X-Git-Url: https://gerrit.opnfv.org/gerrit/gitweb?a=blobdiff_plain;f=src%2Fceph%2Fsrc%2Fcommon%2Fceph_crypto_cms.cc;fp=src%2Fceph%2Fsrc%2Fcommon%2Fceph_crypto_cms.cc;h=109f702bf7399c9eaf1d74480172265f88cbbbeb;hb=812ff6ca9fcd3e629e49d4328905f33eee8ca3f5;hp=0000000000000000000000000000000000000000;hpb=15280273faafb77777eab341909a3f495cf248d9;p=stor4nfv.git diff --git a/src/ceph/src/common/ceph_crypto_cms.cc b/src/ceph/src/common/ceph_crypto_cms.cc new file mode 100644 index 0000000..109f702 --- /dev/null +++ b/src/ceph/src/common/ceph_crypto_cms.cc @@ -0,0 +1,345 @@ +/* ***** BEGIN LICENSE BLOCK ***** + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is + * Netscape Communications Corporation. + * Portions created by the Initial Developer are Copyright (C) 1994-2000 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * ***** END LICENSE BLOCK ***** */ + + +#include "common/config.h" +#include "common/debug.h" + +#ifdef USE_NSS +#include +#include +#include +#include +#endif + +#define dout_subsys ceph_subsys_crypto + +#ifndef USE_NSS +int ceph_decode_cms(CephContext *cct, bufferlist& cms_bl, bufferlist& decoded_bl) +{ + return -ENOTSUP; +} + +#else + +static int cms_verbose = 0; + +static SECStatus +DigestFile(PLArenaPool *poolp, SECItem ***digests, SECItem *input, + SECAlgorithmID **algids) +{ + NSSCMSDigestContext *digcx; + SECStatus rv; + + digcx = NSS_CMSDigestContext_StartMultiple(algids); + if (digcx == NULL) + return SECFailure; + + NSS_CMSDigestContext_Update(digcx, input->data, input->len); + + rv = NSS_CMSDigestContext_FinishMultiple(digcx, poolp, digests); + return rv; +} + + +struct optionsStr { + SECCertUsage certUsage; + CERTCertDBHandle *certHandle; +}; + +struct decodeOptionsStr { + struct optionsStr *options; + SECItem content; + int headerLevel; + PRBool suppressContent; + NSSCMSGetDecryptKeyCallback dkcb; + PK11SymKey *bulkkey; + PRBool keepCerts; +}; + +static NSSCMSMessage * +decode(CephContext *cct, SECItem *input, const struct decodeOptionsStr *decodeOptions, bufferlist& out) +{ + NSSCMSDecoderContext *dcx; + SECStatus rv; + NSSCMSMessage *cmsg; + int nlevels, i; + SECItem sitem; + bufferptr bp; + SECItem *item; + + memset(&sitem, 0, sizeof(sitem)); + + PORT_SetError(0); + dcx = NSS_CMSDecoder_Start(NULL, + NULL, NULL, /* content callback */ + NULL, NULL, /* password callback */ + decodeOptions->dkcb, /* decrypt key callback */ + decodeOptions->bulkkey); + if (dcx == NULL) { + ldout(cct, 0) << "ERROR: failed to set up message decoder" << dendl; + return NULL; + } + rv = NSS_CMSDecoder_Update(dcx, (char *)input->data, input->len); + if (rv != SECSuccess) { + ldout(cct, 0) << "ERROR: failed to decode message" << dendl; + NSS_CMSDecoder_Cancel(dcx); + return NULL; + } + cmsg = NSS_CMSDecoder_Finish(dcx); + if (cmsg == NULL) { + ldout(cct, 0) << "ERROR: failed to decode message" << dendl; + return NULL; + } + + if (decodeOptions->headerLevel >= 0) { + ldout(cct, 20) << "SMIME: " << dendl; + } + + nlevels = NSS_CMSMessage_ContentLevelCount(cmsg); + for (i = 0; i < nlevels; i++) { + NSSCMSContentInfo *cinfo; + SECOidTag typetag; + + cinfo = NSS_CMSMessage_ContentLevel(cmsg, i); + typetag = NSS_CMSContentInfo_GetContentTypeTag(cinfo); + + ldout(cct, 20) << "level=" << decodeOptions->headerLevel << "." << nlevels - i << dendl; + + switch (typetag) { + case SEC_OID_PKCS7_SIGNED_DATA: + { + NSSCMSSignedData *sigd = NULL; + SECItem **digests; + int nsigners; + int j; + + if (decodeOptions->headerLevel >= 0) + ldout(cct, 20) << "type=signedData; " << dendl; + sigd = (NSSCMSSignedData *)NSS_CMSContentInfo_GetContent(cinfo); + if (sigd == NULL) { + ldout(cct, 0) << "ERROR: signedData component missing" << dendl; + goto loser; + } + + /* if we have a content file, but no digests for this signedData */ + if (decodeOptions->content.data != NULL && + !NSS_CMSSignedData_HasDigests(sigd)) { + PLArenaPool *poolp; + SECAlgorithmID **digestalgs; + + /* detached content: grab content file */ + sitem = decodeOptions->content; + + if ((poolp = PORT_NewArena(1024)) == NULL) { + ldout(cct, 0) << "ERROR: Out of memory" << dendl; + goto loser; + } + digestalgs = NSS_CMSSignedData_GetDigestAlgs(sigd); + if (DigestFile (poolp, &digests, &sitem, digestalgs) + != SECSuccess) { + ldout(cct, 0) << "ERROR: problem computing message digest" << dendl; + PORT_FreeArena(poolp, PR_FALSE); + goto loser; + } + if (NSS_CMSSignedData_SetDigests(sigd, digestalgs, digests) + != SECSuccess) { + ldout(cct, 