nsresult
PublicDhKeyToSpki(SECKEYPublicKey* aPubKey,
CERTSubjectPublicKeyInfo* aSpki)
{
SECItem* params = ::SECITEM_AllocItem(aSpki->arena, nullptr, 0);
if (!params) {
return NS_ERROR_DOM_OPERATION_ERR;
}
SECItem* rvItem = SEC_ASN1EncodeItem(aSpki->arena, params, aPubKey,
SECKEY_DHParamKeyTemplate);
if (!rvItem) {
return NS_ERROR_DOM_OPERATION_ERR;
}
SECStatus rv = SECOID_SetAlgorithmID(aSpki->arena, &aSpki->algorithm,
SEC_OID_X942_DIFFIE_HELMAN_KEY, params);
if (rv != SECSuccess) {
return NS_ERROR_DOM_OPERATION_ERR;
}
rvItem = SEC_ASN1EncodeItem(aSpki->arena, &aSpki->subjectPublicKey, aPubKey,
SECKEY_DHPublicKeyTemplate);
if (!rvItem) {
return NS_ERROR_DOM_OPERATION_ERR;
}
// The public value is a BIT_STRING encoded as an INTEGER. After encoding
// an INT we need to adjust the length to reflect the number of bits.
aSpki->subjectPublicKey.len <<= 3;
return NS_OK;
}
/*
* Given a raw modulus and exponent, cook up a
* BER-encoded RSA public key blob.
*/
OSStatus sslEncodeRsaBlob(
const SSLBuffer *modulus,
const SSLBuffer *exponent,
SSLBuffer *blob) /* data mallocd and RETURNED */
{
PLArenaPool *pool;
OSStatus srtn;
SECItem *encBlob, dest = {};
NSS_RSAPublicKeyPKCS1 nssPubKey;
assert((modulus != NULL) && (exponent != NULL));
/* convert to NSS_RSAPublicKeyPKCS1 */
SSLBUF_TO_SECITEM(modulus, &nssPubKey.modulus);
SSLBUF_TO_SECITEM(exponent, &nssPubKey.publicExponent);
/* DER encode */
pool = PORT_NewArena(CHUNKSIZE_DEF);
encBlob = SEC_ASN1EncodeItem(pool, &dest, &nssPubKey,
kSecAsn1RSAPublicKeyPKCS1Template);
if (!encBlob)
srtn = memFullErr;
else {
/* copy out to caller */
srtn = SSLCopyBufferFromData(encBlob->Data, encBlob->Length, blob);
}
PORT_FreeArena(pool, PR_TRUE);
return srtn;
}
/*
* Given a prime and generator, cook up a BER-encoded DHParameter blob.
*/
OSStatus sslEncodeDhParams(
const SSLBuffer *prime,
const SSLBuffer *generator,
SSLBuffer *blob) /* data mallocd and RETURNED */
{
PLArenaPool *pool;
OSStatus srtn;
SECItem *encBlob, dest = {};
NSS_DHParameter dhParams;
assert((prime != NULL) && (generator != NULL));
/* convert to NSS_DHParameter */
SSLBUF_TO_SECITEM(prime, &dhParams.prime);
SSLBUF_TO_SECITEM(generator, &dhParams.base);
dhParams.privateValueLength.Data = NULL;
dhParams.privateValueLength.Length = 0;
/* DER encode */
pool = PORT_NewArena(CHUNKSIZE_DEF);
encBlob = SEC_ASN1EncodeItem(pool, &dest, &dhParams,
kSecAsn1DHParameterTemplate);
if (!encBlob)
srtn = memFullErr;
else {
/* copy out to caller */
srtn = SSLCopyBufferFromData(encBlob->Data, encBlob->Length, blob);
}
PORT_FreeArena(pool, PR_TRUE);
return srtn;
}
static int
generate_spc_indirect_data_content(cms_context *cms, SECItem *idcp)
{
SpcIndirectDataContent idc;
memset(&idc, '\0', sizeof (idc));
int rc;
rc = generate_spc_attribute_yadda_yadda(cms, &idc.data);
if (rc < 0)
return rc;
rc = generate_spc_digest_info(cms, &idc.messageDigest);
if (rc < 0) {
SECITEM_FreeItem(&idc.data, PR_FALSE);
return rc;
}
if (SEC_ASN1EncodeItem(cms->arena, idcp, &idc,
SpcIndirectDataContentTemplate) == NULL) {
cms->log(cms, LOG_ERR, "could not encode "
"SpcIndirectDataContent: %s",
PORT_ErrorToString(PORT_GetError()));
return -1;
}
return 0;
}
/*
* NSS_SMIMEUtil_CreateSMIMEEncKeyPrefs - create S/MIME encryption key preferences attr value using MS oid
*
* "poolp" - arena pool to create the attr value on
* "dest" - SECItem to put the data in
* "cert" - certificate that should be marked as preferred encryption key
* cert is expected to have been verified for EmailRecipient usage.
