VirtualBox

source: vbox/trunk/include/iprt/crypto/pkix.h@ 73665

Last change on this file since 73665 was 73665, checked in by vboxsync, 6 years ago

IPRT,SUP,Main: Working on new crypto key handling and rsa signing. bugref:9152
  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
File size: 22.5 KB
Line 
1/** @file
2 * IPRT - Public Key Infrastructure APIs.
3 */
4
5/*
6 * Copyright (C) 2006-2017 Oracle Corporation
7 *
8 * This file is part of VirtualBox Open Source Edition (OSE), as
9 * available from http://www.virtualbox.org. This file is free software;
10 * you can redistribute it and/or modify it under the terms of the GNU
11 * General Public License (GPL) as published by the Free Software
12 * Foundation, in version 2 as it comes in the "COPYING" file of the
13 * VirtualBox OSE distribution. VirtualBox OSE is distributed in the
14 * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
15 *
16 * The contents of this file may alternatively be used under the terms
17 * of the Common Development and Distribution License Version 1.0
18 * (CDDL) only, as it comes in the "COPYING.CDDL" file of the
19 * VirtualBox OSE distribution, in which case the provisions of the
20 * CDDL are applicable instead of those of the GPL.
21 *
22 * You may elect to license modified versions of this file under the
23 * terms and conditions of either the GPL or the CDDL or both.
24 */
25
26#ifndef ___iprt_crypto_pkix_h
27#define ___iprt_crypto_pkix_h
28
29#include <iprt/asn1.h>
30
31
32RT_C_DECLS_BEGIN
33
34struct RTCRX509SUBJECTPUBLICKEYINFO;
35
36/** @defgroup grp_rt_crpkix RTCrPkix - Public Key Infrastructure APIs
37 * @ingroup grp_rt_crypto
38 * @{
39 */
40
41/**
42 * Verifies the signature (@a pSignatureValue) of the give data (@a pvData)
43 * using the specfied public key (@a pPublicKey) and algorithm.
44 *
45 * @returns IPRT status code.
46 * @param pAlgorithm The signature algorithm (digest w/ cipher).
47 * @param hPublicKey The public key.
48 * @param pParameters Parameter to the public key algorithm. Optional.
49 * @param pSignatureValue The signature value.
50 * @param pvData The signed data.
51 * @param cbData The amount of signed data.
52 * @param pErrInfo Where to return extended error info. Optional.
53 *
54 * @remarks Depending on the IPRT build configuration, the verficiation may be
55 * performed more than once using all available crypto implementations.
56 */
57RTDECL(int) RTCrPkixPubKeyVerifySignature(PCRTASN1OBJID pAlgorithm, RTCRKEY hPublicKey, PCRTASN1DYNTYPE pParameters,
58 PCRTASN1BITSTRING pSignatureValue, const void *pvData, size_t cbData,
59 PRTERRINFO pErrInfo);
60
61
62/**
63 * Verifies the signed digest (@a pvSignedDigest) against our digest (@a
64 * hDigest) using the specfied public key (@a pPublicKey) and algorithm.
65 *
66 * @returns IPRT status code.
67 * @param pAlgorithm The signature algorithm (digest w/ cipher).
68 * @param hPublicKey The public key.
69 * @param pParameters Parameter to the public key algorithm. Optional.
70 * @param pvSignedDigest The signed digest.
71 * @param cbSignedDigest The signed digest size.
72 * @param hDigest The digest of the data to compare @a pvSignedDigest
73 * with.
74 * @param pErrInfo Where to return extended error info. Optional.
75 *
76 * @remarks Depending on the IPRT build configuration, the verficiation may be
77 * performed more than once using all available crypto implementations.
78 */
79RTDECL(int) RTCrPkixPubKeyVerifySignedDigest(PCRTASN1OBJID pAlgorithm, RTCRKEY hPublicKey, PCRTASN1DYNTYPE pParameters,
80 void const *pvSignedDigest, size_t cbSignedDigest,
81 RTCRDIGEST hDigest, PRTERRINFO pErrInfo);
82
83/**
84 * Wrapper around RTCrPkixPubKeyVerifySignedDigest & RTCrKeyCreateFromAlgorithmAndBits.
