kris
/
boringssl
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
5152 Commits
12 Branches
38 MiB
 
 
 
 
 
 
Tree: 40d76f4f7d
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '40d76f4f7d'
${ noResults }
boringssl/crypto/pkcs8/pkcs8_x509.c

790 lines
22 KiB
Raw Blame History 

  1. /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL

  2.  * project 1999.

  3.  */

  4. /* ====================================================================

  5.  * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.

  6.  *

  7.  * Redistribution and use in source and binary forms, with or without

  8.  * modification, are permitted provided that the following conditions

  9.  * are met:

  10.  *

  11.  * 1. Redistributions of source code must retain the above copyright

  12.  *    notice, this list of conditions and the following disclaimer.

  13.  *

  14.  * 2. Redistributions in binary form must reproduce the above copyright

  15.  *    notice, this list of conditions and the following disclaimer in

  16.  *    the documentation and/or other materials provided with the

  17.  *    distribution.

  18.  *

  19.  * 3. All advertising materials mentioning features or use of this

  20.  *    software must display the following acknowledgment:

  21.  *    "This product includes software developed by the OpenSSL Project

  22.  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"

  23.  *

  24.  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

  25.  *    endorse or promote products derived from this software without

  26.  *    prior written permission. For written permission, please contact

  27.  *    licensing@OpenSSL.org.

  28.  *

  29.  * 5. Products derived from this software may not be called "OpenSSL"

  30.  *    nor may "OpenSSL" appear in their names without prior written

  31.  *    permission of the OpenSSL Project.

  32.  *

  33.  * 6. Redistributions of any form whatsoever must retain the following

  34.  *    acknowledgment:

  35.  *    "This product includes software developed by the OpenSSL Project

  36.  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"

  37.  *

  38.  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

  39.  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  40.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

  41.  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR

  42.  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

  43.  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

  44.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

  45.  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  46.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

  47.  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

  48.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

  49.  * OF THE POSSIBILITY OF SUCH DAMAGE.

  50.  * ====================================================================

  51.  *

  52.  * This product includes cryptographic software written by Eric Young

  53.  * (eay@cryptsoft.com).  This product includes software written by Tim

  54.  * Hudson (tjh@cryptsoft.com). */

  55. 

  56. #include <openssl/pkcs8.h>

  57. 

  58. #include <limits.h>

  59. 

  60. #include <openssl/asn1t.h>

  61. #include <openssl/asn1.h>

  62. #include <openssl/bio.h>

  63. #include <openssl/buf.h>

  64. #include <openssl/bytestring.h>

  65. #include <openssl/err.h>

  66. #include <openssl/evp.h>

  67. #include <openssl/digest.h>

  68. #include <openssl/hmac.h>

  69. #include <openssl/mem.h>

  70. #include <openssl/x509.h>

  71. 

  72. #include "internal.h"

  73. #include "../bytestring/internal.h"

  74. #include "../internal.h"

  75. 

  76. 

  77. // Minor tweak to operation: zero private key data

  78. static int pkey_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,

  79.                    void *exarg) {

  80.   // Since the structure must still be valid use ASN1_OP_FREE_PRE

  81.   if (operation == ASN1_OP_FREE_PRE) {

  82.     PKCS8_PRIV_KEY_INFO *key = (PKCS8_PRIV_KEY_INFO *)*pval;

  83.     if (key->pkey && key->pkey->type == V_ASN1_OCTET_STRING &&

  84.         key->pkey->value.octet_string) {

  85.       OPENSSL_cleanse(key->pkey->value.octet_string->data,

  86.                       key->pkey->value.octet_string->length);

  87.     }

  88.   }

  89.   return 1;

  90. }

  91. 

  92. ASN1_SEQUENCE_cb(PKCS8_PRIV_KEY_INFO, pkey_cb) = {

  93.   ASN1_SIMPLE(PKCS8_PRIV_KEY_INFO, version, ASN1_INTEGER),

  94.   ASN1_SIMPLE(PKCS8_PRIV_KEY_INFO, pkeyalg, X509_ALGOR),

  95.   ASN1_SIMPLE(PKCS8_PRIV_KEY_INFO, pkey, ASN1_ANY),

  96.   ASN1_IMP_SET_OF_OPT(PKCS8_PRIV_KEY_INFO, attributes, X509_ATTRIBUTE, 0)

  97. } ASN1_SEQUENCE_END_cb(PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO)

  98. 

  99. IMPLEMENT_ASN1_FUNCTIONS(PKCS8_PRIV_KEY_INFO)

  100. 

  101. EVP_PKEY *EVP_PKCS82PKEY(PKCS8_PRIV_KEY_INFO *p8) {

  102.   uint8_t *der = NULL;

  103.   int der_len = i2d_PKCS8_PRIV_KEY_INFO(p8, &der);

  104.   if (der_len < 0) {

  105.     return NULL;

  106.   }

  107. 

  108.   CBS cbs;

  109.   CBS_init(&cbs, der, (size_t)der_len);

  110.   EVP_PKEY *ret = EVP_parse_private_key(&cbs);

  111.   if (ret == NULL || CBS_len(&cbs) != 0) {

  112.     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_DECODE_ERROR);

  113.     EVP_PKEY_free(ret);

  114.     OPENSSL_free(der);

  115.     return NULL;

  116.   }

  117. 

  118.   OPENSSL_free(der);

  119.   return ret;

  120. }

  121. 

  122. PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8(EVP_PKEY *pkey) {

  123.   CBB cbb;

  124.   uint8_t *der = NULL;

  125.   size_t der_len;

  126.   if (!CBB_init(&cbb, 0) ||

  127.       !EVP_marshal_private_key(&cbb, pkey) ||

  128.       !CBB_finish(&cbb, &der, &der_len) ||

  129.       der_len > LONG_MAX) {

  130.     CBB_cleanup(&cbb);

  131.     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_ENCODE_ERROR);

  132.     goto err;

  133.   }

  134. 

  135.   const uint8_t *p = der;

  136.   PKCS8_PRIV_KEY_INFO *p8 = d2i_PKCS8_PRIV_KEY_INFO(NULL, &p, (long)der_len);

  137.   if (p8 == NULL || p != der + der_len) {

  138.     PKCS8_PRIV_KEY_INFO_free(p8);

  139.     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_DECODE_ERROR);

  140.     goto err;

  141.   }

  142. 

  143.   OPENSSL_free(der);

  144.   return p8;

  145. 

  146. err:

  147.   OPENSSL_free(der);

  148.   return NULL;

  149. }

  150. 

  151. PKCS8_PRIV_KEY_INFO *PKCS8_decrypt(X509_SIG *pkcs8, const char *pass,

  152.                                    int pass_len_in) {

  153.   size_t pass_len;

  154.   if (pass_len_in == -1 && pass != NULL) {

  155.     pass_len = strlen(pass);

  156.   } else {

  157.     pass_len = (size_t)pass_len_in;

  158.   }

  159. 

  160.   PKCS8_PRIV_KEY_INFO *ret = NULL;

  161.   EVP_PKEY *pkey = NULL;

  162.   uint8_t *in = NULL;

  163. 

  164.   // Convert the legacy ASN.1 object to a byte string.

  165.   int in_len = i2d_X509_SIG(pkcs8, &in);

  166.   if (in_len < 0) {

  167.     goto err;

  168.   }

  169. 

  170.   CBS cbs;

  171.   CBS_init(&cbs, in, in_len);

  172.   pkey = PKCS8_parse_encrypted_private_key(&cbs, pass, pass_len);

  173.   if (pkey == NULL || CBS_len(&cbs) != 0) {

  174.     goto err;

  175.   }

  176. 

  177.   ret = EVP_PKEY2PKCS8(pkey);

  178. 

  179. err:

  180.   OPENSSL_free(in);

  181.   EVP_PKEY_free(pkey);

  182.   return ret;

  183. }

  184. 

  185. X509_SIG *PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher, const char *pass,

  186.                         int pass_len_in, const uint8_t *salt, size_t salt_len,

  187.                         int iterations, PKCS8_PRIV_KEY_INFO *p8inf) {

  188.   size_t pass_len;

  189.   if (pass_len_in == -1 && pass != NULL) {

  190.     pass_len = strlen(pass);

  191.   } else {

  192.     pass_len = (size_t)pass_len_in;

  193.   }

  194. 

  195.   // Parse out the private key.

  196.   EVP_PKEY *pkey = EVP_PKCS82PKEY(p8inf);

  197.   if (pkey == NULL) {

  198.     return NULL;

  199.   }

  200. 

  201.   X509_SIG *ret = NULL;

  202.   uint8_t *der = NULL;

  203.   size_t der_len;

  204.   CBB cbb;

  205.   if (!CBB_init(&cbb, 128) ||

  206.       !PKCS8_marshal_encrypted_private_key(&cbb, pbe_nid, cipher, pass,

  207.                                            pass_len, salt, salt_len, iterations,

  208.                                            pkey) ||

  209.       !CBB_finish(&cbb, &der, &der_len)) {

  210.     CBB_cleanup(&cbb);

  211.     goto err;

  212.   }

  213. 

  214.   // Convert back to legacy ASN.1 objects.

  215.   const uint8_t *ptr = der;

  216.   ret = d2i_X509_SIG(NULL, &ptr, der_len);

  217.   if (ret == NULL || ptr != der + der_len) {

  218.     OPENSSL_PUT_ERROR(PKCS8, ERR_R_INTERNAL_ERROR);

  219.     X509_SIG_free(ret);

  220.     ret = NULL;

  221.   }

  222. 

  223. err:

  224.   OPENSSL_free(der);

  225.   EVP_PKEY_free(pkey);

  226.   return ret;

  227. }

  228. 

  229. struct pkcs12_context {

  230.   EVP_PKEY **out_key;

  231.   STACK_OF(X509) *out_certs;

  232.   const char *password;

  233.   size_t password_len;

  234. };

  235. 

  236. // PKCS12_handle_sequence parses a BER-encoded SEQUENCE of elements in a PKCS#12

  237. // structure.

  238. static int PKCS12_handle_sequence(

  239.     CBS *sequence, struct pkcs12_context *ctx,

  240.     int (*handle_element)(CBS *cbs, struct pkcs12_context *ctx)) {

  241.   uint8_t *der_bytes = NULL;

  242.   size_t der_len;

  243.   CBS in;

  244.   int ret = 0;

  245. 

  246.   // Although a BER->DER conversion is done at the beginning of |PKCS12_parse|,

  247.   // the ASN.1 data gets wrapped in OCTETSTRINGs and/or encrypted and the

  248.   // conversion cannot see through those wrappings. So each time we step

  249.   // through one we need to convert to DER again.

  250.   if (!CBS_asn1_ber_to_der(sequence, &der_bytes, &der_len)) {

  251.     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);

  252.     return 0;

  253.   }

  254. 

  255.   if (der_bytes != NULL) {

  256.     CBS_init(&in, der_bytes, der_len);

  257.   } else {

  258.     CBS_init(&in, CBS_data(sequence), CBS_len(sequence));

  259.   }

  260. 

  261.   CBS child;

  262.   if (!CBS_get_asn1(&in, &child, CBS_ASN1_SEQUENCE) ||

  263.       CBS_len(&in) != 0) {

  264.     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);

  265.     goto err;

  266.   }

  267. 

  268.   while (CBS_len(&child) > 0) {

  269.     CBS element;

  270.     if (!CBS_get_asn1(&child, &element, CBS_ASN1_SEQUENCE)) {

  271.       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);

  272.       goto err;

  273.     }

  274. 

  275.     if (!handle_element(&element, ctx)) {

  276.       goto err;

  277.     }

  278.   }

  279. 

  280.   ret = 1;

  281. 

  282. err:

  283.   OPENSSL_free(der_bytes);

  284.   return ret;

  285. }

  286. 

  287. // 1.2.840.113549.1.12.10.1.2

  288. static const uint8_t kPKCS8ShroudedKeyBag[] = {

  289.     0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x0c, 0x0a, 0x01, 0x02};

  290. 

  291. // 1.2.840.113549.1.12.10.1.3

  292. static const uint8_t kCertBag[] = {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,

  293.                                    0x01, 0x0c, 0x0a, 0x01, 0x03};

  294. 

  295. // 1.2.840.113549.1.9.22.1

  296. static const uint8_t kX509Certificate[] = {0x2a, 0x86, 0x48, 0x86, 0xf7,

  297.                                            0x0d, 0x01, 0x09, 0x16, 0x01};

  298. 

  299. // PKCS12_handle_safe_bag parses a single SafeBag element in a PKCS#12

  300. // structure.

  301. static int PKCS12_handle_safe_bag(CBS *safe_bag, struct pkcs12_context *ctx) {

  302.   CBS bag_id, wrapped_value;

  303.   if (!CBS_get_asn1(safe_bag, &bag_id, CBS_ASN1_OBJECT) ||

  304.       !CBS_get_asn1(safe_bag, &wrapped_value,

  305.                         CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0)

  306.       /* Ignore the bagAttributes field. */) {

  307.     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);

  308.     return 0;

  309.   }

  310. 

  311.   if (CBS_mem_equal(&bag_id, kPKCS8ShroudedKeyBag,

  312.                     sizeof(kPKCS8ShroudedKeyBag))) {

  313.     // See RFC 7292, section 4.2.2.

  314.     if (*ctx->out_key) {

  315.       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_MULTIPLE_PRIVATE_KEYS_IN_PKCS12);

  316.       return 0;

  317.     }

  318. 

  319.     EVP_PKEY *pkey = PKCS8_parse_encrypted_private_key(

  320.         &wrapped_value, ctx->password, ctx->password_len);

  321.     if (pkey == NULL) {

  322.       return 0;

  323.     }

  324. 

  325.     if (CBS_len(&wrapped_value) != 0) {

  326.       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);

  327.       EVP_PKEY_free(pkey);

  328.       return 0;

  329.     }

  330. 

  331.     *ctx->out_key = pkey;

  332.     return 1;

  333.   }

  334. 

  335.   if (CBS_mem_equal(&bag_id, kCertBag, sizeof(kCertBag))) {

  336.     // See RFC 7292, section 4.2.3.

  337.     CBS cert_bag, cert_type, wrapped_cert, cert;

  338.     if (!CBS_get_asn1(&wrapped_value, &cert_bag, CBS_ASN1_SEQUENCE) ||

  339.         !CBS_get_asn1(&cert_bag, &cert_type, CBS_ASN1_OBJECT) ||

  340.         !CBS_get_asn1(&cert_bag, &wrapped_cert,

  341.                       CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0) ||

  342.         !CBS_get_asn1(&wrapped_cert, &cert, CBS_ASN1_OCTETSTRING)) {

  343.       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);

  344.       return 0;

  345.     }

  346. 

  347.     // Skip unknown certificate types.

  348.     if (!CBS_mem_equal(&cert_type, kX509Certificate,

  349.                        sizeof(kX509Certificate))) {

  350.       return 1;

  351.     }

  352. 

  353.     if (CBS_len(&cert) > LONG_MAX) {

  354.       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);

  355.       return 0;

  356.     }

  357. 

  358.     const uint8_t *inp = CBS_data(&cert);

  359.     X509 *x509 = d2i_X509(NULL, &inp, (long)CBS_len(&cert));

  360.     if (!x509) {

  361.       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);

  362.       return 0;

  363.     }

  364. 

  365.     if (inp != CBS_data(&cert) + CBS_len(&cert)) {

  366.       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);

  367.       X509_free(x509);

  368.       return 0;

  369.     }

  370. 

  371.     if (0 == sk_X509_push(ctx->out_certs, x509)) {

  372.       X509_free(x509);

  373.       return 0;

  374.     }

  375. 

  376.     return 1;

  377.   }

  378. 

  379.   // Unknown element type - ignore it.

  380.   return 1;

  381. }

  382. 

  383. // 1.2.840.113549.1.7.1

  384. static const uint8_t kPKCS7Data[] = {0x2a, 0x86, 0x48, 0x86, 0xf7,

  385.                                      0x0d, 0x01, 0x07, 0x01};

  386. 

  387. // 1.2.840.113549.1.7.6

  388. static const uint8_t kPKCS7EncryptedData[] = {0x2a, 0x86, 0x48, 0x86, 0xf7,

  389.                                               0x0d, 0x01, 0x07, 0x06};

  390. 

  391. // PKCS12_handle_content_info parses a single PKCS#7 ContentInfo element in a

  392. // PKCS#12 structure.

  393. static int PKCS12_handle_content_info(CBS *content_info,

  394.                                       struct pkcs12_context *ctx) {

  395.   CBS content_type, wrapped_contents, contents;

  396.   int ret = 0;

  397.   uint8_t *storage = NULL;

  398. 

  399.   if (!CBS_get_asn1(content_info, &content_type, CBS_ASN1_OBJECT) ||

  400.       !CBS_get_asn1(content_info, &wrapped_contents,

  401.                         CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0) ||

  402.       CBS_len(content_info) != 0) {

  403.     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);

  404.     goto err;

  405.   }

  406. 

  407.   if (CBS_mem_equal(&content_type, kPKCS7EncryptedData,

  408.                     sizeof(kPKCS7EncryptedData))) {

  409.     // See https://tools.ietf.org/html/rfc2315#section-13.

  410.     //

  411.     // PKCS#7 encrypted data inside a PKCS#12 structure is generally an

  412.     // encrypted certificate bag and it's generally encrypted with 40-bit

  413.     // RC2-CBC.

  414.     CBS version_bytes, eci, contents_type, ai, encrypted_contents;

  415.     uint8_t *out;

  416.     size_t out_len;

  417. 

  418.     if (!CBS_get_asn1(&wrapped_contents, &contents, CBS_ASN1_SEQUENCE) ||

  419.         !CBS_get_asn1(&contents, &version_bytes, CBS_ASN1_INTEGER) ||

  420.         // EncryptedContentInfo, see

  421.         // https://tools.ietf.org/html/rfc2315#section-10.1

  422.         !CBS_get_asn1(&contents, &eci, CBS_ASN1_SEQUENCE) ||

  423.         !CBS_get_asn1(&eci, &contents_type, CBS_ASN1_OBJECT) ||

  424.         // AlgorithmIdentifier, see

  425.         // https://tools.ietf.org/html/rfc5280#section-4.1.1.2

  426.         !CBS_get_asn1(&eci, &ai, CBS_ASN1_SEQUENCE) ||

  427.         !CBS_get_asn1_implicit_string(

  428.             &eci, &encrypted_contents, &storage,

  429.             CBS_ASN1_CONTEXT_SPECIFIC | 0, CBS_ASN1_OCTETSTRING)) {

  430.       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);

  431.       goto err;

  432.     }

  433. 

  434.     if (!CBS_mem_equal(&contents_type, kPKCS7Data, sizeof(kPKCS7Data))) {

  435.       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);

  436.       goto err;

  437.     }

  438. 

  439.     if (!pkcs8_pbe_decrypt(&out, &out_len, &ai, ctx->password,

  440.                            ctx->password_len, CBS_data(&encrypted_contents),

  441.                            CBS_len(&encrypted_contents))) {

  442.       goto err;

  443.     }

  444. 

  445.     CBS safe_contents;

  446.     CBS_init(&safe_contents, out, out_len);

  447.     ret = PKCS12_handle_sequence(&safe_contents, ctx, PKCS12_handle_safe_bag);

  448.     OPENSSL_free(out);

  449.   } else if (CBS_mem_equal(&content_type, kPKCS7Data, sizeof(kPKCS7Data))) {

  450.     CBS octet_string_contents;

  451. 

  452.     if (!CBS_get_asn1(&wrapped_contents, &octet_string_contents,

  453.                       CBS_ASN1_OCTETSTRING)) {

  454.       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);

  455.       goto err;

  456.     }

  457. 

  458.     ret = PKCS12_handle_sequence(&octet_string_contents, ctx,

  459.                                  PKCS12_handle_safe_bag);

  460.   } else {

  461.     // Unknown element type - ignore it.

  462.     ret = 1;

  463.   }

  464. 

  465. err:

  466.   OPENSSL_free(storage);

  467.   return ret;

  468. }

  469. 

  470. int PKCS12_get_key_and_certs(EVP_PKEY **out_key, STACK_OF(X509) *out_certs,

  471.                              CBS *ber_in, const char *password) {

  472.   uint8_t *der_bytes = NULL;

  473.   size_t der_len;

  474.   CBS in, pfx, mac_data, authsafe, content_type, wrapped_authsafes, authsafes;

  475.   uint64_t version;

  476.   int ret = 0;

  477.   struct pkcs12_context ctx;

  478.   const size_t original_out_certs_len = sk_X509_num(out_certs);

  479. 

  480.   // The input may be in BER format.

  481.   if (!CBS_asn1_ber_to_der(ber_in, &der_bytes, &der_len)) {

  482.     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);

  483.     return 0;

  484.   }

  485.   if (der_bytes != NULL) {

  486.     CBS_init(&in, der_bytes, der_len);

  487.   } else {

  488.     CBS_init(&in, CBS_data(ber_in), CBS_len(ber_in));

  489.   }

  490. 

  491.   *out_key = NULL;

  492.   OPENSSL_memset(&ctx, 0, sizeof(ctx));

  493. 

  494.   // See ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-12/pkcs-12v1.pdf, section

  495.   // four.

  496.   if (!CBS_get_asn1(&in, &pfx, CBS_ASN1_SEQUENCE) ||

  497.       CBS_len(&in) != 0 ||

  498.       !CBS_get_asn1_uint64(&pfx, &version)) {

  499.     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);

  500.     goto err;

  501.   }

  502. 

  503.   if (version < 3) {

  504.     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_VERSION);

  505.     goto err;

  506.   }

  507. 

  508.   if (!CBS_get_asn1(&pfx, &authsafe, CBS_ASN1_SEQUENCE)) {

  509.     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);

  510.     goto err;

  511.   }

  512. 

  513.   if (CBS_len(&pfx) == 0) {

  514.     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_MISSING_MAC);

  515.     goto err;

  516.   }

  517. 

  518.   if (!CBS_get_asn1(&pfx, &mac_data, CBS_ASN1_SEQUENCE)) {

  519.     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);

  520.     goto err;

  521.   }

  522. 

  523.   // authsafe is a PKCS#7 ContentInfo. See

  524.   // https://tools.ietf.org/html/rfc2315#section-7.

  525.   if (!CBS_get_asn1(&authsafe, &content_type, CBS_ASN1_OBJECT) ||

  526.       !CBS_get_asn1(&authsafe, &wrapped_authsafes,

  527.                         CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0)) {

  528.     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);

  529.     goto err;

  530.   }

  531. 

  532.   // The content type can either be data or signedData. The latter indicates

  533.   // that it's signed by a public key, which isn't supported.

  534.   if (!CBS_mem_equal(&content_type, kPKCS7Data, sizeof(kPKCS7Data))) {

  535.     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_PKCS12_PUBLIC_KEY_INTEGRITY_NOT_SUPPORTED);

  536.     goto err;

  537.   }

  538. 

  539.   if (!CBS_get_asn1(&wrapped_authsafes, &authsafes, CBS_ASN1_OCTETSTRING)) {

  540.     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);

  541.     goto err;

  542.   }

  543. 

  544.   ctx.out_key = out_key;

  545.   ctx.out_certs = out_certs;

  546.   ctx.password = password;

  547.   ctx.password_len = password != NULL ? strlen(password) : 0;

  548. 

  549.   // Verify the MAC.

  550.   {

  551.     CBS mac, salt, expected_mac;

  552.     if (!CBS_get_asn1(&mac_data, &mac, CBS_ASN1_SEQUENCE)) {

  553.       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);

  554.       goto err;

  555.     }

  556. 

  557.     const EVP_MD *md = EVP_parse_digest_algorithm(&mac);

  558.     if (md == NULL) {

  559.       goto err;

  560.     }

  561. 

  562.     if (!CBS_get_asn1(&mac, &expected_mac, CBS_ASN1_OCTETSTRING) ||

  563.         !CBS_get_asn1(&mac_data, &salt, CBS_ASN1_OCTETSTRING)) {

  564.       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);

  565.       goto err;

  566.     }

  567. 

  568.     // The iteration count is optional and the default is one.

  569.     uint64_t iterations = 1;

  570.     if (CBS_len(&mac_data) > 0) {

  571.       if (!CBS_get_asn1_uint64(&mac_data, &iterations) ||

  572.           iterations > UINT_MAX) {

  573.         OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);

  574.         goto err;

  575.       }

  576.     }

  577. 

  578.     uint8_t hmac_key[EVP_MAX_MD_SIZE];

  579.     if (!pkcs12_key_gen(ctx.password, ctx.password_len, CBS_data(&salt),

  580.                         CBS_len(&salt), PKCS12_MAC_ID, iterations,

  581.                         EVP_MD_size(md), hmac_key, md)) {

  582.       goto err;

  583.     }

  584. 

  585.     uint8_t hmac[EVP_MAX_MD_SIZE];

  586.     unsigned hmac_len;

  587.     if (NULL == HMAC(md, hmac_key, EVP_MD_size(md), CBS_data(&authsafes),

  588.                      CBS_len(&authsafes), hmac, &hmac_len)) {

  589.       goto err;

  590.     }

  591. 

  592.     if (!CBS_mem_equal(&expected_mac, hmac, hmac_len)) {

  593.       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_INCORRECT_PASSWORD);

  594.       goto err;

  595.     }

  596.   }

  597. 

  598.   // authsafes contains a series of PKCS#7 ContentInfos.

  599.   if (!PKCS12_handle_sequence(&authsafes, &ctx, PKCS12_handle_content_info)) {

  600.     goto err;

  601.   }

  602. 

  603.   ret = 1;

  604. 

  605. err:

  606.   OPENSSL_free(der_bytes);

  607.   if (!ret) {

  608.     EVP_PKEY_free(*out_key);

  609.     *out_key = NULL;

  610.     while (sk_X509_num(out_certs) > original_out_certs_len) {

  611.       X509 *x509 = sk_X509_pop(out_certs);

  612.       X509_free(x509);

  613.     }

  614.   }

  615. 

  616.   return ret;

  617. }

  618. 

  619. void PKCS12_PBE_add(void) {}

  620. 

  621. struct pkcs12_st {

  622.   uint8_t *ber_bytes;

  623.   size_t ber_len;

  624. };

  625. 

  626. PKCS12 *d2i_PKCS12(PKCS12 **out_p12, const uint8_t **ber_bytes,

  627.                    size_t ber_len) {

  628.   PKCS12 *p12;

  629. 

  630.   p12 = OPENSSL_malloc(sizeof(PKCS12));

  631.   if (!p12) {

  632.     return NULL;

  633.   }

  634. 

  635.   p12->ber_bytes = OPENSSL_malloc(ber_len);

  636.   if (!p12->ber_bytes) {

  637.     OPENSSL_free(p12);

  638.     return NULL;

  639.   }

  640. 

  641.   OPENSSL_memcpy(p12->ber_bytes, *ber_bytes, ber_len);

  642.   p12->ber_len = ber_len;

  643.   *ber_bytes += ber_len;

  644. 

  645.   if (out_p12) {

  646.     PKCS12_free(*out_p12);

  647. 

  648.     *out_p12 = p12;

  649.   }

  650. 

  651.   return p12;

  652. }

  653. 

  654. PKCS12* d2i_PKCS12_bio(BIO *bio, PKCS12 **out_p12) {

  655.   size_t used = 0;

  656.   BUF_MEM *buf;

  657.   const uint8_t *dummy;

  658.   static const size_t kMaxSize = 256 * 1024;

  659.   PKCS12 *ret = NULL;

  660. 

  661.   buf = BUF_MEM_new();

  662.   if (buf == NULL) {

  663.     return NULL;

  664.   }

  665.   if (BUF_MEM_grow(buf, 8192) == 0) {

  666.     goto out;

  667.   }

  668. 

  669.   for (;;) {

  670.     int n = BIO_read(bio, &buf->data[used], buf->length - used);

  671.     if (n < 0) {

  672.       if (used == 0) {

  673.         goto out;

  674.       }

  675.       // Workaround a bug in node.js. It uses a memory BIO for this in the wrong

  676.       // mode.

  677.       n = 0;

  678.     }

  679. 

  680.     if (n == 0) {

  681.       break;

  682.     }

  683.     used += n;

  684. 

  685.     if (used < buf->length) {

  686.       continue;

  687.     }

  688. 

  689.     if (buf->length > kMaxSize ||

  690.         BUF_MEM_grow(buf, buf->length * 2) == 0) {

  691.       goto out;

  692.     }

  693.   }

  694. 

  695.   dummy = (uint8_t*) buf->data;

  696.   ret = d2i_PKCS12(out_p12, &dummy, used);

  697. 

  698. out:

  699.   BUF_MEM_free(buf);

  700.   return ret;

  701. }

  702. 

  703. PKCS12* d2i_PKCS12_fp(FILE *fp, PKCS12 **out_p12) {

  704.   BIO *bio;

  705.   PKCS12 *ret;

  706. 

  707.   bio = BIO_new_fp(fp, 0 /* don't take ownership */);

  708.   if (!bio) {

  709.     return NULL;

  710.   }

  711. 

  712.   ret = d2i_PKCS12_bio(bio, out_p12);

  713.   BIO_free(bio);

  714.   return ret;

  715. }

  716. 

  717. int PKCS12_parse(const PKCS12 *p12, const char *password, EVP_PKEY **out_pkey,

  718.                  X509 **out_cert, STACK_OF(X509) **out_ca_certs) {

  719.   CBS ber_bytes;

  720.   STACK_OF(X509) *ca_certs = NULL;

  721.   char ca_certs_alloced = 0;

  722. 

  723.   if (out_ca_certs != NULL && *out_ca_certs != NULL) {

  724.     ca_certs = *out_ca_certs;

  725.   }

  726. 

  727.   if (!ca_certs) {

  728.     ca_certs = sk_X509_new_null();

  729.     if (ca_certs == NULL) {

  730.       OPENSSL_PUT_ERROR(PKCS8, ERR_R_MALLOC_FAILURE);

  731.       return 0;

  732.     }

  733.     ca_certs_alloced = 1;

  734.   }

  735. 

  736.   CBS_init(&ber_bytes, p12->ber_bytes, p12->ber_len);

  737.   if (!PKCS12_get_key_and_certs(out_pkey, ca_certs, &ber_bytes, password)) {

  738.     if (ca_certs_alloced) {

  739.       sk_X509_free(ca_certs);

  740.     }

  741.     return 0;

  742.   }

  743. 

  744.   *out_cert = NULL;

  745.   if (sk_X509_num(ca_certs) > 0) {

  746.     *out_cert = sk_X509_shift(ca_certs);

  747.   }

  748. 

  749.   if (out_ca_certs) {

  750.     *out_ca_certs = ca_certs;

  751.   } else {

  752.     sk_X509_pop_free(ca_certs, X509_free);

  753.   }

  754. 

  755.   return 1;

  756. }

  757. 

  758. int PKCS12_verify_mac(const PKCS12 *p12, const char *password,

  759.                       int password_len) {

  760.   if (password == NULL) {

  761.     if (password_len != 0) {

  762.       return 0;

  763.     }

  764.   } else if (password_len != -1 &&

  765.              (password[password_len] != 0 ||

  766.               OPENSSL_memchr(password, 0, password_len) != NULL)) {

  767.     return 0;

  768.   }

  769. 

  770.   EVP_PKEY *pkey = NULL;

  771.   X509 *cert = NULL;

  772.   if (!PKCS12_parse(p12, password, &pkey, &cert, NULL)) {

  773.     ERR_clear_error();

  774.     return 0;

  775.   }

  776. 

  777.   EVP_PKEY_free(pkey);

  778.   X509_free(cert);

  779. 

  780.   return 1;

  781. }

  782. 

  783. void PKCS12_free(PKCS12 *p12) {

  784.   if (p12 == NULL) {

  785.     return;

  786.   }

  787.   OPENSSL_free(p12->ber_bytes);

  788.   OPENSSL_free(p12);

  789. }