| OLD | NEW |
|---|
| (Empty) |
| 1 /* | |
| 2 * cryptohi.h - public prototypes for the crypto library | |
| 3 * | |
| 4 * This Source Code Form is subject to the terms of the Mozilla Public | |
| 5 * License, v. 2.0. If a copy of the MPL was not distributed with this | |
| 6 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | |
| 7 | |
| 8 #ifndef _CRYPTOHI_H_ | |
| 9 #define _CRYPTOHI_H_ | |
| 10 | |
| 11 #include "blapit.h" | |
| 12 | |
| 13 #include "seccomon.h" | |
| 14 #include "secoidt.h" | |
| 15 #include "secdert.h" | |
| 16 #include "cryptoht.h" | |
| 17 #include "keyt.h" | |
| 18 #include "certt.h" | |
| 19 | |
| 20 SEC_BEGIN_PROTOS | |
| 21 | |
| 22 /****************************************/ | |
| 23 /* | |
| 24 ** DER encode/decode (EC)DSA signatures | |
| 25 */ | |
| 26 | |
| 27 /* ANSI X9.57 defines DSA signatures as DER encoded data. Our DSA1 code (and | |
| 28 * most of the rest of the world) just generates 40 bytes of raw data. These | |
| 29 * functions convert between formats. | |
| 30 */ | |
| 31 extern SECStatus DSAU_EncodeDerSig(SECItem *dest, SECItem *src); | |
| 32 extern SECItem *DSAU_DecodeDerSig(const SECItem *item); | |
| 33 | |
| 34 /* | |
| 35 * Unlike DSA1, raw DSA2 and ECDSA signatures do not have a fixed length. | |
| 36 * Rather they contain two integers r and s whose length depends | |
| 37 * on the size of q or the EC key used for signing. | |
| 38 * | |
| 39 * We can reuse the DSAU_EncodeDerSig interface to DER encode | |
| 40 * raw ECDSA signature keeping in mind that the length of r | |
| 41 * is the same as that of s and exactly half of src->len. | |
| 42 * | |
| 43 * For decoding, we need to pass the length of the desired | |
| 44 * raw signature (twice the key size) explicitly. | |
| 45 */ | |
| 46 extern SECStatus DSAU_EncodeDerSigWithLen(SECItem *dest, SECItem *src, | |
| 47 unsigned int len); | |
| 48 extern SECItem *DSAU_DecodeDerSigToLen(const SECItem *item, unsigned int len); | |
| 49 | |
| 50 /****************************************/ | |
| 51 /* | |
| 52 ** Signature creation operations | |
| 53 */ | |
| 54 | |
| 55 /* | |
| 56 ** Create a new signature context used for signing a data stream. | |
| 57 ** "alg" the signature algorithm to use (e.g. SEC_OID_PKCS1_MD5_WITH_RSA_EN
CRYPTION) | |
| 58 ** "privKey" the private key to use | |
| 59 */ | |
| 60 extern SGNContext *SGN_NewContext(SECOidTag alg, SECKEYPrivateKey *privKey); | |
| 61 | |
| 62 /* | |
| 63 ** Destroy a signature-context object | |
| 64 ** "cx" the object | |
| 65 ** "freeit" if PR_TRUE then free the object as well as its sub-objects | |
| 66 */ | |
| 67 extern void SGN_DestroyContext(SGNContext *cx, PRBool freeit); | |
| 68 | |
| 69 /* | |
| 70 ** Reset the signing context "cx" to its initial state, preparing it for | |
| 71 ** another stream of data. | |
| 72 */ | |
| 73 extern SECStatus SGN_Begin(SGNContext *cx); | |
| 74 | |
| 75 /* | |
| 76 ** Update the signing context with more data to sign. | |
| 77 ** "cx" the context | |
| 78 ** "input" the input data to sign | |
| 79 ** "inputLen" the length of the input data | |
| 80 */ | |
| 81 extern SECStatus SGN_Update(SGNContext *cx, const unsigned char *input, | |
| 82 unsigned int inputLen); | |
| 83 | |
| 84 /* | |
| 85 ** Finish the signature process. Use either k0 or k1 to sign the data | |
| 86 ** stream that was input using SGN_Update. The resulting signature is | |
| 87 ** formatted using PKCS#1 and then encrypted using RSA private or public | |
