EIC code displayed by LXR |
|
|
|
|||
File indexing completed on 2025-08-27 09:37:32
0001 /** 0002 * \file pkcs12.h 0003 * 0004 * \brief PKCS#12 Personal Information Exchange Syntax 0005 */ 0006 /* 0007 * Copyright The Mbed TLS Contributors 0008 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 0009 */ 0010 #ifndef MBEDTLS_PKCS12_H 0011 #define MBEDTLS_PKCS12_H 0012 0013 #include "mbedtls/build_info.h" 0014 0015 #include "mbedtls/md.h" 0016 #include "mbedtls/cipher.h" 0017 #include "mbedtls/asn1.h" 0018 0019 #include <stddef.h> 0020 0021 /** Bad input parameters to function. */ 0022 #define MBEDTLS_ERR_PKCS12_BAD_INPUT_DATA -0x1F80 0023 /** Feature not available, e.g. unsupported encryption scheme. */ 0024 #define MBEDTLS_ERR_PKCS12_FEATURE_UNAVAILABLE -0x1F00 0025 /** PBE ASN.1 data not as expected. */ 0026 #define MBEDTLS_ERR_PKCS12_PBE_INVALID_FORMAT -0x1E80 0027 /** Given private key password does not allow for correct decryption. */ 0028 #define MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH -0x1E00 0029 0030 #define MBEDTLS_PKCS12_DERIVE_KEY 1 /**< encryption/decryption key */ 0031 #define MBEDTLS_PKCS12_DERIVE_IV 2 /**< initialization vector */ 0032 #define MBEDTLS_PKCS12_DERIVE_MAC_KEY 3 /**< integrity / MAC key */ 0033 0034 #define MBEDTLS_PKCS12_PBE_DECRYPT MBEDTLS_DECRYPT 0035 #define MBEDTLS_PKCS12_PBE_ENCRYPT MBEDTLS_ENCRYPT 0036 0037 #ifdef __cplusplus 0038 extern "C" { 0039 #endif 0040 0041 #if defined(MBEDTLS_ASN1_PARSE_C) && defined(MBEDTLS_CIPHER_C) 0042 0043 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 0044 /** 0045 * \brief PKCS12 Password Based function (encryption / decryption) 0046 * for cipher-based and mbedtls_md-based PBE's 0047 * 0048 * \note When encrypting, #MBEDTLS_CIPHER_PADDING_PKCS7 must 0049 * be enabled at compile time. 0050 * 0051 * \deprecated This function is deprecated and will be removed in a 0052 * future version of the library. 0053 * Please use mbedtls_pkcs12_pbe_ext() instead. 0054 * 0055 * \warning When decrypting: 0056 * - if #MBEDTLS_CIPHER_PADDING_PKCS7 is enabled at compile 0057 * time, this function validates the CBC padding and returns 0058 * #MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH if the padding is 0059 * invalid. Note that this can help active adversaries 0060 * attempting to brute-forcing the password. Note also that 0061 * there is no guarantee that an invalid password will be 0062 * detected (the chances of a valid padding with a random 0063 * password are about 1/255). 0064 * - if #MBEDTLS_CIPHER_PADDING_PKCS7 is disabled at compile 0065 * time, this function does not validate the CBC padding. 0066 * 0067 * \param pbe_params an ASN1 buffer containing the pkcs-12 PbeParams structure 0068 * \param mode either #MBEDTLS_PKCS12_PBE_ENCRYPT or 0069 * #MBEDTLS_PKCS12_PBE_DECRYPT 0070 * \param cipher_type the cipher used 0071 * \param md_type the mbedtls_md used 0072 * \param pwd Latin1-encoded password used. This may only be \c NULL when 0073 * \p pwdlen is 0. No null terminator should be used. 0074 * \param pwdlen length of the password (may be 0) 0075 * \param data the input data 0076 * \param len data length 0077 * \param output Output buffer. 0078 * On success, it contains the encrypted or decrypted data, 0079 * possibly followed by the CBC padding. 0080 * On failure, the content is indeterminate. 0081 * For decryption, there must be enough room for \p len 0082 * bytes. 0083 * For encryption, there must be enough room for 0084 * \p len + 1 bytes, rounded up to the block size of 0085 * the block cipher identified by \p pbe_params. 0086 * 0087 * \return 0 if successful, or a MBEDTLS_ERR_XXX code 0088 */ 0089 int MBEDTLS_DEPRECATED mbedtls_pkcs12_pbe(mbedtls_asn1_buf *pbe_params, int mode, 0090 mbedtls_cipher_type_t cipher_type, 0091 mbedtls_md_type_t md_type, 0092 const unsigned char *pwd, size_t pwdlen, 0093 const unsigned char *data, size_t len, 0094 unsigned char *output); 0095 #endif /* MBEDTLS_DEPRECATED_REMOVED */ 0096 0097 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7) 0098 0099 /** 0100 * \brief PKCS12 Password Based function (encryption / decryption) 0101 * for cipher-based and mbedtls_md-based PBE's 0102 * 0103 * 0104 * \warning When decrypting: 0105 * - This function validates the CBC padding and returns 0106 * #MBEDTLS_ERR_PKCS12_PASSWORD_MISMATCH if the padding is 0107 * invalid. Note that this can help active adversaries 0108 * attempting to brute-forcing the password. Note also that 0109 * there is no guarantee that an invalid password will be 0110 * detected (the chances of a valid padding with a random 0111 * password are about 1/255). 0112 * 0113 * \param pbe_params an ASN1 buffer containing the pkcs-12 PbeParams structure 0114 * \param mode either #MBEDTLS_PKCS12_PBE_ENCRYPT or 0115 * #MBEDTLS_PKCS12_PBE_DECRYPT 0116 * \param cipher_type the cipher used 0117 * \param md_type the mbedtls_md used 0118 * \param pwd Latin1-encoded password used. This may only be \c NULL when 0119 * \p pwdlen is 0. No null terminator should be used. 0120 * \param pwdlen length of the password (may be 0) 0121 * \param data the input data 0122 * \param len data length 0123 * \param output Output buffer. 0124 * On success, it contains the encrypted or decrypted data, 0125 * possibly followed by the CBC padding. 0126 * On failure, the content is indeterminate. 0127 * For decryption, there must be enough room for \p len 0128 * bytes. 0129 * For encryption, there must be enough room for 0130 * \p len + 1 bytes, rounded up to the block size of 0131 * the block cipher identified by \p pbe_params. 0132 * \param output_size size of output buffer. 0133 * This must be big enough to accommodate for output plus 0134 * padding data. 0135 * \param output_len On success, length of actual data written to the output buffer. 0136 * 0137 * \return 0 if successful, or a MBEDTLS_ERR_XXX code 0138 */ 0139 int mbedtls_pkcs12_pbe_ext(mbedtls_asn1_buf *pbe_params, int mode, 0140 mbedtls_cipher_type_t cipher_type, mbedtls_md_type_t md_type, 0141 const unsigned char *pwd, size_t pwdlen, 0142 const unsigned char *data, size_t len, 0143 unsigned char *output, size_t output_size, 0144 size_t *output_len); 0145 0146 #endif /* MBEDTLS_CIPHER_PADDING_PKCS7 */ 0147 0148 #endif /* MBEDTLS_ASN1_PARSE_C && MBEDTLS_CIPHER_C */ 0149 0150 /** 0151 * \brief The PKCS#12 derivation function uses a password and a salt 0152 * to produce pseudo-random bits for a particular "purpose". 0153 * 0154 * Depending on the given id, this function can produce an 0155 * encryption/decryption key, an initialization vector or an 0156 * integrity key. 0157 * 0158 * \param data buffer to store the derived data in 0159 * \param datalen length of buffer to fill 0160 * \param pwd The password to use. For compliance with PKCS#12 §B.1, this 0161 * should be a BMPString, i.e. a Unicode string where each 0162 * character is encoded as 2 bytes in big-endian order, with 0163 * no byte order mark and with a null terminator (i.e. the 0164 * last two bytes should be 0x00 0x00). 0165 * \param pwdlen length of the password (may be 0). 0166 * \param salt Salt buffer to use. This may only be \c NULL when 0167 * \p saltlen is 0. 0168 * \param saltlen length of the salt (may be zero) 0169 * \param mbedtls_md mbedtls_md type to use during the derivation 0170 * \param id id that describes the purpose (can be 0171 * #MBEDTLS_PKCS12_DERIVE_KEY, #MBEDTLS_PKCS12_DERIVE_IV or 0172 * #MBEDTLS_PKCS12_DERIVE_MAC_KEY) 0173 * \param iterations number of iterations 0174 * 0175 * \return 0 if successful, or a MD, BIGNUM type error. 0176 */ 0177 int mbedtls_pkcs12_derivation(unsigned char *data, size_t datalen, 0178 const unsigned char *pwd, size_t pwdlen, 0179 const unsigned char *salt, size_t saltlen, 0180 mbedtls_md_type_t mbedtls_md, int id, int iterations); 0181 0182 #ifdef __cplusplus 0183 } 0184 #endif 0185 0186 #endif /* pkcs12.h */
| [ Source navigation ] | [ Diff markup ] | [ Identifier search ] | [ general search ] |
|
This page was automatically generated by the 2.3.7 LXR engine. The LXR team |
|