/** @file
* IPRT - Public Key Infrastructure APIs.
*/
/*
* Copyright (C) 2006-2014 Oracle Corporation
*
* This file is part of VirtualBox Open Source Edition (OSE), as
* available from http://www.virtualbox.org. This file is free software;
* General Public License (GPL) as published by the Free Software
* Foundation, in version 2 as it comes in the "COPYING" file of the
* VirtualBox OSE distribution. VirtualBox OSE is distributed in the
* hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
*
* The contents of this file may alternatively be used under the terms
* of the Common Development and Distribution License Version 1.0
* (CDDL) only, as it comes in the "COPYING.CDDL" file of the
* VirtualBox OSE distribution, in which case the provisions of the
* CDDL are applicable instead of those of the GPL.
*
* You may elect to license modified versions of this file under the
* terms and conditions of either the GPL or the CDDL or both.
*/
#ifndef ___iprt_crypto_pkix_h
#define ___iprt_crypto_pkix_h
/** @defgroup grp_rt_crpkix RTCrPkix - Public Key Infrastructure APIs
* @ingroup grp_rt_crypto
* @{
*/
/**
* Verifies the signature (@a pSignatureValue) of the give data (@a pvData)
* using the specfied public key (@a pPublicKey) and algorithm.
*
* @returns IPRT status code.
* @param pAlgorithm The signature algorithm (digest w/ cipher).
* @param pParameters Parameter to the public key algorithm. Optional.
* @param pPublicKey The public key.
* @param pSignatureValue The signature value.
* @param pvData The signed data.
* @param cbData The amount of signed data.
* @param pErrInfo Where to return extended error info. Optional.
*/
RTDECL(int) RTCrPkixPubKeyVerifySignature(PCRTASN1OBJID pAlgorithm, PCRTASN1DYNTYPE pParameters, PCRTASN1BITSTRING pPublicKey,
/**
* Gets the cipher OID matching the given signature algorithm.
*
* @returns Cipher OID string on success, NULL on failure.
* @param pAlgorithm The signature algorithm (digest w/ cipher).
*/
/** @name PKCS-1 Object Identifiers (OIDs)
* @{ */
/** @} */
/**
* Public key signature scheme provider descriptor.
*/
typedef struct RTCRPKIXSIGNATUREDESC
{
/** The signature scheme provider name. */
const char *pszName;
/** The object ID string. */
const char *pszObjId;
/** Pointer to a NULL terminated table of alias object IDs (optional). */
const char * const *papszObjIdAliases;
/** The size of the state. */
/** Reserved for future / explicit padding. */
/** Provider specific field. This generally indicates the kind of padding
* scheme to employ with the given OID. */
/**
* Initializes the state of the signature scheme provider.
*
* Optional, RT_BZERO will be used if NULL.
*
* @returns IPRT status code.
* @param pDesc Pointer to this structure (for uProviderSpecific).
* @param pvState The opaque provider state.
* @param pvOpaque Opaque provider specific parameter.
* @param fSigning Set if a signing operation is going to be performed,
* clear if it is a verification. This is a fixed
* setting for the lifetime of the instance due to the
* algorithm requiring different keys.
* @param pKey The key to use (whether private or public depends on
* the operation).
* none.
*/
DECLCALLBACKMEMBER(int, pfnInit)(struct RTCRPKIXSIGNATUREDESC const *pDesc, void *pvState, void *pvOpaque, bool fSigning,
/**
* Resets the state before performing another signing or verification.
*
* Optional. It is assumed that the provider does not have any state needing to
* be re-initialized if this method is not implemented.
*
* @returns IPRT status code.
* @param pDesc Pointer to this structure (for uProviderSpecific).
* @param pvState The opaque provider state.
* @param fSigning Exactly the same value as the init call.
*/
DECLCALLBACKMEMBER(int, pfnReset)(struct RTCRPKIXSIGNATUREDESC const *pDesc, void *pvState, bool fSigning);
/**
* Deletes the provider state. Optional.
*
* The state will be securely wiped clean after the call, regardless of whether
* the method is implemented or not.
*
* @param pDesc Pointer to this structure (for uProviderSpecific).
* @param pvState The opaque provider state.
* @param fSigning Exactly the same value as the init call.
*/
DECLCALLBACKMEMBER(void, pfnDelete)(struct RTCRPKIXSIGNATUREDESC const *pDesc, void *pvState, bool fSigning);
/**
* Verifies a signed message digest (fSigning = false).
*
* @returns IPRT status code.
* @retval VINF_SUCCESS if the signature checked out correctly.
* @retval VERR_PKIX_KEY wrong key or some other key issue.
*
* @param pDesc Pointer to this structure (for uProviderSpecific).
* @param pvState The opaque provider state.
* @param hDigest The handle to the digest. Call RTCrDigestFinal to
* complete and retreive the final hash value.
* @param pvSignature The signature to validate.
* @param cbSignature The size of the signature (in bytes).
*/
/**
* Sign a message digest (fSigning = true).
*
* @returns IPRT status code.
* @retval VINF_SUCCESS on success.
* @retval VERR_PKIX_KEY wrong key or some other key issue.
* @retval VERR_BUFFER_OVERFLOW if the signature buffer is too small, the
* require buffer size will be available in @a *pcbSignature.
*
* @param pDesc Pointer to this structure (for uProviderSpecific).
* @param pvState The opaque provider state.
* @param hDigest The handle to the digest. Call RTCrDigestFinal to
* complete and retreive the final hash value.
* @param pvSignature The output signature buffer.
* @param pcbSignature On input the variable pointed to holds the size of
* the buffer @a pvSignature points to.
* On return the variable pointed to is set to the size
* of the returned signature, or the required size in
* case of VERR_BUFFER_OVERFLOW.
*/
/** Pointer to a public key signature scheme provider descriptor. */
RTDECL(int) RTCrPkixSignatureCreateByObjIdString(PRTCRPKIXSIGNATURE phSignature, const char *pszObjId, bool fSigning,
RTDECL(int) RTCrPkixSignatureCreateByObjId(PRTCRPKIXSIGNATURE phSignature, PCRTASN1OBJID pObjId, bool fSigning,
RTDECL(int) RTCrPkixSignatureCreate(PRTCRPKIXSIGNATURE phSignature, PCRTCRPKIXSIGNATUREDESC pDesc, void *pvOpaque,
RTDECL(int) RTCrPkixSignatureVerifyBitString(RTCRPKIXSIGNATURE hSignature, RTCRDIGEST hDigest, PCRTASN1BITSTRING pSignature);
RTDECL(int) RTCrPkixSignatureVerifyOctetString(RTCRPKIXSIGNATURE hSignature, RTCRDIGEST hDigest, PCRTASN1OCTETSTRING pSignature);
/**
* Public key encryption scheme provider descriptor.
*
* @todo This is just a sketch left over from when the signature code was
* chiseled out.
*/
typedef struct RTCRPKIXENCRYPTIONDESC
{
/** The encryption scheme provider name. */
const char *pszName;
/** The object ID string. */
const char *pszObjId;
/** Pointer to a NULL terminated table of alias object IDs (optional). */
const char * const *papszObjIdAliases;
/** The size of the state. */
/** Reserved for future use / padding. */
/** Provider specific field. */
/**
* Initializes the state for this encryption scheme.
*
* Optional, RT_BZERO will be used if NULL.
*
* @returns IPRT status code.
* @param pDesc Pointer to this structure (so uProviderSpecific can
* be read).
* @param pvState The opaque provider state.
* @param pvOpaque Opaque provider specific parameter.
* @param fEncrypt Set if the instance will be encrypting, clear if it
* will be decrypting. This aspect of the instance is
* immutable due to the algorithm requiring different
* keys for each of the operations.
* @param pKey The key to use (whether private or public depends on
* the operation type).
* none.
*/
DECLCALLBACKMEMBER(int, pfnInit)(struct RTCRPKIXENCRYPTIONDESC const *pDesc, void *pvState, void *pvOpaque, bool fEncrypt,
/**
* Re-initializes the provider state.
*
* Optional. It is assumed that the provider does not have any state needing
* to be re-initialized if this method is not implemented. (Do not assume that
*
* @returns IPRT status code.
* @param pDesc Pointer to this structure (so uProviderSpecific can
* be read).
* @param pvState The opaque provider state.
* @param enmOperation Same as for the earlier pfnInit call.
*/
DECLCALLBACKMEMBER(int, pfnReset)(struct RTCRPKIXENCRYPTIONDESC const *pDesc, void *pvState, bool fEncrypt);
/**
* Deletes the provider state. Optional.
*
* The state will be securely wiped clean after the call, regardless of whether
* the method is implemented or not.
*
* @param pDesc Pointer to this structure (so uProviderSpecific can
* be read).
* @param pvState The opaque provider state.
* @param enmOperation Same as for the earlier pfnInit call.
*/
DECLCALLBACKMEMBER(void, pfnDelete)(struct RTCRPKIXENCRYPTIONDESC const *pDesc, void *pvState, bool fEncrypt);
/**
* Encrypt using the public key (fEncrypt = true).
*
* @returns IPRT status code.
* @retval VINF_SUCCESS on success.
* @retval VERR_PKIX_KEY wrong key or some other key issue.
* @retval VERR_BUFFER_OVERFLOW if the output buffer is too small, the require
* buffer size will be available in @a *pcbCiphertext. The caller can
* should retry the call with a larger buffer.
*
* @param pDesc Pointer to this structure (so uProviderSpecific can
* be read).
* @param pvState The opaque provider state.
* @param pvPlaintext The plaintext to encrypt.
* @param cbPlaintext The number of bytes of plaintext.
* @param pvCiphertext Where to return the ciphertext (if any).
* @param cbMaxCiphertext The size of the buffer @a pvCiphertext points to.
* @param pcbCiphertext Where to return the actual number of bytes of
* ciphertext returned.
* @param fFinal Whether this is the final call.
*/
/**
* Calculate the output buffer size for the next pfnEncrypt call.
*
* @returns IPRT status code.
* @param pDesc Pointer to this structure (so uProviderSpecific can
* be read).
* @param pvState The opaque provider state.
* @param cbPlaintext The number of bytes of plaintext.
* @param pcbCiphertext Where to return the minimum buffer size. This may
* be larger than the actual number of bytes return.
* @param fFinal Whether this is the final call.
*/
DECLCALLBACKMEMBER(int, pfnEncryptLength)(struct RTCRPKIXENCRYPTIONDESC const *pDesc, void *pvState,
/**
* Decrypt using the private key (fEncrypt = false).
*
* @returns IPRT status code.
* @retval VINF_SUCCESS on success.
* @retval VERR_PKIX_KEY wrong key or some other key issue.
* @retval VERR_BUFFER_OVERFLOW if the output buffer is too small, the require
* buffer size will be available in @a *pcbCiphertext. The caller can
* should retry the call with a larger buffer.
*
* @param pDesc Pointer to this structure (so uProviderSpecific can
* be read).
* @param pvState The opaque provider state.
* @param pvCiphertext The ciphertext to decrypt.
* @param cbCiphertext The number of bytes of ciphertext.
* @param pvPlaintext Where to return the plaintext (if any).
* @param cbMaxPlaintext The size of the buffer @a pvPlaintext points to.
* @param pcbPlaintext Where to return the actual number of bytes of
* plaintext returned.
* @param fFinal Whether this is the final call.
*/
/**
* Calculate the output buffer size for the next pfnDecrypt call.
*
* @returns IPRT status code.
* @param pDesc Pointer to this structure (so uProviderSpecific can
* be read).
* @param pvState The opaque provider state.
* @param cbCiphertext The number of bytes of ciphertext.
* @param pcbPlaintext Where to return the minimum buffer size. This may
* be larger than the actual number of bytes return.
* @param fFinal Whether this is the final call.
*/
DECLCALLBACKMEMBER(int, pfnDecryptLength)(struct RTCRPKIXENCRYPTIONDESC const *pDesc, void *pvState,
/** Pointer to a public key encryption schema provider descriptor. */
PCRTCRPKIXENCRYPTIONDESC RTCrPkixEncryptionFindByObjIdString(const char *pszObjId, void *ppvOpaque);
RTDECL(int) RTCrPkixEncryptionCreateByObjIdString(PRTCRPKIXENCRYPTION phEncryption, const char *pszObjId,
RTDECL(int) RTCrPkixEncryptionCreateByObjId(PRTCRPKIXENCRYPTION phEncryption, PCRTASN1OBJID pObjId, bool fEncrypt,
RTDECL(int) RTCrPkixEncryptionCreate(PRTCRPKIXENCRYPTION phEncryption, PCRTCRPKIXENCRYPTIONDESC pDesc, void *pvOpaque,
/** @} */
#endif