1*8fb009dcSAndroid Build Coastguard Worker /* Copyright (c) 2014, Google Inc. 2*8fb009dcSAndroid Build Coastguard Worker * 3*8fb009dcSAndroid Build Coastguard Worker * Permission to use, copy, modify, and/or distribute this software for any 4*8fb009dcSAndroid Build Coastguard Worker * purpose with or without fee is hereby granted, provided that the above 5*8fb009dcSAndroid Build Coastguard Worker * copyright notice and this permission notice appear in all copies. 6*8fb009dcSAndroid Build Coastguard Worker * 7*8fb009dcSAndroid Build Coastguard Worker * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8*8fb009dcSAndroid Build Coastguard Worker * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9*8fb009dcSAndroid Build Coastguard Worker * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10*8fb009dcSAndroid Build Coastguard Worker * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11*8fb009dcSAndroid Build Coastguard Worker * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12*8fb009dcSAndroid Build Coastguard Worker * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13*8fb009dcSAndroid Build Coastguard Worker * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14*8fb009dcSAndroid Build Coastguard Worker 15*8fb009dcSAndroid Build Coastguard Worker #ifndef OPENSSL_HEADER_PKCS7_H 16*8fb009dcSAndroid Build Coastguard Worker #define OPENSSL_HEADER_PKCS7_H 17*8fb009dcSAndroid Build Coastguard Worker 18*8fb009dcSAndroid Build Coastguard Worker #include <openssl/base.h> 19*8fb009dcSAndroid Build Coastguard Worker 20*8fb009dcSAndroid Build Coastguard Worker #include <openssl/stack.h> 21*8fb009dcSAndroid Build Coastguard Worker 22*8fb009dcSAndroid Build Coastguard Worker #if defined(__cplusplus) 23*8fb009dcSAndroid Build Coastguard Worker extern "C" { 24*8fb009dcSAndroid Build Coastguard Worker #endif 25*8fb009dcSAndroid Build Coastguard Worker 26*8fb009dcSAndroid Build Coastguard Worker 27*8fb009dcSAndroid Build Coastguard Worker // PKCS#7. 28*8fb009dcSAndroid Build Coastguard Worker // 29*8fb009dcSAndroid Build Coastguard Worker // This library contains functions for extracting information from PKCS#7 30*8fb009dcSAndroid Build Coastguard Worker // structures (RFC 2315). 31*8fb009dcSAndroid Build Coastguard Worker 32*8fb009dcSAndroid Build Coastguard Worker DECLARE_STACK_OF(CRYPTO_BUFFER) 33*8fb009dcSAndroid Build Coastguard Worker DECLARE_STACK_OF(X509) 34*8fb009dcSAndroid Build Coastguard Worker DECLARE_STACK_OF(X509_CRL) 35*8fb009dcSAndroid Build Coastguard Worker 36*8fb009dcSAndroid Build Coastguard Worker // PKCS7_get_raw_certificates parses a PKCS#7, SignedData structure from |cbs| 37*8fb009dcSAndroid Build Coastguard Worker // and appends the included certificates to |out_certs|. It returns one on 38*8fb009dcSAndroid Build Coastguard Worker // success and zero on error. |cbs| is advanced passed the structure. 39*8fb009dcSAndroid Build Coastguard Worker // 40*8fb009dcSAndroid Build Coastguard Worker // Note that a SignedData structure may contain no certificates, in which case 41*8fb009dcSAndroid Build Coastguard Worker // this function succeeds but does not append any certificates. Additionally, 42*8fb009dcSAndroid Build Coastguard Worker // certificates in SignedData structures are unordered. Callers should not 43*8fb009dcSAndroid Build Coastguard Worker // assume a particular order in |*out_certs| and may need to search for matches 44*8fb009dcSAndroid Build Coastguard Worker // or run path-building algorithms. 45*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int PKCS7_get_raw_certificates( 46*8fb009dcSAndroid Build Coastguard Worker STACK_OF(CRYPTO_BUFFER) *out_certs, CBS *cbs, CRYPTO_BUFFER_POOL *pool); 47*8fb009dcSAndroid Build Coastguard Worker 48*8fb009dcSAndroid Build Coastguard Worker // PKCS7_get_certificates behaves like |PKCS7_get_raw_certificates| but parses 49*8fb009dcSAndroid Build Coastguard Worker // them into |X509| objects. 