security/nss/lib/smime/cmst.h
author Brian Smith <bsmith@mozilla.com>
Thu, 11 Apr 2013 16:46:53 -0700
changeset 128536 0857f2bc8f8a646e96b93a76307451c65238f35a
parent 108803 699db88b5ea01fd321fe8abfe5bb071e991b120d
child 130535 0314d200873a8962e8556a656bbf9e4b26e23cfc
permissions -rw-r--r--
Bug 858231: Upgrade to NSS 3.15 BETA 1 and adjust security/build to work with new NSS directory layout, r=bsmith

/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

/*
 * Header for CMS types.
 *
 * $Id$
 */

#ifndef _CMST_H_
#define _CMST_H_

#include "seccomon.h"
#include "secoidt.h"
#include "certt.h"
#include "secmodt.h"
#include "secmodt.h"

#include "plarena.h"

/* Non-opaque objects.  NOTE, though: I want them to be treated as
 * opaque as much as possible.  If I could hide them completely,
 * I would.  (I tried, but ran into trouble that was taking me too
 * much time to get out of.)  I still intend to try to do so.
 * In fact, the only type that "outsiders" should even *name* is
 * NSSCMSMessage, and they should not reference its fields.
 */
/* rjr: PKCS #11 cert handling (pk11cert.c) does use NSSCMSRecipientInfo's.
 * This is because when we search the recipient list for the cert and key we
 * want, we need to invert the order of the loops we used to have. The old
 * loops were:
 *
 *  For each recipient {
 *       find_cert = PK11_Find_AllCert(recipient->issuerSN);
 *       [which unrolls to... ]
 *       For each slot {
 *            Log into slot;
 *            search slot for cert;
 *      }
 *  }
 *
 *  the new loop searchs all the recipients at once on a slot. this allows
 *  PKCS #11 to order slots in such a way that logout slots don't get checked
 *  if we can find the cert on a logged in slot. This eliminates lots of
 *  spurious password prompts when smart cards are installed... so why this
 *  comment? If you make NSSCMSRecipientInfo completely opaque, you need
 *  to provide a non-opaque list of issuerSN's (the only field PKCS#11 needs
 *  and fix up pk11cert.c first. NOTE: Only S/MIME calls this special PKCS #11
 *  function.
 */

typedef struct NSSCMSMessageStr NSSCMSMessage;

typedef union NSSCMSContentUnion NSSCMSContent;
typedef struct NSSCMSContentInfoStr NSSCMSContentInfo;

typedef struct NSSCMSSignedDataStr NSSCMSSignedData;
typedef struct NSSCMSSignerInfoStr NSSCMSSignerInfo;
typedef struct NSSCMSSignerIdentifierStr NSSCMSSignerIdentifier;

typedef struct NSSCMSEnvelopedDataStr NSSCMSEnvelopedData;
typedef struct NSSCMSOriginatorInfoStr NSSCMSOriginatorInfo;
typedef struct NSSCMSRecipientInfoStr NSSCMSRecipientInfo;

typedef struct NSSCMSDigestedDataStr NSSCMSDigestedData;
typedef struct NSSCMSEncryptedDataStr NSSCMSEncryptedData;

typedef struct NSSCMSGenericWrapperDataStr NSSCMSGenericWrapperData;

typedef struct NSSCMSAttributeStr NSSCMSAttribute;

typedef struct NSSCMSDecoderContextStr NSSCMSDecoderContext;
typedef struct NSSCMSEncoderContextStr NSSCMSEncoderContext;

typedef struct NSSCMSCipherContextStr NSSCMSCipherContext;
typedef struct NSSCMSDigestContextStr NSSCMSDigestContext;

typedef struct NSSCMSContentInfoPrivateStr NSSCMSContentInfoPrivate;

typedef SECStatus (*NSSCMSGenericWrapperDataCallback)
						(NSSCMSGenericWrapperData *);
typedef   void    (*NSSCMSGenericWrapperDataDestroy) 
						(NSSCMSGenericWrapperData *);

extern const SEC_ASN1Template NSSCMSGenericWrapperDataTemplate[];
extern const SEC_ASN1Template NSS_PointerToCMSGenericWrapperDataTemplate[];

