xref: /freebsd/crypto/openssl/crypto/cms/cms_local.h (revision 6f1af0d7d2af54b339b5212434cd6d4fda628d80)
1 /*
2  * Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the Apache License 2.0 (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 
10 #ifndef OSSL_CRYPTO_CMS_LOCAL_H
11 # define OSSL_CRYPTO_CMS_LOCAL_H
12 
13 # include <openssl/x509.h>
14 
15 /*
16  * Cryptographic message syntax (CMS) structures: taken from RFC3852
17  */
18 
19 /* Forward references */
20 
21 typedef struct CMS_IssuerAndSerialNumber_st CMS_IssuerAndSerialNumber;
22 typedef struct CMS_EncapsulatedContentInfo_st CMS_EncapsulatedContentInfo;
23 typedef struct CMS_SignerIdentifier_st CMS_SignerIdentifier;
24 typedef struct CMS_SignedData_st CMS_SignedData;
25 typedef struct CMS_OtherRevocationInfoFormat_st CMS_OtherRevocationInfoFormat;
26 typedef struct CMS_OriginatorInfo_st CMS_OriginatorInfo;
27 typedef struct CMS_EncryptedContentInfo_st CMS_EncryptedContentInfo;
28 typedef struct CMS_EnvelopedData_st CMS_EnvelopedData;
29 typedef struct CMS_DigestedData_st CMS_DigestedData;
30 typedef struct CMS_EncryptedData_st CMS_EncryptedData;
31 typedef struct CMS_AuthenticatedData_st CMS_AuthenticatedData;
32 typedef struct CMS_AuthEnvelopedData_st CMS_AuthEnvelopedData;
33 typedef struct CMS_CompressedData_st CMS_CompressedData;
34 typedef struct CMS_OtherCertificateFormat_st CMS_OtherCertificateFormat;
35 typedef struct CMS_KeyTransRecipientInfo_st CMS_KeyTransRecipientInfo;
36 typedef struct CMS_OriginatorPublicKey_st CMS_OriginatorPublicKey;
37 typedef struct CMS_OriginatorIdentifierOrKey_st CMS_OriginatorIdentifierOrKey;
38 typedef struct CMS_KeyAgreeRecipientInfo_st CMS_KeyAgreeRecipientInfo;
39 typedef struct CMS_RecipientKeyIdentifier_st CMS_RecipientKeyIdentifier;
40 typedef struct CMS_KeyAgreeRecipientIdentifier_st
41     CMS_KeyAgreeRecipientIdentifier;
42 typedef struct CMS_KEKIdentifier_st CMS_KEKIdentifier;
43 typedef struct CMS_KEKRecipientInfo_st CMS_KEKRecipientInfo;
44 typedef struct CMS_PasswordRecipientInfo_st CMS_PasswordRecipientInfo;
45 typedef struct CMS_OtherRecipientInfo_st CMS_OtherRecipientInfo;
46 typedef struct CMS_ReceiptsFrom_st CMS_ReceiptsFrom;
47 typedef struct CMS_CTX_st CMS_CTX;
48 
49 struct CMS_CTX_st {
50     OSSL_LIB_CTX *libctx;
51     char *propq;
52 };
53 
54 struct CMS_ContentInfo_st {
55     ASN1_OBJECT *contentType;
56     union {
57         ASN1_OCTET_STRING *data;
58         CMS_SignedData *signedData;
59         CMS_EnvelopedData *envelopedData;
60         CMS_DigestedData *digestedData;
61         CMS_EncryptedData *encryptedData;
62         CMS_AuthEnvelopedData *authEnvelopedData;
63         CMS_AuthenticatedData *authenticatedData;
64         CMS_CompressedData *compressedData;
65         ASN1_TYPE *other;
66         /* Other types ... */
67         void *otherData;
68     } d;
69     CMS_CTX ctx;
70 };
71 
72 DEFINE_STACK_OF(CMS_CertificateChoices)
73 
74 struct CMS_SignedData_st {
75     int32_t version;
76     STACK_OF(X509_ALGOR) *digestAlgorithms;
77     CMS_EncapsulatedContentInfo *encapContentInfo;
78     STACK_OF(CMS_CertificateChoices) *certificates;
79     STACK_OF(CMS_RevocationInfoChoice) *crls;
80     STACK_OF(CMS_SignerInfo) *signerInfos;
81 };
82 
83 struct CMS_EncapsulatedContentInfo_st {
84     ASN1_OBJECT *eContentType;
85     ASN1_OCTET_STRING *eContent;
86     /* Set to 1 if incomplete structure only part set up */
87     int partial;
88 };
89 
90 struct CMS_SignerInfo_st {
91     int32_t version;
92     CMS_SignerIdentifier *sid;
93     X509_ALGOR *digestAlgorithm;
94     STACK_OF(X509_ATTRIBUTE) *signedAttrs;
95     X509_ALGOR *signatureAlgorithm;
96     ASN1_OCTET_STRING *signature;
97     STACK_OF(X509_ATTRIBUTE) *unsignedAttrs;
98     /* Signing certificate and key */
99     X509 *signer;
100     EVP_PKEY *pkey;
101     /* Digest and public key context for alternative parameters */
102     EVP_MD_CTX *mctx;
103     EVP_PKEY_CTX *pctx;
104     const CMS_CTX *cms_ctx;
105 };
106 
107 struct CMS_SignerIdentifier_st {
108     int type;
109     union {
110         CMS_IssuerAndSerialNumber *issuerAndSerialNumber;
111         ASN1_OCTET_STRING *subjectKeyIdentifier;
112     } d;
113 };
114 
115 struct CMS_EnvelopedData_st {
116     int32_t version;
117     CMS_OriginatorInfo *originatorInfo;
118     STACK_OF(CMS_RecipientInfo) *recipientInfos;
119     CMS_EncryptedContentInfo *encryptedContentInfo;
120     STACK_OF(X509_ATTRIBUTE) *unprotectedAttrs;
121 };
122 
123 struct CMS_OriginatorInfo_st {
124     STACK_OF(CMS_CertificateChoices) *certificates;
125     STACK_OF(CMS_RevocationInfoChoice) *crls;
126 };
127 
128 struct CMS_EncryptedContentInfo_st {
129     ASN1_OBJECT *contentType;
130     X509_ALGOR *contentEncryptionAlgorithm;
131     ASN1_OCTET_STRING *encryptedContent;
132     /* Content encryption algorithm, key and tag */
133     const EVP_CIPHER *cipher;
134     unsigned char *key;
135     size_t keylen;
136     unsigned char *tag;
137     size_t taglen;
138     /* Set to 1 if we are debugging decrypt and don't fake keys for MMA */
139     int debug;
140     /* Set to 1 if we have no cert and need extra safety measures for MMA */
141     int havenocert;
142 };
143 
144 struct CMS_RecipientInfo_st {
145     int type;
146     union {
147         CMS_KeyTransRecipientInfo *ktri;
148         CMS_KeyAgreeRecipientInfo *kari;
149         CMS_KEKRecipientInfo *kekri;
150         CMS_PasswordRecipientInfo *pwri;
151         CMS_OtherRecipientInfo *ori;
152     } d;
153 };
154 
155 typedef CMS_SignerIdentifier CMS_RecipientIdentifier;
156 
157 struct CMS_KeyTransRecipientInfo_st {
158     int32_t version;
159     CMS_RecipientIdentifier *rid;
160     X509_ALGOR *keyEncryptionAlgorithm;
161     ASN1_OCTET_STRING *encryptedKey;
162     /* Recipient Key and cert */
163     X509 *recip;
164     EVP_PKEY *pkey;
165     /* Public key context for this operation */
166     EVP_PKEY_CTX *pctx;
167     const CMS_CTX *cms_ctx;
168 };
169 
170 struct CMS_KeyAgreeRecipientInfo_st {
171     int32_t version;
172     CMS_OriginatorIdentifierOrKey *originator;
173     ASN1_OCTET_STRING *ukm;
174     X509_ALGOR *keyEncryptionAlgorithm;
175     STACK_OF(CMS_RecipientEncryptedKey) *recipientEncryptedKeys;
176     /* Public key context associated with current operation */
177     EVP_PKEY_CTX *pctx;
178     /* Cipher context for CEK wrapping */
179     EVP_CIPHER_CTX *ctx;
180     const CMS_CTX *cms_ctx;
181 };
182 
183 struct CMS_OriginatorIdentifierOrKey_st {
184     int type;
185     union {
186         CMS_IssuerAndSerialNumber *issuerAndSerialNumber;
187         ASN1_OCTET_STRING *subjectKeyIdentifier;
188         CMS_OriginatorPublicKey *originatorKey;
189     } d;
190 };
191 
192 struct CMS_OriginatorPublicKey_st {
193     X509_ALGOR *algorithm;
194     ASN1_BIT_STRING *publicKey;
195 };
196 
197 struct CMS_RecipientEncryptedKey_st {
198     CMS_KeyAgreeRecipientIdentifier *rid;
199     ASN1_OCTET_STRING *encryptedKey;
200     /* Public key associated with this recipient */
201     EVP_PKEY *pkey;
202 };
203 
204 struct CMS_KeyAgreeRecipientIdentifier_st {
205     int type;
206     union {
207         CMS_IssuerAndSerialNumber *issuerAndSerialNumber;
208         CMS_RecipientKeyIdentifier *rKeyId;
209     } d;
210 };
211 
212 struct CMS_RecipientKeyIdentifier_st {
213     ASN1_OCTET_STRING *subjectKeyIdentifier;
214     ASN1_GENERALIZEDTIME *date;
215     CMS_OtherKeyAttribute *other;
216 };
217 
218 struct CMS_KEKRecipientInfo_st {
219     int32_t version;
220     CMS_KEKIdentifier *kekid;
221     X509_ALGOR *keyEncryptionAlgorithm;
222     ASN1_OCTET_STRING *encryptedKey;
223     /* Extra info: symmetric key to use */
224     unsigned char *key;
225     size_t keylen;
226     const CMS_CTX *cms_ctx;
227 };
228 
229 struct CMS_KEKIdentifier_st {
230     ASN1_OCTET_STRING *keyIdentifier;
231     ASN1_GENERALIZEDTIME *date;
232     CMS_OtherKeyAttribute *other;
233 };
234 
235 struct CMS_PasswordRecipientInfo_st {
236     int32_t version;
237     X509_ALGOR *keyDerivationAlgorithm;
238     X509_ALGOR *keyEncryptionAlgorithm;
239     ASN1_OCTET_STRING *encryptedKey;
240     /* Extra info: password to use */
241     unsigned char *pass;
242     size_t passlen;
243     const CMS_CTX *cms_ctx;
244 };
245 
246 struct CMS_OtherRecipientInfo_st {
247     ASN1_OBJECT *oriType;
248     ASN1_TYPE *oriValue;
249 };
250 
251 struct CMS_DigestedData_st {
252     int32_t version;
253     X509_ALGOR *digestAlgorithm;
254     CMS_EncapsulatedContentInfo *encapContentInfo;
255     ASN1_OCTET_STRING *digest;
256 };
257 
258 struct CMS_EncryptedData_st {
259     int32_t version;
260     CMS_EncryptedContentInfo *encryptedContentInfo;
261     STACK_OF(X509_ATTRIBUTE) *unprotectedAttrs;
262 };
263 
264 struct CMS_AuthenticatedData_st {
265     int32_t version;
266     CMS_OriginatorInfo *originatorInfo;
267     STACK_OF(CMS_RecipientInfo) *recipientInfos;
268     X509_ALGOR *macAlgorithm;
269     X509_ALGOR *digestAlgorithm;
270     CMS_EncapsulatedContentInfo *encapContentInfo;
271     STACK_OF(X509_ATTRIBUTE) *authAttrs;
272     ASN1_OCTET_STRING *mac;
273     STACK_OF(X509_ATTRIBUTE) *unauthAttrs;
274 };
275 
276 struct CMS_AuthEnvelopedData_st {
277     int32_t version;
278     CMS_OriginatorInfo *originatorInfo;
279     STACK_OF(CMS_RecipientInfo) *recipientInfos;
280     CMS_EncryptedContentInfo *authEncryptedContentInfo;
281     STACK_OF(X509_ATTRIBUTE) *authAttrs;
282     ASN1_OCTET_STRING *mac;
283     STACK_OF(X509_ATTRIBUTE) *unauthAttrs;
284 };
285 
286 struct CMS_CompressedData_st {
287     int32_t version;
288     X509_ALGOR *compressionAlgorithm;
289     STACK_OF(CMS_RecipientInfo) *recipientInfos;
290     CMS_EncapsulatedContentInfo *encapContentInfo;
291 };
292 
293 struct CMS_RevocationInfoChoice_st {
294     int type;
295     union {
296         X509_CRL *crl;
297         CMS_OtherRevocationInfoFormat *other;
298     } d;
299 };
300 
301 # define CMS_REVCHOICE_CRL               0
302 # define CMS_REVCHOICE_OTHER             1
303 
304 struct CMS_OtherRevocationInfoFormat_st {
305     ASN1_OBJECT *otherRevInfoFormat;
306     ASN1_TYPE *otherRevInfo;
307 };
308 
309 struct CMS_CertificateChoices {
310     int type;
311     union {
312         X509 *certificate;
313         ASN1_STRING *extendedCertificate; /* Obsolete */
314         ASN1_STRING *v1AttrCert; /* Left encoded for now */
315         ASN1_STRING *v2AttrCert; /* Left encoded for now */
316         CMS_OtherCertificateFormat *other;
317     } d;
318 };
319 
320 # define CMS_CERTCHOICE_CERT             0
321 # define CMS_CERTCHOICE_EXCERT           1
322 # define CMS_CERTCHOICE_V1ACERT          2
323 # define CMS_CERTCHOICE_V2ACERT          3
324 # define CMS_CERTCHOICE_OTHER            4
325 
326 struct CMS_OtherCertificateFormat_st {
327     ASN1_OBJECT *otherCertFormat;
328     ASN1_TYPE *otherCert;
329 };
330 
331 /*
332  * This is also defined in pkcs7.h but we duplicate it to allow the CMS code
333  * to be independent of PKCS#7
334  */
335 
336 struct CMS_IssuerAndSerialNumber_st {
337     X509_NAME *issuer;
338     ASN1_INTEGER *serialNumber;
339 };
340 
341 struct CMS_OtherKeyAttribute_st {
342     ASN1_OBJECT *keyAttrId;
343     ASN1_TYPE *keyAttr;
344 };
345 
346 /* ESS structures */
347 
348 struct CMS_ReceiptRequest_st {
349     ASN1_OCTET_STRING *signedContentIdentifier;
350     CMS_ReceiptsFrom *receiptsFrom;
351     STACK_OF(GENERAL_NAMES) *receiptsTo;
352 };
353 
354 struct CMS_ReceiptsFrom_st {
355     int type;
356     union {
357         int32_t allOrFirstTier;
358         STACK_OF(GENERAL_NAMES) *receiptList;
359     } d;
360 };
361 
362 struct CMS_Receipt_st {
363     int32_t version;
364     ASN1_OBJECT *contentType;
365     ASN1_OCTET_STRING *signedContentIdentifier;
366     ASN1_OCTET_STRING *originatorSignatureValue;
367 };
368 
369 DECLARE_ASN1_FUNCTIONS(CMS_ContentInfo)
370 DECLARE_ASN1_ITEM(CMS_SignerInfo)
371 DECLARE_ASN1_ITEM(CMS_IssuerAndSerialNumber)
372 DECLARE_ASN1_ITEM(CMS_Attributes_Sign)
373 DECLARE_ASN1_ITEM(CMS_Attributes_Verify)
374 DECLARE_ASN1_ITEM(CMS_RecipientInfo)
375 DECLARE_ASN1_ITEM(CMS_PasswordRecipientInfo)
376 DECLARE_ASN1_ALLOC_FUNCTIONS(CMS_IssuerAndSerialNumber)
377 
378 # define CMS_SIGNERINFO_ISSUER_SERIAL    0
379 # define CMS_SIGNERINFO_KEYIDENTIFIER    1
380 
381 # define CMS_RECIPINFO_ISSUER_SERIAL     0
382 # define CMS_RECIPINFO_KEYIDENTIFIER     1
383 
384 # define CMS_REK_ISSUER_SERIAL           0
385 # define CMS_REK_KEYIDENTIFIER           1
386 
387 # define CMS_OIK_ISSUER_SERIAL           0
388 # define CMS_OIK_KEYIDENTIFIER           1
389 # define CMS_OIK_PUBKEY                  2
390 
391 BIO *ossl_cms_content_bio(CMS_ContentInfo *cms);
392 const CMS_CTX *ossl_cms_get0_cmsctx(const CMS_ContentInfo *cms);
393 OSSL_LIB_CTX *ossl_cms_ctx_get0_libctx(const CMS_CTX *ctx);
394 const char *ossl_cms_ctx_get0_propq(const CMS_CTX *ctx);
395 void ossl_cms_resolve_libctx(CMS_ContentInfo *ci);
396 
397 CMS_ContentInfo *ossl_cms_Data_create(OSSL_LIB_CTX *ctx, const char *propq);
398 
399 CMS_ContentInfo *ossl_cms_DigestedData_create(const EVP_MD *md,
400                                               OSSL_LIB_CTX *libctx,
401                                               const char *propq);
402 BIO *ossl_cms_DigestedData_init_bio(const CMS_ContentInfo *cms);
403 int ossl_cms_DigestedData_do_final(const CMS_ContentInfo *cms,
404                                    BIO *chain, int verify);
405 
406 BIO *ossl_cms_SignedData_init_bio(CMS_ContentInfo *cms);
407 int ossl_cms_SignedData_final(CMS_ContentInfo *cms, BIO *chain);
408 int ossl_cms_set1_SignerIdentifier(CMS_SignerIdentifier *sid, X509 *cert,
409                                    int type, const CMS_CTX *ctx);
410 int ossl_cms_SignerIdentifier_get0_signer_id(CMS_SignerIdentifier *sid,
411                                              ASN1_OCTET_STRING **keyid,
412                                              X509_NAME **issuer,
413                                              ASN1_INTEGER **sno);
414 int ossl_cms_SignerIdentifier_cert_cmp(CMS_SignerIdentifier *sid, X509 *cert);
415 
416 CMS_ContentInfo *ossl_cms_CompressedData_create(int comp_nid,
417                                                 OSSL_LIB_CTX *libctx,
418                                                 const char *propq);
419 BIO *ossl_cms_CompressedData_init_bio(const CMS_ContentInfo *cms);
420 
421 BIO *ossl_cms_DigestAlgorithm_init_bio(X509_ALGOR *digestAlgorithm,
422                                        const CMS_CTX *ctx);
423 int ossl_cms_DigestAlgorithm_find_ctx(EVP_MD_CTX *mctx, BIO *chain,
424                                       X509_ALGOR *mdalg);
425 
426 int ossl_cms_ias_cert_cmp(CMS_IssuerAndSerialNumber *ias, X509 *cert);
427 int ossl_cms_keyid_cert_cmp(ASN1_OCTET_STRING *keyid, X509 *cert);
428 int ossl_cms_set1_ias(CMS_IssuerAndSerialNumber **pias, X509 *cert);
429 int ossl_cms_set1_keyid(ASN1_OCTET_STRING **pkeyid, X509 *cert);
430 
431 BIO *ossl_cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec,
432                                         const CMS_CTX *ctx);
433 BIO *ossl_cms_EncryptedData_init_bio(const CMS_ContentInfo *cms);
434 int ossl_cms_EncryptedContent_init(CMS_EncryptedContentInfo *ec,
435                                    const EVP_CIPHER *cipher,
436                                    const unsigned char *key, size_t keylen,
437                                    const CMS_CTX *ctx);
438 
439 int ossl_cms_Receipt_verify(CMS_ContentInfo *cms, CMS_ContentInfo *req_cms);
440 int ossl_cms_msgSigDigest_add1(CMS_SignerInfo *dest, CMS_SignerInfo *src);
441 ASN1_OCTET_STRING *ossl_cms_encode_Receipt(CMS_SignerInfo *si);
442 
443 BIO *ossl_cms_EnvelopedData_init_bio(CMS_ContentInfo *cms);
444 int ossl_cms_EnvelopedData_final(CMS_ContentInfo *cms, BIO *chain);
445 BIO *ossl_cms_AuthEnvelopedData_init_bio(CMS_ContentInfo *cms);
446 int ossl_cms_AuthEnvelopedData_final(CMS_ContentInfo *cms, BIO *cmsbio);
447 void ossl_cms_env_enc_content_free(const CMS_ContentInfo *cinf);
448 CMS_EnvelopedData *ossl_cms_get0_enveloped(CMS_ContentInfo *cms);
449 CMS_AuthEnvelopedData *ossl_cms_get0_auth_enveloped(CMS_ContentInfo *cms);
450 CMS_EncryptedContentInfo *ossl_cms_get0_env_enc_content(const CMS_ContentInfo *cms);
451 
452 /* RecipientInfo routines */
453 int ossl_cms_env_asn1_ctrl(CMS_RecipientInfo *ri, int cmd);
454 int ossl_cms_pkey_get_ri_type(EVP_PKEY *pk);
455 int ossl_cms_pkey_is_ri_type_supported(EVP_PKEY *pk, int ri_type);
456 
457 void ossl_cms_RecipientInfos_set_cmsctx(CMS_ContentInfo *cms);
458 
459 /* KARI routines */
460 int ossl_cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri, X509 *recip,
461                                      EVP_PKEY *recipPubKey, X509 *originator,
462                                      EVP_PKEY *originatorPrivKey,
463                                      unsigned int flags,
464                                      const CMS_CTX *ctx);
465 int ossl_cms_RecipientInfo_kari_encrypt(const CMS_ContentInfo *cms,
466                                         CMS_RecipientInfo *ri);
467 
468 /* PWRI routines */
469 int ossl_cms_RecipientInfo_pwri_crypt(const CMS_ContentInfo *cms,
470                                       CMS_RecipientInfo *ri, int en_de);
471 /* SignerInfo routines */
472 int ossl_cms_si_check_attributes(const CMS_SignerInfo *si);
473 void ossl_cms_SignerInfos_set_cmsctx(CMS_ContentInfo *cms);
474 
475 
476 /* ESS routines */
477 int ossl_cms_check_signing_certs(const CMS_SignerInfo *si,
478                                  const STACK_OF(X509) *chain);
479 
480 int ossl_cms_dh_envelope(CMS_RecipientInfo *ri, int decrypt);
481 int ossl_cms_ecdh_envelope(CMS_RecipientInfo *ri, int decrypt);
482 int ossl_cms_rsa_envelope(CMS_RecipientInfo *ri, int decrypt);
483 int ossl_cms_ecdsa_dsa_sign(CMS_SignerInfo *si, int verify);
484 int ossl_cms_rsa_sign(CMS_SignerInfo *si, int verify);
485 
486 DECLARE_ASN1_ITEM(CMS_CertificateChoices)
487 DECLARE_ASN1_ITEM(CMS_DigestedData)
488 DECLARE_ASN1_ITEM(CMS_EncryptedData)
489 DECLARE_ASN1_ITEM(CMS_EnvelopedData)
490 DECLARE_ASN1_ITEM(CMS_AuthEnvelopedData)
491 DECLARE_ASN1_ITEM(CMS_KEKRecipientInfo)
492 DECLARE_ASN1_ITEM(CMS_KeyAgreeRecipientInfo)
493 DECLARE_ASN1_ITEM(CMS_KeyTransRecipientInfo)
494 DECLARE_ASN1_ITEM(CMS_OriginatorPublicKey)
495 DECLARE_ASN1_ITEM(CMS_OtherKeyAttribute)
496 DECLARE_ASN1_ITEM(CMS_Receipt)
497 DECLARE_ASN1_ITEM(CMS_ReceiptRequest)
498 DECLARE_ASN1_ITEM(CMS_RecipientEncryptedKey)
499 DECLARE_ASN1_ITEM(CMS_RecipientKeyIdentifier)
500 DECLARE_ASN1_ITEM(CMS_RevocationInfoChoice)
501 DECLARE_ASN1_ITEM(CMS_SignedData)
502 DECLARE_ASN1_ITEM(CMS_CompressedData)
503 
504 #endif
505