123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615 |
- /*!
- \ingroup PKCS7
- \brief This function initializes a PKCS7 structure with a DER-formatted
- certificate. To initialize an empty PKCS7 structure, one can pass in a NULL
- cert and 0 for certSz.
- \return 0 Returned on successfully initializing the PKCS7 structure
- \return MEMORY_E Returned if there is an error allocating memory
- with XMALLOC
- \return ASN_PARSE_E Returned if there is an error parsing the cert header
- \return ASN_OBJECT_ID_E Returned if there is an error parsing the
- encryption type from the cert
- \return ASN_EXPECT_0_E Returned if there is a formatting error in the
- encryption specification of the cert file
- \return ASN_BEFORE_DATE_E Returned if the date is before the certificate
- start date
- \return ASN_AFTER_DATE_E Returned if the date is after the certificate
- expiration date
- \return ASN_BITSTR_E Returned if there is an error parsing a bit string
- from the certificate
- \return ASN_NTRU_KEY_E Returned if there is an error parsing the NTRU
- key from the certificate
- \return ECC_CURVE_OID_E Returned if there is an error parsing the ECC
- key from the certificate
- \return ASN_UNKNOWN_OID_E Returned if the certificate is using an unknown
- key object id
- \return ASN_VERSION_E Returned if the ALLOW_V1_EXTENSIONS option is not
- defined and the certificate is a V1 or V2 certificate
- \return BAD_FUNC_ARG Returned if there is an error processing the
- certificate extension
- \return ASN_CRIT_EXT_E Returned if an unfamiliar critical extension is
- encountered in processing the certificate
- \return ASN_SIG_OID_E Returned if the signature encryption type is not
- the same as the encryption type of the certificate in the provided file
- \return ASN_SIG_CONFIRM_E Returned if confirming the certification
- signature fails
- \return ASN_NAME_INVALID_E Returned if the certificate’s name is not
- permitted by the CA name constraints
- \return ASN_NO_SIGNER_E Returned if there is no CA signer to verify
- the certificate’s authenticity
- \param pkcs7 pointer to the PKCS7 structure in which to
- store the decoded cert
- \param cert pointer to a buffer containing a DER formatted ASN.1
- certificate with which to initialize the PKCS7 structure
- \param certSz size of the certificate buffer
- _Example_
- \code
- PKCS7 pkcs7;
- byte derBuff[] = { }; // initialize with DER-encoded certificate
- if ( wc_PKCS7_InitWithCert(&pkcs7, derBuff, sizeof(derBuff)) != 0 ) {
- // error parsing certificate into pkcs7 format
- }
- \endcode
- \sa wc_PKCS7_Free
- */
- WOLFSSL_API int wc_PKCS7_InitWithCert(PKCS7* pkcs7, byte* cert, word32 certSz);
- /*!
- \ingroup PKCS7
- \brief This function releases any memory allocated by a PKCS7 initializer.
- \return none No returns.
- \param pkcs7 pointer to the PKCS7 structure to free
- _Example_
- \code
- PKCS7 pkcs7;
- // initialize and use PKCS7 object
- wc_PKCS7_Free(pkcs7);
- \endcode
- \sa wc_PKCS7_InitWithCert
- */
- WOLFSSL_API void wc_PKCS7_Free(PKCS7* pkcs7);
- /*!
- \ingroup PKCS7
- \brief This function builds the PKCS7 data content type, encoding the
- PKCS7 structure into a buffer containing a parsable PKCS7 data packet.
- \return Success On successfully encoding the PKCS7 data into the buffer,
- returns the index parsed up to in the PKCS7 structure. This index also
- corresponds to the bytes written to the output buffer.
