kris
/
boringssl
1
0
Форк 0
Код Проблеми 0 Запити на злиття 0 Релізи 0 Вікі Активність
Ви не можете вибрати більше 25 тем Теми мають розпочинатися з літери або цифри, можуть містити дефіси (-) і не повинні перевищувати 35 символів.
1387 Коміти
12 Гілки
38 MiB
 
 
 
 
 
 
Дерево: cff0b90cbb
Гілки Теги
${ item.name }
Створити гілку ${ searchTerm }
з 'cff0b90cbb'
${ noResults }
boringssl/crypto/pkcs8/pkcs8.c

1160 рядки
33 KiB
Неформатований Звинувачення Історія 

  1. /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL

  2.  * project 1999.

  3.  */

  4. /* ====================================================================

  5.  * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.

  6.  *

  7.  * Redistribution and use in source and binary forms, with or without

  8.  * modification, are permitted provided that the following conditions

  9.  * are met:

  10.  *

  11.  * 1. Redistributions of source code must retain the above copyright

  12.  *    notice, this list of conditions and the following disclaimer.

  13.  *

  14.  * 2. Redistributions in binary form must reproduce the above copyright

  15.  *    notice, this list of conditions and the following disclaimer in

  16.  *    the documentation and/or other materials provided with the

  17.  *    distribution.

  18.  *

  19.  * 3. All advertising materials mentioning features or use of this

  20.  *    software must display the following acknowledgment:

  21.  *    "This product includes software developed by the OpenSSL Project

  22.  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"

  23.  *

  24.  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to

  25.  *    endorse or promote products derived from this software without

  26.  *    prior written permission. For written permission, please contact

  27.  *    licensing@OpenSSL.org.

  28.  *

  29.  * 5. Products derived from this software may not be called "OpenSSL"

  30.  *    nor may "OpenSSL" appear in their names without prior written

  31.  *    permission of the OpenSSL Project.

  32.  *

  33.  * 6. Redistributions of any form whatsoever must retain the following

  34.  *    acknowledgment:

  35.  *    "This product includes software developed by the OpenSSL Project

  36.  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"

  37.  *

  38.  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY

  39.  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  40.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR

  41.  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR

  42.  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,

  43.  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

  44.  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

  45.  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  46.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

  47.  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

  48.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

  49.  * OF THE POSSIBILITY OF SUCH DAMAGE.

  50.  * ====================================================================

  51.  *

  52.  * This product includes cryptographic software written by Eric Young

  53.  * (eay@cryptsoft.com).  This product includes software written by Tim

  54.  * Hudson (tjh@cryptsoft.com). */

  55. 

  56. #include <openssl/pkcs8.h>

  57. 

  58. #include <assert.h>

  59. #include <limits.h>

  60. #include <string.h>

  61. 

  62. #include <openssl/asn1.h>

  63. #include <openssl/bn.h>

  64. #include <openssl/buf.h>

  65. #include <openssl/cipher.h>

  66. #include <openssl/digest.h>

  67. #include <openssl/err.h>

  68. #include <openssl/hmac.h>

  69. #include <openssl/mem.h>

  70. #include <openssl/x509.h>

  71. 

  72. #include "../bytestring/internal.h"

  73. #include "../evp/internal.h"

  74. 

  75. 

  76. #define PKCS12_KEY_ID 1

  77. #define PKCS12_IV_ID 2

  78. #define PKCS12_MAC_ID 3

  79. 

  80. static int ascii_to_ucs2(const char *ascii, size_t ascii_len,

  81.                          uint8_t **out, size_t *out_len) {

  82.   uint8_t *unitmp;

  83.   size_t ulen, i;

  84. 

  85.   ulen = ascii_len * 2 + 2;

  86.   if (ulen < ascii_len) {

  87.     return 0;

  88.   }

  89.   unitmp = OPENSSL_malloc(ulen);

  90.   if (unitmp == NULL) {

  91.     return 0;

  92.   }

  93.   for (i = 0; i < ulen - 2; i += 2) {

  94.     unitmp[i] = 0;

  95.     unitmp[i + 1] = ascii[i >> 1];

  96.   }

  97. 

  98.   /* Make result double null terminated */

  99.   unitmp[ulen - 2] = 0;

  100.   unitmp[ulen - 1] = 0;

  101.   *out_len = ulen;

  102.   *out = unitmp;

  103.   return 1;

  104. }

  105. 

  106. static int pkcs12_key_gen_raw(const uint8_t *pass_raw, size_t pass_raw_len,

  107.                               const uint8_t *salt, size_t salt_len,

  108.                               int id, int iterations,

  109.                               size_t out_len, uint8_t *out,

  110.                               const EVP_MD *md_type) {

  111.   uint8_t *B, *D, *I, *p, *Ai;

  112.   int Slen, Plen, Ilen, Ijlen;

  113.   int i, j, v;

  114.   size_t u;

  115.   int ret = 0;

  116.   BIGNUM *Ij, *Bpl1; /* These hold Ij and B + 1 */

  117.   EVP_MD_CTX ctx;

  118. 

  119.   EVP_MD_CTX_init(&ctx);

  120.   v = EVP_MD_block_size(md_type);

  121.   u = EVP_MD_size(md_type);

  122.   D = OPENSSL_malloc(v);

  123.   Ai = OPENSSL_malloc(u);

  124.   B = OPENSSL_malloc(v + 1);

  125.   Slen = v * ((salt_len + v - 1) / v);

  126.   if (pass_raw_len) {

  127.     Plen = v * ((pass_raw_len + v - 1) / v);

  128.   } else {

  129.     Plen = 0;

  130.   }

  131.   Ilen = Slen + Plen;

  132.   I = OPENSSL_malloc(Ilen);

  133.   Ij = BN_new();

  134.   Bpl1 = BN_new();

  135.   if (!D || !Ai || !B || !I || !Ij || !Bpl1) {

  136.     goto err;

  137.   }

  138.   for (i = 0; i < v; i++) {

  139.     D[i] = id;

  140.   }

  141.   p = I;

  142.   for (i = 0; i < Slen; i++) {

  143.     *p++ = salt[i % salt_len];

  144.   }

  145.   for (i = 0; i < Plen; i++) {

  146.     *p++ = pass_raw[i % pass_raw_len];

  147.   }

  148.   for (;;) {

  149.     if (!EVP_DigestInit_ex(&ctx, md_type, NULL) ||

  150.         !EVP_DigestUpdate(&ctx, D, v) ||

  151.         !EVP_DigestUpdate(&ctx, I, Ilen) ||

  152.         !EVP_DigestFinal_ex(&ctx, Ai, NULL)) {

  153.       goto err;

  154.     }

  155.     for (j = 1; j < iterations; j++) {

  156.       if (!EVP_DigestInit_ex(&ctx, md_type, NULL) ||

  157.           !EVP_DigestUpdate(&ctx, Ai, u) ||

  158.           !EVP_DigestFinal_ex(&ctx, Ai, NULL)) {

  159.         goto err;

