1 | /** @file
|
---|
2 | * IPRT - PKCS \#7, Cryptographic Message Syntax Standard (aka CMS).
|
---|
3 | */
|
---|
4 |
|
---|
5 | /*
|
---|
6 | * Copyright (C) 2006-2022 Oracle and/or its affiliates.
|
---|
7 | *
|
---|
8 | * This file is part of VirtualBox base platform packages, as
|
---|
9 | * available from https://www.alldomusa.eu.org.
|
---|
10 | *
|
---|
11 | * This program is free software; you can redistribute it and/or
|
---|
12 | * modify it under the terms of the GNU General Public License
|
---|
13 | * as published by the Free Software Foundation, in version 3 of the
|
---|
14 | * License.
|
---|
15 | *
|
---|
16 | * This program is distributed in the hope that it will be useful, but
|
---|
17 | * WITHOUT ANY WARRANTY; without even the implied warranty of
|
---|
18 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
---|
19 | * General Public License for more details.
|
---|
20 | *
|
---|
21 | * You should have received a copy of the GNU General Public License
|
---|
22 | * along with this program; if not, see <https://www.gnu.org/licenses>.
|
---|
23 | *
|
---|
24 | * The contents of this file may alternatively be used under the terms
|
---|
25 | * of the Common Development and Distribution License Version 1.0
|
---|
26 | * (CDDL), a copy of it is provided in the "COPYING.CDDL" file included
|
---|
27 | * in the VirtualBox distribution, in which case the provisions of the
|
---|
28 | * CDDL are applicable instead of those of the GPL.
|
---|
29 | *
|
---|
30 | * You may elect to license modified versions of this file under the
|
---|
31 | * terms and conditions of either the GPL or the CDDL or both.
|
---|
32 | *
|
---|
33 | * SPDX-License-Identifier: GPL-3.0-only OR CDDL-1.0
|
---|
34 | */
|
---|
35 |
|
---|
36 | #ifndef IPRT_INCLUDED_crypto_pkcs7_h
|
---|
37 | #define IPRT_INCLUDED_crypto_pkcs7_h
|
---|
38 | #ifndef RT_WITHOUT_PRAGMA_ONCE
|
---|
39 | # pragma once
|
---|
40 | #endif
|
---|
41 |
|
---|
42 | #include <iprt/asn1.h>
|
---|
43 | #include <iprt/crypto/x509.h>
|
---|
44 |
|
---|
45 |
|
---|
46 | RT_C_DECLS_BEGIN
|
---|
47 |
|
---|
48 | struct RTCRPKCS7CONTENTINFO;
|
---|
49 |
|
---|
50 |
|
---|
51 | /** @defgroup grp_rt_crpkcs7 RTCrPkcs7 - PKCS \#7, Cryptographic Message Syntax Standard (aka CMS).
|
---|
52 | * @ingroup grp_rt_crypto
|
---|
53 | * @{
|
---|
54 | */
|
---|
55 |
|
---|
56 | /** PKCS \#7 data object ID.*/
|
---|
57 | #define RTCR_PKCS7_DATA_OID "1.2.840.113549.1.7.1"
|
---|
58 | /** PKCS \#7 signedData object ID. */
|
---|
59 | #define RTCR_PKCS7_SIGNED_DATA_OID "1.2.840.113549.1.7.2"
|
---|
60 | /** PKCS \#7 envelopedData object ID. */
|
---|
61 | #define RTCR_PKCS7_ENVELOPED_DATA_OID "1.2.840.113549.1.7.3"
|
---|
62 | /** PKCS \#7 signedAndEnvelopedData object ID. */
|
---|
63 | #define RTCR_PKCS7_SIGNED_AND_ENVELOPED_DATA_OID "1.2.840.113549.1.7.4"
|
---|
64 | /** PKCS \#7 digestedData object ID. */
|
---|
65 | #define RTCR_PKCS7_DIGESTED_DATA_OID "1.2.840.113549.1.7.5"
|
---|
66 | /** PKCS \#7 encryptedData object ID. */
|
---|
67 | #define RTCR_PKCS7_ENCRYPTED_DATA_OID "1.2.840.113549.1.7.6"
|
---|
68 |
|
---|
69 |
|
---|
70 | /**
|
---|
71 | * PKCS \#7 IssuerAndSerialNumber (IPRT representation).
|
---|
72 | */
|
---|
73 | typedef struct RTCRPKCS7ISSUERANDSERIALNUMBER
|
---|
74 | {
|
---|
75 | /** Sequence core. */
|
---|
76 | RTASN1SEQUENCECORE SeqCore;
|
---|
77 | /** The certificate name. */
|
---|
78 | RTCRX509NAME Name;
|
---|
79 | /** The certificate serial number. */
|
---|
80 | RTASN1INTEGER SerialNumber;
|
---|
81 | } RTCRPKCS7ISSUERANDSERIALNUMBER;
|
---|
82 | /** Pointer to the IPRT representation of a PKCS \#7 IssuerAndSerialNumber. */
|
---|
83 | typedef RTCRPKCS7ISSUERANDSERIALNUMBER *PRTCRPKCS7ISSUERANDSERIALNUMBER;
|
---|
84 | /** Pointer to the const IPRT representation of a PKCS \#7
|
---|
85 | * IssuerAndSerialNumber. */
|
---|
86 | typedef RTCRPKCS7ISSUERANDSERIALNUMBER const *PCRTCRPKCS7ISSUERANDSERIALNUMBER;
|
---|
87 | RTASN1TYPE_STANDARD_PROTOTYPES(RTCRPKCS7ISSUERANDSERIALNUMBER, RTDECL, RTCrPkcs7IssuerAndSerialNumber, SeqCore.Asn1Core);
|
---|
88 |
|
---|
89 |
|
---|
90 | /** Pointer to the IPRT representation of a PKCS \#7 SignerInfo. */
|
---|
91 | typedef struct RTCRPKCS7SIGNERINFO *PRTCRPKCS7SIGNERINFO;
|
---|
92 | /** Pointer to the const IPRT representation of a PKCS \#7 SignerInfo. */
|
---|
93 | typedef struct RTCRPKCS7SIGNERINFO const *PCRTCRPKCS7SIGNERINFO;
|
---|
94 | RTASN1_IMPL_GEN_SET_OF_TYPEDEFS_AND_PROTOS(RTCRPKCS7SIGNERINFOS, RTCRPKCS7SIGNERINFO, RTDECL, RTCrPkcs7SignerInfos);
|
---|
95 |
|
---|
96 |
|
---|
97 | /**
|
---|
98 | * Attribute value type (for the union).
