/usr/include/sipxtapi/net/SmimeBody.h is in libsipxtapi-dev 3.3.0~test17-1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 | //
// Copyright (C) 2004-2006 SIPfoundry Inc.
// Licensed by SIPfoundry under the LGPL license.
//
// Copyright (C) 2004-2006 Pingtel Corp. All rights reserved.
// Licensed to SIPfoundry under a Contributor Agreement.
//
// $$
///////////////////////////////////////////////////////////////////////////////
// Author: Dan Petrie (dpetrie AT SIPez DOT com)
#ifndef _SmimeBody_h_
#define _SmimeBody_h_
// SYSTEM INCLUDES
//#include <...>
#ifdef HAVE_NSS
#include <nspr.h>
#include <nss.h>
#include <secutil.h>
#include <secport.h>
#include <certdb.h>
#include <ssl.h>
#include <cms.h>
#include <cert.h>
#include <pk11func.h>
#include <pkcs12.h>
#include <p12plcy.h>
#include <p12.h>
#include <ciferfam.h>
#include <base64.h>
#include "net/pk12wrapper.h"
#endif
// APPLICATION INCLUDES
#include <net/HttpBody.h>
#include <tapi/sipXtapiEvents.h>
// DEFINES
// MACROS
// EXTERNAL FUNCTIONS
// EXTERNAL VARIABLES
// CONSTANTS
// STRUCTS
// TYPEDEFS
// FORWARD DECLARATIONS
// ENUMS
/**
* Container class for security attributes.
*/
#define SIPXTACK_MAX_SRTP_KEY_LENGTH 31
#define SIPXTACK_MAX_SMIME_KEY_LENGTH 2048
#define SIPXTACK_MAX_PKCS12_KEY_LENGTH 4096
#define SIPXTACK_MAX_CERT_LENGTH 4096
#define SIPXTACK_MAX_PASSWORD_LENGTH 32
/*
typedef enum SMIME_ERRORS
{
SMIME_SUCCESS,
SMIME_ENCRYPT_FAILURE_LIB_INIT,
SMIME_ENCRYPT_FAILURE_BAD_PUBLIC_KEY,
SMIME_ENCRYPT_FAILURE_INVALID_PARAMETER,
SMIME_DECRYPT_FAILURE_DB_INIT,
SMIME_DECRYPT_FAILURE_BAD_DB_PASSWORD,
SMIME_DECRYPT_FAILURE_INVALID_PARAMETER,
SMIME_DECRYPT_BAD_SIGNATURE,
SMIME_DECRYPT_MISSING_SIGNATURE,
SMIME_UNKNOWN
} SMIME_ERRORS;
*/
enum SIPXTACK_SRTP_LEVEL
{
SIPXTACK_SRTP_LEVEL_NONE,
SIPXTACK_SRTP_LEVEL_ENCRYPTION,
SIPXTACK_SRTP_LEVEL_AUTHENTICATION,
SIPXTACK_SRTP_LEVEL_ENCRYPTION_AND_AUTHENTICATION
};
/**
* Container class for security attributes.
*/
class SIPXTACK_SECURITY_ATTRIBUTES
{
public:
friend class SipMessage;
SIPXTACK_SECURITY_ATTRIBUTES()
{
nSrtpKeyLength = 0 ;
nSmimeKeyLength = 0 ;
nSrtpLevel = SIPXTACK_SRTP_LEVEL_NONE ;
memset(szSrtpKey, 0, sizeof(szSrtpKey));
memset(szSmimeKeyDer, 0, sizeof(szSmimeKeyDer));
memset(dbLocation, 0, sizeof(dbLocation));
memset(szMyCertNickname, 0, sizeof(szMyCertNickname));
memset(szCertDbPassword, 0, sizeof(szCertDbPassword));
nSmimeKeyLength = 0 ;
nSrtpLevel = SIPXTACK_SRTP_LEVEL_NONE ;
}
SIPXTACK_SECURITY_ATTRIBUTES(const SIPXTACK_SECURITY_ATTRIBUTES& ref)
{
copyData(ref);
}
virtual ~SIPXTACK_SECURITY_ATTRIBUTES() { }
SIPXTACK_SECURITY_ATTRIBUTES& operator=(const SIPXTACK_SECURITY_ATTRIBUTES& ref)
{
if (this == &ref) return *this;
copyData(ref);
return *this;
}
/**
* Sets the symmetric srtp key. If this is not supplied by the user,
* sipXtapi will generate a random key.
*/
void setSrtpKey(const char* szKey, const int length)
{
strncpy(szSrtpKey, szKey, length);
nSrtpKeyLength = length;
}
/**
* Sets the public key of the remote party, which is used to
* encrypt the S/MIME container for the SDP.
*/
void setSmimeKey(const char* szKey, const int length)
{
memcpy((void*)szSmimeKeyDer, (void*)szKey, length);
nSmimeKeyLength = length;
}
/**
* Sets the S/MIME & SRTP security level
*/
void setSecurityLevel(SIPXTACK_SRTP_LEVEL security) { nSrtpLevel = security; }
/**
* Gets the symmetric srtp key.
*/
const char* getSrtpKey() const { return szSrtpKey; }
/**
* Gets the public key of the remote party, which is used to
* encrypt the S/MIME container for the SDP.
*/
const char* getSmimeKey() const { return szSmimeKeyDer; }
/**
* Gets the symmetric srtp key length.
*/
const int getSrtpKeyLength() const { return nSrtpKeyLength; }
/**
* Gets the public key of the remote party, which is used to
* encrypt the S/MIME container for the SDP.
*/
const int getSmimeKeyLength() const { return nSmimeKeyLength; }
/**
* Sets the S/MIME & SRTP security level
*/
const int getSecurityLevel() const {return nSrtpLevel;}
/**
* Gets the Certificate Database location (set internally to
* the location specified in the call to
* sipxConfigSetSecurityParameters() )
*/
const char* getCertDbLocation() const { return dbLocation; }
private:
SIPXTACK_SRTP_LEVEL nSrtpLevel;
char szSrtpKey[SIPXTACK_MAX_SRTP_KEY_LENGTH];
int nSrtpKeyLength;
char szSmimeKeyDer[SIPXTACK_MAX_SMIME_KEY_LENGTH];
int nSmimeKeyLength;
// internally set private member, use sipxConfigSetSecurityParameters
char dbLocation[256];
// internally set private member, use sipxConfigSetSecurityParameters
char szMyCertNickname[32];
// internally set private member, use sipxConfigSetSecurityParameters
char szCertDbPassword[SIPXTACK_MAX_PASSWORD_LENGTH];
void copyData(const SIPXTACK_SECURITY_ATTRIBUTES& ref)
{
nSrtpLevel = ref.nSrtpLevel;
nSrtpKeyLength = ref.nSrtpKeyLength;
nSmimeKeyLength = ref.nSmimeKeyLength;
strcpy(szSrtpKey, ref.szSrtpKey);
memcpy((void*)szSmimeKeyDer, (void*)ref.szSmimeKeyDer, ref.nSmimeKeyLength);
strncpy(dbLocation, ref.dbLocation, sizeof(dbLocation) - 1);
strncpy(szMyCertNickname, ref.szMyCertNickname, sizeof(szMyCertNickname) - 1);
strncpy(szCertDbPassword, ref.szCertDbPassword, sizeof(szCertDbPassword) - 1);
return;
}
};
//: Interface defintion for receiving events: SMIME errors or SMIME signature notifications.
class ISmimeNotifySink
{
public:
virtual void OnError(SIPX_SECURITY_EVENT event, SIPX_SECURITY_CAUSE cause) = 0;
virtual bool OnSignature(void* pCert, char* szSubjAltName) = 0 ;
virtual ~ISmimeNotifySink() { } ;
};
//! class to contain an PKCS7 (S/MIME) body
/*! This class can be used to create an encrypted S/MIME
body as well as to decrypt an encrypted body.
*/
class SmimeBody : public HttpBody
{
/* //////////////////////////// PUBLIC //////////////////////////////////// */
public:
enum ContentEncoding
{
SMIME_ENODING_UNKNOWN = 0,
SMIME_ENODING_BINARY,
SMIME_ENODING_BASE64
};
/* ============================ CREATORS ================================== */
//! default constructor
SmimeBody();
//! Construct an SmimeBody from a bunch of bytes
SmimeBody(const char* bytes,
int length,
const char* contentEncodingValueString);
//! Copy constructor
SmimeBody(const SmimeBody& rSmimeBody);
//! Destructor
virtual
~SmimeBody();
/* ============================ MANIPULATORS ============================== */
//! Assignment operator
SmimeBody& operator=(const SmimeBody& rhs);
//! Decrypt this body using the given private key and cert. contained in the pkcs12 package
/*! Decrypts this body using the derPkcs12PrivateKey.
* \param derPkcs12 - DER format pkcs12 container for the
* private key and public key/Certificate for a recipent who is
* allowed to decrypt this pkcs7 (S/MIME) encapsulated body.
* \param derPkcs12Length - length in bytes of derPkcs12PrivateKey
* \param pkcs12Password - symetric key (password) used to protect
* (encrypt) the derPkcs12PrivateKey (the private key is
* contained in a pkcs12 in an encrypted format to protect
* it from theft). Must be NULL terminated string.
*/
UtlBoolean decrypt(const char* derPkcs12,
int derPkcs12Length,
const char* pkcs12password,
const char* certDbPassword,
const char* signerCertDER,
int signerCertDERLength,
ISmimeNotifySink* pSink = NULL);
//! Encrypt the given body for the given list of recipients
/*! \param bodyToEncrypt - Body to encrypt, note bodyToEncrypt
* will be attached to and deleted with this SmimeBody.
* bodyToEncrypt can be retrieved after invoking decrypt
* using the getDecyptedBody method.
* \param numRecipients - number of recipients for which
* bodyToEncrypt will be encrypted. For each recipient
* an element in derPublicKeyCerts and derPubliceKeyCertLengths
* must be given.
* \param derPublicKeyCerts - array containing a DER format
* certificate (containing the public key) for each recipient.
* \param derPubliceKeyCertLengths - length in bytes of the
* corresponding element in derPublicKeyCerts.
*/
UtlBoolean encrypt(HttpBody* bodyToEncrypt,
int numRecipients,
const char* derPublicKeyCerts[],
int derPubliceKeyCertLengths[],
const char* szMyCertNickname,
const char* szCertDbPassword,
ISmimeNotifySink* pSink = NULL);
#ifdef HAVE_NSS
static void getSubjAltName(char* szSubjAltName,
const CERTCertificate* pCert,
const size_t length);
#endif
// Lower level utility to do S/MIME encryption using the NSS library.
/*! Encrypts the given data for the recipients represented by the
* array of certificates containing the public keys.
* \param numRecipientCerts the number of recipient certificates in
* the derPublicKeyCerts array.
* \param derPublicKeyCerts - array containing DER format certificates.
* \param derPublicKeyCertLengths - array containing the length of the
* corresponding certificate DER data.
* \param dataToEncrypt - raw data to encrypt using PKCS7 S/MIME format
* \param dataToEncryptLength length in bytes of dataToEncrypt
* \param encryptedDataInBase64Format - TRUE: output encrypted data in
* base64 format, FALSE: output data in raw binary format. Typically
* for SIP one should send in binary format.
* \param encryptedData - string containing the encrypted result.
*/
static UtlBoolean nssSmimeEncrypt(int numRecipientCerts,
const char* derPublicKeyCerts[],
int derPublicKeyCertLengths[],
const char* szMyCertNickname,
const char* szCertDbPassword,
const char* dataToEncrypt,
int dataToEncryptLength,
UtlBoolean encryptedDataInBase64Format,
UtlString& encryptedData,
ISmimeNotifySink* pSmimeSink);
// Lower level utility to do S/MIME decryption using the NSS library
/*! Decrypts this body using the derPkcs12PrivateKey.
* \param derPkcs12 - DER format pkcs12 container for the
* private key and public key/Certificate for a recipent who is
* allowed to decrypt this pkcs7 (S/MIME) encapsulated body.
* \param derPkcs12Length - length in bytes of derPkcs12PrivateKey
* \param pkcs12Password - symetric key (password) used to protect
* (encrypt) the derPkcs12PrivateKey (the private key is
* contained in a pkcs12 in an encrypted format to protect
* it from theft). Must be NULL terminated string.
* \param dataIsInBase64Format - TRUE: encrypted data is in base64
* format, FALSE: encrypted data is in binary format.
* \param dataToDecrypt - raw data to be decrypted. Must be in binary
* or base64 format. Does NOT need to be NULL terminated.
* \param dataToDecryptLength - length of the data in dataToDecrypt
* to be decrypted.
* \param decryptedData - string to contain the resulting decrypted
* data.
*/
static UtlBoolean nssSmimeDecrypt(const char* derPkcs12,
int derPkcs12Length,
const char* pkcs12Password,
const char* certDbPassword,
const char* signerCertDER,
int signerCertDERLength,
UtlBoolean dataIsInBase64Format,
const char* dataToDecrypt,
int dataToDecryptLength,
UtlString& decryptedData,
ISmimeNotifySink* pSmimeSink);
// Lower level utility to do S/MIME encryption using the NSS library.
/*! Encrypts the given data for the recipients represented by the
* array of certificates containing the public keys.
* \param numRecipientCerts the number of recipient certificates in
* the derPublicKeyCerts array.
* \param derPublicKeyCerts - array containing DER format certificates.
* \param derPublicKeyCertLengths - array containing the length of the
* corresponding certificate DER data.
* \param dataToEncrypt - raw data to encrypt using PKCS7 S/MIME format
* \param dataToEncryptLength length in bytes of dataToEncrypt
* \param encryptedDataInBase64Format - TRUE: output encrypted data in
* base64 format, FALSE: output data in raw binary format. Typically
* for SIP one should send in binary format.
* \param encryptedData - string containing the encrypted result.
*/
static UtlBoolean opensslSmimeEncrypt(int numRecipientCerts,
const char* derPublicKeyCerts[],
int derPublicKeyCertLengths[],
const char* dataToEncrypt,
int dataToEncryptLength,
UtlBoolean encryptedDataInBase64Format,
UtlString& encryptedData);
// Lower level utility to do S/MIME decryption using the OpenSSL library
/*! Decrypts this body using the derPkcs12PrivateKey.
* \param derPkcs12 - DER format pkcs12 container for the
* private key and public key/Certificate for a recipent who is
* allowed to decrypt this pkcs7 (S/MIME) encapsulated body.
* \param derPkcs12Length - length in bytes of derPkcs12PrivateKey
* \param pkcs12Password - symetric key (password) used to protect
* (encrypt) the derPkcs12PrivateKey (the private key is
* contained in a pkcs12 in an encrypted format to protect
* it from theft). Must be NULL terminated string.
* \param dataIsInBase64Format - TRUE: encrypted data is in base64
* format, FALSE: encrypted data is in binary format.
* \param dataToDecrypt - raw data to be decrypted. Must be in binary
* or base64 format. Does NOT need to be NULL terminated.
* \param dataToDecryptLength - length of the data in dataToDecrypt
* to be decrypted.
* \param decryptedData - string to contain the resulting decrypted
* data.
*/
static UtlBoolean opensslSmimeDecrypt(const char* derPkcs12,
int derPkcs12Length,
const char* pkcs12Password,
UtlBoolean dataIsInBase64Format,
const char* dataToDecrypt,
int dataToDecryptLength,
UtlString& decryptedData);
//! Utility to convert PEM format data to DER format
static UtlBoolean convertPemToDer(UtlString& pemData,
UtlString& derData);
static bool importPKCS12Object(const char* derPkcs12,
int derPkcs12Length,
const char* pkcs12Password,
const char* certDbLocation,
const char* certDbPassword);
/* ============================ ACCESSORS ================================= */
//! Gets the decrypted form of this body if available
const HttpBody* getDecryptedBody() const;
/* ============================ INQUIRY =================================== */
//! Query if this body has been decrypted
UtlBoolean isDecrypted() const;
/* //////////////////////////// PROTECTED ///////////////////////////////// */
protected:
HttpBody* mpDecryptedBody;
enum ContentEncoding mContentEncoding;
/* //////////////////////////// PRIVATE /////////////////////////////////// */
private:
#ifdef HAVE_NSS
static UtlString createSignedData(CERTCertificate *cert,
const char* dataToSign,
const int dataToSignLength,
NSSCMSSignedData*& sigd,
char* szCertDbPassword);
#endif
ISmimeNotifySink* mpSmimeSink;
};
/* ============================ INLINE METHODS ============================ */
#endif // _SmimeBody_h_
|