- \return BUFFER_E Returned if the given buffer is not large enough to hold
- the encoded certificate
- \param pkcs7 pointer to the PKCS7 structure to encode
- \param output pointer to the buffer in which to store the encoded
- certificate
- \param outputSz size available in the output buffer
- _Example_
- \code
- PKCS7 pkcs7;
- int ret;
- byte derBuff[] = { }; // initialize with DER-encoded certificate
- byte pkcs7Buff[FOURK_BUF];
- wc_PKCS7_InitWithCert(&pkcs7, derBuff, sizeof(derBuff));
- // update message and data to encode
- pkcs7.privateKey = key;
- pkcs7.privateKeySz = keySz;
- pkcs7.content = data;
- pkcs7.contentSz = dataSz;
- ... etc.
- ret = wc_PKCS7_EncodeData(&pkcs7, pkcs7Buff, sizeof(pkcs7Buff));
- if ( ret != 0 ) {
- // error encoding into output buffer
- }
- \endcode
- \sa wc_PKCS7_InitWithCert
- */
- WOLFSSL_API int wc_PKCS7_EncodeData(PKCS7* pkcs7, byte* output,
- word32 outputSz);
- /*!
- \ingroup PKCS7
- \brief This function builds the PKCS7 signed data content type, encoding
- the PKCS7 structure into a buffer containing a parsable PKCS7
- signed data packet.
- \return Success On successfully encoding the PKCS7 data into the buffer,
- returns the index parsed up to in the PKCS7 structure. This index also
- corresponds to the bytes written to the output buffer.
- \return BAD_FUNC_ARG Returned if the PKCS7 structure is missing one or
- more required elements to generate a signed data packet
- \return MEMORY_E Returned if there is an error allocating memory
- \return PUBLIC_KEY_E Returned if there is an error parsing the public key
- \return RSA_BUFFER_E Returned if buffer error, output too small or input
- too large
- \return BUFFER_E Returned if the given buffer is not large enough to hold
- the encoded certificate
- \return MP_INIT_E may be returned if there is an error generating
- the signature
- \return MP_READ_E may be returned if there is an error generating
- the signature
- \return MP_CMP_E may be returned if there is an error generating
- the signature
- \return MP_INVMOD_E may be returned if there is an error generating
- the signature
- \return MP_EXPTMOD_E may be returned if there is an error generating
- the signature
- \return MP_MOD_E may be returned if there is an error generating
- the signature
- \return MP_MUL_E may be returned if there is an error generating
- the signature
- \return MP_ADD_E may be returned if there is an error generating
- the signature
- \return MP_MULMOD_E may be returned if there is an error generating
- the signature
- \return MP_TO_E may be returned if there is an error generating
- the signature
- \return MP_MEM may be returned if there is an error generating the signature
- \param pkcs7 pointer to the PKCS7 structure to encode
- \param output pointer to the buffer in which to store the
- encoded certificate
- \param outputSz size available in the output buffer
- _Example_
- \code
- PKCS7 pkcs7;
- int ret;
- byte data[] = {}; // initialize with data to sign
- byte derBuff[] = { }; // initialize with DER-encoded certificate
- byte pkcs7Buff[FOURK_BUF];
- wc_PKCS7_InitWithCert(&pkcs7, derBuff, sizeof(derBuff));
- // update message and data to encode
- pkcs7.privateKey = key;
- pkcs7.privateKeySz = keySz;
- pkcs7.content = data;
- pkcs7.contentSz = dataSz;
- pkcs7.hashOID = SHAh;
- pkcs7.rng = &rng;
- ... etc.
- ret = wc_PKCS7_EncodeSignedData(&pkcs7, pkcs7Buff, sizeof(pkcs7Buff));
- if ( ret != 0 ) {
- // error encoding into output buffer
- }
- wc_PKCS7_Free(&pkcs7);
- \endcode
- \sa wc_PKCS7_InitWithCert
- \sa wc_PKCS7_VerifySignedData
- */
- WOLFSSL_API int wc_PKCS7_EncodeSignedData(PKCS7* pkcs7,
- byte* output, word32 outputSz);
- /*!
- \ingroup PKCS7
- \brief This function builds the PKCS7 signed data content type, encoding
- the PKCS7 structure into a header and footer buffer containing a parsable PKCS7
- signed data packet. This does not include the content.
- A hash must be computed and provided for the data
- \return 0=Success
- \return BAD_FUNC_ARG Returned if the PKCS7 structure is missing one or
- more required elements to generate a signed data packet
- \return MEMORY_E Returned if there is an error allocating memory
- \return PUBLIC_KEY_E Returned if there is an error parsing the public key
- \return RSA_BUFFER_E Returned if buffer error, output too small or input
- too large
- \return BUFFER_E Returned if the given buffer is not large enough to hold
- the encoded certificate
- \return MP_INIT_E may be returned if there is an error generating
- the signature
- \return MP_READ_E may be returned if there is an error generating
- the signature
- \return MP_CMP_E may be returned if there is an error generating
- the signature
- \return MP_INVMOD_E may be returned if there is an error generating
- the signature
- \return MP_EXPTMOD_E may be returned if there is an error generating
- the signature
- \return MP_MOD_E may be returned if there is an error generating
- the signature
- \return MP_MUL_E may be returned if there is an error generating
- the signature
- \return MP_ADD_E may be returned if there is an error generating
- the signature
- \return MP_MULMOD_E may be returned if there is an error generating
- the signature
- \return MP_TO_E may be returned if there is an error generating
- the signature
- \return MP_MEM may be returned if there is an error generating the signature
- \param pkcs7 pointer to the PKCS7 structure to encode
- \param hashBuf pointer to computed hash for the content data
- \param hashSz size of the digest
- \param outputHead pointer to the buffer in which to store the
- encoded certificate header
- \param outputHeadSz pointer populated with size of output header buffer
- and returns actual size
- \param outputFoot pointer to the buffer in which to store the
- encoded certificate footer
- \param outputFootSz pointer populated with size of output footer buffer
- and returns actual size
- _Example_
- \code
- PKCS7 pkcs7;
- int ret;
- byte derBuff[] = { }; // initialize with DER-encoded certificate
- byte data[] = {}; // initialize with data to sign
- byte pkcs7HeadBuff[FOURK_BUF/2];
- byte pkcs7FootBuff[FOURK_BUF/2];
- word32 pkcs7HeadSz = (word32)sizeof(pkcs7HeadBuff);
- word32 pkcs7FootSz = (word32)sizeof(pkcs7HeadBuff);
- enum wc_HashType hashType = WC_HASH_TYPE_SHA;
- byte hashBuf[WC_MAX_DIGEST_SIZE];
- word32 hashSz = wc_HashGetDigestSize(hashType);
- wc_PKCS7_InitWithCert(&pkcs7, derBuff, sizeof(derBuff));
- // update message and data to encode
- pkcs7.privateKey = key;
- pkcs7.privateKeySz = keySz;
- pkcs7.content = NULL;
- pkcs7.contentSz = dataSz;
- pkcs7.hashOID = SHAh;
- pkcs7.rng = &rng;
- ... etc.
- // calculate hash for content
- ret = wc_HashInit(&hash, hashType);
- if (ret == 0) {
- ret = wc_HashUpdate(&hash, hashType, data, sizeof(data));
- if (ret == 0) {
- ret = wc_HashFinal(&hash, hashType, hashBuf);
- }
- wc_HashFree(&hash, hashType);
- }
- ret = wc_PKCS7_EncodeSignedData_ex(&pkcs7, hashBuf, hashSz, pkcs7HeadBuff,
- &pkcs7HeadSz, pkcs7FootBuff, &pkcs7FootSz);
- if ( ret != 0 ) {
- // error encoding into output buffer
- }
- wc_PKCS7_Free(&pkcs7);
- \endcode
- \sa wc_PKCS7_InitWithCert
- \sa wc_PKCS7_VerifySignedData_ex
- */
- WOLFSSL_API int wc_PKCS7_EncodeSignedData_ex(PKCS7* pkcs7, const byte* hashBuf,
- word32 hashSz, byte* outputHead, word32* outputHeadSz, byte* outputFoot,
- word32* outputFootSz);
- /*!
- \ingroup PKCS7
- \brief This function takes in a transmitted PKCS7 signed data message,
- extracts the certificate list and certificate revocation list, and then
- verifies the signature. It stores the extracted content in the given
- PKCS7 structure.
- \return 0 Returned on successfully extracting the information
- from the message
- \return BAD_FUNC_ARG Returned if one of the input parameters is invalid
- \return ASN_PARSE_E Returned if there is an error parsing from the
- given pkiMsg
- \return PKCS7_OID_E Returned if the given pkiMsg is not a signed data type
- \return ASN_VERSION_E Returned if the PKCS7 signer info is not version 1
- \return MEMORY_E Returned if there is an error allocating memory
- \return PUBLIC_KEY_E Returned if there is an error parsing the public key
- \return RSA_BUFFER_E Returned if buffer error, output too small or
- input too large
- \return BUFFER_E Returned if the given buffer is not large enough to
- hold the encoded certificate
- \return MP_INIT_E may be returned if there is an error generating
- the signature
- \return MP_READ_E may be returned if there is an error generating
- the signature
- \return MP_CMP_E may be returned if there is an error generating
- the signature
- \return MP_INVMOD_E may be returned if there is an error generating
- the signature
- \return MP_EXPTMOD_E may be returned if there is an error generating
- the signature
- \return MP_MOD_E may be returned if there is an error generating
- the signature
- \return MP_MUL_E may be returned if there is an error generating
- the signature
- \return MP_ADD_E may be returned if there is an error generating
- the signature
- \return MP_MULMOD_E may be returned if there is an error generating
- the signature
- \return MP_TO_E may be returned if there is an error generating
- the signature
- \return MP_MEM may be returned if there is an error generating the signature
- \param pkcs7 pointer to the PKCS7 structure in which to store the parsed
- certificates
- \param pkiMsg pointer to the buffer containing the signed message to verify
- and decode
- \param pkiMsgSz size of the signed message
- _Example_
- \code
- PKCS7 pkcs7;
- int ret;
- byte pkcs7Buff[] = {}; // the PKCS7 signature
- wc_PKCS7_InitWithCert(&pkcs7, NULL, 0);
- // update message and data to encode
- pkcs7.privateKey = key;
- pkcs7.privateKeySz = keySz;
- pkcs7.content = data;
- pkcs7.contentSz = dataSz;
- ... etc.
- ret = wc_PKCS7_VerifySignedData(&pkcs7, pkcs7Buff, sizeof(pkcs7Buff));
- if ( ret != 0 ) {
- // error encoding into output buffer
- }
- wc_PKCS7_Free(&pkcs7);
- \endcode
- \sa wc_PKCS7_InitWithCert
- \sa wc_PKCS7_EncodeSignedData
- */
- WOLFSSL_API int wc_PKCS7_VerifySignedData(PKCS7* pkcs7,
- byte* pkiMsg, word32 pkiMsgSz);
- /*!
- \ingroup PKCS7
- \brief This function takes in a transmitted PKCS7 signed data message as
- hash/header/footer, then extracts the certificate list and certificate
- revocation list, and then verifies the signature. It stores the extracted
- content in the given PKCS7 structure.
- \return 0 Returned on successfully extracting the information
- from the message
- \return BAD_FUNC_ARG Returned if one of the input parameters is invalid
- \return ASN_PARSE_E Returned if there is an error parsing from the
- given pkiMsg
- \return PKCS7_OID_E Returned if the given pkiMsg is not a signed data type
- \return ASN_VERSION_E Returned if the PKCS7 signer info is not version 1
- \return MEMORY_E Returned if there is an error allocating memory
- \return PUBLIC_KEY_E Returned if there is an error parsing the public key
- \return RSA_BUFFER_E Returned if buffer error, output too small or
- input too large
- \return BUFFER_E Returned if the given buffer is not large enough to
- hold the encoded certificate
- \return MP_INIT_E may be returned if there is an error generating
- the signature
- \return MP_READ_E may be returned if there is an error generating
- the signature
- \return MP_CMP_E may be returned if there is an error generating
- the signature
- \return MP_INVMOD_E may be returned if there is an error generating
- the signature
- \return MP_EXPTMOD_E may be returned if there is an error generating
- the signature
- \return MP_MOD_E may be returned if there is an error generating
- the signature
- \return MP_MUL_E may be returned if there is an error generating
- the signature
- \return MP_ADD_E may be returned if there is an error generating
- the signature
- \return MP_MULMOD_E may be returned if there is an error generating
- the signature
- \return MP_TO_E may be returned if there is an error generating
- the signature
- \return MP_MEM may be returned if there is an error generating the signature
- \param pkcs7 pointer to the PKCS7 structure in which to store the parsed
- certificates
- \param hashBuf pointer to computed hash for the content data
- \param hashSz size of the digest
- \param pkiMsgHead pointer to the buffer containing the signed message header
- to verify and decode
- \param pkiMsgHeadSz size of the signed message header
- \param pkiMsgFoot pointer to the buffer containing the signed message footer
- to verify and decode
- \param pkiMsgFootSz size of the signed message footer
- _Example_
- \code
- PKCS7 pkcs7;
- int ret;
- byte data[] = {}; // initialize with data to sign
- byte pkcs7HeadBuff[] = {}; // initialize with PKCS7 header
- byte pkcs7FootBuff[] = {}; // initialize with PKCS7 footer
- enum wc_HashType hashType = WC_HASH_TYPE_SHA;
- byte hashBuf[WC_MAX_DIGEST_SIZE];
- word32 hashSz = wc_HashGetDigestSize(hashType);
- wc_PKCS7_InitWithCert(&pkcs7, NULL, 0);
- // update message and data to encode
- pkcs7.privateKey = key;
- pkcs7.privateKeySz = keySz;
- pkcs7.content = NULL;
- pkcs7.contentSz = dataSz;
- pkcs7.rng = &rng;
- ... etc.
- // calculate hash for content
- ret = wc_HashInit(&hash, hashType);
- if (ret == 0) {
- ret = wc_HashUpdate(&hash, hashType, data, sizeof(data));
- if (ret == 0) {
- ret = wc_HashFinal(&hash, hashType, hashBuf);
- }
- wc_HashFree(&hash, hashType);
- }
- ret = wc_PKCS7_VerifySignedData_ex(&pkcs7, hashBuf, hashSz, pkcs7HeadBuff,
- sizeof(pkcs7HeadBuff), pkcs7FootBuff, sizeof(pkcs7FootBuff));
- if ( ret != 0 ) {
- // error encoding into output buffer
- }
- wc_PKCS7_Free(&pkcs7);
- \endcode
- \sa wc_PKCS7_InitWithCert
- \sa wc_PKCS7_EncodeSignedData_ex
- */
- WOLFSSL_API int wc_PKCS7_VerifySignedData_ex(PKCS7* pkcs7, const byte* hashBuf,
- word32 hashSz, byte* pkiMsgHead, word32 pkiMsgHeadSz, byte* pkiMsgFoot,
- word32 pkiMsgFootSz);
- /*!
- \ingroup PKCS7
- \brief This function builds the PKCS7 enveloped data content type, encoding
- the PKCS7 structure into a buffer containing a parsable PKCS7 enveloped
- data packet.
- \return Success Returned on successfully encoding the message in enveloped
- data format, returns the size written to the output buffer
- \return BAD_FUNC_ARG: Returned if one of the input parameters is invalid,
- or if the PKCS7 structure is missing required elements
- \return ALGO_ID_E Returned if the PKCS7 structure is using an unsupported
- algorithm type. Currently, only DESb and DES3b are supported
- \return BUFFER_E Returned if the given output buffer is too small to store
- the output data
- \return MEMORY_E Returned if there is an error allocating memory
- \return RNG_FAILURE_E Returned if there is an error initializing the random
- number generator for encryption
- \return DRBG_FAILED Returned if there is an error generating numbers with
- the random number generator used for encryption
- \param pkcs7 pointer to the PKCS7 structure to encode
- \param output pointer to the buffer in which to store the encoded
- certificate
- \param outputSz size available in the output buffer
- _Example_
- \code
- PKCS7 pkcs7;
- int ret;
- byte derBuff[] = { }; // initialize with DER-encoded certificate
- byte pkcs7Buff[FOURK_BUF];
- wc_PKCS7_InitWithCert(&pkcs7, derBuff, sizeof(derBuff));
- // update message and data to encode
- pkcs7.privateKey = key;
- pkcs7.privateKeySz = keySz;
- pkcs7.content = data;
- pkcs7.contentSz = dataSz;
- ... etc.
