2 * Copyright (c) 2008-2010,2012-2013 Apple Inc. All Rights Reserved.
4 * @APPLE_LICENSE_HEADER_START@
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
21 * @APPLE_LICENSE_HEADER_END@
28 #include <CoreFoundation/CoreFoundation.h>
29 #include <Security/SecIdentity.h>
30 #include <Security/SecPolicy.h>
31 #include <Security/SecTrust.h>
33 #ifndef _SECURITY_SECCMS_H_
34 #define _SECURITY_SECCMS_H_
38 extern const void * kSecCMSBulkEncryptionAlgorithm
;
39 extern const void * kSecCMSSignDigest
;
40 extern const void * kSecCMSSignDetached
;
41 extern const void * kSecCMSSignHashAlgorithm
;
42 extern const void * kSecCMSCertChainMode
;
43 extern const void * kSecCMSAdditionalCerts
;
44 extern const void * kSecCMSSignedAttributes
;
45 extern const void * kSecCMSSignDate
;
46 extern const void * kSecCMSAllCerts
;
47 extern const void * kSecCMSHashAgility
;
48 extern const void * kSecCMSHashAgilityV2
;
50 extern const void * kSecCMSEncryptionAlgorithmDESCBC
;
51 extern const void * kSecCMSEncryptionAlgorithmAESCBC
;
52 extern const void * kSecCMSHashingAlgorithmMD5
53 __IOS_DEPRECATED(__IPHONE_3_1
, __IPHONE_10_0
, "Disuse this constant in order to upgrade to SHA-1");
54 extern const void * kSecCMSCertChainModeNone
;
56 extern const void * kSecCMSHashingAlgorithmSHA1
;
57 extern const void * kSecCMSHashingAlgorithmSHA256
;
58 extern const void * kSecCMSHashingAlgorithmSHA384
;
59 extern const void * kSecCMSHashingAlgorithmSHA512
;
62 @function SecCMSVerifyCopyDataAndAttributes
63 @abstract verify a signed data cms blob.
64 @param message the cms message to be parsed
65 @param detached_contents to pass detached contents (optional)
66 @param policy specifies policy or array thereof should be used (optional).
67 if none is passed the blob will **not** be verified and only
68 the attached contents will be returned.
69 @param trustref (output/optional) if specified, the trust chain built during
70 verification will not be evaluated but returned to the caller to do so.
71 @param attached_contents (output/optional) return a copy of the attached
73 @param signed_attributes (output/optional) return a copy of the signed
74 attributes as a CFDictionary from oids (CFData) to values
76 @result A result code. See "Security Error Codes" (SecBase.h).
77 errSecDecode not a CMS message we can parse,
78 errSecAuthFailed bad signature, or untrusted signer if caller doesn't
80 errSecParam garbage in, garbage out.
82 OSStatus
SecCMSVerifyCopyDataAndAttributes(CFDataRef message
, CFDataRef detached_contents
,
83 CFTypeRef policy
, SecTrustRef
*trustref
,
84 CFDataRef
*attached_contents
, CFDictionaryRef
*signed_attributes
);
87 @function SecCMSVerify
88 @abstract same as SecCMSVerifyCopyDataAndAttributes, for binary compatibility.
90 OSStatus
SecCMSVerify(CFDataRef message
, CFDataRef detached_contents
,
91 CFTypeRef policy
, SecTrustRef
*trustref
, CFDataRef
*attached_contents
);
94 /* Return an array of certificates contained in message, if message is of the
95 type SignedData and has no signers, return NULL otherwise. Not that if
96 the message is properly formed but has no certificates an empty array will
98 CFArrayRef
SecCMSCertificatesOnlyMessageCopyCertificates(CFDataRef message
);
100 /* Create a degenerate PKCS#7 containing a cert or a CFArray of certs. */
101 CFDataRef
SecCMSCreateCertificatesOnlyMessage(CFTypeRef cert_or_array_thereof
);
102 CFDataRef
SecCMSCreateCertificatesOnlyMessageIAP(SecCertificateRef cert
);
105 @function SecCMSSignDataAndAttributes
106 @abstract create a signed data cms blob.
107 @param identity signer
108 @param data message to be signed
109 @param detached sign detached or not
110 @param signed_data (output) return signed message.
111 @param signed_attributes (input/optional) signed attributes to insert
112 as a CFDictionary from oids (CFData) to value (CFData).
113 @result A result code. See "Security Error Codes" (SecBase.h).
114 errSecParam garbage in, garbage out.
116 OSStatus
SecCMSSignDataAndAttributes(SecIdentityRef identity
, CFDataRef data
,
117 bool detached
, CFMutableDataRef signed_data
, CFDictionaryRef signed_attributes
);
120 @function SecCMSSignDigestAndAttributes
121 @abstract create a detached signed data cms blob for a SHA-1 hash.
122 @param identity signer
123 @param digest SHA-1 digest of message to be signed
124 @param signed_data (output) return signed message.
125 @param signed_attributes (input/optional) signed attributes to insert
126 as a CFDictionary from oids (CFData) to value (CFData).
127 @result A result code. See "Security Error Codes" (SecBase.h).
128 errSecParam garbage in, garbage out.
130 OSStatus
SecCMSSignDigestAndAttributes(SecIdentityRef identity
, CFDataRef digest
,
131 CFMutableDataRef signed_data
, CFDictionaryRef signed_attributes
);
134 @function SecCMSCreateSignedData
135 @abstract create a signed data cms blob.
136 @param identity signer
137 @param data SHA-1 digest or message to be signed
138 @param parameters (input/optional) specify algorithm, detached, digest
139 @param signed_attributes (input/optional) signed attributes to insert
140 as a CFDictionary from oids (CFData) to value (CFData).
141 @param signed_data (output) return signed message.
142 @result A result code. See "Security Error Codes" (SecBase.h).
143 errSecParam garbage in, garbage out.
145 OSStatus
SecCMSCreateSignedData(SecIdentityRef identity
, CFDataRef data
,
146 CFDictionaryRef parameters
, CFDictionaryRef signed_attributes
,
147 CFMutableDataRef signed_data
);
150 @function SecCMSCreateEnvelopedData
151 @abstract create a enveloped cms blob for recipients
152 @param recipient_or_cfarray_thereof SecCertificateRef for each recipient
153 @param params CFDictionaryRef with encryption parameters
154 @param data Data to be encrypted
155 @param enveloped_data (output) return enveloped message.
156 @result A result code. See "Security Error Codes" (SecBase.h).
157 errSecParam garbage in, garbage out.
159 OSStatus
SecCMSCreateEnvelopedData(CFTypeRef recipient_or_cfarray_thereof
,
160 CFDictionaryRef params
, CFDataRef data
, CFMutableDataRef enveloped_data
);
164 @function SecCMSDecryptEnvelopedData
165 @abstract open an enveloped cms blob. expects recipients identity in keychain.
166 @param message Eveloped message
167 @param data (output) return decrypted message.
168 @param recipient (output/optional) return addressed recipient
169 @result A result code. See "Security Error Codes" (SecBase.h).
170 errSecParam garbage in, garbage out.
172 OSStatus
SecCMSDecryptEnvelopedData(CFDataRef message
,
173 CFMutableDataRef data
, SecCertificateRef
*recipient
);
175 OSStatus
SecCMSVerifySignedData(CFDataRef message
, CFDataRef detached_contents
,
176 CFTypeRef policy
, SecTrustRef
*trustref
, CFArrayRef additional_certificates
,
177 CFDataRef
*attached_contents
, CFDictionaryRef
*message_attributes
);
181 #endif /* !_SECURITY_SECCMS_H_ */