/*
- * Copyright (c) 2005 - 2007 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
+ * Copyright (c) 2005 - 2007 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
*
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
*
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
*
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
#include "hx_locl.h"
-RCSID("$Id: ks_file.c 21314 2007-06-25 18:45:07Z lha $");
typedef enum { USE_PEM, USE_DER } outformat;
*/
static int
-parse_certificate(hx509_context context, const char *fn,
- struct hx509_collector *c,
+parse_certificate(hx509_context context, const char *fn,
+ struct hx509_collector *c,
const hx509_pem_header *headers,
- const void *data, size_t len)
+ const void *data, size_t len,
+ const AlgorithmIdentifier *ai)
{
hx509_cert cert;
int ret;
}
static int
-parse_rsa_private_key(hx509_context context, const char *fn,
- struct hx509_collector *c,
+parse_pkcs8_private_key(hx509_context context, const char *fn,
+ struct hx509_collector *c,
+ const hx509_pem_header *headers,
+ const void *data, size_t length,
+ const AlgorithmIdentifier *ai)
+{
+ PKCS8PrivateKeyInfo ki;
+ heim_octet_string keydata;
+
+ int ret;
+
+ ret = decode_PKCS8PrivateKeyInfo(data, length, &ki, NULL);
+ if (ret)
+ return ret;
+
+ keydata.data = rk_UNCONST(data);
+ keydata.length = length;
+
+ ret = _hx509_collector_private_key_add(context,
+ c,
+ &ki.privateKeyAlgorithm,
+ NULL,
+ &ki.privateKey,
+ &keydata);
+ free_PKCS8PrivateKeyInfo(&ki);
+ return ret;
+}
+
+static int
+parse_pem_private_key(hx509_context context, const char *fn,
+ struct hx509_collector *c,
const hx509_pem_header *headers,
- const void *data, size_t len)
+ const void *data, size_t len,
+ const AlgorithmIdentifier *ai)
{
int ret = 0;
const char *enc;
if (strcmp(enc, "4,ENCRYPTED") != 0) {
hx509_set_error_string(context, 0, HX509_PARSING_KEY_FAILED,
- "RSA key encrypted in unknown method %s "
+ "Private key encrypted in unknown method %s "
"in file",
enc, fn);
hx509_clear_error_string(context);
dek = hx509_pem_find_header(headers, "DEK-Info");
if (dek == NULL) {
hx509_set_error_string(context, 0, HX509_PARSING_KEY_FAILED,
- "Encrypted RSA missing DEK-Info");
+ "Encrypted private key missing DEK-Info");
return HX509_PARSING_KEY_FAILED;
}
if (cipher == NULL) {
free(ivdata);
hx509_set_error_string(context, 0, HX509_ALG_NOT_SUPP,
- "RSA key encrypted with "
+ "Private key encrypted with "
"unsupported cipher: %s",
type);
free(type);
if (ssize < 0 || ssize < PKCS5_SALT_LEN || ssize < EVP_CIPHER_iv_length(cipher)) {
free(ivdata);
hx509_set_error_string(context, 0, HX509_PARSING_KEY_FAILED,
- "Salt have wrong length in RSA key file");
+ "Salt have wrong length in "
+ "private key file");
return HX509_PARSING_KEY_FAILED;
}
password = pw->val[i];
passwordlen = strlen(password);
- ret = try_decrypt(context, c, hx509_signature_rsa(),
- cipher, ivdata, password, passwordlen,
- data, len);
+ ret = try_decrypt(context, c, ai, cipher, ivdata,
+ password, passwordlen, data, len);
if (ret == 0) {
decrypted = 1;
break;
ret = hx509_lock_prompt(lock, &prompt);
if (ret == 0)
- ret = try_decrypt(context, c, hx509_signature_rsa(),
- cipher, ivdata, password, strlen(password),
- data, len);
+ ret = try_decrypt(context, c, ai, cipher, ivdata, password,
+ strlen(password), data, len);
/* XXX add password to lock password collection ? */
memset(password, 0, sizeof(password));
}
keydata.data = rk_UNCONST(data);
keydata.length = len;
- ret = _hx509_collector_private_key_add(context,
- c,
- hx509_signature_rsa(),
- NULL,
- &keydata,
- NULL);
+ ret = _hx509_collector_private_key_add(context, c, ai, NULL,
+ &keydata, NULL);
}
return ret;
struct pem_formats {
const char *name;
- int (*func)(hx509_context, const char *, struct hx509_collector *,
- const hx509_pem_header *, const void *, size_t);
+ int (*func)(hx509_context, const char *, struct hx509_collector *,
+ const hx509_pem_header *, const void *, size_t,
+ const AlgorithmIdentifier *);
+ const AlgorithmIdentifier *(*ai)(void);
} formats[] = {
- { "CERTIFICATE", parse_certificate },
- { "RSA PRIVATE KEY", parse_rsa_private_key }
+ { "CERTIFICATE", parse_certificate, NULL },
+ { "PRIVATE KEY", parse_pkcs8_private_key, NULL },
+ { "RSA PRIVATE KEY", parse_pem_private_key, hx509_signature_rsa },
+ { "EC PRIVATE KEY", parse_pem_private_key, hx509_signature_ecPublicKey }
};
+struct pem_ctx {
+ int flags;
+ struct hx509_collector *c;
+};
+
static int
pem_func(hx509_context context, const char *type,
const hx509_pem_header *header,
const void *data, size_t len, void *ctx)
{
- struct hx509_collector *c = ctx;
- int ret, j;
+ struct pem_ctx *pem_ctx = (struct pem_ctx*)ctx;
+ int ret = 0, j;
for (j = 0; j < sizeof(formats)/sizeof(formats[0]); j++) {
const char *q = formats[j].name;
if (strcasecmp(type, q) == 0) {
- ret = (*formats[j].func)(context, NULL, c, header, data, len);
+ const AlgorithmIdentifier *ai = NULL;
+ if (formats[j].ai != NULL)
+ ai = (*formats[j].ai)();
+
+ ret = (*formats[j].func)(context, NULL, pem_ctx->c,
+ header, data, len, ai);
+ if (ret && (pem_ctx->flags & HX509_CERTS_UNPROTECT_ALL)) {
+ hx509_set_error_string(context, HX509_ERROR_APPEND, ret,
+ "Failed parseing PEM format %s", type);
+ return ret;
+ }
break;
}
}
static int
file_init_common(hx509_context context,
- hx509_certs certs, void **data, int flags,
+ hx509_certs certs, void **data, int flags,
const char *residue, hx509_lock lock, outformat format)
{
char *p, *pnext;
struct ks_file *f = NULL;
- struct hx509_collector *c = NULL;
hx509_private_key *keys = NULL;
int ret;
+ struct pem_ctx pem_ctx;
+
+ pem_ctx.flags = flags;
+ pem_ctx.c = NULL;
*data = NULL;
goto out;
}
- /*
+ /*
* XXX this is broken, the function should parse the file before
* overwriting it
*/
if (flags & HX509_CERTS_CREATE) {
- ret = hx509_certs_init(context, "MEMORY:ks-file-create",
+ ret = hx509_certs_init(context, "MEMORY:ks-file-create",
0, lock, &f->certs);
if (ret)
goto out;
return 0;
}
- ret = _hx509_collector_alloc(context, lock, &c);
+ ret = _hx509_collector_alloc(context, lock, &pem_ctx.c);
if (ret)
goto out;
for (p = f->fn; p != NULL; p = pnext) {
- FILE *f;
+ FILE *f2;
pnext = strchr(p, ',');
if (pnext)
*pnext++ = '\0';
- if ((f = fopen(p, "r")) == NULL) {
