• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1  /*
2   * Copyright 2008-2021 The OpenSSL Project Authors. All Rights Reserved.
3   *
4   * Licensed under the Apache License 2.0 (the "License").  You may not use
5   * this file except in compliance with the License.  You can obtain a copy
6   * in the file LICENSE in the source distribution or at
7   * https://www.openssl.org/source/license.html
8   */
9  
10  #ifndef OSSL_CRYPTO_CMS_LOCAL_H
11  # define OSSL_CRYPTO_CMS_LOCAL_H
12  
13  # include <openssl/x509.h>
14  
15  /*
16   * Cryptographic message syntax (CMS) structures: taken from RFC3852
17   */
18  
19  /* Forward references */
20  
21  typedef struct CMS_IssuerAndSerialNumber_st CMS_IssuerAndSerialNumber;
22  typedef struct CMS_EncapsulatedContentInfo_st CMS_EncapsulatedContentInfo;
23  typedef struct CMS_SignerIdentifier_st CMS_SignerIdentifier;
24  typedef struct CMS_SignedData_st CMS_SignedData;
25  typedef struct CMS_OtherRevocationInfoFormat_st CMS_OtherRevocationInfoFormat;
26  typedef struct CMS_OriginatorInfo_st CMS_OriginatorInfo;
27  typedef struct CMS_EncryptedContentInfo_st CMS_EncryptedContentInfo;
28  typedef struct CMS_EnvelopedData_st CMS_EnvelopedData;
29  typedef struct CMS_DigestedData_st CMS_DigestedData;
30  typedef struct CMS_EncryptedData_st CMS_EncryptedData;
31  typedef struct CMS_AuthenticatedData_st CMS_AuthenticatedData;
32  typedef struct CMS_AuthEnvelopedData_st CMS_AuthEnvelopedData;
33  typedef struct CMS_CompressedData_st CMS_CompressedData;
34  typedef struct CMS_OtherCertificateFormat_st CMS_OtherCertificateFormat;
35  typedef struct CMS_KeyTransRecipientInfo_st CMS_KeyTransRecipientInfo;
36  typedef struct CMS_OriginatorPublicKey_st CMS_OriginatorPublicKey;
37  typedef struct CMS_OriginatorIdentifierOrKey_st CMS_OriginatorIdentifierOrKey;
38  typedef struct CMS_KeyAgreeRecipientInfo_st CMS_KeyAgreeRecipientInfo;
39  typedef struct CMS_RecipientKeyIdentifier_st CMS_RecipientKeyIdentifier;
40  typedef struct CMS_KeyAgreeRecipientIdentifier_st
41      CMS_KeyAgreeRecipientIdentifier;
42  typedef struct CMS_KEKIdentifier_st CMS_KEKIdentifier;
43  typedef struct CMS_KEKRecipientInfo_st CMS_KEKRecipientInfo;
44  typedef struct CMS_PasswordRecipientInfo_st CMS_PasswordRecipientInfo;
45  typedef struct CMS_OtherRecipientInfo_st CMS_OtherRecipientInfo;
46  typedef struct CMS_ReceiptsFrom_st CMS_ReceiptsFrom;
47  typedef struct CMS_CTX_st CMS_CTX;
48  
49  struct CMS_CTX_st {
50      OSSL_LIB_CTX *libctx;
51      char *propq;
52  };
53  
54  struct CMS_ContentInfo_st {
55      ASN1_OBJECT *contentType;
56      union {
57          ASN1_OCTET_STRING *data;
58          CMS_SignedData *signedData;
59          CMS_EnvelopedData *envelopedData;
60          CMS_DigestedData *digestedData;
61          CMS_EncryptedData *encryptedData;
62          CMS_AuthEnvelopedData *authEnvelopedData;
63          CMS_AuthenticatedData *authenticatedData;
64          CMS_CompressedData *compressedData;
65          ASN1_TYPE *other;
66          /* Other types ... */
67          void *otherData;
68      } d;
69      CMS_CTX ctx;
70  };
71  
72  DEFINE_STACK_OF(CMS_CertificateChoices)
73  
74  struct CMS_SignedData_st {
75      int32_t version;
