kris
/
boringssl
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
893 Commits
12 Branches
38 MiB
 
 
 
 
 
 
Tree: ac6900b0d3
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'ac6900b0d3'
${ noResults }
boringssl/crypto/pkcs8/pkcs8.c

1156 lines
33 KiB
Raw Blame History 

  1. /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL

  2.  * project 1999.

  3.  */

  4. /* ====================================================================

  5.  * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.

  6.  *

  7.  * Redistribution and use in source and binary forms, with or without

  8.  * modification, are permitted provided that the following conditions

  9.  * are met:

  10.  *

  11.  * 1. Redistributions of source code must retain the above copyright

  12.  *    notice, this list of conditions and the following disclaimer.

  13.  *

  14.  * 2. Redistributions in binary form must reproduce the above copyright

  15.  *    notice, this list of conditions and the following disclaimer in

  16.  *    the documentation and/or other materials provided with the

  17.  *    distribution.

  18.  *

  19.  * 3. All advertising materials mentioning features or use of this

  20.  *    software must display the following acknowledgment:

  21.  *    "This product includes software developed by the OpenSSL Project

  22.  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"

  23.  *

  24.  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

  25.  *    endorse or promote products derived from this software without

  26.  *    prior written permission. For written permission, please contact

  27.  *    licensing@OpenSSL.org.

  28.  *

  29.  * 5. Products derived from this software may not be called "OpenSSL"

  30.  *    nor may "OpenSSL" appear in their names without prior written

  31.  *    permission of the OpenSSL Project.

  32.  *

  33.  * 6. Redistributions of any form whatsoever must retain the following

  34.  *    acknowledgment:

  35.  *    "This product includes software developed by the OpenSSL Project

  36.  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"

  37.  *

  38.  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

  39.  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  40.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

  41.  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR

  42.  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

  43.  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

  44.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

  45.  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  46.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

  47.  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

  48.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

  49.  * OF THE POSSIBILITY OF SUCH DAMAGE.

  50.  * ====================================================================

  51.  *

  52.  * This product includes cryptographic software written by Eric Young

  53.  * (eay@cryptsoft.com).  This product includes software written by Tim

  54.  * Hudson (tjh@cryptsoft.com). */

  55. 

  56. #include <openssl/pkcs8.h>

  57. 

  58. #include <assert.h>

  59. #include <limits.h>

  60. #include <string.h>

  61. 

  62. #include <openssl/asn1.h>

  63. #include <openssl/bn.h>

  64. #include <openssl/buf.h>

  65. #include <openssl/cipher.h>

  66. #include <openssl/digest.h>

  67. #include <openssl/err.h>

  68. #include <openssl/hmac.h>

  69. #include <openssl/mem.h>

  70. #include <openssl/x509.h>

  71. 

  72. #include "../bytestring/internal.h"

  73. #include "../evp/internal.h"

  74. 

  75. 

  76. #define PKCS12_KEY_ID 1

  77. #define PKCS12_IV_ID 2

  78. #define PKCS12_MAC_ID 3

  79. 

  80. static int ascii_to_ucs2(const char *ascii, size_t ascii_len,

  81.                          uint8_t **out, size_t *out_len) {

  82.   uint8_t *unitmp;

  83.   size_t ulen, i;

  84. 

  85.   ulen = ascii_len * 2 + 2;

  86.   if (ulen < ascii_len) {

  87.     return 0;

  88.   }

  89.   unitmp = OPENSSL_malloc(ulen);

  90.   if (unitmp == NULL) {

  91.     return 0;

  92.   }

  93.   for (i = 0; i < ulen - 2; i += 2) {

  94.     unitmp[i] = 0;

  95.     unitmp[i + 1] = ascii[i >> 1];

  96.   }

  97. 

  98.   /* Make result double null terminated */

  99.   unitmp[ulen - 2] = 0;

  100.   unitmp[ulen - 1] = 0;

  101.   *out_len = ulen;

  102.   *out = unitmp;

  103.   return 1;

  104. }

  105. 

  106. static int pkcs12_key_gen_raw(const uint8_t *pass_raw, size_t pass_raw_len,

  107.                               const uint8_t *salt, size_t salt_len,

  108.                               int id, int iterations,

  109.                               size_t out_len, uint8_t *out,

  110.                               const EVP_MD *md_type) {

  111.   uint8_t *B, *D, *I, *p, *Ai;

  112.   int Slen, Plen, Ilen, Ijlen;

  113.   int i, j, v;

  114.   size_t u;

  115.   int ret = 0;

  116.   BIGNUM *Ij, *Bpl1; /* These hold Ij and B + 1 */

  117.   EVP_MD_CTX ctx;

  118. 

  119.   EVP_MD_CTX_init(&ctx);

  120.   v = EVP_MD_block_size(md_type);

  121.   u = EVP_MD_size(md_type);

  122.   D = OPENSSL_malloc(v);

  123.   Ai = OPENSSL_malloc(u);

  124.   B = OPENSSL_malloc(v + 1);

  125.   Slen = v * ((salt_len + v - 1) / v);

  126.   if (pass_raw_len)

  127.     Plen = v * ((pass_raw_len + v - 1) / v);

  128.   else

  129.     Plen = 0;

  130.   Ilen = Slen + Plen;

  131.   I = OPENSSL_malloc(Ilen);

  132.   Ij = BN_new();

  133.   Bpl1 = BN_new();

  134.   if (!D || !Ai || !B || !I || !Ij || !Bpl1)

  135.     goto err;

  136.   for (i = 0; i < v; i++)

  137.     D[i] = id;

  138.   p = I;

  139.   for (i = 0; i < Slen; i++)

  140.     *p++ = salt[i % salt_len];

  141.   for (i = 0; i < Plen; i++)

  142.     *p++ = pass_raw[i % pass_raw_len];

  143.   for (;;) {

  144.     if (!EVP_DigestInit_ex(&ctx, md_type, NULL) ||

  145.         !EVP_DigestUpdate(&ctx, D, v) ||

  146.         !EVP_DigestUpdate(&ctx, I, Ilen) ||

  147.         !EVP_DigestFinal_ex(&ctx, Ai, NULL)) {

  148.       goto err;

  149.     }

  150.     for (j = 1; j < iterations; j++) {

  151.       if (!EVP_DigestInit_ex(&ctx, md_type, NULL) ||

  152.           !EVP_DigestUpdate(&ctx, Ai, u) ||

  153.           !EVP_DigestFinal_ex(&ctx, Ai, NULL)) {

  154.         goto err;

  155.       }

  156.     }

  157.     memcpy(out, Ai, out_len < u ? out_len : u);

  158.     if (u >= out_len) {

  159.       ret = 1;

  160.       goto end;

  161.     }

  162.     out_len -= u;

  163.     out += u;

  164.     for (j = 0; j < v; j++)

  165.       B[j] = Ai[j % u];

  166.     /* Work out B + 1 first then can use B as tmp space */

  167.     if (!BN_bin2bn(B, v, Bpl1))

  168.       goto err;

  169.     if (!BN_add_word(Bpl1, 1))

  170.       goto err;

  171.     for (j = 0; j < Ilen; j += v) {

  172.       if (!BN_bin2bn(I + j, v, Ij))

  173.         goto err;

  174.       if (!BN_add(Ij, Ij, Bpl1))

  175.         goto err;

  176.       if (!BN_bn2bin(Ij, B))

  177.         goto err;

  178.       Ijlen = BN_num_bytes(Ij);

  179.       /* If more than 2^(v*8) - 1 cut off MSB */

  180.       if (Ijlen > v) {

  181.         if (!BN_bn2bin(Ij, B))

  182.           goto err;

  183.         memcpy(I + j, B + 1, v);

  184.         /* If less than v bytes pad with zeroes */

  185.       } else if (Ijlen < v) {

  186.         memset(I + j, 0, v - Ijlen);

  187.         if (!BN_bn2bin(Ij, I + j + v - Ijlen))

  188.           goto err;

  189.       } else if (!BN_bn2bin(Ij, I + j)) {

  190.         goto err;

  191.       }

  192.     }

  193.   }

  194. 

  195. err:

  196.   OPENSSL_PUT_ERROR(PKCS8, pkcs12_key_gen_raw, ERR_R_MALLOC_FAILURE);

  197. 

  198. end:

  199.   OPENSSL_free(Ai);

  200.   OPENSSL_free(B);

  201.   OPENSSL_free(D);

  202.   OPENSSL_free(I);

  203.   BN_free(Ij);

  204.   BN_free(Bpl1);

  205.   EVP_MD_CTX_cleanup(&ctx);

  206. 

  207.   return ret;

  208. }

  209. 

  210. static int pkcs12_pbe_keyivgen(EVP_CIPHER_CTX *ctx, const uint8_t *pass_raw,

  211.                                size_t pass_raw_len, ASN1_TYPE *param,

  212.                                const EVP_CIPHER *cipher, const EVP_MD *md,

  213.                                int is_encrypt) {

  214.   PBEPARAM *pbe;

  215.   int salt_len, iterations, ret;

  216.   uint8_t *salt;

  217.   const uint8_t *pbuf;

  218.   uint8_t key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH];

  219. 

  220.   /* Extract useful info from parameter */

  221.   if (param == NULL || param->type != V_ASN1_SEQUENCE ||

  222.       param->value.sequence == NULL) {

  223.     OPENSSL_PUT_ERROR(PKCS8, pkcs12_pbe_keyivgen, PKCS8_R_DECODE_ERROR);

  224.     return 0;

  225.   }

  226. 

  227.   pbuf = param->value.sequence->data;

  228.   pbe = d2i_PBEPARAM(NULL, &pbuf, param->value.sequence->length);

  229.   if (pbe == NULL) {

  230.     OPENSSL_PUT_ERROR(PKCS8, pkcs12_pbe_keyivgen, PKCS8_R_DECODE_ERROR);

  231.     return 0;

  232.   }

  233. 

  234.   if (!pbe->iter) {

  235.     iterations = 1;

  236.   } else {

  237.     iterations = ASN1_INTEGER_get(pbe->iter);

  238.   }

  239.   salt = pbe->salt->data;

  240.   salt_len = pbe->salt->length;

  241.   if (!pkcs12_key_gen_raw(pass_raw, pass_raw_len, salt, salt_len, PKCS12_KEY_ID,

  242.                           iterations, EVP_CIPHER_key_length(cipher), key, md)) {

  243.     OPENSSL_PUT_ERROR(PKCS8, pkcs12_pbe_keyivgen, PKCS8_R_KEY_GEN_ERROR);

  244.     PBEPARAM_free(pbe);

  245.     return 0;

  246.   }

  247.   if (!pkcs12_key_gen_raw(pass_raw, pass_raw_len, salt, salt_len, PKCS12_IV_ID,

  248.                           iterations, EVP_CIPHER_iv_length(cipher), iv, md)) {

  249.     OPENSSL_PUT_ERROR(PKCS8, pkcs12_pbe_keyivgen, PKCS8_R_KEY_GEN_ERROR);

  250.     PBEPARAM_free(pbe);

  251.     return 0;

  252.   }

  253.   PBEPARAM_free(pbe);

  254.   ret = EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, is_encrypt);

  255.   OPENSSL_cleanse(key, EVP_MAX_KEY_LENGTH);

  256.   OPENSSL_cleanse(iv, EVP_MAX_IV_LENGTH);

  257.   return ret;

  258. }

  259. 

  260. typedef int (*keygen_func)(EVP_CIPHER_CTX *ctx, const uint8_t *pass_raw,

  261.                            size_t pass_raw_len, ASN1_TYPE *param,

  262.                            const EVP_CIPHER *cipher, const EVP_MD *md,

  263.                            int is_encrypt);

  264. 

  265. struct pbe_suite {

  266.   int pbe_nid;

  267.   const EVP_CIPHER* (*cipher_func)(void);

  268.   const EVP_MD* (*md_func)(void);

  269.   keygen_func keygen;

  270. };

  271. 

  272. static const struct pbe_suite kBuiltinPBE[] = {

  273.     {

  274.      NID_pbe_WithSHA1And40BitRC2_CBC, EVP_rc2_40_cbc, EVP_sha1, pkcs12_pbe_keyivgen,

  275.     },

  276.     {

  277.      NID_pbe_WithSHA1And128BitRC4, EVP_rc4, EVP_sha1, pkcs12_pbe_keyivgen,

  278.     },

  279.     {

  280.      NID_pbe_WithSHA1And3_Key_TripleDES_CBC, EVP_des_ede3_cbc, EVP_sha1,

  281.      pkcs12_pbe_keyivgen,

  282.     },

  283. };

  284. 

  285. static int pbe_cipher_init(ASN1_OBJECT *pbe_obj,

  286.                            const uint8_t *pass_raw, size_t pass_raw_len,

  287.                            ASN1_TYPE *param,

  288.                            EVP_CIPHER_CTX *ctx, int is_encrypt) {

  289.   const EVP_CIPHER *cipher;

  290.   const EVP_MD *md;

  291.   unsigned i;

  292. 

  293.   const struct pbe_suite *suite = NULL;

  294.   const int pbe_nid = OBJ_obj2nid(pbe_obj);

  295. 

  296.   for (i = 0; i < sizeof(kBuiltinPBE) / sizeof(struct pbe_suite); i++) {

  297.     if (kBuiltinPBE[i].pbe_nid == pbe_nid) {

  298.       suite = &kBuiltinPBE[i];

  299.       break;

  300.     }

  301.   }

  302. 

  303.   if (suite == NULL) {

  304.     char obj_str[80];

  305.     OPENSSL_PUT_ERROR(PKCS8, pbe_cipher_init, PKCS8_R_UNKNOWN_ALGORITHM);

  306.     if (!pbe_obj) {

  307.       strncpy(obj_str, "NULL", sizeof(obj_str));

  308.     } else {

  309.       i2t_ASN1_OBJECT(obj_str, sizeof(obj_str), pbe_obj);

  310.     }

  311.     ERR_add_error_data(2, "TYPE=", obj_str);

  312.     return 0;

  313.   }

  314. 

  315.   if (suite->cipher_func == NULL) {

  316.     cipher = NULL;

  317.   } else {

  318.     cipher = suite->cipher_func();

  319.     if (!cipher) {

  320.       OPENSSL_PUT_ERROR(PKCS8, pbe_cipher_init, PKCS8_R_UNKNOWN_CIPHER);

  321.       return 0;

  322.     }

  323.   }

  324. 

  325.   if (suite->md_func == NULL) {

  326.     md = NULL;

  327.   } else {

  328.     md = suite->md_func();

  329.     if (!md) {

  330.       OPENSSL_PUT_ERROR(PKCS8, pbe_cipher_init, PKCS8_R_UNKNOWN_DIGEST);

  331.       return 0;

  332.     }

  333.   }

  334. 

  335.   if (!suite->keygen(ctx, pass_raw, pass_raw_len, param, cipher, md,

  336.                      is_encrypt)) {

  337.     OPENSSL_PUT_ERROR(PKCS8, pbe_cipher_init, PKCS8_R_KEYGEN_FAILURE);

  338.     return 0;

  339.   }

  340. 

  341.   return 1;

  342. }

  343. 

  344. static int pbe_crypt(const X509_ALGOR *algor,

  345.                      const uint8_t *pass_raw, size_t pass_raw_len,

  346.                      const uint8_t *in, size_t in_len,

  347.                      uint8_t **out, size_t *out_len,

  348.                      int is_encrypt) {

  349.   uint8_t *buf;

  350.   int n, ret = 0;

  351.   EVP_CIPHER_CTX ctx;

  352.   unsigned block_size;

  353. 

  354.   EVP_CIPHER_CTX_init(&ctx);

  355. 

  356.   if (!pbe_cipher_init(algor->algorithm, pass_raw, pass_raw_len,

  357.                        algor->parameter, &ctx, is_encrypt)) {

  358.     OPENSSL_PUT_ERROR(PKCS8, pbe_crypt, PKCS8_R_UNKNOWN_CIPHER_ALGORITHM);

  359.     return 0;

  360.   }

  361.   block_size = EVP_CIPHER_CTX_block_size(&ctx);

  362. 

  363.   if (in_len + block_size < in_len) {

  364.     OPENSSL_PUT_ERROR(PKCS8, pbe_crypt, PKCS8_R_TOO_LONG);

  365.     goto err;

  366.   }

  367. 

  368.   buf = OPENSSL_malloc(in_len + block_size);

  369.   if (buf == NULL) {

  370.     OPENSSL_PUT_ERROR(PKCS8, pbe_crypt, ERR_R_MALLOC_FAILURE);

  371.     goto err;

  372.   }

  373. 

  374.   if (!EVP_CipherUpdate(&ctx, buf, &n, in, in_len)) {

  375.     OPENSSL_free(buf);

  376.     OPENSSL_PUT_ERROR(PKCS8, pbe_crypt, ERR_R_EVP_LIB);

  377.     goto err;

  378.   }

  379.   *out_len = n;

  380. 

  381.   if (!EVP_CipherFinal_ex(&ctx, buf + n, &n)) {

  382.     OPENSSL_free(buf);

  383.     OPENSSL_PUT_ERROR(PKCS8, pbe_crypt, ERR_R_EVP_LIB);

  384.     goto err;

  385.   }

  386.   *out_len += n;

  387.   *out = buf;

  388.   ret = 1;

  389. 

  390. err:

  391.   EVP_CIPHER_CTX_cleanup(&ctx);

  392.   return ret;

  393. }

  394. 

  395. static void *pkcs12_item_decrypt_d2i(X509_ALGOR *algor, const ASN1_ITEM *it,

  396.                                      const uint8_t *pass_raw,

  397.                                      size_t pass_raw_len,

  398.                                      ASN1_OCTET_STRING *oct) {

  399.   uint8_t *out;

  400.   const uint8_t *p;

  401.   void *ret;

  402.   size_t out_len;

  403. 

  404.   if (!pbe_crypt(algor, pass_raw, pass_raw_len, oct->data, oct->length,

  405.                  &out, &out_len, 0 /* decrypt */)) {

  406.     OPENSSL_PUT_ERROR(PKCS8, pkcs12_item_decrypt_d2i, PKCS8_R_CRYPT_ERROR);

  407.     return NULL;

  408.   }

  409.   p = out;

  410.   ret = ASN1_item_d2i(NULL, &p, out_len, it);

  411.   OPENSSL_cleanse(out, out_len);

  412.   if (!ret) {

  413.     OPENSSL_PUT_ERROR(PKCS8, pkcs12_item_decrypt_d2i, PKCS8_R_DECODE_ERROR);

  414.   }

  415.   OPENSSL_free(out);

  416.   return ret;

  417. }

  418. 

  419. PKCS8_PRIV_KEY_INFO *PKCS8_decrypt(X509_SIG *pkcs8, const char *pass,

  420.                                    int pass_len) {

  421.   uint8_t *pass_raw = NULL;

  422.   size_t pass_raw_len = 0;

  423.   PKCS8_PRIV_KEY_INFO *ret;

  424. 

  425.   if (pass) {

  426.     if (pass_len == -1) {

  427.       pass_len = strlen(pass);

  428.     }

  429.     if (!ascii_to_ucs2(pass, pass_len, &pass_raw, &pass_raw_len)) {

  430.       OPENSSL_PUT_ERROR(PKCS8, pkcs12_key_gen_asc, PKCS8_R_DECODE_ERROR);

  431.       return NULL;

  432.     }

  433.   }

  434. 

  435.   ret = PKCS8_decrypt_pbe(pkcs8, pass_raw, pass_raw_len);

  436. 

  437.   if (pass_raw) {

  438.     OPENSSL_cleanse(pass_raw, pass_raw_len);

  439.     OPENSSL_free(pass_raw);

  440.   }

  441.   return ret;

  442. }

  443. 

  444. PKCS8_PRIV_KEY_INFO *PKCS8_decrypt_pbe(X509_SIG *pkcs8, const uint8_t *pass_raw,

  445.                                        size_t pass_raw_len) {

  446.   return pkcs12_item_decrypt_d2i(pkcs8->algor,

  447.                                  ASN1_ITEM_rptr(PKCS8_PRIV_KEY_INFO), pass_raw,

  448.                                  pass_raw_len, pkcs8->digest);

  449. }

  450. 

  451. static ASN1_OCTET_STRING *pkcs12_item_i2d_encrypt(X509_ALGOR *algor,

  452.                                                   const ASN1_ITEM *it,

  453.                                                   const uint8_t *pass_raw,

  454.                                                   size_t pass_raw_len, void *obj) {

  455.   ASN1_OCTET_STRING *oct;

  456.   uint8_t *in = NULL;

  457.   int in_len;

  458.   size_t crypt_len;

  459. 

  460.   oct = M_ASN1_OCTET_STRING_new();

  461.   if (oct == NULL) {

  462.     OPENSSL_PUT_ERROR(PKCS8, pkcs12_item_i2d_encrypt, ERR_R_MALLOC_FAILURE);

  463.     return NULL;

  464.   }

  465.   in_len = ASN1_item_i2d(obj, &in, it);

  466.   if (!in) {

  467.     OPENSSL_PUT_ERROR(PKCS8, pkcs12_item_i2d_encrypt, PKCS8_R_ENCODE_ERROR);

  468.     return NULL;

  469.   }

  470.   if (!pbe_crypt(algor, pass_raw, pass_raw_len, in, in_len, &oct->data, &crypt_len,

  471.                  1 /* encrypt */)) {

  472.     OPENSSL_PUT_ERROR(PKCS8, pkcs12_item_i2d_encrypt, PKCS8_R_ENCRYPT_ERROR);

  473.     OPENSSL_free(in);

  474.     return NULL;

  475.   }

  476.   oct->length = crypt_len;

  477.   OPENSSL_cleanse(in, in_len);

  478.   OPENSSL_free(in);

  479.   return oct;

  480. }

  481. 

  482. X509_SIG *PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher, const char *pass,

  483.                         int pass_len, uint8_t *salt, size_t salt_len,

  484.                         int iterations, PKCS8_PRIV_KEY_INFO *p8inf) {

  485.   uint8_t *pass_raw = NULL;

  486.   size_t pass_raw_len = 0;

  487.   X509_SIG *ret;

  488. 

  489.   if (pass) {

  490.     if (pass_len == -1) {

  491.       pass_len = strlen(pass);

  492.     }

  493.     if (!ascii_to_ucs2(pass, pass_len, &pass_raw, &pass_raw_len)) {

  494.       OPENSSL_PUT_ERROR(PKCS8, pkcs12_key_gen_asc, PKCS8_R_DECODE_ERROR);

  495.       return NULL;

  496.     }

  497.   }

  498. 

  499.   ret = PKCS8_encrypt_pbe(pbe_nid, pass_raw, pass_raw_len,

  500.                           salt, salt_len, iterations, p8inf);

  501. 

  502.   if (pass_raw) {

  503.     OPENSSL_cleanse(pass_raw, pass_raw_len);

  504.     OPENSSL_free(pass_raw);

  505.   }

  506.   return ret;

  507. }

  508. 

  509. X509_SIG *PKCS8_encrypt_pbe(int pbe_nid,

  510.                             const uint8_t *pass_raw, size_t pass_raw_len,

  511.                             uint8_t *salt, size_t salt_len,

  512.                             int iterations, PKCS8_PRIV_KEY_INFO *p8inf) {

  513.   X509_SIG *pkcs8 = NULL;

  514.   X509_ALGOR *pbe;

  515. 

  516.   pkcs8 = X509_SIG_new();

  517.   if (pkcs8 == NULL) {

  518.     OPENSSL_PUT_ERROR(PKCS8, PKCS8_encrypt_pbe, ERR_R_MALLOC_FAILURE);

  519.     goto err;

  520.   }

  521. 

  522.   pbe = PKCS5_pbe_set(pbe_nid, iterations, salt, salt_len);

  523.   if (!pbe) {

  524.     OPENSSL_PUT_ERROR(PKCS8, PKCS8_encrypt_pbe, ERR_R_ASN1_LIB);

  525.     goto err;

  526.   }

  527. 

  528.   X509_ALGOR_free(pkcs8->algor);

  529.   pkcs8->algor = pbe;

  530.   M_ASN1_OCTET_STRING_free(pkcs8->digest);

  531.   pkcs8->digest = pkcs12_item_i2d_encrypt(

  532.       pbe, ASN1_ITEM_rptr(PKCS8_PRIV_KEY_INFO), pass_raw, pass_raw_len, p8inf);

  533.   if (!pkcs8->digest) {

  534.     OPENSSL_PUT_ERROR(PKCS8, PKCS8_encrypt_pbe, PKCS8_R_ENCRYPT_ERROR);

  535.     goto err;

  536.   }

  537. 

  538.   return pkcs8;

  539. 

  540. err:

  541.   X509_SIG_free(pkcs8);

  542.   return NULL;

  543. }

  544. 

  545. EVP_PKEY *EVP_PKCS82PKEY(PKCS8_PRIV_KEY_INFO *p8) {

  546.   EVP_PKEY *pkey = NULL;

  547.   ASN1_OBJECT *algoid;

  548.   char obj_tmp[80];

  549. 

  550.   if (!PKCS8_pkey_get0(&algoid, NULL, NULL, NULL, p8))

  551.     return NULL;

  552. 

  553.   pkey = EVP_PKEY_new();

  554.   if (pkey == NULL) {

  555.     OPENSSL_PUT_ERROR(PKCS8, EVP_PKCS82PKEY, ERR_R_MALLOC_FAILURE);

  556.     return NULL;

  557.   }

  558. 

  559.   if (!EVP_PKEY_set_type(pkey, OBJ_obj2nid(algoid))) {

  560.     OPENSSL_PUT_ERROR(PKCS8, EVP_PKCS82PKEY,

  561.                       PKCS8_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM);

  562.     i2t_ASN1_OBJECT(obj_tmp, 80, algoid);

  563.     ERR_add_error_data(2, "TYPE=", obj_tmp);

  564.     goto error;

  565.   }

  566. 

  567.   if (pkey->ameth->priv_decode) {

  568.     if (!pkey->ameth->priv_decode(pkey, p8)) {

  569.       OPENSSL_PUT_ERROR(PKCS8, EVP_PKCS82PKEY, PKCS8_R_PRIVATE_KEY_DECODE_ERROR);

  570.       goto error;

  571.     }

  572.   } else {

  573.     OPENSSL_PUT_ERROR(PKCS8, EVP_PKCS82PKEY, PKCS8_R_METHOD_NOT_SUPPORTED);

  574.     goto error;

  575.   }

  576. 

  577.   return pkey;

  578. 

  579. error:

  580.   EVP_PKEY_free(pkey);

  581.   return NULL;

  582. }

  583. 

  584. PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8(EVP_PKEY *pkey) {

  585.   PKCS8_PRIV_KEY_INFO *p8;

  586. 

  587.   p8 = PKCS8_PRIV_KEY_INFO_new();

  588.   if (p8 == NULL) {

  589.     OPENSSL_PUT_ERROR(PKCS8, EVP_PKEY2PKCS8, ERR_R_MALLOC_FAILURE);

  590.     return NULL;

  591.   }

  592.   p8->broken = PKCS8_OK;

  593. 

  594.   if (pkey->ameth) {

  595.     if (pkey->ameth->priv_encode) {

  596.       if (!pkey->ameth->priv_encode(p8, pkey)) {

  597.         OPENSSL_PUT_ERROR(PKCS8, EVP_PKEY2PKCS8,

  598.                           PKCS8_R_PRIVATE_KEY_ENCODE_ERROR);

  599.         goto error;

  600.       }

  601.     } else {

  602.       OPENSSL_PUT_ERROR(PKCS8, EVP_PKEY2PKCS8, PKCS8_R_METHOD_NOT_SUPPORTED);

  603.       goto error;

  604.     }

  605.   } else {

  606.     OPENSSL_PUT_ERROR(PKCS8, EVP_PKEY2PKCS8,

  607.                       PKCS8_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM);

  608.     goto error;

  609.   }

  610.   return p8;

  611. 

  612. error:

  613.   PKCS8_PRIV_KEY_INFO_free(p8);

  614.   return NULL;

  615. }

  616. 

  617. struct pkcs12_context {

  618.   EVP_PKEY **out_key;

  619.   STACK_OF(X509) *out_certs;

  620.   uint8_t *password;

  621.   size_t password_len;

  622. };

  623. 

  624. static int PKCS12_handle_content_info(CBS *content_info, unsigned depth,

  625.                                       struct pkcs12_context *ctx);

  626. 

  627. /* PKCS12_handle_content_infos parses a series of PKCS#7 ContentInfos in a

  628.  * SEQUENCE. */

  629. static int PKCS12_handle_content_infos(CBS *content_infos,

  630.                                        unsigned depth,

  631.                                        struct pkcs12_context *ctx) {

  632.   uint8_t *der_bytes = NULL;

  633.   size_t der_len;

  634.   CBS in;

  635.   int ret = 0;

  636. 

  637.   /* Generally we only expect depths 0 (the top level, with a

  638.    * pkcs7-encryptedData and a pkcs7-data) and depth 1 (the various PKCS#12

  639.    * bags). */

  640.   if (depth > 3) {

  641.     OPENSSL_PUT_ERROR(PKCS8, PKCS12_handle_content_infos,

  642.                       PKCS8_R_PKCS12_TOO_DEEPLY_NESTED);

  643.     return 0;

  644.   }

  645. 

  646.   /* Although a BER->DER conversion is done at the beginning of |PKCS12_parse|,

  647.    * the ASN.1 data gets wrapped in OCTETSTRINGs and/or encrypted and the

  648.    * conversion cannot see through those wrappings. So each time we step

  649.    * through one we need to convert to DER again. */

  650.   if (!CBS_asn1_ber_to_der(content_infos, &der_bytes, &der_len)) {

  651.     return 0;

  652.   }

  653. 

  654.   if (der_bytes != NULL) {

  655.     CBS_init(&in, der_bytes, der_len);

  656.   } else {

  657.     CBS_init(&in, CBS_data(content_infos), CBS_len(content_infos));

  658.   }

  659. 

  660.   if (!CBS_get_asn1(&in, &in, CBS_ASN1_SEQUENCE)) {

  661.     OPENSSL_PUT_ERROR(PKCS8, PKCS12_handle_content_infos,

  662.                       PKCS8_R_BAD_PKCS12_DATA);

  663.     goto err;

  664.   }

  665. 

  666.   while (CBS_len(&in) > 0) {

  667.     CBS content_info;

  668.     if (!CBS_get_asn1(&in, &content_info, CBS_ASN1_SEQUENCE)) {

  669.       OPENSSL_PUT_ERROR(PKCS8, PKCS12_handle_content_infos,

  670.                         PKCS8_R_BAD_PKCS12_DATA);

  671.       goto err;

  672.     }

  673. 

  674.     if (!PKCS12_handle_content_info(&content_info, depth + 1, ctx)) {

  675.       goto err;

  676.     }

  677.   }

  678. 

  679.   /* NSS includes additional data after the SEQUENCE, but it's an (unwrapped)

  680.    * copy of the same encrypted private key (with the same IV and

  681.    * ciphertext)! */

  682. 

  683.   ret = 1;

  684. 

  685. err:

  686.   if (der_bytes != NULL) {

  687.     OPENSSL_free(der_bytes);

  688.   }

  689.   return ret;

  690. }

  691. 

  692. /* PKCS12_handle_content_info parses a single PKCS#7 ContentInfo element in a

  693.  * PKCS#12 structure. */

  694. static int PKCS12_handle_content_info(CBS *content_info, unsigned depth,

  695.                                       struct pkcs12_context *ctx) {

  696.   CBS content_type, wrapped_contents, contents, content_infos;

  697.   int nid, ret = 0;

  698. 

  699.   if (!CBS_get_asn1(content_info, &content_type, CBS_ASN1_OBJECT) ||

  700.       !CBS_get_asn1(content_info, &wrapped_contents,

  701.                         CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0)) {

  702.     OPENSSL_PUT_ERROR(PKCS8, PKCS12_parse, PKCS8_R_BAD_PKCS12_DATA);

  703.     goto err;

  704.   }

  705. 

  706.   nid = OBJ_cbs2nid(&content_type);

  707.   if (nid == NID_pkcs7_encrypted) {

  708.     /* See https://tools.ietf.org/html/rfc2315#section-13.

  709.      *

  710.      * PKCS#7 encrypted data inside a PKCS#12 structure is generally an

  711.      * encrypted certificate bag and it's generally encrypted with 40-bit

  712.      * RC2-CBC. */

  713.     CBS version_bytes, eci, contents_type, ai, encrypted_contents;

  714.     X509_ALGOR *algor = NULL;

  715.     const uint8_t *inp;

  716.     uint8_t *out;

  717.     size_t out_len;

  718. 

  719.     if (!CBS_get_asn1(&wrapped_contents, &contents, CBS_ASN1_SEQUENCE) ||

  720.         !CBS_get_asn1(&contents, &version_bytes, CBS_ASN1_INTEGER) ||

  721.         /* EncryptedContentInfo, see

  722.          * https://tools.ietf.org/html/rfc2315#section-10.1 */

  723.         !CBS_get_asn1(&contents, &eci, CBS_ASN1_SEQUENCE) ||

  724.         !CBS_get_asn1(&eci, &contents_type, CBS_ASN1_OBJECT) ||

  725.         /* AlgorithmIdentifier, see

  726.          * https://tools.ietf.org/html/rfc5280#section-4.1.1.2 */

  727.         !CBS_get_asn1_element(&eci, &ai, CBS_ASN1_SEQUENCE) ||

  728.         !CBS_get_asn1(&eci, &encrypted_contents,

  729.                       CBS_ASN1_CONTEXT_SPECIFIC | 0)) {

  730.       OPENSSL_PUT_ERROR(PKCS8, PKCS12_handle_content_info,

  731.                         PKCS8_R_BAD_PKCS12_DATA);

  732.       goto err;

  733.     }

  734. 

  735.     if (OBJ_cbs2nid(&contents_type) != NID_pkcs7_data) {

  736.       OPENSSL_PUT_ERROR(PKCS8, PKCS12_handle_content_info,

  737.                         PKCS8_R_BAD_PKCS12_DATA);

  738.       goto err;

  739.     }

  740. 

  741.     inp = CBS_data(&ai);

  742.     algor = d2i_X509_ALGOR(NULL, &inp, CBS_len(&ai));

  743.     if (algor == NULL) {

  744.       goto err;

  745.     }

  746.     if (inp != CBS_data(&ai) + CBS_len(&ai)) {

  747.       X509_ALGOR_free(algor);

  748.       OPENSSL_PUT_ERROR(PKCS8, PKCS12_handle_content_info,

  749.                         PKCS8_R_BAD_PKCS12_DATA);

  750.       goto err;

  751.     }

  752. 

  753.     if (!pbe_crypt(algor, ctx->password, ctx->password_len,

  754.                    CBS_data(&encrypted_contents), CBS_len(&encrypted_contents),

  755.                    &out, &out_len, 0 /* decrypt */)) {

  756.       X509_ALGOR_free(algor);

  757.       goto err;

  758.     }

  759.     X509_ALGOR_free(algor);

  760. 

  761.     CBS_init(&content_infos, out, out_len);

  762.     ret = PKCS12_handle_content_infos(&content_infos, depth + 1, ctx);

  763.     OPENSSL_free(out);

  764.   } else if (nid == NID_pkcs7_data) {

  765.     CBS octet_string_contents;

  766. 

  767.     if (!CBS_get_asn1(&wrapped_contents, &octet_string_contents,

  768.                           CBS_ASN1_OCTETSTRING)) {

  769.       OPENSSL_PUT_ERROR(PKCS8, PKCS12_handle_content_info,

  770.                         PKCS8_R_BAD_PKCS12_DATA);

  771.       goto err;

  772.     }

  773. 

  774.     ret = PKCS12_handle_content_infos(&octet_string_contents, depth + 1, ctx);

  775.   } else if (nid == NID_pkcs8ShroudedKeyBag) {

  776.     /* See ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-12/pkcs-12v1.pdf, section

  777.      * 4.2.2. */

  778.     const uint8_t *inp = CBS_data(&wrapped_contents);

  779.     PKCS8_PRIV_KEY_INFO *pki = NULL;

  780.     X509_SIG *encrypted = NULL;

  781. 

  782.     if (*ctx->out_key) {

  783.       OPENSSL_PUT_ERROR(PKCS8, PKCS12_handle_content_info,

  784.                         PKCS8_R_MULTIPLE_PRIVATE_KEYS_IN_PKCS12);

  785.       goto err;

  786.     }

  787. 

  788.     /* encrypted isn't actually an X.509 signature, but it has the same

  789.      * structure as one and so |X509_SIG| is reused to store it. */

  790.     encrypted = d2i_X509_SIG(NULL, &inp, CBS_len(&wrapped_contents));

  791.     if (encrypted == NULL) {

  792.       OPENSSL_PUT_ERROR(PKCS8, PKCS12_handle_content_info,

  793.                         PKCS8_R_BAD_PKCS12_DATA);

  794.       goto err;

  795.     }

  796.     if (inp != CBS_data(&wrapped_contents) + CBS_len(&wrapped_contents)) {

  797.       OPENSSL_PUT_ERROR(PKCS8, PKCS12_handle_content_info,

  798.                         PKCS8_R_BAD_PKCS12_DATA);

  799.       X509_SIG_free(encrypted);

  800.       goto err;

  801.     }

  802. 

  803.     pki = PKCS8_decrypt_pbe(encrypted, ctx->password, ctx->password_len);

  804.     X509_SIG_free(encrypted);

  805.     if (pki == NULL) {

  806.       goto err;

  807.     }

  808. 

  809.     *ctx->out_key = EVP_PKCS82PKEY(pki);

  810.     PKCS8_PRIV_KEY_INFO_free(pki);

  811. 

  812.     if (ctx->out_key == NULL) {

  813.       goto err;

  814.     }

  815.     ret = 1;

  816.   } else if (nid == NID_certBag) {

  817.     CBS cert_bag, cert_type, wrapped_cert, cert;

  818. 

  819.     if (!CBS_get_asn1(&wrapped_contents, &cert_bag, CBS_ASN1_SEQUENCE) ||

  820.         !CBS_get_asn1(&cert_bag, &cert_type, CBS_ASN1_OBJECT) ||

  821.         !CBS_get_asn1(&cert_bag, &wrapped_cert,

  822.                       CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0) ||

  823.         !CBS_get_asn1(&wrapped_cert, &cert, CBS_ASN1_OCTETSTRING)) {

  824.       OPENSSL_PUT_ERROR(PKCS8, PKCS12_handle_content_info,

  825.                         PKCS8_R_BAD_PKCS12_DATA);

  826.       goto err;

  827.     }

  828. 

  829.     if (OBJ_cbs2nid(&cert_type) == NID_x509Certificate) {

  830.       const uint8_t *inp = CBS_data(&cert);

  831.       X509 *x509 = d2i_X509(NULL, &inp, CBS_len(&cert));

  832.       if (!x509) {

  833.         OPENSSL_PUT_ERROR(PKCS8, PKCS12_handle_content_info,

  834.                           PKCS8_R_BAD_PKCS12_DATA);

  835.         goto err;

  836.       }

  837.       if (inp != CBS_data(&cert) + CBS_len(&cert)) {

  838.         OPENSSL_PUT_ERROR(PKCS8, PKCS12_handle_content_info,

  839.                           PKCS8_R_BAD_PKCS12_DATA);

  840.         X509_free(x509);

  841.         goto err;

  842.       }

  843. 

  844.       if (0 == sk_X509_push(ctx->out_certs, x509)) {

  845.         X509_free(x509);

  846.         goto err;

  847.       }

  848.     }

  849.     ret = 1;

  850.   } else {

  851.     /* Unknown element type - ignore it. */

  852.     ret = 1;

  853.   }

  854. 

  855. err:

  856.   return ret;

  857. }

  858. 

  859. int PKCS12_get_key_and_certs(EVP_PKEY **out_key, STACK_OF(X509) *out_certs,

  860.                              CBS *ber_in, const char *password) {

  861.   uint8_t *der_bytes = NULL;

  862.   size_t der_len;

  863.   CBS in, pfx, mac_data, authsafe, content_type, wrapped_authsafes, authsafes;

  864.   uint64_t version;

  865.   int ret = 0;

  866.   struct pkcs12_context ctx;

  867.   const size_t original_out_certs_len = sk_X509_num(out_certs);

  868. 

  869.   /* The input may be in BER format. */

  870.   if (!CBS_asn1_ber_to_der(ber_in, &der_bytes, &der_len)) {

  871.     return 0;

  872.   }

  873.   if (der_bytes != NULL) {

  874.     CBS_init(&in, der_bytes, der_len);

  875.   } else {

  876.     CBS_init(&in, CBS_data(ber_in), CBS_len(ber_in));

  877.   }

  878. 

  879.   *out_key = NULL;

  880.   memset(&ctx, 0, sizeof(ctx));

  881. 

  882.   /* See ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-12/pkcs-12v1.pdf, section

  883.    * four. */

  884.   if (!CBS_get_asn1(&in, &pfx, CBS_ASN1_SEQUENCE) ||

  885.       CBS_len(&in) != 0 ||

  886.       !CBS_get_asn1_uint64(&pfx, &version)) {

  887.     OPENSSL_PUT_ERROR(PKCS8, PKCS12_parse, PKCS8_R_BAD_PKCS12_DATA);

  888.     goto err;

  889.   }

  890. 

  891.   if (version < 3) {

  892.     OPENSSL_PUT_ERROR(PKCS8, PKCS12_parse, PKCS8_R_BAD_PKCS12_VERSION);

  893.     goto err;

  894.   }

  895. 

  896.   if (!CBS_get_asn1(&pfx, &authsafe, CBS_ASN1_SEQUENCE)) {

  897.     OPENSSL_PUT_ERROR(PKCS8, PKCS12_parse, PKCS8_R_BAD_PKCS12_DATA);

  898.     goto err;

  899.   }

  900. 

  901.   if (CBS_len(&pfx) == 0) {

  902.     OPENSSL_PUT_ERROR(PKCS8, PKCS12_parse, PKCS8_R_MISSING_MAC);

  903.     goto err;

  904.   }

  905. 

  906.   if (!CBS_get_asn1(&pfx, &mac_data, CBS_ASN1_SEQUENCE)) {

  907.     OPENSSL_PUT_ERROR(PKCS8, PKCS12_parse, PKCS8_R_BAD_PKCS12_DATA);

  908.     goto err;

  909.   }

  910. 

  911.   /* authsafe is a PKCS#7 ContentInfo. See

  912.    * https://tools.ietf.org/html/rfc2315#section-7. */

  913.   if (!CBS_get_asn1(&authsafe, &content_type, CBS_ASN1_OBJECT) ||

  914.       !CBS_get_asn1(&authsafe, &wrapped_authsafes,

  915.                         CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0)) {

  916.     OPENSSL_PUT_ERROR(PKCS8, PKCS12_parse, PKCS8_R_BAD_PKCS12_DATA);

  917.     goto err;

  918.   }

  919. 

  920.   /* The content type can either be |NID_pkcs7_data| or |NID_pkcs7_signed|. The

  921.    * latter indicates that it's signed by a public key, which isn't

  922.    * supported. */

  923.   if (OBJ_cbs2nid(&content_type) != NID_pkcs7_data) {

  924.     OPENSSL_PUT_ERROR(PKCS8, PKCS12_parse,

  925.                       PKCS8_R_PKCS12_PUBLIC_KEY_INTEGRITY_NOT_SUPPORTED);

  926.     goto err;

  927.   }

  928. 

  929.   if (!CBS_get_asn1(&wrapped_authsafes, &authsafes, CBS_ASN1_OCTETSTRING)) {

  930.     OPENSSL_PUT_ERROR(PKCS8, PKCS12_parse, PKCS8_R_BAD_PKCS12_DATA);

  931.     goto err;

  932.   }

  933. 

  934.   ctx.out_key = out_key;

  935.   ctx.out_certs = out_certs;

  936.   if (!ascii_to_ucs2(password, strlen(password), &ctx.password,

  937.                      &ctx.password_len)) {

  938.     OPENSSL_PUT_ERROR(PKCS8, PKCS12_parse, PKCS8_R_DECODE_ERROR);

  939.     goto err;

  940.   }

  941. 

  942.   /* Verify the MAC. */

  943.   {

  944.     CBS mac, hash_type_seq, hash_oid, salt, expected_mac;

  945.     uint64_t iterations;

  946.     int hash_nid;

  947.     const EVP_MD *md;

  948.     uint8_t hmac_key[EVP_MAX_MD_SIZE];

  949.     uint8_t hmac[EVP_MAX_MD_SIZE];

  950.     unsigned hmac_len;

  951. 

  952.     if (!CBS_get_asn1(&mac_data, &mac, CBS_ASN1_SEQUENCE) ||

  953.         !CBS_get_asn1(&mac, &hash_type_seq, CBS_ASN1_SEQUENCE) ||

  954.         !CBS_get_asn1(&hash_type_seq, &hash_oid, CBS_ASN1_OBJECT) ||

  955.         !CBS_get_asn1(&mac, &expected_mac, CBS_ASN1_OCTETSTRING) ||

  956.         !CBS_get_asn1(&mac_data, &salt, CBS_ASN1_OCTETSTRING)) {

  957.       OPENSSL_PUT_ERROR(PKCS8, PKCS12_parse, PKCS8_R_BAD_PKCS12_DATA);

  958.       goto err;

  959.     }

  960. 

  961.     /* The iteration count is optional and the default is one. */

  962.     iterations = 1;

  963.     if (CBS_len(&mac_data) > 0) {

  964.       if (!CBS_get_asn1_uint64(&mac_data, &iterations) ||

  965.           iterations > INT_MAX) {

  966.         OPENSSL_PUT_ERROR(PKCS8, PKCS12_parse, PKCS8_R_BAD_PKCS12_DATA);

  967.         goto err;

  968.       }

  969.     }

  970. 

  971.     hash_nid = OBJ_cbs2nid(&hash_oid);

  972.     if (hash_nid == NID_undef ||

  973.         (md = EVP_get_digestbynid(hash_nid)) == NULL) {

  974.       OPENSSL_PUT_ERROR(PKCS8, PKCS12_parse, PKCS8_R_UNKNOWN_HASH);

  975.       goto err;

  976.     }

  977. 

  978.     if (!pkcs12_key_gen_raw(ctx.password, ctx.password_len, CBS_data(&salt),

  979.                             CBS_len(&salt), PKCS12_MAC_ID, iterations,

  980.                             EVP_MD_size(md), hmac_key, md)) {

  981.       goto err;

  982.     }

  983. 

  984.     if (NULL == HMAC(md, hmac_key, EVP_MD_size(md), CBS_data(&authsafes),

  985.                      CBS_len(&authsafes), hmac, &hmac_len)) {

  986.       goto err;

  987.     }

  988. 

  989.     if (!CBS_mem_equal(&expected_mac, hmac, hmac_len)) {

  990.       OPENSSL_PUT_ERROR(PKCS8, PKCS12_parse, PKCS8_R_INCORRECT_PASSWORD);

  991.       goto err;

  992.     }

  993.   }

  994. 

  995.   /* authsafes contains a series of PKCS#7 ContentInfos. */

  996.   if (!PKCS12_handle_content_infos(&authsafes, 0, &ctx)) {

  997.     goto err;

  998.   }

  999. 

  1000.   ret = 1;

  1001. 

  1002. err:

  1003.   if (ctx.password) {

  1004.     OPENSSL_free(ctx.password);

  1005.   }

  1006.   if (der_bytes) {

  1007.     OPENSSL_free(der_bytes);

  1008.   }

  1009.   if (!ret) {

  1010.     if (*out_key) {

  1011.       EVP_PKEY_free(*out_key);

  1012.       *out_key = NULL;

  1013.     }

  1014.     while (sk_X509_num(out_certs) > original_out_certs_len) {

  1015.       X509 *x509 = sk_X509_pop(out_certs);

  1016.       X509_free(x509);

  1017.     }

  1018.   }

  1019. 

  1020.   return ret;

  1021. }

  1022. 

  1023. void PKCS12_PBE_add(void) {}

  1024. 

  1025. struct pkcs12_st {

  1026.   uint8_t *ber_bytes;

  1027.   size_t ber_len;

  1028. };

  1029. 

  1030. PKCS12* d2i_PKCS12(PKCS12 **out_p12, const uint8_t **ber_bytes, size_t ber_len) {

  1031.   PKCS12 *p12;

  1032. 

  1033.   /* out_p12 must be NULL because we don't export the PKCS12 structure. */

  1034.   assert(out_p12 == NULL);

  1035. 

  1036.   p12 = OPENSSL_malloc(sizeof(PKCS12));

  1037.   if (!p12) {

  1038.     return NULL;

  1039.   }

  1040. 

  1041.   p12->ber_bytes = OPENSSL_malloc(ber_len);

  1042.   if (!p12->ber_bytes) {

  1043.     OPENSSL_free(p12);

  1044.     return NULL;

  1045.   }

  1046. 

  1047.   memcpy(p12->ber_bytes, *ber_bytes, ber_len);

  1048.   p12->ber_len = ber_len;

  1049.   *ber_bytes += ber_len;

  1050. 

  1051.   return p12;

  1052. }

  1053. 

  1054. PKCS12* d2i_PKCS12_bio(BIO *bio, PKCS12 **out_p12) {

  1055.   size_t used = 0;

  1056.   BUF_MEM *buf;

  1057.   const uint8_t *dummy;

  1058.   static const size_t kMaxSize = 256 * 1024;

  1059.   PKCS12 *ret = NULL;

  1060. 

  1061.   buf = BUF_MEM_new();

  1062.   if (buf == NULL) {

  1063.     return NULL;

  1064.   }

  1065.   if (BUF_MEM_grow(buf, 8192) == 0) {

  1066.     goto out;

  1067.   }

  1068. 

  1069.   for (;;) {

  1070.     int n = BIO_read(bio, &buf->data[used], buf->length - used);

  1071.     if (n < 0) {

  1072.       goto out;

  1073.     }

  1074. 

  1075.     if (n == 0) {

  1076.       break;

  1077.     }

  1078.     used += n;

  1079. 

  1080.     if (used < buf->length) {

  1081.       continue;

  1082.     }

  1083. 

  1084.     if (buf->length > kMaxSize ||

  1085.         BUF_MEM_grow(buf, buf->length * 2) == 0) {

  1086.       goto out;

  1087.     }

  1088.   }

  1089. 

  1090.   dummy = (uint8_t*) buf->data;

  1091.   ret = d2i_PKCS12(out_p12, &dummy, used);

  1092. 

  1093. out:

  1094.   BUF_MEM_free(buf);

  1095.   return ret;

  1096. }

  1097. 

  1098. PKCS12* d2i_PKCS12_fp(FILE *fp, PKCS12 **out_p12) {

  1099.   BIO *bio;

  1100.   PKCS12 *ret;

  1101. 

  1102.   bio = BIO_new_fp(fp, 0 /* don't take ownership */);

  1103.   if (!bio) {

  1104.     return NULL;

  1105.   }

  1106. 

  1107.   ret = d2i_PKCS12_bio(bio, out_p12);

  1108.   BIO_free(bio);

  1109.   return ret;

  1110. }

  1111. 

  1112. int PKCS12_parse(const PKCS12 *p12, const char *password, EVP_PKEY **out_pkey,

  1113.                  X509 **out_cert, STACK_OF(X509) **out_ca_certs) {

  1114.   CBS ber_bytes;

  1115.   STACK_OF(X509) *ca_certs = NULL;

  1116.   char ca_certs_alloced = 0;

  1117. 

  1118.   if (out_ca_certs != NULL && *out_ca_certs != NULL) {

  1119.     ca_certs = *out_ca_certs;

  1120.   }

  1121. 

  1122.   if (!ca_certs) {

  1123.     ca_certs = sk_X509_new_null();

  1124.     if (ca_certs == NULL) {

  1125.       return 0;

  1126.     }

  1127.     ca_certs_alloced = 1;

  1128.   }

  1129. 

  1130.   CBS_init(&ber_bytes, p12->ber_bytes, p12->ber_len);

  1131.   if (!PKCS12_get_key_and_certs(out_pkey, ca_certs, &ber_bytes, password)) {

  1132.     if (ca_certs_alloced) {

  1133.       sk_X509_free(ca_certs);

  1134.     }

  1135.     return 0;

  1136.   }

  1137. 

  1138.   *out_cert = NULL;

  1139.   if (sk_X509_num(ca_certs) > 0) {

  1140.     *out_cert = sk_X509_shift(ca_certs);

  1141.   }

  1142. 

  1143.   if (out_ca_certs) {

  1144.     *out_ca_certs = ca_certs;

  1145.   } else {

  1146.     sk_X509_pop_free(ca_certs, X509_free);

  1147.   }

  1148. 

  1149.   return 1;

  1150. }

  1151. 

  1152. void PKCS12_free(PKCS12 *p12) {

  1153.   OPENSSL_free(p12->ber_bytes);

  1154.   OPENSSL_free(p12);

  1155. }