
{
SECOidData *oidData = NULL;
if (!params) {
PORT_Assert(0);
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
if (!ecGroup || ecGroup->keaType != ssl_kea_ecdh ||
(oidData = SECOID_FindOIDByTag(ecGroup->oidTag)) == NULL) {
PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
return SECFailure;
}
if (SECITEM_AllocItem(arena, params, (2 + oidData->oid.len)) == NULL) {
PORT_SetError(SEC_ERROR_NO_MEMORY);
return SECFailure;
}
/*
* params->data needs to contain the ASN encoding of an object ID (OID)
* representing the named curve. The actual OID is in
* oidData->oid.data so we simply prepend 0x06 and OID length
*/
params->data[0] = SEC_ASN1_OBJECT_ID;
params->data[1] = oidData->oid.len;
memcpy(params->data + 2, oidData->oid.data, oidData->oid.len);
return SECSuccess;
}
SECStatus
EC_DecodeParams(const SECItem *encodedParams, ECParams **ecparams)
{
PLArenaPool *arena;
ECParams *params;
SECStatus rv = SECFailure;
/* Initialize an arena for the ECParams structure */
if (!(arena = PORT_NewArena(NSS_FREEBL_DEFAULT_CHUNKSIZE)))
return SECFailure;
params = (ECParams *)PORT_ArenaZAlloc(arena, sizeof(ECParams));
if (!params) {
PORT_FreeArena(arena, PR_TRUE);
return SECFailure;
}
/* Copy the encoded params */
SECITEM_AllocItem(arena, &(params->DEREncoding),
encodedParams->len);
memcpy(params->DEREncoding.data, encodedParams->data, encodedParams->len);
/* Fill out the rest of the ECParams structure based on
* the encoded params
*/
rv = EC_FillParams(arena, encodedParams, params);
if (rv == SECFailure) {
PORT_FreeArena(arena, PR_TRUE);
return SECFailure;
} else {
*ecparams = params;
;
return SECSuccess;
}
}
int
generate_algorithm_id(cms_context *ctx, SECAlgorithmID *idp, SECOidTag tag)
{
SECAlgorithmID id;
if (!idp)
return -1;
SECOidData *oiddata;
oiddata = SECOID_FindOIDByTag(tag);
if (!oiddata) {
PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
return -1;
}
if (SECITEM_CopyItem(ctx->arena, &id.algorithm, &oiddata->oid))
return -1;
SECITEM_AllocItem(ctx->arena, &id.parameters, 2);
if (id.parameters.data == NULL)
goto err;
id.parameters.data[0] = SEC_ASN1_NULL;
id.parameters.data[1] = 0;
id.parameters.type = siBuffer;
memcpy(idp, &id, sizeof (id));
return 0;
err:
SECITEM_FreeItem(&id.algorithm, PR_FALSE);
return -1;
}
SECStatus
ssl3_ECName2Params(PLArenaPool * arena, ECName curve, SECKEYECParams * params)
{
SECOidData *oidData = NULL;
PRUint32 policyFlags = 0;
if ((curve <= ec_noName) || (curve >= ec_pastLastName) ||
((oidData = SECOID_FindOIDByTag(ecName2OIDTag[curve])) == NULL)) {
PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
return SECFailure;
}
if (NSS_GetAlgorithmPolicy(ecName2OIDTag[curve], &policyFlags) == SECFailure ||
!(policyFlags & NSS_USE_ALG_IN_SSL_KX)) {
PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
return SECFailure;
}
SECITEM_AllocItem(arena, params, (2 + oidData->oid.len));
/*
* params->data needs to contain the ASN encoding of an object ID (OID)
* representing the named curve. The actual OID is in
* oidData->oid.data so we simply prepend 0x06 and OID length
*/
params->data[0] = SEC_ASN1_OBJECT_ID;
params->data[1] = oidData->oid.len;
memcpy(params->data + 2, oidData->oid.data, oidData->oid.len);
return SECSuccess;
}
static int
generate_spc_pe_image_data(PRArenaPool *arena, SECItem *spidp)
{
SpcPeImageData spid;
SECITEM_AllocItem(arena, &spid.flags, 1);
if (!spid.flags.data)
return -1;
spid.flags.data[0] = 0;
char obsolete[28] = "\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>";
if (generate_spc_link(arena, &spid.link, SpcLinkTypeFile, obsolete,
28) < 0) {
fprintf(stderr, "got here %s:%d\n",__func__,__LINE__);
return -1;
}
if (SEC_ASN1EncodeItem(arena, spidp, &spid,
SpcPeImageDataTemplate) == NULL) {
fprintf(stderr, "Could not encode SpcPeImageData: %s\n",
PORT_ErrorToString(PORT_GetError()));
return -1;
}
/* XXX OMG FIX THIS */
/* manually bang it from NULL to BIT STRING because I can't figure out
* how to make the f*****g templates work right for the bitstring size
*/
spidp->data[2] = DER_BIT_STRING;
return 0;
}
NS_IMETHODIMP
nsNSSCertificateFakeTransport::Read(nsIObjectInputStream* aStream)
{
PRUint32 len;
nsresult rv = aStream->Read32(&len);
if (NS_FAILED(rv)) {
return rv;
}
nsXPIDLCString str;
rv = aStream->ReadBytes(len, getter_Copies(str));
if (NS_FAILED(rv)) {
return rv;
}
// On a non-chrome process we cannot instatiate mCert because we lack
// nsNSSComponent. nsNSSCertificateFakeTransport object is used only to carry the
// certificate serialization.
mCertSerialization = SECITEM_AllocItem(nsnull, nsnull, len);
if (!mCertSerialization)
return NS_ERROR_OUT_OF_MEMORY;
PORT_Memcpy(mCertSerialization->data, str.Data(), len);
return NS_OK;
}
static SECStatus nss_load_crl(const char* crlfilename)
{
PRFileDesc *infile;
PRFileInfo info;
SECItem filedata = { 0, NULL, 0 };
SECItem crlDER = { 0, NULL, 0 };
char *body;
infile = PR_Open(crlfilename, PR_RDONLY, 0);
if(!infile)
return SECFailure;
if(PR_SUCCESS != PR_GetOpenFileInfo(infile, &info))
goto fail;
if(!SECITEM_AllocItem(NULL, &filedata, info.size + /* zero ended */ 1))
goto fail;
if(info.size != PR_Read(infile, filedata.data, info.size))
goto fail;
/* place a trailing zero right after the visible data */
body = (char*)filedata.data;
body[--filedata.len] = '\0';
body = strstr(body, "-----BEGIN");
if(body) {
/* assume ASCII */
char *trailer;
char *begin = PORT_Strchr(body, '\n');
if(!begin)
begin = PORT_Strchr(body, '\r');
if(!begin)
goto fail;
trailer = strstr(++begin, "-----END");
if(!trailer)
goto fail;
/* retrieve DER from ASCII */
*trailer = '\0';
if(ATOB_ConvertAsciiToItem(&crlDER, begin))
goto fail;
SECITEM_FreeItem(&filedata, PR_FALSE);
}
else
/* assume DER */
crlDER = filedata;
PR_Close(infile);
return nss_cache_crl(&crlDER);
fail:
PR_Close(infile);
SECITEM_FreeItem(&filedata, PR_FALSE);
return SECFailure;
}
/*
* NSS_CMSSignedData_SetDigests - set a signedData's digests member
*
* "digestalgs" - array of digest algorithm IDs
* "digests" - array of digests corresponding to the digest algorithms
*/
SECStatus
NSS_CMSSignedData_SetDigests(NSSCMSSignedData *sigd,
SECAlgorithmID **digestalgs,
SECItem **digests)
{
int cnt, i, idx;
if (!sigd || !digestalgs || !digests) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
if (sigd->digestAlgorithms == NULL) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
/* we assume that the digests array is just not there yet */
PORT_Assert(sigd->digests == NULL);
if (sigd->digests != NULL) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return SECFailure;
}
/* now allocate one (same size as digestAlgorithms) */
cnt = NSS_CMSArray_Count((void **)sigd->digestAlgorithms);
sigd->digests = PORT_ArenaZAlloc(sigd->cmsg->poolp, (cnt + 1) * sizeof(SECItem *));
if (sigd->digests == NULL) {
PORT_SetError(SEC_ERROR_NO_MEMORY);
return SECFailure;
}
for (i = 0; sigd->digestAlgorithms[i] != NULL; i++) {
/* try to find the sigd's i'th digest algorithm in the array we passed in */
idx = NSS_CMSAlgArray_GetIndexByAlgID(digestalgs, sigd->digestAlgorithms[i]);
if (idx < 0) {
PORT_SetError(SEC_ERROR_DIGEST_NOT_FOUND);
return SECFailure;
