diff options
Diffstat (limited to 'security/nss/lib/smime/cmst.h')
-rw-r--r-- | security/nss/lib/smime/cmst.h | 490 |
1 files changed, 490 insertions, 0 deletions
diff --git a/security/nss/lib/smime/cmst.h b/security/nss/lib/smime/cmst.h new file mode 100644 index 000000000..f963109c9 --- /dev/null +++ b/security/nss/lib/smime/cmst.h @@ -0,0 +1,490 @@ +/* + * The contents of this file are subject to the Mozilla Public + * License Version 1.1 (the "License"); you may not use this file + * except in compliance with the License. You may obtain a copy of + * the License at http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS + * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or + * implied. See the License for the specific language governing + * rights and limitations under the License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is Netscape + * Communications Corporation. Portions created by Netscape are + * Copyright (C) 1994-2000 Netscape Communications Corporation. All + * Rights Reserved. + * + * Contributor(s): + * + * Alternatively, the contents of this file may be used under the + * terms of the GNU General Public License Version 2 or later (the + * "GPL"), in which case the provisions of the GPL are applicable + * instead of those above. If you wish to allow use of your + * version of this file only under the terms of the GPL and not to + * allow others to use your version of this file under the MPL, + * indicate your decision by deleting the provisions above and + * replace them with the notice and other provisions required by + * the GPL. If you do not delete the provisions above, a recipient + * may use your version of this file under either the MPL or the + * GPL. + */ + +/* + * Header for CMS types. + * + * $Id$ + */ + +#ifndef _CMST_H_ +#define _CMST_H_ + +#include "seccomon.h" +#include "secoidt.h" +#include "certt.h" +#include "secmodt.h" +#include "secmodt.h" + +#include "plarena.h" + +/* Non-opaque objects. NOTE, though: I want them to be treated as + * opaque as much as possible. If I could hide them completely, + * I would. (I tried, but ran into trouble that was taking me too + * much time to get out of.) I still intend to try to do so. + * In fact, the only type that "outsiders" should even *name* is + * NSSCMSMessage, and they should not reference its fields. + */ +/* rjr: PKCS #11 cert handling (pk11cert.c) does use NSSCMSRecipientInfo's. + * This is because when we search the recipient list for the cert and key we + * want, we need to invert the order of the loops we used to have. The old + * loops were: + * + * For each recipient { + * find_cert = PK11_Find_AllCert(recipient->issuerSN); + * [which unrolls to... ] + * For each slot { + * Log into slot; + * search slot for cert; + * } + * } + * + * the new loop searchs all the recipients at once on a slot. this allows + * PKCS #11 to order slots in such a way that logout slots don't get checked + * if we can find the cert on a logged in slot. This eliminates lots of + * spurious password prompts when smart cards are installed... so why this + * comment? If you make NSSCMSRecipientInfo completely opaque, you need + * to provide a non-opaque list of issuerSN's (the only field PKCS#11 needs + * and fix up pk11cert.c first. NOTE: Only S/MIME calls this special PKCS #11 + * function. + */ + +typedef struct NSSCMSMessageStr NSSCMSMessage; + +typedef