Functions
Algorithms - PKCS7

Functions

WOLFSSL_API int wc_PKCS7_InitWithCert (PKCS7 *pkcs7, byte *cert, word32 certSz)
 This function initializes a PKCS7 structure with a DER-formatted certificate. To initialize an empty PKCS7 structure, one can pass in a NULL cert and 0 for certSz. More...
 
WOLFSSL_API void wc_PKCS7_Free (PKCS7 *pkcs7)
 This function releases any memory allocated by a PKCS7 initializer. More...
 
WOLFSSL_API int wc_PKCS7_EncodeData (PKCS7 *pkcs7, byte *output, word32 outputSz)
 This function builds the PKCS7 data content type, encoding the PKCS7 structure into a buffer containing a parsable PKCS7 data packet. More...
 
WOLFSSL_API int wc_PKCS7_EncodeSignedData (PKCS7 *pkcs7, byte *output, word32 outputSz)
 This function builds the PKCS7 signed data content type, encoding the PKCS7 structure into a buffer containing a parsable PKCS7 signed data packet. More...
 
WOLFSSL_API int wc_PKCS7_EncodeSignedData_ex (PKCS7 *pkcs7, const byte *hashBuf, word32 hashSz, byte *outputHead, word32 *outputHeadSz, byte *outputFoot, word32 *outputFootSz)
 This function builds the PKCS7 signed data content type, encoding the PKCS7 structure into a header and footer buffer containing a parsable PKCS7 signed data packet. This does not include the content. A hash must be computed and provided for the data. More...
 
WOLFSSL_API int wc_PKCS7_VerifySignedData (PKCS7 *pkcs7, byte *pkiMsg, word32 pkiMsgSz)
 This function takes in a transmitted PKCS7 signed data message, extracts the certificate list and certificate revocation list, and then verifies the signature. It stores the extracted content in the given PKCS7 structure. More...
 
WOLFSSL_API int wc_PKCS7_VerifySignedData_ex (PKCS7 *pkcs7, const byte *hashBuf, word32 hashSz, byte *pkiMsgHead, word32 pkiMsgHeadSz, byte *pkiMsgFoot, word32 pkiMsgFootSz)
 This function takes in a transmitted PKCS7 signed data message as hash/header/footer, then extracts the certificate list and certificate revocation list, and then verifies the signature. It stores the extracted content in the given PKCS7 structure. More...
 
WOLFSSL_API int wc_PKCS7_EncodeEnvelopedData (PKCS7 *pkcs7, byte *output, word32 outputSz)
 This function builds the PKCS7 enveloped data content type, encoding the PKCS7 structure into a buffer containing a parsable PKCS7 enveloped data packet. More...
 
WOLFSSL_API int wc_PKCS7_DecodeEnvelopedData (PKCS7 *pkcs7, byte *pkiMsg, word32 pkiMsgSz, byte *output, word32 outputSz)
 This function unwraps and decrypts a PKCS7 enveloped data content type, decoding the message into output. It uses the private key of the PKCS7 object passed in to decrypt the message. More...
 

Detailed Description

Function Documentation

◆ wc_PKCS7_DecodeEnvelopedData()

WOLFSSL_API int wc_PKCS7_DecodeEnvelopedData ( PKCS7 pkcs7,
byte *  pkiMsg,
word32  pkiMsgSz,
byte *  output,
word32  outputSz 
)

This function unwraps and decrypts a PKCS7 enveloped data content type, decoding the message into output. It uses the private key of the PKCS7 object passed in to decrypt the message.

