andre@0: /* This Source Code Form is subject to the terms of the Mozilla Public andre@0: * License, v. 2.0. If a copy of the MPL was not distributed with this andre@0: * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ andre@0: andre@0: /* andre@0: * Interface to the PKCS7 implementation. andre@0: */ andre@0: andre@0: #ifndef _SECPKCS7_H_ andre@0: #define _SECPKCS7_H_ andre@0: andre@0: #include "seccomon.h" andre@0: andre@0: #include "secoidt.h" andre@0: #include "certt.h" andre@0: #include "keyt.h" andre@0: #include "hasht.h" andre@0: #include "pkcs7t.h" andre@0: andre@0: extern const SEC_ASN1Template sec_PKCS7ContentInfoTemplate[]; andre@0: andre@0: /************************************************************************/ andre@0: SEC_BEGIN_PROTOS andre@0: andre@0: /************************************************************************ andre@0: * Miscellaneous andre@0: ************************************************************************/ andre@0: andre@0: /* andre@0: * Returns the content type of the given contentInfo. andre@0: */ andre@0: extern SECOidTag SEC_PKCS7ContentType (SEC_PKCS7ContentInfo *cinfo); andre@0: andre@0: /* andre@0: * Destroy a PKCS7 contentInfo and all of its sub-pieces. andre@0: */ andre@0: extern void SEC_PKCS7DestroyContentInfo(SEC_PKCS7ContentInfo *contentInfo); andre@0: andre@0: /* andre@0: * Copy a PKCS7 contentInfo. A Destroy is needed on *each* copy. andre@0: */ andre@0: extern SEC_PKCS7ContentInfo * andre@0: SEC_PKCS7CopyContentInfo(SEC_PKCS7ContentInfo *contentInfo); andre@0: andre@0: /* andre@0: * Return a pointer to the actual content. In the case of those types andre@0: * which are encrypted, this returns the *plain* content. andre@0: */ andre@0: extern SECItem *SEC_PKCS7GetContent(SEC_PKCS7ContentInfo *cinfo); andre@0: andre@0: /************************************************************************ andre@0: * PKCS7 Decoding, Verification, etc.. andre@0: ************************************************************************/ andre@0: andre@0: extern SEC_PKCS7DecoderContext * andre@0: SEC_PKCS7DecoderStart(SEC_PKCS7DecoderContentCallback callback, andre@0: void *callback_arg, andre@0: SECKEYGetPasswordKey pwfn, void *pwfn_arg, andre@0: SEC_PKCS7GetDecryptKeyCallback decrypt_key_cb, andre@0: void *decrypt_key_cb_arg, andre@0: SEC_PKCS7DecryptionAllowedCallback decrypt_allowed_cb); andre@0: andre@0: extern SECStatus andre@0: SEC_PKCS7DecoderUpdate(SEC_PKCS7DecoderContext *p7dcx, andre@0: const char *buf, unsigned long len); andre@0: andre@0: extern SEC_PKCS7ContentInfo * andre@0: SEC_PKCS7DecoderFinish(SEC_PKCS7DecoderContext *p7dcx); andre@0: andre@0: andre@0: /* Abort the underlying ASN.1 stream & set an error */ andre@0: void SEC_PKCS7DecoderAbort(SEC_PKCS7DecoderContext *p7dcx, int error); andre@0: andre@0: extern SEC_PKCS7ContentInfo * andre@0: SEC_PKCS7DecodeItem(SECItem *p7item, andre@0: SEC_PKCS7DecoderContentCallback cb, void *cb_arg, andre@0: SECKEYGetPasswordKey pwfn, void *pwfn_arg, andre@0: SEC_PKCS7GetDecryptKeyCallback decrypt_key_cb, andre@0: void *decrypt_key_cb_arg, andre@0: SEC_PKCS7DecryptionAllowedCallback decrypt_allowed_cb); andre@0: andre@0: extern PRBool SEC_PKCS7ContainsCertsOrCrls(SEC_PKCS7ContentInfo *cinfo); andre@0: andre@0: /* checks to see if the contents of the content info is andre@0: * empty. it so, PR_TRUE is returned. PR_FALSE, otherwise. andre@0: * andre@0: * minLen is used to specify a minimum size. if content size <= minLen, andre@0: * content is assumed empty. andre@0: */ andre@0: extern PRBool andre@0: SEC_PKCS7IsContentEmpty(SEC_PKCS7ContentInfo *cinfo, unsigned int minLen); andre@0: andre@0: extern PRBool SEC_PKCS7ContentIsEncrypted(SEC_PKCS7ContentInfo *cinfo); andre@0: andre@0: /* andre@0: * If the PKCS7 content has a signature (not just *could* have a signature) andre@0: * return true; false otherwise. This can/should