  160.       }

  161.     }

  162.     memcpy(out, Ai, out_len < u ? out_len : u);

  163.     if (u >= out_len) {

  164.       ret = 1;

  165.       goto end;

  166.     }

  167.     out_len -= u;

  168.     out += u;

  169.     for (j = 0; j < v; j++) {

  170.       B[j] = Ai[j % u];

  171.     }

  172.     /* Work out B + 1 first then can use B as tmp space */

  173.     if (!BN_bin2bn(B, v, Bpl1) ||

  174.         !BN_add_word(Bpl1, 1)) {

  175.       goto err;

  176.     }

  177.     for (j = 0; j < Ilen; j += v) {

  178.       if (!BN_bin2bn(I + j, v, Ij) ||

  179.           !BN_add(Ij, Ij, Bpl1) ||

  180.           !BN_bn2bin(Ij, B)) {

  181.         goto err;

  182.       }

  183.       Ijlen = BN_num_bytes(Ij);

  184.       /* If more than 2^(v*8) - 1 cut off MSB */

  185.       if (Ijlen > v) {

  186.         if (!BN_bn2bin(Ij, B)) {

  187.           goto err;

  188.         }

  189.         memcpy(I + j, B + 1, v);

  190.         /* If less than v bytes pad with zeroes */

  191.       } else if (Ijlen < v) {

  192.         memset(I + j, 0, v - Ijlen);

  193.         if (!BN_bn2bin(Ij, I + j + v - Ijlen)) {

  194.           goto err;

  195.         }

  196.       } else if (!BN_bn2bin(Ij, I + j)) {

  197.         goto err;

  198.       }

  199.     }

  200.   }

  201. 

  202. err:

  203.   OPENSSL_PUT_ERROR(PKCS8, pkcs12_key_gen_raw, ERR_R_MALLOC_FAILURE);

  204. 

  205. end:

  206.   OPENSSL_free(Ai);

  207.   OPENSSL_free(B);

  208.   OPENSSL_free(D);

  209.   OPENSSL_free(I);

  210.   BN_free(Ij);

  211.   BN_free(Bpl1);

  212.   EVP_MD_CTX_cleanup(&ctx);

  213. 

  214.   return ret;

  215. }

  216. 

  217. static int pkcs12_pbe_keyivgen(EVP_CIPHER_CTX *ctx, const uint8_t *pass_raw,

  218.                                size_t pass_raw_len, ASN1_TYPE *param,

  219.                                const EVP_CIPHER *cipher, const EVP_MD *md,

  220.                                int is_encrypt) {

  221.   PBEPARAM *pbe;

  222.   int salt_len, iterations, ret;

  223.   uint8_t *salt;

  224.   const uint8_t *pbuf;

  225.   uint8_t key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH];

  226. 

  227.   /* Extract useful info from parameter */

  228.   if (param == NULL || param->type != V_ASN1_SEQUENCE ||

  229.       param->value.sequence == NULL) {

  230.     OPENSSL_PUT_ERROR(PKCS8, pkcs12_pbe_keyivgen, PKCS8_R_DECODE_ERROR);

  231.     return 0;

  232.   }

  233. 

  234.   pbuf = param->value.sequence->data;

  235.   pbe = d2i_PBEPARAM(NULL, &pbuf, param->value.sequence->length);

  236.   if (pbe == NULL) {

  237.     OPENSSL_PUT_ERROR(PKCS8, pkcs12_pbe_keyivgen, PKCS8_R_DECODE_ERROR);

  238.     return 0;

  239.   }

  240. 

  241.   if (!pbe->iter) {

  242.     iterations = 1;

  243.   } else {

  244.     iterations = ASN1_INTEGER_get(pbe->iter);

  245.   }

  246.   salt = pbe->salt->data;

  247.   salt_len = pbe->salt->length;

  248.   if (!pkcs12_key_gen_raw(pass_raw, pass_raw_len, salt, salt_len, PKCS12_KEY_ID,

  249.                           iterations, EVP_CIPHER_key_length(cipher), key, md)) {

  250.     OPENSSL_PUT_ERROR(PKCS8, pkcs12_pbe_keyivgen, PKCS8_R_KEY_GEN_ERROR);

  251.     PBEPARAM_free(pbe);

  252.     return 0;

  253.   }

  254.   if (!pkcs12_key_gen_raw(pass_raw, pass_raw_len, salt, salt_len, PKCS12_IV_ID,

  255.                           iterations, EVP_CIPHER_iv_length(cipher), iv, md)) {

  256.     OPENSSL_PUT_ERROR(PKCS8, pkcs12_pbe_keyivgen, PKCS8_R_KEY_GEN_ERROR);

  257.     PBEPARAM_free(pbe);

  258.     return 0;

  259.   }

  260.   PBEPARAM_free(pbe);

  261.   ret = EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, is_encrypt);

  262.   OPENSSL_cleanse(key, EVP_MAX_KEY_LENGTH);

  263.   OPENSSL_cleanse(iv, EVP_MAX_IV_LENGTH);

  264.   return ret;

  265. }

  266. 

  267. typedef int (*keygen_func)(EVP_CIPHER_CTX *ctx, const uint8_t *pass_raw,

  268.                            size_t pass_raw_len, ASN1_TYPE *param,

  269.                            const EVP_CIPHER *cipher, const EVP_MD *md,

  270.                            int is_encrypt);

  271. 

  272. struct pbe_suite {

  273.   int pbe_nid;

  274.   const EVP_CIPHER* (*cipher_func)(void);

  275.   const EVP_MD* (*md_func)(void);

  276.   keygen_func keygen;

  277. };

  278. 

  279. static const struct pbe_suite kBuiltinPBE[] = {

  280.     {

  281.      NID_pbe_WithSHA1And40BitRC2_CBC, EVP_rc2_40_cbc, EVP_sha1, pkcs12_pbe_keyivgen,

  282.     },

  283.     {

  284.      NID_pbe_WithSHA1And128BitRC4, EVP_rc4, EVP_sha1, pkcs12_pbe_keyivgen,

  285.     },

  286.     {

  287.      NID_pbe_WithSHA1And3_Key_TripleDES_CBC, EVP_des_ede3_cbc, EVP_sha1,

  288.      pkcs12_pbe_keyivgen,

  289.     },

  290. };

  291. 

  292. static int pbe_cipher_init(ASN1_OBJECT *pbe_obj,

  293.                            const uint8_t *pass_raw, size_t pass_raw_len,

  294.                            ASN1_TYPE *param,

  295.                            EVP_CIPHER_CTX *ctx, int is_encrypt) {

  296.   const EVP_CIPHER *cipher;

  297.   const EVP_MD *md;

  298.   unsigned i;

  299. 

