1 /*
2 * This file is part of the openHiTLS project.
3 *
4 * openHiTLS is licensed under the Mulan PSL v2.
5 * You can use this software according to the terms and conditions of the Mulan PSL v2.
6 * You may obtain a copy of Mulan PSL v2 at:
7 *
8 * http://license.coscl.org.cn/MulanPSL2
9 *
10 * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND,
11 * EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT,
12 * MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE.
13 * See the Mulan PSL v2 for more details.
14 */
15
16 #include "hitls_build.h"
17 #ifdef HITLS_PKI_PKCS12
18 #include "bsl_sal.h"
19 #ifdef HITLS_BSL_SAL_FILE
20 #include "sal_file.h"
21 #endif
22 #include "securec.h"
23 #include "hitls_pki_errno.h"
24 #include "hitls_x509_local.h"
25 #include "hitls_cms_local.h"
26 #include "bsl_obj_internal.h"
27 #include "bsl_err_internal.h"
28 #include "crypt_encode_decode_key.h"
29 #include "crypt_eal_codecs.h"
30 #include "bsl_bytes.h"
31 #include "crypt_eal_md.h"
32 #include "hitls_pki_pkcs12.h"
33 #include "hitls_pkcs12_local.h"
34
35 #define HITLS_P12_CTX_SPECIFIC_TAG_EXTENSION 0
36
37 /* common Bag, including crl, cert, secret ... */
38 static BSL_ASN1_TemplateItem g_pk12CommonBagTempl[] = {
39 {BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SEQUENCE, 0, 0},
40 /* bagId */
41 {BSL_ASN1_TAG_OBJECT_ID, 0, 1},
42 /* bagValue */
43 {BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_CLASS_CTX_SPECIFIC | HITLS_P12_CTX_SPECIFIC_TAG_EXTENSION, 0, 1},
44 {BSL_ASN1_TAG_OCTETSTRING, 0, 2},
45 };
46
47 typedef enum {
48 HITLS_PKCS12_COMMON_SAFEBAG_OID_IDX,
49 HITLS_PKCS12_COMMON_SAFEBAG_BAGVALUES_IDX,
50 HITLS_PKCS12_COMMON_SAFEBAG_MAX_IDX,
51 } HITLS_PKCS12_COMMON_SAFEBAG_IDX;
52
53 /*
54 SafeBag ::= SEQUENCE {
55 bagId BAG-TYPE.&id ({PKCS12BagSet})
56 bagValue [0] EXPLICIT BAG-TYPE.&Type({PKCS12BagSet}{@bagId}),
57 bagAttributes SET OF PKCS12Attribute OPTIONAL
58 }
59 */
60 static BSL_ASN1_TemplateItem g_pk12SafeBagTempl[] = {
61 /* bagId */
62 {BSL_ASN1_TAG_OBJECT_ID, BSL_ASN1_FLAG_DEFAULT, 0},
63 /* bagValue */
64 {BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_CLASS_CTX_SPECIFIC | HITLS_P12_CTX_SPECIFIC_TAG_EXTENSION,
65 BSL_ASN1_FLAG_HEADERONLY, 0},
66 /* bagAttributes */
67 {BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SET, BSL_ASN1_FLAG_HEADERONLY | BSL_ASN1_FLAG_OPTIONAL, 0},
68 };
69
70 typedef enum {
71 HITLS_PKCS12_SAFEBAG_OID_IDX,
72 HITLS_PKCS12_SAFEBAG_BAGVALUES_IDX,
73 HITLS_PKCS12_SAFEBAG_BAGATTRIBUTES_IDX,
74 HITLS_PKCS12_SAFEBAG_MAX_IDX,
75 } HITLS_PKCS12_SAFEBAG_IDX;
76
77 /*
78 * Defined in RFC 2531
79 * ContentInfo ::= SEQUENCE {
80 * contentType ContentType,
81 * content [0] EXPLICIT ANY DEFINED BY contentType OPTIONAL
82 * }
83 */
84 static BSL_ASN1_TemplateItem g_pk12ContentInfoTempl[] = {
85 /* content type */
86 {BSL_ASN1_TAG_OBJECT_ID, BSL_ASN1_FLAG_DEFAULT, 0},
87 /* content */
88 {BSL_ASN1_CLASS_CTX_SPECIFIC | BSL_ASN1_TAG_CONSTRUCTED | HITLS_P12_CTX_SPECIFIC_TAG_EXTENSION,
89 BSL_ASN1_FLAG_HEADERONLY | BSL_ASN1_FLAG_OPTIONAL, 0},
90 };
91
92 typedef enum {
93 HITLS_PKCS12_CONTENT_OID_IDX,
94 HITLS_PKCS12_CONTENT_VALUE_IDX,
95 HITLS_PKCS12_CONTENT_MAX_IDX,
96 } HITLS_PKCS12_CONTENT_IDX;
97
98 /*
99 * MacData ::= SEQUENCE {
100 * mac DigestInfo,
101 * macSalt OCTET STRING,
102 * iterations INTEGER DEFAULT 1
103 * -- Note: The default is for historical reasons and its
104 * -- use is deprecated.
