2 * Copyright (c) 2003-2004,2008,2010,2012 Apple Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
21 * @APPLE_LICENSE_HEADER_END@
26 *******************************************************************
28 * In a probably vain attempt to clarify the structure of a PKCS12
29 * PFX, here is a high-level summary.
31 * The top level item in P12 is a PFX.
35 * ContentInfo authSafe; -- from PKCS7
36 * MacData mac; -- optional, password integrity version
39 * The authSafe in a PFX has two legal contentTypes in the P12
40 * world, CT_Data (password integrity mode) or CT_SignedData
41 * (public key integrity mode). The current version of this library
42 * only supports password integrity mode. Thus the integrity of
43 * the whole authSafe item is protected by a MAC in the PFX.
45 * The authSafe.content field is a BER-encoded AuthenticatedSafe.
47 * AuthenticatedSafe = {
48 * SEQUENCE OF ContentInfo;
 * OK. Each ContentInfo in an AuthenticatedSafe can be of type
 * CT_Data, CT_EnvData, or CT_EncryptedData. In the latter two cases the
 * content is decrypted to produce an encoded SafeContents; in the
 * former case the content *is* an encoded SafeContents.
56 * A SafeContents is a sequence of SafeBags.
58 * Each SafeBag can be of several types:
69 #ifndef _PKCS12_TEMPLATES_H_
70 #define _PKCS12_TEMPLATES_H_
72 #include <Security/keyTemplates.h> /* for NSS_Attribute */
73 #include <security_asn1/pkcs7Templates.h> /* will be lib-specific place */
80 * MacData ::= SEQUENCE {
82 * macSalt OCTET STRING,
83 * iterations INTEGER DEFAULT 1
87 NSS_P7_DigestInfo mac
;
89 SecAsn1Item iterations
; // optional
/*
 * SecAsn1Template array for the MacData SEQUENCE described above.
 * Declared extern here, so the definition lives in another translation
 * unit.
 *
 * NOTE(review): the ASN.1 gives iterations as INTEGER DEFAULT 1 and the
 * struct member is marked optional. Code consuming a decoded MacData
 * presumably has to substitute 1 when the field is absent, and should
 * range-check a present value before using it as an iteration count for
 * the MAC key derivation -- confirm against the decoder and its callers.
 */
extern const SecAsn1Template NSS_P12_MacDataTemplate[];
96 * version INTEGER {v3(3)}(v3,...),
97 * authSafe ContentInfo,
98 * macData MacData OPTIONAL
103 * First the top level PFX with unparsed ContentInfo.content.
107 NSS_P7_RawContentInfo authSafe
;
108 NSS_P12_MacData
*macData
;
/*
 * SecAsn1Template array for the top-level PFX whose ContentInfo.content
 * is left unparsed (authSafe is an NSS_P7_RawContentInfo). Declared
 * extern here; defined elsewhere.
 *
 * NOTE(review): in password integrity mode the MAC in the PFX protects
 * the whole authSafe item. Keeping the content raw presumably lets a
 * caller check that MAC over the undecoded bytes before parsing any of
 * the nested, still-untrusted structures -- confirm that callers do so.
 */
extern const SecAsn1Template NSS_P12_RawPFXTemplate[];
114 * And a PFX with a decoded ContentInfo.content.
118 NSS_P7_DecodedContentInfo authSafe
;
119 NSS_P12_MacData
*macData
;
120 } NSS_P12_DecodedPFX
;
/*
 * SecAsn1Template array for a PFX with a decoded ContentInfo.content
 * (authSafe is an NSS_P7_DecodedContentInfo, as in NSS_P12_DecodedPFX).
 * Declared extern here; defined elsewhere.
 *
 * macData is a pointer and the ASN.1 marks it OPTIONAL, so consumers
 * presumably need a NULL check before reading it -- confirm.
 */
extern const SecAsn1Template NSS_P12_DecodedPFXTemplate[];
125 * The CSSMOID_PKCS7_Data-style ContentInfo.content of a PFX
126 * contains an encoded AuthenticatedSafe.
128 * AuthenticatedSafe ::= SEQUENCE OF ContentInfo
129 * -- Data if unencrypted
130 * -- EncryptedData if password-encrypted
131 * -- EnvelopedData if public key-encrypted
134 NSS_P7_DecodedContentInfo
**info
;
135 } NSS_P12_AuthenticatedSafe
;
/*
 * SecAsn1Template array for AuthenticatedSafe, a SEQUENCE OF ContentInfo
 * (Data, EncryptedData or EnvelopedData per the comment above). Declared
 * extern here; defined elsewhere.
 *
 * NOTE(review): both the number of elements and each element's
 * contentType come from the file being parsed. Callers should dispatch
 * on contentType explicitly and reject anything outside the three
 * listed types -- confirm how an unrecognised type surfaces after decode.
 */
extern const SecAsn1Template NSS_P12_AuthenticatedSafeTemplate[];
140 * Individual BagTypes.
/*
 * KeyBag is a plain SecAsn1Item here. Per PKCS #12 a KeyBag carries an
 * unencrypted PKCS #8 PrivateKeyInfo, so the item's bytes are private-key
 * material and should be handled (and cleared after use) as such.
 */
typedef SecAsn1Item NSS_P12_KeyBag;

/* ShroudedKeyBag is the one bag type with a structured alias here. */
typedef NSS_EncryptedPrivateKeyInfo NSS_P12_ShroudedKeyBag;

/* SecretBag is a plain SecAsn1Item. */
typedef SecAsn1Item NSS_P12_SecretBag;

/*
 * SafeContentsBag is a plain SecAsn1Item. A nested SafeContents
 * presumably arrives as an undecoded item, so any recursion into it is
 * the caller's and should be depth-limited -- confirm against the
 * template definition.
 */
typedef SecAsn1Item NSS_P12_SafeContentsBag;
151 * CertBag ::= SEQUENCE {
152 * certId BAG-TYPE.&id ({CertTypes}),
153 * certValue [0] EXPLICIT BAG-TYPE.&Type ({CertTypes}{@certId})
156 * x509Certificate BAG-TYPE ::=
157 * {OCTET STRING IDENTIFIED BY {certTypes 1}}
158 * -- DER-encoded X.509 certificate stored in OCTET STRING
159 * sdsiCertificate BAG-TYPE ::=
160 * {IA5String IDENTIFIED BY {certTypes 2}}
161 * -- Base64-encoded SDSI certificate stored in IA5String
164 CT_Unknown
, // --> ASN_ANY
167 } NSS_P12_CertBagType
;
171 NSS_P12_CertBagType type
;
172 SecAsn1Item certValue
;
/*
 * SecAsn1Template array for the CertBag SEQUENCE described above.
 * Declared extern here; defined elsewhere.
 *
 * The decoded bag carries an NSS_P12_CertBagType `type` next to the
 * certValue item, and CT_Unknown is annotated "--> ASN_ANY". Consumers
 * should check `type` before interpreting certValue and should not
 * treat an unknown type as a DER-encoded X.509 certificate.
 */
extern const SecAsn1Template NSS_P12_CertBagTemplate[];
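 * CRLBag ::= SEQUENCE {
 * certId BAG-TYPE.&id ({CertTypes}),
 * certValue [0] EXPLICIT BAG-TYPE.&Type ({CertTypes}{@certId})
 * x509Certificate BAG-TYPE ::=
 * {OCTET STRING IDENTIFIED BY {certTypes 1}}
 * -- DER-encoded X.509 certificate stored in OCTET STRING
 * sdsiCertificate BAG-TYPE ::=
 * {IA5String IDENTIFIED BY {certTypes 2}}
 * -- Base64-encoded SDSI certificate stored in IA5String
 *
 * NOTE: the ASN.1 above repeats the CertBag definition. PKCS #12
 * (RFC 7292) defines CRLBag with crlId and crlValue over CRLTypes,
 * and its only defined type is x509CRL, {crlTypes 1}, a DER-encoded
 * X.509 CRL stored in an OCTET STRING; there is no SDSI CRL type.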
193 CRT_Unknown
, // --> ASN_ANY
195 } NSS_P12_CrlBagType
;
199 NSS_P12_CrlBagType type
;
200 SecAsn1Item crlValue
;
/*
 * SecAsn1Template array for the CRLBag SEQUENCE. Declared extern here;
 * defined elsewhere.
 *
 * The decoded bag carries an NSS_P12_CrlBagType `type` next to the
 * crlValue item, and CRT_Unknown is annotated "--> ASN_ANY". Consumers
 * should check `type` before interpreting crlValue.
 */
extern const SecAsn1Template NSS_P12_CrlBagTemplate[];
206 * BagId OIDs map to one of these for convenience. Our dynamic
207 * template chooser drops one of these into NSS_P12_SafeBag.type
221 * The ContentInfo.content values of each element in
222 * an AuthenticatedSafe map to a sequence of these - either directly
223 * (contentType CSSMOID_PKCS7_Data, octet string contents are
224 * the DER encoding of this) or indirectly (encrypted or
225 * shrouded, the decrypted content is the DER encoding of this).
229 NSS_P12_SB_Type type
;
231 NSS_P12_KeyBag
*keyBag
;
232 NSS_P12_ShroudedKeyBag
*shroudedKeyBag
;
233 NSS_P12_CertBag
*certBag
;
234 NSS_P12_CrlBag
*crlBag
;
235 NSS_P12_SecretBag
*secretBag
;
236 NSS_P12_SafeContentsBag
*safeContentsBag
;
238 NSS_Attribute
**bagAttrs
; // optional
/*
 * SecAsn1Template array for a SafeBag. Declared extern here; defined
 * elsewhere. Per the comment above, a dynamic template chooser maps the
 * BagId OID to an NSS_P12_SB_Type and stores it in NSS_P12_SafeBag.type.
 *
 * NOTE(review): the bag-specific pointers (keyBag, shroudedKeyBag,
 * certBag, crlBag, secretBag, safeContentsBag) look like alternatives
 * selected by `type`. Read only the one matching `type`, and handle an
 * absent bagAttrs, which is marked optional -- confirm against the full
 * struct definition.
 */
extern const SecAsn1Template NSS_P12_SafeBagTemplate[];
244 * SafeContents, the contents of an element in an AuthenticatedSafe.
247 NSS_P12_SafeBag
**bags
;
249 NSS_P12_SafeContents
;
/*
 * SecAsn1Template array for SafeContents, the contents of an element in
 * an AuthenticatedSafe: a sequence of SafeBags, held in the struct as
 * `NSS_P12_SafeBag **bags`. Declared extern here; defined elsewhere.
 */
extern const SecAsn1Template NSS_P12_SafeContentsTemplate[];
254 * PKCS12-specific algorithm parameters.
255 * A DER encoded version of this is the parameters value of
256 * a CSSM_X509_ALGORITHM_IDENTIFIER used in a
257 * NSS_P7_EncrContentInfo.encrAlg in P12 password privacy mode.
259 * pkcs-12PbeParams ::= SEQUENCE {
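 * NOTE the P12 spec does not place a limit on the value of iterations.
 * I guess we have to assume in actual usage that it's
 * restricted to (0..MAX), i.e., uint32-sized. Whoever consumes the
 * decoded value still has to enforce that range before using it as
 * an iteration count.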
268 * We're also assuming that it is explicitly an unsigned value,
269 * so that the value bytes in the encoding of 0xff would be
274 SecAsn1Item iterations
;
275 } NSS_P12_PBE_Params
;
/*
 * SecAsn1Template array for pkcs-12PbeParams, the PKCS12-specific
 * algorithm parameters described above. Declared extern here; defined
 * elsewhere.
 *
 * NOTE(review): iterations is kept as a raw SecAsn1Item, and the comment
 * above only assumes it is unsigned and uint32-sized. The value comes
 * from the file being parsed, so the consumer should reject an empty or
 * over-long encoding and cap the count before running the password-based
 * key derivation -- confirm where that check lives.
 */
extern const SecAsn1Template NSS_P12_PBE_ParamsTemplate[];
283 #endif /* _PKCS12_TEMPLATES_H_ */