1 files changed, 491 insertions, 0 deletions
diff --git a/security/nss/lib/smime/cmst.h b/security/nss/lib/smime/cmst.h
new file mode 100644
index 0000000000..3d888bc041
--- /dev/null
+++ b/security/nss/lib/smime/cmst.h
@@ -0,0 +1,491 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/*
+ * Header for CMS types.
+ */
+
+#ifndef _CMST_H_
+#define _CMST_H_
+
+#include "seccomon.h"
+#include "secoidt.h"
+#include "certt.h"
+#include "secmodt.h"
+#include "secmodt.h"
+
+#include "plarena.h"
+
+/* Non-opaque objects.  NOTE, though: I want them to be treated as
+ * opaque as much as possible.  If I could hide them completely,
+ * I would.  (I tried, but ran into trouble that was taking me too
+ * much time to get out of.)  I still intend to try to do so.
+ * In fact, the only type that "outsiders" should even *name* is
+ * NSSCMSMessage, and they should not reference its fields.
+ */
+/* rjr: PKCS #11 cert handling (pk11cert.c) does use NSSCMSRecipientInfo's.
+ * This is because when we search the recipient list for the cert and key we
+ * want, we need to invert the order of the loops we used to have. The old
+ * loops were:
+ *
+ *  For each recipient {
+ *       find_cert = PK11_Find_AllCert(recipient->issuerSN);
+ *       [which unrolls to... ]
+ *       For each slot {
+ *            Log into slot;
+ *            search slot for cert;
+ *      }
+ *  }
+ *
+ *  the new loop searchs all the recipients at once on a slot. this allows
+ *  PKCS #11 to order slots in such a way that logout slots don't get checked
+ *  if we can find the cert on a logged in slot. This eliminates lots of
+ *  spurious password prompts when smart cards are installed... so why this
+ *  comment? If you make NSSCMSRecipientInfo completely opaque, you need
+ *  to provide a non-opaque list of issuerSN's (the only field PKCS#11 needs
+ *  and fix up pk11cert.c first. NOTE: Only S/MIME calls this special PKCS #11
+ *  function.
+ */
+
+typedef struct NSSCMSMessageStr NSSCMSMessage;
+
+typedef union NSSCMSContentUnion NSSCMSContent;
+typedef struct NSSCMSContentInfoStr NSSCMSContentInfo;
+
+typedef struct NSSCMSSignedDataStr NSSCMSSignedData;
+typedef struct NSSCMSSignerInfoStr NSSCMSSignerInfo;
+typedef struct NSSCMSSignerIdentifierStr NSSCMSSignerIdentifier;
+
+typedef struct NSSCMSEnvelopedDataStr NSSCMSEnvelopedData;
+typedef struct NSSCMSOriginatorInfoStr NSSCMSOriginatorInfo;
+typedef struct NSSCMSRecipientInfoStr NSSCMSRecipientInfo;
+
+typedef struct NSSCMSDigestedDataStr NSSCMSDigestedData;
+typedef struct NSSCMSEncryptedDataStr NSSCMSEncryptedData;
+
+typedef struct NSSCMSGenericWrapperDataStr NSSCMSGenericWrapperData;
+
+typedef struct NSSCMSAttributeStr NSSCMSAttribute;
+
+typedef struct NSSCMSDecoderContextStr NSSCMSDecoderContext;
+typedef struct NSSCMSEncoderContextStr NSSCMSEncoderContext;
+
+typedef struct NSSCMSCipherContextStr NSSCMSCipherContext;
+typedef struct NSSCMSDigestContextStr NSSCMSDigestContext;
+
+typedef struct NSSCMSContentInfoPrivateStr NSSCMSContentInfoPrivate;
+
+typedef SECStatus (*NSSCMSGenericWrapperDataCallback)(NSSCMSGenericWrapperData *);
+typedef void (*NSSCMSGenericWrapperDataDestroy)(NSSCMSGenericWrapperData *);
+
+extern const SEC_ASN1Template NSSCMSGenericWrapperDataTemplate[];
+extern const SEC_ASN1Template NSS_PointerToCMSGenericWrapperDataTemplate[];
+
+SEC_ASN1_CHOOSER_DECLARE(NSS_PointerToCMSGenericWrapperDataTemplate)
+SEC_ASN1_CHOOSER_DECLARE(NSSCMSGenericWrapperDataTemplate)
+
+/*
+ * Type of function passed to NSSCMSDecode or NSSCMSDecoderStart.