union NSSCMSContentUnion NSSCMSContent; +typedef struct NSSCMSContentInfoStr NSSCMSContentInfo; + +typedef struct NSSCMSSignedDataStr NSSCMSSignedData; +typedef struct NSSCMSSignerInfoStr NSSCMSSignerInfo; +typedef struct NSSCMSSignerIdentifierStr NSSCMSSignerIdentifier; + +typedef struct NSSCMSEnvelopedDataStr NSSCMSEnvelopedData; +typedef struct NSSCMSOriginatorInfoStr NSSCMSOriginatorInfo; +typedef struct NSSCMSRecipientInfoStr NSSCMSRecipientInfo; + +typedef struct NSSCMSDigestedDataStr NSSCMSDigestedData; +typedef struct NSSCMSEncryptedDataStr NSSCMSEncryptedData; + +typedef struct NSSCMSSMIMEKEAParametersStr NSSCMSSMIMEKEAParameters; + +typedef struct NSSCMSAttributeStr NSSCMSAttribute; + +typedef struct NSSCMSDecoderContextStr NSSCMSDecoderContext; +typedef struct NSSCMSEncoderContextStr NSSCMSEncoderContext; + +typedef struct NSSCMSCipherContextStr NSSCMSCipherContext; +typedef struct NSSCMSDigestContextStr NSSCMSDigestContext; + +/* + * Type of function passed to NSSCMSDecode or NSSCMSDecoderStart. + * If specified, this is where the content bytes (only) will be "sent" + * as they are recovered during the decoding. + * And: + * Type of function passed to NSSCMSEncode or NSSCMSEncoderStart. + * This is where the DER-encoded bytes will be "sent". + * + * XXX Should just combine this with NSSCMSEncoderContentCallback type + * and use a simpler, common name. + */ +typedef void (*NSSCMSContentCallback)(void *arg, const char *buf, unsigned long len); + +/* + * Type of function passed to NSSCMSDecode or NSSCMSDecoderStart + * to retrieve the decryption key. This function is intended to be + * used for EncryptedData content info's which do not have a key available + * in a certificate, etc. + */ +typedef PK11SymKey *(*NSSCMSGetDecryptKeyCallback)(void *arg, SECAlgorithmID *algid); + + +/* ============================================================================= + * ENCAPSULATED CONTENTINFO & CONTENTINFO + */ + +union NSSCMSContentUnion { + /* either unstructured */ + SECItem * data; + /* or structured data */ + NSSCMSDigestedData * digestedData; + NSSCMSEncryptedData * encryptedData; + NSSCMSEnvelopedData * envelopedData; + NSSCMSSignedData * signedData; + /* or anonymous pointer to something */ + void * pointer; +}; + +struct NSSCMSContentInfoStr { + SECItem contentType; + NSSCMSContent content; + /* --------- local; not part of encoding --------- */ + SECOidData * contentTypeTag; + + /* additional info for encryptedData and envelopedData */ + /* we waste this space for signedData and digestedData. sue me. */ + + SECAlgorithmID contentEncAlg; + SECItem * rawContent; /* encrypted DER, optional */ + /* XXXX bytes not encrypted, but encoded? */ + /* --------- local; not part of encoding --------- */ + PK11SymKey * bulkkey; /* bulk encryption key */ + int keysize; /* size of bulk encryption key + * (only used by creation code) */ + SECOidTag contentEncAlgTag; /* oid tag of encryption algorithm + * (only used by creation code) */ + NSSCMSCipherContext *ciphcx; /* context for en/decryption going on */ + NSSCMSDigestContext *digcx; /* context for digesting going on */ +}; + +/* ============================================================================= + * MESSAGE + */ + +struct NSSCMSMessageStr { + NSSCMSContentInfo contentInfo; /* "outer" cinfo */ + /* --------- local; not part of encoding --------- */ + PLArenaPool * poolp; + PRBool poolp_is_ours; + int refCount; + /* properties of the "inner" data */ + SECAlgorithmID ** detached_digestalgs; + SECItem ** detached_digests; + void * pwfn_arg; + NSSCMSGetDecryptKeyCallback decrypt_key_cb; + void * decrypt_key_cb_arg; +}; + +/* ============================================================================= + * SIGNEDDATA + */ + +struct NSSCMSSignedDataStr { + SECItem version; + SECAlgorithmID ** digestAlgorithms; + NSSCMSContentInfo contentInfo; + SECItem ** rawCerts; + CERTSignedCrl ** crls; + NSSCMSSignerInfo ** signerInfos; + /* --------- local; not part of encoding --------- */ + NSSCMSMessage * cmsg; /* back pointer to message */ + SECItem ** digests; + CERTCertificate ** certs; + CERTCertificateList ** certLists; +}; +#define NSS_CMS_SIGNED_DATA_VERSION_BASIC 1 /* what we *create* */ +#define NSS_CMS_SIGNED_DATA_VERSION_EXT 3 /* what we *create* */ + +typedef enum { + NSSCMSVS_Unverified = 0, + NSSCMSVS_GoodSignature = 1, + NSSCMSVS_BadSignature = 2, + NSSCMSVS_DigestMismatch = 3, + NSSCMSVS_SigningCertNotFound = 4, + NSSCMSVS_SigningCertNotTrusted = 5, + NSSCMSVS_SignatureAlgorithmUnknown = 6, + NSSCMSVS_SignatureAlgorithmUnsupported = 7, + NSSCMSVS_MalformedSignature = 8, + NSSCMSVS_ProcessingError = 9 +} NSSCMSVerificationStatus; + +typedef enum { + NSSCMSSignerID_IssuerSN = 0, + NSSCMSSignerID_SubjectKeyID = 1 +} NSSCMSSignerIDSelector; + +struct NSSCMSSignerIdentifierStr { + NSSCMSSignerIDSelector identifierType; + union { + CERTIssuerAndSN *issuerAndSN; + SECItem *subjectKeyID; + } id; +}; + +struct NSSCMSSignerInfoStr { + SECItem version; + NSSCMSSignerIdentifier signerIdentifier; + SECAlgorithmID digestAlg; + NSSCMSAttribute ** authAttr; + SECAlgorithmID digestEncAlg; + SECItem encDigest; + NSSCMSAttribute ** unAuthAttr; + /* --------- local; not part of encoding --------- */ + NSSCMSMessage * cmsg; /* back pointer to message */ + CERTCertificate * cert; + CERTCertificateList * certList; + PRTime signingTime; + NSSCMSVerificationStatus verificationStatus; +}; +#define NSS_CMS_SIGNER_INFO_VERSION_ISSUERSN 1 /* what we *create* */ +#define NSS_CMS_SIGNER_INFO_VERSION_SUBJKEY 3 /* what we *create* */ + +typedef enum { + NSSCMSCM_None = 0, + NSSCMSCM_CertOnly = 1, + NSSCMSCM_CertChain = 2, + NSSCMSCM_CertChainWithRoot = 3 +} NSSCMSCertChainMode; + +/* ============================================================================= + * ENVELOPED DATA + */ +struct NSSCMSEnvelopedDataStr { + SECItem version; + NSSCMSOriginatorInfo * originatorInfo; /* optional */ + NSSCMSRecipientInfo ** recipientInfos; + NSSCMSContentInfo contentInfo; + NSSCMSAttribute ** unprotectedAttr; + /* --------- local; not part of encoding --------- */ + NSSCMSMessage * cmsg; /* back pointer to message */ +}; +#define NSS_CMS_ENVELOPED_DATA_VERSION_REG 0 /* what we *create* */ +#define NSS_CMS_ENVELOPED_DATA_VERSION_ADV 2 /* what we *create* */ + +struct NSSCMSOriginatorInfoStr { + SECItem ** rawCerts; + CERTSignedCrl ** crls; + /* --------- local; not part of encoding --------- */ + CERTCertificate ** certs; +}; + +/* ----------------------------------------------------------------------------- + * key transport recipient info + */ +typedef enum { + NSSCMSRecipientID_IssuerSN = 0, + NSSCMSRecipientID_SubjectKeyID = 1 +} NSSCMSRecipientIDSelector; + +struct NSSCMSRecipientIdentifierStr { + NSSCMSRecipientIDSelector