Returns
On successfully extracting the information from the message, returns the bytes written to output
BAD_FUNC_ARG Returned if one of the input parameters is invalid
ASN_PARSE_E Returned if there is an error parsing from the given pkiMsg
PKCS7_OID_E Returned if the given pkiMsg is not an enveloped data type
ASN_VERSION_E Returned if the PKCS7 signer info is not version 0
MEMORY_E Returned if there is an error allocating memory
ALGO_ID_E Returned if the PKCS7 structure is using an unsupported algorithm type. Currently, only DESb and DES3b are supported for encryption, with RSAk for signature generation
PKCS7_RECIP_E Returned if there is no recipient found in the enveloped data that matches the recipient provided
RSA_BUFFER_E Returned if there is an error during RSA signature verification due to buffer error, output too small or input too large.
MP_INIT_E may be returned if there is an error during signature verification
MP_READ_E may be returned if there is an error during signature verification
MP_CMP_E may be returned if there is an error during signature verification
MP_INVMOD_E may be returned if there is an error during signature verification
MP_EXPTMOD_E may be returned if there is an error during signature verification
MP_MOD_E may be returned if there is an error during signature verification
MP_MUL_E may be returned if there is an error during signature verification
MP_ADD_E may be returned if there is an error during signature verification
MP_MULMOD_E may be returned if there is an error during signature verification
MP_TO_E may be returned if there is an error during signature verification
MP_MEM may be returned if there is an error during signature verification
Parameters
pkcs7pointer to the PKCS7 structure containing the private key with which to decode the enveloped data package
pkiMsgpointer to the buffer containing the enveloped data package
pkiMsgSzsize of the enveloped data package
outputpointer to the buffer in which to store the decoded message
outputSzsize available in the output buffer

Example

PKCS7 pkcs7;
byte received[] = { }; // initialize with received enveloped message
byte decoded[FOURK_BUF];
int decodedSz;
// initialize pkcs7 with certificate
// update key
pkcs7.privateKey = key;
pkcs7.privateKeySz = keySz;
decodedSz = wc_PKCS7_DecodeEnvelopedData(&pkcs7, received,
sizeof(received),decoded, sizeof(decoded));
if ( decodedSz != 0 ) {
// error decoding message
}
See also
wc_PKCS7_InitWithCert
wc_PKCS7_EncodeEnvelopedData

◆ wc_PKCS7_EncodeData()

WOLFSSL_API int wc_PKCS7_EncodeData ( PKCS7 pkcs7,
byte *  output,
word32  outputSz 
)

This function builds the PKCS7 data content type, encoding the PKCS7 structure into a buffer containing a parsable PKCS7 data packet.

Returns
Success On successfully encoding the PKCS7 data into the buffer, returns the index parsed up to in the PKCS7 structure. This index also corresponds to the bytes written to the output buffer.
BUFFER_E Returned if the given buffer is not large enough to hold the encoded certificate
Parameters
pkcs7pointer to the PKCS7 structure to encode
outputpointer to the buffer in which to store the encoded certificate
outputSzsize available in the output buffer

Example

PKCS7 pkcs7;
int ret;
byte derBuff[] = { }; // initialize with DER-encoded certificate
byte pkcs7Buff[FOURK_BUF];
wc_PKCS7_InitWithCert(&pkcs7, derBuff, sizeof(derBuff));
// update message and data to encode
pkcs7.privateKey = key;
pkcs7.privateKeySz = keySz;
pkcs7.content = data;
pkcs7.contentSz = dataSz;
... etc.
ret = wc_PKCS7_EncodeData(&pkcs7, pkcs7Buff, sizeof(pkcs7Buff));
if ( ret != 0 ) {
// error encoding into output buffer
}
See also
wc_PKCS7_InitWithCert

◆ wc_PKCS7_EncodeEnvelopedData()

WOLFSSL_API int wc_PKCS7_EncodeEnvelopedData ( PKCS7 pkcs7,
byte *  output,
word32  outputSz 
)

This function builds the PKCS7 enveloped data content type, encoding the PKCS7 structure into a buffer containing a parsable PKCS7 enveloped data packet.

Returns
Success Returned on successfully encoding the message in enveloped data format, returns the size written to the output buffer
BAD_FUNC_ARG: Returned if one of the input parameters is invalid, or if the PKCS7 structure is missing required elements
ALGO_ID_E Returned if the PKCS7 structure is using an unsupported algorithm type. Currently, only DESb and DES3b are supported
BUFFER_E Returned if the given output buffer is too small to store the output data
MEMORY_E Returned if there is an error allocating memory
RNG_FAILURE_E Returned if there is an error initializing the random number generator for encryption
DRBG_FAILED Returned if there is an error generating numbers with the random number generator used for encryption
Parameters
pkcs7pointer to the PKCS7 structure to encode
outputpointer to the buffer in which to store the encoded certificate
outputSzsize available in the output buffer

