1 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
2 * project 1999.
3 */
4 /* ====================================================================
5 * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 *
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 *
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in
16 * the documentation and/or other materials provided with the
17 * distribution.
18 *
19 * 3. All advertising materials mentioning features or use of this
20 * software must display the following acknowledgment:
21 * "This product includes software developed by the OpenSSL Project
22 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
23 *
24 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
25 * endorse or promote products derived from this software without
26 * prior written permission. For written permission, please contact
27 * licensing@OpenSSL.org.
28 *
29 * 5. Products derived from this software may not be called "OpenSSL"
30 * nor may "OpenSSL" appear in their names without prior written
31 * permission of the OpenSSL Project.
32 *
33 * 6. Redistributions of any form whatsoever must retain the following
34 * acknowledgment:
35 * "This product includes software developed by the OpenSSL Project
36 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
37 *
38 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
39 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
40 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
41 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
42 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
43 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
44 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
45 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
46 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
47 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
48 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
49 * OF THE POSSIBILITY OF SUCH DAMAGE.
50 * ====================================================================
51 *
52 * This product includes cryptographic software written by Eric Young
53 * (eay@cryptsoft.com). This product includes software written by Tim
54 * Hudson (tjh@cryptsoft.com). */
55
56 #include <openssl/pkcs8.h>
57
58 #include <limits.h>
59
60 #include <openssl/asn1t.h>
61 #include <openssl/asn1.h>
62 #include <openssl/bio.h>
63 #include <openssl/buf.h>
64 #include <openssl/bytestring.h>
65 #include <openssl/err.h>
66 #include <openssl/evp.h>
67 #include <openssl/digest.h>
68 #include <openssl/hmac.h>
69 #include <openssl/mem.h>
70 #include <openssl/x509.h>
71
72 #include "internal.h"
73 #include "../bytestring/internal.h"
74 #include "../internal.h"
75
76
77 // Minor tweak to operation: zero private key data
pkey_cb(int operation,ASN1_VALUE ** pval,const ASN1_ITEM * it,void * exarg)78 static int pkey_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
79 void *exarg) {
80 // Since the structure must still be valid use ASN1_OP_FREE_PRE
81 if (operation == ASN1_OP_FREE_PRE) {
82 PKCS8_PRIV_KEY_INFO *key = (PKCS8_PRIV_KEY_INFO *)*pval;
83 if (key->pkey && key->pkey->type == V_ASN1_OCTET_STRING &&
84 key->pkey->value.octet_string) {
85 OPENSSL_cleanse(key->pkey->value.octet_string->data,
86 key->pkey->value.octet_string->length);
87 }
88 }
89 return 1;
90 }
91
92 ASN1_SEQUENCE_cb(PKCS8_PRIV_KEY_INFO, pkey_cb) = {
93 ASN1_SIMPLE(PKCS8_PRIV_KEY_INFO, version, ASN1_INTEGER),
94 ASN1_SIMPLE(PKCS8_PRIV_KEY_INFO, pkeyalg, X509_ALGOR),
95 ASN1_SIMPLE(PKCS8_PRIV_KEY_INFO, pkey, ASN1_ANY),
96 ASN1_IMP_SET_OF_OPT(PKCS8_PRIV_KEY_INFO, attributes, X509_ATTRIBUTE, 0)
97 } ASN1_SEQUENCE_END_cb(PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO)
98
99 IMPLEMENT_ASN1_FUNCTIONS(PKCS8_PRIV_KEY_INFO)
100
101 EVP_PKEY *EVP_PKCS82PKEY(PKCS8_PRIV_KEY_INFO *p8) {
102 uint8_t *der = NULL;
103 int der_len = i2d_PKCS8_PRIV_KEY_INFO(p8, &der);
104 if (der_len < 0) {
105 return NULL;
106 }
107
108 CBS cbs;
109 CBS_init(&cbs, der, (size_t)der_len);
110 EVP_PKEY *ret = EVP_parse_private_key(&cbs);
111 if (ret == NULL || CBS_len(&cbs) != 0) {
112 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_DECODE_ERROR);
113 EVP_PKEY_free(ret);
114 OPENSSL_free(der);
115 return NULL;
116 }
117
118 OPENSSL_free(der);
119 return ret;
120 }
121
EVP_PKEY2PKCS8(EVP_PKEY * pkey)122 PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8(EVP_PKEY *pkey) {
123 CBB cbb;
124 uint8_t *der = NULL;
125 size_t der_len;
126 if (!CBB_init(&cbb, 0) ||
127 !EVP_marshal_private_key(&cbb, pkey) ||
128 !CBB_finish(&cbb, &der, &der_len) ||
129 der_len > LONG_MAX) {
130 CBB_cleanup(&cbb);
131 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_ENCODE_ERROR);
132 goto err;
133 }
134
135 const uint8_t *p = der;
136 PKCS8_PRIV_KEY_INFO *p8 = d2i_PKCS8_PRIV_KEY_INFO(NULL, &p, (long)der_len);
137 if (p8 == NULL || p != der + der_len) {
138 PKCS8_PRIV_KEY_INFO_free(p8);
139 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_DECODE_ERROR);
140 goto err;
141 }
142
143 OPENSSL_free(der);
144 return p8;
145
146 err:
147 OPENSSL_free(der);
148 return NULL;
149 }
150
PKCS8_decrypt(X509_SIG * pkcs8,const char * pass,int pass_len_in)151 PKCS8_PRIV_KEY_INFO *PKCS8_decrypt(X509_SIG *pkcs8, const char *pass,
152 int pass_len_in) {
153 size_t pass_len;
154 if (pass_len_in == -1 && pass != NULL) {
155 pass_len = strlen(pass);
156 } else {
157 pass_len = (size_t)pass_len_in;
158 }
159
160 PKCS8_PRIV_KEY_INFO *ret = NULL;
161 EVP_PKEY *pkey = NULL;
162 uint8_t *in = NULL;
163
164 // Convert the legacy ASN.1 object to a byte string.
165 int in_len = i2d_X509_SIG(pkcs8, &in);
166 if (in_len < 0) {
167 goto err;
168 }
169
170 CBS cbs;
171 CBS_init(&cbs, in, in_len);
172 pkey = PKCS8_parse_encrypted_private_key(&cbs, pass, pass_len);
173 if (pkey == NULL || CBS_len(&cbs) != 0) {
174 goto err;
175 }
176
177 ret = EVP_PKEY2PKCS8(pkey);
178
179 err:
180 OPENSSL_free(in);
181 EVP_PKEY_free(pkey);
182 return ret;
183 }
184
PKCS8_encrypt(int pbe_nid,const EVP_CIPHER * cipher,const char * pass,int pass_len_in,const uint8_t * salt,size_t salt_len,int iterations,PKCS8_PRIV_KEY_INFO * p8inf)185 X509_SIG *PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher, const char *pass,
186 int pass_len_in, const uint8_t *salt, size_t salt_len,
187 int iterations, PKCS8_PRIV_KEY_INFO *p8inf) {
188 size_t pass_len;
189 if (pass_len_in == -1 && pass != NULL) {
190 pass_len = strlen(pass);
191 } else {
192 pass_len = (size_t)pass_len_in;
193 }
194
195 // Parse out the private key.
196 EVP_PKEY *pkey = EVP_PKCS82PKEY(p8inf);
197 if (pkey == NULL) {
198 return NULL;
199 }
200
201 X509_SIG *ret = NULL;
202 uint8_t *der = NULL;
203 size_t der_len;
204 CBB cbb;
205 if (!CBB_init(&cbb, 128) ||
206 !PKCS8_marshal_encrypted_private_key(&cbb, pbe_nid, cipher, pass,
207 pass_len, salt, salt_len, iterations,
208 pkey) ||
209 !CBB_finish(&cbb, &der, &der_len)) {
210 CBB_cleanup(&cbb);
211 goto err;
212 }
213
214 // Convert back to legacy ASN.1 objects.
215 const uint8_t *ptr = der;
216 ret = d2i_X509_SIG(NULL, &ptr, der_len);
217 if (ret == NULL || ptr != der + der_len) {
218 OPENSSL_PUT_ERROR(PKCS8, ERR_R_INTERNAL_ERROR);
219 X509_SIG_free(ret);
220 ret = NULL;
221 }
222
223 err:
224 OPENSSL_free(der);
225 EVP_PKEY_free(pkey);
226 return ret;
227 }
228
229 struct pkcs12_context {
230 EVP_PKEY **out_key;
231 STACK_OF(X509) *out_certs;
232 const char *password;
233 size_t password_len;
234 };
235
236 // PKCS12_handle_sequence parses a BER-encoded SEQUENCE of elements in a PKCS#12
237 // structure.
PKCS12_handle_sequence(CBS * sequence,struct pkcs12_context * ctx,int (* handle_element)(CBS * cbs,struct pkcs12_context * ctx))238 static int PKCS12_handle_sequence(
239 CBS *sequence, struct pkcs12_context *ctx,
240 int (*handle_element)(CBS *cbs, struct pkcs12_context *ctx)) {
241 uint8_t *der_bytes = NULL;
242 size_t der_len;
243 CBS in;
244 int ret = 0;
245
246 // Although a BER->DER conversion is done at the beginning of |PKCS12_parse|,
247 // the ASN.1 data gets wrapped in OCTETSTRINGs and/or encrypted and the
248 // conversion cannot see through those wrappings. So each time we step
249 // through one we need to convert to DER again.
250 if (!CBS_asn1_ber_to_der(sequence, &der_bytes, &der_len)) {
251 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
252 return 0;
253 }
254
255 if (der_bytes != NULL) {
256 CBS_init(&in, der_bytes, der_len);
257 } else {
258 CBS_init(&in, CBS_data(sequence), CBS_len(sequence));
259 }
260
261 CBS child;
262 if (!CBS_get_asn1(&in, &child, CBS_ASN1_SEQUENCE) ||
263 CBS_len(&in) != 0) {
264 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
265 goto err;
266 }
267
268 while (CBS_len(&child) > 0) {
269 CBS element;
270 if (!CBS_get_asn1(&child, &element, CBS_ASN1_SEQUENCE)) {
271 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
272 goto err;
273 }
274
275 if (!handle_element(&element, ctx)) {
276 goto err;
277 }
278 }
279
280 ret = 1;
281
282 err:
283 OPENSSL_free(der_bytes);
284 return ret;
285 }
286
287 // 1.2.840.113549.1.12.10.1.2
288 static const uint8_t kPKCS8ShroudedKeyBag[] = {
289 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x0c, 0x0a, 0x01, 0x02};
290
291 // 1.2.840.113549.1.12.10.1.3
292 static const uint8_t kCertBag[] = {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
293 0x01, 0x0c, 0x0a, 0x01, 0x03};
294
295 // 1.2.840.113549.1.9.22.1
296 static const uint8_t kX509Certificate[] = {0x2a, 0x86, 0x48, 0x86, 0xf7,
297 0x0d, 0x01, 0x09, 0x16, 0x01};
298
299 // PKCS12_handle_safe_bag parses a single SafeBag element in a PKCS#12
300 // structure.
PKCS12_handle_safe_bag(CBS * safe_bag,struct pkcs12_context * ctx)301 static int PKCS12_handle_safe_bag(CBS *safe_bag, struct pkcs12_context *ctx) {
302 CBS bag_id, wrapped_value;
303 if (!CBS_get_asn1(safe_bag, &bag_id, CBS_ASN1_OBJECT) ||
304 !CBS_get_asn1(safe_bag, &wrapped_value,
305 CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0)
306 /* Ignore the bagAttributes field. */) {
307 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
308 return 0;
309 }
310
311 if (CBS_mem_equal(&bag_id, kPKCS8ShroudedKeyBag,
312 sizeof(kPKCS8ShroudedKeyBag))) {
313 // See RFC 7292, section 4.2.2.
314 if (*ctx->out_key) {
315 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_MULTIPLE_PRIVATE_KEYS_IN_PKCS12);
316 return 0;
317 }
318
319 EVP_PKEY *pkey = PKCS8_parse_encrypted_private_key(
320 &wrapped_value, ctx->password, ctx->password_len);
321 if (pkey == NULL) {
322 return 0;
323 }
324
325 if (CBS_len(&wrapped_value) != 0) {
326 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
327 EVP_PKEY_free(pkey);
328 return 0;
329 }
330
331 *ctx->out_key = pkey;
332 return 1;
333 }
334
335 if (CBS_mem_equal(&bag_id, kCertBag, sizeof(kCertBag))) {
336 // See RFC 7292, section 4.2.3.
337 CBS cert_bag, cert_type, wrapped_cert, cert;
338 if (!CBS_get_asn1(&wrapped_value, &cert_bag, CBS_ASN1_SEQUENCE) ||
339 !CBS_get_asn1(&cert_bag, &cert_type, CBS_ASN1_OBJECT) ||
340 !CBS_get_asn1(&cert_bag, &wrapped_cert,
341 CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0) ||
342 !CBS_get_asn1(&wrapped_cert, &cert, CBS_ASN1_OCTETSTRING)) {
343 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
344 return 0;
345 }
346
347 // Skip unknown certificate types.
348 if (!CBS_mem_equal(&cert_type, kX509Certificate,
349 sizeof(kX509Certificate))) {
350 return 1;
351 }
352
353 if (CBS_len(&cert) > LONG_MAX) {
354 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
355 return 0;
356 }
357
358 const uint8_t *inp = CBS_data(&cert);
359 X509 *x509 = d2i_X509(NULL, &inp, (long)CBS_len(&cert));
360 if (!x509) {
361 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
362 return 0;
363 }
364
365 if (inp != CBS_data(&cert) + CBS_len(&cert)) {
366 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
367 X509_free(x509);
368 return 0;
369 }
370
371 if (0 == sk_X509_push(ctx->out_certs, x509)) {
372 X509_free(x509);
373 return 0;
374 }
375
376 return 1;
377 }
378
379 // Unknown element type - ignore it.
380 return 1;
381 }
382
383 // 1.2.840.113549.1.7.1
384 static const uint8_t kPKCS7Data[] = {0x2a, 0x86, 0x48, 0x86, 0xf7,
385 0x0d, 0x01, 0x07, 0x01};
386
387 // 1.2.840.113549.1.7.6
388 static const uint8_t kPKCS7EncryptedData[] = {0x2a, 0x86, 0x48, 0x86, 0xf7,
389 0x0d, 0x01, 0x07, 0x06};
390
391 // PKCS12_handle_content_info parses a single PKCS#7 ContentInfo element in a
392 // PKCS#12 structure.
PKCS12_handle_content_info(CBS * content_info,struct pkcs12_context * ctx)393 static int PKCS12_handle_content_info(CBS *content_info,
394 struct pkcs12_context *ctx) {
395 CBS content_type, wrapped_contents, contents;
396 int ret = 0;
397 uint8_t *storage = NULL;
398
399 if (!CBS_get_asn1(content_info, &content_type, CBS_ASN1_OBJECT) ||
400 !CBS_get_asn1(content_info, &wrapped_contents,
401 CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0) ||
402 CBS_len(content_info) != 0) {
403 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
404 goto err;
405 }
406
407 if (CBS_mem_equal(&content_type, kPKCS7EncryptedData,
408 sizeof(kPKCS7EncryptedData))) {
409 // See https://tools.ietf.org/html/rfc2315#section-13.
410 //
411 // PKCS#7 encrypted data inside a PKCS#12 structure is generally an
412 // encrypted certificate bag and it's generally encrypted with 40-bit
413 // RC2-CBC.
414 CBS version_bytes, eci, contents_type, ai, encrypted_contents;
415 uint8_t *out;
416 size_t out_len;
417
418 if (!CBS_get_asn1(&wrapped_contents, &contents, CBS_ASN1_SEQUENCE) ||
419 !CBS_get_asn1(&contents, &version_bytes, CBS_ASN1_INTEGER) ||
420 // EncryptedContentInfo, see
421 // https://tools.ietf.org/html/rfc2315#section-10.1
422 !CBS_get_asn1(&contents, &eci, CBS_ASN1_SEQUENCE) ||
423 !CBS_get_asn1(&eci, &contents_type, CBS_ASN1_OBJECT) ||
424 // AlgorithmIdentifier, see
425 // https://tools.ietf.org/html/rfc5280#section-4.1.1.2
426 !CBS_get_asn1(&eci, &ai, CBS_ASN1_SEQUENCE) ||
427 !CBS_get_asn1_implicit_string(
428 &eci, &encrypted_contents, &storage,
429 CBS_ASN1_CONTEXT_SPECIFIC | 0, CBS_ASN1_OCTETSTRING)) {
430 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
431 goto err;
432 }
433
434 if (!CBS_mem_equal(&contents_type, kPKCS7Data, sizeof(kPKCS7Data))) {
435 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
436 goto err;
437 }
438
439 if (!pkcs8_pbe_decrypt(&out, &out_len, &ai, ctx->password,
440 ctx->password_len, CBS_data(&encrypted_contents),
441 CBS_len(&encrypted_contents))) {
442 goto err;
443 }
444
445 CBS safe_contents;
446 CBS_init(&safe_contents, out, out_len);
447 ret = PKCS12_handle_sequence(&safe_contents, ctx, PKCS12_handle_safe_bag);
448 OPENSSL_free(out);
449 } else if (CBS_mem_equal(&content_type, kPKCS7Data, sizeof(kPKCS7Data))) {
450 CBS octet_string_contents;
451
452 if (!CBS_get_asn1(&wrapped_contents, &octet_string_contents,
453 CBS_ASN1_OCTETSTRING)) {
454 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
455 goto err;
456 }
457
458 ret = PKCS12_handle_sequence(&octet_string_contents, ctx,
459 PKCS12_handle_safe_bag);
460 } else {
461 // Unknown element type - ignore it.
462 ret = 1;
463 }
464
465 err:
466 OPENSSL_free(storage);
467 return ret;
468 }
469
PKCS12_get_key_and_certs(EVP_PKEY ** out_key,STACK_OF (X509)* out_certs,CBS * ber_in,const char * password)470 int PKCS12_get_key_and_certs(EVP_PKEY **out_key, STACK_OF(X509) *out_certs,
471 CBS *ber_in, const char *password) {
472 uint8_t *der_bytes = NULL;
473 size_t der_len;
474 CBS in, pfx, mac_data, authsafe, content_type, wrapped_authsafes, authsafes;
475 uint64_t version;
476 int ret = 0;
477 struct pkcs12_context ctx;
478 const size_t original_out_certs_len = sk_X509_num(out_certs);
479
480 // The input may be in BER format.
481 if (!CBS_asn1_ber_to_der(ber_in, &der_bytes, &der_len)) {
482 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
483 return 0;
484 }
485 if (der_bytes != NULL) {
486 CBS_init(&in, der_bytes, der_len);
487 } else {
488 CBS_init(&in, CBS_data(ber_in), CBS_len(ber_in));
489 }
490
491 *out_key = NULL;
492 OPENSSL_memset(&ctx, 0, sizeof(ctx));
493
494 // See ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-12/pkcs-12v1.pdf, section
495 // four.
496 if (!CBS_get_asn1(&in, &pfx, CBS_ASN1_SEQUENCE) ||
497 CBS_len(&in) != 0 ||
498 !CBS_get_asn1_uint64(&pfx, &version)) {
499 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
500 goto err;
501 }
502
503 if (version < 3) {
504 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_VERSION);
505 goto err;
506 }
507
508 if (!CBS_get_asn1(&pfx, &authsafe, CBS_ASN1_SEQUENCE)) {
509 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
510 goto err;
511 }
512
513 if (CBS_len(&pfx) == 0) {
514 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_MISSING_MAC);
515 goto err;
516 }
517
518 if (!CBS_get_asn1(&pfx, &mac_data, CBS_ASN1_SEQUENCE)) {
519 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
520 goto err;
521 }
522
523 // authsafe is a PKCS#7 ContentInfo. See
524 // https://tools.ietf.org/html/rfc2315#section-7.
525 if (!CBS_get_asn1(&authsafe, &content_type, CBS_ASN1_OBJECT) ||
526 !CBS_get_asn1(&authsafe, &wrapped_authsafes,
527 CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0)) {
528 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
529 goto err;
530 }
531
532 // The content type can either be data or signedData. The latter indicates
533 // that it's signed by a public key, which isn't supported.
534 if (!CBS_mem_equal(&content_type, kPKCS7Data, sizeof(kPKCS7Data))) {
535 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_PKCS12_PUBLIC_KEY_INTEGRITY_NOT_SUPPORTED);
536 goto err;
537 }
538
539 if (!CBS_get_asn1(&wrapped_authsafes, &authsafes, CBS_ASN1_OCTETSTRING)) {
540 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
541 goto err;
542 }
543
544 ctx.out_key = out_key;
545 ctx.out_certs = out_certs;
546 ctx.password = password;
547 ctx.password_len = password != NULL ? strlen(password) : 0;
548
549 // Verify the MAC.
550 {
551 CBS mac, salt, expected_mac;
552 if (!CBS_get_asn1(&mac_data, &mac, CBS_ASN1_SEQUENCE)) {
553 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
554 goto err;
555 }
556
557 const EVP_MD *md = EVP_parse_digest_algorithm(&mac);
558 if (md == NULL) {
559 goto err;
560 }
561
562 if (!CBS_get_asn1(&mac, &expected_mac, CBS_ASN1_OCTETSTRING) ||
563 !CBS_get_asn1(&mac_data, &salt, CBS_ASN1_OCTETSTRING)) {
564 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
565 goto err;
566 }
567
568 // The iteration count is optional and the default is one.
569 uint64_t iterations = 1;
570 if (CBS_len(&mac_data) > 0) {
571 if (!CBS_get_asn1_uint64(&mac_data, &iterations) ||
572 iterations > UINT_MAX) {
573 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
574 goto err;
575 }
576 }
577
578 uint8_t hmac_key[EVP_MAX_MD_SIZE];
579 if (!pkcs12_key_gen(ctx.password, ctx.password_len, CBS_data(&salt),
580 CBS_len(&salt), PKCS12_MAC_ID, iterations,
581 EVP_MD_size(md), hmac_key, md)) {
582 goto err;
583 }
584
585 uint8_t hmac[EVP_MAX_MD_SIZE];
586 unsigned hmac_len;
587 if (NULL == HMAC(md, hmac_key, EVP_MD_size(md), CBS_data(&authsafes),
588 CBS_len(&authsafes), hmac, &hmac_len)) {
589 goto err;
590 }
591
592 if (!CBS_mem_equal(&expected_mac, hmac, hmac_len)) {
593 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_INCORRECT_PASSWORD);
594 goto err;
595 }
596 }
597
598 // authsafes contains a series of PKCS#7 ContentInfos.
599 if (!PKCS12_handle_sequence(&authsafes, &ctx, PKCS12_handle_content_info)) {
600 goto err;
601 }
602
603 ret = 1;
604
605 err:
606 OPENSSL_free(der_bytes);
607 if (!ret) {
608 EVP_PKEY_free(*out_key);
609 *out_key = NULL;
610 while (sk_X509_num(out_certs) > original_out_certs_len) {
611 X509 *x509 = sk_X509_pop(out_certs);
612 X509_free(x509);
613 }
614 }
615
616 return ret;
617 }
618
PKCS12_PBE_add(void)619 void PKCS12_PBE_add(void) {}
620
621 struct pkcs12_st {
622 uint8_t *ber_bytes;
623 size_t ber_len;
624 };
625
d2i_PKCS12(PKCS12 ** out_p12,const uint8_t ** ber_bytes,size_t ber_len)626 PKCS12 *d2i_PKCS12(PKCS12 **out_p12, const uint8_t **ber_bytes,
627 size_t ber_len) {
628 PKCS12 *p12;
629
630 p12 = OPENSSL_malloc(sizeof(PKCS12));
631 if (!p12) {
632 return NULL;
633 }
634
635 p12->ber_bytes = OPENSSL_malloc(ber_len);
636 if (!p12->ber_bytes) {
637 OPENSSL_free(p12);
638 return NULL;
639 }
640
641 OPENSSL_memcpy(p12->ber_bytes, *ber_bytes, ber_len);
642 p12->ber_len = ber_len;
643 *ber_bytes += ber_len;
644
645 if (out_p12) {
646 PKCS12_free(*out_p12);
647
648 *out_p12 = p12;
649 }
650
651 return p12;
652 }
653
d2i_PKCS12_bio(BIO * bio,PKCS12 ** out_p12)654 PKCS12* d2i_PKCS12_bio(BIO *bio, PKCS12 **out_p12) {
655 size_t used = 0;
656 BUF_MEM *buf;
657 const uint8_t *dummy;
658 static const size_t kMaxSize = 256 * 1024;
659 PKCS12 *ret = NULL;
660
661 buf = BUF_MEM_new();
662 if (buf == NULL) {
663 return NULL;
664 }
665 if (BUF_MEM_grow(buf, 8192) == 0) {
666 goto out;
667 }
668
669 for (;;) {
670 int n = BIO_read(bio, &buf->data[used], buf->length - used);
671 if (n < 0) {
672 if (used == 0) {
673 goto out;
674 }
675 // Workaround a bug in node.js. It uses a memory BIO for this in the wrong
676 // mode.
677 n = 0;
678 }
679
680 if (n == 0) {
681 break;
682 }
683 used += n;
684
685 if (used < buf->length) {
686 continue;
687 }
688
689 if (buf->length > kMaxSize ||
690 BUF_MEM_grow(buf, buf->length * 2) == 0) {
691 goto out;
692 }
693 }
694
695 dummy = (uint8_t*) buf->data;
696 ret = d2i_PKCS12(out_p12, &dummy, used);
697
698 out:
699 BUF_MEM_free(buf);
700 return ret;
701 }
702
d2i_PKCS12_fp(FILE * fp,PKCS12 ** out_p12)703 PKCS12* d2i_PKCS12_fp(FILE *fp, PKCS12 **out_p12) {
704 BIO *bio;
705 PKCS12 *ret;
706
707 bio = BIO_new_fp(fp, 0 /* don't take ownership */);
708 if (!bio) {
709 return NULL;
710 }
711
712 ret = d2i_PKCS12_bio(bio, out_p12);
713 BIO_free(bio);
714 return ret;
715 }
716
PKCS12_parse(const PKCS12 * p12,const char * password,EVP_PKEY ** out_pkey,X509 ** out_cert,STACK_OF (X509)** out_ca_certs)717 int PKCS12_parse(const PKCS12 *p12, const char *password, EVP_PKEY **out_pkey,
718 X509 **out_cert, STACK_OF(X509) **out_ca_certs) {
719 CBS ber_bytes;
720 STACK_OF(X509) *ca_certs = NULL;
721 char ca_certs_alloced = 0;
722
723 if (out_ca_certs != NULL && *out_ca_certs != NULL) {
724 ca_certs = *out_ca_certs;
725 }
726
727 if (!ca_certs) {
728 ca_certs = sk_X509_new_null();
729 if (ca_certs == NULL) {
730 OPENSSL_PUT_ERROR(PKCS8, ERR_R_MALLOC_FAILURE);
731 return 0;
732 }
733 ca_certs_alloced = 1;
734 }
735
736 CBS_init(&ber_bytes, p12->ber_bytes, p12->ber_len);
737 if (!PKCS12_get_key_and_certs(out_pkey, ca_certs, &ber_bytes, password)) {
738 if (ca_certs_alloced) {
739 sk_X509_free(ca_certs);
740 }
741 return 0;
742 }
743
744 *out_cert = NULL;
745 if (sk_X509_num(ca_certs) > 0) {
746 *out_cert = sk_X509_shift(ca_certs);
747 }
748
749 if (out_ca_certs) {
750 *out_ca_certs = ca_certs;
751 } else {
752 sk_X509_pop_free(ca_certs, X509_free);
753 }
754
755 return 1;
756 }
757
PKCS12_verify_mac(const PKCS12 * p12,const char * password,int password_len)758 int PKCS12_verify_mac(const PKCS12 *p12, const char *password,
759 int password_len) {
760 if (password == NULL) {
761 if (password_len != 0) {
762 return 0;
763 }
764 } else if (password_len != -1 &&
765 (password[password_len] != 0 ||
766 OPENSSL_memchr(password, 0, password_len) != NULL)) {
767 return 0;
768 }
769
770 EVP_PKEY *pkey = NULL;
771 X509 *cert = NULL;
772 if (!PKCS12_parse(p12, password, &pkey, &cert, NULL)) {
773 ERR_clear_error();
774 return 0;
775 }
776
777 EVP_PKEY_free(pkey);
778 X509_free(cert);
779
780 return 1;
781 }
782
PKCS12_free(PKCS12 * p12)783 void PKCS12_free(PKCS12 *p12) {
784 if (p12 == NULL) {
785 return;
786 }
787 OPENSSL_free(p12->ber_bytes);
788 OPENSSL_free(p12);
789 }
790