/* This Source Code Form is subject to the terms of the Mozilla Public

 * License, v. 2.0. If a copy of the MPL was not distributed with this

 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

/*

 * Support routines for PKCS7 implementation, none of which are exported.

 * This file should only contain things that are needed by both the

 * encoding/creation side *and* the decoding/decryption side.  Anything

 * else should be static routines in the appropriate file.

 */

#include "p7local.h"

#include "cryptohi.h"

#include "secasn1.h"

#include "secoid.h"

#include "secitem.h"

#include "pk11func.h"

#include "secpkcs5.h"

#include "secerr.h"

#include <limits.h>

/*

 * -------------------------------------------------------------------

 * Cipher stuff.

 */

typedef SECStatus (*sec_pkcs7_cipher_function)(void *,

                                               unsigned char *,

                                               unsigned *,

                                               unsigned int,

                                               const unsigned char *,

                                               unsigned int);

typedef SECStatus (*sec_pkcs7_cipher_destroy)(void *, PRBool);

static SECStatus

SECPKCS7Cipher_PK11_CipherOp(void *vctx, unsigned char *output,

                             unsigned int *outputLen, unsigned int maxOutputLen,

                             const unsigned char *input, unsigned int inputLen)

{

    PK11Context *ctx = vctx;

    PORT_Assert(maxOutputLen <= INT_MAX);

    int signedOutputLen = maxOutputLen;

    SECStatus rv = PK11_CipherOp(ctx, output, &signedOutputLen, maxOutputLen, input, inputLen);

    PORT_Assert(signedOutputLen >= 0);

    *outputLen = signedOutputLen;

    return rv;

}

static SECStatus

SECPKCS7Cipher_PK11_DestroyContext(void *vctx, PRBool freeit)

{

    PK11Context *ctx = vctx;

    PK11_DestroyContext(ctx, freeit);

    return SECSuccess;

}

#define BLOCK_SIZE 4096

struct sec_pkcs7_cipher_object {

    void *cx;

    sec_pkcs7_cipher_function doit;

    sec_pkcs7_cipher_destroy destroy;

    PRBool encrypt;

    int block_size;

    int pad_size;

    int pending_count;

    unsigned char pending_buf[BLOCK_SIZE];

};

SEC_ASN1_MKSUB(CERT_IssuerAndSNTemplate)

SEC_ASN1_MKSUB(CERT_SetOfSignedCrlTemplate)

SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)

SEC_ASN1_MKSUB(SEC_OctetStringTemplate)

SEC_ASN1_MKSUB(SEC_SetOfAnyTemplate)

/*

 * Create a cipher object to do decryption,  based on the given bulk

 * encryption key and algorithm identifier (which may include an iv).

 *

 * XXX This interface, or one similar, would be really nice available

 * in general...  I tried to keep the pkcs7-specific stuff (mostly

 * having to do with padding) out of here.

 *

 * XXX Once both are working, it might be nice to combine this and the

 * function below (for starting up encryption) into one routine, and just

 * have two simple cover functions which call it.

 */

sec_PKCS7CipherObject *

sec_PKCS7CreateDecryptObject(PK11SymKey *key, SECAlgorithmID *algid)

{

    sec_PKCS7CipherObject *result;

    SECOidTag algtag;

    void *ciphercx;

    CK_MECHANISM_TYPE cryptoMechType;

    PK11SlotInfo *slot;

    SECItem *param = NULL;

    result = (struct sec_pkcs7_cipher_object *)

        PORT_ZAlloc(sizeof(struct sec_pkcs7_cipher_object));

    if (result == NULL)

        return NULL;

    ciphercx = NULL;

    algtag = SECOID_GetAlgorithmTag(algid);

    if (SEC_PKCS5IsAlgorithmPBEAlg(algid)) {

        SECItem *pwitem;

        pwitem = (SECItem *)PK11_GetSymKeyUserData(key);

        if (!pwitem) {

            PORT_Free(result);

            return NULL;