105 * }
106 */
107 static BSL_ASN1_TemplateItem g_p12MacDataTempl[] = {
108 /* DigestInfo */
109 {BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SEQUENCE, BSL_ASN1_FLAG_HEADERONLY, 0},
110 /* macSalt */
111 {BSL_ASN1_TAG_OCTETSTRING, 0, 0},
112 /* iterations */
113 {BSL_ASN1_TAG_INTEGER, 0, 0},
114 };
115
116 typedef enum {
117 HITLS_PKCS12_MACDATA_DIGESTINFO_IDX,
118 HITLS_PKCS12_MACDATA_SALT_IDX,
119 HITLS_PKCS12_MACDATA_ITER_IDX,
120 HITLS_PKCS12_MACDATA_MAX_IDX,
121 } HITLS_PKCS12_MACDATA_IDX;
122
123 /*
124 * PFX ::= SEQUENCE {
125 * version INTEGER {v3(3)}(v3,...),
126 * authSafe ContentInfo,
127 * macData MacData OPTIONAL
128 * }
129 */
130 static BSL_ASN1_TemplateItem g_p12TopLevelTempl[] = {
131 {BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SEQUENCE, 0, 0}, /* pkcs12 */
132 /* version */
133 {BSL_ASN1_TAG_INTEGER, 0, 1}, /* tbs */
134 /* authSafe */
135 {BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SEQUENCE, BSL_ASN1_FLAG_HEADERONLY, 1},
136 /* macData */
137 {BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SEQUENCE, BSL_ASN1_FLAG_HEADERONLY | BSL_ASN1_FLAG_OPTIONAL, 1},
138 };
139
140 typedef enum {
141 HITLS_PKCS12_TOPLEVEL_VERSION_IDX,
142 HITLS_PKCS12_TOPLEVEL_AUTHSAFE_IDX,
143 HITLS_PKCS12_TOPLEVEL_MACDATA_IDX,
144 HITLS_PKCS12_TOPLEVEL_MAX_IDX,
145 } HITLS_PKCS12_TOPLEVEL_IDX;
146
147 #ifdef HITLS_PKI_PKCS12_PARSE
148 /* parse bags, and revoker already knows they are one of CommonBags */
ParseCommonSafeBag(BSL_Buffer * buffer,HITLS_PKCS12_CommonSafeBag * bag)149 static int32_t ParseCommonSafeBag(BSL_Buffer *buffer, HITLS_PKCS12_CommonSafeBag *bag)
150 {
151 uint8_t *temp = buffer->data;
152 uint32_t tempLen = buffer->dataLen;
153 BSL_ASN1_Buffer asnArr[HITLS_PKCS12_COMMON_SAFEBAG_MAX_IDX] = {0};
154 BSL_ASN1_Template templ = {g_pk12CommonBagTempl, sizeof(g_pk12CommonBagTempl) / sizeof(g_pk12CommonBagTempl[0])};
155 int32_t ret = BSL_ASN1_DecodeTemplate(&templ, NULL,
156 &temp, &tempLen, asnArr, HITLS_PKCS12_COMMON_SAFEBAG_MAX_IDX);
157 if (ret != BSL_SUCCESS) {
158 BSL_ERR_PUSH_ERROR(ret);
159 return ret;
160 }
161 BslOidString oidStr = {asnArr[HITLS_PKCS12_COMMON_SAFEBAG_OID_IDX].len,
162 (char *)asnArr[HITLS_PKCS12_COMMON_SAFEBAG_OID_IDX].buff, 0};
163 BslCid cid = BSL_OBJ_GetCID(&oidStr);
164 if (cid == BSL_CID_UNKNOWN) {
165 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_PARSE_TYPE);
166 return HITLS_PKCS12_ERR_PARSE_TYPE;
167 }
168 bag->bagId = cid;
169 bag->bagValue = BSL_SAL_Malloc(sizeof(BSL_Buffer));
170 if (bag->bagValue == NULL) {
171 BSL_ERR_PUSH_ERROR(BSL_MALLOC_FAIL);
172 return BSL_MALLOC_FAIL;
173 }
174 bag->bagValue->data = asnArr[HITLS_PKCS12_COMMON_SAFEBAG_BAGVALUES_IDX].buff;
175 bag->bagValue->dataLen = asnArr[HITLS_PKCS12_COMMON_SAFEBAG_BAGVALUES_IDX].len;
176 return HITLS_PKI_SUCCESS;
177 }
178
179 /* Convert commonBags to the cert */
ConvertCertBag(HITLS_PKCS12_CommonSafeBag * bag,HITLS_X509_Cert ** cert)180 static int32_t ConvertCertBag(HITLS_PKCS12_CommonSafeBag *bag, HITLS_X509_Cert **cert)
181 {
182 if (bag == NULL) {
183 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_NULL_POINTER);
184 return HITLS_PKCS12_ERR_NULL_POINTER;
185 }
186 if (bag->bagId != BSL_CID_X509CERTIFICATE) {
187 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_INVALID_CERTYPES);
188 return HITLS_PKCS12_ERR_INVALID_CERTYPES;
189 }
190 return HITLS_X509_CertParseBuff(BSL_FORMAT_ASN1, bag->bagValue, cert);
191 }
192
DecodeFriendlyName(BSL_ASN1_Buffer * buffer,BSL_Buffer * output)193 static int32_t DecodeFriendlyName(BSL_ASN1_Buffer *buffer, BSL_Buffer *output)
194 {
195 uint8_t *temp = buffer->buff;
196 uint32_t tempLen = buffer->len;
197 uint32_t valueLen = buffer->len;
198 int32_t ret = BSL_ASN1_DecodeTagLen(BSL_ASN1_TAG_BMPSTRING, &temp, &tempLen, &valueLen);
199 if (ret != BSL_SUCCESS) {
200 BSL_ERR_PUSH_ERROR(ret);
201 return ret;
202 }
203 BSL_ASN1_Buffer input = {
204 .buff = temp,
205 .len = valueLen,
206 .tag = BSL_ASN1_TAG_BMPSTRING,
207 };
208 BSL_ASN1_Buffer decode = {0};
209 ret = BSL_ASN1_DecodePrimitiveItem(&input, &decode);
210 if (ret != BSL_SUCCESS) {
211 BSL_ERR_PUSH_ERROR(ret);
212 return ret;
213 }
214 output->data = decode.buff;
215 output->dataLen = decode.len;
216 return ret;
217 }
218
ConvertAttributes(BslCid cid,BSL_ASN1_Buffer * buffer,BSL_Buffer * output)219 static int32_t ConvertAttributes(BslCid cid, BSL_ASN1_Buffer *buffer, BSL_Buffer *output)
220 {
221 int32_t ret;
222 uint8_t *temp = buffer->buff;
223 uint32_t tempLen = buffer->len;
224 uint32_t valueLen = buffer->len;
225 switch (cid) {
226 case BSL_CID_FRIENDLYNAME:
227 return DecodeFriendlyName(buffer, output);
228 case BSL_CID_LOCALKEYID:
229 ret = BSL_ASN1_DecodeTagLen(BSL_ASN1_TAG_OCTETSTRING, &temp, &tempLen, &valueLen);
230 if (ret != BSL_SUCCESS) {
231 BSL_ERR_PUSH_ERROR(ret);
232 return ret;
233 }
234 output->data = BSL_SAL_Dump(temp, valueLen);
235 if (output->data == NULL) {
236 BSL_ERR_PUSH_ERROR(BSL_DUMP_FAIL);
237 return BSL_DUMP_FAIL;
238 }
239 output->dataLen = valueLen;
240 return HITLS_PKI_SUCCESS;
241 default:
242 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_INVALID_SAFEBAG_ATTRIBUTES);
243 return HITLS_PKCS12_ERR_INVALID_SAFEBAG_ATTRIBUTES;
244 }
245 }
246
X509_ParseP12AttrItem(BslList * attrList,HITLS_X509_AttrEntry * attrEntry)247 static int32_t X509_ParseP12AttrItem(BslList *attrList, HITLS_X509_AttrEntry *attrEntry)
248 {
249 HITLS_PKCS12_SafeBagAttr attr = {0};
250 attr.attrId = attrEntry->cid;
251 int32_t ret = ConvertAttributes(attrEntry->cid, &attrEntry->attrValue, &attr.attrValue);
252 if (ret != HITLS_PKI_SUCCESS) {
253 BSL_ERR_PUSH_ERROR(ret);
254 return ret;
255 }
256 ret = HITLS_X509_AddListItemDefault(&attr, sizeof(HITLS_PKCS12_SafeBagAttr), attrList);
257 if (ret != BSL_SUCCESS) {
258 BSL_ERR_PUSH_ERROR(ret);
259 BSL_SAL_Free(attr.attrValue.data);
260 }
261 return ret;
262 }
263
HITLS_PKCS12_ParseSafeBagAttr(BSL_ASN1_Buffer * attrBuff,HITLS_X509_Attrs * attrList)264 int32_t HITLS_PKCS12_ParseSafeBagAttr(BSL_ASN1_Buffer *attrBuff, HITLS_X509_Attrs *attrList)
265 {
266 return HITLS_X509_ParseAttrList(attrBuff, attrList, X509_ParseP12AttrItem, HITLS_PKCS12_AttributesFree);
267 }
268
269 /*
270 * Parse the 'safeBag' of p12. This interface only parses the outermost layer and attributes of safeBag,
271 * others are handed over to the next layer for parsing
272 */
ParseSafeBag(BSL_Buffer * buffer,HITLS_PKCS12_SafeBag * safeBag)273 static int32_t ParseSafeBag(BSL_Buffer *buffer, HITLS_PKCS12_SafeBag *safeBag)
274 {
275 uint8_t *temp = buffer->data;
276 uint32_t tempLen = buffer->dataLen;
277 BSL_ASN1_Template templ = {g_pk12SafeBagTempl, sizeof(g_pk12SafeBagTempl) / sizeof(g_pk12SafeBagTempl[0])};
278 BSL_ASN1_Buffer asnArr[HITLS_PKCS12_SAFEBAG_MAX_IDX] = {0};
279 int32_t ret = BSL_ASN1_DecodeTemplate(&templ, NULL, &temp, &tempLen, asnArr, HITLS_PKCS12_SAFEBAG_MAX_IDX);
280 if (ret != BSL_SUCCESS) {
281 BSL_ERR_PUSH_ERROR(ret);
282 return ret;
283 }
284
285 BslOidString oid = {asnArr[HITLS_PKCS12_SAFEBAG_OID_IDX].len, (char *)asnArr[HITLS_PKCS12_SAFEBAG_OID_IDX].buff, 0};
286 BslCid cid = BSL_OBJ_GetCID(&oid);
287 if (cid == BSL_CID_UNKNOWN) {
288 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_INVALID_SAFEBAG_TYPE);
289 return HITLS_PKCS12_ERR_INVALID_SAFEBAG_TYPE;
290 }
291 HITLS_X509_Attrs *attributes = NULL;
292 BSL_Buffer *bag = BSL_SAL_Calloc(1u, sizeof(BSL_Buffer));
293 if (bag == NULL) {
294 BSL_ERR_PUSH_ERROR(BSL_MALLOC_FAIL);
295 return BSL_MALLOC_FAIL;
296 }
297
298 bag->data = BSL_SAL_Dump(asnArr[HITLS_PKCS12_SAFEBAG_BAGVALUES_IDX].buff,
299 asnArr[HITLS_PKCS12_SAFEBAG_BAGVALUES_IDX].len);
300 if (bag->data == NULL) {
301 ret = BSL_DUMP_FAIL;
302 BSL_ERR_PUSH_ERROR(ret);
303 goto ERR;
304 }
305 bag->dataLen = asnArr[HITLS_PKCS12_SAFEBAG_BAGVALUES_IDX].len;
306 attributes = HITLS_X509_AttrsNew();
307 if (attributes == NULL) {
308 ret = BSL_MALLOC_FAIL;
309 BSL_ERR_PUSH_ERROR(ret);
310 goto ERR;
311 }
312 ret = HITLS_PKCS12_ParseSafeBagAttr(asnArr + HITLS_PKCS12_SAFEBAG_BAGATTRIBUTES_IDX, attributes);
313 if (ret != HITLS_PKI_SUCCESS) {
314 BSL_ERR_PUSH_ERROR(ret);
315 goto ERR;
316 }
317 safeBag->attributes = attributes;
318 safeBag->bagId = cid;
319 safeBag->bag = bag;
320 return ret;
321 ERR:
322 BSL_SAL_FREE(bag->data);
323 BSL_SAL_FREE(bag);
324 HITLS_X509_AttrsFree(attributes, HITLS_PKCS12_AttributesFree);
325 return ret;
326 }
327
ParsePKCS8ShroudedKeyBags(HITLS_PKCS12 * p12,const uint8_t * pwd,uint32_t pwdlen,HITLS_PKCS12_SafeBag * safeBag)328 static int32_t ParsePKCS8ShroudedKeyBags(HITLS_PKCS12 *p12, const uint8_t *pwd, uint32_t pwdlen,
329 HITLS_PKCS12_SafeBag *safeBag)
330 {
331 CRYPT_EAL_PkeyCtx *prikey = NULL;
332 const BSL_Buffer pwdBuff = {(uint8_t *)(uintptr_t)pwd, pwdlen};
333 int32_t ret = CRYPT_EAL_ProviderDecodeBuffKey(p12->libCtx, p12->attrName, BSL_CID_UNKNOWN, "ASN1",
334 "PRIKEY_PKCS8_ENCRYPT", safeBag->bag, &pwdBuff, &prikey);
335 if (ret != HITLS_PKI_SUCCESS) {
336 BSL_ERR_PUSH_ERROR(ret);
337 return ret;
338 }
339 HITLS_PKCS12_Bag *keyBag = HITLS_PKCS12_BagNew(BSL_CID_PKCS8SHROUDEDKEYBAG, 0, prikey);
340 CRYPT_EAL_PkeyFreeCtx(prikey);
341 if (keyBag == NULL) {
342 BSL_ERR_PUSH_ERROR(BSL_MALLOC_FAIL);
343 return BSL_MALLOC_FAIL;
344 }
345 keyBag->attributes = safeBag->attributes;
346 safeBag->attributes = NULL;
347 p12->key = keyBag;
348 return HITLS_PKI_SUCCESS;
349 }
350
ParseCertBagAndAddList(HITLS_PKCS12 * p12,HITLS_PKCS12_SafeBag * safeBag)351 static int32_t ParseCertBagAndAddList(HITLS_PKCS12 *p12, HITLS_PKCS12_SafeBag *safeBag)
352 {
353 HITLS_PKCS12_CommonSafeBag bag = {0};
354 int32_t ret = ParseCommonSafeBag(safeBag->bag, &bag);
355 if (ret != HITLS_PKI_SUCCESS) {
356 BSL_ERR_PUSH_ERROR(ret);
357 return ret;
358 }
359 HITLS_X509_Cert *cert = NULL;
360 ret = ConvertCertBag(&bag, &cert);
361 BSL_SAL_FREE(bag.bagValue);
362 if (ret != HITLS_PKI_SUCCESS) {
363 BSL_ERR_PUSH_ERROR(ret);
364 return ret;
365 }
366 HITLS_PKCS12_Bag *bagData = BSL_SAL_Malloc(sizeof(HITLS_PKCS12_Bag));
367 if (bagData == NULL) {
368 HITLS_X509_CertFree(cert);
369 BSL_ERR_PUSH_ERROR(BSL_MALLOC_FAIL);
370 return BSL_MALLOC_FAIL;
371 }
372 bagData->attributes = safeBag->attributes;
373 bagData->value.cert = cert;
374 bagData->type = BSL_CID_CERTBAG;
375 ret = BSL_LIST_AddElement(p12->certList, bagData, BSL_LIST_POS_END);
376 if (ret != BSL_SUCCESS) {
377 bagData->attributes = NULL;
378 BSL_SAL_Free(bagData);
379 HITLS_X509_CertFree(cert);
380 BSL_ERR_PUSH_ERROR(ret);
381 }
382 safeBag->attributes = NULL;
383 return ret;
384 }
385
386 /* Parse a SafeBag to the data we need, such as a private key, etc */
HITLS_PKCS12_ConvertSafeBag(HITLS_PKCS12_SafeBag * safeBag,const uint8_t * pwd,uint32_t pwdlen,HITLS_PKCS12 * p12)387 int32_t HITLS_PKCS12_ConvertSafeBag(HITLS_PKCS12_SafeBag *safeBag, const uint8_t *pwd, uint32_t pwdlen,
388 HITLS_PKCS12 *p12)
389 {
390 if (safeBag == NULL) {
391 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_NULL_POINTER);
392 return HITLS_PKCS12_ERR_NULL_POINTER;
393 }
394 switch (safeBag->bagId) {
395 case BSL_CID_PKCS8SHROUDEDKEYBAG:
396 if (p12->key != NULL) {
397 return HITLS_PKI_SUCCESS;
398 }
399 return ParsePKCS8ShroudedKeyBags(p12, pwd, pwdlen, safeBag);
400 case BSL_CID_CERTBAG:
401 return ParseCertBagAndAddList(p12, safeBag);
402 default:
