xref: /openbsd/lib/libcrypto/cms/cms_local.h (revision 5158016f)
1 /* $OpenBSD: cms_local.h,v 1.6 2024/05/19 07:12:50 jsg Exp $ */
2 /*
3  * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
4  * project.
5  */
6 /* ====================================================================
7  * Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions
11  * are met:
12  *
13  * 1. Redistributions of source code must retain the above copyright
14  *    notice, this list of conditions and the following disclaimer.
15  *
16  * 2. Redistributions in binary form must reproduce the above copyright
17  *    notice, this list of conditions and the following disclaimer in
18  *    the documentation and/or other materials provided with the
19  *    distribution.
20  *
21  * 3. All advertising materials mentioning features or use of this
22  *    software must display the following acknowledgment:
23  *    "This product includes software developed by the OpenSSL Project
24  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
25  *
26  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
27  *    endorse or promote products derived from this software without
28  *    prior written permission. For written permission, please contact
29  *    licensing@OpenSSL.org.
30  *
31  * 5. Products derived from this software may not be called "OpenSSL"
32  *    nor may "OpenSSL" appear in their names without prior written
33  *    permission of the OpenSSL Project.
34  *
35  * 6. Redistributions of any form whatsoever must retain the following
36  *    acknowledgment:
37  *    "This product includes software developed by the OpenSSL Project
38  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
39  *
40  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
41  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
43  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
44  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
45  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
46  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
47  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
49  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
50  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51  * OF THE POSSIBILITY OF SUCH DAMAGE.
52  * ====================================================================
53  */
54 
55 #ifndef HEADER_CMS_LOCAL_H
56 #define HEADER_CMS_LOCAL_H
57 
58 #include <openssl/x509.h>
59 
60 /*
61  * Cryptographic message syntax (CMS) structures: taken from RFC3852
62  */
63 
64 /* Forward references */
65 
66 typedef struct CMS_IssuerAndSerialNumber_st CMS_IssuerAndSerialNumber;
67 typedef struct CMS_EncapsulatedContentInfo_st CMS_EncapsulatedContentInfo;
68 typedef struct CMS_SignerIdentifier_st CMS_SignerIdentifier;
69 typedef struct CMS_SignedData_st CMS_SignedData;
70 typedef struct CMS_OtherRevocationInfoFormat_st CMS_OtherRevocationInfoFormat;
71 typedef struct CMS_OriginatorInfo_st CMS_OriginatorInfo;
72 typedef struct CMS_EncryptedContentInfo_st CMS_EncryptedContentInfo;
73 typedef struct CMS_EnvelopedData_st CMS_EnvelopedData;
74 typedef struct CMS_DigestedData_st CMS_DigestedData;
75 typedef struct CMS_EncryptedData_st CMS_EncryptedData;
76 typedef struct CMS_AuthenticatedData_st CMS_AuthenticatedData;
77 typedef struct CMS_CompressedData_st CMS_CompressedData;
78 typedef struct CMS_OtherCertificateFormat_st CMS_OtherCertificateFormat;
79 typedef struct CMS_KeyTransRecipientInfo_st CMS_KeyTransRecipientInfo;
80 typedef struct CMS_OriginatorPublicKey_st CMS_OriginatorPublicKey;
81 typedef struct CMS_OriginatorIdentifierOrKey_st CMS_OriginatorIdentifierOrKey;
82 typedef struct CMS_KeyAgreeRecipientInfo_st CMS_KeyAgreeRecipientInfo;
83 typedef struct CMS_RecipientKeyIdentifier_st CMS_RecipientKeyIdentifier;
84 typedef struct CMS_KeyAgreeRecipientIdentifier_st
85     CMS_KeyAgreeRecipientIdentifier;
86 typedef struct CMS_KEKIdentifier_st CMS_KEKIdentifier;
87 typedef struct CMS_KEKRecipientInfo_st CMS_KEKRecipientInfo;
88 typedef struct CMS_PasswordRecipientInfo_st CMS_PasswordRecipientInfo;
89 typedef struct CMS_OtherRecipientInfo_st CMS_OtherRecipientInfo;
90 typedef struct CMS_ReceiptsFrom_st CMS_ReceiptsFrom;
91 
92 struct CMS_ContentInfo_st {
93 	ASN1_OBJECT *contentType;
94 	union {
95 		ASN1_OCTET_STRING *data;
96 		CMS_SignedData *signedData;
97 		CMS_EnvelopedData *envelopedData;
98 		CMS_DigestedData *digestedData;
99 		CMS_EncryptedData *encryptedData;
100 		CMS_AuthenticatedData *authenticatedData;
101 		CMS_CompressedData *compressedData;
102 		ASN1_TYPE *other;
103 		/* Other types ... */
104 		void *otherData;
105 	} d;
106 };
107 
108 DECLARE_STACK_OF(CMS_CertificateChoices)
109 
110 struct CMS_SignedData_st {
111 	long version;
112 	STACK_OF(X509_ALGOR) *digestAlgorithms;
113 	CMS_EncapsulatedContentInfo *encapContentInfo;
114 	STACK_OF(CMS_CertificateChoices) *certificates;
115 	STACK_OF(CMS_RevocationInfoChoice) *crls;
116 	STACK_OF(CMS_SignerInfo) *signerInfos;
117 };
118 
119 struct CMS_EncapsulatedContentInfo_st {
120 	ASN1_OBJECT *eContentType;
121 	ASN1_OCTET_STRING *eContent;
122 	/* Set to 1 if incomplete structure only part set up */
123 	int partial;
124 };
125 
126 struct CMS_SignerInfo_st {
127 	long version;
128 	CMS_SignerIdentifier *sid;
129 	X509_ALGOR *digestAlgorithm;
130 	STACK_OF(X509_ATTRIBUTE) *signedAttrs;
131 	X509_ALGOR *signatureAlgorithm;
132 	ASN1_OCTET_STRING *signature;
133 	STACK_OF(X509_ATTRIBUTE) *unsignedAttrs;
134 	/* Signing certificate and key */
135 	X509 *signer;
136 	EVP_PKEY *pkey;
137 	/* Digest and public key context for alternative parameters */
138 	EVP_MD_CTX *mctx;
139 	EVP_PKEY_CTX *pctx;
140 };
141 
142 struct CMS_SignerIdentifier_st {
143 	int type;
144 	union {
145 		CMS_IssuerAndSerialNumber *issuerAndSerialNumber;
146 		ASN1_OCTET_STRING *subjectKeyIdentifier;
147 	} d;
148 };
149 
150 struct CMS_EnvelopedData_st {
151 	long version;
152 	CMS_OriginatorInfo *originatorInfo;
153 	STACK_OF(CMS_RecipientInfo) *recipientInfos;
154 	CMS_EncryptedContentInfo *encryptedContentInfo;
155 	STACK_OF(X509_ATTRIBUTE) *unprotectedAttrs;
156 };
157 
158 struct CMS_OriginatorInfo_st {
159 	STACK_OF(CMS_CertificateChoices) *certificates;
160 	STACK_OF(CMS_RevocationInfoChoice) *crls;
161 };
162 
163 struct CMS_EncryptedContentInfo_st {
164 	ASN1_OBJECT *contentType;
165 	X509_ALGOR *contentEncryptionAlgorithm;
166 	ASN1_OCTET_STRING *encryptedContent;
167 	/* Content encryption algorithm and key */
168 	const EVP_CIPHER *cipher;
169 	unsigned char *key;
170 	size_t keylen;
171 	/* Set to 1 if we are debugging decrypt and don't fake keys for MMA */
172 	int debug;
173 	/* Set to 1 if we have no cert and need extra safety measures for MMA */
174 	int havenocert;
175 };
176 
177 struct CMS_RecipientInfo_st {
178 	int type;
179 	union {
180 		CMS_KeyTransRecipientInfo *ktri;
181 		CMS_KeyAgreeRecipientInfo *kari;
182 		CMS_KEKRecipientInfo *kekri;
183 		CMS_PasswordRecipientInfo *pwri;
184 		CMS_OtherRecipientInfo *ori;
185 	} d;
186 };
187 
188 typedef CMS_SignerIdentifier CMS_RecipientIdentifier;
189 
190 struct CMS_KeyTransRecipientInfo_st {
191 	long version;
192 	CMS_RecipientIdentifier *rid;
193 	X509_ALGOR *keyEncryptionAlgorithm;
194 	ASN1_OCTET_STRING *encryptedKey;
195 	/* Recipient Key and cert */
196 	X509 *recip;
197 	EVP_PKEY *pkey;
198 	/* Public key context for this operation */
199 	EVP_PKEY_CTX *pctx;
200 };
201 
202 struct CMS_KeyAgreeRecipientInfo_st {
203 	long version;
204 	CMS_OriginatorIdentifierOrKey *originator;
205 	ASN1_OCTET_STRING *ukm;
206 	X509_ALGOR *keyEncryptionAlgorithm;
207 	STACK_OF(CMS_RecipientEncryptedKey) *recipientEncryptedKeys;
208 	/* Public key context associated with current operation */
209 	EVP_PKEY_CTX *pctx;
210 	/* Cipher context for CEK wrapping */
211 	EVP_CIPHER_CTX *ctx;
212 };
213 
214 struct CMS_OriginatorIdentifierOrKey_st {
215 	int type;
216 	union {
217 		CMS_IssuerAndSerialNumber *issuerAndSerialNumber;
218 		ASN1_OCTET_STRING *subjectKeyIdentifier;
219 		CMS_OriginatorPublicKey *originatorKey;
220 	} d;
221 };
222 
223 struct CMS_OriginatorPublicKey_st {
224 	X509_ALGOR *algorithm;
225 	ASN1_BIT_STRING *publicKey;
226 };
227 
228 struct CMS_RecipientEncryptedKey_st {
229 	CMS_KeyAgreeRecipientIdentifier *rid;
230 	ASN1_OCTET_STRING *encryptedKey;
231 	/* Public key associated with this recipient */
232 	EVP_PKEY *pkey;
233 };
234 
235 struct CMS_KeyAgreeRecipientIdentifier_st {
236 	int type;
237 	union {
238 		CMS_IssuerAndSerialNumber *issuerAndSerialNumber;
239 		CMS_RecipientKeyIdentifier *rKeyId;
240 	} d;
241 };
242 
243 struct CMS_RecipientKeyIdentifier_st {
244 	ASN1_OCTET_STRING *subjectKeyIdentifier;
245 	ASN1_GENERALIZEDTIME *date;
246 	CMS_OtherKeyAttribute *other;
247 };
248 
249 struct CMS_KEKRecipientInfo_st {
250 	long version;
251 	CMS_KEKIdentifier *kekid;
252 	X509_ALGOR *keyEncryptionAlgorithm;
253 	ASN1_OCTET_STRING *encryptedKey;
254 	/* Extra info: symmetric key to use */
255 	unsigned char *key;
256 	size_t keylen;
257 };
258 
259 struct CMS_KEKIdentifier_st {
260 	ASN1_OCTET_STRING *keyIdentifier;
261 	ASN1_GENERALIZEDTIME *date;
262 	CMS_OtherKeyAttribute *other;
263 };
264 
265 struct CMS_PasswordRecipientInfo_st {
266 	long version;
267 	X509_ALGOR *keyDerivationAlgorithm;
268 	X509_ALGOR *keyEncryptionAlgorithm;
269 	ASN1_OCTET_STRING *encryptedKey;
270 	/* Extra info: password to use */
271 	unsigned char *pass;
272 	size_t passlen;
273 };
274 
275 struct CMS_OtherRecipientInfo_st {
276 	ASN1_OBJECT *oriType;
277 	ASN1_TYPE *oriValue;
278 };
279 
280 struct CMS_DigestedData_st {
281 	long version;
282 	X509_ALGOR *digestAlgorithm;
283 	CMS_EncapsulatedContentInfo *encapContentInfo;
284 	ASN1_OCTET_STRING *digest;
285 };
286 
287 struct CMS_EncryptedData_st {
288 	long version;
289 	CMS_EncryptedContentInfo *encryptedContentInfo;
290 	STACK_OF(X509_ATTRIBUTE) *unprotectedAttrs;
291 };
292 
293 struct CMS_AuthenticatedData_st {
294 	long version;
295 	CMS_OriginatorInfo *originatorInfo;
296 	STACK_OF(CMS_RecipientInfo) *recipientInfos;
297 	X509_ALGOR *macAlgorithm;
298 	X509_ALGOR *digestAlgorithm;
299 	CMS_EncapsulatedContentInfo *encapContentInfo;
300 	STACK_OF(X509_ATTRIBUTE) *authAttrs;
301 	ASN1_OCTET_STRING *mac;
302 	STACK_OF(X509_ATTRIBUTE) *unauthAttrs;
303 };
304 
305 struct CMS_CompressedData_st {
306 	long version;
307 	X509_ALGOR *compressionAlgorithm;
308 	STACK_OF(CMS_RecipientInfo) *recipientInfos;
309 	CMS_EncapsulatedContentInfo *encapContentInfo;
310 };
311 
312 struct CMS_RevocationInfoChoice_st {
313 	int type;
314 	union {
315 		X509_CRL *crl;
316 		CMS_OtherRevocationInfoFormat *other;
317 	} d;
318 };
319 
320 #define CMS_REVCHOICE_CRL               0
321 #define CMS_REVCHOICE_OTHER             1
322 
323 struct CMS_OtherRevocationInfoFormat_st {
324 	ASN1_OBJECT *otherRevInfoFormat;
325 	ASN1_TYPE *otherRevInfo;
326 };
327 
328 struct CMS_CertificateChoices {
329 	int type;
330 	union {
331 		X509 *certificate;
332 		ASN1_STRING *extendedCertificate; /* Obsolete */
333 		ASN1_STRING *v1AttrCert; /* Left encoded for now */
334 		ASN1_STRING *v2AttrCert; /* Left encoded for now */
335 		CMS_OtherCertificateFormat *other;
336 	} d;
337 };
338 
339 #define CMS_CERTCHOICE_CERT             0
340 #define CMS_CERTCHOICE_EXCERT           1
341 #define CMS_CERTCHOICE_V1ACERT          2
342 #define CMS_CERTCHOICE_V2ACERT          3
343 #define CMS_CERTCHOICE_OTHER            4
344 
345 struct CMS_OtherCertificateFormat_st {
346 	ASN1_OBJECT *otherCertFormat;
347 	ASN1_TYPE *otherCert;
348 };
349 
350 /*
351  * This is also defined in pkcs7.h but we duplicate it to allow the CMS code
352  * to be independent of PKCS#7
353  */
354 
355 struct CMS_IssuerAndSerialNumber_st {
356 	X509_NAME *issuer;
357 	ASN1_INTEGER *serialNumber;
358 };
359 
360 struct CMS_OtherKeyAttribute_st {
361 	ASN1_OBJECT *keyAttrId;
362 	ASN1_TYPE *keyAttr;
363 };
364 
365 /* ESS structures */
366 
367 #ifdef HEADER_X509V3_H
368 
369 struct CMS_ReceiptRequest_st {
370 	ASN1_OCTET_STRING *signedContentIdentifier;
371 	CMS_ReceiptsFrom *receiptsFrom;
372 	STACK_OF(GENERAL_NAMES) *receiptsTo;
373 };
374 
375 struct CMS_ReceiptsFrom_st {
376 	int type;
377 	union {
378 		long allOrFirstTier;
379 		STACK_OF(GENERAL_NAMES) *receiptList;
380 	} d;
381 };
382 #endif
383 
384 struct CMS_Receipt_st {
385 	long version;
386 	ASN1_OBJECT *contentType;
387 	ASN1_OCTET_STRING *signedContentIdentifier;
388 	ASN1_OCTET_STRING *originatorSignatureValue;
389 };
390 
391 extern const ASN1_ITEM CMS_SignerInfo_it;
392 extern const ASN1_ITEM CMS_IssuerAndSerialNumber_it;
393 extern const ASN1_ITEM CMS_Attributes_Sign_it;
394 extern const ASN1_ITEM CMS_Attributes_Verify_it;
395 extern const ASN1_ITEM CMS_RecipientInfo_it;
396 extern const ASN1_ITEM CMS_PasswordRecipientInfo_it;
397 
398 #define CMS_SIGNERINFO_ISSUER_SERIAL    0
399 #define CMS_SIGNERINFO_KEYIDENTIFIER    1
400 
401 #define CMS_RECIPINFO_ISSUER_SERIAL     0
402 #define CMS_RECIPINFO_KEYIDENTIFIER     1
403 
404 #define CMS_REK_ISSUER_SERIAL           0
405 #define CMS_REK_KEYIDENTIFIER           1
406 
407 #define CMS_OIK_ISSUER_SERIAL           0
408 #define CMS_OIK_KEYIDENTIFIER           1
409 #define CMS_OIK_PUBKEY                  2
410 
411 CMS_ContentInfo *cms_Data_create(void);
412 
413 CMS_ContentInfo *cms_DigestedData_create(const EVP_MD *md);
414 BIO *cms_DigestedData_init_bio(CMS_ContentInfo *cms);
415 int cms_DigestedData_do_final(CMS_ContentInfo *cms, BIO *chain, int verify);
416 
417 BIO *cms_SignedData_init_bio(CMS_ContentInfo *cms);
418 int cms_SignedData_final(CMS_ContentInfo *cms, BIO *chain);
419 int cms_set1_SignerIdentifier(CMS_SignerIdentifier *sid, X509 *cert, int type);
420 int cms_SignerIdentifier_get0_signer_id(CMS_SignerIdentifier *sid,
421     ASN1_OCTET_STRING **keyid, X509_NAME **issuer, ASN1_INTEGER **sno);
422 int cms_SignerIdentifier_cert_cmp(CMS_SignerIdentifier *sid, X509 *cert);
423 
424 BIO *cms_DigestAlgorithm_init_bio(X509_ALGOR *digestAlgorithm);
425 int cms_DigestAlgorithm_find_ctx(EVP_MD_CTX *mctx, BIO *chain,
426     X509_ALGOR *mdalg);
427 
428 int cms_ias_cert_cmp(CMS_IssuerAndSerialNumber *ias, X509 *cert);
429 int cms_keyid_cert_cmp(ASN1_OCTET_STRING *keyid, X509 *cert);
430 int cms_set1_ias(CMS_IssuerAndSerialNumber **pias, X509 *cert);
431 int cms_set1_keyid(ASN1_OCTET_STRING **pkeyid, X509 *cert);
432 
433 BIO *cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec);
434 BIO *cms_EncryptedData_init_bio(CMS_ContentInfo *cms);
435 int cms_EncryptedContent_init(CMS_EncryptedContentInfo *ec,
436     const EVP_CIPHER *cipher, const unsigned char *key, size_t keylen);
437 
438 int cms_Receipt_verify(CMS_ContentInfo *cms, CMS_ContentInfo *req_cms);
439 int cms_msgSigDigest_add1(CMS_SignerInfo *dest, CMS_SignerInfo *src);
440 ASN1_OCTET_STRING *cms_encode_Receipt(CMS_SignerInfo *si);
441 
442 BIO *cms_EnvelopedData_init_bio(CMS_ContentInfo *cms);
443 CMS_EnvelopedData *cms_get0_enveloped(CMS_ContentInfo *cms);
444 int cms_env_asn1_ctrl(CMS_RecipientInfo *ri, int cmd);
445 int cms_pkey_get_ri_type(EVP_PKEY *pk);
446 /* KARI routines */
447 int cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri, X509 *recip,
448     EVP_PKEY *pk, unsigned int flags);
449 int cms_RecipientInfo_kari_encrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri);
450 
451 /* PWRI routines */
452 int cms_RecipientInfo_pwri_crypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri,
453     int en_de);
454 
455 extern const ASN1_ITEM CMS_CertificateChoices_it;
456 extern const ASN1_ITEM CMS_DigestedData_it;
457 extern const ASN1_ITEM CMS_EncryptedData_it;
458 extern const ASN1_ITEM CMS_EnvelopedData_it;
459 extern const ASN1_ITEM CMS_KEKRecipientInfo_it;
460 extern const ASN1_ITEM CMS_KeyAgreeRecipientInfo_it;
461 extern const ASN1_ITEM CMS_KeyTransRecipientInfo_it;
462 extern const ASN1_ITEM CMS_OriginatorPublicKey_it;
463 extern const ASN1_ITEM CMS_OtherKeyAttribute_it;
464 extern const ASN1_ITEM CMS_Receipt_it;
465 extern const ASN1_ITEM CMS_ReceiptRequest_it;
466 extern const ASN1_ITEM CMS_RecipientEncryptedKey_it;
467 extern const ASN1_ITEM CMS_RecipientKeyIdentifier_it;
468 extern const ASN1_ITEM CMS_RevocationInfoChoice_it;
469 extern const ASN1_ITEM CMS_SignedData_it;
470 extern const ASN1_ITEM CMS_CompressedData_it;
471 
472 #endif /* !HEADER_CMS_LOCAL_H */
473