+ * If specified, this is where the content bytes (only) will be "sent"
+ * as they are recovered during the decoding.
+ * And:
+ * Type of function passed to NSSCMSEncode or NSSCMSEncoderStart.
+ * This is where the DER-encoded bytes will be "sent".
+ *
+ * XXX Should just combine this with NSSCMSEncoderContentCallback type
+ * and use a simpler, common name.
+ */
+typedef void (*NSSCMSContentCallback)(void *arg, const char *buf, unsigned long len);
+
+/*
+ * Type of function passed to NSSCMSDecode or NSSCMSDecoderStart
+ * to retrieve the decryption key.  This function is intended to be
+ * used for EncryptedData content info's which do not have a key available
+ * in a certificate, etc.
+ */
+typedef PK11SymKey *(*NSSCMSGetDecryptKeyCallback)(void *arg, SECAlgorithmID *algid);
+
+/* =============================================================================
+ * ENCAPSULATED CONTENTINFO & CONTENTINFO
+ */
+
+union NSSCMSContentUnion {
+    /* either unstructured */
+    SECItem *data;
+    /* or structured data */
+    NSSCMSDigestedData *digestedData;
+    NSSCMSEncryptedData *encryptedData;
+    NSSCMSEnvelopedData *envelopedData;
+    NSSCMSSignedData *signedData;
+    NSSCMSGenericWrapperData *genericData;
+    /* or anonymous pointer to something */
+    void *pointer;
+};
+
+struct NSSCMSContentInfoStr {
+    SECItem contentType;
+    NSSCMSContent content;
+    /* --------- local; not part of encoding --------- */
+    SECOidData *contentTypeTag;
+
+    /* additional info for encryptedData and envelopedData */
+    /* we waste this space for signedData and digestedData. sue me. */
+
+    SECAlgorithmID contentEncAlg;
+    SECItem *rawContent; /* encrypted DER, optional */
+                         /* XXXX bytes not encrypted, but encoded? */
+    /* --------- local; not part of encoding --------- */
+    PK11SymKey *bulkkey;                   /* bulk encryption key */
+    int keysize;                           /* size of bulk encryption key
+                                           * (only used by creation code) */
+    SECOidTag contentEncAlgTag;            /* oid tag of encryption algorithm
+                                           * (only used by creation code) */
+    NSSCMSContentInfoPrivate *privateInfo; /* place for NSS private info */
+    void *reserved;                        /* keep binary compatibility */
+};
+
+/* =============================================================================
+ * MESSAGE
+ */
+
+struct NSSCMSMessageStr {
+    NSSCMSContentInfo contentInfo; /* "outer" cinfo */
+    /* --------- local; not part of encoding --------- */
+    PLArenaPool *poolp;
+    PRBool poolp_is_ours;
+    int refCount;
+    /* properties of the "inner" data */
+    SECAlgorithmID **detached_digestalgs;
+    SECItem **detached_digests;
+    void *pwfn_arg;
+    NSSCMSGetDecryptKeyCallback decrypt_key_cb;
+    void *decrypt_key_cb_arg;
+};
+
+/* ============================================================================
+ * GENERIC WRAPPER
+ *
+ * used for user defined types.