403 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_INVALID_SAFEBAG_TYPE);
404 return HITLS_PKCS12_ERR_INVALID_SAFEBAG_TYPE;
405 }
406 }
407
HITLS_PKCS12_ParseContentInfo(HITLS_PKI_LibCtx * libCtx,const char * attrName,BSL_Buffer * encode,const uint8_t * password,uint32_t passLen,BSL_Buffer * data)408 int32_t HITLS_PKCS12_ParseContentInfo(HITLS_PKI_LibCtx *libCtx, const char *attrName, BSL_Buffer *encode,
409 const uint8_t *password, uint32_t passLen, BSL_Buffer *data)
410 {
411 uint8_t *temp = encode->data;
412 uint32_t tempLen = encode->dataLen;
413 BSL_ASN1_Template templ = {g_pk12ContentInfoTempl,
414 sizeof(g_pk12ContentInfoTempl) / sizeof(g_pk12ContentInfoTempl[0])};
415 BSL_ASN1_Buffer asnArr[HITLS_PKCS12_CONTENT_MAX_IDX] = {0};
416 int32_t ret = BSL_ASN1_DecodeTemplate(&templ, NULL, &temp, &tempLen, asnArr, HITLS_PKCS12_CONTENT_MAX_IDX);
417 if (ret != BSL_SUCCESS) {
418 BSL_ERR_PUSH_ERROR(ret);
419 return ret;
420 }
421 BslOidString oid = {asnArr[HITLS_PKCS12_CONTENT_OID_IDX].len, (char *)asnArr[HITLS_PKCS12_CONTENT_OID_IDX].buff, 0};
422 BslCid cid = BSL_OBJ_GetCID(&oid);
423 if (cid == BSL_CID_UNKNOWN) {
424 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_INVALID_SAFEBAG_TYPE);
425 return HITLS_PKCS12_ERR_INVALID_SAFEBAG_TYPE;
426 }
427 BSL_Buffer asnArrData = {asnArr[HITLS_PKCS12_CONTENT_VALUE_IDX].buff, asnArr[HITLS_PKCS12_CONTENT_VALUE_IDX].len};
428 switch (cid) {
429 case BSL_CID_PKCS7_SIMPLEDATA:
430 return HITLS_CMS_ParseAsn1Data(&asnArrData, data);
431 case BSL_CID_PKCS7_ENCRYPTEDDATA:
432 return CRYPT_EAL_ParseAsn1PKCS7EncryptedData(libCtx, attrName, &asnArrData, password, passLen, data);
433 default:
434 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_INVALID_SAFEBAG_TYPE);
435 return HITLS_PKCS12_ERR_INVALID_SAFEBAG_TYPE;
436 }
437 }
438
439 /* Parse each safeBag from list, and extract the data we need, such as a private key, etc */
HITLS_PKCS12_ParseSafeBagList(BSL_ASN1_List * bagList,const uint8_t * password,uint32_t passLen,HITLS_PKCS12 * p12)440 int32_t HITLS_PKCS12_ParseSafeBagList(BSL_ASN1_List *bagList, const uint8_t *password,
441 uint32_t passLen, HITLS_PKCS12 *p12)
442 {
443 if (BSL_LIST_COUNT(bagList) == 0) {
444 return HITLS_PKI_SUCCESS;
445 }
446 int32_t ret;
447 HITLS_PKCS12_SafeBag *node = BSL_LIST_GET_FIRST(bagList);
448 while (node != NULL) {
449 ret = HITLS_PKCS12_ConvertSafeBag(node, password, passLen, p12);
450 if (ret != HITLS_PKI_SUCCESS) {
451 BSL_ERR_PUSH_ERROR(ret);
452 return ret;
453 }
454 node = BSL_LIST_GET_NEXT(bagList);
455 }
456 return HITLS_PKI_SUCCESS;
457 }
458
FindLocatedId(HITLS_X509_Attrs * attributes)459 static BSL_Buffer *FindLocatedId(HITLS_X509_Attrs *attributes)
460 {
461 if (attributes == NULL) {
462 return NULL;
463 }
464 HITLS_PKCS12_SafeBagAttr *node = BSL_LIST_GET_FIRST(attributes->list);
465 while (node != NULL) {
466 if (node->attrId == BSL_CID_LOCALKEYID) {
467 return &node->attrValue;
468 }
469 node = BSL_LIST_GET_NEXT(attributes->list);
470 }
471 return NULL;
472 }
473
SetEntityCert(HITLS_PKCS12 * p12)474 static int32_t SetEntityCert(HITLS_PKCS12 *p12)
475 {
476 if (p12->key == NULL) {
477 return HITLS_PKI_SUCCESS;
478 }
479
480 BSL_Buffer *keyId = FindLocatedId(p12->key->attributes);
481 if (keyId == NULL) {
482 return HITLS_PKI_SUCCESS;
483 }
484
485 BSL_ASN1_List *bags = p12->certList;
486 HITLS_PKCS12_Bag *node = BSL_LIST_GET_FIRST(bags);
487 while (node != NULL) {
488 BSL_Buffer *certId = FindLocatedId(node->attributes);
489 if (certId != NULL && certId->dataLen == keyId->dataLen &&
490 memcmp(certId->data, keyId->data, keyId->dataLen) == 0) {
491 HITLS_PKCS12_Bag *certBag = HITLS_PKCS12_BagNew(BSL_CID_CERTBAG, BSL_CID_X509CERTIFICATE, node->value.cert);
492 if (certBag == NULL) {
493 BSL_ERR_PUSH_ERROR(BSL_MALLOC_FAIL);
494 return BSL_MALLOC_FAIL;
495 }
496 HITLS_X509_CertFree(node->value.cert); // This node will be released immediately.
497 certBag->attributes = node->attributes;
498 certBag->type = BSL_CID_CERTBAG;
499 p12->entityCert = certBag;
500 BSL_LIST_DeleteCurrent(bags, NULL);
501 return HITLS_PKI_SUCCESS;
502 }
503 node = BSL_LIST_GET_NEXT(bags);
504 }
505 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_NO_ENTITYCERT);
506 return HITLS_PKCS12_ERR_NO_ENTITYCERT;
507 }
508
ParseSafeBagList(HITLS_PKI_LibCtx * libCtx,const char * attrName,BSL_Buffer * node,const uint8_t * password,uint32_t passLen,BSL_ASN1_List * bagLists)509 static int32_t ParseSafeBagList(HITLS_PKI_LibCtx *libCtx, const char *attrName, BSL_Buffer *node,
510 const uint8_t *password, uint32_t passLen, BSL_ASN1_List *bagLists)
511 {
512 BSL_Buffer safeContent = {0};
513 int32_t ret = HITLS_PKCS12_ParseContentInfo(libCtx, attrName, node, password, passLen, &safeContent);
514 if (ret != HITLS_PKI_SUCCESS) {
515 BSL_ERR_PUSH_ERROR(ret);
516 return ret;
517 }
518 ret = HITLS_PKCS12_ParseAsn1AddList(&safeContent, bagLists, BSL_CID_SAFECONTENTSBAG);
519 BSL_SAL_Free(safeContent.data);
520 if (ret != HITLS_PKI_SUCCESS) {
521 BSL_ERR_PUSH_ERROR(ret);
522 }
523 return ret;
524 }
525
526 // The caller guarantees that the input is not empty.
HITLS_PKCS12_ParseAuthSafeData(BSL_Buffer * encode,const uint8_t * password,uint32_t passLen,HITLS_PKCS12 * p12)527 int32_t HITLS_PKCS12_ParseAuthSafeData(BSL_Buffer *encode, const uint8_t *password, uint32_t passLen,
528 HITLS_PKCS12 *p12)
529 {
530 BSL_ASN1_List *bagLists = NULL;
531 BSL_Buffer *node = NULL;
532 BSL_ASN1_List *contentList = BSL_LIST_New(sizeof(BSL_Buffer));
533 if (contentList == NULL) {
534 BSL_ERR_PUSH_ERROR(BSL_MALLOC_FAIL);
535 return BSL_MALLOC_FAIL;
536 }
537 int32_t ret = HITLS_PKCS12_ParseAsn1AddList(encode, contentList, BSL_CID_PKCS7_CONTENTINFO);
538 if (ret != HITLS_PKI_SUCCESS) {
539 BSL_ERR_PUSH_ERROR(ret);
540 goto ERR;
541 }
542
543 bagLists = BSL_LIST_New(sizeof(HITLS_PKCS12_SafeBag));
544 if (bagLists == NULL) {
545 ret = BSL_MALLOC_FAIL;
546 BSL_ERR_PUSH_ERROR(ret);
547 goto ERR;
548 }
549
550 node = BSL_LIST_GET_FIRST(contentList);
551 while (node != NULL) {
552 ret = ParseSafeBagList(p12->libCtx, p12->attrName, node, password, passLen, bagLists);
553 if (ret != HITLS_PKI_SUCCESS) {
554 goto ERR;
555 }
556 node = BSL_LIST_GET_NEXT(contentList);
557 }
558 ret = HITLS_PKCS12_ParseSafeBagList(bagLists, password, passLen, p12);
559 if (ret != HITLS_PKI_SUCCESS) {
560 goto ERR;
561 }
562 ret = SetEntityCert(p12);
563 ERR:
564 BSL_LIST_FREE(bagLists, (BSL_LIST_PFUNC_FREE)HITLS_PKCS12_SafeBagFree);
565 BSL_LIST_FREE(contentList, NULL);
566 return ret;
567 }
568
ParseContentInfoAsnItem(uint32_t layer,BSL_ASN1_Buffer * asn,void * param,BSL_ASN1_List * list)569 static int32_t ParseContentInfoAsnItem(uint32_t layer, BSL_ASN1_Buffer *asn, void *param,
570 BSL_ASN1_List *list)
571 {
572 (void) param;
573 if (layer == 1) {
574 return HITLS_PKI_SUCCESS;
575 }
576 BSL_Buffer buffer = {asn->buff, asn->len};
577 return HITLS_X509_AddListItemDefault(&buffer, sizeof(BSL_Buffer), list);
578 }
579
ParseSafeContentAsnItem(uint32_t layer,BSL_ASN1_Buffer * asn,void * param,BSL_ASN1_List * list)580 static int32_t ParseSafeContentAsnItem(uint32_t layer, BSL_ASN1_Buffer *asn, void *param,
581 BSL_ASN1_List *list)
582 {
583 (void) param;
584 if (layer == 1) {
585 return HITLS_PKI_SUCCESS;
586 }
587 BSL_Buffer buffer = {asn->buff, asn->len};
588 HITLS_PKCS12_SafeBag safeBag = {0};
589 int32_t ret = ParseSafeBag(&buffer, &safeBag);
590 if (ret != HITLS_PKI_SUCCESS) {
591 BSL_ERR_PUSH_ERROR(ret);
592 return ret;
593 }
594 ret = HITLS_X509_AddListItemDefault(&safeBag, sizeof(HITLS_PKCS12_SafeBag), list);
595 if (ret != HITLS_PKI_SUCCESS) {
596 BSL_SAL_FREE(safeBag.bag);
597 BSL_ERR_PUSH_ERROR(ret);
598 }
599 return ret;
600 }
601
HITLS_PKCS12_ParseAsn1AddList(BSL_Buffer * encode,BSL_ASN1_List * list,uint32_t parseType)602 int32_t HITLS_PKCS12_ParseAsn1AddList(BSL_Buffer *encode, BSL_ASN1_List *list, uint32_t parseType)
603 {
604 if (encode == NULL || encode->data == NULL || list == NULL) {
605 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_NULL_POINTER);
606 return HITLS_PKCS12_ERR_NULL_POINTER;
607 }
608
609 uint8_t expTag[] = {BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SEQUENCE,
610 BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SEQUENCE};
611 BSL_ASN1_DecodeListParam listParam = {2, expTag};
612 BSL_ASN1_Buffer asn = {
613 BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SEQUENCE,
614 encode->dataLen,
615 encode->data,
616 };
617 int32_t ret;
618 switch (parseType) {
619 case BSL_CID_PKCS7_CONTENTINFO:
620 ret = BSL_ASN1_DecodeListItem(&listParam, &asn, &ParseContentInfoAsnItem, NULL, list);
621 if (ret != BSL_SUCCESS) {
622 BSL_ERR_PUSH_ERROR(ret); // Resources are released by the caller.
623 }
624 return ret;
625
626 case BSL_CID_SAFECONTENTSBAG:
627 ret = BSL_ASN1_DecodeListItem(&listParam, &asn, &ParseSafeContentAsnItem, NULL, list);
628 if (ret != BSL_SUCCESS) {
629 BSL_ERR_PUSH_ERROR(ret); // Resources are released by the caller.
630 }
631 return ret;
632 default:
633 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_INVALID_SAFEBAG_TYPE);
634 return HITLS_PKCS12_ERR_INVALID_SAFEBAG_TYPE;
635 }
636 }
637
HITLS_PKCS12_ParseMacData(BSL_Buffer * encode,HITLS_PKCS12_MacData * macData)638 int32_t HITLS_PKCS12_ParseMacData(BSL_Buffer *encode, HITLS_PKCS12_MacData *macData)
639 {
640 if (encode == NULL || encode->data == NULL || encode->dataLen == 0) {
641 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_NULL_POINTER);
642 return HITLS_PKCS12_ERR_NULL_POINTER;
643 }
644
645 uint8_t *temp = encode->data;
646 uint32_t tempLen = encode->dataLen;
647 BSL_ASN1_Buffer asn1[HITLS_PKCS12_MACDATA_MAX_IDX] = {0};
648 BSL_ASN1_Template templ = {g_p12MacDataTempl, sizeof(g_p12MacDataTempl) / sizeof(g_p12MacDataTempl[0])};
649 int32_t ret = BSL_ASN1_DecodeTemplate(&templ, NULL, &temp, &tempLen, asn1, HITLS_PKCS12_MACDATA_MAX_IDX);
650 if (ret != BSL_SUCCESS) {
651 BSL_ERR_PUSH_ERROR(ret);
652 return ret;
653 }
654
655 BSL_Buffer mac = {0};
656 BSL_Buffer digestInfo = {asn1[HITLS_PKCS12_MACDATA_DIGESTINFO_IDX].buff,
657 asn1[HITLS_PKCS12_MACDATA_DIGESTINFO_IDX].len};
658 BslCid cid = BSL_CID_UNKNOWN;
659 ret = HITLS_CMS_ParseDigestInfo(&digestInfo, &cid, &mac);
660 if (ret != BSL_SUCCESS) {
661 BSL_ERR_PUSH_ERROR(ret);
662 return ret;
663 }
664 uint8_t *salt = BSL_SAL_Dump(asn1[HITLS_PKCS12_MACDATA_SALT_IDX].buff, asn1[HITLS_PKCS12_MACDATA_SALT_IDX].len);
665 if (salt == NULL) {
666 BSL_SAL_Free(mac.data);
667 BSL_ERR_PUSH_ERROR(BSL_DUMP_FAIL);
668 return BSL_DUMP_FAIL;
669 }
670 uint32_t iter = 0;
671 ret = BSL_ASN1_DecodePrimitiveItem(&asn1[HITLS_PKCS12_MACDATA_ITER_IDX], &iter);
672 if (ret != HITLS_PKI_SUCCESS) {
673 BSL_SAL_Free(mac.data);
674 BSL_SAL_Free(salt);
675 BSL_ERR_PUSH_ERROR(ret);
676 return ret;
677 }
678 macData->mac->data = mac.data;
679 macData->mac->dataLen = mac.dataLen;
680 macData->alg = cid;
681 macData->macSalt->data = salt;
682 macData->macSalt->dataLen = asn1[HITLS_PKCS12_MACDATA_SALT_IDX].len;
683 macData->iteration = iter;
684 return HITLS_PKI_SUCCESS;
685 }
686
ClearMacData(HITLS_PKCS12_MacData * p12Mac)687 static void ClearMacData(HITLS_PKCS12_MacData *p12Mac)
688 {
689 BSL_SAL_FREE(p12Mac->mac->data);
690 BSL_SAL_FREE(p12Mac->macSalt->data);
691 p12Mac->macSalt->dataLen = 0;
692 p12Mac->mac->dataLen = 0;
693 p12Mac->iteration = 0;
694 p12Mac->alg = BSL_CID_UNKNOWN;
695 }
696
ParseMacDataAndVerify(BSL_Buffer * initData,BSL_Buffer * macData,const HITLS_PKCS12_PwdParam * pwdParam,HITLS_PKCS12_MacData * p12Mac)697 static int32_t ParseMacDataAndVerify(BSL_Buffer *initData, BSL_Buffer *macData, const HITLS_PKCS12_PwdParam *pwdParam,
698 HITLS_PKCS12_MacData *p12Mac)
699 {
700 int32_t ret = HITLS_PKCS12_ParseMacData(macData, p12Mac);
701 if (ret != HITLS_PKI_SUCCESS) {
702 BSL_ERR_PUSH_ERROR(ret);
703 return ret;
704 }
705 BSL_Buffer verify = {0};
706 ret = HITLS_PKCS12_CalMac(&verify, pwdParam->macPwd, initData, p12Mac);
707 if (ret != HITLS_PKI_SUCCESS) {
708 ClearMacData(p12Mac);
709 BSL_ERR_PUSH_ERROR(ret);
710 return ret;
711 }
712 if (p12Mac->mac->dataLen != verify.dataLen || memcmp(verify.data, p12Mac->mac->data, verify.dataLen) != 0) {
713 ClearMacData(p12Mac);
714 BSL_SAL_Free(verify.data);
715 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_VERIFY_FAIL);
716 return HITLS_PKCS12_ERR_VERIFY_FAIL;
717 }
718 BSL_SAL_Free(verify.data);
719 return HITLS_PKI_SUCCESS;
