VirtualBox

source: vbox/trunk/include/iprt/crypto/pkcs7.h@ 54403

Last change on this file since 54403 was 52600, checked in by vboxsync, 10 years ago

IPRT: Added support for microsoft timestamp counter signatures. This required making the PKCS #7 code accept some of the CMS (RFC-5652) stuff.

  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
File size: 23.2 KB
Line 
1/** @file
2 * IPRT - PKCS \#7, Cryptographic Message Syntax Standard (aka CMS).
3 */
4
5/*
6 * Copyright (C) 2006-2014 Oracle Corporation
7 *
8 * This file is part of VirtualBox Open Source Edition (OSE), as
9 * available from http://www.virtualbox.org. This file is free software;
10 * you can redistribute it and/or modify it under the terms of the GNU
11 * General Public License (GPL) as published by the Free Software
12 * Foundation, in version 2 as it comes in the "COPYING" file of the
13 * VirtualBox OSE distribution. VirtualBox OSE is distributed in the
14 * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
15 *
16 * The contents of this file may alternatively be used under the terms
17 * of the Common Development and Distribution License Version 1.0
18 * (CDDL) only, as it comes in the "COPYING.CDDL" file of the
19 * VirtualBox OSE distribution, in which case the provisions of the
20 * CDDL are applicable instead of those of the GPL.
21 *
22 * You may elect to license modified versions of this file under the
23 * terms and conditions of either the GPL or the CDDL or both.
24 */
25
26#ifndef ___iprt_crypto_pkcs7_h
27#define ___iprt_crypto_pkcs7_h
28
29#include <iprt/asn1.h>
30#include <iprt/crypto/x509.h>
31
32
33RT_C_DECLS_BEGIN
34
35/** @defgroup grp_rt_crpkcs7 RTCrPkcs7 - PKCS \#7, Cryptographic Message Syntax Standard (aka CMS).
36 * @ingroup grp_rt_crypto
37 * @{
38 */
39
40
41/**
42 * PKCS \#7 IssuerAndSerialNumber (IPRT representation).
43 */
44typedef struct RTCRPKCS7ISSUERANDSERIALNUMBER
45{
46 /** Sequence core. */
47 RTASN1SEQUENCECORE SeqCore;
48 /** The certificate name. */
49 RTCRX509NAME Name;
50 /** The certificate serial number. */
51 RTASN1INTEGER SerialNumber;
52} RTCRPKCS7ISSUERANDSERIALNUMBER;
53/** Pointer to the IPRT representation of a PKCS \#7 IssuerAndSerialNumber. */
54typedef RTCRPKCS7ISSUERANDSERIALNUMBER *PRTCRPKCS7ISSUERANDSERIALNUMBER;
55/** Pointer to the const IPRT representation of a PKCS \#7
56 * IssuerAndSerialNumber. */
57typedef RTCRPKCS7ISSUERANDSERIALNUMBER const *PCRTCRPKCS7ISSUERANDSERIALNUMBER;
58RTASN1TYPE_STANDARD_PROTOTYPES(RTCRPKCS7ISSUERANDSERIALNUMBER, RTDECL, RTCrPkcs7IssuerAndSerialNumber, SeqCore.Asn1Core);
59
60
61/** Pointer to the IPRT representation of a PKCS \#7 SignerInfo. */
62typedef struct RTCRPKCS7SIGNERINFO *PRTCRPKCS7SIGNERINFO;
63/** Pointer to the const IPRT representation of a PKCS \#7 SignerInfo. */
64typedef struct RTCRPKCS7SIGNERINFO const *PCRTCRPKCS7SIGNERINFO;
65RTASN1_IMPL_GEN_SET_OF_TYPEDEFS_AND_PROTOS(RTCRPKCS7SIGNERINFOS, RTCRPKCS7SIGNERINFO, RTDECL, RTCrPkcs7SignerInfos);
66
67
68/**
69 * Attribute value type (for the union).