50*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int PKCS7_get_certificates(STACK_OF(X509) *out_certs, CBS *cbs); 51*8fb009dcSAndroid Build Coastguard Worker 52*8fb009dcSAndroid Build Coastguard Worker // PKCS7_bundle_raw_certificates appends a PKCS#7, SignedData structure 53*8fb009dcSAndroid Build Coastguard Worker // containing |certs| to |out|. It returns one on success and zero on error. 54*8fb009dcSAndroid Build Coastguard Worker // Note that certificates in SignedData structures are unordered. The order in 55*8fb009dcSAndroid Build Coastguard Worker // |certs| will not be preserved. 56*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int PKCS7_bundle_raw_certificates( 57*8fb009dcSAndroid Build Coastguard Worker CBB *out, const STACK_OF(CRYPTO_BUFFER) *certs); 58*8fb009dcSAndroid Build Coastguard Worker 59*8fb009dcSAndroid Build Coastguard Worker // PKCS7_bundle_certificates behaves like |PKCS7_bundle_raw_certificates| but 60*8fb009dcSAndroid Build Coastguard Worker // takes |X509| objects as input. 61*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int PKCS7_bundle_certificates( 62*8fb009dcSAndroid Build Coastguard Worker CBB *out, const STACK_OF(X509) *certs); 63*8fb009dcSAndroid Build Coastguard Worker 64*8fb009dcSAndroid Build Coastguard Worker // PKCS7_get_CRLs parses a PKCS#7, SignedData structure from |cbs| and appends 65*8fb009dcSAndroid Build Coastguard Worker // the included CRLs to |out_crls|. It returns one on success and zero on error. 66*8fb009dcSAndroid Build Coastguard Worker // |cbs| is advanced passed the structure. 67*8fb009dcSAndroid Build Coastguard Worker // 68*8fb009dcSAndroid Build Coastguard Worker // Note that a SignedData structure may contain no CRLs, in which case this 69*8fb009dcSAndroid Build Coastguard Worker // function succeeds but does not append any CRLs. Additionally, CRLs in 70*8fb009dcSAndroid Build Coastguard Worker // SignedData structures are unordered. Callers should not assume an order in 71*8fb009dcSAndroid Build Coastguard Worker // |*out_crls| and may need to search for matches. 72*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int PKCS7_get_CRLs(STACK_OF(X509_CRL) *out_crls, CBS *cbs); 73*8fb009dcSAndroid Build Coastguard Worker 74*8fb009dcSAndroid Build Coastguard Worker // PKCS7_bundle_CRLs appends a PKCS#7, SignedData structure containing 75*8fb009dcSAndroid Build Coastguard Worker // |crls| to |out|. It returns one on success and zero on error. Note that CRLs 76*8fb009dcSAndroid Build Coastguard Worker // in SignedData structures are unordered. The order in |crls| will not be 77*8fb009dcSAndroid Build Coastguard Worker // preserved. 78*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int PKCS7_bundle_CRLs(CBB *out, const STACK_OF(X509_CRL) *crls); 79*8fb009dcSAndroid Build Coastguard Worker 80*8fb009dcSAndroid Build Coastguard Worker // PKCS7_get_PEM_certificates reads a PEM-encoded, PKCS#7, SignedData structure 81*8fb009dcSAndroid Build Coastguard Worker // from |pem_bio| and appends the included certificates to |out_certs|. It 82*8fb009dcSAndroid Build Coastguard Worker // returns one on success and zero on error. 83*8fb009dcSAndroid Build Coastguard Worker // 84*8fb009dcSAndroid Build Coastguard Worker // Note that a SignedData structure may contain no certificates, in which case 85*8fb009dcSAndroid Build Coastguard Worker // this function succeeds but does not append any certificates. Additionally, 86*8fb009dcSAndroid Build Coastguard Worker // certificates in SignedData structures are unordered. Callers should not 87*8fb009dcSAndroid Build Coastguard Worker // assume a particular order in |*out_certs| and may need to search for matches 88*8fb009dcSAndroid Build Coastguard Worker // or run path-building algorithms. 