be called before calling andre@0: * VerifySignature, which will always indicate failure if no signature is andre@0: * present, but that does not mean there even was a signature! andre@0: * Note that the content itself can be empty (detached content was sent andre@0: * another way); it is the presence of the signature that matters. andre@0: */ andre@0: extern PRBool SEC_PKCS7ContentIsSigned(SEC_PKCS7ContentInfo *cinfo); andre@0: andre@0: /* andre@0: * SEC_PKCS7VerifySignature andre@0: * Look at a PKCS7 contentInfo and check if the signature is good. andre@0: * The verification checks that the signing cert is valid and trusted andre@0: * for the purpose specified by "certusage". andre@0: * andre@0: * In addition, if "keepcerts" is true, add any new certificates found andre@0: * into our local database. andre@0: */ andre@0: extern PRBool SEC_PKCS7VerifySignature(SEC_PKCS7ContentInfo *cinfo, andre@0: SECCertUsage certusage, andre@0: PRBool keepcerts); andre@0: andre@0: /* andre@0: * SEC_PKCS7VerifyDetachedSignature andre@0: * Look at a PKCS7 contentInfo and check if the signature matches andre@0: * a passed-in digest (calculated, supposedly, from detached contents). andre@0: * The verification checks that the signing cert is valid and trusted andre@0: * for the purpose specified by "certusage". andre@0: * andre@0: * In addition, if "keepcerts" is true, add any new certificates found andre@0: * into our local database. andre@0: */ andre@0: extern PRBool SEC_PKCS7VerifyDetachedSignature(SEC_PKCS7ContentInfo *cinfo, andre@0: SECCertUsage certusage, andre@0: const SECItem *detached_digest, andre@0: HASH_HashType digest_type, andre@0: PRBool keepcerts); andre@0: andre@0: /* andre@0: * SEC_PKCS7VerifyDetachedSignatureAtTime andre@0: * Look at a PKCS7 contentInfo and check if the signature matches andre@0: * a passed-in digest (calculated, supposedly, from detached contents). andre@0: * The verification checks that the signing cert is valid and trusted andre@0: * for the purpose specified by "certusage" at time "atTime". andre@0: * andre@0: * In addition, if "keepcerts" is true, add any new certificates found andre@0: * into our local database. andre@0: */ andre@0: extern PRBool andre@0: SEC_PKCS7VerifyDetachedSignatureAtTime(SEC_PKCS7ContentInfo *cinfo, andre@0: SECCertUsage certusage, andre@0: const SECItem *detached_digest, andre@0: HASH_HashType digest_type, andre@0: PRBool keepcerts, andre@0: PRTime atTime); andre@0: andre@0: /* andre@0: * SEC_PKCS7GetSignerCommonName, SEC_PKCS7GetSignerEmailAddress andre@0: * The passed-in contentInfo is espected to be Signed, and these andre@0: * functions return the specified portion of the full signer name. andre@0: * andre@0: * Returns a pointer to allocated memory, which must be freed. andre@0: * A NULL return value is an error. andre@0: */ andre@0: extern char *SEC_PKCS7GetSignerCommonName(SEC_PKCS7ContentInfo *cinfo); andre@0: extern char *SEC_PKCS7GetSignerEmailAddress(SEC_PKCS7ContentInfo *cinfo); andre@0: andre@0: /* andre@0: * Return the the signing time, in UTCTime format, of a PKCS7 contentInfo. andre@0: */ andre@0: extern SECItem *SEC_PKCS7GetSigningTime(SEC_PKCS7ContentInfo *cinfo); andre@0: andre@0: andre@0: /************************************************************************ andre@0: * PKCS7 Creation and Encoding. andre@0: ************************************************************************/ andre@0: andre@0: /* andre@0: * Start a PKCS7 signing context. andre@0: * andre@0: * "cert" is the cert that will be used to sign the data. It will be andre@0: * checked for validity. andre@0: * andre@0: * "certusage" describes the signing usage (e.g. certUsageEmailSigner) andre@0: * XXX Maybe SECCertUsage should be split so that our caller just says andre@0: * "email" and *we* add the "signing" part -- otherwise our caller andre@0: * could be lying about the