pkcs8.c revision 7c0d06c221ce9edf44bbf978b909b38a0aee2084
1/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL 2 * project 1999. 3 */ 4/* ==================================================================== 5 * Copyright (c) 1999 The OpenSSL Project. All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in 16 * the documentation and/or other materials provided with the 17 * distribution. 18 * 19 * 3. All advertising materials mentioning features or use of this 20 * software must display the following acknowledgment: 21 * "This product includes software developed by the OpenSSL Project 22 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 23 * 24 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 25 * endorse or promote products derived from this software without 26 * prior written permission. For written permission, please contact 27 * licensing@OpenSSL.org. 28 * 29 * 5. Products derived from this software may not be called "OpenSSL" 30 * nor may "OpenSSL" appear in their names without prior written 31 * permission of the OpenSSL Project. 32 * 33 * 6. Redistributions of any form whatsoever must retain the following 34 * acknowledgment: 35 * "This product includes software developed by the OpenSSL Project 36 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 37 * 38 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 39 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 40 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 41 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 42 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 43 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 44 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 45 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 46 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 47 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 48 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 49 * OF THE POSSIBILITY OF SUCH DAMAGE. 50 * ==================================================================== 51 * 52 * This product includes cryptographic software written by Eric Young 53 * (eay@cryptsoft.com). This product includes software written by Tim 54 * Hudson (tjh@cryptsoft.com). */ 55 56#include <openssl/pkcs8.h> 57 58#include <assert.h> 59#include <limits.h> 60#include <string.h> 61 62#include <openssl/asn1.h> 63#include <openssl/buf.h> 64#include <openssl/bytestring.h> 65#include <openssl/cipher.h> 66#include <openssl/digest.h> 67#include <openssl/err.h> 68#include <openssl/hmac.h> 69#include <openssl/mem.h> 70#include <openssl/obj.h> 71#include <openssl/x509.h> 72 73#include "internal.h" 74#include "../internal.h" 75#include "../bytestring/internal.h" 76 77 78#define PKCS12_KEY_ID 1 79#define PKCS12_IV_ID 2 80#define PKCS12_MAC_ID 3 81 82static int ascii_to_ucs2(const char *ascii, size_t ascii_len, 83 uint8_t **out, size_t *out_len) { 84 uint8_t *unitmp; 85 size_t ulen, i; 86 87 ulen = ascii_len * 2 + 2; 88 if (ulen < ascii_len) { 89 return 0; 90 } 91 unitmp = OPENSSL_malloc(ulen); 92 if (unitmp == NULL) { 93 return 0; 94 } 95 for (i = 0; i < ulen - 2; i += 2) { 96 unitmp[i] = 0; 97 unitmp[i + 1] = ascii[i >> 1]; 98 } 99 100 /* Make result double null terminated */ 101 unitmp[ulen - 2] = 0; 102 unitmp[ulen - 1] = 0; 103 *out_len = ulen; 104 *out = unitmp; 105 return 1; 106} 107 108static int pkcs12_key_gen_raw(const uint8_t *pass_raw, size_t pass_raw_len, 109 const uint8_t *salt, size_t salt_len, 110 uint8_t id, int iterations, 111 size_t out_len, uint8_t *out, 112 const EVP_MD *md) { 113 /* See https://tools.ietf.org/html/rfc7292#appendix-B. Quoted parts of the 114 * specification have errata applied and other typos fixed. */ 115 116 if (iterations < 1) { 117 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_ITERATION_COUNT); 118 return 0; 119 } 120 121 /* In the spec, |block_size| is called "v", but measured in bits. */ 122 size_t block_size = EVP_MD_block_size(md); 123 124 /* 1. Construct a string, D (the "diversifier"), by concatenating v/8 copies 125 * of ID. */ 126 uint8_t D[EVP_MAX_MD_BLOCK_SIZE]; 127 memset(D, id, block_size); 128 129 /* 2. Concatenate copies of the salt together to create a string S of length 130 * v(ceiling(s/v)) bits (the final copy of the salt may be truncated to 131 * create S). Note that if the salt is the empty string, then so is S. 132 * 133 * 3. Concatenate copies of the password together to create a string P of 134 * length v(ceiling(p/v)) bits (the final copy of the password may be 135 * truncated to create P). Note that if the password is the empty string, 136 * then so is P. 137 * 138 * 4. Set I=S||P to be the concatenation of S and P. */ 139 if (salt_len + block_size - 1 < salt_len || 140 pass_raw_len + block_size - 1 < pass_raw_len) { 141 OPENSSL_PUT_ERROR(PKCS8, ERR_R_OVERFLOW); 142 return 0; 143 } 144 size_t S_len = block_size * ((salt_len + block_size - 1) / block_size); 145 size_t P_len = block_size * ((pass_raw_len + block_size - 1) / block_size); 146 size_t I_len = S_len + P_len; 147 if (I_len < S_len) { 148 OPENSSL_PUT_ERROR(PKCS8, ERR_R_OVERFLOW); 149 return 0; 150 } 151 152 uint8_t *I = OPENSSL_malloc(I_len); 153 if (I_len != 0 && I == NULL) { 154 OPENSSL_PUT_ERROR(PKCS8, ERR_R_MALLOC_FAILURE); 155 return 0; 156 } 157 158 for (size_t i = 0; i < S_len; i++) { 159 I[i] = salt[i % salt_len]; 160 } 161 for (size_t i = 0; i < P_len; i++) { 162 I[i + S_len] = pass_raw[i % pass_raw_len]; 163 } 164 165 int ret = 0; 166 EVP_MD_CTX ctx; 167 EVP_MD_CTX_init(&ctx); 168 169 while (out_len != 0) { 170 /* A. Set A_i=H^r(D||I). (i.e., the r-th hash of D||I, 171 * H(H(H(... H(D||I)))) */ 172 uint8_t A[EVP_MAX_MD_SIZE]; 173 unsigned A_len; 174 if (!EVP_DigestInit_ex(&ctx, md, NULL) || 175 !EVP_DigestUpdate(&ctx, D, block_size) || 176 !EVP_DigestUpdate(&ctx, I, I_len) || 177 !EVP_DigestFinal_ex(&ctx, A, &A_len)) { 178 goto err; 179 } 180 for (int iter = 1; iter < iterations; iter++) { 181 if (!EVP_DigestInit_ex(&ctx, md, NULL) || 182 !EVP_DigestUpdate(&ctx, A, A_len) || 183 !EVP_DigestFinal_ex(&ctx, A, &A_len)) { 184 goto err; 185 } 186 } 187 188 size_t todo = out_len < A_len ? out_len : A_len; 189 memcpy(out, A, todo); 190 out += todo; 191 out_len -= todo; 192 if (out_len == 0) { 193 break; 194 } 195 196 /* B. Concatenate copies of A_i to create a string B of length v bits (the 197 * final copy of A_i may be truncated to create B). */ 198 uint8_t B[EVP_MAX_MD_BLOCK_SIZE]; 199 for (size_t i = 0; i < block_size; i++) { 200 B[i] = A[i % A_len]; 201 } 202 203 /* C. Treating I as a concatenation I_0, I_1, ..., I_(k-1) of v-bit blocks, 204 * where k=ceiling(s/v)+ceiling(p/v), modify I by setting I_j=(I_j+B+1) mod 205 * 2^v for each j. */ 206 assert(I_len % block_size == 0); 207 for (size_t i = 0; i < I_len; i += block_size) { 208 unsigned carry = 1; 209 for (size_t j = block_size - 1; j < block_size; j--) { 210 carry += I[i + j] + B[j]; 211 I[i + j] = (uint8_t)carry; 212 carry >>= 8; 213 } 214 } 215 } 216 217 ret = 1; 218 219err: 220 OPENSSL_cleanse(I, I_len); 221 OPENSSL_free(I); 222 EVP_MD_CTX_cleanup(&ctx); 223 return ret; 224} 225 226static int pkcs12_pbe_keyivgen(EVP_CIPHER_CTX *ctx, const uint8_t *pass_raw, 227 size_t pass_raw_len, ASN1_TYPE *param, 228 const EVP_CIPHER *cipher, const EVP_MD *md, 229 int is_encrypt) { 230 PBEPARAM *pbe; 231 int salt_len, iterations, ret; 232 uint8_t *salt; 233 const uint8_t *pbuf; 234 uint8_t key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH]; 235 236 /* Extract useful info from parameter */ 237 if (param == NULL || param->type != V_ASN1_SEQUENCE || 238 param->value.sequence == NULL) { 239 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_DECODE_ERROR); 240 return 0; 241 } 242 243 pbuf = param->value.sequence->data; 244 pbe = d2i_PBEPARAM(NULL, &pbuf, param->value.sequence->length); 245 if (pbe == NULL) { 246 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_DECODE_ERROR); 247 return 0; 248 } 249 250 if (!pbe->iter) { 251 iterations = 1; 252 } else { 253 iterations = ASN1_INTEGER_get(pbe->iter); 254 } 255 salt = pbe->salt->data; 256 salt_len = pbe->salt->length; 257 if (!pkcs12_key_gen_raw(pass_raw, pass_raw_len, salt, salt_len, PKCS12_KEY_ID, 258 iterations, EVP_CIPHER_key_length(cipher), key, md)) { 259 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_KEY_GEN_ERROR); 260 PBEPARAM_free(pbe); 261 return 0; 262 } 263 if (!pkcs12_key_gen_raw(pass_raw, pass_raw_len, salt, salt_len, PKCS12_IV_ID, 264 iterations, EVP_CIPHER_iv_length(cipher), iv, md)) { 265 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_KEY_GEN_ERROR); 266 PBEPARAM_free(pbe); 267 return 0; 268 } 269 PBEPARAM_free(pbe); 270 ret = EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, is_encrypt); 271 OPENSSL_cleanse(key, EVP_MAX_KEY_LENGTH); 272 OPENSSL_cleanse(iv, EVP_MAX_IV_LENGTH); 273 return ret; 274} 275 276typedef int (*keygen_func)(EVP_CIPHER_CTX *ctx, const uint8_t *pass_raw, 277 size_t pass_raw_len, ASN1_TYPE *param, 278 const EVP_CIPHER *cipher, const EVP_MD *md, 279 int is_encrypt); 280 281struct pbe_suite { 282 int pbe_nid; 283 const EVP_CIPHER* (*cipher_func)(void); 284 const EVP_MD* (*md_func)(void); 285 keygen_func keygen; 286 int flags; 287}; 288 289#define PBE_UCS2_CONVERT_PASSWORD 0x1 290 291static const struct pbe_suite kBuiltinPBE[] = { 292 { 293 NID_pbe_WithSHA1And40BitRC2_CBC, EVP_rc2_40_cbc, EVP_sha1, 294 pkcs12_pbe_keyivgen, PBE_UCS2_CONVERT_PASSWORD 295 }, 296 { 297 NID_pbe_WithSHA1And128BitRC4, EVP_rc4, EVP_sha1, pkcs12_pbe_keyivgen, 298 PBE_UCS2_CONVERT_PASSWORD 299 }, 300 { 301 NID_pbe_WithSHA1And3_Key_TripleDES_CBC, EVP_des_ede3_cbc, EVP_sha1, 302 pkcs12_pbe_keyivgen, PBE_UCS2_CONVERT_PASSWORD 303 }, 304 { 305 NID_pbes2, NULL, NULL, PKCS5_v2_PBE_keyivgen, 0 306 }, 307}; 308 309static const struct pbe_suite *get_pbe_suite(int pbe_nid) { 310 unsigned i; 311 for (i = 0; i < OPENSSL_ARRAY_SIZE(kBuiltinPBE); i++) { 312 if (kBuiltinPBE[i].pbe_nid == pbe_nid) { 313 return &kBuiltinPBE[i]; 314 } 315 } 316 317 return NULL; 318} 319 320/* pass_to_pass_raw performs a password conversion (possibly a no-op) 321 * appropriate to the supplied |pbe_nid|. The input |pass| is treated as a 322 * NUL-terminated string if |pass_len| is -1, otherwise it is treated as a 323 * buffer of the specified length. If the supplied PBE NID sets the 324 * |PBE_UCS2_CONVERT_PASSWORD| flag, the supplied |pass| will be converted to 325 * UCS-2. 326 * 327 * It sets |*out_pass_raw| to a new buffer that must be freed by the caller. It 328 * returns one on success and zero on error. */ 329static int pass_to_pass_raw(int pbe_nid, const char *pass, int pass_len, 330 uint8_t **out_pass_raw, size_t *out_pass_raw_len) { 331 if (pass == NULL) { 332 *out_pass_raw = NULL; 333 *out_pass_raw_len = 0; 334 return 1; 335 } 336 337 if (pass_len == -1) { 338 pass_len = strlen(pass); 339 } else if (pass_len < 0 || pass_len > 2000000000) { 340 OPENSSL_PUT_ERROR(PKCS8, ERR_R_OVERFLOW); 341 return 0; 342 } 343 344 const struct pbe_suite *suite = get_pbe_suite(pbe_nid); 345 if (suite != NULL && (suite->flags & PBE_UCS2_CONVERT_PASSWORD)) { 346 if (!ascii_to_ucs2(pass, pass_len, out_pass_raw, out_pass_raw_len)) { 347 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_DECODE_ERROR); 348 return 0; 349 } 350 } else { 351 *out_pass_raw = BUF_memdup(pass, pass_len); 352 if (*out_pass_raw == NULL) { 353 OPENSSL_PUT_ERROR(PKCS8, ERR_R_MALLOC_FAILURE); 354 return 0; 355 } 356 *out_pass_raw_len = (size_t)pass_len; 357 } 358 359 return 1; 360} 361 362static int pbe_cipher_init(ASN1_OBJECT *pbe_obj, 363 const uint8_t *pass_raw, size_t pass_raw_len, 364 ASN1_TYPE *param, 365 EVP_CIPHER_CTX *ctx, int is_encrypt) { 366 const EVP_CIPHER *cipher; 367 const EVP_MD *md; 368 369 const struct pbe_suite *suite = get_pbe_suite(OBJ_obj2nid(pbe_obj)); 370 if (suite == NULL) { 371 char obj_str[80]; 372 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_UNKNOWN_ALGORITHM); 373 if (!pbe_obj) { 374 strncpy(obj_str, "NULL", sizeof(obj_str)); 375 } else { 376 i2t_ASN1_OBJECT(obj_str, sizeof(obj_str), pbe_obj); 377 } 378 ERR_add_error_data(2, "TYPE=", obj_str); 379 return 0; 380 } 381 382 if (suite->cipher_func == NULL) { 383 cipher = NULL; 384 } else { 385 cipher = suite->cipher_func(); 386 if (!cipher) { 387 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_UNKNOWN_CIPHER); 388 return 0; 389 } 390 } 391 392 if (suite->md_func == NULL) { 393 md = NULL; 394 } else { 395 md = suite->md_func(); 396 if (!md) { 397 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_UNKNOWN_DIGEST); 398 return 0; 399 } 400 } 401 402 if (!suite->keygen(ctx, pass_raw, pass_raw_len, param, cipher, md, 403 is_encrypt)) { 404 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_KEYGEN_FAILURE); 405 return 0; 406 } 407 408 return 1; 409} 410 411static int pbe_crypt(const X509_ALGOR *algor, 412 const uint8_t *pass_raw, size_t pass_raw_len, 413 const uint8_t *in, size_t in_len, 414 uint8_t **out, size_t *out_len, 415 int is_encrypt) { 416 uint8_t *buf; 417 int n, ret = 0; 418 EVP_CIPHER_CTX ctx; 419 unsigned block_size; 420 421 EVP_CIPHER_CTX_init(&ctx); 422 423 if (!pbe_cipher_init(algor->algorithm, pass_raw, pass_raw_len, 424 algor->parameter, &ctx, is_encrypt)) { 425 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_UNKNOWN_CIPHER_ALGORITHM); 426 return 0; 427 } 428 block_size = EVP_CIPHER_CTX_block_size(&ctx); 429 430 if (in_len + block_size < in_len) { 431 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_TOO_LONG); 432 goto err; 433 } 434 435 buf = OPENSSL_malloc(in_len + block_size); 436 if (buf == NULL) { 437 OPENSSL_PUT_ERROR(PKCS8, ERR_R_MALLOC_FAILURE); 438 goto err; 439 } 440 441 if (!EVP_CipherUpdate(&ctx, buf, &n, in, in_len)) { 442 OPENSSL_free(buf); 443 OPENSSL_PUT_ERROR(PKCS8, ERR_R_EVP_LIB); 444 goto err; 445 } 446 *out_len = n; 447 448 if (!EVP_CipherFinal_ex(&ctx, buf + n, &n)) { 449 OPENSSL_free(buf); 450 OPENSSL_PUT_ERROR(PKCS8, ERR_R_EVP_LIB); 451 goto err; 452 } 453 *out_len += n; 454 *out = buf; 455 ret = 1; 456 457err: 458 EVP_CIPHER_CTX_cleanup(&ctx); 459 return ret; 460} 461 462static void *pkcs12_item_decrypt_d2i(X509_ALGOR *algor, const ASN1_ITEM *it, 463 const uint8_t *pass_raw, 464 size_t pass_raw_len, 465 ASN1_OCTET_STRING *oct) { 466 uint8_t *out; 467 const uint8_t *p; 468 void *ret; 469 size_t out_len; 470 471 if (!pbe_crypt(algor, pass_raw, pass_raw_len, oct->data, oct->length, 472 &out, &out_len, 0 /* decrypt */)) { 473 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_CRYPT_ERROR); 474 return NULL; 475 } 476 p = out; 477 ret = ASN1_item_d2i(NULL, &p, out_len, it); 478 OPENSSL_cleanse(out, out_len); 479 if (!ret) { 480 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_DECODE_ERROR); 481 } 482 OPENSSL_free(out); 483 return ret; 484} 485 486PKCS8_PRIV_KEY_INFO *PKCS8_decrypt(X509_SIG *pkcs8, const char *pass, 487 int pass_len) { 488 uint8_t *pass_raw = NULL; 489 size_t pass_raw_len = 0; 490 if (!pass_to_pass_raw(OBJ_obj2nid(pkcs8->algor->algorithm), pass, pass_len, 491 &pass_raw, &pass_raw_len)) { 492 return NULL; 493 } 494 495 PKCS8_PRIV_KEY_INFO *ret = PKCS8_decrypt_pbe(pkcs8, pass_raw, pass_raw_len); 496 497 if (pass_raw) { 498 OPENSSL_cleanse(pass_raw, pass_raw_len); 499 OPENSSL_free(pass_raw); 500 } 501 return ret; 502} 503 504PKCS8_PRIV_KEY_INFO *PKCS8_decrypt_pbe(X509_SIG *pkcs8, const uint8_t *pass_raw, 505 size_t pass_raw_len) { 506 return pkcs12_item_decrypt_d2i(pkcs8->algor, 507 ASN1_ITEM_rptr(PKCS8_PRIV_KEY_INFO), pass_raw, 508 pass_raw_len, pkcs8->digest); 509} 510 511static ASN1_OCTET_STRING *pkcs12_item_i2d_encrypt(X509_ALGOR *algor, 512 const ASN1_ITEM *it, 513 const uint8_t *pass_raw, 514 size_t pass_raw_len, void *obj) { 515 ASN1_OCTET_STRING *oct; 516 uint8_t *in = NULL; 517 int in_len; 518 size_t crypt_len; 519 520 oct = M_ASN1_OCTET_STRING_new(); 521 if (oct == NULL) { 522 OPENSSL_PUT_ERROR(PKCS8, ERR_R_MALLOC_FAILURE); 523 return NULL; 524 } 525 in_len = ASN1_item_i2d(obj, &in, it); 526 if (!in) { 527 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_ENCODE_ERROR); 528 return NULL; 529 } 530 if (!pbe_crypt(algor, pass_raw, pass_raw_len, in, in_len, &oct->data, &crypt_len, 531 1 /* encrypt */)) { 532 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_ENCRYPT_ERROR); 533 OPENSSL_free(in); 534 return NULL; 535 } 536 oct->length = crypt_len; 537 OPENSSL_cleanse(in, in_len); 538 OPENSSL_free(in); 539 return oct; 540} 541 542X509_SIG *PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher, const char *pass, 543 int pass_len, uint8_t *salt, size_t salt_len, 544 int iterations, PKCS8_PRIV_KEY_INFO *p8inf) { 545 uint8_t *pass_raw = NULL; 546 size_t pass_raw_len = 0; 547 if (!pass_to_pass_raw(pbe_nid, pass, pass_len, &pass_raw, &pass_raw_len)) { 548 return NULL; 549 } 550 551 X509_SIG *ret = PKCS8_encrypt_pbe(pbe_nid, cipher, pass_raw, pass_raw_len, 552 salt, salt_len, iterations, p8inf); 553 554 if (pass_raw) { 555 OPENSSL_cleanse(pass_raw, pass_raw_len); 556 OPENSSL_free(pass_raw); 557 } 558 return ret; 559} 560 561X509_SIG *PKCS8_encrypt_pbe(int pbe_nid, const EVP_CIPHER *cipher, 562 const uint8_t *pass_raw, size_t pass_raw_len, 563 uint8_t *salt, size_t salt_len, 564 int iterations, PKCS8_PRIV_KEY_INFO *p8inf) { 565 X509_SIG *pkcs8 = NULL; 566 X509_ALGOR *pbe; 567 568 pkcs8 = X509_SIG_new(); 569 if (pkcs8 == NULL) { 570 OPENSSL_PUT_ERROR(PKCS8, ERR_R_MALLOC_FAILURE); 571 goto err; 572 } 573 574 if (pbe_nid == -1) { 575 pbe = PKCS5_pbe2_set(cipher, iterations, salt, salt_len); 576 } else { 577 pbe = PKCS5_pbe_set(pbe_nid, iterations, salt, salt_len); 578 } 579 if (!pbe) { 580 OPENSSL_PUT_ERROR(PKCS8, ERR_R_ASN1_LIB); 581 goto err; 582 } 583 584 X509_ALGOR_free(pkcs8->algor); 585 pkcs8->algor = pbe; 586 M_ASN1_OCTET_STRING_free(pkcs8->digest); 587 pkcs8->digest = pkcs12_item_i2d_encrypt( 588 pbe, ASN1_ITEM_rptr(PKCS8_PRIV_KEY_INFO), pass_raw, pass_raw_len, p8inf); 589 if (!pkcs8->digest) { 590 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_ENCRYPT_ERROR); 591 goto err; 592 } 593 594 return pkcs8; 595 596err: 597 X509_SIG_free(pkcs8); 598 return NULL; 599} 600 601EVP_PKEY *EVP_PKCS82PKEY(PKCS8_PRIV_KEY_INFO *p8) { 602 uint8_t *der = NULL; 603 int der_len = i2d_PKCS8_PRIV_KEY_INFO(p8, &der); 604 if (der_len < 0) { 605 return NULL; 606 } 607 608 CBS cbs; 609 CBS_init(&cbs, der, (size_t)der_len); 610 EVP_PKEY *ret = EVP_parse_private_key(&cbs); 611 if (ret == NULL || CBS_len(&cbs) != 0) { 612 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_DECODE_ERROR); 613 EVP_PKEY_free(ret); 614 OPENSSL_free(der); 615 return NULL; 616 } 617 618 OPENSSL_free(der); 619 return ret; 620} 621 622PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8(EVP_PKEY *pkey) { 623 CBB cbb; 624 uint8_t *der = NULL; 625 size_t der_len; 626 if (!CBB_init(&cbb, 0) || 627 !EVP_marshal_private_key(&cbb, pkey) || 628 !CBB_finish(&cbb, &der, &der_len) || 629 der_len > LONG_MAX) { 630 CBB_cleanup(&cbb); 631 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_ENCODE_ERROR); 632 goto err; 633 } 634 635 const uint8_t *p = der; 636 PKCS8_PRIV_KEY_INFO *p8 = d2i_PKCS8_PRIV_KEY_INFO(NULL, &p, (long)der_len); 637 if (p8 == NULL || p != der + der_len) { 638 PKCS8_PRIV_KEY_INFO_free(p8); 639 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_DECODE_ERROR); 640 goto err; 641 } 642 643 OPENSSL_free(der); 644 return p8; 645 646err: 647 OPENSSL_free(der); 648 return NULL; 649} 650 651struct pkcs12_context { 652 EVP_PKEY **out_key; 653 STACK_OF(X509) *out_certs; 654 uint8_t *password; 655 size_t password_len; 656}; 657 658static int PKCS12_handle_content_info(CBS *content_info, unsigned depth, 659 struct pkcs12_context *ctx); 660 661/* PKCS12_handle_content_infos parses a series of PKCS#7 ContentInfos in a 662 * SEQUENCE. */ 663static int PKCS12_handle_content_infos(CBS *content_infos, 664 unsigned depth, 665 struct pkcs12_context *ctx) { 666 uint8_t *der_bytes = NULL; 667 size_t der_len; 668 CBS in; 669 int ret = 0; 670 671 /* Generally we only expect depths 0 (the top level, with a 672 * pkcs7-encryptedData and a pkcs7-data) and depth 1 (the various PKCS#12 673 * bags). */ 674 if (depth > 3) { 675 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_PKCS12_TOO_DEEPLY_NESTED); 676 return 0; 677 } 678 679 /* Although a BER->DER conversion is done at the beginning of |PKCS12_parse|, 680 * the ASN.1 data gets wrapped in OCTETSTRINGs and/or encrypted and the 681 * conversion cannot see through those wrappings. So each time we step 682 * through one we need to convert to DER again. */ 683 if (!CBS_asn1_ber_to_der(content_infos, &der_bytes, &der_len)) { 684 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA); 685 return 0; 686 } 687 688 if (der_bytes != NULL) { 689 CBS_init(&in, der_bytes, der_len); 690 } else { 691 CBS_init(&in, CBS_data(content_infos), CBS_len(content_infos)); 692 } 693 694 if (!CBS_get_asn1(&in, &in, CBS_ASN1_SEQUENCE)) { 695 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA); 696 goto err; 697 } 698 699 while (CBS_len(&in) > 0) { 700 CBS content_info; 701 if (!CBS_get_asn1(&in, &content_info, CBS_ASN1_SEQUENCE)) { 702 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA); 703 goto err; 704 } 705 706 if (!PKCS12_handle_content_info(&content_info, depth + 1, ctx)) { 707 goto err; 708 } 709 } 710 711 /* NSS includes additional data after the SEQUENCE, but it's an (unwrapped) 712 * copy of the same encrypted private key (with the same IV and 713 * ciphertext)! */ 714 715 ret = 1; 716 717err: 718 OPENSSL_free(der_bytes); 719 return ret; 720} 721 722/* PKCS12_handle_content_info parses a single PKCS#7 ContentInfo element in a 723 * PKCS#12 structure. */ 724static int PKCS12_handle_content_info(CBS *content_info, unsigned depth, 725 struct pkcs12_context *ctx) { 726 CBS content_type, wrapped_contents, contents, content_infos; 727 int nid, ret = 0; 728 uint8_t *storage = NULL; 729 730 if (!CBS_get_asn1(content_info, &content_type, CBS_ASN1_OBJECT) || 731 !CBS_get_asn1(content_info, &wrapped_contents, 732 CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0)) { 733 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA); 734 goto err; 735 } 736 737 nid = OBJ_cbs2nid(&content_type); 738 if (nid == NID_pkcs7_encrypted) { 739 /* See https://tools.ietf.org/html/rfc2315#section-13. 740 * 741 * PKCS#7 encrypted data inside a PKCS#12 structure is generally an 742 * encrypted certificate bag and it's generally encrypted with 40-bit 743 * RC2-CBC. */ 744 CBS version_bytes, eci, contents_type, ai, encrypted_contents; 745 X509_ALGOR *algor = NULL; 746 const uint8_t *inp; 747 uint8_t *out; 748 size_t out_len; 749 750 if (!CBS_get_asn1(&wrapped_contents, &contents, CBS_ASN1_SEQUENCE) || 751 !CBS_get_asn1(&contents, &version_bytes, CBS_ASN1_INTEGER) || 752 /* EncryptedContentInfo, see 753 * https://tools.ietf.org/html/rfc2315#section-10.1 */ 754 !CBS_get_asn1(&contents, &eci, CBS_ASN1_SEQUENCE) || 755 !CBS_get_asn1(&eci, &contents_type, CBS_ASN1_OBJECT) || 756 /* AlgorithmIdentifier, see 757 * https://tools.ietf.org/html/rfc5280#section-4.1.1.2 */ 758 !CBS_get_asn1_element(&eci, &ai, CBS_ASN1_SEQUENCE) || 759 !CBS_get_asn1_implicit_string( 760 &eci, &encrypted_contents, &storage, 761 CBS_ASN1_CONTEXT_SPECIFIC | 0, CBS_ASN1_OCTETSTRING)) { 762 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA); 763 goto err; 764 } 765 766 if (OBJ_cbs2nid(&contents_type) != NID_pkcs7_data || 767 CBS_len(&ai) > LONG_MAX) { 768 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA); 769 goto err; 770 } 771 772 inp = CBS_data(&ai); 773 algor = d2i_X509_ALGOR(NULL, &inp, (long)CBS_len(&ai)); 774 if (algor == NULL) { 775 goto err; 776 } 777 if (inp != CBS_data(&ai) + CBS_len(&ai)) { 778 X509_ALGOR_free(algor); 779 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA); 780 goto err; 781 } 782 783 if (!pbe_crypt(algor, ctx->password, ctx->password_len, 784 CBS_data(&encrypted_contents), CBS_len(&encrypted_contents), 785 &out, &out_len, 0 /* decrypt */)) { 786 X509_ALGOR_free(algor); 787 goto err; 788 } 789 X509_ALGOR_free(algor); 790 791 CBS_init(&content_infos, out, out_len); 792 ret = PKCS12_handle_content_infos(&content_infos, depth + 1, ctx); 793 OPENSSL_free(out); 794 } else if (nid == NID_pkcs7_data) { 795 CBS octet_string_contents; 796 797 if (!CBS_get_asn1(&wrapped_contents, &octet_string_contents, 798 CBS_ASN1_OCTETSTRING)) { 799 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA); 800 goto err; 801 } 802 803 ret = PKCS12_handle_content_infos(&octet_string_contents, depth + 1, ctx); 804 } else if (nid == NID_pkcs8ShroudedKeyBag) { 805 /* See ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-12/pkcs-12v1.pdf, section 806 * 4.2.2. */ 807 const uint8_t *inp = CBS_data(&wrapped_contents); 808 PKCS8_PRIV_KEY_INFO *pki = NULL; 809 X509_SIG *encrypted = NULL; 810 811 if (*ctx->out_key) { 812 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_MULTIPLE_PRIVATE_KEYS_IN_PKCS12); 813 goto err; 814 } 815 816 if (CBS_len(&wrapped_contents) > LONG_MAX) { 817 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA); 818 goto err; 819 } 820 821 /* encrypted isn't actually an X.509 signature, but it has the same 822 * structure as one and so |X509_SIG| is reused to store it. */ 823 encrypted = d2i_X509_SIG(NULL, &inp, (long)CBS_len(&wrapped_contents)); 824 if (encrypted == NULL) { 825 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA); 826 goto err; 827 } 828 if (inp != CBS_data(&wrapped_contents) + CBS_len(&wrapped_contents)) { 829 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA); 830 X509_SIG_free(encrypted); 831 goto err; 832 } 833 834 pki = PKCS8_decrypt_pbe(encrypted, ctx->password, ctx->password_len); 835 X509_SIG_free(encrypted); 836 if (pki == NULL) { 837 goto err; 838 } 839 840 *ctx->out_key = EVP_PKCS82PKEY(pki); 841 PKCS8_PRIV_KEY_INFO_free(pki); 842 843 if (ctx->out_key == NULL) { 844 goto err; 845 } 846 ret = 1; 847 } else if (nid == NID_certBag) { 848 CBS cert_bag, cert_type, wrapped_cert, cert; 849 850 if (!CBS_get_asn1(&wrapped_contents, &cert_bag, CBS_ASN1_SEQUENCE) || 851 !CBS_get_asn1(&cert_bag, &cert_type, CBS_ASN1_OBJECT) || 852 !CBS_get_asn1(&cert_bag, &wrapped_cert, 853 CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0) || 854 !CBS_get_asn1(&wrapped_cert, &cert, CBS_ASN1_OCTETSTRING)) { 855 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA); 856 goto err; 857 } 858 859 if (OBJ_cbs2nid(&cert_type) == NID_x509Certificate) { 860 if (CBS_len(&cert) > LONG_MAX) { 861 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA); 862 goto err; 863 } 864 const uint8_t *inp = CBS_data(&cert); 865 X509 *x509 = d2i_X509(NULL, &inp, (long)CBS_len(&cert)); 866 if (!x509) { 867 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA); 868 goto err; 869 } 870 if (inp != CBS_data(&cert) + CBS_len(&cert)) { 871 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA); 872 X509_free(x509); 873 goto err; 874 } 875 876 if (0 == sk_X509_push(ctx->out_certs, x509)) { 877 X509_free(x509); 878 goto err; 879 } 880 } 881 ret = 1; 882 } else { 883 /* Unknown element type - ignore it. */ 884 ret = 1; 885 } 886 887err: 888 OPENSSL_free(storage); 889 return ret; 890} 891 892int PKCS12_get_key_and_certs(EVP_PKEY **out_key, STACK_OF(X509) *out_certs, 893 CBS *ber_in, const char *password) { 894 uint8_t *der_bytes = NULL; 895 size_t der_len; 896 CBS in, pfx, mac_data, authsafe, content_type, wrapped_authsafes, authsafes; 897 uint64_t version; 898 int ret = 0; 899 struct pkcs12_context ctx; 900 const size_t original_out_certs_len = sk_X509_num(out_certs); 901 902 /* The input may be in BER format. */ 903 if (!CBS_asn1_ber_to_der(ber_in, &der_bytes, &der_len)) { 904 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA); 905 return 0; 906 } 907 if (der_bytes != NULL) { 908 CBS_init(&in, der_bytes, der_len); 909 } else { 910 CBS_init(&in, CBS_data(ber_in), CBS_len(ber_in)); 911 } 912 913 *out_key = NULL; 914 memset(&ctx, 0, sizeof(ctx)); 915 916 /* See ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-12/pkcs-12v1.pdf, section 917 * four. */ 918 if (!CBS_get_asn1(&in, &pfx, CBS_ASN1_SEQUENCE) || 919 CBS_len(&in) != 0 || 920 !CBS_get_asn1_uint64(&pfx, &version)) { 921 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA); 922 goto err; 923 } 924 925 if (version < 3) { 926 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_VERSION); 927 goto err; 928 } 929 930 if (!CBS_get_asn1(&pfx, &authsafe, CBS_ASN1_SEQUENCE)) { 931 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA); 932 goto err; 933 } 934 935 if (CBS_len(&pfx) == 0) { 936 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_MISSING_MAC); 937 goto err; 938 } 939 940 if (!CBS_get_asn1(&pfx, &mac_data, CBS_ASN1_SEQUENCE)) { 941 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA); 942 goto err; 943 } 944 945 /* authsafe is a PKCS#7 ContentInfo. See 946 * https://tools.ietf.org/html/rfc2315#section-7. */ 947 if (!CBS_get_asn1(&authsafe, &content_type, CBS_ASN1_OBJECT) || 948 !CBS_get_asn1(&authsafe, &wrapped_authsafes, 949 CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0)) { 950 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA); 951 goto err; 952 } 953 954 /* The content type can either be |NID_pkcs7_data| or |NID_pkcs7_signed|. The 955 * latter indicates that it's signed by a public key, which isn't 956 * supported. */ 957 if (OBJ_cbs2nid(&content_type) != NID_pkcs7_data) { 958 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_PKCS12_PUBLIC_KEY_INTEGRITY_NOT_SUPPORTED); 959 goto err; 960 } 961 962 if (!CBS_get_asn1(&wrapped_authsafes, &authsafes, CBS_ASN1_OCTETSTRING)) { 963 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA); 964 goto err; 965 } 966 967 ctx.out_key = out_key; 968 ctx.out_certs = out_certs; 969 if (!ascii_to_ucs2(password, password ? strlen(password) : 0, &ctx.password, 970 &ctx.password_len)) { 971 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_DECODE_ERROR); 972 goto err; 973 } 974 975 /* Verify the MAC. */ 976 { 977 CBS mac, hash_type_seq, hash_oid, salt, expected_mac; 978 uint64_t iterations; 979 int hash_nid; 980 const EVP_MD *md; 981 uint8_t hmac_key[EVP_MAX_MD_SIZE]; 982 uint8_t hmac[EVP_MAX_MD_SIZE]; 983 unsigned hmac_len; 984 985 if (!CBS_get_asn1(&mac_data, &mac, CBS_ASN1_SEQUENCE) || 986 !CBS_get_asn1(&mac, &hash_type_seq, CBS_ASN1_SEQUENCE) || 987 !CBS_get_asn1(&hash_type_seq, &hash_oid, CBS_ASN1_OBJECT) || 988 !CBS_get_asn1(&mac, &expected_mac, CBS_ASN1_OCTETSTRING) || 989 !CBS_get_asn1(&mac_data, &salt, CBS_ASN1_OCTETSTRING)) { 990 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA); 991 goto err; 992 } 993 994 /* The iteration count is optional and the default is one. */ 995 iterations = 1; 996 if (CBS_len(&mac_data) > 0) { 997 if (!CBS_get_asn1_uint64(&mac_data, &iterations) || 998 iterations > INT_MAX) { 999 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA); 1000 goto err; 1001 } 1002 } 1003 1004 hash_nid = OBJ_cbs2nid(&hash_oid); 1005 if (hash_nid == NID_undef || 1006 (md = EVP_get_digestbynid(hash_nid)) == NULL) { 1007 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_UNKNOWN_HASH); 1008 goto err; 1009 } 1010 1011 if (!pkcs12_key_gen_raw(ctx.password, ctx.password_len, CBS_data(&salt), 1012 CBS_len(&salt), PKCS12_MAC_ID, iterations, 1013 EVP_MD_size(md), hmac_key, md)) { 1014 goto err; 1015 } 1016 1017 if (NULL == HMAC(md, hmac_key, EVP_MD_size(md), CBS_data(&authsafes), 1018 CBS_len(&authsafes), hmac, &hmac_len)) { 1019 goto err; 1020 } 1021 1022 if (!CBS_mem_equal(&expected_mac, hmac, hmac_len)) { 1023 OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_INCORRECT_PASSWORD); 1024 goto err; 1025 } 1026 } 1027 1028 /* authsafes contains a series of PKCS#7 ContentInfos. */ 1029 if (!PKCS12_handle_content_infos(&authsafes, 0, &ctx)) { 1030 goto err; 1031 } 1032 1033 ret = 1; 1034 1035err: 1036 OPENSSL_free(ctx.password); 1037 OPENSSL_free(der_bytes); 1038 if (!ret) { 1039 EVP_PKEY_free(*out_key); 1040 *out_key = NULL; 1041 while (sk_X509_num(out_certs) > original_out_certs_len) { 1042 X509 *x509 = sk_X509_pop(out_certs); 1043 X509_free(x509); 1044 } 1045 } 1046 1047 return ret; 1048} 1049 1050void PKCS12_PBE_add(void) {} 1051 1052struct pkcs12_st { 1053 uint8_t *ber_bytes; 1054 size_t ber_len; 1055}; 1056 1057PKCS12* d2i_PKCS12(PKCS12 **out_p12, const uint8_t **ber_bytes, size_t ber_len) { 1058 PKCS12 *p12; 1059 1060 p12 = OPENSSL_malloc(sizeof(PKCS12)); 1061 if (!p12) { 1062 return NULL; 1063 } 1064 1065 p12->ber_bytes = OPENSSL_malloc(ber_len); 1066 if (!p12->ber_bytes) { 1067 OPENSSL_free(p12); 1068 return NULL; 1069 } 1070 1071 memcpy(p12->ber_bytes, *ber_bytes, ber_len); 1072 p12->ber_len = ber_len; 1073 *ber_bytes += ber_len; 1074 1075 if (out_p12) { 1076 PKCS12_free(*out_p12); 1077 1078 *out_p12 = p12; 1079 } 1080 1081 return p12; 1082} 1083 1084PKCS12* d2i_PKCS12_bio(BIO *bio, PKCS12 **out_p12) { 1085 size_t used = 0; 1086 BUF_MEM *buf; 1087 const uint8_t *dummy; 1088 static const size_t kMaxSize = 256 * 1024; 1089 PKCS12 *ret = NULL; 1090 1091 buf = BUF_MEM_new(); 1092 if (buf == NULL) { 1093 return NULL; 1094 } 1095 if (BUF_MEM_grow(buf, 8192) == 0) { 1096 goto out; 1097 } 1098 1099 for (;;) { 1100 int n = BIO_read(bio, &buf->data[used], buf->length - used); 1101 if (n < 0) { 1102 if (used == 0) { 1103 goto out; 1104 } 1105 /* Workaround a bug in node.js. It uses a memory BIO for this in the wrong 1106 * mode. */ 1107 n = 0; 1108 } 1109 1110 if (n == 0) { 1111 break; 1112 } 1113 used += n; 1114 1115 if (used < buf->length) { 1116 continue; 1117 } 1118 1119 if (buf->length > kMaxSize || 1120 BUF_MEM_grow(buf, buf->length * 2) == 0) { 1121 goto out; 1122 } 1123 } 1124 1125 dummy = (uint8_t*) buf->data; 1126 ret = d2i_PKCS12(out_p12, &dummy, used); 1127 1128out: 1129 BUF_MEM_free(buf); 1130 return ret; 1131} 1132 1133PKCS12* d2i_PKCS12_fp(FILE *fp, PKCS12 **out_p12) { 1134 BIO *bio; 1135 PKCS12 *ret; 1136 1137 bio = BIO_new_fp(fp, 0 /* don't take ownership */); 1138 if (!bio) { 1139 return NULL; 1140 } 1141 1142 ret = d2i_PKCS12_bio(bio, out_p12); 1143 BIO_free(bio); 1144 return ret; 1145} 1146 1147int PKCS12_parse(const PKCS12 *p12, const char *password, EVP_PKEY **out_pkey, 1148 X509 **out_cert, STACK_OF(X509) **out_ca_certs) { 1149 CBS ber_bytes; 1150 STACK_OF(X509) *ca_certs = NULL; 1151 char ca_certs_alloced = 0; 1152 1153 if (out_ca_certs != NULL && *out_ca_certs != NULL) { 1154 ca_certs = *out_ca_certs; 1155 } 1156 1157 if (!ca_certs) { 1158 ca_certs = sk_X509_new_null(); 1159 if (ca_certs == NULL) { 1160 OPENSSL_PUT_ERROR(PKCS8, ERR_R_MALLOC_FAILURE); 1161 return 0; 1162 } 1163 ca_certs_alloced = 1; 1164 } 1165 1166 CBS_init(&ber_bytes, p12->ber_bytes, p12->ber_len); 1167 if (!PKCS12_get_key_and_certs(out_pkey, ca_certs, &ber_bytes, password)) { 1168 if (ca_certs_alloced) { 1169 sk_X509_free(ca_certs); 1170 } 1171 return 0; 1172 } 1173 1174 *out_cert = NULL; 1175 if (sk_X509_num(ca_certs) > 0) { 1176 *out_cert = sk_X509_shift(ca_certs); 1177 } 1178 1179 if (out_ca_certs) { 1180 *out_ca_certs = ca_certs; 1181 } else { 1182 sk_X509_pop_free(ca_certs, X509_free); 1183 } 1184 1185 return 1; 1186} 1187 1188int PKCS12_verify_mac(const PKCS12 *p12, const char *password, 1189 int password_len) { 1190 if (password == NULL) { 1191 if (password_len != 0) { 1192 return 0; 1193 } 1194 } else if (password_len != -1 && 1195 (password[password_len] != 0 || 1196 memchr(password, 0, password_len) != NULL)) { 1197 return 0; 1198 } 1199 1200 EVP_PKEY *pkey = NULL; 1201 X509 *cert = NULL; 1202 if (!PKCS12_parse(p12, password, &pkey, &cert, NULL)) { 1203 ERR_clear_error(); 1204 return 0; 1205 } 1206 1207 EVP_PKEY_free(pkey); 1208 X509_free(cert); 1209 1210 return 1; 1211} 1212 1213void PKCS12_free(PKCS12 *p12) { 1214 if (p12 == NULL) { 1215 return; 1216 } 1217 OPENSSL_free(p12->ber_bytes); 1218 OPENSSL_free(p12); 1219} 1220