NCBI C++ ToolKit
Classes
pkcs7.h File Reference

PKCS #7 generic defines and structures https://tools.ietf.org/html/rfc2315. More...

#include "mbedtls/private_access.h"
#include "mbedtls/build_info.h"
#include "mbedtls/asn1.h"
#include "mbedtls/x509_crt.h"
+ Include dependency graph for pkcs7.h:

Go to the source code of this file.

Go to the SVN repository for this file.

Classes

struct  mbedtls_pkcs7_signer_info
 Structure holding PKCS #7 signer info. More...
 
struct  mbedtls_pkcs7_signed_data
 Structure holding the signed data section. More...
 
struct  mbedtls_pkcs7
 Structure holding PKCS #7 structure, only signed data for now. More...
 

Macros

PKCS #7 Module Error codes

Note: For the time being, this implementation of the PKCS #7 cryptographic message syntax is a partial implementation of RFC 2315.

Differences include:

  • The RFC specifies 6 different content types. The only type currently supported in Mbed TLS is the signed-data content type.
  • The only supported PKCS #7 Signed Data syntax version is version 1
  • The RFC specifies support for BER. This implementation is limited to DER only.
  • The RFC specifies that multiple digest algorithms can be specified in the Signed Data type. Only one digest algorithm is supported in Mbed TLS.
  • The RFC specifies the Signed Data type can contain multiple X.509 or PKCS #6 extended certificates. In Mbed TLS, this list can only contain 0 or 1 certificates and they must be in X.509 format.
  • The RFC specifies the Signed Data type can contain certificate-revocation lists (CRLs). This implementation has no support for CRLs so it is assumed to be an empty list.
  • The RFC allows for SignerInfo structure to optionally contain unauthenticatedAttributes and authenticatedAttributes. In Mbed TLS it is assumed these fields are empty.
  • The RFC allows for the signed Data type to contain contentInfo. This implementation assumes the type is DATA and the content is empty.
#define MBEDTLS_ERR_PKCS7_INVALID_FORMAT   -0x5300
 The format is invalid, e.g. More...
 
#define MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE   -0x5380
 Unavailable feature, e.g. More...
 
#define MBEDTLS_ERR_PKCS7_INVALID_VERSION   -0x5400
 The PKCS #7 version element is invalid or cannot be parsed. More...
 
#define MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO   -0x5480
 The PKCS #7 content info is invalid or cannot be parsed. More...
 
#define MBEDTLS_ERR_PKCS7_INVALID_ALG   -0x5500
 The algorithm tag or value is invalid or cannot be parsed. More...
 
#define MBEDTLS_ERR_PKCS7_INVALID_CERT   -0x5580
 The certificate tag or value is invalid or cannot be parsed. More...
 
#define MBEDTLS_ERR_PKCS7_INVALID_SIGNATURE   -0x5600
 Error parsing the signature. More...
 
#define MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO   -0x5680
 Error parsing the signer's info. More...
 
#define MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA   -0x5700
 Input invalid. More...
 
#define MBEDTLS_ERR_PKCS7_ALLOC_FAILED   -0x5780
 Allocation of memory failed. More...
 
#define MBEDTLS_ERR_PKCS7_VERIFY_FAIL   -0x5800
 Verification Failed. More...
 
#define MBEDTLS_ERR_PKCS7_CERT_DATE_INVALID   -0x5880
 The PKCS #7 date issued/expired dates are invalid. More...
 

PKCS #7 Supported Version

#define MBEDTLS_PKCS7_SUPPORTED_VERSION   0x01
 
enum  mbedtls_pkcs7_type {
  MBEDTLS_PKCS7_NONE =0 , MBEDTLS_PKCS7_DATA , MBEDTLS_PKCS7_SIGNED_DATA , MBEDTLS_PKCS7_ENVELOPED_DATA ,
  MBEDTLS_PKCS7_SIGNED_AND_ENVELOPED_DATA , MBEDTLS_PKCS7_DIGESTED_DATA , MBEDTLS_PKCS7_ENCRYPTED_DATA
}
 PKCS #7 types. More...
 
typedef mbedtls_asn1_buf mbedtls_pkcs7_buf
 Type-length-value structure that allows for ASN.1 using DER. More...
 
typedef mbedtls_asn1_named_data mbedtls_pkcs7_name
 Container for ASN.1 named information objects. More...
 
typedef mbedtls_asn1_sequence mbedtls_pkcs7_sequence
 Container for a sequence of ASN.1 items. More...
 
typedef struct mbedtls_pkcs7_signer_info mbedtls_pkcs7_signer_info
 Structure holding PKCS #7 signer info. More...
 
typedef struct mbedtls_pkcs7_signed_data mbedtls_pkcs7_signed_data
 Structure holding the signed data section. More...
 
typedef struct mbedtls_pkcs7 mbedtls_pkcs7
 Structure holding PKCS #7 structure, only signed data for now. More...
 
void mbedtls_pkcs7_init (mbedtls_pkcs7 *pkcs7)
 Initialize mbedtls_pkcs7 structure. More...
 
int mbedtls_pkcs7_parse_der (mbedtls_pkcs7 *pkcs7, const unsigned char *buf, const size_t buflen)
 Parse a single DER formatted PKCS #7 detached signature. More...
 
int mbedtls_pkcs7_signed_data_verify (mbedtls_pkcs7 *pkcs7, const mbedtls_x509_crt *cert, const unsigned char *data, size_t datalen)
 Verification of PKCS #7 signature against a caller-supplied certificate. More...
 
int mbedtls_pkcs7_signed_hash_verify (mbedtls_pkcs7 *pkcs7, const mbedtls_x509_crt *cert, const unsigned char *hash, size_t hashlen)
 Verification of PKCS #7 signature against a caller-supplied certificate. More...
 
void mbedtls_pkcs7_free (mbedtls_pkcs7 *pkcs7)
 Unallocate all PKCS #7 data and zeroize the memory. More...
 

Detailed Description

PKCS #7 generic defines and structures https://tools.ietf.org/html/rfc2315.

Definition in file pkcs7.h.

Macro Definition Documentation

◆ MBEDTLS_ERR_PKCS7_ALLOC_FAILED

#define MBEDTLS_ERR_PKCS7_ALLOC_FAILED   -0x5780

Allocation of memory failed.

Definition at line 59 of file pkcs7.h.

◆ MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA

#define MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA   -0x5700

Input invalid.

Definition at line 58 of file pkcs7.h.

◆ MBEDTLS_ERR_PKCS7_CERT_DATE_INVALID

#define MBEDTLS_ERR_PKCS7_CERT_DATE_INVALID   -0x5880

The PKCS #7 date issued/expired dates are invalid.

Definition at line 61 of file pkcs7.h.

◆ MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE

#define MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE   -0x5380

Unavailable feature, e.g.

anything other than signed data.

Definition at line 51 of file pkcs7.h.

◆ MBEDTLS_ERR_PKCS7_INVALID_ALG

#define MBEDTLS_ERR_PKCS7_INVALID_ALG   -0x5500

The algorithm tag or value is invalid or cannot be parsed.

Definition at line 54 of file pkcs7.h.

◆ MBEDTLS_ERR_PKCS7_INVALID_CERT

#define MBEDTLS_ERR_PKCS7_INVALID_CERT   -0x5580

The certificate tag or value is invalid or cannot be parsed.

Definition at line 55 of file pkcs7.h.

◆ MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO

#define MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO   -0x5480

The PKCS #7 content info is invalid or cannot be parsed.

Definition at line 53 of file pkcs7.h.

◆ MBEDTLS_ERR_PKCS7_INVALID_FORMAT

#define MBEDTLS_ERR_PKCS7_INVALID_FORMAT   -0x5300

The format is invalid, e.g.

different type expected.

Definition at line 50 of file pkcs7.h.

◆ MBEDTLS_ERR_PKCS7_INVALID_SIGNATURE

#define MBEDTLS_ERR_PKCS7_INVALID_SIGNATURE   -0x5600

Error parsing the signature.

Definition at line 56 of file pkcs7.h.

◆ MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO

#define MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO   -0x5680

Error parsing the signer's info.

Definition at line 57 of file pkcs7.h.

◆ MBEDTLS_ERR_PKCS7_INVALID_VERSION

#define MBEDTLS_ERR_PKCS7_INVALID_VERSION   -0x5400

The PKCS #7 version element is invalid or cannot be parsed.

Definition at line 52 of file pkcs7.h.

◆ MBEDTLS_ERR_PKCS7_VERIFY_FAIL

#define MBEDTLS_ERR_PKCS7_VERIFY_FAIL   -0x5800

Verification Failed.

Definition at line 60 of file pkcs7.h.

◆ MBEDTLS_PKCS7_SUPPORTED_VERSION

#define MBEDTLS_PKCS7_SUPPORTED_VERSION   0x01

Definition at line 68 of file pkcs7.h.

Typedef Documentation

◆ mbedtls_pkcs7

typedef struct mbedtls_pkcs7 mbedtls_pkcs7

Structure holding PKCS #7 structure, only signed data for now.

◆ mbedtls_pkcs7_buf

Type-length-value structure that allows for ASN.1 using DER.

Definition at line 78 of file pkcs7.h.

◆ mbedtls_pkcs7_name

Container for ASN.1 named information objects.

It allows for Relative Distinguished Names (e.g. cn=localhost,ou=code,etc.).

Definition at line 84 of file pkcs7.h.

◆ mbedtls_pkcs7_sequence

Container for a sequence of ASN.1 items.

Definition at line 89 of file pkcs7.h.

◆ mbedtls_pkcs7_signed_data

Structure holding the signed data section.

◆ mbedtls_pkcs7_signer_info

Structure holding PKCS #7 signer info.

Enumeration Type Documentation

◆ mbedtls_pkcs7_type

PKCS #7 types.

Enumerator
MBEDTLS_PKCS7_NONE 
MBEDTLS_PKCS7_DATA 
MBEDTLS_PKCS7_SIGNED_DATA 
MBEDTLS_PKCS7_ENVELOPED_DATA 
MBEDTLS_PKCS7_SIGNED_AND_ENVELOPED_DATA 
MBEDTLS_PKCS7_DIGESTED_DATA 
MBEDTLS_PKCS7_ENCRYPTED_DATA 

Definition at line 94 of file pkcs7.h.

Function Documentation

◆ mbedtls_pkcs7_free()

void mbedtls_pkcs7_free ( mbedtls_pkcs7 pkcs7)

Unallocate all PKCS #7 data and zeroize the memory.

It doesn't free pkcs7 itself. This should be done by the caller.

Parameters
pkcs7mbedtls_pkcs7 structure to free.

◆ mbedtls_pkcs7_init()

void mbedtls_pkcs7_init ( mbedtls_pkcs7 pkcs7)

Initialize mbedtls_pkcs7 structure.

Parameters
pkcs7mbedtls_pkcs7 structure.

◆ mbedtls_pkcs7_parse_der()

int mbedtls_pkcs7_parse_der ( mbedtls_pkcs7 pkcs7,
const unsigned char *  buf,
const size_t  buflen 
)

Parse a single DER formatted PKCS #7 detached signature.

Parameters
pkcs7The mbedtls_pkcs7 structure to be filled by the parser.
bufThe buffer holding only the DER encoded PKCS #7 content.
buflenThe size in bytes of buf. The size must be exactly the length of the DER encoded PKCS #7 content.
Note
This function makes an internal copy of the PKCS #7 buffer buf. In particular, buf may be destroyed or reused after this call returns.
Signatures with internal data are not supported.
Returns
The mbedtls_pkcs7_type of buf, if successful.
A negative error code on failure.

◆ mbedtls_pkcs7_signed_data_verify()

int mbedtls_pkcs7_signed_data_verify ( mbedtls_pkcs7 pkcs7,
const mbedtls_x509_crt cert,
const unsigned char *  data,
size_t  datalen 
)

Verification of PKCS #7 signature against a caller-supplied certificate.

For each signer in the PKCS structure, this function computes a signature over the supplied data, using the supplied certificate and the same digest algorithm as specified by the signer. It then compares this signature against the signer's signature; verification succeeds if any comparison matches.

This function does not use the certificates held within the PKCS #7 structure itself, and does not check that the certificate is signed by a trusted certification authority.

Parameters
pkcs7mbedtls_pkcs7 structure containing signature.
certCertificate containing key to verify signature.
dataPlain data on which signature has to be verified.
datalenLength of the data.
Note
This function internally calculates the hash on the supplied plain data for signature verification.
Returns
0 if the signature verifies, or a negative error code on failure.

◆ mbedtls_pkcs7_signed_hash_verify()

int mbedtls_pkcs7_signed_hash_verify ( mbedtls_pkcs7 pkcs7,
const mbedtls_x509_crt cert,
const unsigned char *  hash,
size_t  hashlen 
)

Verification of PKCS #7 signature against a caller-supplied certificate.

For each signer in the PKCS structure, this function validates a signature over the supplied hash, using the supplied certificate and the same digest algorithm as specified by the signer. Verification succeeds if any signature is good.

This function does not use the certificates held within the PKCS #7 structure itself, and does not check that the certificate is signed by a trusted certification authority.

Parameters
pkcs7PKCS #7 structure containing signature.
certCertificate containing key to verify signature.
hashHash of the plain data on which signature has to be verified.
hashlenLength of the hash.
Note
This function is different from mbedtls_pkcs7_signed_data_verify() in that it is directly passed the hash of the data.
Returns
0 if the signature verifies, or a negative error code on failure.
Modified on Wed Jun 19 17:08:03 2024 by modify_doxy.py rev. 669887