| 88 ** encryption. | |
| 89 ** "cx" the context | |
| 90 ** "result" the final signature data (memory is allocated) | |
| 91 */ | |
| 92 extern SECStatus SGN_End(SGNContext *cx, SECItem *result); | |
| 93 | |
| 94 /* | |
| 95 ** Sign a single block of data using private key encryption and given | |
| 96 ** signature/hash algorithm. | |
| 97 ** "result" the final signature data (memory is allocated) | |
| 98 ** "buf" the input data to sign | |
| 99 ** "len" the amount of data to sign | |
| 100 ** "pk" the private key to encrypt with | |
| 101 ** "algid" the signature/hash algorithm to sign with | |
| 102 ** (must be compatible with the key type). | |
| 103 */ | |
| 104 extern SECStatus SEC_SignData(SECItem *result, | |
| 105 const unsigned char *buf, int len, | |
| 106 SECKEYPrivateKey *pk, SECOidTag algid); | |
| 107 | |
| 108 /* | |
| 109 ** Sign a pre-digested block of data using private key encryption, encoding | |
| 110 ** The given signature/hash algorithm. | |
| 111 ** "result" the final signature data (memory is allocated) | |
| 112 ** "digest" the digest to sign | |
| 113 ** "privKey" the private key to encrypt with | |
| 114 ** "algtag" The algorithm tag to encode (need for RSA only) | |
| 115 */ | |
| 116 extern SECStatus SGN_Digest(SECKEYPrivateKey *privKey, | |
| 117 SECOidTag algtag, SECItem *result, SECItem *digest); | |
| 118 | |
| 119 /* | |
| 120 ** DER sign a single block of data using private key encryption and the | |
| 121 ** MD5 hashing algorithm. This routine first computes a digital signature | |
| 122 ** using SEC_SignData, then wraps it with an CERTSignedData and then der | |
| 123 ** encodes the result. | |
| 124 ** "arena" is the memory arena to use to allocate data from | |
| 125 ** "result" the final der encoded data (memory is allocated) | |
| 126 ** "buf" the input data to sign | |
| 127 ** "len" the amount of data to sign | |
| 128 ** "pk" the private key to encrypt with | |
| 129 */ | |
| 130 extern SECStatus SEC_DerSignData(PLArenaPool *arena, SECItem *result, | |
| 131 const unsigned char *buf, int len, | |
| 132 SECKEYPrivateKey *pk, SECOidTag algid); | |
| 133 | |
| 134 /* | |
| 135 ** Destroy a signed-data object. | |
| 136 ** "sd" the object | |
| 137 ** "freeit" if PR_TRUE then free the object as well as its sub-objects | |
| 138 */ | |
| 139 extern void SEC_DestroySignedData(CERTSignedData *sd, PRBool freeit); | |
| 140 | |
| 141 /* | |
| 142 ** Get the signature algorithm tag number for the given key type and hash | |
| 143 ** algorithm tag. Returns SEC_OID_UNKNOWN if key type and hash algorithm | |
| 144 ** do not match or are not supported. | |
| 145 */ | |
| 146 extern SECOidTag SEC_GetSignatureAlgorithmOidTag(KeyType keyType, | |
| 147 SECOidTag hashAlgTag); | |
| 148 | |
| 149 /****************************************/ | |
| 150 /* | |
| 151 ** Signature verification operations | |
| 152 */ | |
| 153 | |
| 154 /* | |
| 155 ** Create a signature verification context. This version is deprecated, | |
| 156 ** This function is deprecated. Use VFY_CreateContextDirect or | |
| 157 ** VFY_CreateContextWithAlgorithmID instead. | |
| 158 ** "key" the public key to verify with | |
| 159 ** "sig" the encrypted signature data if sig is NULL then | |
| 160 ** VFY_EndWithSignature must be called with the correct signature at | |
| 161 ** the end of the processing. | |
| 162 ** "sigAlg" specifies the signing algorithm to use (including the | |
| 163 ** hash algorthim). This must match the key type. | |
| 164 ** "wincx" void pointer to the window context | |
| 165 */ | |
| 166 extern VFYContext *VFY_CreateContext(SECKEYPublicKey *key, SECItem *sig, | |
| 167 SECOidTag sigAlg, void *wincx); | |
| 168 /* | |
| 169 ** Create a signature verification context. | |
| 170 ** "key" the public key to verify with | |
| 171 ** "sig" the encrypted signature data if sig is NULL then | |
| 172 ** VFY_EndWithSignature must be called with the correct signature at | |
| 173 ** the end of the processing. | |
| 174 ** "pubkAlg" specifies the cryptographic signing algorithm to use (the | |
| 175 ** raw algorithm without any hash specified. This must match the key | |
| 176 ** type. | |
| 177 ** "hashAlg" specifies the hashing algorithm used. If the key is an | |
| 178 ** RSA key, and sig is not NULL, then hashAlg can be SEC_OID_UNKNOWN. | |
| 179 ** the hash is selected from data in the sig. | |
| 180 ** "hash" optional pointer to return the actual hash algorithm used. | |
| 181 ** in practice this should always match the passed in hashAlg (the | |
| 182 ** exception is the case where hashAlg is SEC_OID_UNKNOWN above). | |
| 183 ** If this value is NULL no, hash oid is returned. | |
| 184 ** "wincx" void pointer to the window context | |
| 185 */ | |
| 186 extern VFYContext *VFY_CreateContextDirect(const SECKEYPublicKey *key, | |
| 187 const SECItem *sig, | |
| 188 SECOidTag pubkAlg, | |
| 189 SECOidTag hashAlg, | |
| 190 SECOidTag *hash, void *wincx); | |
| 191 /* | |
| 192 ** Create a signature verification context from a algorithm ID. | |
| 193 ** "key" the public key to verify with | |
| 194 ** "sig" the encrypted signature data if sig is NULL then | |
| 195 ** VFY_EndWithSignature must be called with the correct signature at | |
| 196 ** the end of the processing. | |
| 197 ** "algid" specifies the signing algorithm and parameters to use. | |
| 198 ** This must match the key type. | |
| 199 ** "hash" optional pointer to return the oid of the actual hash used in | |
| 200 ** the signature. If this value is NULL no, hash oid is returned. | |
| 201 ** "wincx" void pointer to the window context | |
| 202 */ | |
| 203 extern VFYContext *VFY_CreateContextWithAlgorithmID(const SECKEYPublicKey *key, | |
| 204 const SECItem *sig, | |
| 205 const SECAlgorithmID *algid, | |
| 206 SECOidTag *hash, | |
| 207 void *wincx); | |
| 208 | |
| 209 /* | |
| 210 ** Destroy a verification-context object. | |
| 211 ** "cx" the context to destroy | |
| 212 ** "freeit" if PR_TRUE then free the object as well as its sub-objects | |
| 213 */ | |
| 214 extern void VFY_DestroyContext(VFYContext *cx, PRBool freeit); | |
| 215 | |
| 216 extern SECStatus VFY_Begin(VFYContext *cx); | |
| 217 | |
| 218 /* | |
| 219 ** Update a verification context with more input data. The input data | |
| 220 ** is fed to a secure hash function (depending on what was in the | |
| 221 ** encrypted signature data). | |
| 222 ** "cx" the context | |
| 223 ** "input" the input data | |
| 224 ** "inputLen" the amount of input data | |
| 225 */ | |
| 226 extern SECStatus VFY_Update(VFYContext *cx, const unsigned char *input, | |
| 227 unsigned int inputLen); | |
| 228 | |
| 229 /* | |
| 230 ** Finish the verification process. The return value is a status which | |
| 231 ** indicates success or failure. On success, the SECSuccess value is | |
| 232 ** returned. Otherwise, SECFailure is returned and the error code found | |
| 233 ** using PORT_GetError() indicates what failure occurred. | |
| 234 ** "cx" the context | |
