VirtualBox

source: vbox/trunk/include/iprt/crypto/pkcs7.h@ 84330

Last change on this file since 84330 was 84330, checked in by vboxsync, 5 years ago

IPRT: Adding some new flags to the PKCS#7/CMS verification routines. bugref:9699

  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
File size: 30.3 KB
Line 
1/** @file
2 * IPRT - PKCS \#7, Cryptographic Message Syntax Standard (aka CMS).
3 */
4
5/*
6 * Copyright (C) 2006-2020 Oracle Corporation
7 *
8 * This file is part of VirtualBox Open Source Edition (OSE), as
9 * available from http://www.virtualbox.org. This file is free software;
10 * you can redistribute it and/or modify it under the terms of the GNU
11 * General Public License (GPL) as published by the Free Software
12 * Foundation, in version 2 as it comes in the "COPYING" file of the
13 * VirtualBox OSE distribution. VirtualBox OSE is distributed in the
14 * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
15 *
16 * The contents of this file may alternatively be used under the terms
17 * of the Common Development and Distribution License Version 1.0
18 * (CDDL) only, as it comes in the "COPYING.CDDL" file of the
19 * VirtualBox OSE distribution, in which case the provisions of the
20 * CDDL are applicable instead of those of the GPL.
21 *
22 * You may elect to license modified versions of this file under the
23 * terms and conditions of either the GPL or the CDDL or both.
24 */
25
26#ifndef IPRT_INCLUDED_crypto_pkcs7_h
27#define IPRT_INCLUDED_crypto_pkcs7_h
28#ifndef RT_WITHOUT_PRAGMA_ONCE
29# pragma once
30#endif
31
32#include <iprt/asn1.h>
33#include <iprt/crypto/x509.h>
34
35
36RT_C_DECLS_BEGIN
37
38struct RTCRPKCS7CONTENTINFO;
39
40
41/** @defgroup grp_rt_crpkcs7 RTCrPkcs7 - PKCS \#7, Cryptographic Message Syntax Standard (aka CMS).
42 * @ingroup grp_rt_crypto
43 * @{
44 */
45
46/** PKCS \#7 data object ID.*/
47#define RTCR_PKCS7_DATA_OID "1.2.840.113549.1.7.1"
48/** PKCS \#7 signedData object ID. */
49#define RTCR_PKCS7_SIGNED_DATA_OID "1.2.840.113549.1.7.2"
50/** PKCS \#7 envelopedData object ID. */
51#define RTCR_PKCS7_ENVELOPED_DATA_OID "1.2.840.113549.1.7.3"
52/** PKCS \#7 signedAndEnvelopedData object ID. */
53#define RTCR_PKCS7_SIGNED_AND_ENVELOPED_DATA_OID "1.2.840.113549.1.7.4"
54/** PKCS \#7 digestedData object ID. */
55#define RTCR_PKCS7_DIGESTED_DATA_OID "1.2.840.113549.1.7.5"
56/** PKCS \#7 encryptedData object ID. */
57#define RTCR_PKCS7_ENCRYPTED_DATA_OID "1.2.840.113549.1.7.6"
58
59
60/**
61 * PKCS \#7 IssuerAndSerialNumber (IPRT representation).
62 */
63typedef struct RTCRPKCS7ISSUERANDSERIALNUMBER
64{
65 /** Sequence core. */
66 RTASN1SEQUENCECORE SeqCore;
67 /** The certificate name. */
68 RTCRX509NAME Name;
69 /** The certificate serial number. */
70 RTASN1INTEGER SerialNumber;
71} RTCRPKCS7ISSUERANDSERIALNUMBER;
72/** Pointer to the IPRT representation of a PKCS \#7 IssuerAndSerialNumber. */
73typedef RTCRPKCS7ISSUERANDSERIALNUMBER *PRTCRPKCS7ISSUERANDSERIALNUMBER;
74/** Pointer to the const IPRT representation of a PKCS \#7
75 * IssuerAndSerialNumber. */
76typedef RTCRPKCS7ISSUERANDSERIALNUMBER const *PCRTCRPKCS7ISSUERANDSERIALNUMBER;
77RTASN1TYPE_STANDARD_PROTOTYPES(RTCRPKCS7ISSUERANDSERIALNUMBER, RTDECL, RTCrPkcs7IssuerAndSerialNumber, SeqCore.Asn1Core);
78
79
80/** Pointer to the IPRT representation of a PKCS \#7 SignerInfo. */
81typedef struct RTCRPKCS7SIGNERINFO *PRTCRPKCS7SIGNERINFO;
82/** Pointer to the const IPRT representation of a PKCS \#7 SignerInfo. */
83typedef struct RTCRPKCS7SIGNERINFO const *PCRTCRPKCS7SIGNERINFO;
84RTASN1_IMPL_GEN_SET_OF_TYPEDEFS_AND_PROTOS(RTCRPKCS7SIGNERINFOS, RTCRPKCS7SIGNERINFO, RTDECL, RTCrPkcs7SignerInfos);
85
86
87/**
88 * Attribute value type (for the union).
