kris
/
boringssl
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1641 Commits
12 Branches
38 MiB
 
 
 
 
 
 
Tree: 6de0e53919
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '6de0e53919'
${ noResults }
boringssl/crypto/pkcs8/pkcs8.c

1139 lines
31 KiB
Raw Blame History 

  1. /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL

  2.  * project 1999.

  3.  */

  4. /* ====================================================================

  5.  * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.

  6.  *

  7.  * Redistribution and use in source and binary forms, with or without

  8.  * modification, are permitted provided that the following conditions

  9.  * are met:

  10.  *

  11.  * 1. Redistributions of source code must retain the above copyright

  12.  *    notice, this list of conditions and the following disclaimer.

  13.  *

  14.  * 2. Redistributions in binary form must reproduce the above copyright

  15.  *    notice, this list of conditions and the following disclaimer in

  16.  *    the documentation and/or other materials provided with the

  17.  *    distribution.

  18.  *

  19.  * 3. All advertising materials mentioning features or use of this

  20.  *    software must display the following acknowledgment:

  21.  *    "This product includes software developed by the OpenSSL Project

  22.  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"

  23.  *

  24.  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

  25.  *    endorse or promote products derived from this software without

  26.  *    prior written permission. For written permission, please contact

  27.  *    licensing@OpenSSL.org.

  28.  *

  29.  * 5. Products derived from this software may not be called "OpenSSL"

  30.  *    nor may "OpenSSL" appear in their names without prior written

  31.  *    permission of the OpenSSL Project.

  32.  *

  33.  * 6. Redistributions of any form whatsoever must retain the following

  34.  *    acknowledgment:

  35.  *    "This product includes software developed by the OpenSSL Project

  36.  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"

  37.  *

  38.  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

  39.  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  40.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

  41.  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR

  42.  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

  43.  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

  44.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

  45.  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  46.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

  47.  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

  48.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

  49.  * OF THE POSSIBILITY OF SUCH DAMAGE.

  50.  * ====================================================================

  51.  *

  52.  * This product includes cryptographic software written by Eric Young

  53.  * (eay@cryptsoft.com).  This product includes software written by Tim

  54.  * Hudson (tjh@cryptsoft.com). */

  55. 

  56. #include <openssl/pkcs8.h>

  57. 

  58. #include <assert.h>

  59. #include <limits.h>

  60. #include <string.h>

  61. 

  62. #include <openssl/asn1.h>

  63. #include <openssl/bn.h>

  64. #include <openssl/buf.h>

  65. #include <openssl/cipher.h>

  66. #include <openssl/digest.h>

  67. #include <openssl/err.h>

  68. #include <openssl/hmac.h>

  69. #include <openssl/mem.h>

  70. #include <openssl/x509.h>

  71. 

  72. #include "../bytestring/internal.h"

  73. #include "../evp/internal.h"

  74. 

  75. 

  76. #define PKCS12_KEY_ID 1

  77. #define PKCS12_IV_ID 2

  78. #define PKCS12_MAC_ID 3

  79. 

  80. static int ascii_to_ucs2(const char *ascii, size_t ascii_len,

  81.                          uint8_t **out, size_t *out_len) {

  82.   uint8_t *unitmp;

  83.   size_t ulen, i;

  84. 

  85.   ulen = ascii_len * 2 + 2;

  86.   if (ulen < ascii_len) {

  87.     return 0;

  88.   }

  89.   unitmp = OPENSSL_malloc(ulen);

  90.   if (unitmp == NULL) {

  91.     return 0;

  92.   }

  93.   for (i = 0; i < ulen - 2; i += 2) {

  94.     unitmp[i] = 0;

  95.     unitmp[i + 1] = ascii[i >> 1];

  96.   }

  97. 

  98.   /* Make result double null terminated */

  99.   unitmp[ulen - 2] = 0;

  100.   unitmp[ulen - 1] = 0;

  101.   *out_len = ulen;

  102.   *out = unitmp;

  103.   return 1;

  104. }

  105. 

  106. static int pkcs12_key_gen_raw(const uint8_t *pass_raw, size_t pass_raw_len,

  107.                               const uint8_t *salt, size_t salt_len,

  108.                               int id, int iterations,

  109.                               size_t out_len, uint8_t *out,

  110.                               const EVP_MD *md_type) {

  111.   uint8_t *B, *D, *I, *p, *Ai;

  112.   int Slen, Plen, Ilen, Ijlen;

  113.   int i, j, v;

  114.   size_t u;

  115.   int ret = 0;

  116.   BIGNUM *Ij, *Bpl1; /* These hold Ij and B + 1 */

  117.   EVP_MD_CTX ctx;

  118. 

  119.   EVP_MD_CTX_init(&ctx);

  120.   v = EVP_MD_block_size(md_type);

  121.   u = EVP_MD_size(md_type);

  122.   D = OPENSSL_malloc(v);

  123.   Ai = OPENSSL_malloc(u);

  124.   B = OPENSSL_malloc(v + 1);

  125.   Slen = v * ((salt_len + v - 1) / v);

  126.   if (pass_raw_len) {

  127.     Plen = v * ((pass_raw_len + v - 1) / v);

  128.   } else {

  129.     Plen = 0;

  130.   }

  131.   Ilen = Slen + Plen;

  132.   I = OPENSSL_malloc(Ilen);

  133.   Ij = BN_new();

  134.   Bpl1 = BN_new();

  135.   if (!D || !Ai || !B || !I || !Ij || !Bpl1) {

  136.     goto err;

  137.   }

  138.   for (i = 0; i < v; i++) {

  139.     D[i] = id;

  140.   }

  141.   p = I;

  142.   for (i = 0; i < Slen; i++) {

  143.     *p++ = salt[i % salt_len];

  144.   }

  145.   for (i = 0; i < Plen; i++) {

  146.     *p++ = pass_raw[i % pass_raw_len];

  147.   }

  148.   for (;;) {

  149.     if (!EVP_DigestInit_ex(&ctx, md_type, NULL) ||

  150.         !EVP_DigestUpdate(&ctx, D, v) ||

  151.         !EVP_DigestUpdate(&ctx, I, Ilen) ||

  152.         !EVP_DigestFinal_ex(&ctx, Ai, NULL)) {

  153.       goto err;

  154.     }

  155.     for (j = 1; j < iterations; j++) {

  156.       if (!EVP_DigestInit_ex(&ctx, md_type, NULL) ||

  157.           !EVP_DigestUpdate(&ctx, Ai, u) ||

  158.           !EVP_DigestFinal_ex(&ctx, Ai, NULL)) {

  159.         goto err;

  160.       }

  161.     }

  162.     memcpy(out, Ai, out_len < u ? out_len : u);

  163.     if (u >= out_len) {

  164.       ret = 1;

  165.       goto end;

  166.     }

  167.     out_len -= u;

  168.     out += u;

  169.     for (j = 0; j < v; j++) {

  170.       B[j] = Ai[j % u];

  171.     }

  172.     /* Work out B + 1 first then can use B as tmp space */

  173.     if (!BN_bin2bn(B, v, Bpl1) ||

  174.         !BN_add_word(Bpl1, 1)) {

  175.       goto err;

  176.     }

  177.     for (j = 0; j < Ilen; j += v) {

  178.       if (!BN_bin2bn(I + j, v, Ij) ||

  179.           !BN_add(Ij, Ij, Bpl1) ||

  180.           !BN_bn2bin(Ij, B)) {

  181.         goto err;

  182.       }

  183.       Ijlen = BN_num_bytes(Ij);

  184.       /* If more than 2^(v*8) - 1 cut off MSB */

  185.       if (Ijlen > v) {

  186.         if (!BN_bn2bin(Ij, B)) {

  187.           goto err;

  188.         }

  189.         memcpy(I + j, B + 1, v);

  190.         /* If less than v bytes pad with zeroes */

  191.       } else if (Ijlen < v) {

  192.         memset(I + j, 0, v - Ijlen);

  193.         if (!BN_bn2bin(Ij, I + j + v - Ijlen)) {

  194.           goto err;

  195.         }

  196.       } else if (!BN_bn2bin(Ij, I + j)) {

  197.         goto err;

  198.       }

  199.     }

  200.   }

  201. 

  202. err:

  203.   OPENSSL_PUT_ERROR(PKCS8, ERR_R_MALLOC_FAILURE);

  204. 

  205. end:

  206.   OPENSSL_free(Ai);

  207.   OPENSSL_free(B);

  208.   OPENSSL_free(D);

  209.   OPENSSL_free(I);

  210.   BN_free(Ij);

  211.   BN_free(Bpl1);

  212.   EVP_MD_CTX_cleanup(&ctx);

  213. 

  214.   return ret;

  215. }

  216. 

  217. static int pkcs12_pbe_keyivgen(EVP_CIPHER_CTX *ctx, const uint8_t *pass_raw,

  218.                                size_t pass_raw_len, ASN1_TYPE *param,

  219.                                const EVP_CIPHER *cipher, const EVP_MD *md,

  220.                                int is_encrypt) {

  221.   PBEPARAM *pbe;

  222.   int salt_len, iterations, ret;

  223.   uint8_t *salt;

  224.   const uint8_t *pbuf;

  225.   uint8_t key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH];

  226. 

  227.   /* Extract useful info from parameter */

  228.   if (param == NULL || param->type != V_ASN1_SEQUENCE ||

  229.       param->value.sequence == NULL) {

  230.     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_DECODE_ERROR);

  231.     return 0;

  232.   }

  233. 

  234.   pbuf = param->value.sequence->data;

  235.   pbe = d2i_PBEPARAM(NULL, &pbuf, param->value.sequence->length);

  236.   if (pbe == NULL) {

  237.     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_DECODE_ERROR);

  238.     return 0;

  239.   }

  240. 

  241.   if (!pbe->iter) {

  242.     iterations = 1;

  243.   } else {

  244.     iterations = ASN1_INTEGER_get(pbe->iter);

  245.   }

  246.   salt = pbe->salt->data;

  247.   salt_len = pbe->salt->length;

  248.   if (!pkcs12_key_gen_raw(pass_raw, pass_raw_len, salt, salt_len, PKCS12_KEY_ID,

  249.                           iterations, EVP_CIPHER_key_length(cipher), key, md)) {

  250.     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_KEY_GEN_ERROR);

  251.     PBEPARAM_free(pbe);

  252.     return 0;

  253.   }

  254.   if (!pkcs12_key_gen_raw(pass_raw, pass_raw_len, salt, salt_len, PKCS12_IV_ID,

  255.                           iterations, EVP_CIPHER_iv_length(cipher), iv, md)) {

  256.     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_KEY_GEN_ERROR);

  257.     PBEPARAM_free(pbe);

  258.     return 0;

  259.   }

  260.   PBEPARAM_free(pbe);

  261.   ret = EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, is_encrypt);

  262.   OPENSSL_cleanse(key, EVP_MAX_KEY_LENGTH);

  263.   OPENSSL_cleanse(iv, EVP_MAX_IV_LENGTH);

  264.   return ret;

  265. }

  266. 

  267. typedef int (*keygen_func)(EVP_CIPHER_CTX *ctx, const uint8_t *pass_raw,

  268.                            size_t pass_raw_len, ASN1_TYPE *param,

  269.                            const EVP_CIPHER *cipher, const EVP_MD *md,

  270.                            int is_encrypt);

  271. 

  272. struct pbe_suite {

  273.   int pbe_nid;

  274.   const EVP_CIPHER* (*cipher_func)(void);

  275.   const EVP_MD* (*md_func)(void);

  276.   keygen_func keygen;

  277. };

  278. 

  279. static const struct pbe_suite kBuiltinPBE[] = {

  280.     {

  281.      NID_pbe_WithSHA1And40BitRC2_CBC, EVP_rc2_40_cbc, EVP_sha1, pkcs12_pbe_keyivgen,

  282.     },

  283.     {

  284.      NID_pbe_WithSHA1And128BitRC4, EVP_rc4, EVP_sha1, pkcs12_pbe_keyivgen,

  285.     },

  286.     {

  287.      NID_pbe_WithSHA1And3_Key_TripleDES_CBC, EVP_des_ede3_cbc, EVP_sha1,

  288.      pkcs12_pbe_keyivgen,

  289.     },

  290. };

  291. 

  292. static int pbe_cipher_init(ASN1_OBJECT *pbe_obj,

  293.                            const uint8_t *pass_raw, size_t pass_raw_len,

  294.                            ASN1_TYPE *param,

  295.                            EVP_CIPHER_CTX *ctx, int is_encrypt) {

  296.   const EVP_CIPHER *cipher;

  297.   const EVP_MD *md;

  298.   unsigned i;

  299. 

  300.   const struct pbe_suite *suite = NULL;

  301.   const int pbe_nid = OBJ_obj2nid(pbe_obj);

  302. 

  303.   for (i = 0; i < sizeof(kBuiltinPBE) / sizeof(struct pbe_suite); i++) {

  304.     if (kBuiltinPBE[i].pbe_nid == pbe_nid) {

  305.       suite = &kBuiltinPBE[i];

  306.       break;

  307.     }

  308.   }

  309. 

  310.   if (suite == NULL) {

  311.     char obj_str[80];

  312.     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_UNKNOWN_ALGORITHM);

  313.     if (!pbe_obj) {

  314.       strncpy(obj_str, "NULL", sizeof(obj_str));

  315.     } else {

  316.       i2t_ASN1_OBJECT(obj_str, sizeof(obj_str), pbe_obj);

  317.     }

  318.     ERR_add_error_data(2, "TYPE=", obj_str);

  319.     return 0;

  320.   }

  321. 

  322.   if (suite->cipher_func == NULL) {

  323.     cipher = NULL;

  324.   } else {

  325.     cipher = suite->cipher_func();

  326.     if (!cipher) {

  327.       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_UNKNOWN_CIPHER);

  328.       return 0;

  329.     }

  330.   }

  331. 

  332.   if (suite->md_func == NULL) {

  333.     md = NULL;

  334.   } else {

  335.     md = suite->md_func();

  336.     if (!md) {

  337.       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_UNKNOWN_DIGEST);

  338.       return 0;

  339.     }

  340.   }

  341. 

  342.   if (!suite->keygen(ctx, pass_raw, pass_raw_len, param, cipher, md,

  343.                      is_encrypt)) {

  344.     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_KEYGEN_FAILURE);

  345.     return 0;

  346.   }

  347. 

  348.   return 1;

  349. }

  350. 

  351. static int pbe_crypt(const X509_ALGOR *algor,

  352.                      const uint8_t *pass_raw, size_t pass_raw_len,

  353.                      const uint8_t *in, size_t in_len,

  354.                      uint8_t **out, size_t *out_len,

  355.                      int is_encrypt) {

  356.   uint8_t *buf;

  357.   int n, ret = 0;

  358.   EVP_CIPHER_CTX ctx;

  359.   unsigned block_size;

  360. 

  361.   EVP_CIPHER_CTX_init(&ctx);

  362. 

  363.   if (!pbe_cipher_init(algor->algorithm, pass_raw, pass_raw_len,

  364.                        algor->parameter, &ctx, is_encrypt)) {

  365.     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_UNKNOWN_CIPHER_ALGORITHM);

  366.     return 0;

  367.   }

  368.   block_size = EVP_CIPHER_CTX_block_size(&ctx);

  369. 

  370.   if (in_len + block_size < in_len) {

  371.     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_TOO_LONG);

  372.     goto err;

  373.   }

  374. 

  375.   buf = OPENSSL_malloc(in_len + block_size);

  376.   if (buf == NULL) {

  377.     OPENSSL_PUT_ERROR(PKCS8, ERR_R_MALLOC_FAILURE);

  378.     goto err;

  379.   }

  380. 

  381.   if (!EVP_CipherUpdate(&ctx, buf, &n, in, in_len)) {

  382.     OPENSSL_free(buf);

  383.     OPENSSL_PUT_ERROR(PKCS8, ERR_R_EVP_LIB);

  384.     goto err;

  385.   }

  386.   *out_len = n;

  387. 

  388.   if (!EVP_CipherFinal_ex(&ctx, buf + n, &n)) {

  389.     OPENSSL_free(buf);

  390.     OPENSSL_PUT_ERROR(PKCS8, ERR_R_EVP_LIB);

  391.     goto err;

  392.   }

  393.   *out_len += n;

  394.   *out = buf;

  395.   ret = 1;

  396. 

  397. err:

  398.   EVP_CIPHER_CTX_cleanup(&ctx);

  399.   return ret;

  400. }

  401. 

  402. static void *pkcs12_item_decrypt_d2i(X509_ALGOR *algor, const ASN1_ITEM *it,

  403.                                      const uint8_t *pass_raw,

  404.                                      size_t pass_raw_len,

  405.                                      ASN1_OCTET_STRING *oct) {

  406.   uint8_t *out;

  407.   const uint8_t *p;

  408.   void *ret;

  409.   size_t out_len;

  410. 

  411.   if (!pbe_crypt(algor, pass_raw, pass_raw_len, oct->data, oct->length,

  412.                  &out, &out_len, 0 /* decrypt */)) {

  413.     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_CRYPT_ERROR);

  414.     return NULL;

  415.   }

  416.   p = out;

  417.   ret = ASN1_item_d2i(NULL, &p, out_len, it);

  418.   OPENSSL_cleanse(out, out_len);

  419.   if (!ret) {

  420.     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_DECODE_ERROR);

  421.   }

  422.   OPENSSL_free(out);

  423.   return ret;

  424. }

  425. 

  426. PKCS8_PRIV_KEY_INFO *PKCS8_decrypt(X509_SIG *pkcs8, const char *pass,

  427.                                    int pass_len) {

  428.   uint8_t *pass_raw = NULL;

  429.   size_t pass_raw_len = 0;

  430.   PKCS8_PRIV_KEY_INFO *ret;

  431. 

  432.   if (pass) {

  433.     if (pass_len == -1) {

  434.       pass_len = strlen(pass);

  435.     }

  436.     if (!ascii_to_ucs2(pass, pass_len, &pass_raw, &pass_raw_len)) {

  437.       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_DECODE_ERROR);

  438.       return NULL;

  439.     }

  440.   }

  441. 

  442.   ret = PKCS8_decrypt_pbe(pkcs8, pass_raw, pass_raw_len);

  443. 

  444.   if (pass_raw) {

  445.     OPENSSL_cleanse(pass_raw, pass_raw_len);

  446.     OPENSSL_free(pass_raw);

  447.   }

  448.   return ret;

  449. }

  450. 

  451. PKCS8_PRIV_KEY_INFO *PKCS8_decrypt_pbe(X509_SIG *pkcs8, const uint8_t *pass_raw,

  452.                                        size_t pass_raw_len) {

  453.   return pkcs12_item_decrypt_d2i(pkcs8->algor,

  454.                                  ASN1_ITEM_rptr(PKCS8_PRIV_KEY_INFO), pass_raw,

  455.                                  pass_raw_len, pkcs8->digest);

  456. }

  457. 

  458. static ASN1_OCTET_STRING *pkcs12_item_i2d_encrypt(X509_ALGOR *algor,

  459.                                                   const ASN1_ITEM *it,

  460.                                                   const uint8_t *pass_raw,

  461.                                                   size_t pass_raw_len, void *obj) {

  462.   ASN1_OCTET_STRING *oct;

  463.   uint8_t *in = NULL;

  464.   int in_len;

  465.   size_t crypt_len;

  466. 

  467.   oct = M_ASN1_OCTET_STRING_new();

  468.   if (oct == NULL) {

  469.     OPENSSL_PUT_ERROR(PKCS8, ERR_R_MALLOC_FAILURE);

  470.     return NULL;

  471.   }

  472.   in_len = ASN1_item_i2d(obj, &in, it);

  473.   if (!in) {

  474.     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_ENCODE_ERROR);

  475.     return NULL;

  476.   }

  477.   if (!pbe_crypt(algor, pass_raw, pass_raw_len, in, in_len, &oct->data, &crypt_len,

  478.                  1 /* encrypt */)) {

  479.     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_ENCRYPT_ERROR);

  480.     OPENSSL_free(in);

  481.     return NULL;

  482.   }

  483.   oct->length = crypt_len;

  484.   OPENSSL_cleanse(in, in_len);

  485.   OPENSSL_free(in);

  486.   return oct;

  487. }

  488. 

  489. X509_SIG *PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher, const char *pass,

  490.                         int pass_len, uint8_t *salt, size_t salt_len,

  491.                         int iterations, PKCS8_PRIV_KEY_INFO *p8inf) {

  492.   uint8_t *pass_raw = NULL;

  493.   size_t pass_raw_len = 0;

  494.   X509_SIG *ret;

  495. 

  496.   if (pass) {

  497.     if (pass_len == -1) {

  498.       pass_len = strlen(pass);

  499.     }

  500.     if (!ascii_to_ucs2(pass, pass_len, &pass_raw, &pass_raw_len)) {

  501.       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_DECODE_ERROR);

  502.       return NULL;

  503.     }

  504.   }

  505. 

  506.   ret = PKCS8_encrypt_pbe(pbe_nid, pass_raw, pass_raw_len,

  507.                           salt, salt_len, iterations, p8inf);

  508. 

  509.   if (pass_raw) {

  510.     OPENSSL_cleanse(pass_raw, pass_raw_len);

  511.     OPENSSL_free(pass_raw);

  512.   }

  513.   return ret;

  514. }

  515. 

  516. X509_SIG *PKCS8_encrypt_pbe(int pbe_nid,

  517.                             const uint8_t *pass_raw, size_t pass_raw_len,

  518.                             uint8_t *salt, size_t salt_len,

  519.                             int iterations, PKCS8_PRIV_KEY_INFO *p8inf) {

  520.   X509_SIG *pkcs8 = NULL;

  521.   X509_ALGOR *pbe;

  522. 

  523.   pkcs8 = X509_SIG_new();

  524.   if (pkcs8 == NULL) {

  525.     OPENSSL_PUT_ERROR(PKCS8, ERR_R_MALLOC_FAILURE);

  526.     goto err;

  527.   }

  528. 

  529.   pbe = PKCS5_pbe_set(pbe_nid, iterations, salt, salt_len);

  530.   if (!pbe) {

  531.     OPENSSL_PUT_ERROR(PKCS8, ERR_R_ASN1_LIB);

  532.     goto err;

  533.   }

  534. 

  535.   X509_ALGOR_free(pkcs8->algor);

  536.   pkcs8->algor = pbe;

  537.   M_ASN1_OCTET_STRING_free(pkcs8->digest);

  538.   pkcs8->digest = pkcs12_item_i2d_encrypt(

  539.       pbe, ASN1_ITEM_rptr(PKCS8_PRIV_KEY_INFO), pass_raw, pass_raw_len, p8inf);

  540.   if (!pkcs8->digest) {

  541.     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_ENCRYPT_ERROR);

  542.     goto err;

  543.   }

  544. 

  545.   return pkcs8;

  546. 

  547. err:

  548.   X509_SIG_free(pkcs8);

  549.   return NULL;

  550. }

  551. 

  552. EVP_PKEY *EVP_PKCS82PKEY(PKCS8_PRIV_KEY_INFO *p8) {

  553.   EVP_PKEY *pkey = NULL;

  554.   ASN1_OBJECT *algoid;

  555.   char obj_tmp[80];

  556. 

  557.   if (!PKCS8_pkey_get0(&algoid, NULL, NULL, NULL, p8)) {

  558.     return NULL;

  559.   }

  560. 

  561.   pkey = EVP_PKEY_new();

  562.   if (pkey == NULL) {

  563.     OPENSSL_PUT_ERROR(PKCS8, ERR_R_MALLOC_FAILURE);

  564.     return NULL;

  565.   }

  566. 

  567.   if (!EVP_PKEY_set_type(pkey, OBJ_obj2nid(algoid))) {

  568.     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM);

  569.     i2t_ASN1_OBJECT(obj_tmp, 80, algoid);

  570.     ERR_add_error_data(2, "TYPE=", obj_tmp);

  571.     goto error;

  572.   }

  573. 

  574.   if (pkey->ameth->priv_decode) {

  575.     if (!pkey->ameth->priv_decode(pkey, p8)) {

  576.       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_PRIVATE_KEY_DECODE_ERROR);

  577.       goto error;

  578.     }

  579.   } else {

  580.     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_METHOD_NOT_SUPPORTED);

  581.     goto error;

  582.   }

  583. 

  584.   return pkey;

  585. 

  586. error:

  587.   EVP_PKEY_free(pkey);

  588.   return NULL;

  589. }

  590. 

  591. PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8(EVP_PKEY *pkey) {

  592.   PKCS8_PRIV_KEY_INFO *p8;

  593. 

  594.   p8 = PKCS8_PRIV_KEY_INFO_new();

  595.   if (p8 == NULL) {

  596.     OPENSSL_PUT_ERROR(PKCS8, ERR_R_MALLOC_FAILURE);

  597.     return NULL;

  598.   }

  599.   p8->broken = PKCS8_OK;

  600. 

  601.   if (pkey->ameth) {

  602.     if (pkey->ameth->priv_encode) {

  603.       if (!pkey->ameth->priv_encode(p8, pkey)) {

  604.         OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_PRIVATE_KEY_ENCODE_ERROR);

  605.         goto error;

  606.       }

  607.     } else {

  608.       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_METHOD_NOT_SUPPORTED);

  609.       goto error;

  610.     }

  611.   } else {

  612.     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM);

  613.     goto error;

  614.   }

  615.   return p8;

  616. 

  617. error:

  618.   PKCS8_PRIV_KEY_INFO_free(p8);

  619.   return NULL;

  620. }

  621. 

  622. struct pkcs12_context {

  623.   EVP_PKEY **out_key;

  624.   STACK_OF(X509) *out_certs;

  625.   uint8_t *password;

  626.   size_t password_len;

  627. };

  628. 

  629. static int PKCS12_handle_content_info(CBS *content_info, unsigned depth,

  630.                                       struct pkcs12_context *ctx);

  631. 

  632. /* PKCS12_handle_content_infos parses a series of PKCS#7 ContentInfos in a

  633.  * SEQUENCE. */

  634. static int PKCS12_handle_content_infos(CBS *content_infos,

  635.                                        unsigned depth,

  636.                                        struct pkcs12_context *ctx) {

  637.   uint8_t *der_bytes = NULL;

  638.   size_t der_len;

  639.   CBS in;

  640.   int ret = 0;

  641. 

  642.   /* Generally we only expect depths 0 (the top level, with a

  643.    * pkcs7-encryptedData and a pkcs7-data) and depth 1 (the various PKCS#12

  644.    * bags). */

  645.   if (depth > 3) {

  646.     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_PKCS12_TOO_DEEPLY_NESTED);

  647.     return 0;

  648.   }

  649. 

  650.   /* Although a BER->DER conversion is done at the beginning of |PKCS12_parse|,

  651.    * the ASN.1 data gets wrapped in OCTETSTRINGs and/or encrypted and the

  652.    * conversion cannot see through those wrappings. So each time we step

  653.    * through one we need to convert to DER again. */

  654.   if (!CBS_asn1_ber_to_der(content_infos, &der_bytes, &der_len)) {

  655.     return 0;

  656.   }

  657. 

  658.   if (der_bytes != NULL) {

  659.     CBS_init(&in, der_bytes, der_len);

  660.   } else {

  661.     CBS_init(&in, CBS_data(content_infos), CBS_len(content_infos));

  662.   }

  663. 

  664.   if (!CBS_get_asn1(&in, &in, CBS_ASN1_SEQUENCE)) {

  665.     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);

  666.     goto err;

  667.   }

  668. 

  669.   while (CBS_len(&in) > 0) {

  670.     CBS content_info;

  671.     if (!CBS_get_asn1(&in, &content_info, CBS_ASN1_SEQUENCE)) {

  672.       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);

  673.       goto err;

  674.     }

  675. 

  676.     if (!PKCS12_handle_content_info(&content_info, depth + 1, ctx)) {

  677.       goto err;

  678.     }

  679.   }

  680. 

  681.   /* NSS includes additional data after the SEQUENCE, but it's an (unwrapped)

  682.    * copy of the same encrypted private key (with the same IV and

  683.    * ciphertext)! */

  684. 

  685.   ret = 1;

  686. 

  687. err:

  688.   OPENSSL_free(der_bytes);

  689.   return ret;

  690. }

  691. 

  692. /* PKCS12_handle_content_info parses a single PKCS#7 ContentInfo element in a

  693.  * PKCS#12 structure. */

  694. static int PKCS12_handle_content_info(CBS *content_info, unsigned depth,

  695.                                       struct pkcs12_context *ctx) {

  696.   CBS content_type, wrapped_contents, contents, content_infos;

  697.   int nid, ret = 0;

  698. 

  699.   if (!CBS_get_asn1(content_info, &content_type, CBS_ASN1_OBJECT) ||

  700.       !CBS_get_asn1(content_info, &wrapped_contents,

  701.                         CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0)) {

  702.     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);

  703.     goto err;

  704.   }

  705. 

  706.   nid = OBJ_cbs2nid(&content_type);

  707.   if (nid == NID_pkcs7_encrypted) {

  708.     /* See https://tools.ietf.org/html/rfc2315#section-13.

  709.      *

  710.      * PKCS#7 encrypted data inside a PKCS#12 structure is generally an

  711.      * encrypted certificate bag and it's generally encrypted with 40-bit

  712.      * RC2-CBC. */

  713.     CBS version_bytes, eci, contents_type, ai, encrypted_contents;

  714.     X509_ALGOR *algor = NULL;

  715.     const uint8_t *inp;

  716.     uint8_t *out;

  717.     size_t out_len;

  718. 

  719.     if (!CBS_get_asn1(&wrapped_contents, &contents, CBS_ASN1_SEQUENCE) ||

  720.         !CBS_get_asn1(&contents, &version_bytes, CBS_ASN1_INTEGER) ||

  721.         /* EncryptedContentInfo, see

  722.          * https://tools.ietf.org/html/rfc2315#section-10.1 */

  723.         !CBS_get_asn1(&contents, &eci, CBS_ASN1_SEQUENCE) ||

  724.         !CBS_get_asn1(&eci, &contents_type, CBS_ASN1_OBJECT) ||

  725.         /* AlgorithmIdentifier, see

  726.          * https://tools.ietf.org/html/rfc5280#section-4.1.1.2 */

  727.         !CBS_get_asn1_element(&eci, &ai, CBS_ASN1_SEQUENCE) ||

  728.         !CBS_get_asn1(&eci, &encrypted_contents,

  729.                       CBS_ASN1_CONTEXT_SPECIFIC | 0)) {

  730.       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);

  731.       goto err;

  732.     }

  733. 

  734.     if (OBJ_cbs2nid(&contents_type) != NID_pkcs7_data) {

  735.       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);

  736.       goto err;

  737.     }

  738. 

  739.     inp = CBS_data(&ai);

  740.     algor = d2i_X509_ALGOR(NULL, &inp, CBS_len(&ai));

  741.     if (algor == NULL) {

  742.       goto err;

  743.     }

  744.     if (inp != CBS_data(&ai) + CBS_len(&ai)) {

  745.       X509_ALGOR_free(algor);

  746.       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);

  747.       goto err;

  748.     }

  749. 

  750.     if (!pbe_crypt(algor, ctx->password, ctx->password_len,

  751.                    CBS_data(&encrypted_contents), CBS_len(&encrypted_contents),

  752.                    &out, &out_len, 0 /* decrypt */)) {

  753.       X509_ALGOR_free(algor);

  754.       goto err;

  755.     }

  756.     X509_ALGOR_free(algor);

  757. 

  758.     CBS_init(&content_infos, out, out_len);

  759.     ret = PKCS12_handle_content_infos(&content_infos, depth + 1, ctx);

  760.     OPENSSL_free(out);

  761.   } else if (nid == NID_pkcs7_data) {

  762.     CBS octet_string_contents;

  763. 

  764.     if (!CBS_get_asn1(&wrapped_contents, &octet_string_contents,

  765.                           CBS_ASN1_OCTETSTRING)) {

  766.       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);

  767.       goto err;

  768.     }

  769. 

  770.     ret = PKCS12_handle_content_infos(&octet_string_contents, depth + 1, ctx);

  771.   } else if (nid == NID_pkcs8ShroudedKeyBag) {

  772.     /* See ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-12/pkcs-12v1.pdf, section

  773.      * 4.2.2. */

  774.     const uint8_t *inp = CBS_data(&wrapped_contents);

  775.     PKCS8_PRIV_KEY_INFO *pki = NULL;

  776.     X509_SIG *encrypted = NULL;

  777. 

  778.     if (*ctx->out_key) {

  779.       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_MULTIPLE_PRIVATE_KEYS_IN_PKCS12);

  780.       goto err;

  781.     }

  782. 

  783.     /* encrypted isn't actually an X.509 signature, but it has the same

  784.      * structure as one and so |X509_SIG| is reused to store it. */

  785.     encrypted = d2i_X509_SIG(NULL, &inp, CBS_len(&wrapped_contents));

  786.     if (encrypted == NULL) {

  787.       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);

  788.       goto err;

  789.     }

  790.     if (inp != CBS_data(&wrapped_contents) + CBS_len(&wrapped_contents)) {

  791.       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);

  792.       X509_SIG_free(encrypted);

  793.       goto err;

  794.     }

  795. 

  796.     pki = PKCS8_decrypt_pbe(encrypted, ctx->password, ctx->password_len);

  797.     X509_SIG_free(encrypted);

  798.     if (pki == NULL) {

  799.       goto err;

  800.     }

  801. 

  802.     *ctx->out_key = EVP_PKCS82PKEY(pki);

  803.     PKCS8_PRIV_KEY_INFO_free(pki);

  804. 

  805.     if (ctx->out_key == NULL) {

  806.       goto err;

  807.     }

  808.     ret = 1;

  809.   } else if (nid == NID_certBag) {

  810.     CBS cert_bag, cert_type, wrapped_cert, cert;

  811. 

  812.     if (!CBS_get_asn1(&wrapped_contents, &cert_bag, CBS_ASN1_SEQUENCE) ||

  813.         !CBS_get_asn1(&cert_bag, &cert_type, CBS_ASN1_OBJECT) ||

  814.         !CBS_get_asn1(&cert_bag, &wrapped_cert,

  815.                       CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0) ||

  816.         !CBS_get_asn1(&wrapped_cert, &cert, CBS_ASN1_OCTETSTRING)) {

  817.       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);

  818.       goto err;

  819.     }

  820. 

  821.     if (OBJ_cbs2nid(&cert_type) == NID_x509Certificate) {

  822.       const uint8_t *inp = CBS_data(&cert);

  823.       X509 *x509 = d2i_X509(NULL, &inp, CBS_len(&cert));

  824.       if (!x509) {

  825.         OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);

  826.         goto err;

  827.       }

  828.       if (inp != CBS_data(&cert) + CBS_len(&cert)) {

  829.         OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);

  830.         X509_free(x509);

  831.         goto err;

  832.       }

  833. 

  834.       if (0 == sk_X509_push(ctx->out_certs, x509)) {

  835.         X509_free(x509);

  836.         goto err;

  837.       }

  838.     }

  839.     ret = 1;

  840.   } else {

  841.     /* Unknown element type - ignore it. */

  842.     ret = 1;

  843.   }

  844. 

  845. err:

  846.   return ret;

  847. }

  848. 

  849. int PKCS12_get_key_and_certs(EVP_PKEY **out_key, STACK_OF(X509) *out_certs,

  850.                              CBS *ber_in, const char *password) {

  851.   uint8_t *der_bytes = NULL;

  852.   size_t der_len;

  853.   CBS in, pfx, mac_data, authsafe, content_type, wrapped_authsafes, authsafes;

  854.   uint64_t version;

  855.   int ret = 0;

  856.   struct pkcs12_context ctx;

  857.   const size_t original_out_certs_len = sk_X509_num(out_certs);

  858. 

  859.   /* The input may be in BER format. */

  860.   if (!CBS_asn1_ber_to_der(ber_in, &der_bytes, &der_len)) {

  861.     return 0;

  862.   }

  863.   if (der_bytes != NULL) {

  864.     CBS_init(&in, der_bytes, der_len);

  865.   } else {

  866.     CBS_init(&in, CBS_data(ber_in), CBS_len(ber_in));

  867.   }

  868. 

  869.   *out_key = NULL;

  870.   memset(&ctx, 0, sizeof(ctx));

  871. 

  872.   /* See ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-12/pkcs-12v1.pdf, section

  873.    * four. */

  874.   if (!CBS_get_asn1(&in, &pfx, CBS_ASN1_SEQUENCE) ||

  875.       CBS_len(&in) != 0 ||

  876.       !CBS_get_asn1_uint64(&pfx, &version)) {

  877.     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);

  878.     goto err;

  879.   }

  880. 

  881.   if (version < 3) {

  882.     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_VERSION);

  883.     goto err;

  884.   }

  885. 

  886.   if (!CBS_get_asn1(&pfx, &authsafe, CBS_ASN1_SEQUENCE)) {

  887.     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);

  888.     goto err;

  889.   }

  890. 

  891.   if (CBS_len(&pfx) == 0) {

  892.     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_MISSING_MAC);

  893.     goto err;

  894.   }

  895. 

  896.   if (!CBS_get_asn1(&pfx, &mac_data, CBS_ASN1_SEQUENCE)) {

  897.     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);

  898.     goto err;

  899.   }

  900. 

  901.   /* authsafe is a PKCS#7 ContentInfo. See

  902.    * https://tools.ietf.org/html/rfc2315#section-7. */

  903.   if (!CBS_get_asn1(&authsafe, &content_type, CBS_ASN1_OBJECT) ||

  904.       !CBS_get_asn1(&authsafe, &wrapped_authsafes,

  905.                         CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0)) {

  906.     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);

  907.     goto err;

  908.   }

  909. 

  910.   /* The content type can either be |NID_pkcs7_data| or |NID_pkcs7_signed|. The

  911.    * latter indicates that it's signed by a public key, which isn't

  912.    * supported. */

  913.   if (OBJ_cbs2nid(&content_type) != NID_pkcs7_data) {

  914.     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_PKCS12_PUBLIC_KEY_INTEGRITY_NOT_SUPPORTED);

  915.     goto err;

  916.   }

  917. 

  918.   if (!CBS_get_asn1(&wrapped_authsafes, &authsafes, CBS_ASN1_OCTETSTRING)) {

  919.     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);

  920.     goto err;

  921.   }

  922. 

  923.   ctx.out_key = out_key;

  924.   ctx.out_certs = out_certs;

  925.   if (!ascii_to_ucs2(password, strlen(password), &ctx.password,

  926.                      &ctx.password_len)) {

  927.     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_DECODE_ERROR);

  928.     goto err;

  929.   }

  930. 

  931.   /* Verify the MAC. */

  932.   {

  933.     CBS mac, hash_type_seq, hash_oid, salt, expected_mac;

  934.     uint64_t iterations;

  935.     int hash_nid;

  936.     const EVP_MD *md;

  937.     uint8_t hmac_key[EVP_MAX_MD_SIZE];

  938.     uint8_t hmac[EVP_MAX_MD_SIZE];

  939.     unsigned hmac_len;

  940. 

  941.     if (!CBS_get_asn1(&mac_data, &mac, CBS_ASN1_SEQUENCE) ||

  942.         !CBS_get_asn1(&mac, &hash_type_seq, CBS_ASN1_SEQUENCE) ||

  943.         !CBS_get_asn1(&hash_type_seq, &hash_oid, CBS_ASN1_OBJECT) ||

  944.         !CBS_get_asn1(&mac, &expected_mac, CBS_ASN1_OCTETSTRING) ||

  945.         !CBS_get_asn1(&mac_data, &salt, CBS_ASN1_OCTETSTRING)) {

  946.       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);

  947.       goto err;

  948.     }

  949. 

  950.     /* The iteration count is optional and the default is one. */

  951.     iterations = 1;

  952.     if (CBS_len(&mac_data) > 0) {

  953.       if (!CBS_get_asn1_uint64(&mac_data, &iterations) ||

  954.           iterations > INT_MAX) {

  955.         OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);

  956.         goto err;

  957.       }

  958.     }

  959. 

  960.     hash_nid = OBJ_cbs2nid(&hash_oid);

  961.     if (hash_nid == NID_undef ||

  962.         (md = EVP_get_digestbynid(hash_nid)) == NULL) {

  963.       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_UNKNOWN_HASH);

  964.       goto err;

  965.     }

  966. 

  967.     if (!pkcs12_key_gen_raw(ctx.password, ctx.password_len, CBS_data(&salt),

  968.                             CBS_len(&salt), PKCS12_MAC_ID, iterations,

  969.                             EVP_MD_size(md), hmac_key, md)) {

  970.       goto err;

  971.     }

  972. 

  973.     if (NULL == HMAC(md, hmac_key, EVP_MD_size(md), CBS_data(&authsafes),

  974.                      CBS_len(&authsafes), hmac, &hmac_len)) {

  975.       goto err;

  976.     }

  977. 

  978.     if (!CBS_mem_equal(&expected_mac, hmac, hmac_len)) {

  979.       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_INCORRECT_PASSWORD);

  980.       goto err;

  981.     }

  982.   }

  983. 

  984.   /* authsafes contains a series of PKCS#7 ContentInfos. */

  985.   if (!PKCS12_handle_content_infos(&authsafes, 0, &ctx)) {

  986.     goto err;

  987.   }

  988. 

  989.   ret = 1;

  990. 

  991. err:

  992.   OPENSSL_free(ctx.password);

  993.   OPENSSL_free(der_bytes);

  994.   if (!ret) {

  995.     EVP_PKEY_free(*out_key);

  996.     *out_key = NULL;

  997.     while (sk_X509_num(out_certs) > original_out_certs_len) {

  998.       X509 *x509 = sk_X509_pop(out_certs);

  999.       X509_free(x509);

  1000.     }

  1001.   }

  1002. 

  1003.   return ret;

  1004. }

  1005. 

  1006. void PKCS12_PBE_add(void) {}

  1007. 

  1008. struct pkcs12_st {

  1009.   uint8_t *ber_bytes;

  1010.   size_t ber_len;

  1011. };

  1012. 

  1013. PKCS12* d2i_PKCS12(PKCS12 **out_p12, const uint8_t **ber_bytes, size_t ber_len) {

  1014.   PKCS12 *p12;

  1015. 

  1016.   /* out_p12 must be NULL because we don't export the PKCS12 structure. */

  1017.   assert(out_p12 == NULL);

  1018. 

  1019.   p12 = OPENSSL_malloc(sizeof(PKCS12));

  1020.   if (!p12) {

  1021.     return NULL;

  1022.   }

  1023. 

  1024.   p12->ber_bytes = OPENSSL_malloc(ber_len);

  1025.   if (!p12->ber_bytes) {

  1026.     OPENSSL_free(p12);

  1027.     return NULL;

  1028.   }

  1029. 

  1030.   memcpy(p12->ber_bytes, *ber_bytes, ber_len);

  1031.   p12->ber_len = ber_len;

  1032.   *ber_bytes += ber_len;

  1033. 

  1034.   return p12;

  1035. }

  1036. 

  1037. PKCS12* d2i_PKCS12_bio(BIO *bio, PKCS12 **out_p12) {

  1038.   size_t used = 0;

  1039.   BUF_MEM *buf;

  1040.   const uint8_t *dummy;

  1041.   static const size_t kMaxSize = 256 * 1024;

  1042.   PKCS12 *ret = NULL;

  1043. 

  1044.   buf = BUF_MEM_new();

  1045.   if (buf == NULL) {

  1046.     return NULL;

  1047.   }

  1048.   if (BUF_MEM_grow(buf, 8192) == 0) {

  1049.     goto out;

  1050.   }

  1051. 

  1052.   for (;;) {

  1053.     int n = BIO_read(bio, &buf->data[used], buf->length - used);

  1054.     if (n < 0) {

  1055.       goto out;

  1056.     }

  1057. 

  1058.     if (n == 0) {

  1059.       break;

  1060.     }

  1061.     used += n;

  1062. 

  1063.     if (used < buf->length) {

  1064.       continue;

  1065.     }

  1066. 

  1067.     if (buf->length > kMaxSize ||

  1068.         BUF_MEM_grow(buf, buf->length * 2) == 0) {

  1069.       goto out;

  1070.     }

  1071.   }

  1072. 

  1073.   dummy = (uint8_t*) buf->data;

  1074.   ret = d2i_PKCS12(out_p12, &dummy, used);

  1075. 

  1076. out:

  1077.   BUF_MEM_free(buf);

  1078.   return ret;

  1079. }

  1080. 

  1081. PKCS12* d2i_PKCS12_fp(FILE *fp, PKCS12 **out_p12) {

  1082.   BIO *bio;

  1083.   PKCS12 *ret;

  1084. 

  1085.   bio = BIO_new_fp(fp, 0 /* don't take ownership */);

  1086.   if (!bio) {

  1087.     return NULL;

  1088.   }

  1089. 

  1090.   ret = d2i_PKCS12_bio(bio, out_p12);

  1091.   BIO_free(bio);

  1092.   return ret;

  1093. }

  1094. 

  1095. int PKCS12_parse(const PKCS12 *p12, const char *password, EVP_PKEY **out_pkey,

  1096.                  X509 **out_cert, STACK_OF(X509) **out_ca_certs) {

  1097.   CBS ber_bytes;

  1098.   STACK_OF(X509) *ca_certs = NULL;

  1099.   char ca_certs_alloced = 0;

  1100. 

  1101.   if (out_ca_certs != NULL && *out_ca_certs != NULL) {

  1102.     ca_certs = *out_ca_certs;

  1103.   }

  1104. 

  1105.   if (!ca_certs) {

  1106.     ca_certs = sk_X509_new_null();

  1107.     if (ca_certs == NULL) {

  1108.       return 0;

  1109.     }

  1110.     ca_certs_alloced = 1;

  1111.   }

  1112. 

  1113.   CBS_init(&ber_bytes, p12->ber_bytes, p12->ber_len);

  1114.   if (!PKCS12_get_key_and_certs(out_pkey, ca_certs, &ber_bytes, password)) {

  1115.     if (ca_certs_alloced) {

  1116.       sk_X509_free(ca_certs);

  1117.     }

  1118.     return 0;

  1119.   }

  1120. 

  1121.   *out_cert = NULL;

  1122.   if (sk_X509_num(ca_certs) > 0) {

  1123.     *out_cert = sk_X509_shift(ca_certs);

  1124.   }

  1125. 

  1126.   if (out_ca_certs) {

  1127.     *out_ca_certs = ca_certs;

  1128.   } else {

  1129.     sk_X509_pop_free(ca_certs, X509_free);

  1130.   }

  1131. 

  1132.   return 1;

  1133. }

  1134. 

  1135. void PKCS12_free(PKCS12 *p12) {

  1136.   OPENSSL_free(p12->ber_bytes);

  1137.   OPENSSL_free(p12);

  1138. }