2
0

pkcs7.h 23 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615
  1. /*!
  2. \ingroup PKCS7
  3. \brief This function initializes a PKCS7 structure with a DER-formatted
  4. certificate. To initialize an empty PKCS7 structure, one can pass in a NULL
  5. cert and 0 for certSz.
  6. \return 0 Returned on successfully initializing the PKCS7 structure
  7. \return MEMORY_E Returned if there is an error allocating memory
  8. with XMALLOC
  9. \return ASN_PARSE_E Returned if there is an error parsing the cert header
  10. \return ASN_OBJECT_ID_E Returned if there is an error parsing the
  11. encryption type from the cert
  12. \return ASN_EXPECT_0_E Returned if there is a formatting error in the
  13. encryption specification of the cert file
  14. \return ASN_BEFORE_DATE_E Returned if the date is before the certificate
  15. start date
  16. \return ASN_AFTER_DATE_E Returned if the date is after the certificate
  17. expiration date
  18. \return ASN_BITSTR_E Returned if there is an error parsing a bit string
  19. from the certificate
  20. \return ASN_NTRU_KEY_E Returned if there is an error parsing the NTRU
  21. key from the certificate
  22. \return ECC_CURVE_OID_E Returned if there is an error parsing the ECC
  23. key from the certificate
  24. \return ASN_UNKNOWN_OID_E Returned if the certificate is using an unknown
  25. key object id
  26. \return ASN_VERSION_E Returned if the ALLOW_V1_EXTENSIONS option is not
  27. defined and the certificate is a V1 or V2 certificate
  28. \return BAD_FUNC_ARG Returned if there is an error processing the
  29. certificate extension
  30. \return ASN_CRIT_EXT_E Returned if an unfamiliar critical extension is
  31. encountered in processing the certificate
  32. \return ASN_SIG_OID_E Returned if the signature encryption type is not
  33. the same as the encryption type of the certificate in the provided file
  34. \return ASN_SIG_CONFIRM_E Returned if confirming the certification
  35. signature fails
  36. \return ASN_NAME_INVALID_E Returned if the certificate’s name is not
  37. permitted by the CA name constraints
  38. \return ASN_NO_SIGNER_E Returned if there is no CA signer to verify
  39. the certificate’s authenticity
  40. \param pkcs7 pointer to the PKCS7 structure in which to
  41. store the decoded cert
  42. \param cert pointer to a buffer containing a DER formatted ASN.1
  43. certificate with which to initialize the PKCS7 structure
  44. \param certSz size of the certificate buffer
  45. _Example_
  46. \code
  47. PKCS7 pkcs7;
  48. byte derBuff[] = { }; // initialize with DER-encoded certificate
  49. if ( wc_PKCS7_InitWithCert(&pkcs7, derBuff, sizeof(derBuff)) != 0 ) {
  50. // error parsing certificate into pkcs7 format
  51. }
  52. \endcode
  53. \sa wc_PKCS7_Free
  54. */
  55. WOLFSSL_API int wc_PKCS7_InitWithCert(PKCS7* pkcs7, byte* cert, word32 certSz);
  56. /*!
  57. \ingroup PKCS7
  58. \brief This function releases any memory allocated by a PKCS7 initializer.
  59. \return none No returns.
  60. \param pkcs7 pointer to the PKCS7 structure to free
  61. _Example_
  62. \code
  63. PKCS7 pkcs7;
  64. // initialize and use PKCS7 object
  65. wc_PKCS7_Free(pkcs7);
  66. \endcode
  67. \sa wc_PKCS7_InitWithCert
  68. */
  69. WOLFSSL_API void wc_PKCS7_Free(PKCS7* pkcs7);
  70. /*!
  71. \ingroup PKCS7
  72. \brief This function builds the PKCS7 data content type, encoding the
  73. PKCS7 structure into a buffer containing a parsable PKCS7 data packet.
  74. \return Success On successfully encoding the PKCS7 data into the buffer,
  75. returns the index parsed up to in the PKCS7 structure. This index also
  76. corresponds to the bytes written to the output buffer.
