secpkcs7.h source code [include/nss/secpkcs7.h]

1	/ This Source Code Form is subject to the terms of the Mozilla Public*
2	* License, v. 2.0. If a copy of the MPL was not distributed with this
3	* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4
5	/*
6	* Interface to the PKCS7 implementation.
7	*/
8
9	#ifndef _SECPKCS7_H_
10	#define _SECPKCS7_H_
11
12	#include "seccomon.h"
13
14	#include "secoidt.h"
15	#include "certt.h"
16	#include "keythi.h"
17	#include "hasht.h"
18	#include "pkcs7t.h"
19
20	extern const SEC_ASN1Template sec_PKCS7ContentInfoTemplate[];
21
22	/**********************************************************************/
23	SEC_BEGIN_PROTOS
24
25	/************************************************************************
26	* Miscellaneous
27	************************************************************************/
28
29	/*
30	* Returns the content type of the given contentInfo.
31	*/
32	extern SECOidTag SEC_PKCS7ContentType(SEC_PKCS7ContentInfo *cinfo);
33
34	/*
35	* Destroy a PKCS7 contentInfo and all of its sub-pieces.
36	*/
37	extern void SEC_PKCS7DestroyContentInfo(SEC_PKCS7ContentInfo *contentInfo);
38
39	/*
40	* Copy a PKCS7 contentInfo. A Destroy is needed on each copy.
41	*/
42	extern SEC_PKCS7ContentInfo *
43	SEC_PKCS7CopyContentInfo(SEC_PKCS7ContentInfo *contentInfo);
44
45	/*
46	* Return a pointer to the actual content. In the case of those types
47	* which are encrypted, this returns the plain content.
48	*/
49	extern SECItem SEC_PKCS7GetContent(SEC_PKCS7ContentInfo cinfo);
50
51	/************************************************************************
52	* PKCS7 Decoding, Verification, etc..
53	************************************************************************/
54
55	extern SEC_PKCS7DecoderContext *
56	SEC_PKCS7DecoderStart(SEC_PKCS7DecoderContentCallback callback,
57	void *callback_arg,
58	SECKEYGetPasswordKey pwfn, void *pwfn_arg,
59	SEC_PKCS7GetDecryptKeyCallback decrypt_key_cb,
60	void *decrypt_key_cb_arg,
61	SEC_PKCS7DecryptionAllowedCallback decrypt_allowed_cb);
62
63	extern SECStatus
64	SEC_PKCS7DecoderUpdate(SEC_PKCS7DecoderContext *p7dcx,
65	const char buf, unsigned* long len);
66
67	extern SEC_PKCS7ContentInfo *
68	SEC_PKCS7DecoderFinish(SEC_PKCS7DecoderContext *p7dcx);
69
70	/ Abort the underlying ASN.1 stream & set an error /
71	void SEC_PKCS7DecoderAbort(SEC_PKCS7DecoderContext p7dcx, int* error);
72
73	extern SEC_PKCS7ContentInfo *
74	SEC_PKCS7DecodeItem(SECItem *p7item,
75	SEC_PKCS7DecoderContentCallback cb, void *cb_arg,
76	SECKEYGetPasswordKey pwfn, void *pwfn_arg,
77	SEC_PKCS7GetDecryptKeyCallback decrypt_key_cb,
78	void *decrypt_key_cb_arg,
79	SEC_PKCS7DecryptionAllowedCallback decrypt_allowed_cb);
80
81	extern PRBool SEC_PKCS7ContainsCertsOrCrls(SEC_PKCS7ContentInfo *cinfo);
82
83	/ checks to see if the contents of the content info is*
84	* empty. it so, PR_TRUE is returned. PR_FALSE, otherwise.
85	*
86	* minLen is used to specify a minimum size. if content size <= minLen,
87	* content is assumed empty.
88	*/
89	extern PRBool
90	SEC_PKCS7IsContentEmpty(SEC_PKCS7ContentInfo cinfo, unsigned* int minLen);
91
92	extern PRBool SEC_PKCS7ContentIsEncrypted(SEC_PKCS7ContentInfo *cinfo);
93
94	/*
95	* If the PKCS7 content has a signature (not just could have a signature)
96	* return true; false otherwise. This can/should be called before calling
97	* VerifySignature, which will always indicate failure if no signature is
98	* present, but that does not mean there even was a signature!
99	* Note that the content itself can be empty (detached content was sent
100	* another way); it is the presence of the signature that matters.
101	*/
102	extern PRBool SEC_PKCS7ContentIsSigned(SEC_PKCS7ContentInfo *cinfo);
103
104	/*
105	* SEC_PKCS7VerifySignature
106	* Look at a PKCS7 contentInfo and check if the signature is good.
107	* The verification checks that the signing cert is valid and trusted
108	* for the purpose specified by "certusage".
109	*
110	* In addition, if "keepcerts" is true, add any new certificates found
111	* into our local database.
112	*/
113	extern PRBool SEC_PKCS7VerifySignature(SEC_PKCS7ContentInfo *cinfo,
114	SECCertUsage certusage,
115	PRBool keepcerts);
116
117	/*
118	* SEC_PKCS7VerifyDetachedSignature
119	* Look at a PKCS7 contentInfo and check if the signature matches
120	* a passed-in digest (calculated, supposedly, from detached contents).
121	* The verification checks that the signing cert is valid and trusted
122	* for the purpose specified by "certusage".
123	*
124	* In addition, if "keepcerts" is true, add any new certificates found
125	* into our local database.
126	*/
127	extern PRBool SEC_PKCS7VerifyDetachedSignature(SEC_PKCS7ContentInfo *cinfo,
128	SECCertUsage certusage,
129	const SECItem *detached_digest,
130	HASH_HashType digest_type,
131	PRBool keepcerts);
132
133	/*
134	* SEC_PKCS7VerifyDetachedSignatureAtTime
135	* Look at a PKCS7 contentInfo and check if the signature matches
136	* a passed-in digest (calculated, supposedly, from detached contents).
137	* The verification checks that the signing cert is valid and trusted
138	* for the purpose specified by "certusage" at time "atTime".
139	*
140	* In addition, if "keepcerts" is true, add any new certificates found
141	* into our local database.
142	*/
143	extern PRBool
144	SEC_PKCS7VerifyDetachedSignatureAtTime(SEC_PKCS7ContentInfo *cinfo,
145	SECCertUsage certusage,
146	const SECItem *detached_digest,
147	HASH_HashType digest_type,
148	PRBool keepcerts,
149	PRTime atTime);
150
151	/*
152	* SEC_PKCS7GetSignerCommonName, SEC_PKCS7GetSignerEmailAddress
153	* The passed-in contentInfo is espected to be Signed, and these
154	* functions return the specified portion of the full signer name.
155	*
156	* Returns a pointer to allocated memory, which must be freed.
157	* A NULL return value is an error.
158	*/
159	extern char SEC_PKCS7GetSignerCommonName(SEC_PKCS7ContentInfo cinfo);
160	extern char SEC_PKCS7GetSignerEmailAddress(SEC_PKCS7ContentInfo cinfo);
161
162	/*
163	* Return the the signing time, in UTCTime format, of a PKCS7 contentInfo.
164	*/
165	extern SECItem SEC_PKCS7GetSigningTime(SEC_PKCS7ContentInfo cinfo);
166
167	/************************************************************************
168	* PKCS7 Creation and Encoding.
169	************************************************************************/
170
171	/*
172	* Start a PKCS7 signing context.
173	*
174	* "cert" is the cert that will be used to sign the data. It will be
175	* checked for validity.
176	*
177	* "certusage" describes the signing usage (e.g. certUsageEmailSigner)
178	* XXX Maybe SECCertUsage should be split so that our caller just says
179	* "email" and we add the "signing" part -- otherwise our caller
180	* could be lying about the usage; we do not want to allow encryption
181	* certs for signing or vice versa.
182	*
183	* "certdb" is the cert database to use for verifying the cert.
184	* It can be NULL if a default database is available (like in the client).
185	*
186	* "digestalg" names the digest algorithm (e.g. SEC_OID_SHA1).
187	*
188	* "digest" is the actual digest of the data. It must be provided in
189	* the case of detached data or NULL if the content will be included.
190	*
191	* The return value can be passed to functions which add things to
192	* it like attributes, then eventually to SEC_PKCS7Encode() or to
193	* SEC_PKCS7EncoderStart() to create the encoded data, and finally to
194	* SEC_PKCS7DestroyContentInfo().
195	*
196	* An error results in a return value of NULL and an error set.
197	* (Retrieve specific errors via PORT_GetError()/XP_GetError().)
198	*/
199	extern SEC_PKCS7ContentInfo *
200	SEC_PKCS7CreateSignedData(CERTCertificate *cert,
201	SECCertUsage certusage,
202	CERTCertDBHandle *certdb,
203	SECOidTag digestalg,
204	SECItem *digest,
205	SECKEYGetPasswordKey pwfn, void *pwfn_arg);
206
207	/*
208	* Create a PKCS7 certs-only container.
209	*
210	* "cert" is the (first) cert that will be included.
211	*
212	* "include_chain" specifies whether the entire chain for "cert" should
213	* be included.
214	*
215	* "certdb" is the cert database to use for finding the chain.
216	* It can be NULL in when "include_chain" is false, or when meaning
217	* use the default database.
218	*
219	* More certs and chains can be added via AddCertficate and AddCertChain.
220	*
221	* An error results in a return value of NULL and an error set.
222	* (Retrieve specific errors via PORT_GetError()/XP_GetError().)
223	*/
224	extern SEC_PKCS7ContentInfo *
225	SEC_PKCS7CreateCertsOnly(CERTCertificate *cert,
226	PRBool include_chain,
227	CERTCertDBHandle *certdb);
228
229	/*
230	* Start a PKCS7 enveloping context.
231	*
232	* "cert" is the cert for the recipient. It will be checked for validity.
233	*
234	* "certusage" describes the encryption usage (e.g. certUsageEmailRecipient)
235	* XXX Maybe SECCertUsage should be split so that our caller just says
236	* "email" and we add the "recipient" part -- otherwise our caller
237	* could be lying about the usage; we do not want to allow encryption
238	* certs for signing or vice versa.
239	*
240	* "certdb" is the cert database to use for verifying the cert.
241	* It can be NULL if a default database is available (like in the client).
242	*
243	* "encalg" specifies the bulk encryption algorithm to use (e.g. SEC_OID_RC2).
244	*
245	* "keysize" specifies the bulk encryption key size, in bits.
246	*
247	* The return value can be passed to functions which add things to
248	* it like more recipients, then eventually to SEC_PKCS7Encode() or to
249	* SEC_PKCS7EncoderStart() to create the encoded data, and finally to
250	* SEC_PKCS7DestroyContentInfo().
251	*
252	* An error results in a return value of NULL and an error set.
253	* (Retrieve specific errors via PORT_GetError()/XP_GetError().)
254	*/
255	extern SEC_PKCS7ContentInfo *
256	SEC_PKCS7CreateEnvelopedData(CERTCertificate *cert,
257	SECCertUsage certusage,
258	CERTCertDBHandle *certdb,
259	SECOidTag encalg,
260	int keysize,
261	SECKEYGetPasswordKey pwfn, void *pwfn_arg);
262
263	/*
264	* XXX There will be a similar routine for creating signedAndEnvelopedData.
265	* But its parameters will be different and I have no plans to implement
266	* it any time soon because we have no current need for it.
267	*/
268
269	/*
270	* Create an empty PKCS7 data content info.
271	*
272	* An error results in a return value of NULL and an error set.
273	* (Retrieve specific errors via PORT_GetError()/XP_GetError().)
274	*/
275	extern SEC_PKCS7ContentInfo SEC_PKCS7CreateData(void*);
276
277	/*
278	* Create an empty PKCS7 encrypted content info.
279	*
280	* "algorithm" specifies the bulk encryption algorithm to use.
281	*
282	* An error results in a return value of NULL and an error set.
283	* (Retrieve specific errors via PORT_GetError()/XP_GetError().)
284	*/
285	extern SEC_PKCS7ContentInfo *
286	SEC_PKCS7CreateEncryptedData(SECOidTag algorithm, int keysize,
287	SECKEYGetPasswordKey pwfn, void *pwfn_arg);
288
289	/*
290	* Create an empty PKCS7 encrypted content info.
291	*
292	* Similar to SEC_PKCS7CreateEncryptedData(), but this is capable of
293	* creating encrypted content for PKCS #5 v2 algorithms.
294	*
295	* "pbe_algorithm" specifies the PBE algorithm to use.
296	* "cipher_algorithm" specifies the bulk encryption algorithm to use.
297	* "prf_algorithm" specifies the PRF algorithm which pbe_algorithm uses.
298	*
299	* An error results in a return value of NULL and an error set.
300	* (Retrieve specific errors via PORT_GetError()/XP_GetError().)
301	*/
302	extern SEC_PKCS7ContentInfo *
303	SEC_PKCS7CreateEncryptedDataWithPBEV2(SECOidTag pbe_algorithm,
304	SECOidTag cipher_algorithm,
305	SECOidTag prf_algorithm,
306	int keysize,
307	SECKEYGetPasswordKey pwfn, void *pwfn_arg);
308
309	/*
310	* All of the following things return SECStatus to signal success or failure.
311	* Failure should have a more specific error status available via
312	* PORT_GetError()/XP_GetError().
313	*/
314
315	/*
316	* Add the specified attribute to the authenticated (i.e. signed) attributes
317	* of "cinfo" -- "oidtag" describes the attribute and "value" is the
318	* value to be associated with it. NOTE! "value" must already be encoded;
319	* no interpretation of "oidtag" is done. Also, it is assumed that this
320	* signedData has only one signer -- if we ever need to add attributes
321	* when there is more than one signature, we need a way to specify which
322	* signature should get the attribute.
323	*
324	* XXX Technically, a signed attribute can have multiple values; if/when
325	* we ever need to support an attribute which takes multiple values, we
326	* either need to change this interface or create an AddSignedAttributeValue
327	* which can be called subsequently, and would then append a value.
328	*
329	* "cinfo" should be of type signedData (the only kind of pkcs7 data
330	* that is allowed authenticated attributes); SECFailure will be returned
331	* if it is not.
332	*/
333	extern SECStatus SEC_PKCS7AddSignedAttribute(SEC_PKCS7ContentInfo *cinfo,
334	SECOidTag oidtag,
335	SECItem *value);
336
337	/*
338	* Add "cert" and its entire chain to the set of certs included in "cinfo".
339	*
340	* "certdb" is the cert database to use for finding the chain.
341	* It can be NULL, meaning use the default database.
342	*
343	* "cinfo" should be of type signedData or signedAndEnvelopedData;
344	* SECFailure will be returned if it is not.
345	*/
346	extern SECStatus SEC_PKCS7AddCertChain(SEC_PKCS7ContentInfo *cinfo,
347	CERTCertificate *cert,
348	CERTCertDBHandle *certdb);
349
350	/*
351	* Add "cert" to the set of certs included in "cinfo".
352	*
353	* "cinfo" should be of type signedData or signedAndEnvelopedData;
354	* SECFailure will be returned if it is not.
355	*/
356	extern SECStatus SEC_PKCS7AddCertificate(SEC_PKCS7ContentInfo *cinfo,
357	CERTCertificate *cert);
358
359	/*
360	* Add another recipient to an encrypted message.
361	*
362	* "cinfo" should be of type envelopedData or signedAndEnvelopedData;
363	* SECFailure will be returned if it is not.
364	*
365	* "cert" is the cert for the recipient. It will be checked for validity.
366	*
367	* "certusage" describes the encryption usage (e.g. certUsageEmailRecipient)
368	* XXX Maybe SECCertUsage should be split so that our caller just says
369	* "email" and we add the "recipient" part -- otherwise our caller
370	* could be lying about the usage; we do not want to allow encryption
371	* certs for signing or vice versa.
372	*
373	* "certdb" is the cert database to use for verifying the cert.
374	* It can be NULL if a default database is available (like in the client).
375	*/
376	extern SECStatus SEC_PKCS7AddRecipient(SEC_PKCS7ContentInfo *cinfo,
377	CERTCertificate *cert,
378	SECCertUsage certusage,
379	CERTCertDBHandle *certdb);
380
381	/*
382	* Add the signing time to the authenticated (i.e. signed) attributes
383	* of "cinfo". This is expected to be included in outgoing signed
384	* messages for email (S/MIME) but is likely useful in other situations.
385	*
386	* This should only be added once; a second call will either do
387	* nothing or replace an old signing time with a newer one.
388	*
389	* XXX This will probably just shove the current time into "cinfo"
390	* but it will not actually get signed until the entire item is
391	* processed for encoding. Is this (expected to be small) delay okay?
392	*
393	* "cinfo" should be of type signedData (the only kind of pkcs7 data
394	* that is allowed authenticated attributes); SECFailure will be returned
395	* if it is not.
396	*/
397	extern SECStatus SEC_PKCS7AddSigningTime(SEC_PKCS7ContentInfo *cinfo);
398
399	/*
400	* Add the signer's symmetric capabilities to the authenticated
401	* (i.e. signed) attributes of "cinfo". This is expected to be
402	* included in outgoing signed messages for email (S/MIME).
403	*
404	* This can only be added once; a second call will return SECFailure.
405	*
406	* "cinfo" should be of type signedData or signedAndEnvelopedData;
407	* SECFailure will be returned if it is not.
408	*/
409	extern SECStatus SEC_PKCS7AddSymmetricCapabilities(SEC_PKCS7ContentInfo *cinfo);
410
411	/*
412	* Mark that the signer's certificate and its issuing chain should
413	* be included in the encoded data. This is expected to be used
414	* in outgoing signed messages for email (S/MIME).
415	*
416	* "certdb" is the cert database to use for finding the chain.
417	* It can be NULL, meaning use the default database.
418	*
419	* "cinfo" should be of type signedData or signedAndEnvelopedData;
420	* SECFailure will be returned if it is not.
421	*/
422	extern SECStatus SEC_PKCS7IncludeCertChain(SEC_PKCS7ContentInfo *cinfo,
423	CERTCertDBHandle *certdb);
424
425	/*
426	* Set the content; it will be included and also hashed and/or encrypted
427	* as appropriate. This is for in-memory content (expected to be "small")
428	* that will be included in the PKCS7 object. All others should stream the
429	* content through when encoding (see SEC_PKCS7Encoder{Start,Update,Finish}).
430	*
431	* "buf" points to data of length "len"; it will be copied.
432	*/
433	extern SECStatus SEC_PKCS7SetContent(SEC_PKCS7ContentInfo *cinfo,
434	const char buf, unsigned* long len);
435
436	/*
437	* Encode a PKCS7 object, in one shot. All necessary components
438	* of the object must already be specified. Either the data has
439	* already been included (via SetContent), or the data is detached,
440	* or there is no data at all (certs-only).
441	*
442	* "cinfo" specifies the object to be encoded.
443	*
444	* "outputfn" is where the encoded bytes will be passed.
445	*
446	* "outputarg" is an opaque argument to the above callback.
447	*
448	* "bulkkey" specifies the bulk encryption key to use. This argument
449	* can be NULL if no encryption is being done, or if the bulk key should
450	* be generated internally (usually the case for EnvelopedData but never
451	* for EncryptedData, which must provide a bulk encryption key).
452	*
453	* "pwfn" is a callback for getting the password which protects the
454	* private key of the signer. This argument can be NULL if it is known
455	* that no signing is going to be done.
456	*
457	* "pwfnarg" is an opaque argument to the above callback.
458	*/
459	extern SECStatus SEC_PKCS7Encode(SEC_PKCS7ContentInfo *cinfo,
460	SEC_PKCS7EncoderOutputCallback outputfn,
461	void *outputarg,
462	PK11SymKey *bulkkey,
463	SECKEYGetPasswordKey pwfn,
464	void *pwfnarg);
465
466	/*
467	* Encode a PKCS7 object, in one shot. All necessary components
468	* of the object must already be specified. Either the data has
469	* already been included (via SetContent), or the data is detached,
470	* or there is no data at all (certs-only). The output, rather than
471	* being passed to an output function as is done above, is all put
472	* into a SECItem.
473	*
474	* "pool" specifies a pool from which to allocate the result.
475	* It can be NULL, in which case memory is allocated generically.
476	*
477	* "dest" specifies a SECItem in which to put the result data.
478	* It can be NULL, in which case the entire item is allocated, too.
479	*
480	* "cinfo" specifies the object to be encoded.
481	*
482	* "bulkkey" specifies the bulk encryption key to use. This argument
483	* can be NULL if no encryption is being done, or if the bulk key should
484	* be generated internally (usually the case for EnvelopedData but never
485	* for EncryptedData, which must provide a bulk encryption key).
486	*
487	* "pwfn" is a callback for getting the password which protects the
488	* private key of the signer. This argument can be NULL if it is known
489	* that no signing is going to be done.
490	*
491	* "pwfnarg" is an opaque argument to the above callback.
492	*/
493	extern SECItem SEC_PKCS7EncodeItem(PLArenaPool pool,
494	SECItem *dest,
495	SEC_PKCS7ContentInfo *cinfo,
496	PK11SymKey *bulkkey,
497	SECKEYGetPasswordKey pwfn,
498	void *pwfnarg);
499
500	/*
501	* For those who want to simply point to the pkcs7 contentInfo ASN.1
502	* template, and not call the encoding functions directly, the
503	* following function can be used -- after it is called, the entire
504	* PKCS7 contentInfo is ready to be encoded.
505	*/
506	extern SECStatus SEC_PKCS7PrepareForEncode(SEC_PKCS7ContentInfo *cinfo,
507	PK11SymKey *bulkkey,
508	SECKEYGetPasswordKey pwfn,
509	void *pwfnarg);
510
511	/*
512	* Start the process of encoding a PKCS7 object. The first part of
513	* the encoded object will be passed to the output function right away;
514	* after that it is expected that SEC_PKCS7EncoderUpdate will be called,
515	* streaming in the actual content that is getting included as well as
516	* signed or encrypted (or both).
517	*
518	* "cinfo" specifies the object to be encoded.
519	*
520	* "outputfn" is where the encoded bytes will be passed.
521	*
522	* "outputarg" is an opaque argument to the above callback.
523	*
524	* "bulkkey" specifies the bulk encryption key to use. This argument
525	* can be NULL if no encryption is being done, or if the bulk key should
526	* be generated internally (usually the case for EnvelopedData but never
527	* for EncryptedData, which must provide a bulk encryption key).
528	*
529	* Returns an object to be passed to EncoderUpdate and EncoderFinish.
530	*/
531	extern SEC_PKCS7EncoderContext *
532	SEC_PKCS7EncoderStart(SEC_PKCS7ContentInfo *cinfo,
533	SEC_PKCS7EncoderOutputCallback outputfn,
534	void *outputarg,
535	PK11SymKey *bulkkey);
536
537	/*
538	* Encode more contents, hashing and/or encrypting along the way.
539	*/
540	extern SECStatus SEC_PKCS7EncoderUpdate(SEC_PKCS7EncoderContext *p7ecx,
541	const char *buf,
542	unsigned long len);
543
544	/*
545	* No more contents; finish the signature creation, if appropriate,
546	* and then the encoding.
547	*
548	* "pwfn" is a callback for getting the password which protects the
549	* signer's private key. This argument can be NULL if it is known
550	* that no signing is going to be done.
551	*
552	* "pwfnarg" is an opaque argument to the above callback.
553	*/
554	extern SECStatus SEC_PKCS7EncoderFinish(SEC_PKCS7EncoderContext *p7ecx,
555	SECKEYGetPasswordKey pwfn,
556	void *pwfnarg);
557
558	/ Abort the underlying ASN.1 stream & set an error /
559	void SEC_PKCS7EncoderAbort(SEC_PKCS7EncoderContext p7dcx, int* error);
560
561	/ retrieve the algorithm ID used to encrypt the content info*
562	* for encrypted and enveloped data. The SECAlgorithmID pointer
563	* returned needs to be freed as it is a copy of the algorithm
564	* id in the content info.
565	*/
566	extern SECAlgorithmID *
567	SEC_PKCS7GetEncryptionAlgorithm(SEC_PKCS7ContentInfo *cinfo);
568
569	/ the content of an encrypted data content info is encrypted.*
570	* it is assumed that for encrypted data, that the data has already
571	* been set and is in the "plainContent" field of the content info.
572	*
573	* cinfo is the content info to encrypt
574	*
575	* key is the key with which to perform the encryption. if the
576	* algorithm is a password based encryption algorithm, the
577	* key is actually a password which will be processed per
578	* PKCS #5.
579	*
580	* in the event of an error, SECFailure is returned. SECSuccess
581	* indicates a success.
582	*/
583	extern SECStatus
584	SEC_PKCS7EncryptContents(PLArenaPool *poolp,
585	SEC_PKCS7ContentInfo *cinfo,
586	SECItem *key,
587	void *wincx);
588
589	/ the content of an encrypted data content info is decrypted.*
590	* it is assumed that for encrypted data, that the data has already
591	* been set and is in the "encContent" field of the content info.
592	*
593	* cinfo is the content info to decrypt
594	*
595	* key is the key with which to perform the decryption. if the
596	* algorithm is a password based encryption algorithm, the
597	* key is actually a password which will be processed per
598	* PKCS #5.
599	*
600	* in the event of an error, SECFailure is returned. SECSuccess
601	* indicates a success.
602	*/
603	extern SECStatus
604	SEC_PKCS7DecryptContents(PLArenaPool *poolp,
605	SEC_PKCS7ContentInfo *cinfo,
606	SECItem *key,
607	void *wincx);
608
609	/ retrieve the certificate list from the content info. the list*
610	* is a pointer to the list in the content info. this should not
611	* be deleted or freed in any way short of calling
612	* SEC_PKCS7DestroyContentInfo
613	*/
614	extern SECItem **
615	SEC_PKCS7GetCertificateList(SEC_PKCS7ContentInfo *cinfo);
616
617	/ Returns the key length (in bits) of the algorithm used to encrypt*
618	this object. Returns 0 if it's not encrypted, or the key length is
619	irrelevant. /*
620	extern int
621	SEC_PKCS7GetKeyLength(SEC_PKCS7ContentInfo *cinfo);
622
623	/**********************************************************************/
624	SEC_END_PROTOS
625
626	#endif /* _SECPKCS7_H_ */
627

source code of include/nss/secpkcs7.h