*/
SECStatus
NSS_SMIMEUtil_CreateMSSMIMEEncKeyPrefs(PLArenaPool *poolp, SECItem *dest, CERTCertificate *cert)
{
SECItem *dummy = NULL;
PLArenaPool *tmppoolp = NULL;
CERTIssuerAndSN *isn;
if (cert == NULL)
goto loser;
tmppoolp = PORT_NewArena(1024);
if (tmppoolp == NULL)
goto loser;
isn = CERT_GetCertIssuerAndSN(tmppoolp, cert);
if (isn == NULL)
goto loser;
dummy = SEC_ASN1EncodeItem(poolp, dest, isn, SEC_ASN1_GET(CERT_IssuerAndSNTemplate));
loser:
if (tmppoolp) PORT_FreeArena(tmppoolp, PR_FALSE);
return (dummy == NULL) ? SECFailure : SECSuccess;
}
static int
generate_spc_indirect_data_content(PRArenaPool *arena, SECItem *idcp,
cms_context *ctx)
{
SpcIndirectDataContent idc;
memset(&idc, '\0', sizeof (idc));
if (generate_spc_attribute_yadda_yadda(arena, &idc.data) < 0) {
fprintf(stderr, "got here %s:%d\n",__func__,__LINE__);
return -1;
}
if (generate_spc_digest_info(arena, &idc.messageDigest, ctx) < 0) {
fprintf(stderr, "got here %s:%d\n",__func__,__LINE__);
return -1;
}
if (SEC_ASN1EncodeItem(arena, idcp, &idc,
SpcIndirectDataContentTemplate) == NULL) {
fprintf(stderr,
"Could not encode SpcIndirectDataContent: %s\n",
PORT_ErrorToString(PORT_GetError()));
return -1;
}
return 0;
}
/* Generate DER for SpcAttributeTypeAndValue, which is basically just
* a DER_SEQUENCE containing the OID 1.3.6.1.4.1.311.2.1.15
* (SPC_PE_IMAGE_DATA_OBJID) and the SpcPeImageData.
*/
static int
generate_spc_attribute_yadda_yadda(cms_context *cms, SECItem *ataovp)
{
SpcAttributeTypeAndOptionalValue ataov;
memset(&ataov, '\0', sizeof (ataov));
int rc;
rc = get_ms_oid_secitem(SPC_PE_IMAGE_DATA_OBJID, &ataov.contentType);
if (rc < 0) {
cms->log(cms, LOG_ERR, "could not get SPC_PE_IMAGE_DATA_OBJID");
return -1;
}
rc = generate_spc_pe_image_data(cms, &ataov.value);
if (rc < 0)
return rc;
if (SEC_ASN1EncodeItem(cms->arena, ataovp, &ataov,
SpcAttributeTypeAndOptionalValueTemplate) == NULL) {
cms->log(cms, LOG_ERR, "could not encode "
"SpcAttributeTypeAndOptionalValue: %s",
PORT_ErrorToString(PORT_GetError()));
return -1;
}
return 0;
}
static int
generate_spc_digest_info(cms_context *cms, SECItem *dip)
{
DigestInfo di;
memset(&di, '\0', sizeof (di));
if (generate_algorithm_id(cms, &di.digestAlgorithm,
digest_get_digest_oid(cms)) < 0)
return -1;
int i = cms->selected_digest;
memcpy(&di.digest, cms->digests[i].pe_digest, sizeof (di.digest));
if (content_is_empty(di.digest.data, di.digest.len)) {
cms->log(cms, LOG_ERR, "got empty digest");
return -1;
}
if (SEC_ASN1EncodeItem(cms->arena, dip, &di,
DigestInfoTemplate) == NULL) {
cms->log(cms, LOG_ERR, "could not encode DigestInfo: %s",
PORT_ErrorToString(PORT_GetError()));
return -1;
}
return 0;
}
/*
* NSS_SMIMEUtil_CreateSMIMECapabilities - get S/MIME capabilities for this instance of NSS
*
* scans the list of allowed and enabled ciphers and construct a PKCS9-compliant
* S/MIME capabilities attribute value.
*
* XXX Please note that, in contradiction to RFC2633 2.5.2, the capabilities only include
* symmetric ciphers, NO signature algorithms or key encipherment algorithms.
*
* "poolp" - arena pool to create the S/MIME capabilities data on
* "dest" - SECItem to put the data in
*/
SECStatus
NSS_SMIMEUtil_CreateSMIMECapabilities(PLArenaPool *poolp, SECItem *dest)
{
NSSSMIMECapability *cap;
NSSSMIMECapability **smime_capabilities;
smime_cipher_map_entry *map;
SECOidData *oiddata;
SECItem *dummy;
int i, capIndex;
/* if we have an old NSSSMIMECapability array, we'll reuse it (has the right size) */
/* smime_cipher_map_count + 1 is an upper bound - we might end up with less */
smime_capabilities = (NSSSMIMECapability **)PORT_ZAlloc((smime_cipher_map_count + 1)
* sizeof(NSSSMIMECapability *));
if (smime_capabilities == NULL)
return SECFailure;
capIndex = 0;
/* Add all the symmetric ciphers
* We walk the cipher list backwards, as it is ordered by increasing strength,
* we prefer the stronger cipher over a weaker one, and we have to list the
* preferred algorithm first */
for (i = smime_cipher_map_count - 1; i >= 0; i--) {
/* Find the corresponding entry in the cipher map. */
map = &(smime_cipher_map[i]);
if (!map->enabled)
continue;
/* get next SMIME capability */
cap = (NSSSMIMECapability *)PORT_ZAlloc(sizeof(NSSSMIMECapability));
if (cap == NULL)
break;
smime_capabilities[capIndex++] = cap;
oiddata = SECOID_FindOIDByTag(map->algtag);
if (oiddata == NULL)
break;
cap->capabilityID.data = oiddata->oid.data;
cap->capabilityID.len = oiddata->oid.len;
cap->parameters.data = map->parms ? map->parms->data : NULL;
cap->parameters.len = map->parms ? map->parms->len : 0;
cap->cipher = smime_cipher_map[i].cipher;
}
/* XXX add signature algorithms */
/* XXX add key encipherment algorithms */
smime_capabilities[capIndex] = NULL; /* last one - now encode */
dummy = SEC_ASN1EncodeItem(poolp, dest, &smime_capabilities, NSSSMIMECapabilitiesTemplate);
/* now that we have the proper encoded SMIMECapabilities (or not),
* free the work data */
for (i = 0; smime_capabilities[i] != NULL; i++)
PORT_Free(smime_capabilities[i]);
PORT_Free(smime_capabilities);
return (dummy == NULL) ? SECFailure : SECSuccess;
}
nsresult
CryptoKey::PublicKeyToSpki(SECKEYPublicKey* aPubKey,
CryptoBuffer& aRetVal,
const nsNSSShutDownPreventionLock& /*proofOfLock*/)
{
ScopedCERTSubjectPublicKeyInfo spki(SECKEY_CreateSubjectPublicKeyInfo(aPubKey));
if (!spki) {
return NS_ERROR_DOM_OPERATION_ERR;
}
// Per WebCrypto spec we must export ECDH SPKIs with the algorithm OID
// id-ecDH (1.3.132.112). NSS doesn't know about that OID and there is
// no way to specify the algorithm to use when exporting a public key.
if (aPubKey->keyType == ecKey) {
SECStatus rv = SECITEM_CopyItem(spki->arena, &spki->algorithm.algorithm,
&SEC_OID_DATA_EC_DH);
if (rv != SECSuccess) {
return NS_ERROR_DOM_OPERATION_ERR;
}
}
const SEC_ASN1Template* tpl = SEC_ASN1_GET(CERT_SubjectPublicKeyInfoTemplate);
ScopedSECItem spkiItem(SEC_ASN1EncodeItem(nullptr, nullptr, spki, tpl));
aRetVal.Assign(spkiItem.get());
return NS_OK;
}
SECStatus
CERT_EncodeInfoAccessExtension(PRArenaPool *arena,
CERTAuthInfoAccess **info,
SECItem *dest)
{
SECItem *dummy;
int i;
PORT_Assert(info != NULL);
PORT_Assert(dest != NULL);
if (info == NULL || dest == NULL) {
return SECFailure;
}
for (i = 0; info[i] != NULL; i++) {
if (CERT_EncodeGeneralName(info[i]->location, &(info[i]->derLocation),
arena) == NULL)
/* Note that this may leave some of the locations filled in. */
return SECFailure;
}
dummy = SEC_ASN1EncodeItem(arena, dest, &info,
CERTAuthInfoAccessTemplate);
if (dummy == NULL) {
return SECFailure;
}
return SECSuccess;
}
/*
* Lookup a certificate in the database by name
*/
CERTCertificate *
CERT_FindCertByNameString(CERTCertDBHandle *handle, char *nameStr)
{
CERTName *name;
SECItem *nameItem;
CERTCertificate *cert = NULL;
PRArenaPool *arena = NULL;
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if ( arena == NULL ) {
goto loser;
}
name = CERT_AsciiToName(nameStr);
if ( name ) {
nameItem = SEC_ASN1EncodeItem (arena, NULL, (void *)name,
CERT_NameTemplate);
if ( nameItem != NULL ) {
cert = CERT_FindCertByName(handle, nameItem);
}
CERT_DestroyName(name);
}
loser:
if ( arena ) {
PORT_FreeArena(arena, PR_FALSE);
}
return(cert);
}
/*
* NSS_SMIMEUtil_CreateSMIMEEncKeyPrefs - create S/MIME encryption key preferences attr value
*
* "poolp" - arena pool to create the attr value on
* "dest" - SECItem to put the data in
* "cert" - certificate that should be marked as preferred encryption key
* cert is expected to have been verified for EmailRecipient usage.
*/
SECStatus
NSS_SMIMEUtil_CreateSMIMEEncKeyPrefs(PLArenaPool *poolp, SECItem *dest, CERTCertificate *cert)
{
NSSSMIMEEncryptionKeyPreference ekp;
SECItem *dummy = NULL;
PLArenaPool *tmppoolp = NULL;
if (cert == NULL)
goto loser;
tmppoolp = PORT_NewArena(1024);
if (tmppoolp == NULL)
goto loser;
/* XXX hardcoded IssuerSN choice for now */
ekp.selector = NSSSMIMEEncryptionKeyPref_IssuerSN;
ekp.id.issuerAndSN = CERT_GetCertIssuerAndSN(tmppoolp, cert);
if (ekp.id.issuerAndSN == NULL)
goto loser;
dummy = SEC_ASN1EncodeItem(poolp, dest, &ekp, smime_encryptionkeypref_template);
loser:
if (tmppoolp) PORT_FreeArena(tmppoolp, PR_FALSE);
return (dummy == NULL) ? SECFailure : SECSuccess;
}
static int
generate_spc_pe_image_data(cms_context *cms, SECItem *spidp)
{
SpcPeImageData spid;
SECITEM_AllocItem(cms->arena, &spid.flags, 1);
if (!spid.flags.data)
return -1;
spid.flags.data[0] = 0;
char obsolete[28] = "";
int rc;
rc = generate_spc_link(cms, &spid.link, SpcLinkTypeFile, obsolete, 0);
if (rc < 0)
return rc;
if (SEC_ASN1EncodeItem(cms->arena, spidp, &spid,
SpcPeImageDataTemplate) == NULL) {
cms->log(cms, LOG_ERR, "could not encode SpcPeImageData: %s",
PORT_ErrorToString(PORT_GetError()));
return -1;
}
/* XXX OMG FIX THIS */
/* manually bang it from NULL to BIT STRING because I can't figure out
* how to make the f*****g templates work right for the bitstring size
*/
spidp->data[2] = DER_BIT_STRING;
return 0;
}
static int
generate_spc_pe_image_data(PRArenaPool *arena, SECItem *spidp)
{
SpcPeImageData spid;
SECITEM_AllocItem(arena, &spid.flags, 1);
if (!spid.flags.data)
return -1;
spid.flags.data[0] = 0;
char obsolete[28] = "\0<\0<\0<\0O\0b\0s\0o\0l\0e\0t\0e\0>\0>\0>";
if (generate_spc_link(arena, &spid.link, SpcLinkTypeFile, obsolete,
28) < 0) {
fprintf(stderr, "got here %s:%d\n",__func__,__LINE__);
return -1;
}
if (SEC_ASN1EncodeItem(arena, spidp, &spid,
SpcPeImageDataTemplate) == NULL) {
fprintf(stderr, "Could not encode SpcPeImageData: %s\n",
PORT_ErrorToString(PORT_GetError()));
return -1;
}
/* XXX OMG FIX THIS */
/* manually bang it from NULL to BIT STRING because I can't figure out
* how to make the f*****g templates work right for the bitstring size
*/
spidp->data[2] = DER_BIT_STRING;
return 0;
}
/* Generate DER for SpcAttributeTypeAndValue, which is basically just
* a DER_SEQUENCE containing the OID 1.3.6.1.4.1.311.2.1.15
* (SPC_PE_IMAGE_DATA_OBJID) and the SpcPeImageData.
*/
static int
generate_spc_attribute_yadda_yadda(PRArenaPool *arena, SECItem *ataovp)
{
SpcAttributeTypeAndOptionalValue ataov;
memset(&ataov, '\0', sizeof (ataov));
if (get_ms_oid_secitem(SPC_PE_IMAGE_DATA_OBJID, &ataov.contentType) < 0){
fprintf(stderr, "got here %s:%d\n",__func__,__LINE__);
return -1;
}
if (generate_spc_pe_image_data(arena, &ataov.value) < 0) {
fprintf(stderr, "got here %s:%d\n",__func__,__LINE__);
return -1;
}
if (SEC_ASN1EncodeItem(arena, ataovp, &ataov,
SpcAttributeTypeAndOptionalValueTemplate) == NULL) {
fprintf(stderr,
"Could not encode SpcAttributeTypeAndOptionalValue:"
"%s\n",
PORT_ErrorToString(PORT_GetError()));
return -1;
}
return 0;
}
/*
* SecSMIMECreateSMIMEEncKeyPrefs - create S/MIME encryption key preferences attr value using MS oid
*
* "poolp" - arena pool to create the attr value on
* "dest" - CSSM_DATA to put the data in
* "cert" - certificate that should be marked as preferred encryption key
* cert is expected to have been verified for EmailRecipient usage.
*/
OSStatus
SecSMIMECreateMSSMIMEEncKeyPrefs(SecArenaPoolRef pool, CSSM_DATA_PTR dest, SecCertificateRef cert)
{
PLArenaPool *poolp = (PLArenaPool *)pool;
CSSM_DATA_PTR dummy = NULL;
PLArenaPool *tmppoolp = NULL;
SecCmsIssuerAndSN *isn;
if (cert == NULL)
goto loser;
tmppoolp = PORT_NewArena(1024);
if (tmppoolp == NULL)
goto loser;
isn = CERT_GetCertIssuerAndSN(tmppoolp, cert);
if (isn == NULL)
goto loser;
dummy = SEC_ASN1EncodeItem(poolp, dest, isn, SEC_ASN1_GET(SecCmsIssuerAndSNTemplate));
loser:
if (tmppoolp) PORT_FreeArena(tmppoolp, PR_FALSE);
return (dummy == NULL) ? SECFailure : SECSuccess;
}
/*
* SecSMIMECreateSMIMEEncKeyPrefs - create S/MIME encryption key preferences attr value
*
* "poolp" - arena pool to create the attr value on
* "dest" - CSSM_DATA to put the data in
* "cert" - certificate that should be marked as preferred encryption key
* cert is expected to have been verified for EmailRecipient usage.
*/
OSStatus
SecSMIMECreateSMIMEEncKeyPrefs(SecArenaPoolRef pool, CSSM_DATA_PTR dest, SecCertificateRef cert)
{
PLArenaPool *poolp = (PLArenaPool *)pool;
NSSSMIMEEncryptionKeyPreference ekp;
CSSM_DATA_PTR dummy = NULL;
PLArenaPool *tmppoolp = NULL;
if (cert == NULL)
goto loser;
tmppoolp = PORT_NewArena(1024);
if (tmppoolp == NULL)
goto loser;
/* XXX hardcoded IssuerSN choice for now */
ekp.selector = NSSSMIMEEncryptionKeyPref_IssuerSN;
ekp.id.issuerAndSN = CERT_GetCertIssuerAndSN(tmppoolp, cert);
if (ekp.id.issuerAndSN == NULL)
goto loser;
dummy = SEC_ASN1EncodeItem(poolp, dest, &ekp, smime_encryptionkeypref_template);
loser:
if (tmppoolp) PORT_FreeArena(tmppoolp, PR_FALSE);
return (dummy == NULL) ? SECFailure : SECSuccess;
}
static CRMFPKIArchiveOptions *
crmf_create_arch_rem_gen_privkey(PRBool archiveRemGenPrivKey)
{
unsigned char value;
SECItem *dummy;
CRMFPKIArchiveOptions *newArchOptions;
value = (archiveRemGenPrivKey) ? hexTrue : hexFalse;
newArchOptions = PORT_ZNew(CRMFPKIArchiveOptions);
if (newArchOptions == NULL) {
goto loser;
}
dummy = SEC_ASN1EncodeItem(NULL,
&newArchOptions->option.archiveRemGenPrivKey,
&value, SEC_ASN1_GET(SEC_BooleanTemplate));
PORT_Assert(dummy == &newArchOptions->option.archiveRemGenPrivKey);
if (dummy != &newArchOptions->option.archiveRemGenPrivKey) {
SECITEM_FreeItem(dummy, PR_TRUE);
goto loser;
}
newArchOptions->archOption = crmfArchiveRemGenPrivKey;
return newArchOptions;
loser:
if (newArchOptions != NULL) {
CRMF_DestroyPKIArchiveOptions(newArchOptions);
}
return NULL;
}
/********************************************************************
*
* s i g n _ c e r t
*/
static SECItem *
sign_cert(CERTCertificate *cert, SECKEYPrivateKey *privk)
{
SECStatus rv;
SECItem der2;
SECItem * result2;
void *dummy;
SECOidTag alg = SEC_OID_UNKNOWN;
alg = SEC_GetSignatureAlgorithmOidTag(privk->keyType, SEC_OID_UNKNOWN);
if (alg == SEC_OID_UNKNOWN) {
FatalError("Unknown key type");
}
rv = SECOID_SetAlgorithmID (cert->arena, &cert->signature, alg, 0);
if (rv != SECSuccess) {
PR_fprintf(errorFD, "%s: unable to set signature alg id\n",
PROGRAM_NAME);
errorCount++;
exit (ERRX);
}
der2.len = 0;
der2.data = NULL;
dummy = SEC_ASN1EncodeItem
(cert->arena, &der2, cert, SEC_ASN1_GET(CERT_CertificateTemplate));
if (rv != SECSuccess) {
PR_fprintf(errorFD, "%s: error encoding cert\n", PROGRAM_NAME);
errorCount++;
exit (ERRX);
}
result2 = (SECItem * ) PORT_ArenaZAlloc (cert->arena, sizeof (SECItem));
if (result2 == NULL)
out_of_memory();
rv = SEC_DerSignData
(cert->arena, result2, der2.data, der2.len, privk, alg);
if (rv != SECSuccess) {
PR_fprintf(errorFD, "can't sign encoded certificate data\n");
errorCount++;
exit (ERRX);
} else if (verbosity >= 0) {
PR_fprintf(outputFD, "certificate has been signed\n");
}
cert->derCert = *result2;
return result2;
}
static CERTSignedCrl *
FindCRL(CERTCertDBHandle *certHandle, char *name, int type)
{
CERTSignedCrl *crl = NULL;
CERTCertificate *cert = NULL;
SECItem derName;
derName.data = NULL;
derName.len = 0;
cert = CERT_FindCertByNicknameOrEmailAddr(certHandle, name);
if (!cert) {
CERTName *certName = NULL;
PLArenaPool *arena = NULL;
SECStatus rv = SECSuccess;
certName = CERT_AsciiToName(name);
if (certName) {
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (arena) {
SECItem *nameItem =
SEC_ASN1EncodeItem(arena, NULL, (void *)certName,
SEC_ASN1_GET(CERT_NameTemplate));
if (nameItem) {
rv = SECITEM_CopyItem(NULL, &derName, nameItem);
}
PORT_FreeArena(arena, PR_FALSE);
}
CERT_DestroyName(certName);
}
if (rv != SECSuccess) {
SECU_PrintError(progName, "SECITEM_CopyItem failed, out of memory");
return ((CERTSignedCrl *)NULL);
}
if (!derName.len || !derName.data) {
SECU_PrintError(progName, "could not find certificate named '%s'", name);
return ((CERTSignedCrl *)NULL);
}
} else {
SECITEM_CopyItem(NULL, &derName, &cert->derSubject);
CERT_DestroyCertificate(cert);
}
crl = SEC_FindCrlByName(certHandle, &derName, type);
if (crl == NULL)
SECU_PrintError(progName, "could not find %s's CRL", name);
if (derName.data) {
SECITEM_FreeItem(&derName, PR_FALSE);
}
return (crl);
}
SECStatus
CERT_EncodePrivateKeyUsagePeriod(PRArenaPool *arena,
CERTPrivKeyUsagePeriod *pkup,
SECItem *encodedValue)
{
SECStatus rv = SECSuccess;
if (SEC_ASN1EncodeItem (arena, encodedValue, pkup,
CERTPrivateKeyUsagePeriodTemplate) == NULL) {
rv = SECFailure;
}
return(rv);
}
SECStatus
CERT_EncodeAltNameExtension(PRArenaPool *arena, CERTGeneralName *value, SECItem *encodedValue)
{
SECItem **encodedGenName;
SECStatus rv = SECSuccess;
encodedGenName = cert_EncodeGeneralNames(arena, value);
if (SEC_ASN1EncodeItem (arena, encodedValue, &encodedGenName,
CERT_GeneralNamesTemplate) == NULL) {
rv = SECFailure;
}
return rv;
}
SECStatus NSS_CMSRecipientInfo_Encode(PLArenaPool* poolp,
const NSSCMSRecipientInfo *src,
SECItem* returned)
{
extern const SEC_ASN1Template NSSCMSRecipientInfoTemplate[];
SECStatus rv = SECFailure;
if (!src || !returned) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
} else if (SEC_ASN1EncodeItem(poolp, returned, src,
NSSCMSRecipientInfoTemplate)) {
rv = SECSuccess;
}
return rv;
}
SECItem *
PK11_ExportDERPrivateKeyInfo(SECKEYPrivateKey *pk, void *wincx)
{
SECKEYPrivateKeyInfo *pki = PK11_ExportPrivKeyInfo(pk, wincx);
SECItem *derPKI;
if (!pki) {
return NULL;
}
derPKI = SEC_ASN1EncodeItem(NULL, NULL, pki,
SECKEY_PrivateKeyInfoTemplate);
SECKEY_DestroyPrivateKeyInfo(pki, PR_TRUE);
return derPKI;
}
/*
* SecCmsArraySortByDER - sort array of objects by objects' DER encoding
*
* make sure that the order of the objects guarantees valid DER (which must be
* in lexigraphically ascending order for a SET OF); if reordering is necessary it
* will be done in place (in objs).
*/
OSStatus
SecCmsArraySortByDER(void **objs, const SecAsn1Template *objtemplate, void **objs2)
{
PRArenaPool *poolp;
int num_objs;
SecAsn1Item **enc_objs;
OSStatus rv = SECFailure;
int i;
if (objs == NULL) /* already sorted */
return SECSuccess;
num_objs = SecCmsArrayCount((void **)objs);
if (num_objs == 0 || num_objs == 1) /* already sorted. */
return SECSuccess;
poolp = PORT_NewArena (1024); /* arena for temporaries */
if (poolp == NULL)
return SECFailure; /* no memory; nothing we can do... */
/*
* Allocate arrays to hold the individual encodings which we will use
* for comparisons and the reordered attributes as they are sorted.
*/
// Security check to prevent under-allocation
if (num_objs<0 || num_objs>=(int)((INT_MAX/sizeof(SecAsn1Item *))-1)) {
goto loser;
}
enc_objs = (SecAsn1Item **)PORT_ArenaZAlloc(poolp, (num_objs + 1) * sizeof(SecAsn1Item *));
if (enc_objs == NULL)
goto loser;
/* DER encode each individual object. */
for (i = 0; i < num_objs; i++) {
enc_objs[i] = SEC_ASN1EncodeItem(poolp, NULL, objs[i], objtemplate);
if (enc_objs[i] == NULL)
goto loser;
}
enc_objs[num_objs] = NULL;
/* now compare and sort objs by the order of enc_objs */
SecCmsArraySort((void **)enc_objs, SecCmsUtilDERCompare, objs, objs2);
rv = SECSuccess;
loser:
PORT_FreeArena (poolp, PR_FALSE);
return rv;
}
SECStatus CERT_EncodeBasicConstraintValue
(PRArenaPool *arena, CERTBasicConstraints *value, SECItem *encodedValue)
{
EncodedContext encodeContext;
PRArenaPool *our_pool = NULL;
SECStatus rv = SECSuccess;
do {
PORT_Memset (&encodeContext, 0, sizeof (encodeContext));
if (!value->isCA && value->pathLenConstraint >= 0) {
PORT_SetError (SEC_ERROR_EXTENSION_VALUE_INVALID);
GEN_BREAK (SECFailure);
}
encodeContext.arena = arena;
if (value->isCA == PR_TRUE) {
encodeContext.isCA.data = &hexTrue ;
encodeContext.isCA.len = 1;
}
/* If the pathLenConstraint is less than 0, then it should be
* omitted from the encoding.
*/
if (value->isCA && value->pathLenConstraint >= 0) {
our_pool = PORT_NewArena (SEC_ASN1_DEFAULT_ARENA_SIZE);
if (our_pool == NULL) {
PORT_SetError (SEC_ERROR_NO_MEMORY);
GEN_BREAK (SECFailure);
}
if (SEC_ASN1EncodeUnsignedInteger
(our_pool, &encodeContext.pathLenConstraint,
(unsigned long)value->pathLenConstraint) == NULL) {
PORT_SetError (SEC_ERROR_NO_MEMORY);
GEN_BREAK (SECFailure);
}
}
if (SEC_ASN1EncodeItem (arena, encodedValue, &encodeContext,
CERTBasicConstraintsTemplate) == NULL) {
GEN_BREAK (SECFailure);
}
} while (0);
if (our_pool)
PORT_FreeArena (our_pool, PR_FALSE);
return(rv);
}
SECStatus
CERT_EncodeSubjectKeyID(PRArenaPool *arena, const SECItem* srcString,
SECItem *encodedValue)
{
SECStatus rv = SECSuccess;
if (!srcString) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
if (SEC_ASN1EncodeItem (arena, encodedValue, srcString,
CERTSubjectKeyIDTemplate) == NULL) {
rv = SECFailure;
}
return(rv);
}
/*
* NSS_CMSArray_SortByDER - sort array of objects by objects' DER encoding
*
* make sure that the order of the objects guarantees valid DER (which must be
* in lexigraphically ascending order for a SET OF); if reordering is necessary it
* will be done in place (in objs).
*/
SECStatus
NSS_CMSArray_SortByDER(void **objs, const SEC_ASN1Template *objtemplate, void **objs2)
{
PRArenaPool *poolp;
int num_objs;
SECItem **enc_objs;
SECStatus rv = SECFailure;
int i;
if (objs == NULL) /* already sorted */
return SECSuccess;
num_objs = NSS_CMSArray_Count((void **)objs);
if (num_objs == 0 || num_objs == 1) /* already sorted. */
return SECSuccess;
poolp = PORT_NewArena (1024); /* arena for temporaries */
if (poolp == NULL)
return SECFailure; /* no memory; nothing we can do... */
/*
* Allocate arrays to hold the individual encodings which we will use
* for comparisons and the reordered attributes as they are sorted.
*/
enc_objs = (SECItem **)PORT_ArenaZAlloc(poolp, (num_objs + 1) * sizeof(SECItem *));
if (enc_objs == NULL)
goto loser;
/* DER encode each individual object. */
for (i = 0; i < num_objs; i++) {
enc_objs[i] = SEC_ASN1EncodeItem(poolp, NULL, objs[i], objtemplate);
if (enc_objs[i] == NULL)
goto loser;
}
enc_objs[num_objs] = NULL;
/* now compare and sort objs by the order of enc_objs */
NSS_CMSArray_Sort((void **)enc_objs, NSS_CMSUtil_DERCompare, objs, objs2);
rv = SECSuccess;
loser:
PORT_FreeArena (poolp, PR_FALSE);
return rv;
}
SECStatus
CERT_EncodeInhibitAnyExtension(PLArenaPool *arena,
CERTCertificateInhibitAny *certInhibitAny,
SECItem *dest)
{
SECStatus rv = SECSuccess;
PORT_Assert(certInhibitAny != NULL && dest != NULL);
if (certInhibitAny == NULL || dest == NULL) {
return SECFailure;
}
if (SEC_ASN1EncodeItem (arena, dest, certInhibitAny,
CERT_InhibitAnyTemplate) == NULL) {
rv = SECFailure;
}
return(rv);
}