Example

PKCS7 pkcs7;
int ret;
byte derBuff[] = { }; // initialize with DER-encoded certificate
byte pkcs7Buff[FOURK_BUF];
wc_PKCS7_InitWithCert(&pkcs7, derBuff, sizeof(derBuff));
// update message and data to encode
pkcs7.privateKey = key;
pkcs7.privateKeySz = keySz;
pkcs7.content = data;
pkcs7.contentSz = dataSz;
... etc.
ret = wc_PKCS7_EncodeEnvelopedData(&pkcs7, pkcs7Buff, sizeof(pkcs7Buff));
if ( ret != 0 ) {
// error encoding into output buffer
}
See also
wc_PKCS7_InitWithCert
wc_PKCS7_DecodeEnvelopedData

◆ wc_PKCS7_EncodeSignedData()

WOLFSSL_API int wc_PKCS7_EncodeSignedData ( PKCS7 pkcs7,
byte *  output,
word32  outputSz 
)

This function builds the PKCS7 signed data content type, encoding the PKCS7 structure into a buffer containing a parsable PKCS7 signed data packet.

Returns
Success On successfully encoding the PKCS7 data into the buffer, returns the index parsed up to in the PKCS7 structure. This index also corresponds to the bytes written to the output buffer.
BAD_FUNC_ARG Returned if the PKCS7 structure is missing one or more required elements to generate a signed data packet
MEMORY_E Returned if there is an error allocating memory
PUBLIC_KEY_E Returned if there is an error parsing the public key
RSA_BUFFER_E Returned if buffer error, output too small or input too large
BUFFER_E Returned if the given buffer is not large enough to hold the encoded certificate
MP_INIT_E may be returned if there is an error generating the signature
MP_READ_E may be returned if there is an error generating the signature
MP_CMP_E may be returned if there is an error generating the signature
MP_INVMOD_E may be returned if there is an error generating the signature
MP_EXPTMOD_E may be returned if there is an error generating the signature
MP_MOD_E may be returned if there is an error generating the signature
MP_MUL_E may be returned if there is an error generating the signature
MP_ADD_E may be returned if there is an error generating the signature
MP_MULMOD_E may be returned if there is an error generating the signature
MP_TO_E may be returned if there is an error generating the signature
MP_MEM may be returned if there is an error generating the signature
Parameters
pkcs7pointer to the PKCS7 structure to encode
outputpointer to the buffer in which to store the encoded certificate
outputSzsize available in the output buffer

Example

PKCS7 pkcs7;
int ret;
byte data[] = {}; // initialize with data to sign
byte derBuff[] = { }; // initialize with DER-encoded certificate
byte pkcs7Buff[FOURK_BUF];
wc_PKCS7_InitWithCert(&pkcs7, derBuff, sizeof(derBuff));
// update message and data to encode
pkcs7.privateKey = key;
pkcs7.privateKeySz = keySz;
pkcs7.content = data;
pkcs7.contentSz = dataSz;
pkcs7.hashOID = SHAh;
pkcs7.rng = &rng;
... etc.
ret = wc_PKCS7_EncodeSignedData(&pkcs7, pkcs7Buff, sizeof(pkcs7Buff));
if ( ret != 0 ) {
// error encoding into output buffer
}
wc_PKCS7_Free(&pkcs7);
See also
wc_PKCS7_InitWithCert
wc_PKCS7_VerifySignedData

◆ wc_PKCS7_EncodeSignedData_ex()

WOLFSSL_API int wc_PKCS7_EncodeSignedData_ex ( PKCS7 pkcs7,
const byte *  hashBuf,
word32  hashSz,
byte *  outputHead,
word32 *  outputHeadSz,
byte *  outputFoot,
word32 *  outputFootSz 
)

This function builds the PKCS7 signed data content type, encoding the PKCS7 structure into a header and footer buffer containing a parsable PKCS7 signed data packet. This does not include the content. A hash must be computed and provided for the data.