SEC_ASN1_CHOOSER_DECLARE(NSS_PointerToCMSGenericWrapperDataTemplate)
SEC_ASN1_CHOOSER_DECLARE(NSSCMSGenericWrapperDataTemplate)



/*
 * Type of function passed to NSSCMSDecode or NSSCMSDecoderStart.
 * If specified, this is where the content bytes (only) will be "sent"
 * as they are recovered during the decoding.
 * And:
 * Type of function passed to NSSCMSEncode or NSSCMSEncoderStart.
 * This is where the DER-encoded bytes will be "sent".
 *
 * XXX Should just combine this with NSSCMSEncoderContentCallback type
 * and use a simpler, common name.
 */
typedef void (*NSSCMSContentCallback)(void *arg, const char *buf, unsigned long len);

/*
 * Type of function passed to NSSCMSDecode or NSSCMSDecoderStart
 * to retrieve the decryption key.  This function is intended to be
 * used for EncryptedData content info's which do not have a key available
 * in a certificate, etc.
 */
typedef PK11SymKey *(*NSSCMSGetDecryptKeyCallback)(void *arg, SECAlgorithmID *algid);


/* =============================================================================
 * ENCAPSULATED CONTENTINFO & CONTENTINFO
 */

union NSSCMSContentUnion {
    /* either unstructured */
    SECItem *			data;
    /* or structured data */
    NSSCMSDigestedData *	digestedData;
    NSSCMSEncryptedData	*	encryptedData;
    NSSCMSEnvelopedData	*	envelopedData;
    NSSCMSSignedData *		signedData;
    NSSCMSGenericWrapperData *	genericData;
    /* or anonymous pointer to something */
    void *			pointer;
};

struct NSSCMSContentInfoStr {
    SECItem			contentType;
    NSSCMSContent		content;
    /* --------- local; not part of encoding --------- */
    SECOidData *		contentTypeTag;	

    /* additional info for encryptedData and envelopedData */
    /* we waste this space for signedData and digestedData. sue me. */

    SECAlgorithmID		contentEncAlg;
    SECItem *			rawContent;		/* encrypted DER, optional */
							/* XXXX bytes not encrypted, but encoded? */
    /* --------- local; not part of encoding --------- */
    PK11SymKey *		bulkkey;		/* bulk encryption key */
    int				keysize;		/* size of bulk encryption key
							 * (only used by creation code) */
    SECOidTag			contentEncAlgTag;	/* oid tag of encryption algorithm
							 * (only used by creation code) */
    NSSCMSContentInfoPrivate	*privateInfo;		/* place for NSS private info */
    void		*reserved;			/* keep binary compatibility */
};

/* =============================================================================
 * MESSAGE
 */

struct NSSCMSMessageStr {
    NSSCMSContentInfo	contentInfo;		/* "outer" cinfo */
    /* --------- local; not part of encoding --------- */
    PLArenaPool *	poolp;
    PRBool		poolp_is_ours;
    int			refCount;
    /* properties of the "inner" data */
    SECAlgorithmID **	detached_digestalgs;
    SECItem **		detached_digests;
    void *		pwfn_arg;
    NSSCMSGetDecryptKeyCallback decrypt_key_cb;
    void *		decrypt_key_cb_arg;
};

/* ============================================================================
 * GENERIC WRAPPER
 * 
 * used for user defined types.
 */
struct NSSCMSGenericWrapperDataStr {
    NSSCMSContentInfo	contentInfo;
    /* ---- local; not part of encoding ------ */
    NSSCMSMessage *	cmsg;
    /* wrapperspecific data starts here */
};

/* =============================================================================
 * SIGNEDDATA
 */

struct NSSCMSSignedDataStr {
    SECItem			version;
    SECAlgorithmID **		digestAlgorithms;
    NSSCMSContentInfo		contentInfo;
    SECItem **			rawCerts;
    CERTSignedCrl **		crls;
    NSSCMSSignerInfo **		signerInfos;
    /* --------- local; not part of encoding --------- */
    NSSCMSMessage *		cmsg;			/* back pointer to message */
    SECItem **			digests;
    CERTCertificate **		certs;
    CERTCertificateList **	certLists;
    CERTCertificate **          tempCerts;              /* temporary certs, needed
                                                         * for example for signature
                                                         * verification */
};
#define NSS_CMS_SIGNED_DATA_VERSION_BASIC	1	/* what we *create* */
#define NSS_CMS_SIGNED_DATA_VERSION_EXT		3	/* what we *create* */

