/* This Source Code Form is subject to the terms of the Mozilla Public

 * License, v. 2.0. If a copy of the MPL was not distributed with this

 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

/*

 * CMS encoding.

 */

#include "cmslocal.h"

#include "cert.h"

#include "key.h"

#include "secasn1.h"

#include "secoid.h"

#include "secitem.h"

#include "pk11func.h"

#include "secerr.h"

struct nss_cms_encoder_output {

    NSSCMSContentCallback outputfn;

    void *outputarg;

    PLArenaPool *destpoolp;

    SECItem *dest;

};

struct NSSCMSEncoderContextStr {

    SEC_ASN1EncoderContext *	ecx;		/* ASN.1 encoder context */

    PRBool			ecxupdated;	/* true if data was handed in */

    NSSCMSMessage *		cmsg;		/* pointer to the root message */

    SECOidTag			type;		/* type tag of the current content */

    NSSCMSContent		content;	/* pointer to current content */

    struct nss_cms_encoder_output output;	/* output function */

    int				error;		/* error code */

    NSSCMSEncoderContext *	childp7ecx;	/* link to child encoder context */

};

static SECStatus nss_cms_before_data(NSSCMSEncoderContext *p7ecx);

static SECStatus nss_cms_after_data(NSSCMSEncoderContext *p7ecx);

static SECStatus nss_cms_encoder_update(NSSCMSEncoderContext *p7ecx, const char *data, unsigned long len);

static SECStatus nss_cms_encoder_work_data(NSSCMSEncoderContext *p7ecx, SECItem *dest,

			     const unsigned char *data, unsigned long len,

			     PRBool final, PRBool innermost);

extern const SEC_ASN1Template NSSCMSMessageTemplate[];

/*

 * The little output function that the ASN.1 encoder calls to hand

 * us bytes which we in turn hand back to our caller (via the callback

 * they gave us).

 */

static void

nss_cms_encoder_out(void *arg, const char *buf, unsigned long len,

		      int depth, SEC_ASN1EncodingPart data_kind)

{

    struct nss_cms_encoder_output *output = (struct nss_cms_encoder_output *)arg;

    unsigned char *dest;

    unsigned long offset;

#ifdef CMSDEBUG

    int i;

    const char *data_name = "unknown";

    switch (data_kind) {

    case SEC_ASN1_Identifier:

        data_name = "identifier";

        break;

    case SEC_ASN1_Length:

        data_name = "length";

        break;

    case SEC_ASN1_Contents:

        data_name = "contents";

        break;

    case SEC_ASN1_EndOfContents:

        data_name = "end-of-contents";

        break;

    }

    fprintf(stderr, "kind = %s, depth = %d, len = %d\n", data_name, depth, len);

    for (i=0; i < len; i++) {

	fprintf(stderr, " %02x%s", (unsigned int)buf[i] & 0xff, ((i % 16) == 15) ? "\n" : "");

    }

    if ((i % 16) != 0)

	fprintf(stderr, "\n");

#endif

    if (output->outputfn != NULL)

	/* call output callback with DER data */

	output->outputfn(output->outputarg, buf, len);

    if (output->dest != NULL) {

	/* store DER data in SECItem */

	offset = output->dest->len;

	if (offset == 0) {

	    dest = (unsigned char *)PORT_ArenaAlloc(output->destpoolp, len);

	} else {

	    dest = (unsigned char *)PORT_ArenaGrow(output->destpoolp, 

				  output->dest->data,

				  output->dest->len,

				  output->dest->len + len);

	}

	if (dest == NULL)

	    /* oops */

	    return;

	output->dest->data = dest;

	output->dest->len += len;

	/* copy it in */

	PORT_Memcpy(output->dest->data + offset, buf, len);

    }

}

/*

 * nss_cms_encoder_notify - ASN.1 encoder callback

 *

 * this function is called by the ASN.1 encoder before and after the encoding of

 * every object. here, it is used to keep track of data structures, set up

 * encryption and/or digesting and possibly set up child encoders.

 */

static void

nss_cms_encoder_notify(void *arg, PRBool before, void *dest, int depth)

{

    NSSCMSEncoderContext *p7ecx;

    NSSCMSContentInfo *rootcinfo, *cinfo;

    PRBool after = !before;

    PLArenaPool *poolp;

    SECOidTag childtype;

    SECItem *item;

    p7ecx = (NSSCMSEncoderContext *)arg;

    PORT_Assert(p7ecx != NULL);

    rootcinfo = &(p7ecx->cmsg->contentInfo);

    poolp = p7ecx->cmsg->poolp;

#ifdef CMSDEBUG

    fprintf(stderr, "%6.6s, dest = 0x%08x, depth = %d\n", before ? "before" : "after", dest, depth);

#endif

    /*

     * Watch for the content field, at which point we want to instruct

     * the ASN.1 encoder to start taking bytes from the buffer.

     */

    if (NSS_CMSType_IsData(p7ecx->type)) {

	cinfo = NSS_CMSContent_GetContentInfo(p7ecx->content.pointer, p7ecx->type);

	if (before && dest == &(cinfo->rawContent)) {

	    /* just set up encoder to grab from user - no encryption or digesting */

	    if ((item = cinfo->content.data) != NULL)

		(void)nss_cms_encoder_work_data(p7ecx, NULL, item->data, item->len, PR_TRUE, PR_TRUE);

	    else

		SEC_ASN1EncoderSetTakeFromBuf(p7ecx->ecx);

	    SEC_ASN1EncoderClearNotifyProc(p7ecx->ecx);	/* no need to get notified anymore */

	}

    } else if (NSS_CMSType_IsWrapper(p7ecx->type)) {

	/* when we know what the content is, we encode happily until we reach the inner content */

	cinfo = NSS_CMSContent_GetContentInfo(p7ecx->content.pointer, p7ecx->type);

	childtype = NSS_CMSContentInfo_GetContentTypeTag(cinfo);

	if (after && dest == &(cinfo->contentType)) {

	    /* we're right before encoding the data (if we have some or not) */

	    /* (for encrypted data, we're right before the contentEncAlg which may change */

	    /*  in nss_cms_before_data because of IV calculation when setting up encryption) */

	    if (nss_cms_before_data(p7ecx) != SECSuccess)

		p7ecx->error = PORT_GetError();

	}

	if (before && dest == &(cinfo->rawContent)) {

	    if (p7ecx->childp7ecx == NULL) {

		if ((NSS_CMSType_IsData(childtype) && (item = cinfo->content.data) != NULL)) {

		    /* we are the innermost non-data and we have data - feed it in */

		    (void)nss_cms_encoder_work_data(p7ecx, NULL, item->data, item->len, PR_TRUE, PR_TRUE);

	        } else {

		    /* else we'll have to get data from user */

		    SEC_ASN1EncoderSetTakeFromBuf(p7ecx->ecx);

		}

	    } else {

	        /* if we have a nested encoder, wait for its data */

		SEC_ASN1EncoderSetTakeFromBuf(p7ecx->ecx);

	    }

	}

	if (after && dest == &(cinfo->rawContent)) {

	    if (nss_cms_after_data(p7ecx) != SECSuccess)

		p7ecx->error = PORT_GetError();

	    SEC_ASN1EncoderClearNotifyProc(p7ecx->ecx);	/* no need to get notified anymore */

	}

    } else {

	/* we're still in the root message */

	if (after && dest == &(rootcinfo->contentType)) {

	    /* got the content type OID now - so find out the type tag */

	    p7ecx->type = NSS_CMSContentInfo_GetContentTypeTag(rootcinfo);

	    /* set up a pointer to our current content */

	    p7ecx->content = rootcinfo->content;

	}

    }

}

/*

 * nss_cms_before_data - setup the current encoder to receive data

 */

static SECStatus

nss_cms_before_data(NSSCMSEncoderContext *p7ecx)

{

    SECStatus rv;

    SECOidTag childtype;

    NSSCMSContentInfo *cinfo;

    PLArenaPool *poolp;

    NSSCMSEncoderContext *childp7ecx;

    const SEC_ASN1Template *template;

    poolp = p7ecx->cmsg->poolp;

    /* call _Encode_BeforeData handlers */

    switch (p7ecx->type) {

    case SEC_OID_PKCS7_SIGNED_DATA:

	/* we're encoding a signedData, so set up the digests */

	rv = NSS_CMSSignedData_Encode_BeforeData(p7ecx->content.signedData);

	break;

    case SEC_OID_PKCS7_DIGESTED_DATA:

