1 /* Copyright (c) 2014, Google Inc.
2  *
3  * Permission to use, copy, modify, and/or distribute this software for any
4  * purpose with or without fee is hereby granted, provided that the above
5  * copyright notice and this permission notice appear in all copies.
6  *
7  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14 
15 #ifndef OPENSSL_HEADER_PKCS7_H
16 #define OPENSSL_HEADER_PKCS7_H
17 
18 #include <openssl/base.h>
19 
20 #include <openssl/stack.h>
21 
22 #if defined(__cplusplus)
23 extern "C" {
24 #endif
25 
26 
27 // PKCS#7.
28 //
29 // This library contains functions for extracting information from PKCS#7
30 // structures (RFC 2315).
31 
32 DECLARE_STACK_OF(CRYPTO_BUFFER)
33 DECLARE_STACK_OF(X509)
34 DECLARE_STACK_OF(X509_CRL)
35 
36 // PKCS7_get_raw_certificates parses a PKCS#7, SignedData structure from |cbs|
37 // and appends the included certificates to |out_certs|. It returns one on
// success and zero on error. |cbs| is advanced past the structure.
39 //
40 // Note that a SignedData structure may contain no certificates, in which case
41 // this function succeeds but does not append any certificates. Additionally,
42 // certificates in SignedData structures are unordered. Callers should not
43 // assume a particular order in |*out_certs| and may need to search for matches
44 // or run path-building algorithms.
45 OPENSSL_EXPORT int PKCS7_get_raw_certificates(
46     STACK_OF(CRYPTO_BUFFER) *out_certs, CBS *cbs, CRYPTO_BUFFER_POOL *pool);
47 
48 // PKCS7_get_certificates behaves like |PKCS7_get_raw_certificates| but parses
49 // them into |X509| objects.
50 OPENSSL_EXPORT int PKCS7_get_certificates(STACK_OF(X509) *out_certs, CBS *cbs);
51 
52 // PKCS7_bundle_certificates appends a PKCS#7, SignedData structure containing
53 // |certs| to |out|. It returns one on success and zero on error. Note that
54 // certificates in SignedData structures are unordered. The order in |certs|
55 // will not be preserved.
56 OPENSSL_EXPORT int PKCS7_bundle_certificates(
57     CBB *out, const STACK_OF(X509) *certs);
58 
59 // PKCS7_get_CRLs parses a PKCS#7, SignedData structure from |cbs| and appends
60 // the included CRLs to |out_crls|. It returns one on success and zero on error.
// |cbs| is advanced past the structure.
62 //
63 // Note that a SignedData structure may contain no CRLs, in which case this
64 // function succeeds but does not append any CRLs. Additionally, CRLs in
65 // SignedData structures are unordered. Callers should not assume an order in
66 // |*out_crls| and may need to search for matches.
67 OPENSSL_EXPORT int PKCS7_get_CRLs(STACK_OF(X509_CRL) *out_crls, CBS *cbs);
68 
69 // PKCS7_bundle_CRLs appends a PKCS#7, SignedData structure containing
70 // |crls| to |out|. It returns one on success and zero on error. Note that CRLs
71 // in SignedData structures are unordered. The order in |crls| will not be
72 // preserved.
73 OPENSSL_EXPORT int PKCS7_bundle_CRLs(CBB *out, const STACK_OF(X509_CRL) *crls);
74 
75 // PKCS7_get_PEM_certificates reads a PEM-encoded, PKCS#7, SignedData structure
76 // from |pem_bio| and appends the included certificates to |out_certs|. It
77 // returns one on success and zero on error.
78 //
79 // Note that a SignedData structure may contain no certificates, in which case
80 // this function succeeds but does not append any certificates. Additionally,
81 // certificates in SignedData structures are unordered. Callers should not
82 // assume a particular order in |*out_certs| and may need to search for matches
83 // or run path-building algorithms.
84 OPENSSL_EXPORT int PKCS7_get_PEM_certificates(STACK_OF(X509) *out_certs,
85                                               BIO *pem_bio);
86 
87 // PKCS7_get_PEM_CRLs reads a PEM-encoded, PKCS#7, SignedData structure from
88 // |pem_bio| and appends the included CRLs to |out_crls|. It returns one on
89 // success and zero on error.
90 //
91 // Note that a SignedData structure may contain no CRLs, in which case this
92 // function succeeds but does not append any CRLs. Additionally, CRLs in
93 // SignedData structures are unordered. Callers should not assume an order in
94 // |*out_crls| and may need to search for matches.
