VirtualBox

source: vbox/trunk/include/iprt/crypto/pkcs7.h@ 69105

Last change on this file since 69105 was 69105, checked in by vboxsync, 7 years ago

include/iprt/: (C) year

  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
File size: 24.3 KB
Line 
1/** @file
2 * IPRT - PKCS \#7, Cryptographic Message Syntax Standard (aka CMS).
3 */
4
5/*
6 * Copyright (C) 2006-2017 Oracle Corporation
7 *
8 * This file is part of VirtualBox Open Source Edition (OSE), as
9 * available from http://www.virtualbox.org. This file is free software;
10 * you can redistribute it and/or modify it under the terms of the GNU
11 * General Public License (GPL) as published by the Free Software
12 * Foundation, in version 2 as it comes in the "COPYING" file of the
13 * VirtualBox OSE distribution. VirtualBox OSE is distributed in the
14 * hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
15 *
16 * The contents of this file may alternatively be used under the terms
17 * of the Common Development and Distribution License Version 1.0
18 * (CDDL) only, as it comes in the "COPYING.CDDL" file of the
19 * VirtualBox OSE distribution, in which case the provisions of the
20 * CDDL are applicable instead of those of the GPL.
21 *
22 * You may elect to license modified versions of this file under the
23 * terms and conditions of either the GPL or the CDDL or both.
24 */
25
26#ifndef ___iprt_crypto_pkcs7_h
27#define ___iprt_crypto_pkcs7_h
28
29#include <iprt/asn1.h>
30#include <iprt/crypto/x509.h>
31
32
33RT_C_DECLS_BEGIN
34
35struct RTCRPKCS7CONTENTINFO;
36
37
38/** @defgroup grp_rt_crpkcs7 RTCrPkcs7 - PKCS \#7, Cryptographic Message Syntax Standard (aka CMS).
39 * @ingroup grp_rt_crypto
40 * @{
41 */
42
43
44/**
45 * PKCS \#7 IssuerAndSerialNumber (IPRT representation).
46 */
47typedef struct RTCRPKCS7ISSUERANDSERIALNUMBER
48{
49 /** Sequence core. */
50 RTASN1SEQUENCECORE SeqCore;
51 /** The certificate name. */
52 RTCRX509NAME Name;
53 /** The certificate serial number. */
54 RTASN1INTEGER SerialNumber;
55} RTCRPKCS7ISSUERANDSERIALNUMBER;
56/** Pointer to the IPRT representation of a PKCS \#7 IssuerAndSerialNumber. */
57typedef RTCRPKCS7ISSUERANDSERIALNUMBER *PRTCRPKCS7ISSUERANDSERIALNUMBER;
58/** Pointer to the const IPRT representation of a PKCS \#7
59 * IssuerAndSerialNumber. */
60typedef RTCRPKCS7ISSUERANDSERIALNUMBER const *PCRTCRPKCS7ISSUERANDSERIALNUMBER;
61RTASN1TYPE_STANDARD_PROTOTYPES(RTCRPKCS7ISSUERANDSERIALNUMBER, RTDECL, RTCrPkcs7IssuerAndSerialNumber, SeqCore.Asn1Core);
62
63
64/** Pointer to the IPRT representation of a PKCS \#7 SignerInfo. */
65typedef struct RTCRPKCS7SIGNERINFO *PRTCRPKCS7SIGNERINFO;
66/** Pointer to the const IPRT representation of a PKCS \#7 SignerInfo. */
67typedef struct RTCRPKCS7SIGNERINFO const *PCRTCRPKCS7SIGNERINFO;
68RTASN1_IMPL_GEN_SET_OF_TYPEDEFS_AND_PROTOS(RTCRPKCS7SIGNERINFOS, RTCRPKCS7SIGNERINFO, RTDECL, RTCrPkcs7SignerInfos);
69
70
71/**
72 * Attribute value type (for the union).
