static SecCmsRecipientInfoRef
nss_cmsrecipientinfo_create(SecCmsEnvelopedDataRef envd, SecCmsRecipientIDSelector type,
SecCertificateRef cert, SecPublicKeyRef pubKey,
const SecAsn1Item *subjKeyID)
{
SecCmsRecipientInfoRef ri;
void *mark;
SECOidTag certalgtag;
OSStatus rv = SECSuccess;
SecCmsRecipientEncryptedKey *rek;
SecCmsOriginatorIdentifierOrKey *oiok;
unsigned long version;
SecAsn1Item * dummy;
PLArenaPool *poolp;
const SECAlgorithmID *algid;
SECAlgorithmID freeAlgID;
SecCmsRecipientIdentifier *rid;
poolp = envd->contentInfo.cmsg->poolp;
mark = PORT_ArenaMark(poolp);
ri = (SecCmsRecipientInfoRef)PORT_ArenaZAlloc(poolp, sizeof(SecCmsRecipientInfo));
if (ri == NULL)
goto loser;
ri->envelopedData = envd;
#if USE_CDSA_CRYPTO
if (type == SecCmsRecipientIDIssuerSN)
{
rv = SecCertificateGetAlgorithmID(cert,&algid);
} else {
PORT_Assert(pubKey);
rv = SecKeyGetAlgorithmID(pubKey,&algid);
}
#else
ri->cert = CERT_DupCertificate(cert);
if (ri->cert == NULL)
goto loser;
const SecAsn1AlgId *length_data_swapped = (const SecAsn1AlgId *)SecCertificateGetPublicKeyAlgorithm(cert);
freeAlgID.algorithm.Length = (size_t)length_data_swapped->algorithm.Data;
freeAlgID.algorithm.Data = (uint8_t *)length_data_swapped->algorithm.Length;
freeAlgID.parameters.Length = (size_t)length_data_swapped->parameters.Data;
freeAlgID.parameters.Data = (uint8_t *)length_data_swapped->parameters.Length;
algid = &freeAlgID;
#endif
certalgtag = SECOID_GetAlgorithmTag(algid);
rid = &ri->ri.keyTransRecipientInfo.recipientIdentifier;
switch (certalgtag) {
case SEC_OID_PKCS1_RSA_ENCRYPTION:
ri->recipientInfoType = SecCmsRecipientInfoIDKeyTrans;
rid->identifierType = type;
if (type == SecCmsRecipientIDIssuerSN) {
rid->id.issuerAndSN = CERT_GetCertIssuerAndSN(poolp, cert);
if (rid->id.issuerAndSN == NULL) {
break;
}
} else if (type == SecCmsRecipientIDSubjectKeyID){
rid->id.subjectKeyID = PORT_ArenaNew(poolp, SecAsn1Item);
if (rid->id.subjectKeyID == NULL) {
rv = SECFailure;
PORT_SetError(SEC_ERROR_NO_MEMORY);
break;
}
SECITEM_CopyItem(poolp, rid->id.subjectKeyID, subjKeyID);
if (rid->id.subjectKeyID->Data == NULL) {
rv = SECFailure;
PORT_SetError(SEC_ERROR_NO_MEMORY);
break;
}
#if 0
SecCmsKeyTransRecipientInfoEx *riExtra;
riExtra = &ri->ri.keyTransRecipientInfoEx;
riExtra->version = 0;
riExtra->pubKey = SECKEY_CopyPublicKey(pubKey);
if (riExtra->pubKey == NULL) {
rv = SECFailure;
PORT_SetError(SEC_ERROR_NO_MEMORY);
break;
}
#endif
} else {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
rv = SECFailure;
}
break;
case SEC_OID_MISSI_KEA_DSS_OLD:
case SEC_OID_MISSI_KEA_DSS:
case SEC_OID_MISSI_KEA:
PORT_Assert(type != SecCmsRecipientIDSubjectKeyID);
if (type == SecCmsRecipientIDSubjectKeyID) {
rv = SECFailure;
break;
}
/* backward compatibility - this is not really a keytrans operation */
ri->recipientInfoType = SecCmsRecipientInfoIDKeyTrans;
/* hardcoded issuerSN choice for now */
ri->ri.keyTransRecipientInfo.recipientIdentifier.identifierType = SecCmsRecipientIDIssuerSN;
ri->ri.keyTransRecipientInfo.recipientIdentifier.id.issuerAndSN = CERT_GetCertIssuerAndSN(poolp, cert);
if (ri->ri.keyTransRecipientInfo.recipientIdentifier.id.issuerAndSN == NULL) {
rv = SECFailure;
break;
}
break;
case SEC_OID_X942_DIFFIE_HELMAN_KEY: /* dh-public-number */
PORT_Assert(type != SecCmsRecipientIDSubjectKeyID);
if (type == SecCmsRecipientIDSubjectKeyID) {
rv = SECFailure;
break;
}
/* a key agreement op */
ri->recipientInfoType = SecCmsRecipientInfoIDKeyAgree;
if (ri->ri.keyTransRecipientInfo.recipientIdentifier.id.issuerAndSN == NULL) {
rv = SECFailure;
break;
}
/* we do not support the case where multiple recipients
* share the same KeyAgreeRecipientInfo and have multiple RecipientEncryptedKeys
* in this case, we would need to walk all the recipientInfos, take the
* ones that do KeyAgreement algorithms and join them, algorithm by algorithm
* Then, we'd generate ONE ukm and OriginatorIdentifierOrKey */
/* only epheremal-static Diffie-Hellman is supported for now
* this is the only form of key agreement that provides potential anonymity
* of the sender, plus we do not have to include certs in the message */
/* force single recipientEncryptedKey for now */
if ((rek = SecCmsRecipientEncryptedKeyCreate(poolp)) == NULL) {
rv = SECFailure;
break;
}
/* hardcoded IssuerSN choice for now */
rek->recipientIdentifier.identifierType = SecCmsKeyAgreeRecipientIDIssuerSN;
if ((rek->recipientIdentifier.id.issuerAndSN = CERT_GetCertIssuerAndSN(poolp, cert)) == NULL) {
rv = SECFailure;
break;
}
oiok = &(ri->ri.keyAgreeRecipientInfo.originatorIdentifierOrKey);
/* see RFC2630 12.3.1.1 */
oiok->identifierType = SecCmsOriginatorIDOrKeyOriginatorPublicKey;
rv = SecCmsArrayAdd(poolp, (void ***)&ri->ri.keyAgreeRecipientInfo.recipientEncryptedKeys,
(void *)rek);
break;
default:
/* other algorithms not supported yet */
/* NOTE that we do not support any KEK algorithm */
PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
rv = SECFailure;
break;
}
if (rv == SECFailure)
goto loser;
/* set version */
switch (ri->recipientInfoType) {
case SecCmsRecipientInfoIDKeyTrans:
if (ri->ri.keyTransRecipientInfo.recipientIdentifier.identifierType == SecCmsRecipientIDIssuerSN)
version = SEC_CMS_KEYTRANS_RECIPIENT_INFO_VERSION_ISSUERSN;
else
version = SEC_CMS_KEYTRANS_RECIPIENT_INFO_VERSION_SUBJKEY;
dummy = SEC_ASN1EncodeInteger(poolp, &(ri->ri.keyTransRecipientInfo.version), version);
if (dummy == NULL)
goto loser;
break;
case SecCmsRecipientInfoIDKeyAgree:
dummy = SEC_ASN1EncodeInteger(poolp, &(ri->ri.keyAgreeRecipientInfo.version),
SEC_CMS_KEYAGREE_RECIPIENT_INFO_VERSION);
if (dummy == NULL)
goto loser;
break;
case SecCmsRecipientInfoIDKEK:
/* NOTE: this cannot happen as long as we do not support any KEK algorithm */
dummy = SEC_ASN1EncodeInteger(poolp, &(ri->ri.kekRecipientInfo.version),
SEC_CMS_KEK_RECIPIENT_INFO_VERSION);
if (dummy == NULL)
goto loser;
break;
}
if (SecCmsEnvelopedDataAddRecipient(envd, ri))
goto loser;
PORT_ArenaUnmark (poolp, mark);
#if 0
if (freeSpki)
SECKEY_DestroySubjectPublicKeyInfo(freeSpki);
#endif
return ri;
loser:
#if 0
if (freeSpki)
SECKEY_DestroySubjectPublicKeyInfo(freeSpki);
#endif
PORT_ArenaRelease (poolp, mark);
return NULL;
}
OSStatus
SecCmsRecipientInfoWrapBulkKey(SecCmsRecipientInfoRef ri, SecSymmetricKeyRef bulkkey,
SECOidTag bulkalgtag)
{
SecCertificateRef cert;
SECOidTag certalgtag;
OSStatus rv = SECSuccess;
#if 0
SecAsn1Item * params = NULL;
SecCmsRecipientEncryptedKey *rek;
SecCmsOriginatorIdentifierOrKey *oiok;
#endif /* 0 */
const SECAlgorithmID *algid;
PLArenaPool *poolp;
SecCmsKeyTransRecipientInfoEx *extra = NULL;
Boolean usesSubjKeyID;
poolp = ri->envelopedData->contentInfo.cmsg->poolp;
cert = ri->cert;
usesSubjKeyID = nss_cmsrecipientinfo_usessubjectkeyid(ri);
if (cert) {
#if USE_CDSA_CRYPTO
rv = SecCertificateGetAlgorithmID(cert,&algid);
if (rv)
return SECFailure;
#else
SECAlgorithmID freeAlgID;
const SecAsn1AlgId *length_data_swapped = (const SecAsn1AlgId *)SecCertificateGetPublicKeyAlgorithm(cert);
freeAlgID.algorithm.Length = (size_t)length_data_swapped->algorithm.Data;
freeAlgID.algorithm.Data = (uint8_t *)length_data_swapped->algorithm.Length;
freeAlgID.parameters.Length = (size_t)length_data_swapped->parameters.Data;
freeAlgID.parameters.Data = (uint8_t *)length_data_swapped->parameters.Length;
algid = &freeAlgID;
#endif
} else if (usesSubjKeyID) {
extra = &ri->ri.keyTransRecipientInfoEx;
/* sanity check */
PORT_Assert(extra->pubKey);
if (!extra->pubKey) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
#if USE_CDSA_CRYPTO
rv = SecKeyGetAlgorithmID(extra->pubKey,&algid);
if (rv)
#endif
return SECFailure;
certalgtag = SECOID_GetAlgorithmTag(algid);
} else {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
/* XXX set ri->recipientInfoType to the proper value here */
/* or should we look if it's been set already ? */
certalgtag = SECOID_GetAlgorithmTag(algid);
switch (certalgtag) {
case SEC_OID_PKCS1_RSA_ENCRYPTION:
/* wrap the symkey */
if (cert) {
rv = SecCmsUtilEncryptSymKeyRSA(poolp, cert, bulkkey,
&ri->ri.keyTransRecipientInfo.encKey);
if (rv != SECSuccess)
break;
} else if (usesSubjKeyID) {
PORT_Assert(extra != NULL);
rv = SecCmsUtilEncryptSymKeyRSAPubKey(poolp, extra->pubKey,
bulkkey, &ri->ri.keyTransRecipientInfo.encKey);
if (rv != SECSuccess)
break;
}
rv = SECOID_SetAlgorithmID(poolp, &(ri->ri.keyTransRecipientInfo.keyEncAlg), certalgtag, NULL);
break;
#if 0
case SEC_OID_MISSI_KEA_DSS_OLD:
case SEC_OID_MISSI_KEA_DSS:
case SEC_OID_MISSI_KEA:
rv = SecCmsUtilEncryptSymKeyMISSI(poolp, cert, bulkkey,
bulkalgtag,
&ri->ri.keyTransRecipientInfo.encKey,
¶ms, ri->cmsg->pwfn_arg);
if (rv != SECSuccess)
break;
/* here, we DO need to pass the params to the wrap function because, with
* RSA, there is no funny stuff going on with generation of IV vectors or so */
rv = SECOID_SetAlgorithmID(poolp, &(ri->ri.keyTransRecipientInfo.keyEncAlg), certalgtag, params);
break;
case SEC_OID_X942_DIFFIE_HELMAN_KEY: /* dh-public-number */
rek = ri->ri.keyAgreeRecipientInfo.recipientEncryptedKeys[0];
if (rek == NULL) {
rv = SECFailure;
break;
}
oiok = &(ri->ri.keyAgreeRecipientInfo.originatorIdentifierOrKey);
PORT_Assert(oiok->identifierType == SecCmsOriginatorIDOrKeyOriginatorPublicKey);
/* see RFC2630 12.3.1.1 */
if (SECOID_SetAlgorithmID(poolp, &oiok->id.originatorPublicKey.algorithmIdentifier,
SEC_OID_X942_DIFFIE_HELMAN_KEY, NULL) != SECSuccess) {
rv = SECFailure;
break;
}
/* this will generate a key pair, compute the shared secret, */
/* derive a key and ukm for the keyEncAlg out of it, encrypt the bulk key with */
/* the keyEncAlg, set encKey, keyEncAlg, publicKey etc. */
rv = SecCmsUtilEncryptSymKeyESDH(poolp, cert, bulkkey,
&rek->encKey,
&ri->ri.keyAgreeRecipientInfo.ukm,
&ri->ri.keyAgreeRecipientInfo.keyEncAlg,
&oiok->id.originatorPublicKey.publicKey);
break;
#endif /* 0 */
default:
/* other algorithms not supported yet */
/* NOTE that we do not support any KEK algorithm */
PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
rv = SECFailure;
break;
}
#if 0
if (freeSpki)
SECKEY_DestroySubjectPublicKeyInfo(freeSpki);
#endif
return rv;
}
OSStatus
SecCmsUtilEncryptSymKeyMISSI(PLArenaPool *poolp, SecCertificateRef cert, SecSymmetricKeyRef bulkkey,
SECOidTag symalgtag, SecAsn1Item * encKey, SecAsn1Item * *pparams, void *pwfn_arg)
{
SECOidTag certalgtag; /* the certificate's encryption algorithm */
SECOidTag encalgtag; /* the algorithm used for key exchange/agreement */
OSStatus rv = SECFailure;
SecAsn1Item * params = NULL;
OSStatus err;
SecSymmetricKeyRef tek;
SecCertificateRef ourCert;
SecPublicKeyRef ourPubKey, *publickey = NULL;
SecPrivateKeyRef ourPrivKey = NULL;
SecCmsKEATemplateSelector whichKEA = SecCmsKEAInvalid;
SecCmsSMIMEKEAParameters keaParams;
PLArenaPool *arena = NULL;
const SECAlgorithmID *algid;
/* Clear keaParams, since cleanup code checks the lengths */
(void) memset(&keaParams, 0, sizeof(keaParams));
#if USE_CDSA_CRYPTO
SecCertificateGetAlgorithmID(cert,&algid);
#endif
certalgtag = SECOID_GetAlgorithmTag(algid);
PORT_Assert(certalgtag == SEC_OID_MISSI_KEA_DSS_OLD ||
certalgtag == SEC_OID_MISSI_KEA_DSS ||
certalgtag == SEC_OID_MISSI_KEA);
#define SMIME_FORTEZZA_RA_LENGTH 128
#define SMIME_FORTEZZA_IV_LENGTH 24
#define SMIME_FORTEZZA_MAX_KEY_SIZE 256
/* We really want to show our KEA tag as the key exchange algorithm tag. */
encalgtag = SEC_OID_NETSCAPE_SMIME_KEA;
/* Get the public key of the recipient. */
publickey = CERT_ExtractPublicKey(cert);
if (publickey == NULL) goto loser;
/* Find our own cert, and extract its keys. */
ourCert = PK11_FindBestKEAMatch(cert, pwfn_arg);
if (ourCert == NULL) goto loser;
arena = PORT_NewArena(1024);
if (arena == NULL)
goto loser;
ourPubKey = CERT_ExtractPublicKey(ourCert);
if (ourPubKey == NULL) {
CERT_DestroyCertificate(ourCert);
goto loser;
}
/* While we're here, copy the public key into the outgoing
* KEA parameters. */
SECITEM_CopyItem(arena, &(keaParams.originatorKEAKey), &(ourPubKey->u.fortezza.KEAKey));
SECKEY_DestroyPublicKey(ourPubKey);
ourPubKey = NULL;
/* Extract our private key in order to derive the KEA key. */
ourPrivKey = PK11_FindKeyByAnyCert(ourCert, pwfn_arg);
CERT_DestroyCertificate(ourCert); /* we're done with this */
if (!ourPrivKey)
goto loser;
/* Prepare raItem with 128 bytes (filled with zeros). */
keaParams.originatorRA.Data = (unsigned char *)PORT_ArenaAlloc(arena,SMIME_FORTEZZA_RA_LENGTH);
keaParams.originatorRA.Length = SMIME_FORTEZZA_RA_LENGTH;
/* Generate the TEK (token exchange key) which we use
* to wrap the bulk encryption key. (keaparams.originatorRA) will be
* filled with a random seed which we need to send to
* the recipient. (user keying material in RFC2630/DSA speak) */
tek = PK11_PubDerive(ourPrivKey, publickey, PR_TRUE,
&keaParams.originatorRA, NULL,
CKM_KEA_KEY_DERIVE, CKM_SKIPJACK_WRAP,
CKA_WRAP, 0, pwfn_arg);
SECKEY_DestroyPublicKey(publickey);
SECKEY_DestroyPrivateKey(ourPrivKey);
publickey = NULL;
ourPrivKey = NULL;
if (!tek)
goto loser;
/* allocate space for the wrapped key data */
encKey->Data = (unsigned char *)PORT_ArenaAlloc(poolp, SMIME_FORTEZZA_MAX_KEY_SIZE);
encKey->Length = SMIME_FORTEZZA_MAX_KEY_SIZE;
if (encKey->Data == NULL) {
CFRelease(tek);
goto loser;
}
/* Wrap the bulk key. What we do with the resulting data
depends on whether we're using Skipjack to wrap the key. */
switch (PK11_AlgtagToMechanism(symalgtag)) {
case CKM_SKIPJACK_CBC64:
case CKM_SKIPJACK_ECB64:
case CKM_SKIPJACK_OFB64:
case CKM_SKIPJACK_CFB64:
case CKM_SKIPJACK_CFB32:
case CKM_SKIPJACK_CFB16:
case CKM_SKIPJACK_CFB8:
/* SKIPJACK, we use the wrap mechanism because we can do it on the hardware */
err = PK11_WrapSymKey(CKM_SKIPJACK_WRAP, NULL, tek, bulkkey, encKey);
whichKEA = SecCmsKEAUsesSkipjack;
break;
default:
/* Not SKIPJACK, we encrypt the raw key data */
keaParams.nonSkipjackIV.Data =
(unsigned char *)PORT_ArenaAlloc(arena, SMIME_FORTEZZA_IV_LENGTH);
keaParams.nonSkipjackIV.Length = SMIME_FORTEZZA_IV_LENGTH;
err = PK11_WrapSymKey(CKM_SKIPJACK_CBC64, &keaParams.nonSkipjackIV, tek, bulkkey, encKey);
if (err != SECSuccess)
goto loser;
if (encKey->Length != PK11_GetKeyLength(bulkkey)) {
/* The size of the encrypted key is not the same as
that of the original bulk key, presumably due to
padding. Encode and store the real size of the
bulk key. */
if (SEC_ASN1EncodeInteger(arena, &keaParams.bulkKeySize, PK11_GetKeyLength(bulkkey)) == NULL)
err = (OSStatus)PORT_GetError();
else
/* use full template for encoding */
whichKEA = SecCmsKEAUsesNonSkipjackWithPaddedEncKey;
}
else
/* enc key length == bulk key length */
whichKEA = SecCmsKEAUsesNonSkipjack;
break;
}
CFRelease(tek);
if (err != SECSuccess)
goto loser;
PORT_Assert(whichKEA != SecCmsKEAInvalid);
/* Encode the KEA parameters into the recipient info. */
params = SEC_ASN1EncodeItem(poolp, NULL, &keaParams, nss_cms_get_kea_template(whichKEA));
if (params == NULL)
goto loser;
/* pass back the algorithm params */
*pparams = params;
rv = SECSuccess;
loser:
if (arena)
PORT_FreeArena(arena, PR_FALSE);
if (publickey)
SECKEY_DestroyPublicKey(publickey);
if (ourPrivKey)
SECKEY_DestroyPrivateKey(ourPrivKey);
return rv;
}
OSStatus
SecCmsRecipientInfoWrapBulkKey(SecCmsRecipientInfoRef ri, SecSymmetricKeyRef bulkkey,
SECOidTag bulkalgtag)
{
SecCertificateRef cert;
SECOidTag certalgtag;
OSStatus rv = SECSuccess;
#if 0
CSSM_DATA_PTR params = NULL;
#endif /* 0 */
SecCmsRecipientEncryptedKey *rek;
SecCmsOriginatorIdentifierOrKey *oiok;
const SECAlgorithmID *algid;
PLArenaPool *poolp;
SecCmsKeyTransRecipientInfoEx *extra = NULL;
Boolean usesSubjKeyID;
uint8 nullData[2] = {SEC_ASN1_NULL, 0};
SECItem nullItem;
SecCmsKeyAgreeRecipientInfo *kari;
poolp = ri->cmsg->poolp;
cert = ri->cert;
usesSubjKeyID = nss_cmsrecipientinfo_usessubjectkeyid(ri);
if (cert) {
rv = SecCertificateGetAlgorithmID(cert,&algid);
if (rv)
return SECFailure;
certalgtag = SECOID_GetAlgorithmTag(algid);
} else if (usesSubjKeyID) {
extra = &ri->ri.keyTransRecipientInfoEx;
/* sanity check */
PORT_Assert(extra->pubKey);
if (!extra->pubKey) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
rv = SecKeyGetAlgorithmID(extra->pubKey,&algid);
if (rv)
return SECFailure;
certalgtag = SECOID_GetAlgorithmTag(algid);
} else {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
/* XXX set ri->recipientInfoType to the proper value here */
/* or should we look if it's been set already ? */
certalgtag = SECOID_GetAlgorithmTag(algid);
switch (certalgtag) {
case SEC_OID_PKCS1_RSA_ENCRYPTION:
/* wrap the symkey */
if (cert) {
rv = SecCmsUtilEncryptSymKeyRSA(poolp, cert, bulkkey,
&ri->ri.keyTransRecipientInfo.encKey);
if (rv != SECSuccess)
break;
} else if (usesSubjKeyID) {
PORT_Assert(extra != NULL);
rv = SecCmsUtilEncryptSymKeyRSAPubKey(poolp, extra->pubKey,
bulkkey, &ri->ri.keyTransRecipientInfo.encKey);
if (rv != SECSuccess)
break;
}
rv = SECOID_SetAlgorithmID(poolp, &(ri->ri.keyTransRecipientInfo.keyEncAlg), certalgtag, NULL);
break;
#if 0
case SEC_OID_MISSI_KEA_DSS_OLD:
case SEC_OID_MISSI_KEA_DSS:
case SEC_OID_MISSI_KEA:
rv = SecCmsUtilEncryptSymKeyMISSI(poolp, cert, bulkkey,
bulkalgtag,
&ri->ri.keyTransRecipientInfo.encKey,
¶ms, ri->cmsg->pwfn_arg);
if (rv != SECSuccess)
break;
/* here, we DO need to pass the params to the wrap function because, with
* RSA, there is no funny stuff going on with generation of IV vectors or so */
rv = SECOID_SetAlgorithmID(poolp, &(ri->ri.keyTransRecipientInfo.keyEncAlg), certalgtag, params);
break;
case SEC_OID_X942_DIFFIE_HELMAN_KEY: /* dh-public-number */
rek = ri->ri.keyAgreeRecipientInfo.recipientEncryptedKeys[0];
if (rek == NULL) {
rv = SECFailure;
break;
}
oiok = &(ri->ri.keyAgreeRecipientInfo.originatorIdentifierOrKey);
PORT_Assert(oiok->identifierType == SecCmsOriginatorIDOrKeyOriginatorPublicKey);
/* see RFC2630 12.3.1.1 */
if (SECOID_SetAlgorithmID(poolp, &oiok->id.originatorPublicKey.algorithmIdentifier,
SEC_OID_X942_DIFFIE_HELMAN_KEY, NULL) != SECSuccess) {
rv = SECFailure;
break;
}
/* this will generate a key pair, compute the shared secret, */
/* derive a key and ukm for the keyEncAlg out of it, encrypt the bulk key with */
/* the keyEncAlg, set encKey, keyEncAlg, publicKey etc. */
rv = SecCmsUtilEncryptSymKeyESDH(poolp, cert, bulkkey,
&rek->encKey,
&ri->ri.keyAgreeRecipientInfo.ukm,
&ri->ri.keyAgreeRecipientInfo.keyEncAlg,
&oiok->id.originatorPublicKey.publicKey);
break;
#endif /* 0 */
case SEC_OID_EC_PUBLIC_KEY:
/* These were set up in nss_cmsrecipientinfo_create() */
kari = &ri->ri.keyAgreeRecipientInfo;
rek = kari->recipientEncryptedKeys[0];
if (rek == NULL) {
rv = SECFailure;
break;
}
oiok = &(kari->originatorIdentifierOrKey);
PORT_Assert(oiok->identifierType == SecCmsOriginatorIDOrKeyOriginatorPublicKey);
/*
* RFC 3278 3.1.1 says this AlgId must contain NULL params which is contrary to
* any other use of the SEC_OID_EC_PUBLIC_KEY OID. So we provide one
* explicitly instead of mucking up the login in SECOID_SetAlgorithmID().
*/
nullItem.Data = nullData;
nullItem.Length = 2;
if (SECOID_SetAlgorithmID(poolp, &oiok->id.originatorPublicKey.algorithmIdentifier,
SEC_OID_EC_PUBLIC_KEY, &nullItem) != SECSuccess) {
rv = SECFailure;
break;
}
/* this will generate a key pair, compute the shared secret, */
/* derive a key and ukm for the keyEncAlg out of it, encrypt the bulk key with */
/* the keyEncAlg, set encKey, keyEncAlg, publicKey etc. */
rv = SecCmsUtilEncryptSymKeyECDH(poolp, cert, bulkkey,
&rek->encKey,
&kari->ukm,
&kari->keyEncAlg,
&oiok->id.originatorPublicKey.publicKey);
/* this is a BIT STRING */
oiok->id.originatorPublicKey.publicKey.Length <<= 3;
break;
default:
/* other algorithms not supported yet */
/* NOTE that we do not support any KEK algorithm */
PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
rv = SECFailure;
break;
}
#if 0
if (freeSpki)
SECKEY_DestroySubjectPublicKeyInfo(freeSpki);
#endif
return rv;
}
/*
* SecCmsSignerInfoSign - sign something
*
*/
OSStatus
SecCmsSignerInfoSign(SecCmsSignerInfoRef signerinfo, CSSM_DATA_PTR digest, CSSM_DATA_PTR contentType)
{
SecCertificateRef cert;
SecPrivateKeyRef privkey = NULL;
SECOidTag digestalgtag;
SECOidTag pubkAlgTag;
CSSM_DATA signature = { 0 };
OSStatus rv;
PLArenaPool *poolp, *tmppoolp = NULL;
const SECAlgorithmID *algID;
SECAlgorithmID freeAlgID;
//CERTSubjectPublicKeyInfo *spki;
PORT_Assert (digest != NULL);
poolp = signerinfo->cmsg->poolp;
switch (signerinfo->signerIdentifier.identifierType) {
case SecCmsSignerIDIssuerSN:
privkey = signerinfo->signingKey;
signerinfo->signingKey = NULL;
cert = signerinfo->cert;
if (SecCertificateGetAlgorithmID(cert,&algID)) {
PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
goto loser;
}
break;
case SecCmsSignerIDSubjectKeyID:
privkey = signerinfo->signingKey;
signerinfo->signingKey = NULL;
#if 0
spki = SECKEY_CreateSubjectPublicKeyInfo(signerinfo->pubKey);
SECKEY_DestroyPublicKey(signerinfo->pubKey);
signerinfo->pubKey = NULL;
SECOID_CopyAlgorithmID(NULL, &freeAlgID, &spki->algorithm);
SECKEY_DestroySubjectPublicKeyInfo(spki);
algID = &freeAlgID;
#else
#if (TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE || TARGET_IPHONE_SIMULATOR))
if (SecKeyGetAlgorithmID(signerinfo->pubKey,&algID)) {
#else
/* TBD: Unify this code. Currently, iOS has an incompatible
* SecKeyGetAlgorithmID implementation. */
if (true) {
#endif
PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
goto loser;
}
CFRelease(signerinfo->pubKey);
signerinfo->pubKey = NULL;
#endif
break;
default:
PORT_SetError(SEC_ERROR_UNSUPPORTED_MESSAGE_TYPE);
goto loser;
}
digestalgtag = SecCmsSignerInfoGetDigestAlgTag(signerinfo);
/*
* XXX I think there should be a cert-level interface for this,
* so that I do not have to know about subjectPublicKeyInfo...
*/
pubkAlgTag = SECOID_GetAlgorithmTag(algID);
if (signerinfo->signerIdentifier.identifierType == SecCmsSignerIDSubjectKeyID) {
SECOID_DestroyAlgorithmID(&freeAlgID, PR_FALSE);
}
#if 0
// @@@ Not yet
/* Fortezza MISSI have weird signature formats.
* Map them to standard DSA formats
*/
pubkAlgTag = PK11_FortezzaMapSig(pubkAlgTag);
#endif
if (signerinfo->authAttr != NULL) {
CSSM_DATA encoded_attrs;
/* find and fill in the message digest attribute. */
rv = SecCmsAttributeArraySetAttr(poolp, &(signerinfo->authAttr),
SEC_OID_PKCS9_MESSAGE_DIGEST, digest, PR_FALSE);
if (rv != SECSuccess)
goto loser;
if (contentType != NULL) {
/* if the caller wants us to, find and fill in the content type attribute. */
rv = SecCmsAttributeArraySetAttr(poolp, &(signerinfo->authAttr),
SEC_OID_PKCS9_CONTENT_TYPE, contentType, PR_FALSE);
if (rv != SECSuccess)
goto loser;
}
if ((tmppoolp = PORT_NewArena (1024)) == NULL) {
PORT_SetError(SEC_ERROR_NO_MEMORY);
goto loser;
}
/*
* Before encoding, reorder the attributes so that when they
* are encoded, they will be conforming DER, which is required
* to have a specific order and that is what must be used for
* the hash/signature. We do this here, rather than building
* it into EncodeAttributes, because we do not want to do
* such reordering on incoming messages (which also uses
* EncodeAttributes) or our old signatures (and other "broken"
* implementations) will not verify. So, we want to guarantee
* that we send out good DER encodings of attributes, but not
* to expect to receive them.
*/
if (SecCmsAttributeArrayReorder(signerinfo->authAttr) != SECSuccess)
goto loser;
encoded_attrs.Data = NULL;
encoded_attrs.Length = 0;
if (SecCmsAttributeArrayEncode(tmppoolp, &(signerinfo->authAttr),
&encoded_attrs) == NULL)
goto loser;
rv = SEC_SignData(&signature, encoded_attrs.Data, (int)encoded_attrs.Length,
privkey, digestalgtag, pubkAlgTag);
PORT_FreeArena(tmppoolp, PR_FALSE); /* awkward memory management :-( */
tmppoolp = 0;
} else {
rv = SGN_Digest(privkey, digestalgtag, pubkAlgTag, &signature, digest);
}
SECKEY_DestroyPrivateKey(privkey);
privkey = NULL;
if (rv != SECSuccess)
goto loser;
if (SECITEM_CopyItem(poolp, &(signerinfo->encDigest), &signature)
!= SECSuccess)
goto loser;
SECITEM_FreeItem(&signature, PR_FALSE);
if(pubkAlgTag == SEC_OID_EC_PUBLIC_KEY) {
/*
* RFC 3278 section section 2.1.1 states that the signatureAlgorithm
* field contains the full ecdsa-with-SHA1 OID, not plain old ecPublicKey
* as would appear in other forms of signed datas. However Microsoft doesn't
* do this, it puts ecPublicKey there, and if we put ecdsa-with-SHA1 there,
* MS can't verify - presumably because it takes the digest of the digest
* before feeding it to ECDSA.
* We handle this with a preference; default if it's not there is
* "Microsoft compatibility mode".
*/
if(!SecCmsMsEcdsaCompatMode()) {
pubkAlgTag = SEC_OID_ECDSA_WithSHA1;
}
/* else violating the spec for compatibility */
}
if (SECOID_SetAlgorithmID(poolp, &(signerinfo->digestEncAlg), pubkAlgTag,
NULL) != SECSuccess)
goto loser;
return SECSuccess;
loser:
if (signature.Length != 0)
SECITEM_FreeItem (&signature, PR_FALSE);
if (privkey)
SECKEY_DestroyPrivateKey(privkey);
if (tmppoolp)
PORT_FreeArena(tmppoolp, PR_FALSE);
return SECFailure;
}
OSStatus
SecCmsSignerInfoVerifyCertificate(SecCmsSignerInfoRef signerinfo, SecKeychainRef keychainOrArray,
CFTypeRef policies, SecTrustRef *trustRef)
{
SecCertificateRef cert;
CFAbsoluteTime stime;
OSStatus rv;
CSSM_DATA_PTR *otherCerts;
if ((cert = SecCmsSignerInfoGetSigningCertificate(signerinfo, keychainOrArray)) == NULL) {
dprintf("SecCmsSignerInfoVerifyCertificate: no signing cert\n");
signerinfo->verificationStatus = SecCmsVSSigningCertNotFound;
return SECFailure;
}
/*
* Get and convert the signing time; if available, it will be used
* both on the cert verification and for importing the sender
* email profile.
*/
CFTypeRef timeStampPolicies=SecPolicyCreateAppleTimeStampingAndRevocationPolicies(policies);
if (SecCmsSignerInfoGetTimestampTimeWithPolicy(signerinfo, timeStampPolicies, &stime) != SECSuccess)
if (SecCmsSignerInfoGetSigningTime(signerinfo, &stime) != SECSuccess)
stime = CFAbsoluteTimeGetCurrent();
CFReleaseSafe(timeStampPolicies);
rv = SecCmsSignedDataRawCerts(signerinfo->sigd, &otherCerts);
if(rv) {
return rv;
}
rv = CERT_VerifyCert(keychainOrArray, cert, otherCerts, policies, stime, trustRef);
dprintfRC("SecCmsSignerInfoVerifyCertificate after vfy: certp %p cert.rc %d\n",
cert, (int)CFGetRetainCount(cert));
if (rv || !trustRef)
{
if (PORT_GetError() == SEC_ERROR_UNTRUSTED_CERT)
{
/* Signature or digest level verificationStatus errors should supercede certificate level errors, so only change the verificationStatus if the status was GoodSignature. */
if (signerinfo->verificationStatus == SecCmsVSGoodSignature)
signerinfo->verificationStatus = SecCmsVSSigningCertNotTrusted;
}
}
/* FIXME isn't this leaking the cert? */
dprintf("SecCmsSignerInfoVerifyCertificate: CertVerify rtn %d\n", (int)rv);
return rv;
}