0) << "ERROR: problem setting message digests" << dendl; + PORT_FreeArena(poolp, PR_FALSE); + goto loser; + } + PORT_FreeArena(poolp, PR_FALSE); + } + + /* import the certificates */ + if (NSS_CMSSignedData_ImportCerts(sigd, + decodeOptions->options->certHandle, + decodeOptions->options->certUsage, + decodeOptions->keepCerts) + != SECSuccess) { + ldout(cct, 0) << "ERROR: cert import failed" << dendl; + goto loser; + } + + /* find out about signers */ + nsigners = NSS_CMSSignedData_SignerInfoCount(sigd); + if (decodeOptions->headerLevel >= 0) + ldout(cct, 20) << "nsigners=" << nsigners << dendl; + if (nsigners == 0) { + /* Might be a cert transport message + ** or might be an invalid message, such as a QA test message + ** or a message from an attacker. + */ + SECStatus rv; + rv = NSS_CMSSignedData_VerifyCertsOnly(sigd, + decodeOptions->options->certHandle, + decodeOptions->options->certUsage); + if (rv != SECSuccess) { + ldout(cct, 0) << "ERROR: Verify certs-only failed!" << dendl; + goto loser; + } + return cmsg; + } + + /* still no digests? */ + if (!NSS_CMSSignedData_HasDigests(sigd)) { + ldout(cct, 0) << "ERROR: no message digests" << dendl; + goto loser; + } + + for (j = 0; j < nsigners; j++) { + const char * svs; + NSSCMSSignerInfo *si; + NSSCMSVerificationStatus vs; + SECStatus bad; + + si = NSS_CMSSignedData_GetSignerInfo(sigd, j); + if (decodeOptions->headerLevel >= 0) { + char *signercn; + static char empty[] = { "" }; + + signercn = NSS_CMSSignerInfo_GetSignerCommonName(si); + if (signercn == NULL) + signercn = empty; + ldout(cct, 20) << "\t\tsigner" << j << ".id=" << signercn << dendl; + if (signercn != empty) + PORT_Free(signercn); + } + bad = NSS_CMSSignedData_VerifySignerInfo(sigd, j, + decodeOptions->options->certHandle, + decodeOptions->options->certUsage); + vs = NSS_CMSSignerInfo_GetVerificationStatus(si); + svs = NSS_CMSUtil_VerificationStatusToString(vs); + if (decodeOptions->headerLevel >= 0) { + ldout(cct, 20) << "signer" << j << "status=" << svs << dendl; + /* goto loser ? */ + } else if (bad) { + ldout(cct, 0) << "ERROR: signer " << j << " status = " << svs << dendl; + goto loser; + } + } + } + break; + case SEC_OID_PKCS7_ENVELOPED_DATA: + { + NSSCMSEnvelopedData *envd; + if (decodeOptions->headerLevel >= 0) + ldout(cct, 20) << "type=envelopedData; " << dendl; + envd = (NSSCMSEnvelopedData *)NSS_CMSContentInfo_GetContent(cinfo); + if (envd == NULL) { + ldout(cct, 0) << "ERROR: envelopedData component missing" << dendl; + goto loser; + } + } + break; + case SEC_OID_PKCS7_ENCRYPTED_DATA: + { + NSSCMSEncryptedData *encd; + if (decodeOptions->headerLevel >= 0) + ldout(cct, 20) << "type=encryptedData; " << dendl; + encd = (NSSCMSEncryptedData *)NSS_CMSContentInfo_GetContent(cinfo); + if (encd == NULL) { + ldout(cct, 0) << "ERROR: encryptedData component missing" << dendl; + goto loser; + } + } + break; + case SEC_OID_PKCS7_DATA: + if (decodeOptions->headerLevel >= 0) + ldout(cct, 20) << "type=data; " << dendl; + break; + default: + break; + } + } + + item = (sitem.data ? &sitem : NSS_CMSMessage_GetContent(cmsg)); + out.append((char *)item->data, item->len); + return cmsg; + +loser: + if (cmsg) + NSS_CMSMessage_Destroy(cmsg); + return NULL; +} + +int ceph_decode_cms(CephContext *cct, bufferlist& cms_bl, bufferlist& decoded_bl) +{ + NSSCMSMessage *cmsg = NULL; + struct decodeOptionsStr decodeOptions = { }; + struct optionsStr options; + SECItem input; + + memset(&options, 0, sizeof(options)); + memset(&input, 0, sizeof(input)); + + input.data = (unsigned char *)cms_bl.c_str(); + input.len = cms_bl.length(); + + decodeOptions.content.data = NULL; + decodeOptions.content.len = 0; + decodeOptions.suppressContent = PR_FALSE; + decodeOptions.headerLevel = -1; + decodeOptions.keepCerts = PR_FALSE; + options.certUsage = certUsageEmailSigner; + + options.certHandle = CERT_GetDefaultCertDB(); + if (!options.certHandle) { + ldout(cct, 0) << "ERROR: No default cert DB" << dendl; + return -EIO; + } + if (cms_verbose) { + fprintf(stderr, "Got default certdb\n"); + } + + decodeOptions.options = &options; + + int ret = 0; + + cmsg = decode(cct, &input, &decodeOptions, decoded_bl); + if (!cmsg) { + ldout(cct, 0) << "ERROR: problem decoding" << dendl; + ret = -EINVAL; + } + + if (cmsg) + NSS_CMSMessage_Destroy(cmsg); + + SECITEM_FreeItem(&decodeOptions.content, PR_FALSE); + + return ret; +} +#endif