89 */
90typedef enum RTCRPKCS7ATTRIBUTETYPE
91{
92 /** Zero is invalid. */
93 RTCRPKCS7ATTRIBUTETYPE_INVALID = 0,
94 /** Not present, union is NULL. */
95 RTCRPKCS7ATTRIBUTETYPE_NOT_PRESENT,
96 /** Unknown values, pCores. */
97 RTCRPKCS7ATTRIBUTETYPE_UNKNOWN,
98 /** Object IDs, use pObjIds. */
99 RTCRPKCS7ATTRIBUTETYPE_OBJ_IDS,
100 /** Octet strings, use pOctetStrings. */
101 RTCRPKCS7ATTRIBUTETYPE_OCTET_STRINGS,
102 /** Counter signatures (PKCS \#9), use pCounterSignatures. */
103 RTCRPKCS7ATTRIBUTETYPE_COUNTER_SIGNATURES,
104 /** Signing time (PKCS \#9), use pSigningTime. */
105 RTCRPKCS7ATTRIBUTETYPE_SIGNING_TIME,
106 /** Microsoft timestamp info (RFC-3161) signed data, use pContentInfo. */
107 RTCRPKCS7ATTRIBUTETYPE_MS_TIMESTAMP,
108 /** Microsoft nested PKCS\#7 signature (signtool /as). */
109 RTCRPKCS7ATTRIBUTETYPE_MS_NESTED_SIGNATURE,
110 /** Microsoft statement type, use pObjIdSeqs. */
111 RTCRPKCS7ATTRIBUTETYPE_MS_STATEMENT_TYPE,
112 /** Apple plist with the all code directory digests, use pOctetStrings. */
113 RTCRPKCS7ATTRIBUTETYPE_APPLE_MULTI_CD_PLIST,
114 /** Blow the type up to 32-bits. */
115 RTCRPKCS7ATTRIBUTETYPE_32BIT_HACK = 0x7fffffff
116} RTCRPKCS7ATTRIBUTETYPE;
117
118/**
119 * PKCS \#7 Attribute (IPRT representation).
120 */
121typedef struct RTCRPKCS7ATTRIBUTE
122{
123 /** Sequence core. */
124 RTASN1SEQUENCECORE SeqCore;
125 /** The attribute type (object ID). */
126 RTASN1OBJID Type;
127 /** The type of data found in the values union. */
128 RTCRPKCS7ATTRIBUTETYPE enmType;
129 /** Value allocation. */
130 RTASN1ALLOCATION Allocation;
131 /** Values. */
132 union
133 {
134 /** ASN.1 cores (RTCRPKCS7ATTRIBUTETYPE_UNKNOWN). */
135 PRTASN1SETOFCORES pCores;
136 /** ASN.1 object identifiers (RTCRPKCS7ATTRIBUTETYPE_OBJ_IDS). */
137 PRTASN1SETOFOBJIDS pObjIds;
138 /** Sequence of ASN.1 object identifiers (RTCRPKCS7ATTRIBUTETYPE_MS_STATEMENT_TYPE). */
139 PRTASN1SETOFOBJIDSEQS pObjIdSeqs;
140 /** ASN.1 octet strings (RTCRPKCS7ATTRIBUTETYPE_OCTET_STRINGS). */
141 PRTASN1SETOFOCTETSTRINGS pOctetStrings;
142 /** Counter signatures RTCRPKCS7ATTRIBUTETYPE_COUNTER_SIGNATURES(). */
143 PRTCRPKCS7SIGNERINFOS pCounterSignatures;
144 /** Signing time(s) (RTCRPKCS7ATTRIBUTETYPE_SIGNING_TIME). */
145 PRTASN1SETOFTIMES pSigningTime;
146 /** Microsoft timestamp (RFC-3161 signed data, RTCRPKCS7ATTRIBUTETYPE_MS_TIMESTAMP),
147 * Microsoft nested signature (RTCRPKCS7ATTRIBUTETYPE_MS_NESTED_SIGNATURE). */
148 struct RTCRPKCS7SETOFCONTENTINFOS *pContentInfos;
149 } uValues;
150} RTCRPKCS7ATTRIBUTE;
151/** Pointer to the IPRT representation of a PKCS \#7 Attribute. */
152typedef RTCRPKCS7ATTRIBUTE *PRTCRPKCS7ATTRIBUTE;
153/** Pointer to the const IPRT representation of a PKCS \#7 Attribute. */
154typedef RTCRPKCS7ATTRIBUTE const *PCRTCRPKCS7ATTRIBUTE;
155RTASN1TYPE_STANDARD_PROTOTYPES(RTCRPKCS7ATTRIBUTE, RTDECL, RTCrPkcs7Attribute, SeqCore.Asn1Core);
156
157RTASN1_IMPL_GEN_SET_OF_TYPEDEFS_AND_PROTOS(RTCRPKCS7ATTRIBUTES, RTCRPKCS7ATTRIBUTE, RTDECL, RTCrPkcs7Attributes);
158
159
160/**
161 * One PKCS \#7 SignerInfo (IPRT representation).
