| 1 | =pod
|
|---|
| 2 |
|
|---|
| 3 | =head1 NAME
|
|---|
| 4 |
|
|---|
| 5 | PKCS7_sign_add_signer,
|
|---|
| 6 | PKCS7_add_certificate, PKCS7_add_crl - add information to PKCS7 structure
|
|---|
| 7 |
|
|---|
| 8 | =head1 SYNOPSIS
|
|---|
| 9 |
|
|---|
| 10 | #include <openssl/pkcs7.h>
|
|---|
| 11 |
|
|---|
| 12 | PKCS7_SIGNER_INFO *PKCS7_sign_add_signer(PKCS7 *p7, X509 *signcert,
|
|---|
| 13 | EVP_PKEY *pkey, const EVP_MD *md, int flags);
|
|---|
| 14 | int PKCS7_add_certificate(PKCS7 *p7, X509 *cert);
|
|---|
| 15 | int PKCS7_add_crl(PKCS7 *p7, X509_CRL *crl);
|
|---|
| 16 |
|
|---|
| 17 | =head1 DESCRIPTION
|
|---|
| 18 |
|
|---|
| 19 | PKCS7_sign_add_signer() adds a signer with certificate I<signcert> and private
|
|---|
| 20 | key I<pkey> using message digest I<md> to a PKCS7 signed data structure I<p7>.
|
|---|
| 21 |
|
|---|
| 22 | The B<PKCS7> structure should be obtained from an initial call to PKCS7_sign()
|
|---|
| 23 | with the flag B<PKCS7_PARTIAL> set or in the case or re-signing a valid PKCS#7
|
|---|
| 24 | signed data structure.
|
|---|
| 25 |
|
|---|
| 26 | If the I<md> parameter is NULL then the default digest for the public
|
|---|
| 27 | key algorithm will be used.
|
|---|
| 28 |
|
|---|
| 29 | Unless the B<PKCS7_REUSE_DIGEST> flag is set the returned B<PKCS7> structure
|
|---|
| 30 | is not complete and must be finalized either by streaming (if applicable) or
|
|---|
| 31 | a call to PKCS7_final().
|
|---|
| 32 |
|
|---|
| 33 |
|
|---|
| 34 | =head1 NOTES
|
|---|
| 35 |
|
|---|
| 36 | The main purpose of this function is to provide finer control over a PKCS#7
|
|---|
| 37 | signed data structure where the simpler PKCS7_sign() function defaults are
|
|---|
| 38 | not appropriate. For example if multiple signers or non default digest
|
|---|
| 39 | algorithms are needed.
|
|---|
| 40 |
|
|---|
| 41 | Any of the following flags (ored together) can be passed in the I<flags>
|
|---|
| 42 | parameter.
|
|---|
| 43 |
|
|---|
| 44 | If B<PKCS7_REUSE_DIGEST> is set then an attempt is made to copy the content
|
|---|
| 45 | digest value from the B<PKCS7> structure: to add a signer to an existing structure.
|
|---|
| 46 | An error occurs if a matching digest value cannot be found to copy. The
|
|---|
| 47 | returned B<PKCS7> structure will be valid and finalized when this flag is set.
|
|---|
| 48 |
|
|---|
| 49 | If B<PKCS7_PARTIAL> is set in addition to B<PKCS7_REUSE_DIGEST> then the
|
|---|
| 50 | B<PKCS7_SIGNER_INO> structure will not be finalized so additional attributes
|
|---|
| 51 | can be added. In this case an explicit call to PKCS7_SIGNER_INFO_sign() is
|
|---|
| 52 | needed to finalize it.
|
|---|
| 53 |
|
|---|
| 54 | If B<PKCS7_NOCERTS> is set the signer's certificate will not be included in the
|
|---|
| 55 | B<PKCS7> structure, the signer's certificate must still be supplied in the
|
|---|
| 56 | I<signcert> parameter though. This can reduce the size of the signature if the
|
|---|
| 57 | signers certificate can be obtained by other means: for example a previously
|
|---|
| 58 | signed message.
|
|---|
| 59 |
|
|---|
| 60 | The signedData structure includes several PKCS#7 authenticatedAttributes
|
|---|
| 61 | including the signing time, the PKCS#7 content type and the supported list of
|
|---|
| 62 | ciphers in an SMIMECapabilities attribute. If B<PKCS7_NOATTR> is set then no
|
|---|
| 63 | authenticatedAttributes will be used. If B<PKCS7_NOSMIMECAP> is set then just
|
|---|
| 64 | the SMIMECapabilities are omitted.
|
|---|
| 65 |
|
|---|
| 66 | If present the SMIMECapabilities attribute indicates support for the following
|
|---|
| 67 | algorithms: triple DES, 128 bit RC2, 64 bit RC2, DES and 40 bit RC2. If any of
|
|---|
| 68 | these algorithms is disabled then it will not be included.
|
|---|
| 69 |
|
|---|
| 70 | PKCS7_sign_add_signers() returns an internal pointer to the B<PKCS7_SIGNER_INFO>
|
|---|
| 71 | structure just added, which can be used to set additional attributes
|
|---|
| 72 | before it is finalized.
|
|---|
| 73 |
|
|---|
| 74 | PKCS7_add_certificate() adds to the B<PKCS7> structure I<p7> the certificate
|
|---|
| 75 | I<cert>, which may be an end-entity (signer) certificate
|
|---|
| 76 | or a CA certificate useful for chain building.
|
|---|
| 77 | This is done internally by L<PKCS7_sign_ex(3)> and similar signing functions.
|
|---|
| 78 | It may have to be used before calling L<PKCS7_verify(3)>
|
|---|
| 79 | in order to provide any missing certificate(s) needed for verification.
|
|---|
| 80 |
|
|---|
| 81 | PKCS7_add_crl() adds the CRL I<crl> to the B<PKCS7> structure I<p7>.
|
|---|
| 82 | This may be called to provide certificate status information
|
|---|
| 83 | to be included when signing or to use when verifying the B<PKCS7> structure.
|
|---|
| 84 |
|
|---|
| 85 | =head1 RETURN VALUES
|
|---|
| 86 |
|
|---|
| 87 | PKCS7_sign_add_signers() returns an internal pointer to the B<PKCS7_SIGNER_INFO>
|
|---|
| 88 | structure just added or NULL if an error occurs.
|
|---|
| 89 |
|
|---|
| 90 | PKCS7_add_certificate() and PKCS7_add_crl() return 1 on success, 0 on error.
|
|---|
| 91 |
|
|---|
| 92 | =head1 SEE ALSO
|
|---|
| 93 |
|
|---|
| 94 | L<ERR_get_error(3)>, L<PKCS7_sign_ex(3)>,
|
|---|
| 95 | L<PKCS7_final(3)>, L<PKCS7_verify(3)>
|
|---|
| 96 |
|
|---|
| 97 | =head1 HISTORY
|
|---|
| 98 |
|
|---|
| 99 | The PPKCS7_sign_add_signer() function was added in OpenSSL 1.0.0.
|
|---|
| 100 |
|
|---|
| 101 | =head1 COPYRIGHT
|
|---|
| 102 |
|
|---|
| 103 | Copyright 2007-2022 The OpenSSL Project Authors. All Rights Reserved.
|
|---|
| 104 |
|
|---|
| 105 | Licensed under the Apache License 2.0 (the "License"). You may not use
|
|---|
| 106 | this file except in compliance with the License. You can obtain a copy
|
|---|
| 107 | in the file LICENSE in the source distribution or at
|
|---|
| 108 | L<https://www.openssl.org/source/license.html>.
|
|---|
| 109 |
|
|---|
| 110 | =cut
|
|---|