identifierType; + union { + CERTIssuerAndSN *issuerAndSN; + SECItem *subjectKeyID; + } id; +}; +typedef struct NSSCMSRecipientIdentifierStr NSSCMSRecipientIdentifier; + +struct NSSCMSKeyTransRecipientInfoStr { + SECItem version; + NSSCMSRecipientIdentifier recipientIdentifier; + SECAlgorithmID keyEncAlg; + SECItem encKey; +}; +typedef struct NSSCMSKeyTransRecipientInfoStr NSSCMSKeyTransRecipientInfo; + +#define NSS_CMS_KEYTRANS_RECIPIENT_INFO_VERSION_ISSUERSN 0 /* what we *create* */ +#define NSS_CMS_KEYTRANS_RECIPIENT_INFO_VERSION_SUBJKEY 2 /* what we *create* */ + +/* ----------------------------------------------------------------------------- + * key agreement recipient info + */ +struct NSSCMSOriginatorPublicKeyStr { + SECAlgorithmID algorithmIdentifier; + SECItem publicKey; /* bit string! */ +}; +typedef struct NSSCMSOriginatorPublicKeyStr NSSCMSOriginatorPublicKey; + +typedef enum { + NSSCMSOriginatorIDOrKey_IssuerSN = 0, + NSSCMSOriginatorIDOrKey_SubjectKeyID = 1, + NSSCMSOriginatorIDOrKey_OriginatorPublicKey = 2 +} NSSCMSOriginatorIDOrKeySelector; + +struct NSSCMSOriginatorIdentifierOrKeyStr { + NSSCMSOriginatorIDOrKeySelector identifierType; + union { + CERTIssuerAndSN *issuerAndSN; /* static-static */ + SECItem *subjectKeyID; /* static-static */ + NSSCMSOriginatorPublicKey originatorPublicKey; /* ephemeral-static */ + } id; +}; +typedef struct NSSCMSOriginatorIdentifierOrKeyStr NSSCMSOriginatorIdentifierOrKey; + +struct NSSCMSRecipientKeyIdentifierStr { + SECItem * subjectKeyIdentifier; + SECItem * date; /* optional */ + SECItem * other; /* optional */ +}; +typedef struct NSSCMSRecipientKeyIdentifierStr NSSCMSRecipientKeyIdentifier; + +typedef enum { + NSSCMSKeyAgreeRecipientID_IssuerSN = 0, + NSSCMSKeyAgreeRecipientID_RKeyID = 1 +} NSSCMSKeyAgreeRecipientIDSelector; + +struct NSSCMSKeyAgreeRecipientIdentifierStr { + NSSCMSKeyAgreeRecipientIDSelector identifierType; + union { + CERTIssuerAndSN *issuerAndSN; + NSSCMSRecipientKeyIdentifier recipientKeyIdentifier; + } id; +}; +typedef struct NSSCMSKeyAgreeRecipientIdentifierStr NSSCMSKeyAgreeRecipientIdentifier; + +struct NSSCMSRecipientEncryptedKeyStr { + NSSCMSKeyAgreeRecipientIdentifier recipientIdentifier; + SECItem encKey; +}; +typedef struct NSSCMSRecipientEncryptedKeyStr NSSCMSRecipientEncryptedKey; + +struct NSSCMSKeyAgreeRecipientInfoStr { + SECItem version; + NSSCMSOriginatorIdentifierOrKey originatorIdentifierOrKey; + SECItem * ukm; /* optional */ + SECAlgorithmID keyEncAlg; + NSSCMSRecipientEncryptedKey ** recipientEncryptedKeys; +}; +typedef struct NSSCMSKeyAgreeRecipientInfoStr NSSCMSKeyAgreeRecipientInfo; + +#define NSS_CMS_KEYAGREE_RECIPIENT_INFO_VERSION 3 /* what we *create* */ + +/* ----------------------------------------------------------------------------- + * KEK recipient info + */ +struct NSSCMSKEKIdentifierStr { + SECItem keyIdentifier; + SECItem * date; /* optional */ + SECItem * other; /* optional */ +}; +typedef struct NSSCMSKEKIdentifierStr NSSCMSKEKIdentifier; + +struct NSSCMSKEKRecipientInfoStr { + SECItem version; + NSSCMSKEKIdentifier kekIdentifier; + SECAlgorithmID keyEncAlg; + SECItem encKey; +}; +typedef struct NSSCMSKEKRecipientInfoStr NSSCMSKEKRecipientInfo; + +#define NSS_CMS_KEK_RECIPIENT_INFO_VERSION 4 /* what we *create* */ + +/* ----------------------------------------------------------------------------- + * recipient info + */ + +typedef enum { + NSSCMSRecipientInfoID_KeyTrans = 0, + NSSCMSRecipientInfoID_KeyAgree = 1, + NSSCMSRecipientInfoID_KEK = 2 +} NSSCMSRecipientInfoIDSelector; + +struct NSSCMSRecipientInfoStr { + NSSCMSRecipientInfoIDSelector recipientInfoType; + union { + NSSCMSKeyTransRecipientInfo keyTransRecipientInfo; + NSSCMSKeyAgreeRecipientInfo keyAgreeRecipientInfo; + NSSCMSKEKRecipientInfo kekRecipientInfo; + } ri; + /* --------- local; not part of encoding --------- */ + NSSCMSMessage * cmsg; /* back pointer to message */ + CERTCertificate * cert; /* recipient's certificate */ +}; + +/* ============================================================================= + * DIGESTED DATA + */ +struct NSSCMSDigestedDataStr { + SECItem version; + SECAlgorithmID digestAlg; + NSSCMSContentInfo contentInfo; + SECItem digest; + /* --------- local; not part of encoding --------- */ + NSSCMSMessage * cmsg; /* back pointer */ + SECItem cdigest; /* calculated digest */ +}; +#define NSS_CMS_DIGESTED_DATA_VERSION_DATA 0 /* what we *create* */ +#define NSS_CMS_DIGESTED_DATA_VERSION_ENCAP 2 /* what we *create* */ + +/* ============================================================================= + * ENCRYPTED DATA + */ +struct NSSCMSEncryptedDataStr { + SECItem version; + NSSCMSContentInfo contentInfo; + NSSCMSAttribute ** unprotectedAttr; /* optional */ + /* --------- local; not part of encoding --------- */ + NSSCMSMessage * cmsg; /* back pointer */ +}; +#define NSS_CMS_ENCRYPTED_DATA_VERSION 0 /* what we *create* */ +#define NSS_CMS_ENCRYPTED_DATA_VERSION_UPATTR 2 /* what we *create* */ + +/* ============================================================================= + * FORTEZZA KEA + */ + +/* An enumerated type used to select templates based on the encryption + scenario and data specifics. */ +typedef enum { + NSSCMSKEAInvalid = -1, + NSSCMSKEAUsesSkipjack = 0, + NSSCMSKEAUsesNonSkipjack = 1, + NSSCMSKEAUsesNonSkipjackWithPaddedEncKey = 2 +} NSSCMSKEATemplateSelector; + +/* ### mwelch - S/MIME KEA parameters. These don't really fit here, + but I cannot think of a more appropriate place at this time. */ +struct NSSCMSSMIMEKEAParametersStr { + SECItem originatorKEAKey; /* sender KEA key (encrypted?) */ + SECItem originatorRA; /* random number generated by sender */ + SECItem nonSkipjackIV; /* init'n vector for SkipjackCBC64 + decryption of KEA key if Skipjack + is not the bulk algorithm used on + the message */ + SECItem bulkKeySize; /* if Skipjack is not the bulk + algorithm used on the message, + and the size of the bulk encryption + key is not the same as that of + originatorKEAKey (due to padding + perhaps), this field will contain + the real size of the bulk encryption + key. */ +}; + +/* + * ***************************************************************************** + * ***************************************************************************** + * ***************************************************************************** + */ + +/* + * See comment above about this type not really belonging to CMS. + */ +struct NSSCMSAttributeStr { + /* The following fields make up an encoded Attribute: */ + SECItem type; + SECItem ** values; /* data may or may not be encoded */ + /* The following fields are not part of an encoded Attribute: */ + SECOidData * typeTag; + PRBool encoded; /* when true, values are encoded */ +}; + +#endif /* _CMST_H_ */ |