95 OPENSSL_EXPORT int PKCS7_get_PEM_CRLs(STACK_OF(X509_CRL) *out_crls,
96                                       BIO *pem_bio);
97 
98 
99 // Deprecated functions.
100 //
101 // These functions are a compatibility layer over a subset of OpenSSL's PKCS#7
102 // API. It intentionally does not implement the whole thing, only the minimum
103 // needed to build cryptography.io.
104 
// PKCS7_SIGNED holds what this compatibility layer extracts from a SignedData
// ContentInfo: its certificates and CRLs. Both stacks are unordered, as they
// are in the encoded structure, so callers must search rather than index.
// Presumably both are owned by the enclosing |PKCS7| and released by
// |PKCS7_free| -- confirm against the implementation.
typedef struct {
  STACK_OF(X509) *cert;     // certificates carried in the SignedData
  STACK_OF(X509_CRL) *crl;  // CRLs carried in the SignedData
} PKCS7_SIGNED;
109 
// PKCS7_SIGN_ENVELOPE mirrors the layout of |PKCS7_SIGNED|. Since
// |PKCS7_type_is_signedAndEnveloped| always returns zero, a parsed |PKCS7| is
// never reported as this type; the definition presumably exists only for
// source compatibility with OpenSSL.
typedef struct {
  STACK_OF(X509) *cert;     // certificates, unordered
  STACK_OF(X509_CRL) *crl;  // CRLs, unordered
} PKCS7_SIGN_ENVELOPE;
114 
// Opaque placeholders for the content types this layer does not parse. They are
// aliases of |void|, so nothing can be read through the matching members of the
// |PKCS7| |d| union; the |PKCS7_type_is_*| predicates below report these types
// as never present.
typedef void PKCS7_ENVELOPE;
typedef void PKCS7_DIGEST;
typedef void PKCS7_ENCRYPT;
typedef void PKCS7_SIGNER_INFO;  // nothing in this header refers to it
119 
typedef struct {
  // ber_bytes and ber_len hold the BER encoding of the ContentInfo as parsed.
  // Serialization (|i2d_PKCS7|) copies this encoding instead of re-encoding the
  // fields below, so changes made to |d| after parsing never reach the output.
  uint8_t *ber_bytes;
  size_t ber_len;

  // Unlike OpenSSL, the following fields are immutable. They are filled in when
  // the object is parsed and ignored in serialization.
  ASN1_OBJECT *type;  // NOTE(review): presumably the contentType OID -- confirm
  union {
    char *ptr;
    ASN1_OCTET_STRING *data;
    PKCS7_SIGNED *sign;
    // The members below mirror OpenSSL's layout. Only signed-data ContentInfos
    // are supported (see |PKCS7_type_is_signed|), and the other
    // |PKCS7_type_is_*| predicates always return zero, so presumably only
    // |sign| is ever populated here.
    PKCS7_ENVELOPE *enveloped;
    PKCS7_SIGN_ENVELOPE *signed_and_enveloped;
    PKCS7_DIGEST *digest;
    PKCS7_ENCRYPT *encrypted;
    ASN1_TYPE *other;
  } d;
} PKCS7;
138 
139 // d2i_PKCS7 parses a BER-encoded, PKCS#7 signed data ContentInfo structure from
140 // |len| bytes at |*inp|. If |out| is not NULL then, on exit, a pointer to the
141 // result is in |*out|. Note that, even if |*out| is already non-NULL on entry,
142 // it will not be written to. Rather, a fresh |PKCS7| is allocated and the
143 // previous one is freed. On successful exit, |*inp| is advanced past the BER
144 // structure.  It returns the result or NULL on error.
145 OPENSSL_EXPORT PKCS7 *d2i_PKCS7(PKCS7 **out, const uint8_t **inp,
146                                 size_t len);
147 
148 // d2i_PKCS7_bio behaves like |d2i_PKCS7| but reads the input from |bio|.  If
149 // the length of the object is indefinite the full contents of |bio| are read.
150 //
151 // If the function fails then some unknown amount of data may have been read
152 // from |bio|.
153 OPENSSL_EXPORT PKCS7 *d2i_PKCS7_bio(BIO *bio, PKCS7 **out);
154 
155 // i2d_PKCS7 is a dummy function which copies the contents of |p7|. If |out| is
156 // not NULL then the result is written to |*out| and |*out| is advanced just
157 // past the output. It returns the number of bytes in the result, whether
158 // written or not, or a negative value on error.
159 OPENSSL_EXPORT int i2d_PKCS7(const PKCS7 *p7, uint8_t **out);
160 
161 // i2d_PKCS7_bio writes |p7| to |bio|. It returns one on success and zero on
162 // error.
163 OPENSSL_EXPORT int i2d_PKCS7_bio(BIO *bio, const PKCS7 *p7);
164 
165 // PKCS7_free releases memory associated with |p7|.
166 OPENSSL_EXPORT void PKCS7_free(PKCS7 *p7);
167 
168 // PKCS7_type_is_data returns zero.
169 OPENSSL_EXPORT int PKCS7_type_is_data(const PKCS7 *p7);
170 
171 // PKCS7_type_is_digest returns zero.
172 OPENSSL_EXPORT int PKCS7_type_is_digest(const PKCS7 *p7);
173 
174 // PKCS7_type_is_encrypted returns zero.
175 OPENSSL_EXPORT int PKCS7_type_is_encrypted(const PKCS7 *p7);
176 
177 // PKCS7_type_is_enveloped returns zero.
178 OPENSSL_EXPORT int PKCS7_type_is_enveloped(const PKCS7 *p7);
179 
// PKCS7_type_is_signed returns one. (We only support signed data
// ContentInfos.)
182 OPENSSL_EXPORT int PKCS7_type_is_signed(const PKCS7 *p7);
183 
184 // PKCS7_type_is_signedAndEnveloped returns zero.
185 OPENSSL_EXPORT int PKCS7_type_is_signedAndEnveloped(const PKCS7 *p7);
186 
187 // PKCS7_DETACHED indicates that the PKCS#7 file specifies its data externally.
188 #define PKCS7_DETACHED 0x40
189 
// The following flags cause |PKCS7_sign| to fail, except in the exact
// combinations documented for |PKCS7_sign| below.
191 #define PKCS7_TEXT 0x1
192 #define PKCS7_NOCERTS 0x2
193 #define PKCS7_NOSIGS 0x4
194 #define PKCS7_NOCHAIN 0x8
195 #define PKCS7_NOINTERN 0x10
196 #define PKCS7_NOVERIFY 0x20
197 #define PKCS7_BINARY 0x80
198 #define PKCS7_NOATTR 0x100
199 #define PKCS7_NOSMIMECAP 0x200
200 #define PKCS7_STREAM 0x1000
201 #define PKCS7_PARTIAL 0x4000
202 
203 // PKCS7_sign can operate in two modes to provide some backwards compatibility:
204 //
205 // The first mode assembles |certs| into a PKCS#7 signed data ContentInfo with
206 // external data and no signatures. It returns a newly-allocated |PKCS7| on
207 // success or NULL on error. |sign_cert| and |pkey| must be NULL. |data| is
208 // ignored. |flags| must be equal to |PKCS7_DETACHED|. Additionally,
209 // certificates in SignedData structures are unordered. The order of |certs|
210 // will not be preserved.
211 //
212 // The second mode generates a detached RSA SHA-256 signature of |data| using
213 // |pkey| and produces a PKCS#7 SignedData structure containing it. |certs|
214 // must be NULL and |flags| must be exactly |PKCS7_NOATTR | PKCS7_BINARY |
215 // PKCS7_NOCERTS | PKCS7_DETACHED|.
216 //
217 // Note this function only implements a subset of the corresponding OpenSSL
218 // function. It is provided for backwards compatibility only.
219 OPENSSL_EXPORT PKCS7 *PKCS7_sign(X509 *sign_cert, EVP_PKEY *pkey,
220                                  STACK_OF(X509) *certs, BIO *data, int flags);
221 
222 
223 #if defined(__cplusplus)
224 }  // extern C
225 
226 extern "C++" {
227 BSSL_NAMESPACE_BEGIN
228 
229 BORINGSSL_MAKE_DELETER(PKCS7, PKCS7_free)
230 
231 BSSL_NAMESPACE_END
232 }  // extern C++
233 #endif
234 
// Reason codes for the errors this library reports. Their values are part of
// the API; compare against them rather than against the literals.
#define PKCS7_R_BAD_PKCS7_VERSION 100
#define PKCS7_R_NOT_PKCS7_SIGNED_DATA 101
#define PKCS7_R_NO_CERTIFICATES_INCLUDED 102
#define PKCS7_R_NO_CRLS_INCLUDED 103
239 
240 #endif  // OPENSSL_HEADER_PKCS7_H
241