70 */
71typedef enum RTCRPKCS7ATTRIBUTETYPE
72{
73 /** Zero is invalid. */
74 RTCRPKCS7ATTRIBUTETYPE_INVALID = 0,
75 /** Not present, union is NULL. */
76 RTCRPKCS7ATTRIBUTETYPE_NOT_PRESENT,
77 /** Unknown values, pCores. */
78 RTCRPKCS7ATTRIBUTETYPE_UNKNOWN,
79 /** Object IDs, use pObjIds. */
80 RTCRPKCS7ATTRIBUTETYPE_OBJ_IDS,
81 /** Octet strings, use pOctetStrings. */
82 RTCRPKCS7ATTRIBUTETYPE_OCTET_STRINGS,
83 /** Counter signatures (PKCS \#9), use pCounterSignatures. */
84 RTCRPKCS7ATTRIBUTETYPE_COUNTER_SIGNATURES,
85 /** Signing time (PKCS \#9), use pSigningTime. */
86 RTCRPKCS7ATTRIBUTETYPE_SIGNING_TIME,
87 /** Microsoft timestamp info (RFC-3161) signed data, use pContentInfo. */
88 RTCRPKCS7ATTRIBUTETYPE_MS_TIMESTAMP,
89 /** Blow the type up to 32-bits. */
90 RTCRPKCS7ATTRIBUTETYPE_32BIT_HACK = 0x7fffffff
91} RTCRPKCS7ATTRIBUTETYPE;
92
93/**
94 * PKCS \#7 Attribute (IPRT representation).
95 */
96typedef struct RTCRPKCS7ATTRIBUTE
97{
98 /** Sequence core. */
99 RTASN1SEQUENCECORE SeqCore;
100 /** The attribute type (object ID). */
101 RTASN1OBJID Type;
102 /** The type of data found in the values union. */
103 RTCRPKCS7ATTRIBUTETYPE enmType;
104 /** Value allocation. */
105 RTASN1ALLOCATION Allocation;
106 /** Values. */
107 union
108 {
109 /** ASN.1 cores (RTCRPKCS7ATTRIBUTETYPE_UNKNOWN). */
110 PRTASN1SETOFCORES pCores;
111 /** ASN.1 object identifiers (RTCRPKCS7ATTRIBUTETYPE_OBJ_IDS). */
112 PRTASN1SETOFOBJIDS pObjIds;
113 /** ASN.1 octet strings (RTCRPKCS7ATTRIBUTETYPE_OCTET_STRINGS). */
114 PRTASN1SETOFOCTETSTRINGS pOctetStrings;
115 /** Counter signatures RTCRPKCS7ATTRIBUTETYPE_COUNTER_SIGNATURES(). */
116 PRTCRPKCS7SIGNERINFOS pCounterSignatures;
117 /** Signing time(s) (RTCRPKCS7ATTRIBUTETYPE_SIGNING_TIME). */
118 PRTASN1SETOFTIMES pSigningTime;
119 /** Microsoft timestamp (RFC-3161 signed data). */
120 struct RTCRPKCS7SETOFCONTENTINFOS *pContentInfos;
121 } uValues;
122} RTCRPKCS7ATTRIBUTE;
123/** Pointer to the IPRT representation of a PKCS \#7 Attribute. */
124typedef RTCRPKCS7ATTRIBUTE *PRTCRPKCS7ATTRIBUTE;
125/** Pointer to the const IPRT representation of a PKCS \#7 Attribute. */
126typedef RTCRPKCS7ATTRIBUTE const *PCRTCRPKCS7ATTRIBUTE;
127RTASN1TYPE_STANDARD_PROTOTYPES(RTCRPKCS7ATTRIBUTE, RTDECL, RTCrPkcs7Attribute, SeqCore.Asn1Core);
128
129RTASN1_IMPL_GEN_SET_OF_TYPEDEFS_AND_PROTOS(RTCRPKCS7ATTRIBUTES, RTCRPKCS7ATTRIBUTE, RTDECL, RTCrPkcs7Attributes);
130
131
132/**
133 * One PKCS \#7 SignerInfo (IPRT representation).
