2 * Copyright (c) 2004 - 2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
41 typedef int (*collector_func)(hx509_context,
42 struct hx509_collector *,
44 const PKCS12_Attributes *);
52 parse_pkcs12_type(hx509_context, struct hx509_collector *, const heim_oid *,
53 const void *, size_t, const PKCS12_Attributes *);
56 static const PKCS12_Attribute *
57 find_attribute(const PKCS12_Attributes *attrs, const heim_oid *oid)
62 for (i = 0; i < attrs->len; i++)
63 if (der_heim_oid_cmp(oid, &attrs->val[i].attrId) == 0)
64 return &attrs->val[i];
69 keyBag_parser(hx509_context context,
70 struct hx509_collector *c,
71 const void *data, size_t length,
72 const PKCS12_Attributes *attrs)
74 const PKCS12_Attribute *attr;
75 PKCS8PrivateKeyInfo ki;
76 const heim_octet_string *os = NULL;
79 attr = find_attribute(attrs, &asn1_oid_id_pkcs_9_at_localKeyId);
81 os = &attr->attrValues;
83 ret = decode_PKCS8PrivateKeyInfo(data, length, &ki, NULL);
87 _hx509_collector_private_key_add(context,
89 &ki.privateKeyAlgorithm,
93 free_PKCS8PrivateKeyInfo(&ki);
98 ShroudedKeyBag_parser(hx509_context context,
99 struct hx509_collector *c,
100 const void *data, size_t length,
101 const PKCS12_Attributes *attrs)
103 PKCS8EncryptedPrivateKeyInfo pk;
104 heim_octet_string content;
107 memset(&pk, 0, sizeof(pk));
109 ret = decode_PKCS8EncryptedPrivateKeyInfo(data, length, &pk, NULL);
113 ret = _hx509_pbe_decrypt(context,
114 _hx509_collector_get_lock(c),
115 &pk.encryptionAlgorithm,
118 free_PKCS8EncryptedPrivateKeyInfo(&pk);
122 ret = keyBag_parser(context, c, content.data, content.length, attrs);
123 der_free_octet_string(&content);
128 certBag_parser(hx509_context context,
129 struct hx509_collector *c,
130 const void *data, size_t length,
131 const PKCS12_Attributes *attrs)
133 heim_octet_string os;
138 ret = decode_PKCS12_CertBag(data, length, &cb, NULL);
142 if (der_heim_oid_cmp(&asn1_oid_id_pkcs_9_at_certTypes_x509, &cb.certType)) {
143 free_PKCS12_CertBag(&cb);
147 ret = decode_PKCS12_OctetString(cb.certValue.data,
151 free_PKCS12_CertBag(&cb);
155 ret = hx509_cert_init_data(context, os.data, os.length, &cert);
156 der_free_octet_string(&os);
160 ret = _hx509_collector_certs_add(context, c, cert);
162 hx509_cert_free(cert);
167 const PKCS12_Attribute *attr;
168 const heim_oid *oids[] = {
169 &asn1_oid_id_pkcs_9_at_localKeyId, &asn1_oid_id_pkcs_9_at_friendlyName
173 for (i = 0; i < sizeof(oids)/sizeof(oids[0]); i++) {
174 const heim_oid *oid = oids[i];
175 attr = find_attribute(attrs, oid);
177 _hx509_set_cert_attribute(context, cert, oid,
182 hx509_cert_free(cert);
188 parse_safe_content(hx509_context context,
189 struct hx509_collector *c,
190 const unsigned char *p, size_t len)
192 PKCS12_SafeContents sc;
196 memset(&sc, 0, sizeof(sc));
198 ret = decode_PKCS12_SafeContents(p, len, &sc, NULL);
202 for (i = 0; i < sc.len ; i++)
203 parse_pkcs12_type(context,
206 sc.val[i].bagValue.data,
207 sc.val[i].bagValue.length,
208 sc.val[i].bagAttributes);
210 free_PKCS12_SafeContents(&sc);
215 safeContent_parser(hx509_context context,
216 struct hx509_collector *c,
217 const void *data, size_t length,
218 const PKCS12_Attributes *attrs)
220 heim_octet_string os;
223 ret = decode_PKCS12_OctetString(data, length, &os, NULL);
226 ret = parse_safe_content(context, c, os.data, os.length);
227 der_free_octet_string(&os);
232 encryptedData_parser(hx509_context context,
233 struct hx509_collector *c,
234 const void *data, size_t length,
235 const PKCS12_Attributes *attrs)
237 heim_octet_string content;
238 heim_oid contentType;
241 memset(&contentType, 0, sizeof(contentType));
243 ret = hx509_cms_decrypt_encrypted(context,
244 _hx509_collector_get_lock(c),
251 if (der_heim_oid_cmp(&contentType, &asn1_oid_id_pkcs7_data) == 0)
252 ret = parse_safe_content(context, c, content.data, content.length);
254 der_free_octet_string(&content);
255 der_free_oid(&contentType);
260 envelopedData_parser(hx509_context context,
261 struct hx509_collector *c,
262 const void *data, size_t length,
263 const PKCS12_Attributes *attrs)
265 heim_octet_string content;
266 heim_oid contentType;
270 memset(&contentType, 0, sizeof(contentType));
272 lock = _hx509_collector_get_lock(c);
274 ret = hx509_cms_unenvelope(context,
275 _hx509_lock_unlock_certs(lock),
283 hx509_set_error_string(context, HX509_ERROR_APPEND, ret,
284 "PKCS12 failed to unenvelope");
288 if (der_heim_oid_cmp(&contentType, &asn1_oid_id_pkcs7_data) == 0)
289 ret = parse_safe_content(context, c, content.data, content.length);
291 der_free_octet_string(&content);
292 der_free_oid(&contentType);
298 struct type bagtypes[] = {
299 { &asn1_oid_id_pkcs12_keyBag, keyBag_parser },
300 { &asn1_oid_id_pkcs12_pkcs8ShroudedKeyBag, ShroudedKeyBag_parser },
301 { &asn1_oid_id_pkcs12_certBag, certBag_parser },
302 { &asn1_oid_id_pkcs7_data, safeContent_parser },
303 { &asn1_oid_id_pkcs7_encryptedData, encryptedData_parser },
304 { &asn1_oid_id_pkcs7_envelopedData, envelopedData_parser }
308 parse_pkcs12_type(hx509_context context,
309 struct hx509_collector *c,
311 const void *data, size_t length,
312 const PKCS12_Attributes *attrs)
316 for (i = 0; i < sizeof(bagtypes)/sizeof(bagtypes[0]); i++)
317 if (der_heim_oid_cmp(bagtypes[i].oid, oid) == 0)
318 (*bagtypes[i].func)(context, c, data, length, attrs);
322 p12_init(hx509_context context,
323 hx509_certs certs, void **data, int flags,
324 const char *residue, hx509_lock lock)
326 struct ks_pkcs12 *p12;
330 PKCS12_AuthenticatedSafe as;
333 struct hx509_collector *c;
338 lock = _hx509_empty_lock;
340 ret = _hx509_collector_alloc(context, lock, &c);
344 p12 = calloc(1, sizeof(*p12));
347 hx509_set_error_string(context, 0, ret, "out of memory");
351 p12->fn = strdup(residue);
352 if (p12->fn == NULL) {
354 hx509_set_error_string(context, 0, ret, "out of memory");
358 if (flags & HX509_CERTS_CREATE) {
359 ret = hx509_certs_init(context, "MEMORY:ks-file-create",
360 0, lock, &p12->certs);
366 ret = rk_undumpdata(residue, &buf, &len);
368 hx509_clear_error_string(context);
372 ret = decode_PKCS12_PFX(buf, len, &pfx, NULL);
375 hx509_set_error_string(context, 0, ret,
376 "Failed to decode the PFX in %s", residue);
380 if (der_heim_oid_cmp(&pfx.authSafe.contentType, &asn1_oid_id_pkcs7_data) != 0) {
381 free_PKCS12_PFX(&pfx);
383 hx509_set_error_string(context, 0, ret,
384 "PKCS PFX isn't a pkcs7-data container");
388 if (pfx.authSafe.content == NULL) {
389 free_PKCS12_PFX(&pfx);
391 hx509_set_error_string(context, 0, ret,
392 "PKCS PFX missing data");
397 heim_octet_string asdata;
399 ret = decode_PKCS12_OctetString(pfx.authSafe.content->data,
400 pfx.authSafe.content->length,
403 free_PKCS12_PFX(&pfx);
405 hx509_clear_error_string(context);
408 ret = decode_PKCS12_AuthenticatedSafe(asdata.data,
412 der_free_octet_string(&asdata);
414 hx509_clear_error_string(context);
419 for (i = 0; i < as.len; i++)
420 parse_pkcs12_type(context,
422 &as.val[i].contentType,
423 as.val[i].content->data,
424 as.val[i].content->length,
427 free_PKCS12_AuthenticatedSafe(&as);
429 ret = _hx509_collector_collect_certs(context, c, &p12->certs);
434 _hx509_collector_free(c);
440 hx509_certs_free(&p12->certs);
448 addBag(hx509_context context,
449 PKCS12_AuthenticatedSafe *as,
457 ptr = realloc(as->val, sizeof(as->val[0]) * (as->len + 1));
459 hx509_set_error_string(context, 0, ENOMEM, "out of memory");
464 ret = der_copy_oid(oid, &as->val[as->len].contentType);
466 hx509_set_error_string(context, 0, ret, "out of memory");
470 as->val[as->len].content = calloc(1, sizeof(*as->val[0].content));
471 if (as->val[as->len].content == NULL) {
472 der_free_oid(&as->val[as->len].contentType);
473 hx509_set_error_string(context, 0, ENOMEM, "malloc out of memory");
477 as->val[as->len].content->data = data;
478 as->val[as->len].content->length = length;
486 store_func(hx509_context context, void *ctx, hx509_cert c)
488 PKCS12_AuthenticatedSafe *as = ctx;
489 PKCS12_OctetString os;
494 memset(&os, 0, sizeof(os));
495 memset(&cb, 0, sizeof(cb));
500 ret = hx509_cert_binary(context, c, &os);
504 ASN1_MALLOC_ENCODE(PKCS12_OctetString,
505 cb.certValue.data,cb.certValue.length,
510 ret = der_copy_oid(&asn1_oid_id_pkcs_9_at_certTypes_x509, &cb.certType);
512 free_PKCS12_CertBag(&cb);
515 ASN1_MALLOC_ENCODE(PKCS12_CertBag, os.data, os.length,
517 free_PKCS12_CertBag(&cb);
521 ret = addBag(context, as, &asn1_oid_id_pkcs12_certBag, os.data, os.length);
523 if (_hx509_cert_private_key_exportable(c)) {
524 hx509_private_key key = _hx509_cert_private_key(c);
525 PKCS8PrivateKeyInfo pki;
527 memset(&pki, 0, sizeof(pki));
529 ret = der_parse_hex_heim_integer("00", &pki.version);
532 ret = _hx509_private_key_oid(context, key,
533 &pki.privateKeyAlgorithm.algorithm);
535 free_PKCS8PrivateKeyInfo(&pki);
538 ret = _hx509_private_key_export(context,
539 _hx509_cert_private_key(c),
540 HX509_KEY_FORMAT_DER,
543 free_PKCS8PrivateKeyInfo(&pki);
546 /* set attribute, asn1_oid_id_pkcs_9_at_localKeyId */
548 ASN1_MALLOC_ENCODE(PKCS8PrivateKeyInfo, os.data, os.length,
550 free_PKCS8PrivateKeyInfo(&pki);
554 ret = addBag(context, as, &asn1_oid_id_pkcs12_keyBag, os.data, os.length);
564 p12_store(hx509_context context,
565 hx509_certs certs, void *data, int flags, hx509_lock lock)
567 struct ks_pkcs12 *p12 = data;
569 PKCS12_AuthenticatedSafe as;
570 PKCS12_OctetString asdata;
574 memset(&as, 0, sizeof(as));
575 memset(&pfx, 0, sizeof(pfx));
577 ret = hx509_certs_iter_f(context, p12->certs, store_func, &as);
581 ASN1_MALLOC_ENCODE(PKCS12_AuthenticatedSafe, asdata.data, asdata.length,
583 free_PKCS12_AuthenticatedSafe(&as);
587 ret = der_parse_hex_heim_integer("03", &pfx.version);
593 pfx.authSafe.content = calloc(1, sizeof(*pfx.authSafe.content));
595 ASN1_MALLOC_ENCODE(PKCS12_OctetString,
596 pfx.authSafe.content->data,
597 pfx.authSafe.content->length,
598 &asdata, &size, ret);
603 ret = der_copy_oid(&asn1_oid_id_pkcs7_data, &pfx.authSafe.contentType);
607 ASN1_MALLOC_ENCODE(PKCS12_PFX, asdata.data, asdata.length,
613 const struct _hx509_password *pw;
615 pw = _hx509_lock_get_passwords(lock);
617 pfx.macData = calloc(1, sizeof(*pfx.macData));
618 if (pfx.macData == NULL) {
620 hx509_set_error_string(context, 0, ret, "malloc out of memory");
623 if (pfx.macData == NULL) {
628 ret = calculate_hash(&aspath, pw, pfx.macData);
631 rk_dumpdata(p12->fn, asdata.data, asdata.length);
635 free_PKCS12_AuthenticatedSafe(&as);
636 free_PKCS12_PFX(&pfx);
643 p12_free(hx509_certs certs, void *data)
645 struct ks_pkcs12 *p12 = data;
646 hx509_certs_free(&p12->certs);
653 p12_add(hx509_context context, hx509_certs certs, void *data, hx509_cert c)
655 struct ks_pkcs12 *p12 = data;
656 return hx509_certs_add(context, p12->certs, c);
660 p12_iter_start(hx509_context context,
665 struct ks_pkcs12 *p12 = data;
666 return hx509_certs_start_seq(context, p12->certs, cursor);
670 p12_iter(hx509_context context,
676 struct ks_pkcs12 *p12 = data;
677 return hx509_certs_next_cert(context, p12->certs, cursor, cert);
681 p12_iter_end(hx509_context context,
686 struct ks_pkcs12 *p12 = data;
687 return hx509_certs_end_seq(context, p12->certs, cursor);
690 static struct hx509_keyset_ops keyset_pkcs12 = {
704 _hx509_ks_pkcs12_register(hx509_context context)
706 _hx509_ks_register(context, &keyset_pkcs12);