  77. \return BUFFER_E Returned if the given buffer is not large enough to hold
  78. the encoded certificate
  79. \param pkcs7 pointer to the PKCS7 structure to encode
  80. \param output pointer to the buffer in which to store the encoded
  81. certificate
  82. \param outputSz size available in the output buffer
  83. _Example_
  84. \code
  85. PKCS7 pkcs7;
  86. int ret;
  87. byte derBuff[] = { }; // initialize with DER-encoded certificate
  88. byte pkcs7Buff[FOURK_BUF];
  89. wc_PKCS7_InitWithCert(&pkcs7, derBuff, sizeof(derBuff));
  90. // update message and data to encode
  91. pkcs7.privateKey = key;
  92. pkcs7.privateKeySz = keySz;
  93. pkcs7.content = data;
  94. pkcs7.contentSz = dataSz;
  95. ... etc.
  96. ret = wc_PKCS7_EncodeData(&pkcs7, pkcs7Buff, sizeof(pkcs7Buff));
  97. if ( ret != 0 ) {
  98. // error encoding into output buffer
  99. }
  100. \endcode
  101. \sa wc_PKCS7_InitWithCert
  102. */
  103. WOLFSSL_API int wc_PKCS7_EncodeData(PKCS7* pkcs7, byte* output,
  104. word32 outputSz);
  105. /*!
  106. \ingroup PKCS7
  107. \brief This function builds the PKCS7 signed data content type, encoding
  108. the PKCS7 structure into a buffer containing a parsable PKCS7
  109. signed data packet.
  110. \return Success On successfully encoding the PKCS7 data into the buffer,
  111. returns the index parsed up to in the PKCS7 structure. This index also
  112. corresponds to the bytes written to the output buffer.
  113. \return BAD_FUNC_ARG Returned if the PKCS7 structure is missing one or
  114. more required elements to generate a signed data packet
  115. \return MEMORY_E Returned if there is an error allocating memory
  116. \return PUBLIC_KEY_E Returned if there is an error parsing the public key
  117. \return RSA_BUFFER_E Returned if buffer error, output too small or input
  118. too large
  119. \return BUFFER_E Returned if the given buffer is not large enough to hold
  120. the encoded certificate
  121. \return MP_INIT_E may be returned if there is an error generating
  122. the signature
  123. \return MP_READ_E may be returned if there is an error generating
  124. the signature
  125. \return MP_CMP_E may be returned if there is an error generating
  126. the signature
  127. \return MP_INVMOD_E may be returned if there is an error generating
  128. the signature
  129. \return MP_EXPTMOD_E may be returned if there is an error generating
  130. the signature
  131. \return MP_MOD_E may be returned if there is an error generating
  132. the signature
  133. \return MP_MUL_E may be returned if there is an error generating
  134. the signature
  135. \return MP_ADD_E may be returned if there is an error generating
  136. the signature
  137. \return MP_MULMOD_E may be returned if there is an error generating
  138. the signature
  139. \return MP_TO_E may be returned if there is an error generating
  140. the signature
  141. \return MP_MEM may be returned if there is an error generating the signature
  142. \param pkcs7 pointer to the PKCS7 structure to encode
  143. \param output pointer to the buffer in which to store the
  144. encoded certificate
  145. \param outputSz size available in the output buffer
  146. _Example_
  147. \code
  148. PKCS7 pkcs7;
  149. int ret;
  150. byte data[] = {}; // initialize with data to sign
  151. byte derBuff[] = { }; // initialize with DER-encoded certificate
  152. byte pkcs7Buff[FOURK_BUF];
  153. wc_PKCS7_InitWithCert(&pkcs7, derBuff, sizeof(derBuff));
  154. // update message and data to encode
  155. pkcs7.privateKey = key;
  156. pkcs7.privateKeySz = keySz;
  157. pkcs7.content = data;
  158. pkcs7.contentSz = dataSz;
  159. pkcs7.hashOID = SHAh;
  160. pkcs7.rng = &rng;
  161. ... etc.
  162. ret = wc_PKCS7_EncodeSignedData(&pkcs7, pkcs7Buff, sizeof(pkcs7Buff));
  163. if ( ret != 0 ) {
  164. // error encoding into output buffer
  165. }
  166. wc_PKCS7_Free(&pkcs7);
  167. \endcode
  168. \sa wc_PKCS7_InitWithCert
  169. \sa wc_PKCS7_VerifySignedData
  170. */
  171. WOLFSSL_API int wc_PKCS7_EncodeSignedData(PKCS7* pkcs7,
  172. byte* output, word32 outputSz);
  173. /*!
  174. \ingroup PKCS7
  175. \brief This function builds the PKCS7 signed data content type, encoding
  176. the PKCS7 structure into a header and footer buffer containing a parsable PKCS7
  177. signed data packet. This does not include the content.
  178. A hash must be computed and provided for the data
  179. \return 0=Success
  180. \return BAD_FUNC_ARG Returned if the PKCS7 structure is missing one or
  181. more required elements to generate a signed data packet
  182. \return MEMORY_E Returned if there is an error allocating memory
  183. \return PUBLIC_KEY_E Returned if there is an error parsing the public key
  184. \return RSA_BUFFER_E Returned if buffer error, output too small or input
  185. too large
  186. \return BUFFER_E Returned if the given buffer is not large enough to hold
  187. the encoded certificate
  188. \return MP_INIT_E may be returned if there is an error generating
  189. the signature
  190. \return MP_READ_E may be returned if there is an error generating
  191. the signature
  192. \return MP_CMP_E may be returned if there is an error generating
  193. the signature
  194. \return MP_INVMOD_E may be returned if there is an error generating
  195. the signature
  196. \return MP_EXPTMOD_E may be returned if there is an error generating
  197. the signature
  198. \return MP_MOD_E may be returned if there is an error generating
  199. the signature
  200. \return MP_MUL_E may be returned if there is an error generating
  201. the signature
  202. \return MP_ADD_E may be returned if there is an error generating
  203. the signature
  204. \return MP_MULMOD_E may be returned if there is an error generating
  205. the signature
  206. \return MP_TO_E may be returned if there is an error generating
  207. the signature
  208. \return MP_MEM may be returned if there is an error generating the signature
  209. \param pkcs7 pointer to the PKCS7 structure to encode
  210. \param hashBuf pointer to computed hash for the content data
  211. \param hashSz size of the digest
  212. \param outputHead pointer to the buffer in which to store the
  213. encoded certificate header
  214. \param outputHeadSz pointer populated with size of output header buffer
  215. and returns actual size
  216. \param outputFoot pointer to the buffer in which to store the
  217. encoded certificate footer
  218. \param outputFootSz pointer populated with size of output footer buffer
  219. and returns actual size
  220. _Example_
  221. \code
  222. PKCS7 pkcs7;
  223. int ret;
  224. byte derBuff[] = { }; // initialize with DER-encoded certificate
  225. byte data[] = {}; // initialize with data to sign
  226. byte pkcs7HeadBuff[FOURK_BUF/2];
  227. byte pkcs7FootBuff[FOURK_BUF/2];
  228. word32 pkcs7HeadSz = (word32)sizeof(pkcs7HeadBuff);
  229. word32 pkcs7FootSz = (word32)sizeof(pkcs7HeadBuff);
  230. enum wc_HashType hashType = WC_HASH_TYPE_SHA;
  231. byte hashBuf[WC_MAX_DIGEST_SIZE];
  232. word32 hashSz = wc_HashGetDigestSize(hashType);
  233. wc_PKCS7_InitWithCert(&pkcs7, derBuff, sizeof(derBuff));
  234. // update message and data to encode
  235. pkcs7.privateKey = key;
  236. pkcs7.privateKeySz = keySz;
  237. pkcs7.content = NULL;
  238. pkcs7.contentSz = dataSz;
  239. pkcs7.hashOID = SHAh;
  240. pkcs7.rng = &rng;
  241. ... etc.
  242. // calculate hash for content
  243. ret = wc_HashInit(&hash, hashType);
  244. if (ret == 0) {
  245. ret = wc_HashUpdate(&hash, hashType, data, sizeof(data));
  246. if (ret == 0) {
  247. ret = wc_HashFinal(&hash, hashType, hashBuf);
  248. }
  249. wc_HashFree(&hash, hashType);
  250. }
  251. ret = wc_PKCS7_EncodeSignedData_ex(&pkcs7, hashBuf, hashSz, pkcs7HeadBuff,
  252. &pkcs7HeadSz, pkcs7FootBuff, &pkcs7FootSz);
  253. if ( ret != 0 ) {
  254. // error encoding into output buffer
  255. }
  256. wc_PKCS7_Free(&pkcs7);
  257. \endcode
  258. \sa wc_PKCS7_InitWithCert
  259. \sa wc_PKCS7_VerifySignedData_ex
  260. */
  261. WOLFSSL_API int wc_PKCS7_EncodeSignedData_ex(PKCS7* pkcs7, const byte* hashBuf,
  262. word32 hashSz, byte* outputHead, word32* outputHeadSz, byte* outputFoot,
  263. word32* outputFootSz);
  264. /*!
  265. \ingroup PKCS7
  266. \brief This function takes in a transmitted PKCS7 signed data message,
  267. extracts the certificate list and certificate revocation list, and then
  268. verifies the signature. It stores the extracted content in the given
  269. PKCS7 structure.
  270. \return 0 Returned on successfully extracting the information
  271. from the message
  272. \return BAD_FUNC_ARG Returned if one of the input parameters is invalid
  273. \return ASN_PARSE_E Returned if there is an error parsing from the
  274. given pkiMsg
  275. \return PKCS7_OID_E Returned if the given pkiMsg is not a signed data type
  276. \return ASN_VERSION_E Returned if the PKCS7 signer info is not version 1
  277. \return MEMORY_E Returned if there is an error allocating memory
  278. \return PUBLIC_KEY_E Returned if there is an error parsing the public key
  279. \return RSA_BUFFER_E Returned if buffer error, output too small or
  280. input too large
  281. \return BUFFER_E Returned if the given buffer is not large enough to
  282. hold the encoded certificate
  283. \return MP_INIT_E may be returned if there is an error generating
  284. the signature
  285. \return MP_READ_E may be returned if there is an error generating
  286. the signature
  287. \return MP_CMP_E may be returned if there is an error generating
  288. the signature
  289. \return MP_INVMOD_E may be returned if there is an error generating
  290. the signature
  291. \return MP_EXPTMOD_E may be returned if there is an error generating
  292. the signature
  293. \return MP_MOD_E may be returned if there is an error generating
  294. the signature
  295. \return MP_MUL_E may be returned if there is an error generating
  296. the signature
  297. \return MP_ADD_E may be returned if there is an error generating
  298. the signature
  299. \return MP_MULMOD_E may be returned if there is an error generating
  300. the signature
  301. \return MP_TO_E may be returned if there is an error generating
  302. the signature
  303. \return MP_MEM may be returned if there is an error generating the signature
  304. \param pkcs7 pointer to the PKCS7 structure in which to store the parsed
  305. certificates
  306. \param pkiMsg pointer to the buffer containing the signed message to verify
  307. and decode
  308. \param pkiMsgSz size of the signed message
  309. _Example_
  310. \code
  311. PKCS7 pkcs7;
  312. int ret;
  313. byte pkcs7Buff[] = {}; // the PKCS7 signature
  314. wc_PKCS7_InitWithCert(&pkcs7, NULL, 0);
  315. // update message and data to encode
  316. pkcs7.privateKey = key;
  317. pkcs7.privateKeySz = keySz;
  318. pkcs7.content = data;
  319. pkcs7.contentSz = dataSz;
  320. ... etc.
  321. ret = wc_PKCS7_VerifySignedData(&pkcs7, pkcs7Buff, sizeof(pkcs7Buff));
  322. if ( ret != 0 ) {
  323. // error encoding into output buffer
  324. }
  325. wc_PKCS7_Free(&pkcs7);
  326. \endcode
  327. \sa wc_PKCS7_InitWithCert
  328. \sa wc_PKCS7_EncodeSignedData
  329. */
  330. WOLFSSL_API int wc_PKCS7_VerifySignedData(PKCS7* pkcs7,
  331. byte* pkiMsg, word32 pkiMsgSz);
  332. /*!
  333. \ingroup PKCS7
  334. \brief This function takes in a transmitted PKCS7 signed data message as
  335. hash/header/footer, then extracts the certificate list and certificate
  336. revocation list, and then verifies the signature. It stores the extracted
  337. content in the given PKCS7 structure.
  338. \return 0 Returned on successfully extracting the information
  339. from the message
  340. \return BAD_FUNC_ARG Returned if one of the input parameters is invalid
  341. \return ASN_PARSE_E Returned if there is an error parsing from the
  342. given pkiMsg
  343. \return PKCS7_OID_E Returned if the given pkiMsg is not a signed data type
  344. \return ASN_VERSION_E Returned if the PKCS7 signer info is not version 1
  345. \return MEMORY_E Returned if there is an error allocating memory
  346. \return PUBLIC_KEY_E Returned if there is an error parsing the public key
  347. \return RSA_BUFFER_E Returned if buffer error, output too small or
  348. input too large
  349. \return BUFFER_E Returned if the given buffer is not large enough to
  350. hold the encoded certificate
  351. \return MP_INIT_E may be returned if there is an error generating
  352. the signature
  353. \return MP_READ_E may be returned if there is an error generating
  354. the signature
  355. \return MP_CMP_E may be returned if there is an error generating
  356. the signature
  357. \return MP_INVMOD_E may be returned if there is an error generating
  358. the signature
  359. \return MP_EXPTMOD_E may be returned if there is an error generating
  360. the signature
  361. \return MP_MOD_E may be returned if there is an error generating
  362. the signature
  363. \return MP_MUL_E may be returned if there is an error generating
  364. the signature
  365. \return MP_ADD_E may be returned if there is an error generating
  366. the signature
  367. \return MP_MULMOD_E may be returned if there is an error generating
  368. the signature
  369. \return MP_TO_E may be returned if there is an error generating
  370. the signature
  371. \return MP_MEM may be returned if there is an error generating the signature
  372. \param pkcs7 pointer to the PKCS7 structure in which to store the parsed
  373. certificates
  374. \param hashBuf pointer to computed hash for the content data
  375. \param hashSz size of the digest
  376. \param pkiMsgHead pointer to the buffer containing the signed message header
  377. to verify and decode
  378. \param pkiMsgHeadSz size of the signed message header
  379. \param pkiMsgFoot pointer to the buffer containing the signed message footer
  380. to verify and decode
  381. \param pkiMsgFootSz size of the signed message footer
  382. _Example_
  383. \code
  384. PKCS7 pkcs7;
  385. int ret;
  386. byte data[] = {}; // initialize with data to sign
  387. byte pkcs7HeadBuff[] = {}; // initialize with PKCS7 header
  388. byte pkcs7FootBuff[] = {}; // initialize with PKCS7 footer
  389. enum wc_HashType hashType = WC_HASH_TYPE_SHA;
  390. byte hashBuf[WC_MAX_DIGEST_SIZE];
  391. word32 hashSz = wc_HashGetDigestSize(hashType);
  392. wc_PKCS7_InitWithCert(&pkcs7, NULL, 0);
  393. // update message and data to encode
  394. pkcs7.privateKey = key;
  395. pkcs7.privateKeySz = keySz;
  396. pkcs7.content = NULL;
  397. pkcs7.contentSz = dataSz;
  398. pkcs7.rng = &rng;
  399. ... etc.
  400. // calculate hash for content
  401. ret = wc_HashInit(&hash, hashType);
  402. if (ret == 0) {
  403. ret = wc_HashUpdate(&hash, hashType, data, sizeof(data));
  404. if (ret == 0) {
  405. ret = wc_HashFinal(&hash, hashType, hashBuf);
  406. }
  407. wc_HashFree(&hash, hashType);
  408. }
  409. ret = wc_PKCS7_VerifySignedData_ex(&pkcs7, hashBuf, hashSz, pkcs7HeadBuff,
  410. sizeof(pkcs7HeadBuff), pkcs7FootBuff, sizeof(pkcs7FootBuff));
  411. if ( ret != 0 ) {
  412. // error encoding into output buffer
  413. }
  414. wc_PKCS7_Free(&pkcs7);
  415. \endcode
  416. \sa wc_PKCS7_InitWithCert
  417. \sa wc_PKCS7_EncodeSignedData_ex
  418. */
  419. WOLFSSL_API int wc_PKCS7_VerifySignedData_ex(PKCS7* pkcs7, const byte* hashBuf,
  420. word32 hashSz, byte* pkiMsgHead, word32 pkiMsgHeadSz, byte* pkiMsgFoot,
  421. word32 pkiMsgFootSz);
  422. /*!
  423. \ingroup PKCS7
  424. \brief This function builds the PKCS7 enveloped data content type, encoding
  425. the PKCS7 structure into a buffer containing a parsable PKCS7 enveloped
  426. data packet.
  427. \return Success Returned on successfully encoding the message in enveloped
  428. data format, returns the size written to the output buffer
  429. \return BAD_FUNC_ARG: Returned if one of the input parameters is invalid,
  430. or if the PKCS7 structure is missing required elements
  431. \return ALGO_ID_E Returned if the PKCS7 structure is using an unsupported
  432. algorithm type. Currently, only DESb and DES3b are supported
  433. \return BUFFER_E Returned if the given output buffer is too small to store
  434. the output data
  435. \return MEMORY_E Returned if there is an error allocating memory
  436. \return RNG_FAILURE_E Returned if there is an error initializing the random
  437. number generator for encryption
  438. \return DRBG_FAILED Returned if there is an error generating numbers with
  439. the random number generator used for encryption
  440. \param pkcs7 pointer to the PKCS7 structure to encode
  441. \param output pointer to the buffer in which to store the encoded
  442. certificate
  443. \param outputSz size available in the output buffer
  444. _Example_
  445. \code
  446. PKCS7 pkcs7;
  447. int ret;
  448. byte derBuff[] = { }; // initialize with DER-encoded certificate
  449. byte pkcs7Buff[FOURK_BUF];
  450. wc_PKCS7_InitWithCert(&pkcs7, derBuff, sizeof(derBuff));
  451. // update message and data to encode
  452. pkcs7.privateKey = key;
  453. pkcs7.privateKeySz = keySz;
  454. pkcs7.content = data;
  455. pkcs7.contentSz = dataSz;
  456. ... etc.
  457. ret = wc_PKCS7_EncodeEnvelopedData(&pkcs7, pkcs7Buff, sizeof(pkcs7Buff));
  458. if ( ret != 0 ) {
  459. // error encoding into output buffer
  460. }
  461. \endcode
  462. \sa wc_PKCS7_InitWithCert
  463. \sa wc_PKCS7_DecodeEnvelopedData
  464. */
  465. WOLFSSL_API int wc_PKCS7_EncodeEnvelopedData(PKCS7* pkcs7,
  466. byte* output, word32 outputSz);
  467. /*!
  468. \ingroup PKCS7
  469. \brief This function unwraps and decrypts a PKCS7 enveloped data content
  470. type, decoding the message into output. It uses the private key of the
  471. PKCS7 object passed in to decrypt the message.
  472. \return On successfully extracting the information from the message,
  473. returns the bytes written to output
  474. \return BAD_FUNC_ARG Returned if one of the input parameters is invalid
  475. \return ASN_PARSE_E Returned if there is an error parsing from the
  476. given pkiMsg
  477. \return PKCS7_OID_E Returned if the given pkiMsg is not an enveloped
  478. data type
  479. \return ASN_VERSION_E Returned if the PKCS7 signer info is not version 0
  480. \return MEMORY_E Returned if there is an error allocating memory
  481. \return ALGO_ID_E Returned if the PKCS7 structure is using an unsupported
  482. algorithm type. Currently, only DESb and DES3b are supported for
  483. encryption, with RSAk for signature generation
  484. \return PKCS7_RECIP_E Returned if there is no recipient found in the
  485. enveloped data that matches the recipient provided
  486. \return RSA_BUFFER_E Returned if there is an error during RSA signature
  487. verification due to buffer error, output too small or input too large.
  488. \return MP_INIT_E may be returned if there is an error during signature
  489. verification
  490. \return MP_READ_E may be returned if there is an error during signature
  491. verification
  492. \return MP_CMP_E may be returned if there is an error during signature
  493. verification
  494. \return MP_INVMOD_E may be returned if there is an error during signature
  495. verification
  496. \return MP_EXPTMOD_E may be returned if there is an error during signature
  497. verification
  498. \return MP_MOD_E may be returned if there is an error during signature
  499. verification
  500. \return MP_MUL_E may be returned if there is an error during signature
  501. verification
  502. \return MP_ADD_E may be returned if there is an error during signature
  503. verification
  504. \return MP_MULMOD_E may be returned if there is an error during signature
  505. verification
  506. \return MP_TO_E may be returned if there is an error during signature
  507. verification
  508. \return MP_MEM may be returned if there is an error during signature
  509. verification
  510. \param pkcs7 pointer to the PKCS7 structure containing the private key with
  511. which to decode the enveloped data package
  512. \param pkiMsg pointer to the buffer containing the enveloped data package
  513. \param pkiMsgSz size of the enveloped data package
  514. \param output pointer to the buffer in which to store the decoded message
  515. \param outputSz size available in the output buffer
  516. _Example_
  517. \code
  518. PKCS7 pkcs7;
  519. byte received[] = { }; // initialize with received enveloped message
  520. byte decoded[FOURK_BUF];
  521. int decodedSz;
  522. // initialize pkcs7 with certificate
  523. // update key
  524. pkcs7.privateKey = key;
  525. pkcs7.privateKeySz = keySz;
  526. decodedSz = wc_PKCS7_DecodeEnvelopedData(&pkcs7, received,
  527. sizeof(received),decoded, sizeof(decoded));
  528. if ( decodedSz != 0 ) {
  529. // error decoding message
  530. }
  531. \endcode
  532. \sa wc_PKCS7_InitWithCert
  533. \sa wc_PKCS7_EncodeEnvelopedData
  534. */
  535. WOLFSSL_API int wc_PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* pkiMsg,
  536. word32 pkiMsgSz, byte* output,
  537. word32 outputSz);