Returns
0=Success
BAD_FUNC_ARG Returned if the PKCS7 structure is missing one or more required elements to generate a signed data packet
MEMORY_E Returned if there is an error allocating memory
PUBLIC_KEY_E Returned if there is an error parsing the public key
RSA_BUFFER_E Returned if buffer error, output too small or input too large
BUFFER_E Returned if the given buffer is not large enough to hold the encoded certificate
MP_INIT_E may be returned if there is an error generating the signature
MP_READ_E may be returned if there is an error generating the signature
MP_CMP_E may be returned if there is an error generating the signature
MP_INVMOD_E may be returned if there is an error generating the signature
MP_EXPTMOD_E may be returned if there is an error generating the signature
MP_MOD_E may be returned if there is an error generating the signature
MP_MUL_E may be returned if there is an error generating the signature
MP_ADD_E may be returned if there is an error generating the signature
MP_MULMOD_E may be returned if there is an error generating the signature
MP_TO_E may be returned if there is an error generating the signature
MP_MEM may be returned if there is an error generating the signature
Parameters
pkcs7pointer to the PKCS7 structure to encode
hashBufpointer to computed hash for the content data
hashSzsize of the digest
outputHeadpointer to the buffer in which to store the encoded certificate header
outputHeadSzpointer populated with size of output header buffer and returns actual size
outputFootpointer to the buffer in which to store the encoded certificate footer
outputFootSzpointer populated with size of output footer buffer and returns actual size

Example

PKCS7 pkcs7;
int ret;
byte derBuff[] = { }; // initialize with DER-encoded certificate
byte data[] = {}; // initialize with data to sign
byte pkcs7HeadBuff[FOURK_BUF/2];
byte pkcs7FootBuff[FOURK_BUF/2];
word32 pkcs7HeadSz = (word32)sizeof(pkcs7HeadBuff);
word32 pkcs7FootSz = (word32)sizeof(pkcs7HeadBuff);
enum wc_HashType hashType = WC_HASH_TYPE_SHA;
byte hashBuf[WC_MAX_DIGEST_SIZE];
word32 hashSz = wc_HashGetDigestSize(hashType);
wc_PKCS7_InitWithCert(&pkcs7, derBuff, sizeof(derBuff));
// update message and data to encode
pkcs7.privateKey = key;
pkcs7.privateKeySz = keySz;
pkcs7.content = NULL;
pkcs7.contentSz = dataSz;
pkcs7.hashOID = SHAh;
pkcs7.rng = &rng;
... etc.
// calculate hash for content
ret = wc_HashInit(&hash, hashType);
if (ret == 0) {
ret = wc_HashUpdate(&hash, hashType, data, sizeof(data));
if (ret == 0) {
ret = wc_HashFinal(&hash, hashType, hashBuf);
}
wc_HashFree(&hash, hashType);
}
ret = wc_PKCS7_EncodeSignedData_ex(&pkcs7, hashBuf, hashSz, pkcs7HeadBuff,
&pkcs7HeadSz, pkcs7FootBuff, &pkcs7FootSz);
if ( ret != 0 ) {
// error encoding into output buffer
}
wc_PKCS7_Free(&pkcs7);
See also
wc_PKCS7_InitWithCert
wc_PKCS7_VerifySignedData_ex

◆ wc_PKCS7_Free()

WOLFSSL_API void wc_PKCS7_Free ( PKCS7 pkcs7)

This function releases any memory allocated by a PKCS7 initializer.

Returns
none No returns.
Parameters
pkcs7pointer to the PKCS7 structure to free

Example

PKCS7 pkcs7;
// initialize and use PKCS7 object
See also
wc_PKCS7_InitWithCert

◆ wc_PKCS7_InitWithCert()

WOLFSSL_API int wc_PKCS7_InitWithCert ( PKCS7 pkcs7,
byte *  cert,
word32  certSz 
)

This function initializes a PKCS7 structure with a DER-formatted certificate. To initialize an empty PKCS7 structure, one can pass in a NULL cert and 0 for certSz.

