1/* 2 * The contents of this file are subject to the Mozilla Public 3 * License Version 1.1 (the "License"); you may not use this file 4 * except in compliance with the License. You may obtain a copy of 5 * the License at http://www.mozilla.org/MPL/ 6 * 7 * Software distributed under the License is distributed on an "AS 8 * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or 9 * implied. See the License for the specific language governing 10 * rights and limitations under the License. 11 * 12 * The Original Code is the Netscape security libraries. 13 * 14 * The Initial Developer of the Original Code is Netscape 15 * Communications Corporation. Portions created by Netscape are 16 * Copyright (C) 1994-2000 Netscape Communications Corporation. All 17 * Rights Reserved. 18 * 19 * Contributor(s): 20 * 21 * Alternatively, the contents of this file may be used under the 22 * terms of the GNU General Public License Version 2 or later (the 23 * "GPL"), in which case the provisions of the GPL are applicable 24 * instead of those above. If you wish to allow use of your 25 * version of this file only under the terms of the GPL and not to 26 * allow others to use your version of this file under the MPL, 27 * indicate your decision by deleting the provisions above and 28 * replace them with the notice and other provisions required by 29 * the GPL. If you do not delete the provisions above, a recipient 30 * may use your version of this file under either the MPL or the 31 * GPL. 32 */ 33 34/* 35 * Interfaces of the CMS implementation. 36 */ 37 38#ifndef _CMSPRIV_H_ 39#define _CMSPRIV_H_ 40 41#include <Security/SecTrust.h> 42#include "cmstpriv.h" 43 44/************************************************************************/ 45SEC_BEGIN_PROTOS 46 47 48/************************************************************************ 49 * cmsutil.c - CMS misc utility functions 50 ************************************************************************/ 51 52 53/* 54 * SecCmsArraySortByDER - sort array of objects by objects' DER encoding 55 * 56 * make sure that the order of the objects guarantees valid DER (which must be 57 * in lexigraphically ascending order for a SET OF); if reordering is necessary it 58 * will be done in place (in objs). 59 */ 60extern OSStatus 61SecCmsArraySortByDER(void **objs, const SecAsn1Template *objtemplate, void **objs2); 62 63/* 64 * SecCmsUtilDERCompare - for use with SecCmsArraySort to 65 * sort arrays of CSSM_DATAs containing DER 66 */ 67extern int 68SecCmsUtilDERCompare(void *a, void *b); 69 70/* 71 * SecCmsAlgArrayGetIndexByAlgID - find a specific algorithm in an array of 72 * algorithms. 73 * 74 * algorithmArray - array of algorithm IDs 75 * algid - algorithmid of algorithm to pick 76 * 77 * Returns: 78 * An integer containing the index of the algorithm in the array or -1 if 79 * algorithm was not found. 80 */ 81extern int 82SecCmsAlgArrayGetIndexByAlgID(SECAlgorithmID **algorithmArray, SECAlgorithmID *algid); 83 84/* 85 * SecCmsAlgArrayGetIndexByAlgID - find a specific algorithm in an array of 86 * algorithms. 87 * 88 * algorithmArray - array of algorithm IDs 89 * algiddata - id of algorithm to pick 90 * 91 * Returns: 92 * An integer containing the index of the algorithm in the array or -1 if 93 * algorithm was not found. 94 */ 95extern int 96SecCmsAlgArrayGetIndexByAlgTag(SECAlgorithmID **algorithmArray, SECOidTag algtag); 97 98extern CSSM_CC_HANDLE 99SecCmsUtilGetHashObjByAlgID(SECAlgorithmID *algid); 100 101/* 102 * XXX I would *really* like to not have to do this, but the current 103 * signing interface gives me little choice. 104 */ 105extern SECOidTag 106SecCmsUtilMakeSignatureAlgorithm(SECOidTag hashalg, SECOidTag encalg); 107 108extern const SecAsn1Template * 109SecCmsUtilGetTemplateByTypeTag(SECOidTag type); 110 111extern size_t 112SecCmsUtilGetSizeByTypeTag(SECOidTag type); 113 114extern SecCmsContentInfoRef 115SecCmsContentGetContentInfo(void *msg, SECOidTag type); 116 117/************************************************************************ 118* cmsmessage.c - CMS message methods 119************************************************************************/ 120 121/*! 122@function 123 @abstract Set up a CMS message object for encoding or decoding. 124 @discussion used internally. 125 @param cmsg Pointer to a SecCmsMessage object 126 @param pwfn callback function for getting token password for enveloped 127 data content with a password recipient. 128 @param pwfn_arg first argument passed to pwfn when it is called. 129 @param encrypt_key_cb callback function for getting bulk key for encryptedData content. 130 @param encrypt_key_cb_arg first argument passed to encrypt_key_cb when it is 131 called. 132 @param detached_digestalgs digest algorithms in detached_digests 133 @param detached_digests digests from detached content (one for every element 134 in detached_digestalgs). 135 */ 136extern void 137SecCmsMessageSetEncodingParams(SecCmsMessageRef cmsg, 138 PK11PasswordFunc pwfn, void *pwfn_arg, 139 SecCmsGetDecryptKeyCallback encrypt_key_cb, void *encrypt_key_cb_arg, 140 SECAlgorithmID **detached_digestalgs, CSSM_DATA_PTR *detached_digests); 141 142extern void 143SecCmsMessageSetTSACallback(SecCmsMessageRef cmsg, SecCmsTSACallback tsaCallback); 144 145extern void 146SecCmsMessageSetTSAContext(SecCmsMessageRef cmsg, const void *tsaContext); //CFTypeRef 147 148/************************************************************************ 149 * cmscinfo.c - CMS contentInfo methods 150 ************************************************************************/ 151 152/*! 153 Destroy a CMS contentInfo and all of its sub-pieces. 154 @param cinfo The contentInfo object to destroy. 155 */ 156extern void 157SecCmsContentInfoDestroy(SecCmsContentInfoRef cinfo); 158 159/* 160 * SecCmsContentInfoSetContent - set cinfo's content type & content to CMS object 161 */ 162extern OSStatus 163SecCmsContentInfoSetContent(SecCmsMessageRef cmsg, SecCmsContentInfoRef cinfo, SECOidTag type, void *ptr); 164 165 166/************************************************************************ 167 * cmssigdata.c - CMS signedData methods 168 ************************************************************************/ 169 170extern OSStatus 171SecCmsSignedDataSetDigestValue(SecCmsSignedDataRef sigd, 172 SECOidTag digestalgtag, 173 CSSM_DATA_PTR digestdata); 174 175extern OSStatus 176SecCmsSignedDataAddDigest(SecArenaPoolRef pool, 177 SecCmsSignedDataRef sigd, 178 SECOidTag digestalgtag, 179 CSSM_DATA_PTR digest); 180 181extern CSSM_DATA_PTR 182SecCmsSignedDataGetDigestByAlgTag(SecCmsSignedDataRef sigd, SECOidTag algtag); 183 184extern CSSM_DATA_PTR 185SecCmsSignedDataGetDigestValue(SecCmsSignedDataRef sigd, SECOidTag digestalgtag); 186 187/* 188 * SecCmsSignedDataEncodeBeforeStart - do all the necessary things to a SignedData 189 * before start of encoding. 190 * 191 * In detail: 192 * - find out about the right value to put into sigd->version 193 * - come up with a list of digestAlgorithms (which should be the union of the algorithms 194 * in the signerinfos). 195 * If we happen to have a pre-set list of algorithms (and digest values!), we 196 * check if we have all the signerinfos' algorithms. If not, this is an error. 197 */ 198extern OSStatus 199SecCmsSignedDataEncodeBeforeStart(SecCmsSignedDataRef sigd); 200 201extern OSStatus 202SecCmsSignedDataEncodeBeforeData(SecCmsSignedDataRef sigd); 203 204/* 205 * SecCmsSignedDataEncodeAfterData - do all the necessary things to a SignedData 206 * after all the encapsulated data was passed through the encoder. 207 * 208 * In detail: 209 * - create the signatures in all the SignerInfos 210 * 211 * Please note that nothing is done to the Certificates and CRLs in the message - this 212 * is entirely the responsibility of our callers. 213 */ 214extern OSStatus 215SecCmsSignedDataEncodeAfterData(SecCmsSignedDataRef sigd); 216 217extern OSStatus 218SecCmsSignedDataDecodeBeforeData(SecCmsSignedDataRef sigd); 219 220/* 221 * SecCmsSignedDataDecodeAfterData - do all the necessary things to a SignedData 222 * after all the encapsulated data was passed through the decoder. 223 */ 224extern OSStatus 225SecCmsSignedDataDecodeAfterData(SecCmsSignedDataRef sigd); 226 227/* 228 * SecCmsSignedDataDecodeAfterEnd - do all the necessary things to a SignedData 229 * after all decoding is finished. 230 */ 231extern OSStatus 232SecCmsSignedDataDecodeAfterEnd(SecCmsSignedDataRef sigd); 233 234/* 235 * Get SecCmsSignedDataRawCerts - obtain raw certs as a NULL_terminated array 236 * of pointers. 237 */ 238extern OSStatus SecCmsSignedDataRawCerts(SecCmsSignedDataRef sigd, 239 CSSM_DATA_PTR **rawCerts); 240 241/************************************************************************ 242 * cmssiginfo.c - CMS signerInfo methods 243 ************************************************************************/ 244 245/* 246 * SecCmsSignerInfoSign - sign something 247 * 248 */ 249extern OSStatus 250SecCmsSignerInfoSign(SecCmsSignerInfoRef signerinfo, CSSM_DATA_PTR digest, CSSM_DATA_PTR contentType); 251 252/* 253 * If trustRef is NULL the cert chain is verified and the VerificationStatus is set accordingly. 254 * Otherwise a SecTrust object is returned for the caller to evaluate using SecTrustEvaluate(). 255 */ 256extern OSStatus 257SecCmsSignerInfoVerifyCertificate(SecCmsSignerInfoRef signerinfo, SecKeychainRef keychainOrArray, 258 CFTypeRef policies, SecTrustRef *trustRef); 259 260/* 261 * SecCmsSignerInfoVerify - verify the signature of a single SignerInfo 262 * 263 * Just verifies the signature. The assumption is that verification of the certificate 264 * is done already. 265 */ 266extern OSStatus 267SecCmsSignerInfoVerify(SecCmsSignerInfoRef signerinfo, CSSM_DATA_PTR digest, CSSM_DATA_PTR contentType); 268 269/* 270 * SecCmsSignerInfoVerifyWithPolicy - verify the signature of a single SignerInfo 271 * use the designated policy for timeStamp signer verification 272 * Just verifies the signature. The assumption is that verification of the certificate 273 * is done already. 274 */ 275extern OSStatus 276SecCmsSignerInfoVerifyWithPolicy(SecCmsSignerInfoRef signerinfo,CFTypeRef timeStampPolicy, CSSM_DATA_PTR digest, CSSM_DATA_PTR contentType); 277 278/* 279 * SecCmsSignerInfoAddAuthAttr - add an attribute to the 280 * authenticated (i.e. signed) attributes of "signerinfo". 281 */ 282extern OSStatus 283SecCmsSignerInfoAddAuthAttr(SecCmsSignerInfoRef signerinfo, SecCmsAttribute *attr); 284 285/* 286 * SecCmsSignerInfoAddUnauthAttr - add an attribute to the 287 * unauthenticated attributes of "signerinfo". 288 */ 289extern OSStatus 290SecCmsSignerInfoAddUnauthAttr(SecCmsSignerInfoRef signerinfo, SecCmsAttribute *attr); 291 292extern int 293SecCmsSignerInfoGetVersion(SecCmsSignerInfoRef signerinfo); 294 295/* 296 * Determine whether Microsoft ECDSA compatibility mode is enabled. 297 * See comments in SecCmsSignerInfo.h for details. 298 * Implemented in siginfoUtils.cpp for access to C++ Dictionary class. 299 */ 300extern bool 301SecCmsMsEcdsaCompatMode(); 302 303 304/************************************************************************ 305 * cmsenvdata.c - CMS envelopedData methods 306 ************************************************************************/ 307 308/* 309 * SecCmsEnvelopedDataEncodeBeforeStart - prepare this envelopedData for encoding 310 * 311 * at this point, we need 312 * - recipientinfos set up with recipient's certificates 313 * - a content encryption algorithm (if none, 3DES will be used) 314 * 315 * this function will generate a random content encryption key (aka bulk key), 316 * initialize the recipientinfos with certificate identification and wrap the bulk key 317 * using the proper algorithm for every certificiate. 318 * it will finally set the bulk algorithm and key so that the encode step can find it. 319 */ 320extern OSStatus 321SecCmsEnvelopedDataEncodeBeforeStart(SecCmsEnvelopedDataRef envd); 322 323/* 324 * SecCmsEnvelopedDataEncodeBeforeData - set up encryption 325 */ 326extern OSStatus 327SecCmsEnvelopedDataEncodeBeforeData(SecCmsEnvelopedDataRef envd); 328 329/* 330 * SecCmsEnvelopedDataEncodeAfterData - finalize this envelopedData for encoding 331 */ 332extern OSStatus 333SecCmsEnvelopedDataEncodeAfterData(SecCmsEnvelopedDataRef envd); 334 335/* 336 * SecCmsEnvelopedDataDecodeBeforeData - find our recipientinfo, 337 * derive bulk key & set up our contentinfo 338 */ 339extern OSStatus 340SecCmsEnvelopedDataDecodeBeforeData(SecCmsEnvelopedDataRef envd); 341 342/* 343 * SecCmsEnvelopedDataDecodeAfterData - finish decrypting this envelopedData's content 344 */ 345extern OSStatus 346SecCmsEnvelopedDataDecodeAfterData(SecCmsEnvelopedDataRef envd); 347 348/* 349 * SecCmsEnvelopedDataDecodeAfterEnd - finish decoding this envelopedData 350 */ 351extern OSStatus 352SecCmsEnvelopedDataDecodeAfterEnd(SecCmsEnvelopedDataRef envd); 353 354 355/************************************************************************ 356 * cmsrecinfo.c - CMS recipientInfo methods 357 ************************************************************************/ 358 359extern int 360SecCmsRecipientInfoGetVersion(SecCmsRecipientInfoRef ri); 361 362extern CSSM_DATA_PTR 363SecCmsRecipientInfoGetEncryptedKey(SecCmsRecipientInfoRef ri, int subIndex); 364 365 366extern SECOidTag 367SecCmsRecipientInfoGetKeyEncryptionAlgorithmTag(SecCmsRecipientInfoRef ri); 368 369extern OSStatus 370SecCmsRecipientInfoWrapBulkKey(SecCmsRecipientInfoRef ri, SecSymmetricKeyRef bulkkey, SECOidTag bulkalgtag); 371 372extern SecSymmetricKeyRef 373SecCmsRecipientInfoUnwrapBulkKey(SecCmsRecipientInfoRef ri, int subIndex, 374 SecCertificateRef cert, SecPrivateKeyRef privkey, SECOidTag bulkalgtag); 375 376 377/************************************************************************ 378 * cmsencdata.c - CMS encryptedData methods 379 ************************************************************************/ 380 381/* 382 * SecCmsEncryptedDataEncodeBeforeStart - do all the necessary things to a EncryptedData 383 * before encoding begins. 384 * 385 * In particular: 386 * - set the correct version value. 