typedef enum {
    NSSCMSVS_Unverified = 0,
    NSSCMSVS_GoodSignature = 1,
    NSSCMSVS_BadSignature = 2,
    NSSCMSVS_DigestMismatch = 3,
    NSSCMSVS_SigningCertNotFound = 4,
    NSSCMSVS_SigningCertNotTrusted = 5,
    NSSCMSVS_SignatureAlgorithmUnknown = 6,
    NSSCMSVS_SignatureAlgorithmUnsupported = 7,
    NSSCMSVS_MalformedSignature = 8,
    NSSCMSVS_ProcessingError = 9
} NSSCMSVerificationStatus;

typedef enum {
    NSSCMSSignerID_IssuerSN = 0,
    NSSCMSSignerID_SubjectKeyID = 1
} NSSCMSSignerIDSelector;

struct NSSCMSSignerIdentifierStr {
    NSSCMSSignerIDSelector identifierType;
    union {
	CERTIssuerAndSN *issuerAndSN;
	SECItem *subjectKeyID;
    } id;
};

struct NSSCMSSignerInfoStr {
    SECItem			version;
    NSSCMSSignerIdentifier	signerIdentifier;
    SECAlgorithmID		digestAlg;
    NSSCMSAttribute **		authAttr;
    SECAlgorithmID		digestEncAlg;
    SECItem			encDigest;
    NSSCMSAttribute **		unAuthAttr;
    /* --------- local; not part of encoding --------- */
    NSSCMSMessage *		cmsg;			/* back pointer to message */
    CERTCertificate *		cert;
    CERTCertificateList *	certList;
    PRTime			signingTime;
    NSSCMSVerificationStatus	verificationStatus;
    SECKEYPrivateKey *          signingKey; /* Used if we're using subjKeyID*/
    SECKEYPublicKey *           pubKey;
};
#define NSS_CMS_SIGNER_INFO_VERSION_ISSUERSN	1	/* what we *create* */
#define NSS_CMS_SIGNER_INFO_VERSION_SUBJKEY	3	/* what we *create* */

typedef enum {
    NSSCMSCM_None = 0,
    NSSCMSCM_CertOnly = 1,
    NSSCMSCM_CertChain = 2,
    NSSCMSCM_CertChainWithRoot = 3
} NSSCMSCertChainMode;

/* =============================================================================
 * ENVELOPED DATA
 */
struct NSSCMSEnvelopedDataStr {
    SECItem			version;
    NSSCMSOriginatorInfo *	originatorInfo;		/* optional */
    NSSCMSRecipientInfo **	recipientInfos;
    NSSCMSContentInfo		contentInfo;
    NSSCMSAttribute **		unprotectedAttr;
    /* --------- local; not part of encoding --------- */
    NSSCMSMessage *		cmsg;			/* back pointer to message */
};
#define NSS_CMS_ENVELOPED_DATA_VERSION_REG	0	/* what we *create* */
#define NSS_CMS_ENVELOPED_DATA_VERSION_ADV	2	/* what we *create* */

struct NSSCMSOriginatorInfoStr {
    SECItem **			rawCerts;
    CERTSignedCrl **		crls;
    /* --------- local; not part of encoding --------- */
    CERTCertificate **		certs;
};

/* -----------------------------------------------------------------------------
 * key transport recipient info
 */
typedef enum {
    NSSCMSRecipientID_IssuerSN = 0,
    NSSCMSRecipientID_SubjectKeyID = 1,
    NSSCMSRecipientID_BrandNew = 2
} NSSCMSRecipientIDSelector;

struct NSSCMSRecipientIdentifierStr {
    NSSCMSRecipientIDSelector	identifierType;
    union {
	CERTIssuerAndSN		*issuerAndSN;
	SECItem 		*subjectKeyID;
    } id;
};
typedef struct NSSCMSRecipientIdentifierStr NSSCMSRecipientIdentifier;

struct NSSCMSKeyTransRecipientInfoStr {
    SECItem			version;
    NSSCMSRecipientIdentifier	recipientIdentifier;
    SECAlgorithmID		keyEncAlg;
    SECItem			encKey;
};
typedef struct NSSCMSKeyTransRecipientInfoStr NSSCMSKeyTransRecipientInfo;

