cmst.h source code [include/nss/cmst.h]

1	/ This Source Code Form is subject to the terms of the Mozilla Public*
2	* License, v. 2.0. If a copy of the MPL was not distributed with this
3	* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4
5	/*
6	* Header for CMS types.
7	*/
8
9	#ifndef _CMST_H_
10	#define _CMST_H_
11
12	#include "seccomon.h"
13	#include "secoidt.h"
14	#include "certt.h"
15	#include "secmodt.h"
16	#include "secmodt.h"
17
18	#include "plarena.h"
19
20	/ Non-opaque objects. NOTE, though: I want them to be treated as*
21	* opaque as much as possible. If I could hide them completely,
22	* I would. (I tried, but ran into trouble that was taking me too
23	* much time to get out of.) I still intend to try to do so.
24	* In fact, the only type that "outsiders" should even name is
25	* NSSCMSMessage, and they should not reference its fields.
26	*/
27	/ rjr: PKCS #11 cert handling (pk11cert.c) does use NSSCMSRecipientInfo's.*
28	* This is because when we search the recipient list for the cert and key we
29	* want, we need to invert the order of the loops we used to have. The old
30	* loops were:
31	*
32	* For each recipient {
33	* find_cert = PK11_Find_AllCert(recipient->issuerSN);
34	* [which unrolls to... ]
35	* For each slot {
36	* Log into slot;
37	* search slot for cert;
38	* }
39	* }
40	*
41	* the new loop searchs all the recipients at once on a slot. this allows
42	* PKCS #11 to order slots in such a way that logout slots don't get checked
43	* if we can find the cert on a logged in slot. This eliminates lots of
44	* spurious password prompts when smart cards are installed... so why this
45	* comment? If you make NSSCMSRecipientInfo completely opaque, you need
46	* to provide a non-opaque list of issuerSN's (the only field PKCS#11 needs
47	* and fix up pk11cert.c first. NOTE: Only S/MIME calls this special PKCS #11
48	* function.
49	*/
50
51	typedef struct NSSCMSMessageStr NSSCMSMessage;
52
53	typedef union NSSCMSContentUnion NSSCMSContent;
54	typedef struct NSSCMSContentInfoStr NSSCMSContentInfo;
55
56	typedef struct NSSCMSSignedDataStr NSSCMSSignedData;
57	typedef struct NSSCMSSignerInfoStr NSSCMSSignerInfo;
58	typedef struct NSSCMSSignerIdentifierStr NSSCMSSignerIdentifier;
59
60	typedef struct NSSCMSEnvelopedDataStr NSSCMSEnvelopedData;
61	typedef struct NSSCMSOriginatorInfoStr NSSCMSOriginatorInfo;
62	typedef struct NSSCMSRecipientInfoStr NSSCMSRecipientInfo;
63
64	typedef struct NSSCMSDigestedDataStr NSSCMSDigestedData;
65	typedef struct NSSCMSEncryptedDataStr NSSCMSEncryptedData;
66
67	typedef struct NSSCMSGenericWrapperDataStr NSSCMSGenericWrapperData;
68
69	typedef struct NSSCMSAttributeStr NSSCMSAttribute;
70
71	typedef struct NSSCMSDecoderContextStr NSSCMSDecoderContext;
72	typedef struct NSSCMSEncoderContextStr NSSCMSEncoderContext;
73
74	typedef struct NSSCMSCipherContextStr NSSCMSCipherContext;
75	typedef struct NSSCMSDigestContextStr NSSCMSDigestContext;
76
77	typedef struct NSSCMSContentInfoPrivateStr NSSCMSContentInfoPrivate;
78
79	typedef SECStatus (NSSCMSGenericWrapperDataCallback)(NSSCMSGenericWrapperData );
80	typedef void (NSSCMSGenericWrapperDataDestroy)(NSSCMSGenericWrapperData );
81
82	extern const SEC_ASN1Template NSSCMSGenericWrapperDataTemplate[];
83	extern const SEC_ASN1Template NSS_PointerToCMSGenericWrapperDataTemplate[];
84
85	SEC_ASN1_CHOOSER_DECLARE(NSS_PointerToCMSGenericWrapperDataTemplate)
86	SEC_ASN1_CHOOSER_DECLARE(NSSCMSGenericWrapperDataTemplate)
87
88	/*
89	* Type of function passed to NSSCMSDecode or NSSCMSDecoderStart.
90	* If specified, this is where the content bytes (only) will be "sent"
91	* as they are recovered during the decoding.
92	* And:
93	* Type of function passed to NSSCMSEncode or NSSCMSEncoderStart.
94	* This is where the DER-encoded bytes will be "sent".
95	*
96	* XXX Should just combine this with NSSCMSEncoderContentCallback type
97	* and use a simpler, common name.
98	*/
99	typedef void (NSSCMSContentCallback)(void* arg, const* char buf, unsigned* long len);
100
101	/*
102	* Type of function passed to NSSCMSDecode or NSSCMSDecoderStart
103	* to retrieve the decryption key. This function is intended to be
104	* used for EncryptedData content info's which do not have a key available
105	* in a certificate, etc.
106	*/
107	typedef PK11SymKey (NSSCMSGetDecryptKeyCallback)(void arg, SECAlgorithmID algid);
108
109	/ =============================================================================*
110	* ENCAPSULATED CONTENTINFO & CONTENTINFO
111	*/
112
113	union NSSCMSContentUnion {
114	/ either unstructured /
115	SECItem *data;
116	/ or structured data /
117	NSSCMSDigestedData *digestedData;
118	NSSCMSEncryptedData *encryptedData;
119	NSSCMSEnvelopedData *envelopedData;
120	NSSCMSSignedData *signedData;
121	NSSCMSGenericWrapperData *genericData;
122	/ or anonymous pointer to something /
123	void *pointer;
124	};
125
126	struct NSSCMSContentInfoStr {
127	SECItem contentType;
128	NSSCMSContent content;
129	/ --------- local; not part of encoding --------- /
130	SECOidData *contentTypeTag;
131
132	/ additional info for encryptedData and envelopedData /
133	/ we waste this space for signedData and digestedData. sue me. /
134
135	SECAlgorithmID contentEncAlg;
136	SECItem rawContent; /* encrypted DER, optional /
137	/ XXXX bytes not encrypted, but encoded? /
138	/ --------- local; not part of encoding --------- /
139	PK11SymKey bulkkey; /* bulk encryption key /
140	int keysize; / size of bulk encryption key*
141	* (only used by creation code) */
142	SECOidTag contentEncAlgTag; / oid tag of encryption algorithm*
143	* (only used by creation code) */
144	NSSCMSContentInfoPrivate privateInfo; /* place for NSS private info /
145	void reserved; /* keep binary compatibility /
146	};
147
148	/ =============================================================================*
149	* MESSAGE
150	*/
151
152	struct NSSCMSMessageStr {
153	NSSCMSContentInfo contentInfo; / "outer" cinfo /
154	/ --------- local; not part of encoding --------- /
155	PLArenaPool *poolp;
156	PRBool poolp_is_ours;
157	int refCount;
158	/ properties of the "inner" data /
159	SECAlgorithmID **detached_digestalgs;
160	SECItem **detached_digests;
161	void *pwfn_arg;
162	NSSCMSGetDecryptKeyCallback decrypt_key_cb;
163	void *decrypt_key_cb_arg;
164	};
165
166	/ ============================================================================*
167	* GENERIC WRAPPER
168	*
169	* used for user defined types.
170	*/
171	struct NSSCMSGenericWrapperDataStr {
172	NSSCMSContentInfo contentInfo;
173	/ ---- local; not part of encoding ------ /
174	NSSCMSMessage *cmsg;
175	/ wrapperspecific data starts here /
176	};
177
178	/ =============================================================================*
179	* SIGNEDDATA
180	*/
181
182	struct NSSCMSSignedDataStr {
183	SECItem version;
184	SECAlgorithmID **digestAlgorithms;
185	NSSCMSContentInfo contentInfo;
186	SECItem **rawCerts;
187	CERTSignedCrl **crls;
188	NSSCMSSignerInfo **signerInfos;
189	/ --------- local; not part of encoding --------- /
190	NSSCMSMessage cmsg; /* back pointer to message /
191	SECItem **digests;
192	CERTCertificate **certs;
193	CERTCertificateList **certLists;
194	CERTCertificate *tempCerts; /* temporary certs, needed*
195	* for example for signature
196	* verification */
197	};
198	#define NSS_CMS_SIGNED_DATA_VERSION_BASIC 1 /* what we create */
199	#define NSS_CMS_SIGNED_DATA_VERSION_EXT 3 /* what we create */
200
201	typedef enum {
202	NSSCMSVS_Unverified = `0`,
203	NSSCMSVS_GoodSignature = `1`,
204	NSSCMSVS_BadSignature = `2`,
205	NSSCMSVS_DigestMismatch = `3`,
206	NSSCMSVS_SigningCertNotFound = `4`,
207	NSSCMSVS_SigningCertNotTrusted = `5`,
208	NSSCMSVS_SignatureAlgorithmUnknown = `6`,
209	NSSCMSVS_SignatureAlgorithmUnsupported = `7`,
210	NSSCMSVS_MalformedSignature = `8`,
211	NSSCMSVS_ProcessingError = `9`
212	} NSSCMSVerificationStatus;
213
214	typedef enum {
215	NSSCMSSignerID_IssuerSN = `0`,
216	NSSCMSSignerID_SubjectKeyID = `1`
217	} NSSCMSSignerIDSelector;
218
219	struct NSSCMSSignerIdentifierStr {
220	NSSCMSSignerIDSelector identifierType;
221	union {
222	CERTIssuerAndSN *issuerAndSN;
223	SECItem *subjectKeyID;
224	} id;
225	};
226
227	struct NSSCMSSignerInfoStr {
228	SECItem version;
229	NSSCMSSignerIdentifier signerIdentifier;
230	SECAlgorithmID digestAlg;
231	NSSCMSAttribute **authAttr;
232	SECAlgorithmID digestEncAlg;
233	SECItem encDigest;
234	NSSCMSAttribute **unAuthAttr;
235	/ --------- local; not part of encoding --------- /
236	NSSCMSMessage cmsg; /* back pointer to message /
237	CERTCertificate *cert;
238	CERTCertificateList *certList;
239	PRTime signingTime;
240	NSSCMSVerificationStatus verificationStatus;
241	SECKEYPrivateKey signingKey; /* Used if we're using subjKeyID/
242	SECKEYPublicKey *pubKey;
243	};
244	#define NSS_CMS_SIGNER_INFO_VERSION_ISSUERSN 1 /* what we create */
245	#define NSS_CMS_SIGNER_INFO_VERSION_SUBJKEY 3 /* what we create */
246
247	typedef enum {
248	NSSCMSCM_None = `0`,
249	NSSCMSCM_CertOnly = `1`,
250	NSSCMSCM_CertChain = `2`,
251	NSSCMSCM_CertChainWithRoot = `3`
252	} NSSCMSCertChainMode;
253
254	/ =============================================================================*
255	* ENVELOPED DATA
256	*/
257	struct NSSCMSEnvelopedDataStr {
258	SECItem version;
259	NSSCMSOriginatorInfo originatorInfo; /* optional /
260	NSSCMSRecipientInfo **recipientInfos;
261	NSSCMSContentInfo contentInfo;
262	NSSCMSAttribute **unprotectedAttr;
263	/ --------- local; not part of encoding --------- /
264	NSSCMSMessage cmsg; /* back pointer to message /
265	};
266	#define NSS_CMS_ENVELOPED_DATA_VERSION_REG 0 /* what we create */
267	#define NSS_CMS_ENVELOPED_DATA_VERSION_ADV 2 /* what we create */
268
269	struct NSSCMSOriginatorInfoStr {
270	SECItem **rawCerts;
271	CERTSignedCrl **crls;
272	/ --------- local; not part of encoding --------- /
273	CERTCertificate **certs;
274	};
275
276	/ -----------------------------------------------------------------------------*
277	* key transport recipient info
278	*/
279	typedef enum {
280	NSSCMSRecipientID_IssuerSN = `0`,
281	NSSCMSRecipientID_SubjectKeyID = `1`,
282	NSSCMSRecipientID_BrandNew = `2`
283	} NSSCMSRecipientIDSelector;
284
285	struct NSSCMSRecipientIdentifierStr {
286	NSSCMSRecipientIDSelector identifierType;
287	union {
288	CERTIssuerAndSN *issuerAndSN;
289	SECItem *subjectKeyID;
290	} id;
291	};
292	typedef struct NSSCMSRecipientIdentifierStr NSSCMSRecipientIdentifier;
293
294	struct NSSCMSKeyTransRecipientInfoStr {
295	SECItem version;
296	NSSCMSRecipientIdentifier recipientIdentifier;
297	SECAlgorithmID keyEncAlg;
298	SECItem encKey;
299	};
300	typedef struct NSSCMSKeyTransRecipientInfoStr NSSCMSKeyTransRecipientInfo;
301
302	/*
303	* View comments before NSSCMSRecipientInfoStr for purpose of this
304	* structure.
