b=107034 OE requires special attribute in incoming signed messages to support dual key certificates. Add new function

NSS_CMSSignerInfo_AddMSSMIMEEncKeyPrefs.
r=relyea

8 files changed, 131 insertions, 0 deletions

diff --git a/security/nss/cmd/smimetools/cmsutil.c b/security/nss/cmd/smimetools/cmsutil.c
index ec2fe56e8..d0ac0402a 100644
--- a/security/nss/cmd/smimetools/cmsutil.c
+++ b/security/nss/cmd/smimetools/cmsutil.c
@@ -509,6 +509,12 @@ signed_data(struct signOptionsStr *signOptions)
 	    fprintf(stderr, "ERROR: cannot add SMIMEEncKeyPrefs attribute.\n");
 	    goto loser;
 	}
+	if (NSS_CMSSignerInfo_AddMSSMIMEEncKeyPrefs(signerinfo, ekpcert, 
+	                                     signOptions->options->certHandle)
+	      != SECSuccess) {
+	    fprintf(stderr, "ERROR: cannot add MS SMIMEEncKeyPrefs attribute.\n");
+	    goto loser;
+	}
 	if (NSS_CMSSignedData_AddCertificate(sigd, ekpcert) != SECSuccess) {
 	    fprintf(stderr, "ERROR: cannot add encryption certificate.\n");
 	    goto loser;
@@ -527,6 +533,13 @@ signed_data(struct signOptionsStr *signOptions)
                     "ERROR: cannot add default SMIMEEncKeyPrefs attribute.\n");
                 goto loser;
             }
+            if (NSS_CMSSignerInfo_AddMSSMIMEEncKeyPrefs(signerinfo, cert, 
+                                              signOptions->options->certHandle)
+                  != SECSuccess) {
+                fprintf(stderr, 
+                    "ERROR: cannot add default MS SMIMEEncKeyPrefs attribute.\n");
+                goto loser;
+            }
         } else {
             /* this is a dual-key cert case, we need to look for the encryption
                certificate under the same nickname as the signing cert */
@@ -549,6 +562,13 @@ signed_data(struct signOptionsStr *signOptions)
                         "ERROR: cannot add SMIMEEncKeyPrefs attribute.\n");
                 goto loser;
             }
+            if (NSS_CMSSignerInfo_AddMSSMIMEEncKeyPrefs(signerinfo, ekpcert, 
+                                              signOptions->options->certHandle)
+                  != SECSuccess) {
+                fprintf(stderr, 
+                        "ERROR: cannot add MS SMIMEEncKeyPrefs attribute.\n");
+                goto loser;
+            }
             if (NSS_CMSSignedData_AddCertificate(sigd, ekpcert) != SECSuccess) {
                 fprintf(stderr, "ERROR: cannot add encryption certificate.\n");
                 goto loser;
diff --git a/security/nss/lib/smime/cms.h b/security/nss/lib/smime/cms.h
index f2f50a654..7b96cda41 100644
--- a/security/nss/lib/smime/cms.h
+++ b/security/nss/lib/smime/cms.h
@@ -731,6 +731,16 @@ NSS_CMSSignerInfo_AddSMIMECaps(NSSCMSSignerInfo *signerinfo);
 SECStatus
 NSS_CMSSignerInfo_AddSMIMEEncKeyPrefs(NSSCMSSignerInfo *signerinfo, CERTCertificate *cert, CERTCertDBHandle *certdb);
 
+/*
+ * NSS_CMSSignerInfo_AddMSSMIMEEncKeyPrefs - add a SMIMEEncryptionKeyPreferences attribute to the
+ * authenticated (i.e. signed) attributes of "signerinfo", using the OID prefered by Microsoft.
+ *
+ * This is expected to be included in outgoing signed messages for email (S/MIME),
+ * if compatibility with Microsoft mail clients is wanted.
+ */
+SECStatus
+NSS_CMSSignerInfo_AddMSSMIMEEncKeyPrefs(NSSCMSSignerInfo *signerinfo, CERTCertificate *cert, CERTCertDBHandle *certdb);
+
 /* 
  * NSS_CMSSignerInfo_AddCounterSignature - countersign a signerinfo
  */
diff --git a/security/nss/lib/smime/cmssiginfo.c b/security/nss/lib/smime/cmssiginfo.c
index 4dbdcb7bf..a456ca9ae 100644
--- a/security/nss/lib/smime/cmssiginfo.c
+++ b/security/nss/lib/smime/cmssiginfo.c
@@ -743,6 +743,51 @@ loser:
 }
 
