1 /* 2 * Copyright 2008-2024 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 #ifndef OSSL_CRYPTO_CMS_LOCAL_H 11 # define OSSL_CRYPTO_CMS_LOCAL_H 12 13 # include <openssl/x509.h> 14 15 /* 16 * Cryptographic message syntax (CMS) structures: taken from RFC3852 17 */ 18 19 /* Forward references */ 20 21 typedef struct CMS_IssuerAndSerialNumber_st CMS_IssuerAndSerialNumber; 22 typedef struct CMS_EncapsulatedContentInfo_st CMS_EncapsulatedContentInfo; 23 typedef struct CMS_SignerIdentifier_st CMS_SignerIdentifier; 24 typedef struct CMS_OtherRevocationInfoFormat_st CMS_OtherRevocationInfoFormat; 25 typedef struct CMS_OriginatorInfo_st CMS_OriginatorInfo; 26 typedef struct CMS_EncryptedContentInfo_st CMS_EncryptedContentInfo; 27 typedef struct CMS_DigestedData_st CMS_DigestedData; 28 typedef struct CMS_EncryptedData_st CMS_EncryptedData; 29 typedef struct CMS_AuthenticatedData_st CMS_AuthenticatedData; 30 typedef struct CMS_AuthEnvelopedData_st CMS_AuthEnvelopedData; 31 typedef struct CMS_CompressedData_st CMS_CompressedData; 32 typedef struct CMS_OtherCertificateFormat_st CMS_OtherCertificateFormat; 33 typedef struct CMS_KeyTransRecipientInfo_st CMS_KeyTransRecipientInfo; 34 typedef struct CMS_OriginatorPublicKey_st CMS_OriginatorPublicKey; 35 typedef struct CMS_OriginatorIdentifierOrKey_st CMS_OriginatorIdentifierOrKey; 36 typedef struct CMS_KeyAgreeRecipientInfo_st CMS_KeyAgreeRecipientInfo; 37 typedef struct CMS_RecipientKeyIdentifier_st CMS_RecipientKeyIdentifier; 38 typedef struct CMS_KeyAgreeRecipientIdentifier_st 39 CMS_KeyAgreeRecipientIdentifier; 40 typedef struct CMS_KEKIdentifier_st CMS_KEKIdentifier; 41 typedef struct CMS_KEKRecipientInfo_st CMS_KEKRecipientInfo; 42 typedef struct CMS_PasswordRecipientInfo_st CMS_PasswordRecipientInfo; 43 typedef struct CMS_OtherRecipientInfo_st CMS_OtherRecipientInfo; 44 typedef struct CMS_ReceiptsFrom_st CMS_ReceiptsFrom; 45 typedef struct CMS_CTX_st CMS_CTX; 46 47 struct CMS_CTX_st { 48 OSSL_LIB_CTX *libctx; 49 char *propq; 50 }; 51 52 struct CMS_ContentInfo_st { 53 ASN1_OBJECT *contentType; 54 union { 55 ASN1_OCTET_STRING *data; 56 CMS_SignedData *signedData; 57 CMS_EnvelopedData *envelopedData; 58 CMS_DigestedData *digestedData; 59 CMS_EncryptedData *encryptedData; 60 CMS_AuthEnvelopedData *authEnvelopedData; 61 CMS_AuthenticatedData *authenticatedData; 62 CMS_CompressedData *compressedData; 63 ASN1_TYPE *other; 64 /* Other types ... */ 65 void *otherData; 66 } d; 67 CMS_CTX ctx; 68 }; 69 70 DEFINE_STACK_OF(CMS_CertificateChoices) 71 72 struct CMS_SignedData_st { 73 int32_t version; 74 STACK_OF(X509_ALGOR) *digestAlgorithms; 75 CMS_EncapsulatedContentInfo *encapContentInfo; 76 STACK_OF(CMS_CertificateChoices) *certificates; 77 STACK_OF(CMS_RevocationInfoChoice) *crls; 