        }

        cryptoMechType = PK11_GetPBECryptoMechanism(algid, &param, pwitem);

        if (cryptoMechType == CKM_INVALID_MECHANISM) {

            PORT_Free(result);

            SECITEM_FreeItem(param, PR_TRUE);

            return NULL;

        }

    } else {

        cryptoMechType = PK11_AlgtagToMechanism(algtag);

        param = PK11_ParamFromAlgid(algid);

        if (param == NULL) {

            PORT_Free(result);

            return NULL;

        }

    }

    result->pad_size = PK11_GetBlockSize(cryptoMechType, param);

    slot = PK11_GetSlotFromKey(key);

    result->block_size = PK11_IsHW(slot) ? BLOCK_SIZE : result->pad_size;

    PK11_FreeSlot(slot);

    ciphercx = PK11_CreateContextBySymKey(cryptoMechType, CKA_DECRYPT,

                                          key, param);

    SECITEM_FreeItem(param, PR_TRUE);

    if (ciphercx == NULL) {

        PORT_Free(result);

        return NULL;

    }

    result->cx = ciphercx;

    result->doit = SECPKCS7Cipher_PK11_CipherOp;

    result->destroy = SECPKCS7Cipher_PK11_DestroyContext;

    result->encrypt = PR_FALSE;

    result->pending_count = 0;

    return result;

}

/*

 * Create a cipher object to do encryption, based on the given bulk

 * encryption key and algorithm tag.  Fill in the algorithm identifier

 * (which may include an iv) appropriately.

 *

 * XXX This interface, or one similar, would be really nice available

 * in general...  I tried to keep the pkcs7-specific stuff (mostly

 * having to do with padding) out of here.

 *

 * XXX Once both are working, it might be nice to combine this and the

 * function above (for starting up decryption) into one routine, and just

 * have two simple cover functions which call it.

 */

sec_PKCS7CipherObject *

sec_PKCS7CreateEncryptObject(PLArenaPool *poolp, PK11SymKey *key,

                             SECOidTag algtag, SECAlgorithmID *algid)

{

    sec_PKCS7CipherObject *result;

    void *ciphercx;

    SECStatus rv;

    CK_MECHANISM_TYPE cryptoMechType;

    PK11SlotInfo *slot;

    SECItem *param = NULL;

    PRBool needToEncodeAlgid = PR_FALSE;

    result = (struct sec_pkcs7_cipher_object *)

        PORT_ZAlloc(sizeof(struct sec_pkcs7_cipher_object));

    if (result == NULL)

        return NULL;

    ciphercx = NULL;

    if (SEC_PKCS5IsAlgorithmPBEAlg(algid)) {

        SECItem *pwitem;

        pwitem = (SECItem *)PK11_GetSymKeyUserData(key);

        if (!pwitem) {

            PORT_Free(result);

            return NULL;

        }

        cryptoMechType = PK11_GetPBECryptoMechanism(algid, &param, pwitem);

        if (cryptoMechType == CKM_INVALID_MECHANISM) {

            PORT_Free(result);

            SECITEM_FreeItem(param, PR_TRUE);

            return NULL;

        }

    } else {

        cryptoMechType = PK11_AlgtagToMechanism(algtag);

        param = PK11_GenerateNewParam(cryptoMechType, key);

        if (param == NULL) {

            PORT_Free(result);

            return NULL;

        }

        needToEncodeAlgid = PR_TRUE;

    }

    result->pad_size = PK11_GetBlockSize(cryptoMechType, param);

    slot = PK11_GetSlotFromKey(key);

    result->block_size = PK11_IsHW(slot) ? BLOCK_SIZE : result->pad_size;

    PK11_FreeSlot(slot);

    ciphercx = PK11_CreateContextBySymKey(cryptoMechType, CKA_ENCRYPT,

                                          key, param);

    if (ciphercx == NULL) {

        PORT_Free(result);

        SECITEM_FreeItem(param, PR_TRUE);

        return NULL;

    }

    /*

     * These are placed after the CreateContextBySymKey() because some

     * mechanisms have to generate their IVs from their card (i.e. FORTEZZA).

     * Don't move it from here.

     */

    if (needToEncodeAlgid) {

        rv = PK11_ParamToAlgid(algtag, param, poolp, algid);

        if (rv != SECSuccess) {

            PORT_Free(result);

            SECITEM_FreeItem(param, PR_TRUE);

            PK11_DestroyContext(ciphercx, PR_TRUE);

            return NULL;

        }

    }

    SECITEM_FreeItem(param, PR_TRUE);

    result->cx = ciphercx;

    result->doit = SECPKCS7Cipher_PK11_CipherOp;

    result->destroy = SECPKCS7Cipher_PK11_DestroyContext;

    result->encrypt = PR_TRUE;

    result->pending_count = 0;

    return result;

}

/*

 * Destroy the cipher object.

 */

static void

sec_pkcs7_destroy_cipher(sec_PKCS7CipherObject *obj)

{

    (*obj->destroy)(obj->cx, PR_TRUE);

    PORT_Free(obj);

}

void

sec_PKCS7DestroyDecryptObject(sec_PKCS7CipherObject *obj)

{

    PORT_Assert(obj != NULL);

    if (obj == NULL)

        return;

    PORT_Assert(!obj->encrypt);

    sec_pkcs7_destroy_cipher(obj);

}

void

sec_PKCS7DestroyEncryptObject(sec_PKCS7CipherObject *obj)

{

    PORT_Assert(obj != NULL);

    if (obj == NULL)

        return;

    PORT_Assert(obj->encrypt);

    sec_pkcs7_destroy_cipher(obj);

}

/*

 * XXX I think all of the following lengths should be longs instead

 * of ints, but our current crypto interface uses ints, so I did too.

 */

/*

 * What will be the output length of the next call to decrypt?

 * Result can be used to perform memory allocations.  Note that the amount

 * is exactly accurate only when not doing a block cipher or when final

 * is false, otherwise it is an upper bound on the amount because until

 * we see the data we do not know how many padding bytes there are

 * (always between 1 and bsize).

 *

 * Note that this can return zero, which does not mean that the decrypt

 * operation can be skipped!  (It simply means that there are not enough

 * bytes to make up an entire block; the bytes will be reserved until

 * there are enough to encrypt/decrypt at least one block.)  However,

 * if zero is returned it *does* mean that no output buffer need be

 * passed in to the subsequent decrypt operation, as no output bytes

 * will be stored.

 */

unsigned int

sec_PKCS7DecryptLength(sec_PKCS7CipherObject *obj, unsigned int input_len,

                       PRBool final)

{

    int blocks, block_size;

    PORT_Assert(!obj->encrypt);

    block_size = obj->block_size;

    /*

     * If this is not a block cipher, then we always have the same

     * number of output bytes as we had input bytes.

     */

    if (block_size == 0)

        return input_len;

    /*

     * On the final call, we will always use up all of the pending

     * bytes plus all of the input bytes, *but*, there will be padding

     * at the end and we cannot predict how many bytes of padding we

     * will end up removing.  The amount given here is actually known

     * to be at least 1 byte too long (because we know we will have

     * at least 1 byte of padding), but seemed clearer/better to me.

     */

    if (final)

        return obj->pending_count + input_len;

    /*

     * Okay, this amount is exactly what we will output on the

     * next cipher operation.  We will always hang onto the last

     * 1 - block_size bytes for non-final operations.  That is,

     * we will do as many complete blocks as we can *except* the

     * last block (complete or partial).  (This is because until

     * we know we are at the end, we cannot know when to interpret

     * and removing the padding byte(s), which are guaranteed to

     * be there.)

     */

    blocks = (obj->pending_count + input_len - 1) / block_size;

    return blocks * block_size;

}

/*

 * What will be the output length of the next call to encrypt?

 * Result can be used to perform memory allocations.

 *

 * Note that this can return zero, which does not mean that the encrypt

 * operation can be skipped!  (It simply means that there are not enough

 * bytes to make up an entire block; the bytes will be reserved until

 * there are enough to encrypt/decrypt at least one block.)  However,

 * if zero is returned it *does* mean that no output buffer need be

 * passed in to the subsequent encrypt operation, as no output bytes

 * will be stored.

