diff options
author | kaie%netscape.com <devnull@localhost> | 2002-08-26 21:34:31 +0000 |
---|---|---|
committer | kaie%netscape.com <devnull@localhost> | 2002-08-26 21:34:31 +0000 |
commit | 202694f509283ec7fa59ab41ae38dffb8101b2ce (patch) | |
tree | 3c2db13f53765c89dc773a6c8a245edb1815458a /security | |
parent | eefc36d22a2660a2f1bd94165c17ff13fc6bc2da (diff) | |
download | nss-hg-202694f509283ec7fa59ab41ae38dffb8101b2ce.tar.gz |
b=107034 OE requires special attribute in incoming signed messages to support dual key certificates. Add new function
NSS_CMSSignerInfo_AddMSSMIMEEncKeyPrefs.
r=relyea
Diffstat (limited to 'security')
-rw-r--r-- | security/nss/cmd/smimetools/cmsutil.c | 20 | ||||
-rw-r--r-- | security/nss/lib/smime/cms.h | 10 | ||||
-rw-r--r-- | security/nss/lib/smime/cmssiginfo.c | 45 | ||||
-rw-r--r-- | security/nss/lib/smime/smime.def | 6 | ||||
-rw-r--r-- | security/nss/lib/smime/smime.h | 5 | ||||
-rw-r--r-- | security/nss/lib/smime/smimeutil.c | 34 | ||||
-rw-r--r-- | security/nss/lib/util/secoid.c | 9 | ||||
-rw-r--r-- | security/nss/lib/util/secoidt.h | 2 |
8 files changed, 131 insertions, 0 deletions
diff --git a/security/nss/cmd/smimetools/cmsutil.c b/security/nss/cmd/smimetools/cmsutil.c index ec2fe56e8..d0ac0402a 100644 --- a/security/nss/cmd/smimetools/cmsutil.c +++ b/security/nss/cmd/smimetools/cmsutil.c @@ -509,6 +509,12 @@ signed_data(struct signOptionsStr *signOptions) fprintf(stderr, "ERROR: cannot add SMIMEEncKeyPrefs attribute.\n"); goto loser; } + if (NSS_CMSSignerInfo_AddMSSMIMEEncKeyPrefs(signerinfo, ekpcert, + signOptions->options->certHandle) + != SECSuccess) { + fprintf(stderr, "ERROR: cannot add MS SMIMEEncKeyPrefs attribute.\n"); + goto loser; + } if (NSS_CMSSignedData_AddCertificate(sigd, ekpcert) != SECSuccess) { fprintf(stderr, "ERROR: cannot add encryption certificate.\n"); goto loser; @@ -527,6 +533,13 @@ signed_data(struct signOptionsStr *signOptions) "ERROR: cannot add default SMIMEEncKeyPrefs attribute.\n"); goto loser; } + if (NSS_CMSSignerInfo_AddMSSMIMEEncKeyPrefs(signerinfo, cert, + signOptions->options->certHandle) + != SECSuccess) { + fprintf(stderr, + "ERROR: cannot add default MS SMIMEEncKeyPrefs attribute.\n"); + goto loser; + } } else { /* this is a dual-key cert case, we need to look for the encryption certificate under the same nickname as the signing cert */ @@ -549,6 +562,13 @@ signed_data(struct signOptionsStr *signOptions) "ERROR: cannot add SMIMEEncKeyPrefs attribute.\n"); goto loser; } + if (NSS_CMSSignerInfo_AddMSSMIMEEncKeyPrefs(signerinfo, ekpcert, + signOptions->options->certHandle) + != SECSuccess) { + fprintf(stderr, + "ERROR: cannot add MS SMIMEEncKeyPrefs attribute.\n"); + goto loser; + } if (NSS_CMSSignedData_AddCertificate(sigd, ekpcert) != SECSuccess) { fprintf(stderr, "ERROR: cannot add encryption certificate.