78 STACK_OF(CMS_SignerInfo) *signerInfos; 79 }; 80 81 struct CMS_EncapsulatedContentInfo_st { 82 ASN1_OBJECT *eContentType; 83 ASN1_OCTET_STRING *eContent; 84 /* Set to 1 if incomplete structure only part set up */ 85 int partial; 86 }; 87 88 struct CMS_SignerInfo_st { 89 int32_t version; 90 CMS_SignerIdentifier *sid; 91 X509_ALGOR *digestAlgorithm; 92 STACK_OF(X509_ATTRIBUTE) *signedAttrs; 93 X509_ALGOR *signatureAlgorithm; 94 ASN1_OCTET_STRING *signature; 95 STACK_OF(X509_ATTRIBUTE) *unsignedAttrs; 96 /* Signing certificate and key */ 97 X509 *signer; 98 EVP_PKEY *pkey; 99 /* Digest and public key context for alternative parameters */ 100 EVP_MD_CTX *mctx; 101 EVP_PKEY_CTX *pctx; 102 const CMS_CTX *cms_ctx; 103 }; 104 105 struct CMS_SignerIdentifier_st { 106 int type; 107 union { 108 CMS_IssuerAndSerialNumber *issuerAndSerialNumber; 109 ASN1_OCTET_STRING *subjectKeyIdentifier; 110 } d; 111 }; 112 113 struct CMS_EnvelopedData_st { 114 int32_t version; 115 CMS_OriginatorInfo *originatorInfo; 116 STACK_OF(CMS_RecipientInfo) *recipientInfos; 117 CMS_EncryptedContentInfo *encryptedContentInfo; 118 STACK_OF(X509_ATTRIBUTE) *unprotectedAttrs; 119 }; 120 121 struct CMS_OriginatorInfo_st { 122 STACK_OF(CMS_CertificateChoices) *certificates; 123 STACK_OF(CMS_RevocationInfoChoice) *crls; 124 }; 125 126 struct CMS_EncryptedContentInfo_st { 127 ASN1_OBJECT *contentType; 128 X509_ALGOR *contentEncryptionAlgorithm; 129 ASN1_OCTET_STRING *encryptedContent; 130 /* Content encryption algorithm, key and tag */ 131 const EVP_CIPHER *cipher; 132 unsigned char *key; 133 size_t keylen; 134 unsigned char *tag; 135 size_t taglen; 136 /* Set to 1 if we are debugging decrypt and don't fake keys for MMA */ 137 int debug; 138 /* Set to 1 if we have no cert and need extra safety measures for MMA */ 139 int havenocert; 140 }; 141 142 struct CMS_RecipientInfo_st { 143 int type; 144 union { 145 CMS_KeyTransRecipientInfo *ktri; 146 CMS_KeyAgreeRecipientInfo *kari; 147 CMS_KEKRecipientInfo *kekri; 148 CMS_PasswordRecipientInfo *pwri; 149 CMS_OtherRecipientInfo *ori; 150 } d; 151 }; 152 153 typedef CMS_SignerIdentifier CMS_RecipientIdentifier; 154 155 struct CMS_KeyTransRecipientInfo_st { 156 int32_t version; 157 CMS_RecipientIdentifier *rid; 158 X509_ALGOR *keyEncryptionAlgorithm; 159 ASN1_OCTET_STRING *encryptedKey; 160 /* Recipient Key and cert */ 161 X509 *recip; 162 EVP_PKEY *pkey; 163 /* Public key context for this operation */ 164 EVP_PKEY_CTX *pctx; 165 const CMS_CTX *cms_ctx; 166 }; 167 168 struct CMS_KeyAgreeRecipientInfo_st { 169 int32_t version; 170 CMS_OriginatorIdentifierOrKey *originator; 171 ASN1_OCTET_STRING *ukm; 172 X509_ALGOR *keyEncryptionAlgorithm; 173 STACK_OF(CMS_RecipientEncryptedKey) *recipientEncryptedKeys; 174 /* Public key context associated with current operation */ 175 EVP_PKEY_CTX *pctx; 176 /* Cipher context for CEK wrapping */ 177 EVP_CIPHER_CTX *ctx; 178 const CMS_CTX *cms_ctx; 179 }; 180 181 struct CMS_OriginatorIdentifierOrKey_st { 182 int type; 183 union { 184 CMS_IssuerAndSerialNumber *issuerAndSerialNumber; 185 ASN1_OCTET_STRING *subjectKeyIdentifier; 186 CMS_OriginatorPublicKey *originatorKey; 187 } d; 188 }; 189 190 struct CMS_OriginatorPublicKey_st { 191 X509_ALGOR *algorithm; 192 ASN1_BIT_STRING *publicKey; 193 }; 194 195 struct CMS_RecipientEncryptedKey_st { 196 CMS_KeyAgreeRecipientIdentifier *rid; 197 ASN1_OCTET_STRING *encryptedKey; 198 /* Public key associated with this recipient */ 199 EVP_PKEY *pkey; 200 }; 201 202 struct CMS_KeyAgreeRecipientIdentifier_st { 203 int type; 204 union { 205 CMS_IssuerAndSerialNumber *issuerAndSerialNumber; 206 CMS_RecipientKeyIdentifier *rKeyId; 207 } d; 208 }; 209 210 struct CMS_RecipientKeyIdentifier_st { 211 ASN1_OCTET_STRING *subjectKeyIdentifier; 212 ASN1_GENERALIZEDTIME *date; 213 CMS_OtherKeyAttribute *other; 214 }; 215 216 struct CMS_KEKRecipientInfo_st { 217 int32_t version; 218 CMS_KEKIdentifier *kekid; 219 X509_ALGOR *keyEncryptionAlgorithm; 220 ASN1_OCTET_STRING *encryptedKey; 221 /* Extra info: symmetric key to use */ 222 unsigned char *key; 223 size_t keylen; 224 const CMS_CTX *cms_ctx; 225 }; 226 227 struct CMS_KEKIdentifier_st { 228 ASN1_OCTET_STRING *keyIdentifier; 229 ASN1_GENERALIZEDTIME *date; 230 CMS_OtherKeyAttribute *other; 231 }; 232 233 struct CMS_PasswordRecipientInfo_st { 234 int32_t version; 235 X509_ALGOR *keyDerivationAlgorithm; 236 X509_ALGOR *keyEncryptionAlgorithm; 237 ASN1_OCTET_STRING *encryptedKey; 238 /* Extra info: password to use */ 239 unsigned char *pass; 240 size_t passlen; 241 const CMS_CTX *cms_ctx; 242 }; 243 244 struct CMS_OtherRecipientInfo_st { 245 ASN1_OBJECT *oriType; 246 ASN1_TYPE *oriValue; 247 }; 248 249 struct CMS_DigestedData_st { 250 int32_t version; 251 X509_ALGOR *digestAlgorithm; 252 CMS_EncapsulatedContentInfo *encapContentInfo; 253 ASN1_OCTET_STRING *digest; 254 }; 255 256 struct CMS_EncryptedData_st { 257 int32_t version; 258 CMS_EncryptedContentInfo *encryptedContentInfo; 259 STACK_OF(X509_ATTRIBUTE) *unprotectedAttrs; 260 }; 261 262 struct CMS_AuthenticatedData_st { 263 int32_t version; 264 CMS_OriginatorInfo *originatorInfo; 265 STACK_OF(CMS_RecipientInfo) *recipientInfos; 266 X509_ALGOR *macAlgorithm; 267 X509_ALGOR *digestAlgorithm; 268 CMS_EncapsulatedContentInfo *encapContentInfo; 269 STACK_OF(X509_ATTRIBUTE) *authAttrs; 270 ASN1_OCTET_STRING *mac; 271 STACK_OF(X509_ATTRIBUTE) *unauthAttrs; 272 }; 273 274 struct CMS_AuthEnvelopedData_st { 275 int32_t version; 276 CMS_OriginatorInfo *originatorInfo; 