73 */
74typedef enum RTCRPKCS7ATTRIBUTETYPE
75{
76 /** Zero is invalid. */
77 RTCRPKCS7ATTRIBUTETYPE_INVALID = 0,
78 /** Not present, union is NULL. */
79 RTCRPKCS7ATTRIBUTETYPE_NOT_PRESENT,
80 /** Unknown values, pCores. */
81 RTCRPKCS7ATTRIBUTETYPE_UNKNOWN,
82 /** Object IDs, use pObjIds. */
83 RTCRPKCS7ATTRIBUTETYPE_OBJ_IDS,
84 /** Octet strings, use pOctetStrings. */
85 RTCRPKCS7ATTRIBUTETYPE_OCTET_STRINGS,
86 /** Counter signatures (PKCS \#9), use pCounterSignatures. */
87 RTCRPKCS7ATTRIBUTETYPE_COUNTER_SIGNATURES,
88 /** Signing time (PKCS \#9), use pSigningTime. */
89 RTCRPKCS7ATTRIBUTETYPE_SIGNING_TIME,
90 /** Microsoft timestamp info (RFC-3161) signed data, use pContentInfo. */
91 RTCRPKCS7ATTRIBUTETYPE_MS_TIMESTAMP,
92 /** Microsoft nested PKCS\#7 signature (signtool /as). */
93 RTCRPKCS7ATTRIBUTETYPE_MS_NESTED_SIGNATURE,
94 /** Microsoft statement type, use pObjIdSeqs. */
95 RTCRPKCS7ATTRIBUTETYPE_MS_STATEMENT_TYPE,
96 /** Blow the type up to 32-bits. */
97 RTCRPKCS7ATTRIBUTETYPE_32BIT_HACK = 0x7fffffff
98} RTCRPKCS7ATTRIBUTETYPE;
99
100/**
101 * PKCS \#7 Attribute (IPRT representation).
102 */
103typedef struct RTCRPKCS7ATTRIBUTE
104{
105 /** Sequence core. */
106 RTASN1SEQUENCECORE SeqCore;
107 /** The attribute type (object ID). */
108 RTASN1OBJID Type;
109 /** The type of data found in the values union. */
110 RTCRPKCS7ATTRIBUTETYPE enmType;
111 /** Value allocation. */
112 RTASN1ALLOCATION Allocation;
113 /** Values. */
114 union
115 {
116 /** ASN.1 cores (RTCRPKCS7ATTRIBUTETYPE_UNKNOWN). */
117 PRTASN1SETOFCORES pCores;
118 /** ASN.1 object identifiers (RTCRPKCS7ATTRIBUTETYPE_OBJ_IDS). */
119 PRTASN1SETOFOBJIDS pObjIds;
120 /** Sequence of ASN.1 object identifiers (RTCRPKCS7ATTRIBUTETYPE_MS_STATEMENT_TYPE). */
121 PRTASN1SETOFOBJIDSEQS pObjIdSeqs;
122 /** ASN.1 octet strings (RTCRPKCS7ATTRIBUTETYPE_OCTET_STRINGS). */
123 PRTASN1SETOFOCTETSTRINGS pOctetStrings;
124 /** Counter signatures RTCRPKCS7ATTRIBUTETYPE_COUNTER_SIGNATURES(). */
125 PRTCRPKCS7SIGNERINFOS pCounterSignatures;
126 /** Signing time(s) (RTCRPKCS7ATTRIBUTETYPE_SIGNING_TIME). */
127 PRTASN1SETOFTIMES pSigningTime;
128 /** Microsoft timestamp (RFC-3161 signed data, RTCRPKCS7ATTRIBUTETYPE_MS_TIMESTAMP),
129 * Microsoft nested signature (RTCRPKCS7ATTRIBUTETYPE_MS_NESTED_SIGNATURE). */
130 struct RTCRPKCS7SETOFCONTENTINFOS *pContentInfos;
131 } uValues;
132} RTCRPKCS7ATTRIBUTE;
133/** Pointer to the IPRT representation of a PKCS \#7 Attribute. */
134typedef RTCRPKCS7ATTRIBUTE *PRTCRPKCS7ATTRIBUTE;
135/** Pointer to the const IPRT representation of a PKCS \#7 Attribute. */
136typedef RTCRPKCS7ATTRIBUTE const *PCRTCRPKCS7ATTRIBUTE;
137RTASN1TYPE_STANDARD_PROTOTYPES(RTCRPKCS7ATTRIBUTE, RTDECL, RTCrPkcs7Attribute, SeqCore.Asn1Core);
138
139RTASN1_IMPL_GEN_SET_OF_TYPEDEFS_AND_PROTOS(RTCRPKCS7ATTRIBUTES, RTCRPKCS7ATTRIBUTE, RTDECL, RTCrPkcs7Attributes);
140
141
142/**
143 * One PKCS \#7 SignerInfo (IPRT representation).