+ if ((f2 = fopen(p, "r")) == NULL) {
ret = ENOENT;
- hx509_set_error_string(context, 0, ret,
- "Failed to open PEM file \"%s\": %s",
+ hx509_set_error_string(context, 0, ret,
+ "Failed to open PEM file \"%s\": %s",
p, strerror(errno));
goto out;
}
+ rk_cloexec_file(f2);
- ret = hx509_pem_read(context, f, pem_func, c);
- fclose(f);
+ ret = hx509_pem_read(context, f2, pem_func, &pem_ctx);
+ fclose(f2);
if (ret != 0 && ret != HX509_PARSING_KEY_FAILED)
goto out;
else if (ret == HX509_PARSING_KEY_FAILED) {
void *ptr;
int i;
- ret = _hx509_map_file(p, &ptr, &length, NULL);
+ ret = rk_undumpdata(p, &ptr, &length);
if (ret) {
hx509_clear_error_string(context);
goto out;
}
for (i = 0; i < sizeof(formats)/sizeof(formats[0]); i++) {
- ret = (*formats[i].func)(context, p, c, NULL, ptr, length);
+ const AlgorithmIdentifier *ai = NULL;
+ if (formats[i].ai != NULL)
+ ai = (*formats[i].ai)();
+
+ ret = (*formats[i].func)(context, p, pem_ctx.c, NULL, ptr, length, ai);
if (ret == 0)
break;
}
- _hx509_unmap_file(ptr, length);
- if (ret)
+ rk_xfree(ptr);
+ if (ret) {
+ hx509_clear_error_string(context);
goto out;
+ }
}
}
- ret = _hx509_collector_collect_certs(context, c, &f->certs);
+ ret = _hx509_collector_collect_certs(context, pem_ctx.c, &f->certs);
if (ret)
goto out;
- ret = _hx509_collector_collect_private_keys(context, c, &keys);
+ ret = _hx509_collector_collect_private_keys(context, pem_ctx.c, &keys);
if (ret == 0) {
int i;
free(f->fn);
free(f);
}
- if (c)
- _hx509_collector_free(c);
+ if (pem_ctx.c)
+ _hx509_collector_free(pem_ctx.c);
+
return ret;
}
static int
file_init_pem(hx509_context context,
- hx509_certs certs, void **data, int flags,
+ hx509_certs certs, void **data, int flags,
const char *residue, hx509_lock lock)
{
return file_init_common(context, certs, data, flags, residue, lock, USE_PEM);
static int
file_init_der(hx509_context context,
- hx509_certs certs, void **data, int flags,
+ hx509_certs certs, void **data, int flags,
const char *residue, hx509_lock lock)
{
return file_init_common(context, certs, data, flags, residue, lock, USE_DER);
ret = hx509_cert_binary(context, c, &data);
if (ret)
return ret;
-
+
switch (sc->format) {
case USE_DER:
fwrite(data.data, data.length, 1, sc->f);
free(data.data);
break;
case USE_PEM:
- hx509_pem_write(context, "CERTIFICATE", NULL, sc->f,
+ hx509_pem_write(context, "CERTIFICATE", NULL, sc->f,
data.data, data.length);
free(data.data);
if (_hx509_cert_private_key_exportable(c)) {
}
static int
-file_store(hx509_context context,
+file_store(hx509_context context,
hx509_certs certs, void *data, int flags, hx509_lock lock)
{
struct ks_file *f = data;
"Failed to open file %s for writing");
return ENOENT;
}
+ rk_cloexec_file(sc.f);
sc.format = f->format;
ret = hx509_certs_iter(context, f->certs, store_func, &sc);
return ret;
}
-static int
+static int
file_add(hx509_context context, hx509_certs certs, void *data, hx509_cert c)
{
struct ks_file *f = data;
return hx509_certs_add(context, f->certs, c);
}
-static int
+static int
file_iter_start(hx509_context context,
hx509_certs certs, void *data, void **cursor)
{