2 * Copyright (c) 2004 - 2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
41 typedef int (*collector_func
)(hx509_context
,
42 struct hx509_collector
*,
44 const PKCS12_Attributes
*);
52 parse_pkcs12_type(hx509_context
, struct hx509_collector
*, const heim_oid
*,
53 const void *, size_t, const PKCS12_Attributes
*);
56 static const PKCS12_Attribute
*
57 find_attribute(const PKCS12_Attributes
*attrs
, const heim_oid
*oid
)
62 for (i
= 0; i
< attrs
->len
; i
++)
63 if (der_heim_oid_cmp(oid
, &attrs
->val
[i
].attrId
) == 0)
64 return &attrs
->val
[i
];
69 keyBag_parser(hx509_context context
,
70 struct hx509_collector
*c
,
71 const void *data
, size_t length
,
72 const PKCS12_Attributes
*attrs
)
74 const PKCS12_Attribute
*attr
;
75 PKCS8PrivateKeyInfo ki
;
76 const heim_octet_string
*os
= NULL
;
79 attr
= find_attribute(attrs
, &asn1_oid_id_pkcs_9_at_localKeyId
);
81 os
= &attr
->attrValues
;
83 ret
= decode_PKCS8PrivateKeyInfo(data
, length
, &ki
, NULL
);
87 _hx509_collector_private_key_add(context
,
89 &ki
.privateKeyAlgorithm
,
93 free_PKCS8PrivateKeyInfo(&ki
);
98 ShroudedKeyBag_parser(hx509_context context
,
99 struct hx509_collector
*c
,
100 const void *data
, size_t length
,
101 const PKCS12_Attributes
*attrs
)
103 PKCS8EncryptedPrivateKeyInfo pk
;
104 heim_octet_string content
;
107 memset(&pk
, 0, sizeof(pk
));
109 ret
= decode_PKCS8EncryptedPrivateKeyInfo(data
, length
, &pk
, NULL
);
113 ret
= _hx509_pbe_decrypt(context
,
114 _hx509_collector_get_lock(c
),
115 &pk
.encryptionAlgorithm
,
118 free_PKCS8EncryptedPrivateKeyInfo(&pk
);
122 ret
= keyBag_parser(context
, c
, content
.data
, content
.length
, attrs
);
123 der_free_octet_string(&content
);
128 certBag_parser(hx509_context context
,
129 struct hx509_collector
*c
,
130 const void *data
, size_t length
,
131 const PKCS12_Attributes
*attrs
)
133 heim_error_t error
= NULL
;
134 heim_octet_string os
;
139 ret
= decode_PKCS12_CertBag(data
, length
, &cb
, NULL
);
143 if (der_heim_oid_cmp(&asn1_oid_id_pkcs_9_at_certTypes_x509
, &cb
.certType
)) {
144 free_PKCS12_CertBag(&cb
);
148 ret
= decode_PKCS12_OctetString(cb
.certValue
.data
,
152 free_PKCS12_CertBag(&cb
);
156 cert
= hx509_cert_init_data(context
, os
.data
, os
.length
, &error
);
157 der_free_octet_string(&os
);
159 ret
= heim_error_get_code(error
);
164 ret
= _hx509_collector_certs_add(context
, c
, cert
);
166 hx509_cert_free(cert
);
171 const PKCS12_Attribute
*attr
;
172 const heim_oid
*oids
[] = {
173 &asn1_oid_id_pkcs_9_at_localKeyId
, &asn1_oid_id_pkcs_9_at_friendlyName
177 for (i
= 0; i
< sizeof(oids
)/sizeof(oids
[0]); i
++) {
178 const heim_oid
*oid
= oids
[i
];
179 attr
= find_attribute(attrs
, oid
);
181 _hx509_set_cert_attribute(context
, cert
, oid
,
186 hx509_cert_free(cert
);
192 parse_safe_content(hx509_context context
,
193 struct hx509_collector
*c
,
194 const unsigned char *p
, size_t len
)
196 PKCS12_SafeContents sc
;
200 memset(&sc
, 0, sizeof(sc
));
202 ret
= decode_PKCS12_SafeContents(p
