1 /* ***** BEGIN LICENSE BLOCK *****
2 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
4 * The contents of this file are subject to the Mozilla Public License Version
5 * 1.1 (the "License"); you may not use this file except in compliance with
6 * the License. You may obtain a copy of the License at
7 * http://www.mozilla.org/MPL/
9 * Software distributed under the License is distributed on an "AS IS" basis,
10 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
11 * for the specific language governing rights and limitations under the
14 * The Original Code is the Netscape security libraries.
16 * The Initial Developer of the Original Code is
17 * Netscape Communications Corporation.
18 * Portions created by the Initial Developer are Copyright (C) 1994-2000
19 * the Initial Developer. All Rights Reserved.
23 * Alternatively, the contents of this file may be used under the terms of
24 * either the GNU General Public License Version 2 or later (the "GPL"), or
25 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
26 * in which case the provisions of the GPL or the LGPL are applicable instead
27 * of those above. If you wish to allow use of your version of this file only
28 * under the terms of either the GPL or the LGPL, and not to allow others to
29 * use your version of this file under the terms of the MPL, indicate your
30 * decision by deleting the provisions above and replace them with the notice
31 * and other provisions required by the GPL or the LGPL. If you do not delete
32 * the provisions above, a recipient may use your version of this file under
33 * the terms of any one of the MPL, the GPL or the LGPL.
35 * ***** END LICENSE BLOCK ***** */
38 #include "common/config.h"
39 #include "common/debug.h"
48 #define dout_subsys ceph_subsys_crypto
51 int ceph_decode_cms(CephContext *cct, bufferlist& cms_bl, bufferlist& decoded_bl)
58 static int cms_verbose = 0;
61 DigestFile(PLArenaPool *poolp, SECItem ***digests, SECItem *input,
62 SECAlgorithmID **algids)
64 NSSCMSDigestContext *digcx;
67 digcx = NSS_CMSDigestContext_StartMultiple(algids);
71 NSS_CMSDigestContext_Update(digcx, input->data, input->len);
73 rv = NSS_CMSDigestContext_FinishMultiple(digcx, poolp, digests);
79 SECCertUsage certUsage;
80 CERTCertDBHandle *certHandle;
83 struct decodeOptionsStr {
84 struct optionsStr *options;
87 PRBool suppressContent;
88 NSSCMSGetDecryptKeyCallback dkcb;
93 static NSSCMSMessage *
94 decode(CephContext *cct, SECItem *input, const struct decodeOptionsStr *decodeOptions, bufferlist& out)
96 NSSCMSDecoderContext *dcx;
104 memset(&sitem, 0, sizeof(sitem));
107 dcx = NSS_CMSDecoder_Start(NULL,
108 NULL, NULL, /* content callback */
109 NULL, NULL, /* password callback */
110 decodeOptions->dkcb, /* decrypt key callback */
111 decodeOptions->bulkkey);
113 ldout(cct, 0) << "ERROR: failed to set up message decoder" << dendl;
116 rv = NSS_CMSDecoder_Update(dcx, (char *)input->data, input->len);
117 if (rv != SECSuccess) {
118 ldout(cct, 0) << "ERROR: failed to decode message" << dendl;
119 NSS_CMSDecoder_Cancel(dcx);
122 cmsg = NSS_CMSDecoder_Finish(dcx);
124 ldout(cct, 0) << "ERROR: failed to decode message" << dendl;
128 if (decodeOptions->headerLevel >= 0) {
129 ldout(cct, 20) << "SMIME: " << dendl;
132 nlevels = NSS_CMSMessage_ContentLevelCount(cmsg);
133 for (i = 0; i < nlevels; i++) {
134 NSSCMSContentInfo *cinfo;
137 cinfo = NSS_CMSMessage_ContentLevel(cmsg, i);
138 typetag = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
140 ldout(cct, 20) << "level=" << decodeOptions->headerLevel << "." << nlevels - i << dendl;
143 case SEC_OID_PKCS7_SIGNED_DATA:
145 NSSCMSSignedData *sigd = NULL;
150 if (decodeOptions->headerLevel >= 0)
151 ldout(cct, 20) << "type=signedData; " << dendl;
152 sigd = (NSSCMSSignedData *)NSS_CMSContentInfo_GetContent(cinfo);
154 ldout(cct, 0) << "ERROR: signedData component missing" << dendl;
158 /* if we have a content file, but no digests for this signedData */
159 if (decodeOptions->content.data != NULL &&
160 !NSS_CMSSignedData_HasDigests(sigd)) {
162 SECAlgorithmID **digestalgs;
164 /* detached content: grab content file */
165 sitem = decodeOptions->content;
167 if ((poolp = PORT_NewArena(1024)) == NULL) {
168 ldout(cct, 0) << "ERROR: Out of memory" << dendl;
171 digestalgs = NSS_CMSSignedData_GetDigestAlgs(sigd);
172 if (DigestFile (poolp, &digests, &sitem, digestalgs)
174 ldout(cct, 0) << "ERROR: problem computing message digest" << dendl;
175 PORT_FreeArena(poolp, PR_FALSE);
178 if (NSS_CMSSignedData_SetDigests(sigd, digestalgs, digests)
180 ldout(cct, 0) << "ERROR: problem setting message digests" << dendl;
181 PORT_FreeArena(poolp, PR_FALSE);
184 PORT_FreeArena(poolp, PR_FALSE);
187 /* import the certificates */
188 if (NSS_CMSSignedData_ImportCerts(sigd,
189 decodeOptions->options->certHandle,
190 decodeOptions->options->certUsage,
191 decodeOptions->keepCerts)
193 ldout(cct, 0) << "ERROR: cert import failed" << dendl;
197 /* find out about signers */
198 nsigners = NSS_CMSSignedData_SignerInfoCount(sigd);
199 if (decodeOptions->headerLevel >= 0)
200 ldout(cct, 20) << "nsigners=" << nsigners << dendl;
202 /* Might be a cert transport message
203 ** or might be an invalid message, such as a QA test message
204 ** or a message from an attacker.