134 */
135typedef struct RTCRPKCS7SIGNERINFO
136{
137 /** Sequence core. */
138 RTASN1SEQUENCECORE SeqCore;
139 /** The structure version (RTCRPKCS7SIGNERINFO_V1). */
140 RTASN1INTEGER Version;
141 /** The issuer and serial number of the certificate used to produce the
142 * encrypted digest below. */
143 RTCRPKCS7ISSUERANDSERIALNUMBER IssuerAndSerialNumber;
144 /** The digest algorithm use to digest the signed content. */
145 RTCRX509ALGORITHMIDENTIFIER DigestAlgorithm;
146 /** Authenticated attributes, optional [0].
147 * @todo Check how other producers formats this. The microsoft one does not
148 * have explicit tags, but combines it with the SET OF. */
149 RTCRPKCS7ATTRIBUTES AuthenticatedAttributes;
150 /** The digest encryption algorithm use to encrypt the digest of the signed
151 * content. */
152 RTCRX509ALGORITHMIDENTIFIER DigestEncryptionAlgorithm;
153 /** The encrypted digest. */
154 RTASN1OCTETSTRING EncryptedDigest;
155 /** Unauthenticated attributes, optional [1].
156 * @todo Check how other producers formats this. The microsoft one does not
157 * have explicit tags, but combines it with the SET OF. */
158 RTCRPKCS7ATTRIBUTES UnauthenticatedAttributes;
159} RTCRPKCS7SIGNERINFO;
160RTASN1TYPE_STANDARD_PROTOTYPES(RTCRPKCS7SIGNERINFO, RTDECL, RTCrPkcs7SignerInfo, SeqCore.Asn1Core);
161
162/** RTCRPKCS7SIGNERINFO::Version value. */
163#define RTCRPKCS7SIGNERINFO_V1 1
164
165/** @name PKCS \#9 Attribute IDs
166 * @{ */
167/** Content type (RFC-2630 11.1).
168 * Value: Object Identifier */
169#define RTCR_PKCS9_ID_CONTENT_TYPE_OID "1.2.840.113549.1.9.3"
170/** Message digest (RFC-2630 11.2).
171 * Value: Octet string. */
172#define RTCR_PKCS9_ID_MESSAGE_DIGEST_OID "1.2.840.113549.1.9.4"
173/** Signing time (RFC-2630 11.3).
174 * Value: Octet string. */
175#define RTCR_PKCS9_ID_SIGNING_TIME_OID "1.2.840.113549.1.9.5"
176/** Counter signature (RFC-2630 11.4).
177 * Value: SignerInfo. */
178#define RTCR_PKCS9_ID_COUNTER_SIGNATURE_OID "1.2.840.113549.1.9.6"
179/** Microsoft timestamp (RTF-3161) counter signature (SignedData).
180 * @remarks This isn't defined by PKCS \#9, but lumped in here for
181 * convenience. It's actually listed as SPC by MS. */
182#define RTCR_PKCS9_ID_MS_TIMESTAMP "1.3.6.1.4.1.311.3.3.1"
183/** @} */
184
185
186/**
187 * Get the (next) signing time attribute from the specfied SignerInfo or one of
188 * the immediate counter signatures.
189 *
190 * @returns Pointer to the signing time if found, NULL if not.
191 * @param pThis The SignerInfo to search.
192 * @param ppSignerInfo Pointer to variable keeping track of the
193 * enumeration, optional.
194 *
195 * If specified the input value is taken to the be
196 * SignerInfo of the previously returned signing
197 * time. The value pointed to is NULL, the
198 * search/enum restarts.