76      STACK_OF(X509_ALGOR) *digestAlgorithms;
77      CMS_EncapsulatedContentInfo *encapContentInfo;
78      STACK_OF(CMS_CertificateChoices) *certificates;
79      STACK_OF(CMS_RevocationInfoChoice) *crls;
80      STACK_OF(CMS_SignerInfo) *signerInfos;
81  };
82  
83  struct CMS_EncapsulatedContentInfo_st {
84      ASN1_OBJECT *eContentType;
85      ASN1_OCTET_STRING *eContent;
86      /* Set to 1 if incomplete structure only part set up */
87      int partial;
88  };
89  
90  struct CMS_SignerInfo_st {
91      int32_t version;
92      CMS_SignerIdentifier *sid;
93      X509_ALGOR *digestAlgorithm;
94      STACK_OF(X509_ATTRIBUTE) *signedAttrs;
95      X509_ALGOR *signatureAlgorithm;
96      ASN1_OCTET_STRING *signature;
97      STACK_OF(X509_ATTRIBUTE) *unsignedAttrs;
98      /* Signing certificate and key */
99      X509 *signer;
100      EVP_PKEY *pkey;
101      /* Digest and public key context for alternative parameters */
102      EVP_MD_CTX *mctx;
103      EVP_PKEY_CTX *pctx;
104      const CMS_CTX *cms_ctx;
105  };
106  
107  struct CMS_SignerIdentifier_st {
108      int type;
109      union {
110          CMS_IssuerAndSerialNumber *issuerAndSerialNumber;
111          ASN1_OCTET_STRING *subjectKeyIdentifier;
112      } d;
113  };
114  
115  struct CMS_EnvelopedData_st {
116      int32_t version;
117      CMS_OriginatorInfo *originatorInfo;
118      STACK_OF(CMS_RecipientInfo) *recipientInfos;
119      CMS_EncryptedContentInfo *encryptedContentInfo;
120      STACK_OF(X509_ATTRIBUTE) *unprotectedAttrs;
121  };
122  
123  struct CMS_OriginatorInfo_st {
124      STACK_OF(CMS_CertificateChoices) *certificates;
125      STACK_OF(CMS_RevocationInfoChoice) *crls;
126  };
127  
128  struct CMS_EncryptedContentInfo_st {
129      ASN1_OBJECT *contentType;
130      X509_ALGOR *contentEncryptionAlgorithm;
131      ASN1_OCTET_STRING *encryptedContent;
132      /* Content encryption algorithm, key and tag */
133      const EVP_CIPHER *cipher;
134      unsigned char *key;
135      size_t keylen;
136      unsigned char *tag;
137      size_t taglen;
138      /* Set to 1 if we are debugging decrypt and don't fake keys for MMA */
139      int debug;
140      /* Set to 1 if we have no cert and need extra safety measures for MMA */
141      int havenocert;
142  };
143  
144  struct CMS_RecipientInfo_st {
145      int type;
146      union {
147          CMS_KeyTransRecipientInfo *ktri;
148          CMS_KeyAgreeRecipientInfo *kari;
149          CMS_KEKRecipientInfo *kekri;
150          CMS_PasswordRecipientInfo *pwri;
151          CMS_OtherRecipientInfo *ori;
152      } d;
153  };
154  
155  typedef CMS_SignerIdentifier CMS_RecipientIdentifier;
156  
157  struct CMS_KeyTransRecipientInfo_st {
158      int32_t version;
159      CMS_RecipientIdentifier *rid;
160      X509_ALGOR *keyEncryptionAlgorithm;
161      ASN1_OCTET_STRING *encryptedKey;
162      /* Recipient Key and cert */
163      X509 *recip;
164      EVP_PKEY *pkey;
165      /* Public key context for this operation */
166      EVP_PKEY_CTX *pctx;
167      const CMS_CTX *cms_ctx;
168  };
169  
170  struct CMS_KeyAgreeRecipientInfo_st {
171      int32_t version;
172      CMS_OriginatorIdentifierOrKey *originator;