usage; we do not want to allow encryption andre@0: * certs for signing or vice versa. andre@0: * andre@0: * "certdb" is the cert database to use for verifying the cert. andre@0: * It can be NULL if a default database is available (like in the client). andre@0: * andre@0: * "digestalg" names the digest algorithm (e.g. SEC_OID_SHA1). andre@0: * andre@0: * "digest" is the actual digest of the data. It must be provided in andre@0: * the case of detached data or NULL if the content will be included. andre@0: * andre@0: * The return value can be passed to functions which add things to andre@0: * it like attributes, then eventually to SEC_PKCS7Encode() or to andre@0: * SEC_PKCS7EncoderStart() to create the encoded data, and finally to andre@0: * SEC_PKCS7DestroyContentInfo(). andre@0: * andre@0: * An error results in a return value of NULL and an error set. andre@0: * (Retrieve specific errors via PORT_GetError()/XP_GetError().) andre@0: */ andre@0: extern SEC_PKCS7ContentInfo * andre@0: SEC_PKCS7CreateSignedData (CERTCertificate *cert, andre@0: SECCertUsage certusage, andre@0: CERTCertDBHandle *certdb, andre@0: SECOidTag digestalg, andre@0: SECItem *digest, andre@0: SECKEYGetPasswordKey pwfn, void *pwfn_arg); andre@0: andre@0: /* andre@0: * Create a PKCS7 certs-only container. andre@0: * andre@0: * "cert" is the (first) cert that will be included. andre@0: * andre@0: * "include_chain" specifies whether the entire chain for "cert" should andre@0: * be included. andre@0: * andre@0: * "certdb" is the cert database to use for finding the chain. andre@0: * It can be NULL in when "include_chain" is false, or when meaning andre@0: * use the default database. andre@0: * andre@0: * More certs and chains can be added via AddCertficate and AddCertChain. andre@0: * andre@0: * An error results in a return value of NULL and an error set. andre@0: * (Retrieve specific errors via PORT_GetError()/XP_GetError().) andre@0: */ andre@0: extern SEC_PKCS7ContentInfo * andre@0: SEC_PKCS7CreateCertsOnly (CERTCertificate *cert, andre@0: PRBool include_chain, andre@0: CERTCertDBHandle *certdb); andre@0: andre@0: /* andre@0: * Start a PKCS7 enveloping context. andre@0: * andre@0: * "cert" is the cert for the recipient. It will be checked for validity. andre@0: * andre@0: * "certusage" describes the encryption usage (e.g. certUsageEmailRecipient) andre@0: * XXX Maybe SECCertUsage should be split so that our caller just says andre@0: * "email" and *we* add the "recipient" part -- otherwise our caller andre@0: * could be lying about the usage; we do not want to allow encryption andre@0: * certs for signing or vice versa. andre@0: * andre@0: * "certdb" is the cert database to use for verifying the cert. andre@0: * It can be NULL if a default database is available (like in the client). andre@0: * andre@0: * "encalg" specifies the bulk encryption algorithm to use (e.g. SEC_OID_RC2). andre@0: * andre@0: * "keysize" specifies the bulk encryption key size, in bits. andre@0: * andre@0: * The return value can be passed to functions which add things to andre@0: * it like more recipients, then eventually to SEC_PKCS7Encode() or to andre@0: * SEC_PKCS7EncoderStart() to create the encoded data, and finally to andre@0: * SEC_PKCS7DestroyContentInfo(). andre@0: * andre@0: * An error results in a return value of NULL and an error set. andre@0: * (Retrieve specific errors via PORT_GetError()/XP_GetError().) andre@0: */ andre@0: extern SEC_PKCS7ContentInfo * andre@0: SEC_PKCS7CreateEnvelopedData (CERTCertificate *cert, andre@0: SECCertUsage certusage, andre@0: CERTCertDBHandle *certdb, andre@0: SECOidTag encalg, andre@0: int keysize, andre@0: SECKEYGetPasswordKey pwfn, void *pwfn_arg); andre@0: andre@0: /* andre@0: * XXX There will be a similar routine for creating signedAndEnvelopedData. andre@0: * But its parameters will be different and I have no plans to