387 * - get the encryption key 388 */ 389extern OSStatus 390SecCmsEncryptedDataEncodeBeforeStart(SecCmsEncryptedDataRef encd); 391 392/* 393 * SecCmsEncryptedDataEncodeBeforeData - set up encryption 394 */ 395extern OSStatus 396SecCmsEncryptedDataEncodeBeforeData(SecCmsEncryptedDataRef encd); 397 398/* 399 * SecCmsEncryptedDataEncodeAfterData - finalize this encryptedData for encoding 400 */ 401extern OSStatus 402SecCmsEncryptedDataEncodeAfterData(SecCmsEncryptedDataRef encd); 403 404/* 405 * SecCmsEncryptedDataDecodeBeforeData - find bulk key & set up decryption 406 */ 407extern OSStatus 408SecCmsEncryptedDataDecodeBeforeData(SecCmsEncryptedDataRef encd); 409 410/* 411 * SecCmsEncryptedDataDecodeAfterData - finish decrypting this encryptedData's content 412 */ 413extern OSStatus 414SecCmsEncryptedDataDecodeAfterData(SecCmsEncryptedDataRef encd); 415 416/* 417 * SecCmsEncryptedDataDecodeAfterEnd - finish decoding this encryptedData 418 */ 419extern OSStatus 420SecCmsEncryptedDataDecodeAfterEnd(SecCmsEncryptedDataRef encd); 421 422 423/************************************************************************ 424 * cmsdigdata.c - CMS encryptedData methods 425 ************************************************************************/ 426 427/* 428 * SecCmsDigestedDataEncodeBeforeStart - do all the necessary things to a DigestedData 429 * before encoding begins. 430 * 431 * In particular: 432 * - set the right version number. The contentInfo's content type must be set up already. 433 */ 434extern OSStatus 435SecCmsDigestedDataEncodeBeforeStart(SecCmsDigestedDataRef digd); 436 437/* 438 * SecCmsDigestedDataEncodeBeforeData - do all the necessary things to a DigestedData 439 * before the encapsulated data is passed through the encoder. 440 * 441 * In detail: 442 * - set up the digests if necessary 443 */ 444extern OSStatus 445SecCmsDigestedDataEncodeBeforeData(SecCmsDigestedDataRef digd); 446 447/* 448 * SecCmsDigestedDataEncodeAfterData - do all the necessary things to a DigestedData 449 * after all the encapsulated data was passed through the encoder. 450 * 451 * In detail: 452 * - finish the digests 453 */ 454extern OSStatus 455SecCmsDigestedDataEncodeAfterData(SecCmsDigestedDataRef digd); 456 457/* 458 * SecCmsDigestedDataDecodeBeforeData - do all the necessary things to a DigestedData 459 * before the encapsulated data is passed through the encoder. 460 * 461 * In detail: 462 * - set up the digests if necessary 463 */ 464extern OSStatus 465SecCmsDigestedDataDecodeBeforeData(SecCmsDigestedDataRef digd); 466 467/* 468 * SecCmsDigestedDataDecodeAfterData - do all the necessary things to a DigestedData 469 * after all the encapsulated data was passed through the encoder. 470 * 471 * In detail: 472 * - finish the digests 473 */ 474extern OSStatus 475SecCmsDigestedDataDecodeAfterData(SecCmsDigestedDataRef digd); 476 477/* 478 * SecCmsDigestedDataDecodeAfterEnd - finalize a digestedData. 479 * 480 * In detail: 481 * - check the digests for equality 482 */ 483extern OSStatus 484SecCmsDigestedDataDecodeAfterEnd(SecCmsDigestedDataRef digd); 485 486 487/************************************************************************ 488 * cmsdigest.c - CMS encryptedData methods 489 ************************************************************************/ 490 491/* 492 * SecCmsDigestContextStartSingle - same as SecCmsDigestContextStartMultiple, but 493 * only one algorithm. 494 */ 495extern SecCmsDigestContextRef 496SecCmsDigestContextStartSingle(SECAlgorithmID *digestalg); 497 498/* 499 * SecCmsDigestContextFinishSingle - same as SecCmsDigestContextFinishMultiple, 500 * but for one digest. 501 */ 502extern OSStatus 503SecCmsDigestContextFinishSingle(SecCmsDigestContextRef cmsdigcx, SecArenaPoolRef arena, 504 CSSM_DATA_PTR digest); 505 506 507/************************************************************************/ 508SEC_END_PROTOS 509 510#endif /* _CMSPRIV_H_ */ 511