	/* we're encoding a digestedData, so set up the digest */

	rv = NSS_CMSDigestedData_Encode_BeforeData(p7ecx->content.digestedData);

	break;

    case SEC_OID_PKCS7_ENVELOPED_DATA:

	rv = NSS_CMSEnvelopedData_Encode_BeforeData(p7ecx->content.envelopedData);

	break;

    case SEC_OID_PKCS7_ENCRYPTED_DATA:

	rv = NSS_CMSEncryptedData_Encode_BeforeData(p7ecx->content.encryptedData);

	break;

    default:

        if (NSS_CMSType_IsWrapper(p7ecx->type)) {

	    rv = NSS_CMSGenericWrapperData_Encode_BeforeData(p7ecx->type, p7ecx->content.genericData);

	} else {

	    rv = SECFailure;

	}

    }

    if (rv != SECSuccess)

	return SECFailure;

    /* ok, now we have a pointer to cinfo */

    /* find out what kind of data is encapsulated */

    cinfo = NSS_CMSContent_GetContentInfo(p7ecx->content.pointer, p7ecx->type);

    childtype = NSS_CMSContentInfo_GetContentTypeTag(cinfo);

    if (NSS_CMSType_IsWrapper(childtype)) {

	/* in these cases, we need to set up a child encoder! */

	/* create new encoder context */

	childp7ecx = PORT_ZAlloc(sizeof(NSSCMSEncoderContext));

	if (childp7ecx == NULL)

	    return SECFailure;

	/* the CHILD encoder needs to hand its encoded data to the CURRENT encoder

	 * (which will encrypt and/or digest it)

	 * this needs to route back into our update function

	 * which finds the lowest encoding context & encrypts and computes digests */

	childp7ecx->type = childtype;

	childp7ecx->content = cinfo->content;

	/* use the non-recursive update function here, of course */

	childp7ecx->output.outputfn = (NSSCMSContentCallback)nss_cms_encoder_update;

	childp7ecx->output.outputarg = p7ecx;

	childp7ecx->output.destpoolp = NULL;

	childp7ecx->output.dest = NULL;

	childp7ecx->cmsg = p7ecx->cmsg;

	childp7ecx->ecxupdated = PR_FALSE;

	childp7ecx->childp7ecx = NULL;

	template = NSS_CMSUtil_GetTemplateByTypeTag(childtype);

	if (template == NULL)

	    goto loser;		/* cannot happen */

	/* now initialize the data for encoding the first third */

	switch (childp7ecx->type) {

	case SEC_OID_PKCS7_SIGNED_DATA:

	    rv = NSS_CMSSignedData_Encode_BeforeStart(cinfo->content.signedData);

	    break;

	case SEC_OID_PKCS7_ENVELOPED_DATA:

	    rv = NSS_CMSEnvelopedData_Encode_BeforeStart(cinfo->content.envelopedData);

	    break;

	case SEC_OID_PKCS7_DIGESTED_DATA:

	    rv = NSS_CMSDigestedData_Encode_BeforeStart(cinfo->content.digestedData);

	    break;

	case SEC_OID_PKCS7_ENCRYPTED_DATA:

	    rv = NSS_CMSEncryptedData_Encode_BeforeStart(cinfo->content.encryptedData);

	    break;

	default:

	    rv = NSS_CMSGenericWrapperData_Encode_BeforeStart(childp7ecx->type, cinfo->content.genericData);

	    break;

	}

	if (rv != SECSuccess)

	    goto loser;

	/*

	 * Initialize the BER encoder.

	 */

	childp7ecx->ecx = SEC_ASN1EncoderStart(cinfo->content.pointer, template,

					   nss_cms_encoder_out, &(childp7ecx->output));

	if (childp7ecx->ecx == NULL)

	    goto loser;

	/*

	 * Indicate that we are streaming.  We will be streaming until we

	 * get past the contents bytes.

	 */

        if (!cinfo->privateInfo || !cinfo->privateInfo->dontStream)

	    SEC_ASN1EncoderSetStreaming(childp7ecx->ecx);

	/*

	 * The notify function will watch for the contents field.

	 */

	p7ecx->childp7ecx = childp7ecx;

	SEC_ASN1EncoderSetNotifyProc(childp7ecx->ecx, nss_cms_encoder_notify, childp7ecx);

	/* please note that we are NOT calling SEC_ASN1EncoderUpdate here to kick off the */

	/* encoding process - we'll do that from the update function instead */

	/* otherwise we'd be encoding data from a call of the notify function of the */

	/* parent encoder (which would not work) */

    } else if (NSS_CMSType_IsData(childtype)) {

	p7ecx->childp7ecx = NULL;

    } else {

	/* we do not know this type */

	p7ecx->error = SEC_ERROR_BAD_DER;

    }

    return SECSuccess;

loser:

    if (childp7ecx) {

	if (childp7ecx->ecx)

	    SEC_ASN1EncoderFinish(childp7ecx->ecx);

	PORT_Free(childp7ecx);

	p7ecx->childp7ecx = NULL;

    }

    return SECFailure;

}

static SECStatus

nss_cms_after_data(NSSCMSEncoderContext *p7ecx)

{

    SECStatus rv = SECFailure;

    switch (p7ecx->type) {

    case SEC_OID_PKCS7_SIGNED_DATA:

	/* this will finish the digests and sign */

	rv = NSS_CMSSignedData_Encode_AfterData(p7ecx->content.signedData);

	break;

    case SEC_OID_PKCS7_ENVELOPED_DATA:

	rv = NSS_CMSEnvelopedData_Encode_AfterData(p7ecx->content.envelopedData);

	break;

    case SEC_OID_PKCS7_DIGESTED_DATA:

	rv = NSS_CMSDigestedData_Encode_AfterData(p7ecx->content.digestedData);

	break;

    case SEC_OID_PKCS7_ENCRYPTED_DATA:

	rv = NSS_CMSEncryptedData_Encode_AfterData(p7ecx->content.encryptedData);

	break;

    default:

        if (NSS_CMSType_IsWrapper(p7ecx->type)) {

	    rv = NSS_CMSGenericWrapperData_Encode_AfterData(p7ecx->type, p7ecx->content.genericData);

	} else {

	    rv = SECFailure;

	}

	break;

    }

    return rv;

}

/*

 * nss_cms_encoder_work_data - process incoming data

 *

 * (from the user or the next encoding layer)

 * Here, we need to digest and/or encrypt, then pass it on

 */

static SECStatus

nss_cms_encoder_work_data(NSSCMSEncoderContext *p7ecx, SECItem *dest,

			     const unsigned char *data, unsigned long len,

			     PRBool final, PRBool innermost)

{

    unsigned char *buf = NULL;

    SECStatus rv;

    NSSCMSContentInfo *cinfo;

    rv = SECSuccess;		/* may as well be optimistic */

    /*

     * We should really have data to process, or we should be trying

     * to finish/flush the last block.  (This is an overly paranoid

     * check since all callers are in this file and simple inspection

     * proves they do it right.  But it could find a bug in future

     * modifications/development, that is why it is here.)

     */

    PORT_Assert ((data != NULL && len) || final);

    /* we got data (either from the caller, or from a lower level encoder) */

    cinfo = NSS_CMSContent_GetContentInfo(p7ecx->content.pointer, p7ecx->type);

    if (!cinfo) {

	/* The original programmer didn't expect this to happen */

	p7ecx->error = SEC_ERROR_LIBRARY_FAILURE;

	return SECFailure;

    }

    /* Update the running digest. */

    if (len && cinfo->privateInfo && cinfo->privateInfo->digcx != NULL)

	NSS_CMSDigestContext_Update(cinfo->privateInfo->digcx, data, len);

    /* Encrypt this chunk. */

    if (cinfo->privateInfo && cinfo->privateInfo->ciphcx != NULL) {

	unsigned int inlen;	/* length of data being encrypted */

	unsigned int outlen;	/* length of encrypted data */

	unsigned int buflen;	/* length available for encrypted data */

	inlen = len;

	buflen = NSS_CMSCipherContext_EncryptLength(cinfo->privateInfo->ciphcx, inlen, final);

	if (buflen == 0) {

	    /*

	     * No output is expected, but the input data may be buffered

	     * so we still have to call Encrypt.

