pkcs7

pkcs7

Functions

Types and Values

Description

Functions

gnutls_pkcs7_init ()

int
gnutls_pkcs7_init (gnutls_pkcs7_t *pkcs7);

This function will initialize a PKCS7 structure. PKCS7 structures usually contain lists of X.509 Certificates and X.509 Certificate revocation lists.

Parameters

pkcs7

A pointer to the type to be initialized

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_pkcs7_deinit ()

void
gnutls_pkcs7_deinit (gnutls_pkcs7_t pkcs7);

This function will deinitialize a PKCS7 type.

Parameters

pkcs7

the type to be deinitialized

 

gnutls_pkcs7_import ()

int
gnutls_pkcs7_import (gnutls_pkcs7_t pkcs7,
                     const gnutls_datum_t *data,
                     gnutls_x509_crt_fmt_t format);

This function will convert the given DER or PEM encoded PKCS7 to the native gnutls_pkcs7_t format. The output will be stored in pkcs7 .

If the PKCS7 is PEM encoded it should have a header of "PKCS7".

Parameters

pkcs7

The data to store the parsed PKCS7.

 

data

The DER or PEM encoded PKCS7.

 

format

One of DER or PEM

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_pkcs7_export ()

int
gnutls_pkcs7_export (gnutls_pkcs7_t pkcs7,
                     gnutls_x509_crt_fmt_t format,
                     void *output_data,
                     size_t *output_data_size);

This function will export the pkcs7 structure to DER or PEM format.

If the buffer provided is not long enough to hold the output, then *output_data_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER will be returned.

If the structure is PEM encoded, it will have a header of "BEGIN PKCS7".

Parameters

pkcs7

The pkcs7 type

 

format

the format of output params. One of PEM or DER.

 

output_data

will contain a structure PEM or DER encoded

 

output_data_size

holds the size of output_data (and will be replaced by the actual size of parameters)

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_pkcs7_export2 ()

int
gnutls_pkcs7_export2 (gnutls_pkcs7_t pkcs7,
                      gnutls_x509_crt_fmt_t format,
                      gnutls_datum_t *out);

This function will export the pkcs7 structure to DER or PEM format.

The output buffer is allocated using gnutls_malloc().

If the structure is PEM encoded, it will have a header of "BEGIN PKCS7".

Parameters

pkcs7

The pkcs7 type

 

format

the format of output params. One of PEM or DER.

 

out

will contain a structure PEM or DER encoded

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 3.1.3


gnutls_pkcs7_get_signature_count ()

int
gnutls_pkcs7_get_signature_count (gnutls_pkcs7_t pkcs7);

This function will return the number of signatures in the PKCS7 structure.

Parameters

pkcs7

should contain a gnutls_pkcs7_t type

 

Returns

On success, a positive number is returned, otherwise a negative error value.

Since: 3.4.3


gnutls_pkcs7_get_embedded_data ()

int
gnutls_pkcs7_get_embedded_data (gnutls_pkcs7_t pkcs7,
                                unsigned  flags,
                                gnutls_datum_t *data);

This function will return the data embedded in the signature of the PKCS7 structure. If no data are available then GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.

The returned data must be de-allocated using gnutls_free().

Note, that this function returns the exact same data that are authenticated. If the GNUTLS_PKCS7_EDATA_GET_RAW flag is provided, the returned data will be including the wrapping tag/value as they are encoded in the structure.

Parameters

pkcs7

should contain a gnutls_pkcs7_t type

 

flags

must be zero or GNUTLS_PKCS7_EDATA_GET_RAW

 

data

will hold the embedded data in the provided structure

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 3.4.8


gnutls_pkcs7_get_embedded_data_oid ()

const char *
gnutls_pkcs7_get_embedded_data_oid (gnutls_pkcs7_t pkcs7);

This function will return the OID of the data embedded in the signature of the PKCS7 structure. If no data are available then NULL will be returned. The returned value will be valid during the lifetime of the pkcs7 structure.

Parameters

pkcs7

should contain a gnutls_pkcs7_t type

 

Returns

On success, a pointer to an OID string, NULL on error.

Since: 3.5.5


gnutls_pkcs7_get_crt_count ()

int
gnutls_pkcs7_get_crt_count (gnutls_pkcs7_t pkcs7);

This function will return the number of certificates in the PKCS7 or RFC2630 certificate set.

Parameters

pkcs7

should contain a gnutls_pkcs7_t type

 

Returns

On success, a positive number is returned, otherwise a negative error value.


gnutls_pkcs7_get_crt_raw ()

int
gnutls_pkcs7_get_crt_raw (gnutls_pkcs7_t pkcs7,
                          unsigned  indx,
                          void *certificate,
                          size_t *certificate_size);

This function will return a certificate of the PKCS7 or RFC2630 certificate set.

After the last certificate has been read GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.

Parameters

pkcs7

should contain a gnutls_pkcs7_t type

 

indx

contains the index of the certificate to extract

 

certificate

the contents of the certificate will be copied there (may be null)

 

certificate_size

should hold the size of the certificate

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value. If the provided buffer is not long enough, then certificate_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER is returned.


gnutls_pkcs7_set_crt_raw ()

int
gnutls_pkcs7_set_crt_raw (gnutls_pkcs7_t pkcs7,
                          const gnutls_datum_t *crt);

This function will add a certificate to the PKCS7 or RFC2630 certificate set.

Parameters

pkcs7

The pkcs7 type

 

crt

the DER encoded certificate to be added

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_pkcs7_set_crt ()

int
gnutls_pkcs7_set_crt (gnutls_pkcs7_t pkcs7,
                      gnutls_x509_crt_t crt);

This function will add a parsed certificate to the PKCS7 or RFC2630 certificate set. This is a wrapper function over gnutls_pkcs7_set_crt_raw() .

Parameters

pkcs7

The pkcs7 type

 

crt

the certificate to be copied.

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_pkcs7_delete_crt ()

int
gnutls_pkcs7_delete_crt (gnutls_pkcs7_t pkcs7,
                         int indx);

This function will delete a certificate from a PKCS7 or RFC2630 certificate set. Index starts from 0. Returns 0 on success.

Parameters

pkcs7

The pkcs7 type

 

indx

the index of the certificate to delete

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_pkcs7_get_crl_raw ()

int
gnutls_pkcs7_get_crl_raw (gnutls_pkcs7_t pkcs7,
                          unsigned  indx,
                          void *crl,
                          size_t *crl_size);

This function will return a crl of the PKCS7 or RFC2630 crl set.

Parameters

pkcs7

The pkcs7 type

 

indx

contains the index of the crl to extract

 

crl

the contents of the crl will be copied there (may be null)

 

crl_size

should hold the size of the crl

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value. If the provided buffer is not long enough, then crl_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER is returned. After the last crl has been read GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.


gnutls_pkcs7_get_crl_count ()

int
gnutls_pkcs7_get_crl_count (gnutls_pkcs7_t pkcs7);

This function will return the number of certificates in the PKCS7 or RFC2630 crl set.

Parameters

pkcs7

The pkcs7 type

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_pkcs7_set_crl_raw ()

int
gnutls_pkcs7_set_crl_raw (gnutls_pkcs7_t pkcs7,
                          const gnutls_datum_t *crl);

This function will add a crl to the PKCS7 or RFC2630 crl set.

Parameters

pkcs7

The pkcs7 type

 

crl

the DER encoded crl to be added

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_pkcs7_set_crl ()

int
gnutls_pkcs7_set_crl (gnutls_pkcs7_t pkcs7,
                      gnutls_x509_crl_t crl);

This function will add a parsed CRL to the PKCS7 or RFC2630 crl set.

Parameters

pkcs7

The pkcs7 type

 

crl

the DER encoded crl to be added

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_pkcs7_delete_crl ()

int
gnutls_pkcs7_delete_crl (gnutls_pkcs7_t pkcs7,
                         int indx);

This function will delete a crl from a PKCS7 or RFC2630 crl set. Index starts from 0. Returns 0 on success.

Parameters

pkcs7

The pkcs7 type

 

indx

the index of the crl to delete

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.


gnutls_pkcs7_signature_info_deinit ()

void
gnutls_pkcs7_signature_info_deinit (gnutls_pkcs7_signature_info_st *info);

This function will deinitialize any allocated value in the provided gnutls_pkcs7_signature_info_st.

Parameters

info

should point to a gnutls_pkcs7_signature_info_st structure

 

Since: 3.4.2


gnutls_pkcs7_get_signature_info ()

int
gnutls_pkcs7_get_signature_info (gnutls_pkcs7_t pkcs7,
                                 unsigned  idx,
                                 gnutls_pkcs7_signature_info_st *info);

This function will return information about the signature identified by idx in the provided PKCS #7 structure. The information should be deinitialized using gnutls_pkcs7_signature_info_deinit().

Parameters

pkcs7

should contain a gnutls_pkcs7_t type

 

idx

the index of the signature info to check

 

info

will contain the output signature

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 3.4.2


gnutls_pkcs7_verify_direct ()

int
gnutls_pkcs7_verify_direct (gnutls_pkcs7_t pkcs7,
                            gnutls_x509_crt_t signer,
                            unsigned  idx,
                            const gnutls_datum_t *data,
                            unsigned  flags);

This function will verify the provided data against the signature present in the SignedData of the PKCS #7 structure. If the data provided are NULL then the data in the encapsulatedContent field will be used instead.

Note that, unlike gnutls_pkcs7_verify() this function does not verify the key purpose of the signer. It is expected for the caller to verify the intended purpose of the signer -e.g., via gnutls_x509_crt_get_key_purpose_oid(), or gnutls_x509_crt_check_key_purpose().

Note also, that since GnuTLS 3.5.6 this function introduces checks in the end certificate (signer ), including time checks and key usage checks.

Parameters

pkcs7

should contain a gnutls_pkcs7_t type

 

signer

the certificate believed to have signed the structure

 

idx

the index of the signature info to check

 

data

The data to be verified or NULL

 

flags

Zero or an OR list of gnutls_certificate_verify_flags

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value. A verification error results to a GNUTLS_E_PK_SIG_VERIFY_FAILED and the lack of encapsulated data to verify to a GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE.

Since: 3.4.2


gnutls_pkcs7_verify ()

int
gnutls_pkcs7_verify (gnutls_pkcs7_t pkcs7,
                     gnutls_x509_trust_list_t tl,
                     gnutls_typed_vdata_st *vdata,
                     unsigned int vdata_size,
                     unsigned  idx,
                     const gnutls_datum_t *data,
                     unsigned  flags);

This function will verify the provided data against the signature present in the SignedData of the PKCS #7 structure. If the data provided are NULL then the data in the encapsulatedContent field will be used instead.

Parameters

pkcs7

should contain a gnutls_pkcs7_t type

 

tl

A list of trusted certificates

 

vdata

an array of typed data

 

vdata_size

the number of data elements

 

idx

the index of the signature info to check

 

data

The data to be verified or NULL

 

flags

Zero or an OR list of gnutls_certificate_verify_flags

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value. A verification error results to a GNUTLS_E_PK_SIG_VERIFY_FAILED and the lack of encapsulated data to verify to a GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE.

Since: 3.4.2


gnutls_pkcs7_add_attr ()

int
gnutls_pkcs7_add_attr (gnutls_pkcs7_attrs_t *list,
                       const char *oid,
                       gnutls_datum_t *data,
                       unsigned  flags);

This function will set a PKCS #7 attribute in the provided list. If this function fails, the previous list would be deallocated.

Note that any attributes set with this function must either be DER or BER encoded, unless a special flag is present.

Parameters

list

A list of existing attributes or pointer to NULL for the first one

 

oid

the OID of the attribute to be set

 

data

the raw (DER-encoded) data of the attribute to be set

 

flags

zero or GNUTLS_PKCS7_ATTR_ENCODE_OCTET_STRING

 

Returns

On success, the new list head, otherwise NULL.

Since: 3.4.2


gnutls_pkcs7_attrs_deinit ()

void
gnutls_pkcs7_attrs_deinit (gnutls_pkcs7_attrs_t list);

This function will clear a PKCS #7 attribute list.

Parameters

list

A list of existing attributes

 

Since: 3.4.2


gnutls_pkcs7_get_attr ()

int
gnutls_pkcs7_get_attr (gnutls_pkcs7_attrs_t list,
                       unsigned  idx,
                       char **oid,
                       gnutls_datum_t *data,
                       unsigned  flags);

This function will get a PKCS #7 attribute from the provided list. The OID is a constant string, but data will be allocated and must be deinitialized by the caller.

Parameters

list

A list of existing attributes or NULL for the first one

 

idx

the index of the attribute to get

 

oid

the OID of the attribute (read-only)

 

data

the raw data of the attribute

 

flags

zero or GNUTLS_PKCS7_ATTR_ENCODE_OCTET_STRING

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value. GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned if there are no data in the current index.

Since: 3.4.2


gnutls_pkcs7_sign ()

int
gnutls_pkcs7_sign (gnutls_pkcs7_t pkcs7,
                   gnutls_x509_crt_t signer,
                   gnutls_privkey_t signer_key,
                   const gnutls_datum_t *data,
                   gnutls_pkcs7_attrs_t signed_attrs,
                   gnutls_pkcs7_attrs_t unsigned_attrs,
                   gnutls_digest_algorithm_t dig,
                   unsigned  flags);

This function will add a signature in the provided PKCS #7 structure for the provided data. Multiple signatures can be made with different signers.

The available flags are: GNUTLS_PKCS7_EMBED_DATA, GNUTLS_PKCS7_INCLUDE_TIME, GNUTLS_PKCS7_INCLUDE_CERT, and GNUTLS_PKCS7_WRITE_SPKI. They are explained in the gnutls_pkcs7_sign_flags definition.

Parameters

pkcs7

should contain a gnutls_pkcs7_t type

 

signer

the certificate to sign the structure

 

signer_key

the key to sign the structure

 

data

The data to be signed or NULL if the data are already embedded

 

signed_attrs

Any additional attributes to be included in the signed ones (or NULL)

 

unsigned_attrs

Any additional attributes to be included in the unsigned ones (or NULL)

 

dig

The digest algorithm to use for signing

 

flags

Should be zero or one of GNUTLS_PKCS7 flags

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 3.4.2


gnutls_pkcs7_get_crt_raw2 ()

int
gnutls_pkcs7_get_crt_raw2 (gnutls_pkcs7_t pkcs7,
                           unsigned  indx,
                           gnutls_datum_t *cert);

This function will return a certificate of the PKCS7 or RFC2630 certificate set.

After the last certificate has been read GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.

Parameters

pkcs7

should contain a gnutls_pkcs7_t type

 

indx

contains the index of the certificate to extract

 

cert

will hold the contents of the certificate; must be deallocated with gnutls_free()

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value. If the provided buffer is not long enough, then certificate_size is updated and GNUTLS_E_SHORT_MEMORY_BUFFER is returned.

Since: 3.4.2


gnutls_pkcs7_get_crl_raw2 ()

int
gnutls_pkcs7_get_crl_raw2 (gnutls_pkcs7_t pkcs7,
                           unsigned  indx,
                           gnutls_datum_t *crl);

This function will return a DER encoded CRL of the PKCS7 or RFC2630 crl set.

Parameters

pkcs7

The pkcs7 type

 

indx

contains the index of the crl to extract

 

crl

will contain the contents of the CRL in an allocated buffer

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value. After the last crl has been read GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.

Since: 3.4.2


gnutls_pkcs7_print ()

int
gnutls_pkcs7_print (gnutls_pkcs7_t pkcs7,
                    gnutls_certificate_print_formats_t format,
                    gnutls_datum_t *out);

gnutls_pkcs7_print_signature_info ()

int
gnutls_pkcs7_print_signature_info (gnutls_pkcs7_signature_info_st *info,
                                   gnutls_certificate_print_formats_t format,
                                   gnutls_datum_t *out);

This function will pretty print a PKCS #7 signature info structure, suitable for display to a human.

Currently the supported formats are GNUTLS_CRT_PRINT_FULL and GNUTLS_CRT_PRINT_COMPACT.

The output out needs to be deallocated using gnutls_free().

Parameters

info

The PKCS7 signature info struct to be printed

 

format

Indicate the format to use

 

out

Newly allocated datum with null terminated string.

 

Returns

On success, GNUTLS_E_SUCCESS (0) is returned, otherwise a negative error value.

Since: 3.6.14

Types and Values

gnutls_pkcs7_t

typedef struct gnutls_pkcs7_int *gnutls_pkcs7_t;

GNUTLS_PKCS7_EDATA_GET_RAW

#define GNUTLS_PKCS7_EDATA_GET_RAW (1<<24)

gnutls_pkcs7_attrs_t

typedef struct gnutls_pkcs7_attrs_st *gnutls_pkcs7_attrs_t;

gnutls_pkcs7_signature_info_st

typedef struct {
	gnutls_sign_algorithm_t algo;
	gnutls_datum_t sig;
	gnutls_datum_t issuer_dn;
	gnutls_datum_t signer_serial;
	gnutls_datum_t issuer_keyid;
	time_t signing_time;
	gnutls_pkcs7_attrs_t signed_attrs;
	gnutls_pkcs7_attrs_t unsigned_attrs;
	char pad[64];
} gnutls_pkcs7_signature_info_st;

GNUTLS_PKCS7_ATTR_ENCODE_OCTET_STRING

#define GNUTLS_PKCS7_ATTR_ENCODE_OCTET_STRING 1

enum gnutls_pkcs7_sign_flags

Enumeration of the different PKCS #7 signature flags.

Members

GNUTLS_PKCS7_EMBED_DATA

The signed data will be embedded in the structure.

 

GNUTLS_PKCS7_INCLUDE_TIME

The signing time will be included in the structure.

 

GNUTLS_PKCS7_INCLUDE_CERT

The signer's certificate will be included in the cert list.

 

GNUTLS_PKCS7_WRITE_SPKI

Use the signer's key identifier instead of name.

 

gnutls_pkcs7_int

typedef struct {
	asn1_node pkcs7;

	char encap_data_oid[MAX_OID_SIZE];

	gnutls_datum_t der_signed_data;
	asn1_node signed_data;
	unsigned expanded;
} gnutls_pkcs7_int;