2 * Copyright (c) 2008-2018 Apple Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
21 * @APPLE_LICENSE_HEADER_END@
28 #include <CoreFoundation/CoreFoundation.h>
29 #include <Security/SecIdentity.h>
30 #include <Security/SecPolicy.h>
31 #include <Security/SecTrust.h>
33 #ifndef _SECURITY_SECCMS_H_
34 #define _SECURITY_SECCMS_H_
/*
 * Keys for the `parameters` dictionary of SecCMSCreateSignedData (its @param
 * note below says the dictionary selects the algorithm, detached mode and
 * whether `data` is already a digest). The semantics of the other keys are not
 * documented in this header — confirm against the implementation before use.
 */
extern const void * kSecCMSSignDigest;
extern const void * kSecCMSSignDetached;
extern const void * kSecCMSSignHashAlgorithm;
extern const void * kSecCMSCertChainMode;
extern const void * kSecCMSAdditionalCerts;
extern const void * kSecCMSSignedAttributes;
extern const void * kSecCMSSignDate;
extern const void * kSecCMSAllCerts;
extern const void * kSecCMSHashAgility;
extern const void * kSecCMSHashAgilityV2;
extern const void * kSecCMSExpirationDate;

/*
 * Presumably the key and values for the `params` ("encryption parameters")
 * dictionary of SecCMSCreateEnvelopedData; not documented here. DES-CBC is a
 * legacy 56-bit-key cipher — new enveloped messages should select AES-CBC.
 */
extern const void * kSecCMSBulkEncryptionAlgorithm;
extern const void * kSecCMSEncryptionAlgorithmDESCBC;
extern const void * kSecCMSEncryptionAlgorithmAESCBC;

/* By name, a value for kSecCMSCertChainMode; exact effect not documented here. */
extern const void * kSecCMSCertChainModeNone;

/*
 * Hash algorithm identifiers — presumably the values accepted for
 * kSecCMSSignHashAlgorithm. MD5 is deprecated (see the attribute) and must not
 * be used for new signatures; SHA-1 is also no longer considered adequate for
 * signatures, so prefer SHA-256 or stronger where the peer supports it.
 */
extern const void * kSecCMSHashingAlgorithmMD5
    __API_DEPRECATED("Disuse this constant in order to upgrade to SHA-1", ios(3.1, 10.0), macos(10.15, 10.15));
extern const void * kSecCMSHashingAlgorithmSHA1;
extern const void * kSecCMSHashingAlgorithmSHA256;
extern const void * kSecCMSHashingAlgorithmSHA384;
extern const void * kSecCMSHashingAlgorithmSHA512;
/*!
    @function SecCMSVerifyCopyDataAndAttributes
    @abstract Verify a signed-data CMS blob.
    @param message The CMS message to be parsed.
    @param detached_contents Pass the detached contents here (optional).
    @param policy The policy, or array of policies, to verify against (optional).
        If none is passed the blob will **not** be verified and only the
        attached contents will be returned — callers must not treat the
        returned contents as authenticated in that case.
    @param trustref (output/optional) If specified, the trust chain built during
        verification will not be evaluated but returned to the caller to do so;
        the caller is then responsible for evaluating it (e.g. SecTrustEvaluate)
        before accepting the signer.
    @param attached_contents (output/optional) Returns a copy of the attached
        contents.
    @param signed_attributes (output/optional) Returns a copy of the signed
        attributes as a CFDictionary from OIDs (CFData) to values.
    @result A result code. See "Security Error Codes" (SecBase.h).
        errSecDecode: not a CMS message we can parse.
        errSecAuthFailed: bad signature, or untrusted signer when trust is
            evaluated inside this call (i.e. the caller did not ask for trustref).
        errSecParam: garbage in, garbage out.
 */
OSStatus SecCMSVerifyCopyDataAndAttributes(CFDataRef message,
                                           CFDataRef detached_contents,
                                           CFTypeRef policy,
                                           SecTrustRef *trustref,
                                           CFDataRef *attached_contents,
                                           CFDictionaryRef *signed_attributes);
/*!
    @function SecCMSVerify
    @abstract Same as SecCMSVerifyCopyDataAndAttributes, kept for binary
        compatibility; it lacks only the signed_attributes output.
        The same caveats apply: a NULL policy means no verification, and a
        requested trustref is returned unevaluated.
 */
OSStatus SecCMSVerify(CFDataRef message,
                      CFDataRef detached_contents,
                      CFTypeRef policy,
                      SecTrustRef *trustref,
                      CFDataRef *attached_contents);
/*!
    @function SecCMSVerifySignedData
    @abstract Undocumented in this header. From its signature it appears to be
        the SecCMSVerifyCopyDataAndAttributes variant that also accepts
        additional_certificates (presumably made available for chain building)
        and returns message_attributes — confirm against the implementation.
 */
OSStatus SecCMSVerifySignedData(CFDataRef message,
                                CFDataRef detached_contents,
                                CFTypeRef policy,
                                SecTrustRef *trustref,
                                CFArrayRef additional_certificates,
                                CFDataRef *attached_contents,
                                CFDictionaryRef *message_attributes);
/*
 * Return an array of the certificates contained in message if message is of
 * type SignedData and has no signers; return NULL otherwise. Note that if the
 * message is properly formed but carries no certificates, an empty array is
 * returned. Because a certificates-only message has no signers, nothing about
 * it is authenticated: the returned certificates are untrusted input until the
 * caller evaluates them against a policy.
 */
CFArrayRef SecCMSCertificatesOnlyMessageCopyCertificates(CFDataRef message);
/* Create a degenerate PKCS#7 (no signers) containing a cert or a CFArray of certs. */
CFDataRef SecCMSCreateCertificatesOnlyMessage(CFTypeRef cert_or_array_thereof);
/*
 * Single-certificate variant of SecCMSCreateCertificatesOnlyMessage. What the
 * "IAP" suffix changes about the encoding is not documented in this header.
 */
CFDataRef SecCMSCreateCertificatesOnlyMessageIAP(SecCertificateRef cert);
/*!
    @function SecCMSSignDataAndAttributes
    @abstract Create a signed-data CMS blob.
    @param identity The signer.
    @param data The message to be signed.
    @param detached Whether to produce a detached signature (true) or to embed
        the content (false).
    @param signed_data (output) Receives the signed message.
    @param signed_attributes (input/optional) Signed attributes to insert, as a
        CFDictionary from OIDs (CFData) to values (CFData).
    @result A result code. See "Security Error Codes" (SecBase.h).
        errSecParam: garbage in, garbage out.
 */
OSStatus SecCMSSignDataAndAttributes(SecIdentityRef identity,
                                     CFDataRef data,
                                     bool detached,
                                     CFMutableDataRef signed_data,
                                     CFDictionaryRef signed_attributes);
/*!
    @function SecCMSSignDigestAndAttributes
    @abstract Create a detached signed-data CMS blob for a SHA-1 hash.
        SHA-1 is no longer considered adequate for signatures; new code should
        use SecCMSCreateSignedData, whose parameters dictionary can select a
        stronger hash algorithm.
    @param identity The signer.
    @param digest SHA-1 digest of the message to be signed.
    @param signed_data (output) Receives the signed message.
    @param signed_attributes (input/optional) Signed attributes to insert, as a
        CFDictionary from OIDs (CFData) to values (CFData).
    @result A result code. See "Security Error Codes" (SecBase.h).
        errSecParam: garbage in, garbage out.
 */
OSStatus SecCMSSignDigestAndAttributes(SecIdentityRef identity,
                                       CFDataRef digest,
                                       CFMutableDataRef signed_data,
                                       CFDictionaryRef signed_attributes);
/*!
    @function SecCMSCreateSignedData
    @abstract Create a signed-data CMS blob.
    @param identity The signer.
    @param data SHA-1 digest or message to be signed; which one it is, and the
        hash algorithm used, are selected through parameters.
    @param parameters (input/optional) Specifies algorithm, detached mode and
        whether data is a digest (see the kSecCMS… keys above).
    @param signed_attributes (input/optional) Signed attributes to insert, as a
        CFDictionary from OIDs (CFData) to values (CFData).
    @param signed_data (output) Receives the signed message.
    @result A result code. See "Security Error Codes" (SecBase.h).
        errSecParam: garbage in, garbage out.
 */
OSStatus SecCMSCreateSignedData(SecIdentityRef identity,
                                CFDataRef data,
                                CFDictionaryRef parameters,
                                CFDictionaryRef signed_attributes,
                                CFMutableDataRef signed_data);
/*!
    @function SecCMSCreateEnvelopedData
    @abstract Create an enveloped CMS blob for one or more recipients.
    @param recipient_or_cfarray_thereof A SecCertificateRef, or a CFArray of
        them, one per recipient.
    @param params CFDictionaryRef with encryption parameters (see the
        kSecCMSBulkEncryptionAlgorithm key and its values above).
    @param data Data to be encrypted.
    @param enveloped_data (output) Receives the enveloped message.
    @result A result code. See "Security Error Codes" (SecBase.h).
        errSecParam: garbage in, garbage out.
 */
OSStatus SecCMSCreateEnvelopedData(CFTypeRef recipient_or_cfarray_thereof,
                                   CFDictionaryRef params,
                                   CFDataRef data,
                                   CFMutableDataRef enveloped_data);
/*!
    @function SecCMSDecryptEnvelopedData
    @abstract Open an enveloped CMS blob. Expects the recipient's identity to be
        in the keychain. Note that decryption alone does not authenticate the
        sender; verify an accompanying signature separately if origin matters.
    @param message The enveloped message.
    @param data (output) Receives the decrypted message.
    @param recipient (output/optional) Returns the addressed recipient.
    @result A result code. See "Security Error Codes" (SecBase.h).
        errSecParam: garbage in, garbage out.
 */
OSStatus SecCMSDecryptEnvelopedData(CFDataRef message,
                                    CFMutableDataRef data,
                                    SecCertificateRef *recipient);
182 #endif /* !_SECURITY_SECCMS_H_ */