85 *
86 * @note The public key info must include digest type for this to work.
87 */
88RTDECL(int) RTCrPkixPubKeyVerifySignedDigestByCertPubKeyInfo(struct RTCRX509SUBJECTPUBLICKEYINFO const *pCertPubKeyInfo,
89 void const *pvSignedDigest, size_t cbSignedDigest,
90 RTCRDIGEST hDigest, PRTERRINFO pErrInfo);
91
92
93/**
94 * Signs a digest (@a hDigest) using the specified private key (@a pPrivateKey) and algorithm.
95 *
96 * @returns IPRT status code.
97 * @param pAlgorithm The signature algorithm (digest w/ cipher).
98 * @param hPrivateKey Handle to the private key to use.
99 * @param pParameters Parameter to the public key algorithm. Optional.
100 * @param hDigest The digest of the data being signed.
101 * @param fFlags Flags for future extensions, MBZ.
102 * @param pvSignature The output signature buffer. Pass NULL to query
103 * the signature size.
104 * @param pcbSignature On input the variable pointed to holds the size of
105 * the buffer @a pvSignature points to.
106 * On return the variable pointed to is set to the size
107 * of the returned signature, or the required size in
108 * case of VERR_BUFFER_OVERFLOW.
109 * @param pErrInfo Where to return extended error info. Optional.
110 *
111 * @remarks Depending on the IPRT build configuration and the algorithm used, the
112 * signing may be performed more than once using all available crypto
113 * implementations.
114 */
115RTDECL(int) RTCrPkixPubKeySignDigest(PCRTASN1OBJID pAlgorithm, RTCRKEY hPrivateKey, PCRTASN1DYNTYPE pParameters,
116 RTCRDIGEST hDigest, uint32_t fFlags,
117 void *pvSignature, size_t *pcbSignature, PRTERRINFO pErrInfo);
118
119/**
120 * Gets the cipher OID matching the given signature algorithm.
121 *
122 * @returns Cipher OID string on success, NULL on failure.
123 * @param pAlgorithm The signature algorithm (digest w/ cipher).
124 */
125RTDECL(const char *) RTCrPkixGetCiperOidFromSignatureAlgorithm(PCRTASN1OBJID pAlgorithm);
126
127
128/** @name PKCS-1 Object Identifiers (OIDs)
129 * @{ */
130#define RTCR_PKCS1_OID "1.2.840.113549.1.1"
131#define RTCR_PKCS1_RSA_OID "1.2.840.113549.1.1.1"
132#define RTCR_PKCS1_MD2_WITH_RSA_OID "1.2.840.113549.1.1.2"
133#define RTCR_PKCS1_MD4_WITH_RSA_OID "1.2.840.113549.1.1.3"
134#define RTCR_PKCS1_MD5_WITH_RSA_OID "1.2.840.113549.1.1.4"
135#define RTCR_PKCS1_SHA1_WITH_RSA_OID "1.2.840.113549.1.1.5"
136#define RTCR_PKCS1_RSA_OAEP_ENCRYPTION_SET_OID "1.2.840.113549.1.1.6"
137#define RTCR_PKCS1_RSA_AES_OAEP_OID "1.2.840.113549.1.1.7"
138#define RTCR_PKCS1_MSGF1_OID "1.2.840.113549.1.1.8"
139#define RTCR_PKCS1_P_SPECIFIED_OID "1.2.840.113549.1.1.9"
140#define RTCR_PKCS1_RSASSA_PSS_OID "1.2.840.113549.1.1.10"
141#define RTCR_PKCS1_SHA256_WITH_RSA_OID "1.2.840.113549.1.1.11"
142#define RTCR_PKCS1_SHA384_WITH_RSA_OID "1.2.840.113549.1.1.12"
143#define RTCR_PKCS1_SHA512_WITH_RSA_OID "1.2.840.113549.1.1.13"
144#define RTCR_PKCS1_SHA224_WITH_RSA_OID "1.2.840.113549.1.1.14"
145/** @} */
146
147
148/**
149 * Public key signature scheme provider descriptor.
