2 * Copyright (c) 2004 - 2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35 RCSID("$Id: ks_p12.c,v 1.18 2007/01/09 10:52:11 lha Exp $");
42 typedef int (*collector_func)(hx509_context,
43 struct hx509_collector *,
45 const PKCS12_Attributes *);
48 const heim_oid * (*oid)(void);
53 parse_pkcs12_type(hx509_context, struct hx509_collector *, const heim_oid *,
54 const void *, size_t, const PKCS12_Attributes *);
57 static const PKCS12_Attribute *
58 find_attribute(const PKCS12_Attributes *attrs, const heim_oid *oid)
63 for (i = 0; i < attrs->len; i++)
64 if (der_heim_oid_cmp(oid, &attrs->val[i].attrId) == 0)
65 return &attrs->val[i];
70 keyBag_parser(hx509_context context,
71 struct hx509_collector *c,
72 const void *data, size_t length,
73 const PKCS12_Attributes *attrs)
75 const PKCS12_Attribute *attr;
76 PKCS8PrivateKeyInfo ki;
77 const heim_octet_string *os = NULL;
80 attr = find_attribute(attrs, oid_id_pkcs_9_at_localKeyId());
82 os = &attr->attrValues;
84 ret = decode_PKCS8PrivateKeyInfo(data, length, &ki, NULL);
88 _hx509_collector_private_key_add(context,
90 &ki.privateKeyAlgorithm,
94 free_PKCS8PrivateKeyInfo(&ki);
99 ShroudedKeyBag_parser(hx509_context context,
100 struct hx509_collector *c,
101 const void *data, size_t length,
102 const PKCS12_Attributes *attrs)
104 PKCS8EncryptedPrivateKeyInfo pk;
105 heim_octet_string content;
108 memset(&pk, 0, sizeof(pk));
110 ret = decode_PKCS8EncryptedPrivateKeyInfo(data, length, &pk, NULL);
114 ret = _hx509_pbe_decrypt(context,
115 _hx509_collector_get_lock(c),
116 &pk.encryptionAlgorithm,
119 free_PKCS8EncryptedPrivateKeyInfo(&pk);
123 ret = keyBag_parser(context, c, content.data, content.length, attrs);
124 der_free_octet_string(&content);
129 certBag_parser(hx509_context context,
130 struct hx509_collector *c,
131 const void *data, size_t length,
132 const PKCS12_Attributes *attrs)
134 heim_octet_string os;
140 ret = decode_PKCS12_CertBag(data, length, &cb, NULL);
144 if (der_heim_oid_cmp(oid_id_pkcs_9_at_certTypes_x509(), &cb.certType)) {
145 free_PKCS12_CertBag(&cb);
149 ret = decode_PKCS12_OctetString(cb.certValue.data,
153 free_PKCS12_CertBag(&cb);
157 ret = decode_Certificate(os.data, os.length, &t, NULL);
158 der_free_octet_string(&os);
162 ret = hx509_cert_init(context, &t, &cert);
163 free_Certificate(&t);
167 ret = _hx509_collector_certs_add(context, c, cert);
169 hx509_cert_free(cert);
174 const PKCS12_Attribute *attr;
175 const heim_oid * (*oids[])(void) = {
176 oid_id_pkcs_9_at_localKeyId, oid_id_pkcs_9_at_friendlyName
180 for (i = 0; i < sizeof(oids)/sizeof(oids[0]); i++) {
181 const heim_oid *oid = (*(oids[i]))();
182 attr = find_attribute(attrs, oid);
184 _hx509_set_cert_attribute(context, cert, oid,
189 hx509_cert_free(cert);
195 parse_safe_content(hx509_context context,
196 struct hx509_collector *c,
197 const unsigned char *p, size_t len)
199 PKCS12_SafeContents sc;
202 memset(&sc, 0, sizeof(sc));
204 ret = decode_PKCS12_SafeContents(p, len, &sc, NULL);
208 for (i = 0; i < sc.len ; i++)
209 parse_pkcs12_type(context,
212 sc.val[i].bagValue.data,
213 sc.val[i].bagValue.length,
214 sc.val[i].bagAttributes);
216 free_PKCS12_SafeContents(&sc);
221 safeContent_parser(hx509_context context,
222 struct hx509_collector *c,
223 const void *data, size_t length,
224 const PKCS12_Attributes *attrs)
226 heim_octet_string os;
229 ret = decode_PKCS12_OctetString(data, length, &os, NULL);
232 ret = parse_safe_content(context, c, os.data, os.length);
233 der_free_octet_string(&os);
238 encryptedData_parser(hx509_context context,
239 struct hx509_collector *c,
240 const void *data, size_t length,
241 const PKCS12_Attributes *attrs)
243 heim_octet_string content;