  300.   const struct pbe_suite *suite = NULL;

  301.   const int pbe_nid = OBJ_obj2nid(pbe_obj);

  302. 

  303.   for (i = 0; i < sizeof(kBuiltinPBE) / sizeof(struct pbe_suite); i++) {

  304.     if (kBuiltinPBE[i].pbe_nid == pbe_nid) {

  305.       suite = &kBuiltinPBE[i];

  306.       break;

  307.     }

  308.   }

  309. 

  310.   if (suite == NULL) {

  311.     char obj_str[80];

  312.     OPENSSL_PUT_ERROR(PKCS8, pbe_cipher_init, PKCS8_R_UNKNOWN_ALGORITHM);

  313.     if (!pbe_obj) {

  314.       strncpy(obj_str, "NULL", sizeof(obj_str));

  315.     } else {

  316.       i2t_ASN1_OBJECT(obj_str, sizeof(obj_str), pbe_obj);

  317.     }

  318.     ERR_add_error_data(2, "TYPE=", obj_str);

  319.     return 0;

  320.   }

  321. 

  322.   if (suite->cipher_func == NULL) {

  323.     cipher = NULL;

  324.   } else {

  325.     cipher = suite->cipher_func();

  326.     if (!cipher) {

  327.       OPENSSL_PUT_ERROR(PKCS8, pbe_cipher_init, PKCS8_R_UNKNOWN_CIPHER);

  328.       return 0;

  329.     }

  330.   }

  331. 

  332.   if (suite->md_func == NULL) {

  333.     md = NULL;

  334.   } else {

  335.     md = suite->md_func();

  336.     if (!md) {

  337.       OPENSSL_PUT_ERROR(PKCS8, pbe_cipher_init, PKCS8_R_UNKNOWN_DIGEST);

  338.       return 0;

  339.     }

  340.   }

  341. 

  342.   if (!suite->keygen(ctx, pass_raw, pass_raw_len, param, cipher, md,

  343.                      is_encrypt)) {

  344.     OPENSSL_PUT_ERROR(PKCS8, pbe_cipher_init, PKCS8_R_KEYGEN_FAILURE);

  345.     return 0;

  346.   }

  347. 

  348.   return 1;

  349. }

  350. 

  351. static int pbe_crypt(const X509_ALGOR *algor,

  352.                      const uint8_t *pass_raw, size_t pass_raw_len,

  353.                      const uint8_t *in, size_t in_len,

  354.                      uint8_t **out, size_t *out_len,

  355.                      int is_encrypt) {

  356.   uint8_t *buf;

  357.   int n, ret = 0;

  358.   EVP_CIPHER_CTX ctx;

  359.   unsigned block_size;

  360. 

  361.   EVP_CIPHER_CTX_init(&ctx);

  362. 

  363.   if (!pbe_cipher_init(algor->algorithm, pass_raw, pass_raw_len,

  364.                        algor->parameter, &ctx, is_encrypt)) {

  365.     OPENSSL_PUT_ERROR(PKCS8, pbe_crypt, PKCS8_R_UNKNOWN_CIPHER_ALGORITHM);

  366.     return 0;

  367.   }

  368.   block_size = EVP_CIPHER_CTX_block_size(&ctx);

  369. 

  370.   if (in_len + block_size < in_len) {

  371.     OPENSSL_PUT_ERROR(PKCS8, pbe_crypt, PKCS8_R_TOO_LONG);

  372.     goto err;

  373.   }

  374. 

  375.   buf = OPENSSL_malloc(in_len + block_size);

  376.   if (buf == NULL) {

  377.     OPENSSL_PUT_ERROR(PKCS8, pbe_crypt, ERR_R_MALLOC_FAILURE);

  378.     goto err;

  379.   }

  380. 

  381.   if (!EVP_CipherUpdate(&ctx, buf, &n, in, in_len)) {

  382.     OPENSSL_free(buf);

  383.     OPENSSL_PUT_ERROR(PKCS8, pbe_crypt, ERR_R_EVP_LIB);

  384.     goto err;

  385.   }

  386.   *out_len = n;

  387. 

  388.   if (!EVP_CipherFinal_ex(&ctx, buf + n, &n)) {

  389.     OPENSSL_free(buf);

  390.     OPENSSL_PUT_ERROR(PKCS8, pbe_crypt, ERR_R_EVP_LIB);

  391.     goto err;

  392.   }

  393.   *out_len += n;

  394.   *out = buf;

  395.   ret = 1;

  396. 

  397. err:

  398.   EVP_CIPHER_CTX_cleanup(&ctx);

  399.   return ret;

  400. }

  401. 

  402. static void *pkcs12_item_decrypt_d2i(X509_ALGOR *algor, const ASN1_ITEM *it,

  403.                                      const uint8_t *pass_raw,

  404.                                      size_t pass_raw_len,

  405.                                      ASN1_OCTET_STRING *oct) {

  406.   uint8_t *out;

  407.   const uint8_t *p;

  408.   void *ret;

  409.   size_t out_len;

  410. 

  411.   if (!pbe_crypt(algor, pass_raw, pass_raw_len, oct->data, oct->length,

  412.                  &out, &out_len, 0 /* decrypt */)) {

  413.     OPENSSL_PUT_ERROR(PKCS8, pkcs12_item_decrypt_d2i, PKCS8_R_CRYPT_ERROR);

  414.     return NULL;

  415.   }

  416.   p = out;

  417.   ret = ASN1_item_d2i(NULL, &p, out_len, it);

  418.   OPENSSL_cleanse(out, out_len);

  419.   if (!ret) {

  420.     OPENSSL_PUT_ERROR(PKCS8, pkcs12_item_decrypt_d2i, PKCS8_R_DECODE_ERROR);

  421.   }

  422.   OPENSSL_free(out);

  423.   return ret;

  424. }

  425. 

  426. PKCS8_PRIV_KEY_INFO *PKCS8_decrypt(X509_SIG *pkcs8, const char *pass,

  427.                                    int pass_len) {

  428.   uint8_t *pass_raw = NULL;

  429.   size_t pass_raw_len = 0;

  430.   PKCS8_PRIV_KEY_INFO *ret;

  431. 

  432.   if (pass) {

  433.     if (pass_len == -1) {

  434.       pass_len = strlen(pass);

  435.     }

  436.     if (!ascii_to_ucs2(pass, pass_len, &pass_raw, &pass_raw_len)) {

  437.       OPENSSL_PUT_ERROR(PKCS8, PKCS8_decrypt, PKCS8_R_DECODE_ERROR);

  438.       return NULL;

  439.     }

  440.   }

  441. 

  442.   ret = PKCS8_decrypt_pbe(pkcs8, pass_raw, pass_raw_len);

  443. 

  444.   if (pass_raw) {

  445.     OPENSSL_cleanse(pass_raw, pass_raw_len);

  446.     OPENSSL_free(pass_raw);

  447.   }

  448.   return ret;

  449. }

  450. 

