| OLD | NEW |
|---|
| (Empty) |
| 1 /* | |
| 2 * crypto.h - public data structures and prototypes for the crypto library | |
| 3 * | |
| 4 * This Source Code Form is subject to the terms of the Mozilla Public | |
| 5 * License, v. 2.0. If a copy of the MPL was not distributed with this | |
| 6 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | |
| 7 /* $Id: cryptohi.h,v 1.17 2012/06/25 21:48:39 rrelyea%redhat.com Exp $ */ | |
| 8 | |
| 9 #ifndef _CRYPTOHI_H_ | |
| 10 #define _CRYPTOHI_H_ | |
| 11 | |
| 12 #include "blapit.h" | |
| 13 | |
| 14 #include "seccomon.h" | |
| 15 #include "secoidt.h" | |
| 16 #include "secdert.h" | |
| 17 #include "cryptoht.h" | |
| 18 #include "keyt.h" | |
| 19 #include "certt.h" | |
| 20 | |
| 21 | |
| 22 SEC_BEGIN_PROTOS | |
| 23 | |
| 24 | |
| 25 /****************************************/ | |
| 26 /* | |
| 27 ** DER encode/decode (EC)DSA signatures | |
| 28 */ | |
| 29 | |
| 30 /* ANSI X9.57 defines DSA signatures as DER encoded data. Our DSA1 code (and | |
| 31 * most of the rest of the world) just generates 40 bytes of raw data. These | |
| 32 * functions convert between formats. | |
| 33 */ | |
| 34 extern SECStatus DSAU_EncodeDerSig(SECItem *dest, SECItem *src); | |
| 35 extern SECItem *DSAU_DecodeDerSig(const SECItem *item); | |
| 36 | |
| 37 /* | |
| 38 * Unlike DSA1, raw DSA2 and ECDSA signatures do not have a fixed length. | |
| 39 * Rather they contain two integers r and s whose length depends | |
| 40 * on the size of q or the EC key used for signing. | |
| 41 * | |
| 42 * We can reuse the DSAU_EncodeDerSig interface to DER encode | |
| 43 * raw ECDSA signature keeping in mind that the length of r | |
| 44 * is the same as that of s and exactly half of src->len. | |
| 45 * | |
| 46 * For decoding, we need to pass the length of the desired | |
| 47 * raw signature (twice the key size) explicitly. | |
| 48 */ | |
| 49 extern SECStatus DSAU_EncodeDerSigWithLen(SECItem *dest, SECItem *src, | |
| 50 unsigned int len); | |
| 51 extern SECItem *DSAU_DecodeDerSigToLen(const SECItem *item, unsigned int len); | |
| 52 | |
| 53 /****************************************/ | |
| 54 /* | |
| 55 ** Signature creation operations | |
| 56 */ | |
| 57 | |
| 58 /* | |
| 59 ** Create a new signature context used for signing a data stream. | |
| 60 ** "alg" the signature algorithm to use (e.g. SEC_OID_RSA_WITH_MD5) | |
| 61 ** "privKey" the private key to use | |
| 62 */ | |
| 63 extern SGNContext *SGN_NewContext(SECOidTag alg, SECKEYPrivateKey *privKey); | |
| 64 | |
| 65 /* | |
| 66 ** Destroy a signature-context object | |
| 67 ** "key" the object | |
| 68 ** "freeit" if PR_TRUE then free the object as well as its sub-objects | |
| 69 */ | |
| 70 extern void SGN_DestroyContext(SGNContext *cx, PRBool freeit); | |
| 71 | |
| 72 /* | |
| 73 ** Reset the signing context "cx" to its initial state, preparing it for | |
| 74 ** another stream of data. | |
| 75 */ | |
| 76 extern SECStatus SGN_Begin(SGNContext *cx); | |
| 77 | |
| 78 /* | |
| 79 ** Update the signing context with more data to sign. | |
| 80 ** "cx" the context | |
| 81 ** "input" the input data to sign | |
| 82 ** "inputLen" the length of the input data | |
| 83 */ | |
| 84 extern SECStatus SGN_Update(SGNContext *cx, const unsigned char *input, | |
| 85 unsigned int inputLen); | |
| 86 | |
| 87 /* | |
| 88 ** Finish the signature process. Use either k0 or k1 to sign the data | |
| 89 ** stream that was input using SGN_Update. The resulting signature is | |
| 90 ** formatted using PKCS#1 and then encrypted using RSA private or public | |
| 91 ** encryption. | |
| 92 ** "cx" the context | |
| 93 ** "result" the final signature data (memory is allocated) | |
| 94 */ | |
| 95 extern SECStatus SGN_End(SGNContext *cx, SECItem *result); | |
| 96 | |
| 97 /* | |
| 98 ** Sign a single block of data using private key encryption and given | |
| 99 ** signature/hash algorithm. | |
| 100 ** "result" the final signature data (memory is allocated) | |
| 101 ** "buf" the input data to sign | |
| 102 ** "len" the amount of data to sign | |
| 103 ** "pk" the private key to encrypt with | |
| 104 ** "algid" the signature/hash algorithm to sign with | |
| 105 ** (must be compatible with the key type). | |
| 106 */ | |
| 107 extern SECStatus SEC_SignData(SECItem *result, | |
| 108 const unsigned char *buf, int len, | |
| 109 SECKEYPrivateKey *pk, SECOidTag algid); | |
| 110 | |
| 111 /* | |
| 112 ** Sign a pre-digested block of data using private key encryption, encoding | |
| 113 ** The given signature/hash algorithm. | |
| 114 ** "result" the final signature data (memory is allocated) | |
| 115 ** "digest" the digest to sign | |
| 116 ** "pk" the private key to encrypt with | |
| 117 ** "algtag" The algorithm tag to encode (need for RSA only) | |
| 118 */ | |
| 119 extern SECStatus SGN_Digest(SECKEYPrivateKey *privKey, | |
| 120 SECOidTag algtag, SECItem *result, SECItem *digest); | |
| 121 | |
| 122 /* | |
| 123 ** DER sign a single block of data using private key encryption and the | |
| 124 ** MD5 hashing algorithm. This routine first computes a digital signature | |
| 125 ** using SEC_SignData, then wraps it with an CERTSignedData and then der | |
| 126 ** encodes the result. | |
| 127 ** "arena" is the memory arena to use to allocate data from | |
| 128 ** "result" the final der encoded data (memory is allocated) | |
| 129 ** "buf" the input data to sign | |
| 130 ** "len" the amount of data to sign | |
| 131 ** "pk" the private key to encrypt with | |
| 132 */ | |
| 133 extern SECStatus SEC_DerSignData(PLArenaPool *arena, SECItem *result, | |
| 134 const unsigned char *buf, int len, | |
| 135 SECKEYPrivateKey *pk, SECOidTag algid); | |
| 136 | |
| 137 /* | |
| 138 ** Destroy a signed-data object. | |
| 139 ** "sd" the object | |
| 140 ** "freeit" if PR_TRUE then free the object as well as its sub-objects | |
| 141 */ | |
| 142 extern void SEC_DestroySignedData(CERTSignedData *sd, PRBool freeit); | |
| 143 | |
| 144 /* | |
| 145 ** Get the signature algorithm tag number for the given key type and hash | |
| 146 ** algorithm tag. Returns SEC_OID_UNKNOWN if key type and hash algorithm | |
| 147 ** do not match or are not supported. | |
| 148 */ | |
| 149 extern SECOidTag SEC_GetSignatureAlgorithmOidTag(KeyType keyType, | |
| 150 SECOidTag hashAlgTag); | |
| 151 | |
| 152 /****************************************/ | |
| 153 /* | |
| 154 ** Signature verification operations | |
| 155 */ | |
| 156 | |
| 157 /* | |
| 158 ** Create a signature verification context. This version is deprecated, | |
| 159 ** This function is deprecated. Use VFY_CreateContextDirect or | |
| 160 ** VFY_CreateContextWithAlgorithmID instead. | |
| 161 ** "key" the public key to verify with | |
| 162 ** "sig" the encrypted signature data if sig is NULL then | |
| 163 ** VFY_EndWithSignature must be called with the correct signature at | |
| 164 ** the end of the processing. | |
| 165 ** "sigAlg" specifies the signing algorithm to use (including the | |
| 166 ** hash algorthim). This must match the key type. | |
| 167 ** "wincx" void pointer to the window context | |
| 168 */ | |
| 169 extern VFYContext *VFY_CreateContext(SECKEYPublicKey *key, SECItem *sig, | |
| 170 SECOidTag sigAlg, void *wincx); | |
| 171 /* | |
| 172 ** Create a signature verification context. | |
| 173 ** "key" the public key to verify with | |
| 174 ** "sig" the encrypted signature data if sig is NULL then | |
| 175 ** VFY_EndWithSignature must be called with the correct signature at | |
| 176 ** the end of the processing. | |
| 177 ** "pubkAlg" specifies the cryptographic signing algorithm to use (the | |
| 178 ** raw algorithm without any hash specified. This must match the key | |
| 179 ** type. | |
| 180 ** "hashAlg" specifies the hashing algorithm used. If the key is an | |
| 181 ** RSA key, and sig is not NULL, then hashAlg can be SEC_OID_UNKNOWN. | |
| 182 ** the hash is selected from data in the sig. | |
| 183 ** "hash" optional pointer to return the actual hash algorithm used. | |
| 184 ** in practice this should always match the passed in hashAlg (the | |
| 185 ** exception is the case where hashAlg is SEC_OID_UNKNOWN above). | |
| 186 ** If this value is NULL no, hash oid is returned. | |
| 187 ** "wincx" void pointer to the window context | |
| 188 */ | |
| 189 extern VFYContext *VFY_CreateContextDirect(const SECKEYPublicKey *key, | |
| 190 const SECItem *sig, | |
| 191 SECOidTag pubkAlg, | |
| 192 SECOidTag hashAlg, | |
| 193 SECOidTag *hash, void *wincx); | |
| 194 /* | |
| 195 ** Create a signature verification context from a algorithm ID. | |
| 196 ** "key" the public key to verify with | |
| 197 ** "sig" the encrypted signature data if sig is NULL then | |
| 198 ** VFY_EndWithSignature must be called with the correct signature at | |
| 199 ** the end of the processing. | |
| 200 ** "algid" specifies the signing algorithm and parameters to use. | |
| 201 ** This must match the key type. | |
| 202 ** "hash" optional pointer to return the oid of the actual hash used in | |
| 203 ** the signature. If this value is NULL no, hash oid is returned. | |
| 204 ** "wincx" void pointer to the window context | |
| 205 */ | |
| 206 extern VFYContext *VFY_CreateContextWithAlgorithmID(const SECKEYPublicKey *key, | |
| 207 const SECItem *sig, | |
| 208 const SECAlgorithmID *algid, | |
| 209 SECOidTag *hash, | |
| 210 void *wincx); | |
| 211 | |
| 212 /* | |
| 213 ** Destroy a verification-context object. | |
| 214 ** "cx" the context to destroy | |
| 215 ** "freeit" if PR_TRUE then free the object as well as its sub-objects | |
| 216 */ | |
| 217 extern void VFY_DestroyContext(VFYContext *cx, PRBool freeit); | |
| 218 | |
| 219 extern SECStatus VFY_Begin(VFYContext *cx); | |
| 220 | |
| 221 /* | |
| 222 ** Update a verification context with more input data. The input data | |
| 223 ** is fed to a secure hash function (depending on what was in the | |
| 224 ** encrypted signature data). | |
| 225 ** "cx" the context | |
| 226 ** "input" the input data | |
| 227 ** "inputLen" the amount of input data | |
| 228 */ | |
| 229 extern SECStatus VFY_Update(VFYContext *cx, const unsigned char *input, | |
| 230 unsigned int inputLen); | |
| 231 | |
| 232 /* | |
| 233 ** Finish the verification process. The return value is a status which | |
| 234 ** indicates success or failure. On success, the SECSuccess value is | |
| 235 ** returned. Otherwise, SECFailure is returned and the error code found | |
| 236 ** using PORT_GetError() indicates what failure occurred. | |
| 237 ** "cx" the context | |
| 238 */ | |
| 239 extern SECStatus VFY_End(VFYContext *cx); | |
| 240 | |
| 241 /* | |
| 242 ** Finish the verification process. The return value is a status which | |
| 243 ** indicates success or failure. On success, the SECSuccess value is | |
| 244 ** returned. Otherwise, SECFailure is returned and the error code found | |
| 245 ** using PORT_GetError() indicates what failure occurred. If signature is | |
| 246 ** supplied the verification uses this signature to verify, otherwise the | |
| 247 ** signature passed in VFY_CreateContext() is used. | |
| 248 ** VFY_EndWithSignature(cx,NULL); is identical to VFY_End(cx);. | |
| 249 ** "cx" the context | |
| 250 ** "sig" the encrypted signature data | |
| 251 */ | |
| 252 extern SECStatus VFY_EndWithSignature(VFYContext *cx, SECItem *sig); | |
| 253 | |
| 254 | |
| 255 /* | |
| 256 ** Verify the signature on a block of data for which we already have | |
| 257 ** the digest. The signature data is an RSA private key encrypted | |
| 258 ** block of data formatted according to PKCS#1. | |
| 259 ** This function is deprecated. Use VFY_VerifyDigestDirect or | |
| 260 ** VFY_VerifyDigestWithAlgorithmID instead. | |
| 261 ** "dig" the digest | |
| 262 ** "key" the public key to check the signature with | |
| 263 ** "sig" the encrypted signature data | |
| 264 ** "sigAlg" specifies the signing algorithm to use. This must match | |
| 265 ** the key type. | |
| 266 ** "wincx" void pointer to the window context | |
| 267 **/ | |
| 268 extern SECStatus VFY_VerifyDigest(SECItem *dig, SECKEYPublicKey *key, | |
| 269 SECItem *sig, SECOidTag sigAlg, void *wincx); | |
| 270 /* | |
| 271 ** Verify the signature on a block of data for which we already have | |
| 272 ** the digest. The signature data is an RSA private key encrypted | |
| 273 ** block of data formatted according to PKCS#1. | |
| 274 ** "dig" the digest | |
| 275 ** "key" the public key to check the signature with | |
| 276 ** "sig" the encrypted signature data | |
| 277 ** "pubkAlg" specifies the cryptographic signing algorithm to use (the | |
| 278 ** raw algorithm without any hash specified. This must match the key | |
| 279 ** type. | |
| 280 ** "hashAlg" specifies the hashing algorithm used. | |
| 281 ** "wincx" void pointer to the window context | |
| 282 **/ | |
| 283 extern SECStatus VFY_VerifyDigestDirect(const SECItem *dig, | |
| 284 const SECKEYPublicKey *key, | |
| 285 const SECItem *sig, SECOidTag pubkAlg, | |
| 286 SECOidTag hashAlg, void *wincx); | |
| 287 /* | |
| 288 ** Verify the signature on a block of data for which we already have | |
| 289 ** the digest. The signature data is an RSA private key encrypted | |
| 290 ** block of data formatted according to PKCS#1. | |
| 291 ** "key" the public key to verify with | |
| 292 ** "sig" the encrypted signature data if sig is NULL then | |
| 293 ** VFY_EndWithSignature must be called with the correct signature at | |
| 294 ** the end of the processing. | |
| 295 ** "algid" specifies the signing algorithm and parameters to use. | |
| 296 ** This must match the key type. | |
| 297 ** "hash" oid of the actual hash used to create digest. If this value is | |
| 298 ** not set to SEC_OID_UNKNOWN, it must match the hash of the signature. | |
| 299 ** "wincx" void pointer to the window context | |
| 300 */ | |
| 301 extern SECStatus VFY_VerifyDigestWithAlgorithmID(const SECItem *dig, | |
| 302 const SECKEYPublicKey *key, const SECItem *sig, | |
| 303 const SECAlgorithmID *algid, SECOidTag hash, | |
| 304 void *wincx); | |
| 305 | |
| 306 /* | |
| 307 ** Verify the signature on a block of data. The signature data is an RSA | |
| 308 ** private key encrypted block of data formatted according to PKCS#1. | |
| 309 ** This function is deprecated. Use VFY_VerifyDataDirect or | |
| 310 ** VFY_VerifyDataWithAlgorithmID instead. | |
| 311 ** "buf" the input data | |
| 312 ** "len" the length of the input data | |
| 313 ** "key" the public key to check the signature with | |
| 314 ** "sig" the encrypted signature data | |
| 315 ** "sigAlg" specifies the signing algorithm to use. This must match | |
| 316 ** the key type. | |
| 317 ** "wincx" void pointer to the window context | |
| 318 */ | |
| 319 extern SECStatus VFY_VerifyData(const unsigned char *buf, int len, | |
| 320 const SECKEYPublicKey *key, const SECItem *sig, | |
| 321 SECOidTag sigAlg, void *wincx); | |
| 322 /* | |
| 323 ** Verify the signature on a block of data. The signature data is an RSA | |
| 324 ** private key encrypted block of data formatted according to PKCS#1. | |
| 325 ** "buf" the input data | |
| 326 ** "len" the length of the input data | |
| 327 ** "key" the public key to check the signature with | |
| 328 ** "sig" the encrypted signature data | |
| 329 ** "pubkAlg" specifies the cryptographic signing algorithm to use (the | |
| 330 ** raw algorithm without any hash specified. This must match the key | |
| 331 ** type. | |
| 332 ** "hashAlg" specifies the hashing algorithm used. If the key is an | |
| 333 ** RSA key, and sig is not NULL, then hashAlg can be SEC_OID_UNKNOWN. | |
| 334 ** the hash is selected from data in the sig. | |
| 335 ** "hash" optional pointer to return the actual hash algorithm used. | |
| 336 ** in practice this should always match the passed in hashAlg (the | |
| 337 ** exception is the case where hashAlg is SEC_OID_UNKNOWN above). | |
| 338 ** If this value is NULL no, hash oid is returned. | |
| 339 ** "wincx" void pointer to the window context | |
| 340 */ | |
| 341 extern SECStatus VFY_VerifyDataDirect(const unsigned char *buf, int len, | |
| 342 const SECKEYPublicKey *key, | |
| 343 const SECItem *sig, | |
| 344 SECOidTag pubkAlg, SECOidTag hashAlg, | |
| 345 SECOidTag *hash, void *wincx); | |
| 346 | |
| 347 /* | |
| 348 ** Verify the signature on a block of data. The signature data is an RSA | |
| 349 ** private key encrypted block of data formatted according to PKCS#1. | |
| 350 ** "buf" the input data | |
| 351 ** "len" the length of the input data | |
| 352 ** "key" the public key to check the signature with | |
| 353 ** "sig" the encrypted signature data | |
| 354 ** "algid" specifies the signing algorithm and parameters to use. | |
| 355 ** This must match the key type. | |
| 356 ** "hash" optional pointer to return the oid of the actual hash used in | |
| 357 ** the signature. If this value is NULL no, hash oid is returned. | |
| 358 ** "wincx" void pointer to the window context | |
| 359 */ | |
| 360 extern SECStatus VFY_VerifyDataWithAlgorithmID(const unsigned char *buf, | |
| 361 int len, const SECKEYPublicKey *key, | |
| 362 const SECItem *sig, | |
| 363 const SECAlgorithmID *algid, SECOidTag *hash, | |
| 364 void *wincx); | |
| 365 | |
| 366 | |
| 367 SEC_END_PROTOS | |
| 368 | |
| 369 #endif /* _CRYPTOHI_H_ */ | |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 14249009:
Change the NSS and NSPR source tree to the new directory structure to be (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/deps/third_party/nss/