pkcs7.h@ 95668

Last change on this file since 95668 was 95668, checked in by vboxsync, 2 years ago
IPRT/RTCrPkcs7: Split out RTCrPkcs7Attributes_HashAttributes from verification. bugref:8691
Property svn:eol-style set to `native` Property svn:keywords set to `Author Date Id Revision`
File size: 34.0 KB

Line
1	/** @file
2	* IPRT - PKCS \#7, Cryptographic Message Syntax Standard (aka CMS).
3	*/
4
5	/*
6	* Copyright (C) 2006-2022 Oracle Corporation
7	*
8	* This file is part of VirtualBox Open Source Edition (OSE), as
9	* available from http://www.virtualbox.org. This file is free software;
10	* you can redistribute it and/or modify it under the terms of the GNU
11	* General Public License (GPL) as published by the Free Software
12	* Foundation, in version 2 as it comes in the "COPYING" file of the
13	* VirtualBox OSE distribution. VirtualBox OSE is distributed in the
14	* hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
15	*
16	* The contents of this file may alternatively be used under the terms
17	* of the Common Development and Distribution License Version 1.0
18	* (CDDL) only, as it comes in the "COPYING.CDDL" file of the
19	* VirtualBox OSE distribution, in which case the provisions of the
20	* CDDL are applicable instead of those of the GPL.
21	*
22	* You may elect to license modified versions of this file under the
23	* terms and conditions of either the GPL or the CDDL or both.
24	*/
25
26	#ifndef IPRT_INCLUDED_crypto_pkcs7_h
27	#define IPRT_INCLUDED_crypto_pkcs7_h
28	#ifndef RT_WITHOUT_PRAGMA_ONCE
29	# pragma once
30	#endif
31
32	#include <iprt/asn1.h>
33	#include <iprt/crypto/x509.h>
34
35
36	RT_C_DECLS_BEGIN
37
38	struct RTCRPKCS7CONTENTINFO;
39
40
41	/** @defgroup grp_rt_crpkcs7 RTCrPkcs7 - PKCS \#7, Cryptographic Message Syntax Standard (aka CMS).
42	* @ingroup grp_rt_crypto
43	* @{
44	*/
45
46	/** PKCS \#7 data object ID.*/
47	#define RTCR_PKCS7_DATA_OID "1.2.840.113549.1.7.1"
48	/** PKCS \#7 signedData object ID. */
49	#define RTCR_PKCS7_SIGNED_DATA_OID "1.2.840.113549.1.7.2"
50	/** PKCS \#7 envelopedData object ID. */
51	#define RTCR_PKCS7_ENVELOPED_DATA_OID "1.2.840.113549.1.7.3"
52	/** PKCS \#7 signedAndEnvelopedData object ID. */
53	#define RTCR_PKCS7_SIGNED_AND_ENVELOPED_DATA_OID "1.2.840.113549.1.7.4"
54	/** PKCS \#7 digestedData object ID. */
55	#define RTCR_PKCS7_DIGESTED_DATA_OID "1.2.840.113549.1.7.5"
56	/** PKCS \#7 encryptedData object ID. */
57	#define RTCR_PKCS7_ENCRYPTED_DATA_OID "1.2.840.113549.1.7.6"
58
59
60	/**
61	* PKCS \#7 IssuerAndSerialNumber (IPRT representation).
62	*/
63	typedef struct RTCRPKCS7ISSUERANDSERIALNUMBER
64	{
65	/** Sequence core. */
66	RTASN1SEQUENCECORE SeqCore;
67	/** The certificate name. */
68	RTCRX509NAME Name;
69	/** The certificate serial number. */
70	RTASN1INTEGER SerialNumber;
71	} RTCRPKCS7ISSUERANDSERIALNUMBER;
72	/** Pointer to the IPRT representation of a PKCS \#7 IssuerAndSerialNumber. */
73	typedef RTCRPKCS7ISSUERANDSERIALNUMBER *PRTCRPKCS7ISSUERANDSERIALNUMBER;
74	/** Pointer to the const IPRT representation of a PKCS \#7
75	* IssuerAndSerialNumber. */
76	typedef RTCRPKCS7ISSUERANDSERIALNUMBER const *PCRTCRPKCS7ISSUERANDSERIALNUMBER;
77	RTASN1TYPE_STANDARD_PROTOTYPES(RTCRPKCS7ISSUERANDSERIALNUMBER, RTDECL, RTCrPkcs7IssuerAndSerialNumber, SeqCore.Asn1Core);
78
79
80	/** Pointer to the IPRT representation of a PKCS \#7 SignerInfo. */
81	typedef struct RTCRPKCS7SIGNERINFO *PRTCRPKCS7SIGNERINFO;
82	/** Pointer to the const IPRT representation of a PKCS \#7 SignerInfo. */
83	typedef struct RTCRPKCS7SIGNERINFO const *PCRTCRPKCS7SIGNERINFO;
84	RTASN1_IMPL_GEN_SET_OF_TYPEDEFS_AND_PROTOS(RTCRPKCS7SIGNERINFOS, RTCRPKCS7SIGNERINFO, RTDECL, RTCrPkcs7SignerInfos);
85
86
87	/**
88	* Attribute value type (for the union).
89	*/
90	typedef enum RTCRPKCS7ATTRIBUTETYPE
91	{
92	/** Zero is invalid. */
93	RTCRPKCS7ATTRIBUTETYPE_INVALID = 0,
94	/** Not present, union is NULL. */
95	RTCRPKCS7ATTRIBUTETYPE_NOT_PRESENT,
96	/** Unknown values, pCores. */
97	RTCRPKCS7ATTRIBUTETYPE_UNKNOWN,
98	/** Object IDs, use pObjIds. */
99	RTCRPKCS7ATTRIBUTETYPE_OBJ_IDS,
100	/** Octet strings, use pOctetStrings. */
101	RTCRPKCS7ATTRIBUTETYPE_OCTET_STRINGS,
102	/** Counter signatures (PKCS \#9), use pCounterSignatures. */
103	RTCRPKCS7ATTRIBUTETYPE_COUNTER_SIGNATURES,
104	/** Signing time (PKCS \#9), use pSigningTime. */
105	RTCRPKCS7ATTRIBUTETYPE_SIGNING_TIME,
106	/** Microsoft timestamp info (RFC-3161) signed data, use pContentInfo. */
107	RTCRPKCS7ATTRIBUTETYPE_MS_TIMESTAMP,
108	/** Microsoft nested PKCS\#7 signature (signtool /as). */
109	RTCRPKCS7ATTRIBUTETYPE_MS_NESTED_SIGNATURE,
110	/** Microsoft statement type, use pObjIdSeqs. */
111	RTCRPKCS7ATTRIBUTETYPE_MS_STATEMENT_TYPE,
112	/** Apple plist with the all code directory digests, use pOctetStrings. */
113	RTCRPKCS7ATTRIBUTETYPE_APPLE_MULTI_CD_PLIST,
114	/** Blow the type up to 32-bits. */
115	RTCRPKCS7ATTRIBUTETYPE_32BIT_HACK = 0x7fffffff
116	} RTCRPKCS7ATTRIBUTETYPE;
117
118	/**
119	* PKCS \#7 Attribute (IPRT representation).
120	*/
121	typedef struct RTCRPKCS7ATTRIBUTE
122	{
123	/** Sequence core. */
124	RTASN1SEQUENCECORE SeqCore;
125	/** The attribute type (object ID). */
126	RTASN1OBJID Type;
127	/** The type of data found in the values union. */
128	RTCRPKCS7ATTRIBUTETYPE enmType;
129	/** Value allocation. */
130	RTASN1ALLOCATION Allocation;
131	/** Values. */
132	union
133	{
134	/** ASN.1 cores (RTCRPKCS7ATTRIBUTETYPE_UNKNOWN). */
135	PRTASN1SETOFCORES pCores;
136	/** ASN.1 object identifiers (RTCRPKCS7ATTRIBUTETYPE_OBJ_IDS). */
137	PRTASN1SETOFOBJIDS pObjIds;
138	/** Sequence of ASN.1 object identifiers (RTCRPKCS7ATTRIBUTETYPE_MS_STATEMENT_TYPE). */
139	PRTASN1SETOFOBJIDSEQS pObjIdSeqs;
140	/** ASN.1 octet strings (RTCRPKCS7ATTRIBUTETYPE_OCTET_STRINGS). */
141	PRTASN1SETOFOCTETSTRINGS pOctetStrings;
142	/** Counter signatures RTCRPKCS7ATTRIBUTETYPE_COUNTER_SIGNATURES(). */
143	PRTCRPKCS7SIGNERINFOS pCounterSignatures;
144	/** Signing time(s) (RTCRPKCS7ATTRIBUTETYPE_SIGNING_TIME). */
145	PRTASN1SETOFTIMES pSigningTime;
146	/** Microsoft timestamp (RFC-3161 signed data, RTCRPKCS7ATTRIBUTETYPE_MS_TIMESTAMP),
147	* Microsoft nested signature (RTCRPKCS7ATTRIBUTETYPE_MS_NESTED_SIGNATURE). */
148	struct RTCRPKCS7SETOFCONTENTINFOS *pContentInfos;
149	} uValues;
150	} RTCRPKCS7ATTRIBUTE;
151	/** Pointer to the IPRT representation of a PKCS \#7 Attribute. */
152	typedef RTCRPKCS7ATTRIBUTE *PRTCRPKCS7ATTRIBUTE;
153	/** Pointer to the const IPRT representation of a PKCS \#7 Attribute. */
154	typedef RTCRPKCS7ATTRIBUTE const *PCRTCRPKCS7ATTRIBUTE;
155	RTASN1TYPE_STANDARD_PROTOTYPES(RTCRPKCS7ATTRIBUTE, RTDECL, RTCrPkcs7Attribute, SeqCore.Asn1Core);
156
157	RTDECL(int) RTCrPkcs7Attribute_SetAppleMultiCdPlist(PRTCRPKCS7ATTRIBUTE pThis, PCRTASN1SETOFOCTETSTRINGS pToClone,
158	PCRTASN1ALLOCATORVTABLE pAllocator);
159	RTDECL(int) RTCrPkcs7Attribute_SetContentType(PRTCRPKCS7ATTRIBUTE pThis, PCRTASN1SETOFOBJIDS pToClone,
160	PCRTASN1ALLOCATORVTABLE pAllocator);
161	RTDECL(int) RTCrPkcs7Attribute_SetCounterSignatures(PRTCRPKCS7ATTRIBUTE pThis, PCRTCRPKCS7SIGNERINFOS pToClone,
162	PCRTASN1ALLOCATORVTABLE pAllocator);
163	RTDECL(int) RTCrPkcs7Attribute_SetMessageDigest(PRTCRPKCS7ATTRIBUTE pThis, PCRTASN1SETOFOCTETSTRINGS pToClone,
164	PCRTASN1ALLOCATORVTABLE pAllocator);
165	RTDECL(int) RTCrPkcs7Attribute_SetMsStatementType(PRTCRPKCS7ATTRIBUTE pThis, PCRTASN1SETOFOBJIDSEQS pToClone,
166	PCRTASN1ALLOCATORVTABLE pAllocator);
167	RTDECL(int) RTCrPkcs7Attribute_SetMsNestedSignature(PRTCRPKCS7ATTRIBUTE pThis, struct RTCRPKCS7SETOFCONTENTINFOS const *pToClone,
168	PCRTASN1ALLOCATORVTABLE pAllocator);
169	RTDECL(int) RTCrPkcs7Attribute_SetMsTimestamp(PRTCRPKCS7ATTRIBUTE pThis, struct RTCRPKCS7SETOFCONTENTINFOS const *pToClone,
170	PCRTASN1ALLOCATORVTABLE pAllocator);
171	RTDECL(int) RTCrPkcs7Attribute_SetSigningTime(PRTCRPKCS7ATTRIBUTE pThis, PCRTASN1SETOFTIMES pToClone,
172	PCRTASN1ALLOCATORVTABLE pAllocator);
173
174	RTASN1_IMPL_GEN_SET_OF_TYPEDEFS_AND_PROTOS(RTCRPKCS7ATTRIBUTES, RTCRPKCS7ATTRIBUTE, RTDECL, RTCrPkcs7Attributes);
175
176	RTDECL(int) RTCrPkcs7Attributes_HashAttributes(PRTCRPKCS7ATTRIBUTES pAttributes, RTCRDIGEST hDigest, PRTERRINFO pErrInfo);
177
178
179	/**
180	* One PKCS \#7 SignerInfo (IPRT representation).
