Creates a PKCS #7 SignedData message from application
data.
Format
#include <gskcms.h>
gsk_status gsk_make_signed_data_msg (
    int                  version,
    x509_algorithm_type  digest_algorithm,
    gsk_boolean          include_certificates,
    pkcs_cert_keys *     signer_certificates,
    pkcs_certificates *  ca_certificates,
    gsk_buffer *         data,
    gsk_buffer *         stream)
Parameters
- version
- Specifies the PKCS #7 SignedData version number. Specify 0 to
create a SignedData message as described in PKCS #7 Version 1.4, specify
1 to create a SignedData message as described in PKCS #7 Version 1.5,
or specify 2 to create a SignedData message as described in PKCS #7
Version 1.6.
- digest_algorithm
- Specifies the digest algorithm.
- include_certificates
- Specify TRUE if the signer and certification authority certificates
are to be included in the SignedData message. Specify FALSE if the
certificates are not to be included.
- signer_certificates
- Specifies the certificates and associated private keys for the
message signers. There must be at least one signer.
- ca_certificates
- Specifies the certification authority certificates. Zero or more
certification authority certificates can be included in the SignedData
message. This parameter is ignored if the include_certificates parameter
is set to FALSE. NULL can be specified for this parameter if no CA
certificates are to be included in the message.
- data
- Specifies the application data for the SignedData message.
- stream
- Returns the ASN.1 DER-encoded stream. The application should
call the gsk_free_buffer() routine to release the stream when
it is no longer needed.
Results
The function return value will be
0 if no error is detected. Otherwise, it will be one of the return
codes listed in the gskcms.h include file. These are some
possible errors:
- [CMSERR_ALG_NOT_SUPPORTED]
- The digest algorithm is not supported.
- [CMSERR_CONTENT_NOT_SUPPORTED]
- The content type is not supported.
- [CMSERR_DIGEST_KEY_MISMATCH]
- The digest algorithm is not supported for the private key type.
- [CMSERR_ECURVE_NOT_FIPS_APPROVED]
- Elliptic Curve not supported in FIPS mode.
- [CMSERR_ECURVE_NOT_SUPPORTED]
- Elliptic Curve is not supported.
- [CMSERR_ICSF_FIPS_DISABLED]
- ICSF PKCS #11 services are disabled.
- [CMSERR_ICSF_NOT_AVAILABLE]
- ICSF services are not available.
- [CMSERR_ICSF_NOT_FIPS]
- ICSF PKCS #11 not operating in FIPS mode.
- [CMSERR_ICSF_SERVICE_FAILURE]
- ICSF callable service returned an error.
- [CMSERR_INCORRECT_KEY_USAGE]
- A signer certificate does not allow digital signature.
- [CMSERR_NO_CONTENT_DATA]
- The content data length is zero.
- [CMSERR_NO_MEMORY]
- Insufficient storage is available.
- [CMSERR_NO_PRIVATE_KEY]
- Private key does not exist or is not accessible.
- [CMSERR_SIGNER_NOT_FOUND]
- No signer certificate provided or the certificate is not valid.
- [CMSERR_VERSION_NOT_SUPPORTED]
- The version is not valid.
Usage
The gsk_make_signed_data_msg() routine
creates a PKCS #7 (Cryptographic Message Syntax) SignedData message
and returns the ASN.1 DER-encoded ContentInfo sequence. The signed
data content type will be Data. The gsk_read_signed_data_msg() routine
can be used to extract the application data from the stream. The
key usage for the signer certificates must allow digital signature.
No validity checking will be performed on the signer certificates.
It is assumed that the application has already validated the signer
certificates.
Calling the gsk_make_signed_data_msg()
routine is equivalent to calling the gsk_make_data_content() routine,
the gsk_make_signed_data_content() routine, and the gsk_make_content_msg() routine.
A signature is included for each signer provided by the signer_certificates parameter.
The X.509 certificates used to sign the message will be included
in the SignedData message if the include_certificates parameter
is set to TRUE. The message receiver will need to provide the signer
certificates if the include_certificates parameter is set to
FALSE.
You can optionally include certification authority certificates
in the SignedData message. These certificates can then be used by
the message receiver to validate the signer certificates.
These digest algorithms are supported:
- x509_alg_md2Digest
- MD2 digest (RSA keys only) - {1.2.840.113549.2.2}
- x509_alg_md5Digest
- MD5 digest (RSA keys only) - {1.2.840.113549.2.5}
- x509_alg_sha1Digest
- SHA-1 digest (RSA, DSA, and ECDSA keys only) - {1.3.14.3.2.26}
- x509_alg_sha224Digest
- SHA-224 digest (RSA, DSA, and ECDSA keys only) - {2.16.840.1.101.3.4.2.4}
- x509_alg_sha256Digest
- SHA-256 digest (RSA, DSA, and ECDSA keys only) - {2.16.840.1.101.3.4.2.1}
- x509_alg_sha384Digest
- SHA-384 digest (RSA and ECDSA keys only) - {2.16.840.1.101.3.4.2.2}
- x509_alg_sha512Digest
- SHA-512 digest (RSA and ECDSA keys only) - {2.16.840.1.101.3.4.2.3}
When executing in FIPS mode, digest algorithms
x509_alg_md2Digest and x509_alg_md5Digest are not supported.
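Added example (not part of the original documentation and not System SSL code): a receiver-side check that walks the DER-encoded ContentInfo stream described above and counts digestAlgorithms entries that use MD2 or MD5, the two digests not supported in FIPS mode. The function name count_non_fips_digests and the SAMPLE_MSG bytes are constructed for illustration; the parser relies only on the standard C library.

```c
#include <stddef.h>
#include <string.h>
/* Read one DER TLV with tag `want` from [*p, end); advance *p past it. */
static int tlv(const unsigned char **p, const unsigned char *end, unsigned char want,
               const unsigned char **val, size_t *len)
{
    const unsigned char *q = *p;
    if (end - q < 2 || *q++ != want) return -1;
    size_t n = *q++;
    if (n & 0x80) {                          /* long-form length, up to 4 octets */
        size_t k = n & 0x7f;
        if (k == 0 || k > 4 || (size_t)(end - q) < k) return -1;
        for (n = 0; k > 0; k--) n = (n << 8) | *q++;
    }
    if ((size_t)(end - q) < n) return -1;
    *val = q; *len = n; *p = q + n;
    return 0;
}

static const unsigned char OID_SIGNED_DATA[] = {0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x02};
static const unsigned char OID_RSA_DIGEST[]  = {0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02}; /* 1.2.840.113549.2 */
/* -1 if not a well-formed SignedData ContentInfo, else count of MD2/MD5 digestAlgorithms. */
int count_non_fips_digests(const unsigned char *buf, size_t len)
{
    const unsigned char *p = buf, *end = buf + len, *v, *a, *oid;
    size_t n, oidlen;
    int weak = 0;
    if (tlv(&p, end, 0x30, &v, &n) || p != end) return -1;            /* ContentInfo */
    p = v; end = v + n;
    if (tlv(&p, end, 0x06, &oid, &oidlen) || oidlen != sizeof OID_SIGNED_DATA ||
        memcmp(oid, OID_SIGNED_DATA, oidlen) != 0) return -1;         /* contentType */
    if (tlv(&p, end, 0xA0, &v, &n)) return -1;                        /* [0] EXPLICIT */
    p = v; end = v + n;
    if (tlv(&p, end, 0x30, &v, &n)) return -1;                        /* SignedData */
    p = v; end = v + n;                      /* next: version, then digestAlgorithms SET */
    if (tlv(&p, end, 0x02, &v, &n) || tlv(&p, end, 0x31, &v, &n)) return -1;
    for (p = v, end = v + n; p < end; ) {    /* each AlgorithmIdentifier in the SET */
        if (tlv(&p, end, 0x30, &a, &n) || tlv(&a, a + n, 0x06, &oid, &oidlen)) return -1;
        /* arc ...2.2 is MD2, ...2.5 is MD5 */
        if (oidlen == 8 && !memcmp(oid, OID_RSA_DIGEST, 7) && (oid[7] == 2 || oid[7] == 5)) weak++;
    }
    return weak;
}

/* Constructed sample (structure only, no signers): version 1, digests MD5 and SHA-256. */
const unsigned char SAMPLE_MSG[] = {
    0x30,0x40, 0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x02, 0xA0,0x33, 0x30,0x31,
    0x02,0x01,0x01, 0x31,0x1D, 0x30,0x0C,0x06,0x08,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x05,0x05,0x00,
    0x30,0x0D,0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01,0x05,0x00,
    0x30,0x0B,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x07,0x01, 0x31,0x00 };
```

The check stops after the digestAlgorithms set and does not verify any signature; it is meant as a policy gate before the stream is passed to gsk_read_signed_data_msg().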