}
if (!digests[idx]) {
/* We have no digest for this algorithm, probably because it is
** unrecognized or unsupported. We'll ignore this here. If this
** digest is needed later, an error will be be generated then.
*/
continue;
}
/* found it - now set it */
if ((sigd->digests[i] = SECITEM_AllocItem(sigd->cmsg->poolp, NULL, 0)) == NULL ||
SECITEM_CopyItem(sigd->cmsg->poolp, sigd->digests[i], digests[idx]) != SECSuccess)
{
PORT_SetError(SEC_ERROR_NO_MEMORY);
return SECFailure;
}
}
return SECSuccess;
}
static int
xmlSecNssAppReadSECItem(SECItem *contents, const char *fn) {
PRFileInfo info;
PRFileDesc *file = NULL;
PRInt32 numBytes;
PRStatus prStatus;
int ret = -1;
xmlSecAssert2(contents != NULL, -1);
xmlSecAssert2(fn != NULL, -1);
file = PR_Open(fn, PR_RDONLY, 00660);
if (file == NULL) {
xmlSecError(XMLSEC_ERRORS_HERE,
NULL,
"PR_Open",
XMLSEC_ERRORS_R_IO_FAILED,
"filename=%s",
xmlSecErrorsSafeString(fn));
goto done;
}
prStatus = PR_GetOpenFileInfo(file, &info);
if (prStatus != PR_SUCCESS) {
xmlSecError(XMLSEC_ERRORS_HERE,
NULL,
"PR_GetOpenFileInfo",
XMLSEC_ERRORS_R_IO_FAILED,
"filename=%s",
xmlSecErrorsSafeString(fn));
goto done;
}
contents->data = 0;
if (!SECITEM_AllocItem(NULL, contents, info.size)) {
xmlSecError(XMLSEC_ERRORS_HERE,
NULL,
"SECITEM_AllocItem",
XMLSEC_ERRORS_R_CRYPTO_FAILED,
XMLSEC_ERRORS_NO_MESSAGE);
goto done;
}
numBytes = PR_Read(file, contents->data, info.size);
if (numBytes != info.size) {
SECITEM_FreeItem(contents, PR_FALSE);
goto done;
}
ret = 0;
done:
if (file) {
PR_Close(file);
}
return (ret);
}
/*
* data == NULL -> pass in data via SecCmsEncoderUpdate
* data != NULL -> take this data
*/
OSStatus
SecCmsContentInfoSetContentData(SecCmsMessageRef cmsg, SecCmsContentInfoRef cinfo, CSSM_DATA_PTR data, Boolean detached)
{
if (SecCmsContentInfoSetContent(cmsg, cinfo, SEC_OID_PKCS7_DATA, (void *)data) != SECSuccess)
return PORT_GetError();
cinfo->rawContent = (detached) ?
NULL : (data) ?
data : SECITEM_AllocItem(cmsg->poolp, NULL, 1);
return noErr;
}
SECStatus SSLInt_Set0RttAlpn(PRFileDesc *fd, PRUint8 *data, unsigned int len) {
sslSocket *ss = ssl_FindSocket(fd);
if (!ss) {
return SECFailure;
}
ss->ssl3.nextProtoState = SSL_NEXT_PROTO_EARLY_VALUE;
if (ss->ssl3.nextProto.data) {
SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE);
}
if (!SECITEM_AllocItem(NULL, &ss->ssl3.nextProto, len)) return SECFailure;
PORT_Memcpy(ss->ssl3.nextProto.data, data, len);
return SECSuccess;
}
SECStatus
SECU_TextFileToItem(SECItem *dst, PRFileDesc *src)
{
PRFileInfo info;
PRInt32 numBytes;
PRStatus prStatus;
unsigned char *buf;
if (src == PR_STDIN)
return secu_StdinToItem(dst);
prStatus = PR_GetOpenFileInfo(src, &info);
if (prStatus != PR_SUCCESS) {
PORT_SetError(SEC_ERROR_IO);
return SECFailure;
}
buf = (unsigned char *)PORT_Alloc(info.size);
if (!buf)
return SECFailure;
numBytes = PR_Read(src, buf, info.size);
if (numBytes != info.size) {
PORT_SetError(SEC_ERROR_IO);
goto loser;
}
if (buf[numBytes - 1] == '\n')
numBytes--;
#ifdef _WINDOWS
if (buf[numBytes - 1] == '\r')
numBytes--;
#endif
/* XXX workaround for 3.1, not all utils zero dst before sending */
dst->data = 0;
if (!SECITEM_AllocItem(NULL, dst, numBytes))
goto loser;
memcpy(dst->data, buf, numBytes);
PORT_Free(buf);
return SECSuccess;
loser:
PORT_Free(buf);
return SECFailure;
}
/*
* Initializes a SECItem from a hexadecimal string
*
* Warning: This function ignores leading 00's, so any leading 00's
* in the hexadecimal string must be optional.
