src/lib/libcrypto/man/PKCS7_dataInit.3

226 lines
5.2 KiB
Groff

.\" $OpenBSD: PKCS7_dataInit.3,v 1.2 2020/06/03 13:41:27 schwarze Exp $
.\"
.\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd $Mdocdate: June 3 2020 $
.Dt PKCS7_DATAINIT 3
.Os
.Sh NAME
.Nm PKCS7_dataInit
.Nd construct a BIO chain for adding or retrieving content
.Sh SYNOPSIS
.In openssl/pkcs7.h
.Ft BIO *
.Fo PKCS7_dataInit
.Fa "PKCS7 *p7"
.Fa "BIO *indata"
.Fc
.Sh DESCRIPTION
.Fn PKCS7_dataInit
constructs a BIO chain in preparation for putting data into
or retrieving data out of
.Fa p7 .
Depending on the
.Fa contentType
of
.Fa p7 ,
the created chain starts with:
.Bl -tag -width Ds
.It for Vt SignedData :
one or more
.Xr BIO_f_md 3
message digest filters
.It for Vt EnvelopedData :
one
.Xr BIO_f_cipher 3
encryption filter
.It for Vt SignedAndEnvelopedData :
one or more
.Xr BIO_f_md 3
message digest filters followed by one
.Xr BIO_f_cipher 3
encryption filter
.It for Vt DigestedData :
one
.Xr BIO_f_md 3
message digest filter
.It for arbitrary data :
no filter BIO
.El
.Pp
One additional BIO is appended to the end of the chain,
depending on the first condition that holds in the following list:
.Bl -tag -width Ds
.It Fa indata
if the
.Fa indata
argument is not
.Dv NULL .
This only makes sense while verifying a detached signature, in which case
.Fa indata
is expected to supply the content associated with the detached signature.
.It Xr BIO_s_null 3
if the
.Fa contentType
of
.Fa p7
is
.Vt SignedData
and it is configured to contain a detached signature.
This only makes sense while creating the detached signature.
.It Xr BIO_new_mem_buf 3
when reading from a
.Vt SignedData
or
.Vt DigestedData
object.
.Fn PKCS7_dataInit
attaches the end of the chain to the nested content of
.Fa p7 .
.It Xr BIO_s_mem 3
otherwise.
This is the most common case while writing data to
.Fa p7 .
.Xr PKCS7_dataFinal 3
can later be used to transfer the data from the memory BIO into
.Fa p7 .
.El
.Ss Adding content
Before calling
.Fn PKCS7_dataInit
in order to add content,
.Xr PKCS7_new 3 ,
.Xr PKCS7_set_type 3 ,
and
.Xr PKCS7_content_new 3
are typically required to create
.Fa p7 ,
to choose its desired type, and to allocate the nested
.Vt ContentInfo
structure.
Alternatively, for
.Vt SignedData ,
.Xr PKCS7_sign 3
can be used with the
.Dv PKCS7_PARTIAL
or
.Dv PKCS7_STREAM
.Fa flags
or for
.Vt EnvelopedData ,
.Xr PKCS7_encrypt 3
with the
.Dv PKCS7_STREAM
flag.
.Pp
After calling
.Fn PKCS7_dataInit ,
the desired data can be written into the returned
.Vt BIO ,
.Xr BIO_flush 3
can be called on it,
.Xr PKCS7_dataFinal 3
can be used to transfer the processed data
from the returned memory BIO to the
.Fa p7
structure, and the chain can finally be destroyed with
.Xr BIO_free_all 3 .
.Pp
While
.Fn PKCS7_dataInit
does support the
.Vt EnvelopedData
and
.Vt SignedAndEnvelopedData
types, using it for these types is awkward and error prone
except when using
.Xr PKCS7_encrypt 3
for the setup because
.Xr PKCS7_content_new 3
does not support these two types.
So in addition to creating
.Fa p7
itself and setting its type, the nested
.Fa ContentInfo
structure also needs to be constructed with
.Xr PKCS7_new 3
and
.Xr PKCS7_set_type 3
and manually inserted into the correct field
of the respective sub-structure of
.Fa p7 .
.Ss Retrieving content
.Fn PKCS7_dataInit
can also be called on a fully populated object of type
.Vt SignedData
or
.Vt DigestedData .
After that,
.Xr BIO_read 3
can be used to retrieve data from it.
In this use case, do not call
.Xr PKCS7_dataFinal 3 ;
simply proceed directly to
.Xr BIO_free_all 3
after reading the data.
.Sh RETURN VALUES
.Fn PKCS7_dataInit
returns a BIO chain on success or
.Dv NULL
on failure.
It fails if
.Fa p7
is
.Dv NULL ,
if the
.Fa content
field of
.Fa p7
is empty, if the
.Fa contentType
of
.Fa p7
is unsupported, if a cipher is required but none is configured, or
if any required operation fails, for example due to lack of memory
or for various other reasons.
.Sh SEE ALSO
.Xr BIO_new 3 ,
.Xr BIO_read 3 ,
.Xr PKCS7_content_new 3 ,
.Xr PKCS7_dataFinal 3 ,
.Xr PKCS7_encrypt 3 ,
.Xr PKCS7_final 3 ,
.Xr PKCS7_new 3 ,
.Xr PKCS7_set_type 3 ,
.Xr PKCS7_sign 3
.Sh HISTORY
.Fn PKCS7_dataInit
first appeared in SSLeay 0.8.1 and has been available since
.Ox 2.4 .
.Sh CAVEATS
This function does not support
.Vt EncryptedData .
.Sh BUGS
If
.Fa p7
is a fully populated structure containing
.Vt EnvelopedData ,
.Vt SignedAndEnvelopedData ,
or arbitrary data,
.Fn PKCS7_dataInit
returns a BIO chain that ultimately reads from an empty memory BIO,
so reading from it will instantly return an end-of-file indication
rather than reading the actual data contained in
.Fa p7 .