244 heim_oid contentType;
247 memset(&contentType, 0, sizeof(contentType));
249 ret = hx509_cms_decrypt_encrypted(context,
250 _hx509_collector_get_lock(c),
257 if (der_heim_oid_cmp(&contentType, oid_id_pkcs7_data()) == 0)
258 ret = parse_safe_content(context, c, content.data, content.length);
260 der_free_octet_string(&content);
261 der_free_oid(&contentType);
266 envelopedData_parser(hx509_context context,
267 struct hx509_collector *c,
268 const void *data, size_t length,
269 const PKCS12_Attributes *attrs)
271 heim_octet_string content;
272 heim_oid contentType;
276 memset(&contentType, 0, sizeof(contentType));
278 lock = _hx509_collector_get_lock(c);
280 ret = hx509_cms_unenvelope(context,
281 _hx509_lock_unlock_certs(lock),
288 hx509_set_error_string(context, HX509_ERROR_APPEND, ret,
289 "PKCS12 failed to unenvelope");
293 if (der_heim_oid_cmp(&contentType, oid_id_pkcs7_data()) == 0)
294 ret = parse_safe_content(context, c, content.data, content.length);
296 der_free_octet_string(&content);
297 der_free_oid(&contentType);
303 struct type bagtypes[] = {
304 { oid_id_pkcs12_keyBag, keyBag_parser },
305 { oid_id_pkcs12_pkcs8ShroudedKeyBag, ShroudedKeyBag_parser },
306 { oid_id_pkcs12_certBag, certBag_parser },
307 { oid_id_pkcs7_data, safeContent_parser },
308 { oid_id_pkcs7_encryptedData, encryptedData_parser },
309 { oid_id_pkcs7_envelopedData, envelopedData_parser }
313 parse_pkcs12_type(hx509_context context,
314 struct hx509_collector *c,
316 const void *data, size_t length,
317 const PKCS12_Attributes *attrs)
321 for (i = 0; i < sizeof(bagtypes)/sizeof(bagtypes[0]); i++)
322 if (der_heim_oid_cmp((*bagtypes[i].oid)(), oid) == 0)
323 (*bagtypes[i].func)(context, c, data, length, attrs);
327 p12_init(hx509_context context,
328 hx509_certs certs, void **data, int flags,
329 const char *residue, hx509_lock lock)
331 struct ks_pkcs12 *p12;
335 PKCS12_AuthenticatedSafe as;
337 struct hx509_collector *c;
342 lock = _hx509_empty_lock;
344 c = _hx509_collector_alloc(context, lock);
348 p12 = calloc(1, sizeof(*p12));
354 p12->fn = strdup(residue);
355 if (p12->fn == NULL) {
360 if (flags & HX509_CERTS_CREATE) {
361 ret = hx509_certs_init(context, "MEMORY:ks-file-create",
362 0, lock, &p12->certs);
369 ret = _hx509_map_file(residue, &buf, &len, NULL);
373 ret = decode_PKCS12_PFX(buf, len, &pfx, NULL);
374 _hx509_unmap_file(buf, len);
378 if (der_heim_oid_cmp(&pfx.authSafe.contentType, oid_id_pkcs7_data()) != 0) {
379 free_PKCS12_PFX(&pfx);
381 hx509_set_error_string(context, 0, ret,
382 "PKCS PFX isn't a pkcs7-data container");
386 if (pfx.authSafe.content == NULL) {
387 free_PKCS12_PFX(&pfx);
389 hx509_set_error_string(context, 0, ret,
390 "PKCS PFX missing data");
395 heim_octet_string asdata;
397 ret = decode_PKCS12_OctetString(pfx.authSafe.content->data,
398 pfx.authSafe.content->length,
401 free_PKCS12_PFX(&pfx);
403 hx509_clear_error_string(context);
406 ret = decode_PKCS12_AuthenticatedSafe(asdata.data,
410 der_free_octet_string(&asdata);
412 hx509_clear_error_string(context);
417 for (i = 0; i < as.len; i++)
418 parse_pkcs12_type(context,
420 &as.val[i].contentType,
421 as.val[i].content->data,
422 as.val[i].content->length,
425 free_PKCS12_AuthenticatedSafe(&as);
427 ret = _hx509_collector_collect_certs(context, c, &p12->certs);
432 _hx509_collector_free(c);
436 hx509_certs_free(&p12->certs);
444 addBag(hx509_context context,
445 PKCS12_AuthenticatedSafe *as,
453 ptr = realloc(as->val, sizeof(as->val[0]) * (as->len + 1));
455 hx509_set_error_string(context, 0, ENOMEM, "malloc out of memory");
460 ret = der_copy_oid(oid, &as->val[as->len].contentType);
462 as->val[as->len].content = calloc(1, sizeof(*as->val[0].content));
463 if (as->val[as->len].content == NULL) {
464 hx509_set_error_string(context, 0, ENOMEM, "malloc out of memory");
468 as->val[as->len].content->data = data;
469 as->val[as->len].content->length = length;
477 store_func(hx509_context context, void *ctx, hx509_cert c)
479 PKCS12_AuthenticatedSafe *as = ctx;
480 PKCS12_OctetString os;
485 memset(&os, 0, sizeof(os));
486 memset(&cb, 0, sizeof(cb));
491 ASN1_MALLOC_ENCODE(Certificate, os.data, os.length,
492 _hx509_get_cert(c), &size, ret);
495 ASN1_MALLOC_ENCODE(PKCS12_OctetString,
496 cb.certValue.data,cb.certValue.length,
501 ret = der_copy_oid(oid_id_pkcs_9_at_certTypes_x509(), &cb.certType);
503 free_PKCS12_CertBag(&cb);
506 ASN1_MALLOC_ENCODE(PKCS12_CertBag, os.data, os.length,
508 free(cb.certValue.data);
512 ret = addBag(context, as, oid_id_pkcs12_certBag(), os.data, os.length);
514 if (_hx509_cert_private_key_exportable(c)) {
515 hx509_private_key key = _hx509_cert_private_key(c);
516 PKCS8PrivateKeyInfo pki;
518 memset(&pki, 0, sizeof(pki));
520 ret = der_parse_hex_heim_integer("00", &pki.version);
523 ret = _hx509_private_key_oid(context, key,
524 &pki.privateKeyAlgorithm.algorithm);
526 free_PKCS8PrivateKeyInfo(&pki);
529 ret = _hx509_private_key_export(context,
530 _hx509_cert_private_key(c),
533 free_PKCS8PrivateKeyInfo(&pki);
536 /* set attribute, oid_id_pkcs_9_at_localKeyId() */
538 ASN1_MALLOC_ENCODE(PKCS8PrivateKeyInfo, os.data, os.length,
540 free_PKCS8PrivateKeyInfo(&pki);
544 ret = addBag(context, as, oid_id_pkcs12_keyBag(), os.data, os.length);
554 p12_store(hx509_context context,
555 hx509_certs certs, void *data, int flags, hx509_lock lock)
557 struct ks_pkcs12 *p12 = data;
559 PKCS12_AuthenticatedSafe as;
560 PKCS12_OctetString asdata;
564 memset(&as, 0, sizeof(as));
565 memset(&pfx, 0, sizeof(pfx));
567 ret = hx509_certs_iter(context, p12->certs, store_func, &as);
571 ASN1_MALLOC_ENCODE(PKCS12_AuthenticatedSafe, asdata.data, asdata.length,
573 free_PKCS12_AuthenticatedSafe(&as);
577 ret = der_parse_hex_heim_integer("03", &pfx.version);
583 pfx.authSafe.content = calloc(1, sizeof(*pfx.authSafe.content));
585 ASN1_MALLOC_ENCODE(PKCS12_OctetString,
586 pfx.authSafe.content->data,
587 pfx.authSafe.content->length,
588 &asdata, &size, ret);
593 ret = der_copy_oid(oid_id_pkcs7_data(), &pfx.authSafe.contentType);
597 ASN1_MALLOC_ENCODE(PKCS12_PFX, asdata.data, asdata.length,
603 const struct _hx509_password *pw;
605 pw = _hx509_lock_get_passwords(lock);
607 pfx.macData = calloc(1, sizeof(*pfx.macData));
608 if (pfx.macData == NULL) {
610 hx509_set_error_string(context, 0, ret, "malloc out of memory");
613 if (pfx.macData == NULL) {
618 ret = calculate_hash(&aspath, pw, pfx.macData);
621 rk_dumpdata(p12->fn, asdata.data, asdata.length);
625 free_PKCS12_AuthenticatedSafe(&as);
626 free_PKCS12_PFX(&pfx);
633 p12_free(hx509_certs certs, void *data)
635 struct ks_pkcs12 *p12 = data;
636 hx509_certs_free(&p12->certs);
643 p12_add(hx509_context context, hx509_certs certs, void *data, hx509_cert c)
645 struct ks_pkcs12 *p12 = data;
646 return hx509_certs_add(context, p12->certs, c);
650 p12_iter_start(hx509_context context,
655 struct ks_pkcs12 *p12 = data;
656 return hx509_certs_start_seq(context, p12->certs, cursor);
660 p12_iter(hx509_context context,
666 struct ks_pkcs12 *p12 = data;
667 return hx509_certs_next_cert(context, p12->certs, cursor, cert);
671 p12_iter_end(hx509_context context,
676 struct ks_pkcs12 *p12 = data;
677 return hx509_certs_end_seq(context, p12->certs, cursor);
680 static struct hx509_keyset_ops keyset_pkcs12 = {
694 _hx509_ks_pkcs12_register(hx509_context context)
696 _hx509_ks_register(context, &keyset_pkcs12);