/* Copyright (c) 2014, Google Inc.
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
* SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
#ifndef OPENSSL_HEADER_PKCS7_H
#define OPENSSL_HEADER_PKCS7_H
#include <openssl/base.h>
#include <openssl/stack.h>
#if defined(__cplusplus)
extern "C" {
#endif
// PKCS#7.
//
// This library contains functions for extracting information from PKCS#7
// structures (RFC 2315). The functions below parse and serialize these
// structures; none of them verifies a signature, so anything extracted is as
// untrusted as the input it came from.
DECLARE_STACK_OF(CRYPTO_BUFFER)
DECLARE_STACK_OF(X509)
DECLARE_STACK_OF(X509_CRL)
// PKCS7_get_raw_certificates parses a PKCS#7, SignedData structure from |cbs|
// and appends the included certificates to |out_certs|. It returns one on
// success and zero on error. |cbs| is advanced past the structure.
//
// Note that a SignedData structure may contain no certificates, in which case
// this function succeeds but does not append any certificates.
OPENSSL_EXPORT int PKCS7_get_raw_certificates(
STACK_OF(CRYPTO_BUFFER) *out_certs, CBS *cbs, CRYPTO_BUFFER_POOL *pool);
// PKCS7_get_certificates behaves like |PKCS7_get_raw_certificates| but parses
// them into |X509| objects.
OPENSSL_EXPORT int PKCS7_get_certificates(STACK_OF(X509) *out_certs, CBS *cbs);
// PKCS7_bundle_certificates appends a PKCS#7, SignedData structure containing
// |certs| to |out|. It returns one on success and zero on error.
OPENSSL_EXPORT int PKCS7_bundle_certificates(
CBB *out, const STACK_OF(X509) *certs);
// PKCS7_get_CRLs parses a PKCS#7, SignedData structure from |cbs| and appends
// the included CRLs to |out_crls|. It returns one on success and zero on error.
// |cbs| is advanced past the structure.
//
// Note that a SignedData structure may contain no CRLs, in which case this
// function succeeds but does not append any CRLs.
OPENSSL_EXPORT int PKCS7_get_CRLs(STACK_OF(X509_CRL) *out_crls, CBS *cbs);
// PKCS7_bundle_CRLs appends a PKCS#7, SignedData structure containing
// |crls| to |out|. It returns one on success and zero on error.
OPENSSL_EXPORT int PKCS7_bundle_CRLs(CBB *out, const STACK_OF(X509_CRL) *crls);
// PKCS7_get_PEM_certificates reads a PEM-encoded, PKCS#7, SignedData structure
// from |pem_bio| and appends the included certificates to |out_certs|. It
// returns one on success and zero on error.
//
// Note that a SignedData structure may contain no certificates, in which case
// this function succeeds but does not append any certificates.
OPENSSL_EXPORT int PKCS7_get_PEM_certificates(STACK_OF(X509) *out_certs,
BIO *pem_bio);
// PKCS7_get_PEM_CRLs reads a PEM-encoded, PKCS#7, SignedData structure from
// |pem_bio| and appends the included CRLs to |out_crls|. It returns one on
// success and zero on error.
//
// Note that a SignedData structure may contain no CRLs, in which case this
// function succeeds but does not append any CRLs.
OPENSSL_EXPORT int PKCS7_get_PEM_CRLs(STACK_OF(X509_CRL) *out_crls,
BIO *pem_bio);
// Deprecated functions.
//
// These functions are a compatibility layer over a subset of OpenSSL's PKCS#7
// API. They intentionally do not implement the whole thing, only the minimum
// needed to build cryptography.io.
// PKCS7_SIGNED is the compatibility-layer stand-in for OpenSSL's PKCS7_SIGNED.
// Only the certificate and CRL stacks are carried; the rest of OpenSSL's
// structure is intentionally not modelled.
typedef struct {
  STACK_OF(X509) *cert;
  STACK_OF(X509_CRL) *crl;
} PKCS7_SIGNED;
// PKCS7_SIGN_ENVELOPE is the compatibility-layer stand-in for OpenSSL's
// PKCS7_SIGN_ENVELOPE. It carries the same two stacks as |PKCS7_SIGNED| and
// nothing else.
typedef struct {
  STACK_OF(X509) *cert;
  STACK_OF(X509_CRL) *crl;
} PKCS7_SIGN_ENVELOPE;
typedef void PKCS7_ENVELOPE;
typedef void PKCS7_DIGEST;
typedef void PKCS7_ENCRYPT;
// PKCS7 is the compatibility-layer counterpart of OpenSSL's PKCS7. In addition
// to the parsed fields it carries a BER buffer (|ber_bytes|, |ber_len|).
typedef struct {
  // |ber_bytes| holds |ber_len| bytes of BER. Presumably this is the encoding
  // consumed by |d2i_PKCS7| and copied back out by |i2d_PKCS7| — confirm
  // against the implementation.
  uint8_t *ber_bytes;
  size_t ber_len;

  // Unlike OpenSSL, the following fields are immutable. They are filled in when
  // the object is parsed and ignored in serialization.
  ASN1_OBJECT *type;
  // Only signed data ContentInfos are supported (see |PKCS7_type_is_signed|
  // below), so |sign| is the arm expected to be populated; the remaining arms
  // exist for source compatibility with OpenSSL.
  union {
    char *ptr;
    ASN1_OCTET_STRING *data;
    PKCS7_SIGNED *sign;
    PKCS7_ENVELOPE *enveloped;
    PKCS7_SIGN_ENVELOPE *signed_and_enveloped;
    PKCS7_DIGEST *digest;
    PKCS7_ENCRYPT *encrypted;
    ASN1_TYPE *other;
  } d;
} PKCS7;
// d2i_PKCS7 parses a BER-encoded, PKCS#7 signed data ContentInfo structure from
// |len| bytes at |*inp|. If |out| is not NULL then, on exit, a pointer to the
// result is in |*out|. Note that, even if |*out| is already non-NULL on entry,
// it will not be written to. Rather, a fresh |PKCS7| is allocated and the
// previous one is freed. On successful exit, |*inp| is advanced past the BER
// structure. It returns the result or NULL on error.
OPENSSL_EXPORT PKCS7 *d2i_PKCS7(PKCS7 **out, const uint8_t **inp,
size_t len);
// d2i_PKCS7_bio behaves like |d2i_PKCS7| but reads the input from |bio|. If
// the length of the object is indefinite the full contents of |bio| are read.
//
// If the function fails then some unknown amount of data may have been read
// from |bio|.
OPENSSL_EXPORT PKCS7 *d2i_PKCS7_bio(BIO *bio, PKCS7 **out);
// i2d_PKCS7 is a dummy function which copies the contents of |p7|. If |out| is
// not NULL then the result is written to |*out| and |*out| is advanced just
// past the output. It returns the number of bytes in the result, whether
// written or not, or a negative value on error.
OPENSSL_EXPORT int i2d_PKCS7(const PKCS7 *p7, uint8_t **out);
// i2d_PKCS7_bio writes |p7| to |bio|. It returns one on success and zero on
// error.
OPENSSL_EXPORT int i2d_PKCS7_bio(BIO *bio, const PKCS7 *p7);
// PKCS7_free releases memory associated with |p7|.
OPENSSL_EXPORT void PKCS7_free(PKCS7 *p7);
// PKCS7_type_is_data returns zero.
OPENSSL_EXPORT int PKCS7_type_is_data(const PKCS7 *p7);
// PKCS7_type_is_digest returns zero.
OPENSSL_EXPORT int PKCS7_type_is_digest(const PKCS7 *p7);
// PKCS7_type_is_encrypted returns zero.
OPENSSL_EXPORT int PKCS7_type_is_encrypted(const PKCS7 *p7);
// PKCS7_type_is_enveloped returns zero.
OPENSSL_EXPORT int PKCS7_type_is_enveloped(const PKCS7 *p7);
// PKCS7_type_is_signed returns one. (We only support signed data
// ContentInfos.)
OPENSSL_EXPORT int PKCS7_type_is_signed(const PKCS7 *p7);
// PKCS7_type_is_signedAndEnveloped returns zero.
OPENSSL_EXPORT int PKCS7_type_is_signedAndEnveloped(const PKCS7 *p7);
// PKCS7_DETACHED indicates that the PKCS#7 file specifies its data externally.
#define PKCS7_DETACHED 0x40
// The following flags cause |PKCS7_sign| to fail.
#define PKCS7_TEXT 0x1
#define PKCS7_NOCERTS 0x2
#define PKCS7_NOSIGS 0x4
#define PKCS7_NOCHAIN 0x8
#define PKCS7_NOINTERN 0x10
#define PKCS7_NOVERIFY 0x20
#define PKCS7_BINARY 0x80
#define PKCS7_NOATTR 0x100
#define PKCS7_NOSMIMECAP 0x200
#define PKCS7_STREAM 0x1000
// PKCS7_sign assembles |certs| into a PKCS#7 signed data ContentInfo with
// external data and no signatures. It returns a newly-allocated |PKCS7| on
// success or NULL on error. |sign_cert| and |pkey| must be NULL. |data| is
// ignored. |flags| must be equal to |PKCS7_DETACHED|.
//
// Note this function only implements a subset of the corresponding OpenSSL
// function. It is provided for backwards compatibility only.
OPENSSL_EXPORT PKCS7 *PKCS7_sign(X509 *sign_cert, EVP_PKEY *pkey,
STACK_OF(X509) *certs, BIO *data, int flags);
#if defined(__cplusplus)
} // extern C
extern "C++" {
BSSL_NAMESPACE_BEGIN
BORINGSSL_MAKE_DELETER(PKCS7, PKCS7_free)
BSSL_NAMESPACE_END
} // extern C++
#endif
#define PKCS7_R_BAD_PKCS7_VERSION 100
#define PKCS7_R_NOT_PKCS7_SIGNED_DATA 101
#define PKCS7_R_NO_CERTIFICATES_INCLUDED 102
#define PKCS7_R_NO_CRLS_INCLUDED 103
#endif // OPENSSL_HEADER_PKCS7_H