	     */

	    rv = NSS_CMSCipherContext_Encrypt(cinfo->privateInfo->ciphcx, NULL, NULL, 0,

				   data, inlen, final);

	    if (final) {

		len = 0;

		goto done;

	    }

	    return rv;

	}

	if (dest != NULL)

	    buf = (unsigned char*)PORT_ArenaAlloc(p7ecx->cmsg->poolp, buflen);

	else

	    buf = (unsigned char*)PORT_Alloc(buflen);

	if (buf == NULL) {

	    rv = SECFailure;

	} else {

	    rv = NSS_CMSCipherContext_Encrypt(cinfo->privateInfo->ciphcx, buf, &outlen, buflen,

				   data, inlen, final);

	    data = buf;

	    len = outlen;

	}

	if (rv != SECSuccess)

	    /* encryption or malloc failed? */

	    return rv;

    }

    /*

     * at this point (data,len) has everything we'd like to give to the CURRENT encoder

     * (which will encode it, then hand it back to the user or the parent encoder)

     * We don't encode the data if we're innermost and we're told not to include the data

     */

    if (p7ecx->ecx != NULL && len && (!innermost || cinfo->rawContent != cinfo->content.pointer))

	rv = SEC_ASN1EncoderUpdate(p7ecx->ecx, (const char *)data, len);

done:

    if (cinfo->privateInfo && cinfo->privateInfo->ciphcx != NULL) {

	if (dest != NULL) {

	    dest->data = buf;

	    dest->len = len;

	} else if (buf != NULL) {

	    PORT_Free (buf);

	}

    }

    return rv;

}

/*

 * nss_cms_encoder_update - deliver encoded data to the next higher level

 *

 * no recursion here because we REALLY want to end up at the next higher encoder!

 */

static SECStatus

nss_cms_encoder_update(NSSCMSEncoderContext *p7ecx, const char *data, unsigned long len)

{

    /* XXX Error handling needs help.  Return what?  Do "Finish" on failure? */

    return nss_cms_encoder_work_data (p7ecx, NULL, (const unsigned char *)data, len, PR_FALSE, PR_FALSE);

}

/*

 * NSS_CMSEncoder_Start - set up encoding of a CMS message

 *

 * "cmsg" - message to encode

 * "outputfn", "outputarg" - callback function for delivery of DER-encoded output

 *                           will not be called if NULL.

 * "dest" - if non-NULL, pointer to SECItem that will hold the DER-encoded output

 * "destpoolp" - pool to allocate DER-encoded output in

 * "pwfn", pwfn_arg" - callback function for getting token password

 * "decrypt_key_cb", "decrypt_key_cb_arg" - callback function for getting bulk key for encryptedData

 * "detached_digestalgs", "detached_digests" - digests from detached content

 */

NSSCMSEncoderContext *

NSS_CMSEncoder_Start(NSSCMSMessage *cmsg,

			NSSCMSContentCallback outputfn, void *outputarg,

			SECItem *dest, PLArenaPool *destpoolp,

			PK11PasswordFunc pwfn, void *pwfn_arg,

			NSSCMSGetDecryptKeyCallback decrypt_key_cb, void *decrypt_key_cb_arg,

			SECAlgorithmID **detached_digestalgs, SECItem **detached_digests)

{

    NSSCMSEncoderContext *p7ecx;

    SECStatus rv;

    NSSCMSContentInfo *cinfo;

    SECOidTag tag;

    NSS_CMSMessage_SetEncodingParams(cmsg, pwfn, pwfn_arg, decrypt_key_cb, decrypt_key_cb_arg,

					detached_digestalgs, detached_digests);

    p7ecx = (NSSCMSEncoderContext *)PORT_ZAlloc(sizeof(NSSCMSEncoderContext));

    if (p7ecx == NULL) {

	PORT_SetError(SEC_ERROR_NO_MEMORY);

	return NULL;

    }

    p7ecx->cmsg = cmsg;

    p7ecx->output.outputfn = outputfn;

    p7ecx->output.outputarg = outputarg;

    p7ecx->output.dest = dest;

    p7ecx->output.destpoolp = destpoolp;

    p7ecx->type = SEC_OID_UNKNOWN;

    cinfo = NSS_CMSMessage_GetContentInfo(cmsg);

    tag = NSS_CMSContentInfo_GetContentTypeTag(cinfo);

    switch (tag) {

    case SEC_OID_PKCS7_SIGNED_DATA:

	rv = NSS_CMSSignedData_Encode_BeforeStart(cinfo->content.signedData);

	break;

    case SEC_OID_PKCS7_ENVELOPED_DATA:

	rv = NSS_CMSEnvelopedData_Encode_BeforeStart(cinfo->content.envelopedData);

	break;

    case SEC_OID_PKCS7_DIGESTED_DATA:

	rv = NSS_CMSDigestedData_Encode_BeforeStart(cinfo->content.digestedData);

	break;

    case SEC_OID_PKCS7_ENCRYPTED_DATA:

	rv = NSS_CMSEncryptedData_Encode_BeforeStart(cinfo->content.encryptedData);

	break;

    default:

        if (NSS_CMSType_IsWrapper(tag)) {

	    rv = NSS_CMSGenericWrapperData_Encode_BeforeStart(tag, 

						p7ecx->content.genericData);

	} else {

	    rv = SECFailure;

	}

	break;

    }

    if (rv != SECSuccess) {

	PORT_Free(p7ecx);

	return NULL;

    }

    /* Initialize the BER encoder.

     * Note that this will not encode anything until the first call to SEC_ASN1EncoderUpdate */

    p7ecx->ecx = SEC_ASN1EncoderStart(cmsg, NSSCMSMessageTemplate,

				       nss_cms_encoder_out, &(p7ecx->output));

    if (p7ecx->ecx == NULL) {

	PORT_Free (p7ecx);

	return NULL;

    }

    p7ecx->ecxupdated = PR_FALSE;

    /*

     * Indicate that we are streaming.  We will be streaming until we

     * get past the contents bytes.

     */

    if (!cinfo->privateInfo || !cinfo->privateInfo->dontStream)

	SEC_ASN1EncoderSetStreaming(p7ecx->ecx);

    /*

     * The notify function will watch for the contents field.

     */

    SEC_ASN1EncoderSetNotifyProc(p7ecx->ecx, nss_cms_encoder_notify, p7ecx);

    /* this will kick off the encoding process & encode everything up to the content bytes,

     * at which point the notify function sets streaming mode (and possibly creates

     * a child encoder). */

    p7ecx->ecxupdated = PR_TRUE;

    if (SEC_ASN1EncoderUpdate(p7ecx->ecx, NULL, 0) != SECSuccess) {

	PORT_Free (p7ecx);

	return NULL;

    }

    return p7ecx;

}

/*

 * NSS_CMSEncoder_Update - take content data delivery from the user

 *

 * "p7ecx" - encoder context

 * "data" - content data

 * "len" - length of content data

 *

 * need to find the lowest level (and call SEC_ASN1EncoderUpdate on the way down),

 * then hand the data to the work_data fn

 */

SECStatus

NSS_CMSEncoder_Update(NSSCMSEncoderContext *p7ecx, const char *data, unsigned long len)

{

    SECStatus rv;

    NSSCMSContentInfo *cinfo;

    SECOidTag childtype;

    if (p7ecx->error)

	return SECFailure;

    /* hand data to the innermost decoder */

    if (p7ecx->childp7ecx) {

	/* tell the child to start encoding, up to its first data byte, if it

	 * hasn't started yet */

	if (!p7ecx->childp7ecx->ecxupdated) {

	    p7ecx->childp7ecx->ecxupdated = PR_TRUE;

	    if (SEC_ASN1EncoderUpdate(p7ecx->childp7ecx->ecx, NULL, 0) != SECSuccess)

	        return SECFailure;

	}

	/* recursion here */

	rv = NSS_CMSEncoder_Update(p7ecx->childp7ecx, data, len);

    } else {

	/* we are at innermost decoder */

	/* find out about our inner content type - must be data */

	cinfo = NSS_CMSContent_GetContentInfo(p7ecx->content.pointer, p7ecx->type);

	if (!cinfo) {

	    /* The original programmer didn't expect this to happen */

	    p7ecx->error = SEC_ERROR_LIBRARY_FAILURE;

	    return SECFailure;

	}

	childtype = NSS_CMSContentInfo_GetContentTypeTag(cinfo);

	if (!NSS_CMSType_IsData(childtype))

	    return SECFailure;

	/* and we must not have preset data */

	if (cinfo->content.data != NULL)

	    return SECFailure;

	/*  hand it the data so it can encode it (let DER trickle up the chain) */

	rv = nss_cms_encoder_work_data(p7ecx, NULL, (const unsigned char *)data, len, PR_FALSE, PR_TRUE);

    }

    return rv;

}

/*

 * NSS_CMSEncoder_Cancel - stop all encoding

 *

 * we need to walk down the chain of encoders and the finish them from the innermost out

 */

SECStatus

NSS_CMSEncoder_Cancel(NSSCMSEncoderContext *p7ecx)

{

    SECStatus rv = SECFailure;

    /* XXX do this right! */

    /*

     * Finish any inner decoders before us so that all the encoded data is flushed

     * This basically finishes all the decoders from the innermost to the outermost.

     * Finishing an inner decoder may result in data being updated to the outer decoder

     * while we are already in NSS_CMSEncoder_Finish, but that's allright.

     */

    if (p7ecx->childp7ecx) {

	rv = NSS_CMSEncoder_Cancel(p7ecx->childp7ecx); /* frees p7ecx->childp7ecx */

	/* remember rv for now */

    }

    /*

     * On the way back up, there will be no more data (if we had an

     * inner encoder, it is done now!)

     * Flush out any remaining data and/or finish digests.

     */

    rv = nss_cms_encoder_work_data(p7ecx, NULL, NULL, 0, PR_TRUE, (p7ecx->childp7ecx == NULL));

    if (rv != SECSuccess)

	goto loser;

    p7ecx->childp7ecx = NULL;

    /* kick the encoder back into working mode again.

     * We turn off streaming stuff (which will cause the encoder to continue

     * encoding happily, now that we have all the data (like digests) ready for it).

     */

    SEC_ASN1EncoderClearTakeFromBuf(p7ecx->ecx);

    SEC_ASN1EncoderClearStreaming(p7ecx->ecx);

    /* now that TakeFromBuf is off, this will kick this encoder to finish encoding */

    rv = SEC_ASN1EncoderUpdate(p7ecx->ecx, NULL, 0);

loser:

    SEC_ASN1EncoderFinish(p7ecx->ecx);

    PORT_Free (p7ecx);

    return rv;

}

/*

 * NSS_CMSEncoder_Finish - signal the end of data

 *

 * we need to walk down the chain of encoders and the finish them from the innermost out

 */

SECStatus

NSS_CMSEncoder_Finish(NSSCMSEncoderContext *p7ecx)

{

    SECStatus rv = SECFailure;

    NSSCMSContentInfo *cinfo;

    /*

     * Finish any inner decoders before us so that all the encoded data is flushed

     * This basically finishes all the decoders from the innermost to the outermost.

     * Finishing an inner decoder may result in data being updated to the outer decoder

     * while we are already in NSS_CMSEncoder_Finish, but that's allright.

     */

    if (p7ecx->childp7ecx) {

	/* tell the child to start encoding, up to its first data byte, if it

	 * hasn't yet */

	if (!p7ecx->childp7ecx->ecxupdated) {

	    p7ecx->childp7ecx->ecxupdated = PR_TRUE;

	    rv = SEC_ASN1EncoderUpdate(p7ecx->childp7ecx->ecx, NULL, 0);

	    if (rv != SECSuccess) {

		NSS_CMSEncoder_Finish(p7ecx->childp7ecx); /* frees p7ecx->childp7ecx */

		goto loser;

	    }

	}

	rv = NSS_CMSEncoder_Finish(p7ecx->childp7ecx); /* frees p7ecx->childp7ecx */

	if (rv != SECSuccess)

	    goto loser;

    }

    /*

     * On the way back up, there will be no more data (if we had an

     * inner encoder, it is done now!)

     * Flush out any remaining data and/or finish digests.

     */

    rv = nss_cms_encoder_work_data(p7ecx, NULL, NULL, 0, PR_TRUE, (p7ecx->childp7ecx == NULL));

    if (rv != SECSuccess)

	goto loser;

    p7ecx->childp7ecx = NULL;

    cinfo = NSS_CMSContent_GetContentInfo(p7ecx->content.pointer, p7ecx->type);

    if (!cinfo) {

	/* The original programmer didn't expect this to happen */

	p7ecx->error = SEC_ERROR_LIBRARY_FAILURE;

	rv = SECFailure;

	goto loser;

    }

    SEC_ASN1EncoderClearTakeFromBuf(p7ecx->ecx);

    SEC_ASN1EncoderClearStreaming(p7ecx->ecx);

    /* now that TakeFromBuf is off, this will kick this encoder to finish encoding */

    rv = SEC_ASN1EncoderUpdate(p7ecx->ecx, NULL, 0);

    if (p7ecx->error)

	rv = SECFailure;

loser:

    SEC_ASN1EncoderFinish(p7ecx->ecx);

    PORT_Free (p7ecx);

    return rv;

}