search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Add ability to specifiy PKCS#11 slot number when using hx509
[heimdal.git] / lib / hx509 / ks_p12.c
blobb7df0be32aca11e8423db794b7d4d2b3768e68bf
1 /*
2 * Copyright (c) 2004 - 2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "hx_locl.h"
35
36 struct ks_pkcs12 {
37 hx509_certs certs;
38 char *fn;
39 };
40
41 typedef int (*collector_func)(hx509_context,
42 struct hx509_collector *,
43 const void *, size_t,
44 const PKCS12_Attributes *);
45
46 struct type {
47 const heim_oid *oid;
48 collector_func func;
49 };
50
51 static void
52 parse_pkcs12_type(hx509_context, struct hx509_collector *, const heim_oid *,
53 const void *, size_t, const PKCS12_Attributes *);
54
55
56 static const PKCS12_Attribute *
57 find_attribute(const PKCS12_Attributes *attrs, const heim_oid *oid)
58 {
59 size_t i;
60 if (attrs == NULL)
61 return NULL;
62 for (i = 0; i < attrs->len; i++)
63 if (der_heim_oid_cmp(oid, &attrs->val[i].attrId) == 0)
64 return &attrs->val[i];
65 return NULL;
66 }
67
68 static int
69 keyBag_parser(hx509_context context,
70 struct hx509_collector *c,
71 const void *data, size_t length,
72 const PKCS12_Attributes *attrs)
73 {
74 const PKCS12_Attribute *attr;
75 PKCS8PrivateKeyInfo ki;
76 const heim_octet_string *os = NULL;
77 int ret;
78
79 attr = find_attribute(attrs, &asn1_oid_id_pkcs_9_at_localKeyId);
80 if (attr)
81 os = &attr->attrValues;
82
83 ret = decode_PKCS8PrivateKeyInfo(data, length, &ki, NULL);
84 if (ret)
85 return ret;
86
87 _hx509_collector_private_key_add(context,
88 c,
89 &ki.privateKeyAlgorithm,
90 NULL,
91 &ki.privateKey,
92 os);
93 free_PKCS8PrivateKeyInfo(&ki);
94 return 0;
95 }
96
97 static int
98 ShroudedKeyBag_parser(hx509_context context,
99 struct hx509_collector *c,
100 const void *data, size_t length,
101 const PKCS12_Attributes *attrs)
102 {
103 PKCS8EncryptedPrivateKeyInfo pk;
104 heim_octet_string content;
105 int ret;
106
107 memset(&pk, 0, sizeof(pk));
108
109 ret = decode_PKCS8EncryptedPrivateKeyInfo(data, length, &pk, NULL);
110 if (ret)
111 return ret;
112
113 ret = _hx509_pbe_decrypt(context,
114 _hx509_collector_get_lock(c),
115 &pk.encryptionAlgorithm,
116 &pk.encryptedData,
117 &content);
118 free_PKCS8EncryptedPrivateKeyInfo(&pk);
119 if (ret)
120 return ret;
121
122 ret = keyBag_parser(context, c, content.data, content.length, attrs);
123 der_free_octet_string(&content);
124 return ret;
125 }
126
127 static int
128 certBag_parser(hx509_context context,
129 struct hx509_collector *c,
130 const void *data, size_t length,
131 const PKCS12_Attributes *attrs)
132 {
133 heim_error_t error = NULL;
134 heim_octet_string os;
135 hx509_cert cert;
136 PKCS12_CertBag cb;
137 int ret;
138
139 ret = decode_PKCS12_CertBag(data, length, &cb, NULL);
140 if (ret)
141 return ret;
142
143 if (der_heim_oid_cmp(&asn1_oid_id_pkcs_9_at_certTypes_x509, &cb.certType)) {
144 free_PKCS12_CertBag(&cb);
145 return 0;
146 }
147
148 ret = decode_PKCS12_OctetString(cb.certValue.data,
149 cb.certValue.length,
150 &os,
151 NULL);
152 free_PKCS12_CertBag(&cb);
153 if (ret)
154 return ret;
155
156 cert = hx509_cert_init_data(context, os.data, os.length, &error);
157 der_free_octet_string(&os);
158 if (cert == NULL) {