implement andre@0: * it any time soon because we have no current need for it. andre@0: */ andre@0: andre@0: /* andre@0: * Create an empty PKCS7 data content info. andre@0: * andre@0: * An error results in a return value of NULL and an error set. andre@0: * (Retrieve specific errors via PORT_GetError()/XP_GetError().) andre@0: */ andre@0: extern SEC_PKCS7ContentInfo *SEC_PKCS7CreateData (void); andre@0: andre@0: /* andre@0: * Create an empty PKCS7 encrypted content info. andre@0: * andre@0: * "algorithm" specifies the bulk encryption algorithm to use. andre@0: * andre@0: * An error results in a return value of NULL and an error set. andre@0: * (Retrieve specific errors via PORT_GetError()/XP_GetError().) andre@0: */ andre@0: extern SEC_PKCS7ContentInfo * andre@0: SEC_PKCS7CreateEncryptedData (SECOidTag algorithm, int keysize, andre@0: SECKEYGetPasswordKey pwfn, void *pwfn_arg); andre@0: andre@0: /* andre@0: * All of the following things return SECStatus to signal success or failure. andre@0: * Failure should have a more specific error status available via andre@0: * PORT_GetError()/XP_GetError(). andre@0: */ andre@0: andre@0: /* andre@0: * Add the specified attribute to the authenticated (i.e. signed) attributes andre@0: * of "cinfo" -- "oidtag" describes the attribute and "value" is the andre@0: * value to be associated with it. NOTE! "value" must already be encoded; andre@0: * no interpretation of "oidtag" is done. Also, it is assumed that this andre@0: * signedData has only one signer -- if we ever need to add attributes andre@0: * when there is more than one signature, we need a way to specify *which* andre@0: * signature should get the attribute. andre@0: * andre@0: * XXX Technically, a signed attribute can have multiple values; if/when andre@0: * we ever need to support an attribute which takes multiple values, we andre@0: * either need to change this interface or create an AddSignedAttributeValue andre@0: * which can be called subsequently, and would then append a value. andre@0: * andre@0: * "cinfo" should be of type signedData (the only kind of pkcs7 data andre@0: * that is allowed authenticated attributes); SECFailure will be returned andre@0: * if it is not. andre@0: */ andre@0: extern SECStatus SEC_PKCS7AddSignedAttribute (SEC_PKCS7ContentInfo *cinfo, andre@0: SECOidTag oidtag, andre@0: SECItem *value); andre@0: andre@0: /* andre@0: * Add "cert" and its entire chain to the set of certs included in "cinfo". andre@0: * andre@0: * "certdb" is the cert database to use for finding the chain. andre@0: * It can be NULL, meaning use the default database. andre@0: * andre@0: * "cinfo" should be of type signedData or signedAndEnvelopedData; andre@0: * SECFailure will be returned if it is not. andre@0: */ andre@0: extern SECStatus SEC_PKCS7AddCertChain (SEC_PKCS7ContentInfo *cinfo, andre@0: CERTCertificate *cert, andre@0: CERTCertDBHandle *certdb); andre@0: andre@0: /* andre@0: * Add "cert" to the set of certs included in "cinfo". andre@0: * andre@0: * "cinfo" should be of type signedData or signedAndEnvelopedData; andre@0: * SECFailure will be returned if it is not. andre@0: */ andre@0: extern SECStatus SEC_PKCS7AddCertificate (SEC_PKCS7ContentInfo *cinfo, andre@0: CERTCertificate *cert); andre@0: andre@0: /* andre@0: * Add another recipient to an encrypted message. andre@0: * andre@0: * "cinfo" should be of type envelopedData or signedAndEnvelopedData; andre@0: * SECFailure will be returned if it is not. andre@0: * andre@0: * "cert" is the cert for the recipient. It will be checked for validity. andre@0: * andre@0: * "certusage" describes the encryption usage (e.g. certUsageEmailRecipient) andre@0: * XXX Maybe SECCertUsage should be split so that our caller just says andre@0: * "email" and *we* add the "recipient" part -- otherwise our caller andre@0: * could be lying about the usage; we do not want to allow encryption andre@0: * certs for signing or vice versa. andre@0: * andre@0: * "certdb" is the cert database to use for verifying the cert. andre@0: * It can be NULL if a default database is available (like in the client). andre@0: */ andre@0: extern SECStatus SEC_PKCS7AddRecipient (SEC_PKCS7ContentInfo *cinfo, andre@0: CERTCertificate *cert, andre@0: SECCertUsage certusage, andre@0: CERTCertDBHandle *certdb); andre@0: andre@0: /* andre@0: * Add the signing time to the authenticated (i.e. signed) attributes andre@0: * of "cinfo". This is expected to be included in outgoing signed andre@0: * messages for email (S/MIME) but is likely useful in other situations. andre@0: * andre@0: * This should only be added once; a second call will either do andre@0: * nothing or replace an old signing time with a newer one. andre@0: * andre@0: * XXX This will probably just shove the current time into "cinfo" andre@0: * but it will not actually get signed until the entire item is andre@0: * processed for encoding. Is this (expected to be small) delay okay? andre@0: * andre@0: * "cinfo" should be of type signedData (the only kind of pkcs7 data andre@0: * that is allowed authenticated attributes); SECFailure will be returned andre@0: * if it is not. andre@0: */ andre@0: extern SECStatus SEC_PKCS7AddSigningTime (SEC_PKCS7ContentInfo *cinfo); andre@0: andre@0: /* andre@0: * Add the signer's symmetric capabilities to the authenticated andre@0: * (i.e. signed) attributes of "cinfo". This is expected to be andre@0: * included in outgoing signed messages for email (S/MIME). andre@0: * andre@0: * This can only be added once; a second call will return SECFailure. andre@0: * andre@0: * "cinfo" should be of type signedData or signedAndEnvelopedData; andre@0: * SECFailure will be returned if it is not. andre@0: */ andre@0: extern SECStatus SEC_PKCS7AddSymmetricCapabilities(SEC_PKCS7ContentInfo *cinfo); andre@0: andre@0: /* andre@0: * Mark that the signer's certificate and its issuing chain should andre@0: * be included in the encoded data. This is expected to be used andre@0: * in outgoing signed messages for email (S/MIME). andre@0: * andre@0: * "certdb" is the cert database to use for finding the chain. andre@0: * It can be NULL, meaning use the default database. andre@0: * andre@0: * "cinfo" should be of type signedData or signedAndEnvelopedData; andre@0: * SECFailure will be returned if it is not. andre@0: */ andre@0: extern SECStatus SEC_PKCS7IncludeCertChain (SEC_PKCS7ContentInfo *cinfo, andre@0: CERTCertDBHandle *certdb); andre@0: andre@0: andre@0: /* andre@0: * Set the content; it will be included and also hashed and/or encrypted andre@0: * as appropriate. This is for in-memory content (expected to be "small") andre@0: * that will be included in the PKCS7 object. All others should stream the andre@0: * content through when encoding (see SEC_PKCS7Encoder{Start,Update,Finish}). andre@0: * andre@0: * "buf" points to data of length "len"; it will be copied. andre@0: */ andre@0: extern SECStatus SEC_PKCS7SetContent (SEC_PKCS7ContentInfo *cinfo, andre@0: const char *buf, unsigned long len); andre@0: andre@0: /* andre@0: * Encode a PKCS7 object, in one shot. All necessary components andre@0: * of the object must already be specified. Either the data has andre@0: * already been included (via SetContent), or the data is detached, andre@0: * or there is no data at all (certs-only). andre@0: * andre@0: * "cinfo" specifies the object to be encoded. andre@0: * andre@0: * "outputfn" is where the encoded bytes will be passed. andre@0: * andre@0: * "outputarg" is an opaque argument to the above callback. andre@0: * andre@0: * "bulkkey" specifies the bulk encryption key to use. This argument andre@0: * can be NULL if no encryption is being done, or if the bulk key should andre@0: * be generated internally (usually the case for EnvelopedData but never andre@0: * for EncryptedData, which *must* provide a bulk encryption key). andre@0: * andre@0: * "pwfn" is a callback for getting the password which protects the andre@0: * private key of the signer. This argument can be NULL if it is known andre@0: * that no signing is going to be done. andre@0: * andre@0: * "pwfnarg" is an opaque argument to the above callback. andre@0: */ andre@0: extern SECStatus SEC_PKCS7Encode (SEC_PKCS7ContentInfo *cinfo, andre@0: SEC_PKCS7EncoderOutputCallback outputfn, andre@0: void *outputarg, andre@0: PK11SymKey *bulkkey, andre@0: SECKEYGetPasswordKey pwfn, andre@0: void *pwfnarg); andre@0: andre@0: /* andre@0: * Encode a PKCS7 object, in one shot. All necessary components andre@0: * of the object must already be specified. Either the data has andre@0: * already been included (via SetContent), or the data is detached, andre@0: * or there is no data at all (certs-only). The output, rather than andre@0: * being passed to an output function as is done above, is all put andre@0: * into a SECItem. andre@0: * andre@0: * "pool" specifies a pool from which to allocate the result. andre@0: * It can be NULL, in which case memory is allocated generically. andre@0: * andre@0: * "dest" specifies a SECItem in which to put the result data. andre@0: * It can be NULL, in which case the entire item is allocated, too. andre@0: * andre@0: * "cinfo" specifies the object to be encoded. andre@0: * andre@0: * "bulkkey" specifies the bulk encryption key to use. This argument andre@0: * can be NULL if no encryption is being done, or if the bulk key should andre@0: * be generated internally (usually the case for EnvelopedData but never andre@0: * for EncryptedData, which *must* provide a bulk encryption key). andre@0: * andre@0: * "pwfn" is a callback for getting the password which protects the andre@0: * private key of the signer. This argument can be NULL if it is known andre@0: * that no signing is going to be done. andre@0: * andre@0: * "pwfnarg" is an opaque argument to the above callback. andre@0: */ andre@0: extern SECItem *SEC_PKCS7EncodeItem (PLArenaPool *pool, andre@0: SECItem *dest, andre@0: SEC_PKCS7ContentInfo *cinfo, andre@0: PK11SymKey *bulkkey, andre@0: SECKEYGetPasswordKey pwfn, andre@0: void *pwfnarg); andre@0: andre@0: /* andre@0: * For those who want to simply point to the pkcs7 contentInfo ASN.1 andre@0: * template, and *not* call the encoding functions directly, the andre@0: * following function can be used -- after it is called, the entire andre@0: * PKCS7 contentInfo is ready to be encoded. andre@0: */ andre@0: extern SECStatus SEC_PKCS7PrepareForEncode (SEC_PKCS7ContentInfo *cinfo, andre@0: PK11SymKey *bulkkey, andre@0: SECKEYGetPasswordKey pwfn, andre@0: void *pwfnarg); andre@0: andre@0: /* andre@0: * Start the process of encoding a PKCS7 object. The first part of andre@0: * the encoded object will be passed to the output function right away; andre@0: * after that it is expected that SEC_PKCS7EncoderUpdate will be called, andre@0: * streaming in the actual content that is getting included as well as andre@0: * signed or encrypted (or both). andre@0: * andre@0: * "cinfo" specifies the object to be encoded. andre@0: * andre@0: * "outputfn" is where the encoded bytes will be passed. andre@0: * andre@0: * "outputarg" is an opaque argument to the above callback. andre@0: * andre@0: * "bulkkey" specifies the bulk encryption key to use. This argument andre@0: * can be NULL if no encryption is being done, or if the bulk key should andre@0: * be generated internally (usually the case for EnvelopedData but never andre@0: * for EncryptedData, which *must* provide a bulk encryption key). andre@0: * andre@0: * Returns an object to be passed to EncoderUpdate and EncoderFinish. andre@0: */ andre@0: extern SEC_PKCS7EncoderContext * andre@0: SEC_PKCS7EncoderStart (SEC_PKCS7ContentInfo *cinfo, andre@0: SEC_PKCS7EncoderOutputCallback outputfn, andre@0: void *outputarg, andre@0: PK11SymKey *bulkkey); andre@0: andre@0: /* andre@0: * Encode more contents, hashing and/or encrypting along the way. andre@0: */ andre@0: extern SECStatus SEC_PKCS7EncoderUpdate (SEC_PKCS7EncoderContext *p7ecx, andre@0: const char *buf, andre@0: unsigned long len); andre@0: andre@0: /* andre@0: * No more contents; finish the signature creation, if appropriate, andre@0: * and then the encoding. andre@0: * andre@0: * "pwfn" is a callback for getting the password which protects the andre@0: * signer's private key. This argument can be NULL if it is known andre@0: * that no signing is going to be done. andre@0: * andre@0: * "pwfnarg" is an opaque argument to the above callback. andre@0: */ andre@0: extern SECStatus SEC_PKCS7EncoderFinish (SEC_PKCS7EncoderContext *p7ecx, andre@0: SECKEYGetPasswordKey pwfn, andre@0: void *pwfnarg); andre@0: andre@0: /* Abort the underlying ASN.1 stream & set an error */ andre@0: void SEC_PKCS7EncoderAbort(SEC_PKCS7EncoderContext *p7dcx, int error); andre@0: andre@0: /* retrieve the algorithm ID used to encrypt the content info andre@0: * for encrypted and enveloped data. The SECAlgorithmID pointer andre@0: * returned needs to be freed as it is a copy of the algorithm andre@0: * id in the content info. andre@0: */ andre@0: extern SECAlgorithmID * andre@0: SEC_PKCS7GetEncryptionAlgorithm(SEC_PKCS7ContentInfo *cinfo); andre@0: andre@0: /* the content of an encrypted data content info is encrypted. andre@0: * it is assumed that for encrypted data, that the data has already andre@0: * been set and is in the "plainContent" field of the content info. andre@0: * andre@0: * cinfo is the content info to encrypt andre@0: * andre@0: * key is the key with which to perform the encryption. if the andre@0: * algorithm is a password based encryption algorithm, the andre@0: * key is actually a password which will be processed per andre@0: * PKCS #5. andre@0: * andre@0: * in the event of an error, SECFailure is returned. SECSuccess andre@0: * indicates a success. andre@0: */ andre@0: extern SECStatus andre@0: SEC_PKCS7EncryptContents(PLArenaPool *poolp, andre@0: SEC_PKCS7ContentInfo *cinfo, andre@0: SECItem *key, andre@0: void *wincx); andre@0: andre@0: /* the content of an encrypted data content info is decrypted. andre@0: * it is assumed that for encrypted data, that the data has already andre@0: * been set and is in the "encContent" field of the content info. andre@0: * andre@0: * cinfo is the content info to decrypt andre@0: * andre@0: * key is the key with which to perform the decryption. if the andre@0: * algorithm is a password based encryption algorithm, the andre@0: * key is actually a password which will be processed per andre@0: * PKCS #5. andre@0: * andre@0: * in the event of an error, SECFailure is returned. SECSuccess andre@0: * indicates a success. andre@0: */ andre@0: extern SECStatus andre@0: SEC_PKCS7DecryptContents(PLArenaPool *poolp, andre@0: SEC_PKCS7ContentInfo *cinfo, andre@0: SECItem *key, andre@0: void *wincx); andre@0: andre@0: /* retrieve the certificate list from the content info. the list andre@0: * is a pointer to the list in the content info. this should not andre@0: * be deleted or freed in any way short of calling andre@0: * SEC_PKCS7DestroyContentInfo andre@0: */ andre@0: extern SECItem ** andre@0: SEC_PKCS7GetCertificateList(SEC_PKCS7ContentInfo *cinfo); andre@0: andre@0: /* Returns the key length (in bits) of the algorithm used to encrypt andre@0: this object. Returns 0 if it's not encrypted, or the key length is andre@0: irrelevant. */ andre@0: extern int andre@0: SEC_PKCS7GetKeyLength(SEC_PKCS7ContentInfo *cinfo); andre@0: andre@0: andre@0: /************************************************************************/ andre@0: SEC_END_PROTOS andre@0: andre@0: #endif /* _SECPKCS7_H_ */