144 */
145typedef struct RTCRPKCS7SIGNERINFO
146{
147 /** Sequence core. */
148 RTASN1SEQUENCECORE SeqCore;
149 /** The structure version (RTCRPKCS7SIGNERINFO_V1). */
150 RTASN1INTEGER Version;
151 /** The issuer and serial number of the certificate used to produce the
152 * encrypted digest below. */
153 RTCRPKCS7ISSUERANDSERIALNUMBER IssuerAndSerialNumber;
154 /** The digest algorithm use to digest the signed content. */
155 RTCRX509ALGORITHMIDENTIFIER DigestAlgorithm;
156 /** Authenticated attributes, optional [0].
157 * @todo Check how other producers formats this. The microsoft one does not
158 * have explicit tags, but combines it with the SET OF. */
159 RTCRPKCS7ATTRIBUTES AuthenticatedAttributes;
160 /** The digest encryption algorithm use to encrypt the digest of the signed
161 * content. */
162 RTCRX509ALGORITHMIDENTIFIER DigestEncryptionAlgorithm;
163 /** The encrypted digest. */
164 RTASN1OCTETSTRING EncryptedDigest;
165 /** Unauthenticated attributes, optional [1].
166 * @todo Check how other producers formats this. The microsoft one does not
167 * have explicit tags, but combines it with the SET OF. */
168 RTCRPKCS7ATTRIBUTES UnauthenticatedAttributes;
169} RTCRPKCS7SIGNERINFO;
170RTASN1TYPE_STANDARD_PROTOTYPES(RTCRPKCS7SIGNERINFO, RTDECL, RTCrPkcs7SignerInfo, SeqCore.Asn1Core);
171
172/** RTCRPKCS7SIGNERINFO::Version value. */
173#define RTCRPKCS7SIGNERINFO_V1 1
174
175/** @name PKCS \#9 Attribute IDs
176 * @{ */
177/** Content type (RFC-2630 11.1).
178 * Value: Object Identifier */
179#define RTCR_PKCS9_ID_CONTENT_TYPE_OID "1.2.840.113549.1.9.3"
180/** Message digest (RFC-2630 11.2).
181 * Value: Octet string. */
182#define RTCR_PKCS9_ID_MESSAGE_DIGEST_OID "1.2.840.113549.1.9.4"
183/** Signing time (RFC-2630 11.3).
184 * Value: Octet string. */
185#define RTCR_PKCS9_ID_SIGNING_TIME_OID "1.2.840.113549.1.9.5"
186/** Counter signature (RFC-2630 11.4).
187 * Value: SignerInfo. */
188#define RTCR_PKCS9_ID_COUNTER_SIGNATURE_OID "1.2.840.113549.1.9.6"
189/** Microsoft timestamp (RTF-3161) counter signature (SignedData).
190 * @remarks This isn't defined by PKCS \#9, but lumped in here for convenience. It's actually listed as SPC by MS. */
191#define RTCR_PKCS9_ID_MS_TIMESTAMP "1.3.6.1.4.1.311.3.3.1"
192/** Microsoft nested PKCS\#7 signature.
193 * @remarks This isn't defined by PKCS \#9, but lumped in here for convenience. */
194#define RTCR_PKCS9_ID_MS_NESTED_SIGNATURE "1.3.6.1.4.1.311.2.4.1"
195/** Microsoft statement type.
196 * @remarks This isn't defined by PKCS \#9, but lumped in here for convenience. It's actually listed as SPC by MS. */
197#define RTCR_PKCS9_ID_MS_STATEMENT_TYPE "1.3.6.1.4.1.311.2.1.11"
198/** Microsoft opus info.
199 * @remarks This isn't defined by PKCS \#9, but lumped in here for convenience. It's actually listed as SPC by MS. */
200#define RTCR_PKCS9_ID_MS_SP_OPUS_INFO "1.3.6.1.4.1.311.2.1.12"
201/** @} */
202
203
204/**
205 * Get the (next) signing time attribute from the specfied SignerInfo or one of
206 * the immediate counter signatures.
207 *
208 * @returns Pointer to the signing time if found, NULL if not.
209 * @param pThis The SignerInfo to search.
210 * @param ppSignerInfo Pointer to variable keeping track of the
211 * enumeration, optional.
212 *
213 * If specified the input value is taken to the be
214 * SignerInfo of the previously returned signing
215 * time. The value pointed to is NULL, the
216 * search/enum restarts.
217 *
218 * On successful return this is set to the
219 * SignerInfo which we found the signing time in.
220 */
221RTDECL(PCRTASN1TIME) RTCrPkcs7SignerInfo_GetSigningTime(PCRTCRPKCS7SIGNERINFO pThis, PCRTCRPKCS7SIGNERINFO *ppSignerInfo);
222
223
224/**
225 * Get the (first) timestamp from within a Microsoft timestamp server counter
226 * signature.
227 *
228 * @returns Pointer to the signing time if found, NULL if not.
229 * @param pThis The SignerInfo to search.
230 * @param ppContentInfoRet Where to return the pointer to the counter
231 * signature, optional.
232 */
233RTDECL(PCRTASN1TIME) RTCrPkcs7SignerInfo_GetMsTimestamp(PCRTCRPKCS7SIGNERINFO pThis,
234 struct RTCRPKCS7CONTENTINFO const **ppContentInfoRet);
235
236
237
238/**
239 * PKCS \#7 ContentInfo (IPRT representation).
240 */
241typedef struct RTCRPKCS7CONTENTINFO
242{
243 /** Sequence core. */
244 RTASN1SEQUENCECORE SeqCore;
245 /** Object ID identifying the content below. */
246 RTASN1OBJID ContentType;
247 /** Content, optional, explicit tag 0.
248 *
249 * Hack alert! This should've been an explict context tag 0 structure with a
250 * type selected according to ContentType. However, it's simpler to replace the
251 * explicit context with an OCTET STRING with implict tag 0. Then we can tag
252 * along on the encapsulation logic RTASN1OCTETSTRING provides for the dynamic
253 * inner type. The default decoder code will detect known structures as
254 * outlined in the union below, and decode the octet string content as an
255 * anonymous RTASN1CORE if not known.
256 *
257 * If the user want to decode the octet string content differently, it can do so
258 * by destroying and freeing the current encapsulated pointer, replacing it with
259 * it's own. (Of course following the RTASN1OCTETSTRING rules.) Just remember
260 * to also update the value in the union.
261 *
262 * @remarks What's signed and verified is Content.pEncapsulated->uData.pv.
263 */
264 RTASN1OCTETSTRING Content;
265 /** Pointer to the CMS octet string that's inside the Content, NULL if PKCS \#7.
266 *
267 * Hack alert! When transitioning from PKCS \#7 to CMS, the designers decided to
268 * change things and add another wrapper. This time we're talking about a real
269 * octet string, not like the one above which is really an explicit content tag.
270 * When constructing or decoding CMS content, this will be the same pointer as
271 * Content.pEncapsulated, while the union below will be holding the same pointer
272 * as pCmsContent->pEncapsulated.
273 */
274 PRTASN1OCTETSTRING pCmsContent;
275 /** Same as Content.pEncapsulated, except a choice of known types. */
276 union
277 {
278 /** ContentType is RTCRPKCS7SIGNEDDATA_OID. */
279 struct RTCRPKCS7SIGNEDDATA *pSignedData;
280 /** ContentType is RTCRSPCINDIRECTDATACONTENT_OID. */
281 struct RTCRSPCINDIRECTDATACONTENT *pIndirectDataContent;
282 /** ContentType is RTCRTSPTSTINFO_OID. */
283 struct RTCRTSPTSTINFO *pTstInfo;
284 /** Generic / Unknown / User. */
285 PRTASN1CORE pCore;
286 } u;
287} RTCRPKCS7CONTENTINFO;
288/** Pointer to the IPRT representation of a PKCS \#7 ContentInfo. */
289typedef RTCRPKCS7CONTENTINFO *PRTCRPKCS7CONTENTINFO;
290/** Pointer to the const IPRT representation of a PKCS \#7 ContentInfo. */
291typedef RTCRPKCS7CONTENTINFO const *PCRTCRPKCS7CONTENTINFO;
292RTASN1TYPE_STANDARD_PROTOTYPES(RTCRPKCS7CONTENTINFO, RTDECL, RTCrPkcs7ContentInfo, SeqCore.Asn1Core);
293RTASN1_IMPL_GEN_SET_OF_TYPEDEFS_AND_PROTOS(RTCRPKCS7SETOFCONTENTINFOS, RTCRPKCS7CONTENTINFO, RTDECL, RTCrPkcs7SetOfContentInfos);
294
295RTDECL(bool) RTCrPkcs7ContentInfo_IsSignedData(PCRTCRPKCS7CONTENTINFO pThis);
296
297
298/**
299 * PKCS \#7 Certificate choice.
300 */
301typedef enum RTCRPKCS7CERTCHOICE
302{
303 RTCRPKCS7CERTCHOICE_INVALID = 0,
304 RTCRPKCS7CERTCHOICE_X509,
305 RTCRPKCS7CERTCHOICE_EXTENDED_PKCS6,
306 RTCRPKCS7CERTCHOICE_AC_V1,
307 RTCRPKCS7CERTCHOICE_AC_V2,
308 RTCRPKCS7CERTCHOICE_OTHER,
309 RTCRPKCS7CERTCHOICE_END,
310 RTCRPKCS7CERTCHOICE_32BIT_HACK = 0x7fffffff
311} RTCRPKCS7CERTCHOICE;
312
313
314/**
315 * Common representation for PKCS \#7 ExtendedCertificateOrCertificate and the
316 * CMS CertificateChoices types.
317 */
318typedef struct RTCRPKCS7CERT
319{
320 /** Dummy ASN.1 record, not encoded. */
321 RTASN1DUMMY Dummy;
322 /** The value allocation. */
323 RTASN1ALLOCATION Allocation;
324 /** The choice of value. */
325 RTCRPKCS7CERTCHOICE enmChoice;
326 /** The value union. */
327 union
328 {
329 /** Standard X.509 certificate (RTCRCMSCERTIFICATECHOICE_X509). */
330 PRTCRX509CERTIFICATE pX509Cert;
331 /** Extended PKCS \#6 certificate (RTCRCMSCERTIFICATECHOICE_EXTENDED_PKCS6). */
332 PRTASN1CORE pExtendedCert;
333 /** Attribute certificate version 1 (RTCRCMSCERTIFICATECHOICE_AC_V1). */
334 PRTASN1CORE pAcV1;
335 /** Attribute certificate version 2 (RTCRCMSCERTIFICATECHOICE_AC_V2). */
336 PRTASN1CORE pAcV2;
337 /** Other certificate (RTCRCMSCERTIFICATECHOICE_OTHER). */
338 PRTASN1CORE pOtherCert;
339 } u;
340} RTCRPKCS7CERT;
341/** Pointer to the IPRT representation of PKCS \#7 or CMS certificate. */
342typedef RTCRPKCS7CERT *PRTCRPKCS7CERT;
343/** Pointer to the const IPRT representation of PKCS \#7 or CMS certificate. */
344typedef RTCRPKCS7CERT const *PCRTCRPKCS7CERT;
345RTASN1TYPE_STANDARD_PROTOTYPES(RTCRPKCS7CERT, RTDECL, RTCrPkcs7Cert, Dummy.Asn1Core);
346RTASN1_IMPL_GEN_SET_OF_TYPEDEFS_AND_PROTOS(RTCRPKCS7SETOFCERTS, RTCRPKCS7CERT, RTDECL, RTCrPkcs7SetOfCerts);
347
348RTDECL(PCRTCRX509CERTIFICATE) RTCrPkcs7SetOfCerts_FindX509ByIssuerAndSerialNumber(PCRTCRPKCS7SETOFCERTS pCertificates,
349 PCRTCRX509NAME pIssuer,
350 PCRTASN1INTEGER pSerialNumber);
351
352
353/**
354 * PKCS \#7 SignedData (IPRT representation).
355 */
356typedef struct RTCRPKCS7SIGNEDDATA
357{
358 /** Sequence core. */
359 RTASN1SEQUENCECORE SeqCore;
360 /** The structure version value (1). */
361 RTASN1INTEGER Version;
362 /** The digest algorithms that are used to signed the content (ContentInfo). */
363 RTCRX509ALGORITHMIDENTIFIERS DigestAlgorithms;
364 /** The content that's being signed. */
365 RTCRPKCS7CONTENTINFO ContentInfo;
366 /** Certificates, optional, implicit tag 0. (Required by Authenticode.) */
367 RTCRPKCS7SETOFCERTS Certificates;
368 /** Certificate revocation lists, optional, implicit tag 1.
369 * Not used by Authenticode, so currently stubbed. */
370 RTASN1CORE Crls;
371 /** Signer infos. */
372 RTCRPKCS7SIGNERINFOS SignerInfos;
373} RTCRPKCS7SIGNEDDATA;
374/** Pointer to the IPRT representation of a PKCS \#7 SignedData. */
375typedef RTCRPKCS7SIGNEDDATA *PRTCRPKCS7SIGNEDDATA;
376/** Pointer to the const IPRT representation of a PKCS \#7 SignedData. */
377typedef RTCRPKCS7SIGNEDDATA const *PCRTCRPKCS7SIGNEDDATA;
378RTASN1TYPE_STANDARD_PROTOTYPES(RTCRPKCS7SIGNEDDATA, RTDECL, RTCrPkcs7SignedData, SeqCore.Asn1Core);
379RTASN1_IMPL_GEN_SET_OF_TYPEDEFS_AND_PROTOS(RTCRPKCS7SETOFSIGNEDDATA, RTCRPKCS7SIGNEDDATA, RTDECL, RTCrPkcs7SetOfSignedData);
380
381/** PKCS \#7 SignedData object ID. */
382#define RTCRPKCS7SIGNEDDATA_OID "1.2.840.113549.1.7.2"
383
384/** PKCS \#7 SignedData version number 1. */
385#define RTCRPKCS7SIGNEDDATA_V1 1
386/* No version 2 seems to exist. */
387/** CMS SignedData version number 3.
388 * This should only be used if there are version 1 attribute certificates
389 * present, or if there are version 3 SignerInfo items present, or if
390 * enmcCountInfo is not id-data (RFC-5652, section 5.1). */
391#define RTCRPKCS7SIGNEDDATA_V3 3
392/** CMS SignedData version number 4.
393 * This should only be used if there are version 2 attribute certificates
394 * present (RFC-5652, section 5.1). */
395#define RTCRPKCS7SIGNEDDATA_V4 4
396/** CMS SignedData version number 5.
397 * This should only be used if there are certificates or/and CRLs of the
398 * OTHER type present (RFC-5652, section 5.1). */
399#define RTCRPKCS7SIGNEDDATA_V5 5
400
401
402/** @name RTCRPKCS7SIGNEDDATA_SANITY_F_XXX - Flags for RTPkcs7SignedDataCheckSantiy.
403 * @{ */
404/** Check for authenticode restrictions. */
405#define RTCRPKCS7SIGNEDDATA_SANITY_F_AUTHENTICODE RT_BIT_32(0)
406/** Check that all the hash algorithms are known to IPRT. */
407#define RTCRPKCS7SIGNEDDATA_SANITY_F_ONLY_KNOWN_HASH RT_BIT_32(1)
408/** Require signing certificate to be present. */
409#define RTCRPKCS7SIGNEDDATA_SANITY_F_SIGNING_CERT_PRESENT RT_BIT_32(2)
410/** @} */
411
412
413/**
414 * PKCS \#7 DigestInfo (IPRT representation).
415 */
416typedef struct RTCRPKCS7DIGESTINFO
417{
418 /** Sequence core. */
419 RTASN1SEQUENCECORE SeqCore;
420 /** The digest algorithm use to digest the signed content. */
421 RTCRX509ALGORITHMIDENTIFIER DigestAlgorithm;
422 /** The digest. */
423 RTASN1OCTETSTRING Digest;
424} RTCRPKCS7DIGESTINFO;
425/** Pointer to the IPRT representation of a PKCS \#7 DigestInfo object. */
426typedef RTCRPKCS7DIGESTINFO *PRTCRPKCS7DIGESTINFO;
427/** Pointer to the const IPRT representation of a PKCS \#7 DigestInfo object. */
428typedef RTCRPKCS7DIGESTINFO const *PCRTCRPKCS7DIGESTINFO;
429RTASN1TYPE_STANDARD_PROTOTYPES(RTCRPKCS7DIGESTINFO, RTDECL, RTCrPkcs7DigestInfo, SeqCore.Asn1Core);
430
431
432/**
433 * Callback function for use with RTCrPkcs7VerifySignedData.
434 *
435 * @returns IPRT status code.
436 * @param pCert The certificate to verify.
437 * @param hCertPaths Unless the certificate is trusted directly, this
438 * is a reference to the certificate path builder
439 * and verifier instance that we used to establish
440 * at least valid trusted path to @a pCert. The
441 * callback can use this to enforce additional
442 * certificate lineage requirements, effective
443 * policy checks and whatnot.
444 * This is NIL_RTCRX509CERTPATHS if the certificate
445 * is directly trusted.
446 * @param fFlags Mix of the RTCRPKCS7VCC_F_XXX flags.
447 * @param pvUser The user argument.
448 * @param pErrInfo Optional error info buffer.
449 */
450typedef DECLCALLBACK(int) FNRTCRPKCS7VERIFYCERTCALLBACK(PCRTCRX509CERTIFICATE pCert, RTCRX509CERTPATHS hCertPaths,
451 uint32_t fFlags, void *pvUser, PRTERRINFO pErrInfo);
452/** Pointer to a FNRTCRPKCS7VERIFYCERTCALLBACK callback. */
453typedef FNRTCRPKCS7VERIFYCERTCALLBACK *PFNRTCRPKCS7VERIFYCERTCALLBACK;
454
455/** @name RTCRPKCS7VCC_F_XXX - Flags for FNRTCRPKCS7VERIFYCERTCALLBACK.
456 * @{ */
457/** Normal callback for a direct signatory of the signed data. */
458#define RTCRPKCS7VCC_F_SIGNED_DATA RT_BIT_32(0)
459/** Check that the signatory can be trusted for timestamps. */
460#define RTCRPKCS7VCC_F_TIMESTAMP RT_BIT_32(1)
461/** @} */
462
463/**
464 * @callback_method_impl{FNRTCRPKCS7VERIFYCERTCALLBACK,
465 * Default implementation that checks for the DigitalSignature KeyUsage bit.}
466 */
467RTDECL(int) RTCrPkcs7VerifyCertCallbackDefault(PCRTCRX509CERTIFICATE pCert, RTCRX509CERTPATHS hCertPaths, uint32_t fFlags,
468 void *pvUser, PRTERRINFO pErrInfo);
469
470/**
471 * @callback_method_impl{FNRTCRPKCS7VERIFYCERTCALLBACK,
472 * Standard code signing. Use this for Microsoft SPC.}
473 */
474RTDECL(int) RTCrPkcs7VerifyCertCallbackCodeSigning(PCRTCRX509CERTIFICATE pCert, RTCRX509CERTPATHS hCertPaths, uint32_t fFlags,
475 void *pvUser, PRTERRINFO pErrInfo);
476
477/**
478 * Verifies PKCS \#7 SignedData.
