--- /dev/null
+/* ***** BEGIN LICENSE BLOCK *****
+ * Version: MPL 1.1/GPL 2.0/LGPL 2.1
+ *
+ * The contents of this file are subject to the Mozilla Public License Version
+ * 1.1 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * http://www.mozilla.org/MPL/
+ *
+ * Software distributed under the License is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+ * for the specific language governing rights and limitations under the
+ * License.
+ *
+ * The Original Code is the Netscape security libraries.
+ *
+ * The Initial Developer of the Original Code is
+ * Netscape Communications Corporation.
+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
+ * the Initial Developer. All Rights Reserved.
+ *
+ * Contributor(s):
+ *
+ * Alternatively, the contents of this file may be used under the terms of
+ * either the GNU General Public License Version 2 or later (the "GPL"), or
+ * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+ * in which case the provisions of the GPL or the LGPL are applicable instead
+ * of those above. If you wish to allow use of your version of this file only
+ * under the terms of either the GPL or the LGPL, and not to allow others to
+ * use your version of this file under the terms of the MPL, indicate your
+ * decision by deleting the provisions above and replace them with the notice
+ * and other provisions required by the GPL or the LGPL. If you do not delete
+ * the provisions above, a recipient may use your version of this file under
+ * the terms of any one of the MPL, the GPL or the LGPL.
+ *
+ * ***** END LICENSE BLOCK ***** */
+
+
+#include "common/config.h"
+#include "common/debug.h"
+
+#ifdef USE_NSS
+#include <nspr.h>
+#include <cert.h>
+#include <nss.h>
+#include <smime.h>
+#endif
+
+#define dout_subsys ceph_subsys_crypto
+
+#ifndef USE_NSS
+int ceph_decode_cms(CephContext *cct, bufferlist& cms_bl, bufferlist& decoded_bl)
+{
+ return -ENOTSUP;
+}
+
+#else
+
+static int cms_verbose = 0;
+
+static SECStatus
+DigestFile(PLArenaPool *poolp, SECItem ***digests, SECItem *input,
+ SECAlgorithmID **algids)
+{
+ NSSCMSDigestContext *digcx;
+ SECStatus rv;
+
+ digcx = NSS_CMSDigestContext_StartMultiple(algids);
+ if (digcx == NULL)
+ return SECFailure;
+
+ NSS_CMSDigestContext_Update(digcx, input->data, input->len);
+
+ rv = NSS_CMSDigestContext_FinishMultiple(digcx, poolp, digests);
+ return rv;
+}
+
+
+struct optionsStr {
+ SECCertUsage certUsage;
+ CERTCertDBHandle *certHandle;
+};
+
+struct decodeOptionsStr {
+ struct optionsStr *options;
+ SECItem content;
+ int headerLevel;
+ PRBool suppressContent;
+ NSSCMSGetDecryptKeyCallback dkcb;
+ PK11SymKey *bulkkey;
+ PRBool keepCerts;
+};
+
+static NSSCMSMessage *
+decode(CephContext *cct, SECItem *input, const struct decodeOptionsStr *decodeOptions, bufferlist& out)
+{
+ NSSCMSDecoderContext *dcx;
+ SECStatus rv;
+ NSSCMSMessage *cmsg;
+ int nlevels, i;
+ SECItem sitem;
+ bufferptr bp;
+ SECItem *item;
+
+ memset(&sitem, 0, sizeof(sitem));
+
+ PORT_SetError(0);
+ dcx = NSS_CMSDecoder_Start(NULL,
+ NULL, NULL, /* content callback */
+ NULL, NULL, /* password callback */
+ decodeOptions->dkcb, /* decrypt key callback */
+ decodeOptions->bulkkey);
+ if (dcx == NULL) {
+ ldout(cct, 0) << "ERROR: failed to set up message decoder" << dendl;
+ return NULL;
+ }
+ rv = NSS_CMSDecoder_Update(dcx, (char *)input->data, input->len);
+ if (rv != SECSuccess) {
+ ldout(cct, 0) << "ERROR: failed to decode message" << dendl;
+ NSS_CMSDecoder_Cancel(dcx);
+ return NULL;
+ }
+ cmsg = NSS_CMSDecoder_Finish(dcx);
+ if (cmsg == NULL) {
+ ldout(cct, 0) << "ERROR: failed to decode message" << dendl;
+ return NULL;
+ }
+
+ if (decodeOptions->headerLevel >= 0) {
+ ldout(cct, 20) << "SMIME: " << dendl;
+ }
+
+ nlevels = NSS_CMSMessage_ContentLevelCount(cmsg);
+ for (i = 0; i < nlevels; i++) {
+ NSSCMSContentInfo *cinfo;
+ SECOidTag typetag;
+
+ cinfo = NSS_CMSMessage_ContentLevel(cmsg, i);
+ typetag = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
+
+ ldout(cct, 20) << "level=" << decodeOptions->headerLevel << "." << nlevels - i << dendl;
+
+ switch (typetag) {
+ case SEC_OID_PKCS7_SIGNED_DATA:
+ {
+ NSSCMSSignedData *sigd = NULL;
+ SECItem **digests;
+ int nsigners;
+ int j;
+
+ if (decodeOptions->headerLevel >= 0)
+ ldout(cct, 20) << "type=signedData; " << dendl;
+ sigd = (NSSCMSSignedData *)NSS_CMSContentInfo_GetContent(cinfo);
+ if (sigd == NULL) {
+ ldout(cct, 0) << "ERROR: signedData component missing" << dendl;
+ goto loser;
+ }
+
+ /* if we have a content file, but no digests for this signedData */
+ if (decodeOptions->content.data != NULL &&
+ !NSS_CMSSignedData_HasDigests(sigd)) {
+ PLArenaPool *poolp;
+ SECAlgorithmID **digestalgs;
+
+ /* detached content: grab content file */
+ sitem = decodeOptions->content;
+
+ if ((poolp = PORT_NewArena(1024)) == NULL) {
+ ldout(cct, 0) << "ERROR: Out of memory" << dendl;
+ goto loser;
+ }
+ digestalgs = NSS_CMSSignedData_GetDigestAlgs(sigd);
+ if (DigestFile (poolp, &digests, &sitem, digestalgs)
+ != SECSuccess) {
+ ldout(cct, 0) << "ERROR: problem computing message digest" << dendl;
+ PORT_FreeArena(poolp, PR_FALSE);
+ goto loser;
+ }
+ if (NSS_CMSSignedData_SetDigests(sigd, digestalgs, digests)
+ != SECSuccess) {
+ ldout(cct, 0) << "ERROR: problem setting message digests" << dendl;
+ PORT_FreeArena(poolp, PR_FALSE);
+ goto loser;
+ }
+ PORT_FreeArena(poolp, PR_FALSE);
+ }
+
+ /* import the certificates */
+ if (NSS_CMSSignedData_ImportCerts(sigd,
+ decodeOptions->options->certHandle,
+ decodeOptions->options->certUsage,
+ decodeOptions->keepCerts)
+ != SECSuccess) {
+ ldout(cct, 0) << "ERROR: cert import failed" << dendl;
+ goto loser;
+ }
+
+ /* find out about signers */
+ nsigners = NSS_CMSSignedData_SignerInfoCount(sigd);
+ if (decodeOptions->headerLevel >= 0)
+ ldout(cct, 20) << "nsigners=" << nsigners << dendl;
+ if (nsigners == 0) {
+ /* Might be a cert transport message
+ ** or might be an invalid message, such as a QA test message
+ ** or a message from an attacker.
+ */
+ SECStatus rv;
+ rv = NSS_CMSSignedData_VerifyCertsOnly(sigd,
+ decodeOptions->options->certHandle,
+ decodeOptions->options->certUsage);
+ if (rv != SECSuccess) {
+ ldout(cct, 0) << "ERROR: Verify certs-only failed!" << dendl;
+ goto loser;
+ }
+ return cmsg;
+ }
+
+ /* still no digests? */
+ if (!NSS_CMSSignedData_HasDigests(sigd)) {
+ ldout(cct, 0) << "ERROR: no message digests" << dendl;
+ goto loser;
+ }
+
+ for (j = 0; j < nsigners; j++) {
+ const char * svs;
+ NSSCMSSignerInfo *si;
+ NSSCMSVerificationStatus vs;
+ SECStatus bad;
+
+ si = NSS_CMSSignedData_GetSignerInfo(sigd, j);
+ if (decodeOptions->headerLevel >= 0) {
+ char *signercn;
+ static char empty[] = { "" };
+
+ signercn = NSS_CMSSignerInfo_GetSignerCommonName(si);
+ if (signercn == NULL)
+ signercn = empty;
+ ldout(cct, 20) << "\t\tsigner" << j << ".id=" << signercn << dendl;
+ if (signercn != empty)
+ PORT_Free(signercn);
+ }
+ bad = NSS_CMSSignedData_VerifySignerInfo(sigd, j,
+ decodeOptions->options->certHandle,
+ decodeOptions->options->certUsage);
+ vs = NSS_CMSSignerInfo_GetVerificationStatus(si);
+ svs = NSS_CMSUtil_VerificationStatusToString(vs);
+ if (decodeOptions->headerLevel >= 0) {
+ ldout(cct, 20) << "signer" << j << "status=" << svs << dendl;
+ /* goto loser ? */
+ } else if (bad) {
+ ldout(cct, 0) << "ERROR: signer " << j << " status = " << svs << dendl;
+ goto loser;
+ }
+ }
+ }
+ break;
+ case SEC_OID_PKCS7_ENVELOPED_DATA:
+ {
+ NSSCMSEnvelopedData *envd;
+ if (decodeOptions->headerLevel >= 0)
+ ldout(cct, 20) << "type=envelopedData; " << dendl;
+ envd = (NSSCMSEnvelopedData *)NSS_CMSContentInfo_GetContent(cinfo);
+ if (envd == NULL) {
+ ldout(cct, 0) << "ERROR: envelopedData component missing" << dendl;
+ goto loser;
+ }
+ }
+ break;
+ case SEC_OID_PKCS7_ENCRYPTED_DATA:
+ {
+ NSSCMSEncryptedData *encd;
+ if (decodeOptions->headerLevel >= 0)
+ ldout(cct, 20) << "type=encryptedData; " << dendl;
+ encd = (NSSCMSEncryptedData *)NSS_CMSContentInfo_GetContent(cinfo);
+ if (encd == NULL) {
+ ldout(cct, 0) << "ERROR: encryptedData component missing" << dendl;
+ goto loser;
+ }
+ }
+ break;
+ case SEC_OID_PKCS7_DATA:
+ if (decodeOptions->headerLevel >= 0)
+ ldout(cct, 20) << "type=data; " << dendl;
+ break;
+ default:
+ break;
+ }
+ }
+
+ item = (sitem.data ? &sitem : NSS_CMSMessage_GetContent(cmsg));
+ out.append((char *)item->data, item->len);
+ return cmsg;
+
+loser:
+ if (cmsg)
+ NSS_CMSMessage_Destroy(cmsg);
+ return NULL;
+}
+
+int ceph_decode_cms(CephContext *cct, bufferlist& cms_bl, bufferlist& decoded_bl)
+{
+ NSSCMSMessage *cmsg = NULL;
+ struct decodeOptionsStr decodeOptions = { };
+ struct optionsStr options;
+ SECItem input;
+
+ memset(&options, 0, sizeof(options));
+ memset(&input, 0, sizeof(input));
+
+ input.data = (unsigned char *)cms_bl.c_str();
+ input.len = cms_bl.length();
+
+ decodeOptions.content.data = NULL;
+ decodeOptions.content.len = 0;
+ decodeOptions.suppressContent = PR_FALSE;
+ decodeOptions.headerLevel = -1;
+ decodeOptions.keepCerts = PR_FALSE;
+ options.certUsage = certUsageEmailSigner;
+
+ options.certHandle = CERT_GetDefaultCertDB();
+ if (!options.certHandle) {
+ ldout(cct, 0) << "ERROR: No default cert DB" << dendl;
+ return -EIO;
+ }
+ if (cms_verbose) {
+ fprintf(stderr, "Got default certdb\n");
+ }
+
+ decodeOptions.options = &options;
+
+ int ret = 0;
+
+ cmsg = decode(cct, &input, &decodeOptions, decoded_bl);
+ if (!cmsg) {
+ ldout(cct, 0) << "ERROR: problem decoding" << dendl;
+ ret = -EINVAL;
+ }
+
+ if (cmsg)
+ NSS_CMSMessage_Destroy(cmsg);
+
+ SECITEM_FreeItem(&decodeOptions.content, PR_FALSE);
+
+ return ret;
+}
+#endif
Code Review / stor4nfv.git / blobdiff