 /* 
+ * NSS_CMSSignerInfo_AddMSSMIMEEncKeyPrefs - add a SMIMEEncryptionKeyPreferences attribute to the
+ * authenticated (i.e. signed) attributes of "signerinfo", using the OID prefered by Microsoft.
+ *
+ * This is expected to be included in outgoing signed messages for email (S/MIME),
+ * if compatibility with Microsoft mail clients is wanted.
+ */
+SECStatus
+NSS_CMSSignerInfo_AddMSSMIMEEncKeyPrefs(NSSCMSSignerInfo *signerinfo, CERTCertificate *cert, CERTCertDBHandle *certdb)
+{
+    NSSCMSAttribute *attr;
+    SECItem *smimeekp = NULL;
+    void *mark;
+    PLArenaPool *poolp;
+
+    /* verify this cert for encryption */
+    if (CERT_VerifyCert(certdb, cert, PR_TRUE, certUsageEmailRecipient, PR_Now(), signerinfo->cmsg->pwfn_arg, NULL) != SECSuccess) {
+	return SECFailure;
+    }
+
+    poolp = signerinfo->cmsg->poolp;
+    mark = PORT_ArenaMark(poolp);
+
+    smimeekp = SECITEM_AllocItem(poolp, NULL, 0);
+    if (smimeekp == NULL)
+	goto loser;
+
+    /* create new signing time attribute */
+    if (NSS_SMIMEUtil_CreateMSSMIMEEncKeyPrefs(poolp, smimeekp, cert) != SECSuccess)
+	goto loser;
+
+    if ((attr = NSS_CMSAttribute_Create(poolp, SEC_OID_MS_SMIME_ENCRYPTION_KEY_PREFERENCE, smimeekp, PR_TRUE)) == NULL)
+	goto loser;
+
+    if (NSS_CMSSignerInfo_AddAuthAttr(signerinfo, attr) != SECSuccess)
+	goto loser;
+
+    PORT_ArenaUnmark (poolp, mark);
+    return SECSuccess;
+
+loser:
+    PORT_ArenaRelease (poolp, mark);
+    return SECFailure;
+}
+
+/* 
  * NSS_CMSSignerInfo_AddCounterSignature - countersign a signerinfo
  *
  * 1. digest the DER-encoded signature value of the original signerinfo
diff --git a/security/nss/lib/smime/smime.def b/security/nss/lib/smime/smime.def
index ef383b559..6b8d11b88 100644
--- a/security/nss/lib/smime/smime.def
+++ b/security/nss/lib/smime/smime.def
@@ -209,3 +209,9 @@ NSS_CMSMessage_IsEncrypted;
 ;+    local:
 ;+       *;
 ;+};
+;+NSS_3.6 {     # NSS 3.6 release
+;+    global:
+NSS_CMSSignerInfo_AddMSSMIMEEncKeyPrefs;
+;+    local:
+;+       *;
+;+};
diff --git a/security/nss/lib/smime/smime.h b/security/nss/lib/smime/smime.h
index 1832634f7..22d73324a 100644
--- a/security/nss/lib/smime/smime.h
+++ b/security/nss/lib/smime/smime.h
@@ -131,6 +131,11 @@ extern SECStatus NSS_SMIMEUtil_CreateSMIMECapabilities(PLArenaPool *poolp, SECIt
 extern SECStatus NSS_SMIMEUtil_CreateSMIMEEncKeyPrefs(PLArenaPool *poolp, SECItem *dest, CERTCertificate *cert);
 
 /*
+ * NSS_SMIMEUtil_CreateMSSMIMEEncKeyPrefs - create S/MIME encryption key preferences attr value using MS oid
+ */
+extern SECStatus NSS_SMIMEUtil_CreateMSSMIMEEncKeyPrefs(PLArenaPool *poolp, SECItem *dest, CERTCertificate *cert);
+
+/*
  * NSS_SMIMEUtil_GetCertFromEncryptionKeyPreference - find cert marked by EncryptionKeyPreference
  *          attribute
  */
diff --git a/security/nss/lib/smime/smimeutil.c b/security/nss/lib/smime/smimeutil.c
index 732d8047b..eaa5d4fa1 100644
--- a/security/nss/lib/smime/smimeutil.c
+++ b/security/nss/lib/smime/smimeutil.c
@@ -681,6 +681,40 @@ loser:
 }
 