89*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int PKCS7_get_PEM_certificates(STACK_OF(X509) *out_certs, 90*8fb009dcSAndroid Build Coastguard Worker BIO *pem_bio); 91*8fb009dcSAndroid Build Coastguard Worker 92*8fb009dcSAndroid Build Coastguard Worker // PKCS7_get_PEM_CRLs reads a PEM-encoded, PKCS#7, SignedData structure from 93*8fb009dcSAndroid Build Coastguard Worker // |pem_bio| and appends the included CRLs to |out_crls|. It returns one on 94*8fb009dcSAndroid Build Coastguard Worker // success and zero on error. 95*8fb009dcSAndroid Build Coastguard Worker // 96*8fb009dcSAndroid Build Coastguard Worker // Note that a SignedData structure may contain no CRLs, in which case this 97*8fb009dcSAndroid Build Coastguard Worker // function succeeds but does not append any CRLs. Additionally, CRLs in 98*8fb009dcSAndroid Build Coastguard Worker // SignedData structures are unordered. Callers should not assume an order in 99*8fb009dcSAndroid Build Coastguard Worker // |*out_crls| and may need to search for matches. 100*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int PKCS7_get_PEM_CRLs(STACK_OF(X509_CRL) *out_crls, 101*8fb009dcSAndroid Build Coastguard Worker BIO *pem_bio); 102*8fb009dcSAndroid Build Coastguard Worker 103*8fb009dcSAndroid Build Coastguard Worker 104*8fb009dcSAndroid Build Coastguard Worker // Deprecated functions. 105*8fb009dcSAndroid Build Coastguard Worker // 106*8fb009dcSAndroid Build Coastguard Worker // These functions are a compatibility layer over a subset of OpenSSL's PKCS#7 107*8fb009dcSAndroid Build Coastguard Worker // API. It intentionally does not implement the whole thing, only the minimum 108*8fb009dcSAndroid Build Coastguard Worker // needed to build cryptography.io. 109*8fb009dcSAndroid Build Coastguard Worker 110*8fb009dcSAndroid Build Coastguard Worker typedef struct { 111*8fb009dcSAndroid Build Coastguard Worker STACK_OF(X509) *cert; 112*8fb009dcSAndroid Build Coastguard Worker STACK_OF(X509_CRL) *crl; 113*8fb009dcSAndroid Build Coastguard Worker } PKCS7_SIGNED; 114*8fb009dcSAndroid Build Coastguard Worker 115*8fb009dcSAndroid Build Coastguard Worker typedef struct { 116*8fb009dcSAndroid Build Coastguard Worker STACK_OF(X509) *cert; 117*8fb009dcSAndroid Build Coastguard Worker STACK_OF(X509_CRL) *crl; 118*8fb009dcSAndroid Build Coastguard Worker } PKCS7_SIGN_ENVELOPE; 119*8fb009dcSAndroid Build Coastguard Worker 120*8fb009dcSAndroid Build Coastguard Worker typedef void PKCS7_ENVELOPE; 121*8fb009dcSAndroid Build Coastguard Worker typedef void PKCS7_DIGEST; 122*8fb009dcSAndroid Build Coastguard Worker typedef void PKCS7_ENCRYPT; 123*8fb009dcSAndroid Build Coastguard Worker typedef void PKCS7_SIGNER_INFO; 124*8fb009dcSAndroid Build Coastguard Worker 125*8fb009dcSAndroid Build Coastguard Worker typedef struct { 126*8fb009dcSAndroid Build Coastguard Worker uint8_t *ber_bytes; 127*8fb009dcSAndroid Build Coastguard Worker size_t ber_len; 128*8fb009dcSAndroid Build Coastguard Worker 129*8fb009dcSAndroid Build Coastguard Worker // Unlike OpenSSL, the following fields are immutable. They filled in when the 130*8fb009dcSAndroid Build Coastguard Worker // object is parsed and ignored in serialization. 131*8fb009dcSAndroid Build Coastguard Worker ASN1_OBJECT *type; 132*8fb009dcSAndroid Build Coastguard Worker union { 133*8fb009dcSAndroid Build Coastguard Worker char *ptr; 134*8fb009dcSAndroid Build Coastguard Worker ASN1_OCTET_STRING *data; 135*8fb009dcSAndroid Build Coastguard Worker PKCS7_SIGNED *sign; 136*8fb009dcSAndroid Build Coastguard Worker PKCS7_ENVELOPE *enveloped; 137*8fb009dcSAndroid Build Coastguard Worker PKCS7_SIGN_ENVELOPE *signed_and_enveloped; 138*8fb009dcSAndroid Build Coastguard Worker PKCS7_DIGEST *digest; 139*8fb009dcSAndroid Build Coastguard Worker PKCS7_ENCRYPT *encrypted; 140*8fb009dcSAndroid Build Coastguard Worker ASN1_TYPE *other; 141*8fb009dcSAndroid Build Coastguard Worker } d; 142*8fb009dcSAndroid Build Coastguard Worker } PKCS7; 143*8fb009dcSAndroid Build Coastguard Worker 144*8fb009dcSAndroid Build Coastguard Worker // d2i_PKCS7 parses a BER-encoded, PKCS#7 signed data ContentInfo structure from 145*8fb009dcSAndroid Build Coastguard Worker // |len| bytes at |*inp|, as described in |d2i_SAMPLE|. 146*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT PKCS7 *d2i_PKCS7(PKCS7 **out, const uint8_t **inp, 147*8fb009dcSAndroid Build Coastguard Worker size_t len); 148*8fb009dcSAndroid Build Coastguard Worker 149*8fb009dcSAndroid Build Coastguard Worker // d2i_PKCS7_bio behaves like |d2i_PKCS7| but reads the input from |bio|. If 150*8fb009dcSAndroid Build Coastguard Worker // the length of the object is indefinite the full contents of |bio| are read. 151*8fb009dcSAndroid Build Coastguard Worker // 152*8fb009dcSAndroid Build Coastguard Worker // If the function fails then some unknown amount of data may have been read 153*8fb009dcSAndroid Build Coastguard Worker // from |bio|. 154*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT PKCS7 *d2i_PKCS7_bio(BIO *bio, PKCS7 **out); 155*8fb009dcSAndroid Build Coastguard Worker 156*8fb009dcSAndroid Build Coastguard Worker // i2d_PKCS7 marshals |p7| as a DER-encoded PKCS#7 ContentInfo structure, as 157*8fb009dcSAndroid Build Coastguard Worker // described in |i2d_SAMPLE|. 158*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_PKCS7(const PKCS7 *p7, uint8_t **out); 159*8fb009dcSAndroid Build Coastguard Worker 160*8fb009dcSAndroid Build Coastguard Worker // i2d_PKCS7_bio writes |p7| to |bio|. It returns one on success and zero on 161*8fb009dcSAndroid Build Coastguard Worker // error. 162*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int i2d_PKCS7_bio(BIO *bio, const PKCS7 *p7); 163*8fb009dcSAndroid Build Coastguard Worker 164*8fb009dcSAndroid Build Coastguard Worker // PKCS7_free releases memory associated with |p7|. 165*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT void PKCS7_free(PKCS7 *p7); 166*8fb009dcSAndroid Build Coastguard Worker 167*8fb009dcSAndroid Build Coastguard Worker // PKCS7_type_is_data returns zero. 168*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int PKCS7_type_is_data(const PKCS7 *p7); 169*8fb009dcSAndroid Build Coastguard Worker 170*8fb009dcSAndroid Build Coastguard Worker // PKCS7_type_is_digest returns zero. 171*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int PKCS7_type_is_digest(const PKCS7 *p7); 172*8fb009dcSAndroid Build Coastguard Worker 173*8fb009dcSAndroid Build Coastguard Worker // PKCS7_type_is_encrypted returns zero. 174*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int PKCS7_type_is_encrypted(const PKCS7 *p7); 175*8fb009dcSAndroid Build Coastguard Worker 176*8fb009dcSAndroid Build Coastguard Worker // PKCS7_type_is_enveloped returns zero. 177*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int PKCS7_type_is_enveloped(const PKCS7 *p7); 178*8fb009dcSAndroid Build Coastguard Worker 179*8fb009dcSAndroid Build Coastguard Worker // PKCS7_type_is_signed returns one. (We only supporte signed data 180*8fb009dcSAndroid Build Coastguard Worker // ContentInfos.) 181*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int PKCS7_type_is_signed(const PKCS7 *p7); 182*8fb009dcSAndroid Build Coastguard Worker 183*8fb009dcSAndroid Build Coastguard Worker // PKCS7_type_is_signedAndEnveloped returns zero. 184*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT int PKCS7_type_is_signedAndEnveloped(const PKCS7 *p7); 185*8fb009dcSAndroid Build Coastguard Worker 186*8fb009dcSAndroid Build Coastguard Worker // PKCS7_DETACHED indicates that the PKCS#7 file specifies its data externally. 