+ */
+struct NSSCMSGenericWrapperDataStr {
+    NSSCMSContentInfo contentInfo;
+    /* ---- local; not part of encoding ------ */
+    NSSCMSMessage *cmsg;
+    /* wrapperspecific data starts here */
+};
+
+/* =============================================================================
+ * SIGNEDDATA
+ */
+
+struct NSSCMSSignedDataStr {
+    SECItem version;
+    SECAlgorithmID **digestAlgorithms;
+    NSSCMSContentInfo contentInfo;
+    SECItem **rawCerts;
+    CERTSignedCrl **crls;
+    NSSCMSSignerInfo **signerInfos;
+    /* --------- local; not part of encoding --------- */
+    NSSCMSMessage *cmsg; /* back pointer to message */
+    SECItem **digests;
+    CERTCertificate **certs;
+    CERTCertificateList **certLists;
+    CERTCertificate **tempCerts; /* temporary certs, needed
+                                  * for example for signature
+                                  * verification */
+};
+#define NSS_CMS_SIGNED_DATA_VERSION_BASIC 1 /* what we *create* */
+#define NSS_CMS_SIGNED_DATA_VERSION_EXT 3   /* what we *create* */
+
+typedef enum {
+    NSSCMSVS_Unverified = 0,
+    NSSCMSVS_GoodSignature = 1,
+    NSSCMSVS_BadSignature = 2,
+    NSSCMSVS_DigestMismatch = 3,
+    NSSCMSVS_SigningCertNotFound = 4,
+    NSSCMSVS_SigningCertNotTrusted = 5,
+    NSSCMSVS_SignatureAlgorithmUnknown = 6,
+    NSSCMSVS_SignatureAlgorithmUnsupported = 7,
+    NSSCMSVS_MalformedSignature = 8,
+    NSSCMSVS_ProcessingError = 9
+} NSSCMSVerificationStatus;
+
+typedef enum {
+    NSSCMSSignerID_IssuerSN = 0,
+    NSSCMSSignerID_SubjectKeyID = 1
+} NSSCMSSignerIDSelector;
+
+struct NSSCMSSignerIdentifierStr {
+    NSSCMSSignerIDSelector identifierType;
+    union {
+        CERTIssuerAndSN *issuerAndSN;
+        SECItem *subjectKeyID;
+    } id;
+};
+
+struct NSSCMSSignerInfoStr {
+    SECItem version;
+    NSSCMSSignerIdentifier signerIdentifier;
+    SECAlgorithmID digestAlg;
+    NSSCMSAttribute **authAttr;
+    SECAlgorithmID digestEncAlg;
+    SECItem encDigest;
+    NSSCMSAttribute **unAuthAttr;
+    /* --------- local; not part of encoding --------- */
+    NSSCMSMessage *cmsg; /* back pointer to message */
+    CERTCertificate *cert;
+    CERTCertificateList *certList;
+    PRTime signingTime;
+    NSSCMSVerificationStatus verificationStatus;
+    SECKEYPrivateKey *signingKey; /* Used if we're using subjKeyID*/
+    SECKEYPublicKey *pubKey;
+};
+#define NSS_CMS_SIGNER_INFO_VERSION_ISSUERSN 1 /* what we *create* */
+#define NSS_CMS_SIGNER_INFO_VERSION_SUBJKEY 3  /* what we *create* */
+
+typedef enum {
+    NSSCMSCM_None = 0,
+    NSSCMSCM_CertOnly = 1,
+    NSSCMSCM_CertChain = 2,
+    NSSCMSCM_CertChainWithRoot = 3
+} NSSCMSCertChainMode;
+
+/* =============================================================================
+ * ENVELOPED DATA
+ */
+struct NSSCMSEnvelopedDataStr {
+    SECItem version;
+    NSSCMSOriginatorInfo *originatorInfo; /* optional */
+    NSSCMSRecipientInfo **recipientInfos;
+    NSSCMSContentInfo contentInfo;
+    NSSCMSAttribute **unprotectedAttr;
+    /* --------- local; not part of encoding --------- */
+    NSSCMSMessage *cmsg; /* back pointer to message */
+};
+#define NSS_CMS_ENVELOPED_DATA_VERSION_REG 0 /* what we *create* */
+#define NSS_CMS_ENVELOPED_DATA_VERSION_ADV 2 /* what we *create* */
+
+struct NSSCMSOriginatorInfoStr {
+    SECItem **rawCerts;
+    CERTSignedCrl **crls;
+    /* --------- local; not part of encoding --------- */
+    CERTCertificate **certs;
+};
+
+/* -----------------------------------------------------------------------------
+ * key transport recipient info
+ */
+typedef enum {
+    NSSCMSRecipientID_IssuerSN = 0,
+    NSSCMSRecipientID_SubjectKeyID = 1,
+    NSSCMSRecipientID_BrandNew = 2
+} NSSCMSRecipientIDSelector;
+
+struct NSSCMSRecipientIdentifierStr {
+    NSSCMSRecipientIDSelector identifierType;
+    union {
+        CERTIssuerAndSN *issuerAndSN;
+        SECItem *subjectKeyID;
+    } id;
+};
+typedef struct NSSCMSRecipientIdentifierStr NSSCMSRecipientIdentifier;
+
+struct NSSCMSKeyTransRecipientInfoStr {
+    SECItem version;
+    NSSCMSRecipientIdentifier recipientIdentifier;
+    SECAlgorithmID keyEncAlg;
+    SECItem encKey;
+};
+typedef struct NSSCMSKeyTransRecipientInfoStr NSSCMSKeyTransRecipientInfo;
+
+/*
+ * View comments before NSSCMSRecipientInfoStr for purpose of this
+ * structure.