|
---|
99 | */
|
---|
100 | typedef enum RTCRPKCS7ATTRIBUTETYPE
|
---|
101 | {
|
---|
102 | /** Zero is invalid. */
|
---|
103 | RTCRPKCS7ATTRIBUTETYPE_INVALID = 0,
|
---|
104 | /** Not present, union is NULL. */
|
---|
105 | RTCRPKCS7ATTRIBUTETYPE_NOT_PRESENT,
|
---|
106 | /** Unknown values, pCores. */
|
---|
107 | RTCRPKCS7ATTRIBUTETYPE_UNKNOWN,
|
---|
108 | /** Object IDs, use pObjIds. */
|
---|
109 | RTCRPKCS7ATTRIBUTETYPE_OBJ_IDS,
|
---|
110 | /** Octet strings, use pOctetStrings. */
|
---|
111 | RTCRPKCS7ATTRIBUTETYPE_OCTET_STRINGS,
|
---|
112 | /** Counter signatures (PKCS \#9), use pCounterSignatures. */
|
---|
113 | RTCRPKCS7ATTRIBUTETYPE_COUNTER_SIGNATURES,
|
---|
114 | /** Signing time (PKCS \#9), use pSigningTime. */
|
---|
115 | RTCRPKCS7ATTRIBUTETYPE_SIGNING_TIME,
|
---|
116 | /** Microsoft timestamp info (RFC-3161) signed data, use pContentInfo. */
|
---|
117 | RTCRPKCS7ATTRIBUTETYPE_MS_TIMESTAMP,
|
---|
118 | /** Microsoft nested PKCS\#7 signature (signtool /as). */
|
---|
119 | RTCRPKCS7ATTRIBUTETYPE_MS_NESTED_SIGNATURE,
|
---|
120 | /** Microsoft statement type, use pObjIdSeqs. */
|
---|
121 | RTCRPKCS7ATTRIBUTETYPE_MS_STATEMENT_TYPE,
|
---|
122 | /** Apple plist with the all code directory digests, use pOctetStrings. */
|
---|
123 | RTCRPKCS7ATTRIBUTETYPE_APPLE_MULTI_CD_PLIST,
|
---|
124 | /** Blow the type up to 32-bits. */
|
---|
125 | RTCRPKCS7ATTRIBUTETYPE_32BIT_HACK = 0x7fffffff
|
---|
126 | } RTCRPKCS7ATTRIBUTETYPE;
|
---|
127 |
|
---|
128 | /**
|
---|
129 | * PKCS \#7 Attribute (IPRT representation).
|
---|
130 | */
|
---|
131 | typedef struct RTCRPKCS7ATTRIBUTE
|
---|
132 | {
|
---|
133 | /** Sequence core. */
|
---|
134 | RTASN1SEQUENCECORE SeqCore;
|
---|
135 | /** The attribute type (object ID). */
|
---|
136 | RTASN1OBJID Type;
|
---|
137 | /** The type of data found in the values union. */
|
---|
138 | RTCRPKCS7ATTRIBUTETYPE enmType;
|
---|
139 | /** Value allocation. */
|
---|
140 | RTASN1ALLOCATION Allocation;
|
---|
141 | /** Values. */
|
---|
142 | union
|
---|
143 | {
|
---|
144 | /** ASN.1 cores (RTCRPKCS7ATTRIBUTETYPE_UNKNOWN). */
|
---|
145 | PRTASN1SETOFCORES pCores;
|
---|
146 | /** ASN.1 object identifiers (RTCRPKCS7ATTRIBUTETYPE_OBJ_IDS). */
|
---|
147 | PRTASN1SETOFOBJIDS pObjIds;
|
---|
148 | /** Sequence of ASN.1 object identifiers (RTCRPKCS7ATTRIBUTETYPE_MS_STATEMENT_TYPE). */
|
---|
149 | PRTASN1SETOFOBJIDSEQS pObjIdSeqs;
|
---|
150 | /** ASN.1 octet strings (RTCRPKCS7ATTRIBUTETYPE_OCTET_STRINGS). */
|
---|
151 | PRTASN1SETOFOCTETSTRINGS pOctetStrings;
|
---|
152 | /** Counter signatures RTCRPKCS7ATTRIBUTETYPE_COUNTER_SIGNATURES(). */
|
---|
153 | PRTCRPKCS7SIGNERINFOS pCounterSignatures;
|
---|
154 | /** Signing time(s) (RTCRPKCS7ATTRIBUTETYPE_SIGNING_TIME). */
|
---|
155 | PRTASN1SETOFTIMES pSigningTime;
|
---|
156 | /** Microsoft timestamp (RFC-3161 signed data, RTCRPKCS7ATTRIBUTETYPE_MS_TIMESTAMP),
|
---|
157 | * Microsoft nested signature (RTCRPKCS7ATTRIBUTETYPE_MS_NESTED_SIGNATURE). */
|
---|
158 | struct RTCRPKCS7SETOFCONTENTINFOS *pContentInfos;
|
---|
159 | } uValues;
|
---|
160 | } RTCRPKCS7ATTRIBUTE;
|
---|
161 | /** Pointer to the IPRT representation of a PKCS \#7 Attribute. */
|
---|
162 | typedef RTCRPKCS7ATTRIBUTE *PRTCRPKCS7ATTRIBUTE;
|
---|
163 | /** Pointer to the const IPRT representation of a PKCS \#7 Attribute. */
|
---|
164 | typedef RTCRPKCS7ATTRIBUTE const *PCRTCRPKCS7ATTRIBUTE;
|
---|
165 | RTASN1TYPE_STANDARD_PROTOTYPES(RTCRPKCS7ATTRIBUTE, RTDECL, RTCrPkcs7Attribute, SeqCore.Asn1Core);
|
---|
166 |
|
---|
167 | RTDECL(int) RTCrPkcs7Attribute_SetAppleMultiCdPlist(PRTCRPKCS7ATTRIBUTE pThis, PCRTASN1SETOFOCTETSTRINGS pToClone,
|
---|
168 | PCRTASN1ALLOCATORVTABLE pAllocator);
|
---|
169 | RTDECL(int) RTCrPkcs7Attribute_SetContentType(PRTCRPKCS7ATTRIBUTE pThis, PCRTASN1SETOFOBJIDS pToClone,
|
---|
170 | PCRTASN1ALLOCATORVTABLE pAllocator);
|
---|
171 | RTDECL(int) RTCrPkcs7Attribute_SetCounterSignatures(PRTCRPKCS7ATTRIBUTE pThis, PCRTCRPKCS7SIGNERINFOS pToClone,
|
---|
172 | PCRTASN1ALLOCATORVTABLE pAllocator);
|
---|
173 | RTDECL(int) RTCrPkcs7Attribute_SetMessageDigest(PRTCRPKCS7ATTRIBUTE pThis, PCRTASN1SETOFOCTETSTRINGS pToClone,
|
---|
174 | PCRTASN1ALLOCATORVTABLE pAllocator);
|
---|
175 | RTDECL(int) RTCrPkcs7Attribute_SetMsStatementType(PRTCRPKCS7ATTRIBUTE pThis, PCRTASN1SETOFOBJIDSEQS pToClone,
|
---|
176 | PCRTASN1ALLOCATORVTABLE pAllocator);
|
---|
177 | RTDECL(int) RTCrPkcs7Attribute_SetMsNestedSignature(PRTCRPKCS7ATTRIBUTE pThis, struct RTCRPKCS7SETOFCONTENTINFOS const *pToClone,
|
---|
178 | PCRTASN1ALLOCATORVTABLE pAllocator);
|
---|
179 | RTDECL(int) RTCrPkcs7Attribute_SetMsTimestamp(PRTCRPKCS7ATTRIBUTE pThis, struct RTCRPKCS7SETOFCONTENTINFOS const *pToClone,
|
---|
180 | PCRTASN1ALLOCATORVTABLE pAllocator);
|
---|
181 | RTDECL(int) RTCrPkcs7Attribute_SetSigningTime(PRTCRPKCS7ATTRIBUTE pThis, PCRTASN1SETOFTIMES pToClone,
|
---|
182 | PCRTASN1ALLOCATORVTABLE pAllocator);
|
---|
183 |
|
---|
184 | RTASN1_IMPL_GEN_SET_OF_TYPEDEFS_AND_PROTOS(RTCRPKCS7ATTRIBUTES, RTCRPKCS7ATTRIBUTE, RTDECL, RTCrPkcs7Attributes);
|
---|
185 |
|
---|
186 | RTDECL(int) RTCrPkcs7Attributes_HashAttributes(PRTCRPKCS7ATTRIBUTES pAttributes, RTCRDIGEST hDigest, PRTERRINFO pErrInfo);
|
---|
187 |
|
---|
188 |
|
---|
189 | /**
|
---|
190 | * One PKCS \#7 SignerInfo (IPRT representation).
|
---|
191 | */
|
---|
192 | typedef struct RTCRPKCS7SIGNERINFO
|
---|
193 | {
|
---|
194 | /** Sequence core. */
|
---|
195 | RTASN1SEQUENCECORE SeqCore;
|
---|
196 | /** The structure version (RTCRPKCS7SIGNERINFO_V1). */
|
---|
197 | RTASN1INTEGER Version;
|
---|
198 | /** The issuer and serial number of the certificate used to produce the
|
---|
199 | * encrypted digest below. */
|
---|
200 | RTCRPKCS7ISSUERANDSERIALNUMBER IssuerAndSerialNumber;
|
---|
201 | /** The digest algorithm use to digest the signed content. */
|
---|
202 | RTCRX509ALGORITHMIDENTIFIER DigestAlgorithm;
|
---|
203 | /** Authenticated attributes, optional [0].
|
---|
204 | * @todo Check how other producers formats this. The microsoft one does not
|
---|
205 | * have explicit tags, but combines it with the SET OF. */
|
---|
206 | RTCRPKCS7ATTRIBUTES AuthenticatedAttributes;
|
---|
207 | /** The digest encryption algorithm use to encrypt the digest of the signed
|
---|
208 | * content. */
|
---|
209 | RTCRX509ALGORITHMIDENTIFIER DigestEncryptionAlgorithm;
|
---|
210 | /** The encrypted digest. */
|
---|
211 | RTASN1OCTETSTRING EncryptedDigest;
|
---|
212 | /** Unauthenticated attributes, optional [1].
|
---|
213 | * @todo Check how other producers formats this. The microsoft one does not
|
---|
214 | * have explicit tags, but combines it with the SET OF. */
|
---|
215 | RTCRPKCS7ATTRIBUTES UnauthenticatedAttributes;
|
---|
216 | } RTCRPKCS7SIGNERINFO;
|
---|
217 | RTASN1TYPE_STANDARD_PROTOTYPES(RTCRPKCS7SIGNERINFO, RTDECL, RTCrPkcs7SignerInfo, SeqCore.Asn1Core);
|
---|
218 |
|
---|
219 | RTDECL(int) RTCrPkcs7SignerInfo_SetAuthenticatedAttributes(PRTCRPKCS7SIGNERINFO pThis, PCRTCRPKCS7ATTRIBUTES pAttributes,
|
---|
220 | PCRTASN1ALLOCATORVTABLE pAllocator);
|
---|
221 | RTDECL(int) RTCrPkcs7SignerInfo_SetUnauthenticatedAttributes(PRTCRPKCS7SIGNERINFO pThis, PCRTCRPKCS7ATTRIBUTES pAttributes,
|
---|
222 | PCRTASN1ALLOCATORVTABLE pAllocator);
|
---|
223 |
|
---|
224 | /** RTCRPKCS7SIGNERINFO::Version value. */
|
---|
225 | #define RTCRPKCS7SIGNERINFO_V1 1
|
---|
226 |
|
---|
227 | /** @name PKCS \#9 Attribute IDs
|
---|
228 | * @{ */
|
---|
229 | /** Content type (RFC-2630 11.1).
|
---|
230 | * Value: Object Identifier */
|
---|
231 | #define RTCR_PKCS9_ID_CONTENT_TYPE_OID "1.2.840.113549.1.9.3"
|
---|
232 | /** Message digest (RFC-2630 11.2).
|
---|
233 | * Value: Octet string. */
|
---|
234 | #define RTCR_PKCS9_ID_MESSAGE_DIGEST_OID "1.2.840.113549.1.9.4"
|
---|
235 | /** Signing time (RFC-2630 11.3).
|
---|
236 | * Value: Octet string. */
|
---|
237 | #define RTCR_PKCS9_ID_SIGNING_TIME_OID "1.2.840.113549.1.9.5"
|
---|
238 | /** Counter signature (RFC-2630 11.4).
|
---|
239 | * Value: SignerInfo. */
|
---|
240 | #define RTCR_PKCS9_ID_COUNTER_SIGNATURE_OID "1.2.840.113549.1.9.6"
|
---|
241 | /** Microsoft timestamp (RTF-3161) counter signature (SignedData).
|
---|
242 | * @remarks This isn't defined by PKCS \#9, but lumped in here for convenience. It's actually listed as SPC by MS. */
|
---|
243 | #define RTCR_PKCS9_ID_MS_TIMESTAMP "1.3.6.1.4.1.311.3.3.1"
|
---|
244 | /** Microsoft nested PKCS\#7 signature.
|
---|
245 | * @remarks This isn't defined by PKCS \#9, but lumped in here for convenience. */
|
---|
246 | #define RTCR_PKCS9_ID_MS_NESTED_SIGNATURE "1.3.6.1.4.1.311.2.4.1"
|
---|
247 | /** Microsoft statement type.
|
---|
248 | * @remarks This isn't defined by PKCS \#9, but lumped in here for convenience. It's actually listed as SPC by MS. */
|
---|
249 | #define RTCR_PKCS9_ID_MS_STATEMENT_TYPE "1.3.6.1.4.1.311.2.1.11"
|
---|
250 | /** Microsoft opus info.
|
---|
251 | * @remarks This isn't defined by PKCS \#9, but lumped in here for convenience. It's actually listed as SPC by MS. */
|
---|
252 | #define RTCR_PKCS9_ID_MS_SP_OPUS_INFO "1.3.6.1.4.1.311.2.1.12"
|
---|
253 | /** Apple code signing multi-code-directory plist.
|
---|
254 | * @remarks This isn't defined by PKCS \#9, but lumped in here for convenience. */
|
---|
255 | #define RTCR_PKCS9_ID_APPLE_MULTI_CD_PLIST "1.2.840.113635.100.9.1"
|
---|
256 | /** @} */
|
---|
257 |
|
---|
258 |
|
---|
259 | /**
|
---|
260 | * Get the (next) signing time attribute from the specfied SignerInfo or one of
|
---|
261 | * the immediate counter signatures.
|
---|
262 | *
|
---|
263 | * @returns Pointer to the signing time if found, NULL if not.
|
---|
264 | * @param pThis The SignerInfo to search.
|
---|
265 | * @param ppSignerInfo Pointer to variable keeping track of the
|
---|
266 | * enumeration, optional.
|
---|
267 | *
|
---|
268 | * If specified the input value is taken to the be
|
---|
269 | * SignerInfo of the previously returned signing
|
---|
270 | * time. The value pointed to is NULL, the
|
---|
271 | * search/enum restarts.
|
---|
272 | *
|
---|
273 | * On successful return this is set to the
|
---|
274 | * SignerInfo which we found the signing time in.
|
---|
275 | */
|
---|
276 | RTDECL(PCRTASN1TIME) RTCrPkcs7SignerInfo_GetSigningTime(PCRTCRPKCS7SIGNERINFO pThis, PCRTCRPKCS7SIGNERINFO *ppSignerInfo);
|
---|
277 |
|
---|
278 |
|
---|
279 | /**
|
---|
280 | * Get the (first) timestamp from within a Microsoft timestamp server counter
|
---|
281 | * signature.
|
---|
282 | *
|
---|
283 | * @returns Pointer to the signing time if found, NULL if not.
|
---|
284 | * @param pThis The SignerInfo to search.
|
---|
285 | * @param ppContentInfoRet Where to return the pointer to the counter
|
---|
286 | * signature, optional.
|
---|
287 | */
|
---|
288 | RTDECL(PCRTASN1TIME) RTCrPkcs7SignerInfo_GetMsTimestamp(PCRTCRPKCS7SIGNERINFO pThis,
|
---|
289 | struct RTCRPKCS7CONTENTINFO const **ppContentInfoRet);
|
---|
290 |
|
---|
291 |
|
---|
292 |
|
---|
293 | /**
|
---|
294 | * PKCS \#7 ContentInfo (IPRT representation).
|
---|
295 | */
|
---|
296 | typedef struct RTCRPKCS7CONTENTINFO
|
---|
297 | {
|
---|
298 | /** Sequence core. */
|
---|
299 | RTASN1SEQUENCECORE SeqCore;
|
---|
300 | /** Object ID identifying the content below. */
|
---|
301 | RTASN1OBJID ContentType;
|
---|
302 | /** Content, optional, explicit tag 0.
|
---|
303 | *
|
---|
304 | * Hack alert! This should've been an explict context tag 0 structure with a
|
---|
305 | * type selected according to ContentType. However, it's simpler to replace the
|
---|
306 | * explicit context with an OCTET STRING with implict tag 0. Then we can tag
|
---|
307 | * along on the encapsulation logic RTASN1OCTETSTRING provides for the dynamic
|
---|
308 | * inner type. The default decoder code will detect known structures as
|
---|
309 | * outlined in the union below, and decode the octet string content as an
|
---|
310 | * anonymous RTASN1CORE if not known.
|
---|
311 | *
|
---|
312 | * If the user want to decode the octet string content differently, it can do so
|
---|
313 | * by destroying and freeing the current encapsulated pointer, replacing it with
|
---|
314 | * it's own. (Of course following the RTASN1OCTETSTRING rules.) Just remember
|
---|
315 | * to also update the value in the union.
|
---|
316 | *
|
---|
317 | * @remarks What's signed and verified is Content.pEncapsulated->uData.pv.
|
---|
318 | */
|
---|
319 | RTASN1OCTETSTRING Content;
|
---|
320 | /** Pointer to the CMS octet string that's inside the Content, NULL if PKCS \#7.
|
---|
321 | *
|
---|
322 | * Hack alert! When transitioning from PKCS \#7 to CMS, the designers decided to
|
---|
323 | * change things and add another wrapper. This time we're talking about a real
|
---|
324 | * octet string, not like the one above which is really an explicit content tag.
|
---|
325 | * When constructing or decoding CMS content, this will be the same pointer as
|
---|
326 | * Content.pEncapsulated, while the union below will be holding the same pointer
|
---|
327 | * as pCmsContent->pEncapsulated.
|
---|
328 | */
|
---|
329 | PRTASN1OCTETSTRING pCmsContent;
|
---|
330 | /** Same as Content.pEncapsulated, except a choice of known types. */
|
---|
331 | union
|
---|
332 | {
|
---|
333 | /** ContentType is RTCRPKCS7SIGNEDDATA_OID. */
|
---|
334 | struct RTCRPKCS7SIGNEDDATA *pSignedData;
|
---|
335 | /** ContentType is RTCRSPCINDIRECTDATACONTENT_OID. */
|
---|
336 | struct RTCRSPCINDIRECTDATACONTENT *pIndirectDataContent;
|
---|
337 | /** ContentType is RTCRTSPTSTINFO_OID. */
|
---|
338 | struct RTCRTSPTSTINFO *pTstInfo;
|
---|
339 | /** Generic / Unknown / User. */
|
---|
340 | PRTASN1CORE pCore;
|
---|
341 | } u;
|
---|
342 | } RTCRPKCS7CONTENTINFO;
|
---|
343 | /** Pointer to the IPRT representation of a PKCS \#7 ContentInfo. */
|
---|
344 | typedef RTCRPKCS7CONTENTINFO *PRTCRPKCS7CONTENTINFO;
|
---|
345 | /** Pointer to the const IPRT representation of a PKCS \#7 ContentInfo. */
|
---|
346 | typedef RTCRPKCS7CONTENTINFO const *PCRTCRPKCS7CONTENTINFO;
|
---|
347 | RTASN1TYPE_STANDARD_PROTOTYPES(RTCRPKCS7CONTENTINFO, RTDECL, RTCrPkcs7ContentInfo, SeqCore.Asn1Core);
|
---|
348 | RTASN1_IMPL_GEN_SET_OF_TYPEDEFS_AND_PROTOS(RTCRPKCS7SETOFCONTENTINFOS, RTCRPKCS7CONTENTINFO, RTDECL, RTCrPkcs7SetOfContentInfos);
|
---|
349 |
|
---|
350 | RTDECL(bool) RTCrPkcs7ContentInfo_IsSignedData(PCRTCRPKCS7CONTENTINFO pThis);
|
---|
351 |
|
---|
352 |
|
---|
353 | /**
|
---|
354 | * PKCS \#7 Certificate choice.
|
---|
355 | */
|
---|
356 | typedef enum RTCRPKCS7CERTCHOICE
|
---|
357 | {
|
---|
358 | RTCRPKCS7CERTCHOICE_INVALID = 0,
|
---|
359 | RTCRPKCS7CERTCHOICE_X509,
|
---|
360 | RTCRPKCS7CERTCHOICE_EXTENDED_PKCS6,
|
---|
361 | RTCRPKCS7CERTCHOICE_AC_V1,
|
---|
362 | RTCRPKCS7CERTCHOICE_AC_V2,
|
---|
363 | RTCRPKCS7CERTCHOICE_OTHER,
|
---|
364 | RTCRPKCS7CERTCHOICE_END,
|
---|
365 | RTCRPKCS7CERTCHOICE_32BIT_HACK = 0x7fffffff
|
---|
366 | } RTCRPKCS7CERTCHOICE;
|
---|
367 |
|
---|
368 |
|
---|
369 | /**
|
---|
370 | * Common representation for PKCS \#7 ExtendedCertificateOrCertificate and the
|
---|
371 | * CMS CertificateChoices types.
|
---|
372 | */
|
---|
373 | typedef struct RTCRPKCS7CERT
|
---|
374 | {
|
---|
375 | /** Dummy ASN.1 record, not encoded. */
|
---|
376 | RTASN1DUMMY Dummy;
|
---|
377 | /** The value allocation. */
|
---|
378 | RTASN1ALLOCATION Allocation;
|
---|
379 | /** The choice of value. */
|
---|
380 | RTCRPKCS7CERTCHOICE enmChoice;
|
---|
381 | /** The value union. */
|
---|
382 | union
|
---|
383 | {
|
---|
384 | /** Standard X.509 certificate (RTCRCMSCERTIFICATECHOICE_X509). */
|
---|
385 | PRTCRX509CERTIFICATE pX509Cert;
|
---|
386 | /** Extended PKCS \#6 certificate (RTCRCMSCERTIFICATECHOICE_EXTENDED_PKCS6). */
|
---|
387 | PRTASN1CORE pExtendedCert;
|
---|
388 | /** Attribute certificate version 1 (RTCRCMSCERTIFICATECHOICE_AC_V1). */
|
---|
389 | PRTASN1CORE pAcV1;
|
---|
390 | /** Attribute certificate version 2 (RTCRCMSCERTIFICATECHOICE_AC_V2). */
|
---|
391 | PRTASN1CORE pAcV2;
|
---|
392 | /** Other certificate (RTCRCMSCERTIFICATECHOICE_OTHER). */
|
---|
393 | PRTASN1CORE pOtherCert;
|
---|
394 | } u;
|
---|
395 | } RTCRPKCS7CERT;
|
---|
396 | /** Pointer to the IPRT representation of PKCS \#7 or CMS certificate. */
|
---|
397 | typedef RTCRPKCS7CERT *PRTCRPKCS7CERT;
|
---|
398 | /** Pointer to the const IPRT representation of PKCS \#7 or CMS certificate. */
|
---|
399 | typedef RTCRPKCS7CERT const *PCRTCRPKCS7CERT;
|
---|
400 | RTASN1TYPE_STANDARD_PROTOTYPES(RTCRPKCS7CERT, RTDECL, RTCrPkcs7Cert, Dummy.Asn1Core);
|
---|
401 | RTASN1_IMPL_GEN_SET_OF_TYPEDEFS_AND_PROTOS(RTCRPKCS7SETOFCERTS, RTCRPKCS7CERT, RTDECL, RTCrPkcs7SetOfCerts);
|
---|
402 |
|
---|
403 | RTDECL(int) RTCrPkcs7Cert_SetX509Cert(PRTCRPKCS7CERT pThis, PCRTCRX509CERTIFICATE pToClone, PCRTASN1ALLOCATORVTABLE pAllocator);
|
---|
404 | RTDECL(int) RTCrPkcs7Cert_SetExtendedCert(PRTCRPKCS7CERT pThis, PCRTASN1CORE pToClone, PCRTASN1ALLOCATORVTABLE pAllocator);
|
---|
405 | RTDECL(int) RTCrPkcs7Cert_SetAcV1(PRTCRPKCS7CERT pThis, PCRTASN1CORE pToClone, PCRTASN1ALLOCATORVTABLE pAllocator);
|
---|
406 | RTDECL(int) RTCrPkcs7Cert_SetAcV2(PRTCRPKCS7CERT pThis, PCRTASN1CORE pToClone, PCRTASN1ALLOCATORVTABLE pAllocator);
|
---|
407 | RTDECL(int) RTCrPkcs7Cert_SetOtherCert(PRTCRPKCS7CERT pThis, PCRTASN1CORE pToClone, PCRTASN1ALLOCATORVTABLE pAllocator);
|
---|
408 |
|
---|
409 | RTDECL(PCRTCRX509CERTIFICATE) RTCrPkcs7SetOfCerts_FindX509ByIssuerAndSerialNumber(PCRTCRPKCS7SETOFCERTS pCertificates,
|
---|
410 | PCRTCRX509NAME pIssuer,
|
---|
411 | PCRTASN1INTEGER pSerialNumber);
|
---|
412 |
|
---|
413 |
|
---|
414 | /**
|
---|
415 | * PKCS \#7 SignedData (IPRT representation).
|
---|
416 | */
|
---|
417 | typedef struct RTCRPKCS7SIGNEDDATA
|
---|
418 | {
|
---|
419 | /** Sequence core. */
|
---|
420 | RTASN1SEQUENCECORE SeqCore;
|
---|
421 | /** The structure version value (1). */
|
---|
422 | RTASN1INTEGER Version;
|
---|
423 | /** The digest algorithms that are used to signed the content (ContentInfo). */
|
---|
424 | RTCRX509ALGORITHMIDENTIFIERS DigestAlgorithms;
|
---|
425 | /** The content that's being signed. */
|
---|
426 | RTCRPKCS7CONTENTINFO ContentInfo;
|
---|
427 | /** Certificates, optional, implicit tag 0. (Required by Authenticode.) */
|
---|
428 | RTCRPKCS7SETOFCERTS Certificates;
|
---|
429 | /** Certificate revocation lists, optional, implicit tag 1.
|
---|
430 | * Not used by Authenticode, so currently stubbed. */
|
---|
431 | RTASN1CORE Crls;
|
---|
432 | /** Signer infos. */
|
---|
433 | RTCRPKCS7SIGNERINFOS SignerInfos;
|
---|
434 | } RTCRPKCS7SIGNEDDATA;
|
---|
435 | /** Pointer to the IPRT representation of a PKCS \#7 SignedData. */
|
---|
436 | typedef RTCRPKCS7SIGNEDDATA *PRTCRPKCS7SIGNEDDATA;
|
---|
437 | /** Pointer to the const IPRT representation of a PKCS \#7 SignedData. */
|
---|
438 | typedef RTCRPKCS7SIGNEDDATA const *PCRTCRPKCS7SIGNEDDATA;
|
---|
439 | RTASN1TYPE_STANDARD_PROTOTYPES(RTCRPKCS7SIGNEDDATA, RTDECL, RTCrPkcs7SignedData, SeqCore.Asn1Core);
|
---|
440 | RTASN1_IMPL_GEN_SET_OF_TYPEDEFS_AND_PROTOS(RTCRPKCS7SETOFSIGNEDDATA, RTCRPKCS7SIGNEDDATA, RTDECL, RTCrPkcs7SetOfSignedData);
|
---|
441 |
|
---|
442 | /** PKCS \#7 SignedData object ID. */
|
---|
443 | #define RTCRPKCS7SIGNEDDATA_OID RTCR_PKCS7_SIGNED_DATA_OID
|
---|
444 |
|
---|
445 | /** PKCS \#7 SignedData version number 1. */
|
---|
446 | #define RTCRPKCS7SIGNEDDATA_V1 1
|
---|
447 | /* No version 2 seems to exist. */
|
---|
448 | /** CMS SignedData version number 3.
|
---|
449 | * This should only be used if there are version 1 attribute certificates
|
---|
450 | * present, or if there are version 3 SignerInfo items present, or if
|
---|
451 | * enmcCountInfo is not id-data (RFC-5652, section 5.1). */
|
---|
452 | #define RTCRPKCS7SIGNEDDATA_V3 3
|
---|
453 | /** CMS SignedData version number 4.
|
---|
454 | * This should only be used if there are version 2 attribute certificates
|
---|
455 | * present (RFC-5652, section 5.1). */
|
---|
456 | #define RTCRPKCS7SIGNEDDATA_V4 4
|
---|
457 | /** CMS SignedData version number 5.
|
---|
458 | * This should only be used if there are certificates or/and CRLs of the
|
---|
459 | * OTHER type present (RFC-5652, section 5.1). */
|
---|
460 | #define RTCRPKCS7SIGNEDDATA_V5 5
|
---|
461 |
|
---|
462 | RTDECL(int) RTCrPkcs7SignedData_SetCertificates(PRTCRPKCS7SIGNEDDATA pThis, PCRTCRPKCS7SETOFCERTS pCerts, PCRTASN1ALLOCATORVTABLE pAllocator);
|
---|
463 | RTDECL(int) RTCrPkcs7SignedData_SetCrls(PRTCRPKCS7SIGNEDDATA pThis, PCRTASN1CORE pCerts, PCRTASN1ALLOCATORVTABLE pAllocator);
|
---|
464 |
|
---|
465 | /** @name RTCRPKCS7SIGNEDDATA_SANITY_F_XXX - Flags for RTPkcs7SignedDataCheckSantiy.
|
---|
466 | * @{ */
|
---|
467 | /** Check for authenticode restrictions. */
|
---|
468 | #define RTCRPKCS7SIGNEDDATA_SANITY_F_AUTHENTICODE RT_BIT_32(0)
|
---|
469 | /** Check that all the hash algorithms are known to IPRT. */
|
---|
470 | #define RTCRPKCS7SIGNEDDATA_SANITY_F_ONLY_KNOWN_HASH RT_BIT_32(1)
|
---|
471 | /** Require signing certificate to be present. */
|
---|
472 | #define RTCRPKCS7SIGNEDDATA_SANITY_F_SIGNING_CERT_PRESENT RT_BIT_32(2)
|
---|
473 | /** @} */
|
---|
474 |
|
---|
475 | /** PKCS\#7/CMS (content info) markers. */
|
---|
476 | extern RTDATADECL(RTCRPEMMARKER const) g_aRTCrPkcs7Markers[];
|
---|
477 | /** Number of entries in g_aRTCrPkcs7Markers. */
|
---|
478 | extern RTDATADECL(uint32_t const) g_cRTCrPkcs7Markers;
|
---|
479 |
|
---|
480 | /** @name Flags for RTCrPkcs7ContentInfo_ReadFromBuffer
|
---|
481 | * @{ */
|
---|
482 | /** Only allow PEM certificates, not binary ones.
|
---|
483 | * @sa RTCRPEMREADFILE_F_ONLY_PEM */
|
---|
484 | #define RTCRPKCS7_READ_F_PEM_ONLY RT_BIT(1)
|
---|
485 | /** @} */
|
---|
486 |
|
---|
487 | RTDECL(int) RTCrPkcs7_ReadFromBuffer(PRTCRPKCS7CONTENTINFO pContentInfo, const void *pvBuf, size_t cbBuf,
|
---|
488 | uint32_t fFlags, PCRTASN1ALLOCATORVTABLE pAllocator,
|
---|
489 | bool *pfCmsLabeled, PRTERRINFO pErrInfo, const char *pszErrorTag);
|
---|
490 |
|
---|
491 |
|
---|
492 | /**
|
---|
493 | * PKCS \#7 DigestInfo (IPRT representation).
|
---|
494 | */
|
---|
495 | typedef struct RTCRPKCS7DIGESTINFO
|
---|
496 | {
|
---|
497 | /** Sequence core. */
|
---|
498 | RTASN1SEQUENCECORE SeqCore;
|
---|
499 | /** The digest algorithm use to digest the signed content. */
|
---|
500 | RTCRX509ALGORITHMIDENTIFIER DigestAlgorithm;
|
---|
501 | /** The digest. */
|
---|
502 | RTASN1OCTETSTRING Digest;
|
---|
503 | } RTCRPKCS7DIGESTINFO;
|
---|
504 | /** Pointer to the IPRT representation of a PKCS \#7 DigestInfo object. */
|
---|
505 | typedef RTCRPKCS7DIGESTINFO *PRTCRPKCS7DIGESTINFO;
|
---|
506 | /** Pointer to the const IPRT representation of a PKCS \#7 DigestInfo object. */
|
---|
507 | typedef RTCRPKCS7DIGESTINFO const *PCRTCRPKCS7DIGESTINFO;
|
---|
508 | RTASN1TYPE_STANDARD_PROTOTYPES(RTCRPKCS7DIGESTINFO, RTDECL, RTCrPkcs7DigestInfo, SeqCore.Asn1Core);
|
---|
509 |
|
---|
510 |
|
---|
511 | /**
|
---|
512 | * Callback function for use with RTCrPkcs7VerifySignedData.
|
---|
513 | *
|
---|
514 | * @returns IPRT status code.
|
---|
515 | * @param pCert The certificate to verify.
|
---|
516 | * @param hCertPaths Unless the certificate is trusted directly, this
|
---|
517 | * is a reference to the certificate path builder
|
---|
518 | * and verifier instance that we used to establish
|
---|
519 | * at least valid trusted path to @a pCert. The
|
---|
520 | * callback can use this to enforce additional
|
---|
521 | * certificate lineage requirements, effective
|
---|
522 | * policy checks and whatnot.
|
---|
523 | * This is NIL_RTCRX509CERTPATHS if the certificate
|
---|
524 | * is directly trusted.
|
---|
525 | * @param fFlags Mix of the RTCRPKCS7VCC_F_XXX flags.
|
---|
526 | * @param pvUser The user argument.
|
---|
527 | * @param pErrInfo Optional error info buffer.
|
---|
528 | */
|
---|
529 | typedef DECLCALLBACKTYPE(int, FNRTCRPKCS7VERIFYCERTCALLBACK,(PCRTCRX509CERTIFICATE pCert, RTCRX509CERTPATHS hCertPaths,
|
---|
530 | uint32_t fFlags, void *pvUser, PRTERRINFO pErrInfo));
|
---|
531 | /** Pointer to a FNRTCRPKCS7VERIFYCERTCALLBACK callback. */
|
---|
532 | typedef FNRTCRPKCS7VERIFYCERTCALLBACK *PFNRTCRPKCS7VERIFYCERTCALLBACK;
|
---|
533 |
|
---|
534 | /** @name RTCRPKCS7VCC_F_XXX - Flags for FNRTCRPKCS7VERIFYCERTCALLBACK.
|
---|
535 | * @{ */
|
---|
536 | /** Normal callback for a direct signatory of the signed data. */
|
---|
537 | #define RTCRPKCS7VCC_F_SIGNED_DATA RT_BIT_32(0)
|
---|
538 | /** Check that the signatory can be trusted for timestamps. */
|
---|
539 | #define RTCRPKCS7VCC_F_TIMESTAMP RT_BIT_32(1)
|
---|
540 | /** @} */
|
---|
541 |
|
---|
542 | /**
|
---|
543 | * @callback_method_impl{FNRTCRPKCS7VERIFYCERTCALLBACK,
|
---|
544 | * Default implementation that checks for the DigitalSignature KeyUsage bit.}
|
---|
545 | */
|
---|
546 | RTDECL(int) RTCrPkcs7VerifyCertCallbackDefault(PCRTCRX509CERTIFICATE pCert, RTCRX509CERTPATHS hCertPaths, uint32_t fFlags,
|
---|
547 | void *pvUser, PRTERRINFO pErrInfo);
|
---|
548 |
|
---|
549 | /**
|
---|
550 | * @callback_method_impl{FNRTCRPKCS7VERIFYCERTCALLBACK,
|
---|
551 | * Standard code signing. Use this for Microsoft SPC.}
|
---|
552 | */
|
---|
553 | RTDECL(int) RTCrPkcs7VerifyCertCallbackCodeSigning(PCRTCRX509CERTIFICATE pCert, RTCRX509CERTPATHS hCertPaths, uint32_t fFlags,
|
---|
554 | void *pvUser, PRTERRINFO pErrInfo);
|
---|
555 |
|
---|
556 | /**
|
---|
557 | * Verifies PKCS \#7 SignedData.
|
---|
558 | *
|
---|
559 | * For compatability with alternative crypto providers, the user must work on
|
---|
560 | * the top level PKCS \#7 structure instead directly on the SignedData.
|
---|
561 | *
|
---|
562 | * @returns IPRT status code.
|
---|
563 | * @param pContentInfo PKCS \#7 content info structure.
|
---|
564 | * @param fFlags RTCRPKCS7VERIFY_SD_F_XXX.
|
---|
565 | * @param hAdditionalCerts Store containing additional certificates to
|
---|
566 | * supplement those mentioned in the signed data.
|
---|
567 | * @param hTrustedCerts Store containing trusted certificates.
|
---|
568 | * @param pValidationTime The time we're supposed to validate the
|
---|
569 | * certificates chains at. Ignored for signatures
|
---|
570 | * with valid signing time attributes.
|
---|
571 | * When RTCRPKCS7VERIFY_SD_F_UPDATE_VALIDATION_TIME
|
---|
572 | * is set, this is updated to the actual validation
|
---|
573 | * time used.
|
---|
574 | * @param pfnVerifyCert Callback for checking that a certificate used
|
---|
575 | * for signing the data is suitable.
|
---|
576 | * @param pvUser User argument for the callback.
|
---|
577 | * @param pErrInfo Optional error info buffer.
|
---|
578 | * @sa RTCrPkcs7VerifySignedDataWithExternalData
|
---|
579 | */
|
---|
580 | RTDECL(int) RTCrPkcs7VerifySignedData(PCRTCRPKCS7CONTENTINFO pContentInfo, uint32_t fFlags,
|
---|
581 | RTCRSTORE hAdditionalCerts, RTCRSTORE hTrustedCerts,
|
---|
582 | PCRTTIMESPEC pValidationTime, PFNRTCRPKCS7VERIFYCERTCALLBACK pfnVerifyCert, void *pvUser,
|
---|
583 | PRTERRINFO pErrInfo);
|
---|
584 |
|
---|
585 |
|
---|
586 | /**
|
---|
587 | * Verifies PKCS \#7 SignedData with external data.
|
---|
588 | *
|
---|
589 | * For compatability with alternative crypto providers, the user must work on
|
---|
590 | * the top level PKCS \#7 structure instead directly on the SignedData.
|
---|
591 | *
|
---|
592 | * @returns IPRT status code.
|
---|
593 | * @param pContentInfo PKCS \#7 content info structure.
|
---|
594 | * @param fFlags RTCRPKCS7VERIFY_SD_F_XXX.
|
---|
595 | * @param hAdditionalCerts Store containing additional certificates to
|
---|
596 | * supplement those mentioned in the signed data.
|
---|
597 | * @param hTrustedCerts Store containing trusted certificates.
|
---|
598 | * @param pValidationTime The time we're supposed to validate the
|
---|
599 | * certificates chains at. Ignored for signatures
|
---|
600 | * with valid signing time attributes.
|
---|
601 | * When RTCRPKCS7VERIFY_SD_F_UPDATE_VALIDATION_TIME
|
---|
602 | * is set, this is updated to the actual validation
|
---|
603 | * time used.
|
---|
604 | * @param pfnVerifyCert Callback for checking that a certificate used
|
---|
605 | * for signing the data is suitable.
|
---|
606 | * @param pvUser User argument for the callback.
|
---|
607 | * @param pvData The signed external data.
|
---|
608 | * @param cbData The size of the signed external data.
|
---|
609 | * @param pErrInfo Optional error info buffer.
|
---|
610 | * @sa RTCrPkcs7VerifySignedData
|
---|
611 | */
|
---|
612 | RTDECL(int) RTCrPkcs7VerifySignedDataWithExternalData(PCRTCRPKCS7CONTENTINFO pContentInfo, uint32_t fFlags,
|
---|
613 | RTCRSTORE hAdditionalCerts, RTCRSTORE hTrustedCerts,
|
---|
614 | PCRTTIMESPEC pValidationTime,
|
---|
615 | PFNRTCRPKCS7VERIFYCERTCALLBACK pfnVerifyCert, void *pvUser,
|
---|
616 | void const *pvData, size_t cbData, PRTERRINFO pErrInfo);
|
---|
617 |
|
---|
618 | /** @name RTCRPKCS7VERIFY_SD_F_XXX - Flags for RTCrPkcs7VerifySignedData and
|
---|
619 | * RTCrPkcs7VerifySignedDataWithExternalData
|
---|
620 | * @{ */
|
---|
621 | /** Always use the signing time attribute if present, requiring it to be
|
---|
622 | * verified as valid. The default behavior is to ignore unverifiable
|
---|
623 | * signing time attributes and use the @a pValidationTime instead. */
|
---|
624 | #define RTCRPKCS7VERIFY_SD_F_ALWAYS_USE_SIGNING_TIME_IF_PRESENT RT_BIT_32(0)
|
---|
625 | /** Same as RTCRPKCS7VERIFY_SD_F_ALWAYS_USE_SIGNING_TIME_IF_PRESENT for the MS
|
---|
626 | * timestamp counter signatures. */
|
---|
627 | #define RTCRPKCS7VERIFY_SD_F_ALWAYS_USE_MS_TIMESTAMP_IF_PRESENT RT_BIT_32(1)
|
---|
628 | /** Only use signing time attributes from counter signatures. */
|
---|
629 | #define RTCRPKCS7VERIFY_SD_F_COUNTER_SIGNATURE_SIGNING_TIME_ONLY RT_BIT_32(2)
|
---|
630 | /** Don't validate the counter signature containing the signing time, just use
|
---|
631 | * it unverified. This is useful if we don't necessarily have the root
|
---|
632 | * certificates for the timestamp server handy, but use with great care.
|
---|
633 | * @sa RTCRPKCS7VERIFY_SD_F_USE_MS_TIMESTAMP_UNVERIFIED */
|
---|
634 | #define RTCRPKCS7VERIFY_SD_F_USE_SIGNING_TIME_UNVERIFIED RT_BIT_32(3)
|
---|
635 | /** Don't validate the MS counter signature containing the signing timestamp.
|
---|
636 | * @sa RTCRPKCS7VERIFY_SD_F_USE_SIGNING_TIME_UNVERIFIED */
|
---|
637 | #define RTCRPKCS7VERIFY_SD_F_USE_MS_TIMESTAMP_UNVERIFIED RT_BIT_32(4)
|
---|
638 | /** Do not consider timestamps in microsoft counter signatures. */
|
---|
639 | #define RTCRPKCS7VERIFY_SD_F_IGNORE_MS_TIMESTAMP RT_BIT_32(5)
|
---|
640 | /** The signed data requires certificates to have the timestamp extended
|
---|
641 | * usage bit present. This is used for recursivly verifying MS timestamp
|
---|
642 | * signatures. */
|
---|
643 | #define RTCRPKCS7VERIFY_SD_F_USAGE_TIMESTAMPING RT_BIT_32(6)
|
---|
644 | /** Skip the verification of the certificate trust paths, taking all
|
---|
645 | * certificates to be trustworthy. */
|
---|
646 | #define RTCRPKCS7VERIFY_SD_F_TRUST_ALL_CERTS RT_BIT_32(7)
|
---|
647 | /** Update @a pValidationTime with the actual validation time used.
|
---|
648 | * This requires RTCRPKCS7VERIFY_SD_F_HAS_SIGNER_INDEX to get a consistent
|
---|
649 | * result. And yeah, it unconst the parameter, which is patently ugly. */
|
---|
650 | #define RTCRPKCS7VERIFY_SD_F_UPDATE_VALIDATION_TIME RT_BIT_32(8)
|
---|
651 | /** Check trust anchors (@sa RTCrX509CertPathsSetTrustAnchorChecks). */
|
---|
652 | #define RTCRPKCS7VERIFY_SD_F_CHECK_TRUST_ANCHORS RT_BIT_32(9)
|
---|
653 |
|
---|
654 | /** This can be used to only verify one given signer info.
|
---|
655 | * Max index value is 15. */
|
---|
656 | #define RTCRPKCS7VERIFY_SD_F_SIGNER_INDEX(a_idxSignerInfo) \
|
---|
657 | ( RTCRPKCS7VERIFY_SD_F_HAS_SIGNER_INDEX \
|
---|
658 | | (((a_idxSignerInfo) & RTCRPKCS7VERIFY_SD_F_SIGNER_INDEX_MAX) << RTCRPKCS7VERIFY_SD_F_SIGNER_INDEX_SHIFT) )
|
---|
659 | /** Has a valid value in RTCRPKCS7VERIFY_SD_F_SIGNER_INDEX_MASK. */
|
---|
660 | #define RTCRPKCS7VERIFY_SD_F_HAS_SIGNER_INDEX RT_BIT_32(23)
|
---|
661 | /** Signer index shift value. */
|
---|
662 | #define RTCRPKCS7VERIFY_SD_F_SIGNER_INDEX_SHIFT 24
|
---|
663 | /** Signer index mask. */
|
---|
664 | #define RTCRPKCS7VERIFY_SD_F_SIGNER_INDEX_MASK UINT32_C(0x0f000000)
|
---|
665 | /** Max signer index value (inclusive). */
|
---|
666 | #define RTCRPKCS7VERIFY_SD_F_SIGNER_INDEX_MAX \
|
---|
667 | (RTCRPKCS7VERIFY_SD_F_SIGNER_INDEX_MASK >> RTCRPKCS7VERIFY_SD_F_SIGNER_INDEX_SHIFT)
|
---|
668 |
|
---|
669 | /** Indicates internally that we're validating a counter signature and should
|
---|
670 | * use different rules when checking out the authenticated attributes.
|
---|
671 | * @internal */
|
---|
672 | #define RTCRPKCS7VERIFY_SD_F_COUNTER_SIGNATURE RT_BIT_32(31)
|
---|
673 | /** @} */
|
---|
674 |
|
---|
675 |
|
---|
676 | RTDECL(int) RTCrPkcs7SimpleSignSignedData(uint32_t fFlags, PCRTCRX509CERTIFICATE pSigner, RTCRKEY hPrivateKey,
|
---|
677 | void const *pvData, size_t cbData, RTDIGESTTYPE enmDigestType,
|
---|
678 | RTCRSTORE hAdditionalCerts, PCRTCRPKCS7ATTRIBUTES pAdditionalAuthenticatedAttribs,
|
---|
679 | void *pvResult, size_t *pcbResult, PRTERRINFO pErrInfo);
|
---|
680 |
|
---|
681 | /** @name RTCRPKCS7SIGN_SD_F_XXX - Flags for RTCrPkcs7SimpleSign.
|
---|
682 | * @{ */
|
---|
683 | /** Detached data. */
|
---|
684 | #define RTCRPKCS7SIGN_SD_F_DEATCHED RT_BIT_32(0)
|
---|
685 | /** No SMIME capabilities attribute. */
|
---|
686 | #define RTCRPKCS7SIGN_SD_F_NO_SMIME_CAP RT_BIT_32(1)
|
---|
687 | /** Produce version 1 output (PKCS\#7), rather than version 3 (CMS). */
|
---|
688 | #define RTCRPKCS7SIGN_SD_F_USE_V1 RT_BIT_32(2)
|
---|
689 | /** Avoid extra OCTET STRING encapsulation around the data blob.
|
---|
690 | * This is needed for Authenticode signatures. This requires that the
|
---|
691 | * content type is supplied via the additional authenticated attributes.
|
---|
692 | * @note Currently only works with RTCRPKCS7SIGN_SD_F_USE_V1. */
|
---|
693 | #define RTCRPKCS7SIGN_SD_F_NO_DATA_ENCAP RT_BIT_32(3)
|
---|
694 | /** Valid flag mask. */
|
---|
695 | #define RTCRPKCS7SIGN_SD_F_VALID_MASK UINT32_C(0x0000000f)
|
---|
696 | /** @} */
|
---|
697 |
|
---|
698 | /** @} */
|
---|
699 |
|
---|
700 | RT_C_DECLS_END
|
---|
701 |
|
---|
702 | #endif /* !IPRT_INCLUDED_crypto_pkcs7_h */
|
---|
703 |
|
---|