  451. PKCS8_PRIV_KEY_INFO *PKCS8_decrypt_pbe(X509_SIG *pkcs8, const uint8_t *pass_raw,

  452.                                        size_t pass_raw_len) {

  453.   return pkcs12_item_decrypt_d2i(pkcs8->algor,

  454.                                  ASN1_ITEM_rptr(PKCS8_PRIV_KEY_INFO), pass_raw,

  455.                                  pass_raw_len, pkcs8->digest);

  456. }

  457. 

  458. static ASN1_OCTET_STRING *pkcs12_item_i2d_encrypt(X509_ALGOR *algor,

  459.                                                   const ASN1_ITEM *it,

  460.                                                   const uint8_t *pass_raw,

  461.                                                   size_t pass_raw_len, void *obj) {

  462.   ASN1_OCTET_STRING *oct;

  463.   uint8_t *in = NULL;

  464.   int in_len;

  465.   size_t crypt_len;

  466. 

  467.   oct = M_ASN1_OCTET_STRING_new();

  468.   if (oct == NULL) {

  469.     OPENSSL_PUT_ERROR(PKCS8, pkcs12_item_i2d_encrypt, ERR_R_MALLOC_FAILURE);

  470.     return NULL;

  471.   }

  472.   in_len = ASN1_item_i2d(obj, &in, it);

  473.   if (!in) {

  474.     OPENSSL_PUT_ERROR(PKCS8, pkcs12_item_i2d_encrypt, PKCS8_R_ENCODE_ERROR);

  475.     return NULL;

  476.   }

  477.   if (!pbe_crypt(algor, pass_raw, pass_raw_len, in, in_len, &oct->data, &crypt_len,

  478.                  1 /* encrypt */)) {

  479.     OPENSSL_PUT_ERROR(PKCS8, pkcs12_item_i2d_encrypt, PKCS8_R_ENCRYPT_ERROR);

  480.     OPENSSL_free(in);

  481.     return NULL;

  482.   }

  483.   oct->length = crypt_len;

  484.   OPENSSL_cleanse(in, in_len);

  485.   OPENSSL_free(in);

  486.   return oct;

  487. }

  488. 

  489. X509_SIG *PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher, const char *pass,

  490.                         int pass_len, uint8_t *salt, size_t salt_len,

  491.                         int iterations, PKCS8_PRIV_KEY_INFO *p8inf) {

  492.   uint8_t *pass_raw = NULL;

  493.   size_t pass_raw_len = 0;

  494.   X509_SIG *ret;

  495. 

  496.   if (pass) {

  497.     if (pass_len == -1) {

  498.       pass_len = strlen(pass);

  499.     }

  500.     if (!ascii_to_ucs2(pass, pass_len, &pass_raw, &pass_raw_len)) {

  501.       OPENSSL_PUT_ERROR(PKCS8, PKCS8_encrypt, PKCS8_R_DECODE_ERROR);

  502.       return NULL;

  503.     }

  504.   }

  505. 

  506.   ret = PKCS8_encrypt_pbe(pbe_nid, pass_raw, pass_raw_len,

  507.                           salt, salt_len, iterations, p8inf);

  508. 

  509.   if (pass_raw) {

  510.     OPENSSL_cleanse(pass_raw, pass_raw_len);

  511.     OPENSSL_free(pass_raw);

  512.   }

  513.   return ret;

  514. }

  515. 

  516. X509_SIG *PKCS8_encrypt_pbe(int pbe_nid,

  517.                             const uint8_t *pass_raw, size_t pass_raw_len,

  518.                             uint8_t *salt, size_t salt_len,

  519.                             int iterations, PKCS8_PRIV_KEY_INFO *p8inf) {

  520.   X509_SIG *pkcs8 = NULL;

  521.   X509_ALGOR *pbe;

  522. 

  523.   pkcs8 = X509_SIG_new();

  524.   if (pkcs8 == NULL) {

  525.     OPENSSL_PUT_ERROR(PKCS8, PKCS8_encrypt_pbe, ERR_R_MALLOC_FAILURE);

  526.     goto err;

  527.   }

  528. 

  529.   pbe = PKCS5_pbe_set(pbe_nid, iterations, salt, salt_len);

  530.   if (!pbe) {

  531.     OPENSSL_PUT_ERROR(PKCS8, PKCS8_encrypt_pbe, ERR_R_ASN1_LIB);

  532.     goto err;

  533.   }

  534. 

  535.   X509_ALGOR_free(pkcs8->algor);

  536.   pkcs8->algor = pbe;

  537.   M_ASN1_OCTET_STRING_free(pkcs8->digest);

  538.   pkcs8->digest = pkcs12_item_i2d_encrypt(

  539.       pbe, ASN1_ITEM_rptr(PKCS8_PRIV_KEY_INFO), pass_raw, pass_raw_len, p8inf);

  540.   if (!pkcs8->digest) {

  541.     OPENSSL_PUT_ERROR(PKCS8, PKCS8_encrypt_pbe, PKCS8_R_ENCRYPT_ERROR);

  542.     goto err;

  543.   }

  544. 

  545.   return pkcs8;

  546. 

  547. err:

  548.   X509_SIG_free(pkcs8);

  549.   return NULL;

  550. }

  551. 

  552. EVP_PKEY *EVP_PKCS82PKEY(PKCS8_PRIV_KEY_INFO *p8) {

  553.   EVP_PKEY *pkey = NULL;

  554.   ASN1_OBJECT *algoid;

  555.   char obj_tmp[80];

  556. 

  557.   if (!PKCS8_pkey_get0(&algoid, NULL, NULL, NULL, p8)) {

  558.     return NULL;

  559.   }

  560. 

  561.   pkey = EVP_PKEY_new();

  562.   if (pkey == NULL) {

  563.     OPENSSL_PUT_ERROR(PKCS8, EVP_PKCS82PKEY, ERR_R_MALLOC_FAILURE);

  564.     return NULL;

  565.   }

  566. 

  567.   if (!EVP_PKEY_set_type(pkey, OBJ_obj2nid(algoid))) {

  568.     OPENSSL_PUT_ERROR(PKCS8, EVP_PKCS82PKEY,

  569.                       PKCS8_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM);

  570.     i2t_ASN1_OBJECT(obj_tmp, 80, algoid);

  571.     ERR_add_error_data(2, "TYPE=", obj_tmp);

  572.     goto error;

  573.   }

  574. 

  575.   if (pkey->ameth->priv_decode) {

  576.     if (!pkey->ameth->priv_decode(pkey, p8)) {

  577.       OPENSSL_PUT_ERROR(PKCS8, EVP_PKCS82PKEY, PKCS8_R_PRIVATE_KEY_DECODE_ERROR);

  578.       goto error;

  579.     }

  580.   } else {

  581.     OPENSSL_PUT_ERROR(PKCS8, EVP_PKCS82PKEY, PKCS8_R_METHOD_NOT_SUPPORTED);

  582.     goto error;

  583.   }

  584. 