 */

unsigned int

sec_PKCS7EncryptLength(sec_PKCS7CipherObject *obj, unsigned int input_len,

                       PRBool final)

{

    int blocks, block_size;

    int pad_size;

    PORT_Assert(obj->encrypt);

    block_size = obj->block_size;

    pad_size = obj->pad_size;

    /*

     * If this is not a block cipher, then we always have the same

     * number of output bytes as we had input bytes.

     */

    if (block_size == 0)

        return input_len;

    /*

     * On the final call, we only send out what we need for

     * remaining bytes plus the padding.  (There is always padding,

     * so even if we have an exact number of blocks as input, we

     * will add another full block that is just padding.)

     */

    if (final) {

        if (pad_size == 0) {

            return obj->pending_count + input_len;

        } else {

            blocks = (obj->pending_count + input_len) / pad_size;

            blocks++;

            return blocks * pad_size;

        }

    }

    /*

     * Now, count the number of complete blocks of data we have.

     */

    blocks = (obj->pending_count + input_len) / block_size;

    return blocks * block_size;

}

/*

 * Decrypt a given length of input buffer (starting at "input" and

 * containing "input_len" bytes), placing the decrypted bytes in

 * "output" and storing the output length in "*output_len_p".

 * "obj" is the return value from sec_PKCS7CreateDecryptObject.

 * When "final" is true, this is the last of the data to be decrypted.

 *

 * This is much more complicated than it sounds when the cipher is

 * a block-type, meaning that the decryption function will only

 * operate on whole blocks.  But our caller is operating stream-wise,

 * and can pass in any number of bytes.  So we need to keep track

 * of block boundaries.  We save excess bytes between calls in "obj".

 * We also need to determine which bytes are padding, and remove

 * them from the output.  We can only do this step when we know we

 * have the final block of data.  PKCS #7 specifies that the padding

 * used for a block cipher is a string of bytes, each of whose value is

 * the same as the length of the padding, and that all data is padded.

 * (Even data that starts out with an exact multiple of blocks gets

 * added to it another block, all of which is padding.)

 */

SECStatus

sec_PKCS7Decrypt(sec_PKCS7CipherObject *obj, unsigned char *output,

                 unsigned int *output_len_p, unsigned int max_output_len,

                 const unsigned char *input, unsigned int input_len,

                 PRBool final)

{

    unsigned int blocks, bsize, pcount, padsize;

    unsigned int max_needed, ifraglen, ofraglen, output_len;

    unsigned char *pbuf;

    SECStatus rv;

    PORT_Assert(!obj->encrypt);

    /*

     * Check that we have enough room for the output.  Our caller should

     * already handle this; failure is really an internal error (i.e. bug).

     */

    max_needed = sec_PKCS7DecryptLength(obj, input_len, final);

    PORT_Assert(max_output_len >= max_needed);

    if (max_output_len < max_needed) {

        /* PORT_SetError (XXX); */

        return SECFailure;

    }

    /*

     * hardware encryption does not like small decryption sizes here, so we

     * allow both blocking and padding.

     */

    bsize = obj->block_size;

    padsize = obj->pad_size;

    /*

     * When no blocking or padding work to do, we can simply call the

     * cipher function and we are done.

     */

    if (bsize == 0) {

        return (*obj->doit)(obj->cx, output, output_len_p, max_output_len,

                            input, input_len);

    }

    pcount = obj->pending_count;

    pbuf = obj->pending_buf;

    output_len = 0;

    if (pcount) {

        /*

         * Try to fill in an entire block, starting with the bytes

         * we already have saved away.

         */

        while (input_len && pcount < bsize) {

            pbuf[pcount++] = *input++;

            input_len--;

        }

        /*

         * If we have at most a whole block and this is not our last call,

         * then we are done for now.  (We do not try to decrypt a lone

         * single block because we cannot interpret the padding bytes

         * until we know we are handling the very last block of all input.)

         */

        if (input_len == 0 && !final) {

            obj->pending_count = pcount;

            if (output_len_p)

                *output_len_p = 0;

            return SECSuccess;

        }

        /*

         * Given the logic above, we expect to have a full block by now.

         * If we do not, there is something wrong, either with our own

         * logic or with (length of) the data given to us.

         */

        if ((padsize != 0) && (pcount % padsize) != 0) {

            PORT_Assert(final);

            PORT_SetError(SEC_ERROR_BAD_DATA);

            return SECFailure;

        }

        /*

         * Decrypt the block.

         */

        rv = (*obj->doit)(obj->cx, output, &ofraglen, max_output_len,

                          pbuf, pcount);

        if (rv != SECSuccess)

            return rv;

        /*

         * For now anyway, all of our ciphers have the same number of

         * bytes of output as they do input.  If this ever becomes untrue,

         * then sec_PKCS7DecryptLength needs to be made smarter!

         */

        PORT_Assert(ofraglen == pcount);

        /*

         * Account for the bytes now in output.

         */

        max_output_len -= ofraglen;

        output_len += ofraglen;

        output += ofraglen;

    }

    /*

     * If this is our last call, we expect to have an exact number of

     * blocks left to be decrypted; we will decrypt them all.

     *

     * If not our last call, we always save between 1 and bsize bytes

     * until next time.  (We must do this because we cannot be sure

     * that none of the decrypted bytes are padding bytes until we

     * have at least another whole block of data.  You cannot tell by

     * looking -- the data could be anything -- you can only tell by

     * context, knowing you are looking at the last block.)  We could

     * decrypt a whole block now but it is easier if we just treat it

     * the same way we treat partial block bytes.

     */

    if (final) {

        if (padsize) {

            blocks = input_len / padsize;

            ifraglen = blocks * padsize;

        } else

            ifraglen = input_len;

        PORT_Assert(ifraglen == input_len);

        if (ifraglen != input_len) {

            PORT_SetError(SEC_ERROR_BAD_DATA);

            return SECFailure;

        }

    } else {

        blocks = (input_len - 1) / bsize;

        ifraglen = blocks * bsize;

        PORT_Assert(ifraglen < input_len);

        pcount = input_len - ifraglen;

        PORT_Memcpy(pbuf, input + ifraglen, pcount);

        obj->pending_count = pcount;

    }

    if (ifraglen) {

        rv = (*obj->doit)(obj->cx, output, &ofraglen, max_output_len,

                          input, ifraglen);

        if (rv != SECSuccess)

            return rv;

        /*

         * For now anyway, all of our ciphers have the same number of

         * bytes of output as they do input.  If this ever becomes untrue,

         * then sec_PKCS7DecryptLength needs to be made smarter!

         */

        PORT_Assert(ifraglen == ofraglen);

        if (ifraglen != ofraglen) {

            PORT_SetError(SEC_ERROR_BAD_DATA);

            return SECFailure;

        }

        output_len += ofraglen;

    } else {

        ofraglen = 0;

    }

    /*

     * If we just did our very last block, "remove" the padding by

     * adjusting the output length.

     */

    if (final && (padsize != 0)) {

        unsigned int padlen = *(output + ofraglen - 1);

        if (padlen == 0 || padlen > padsize) {

            PORT_SetError(SEC_ERROR_BAD_DATA);

            return SECFailure;

        }

        output_len -= padlen;

    }

    PORT_Assert(output_len_p != NULL || output_len == 0);

    if (output_len_p != NULL)

        *output_len_p = output_len;

    return SECSuccess;

}

/*

 * Encrypt a given length of input buffer (starting at "input" and

 * containing "input_len" bytes), placing the encrypted bytes in

 * "output" and storing the output length in "*output_len_p".

 * "obj" is the return value from sec_PKCS7CreateEncryptObject.

 * When "final" is true, this is the last of the data to be encrypted.

 *

 * This is much more complicated than it sounds when the cipher is

 * a block-type, meaning that the encryption function will only

 * operate on whole blocks.  But our caller is operating stream-wise,

 * and can pass in any number of bytes.  So we need to keep track

 * of block boundaries.  We save excess bytes between calls in "obj".

 * We also need to add padding bytes at the end.  PKCS #7 specifies

 * that the padding used for a block cipher is a string of bytes,

 * each of whose value is the same as the length of the padding,

 * and that all data is padded.  (Even data that starts out with

 * an exact multiple of blocks gets added to it another block,

 * all of which is padding.)

 *

 * XXX I would kind of like to combine this with the function above

 * which does decryption, since they have a lot in common.  But the

 * tricky parts about padding and filling blocks would be much

 * harder to read that way, so I left them separate.  At least for

 * now until it is clear that they are right.

 */

SECStatus

sec_PKCS7Encrypt(sec_PKCS7CipherObject *obj, unsigned char *output,

                 unsigned int *output_len_p, unsigned int max_output_len,

                 const unsigned char *input, unsigned int input_len,

                 PRBool final)

{

    int blocks, bsize, padlen, pcount, padsize;

    unsigned int max_needed, ifraglen, ofraglen, output_len;

    unsigned char *pbuf;

    SECStatus rv;

    PORT_Assert(obj->encrypt);

    /*

     * Check that we have enough room for the output.  Our caller should

     * already handle this; failure is really an internal error (i.e. bug).

     */

    max_needed = sec_PKCS7EncryptLength(obj, input_len, final);

    PORT_Assert(max_output_len >= max_needed);

    if (max_output_len < max_needed) {

        /* PORT_SetError (XXX); */

        return SECFailure;

    }

    bsize = obj->block_size;

    padsize = obj->pad_size;

    /*

     * When no blocking and padding work to do, we can simply call the

     * cipher function and we are done.

     */

    if (bsize == 0) {

        return (*obj->doit)(obj->cx, output, output_len_p, max_output_len,

                            input, input_len);

    }

    pcount = obj->pending_count;

    pbuf = obj->pending_buf;

    output_len = 0;

    if (pcount) {

        /*

         * Try to fill in an entire block, starting with the bytes

         * we already have saved away.

         */

        while (input_len && pcount < bsize) {

            pbuf[pcount++] = *input++;

            input_len--;

        }

        /*

         * If we do not have a full block and we know we will be

         * called again, then we are done for now.

         */

        if (pcount < bsize && !final) {

            obj->pending_count = pcount;

            if (output_len_p != NULL)

                *output_len_p = 0;

            return SECSuccess;

        }

        /*

         * If we have a whole block available, encrypt it.

         */

        if ((padsize == 0) || (pcount % padsize) == 0) {

            rv = (*obj->doit)(obj->cx, output, &ofraglen, max_output_len,

                              pbuf, pcount);

            if (rv != SECSuccess)

                return rv;

            /*

             * For now anyway, all of our ciphers have the same number of

             * bytes of output as they do input.  If this ever becomes untrue,

             * then sec_PKCS7EncryptLength needs to be made smarter!

             */

            PORT_Assert(ofraglen == pcount);

            /*

             * Account for the bytes now in output.

             */

            max_output_len -= ofraglen;

            output_len += ofraglen;

            output += ofraglen;

            pcount = 0;

        }

    }

    if (input_len) {

        PORT_Assert(pcount == 0);

        blocks = input_len / bsize;

        ifraglen = blocks * bsize;

        if (ifraglen) {

            rv = (*obj->doit)(obj->cx, output, &ofraglen, max_output_len,

                              input, ifraglen);

            if (rv != SECSuccess)

                return rv;

            /*

             * For now anyway, all of our ciphers have the same number of

             * bytes of output as they do input.  If this ever becomes untrue,

             * then sec_PKCS7EncryptLength needs to be made smarter!

             */

            PORT_Assert(ifraglen == ofraglen);

            max_output_len -= ofraglen;

            output_len += ofraglen;

            output += ofraglen;

        }

        pcount = input_len - ifraglen;

        PORT_Assert(pcount < bsize);

        if (pcount)

            PORT_Memcpy(pbuf, input + ifraglen, pcount);

    }

    if (final) {

        if (padsize) {

            padlen = padsize - (pcount % padsize);

            PORT_Memset(pbuf + pcount, padlen, padlen);

        } else {

            padlen = 0;

        }

        rv = (*obj->doit)(obj->cx, output, &ofraglen, max_output_len,

                          pbuf, pcount + padlen);

        if (rv != SECSuccess)

            return rv;

        /*

         * For now anyway, all of our ciphers have the same number of

         * bytes of output as they do input.  If this ever becomes untrue,

         * then sec_PKCS7EncryptLength needs to be made smarter!

         */

        PORT_Assert(ofraglen == (pcount + padlen));

        output_len += ofraglen;

    } else {

        obj->pending_count = pcount;

    }

    PORT_Assert(output_len_p != NULL || output_len == 0);

    if (output_len_p != NULL)

        *output_len_p = output_len;

    return SECSuccess;

}

/*

 * End of cipher stuff.

 * -------------------------------------------------------------------

 */

/*

 * -------------------------------------------------------------------

 * XXX The following Attribute stuff really belongs elsewhere.

 * The Attribute type is *not* part of pkcs7 but rather X.501.

 * But for now, since PKCS7 is the only customer of attributes,

 * we define them here.  Once there is a use outside of PKCS7,

 * then change the attribute types and functions from internal

 * to external naming convention, and move them elsewhere!

 */

/*

 * Look through a set of attributes and find one that matches the

 * specified object ID.  If "only" is true, then make sure that

 * there is not more than one attribute of the same type.  Otherwise,

 * just return the first one found. (XXX Does anybody really want

 * that first-found behavior?  It was like that when I found it...)

 */

SEC_PKCS7Attribute *

sec_PKCS7FindAttribute(SEC_PKCS7Attribute **attrs, SECOidTag oidtag,

                       PRBool only)

{

    SECOidData *oid;

    SEC_PKCS7Attribute *attr1, *attr2;

    if (attrs == NULL)

        return NULL;

    oid = SECOID_FindOIDByTag(oidtag);

    if (oid == NULL)

        return NULL;

    while ((attr1 = *attrs++) != NULL) {

        if (attr1->type.len == oid->oid.len && PORT_Memcmp(attr1->type.data, oid->oid.data, oid->oid.len) == 0)

            break;

    }

    if (attr1 == NULL)

        return NULL;

    if (!only)

        return attr1;

    while ((attr2 = *attrs++) != NULL) {

        if (attr2->type.len == oid->oid.len && PORT_Memcmp(attr2->type.data, oid->oid.data, oid->oid.len) == 0)

            break;

    }

    if (attr2 != NULL)

        return NULL;

    return attr1;

}

/*

 * Return the single attribute value, doing some sanity checking first:

 * - Multiple values are *not* expected.

 * - Empty values are *not* expected.

 */

SECItem *

sec_PKCS7AttributeValue(SEC_PKCS7Attribute *attr)

{

    SECItem *value;

    if (attr == NULL)

        return NULL;

    value = attr->values[0];

    if (value == NULL || value->data == NULL || value->len == 0)

        return NULL;

    if (attr->values[1] != NULL)

        return NULL;

    return value;

}

static const SEC_ASN1Template *

sec_attr_choose_attr_value_template(void *src_or_dest, PRBool encoding)

{

    const SEC_ASN1Template *theTemplate;

    SEC_PKCS7Attribute *attribute;

    SECOidData *oiddata;

    PRBool encoded;

    PORT_Assert(src_or_dest != NULL);

    if (src_or_dest == NULL)

        return NULL;

    attribute = (SEC_PKCS7Attribute *)src_or_dest;

    if (encoding && attribute->encoded)

        return SEC_ASN1_GET(SEC_AnyTemplate);

    oiddata = attribute->typeTag;

    if (oiddata == NULL) {

        oiddata = SECOID_FindOID(&attribute->type);

        attribute->typeTag = oiddata;

    }

    if (oiddata == NULL) {

        encoded = PR_TRUE;

        theTemplate = SEC_ASN1_GET(SEC_AnyTemplate);

    } else {

        switch (oiddata->offset) {

            default:

                encoded = PR_TRUE;

                theTemplate = SEC_ASN1_GET(SEC_AnyTemplate);

                break;

            case SEC_OID_PKCS9_EMAIL_ADDRESS:

            case SEC_OID_RFC1274_MAIL:

            case SEC_OID_PKCS9_UNSTRUCTURED_NAME:

                encoded = PR_FALSE;

                theTemplate = SEC_ASN1_GET(SEC_IA5StringTemplate);

                break;

            case SEC_OID_PKCS9_CONTENT_TYPE:

                encoded = PR_FALSE;

                theTemplate = SEC_ASN1_GET(SEC_ObjectIDTemplate);

                break;

            case SEC_OID_PKCS9_MESSAGE_DIGEST:

                encoded = PR_FALSE;

                theTemplate = SEC_ASN1_GET(SEC_OctetStringTemplate);

                break;

            case SEC_OID_PKCS9_SIGNING_TIME:

                encoded = PR_FALSE;

                theTemplate = SEC_ASN1_GET(CERT_TimeChoiceTemplate);

                break;

                /* XXX Want other types here, too */

        }

    }

    if (encoding) {

        /*

         * If we are encoding and we think we have an already-encoded value,

         * then the code which initialized this attribute should have set

         * the "encoded" property to true (and we would have returned early,

         * up above).  No devastating error, but that code should be fixed.

         * (It could indicate that the resulting encoded bytes are wrong.)

         */

        PORT_Assert(!encoded);

    } else {

        /*

         * We are decoding; record whether the resulting value is

         * still encoded or not.

         */

        attribute->encoded = encoded;

    }

    return theTemplate;

}

static const SEC_ASN1TemplateChooserPtr sec_attr_chooser = sec_attr_choose_attr_value_template;

static const SEC_ASN1Template sec_pkcs7_attribute_template[] = {

    { SEC_ASN1_SEQUENCE,

      0, NULL, sizeof(SEC_PKCS7Attribute) },

    { SEC_ASN1_OBJECT_ID,

      offsetof(SEC_PKCS7Attribute, type) },

    { SEC_ASN1_DYNAMIC | SEC_ASN1_SET_OF,

      offsetof(SEC_PKCS7Attribute, values),

      &sec_attr_chooser },

    { 0 }

};

static const SEC_ASN1Template sec_pkcs7_set_of_attribute_template[] = {

    { SEC_ASN1_SET_OF, 0, sec_pkcs7_attribute_template },

};

/*

 * If you are wondering why this routine does not reorder the attributes

 * first, and might be tempted to make it do so, see the comment by the

 * call to ReorderAttributes in p7encode.c.  (Or, see who else calls this

 * and think long and hard about the implications of making it always

 * do the reordering.)

 */

SECItem *

sec_PKCS7EncodeAttributes(PLArenaPool *poolp, SECItem *dest, void *src)

{

    return SEC_ASN1EncodeItem(poolp, dest, src,

                              sec_pkcs7_set_of_attribute_template);

}

/*

 * Make sure that the order of the attributes guarantees valid DER

 * (which must be in lexigraphically ascending order for a SET OF);

 * if reordering is necessary it will be done in place (in attrs).

 */

SECStatus

sec_PKCS7ReorderAttributes(SEC_PKCS7Attribute **attrs)

{

    PLArenaPool *poolp;

    int num_attrs, i, pass, besti;

    unsigned int j;

    SECItem **enc_attrs;

    SEC_PKCS7Attribute **new_attrs;

    /*

     * I think we should not be called with NULL.  But if we are,

     * call it a success anyway, because the order *is* okay.

     */

    PORT_Assert(attrs != NULL);

    if (attrs == NULL)

        return SECSuccess;

    /*

     * Count how many attributes we are dealing with here.

     */

    num_attrs = 0;

    while (attrs[num_attrs] != NULL)

        num_attrs++;