1 /* Written by Dr Stephen N Henson (steve (at) openssl.org) for the OpenSSL 2 * project 1999. 3 */ 4 /* ==================================================================== 5 * Copyright (c) 1999 The OpenSSL Project. All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 11 * 1. Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in 16 * the documentation and/or other materials provided with the 17 * distribution. 18 * 19 * 3. All advertising materials mentioning features or use of this 20 * software must display the following acknowledgment: 21 * "This product includes software developed by the OpenSSL Project 22 * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" 23 * 24 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 25 * endorse or promote products derived from this software without 26 * prior written permission. For written permission, please contact 27 * licensing (at) OpenSSL.org. 28 * 29 * 5. Products derived from this software may not be called "OpenSSL" 30 * nor may "OpenSSL" appear in their names without prior written 31 * permission of the OpenSSL Project. 32 * 33 * 6. Redistributions of any form whatsoever must retain the following 34 * acknowledgment: 35 * "This product includes software developed by the OpenSSL Project 36 * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" 37 * 38 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 39 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 40 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 41 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 42 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 43 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 44 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 45 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 46 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 47 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 48 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 49 * OF THE POSSIBILITY OF SUCH DAMAGE. 50 * ==================================================================== 51 * 52 * This product includes cryptographic software written by Eric Young 53 * (eay (at) cryptsoft.com). This product includes software written by Tim 54 * Hudson (tjh (at) cryptsoft.com). */ 55 56 #include <openssl/pkcs8.h> 57 58 #include <assert.h> 59 #include <limits.h> 60 #include <string.h> 61 62 #include <openssl/asn1.h> 63 #include <openssl/bn.h> 64 #include <openssl/buf.h> 65 #include <openssl/cipher.h> 66 #include <openssl/digest.h> 67 #include <openssl/err.h> 68 #include <openssl/hmac.h> 69 #include <openssl/mem.h> 70 #include <openssl/x509.h> 71 72 #include "../bytestring/internal.h" 73 #include "../evp/internal.h" 74 75 76 #define PKCS12_KEY_ID 1 77 #define PKCS12_IV_ID 2 78 #define PKCS12_MAC_ID 3 79 80 static int ascii_to_ucs2(const char *ascii, size_t ascii_len, 81 uint8_t **out, size_t *out_len) { 82 uint8_t *unitmp; 83 size_t ulen, i; 84 85 ulen = ascii_len * 2 + 2; 86 if (ulen < ascii_len) { 87 return 0; 88 } 89 unitmp = OPENSSL_malloc(ulen); 90 if (unitmp == NULL) { 91 return 0; 92 } 93 for (i = 0; i < ulen - 2; i += 2) { 94 unitmp[i] = 0; 95 unitmp[i + 1] = ascii[i >> 1]; 96 } 97 98 /* Make result double null terminated */ 99 unitmp[ulen - 2] = 0; 100 unitmp[ulen - 1] = 0; 101 *out_len = ulen; 102 *out = unitmp; 103 return 1; 104 } 105 106 static int pkcs12_key_gen_raw(const uint8_t *pass_raw, size_t pass_raw_len, 107 const uint8_t *salt, size_t salt_len, 108 int id, int iterations, 109 size_t out_len, uint8_t *out, 110 const EVP_MD *md_type) { 111 uint8_t *B, *D, *I, *p, *Ai; 112 int Slen, Plen, Ilen, Ijlen; 113 int i, j, v; 114 size_t u; 115 int ret = 0; 116 BIGNUM *Ij, *Bpl1; /* These hold Ij and B + 1 */ 117 EVP_MD_CTX ctx; 118 119 EVP_MD_CTX_init(&ctx); 120 v = EVP_MD_block_size(md_type); 121 u = EVP_MD_size(md_type); 122 D = OPENSSL_malloc(v); 123 Ai = OPENSSL_malloc(u); 124 B = OPENSSL_malloc(v + 1); 125 Slen = v * ((salt_len + v - 1) / v); 126 if (pass_raw_len) { 127 Plen = v * ((pass_raw_len + v - 1) / v); 128 } else { 129 Plen = 0; 130 } 131 Ilen = Slen + Plen; 132 I = OPENSSL_malloc(Ilen); 133 Ij = BN_new(); 134 Bpl1 = BN_new(); 135 if (!D || !Ai || !B || !I || !Ij || !Bpl1) { 136 goto err; 137 } 138 for (i = 0; i < v; i++) { 139 D[i] = id; 140 } 141 p = I; 142 for (i = 0; i < Slen; i++) { 143 *p++ = salt[i % salt_len]; 144 } 145 for (i = 0; i < Plen; i++) { 146 *p++ = pass_raw[i % pass_raw_len]; 147 } 148 for (;;) { 149 if (!EVP_DigestInit_ex(&ctx, md_type, NULL) || 150 !EVP_DigestUpdate(&ctx, D, v) || 151 !EVP_DigestUpdate(&ctx, I, Ilen) || 152 !EVP_DigestFinal_ex(&ctx, Ai, NULL)) { 153 goto err; 154 } 155 for (j = 1; j < iterations; j++) { 156 if (!EVP_DigestInit_ex(&ctx, md_type, NULL) || 157 !EVP_DigestUpdate(&ctx, Ai, u) || 158 !EVP_DigestFinal_ex(&ctx, Ai, NULL)) { 159 goto err; 160 } 161 } 162 memcpy(out, Ai, out_len < u ? out_len : u); 163 if (u >= out_len) { 164 ret = 1; 165 goto end; 166 } 167 out_len -= u; 168 out += u; 169 for (j = 0; j < v; j++) { 170 B[j] = Ai[j % u]; 171 } 172 /* Work out B + 1 first then can use B as tmp space */ 173 if (!BN_bin2bn(B, v, Bpl1) || 174 !BN_add_word(Bpl1, 1)) { 175 goto err; 176 } 177 for (j = 0; j < Ilen; j += v) { 178 if (!BN_bin2bn(I + j, v, Ij) || 179 !BN_add(Ij, Ij, Bpl1) || 180 !BN_bn2bin(Ij, B)) { 181 goto err; 182 } 183 Ijlen = BN_num_bytes(Ij); 184 /* If more than 2^(v*8) - 1 cut off MSB */ 185 if (Ijlen > v) { 186 if (!BN_bn2bin(Ij, B)) { 187 goto err; 188 } 189 memcpy(I + j, B + 1, v); 190 /* If less than v bytes pad with zeroes */ 191 } else if (Ijlen < v) { 192 memset(I + j, 0, v - Ijlen); 193 if (!BN_bn2bin(Ij, I + j + v - Ijlen)) { 194 goto err; 195 } 196 } else if (!BN_bn2bin(Ij, I + j)) { 197 goto err; 198 } 199 } 200 } 201 202 err: 203 OPENSSL_PUT_ERROR(PKCS8, pkcs12_key_gen_raw, ERR_R_MALLOC_FAILURE); 204 205 end: 206 OPENSSL_free(Ai); 207 OPENSSL_free(B); 208 OPENSSL_free(D); 209 OPENSSL_free(I); 210 BN_free(Ij); 211 BN_free(Bpl1); 212 EVP_MD_CTX_cleanup(&ctx); 213 214 return ret; 215 } 216 217 static int pkcs12_pbe_keyivgen(EVP_CIPHER_CTX *ctx, const uint8_t *pass_raw, 218 size_t pass_raw_len, ASN1_TYPE *param, 219 const EVP_CIPHER *cipher, const EVP_MD *md, 220 int is_encrypt) { 221 PBEPARAM *pbe; 222 int salt_len, iterations, ret; 223 uint8_t *salt; 224 const uint8_t *pbuf; 225 uint8_t key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH]; 226 227 /* Extract useful info from parameter */ 228 if (param == NULL || param->type != V_ASN1_SEQUENCE || 229 param->value.sequence == NULL) { 230 OPENSSL_PUT_ERROR(PKCS8, pkcs12_pbe_keyivgen, PKCS8_R_DECODE_ERROR); 231 return 0; 232 } 233 234 pbuf = param->value.sequence->data; 235 pbe = d2i_PBEPARAM(NULL, &pbuf, param->value.sequence->length); 236 if (pbe == NULL) { 237 OPENSSL_PUT_ERROR(PKCS8, pkcs12_pbe_keyivgen, PKCS8_R_DECODE_ERROR); 238 return 0; 239 } 240 241 if (!pbe->iter) { 242 iterations = 1; 243 } else { 244 iterations = ASN1_INTEGER_get(pbe->iter); 245 } 246 salt = pbe->salt->data; 247 salt_len = pbe->salt->length; 248 if (!pkcs12_key_gen_raw(pass_raw, pass_raw_len, salt, salt_len, PKCS12_KEY_ID, 249 iterations, EVP_CIPHER_key_length(cipher), key, md)) { 250 OPENSSL_PUT_ERROR(PKCS8, pkcs12_pbe_keyivgen, PKCS8_R_KEY_GEN_ERROR); 251 PBEPARAM_free(pbe); 252 return 0; 253 } 254 if (!pkcs12_key_gen_raw(pass_raw, pass_raw_len, salt, salt_len, PKCS12_IV_ID, 255 iterations, EVP_CIPHER_iv_length(cipher), iv, md)) { 256 OPENSSL_PUT_ERROR(PKCS8, pkcs12_pbe_keyivgen, PKCS8_R_KEY_GEN_ERROR); 257 PBEPARAM_free(pbe); 258 return 0; 259 } 260 PBEPARAM_free(pbe); 261 ret = EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, is_encrypt); 262 OPENSSL_cleanse(key, EVP_MAX_KEY_LENGTH); 263 OPENSSL_cleanse(iv, EVP_MAX_IV_LENGTH); 264 return ret; 265 } 266 267 typedef int (*keygen_func)(EVP_CIPHER_CTX *ctx, const uint8_t *pass_raw, 268 size_t pass_raw_len, ASN1_TYPE *param, 269 const EVP_CIPHER *cipher, const EVP_MD *md, 270 int is_encrypt); 271 272 struct pbe_suite { 273 int pbe_nid; 274 const EVP_CIPHER* (*cipher_func)(void); 275 const EVP_MD* (*md_func)(void); 276 keygen_func keygen; 277 }; 278 279 static const struct pbe_suite kBuiltinPBE[] = { 280 { 281 NID_pbe_WithSHA1And40BitRC2_CBC, EVP_rc2_40_cbc, EVP_sha1, pkcs12_pbe_keyivgen, 