  585.   return pkey;

  586. 

  587. error:

  588.   EVP_PKEY_free(pkey);

  589.   return NULL;

  590. }

  591. 

  592. PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8(EVP_PKEY *pkey) {

  593.   PKCS8_PRIV_KEY_INFO *p8;

  594. 

  595.   p8 = PKCS8_PRIV_KEY_INFO_new();

  596.   if (p8 == NULL) {

  597.     OPENSSL_PUT_ERROR(PKCS8, EVP_PKEY2PKCS8, ERR_R_MALLOC_FAILURE);

  598.     return NULL;

  599.   }

  600.   p8->broken = PKCS8_OK;

  601. 

  602.   if (pkey->ameth) {

  603.     if (pkey->ameth->priv_encode) {

  604.       if (!pkey->ameth->priv_encode(p8, pkey)) {

  605.         OPENSSL_PUT_ERROR(PKCS8, EVP_PKEY2PKCS8,

  606.                           PKCS8_R_PRIVATE_KEY_ENCODE_ERROR);

  607.         goto error;

  608.       }

  609.     } else {

  610.       OPENSSL_PUT_ERROR(PKCS8, EVP_PKEY2PKCS8, PKCS8_R_METHOD_NOT_SUPPORTED);

  611.       goto error;

  612.     }

  613.   } else {

  614.     OPENSSL_PUT_ERROR(PKCS8, EVP_PKEY2PKCS8,

  615.                       PKCS8_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM);

  616.     goto error;

  617.   }

  618.   return p8;

  619. 

  620. error:

  621.   PKCS8_PRIV_KEY_INFO_free(p8);

  622.   return NULL;

  623. }

  624. 

  625. struct pkcs12_context {

  626.   EVP_PKEY **out_key;

  627.   STACK_OF(X509) *out_certs;

  628.   uint8_t *password;

  629.   size_t password_len;

  630. };

  631. 

  632. static int PKCS12_handle_content_info(CBS *content_info, unsigned depth,

  633.                                       struct pkcs12_context *ctx);

  634. 

  635. /* PKCS12_handle_content_infos parses a series of PKCS#7 ContentInfos in a

  636.  * SEQUENCE. */

  637. static int PKCS12_handle_content_infos(CBS *content_infos,

  638.                                        unsigned depth,

  639.                                        struct pkcs12_context *ctx) {

  640.   uint8_t *der_bytes = NULL;

  641.   size_t der_len;

  642.   CBS in;

  643.   int ret = 0;

  644. 

  645.   /* Generally we only expect depths 0 (the top level, with a

  646.    * pkcs7-encryptedData and a pkcs7-data) and depth 1 (the various PKCS#12

  647.    * bags). */

  648.   if (depth > 3) {

  649.     OPENSSL_PUT_ERROR(PKCS8, PKCS12_handle_content_infos,

  650.                       PKCS8_R_PKCS12_TOO_DEEPLY_NESTED);

  651.     return 0;

  652.   }

  653. 

  654.   /* Although a BER->DER conversion is done at the beginning of |PKCS12_parse|,

  655.    * the ASN.1 data gets wrapped in OCTETSTRINGs and/or encrypted and the

  656.    * conversion cannot see through those wrappings. So each time we step

  657.    * through one we need to convert to DER again. */

  658.   if (!CBS_asn1_ber_to_der(content_infos, &der_bytes, &der_len)) {

  659.     return 0;

  660.   }

  661. 

  662.   if (der_bytes != NULL) {

  663.     CBS_init(&in, der_bytes, der_len);

  664.   } else {

  665.     CBS_init(&in, CBS_data(content_infos), CBS_len(content_infos));

  666.   }

  667. 

  668.   if (!CBS_get_asn1(&in, &in, CBS_ASN1_SEQUENCE)) {

  669.     OPENSSL_PUT_ERROR(PKCS8, PKCS12_handle_content_infos,

  670.                       PKCS8_R_BAD_PKCS12_DATA);

  671.     goto err;

  672.   }

  673. 

  674.   while (CBS_len(&in) > 0) {

  675.     CBS content_info;

  676.     if (!CBS_get_asn1(&in, &content_info, CBS_ASN1_SEQUENCE)) {

  677.       OPENSSL_PUT_ERROR(PKCS8, PKCS12_handle_content_infos,

  678.                         PKCS8_R_BAD_PKCS12_DATA);

  679.       goto err;

  680.     }

  681. 

  682.     if (!PKCS12_handle_content_info(&content_info, depth + 1, ctx)) {

  683.       goto err;

  684.     }

  685.   }

  686. 

  687.   /* NSS includes additional data after the SEQUENCE, but it's an (unwrapped)

  688.    * copy of the same encrypted private key (with the same IV and

  689.    * ciphertext)! */

  690. 

  691.   ret = 1;

  692. 

  693. err:

  694.   OPENSSL_free(der_bytes);

  695.   return ret;

  696. }

  697. 

  698. /* PKCS12_handle_content_info parses a single PKCS#7 ContentInfo element in a

  699.  * PKCS#12 structure. */

  700. static int PKCS12_handle_content_info(CBS *content_info, unsigned depth,

  701.                                       struct pkcs12_context *ctx) {

  702.   CBS content_type, wrapped_contents, contents, content_infos;

  703.   int nid, ret = 0;

  704. 

  705.   if (!CBS_get_asn1(content_info, &content_type, CBS_ASN1_OBJECT) ||

  706.       !CBS_get_asn1(content_info, &wrapped_contents,

  707.                         CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0)) {

  708.     OPENSSL_PUT_ERROR(PKCS8, PKCS12_handle_content_info,

  709.                       PKCS8_R_BAD_PKCS12_DATA);

  710.     goto err;

  711.   }

  712. 

  713.   nid = OBJ_cbs2nid(&content_type);

  714.   if (nid == NID_pkcs7_encrypted) {

  715.     /* See https://tools.ietf.org/html/rfc2315#section-13.

  716.      *

  717.      * PKCS#7 encrypted data inside a PKCS#12 structure is generally an

  718.      * encrypted certificate bag and it's generally encrypted with 40-bit

  719.      * RC2-CBC. */

  720.     CBS version_bytes, eci, contents_type, ai, encrypted_contents;

  721.     X509_ALGOR *algor = NULL;

  722.     const uint8_t *inp;

  723.     uint8_t *out;

  724.     size_t out_len;

  725. 

