1 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
2 * project 1999.
3 */
4 /* ====================================================================
5 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 *
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 *
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in
16 * the documentation and/or other materials provided with the
17 * distribution.
18 *
19 * 3. All advertising materials mentioning features or use of this
20 * software must display the following acknowledgment:
21 * "This product includes software developed by the OpenSSL Project
22 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
23 *
24 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
25 * endorse or promote products derived from this software without
26 * prior written permission. For written permission, please contact
27 * licensing@OpenSSL.org.
28 *
29 * 5. Products derived from this software may not be called "OpenSSL"
30 * nor may "OpenSSL" appear in their names without prior written
31 * permission of the OpenSSL Project.
32 *
33 * 6. Redistributions of any form whatsoever must retain the following
34 * acknowledgment:
35 * "This product includes software developed by the OpenSSL Project
36 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
37 *
38 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
39 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
40 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
41 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
42 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
43 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
44 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
45 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
46 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
47 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
48 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
49 * OF THE POSSIBILITY OF SUCH DAMAGE.
50 * ====================================================================
51 *
52 * This product includes cryptographic software written by Eric Young
53 * (eay@cryptsoft.com). This product includes software written by Tim
54 * Hudson (tjh@cryptsoft.com). */
55
56 #include <openssl/pkcs8.h>
57
58 #include <assert.h>
59 #include <limits.h>
60 #include <string.h>
61
62 #include <openssl/asn1.h>
63 #include <openssl/bn.h>
64 #include <openssl/buf.h>
65 #include <openssl/cipher.h>
66 #include <openssl/digest.h>
67 #include <openssl/err.h>
68 #include <openssl/hmac.h>
69 #include <openssl/mem.h>
70 #include <openssl/x509.h>
71
72 #include "internal.h"
73 #include "../bytestring/internal.h"
74 #include "../evp/internal.h"
75
76
77 #define PKCS12_KEY_ID 1
78 #define PKCS12_IV_ID 2
79 #define PKCS12_MAC_ID 3
80
ascii_to_ucs2(const char * ascii,size_t ascii_len,uint8_t ** out,size_t * out_len)81 static int ascii_to_ucs2(const char *ascii, size_t ascii_len,
82 uint8_t **out, size_t *out_len) {
83 uint8_t *unitmp;
84 size_t ulen, i;
85
86 ulen = ascii_len * 2 + 2;
87 if (ulen < ascii_len) {
88 return 0;
89 }
90 unitmp = OPENSSL_malloc(ulen);
91 if (unitmp == NULL) {
92 return 0;
93 }
94 for (i = 0; i < ulen - 2; i += 2) {
95 unitmp[i] = 0;
96 unitmp[i + 1] = ascii[i >> 1];
97 }
98
99 /* Make result double null terminated */
100 unitmp[ulen - 2] = 0;
101 unitmp[ulen - 1] = 0;
102 *out_len = ulen;
103 *out = unitmp;
104 return 1;
105 }
106
pkcs12_key_gen_raw(const uint8_t * pass_raw,size_t pass_raw_len,const uint8_t * salt,size_t salt_len,int id,int iterations,size_t out_len,uint8_t * out,const EVP_MD * md_type)107 static int pkcs12_key_gen_raw(const uint8_t *pass_raw, size_t pass_raw_len,
108 const uint8_t *salt, size_t salt_len,
109 int id, int iterations,
110 size_t out_len, uint8_t *out,
111 const EVP_MD *md_type) {
112 uint8_t *B, *D, *I, *p, *Ai;
113 int Slen, Plen, Ilen, Ijlen;
114 int i, j, v;
115 size_t u;
116 int ret = 0;
117 BIGNUM *Ij, *Bpl1; /* These hold Ij and B + 1 */
118 EVP_MD_CTX ctx;
119
120 EVP_MD_CTX_init(&ctx);
121 v = EVP_MD_block_size(md_type);
122 u = EVP_MD_size(md_type);
123 D = OPENSSL_malloc(v);
124 Ai = OPENSSL_malloc(u);
125 B = OPENSSL_malloc(v + 1);
126 Slen = v * ((salt_len + v - 1) / v);
127 if (pass_raw_len) {
128 Plen = v * ((pass_raw_len + v - 1) / v);
129 } else {
130 Plen = 0;
131 }
132 Ilen = Slen + Plen;
133 I = OPENSSL_malloc(Ilen);
134 Ij = BN_new();
135 Bpl1 = BN_new();
136 if (!D || !Ai || !B || !I || !Ij || !Bpl1) {
137 goto err;
138 }
139 for (i = 0; i < v; i++) {
140 D[i] = id;
141 }
142 p = I;
143 for (i = 0; i < Slen; i++) {
144 *p++ = salt[i % salt_len];
145 }
146 for (i = 0; i < Plen; i++) {
147 *p++ = pass_raw[i % pass_raw_len];
148 }
149 for (;;) {
150 if (!EVP_DigestInit_ex(&ctx, md_type, NULL) ||
151 !EVP_DigestUpdate(&ctx, D, v) ||
152 !EVP_DigestUpdate(&ctx, I, Ilen) ||
153 !EVP_DigestFinal_ex(&ctx, Ai, NULL)) {
154 goto err;
155 }
156 for (j = 1; j < iterations; j++) {
157 if (!EVP_DigestInit_ex(&ctx, md_type, NULL) ||
158 !EVP_DigestUpdate(&ctx, Ai, u) ||
159 !EVP_DigestFinal_ex(&ctx, Ai, NULL)) {
160 goto err;
161 }
162 }
163 memcpy(out, Ai, out_len < u ? out_len : u);
164 if (u >= out_len) {
165 ret = 1;
166 goto end;
167 }
168 out_len -= u;
169 out += u;
170 for (j = 0; j < v; j++) {
171 B[j] = Ai[j % u];
172 }
173 /* Work out B + 1 first then can use B as tmp space */
174 if (!BN_bin2bn(B, v, Bpl1) ||
175 !BN_add_word(Bpl1, 1)) {
176 goto err;
177 }
178 for (j = 0; j < Ilen; j += v) {
179 if (!BN_bin2bn(I + j, v, Ij) ||
180 !BN_add(Ij, Ij, Bpl1) ||
181 !BN_bn2bin(Ij, B)) {
182 goto err;
183 }
184 Ijlen = BN_num_bytes(Ij);
185 /* If more than 2^(v*8) - 1 cut off MSB */
186 if (Ijlen > v) {
187 if (!BN_bn2bin(Ij, B)) {
188 goto err;
189 }
190 memcpy(I + j, B + 1, v);
191 /* If less than v bytes pad with zeroes */
192 } else if (Ijlen < v) {
193 memset(I + j, 0, v - Ijlen);
194 if (!BN_bn2bin(Ij, I + j + v - Ijlen)) {
195 goto err;
196 }
197 } else if (!BN_bn2bin(Ij, I + j)) {
198 goto err;
199 }
200 }
201 }
202
203 err:
204 OPENSSL_PUT_ERROR(PKCS8, ERR_R_MALLOC_FAILURE);
205
206 end:
207 OPENSSL_free(Ai);
208 OPENSSL_free(B);
209 OPENSSL_free(D);
210 OPENSSL_free(I);
211 BN_free(Ij);
212 BN_free(Bpl1);
213 EVP_MD_CTX_cleanup(&ctx);
214
215 return ret;
216 }
217
pkcs12_pbe_keyivgen(EVP_CIPHER_CTX * ctx,const uint8_t * pass_raw,size_t pass_raw_len,ASN1_TYPE * param,const EVP_CIPHER * cipher,const EVP_MD * md,int is_encrypt)218 static int pkcs12_pbe_keyivgen(EVP_CIPHER_CTX *ctx, const uint8_t *pass_raw,
219 size_t pass_raw_len, ASN1_TYPE *param,
220 const EVP_CIPHER *cipher, const EVP_MD *md,
221 int is_encrypt) {
222 PBEPARAM *pbe;
223 int salt_len, iterations, ret;
224 uint8_t *salt;
225 const uint8_t *pbuf;
226 uint8_t key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH];
227
228 /* Extract useful info from parameter */
229 if (param == NULL || param->type != V_ASN1_SEQUENCE ||
230 param->value.sequence == NULL) {
231 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_DECODE_ERROR);
232 return 0;
233 }
234
235 pbuf = param->value.sequence->data;
236 pbe = d2i_PBEPARAM(NULL, &pbuf, param->value.sequence->length);
237 if (pbe == NULL) {
238 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_DECODE_ERROR);
239 return 0;
240 }
241
242 if (!pbe->iter) {
243 iterations = 1;
244 } else {
245 iterations = ASN1_INTEGER_get(pbe->iter);
246 }
247 salt = pbe->salt->data;
248 salt_len = pbe->salt->length;
249 if (!pkcs12_key_gen_raw(pass_raw, pass_raw_len, salt, salt_len, PKCS12_KEY_ID,
250 iterations, EVP_CIPHER_key_length(cipher), key, md)) {
251 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_KEY_GEN_ERROR);
252 PBEPARAM_free(pbe);
253 return 0;
254 }
255 if (!pkcs12_key_gen_raw(pass_raw, pass_raw_len, salt, salt_len, PKCS12_IV_ID,
256 iterations, EVP_CIPHER_iv_length(cipher), iv, md)) {
257 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_KEY_GEN_ERROR);
258 PBEPARAM_free(pbe);
259 return 0;
260 }
261 PBEPARAM_free(pbe);
262 ret = EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, is_encrypt);
263 OPENSSL_cleanse(key, EVP_MAX_KEY_LENGTH);
264 OPENSSL_cleanse(iv, EVP_MAX_IV_LENGTH);
265 return ret;
266 }
267
268 typedef int (*keygen_func)(EVP_CIPHER_CTX *ctx, const uint8_t *pass_raw,
269 size_t pass_raw_len, ASN1_TYPE *param,
270 const EVP_CIPHER *cipher, const EVP_MD *md,
271 int is_encrypt);
272
273 struct pbe_suite {
274 int pbe_nid;
275 const EVP_CIPHER* (*cipher_func)(void);
276 const EVP_MD* (*md_func)(void);
277 keygen_func keygen;
278 int flags;
279 };
280
281 #define PBE_UCS2_CONVERT_PASSWORD 0x1
282
283 static const struct pbe_suite kBuiltinPBE[] = {
284 {
285 NID_pbe_WithSHA1And40BitRC2_CBC, EVP_rc2_40_cbc, EVP_sha1,
286 pkcs12_pbe_keyivgen, PBE_UCS2_CONVERT_PASSWORD
287 },
288 {
289 NID_pbe_WithSHA1And128BitRC4, EVP_rc4, EVP_sha1, pkcs12_pbe_keyivgen,
290 PBE_UCS2_CONVERT_PASSWORD
291 },
292 {
293 NID_pbe_WithSHA1And3_Key_TripleDES_CBC, EVP_des_ede3_cbc, EVP_sha1,
294 pkcs12_pbe_keyivgen, PBE_UCS2_CONVERT_PASSWORD
295 },
296 {
297 NID_pbes2, NULL, NULL, PKCS5_v2_PBE_keyivgen, 0
298 },
299 };
300
get_pbe_suite(int pbe_nid)301 static const struct pbe_suite *get_pbe_suite(int pbe_nid) {
302 unsigned i;
303 for (i = 0; i < sizeof(kBuiltinPBE) / sizeof(kBuiltinPBE[0]); i++) {
304 if (kBuiltinPBE[i].pbe_nid == pbe_nid) {
305 return &kBuiltinPBE[i];
306 }
307 }
308
309 return NULL;
310 }
311
312 /* pass_to_pass_raw performs a password conversion (possibly a no-op)
313 * appropriate to the supplied |pbe_nid|. The input |pass| is treated as a
314 * NUL-terminated string if |pass_len| is -1, otherwise it is treated as a
315 * buffer of the specified length. If the supplied PBE NID sets the
316 * |PBE_UCS2_CONVERT_PASSWORD| flag, the supplied |pass| will be converted to
317 * UCS-2.
318 *
319 * It sets |*out_pass_raw| to a new buffer that must be freed by the caller. It
320 * returns one on success and zero on error. */
pass_to_pass_raw(int pbe_nid,const char * pass,int pass_len,uint8_t ** out_pass_raw,size_t * out_pass_raw_len)321 static int pass_to_pass_raw(int pbe_nid, const char *pass, int pass_len,
322 uint8_t **out_pass_raw, size_t *out_pass_raw_len) {
323 if (pass == NULL) {
324 *out_pass_raw = NULL;
325 *out_pass_raw_len = 0;
326 return 1;
327 }
328
329 if (pass_len == -1) {
330 pass_len = strlen(pass);
331 } else if (pass_len < 0 || pass_len > 2000000000) {
332 OPENSSL_PUT_ERROR(PKCS8, ERR_R_OVERFLOW);
333 return 0;
334 }
335
336 const struct pbe_suite *suite = get_pbe_suite(pbe_nid);
337 if (suite != NULL && (suite->flags & PBE_UCS2_CONVERT_PASSWORD)) {
338 if (!ascii_to_ucs2(pass, pass_len, out_pass_raw, out_pass_raw_len)) {
339 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_DECODE_ERROR);
340 return 0;
341 }
342 } else {
343 *out_pass_raw = BUF_memdup(pass, pass_len);
344 if (*out_pass_raw == NULL) {
345 OPENSSL_PUT_ERROR(PKCS8, ERR_R_MALLOC_FAILURE);
346 return 0;
347 }
348 *out_pass_raw_len = (size_t)pass_len;
349 }
350
351 return 1;
352 }
353
pbe_cipher_init(ASN1_OBJECT * pbe_obj,const uint8_t * pass_raw,size_t pass_raw_len,ASN1_TYPE * param,EVP_CIPHER_CTX * ctx,int is_encrypt)354 static int pbe_cipher_init(ASN1_OBJECT *pbe_obj,
355 const uint8_t *pass_raw, size_t pass_raw_len,
356 ASN1_TYPE *param,
357 EVP_CIPHER_CTX *ctx, int is_encrypt) {
358 const EVP_CIPHER *cipher;
359 const EVP_MD *md;
360
361 const struct pbe_suite *suite = get_pbe_suite(OBJ_obj2nid(pbe_obj));
362 if (suite == NULL) {
363 char obj_str[80];
364 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_UNKNOWN_ALGORITHM);
365 if (!pbe_obj) {
366 strncpy(obj_str, "NULL", sizeof(obj_str));
367 } else {
368 i2t_ASN1_OBJECT(obj_str, sizeof(obj_str), pbe_obj);
369 }
370 ERR_add_error_data(2, "TYPE=", obj_str);
371 return 0;
372 }
373
374 if (suite->cipher_func == NULL) {
375 cipher = NULL;
376 } else {
377 cipher = suite->cipher_func();
378 if (!cipher) {
379 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_UNKNOWN_CIPHER);
380 return 0;
381 }
382 }
383
384 if (suite->md_func == NULL) {
385 md = NULL;
386 } else {
387 md = suite->md_func();
388 if (!md) {
389 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_UNKNOWN_DIGEST);
390 return 0;
391 }
392 }
393
394 if (!suite->keygen(ctx, pass_raw, pass_raw_len, param, cipher, md,
395 is_encrypt)) {
396 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_KEYGEN_FAILURE);
397 return 0;
398 }
399
400 return 1;
401 }
402
pbe_crypt(const X509_ALGOR * algor,const uint8_t * pass_raw,size_t pass_raw_len,const uint8_t * in,size_t in_len,uint8_t ** out,size_t * out_len,int is_encrypt)403 static int pbe_crypt(const X509_ALGOR *algor,
404 const uint8_t *pass_raw, size_t pass_raw_len,
405 const uint8_t *in, size_t in_len,
406 uint8_t **out, size_t *out_len,
407 int is_encrypt) {
408 uint8_t *buf;
409 int n, ret = 0;
410 EVP_CIPHER_CTX ctx;
411 unsigned block_size;
412
413 EVP_CIPHER_CTX_init(&ctx);
414
415 if (!pbe_cipher_init(algor->algorithm, pass_raw, pass_raw_len,
416 algor->parameter, &ctx, is_encrypt)) {
417 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_UNKNOWN_CIPHER_ALGORITHM);
418 return 0;
419 }
420 block_size = EVP_CIPHER_CTX_block_size(&ctx);
421
422 if (in_len + block_size < in_len) {
423 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_TOO_LONG);
424 goto err;
425 }
426
427 buf = OPENSSL_malloc(in_len + block_size);
428 if (buf == NULL) {
429 OPENSSL_PUT_ERROR(PKCS8, ERR_R_MALLOC_FAILURE);
430 goto err;
431 }
432
433 if (!EVP_CipherUpdate(&ctx, buf, &n, in, in_len)) {
434 OPENSSL_free(buf);
435 OPENSSL_PUT_ERROR(PKCS8, ERR_R_EVP_LIB);
436 goto err;
437 }
438 *out_len = n;
439
440 if (!EVP_CipherFinal_ex(&ctx, buf + n, &n)) {
441 OPENSSL_free(buf);
442 OPENSSL_PUT_ERROR(PKCS8, ERR_R_EVP_LIB);
443 goto err;
444 }
445 *out_len += n;
446 *out = buf;
447 ret = 1;
448
449 err:
450 EVP_CIPHER_CTX_cleanup(&ctx);
451 return ret;
452 }
453
pkcs12_item_decrypt_d2i(X509_ALGOR * algor,const ASN1_ITEM * it,const uint8_t * pass_raw,size_t pass_raw_len,ASN1_OCTET_STRING * oct)454 static void *pkcs12_item_decrypt_d2i(X509_ALGOR *algor, const ASN1_ITEM *it,
455 const uint8_t *pass_raw,
456 size_t pass_raw_len,
457 ASN1_OCTET_STRING *oct) {
458 uint8_t *out;
459 const uint8_t *p;
460 void *ret;
461 size_t out_len;
462
463 if (!pbe_crypt(algor, pass_raw, pass_raw_len, oct->data, oct->length,
464 &out, &out_len, 0 /* decrypt */)) {
465 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_CRYPT_ERROR);
466 return NULL;
467 }
468 p = out;
469 ret = ASN1_item_d2i(NULL, &p, out_len, it);
470 OPENSSL_cleanse(out, out_len);
471 if (!ret) {
472 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_DECODE_ERROR);
473 }
474 OPENSSL_free(out);
475 return ret;
476 }
477
PKCS8_decrypt(X509_SIG * pkcs8,const char * pass,int pass_len)478 PKCS8_PRIV_KEY_INFO *PKCS8_decrypt(X509_SIG *pkcs8, const char *pass,
479 int pass_len) {
480 uint8_t *pass_raw = NULL;
481 size_t pass_raw_len = 0;
482 if (!pass_to_pass_raw(OBJ_obj2nid(pkcs8->algor->algorithm), pass, pass_len,
483 &pass_raw, &pass_raw_len)) {
484 return NULL;
485 }
486
487 PKCS8_PRIV_KEY_INFO *ret = PKCS8_decrypt_pbe(pkcs8, pass_raw, pass_raw_len);
488
489 if (pass_raw) {
490 OPENSSL_cleanse(pass_raw, pass_raw_len);
491 OPENSSL_free(pass_raw);
492 }
493 return ret;
494 }
495
PKCS8_decrypt_pbe(X509_SIG * pkcs8,const uint8_t * pass_raw,size_t pass_raw_len)496 PKCS8_PRIV_KEY_INFO *PKCS8_decrypt_pbe(X509_SIG *pkcs8, const uint8_t *pass_raw,
497 size_t pass_raw_len) {
498 return pkcs12_item_decrypt_d2i(pkcs8->algor,
499 ASN1_ITEM_rptr(PKCS8_PRIV_KEY_INFO), pass_raw,
500 pass_raw_len, pkcs8->digest);
501 }
502
pkcs12_item_i2d_encrypt(X509_ALGOR * algor,const ASN1_ITEM * it,const uint8_t * pass_raw,size_t pass_raw_len,void * obj)503 static ASN1_OCTET_STRING *pkcs12_item_i2d_encrypt(X509_ALGOR *algor,
504 const ASN1_ITEM *it,
505 const uint8_t *pass_raw,
506 size_t pass_raw_len, void *obj) {
507 ASN1_OCTET_STRING *oct;
508 uint8_t *in = NULL;
509 int in_len;
510 size_t crypt_len;
511
512 oct = M_ASN1_OCTET_STRING_new();
513 if (oct == NULL) {
514 OPENSSL_PUT_ERROR(PKCS8, ERR_R_MALLOC_FAILURE);
515 return NULL;
516 }
517 in_len = ASN1_item_i2d(obj, &in, it);
518 if (!in) {
519 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_ENCODE_ERROR);
520 return NULL;
521 }
522 if (!pbe_crypt(algor, pass_raw, pass_raw_len, in, in_len, &oct->data, &crypt_len,
523 1 /* encrypt */)) {
524 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_ENCRYPT_ERROR);
525 OPENSSL_free(in);
526 return NULL;
527 }
528 oct->length = crypt_len;
529 OPENSSL_cleanse(in, in_len);
530 OPENSSL_free(in);
531 return oct;
532 }
533
PKCS8_encrypt(int pbe_nid,const EVP_CIPHER * cipher,const char * pass,int pass_len,uint8_t * salt,size_t salt_len,int iterations,PKCS8_PRIV_KEY_INFO * p8inf)534 X509_SIG *PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher, const char *pass,
535 int pass_len, uint8_t *salt, size_t salt_len,
536 int iterations, PKCS8_PRIV_KEY_INFO *p8inf) {
537 uint8_t *pass_raw = NULL;
538 size_t pass_raw_len = 0;
539 if (!pass_to_pass_raw(pbe_nid, pass, pass_len, &pass_raw, &pass_raw_len)) {
540 return NULL;
541 }
542
543 X509_SIG *ret = PKCS8_encrypt_pbe(pbe_nid, cipher, pass_raw, pass_raw_len,
544 salt, salt_len, iterations, p8inf);
545
546 if (pass_raw) {
547 OPENSSL_cleanse(pass_raw, pass_raw_len);
548 OPENSSL_free(pass_raw);
549 }
550 return ret;
551 }
552
PKCS8_encrypt_pbe(int pbe_nid,const EVP_CIPHER * cipher,const uint8_t * pass_raw,size_t pass_raw_len,uint8_t * salt,size_t salt_len,int iterations,PKCS8_PRIV_KEY_INFO * p8inf)553 X509_SIG *PKCS8_encrypt_pbe(int pbe_nid, const EVP_CIPHER *cipher,
554 const uint8_t *pass_raw, size_t pass_raw_len,
555 uint8_t *salt, size_t salt_len,
556 int iterations, PKCS8_PRIV_KEY_INFO *p8inf) {
557 X509_SIG *pkcs8 = NULL;
558 X509_ALGOR *pbe;
559
560 pkcs8 = X509_SIG_new();
561 if (pkcs8 == NULL) {
562 OPENSSL_PUT_ERROR(PKCS8, ERR_R_MALLOC_FAILURE);
563 goto err;
564 }
565
566 if (pbe_nid == -1) {
567 pbe = PKCS5_pbe2_set(cipher, iterations, salt, salt_len);
568 } else {
569 pbe = PKCS5_pbe_set(pbe_nid, iterations, salt, salt_len);
570 }
571 if (!pbe) {
572 OPENSSL_PUT_ERROR(PKCS8, ERR_R_ASN1_LIB);
573 goto err;
574 }
575
576 X509_ALGOR_free(pkcs8->algor);
577 pkcs8->algor = pbe;
578 M_ASN1_OCTET_STRING_free(pkcs8->digest);
579 pkcs8->digest = pkcs12_item_i2d_encrypt(
580 pbe, ASN1_ITEM_rptr(PKCS8_PRIV_KEY_INFO), pass_raw, pass_raw_len, p8inf);
581 if (!pkcs8->digest) {
582 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_ENCRYPT_ERROR);
583 goto err;
584 }
585
586 return pkcs8;
587
588 err:
589 X509_SIG_free(pkcs8);
590 return NULL;
591 }
592
EVP_PKCS82PKEY(PKCS8_PRIV_KEY_INFO * p8)593 EVP_PKEY *EVP_PKCS82PKEY(PKCS8_PRIV_KEY_INFO *p8) {
594 EVP_PKEY *pkey = NULL;
595 ASN1_OBJECT *algoid;
596 char obj_tmp[80];
597
598 if (!PKCS8_pkey_get0(&algoid, NULL, NULL, NULL, p8)) {
599 return NULL;
600 }
601
602 pkey = EVP_PKEY_new();
603 if (pkey == NULL) {
604 OPENSSL_PUT_ERROR(PKCS8, ERR_R_MALLOC_FAILURE);
605 return NULL;
606 }
607
608 if (!EVP_PKEY_set_type(pkey, OBJ_obj2nid(algoid))) {
609 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM);
610 i2t_ASN1_OBJECT(obj_tmp, 80, algoid);
611 ERR_add_error_data(2, "TYPE=", obj_tmp);
612 goto error;
613 }
614
615 if (pkey->ameth->priv_decode) {
616 if (!pkey->ameth->priv_decode(pkey, p8)) {
617 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_PRIVATE_KEY_DECODE_ERROR);
618 goto error;
619 }
620 } else {
621 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_METHOD_NOT_SUPPORTED);
622 goto error;
623 }
624
625 return pkey;
626
627 error:
628 EVP_PKEY_free(pkey);
629 return NULL;
630 }
631
EVP_PKEY2PKCS8(EVP_PKEY * pkey)632 PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8(EVP_PKEY *pkey) {
633 PKCS8_PRIV_KEY_INFO *p8;
634
635 p8 = PKCS8_PRIV_KEY_INFO_new();
636 if (p8 == NULL) {
637 OPENSSL_PUT_ERROR(PKCS8, ERR_R_MALLOC_FAILURE);
638 return NULL;
639 }
640 p8->broken = PKCS8_OK;
641
642 if (pkey->ameth) {
643 if (pkey->ameth->priv_encode) {
644 if (!pkey->ameth->priv_encode(p8, pkey)) {
645 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_PRIVATE_KEY_ENCODE_ERROR);
646 goto error;
647 }
648 } else {
649 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_METHOD_NOT_SUPPORTED);
650 goto error;
651 }
652 } else {
653 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM);
654 goto error;
655 }
656 return p8;
657
658 error:
659 PKCS8_PRIV_KEY_INFO_free(p8);
660 return NULL;
661 }
662
663 struct pkcs12_context {
664 EVP_PKEY **out_key;
665 STACK_OF(X509) *out_certs;
666 uint8_t *password;
667 size_t password_len;
668 };
669
670 static int PKCS12_handle_content_info(CBS *content_info, unsigned depth,
671 struct pkcs12_context *ctx);
672
673 /* PKCS12_handle_content_infos parses a series of PKCS#7 ContentInfos in a
674 * SEQUENCE. */
PKCS12_handle_content_infos(CBS * content_infos,unsigned depth,struct pkcs12_context * ctx)675 static int PKCS12_handle_content_infos(CBS *content_infos,
676 unsigned depth,
677 struct pkcs12_context *ctx) {
678 uint8_t *der_bytes = NULL;
679 size_t der_len;
680 CBS in;
681 int ret = 0;
682
683 /* Generally we only expect depths 0 (the top level, with a
684 * pkcs7-encryptedData and a pkcs7-data) and depth 1 (the various PKCS#12
685 * bags). */
686 if (depth > 3) {
687 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_PKCS12_TOO_DEEPLY_NESTED);
688 return 0;
689 }
690
691 /* Although a BER->DER conversion is done at the beginning of |PKCS12_parse|,
692 * the ASN.1 data gets wrapped in OCTETSTRINGs and/or encrypted and the
693 * conversion cannot see through those wrappings. So each time we step
694 * through one we need to convert to DER again. */
695 if (!CBS_asn1_ber_to_der(content_infos, &der_bytes, &der_len)) {
696 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
697 return 0;
698 }
699
700 if (der_bytes != NULL) {
701 CBS_init(&in, der_bytes, der_len);
702 } else {
703 CBS_init(&in, CBS_data(content_infos), CBS_len(content_infos));
704 }
705
706 if (!CBS_get_asn1(&in, &in, CBS_ASN1_SEQUENCE)) {
707 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
708 goto err;
709 }
710
711 while (CBS_len(&in) > 0) {
712 CBS content_info;
713 if (!CBS_get_asn1(&in, &content_info, CBS_ASN1_SEQUENCE)) {
714 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
715 goto err;
716 }
717
718 if (!PKCS12_handle_content_info(&content_info, depth + 1, ctx)) {
719 goto err;
720 }
721 }
722
723 /* NSS includes additional data after the SEQUENCE, but it's an (unwrapped)
724 * copy of the same encrypted private key (with the same IV and
725 * ciphertext)! */
726
727 ret = 1;
728
729 err:
730 OPENSSL_free(der_bytes);
731 return ret;
732 }
733
734 /* PKCS12_handle_content_info parses a single PKCS#7 ContentInfo element in a
735 * PKCS#12 structure. */
PKCS12_handle_content_info(CBS * content_info,unsigned depth,struct pkcs12_context * ctx)736 static int PKCS12_handle_content_info(CBS *content_info, unsigned depth,
737 struct pkcs12_context *ctx) {
738 CBS content_type, wrapped_contents, contents, content_infos;
739 int nid, ret = 0;
740
741 if (!CBS_get_asn1(content_info, &content_type, CBS_ASN1_OBJECT) ||
742 !CBS_get_asn1(content_info, &wrapped_contents,
743 CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0)) {
744 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
745 goto err;
746 }
747
748 nid = OBJ_cbs2nid(&content_type);
749 if (nid == NID_pkcs7_encrypted) {
750 /* See https://tools.ietf.org/html/rfc2315#section-13.
751 *
752 * PKCS#7 encrypted data inside a PKCS#12 structure is generally an
753 * encrypted certificate bag and it's generally encrypted with 40-bit
754 * RC2-CBC. */
755 CBS version_bytes, eci, contents_type, ai, encrypted_contents;
756 X509_ALGOR *algor = NULL;
757 const uint8_t *inp;
758 uint8_t *out;
759 size_t out_len;
760
761 if (!CBS_get_asn1(&wrapped_contents, &contents, CBS_ASN1_SEQUENCE) ||
762 !CBS_get_asn1(&contents, &version_bytes, CBS_ASN1_INTEGER) ||
763 /* EncryptedContentInfo, see
764 * https://tools.ietf.org/html/rfc2315#section-10.1 */
765 !CBS_get_asn1(&contents, &eci, CBS_ASN1_SEQUENCE) ||
766 !CBS_get_asn1(&eci, &contents_type, CBS_ASN1_OBJECT) ||
767 /* AlgorithmIdentifier, see
768 * https://tools.ietf.org/html/rfc5280#section-4.1.1.2 */
769 !CBS_get_asn1_element(&eci, &ai, CBS_ASN1_SEQUENCE) ||
770 !CBS_get_asn1(&eci, &encrypted_contents,
771 CBS_ASN1_CONTEXT_SPECIFIC | 0)) {
772 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
773 goto err;
774 }
775
776 if (OBJ_cbs2nid(&contents_type) != NID_pkcs7_data ||
777 CBS_len(&ai) > LONG_MAX) {
778 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
779 goto err;
780 }
781
782 inp = CBS_data(&ai);
783 algor = d2i_X509_ALGOR(NULL, &inp, (long)CBS_len(&ai));
784 if (algor == NULL) {
785 goto err;
786 }
787 if (inp != CBS_data(&ai) + CBS_len(&ai)) {
788 X509_ALGOR_free(algor);
789 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
790 goto err;
791 }
792
793 if (!pbe_crypt(algor, ctx->password, ctx->password_len,
794 CBS_data(&encrypted_contents), CBS_len(&encrypted_contents),
795 &out, &out_len, 0 /* decrypt */)) {
796 X509_ALGOR_free(algor);
797 goto err;
798 }
799 X509_ALGOR_free(algor);
800
801 CBS_init(&content_infos, out, out_len);
802 ret = PKCS12_handle_content_infos(&content_infos, depth + 1, ctx);
803 OPENSSL_free(out);
804 } else if (nid == NID_pkcs7_data) {
805 CBS octet_string_contents;
806
807 if (!CBS_get_asn1(&wrapped_contents, &octet_string_contents,
808 CBS_ASN1_OCTETSTRING)) {
809 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
810 goto err;
811 }
812
813 ret = PKCS12_handle_content_infos(&octet_string_contents, depth + 1, ctx);
814 } else if (nid == NID_pkcs8ShroudedKeyBag) {
815 /* See ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-12/pkcs-12v1.pdf, section
816 * 4.2.2. */
817 const uint8_t *inp = CBS_data(&wrapped_contents);
818 PKCS8_PRIV_KEY_INFO *pki = NULL;
819 X509_SIG *encrypted = NULL;
820
821 if (*ctx->out_key) {
822 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_MULTIPLE_PRIVATE_KEYS_IN_PKCS12);
823 goto err;
824 }
825
826 if (CBS_len(&wrapped_contents) > LONG_MAX) {
827 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
828 goto err;
829 }
830
831 /* encrypted isn't actually an X.509 signature, but it has the same
832 * structure as one and so |X509_SIG| is reused to store it. */
833 encrypted = d2i_X509_SIG(NULL, &inp, (long)CBS_len(&wrapped_contents));
834 if (encrypted == NULL) {
835 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
836 goto err;
837 }
838 if (inp != CBS_data(&wrapped_contents) + CBS_len(&wrapped_contents)) {
839 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
840 X509_SIG_free(encrypted);
841 goto err;
842 }
843
844 pki = PKCS8_decrypt_pbe(encrypted, ctx->password, ctx->password_len);
845 X509_SIG_free(encrypted);
846 if (pki == NULL) {
847 goto err;
848 }
849
850 *ctx->out_key = EVP_PKCS82PKEY(pki);
851 PKCS8_PRIV_KEY_INFO_free(pki);
852
853 if (ctx->out_key == NULL) {
854 goto err;
855 }
856 ret = 1;
857 } else if (nid == NID_certBag) {
858 CBS cert_bag, cert_type, wrapped_cert, cert;
859
860 if (!CBS_get_asn1(&wrapped_contents, &cert_bag, CBS_ASN1_SEQUENCE) ||
861 !CBS_get_asn1(&cert_bag, &cert_type, CBS_ASN1_OBJECT) ||
862 !CBS_get_asn1(&cert_bag, &wrapped_cert,
863 CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0) ||
864 !CBS_get_asn1(&wrapped_cert, &cert, CBS_ASN1_OCTETSTRING)) {
865 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
866 goto err;
867 }
868
869 if (OBJ_cbs2nid(&cert_type) == NID_x509Certificate) {
870 if (CBS_len(&cert) > LONG_MAX) {
871 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
872 goto err;
873 }
874 const uint8_t *inp = CBS_data(&cert);
875 X509 *x509 = d2i_X509(NULL, &inp, (long)CBS_len(&cert));
876 if (!x509) {
877 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
878 goto err;
879 }
880 if (inp != CBS_data(&cert) + CBS_len(&cert)) {
881 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
882 X509_free(x509);
883 goto err;
884 }
885
886 if (0 == sk_X509_push(ctx->out_certs, x509)) {
887 X509_free(x509);
888 goto err;
889 }
890 }
891 ret = 1;
892 } else {
893 /* Unknown element type - ignore it. */
894 ret = 1;
895 }
896
897 err:
898 return ret;
899 }
900
PKCS12_get_key_and_certs(EVP_PKEY ** out_key,STACK_OF (X509)* out_certs,CBS * ber_in,const char * password)901 int PKCS12_get_key_and_certs(EVP_PKEY **out_key, STACK_OF(X509) *out_certs,
902 CBS *ber_in, const char *password) {
903 uint8_t *der_bytes = NULL;
904 size_t der_len;
905 CBS in, pfx, mac_data, authsafe, content_type, wrapped_authsafes, authsafes;
906 uint64_t version;
907 int ret = 0;
908 struct pkcs12_context ctx;
909 const size_t original_out_certs_len = sk_X509_num(out_certs);
910
911 /* The input may be in BER format. */
912 if (!CBS_asn1_ber_to_der(ber_in, &der_bytes, &der_len)) {
913 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
914 return 0;
915 }
916 if (der_bytes != NULL) {
917 CBS_init(&in, der_bytes, der_len);
918 } else {
919 CBS_init(&in, CBS_data(ber_in), CBS_len(ber_in));
920 }
921
922 *out_key = NULL;
923 memset(&ctx, 0, sizeof(ctx));
924
925 /* See ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-12/pkcs-12v1.pdf, section
926 * four. */
927 if (!CBS_get_asn1(&in, &pfx, CBS_ASN1_SEQUENCE) ||
928 CBS_len(&in) != 0 ||
929 !CBS_get_asn1_uint64(&pfx, &version)) {
930 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
931 goto err;
932 }
933
934 if (version < 3) {
935 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_VERSION);
936 goto err;
937 }
938
939 if (!CBS_get_asn1(&pfx, &authsafe, CBS_ASN1_SEQUENCE)) {
940 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
941 goto err;
942 }
943
944 if (CBS_len(&pfx) == 0) {
945 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_MISSING_MAC);
946 goto err;
947 }
948
949 if (!CBS_get_asn1(&pfx, &mac_data, CBS_ASN1_SEQUENCE)) {
950 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
951 goto err;
952 }
953
954 /* authsafe is a PKCS#7 ContentInfo. See
955 * https://tools.ietf.org/html/rfc2315#section-7. */
956 if (!CBS_get_asn1(&authsafe, &content_type, CBS_ASN1_OBJECT) ||
957 !CBS_get_asn1(&authsafe, &wrapped_authsafes,
958 CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0)) {
959 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
960 goto err;
961 }
962
963 /* The content type can either be |NID_pkcs7_data| or |NID_pkcs7_signed|. The
964 * latter indicates that it's signed by a public key, which isn't
965 * supported. */
966 if (OBJ_cbs2nid(&content_type) != NID_pkcs7_data) {
967 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_PKCS12_PUBLIC_KEY_INTEGRITY_NOT_SUPPORTED);
968 goto err;
969 }
970
971 if (!CBS_get_asn1(&wrapped_authsafes, &authsafes, CBS_ASN1_OCTETSTRING)) {
972 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
973 goto err;
974 }
975
976 ctx.out_key = out_key;
977 ctx.out_certs = out_certs;
978 if (!ascii_to_ucs2(password, strlen(password), &ctx.password,
979 &ctx.password_len)) {
980 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_DECODE_ERROR);
981 goto err;
982 }
983
984 /* Verify the MAC. */
985 {
986 CBS mac, hash_type_seq, hash_oid, salt, expected_mac;
987 uint64_t iterations;
988 int hash_nid;
989 const EVP_MD *md;
990 uint8_t hmac_key[EVP_MAX_MD_SIZE];
991 uint8_t hmac[EVP_MAX_MD_SIZE];
992 unsigned hmac_len;
993
994 if (!CBS_get_asn1(&mac_data, &mac, CBS_ASN1_SEQUENCE) ||
995 !CBS_get_asn1(&mac, &hash_type_seq, CBS_ASN1_SEQUENCE) ||
996 !CBS_get_asn1(&hash_type_seq, &hash_oid, CBS_ASN1_OBJECT) ||
997 !CBS_get_asn1(&mac, &expected_mac, CBS_ASN1_OCTETSTRING) ||
998 !CBS_get_asn1(&mac_data, &salt, CBS_ASN1_OCTETSTRING)) {
999 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
1000 goto err;
1001 }
1002
1003 /* The iteration count is optional and the default is one. */
1004 iterations = 1;
1005 if (CBS_len(&mac_data) > 0) {
1006 if (!CBS_get_asn1_uint64(&mac_data, &iterations) ||
1007 iterations > INT_MAX) {
1008 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
1009 goto err;
1010 }
1011 }
1012
1013 hash_nid = OBJ_cbs2nid(&hash_oid);
1014 if (hash_nid == NID_undef ||
1015 (md = EVP_get_digestbynid(hash_nid)) == NULL) {
1016 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_UNKNOWN_HASH);
1017 goto err;
1018 }
1019
1020 if (!pkcs12_key_gen_raw(ctx.password, ctx.password_len, CBS_data(&salt),
1021 CBS_len(&salt), PKCS12_MAC_ID, iterations,
1022 EVP_MD_size(md), hmac_key, md)) {
1023 goto err;
1024 }
1025
1026 if (NULL == HMAC(md, hmac_key, EVP_MD_size(md), CBS_data(&authsafes),
1027 CBS_len(&authsafes), hmac, &hmac_len)) {
1028 goto err;
1029 }
1030
1031 if (!CBS_mem_equal(&expected_mac, hmac, hmac_len)) {
1032 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_INCORRECT_PASSWORD);
1033 goto err;
1034 }
1035 }
1036
1037 /* authsafes contains a series of PKCS#7 ContentInfos. */
1038 if (!PKCS12_handle_content_infos(&authsafes, 0, &ctx)) {
1039 goto err;
1040 }
1041
1042 ret = 1;
1043
1044 err:
1045 OPENSSL_free(ctx.password);
1046 OPENSSL_free(der_bytes);
1047 if (!ret) {
1048 EVP_PKEY_free(*out_key);
1049 *out_key = NULL;
1050 while (sk_X509_num(out_certs) > original_out_certs_len) {
1051 X509 *x509 = sk_X509_pop(out_certs);
1052 X509_free(x509);
1053 }
1054 }
1055
1056 return ret;
1057 }
1058
PKCS12_PBE_add(void)1059 void PKCS12_PBE_add(void) {}
1060
1061 struct pkcs12_st {
1062 uint8_t *ber_bytes;
1063 size_t ber_len;
1064 };
1065
d2i_PKCS12(PKCS12 ** out_p12,const uint8_t ** ber_bytes,size_t ber_len)1066 PKCS12* d2i_PKCS12(PKCS12 **out_p12, const uint8_t **ber_bytes, size_t ber_len) {
1067 PKCS12 *p12;
1068
1069 /* out_p12 must be NULL because we don't export the PKCS12 structure. */
1070 assert(out_p12 == NULL);
1071
1072 p12 = OPENSSL_malloc(sizeof(PKCS12));
1073 if (!p12) {
1074 return NULL;
1075 }
1076
1077 p12->ber_bytes = OPENSSL_malloc(ber_len);
1078 if (!p12->ber_bytes) {
1079 OPENSSL_free(p12);
1080 return NULL;
1081 }
1082
1083 memcpy(p12->ber_bytes, *ber_bytes, ber_len);
1084 p12->ber_len = ber_len;
1085 *ber_bytes += ber_len;
1086
1087 return p12;
1088 }
1089
d2i_PKCS12_bio(BIO * bio,PKCS12 ** out_p12)1090 PKCS12* d2i_PKCS12_bio(BIO *bio, PKCS12 **out_p12) {
1091 size_t used = 0;
1092 BUF_MEM *buf;
1093 const uint8_t *dummy;
1094 static const size_t kMaxSize = 256 * 1024;
1095 PKCS12 *ret = NULL;
1096
1097 buf = BUF_MEM_new();
1098 if (buf == NULL) {
1099 return NULL;
1100 }
1101 if (BUF_MEM_grow(buf, 8192) == 0) {
1102 goto out;
1103 }
1104
1105 for (;;) {
1106 int n = BIO_read(bio, &buf->data[used], buf->length - used);
1107 if (n < 0) {
1108 goto out;
1109 }
1110
1111 if (n == 0) {
1112 break;
1113 }
1114 used += n;
1115
1116 if (used < buf->length) {
1117 continue;
1118 }
1119
1120 if (buf->length > kMaxSize ||
1121 BUF_MEM_grow(buf, buf->length * 2) == 0) {
1122 goto out;
1123 }
1124 }
1125
1126 dummy = (uint8_t*) buf->data;
1127 ret = d2i_PKCS12(out_p12, &dummy, used);
1128
1129 out:
1130 BUF_MEM_free(buf);
1131 return ret;
1132 }
1133
d2i_PKCS12_fp(FILE * fp,PKCS12 ** out_p12)1134 PKCS12* d2i_PKCS12_fp(FILE *fp, PKCS12 **out_p12) {
1135 BIO *bio;
1136 PKCS12 *ret;
1137
1138 bio = BIO_new_fp(fp, 0 /* don't take ownership */);
1139 if (!bio) {
1140 return NULL;
1141 }
1142
1143 ret = d2i_PKCS12_bio(bio, out_p12);
1144 BIO_free(bio);
1145 return ret;
1146 }
1147
PKCS12_parse(const PKCS12 * p12,const char * password,EVP_PKEY ** out_pkey,X509 ** out_cert,STACK_OF (X509)** out_ca_certs)1148 int PKCS12_parse(const PKCS12 *p12, const char *password, EVP_PKEY **out_pkey,
1149 X509 **out_cert, STACK_OF(X509) **out_ca_certs) {
1150 CBS ber_bytes;
1151 STACK_OF(X509) *ca_certs = NULL;
1152 char ca_certs_alloced = 0;
1153
1154 if (out_ca_certs != NULL && *out_ca_certs != NULL) {
1155 ca_certs = *out_ca_certs;
1156 }
1157
1158 if (!ca_certs) {
1159 ca_certs = sk_X509_new_null();
1160 if (ca_certs == NULL) {
1161 OPENSSL_PUT_ERROR(PKCS8, ERR_R_MALLOC_FAILURE);
1162 return 0;
1163 }
1164 ca_certs_alloced = 1;
1165 }
1166
1167 CBS_init(&ber_bytes, p12->ber_bytes, p12->ber_len);
1168 if (!PKCS12_get_key_and_certs(out_pkey, ca_certs, &ber_bytes, password)) {
1169 if (ca_certs_alloced) {
1170 sk_X509_free(ca_certs);
1171 }
1172 return 0;
1173 }
1174
1175 *out_cert = NULL;
1176 if (sk_X509_num(ca_certs) > 0) {
1177 *out_cert = sk_X509_shift(ca_certs);
1178 }
1179
1180 if (out_ca_certs) {
1181 *out_ca_certs = ca_certs;
1182 } else {
1183 sk_X509_pop_free(ca_certs, X509_free);
1184 }
1185
1186 return 1;
1187 }
1188
PKCS12_verify_mac(const PKCS12 * p12,const char * password,int password_len)1189 int PKCS12_verify_mac(const PKCS12 *p12, const char *password,
1190 int password_len) {
1191 if (password == NULL) {
1192 if (password_len != 0) {
1193 return 0;
1194 }
1195 } else if (password_len != -1 &&
1196 (password[password_len] != 0 ||
1197 memchr(password, 0, password_len) != NULL)) {
1198 return 0;
1199 }
1200
1201 EVP_PKEY *pkey = NULL;
1202 X509 *cert = NULL;
1203 if (!PKCS12_parse(p12, password, &pkey, &cert, NULL)) {
1204 ERR_clear_error();
1205 return 0;
1206 }
1207
1208 EVP_PKEY_free(pkey);
1209 X509_free(cert);
1210
1211 return 1;
1212 }
1213
PKCS12_free(PKCS12 * p12)1214 void PKCS12_free(PKCS12 *p12) {
1215 OPENSSL_free(p12->ber_bytes);
1216 OPENSSL_free(p12);
1217 }
1218