 /*
+ * NSS_SMIMEUtil_CreateSMIMEEncKeyPrefs - create S/MIME encryption key preferences attr value using MS oid
+ *
+ * "poolp" - arena pool to create the attr value on
+ * "dest" - SECItem to put the data in
+ * "cert" - certificate that should be marked as preferred encryption key
+ *          cert is expected to have been verified for EmailRecipient usage.
+ */
+SECStatus
+NSS_SMIMEUtil_CreateMSSMIMEEncKeyPrefs(PLArenaPool *poolp, SECItem *dest, CERTCertificate *cert)
+{
+    SECItem *dummy = NULL;
+    PLArenaPool *tmppoolp = NULL;
+    CERTIssuerAndSN *isn;
+
+    if (cert == NULL)
+	goto loser;
+
+    tmppoolp = PORT_NewArena(1024);
+    if (tmppoolp == NULL)
+	goto loser;
+
+    isn = CERT_GetCertIssuerAndSN(tmppoolp, cert);
+    if (isn == NULL)
+	goto loser;
+
+    dummy = SEC_ASN1EncodeItem(poolp, dest, isn, CERT_IssuerAndSNTemplate);
+
+loser:
+    if (tmppoolp) PORT_FreeArena(tmppoolp, PR_FALSE);
+
+    return (dummy == NULL) ? SECFailure : SECSuccess;
+}
+
+/*
  * NSS_SMIMEUtil_GetCertFromEncryptionKeyPreference -
  *				find cert marked by EncryptionKeyPreference attribute
  *
diff --git a/security/nss/lib/util/secoid.c b/security/nss/lib/util/secoid.c
index 3339d1e86..179105488 100644
--- a/security/nss/lib/util/secoid.c
+++ b/security/nss/lib/util/secoid.c
@@ -148,6 +148,10 @@
 #define PKIX_ID_REGCTRL  	PKIX_ID_PKIP, 1 
 #define PKIX_ID_REGINFO  	PKIX_ID_PKIP, 2
 
+/* Microsoft Object ID space */
+/* { 1.3.6.1.4.1.311 } */
+#define MICROSOFT_OID 0x2b, 0x6, 0x1, 0x4, 0x1, 0x82, 0x37
+
 #define CONST_OID static const unsigned char
 
 CONST_OID md2[]        				= { DIGEST, 0x02 };
@@ -212,6 +216,7 @@ CONST_OID cmsRC2wrap[]  			= { PKCS9_SMIME_ALGS, 7 };
 
 /* RFC2633 SMIME message attributes */
 CONST_OID smimeEncryptionKeyPreference[] 	= { PKCS9_SMIME_ATTRS, 11 };
+CONST_OID ms_smimeEncryptionKeyPreference[] 	= { MICROSOFT_OID, 0x10, 0x4 };
 
 CONST_OID x520CommonName[]          		= { X520_ATTRIBUTE_TYPE, 3 };
 CONST_OID x520CountryName[]         		= { X520_ATTRIBUTE_TYPE, 6 };
@@ -1003,6 +1008,10 @@ const static SECOidData oids[] = {
     /* More bogus DSA OIDs */
     OD( sdn702DSASignature, SEC_OID_SDN702_DSA_SIGNATURE, 
 	"SDN.702 DSA Signature", CKM_DSA_SHA1, INVALID_CERT_EXTENSION ),
+
+    OD( ms_smimeEncryptionKeyPreference, SEC_OID_MS_SMIME_ENCRYPTION_KEY_PREFERENCE,
+	"Microsoft S/MIME Encryption Key Preference", 
+	CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
 };
 
 /*
diff --git a/security/nss/lib/util/secoidt.h b/security/nss/lib/util/secoidt.h
index 7ce1f4cf4..5c89cf7a9 100644
--- a/security/nss/lib/util/secoidt.h
+++ b/security/nss/lib/util/secoidt.h
@@ -294,6 +294,8 @@ typedef enum {
 
     SEC_OID_SDN702_DSA_SIGNATURE = 189,
 
+    SEC_OID_MS_SMIME_ENCRYPTION_KEY_PREFERENCE = 190,
+
     SEC_OID_TOTAL
 } SECOidTag;