187*8fb009dcSAndroid Build Coastguard Worker #define PKCS7_DETACHED 0x40 188*8fb009dcSAndroid Build Coastguard Worker 189*8fb009dcSAndroid Build Coastguard Worker // The following flags cause |PKCS7_sign| to fail. 190*8fb009dcSAndroid Build Coastguard Worker #define PKCS7_TEXT 0x1 191*8fb009dcSAndroid Build Coastguard Worker #define PKCS7_NOCERTS 0x2 192*8fb009dcSAndroid Build Coastguard Worker #define PKCS7_NOSIGS 0x4 193*8fb009dcSAndroid Build Coastguard Worker #define PKCS7_NOCHAIN 0x8 194*8fb009dcSAndroid Build Coastguard Worker #define PKCS7_NOINTERN 0x10 195*8fb009dcSAndroid Build Coastguard Worker #define PKCS7_NOVERIFY 0x20 196*8fb009dcSAndroid Build Coastguard Worker #define PKCS7_BINARY 0x80 197*8fb009dcSAndroid Build Coastguard Worker #define PKCS7_NOATTR 0x100 198*8fb009dcSAndroid Build Coastguard Worker #define PKCS7_NOSMIMECAP 0x200 199*8fb009dcSAndroid Build Coastguard Worker #define PKCS7_STREAM 0x1000 200*8fb009dcSAndroid Build Coastguard Worker #define PKCS7_PARTIAL 0x4000 201*8fb009dcSAndroid Build Coastguard Worker 202*8fb009dcSAndroid Build Coastguard Worker // PKCS7_sign can operate in two modes to provide some backwards compatibility: 203*8fb009dcSAndroid Build Coastguard Worker // 204*8fb009dcSAndroid Build Coastguard Worker // The first mode assembles |certs| into a PKCS#7 signed data ContentInfo with 205*8fb009dcSAndroid Build Coastguard Worker // external data and no signatures. It returns a newly-allocated |PKCS7| on 206*8fb009dcSAndroid Build Coastguard Worker // success or NULL on error. |sign_cert| and |pkey| must be NULL. |data| is 207*8fb009dcSAndroid Build Coastguard Worker // ignored. |flags| must be equal to |PKCS7_DETACHED|. Additionally, 208*8fb009dcSAndroid Build Coastguard Worker // certificates in SignedData structures are unordered. The order of |certs| 209*8fb009dcSAndroid Build Coastguard Worker // will not be preserved. 210*8fb009dcSAndroid Build Coastguard Worker // 211*8fb009dcSAndroid Build Coastguard Worker // The second mode generates a detached RSA SHA-256 signature of |data| using 212*8fb009dcSAndroid Build Coastguard Worker // |pkey| and produces a PKCS#7 SignedData structure containing it. |certs| 213*8fb009dcSAndroid Build Coastguard Worker // must be NULL and |flags| must be exactly |PKCS7_NOATTR | PKCS7_BINARY | 214*8fb009dcSAndroid Build Coastguard Worker // PKCS7_NOCERTS | PKCS7_DETACHED|. 215*8fb009dcSAndroid Build Coastguard Worker // 216*8fb009dcSAndroid Build Coastguard Worker // Note this function only implements a subset of the corresponding OpenSSL 217*8fb009dcSAndroid Build Coastguard Worker // function. It is provided for backwards compatibility only. 218*8fb009dcSAndroid Build Coastguard Worker OPENSSL_EXPORT PKCS7 *PKCS7_sign(X509 *sign_cert, EVP_PKEY *pkey, 219*8fb009dcSAndroid Build Coastguard Worker STACK_OF(X509) *certs, BIO *data, int flags); 220*8fb009dcSAndroid Build Coastguard Worker 221*8fb009dcSAndroid Build Coastguard Worker 222*8fb009dcSAndroid Build Coastguard Worker #if defined(__cplusplus) 223*8fb009dcSAndroid Build Coastguard Worker } // extern C 224*8fb009dcSAndroid Build Coastguard Worker 225*8fb009dcSAndroid Build Coastguard Worker extern "C++" { 226*8fb009dcSAndroid Build Coastguard Worker BSSL_NAMESPACE_BEGIN 227*8fb009dcSAndroid Build Coastguard Worker 228*8fb009dcSAndroid Build Coastguard Worker BORINGSSL_MAKE_DELETER(PKCS7, PKCS7_free) 229*8fb009dcSAndroid Build Coastguard Worker 230*8fb009dcSAndroid Build Coastguard Worker BSSL_NAMESPACE_END 231*8fb009dcSAndroid Build Coastguard Worker } // extern C++ 232*8fb009dcSAndroid Build Coastguard Worker #endif 233*8fb009dcSAndroid Build Coastguard Worker 234*8fb009dcSAndroid Build Coastguard Worker #define PKCS7_R_BAD_PKCS7_VERSION 100 235*8fb009dcSAndroid Build Coastguard Worker #define PKCS7_R_NOT_PKCS7_SIGNED_DATA 101 236*8fb009dcSAndroid Build Coastguard Worker #define PKCS7_R_NO_CERTIFICATES_INCLUDED 102 237*8fb009dcSAndroid Build Coastguard Worker #define PKCS7_R_NO_CRLS_INCLUDED 103 238*8fb009dcSAndroid Build Coastguard Worker 239*8fb009dcSAndroid Build Coastguard Worker #endif // OPENSSL_HEADER_PKCS7_H 240