  726.     if (!CBS_get_asn1(&wrapped_contents, &contents, CBS_ASN1_SEQUENCE) ||

  727.         !CBS_get_asn1(&contents, &version_bytes, CBS_ASN1_INTEGER) ||

  728.         /* EncryptedContentInfo, see

  729.          * https://tools.ietf.org/html/rfc2315#section-10.1 */

  730.         !CBS_get_asn1(&contents, &eci, CBS_ASN1_SEQUENCE) ||

  731.         !CBS_get_asn1(&eci, &contents_type, CBS_ASN1_OBJECT) ||

  732.         /* AlgorithmIdentifier, see

  733.          * https://tools.ietf.org/html/rfc5280#section-4.1.1.2 */

  734.         !CBS_get_asn1_element(&eci, &ai, CBS_ASN1_SEQUENCE) ||

  735.         !CBS_get_asn1(&eci, &encrypted_contents,

  736.                       CBS_ASN1_CONTEXT_SPECIFIC | 0)) {

  737.       OPENSSL_PUT_ERROR(PKCS8, PKCS12_handle_content_info,

  738.                         PKCS8_R_BAD_PKCS12_DATA);

  739.       goto err;

  740.     }

  741. 

  742.     if (OBJ_cbs2nid(&contents_type) != NID_pkcs7_data) {

  743.       OPENSSL_PUT_ERROR(PKCS8, PKCS12_handle_content_info,

  744.                         PKCS8_R_BAD_PKCS12_DATA);

  745.       goto err;

  746.     }

  747. 

  748.     inp = CBS_data(&ai);

  749.     algor = d2i_X509_ALGOR(NULL, &inp, CBS_len(&ai));

  750.     if (algor == NULL) {

  751.       goto err;

  752.     }

  753.     if (inp != CBS_data(&ai) + CBS_len(&ai)) {

  754.       X509_ALGOR_free(algor);

  755.       OPENSSL_PUT_ERROR(PKCS8, PKCS12_handle_content_info,

  756.                         PKCS8_R_BAD_PKCS12_DATA);

  757.       goto err;

  758.     }

  759. 

  760.     if (!pbe_crypt(algor, ctx->password, ctx->password_len,

  761.                    CBS_data(&encrypted_contents), CBS_len(&encrypted_contents),

  762.                    &out, &out_len, 0 /* decrypt */)) {

  763.       X509_ALGOR_free(algor);

  764.       goto err;

  765.     }

  766.     X509_ALGOR_free(algor);

  767. 

  768.     CBS_init(&content_infos, out, out_len);

  769.     ret = PKCS12_handle_content_infos(&content_infos, depth + 1, ctx);

  770.     OPENSSL_free(out);

  771.   } else if (nid == NID_pkcs7_data) {

  772.     CBS octet_string_contents;

  773. 

  774.     if (!CBS_get_asn1(&wrapped_contents, &octet_string_contents,

  775.                           CBS_ASN1_OCTETSTRING)) {

  776.       OPENSSL_PUT_ERROR(PKCS8, PKCS12_handle_content_info,

  777.                         PKCS8_R_BAD_PKCS12_DATA);

  778.       goto err;

  779.     }

  780. 

  781.     ret = PKCS12_handle_content_infos(&octet_string_contents, depth + 1, ctx);

  782.   } else if (nid == NID_pkcs8ShroudedKeyBag) {

  783.     /* See ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-12/pkcs-12v1.pdf, section

  784.      * 4.2.2. */

  785.     const uint8_t *inp = CBS_data(&wrapped_contents);

  786.     PKCS8_PRIV_KEY_INFO *pki = NULL;

  787.     X509_SIG *encrypted = NULL;

  788. 

  789.     if (*ctx->out_key) {

  790.       OPENSSL_PUT_ERROR(PKCS8, PKCS12_handle_content_info,

  791.                         PKCS8_R_MULTIPLE_PRIVATE_KEYS_IN_PKCS12);

  792.       goto err;

  793.     }

  794. 

  795.     /* encrypted isn't actually an X.509 signature, but it has the same

  796.      * structure as one and so |X509_SIG| is reused to store it. */

  797.     encrypted = d2i_X509_SIG(NULL, &inp, CBS_len(&wrapped_contents));

  798.     if (encrypted == NULL) {

  799.       OPENSSL_PUT_ERROR(PKCS8, PKCS12_handle_content_info,

  800.                         PKCS8_R_BAD_PKCS12_DATA);

  801.       goto err;

  802.     }

  803.     if (inp != CBS_data(&wrapped_contents) + CBS_len(&wrapped_contents)) {

  804.       OPENSSL_PUT_ERROR(PKCS8, PKCS12_handle_content_info,

  805.                         PKCS8_R_BAD_PKCS12_DATA);

  806.       X509_SIG_free(encrypted);

  807.       goto err;

  808.     }

  809. 

  810.     pki = PKCS8_decrypt_pbe(encrypted, ctx->password, ctx->password_len);

  811.     X509_SIG_free(encrypted);

  812.     if (pki == NULL) {

  813.       goto err;

  814.     }

  815. 

  816.     *ctx->out_key = EVP_PKCS82PKEY(pki);

  817.     PKCS8_PRIV_KEY_INFO_free(pki);

  818. 

  819.     if (ctx->out_key == NULL) {

  820.       goto err;

  821.     }

  822.     ret = 1;

  823.   } else if (nid == NID_certBag) {

  824.     CBS cert_bag, cert_type, wrapped_cert, cert;

  825. 

  826.     if (!CBS_get_asn1(&wrapped_contents, &cert_bag, CBS_ASN1_SEQUENCE) ||

  827.         !CBS_get_asn1(&cert_bag, &cert_type, CBS_ASN1_OBJECT) ||

  828.         !CBS_get_asn1(&cert_bag, &wrapped_cert,

  829.                       CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0) ||

  830.         !CBS_get_asn1(&wrapped_cert, &cert, CBS_ASN1_OCTETSTRING)) {

  831.       OPENSSL_PUT_ERROR(PKCS8, PKCS12_handle_content_info,

  832.                         PKCS8_R_BAD_PKCS12_DATA);

  833.       goto err;

  834.     }

  835. 

  836.     if (OBJ_cbs2nid(&cert_type) == NID_x509Certificate) {

  837.       const uint8_t *inp = CBS_data(&cert);

  838.       X509 *x509 = d2i_X509(NULL, &inp, CBS_len(&cert));

  839.       if (!x509) {

  840.         OPENSSL_PUT_ERROR(PKCS8, PKCS12_handle_content_info,

  841.                           PKCS8_R_BAD_PKCS12_DATA);

  842.         goto err;

  843.       }

  844.       if (inp != CBS_data(&cert) + CBS_len(&cert)) {

  845.         OPENSSL_PUT_ERROR(PKCS8, PKCS12_handle_content_info,

  846.                           PKCS8_R_BAD_PKCS12_DATA);

  847.         X509_free(x509);

  848.         goto err;

  849.       }

  850. 

  851.       if (0 == sk_X509_push(ctx->out_certs, x509)) {

  852.         X509_free(x509);

  853.         goto err;

  854.       }

  855.     }

  856.     ret = 1;

  857.   } else {

  858.     /* Unknown element type - ignore it. */

  859.     ret = 1;

  860.   }

  861. 

