7ce10d5da7
PKCS8_encrypt and PKCS8_decrypt still need to be split. The code for processing PKCS#12 files is, for now, placed entirely in pkcs8_x509.c. If we need to split it up, it should be straightforward to do so. (Introduce a CRYPTO_BUFFER version of PKCS12_get_key_and_certs and go from there.) BUG=54 Change-Id: I9c87e916ec29ee14dbbd81c4d3fc10ac8a461f1a Reviewed-on: https://boringssl-review.googlesource.com/14214 Reviewed-by: Steven Valdez <svaldez@chromium.org> Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: Steven Valdez <svaldez@chromium.org> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
573 lines
17 KiB
C
573 lines
17 KiB
C
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
|
|
* project 1999.
|
|
*/
|
|
/* ====================================================================
|
|
* Copyright (c) 1999 The OpenSSL Project. All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
*
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
*
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in
|
|
* the documentation and/or other materials provided with the
|
|
* distribution.
|
|
*
|
|
* 3. All advertising materials mentioning features or use of this
|
|
* software must display the following acknowledgment:
|
|
* "This product includes software developed by the OpenSSL Project
|
|
* for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
|
|
*
|
|
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
|
|
* endorse or promote products derived from this software without
|
|
* prior written permission. For written permission, please contact
|
|
* licensing@OpenSSL.org.
|
|
*
|
|
* 5. Products derived from this software may not be called "OpenSSL"
|
|
* nor may "OpenSSL" appear in their names without prior written
|
|
* permission of the OpenSSL Project.
|
|
*
|
|
* 6. Redistributions of any form whatsoever must retain the following
|
|
* acknowledgment:
|
|
* "This product includes software developed by the OpenSSL Project
|
|
* for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
|
|
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
|
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
|
|
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
|
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
|
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
|
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
|
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
|
* OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
* ====================================================================
|
|
*
|
|
* This product includes cryptographic software written by Eric Young
|
|
* (eay@cryptsoft.com). This product includes software written by Tim
|
|
* Hudson (tjh@cryptsoft.com). */
|
|
|
|
#include <openssl/pkcs8.h>
|
|
|
|
#include <assert.h>
|
|
#include <limits.h>
|
|
#include <string.h>
|
|
|
|
#include <openssl/buf.h>
|
|
#include <openssl/bytestring.h>
|
|
#include <openssl/cipher.h>
|
|
#include <openssl/digest.h>
|
|
#include <openssl/err.h>
|
|
#include <openssl/hmac.h>
|
|
#include <openssl/mem.h>
|
|
#include <openssl/nid.h>
|
|
#include <openssl/rand.h>
|
|
#include <openssl/x509.h>
|
|
|
|
#include "internal.h"
|
|
#include "../internal.h"
|
|
|
|
|
|
static int ascii_to_ucs2(const char *ascii, size_t ascii_len,
|
|
uint8_t **out, size_t *out_len) {
|
|
size_t ulen = ascii_len * 2 + 2;
|
|
if (ascii_len * 2 < ascii_len || ulen < ascii_len * 2) {
|
|
return 0;
|
|
}
|
|
|
|
uint8_t *unitmp = OPENSSL_malloc(ulen);
|
|
if (unitmp == NULL) {
|
|
OPENSSL_PUT_ERROR(PKCS8, ERR_R_MALLOC_FAILURE);
|
|
return 0;
|
|
}
|
|
for (size_t i = 0; i < ulen - 2; i += 2) {
|
|
unitmp[i] = 0;
|
|
unitmp[i + 1] = ascii[i >> 1];
|
|
}
|
|
|
|
/* Terminate the result with a UCS-2 NUL. */
|
|
unitmp[ulen - 2] = 0;
|
|
unitmp[ulen - 1] = 0;
|
|
*out_len = ulen;
|
|
*out = unitmp;
|
|
return 1;
|
|
}
|
|
|
|
int pkcs12_key_gen(const char *pass, size_t pass_len, const uint8_t *salt,
|
|
size_t salt_len, uint8_t id, unsigned iterations,
|
|
size_t out_len, uint8_t *out, const EVP_MD *md) {
|
|
/* See https://tools.ietf.org/html/rfc7292#appendix-B. Quoted parts of the
|
|
* specification have errata applied and other typos fixed. */
|
|
|
|
if (iterations < 1) {
|
|
OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_ITERATION_COUNT);
|
|
return 0;
|
|
}
|
|
|
|
int ret = 0;
|
|
EVP_MD_CTX ctx;
|
|
EVP_MD_CTX_init(&ctx);
|
|
uint8_t *pass_raw = NULL, *I = NULL;
|
|
size_t pass_raw_len = 0, I_len = 0;
|
|
/* If |pass| is NULL, we use the empty string rather than {0, 0} as the raw
|
|
* password. */
|
|
if (pass != NULL &&
|
|
!ascii_to_ucs2(pass, pass_len, &pass_raw, &pass_raw_len)) {
|
|
goto err;
|
|
}
|
|
|
|
/* In the spec, |block_size| is called "v", but measured in bits. */
|
|
size_t block_size = EVP_MD_block_size(md);
|
|
|
|
/* 1. Construct a string, D (the "diversifier"), by concatenating v/8 copies
|
|
* of ID. */
|
|
uint8_t D[EVP_MAX_MD_BLOCK_SIZE];
|
|
OPENSSL_memset(D, id, block_size);
|
|
|
|
/* 2. Concatenate copies of the salt together to create a string S of length
|
|
* v(ceiling(s/v)) bits (the final copy of the salt may be truncated to
|
|
* create S). Note that if the salt is the empty string, then so is S.
|
|
*
|
|
* 3. Concatenate copies of the password together to create a string P of
|
|
* length v(ceiling(p/v)) bits (the final copy of the password may be
|
|
* truncated to create P). Note that if the password is the empty string,
|
|
* then so is P.
|
|
*
|
|
* 4. Set I=S||P to be the concatenation of S and P. */
|
|
if (salt_len + block_size - 1 < salt_len ||
|
|
pass_raw_len + block_size - 1 < pass_raw_len) {
|
|
OPENSSL_PUT_ERROR(PKCS8, ERR_R_OVERFLOW);
|
|
goto err;
|
|
}
|
|
size_t S_len = block_size * ((salt_len + block_size - 1) / block_size);
|
|
size_t P_len = block_size * ((pass_raw_len + block_size - 1) / block_size);
|
|
I_len = S_len + P_len;
|
|
if (I_len < S_len) {
|
|
OPENSSL_PUT_ERROR(PKCS8, ERR_R_OVERFLOW);
|
|
goto err;
|
|
}
|
|
|
|
I = OPENSSL_malloc(I_len);
|
|
if (I_len != 0 && I == NULL) {
|
|
OPENSSL_PUT_ERROR(PKCS8, ERR_R_MALLOC_FAILURE);
|
|
goto err;
|
|
}
|
|
|
|
for (size_t i = 0; i < S_len; i++) {
|
|
I[i] = salt[i % salt_len];
|
|
}
|
|
for (size_t i = 0; i < P_len; i++) {
|
|
I[i + S_len] = pass_raw[i % pass_raw_len];
|
|
}
|
|
|
|
while (out_len != 0) {
|
|
/* A. Set A_i=H^r(D||I). (i.e., the r-th hash of D||I,
|
|
* H(H(H(... H(D||I)))) */
|
|
uint8_t A[EVP_MAX_MD_SIZE];
|
|
unsigned A_len;
|
|
if (!EVP_DigestInit_ex(&ctx, md, NULL) ||
|
|
!EVP_DigestUpdate(&ctx, D, block_size) ||
|
|
!EVP_DigestUpdate(&ctx, I, I_len) ||
|
|
!EVP_DigestFinal_ex(&ctx, A, &A_len)) {
|
|
goto err;
|
|
}
|
|
for (unsigned iter = 1; iter < iterations; iter++) {
|
|
if (!EVP_DigestInit_ex(&ctx, md, NULL) ||
|
|
!EVP_DigestUpdate(&ctx, A, A_len) ||
|
|
!EVP_DigestFinal_ex(&ctx, A, &A_len)) {
|
|
goto err;
|
|
}
|
|
}
|
|
|
|
size_t todo = out_len < A_len ? out_len : A_len;
|
|
OPENSSL_memcpy(out, A, todo);
|
|
out += todo;
|
|
out_len -= todo;
|
|
if (out_len == 0) {
|
|
break;
|
|
}
|
|
|
|
/* B. Concatenate copies of A_i to create a string B of length v bits (the
|
|
* final copy of A_i may be truncated to create B). */
|
|
uint8_t B[EVP_MAX_MD_BLOCK_SIZE];
|
|
for (size_t i = 0; i < block_size; i++) {
|
|
B[i] = A[i % A_len];
|
|
}
|
|
|
|
/* C. Treating I as a concatenation I_0, I_1, ..., I_(k-1) of v-bit blocks,
|
|
* where k=ceiling(s/v)+ceiling(p/v), modify I by setting I_j=(I_j+B+1) mod
|
|
* 2^v for each j. */
|
|
assert(I_len % block_size == 0);
|
|
for (size_t i = 0; i < I_len; i += block_size) {
|
|
unsigned carry = 1;
|
|
for (size_t j = block_size - 1; j < block_size; j--) {
|
|
carry += I[i + j] + B[j];
|
|
I[i + j] = (uint8_t)carry;
|
|
carry >>= 8;
|
|
}
|
|
}
|
|
}
|
|
|
|
ret = 1;
|
|
|
|
err:
|
|
if (I != NULL) {
|
|
OPENSSL_cleanse(I, I_len);
|
|
OPENSSL_free(I);
|
|
}
|
|
if (pass_raw != NULL) {
|
|
OPENSSL_cleanse(pass_raw, pass_raw_len);
|
|
OPENSSL_free(pass_raw);
|
|
}
|
|
EVP_MD_CTX_cleanup(&ctx);
|
|
return ret;
|
|
}
|
|
|
|
static int pkcs12_pbe_cipher_init(const struct pbe_suite *suite,
|
|
EVP_CIPHER_CTX *ctx, unsigned iterations,
|
|
const char *pass, size_t pass_len,
|
|
const uint8_t *salt, size_t salt_len,
|
|
int is_encrypt) {
|
|
const EVP_CIPHER *cipher = suite->cipher_func();
|
|
const EVP_MD *md = suite->md_func();
|
|
|
|
uint8_t key[EVP_MAX_KEY_LENGTH];
|
|
uint8_t iv[EVP_MAX_IV_LENGTH];
|
|
if (!pkcs12_key_gen(pass, pass_len, salt, salt_len, PKCS12_KEY_ID, iterations,
|
|
EVP_CIPHER_key_length(cipher), key, md) ||
|
|
!pkcs12_key_gen(pass, pass_len, salt, salt_len, PKCS12_IV_ID, iterations,
|
|
EVP_CIPHER_iv_length(cipher), iv, md)) {
|
|
OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_KEY_GEN_ERROR);
|
|
return 0;
|
|
}
|
|
|
|
int ret = EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, is_encrypt);
|
|
OPENSSL_cleanse(key, EVP_MAX_KEY_LENGTH);
|
|
OPENSSL_cleanse(iv, EVP_MAX_IV_LENGTH);
|
|
return ret;
|
|
}
|
|
|
|
static int pkcs12_pbe_decrypt_init(const struct pbe_suite *suite,
|
|
EVP_CIPHER_CTX *ctx, const char *pass,
|
|
size_t pass_len, CBS *param) {
|
|
CBS pbe_param, salt;
|
|
uint64_t iterations;
|
|
if (!CBS_get_asn1(param, &pbe_param, CBS_ASN1_SEQUENCE) ||
|
|
!CBS_get_asn1(&pbe_param, &salt, CBS_ASN1_OCTETSTRING) ||
|
|
!CBS_get_asn1_uint64(&pbe_param, &iterations) ||
|
|
CBS_len(&pbe_param) != 0 ||
|
|
CBS_len(param) != 0) {
|
|
OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_DECODE_ERROR);
|
|
return 0;
|
|
}
|
|
|
|
if (iterations == 0 || iterations > UINT_MAX) {
|
|
OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_ITERATION_COUNT);
|
|
return 0;
|
|
}
|
|
|
|
return pkcs12_pbe_cipher_init(suite, ctx, (unsigned)iterations, pass,
|
|
pass_len, CBS_data(&salt), CBS_len(&salt),
|
|
0 /* decrypt */);
|
|
}
|
|
|
|
static const struct pbe_suite kBuiltinPBE[] = {
|
|
{
|
|
NID_pbe_WithSHA1And40BitRC2_CBC,
|
|
/* 1.2.840.113549.1.12.1.6 */
|
|
{0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x0c, 0x01, 0x06},
|
|
10,
|
|
EVP_rc2_40_cbc,
|
|
EVP_sha1,
|
|
pkcs12_pbe_decrypt_init,
|
|
},
|
|
{
|
|
NID_pbe_WithSHA1And128BitRC4,
|
|
/* 1.2.840.113549.1.12.1.1 */
|
|
{0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x0c, 0x01, 0x01},
|
|
10,
|
|
EVP_rc4,
|
|
EVP_sha1,
|
|
pkcs12_pbe_decrypt_init,
|
|
},
|
|
{
|
|
NID_pbe_WithSHA1And3_Key_TripleDES_CBC,
|
|
/* 1.2.840.113549.1.12.1.3 */
|
|
{0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x0c, 0x01, 0x03},
|
|
10,
|
|
EVP_des_ede3_cbc,
|
|
EVP_sha1,
|
|
pkcs12_pbe_decrypt_init,
|
|
},
|
|
{
|
|
NID_pbes2,
|
|
/* 1.2.840.113549.1.5.13 */
|
|
{0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x05, 0x0d},
|
|
9,
|
|
NULL,
|
|
NULL,
|
|
PKCS5_pbe2_decrypt_init,
|
|
},
|
|
};
|
|
|
|
static const struct pbe_suite *get_pbe_suite(int pbe_nid) {
|
|
for (unsigned i = 0; i < OPENSSL_ARRAY_SIZE(kBuiltinPBE); i++) {
|
|
if (kBuiltinPBE[i].pbe_nid == pbe_nid) {
|
|
return &kBuiltinPBE[i];
|
|
}
|
|
}
|
|
|
|
return NULL;
|
|
}
|
|
|
|
static int pkcs12_pbe_encrypt_init(CBB *out, EVP_CIPHER_CTX *ctx, int alg,
|
|
unsigned iterations, const char *pass,
|
|
size_t pass_len, const uint8_t *salt,
|
|
size_t salt_len) {
|
|
const struct pbe_suite *suite = get_pbe_suite(alg);
|
|
if (suite == NULL) {
|
|
OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_UNKNOWN_ALGORITHM);
|
|
return 0;
|
|
}
|
|
|
|
/* See RFC 2898, appendix A.3. */
|
|
CBB algorithm, oid, param, salt_cbb;
|
|
if (!CBB_add_asn1(out, &algorithm, CBS_ASN1_SEQUENCE) ||
|
|
!CBB_add_asn1(&algorithm, &oid, CBS_ASN1_OBJECT) ||
|
|
!CBB_add_bytes(&oid, suite->oid, suite->oid_len) ||
|
|
!CBB_add_asn1(&algorithm, ¶m, CBS_ASN1_SEQUENCE) ||
|
|
!CBB_add_asn1(¶m, &salt_cbb, CBS_ASN1_OCTETSTRING) ||
|
|
!CBB_add_bytes(&salt_cbb, salt, salt_len) ||
|
|
!CBB_add_asn1_uint64(¶m, iterations) ||
|
|
!CBB_flush(out)) {
|
|
return 0;
|
|
}
|
|
|
|
return pkcs12_pbe_cipher_init(suite, ctx, iterations, pass, pass_len, salt,
|
|
salt_len, 1 /* encrypt */);
|
|
}
|
|
|
|
int pkcs8_pbe_decrypt(uint8_t **out, size_t *out_len, CBS *algorithm,
|
|
const char *pass, size_t pass_len, const uint8_t *in,
|
|
size_t in_len) {
|
|
int ret = 0;
|
|
uint8_t *buf = NULL;;
|
|
EVP_CIPHER_CTX ctx;
|
|
EVP_CIPHER_CTX_init(&ctx);
|
|
|
|
CBS obj;
|
|
if (!CBS_get_asn1(algorithm, &obj, CBS_ASN1_OBJECT)) {
|
|
OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_DECODE_ERROR);
|
|
goto err;
|
|
}
|
|
|
|
const struct pbe_suite *suite = NULL;
|
|
for (unsigned i = 0; i < OPENSSL_ARRAY_SIZE(kBuiltinPBE); i++) {
|
|
if (CBS_mem_equal(&obj, kBuiltinPBE[i].oid, kBuiltinPBE[i].oid_len)) {
|
|
suite = &kBuiltinPBE[i];
|
|
break;
|
|
}
|
|
}
|
|
if (suite == NULL) {
|
|
OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_UNKNOWN_ALGORITHM);
|
|
goto err;
|
|
}
|
|
|
|
if (!suite->decrypt_init(suite, &ctx, pass, pass_len, algorithm)) {
|
|
OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_KEYGEN_FAILURE);
|
|
goto err;
|
|
}
|
|
|
|
buf = OPENSSL_malloc(in_len);
|
|
if (buf == NULL) {
|
|
OPENSSL_PUT_ERROR(PKCS8, ERR_R_MALLOC_FAILURE);
|
|
goto err;
|
|
}
|
|
|
|
if (in_len > INT_MAX) {
|
|
OPENSSL_PUT_ERROR(PKCS8, ERR_R_OVERFLOW);
|
|
goto err;
|
|
}
|
|
|
|
int n1, n2;
|
|
if (!EVP_DecryptUpdate(&ctx, buf, &n1, in, (int)in_len) ||
|
|
!EVP_DecryptFinal_ex(&ctx, buf + n1, &n2)) {
|
|
goto err;
|
|
}
|
|
|
|
*out = buf;
|
|
*out_len = n1 + n2;
|
|
ret = 1;
|
|
buf = NULL;
|
|
|
|
err:
|
|
OPENSSL_free(buf);
|
|
EVP_CIPHER_CTX_cleanup(&ctx);
|
|
return ret;
|
|
}
|
|
|
|
PKCS8_PRIV_KEY_INFO *PKCS8_decrypt(X509_SIG *pkcs8, const char *pass,
|
|
int pass_len_i) {
|
|
size_t pass_len;
|
|
if (pass_len_i == -1 && pass != NULL) {
|
|
pass_len = strlen(pass);
|
|
} else {
|
|
pass_len = (size_t)pass_len_i;
|
|
}
|
|
|
|
PKCS8_PRIV_KEY_INFO *ret = NULL;
|
|
uint8_t *in = NULL, *out = NULL;
|
|
size_t out_len = 0;
|
|
|
|
/* Convert the legacy ASN.1 object to a byte string. */
|
|
int in_len = i2d_X509_SIG(pkcs8, &in);
|
|
if (in_len < 0) {
|
|
goto err;
|
|
}
|
|
|
|
/* See RFC 5208, section 6. */
|
|
CBS cbs, epki, algorithm, ciphertext;
|
|
CBS_init(&cbs, in, in_len);
|
|
if (!CBS_get_asn1(&cbs, &epki, CBS_ASN1_SEQUENCE) ||
|
|
!CBS_get_asn1(&epki, &algorithm, CBS_ASN1_SEQUENCE) ||
|
|
!CBS_get_asn1(&epki, &ciphertext, CBS_ASN1_OCTETSTRING) ||
|
|
CBS_len(&epki) != 0 ||
|
|
CBS_len(&cbs) != 0) {
|
|
OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_DECODE_ERROR);
|
|
goto err;
|
|
}
|
|
|
|
if (!pkcs8_pbe_decrypt(&out, &out_len, &algorithm, pass, pass_len,
|
|
CBS_data(&ciphertext), CBS_len(&ciphertext))) {
|
|
goto err;
|
|
}
|
|
|
|
if (out_len > LONG_MAX) {
|
|
OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_DECODE_ERROR);
|
|
goto err;
|
|
}
|
|
|
|
/* Convert back to legacy ASN.1 objects. */
|
|
const uint8_t *ptr = out;
|
|
ret = d2i_PKCS8_PRIV_KEY_INFO(NULL, &ptr, (long)out_len);
|
|
OPENSSL_cleanse(out, out_len);
|
|
if (ret == NULL || ptr != out + out_len) {
|
|
OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_DECODE_ERROR);
|
|
PKCS8_PRIV_KEY_INFO_free(ret);
|
|
ret = NULL;
|
|
}
|
|
|
|
err:
|
|
OPENSSL_free(in);
|
|
OPENSSL_cleanse(out, out_len);
|
|
OPENSSL_free(out);
|
|
return ret;
|
|
}
|
|
|
|
X509_SIG *PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher, const char *pass,
|
|
int pass_len_i, const uint8_t *salt, size_t salt_len,
|
|
int iterations, PKCS8_PRIV_KEY_INFO *p8inf) {
|
|
size_t pass_len;
|
|
if (pass_len_i == -1 && pass != NULL) {
|
|
pass_len = strlen(pass);
|
|
} else {
|
|
pass_len = (size_t)pass_len_i;
|
|
}
|
|
|
|
X509_SIG *ret = NULL;
|
|
uint8_t *plaintext = NULL, *salt_buf = NULL, *der = NULL;
|
|
int plaintext_len = -1;
|
|
size_t der_len;
|
|
CBB cbb;
|
|
CBB_zero(&cbb);
|
|
EVP_CIPHER_CTX ctx;
|
|
EVP_CIPHER_CTX_init(&ctx);
|
|
|
|
/* Generate a random salt if necessary. */
|
|
if (salt == NULL) {
|
|
if (salt_len == 0) {
|
|
salt_len = PKCS5_SALT_LEN;
|
|
}
|
|
|
|
salt_buf = OPENSSL_malloc(salt_len);
|
|
if (salt_buf == NULL ||
|
|
!RAND_bytes(salt_buf, salt_len)) {
|
|
goto err;
|
|
}
|
|
|
|
salt = salt_buf;
|
|
}
|
|
|
|
if (iterations <= 0) {
|
|
iterations = PKCS5_DEFAULT_ITERATIONS;
|
|
}
|
|
|
|
/* Convert the input from the legacy ASN.1 format. */
|
|
plaintext_len = i2d_PKCS8_PRIV_KEY_INFO(p8inf, &plaintext);
|
|
if (plaintext_len < 0) {
|
|
goto err;
|
|
}
|
|
|
|
CBB epki;
|
|
if (!CBB_init(&cbb, 128) ||
|
|
!CBB_add_asn1(&cbb, &epki, CBS_ASN1_SEQUENCE)) {
|
|
goto err;
|
|
}
|
|
|
|
int alg_ok;
|
|
if (pbe_nid == -1) {
|
|
alg_ok = PKCS5_pbe2_encrypt_init(&epki, &ctx, cipher, (unsigned)iterations,
|
|
pass, pass_len, salt, salt_len);
|
|
} else {
|
|
alg_ok = pkcs12_pbe_encrypt_init(&epki, &ctx, pbe_nid, (unsigned)iterations,
|
|
pass, pass_len, salt, salt_len);
|
|
}
|
|
if (!alg_ok) {
|
|
goto err;
|
|
}
|
|
|
|
size_t max_out = (size_t)plaintext_len + EVP_CIPHER_CTX_block_size(&ctx);
|
|
if (max_out < (size_t)plaintext_len) {
|
|
OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_TOO_LONG);
|
|
goto err;
|
|
}
|
|
|
|
CBB ciphertext;
|
|
uint8_t *out;
|
|
int n1, n2;
|
|
if (!CBB_add_asn1(&epki, &ciphertext, CBS_ASN1_OCTETSTRING) ||
|
|
!CBB_reserve(&ciphertext, &out, max_out) ||
|
|
!EVP_CipherUpdate(&ctx, out, &n1, plaintext, plaintext_len) ||
|
|
!EVP_CipherFinal_ex(&ctx, out + n1, &n2) ||
|
|
!CBB_did_write(&ciphertext, n1 + n2) ||
|
|
!CBB_finish(&cbb, &der, &der_len)) {
|
|
goto err;
|
|
}
|
|
|
|
/* Convert back to legacy ASN.1 objects. */
|
|
const uint8_t *ptr = der;
|
|
ret = d2i_X509_SIG(NULL, &ptr, der_len);
|
|
if (ret == NULL || ptr != der + der_len) {
|
|
OPENSSL_PUT_ERROR(PKCS8, ERR_R_INTERNAL_ERROR);
|
|
X509_SIG_free(ret);
|
|
ret = NULL;
|
|
}
|
|
|
|
err:
|
|
if (plaintext_len > 0) {
|
|
OPENSSL_cleanse(plaintext, plaintext_len);
|
|
}
|
|
OPENSSL_free(plaintext);
|
|
OPENSSL_free(salt_buf);
|
|
OPENSSL_free(der);
|
|
CBB_cleanup(&cbb);
|
|
EVP_CIPHER_CTX_cleanup(&ctx);
|
|
return ret;
|
|
}
|