+ */
+struct NSSCMSKeyTransRecipientInfoExStr {
+    NSSCMSKeyTransRecipientInfo recipientInfo;
+    int version; /* version of this structure (0) */
+    SECKEYPublicKey *pubKey;
+};
+
+typedef struct NSSCMSKeyTransRecipientInfoExStr NSSCMSKeyTransRecipientInfoEx;
+
+#define NSS_CMS_KEYTRANS_RECIPIENT_INFO_VERSION_ISSUERSN 0 /* what we *create* */
+#define NSS_CMS_KEYTRANS_RECIPIENT_INFO_VERSION_SUBJKEY 2  /* what we *create* */
+
+/* -----------------------------------------------------------------------------
+ * key agreement recipient info
+ */
+struct NSSCMSOriginatorPublicKeyStr {
+    SECAlgorithmID algorithmIdentifier;
+    SECItem publicKey; /* bit string! */
+};
+typedef struct NSSCMSOriginatorPublicKeyStr NSSCMSOriginatorPublicKey;
+
+typedef enum {
+    NSSCMSOriginatorIDOrKey_IssuerSN = 0,
+    NSSCMSOriginatorIDOrKey_SubjectKeyID = 1,
+    NSSCMSOriginatorIDOrKey_OriginatorPublicKey = 2
+} NSSCMSOriginatorIDOrKeySelector;
+
+struct NSSCMSOriginatorIdentifierOrKeyStr {
+    NSSCMSOriginatorIDOrKeySelector identifierType;
+    union {
+        CERTIssuerAndSN *issuerAndSN;                  /* static-static */
+        SECItem *subjectKeyID;                         /* static-static */
+        NSSCMSOriginatorPublicKey originatorPublicKey; /* ephemeral-static */
+    } id;
+};
+typedef struct NSSCMSOriginatorIdentifierOrKeyStr NSSCMSOriginatorIdentifierOrKey;
+
+struct NSSCMSRecipientKeyIdentifierStr {
+    SECItem *subjectKeyIdentifier;
+    SECItem *date;  /* optional */
+    SECItem *other; /* optional */
+};
+typedef struct NSSCMSRecipientKeyIdentifierStr NSSCMSRecipientKeyIdentifier;
+
+typedef enum {
+    NSSCMSKeyAgreeRecipientID_IssuerSN = 0,
+    NSSCMSKeyAgreeRecipientID_RKeyID = 1
+} NSSCMSKeyAgreeRecipientIDSelector;
+
+struct NSSCMSKeyAgreeRecipientIdentifierStr {
+    NSSCMSKeyAgreeRecipientIDSelector identifierType;
+    union {
+        CERTIssuerAndSN *issuerAndSN;
+        NSSCMSRecipientKeyIdentifier recipientKeyIdentifier;
+    } id;
+};
+typedef struct NSSCMSKeyAgreeRecipientIdentifierStr NSSCMSKeyAgreeRecipientIdentifier;
+
+struct NSSCMSRecipientEncryptedKeyStr {
+    NSSCMSKeyAgreeRecipientIdentifier recipientIdentifier;
+    SECItem encKey;
+};
+typedef struct NSSCMSRecipientEncryptedKeyStr NSSCMSRecipientEncryptedKey;
+
+struct NSSCMSKeyAgreeRecipientInfoStr {
+    SECItem version;
+    NSSCMSOriginatorIdentifierOrKey originatorIdentifierOrKey;
+    SECItem *ukm; /* optional */
+    SECAlgorithmID keyEncAlg;
+    NSSCMSRecipientEncryptedKey **recipientEncryptedKeys;
+};
+typedef struct NSSCMSKeyAgreeRecipientInfoStr NSSCMSKeyAgreeRecipientInfo;
+
+#define NSS_CMS_KEYAGREE_RECIPIENT_INFO_VERSION 3 /* what we *create* */
+
+/* -----------------------------------------------------------------------------
+ * KEK recipient info
+ */
+struct NSSCMSKEKIdentifierStr {
+    SECItem keyIdentifier;
+    SECItem *date;  /* optional */
+    SECItem *other; /* optional */
+};
+typedef struct NSSCMSKEKIdentifierStr NSSCMSKEKIdentifier;
+
+struct NSSCMSKEKRecipientInfoStr {
+    SECItem version;
+    NSSCMSKEKIdentifier kekIdentifier;
+    SECAlgorithmID keyEncAlg;
+    SECItem encKey;
+};
+typedef struct NSSCMSKEKRecipientInfoStr NSSCMSKEKRecipientInfo;
+
+#define NSS_CMS_KEK_RECIPIENT_INFO_VERSION 4 /* what we *create* */
+
+/* -----------------------------------------------------------------------------
+ * recipient info
+ */
+
+typedef enum {
+    NSSCMSRecipientInfoID_KeyTrans = 0,
+    NSSCMSRecipientInfoID_KeyAgree = 1,
+    NSSCMSRecipientInfoID_KEK = 2
+} NSSCMSRecipientInfoIDSelector;
+
+/*
+ * In order to preserve backwards binary compatibility when implementing
+ * creation of Recipient Info's that uses subjectKeyID in the
+ * keyTransRecipientInfo we need to stash a public key pointer in this
+ * structure somewhere.  We figured out that NSSCMSKeyTransRecipientInfo
+ * is the smallest member of the ri union.  We're in luck since that's
+ * the very structure that would need to use the public key. So we created
+ * a new structure NSSCMSKeyTransRecipientInfoEx which has a member
+ * NSSCMSKeyTransRecipientInfo as the first member followed by a version
+ * and a public key pointer.  This way we can keep backwards compatibility
+ * without changing the size of this structure.
+ *
+ * BTW, size of structure:
+ * NSSCMSKeyTransRecipientInfo:  9 ints, 4 pointers
+ * NSSCMSKeyAgreeRecipientInfo: 12 ints, 8 pointers
+ * NSSCMSKEKRecipientInfo:      10 ints, 7 pointers
+ *
+ * The new structure:
+ * NSSCMSKeyTransRecipientInfoEx: sizeof(NSSCMSKeyTransRecipientInfo) +
+ *                                1 int, 1 pointer
+ */
+
+struct NSSCMSRecipientInfoStr {
+    NSSCMSRecipientInfoIDSelector recipientInfoType;
+    union {
+        NSSCMSKeyTransRecipientInfo keyTransRecipientInfo;
+        NSSCMSKeyAgreeRecipientInfo keyAgreeRecipientInfo;
+        NSSCMSKEKRecipientInfo kekRecipientInfo;
+        NSSCMSKeyTransRecipientInfoEx keyTransRecipientInfoEx;
+    } ri;
+    /* --------- local; not part of encoding --------- */
+    NSSCMSMessage *cmsg;   /* back pointer to message */
+    CERTCertificate *cert; /* recipient's certificate */
+};
+
+/* =============================================================================
+ * DIGESTED DATA
+ */
+struct NSSCMSDigestedDataStr {
+    SECItem version;
+    SECAlgorithmID digestAlg;
+    NSSCMSContentInfo contentInfo;
+    SECItem digest;
+    /* --------- local; not part of encoding --------- */
+    NSSCMSMessage *cmsg; /* back pointer */
+    SECItem cdigest;     /* calculated digest */
+};
+#define NSS_CMS_DIGESTED_DATA_VERSION_DATA 0  /* what we *create* */
+#define NSS_CMS_DIGESTED_DATA_VERSION_ENCAP 2 /* what we *create* */
+
+/* =============================================================================
+ * ENCRYPTED DATA
+ */
+struct NSSCMSEncryptedDataStr {
+    SECItem version;
+    NSSCMSContentInfo contentInfo;
+    NSSCMSAttribute **unprotectedAttr; /* optional */
+    /* --------- local; not part of encoding --------- */
+    NSSCMSMessage *cmsg; /* back pointer */
+};
+#define NSS_CMS_ENCRYPTED_DATA_VERSION 0        /* what we *create* */
+#define NSS_CMS_ENCRYPTED_DATA_VERSION_UPATTR 2 /* what we *create* */
+
+/*
+ * *****************************************************************************
+ * *****************************************************************************
+ * *****************************************************************************
+ */
+
+/*
+ * See comment above about this type not really belonging to CMS.
+ */
+struct NSSCMSAttributeStr {
+    /* The following fields make up an encoded Attribute: */
+    SECItem type;
+    SECItem **values; /* data may or may not be encoded */
+    /* The following fields are not part of an encoded Attribute: */
+    SECOidData *typeTag;
+    PRBool encoded; /* when true, values are encoded */
+};
+
+#endif /* _CMST_H_ */