Home | History | Annotate | Download | only in pkcs8
      1 /* Written by Dr Stephen N Henson (steve (at) openssl.org) for the OpenSSL
      2  * project 1999.
      3  */
      4 /* ====================================================================
      5  * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
      6  *
      7  * Redistribution and use in source and binary forms, with or without
      8  * modification, are permitted provided that the following conditions
      9  * are met:
     10  *
     11  * 1. Redistributions of source code must retain the above copyright
     12  *    notice, this list of conditions and the following disclaimer.
     13  *
     14  * 2. Redistributions in binary form must reproduce the above copyright
     15  *    notice, this list of conditions and the following disclaimer in
     16  *    the documentation and/or other materials provided with the
     17  *    distribution.
     18  *
     19  * 3. All advertising materials mentioning features or use of this
     20  *    software must display the following acknowledgment:
     21  *    "This product includes software developed by the OpenSSL Project
     22  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
     23  *
     24  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
     25  *    endorse or promote products derived from this software without
     26  *    prior written permission. For written permission, please contact
     27  *    licensing (at) OpenSSL.org.
     28  *
     29  * 5. Products derived from this software may not be called "OpenSSL"
     30  *    nor may "OpenSSL" appear in their names without prior written
     31  *    permission of the OpenSSL Project.
     32  *
     33  * 6. Redistributions of any form whatsoever must retain the following
     34  *    acknowledgment:
     35  *    "This product includes software developed by the OpenSSL Project
     36  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
     37  *
     38  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
     39  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     40  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
     41  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
     42  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
     43  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
     44  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
     45  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
     46  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
     47  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
     48  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
     49  * OF THE POSSIBILITY OF SUCH DAMAGE.
     50  * ====================================================================
     51  *
     52  * This product includes cryptographic software written by Eric Young
     53  * (eay (at) cryptsoft.com).  This product includes software written by Tim
     54  * Hudson (tjh (at) cryptsoft.com). */
     55 
     56 #include <openssl/pkcs8.h>
     57 
     58 #include <assert.h>
     59 #include <limits.h>
     60 #include <string.h>
     61 
     62 #include <openssl/asn1.h>
     63 #include <openssl/bn.h>
     64 #include <openssl/buf.h>
     65 #include <openssl/cipher.h>
     66 #include <openssl/digest.h>
     67 #include <openssl/err.h>
     68 #include <openssl/hmac.h>
     69 #include <openssl/mem.h>
     70 #include <openssl/x509.h>
     71 
     72 #include "internal.h"
     73 #include "../bytestring/internal.h"
     74 #include "../evp/internal.h"
     75 
     76 
     77 #define PKCS12_KEY_ID 1
     78 #define PKCS12_IV_ID 2
     79 #define PKCS12_MAC_ID 3
     80 
     81 static int ascii_to_ucs2(const char *ascii, size_t ascii_len,
     82                          uint8_t **out, size_t *out_len) {
     83   uint8_t *unitmp;
     84   size_t ulen, i;
     85 
     86   ulen = ascii_len * 2 + 2;
     87   if (ulen < ascii_len) {
     88     return 0;
     89   }
     90   unitmp = OPENSSL_malloc(ulen);
     91   if (unitmp == NULL) {
     92     return 0;
     93   }
     94   for (i = 0; i < ulen - 2; i += 2) {
     95     unitmp[i] = 0;
     96     unitmp[i + 1] = ascii[i >> 1];
     97   }
     98 
     99   /* Make result double null terminated */
    100   unitmp[ulen - 2] = 0;
    101   unitmp[ulen - 1] = 0;
    102   *out_len = ulen;
    103   *out = unitmp;
    104   return 1;
    105 }
    106 
    107 static int pkcs12_key_gen_raw(const uint8_t *pass_raw, size_t pass_raw_len,
    108                               const uint8_t *salt, size_t salt_len,
    109                               int id, int iterations,
    110                               size_t out_len, uint8_t *out,
    111                               const EVP_MD *md_type) {
    112   uint8_t *B, *D, *I, *p, *Ai;
    113   int Slen, Plen, Ilen, Ijlen;
    114   int i, j, v;
    115   size_t u;
    116   int ret = 0;
    117   BIGNUM *Ij, *Bpl1; /* These hold Ij and B + 1 */
    118   EVP_MD_CTX ctx;
    119 
    120   EVP_MD_CTX_init(&ctx);
    121   v = EVP_MD_block_size(md_type);
    122   u = EVP_MD_size(md_type);
    123   D = OPENSSL_malloc(v);
    124   Ai = OPENSSL_malloc(u);
    125   B = OPENSSL_malloc(v + 1);
    126   Slen = v * ((salt_len + v - 1) / v);
    127   if (pass_raw_len) {
    128     Plen = v * ((pass_raw_len + v - 1) / v);
    129   } else {
    130     Plen = 0;
    131   }
    132   Ilen = Slen + Plen;
    133   I = OPENSSL_malloc(Ilen);
    134   Ij = BN_new();
    135   Bpl1 = BN_new();
    136   if (!D || !Ai || !B || !I || !Ij || !Bpl1) {
    137     goto err;
    138   }
    139   for (i = 0; i < v; i++) {
    140     D[i] = id;
    141   }
    142   p = I;
    143   for (i = 0; i < Slen; i++) {
    144     *p++ = salt[i % salt_len];
    145   }
    146   for (i = 0; i < Plen; i++) {
    147     *p++ = pass_raw[i % pass_raw_len];
    148   }
    149   for (;;) {
    150     if (!EVP_DigestInit_ex(&ctx, md_type, NULL) ||
    151         !EVP_DigestUpdate(&ctx, D, v) ||
    152         !EVP_DigestUpdate(&ctx, I, Ilen) ||
    153         !EVP_DigestFinal_ex(&ctx, Ai, NULL)) {
    154       goto err;
    155     }
    156     for (j = 1; j < iterations; j++) {
    157       if (!EVP_DigestInit_ex(&ctx, md_type, NULL) ||
    158           !EVP_DigestUpdate(&ctx, Ai, u) ||
    159           !EVP_DigestFinal_ex(&ctx, Ai, NULL)) {
    160         goto err;
    161       }
    162     }
    163     memcpy(out, Ai, out_len < u ? out_len : u);
    164     if (u >= out_len) {
    165       ret = 1;
    166       goto end;
    167     }
    168     out_len -= u;
    169     out += u;
    170     for (j = 0; j < v; j++) {
    171       B[j] = Ai[j % u];
    172     }
    173     /* Work out B + 1 first then can use B as tmp space */
    174     if (!BN_bin2bn(B, v, Bpl1) ||
    175         !BN_add_word(Bpl1, 1)) {
    176       goto err;
    177     }
    178     for (j = 0; j < Ilen; j += v) {
    179       if (!BN_bin2bn(I + j, v, Ij) ||
    180           !BN_add(Ij, Ij, Bpl1) ||
    181           !BN_bn2bin(Ij, B)) {
    182         goto err;
    183       }
    184       Ijlen = BN_num_bytes(Ij);
    185       /* If more than 2^(v*8) - 1 cut off MSB */
    186       if (Ijlen > v) {
    187         if (!BN_bn2bin(Ij, B)) {
    188           goto err;
    189         }
    190         memcpy(I + j, B + 1, v);
    191         /* If less than v bytes pad with zeroes */
    192       } else if (Ijlen < v) {
    193         memset(I + j, 0, v - Ijlen);
    194         if (!BN_bn2bin(Ij, I + j + v - Ijlen)) {
    195           goto err;
    196         }
    197       } else if (!BN_bn2bin(Ij, I + j)) {
    198         goto err;
    199       }
    200     }
    201   }
    202 
    203 err:
    204   OPENSSL_PUT_ERROR(PKCS8, ERR_R_MALLOC_FAILURE);
    205 
    206 end:
    207   OPENSSL_free(Ai);
    208   OPENSSL_free(B);
    209   OPENSSL_free(D);
    210   OPENSSL_free(I);
    211   BN_free(Ij);
    212   BN_free(Bpl1);
    213   EVP_MD_CTX_cleanup(&ctx);
    214 
    215   return ret;
    216 }
    217 
    218 static int pkcs12_pbe_keyivgen(EVP_CIPHER_CTX *ctx, const uint8_t *pass_raw,
    219                                size_t pass_raw_len, ASN1_TYPE *param,
    220                                const EVP_CIPHER *cipher, const EVP_MD *md,
    221                                int is_encrypt) {
    222   PBEPARAM *pbe;
    223   int salt_len, iterations, ret;
    224   uint8_t *salt;
    225   const uint8_t *pbuf;
    226   uint8_t key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH];
    227 
    228   /* Extract useful info from parameter */
    229   if (param == NULL || param->type != V_ASN1_SEQUENCE ||
    230       param->value.sequence == NULL) {
    231     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_DECODE_ERROR);
    232     return 0;
    233   }
    234 
    235   pbuf = param->value.sequence->data;
    236   pbe = d2i_PBEPARAM(NULL, &pbuf, param->value.sequence->length);
    237   if (pbe == NULL) {
    238     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_DECODE_ERROR);
    239     return 0;
    240   }
    241 
    242   if (!pbe->iter) {
    243     iterations = 1;
    244   } else {
    245     iterations = ASN1_INTEGER_get(pbe->iter);
    246   }
    247   salt = pbe->salt->data;
    248   salt_len = pbe->salt->length;
    249   if (!pkcs12_key_gen_raw(pass_raw, pass_raw_len, salt, salt_len, PKCS12_KEY_ID,
    250                           iterations, EVP_CIPHER_key_length(cipher), key, md)) {
    251     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_KEY_GEN_ERROR);
    252     PBEPARAM_free(pbe);
    253     return 0;
    254   }
    255   if (!pkcs12_key_gen_raw(pass_raw, pass_raw_len, salt, salt_len, PKCS12_IV_ID,
    256                           iterations, EVP_CIPHER_iv_length(cipher), iv, md)) {
    257     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_KEY_GEN_ERROR);
    258     PBEPARAM_free(pbe);
    259     return 0;
    260   }
    261   PBEPARAM_free(pbe);
    262   ret = EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, is_encrypt);
    263   OPENSSL_cleanse(key, EVP_MAX_KEY_LENGTH);
    264   OPENSSL_cleanse(iv, EVP_MAX_IV_LENGTH);
    265   return ret;
    266 }
    267 
    268 typedef int (*keygen_func)(EVP_CIPHER_CTX *ctx, const uint8_t *pass_raw,
    269                            size_t pass_raw_len, ASN1_TYPE *param,
    270                            const EVP_CIPHER *cipher, const EVP_MD *md,
    271                            int is_encrypt);
    272 
    273 struct pbe_suite {
    274   int pbe_nid;
    275   const EVP_CIPHER* (*cipher_func)(void);
    276   const EVP_MD* (*md_func)(void);
    277   keygen_func keygen;
    278   int flags;
    279 };
    280 
    281 #define PBE_UCS2_CONVERT_PASSWORD 0x1
    282 
    283 static const struct pbe_suite kBuiltinPBE[] = {
    284     {
    285      NID_pbe_WithSHA1And40BitRC2_CBC, EVP_rc2_40_cbc, EVP_sha1,
    286      pkcs12_pbe_keyivgen, PBE_UCS2_CONVERT_PASSWORD
    287     },
    288     {
    289      NID_pbe_WithSHA1And128BitRC4, EVP_rc4, EVP_sha1, pkcs12_pbe_keyivgen,
    290      PBE_UCS2_CONVERT_PASSWORD
    291     },
    292     {
    293      NID_pbe_WithSHA1And3_Key_TripleDES_CBC, EVP_des_ede3_cbc, EVP_sha1,
    294      pkcs12_pbe_keyivgen, PBE_UCS2_CONVERT_PASSWORD
    295     },
    296     {
    297       NID_pbes2, NULL, NULL,  PKCS5_v2_PBE_keyivgen, 0
    298     },
    299 };
    300 
    301 static const struct pbe_suite *get_pbe_suite(int pbe_nid) {
    302   unsigned i;
    303   for (i = 0; i < sizeof(kBuiltinPBE) / sizeof(kBuiltinPBE[0]); i++) {
    304     if (kBuiltinPBE[i].pbe_nid == pbe_nid) {
    305       return &kBuiltinPBE[i];
    306     }
    307   }
    308 
    309   return NULL;
    310 }
    311 
    312 /* pass_to_pass_raw performs a password conversion (possibly a no-op)
    313  * appropriate to the supplied |pbe_nid|. The input |pass| is treated as a
    314  * NUL-terminated string if |pass_len| is -1, otherwise it is treated as a
    315  * buffer of the specified length. If the supplied PBE NID sets the
    316  * |PBE_UCS2_CONVERT_PASSWORD| flag, the supplied |pass| will be converted to
    317  * UCS-2.
    318  *
    319  * It sets |*out_pass_raw| to a new buffer that must be freed by the caller. It
    320  * returns one on success and zero on error. */
    321 static int pass_to_pass_raw(int pbe_nid, const char *pass, int pass_len,
    322                             uint8_t **out_pass_raw, size_t *out_pass_raw_len) {
    323   if (pass == NULL) {
    324     *out_pass_raw = NULL;
    325     *out_pass_raw_len = 0;
    326     return 1;
    327   }
    328 
    329   if (pass_len == -1) {
    330     pass_len = strlen(pass);
    331   } else if (pass_len < 0 || pass_len > 2000000000) {
    332     OPENSSL_PUT_ERROR(PKCS8, ERR_R_OVERFLOW);
    333     return 0;
    334   }
    335 
    336   const struct pbe_suite *suite = get_pbe_suite(pbe_nid);
    337   if (suite != NULL && (suite->flags & PBE_UCS2_CONVERT_PASSWORD)) {
    338     if (!ascii_to_ucs2(pass, pass_len, out_pass_raw, out_pass_raw_len)) {
    339       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_DECODE_ERROR);
    340       return 0;
    341     }
    342   } else {
    343     *out_pass_raw = BUF_memdup(pass, pass_len);
    344     if (*out_pass_raw == NULL) {
    345       OPENSSL_PUT_ERROR(PKCS8, ERR_R_MALLOC_FAILURE);
    346       return 0;
    347     }
    348     *out_pass_raw_len = (size_t)pass_len;
    349   }
    350 
    351   return 1;
    352 }
    353 
    354 static int pbe_cipher_init(ASN1_OBJECT *pbe_obj,
    355                            const uint8_t *pass_raw, size_t pass_raw_len,
    356                            ASN1_TYPE *param,
    357                            EVP_CIPHER_CTX *ctx, int is_encrypt) {
    358   const EVP_CIPHER *cipher;
    359   const EVP_MD *md;
    360 
    361   const struct pbe_suite *suite = get_pbe_suite(OBJ_obj2nid(pbe_obj));
    362   if (suite == NULL) {
    363     char obj_str[80];
    364     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_UNKNOWN_ALGORITHM);
    365     if (!pbe_obj) {
    366       strncpy(obj_str, "NULL", sizeof(obj_str));
    367     } else {
    368       i2t_ASN1_OBJECT(obj_str, sizeof(obj_str), pbe_obj);
    369     }
    370     ERR_add_error_data(2, "TYPE=", obj_str);
    371     return 0;
    372   }
    373 
    374   if (suite->cipher_func == NULL) {
    375     cipher = NULL;
    376   } else {
    377     cipher = suite->cipher_func();
    378     if (!cipher) {
    379       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_UNKNOWN_CIPHER);
    380       return 0;
    381     }
    382   }
    383 
    384   if (suite->md_func == NULL) {
    385     md = NULL;
    386   } else {
    387     md = suite->md_func();
    388     if (!md) {
    389       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_UNKNOWN_DIGEST);
    390       return 0;
    391     }
    392   }
    393 
    394   if (!suite->keygen(ctx, pass_raw, pass_raw_len, param, cipher, md,
    395                      is_encrypt)) {
    396     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_KEYGEN_FAILURE);
    397     return 0;
    398   }
    399 
    400   return 1;
    401 }
    402 
    403 static int pbe_crypt(const X509_ALGOR *algor,
    404                      const uint8_t *pass_raw, size_t pass_raw_len,
    405                      const uint8_t *in, size_t in_len,
    406                      uint8_t **out, size_t *out_len,
    407                      int is_encrypt) {
    408   uint8_t *buf;
    409   int n, ret = 0;
    410   EVP_CIPHER_CTX ctx;
    411   unsigned block_size;
    412 
    413   EVP_CIPHER_CTX_init(&ctx);
    414 
    415   if (!pbe_cipher_init(algor->algorithm, pass_raw, pass_raw_len,
    416                        algor->parameter, &ctx, is_encrypt)) {
    417     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_UNKNOWN_CIPHER_ALGORITHM);
    418     return 0;
    419   }
    420   block_size = EVP_CIPHER_CTX_block_size(&ctx);
    421 
    422   if (in_len + block_size < in_len) {
    423     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_TOO_LONG);
    424     goto err;
    425   }
    426 
    427   buf = OPENSSL_malloc(in_len + block_size);
    428   if (buf == NULL) {
    429     OPENSSL_PUT_ERROR(PKCS8, ERR_R_MALLOC_FAILURE);
    430     goto err;
    431   }
    432 
    433   if (!EVP_CipherUpdate(&ctx, buf, &n, in, in_len)) {
    434     OPENSSL_free(buf);
    435     OPENSSL_PUT_ERROR(PKCS8, ERR_R_EVP_LIB);
    436     goto err;
    437   }
    438   *out_len = n;
    439 
    440   if (!EVP_CipherFinal_ex(&ctx, buf + n, &n)) {
    441     OPENSSL_free(buf);
    442     OPENSSL_PUT_ERROR(PKCS8, ERR_R_EVP_LIB);
    443     goto err;
    444   }
    445   *out_len += n;
    446   *out = buf;
    447   ret = 1;
    448 
    449 err:
    450   EVP_CIPHER_CTX_cleanup(&ctx);
    451   return ret;
    452 }
    453 
    454 static void *pkcs12_item_decrypt_d2i(X509_ALGOR *algor, const ASN1_ITEM *it,
    455                                      const uint8_t *pass_raw,
    456                                      size_t pass_raw_len,
    457                                      ASN1_OCTET_STRING *oct) {
    458   uint8_t *out;
    459   const uint8_t *p;
    460   void *ret;
    461   size_t out_len;
    462 
    463   if (!pbe_crypt(algor, pass_raw, pass_raw_len, oct->data, oct->length,
    464                  &out, &out_len, 0 /* decrypt */)) {
    465     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_CRYPT_ERROR);
    466     return NULL;
    467   }
    468   p = out;
    469   ret = ASN1_item_d2i(NULL, &p, out_len, it);
    470   OPENSSL_cleanse(out, out_len);
    471   if (!ret) {
    472     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_DECODE_ERROR);
    473   }
    474   OPENSSL_free(out);
    475   return ret;
    476 }
    477 
    478 PKCS8_PRIV_KEY_INFO *PKCS8_decrypt(X509_SIG *pkcs8, const char *pass,
    479                                    int pass_len) {
    480   uint8_t *pass_raw = NULL;
    481   size_t pass_raw_len = 0;
    482   if (!pass_to_pass_raw(OBJ_obj2nid(pkcs8->algor->algorithm), pass, pass_len,
    483                         &pass_raw, &pass_raw_len)) {
    484     return NULL;
    485   }
    486 
    487   PKCS8_PRIV_KEY_INFO *ret = PKCS8_decrypt_pbe(pkcs8, pass_raw, pass_raw_len);
    488 
    489   if (pass_raw) {
    490     OPENSSL_cleanse(pass_raw, pass_raw_len);
    491     OPENSSL_free(pass_raw);
    492   }
    493   return ret;
    494 }
    495 
    496 PKCS8_PRIV_KEY_INFO *PKCS8_decrypt_pbe(X509_SIG *pkcs8, const uint8_t *pass_raw,
    497                                        size_t pass_raw_len) {
    498   return pkcs12_item_decrypt_d2i(pkcs8->algor,
    499                                  ASN1_ITEM_rptr(PKCS8_PRIV_KEY_INFO), pass_raw,
    500                                  pass_raw_len, pkcs8->digest);
    501 }
    502 
    503 static ASN1_OCTET_STRING *pkcs12_item_i2d_encrypt(X509_ALGOR *algor,
    504                                                   const ASN1_ITEM *it,
    505                                                   const uint8_t *pass_raw,
    506                                                   size_t pass_raw_len, void *obj) {
    507   ASN1_OCTET_STRING *oct;
    508   uint8_t *in = NULL;
    509   int in_len;
    510   size_t crypt_len;
    511 
    512   oct = M_ASN1_OCTET_STRING_new();
    513   if (oct == NULL) {
    514     OPENSSL_PUT_ERROR(PKCS8, ERR_R_MALLOC_FAILURE);
    515     return NULL;
    516   }
    517   in_len = ASN1_item_i2d(obj, &in, it);
    518   if (!in) {
    519     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_ENCODE_ERROR);
    520     return NULL;
    521   }
    522   if (!pbe_crypt(algor, pass_raw, pass_raw_len, in, in_len, &oct->data, &crypt_len,
    523                  1 /* encrypt */)) {
    524     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_ENCRYPT_ERROR);
    525     OPENSSL_free(in);
    526     return NULL;
    527   }
    528   oct->length = crypt_len;
    529   OPENSSL_cleanse(in, in_len);
    530   OPENSSL_free(in);
    531   return oct;
    532 }
    533 
    534 X509_SIG *PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher, const char *pass,
    535                         int pass_len, uint8_t *salt, size_t salt_len,
    536                         int iterations, PKCS8_PRIV_KEY_INFO *p8inf) {
    537   uint8_t *pass_raw = NULL;
    538   size_t pass_raw_len = 0;
    539   if (!pass_to_pass_raw(pbe_nid, pass, pass_len, &pass_raw, &pass_raw_len)) {
    540     return NULL;
    541   }
    542 
    543   X509_SIG *ret = PKCS8_encrypt_pbe(pbe_nid, cipher, pass_raw, pass_raw_len,
    544                                     salt, salt_len, iterations, p8inf);
    545 
    546   if (pass_raw) {
    547     OPENSSL_cleanse(pass_raw, pass_raw_len);
    548     OPENSSL_free(pass_raw);
    549   }
    550   return ret;
    551 }
    552 
    553 X509_SIG *PKCS8_encrypt_pbe(int pbe_nid, const EVP_CIPHER *cipher,
    554                             const uint8_t *pass_raw, size_t pass_raw_len,
    555                             uint8_t *salt, size_t salt_len,
    556                             int iterations, PKCS8_PRIV_KEY_INFO *p8inf) {
    557   X509_SIG *pkcs8 = NULL;
    558   X509_ALGOR *pbe;
    559 
    560   pkcs8 = X509_SIG_new();
    561   if (pkcs8 == NULL) {
    562     OPENSSL_PUT_ERROR(PKCS8, ERR_R_MALLOC_FAILURE);
    563     goto err;
    564   }
    565 
    566   if (pbe_nid == -1) {
    567     pbe = PKCS5_pbe2_set(cipher, iterations, salt, salt_len);
    568   } else {
    569     pbe = PKCS5_pbe_set(pbe_nid, iterations, salt, salt_len);
    570   }
    571   if (!pbe) {
    572     OPENSSL_PUT_ERROR(PKCS8, ERR_R_ASN1_LIB);
    573     goto err;
    574   }
    575 
    576   X509_ALGOR_free(pkcs8->algor);
    577   pkcs8->algor = pbe;
    578   M_ASN1_OCTET_STRING_free(pkcs8->digest);
    579   pkcs8->digest = pkcs12_item_i2d_encrypt(
    580       pbe, ASN1_ITEM_rptr(PKCS8_PRIV_KEY_INFO), pass_raw, pass_raw_len, p8inf);
    581   if (!pkcs8->digest) {
    582     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_ENCRYPT_ERROR);
    583     goto err;
    584   }
    585 
    586   return pkcs8;
    587 
    588 err:
    589   X509_SIG_free(pkcs8);
    590   return NULL;
    591 }
    592 
    593 EVP_PKEY *EVP_PKCS82PKEY(PKCS8_PRIV_KEY_INFO *p8) {
    594   EVP_PKEY *pkey = NULL;
    595   ASN1_OBJECT *algoid;
    596   char obj_tmp[80];
    597 
    598   if (!PKCS8_pkey_get0(&algoid, NULL, NULL, NULL, p8)) {
    599     return NULL;
    600   }
    601 
    602   pkey = EVP_PKEY_new();
    603   if (pkey == NULL) {
    604     OPENSSL_PUT_ERROR(PKCS8, ERR_R_MALLOC_FAILURE);
    605     return NULL;
    606   }
    607 
    608   if (!EVP_PKEY_set_type(pkey, OBJ_obj2nid(algoid))) {
    609     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM);
    610     i2t_ASN1_OBJECT(obj_tmp, 80, algoid);
    611     ERR_add_error_data(2, "TYPE=", obj_tmp);
    612     goto error;
    613   }
    614 
    615   if (pkey->ameth->priv_decode) {
    616     if (!pkey->ameth->priv_decode(pkey, p8)) {
    617       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_PRIVATE_KEY_DECODE_ERROR);
    618       goto error;
    619     }
    620   } else {
    621     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_METHOD_NOT_SUPPORTED);
    622     goto error;
    623   }
    624 
    625   return pkey;
    626 
    627 error:
    628   EVP_PKEY_free(pkey);
    629   return NULL;
    630 }
    631 
    632 PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8(EVP_PKEY *pkey) {
    633   PKCS8_PRIV_KEY_INFO *p8;
    634 
    635   p8 = PKCS8_PRIV_KEY_INFO_new();
    636   if (p8 == NULL) {
    637     OPENSSL_PUT_ERROR(PKCS8, ERR_R_MALLOC_FAILURE);
    638     return NULL;
    639   }
    640   p8->broken = PKCS8_OK;
    641 
    642   if (pkey->ameth) {
    643     if (pkey->ameth->priv_encode) {
    644       if (!pkey->ameth->priv_encode(p8, pkey)) {
    645         OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_PRIVATE_KEY_ENCODE_ERROR);
    646         goto error;
    647       }
    648     } else {
    649       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_METHOD_NOT_SUPPORTED);
    650       goto error;
    651     }
    652   } else {
    653     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM);
    654     goto error;
    655   }
    656   return p8;
    657 
    658 error:
    659   PKCS8_PRIV_KEY_INFO_free(p8);
    660   return NULL;
    661 }
    662 
    663 struct pkcs12_context {
    664   EVP_PKEY **out_key;
    665   STACK_OF(X509) *out_certs;
    666   uint8_t *password;
    667   size_t password_len;
    668 };
    669 
    670 static int PKCS12_handle_content_info(CBS *content_info, unsigned depth,
    671                                       struct pkcs12_context *ctx);
    672 
    673 /* PKCS12_handle_content_infos parses a series of PKCS#7 ContentInfos in a
    674  * SEQUENCE. */
    675 static int PKCS12_handle_content_infos(CBS *content_infos,
    676                                        unsigned depth,
    677                                        struct pkcs12_context *ctx) {
    678   uint8_t *der_bytes = NULL;
    679   size_t der_len;
    680   CBS in;
    681   int ret = 0;
    682 
    683   /* Generally we only expect depths 0 (the top level, with a
    684    * pkcs7-encryptedData and a pkcs7-data) and depth 1 (the various PKCS#12
    685    * bags). */
    686   if (depth > 3) {
    687     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_PKCS12_TOO_DEEPLY_NESTED);
    688     return 0;
    689   }
    690 
    691   /* Although a BER->DER conversion is done at the beginning of |PKCS12_parse|,
    692    * the ASN.1 data gets wrapped in OCTETSTRINGs and/or encrypted and the
    693    * conversion cannot see through those wrappings. So each time we step
    694    * through one we need to convert to DER again. */
    695   if (!CBS_asn1_ber_to_der(content_infos, &der_bytes, &der_len)) {
    696     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
    697     return 0;
    698   }
    699 
    700   if (der_bytes != NULL) {
    701     CBS_init(&in, der_bytes, der_len);
    702   } else {
    703     CBS_init(&in, CBS_data(content_infos), CBS_len(content_infos));
    704   }
    705 
    706   if (!CBS_get_asn1(&in, &in, CBS_ASN1_SEQUENCE)) {
    707     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
    708     goto err;
    709   }
    710 
    711   while (CBS_len(&in) > 0) {
    712     CBS content_info;
    713     if (!CBS_get_asn1(&in, &content_info, CBS_ASN1_SEQUENCE)) {
    714       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
    715       goto err;
    716     }
    717 
    718     if (!PKCS12_handle_content_info(&content_info, depth + 1, ctx)) {
    719       goto err;
    720     }
    721   }
    722 
    723   /* NSS includes additional data after the SEQUENCE, but it's an (unwrapped)
    724    * copy of the same encrypted private key (with the same IV and
    725    * ciphertext)! */
    726 
    727   ret = 1;
    728 
    729 err:
    730   OPENSSL_free(der_bytes);
    731   return ret;
    732 }
    733 
    734 /* PKCS12_handle_content_info parses a single PKCS#7 ContentInfo element in a
    735  * PKCS#12 structure. */
    736 static int PKCS12_handle_content_info(CBS *content_info, unsigned depth,
    737                                       struct pkcs12_context *ctx) {
    738   CBS content_type, wrapped_contents, contents, content_infos;
    739   int nid, ret = 0;
    740 
    741   if (!CBS_get_asn1(content_info, &content_type, CBS_ASN1_OBJECT) ||
    742       !CBS_get_asn1(content_info, &wrapped_contents,
    743                         CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0)) {
    744     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
    745     goto err;
    746   }
    747 
    748   nid = OBJ_cbs2nid(&content_type);
    749   if (nid == NID_pkcs7_encrypted) {
    750     /* See https://tools.ietf.org/html/rfc2315#section-13.
    751      *
    752      * PKCS#7 encrypted data inside a PKCS#12 structure is generally an
    753      * encrypted certificate bag and it's generally encrypted with 40-bit
    754      * RC2-CBC. */
    755     CBS version_bytes, eci, contents_type, ai, encrypted_contents;
    756     X509_ALGOR *algor = NULL;
    757     const uint8_t *inp;
    758     uint8_t *out;
    759     size_t out_len;
    760 
    761     if (!CBS_get_asn1(&wrapped_contents, &contents, CBS_ASN1_SEQUENCE) ||
    762         !CBS_get_asn1(&contents, &version_bytes, CBS_ASN1_INTEGER) ||
    763         /* EncryptedContentInfo, see
    764          * https://tools.ietf.org/html/rfc2315#section-10.1 */
    765         !CBS_get_asn1(&contents, &eci, CBS_ASN1_SEQUENCE) ||
    766         !CBS_get_asn1(&eci, &contents_type, CBS_ASN1_OBJECT) ||
    767         /* AlgorithmIdentifier, see
    768          * https://tools.ietf.org/html/rfc5280#section-4.1.1.2 */
    769         !CBS_get_asn1_element(&eci, &ai, CBS_ASN1_SEQUENCE) ||
    770         !CBS_get_asn1(&eci, &encrypted_contents,
    771                       CBS_ASN1_CONTEXT_SPECIFIC | 0)) {
    772       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
    773       goto err;
    774     }
    775 
    776     if (OBJ_cbs2nid(&contents_type) != NID_pkcs7_data ||
    777         CBS_len(&ai) > LONG_MAX) {
    778       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
    779       goto err;
    780     }
    781 
    782     inp = CBS_data(&ai);
    783     algor = d2i_X509_ALGOR(NULL, &inp, (long)CBS_len(&ai));
    784     if (algor == NULL) {
    785       goto err;
    786     }
    787     if (inp != CBS_data(&ai) + CBS_len(&ai)) {
    788       X509_ALGOR_free(algor);
    789       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
    790       goto err;
    791     }
    792 
    793     if (!pbe_crypt(algor, ctx->password, ctx->password_len,
    794                    CBS_data(&encrypted_contents), CBS_len(&encrypted_contents),
    795                    &out, &out_len, 0 /* decrypt */)) {
    796       X509_ALGOR_free(algor);
    797       goto err;
    798     }
    799     X509_ALGOR_free(algor);
    800 
    801     CBS_init(&content_infos, out, out_len);
    802     ret = PKCS12_handle_content_infos(&content_infos, depth + 1, ctx);
    803     OPENSSL_free(out);
    804   } else if (nid == NID_pkcs7_data) {
    805     CBS octet_string_contents;
    806 
    807     if (!CBS_get_asn1(&wrapped_contents, &octet_string_contents,
    808                           CBS_ASN1_OCTETSTRING)) {
    809       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
    810       goto err;
    811     }
    812 
    813     ret = PKCS12_handle_content_infos(&octet_string_contents, depth + 1, ctx);
    814   } else if (nid == NID_pkcs8ShroudedKeyBag) {
    815     /* See ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-12/pkcs-12v1.pdf, section
    816      * 4.2.2. */
    817     const uint8_t *inp = CBS_data(&wrapped_contents);
    818     PKCS8_PRIV_KEY_INFO *pki = NULL;
    819     X509_SIG *encrypted = NULL;
    820 
    821     if (*ctx->out_key) {
    822       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_MULTIPLE_PRIVATE_KEYS_IN_PKCS12);
    823       goto err;
    824     }
    825 
    826     if (CBS_len(&wrapped_contents) > LONG_MAX) {
    827       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
    828       goto err;
    829     }
    830 
    831     /* encrypted isn't actually an X.509 signature, but it has the same
    832      * structure as one and so |X509_SIG| is reused to store it. */
    833     encrypted = d2i_X509_SIG(NULL, &inp, (long)CBS_len(&wrapped_contents));
    834     if (encrypted == NULL) {
    835       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
    836       goto err;
    837     }
    838     if (inp != CBS_data(&wrapped_contents) + CBS_len(&wrapped_contents)) {
    839       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
    840       X509_SIG_free(encrypted);
    841       goto err;
    842     }
    843 
    844     pki = PKCS8_decrypt_pbe(encrypted, ctx->password, ctx->password_len);
    845     X509_SIG_free(encrypted);
    846     if (pki == NULL) {
    847       goto err;
    848     }
    849 
    850     *ctx->out_key = EVP_PKCS82PKEY(pki);
    851     PKCS8_PRIV_KEY_INFO_free(pki);
    852 
    853     if (ctx->out_key == NULL) {
    854       goto err;
    855     }
    856     ret = 1;
    857   } else if (nid == NID_certBag) {
    858     CBS cert_bag, cert_type, wrapped_cert, cert;
    859 
    860     if (!CBS_get_asn1(&wrapped_contents, &cert_bag, CBS_ASN1_SEQUENCE) ||
    861         !CBS_get_asn1(&cert_bag, &cert_type, CBS_ASN1_OBJECT) ||
    862         !CBS_get_asn1(&cert_bag, &wrapped_cert,
    863                       CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0) ||
    864         !CBS_get_asn1(&wrapped_cert, &cert, CBS_ASN1_OCTETSTRING)) {
    865       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
    866       goto err;
    867     }
    868 
    869     if (OBJ_cbs2nid(&cert_type) == NID_x509Certificate) {
    870       if (CBS_len(&cert) > LONG_MAX) {
    871         OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
    872         goto err;
    873       }
    874       const uint8_t *inp = CBS_data(&cert);
    875       X509 *x509 = d2i_X509(NULL, &inp, (long)CBS_len(&cert));
    876       if (!x509) {
    877         OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
    878         goto err;
    879       }
    880       if (inp != CBS_data(&cert) + CBS_len(&cert)) {
    881         OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
    882         X509_free(x509);
    883         goto err;
    884       }
    885 
    886       if (0 == sk_X509_push(ctx->out_certs, x509)) {
    887         X509_free(x509);
    888         goto err;
    889       }
    890     }
    891     ret = 1;
    892   } else {
    893     /* Unknown element type - ignore it. */
    894     ret = 1;
    895   }
    896 
    897 err:
    898   return ret;
    899 }
    900 
    901 int PKCS12_get_key_and_certs(EVP_PKEY **out_key, STACK_OF(X509) *out_certs,
    902                              CBS *ber_in, const char *password) {
    903   uint8_t *der_bytes = NULL;
    904   size_t der_len;
    905   CBS in, pfx, mac_data, authsafe, content_type, wrapped_authsafes, authsafes;
    906   uint64_t version;
    907   int ret = 0;
    908   struct pkcs12_context ctx;
    909   const size_t original_out_certs_len = sk_X509_num(out_certs);
    910 
    911   /* The input may be in BER format. */
    912   if (!CBS_asn1_ber_to_der(ber_in, &der_bytes, &der_len)) {
    913     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
    914     return 0;
    915   }
    916   if (der_bytes != NULL) {
    917     CBS_init(&in, der_bytes, der_len);
    918   } else {
    919     CBS_init(&in, CBS_data(ber_in), CBS_len(ber_in));
    920   }
    921 
    922   *out_key = NULL;
    923   memset(&ctx, 0, sizeof(ctx));
    924 
    925   /* See ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-12/pkcs-12v1.pdf, section
    926    * four. */
    927   if (!CBS_get_asn1(&in, &pfx, CBS_ASN1_SEQUENCE) ||
    928       CBS_len(&in) != 0 ||
    929       !CBS_get_asn1_uint64(&pfx, &version)) {
    930     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
    931     goto err;
    932   }
    933 
    934   if (version < 3) {
    935     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_VERSION);
    936     goto err;
    937   }
    938 
    939   if (!CBS_get_asn1(&pfx, &authsafe, CBS_ASN1_SEQUENCE)) {
    940     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
    941     goto err;
    942   }
    943 
    944   if (CBS_len(&pfx) == 0) {
    945     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_MISSING_MAC);
    946     goto err;
    947   }
    948 
    949   if (!CBS_get_asn1(&pfx, &mac_data, CBS_ASN1_SEQUENCE)) {
    950     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
    951     goto err;
    952   }
    953 
    954   /* authsafe is a PKCS#7 ContentInfo. See
    955    * https://tools.ietf.org/html/rfc2315#section-7. */
    956   if (!CBS_get_asn1(&authsafe, &content_type, CBS_ASN1_OBJECT) ||
    957       !CBS_get_asn1(&authsafe, &wrapped_authsafes,
    958                         CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0)) {
    959     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
    960     goto err;
    961   }
    962 
    963   /* The content type can either be |NID_pkcs7_data| or |NID_pkcs7_signed|. The
    964    * latter indicates that it's signed by a public key, which isn't
    965    * supported. */
    966   if (OBJ_cbs2nid(&content_type) != NID_pkcs7_data) {
    967     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_PKCS12_PUBLIC_KEY_INTEGRITY_NOT_SUPPORTED);
    968     goto err;
    969   }
    970 
    971   if (!CBS_get_asn1(&wrapped_authsafes, &authsafes, CBS_ASN1_OCTETSTRING)) {
    972     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
    973     goto err;
    974   }
    975 
    976   ctx.out_key = out_key;
    977   ctx.out_certs = out_certs;
    978   if (!ascii_to_ucs2(password, strlen(password), &ctx.password,
    979                      &ctx.password_len)) {
    980     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_DECODE_ERROR);
    981     goto err;
    982   }
    983 
    984   /* Verify the MAC. */
    985   {
    986     CBS mac, hash_type_seq, hash_oid, salt, expected_mac;
    987     uint64_t iterations;
    988     int hash_nid;
    989     const EVP_MD *md;
    990     uint8_t hmac_key[EVP_MAX_MD_SIZE];
    991     uint8_t hmac[EVP_MAX_MD_SIZE];
    992     unsigned hmac_len;
    993 
    994     if (!CBS_get_asn1(&mac_data, &mac, CBS_ASN1_SEQUENCE) ||
    995         !CBS_get_asn1(&mac, &hash_type_seq, CBS_ASN1_SEQUENCE) ||
    996         !CBS_get_asn1(&hash_type_seq, &hash_oid, CBS_ASN1_OBJECT) ||
    997         !CBS_get_asn1(&mac, &expected_mac, CBS_ASN1_OCTETSTRING) ||
    998         !CBS_get_asn1(&mac_data, &salt, CBS_ASN1_OCTETSTRING)) {
    999       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
   1000       goto err;
   1001     }
   1002 
   1003     /* The iteration count is optional and the default is one. */
   1004     iterations = 1;
   1005     if (CBS_len(&mac_data) > 0) {
   1006       if (!CBS_get_asn1_uint64(&mac_data, &iterations) ||
   1007           iterations > INT_MAX) {
   1008         OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
   1009         goto err;
   1010       }
   1011     }
   1012 
   1013     hash_nid = OBJ_cbs2nid(&hash_oid);
   1014     if (hash_nid == NID_undef ||
   1015         (md = EVP_get_digestbynid(hash_nid)) == NULL) {
   1016       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_UNKNOWN_HASH);
   1017       goto err;
   1018     }
   1019 
   1020     if (!pkcs12_key_gen_raw(ctx.password, ctx.password_len, CBS_data(&salt),
   1021                             CBS_len(&salt), PKCS12_MAC_ID, iterations,
   1022                             EVP_MD_size(md), hmac_key, md)) {
   1023       goto err;
   1024     }
   1025 
   1026     if (NULL == HMAC(md, hmac_key, EVP_MD_size(md), CBS_data(&authsafes),
   1027                      CBS_len(&authsafes), hmac, &hmac_len)) {
   1028       goto err;
   1029     }
   1030 
   1031     if (!CBS_mem_equal(&expected_mac, hmac, hmac_len)) {
   1032       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_INCORRECT_PASSWORD);
   1033       goto err;
   1034     }
   1035   }
   1036 
   1037   /* authsafes contains a series of PKCS#7 ContentInfos. */
   1038   if (!PKCS12_handle_content_infos(&authsafes, 0, &ctx)) {
   1039     goto err;
   1040   }
   1041 
   1042   ret = 1;
   1043 
   1044 err:
   1045   OPENSSL_free(ctx.password);
   1046   OPENSSL_free(der_bytes);
   1047   if (!ret) {
   1048     EVP_PKEY_free(*out_key);
   1049     *out_key = NULL;
   1050     while (sk_X509_num(out_certs) > original_out_certs_len) {
   1051       X509 *x509 = sk_X509_pop(out_certs);
   1052       X509_free(x509);
   1053     }
   1054   }
   1055 
   1056   return ret;
   1057 }
   1058 
   1059 void PKCS12_PBE_add(void) {}
   1060 
   1061 struct pkcs12_st {
   1062   uint8_t *ber_bytes;
   1063   size_t ber_len;
   1064 };
   1065 
   1066 PKCS12* d2i_PKCS12(PKCS12 **out_p12, const uint8_t **ber_bytes, size_t ber_len) {
   1067   PKCS12 *p12;
   1068 
   1069   /* out_p12 must be NULL because we don't export the PKCS12 structure. */
   1070   assert(out_p12 == NULL);
   1071 
   1072   p12 = OPENSSL_malloc(sizeof(PKCS12));
   1073   if (!p12) {
   1074     return NULL;
   1075   }
   1076 
   1077   p12->ber_bytes = OPENSSL_malloc(ber_len);
   1078   if (!p12->ber_bytes) {
   1079     OPENSSL_free(p12);
   1080     return NULL;
   1081   }
   1082 
   1083   memcpy(p12->ber_bytes, *ber_bytes, ber_len);
   1084   p12->ber_len = ber_len;
   1085   *ber_bytes += ber_len;
   1086 
   1087   return p12;
   1088 }
   1089 
   1090 PKCS12* d2i_PKCS12_bio(BIO *bio, PKCS12 **out_p12) {
   1091   size_t used = 0;
   1092   BUF_MEM *buf;
   1093   const uint8_t *dummy;
   1094   static const size_t kMaxSize = 256 * 1024;
   1095   PKCS12 *ret = NULL;
   1096 
   1097   buf = BUF_MEM_new();
   1098   if (buf == NULL) {
   1099     return NULL;
   1100   }
   1101   if (BUF_MEM_grow(buf, 8192) == 0) {
   1102     goto out;
   1103   }
   1104 
   1105   for (;;) {
   1106     int n = BIO_read(bio, &buf->data[used], buf->length - used);
   1107     if (n < 0) {
   1108       goto out;
   1109     }
   1110 
   1111     if (n == 0) {
   1112       break;
   1113     }
   1114     used += n;
   1115 
   1116     if (used < buf->length) {
   1117       continue;
   1118     }
   1119 
   1120     if (buf->length > kMaxSize ||
   1121         BUF_MEM_grow(buf, buf->length * 2) == 0) {
   1122       goto out;
   1123     }
   1124   }
   1125 
   1126   dummy = (uint8_t*) buf->data;
   1127   ret = d2i_PKCS12(out_p12, &dummy, used);
   1128 
   1129 out:
   1130   BUF_MEM_free(buf);
   1131   return ret;
   1132 }
   1133 
   1134 PKCS12* d2i_PKCS12_fp(FILE *fp, PKCS12 **out_p12) {
   1135   BIO *bio;
   1136   PKCS12 *ret;
   1137 
   1138   bio = BIO_new_fp(fp, 0 /* don't take ownership */);
   1139   if (!bio) {
   1140     return NULL;
   1141   }
   1142 
   1143   ret = d2i_PKCS12_bio(bio, out_p12);
   1144   BIO_free(bio);
   1145   return ret;
   1146 }
   1147 
   1148 int PKCS12_parse(const PKCS12 *p12, const char *password, EVP_PKEY **out_pkey,
   1149                  X509 **out_cert, STACK_OF(X509) **out_ca_certs) {
   1150   CBS ber_bytes;
   1151   STACK_OF(X509) *ca_certs = NULL;
   1152   char ca_certs_alloced = 0;
   1153 
   1154   if (out_ca_certs != NULL && *out_ca_certs != NULL) {
   1155     ca_certs = *out_ca_certs;
   1156   }
   1157 
   1158   if (!ca_certs) {
   1159     ca_certs = sk_X509_new_null();
   1160     if (ca_certs == NULL) {
   1161       OPENSSL_PUT_ERROR(PKCS8, ERR_R_MALLOC_FAILURE);
   1162       return 0;
   1163     }
   1164     ca_certs_alloced = 1;
   1165   }
   1166 
   1167   CBS_init(&ber_bytes, p12->ber_bytes, p12->ber_len);
   1168   if (!PKCS12_get_key_and_certs(out_pkey, ca_certs, &ber_bytes, password)) {
   1169     if (ca_certs_alloced) {
   1170       sk_X509_free(ca_certs);
   1171     }
   1172     return 0;
   1173   }
   1174 
   1175   *out_cert = NULL;
   1176   if (sk_X509_num(ca_certs) > 0) {
   1177     *out_cert = sk_X509_shift(ca_certs);
   1178   }
   1179 
   1180   if (out_ca_certs) {
   1181     *out_ca_certs = ca_certs;
   1182   } else {
   1183     sk_X509_pop_free(ca_certs, X509_free);
   1184   }
   1185 
   1186   return 1;
   1187 }
   1188 
   1189 int PKCS12_verify_mac(const PKCS12 *p12, const char *password,
   1190                       int password_len) {
   1191   if (password == NULL) {
   1192     if (password_len != 0) {
   1193       return 0;
   1194     }
   1195   } else if (password_len != -1 &&
   1196              (password[password_len] != 0 ||
   1197               memchr(password, 0, password_len) != NULL)) {
   1198     return 0;
   1199   }
   1200 
   1201   EVP_PKEY *pkey = NULL;
   1202   X509 *cert = NULL;
   1203   if (!PKCS12_parse(p12, password, &pkey, &cert, NULL)) {
   1204     ERR_clear_error();
   1205     return 0;
   1206   }
   1207 
   1208   EVP_PKEY_free(pkey);
   1209   X509_free(cert);
   1210 
   1211   return 1;
   1212 }
   1213 
   1214 void PKCS12_free(PKCS12 *p12) {
   1215   OPENSSL_free(p12->ber_bytes);
   1216   OPENSSL_free(p12);
   1217 }
   1218