/*
 * Tell the decoder that no further CMSDecoderUpdateMessage() input will
 * arrive and let it finish parsing the message. Parsing goes as far as it
 * can, up to but NOT including verification of the individual signerInfos:
 * a successful return therefore says nothing about whether any signature
 * is valid, and callers must not treat it as such.
 *
 * Returns errSecParam for a NULL decoder or one that is not in the
 * DS_Updating state. Otherwise returns the SecCmsDecoderFinish status
 * (mapped through cmsRtnToOSStatus on failure) or, when detached content
 * was supplied for a SignedData, the result of cmsDigestDetachedContent().
 */
OSStatus CMSDecoderFinalizeMessage(
                                   CMSDecoderRef		cmsDecoder)
{
	/* A missing decoder, or one that is not mid-update, is a caller error. */
	if((cmsDecoder == NULL) || (cmsDecoder->decState != DS_Updating)) {
		return errSecParam;
	}
	ASSERT(cmsDecoder->decoder != NULL);

	OSStatus ortn = SecCmsDecoderFinish(cmsDecoder->decoder, &cmsDecoder->cmsMsg);

	/*
	 * SecCmsDecoderFinish destroyed the decoder even on failure, so the
	 * stale pointer is dropped and the state becomes final either way.
	 */
	cmsDecoder->decoder = NULL;
	cmsDecoder->decState = DS_Final;

	if(ortn != 0) {
		ortn = cmsRtnToOSStatus(ortn, errSecUnknownFormat);
		CSSM_PERROR("SecCmsDecoderFinish", ortn);
		return ortn;
	}

	ASSERT(cmsDecoder->cmsMsg != NULL);
	cmsDecoder->wasEncrypted = SecCmsMessageIsEncrypted(cmsDecoder->cmsMsg);

	/* Walk the content levels until a SignedData has been recorded. */
	int levelCount = SecCmsMessageContentLevelCount(cmsDecoder->cmsMsg);
	for(int level = 0; level < levelCount; level++) {
		SecCmsContentInfoRef levelInfo =
			SecCmsMessageContentLevel(cmsDecoder->cmsMsg, level);

		if(SecCmsContentInfoGetContentTypeTag(levelInfo) == SEC_OID_PKCS7_SIGNED_DATA) {
			cmsDecoder->signedData =
				(SecCmsSignedDataRef)SecCmsContentInfoGetContent(levelInfo);
			/* The eContentType lives one layer further down. */
			SecCmsContentInfoRef innerInfo =
				SecCmsSignedDataGetContentInfo(cmsDecoder->signedData);
			cmsDecoder->eContentType = SecCmsContentInfoGetContentTypeOID(innerInfo);
		}

		if(cmsDecoder->signedData != NULL) {
			break;
		}
	}

	/* SignedData is optional; without one there is nothing more to do. */
	if(cmsDecoder->signedData == NULL) {
		return ortn;
	}

	/* Minimal processing only: count the signers, do not verify them. */
	cmsDecoder->numSigners = (size_t)
		SecCmsSignedDataSignerInfoCount(cmsDecoder->signedData);

	if(cmsDecoder->detachedContent == NULL) {
		return ortn;
	}

	/* Detached content was supplied: its digests are computed now. */
	ortn = cmsDigestDetachedContent(cmsDecoder);
	return ortn;
}
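/*
 * Set up a SecCmsMessageRef for a SignedData creation.
 *
 * Builds the object chain message -> signedData -> data on
 * cmsEncoder->cmsMsg (destroying any message already stored there),
 * attaches the optional per-SignedData certificates, and adds one
 * SignerInfo per identity in cmsEncoder->signers, each carrying the signed
 * attributes selected in cmsEncoder->signedAttributes.
 *
 * Returns 0 on success, errSecInternalComponent when one of the
 * SecCms*Create calls yields NULL, or the failing call's status (SecCms
 * statuses are mapped through cmsRtnToOSStatus).
 *
 * Side effects visible here: cmsEncoder->signingTime is set to the current
 * time if it was 0 and the signing-time attribute is requested, and
 * cmsEncoder->hashAgilityAttrValue is released once it has been handed to
 * the SMIME library.
 */
static OSStatus cmsSetupForSignedData(
	CMSEncoderRef		cmsEncoder)
{
	ASSERT((cmsEncoder->signers != NULL) || (cmsEncoder->otherCerts != NULL));

	SecCmsContentInfoRef contentInfo = NULL;
	SecCmsSignedDataRef signedData = NULL;
	OSStatus ortn;

	/* build chain of objects: message->signedData->data */
	if(cmsEncoder->cmsMsg != NULL) {
		SecCmsMessageDestroy(cmsEncoder->cmsMsg);
	}
	cmsEncoder->cmsMsg = SecCmsMessageCreate(NULL);
	if(cmsEncoder->cmsMsg == NULL) {
		return errSecInternalComponent;
	}

	signedData = SecCmsSignedDataCreate(cmsEncoder->cmsMsg);
	if(signedData == NULL) {
		return errSecInternalComponent;
	}
	contentInfo = SecCmsMessageGetContentInfo(cmsEncoder->cmsMsg);
	ortn = SecCmsContentInfoSetContentSignedData(cmsEncoder->cmsMsg, contentInfo,
			signedData);
	if(ortn) {
		return cmsRtnToOSStatus(ortn);
	}
	contentInfo = SecCmsSignedDataGetContentInfo(signedData);
	if(cmsEncoder->eContentType.Data != NULL) {
		/* Override the default eContentType of id-data */
		ortn = SecCmsContentInfoSetContentOther(cmsEncoder->cmsMsg,
			contentInfo,
			NULL,		/* data - provided to encoder, not here */
			cmsEncoder->detachedContent,
			&cmsEncoder->eContentType);
	}
	else {
		ortn = SecCmsContentInfoSetContentData(cmsEncoder->cmsMsg,
			contentInfo,
			NULL, /* data - provided to encoder, not here */
			cmsEncoder->detachedContent);
	}
	if(ortn) {
		ortn = cmsRtnToOSStatus(ortn);
		CSSM_PERROR("SecCmsContentInfoSetContent*", ortn);
		return ortn;
	}

	/* optional 'global' (per-SignedData) certs */
	if(cmsEncoder->otherCerts != NULL) {
		ortn = SecCmsSignedDataAddCertList(signedData, cmsEncoder->otherCerts);
		if(ortn) {
			ortn = cmsRtnToOSStatus(ortn);
			CSSM_PERROR("SecCmsSignedDataAddCertList", ortn);
			return ortn;
		}
	}

	/* SignerInfos, one per signer */
	CFIndex numSigners = 0;
	if(cmsEncoder->signers != NULL) {
		/* this is optional...in case we're just creating a cert bundle */
		numSigners = CFArrayGetCount(cmsEncoder->signers);
	}
	CFIndex dex;
	SecCertificateRef ourCert = NULL;
	/* Set once the hash agility value has been passed to the SMIME library. */
	int hashAgilityValueUsed = 0;

	/*
	 * Map the encoder's chain mode onto the SMIME library's. Any value not
	 * listed below keeps the SecCmsCMCertChain default.
	 */
	SecCmsCertChainMode chainMode = SecCmsCMCertChain;
	switch(cmsEncoder->chainMode) {
		case kCMSCertificateNone:
			chainMode = SecCmsCMNone;
			break;
		case kCMSCertificateSignerOnly:
			chainMode = SecCmsCMCertOnly;
			break;
		case kCMSCertificateChainWithRoot:
			chainMode = SecCmsCMCertChainWithRoot;
			break;
		default:
			break;
	}

	for(dex=0; dex<numSigners; dex++) {
		SecCmsSignerInfoRef signerInfo;

		SecIdentityRef ourId =
			(SecIdentityRef)CFArrayGetValueAtIndex(cmsEncoder->signers, dex);
		ortn = SecIdentityCopyCertificate(ourId, &ourCert);
		if(ortn) {
			CSSM_PERROR("SecIdentityCopyCertificate", ortn);
			break;
		}
		signerInfo = SecCmsSignerInfoCreate(cmsEncoder->cmsMsg, ourId, cmsEncoder->digestalgtag);
		if (signerInfo == NULL) {
			ortn = errSecInternalComponent;
			break;
		}

		/* we want the cert chain included for this one */
		/* NOTE the usage parameter is currently unused by the SMIME lib */
		ortn = SecCmsSignerInfoIncludeCerts(signerInfo, chainMode,
			certUsageEmailSigner);
		if(ortn) {
			ortn = cmsRtnToOSStatus(ortn);
			CSSM_PERROR("SecCmsSignerInfoIncludeCerts", ortn);
			break;
		}

		/* other options */
		if(cmsEncoder->signedAttributes & kCMSAttrSmimeCapabilities) {
			ortn = SecCmsSignerInfoAddSMIMECaps(signerInfo);
			if(ortn) {
				ortn = cmsRtnToOSStatus(ortn);
				/* Log under the call that actually failed, so the error is not
				 * attributed to the encryption-key-preference path. */
				CSSM_PERROR("SecCmsSignerInfoAddSMIMECaps", ortn);
				break;
			}
		}
		if(cmsEncoder->signedAttributes & kCMSAttrSmimeEncryptionKeyPrefs) {
			ortn = SecCmsSignerInfoAddSMIMEEncKeyPrefs(signerInfo, ourCert, NULL);
			if(ortn) {
				ortn = cmsRtnToOSStatus(ortn);
				CSSM_PERROR("SecCmsSignerInfoAddSMIMEEncKeyPrefs", ortn);
				break;
			}
		}
		if(cmsEncoder->signedAttributes & kCMSAttrSmimeMSEncryptionKeyPrefs) {
			ortn = SecCmsSignerInfoAddMSSMIMEEncKeyPrefs(signerInfo, ourCert, NULL);
			if(ortn) {
				ortn = cmsRtnToOSStatus(ortn);
				CSSM_PERROR("SecCmsSignerInfoAddMSSMIMEEncKeyPrefs", ortn);
				break;
			}
		}
		if(cmsEncoder->signedAttributes & kCMSAttrSigningTime) {
			/* An unset (0) signing time means "now"; it is then reused for
			 * every remaining signer. */
			if (cmsEncoder->signingTime == 0) {
				cmsEncoder->signingTime = CFAbsoluteTimeGetCurrent();
			}
			ortn = SecCmsSignerInfoAddSigningTime(signerInfo, cmsEncoder->signingTime);
			if(ortn) {
				ortn = cmsRtnToOSStatus(ortn);
				CSSM_PERROR("SecCmsSignerInfoAddSigningTime", ortn);
				break;
			}
		}
		if(cmsEncoder->signedAttributes & kCMSAttrAppleCodesigningHashAgility) {
			/*
			 * The value must stay alive for every signer. Releasing it here
			 * would hand NULL to this call for each signer after the first;
			 * how the SMIME library treats a NULL value is not visible in
			 * this file, so the release is deferred until after the loop.
			 */
			ortn = SecCmsSignerInfoAddAppleCodesigningHashAgility(signerInfo, cmsEncoder->hashAgilityAttrValue);
			hashAgilityValueUsed = 1;
			if(ortn) {
				ortn = cmsRtnToOSStatus(ortn);
				CSSM_PERROR("SecCmsSignerInfoAddAppleCodesigningHashAgility", ortn);
				break;
			}
		}

		ortn = SecCmsSignedDataAddSignerInfo(signedData, signerInfo);
		if(ortn) {
			ortn = cmsRtnToOSStatus(ortn);
			CSSM_PERROR("SecCmsSignedDataAddSignerInfo", ortn);
			break;
		}

		CFRELEASE(ourCert);
		ourCert = NULL;
	}

	if(hashAgilityValueUsed) {
		/* libsecurity_smime made a copy of the attribute value. We don't need it anymore. */
		CFReleaseNull(cmsEncoder->hashAgilityAttrValue);
	}
	if(ortn) {
		/* An early break leaves the current signer's cert unreleased. */
		CFRELEASE(ourCert);
	}
	return ortn;
}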