479 *
480 * For compatability with alternative crypto providers, the user must work on
481 * the top level PKCS \#7 structure instead directly on the SignedData.
482 *
483 * @returns IPRT status code.
484 * @param pContentInfo PKCS \#7 content info structure.
485 * @param fFlags RTCRPKCS7VERIFY_SD_F_XXX.
486 * @param hAdditionalCerts Store containing additional certificates to
487 * supplement those mentioned in the signed data.
488 * @param hTrustedCerts Store containing trusted certificates.
489 * @param pValidationTime The time we're supposed to validate the
490 * certificates chains at. Ignored for signatures
491 * with valid signing time attributes.
492 * @param pfnVerifyCert Callback for checking that a certificate used
493 * for signing the data is suitable.
494 * @param pvUser User argument for the callback.
495 * @param pErrInfo Optional error info buffer.
496 */
497RTDECL(int) RTCrPkcs7VerifySignedData(PCRTCRPKCS7CONTENTINFO pContentInfo, uint32_t fFlags,
498 RTCRSTORE hAdditionalCerts, RTCRSTORE hTrustedCerts,
499 PCRTTIMESPEC pValidationTime, PFNRTCRPKCS7VERIFYCERTCALLBACK pfnVerifyCert, void *pvUser,
500 PRTERRINFO pErrInfo);
501
502/** @name RTCRPKCS7VERIFY_SD_F_XXX - Flags for RTCrPkcs7VerifySignedData
503 * @{ */
504/** Always use the signing time attribute if present, requiring it to be
505 * verified as valid. The default behavior is to ignore unverifiable
506 * signing time attributes and use the @a pValidationTime instead. */
507#define RTCRPKCS7VERIFY_SD_F_ALWAYS_USE_SIGNING_TIME_IF_PRESENT RT_BIT_32(0)
508/** Same as RTCRPKCS7VERIFY_SD_F_ALWAYS_USE_SIGNING_TIME_IF_PRESENT for the MS
509 * timestamp counter sigantures. */
510#define RTCRPKCS7VERIFY_SD_F_ALWAYS_USE_MS_TIMESTAMP_IF_PRESENT RT_BIT_32(1)
511/** Only use signging time attributes from counter signatures. */
512#define RTCRPKCS7VERIFY_SD_F_COUNTER_SIGNATURE_SIGNING_TIME_ONLY RT_BIT_32(2)
513/** Don't validate the counter signature containing the signing time, just use
514 * it unverified. This is useful if we don't necessarily have the root
515 * certificates for the timestamp server handy, but use with great care.
516 * @sa RTCRPKCS7VERIFY_SD_F_USE_MS_TIMESTAMP_UNVERIFIED */
517#define RTCRPKCS7VERIFY_SD_F_USE_SIGNING_TIME_UNVERIFIED RT_BIT_32(3)
518/** Don't validate the MS counter signature containing the signing timestamp.
519 * @sa RTCRPKCS7VERIFY_SD_F_USE_SIGNING_TIME_UNVERIFIED */
520#define RTCRPKCS7VERIFY_SD_F_USE_MS_TIMESTAMP_UNVERIFIED RT_BIT_32(4)
521/** Do not consider timestamps in microsoft counter signatures. */
522#define RTCRPKCS7VERIFY_SD_F_IGNORE_MS_TIMESTAMP RT_BIT_32(5)
523/** The signed data requires certificates to have the timestamp extended
524 * usage bit present. This is used for recursivly verifying MS timestamp
525 * signatures. */
526#define RTCRPKCS7VERIFY_SD_F_USAGE_TIMESTAMPING RT_BIT_32(6)
527
528/** Indicates internally that we're validating a counter signature and should
529 * use different rules when checking out the authenticated attributes.
530 * @internal */
531#define RTCRPKCS7VERIFY_SD_F_COUNTER_SIGNATURE RT_BIT_32(31)
532/** @} */
533
534/** @} */
535
536RT_C_DECLS_END
537
538#endif
539
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette