pkcs7.h
Types
| Name | |
|---|---|
| typedef int()(const byte key, word32 keySz, const byte in, word32 inSz, int wrap, byte out, word32 outSz) | CallbackAESKeyWrapUnwrap Callback used for a custom AES key wrap/unwrap operation. |
Functions
| Name | |
|---|---|
| int | wc_PKCS7_InitWithCert(wc_PKCS7 * pkcs7, byte * der, word32 derSz) This function initializes a PKCS7 structure with a DER-formatted certificate. To initialize an empty PKCS7 structure, one can pass in a NULL cert and 0 for certSz. |
| void | wc_PKCS7_Free(wc_PKCS7 * pkcs7) This function releases any memory allocated by a PKCS7 initializer. |
| int | wc_PKCS7_EncodeData(wc_PKCS7 * pkcs7, byte * output, word32 outputSz) This function builds the PKCS7 data content type, encoding the PKCS7 structure into a buffer containing a parsable PKCS7 data packet. |
| int | wc_PKCS7_EncodeSignedData(wc_PKCS7 * pkcs7, byte * output, word32 outputSz) This function builds the PKCS7 signed data content type, encoding the PKCS7 structure into a buffer containing a parsable PKCS7 signed data packet. |
| int | wc_PKCS7_EncodeSignedData_ex(wc_PKCS7 * pkcs7, const byte * hashBuf, word32 hashSz, byte * outputHead, word32 * outputHeadSz, byte * outputFoot, word32 * outputFootSz) This function builds the PKCS7 signed data content type, encoding the PKCS7 structure into a header and footer buffer containing a parsable PKCS7 signed data packet. This does not include the content. A hash must be computed and provided for the data. |
| int | wc_PKCS7_VerifySignedData(wc_PKCS7 * pkcs7, byte * pkiMsg, word32 pkiMsgSz) This function takes in a transmitted PKCS7 signed data message, extracts the certificate list and certificate revocation list, and then verifies the signature. It stores the extracted content in the given PKCS7 structure. |
| int | wc_PKCS7_VerifySignedData_ex(wc_PKCS7 * pkcs7, const byte * hashBuf, word32 hashSz, byte * pkiMsgHead, word32 pkiMsgHeadSz, byte * pkiMsgFoot, word32 pkiMsgFootSz) This function takes in a transmitted PKCS7 signed data message as hash/header/footer, then extracts the certificate list and certificate revocation list, and then verifies the signature. It stores the extracted content in the given PKCS7 structure. |
| int | wc_PKCS7_SetAESKeyWrapUnwrapCb(wc_PKCS7 * pkcs7, CallbackAESKeyWrapUnwrap aesKeyWrapCb) Set the callback function to be used to perform a custom AES key wrap/unwrap operation. |
| int | wc_PKCS7_EncodeEnvelopedData(wc_PKCS7 * pkcs7, byte * output, word32 outputSz) This function builds the PKCS7 enveloped data content type, encoding the PKCS7 structure into a buffer containing a parsable PKCS7 enveloped data packet. |
| int | wc_PKCS7_DecodeEnvelopedData(wc_PKCS7 * pkcs7, byte * pkiMsg, word32 pkiMsgSz, byte * output, word32 outputSz) This function unwraps and decrypts a PKCS7 enveloped data content type, decoding the message into output. It uses the private key of the PKCS7 object passed in to decrypt the message. |
| int | wc_PKCS7_GetEnvelopedDataKariRid(const byte * in, word32 inSz, byte * out, word32 * outSz) This function extracts the KeyAgreeRecipientIdentifier object from an EnvelopedData package containing a KeyAgreeRecipientInfo RecipientInfo object. Only the first KeyAgreeRecipientIdentifer found in the first RecipientInfo is copied. This function does not support multiple RecipientInfo objects or multiple RecipientEncryptedKey objects within an KeyAgreeRecipientInfo. |
| int | wc_PKCS7_DecodeEncryptedData(wc_PKCS7 * pkcs7, byte * pkiMsg, word32 pkiMsgSz, byte * output, word32 outputSz) This function unwraps and decrypts a PKCS7 encrypted data content type, decoding the message into output. It uses the encryption key of the PKCS7 object passed in via pkcs7->encryptionKey and pkcs7->encryptionKeySz to decrypt the message. |
| int | wc_PKCS7_DecodeEncryptedKeyPackage(wc_PKCS7 * pkcs7, byte * pkiMsg, word32 pkiMsgSz, byte * output, word32 outputSz) This function unwraps and decrypts a PKCS7 encrypted key package content type, decoding the message into output. If the wrapped content type is EncryptedData, the encryption key must be set in the pkcs7 input structure (via pkcs7_>encryptionKey and pkcs7_>encryptionKeySz). If the wrapped content type is EnvelopedData, the private key must be set in the pkcs7 input structure (via pkcs7_>privateKey and pkcs7_>privateKeySz). A wrapped content type of AuthEnvelopedData is not currently supported. |
| int | wc_PKCS7_DecodeSymmetricKeyPackageAttribute(const byte * skp, word32 skpSz, size_t index, const byte ** attr, word32 * attrSz) This function provides access to a SymmetricKeyPackage attribute. |
| int | wc_PKCS7_DecodeSymmetricKeyPackageKey(const byte * skp, word32 skpSz, size_t index, const byte ** key, word32 * keySz) This function provides access to a SymmetricKeyPackage key. |
| int | wc_PKCS7_DecodeOneSymmetricKeyAttribute(const byte * osk, word32 oskSz, size_t index, const byte ** attr, word32 * attrSz) This function provides access to a OneSymmetricKey attribute. |
| int | wc_PKCS7_DecodeOneSymmetricKeyKey(const byte * osk, word32 oskSz, const byte ** key, word32 * keySz) This function provides access to a OneSymmetricKey key. |
| PKCS7 * | wolfSSL_PKCS7_new(void ) Creates new PKCS7 structure. |
| PKCS7_SIGNED * | wolfSSL_PKCS7_SIGNED_new(void ) Creates new PKCS7_SIGNED structure. |
| void | wolfSSL_PKCS7_free(PKCS7 * p7) Frees PKCS7 structure. |
| void | wolfSSL_PKCS7_SIGNED_free(PKCS7_SIGNED * p7) Frees PKCS7_SIGNED structure. |
| PKCS7 * | wolfSSL_d2i_PKCS7(PKCS7 p7, const unsigned char in, int len) Decodes DER-encoded PKCS7 structure. |
| PKCS7 * | wolfSSL_d2i_PKCS7_bio(WOLFSSL_BIO * bio, PKCS7 ** p7) Decodes PKCS7 from BIO. |
| int | wolfSSL_i2d_PKCS7_bio(WOLFSSL_BIO * bio, PKCS7 * p7) Encodes PKCS7 to BIO. |
| int | wolfSSL_i2d_PKCS7(PKCS7 * p7, unsigned char ** out) Encodes PKCS7 to DER. |
| PKCS7 * | wolfSSL_PKCS7_sign(WOLFSSL_X509 * signer, WOLFSSL_EVP_PKEY * pkey, WOLFSSL_STACK * certs, WOLFSSL_BIO * in, int flags) Creates signed PKCS7 message. |
| int | wolfSSL_PKCS7_verify(PKCS7 * p7, WOLFSSL_STACK * certs, WOLFSSL_X509_STORE * store, WOLFSSL_BIO * in, WOLFSSL_BIO * out, int flags) Verifies signed PKCS7 message. |
| int | wolfSSL_PKCS7_final(PKCS7 * pkcs7, WOLFSSL_BIO * in, int flags) Finalizes PKCS7 structure with data. |
| int | wolfSSL_PKCS7_encode_certs(PKCS7 * p7, WOLFSSL_STACK * certs, WOLFSSL_BIO * out) Encodes certificates into PKCS7. |
| WOLFSSL_STACK * | wolfSSL_PKCS7_to_stack(PKCS7 * pkcs7) Converts PKCS7 certificates to stack. |
| WOLFSSL_STACK * | wolfSSL_PKCS7_get0_signers(PKCS7 * p7, WOLFSSL_STACK * certs, int flags) Gets signer certificates from PKCS7. |
| int | wolfSSL_PEM_write_bio_PKCS7(WOLFSSL_BIO * bio, PKCS7 * p7) Writes PKCS7 to BIO in PEM format. |
| PKCS7 * | wolfSSL_SMIME_read_PKCS7(WOLFSSL_BIO * in, WOLFSSL_BIO ** bcont) Reads S/MIME PKCS7 from BIO. |
| int | wolfSSL_SMIME_write_PKCS7(WOLFSSL_BIO * out, PKCS7 * pkcs7, WOLFSSL_BIO * in, int flags) Writes PKCS7 to BIO in S/MIME format. |
| wc_PKCS7 * | wc_PKCS7_New(void * heap, int devId) Creates new wc_PKCS7 structure. |
| void | wc_PKCS7_SetUnknownExtCallback(wc_PKCS7 * pkcs7, wc_UnknownExtCallback cb) Sets unknown extension callback. |
| int | wc_PKCS7_Init(wc_PKCS7 * pkcs7, void * heap, int devId) Initializes wc_PKCS7 structure. |
| int | wc_PKCS7_AddCertificate(wc_PKCS7 * pkcs7, byte * der, word32 derSz) Adds certificate to PKCS7. |
| int | wc_PKCS7_GetAttributeValue(wc_PKCS7 * pkcs7, const byte * oid, word32 oidSz, byte * out, word32 * outSz) Gets attribute value from PKCS7. |
| int | wc_PKCS7_SetSignerIdentifierType(wc_PKCS7 * pkcs7, int type) Sets signer identifier type. |
| int | wc_PKCS7_SetContentType(wc_PKCS7 * pkcs7, byte * contentType, word32 sz) Sets content type. |
| int | wc_PKCS7_GetPadSize(word32 inputSz, word32 blockSz) Gets padding size for block cipher. |
| int | wc_PKCS7_PadData(byte * in, word32 inSz, byte * out, word32 outSz, word32 blockSz) Pads data for block cipher. |
| int | wc_PKCS7_SetCustomSKID(wc_PKCS7 * pkcs7, const byte * in, word16 inSz) Sets custom subject key identifier. |
| int | wc_PKCS7_SetDetached(wc_PKCS7 * pkcs7, word16 flag) Sets detached signature flag. |
| int | wc_PKCS7_NoDefaultSignedAttribs(wc_PKCS7 * pkcs7) Disables default signed attributes. |
| int | wc_PKCS7_SetDefaultSignedAttribs(wc_PKCS7 * pkcs7, word16 flag) Sets default signed attributes flag. |
| void | wc_PKCS7_AllowDegenerate(wc_PKCS7 * pkcs7, word16 flag) Allows degenerate PKCS7 (no signers). |
| int | wc_PKCS7_GetSignerSID(wc_PKCS7 * pkcs7, byte * out, word32 * outSz) Gets signer subject identifier. |
| int | wc_PKCS7_EncodeSignedFPD(wc_PKCS7 * pkcs7, byte * privateKey, word32 privateKeySz, int signOID, int hashOID, byte * content, word32 contentSz, PKCS7Attrib * signedAttribs, word32 signedAttribsSz, byte * output, word32 outputSz) Encodes signed FirmwarePackageData. |
| int | wc_PKCS7_EncodeSignedEncryptedFPD(wc_PKCS7 * pkcs7, byte * encryptKey, word32 encryptKeySz, byte * privateKey, word32 privateKeySz, int encryptOID, int signOID, int hashOID, byte * content, word32 contentSz, PKCS7Attrib * unprotectedAttribs, word32 unprotectedAttribsSz, PKCS7Attrib * signedAttribs, word32 signedAttribsSz, byte * output, word32 outputSz) Encodes signed encrypted FirmwarePackageData. |
| int | wc_PKCS7_EncodeSignedCompressedFPD(wc_PKCS7 * pkcs7, byte * privateKey, word32 privateKeySz, int signOID, int hashOID, byte * content, word32 contentSz, PKCS7Attrib * signedAttribs, word32 signedAttribsSz, byte * output, word32 outputSz) Encodes signed compressed FirmwarePackageData. |
| int | wc_PKCS7_EncodeSignedEncryptedCompressedFPD(wc_PKCS7 * pkcs7, byte * encryptKey, word32 encryptKeySz, byte * privateKey, word32 privateKeySz, int encryptOID, int signOID, int hashOID, byte * content, word32 contentSz, PKCS7Attrib * unprotectedAttribs, word32 unprotectedAttribsSz, PKCS7Attrib * signedAttribs, word32 signedAttribsSz, byte * output, word32 outputSz) Encodes signed encrypted compressed FirmwarePackageData. |
| int | wc_PKCS7_AddRecipient_KTRI(wc_PKCS7 * pkcs7, const byte * cert, word32 certSz, int options) Adds KTRI recipient. |
| int | wc_PKCS7_AddRecipient_KARI(wc_PKCS7 * pkcs7, const byte * cert, word32 certSz, int keyWrapOID, int keyAgreeOID, byte * ukm, word32 ukmSz, int options) Adds KARI recipient. |
| int | wc_PKCS7_SetKey(wc_PKCS7 * pkcs7, byte * key, word32 keySz) Sets encryption key. |
| int | wc_PKCS7_AddRecipient_KEKRI(wc_PKCS7 * pkcs7, int keyWrapOID, byte * kek, word32 kekSz, byte * keyID, word32 keyIdSz, void * timePtr, byte * otherOID, word32 otherOIDSz, byte * other, word32 otherSz, int options) Adds KEKRI recipient. |
| int | wc_PKCS7_SetPassword(wc_PKCS7 * pkcs7, byte * passwd, word32 pLen) Sets password for PWRI. |
| int | wc_PKCS7_AddRecipient_PWRI(wc_PKCS7 * pkcs7, byte * passwd, word32 pLen, byte * salt, word32 saltSz, int kdfOID, int prfOID, int iterations, int kekEncryptOID, int options) Adds PWRI recipient. |
| int | wc_PKCS7_SetOriEncryptCtx(wc_PKCS7 * pkcs7, void * ctx) Sets originator encryption context. |
| int | wc_PKCS7_SetOriDecryptCtx(wc_PKCS7 * pkcs7, void * ctx) Sets originator decryption context. |
| int | wc_PKCS7_SetOriDecryptCb(wc_PKCS7 * pkcs7, CallbackOriDecrypt cb) Sets originator decryption callback. |
| int | wc_PKCS7_AddRecipient_ORI(wc_PKCS7 * pkcs7, CallbackOriEncrypt cb, int options) Adds ORI recipient. |
| int | wc_PKCS7_SetWrapCEKCb(wc_PKCS7 * pkcs7, CallbackWrapCEK wrapCEKCb) Sets CEK wrap callback. |
| int | wc_PKCS7_SetRsaSignRawDigestCb(wc_PKCS7 * pkcs7, CallbackRsaSignRawDigest cb) Sets RSA sign raw digest callback. |
| int | wc_PKCS7_EncodeAuthEnvelopedData(wc_PKCS7 * pkcs7, byte * output, word32 outputSz) Encodes authenticated enveloped data. |
| int | wc_PKCS7_DecodeAuthEnvelopedData(wc_PKCS7 * pkcs7, byte * pkiMsg, word32 pkiMsgSz, byte * output, word32 outputSz) Decodes authenticated enveloped data. |
| int | wc_PKCS7_EncodeEncryptedData(wc_PKCS7 * pkcs7, byte * output, word32 outputSz) Encodes encrypted data. |
| int | wc_PKCS7_SetDecodeEncryptedCb(wc_PKCS7 * pkcs7, CallbackDecryptContent decryptionCb) Sets decode encrypted callback. |
| int | wc_PKCS7_SetDecodeEncryptedCtx(wc_PKCS7 * pkcs7, void * ctx) Sets decode encrypted context. |
| int | wc_PKCS7_SetStreamMode(wc_PKCS7 * pkcs7, byte flag, CallbackGetContent getContentCb, CallbackStreamOut streamOutCb, void * ctx) Sets stream mode for PKCS7. |
| int | wc_PKCS7_GetStreamMode(wc_PKCS7 * pkcs7) Gets stream mode setting. |
| int | wc_PKCS7_SetNoCerts(wc_PKCS7 * pkcs7, byte flag) Sets no certificates flag. |
| int | wc_PKCS7_GetNoCerts(wc_PKCS7 * pkcs7) Gets no certificates flag. |
| int | wc_PKCS7_EncodeCompressedData(wc_PKCS7 * pkcs7, byte * output, word32 outputSz) Encodes compressed data. |
| int | wc_PKCS7_DecodeCompressedData(wc_PKCS7 * pkcs7, byte * pkiMsg, word32 pkiMsgSz, byte * output, word32 outputSz) Decodes compressed data. |
Types Documentation
typedef CallbackAESKeyWrapUnwrap
typedef int(* CallbackAESKeyWrapUnwrap) (const byte *key, word32 keySz, const byte *in, word32 inSz, int wrap, byte *out, word32 outSz);
Callback used for a custom AES key wrap/unwrap operation.
Parameters:
- key Specify the key to use.
- keySz Size of the key to use.
- in Specify the input data to wrap/unwrap.
- inSz Size of the input data.
- wrap 1 if the requested operation is a key wrap, 0 for unwrap.
- out Specify the output buffer.
- outSz Size of the output buffer.
Return: The size of the wrapped/unwrapped key written to the output buffer should be returned on success. A 0 return value or error code (< 0) indicates a failure.
Functions Documentation
function wc_PKCS7_InitWithCert
int wc_PKCS7_InitWithCert(
wc_PKCS7 * pkcs7,
byte * der,
word32 derSz
)
This function initializes a PKCS7 structure with a DER-formatted certificate. To initialize an empty PKCS7 structure, one can pass in a NULL cert and 0 for certSz.
Parameters:
- pkcs7 pointer to the PKCS7 structure in which to store the decoded cert
- der pointer to a buffer containing a DER formatted ASN.1 certificate with which to initialize the PKCS7 structure
- derSz size of the certificate buffer
See: wc_PKCS7_Free
Return:
- 0 Returned on successfully initializing the PKCS7 structure
- MEMORY_E Returned if there is an error allocating memory with XMALLOC
- ASN_PARSE_E Returned if there is an error parsing the cert header
- ASN_OBJECT_ID_E Returned if there is an error parsing the encryption type from the cert
- ASN_EXPECT_0_E Returned if there is a formatting error in the encryption specification of the cert file
- ASN_BEFORE_DATE_E Returned if the date is before the certificate start date
- ASN_AFTER_DATE_E Returned if the date is after the certificate expiration date
- ASN_BITSTR_E Returned if there is an error parsing a bit string from the certificate
- ECC_CURVE_OID_E Returned if there is an error parsing the ECC key from the certificate
- ASN_UNKNOWN_OID_E Returned if the certificate is using an unknown key object id
- ASN_VERSION_E Returned if the ALLOW_V1_EXTENSIONS option is not defined and the certificate is a V1 or V2 certificate
- BAD_FUNC_ARG Returned if there is an error processing the certificate extension
- ASN_CRIT_EXT_E Returned if an unfamiliar critical extension is encountered in processing the certificate
- ASN_SIG_OID_E Returned if the signature encryption type is not the same as the encryption type of the certificate in the provided file
- ASN_SIG_CONFIRM_E Returned if confirming the certification signature fails
- ASN_NAME_INVALID_E Returned if the certificate’s name is not permitted by the CA name constraints
- ASN_NO_SIGNER_E Returned if there is no CA signer to verify the certificate’s authenticity
Example
wc_PKCS7 pkcs7;
byte derBuff[] = { }; // initialize with DER-encoded certificate
if ( wc_PKCS7_InitWithCert(&pkcs7, derBuff, sizeof(derBuff)) != 0 ) {
// error parsing certificate into pkcs7 format
}
function wc_PKCS7_Free
void wc_PKCS7_Free(
wc_PKCS7 * pkcs7
)
This function releases any memory allocated by a PKCS7 initializer.
Parameters:
- pkcs7 pointer to the PKCS7 structure to free
Return: none No returns.
Example
PKCS7 pkcs7;
// initialize and use PKCS7 object
wc_PKCS7_Free(pkcs7);
function wc_PKCS7_EncodeData
int wc_PKCS7_EncodeData(
wc_PKCS7 * pkcs7,
byte * output,
word32 outputSz
)
This function builds the PKCS7 data content type, encoding the PKCS7 structure into a buffer containing a parsable PKCS7 data packet.
Parameters:
- pkcs7 pointer to the PKCS7 structure to encode
- output pointer to the buffer in which to store the encoded certificate
- outputSz size available in the output buffer
Return:
- Success On successfully encoding the PKCS7 data into the buffer, returns the index parsed up to in the PKCS7 structure. This index also corresponds to the bytes written to the output buffer.
- BUFFER_E Returned if the given buffer is not large enough to hold the encoded certificate
Example
PKCS7 pkcs7;
int ret;
byte derBuff[] = { }; // initialize with DER-encoded certificate
byte pkcs7Buff[FOURK_BUF];
wc_PKCS7_InitWithCert(&pkcs7, derBuff, sizeof(derBuff));
// update message and data to encode
pkcs7.privateKey = key;
pkcs7.privateKeySz = keySz;
pkcs7.content = data;
pkcs7.contentSz = dataSz;
... etc.
ret = wc_PKCS7_EncodeData(&pkcs7, pkcs7Buff, sizeof(pkcs7Buff));
if ( ret != 0 ) {
// error encoding into output buffer
}
function wc_PKCS7_EncodeSignedData
int wc_PKCS7_EncodeSignedData(
wc_PKCS7 * pkcs7,
byte * output,
word32 outputSz
)
This function builds the PKCS7 signed data content type, encoding the PKCS7 structure into a buffer containing a parsable PKCS7 signed data packet.
Parameters:
- pkcs7 pointer to the PKCS7 structure to encode
- output pointer to the buffer in which to store the encoded certificate
- outputSz size available in the output buffer
See:
Return:
- Success On successfully encoding the PKCS7 data into the buffer, returns the index parsed up to in the PKCS7 structure. This index also corresponds to the bytes written to the output buffer.
- BAD_FUNC_ARG Returned if the PKCS7 structure is missing one or more required elements to generate a signed data packet
- MEMORY_E Returned if there is an error allocating memory
- PUBLIC_KEY_E Returned if there is an error parsing the public key
- RSA_BUFFER_E Returned if buffer error, output too small or input too large
- BUFFER_E Returned if the given buffer is not large enough to hold the encoded certificate
- MP_INIT_E may be returned if there is an error generating the signature
- MP_READ_E may be returned if there is an error generating the signature
- MP_CMP_E may be returned if there is an error generating the signature
- MP_INVMOD_E may be returned if there is an error generating the signature
- MP_EXPTMOD_E may be returned if there is an error generating the signature
- MP_MOD_E may be returned if there is an error generating the signature
- MP_MUL_E may be returned if there is an error generating the signature
- MP_ADD_E may be returned if there is an error generating the signature
- MP_MULMOD_E may be returned if there is an error generating the signature
- MP_TO_E may be returned if there is an error generating the signature
- MP_MEM may be returned if there is an error generating the signature
Example
PKCS7 pkcs7;
int ret;
byte data[] = {}; // initialize with data to sign
byte derBuff[] = { }; // initialize with DER-encoded certificate
byte pkcs7Buff[FOURK_BUF];
wc_PKCS7_InitWithCert(&pkcs7, derBuff, sizeof(derBuff));
// update message and data to encode
pkcs7.privateKey = key;
pkcs7.privateKeySz = keySz;
pkcs7.content = data;
pkcs7.contentSz = dataSz;
pkcs7.hashOID = SHAh;
pkcs7.rng = &rng;
... etc.
ret = wc_PKCS7_EncodeSignedData(&pkcs7, pkcs7Buff, sizeof(pkcs7Buff));
if ( ret != 0 ) {
// error encoding into output buffer
}
wc_PKCS7_Free(&pkcs7);
function wc_PKCS7_EncodeSignedData_ex
int wc_PKCS7_EncodeSignedData_ex(
wc_PKCS7 * pkcs7,
const byte * hashBuf,
word32 hashSz,
byte * outputHead,
word32 * outputHeadSz,
byte * outputFoot,
word32 * outputFootSz
)
This function builds the PKCS7 signed data content type, encoding the PKCS7 structure into a header and footer buffer containing a parsable PKCS7 signed data packet. This does not include the content. A hash must be computed and provided for the data.
Parameters:
- pkcs7 pointer to the PKCS7 structure to encode
- hashBuf pointer to computed hash for the content data
- hashSz size of the digest
- outputHead pointer to the buffer in which to store the encoded certificate header
- outputHeadSz pointer populated with size of output header buffer and returns actual size
- outputFoot pointer to the buffer in which to store the encoded certificate footer
- outputFootSz pointer populated with size of output footer buffer and returns actual size
See:
Return:
- 0=Success
- BAD_FUNC_ARG Returned if the PKCS7 structure is missing one or more required elements to generate a signed data packet
- MEMORY_E Returned if there is an error allocating memory
- PUBLIC_KEY_E Returned if there is an error parsing the public key
- RSA_BUFFER_E Returned if buffer error, output too small or input too large
- BUFFER_E Returned if the given buffer is not large enough to hold the encoded certificate
- MP_INIT_E may be returned if there is an error generating the signature
- MP_READ_E may be returned if there is an error generating the signature
- MP_CMP_E may be returned if there is an error generating the signature
- MP_INVMOD_E may be returned if there is an error generating the signature
- MP_EXPTMOD_E may be returned if there is an error generating the signature
- MP_MOD_E may be returned if there is an error generating the signature
- MP_MUL_E may be returned if there is an error generating the signature
- MP_ADD_E may be returned if there is an error generating the signature
- MP_MULMOD_E may be returned if there is an error generating the signature
- MP_TO_E may be returned if there is an error generating the signature
- MP_MEM may be returned if there is an error generating the signature
Example
PKCS7 pkcs7;
int ret;
byte derBuff[] = { }; // initialize with DER-encoded certificate
byte data[] = {}; // initialize with data to sign
byte pkcs7HeadBuff[FOURK_BUF/2];
byte pkcs7FootBuff[FOURK_BUF/2];
word32 pkcs7HeadSz = (word32)sizeof(pkcs7HeadBuff);
word32 pkcs7FootSz = (word32)sizeof(pkcs7HeadBuff);
enum wc_HashType hashType = WC_HASH_TYPE_SHA;
byte hashBuf[WC_MAX_DIGEST_SIZE];
word32 hashSz = wc_HashGetDigestSize(hashType);
wc_PKCS7_InitWithCert(&pkcs7, derBuff, sizeof(derBuff));
// update message and data to encode
pkcs7.privateKey = key;
pkcs7.privateKeySz = keySz;
pkcs7.content = NULL;
pkcs7.contentSz = dataSz;
pkcs7.hashOID = SHAh;
pkcs7.rng = &rng;
... etc.
// calculate hash for content
ret = wc_HashInit(&hash, hashType);
if (ret == 0) {
ret = wc_HashUpdate(&hash, hashType, data, sizeof(data));
if (ret == 0) {
ret = wc_HashFinal(&hash, hashType, hashBuf);
}
wc_HashFree(&hash, hashType);
}
ret = wc_PKCS7_EncodeSignedData_ex(&pkcs7, hashBuf, hashSz, pkcs7HeadBuff,
&pkcs7HeadSz, pkcs7FootBuff, &pkcs7FootSz);
if ( ret != 0 ) {
// error encoding into output buffer
}
wc_PKCS7_Free(&pkcs7);
function wc_PKCS7_VerifySignedData
int wc_PKCS7_VerifySignedData(
wc_PKCS7 * pkcs7,
byte * pkiMsg,
word32 pkiMsgSz
)
This function takes in a transmitted PKCS7 signed data message, extracts the certificate list and certificate revocation list, and then verifies the signature. It stores the extracted content in the given PKCS7 structure.
Parameters:
- pkcs7 pointer to the PKCS7 structure in which to store the parsed certificates
- pkiMsg pointer to the buffer containing the signed message to verify and decode
- pkiMsgSz size of the signed message
See:
Return:
- 0 Returned on successfully extracting the information from the message
- BAD_FUNC_ARG Returned if one of the input parameters is invalid
- ASN_PARSE_E Returned if there is an error parsing the given pkiMsg
- PKCS7_OID_E Returned if the given pkiMsg is not a signed data type
- ASN_VERSION_E Returned if the PKCS7 signer info is not version 1
- MEMORY_E Returned if there is an error allocating memory
- PUBLIC_KEY_E Returned if there is an error parsing the public key
- RSA_BUFFER_E Returned if buffer error, output too small or input too large
- BUFFER_E Returned if the given buffer is not large enough to hold the encoded certificate
- MP_INIT_E may be returned if there is an error generating the signature
- MP_READ_E may be returned if there is an error generating the signature
- MP_CMP_E may be returned if there is an error generating the signature
- MP_INVMOD_E may be returned if there is an error generating the signature
- MP_EXPTMOD_E may be returned if there is an error generating the signature
- MP_MOD_E may be returned if there is an error generating the signature
- MP_MUL_E may be returned if there is an error generating the signature
- MP_ADD_E may be returned if there is an error generating the signature
- MP_MULMOD_E may be returned if there is an error generating the signature
- MP_TO_E may be returned if there is an error generating the signature
- MP_MEM may be returned if there is an error generating the signature
Example
PKCS7 pkcs7;
int ret;
byte pkcs7Buff[] = {}; // the PKCS7 signature
wc_PKCS7_InitWithCert(&pkcs7, NULL, 0);
// update message and data to encode
pkcs7.privateKey = key;
pkcs7.privateKeySz = keySz;
pkcs7.content = data;
pkcs7.contentSz = dataSz;
... etc.
ret = wc_PKCS7_VerifySignedData(&pkcs7, pkcs7Buff, sizeof(pkcs7Buff));
if ( ret != 0 ) {
// error encoding into output buffer
}
wc_PKCS7_Free(&pkcs7);
function wc_PKCS7_VerifySignedData_ex
int wc_PKCS7_VerifySignedData_ex(
wc_PKCS7 * pkcs7,
const byte * hashBuf,
word32 hashSz,
byte * pkiMsgHead,
word32 pkiMsgHeadSz,
byte * pkiMsgFoot,
word32 pkiMsgFootSz
)
This function takes in a transmitted PKCS7 signed data message as hash/header/footer, then extracts the certificate list and certificate revocation list, and then verifies the signature. It stores the extracted content in the given PKCS7 structure.
Parameters:
- pkcs7 pointer to the PKCS7 structure in which to store the parsed certificates
- hashBuf pointer to computed hash for the content data
- hashSz size of the digest
- pkiMsgHead pointer to the buffer containing the signed message header to verify and decode
- pkiMsgHeadSz size of the signed message header
- pkiMsgFoot pointer to the buffer containing the signed message footer to verify and decode
- pkiMsgFootSz size of the signed message footer
See:
Return:
- 0 Returned on successfully extracting the information from the message
- BAD_FUNC_ARG Returned if one of the input parameters is invalid
- ASN_PARSE_E Returned if there is an error parsing the given pkiMsg
- PKCS7_OID_E Returned if the given pkiMsg is not a signed data type
- ASN_VERSION_E Returned if the PKCS7 signer info is not version 1
- MEMORY_E Returned if there is an error allocating memory
- PUBLIC_KEY_E Returned if there is an error parsing the public key
- RSA_BUFFER_E Returned if buffer error, output too small or input too large
- BUFFER_E Returned if the given buffer is not large enough to hold the encoded certificate
- MP_INIT_E may be returned if there is an error generating the signature
- MP_READ_E may be returned if there is an error generating the signature
- MP_CMP_E may be returned if there is an error generating the signature
- MP_INVMOD_E may be returned if there is an error generating the signature
- MP_EXPTMOD_E may be returned if there is an error generating the signature
- MP_MOD_E may be returned if there is an error generating the signature
- MP_MUL_E may be returned if there is an error generating the signature
- MP_ADD_E may be returned if there is an error generating the signature
- MP_MULMOD_E may be returned if there is an error generating the signature
- MP_TO_E may be returned if there is an error generating the signature
- MP_MEM may be returned if there is an error generating the signature
Example
PKCS7 pkcs7;
int ret;
byte data[] = {}; // initialize with data to sign
byte pkcs7HeadBuff[] = {}; // initialize with PKCS7 header
byte pkcs7FootBuff[] = {}; // initialize with PKCS7 footer
enum wc_HashType hashType = WC_HASH_TYPE_SHA;
byte hashBuf[WC_MAX_DIGEST_SIZE];
word32 hashSz = wc_HashGetDigestSize(hashType);
wc_PKCS7_InitWithCert(&pkcs7, NULL, 0);
// update message and data to encode
pkcs7.privateKey = key;
pkcs7.privateKeySz = keySz;
pkcs7.content = NULL;
pkcs7.contentSz = dataSz;
pkcs7.rng = &rng;
... etc.
// calculate hash for content
ret = wc_HashInit(&hash, hashType);
if (ret == 0) {
ret = wc_HashUpdate(&hash, hashType, data, sizeof(data));
if (ret == 0) {
ret = wc_HashFinal(&hash, hashType, hashBuf);
}
wc_HashFree(&hash, hashType);
}
ret = wc_PKCS7_VerifySignedData_ex(&pkcs7, hashBuf, hashSz, pkcs7HeadBuff,
sizeof(pkcs7HeadBuff), pkcs7FootBuff, sizeof(pkcs7FootBuff));
if ( ret != 0 ) {
// error encoding into output buffer
}
wc_PKCS7_Free(&pkcs7);
function wc_PKCS7_SetAESKeyWrapUnwrapCb
int wc_PKCS7_SetAESKeyWrapUnwrapCb(
wc_PKCS7 * pkcs7,
CallbackAESKeyWrapUnwrap aesKeyWrapCb
)
Set the callback function to be used to perform a custom AES key wrap/unwrap operation.
Parameters:
- pkcs7 pointer to the PKCS7 structure
- aesKeyWrapCb pointer to custom AES key wrap/unwrap function
Returns:
- 0 Callback function was set successfully
- BAD_FUNC_ARG Parameter pkcs7 is NULL
function wc_PKCS7_EncodeEnvelopedData
int wc_PKCS7_EncodeEnvelopedData(
wc_PKCS7 * pkcs7,
byte * output,
word32 outputSz
)
This function builds the PKCS7 enveloped data content type, encoding the PKCS7 structure into a buffer containing a parsable PKCS7 enveloped data packet.
Parameters:
- pkcs7 pointer to the PKCS7 structure to encode
- output pointer to the buffer in which to store the encoded certificate
- outputSz size available in the output buffer
See:
Return:
- Success Returned on successfully encoding the message in enveloped data format, returns the size written to the output buffer
- BAD_FUNC_ARG: Returned if one of the input parameters is invalid, or if the PKCS7 structure is missing required elements
- ALGO_ID_E Returned if the PKCS7 structure is using an unsupported algorithm type. Currently, only DESb and DES3b are supported
- BUFFER_E Returned if the given output buffer is too small to store the output data
- MEMORY_E Returned if there is an error allocating memory
- RNG_FAILURE_E Returned if there is an error initializing the random number generator for encryption
- DRBG_FAILED Returned if there is an error generating numbers with the random number generator used for encryption
- NOT_COMPILED_IN may be returned if using an ECC key and wolfssl was built without HAVE_X963_KDF support
Example
PKCS7 pkcs7;
int ret;
byte derBuff[] = { }; // initialize with DER-encoded certificate
byte pkcs7Buff[FOURK_BUF];
wc_PKCS7_InitWithCert(&pkcs7, derBuff, sizeof(derBuff));
// update message and data to encode
pkcs7.privateKey = key;
pkcs7.privateKeySz = keySz;
pkcs7.content = data;
pkcs7.contentSz = dataSz;
... etc.
ret = wc_PKCS7_EncodeEnvelopedData(&pkcs7, pkcs7Buff, sizeof(pkcs7Buff));
if ( ret < 0 ) {
// error encoding into output buffer
}
function wc_PKCS7_DecodeEnvelopedData
int wc_PKCS7_DecodeEnvelopedData(
wc_PKCS7 * pkcs7,
byte * pkiMsg,
word32 pkiMsgSz,
byte * output,
word32 outputSz
)
This function unwraps and decrypts a PKCS7 enveloped data content type, decoding the message into output. It uses the private key of the PKCS7 object passed in to decrypt the message.
Parameters:
- pkcs7 pointer to the PKCS7 structure containing the private key with which to decode the enveloped data package
- pkiMsg pointer to the buffer containing the enveloped data package
- pkiMsgSz size of the enveloped data package
- output pointer to the buffer in which to store the decoded message
- outputSz size available in the output buffer
See:
Return:
- On successfully extracting the information from the message, returns the bytes written to output
- BAD_FUNC_ARG Returned if one of the input parameters is invalid
- ASN_PARSE_E Returned if there is an error parsing the given pkiMsg
- PKCS7_OID_E Returned if the given pkiMsg is not an enveloped data type
- ASN_VERSION_E Returned if the PKCS7 signer info is not version 0
- MEMORY_E Returned if there is an error allocating memory
- ALGO_ID_E Returned if the PKCS7 structure is using an unsupported algorithm type. Currently, only DESb and DES3b are supported for encryption, with RSAk for signature generation
- PKCS7_RECIP_E Returned if there is no recipient found in the enveloped data that matches the recipient provided
- RSA_BUFFER_E Returned if there is an error during RSA signature verification due to buffer error, output too small or input too large.
- MP_INIT_E may be returned if there is an error during signature verification
- MP_READ_E may be returned if there is an error during signature verification
- MP_CMP_E may be returned if there is an error during signature verification
- MP_INVMOD_E may be returned if there is an error during signature verification
- MP_EXPTMOD_E may be returned if there is an error during signature verification
- MP_MOD_E may be returned if there is an error during signature verification
- MP_MUL_E may be returned if there is an error during signature verification
- MP_ADD_E may be returned if there is an error during signature verification
- MP_MULMOD_E may be returned if there is an error during signature verification
- MP_TO_E may be returned if there is an error during signature verification
- MP_MEM may be returned if there is an error during signature verification
- NOT_COMPILED_IN may be returned if the EnvelopedData is encrypted using an ECC key and wolfssl was built without HAVE_X963_KDF support
Note that if the EnvelopedData is encrypted using an ECC key and the KeyAgreementRecipientInfo structure, then either the HAVE_AES_KEYWRAP build option should be enabled to enable the wolfcrypt built-in AES key wrap/unwrap functionality, or a custom AES key wrap/unwrap callback should be set with wc_PKCS7_SetAESKeyWrapUnwrapCb(). If neither of these is true, decryption will fail.
Example
PKCS7 pkcs7;
byte received[] = { }; // initialize with received enveloped message
byte decoded[FOURK_BUF];
int decodedSz;
// initialize pkcs7 with certificate
// update key
pkcs7.privateKey = key;
pkcs7.privateKeySz = keySz;
decodedSz = wc_PKCS7_DecodeEnvelopedData(&pkcs7, received,
sizeof(received),decoded, sizeof(decoded));
if ( decodedSz < 0 ) {
// error decoding message
}
function wc_PKCS7_GetEnvelopedDataKariRid
int wc_PKCS7_GetEnvelopedDataKariRid(
const byte * in,
word32 inSz,
byte * out,
word32 * outSz
)
This function extracts the KeyAgreeRecipientIdentifier object from an EnvelopedData package containing a KeyAgreeRecipientInfo RecipientInfo object. Only the first KeyAgreeRecipientIdentifer found in the first RecipientInfo is copied. This function does not support multiple RecipientInfo objects or multiple RecipientEncryptedKey objects within an KeyAgreeRecipientInfo.
Parameters:
- in Input buffer containing the EnvelopedData ContentInfo message.
- inSz Size of the input buffer.
- out Output buffer.
- outSz Output buffer size on input, Size written on output.
Return:
- Returns 0 on success.
- BAD_FUNC_ARG Returned if one of the input parameters is invalid.
- ASN_PARSE_E Returned if there is an error parsing the input message.
- PKCS7_OID_E Returned if the input message is not an enveloped data type.
- BUFFER_E Returned if there is not enough room in the output buffer.
function wc_PKCS7_DecodeEncryptedData
int wc_PKCS7_DecodeEncryptedData(
wc_PKCS7 * pkcs7,
byte * pkiMsg,
word32 pkiMsgSz,
byte * output,
word32 outputSz
)
This function unwraps and decrypts a PKCS7 encrypted data content type, decoding the message into output. It uses the encryption key of the PKCS7 object passed in via pkcs7->encryptionKey and pkcs7->encryptionKeySz to decrypt the message.
Parameters:
- pkcs7 pointer to the PKCS7 structure containing the encryption key with which to decode the encrypted data package
- pkiMsg pointer to the buffer containing the encrypted data package
- pkiMsgSz size of the encrypted data package
- output pointer to the buffer in which to store the decoded message
- outputSz size available in the output buffer
Return:
- On successfully extracting the information from the message, returns the bytes written to output
- BAD_FUNC_ARG Returned if one of the input parameters is invalid
- ASN_PARSE_E Returned if there is an error parsing the given pkiMsg
- PKCS7_OID_E Returned if the given pkiMsg is not an encrypted data type
- ASN_VERSION_E Returned if the PKCS7 signer info is not version 0
- MEMORY_E Returned if there is an error allocating memory
- BUFFER_E Returned if the encrypted content size is invalid
Example
PKCS7 pkcs7;
byte received[] = { }; // initialize with received encrypted data message
byte decoded[FOURK_BUF];
int decodedSz;
// initialize pkcs7 with certificate
// update key
pkcs7.encryptionKey = key;
pkcs7.encryptionKeySz = keySz;
decodedSz = wc_PKCS7_DecodeEncryptedData(&pkcs7, received,
sizeof(received), decoded, sizeof(decoded));
if ( decodedSz < 0 ) {
// error decoding message
}
function wc_PKCS7_DecodeEncryptedKeyPackage
int wc_PKCS7_DecodeEncryptedKeyPackage(
wc_PKCS7 * pkcs7,
byte * pkiMsg,
word32 pkiMsgSz,
byte * output,
word32 outputSz
)
This function unwraps and decrypts a PKCS7 encrypted key package content type, decoding the message into output. If the wrapped content type is EncryptedData, the encryption key must be set in the pkcs7 input structure (via pkcs7->encryptionKey and pkcs7->encryptionKeySz). If the wrapped content type is EnvelopedData, the private key must be set in the pkcs7 input structure (via pkcs7->privateKey and pkcs7->privateKeySz). A wrapped content type of AuthEnvelopedData is not currently supported.
Parameters:
- pkcs7 pointer to the PKCS7 structure containing the private key or encryption key with which to decode the encrypted key package
- pkiMsg pointer to the buffer containing the encrypted key package message
- pkiMsgSz size of the encrypted key package message
- output pointer to the buffer in which to store the decoded output
- outputSz size available in the output buffer
Return:
- On successfully extracting the information from the message, returns the bytes written to output
- BAD_FUNC_ARG Returned if one of the input parameters is invalid
- ASN_PARSE_E Returned if there is an error parsing the given pkiMsg or if the wrapped content type is EncryptedData and support for EncryptedData is not compiled in (e.g. NO_PKCS7_ENCRYPTED_DATA is set)
- PKCS7_OID_E Returned if the given pkiMsg is not an encrypted key package data type
This function will automatically call either wc_PKCS7_DecodeEnvelopedData() or wc_PKCS7_DecodeEncryptedData() depending on the wrapped content type. This function could also return any error code from either of those functions in addition to the error codes listed here.
Example
PKCS7 pkcs7;
byte received[] = { }; // initialize with received encrypted data message
byte decoded[FOURK_BUF];
int decodedSz;
// initialize pkcs7 with certificate
// update key for expected EnvelopedData (example)
pkcs7.privateKey = key;
pkcs7.privateKeySz = keySz;
decodedSz = wc_PKCS7_DecodeEncryptedKeyPackage(&pkcs7, received,
sizeof(received), decoded, sizeof(decoded));
if ( decodedSz < 0 ) {
// error decoding message
}
function wc_PKCS7_DecodeSymmetricKeyPackageAttribute
int wc_PKCS7_DecodeSymmetricKeyPackageAttribute(
const byte * skp,
word32 skpSz,
size_t index,
const byte ** attr,
word32 * attrSz
)
This function provides access to a SymmetricKeyPackage attribute.
Parameters:
- skp Input buffer containing the SymmetricKeyPackage object.
- skpSz Size of the SymmetricKeyPackage object.
- index Index of the attribute to access.
- attr Buffer in which to store the pointer to the requested attribute object.
- attrSz Buffer in which to store the size of the requested attribute object.
Return:
- 0 The requested attribute has been successfully located. attr and attrSz output variables are populated with the address and size of the attribute. The attribute will be in the same buffer passed in via the skp input pointer.
- BAD_FUNC_ARG One of the input parameters is invalid.
- ASN_PARSE_E An error was encountered parsing the input object.
- BAD_INDEX_E The requested attribute index was invalid.
function wc_PKCS7_DecodeSymmetricKeyPackageKey
int wc_PKCS7_DecodeSymmetricKeyPackageKey(
const byte * skp,
word32 skpSz,
size_t index,
const byte ** key,
word32 * keySz
)
This function provides access to a SymmetricKeyPackage key.
Parameters:
- skp Input buffer containing the SymmetricKeyPackage object.
- skpSz Size of the SymmetricKeyPackage object.
- index Index of the key to access.
- key Buffer in which to store the pointer to the requested key object.
- keySz Buffer in which to store the size of the requested key object.
Return:
- 0 The requested key has been successfully located. key and keySz output variables are populated with the address and size of the key. The key will be in the same buffer passed in via the skp input pointer.
- BAD_FUNC_ARG One of the input parameters is invalid.
- ASN_PARSE_E An error was encountered parsing the input object.
- BAD_INDEX_E The requested key index was invalid.
function wc_PKCS7_DecodeOneSymmetricKeyAttribute
int wc_PKCS7_DecodeOneSymmetricKeyAttribute(
const byte * osk,
word32 oskSz,
size_t index,
const byte ** attr,
word32 * attrSz
)
This function provides access to a OneSymmetricKey attribute.
Parameters:
- osk Input buffer containing the OneSymmetricKey object.
- oskSz Size of the OneSymmetricKey object.
- index Index of the attribute to access.
- attr Buffer in which to store the pointer to the requested attribute object.
- attrSz Buffer in which to store the size of the requested attribute object.
Return:
- 0 The requested attribute has been successfully located. attr and attrSz output variables are populated with the address and size of the attribute. The attribute will be in the same buffer passed in via the osk input pointer.
- BAD_FUNC_ARG One of the input parameters is invalid.
- ASN_PARSE_E An error was encountered parsing the input object.
- BAD_INDEX_E The requested attribute index was invalid.
function wc_PKCS7_DecodeOneSymmetricKeyKey
int wc_PKCS7_DecodeOneSymmetricKeyKey(
const byte * osk,
word32 oskSz,
const byte ** key,
word32 * keySz
)
This function provides access to a OneSymmetricKey key.
Parameters:
- osk Input buffer containing the OneSymmetricKey object.
- oskSz Size of the OneSymmetricKey object.
- key Buffer in which to store the pointer to the requested key object.
- keySz Buffer in which to store the size of the requested key object.
Return:
- 0 The requested key has been successfully located. key and keySz output variables are populated with the address and size of the key. The key will be in the same buffer passed in via the osk input pointer.
- BAD_FUNC_ARG One of the input parameters is invalid.
- ASN_PARSE_E An error was encountered parsing the input object.
function wolfSSL_PKCS7_new
PKCS7 * wolfSSL_PKCS7_new(
void
)
Creates new PKCS7 structure.
Parameters:
- none No parameters
See: wolfSSL_PKCS7_free
Return:
- Pointer to new PKCS7 structure on success
- NULL on error
Example
PKCS7* pkcs7 = wolfSSL_PKCS7_new();
if (pkcs7 != NULL) {
// use pkcs7
wolfSSL_PKCS7_free(pkcs7);
}
function wolfSSL_PKCS7_SIGNED_new
PKCS7_SIGNED * wolfSSL_PKCS7_SIGNED_new(
void
)
Creates new PKCS7_SIGNED structure.
Parameters:
- none No parameters
See: wolfSSL_PKCS7_SIGNED_free
Return:
- Pointer to new PKCS7_SIGNED structure on success
- NULL on error
Example
PKCS7_SIGNED* p7 = wolfSSL_PKCS7_SIGNED_new();
if (p7 != NULL) {
// use p7
wolfSSL_PKCS7_SIGNED_free(p7);
}
function wolfSSL_PKCS7_free
void wolfSSL_PKCS7_free(
PKCS7 * p7
)
Frees PKCS7 structure.
Parameters:
- p7 PKCS7 structure to free
See: wolfSSL_PKCS7_new
Return: none No returns
Example
PKCS7* pkcs7 = wolfSSL_PKCS7_new();
wolfSSL_PKCS7_free(pkcs7);
function wolfSSL_PKCS7_SIGNED_free
void wolfSSL_PKCS7_SIGNED_free(
PKCS7_SIGNED * p7
)
Frees PKCS7_SIGNED structure.
Parameters:
- p7 PKCS7_SIGNED structure to free
Return: none No returns
Example
PKCS7_SIGNED* p7 = wolfSSL_PKCS7_SIGNED_new();
wolfSSL_PKCS7_SIGNED_free(p7);
function wolfSSL_d2i_PKCS7
PKCS7 * wolfSSL_d2i_PKCS7(
PKCS7 ** p7,
const unsigned char ** in,
int len
)
Decodes DER-encoded PKCS7 structure.
Parameters:
- p7 Pointer to PKCS7 pointer (can be NULL)
- in Pointer to DER-encoded data
- len Length of DER data
See: wolfSSL_i2d_PKCS7
Return:
- Pointer to decoded PKCS7 structure on success
- NULL on error
Example
PKCS7* p7 = NULL;
const unsigned char* der = ...; // DER data
p7 = wolfSSL_d2i_PKCS7(&p7, &der, derLen);
function wolfSSL_d2i_PKCS7_bio
PKCS7 * wolfSSL_d2i_PKCS7_bio(
WOLFSSL_BIO * bio,
PKCS7 ** p7
)
Decodes PKCS7 from BIO.
Parameters:
- bio BIO to read from
- p7 Pointer to PKCS7 pointer (can be NULL)
Return:
- Pointer to decoded PKCS7 structure on success
- NULL on error
Example
WOLFSSL_BIO* bio = wolfSSL_BIO_new_file("pkcs7.der", "rb");
PKCS7* p7 = wolfSSL_d2i_PKCS7_bio(bio, NULL);
function wolfSSL_i2d_PKCS7_bio
int wolfSSL_i2d_PKCS7_bio(
WOLFSSL_BIO * bio,
PKCS7 * p7
)
Encodes PKCS7 to BIO.
Parameters:
- bio BIO to write to
- p7 PKCS7 structure to encode
Return:
- Length written on success
- negative on error
Example
WOLFSSL_BIO* bio = wolfSSL_BIO_new(wolfSSL_BIO_s_mem());
int ret = wolfSSL_i2d_PKCS7_bio(bio, p7);
function wolfSSL_i2d_PKCS7
int wolfSSL_i2d_PKCS7(
PKCS7 * p7,
unsigned char ** out
)
Encodes PKCS7 to DER.
Parameters:
- p7 PKCS7 structure to encode
- out Pointer to output buffer pointer
See: wolfSSL_d2i_PKCS7
Return:
- Length written on success
- negative on error
Example
unsigned char* der = NULL;
int len = wolfSSL_i2d_PKCS7(p7, &der);
function wolfSSL_PKCS7_sign
PKCS7 * wolfSSL_PKCS7_sign(
WOLFSSL_X509 * signer,
WOLFSSL_EVP_PKEY * pkey,
WOLFSSL_STACK * certs,
WOLFSSL_BIO * in,
int flags
)
Creates signed PKCS7 message.
Parameters:
- signer Signer certificate
- pkey Private key
- certs Additional certificates
- in Input data BIO
- flags Operation flags
See: wolfSSL_PKCS7_verify
Return:
- Pointer to signed PKCS7 structure on success
- NULL on error
Example
PKCS7* p7 = wolfSSL_PKCS7_sign(cert, pkey, NULL, bio, 0);
function wolfSSL_PKCS7_verify
int wolfSSL_PKCS7_verify(
PKCS7 * p7,
WOLFSSL_STACK * certs,
WOLFSSL_X509_STORE * store,
WOLFSSL_BIO * in,
WOLFSSL_BIO * out,
int flags
)
Verifies signed PKCS7 message.
Parameters:
- p7 PKCS7 structure to verify
- certs Certificate stack
- store Certificate store
- in Input data BIO
- out Output BIO
- flags Operation flags
See: wolfSSL_PKCS7_sign
Return:
- 1 on success
- 0 or negative on error
Example
int ret = wolfSSL_PKCS7_verify(p7, NULL, store, NULL, out, 0);
function wolfSSL_PKCS7_final
int wolfSSL_PKCS7_final(
PKCS7 * pkcs7,
WOLFSSL_BIO * in,
int flags
)
Finalizes PKCS7 structure with data.
Parameters:
- pkcs7 PKCS7 structure
- in Input data BIO
- flags Operation flags
See: wolfSSL_PKCS7_sign
Return:
- 1 on success
- 0 or negative on error
Example
int ret = wolfSSL_PKCS7_final(pkcs7, bio, 0);
function wolfSSL_PKCS7_encode_certs
int wolfSSL_PKCS7_encode_certs(
PKCS7 * p7,
WOLFSSL_STACK * certs,
WOLFSSL_BIO * out
)
Encodes certificates into PKCS7.
Parameters:
- p7 PKCS7 structure
- certs Certificate stack
- out Output BIO
Return:
- 1 on success
- 0 or negative on error
Example
int ret = wolfSSL_PKCS7_encode_certs(p7, certs, bio);
function wolfSSL_PKCS7_to_stack
WOLFSSL_STACK * wolfSSL_PKCS7_to_stack(
PKCS7 * pkcs7
)
Converts PKCS7 certificates to stack.
Parameters:
- pkcs7 PKCS7 structure
See: wolfSSL_PKCS7_encode_certs
Return:
- Pointer to certificate stack on success
- NULL on error
Example
WOLFSSL_STACK* certs = wolfSSL_PKCS7_to_stack(pkcs7);
function wolfSSL_PKCS7_get0_signers
WOLFSSL_STACK * wolfSSL_PKCS7_get0_signers(
PKCS7 * p7,
WOLFSSL_STACK * certs,
int flags
)
Gets signer certificates from PKCS7.
Parameters:
- p7 PKCS7 structure
- certs Certificate stack
- flags Operation flags
See: wolfSSL_PKCS7_verify
Return:
- Pointer to signer certificate stack on success
- NULL on error
Example
WOLFSSL_STACK* signers = wolfSSL_PKCS7_get0_signers(p7, NULL, 0);
function wolfSSL_PEM_write_bio_PKCS7
int wolfSSL_PEM_write_bio_PKCS7(
WOLFSSL_BIO * bio,
PKCS7 * p7
)
Writes PKCS7 to BIO in PEM format.
Parameters:
- bio Output BIO
- p7 PKCS7 structure
See: wolfSSL_SMIME_write_PKCS7
Return:
- 1 on success
- 0 or negative on error
Example
int ret = wolfSSL_PEM_write_bio_PKCS7(bio, p7);
function wolfSSL_SMIME_read_PKCS7
PKCS7 * wolfSSL_SMIME_read_PKCS7(
WOLFSSL_BIO * in,
WOLFSSL_BIO ** bcont
)
Reads S/MIME PKCS7 from BIO.
Parameters:
- in Input BIO
- bcont Pointer to content BIO pointer
See: wolfSSL_SMIME_write_PKCS7
Return:
- Pointer to PKCS7 structure on success
- NULL on error
Example
WOLFSSL_BIO* cont = NULL;
PKCS7* p7 = wolfSSL_SMIME_read_PKCS7(bio, &cont);
function wolfSSL_SMIME_write_PKCS7
int wolfSSL_SMIME_write_PKCS7(
WOLFSSL_BIO * out,
PKCS7 * pkcs7,
WOLFSSL_BIO * in,
int flags
)
Writes PKCS7 to BIO in S/MIME format.
Parameters:
- out Output BIO
- pkcs7 PKCS7 structure
- in Input data BIO
- flags Operation flags
Return:
- 1 on success
- 0 or negative on error
Example
int ret = wolfSSL_SMIME_write_PKCS7(out, pkcs7, in, 0);
function wc_PKCS7_New
wc_PKCS7 * wc_PKCS7_New(
void * heap,
int devId
)
Creates new wc_PKCS7 structure.
Parameters:
- heap Heap hint
- devId Device ID
See: wc_PKCS7_Init
Return:
- Pointer to new wc_PKCS7 structure on success
- NULL on error
Example
wc_PKCS7* pkcs7 = wc_PKCS7_New(NULL, INVALID_DEVID);
function wc_PKCS7_SetUnknownExtCallback
void wc_PKCS7_SetUnknownExtCallback(
wc_PKCS7 * pkcs7,
wc_UnknownExtCallback cb
)
Sets unknown extension callback.
Parameters:
- pkcs7 PKCS7 structure
- cb Callback function
See: wc_PKCS7_Init
Return: none No returns
Example
wc_PKCS7_SetUnknownExtCallback(pkcs7, myCallback);
function wc_PKCS7_Init
int wc_PKCS7_Init(
wc_PKCS7 * pkcs7,
void * heap,
int devId
)
Initializes wc_PKCS7 structure.
Parameters:
- pkcs7 PKCS7 structure
- heap Heap hint
- devId Device ID
See: wc_PKCS7_New
Return:
- 0 on success
- negative on error
Example
wc_PKCS7 pkcs7;
int ret = wc_PKCS7_Init(&pkcs7, NULL, INVALID_DEVID);
function wc_PKCS7_AddCertificate
int wc_PKCS7_AddCertificate(
wc_PKCS7 * pkcs7,
byte * der,
word32 derSz
)
Adds certificate to PKCS7.
Parameters:
- pkcs7 PKCS7 structure
- der DER-encoded certificate
- derSz Certificate size
See: wc_PKCS7_Init
Return:
- 0 on success
- negative on error
Example
int ret = wc_PKCS7_AddCertificate(&pkcs7, cert, certSz);
function wc_PKCS7_GetAttributeValue
int wc_PKCS7_GetAttributeValue(
wc_PKCS7 * pkcs7,
const byte * oid,
word32 oidSz,
byte * out,
word32 * outSz
)
Gets attribute value from PKCS7.
Parameters:
- pkcs7 PKCS7 structure
- oid Attribute OID
- oidSz OID size
- out Output buffer
- outSz Output buffer size pointer
See: wc_PKCS7_Init
Return:
- 0 on success
- negative on error
Example
byte value[256];
word32 valueSz = sizeof(value);
int ret = wc_PKCS7_GetAttributeValue(&pkcs7, oid, oidSz, value,
&valueSz);
function wc_PKCS7_SetSignerIdentifierType
int wc_PKCS7_SetSignerIdentifierType(
wc_PKCS7 * pkcs7,
int type
)
Sets signer identifier type.
Parameters:
- pkcs7 PKCS7 structure
- type Identifier type
See: wc_PKCS7_Init
Return:
- 0 on success
- negative on error
Example
int ret = wc_PKCS7_SetSignerIdentifierType(&pkcs7, CMS_SKID);
function wc_PKCS7_SetContentType
int wc_PKCS7_SetContentType(
wc_PKCS7 * pkcs7,
byte * contentType,
word32 sz
)
Sets content type.
Parameters:
- pkcs7 PKCS7 structure
- contentType Content type OID
- sz OID size
See: wc_PKCS7_Init
Return:
- 0 on success
- negative on error
Example
int ret = wc_PKCS7_SetContentType(&pkcs7, DATA, sizeof(DATA));
function wc_PKCS7_GetPadSize
int wc_PKCS7_GetPadSize(
word32 inputSz,
word32 blockSz
)
Gets padding size for block cipher.
Parameters:
- inputSz Input size
- blockSz Block size
See: wc_PKCS7_PadData
Return: Padding size
Example
int padSz = wc_PKCS7_GetPadSize(dataSz, AES_BLOCK_SIZE);
function wc_PKCS7_PadData
int wc_PKCS7_PadData(
byte * in,
word32 inSz,
byte * out,
word32 outSz,
word32 blockSz
)
Pads data for block cipher.
Parameters:
- in Input data
- inSz Input size
- out Output buffer
- outSz Output buffer size
- blockSz Block size
See: wc_PKCS7_GetPadSize
Return:
- 0 on success
- negative on error
Example
int ret = wc_PKCS7_PadData(data, dataSz, padded, paddedSz,
AES_BLOCK_SIZE);
function wc_PKCS7_SetCustomSKID
int wc_PKCS7_SetCustomSKID(
wc_PKCS7 * pkcs7,
const byte * in,
word16 inSz
)
Sets custom subject key identifier.
Parameters:
- pkcs7 PKCS7 structure
- in SKID data
- inSz SKID size
See: wc_PKCS7_Init
Return:
- 0 on success
- negative on error
Example
int ret = wc_PKCS7_SetCustomSKID(&pkcs7, skid, skidSz);
function wc_PKCS7_SetDetached
int wc_PKCS7_SetDetached(
wc_PKCS7 * pkcs7,
word16 flag
)
Sets detached signature flag.
Parameters:
- pkcs7 PKCS7 structure
- flag Detached flag (1=detached, 0=attached)
See: wc_PKCS7_Init
Return:
- 0 on success
- negative on error
Example
int ret = wc_PKCS7_SetDetached(&pkcs7, 1);
function wc_PKCS7_NoDefaultSignedAttribs
int wc_PKCS7_NoDefaultSignedAttribs(
wc_PKCS7 * pkcs7
)
Disables default signed attributes.
Parameters:
- pkcs7 PKCS7 structure
See: wc_PKCS7_SetDefaultSignedAttribs
Return:
- 0 on success
- negative on error
Example
int ret = wc_PKCS7_NoDefaultSignedAttribs(&pkcs7);
function wc_PKCS7_SetDefaultSignedAttribs
int wc_PKCS7_SetDefaultSignedAttribs(
wc_PKCS7 * pkcs7,
word16 flag
)
Sets default signed attributes flag.
Parameters:
- pkcs7 PKCS7 structure
- flag Default attributes flag
See: wc_PKCS7_NoDefaultSignedAttribs
Return:
- 0 on success
- negative on error
Example
int ret = wc_PKCS7_SetDefaultSignedAttribs(&pkcs7, 1);
function wc_PKCS7_AllowDegenerate
void wc_PKCS7_AllowDegenerate(
wc_PKCS7 * pkcs7,
word16 flag
)
Allows degenerate PKCS7 (no signers).
Parameters:
- pkcs7 PKCS7 structure
- flag Allow degenerate flag
See: wc_PKCS7_Init
Return: none No returns
Example
wc_PKCS7_AllowDegenerate(&pkcs7, 1);
function wc_PKCS7_GetSignerSID
int wc_PKCS7_GetSignerSID(
wc_PKCS7 * pkcs7,
byte * out,
word32 * outSz
)
Gets signer subject identifier.
Parameters:
- pkcs7 PKCS7 structure
- out Output buffer
- outSz Output buffer size pointer
See: wc_PKCS7_Init
Return:
- 0 on success
- negative on error
Example
byte sid[256];
word32 sidSz = sizeof(sid);
int ret = wc_PKCS7_GetSignerSID(&pkcs7, sid, &sidSz);
function wc_PKCS7_EncodeSignedFPD
int wc_PKCS7_EncodeSignedFPD(
wc_PKCS7 * pkcs7,
byte * privateKey,
word32 privateKeySz,
int signOID,
int hashOID,
byte * content,
word32 contentSz,
PKCS7Attrib * signedAttribs,
word32 signedAttribsSz,
byte * output,
word32 outputSz
)
Encodes signed FirmwarePackageData.
Parameters:
- pkcs7 PKCS7 structure
- privateKey Private key
- privateKeySz Private key size
- signOID Signature algorithm OID
- hashOID Hash algorithm OID
- content Content data
- contentSz Content size
- signedAttribs Signed attributes
- signedAttribsSz Signed attributes count
- output Output buffer
- outputSz Output buffer size
See: wc_PKCS7_EncodeSignedData
Return:
- Size of encoded data on success
- negative on error
Example
int ret = wc_PKCS7_EncodeSignedFPD(&pkcs7, key, keySz, RSAk, SHAh,
data, dataSz, NULL, 0, out, outSz);
function wc_PKCS7_EncodeSignedEncryptedFPD
int wc_PKCS7_EncodeSignedEncryptedFPD(
wc_PKCS7 * pkcs7,
byte * encryptKey,
word32 encryptKeySz,
byte * privateKey,
word32 privateKeySz,
int encryptOID,
int signOID,
int hashOID,
byte * content,
word32 contentSz,
PKCS7Attrib * unprotectedAttribs,
word32 unprotectedAttribsSz,
PKCS7Attrib * signedAttribs,
word32 signedAttribsSz,
byte * output,
word32 outputSz
)
Encodes signed encrypted FirmwarePackageData.
Parameters:
- pkcs7 PKCS7 structure
- encryptKey Encryption key
- encryptKeySz Encryption key size
- privateKey Private key
- privateKeySz Private key size
- encryptOID Encryption algorithm OID
- signOID Signature algorithm OID
- hashOID Hash algorithm OID
- content Content data
- contentSz Content size
- unprotectedAttribs Unprotected attributes
- unprotectedAttribsSz Unprotected attributes count
- signedAttribs Signed attributes
- signedAttribsSz Signed attributes count
- output Output buffer
- outputSz Output buffer size
Return:
- Size of encoded data on success
- negative on error
Example
int ret = wc_PKCS7_EncodeSignedEncryptedFPD(&pkcs7, encKey, encKeySz,
key, keySz, AES256CBCb,
RSAk, SHAh, data, dataSz,
NULL, 0, NULL, 0, out,
outSz);
function wc_PKCS7_EncodeSignedCompressedFPD
int wc_PKCS7_EncodeSignedCompressedFPD(
wc_PKCS7 * pkcs7,
byte * privateKey,
word32 privateKeySz,
int signOID,
int hashOID,
byte * content,
word32 contentSz,
PKCS7Attrib * signedAttribs,
word32 signedAttribsSz,
byte * output,
word32 outputSz
)
Encodes signed compressed FirmwarePackageData.
Parameters:
- pkcs7 PKCS7 structure
- privateKey Private key
- privateKeySz Private key size
- signOID Signature algorithm OID
- hashOID Hash algorithm OID
- content Content data
- contentSz Content size
- signedAttribs Signed attributes
- signedAttribsSz Signed attributes count
- output Output buffer
- outputSz Output buffer size
Return:
- Size of encoded data on success
- negative on error
Example
int ret = wc_PKCS7_EncodeSignedCompressedFPD(&pkcs7, key, keySz, RSAk,
SHAh, data, dataSz, NULL,
0, out, outSz);
function wc_PKCS7_EncodeSignedEncryptedCompressedFPD
int wc_PKCS7_EncodeSignedEncryptedCompressedFPD(
wc_PKCS7 * pkcs7,
byte * encryptKey,
word32 encryptKeySz,
byte * privateKey,
word32 privateKeySz,
int encryptOID,
int signOID,
int hashOID,
byte * content,
word32 contentSz,
PKCS7Attrib * unprotectedAttribs,
word32 unprotectedAttribsSz,
PKCS7Attrib * signedAttribs,
word32 signedAttribsSz,
byte * output,
word32 outputSz
)
Encodes signed encrypted compressed FirmwarePackageData.
Parameters:
- pkcs7 PKCS7 structure
- encryptKey Encryption key
- encryptKeySz Encryption key size
- privateKey Private key
- privateKeySz Private key size
- encryptOID Encryption algorithm OID
- signOID Signature algorithm OID
- hashOID Hash algorithm OID
- content Content data
- contentSz Content size
- unprotectedAttribs Unprotected attributes
- unprotectedAttribsSz Unprotected attributes count
- signedAttribs Signed attributes
- signedAttribsSz Signed attributes count
- output Output buffer
- outputSz Output buffer size
See: wc_PKCS7_EncodeSignedCompressedFPD
Return:
- Size of encoded data on success
- negative on error
Example
int ret = wc_PKCS7_EncodeSignedEncryptedCompressedFPD(&pkcs7, encKey,
encKeySz, key,
keySz, AES256CBCb,
RSAk, SHAh, data,
dataSz, NULL, 0,
NULL, 0, out,
outSz);
function wc_PKCS7_AddRecipient_KTRI
int wc_PKCS7_AddRecipient_KTRI(
wc_PKCS7 * pkcs7,
const byte * cert,
word32 certSz,
int options
)
Adds KTRI recipient.
Parameters:
- pkcs7 PKCS7 structure
- cert Recipient certificate
- certSz Certificate size
- options Options flags
See: wc_PKCS7_AddRecipient_KARI
Return:
- 0 on success
- negative on error
Example
int ret = wc_PKCS7_AddRecipient_KTRI(&pkcs7, cert, certSz, 0);
function wc_PKCS7_AddRecipient_KARI
int wc_PKCS7_AddRecipient_KARI(
wc_PKCS7 * pkcs7,
const byte * cert,
word32 certSz,
int keyWrapOID,
int keyAgreeOID,
byte * ukm,
word32 ukmSz,
int options
)
Adds KARI recipient.
Parameters:
- pkcs7 PKCS7 structure
- cert Recipient certificate
- certSz Certificate size
- keyWrapOID Key wrap algorithm OID
- keyAgreeOID Key agreement algorithm OID
- ukm User keying material
- ukmSz UKM size
- options Options flags
See: wc_PKCS7_AddRecipient_KTRI
Return:
- 0 on success
- negative on error
Example
int ret = wc_PKCS7_AddRecipient_KARI(&pkcs7, cert, certSz, AES256_WRAP,
dhSinglePass_stdDH_sha256kdf_scheme,
NULL, 0, 0);
function wc_PKCS7_SetKey
int wc_PKCS7_SetKey(
wc_PKCS7 * pkcs7,
byte * key,
word32 keySz
)
Sets encryption key.
Parameters:
- pkcs7 PKCS7 structure
- key Encryption key
- keySz Key size
See: wc_PKCS7_Init
Return:
- 0 on success
- negative on error
Example
int ret = wc_PKCS7_SetKey(&pkcs7, key, keySz);
function wc_PKCS7_AddRecipient_KEKRI
int wc_PKCS7_AddRecipient_KEKRI(
wc_PKCS7 * pkcs7,
int keyWrapOID,
byte * kek,
word32 kekSz,
byte * keyID,
word32 keyIdSz,
void * timePtr,
byte * otherOID,
word32 otherOIDSz,
byte * other,
word32 otherSz,
int options
)
Adds KEKRI recipient.
Parameters:
- pkcs7 PKCS7 structure
- keyWrapOID Key wrap algorithm OID
- kek Key encryption key
- kekSz KEK size
- keyID Key identifier
- keyIdSz Key ID size
- timePtr Time pointer
- otherOID Other OID
- otherOIDSz Other OID size
- other Other data
- otherSz Other data size
- options Options flags
See: wc_PKCS7_AddRecipient_KTRI
Return:
- 0 on success
- negative on error
Example
int ret = wc_PKCS7_AddRecipient_KEKRI(&pkcs7, AES256_WRAP, kek, kekSz,
keyId, keyIdSz, NULL, NULL, 0,
NULL, 0, 0);
function wc_PKCS7_SetPassword
int wc_PKCS7_SetPassword(
wc_PKCS7 * pkcs7,
byte * passwd,
word32 pLen
)
Sets password for PWRI.
Parameters:
- pkcs7 PKCS7 structure
- passwd Password
- pLen Password length
See: wc_PKCS7_AddRecipient_PWRI
Return:
- 0 on success
- negative on error
Example
int ret = wc_PKCS7_SetPassword(&pkcs7, password, passwordLen);
function wc_PKCS7_AddRecipient_PWRI
int wc_PKCS7_AddRecipient_PWRI(
wc_PKCS7 * pkcs7,
byte * passwd,
word32 pLen,
byte * salt,
word32 saltSz,
int kdfOID,
int prfOID,
int iterations,
int kekEncryptOID,
int options
)
Adds PWRI recipient.
Parameters:
- pkcs7 PKCS7 structure
- passwd Password
- pLen Password length
- salt Salt
- saltSz Salt size
- kdfOID KDF algorithm OID
- prfOID PRF algorithm OID
- iterations Iteration count
- kekEncryptOID KEK encryption algorithm OID
- options Options flags
See: wc_PKCS7_SetPassword
Return:
- 0 on success
- negative on error
Example
int ret = wc_PKCS7_AddRecipient_PWRI(&pkcs7, password, passwordLen,
salt, saltSz, PBKDF2_OID, HMACh,
10000, AES256CBCb, 0);
function wc_PKCS7_SetOriEncryptCtx
int wc_PKCS7_SetOriEncryptCtx(
wc_PKCS7 * pkcs7,
void * ctx
)
Sets originator encryption context.
Parameters:
- pkcs7 PKCS7 structure
- ctx Context pointer
See: wc_PKCS7_SetOriDecryptCtx
Return:
- 0 on success
- negative on error
Example
int ret = wc_PKCS7_SetOriEncryptCtx(&pkcs7, myContext);
function wc_PKCS7_SetOriDecryptCtx
int wc_PKCS7_SetOriDecryptCtx(
wc_PKCS7 * pkcs7,
void * ctx
)
Sets originator decryption context.
Parameters:
- pkcs7 PKCS7 structure
- ctx Context pointer
See: wc_PKCS7_SetOriEncryptCtx
Return:
- 0 on success
- negative on error
Example
int ret = wc_PKCS7_SetOriDecryptCtx(&pkcs7, myContext);
function wc_PKCS7_SetOriDecryptCb
int wc_PKCS7_SetOriDecryptCb(
wc_PKCS7 * pkcs7,
CallbackOriDecrypt cb
)
Sets originator decryption callback.
Parameters:
- pkcs7 PKCS7 structure
- cb Callback function
See: wc_PKCS7_SetOriDecryptCtx
Return:
- 0 on success
- negative on error
Example
int ret = wc_PKCS7_SetOriDecryptCb(&pkcs7, myDecryptCallback);
function wc_PKCS7_AddRecipient_ORI
int wc_PKCS7_AddRecipient_ORI(
wc_PKCS7 * pkcs7,
CallbackOriEncrypt cb,
int options
)
Adds ORI recipient.
Parameters:
- pkcs7 PKCS7 structure
- cb Originator encryption callback
- options Options flags
Return:
- 0 on success
- negative on error
Example
int ret = wc_PKCS7_AddRecipient_ORI(&pkcs7, myEncryptCallback, 0);
function wc_PKCS7_SetWrapCEKCb
int wc_PKCS7_SetWrapCEKCb(
wc_PKCS7 * pkcs7,
CallbackWrapCEK wrapCEKCb
)
Sets CEK wrap callback.
Parameters:
- pkcs7 PKCS7 structure
- wrapCEKCb Wrap CEK callback
See: wc_PKCS7_Init
Return:
- 0 on success
- negative on error
Example
int ret = wc_PKCS7_SetWrapCEKCb(&pkcs7, myWrapCEKCallback);
function wc_PKCS7_SetRsaSignRawDigestCb
int wc_PKCS7_SetRsaSignRawDigestCb(
wc_PKCS7 * pkcs7,
CallbackRsaSignRawDigest cb
)
Sets RSA sign raw digest callback.
Parameters:
- pkcs7 PKCS7 structure
- cb Callback function
See: wc_PKCS7_Init
Return:
- 0 on success
- negative on error
Example
int ret = wc_PKCS7_SetRsaSignRawDigestCb(&pkcs7, mySignCallback);
function wc_PKCS7_EncodeAuthEnvelopedData
int wc_PKCS7_EncodeAuthEnvelopedData(
wc_PKCS7 * pkcs7,
byte * output,
word32 outputSz
)
Encodes authenticated enveloped data.
Parameters:
- pkcs7 PKCS7 structure
- output Output buffer
- outputSz Output buffer size
See: wc_PKCS7_DecodeAuthEnvelopedData
Return:
- Size of encoded data on success
- negative on error
Example
int ret = wc_PKCS7_EncodeAuthEnvelopedData(&pkcs7, out, outSz);
function wc_PKCS7_DecodeAuthEnvelopedData
int wc_PKCS7_DecodeAuthEnvelopedData(
wc_PKCS7 * pkcs7,
byte * pkiMsg,
word32 pkiMsgSz,
byte * output,
word32 outputSz
)
Decodes authenticated enveloped data.
Parameters:
- pkcs7 PKCS7 structure
- pkiMsg Input message
- pkiMsgSz Input message size
- output Output buffer
- outputSz Output buffer size
See: wc_PKCS7_EncodeAuthEnvelopedData
Return:
- Size of decoded data on success
- negative on error
Example
int ret = wc_PKCS7_DecodeAuthEnvelopedData(&pkcs7, msg, msgSz, out,
outSz);
function wc_PKCS7_EncodeEncryptedData
int wc_PKCS7_EncodeEncryptedData(
wc_PKCS7 * pkcs7,
byte * output,
word32 outputSz
)
Encodes encrypted data.
Parameters:
- pkcs7 PKCS7 structure
- output Output buffer
- outputSz Output buffer size
See: wc_PKCS7_DecodeEncryptedData
Return:
- Size of encoded data on success
- negative on error
Example
int ret = wc_PKCS7_EncodeEncryptedData(&pkcs7, out, outSz);
function wc_PKCS7_SetDecodeEncryptedCb
int wc_PKCS7_SetDecodeEncryptedCb(
wc_PKCS7 * pkcs7,
CallbackDecryptContent decryptionCb
)
Sets decode encrypted callback.
Parameters:
- pkcs7 PKCS7 structure
- decryptionCb Decryption callback
See: wc_PKCS7_SetDecodeEncryptedCtx
Return:
- 0 on success
- negative on error
Example
int ret = wc_PKCS7_SetDecodeEncryptedCb(&pkcs7, myDecryptCallback);
function wc_PKCS7_SetDecodeEncryptedCtx
int wc_PKCS7_SetDecodeEncryptedCtx(
wc_PKCS7 * pkcs7,
void * ctx
)
Sets decode encrypted context.
Parameters:
- pkcs7 PKCS7 structure
- ctx Context pointer
See: wc_PKCS7_SetDecodeEncryptedCb
Return:
- 0 on success
- negative on error
Example
int ret = wc_PKCS7_SetDecodeEncryptedCtx(&pkcs7, myContext);
function wc_PKCS7_SetStreamMode
int wc_PKCS7_SetStreamMode(
wc_PKCS7 * pkcs7,
byte flag,
CallbackGetContent getContentCb,
CallbackStreamOut streamOutCb,
void * ctx
)
Sets stream mode for PKCS7.
Parameters:
- pkcs7 PKCS7 structure
- flag Stream mode flag
- getContentCb Get content callback
- streamOutCb Stream output callback
- ctx Context pointer
Return:
- 0 on success
- negative on error
Example
int ret = wc_PKCS7_SetStreamMode(&pkcs7, 1, getContent, streamOut,
ctx);
function wc_PKCS7_GetStreamMode
int wc_PKCS7_GetStreamMode(
wc_PKCS7 * pkcs7
)
Gets stream mode setting.
Parameters:
- pkcs7 PKCS7 structure
Return: Stream mode flag
Example
int mode = wc_PKCS7_GetStreamMode(&pkcs7);
function wc_PKCS7_SetNoCerts
int wc_PKCS7_SetNoCerts(
wc_PKCS7 * pkcs7,
byte flag
)
Sets no certificates flag.
Parameters:
- pkcs7 PKCS7 structure
- flag No certificates flag
See: wc_PKCS7_GetNoCerts
Return:
- 0 on success
- negative on error
Example
int ret = wc_PKCS7_SetNoCerts(&pkcs7, 1);
function wc_PKCS7_GetNoCerts
int wc_PKCS7_GetNoCerts(
wc_PKCS7 * pkcs7
)
Gets no certificates flag.
Parameters:
- pkcs7 PKCS7 structure
See: wc_PKCS7_SetNoCerts
Return: No certificates flag
Example
int noCerts = wc_PKCS7_GetNoCerts(&pkcs7);
function wc_PKCS7_EncodeCompressedData
int wc_PKCS7_EncodeCompressedData(
wc_PKCS7 * pkcs7,
byte * output,
word32 outputSz
)
Encodes compressed data.
Parameters:
- pkcs7 PKCS7 structure
- output Output buffer
- outputSz Output buffer size
See: wc_PKCS7_DecodeCompressedData
Return:
- Size of encoded data on success
- negative on error
Example
int ret = wc_PKCS7_EncodeCompressedData(&pkcs7, out, outSz);
function wc_PKCS7_DecodeCompressedData
int wc_PKCS7_DecodeCompressedData(
wc_PKCS7 * pkcs7,
byte * pkiMsg,
word32 pkiMsgSz,
byte * output,
word32 outputSz
)
Decodes compressed data.
Parameters:
- pkcs7 PKCS7 structure
- pkiMsg Input message
- pkiMsgSz Input message size
- output Output buffer
- outputSz Output buffer size
See: wc_PKCS7_EncodeCompressedData
Return:
- Size of decoded data on success
- negative on error
Example
int ret = wc_PKCS7_DecodeCompressedData(&pkcs7, msg, msgSz, out,
outSz);
Source code
typedef int (*CallbackAESKeyWrapUnwrap)(const byte* key, word32 keySz,
const byte* in, word32 inSz, int wrap, byte* out, word32 outSz);
int wc_PKCS7_InitWithCert(wc_PKCS7* pkcs7, byte* der, word32 derSz);
void wc_PKCS7_Free(wc_PKCS7* pkcs7);
int wc_PKCS7_EncodeData(wc_PKCS7* pkcs7, byte* output,
word32 outputSz);
int wc_PKCS7_EncodeSignedData(wc_PKCS7* pkcs7,
byte* output, word32 outputSz);
int wc_PKCS7_EncodeSignedData_ex(wc_PKCS7* pkcs7, const byte* hashBuf,
word32 hashSz, byte* outputHead, word32* outputHeadSz, byte* outputFoot,
word32* outputFootSz);
int wc_PKCS7_VerifySignedData(wc_PKCS7* pkcs7,
byte* pkiMsg, word32 pkiMsgSz);
int wc_PKCS7_VerifySignedData_ex(wc_PKCS7* pkcs7, const byte* hashBuf,
word32 hashSz, byte* pkiMsgHead, word32 pkiMsgHeadSz, byte* pkiMsgFoot,
word32 pkiMsgFootSz);
int wc_PKCS7_SetAESKeyWrapUnwrapCb(wc_PKCS7* pkcs7,
CallbackAESKeyWrapUnwrap aesKeyWrapCb);
int wc_PKCS7_EncodeEnvelopedData(wc_PKCS7* pkcs7,
byte* output, word32 outputSz);
int wc_PKCS7_DecodeEnvelopedData(wc_PKCS7* pkcs7, byte* pkiMsg,
word32 pkiMsgSz, byte* output, word32 outputSz);
int wc_PKCS7_GetEnvelopedDataKariRid(const byte * in, word32 inSz,
byte * out, word32 * outSz);
int wc_PKCS7_DecodeEncryptedData(wc_PKCS7* pkcs7, byte* pkiMsg,
word32 pkiMsgSz, byte* output, word32 outputSz);
int wc_PKCS7_DecodeEncryptedKeyPackage(wc_PKCS7 * pkcs7,
byte * pkiMsg, word32 pkiMsgSz, byte * output, word32 outputSz);
int wc_PKCS7_DecodeSymmetricKeyPackageAttribute(const byte * skp,
word32 skpSz, size_t index, const byte ** attr, word32 * attrSz);
int wc_PKCS7_DecodeSymmetricKeyPackageKey(const byte * skp,
word32 skpSz, size_t index, const byte ** key, word32 * keySz);
int wc_PKCS7_DecodeOneSymmetricKeyAttribute(const byte * osk,
word32 oskSz, size_t index, const byte ** attr, word32 * attrSz);
int wc_PKCS7_DecodeOneSymmetricKeyKey(const byte * osk,
word32 oskSz, const byte ** key, word32 * keySz);
PKCS7* wolfSSL_PKCS7_new(void);
PKCS7_SIGNED* wolfSSL_PKCS7_SIGNED_new(void);
void wolfSSL_PKCS7_free(PKCS7* p7);
void wolfSSL_PKCS7_SIGNED_free(PKCS7_SIGNED* p7);
PKCS7* wolfSSL_d2i_PKCS7(PKCS7** p7, const unsigned char** in, int len);
PKCS7* wolfSSL_d2i_PKCS7_bio(WOLFSSL_BIO* bio, PKCS7** p7);
int wolfSSL_i2d_PKCS7_bio(WOLFSSL_BIO *bio, PKCS7 *p7);
int wolfSSL_i2d_PKCS7(PKCS7 *p7, unsigned char **out);
PKCS7* wolfSSL_PKCS7_sign(WOLFSSL_X509* signer, WOLFSSL_EVP_PKEY* pkey,
WOLFSSL_STACK* certs, WOLFSSL_BIO* in, int flags);
int wolfSSL_PKCS7_verify(PKCS7* p7, WOLFSSL_STACK* certs,
WOLFSSL_X509_STORE* store, WOLFSSL_BIO* in,
WOLFSSL_BIO* out, int flags);
int wolfSSL_PKCS7_final(PKCS7* pkcs7, WOLFSSL_BIO* in, int flags);
int wolfSSL_PKCS7_encode_certs(PKCS7* p7, WOLFSSL_STACK* certs,
WOLFSSL_BIO* out);
WOLFSSL_STACK* wolfSSL_PKCS7_to_stack(PKCS7* pkcs7);
WOLFSSL_STACK* wolfSSL_PKCS7_get0_signers(PKCS7* p7, WOLFSSL_STACK* certs,
int flags);
int wolfSSL_PEM_write_bio_PKCS7(WOLFSSL_BIO* bio, PKCS7* p7);
PKCS7* wolfSSL_SMIME_read_PKCS7(WOLFSSL_BIO* in, WOLFSSL_BIO** bcont);
int wolfSSL_SMIME_write_PKCS7(WOLFSSL_BIO* out, PKCS7* pkcs7,
WOLFSSL_BIO* in, int flags);
wc_PKCS7* wc_PKCS7_New(void* heap, int devId);
void wc_PKCS7_SetUnknownExtCallback(wc_PKCS7* pkcs7,
wc_UnknownExtCallback cb);
int wc_PKCS7_Init(wc_PKCS7* pkcs7, void* heap, int devId);
int wc_PKCS7_AddCertificate(wc_PKCS7* pkcs7, byte* der, word32 derSz);
int wc_PKCS7_GetAttributeValue(wc_PKCS7* pkcs7, const byte* oid,
word32 oidSz, byte* out, word32* outSz);
int wc_PKCS7_SetSignerIdentifierType(wc_PKCS7* pkcs7, int type);
int wc_PKCS7_SetContentType(wc_PKCS7* pkcs7, byte* contentType, word32 sz);
int wc_PKCS7_GetPadSize(word32 inputSz, word32 blockSz);
int wc_PKCS7_PadData(byte* in, word32 inSz, byte* out, word32 outSz,
word32 blockSz);
int wc_PKCS7_SetCustomSKID(wc_PKCS7* pkcs7, const byte* in, word16 inSz);
int wc_PKCS7_SetDetached(wc_PKCS7* pkcs7, word16 flag);
int wc_PKCS7_NoDefaultSignedAttribs(wc_PKCS7* pkcs7);
int wc_PKCS7_SetDefaultSignedAttribs(wc_PKCS7* pkcs7, word16 flag);
void wc_PKCS7_AllowDegenerate(wc_PKCS7* pkcs7, word16 flag);
int wc_PKCS7_GetSignerSID(wc_PKCS7* pkcs7, byte* out, word32* outSz);
int wc_PKCS7_EncodeSignedFPD(wc_PKCS7* pkcs7, byte* privateKey,
word32 privateKeySz, int signOID, int hashOID,
byte* content, word32 contentSz,
PKCS7Attrib* signedAttribs,
word32 signedAttribsSz, byte* output,
word32 outputSz);
int wc_PKCS7_EncodeSignedEncryptedFPD(wc_PKCS7* pkcs7, byte* encryptKey,
word32 encryptKeySz, byte* privateKey,
word32 privateKeySz, int encryptOID,
int signOID, int hashOID, byte* content,
word32 contentSz,
PKCS7Attrib* unprotectedAttribs,
word32 unprotectedAttribsSz,
PKCS7Attrib* signedAttribs,
word32 signedAttribsSz, byte* output,
word32 outputSz);
int wc_PKCS7_EncodeSignedCompressedFPD(wc_PKCS7* pkcs7, byte* privateKey,
word32 privateKeySz, int signOID,
int hashOID, byte* content,
word32 contentSz,
PKCS7Attrib* signedAttribs,
word32 signedAttribsSz, byte* output,
word32 outputSz);
int wc_PKCS7_EncodeSignedEncryptedCompressedFPD(wc_PKCS7* pkcs7,
byte* encryptKey,
word32 encryptKeySz,
byte* privateKey,
word32 privateKeySz,
int encryptOID, int signOID,
int hashOID, byte* content,
word32 contentSz,
PKCS7Attrib* unprotectedAttribs,
word32 unprotectedAttribsSz,
PKCS7Attrib* signedAttribs,
word32 signedAttribsSz,
byte* output, word32 outputSz);
int wc_PKCS7_AddRecipient_KTRI(wc_PKCS7* pkcs7, const byte* cert,
word32 certSz, int options);
int wc_PKCS7_AddRecipient_KARI(wc_PKCS7* pkcs7, const byte* cert,
word32 certSz, int keyWrapOID,
int keyAgreeOID, byte* ukm, word32 ukmSz,
int options);
int wc_PKCS7_SetKey(wc_PKCS7* pkcs7, byte* key, word32 keySz);
int wc_PKCS7_AddRecipient_KEKRI(wc_PKCS7* pkcs7, int keyWrapOID, byte* kek,
word32 kekSz, byte* keyID, word32 keyIdSz,
void* timePtr, byte* otherOID,
word32 otherOIDSz, byte* other,
word32 otherSz, int options);
int wc_PKCS7_SetPassword(wc_PKCS7* pkcs7, byte* passwd, word32 pLen);
int wc_PKCS7_AddRecipient_PWRI(wc_PKCS7* pkcs7, byte* passwd, word32 pLen,
byte* salt, word32 saltSz, int kdfOID,
int prfOID, int iterations,
int kekEncryptOID, int options);
int wc_PKCS7_SetOriEncryptCtx(wc_PKCS7* pkcs7, void* ctx);
int wc_PKCS7_SetOriDecryptCtx(wc_PKCS7* pkcs7, void* ctx);
int wc_PKCS7_SetOriDecryptCb(wc_PKCS7* pkcs7, CallbackOriDecrypt cb);
int wc_PKCS7_AddRecipient_ORI(wc_PKCS7* pkcs7, CallbackOriEncrypt cb,
int options);
int wc_PKCS7_SetWrapCEKCb(wc_PKCS7* pkcs7, CallbackWrapCEK wrapCEKCb);
int wc_PKCS7_SetRsaSignRawDigestCb(wc_PKCS7* pkcs7,
CallbackRsaSignRawDigest cb);
int wc_PKCS7_EncodeAuthEnvelopedData(wc_PKCS7* pkcs7, byte* output,
word32 outputSz);
int wc_PKCS7_DecodeAuthEnvelopedData(wc_PKCS7* pkcs7, byte* pkiMsg,
word32 pkiMsgSz, byte* output,
word32 outputSz);
int wc_PKCS7_EncodeEncryptedData(wc_PKCS7* pkcs7, byte* output,
word32 outputSz);
int wc_PKCS7_SetDecodeEncryptedCb(wc_PKCS7* pkcs7,
CallbackDecryptContent decryptionCb);
int wc_PKCS7_SetDecodeEncryptedCtx(wc_PKCS7* pkcs7, void* ctx);
int wc_PKCS7_SetStreamMode(wc_PKCS7* pkcs7, byte flag,
CallbackGetContent getContentCb,
CallbackStreamOut streamOutCb, void* ctx);
int wc_PKCS7_GetStreamMode(wc_PKCS7* pkcs7);
int wc_PKCS7_SetNoCerts(wc_PKCS7* pkcs7, byte flag);
int wc_PKCS7_GetNoCerts(wc_PKCS7* pkcs7);
int wc_PKCS7_EncodeCompressedData(wc_PKCS7* pkcs7, byte* output,
word32 outputSz);
int wc_PKCS7_DecodeCompressedData(wc_PKCS7* pkcs7, byte* pkiMsg,
word32 pkiMsgSz, byte* output,
word32 outputSz);
Updated on 2025-12-31 at 01:16:04 +0000