150 */
151typedef struct RTCRPKIXSIGNATUREDESC
152{
153 /** The signature scheme provider name. */
154 const char *pszName;
155 /** The object ID string. */
156 const char *pszObjId;
157 /** Pointer to a NULL terminated table of alias object IDs (optional). */
158 const char * const *papszObjIdAliases;
159 /** The size of the state. */
160 uint32_t cbState;
161 /** Reserved for future / explicit padding. */
162 uint32_t uReserved;
163 /** Provider specific field. This generally indicates the kind of padding
164 * scheme to employ with the given OID. */
165 uintptr_t uProviderSpecific;
166
167 /**
168 * Initializes the state of the signature scheme provider.
169 *
170 * Optional, RT_BZERO will be used if NULL.
171 *
172 * @returns IPRT status code.
173 * @param pDesc Pointer to this structure (for uProviderSpecific).
174 * @param pvState The opaque provider state.
175 * @param pvOpaque Opaque provider specific parameter.
176 * @param fSigning Set if a signing operation is going to be performed,
177 * clear if it is a verification. This is a fixed
178 * setting for the lifetime of the instance due to the
179 * algorithm requiring different keys.
180 * @param hKey The key handle. Caller has retained it for the
181 * lifetime of the state being initialize.
182 * @param pParams Algorithm/key parameters, optional. Will be NULL if
183 * none.
184 */
185 DECLCALLBACKMEMBER(int, pfnInit)(struct RTCRPKIXSIGNATUREDESC const *pDesc, void *pvState, void *pvOpaque, bool fSigning,
186 RTCRKEY hKey, PCRTASN1DYNTYPE pParams);
187
188 /**
189 * Resets the state before performing another signing or verification.
190 *
191 * Optional. It is assumed that the provider does not have any state needing to
192 * be re-initialized if this method is not implemented.
193 *
194 * @returns IPRT status code.
195 * @param pDesc Pointer to this structure (for uProviderSpecific).
196 * @param pvState The opaque provider state.
197 * @param fSigning Exactly the same value as the init call.
198 */
199 DECLCALLBACKMEMBER(int, pfnReset)(struct RTCRPKIXSIGNATUREDESC const *pDesc, void *pvState, bool fSigning);
200
201 /**
202 * Deletes the provider state. Optional.
203 *
204 * The state will be securely wiped clean after the call, regardless of whether
205 * the method is implemented or not.
206 *
207 * @param pDesc Pointer to this structure (for uProviderSpecific).
208 * @param pvState The opaque provider state.
209 * @param fSigning Exactly the same value as the init call.
210 */
211 DECLCALLBACKMEMBER(void, pfnDelete)(struct RTCRPKIXSIGNATUREDESC const *pDesc, void *pvState, bool fSigning);
212
213 /**
214 * Verifies a signed message digest (fSigning = false).
215 *
216 * @returns IPRT status code.
217 * @retval VINF_SUCCESS if the signature checked out correctly.
218 * @retval VERR_PKIX_KEY wrong key or some other key issue.
219 *
220 * @param pDesc Pointer to this structure (for uProviderSpecific).
221 * @param pvState The opaque provider state.
222 * @param hKey The key handle associated with the state at init.
223 * @param hDigest The handle to the digest. Call RTCrDigestFinal to
224 * complete and retreive the final hash value.
225 * @param pvSignature The signature to validate.
226 * @param cbSignature The size of the signature (in bytes).
227 */
228 DECLCALLBACKMEMBER(int, pfnVerify)(struct RTCRPKIXSIGNATUREDESC const *pDesc, void *pvState, RTCRKEY hKey,
229 RTCRDIGEST hDigest, void const *pvSignature, size_t cbSignature);
230
231 /**
232 * Sign a message digest (fSigning = true).
233 *
234 * @returns IPRT status code.
235 * @retval VINF_SUCCESS on success.
236 * @retval VERR_PKIX_KEY wrong key or some other key issue.
237 * @retval VERR_BUFFER_OVERFLOW if the signature buffer is too small, the
238 * require buffer size will be available in @a *pcbSignature.
239 *
240 * @param pDesc Pointer to this structure (for uProviderSpecific).
241 * @param pvState The opaque provider state.
