Processes a PKCS #7 SignedData message.
Format
#include <gskcms.h>
gsk_status gsk_read_signed_data_msg (
pkcs_certificates * local_certificates,
gsk_buffer * stream,
gsk_boolean * used_local,
pkcs_certificates * msg_certificates,
pkcs_certificates * signer_certificates,
gsk_buffer * data)
Parameters
- local_certificates
- Specifies zero or more X.509 certificates to use when verifying
the message signatures. NULL can be specified for this parameter
if no local certificates are provided.
- stream
- Specifies the ASN.1 DER-encoded stream to be processed.
- used_local
- This parameter will be set to TRUE if the signatures were verified
using just the certificates supplied by the local_certificates parameter.
This parameter will be set to FALSE if any of the signatures were
verified using certificates contained within the message.
- msg_certificates
- Returns the X.509 certificates contained within the message.
The application should call the gsk_free_certificates() routine
to release the certificates when they are no longer needed. Specify
NULL for this parameter if the message certificates are not needed.
- signer_certificates
- Returns the certificates used to sign the message. The application
should call the gsk_free_certificates() routine to release
the certificates when they are no longer needed. Specify NULL for
this parameter if the signer certificates are not needed.
- data
- Returns the content of the SignedData message. The application
should call the gsk_free_buffer() routine to release the data
when it is no longer needed.
Results
The function return value will be
0 if no error is detected. Otherwise, it will be one of the return
codes listed in the gskcms.h include file. These are some
possible errors:
- [ASN_NO_MEMORY]
- Insufficient storage is available.
- [ASN_SELECTION_OUT_OF_RANGE]
- Certificate type or version number is not valid.
- [CMSERR_ALG_NOT_SUPPORTED]
- The digest algorithm is not supported.
- [CMSERR_BAD_SIGNATURE]
- Signature is not correct.
- [CMSERR_CONTENT_NOT_SUPPORTED]
- The message content type is not SignedData or the content of the
SignedData message is not Data.
- [CMSERR_DIGEST_KEY_MISMATCH]
- The digest algorithm is not supported for the private key type.
- [CMSERR_ECURVE_NOT_FIPS_APPROVED]
- Elliptic Curve not supported in FIPS mode.
- [CMSERR_ECURVE_NOT_SUPPORTED]
- Elliptic Curve is not supported.
- [CMSERR_ICSF_FIPS_DISABLED]
- ICSF PKCS #11 services are disabled.
- [CMSERR_ICSF_NOT_AVAILABLE]
- ICSF services are not available.
- [CMSERR_ICSF_NOT_FIPS]
- ICSF PKCS #11 not operating in FIPS mode.
- [CMSERR_ICSF_SERVICE_FAILURE]
- ICSF callable service returned an error.
- [CMSERR_INCORRECT_KEY_USAGE]
- A signer certificate does not allow digital signature.
- [CMSERR_NO_CONTENT_DATA]
- The content data length is zero.
- [CMSERR_NO_MEMORY]
- Insufficient storage is available.
- [CMSERR_SIGNER_NOT_FOUND]
- Signer certificate not found.
Usage
The gsk_read_signed_data_msg() routine
processes a PKCS #7 (Cryptographic Message Syntax) SignedData message
created by the gsk_make_signed_data_msg() routine and returns
the message content. The signed data content type must be Data.
Calling the gsk_read_signed_data_msg() routine is equivalent to calling
the gsk_read_content_msg() routine, the gsk_read_signed_data_content() routine,
and the gsk_read_data_content() routine.
The local_certificates parameter
can supply the signer certificates used to verify the message signatures.
If a certificate is not found for a message signer, the gsk_read_signed_data_msg() routine
attempts to locate the signer certificate in the SignedData message.
An error will be returned if the signer certificate cannot be found
or if the certificate key usage does not allow digital signature.
No certificate validation is performed by the gsk_read_signed_data_msg() routine.
It is assumed that the application has already validated the local
certificates. The certificates contained in the SignedData message
will be returned in the msg_certificates parameter and the used_local parameter
will be set to FALSE if any of these certificates were used to verify
the message signatures. It is the responsibility of the application
to validate the message certificates (for example, by calling the gsk_validate_certificate() routine
for each of the signer certificates).
These digest algorithms are supported:
- x509_alg_md2Digest
- MD2 digest (RSA keys only) - {1.2.840.113549.2.2}
- x509_alg_md5Digest
- MD5 digest (RSA keys only) - {1.2.840.113549.2.5}
- x509_alg_sha1Digest
- SHA-1 digest (RSA, DSA, and ECDSA keys only) - {1.3.14.3.2.26}
- x509_alg_sha224Digest
- SHA-224 digest (RSA, DSA, and ECDSA keys only) - {2.16.840.1.101.3.4.2.4}
- x509_alg_sha256Digest
- SHA-256 digest (RSA, DSA, and ECDSA keys only) - {2.16.840.1.101.3.4.2.1}
- x509_alg_sha384Digest
- SHA-384 digest (RSA and ECDSA keys only) - {2.16.840.1.101.3.4.2.2}
- x509_alg_sha512Digest
- SHA-512 digest (RSA and ECDSA keys only) - {2.16.840.1.101.3.4.2.3}
When executing in FIPS mode, digest algorithms
x509_alg_md2Digest and x509_alg_md5Digest are not supported.
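The digest OIDs listed above appear in the DER stream as OBJECT IDENTIFIER values. The following is an added example, not System SSL code and not part of the original page: it decodes such a value to dotted form and maps it to the names in the list, returning NULL for MD2 and MD5 when FIPS mode is requested. The function names, the fips_ok field and the sample byte arrays are assumptions made for illustration, and the code does not call gskcms.

```c
#include <stdio.h>
#include <string.h>
/* Names and OIDs from the list above; fips_ok reflects the page's FIPS note. */
static const struct { const char *name, *oid; int fips_ok; } DIGESTS[] = {
    {"x509_alg_md2Digest",    "1.2.840.113549.2.2",     0},
    {"x509_alg_md5Digest",    "1.2.840.113549.2.5",     0},
    {"x509_alg_sha1Digest",   "1.3.14.3.2.26",          1},
    {"x509_alg_sha224Digest", "2.16.840.1.101.3.4.2.4", 1},
    {"x509_alg_sha256Digest", "2.16.840.1.101.3.4.2.1", 1},
    {"x509_alg_sha384Digest", "2.16.840.1.101.3.4.2.2", 1},
    {"x509_alg_sha512Digest", "2.16.840.1.101.3.4.2.3", 1},
};
/* Constructed sample inputs: DER-encoded OIDs for SHA-256 and MD5. */
static const unsigned char OID_SHA256[] = {0x06,0x09,0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x01};
static const unsigned char OID_MD5[] = {0x06,0x08,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x05};

/* Decode one DER OBJECT IDENTIFIER (short-form length) to dotted text; 0 = ok, -1 = error. */
int der_oid_to_text(const unsigned char *der, size_t len, char *out, size_t outsz)
{
    size_t pos = 0;
    unsigned long arc = 0;
    if (len < 3 || der[0] != 0x06 || der[1] >= 0x80 || der[1] + 2u != len ||
        (der[len - 1] & 0x80))              /* bad TLV or truncated last arc */
        return -1;
    for (size_t i = 2; i < len; i++) {
        if ((arc == 0 && der[i] == 0x80) || arc > (~0UL >> 7))
            return -1;                      /* non-minimal arc or overflow */
        arc = (arc << 7) | (der[i] & 0x7F);
        if (der[i] & 0x80) continue;        /* more bytes in this arc */
        unsigned long a = arc < 40 ? 0 : arc < 80 ? 1 : 2; /* first value packs two arcs */
        int n = pos ? snprintf(out + pos, outsz - pos, ".%lu", arc)
                    : snprintf(out, outsz, "%lu.%lu", a, arc - 40 * a);
        if (n < 0 || (size_t)n >= outsz - pos) return -1;
        pos += (size_t)n;
        arc = 0;
    }
    return 0;
}

/* Name from the list above, or NULL if unlisted, malformed, or excluded in FIPS mode. */
const char *classify_digest(const unsigned char *der, size_t len, int fips_mode)
{
    char text[64];
    if (der_oid_to_text(der, len, text, sizeof text) != 0) return NULL;
    for (size_t i = 0; i < sizeof DIGESTS / sizeof DIGESTS[0]; i++)
        if (strcmp(text, DIGESTS[i].oid) == 0)
            return (fips_mode && !DIGESTS[i].fips_ok) ? NULL : DIGESTS[i].name;
    return NULL;
}
```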