*/
static SECItem *
hexString2SECItem(PLArenaPool *arena, SECItem *item, const char *str)
{
int i = 0;
int byteval = 0;
int tmp = PORT_Strlen(str);
PORT_Assert(arena);
PORT_Assert(item);
if ((tmp % 2) != 0) {
return NULL;
}
/* skip leading 00's unless the hex string is "00" */
while ((tmp > 2) && (str[0] == '0') && (str[1] == '0')) {
str += 2;
tmp -= 2;
}
item = SECITEM_AllocItem(arena, item, tmp / 2);
if (item == NULL) {
return NULL;
}
while (str[i]) {
if ((str[i] >= '0') && (str[i] <= '9')) {
tmp = str[i] - '0';
} else if ((str[i] >= 'a') && (str[i] <= 'f')) {
tmp = str[i] - 'a' + 10;
} else if ((str[i] >= 'A') && (str[i] <= 'F')) {
tmp = str[i] - 'A' + 10;
} else {
/* item is in arena and gets freed by the caller */
return NULL;
}
byteval = byteval * 16 + tmp;
if ((i % 2) != 0) {
item->data[i / 2] = byteval;
byteval = 0;
}
i++;
}
return item;
}
SECStatus
DSA_NewRandom(PLArenaPool * arena, const SECItem * q, SECItem * seed)
{
int retries = 10;
unsigned int i;
PRBool good;
if (q == NULL || q->data == NULL || q->len == 0 ||
(q->data[0] == 0 && q->len == 1)) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
if (!SECITEM_AllocItem(arena, seed, q->len)) {
return SECFailure;
}
do {
/* Generate seed bytes for x according to FIPS 186-1 appendix 3 */
if (dsa_GenerateGlobalRandomBytes(q, seed->data, &seed->len,
seed->len)) {
goto loser;
}
/* Disallow values of 0 and 1 for x. */
good = PR_FALSE;
for (i = 0; i < seed->len-1; i++) {
if (seed->data[i] != 0) {
good = PR_TRUE;
break;
}
}
if (!good && seed->data[i] > 1) {
good = PR_TRUE;
}
} while (!good && --retries > 0);
if (!good) {
PORT_SetError(SEC_ERROR_NEED_RANDOM);
loser: if (arena != NULL) {
SECITEM_FreeItem(seed, PR_FALSE);
}
return SECFailure;
}
return SECSuccess;
}
/*
* SecCmsSignedDataSetDigests - set a signedData's digests member
*
* "digestalgs" - array of digest algorithm IDs
* "digests" - array of digests corresponding to the digest algorithms
*/
OSStatus
SecCmsSignedDataSetDigests(SecCmsSignedDataRef sigd,
SECAlgorithmID **digestalgs,
CSSM_DATA_PTR *digests)
{
int cnt, i, idx;
if (sigd->digestAlgorithms == NULL) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
/* we assume that the digests array is just not there yet */
PORT_Assert(sigd->digests == NULL);
if (sigd->digests != NULL) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return SECFailure;
}
/* now allocate one (same size as digestAlgorithms) */
cnt = SecCmsArrayCount((void **)sigd->digestAlgorithms);
sigd->digests = PORT_ArenaZAlloc(sigd->cmsg->poolp, (cnt + 1) * sizeof(CSSM_DATA_PTR));
if (sigd->digests == NULL) {
PORT_SetError(SEC_ERROR_NO_MEMORY);
return SECFailure;
}
for (i = 0; sigd->digestAlgorithms[i] != NULL; i++) {
/* try to find the sigd's i'th digest algorithm in the array we passed in */
idx = SecCmsAlgArrayGetIndexByAlgID(digestalgs, sigd->digestAlgorithms[i]);
if (idx < 0) {
PORT_SetError(SEC_ERROR_DIGEST_NOT_FOUND);
return SECFailure;
}
/* found it - now set it */
if ((sigd->digests[i] = SECITEM_AllocItem(sigd->cmsg->poolp, NULL, 0)) == NULL ||
SECITEM_CopyItem(sigd->cmsg->poolp, sigd->digests[i], digests[idx]) != SECSuccess)
{
PORT_SetError(SEC_ERROR_NO_MEMORY);
return SECFailure;
}
}
return SECSuccess;
}
/*
* SecCmsSignerInfoAddMSSMIMEEncKeyPrefs - add a SMIMEEncryptionKeyPreferences attribute to the
* authenticated (i.e. signed) attributes of "signerinfo", using the OID prefered by Microsoft.
*
* This is expected to be included in outgoing signed messages for email (S/MIME),
* if compatibility with Microsoft mail clients is wanted.
*/
OSStatus
SecCmsSignerInfoAddMSSMIMEEncKeyPrefs(SecCmsSignerInfoRef signerinfo, SecCertificateRef cert, SecKeychainRef keychainOrArray)
{
SecCmsAttribute *attr;
CSSM_DATA_PTR smimeekp = NULL;
void *mark;
PLArenaPool *poolp;
#if 0
CFTypeRef policy;
/* verify this cert for encryption */
policy = CERT_PolicyForCertUsage(certUsageEmailRecipient);
if (CERT_VerifyCert(keychainOrArray, cert, policy, CFAbsoluteTimeGetCurrent(), NULL) != SECSuccess) {
CFRelease(policy);
return SECFailure;
}
CFRelease(policy);
#endif
poolp = signerinfo->cmsg->poolp;
mark = PORT_ArenaMark(poolp);
smimeekp = SECITEM_AllocItem(poolp, NULL, 0);
if (smimeekp == NULL)
goto loser;
/* create new signing time attribute */
if (SecSMIMECreateMSSMIMEEncKeyPrefs((SecArenaPoolRef)poolp, smimeekp, cert) != SECSuccess)
goto loser;
if ((attr = SecCmsAttributeCreate(poolp, SEC_OID_MS_SMIME_ENCRYPTION_KEY_PREFERENCE, smimeekp, PR_TRUE)) == NULL)
goto loser;
if (SecCmsSignerInfoAddAuthAttr(signerinfo, attr) != SECSuccess)
goto loser;
PORT_ArenaUnmark (poolp, mark);
return SECSuccess;
loser:
PORT_ArenaRelease (poolp, mark);
return SECFailure;
}
static CERTOCSPSingleResponse*
ocsp_CreateSingleResponse(PLArenaPool *arena,
CERTOCSPCertID *id, ocspCertStatus *status,
PRTime thisUpdate, const PRTime *nextUpdate)
{
CERTOCSPSingleResponse *sr;
if (!arena || !id || !status) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return NULL;
}
sr = PORT_ArenaZNew(arena, CERTOCSPSingleResponse);
if (!sr)
return NULL;
sr->arena = arena;
sr->certID = id;
sr->certStatus = status;
if (DER_TimeToGeneralizedTimeArena(arena, &sr->thisUpdate, thisUpdate)
!= SECSuccess)
return NULL;
sr->nextUpdate = NULL;
if (nextUpdate) {
sr->nextUpdate = SECITEM_AllocItem(arena, NULL, 0);
if (!sr->nextUpdate)
return NULL;
if (DER_TimeToGeneralizedTimeArena(arena, sr->nextUpdate, *nextUpdate)
!= SECSuccess)
return NULL;
}
sr->singleExtensions = PORT_ArenaNewArray(arena, CERTCertExtension*, 1);
if (!sr->singleExtensions)
return NULL;
sr->singleExtensions[0] = NULL;
if (!SEC_ASN1EncodeItem(arena, &sr->derCertStatus,
status, ocsp_CertStatusTemplate))
return NULL;
return sr;
}
/*
* SecCmsAttributeCreate - create an attribute
*
* if value is NULL, the attribute won't have a value. It can be added later
* with SecCmsAttributeAddValue.
*/
SecCmsAttribute *
SecCmsAttributeCreate(PRArenaPool *poolp, SECOidTag oidtag, CSSM_DATA_PTR value, Boolean encoded)
{
SecCmsAttribute *attr;
CSSM_DATA_PTR copiedvalue;
void *mark;
PORT_Assert (poolp != NULL);
mark = PORT_ArenaMark (poolp);
attr = (SecCmsAttribute *)PORT_ArenaZAlloc(poolp, sizeof(SecCmsAttribute));
if (attr == NULL)
goto loser;
attr->typeTag = SECOID_FindOIDByTag(oidtag);
if (attr->typeTag == NULL)
goto loser;
if (SECITEM_CopyItem(poolp, &(attr->type), &(attr->typeTag->oid)) != SECSuccess)
goto loser;
if (value != NULL) {
if ((copiedvalue = SECITEM_AllocItem(poolp, NULL, (unsigned int)value->Length)) == NULL)
goto loser;
if (SECITEM_CopyItem(poolp, copiedvalue, value) != SECSuccess)
goto loser;
SecCmsArrayAdd(poolp, (void ***)&(attr->values), (void *)copiedvalue);
}
attr->encoded = encoded;
PORT_ArenaUnmark (poolp, mark);
return attr;
loser:
PORT_Assert (mark != NULL);
PORT_ArenaRelease (poolp, mark);
return NULL;
}