159 ret = heim_error_get_code(error);
160 heim_release(error);
161 return ret;
162 }
163
164 ret = _hx509_collector_certs_add(context, c, cert);
165 if (ret) {
166 hx509_cert_free(cert);
167 return ret;
168 }
169
170 {
171 const PKCS12_Attribute *attr;
172 const heim_oid *oids[] = {
173 &asn1_oid_id_pkcs_9_at_localKeyId, &asn1_oid_id_pkcs_9_at_friendlyName
174 };
175 size_t i;
176
177 for (i = 0; i < sizeof(oids)/sizeof(oids[0]); i++) {
178 const heim_oid *oid = oids[i];
179 attr = find_attribute(attrs, oid);
180 if (attr)
181 _hx509_set_cert_attribute(context, cert, oid,
182 &attr->attrValues);
183 }
184 }
185
186 hx509_cert_free(cert);
187
188 return 0;
189 }
190
191 static int
192 parse_safe_content(hx509_context context,
193 struct hx509_collector *c,
194 const unsigned char *p, size_t len)
195 {
196 PKCS12_SafeContents sc;
197 int ret;
198 size_t i;
199
200 memset(&sc, 0, sizeof(sc));
201
202 ret = decode_PKCS12_SafeContents(p, len, &sc, NULL);
203 if (ret)
204 return ret;
205
206 for (i = 0; i < sc.len ; i++)
207 parse_pkcs12_type(context,
208 c,
209 &sc.val[i].bagId,
210 sc.val[i].bagValue.data,
211 sc.val[i].bagValue.length,
212 sc.val[i].bagAttributes);
213
214 free_PKCS12_SafeContents(&sc);
215 return 0;
216 }
217
218 static int
219 safeContent_parser(hx509_context context,
220 struct hx509_collector *c,
221 const void *data, size_t length,
222 const PKCS12_Attributes *attrs)
223 {
224 heim_octet_string os;
225 int ret;
226
227 ret = decode_PKCS12_OctetString(data, length, &os, NULL);
228 if (ret)
229 return ret;
230 ret = parse_safe_content(context, c, os.data, os.length);
231 der_free_octet_string(&os);
232 return ret;
233 }
234
235 static int
236 encryptedData_parser(hx509_context context,
237 struct hx509_collector *c,
238 const void *data, size_t length,
239 const PKCS12_Attributes *attrs)
240 {
241 heim_octet_string content;
242 heim_oid contentType;
243 int ret;
244
245 memset(&contentType, 0, sizeof(contentType));
246
247 ret = hx509_cms_decrypt_encrypted(context,
248 _hx509_collector_get_lock(c),
249 data, length,
250 &contentType,
251 &content);
252 if (ret)
253 return ret;
254
255 if (der_heim_oid_cmp(&contentType, &asn1_oid_id_pkcs7_data) == 0)
256 ret = parse_safe_content(context, c, content.data, content.length);
257
258 der_free_octet_string(&content);
259 der_free_oid(&contentType);
260 return ret;
261 }
262
263 static int
264 envelopedData_parser(hx509_context context,
265 struct hx509_collector *c,
266 const void *data, size_t length,
267 const PKCS12_Attributes *attrs)
268 {
269 heim_octet_string content;
270 heim_oid contentType;
271 hx509_lock lock;
272 int ret;
273
274 memset(&contentType, 0, sizeof(contentType));
275
276 lock = _hx509_collector_get_lock(c);
277
278 ret = hx509_cms_unenvelope(context,
279 _hx509_lock_unlock_certs(lock),
280 0,
281 data, length,
282 NULL,
283 0,
284 &contentType,
285 &content);
286 if (ret) {
287 hx509_set_error_string(context, HX509_ERROR_APPEND, ret,
288 "PKCS12 failed to unenvelope");
289 return ret;
290 }
291
292 if (der_heim_oid_cmp(&contentType, &asn1_oid_id_pkcs7_data) == 0)
293 ret = parse_safe_content(context, c, content.data, content.length);
294
295 der_free_octet_string(&content);
296 der_free_oid(&contentType);
297
298 return ret;
299 }
300
301
302 struct type bagtypes[] = {
303 { &asn1_oid_id_pkcs12_keyBag, keyBag_parser },
304 { &asn1_oid_id_pkcs12_pkcs8ShroudedKeyBag, ShroudedKeyBag_parser },
305 { &asn1_oid_id_pkcs12_certBag, certBag_parser },
306 { &asn1_oid_id_pkcs7_data, safeContent_parser },
307 { &asn1_oid_id_pkcs7_encryptedData, encryptedData_parser },
308 { &asn1_oid_id_pkcs7_envelopedData, envelopedData_parser }
309 };
310
311 static void
312 parse_pkcs12_type(hx509_context context,
313 struct hx509_collector *c,
314 const heim_oid *oid,
315 const void *data, size_t length,
316 const PKCS12_Attributes *attrs)
317 {
318 size_t i;
319
320 for (i = 0; i < sizeof(bagtypes)/sizeof(bagtypes[0]); i++)
321 if (der_heim_oid_cmp(bagtypes[i].oid, oid) == 0)
322 (*bagtypes[i].func)(context, c, data, length, attrs);
323 }
324
325 static int
326 p12_init(hx509_context context,
327 hx509_certs certs, void **data, int flags,
328 const char *residue, hx509_lock lock)
329 {
330 struct ks_pkcs12 *p12;
331 size_t len;
332 void *buf;
333 PKCS12_PFX pfx;
334 PKCS12_AuthenticatedSafe as;
335 int ret;
336 size_t i;
337 struct hx509_collector *c;
338
339 *data = NULL;
340
341 if (lock == NULL)
342 lock = _hx509_empty_lock;
343
344 ret = _hx509_collector_alloc(context, lock, &c);
345 if (ret)
346 return ret;
347
348 p12 = calloc(1, sizeof(*p12));
349 if (p12 == NULL) {
350 ret = ENOMEM;
351 hx509_set_error_string(context, 0, ret, "out of memory");
352 goto out;
353 }
354
355 p12->fn = strdup(residue);
356 if (p12->fn == NULL) {
357 ret = ENOMEM;
358 hx509_set_error_string(context, 0, ret, "out of memory");
359 goto out;
360 }
361
362 if (flags & HX509_CERTS_CREATE) {
363 ret = hx509_certs_init(context, "MEMORY:ks-file-create",
364 0, lock, &p12->certs);
365 if (ret == 0)
366 *data = p12;
367 goto out;
368 }
369
370 ret = rk_undumpdata(residue, &buf, &len);
371 if (ret) {
372 hx509_clear_error_string(context);
373 goto out;
374 }
375
376 ret = decode_PKCS12_PFX(buf, len, &pfx, NULL);
377 rk_xfree(buf);
378 if (ret) {
379 hx509_set_error_string(context, 0, ret,
380 "Failed to decode the PFX in %s", residue);
381 goto out;
382 }
383
384 if (der_heim_oid_cmp(&pfx.authSafe.contentType, &asn1_oid_id_pkcs7_data) != 0) {
385 free_PKCS12_PFX(&pfx);
386 ret = EINVAL;
387 hx509_set_error_string(context, 0, ret,
388 "PKCS PFX isn't a pkcs7-data container");
389 goto out;
390 }
391
392 if (pfx.authSafe.content == NULL) {
393 free_PKCS12_PFX(&pfx);
394 ret = EINVAL;
395 hx509_set_error_string(context, 0, ret,
396 "PKCS PFX missing data");
397 goto out;
398 }
399
400 {
401 heim_octet_string asdata;
402
403 ret = decode_PKCS12_OctetString(pfx.authSafe.content->data,
404 pfx.authSafe.content->length,
405 &asdata,
406 NULL);
407 free_PKCS12_PFX(&pfx);
408 if (ret) {
409 hx509_clear_error_string(context);
410 goto out;
411 }
412 ret = decode_PKCS12_AuthenticatedSafe(asdata.data,
413 asdata.length,
414 &as,
415 NULL);
416 der_free_octet_string(&asdata);
417 if (ret) {
418 hx509_clear_error_string(context);
419 goto out;
420 }
421 }
422
423 for (i = 0; i < as.len; i++)
424 parse_pkcs12_type(context,
425 c,
426 &as.val[i].contentType,
427 as.val[i].content->data,
428 as.val[i].content->length,
429 NULL);
430
431 free_PKCS12_AuthenticatedSafe(&as);
432
433 ret = _hx509_collector_collect_certs(context, c, &p12->certs);
434 if (ret == 0)
435 *data = p12;
436
437 out:
438 _hx509_collector_free(c);
439
440 if (ret && p12) {
441 if (p12->fn)
442 free(p12->fn);
443 if (p12->certs)
444 hx509_certs_free(&p12->certs);
445 free(p12);
446 }
447
448 return ret;
449 }
450
451 static int
452 addBag(hx509_context context,
453 PKCS12_AuthenticatedSafe *as,
454 const heim_oid *oid,
455 void *data,
456 size_t length)
457 {
458 void *ptr;
459 int ret;
460
461 ptr = realloc(as->val, sizeof(as->val[0]) * (as->len + 1));
462 if (ptr == NULL) {
463 hx509_set_error_string(context, 0, ENOMEM, "out of memory");
464 return ENOMEM;
465 }
466 as->val = ptr;
467
468 ret = der_copy_oid(oid, &as->val[as->len].contentType);
469 if (ret) {
470 hx509_set_error_string(context, 0, ret, "out of memory");
471 return ret;
472 }
473
474 as->val[as->len].content = calloc(1, sizeof(*as->val[0].content));
475 if (as->val[as->len].content == NULL) {
476 der_free_oid(&as->val[as->len].contentType);
477 hx509_set_error_string(context, 0, ENOMEM, "malloc out of memory");
478 return ENOMEM;
479 }
480
481 as->val[as->len].content->data = data;
482 as->val[as->len].content->length = length;
483
484 as->len++;
485
486 return 0;
487 }
488
489 static int
490 store_func(hx509_context context, void *ctx, hx509_cert c)
491 {
492 PKCS12_AuthenticatedSafe *as = ctx;
493 PKCS12_OctetString os;
494 PKCS12_CertBag cb;
495 size_t size;
496 int ret;
497
498 memset(&os, 0, sizeof(os));
499 memset(&cb, 0, sizeof(cb));
500
501 os.data = NULL;
502 os.length = 0;
503
504 ret = hx509_cert_binary(context, c, &os);
505 if (ret)
506 return ret;
507
508 ASN1_MALLOC_ENCODE(PKCS12_OctetString,
509 cb.certValue.data,cb.certValue.length,
510 &os, &size, ret);
511 free(os.data);
512 if (ret)
513 goto out;
514 ret = der_copy_oid(&asn1_oid_id_pkcs_9_at_certTypes_x509, &cb.certType);
515 if (ret) {
516 free_PKCS12_CertBag(&cb);
517 goto out;
518 }
519 ASN1_MALLOC_ENCODE(PKCS12_CertBag, os.data, os.length,
520 &cb, &size, ret);
521 free_PKCS12_CertBag(&cb);
522 if (ret)
523 goto out;
524
525 ret = addBag(context, as, &asn1_oid_id_pkcs12_certBag, os.data, os.length);
526
527 if (_hx509_cert_private_key_exportable(c)) {
528 hx509_private_key key = _hx509_cert_private_key(c);
529 PKCS8PrivateKeyInfo pki;
530
531 memset(&pki, 0, sizeof(pki));
532
533 ret = der_parse_hex_heim_integer("00", &pki.version);
534 if (ret)
535 return ret;
536 ret = _hx509_private_key_oid(context, key,
537 &pki.privateKeyAlgorithm.algorithm);
538 if (ret) {
539 free_PKCS8PrivateKeyInfo(&pki);
540 return ret;
541 }
542 ret = _hx509_private_key_export(context,
543 _hx509_cert_private_key(c),
544 HX509_KEY_FORMAT_DER,
545 &pki.privateKey);
546 if (ret) {
547 free_PKCS8PrivateKeyInfo(&pki);
548 return ret;
549 }
550 /* set attribute, asn1_oid_id_pkcs_9_at_localKeyId */
551
552 ASN1_MALLOC_ENCODE(PKCS8PrivateKeyInfo, os.data, os.length,
553 &pki, &size, ret);
554 free_PKCS8PrivateKeyInfo(&pki);
555 if (ret)
556 return ret;
557
558 ret = addBag(context, as, &asn1_oid_id_pkcs12_keyBag, os.data, os.length);
559 if (ret)
560 return ret;
561 }
562
563 out:
564 return ret;
565 }
566
567 static int
568 p12_store(hx509_context context,
569 hx509_certs certs, void *data, int flags, hx509_lock lock)
570 {
571 struct ks_pkcs12 *p12 = data;
572 PKCS12_PFX pfx;
573 PKCS12_AuthenticatedSafe as;
574 PKCS12_OctetString asdata;
575 size_t size;
576 int ret;
577
578 memset(&as, 0, sizeof(as));
579 memset(&pfx, 0, sizeof(pfx));
580
581 ret = hx509_certs_iter_f(context, p12->certs, store_func, &as);
582 if (ret)
583 goto out;
584
585 ASN1_MALLOC_ENCODE(PKCS12_AuthenticatedSafe, asdata.data, asdata.length,
586 &as, &size, ret);
587 free_PKCS12_AuthenticatedSafe(&as);
588 if (ret)
589 return ret;
590
591 ret = der_parse_hex_heim_integer("03", &pfx.version);
592 if (ret) {
593 free(asdata.data);
594 goto out;
595 }
596
597 pfx.authSafe.content = calloc(1, sizeof(*pfx.authSafe.content));
598
599 ASN1_MALLOC_ENCODE(PKCS12_OctetString,
600 pfx.authSafe.content->data,
601 pfx.authSafe.content->length,
602 &asdata, &size, ret);
603 free(asdata.data);
604 if (ret)
605 goto out;
606
607 ret = der_copy_oid(&asn1_oid_id_pkcs7_data, &pfx.authSafe.contentType);
608 if (ret)
609 goto out;
610
611 ASN1_MALLOC_ENCODE(PKCS12_PFX, asdata.data, asdata.length,
612 &pfx, &size, ret);
613 if (ret)
614 goto out;
615
616 #if 0
617 const struct _hx509_password *pw;
618
619 pw = _hx509_lock_get_passwords(lock);
620 if (pw != NULL) {
621 pfx.macData = calloc(1, sizeof(*pfx.macData));
622 if (pfx.macData == NULL) {
623 ret = ENOMEM;
624 hx509_set_error_string(context, 0, ret, "malloc out of memory");
625 return ret;
626 }
627 if (pfx.macData == NULL) {
628 free(asdata.data);
629 goto out;
630 }
631 }
632 ret = calculate_hash(&aspath, pw, pfx.macData);
633 #endif
634
635 rk_dumpdata(p12->fn, asdata.data, asdata.length);
636 free(asdata.data);
637
638 out:
639 free_PKCS12_AuthenticatedSafe(&as);
640 free_PKCS12_PFX(&pfx);
641
642 return ret;
643 }
644
645
646 static int
647 p12_free(hx509_certs certs, void *data)
648 {
649 struct ks_pkcs12 *p12 = data;
650 hx509_certs_free(&p12->certs);
651 free(p12->fn);
652 free(p12);
653 return 0;
654 }
655
656 static int
657 p12_add(hx509_context context, hx509_certs certs, void *data, hx509_cert c)
658 {
659 struct ks_pkcs12 *p12 = data;
660 return hx509_certs_add(context, p12->certs, c);
661 }
662
663 static int
664 p12_iter_start(hx509_context context,
665 hx509_certs certs,
666 void *data,
667 void **cursor)
668 {
669 struct ks_pkcs12 *p12 = data;
670 return hx509_certs_start_seq(context, p12->certs, cursor);
671 }
672
673 static int
674 p12_iter(hx509_context context,
675 hx509_certs certs,
676 void *data,
677 void *cursor,
678 hx509_cert *cert)
679 {
680 struct ks_pkcs12 *p12 = data;
681 return hx509_certs_next_cert(context, p12->certs, cursor, cert);
682 }
683
684 static int
685 p12_iter_end(hx509_context context,
686 hx509_certs certs,
687 void *data,
688 void *cursor)
689 {
690 struct ks_pkcs12 *p12 = data;
691 return hx509_certs_end_seq(context, p12->certs, cursor);
692 }
693
694 static struct hx509_keyset_ops keyset_pkcs12 = {
695 "PKCS12",
696 0,
697 p12_init,
698 p12_store,
699 p12_free,
700 p12_add,
701 NULL,
702 p12_iter_start,
703 p12_iter,
704 p12_iter_end,
705 NULL,
706 NULL,
707 NULL
708 };
709
710 void
711 _hx509_ks_pkcs12_register(hx509_context context)
712 {
713 _hx509_ks_register(context, &keyset_pkcs12);
714 }
Heimdal