- ret = wc_PKCS7_EncodeEnvelopedData(&pkcs7, pkcs7Buff, sizeof(pkcs7Buff));
- if ( ret != 0 ) {
- // error encoding into output buffer
- }
- \endcode
- \sa wc_PKCS7_InitWithCert
- \sa wc_PKCS7_DecodeEnvelopedData
- */
- WOLFSSL_API int wc_PKCS7_EncodeEnvelopedData(PKCS7* pkcs7,
- byte* output, word32 outputSz);
- /*!
- \ingroup PKCS7
- \brief This function unwraps and decrypts a PKCS7 enveloped data content
- type, decoding the message into output. It uses the private key of the
- PKCS7 object passed in to decrypt the message.
- \return On successfully extracting the information from the message,
- returns the bytes written to output
- \return BAD_FUNC_ARG Returned if one of the input parameters is invalid
- \return ASN_PARSE_E Returned if there is an error parsing from the
- given pkiMsg
- \return PKCS7_OID_E Returned if the given pkiMsg is not an enveloped
- data type
- \return ASN_VERSION_E Returned if the PKCS7 signer info is not version 0
- \return MEMORY_E Returned if there is an error allocating memory
- \return ALGO_ID_E Returned if the PKCS7 structure is using an unsupported
- algorithm type. Currently, only DESb and DES3b are supported for
- encryption, with RSAk for signature generation
- \return PKCS7_RECIP_E Returned if there is no recipient found in the
- enveloped data that matches the recipient provided
- \return RSA_BUFFER_E Returned if there is an error during RSA signature
- verification due to buffer error, output too small or input too large.
- \return MP_INIT_E may be returned if there is an error during signature
- verification
- \return MP_READ_E may be returned if there is an error during signature
- verification
- \return MP_CMP_E may be returned if there is an error during signature
- verification
- \return MP_INVMOD_E may be returned if there is an error during signature
- verification
- \return MP_EXPTMOD_E may be returned if there is an error during signature
- verification
- \return MP_MOD_E may be returned if there is an error during signature
- verification
- \return MP_MUL_E may be returned if there is an error during signature
- verification
- \return MP_ADD_E may be returned if there is an error during signature
- verification
- \return MP_MULMOD_E may be returned if there is an error during signature
- verification
- \return MP_TO_E may be returned if there is an error during signature
- verification
- \return MP_MEM may be returned if there is an error during signature
- verification
- \param pkcs7 pointer to the PKCS7 structure containing the private key with
- which to decode the enveloped data package
- \param pkiMsg pointer to the buffer containing the enveloped data package
- \param pkiMsgSz size of the enveloped data package
- \param output pointer to the buffer in which to store the decoded message
- \param outputSz size available in the output buffer
- _Example_
- \code
- PKCS7 pkcs7;
- byte received[] = { }; // initialize with received enveloped message
- byte decoded[FOURK_BUF];
- int decodedSz;
- // initialize pkcs7 with certificate
- // update key
- pkcs7.privateKey = key;
- pkcs7.privateKeySz = keySz;
- decodedSz = wc_PKCS7_DecodeEnvelopedData(&pkcs7, received,
- sizeof(received),decoded, sizeof(decoded));
- if ( decodedSz != 0 ) {
- // error decoding message
- }
- \endcode
- \sa wc_PKCS7_InitWithCert
- \sa wc_PKCS7_EncodeEnvelopedData
- */
- WOLFSSL_API int wc_PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* pkiMsg,
- word32 pkiMsgSz, byte* output,
- word32 outputSz);
|