181	*/
182	typedef struct RTCRPKCS7SIGNERINFO
183	{
184	/** Sequence core. */
185	RTASN1SEQUENCECORE SeqCore;
186	/** The structure version (RTCRPKCS7SIGNERINFO_V1). */
187	RTASN1INTEGER Version;
188	/** The issuer and serial number of the certificate used to produce the
189	* encrypted digest below. */
190	RTCRPKCS7ISSUERANDSERIALNUMBER IssuerAndSerialNumber;
191	/** The digest algorithm use to digest the signed content. */
192	RTCRX509ALGORITHMIDENTIFIER DigestAlgorithm;
193	/** Authenticated attributes, optional [0].
194	* @todo Check how other producers formats this. The microsoft one does not
195	* have explicit tags, but combines it with the SET OF. */
196	RTCRPKCS7ATTRIBUTES AuthenticatedAttributes;
197	/** The digest encryption algorithm use to encrypt the digest of the signed
198	* content. */
199	RTCRX509ALGORITHMIDENTIFIER DigestEncryptionAlgorithm;
200	/** The encrypted digest. */
201	RTASN1OCTETSTRING EncryptedDigest;
202	/** Unauthenticated attributes, optional [1].
203	* @todo Check how other producers formats this. The microsoft one does not
204	* have explicit tags, but combines it with the SET OF. */
205	RTCRPKCS7ATTRIBUTES UnauthenticatedAttributes;
206	} RTCRPKCS7SIGNERINFO;
207	RTASN1TYPE_STANDARD_PROTOTYPES(RTCRPKCS7SIGNERINFO, RTDECL, RTCrPkcs7SignerInfo, SeqCore.Asn1Core);
208
209	RTDECL(int) RTCrPkcs7SignerInfo_SetAuthenticatedAttributes(PRTCRPKCS7SIGNERINFO pThis, PCRTCRPKCS7ATTRIBUTES pAttributes,
210	PCRTASN1ALLOCATORVTABLE pAllocator);
211	RTDECL(int) RTCrPkcs7SignerInfo_SetUnauthenticatedAttributes(PRTCRPKCS7SIGNERINFO pThis, PCRTCRPKCS7ATTRIBUTES pAttributes,
212	PCRTASN1ALLOCATORVTABLE pAllocator);
213
214	/** RTCRPKCS7SIGNERINFO::Version value. */
215	#define RTCRPKCS7SIGNERINFO_V1 1
216
217	/** @name PKCS \#9 Attribute IDs
218	* @{ */
219	/** Content type (RFC-2630 11.1).
220	* Value: Object Identifier */
221	#define RTCR_PKCS9_ID_CONTENT_TYPE_OID "1.2.840.113549.1.9.3"
222	/** Message digest (RFC-2630 11.2).
223	* Value: Octet string. */
224	#define RTCR_PKCS9_ID_MESSAGE_DIGEST_OID "1.2.840.113549.1.9.4"
225	/** Signing time (RFC-2630 11.3).
226	* Value: Octet string. */
227	#define RTCR_PKCS9_ID_SIGNING_TIME_OID "1.2.840.113549.1.9.5"
228	/** Counter signature (RFC-2630 11.4).
229	* Value: SignerInfo. */
230	#define RTCR_PKCS9_ID_COUNTER_SIGNATURE_OID "1.2.840.113549.1.9.6"
231	/** Microsoft timestamp (RTF-3161) counter signature (SignedData).
232	* @remarks This isn't defined by PKCS \#9, but lumped in here for convenience. It's actually listed as SPC by MS. */
233	#define RTCR_PKCS9_ID_MS_TIMESTAMP "1.3.6.1.4.1.311.3.3.1"
234	/** Microsoft nested PKCS\#7 signature.
235	* @remarks This isn't defined by PKCS \#9, but lumped in here for convenience. */
236	#define RTCR_PKCS9_ID_MS_NESTED_SIGNATURE "1.3.6.1.4.1.311.2.4.1"
237	/** Microsoft statement type.
238	* @remarks This isn't defined by PKCS \#9, but lumped in here for convenience. It's actually listed as SPC by MS. */
239	#define RTCR_PKCS9_ID_MS_STATEMENT_TYPE "1.3.6.1.4.1.311.2.1.11"
240	/** Microsoft opus info.
241	* @remarks This isn't defined by PKCS \#9, but lumped in here for convenience. It's actually listed as SPC by MS. */
242	#define RTCR_PKCS9_ID_MS_SP_OPUS_INFO "1.3.6.1.4.1.311.2.1.12"
243	/** Apple code signing multi-code-directory plist.
244	* @remarks This isn't defined by PKCS \#9, but lumped in here for convenience. */
245	#define RTCR_PKCS9_ID_APPLE_MULTI_CD_PLIST "1.2.840.113635.100.9.1"
246	/** @} */
247
248
249	/**
250	* Get the (next) signing time attribute from the specfied SignerInfo or one of
251	* the immediate counter signatures.
252	*
253	* @returns Pointer to the signing time if found, NULL if not.
254	* @param pThis The SignerInfo to search.
255	* @param ppSignerInfo Pointer to variable keeping track of the
256	* enumeration, optional.
257	*
258	* If specified the input value is taken to the be
259	* SignerInfo of the previously returned signing
260	* time. The value pointed to is NULL, the
261	* search/enum restarts.
262	*
263	* On successful return this is set to the
264	* SignerInfo which we found the signing time in.
265	*/
266	RTDECL(PCRTASN1TIME) RTCrPkcs7SignerInfo_GetSigningTime(PCRTCRPKCS7SIGNERINFO pThis, PCRTCRPKCS7SIGNERINFO *ppSignerInfo);
267
268
269	/**
270	* Get the (first) timestamp from within a Microsoft timestamp server counter
271	* signature.
272	*
273	* @returns Pointer to the signing time if found, NULL if not.
274	* @param pThis The SignerInfo to search.
275	* @param ppContentInfoRet Where to return the pointer to the counter
276	* signature, optional.
277	*/
278	RTDECL(PCRTASN1TIME) RTCrPkcs7SignerInfo_GetMsTimestamp(PCRTCRPKCS7SIGNERINFO pThis,
279	struct RTCRPKCS7CONTENTINFO const **ppContentInfoRet);
280
281
282
283	/**
284	* PKCS \#7 ContentInfo (IPRT representation).
285	*/
286	typedef struct RTCRPKCS7CONTENTINFO
287	{
288	/** Sequence core. */
289	RTASN1SEQUENCECORE SeqCore;
290	/** Object ID identifying the content below. */
291	RTASN1OBJID ContentType;
292	/** Content, optional, explicit tag 0.
293	*
294	* Hack alert! This should've been an explict context tag 0 structure with a
295	* type selected according to ContentType. However, it's simpler to replace the
296	* explicit context with an OCTET STRING with implict tag 0. Then we can tag
297	* along on the encapsulation logic RTASN1OCTETSTRING provides for the dynamic
298	* inner type. The default decoder code will detect known structures as
299	* outlined in the union below, and decode the octet string content as an
300	* anonymous RTASN1CORE if not known.
301	*
302	* If the user want to decode the octet string content differently, it can do so
303	* by destroying and freeing the current encapsulated pointer, replacing it with
304	* it's own. (Of course following the RTASN1OCTETSTRING rules.) Just remember
305	* to also update the value in the union.
306	*
307	* @remarks What's signed and verified is Content.pEncapsulated->uData.pv.
308	*/
309	RTASN1OCTETSTRING Content;
310	/** Pointer to the CMS octet string that's inside the Content, NULL if PKCS \#7.
311	*
312	* Hack alert! When transitioning from PKCS \#7 to CMS, the designers decided to
313	* change things and add another wrapper. This time we're talking about a real
314	* octet string, not like the one above which is really an explicit content tag.
315	* When constructing or decoding CMS content, this will be the same pointer as
316	* Content.pEncapsulated, while the union below will be holding the same pointer
317	* as pCmsContent->pEncapsulated.
318	*/
319	PRTASN1OCTETSTRING pCmsContent;
320	/** Same as Content.pEncapsulated, except a choice of known types. */
321	union
322	{
323	/** ContentType is RTCRPKCS7SIGNEDDATA_OID. */
324	struct RTCRPKCS7SIGNEDDATA *pSignedData;
325	/** ContentType is RTCRSPCINDIRECTDATACONTENT_OID. */
326	struct RTCRSPCINDIRECTDATACONTENT *pIndirectDataContent;
327	/** ContentType is RTCRTSPTSTINFO_OID. */
328	struct RTCRTSPTSTINFO *pTstInfo;
329	/** Generic / Unknown / User. */
330	PRTASN1CORE pCore;
331	} u;
332	} RTCRPKCS7CONTENTINFO;
333	/** Pointer to the IPRT representation of a PKCS \#7 ContentInfo. */
334	typedef RTCRPKCS7CONTENTINFO *PRTCRPKCS7CONTENTINFO;
335	/** Pointer to the const IPRT representation of a PKCS \#7 ContentInfo. */
336	typedef RTCRPKCS7CONTENTINFO const *PCRTCRPKCS7CONTENTINFO;
337	RTASN1TYPE_STANDARD_PROTOTYPES(RTCRPKCS7CONTENTINFO, RTDECL, RTCrPkcs7ContentInfo, SeqCore.Asn1Core);
338	RTASN1_IMPL_GEN_SET_OF_TYPEDEFS_AND_PROTOS(RTCRPKCS7SETOFCONTENTINFOS, RTCRPKCS7CONTENTINFO, RTDECL, RTCrPkcs7SetOfContentInfos);
339
340	RTDECL(bool) RTCrPkcs7ContentInfo_IsSignedData(PCRTCRPKCS7CONTENTINFO pThis);
341
342
343	/**
344	* PKCS \#7 Certificate choice.
345	*/
346	typedef enum RTCRPKCS7CERTCHOICE
347	{
348	RTCRPKCS7CERTCHOICE_INVALID = 0,
349	RTCRPKCS7CERTCHOICE_X509,
350	RTCRPKCS7CERTCHOICE_EXTENDED_PKCS6,
351	RTCRPKCS7CERTCHOICE_AC_V1,
352	RTCRPKCS7CERTCHOICE_AC_V2,
353	RTCRPKCS7CERTCHOICE_OTHER,
354	RTCRPKCS7CERTCHOICE_END,
355	RTCRPKCS7CERTCHOICE_32BIT_HACK = 0x7fffffff
356	} RTCRPKCS7CERTCHOICE;
357
358
359	/**
360	* Common representation for PKCS \#7 ExtendedCertificateOrCertificate and the
361	* CMS CertificateChoices types.
362	*/
363	typedef struct RTCRPKCS7CERT
364	{
365	/** Dummy ASN.1 record, not encoded. */
366	RTASN1DUMMY Dummy;
367	/** The value allocation. */
368	RTASN1ALLOCATION Allocation;
369	/** The choice of value. */
370	RTCRPKCS7CERTCHOICE enmChoice;
371	/** The value union. */
372	union
373	{
374	/** Standard X.509 certificate (RTCRCMSCERTIFICATECHOICE_X509). */
375	PRTCRX509CERTIFICATE pX509Cert;
376	/** Extended PKCS \#6 certificate (RTCRCMSCERTIFICATECHOICE_EXTENDED_PKCS6). */
377	PRTASN1CORE pExtendedCert;
378	/** Attribute certificate version 1 (RTCRCMSCERTIFICATECHOICE_AC_V1). */
379	PRTASN1CORE pAcV1;
380	/** Attribute certificate version 2 (RTCRCMSCERTIFICATECHOICE_AC_V2). */
381	PRTASN1CORE pAcV2;
382	/** Other certificate (RTCRCMSCERTIFICATECHOICE_OTHER). */
383	PRTASN1CORE pOtherCert;
384	} u;
385	} RTCRPKCS7CERT;
386	/** Pointer to the IPRT representation of PKCS \#7 or CMS certificate. */
387	typedef RTCRPKCS7CERT *PRTCRPKCS7CERT;
388	/** Pointer to the const IPRT representation of PKCS \#7 or CMS certificate. */
389	typedef RTCRPKCS7CERT const *PCRTCRPKCS7CERT;
390	RTASN1TYPE_STANDARD_PROTOTYPES(RTCRPKCS7CERT, RTDECL, RTCrPkcs7Cert, Dummy.Asn1Core);
391	RTASN1_IMPL_GEN_SET_OF_TYPEDEFS_AND_PROTOS(RTCRPKCS7SETOFCERTS, RTCRPKCS7CERT, RTDECL, RTCrPkcs7SetOfCerts);
392
393	RTDECL(int) RTCrPkcs7Cert_SetX509Cert(PRTCRPKCS7CERT pThis, PCRTCRX509CERTIFICATE pToClone, PCRTASN1ALLOCATORVTABLE pAllocator);
394	RTDECL(int) RTCrPkcs7Cert_SetExtendedCert(PRTCRPKCS7CERT pThis, PCRTASN1CORE pToClone, PCRTASN1ALLOCATORVTABLE pAllocator);
395	RTDECL(int) RTCrPkcs7Cert_SetAcV1(PRTCRPKCS7CERT pThis, PCRTASN1CORE pToClone, PCRTASN1ALLOCATORVTABLE pAllocator);
396	RTDECL(int) RTCrPkcs7Cert_SetAcV2(PRTCRPKCS7CERT pThis, PCRTASN1CORE pToClone, PCRTASN1ALLOCATORVTABLE pAllocator);
397	RTDECL(int) RTCrPkcs7Cert_SetOtherCert(PRTCRPKCS7CERT pThis, PCRTASN1CORE pToClone, PCRTASN1ALLOCATORVTABLE pAllocator);
398
399	RTDECL(PCRTCRX509CERTIFICATE) RTCrPkcs7SetOfCerts_FindX509ByIssuerAndSerialNumber(PCRTCRPKCS7SETOFCERTS pCertificates,
400	PCRTCRX509NAME pIssuer,
401	PCRTASN1INTEGER pSerialNumber);
402
403
404	/**
405	* PKCS \#7 SignedData (IPRT representation).
406	*/
407	typedef struct RTCRPKCS7SIGNEDDATA
408	{
409	/** Sequence core. */
410	RTASN1SEQUENCECORE SeqCore;
411	/** The structure version value (1). */
412	RTASN1INTEGER Version;
413	/** The digest algorithms that are used to signed the content (ContentInfo). */
414	RTCRX509ALGORITHMIDENTIFIERS DigestAlgorithms;
415	/** The content that's being signed. */
416	RTCRPKCS7CONTENTINFO ContentInfo;
417	/** Certificates, optional, implicit tag 0. (Required by Authenticode.) */
418	RTCRPKCS7SETOFCERTS Certificates;
419	/** Certificate revocation lists, optional, implicit tag 1.
420	* Not used by Authenticode, so currently stubbed. */
421	RTASN1CORE Crls;
422	/** Signer infos. */
423	RTCRPKCS7SIGNERINFOS SignerInfos;
424	} RTCRPKCS7SIGNEDDATA;
425	/** Pointer to the IPRT representation of a PKCS \#7 SignedData. */
426	typedef RTCRPKCS7SIGNEDDATA *PRTCRPKCS7SIGNEDDATA;
427	/** Pointer to the const IPRT representation of a PKCS \#7 SignedData. */
428	typedef RTCRPKCS7SIGNEDDATA const *PCRTCRPKCS7SIGNEDDATA;
429	RTASN1TYPE_STANDARD_PROTOTYPES(RTCRPKCS7SIGNEDDATA, RTDECL, RTCrPkcs7SignedData, SeqCore.Asn1Core);
430	RTASN1_IMPL_GEN_SET_OF_TYPEDEFS_AND_PROTOS(RTCRPKCS7SETOFSIGNEDDATA, RTCRPKCS7SIGNEDDATA, RTDECL, RTCrPkcs7SetOfSignedData);
431
432	/** PKCS \#7 SignedData object ID. */
433	#define RTCRPKCS7SIGNEDDATA_OID RTCR_PKCS7_SIGNED_DATA_OID
434
435	/** PKCS \#7 SignedData version number 1. */
436	#define RTCRPKCS7SIGNEDDATA_V1 1
437	/* No version 2 seems to exist. */
438	/** CMS SignedData version number 3.
439	* This should only be used if there are version 1 attribute certificates
440	* present, or if there are version 3 SignerInfo items present, or if
441	* enmcCountInfo is not id-data (RFC-5652, section 5.1). */
442	#define RTCRPKCS7SIGNEDDATA_V3 3
443	/** CMS SignedData version number 4.
444	* This should only be used if there are version 2 attribute certificates
445	* present (RFC-5652, section 5.1). */
446	#define RTCRPKCS7SIGNEDDATA_V4 4
447	/** CMS SignedData version number 5.
448	* This should only be used if there are certificates or/and CRLs of the
449	* OTHER type present (RFC-5652, section 5.1). */
450	#define RTCRPKCS7SIGNEDDATA_V5 5
451
452	RTDECL(int) RTCrPkcs7SignedData_SetCertificates(PRTCRPKCS7SIGNEDDATA pThis, PCRTCRPKCS7SETOFCERTS pCerts, PCRTASN1ALLOCATORVTABLE pAllocator);
453	RTDECL(int) RTCrPkcs7SignedData_SetCrls(PRTCRPKCS7SIGNEDDATA pThis, PCRTASN1CORE pCerts, PCRTASN1ALLOCATORVTABLE pAllocator);
454
455	/** @name RTCRPKCS7SIGNEDDATA_SANITY_F_XXX - Flags for RTPkcs7SignedDataCheckSantiy.
456	* @{ */
457	/** Check for authenticode restrictions. */
458	#define RTCRPKCS7SIGNEDDATA_SANITY_F_AUTHENTICODE RT_BIT_32(0)
459	/** Check that all the hash algorithms are known to IPRT. */
460	#define RTCRPKCS7SIGNEDDATA_SANITY_F_ONLY_KNOWN_HASH RT_BIT_32(1)
461	/** Require signing certificate to be present. */
462	#define RTCRPKCS7SIGNEDDATA_SANITY_F_SIGNING_CERT_PRESENT RT_BIT_32(2)
463	/** @} */
464
465	/** PKCS\#7/CMS (content info) markers. */
466	extern RTDATADECL(RTCRPEMMARKER const) g_aRTCrPkcs7Markers[];
467	/** Number of entries in g_aRTCrPkcs7Markers. */
468	extern RTDATADECL(uint32_t const) g_cRTCrPkcs7Markers;
469
470	/** @name Flags for RTCrPkcs7ContentInfo_ReadFromBuffer
471	* @{ */
472	/** Only allow PEM certificates, not binary ones.
473	* @sa RTCRPEMREADFILE_F_ONLY_PEM */
474	#define RTCRPKCS7_READ_F_PEM_ONLY RT_BIT(1)
475	/** @} */
476
477	RTDECL(int) RTCrPkcs7_ReadFromBuffer(PRTCRPKCS7CONTENTINFO pContentInfo, const void *pvBuf, size_t cbBuf,
478	uint32_t fFlags, PCRTASN1ALLOCATORVTABLE pAllocator,
479	bool pfCmsLabeled, PRTERRINFO pErrInfo, const char pszErrorTag);
480
481
482	/**
483	* PKCS \#7 DigestInfo (IPRT representation).
484	*/
485	typedef struct RTCRPKCS7DIGESTINFO
486	{
487	/** Sequence core. */
488	RTASN1SEQUENCECORE SeqCore;
489	/** The digest algorithm use to digest the signed content. */
490	RTCRX509ALGORITHMIDENTIFIER DigestAlgorithm;
491	/** The digest. */
492	RTASN1OCTETSTRING Digest;
493	} RTCRPKCS7DIGESTINFO;
494	/** Pointer to the IPRT representation of a PKCS \#7 DigestInfo object. */
495	typedef RTCRPKCS7DIGESTINFO *PRTCRPKCS7DIGESTINFO;
496	/** Pointer to the const IPRT representation of a PKCS \#7 DigestInfo object. */
497	typedef RTCRPKCS7DIGESTINFO const *PCRTCRPKCS7DIGESTINFO;
498	RTASN1TYPE_STANDARD_PROTOTYPES(RTCRPKCS7DIGESTINFO, RTDECL, RTCrPkcs7DigestInfo, SeqCore.Asn1Core);
499
500
501	/**
502	* Callback function for use with RTCrPkcs7VerifySignedData.
503	*
504	* @returns IPRT status code.
505	* @param pCert The certificate to verify.
506	* @param hCertPaths Unless the certificate is trusted directly, this
507	* is a reference to the certificate path builder
508	* and verifier instance that we used to establish
509	* at least valid trusted path to @a pCert. The
510	* callback can use this to enforce additional
511	* certificate lineage requirements, effective
512	* policy checks and whatnot.
513	* This is NIL_RTCRX509CERTPATHS if the certificate
514	* is directly trusted.
515	* @param fFlags Mix of the RTCRPKCS7VCC_F_XXX flags.
516	* @param pvUser The user argument.
517	* @param pErrInfo Optional error info buffer.
518	*/
519	typedef DECLCALLBACKTYPE(int, FNRTCRPKCS7VERIFYCERTCALLBACK,(PCRTCRX509CERTIFICATE pCert, RTCRX509CERTPATHS hCertPaths,
520	uint32_t fFlags, void *pvUser, PRTERRINFO pErrInfo));
521	/** Pointer to a FNRTCRPKCS7VERIFYCERTCALLBACK callback. */
522	typedef FNRTCRPKCS7VERIFYCERTCALLBACK *PFNRTCRPKCS7VERIFYCERTCALLBACK;
523
524	/** @name RTCRPKCS7VCC_F_XXX - Flags for FNRTCRPKCS7VERIFYCERTCALLBACK.
525	* @{ */
526	/** Normal callback for a direct signatory of the signed data. */
527	#define RTCRPKCS7VCC_F_SIGNED_DATA RT_BIT_32(0)
528	/** Check that the signatory can be trusted for timestamps. */
529	#define RTCRPKCS7VCC_F_TIMESTAMP RT_BIT_32(1)
530	/** @} */
531
532	/**
533	* @callback_method_impl{FNRTCRPKCS7VERIFYCERTCALLBACK,
534	* Default implementation that checks for the DigitalSignature KeyUsage bit.}
535	*/
536	RTDECL(int) RTCrPkcs7VerifyCertCallbackDefault(PCRTCRX509CERTIFICATE pCert, RTCRX509CERTPATHS hCertPaths, uint32_t fFlags,
537	void *pvUser, PRTERRINFO pErrInfo);
538
539	/**
540	* @callback_method_impl{FNRTCRPKCS7VERIFYCERTCALLBACK,
541	* Standard code signing. Use this for Microsoft SPC.}
542	*/
543	RTDECL(int) RTCrPkcs7VerifyCertCallbackCodeSigning(PCRTCRX509CERTIFICATE pCert, RTCRX509CERTPATHS hCertPaths, uint32_t fFlags,
544	void *pvUser, PRTERRINFO pErrInfo);
545
546	/**
547	* Verifies PKCS \#7 SignedData.
548	*
549	* For compatability with alternative crypto providers, the user must work on
550	* the top level PKCS \#7 structure instead directly on the SignedData.
551	*
552	* @returns IPRT status code.
553	* @param pContentInfo PKCS \#7 content info structure.
554	* @param fFlags RTCRPKCS7VERIFY_SD_F_XXX.
555	* @param hAdditionalCerts Store containing additional certificates to
556	* supplement those mentioned in the signed data.
557	* @param hTrustedCerts Store containing trusted certificates.
558	* @param pValidationTime The time we're supposed to validate the
559	* certificates chains at. Ignored for signatures
560	* with valid signing time attributes.
561	* When RTCRPKCS7VERIFY_SD_F_UPDATE_VALIDATION_TIME
562	* is set, this is updated to the actual validation
563	* time used.
564	* @param pfnVerifyCert Callback for checking that a certificate used
565	* for signing the data is suitable.
566	* @param pvUser User argument for the callback.
567	* @param pErrInfo Optional error info buffer.
568	* @sa RTCrPkcs7VerifySignedDataWithExternalData
569	*/
570	RTDECL(int) RTCrPkcs7VerifySignedData(PCRTCRPKCS7CONTENTINFO pContentInfo, uint32_t fFlags,
571	RTCRSTORE hAdditionalCerts, RTCRSTORE hTrustedCerts,
572	PCRTTIMESPEC pValidationTime, PFNRTCRPKCS7VERIFYCERTCALLBACK pfnVerifyCert, void *pvUser,
573	PRTERRINFO pErrInfo);
574
575
576	/**
577	* Verifies PKCS \#7 SignedData with external data.
578	*
579	* For compatability with alternative crypto providers, the user must work on
580	* the top level PKCS \#7 structure instead directly on the SignedData.
581	*
582	* @returns IPRT status code.
583	* @param pContentInfo PKCS \#7 content info structure.
584	* @param fFlags RTCRPKCS7VERIFY_SD_F_XXX.
585	* @param hAdditionalCerts Store containing additional certificates to
586	* supplement those mentioned in the signed data.
587	* @param hTrustedCerts Store containing trusted certificates.
588	* @param pValidationTime The time we're supposed to validate the
589	* certificates chains at. Ignored for signatures
590	* with valid signing time attributes.
591	* When RTCRPKCS7VERIFY_SD_F_UPDATE_VALIDATION_TIME
592	* is set, this is updated to the actual validation
593	* time used.
594	* @param pfnVerifyCert Callback for checking that a certificate used
595	* for signing the data is suitable.
596	* @param pvUser User argument for the callback.
597	* @param pvData The signed external data.
598	* @param cbData The size of the signed external data.
599	* @param pErrInfo Optional error info buffer.
600	* @sa RTCrPkcs7VerifySignedData
601	*/
602	RTDECL(int) RTCrPkcs7VerifySignedDataWithExternalData(PCRTCRPKCS7CONTENTINFO pContentInfo, uint32_t fFlags,
603	RTCRSTORE hAdditionalCerts, RTCRSTORE hTrustedCerts,
604	PCRTTIMESPEC pValidationTime,
605	PFNRTCRPKCS7VERIFYCERTCALLBACK pfnVerifyCert, void *pvUser,
606	void const *pvData, size_t cbData, PRTERRINFO pErrInfo);
607
608	/** @name RTCRPKCS7VERIFY_SD_F_XXX - Flags for RTCrPkcs7VerifySignedData and
609	* RTCrPkcs7VerifySignedDataWithExternalData
610	* @{ */
611	/** Always use the signing time attribute if present, requiring it to be
612	* verified as valid. The default behavior is to ignore unverifiable
613	* signing time attributes and use the @a pValidationTime instead. */
614	#define RTCRPKCS7VERIFY_SD_F_ALWAYS_USE_SIGNING_TIME_IF_PRESENT RT_BIT_32(0)
615	/** Same as RTCRPKCS7VERIFY_SD_F_ALWAYS_USE_SIGNING_TIME_IF_PRESENT for the MS
616	* timestamp counter signatures. */
617	#define RTCRPKCS7VERIFY_SD_F_ALWAYS_USE_MS_TIMESTAMP_IF_PRESENT RT_BIT_32(1)
618	/** Only use signing time attributes from counter signatures. */
619	#define RTCRPKCS7VERIFY_SD_F_COUNTER_SIGNATURE_SIGNING_TIME_ONLY RT_BIT_32(2)
620	/** Don't validate the counter signature containing the signing time, just use
621	* it unverified. This is useful if we don't necessarily have the root
622	* certificates for the timestamp server handy, but use with great care.
623	* @sa RTCRPKCS7VERIFY_SD_F_USE_MS_TIMESTAMP_UNVERIFIED */
624	#define RTCRPKCS7VERIFY_SD_F_USE_SIGNING_TIME_UNVERIFIED RT_BIT_32(3)
625	/** Don't validate the MS counter signature containing the signing timestamp.
626	* @sa RTCRPKCS7VERIFY_SD_F_USE_SIGNING_TIME_UNVERIFIED */
627	#define RTCRPKCS7VERIFY_SD_F_USE_MS_TIMESTAMP_UNVERIFIED RT_BIT_32(4)
628	/** Do not consider timestamps in microsoft counter signatures. */
629	#define RTCRPKCS7VERIFY_SD_F_IGNORE_MS_TIMESTAMP RT_BIT_32(5)
630	/** The signed data requires certificates to have the timestamp extended
631	* usage bit present. This is used for recursivly verifying MS timestamp
632	* signatures. */
633	#define RTCRPKCS7VERIFY_SD_F_USAGE_TIMESTAMPING RT_BIT_32(6)
634	/** Skip the verification of the certificate trust paths, taking all
635	* certificates to be trustworthy. */
636	#define RTCRPKCS7VERIFY_SD_F_TRUST_ALL_CERTS RT_BIT_32(7)
637	/** Update @a pValidationTime with the actual validation time used.
638	* This requires RTCRPKCS7VERIFY_SD_F_HAS_SIGNER_INDEX to get a consistent
639	* result. And yeah, it unconst the parameter, which is patently ugly. */
640	#define RTCRPKCS7VERIFY_SD_F_UPDATE_VALIDATION_TIME RT_BIT_32(8)
641	/** Check trust anchors (@sa RTCrX509CertPathsSetTrustAnchorChecks). */
642	#define RTCRPKCS7VERIFY_SD_F_CHECK_TRUST_ANCHORS RT_BIT_32(9)
643
644	/** This can be used to only verify one given signer info.
645	* Max index value is 15. */
646	#define RTCRPKCS7VERIFY_SD_F_SIGNER_INDEX(a_idxSignerInfo) \
647	( RTCRPKCS7VERIFY_SD_F_HAS_SIGNER_INDEX \
648	\| (((a_idxSignerInfo) & RTCRPKCS7VERIFY_SD_F_SIGNER_INDEX_MAX) << RTCRPKCS7VERIFY_SD_F_SIGNER_INDEX_SHIFT) )
649	/** Has a valid value in RTCRPKCS7VERIFY_SD_F_SIGNER_INDEX_MASK. */
650	#define RTCRPKCS7VERIFY_SD_F_HAS_SIGNER_INDEX RT_BIT_32(23)
651	/** Signer index shift value. */
652	#define RTCRPKCS7VERIFY_SD_F_SIGNER_INDEX_SHIFT 24
653	/** Signer index mask. */
654	#define RTCRPKCS7VERIFY_SD_F_SIGNER_INDEX_MASK UINT32_C(0x0f000000)
655	/** Max signer index value (inclusive). */
656	#define RTCRPKCS7VERIFY_SD_F_SIGNER_INDEX_MAX \
657	(RTCRPKCS7VERIFY_SD_F_SIGNER_INDEX_MASK >> RTCRPKCS7VERIFY_SD_F_SIGNER_INDEX_SHIFT)
658
659	/** Indicates internally that we're validating a counter signature and should
660	* use different rules when checking out the authenticated attributes.
661	* @internal */
662	#define RTCRPKCS7VERIFY_SD_F_COUNTER_SIGNATURE RT_BIT_32(31)
663	/** @} */
664
665
666	RTDECL(int) RTCrPkcs7SimpleSignSignedData(uint32_t fFlags, PCRTCRX509CERTIFICATE pSigner, RTCRKEY hPrivateKey,
667	void const *pvData, size_t cbData, RTDIGESTTYPE enmDigestType,
668	RTCRSTORE hAdditionalCerts, PCRTCRPKCS7ATTRIBUTES pAdditionalAuthenticatedAttribs,
669	void pvResult, size_t pcbResult, PRTERRINFO pErrInfo);
670
671	/** @name RTCRPKCS7SIGN_SD_F_XXX - Flags for RTCrPkcs7SimpleSign.
672	* @{ */
673	/** Detached data. */
674	#define RTCRPKCS7SIGN_SD_F_DEATCHED RT_BIT_32(0)
675	/** No SMIME capabilities attribute. */
676	#define RTCRPKCS7SIGN_SD_F_NO_SMIME_CAP RT_BIT_32(1)
677	/** Produce version 1 output (PKCS\#7), rather than version 3 (CMS). */
678	#define RTCRPKCS7SIGN_SD_F_USE_V1 RT_BIT_32(2)
679	/** Avoid extra OCTET STRING encapsulation around the data blob.
680	* This is needed for Authenticode signatures. This requires that the
681	* content type is supplied via the additional authenticated attributes.
682	* @note Currently only works with RTCRPKCS7SIGN_SD_F_USE_V1. */
683	#define RTCRPKCS7SIGN_SD_F_NO_DATA_ENCAP RT_BIT_32(3)
684	/** Valid flag mask. */
685	#define RTCRPKCS7SIGN_SD_F_VALID_MASK UINT32_C(0x0000000f)
686	/** @} */
687
688	/** @} */
689
690	RT_C_DECLS_END
691
692	#endif /* !IPRT_INCLUDED_crypto_pkcs7_h */
693

Note: See TracBrowser for help on using the repository browser.

source: vbox/trunk/include/iprt/crypto/pkcs7.h@ 95668

Download in other formats: