1 // Copyright 2017 The BoringSSL Authors
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 //     https://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 
15 #ifndef OPENSSL_HEADER_CRYPTO_PKCS7_INTERNAL_H
16 #define OPENSSL_HEADER_CRYPTO_PKCS7_INTERNAL_H
17 
18 #include <openssl/base.h>
19 
20 #if defined(__cplusplus)
21 extern "C" {
22 #endif
23 
24 
25 // pkcs7_parse_header reads the non-certificate/non-CRL prefix of a PKCS#7
26 // SignedData blob from |cbs| and sets |*out| to point to the rest of the
27 // input. If the input is in BER format, then |*der_bytes| will be set to a
28 // pointer that needs to be freed by the caller once they have finished
29 // processing |*out| (which will be pointing into |*der_bytes|).
30 //
31 // It returns one on success or zero on error. On error, |*der_bytes| is
32 // NULL.
33 int pkcs7_parse_header(uint8_t **der_bytes, CBS *out, CBS *cbs);
34 
35 // pkcs7_add_signed_data writes a PKCS#7, SignedData structure to |out|. While
36 // doing so it makes callbacks to let the caller fill in parts of the structure.
37 // All callbacks are ignored if NULL and return one on success or zero on error.
38 //
39 //   signed_data_version: version number of the SignedData structure. In PKCS#7,
40 //       it is always 1. In CMS, it depends on the features used.
41 //   digest_algos_cb: may write AlgorithmIdentifiers into the given CBB, which
42 //       is a SET of digest algorithms.
43 //   cert_crl_cb: may write the |certificates| or |crls| fields.
44 //       (See https://datatracker.ietf.org/doc/html/rfc2315#section-9.1)
45 //   signer_infos_cb: may write the contents of the |signerInfos| field.
46 //       (See https://datatracker.ietf.org/doc/html/rfc2315#section-9.1)
47 //
48 // pkcs7_add_signed_data returns one on success or zero on error.
49 int pkcs7_add_signed_data(CBB *out, uint64_t signed_data_version,
50                           int (*digest_algos_cb)(CBB *out, void *arg),
51                           int (*cert_crl_cb)(CBB *out, void *arg),
52                           int (*signer_infos_cb)(CBB *out, void *arg),
53                           void *arg);
54 
55 // pkcs7_add_external_signature writes a PKCS#7 or CMS SignedData structure to
56 // |out|, containing an external (i.e. the contents are not included) signature,
57 // using |sign_cert| and |key| to sign the contents of |data| with |md|. If
58 // |use_key_id| is true (CMS-only), the SignerInfo specifies the signer with key
59 // identifier. Otherwise, it uses issuer and serial number (PKCS#7 or CMS v1).
60 // The SignedData will have no embedded certificates and no attributes.
61 //
62 // Note: CMS v1 and PKCS#7 v1.5 are not completely compatible, but they overlap
63 // in all cases implemented by this function.
64 int pkcs7_add_external_signature(CBB *out, X509 *sign_cert, EVP_PKEY *key,
65                                  const EVP_MD *md, BIO *data, bool use_key_id);
66 
67 
68 #if defined(__cplusplus)
69 }  // extern C
70 #endif
71 
72 #endif  // OPENSSL_HEADER_CRYPTO_PKCS7_INTERNAL_H
73