173      ASN1_OCTET_STRING *ukm;
174      X509_ALGOR *keyEncryptionAlgorithm;
175      STACK_OF(CMS_RecipientEncryptedKey) *recipientEncryptedKeys;
176      /* Public key context associated with current operation */
177      EVP_PKEY_CTX *pctx;
178      /* Cipher context for CEK wrapping */
179      EVP_CIPHER_CTX *ctx;
180      const CMS_CTX *cms_ctx;
181  };
182  
183  struct CMS_OriginatorIdentifierOrKey_st {
184      int type;
185      union {
186          CMS_IssuerAndSerialNumber *issuerAndSerialNumber;
187          ASN1_OCTET_STRING *subjectKeyIdentifier;
188          CMS_OriginatorPublicKey *originatorKey;
189      } d;
190  };
191  
192  struct CMS_OriginatorPublicKey_st {
193      X509_ALGOR *algorithm;
194      ASN1_BIT_STRING *publicKey;
195  };
196  
197  struct CMS_RecipientEncryptedKey_st {
198      CMS_KeyAgreeRecipientIdentifier *rid;
199      ASN1_OCTET_STRING *encryptedKey;
200      /* Public key associated with this recipient */
201      EVP_PKEY *pkey;
202  };
203  
204  struct CMS_KeyAgreeRecipientIdentifier_st {
205      int type;
206      union {
207          CMS_IssuerAndSerialNumber *issuerAndSerialNumber;
208          CMS_RecipientKeyIdentifier *rKeyId;
209      } d;
210  };
211  
212  struct CMS_RecipientKeyIdentifier_st {
213      ASN1_OCTET_STRING *subjectKeyIdentifier;
214      ASN1_GENERALIZEDTIME *date;
215      CMS_OtherKeyAttribute *other;
216  };
217  
218  struct CMS_KEKRecipientInfo_st {
219      int32_t version;
220      CMS_KEKIdentifier *kekid;
221      X509_ALGOR *keyEncryptionAlgorithm;
222      ASN1_OCTET_STRING *encryptedKey;
223      /* Extra info: symmetric key to use */
224      unsigned char *key;
225      size_t keylen;
226      const CMS_CTX *cms_ctx;
227  };
228  
229  struct CMS_KEKIdentifier_st {
230      ASN1_OCTET_STRING *keyIdentifier;
231      ASN1_GENERALIZEDTIME *date;
232      CMS_OtherKeyAttribute *other;
233  };
234  
235  struct CMS_PasswordRecipientInfo_st {
236      int32_t version;
237      X509_ALGOR *keyDerivationAlgorithm;
238      X509_ALGOR *keyEncryptionAlgorithm;
239      ASN1_OCTET_STRING *encryptedKey;
240      /* Extra info: password to use */
241      unsigned char *pass;
242      size_t passlen;
243      const CMS_CTX *cms_ctx;
244  };
245  
246  struct CMS_OtherRecipientInfo_st {
247      ASN1_OBJECT *oriType;
248      ASN1_TYPE *oriValue;
249  };
250  
251  struct CMS_DigestedData_st {
252      int32_t version;
253      X509_ALGOR *digestAlgorithm;
254      CMS_EncapsulatedContentInfo *encapContentInfo;
255      ASN1_OCTET_STRING *digest;
256  };
257  
258  struct CMS_EncryptedData_st {
259      int32_t version;
260      CMS_EncryptedContentInfo *encryptedContentInfo;
261      STACK_OF(X509_ATTRIBUTE) *unprotectedAttrs;
262  };
263  
264  struct CMS_AuthenticatedData_st {
265      int32_t version;
266      CMS_OriginatorInfo *originatorInfo;
267      STACK_OF(CMS_RecipientInfo) *recipientInfos;
268      X509_ALGOR *macAlgorithm;
269      X509_ALGOR *digestAlgorithm;
270      CMS_EncapsulatedContentInfo *encapContentInfo;
271      STACK_OF(X509_ATTRIBUTE) *authAttrs;
272      ASN1_OCTET_STRING *mac;
273      STACK_OF(X509_ATTRIBUTE) *unauthAttrs;
274  };
275  
276  struct CMS_AuthEnvelopedData_st {
277      int32_t version;
278      CMS_OriginatorInfo *originatorInfo;
279      STACK_OF(CMS_RecipientInfo) *recipientInfos;
280      CMS_EncryptedContentInfo *authEncryptedContentInfo;
281      STACK_OF(X509_ATTRIBUTE) *authAttrs;
282      ASN1_OCTET_STRING *mac;
283      STACK_OF(X509_ATTRIBUTE) *unauthAttrs;
284  };
285  
286  struct CMS_CompressedData_st {
287      int32_t version;
288      X509_ALGOR *compressionAlgorithm;
289      STACK_OF(CMS_RecipientInfo) *recipientInfos;
290      CMS_EncapsulatedContentInfo *encapContentInfo;
291  };
292  
293  struct CMS_RevocationInfoChoice_st {
294      int type;
295      union {
296          X509_CRL *crl;
297          CMS_OtherRevocationInfoFormat *other;
298      } d;
299  };
300  
301  # define CMS_REVCHOICE_CRL               0
302  # define CMS_REVCHOICE_OTHER             1
303  
304  struct CMS_OtherRevocationInfoFormat_st {
305      ASN1_OBJECT *otherRevInfoFormat;
306      ASN1_TYPE *otherRevInfo;
307  };
308  
309  struct CMS_CertificateChoices {
310      int type;
311      union {
312          X509 *certificate;
313          ASN1_STRING *extendedCertificate; /* Obsolete */
314          ASN1_STRING *v1AttrCert; /* Left encoded for now */
315          ASN1_STRING *v2AttrCert; /* Left encoded for now */
316          CMS_OtherCertificateFormat *other;
317      } d;
318  };
319  
320  # define CMS_CERTCHOICE_CERT             0
321  # define CMS_CERTCHOICE_EXCERT           1
322  # define CMS_CERTCHOICE_V1ACERT          2
323  # define CMS_CERTCHOICE_V2ACERT          3
324  # define CMS_CERTCHOICE_OTHER            4
325  
326  struct CMS_OtherCertificateFormat_st {
327      ASN1_OBJECT *otherCertFormat;
328      ASN1_TYPE *otherCert;
329  };
330  
331  /*
332   * This is also defined in pkcs7.h but we duplicate it to allow the CMS code
333   * to be independent of PKCS#7
334   */
335  
336  struct CMS_IssuerAndSerialNumber_st {
337      X509_NAME *issuer;
338      ASN1_INTEGER *serialNumber;
339  };
340  
341  struct CMS_OtherKeyAttribute_st {
342      ASN1_OBJECT *keyAttrId;
343      ASN1_TYPE *keyAttr;
344  };
345  
346  /* ESS structures */
347  
348  struct CMS_ReceiptRequest_st {
349      ASN1_OCTET_STRING *signedContentIdentifier;
350      CMS_ReceiptsFrom *receiptsFrom;
351      STACK_OF(GENERAL_NAMES) *receiptsTo;
352  };
353  
354  struct CMS_ReceiptsFrom_st {
355      int type;
356      union {
357          int32_t allOrFirstTier;
358          STACK_OF(GENERAL_NAMES) *receiptList;
359      } d;
360  };
361  
362  struct CMS_Receipt_st {
363      int32_t version;
364      ASN1_OBJECT *contentType;
365      ASN1_OCTET_STRING *signedContentIdentifier;
366      ASN1_OCTET_STRING *originatorSignatureValue;
367  };
368  
369  DECLARE_ASN1_FUNCTIONS(CMS_ContentInfo)
370  DECLARE_ASN1_ITEM(CMS_SignerInfo)
371  DECLARE_ASN1_ITEM(CMS_IssuerAndSerialNumber)
372  DECLARE_ASN1_ITEM(CMS_Attributes_Sign)
373  DECLARE_ASN1_ITEM(CMS_Attributes_Verify)
374  DECLARE_ASN1_ITEM(CMS_RecipientInfo)
375  DECLARE_ASN1_ITEM(CMS_PasswordRecipientInfo)
376  DECLARE_ASN1_ALLOC_FUNCTIONS(CMS_IssuerAndSerialNumber)
377  
378  # define CMS_SIGNERINFO_ISSUER_SERIAL    0
379  # define CMS_SIGNERINFO_KEYIDENTIFIER    1
380  
381  # define CMS_RECIPINFO_ISSUER_SERIAL     0
382  # define CMS_RECIPINFO_KEYIDENTIFIER     1
383  
384  # define CMS_REK_ISSUER_SERIAL           0
385  # define CMS_REK_KEYIDENTIFIER           1
386  
387  # define CMS_OIK_ISSUER_SERIAL           0
388  # define CMS_OIK_KEYIDENTIFIER           1
389  # define CMS_OIK_PUBKEY                  2
390  
391  BIO *ossl_cms_content_bio(CMS_ContentInfo *cms);
392  const CMS_CTX *ossl_cms_get0_cmsctx(const CMS_ContentInfo *cms);
393  OSSL_LIB_CTX *ossl_cms_ctx_get0_libctx(const CMS_CTX *ctx);
394  const char *ossl_cms_ctx_get0_propq(const CMS_CTX *ctx);
395  void ossl_cms_resolve_libctx(CMS_ContentInfo *ci);
396  
397  CMS_ContentInfo *ossl_cms_Data_create(OSSL_LIB_CTX *ctx, const char *propq);
398  
399  CMS_ContentInfo *ossl_cms_DigestedData_create(const EVP_MD *md,
400                                                OSSL_LIB_CTX *libctx,
401                                                const char *propq);
402  BIO *ossl_cms_DigestedData_init_bio(const CMS_ContentInfo *cms);
403  int ossl_cms_DigestedData_do_final(const CMS_ContentInfo *cms,
404                                     BIO *chain, int verify);
405  
406  BIO *ossl_cms_SignedData_init_bio(CMS_ContentInfo *cms);
407  int ossl_cms_SignedData_final(CMS_ContentInfo *cms, BIO *chain);
408  int ossl_cms_set1_SignerIdentifier(CMS_SignerIdentifier *sid, X509 *cert,
409                                     int type, const CMS_CTX *ctx);
410  int ossl_cms_SignerIdentifier_get0_signer_id(CMS_SignerIdentifier *sid,
411                                               ASN1_OCTET_STRING **keyid,
412                                               X509_NAME **issuer,
413                                               ASN1_INTEGER **sno);
414  int ossl_cms_SignerIdentifier_cert_cmp(CMS_SignerIdentifier *sid, X509 *cert);
415  
416  CMS_ContentInfo *ossl_cms_CompressedData_create(int comp_nid,
417                                                  OSSL_LIB_CTX *libctx,
418                                                  const char *propq);
419  BIO *ossl_cms_CompressedData_init_bio(const CMS_ContentInfo *cms);
420  
421  BIO *ossl_cms_DigestAlgorithm_init_bio(X509_ALGOR *digestAlgorithm,
422                                         const CMS_CTX *ctx);
423  int ossl_cms_DigestAlgorithm_find_ctx(EVP_MD_CTX *mctx, BIO *chain,
424                                        X509_ALGOR *mdalg);
425  
426  int ossl_cms_ias_cert_cmp(CMS_IssuerAndSerialNumber *ias, X509 *cert);
427  int ossl_cms_keyid_cert_cmp(ASN1_OCTET_STRING *keyid, X509 *cert);
428  int ossl_cms_set1_ias(CMS_IssuerAndSerialNumber **pias, X509 *cert);
429  int ossl_cms_set1_keyid(ASN1_OCTET_STRING **pkeyid, X509 *cert);
430  
431  BIO *ossl_cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec,
432                                          const CMS_CTX *ctx);
433  BIO *ossl_cms_EncryptedData_init_bio(const CMS_ContentInfo *cms);
434  int ossl_cms_EncryptedContent_init(CMS_EncryptedContentInfo *ec,
435                                     const EVP_CIPHER *cipher,
436                                     const unsigned char *key, size_t keylen,
437                                     const CMS_CTX *ctx);
438  
439  int ossl_cms_Receipt_verify(CMS_ContentInfo *cms, CMS_ContentInfo *req_cms);
440  int ossl_cms_msgSigDigest_add1(CMS_SignerInfo *dest, CMS_SignerInfo *src);
441  ASN1_OCTET_STRING *ossl_cms_encode_Receipt(CMS_SignerInfo *si);
442  
443  BIO *ossl_cms_EnvelopedData_init_bio(CMS_ContentInfo *cms);
444  int ossl_cms_EnvelopedData_final(CMS_ContentInfo *cms, BIO *chain);
445  BIO *ossl_cms_AuthEnvelopedData_init_bio(CMS_ContentInfo *cms);
446  int ossl_cms_AuthEnvelopedData_final(CMS_ContentInfo *cms, BIO *cmsbio);
447  CMS_EnvelopedData *ossl_cms_get0_enveloped(CMS_ContentInfo *cms);
448  CMS_AuthEnvelopedData *ossl_cms_get0_auth_enveloped(CMS_ContentInfo *cms);
449  CMS_EncryptedContentInfo *ossl_cms_get0_env_enc_content(const CMS_ContentInfo *cms);
450  
451  /* RecipientInfo routines */
452  int ossl_cms_env_asn1_ctrl(CMS_RecipientInfo *ri, int cmd);
453  int ossl_cms_pkey_get_ri_type(EVP_PKEY *pk);
454  int ossl_cms_pkey_is_ri_type_supported(EVP_PKEY *pk, int ri_type);
455  
456  void ossl_cms_RecipientInfos_set_cmsctx(CMS_ContentInfo *cms);
457  
458  /* KARI routines */
459  int ossl_cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri, X509 *recip,
460                                       EVP_PKEY *recipPubKey, X509 *originator,
461                                       EVP_PKEY *originatorPrivKey,
462                                       unsigned int flags,
463                                       const CMS_CTX *ctx);
464  int ossl_cms_RecipientInfo_kari_encrypt(const CMS_ContentInfo *cms,
465                                          CMS_RecipientInfo *ri);
466  
467  /* PWRI routines */
468  int ossl_cms_RecipientInfo_pwri_crypt(const CMS_ContentInfo *cms,
469                                        CMS_RecipientInfo *ri, int en_de);
470  /* SignerInfo routines */
471  int ossl_cms_si_check_attributes(const CMS_SignerInfo *si);
472  void ossl_cms_SignerInfos_set_cmsctx(CMS_ContentInfo *cms);
473  
474  
475  /* ESS routines */
476  int ossl_cms_check_signing_certs(const CMS_SignerInfo *si,
477                                   const STACK_OF(X509) *chain);
478  
479  int ossl_cms_dh_envelope(CMS_RecipientInfo *ri, int decrypt);
480  int ossl_cms_ecdh_envelope(CMS_RecipientInfo *ri, int decrypt);
481  int ossl_cms_rsa_envelope(CMS_RecipientInfo *ri, int decrypt);
482  int ossl_cms_ecdsa_dsa_sign(CMS_SignerInfo *si, int verify);
483  int ossl_cms_rsa_sign(CMS_SignerInfo *si, int verify);
484  
485  DECLARE_ASN1_ITEM(CMS_CertificateChoices)
486  DECLARE_ASN1_ITEM(CMS_DigestedData)
487  DECLARE_ASN1_ITEM(CMS_EncryptedData)
488  DECLARE_ASN1_ITEM(CMS_EnvelopedData)
489  DECLARE_ASN1_ITEM(CMS_AuthEnvelopedData)
490  DECLARE_ASN1_ITEM(CMS_KEKRecipientInfo)
491  DECLARE_ASN1_ITEM(CMS_KeyAgreeRecipientInfo)
492  DECLARE_ASN1_ITEM(CMS_KeyTransRecipientInfo)
493  DECLARE_ASN1_ITEM(CMS_OriginatorPublicKey)
494  DECLARE_ASN1_ITEM(CMS_OtherKeyAttribute)
495  DECLARE_ASN1_ITEM(CMS_Receipt)
496  DECLARE_ASN1_ITEM(CMS_ReceiptRequest)
497  DECLARE_ASN1_ITEM(CMS_RecipientEncryptedKey)
498  DECLARE_ASN1_ITEM(CMS_RecipientKeyIdentifier)
499  DECLARE_ASN1_ITEM(CMS_RevocationInfoChoice)
500  DECLARE_ASN1_ITEM(CMS_SignedData)
501  DECLARE_ASN1_ITEM(CMS_CompressedData)
502  
503  #endif
504