277 STACK_OF(CMS_RecipientInfo) *recipientInfos; 278 CMS_EncryptedContentInfo *authEncryptedContentInfo; 279 STACK_OF(X509_ATTRIBUTE) *authAttrs; 280 ASN1_OCTET_STRING *mac; 281 STACK_OF(X509_ATTRIBUTE) *unauthAttrs; 282 }; 283 284 struct CMS_CompressedData_st { 285 int32_t version; 286 X509_ALGOR *compressionAlgorithm; 287 STACK_OF(CMS_RecipientInfo) *recipientInfos; 288 CMS_EncapsulatedContentInfo *encapContentInfo; 289 }; 290 291 struct CMS_RevocationInfoChoice_st { 292 int type; 293 union { 294 X509_CRL *crl; 295 CMS_OtherRevocationInfoFormat *other; 296 } d; 297 }; 298 299 # define CMS_REVCHOICE_CRL 0 300 # define CMS_REVCHOICE_OTHER 1 301 302 struct CMS_OtherRevocationInfoFormat_st { 303 ASN1_OBJECT *otherRevInfoFormat; 304 ASN1_TYPE *otherRevInfo; 305 }; 306 307 struct CMS_CertificateChoices { 308 int type; 309 union { 310 X509 *certificate; 311 ASN1_STRING *extendedCertificate; /* Obsolete */ 312 ASN1_STRING *v1AttrCert; /* Left encoded for now */ 313 ASN1_STRING *v2AttrCert; /* Left encoded for now */ 314 CMS_OtherCertificateFormat *other; 315 } d; 316 }; 317 318 # define CMS_CERTCHOICE_CERT 0 319 # define CMS_CERTCHOICE_EXCERT 1 320 # define CMS_CERTCHOICE_V1ACERT 2 321 # define CMS_CERTCHOICE_V2ACERT 3 322 # define CMS_CERTCHOICE_OTHER 4 323 324 struct CMS_OtherCertificateFormat_st { 325 ASN1_OBJECT *otherCertFormat; 326 ASN1_TYPE *otherCert; 327 }; 328 329 /* 330 * This is also defined in pkcs7.h but we duplicate it to allow the CMS code 331 * to be independent of PKCS#7 332 */ 333 334 struct CMS_IssuerAndSerialNumber_st { 335 X509_NAME *issuer; 336 ASN1_INTEGER *serialNumber; 337 }; 338 339 struct CMS_OtherKeyAttribute_st { 340 ASN1_OBJECT *keyAttrId; 341 ASN1_TYPE *keyAttr; 342 }; 343 344 /* ESS structures */ 345 346 struct CMS_ReceiptRequest_st { 347 ASN1_OCTET_STRING *signedContentIdentifier; 348 CMS_ReceiptsFrom *receiptsFrom; 349 STACK_OF(GENERAL_NAMES) *receiptsTo; 350 }; 351 352 struct CMS_ReceiptsFrom_st { 353 int type; 354 union { 355 int32_t allOrFirstTier; 356 STACK_OF(GENERAL_NAMES) *receiptList; 357 } d; 358 }; 359 360 struct CMS_Receipt_st { 361 int32_t version; 362 ASN1_OBJECT *contentType; 363 ASN1_OCTET_STRING *signedContentIdentifier; 364 ASN1_OCTET_STRING *originatorSignatureValue; 365 }; 366 367 DECLARE_ASN1_FUNCTIONS(CMS_ContentInfo) 368 DECLARE_ASN1_ITEM(CMS_SignerInfo) 369 DECLARE_ASN1_ITEM(CMS_EncryptedContentInfo) 370 DECLARE_ASN1_ITEM(CMS_IssuerAndSerialNumber) 371 DECLARE_ASN1_ITEM(CMS_Attributes_Sign) 372 DECLARE_ASN1_ITEM(CMS_Attributes_Verify) 373 DECLARE_ASN1_ITEM(CMS_RecipientInfo) 374 DECLARE_ASN1_ITEM(CMS_PasswordRecipientInfo) 375 DECLARE_ASN1_ALLOC_FUNCTIONS(CMS_IssuerAndSerialNumber) 376 377 # define CMS_SIGNERINFO_ISSUER_SERIAL 0 378 # define CMS_SIGNERINFO_KEYIDENTIFIER 1 379 380 # define CMS_RECIPINFO_ISSUER_SERIAL 0 381 # define CMS_RECIPINFO_KEYIDENTIFIER 1 382 383 # define CMS_REK_ISSUER_SERIAL 0 384 # define CMS_REK_KEYIDENTIFIER 1 385 386 # define CMS_OIK_ISSUER_SERIAL 0 387 # define CMS_OIK_KEYIDENTIFIER 1 388 # define CMS_OIK_PUBKEY 2 389 390 BIO *ossl_cms_content_bio(CMS_ContentInfo *cms); 391 const CMS_CTX *ossl_cms_get0_cmsctx(const CMS_ContentInfo *cms); 392 OSSL_LIB_CTX *ossl_cms_ctx_get0_libctx(const CMS_CTX *ctx); 393 const char *ossl_cms_ctx_get0_propq(const CMS_CTX *ctx); 394 void ossl_cms_resolve_libctx(CMS_ContentInfo *ci); 395 396 CMS_ContentInfo *ossl_cms_Data_create(OSSL_LIB_CTX *ctx, const char *propq); 397 int ossl_cms_DataFinal(CMS_ContentInfo *cms, BIO *cmsbio, 398 const unsigned char *precomp_md, 399 unsigned int precomp_mdlen); 400 401 CMS_ContentInfo *ossl_cms_DigestedData_create(const EVP_MD *md, 402 OSSL_LIB_CTX *libctx, 403 const char *propq); 404 BIO *ossl_cms_DigestedData_init_bio(const CMS_ContentInfo *cms); 405 int ossl_cms_DigestedData_do_final(const CMS_ContentInfo *cms, 406 BIO *chain, int verify); 407 408 BIO *ossl_cms_SignedData_init_bio(CMS_ContentInfo *cms); 409 int ossl_cms_SignedData_final(CMS_ContentInfo *cms, BIO *chain, 410 const unsigned char *precomp_md, 411 unsigned int precomp_mdlen); 412 int ossl_cms_set1_SignerIdentifier(CMS_SignerIdentifier *sid, X509 *cert, 413 int type, const CMS_CTX *ctx); 414 int ossl_cms_SignerIdentifier_get0_signer_id(CMS_SignerIdentifier *sid, 415 ASN1_OCTET_STRING **keyid, 416 X509_NAME **issuer, 417 ASN1_INTEGER **sno); 418 int ossl_cms_SignerIdentifier_cert_cmp(CMS_SignerIdentifier *sid, X509 *cert); 419 420 CMS_ContentInfo *ossl_cms_CompressedData_create(int comp_nid, 421 OSSL_LIB_CTX *libctx, 422 const char *propq); 423 BIO *ossl_cms_CompressedData_init_bio(const CMS_ContentInfo *cms); 424 425 BIO *ossl_cms_DigestAlgorithm_init_bio(X509_ALGOR *digestAlgorithm, 426 const CMS_CTX *ctx); 427 int ossl_cms_DigestAlgorithm_find_ctx(EVP_MD_CTX *mctx, BIO *chain, 428 X509_ALGOR *mdalg); 429 430 int ossl_cms_ias_cert_cmp(CMS_IssuerAndSerialNumber *ias, X509 *cert); 431 int ossl_cms_keyid_cert_cmp(ASN1_OCTET_STRING *keyid, X509 *cert); 432 int ossl_cms_set1_ias(CMS_IssuerAndSerialNumber **pias, X509 *cert); 433 int ossl_cms_set1_keyid(ASN1_OCTET_STRING **pkeyid, X509 *cert); 434 435 BIO *ossl_cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec, 436 const CMS_CTX *ctx); 437 BIO *ossl_cms_EncryptedData_init_bio(const CMS_ContentInfo *cms); 438 int ossl_cms_EncryptedContent_init(CMS_EncryptedContentInfo *ec, 439 const EVP_CIPHER *cipher, 440 const unsigned char *key, size_t keylen, 441 const CMS_CTX *ctx); 442 443 int ossl_cms_Receipt_verify(CMS_ContentInfo *cms, CMS_ContentInfo *req_cms); 444 int ossl_cms_msgSigDigest_add1(CMS_SignerInfo *dest, CMS_SignerInfo *src); 445 ASN1_OCTET_STRING *ossl_cms_encode_Receipt(CMS_SignerInfo *si); 446 447 BIO *ossl_cms_EnvelopedData_init_bio(CMS_ContentInfo *cms); 448 int ossl_cms_EnvelopedData_final(CMS_ContentInfo *cms, BIO *chain); 449 BIO *ossl_cms_AuthEnvelopedData_init_bio(CMS_ContentInfo *cms); 450 int ossl_cms_AuthEnvelopedData_final(CMS_ContentInfo *cms, BIO *cmsbio); 451 CMS_EnvelopedData *ossl_cms_get0_enveloped(CMS_ContentInfo *cms); 452 CMS_AuthEnvelopedData *ossl_cms_get0_auth_enveloped(CMS_ContentInfo *cms); 453 CMS_EncryptedContentInfo *ossl_cms_get0_env_enc_content(const CMS_ContentInfo *cms); 454 455 /* RecipientInfo routines */ 456 int ossl_cms_env_asn1_ctrl(CMS_RecipientInfo *ri, int cmd); 457 int ossl_cms_pkey_get_ri_type(EVP_PKEY *pk); 458 int ossl_cms_pkey_is_ri_type_supported(EVP_PKEY *pk, int ri_type); 459 460 void ossl_cms_RecipientInfos_set_cmsctx(CMS_ContentInfo *cms); 461 462 /* KARI routines */ 463 int ossl_cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri, X509 *recip, 464 EVP_PKEY *recipPubKey, X509 *originator, 465 EVP_PKEY *originatorPrivKey, 466 unsigned int flags, 467 const CMS_CTX *ctx); 468 int ossl_cms_RecipientInfo_kari_encrypt(const CMS_ContentInfo *cms, 469 CMS_RecipientInfo *ri); 470 471 /* PWRI routines */ 472 int ossl_cms_RecipientInfo_pwri_crypt(const CMS_ContentInfo *cms, 473 CMS_RecipientInfo *ri, int en_de); 474 /* SignerInfo routines */ 475 int ossl_cms_si_check_attributes(const CMS_SignerInfo *si); 476 void ossl_cms_SignerInfos_set_cmsctx(CMS_ContentInfo *cms); 477 478 479 /* ESS routines */ 480 int ossl_cms_check_signing_certs(const CMS_SignerInfo *si, 481 const STACK_OF(X509) *chain); 482 483 int ossl_cms_dh_envelope(CMS_RecipientInfo *ri, int decrypt); 484 int ossl_cms_ecdh_envelope(CMS_RecipientInfo *ri, int decrypt); 485 int ossl_cms_rsa_envelope(CMS_RecipientInfo *ri, int decrypt); 486 int ossl_cms_rsa_sign(CMS_SignerInfo *si, int verify); 487 488 DECLARE_ASN1_ITEM(CMS_CertificateChoices) 489 DECLARE_ASN1_ITEM(CMS_DigestedData) 490 DECLARE_ASN1_ITEM(CMS_EncryptedData) 491 DECLARE_ASN1_ITEM(CMS_EnvelopedData) 492 DECLARE_ASN1_ITEM(CMS_AuthEnvelopedData) 493 DECLARE_ASN1_ITEM(CMS_KEKRecipientInfo) 494 DECLARE_ASN1_ITEM(CMS_KeyAgreeRecipientInfo) 495 DECLARE_ASN1_ITEM(CMS_KeyTransRecipientInfo) 496 DECLARE_ASN1_ITEM(CMS_OriginatorPublicKey) 497 DECLARE_ASN1_ITEM(CMS_OtherKeyAttribute) 498 DECLARE_ASN1_ITEM(CMS_Receipt) 499 DECLARE_ASN1_ITEM(CMS_ReceiptRequest) 500 DECLARE_ASN1_ITEM(CMS_RecipientEncryptedKey) 501 DECLARE_ASN1_ITEM(CMS_RecipientKeyIdentifier) 502 DECLARE_ASN1_ITEM(CMS_RevocationInfoChoice) 503 DECLARE_ASN1_ITEM(CMS_SignedData) 504 DECLARE_ASN1_ITEM(CMS_CompressedData) 505 506 #endif 507