162 */
163typedef struct RTCRPKCS7SIGNERINFO
164{
165 /** Sequence core. */
166 RTASN1SEQUENCECORE SeqCore;
167 /** The structure version (RTCRPKCS7SIGNERINFO_V1). */
168 RTASN1INTEGER Version;
169 /** The issuer and serial number of the certificate used to produce the
170 * encrypted digest below. */
171 RTCRPKCS7ISSUERANDSERIALNUMBER IssuerAndSerialNumber;
172 /** The digest algorithm use to digest the signed content. */
173 RTCRX509ALGORITHMIDENTIFIER DigestAlgorithm;
174 /** Authenticated attributes, optional [0].
175 * @todo Check how other producers formats this. The microsoft one does not
176 * have explicit tags, but combines it with the SET OF. */
177 RTCRPKCS7ATTRIBUTES AuthenticatedAttributes;
178 /** The digest encryption algorithm use to encrypt the digest of the signed
179 * content. */
180 RTCRX509ALGORITHMIDENTIFIER DigestEncryptionAlgorithm;
181 /** The encrypted digest. */
182 RTASN1OCTETSTRING EncryptedDigest;
183 /** Unauthenticated attributes, optional [1].
184 * @todo Check how other producers formats this. The microsoft one does not
185 * have explicit tags, but combines it with the SET OF. */
186 RTCRPKCS7ATTRIBUTES UnauthenticatedAttributes;
187} RTCRPKCS7SIGNERINFO;
188RTASN1TYPE_STANDARD_PROTOTYPES(RTCRPKCS7SIGNERINFO, RTDECL, RTCrPkcs7SignerInfo, SeqCore.Asn1Core);
189
190/** RTCRPKCS7SIGNERINFO::Version value. */
191#define RTCRPKCS7SIGNERINFO_V1 1
192
193/** @name PKCS \#9 Attribute IDs
194 * @{ */
195/** Content type (RFC-2630 11.1).
196 * Value: Object Identifier */
197#define RTCR_PKCS9_ID_CONTENT_TYPE_OID "1.2.840.113549.1.9.3"
198/** Message digest (RFC-2630 11.2).
199 * Value: Octet string. */
200#define RTCR_PKCS9_ID_MESSAGE_DIGEST_OID "1.2.840.113549.1.9.4"
201/** Signing time (RFC-2630 11.3).
202 * Value: Octet string. */
203#define RTCR_PKCS9_ID_SIGNING_TIME_OID "1.2.840.113549.1.9.5"
204/** Counter signature (RFC-2630 11.4).
205 * Value: SignerInfo. */
206#define RTCR_PKCS9_ID_COUNTER_SIGNATURE_OID "1.2.840.113549.1.9.6"
207/** Microsoft timestamp (RTF-3161) counter signature (SignedData).
208 * @remarks This isn't defined by PKCS \#9, but lumped in here for convenience. It's actually listed as SPC by MS. */
209#define RTCR_PKCS9_ID_MS_TIMESTAMP "1.3.6.1.4.1.311.3.3.1"
210/** Microsoft nested PKCS\#7 signature.
211 * @remarks This isn't defined by PKCS \#9, but lumped in here for convenience. */
212#define RTCR_PKCS9_ID_MS_NESTED_SIGNATURE "1.3.6.1.4.1.311.2.4.1"
213/** Microsoft statement type.
214 * @remarks This isn't defined by PKCS \#9, but lumped in here for convenience. It's actually listed as SPC by MS. */
215#define RTCR_PKCS9_ID_MS_STATEMENT_TYPE "1.3.6.1.4.1.311.2.1.11"
216/** Microsoft opus info.
217 * @remarks This isn't defined by PKCS \#9, but lumped in here for convenience. It's actually listed as SPC by MS. */
218#define RTCR_PKCS9_ID_MS_SP_OPUS_INFO "1.3.6.1.4.1.311.2.1.12"
219/** Apple code signing multi-code-directory plist.
220 * @remarks This isn't defined by PKCS \#9, but lumped in here for convenience. */
221#define RTCR_PKCS9_ID_APPLE_MULTI_CD_PLIST "1.2.840.113635.100.9.1"
222/** @} */
223
224
225/**
226 * Get the (next) signing time attribute from the specfied SignerInfo or one of
227 * the immediate counter signatures.
228 *
229 * @returns Pointer to the signing time if found, NULL if not.
230 * @param pThis The SignerInfo to search.
231 * @param ppSignerInfo Pointer to variable keeping track of the
232 * enumeration, optional.
233 *
234 * If specified the input value is taken to the be
235 * SignerInfo of the previously returned signing
236 * time. The value pointed to is NULL, the
237 * search/enum restarts.
238 *
239 * On successful return this is set to the
240 * SignerInfo which we found the signing time in.
241 */
242RTDECL(PCRTASN1TIME) RTCrPkcs7SignerInfo_GetSigningTime(PCRTCRPKCS7SIGNERINFO pThis, PCRTCRPKCS7SIGNERINFO *ppSignerInfo);
243
244
245/**
246 * Get the (first) timestamp from within a Microsoft timestamp server counter
247 * signature.
248 *
249 * @returns Pointer to the signing time if found, NULL if not.
250 * @param pThis The SignerInfo to search.
251 * @param ppContentInfoRet Where to return the pointer to the counter
252 * signature, optional.
253 */
254RTDECL(PCRTASN1TIME) RTCrPkcs7SignerInfo_GetMsTimestamp(PCRTCRPKCS7SIGNERINFO pThis,
255 struct RTCRPKCS7CONTENTINFO const **ppContentInfoRet);
256
257
258
259/**
260 * PKCS \#7 ContentInfo (IPRT representation).
261 */
262typedef struct RTCRPKCS7CONTENTINFO
263{
264 /** Sequence core. */
265 RTASN1SEQUENCECORE SeqCore;
266 /** Object ID identifying the content below. */
267 RTASN1OBJID ContentType;
268 /** Content, optional, explicit tag 0.
269 *
270 * Hack alert! This should've been an explict context tag 0 structure with a
271 * type selected according to ContentType. However, it's simpler to replace the
272 * explicit context with an OCTET STRING with implict tag 0. Then we can tag
273 * along on the encapsulation logic RTASN1OCTETSTRING provides for the dynamic
274 * inner type. The default decoder code will detect known structures as
275 * outlined in the union below, and decode the octet string content as an
276 * anonymous RTASN1CORE if not known.
277 *
278 * If the user want to decode the octet string content differently, it can do so
279 * by destroying and freeing the current encapsulated pointer, replacing it with
280 * it's own. (Of course following the RTASN1OCTETSTRING rules.) Just remember
281 * to also update the value in the union.
282 *
283 * @remarks What's signed and verified is Content.pEncapsulated->uData.pv.
284 */
285 RTASN1OCTETSTRING Content;
286 /** Pointer to the CMS octet string that's inside the Content, NULL if PKCS \#7.
287 *
288 * Hack alert! When transitioning from PKCS \#7 to CMS, the designers decided to
289 * change things and add another wrapper. This time we're talking about a real
290 * octet string, not like the one above which is really an explicit content tag.
291 * When constructing or decoding CMS content, this will be the same pointer as
292 * Content.pEncapsulated, while the union below will be holding the same pointer
293 * as pCmsContent->pEncapsulated.
294 */
295 PRTASN1OCTETSTRING pCmsContent;
296 /** Same as Content.pEncapsulated, except a choice of known types. */
297 union
298 {
299 /** ContentType is RTCRPKCS7SIGNEDDATA_OID. */
300 struct RTCRPKCS7SIGNEDDATA *pSignedData;
301 /** ContentType is RTCRSPCINDIRECTDATACONTENT_OID. */
302 struct RTCRSPCINDIRECTDATACONTENT *pIndirectDataContent;
303 /** ContentType is RTCRTSPTSTINFO_OID. */
304 struct RTCRTSPTSTINFO *pTstInfo;
305 /** Generic / Unknown / User. */
306 PRTASN1CORE pCore;
307 } u;
308} RTCRPKCS7CONTENTINFO;
309/** Pointer to the IPRT representation of a PKCS \#7 ContentInfo. */
310typedef RTCRPKCS7CONTENTINFO *PRTCRPKCS7CONTENTINFO;
311/** Pointer to the const IPRT representation of a PKCS \#7 ContentInfo. */
312typedef RTCRPKCS7CONTENTINFO const *PCRTCRPKCS7CONTENTINFO;
313RTASN1TYPE_STANDARD_PROTOTYPES(RTCRPKCS7CONTENTINFO, RTDECL, RTCrPkcs7ContentInfo, SeqCore.Asn1Core);
314RTASN1_IMPL_GEN_SET_OF_TYPEDEFS_AND_PROTOS(RTCRPKCS7SETOFCONTENTINFOS, RTCRPKCS7CONTENTINFO, RTDECL, RTCrPkcs7SetOfContentInfos);
315
316RTDECL(bool) RTCrPkcs7ContentInfo_IsSignedData(PCRTCRPKCS7CONTENTINFO pThis);
317
318
319/**
320 * PKCS \#7 Certificate choice.
321 */
322typedef enum RTCRPKCS7CERTCHOICE
323{
324 RTCRPKCS7CERTCHOICE_INVALID = 0,
325 RTCRPKCS7CERTCHOICE_X509,
326 RTCRPKCS7CERTCHOICE_EXTENDED_PKCS6,
327 RTCRPKCS7CERTCHOICE_AC_V1,
328 RTCRPKCS7CERTCHOICE_AC_V2,
329 RTCRPKCS7CERTCHOICE_OTHER,
330 RTCRPKCS7CERTCHOICE_END,
331 RTCRPKCS7CERTCHOICE_32BIT_HACK = 0x7fffffff
332} RTCRPKCS7CERTCHOICE;
333
334
335/**
336 * Common representation for PKCS \#7 ExtendedCertificateOrCertificate and the
337 * CMS CertificateChoices types.
338 */
339typedef struct RTCRPKCS7CERT
340{
341 /** Dummy ASN.1 record, not encoded. */
342 RTASN1DUMMY Dummy;
343 /** The value allocation. */
344 RTASN1ALLOCATION Allocation;
345 /** The choice of value. */
346 RTCRPKCS7CERTCHOICE enmChoice;
347 /** The value union. */
348 union
349 {
350 /** Standard X.509 certificate (RTCRCMSCERTIFICATECHOICE_X509). */
351 PRTCRX509CERTIFICATE pX509Cert;
352 /** Extended PKCS \#6 certificate (RTCRCMSCERTIFICATECHOICE_EXTENDED_PKCS6). */
353 PRTASN1CORE pExtendedCert;
354 /** Attribute certificate version 1 (RTCRCMSCERTIFICATECHOICE_AC_V1). */
355 PRTASN1CORE pAcV1;
356 /** Attribute certificate version 2 (RTCRCMSCERTIFICATECHOICE_AC_V2). */
357 PRTASN1CORE pAcV2;
358 /** Other certificate (RTCRCMSCERTIFICATECHOICE_OTHER). */
359 PRTASN1CORE pOtherCert;
360 } u;
361} RTCRPKCS7CERT;
362/** Pointer to the IPRT representation of PKCS \#7 or CMS certificate. */
363typedef RTCRPKCS7CERT *PRTCRPKCS7CERT;
364/** Pointer to the const IPRT representation of PKCS \#7 or CMS certificate. */
365typedef RTCRPKCS7CERT const *PCRTCRPKCS7CERT;
366RTASN1TYPE_STANDARD_PROTOTYPES(RTCRPKCS7CERT, RTDECL, RTCrPkcs7Cert, Dummy.Asn1Core);
367RTASN1_IMPL_GEN_SET_OF_TYPEDEFS_AND_PROTOS(RTCRPKCS7SETOFCERTS, RTCRPKCS7CERT, RTDECL, RTCrPkcs7SetOfCerts);
368
369RTDECL(PCRTCRX509CERTIFICATE) RTCrPkcs7SetOfCerts_FindX509ByIssuerAndSerialNumber(PCRTCRPKCS7SETOFCERTS pCertificates,
370 PCRTCRX509NAME pIssuer,
371 PCRTASN1INTEGER pSerialNumber);
372
373
374/**
375 * PKCS \#7 SignedData (IPRT representation).
376 */
377typedef struct RTCRPKCS7SIGNEDDATA
378{
379 /** Sequence core. */
380 RTASN1SEQUENCECORE SeqCore;
381 /** The structure version value (1). */
382 RTASN1INTEGER Version;
383 /** The digest algorithms that are used to signed the content (ContentInfo). */
384 RTCRX509ALGORITHMIDENTIFIERS DigestAlgorithms;
385 /** The content that's being signed. */
386 RTCRPKCS7CONTENTINFO ContentInfo;
387 /** Certificates, optional, implicit tag 0. (Required by Authenticode.) */
388 RTCRPKCS7SETOFCERTS Certificates;
389 /** Certificate revocation lists, optional, implicit tag 1.
390 * Not used by Authenticode, so currently stubbed. */
391 RTASN1CORE Crls;
392 /** Signer infos. */
393 RTCRPKCS7SIGNERINFOS SignerInfos;
394} RTCRPKCS7SIGNEDDATA;
395/** Pointer to the IPRT representation of a PKCS \#7 SignedData. */
396typedef RTCRPKCS7SIGNEDDATA *PRTCRPKCS7SIGNEDDATA;
397/** Pointer to the const IPRT representation of a PKCS \#7 SignedData. */
398typedef RTCRPKCS7SIGNEDDATA const *PCRTCRPKCS7SIGNEDDATA;
399RTASN1TYPE_STANDARD_PROTOTYPES(RTCRPKCS7SIGNEDDATA, RTDECL, RTCrPkcs7SignedData, SeqCore.Asn1Core);
400RTASN1_IMPL_GEN_SET_OF_TYPEDEFS_AND_PROTOS(RTCRPKCS7SETOFSIGNEDDATA, RTCRPKCS7SIGNEDDATA, RTDECL, RTCrPkcs7SetOfSignedData);
401
402/** PKCS \#7 SignedData object ID. */
403#define RTCRPKCS7SIGNEDDATA_OID RTCR_PKCS7_SIGNED_DATA_OID
404
405/** PKCS \#7 SignedData version number 1. */
406#define RTCRPKCS7SIGNEDDATA_V1 1
407/* No version 2 seems to exist. */
408/** CMS SignedData version number 3.
409 * This should only be used if there are version 1 attribute certificates
410 * present, or if there are version 3 SignerInfo items present, or if
411 * enmcCountInfo is not id-data (RFC-5652, section 5.1). */
412#define RTCRPKCS7SIGNEDDATA_V3 3
413/** CMS SignedData version number 4.
414 * This should only be used if there are version 2 attribute certificates
415 * present (RFC-5652, section 5.1). */
416#define RTCRPKCS7SIGNEDDATA_V4 4
417/** CMS SignedData version number 5.
418 * This should only be used if there are certificates or/and CRLs of the
419 * OTHER type present (RFC-5652, section 5.1). */
420#define RTCRPKCS7SIGNEDDATA_V5 5
421
422
423/** @name RTCRPKCS7SIGNEDDATA_SANITY_F_XXX - Flags for RTPkcs7SignedDataCheckSantiy.
424 * @{ */
425/** Check for authenticode restrictions. */
426#define RTCRPKCS7SIGNEDDATA_SANITY_F_AUTHENTICODE RT_BIT_32(0)
427/** Check that all the hash algorithms are known to IPRT. */
428#define RTCRPKCS7SIGNEDDATA_SANITY_F_ONLY_KNOWN_HASH RT_BIT_32(1)
429/** Require signing certificate to be present. */
430#define RTCRPKCS7SIGNEDDATA_SANITY_F_SIGNING_CERT_PRESENT RT_BIT_32(2)
431/** @} */
432
433/** PKCS\#7/CMS (content info) markers. */
434extern RTDATADECL(RTCRPEMMARKER const) g_aRTCrPkcs7Markers[];
435/** Number of entries in g_aRTCrPkcs7Markers. */
436extern RTDATADECL(uint32_t const) g_cRTCrPkcs7Markers;
437
438/** @name Flags for RTCrPkcs7ContentInfo_ReadFromBuffer
439 * @{ */
440/** Only allow PEM certificates, not binary ones.
441 * @sa RTCRPEMREADFILE_F_ONLY_PEM */
442#define RTCRPKCS7_READ_F_PEM_ONLY RT_BIT(1)
443/** @} */
444
445RTDECL(int) RTCrPkcs7_ReadFromBuffer(PRTCRPKCS7CONTENTINFO pContentInfo, const void *pvBuf, size_t cbBuf,
446 uint32_t fFlags, PCRTASN1ALLOCATORVTABLE pAllocator,
447 bool *pfCmsLabeled, PRTERRINFO pErrInfo, const char *pszErrorTag);
448
449
450/**
451 * PKCS \#7 DigestInfo (IPRT representation).
452 */
453typedef struct RTCRPKCS7DIGESTINFO
454{
455 /** Sequence core. */
456 RTASN1SEQUENCECORE SeqCore;
457 /** The digest algorithm use to digest the signed content. */
458 RTCRX509ALGORITHMIDENTIFIER DigestAlgorithm;
459 /** The digest. */
460 RTASN1OCTETSTRING Digest;
461} RTCRPKCS7DIGESTINFO;
462/** Pointer to the IPRT representation of a PKCS \#7 DigestInfo object. */
463typedef RTCRPKCS7DIGESTINFO *PRTCRPKCS7DIGESTINFO;
464/** Pointer to the const IPRT representation of a PKCS \#7 DigestInfo object. */
465typedef RTCRPKCS7DIGESTINFO const *PCRTCRPKCS7DIGESTINFO;
466RTASN1TYPE_STANDARD_PROTOTYPES(RTCRPKCS7DIGESTINFO, RTDECL, RTCrPkcs7DigestInfo, SeqCore.Asn1Core);
467
468
469/**
470 * Callback function for use with RTCrPkcs7VerifySignedData.
471 *
472 * @returns IPRT status code.
473 * @param pCert The certificate to verify.
474 * @param hCertPaths Unless the certificate is trusted directly, this
475 * is a reference to the certificate path builder
476 * and verifier instance that we used to establish
477 * at least valid trusted path to @a pCert. The
478 * callback can use this to enforce additional
479 * certificate lineage requirements, effective
480 * policy checks and whatnot.
481 * This is NIL_RTCRX509CERTPATHS if the certificate
482 * is directly trusted.
483 * @param fFlags Mix of the RTCRPKCS7VCC_F_XXX flags.
484 * @param pvUser The user argument.
485 * @param pErrInfo Optional error info buffer.
486 */
487typedef DECLCALLBACK(int) FNRTCRPKCS7VERIFYCERTCALLBACK(PCRTCRX509CERTIFICATE pCert, RTCRX509CERTPATHS hCertPaths,
488 uint32_t fFlags, void *pvUser, PRTERRINFO pErrInfo);
489/** Pointer to a FNRTCRPKCS7VERIFYCERTCALLBACK callback. */
490typedef FNRTCRPKCS7VERIFYCERTCALLBACK *PFNRTCRPKCS7VERIFYCERTCALLBACK;
491
492/** @name RTCRPKCS7VCC_F_XXX - Flags for FNRTCRPKCS7VERIFYCERTCALLBACK.
493 * @{ */
494/** Normal callback for a direct signatory of the signed data. */
495#define RTCRPKCS7VCC_F_SIGNED_DATA RT_BIT_32(0)
496/** Check that the signatory can be trusted for timestamps. */
497#define RTCRPKCS7VCC_F_TIMESTAMP RT_BIT_32(1)
498/** @} */
499
500/**
501 * @callback_method_impl{FNRTCRPKCS7VERIFYCERTCALLBACK,
502 * Default implementation that checks for the DigitalSignature KeyUsage bit.}
503 */
504RTDECL(int) RTCrPkcs7VerifyCertCallbackDefault(PCRTCRX509CERTIFICATE pCert, RTCRX509CERTPATHS hCertPaths, uint32_t fFlags,
505 void *pvUser, PRTERRINFO pErrInfo);
506
507/**
508 * @callback_method_impl{FNRTCRPKCS7VERIFYCERTCALLBACK,
509 * Standard code signing. Use this for Microsoft SPC.}
510 */
511RTDECL(int) RTCrPkcs7VerifyCertCallbackCodeSigning(PCRTCRX509CERTIFICATE pCert, RTCRX509CERTPATHS hCertPaths, uint32_t fFlags,
512 void *pvUser, PRTERRINFO pErrInfo);
513
514/**
515 * Verifies PKCS \#7 SignedData.
516 *
517 * For compatability with alternative crypto providers, the user must work on
518 * the top level PKCS \#7 structure instead directly on the SignedData.
519 *
520 * @returns IPRT status code.
521 * @param pContentInfo PKCS \#7 content info structure.
522 * @param fFlags RTCRPKCS7VERIFY_SD_F_XXX.
523 * @param hAdditionalCerts Store containing additional certificates to
524 * supplement those mentioned in the signed data.
525 * @param hTrustedCerts Store containing trusted certificates.
526 * @param pValidationTime The time we're supposed to validate the
527 * certificates chains at. Ignored for signatures
528 * with valid signing time attributes.
529 * When RTCRPKCS7VERIFY_SD_F_UPDATE_VALIDATION_TIME
530 * is set, this is updated to the actual validation
531 * time used.
532 * @param pfnVerifyCert Callback for checking that a certificate used
533 * for signing the data is suitable.
534 * @param pvUser User argument for the callback.
535 * @param pErrInfo Optional error info buffer.
536 * @sa RTCrPkcs7VerifySignedDataWithExternalData
537 */
538RTDECL(int) RTCrPkcs7VerifySignedData(PCRTCRPKCS7CONTENTINFO pContentInfo, uint32_t fFlags,
539 RTCRSTORE hAdditionalCerts, RTCRSTORE hTrustedCerts,
540 PCRTTIMESPEC pValidationTime, PFNRTCRPKCS7VERIFYCERTCALLBACK pfnVerifyCert, void *pvUser,
541 PRTERRINFO pErrInfo);
542
543
544/**
545 * Verifies PKCS \#7 SignedData with external data.
546 *
547 * For compatability with alternative crypto providers, the user must work on
548 * the top level PKCS \#7 structure instead directly on the SignedData.
549 *
550 * @returns IPRT status code.
551 * @param pContentInfo PKCS \#7 content info structure.
552 * @param fFlags RTCRPKCS7VERIFY_SD_F_XXX.
553 * @param hAdditionalCerts Store containing additional certificates to
554 * supplement those mentioned in the signed data.
555 * @param hTrustedCerts Store containing trusted certificates.
556 * @param pValidationTime The time we're supposed to validate the
557 * certificates chains at. Ignored for signatures
558 * with valid signing time attributes.
559 * When RTCRPKCS7VERIFY_SD_F_UPDATE_VALIDATION_TIME
560 * is set, this is updated to the actual validation
561 * time used.
562 * @param pfnVerifyCert Callback for checking that a certificate used
563 * for signing the data is suitable.
564 * @param pvUser User argument for the callback.
565 * @param pvData The signed external data.
566 * @param cbData The size of the signed external data.
567 * @param pErrInfo Optional error info buffer.
568 * @sa RTCrPkcs7VerifySignedData
569 */
570RTDECL(int) RTCrPkcs7VerifySignedDataWithExternalData(PCRTCRPKCS7CONTENTINFO pContentInfo, uint32_t fFlags,
571 RTCRSTORE hAdditionalCerts, RTCRSTORE hTrustedCerts,
572 PCRTTIMESPEC pValidationTime,
573 PFNRTCRPKCS7VERIFYCERTCALLBACK pfnVerifyCert, void *pvUser,
574 void const *pvData, size_t cbData, PRTERRINFO pErrInfo);
575
576/** @name RTCRPKCS7VERIFY_SD_F_XXX - Flags for RTCrPkcs7VerifySignedData and
577 * RTCrPkcs7VerifySignedDataWithExternalData
578 * @{ */
579/** Always use the signing time attribute if present, requiring it to be
580 * verified as valid. The default behavior is to ignore unverifiable
581 * signing time attributes and use the @a pValidationTime instead. */
582#define RTCRPKCS7VERIFY_SD_F_ALWAYS_USE_SIGNING_TIME_IF_PRESENT RT_BIT_32(0)
583/** Same as RTCRPKCS7VERIFY_SD_F_ALWAYS_USE_SIGNING_TIME_IF_PRESENT for the MS
584 * timestamp counter signatures. */
585#define RTCRPKCS7VERIFY_SD_F_ALWAYS_USE_MS_TIMESTAMP_IF_PRESENT RT_BIT_32(1)
586/** Only use signing time attributes from counter signatures. */
587#define RTCRPKCS7VERIFY_SD_F_COUNTER_SIGNATURE_SIGNING_TIME_ONLY RT_BIT_32(2)
588/** Don't validate the counter signature containing the signing time, just use
589 * it unverified. This is useful if we don't necessarily have the root
590 * certificates for the timestamp server handy, but use with great care.
591 * @sa RTCRPKCS7VERIFY_SD_F_USE_MS_TIMESTAMP_UNVERIFIED */
592#define RTCRPKCS7VERIFY_SD_F_USE_SIGNING_TIME_UNVERIFIED RT_BIT_32(3)
593/** Don't validate the MS counter signature containing the signing timestamp.
594 * @sa RTCRPKCS7VERIFY_SD_F_USE_SIGNING_TIME_UNVERIFIED */
595#define RTCRPKCS7VERIFY_SD_F_USE_MS_TIMESTAMP_UNVERIFIED RT_BIT_32(4)
596/** Do not consider timestamps in microsoft counter signatures. */
597#define RTCRPKCS7VERIFY_SD_F_IGNORE_MS_TIMESTAMP RT_BIT_32(5)
598/** The signed data requires certificates to have the timestamp extended
599 * usage bit present. This is used for recursivly verifying MS timestamp
600 * signatures. */
601#define RTCRPKCS7VERIFY_SD_F_USAGE_TIMESTAMPING RT_BIT_32(6)
602/** Skip the verification of the certificate trust paths, taking all
603 * certificates to be trustworthy. */
604#define RTCRPKCS7VERIFY_SD_F_TRUST_ALL_CERTS RT_BIT_32(7)
605/** Update @a pValidationTime with the actual validation time used.
606 * This requires RTCRPKCS7VERIFY_SD_F_HAS_SIGNER_INDEX to get a consistent
607 * result. And yeah, it unconst the parameter, which is patently ugly. */
608#define RTCRPKCS7VERIFY_SD_F_UPDATE_VALIDATION_TIME RT_BIT_32(8)
609
610/** This can be used to only verify one given signer info.
611 * Max index value is 15. */
612#define RTCRPKCS7VERIFY_SD_F_SIGNER_INDEX(a_idxSignerInfo) \
613 ( RTCRPKCS7VERIFY_SD_F_HAS_SIGNER_INDEX \
614 | (((a_idxSignerInfo) & RTCRPKCS7VERIFY_SD_F_SIGNER_INDEX_MAX) << RTCRPKCS7VERIFY_SD_F_SIGNER_INDEX_SHIFT) )
615/** Has a valid value in RTCRPKCS7VERIFY_SD_F_SIGNER_INDEX_MASK. */
616#define RTCRPKCS7VERIFY_SD_F_HAS_SIGNER_INDEX RT_BIT_32(23)
617/** Signer index shift value. */
618#define RTCRPKCS7VERIFY_SD_F_SIGNER_INDEX_SHIFT 24
619/** Signer index mask. */
620#define RTCRPKCS7VERIFY_SD_F_SIGNER_INDEX_MASK UINT32_C(0x0f000000)
621/** Max signer index value (inclusive). */
622#define RTCRPKCS7VERIFY_SD_F_SIGNER_INDEX_MAX \
623 (RTCRPKCS7VERIFY_SD_F_SIGNER_INDEX_MASK >> RTCRPKCS7VERIFY_SD_F_SIGNER_INDEX_SHIFT)
624
625/** Indicates internally that we're validating a counter signature and should
626 * use different rules when checking out the authenticated attributes.
627 * @internal */
628#define RTCRPKCS7VERIFY_SD_F_COUNTER_SIGNATURE RT_BIT_32(31)
629/** @} */
630
631
632RTDECL(int) RTCrPkcs7SimpleSignSignedData(uint32_t fFlags, PCRTCRX509CERTIFICATE pSigner, RTCRKEY hPrivateKey,
633 void const *pvData, size_t cbData, RTDIGESTTYPE enmDigestType,
634 RTCRSTORE hAdditionalCerts, void *pvResult, size_t *pcbResult, PRTERRINFO pErrInfo);
635
636/** @name RTCRPKCS7SIGN_SD_F_XXX - Flags for RTCrPkcs7SimpleSign.
637 * @{ */
638/** Detached data. */
639#define RTCRPKCS7SIGN_SD_F_DEATCHED RT_BIT_32(0)
640/** No SMIME capabilities attribute. */
641#define RTCRPKCS7SIGN_SD_F_NO_SMIME_CAP RT_BIT_32(1)
642/** Valid flag mask. */
643#define RTCRPKCS7SIGN_SD_F_VALID_MASK UINT32_C(0x00000003)
644/** @} */
645
646/** @} */
647
648RT_C_DECLS_END
649
650#endif /* !IPRT_INCLUDED_crypto_pkcs7_h */
651
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette