search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3:vfs:gpfs: fix flapping offline: always get winAttrs from gpfs for is_offline
[Samba.git] / source4 / heimdal / lib / hx509 / ks_file.c
blobd21d889287080868a7701eb63d6ed6f93c510eb3
1 /*
2 * Copyright (c) 2005 - 2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "hx_locl.h"
35
36 typedef enum { USE_PEM, USE_DER } outformat;
37
38 struct ks_file {
39 hx509_certs certs;
40 char *fn;
41 outformat format;
42 };
43
44 /*
45 *
46 */
47
48 static int
49 parse_certificate(hx509_context context, const char *fn,
50 struct hx509_collector *c,
51 const hx509_pem_header *headers,
52 const void *data, size_t len,
53 const AlgorithmIdentifier *ai)
54 {
55 hx509_cert cert;
56 int ret;
57
58 ret = hx509_cert_init_data(context, data, len, &cert);
59 if (ret)
60 return ret;
61
62 ret = _hx509_collector_certs_add(context, c, cert);
63 hx509_cert_free(cert);
64 return ret;
65 }
66
67 static int
68 try_decrypt(hx509_context context,
69 struct hx509_collector *collector,
70 const AlgorithmIdentifier *alg,
71 const EVP_CIPHER *c,
72 const void *ivdata,
73 const void *password,
74 size_t passwordlen,
75 const void *cipher,
76 size_t len)
77 {
78 heim_octet_string clear;
79 size_t keylen;
80 void *key;
81 int ret;
82
83 keylen = EVP_CIPHER_key_length(c);
84
85 key = malloc(keylen);
86 if (key == NULL) {
87 hx509_clear_error_string(context);
88 return ENOMEM;
89 }
90
91 ret = EVP_BytesToKey(c, EVP_md5(), ivdata,
92 password, passwordlen,
93 1, key, NULL);
94 if (ret <= 0) {
95 hx509_set_error_string(context, 0, HX509_CRYPTO_INTERNAL_ERROR,
96 "Failed to do string2key for private key");
97 return HX509_CRYPTO_INTERNAL_ERROR;
98 }
99
100 clear.data = malloc(len);
101 if (clear.data == NULL) {
102 hx509_set_error_string(context, 0, ENOMEM,
103 "Out of memory to decrypt for private key");
104 ret = ENOMEM;
105 goto out;
106 }
107 clear.length = len;
108
109 {
110 EVP_CIPHER_CTX ctx;
111 EVP_CIPHER_CTX_init(&ctx);
112 EVP_CipherInit_ex(&ctx, c, NULL, key, ivdata, 0);
113 EVP_Cipher(&ctx, clear.data, cipher, len);
114 EVP_CIPHER_CTX_cleanup(&ctx);
115 }
116
117 ret = _hx509_collector_private_key_add(context,
118 collector,
119 alg,
120 NULL,
121 &clear,
122 NULL);
123
124 memset(clear.data, 0, clear.length);
125 free(clear.data);
126 out:
127 memset(key, 0, keylen);
128 free(key);
129 return ret;
130 }
131
132 static int
133 parse_pkcs8_private_key(hx509_context context, const char *fn,
134 struct hx509_collector *c,
135 const hx509_pem_header *headers,
136 const void *data, size_t length,
137 const AlgorithmIdentifier *ai)
138 {
139 PKCS8PrivateKeyInfo ki;
140 heim_octet_string keydata;
141
142 int ret;
143
144 ret = decode_PKCS8PrivateKeyInfo(data, length, &ki, NULL);
145 if (ret)
146 return ret;
147
148 keydata.data = rk_UNCONST(data);
149 keydata.length = length;
150
151 ret = _hx509_collector_private_key_add(context,
152 c,
153 &ki.privateKeyAlgorithm,
154 NULL,
155 &ki.privateKey,
156 &keydata);
157 free_PKCS8PrivateKeyInfo(&ki);
158 return ret;
159 }
160
161 static int
162 parse_pem_private_key(hx509_context context, const char *fn,
163 struct hx509_collector *c,
164 const hx509_pem_header *headers,
165 const void *data, size_t len,
166 const AlgorithmIdentifier *ai)
167 {
168 int ret = 0;
169 const char *enc;
170
171 enc = hx509_pem_find_header(headers, "Proc-Type");
172 if (enc) {
173 const char *dek;
174 char *type, *iv;
175 ssize_t ssize, size;
176 void *ivdata;
177 const EVP_CIPHER *cipher;
178 const struct _hx509_password *pw;
179 hx509_lock lock;
180 int decrypted = 0;
181 size_t i;
182
183 lock = _hx509_collector_get_lock(c);
184 if (lock == NULL) {
185 hx509_set_error_string(context, 0, HX509_ALG_NOT_SUPP,
186 "Failed to get password for "
187 "password protected file %s", fn);
188 return HX509_ALG_NOT_SUPP;
189 }
190
191 if (strcmp(enc, "4,ENCRYPTED") != 0) {
192 hx509_set_error_string(context, 0, HX509_PARSING_KEY_FAILED,
193 "Private key encrypted in unknown method %s "
194 "in file",
195 enc, fn);
196 hx509_clear_error_string(context);
197 return HX509_PARSING_KEY_FAILED;
198 }
199
200 dek = hx509_pem_find_header(headers, "DEK-Info");
201 if (dek == NULL) {
202 hx509_set_error_string(context, 0, HX509_PARSING_KEY_FAILED,
203 "Encrypted private key missing DEK-Info");
204 return HX509_PARSING_KEY_FAILED;
205 }
206
207 type = strdup(dek);
208 if (type == NULL) {
209 hx509_clear_error_string(context);
210 return ENOMEM;
211 }
212
213 iv = strchr(type, ',');
214 if (iv == NULL) {
215 free(type);
216 hx509_set_error_string(context, 0, HX509_PARSING_KEY_FAILED,
217 "IV missing");
218 return HX509_PARSING_KEY_FAILED;
219 }
220
221 *iv++ = '\0';
222
223 size = strlen(iv);
224 ivdata = malloc(size);
225 if (ivdata == NULL) {
226 hx509_clear_error_string(context);
227 free(type);
228 return ENOMEM;
229 }
230
231 cipher = EVP_get_cipherbyname(type);
232 if (cipher == NULL) {
233 free(ivdata);
234 hx509_set_error_string(context, 0, HX509_ALG_NOT_SUPP,
235 "Private key encrypted with "
236 "unsupported cipher: %s",
237 type);
238 free(type);
239 return HX509_ALG_NOT_SUPP;
240 }
241
242 #define PKCS5_SALT_LEN 8
243
244 ssize = hex_decode(iv, ivdata, size);
245 free(type);
246 type = NULL;
247 iv = NULL;
248
249 if (ssize < 0 || ssize < PKCS5_SALT_LEN || ssize < EVP_CIPHER_iv_length(cipher)) {
250 free(ivdata);
251 hx509_set_error_string(context, 0, HX509_PARSING_KEY_FAILED,
252 "Salt have wrong length in "
253 "private key file");
254 return HX509_PARSING_KEY_FAILED;
255 }
256
257 pw = _hx509_lock_get_passwords(lock);
258 if (pw != NULL) {
259 const void *password;
260 size_t passwordlen;
261
262 for (i = 0; i < pw->len; i++) {
263 password = pw->val[i];
264 passwordlen = strlen(password);
265
266 ret = try_decrypt(context, c, ai, cipher, ivdata,
267 password, passwordlen, data, len);
268 if (ret == 0) {
269 decrypted = 1;
270 break;
271 }
272 }
273 }
274 if (!decrypted) {
275 hx509_prompt prompt;
276 char password[128];
277
278 memset(&prompt, 0, sizeof(prompt));
279
280 prompt.prompt = "Password for keyfile: ";
281 prompt.type = HX509_PROMPT_TYPE_PASSWORD;
282 prompt.reply.data = password;
283 prompt.reply.length = sizeof(password);
284
285 ret = hx509_lock_prompt(lock, &prompt);
286 if (ret == 0)
287 ret = try_decrypt(context, c, ai, cipher, ivdata, password,
288 strlen(password), data, len);
289 /* XXX add password to lock password collection ? */
290 memset(password, 0, sizeof(password));
291 }
292 free(ivdata);
293
294 } else {
295 heim_octet_string keydata;
296
297 keydata.data = rk_UNCONST(data);
298 keydata.length = len;
299
300 ret = _hx509_collector_private_key_add(context, c, ai, NULL,
301 &keydata, NULL);
302 }
303
304 return ret;
305 }
306
307
308 struct pem_formats {
309 const char *name;
310 int (*func)(hx509_context, const char *, struct hx509_collector *,
311 const hx509_pem_header *, const void *, size_t,
312 const AlgorithmIdentifier *);
313 const AlgorithmIdentifier *(*ai)(void);
314 } formats[] = {
315 { "CERTIFICATE", parse_certificate, NULL },
316 { "PRIVATE KEY", parse_pkcs8_private_key, NULL },
317 { "RSA PRIVATE KEY", parse_pem_private_key, hx509_signature_rsa },
318 { "EC PRIVATE KEY", parse_pem_private_key, hx509_signature_ecPublicKey }
319 };
320
321
322 struct pem_ctx {
323 int flags;
324 struct hx509_collector *c;
325 };
326
327 static int
328 pem_func(hx509_context context, const char *type,
329 const hx509_pem_header *header,
330 const void *data, size_t len, void *ctx)
331 {
332 struct pem_ctx *pem_ctx = (struct pem_ctx*)ctx;
333 int ret = 0;
334 size_t j;
335
336 for (j = 0; j < sizeof(formats)/sizeof(formats[0]); j++) {
337 const char *q = formats[j].name;
338 if (strcasecmp(type, q) == 0) {
339 const AlgorithmIdentifier *ai = NULL;
340 if (formats[j].ai != NULL)
341 ai = (*formats[j].ai)();
342
343 ret = (*formats[j].func)(context, NULL, pem_ctx->c,
344 header, data, len, ai);
345 if (ret && (pem_ctx->flags & HX509_CERTS_UNPROTECT_ALL)) {
346 hx509_set_error_string(context, HX509_ERROR_APPEND, ret,
347 "Failed parseing PEM format %s", type);
348 return ret;
349 }
350 break;
351 }
352 }
353 if (j == sizeof(formats)/sizeof(formats[0])) {
354 ret = HX509_UNSUPPORTED_OPERATION;
355 hx509_set_error_string(context, 0, ret,
356 "Found no matching PEM format for %s", type);
357 return ret;
358 }
359 return 0;
360 }
361
362 /*
363 *
364 */
365
366 static int
367 file_init_common(hx509_context context,
368 hx509_certs certs, void **data, int flags,
369 const char *residue, hx509_lock lock, outformat format)
370 {
371 char *p, *pnext;
372 struct ks_file *ksf = NULL;
373 hx509_private_key *keys = NULL;
374 int ret;
375 struct pem_ctx pem_ctx;
376
377 pem_ctx.flags = flags;
378 pem_ctx.c = NULL;
379
380 *data = NULL;
381
382 if (lock == NULL)
383 lock = _hx509_empty_lock;
384
385 ksf = calloc(1, sizeof(*ksf));
386 if (ksf == NULL) {
387 hx509_clear_error_string(context);
388 return ENOMEM;
389 }
390 ksf->format = format;
391
392 ksf->fn = strdup(residue);
393 if (ksf->fn == NULL) {
394 hx509_clear_error_string(context);
395 ret = ENOMEM;
396 goto out;
397 }
398
399 /*
400 * XXX this is broken, the function should parse the file before
401 * overwriting it
402 */
403
404 if (flags & HX509_CERTS_CREATE) {
405 ret = hx509_certs_init(context, "MEMORY:ks-file-create",
406 0, lock, &ksf->certs);
407 if (ret)
408 goto out;
409 *data = ksf;
410 return 0;
411 }
412
413 ret = _hx509_collector_alloc(context, lock, &pem_ctx.c);
414 if (ret)
415 goto out;
416
417 for (p = ksf->fn; p != NULL; p = pnext) {
418 FILE *f;
419
420 pnext = strchr(p, ',');
421 if (pnext)
422 *pnext++ = '\0';
423
424
425 if ((f = fopen(p, "r")) == NULL) {
426 ret = ENOENT;
427 hx509_set_error_string(context, 0, ret,
428 "Failed to open PEM file \"%s\": %s",
429 p, strerror(errno));
430 goto out;
431 }
432 rk_cloexec_file(f);
433
434 ret = hx509_pem_read(context, f, pem_func, &pem_ctx);
435 fclose(f);
436 if (ret != 0 && ret != HX509_PARSING_KEY_FAILED)
437 goto out;
438 else if (ret == HX509_PARSING_KEY_FAILED) {
439 size_t length;
440 void *ptr;
441 size_t i;
442
443 ret = rk_undumpdata(p, &ptr, &length);
444 if (ret) {
445 hx509_clear_error_string(context);
446 goto out;
447 }
448
449 for (i = 0; i < sizeof(formats)/sizeof(formats[0]); i++) {
450 const AlgorithmIdentifier *ai = NULL;
451 if (formats[i].ai != NULL)
452 ai = (*formats[i].ai)();
453
454 ret = (*formats[i].func)(context, p, pem_ctx.c, NULL, ptr, length, ai);
455 if (ret == 0)
456 break;
457 }
458 rk_xfree(ptr);
459 if (ret) {
460 hx509_clear_error_string(context);
461 goto out;
462 }
463 }
464 }
465
466 ret = _hx509_collector_collect_certs(context, pem_ctx.c, &ksf->certs);
467 if (ret)
468 goto out;
469
470 ret = _hx509_collector_collect_private_keys(context, pem_ctx.c, &keys);
471 if (ret == 0) {
472 int i;
473
474 for (i = 0; keys[i]; i++)
475 _hx509_certs_keys_add(context, ksf->certs, keys[i]);
476 _hx509_certs_keys_free(context, keys);
477 }
478
479 out:
480 if (ret == 0)
481 *data = ksf;
482 else {
483 if (ksf->fn)
484 free(ksf->fn);
485 free(ksf);
486 }
487 if (pem_ctx.c)
488 _hx509_collector_free(pem_ctx.c);
489
490 return ret;
491 }
492
493 static int
494 file_init_pem(hx509_context context,
495 hx509_certs certs, void **data, int flags,
496 const char *residue, hx509_lock lock)
497 {
498 return file_init_common(context, certs, data, flags, residue, lock, USE_PEM);
499 }
500
501 static int
502 file_init_der(hx509_context context,
503 hx509_certs certs, void **data, int flags,
504 const char *residue, hx509_lock lock)
505 {
506 return file_init_common(context, certs, data, flags, residue, lock, USE_DER);
507 }
508
509 static int
510 file_free(hx509_certs certs, void *data)
511 {
512 struct ks_file *ksf = data;
513 hx509_certs_free(&ksf->certs);
514 free(ksf->fn);
515 free(ksf);
516 return 0;
517 }
518
519 struct store_ctx {
520 FILE *f;
521 outformat format;
522 };
523
524 static int
525 store_func(hx509_context context, void *ctx, hx509_cert c)
526 {
527 struct store_ctx *sc = ctx;
528 heim_octet_string data;
529 int ret;
530
531 ret = hx509_cert_binary(context, c, &data);
532 if (ret)
533 return ret;
534
535 switch (sc->format) {
536 case USE_DER:
537 fwrite(data.data, data.length, 1, sc->f);
538 free(data.data);
539 break;
540 case USE_PEM:
541 hx509_pem_write(context, "CERTIFICATE", NULL, sc->f,
542 data.data, data.length);
543 free(data.data);
544 if (_hx509_cert_private_key_exportable(c)) {
545 hx509_private_key key = _hx509_cert_private_key(c);
546 ret = _hx509_private_key_export(context, key,
547 HX509_KEY_FORMAT_DER, &data);
548 if (ret)
549 break;
550 hx509_pem_write(context, _hx509_private_pem_name(key), NULL, sc->f,
551 data.data, data.length);
552 free(data.data);
553 }
554 break;
555 }
556
557 return 0;
558 }
559
560 static int
561 file_store(hx509_context context,
562 hx509_certs certs, void *data, int flags, hx509_lock lock)
563 {
564 struct ks_file *ksf = data;
565 struct store_ctx sc;
566 int ret;
567
568 sc.f = fopen(ksf->fn, "w");
569 if (sc.f == NULL) {
570 hx509_set_error_string(context, 0, ENOENT,
571 "Failed to open file %s for writing");
572 return ENOENT;
573 }
574 rk_cloexec_file(sc.f);
575 sc.format = ksf->format;
576
577 ret = hx509_certs_iter_f(context, ksf->certs, store_func, &sc);
578 fclose(sc.f);
579 return ret;
580 }
581
582 static int
583 file_add(hx509_context context, hx509_certs certs, void *data, hx509_cert c)
584 {
585 struct ks_file *ksf = data;
586 return hx509_certs_add(context, ksf->certs, c);
587 }
588
589 static int
590 file_iter_start(hx509_context context,
591 hx509_certs certs, void *data, void **cursor)
592 {
593 struct ks_file *ksf = data;
594 return hx509_certs_start_seq(context, ksf->certs, cursor);
595 }
596
597 static int
598 file_iter(hx509_context context,
599 hx509_certs certs, void *data, void *iter, hx509_cert *cert)
600 {
601 struct ks_file *ksf = data;
602 return hx509_certs_next_cert(context, ksf->certs, iter, cert);
603 }
604
605 static int
606 file_iter_end(hx509_context context,
607 hx509_certs certs,
608 void *data,
609 void *cursor)
610 {
611 struct ks_file *ksf = data;
612 return hx509_certs_end_seq(context, ksf->certs, cursor);
613 }
614
615 static int
616 file_getkeys(hx509_context context,
617 hx509_certs certs,
618 void *data,
619 hx509_private_key **keys)
620 {
621 struct ks_file *ksf = data;
622 return _hx509_certs_keys_get(context, ksf->certs, keys);
623 }
624
625 static int
626 file_addkey(hx509_context context,
627 hx509_certs certs,
628 void *data,
629 hx509_private_key key)
630 {
631 struct ks_file *ksf = data;
632 return _hx509_certs_keys_add(context, ksf->certs, key);
633 }
634
635 static struct hx509_keyset_ops keyset_file = {
636 "FILE",
637 0,
638 file_init_pem,
639 file_store,
640 file_free,
641 file_add,
642 NULL,
643 file_iter_start,
644 file_iter,
645 file_iter_end,
646 NULL,
647 file_getkeys,
648 file_addkey
649 };
650
651 static struct hx509_keyset_ops keyset_pemfile = {
652 "PEM-FILE",
653 0,
654 file_init_pem,
655 file_store,
656 file_free,
657 file_add,
658 NULL,
659 file_iter_start,
660 file_iter,
661 file_iter_end,
662 NULL,
663 file_getkeys,
664 file_addkey
665 };
666
667 static struct hx509_keyset_ops keyset_derfile = {
668 "DER-FILE",
669 0,
670 file_init_der,
671 file_store,
672 file_free,
673 file_add,
674 NULL,
675 file_iter_start,
676 file_iter,
677 file_iter_end,
678 NULL,
679 file_getkeys,
680 file_addkey
681 };
682
683
684 void
685 _hx509_ks_file_register(hx509_context context)
686 {
687 _hx509_ks_register(context, &keyset_file);
688 _hx509_ks_register(context, &keyset_pemfile);
689 _hx509_ks_register(context, &keyset_derfile);
690 }
Samba GIT mirror