  862. err:

  863.   return ret;

  864. }

  865. 

  866. int PKCS12_get_key_and_certs(EVP_PKEY **out_key, STACK_OF(X509) *out_certs,

  867.                              CBS *ber_in, const char *password) {

  868.   uint8_t *der_bytes = NULL;

  869.   size_t der_len;

  870.   CBS in, pfx, mac_data, authsafe, content_type, wrapped_authsafes, authsafes;

  871.   uint64_t version;

  872.   int ret = 0;

  873.   struct pkcs12_context ctx;

  874.   const size_t original_out_certs_len = sk_X509_num(out_certs);

  875. 

  876.   /* The input may be in BER format. */

  877.   if (!CBS_asn1_ber_to_der(ber_in, &der_bytes, &der_len)) {

  878.     return 0;

  879.   }

  880.   if (der_bytes != NULL) {

  881.     CBS_init(&in, der_bytes, der_len);

  882.   } else {

  883.     CBS_init(&in, CBS_data(ber_in), CBS_len(ber_in));

  884.   }

  885. 

  886.   *out_key = NULL;

  887.   memset(&ctx, 0, sizeof(ctx));

  888. 

  889.   /* See ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-12/pkcs-12v1.pdf, section

  890.    * four. */

  891.   if (!CBS_get_asn1(&in, &pfx, CBS_ASN1_SEQUENCE) ||

  892.       CBS_len(&in) != 0 ||

  893.       !CBS_get_asn1_uint64(&pfx, &version)) {

  894.     OPENSSL_PUT_ERROR(PKCS8, PKCS12_get_key_and_certs, PKCS8_R_BAD_PKCS12_DATA);

  895.     goto err;

  896.   }

  897. 

  898.   if (version < 3) {

  899.     OPENSSL_PUT_ERROR(PKCS8, PKCS12_get_key_and_certs,

  900.                       PKCS8_R_BAD_PKCS12_VERSION);

  901.     goto err;

  902.   }

  903. 

  904.   if (!CBS_get_asn1(&pfx, &authsafe, CBS_ASN1_SEQUENCE)) {

  905.     OPENSSL_PUT_ERROR(PKCS8, PKCS12_get_key_and_certs, PKCS8_R_BAD_PKCS12_DATA);

  906.     goto err;

  907.   }

  908. 

  909.   if (CBS_len(&pfx) == 0) {

  910.     OPENSSL_PUT_ERROR(PKCS8, PKCS12_get_key_and_certs, PKCS8_R_MISSING_MAC);

  911.     goto err;

  912.   }

  913. 

  914.   if (!CBS_get_asn1(&pfx, &mac_data, CBS_ASN1_SEQUENCE)) {

  915.     OPENSSL_PUT_ERROR(PKCS8, PKCS12_get_key_and_certs, PKCS8_R_BAD_PKCS12_DATA);

  916.     goto err;

  917.   }

  918. 

  919.   /* authsafe is a PKCS#7 ContentInfo. See

  920.    * https://tools.ietf.org/html/rfc2315#section-7. */

  921.   if (!CBS_get_asn1(&authsafe, &content_type, CBS_ASN1_OBJECT) ||

  922.       !CBS_get_asn1(&authsafe, &wrapped_authsafes,

  923.                         CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0)) {

  924.     OPENSSL_PUT_ERROR(PKCS8, PKCS12_get_key_and_certs, PKCS8_R_BAD_PKCS12_DATA);

  925.     goto err;

  926.   }

  927. 

  928.   /* The content type can either be |NID_pkcs7_data| or |NID_pkcs7_signed|. The

  929.    * latter indicates that it's signed by a public key, which isn't

  930.    * supported. */

  931.   if (OBJ_cbs2nid(&content_type) != NID_pkcs7_data) {

  932.     OPENSSL_PUT_ERROR(PKCS8, PKCS12_get_key_and_certs,

  933.                       PKCS8_R_PKCS12_PUBLIC_KEY_INTEGRITY_NOT_SUPPORTED);

  934.     goto err;

  935.   }

  936. 

  937.   if (!CBS_get_asn1(&wrapped_authsafes, &authsafes, CBS_ASN1_OCTETSTRING)) {

  938.     OPENSSL_PUT_ERROR(PKCS8, PKCS12_get_key_and_certs, PKCS8_R_BAD_PKCS12_DATA);

  939.     goto err;

  940.   }

  941. 

  942.   ctx.out_key = out_key;

  943.   ctx.out_certs = out_certs;

  944.   if (!ascii_to_ucs2(password, strlen(password), &ctx.password,

  945.                      &ctx.password_len)) {

  946.     OPENSSL_PUT_ERROR(PKCS8, PKCS12_get_key_and_certs, PKCS8_R_DECODE_ERROR);

  947.     goto err;

  948.   }

  949. 

  950.   /* Verify the MAC. */

  951.   {

  952.     CBS mac, hash_type_seq, hash_oid, salt, expected_mac;

  953.     uint64_t iterations;

  954.     int hash_nid;

  955.     const EVP_MD *md;

  956.     uint8_t hmac_key[EVP_MAX_MD_SIZE];

  957.     uint8_t hmac[EVP_MAX_MD_SIZE];

  958.     unsigned hmac_len;

  959. 

  960.     if (!CBS_get_asn1(&mac_data, &mac, CBS_ASN1_SEQUENCE) ||

  961.         !CBS_get_asn1(&mac, &hash_type_seq, CBS_ASN1_SEQUENCE) ||

  962.         !CBS_get_asn1(&hash_type_seq, &hash_oid, CBS_ASN1_OBJECT) ||

  963.         !CBS_get_asn1(&mac, &expected_mac, CBS_ASN1_OCTETSTRING) ||

  964.         !CBS_get_asn1(&mac_data, &salt, CBS_ASN1_OCTETSTRING)) {

  965.       OPENSSL_PUT_ERROR(PKCS8, PKCS12_get_key_and_certs, PKCS8_R_BAD_PKCS12_DATA);

  966.       goto err;

  967.     }

  968. 

  969.     /* The iteration count is optional and the default is one. */

  970.     iterations = 1;

  971.     if (CBS_len(&mac_data) > 0) {

  972.       if (!CBS_get_asn1_uint64(&mac_data, &iterations) ||

  973.           iterations > INT_MAX) {

  974.         OPENSSL_PUT_ERROR(PKCS8, PKCS12_get_key_and_certs,

  975.                           PKCS8_R_BAD_PKCS12_DATA);

  976.         goto err;

  977.       }

  978.     }

  979. 

  980.     hash_nid = OBJ_cbs2nid(&hash_oid);

  981.     if (hash_nid == NID_undef ||

  982.         (md = EVP_get_digestbynid(hash_nid)) == NULL) {

  983.       OPENSSL_PUT_ERROR(PKCS8, PKCS12_get_key_and_certs, PKCS8_R_UNKNOWN_HASH);

  984.       goto err;

  985.     }

  986. 

  987.     if (!pkcs12_key_gen_raw(ctx.password, ctx.password_len, CBS_data(&salt),

  988.                             CBS_len(&salt), PKCS12_MAC_ID, iterations,

  989.                             EVP_MD_size(md), hmac_key, md)) {

  990.       goto err;

  991.     }

  992. 

  993.     if (NULL == HMAC(md, hmac_key, EVP_MD_size(md), CBS_data(&authsafes),

  994.                      CBS_len(&authsafes), hmac, &hmac_len)) {

  995.       goto err;

  996.     }

  997. 

  998.     if (!CBS_mem_equal(&expected_mac, hmac, hmac_len)) {

  999.       OPENSSL_PUT_ERROR(PKCS8, PKCS12_get_key_and_certs,

  1000.                         PKCS8_R_INCORRECT_PASSWORD);

  1001.       goto err;

  1002.     }

  1003.   }

  1004. 

  1005.   /* authsafes contains a series of PKCS#7 ContentInfos. */

  1006.   if (!PKCS12_handle_content_infos(&authsafes, 0, &ctx)) {

  1007.     goto err;

  1008.   }

  1009. 

  1010.   ret = 1;

  1011. 

  1012. err:

  1013.   OPENSSL_free(ctx.password);

  1014.   OPENSSL_free(der_bytes);

  1015.   if (!ret) {

  1016.     EVP_PKEY_free(*out_key);

  1017.     *out_key = NULL;

  1018.     while (sk_X509_num(out_certs) > original_out_certs_len) {

  1019.       X509 *x509 = sk_X509_pop(out_certs);

  1020.       X509_free(x509);

  1021.     }

  1022.   }

  1023. 

  1024.   return ret;

  1025. }

  1026. 

  1027. void PKCS12_PBE_add(void) {}

  1028. 

  1029. struct pkcs12_st {

  1030.   uint8_t *ber_bytes;

  1031.   size_t ber_len;

  1032. };

  1033. 

  1034. PKCS12* d2i_PKCS12(PKCS12 **out_p12, const uint8_t **ber_bytes, size_t ber_len) {

  1035.   PKCS12 *p12;

  1036. 

  1037.   /* out_p12 must be NULL because we don't export the PKCS12 structure. */

  1038.   assert(out_p12 == NULL);

  1039. 

  1040.   p12 = OPENSSL_malloc(sizeof(PKCS12));

  1041.   if (!p12) {

  1042.     return NULL;

  1043.   }

  1044. 

  1045.   p12->ber_bytes = OPENSSL_malloc(ber_len);

  1046.   if (!p12->ber_bytes) {

  1047.     OPENSSL_free(p12);

  1048.     return NULL;

  1049.   }

  1050. 

  1051.   memcpy(p12->ber_bytes, *ber_bytes, ber_len);

  1052.   p12->ber_len = ber_len;

  1053.   *ber_bytes += ber_len;

  1054. 

  1055.   return p12;

  1056. }

  1057. 

  1058. PKCS12* d2i_PKCS12_bio(BIO *bio, PKCS12 **out_p12) {

  1059.   size_t used = 0;

  1060.   BUF_MEM *buf;

  1061.   const uint8_t *dummy;

  1062.   static const size_t kMaxSize = 256 * 1024;

  1063.   PKCS12 *ret = NULL;

  1064. 

  1065.   buf = BUF_MEM_new();

  1066.   if (buf == NULL) {

  1067.     return NULL;

  1068.   }

  1069.   if (BUF_MEM_grow(buf, 8192) == 0) {

  1070.     goto out;

  1071.   }

  1072. 

  1073.   for (;;) {

  1074.     int n = BIO_read(bio, &buf->data[used], buf->length - used);

  1075.     if (n < 0) {

  1076.       goto out;

  1077.     }

  1078. 

  1079.     if (n == 0) {

  1080.       break;

  1081.     }

  1082.     used += n;

  1083. 

  1084.     if (used < buf->length) {

  1085.       continue;

  1086.     }

  1087. 

  1088.     if (buf->length > kMaxSize ||

  1089.         BUF_MEM_grow(buf, buf->length * 2) == 0) {

  1090.       goto out;

  1091.     }

  1092.   }

  1093. 

  1094.   dummy = (uint8_t*) buf->data;

  1095.   ret = d2i_PKCS12(out_p12, &dummy, used);

  1096. 

  1097. out:

  1098.   BUF_MEM_free(buf);

  1099.   return ret;

  1100. }

  1101. 

  1102. PKCS12* d2i_PKCS12_fp(FILE *fp, PKCS12 **out_p12) {

  1103.   BIO *bio;

  1104.   PKCS12 *ret;

  1105. 

  1106.   bio = BIO_new_fp(fp, 0 /* don't take ownership */);

  1107.   if (!bio) {

  1108.     return NULL;

  1109.   }

  1110. 

  1111.   ret = d2i_PKCS12_bio(bio, out_p12);

  1112.   BIO_free(bio);

  1113.   return ret;

  1114. }

  1115. 

  1116. int PKCS12_parse(const PKCS12 *p12, const char *password, EVP_PKEY **out_pkey,

  1117.                  X509 **out_cert, STACK_OF(X509) **out_ca_certs) {

  1118.   CBS ber_bytes;

  1119.   STACK_OF(X509) *ca_certs = NULL;

  1120.   char ca_certs_alloced = 0;

  1121. 

  1122.   if (out_ca_certs != NULL && *out_ca_certs != NULL) {

  1123.     ca_certs = *out_ca_certs;

  1124.   }

  1125. 

  1126.   if (!ca_certs) {

  1127.     ca_certs = sk_X509_new_null();

  1128.     if (ca_certs == NULL) {

  1129.       return 0;

  1130.     }

  1131.     ca_certs_alloced = 1;

  1132.   }

  1133. 

  1134.   CBS_init(&ber_bytes, p12->ber_bytes, p12->ber_len);

  1135.   if (!PKCS12_get_key_and_certs(out_pkey, ca_certs, &ber_bytes, password)) {

  1136.     if (ca_certs_alloced) {

  1137.       sk_X509_free(ca_certs);

  1138.     }

  1139.     return 0;

  1140.   }

  1141. 

  1142.   *out_cert = NULL;

  1143.   if (sk_X509_num(ca_certs) > 0) {

  1144.     *out_cert = sk_X509_shift(ca_certs);

  1145.   }

  1146. 

  1147.   if (out_ca_certs) {

  1148.     *out_ca_certs = ca_certs;

  1149.   } else {

  1150.     sk_X509_pop_free(ca_certs, X509_free);

  1151.   }

  1152. 

  1153.   return 1;

  1154. }

  1155. 

  1156. void PKCS12_free(PKCS12 *p12) {

  1157.   OPENSSL_free(p12->ber_bytes);

  1158.   OPENSSL_free(p12);

  1159. }