199 *
200 * On successful return this is set to the
201 * SignerInfo which we found the signing time in.
202 */
203RTDECL(PCRTASN1TIME) RTCrPkcs7SignerInfo_GetSigningTime(PCRTCRPKCS7SIGNERINFO pThis, PCRTCRPKCS7SIGNERINFO *ppSignerInfo);
204
205
206/**
207 * Get the (first) timestamp from within a Microsoft timestamp server counter
208 * signature.
209 *
210 * @returns Pointer to the signing time if found, NULL if not.
211 * @param pThis The SignerInfo to search.
212 * @param ppContentInfo Where to return the pointer to the counter
213 * signature, optional.
214 */
215RTDECL(PCRTASN1TIME) RTCrPkcs7SignerInfo_GetMsTimestamp(PCRTCRPKCS7SIGNERINFO pThis,
216 struct RTCRPKCS7CONTENTINFO const **ppContentInfo);
217
218
219
220/**
221 * PKCS \#7 ContentInfo (IPRT representation).
222 */
223typedef struct RTCRPKCS7CONTENTINFO
224{
225 /** Sequence core. */
226 RTASN1SEQUENCECORE SeqCore;
227 /** Object ID identifying the content below. */
228 RTASN1OBJID ContentType;
229 /** Content, optional, explicit tag 0.
230 *
231 * Hack alert! This should've been an explict context tag 0 structure with a
232 * type selected according to ContentType. However, it's simpler to replace the
233 * explicit context with an OCTET STRING with implict tag 0. Then we can tag
234 * along on the encapsulation logic RTASN1OCTETSTRING provides for the dynamic
235 * inner type. The default decoder code will detect known structures as
236 * outlined in the union below, and decode the octet string content as an
237 * anonymous RTASN1CORE if not known.
238 *
239 * If the user want to decode the octet string content differently, it can do so
240 * by destroying and freeing the current encapsulated pointer, replacing it with
241 * it's own. (Of course following the RTASN1OCTETSTRING rules.) Just remember
242 * to also update the value in the union.
243 *
244 * @remarks What's signed and verified is Content.pEncapsulated->uData.pv.
245 */
246 RTASN1OCTETSTRING Content;
247 /** Pointer to the CMS octet string that's inside the Content, NULL if PKCS \#7.
248 *
249 * Hack alert! When transitioning from PKCS \#7 to CMS, the designers decided to
250 * change things and add another wrapper. This time we're talking about a real
251 * octet string, not like the one above which is really an explicit content tag.
252 * When constructing or decoding CMS content, this will be the same pointer as
253 * Content.pEncapsulated, while the union below will be holding the same pointer
254 * as pCmsContent->pEncapsulated.
255 */
256 PRTASN1OCTETSTRING pCmsContent;
257 /** Same as Content.pEncapsulated, except a choice of known types. */
258 union
259 {
260 /** ContentType is RTCRPKCS7SIGNEDDATA_OID. */
261 struct RTCRPKCS7SIGNEDDATA *pSignedData;
262 /** ContentType is RTCRSPCINDIRECTDATACONTENT_OID. */
263 struct RTCRSPCINDIRECTDATACONTENT *pIndirectDataContent;
264 /** ContentType is RTCRTSPTSTINFO_OID. */
265 struct RTCRTSPTSTINFO *pTstInfo;
266 /** Generic / Unknown / User. */
267 PRTASN1CORE pCore;
268 } u;
269} RTCRPKCS7CONTENTINFO;
270/** Pointer to the IPRT representation of a PKCS \#7 ContentInfo. */
271typedef RTCRPKCS7CONTENTINFO *PRTCRPKCS7CONTENTINFO;
272/** Pointer to the const IPRT representation of a PKCS \#7 ContentInfo. */
273typedef RTCRPKCS7CONTENTINFO const *PCRTCRPKCS7CONTENTINFO;
274RTASN1TYPE_STANDARD_PROTOTYPES(RTCRPKCS7CONTENTINFO, RTDECL, RTCrPkcs7ContentInfo, SeqCore.Asn1Core);
275RTASN1_IMPL_GEN_SET_OF_TYPEDEFS_AND_PROTOS(RTCRPKCS7SETOFCONTENTINFOS, RTCRPKCS7CONTENTINFO, RTDECL, RTCrPkcs7SetOfContentInfos);
276
277RTDECL(bool) RTCrPkcs7ContentInfo_IsSignedData(PCRTCRPKCS7CONTENTINFO pThis);
278
279
280/**
281 * PKCS \#7 Certificate choice.
