diff --git a/doc/ksba.texi b/doc/ksba.texi index 65cf10c..97a806b 100644 --- a/doc/ksba.texi +++ b/doc/ksba.texi @@ -1,1199 +1,1199 @@ \input texinfo @setfilename ksba.info @settitle The KSBA Reference Manual @dircategory GNU libraries @direntry * libksba: (ksba). An X.509 Library. @end direntry @include version.texi @c Unify some of the indices. @syncodeindex tp fn @syncodeindex pg fn @macro mycopyrightnotice Copyright @copyright{} 2002, 2003, 2004 g10 Code GmbH @end macro @macro mypermissionnotice Permission is granted to copy, distribute and/or modify this document under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. The text of the license can be found in the section entitled ``Copying''. @end macro @ifinfo This file documents the @acronym{KSBA} library to access X.509 and CMS data structures. This is edition @value{EDITION}, last updated @value{UPDATED}, of @cite{The KSBA Reference Manual}, for Version @value{VERSION}. @sp 1 @mycopyrightnotice{} @sp 1 @mypermissionnotice{} @end ifinfo @iftex @shorttitlepage The `KSBA' Reference Manual @titlepage @center @titlefont{The `KSBA'} @sp 1 @center @titlefont{Reference Manual} @sp 6 @center Edition @value{EDITION} @sp 1 @center last updated @value{UPDATED} @sp 1 @center for version @value{VERSION} @sp 1 @author by Werner Koch, g10 Code GmbH @email{wk@@gnupg.org} @page @vskip 0pt plus 1filll @mycopyrightnotice{} @sp 1 @mypermissionnotice{} @end titlepage @summarycontents @contents @page @end iftex @ifnottex @node Top @top Main Menu This is edition @value{EDITION}, last updated @value{UPDATED}, of @cite{The KSBA Reference Manual}, for Version @value{VERSION} of the @acronym{KSBA} library. @sp 1 @mycopyrightnotice{} @sp 1 @mypermissionnotice{} @sp 1 @end ifnottex @menu * Introduction:: How to use this manual. * Preparation:: What you should do before using the library. * Certificate Handling:: How to work with X.509 certificates. * CMS:: How to work with CMS (PKCS#7) messages. * CRLs:: How to work with Certificate Revocation Lists. * PKCS10:: How to request certificates. * Utilities:: Various utility functions. * Error Handling:: Error numbers and their meanings. Appendices * Component Labels:: Labels used in string representations. * Copying:: The GNU General Public License says how you can copy and share this manual. Indices * Concept Index:: Index of concepts and programs. * Function and Data Index:: Index of functions, variables and data types. @detailmenu --- The Detailed Node Listing --- Introduction * Getting Started:: * Features:: * Overview:: Preparation * Header:: * Building the source:: Certificate Handling * Creating certificates:: How to create a certificate object. * Retrieving attributes:: How to get the attributes of a certificate. * Setting attributes:: How to set certificates attributes. * User data:: How to associate other data with a certificate. Mastering the Cryptographic Message Syntax * CMS Basics:: * CMS Parser:: @end detailmenu @end menu @node Introduction @chapter Introduction @acronym{KSBA} is a library to make the task of working with X.509 certificates, CMS data and related data more easy. @menu * Getting Started:: * Features:: * Overview:: @end menu @node Getting Started @section Getting Started This manual documents the `KSBA' library programming interface. All functions and data types provided by the library are explained. The reader is assumed to possess basic knowledge about the implemented protocols. This manual can be used in several ways. If read from the beginning to the end, it gives a good introduction into the library and how it can be used in an application. Forward references are included where necessary. Later on, the manual can be used as a reference manual to get just the information needed about any particular interface of the library. Experienced programmers might want to start looking at the examples at the end of the manual, and then only read up those parts of the interface which are unclear. @node Features @section Features `KSBA' has a couple of advantages over other libraries doing a similar job, and over open coding the protocols in your application directly. @table @asis @item It's Free Software Anybody can use, modify, and redistribute it under the terms of the GNU General Public License (@pxref{Copying}). @item It hides the low level stuff `KSBA' a high level interface to the implemented protocols and presents the data in a consistent way. There is no more need to worry about all the nasty details of the protocols. The API gives the C programmer a more usual way of interacting with the data. @item It copes with the version details X.509 protocols tend to have many different versions and dialects. Applications must usually cope with all of this and it has to be coded over and over again. `KSBA' hides this by providing just one API which does the Right Thing. Support for new versions and features of the protocols will be added over time. @end table @node Overview @section Overview @c [Needs more stuff] The `KSBA' library is thread-safe as long as objects described by one context are only used by one thread at a time. No initialization is required. @node Preparation @chapter Preparation To use `KSBA', you have to perform some changes to your sources and the build system. The necessary changes are small and explained in the following sections. At the end of this chapter, it is described how the library is initialized, and how the requirements of the library are verified. @menu * Header:: * Version Check:: * Building the source:: @end menu @node Header @section Header All interfaces (data types and functions) of the library are defined in the header file @file{ksba.h}. You must include this in all programs using the library, either directly or through some other header file, like this: @smallexample #include @end smallexample The name space of `KSBA' is @code{ksba_*} for function names, @code{ksba*} for data types and @code{KSBA_*} for other symbols. In addition the same name prefixes with one prepended underscore are reserved for internal use and should never be used by an application. @node Version Check @section Version Check It is often desirable to check that the version of `KSBA' used is indeed one which fits all requirements. Even with binary compatibility, new features may have been introduced but through peculiarities of the runtime linker an old version gets actually used. So you better check that the version is as expected right after program startup. @deftypefun {const char *} ksba_check_version (@w{const char *@var{req_version}}) Check that the the version of the library is at minimum the one given as a string in @var{req_version} and return the actual version string of the library; return @code{NULL} if the condition is not met. If @code{NULL} is passed to this function, no check is done and only the version string is returned. It is a pretty good idea to run this function as soon as possible, because it may also initializes some subsystems. In a multi-threaded environment if should be called before any more threads are created. @end deftypefun @node Building the source @section Building the source If you want to compile a source file including the @file{ksba.h} header file, you must make sure that the compiler can find it in the directory hierarchy. This is accomplished by adding the path to the directory in which the header file is located to the compiler's include file search path (via the @option{-I} option). However, the path to the include file is determined at the time the -source is configured. To solve this problem, `KSBA' ships with a small -helper program @command{ksba-config} that knows about the path to the -include file and other configuration options. The options that need to -be added to the compiler invocation at compile time are output by the -@option{--cflags} option of @command{ksba-config}. The following +source is configured. To solve this problem, `KSBA' ships with +@code{ksba.pc} file, that knows about the path to the include file and +other configuration options. The options that need to be added to the +compiler invocation at compile time are output by the +@option{--cflags} option of @command{pkg-config ksba}. The following example shows how it can be used at the command line: @example -gcc -c foo.c `ksba-config --cflags` +gcc -c foo.c `pkg-config --cflags ksba` @end example -Adding the output of @samp{ksba-config --cflags} to the compiler's +Adding the output of @samp{pkg-config --cflags ksba} to the compiler's command line will ensure that the compiler can find the @file{ksba.h} header file. A similar problem occurs when linking the program with the library. Again, the compiler has to find the library files. For this to work, the path to the library files has to be added to the library search path (via the @option{-L} option). For this, the option @option{--libs} of -@command{ksba-config} can be used. For convenience, this option also +@command{pkg-config ksba} can be used. For convenience, this option also outputs all other options that are required to link the program with the `KSBA' libraries (in particular, the @samp{-lksba} option). The example shows how to link @file{foo.o} with the `KSBA' libraries to a program @command{foo}. @example -gcc -o foo foo.o `ksba-config --libs` +gcc -o foo foo.o `pkg-config --libs ksba` @end example Of course you can also combine both examples to a single command by -specifying both options to @command{ksba-config}: +specifying both options to @command{pkg-config ksba}: @example -gcc -o foo foo.c `ksba-config --cflags --libs` +gcc -o foo foo.c `pkg-config --cflags --libs ksba` @end example @node Certificate Handling @chapter How to work with X.509 certificates. One of the most complex data formats are the X.509 certificates. @acronym{KSBA} provides an easy to use interface to handle them. @deftp {Data type} ksba_cert_t The @code{ksba_cert_t} type is a handle for an X.509 certificate. @end deftp @deftp {Data type} ksba_sexp_t The @code{ksba_sexp_t} type describes a canonically encoded S-expression stored in a memory buffer. It is alias for @code{unsigned char *}. Note that a length argument is not required because the length of such an S-expression is intrinsically available. @end deftp @menu * Creating certificates:: How to create a certificate object. * Retrieving attributes:: How to get the attributes of a certificate. * Setting attributes:: How to set certificates attributes. * User data:: How to associate other data with a certificate. @end menu @node Creating certificates @section How to create a certificate object This section explains how to create a certificate object, initialize it, copy it and eventually destroy it. @deftypefun ksba_cert_t ksba_cert_new (void) The function @code{ksba_cert_new} creates a new certificate object and returns a handle for it. The certificate object has initially one reference. The only reason why this function may fail is an out-of-memory condition in which case @code{NULL} is returned. You might then get the actual error code using @samp{gpg_error_from_errno (errno)}. @end deftypefun @deftypefun void ksba_cert_ref (@w{ksba_cert_t @var{cert}}) The function @code{ksba_cert_ref} bumps the reference counter of the certificate object up by one. Thus an extra @code{ksba_cert_release} is required to actually release the memory used for the object. @end deftypefun @deftypefun void ksba_cert_release (@w{ksba_cert_t @var{cert}}) The function @code{ksba_cert_release} reduces the number of references to the certificate object with the handle @var{cert}. If this was the last reference, it will also destroy the object and releases all associated resources. It is okay to pass @code{NULL} to the function in which case nothing happens. @end deftypefun @deftypefun gpg_error_t ksba_cert_read_der (@w{ksba_cert_t @var{cert}}, @w{ksba_reader_t @var{reader}}) Read the next certificate from the @var{reader} object and store it in the certificate object @var{cert} for future access. The certificate is parsed and rejected if it has any syntactical or semantical error (i.e. does not match the @acronym{ASN.1} description). The function returns @code{0} if the operation was successfully performed. An error code is returned on failure. @end deftypefun @deftypefun gpg_error_t ksba_cert_init_from_mem (@w{ksba_cert_t @var{cert}}, @w{const void *@var{buffer}}, @w{size_t @var{length}}) Parse the @var{buffer} which should contain a @acronym{DER} encoded certificate of @var{length} and initialize the certificate object @var{cert} with it. This function is intended as a convenience function to be used when a certificate is already available in a internal memory buffer. This avoids the extra code needed to setup the reader object. Note that @var{cert} must be a valid certificate object. The function returns @code{0} if the operation was successfully performed. An error code is returned on failure. @end deftypefun @node Retrieving attributes @section How to get the attributes of a certificate The functions in this section allow accessing the attributes of a certificate in a well defined manner. An error will be returned if the certificate object has not yet been initialized by means of @code{ksba_cert_read_der} or @code{ksba_cert_init_from_mem}. @deftypefun {const unsigned char *} ksba_cert_get_image (@w{ksba_cert_t @var{cert}}, @w{size_t *@var{r_length}}) This function returns a pointer to the @acronym{DER} encoded buffer with the raw certificate. The length of that buffer gets stored at @var{r_length}. This function is useful to export or store the raw certificate. The function returns @code{NULL} on error or a pointer to a buffer with the raw certificate data. That pointer is only valid as long as the certificate object @var{cert} is valid and has not been reinitialized. @end deftypefun @deftypefun gpg_error_t ksba_cert_hash (@w{ksba_cert_t @var{cert}}, @w{int @var{what}}, @w{void (*@var{hasher})(void *, const void *, size_t length)}, @w{void *@var{hasher_arg}}) This function feeds the data which is expected to be hashed into the supplied function @var{hasher}, where the first argument passed is @var{hasher_arg}, the second the pointer to the data to be hashed and the third the length of this data. The function returns @code{0} on success or an error code when something goes wrong. The @var{hasher} function is not expected to return an error; instead the caller should setup that function in a way to convey encountered errors by means of the @var{hasher_arg}. Note that a hash function is in general not expected to yield errors anyway. @end deftypefun @deftypefun {const char *} ksba_cert_get_digest_algo (@w{ksba_cert_t @var{cert}}) Figure out the the digest algorithm used for the signature and return its @acronym{OID} in dotted decimal format. This function is most likely used to setup the hash context before calling @code{ksba_cert_hash}. For some certificate types the returned OID has a special meaning: @table @code @item 1.2.840.113549.1.1.10 This indicates the RSASSA-PSS algorithm. The digest algorithm needs to be extracted from the S-expression returned by @code{ksba_cert_get_sig_val}. @item 1.3.101.112 This is the Ed25519 algorithm which does not use a separate digest algorithm. See RFC-8410. @item 1.3.101.113 This is the Ed448 algorithm which does not use a separate digest algorithm. See RFC-8410. @end table The function returns @code{NULL} for an error; on success a constant string with the @acronym{OID} is returned. This string is valid as long the certificate object is valid. @end deftypefun @deftypefun ksba_sexp_t ksba_cert_get_serial (@w{ksba_cert_t @var{cert}}) The function returns the serial number of the certificate @var{cert}. The serial number is an integer returned as an canonical encoded S-expression with just one element. The caller must free the returned value. The value @code{NULL} is returned in case of error. @end deftypefun @deftypefun {char *} ksba_cert_get_issuer (@w{ksba_cert_t @var{cert}, int @var{idx}}) With @var{idx} given as @code{0}, this function returns the Distinguished Name (@acronym{DN}) of the certificate issuer; this usually is the name of a certification authority (@acronym{CA}). The format of the returned string is in accordance with RFC-2253. @code{NULL} is returned if the @acronym{DN} is not available; This is a severe error and actually should have been caught by the certificate reading function. With @var{idx} greater than zero, the function may be used to enumerate alternate issuer names. The function returns @code{NULL} when there are no more alternate names. Only alternate names recognized by @code{libksba} are returned, others are simply skipped. The format of the returned name is either a RFC-2253 formated string which can be detected by checking whether the first character is a letter or digit. RFC-822 conformant email addresses are returned enclosed in angle brackets; the opening angle bracket should be used to detect this. Other formats are returned as an S-Expression in canonical format, so a opening parenthesis should be used to detect this encoding. The name may include binary null characters, thus strlen may return a length shorter than actually used. The real length is implicitly given by the structure of the S-expression, an extra null is appended for safety reasons. The caller must free the returned string using @code{ksba_free} or whatever function has been registered as a replacement. @end deftypefun @deftypefun {char *} ksba_cert_get_subject (@w{ksba_cert_t @var{cert}, int @var{idx}}) With @var{idx} given as @code{0}, this function returns the Distinguished Name (@acronym{DN}) of the certificate's subject. The format of the returned string is in accordance with RFC-2253. @code{NULL} is returned if the @acronym{DN} is not available. With @var{idx} greater than zero, the function may be used to enumerate alternate subject names. The function returns @code{NULL} when there are no more alternate names. Only alternate names recognized by @code{libksba} are returned, others are simply skipped. The format of the returned name is either a RFC-2253 formated string which can be detected by checking whether the first character is a letter or digit. RFC-2822 conform email addresses are returned enclosed in angle brackets; the opening angle bracket should be used to detect this. Other formats are returned as an S-Expression in canonical format, so a opening parenthesis should be used to detect this encoding, the name may include binary null characters, thus strlen may return a length shorter than actually used. The real length is implicitly given by the structure of the S-expression, an extra null is appended for safety reasons. The caller must free the returned string using @code{ksba_free} or whatever function has been registered as a replacement. @end deftypefun @deftp {Data type} ksba_isotime_t Due to problems with the C data type @code{time_t}, which will overflow on most 32 bit machines in the year 2038, it was not advisable to use this type for referencing times stored in certificates. Instead, you should use the @code{ksba_isotime_t} type, which can represent any time since the year 0. It is implemented as a buffer of 16 bytes and may be handled like a standard string. It should be initialized to zero (i.e. the first byte needs to be 0x00) if it does not hold a valid date. Date values themselves are stored in ISO format and assumed to be referenced from UTC. The string with the date value is always guaranteed to be of length 15 and having a format like: @samp{"19610711T172059"}. Note that the `T' is required by ISO rules. A simple assignment of these data types is not a good idea. You may use @code{strcpy} or better a specialized function like: @example void copy_time (ksba_isotime_t d, const ksba_isotime_t s) @{ if (!*s) memset (d, 0, 16); else strcpy (d, s); @} @end example For reasons of documentation a special function should also be used to compare such times: @example int cmp_time (const ksba_isotime_t a, const ksba_isotime_t b) @{ return strcmp (a, b); @} @end example @end deftp @deftypefun gpg_error_t ksba_cert_get_validity (@w{ksba_cert_t @var{cert}, int @var{what}, ksba_isotime_t @var{timebuf}}) Return the validity dates from the certificate. If no value is available an empty date object (i.e. a @code{strlen} will be stored at @var{timebuf}, otherwise it will receive the date. On failure an error code is returned. To return the `notBefore' date, the value @code{0} must be supplied for @var{what}; @code{1} yields the `notAfter' value. @end deftypefun @deftypefun ksba_sexp_t ksba_cert_get_public_key (@w{ksba_cert_t @var{cert}}) @c {{{{ CONTINUE HERE }}}}}} @c !FIXME! [This needs to get written - for now please see libksba/src/cert.c] @end deftypefun @deftypefun ksba_sexp_t ksba_cert_get_sig_val (ksba_cert_t @var{cert}) @c !FIXME! [This needs to get written - for now please see libksba/src/cert.c] @end deftypefun @deftypefun gpg_error_t ksba_cert_get_extension (@w{ksba_cert_t @var{cert}, int @var{idx}, char const **@var{r_oid}, int *@var{r_crit}, size_t *@var{r_deroff}, size_t *@var{r_derlen}}) @c !FIXME! [This needs to get written - for now please see libksba/src/cert.c] @end deftypefun @deftypefun gpg_error_t ksba_cert_is_ca (@w{ksba_cert_t @var{cert}, int *@var{r_ca}, int *@var{r_pathlen}}) Return information on the basicConstraint (2.5.19.19) of CERT. R_CA receives true if this is a CA and only in that case R_PATHLEN is set to the maximum certification path length or -1 if there is no such limitation @end deftypefun @deftypefun gpg_error_t ksba_cert_get_key_usage (@w{ksba_cert_t @var{cert}, unsigned int *@var{r_flags}}) Get the key usage flags. The function returns @code{GPG_ERR_NO_DATA} if no key usage is specified. The usage flags are as shown in RFC3280, section 4.2.1.3. The key usage flags are represented by a bitmask, and you can test each bit using symbolic constants, which tells you if that usage is set on the certificate. The constants are @table @code @item KSBA_KEYUSAGE_DIGITAL_SIGNATURE Usable for digitalSignature. @item KSBA_KEYUSAGE_NON_REPUDIATION Usable for nonRepudiation. @item KSBA_KEYUSAGE_KEY_ENCIPHERMENT Usable for keyEncipherment. @item KSBA_KEYUSAGE_DATA_ENCIPHERMENT Usable for dataEncipherment. @item KSBA_KEYUSAGE_KEY_AGREEMENT Usable for for keyAgreement. @item KSBA_KEYUSAGE_KEY_CERT_SIGN Usable for keyCertSign. @item KSBA_KEYUSAGE_CRL_SIGN Usable for cRLSign. @item KSBA_KEYUSAGE_ENCIPHER_ONLY Usable for encipherOnly. @item KSBA_KEYUSAGE_DECIPHER_ONLY Usable for decipherOnly. @end table These are the basic constraints on usage of a certificate. If you need to get additional constraints, see @code{ksba_cert_get_ext_key_usages}. @end deftypefun @deftypefun gpg_error_t ksba_cert_get_ext_key_usages (@w{ksba_cert_t @var{cert}, char **@var{result}}) Return a string containing the extended usages for the certificate, delimited by linefeeds. @end deftypefun @deftypefun gpg_error_t ksba_cert_get_cert_policies (@w{ksba_cert_t @var{cert}, char **@var{r_policies}}) Return a string with the certificatePolicies delimited by linefeeds. The return values may be extended to carry more information per line, so the caller should only use the first white-space delimited token per line. The function returns @code{GPG_ERR_NO_DATA} when this extension is not used. Caller must free the returned value. @end deftypefun @deftypefun gpg_error_t ksba_cert_get_crl_dist_point (@w{ksba_cert_t @var{cert}, int @var{idx}, ksba_name_t *@var{r_distpoint}, ksba_name_t *@var{r_issuer}, unsigned int *@var{r_reason}}) Return the CRLDistPoints given in the certificate extension of certificate @var{cert}. @var{idx} should be iterated starting from 0 until the function returns @code{GPG_ERR_EOF}. @var{r_distpoint} returns a ksba_name_t object with the distribution point name(s); the return value may be @code{NULL} to indicate that this name is not available. @var{r_issuer} returns the CRL issuer; if the returned value is @code{NULL} the caller should assume that the CRL issuer is the same as the certificate issuer. @var{r_reason} returns the reason for the CRL. This is a bit encoded value with no bit set if no reason has been specified in the certificate. The caller may pass @code{NULL} to any of the pointer arguments if he is not interested in this value. The return values for @var{r_distpoint} and @var{r_issuer} must be released by the caller using @code{ksba_name_release}. @end deftypefun @deftypefun gpg_error_t ksba_cert_get_subj_key_id (@w{ksba_cert_t @var{cert}, int *@var{r_crit}, ksba_sexp_t *@var{r_keyid}}) Return the subjectKeyIdentifier extension as a simple allocated S-expression at the address of @var{r_keyid}. 0 is returned on success, @code{GPG_ERR_NO_DATA} if no such extension is available or any other error code. If @var{r_crit} is not passed as @code{NULL}, the critical flag of this is extension is stored at this address. @end deftypefun @deftypefun gpg_error_t ksba_cert_get_auth_key_id (@w{ksba_cert_t @var{cert}, ksba_sexp_t *@var{r_keyid}, ksba_name_t *@var{r_name}, ksba_sexp_t *@var{r_serial}}) Return the authorityKeyIdentifier in @var{r_name} and @var{r_serial} or in @var{r_keyid}. @code{GPG_ERR_NO_DATA} is returned if no authorityKeyIdentifier has been found. This error code is also returned if @var{r_keyid} has been given as NULL and only an authorityKeyIdentifier with the keyIdentifier method is available. @end deftypefun @deftypefun gpg_error_t ksba_cert_get_authority_info_access (@w{ksba_cert_t @var{cert}, int @var{idx}, char **@var{r_method}, ksba_name_t *@var{r_location}}) Return the authorityInfoAccess attributes. @var{idx} should be iterated starting from 0 until this function returns @code{GPG_ERR_EOF}. @var{r_method} returns an allocated string with the OID of one item and @var{r_location} returns the GeneralName for that OID. The returned values for @var{r_method} and @var{r_location} must be released by the caller unless the function returned an error; the function will however make sure that @var{r_method} and @var{r_location} will point to @code{NULL} if the function returns an error. See RFC-2459, section 4.2.2.1 for the definition of this attribute. @end deftypefun @deftypefun gpg_error_t ksba_cert_get_subject_info_access (@w{ksba_cert_t @var{cert}, int @var{idx}, char **@var{r_method}, ksba_name_t *@var{r_location}}) Return the subjectInfoAccess attributes. @var{idx} should be iterated starting from 0 until this function returns @code{GPG_ERR_EOF}. @var{r_method} returns an allocated string with the OID of one item and @var{r_location} returns the GeneralName for that OID. The returned values for @var{r_method} and @var{r_location} must be released by the caller unless the function returned an error; the function will however make sure that @var{r_method} and @var{r_location} will point to @code{NULL} if the function returns an error. See RFC-2459, section 4.2.2.2 for the definition of this attribute. @end deftypefun @node Setting attributes @section How to set certificate attributes [This needs to be written. For example code see newpg/sm/sign.c] @node User data @section How to associate other data with a certificate. Certificate objects play a central role in many applications and often it is desirable to associate other data with the certificate to avoid wrapping the certificate object into an own object. `KSBA' provides a mechanism for this by means of two functions: @deftypefun gpg_error_t ksba_cert_set_user_data (@w{ksba_cert_t @var{cert}, const char *@var{key}, const void *@var{data}, size_t @var{datalen}}) Stores arbitrary data along with a certificate. The data is expected in the buffer @var{data} of length @var{datalen}. It will be stored under the string @var{key}. If data is already stored under this key it will be replaced by the new data. Using @code{NULL} for @var{data} will effectively delete the data. On error (i.e. out of memory) an already existing data object stored under @var{key} may get deleted. @strong{Caution:} This function is definitely not thread safe because we don't employ any locking mechanisms. @end deftypefun @deftypefun gpg_error_t ksba_cert_get_user_data (@w{ksba_cert_t @var{cert},} @w{const char *@var{key},} @w{void *@var{buffer},} @w{size_t @var{bufferlen},} @w{size_t *@var{datalen}}) Return user data for certificate @var{cert} stored under the string @var{key}. The caller needs to provide a suitable large @var{buffer} and the usable length of this buffer in @var{bufferlen}. If @var{datalen} is not @code{NULL}, the length of the data stored in @var{buffer} will be stored there. If @var{buffer} is given as @code{NULL}, @var{bufferlen} will be ignored and the required length of the buffer will be returned at @var{datalen}. On success 0 is returned. If no data is stored under the given key, @code{GPG_ERR_NOT_FOUND} is returned. If the provided buffer is too short and @var{buffer} is not @code{NULL}, @code{GPG_ERR_BUFFER_TOO_SHORT} will be returned. @end deftypefun @node CMS @chapter Mastering the Cryptographic Message Syntax The @acronym{CMS} is also known under the name PKCS#7. Is is a cryptographic framework for securing data transactions and storage, much like OpenPGP. It is heavily based on X.509 semantics and for example used with the email encryption protocol S/MIME. @menu * CMS Basics:: * CMS Parser:: @end menu @node CMS Basics @section CMS Basics All operations with the CMS framework require the use of a so called CMS object which is internally used to keep track of the current state and to store some meta information. @deftp {Data type} ksba_cms_t The @code{ksba_cms_t} type is used for this CMS object. @end deftp @deftp {Data type} ksba_stop_reason_t The @code{ksba_stop_reason_t} type is an enumeration used for communication between the phases of a parsing or building process. @end deftp @deftypefun ksba_cms_t ksba_cms_new (void) This function creates a new CMS object. The only reason the function may fail is an out-of-memory condition in which case @code{NULL} is returned. It is safe for the caller to translate this to the standard error code @code{GPG_ERR_ENOMEM}. Any object created with this function should be released after use by using @code{ksba_cms_release}. @end deftypefun @deftypefun void ksba_cms_release (@w{ksba_cms_t @var{cms}}) Release all resources associated with the @var{CMS} object. It is perfectly okay to pass @code{NULL} to this function in which case nothing happens. @end deftypefun @deftypefun gpg_error_t ksba_cms_set_reader_writer (@w{ksba_cms_t @var{cms}, ksba_reader_t @var{r}, ksba_writer_t @var{w}}) About all usages of the CMS framework require some input and output data (great surprise!). To accomplish this in the most abstract way, no direct output functions are used - instead special reader and writer objects are used instead. Depending on the desired operations either a reader, a writer or both must be given. Associate a reader object with @var{cms} by passing it as @var{r} and a writer object by passing it as @var{w}. Note that no reference counting is done,so make sure that those objects have a lifetime at least as long as @var{CMS}. If you forget to set these objects, you will get an appropriate error later when data is actually to be read or written. The function returns zero on success or an error code when invalid objects are passed. @end deftypefun @node CMS Parser @section CMS Parser @acronym{KSBA} includes a versatile CMS parser for encryption (enveloped data) and digital signing. The parser is capable of handling arbitrary amounts of data without requiring much memory. Well, certain objects are build in memory because it can be assumed that those objects are limited in size; e.g. it does not make sense to use a video clip as the @acronym{DN} despite the fact that the standard does not forbid it. @deftypefun gpg_error_t ksba_cms_parse (@w{ksba_cms_t @var{cms}, ksba_stop_reason_t *@var{r_stopreason}}) This is the core function of the parser and commonly used in a loop. The parsing process is divided into several phases to allow the user to get information at the right time and prepare for further processing. The caller has to act on certain stop reasons which are returned by @var{r_stopreason} and set up things accordingly; @acronym{KSBA} may introduce new stop reasons to let the caller know other details; there is no need for the caller to act on every stop reason; it should only do so for reasons that the caller understands and which are mandatory. The function will return with an error if the caller did not setup things correctly for certain stop reasons. @end deftypefun The use of this function is best explained by an example, leaving out all error checking. @example do @{ ksba_cms_parse (cms, &stopreason); if (stopreason == KSBA_SR_BEGIN_DATA) @{ get_recipients (); decrypt_session_key (); setup_bulk_decryption (); @} else if (stopreason == KSBA_SR_END_DATA) @{ remove_padding (); @} @} while (stopreason != KSBA_SR_READY); @end example This function assumes that the parsed data is so called `enveloped data'. @c FIXME: Reference to a list of stop reasons used here. As @acronym{CMS} provides a common framework for a variety of data formats, it is probably very useful to check the type of that data very early. This can be accomplished by hooking into the stop reason @code{KSBA_SR_GOT_CONTENT} and retrieving the content using the following function. @deftypefun ksba_content_t ksba_cms_get_content_type (@w{ksba_cms_t @var{cms}, int @var{what}}) By using a value of @code{0} for @var{what} this function returns the content type of the outer container; using @code{1} does return the content type of the enclosed object. @deftp {Data type} ksba_content_t The @code{ksba_content_t} type is an enumeration used to describe the content of a CMS message. Here is a list of possible values: @table @code @item KSBA_CT_NONE No content type known (value @code{0}) @item KSBA_CT_DATA The content is plain data, not further interpreted. @item KSBA_CT_SIGNED_DATA The content is an signed CMS object. This also includes the case of a detached signature where no actual data is included in the message. @item KSBA_CT_ENVELOPED_DATA The content is encrypted using a session key. @item KSBA_CT_DIGESTED_DATA Not yet supported @item KSBA_CT_ENCRYPTED_DATA Not yet supported @item KSBA_CT_AUTH_DATA Not yet supported @end table @end deftp @end deftypefun @deftypefun {const char *} ksba_cms_get_content_oid (@w{ksba_cms_t @var{cms}, int @var{what}}) Return the object ID of @var{cms}. This is a constant string valid as long as the context is valid and no new parse is started. This function is similar to @code{ksba_cms_get_content_type} but returns the @acronym{OID} actually used in the data. Depending on the value of @var{what} different values are returned: Using a value of @code{0} yields the OID of the outer container, a value of @code{1} yields the OID of the inner container if available and the value @code{2} returns the OID of the algorithm used to encrypt the inner container. @end deftypefun @node CRLs @chapter Certification Revocation Lists KSBA also comes with an API to process certification revocation lists. The API is similar to the @acronym{CMS} one but returns the contents entry by entry. @node PKCS10 @chapter Certification Requests When using decentral generated keys, it is necessary to send out special formated messages so that a CA can generate the certificate. @node Utilities @chapter Utilities A few utility function and objects are available. Some of them must be used to support some of the main functions. @menu * Names:: General Names object * OIDs:: Object Identifier helpers * DNs:: Distinguished Name helpers @end menu @node Names @section General Names object This is an object to handle some of the names used in X.509. We need this object approach because those names may come as a set and there is no other clean way to access them. @deftp {Data type} ksba_name_t The @code{ksba_name_t} type is an object to represent names sets. @end deftp @deftypefun void ksba_name_release (@w{ksba_name_t @var{name}}) This function releases the object @var{name}. Passing @code{NULL} is allowed. @end deftypefun @deftypefun {const char *} ksba_name_enum (@w{ksba_name_t @var{name}, int @var{idx}}) By iterating @var{idx} up starting with 0, this function returns all General Names stored in @var{name}. The format of the returned name is either a RFC-2253 formated one which can be detected by checking whether the first character is letter or a digit. RFC 2822 conformant email addresses are returned enclosed in angle brackets, the opening angle bracket should be used to detect this. Other formats are returned as an S-Expression in canonical format, so an opening parenthesis may be used to detect this encoding, in this case the name may include binary null characters, so strlen might return a length shorter than actually used, the real length is implicitly given by the structure of the S-Exp, an extra null is appended for safety reasons. One common format return is a Universal Resource Identifier which has the S-expression: @samp{(uri )}. The returned string has the same lifetime as @var{name}. @end deftypefun @deftypefun {char *} ksba_name_get_uri (@w{ksba_name_t @var{name}, int @var{idx}}) Convenience function to return names representing an URI. Caller must free the returned value. Note that this function should not be used to enumerate the names. Here is an example on how you can use this function to enumerate all @acronym{URI}s: @example void print_names (ksba_name_t name) @{ int idx; const char *s; for (idx=0; (s = ksba_name_enum (name, idx)); idx++) @{ char *p = ksba_name_get_uri (name, idx); if (p) @{ puts (p); ksba_free (p); @} @} @} @end example @end deftypefun @node OIDs @section Object Identifier helpers @c !FIXME! [This needs to get written - for now please see libksba/src/oids.c] @node DNs @section Distinguished Name helpers These are helper functions for the so called distinguished names. They are used for example as the issuer and subject name. @deftypefun gpg_error_t ksba_dn_teststr (@w{const char *@var{string}}, @w{int @var{seq}}, @w{size_t *@var{rerroff}}, @w{size_t *@var{rerrlen}}) Assuming that @var{string} contains an RFC-2253 encoded string, test whether this string may be passed as a valid DN to libksba. On success the functions returns @code{0}. On error the function returns an error code and stores the offset of the erroneous part at @var{rerroff}. @var{rerrlen} will then receive the length of the erroneous part. This function is mostly useful to test whether a certain component label is supported. @var{seq} should be passed as @code{0} for now. Any of @var{rerroff} and @var{rerrlen} may be passed as @var{NULL} if the caller is not interested at this value. @end deftypefun gpg_error_t ksba_dn_str2der (const char *string, void **rder, size_t *rderlen); gpg_error_t ksba_dn_der2str (const void *der, size_t derlen, char **r_string); @node Error Handling @chapter Error Handling Most functions in `KSBA' will return an error if they fail. For this reason, the application should always catch the error condition and take appropriate measures, for example by releasing the resources and passing the error up to the caller, or by displaying a descriptive message to the user and canceling the operation. Some error values do not indicate a system error or an error in the operation, but the reasonable result of an operation. For example, if you try to access optional attributes of a certificate that are not present, you get an appropriate error message. Some error values have specific meanings if returned by a specific function. Such cases are described in the documentation of those functions. All error codes are defined by the library @code{libgpg-error}. See there for ways to check the error values and print descriptive strings. Please be aware that you can't check directly against an error code but have to do it like this: @example err = ksba_foo (); if (gpg_err_code (err) == GPG_ERR_EOF) okay = 1; @end example The only exception is that success (i.e. no error) is defined to be @code{0}; thus you may directly test for success like: @example if (!ksba_foo ()) okay = 1; @end example @c The following table lists the error codes as used by this library. @c @c @table @code @c @c @end table @c @node Component Labels @appendix Component Labels RFC-2253 defines the following table with string representations of name components: @multitable {SERIALNUMBER} {organizationalUnit} {xxx} @item Label @tab Component @tab OID @item @item C @tab countryName @tab 2.5.4.6 @item CN @tab commonName @tab 2.5.4.3 @item DC @tab domainComponent @tab 0.9.2342.19200300.100.1.25 @item L @tab localityName @tab 2.5.4.7 @item O @tab organizationName @tab 2.5.4.10 @item OU @tab organizationalUnit @tab 2.5.4.11 @item ST @tab stateOrProvince @tab 2.5.4.8 @item STREET @tab streetAddress @tab 2.5.4.9 @item UID @tab userid @tab 0.9.2342.19200300.100.1.1 @end multitable They are used internally for converting a DN into its string representation; components not listed in this table will be represented by their OID. For the other direction, i.e. creating a DN from the string representation, KSBA recognizes the following extra labels: @multitable {SERIALNUMBER} {organizationalUnit} {xxx} @item Label @tab Component @tab OID @item @item ADDR @tab postalAddress @tab 2.5.4.16 @item BC @tab businessCategory @tab 2.5.4.15 @item D @tab description @tab 2.5.4.13 @item EMAIL @tab emailAddress @tab 1.2.840.113549.1.9.1 @item GN @tab givenName @tab 2.5.4.42 @item POSTALCODE @tab postalCode @tab 2.5.4.17 @item PSEUDO @tab pseudonym @tab 2.5.4.65 @item SERIALNUMBER @tab serialNumber @tab 2.5.4.5 @item SN @tab surname @tab 2.5.4.4 @item T @tab title @tab 2.5.4.12 @end multitable @include gpl.texi @node Concept Index @unnumbered Concept Index @printindex cp @node Function and Data Index @unnumbered Function and Data Index @printindex fn @bye Old Information which might not be correct anymore: --------------------------------------------------- KSBA provides these subsystems: * ASN.1 Parser (ksba_asn_*) KSBA provides a simple ASN.1 parser which can be used to read definitions directly from an ASN.1 module without the need of generating extra tables. For ease of maintenance it also comes with a tool to create static data structures to avoid that overhead and the need to include ASN.1 modules. The primary goal of this parser is to provide the ASN.1 syntax tree to be used by other library modules. * BER Decoder (ksba_ber_decoder_*) This is a decoder for the ASN.1 Basic Encoding Rules with a facility to detect valid DER encoding (DER is a subset of BER). By using thresholds and pre-registered callout function it is possible to work on indefinite length data stream and limiting the memory usage to a fixed upper bound. * BER Encoder (ksba_ber_encoder_*) This is the counterpart to the DER Decoder with the ability to restrict the encoding to DER. * Certificate Handling (ksba_cert_*) The main bulk of the provided functions are used to give a clean interface to X.509 certificates by translating X.509 data types to more standard data types. * CMS Handling (ksba_cms_*) The Cryptographic Message Syntax is the core data type for S/MIME and therefore KSBA provides an interface to parse and create these objects without the need to cope with ASN.1. * Reader and Writer (ksba_reader_*, ksba_writer_*) Abstraction objects to access memory areas, files or file descriptor.