207 rv = NSS_CMSSignedData_VerifyCertsOnly(sigd,
208 decodeOptions->options->certHandle,
209 decodeOptions->options->certUsage);
210 if (rv != SECSuccess) {
211 ldout(cct, 0) << "ERROR: Verify certs-only failed!" << dendl;
217 /* still no digests? */
218 if (!NSS_CMSSignedData_HasDigests(sigd)) {
219 ldout(cct, 0) << "ERROR: no message digests" << dendl;
223 for (j = 0; j < nsigners; j++) {
225 NSSCMSSignerInfo *si;
226 NSSCMSVerificationStatus vs;
229 si = NSS_CMSSignedData_GetSignerInfo(sigd, j);
230 if (decodeOptions->headerLevel >= 0) {
232 static char empty[] = { "" };
234 signercn = NSS_CMSSignerInfo_GetSignerCommonName(si);
235 if (signercn == NULL)
237 ldout(cct, 20) << "\t\tsigner" << j << ".id=" << signercn << dendl;
238 if (signercn != empty)
241 bad = NSS_CMSSignedData_VerifySignerInfo(sigd, j,
242 decodeOptions->options->certHandle,
243 decodeOptions->options->certUsage);
244 vs = NSS_CMSSignerInfo_GetVerificationStatus(si);
245 svs = NSS_CMSUtil_VerificationStatusToString(vs);
246 if (decodeOptions->headerLevel >= 0) {
247 ldout(cct, 20) << "signer" << j << "status=" << svs << dendl;
250 ldout(cct, 0) << "ERROR: signer " << j << " status = " << svs << dendl;
256 case SEC_OID_PKCS7_ENVELOPED_DATA:
258 NSSCMSEnvelopedData *envd;
259 if (decodeOptions->headerLevel >= 0)
260 ldout(cct, 20) << "type=envelopedData; " << dendl;
261 envd = (NSSCMSEnvelopedData *)NSS_CMSContentInfo_GetContent(cinfo);
263 ldout(cct, 0) << "ERROR: envelopedData component missing" << dendl;
268 case SEC_OID_PKCS7_ENCRYPTED_DATA:
270 NSSCMSEncryptedData *encd;
271 if (decodeOptions->headerLevel >= 0)
272 ldout(cct, 20) << "type=encryptedData; " << dendl;
273 encd = (NSSCMSEncryptedData *)NSS_CMSContentInfo_GetContent(cinfo);
275 ldout(cct, 0) << "ERROR: encryptedData component missing" << dendl;
280 case SEC_OID_PKCS7_DATA:
281 if (decodeOptions->headerLevel >= 0)
282 ldout(cct, 20) << "type=data; " << dendl;
289 item = (sitem.data ? &sitem : NSS_CMSMessage_GetContent(cmsg));
290 out.append((char *)item->data, item->len);
295 NSS_CMSMessage_Destroy(cmsg);
299 int ceph_decode_cms(CephContext *cct, bufferlist& cms_bl, bufferlist& decoded_bl)
301 NSSCMSMessage *cmsg = NULL;
302 struct decodeOptionsStr decodeOptions = { };
303 struct optionsStr options;
306 memset(&options, 0, sizeof(options));
307 memset(&input, 0, sizeof(input));
309 input.data = (unsigned char *)cms_bl.c_str();
310 input.len = cms_bl.length();
312 decodeOptions.content.data = NULL;
313 decodeOptions.content.len = 0;
314 decodeOptions.suppressContent = PR_FALSE;
315 decodeOptions.headerLevel = -1;
316 decodeOptions.keepCerts = PR_FALSE;
317 options.certUsage = certUsageEmailSigner;
319 options.certHandle = CERT_GetDefaultCertDB();
320 if (!options.certHandle) {
321 ldout(cct, 0) << "ERROR: No default cert DB" << dendl;
325 fprintf(stderr, "Got default certdb\n");
328 decodeOptions.options = &options;
332 cmsg = decode(cct, &input, &decodeOptions, decoded_bl);
334 ldout(cct, 0) << "ERROR: problem decoding" << dendl;
339 NSS_CMSMessage_Destroy(cmsg);
341 SECITEM_FreeItem(&decodeOptions.content, PR_FALSE);