305	*/
306	struct NSSCMSKeyTransRecipientInfoExStr {
307	NSSCMSKeyTransRecipientInfo recipientInfo;
308	int version; / version of this structure (0) /
309	SECKEYPublicKey *pubKey;
310	};
311
312	typedef struct NSSCMSKeyTransRecipientInfoExStr NSSCMSKeyTransRecipientInfoEx;
313
314	#define NSS_CMS_KEYTRANS_RECIPIENT_INFO_VERSION_ISSUERSN 0 /* what we create */
315	#define NSS_CMS_KEYTRANS_RECIPIENT_INFO_VERSION_SUBJKEY 2 /* what we create */
316
317	/ -----------------------------------------------------------------------------*
318	* key agreement recipient info
319	*/
320	struct NSSCMSOriginatorPublicKeyStr {
321	SECAlgorithmID algorithmIdentifier;
322	SECItem publicKey; / bit string! /
323	};
324	typedef struct NSSCMSOriginatorPublicKeyStr NSSCMSOriginatorPublicKey;
325
326	typedef enum {
327	NSSCMSOriginatorIDOrKey_IssuerSN = `0`,
328	NSSCMSOriginatorIDOrKey_SubjectKeyID = `1`,
329	NSSCMSOriginatorIDOrKey_OriginatorPublicKey = `2`
330	} NSSCMSOriginatorIDOrKeySelector;
331
332	struct NSSCMSOriginatorIdentifierOrKeyStr {
333	NSSCMSOriginatorIDOrKeySelector identifierType;
334	union {
335	CERTIssuerAndSN issuerAndSN; /* static-static /
336	SECItem subjectKeyID; /* static-static /
337	NSSCMSOriginatorPublicKey originatorPublicKey; / ephemeral-static /
338	} id;
339	};
340	typedef struct NSSCMSOriginatorIdentifierOrKeyStr NSSCMSOriginatorIdentifierOrKey;
341
342	struct NSSCMSRecipientKeyIdentifierStr {
343	SECItem *subjectKeyIdentifier;
344	SECItem date; /* optional /
345	SECItem other; /* optional /
346	};
347	typedef struct NSSCMSRecipientKeyIdentifierStr NSSCMSRecipientKeyIdentifier;
348
349	typedef enum {
350	NSSCMSKeyAgreeRecipientID_IssuerSN = `0`,
351	NSSCMSKeyAgreeRecipientID_RKeyID = `1`
352	} NSSCMSKeyAgreeRecipientIDSelector;
353
354	struct NSSCMSKeyAgreeRecipientIdentifierStr {
355	NSSCMSKeyAgreeRecipientIDSelector identifierType;
356	union {
357	CERTIssuerAndSN *issuerAndSN;
358	NSSCMSRecipientKeyIdentifier recipientKeyIdentifier;
359	} id;
360	};
361	typedef struct NSSCMSKeyAgreeRecipientIdentifierStr NSSCMSKeyAgreeRecipientIdentifier;
362
363	struct NSSCMSRecipientEncryptedKeyStr {
364	NSSCMSKeyAgreeRecipientIdentifier recipientIdentifier;
365	SECItem encKey;
366	};
367	typedef struct NSSCMSRecipientEncryptedKeyStr NSSCMSRecipientEncryptedKey;
368
369	struct NSSCMSKeyAgreeRecipientInfoStr {
370	SECItem version;
371	NSSCMSOriginatorIdentifierOrKey originatorIdentifierOrKey;
372	SECItem ukm; /* optional /
373	SECAlgorithmID keyEncAlg;
374	NSSCMSRecipientEncryptedKey **recipientEncryptedKeys;
375	};
376	typedef struct NSSCMSKeyAgreeRecipientInfoStr NSSCMSKeyAgreeRecipientInfo;
377
378	#define NSS_CMS_KEYAGREE_RECIPIENT_INFO_VERSION 3 /* what we create */
379
380	/ -----------------------------------------------------------------------------*
381	* KEK recipient info
382	*/
383	struct NSSCMSKEKIdentifierStr {
384	SECItem keyIdentifier;
385	SECItem date; /* optional /
386	SECItem other; /* optional /
387	};
388	typedef struct NSSCMSKEKIdentifierStr NSSCMSKEKIdentifier;
389
390	struct NSSCMSKEKRecipientInfoStr {
391	SECItem version;
392	NSSCMSKEKIdentifier kekIdentifier;
393	SECAlgorithmID keyEncAlg;
394	SECItem encKey;
395	};
396	typedef struct NSSCMSKEKRecipientInfoStr NSSCMSKEKRecipientInfo;
397
398	#define NSS_CMS_KEK_RECIPIENT_INFO_VERSION 4 /* what we create */
399
400	/ -----------------------------------------------------------------------------*
401	* recipient info
402	*/
403
404	typedef enum {
405	NSSCMSRecipientInfoID_KeyTrans = `0`,
406	NSSCMSRecipientInfoID_KeyAgree = `1`,
407	NSSCMSRecipientInfoID_KEK = `2`
408	} NSSCMSRecipientInfoIDSelector;
409
410	/*
411	* In order to preserve backwards binary compatibility when implementing
412	* creation of Recipient Info's that uses subjectKeyID in the
413	* keyTransRecipientInfo we need to stash a public key pointer in this
414	* structure somewhere. We figured out that NSSCMSKeyTransRecipientInfo
415	* is the smallest member of the ri union. We're in luck since that's
416	* the very structure that would need to use the public key. So we created
417	* a new structure NSSCMSKeyTransRecipientInfoEx which has a member
418	* NSSCMSKeyTransRecipientInfo as the first member followed by a version
419	* and a public key pointer. This way we can keep backwards compatibility
420	* without changing the size of this structure.
421	*
422	* BTW, size of structure:
423	* NSSCMSKeyTransRecipientInfo: 9 ints, 4 pointers
424	* NSSCMSKeyAgreeRecipientInfo: 12 ints, 8 pointers
425	* NSSCMSKEKRecipientInfo: 10 ints, 7 pointers
426	*
427	* The new structure:
428	* NSSCMSKeyTransRecipientInfoEx: sizeof(NSSCMSKeyTransRecipientInfo) +
429	* 1 int, 1 pointer
430	*/
431
432	struct NSSCMSRecipientInfoStr {
433	NSSCMSRecipientInfoIDSelector recipientInfoType;
434	union {
435	NSSCMSKeyTransRecipientInfo keyTransRecipientInfo;
436	NSSCMSKeyAgreeRecipientInfo keyAgreeRecipientInfo;
437	NSSCMSKEKRecipientInfo kekRecipientInfo;
438	NSSCMSKeyTransRecipientInfoEx keyTransRecipientInfoEx;
439	} ri;
440	/ --------- local; not part of encoding --------- /
441	NSSCMSMessage cmsg; /* back pointer to message /
442	CERTCertificate cert; /* recipient's certificate /
443	};
444
445	/ =============================================================================*
446	* DIGESTED DATA
447	*/
448	struct NSSCMSDigestedDataStr {
449	SECItem version;
450	SECAlgorithmID digestAlg;
451	NSSCMSContentInfo contentInfo;
452	SECItem digest;
453	/ --------- local; not part of encoding --------- /
454	NSSCMSMessage cmsg; /* back pointer /
455	SECItem cdigest; / calculated digest /
456	};
457	#define NSS_CMS_DIGESTED_DATA_VERSION_DATA 0 /* what we create */
458	#define NSS_CMS_DIGESTED_DATA_VERSION_ENCAP 2 /* what we create */
459
460	/ =============================================================================*
461	* ENCRYPTED DATA
462	*/
463	struct NSSCMSEncryptedDataStr {
464	SECItem version;
465	NSSCMSContentInfo contentInfo;
466	NSSCMSAttribute *unprotectedAttr; /* optional /
467	/ --------- local; not part of encoding --------- /
468	NSSCMSMessage cmsg; /* back pointer /
469	};
470	#define NSS_CMS_ENCRYPTED_DATA_VERSION 0 /* what we create */
471	#define NSS_CMS_ENCRYPTED_DATA_VERSION_UPATTR 2 /* what we create */
472
473	/*
474	* *****************************************************************************
475	* *****************************************************************************
476	* *****************************************************************************
477	*/
478
479	/*
480	* See comment above about this type not really belonging to CMS.
481	*/
482	struct NSSCMSAttributeStr {
483	/ The following fields make up an encoded Attribute: /
484	SECItem type;
485	SECItem *values; /* data may or may not be encoded /
486	/ The following fields are not part of an encoded Attribute: /
487	SECOidData *typeTag;
488	PRBool encoded; / when true, values are encoded /
489	};
490
491	#endif /* _CMST_H_ */
492

source code of include/nss/cmst.h