282 */
283typedef enum RTCRPKCS7CERTCHOICE
284{
285 RTCRPKCS7CERTCHOICE_INVALID = 0,
286 RTCRPKCS7CERTCHOICE_X509,
287 RTCRPKCS7CERTCHOICE_EXTENDED_PKCS6,
288 RTCRPKCS7CERTCHOICE_AC_V1,
289 RTCRPKCS7CERTCHOICE_AC_V2,
290 RTCRPKCS7CERTCHOICE_OTHER,
291 RTCRPKCS7CERTCHOICE_END,
292 RTCRPKCS7CERTCHOICE_32BIT_HACK = 0x7fffffff
293} RTCRPKCS7CERTCHOICE;
294
295
296/**
297 * Common representation for PKCS \#7 ExtendedCertificateOrCertificate and the
298 * CMS CertificateChoices types.
299 */
300typedef struct RTCRPKCS7CERT
301{
302 /** Dummy ASN.1 record, not encoded. */
303 RTASN1DUMMY Dummy;
304 /** The value allocation. */
305 RTASN1ALLOCATION Allocation;
306 /** The choice of value. */
307 RTCRPKCS7CERTCHOICE enmChoice;
308 /** The value union. */
309 union
310 {
311 /** Standard X.509 certificate (RTCRCMSCERTIFICATECHOICE_X509). */
312 PRTCRX509CERTIFICATE pX509Cert;
313 /** Extended PKCS \#6 certificate (RTCRCMSCERTIFICATECHOICE_EXTENDED_PKCS6). */
314 PRTASN1CORE pExtendedCert;
315 /** Attribute certificate version 1 (RTCRCMSCERTIFICATECHOICE_AC_V1). */
316 PRTASN1CORE pAcV1;
317 /** Attribute certificate version 2 (RTCRCMSCERTIFICATECHOICE_AC_V2). */
318 PRTASN1CORE pAcV2;
319 /** Other certificate (RTCRCMSCERTIFICATECHOICE_OTHER). */
320 PRTASN1CORE pOtherCert;
321 } u;
322} RTCRPKCS7CERT;
323/** Pointer to the IPRT representation of PKCS \#7 or CMS certificate. */
324typedef RTCRPKCS7CERT *PRTCRPKCS7CERT;
325/** Pointer to the const IPRT representation of PKCS \#7 or CMS certificate. */
326typedef RTCRPKCS7CERT const *PCRTCRPKCS7CERT;
327RTASN1TYPE_STANDARD_PROTOTYPES(RTCRPKCS7CERT, RTDECL, RTCrPkcs7Cert, Dummy.Asn1Core);
328RTASN1_IMPL_GEN_SET_OF_TYPEDEFS_AND_PROTOS(RTCRPKCS7SETOFCERTS, RTCRPKCS7CERT, RTDECL, RTCrPkcs7SetOfCerts);
329
330RTDECL(PCRTCRX509CERTIFICATE) RTCrPkcs7SetOfCerts_FindX509ByIssuerAndSerialNumber(PCRTCRPKCS7SETOFCERTS pCertificates,
331 PCRTCRX509NAME pIssuer,
332 PCRTASN1INTEGER pSerialNumber);
333
334
335/**
336 * PKCS \#7 SignedData (IPRT representation).
337 */
338typedef struct RTCRPKCS7SIGNEDDATA
339{
340 /** Sequence core. */
341 RTASN1SEQUENCECORE SeqCore;
342 /** The structure version value (1). */
343 RTASN1INTEGER Version;
344 /** The digest algorithms that are used to signed the content (ContentInfo). */
345 RTCRX509ALGORITHMIDENTIFIERS DigestAlgorithms;
346 /** The content that's being signed. */
347 RTCRPKCS7CONTENTINFO ContentInfo;
348 /** Certificates, optional, implicit tag 0. (Required by Authenticode.) */
349 RTCRPKCS7SETOFCERTS Certificates;
350 /** Certificate revocation lists, optional, implicit tag 1.
351 * Not used by Authenticode, so currently stubbed. */
352 RTASN1CORE Crls;
353 /** Signer infos. */
354 RTCRPKCS7SIGNERINFOS SignerInfos;
355} RTCRPKCS7SIGNEDDATA;
356/** Pointer to the IPRT representation of a PKCS \#7 SignedData. */
357typedef RTCRPKCS7SIGNEDDATA *PRTCRPKCS7SIGNEDDATA;
358/** Pointer to the const IPRT representation of a PKCS \#7 SignedData. */
359typedef RTCRPKCS7SIGNEDDATA const *PCRTCRPKCS7SIGNEDDATA;
360RTASN1TYPE_STANDARD_PROTOTYPES(RTCRPKCS7SIGNEDDATA, RTDECL, RTCrPkcs7SignedData, SeqCore.Asn1Core);
361RTASN1_IMPL_GEN_SET_OF_TYPEDEFS_AND_PROTOS(RTCRPKCS7SETOFSIGNEDDATA, RTCRPKCS7SIGNEDDATA, RTDECL, RTCrPkcs7SetOfSignedData);
362
363/** PKCS \#7 SignedData object ID. */
364#define RTCRPKCS7SIGNEDDATA_OID "1.2.840.113549.1.7.2"
365
366/** PKCS \#7 SignedData version number 1. */
367#define RTCRPKCS7SIGNEDDATA_V1 1
368/* No version 2 seems to exist. */
369/** CMS SignedData version number 3.
370 * This should only be used if there are version 1 attribute certificates
371 * present, or if there are version 3 SignerInfo items present, or if
372 * enmcCountInfo is not id-data (RFC-5652, section 5.1). */
373#define RTCRPKCS7SIGNEDDATA_V3 3
374/** CMS SignedData version number 4.
375 * This should only be used if there are version 2 attribute certificates
376 * present (RFC-5652, section 5.1). */
377#define RTCRPKCS7SIGNEDDATA_V4 4
378/** CMS SignedData version number 5.
379 * This should only be used if there are certificates or/and CRLs of the
380 * OTHER type present (RFC-5652, section 5.1). */
381#define RTCRPKCS7SIGNEDDATA_V5 5
382
383
384/** @name RTCRPKCS7SIGNEDDATA_SANITY_F_XXX - Flags for RTPkcs7SignedDataCheckSantiy.
385 * @{ */
386/** Check for authenticode restrictions. */
387#define RTCRPKCS7SIGNEDDATA_SANITY_F_AUTHENTICODE RT_BIT_32(0)
388/** Check that all the hash algorithms are known to IPRT. */
389#define RTCRPKCS7SIGNEDDATA_SANITY_F_ONLY_KNOWN_HASH RT_BIT_32(1)
390/** Require signing certificate to be present. */
391#define RTCRPKCS7SIGNEDDATA_SANITY_F_SIGNING_CERT_PRESENT RT_BIT_32(2)
392/** @} */
393
394
395/**
396 * PKCS \#7 DigestInfo (IPRT representation).
397 */
398typedef struct RTCRPKCS7DIGESTINFO
399{
400 /** Sequence core. */
401 RTASN1SEQUENCECORE SeqCore;
402 /** The digest algorithm use to digest the signed content. */
403 RTCRX509ALGORITHMIDENTIFIER DigestAlgorithm;
404 /** The digest. */
405 RTASN1OCTETSTRING Digest;
406} RTCRPKCS7DIGESTINFO;
407/** Pointer to the IPRT representation of a PKCS \#7 DigestInfo object. */
408typedef RTCRPKCS7DIGESTINFO *PRTCRPKCS7DIGESTINFO;
409/** Pointer to the const IPRT representation of a PKCS \#7 DigestInfo object. */
410typedef RTCRPKCS7DIGESTINFO const *PCRTCRPKCS7DIGESTINFO;
411RTASN1TYPE_STANDARD_PROTOTYPES(RTCRPKCS7DIGESTINFO, RTDECL, RTCrPkcs7DigestInfo, SeqCore.Asn1Core);
412
413
414/**
415 * Callback function for use with RTCrPkcs7VerifySignedData.
416 *
417 * @returns IPRT status code.
418 * @param pCert The certificate to verify.
419 * @param hCertPaths Unless the certificate is trusted directly, this
420 * is a reference to the certificate path builder
421 * and verifier instance that we used to establish
422 * at least valid trusted path to @a pCert. The
423 * callback can use this to enforce additional
424 * certificate lineage requirements, effective
425 * policy checks and whatnot.
426 * This is NIL_RTCRX509CERTPATHS if the certificate
427 * is directly trusted.
428 * @param fFlags Mix of the RTCRPKCS7VCC_F_XXX flags.
429 * @param pvUser The user argument.
430 * @param pErrInfo Optional error info buffer.
431 */
432typedef DECLCALLBACK(int) FNRTCRPKCS7VERIFYCERTCALLBACK(PCRTCRX509CERTIFICATE pCert, RTCRX509CERTPATHS hCertPaths,
433 uint32_t fFlags, void *pvUser, PRTERRINFO pErrInfo);
434/** Pointer to a FNRTCRPKCS7VERIFYCERTCALLBACK callback. */
435typedef FNRTCRPKCS7VERIFYCERTCALLBACK *PFNRTCRPKCS7VERIFYCERTCALLBACK;
436
437/** @name RTCRPKCS7VCC_F_XXX - Flags for FNRTCRPKCS7VERIFYCERTCALLBACK.
438 * @{ */
439/** Normal callback for a direct signatory of the signed data. */
440#define RTCRPKCS7VCC_F_SIGNED_DATA RT_BIT_32(0)
441/** Check that the signatory can be trusted for timestamps. */
442#define RTCRPKCS7VCC_F_TIMESTAMP RT_BIT_32(1)
443/** @} */
444
445/**
446 * @callback_method_impl{RTCRPKCS7VERIFYCERTCALLBACK,
447 * Default implementation that checks for the DigitalSignature KeyUsage bit.}
448 */
449RTDECL(int) RTCrPkcs7VerifyCertCallbackDefault(PCRTCRX509CERTIFICATE pCert, RTCRX509CERTPATHS hCertPaths, uint32_t fFlags,
450 void *pvUser, PRTERRINFO pErrInfo);
451
452/**
453 * @callback_method_impl{RTCRPKCS7VERIFYCERTCALLBACK,
454 * Standard code signing. Use this for Microsoft SPC.}
455 */
456RTDECL(int) RTCrPkcs7VerifyCertCallbackCodeSigning(PCRTCRX509CERTIFICATE pCert, RTCRX509CERTPATHS hCertPaths, uint32_t fFlags,
457 void *pvUser, PRTERRINFO pErrInfo);
458
459/**
460 * Verifies PKCS \#7 SignedData.
461 *
462 * For compatability with alternative crypto providers, the user must work on
463 * the top level PKCS \#7 structure instead directly on the SignedData.
464 *
465 * @returns IPRT status code.
466 * @param pContentInfo PKCS \#7 content info structure.
467 * @param fFlags RTCRPKCS7VERIFY_SD_F_XXX.
468 * @param hAdditionalCerts Store containing additional certificates to
469 * supplement those mentioned in the signed data.
470 * @param hTrustedCerts Store containing trusted certificates.
471 * @param pValidationTime The time we're supposed to validate the
472 * certificates chains at. Ignored for signatures
473 * with valid signing time attributes.
474 * @param pfnVerifyCert Callback for checking that a certificate used
475 * for signing the data is suitable.
476 * @param pvUser User argument for the callback.
477 * @param pErrInfo Optional error info buffer.
478 */
479RTDECL(int) RTCrPkcs7VerifySignedData(PCRTCRPKCS7CONTENTINFO pContentInfo, uint32_t fFlags,
480 RTCRSTORE hAdditionalCerts, RTCRSTORE hTrustedCerts,
481 PCRTTIMESPEC pValidationTime, PFNRTCRPKCS7VERIFYCERTCALLBACK pfnVerifyCert, void *pvUser,
482 PRTERRINFO pErrInfo);
483
484/** @name RTCRPKCS7VERIFY_SD_F_XXX - Flags for RTCrPkcs7VerifySignedData
485 * @{ */
486/** Always use the signing time attribute if present, requiring it to be
487 * verified as valid. The default behavior is to ignore unverifiable
488 * signing time attributes and use the @a pValidationTime instead. */
489#define RTCRPKCS7VERIFY_SD_F_ALWAYS_USE_SIGNING_TIME_IF_PRESENT RT_BIT_32(0)
490/** Same as RTCRPKCS7VERIFY_SD_F_ALWAYS_USE_SIGNING_TIME_IF_PRESENT for the MS
491 * timestamp counter sigantures. */
492#define RTCRPKCS7VERIFY_SD_F_ALWAYS_USE_MS_TIMESTAMP_IF_PRESENT RT_BIT_32(1)
493/** Only use signging time attributes from counter signatures. */
494#define RTCRPKCS7VERIFY_SD_F_COUNTER_SIGNATURE_SIGNING_TIME_ONLY RT_BIT_32(2)
495/** Don't validate the counter signature containing the signing time, just use
496 * it unverified. This is useful if we don't necessarily have the root
497 * certificates for the timestamp server handy, but use with great care.
498 * @sa RTCRPKCS7VERIFY_SD_F_USE_MS_TIMESTAMP_UNVERIFIED */
499#define RTCRPKCS7VERIFY_SD_F_USE_SIGNING_TIME_UNVERIFIED RT_BIT_32(3)
500/** Don't validate the MS counter signature containing the signing timestamp.
501 * @sa RTCRPKCS7VERIFY_SD_F_USE_SIGNING_TIME_UNVERIFIED */
502#define RTCRPKCS7VERIFY_SD_F_USE_MS_TIMESTAMP_UNVERIFIED RT_BIT_32(4)
503/** Do not consider timestamps in microsoft counter signatures. */
504#define RTCRPKCS7VERIFY_SD_F_IGNORE_MS_TIMESTAMP RT_BIT_32(5)
505/** The signed data requires certificates to have the timestamp extended
506 * usage bit present. This is used for recursivly verifying MS timestamp
507 * signatures. */
508#define RTCRPKCS7VERIFY_SD_F_USAGE_TIMESTAMPING RT_BIT_32(6)
509
510/** Indicates internally that we're validating a counter signature and should
511 * use different rules when checking out the authenticated attributes.
512 * @internal */
513#define RTCRPKCS7VERIFY_SD_F_COUNTER_SIGNATURE RT_BIT_32(31)
514/** @} */
515
516/** @} */
517
518RT_C_DECLS_END
519
520#endif
521
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette