GitBucket
Newer
// Copyright (c) 2014, Google Inc.
// SPDX-License-Identifier: ISC
#ifndef OPENSSL_HEADER_PKCS7_H
#define OPENSSL_HEADER_PKCS7_H
#include <openssl/asn1.h>
#include <openssl/base.h>
#include <openssl/stack.h>
#if defined(__cplusplus)
extern "C" {
#endif
// PKCS#7.
//
// This library contains functions for extracting information from PKCS#7
// structures (RFC 2315).
DECLARE_STACK_OF(CRYPTO_BUFFER)
DECLARE_STACK_OF(X509)
DECLARE_STACK_OF(X509_CRL)
// PKCS7_get_raw_certificates parses a PKCS#7, SignedData structure from |cbs|
// and appends the included certificates to |out_certs|. It returns one on
// success and zero on error. |cbs| is advanced passed the structure.
//
// Note that a SignedData structure may contain no certificates, in which case
// this function succeeds but does not append any certificates. Additionally,
// certificates in SignedData structures are unordered. Callers should not
// assume a particular order in |*out_certs| and may need to search for matches
// or run path-building algorithms.
OPENSSL_EXPORT int PKCS7_get_raw_certificates(
STACK_OF(CRYPTO_BUFFER) *out_certs, CBS *cbs, CRYPTO_BUFFER_POOL *pool);
// PKCS7_get_certificates behaves like |PKCS7_get_raw_certificates| but parses
// them into |X509| objects.
OPENSSL_EXPORT int PKCS7_get_certificates(STACK_OF(X509) *out_certs, CBS *cbs);
// PKCS7_bundle_raw_certificates appends a PKCS#7, SignedData structure
// containing |certs| to |out|. It returns one on success and zero on error.
// Note that certificates in SignedData structures are unordered. The order in
// |certs| will not be preserved.
OPENSSL_EXPORT int PKCS7_bundle_raw_certificates(
CBB *out, const STACK_OF(CRYPTO_BUFFER) *certs);
// PKCS7_bundle_certificates behaves like |PKCS7_bundle_raw_certificates| but
// takes |X509| objects as input.
OPENSSL_EXPORT int PKCS7_bundle_certificates(CBB *out,
const STACK_OF(X509) *certs);
// PKCS7_get_CRLs parses a PKCS#7, SignedData structure from |cbs| and appends
// the included CRLs to |out_crls|. It returns one on success and zero on error.
// |cbs| is advanced passed the structure.
//
// Note that a SignedData structure may contain no CRLs, in which case this
// function succeeds but does not append any CRLs. Additionally, CRLs in
// SignedData structures are unordered. Callers should not assume an order in
// |*out_crls| and may need to search for matches.
OPENSSL_EXPORT int PKCS7_get_CRLs(STACK_OF(X509_CRL) *out_crls, CBS *cbs);
// PKCS7_bundle_CRLs appends a PKCS#7, SignedData structure containing
// |crls| to |out|. It returns one on success and zero on error. Note that CRLs
// in SignedData structures are unordered. The order in |crls| will not be
// preserved.
OPENSSL_EXPORT int PKCS7_bundle_CRLs(CBB *out, const STACK_OF(X509_CRL) *crls);
// PKCS7_get_PEM_certificates reads a PEM-encoded, PKCS#7, SignedData structure
// from |pem_bio| and appends the included certificates to |out_certs|. It
// returns one on success and zero on error.
//
// Note that a SignedData structure may contain no certificates, in which case
// this function succeeds but does not append any certificates. Additionally,
// certificates in SignedData structures are unordered. Callers should not
// assume a particular order in |*out_certs| and may need to search for matches
// or run path-building algorithms.
OPENSSL_EXPORT int PKCS7_get_PEM_certificates(STACK_OF(X509) *out_certs,
BIO *pem_bio);
// PKCS7_get_PEM_CRLs reads a PEM-encoded, PKCS#7, SignedData structure from
// |pem_bio| and appends the included CRLs to |out_crls|. It returns one on
// success and zero on error.
//
// Note that a SignedData structure may contain no CRLs, in which case this
// function succeeds but does not append any CRLs. Additionally, CRLs in
// SignedData structures are unordered. Callers should not assume an order in
// |*out_crls| and may need to search for matches.
OPENSSL_EXPORT int PKCS7_get_PEM_CRLs(STACK_OF(X509_CRL) *out_crls,
BIO *pem_bio);
// d2i_PKCS7_bio behaves like |d2i_PKCS7| but reads the input from |bio|. If
// the length of the object is indefinite the full contents of |bio| are read.
//
// If the function fails then some unknown amount of data may have been read
// from |bio|.
OPENSSL_EXPORT PKCS7 *d2i_PKCS7_bio(BIO *bio, PKCS7 **out);
// i2d_PKCS7_bio writes |p7| to |bio|. It returns one on success and zero on
// error.
OPENSSL_EXPORT int i2d_PKCS7_bio(BIO *bio, const PKCS7 *p7);
// PKCS7_type_is_data returns 1 if |p7| is of type data
OPENSSL_EXPORT int PKCS7_type_is_data(const PKCS7 *p7);
// PKCS7_type_is_digest returns 1 if |p7| is of type digest
OPENSSL_EXPORT int PKCS7_type_is_digest(const PKCS7 *p7);
// PKCS7_type_is_encrypted returns 1 if |p7| is of type encrypted
OPENSSL_EXPORT int PKCS7_type_is_encrypted(const PKCS7 *p7);
// PKCS7_type_is_enveloped returns 1 if |p7| is of type enveloped
OPENSSL_EXPORT int PKCS7_type_is_enveloped(const PKCS7 *p7);
// PKCS7_type_is_signed returns 1 if |p7| is of type signed
OPENSSL_EXPORT int PKCS7_type_is_signed(const PKCS7 *p7);
// PKCS7_type_is_signedAndEnveloped returns 1 if |p7| is of type
// signedAndEnveloped
OPENSSL_EXPORT int PKCS7_type_is_signedAndEnveloped(const PKCS7 *p7);
// Deprecated functions.
//
// These functions are a compatibility layer over a subset of OpenSSL's PKCS#7
// API. It intentionally does not implement the whole thing, only the minimum
// needed to build cryptography.io and CRuby.
// ASN.1 defined here https://datatracker.ietf.org/doc/html/rfc2315#section-7
//
// ContentInfo ::= SEQUENCE {
// contentType ContentType,
// content
// [0] EXPLICIT ANY DEFINED BY contentType OPTIONAL }
//
// ContentType ::= OBJECT IDENTIFIER
struct pkcs7_st {
// Unlike OpenSSL, the following fields are immutable. They filled in when the
// object is parsed and ignored in serialization.
ASN1_OBJECT *type;
union {
char *ptr;
ASN1_OCTET_STRING *data;
PKCS7_SIGNED *sign;
PKCS7_ENVELOPE *enveloped;
PKCS7_SIGN_ENVELOPE *signed_and_enveloped;
PKCS7_DIGEST *digest;
PKCS7_ENCRYPT *encrypted;
// Other things provided by the user. Not specified in the RFC.
ASN1_TYPE *other;
} d;
};
// ASN.1 defined here https://datatracker.ietf.org/doc/html/rfc2315#section-9.1
//
// SignedData ::= SEQUENCE {
// version Version,
// digestAlgorithms DigestAlgorithmIdentifiers,
// contentInfo ContentInfo,
// certificates
// [0] IMPLICIT ExtendedCertificatesAndCertificates
// OPTIONAL,
// crls
// [1] IMPLICIT CertificateRevocationLists OPTIONAL,
// signerInfos SignerInfos }
//
// DigestAlgorithmIdentifiers ::=
//
// SET OF DigestAlgorithmIdentifier
//
// SignerInfos ::= SET OF SignerInfo
struct pkcs7_signed_st {
ASN1_INTEGER *version;
STACK_OF(X509_ALGOR) *md_algs;
PKCS7 *contents;
STACK_OF(X509) *cert;
STACK_OF(X509_CRL) *crl;
STACK_OF(PKCS7_SIGNER_INFO) *signer_info;
};
// ASN.1 defined here https://datatracker.ietf.org/doc/html/rfc2315#section-9.2
//
// SignerInfo ::= SEQUENCE {
// version Version,
// issuerAndSerialNumber IssuerAndSerialNumber,
// digestAlgorithm DigestAlgorithmIdentifier,
// authenticatedAttributes
// [0] IMPLICIT Attributes OPTIONAL,
// digestEncryptionAlgorithm
// DigestEncryptionAlgorithmIdentifier,
// encryptedDigest EncryptedDigest,
// unauthenticatedAttributes
// [1] IMPLICIT Attributes OPTIONAL }
//
// EncryptedDigest ::= OCTET STRING
struct pkcs7_signer_info_st {
ASN1_INTEGER *version;
PKCS7_ISSUER_AND_SERIAL *issuer_and_serial;
X509_ALGOR *digest_alg;
STACK_OF(X509_ATTRIBUTE) *auth_attr;
X509_ALGOR *digest_enc_alg;
ASN1_OCTET_STRING *enc_digest;
STACK_OF(X509_ATTRIBUTE) *unauth_attr;
EVP_PKEY *pkey; // NOTE: |pkey| is not serialized.
};
// ASN.1 defined here https://datatracker.ietf.org/doc/html/rfc2315#section-11.1
//
// SignedAndEnvelopedData ::= SEQUENCE {
// version Version,
// recipientInfos RecipientInfos,
// digestAlgorithms DigestAlgorithmIdentifiers,
// encryptedContentInfo EncryptedContentInfo,
// certificates
// [0] IMPLICIT ExtendedCertificatesAndCertificates
// OPTIONAL,
// crls
// [1] IMPLICIT CertificateRevocationLists OPTIONAL,
// signerInfos SignerInfos }
struct pkcs7_sign_envelope_st {
ASN1_INTEGER *version;
STACK_OF(PKCS7_RECIP_INFO) *recipientinfo;
STACK_OF(X509_ALGOR) *md_algs;
PKCS7_ENC_CONTENT *enc_data;
STACK_OF(X509) *cert;
STACK_OF(X509_CRL) *crl;
STACK_OF(PKCS7_SIGNER_INFO) *signer_info;
};
// ASN.1 defined here https://datatracker.ietf.org/doc/html/rfc2315#section-10.1
//
// EnvelopedData ::= SEQUENCE {
// version Version,
// recipientInfos RecipientInfos,
// encryptedContentInfo EncryptedContentInfo }
//
// RecipientInfos ::= SET OF RecipientInfo
struct pkcs7_envelope_st {
ASN1_INTEGER *version;
PKCS7_ENC_CONTENT *enc_data;
STACK_OF(PKCS7_RECIP_INFO) *recipientinfo;
};
// ASN.1 defined here https://datatracker.ietf.org/doc/html/rfc2315#section-10.2
//
// RecipientInfo ::= SEQUENCE {
// version Version,
// issuerAndSerialNumber IssuerAndSerialNumber,
// keyEncryptionAlgorithm
//
// KeyEncryptionAlgorithmIdentifier,
// encryptedKey EncryptedKey }
//
// EncryptedKey ::= OCTET STRING
struct pkcs7_recip_info_st {
ASN1_INTEGER *version;
PKCS7_ISSUER_AND_SERIAL *issuer_and_serial;
X509_ALGOR *key_enc_algor;
ASN1_OCTET_STRING *enc_key;
X509 *cert; // NOTE: |cert| is not serialized
};
// ASN.1 defined here https://datatracker.ietf.org/doc/html/rfc2315#section-6.7
//
// IssuerAndSerialNumber ::= SEQUENCE {
// issuer Name,
// serialNumber CertificateSerialNumber }
struct pkcs7_issuer_and_serial_st {
X509_NAME *issuer;
ASN1_INTEGER *serial;
};
// Only declare ASN1 functions or define stacks publibly if needed by supported
// projects that depend on them.
DECLARE_ASN1_FUNCTIONS(PKCS7)
DECLARE_ASN1_FUNCTIONS(PKCS7_RECIP_INFO)
DECLARE_ASN1_FUNCTIONS(PKCS7_SIGNER_INFO)
DEFINE_STACK_OF(PKCS7_RECIP_INFO)
DEFINE_STACK_OF(PKCS7_SIGNER_INFO)
// PKCS7_dup returns a newly allocated copy of |p7| without deep-copying
// internal references.
OPENSSL_EXPORT OPENSSL_DEPRECATED PKCS7 *PKCS7_dup(PKCS7 *p7);
// PKCS7_get_signed_attribute returns a pointer to the first signed attribute
// from |si| with NID |nid| if one is present, else NULL.
OPENSSL_EXPORT OPENSSL_DEPRECATED ASN1_TYPE *PKCS7_get_signed_attribute(
const PKCS7_SIGNER_INFO *si, int nid);
// PKCS7_get_signer_info returns |p7|'s attached PKCS7_SIGNER_INFO if present
// and |p7| is of a relevant type, else NULL. This function only pertains to
// signedData and signedAndEnvelopedData.
OPENSSL_EXPORT OPENSSL_DEPRECATED STACK_OF(PKCS7_SIGNER_INFO) *
PKCS7_get_signer_info(PKCS7 *p7);
// PKCS7_RECIP_INFO_set attaches |x509| to |p7i| and increments |x509|'s
// reference count. It returns 1 on success and 0 on failure or if |x509|'s
// public key not usable for encryption.
OPENSSL_EXPORT OPENSSL_DEPRECATED int PKCS7_RECIP_INFO_set(
PKCS7_RECIP_INFO *p7i, X509 *x509);
// PKCS7_SIGNER_INFO_set attaches the other parameters to |p7i|, returning 1 on
// success and 0 on error or if specified parameters are inapplicable to
// signing. Only EC, DH, and RSA |pkey|s are supported. |pkey|'s reference
// count is incremented, but neither |x509|'s nor |dgst|'s is.
OPENSSL_EXPORT OPENSSL_DEPRECATED int PKCS7_SIGNER_INFO_set(
PKCS7_SIGNER_INFO *p7i, X509 *x509, EVP_PKEY *pkey, const EVP_MD *dgst);
// PKCS7_add_certificate adds |x509| to |p7|'s certificate stack, incrementing
// |x509|'s reference count. It returns 1 on success and 0 on failure or if
// |p7| isn't of an applicable type: signedData and signedAndEnvelopedData.
OPENSSL_EXPORT OPENSSL_DEPRECATED int PKCS7_add_certificate(PKCS7 *p7,
X509 *x509);
// PKCS7_add_crl adds |x509| to |p7|'s CRL stack, incrementing |x509|'s
// reference count. It returns 1 on success and 0 on failure or if |p7| isn't
// of an applicable type: signedData and signedAndEnvelopedData.
OPENSSL_EXPORT OPENSSL_DEPRECATED int PKCS7_add_crl(PKCS7 *p7, X509_CRL *x509);
// PKCS7_add_recipient_info adds |ri| to |p7|, returning 1 on succes or 0 if
// |p7| is of an inapplicable type: envelopedData and signedAndEnvelopedData.
OPENSSL_EXPORT OPENSSL_DEPRECATED int PKCS7_add_recipient_info(
PKCS7 *p7, PKCS7_RECIP_INFO *ri);
// PKCS7_add_signer adds |p7i| to |p7|, returning 1 on succes or 0 if
// |p7| is of an inapplicable type: signedData and signedAndEnvelopedData.
OPENSSL_EXPORT OPENSSL_DEPRECATED int PKCS7_add_signer(PKCS7 *p7,
PKCS7_SIGNER_INFO *p7i);
// PKCS7_content_new allocates a new PKCS7 and adds it to |p7| as content. It
// returns 1 on success and 0 on failure.
OPENSSL_EXPORT OPENSSL_DEPRECATED int PKCS7_content_new(PKCS7 *p7, int nid);
// PKCS7_set_content sets |p7_data| as content on |p7| for applicable types of
// |p7|. It frees any existing content on |p7|, returning 1 on success and 0 on
// failure.
OPENSSL_EXPORT OPENSSL_DEPRECATED int PKCS7_set_content(PKCS7 *p7,
PKCS7 *p7_data);
// PKCS7_set_content sets |p7_data| as content on |p7| for applicable types of
// |p7|: signedData and digestData. |p7_data| may be NULL. It frees any
// existing content on |p7|, returning 1 on success and 0 on failure.
OPENSSL_EXPORT OPENSSL_DEPRECATED int PKCS7_set_cipher(
PKCS7 *p7, const EVP_CIPHER *cipher);
// PKCS7_set_type instantiates |p7| as type |type|. It returns 1 on success and
// 0 on failure or if |type| is not a valid PKCS7 content type.
OPENSSL_EXPORT OPENSSL_DEPRECATED int PKCS7_set_type(PKCS7 *p7, int type);
// PKCS7_RECIP_INFO_get0_alg sets |*penc| to |ri|'s key encryption algorithm,
// if present. Ownership of |*penc| is retained by |ri|.
OPENSSL_EXPORT OPENSSL_DEPRECATED void PKCS7_RECIP_INFO_get0_alg(
PKCS7_RECIP_INFO *ri, X509_ALGOR **penc);
// PKCS7_SIGNER_INFO_get0_algs sets all of, if present: |*pk| to |si|'s key,
// |*pdig| to |si|'s digest angorithm, and |*psig| to |si|'s signature
// algorithm. Ownership of |*pk|, |*pdig|, and |*psig) is retained by |si|.
OPENSSL_EXPORT OPENSSL_DEPRECATED void PKCS7_SIGNER_INFO_get0_algs(
PKCS7_SIGNER_INFO *si, EVP_PKEY **pk, X509_ALGOR **pdig, X509_ALGOR **psig);
// Deprecated flags
//
// Not all defined flags are acted upon, and the behavior associated with some
// flags is performed unconditionally. See each |PKCS7_*| for details.
// PKCS7_DETACHED indicates that the PKCS#7 file specifies its data externally.
#define PKCS7_DETACHED 0x40
// PKCS7_BINARY disables the default translation to MIME canonical format (as
// required by the S/MIME specifications). It is assumed in |PKCS7_sign| unless
// the caller is just bundling certs.
#define PKCS7_BINARY 0x80
// PKCS7_NOINTERN disables verification against certificate public keys included
// in a PKCS7 ContentInfo. If this flag is specified, the caller must supply a
// stack of certificates to verify against.
#define PKCS7_NOINTERN 0x10
// PKCS7_NOATTR disables usage of authenticatedAttributes. It is assumed in
// |PKCS7_sign| unless the caller is just bundling certs.
#define PKCS7_NOATTR 0x100
// PKCS7_NOCERTS excludes the signer's certificate and the extra certs defined
// from the PKCS7 structure. Using this will fail |PKCS7_sign| unless used as
// described in |PKCS7_sign|'s documentation.
#define PKCS7_NOCERTS 0x2
// PKCS7_NOVERIFY will skip trust chain verification against the trust store.
// It will still verify signatures against signer infos included in the PKCS7.
#define PKCS7_NOVERIFY 0x20
// The following flags are used in OpenSSL, but are ignored by AWS-LC. They are
// defined here solely for build compatibility.
#define PKCS7_TEXT 0x1
#define PKCS7_NOSIGS 0x4
#define PKCS7_NOCHAIN 0x8
#define PKCS7_NOSMIMECAP 0x200
#define PKCS7_STREAM 0x1000
#define PKCS7_PARTIAL 0x4000
// PKCS7_sign can operate in three modes to provide some backwards
// compatibility:
//
// The first mode assembles |certs| into a PKCS#7 signed data ContentInfo with
// external data and no signatures. It returns a newly-allocated |PKCS7| on
// success or NULL on error. |sign_cert| and |pkey| must be NULL. |data| is
// ignored. |flags| must be equal to |PKCS7_DETACHED|. Additionally,
// certificates in SignedData structures are unordered. The order of |certs|
// will not be preserved.
//
// The second mode generates a detached RSA SHA-256 signature of |data| using
// |pkey| and produces a PKCS#7 SignedData structure containing it. |certs|
// must be NULL and |flags| must be exactly |PKCS7_NOATTR | PKCS7_BINARY |
// PKCS7_NOCERTS | PKCS7_DETACHED|.
//
// The third mode is used for more general signing and does not require the
// specification of any flags, but does require |sign_cert|, |pkey|, and |data|
// to be populated. This mode always behaves as if |PKCS7_NOATTR| and
// |PKCS7_BINARY| are set. It honors the specification (or elision) of
// |PKCS7_DETACHED|. It does not allow |PKCS7_NOCERTS|.
//
// Note this function only implements a subset of the corresponding OpenSSL
// function. It is provided for backwards compatibility only.
OPENSSL_EXPORT OPENSSL_DEPRECATED PKCS7 *PKCS7_sign(X509 *sign_cert,
EVP_PKEY *pkey,
STACK_OF(X509) *certs,
BIO *data, int flags);
// PKCS7_verify takes in a |p7| with signed ContentInfo and verifies its
// signature against |certs| or |store|. If |certs| is specified, this function
// will attempt to verify |p7|'s signature against those certificates' public
// keys. If |store| is specified, its contents will be treated as certificate
// authorities (CAs) for establishing trust of any certificates bundled in |p7|.
//
// If |p7| is detached, |indata| must contain the data over which |p7|'s
// signature was computed. If verification succeeds, the verified content is
// written to |out| and 1 is returned. On error or verification failure, 0 is
// returned.
//
// Flags: If |PKCS7_NOVERIFY| is specified, trust chain validation is skipped.
// This function also enforces the behavior of OpenSSL's |PKCS7_NO_DUAL_CONTENT|
// meaning that |indata| may not be specified if |p7|'s signed data is attached.
// If |PKCS7_NOINTERN| is set, this function will not verify against certificate
// public keys included |p7|, instead relying solely on |certs|, which must be
// specified.
OPENSSL_EXPORT OPENSSL_DEPRECATED int PKCS7_verify(PKCS7 *p7,
STACK_OF(X509) *certs,
X509_STORE *store,
BIO *indata, BIO *outdata,
int flags);
// PKCS7_is_detached returns 0 if |p7| has attached content and 1 otherwise.
OPENSSL_EXPORT OPENSSL_DEPRECATED int PKCS7_is_detached(PKCS7 *p7);
// PKCS7_set_detached frees the attached content of |p7| if |detach| is set to
// 1. It returns 0 if otherwise or if |p7| is not of type signed.
//
// Note: |detach| is intended to be a boolean and MUST be set with either 1 or
// 0.
OPENSSL_EXPORT OPENSSL_DEPRECATED int PKCS7_set_detached(PKCS7 *p7, int detach);
// PKCS7_get_detached returns 0 if |p7| has attached content and 1 otherwise.
OPENSSL_EXPORT OPENSSL_DEPRECATED int PKCS7_get_detached(PKCS7 *p7);
// PKCS7_dataInit creates or initializes a BIO chain for reading data from or
// writing data to |p7|. If |bio| is non-null, it is added to the chain.
// Otherwise, a new BIO is allocated and returned to anchor the chain.
OPENSSL_EXPORT OPENSSL_DEPRECATED BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio);
// PKCS7_dataFinal serializes data written to |bio|'s chain into |p7|. It should
// only be called on BIO chains created by |PKCS7_dataInit|.
OPENSSL_EXPORT OPENSSL_DEPRECATED int PKCS7_dataFinal(PKCS7 *p7, BIO *bio);
// PKCS7_set_digest sets |p7|'s digest to |md|. It returns 1 on success and 0 if
// |p7| is of the wrong content type.
OPENSSL_EXPORT OPENSSL_DEPRECATED int PKCS7_set_digest(PKCS7 *p7,
const EVP_MD *md);
// PKCS7_get_recipient_info returns a pointer to a stack containing |p7|'s
// |PKCS7_RECIP_INFO| or NULL if none are present.
OPENSSL_EXPORT OPENSSL_DEPRECATED STACK_OF(PKCS7_RECIP_INFO) *
PKCS7_get_recipient_info(PKCS7 *p7);
// PKCS7_add_recipient allocates a new |PCKS7_RECEPIENT_INFO|, adds |x509| to it
// and returns that |PCKS7_RECEPIENT_INFO|.
OPENSSL_EXPORT OPENSSL_DEPRECATED PKCS7_RECIP_INFO *PKCS7_add_recipient(
PKCS7 *p7, X509 *x509);
// PKCS7_get0_signers retrieves the signer's certificates from p7. It does not
// check their validity or whether any signatures are valid. The caller owns the
// returned X509 stack and is responsible for freeing it.
OPENSSL_EXPORT OPENSSL_DEPRECATED STACK_OF(X509) *PKCS7_get0_signers(
PKCS7 *p7, STACK_OF(X509) *certs, int flags);
// PKCS7_encrypt encrypts the contents of |in| with |cipher| and adds |certs| as
// recipient infos and returns an encrypted |PKCS7| or NULL on failed
// encryption. |flags| is ignored. We only perform key encryption using RSA, so
// |certs| must use RSA public keys.
OPENSSL_EXPORT OPENSSL_DEPRECATED PKCS7 *PKCS7_encrypt(STACK_OF(X509) *certs,
BIO *in,
const EVP_CIPHER *cipher,
int flags);
// PKCS7_decrypt decrypts |p7| with |pkey| and writes the plaintext to |data|.
// If |cert| is present, it's public key is checked against |pkey| and |p7|'s
// recipient infos. 1 is returned on success and 0 on failure. |flags| is
// ignored. |pkey| must be an |EVP_PKEY_RSA|.
//
// NOTE: If |p7| was encrypted with a stream cipher, this operation may return 1
// even on decryption failure. The reason for this is detailed in RFC 3218 and
// comments in the |PKCS7_decrypt| source.
OPENSSL_EXPORT OPENSSL_DEPRECATED int PKCS7_decrypt(PKCS7 *p7, EVP_PKEY *pkey,
X509 *cert, BIO *data,
int flags);
// No-ops
//
// These functions do nothing. They're provided solely for build compatibility
// SMIME_read_PKCS7 is a no-op and returns NULL
OPENSSL_EXPORT OPENSSL_DEPRECATED PKCS7 *SMIME_read_PKCS7(BIO *in, BIO **bcont);
// SMIME_write_PKCS7 is a no-op and returns 0
OPENSSL_EXPORT OPENSSL_DEPRECATED int SMIME_write_PKCS7(BIO *out, PKCS7 *p7,
BIO *data, int flags);
// PKCS7_print_ctx prints "PKCS7 printing is not supported" and returns 1.
OPENSSL_EXPORT OPENSSL_DEPRECATED int PKCS7_print_ctx(BIO *bio, PKCS7 *pkcs7,
int indent,
const ASN1_PCTX *pctx);
#if defined(__cplusplus)
} // extern C
extern "C++" {
BSSL_NAMESPACE_BEGIN
BORINGSSL_MAKE_DELETER(PKCS7, PKCS7_free)
BORINGSSL_MAKE_DELETER(PKCS7_SIGNER_INFO, PKCS7_SIGNER_INFO_free)
BSSL_NAMESPACE_END
} // extern C++
#endif
#define PKCS7_R_BAD_PKCS7_VERSION 100
#define PKCS7_R_NOT_PKCS7_SIGNED_DATA 101
#define PKCS7_R_NO_CERTIFICATES_INCLUDED 102
#define PKCS7_R_NO_CRLS_INCLUDED 103
#define PKCS7_R_INVALID_NULL_POINTER 104
#define PKCS7_R_NO_CONTENT 105
#define PKCS7_R_CIPHER_NOT_INITIALIZED 106
#define PKCS7_R_UNSUPPORTED_CONTENT_TYPE 107
#define PKCS7_R_UNABLE_TO_FIND_MESSAGE_DIGEST 108
#define PKCS7_R_UNABLE_TO_FIND_MEM_BIO 109
#define PKCS7_R_WRONG_CONTENT_TYPE 110
#define PKCS7_R_CONTENT_AND_DATA_PRESENT 111
#define PKCS7_R_NO_SIGNATURES_ON_DATA 112
#define PKCS7_R_CERTIFICATE_VERIFY_ERROR 113
#define PKCS7_R_SMIME_TEXT_ERROR 114
#define PKCS7_R_SIGNATURE_FAILURE 115
#define PKCS7_R_NO_SIGNERS 116
#define PKCS7_R_SIGNER_CERTIFICATE_NOT_FOUND 117
#define PKCS7_R_ERROR_SETTING_CIPHER 118
#define PKCS7_R_ERROR_ADDING_RECIPIENT 119
#define PKCS7_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE 120
#define PKCS7_R_DECRYPT_ERROR 121
#define PKCS7_R_PKCS7_DATASIGN 122
#define PKCS7_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER 123
#define PKCS7_R_SIGNING_NOT_SUPPORTED_FOR_THIS_KEY_TYPE 124
#define PKCS7_R_UNKNOWN_DIGEST_TYPE 125
#define PKCS7_R_INVALID_SIGNED_DATA_TYPE 126
#define PKCS7_R_UNSUPPORTED_CIPHER_TYPE 127
#define PKCS7_R_NO_RECIPIENT_MATCHES_CERTIFICATE 128
#define PKCS7_R_DIGEST_FAILURE 129
#define PKCS7_R_WRONG_PKCS7_TYPE 130
#define PKCS7_R_PKCS7_ADD_SIGNER_ERROR 131
#define PKCS7_R_PKCS7_ADD_SIGNATURE_ERROR 132
#define PKCS7_R_NO_DEFAULT_DIGEST 133
#define PKCS7_R_CERT_MUST_BE_RSA 134
#define PKCS7_R_OPERATION_NOT_SUPPORTED_ON_THIS_TYPE 135
#endif // OPENSSL_HEADER_PKCS7_H