242 * @param hKey The key handle associated with the state at init.
243 * @param hDigest The handle to the digest. Call RTCrDigestFinal to
244 * complete and retreive the final hash value.
245 * @param pvSignature The output signature buffer.
246 * @param pcbSignature On input the variable pointed to holds the size of
247 * the buffer @a pvSignature points to.
248 * On return the variable pointed to is set to the size
249 * of the returned signature, or the required size in
250 * case of VERR_BUFFER_OVERFLOW.
251 */
252 DECLCALLBACKMEMBER(int, pfnSign)(struct RTCRPKIXSIGNATUREDESC const *pDesc, void *pvState, RTCRKEY hKey,
253 RTCRDIGEST hDigest, void *pvSignature, size_t *pcbSignature);
254
255} RTCRPKIXSIGNATUREDESC;
256/** Pointer to a public key signature scheme provider descriptor. */
257typedef RTCRPKIXSIGNATUREDESC const *PCRTCRPKIXSIGNATUREDESC;
258
259
260PCRTCRPKIXSIGNATUREDESC RTCrPkixSignatureFindByObjIdString(const char *pszObjId, void *ppvOpaque);
261PCRTCRPKIXSIGNATUREDESC RTCrPkixSignatureFindByObjId(PCRTASN1OBJID pObjId, void **ppvOpaque);
262RTDECL(int) RTCrPkixSignatureCreateByObjIdString(PRTCRPKIXSIGNATURE phSignature, const char *pszObjId, bool fSigning,
263 RTCRKEY hKey, PCRTASN1DYNTYPE pParams);
264RTDECL(int) RTCrPkixSignatureCreateByObjId(PRTCRPKIXSIGNATURE phSignature, PCRTASN1OBJID pObjId, RTCRKEY hKey,
265 PCRTASN1DYNTYPE pParams, bool fSigning);
266
267
268RTDECL(int) RTCrPkixSignatureCreate(PRTCRPKIXSIGNATURE phSignature, PCRTCRPKIXSIGNATUREDESC pDesc, void *pvOpaque,
269 bool fSigning, RTCRKEY hKey, PCRTASN1DYNTYPE pParams);
270RTDECL(uint32_t) RTCrPkixSignatureRetain(RTCRPKIXSIGNATURE hSignature);
271RTDECL(uint32_t) RTCrPkixSignatureRelease(RTCRPKIXSIGNATURE hSignature);
272RTDECL(int) RTCrPkixSignatureVerify(RTCRPKIXSIGNATURE hSignature, RTCRDIGEST hDigest,
273 void const *pvSignature, size_t cbSignature);
274RTDECL(int) RTCrPkixSignatureVerifyBitString(RTCRPKIXSIGNATURE hSignature, RTCRDIGEST hDigest, PCRTASN1BITSTRING pSignature);
275RTDECL(int) RTCrPkixSignatureVerifyOctetString(RTCRPKIXSIGNATURE hSignature, RTCRDIGEST hDigest, PCRTASN1OCTETSTRING pSignature);
276RTDECL(int) RTCrPkixSignatureSign(RTCRPKIXSIGNATURE hSignature, RTCRDIGEST hDigest,
277 void *pvSignature, size_t *pcbSignature);
278
279
280/**
281 * Public key encryption scheme provider descriptor.
282 *
283 * @todo This is just a sketch left over from when the signature code was
284 * chiseled out.
285 */
286typedef struct RTCRPKIXENCRYPTIONDESC
287{
288 /** The encryption scheme provider name. */
289 const char *pszName;
290 /** The object ID string. */
291 const char *pszObjId;
292 /** Pointer to a NULL terminated table of alias object IDs (optional). */
293 const char * const *papszObjIdAliases;
294 /** The size of the state. */
295 uint32_t cbState;
296 /** Reserved for future use / padding. */
297 uint32_t uReserved;
298 /** Provider specific field. */
299 uintptr_t uProviderSpecific;
300
301 /**
302 * Initializes the state for this encryption scheme.
303 *
304 * Optional, RT_BZERO will be used if NULL.
305 *
306 * @returns IPRT status code.