282 }, 283 { 284 NID_pbe_WithSHA1And128BitRC4, EVP_rc4, EVP_sha1, pkcs12_pbe_keyivgen, 285 }, 286 { 287 NID_pbe_WithSHA1And3_Key_TripleDES_CBC, EVP_des_ede3_cbc, EVP_sha1, 288 pkcs12_pbe_keyivgen, 289 }, 290 }; 291 292 static int pbe_cipher_init(ASN1_OBJECT *pbe_obj, 293 const uint8_t *pass_raw, size_t pass_raw_len, 294 ASN1_TYPE *param, 295 EVP_CIPHER_CTX *ctx, int is_encrypt) { 296 const EVP_CIPHER *cipher; 297 const EVP_MD *md; 298 unsigned i; 299 300 const struct pbe_suite *suite = NULL; 301 const int pbe_nid = OBJ_obj2nid(pbe_obj); 302 303 for (i = 0; i < sizeof(kBuiltinPBE) / sizeof(struct pbe_suite); i++) { 304 if (kBuiltinPBE[i].pbe_nid == pbe_nid) { 305 suite = &kBuiltinPBE[i]; 306 break; 307 } 308 } 309 310 if (suite == NULL) { 311 char obj_str[80]; 312 OPENSSL_PUT_ERROR(PKCS8, pbe_cipher_init, PKCS8_R_UNKNOWN_ALGORITHM); 313 if (!pbe_obj) { 314 strncpy(obj_str, "NULL", sizeof(obj_str)); 315 } else { 316 i2t_ASN1_OBJECT(obj_str, sizeof(obj_str), pbe_obj); 317 } 318 ERR_add_error_data(2, "TYPE=", obj_str); 319 return 0; 320 } 321 322 if (suite->cipher_func == NULL) { 323 cipher = NULL; 324 } else { 325 cipher = suite->cipher_func(); 326 if (!cipher) { 327 OPENSSL_PUT_ERROR(PKCS8, pbe_cipher_init, PKCS8_R_UNKNOWN_CIPHER); 328 return 0; 329 } 330 } 331 332 if (suite->md_func == NULL) { 333 md = NULL; 334 } else { 335 md = suite->md_func(); 336 if (!md) { 337 OPENSSL_PUT_ERROR(PKCS8, pbe_cipher_init, PKCS8_R_UNKNOWN_DIGEST); 338 return 0; 339 } 340 } 341 342 if (!suite->keygen(ctx, pass_raw, pass_raw_len, param, cipher, md, 343 is_encrypt)) { 344 OPENSSL_PUT_ERROR(PKCS8, pbe_cipher_init, PKCS8_R_KEYGEN_FAILURE); 345 return 0; 346 } 347 348 return 1; 349 } 350 351 static int pbe_crypt(const X509_ALGOR *algor, 352 const uint8_t *pass_raw, size_t pass_raw_len, 353 const uint8_t *in, size_t in_len, 354 uint8_t **out, size_t *out_len, 355 int is_encrypt) { 356 uint8_t *buf; 357 int n, ret = 0; 358 EVP_CIPHER_CTX ctx; 359 unsigned block_size; 360 361 EVP_CIPHER_CTX_init(&ctx); 362 363 if (!pbe_cipher_init(algor->algorithm, pass_raw, pass_raw_len, 364 algor->parameter, &ctx, is_encrypt)) { 365 OPENSSL_PUT_ERROR(PKCS8, pbe_crypt, PKCS8_R_UNKNOWN_CIPHER_ALGORITHM); 366 return 0; 367 } 368 block_size = EVP_CIPHER_CTX_block_size(&ctx); 369 370 if (in_len + block_size < in_len) { 371 OPENSSL_PUT_ERROR(PKCS8, pbe_crypt, PKCS8_R_TOO_LONG); 372 goto err; 373 } 374 375 buf = OPENSSL_malloc(in_len + block_size); 376 if (buf == NULL) { 377 OPENSSL_PUT_ERROR(PKCS8, pbe_crypt, ERR_R_MALLOC_FAILURE); 378 goto err; 379 } 380 381 if (!EVP_CipherUpdate(&ctx, buf, &n, in, in_len)) { 382 OPENSSL_free(buf); 383 OPENSSL_PUT_ERROR(PKCS8, pbe_crypt, ERR_R_EVP_LIB); 384 goto err; 385 } 386 *out_len = n; 387 388 if (!EVP_CipherFinal_ex(&ctx, buf + n, &n)) { 389 OPENSSL_free(buf); 390 OPENSSL_PUT_ERROR(PKCS8, pbe_crypt, ERR_R_EVP_LIB); 391 goto err; 392 } 393 *out_len += n; 394 *out = buf; 395 ret = 1; 396 397 err: 398 EVP_CIPHER_CTX_cleanup(&ctx); 399 return ret; 400 } 401 402 static void *pkcs12_item_decrypt_d2i(X509_ALGOR *algor, const ASN1_ITEM *it, 403 const uint8_t *pass_raw, 404 size_t pass_raw_len, 405 ASN1_OCTET_STRING *oct) { 406 uint8_t *out; 407 const uint8_t *p; 408 void *ret; 409 size_t out_len; 410 411 if (!pbe_crypt(algor, pass_raw, pass_raw_len, oct->data, oct->length, 412 &out, &out_len, 0 /* decrypt */)) { 413 OPENSSL_PUT_ERROR(PKCS8, pkcs12_item_decrypt_d2i, PKCS8_R_CRYPT_ERROR); 414 return NULL; 415 } 416 p = out; 417 ret = ASN1_item_d2i(NULL, &p, out_len, it); 418 OPENSSL_cleanse(out, out_len); 419 if (!ret) { 420 OPENSSL_PUT_ERROR(PKCS8, pkcs12_item_decrypt_d2i, PKCS8_R_DECODE_ERROR); 421 } 422 OPENSSL_free(out); 423 return ret; 424 } 425 426 PKCS8_PRIV_KEY_INFO *PKCS8_decrypt(X509_SIG *pkcs8, const char *pass, 427 int pass_len) { 428 uint8_t *pass_raw = NULL; 429 size_t pass_raw_len = 0; 430 PKCS8_PRIV_KEY_INFO *ret; 431 432 if (pass) { 433 if (pass_len == -1) { 434 pass_len = strlen(pass); 435 } 436 if (!ascii_to_ucs2(pass, pass_len, &pass_raw, &pass_raw_len)) { 437 OPENSSL_PUT_ERROR(PKCS8, PKCS8_decrypt, PKCS8_R_DECODE_ERROR); 438 return NULL; 439 } 440 } 441 442 ret = PKCS8_decrypt_pbe(pkcs8, pass_raw, pass_raw_len); 443 444 if (pass_raw) { 445 OPENSSL_cleanse(pass_raw, pass_raw_len); 446 OPENSSL_free(pass_raw); 447 } 448 return ret; 449 } 450 451 PKCS8_PRIV_KEY_INFO *PKCS8_decrypt_pbe(X509_SIG *pkcs8, const uint8_t *pass_raw, 452 size_t pass_raw_len) { 453 return pkcs12_item_decrypt_d2i(pkcs8->algor, 454 ASN1_ITEM_rptr(PKCS8_PRIV_KEY_INFO), pass_raw, 455 pass_raw_len, pkcs8->digest); 456 } 457 458 static ASN1_OCTET_STRING *pkcs12_item_i2d_encrypt(X509_ALGOR *algor, 459 const ASN1_ITEM *it, 460 const uint8_t *pass_raw, 461 size_t pass_raw_len, void *obj) { 462 ASN1_OCTET_STRING *oct; 463 uint8_t *in = NULL; 464 int in_len; 465 size_t crypt_len; 466 467 oct = M_ASN1_OCTET_STRING_new(); 468 if (oct == NULL) { 469 OPENSSL_PUT_ERROR(PKCS8, pkcs12_item_i2d_encrypt, ERR_R_MALLOC_FAILURE); 470 return NULL; 471 } 472 in_len = ASN1_item_i2d(obj, &in, it); 473 if (!in) { 474 OPENSSL_PUT_ERROR(PKCS8, pkcs12_item_i2d_encrypt, PKCS8_R_ENCODE_ERROR); 475 return NULL; 476 } 477 if (!pbe_crypt(algor, pass_raw, pass_raw_len, in, in_len, &oct->data, &crypt_len, 478 1 /* encrypt */)) { 479 OPENSSL_PUT_ERROR(PKCS8, pkcs12_item_i2d_encrypt, PKCS8_R_ENCRYPT_ERROR); 480 OPENSSL_free(in); 481 return NULL; 482 } 483 oct->length = crypt_len; 484 OPENSSL_cleanse(in, in_len); 485 OPENSSL_free(in); 486 return oct; 487 } 488 489 X509_SIG *PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher, const char *pass, 490 int pass_len, uint8_t *salt, size_t salt_len, 491 int iterations, PKCS8_PRIV_KEY_INFO *p8inf) { 492 uint8_t *pass_raw = NULL; 493 size_t pass_raw_len = 0; 494 X509_SIG *ret; 495 496 if (pass) { 497 if (pass_len == -1) { 498 pass_len = strlen(pass); 499 } 500 if (!ascii_to_ucs2(pass, pass_len, &pass_raw, &pass_raw_len)) { 501 OPENSSL_PUT_ERROR(PKCS8, PKCS8_encrypt, PKCS8_R_DECODE_ERROR); 502 return NULL; 503 } 504 } 505 506 ret = PKCS8_encrypt_pbe(pbe_nid, pass_raw, pass_raw_len, 507 salt, salt_len, iterations, p8inf); 508 509 if (pass_raw) { 510 OPENSSL_cleanse(pass_raw, pass_raw_len); 511 OPENSSL_free(pass_raw); 512 } 513 return ret; 514 } 515 516 X509_SIG *PKCS8_encrypt_pbe(int pbe_nid, 517 const uint8_t *pass_raw, size_t pass_raw_len, 518 uint8_t *salt, size_t salt_len, 519 int iterations, PKCS8_PRIV_KEY_INFO *p8inf) { 520 X509_SIG *pkcs8 = NULL; 521 X509_ALGOR *pbe; 522 523 pkcs8 = X509_SIG_new(); 524 if (pkcs8 == NULL) { 525 OPENSSL_PUT_ERROR(PKCS8, PKCS8_encrypt_pbe, ERR_R_MALLOC_FAILURE); 526 goto err; 527 } 528 529 pbe = PKCS5_pbe_set(pbe_nid, iterations, salt, salt_len); 530 if (!pbe) { 531 OPENSSL_PUT_ERROR(PKCS8, PKCS8_encrypt_pbe, ERR_R_ASN1_LIB); 532 goto err; 533 } 534 535 X509_ALGOR_free(pkcs8->algor); 536 pkcs8->algor = pbe; 537 M_ASN1_OCTET_STRING_free(pkcs8->digest); 538 pkcs8->digest = pkcs12_item_i2d_encrypt( 539 pbe, ASN1_ITEM_rptr(PKCS8_PRIV_KEY_INFO), pass_raw, pass_raw_len, p8inf); 540 if (!pkcs8->digest) { 541 OPENSSL_PUT_ERROR(PKCS8, PKCS8_encrypt_pbe, PKCS8_R_ENCRYPT_ERROR); 542 goto err; 543 } 544 545 return pkcs8; 546 547 err: 548 X509_SIG_free(pkcs8); 549 return NULL; 550 } 551 552 EVP_PKEY *EVP_PKCS82PKEY(PKCS8_PRIV_KEY_INFO *p8) { 553 EVP_PKEY *pkey = NULL; 554 ASN1_OBJECT *algoid; 555 char obj_tmp[80]; 556 557 if (!PKCS8_pkey_get0(&algoid, NULL, NULL, NULL, p8)) { 558 return NULL; 559 } 560 561 pkey = EVP_PKEY_new(); 562 if (pkey == NULL) { 563 OPENSSL_PUT_ERROR(PKCS8, EVP_PKCS82PKEY, ERR_R_MALLOC_FAILURE); 564 return NULL; 565 } 566 567 if (!EVP_PKEY_set_type(pkey, OBJ_obj2nid(algoid))) { 568 OPENSSL_PUT_ERROR(PKCS8, EVP_PKCS82PKEY, 569 PKCS8_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM); 570 i2t_ASN1_OBJECT(obj_tmp, 80, algoid); 571 ERR_add_error_data(2, "TYPE=", obj_tmp); 572 goto error; 573 } 574 575 if (pkey->ameth->priv_decode) { 576 if (!pkey->ameth->priv_decode(pkey, p8)) { 577 OPENSSL_PUT_ERROR(PKCS8, EVP_PKCS82PKEY, PKCS8_R_PRIVATE_KEY_DECODE_ERROR); 578 goto error; 579 } 580 } else { 581 OPENSSL_PUT_ERROR(PKCS8, EVP_PKCS82PKEY, PKCS8_R_METHOD_NOT_SUPPORTED); 582 goto error; 583 } 584 585 return pkey; 586 587 error: 588 EVP_PKEY_free(pkey); 589 return NULL; 590 } 591 592 PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8(EVP_PKEY *pkey) { 593 PKCS8_PRIV_KEY_INFO *p8; 594 595 p8 = PKCS8_PRIV_KEY_INFO_new(); 596 if (p8 == NULL) { 597 OPENSSL_PUT_ERROR(PKCS8, EVP_PKEY2PKCS8, ERR_R_MALLOC_FAILURE); 598 return NULL; 599 } 600 p8->broken = PKCS8_OK; 601 602 if (pkey->ameth) { 603 if (pkey->ameth->priv_encode) { 604 if (!pkey->ameth->priv_encode(p8, pkey)) { 605 OPENSSL_PUT_ERROR(PKCS8, EVP_PKEY2PKCS8, 606 PKCS8_R_PRIVATE_KEY_ENCODE_ERROR); 607 goto error; 608 } 609 } else { 610 OPENSSL_PUT_ERROR(PKCS8, EVP_PKEY2PKCS8, PKCS8_R_METHOD_NOT_SUPPORTED); 611 goto error; 612 } 613 } else { 614 OPENSSL_PUT_ERROR(PKCS8, EVP_PKEY2PKCS8, 615 PKCS8_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM); 616 goto error; 617 } 618 return p8; 619 620 error: 621 PKCS8_PRIV_KEY_INFO_free(p8); 622 return NULL; 623 } 624 625 struct pkcs12_context { 626 EVP_PKEY **out_key; 627 STACK_OF(X509) *out_certs; 628 uint8_t *password; 629 size_t password_len; 630 }; 631 632 static int PKCS12_handle_content_info(CBS *content_info, unsigned depth, 633 struct pkcs12_context *ctx); 634 635 /* PKCS12_handle_content_infos parses a series of PKCS#7 ContentInfos in a 636 * SEQUENCE. */ 637 static int PKCS12_handle_content_infos(CBS *content_infos, 638 unsigned depth, 639 struct pkcs12_context *ctx) { 640 uint8_t *der_bytes = NULL; 641 size_t der_len; 642 CBS in; 643 int ret = 0; 644 645 /* Generally we only expect depths 0 (the top level, with a 646 * pkcs7-encryptedData and a pkcs7-data) and depth 1 (the various PKCS#12 647 * bags). */ 648 if (depth > 3) { 649 OPENSSL_PUT_ERROR(PKCS8, PKCS12_handle_content_infos, 650 PKCS8_R_PKCS12_TOO_DEEPLY_NESTED); 651 return 0; 652 } 653 654 /* Although a BER->DER conversion is done at the beginning of |PKCS12_parse|, 655 * the ASN.1 data gets wrapped in OCTETSTRINGs and/or encrypted and the 656 * conversion cannot see through those wrappings. So each time we step 657 * through one we need to convert to DER again. */ 658 if (!CBS_asn1_ber_to_der(content_infos, &der_bytes, &der_len)) { 659 return 0; 660 } 661 662 if (der_bytes != NULL) { 663 CBS_init(&in, der_bytes, der_len); 664 } else { 665 CBS_init(&in, CBS_data(content_infos), CBS_len(content_infos)); 666 } 667 668 if (!CBS_get_asn1(&in, &in, CBS_ASN1_SEQUENCE)) { 669 OPENSSL_PUT_ERROR(PKCS8, PKCS12_handle_content_infos, 670 PKCS8_R_BAD_PKCS12_DATA); 671 goto err; 672 } 673 674 while (CBS_len(&in) > 0) { 675 CBS content_info; 676 if (!CBS_get_asn1(&in, &content_info, CBS_ASN1_SEQUENCE)) { 677 OPENSSL_PUT_ERROR(PKCS8, PKCS12_handle_content_infos, 678 PKCS8_R_BAD_PKCS12_DATA); 679 goto err; 680 } 681 682 if (!PKCS12_handle_content_info(&content_info, depth + 1, ctx)) { 683 goto err; 684 } 685 } 686 687 /* NSS includes additional data after the SEQUENCE, but it's an (unwrapped) 688 * copy of the same encrypted private key (with the same IV and 689 * ciphertext)! */ 690 691 ret = 1; 692 693 err: 694 OPENSSL_free(der_bytes); 695 return ret; 696 } 697 698 /* PKCS12_handle_content_info parses a single PKCS#7 ContentInfo element in a 699 * PKCS#12 structure. */ 700 static int PKCS12_handle_content_info(CBS *content_info, unsigned depth, 701 struct pkcs12_context *ctx) { 702 CBS content_type, wrapped_contents, contents, content_infos; 703 int nid, ret = 0; 704 705 if (!CBS_get_asn1(content_info, &content_type, CBS_ASN1_OBJECT) || 706 !CBS_get_asn1(content_info, &wrapped_contents, 707 CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0)) { 708 OPENSSL_PUT_ERROR(PKCS8, PKCS12_handle_content_info, 709 PKCS8_R_BAD_PKCS12_DATA); 710 goto err; 711 } 712 713 nid = OBJ_cbs2nid(&content_type); 714 if (nid == NID_pkcs7_encrypted) { 715 /* See https://tools.ietf.org/html/rfc2315#section-13. 716 * 717 * PKCS#7 encrypted data inside a PKCS#12 structure is generally an 718 * encrypted certificate bag and it's generally encrypted with 40-bit 719 * RC2-CBC. */ 720 CBS version_bytes, eci, contents_type, ai, encrypted_contents; 721 X509_ALGOR *algor = NULL; 722 const uint8_t *inp; 723 uint8_t *out; 724 size_t out_len; 725 726 if (!CBS_get_asn1(&wrapped_contents, &contents, CBS_ASN1_SEQUENCE) || 727 !CBS_get_asn1(&contents, &version_bytes, CBS_ASN1_INTEGER) || 728 /* EncryptedContentInfo, see 729 * https://tools.ietf.org/html/rfc2315#section-10.1 */ 730 !CBS_get_asn1(&contents, &eci, CBS_ASN1_SEQUENCE) || 731 !CBS_get_asn1(&eci, &contents_type, CBS_ASN1_OBJECT) || 732 /* AlgorithmIdentifier, see 733 * https://tools.ietf.org/html/rfc5280#section-4.1.1.2 */ 734 !CBS_get_asn1_element(&eci, &ai, CBS_ASN1_SEQUENCE) || 735 !CBS_get_asn1(&eci, &encrypted_contents, 736 CBS_ASN1_CONTEXT_SPECIFIC | 0)) { 737 OPENSSL_PUT_ERROR(PKCS8, PKCS12_handle_content_info, 738 PKCS8_R_BAD_PKCS12_DATA); 739 goto err; 740 } 741 742 if (OBJ_cbs2nid(&contents_type) != NID_pkcs7_data) { 743 OPENSSL_PUT_ERROR(PKCS8, PKCS12_handle_content_info, 744 PKCS8_R_BAD_PKCS12_DATA); 745 goto err; 746 } 747 748 inp = CBS_data(&ai); 749 algor = d2i_X509_ALGOR(NULL, &inp, CBS_len(&ai)); 750 if (algor == NULL) { 751 goto err; 752 } 753 if (inp != CBS_data(&ai) + CBS_len(&ai)) { 754 X509_ALGOR_free(algor); 755 OPENSSL_PUT_ERROR(PKCS8, PKCS12_handle_content_info, 756 PKCS8_R_BAD_PKCS12_DATA); 757 goto err; 758 } 759 760 if (!pbe_crypt(algor, ctx->password, ctx->password_len, 761 CBS_data(&encrypted_contents), CBS_len(&encrypted_contents), 762 &out, &out_len, 0 /* decrypt */)) { 763 X509_ALGOR_free(algor); 764 goto err; 765 } 766 X509_ALGOR_free(algor); 767 768 CBS_init(&content_infos, out, out_len); 769 ret = PKCS12_handle_content_infos(&content_infos, depth + 1, ctx); 770 OPENSSL_free(out); 771 } else if (nid == NID_pkcs7_data) { 772 CBS octet_string_contents; 773 774 if (!CBS_get_asn1(&wrapped_contents, &octet_string_contents, 775 CBS_ASN1_OCTETSTRING)) { 776 OPENSSL_PUT_ERROR(PKCS8, PKCS12_handle_content_info, 777 PKCS8_R_BAD_PKCS12_DATA); 778 goto err; 779 } 780 781 ret = PKCS12_handle_content_infos(&octet_string_contents, depth + 1, ctx); 782 } else if (nid == NID_pkcs8ShroudedKeyBag) { 783 /* See ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-12/pkcs-12v1.pdf, section 784 * 4.2.2. */ 785 const uint8_t *inp = CBS_data(&wrapped_contents); 786 PKCS8_PRIV_KEY_INFO *pki = NULL; 787 X509_SIG *encrypted = NULL; 788 789 if (*ctx->out_key) { 790 OPENSSL_PUT_ERROR(PKCS8, PKCS12_handle_content_info, 791 PKCS8_R_MULTIPLE_PRIVATE_KEYS_IN_PKCS12); 792 goto err; 793 } 794 795 /* encrypted isn't actually an X.509 signature, but it has the same 796 * structure as one and so |X509_SIG| is reused to store it. */ 797 encrypted = d2i_X509_SIG(NULL, &inp, CBS_len(&wrapped_contents)); 798 if (encrypted == NULL) { 799 OPENSSL_PUT_ERROR(PKCS8, PKCS12_handle_content_info, 800 PKCS8_R_BAD_PKCS12_DATA); 801 goto err; 802 } 803 if (inp != CBS_data(&wrapped_contents) + CBS_len(&wrapped_contents)) { 804 OPENSSL_PUT_ERROR(PKCS8, PKCS12_handle_content_info, 805 PKCS8_R_BAD_PKCS12_DATA); 806 X509_SIG_free(encrypted); 807 goto err; 808 } 809 810 pki = PKCS8_decrypt_pbe(encrypted, ctx->password, ctx->password_len); 811 X509_SIG_free(encrypted); 812 if (pki == NULL) { 813 goto err; 814 } 815 816 *ctx->out_key = EVP_PKCS82PKEY(pki); 817 PKCS8_PRIV_KEY_INFO_free(pki); 818 819 if (ctx->out_key == NULL) { 820 goto err; 821 } 822 ret = 1; 823 } else if (nid == NID_certBag) { 824 CBS cert_bag, cert_type, wrapped_cert, cert; 825 826 if (!CBS_get_asn1(&wrapped_contents, &cert_bag, CBS_ASN1_SEQUENCE) || 827 !CBS_get_asn1(&cert_bag, &cert_type, CBS_ASN1_OBJECT) || 828 !CBS_get_asn1(&cert_bag, &wrapped_cert, 829 CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0) || 830 !CBS_get_asn1(&wrapped_cert, &cert, CBS_ASN1_OCTETSTRING)) { 831 OPENSSL_PUT_ERROR(PKCS8, PKCS12_handle_content_info, 832 PKCS8_R_BAD_PKCS12_DATA); 833 goto err; 834 } 835 836 if (OBJ_cbs2nid(&cert_type) == NID_x509Certificate) { 837 const uint8_t *inp = CBS_data(&cert); 838 X509 *x509 = d2i_X509(NULL, &inp, CBS_len(&cert)); 839 if (!x509) { 840 OPENSSL_PUT_ERROR(PKCS8, PKCS12_handle_content_info, 841 PKCS8_R_BAD_PKCS12_DATA); 842 goto err; 843 } 844 if (inp != CBS_data(&cert) + CBS_len(&cert)) { 845 OPENSSL_PUT_ERROR(PKCS8, PKCS12_handle_content_info, 846 PKCS8_R_BAD_PKCS12_DATA); 847 X509_free(x509); 848 goto err; 849 } 850 851 if (0 == sk_X509_push(ctx->out_certs, x509)) { 852 X509_free(x509); 853 goto err; 854 } 855 } 856 ret = 1; 857 } else { 858 /* Unknown element type - ignore it. */ 859 ret = 1; 860 } 861 862 err: 863 return ret; 864 } 865 866 int PKCS12_get_key_and_certs(EVP_PKEY **out_key, STACK_OF(X509) *out_certs, 867 CBS *ber_in, const char *password) { 868 uint8_t *der_bytes = NULL; 869 size_t der_len; 870 CBS in, pfx, mac_data, authsafe, content_type, wrapped_authsafes, authsafes; 871 uint64_t version; 872 int ret = 0; 873 struct pkcs12_context ctx; 874 const size_t original_out_certs_len = sk_X509_num(out_certs); 875 876 /* The input may be in BER format. */ 877 if (!CBS_asn1_ber_to_der(ber_in, &der_bytes, &der_len)) { 878 return 0; 879 } 880 if (der_bytes != NULL) { 881 CBS_init(&in, der_bytes, der_len); 882 } else { 883 CBS_init(&in, CBS_data(ber_in), CBS_len(ber_in)); 884 } 885 886 *out_key = NULL; 887 memset(&ctx, 0, sizeof(ctx)); 888 889 /* See ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-12/pkcs-12v1.pdf, section 890 * four. */ 891 if (!CBS_get_asn1(&in, &pfx, CBS_ASN1_SEQUENCE) || 892 CBS_len(&in) != 0 || 893 !CBS_get_asn1_uint64(&pfx, &version)) { 894 OPENSSL_PUT_ERROR(PKCS8, PKCS12_get_key_and_certs, PKCS8_R_BAD_PKCS12_DATA); 895 goto err; 896 } 897 898 if (version < 3) { 899 OPENSSL_PUT_ERROR(PKCS8, PKCS12_get_key_and_certs, 900 PKCS8_R_BAD_PKCS12_VERSION); 901 goto err; 902 } 903 904 if (!CBS_get_asn1(&pfx, &authsafe, CBS_ASN1_SEQUENCE)) { 905 OPENSSL_PUT_ERROR(PKCS8, PKCS12_get_key_and_certs, PKCS8_R_BAD_PKCS12_DATA); 906 goto err; 907 } 908 909 if (CBS_len(&pfx) == 0) { 910 OPENSSL_PUT_ERROR(PKCS8, PKCS12_get_key_and_certs, PKCS8_R_MISSING_MAC); 911 goto err; 912 } 913 914 if (!CBS_get_asn1(&pfx, &mac_data, CBS_ASN1_SEQUENCE)) { 915 OPENSSL_PUT_ERROR(PKCS8, PKCS12_get_key_and_certs, PKCS8_R_BAD_PKCS12_DATA); 916 goto err; 917 } 918 919 /* authsafe is a PKCS#7 ContentInfo. See 920 * https://tools.ietf.org/html/rfc2315#section-7. */ 921 if (!CBS_get_asn1(&authsafe, &content_type, CBS_ASN1_OBJECT) || 922 !CBS_get_asn1(&authsafe, &wrapped_authsafes, 923 CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0)) { 924 OPENSSL_PUT_ERROR(PKCS8, PKCS12_get_key_and_certs, PKCS8_R_BAD_PKCS12_DATA); 925 goto err; 926 } 927 928 /* The content type can either be |NID_pkcs7_data| or |NID_pkcs7_signed|. The 929 * latter indicates that it's signed by a public key, which isn't 930 * supported. */ 931 if (OBJ_cbs2nid(&content_type) != NID_pkcs7_data) { 932 OPENSSL_PUT_ERROR(PKCS8, PKCS12_get_key_and_certs, 933 PKCS8_R_PKCS12_PUBLIC_KEY_INTEGRITY_NOT_SUPPORTED); 934 goto err; 935 } 936 937 if (!CBS_get_asn1(&wrapped_authsafes, &authsafes, CBS_ASN1_OCTETSTRING)) { 938 OPENSSL_PUT_ERROR(PKCS8, PKCS12_get_key_and_certs, PKCS8_R_BAD_PKCS12_DATA); 939 goto err; 940 } 941 942 ctx.out_key = out_key; 943 ctx.out_certs = out_certs; 944 if (!ascii_to_ucs2(password, strlen(password), &ctx.password, 945 &ctx.password_len)) { 946 OPENSSL_PUT_ERROR(PKCS8, PKCS12_get_key_and_certs, PKCS8_R_DECODE_ERROR); 947 goto err; 948 } 949 950 /* Verify the MAC. */ 951 { 952 CBS mac, hash_type_seq, hash_oid, salt, expected_mac; 953 uint64_t iterations; 954 int hash_nid; 955 const EVP_MD *md; 956 uint8_t hmac_key[EVP_MAX_MD_SIZE]; 957 uint8_t hmac[EVP_MAX_MD_SIZE]; 958 unsigned hmac_len; 959 960 if (!CBS_get_asn1(&mac_data, &mac, CBS_ASN1_SEQUENCE) || 961 !CBS_get_asn1(&mac, &hash_type_seq, CBS_ASN1_SEQUENCE) || 962 !CBS_get_asn1(&hash_type_seq, &hash_oid, CBS_ASN1_OBJECT) || 963 !CBS_get_asn1(&mac, &expected_mac, CBS_ASN1_OCTETSTRING) || 964 !CBS_get_asn1(&mac_data, &salt, CBS_ASN1_OCTETSTRING)) { 965 OPENSSL_PUT_ERROR(PKCS8, PKCS12_get_key_and_certs, PKCS8_R_BAD_PKCS12_DATA); 966 goto err; 967 } 968 969 /* The iteration count is optional and the default is one. */ 970 iterations = 1; 971 if (CBS_len(&mac_data) > 0) { 972 if (!CBS_get_asn1_uint64(&mac_data, &iterations) || 973 iterations > INT_MAX) { 974 OPENSSL_PUT_ERROR(PKCS8, PKCS12_get_key_and_certs, 975 PKCS8_R_BAD_PKCS12_DATA); 976 goto err; 977 } 978 } 979 980 hash_nid = OBJ_cbs2nid(&hash_oid); 981 if (hash_nid == NID_undef || 982 (md = EVP_get_digestbynid(hash_nid)) == NULL) { 983 OPENSSL_PUT_ERROR(PKCS8, PKCS12_get_key_and_certs, PKCS8_R_UNKNOWN_HASH); 984 goto err; 985 } 986 987 if (!pkcs12_key_gen_raw(ctx.password, ctx.password_len, CBS_data(&salt), 988 CBS_len(&salt), PKCS12_MAC_ID, iterations, 989 EVP_MD_size(md), hmac_key, md)) { 990 goto err; 991 } 992 993 if (NULL == HMAC(md, hmac_key, EVP_MD_size(md), CBS_data(&authsafes), 994 CBS_len(&authsafes), hmac, &hmac_len)) { 995 goto err; 996 } 997 998 if (!CBS_mem_equal(&expected_mac, hmac, hmac_len)) { 999 OPENSSL_PUT_ERROR(PKCS8, PKCS12_get_key_and_certs, 1000 PKCS8_R_INCORRECT_PASSWORD); 1001 goto err; 1002 } 1003 } 1004 1005 /* authsafes contains a series of PKCS#7 ContentInfos. */ 1006 if (!PKCS12_handle_content_infos(&authsafes, 0, &ctx)) { 1007 goto err; 1008 } 1009 1010 ret = 1; 1011 1012 err: 1013 OPENSSL_free(ctx.password); 1014 OPENSSL_free(der_bytes); 1015 if (!ret) { 1016 EVP_PKEY_free(*out_key); 1017 *out_key = NULL; 1018 while (sk_X509_num(out_certs) > original_out_certs_len) { 1019 X509 *x509 = sk_X509_pop(out_certs); 1020 X509_free(x509); 1021 } 1022 } 1023 1024 return ret; 1025 } 1026 1027 void PKCS12_PBE_add(void) {} 1028 1029 struct pkcs12_st { 1030 uint8_t *ber_bytes; 1031 size_t ber_len; 1032 }; 1033 1034 PKCS12* d2i_PKCS12(PKCS12 **out_p12, const uint8_t **ber_bytes, size_t ber_len) { 1035 PKCS12 *p12; 1036 1037 /* out_p12 must be NULL because we don't export the PKCS12 structure. */ 1038 assert(out_p12 == NULL); 1039 1040 p12 = OPENSSL_malloc(sizeof(PKCS12)); 1041 if (!p12) { 1042 return NULL; 1043 } 1044 1045 p12->ber_bytes = OPENSSL_malloc(ber_len); 1046 if (!p12->ber_bytes) { 1047 OPENSSL_free(p12); 1048 return NULL; 1049 } 1050 1051 memcpy(p12->ber_bytes, *ber_bytes, ber_len); 1052 p12->ber_len = ber_len; 1053 *ber_bytes += ber_len; 1054 1055 return p12; 1056 } 1057 1058 PKCS12* d2i_PKCS12_bio(BIO *bio, PKCS12 **out_p12) { 1059 size_t used = 0; 1060 BUF_MEM *buf; 1061 const uint8_t *dummy; 1062 static const size_t kMaxSize = 256 * 1024; 1063 PKCS12 *ret = NULL; 1064 1065 buf = BUF_MEM_new(); 1066 if (buf == NULL) { 1067 return NULL; 1068 } 1069 if (BUF_MEM_grow(buf, 8192) == 0) { 1070 goto out; 1071 } 1072 1073 for (;;) { 1074 int n = BIO_read(bio, &buf->data[used], buf->length - used); 1075 if (n < 0) { 1076 goto out; 1077 } 1078 1079 if (n == 0) { 1080 break; 1081 } 1082 used += n; 1083 1084 if (used < buf->length) { 1085 continue; 1086 } 1087 1088 if (buf->length > kMaxSize || 1089 BUF_MEM_grow(buf, buf->length * 2) == 0) { 1090 goto out; 1091 } 1092 } 1093 1094 dummy = (uint8_t*) buf->data; 1095 ret = d2i_PKCS12(out_p12, &dummy, used); 1096 1097 out: 1098 BUF_MEM_free(buf); 1099 return ret; 1100 } 1101 1102 PKCS12* d2i_PKCS12_fp(FILE *fp, PKCS12 **out_p12) { 1103 BIO *bio; 1104 PKCS12 *ret; 1105 1106 bio = BIO_new_fp(fp, 0 /* don't take ownership */); 1107 if (!bio) { 1108 return NULL; 1109 } 1110 1111 ret = d2i_PKCS12_bio(bio, out_p12); 1112 BIO_free(bio); 1113 return ret; 1114 } 1115 1116 int PKCS12_parse(const PKCS12 *p12, const char *password, EVP_PKEY **out_pkey, 1117 X509 **out_cert, STACK_OF(X509) **out_ca_certs) { 1118 CBS ber_bytes; 1119 STACK_OF(X509) *ca_certs = NULL; 1120 char ca_certs_alloced = 0; 1121 1122 if (out_ca_certs != NULL && *out_ca_certs != NULL) { 1123 ca_certs = *out_ca_certs; 1124 } 1125 1126 if (!ca_certs) { 1127 ca_certs = sk_X509_new_null(); 1128 if (ca_certs == NULL) { 1129 return 0; 1130 } 1131 ca_certs_alloced = 1; 1132 } 1133 1134 CBS_init(&ber_bytes, p12->ber_bytes, p12->ber_len); 1135 if (!PKCS12_get_key_and_certs(out_pkey, ca_certs, &ber_bytes, password)) { 1136 if (ca_certs_alloced) { 1137 sk_X509_free(ca_certs); 1138 } 1139 return 0; 1140 } 1141 1142 *out_cert = NULL; 1143 if (sk_X509_num(ca_certs) > 0) { 1144 *out_cert = sk_X509_shift(ca_certs); 1145 } 1146 1147 if (out_ca_certs) { 1148 *out_ca_certs = ca_certs; 1149 } else { 1150 sk_X509_pop_free(ca_certs, X509_free); 1151 } 1152 1153 return 1; 1154 } 1155 1156 void PKCS12_free(PKCS12 *p12) { 1157 OPENSSL_free(p12->ber_bytes); 1158 OPENSSL_free(p12); 1159 } 1160