Creates PKCS #7 SignedData content information.
Format
#include <gskcms.h>
gsk_status gsk_make_signed_data_content_extended (
gsk_process_option option_flag,
int version,
x509_algorithm_type digest_algorithm,
gsk_boolean include_certificates,
pkcs_cert_keys * signer_certificates,
pkcs_certificates * ca_certificates,
pkcs_content_info * content_data,
gsk_attributes_signers * attributes_signers,
pkcs_content_info * content_info)
Parameters
- option_flag
- Specifies process options to customize process behavior.
- Enforce signing certificate has digital signing capabilities.
That is, the purpose of the certificate key as reflected by the key
usage extension must indicate digitalSignature.
- Do not allow zero-length content data
- version
- Specifies the PKCS #7 SignedData version number. Specify 0 to
create SignedData content information as described in PKCS #7 Version
1.4, specify 1 to create SignedData content information as described
in PKCS #7 Version 1.5, or specify 2 to create SignedData content
information as described in PKCS #7 Version 1.6.
- digest_algorithm
- Specifies the digest algorithm.
- include_certificates
- Specify TRUE if the signer and certification authority certificates
are to be included in the SignedData content information. Specify
FALSE if the certificates are not to be included.
- signer_certificates
- Specifies the certificates and associated private keys for the
message signers. There must be at least one signer.
- ca_certificates
- Specifies the certification authority certificates. Zero or more
certification authority certificates can be included in the SignedData
content information. This parameter is ignored if the include_certificates
parameter is set to FALSE. NULL can be specified for this parameter
if no CA certificates are to be included in the message.
- content_data
- Specifies the SignedData content. This must be one of the content
information types defined in PKCS #7.
- attributes_signers
- Specifies the authenticated attributes per signer to be added
to the message. Specify NULL for this parameter if there are no authenticated
attributes to be included in the message. If specified, the set of
authenticated attributes must NOT include content-type or message-digest
authenticated attributes as these are automatically provided by gsk_make_signed_data_content_extended().
If the set of authenticated attributes includes signing-time, then
this will override the signing-time attribute generated by gsk_make_signed_data_content_extended().
The digestAlgorithm field within each gsk_attributes_signer structure
is ignored - the digest algorithm is specified by the digest_algorithm parameter.
- content_info
- Returns the SignedData content information. The application should
call the gsk_free_content_info() routine to release the content
information when it is no longer needed.
Results
The function return value will be
0 if no error is detected. Otherwise, it will be one of the return
codes listed in the gskcms.h include file. These are some
possible errors:
- [CMSERR_ALG_NOT_SUPPORTED]
- The digest algorithm is not supported.
- [CMSERR_CONTENT_NOT_SUPPORTED]
- The content type is not supported.
- [CMSERR_DIGEST_KEY_MISMATCH]
- The digest algorithm is not supported for the private key type.
- [CMSERR_ECURVE_NOT_FIPS_APPROVED]
- Elliptic Curve not supported in FIPS mode.
- [CMSERR_ECURVE_NOT_SUPPORTED]
- Elliptic Curve is not supported.
- [CMSERR_ICSF_FIPS_DISABLED]
- ICSF PKCS #11 services are disabled.
- [CMSERR_ICSF_NOT_AVAILABLE]
- ICSF services are not available.
- [CMSERR_ICSF_NOT_FIPS]
- ICSF PKCS #11 not operating in FIPS mode.
- [CMSERR_ICSF_SERVICE_FAILURE]
- ICSF callable service returned an error.
- [CMSERR_INCORRECT_KEY_USAGE]
- A signer certificate does not allow digital signature.
- [CMSERR_NO_CONTENT_DATA]
- The content data length is zero.
- [CMSERR_NO_MEMORY]
- Insufficient storage is available.
- [CMSERR_NO_PRIVATE_KEY]
- Private key does not exist or is not accessible.
- [CMSERR_SIGNER_NOT_FOUND]
- No signer certificate provided or the certificate is not valid.
- [CMSERR_VERSION_NOT_SUPPORTED]
- The version is not valid
- [CMSERR_CONTENTTYPE_NOT_ALLOWED]
- The content-type authenticated attribute is not allowed in attributes_signers.
- [CMSERR_MESSAGEDIGEST_NOT_ALLOWED]
- The message-digest authenticated attribute is not allowed in attributes_signers
Usage
The gsk_make_signed_data_content_extended() routine
creates PKCS #7 (Cryptographic Message Syntax) SignedData content
information. The data content type must be one of the types defined
by PKCS #7. Processing is similar to gsk_make_signed_data_content() except
for the presence of the option_flag and authenticated_attributes parameters.
The gsk_read_signed_data_content() routine or the gsk_read_signed_data_content_extended() routine
can be used to extract the content data from the SignedData content
information. The key usage for the signer certificates can be optionally
specified as to whether digital signature must be allowed. No validity
checking is performed on the signer certificates. It is assumed that
the application has already validated the signer certificates.
A
signature is included for each signer provided by the signer_certificates parameter.
The X.509 certificates used to sign the message will be included
in the SignedData content information if the include_certificates parameter
is set to TRUE. The message receiver will need to provide the signer
certificates if the include_certificates parameter is set to
FALSE.
You can optionally include certification authority certificates
in the SignedData content information. These certificates can then
be used by the message receiver to validate the signer certificates.
These
digest algorithms are supported:
- x509_alg_md2Digest
- MD2 digest (RSA keys only) - {1.2.840.113549.2.2}
- x509_alg_md5Digest
- MD5 digest (RSA keys only) - {1.2.840.113549.2.5}
- x509_alg_sha1Digest
- SHA-1 digest (RSA, DSA, and ECDSA keys only) - {1.3.14.3.2.26}
- x509_alg_sha224Digest
- SHA-224 digest (RSA, DSA, and ECDSA keys only) - {2.16.840.1.101.3.4.2.4}
- x509_alg_sha256Digest
- SHA-256 digest (RSA, DSA, and ECDSA keys only) - {2.16.840.1.101.3.4.2.1}
- x509_alg_sha384Digest
- SHA-384 digest (RSA and ECDSA keys only) - {2.16.840.1.101.3.4.2.2}
- x509_alg_sha512Digest
- SHA-512 digest (RSA and ECDSA keys only) - {2.16.840.1.101.3.4.2.3}
If authenticated attributes are provided from
the attributes_signers parameter, then signing certificates
for all signers represented within the gsk_attributes_signers structure
must be provided from the signer_certificates parameter.
When
executing in FIPS mode, digest algorithms x509_alg_md2Digest and x509_alg_md5Digest
are not supported.