307 * @param pDesc Pointer to this structure (so uProviderSpecific can
308 * be read).
309 * @param pvState The opaque provider state.
310 * @param pvOpaque Opaque provider specific parameter.
311 * @param fEncrypt Set if the instance will be encrypting, clear if it
312 * will be decrypting. This aspect of the instance is
313 * immutable due to the algorithm requiring different
314 * keys for each of the operations.
315 * @param pKey The key to use (whether private or public depends on
316 * the operation type).
317 * @param pParams Algorithm/key parameters, optional. Will be NULL if
318 * none.
319 */
320 DECLCALLBACKMEMBER(int, pfnInit)(struct RTCRPKIXENCRYPTIONDESC const *pDesc, void *pvState, void *pvOpaque, bool fEncrypt,
321 PCRTASN1BITSTRING pKey, PCRTASN1DYNTYPE pParams);
322
323 /**
324 * Re-initializes the provider state.
325 *
326 * Optional. It is assumed that the provider does not have any state needing
327 * to be re-initialized if this method is not implemented. (Do not assume that
328 * a final encrypt/decrypt call has been made prior to this call.)
329 *
330 * @returns IPRT status code.
331 * @param pDesc Pointer to this structure (so uProviderSpecific can
332 * be read).
333 * @param pvState The opaque provider state.
334 * @param enmOperation Same as for the earlier pfnInit call.
335 */
336 DECLCALLBACKMEMBER(int, pfnReset)(struct RTCRPKIXENCRYPTIONDESC const *pDesc, void *pvState, bool fEncrypt);
337
338 /**
339 * Deletes the provider state. Optional.
340 *
341 * The state will be securely wiped clean after the call, regardless of whether
342 * the method is implemented or not.
343 *
344 * @param pDesc Pointer to this structure (so uProviderSpecific can
345 * be read).
346 * @param pvState The opaque provider state.
347 * @param enmOperation Same as for the earlier pfnInit call.
348 */
349 DECLCALLBACKMEMBER(void, pfnDelete)(struct RTCRPKIXENCRYPTIONDESC const *pDesc, void *pvState, bool fEncrypt);
350
351 /**
352 * Encrypt using the public key (fEncrypt = true).
353 *
354 * @returns IPRT status code.
355 * @retval VINF_SUCCESS on success.
356 * @retval VERR_PKIX_KEY wrong key or some other key issue.
357 * @retval VERR_BUFFER_OVERFLOW if the output buffer is too small, the require
358 * buffer size will be available in @a *pcbCiphertext. The caller can
359 * should retry the call with a larger buffer.
360 *
361 * @param pDesc Pointer to this structure (so uProviderSpecific can
362 * be read).
363 * @param pvState The opaque provider state.
364 * @param pvPlaintext The plaintext to encrypt.
365 * @param cbPlaintext The number of bytes of plaintext.
366 * @param pvCiphertext Where to return the ciphertext (if any).
367 * @param cbMaxCiphertext The size of the buffer @a pvCiphertext points to.
368 * @param pcbCiphertext Where to return the actual number of bytes of
369 * ciphertext returned.
370 * @param fFinal Whether this is the final call.
371 */
372 DECLCALLBACKMEMBER(int, pfnEncrypt)(struct RTCRPKIXENCRYPTIONDESC const *pDesc, void *pvState,
373 void const *pvPlaintext, size_t cbPlaintext,
374 void *pvCiphertext, size_t cbMaxCiphertext, size_t *pcbCiphertext, bool fFinal);
375
376 /**
377 * Calculate the output buffer size for the next pfnEncrypt call.
378 *
379 * @returns IPRT status code.
380 * @param pDesc Pointer to this structure (so uProviderSpecific can
381 * be read).
382 * @param pvState The opaque provider state.
383 * @param cbPlaintext The number of bytes of plaintext.
384 * @param pcbCiphertext Where to return the minimum buffer size. This may
385 * be larger than the actual number of bytes return.
386 * @param fFinal Whether this is the final call.
387 */
388 DECLCALLBACKMEMBER(int, pfnEncryptLength)(struct RTCRPKIXENCRYPTIONDESC const *pDesc, void *pvState,
389 size_t cbPlaintext, size_t *pcbCiphertext, bool fFinal);
390
391 /**
392 * Decrypt using the private key (fEncrypt = false).
393 *
394 * @returns IPRT status code.
395 * @retval VINF_SUCCESS on success.
396 * @retval VERR_PKIX_KEY wrong key or some other key issue.
397 * @retval VERR_BUFFER_OVERFLOW if the output buffer is too small, the require
398 * buffer size will be available in @a *pcbCiphertext. The caller can
399 * should retry the call with a larger buffer.
400 *
401 * @param pDesc Pointer to this structure (so uProviderSpecific can
402 * be read).
403 * @param pvState The opaque provider state.
404 * @param pvCiphertext The ciphertext to decrypt.
405 * @param cbCiphertext The number of bytes of ciphertext.
406 * @param pvPlaintext Where to return the plaintext (if any).
407 * @param cbMaxPlaintext The size of the buffer @a pvPlaintext points to.
408 * @param pcbPlaintext Where to return the actual number of bytes of
409 * plaintext returned.
410 * @param fFinal Whether this is the final call.
411 */
412 DECLCALLBACKMEMBER(int, pfnDecrypt)(struct RTCRPKIXENCRYPTIONDESC const *pDesc, void *pvState,
413 void const *pvCiphertext, size_t cbCiphertext,
414 void *pvPlaintext, size_t cbMaxPlaintext, size_t *pcbPlaintext, bool fFinal);
415
416 /**
417 * Calculate the output buffer size for the next pfnDecrypt call.
418 *
419 * @returns IPRT status code.
420 * @param pDesc Pointer to this structure (so uProviderSpecific can
421 * be read).
422 * @param pvState The opaque provider state.
423 * @param cbCiphertext The number of bytes of ciphertext.
424 * @param pcbPlaintext Where to return the minimum buffer size. This may
425 * be larger than the actual number of bytes return.
426 * @param fFinal Whether this is the final call.
427 */
428 DECLCALLBACKMEMBER(int, pfnDecryptLength)(struct RTCRPKIXENCRYPTIONDESC const *pDesc, void *pvState,
429 size_t cbCiphertext, size_t *pcbPlaintext, bool fFinal);
430} RTCRPKIXENCRYPTIONDESC;
431/** Pointer to a public key encryption schema provider descriptor. */
432typedef RTCRPKIXENCRYPTIONDESC const *PCRTCRPKIXENCRYPTIONDESC;
433
434
435PCRTCRPKIXENCRYPTIONDESC RTCrPkixEncryptionFindByObjIdString(const char *pszObjId, void *ppvOpaque);
436PCRTCRPKIXENCRYPTIONDESC RTCrPkixEncryptionFindByObjId(PCRTASN1OBJID pObjId, void *ppvOpaque);
437RTDECL(int) RTCrPkixEncryptionCreateByObjIdString(PRTCRPKIXENCRYPTION phEncryption, const char *pszObjId,
438 bool fEncrypt, PCRTASN1BITSTRING pKey,PCRTASN1DYNTYPE pParams);
439RTDECL(int) RTCrPkixEncryptionCreateByObjId(PRTCRPKIXENCRYPTION phEncryption, PCRTASN1OBJID pObjId, bool fEncrypt,
440 PCRTASN1BITSTRING pKey, PCRTASN1DYNTYPE pParams);
441
442
443RTDECL(int) RTCrPkixEncryptionCreate(PRTCRPKIXENCRYPTION phEncryption, PCRTCRPKIXENCRYPTIONDESC pDesc, void *pvOpaque,
444 bool fEncrypt, PCRTASN1BITSTRING pKey, PCRTASN1DYNTYPE pParams);
445RTDECL(int) RTCrPkixEncryptionReset(RTCRPKIXENCRYPTION hEncryption);
446RTDECL(uint32_t) RTCrPkixEncryptionRetain(RTCRPKIXENCRYPTION hEncryption);
447RTDECL(uint32_t) RTCrPkixEncryptionRelease(RTCRPKIXENCRYPTION hEncryption);
448
449
450/** @} */
451
452RT_C_DECLS_END
453
454#endif
455
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette