static NSSCMSMessage *
sm_signing_cmsmessage(CamelSMIMEContext *context, const char *nick, SECOidTag hash, int detached, CamelException *ex)
{
struct _CamelSMIMEContextPrivate *p = context->priv;
NSSCMSMessage *cmsg = NULL;
NSSCMSContentInfo *cinfo;
NSSCMSSignedData *sigd;
NSSCMSSignerInfo *signerinfo;
CERTCertificate *cert= NULL, *ekpcert = NULL;
if ((cert = CERT_FindUserCertByUsage(p->certdb,
(char *)nick,
certUsageEmailSigner,
PR_FALSE,
NULL)) == NULL) {
camel_exception_setv(ex, CAMEL_EXCEPTION_SYSTEM, _("Cannot find certificate for '%s'"), nick);
return NULL;
}
cmsg = NSS_CMSMessage_Create(NULL); /* create a message on its own pool */
if (cmsg == NULL) {
camel_exception_set (ex, CAMEL_EXCEPTION_SYSTEM, _("Cannot create CMS message"));
goto fail;
}
if ((sigd = NSS_CMSSignedData_Create(cmsg)) == NULL) {
camel_exception_set (ex, CAMEL_EXCEPTION_SYSTEM, _("Cannot create CMS signed data"));
goto fail;
}
cinfo = NSS_CMSMessage_GetContentInfo(cmsg);
if (NSS_CMSContentInfo_SetContent_SignedData(cmsg, cinfo, sigd) != SECSuccess) {
camel_exception_set (ex, CAMEL_EXCEPTION_SYSTEM, _("Cannot attach CMS signed data"));
goto fail;
}
/* if !detatched, the contentinfo will alloc a data item for us */
cinfo = NSS_CMSSignedData_GetContentInfo(sigd);
if (NSS_CMSContentInfo_SetContent_Data(cmsg, cinfo, NULL, detached) != SECSuccess) {
camel_exception_set (ex, CAMEL_EXCEPTION_SYSTEM, _("Cannot attach CMS data"));
goto fail;
}
signerinfo = NSS_CMSSignerInfo_Create(cmsg, cert, hash);
if (signerinfo == NULL) {
camel_exception_set (ex, CAMEL_EXCEPTION_SYSTEM, _("Cannot create CMS Signer information"));
goto fail;
}
/* we want the cert chain included for this one */
if (NSS_CMSSignerInfo_IncludeCerts(signerinfo, NSSCMSCM_CertChain, certUsageEmailSigner) != SECSuccess) {
camel_exception_set (ex, CAMEL_EXCEPTION_SYSTEM, _("Cannot find certificate chain"));
goto fail;
}
/* SMIME RFC says signing time should always be added */
if (NSS_CMSSignerInfo_AddSigningTime(signerinfo, PR_Now()) != SECSuccess) {
camel_exception_set (ex, CAMEL_EXCEPTION_SYSTEM, _("Cannot add CMS Signing time"));
goto fail;
}
#if 0
/* this can but needn't be added. not sure what general usage is */
if (NSS_CMSSignerInfo_AddSMIMECaps(signerinfo) != SECSuccess) {
fprintf(stderr, "ERROR: cannot add SMIMECaps attribute.\n");
goto loser;
}
#endif
/* Check if we need to send along our return encrypt cert, rfc2633 2.5.3 */
if (p->send_encrypt_key_prefs) {
CERTCertificate *enccert = NULL;
if (p->encrypt_key) {
/* encrypt key has its own nick */
if ((ekpcert = CERT_FindUserCertByUsage(
p->certdb,
p->encrypt_key,
certUsageEmailRecipient, PR_FALSE, NULL)) == NULL) {
camel_exception_setv(ex, CAMEL_EXCEPTION_SYSTEM, _("Encryption certificate for '%s' does not exist"), p->encrypt_key);
goto fail;
}
enccert = ekpcert;
} else if (CERT_CheckCertUsage(cert, certUsageEmailRecipient) == SECSuccess) {
/* encrypt key is signing key */
enccert = cert;
} else {
/* encrypt key uses same nick */
if ((ekpcert = CERT_FindUserCertByUsage(
p->certdb, (char *)nick,
certUsageEmailRecipient, PR_FALSE, NULL)) == NULL) {
camel_exception_setv(ex, CAMEL_EXCEPTION_SYSTEM, _("Encryption certificate for '%s' does not exist"), nick);
goto fail;
}
enccert = ekpcert;
}
if (NSS_CMSSignerInfo_AddSMIMEEncKeyPrefs(signerinfo, enccert, p->certdb) != SECSuccess) {
camel_exception_set (ex, CAMEL_EXCEPTION_SYSTEM, _("Cannot add SMIMEEncKeyPrefs attribute"));
goto fail;
}
if (NSS_CMSSignerInfo_AddMSSMIMEEncKeyPrefs(signerinfo, enccert, p->certdb) != SECSuccess) {
camel_exception_set (ex, CAMEL_EXCEPTION_SYSTEM, _("Cannot add MS SMIMEEncKeyPrefs attribute"));
goto fail;
}
if (ekpcert != NULL && NSS_CMSSignedData_AddCertificate(sigd, ekpcert) != SECSuccess) {
camel_exception_set (ex, CAMEL_EXCEPTION_SYSTEM, _("Cannot add encryption certificate"));
goto fail;
}
}
if (NSS_CMSSignedData_AddSignerInfo(sigd, signerinfo) != SECSuccess) {
camel_exception_set (ex, CAMEL_EXCEPTION_SYSTEM, _("Cannot add CMS Signer information"));
goto fail;
}
if (ekpcert)
CERT_DestroyCertificate(ekpcert);
if (cert)
CERT_DestroyCertificate(cert);
return cmsg;
fail:
if (ekpcert)
CERT_DestroyCertificate(ekpcert);
if (cert)
CERT_DestroyCertificate(cert);
NSS_CMSMessage_Destroy(cmsg);
return NULL;
}
CERTSignedCrl* PK11_ImportCRL(PK11SlotInfo * slot, SECItem *derCRL, char *url,
int type, void *wincx, PRInt32 importOptions, PRArenaPool* arena,
PRInt32 decodeoptions)
{
CERTSignedCrl *newCrl, *crl;
SECStatus rv;
CERTCertificate *caCert = NULL;
newCrl = crl = NULL;
do {
newCrl = CERT_DecodeDERCrlWithFlags(arena, derCRL, type,
decodeoptions);
if (newCrl == NULL) {
if (type == SEC_CRL_TYPE) {
/* only promote error when the error code is too generic */
if (PORT_GetError () == SEC_ERROR_BAD_DER)
PORT_SetError(SEC_ERROR_CRL_INVALID);
} else {
PORT_SetError(SEC_ERROR_KRL_INVALID);
}
break;
}
if (0 == (importOptions & CRL_IMPORT_BYPASS_CHECKS)){
CERTCertDBHandle* handle = CERT_GetDefaultCertDB();
PR_ASSERT(handle != NULL);
caCert = CERT_FindCertByName (handle,
&newCrl->crl.derName);
if (caCert == NULL) {
PORT_SetError(SEC_ERROR_UNKNOWN_ISSUER);
break;
}
/* If caCert is a v3 certificate, make sure that it can be used for
crl signing purpose */
rv = CERT_CheckCertUsage (caCert, KU_CRL_SIGN);
if (rv != SECSuccess) {
break;
}
rv = CERT_VerifySignedData(&newCrl->signatureWrap, caCert,
PR_Now(), wincx);
if (rv != SECSuccess) {
if (type == SEC_CRL_TYPE) {
PORT_SetError(SEC_ERROR_CRL_BAD_SIGNATURE);
} else {
PORT_SetError(SEC_ERROR_KRL_BAD_SIGNATURE);
}
break;
}
}
crl = crl_storeCRL(slot, url, newCrl, derCRL, type);
} while (0);
if (crl == NULL) {
SEC_DestroyCrl (newCrl);
}
if (caCert) {
CERT_DestroyCertificate(caCert);
}
return (crl);
}