Returns
0 Returned on successfully initializing the PKCS7 structure
MEMORY_E Returned if there is an error allocating memory with XMALLOC
ASN_PARSE_E Returned if there is an error parsing the cert header
ASN_OBJECT_ID_E Returned if there is an error parsing the encryption type from the cert
ASN_EXPECT_0_E Returned if there is a formatting error in the encryption specification of the cert file
ASN_BEFORE_DATE_E Returned if the date is before the certificate start date
ASN_AFTER_DATE_E Returned if the date is after the certificate expiration date
ASN_BITSTR_E Returned if there is an error parsing a bit string from the certificate
ASN_NTRU_KEY_E Returned if there is an error parsing the NTRU key from the certificate
ECC_CURVE_OID_E Returned if there is an error parsing the ECC key from the certificate
ASN_UNKNOWN_OID_E Returned if the certificate is using an unknown key object id
ASN_VERSION_E Returned if the ALLOW_V1_EXTENSIONS option is not defined and the certificate is a V1 or V2 certificate
BAD_FUNC_ARG Returned if there is an error processing the certificate extension
ASN_CRIT_EXT_E Returned if an unfamiliar critical extension is encountered in processing the certificate
ASN_SIG_OID_E Returned if the signature encryption type is not the same as the encryption type of the certificate in the provided file
ASN_SIG_CONFIRM_E Returned if confirming the certification signature fails
ASN_NAME_INVALID_E Returned if the certificate’s name is not permitted by the CA name constraints
ASN_NO_SIGNER_E Returned if there is no CA signer to verify the certificate’s authenticity
Parameters
pkcs7pointer to the PKCS7 structure in which to store the decoded cert
certpointer to a buffer containing a DER formatted ASN.1 certificate with which to initialize the PKCS7 structure
certSzsize of the certificate buffer

Example

PKCS7 pkcs7;
byte derBuff[] = { }; // initialize with DER-encoded certificate
if ( wc_PKCS7_InitWithCert(&pkcs7, derBuff, sizeof(derBuff)) != 0 ) {
// error parsing certificate into pkcs7 format
}
See also
wc_PKCS7_Free

◆ wc_PKCS7_VerifySignedData()

WOLFSSL_API int wc_PKCS7_VerifySignedData ( PKCS7 pkcs7,
byte *  pkiMsg,
word32  pkiMsgSz 
)

This function takes in a transmitted PKCS7 signed data message, extracts the certificate list and certificate revocation list, and then verifies the signature. It stores the extracted content in the given PKCS7 structure.

Returns
0 Returned on successfully extracting the information from the message
BAD_FUNC_ARG Returned if one of the input parameters is invalid
ASN_PARSE_E Returned if there is an error parsing from the given pkiMsg
PKCS7_OID_E Returned if the given pkiMsg is not a signed data type
ASN_VERSION_E Returned if the PKCS7 signer info is not version 1
MEMORY_E Returned if there is an error allocating memory
PUBLIC_KEY_E Returned if there is an error parsing the public key
RSA_BUFFER_E Returned if buffer error, output too small or input too large
BUFFER_E Returned if the given buffer is not large enough to hold the encoded certificate
MP_INIT_E may be returned if there is an error generating the signature
MP_READ_E may be returned if there is an error generating the signature
MP_CMP_E may be returned if there is an error generating the signature
MP_INVMOD_E may be returned if there is an error generating the signature
MP_EXPTMOD_E may be returned if there is an error generating the signature
MP_MOD_E may be returned if there is an error generating the signature
MP_MUL_E may be returned if there is an error generating the signature
MP_ADD_E may be returned if there is an error generating the signature
MP_MULMOD_E may be returned if there is an error generating the signature
MP_TO_E may be returned if there is an error generating the signature
MP_MEM may be returned if there is an error generating the signature
Parameters
pkcs7pointer to the PKCS7 structure in which to store the parsed certificates
pkiMsgpointer to the buffer containing the signed message to verify and decode
pkiMsgSzsize of the signed message

Example

PKCS7 pkcs7;
int ret;
byte pkcs7Buff[] = {}; // the PKCS7 signature
wc_PKCS7_InitWithCert(&pkcs7, NULL, 0);
// update message and data to encode
pkcs7.privateKey = key;
pkcs7.privateKeySz = keySz;
pkcs7.content = data;
pkcs7.contentSz = dataSz;
... etc.
ret = wc_PKCS7_VerifySignedData(&pkcs7, pkcs7Buff, sizeof(pkcs7Buff));
if ( ret != 0 ) {
// error encoding into output buffer
}
wc_PKCS7_Free(&pkcs7);
See also
wc_PKCS7_InitWithCert
wc_PKCS7_EncodeSignedData

◆ wc_PKCS7_VerifySignedData_ex()

WOLFSSL_API int wc_PKCS7_VerifySignedData_ex ( PKCS7 pkcs7,
const byte *  hashBuf,
word32  hashSz,
byte *  pkiMsgHead,
word32  pkiMsgHeadSz,
byte *  pkiMsgFoot,
word32  pkiMsgFootSz 
)

This function takes in a transmitted PKCS7 signed data message as hash/header/footer, then extracts the certificate list and certificate revocation list, and then verifies the signature. It stores the extracted content in the given PKCS7 structure.

Returns
0 Returned on successfully extracting the information from the message
BAD_FUNC_ARG Returned if one of the input parameters is invalid
ASN_PARSE_E Returned if there is an error parsing from the given pkiMsg
PKCS7_OID_E Returned if the given pkiMsg is not a signed data type
ASN_VERSION_E Returned if the PKCS7 signer info is not version 1
MEMORY_E Returned if there is an error allocating memory
PUBLIC_KEY_E Returned if there is an error parsing the public key
RSA_BUFFER_E Returned if buffer error, output too small or input too large
BUFFER_E Returned if the given buffer is not large enough to hold the encoded certificate
MP_INIT_E may be returned if there is an error generating the signature
MP_READ_E may be returned if there is an error generating the signature
MP_CMP_E may be returned if there is an error generating the signature
MP_INVMOD_E may be returned if there is an error generating the signature
MP_EXPTMOD_E may be returned if there is an error generating the signature
MP_MOD_E may be returned if there is an error generating the signature
MP_MUL_E may be returned if there is an error generating the signature
MP_ADD_E may be returned if there is an error generating the signature
MP_MULMOD_E may be returned if there is an error generating the signature
MP_TO_E may be returned if there is an error generating the signature
MP_MEM may be returned if there is an error generating the signature
Parameters
pkcs7pointer to the PKCS7 structure in which to store the parsed certificates
hashBufpointer to computed hash for the content data
hashSzsize of the digest
pkiMsgHeadpointer to the buffer containing the signed message header to verify and decode
pkiMsgHeadSzsize of the signed message header
pkiMsgFootpointer to the buffer containing the signed message footer to verify and decode
pkiMsgFootSzsize of the signed message footer

Example

PKCS7 pkcs7;
int ret;
byte data[] = {}; // initialize with data to sign
byte pkcs7HeadBuff[] = {}; // initialize with PKCS7 header
byte pkcs7FootBuff[] = {}; // initialize with PKCS7 footer
enum wc_HashType hashType = WC_HASH_TYPE_SHA;
byte hashBuf[WC_MAX_DIGEST_SIZE];
word32 hashSz = wc_HashGetDigestSize(hashType);
wc_PKCS7_InitWithCert(&pkcs7, NULL, 0);
// update message and data to encode
pkcs7.privateKey = key;
pkcs7.privateKeySz = keySz;
pkcs7.content = NULL;
pkcs7.contentSz = dataSz;
pkcs7.rng = &rng;
... etc.
// calculate hash for content
ret = wc_HashInit(&hash, hashType);
if (ret == 0) {
ret = wc_HashUpdate(&hash, hashType, data, sizeof(data));
if (ret == 0) {
ret = wc_HashFinal(&hash, hashType, hashBuf);
}
wc_HashFree(&hash, hashType);
}
ret = wc_PKCS7_VerifySignedData_ex(&pkcs7, hashBuf, hashSz, pkcs7HeadBuff,
sizeof(pkcs7HeadBuff), pkcs7FootBuff, sizeof(pkcs7FootBuff));
if ( ret != 0 ) {
// error encoding into output buffer
}
wc_PKCS7_Free(&pkcs7);
See also
wc_PKCS7_InitWithCert
wc_PKCS7_EncodeSignedData_ex