gsk_read_signed_data_content()

Processes PKCS #7 SignedData content information.

Format

#include <gskcms.h>

gsk_status gsk_read_signed_data_content (
                                   pkcs_certificates *      local_certificates,
                                   pkcs_content_info *      content_info,
                                   gsk_boolean *            used_local,
                                   pkcs_certificates *      msg_certificates,
                                   pkcs_certificates *      signer_certificates,
                                   pkcs_content_info *      content_data)

Parameters

local_certificates
Specifies zero or more X.509 certificates to use when verifying the message signatures. NULL can be specified for this parameter if no local certificates are provided.
content_info
Specifies the content information to be processed.
used_local
This parameter will be set to TRUE if the signatures were verified using just the certificates supplied by the local_certificates parameter. This parameter will be set to FALSE if any of the signatures were verified using certificates contained within the message.
msg_certificates
Returns the X.509 certificates contained within the message. The application should call the gsk_free_certificates() routine to release the certificates when they are no longer needed. Specify NULL for this parameter if the message certificates are not needed.
signer_certificates
Returns the certificates used to sign the message. The application should call the gsk_free_certificates() routine to release the certificates when they are no longer needed. Specify NULL for this parameter if the signer certificates are not needed.
content_data
Returns the SignedData content data. The application should call the gsk_free_content_info() routine to release the data when it is no longer needed.

Results

The function return value will be 0 if no error is detected. Otherwise, it will be one of the return codes listed in the gskcms.h include file. These are some possible errors:

[CMSERR_ALG_NOT_SUPPORTED]
The digest algorithm is not supported.
[CMSERR_BAD_SIGNATURE]
Signature is not correct.
[CMSERR_CONTENT_NOT_SUPPORTED]
The content type is not SignedData.
[CMSERR_CRYPTO_FAILED]
Unexpected cryptographic request failure.
[CMSERR_DIGEST_KEY_MISMATCH]
The digest algorithm is not supported for the private key type.
[CMSERR_ECURVE_NOT_FIPS_APPROVED]
Elliptic Curve not supported in FIPS mode.
[CMSERR_ECURVE_NOT_SUPPORTED]
Elliptic Curve is not supported.
[CMSERR_ICSF_FIPS_DISABLED]
ICSF PKCS #11 services are disabled.
[CMSERR_ICSF_NOT_AVAILABLE]
ICSF services are not available.
[CMSERR_ICSF_NOT_FIPS]
ICSF PKCS #11 not operating in FIPS mode.
[CMSERR_ICSF_SERVICE_FAILURE]
ICSF callable service returned an error.
[CMSERR_INCORRECT_KEY_USAGE]
A signer certificate does not allow digital signature.
[CMSERR_NO_CONTENT_DATA]
The content data length is zero.
[CMSERR_NO_MEMORY]
Insufficient storage is available.
[CMSERR_RSASSA_PSS_DIGEST_ALG_NOT_SUPPORTED]
RSASSA-PSS digest algorithm is not supported.
[CMSERR_RSASSA_PSS_MASK_ALG_NOT_SUPPORTED]
RSASSA-PSS mask generation algorithm is not supported.
[CMSERR_SIGNER_NOT_FOUND]
Signer certificate not found.

Usage

The gsk_read_signed_data_content() routine processes a PKCS #7 (Cryptographic Message Syntax) SignedData message created by the gsk_make_signed_data_content() routine and returns the content data.

The local_certificates parameter can supply the signer certificates used to verify the message signatures. If a certificate is not found for a message signer, the gsk_read_signed_data_content() routine attempts to locate the signer certificate in the SignedData message. An error will be returned if the signer certificate cannot be found or if the certificate key usage does not allow digital signature.

No certificate validation is performed by the gsk_read_signed_data_content() routine. It is assumed that the application has already validated the local certificates. The certificates contained in the SignedData message will be returned in the msg_certificates parameter and the used_local parameter will be set to FALSE if any of these certificates were used to verify the message signatures. It is the responsibility of the application to validate the message certificates (for example, by calling the gsk_validate_certificate() routine for each of the signer certificates).

These digest algorithms are supported:
x509_alg_md2Digest
MD2 digest (RSA keys only) - {1.2.840.113549.2.2}
x509_alg_md5Digest
MD5 digest (RSA keys only) - {1.2.840.113549.2.5}
x509_alg_sha1Digest
SHA-1 digest (RSA, DSA, and ECDSA keys only) - {1.3.14.3.2.26}
x509_alg_sha224Digest
SHA-224 digest (RSA, DSA, and ECDSA keys only) - {2.16.840.1.101.3.4.2.4}
x509_alg_sha256Digest
SHA-256 digest (RSA, DSA, and ECDSA keys only) - {2.16.840.1.101.3.4.2.1}
x509_alg_sha384Digest
SHA-384 digest (RSA and ECDSA keys only) - {2.16.840.1.101.3.4.2.2}
x509_alg_sha512Digest
SHA-512 digest (RSA and ECDSA keys only) - {2.16.840.1.101.3.4.2.3}
These RSASSA-PSS [1.2.840.113549.1.1.10] signatures are supported:
x509_alg_mgf1Sha256WithRsaSsaPss
RSASSA-PSS using SHA-256 digest with mask generation algorithm 1.
x509_alg_mgf1Sha384WithRsaSsaPss
RSASSA-PSS using SHA-384 digest with mask generation algorithm 1.
x509_alg_mgf1Sha512WithRsaSsaPss
RSASSA-PSS using SHA-512 digest with mask generation algorithm 1.

When executing in FIPS mode, digest algorithms x509_alg_md2Digest and x509_alg_md5Digest are not supported.
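
The digest list and the FIPS restriction above can be applied as a check on a digest algorithm OID before a message is handed to the routine. The following is an added example, not code from gskcms.h or from System SSL: it decodes the DER content octets of an OID and classifies it by signer key type and FIPS mode. The enum names, function names and sample byte arrays are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical names for this example; none of them come from gskcms.h. */
enum { KEY_RSA = 1, KEY_DSA = 2, KEY_ECDSA = 4 };
enum { DIGEST_OK, DIGEST_UNKNOWN, DIGEST_KEY_MISMATCH, DIGEST_NOT_IN_FIPS };
/* Digest list from the page: OID, permitted key types, 0 = unsupported in FIPS mode. */
static const struct { const char *oid; int keys; int fips; } digests[] = {
    { "1.2.840.113549.2.2",     KEY_RSA,                       0 }, /* MD2 */
    { "1.2.840.113549.2.5",     KEY_RSA,                       0 }, /* MD5 */
    { "1.3.14.3.2.26",          KEY_RSA | KEY_DSA | KEY_ECDSA, 1 }, /* SHA-1 */
    { "2.16.840.1.101.3.4.2.4", KEY_RSA | KEY_DSA | KEY_ECDSA, 1 }, /* SHA-224 */
    { "2.16.840.1.101.3.4.2.1", KEY_RSA | KEY_DSA | KEY_ECDSA, 1 }, /* SHA-256 */
    { "2.16.840.1.101.3.4.2.2", KEY_RSA | KEY_ECDSA,           1 }, /* SHA-384 */
    { "2.16.840.1.101.3.4.2.3", KEY_RSA | KEY_ECDSA,           1 }, /* SHA-512 */
};
/* Constructed sample inputs: DER OID content octets for SHA-384 and MD5. */
const unsigned char OID_SHA384[] = { 0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x02 };
const unsigned char OID_MD5[]    = { 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x05 };

/* Decode DER OBJECT IDENTIFIER content octets (no tag/length) to dotted form. */
int oid_to_dotted(const unsigned char *der, size_t len, char *out, size_t cap)
{
    unsigned long arc = 0;
    size_t used = 0;
    if (len == 0 || (der[len - 1] & 0x80)) return -1;     /* empty or truncated */
    for (size_t i = 0; i < len; i++) {
        /* reject non-minimal encodings and arcs too large for this decoder */
        if ((arc == 0 && der[i] == 0x80) || arc > 0xFFFFFFUL) return -1;
        arc = (arc << 7) | (der[i] & 0x7f);
        if (der[i] & 0x80) continue;                      /* arc continues */
        unsigned long top = arc < 80 ? arc / 40 : 2;      /* first value packs two arcs */
        int n = used == 0 ? snprintf(out, cap, "%lu.%lu", top, arc - top * 40)
                          : snprintf(out + used, cap - used, ".%lu", arc);
        if (n < 0 || (size_t)n >= cap - used) return -1;  /* output buffer too small */
        used += (size_t)n; arc = 0;
    }
    return 0;
}
/* Classify a digest OID for one signer key type, optionally under FIPS mode. */
int classify_digest(const unsigned char *der, size_t len, int key, int fips_mode)
{
    char oid[64];
    if (oid_to_dotted(der, len, oid, sizeof oid) != 0) return DIGEST_UNKNOWN;
    for (size_t i = 0; i < sizeof digests / sizeof digests[0]; i++) {
        if (strcmp(oid, digests[i].oid) != 0) continue;
        if (fips_mode && !digests[i].fips) return DIGEST_NOT_IN_FIPS;
        return (digests[i].keys & key) ? DIGEST_OK : DIGEST_KEY_MISMATCH;
    }
    return DIGEST_UNKNOWN;
}
```

The fips column records only the statement above that MD2 and MD5 are not supported in FIPS mode; it does not assess whether an algorithm meets a chosen security strength.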

Ensure that keys and algorithms are compliant for the chosen security strength when functioning at a FIPS mode level. For more information about FIPS mode level support, see System SSL and FIPS 140-2.