\n"); goto loser; diff --git a/security/nss/lib/smime/cms.h b/security/nss/lib/smime/cms.h index f2f50a654..7b96cda41 100644 --- a/security/nss/lib/smime/cms.h +++ b/security/nss/lib/smime/cms.h @@ -731,6 +731,16 @@ NSS_CMSSignerInfo_AddSMIMECaps(NSSCMSSignerInfo *signerinfo); SECStatus NSS_CMSSignerInfo_AddSMIMEEncKeyPrefs(NSSCMSSignerInfo *signerinfo, CERTCertificate *cert, CERTCertDBHandle *certdb); +/* + * NSS_CMSSignerInfo_AddMSSMIMEEncKeyPrefs - add a SMIMEEncryptionKeyPreferences attribute to the + * authenticated (i.e. signed) attributes of "signerinfo", using the OID prefered by Microsoft. + * + * This is expected to be included in outgoing signed messages for email (S/MIME), + * if compatibility with Microsoft mail clients is wanted. + */ +SECStatus +NSS_CMSSignerInfo_AddMSSMIMEEncKeyPrefs(NSSCMSSignerInfo *signerinfo, CERTCertificate *cert, CERTCertDBHandle *certdb); + /* * NSS_CMSSignerInfo_AddCounterSignature - countersign a signerinfo */ diff --git a/security/nss/lib/smime/cmssiginfo.c b/security/nss/lib/smime/cmssiginfo.c index 4dbdcb7bf..a456ca9ae 100644 --- a/security/nss/lib/smime/cmssiginfo.c +++ b/security/nss/lib/smime/cmssiginfo.c @@ -743,6 +743,51 @@ loser: } /* + * NSS_CMSSignerInfo_AddMSSMIMEEncKeyPrefs - add a SMIMEEncryptionKeyPreferences attribute to the + * authenticated (i.e. signed) attributes of "signerinfo", using the OID prefered by Microsoft. + * + * This is expected to be included in outgoing signed messages for email (S/MIME), + * if compatibility with Microsoft mail clients is wanted. + */ +SECStatus +NSS_CMSSignerInfo_AddMSSMIMEEncKeyPrefs(NSSCMSSignerInfo *signerinfo, CERTCertificate *cert, CERTCertDBHandle *certdb) +{ + NSSCMSAttribute *attr; + SECItem *smimeekp = NULL; + void *mark; + PLArenaPool *poolp; + + /* verify this cert for encryption */ + if (CERT_VerifyCert(certdb, cert, PR_TRUE, certUsageEmailRecipient, PR_Now(), signerinfo->cmsg->pwfn_arg, NULL) != SECSuccess) { + return SECFailure; + } + + poolp = signerinfo->cmsg->poolp; + mark = PORT_ArenaMark(poolp); + + smimeekp = SECITEM_AllocItem(poolp, NULL, 0); + if (smimeekp == NULL) + goto loser; + + /* create new signing time attribute */ + if (NSS_SMIMEUtil_CreateMSSMIMEEncKeyPrefs(poolp, smimeekp, cert) != SECSuccess) + goto loser; + + if ((attr = NSS_CMSAttribute_Create(poolp, SEC_OID_MS_SMIME_ENCRYPTION_KEY_PREFERENCE, smimeekp, PR_TRUE)) == NULL) + goto loser; + + if (NSS_CMSSignerInfo_AddAuthAttr(signerinfo, attr) != SECSuccess) + goto loser; + + PORT_ArenaUnmark (poolp, mark); + return SECSuccess; + +loser: + PORT_ArenaRelease (poolp, mark); + return SECFailure; +} + +/* * NSS_CMSSignerInfo_AddCounterSignature - countersign a signerinfo * * 1. digest the DER-encoded signature value of the original signerinfo diff --git a/security/nss/lib/smime/smime.def b/security/nss/lib/smime/smime.def index ef383b559..6b8d11b88 100644 --- a/security/nss/lib/smime/smime.def +++ b/security/nss/lib/smime/smime.def @@ -209,3 +209,9 @@ NSS_CMSMessage_IsEncrypted; ;+ local: ;+ *; ;+}; +;+NSS_3.6 { # NSS 3.6 release +;+ global: +NSS_CMSSignerInfo_AddMSSMIMEEncKeyPrefs; +;+ local: +;+ *; +;+}; diff --git a/security/nss/lib/smime/smime.h b/security/nss/lib/smime/smime.h index 1832634f7..22d73324a 100644 --- a/security/nss/lib/smime/smime.h +++ b/security/nss/lib/smime/smime.h @@ -131,6 +131,11 @@ extern SECStatus NSS_SMIMEUtil_CreateSMIMECapabilities(PLArenaPool *poolp, SECIt extern SECStatus NSS_SMIMEUtil_CreateSMIMEEncKeyPrefs(PLArenaPool *poolp, SECItem *dest, CERTCertificate *cert); /* + * NSS_SMIMEUtil_CreateMSSMIMEEncKeyPrefs - create S/MIME encryption key preferences attr value using MS oid + */ +extern SECStatus NSS_SMIMEUtil_CreateMSSMIMEEncKeyPrefs(PLArenaPool *poolp, SECItem *dest, CERTCertificate *cert); + +/* * NSS_SMIMEUtil_GetCertFromEncryptionKeyPreference - find cert marked by EncryptionKeyPreference * attribute */ diff --git a/security/nss/lib/smime/smimeutil.c b/security/nss/lib/smime/smimeutil.c index 732d8047b..eaa5d4fa1 100644 --- a/security/nss/lib/smime/smimeutil.c +++ b/security/nss/lib/smime/smimeutil.c @@ -681,6 +681,40 @@ loser: } /* + * NSS_SMIMEUtil_CreateSMIMEEncKeyPrefs - create S/MIME encryption key preferences attr value using MS oid + * + * "poolp" - arena pool to create the attr value on + * "dest" - SECItem to put the data in + * "cert" - certificate that should be marked as preferred encryption key + * cert is expected to have been verified for EmailRecipient usage. + */ +SECStatus +NSS_SMIMEUtil_CreateMSSMIMEEncKeyPrefs(PLArenaPool *poolp, SECItem *dest, CERTCertificate *cert) +{ + SECItem *dummy = NULL; + PLArenaPool *tmppoolp = NULL; + CERTIssuerAndSN *isn; + + if (cert == NULL) + goto loser; + + tmppoolp = PORT_NewArena(1024); + if (tmppoolp == NULL) + goto loser; + + isn = CERT_GetCertIssuerAndSN(tmppoolp, cert); + if (isn == NULL) + goto loser; + + dummy = SEC_ASN1EncodeItem(poolp, dest, isn, CERT_IssuerAndSNTemplate); + +loser: + if (tmppoolp) PORT_FreeArena(tmppoolp, PR_FALSE); + + return (dummy == NULL) ? SECFailure : SECSuccess; +} + +/* * NSS_SMIMEUtil_GetCertFromEncryptionKeyPreference - * find cert marked by EncryptionKeyPreference attribute * diff --git a/security/nss/lib/util/secoid.c b/security/nss/lib/util/secoid.c index 3339d1e86..179105488 100644 --- a/security/nss/lib/util/secoid.c +++ b/security/nss/lib/util/secoid.c @@ -148,6 +148,10 @@ #define PKIX_ID_REGCTRL PKIX_ID_PKIP, 1 #define PKIX_ID_REGINFO PKIX_ID_PKIP, 2 +/* Microsoft Object ID space */ +/* { 1.3.6.1.4.1.311 } */ +#define MICROSOFT_OID 0x2b, 0x6, 0x1, 0x4, 0x1, 0x82, 0x37 + #define CONST_OID static const unsigned char CONST_OID md2[] = { DIGEST, 0x02 }; @@ -212,6 +216,7 @@ CONST_OID cmsRC2wrap[] = { PKCS9_SMIME_ALGS, 7 }; /* RFC2633 SMIME message attributes */ CONST_OID smimeEncryptionKeyPreference[] = { PKCS9_SMIME_ATTRS, 11 }; +CONST_OID ms_smimeEncryptionKeyPreference[] = { MICROSOFT_OID, 0x10, 0x4 }; CONST_OID x520CommonName[] = { X520_ATTRIBUTE_TYPE, 3 }; CONST_OID x520CountryName[] = { X520_ATTRIBUTE_TYPE, 6 }; @@ -1003,6 +1008,10 @@ const static SECOidData oids[] = { /* More bogus DSA OIDs */ OD( sdn702DSASignature, SEC_OID_SDN702_DSA_SIGNATURE, "SDN.702 DSA Signature", CKM_DSA_SHA1, INVALID_CERT_EXTENSION ), + + OD( ms_smimeEncryptionKeyPreference, SEC_OID_MS_SMIME_ENCRYPTION_KEY_PREFERENCE, + "Microsoft S/MIME Encryption Key Preference", + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ), }; /* diff --git a/security/nss/lib/util/secoidt.h b/security/nss/lib/util/secoidt.h index 7ce1f4cf4..5c89cf7a9 100644 --- a/security/nss/lib/util/secoidt.h +++ b/security/nss/lib/util/secoidt.h @@ -294,6 +294,8 @@ typedef enum { SEC_OID_SDN702_DSA_SIGNATURE = 189, + SEC_OID_MS_SMIME_ENCRYPTION_KEY_PREFERENCE = 190, + SEC_OID_TOTAL } SECOidTag; |