Update v3 API

2026-05-30 14:42:36 +08:00 · 2022-02-23 18:59:41 +08:00
parent d5258bc761
commit f8310bcd72
33 changed files with 2446 additions and 1950 deletions
--- a/include/gmssl/cms.h
+++ b/include/gmssl/cms.h
@@ -1,4 +1,4 @@
-/*
+/*
 * Copyright (c) 2021 - 2021 The GmSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@@ -46,6 +46,12 @@
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 */

+/*
+References:
+  1. GM/T 0010-2012 SM2 Cryptography Message Syntax Specification
+  2. RFC 2315 PKCS #7 Cryptographic Message Syntax Version 1.5
+  3. RFC 5652 Cryptographic Message Syntax (CMS)
+*/

 #ifndef GMSSL_CMS_H
 #define GMSSL_CMS_H
@@ -62,379 +68,554 @@ extern "C" {
 #endif


+/*
+ContentType:
+	OID_cms_data
+	OID_cms_signed_data
+	OID_cms_enveloped_data
+	OID_cms_signed_and_enveloped_data
+	OID_cms_encrypted_data
+	OID_cms_key_agreement_info
+*/
+const char *cms_content_type_name(int oid);
+int cms_content_type_from_name(const char *name);
+int cms_content_type_to_der(int oid, uint8_t **out, size_t *outlen);
+int cms_content_type_from_der(int *oid, const uint8_t **in, size_t *inlen);

-enum {
-	CMS_version = 1,
-};
-
-typedef enum {
-	CMS_data 			= 1,
-	CMS_signed_data			= 2,
-	CMS_enveloped_data		= 3,
-	CMS_signed_and_enveloped_data	= 4,
-	CMS_encrypted_data		= 5,
-	CMS_key_agreement_info		= 6,
-} CMS_CONTENT_TYPE;
-
-
-
-
-
-
-int cms_data_print(FILE *fp, const uint8_t *a, size_t alen, int format, int indent);
-
-int cms_enced_content_info_to_der(int enc_algor, const uint8_t *enc_iv, size_t enc_iv_len,
-	int content_type, const uint8_t *enced_content, size_t enced_content_len,
-	const uint8_t *shared_info1, size_t shared_info1_len,
-	const uint8_t *shared_info2, size_t shared_info2_len,
+/*
+ContentInfo ::= SEQUENCE {
+	contentType	OBJECT IDENTIFIER,
+	content		[0] EXPLICIT ANY OPTIONAL }
+*/
+int cms_content_info_to_der(
+	int content_type,
+	const uint8_t *content, size_t content_len,
 	uint8_t **out, size_t *outlen);
-
-int cms_enced_content_info_from_der(int *content_type,
-	int *enc_algor, const uint8_t **enc_iv, size_t *enc_iv_len,
-	const uint8_t **enced_content, size_t *enced_content_len,
-	const uint8_t **shared_info1, size_t *shared_info1_len,
-	const uint8_t **shared_info2, size_t *shared_info2_len,
+int cms_content_info_from_der(
+	int *content_type,
+	const uint8_t **content, size_t *content_len, // 这里获得的是完整的TLV
 	const uint8_t **in, size_t *inlen);
+int cms_content_info_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen);

-int cms_enced_content_info_print(FILE *fp,
+/*
+Data ::= OCTET STRING
+*/
+#define cms_data_to_der(d,dlen,out,outlen) asn1_octet_string_to_der(d,dlen,out,outlen)
+#define cms_data_from_der(d,dlen,in,inlen) asn1_octet_string_from_der(d,dlen,in,inlen)
+#define cms_data_print(fp,fmt,ind,label,d,dlen) format_bytes(fp,fmt,ind,label,d,dlen)
+
+/*
+EncryptedContentInfo ::= SEQUENCE {
+	contentType			OBJECT IDENTIFIER,
+	contentEncryptionAlgorithm	AlgorithmIdentifier,
+	encryptedContent		[0] IMPLICIT OCTET STRING OPTIONAL,
+	sharedInfo1			[1] IMPLICIT OCTET STRING OPTIONAL,
+	sharedInfo2			[2] IMPLICIT OCTET STRING OPTIONAL }
+*/
+int cms_enced_content_info_to_der(
 	int content_type,
 	int enc_algor, const uint8_t *enc_iv, size_t enc_iv_len,
 	const uint8_t *enced_content, size_t enced_content_len,
 	const uint8_t *shared_info1, size_t shared_info1_len,
 	const uint8_t *shared_info2, size_t shared_info2_len,
-	int format, int indent);
-
-int cms_enced_content_info_encrypt_to_der(const SM4_KEY *sm4_key, const uint8_t iv[16],
-	int content_type, const uint8_t *content, size_t content_len,
-	const uint8_t *shared_info1, size_t shared_info1_len,
-	const uint8_t *shared_info2, size_t shared_info2_len,
 	uint8_t **out, size_t *outlen);
-
-int cms_enced_content_info_decrypt_from_der(const SM4_KEY *key,
-	int *content_type, uint8_t *content, size_t *content_len,
-	const uint8_t **shared_info1, size_t *shared_info1_len,
-	const uint8_t **shared_info2, size_t *shared_info2_len,
-	const uint8_t **in, size_t *inlen);
-
-int cms_encrypted_data_to_der(int enc_algor, const uint8_t *enc_iv, size_t enc_iv_len,
-	int content_type, const uint8_t *enced_content, size_t enced_content_len,
-	const uint8_t *shared_info1, size_t shared_info1_len,
-	const uint8_t *shared_info2, size_t shared_info2_len,
-	uint8_t **out, size_t *outlen);
-
-int cms_encrypted_data_from_der(int *content_type,
-	int *enc_algor, const uint8_t **enc_iv, size_t *enc_iv_len,
-	const uint8_t **enced_content, size_t *enced_content_len,
-	const uint8_t **shared_info1, size_t *shared_info1_len,
-	const uint8_t **shared_info2, size_t *shared_info2_len,
-	const uint8_t **in, size_t *inlen);
-
-int cms_encrypted_data_print(FILE *fp, const uint8_t *a, size_t alen, int format, int indent);
-
-int cms_encrypted_data_encrypt_to_der(const SM4_KEY *sm4_key, const uint8_t iv[16],
-	int content_type, const uint8_t *content, size_t content_len,
-	const uint8_t *shared_info1, size_t shared_info1_len,
-	const uint8_t *shared_info2, size_t shared_info2_len,
-	uint8_t **out, size_t *outlen);
-
-int cms_encrypted_data_decrypt_from_der(const SM4_KEY *key,
-	int *content_type, uint8_t *content, size_t *content_len,
-	const uint8_t **shared_info1, size_t *shared_info1_len,
-	const uint8_t **shared_info2, size_t *shared_info2_len,
-	const uint8_t **in, size_t *inlen);
-
-
-int cms_key_agreement_info_to_der(const SM2_KEY *pub_key, const X509_CERTIFICATE *cert,
-	const uint8_t *user_id, size_t user_id_len, uint8_t **out, size_t *outlen);
-
-int cms_key_agreement_info_from_der(SM2_KEY *pub_key, X509_CERTIFICATE *cert,
-	const uint8_t **user_id, size_t *user_id_len, const uint8_t **in, size_t *inlen);
-
-int cms_key_agreement_info_print(FILE *fp, const uint8_t *a, size_t alen, int format, int indent);
-
-
-int cms_issuer_and_serial_number_from_certificate(const X509_NAME **issuer,
-	const uint8_t **serial_number, size_t *serial_number_len,
-	const X509_CERTIFICATE *cert);
-
-int cms_public_key_from_certificate(const SM2_KEY **sm2_key,
-	const X509_CERTIFICATE *cert);
-
-int cms_issuer_and_serial_number_to_der(const X509_NAME *issuer,
-	const uint8_t *serial_number, size_t serial_number_len,
-	uint8_t **out, size_t *outlen);
-
-int cms_issuer_and_serial_number_from_der(X509_NAME *issuer,
-	const uint8_t **serial_number, size_t *serial_number_len,
-	const uint8_t **in, size_t *inlen);
-
-int cms_issuer_and_serial_number_print(FILE *fp,
-	const X509_NAME *issuer,
-	const uint8_t *serial_number, size_t serial_number_len,
-	int format, int indent);
-
-
-
-int cms_recipient_info_from_x509_certificate(
-	const SM2_KEY **key,
-	const X509_NAME **issuer,
-	const uint8_t **serial_number, size_t *serial_number_len,
-	const X509_CERTIFICATE *cert);
-
-int cms_recipient_info_to_der(const X509_NAME *issuer,
-	const uint8_t *serial_number, size_t serial_number_len,
-	const uint8_t *enced_key, size_t enced_key_len,
-	uint8_t **out, size_t *outlen);
-
-int cms_recipient_info_from_der(
-	int *version,
-	X509_NAME *issuer,
-	const uint8_t **serial_number, size_t *serial_number_len,
-	int *pke_algor, const uint8_t **params, size_t *paramslen,
-	const uint8_t **enced_key, size_t *enced_key_len,
-	const uint8_t **in, size_t *inlen);
-
-int cms_recipient_info_print(FILE *fp,
-	int version,
-	const X509_NAME *issuer, const uint8_t *serial_number, size_t serial_number_len,
-	int pke_algor, const uint8_t *params, size_t paramslen,
-	const uint8_t *enced_key, size_t enced_key_len,
-	int format, int indent);
-
-int cms_recipient_info_encrypt_to_der(const SM2_KEY *sm2_key,
-	const X509_NAME *issuer, const uint8_t *serial_number, size_t serial_number_len,
-	const uint8_t *key, size_t keylen,
-	uint8_t **out, size_t *outlen);
-
-int cms_recipient_info_decrypt_from_der(const SM2_KEY *sm2_key,
-	X509_NAME *issuer, const uint8_t **serial_number, size_t *serial_number_len,
-	uint8_t *key, size_t *keylen,
-	const uint8_t **in, size_t *inlen);
-
-
-int cms_enveloped_data_to_der(const uint8_t *rcpt_infos, size_t rcpt_infos_len,
-	int content_type,
-	int enc_algor,
-	const uint8_t *enc_iv, size_t enc_iv_len,
-	const uint8_t *enced_content, size_t enced_content_len,
-	const uint8_t *shared_info1, size_t shared_info1_len,
-	const uint8_t *shared_info2, size_t shared_info2_len,
-	const uint8_t **out, size_t *outlen);
-
-int cms_enveloped_data_from_der(const uint8_t **rcpt_infos, size_t *rcpt_infos_len,
+int cms_enced_content_info_from_der(
 	int *content_type,
 	int *enc_algor, const uint8_t **enc_iv, size_t *enc_iv_len,
 	const uint8_t **enced_content, size_t *enced_content_len,
 	const uint8_t **shared_info1, size_t *shared_info1_len,
 	const uint8_t **shared_info2, size_t *shared_info2_len,
 	const uint8_t **in, size_t *inlen);
+int cms_enced_content_info_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen);

-int cms_enveloped_data_print(FILE *fp, const uint8_t *a, size_t alen, int format, int indent);
+int cms_enced_content_info_encrypt_to_der(
+	int content_type,
+	int enc_algor, const uint8_t *iv, size_t ivlen,
+	const uint8_t *content, size_t content_len,
+	const uint8_t *shared_info1, size_t shared_info1_len,
+	const uint8_t *shared_info2, size_t shared_info2_len,
+	const uint8_t *key, size_t keylen,
+	uint8_t **out, size_t *outlen);
+int cms_enced_content_info_decrypt_from_der(
+	int *content_type,
+	int *enc_algor, const uint8_t **iv, size_t *ivlen,
+	uint8_t *content, size_t *content_len,
+	const uint8_t **shared_info1, size_t *shared_info1_len,
+	const uint8_t **shared_info2, size_t *shared_info2_len,
+	const uint8_t *key, size_t keylen,
+	const uint8_t **in, size_t *inlen);

-int cms_enveloped_data_encrypt_to_der(const X509_CERTIFICATE *rcpt_certs, size_t rcpt_count,
+/*
+EncryptedData ::= SEQUENCE {
+	version			INTEGER (1),
+	encryptedContentInfo	EncryptedContentInfo }
+*/
+int cms_encrypted_data_to_der(
+	int version,
+	int content_type,
+	int enc_algor, const uint8_t *iv, size_t ivlen,
+	const uint8_t *enced_content, size_t enced_content_len,
+	const uint8_t *shared_info1, size_t shared_info1_len,
+	const uint8_t *shared_info2, size_t shared_info2_len,
+	uint8_t **out, size_t *outlen);
+int cms_encrypted_data_from_der(
+	int *version,
+	int *content_type,
+	int *enc_algor, const uint8_t **iv, size_t *ivlen,
+	const uint8_t **enced_content, size_t *enced_content_len,
+	const uint8_t **shared_info1, size_t *shared_info1_len,
+	const uint8_t **shared_info2, size_t *shared_info2_len,
+	const uint8_t **in, size_t *inlen);
+int cms_encrypted_data_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen);
+
+int cms_encrypted_data_encrypt_to_der(
+	int content_type,
+	int enc_algor, const uint8_t *iv, size_t ivlen,
+	const uint8_t *content, size_t content_len,
+	const uint8_t *shared_info1, size_t shared_info1_len,
+	const uint8_t *shared_info2, size_t shared_info2_len,
+	const uint8_t *key, size_t keylen,
+	uint8_t **out, size_t *outlen);
+int cms_encrypted_data_decrypt_from_der(
+	int *content_type,
+	int *enc_algor, const uint8_t **iv, size_t *ivlen,
+	uint8_t *content, size_t *content_len,
+	const uint8_t **shared_info1, size_t *shared_info1_len,
+	const uint8_t **shared_info2, size_t *shared_info2_len,
+	const uint8_t *key, size_t keylen,
+	const uint8_t **in, size_t *inlen);
+
+/*
+IssuerAndSerialNumber ::= SEQUENCE {
+	isser		Name,
+	serialNumber	INTEGER }
+*/
+int cms_issuer_and_serial_number_to_der(
+	const uint8_t *issuer, size_t issuer_len,
+	const uint8_t *serial_number, size_t serial_number_len,
+	uint8_t **out, size_t *outlen);
+int cms_issuer_and_serial_number_from_der(
+	const uint8_t **issuer, size_t *issuer_len,
+	const uint8_t **serial_number, size_t *serial_number_len,
+	const uint8_t **in, size_t *inlen);
+int cms_issuer_and_serial_number_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen);
+
+/*
+SignerInfo ::= SEQUENCE {
+	version				INTEGER (1),
+	issuerAndSerialNumber		IssuerAndSerialNumber,
+	digestAlgorithm			AlgorithmIdentifier,
+	authenticatedAttributes		[0] IMPLICIT SET OF Attribute OPTINOAL,
+	digestEncryptionAlgorithm	AlgorithmIdentifier,
+	encryptedDigest			OCTET STRING,
+	unauthenticatedAttributes       [1] IMPLICIT SET OF Attribute OPTINOAL, }
+*/
+int cms_signer_info_to_der(
+	int version,
+	const uint8_t *issuer, size_t issuer_len,
+	const uint8_t *serial_number, size_t serial_number_len,
+	int digest_algor,
+	const uint8_t *authed_attrs, size_t authed_attrs_len,
+	int signature_algor,
+	const uint8_t *enced_digest, size_t enced_digest_len,
+	const uint8_t *unauthed_attrs, size_t unauthed_attrs_len,
+	uint8_t **out, size_t *outlen);
+int cms_signer_info_from_der(
+	int *version,
+	const uint8_t **issuer, size_t *issuer_len,
+	const uint8_t **serial_number, size_t *serial_number_len,
+	int *digest_algor,
+	const uint8_t **authed_attrs, size_t *authed_attrs_len,
+	int *signature_algor,
+	const uint8_t **enced_digest, size_t *enced_digest_len,
+	const uint8_t **unauthed_attrs, size_t *unauthed_attrs_len,
+	const uint8_t **in, size_t *inlen);
+int cms_signer_info_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen);
+
+int cms_signer_info_sign_to_der(
+	int version,
+	const uint8_t *issuer, size_t issuer_len,
+	const uint8_t *serial_number, size_t serial_number_len,
+	const uint8_t *authed_attrs, size_t authed_attrs_len,
+	const uint8_t *unauthed_attrs, size_t unauthed_attrs_len,
+	const SM3_CTX *sm3_ctx,
+	const SM2_KEY *sign_key, const char *signer_id, size_t signer_id_len,
+	uint8_t **out, size_t *outlen);
+int cms_signer_info_verify_from_der(
+	int *version,
+	const uint8_t **issuer, size_t *issuer_len,
+	const uint8_t **serial_number, size_t *serial_number_len,
+	int *digest_algor,
+	const uint8_t **authed_attrs, size_t *authed_attrs_len,
+	int *signature_algor,
+	const uint8_t **enced_digest, size_t *enced_digest_len,
+	const uint8_t **unauthed_attrs, size_t *unauthed_attrs_len,
+	const uint8_t *certs, size_t certslen,
+	const uint8_t **in, size_t *inlen);
+
+/*
+SignerInfos ::= SET OF SignerInfo;
+*/
+int cms_signer_infos_add_signer_info(
+	uint8_t *d, size_t *dlen, size_t maxlen,
+	int version,
+	const uint8_t *issuer, size_t issuer_len,
+	const uint8_t *serial_number, size_t serial_number_len,
+	const uint8_t *authed_attrs, size_t authed_attrs_len,
+	const uint8_t *unauthed_attrs, size_t unauthed_attrs_len,
+	const SM3_CTX *sm3_ctx,
+	const SM2_KEY *sign_key, const char *signer_id, size_t signer_id_len);
+
+#define cms_signer_infos_to_der(d,dlen,out,outlen) asn1_set_to_der(d,dlen,out,outlen)
+#define cms_signer_infos_from_der(d,dlen,in,inlen) asn1_set_from_der(d,dlen,in,inlen)
+int cms_signer_infos_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen);
+
+/*
+CertificateRevocationLists ::= SET OF CertificateRevocationList
+*/
+int cms_crls_add_crl(uint8_t *d, size_t *dlen, size_t maxlen, const uint8_t *crl, size_t crllen);
+#define cms_crls_to_der(d,dlen,out,outlen) asn1_set_to_der(d,dlen,out,outlen)
+#define cms_crls_from_der(d,dlen,in,inlen) asn1_set_from_der(d,dlen,in,inlen)
+int cms_crls_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen);
+
+/*
+ExtendedCertificateAndCertificate ::= CHOICE {
+	certificate		Certificate,
+	extendedCertificate	[0] IMPLICIT ExtendedCertificate }
+
+ExtendedCertificatesAndCertificates ::= SET OF
+	ExtendedCertificateOrCertificate
+
+ExtendedCertificate is supported in print, not in add/to/from
+*/
+int cms_extened_certs_add_cert(uint8_t *d, size_t *dlen, size_t maxlen, const uint8_t *cert, size_t certlen);
+#define cms_extened_certs_to_der(d,dlen,out,outlen) asn1_set_to_der(d,dlen,out,outlen)
+#define cms_extened_certs_from_der(d,dlen,in,inlen) asn1_set_from_der(d,dlen,in,inlen)
+int cms_extended_certs_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen);
+
+/*
+SignedData ::= SEQUENCE {
+	version			INTEGER (1),
+	digestAlgorithms	SET OF AlgorithmIdentifier,
+	contentInfo		ContentInfo,
+	certificates		[0] IMPLICIT SET OF Certificate OPTIONAL,
+	crls			[1] IMPLICIT SET OF CertificateRevocationList OPTIONAL,
+	signerInfos		SET OF SignerInfo }
+*/
+int cms_signed_data_to_der(
+	int version,
+	const int *digest_algors, const size_t digest_algors_cnt,
+	const int content_type, const uint8_t *content, const size_t content_len,
+	const uint8_t *certs, size_t certs_len,
+	const uint8_t *crls, const size_t crls_lens,
+	const uint8_t *signer_infos, size_t signer_infos_lens,
+	uint8_t **out, size_t *outlen);
+int cms_signed_data_from_der(
+	int *version,
+	const uint8_t *digest_algors, size_t *digest_algors_count, size_t max_digest_algors,
+	int *content_type, const uint8_t **content, size_t *content_len,
+	const uint8_t **certs, size_t *certs_len,
+	const uint8_t **crls, size_t *crls_len,
+cms_set_key_agreement_info	const uint8_t **signer_infos, size_t *signer_infos_len,
+	const uint8_t **in, size_t *inlen);
+int cms_signed_data_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen);
+
+
+typedef struct {
+	uint8_t *certs;
+	size_t certs_len;
+	SM2_KEY *sm2_key;
+	char *signer_id;
+	size_t signer_id_len;
+} CMS_CERT_AND_KEY;
+
+int cms_signed_data_sign_to_der(
+	int version,
+	int content_type, const uint8_t *content, size_t content_len,
+	const CMS_CERT_AND_KEY *signers, size_t signers_cnt,
+	const uint8_t *crls, size_t crls_len,
+	uint8_t **out, size_t *outlen);
+int cms_signed_data_verify_from_der(
+	int *version,
+	const uint8_t *digest_algors, size_t *digest_algors_cnt, size_t max_digest_algors,
+	int *content_type, const uint8_t **content, size_t *content_len,
+	const uint8_t **certs, size_t *certs_len,
+	const uint8_t **crls, size_t *crls_len,
+	const uint8_t **signer_infos, size_t *signer_infos_len,
+	const uint8_t *extra_certs, size_t extra_certs_len,
+	const uint8_t *extra_crls, size_t extra_crls_len,
+	const uint8_t **in, size_t *inlen);
+
+/*
+RecipientInfo ::= SEQUENCE {
+	version				INTEGER (1),
+	issuerAndSerialNumber		IssuerAndSerialNumber,
+	keyEncryptionAlgorithm		AlgorithmIdentifier,
+	encryptedKey			OCTET STRING -- DER-encoding of SM2Cipher
+}
+*/
+int cms_recipient_info_to_der(
+	int version,
+	const uint8_t *issuer, size_t issuer_len,
+	const uint8_t *serial_number, size_t serial_number_len,
+	int public_key_enc_algor,
+	const uint8_t *enced_key, size_t enced_key_len,
+	uint8_t **out, size_t *outlen);
+int cms_recipient_info_from_der(
+	int *version,
+	const uint8_t **issuer, size_t *issuer_len,
+	const uint8_t **serial_number, size_t *serial_number_len,
+	int *pke_algor, const uint8_t **params, size_t *paramslen,// SM2加密只使用SM3，没有默认参数，但是ECIES可能有
+	const uint8_t **enced_key, size_t *enced_key_len,
+	const uint8_t **in, size_t *inlen);
+int cms_recipient_info_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen);
+
+int cms_recipient_info_encrypt_to_der(
+	int version,
+	const uint8_t *issuer, size_t issuer_len,
+	const uint8_t *serial_number, size_t serial_number_len,
+	int public_key_enc_algor,
+	const uint8_t *in, size_t inlen,
+	const SM2_KEY *public_key,
+	uint8_t **out, size_t *outlen);
+int cms_recipient_info_decrypt_from_der(
+	int *version,
+	const uint8_t **issuer, size_t *issuer_len,
+	const uint8_t **serial_number, size_t *serial_number_len,
+	int *pke_algor, const uint8_t **params, size_t *paramslen,
+	const uint8_t **decrypted_key, size_t *decrypted_key_len,
+	const SM2_KEY *sm2_key,
+	const uint8_t **in, size_t *inlen);
+
+/*
+EnvelopedData ::= SEQUENCE {
+	version			Version,
+	recipientInfos		SET OF RecipientInfo,
+	encryptedContentInfo	EncryptedContentInfo }
+*/
+int cms_enveloped_data_to_der(
+	int version,
+	const uint8_t *rcpt_infos, size_t rcpt_infos_len,
+	int content_type,
+	int enc_algor, const uint8_t *enc_iv, size_t enc_iv_len,
+	const uint8_t *enced_content, size_t enced_content_len,
+	const uint8_t *shared_info1, size_t shared_info1_len,
+	const uint8_t *shared_info2, size_t shared_info2_len,
+	const uint8_t **out, size_t *outlen);
+int cms_enveloped_data_from_der(
+	int *version,
+	const uint8_t **rcpt_infos, size_t *rcpt_infos_len,
+	int *content_type,
+	int *enc_algor, const uint8_t **enc_iv, size_t *enc_iv_len,
+	const uint8_t **enced_content, size_t *enced_content_len,
+	const uint8_t **shared_info1, size_t *shared_info1_len,
+	const uint8_t **shared_info2, size_t *shared_info2_len,
+	const uint8_t **in, size_t *inlen);
+int cms_enveloped_data_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen);
+
+int cms_enveloped_data_encrypt_to_der(
+	int version,
+	const uint8_t *rcpt_certs, size_t rcpt_certs_len, // 当只有一个接收者的时候，这个参数类型非常方便
+	int enc_algor, const uint8_t *key, size_t keylen, const uint8_t *iv, size_t ivlen,
 	int content_type, const uint8_t *content, size_t content_len,
 	const uint8_t *shared_info1, size_t shared_info1_len,
 	const uint8_t *shared_info2, size_t shared_info2_len,
 	uint8_t **out, size_t *outlen);
-
 int cms_enveloped_data_decrypt_from_der(
-	const SM2_KEY *sm2_key, const X509_CERTIFICATE *cert, // 应该用证书还是issuer_and_serial_number?
+	int *version,
+	const uint8_t **rcpt_infos, size_t *rcpt_infos_len,
 	int *content_type, uint8_t *content, size_t *content_len,
 	const uint8_t **shared_info1, size_t *shared_info1_len,
 	const uint8_t **shared_info2, size_t *shared_info2_len,
-	const uint8_t **in, size_t *inlen);
-
-
-const char *cms_content_type_name(int type);
-int cms_content_type_to_der(int type, uint8_t **out, size_t *outlen);
-int cms_content_type_from_der(int *type, const uint8_t **in, size_t *inlen);
-
-int cms_content_info_to_der(int content_type, const uint8_t *content, size_t content_len,
-	uint8_t **out, size_t *outlen);
-
-int cms_content_info_from_der(int *content_type, const uint8_t **content, size_t *content_len,
-	const uint8_t **in, size_t *inlen);
-
-
-
-
-int cms_signer_info_to_der(
-	const X509_NAME *issuer,
+	const SM2_KEY *sm2_key,
+	const uint8_t *issuer, size_t issuer_len,
 	const uint8_t *serial_number, size_t serial_number_len,
-	int digest_algor,
-	const uint8_t *authed_attrs, size_t authed_attrs_len,
-	const uint8_t *enced_digest, size_t enced_digest_len,
-	const uint8_t *unauthed_attrs, size_t unauthed_attrs_len,
-	uint8_t **out, size_t *outlen);
-
-int cms_signer_info_from_der(X509_NAME *issuer,
-	const uint8_t **serial_number, size_t *serial_number_len,
-	int *digest_algor,
-	const uint8_t **authed_attrs, size_t *authed_attrs_len,
-	int *sign_algor,
-	const uint8_t **enced_digest, size_t *enced_digest_len,
-	const uint8_t **unauthed_attrs, size_t *unauthed_attrs_len,
 	const uint8_t **in, size_t *inlen);

-int cms_signer_info_print(FILE *fp,
-	int version,
-	const X509_NAME *issuer, const uint8_t *serial_number, size_t serial_number_len,
-	int digest_algor, const uint8_t *digest_params, size_t digest_params_len,
-	const uint8_t *authed_attrs, size_t authed_attrs_len,
-	int sign_algor, const uint8_t *sign_params, size_t sign_params_len,
-	const uint8_t *sig, size_t siglen,
-	const uint8_t *unauthed_attrs, size_t unauthed_attrs_len,
-	int format, int indent);
-
-int cms_signer_info_sign_to_der(const SM2_KEY *sm2_key, const SM3_CTX *sm3_ctx,
-	const X509_NAME *issuer, const uint8_t *serial_number, size_t serial_number_len,
-	const uint8_t *authed_attrs, size_t authed_attrs_len,
-	const uint8_t *unauthed_attrs, size_t unauthed_attrs_len,
-	uint8_t **out, size_t *outlen);
-
-int cms_signer_info_verify(
-	const SM2_KEY *sm2_key, const SM3_CTX *sm3_ctx,
-	const uint8_t *authed_attrs, size_t authed_attrs_len,
-	const uint8_t *sig, size_t siglen);
-
-
-int cms_signed_data_to_der(
-	const int *digest_algors, const size_t digest_algors_count,
-	const int content_type, const uint8_t *content, const size_t content_len,
-	const X509_CERTIFICATE *certs, size_t certs_count,
-	const uint8_t **crls, const size_t *crls_lens, const size_t crls_count,
-	const uint8_t **signer_infos, size_t *signer_infos_lens, size_t signer_infos_count,
-	uint8_t **out, size_t *outlen);
-
-int cms_signed_data_from_der(
-	const uint8_t **digest_algors, size_t *digest_algors_len,
-	int *content_type, const uint8_t **content, size_t *content_len,
-	const uint8_t **certs, size_t *certs_len,
-	const uint8_t **crls, size_t *crls_len,
-	const uint8_t **signer_infos, size_t *signer_infos_len,
-	const uint8_t **in, size_t *inlen);
-
-int cms_signed_data_print(FILE *fp, const uint8_t *a, size_t alen, int format, int indent);
-
-int cms_signed_data_sign_to_der(const SM2_KEY *sign_keys,
-	const X509_CERTIFICATE *sign_certs, size_t sign_count,
-	int content_type, const uint8_t *content, size_t content_len,
-	const uint8_t *crls, size_t crls_len,
-	uint8_t **out, size_t *outlen);
-
-int cms_signed_data_verify_from_der(
-	const uint8_t **digest_algors, size_t *digest_algors_len,
-	int *content_type, const uint8_t **content, size_t *content_len,
-	const uint8_t **certs, size_t *certs_len,
-	const uint8_t **crls, size_t *crls_len,
-	const uint8_t **signer_infos, size_t *signer_infos_len,
-	const uint8_t **in, size_t *inlen);
-
-int cms_signed_data_verify(
-	int content_type, const uint8_t *content, size_t content_len, // 被签名的到底是什么数据？
-	const uint8_t *certs, size_t certs_len,
-	const uint8_t *signer_infos, size_t signer_infos_len);
-
-
+/*
+SignedAndEnvelopedData ::= SEQUENCE {
+	version			INTEGER (1),
+	recipientInfos		SET OF RecipientInfo,
+	digestAlgorithms	SET OF AlgorithmIdentifier,
+	encryptedContentInfo	EncryptedContentInfo,
+	certificates		[0] IMPLICIT SET OF Certificate OPTIONAL,
+	crls			[1] IMPLICIT SET OF CertificateRevocationList OPTIONAL,
+	signerInfos		SET OF SignerInfo }
+*/
 int cms_signed_and_enveloped_data_to_der(
 	int version,
 	const uint8_t *rcpt_infos, size_t rcpt_infos_len,
 	const int *digest_algors, size_t digest_algors_count,
 	int content_type,
-		int enc_algor, const uint8_t *enc_iv, size_t enc_iv_len,
-		const uint8_t *enced_content, size_t enced_content_len,
-		const uint8_t *shared_info1, size_t shared_info1_len,
-		const uint8_t *shared_info2, size_t shared_info2_len,
-	const X509_CERTIFICATE *certs, size_t certs_count,
-	const uint8_t *crls, size_t crls_count,
-	const uint8_t signer_infos, size_t signer_infos_len);
-
+	int enc_algor, const uint8_t *iv, size_t ivlen,
+	const uint8_t *enced_content, size_t enced_content_len,
+	const uint8_t *shared_info1, size_t shared_info1_len,
+	const uint8_t *shared_info2, size_t shared_info2_len,
+	const uint8_t *certs, size_t certs_len,
+	const uint8_t *crls, size_t crls_len,
+	const uint8_t *signer_infos, size_t signer_infos_len);
 int cms_signed_and_enveloped_data_from_der(
 	int *version,
 	const uint8_t **rcpt_infos, size_t *rcpt_infos_len,
-	const uint8_t **dgst_algors, size_t *dgst_algors_len,
+	const uint8_t **digest_algors, size_t *digest_algors_len,
 	int *content_type,
-		int *enc_algor, const uint8_t **enc_iv, size_t *enc_iv_len,
-		const uint8_t **enced_content, size_t *enced_content_len,
-		const uint8_t **shared_info1, size_t *shared_info1_len,
-		const uint8_t **shared_info2, size_t *shared_info2_len,
+	int *enc_algor, const uint8_t **enc_iv, size_t *enc_iv_len,
+	const uint8_t **enced_content, size_t *enced_content_len,
+	const uint8_t **shared_info1, size_t *shared_info1_len,
+	const uint8_t **shared_info2, size_t *shared_info2_len,
 	const uint8_t **certs, size_t *certs_len,
 	const uint8_t **crls, size_t *crls_len,
 	const uint8_t **signer_infos, size_t *signer_infos_len,
 	const uint8_t **in, size_t *inlen);
+int cms_signed_and_enveloped_data_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen);

-int cms_signed_and_enveloped_data_print(FILE *fp, const uint8_t *a, size_t alen,
-	int format, int indent);
-
-
-
-
-int cms_signed_and_enveloped_data_sign_encrypt_to_der(
-	const SM2_KEY *sign_keys, const X509_CERTIFICATE *sign_certs, size_t sign_count,
-	const uint8_t *sign_crls, const size_t sign_crls_len,
-	const X509_CERTIFICATE *rcpt_certs, size_t rcpt_count,
+int cms_signed_and_enveloped_encipher_to_der(
+	const CMS_CERT_AND_KEY *signers, size_t signers_cnt,
+	const uint8_t *rcpt_certs, size_t rcpt_certs_len,
 	int content_type, const uint8_t *content, size_t content_len,
+	const uint8_t *signer_crls, size_t signer_crls_len,
 	const uint8_t *shared_info1, size_t shared_info1_len,
 	const uint8_t *shared_info2, size_t shared_info2_len,
 	uint8_t **out, size_t *outlen);

-
-int cms_signed_and_enveloped_data_decrypt_verify_from_der(
-	const SM2_KEY *dec_key, const X509_CERTIFICATE *dec_cert,
+int cms_deenvelop_and_verify_decipher_from_der(
+	int *version,
 	const uint8_t **rcpt_infos, size_t *rcpt_infos_len,
-	const uint8_t **dgst_algors, size_t *dgst_algors_len,
-	int *content_type,
-		int *enc_algor, const uint8_t **enc_iv, size_t *enc_iv_len,
-		const uint8_t **enced_content, size_t *enced_content_len,
-		const uint8_t **shared_info1, size_t *shared_info1_len,
-		const uint8_t **shared_info2, size_t *shared_info2_len,
-	const uint8_t **certs, size_t *certs_len,
-	const uint8_t **crls, size_t *crls_len,
-	const uint8_t **signer_infos, size_t *signer_infos_len);
-
-
-/*
-下面是预计export的函数
-*/
-
-int cms_content_info_print(FILE *fp, const uint8_t *a, size_t alen, int format, int indent);
-
-
-int cms_encrypt(const uint8_t key[16], const uint8_t *in, size_t inlen,
-	uint8_t *out, size_t *outlen);
-
-int cms_decrypt(const uint8_t key[16], const uint8_t *in, size_t inlen,
-	int *content_type, uint8_t *out, size_t *outlen);
-
-int cms_seal(const X509_CERTIFICATE *rcpt_certs, size_t rcpt_count,
-	const uint8_t *in, size_t inlen,
-	uint8_t *out, size_t *outlen);
-
-int cms_open(const SM2_KEY *sm2_key, const X509_CERTIFICATE *cert,
-	const uint8_t *in, size_t inlen,
-	int *content_type, uint8_t *out, size_t *outlen);
-
-int cms_sign(const SM2_KEY *sign_keys, const X509_CERTIFICATE *sign_certs, size_t sign_count,
-	const uint8_t *in, size_t inlen, uint8_t *out, size_t *outlen);
-
-int cms_verify(int *content_type, const uint8_t **content, size_t *content_len,
+	const uint8_t **digest_algors, size_t *digest_algors_len,
+	int *enc_algor, uint8_t *key, size_t *keylen, const uint8_t **iv, size_t *ivlen,
+	int *content_type, uint8_t *content, size_t *content_len,
+	const uint8_t **enced_content, size_t *enced_content_len,
+	const uint8_t **shared_info1, size_t *shared_info1_len,
+	const uint8_t **shared_info2, size_t *shared_info2_len,
 	const uint8_t **certs, size_t *certs_len,
 	const uint8_t **crls, size_t *crls_len,
 	const uint8_t **signer_infos, size_t *signer_infos_len,
-	const uint8_t *cms, size_t cmslen);

-int cms_sign_and_seal(const SM2_KEY *sign_keys,
-	const X509_CERTIFICATE *sign_certs, size_t sign_count,
-	const X509_CERTIFICATE *rcpt_certs, size_t rcpt_count,
-	const uint8_t *in, size_t inlen,
-	uint8_t *out, size_t *outlen);
+	const SM2_KEY *rcpt_key,
+	const uint8_t *rcpt_issuer, size_t rcpt_issuer_len,
+	const uint8_t *rcpt_serial_number, size_t rcpt_serial_number_len,
+	const uint8_t *extra_verify_certs, size_t extra_verify_certs_len,
+	const uint8_t *extra_verify_crls, size_t extra_verify_crls_len,

-int cms_open_and_verify(
-	const SM2_KEY *sm2_key, const X509_CERTIFICATE *cert,
-	const uint8_t *in, size_t inlen,
-	int *content_type, uint8_t *out, size_t *outlen);
+	const uint8_t **in, size_t *inlen);


+/*
+KeyAgreementInfo ::= SEQUENCE {
+	version			INTEGER (1),
+	tempPublicKeyR		SM2PublicKey,
+	userCertificate		Certificate,
+	userID			OCTET STRING }
+*/
+int cms_key_agreement_info_to_der(
+	int version,
+	const SM2_KEY *temp_public_key_r,
+	const uint8_t *user_cert, size_t user_cert_len,
+	const uint8_t *user_id, size_t user_id_len,
+	uint8_t **out, size_t *outlen);
+int cms_key_agreement_info_from_der(
+	int *version,
+	SM2_KEY *temp_public_key_r,
+	const uint8_t **user_cert, size_t *user_cert_len,
+	const uint8_t **user_id, size_t *user_id_len,
+	const uint8_t **in, size_t *inlen);
+int cms_key_agreement_info_print(FILE *fp, int fmt, int ind, const char *label, const uint8_t *d, size_t dlen);
+
+
+
+// 下面是公开API
+
+
+// 生成ContentInfo, type == data
+int cms_set_data(uint8_t *cms, size_t *cms_len, const uint8_t *d, size_t dlen);
+
+int cms_encrypt(
+	int enc_algor, const uint8_t *key, size_t keylen, const uint8_t *iv, size_t ivlen, // 对称加密算法、密钥和IV
+	int content_type, const uint8_t *content, size_t content_len, // 待加密的输入数据
+	const uint8_t *shared_info1, size_t shared_info1_len, // 附加信息
+	const uint8_t *shared_info2, size_t shared_info2_len, // 附加信息
+	uint8_t *cms, size_t *cms_len); // 输出的ContentInfo (type encryptedData)
+
+int cms_decrypt(
+	const uint8_t *key, size_t keylen, // 解密密钥（我们不知道解密算法）
+	const uint8_t *cms, size_t cms_len, // 输入的ContentInfo (type encryptedData)
+	const uint8_t *extra_enced_content, size_t extra_enced_content_len, // EncryptedContentInfo的密文数据为空时显示提供输入密文
+	int *content_type, uint8_t *content, size_t *content_len, // 输出的解密数据类型及数据
+	int *enc_algor, const uint8_t **iv, size_t *ivlen, // 解析EncryptedContentInfo得到的对称加密算法及参数
+	const uint8_t **shared_info1, size_t *shared_info1_len, // 附加信息
+	const uint8_t **shared_info2, size_t *shared_info2_len);
+
+int cms_sign(
+	const CMS_CERT_AND_KEY *signers, size_t signers_cnt, // 签名者的签名私钥和证书
+	int content_type, const uint8_t *content, size_t content_len, // 待签名的输入数据
+	const uint8_t *crls, size_t crls_len, // 签名者证书的CRL
+	uint8_t *cms, size_t *cms_len); // 输出的ContentInfo (type signedData)
+
+int cms_verify(
+	const uint8_t *cms, size_t cms_len, // 输入的ContentInfo (type signedData)
+	const uint8_t *extra_content, size_t extra_content_len, // ContentInfo的数据为空时显示提供输入
+	const uint8_t *extra_certs, size_t extra_certs_len, // 当SignedData中未提供证书时显示输入
+	const uint8_t *extra_crls, size_t extra_crls_len, // 当SignedData中未提供CRL时显示输入
+	int *content_type, const uint8_t **content, size_t *content_len, // 从SignedData解析得到的被签名数据
+	const uint8_t **certs, size_t *certs_len, // 从SignedData解析得到的签名证书
+	const uint8_t **crls, size_t *crls_len, // 从SignedData解析得到的CRL
+	const uint8_t **signer_infos, size_t *signer_infos_len); // 从SignedData解析得到的SignerInfos，可用于显示验证结果
+
+int cms_envelop(
+	const uint8_t *rcpt_certs, size_t rcpt_certs_len, // 接收方证书，注意这个参数的类型可以容纳多个证书，但是只有在一个接受者时对调用方最方便
+	int enc_algor, const uint8_t *key, size_t keylen, const uint8_t *iv, size_t ivlen, // 对称加密算法及参数
+	int content_type, const uint8_t *content, size_t content_len, // 待加密的输入数据
+	const uint8_t *shared_info1, size_t shared_info1_len, // 附加输入信息
+	const uint8_t *shared_info2, size_t shared_info2_len, // 附加输入信息
+	uint8_t *cms, size_t *cms_len); // 输出ContentInfo
+
+int cms_deenvelop(
+	const SM2_KEY *rcpt_key, const uint8_t *rcpt_cert, size_t rcpt_cert_len, // 接收方的解密私钥和对应的证书，注意只需要一个解密方
+	const uint8_t *cms, size_t cms_len,
+	const uint8_t *extra_enced_content, size_t extra_enced_content_len, // 显式输入的密文
+	int *content_type, uint8_t *content, size_t *content_len,
+	int *enc_algor, const uint8_t **iv, size_t *ivlen, // 注意，对称加密的密钥就不输出了
+	const uint8_t **rcpt_infos, size_t *rcpt_infos_len, // 解析得到，用于显示
+	const uint8_t **shared_info1, size_t *shared_info1_len,
+	const uint8_t **shared_info2, size_t *shared_info2_len);
+
+int cms_sign_and_envelop( // 参考cms_sign, cms_envelop
+	const CMS_CERT_AND_KEY *signers, size_t signers_cnt,
+	const uint8_t *rcpt_certs, size_t rcpt_certs_len,
+	int enc_algor, const uint8_t *key, size_t keylen, const uint8_t *iv, size_t ivlen,
+	int content_type, const uint8_t *content, size_t content_len,
+	const uint8_t *signer_crls, size_t signer_crls_len,
+	const uint8_t *shared_info1, size_t shared_info1_len,
+	const uint8_t *shared_info2, size_t shared_info2_len,
+	uint8_t *cms, size_t *cms_len);
+
+int cms_deenvelop_and_verify( // 参考cms_deenvelop, cms_verify
+	const SM2_KEY *rcpt_key, const uint8_t *rcpt_cert, size_t rcpt_cert_len,
+	// 输入
+	const uint8_t *cms, size_t cms_len,
+	const uint8_t *extra_enced_content, size_t extra_enced_content_len,
+	const uint8_t *extra_signer_certs, size_t extra_signer_certs_len,
+	const uint8_t *extra_signer_crls, size_t extra_signer_crls_len,
+	// 输出
+	int *content_type, uint8_t *content, size_t *content_len,
+	// 格外的解析内容输出，均为可选
+	int *enc_algor, const uint8_t **iv, size_t *ivlen,
+	const uint8_t **rcpt_infos, size_t rcpt_infos_len,
+	const uint8_t **signer_infos, size_t *signer_infos_len,
+	const uint8_t **signer_certs, size_t *signer_certs_len,
+	const uint8_t **signer_crls, size_t *signer_crls_len,
+	const uint8_t **shared_info1, size_t *shared_info1_len,
+	const uint8_t **shared_info2, size_t *shared_info2_len);
+
+// 生成ContentInfo, type == keyAgreementInfo
+int cms_set_key_agreement_info(
+	uint8_t *cms, size_t *cms_len,
+	const SM2_KEY *temp_public_key_r,
+	const uint8_t *user_cert, size_t user_cert_len,
+	const uint8_t *user_id, size_t user_id_len);
+
+int cms_print(FILE *fp, int fmt, int ind, const uint8_t *a, size_t alen);
+

 #ifdef __cplusplus
 }