| 235 */ | |
| 236 extern SECStatus VFY_End(VFYContext *cx); | |
| 237 | |
| 238 /* | |
| 239 ** Finish the verification process. The return value is a status which | |
| 240 ** indicates success or failure. On success, the SECSuccess value is | |
| 241 ** returned. Otherwise, SECFailure is returned and the error code found | |
| 242 ** using PORT_GetError() indicates what failure occurred. If signature is | |
| 243 ** supplied the verification uses this signature to verify, otherwise the | |
| 244 ** signature passed in VFY_CreateContext() is used. | |
| 245 ** VFY_EndWithSignature(cx,NULL); is identical to VFY_End(cx);. | |
| 246 ** "cx" the context | |
| 247 ** "sig" the encrypted signature data | |
| 248 */ | |
| 249 extern SECStatus VFY_EndWithSignature(VFYContext *cx, SECItem *sig); | |
| 250 | |
| 251 /* | |
| 252 ** Verify the signature on a block of data for which we already have | |
| 253 ** the digest. The signature data is an RSA private key encrypted | |
| 254 ** block of data formatted according to PKCS#1. | |
| 255 ** This function is deprecated. Use VFY_VerifyDigestDirect or | |
| 256 ** VFY_VerifyDigestWithAlgorithmID instead. | |
| 257 ** "dig" the digest | |
| 258 ** "key" the public key to check the signature with | |
| 259 ** "sig" the encrypted signature data | |
| 260 ** "sigAlg" specifies the signing algorithm to use. This must match | |
| 261 ** the key type. | |
| 262 ** "wincx" void pointer to the window context | |
| 263 **/ | |
| 264 extern SECStatus VFY_VerifyDigest(SECItem *dig, SECKEYPublicKey *key, | |
| 265 SECItem *sig, SECOidTag sigAlg, void *wincx); | |
| 266 /* | |
| 267 ** Verify the signature on a block of data for which we already have | |
| 268 ** the digest. The signature data is an RSA private key encrypted | |
| 269 ** block of data formatted according to PKCS#1. | |
| 270 ** "dig" the digest | |
| 271 ** "key" the public key to check the signature with | |
| 272 ** "sig" the encrypted signature data | |
| 273 ** "pubkAlg" specifies the cryptographic signing algorithm to use (the | |
| 274 ** raw algorithm without any hash specified. This must match the key | |
| 275 ** type. | |
| 276 ** "hashAlg" specifies the hashing algorithm used. | |
| 277 ** "wincx" void pointer to the window context | |
| 278 **/ | |
| 279 extern SECStatus VFY_VerifyDigestDirect(const SECItem *dig, | |
| 280 const SECKEYPublicKey *key, | |
| 281 const SECItem *sig, SECOidTag pubkAlg, | |
| 282 SECOidTag hashAlg, void *wincx); | |
| 283 /* | |
| 284 ** Verify the signature on a block of data for which we already have | |
| 285 ** the digest. The signature data is an RSA private key encrypted | |
| 286 ** block of data formatted according to PKCS#1. | |
| 287 ** "key" the public key to verify with | |
| 288 ** "sig" the encrypted signature data if sig is NULL then | |
| 289 ** VFY_EndWithSignature must be called with the correct signature at | |
| 290 ** the end of the processing. | |
| 291 ** "algid" specifies the signing algorithm and parameters to use. | |
| 292 ** This must match the key type. | |
| 293 ** "hash" oid of the actual hash used to create digest. If this value is | |
| 294 ** not set to SEC_OID_UNKNOWN, it must match the hash of the signature. | |
| 295 ** "wincx" void pointer to the window context | |
| 296 */ | |
| 297 extern SECStatus VFY_VerifyDigestWithAlgorithmID(const SECItem *dig, | |
| 298 const SECKEYPublicKey *key, con
st SECItem *sig, | |
| 299 const SECAlgorithmID *algid, SE
COidTag hash, | |
| 300 void *wincx); | |
| 301 | |
| 302 /* | |
| 303 ** Verify the signature on a block of data. The signature data is an RSA | |
| 304 ** private key encrypted block of data formatted according to PKCS#1. | |
| 305 ** This function is deprecated. Use VFY_VerifyDataDirect or | |
| 306 ** VFY_VerifyDataWithAlgorithmID instead. | |
| 307 ** "buf" the input data | |
| 308 ** "len" the length of the input data | |
| 309 ** "key" the public key to check the signature with | |
| 310 ** "sig" the encrypted signature data | |
| 311 ** "sigAlg" specifies the signing algorithm to use. This must match | |
| 312 ** the key type. | |
| 313 ** "wincx" void pointer to the window context | |
| 314 */ | |
| 315 extern SECStatus VFY_VerifyData(const unsigned char *buf, int len, | |
| 316 const SECKEYPublicKey *key, const SECItem *sig, | |
| 317 SECOidTag sigAlg, void *wincx); | |
| 318 /* | |
| 319 ** Verify the signature on a block of data. The signature data is an RSA | |
| 320 ** private key encrypted block of data formatted according to PKCS#1. | |
| 321 ** "buf" the input data | |
| 322 ** "len" the length of the input data | |
| 323 ** "key" the public key to check the signature with | |
| 324 ** "sig" the encrypted signature data | |
| 325 ** "pubkAlg" specifies the cryptographic signing algorithm to use (the | |
| 326 ** raw algorithm without any hash specified. This must match the key | |
| 327 ** type. | |
| 328 ** "hashAlg" specifies the hashing algorithm used. If the key is an | |
| 329 ** RSA key, and sig is not NULL, then hashAlg can be SEC_OID_UNKNOWN. | |
| 330 ** the hash is selected from data in the sig. | |
| 331 ** "hash" optional pointer to return the actual hash algorithm used. | |
| 332 ** in practice this should always match the passed in hashAlg (the | |
| 333 ** exception is the case where hashAlg is SEC_OID_UNKNOWN above). | |
| 334 ** If this value is NULL no, hash oid is returned. | |
| 335 ** "wincx" void pointer to the window context | |
| 336 */ | |
| 337 extern SECStatus VFY_VerifyDataDirect(const unsigned char *buf, int len, | |
| 338 const SECKEYPublicKey *key, | |
| 339 const SECItem *sig, | |
| 340 SECOidTag pubkAlg, SECOidTag hashAlg, | |
| 341 SECOidTag *hash, void *wincx); | |
| 342 | |
| 343 /* | |
| 344 ** Verify the signature on a block of data. The signature data is an RSA | |
| 345 ** private key encrypted block of data formatted according to PKCS#1. | |
| 346 ** "buf" the input data | |
| 347 ** "len" the length of the input data | |
| 348 ** "key" the public key to check the signature with | |
| 349 ** "sig" the encrypted signature data | |
| 350 ** "algid" specifies the signing algorithm and parameters to use. | |
| 351 ** This must match the key type. | |
| 352 ** "hash" optional pointer to return the oid of the actual hash used in | |
| 353 ** the signature. If this value is NULL no, hash oid is returned. | |
| 354 ** "wincx" void pointer to the window context | |
| 355 */ | |
| 356 extern SECStatus VFY_VerifyDataWithAlgorithmID(const unsigned char *buf, | |
| 357 int len, const SECKEYPublicKey *k
ey, | |
| 358 const SECItem *sig, | |
| 359 const SECAlgorithmID *algid, SECO
idTag *hash, | |
| 360 void *wincx); | |
| 361 | |
| 362 SEC_END_PROTOS | |
| 363 | |
| 364 #endif /* _CRYPTOHI_H_ */ | |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2078763002:
Delete bundled copy of NSS and replace with README. (Closed)
Base URL: https://chromium.googlesource.com/chromium/deps/nss@master