/*
 * View comments before NSSCMSRecipientInfoStr for purpose of this
 * structure.
 */
struct NSSCMSKeyTransRecipientInfoExStr {
    NSSCMSKeyTransRecipientInfo recipientInfo;
    int version;  /* version of this structure (0) */
    SECKEYPublicKey *pubKey;
};

typedef struct NSSCMSKeyTransRecipientInfoExStr NSSCMSKeyTransRecipientInfoEx;

#define NSS_CMS_KEYTRANS_RECIPIENT_INFO_VERSION_ISSUERSN	0	/* what we *create* */
#define NSS_CMS_KEYTRANS_RECIPIENT_INFO_VERSION_SUBJKEY		2	/* what we *create* */

/* -----------------------------------------------------------------------------
 * key agreement recipient info
 */
struct NSSCMSOriginatorPublicKeyStr {
    SECAlgorithmID			algorithmIdentifier;
    SECItem				publicKey;			/* bit string! */
};
typedef struct NSSCMSOriginatorPublicKeyStr NSSCMSOriginatorPublicKey;

typedef enum {
    NSSCMSOriginatorIDOrKey_IssuerSN = 0,
    NSSCMSOriginatorIDOrKey_SubjectKeyID = 1,
    NSSCMSOriginatorIDOrKey_OriginatorPublicKey = 2
} NSSCMSOriginatorIDOrKeySelector;

struct NSSCMSOriginatorIdentifierOrKeyStr {
    NSSCMSOriginatorIDOrKeySelector identifierType;
    union {
	CERTIssuerAndSN			*issuerAndSN;		/* static-static */
	SECItem				*subjectKeyID;		/* static-static */
	NSSCMSOriginatorPublicKey	originatorPublicKey;	/* ephemeral-static */
    } id;
};
typedef struct NSSCMSOriginatorIdentifierOrKeyStr NSSCMSOriginatorIdentifierOrKey;

struct NSSCMSRecipientKeyIdentifierStr {
    SECItem *				subjectKeyIdentifier;
    SECItem *				date;			/* optional */
    SECItem *				other;			/* optional */
};
typedef struct NSSCMSRecipientKeyIdentifierStr NSSCMSRecipientKeyIdentifier;

typedef enum {
    NSSCMSKeyAgreeRecipientID_IssuerSN = 0,
    NSSCMSKeyAgreeRecipientID_RKeyID = 1
} NSSCMSKeyAgreeRecipientIDSelector;

struct NSSCMSKeyAgreeRecipientIdentifierStr {
    NSSCMSKeyAgreeRecipientIDSelector	identifierType;
    union {
	CERTIssuerAndSN			*issuerAndSN;
	NSSCMSRecipientKeyIdentifier	recipientKeyIdentifier;
    } id;
};
typedef struct NSSCMSKeyAgreeRecipientIdentifierStr NSSCMSKeyAgreeRecipientIdentifier;

struct NSSCMSRecipientEncryptedKeyStr {
    NSSCMSKeyAgreeRecipientIdentifier	recipientIdentifier;
    SECItem				encKey;
};
typedef struct NSSCMSRecipientEncryptedKeyStr NSSCMSRecipientEncryptedKey;

struct NSSCMSKeyAgreeRecipientInfoStr {
    SECItem				version;
    NSSCMSOriginatorIdentifierOrKey	originatorIdentifierOrKey;
    SECItem *				ukm;				/* optional */
    SECAlgorithmID			keyEncAlg;
    NSSCMSRecipientEncryptedKey **	recipientEncryptedKeys;
};
typedef struct NSSCMSKeyAgreeRecipientInfoStr NSSCMSKeyAgreeRecipientInfo;

#define NSS_CMS_KEYAGREE_RECIPIENT_INFO_VERSION	3	/* what we *create* */

/* -----------------------------------------------------------------------------
 * KEK recipient info
 */
struct NSSCMSKEKIdentifierStr {
    SECItem			keyIdentifier;
    SECItem *			date;			/* optional */
    SECItem *			other;			/* optional */
};
typedef struct NSSCMSKEKIdentifierStr NSSCMSKEKIdentifier;

struct NSSCMSKEKRecipientInfoStr {
    SECItem			version;
    NSSCMSKEKIdentifier		kekIdentifier;
    SECAlgorithmID		keyEncAlg;
    SECItem			encKey;
};
typedef struct NSSCMSKEKRecipientInfoStr NSSCMSKEKRecipientInfo;