, len
, &sc
, NULL
);
206 for (i
= 0; i
< sc
.len
; i
++)
207 parse_pkcs12_type(context
,
210 sc
.val
[i
].bagValue
.data
,
211 sc
.val
[i
].bagValue
.length
,
212 sc
.val
[i
].bagAttributes
);
214 free_PKCS12_SafeContents(&sc
);
219 safeContent_parser(hx509_context context
,
220 struct hx509_collector
*c
,
221 const void *data
, size_t length
,
222 const PKCS12_Attributes
*attrs
)
224 heim_octet_string os
;
227 ret
= decode_PKCS12_OctetString(data
, length
, &os
, NULL
);
230 ret
= parse_safe_content(context
, c
, os
.data
, os
.length
);
231 der_free_octet_string(&os
);
236 encryptedData_parser(hx509_context context
,
237 struct hx509_collector
*c
,
238 const void *data
, size_t length
,
239 const PKCS12_Attributes
*attrs
)
241 heim_octet_string content
;
242 heim_oid contentType
;
245 memset(&contentType
, 0, sizeof(contentType
));
247 ret
= hx509_cms_decrypt_encrypted(context
,
248 _hx509_collector_get_lock(c
),
255 if (der_heim_oid_cmp(&contentType
, &asn1_oid_id_pkcs7_data
) == 0)
256 ret
= parse_safe_content(context
, c
, content
.data
, content
.length
);
258 der_free_octet_string(&content
);
259 der_free_oid(&contentType
);
264 envelopedData_parser(hx509_context context
,
265 struct hx509_collector
*c
,
266 const void *data
, size_t length
,
267 const PKCS12_Attributes
*attrs
)
269 heim_octet_string content
;
270 heim_oid contentType
;
274 memset(&contentType
, 0, sizeof(contentType
));
276 lock
= _hx509_collector_get_lock(c
);
278 ret
= hx509_cms_unenvelope(context
,
279 _hx509_lock_unlock_certs(lock
),
287 hx509_set_error_string(context
, HX509_ERROR_APPEND
, ret
,
288 "PKCS12 failed to unenvelope");
292 if (der_heim_oid_cmp(&contentType
, &asn1_oid_id_pkcs7_data
) == 0)
293 ret
= parse_safe_content(context
, c
, content
.data
, content
.length
);
295 der_free_octet_string(&content
);
296 der_free_oid(&contentType
);
302 struct type bagtypes
[] = {
303 { &asn1_oid_id_pkcs12_keyBag
, keyBag_parser
},
304 { &asn1_oid_id_pkcs12_pkcs8ShroudedKeyBag
, ShroudedKeyBag_parser
},
305 { &asn1_oid_id_pkcs12_certBag
, certBag_parser
},
306 { &asn1_oid_id_pkcs7_data
, safeContent_parser
},
307 { &asn1_oid_id_pkcs7_encryptedData
, encryptedData_parser
},
308 { &asn1_oid_id_pkcs7_envelopedData
, envelopedData_parser
}
312 parse_pkcs12_type(hx509_context context
,
313 struct hx509_collector
*c
,
315 const void *data
, size_t length
,
316 const PKCS12_Attributes
*attrs
)
320 for (i
= 0; i
< sizeof(bagtypes
)/sizeof(bagtypes
[0]); i
++)
321 if (der_heim_oid_cmp(bagtypes
[i
].oid
, oid
) == 0)
322 (*bagtypes
[i
].func
)(context
, c
, data
, length
, attrs
);
326 p12_init(hx509_context context
,
327 hx509_certs certs
, void **data
, int flags
,
328 const char *residue
, hx509_lock lock
)
330 struct ks_pkcs12
*p12
;
334 PKCS12_AuthenticatedSafe as
;
337 struct hx509_collector
*c
;
342 lock
= _hx509_empty_lock
;
344 ret
= _hx509_collector_alloc(context
, lock
, &c
);
348 p12
= calloc(1, sizeof(*p12
));
351 hx509_set_error_string(context
, 0, ret
, "out of memory");
355 p12
->fn
= strdup(residue
);
356 if (p12
->fn
== NULL
) {
358 hx509_set_error_string(context
, 0, ret
, "out of memory");
362 if (flags
& HX509_CERTS_CREATE
) {
363 ret
= hx509_certs_init(context
, "MEMORY:ks-file-create",
364 0, lock
, &p12
->certs
);
370 ret
= rk_undumpdata(residue
, &buf
, &len
);
372 hx509_clear_error_string(context
);
376 ret
= decode_PKCS12_PFX(buf
, len
, &pfx
, NULL
);
379 hx509_set_error_string(context
, 0, ret
,
380 "Failed to decode the PFX in %s", residue
);
384 if (der_heim_oid_cmp(&pfx
.authSafe
.contentType
, &asn1_oid_id_pkcs7_data
) != 0) {
385 free_PKCS12_PFX(&pfx
);
387 hx509_set_error_string(context
, 0, ret
,
388 "PKCS PFX isn't a pkcs7-data container");
392 if (pfx
.authSafe
.content
== NULL
) {
393 free_PKCS12_PFX(&pfx
);
395 hx509_set_error_string(context
, 0, ret
,
396 "PKCS PFX missing data");
401 heim_octet_string asdata
;
403 ret
= decode_PKCS12_OctetString(pfx
.authSafe
.content
->data
,
404 pfx
.authSafe
.content
->length
,
407 free_PKCS12_PFX(&pfx
);
409 hx509_clear_error_string(context
);
412 ret
= decode_PKCS12_AuthenticatedSafe(asdata
.data
,
416 der_free_octet_string(&asdata
);
418 hx509_clear_error_string(context
);
423 for (i
= 0; i
< as
.len
; i
++)
424 parse_pkcs12_type(context
,
426 &as
.val
[i
].contentType
,
427 as
.val
[i
].content
->data
,
428 as
.val
[i
].content
->length
,
431 free_PKCS12_AuthenticatedSafe(&as
);
433 ret
= _hx509_collector_collect_certs(context
, c
, &p12
->certs
);
438 _hx509_collector_free(c
);
444 hx509_certs_free(&p12
->certs
);
452 addBag(hx509_context context
,
453 PKCS12_AuthenticatedSafe
*as
,
461 ptr
= realloc(as
->val
, sizeof(as
->val
[0]) * (as
->len
+ 1));
463 hx509_set_error_string(context
, 0, ENOMEM
, "out of memory");
468 ret
= der_copy_oid(oid
, &as
->val
[as
->len
].contentType
);
470 hx509_set_error_string(context
, 0, ret
, "out of memory");
474 as
->val
[as
->len
].content
= calloc(1, sizeof(*as
->val
[0].content
));
475 if (as
->val
[as
->len
].content
== NULL
) {
476 der_free_oid(&as
->val
[as
->len
].contentType
);
477 hx509_set_error_string(context
, 0, ENOMEM
, "malloc out of memory");
481 as
->val
[as
->len
].content
->data
= data
;
482 as
->val
[as
->len
].content
->length
= length
;
490 store_func(hx509_context context
, void *ctx
, hx509_cert c
)
492 PKCS12_AuthenticatedSafe
*as
= ctx
;
493 PKCS12_OctetString os
;
498 memset(&os
, 0, sizeof(os
));
499 memset(&cb
, 0, sizeof(cb
));
504 ret
= hx509_cert_binary(context
, c
, &os
);
508 ASN1_MALLOC_ENCODE(PKCS12_OctetString
,
509 cb
.certValue
.data
,cb
.certValue
.length
,
514 ret
= der_copy_oid(&asn1_oid_id_pkcs_9_at_certTypes_x509
, &cb
.certType
);
516 free_PKCS12_CertBag(&cb
);
519 ASN1_MALLOC_ENCODE(PKCS12_CertBag
, os
.data
, os
.length
,
521 free_PKCS12_CertBag(&cb
);
525 ret
= addBag(context
, as
, &asn1_oid_id_pkcs12_certBag
, os
.data
, os
.length
);
527 if (_hx509_cert_private_key_exportable(c
)) {
528 hx509_private_key key
= _hx509_cert_private_key(c
);
529 PKCS8PrivateKeyInfo pki
;
531 memset(&pki
, 0, sizeof(pki
));
533 ret
= der_parse_hex_heim_integer("00", &pki
.version
);
536 ret
= _hx509_private_key_oid(context
, key
,
537 &pki
.privateKeyAlgorithm
.algorithm
);
539 free_PKCS8PrivateKeyInfo(&pki
);
542 ret
= _hx509_private_key_export(context
,
543 _hx509_cert_private_key(c
),
544 HX509_KEY_FORMAT_DER
,
547 free_PKCS8PrivateKeyInfo(&pki
);
550 /* set attribute, asn1_oid_id_pkcs_9_at_localKeyId */
552 ASN1_MALLOC_ENCODE(PKCS8PrivateKeyInfo
, os
.data
, os
.length
,
554 free_PKCS8PrivateKeyInfo(&pki
);
558 ret
= addBag(context
, as
, &asn1_oid_id_pkcs12_keyBag
, os
.data
, os
.length
);
568 p12_store(hx509_context context
,
569 hx509_certs certs
, void *data
, int flags
, hx509_lock lock
)
571 struct ks_pkcs12
*p12
= data
;
573 PKCS12_AuthenticatedSafe as
;
574 PKCS12_OctetString asdata
;
578 memset(&as
, 0, sizeof(as
));
579 memset(&pfx
, 0, sizeof(pfx
));
581 ret
= hx509_certs_iter_f(context
, p12
->certs
, store_func
, &as
);
585 ASN1_MALLOC_ENCODE(PKCS12_AuthenticatedSafe
, asdata
.data
, asdata
.length
,
587 free_PKCS12_AuthenticatedSafe(&as
);
591 ret
= der_parse_hex_heim_integer("03", &pfx
.version
);
597 pfx
.authSafe
.content
= calloc(1, sizeof(*pfx
.authSafe
.content
));
599 ASN1_MALLOC_ENCODE(PKCS12_OctetString
,
600 pfx
.authSafe
.content
->data
,
601 pfx
.authSafe
.content
->length
,
602 &asdata
, &size
, ret
);
607 ret
= der_copy_oid(&asn1_oid_id_pkcs7_data
, &pfx
.authSafe
.contentType
);
611 ASN1_MALLOC_ENCODE(PKCS12_PFX
, asdata
.data
, asdata
.length
,
617 const struct _hx509_password
*pw
;
619 pw
= _hx509_lock_get_passwords(lock
);
621 pfx
.macData
= calloc(1, sizeof(*pfx
.macData
));
622 if (pfx
.macData
== NULL
) {
624 hx509_set_error_string(context
, 0, ret
, "malloc out of memory");
627 if (pfx
.macData
== NULL
) {
632 ret
= calculate_hash(&aspath
, pw
, pfx
.macData
);
635 rk_dumpdata(p12
->fn
, asdata
.data
, asdata
.length
);
639 free_PKCS12_AuthenticatedSafe(&as
);
640 free_PKCS12_PFX(&pfx
);
647 p12_free(hx509_certs certs
, void *data
)
649 struct ks_pkcs12
*p12
= data
;
650 hx509_certs_free(&p12
->certs
);
657 p12_add(hx509_context context
, hx509_certs certs
, void *data
, hx509_cert c
)
659 struct ks_pkcs12
*p12
= data
;
660 return hx509_certs_add(context
, p12
->certs
, c
);
664 p12_iter_start(hx509_context context
,
669 struct ks_pkcs12
*p12
= data
;
670 return hx509_certs_start_seq(context
, p12
->certs
, cursor
);
674 p12_iter(hx509_context context
,
680 struct ks_pkcs12
*p12
= data
;
681 return hx509_certs_next_cert(context
, p12
->certs
, cursor
, cert
);
685 p12_iter_end(hx509_context context
,
690 struct ks_pkcs12
*p12
= data
;
691 return hx509_certs_end_seq(context
, p12
->certs
, cursor
);
694 static struct hx509_keyset_ops keyset_pkcs12
= {
710 HX509_LIB_FUNCTION
void HX509_LIB_CALL
711 _hx509_ks_pkcs12_register(hx509_context context
)
713 _hx509_ks_register(context
, &keyset_pkcs12
);