#define NSS_CMS_KEK_RECIPIENT_INFO_VERSION	4	/* what we *create* */

/* -----------------------------------------------------------------------------
 * recipient info
 */

typedef enum {
    NSSCMSRecipientInfoID_KeyTrans = 0,
    NSSCMSRecipientInfoID_KeyAgree = 1,
    NSSCMSRecipientInfoID_KEK = 2
} NSSCMSRecipientInfoIDSelector;

/*
 * In order to preserve backwards binary compatibility when implementing
 * creation of Recipient Info's that uses subjectKeyID in the 
 * keyTransRecipientInfo we need to stash a public key pointer in this
 * structure somewhere.  We figured out that NSSCMSKeyTransRecipientInfo
 * is the smallest member of the ri union.  We're in luck since that's
 * the very structure that would need to use the public key. So we created
 * a new structure NSSCMSKeyTransRecipientInfoEx which has a member 
 * NSSCMSKeyTransRecipientInfo as the first member followed by a version
 * and a public key pointer.  This way we can keep backwards compatibility
 * without changing the size of this structure.
 *
 * BTW, size of structure:
 * NSSCMSKeyTransRecipientInfo:  9 ints, 4 pointers
 * NSSCMSKeyAgreeRecipientInfo: 12 ints, 8 pointers
 * NSSCMSKEKRecipientInfo:      10 ints, 7 pointers
 *
 * The new structure:
 * NSSCMSKeyTransRecipientInfoEx: sizeof(NSSCMSKeyTransRecipientInfo) +
 *                                1 int, 1 pointer
 */

struct NSSCMSRecipientInfoStr {
    NSSCMSRecipientInfoIDSelector recipientInfoType;
    union {
	NSSCMSKeyTransRecipientInfo keyTransRecipientInfo;
	NSSCMSKeyAgreeRecipientInfo keyAgreeRecipientInfo;
	NSSCMSKEKRecipientInfo kekRecipientInfo;
	NSSCMSKeyTransRecipientInfoEx keyTransRecipientInfoEx;
    } ri;
    /* --------- local; not part of encoding --------- */
    NSSCMSMessage *		cmsg;			/* back pointer to message */
    CERTCertificate *		cert;			/* recipient's certificate */
};

/* =============================================================================
 * DIGESTED DATA
 */
struct NSSCMSDigestedDataStr {
    SECItem			version;
    SECAlgorithmID		digestAlg;
    NSSCMSContentInfo		contentInfo;
    SECItem			digest;
    /* --------- local; not part of encoding --------- */
    NSSCMSMessage *		cmsg;		/* back pointer */
    SECItem			cdigest;	/* calculated digest */
};
#define NSS_CMS_DIGESTED_DATA_VERSION_DATA	0	/* what we *create* */
#define NSS_CMS_DIGESTED_DATA_VERSION_ENCAP	2	/* what we *create* */

/* =============================================================================
 * ENCRYPTED DATA
 */
struct NSSCMSEncryptedDataStr {
    SECItem			version;
    NSSCMSContentInfo		contentInfo;
    NSSCMSAttribute **		unprotectedAttr;	/* optional */
    /* --------- local; not part of encoding --------- */
    NSSCMSMessage *		cmsg;		/* back pointer */
};
#define NSS_CMS_ENCRYPTED_DATA_VERSION		0	/* what we *create* */
#define NSS_CMS_ENCRYPTED_DATA_VERSION_UPATTR	2	/* what we *create* */

/*
 * *****************************************************************************
 * *****************************************************************************
 * *****************************************************************************
 */

/*
 * See comment above about this type not really belonging to CMS.
 */
struct NSSCMSAttributeStr {
    /* The following fields make up an encoded Attribute: */
    SECItem			type;
    SECItem **			values;	/* data may or may not be encoded */
    /* The following fields are not part of an encoded Attribute: */
    SECOidData *		typeTag;
    PRBool			encoded;	/* when true, values are encoded */
};

#endif /* _CMST_H_ */