720 }
721
ParseAsn1PKCS12(const BSL_Buffer * encode,const HITLS_PKCS12_PwdParam * pwdParam,HITLS_PKCS12 * p12,bool needMacVerify)722 static int32_t ParseAsn1PKCS12(const BSL_Buffer *encode, const HITLS_PKCS12_PwdParam *pwdParam,
723 HITLS_PKCS12 *p12, bool needMacVerify)
724 {
725 uint32_t version = 0;
726 uint8_t *temp = encode->data;
727 uint32_t tempLen = encode->dataLen;
728 BSL_ASN1_Buffer asn1[HITLS_PKCS12_TOPLEVEL_MAX_IDX] = {0};
729 BSL_ASN1_Template templ = {g_p12TopLevelTempl, sizeof(g_p12TopLevelTempl) / sizeof(g_p12TopLevelTempl[0])};
730 HITLS_PKCS12_MacData *p12Mac = p12->macData;
731 int32_t ret = BSL_ASN1_DecodeTemplate(&templ, NULL, &temp, &tempLen, asn1, HITLS_PKCS12_TOPLEVEL_MAX_IDX);
732 if (ret != HITLS_PKI_SUCCESS) {
733 BSL_ERR_PUSH_ERROR(ret);
734 return ret;
735 }
736 ret = BSL_ASN1_DecodePrimitiveItem(&asn1[HITLS_PKCS12_TOPLEVEL_VERSION_IDX], &version);
737 if (ret != HITLS_PKI_SUCCESS) {
738 BSL_ERR_PUSH_ERROR(ret);
739 return ret;
740 }
741 if (version != 3) { // RFC 7292 requires that version = 3.
742 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_INVALID_PFX);
743 return HITLS_PKCS12_ERR_INVALID_PFX;
744 }
745
746 BSL_Buffer macData = {asn1[HITLS_PKCS12_TOPLEVEL_MACDATA_IDX].buff, asn1[HITLS_PKCS12_TOPLEVEL_MACDATA_IDX].len};
747 BSL_Buffer contentInfo = {asn1[HITLS_PKCS12_TOPLEVEL_AUTHSAFE_IDX].buff,
748 asn1[HITLS_PKCS12_TOPLEVEL_AUTHSAFE_IDX].len};
749 BSL_Buffer initData = {0};
750 ret = HITLS_PKCS12_ParseContentInfo(p12->libCtx, p12->attrName, &contentInfo, NULL, 0, &initData);
751 if (ret != HITLS_PKI_SUCCESS) {
752 return ret; // has pushed error code.
753 }
754 if (needMacVerify) {
755 ret = ParseMacDataAndVerify(&initData, &macData, pwdParam, p12Mac);
756 if (ret != HITLS_PKI_SUCCESS) {
757 BSL_SAL_Free(initData.data);
758 return ret; // has pushed error code.
759 }
760 }
761 ret = HITLS_PKCS12_ParseAuthSafeData(&initData, pwdParam->encPwd->data, pwdParam->encPwd->dataLen, p12);
762 BSL_SAL_Free(initData.data);
763 if (ret != HITLS_PKI_SUCCESS) {
764 ClearMacData(p12Mac);
765 return ret; // has pushed error code.
766 }
767 p12->version = version;
768 return HITLS_PKI_SUCCESS;
769 }
770
ProviderParseBuffInternal(HITLS_PKI_LibCtx * libCtx,const char * attrName,int32_t format,const BSL_Buffer * encode,const HITLS_PKCS12_PwdParam * pwdParam,HITLS_PKCS12 ** p12,bool needMacVerify)771 static int32_t ProviderParseBuffInternal(HITLS_PKI_LibCtx *libCtx, const char *attrName, int32_t format,
772 const BSL_Buffer *encode, const HITLS_PKCS12_PwdParam *pwdParam, HITLS_PKCS12 **p12, bool needMacVerify)
773 {
774 if (encode == NULL || encode->data == NULL || encode->dataLen == 0 ||
775 pwdParam == NULL || pwdParam->encPwd == NULL || pwdParam->encPwd->data == NULL || p12 == NULL) {
776 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_NULL_POINTER);
777 return HITLS_PKCS12_ERR_NULL_POINTER;
778 }
779 if (*p12 != NULL) {
780 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_INVALID_PARAM);
781 return HITLS_PKCS12_ERR_INVALID_PARAM;
782 }
783 int32_t ret;
784 HITLS_PKCS12 *temP12 = HITLS_PKCS12_ProviderNew(libCtx, attrName);
785 if (temP12 == NULL) {
786 BSL_ERR_PUSH_ERROR(BSL_MALLOC_FAIL);
787 return BSL_MALLOC_FAIL;
788 }
789 switch (format) {
790 case BSL_FORMAT_ASN1:
791 ret = ParseAsn1PKCS12(encode, pwdParam, temP12, needMacVerify);
792 break;
793 default:
794 ret = HITLS_PKCS12_ERR_FORMAT_UNSUPPORT;
795 break;
796 }
797 if (ret != HITLS_PKI_SUCCESS) {
798 HITLS_PKCS12_Free(temP12);
799 BSL_ERR_PUSH_ERROR(ret);
800 return ret;
801 }
802 *p12 = temP12;
803 return HITLS_PKI_SUCCESS;
804 }
805
HITLS_PKCS12_ProviderParseBuff(HITLS_PKI_LibCtx * libCtx,const char * attrName,const char * format,const BSL_Buffer * encode,const HITLS_PKCS12_PwdParam * pwdParam,HITLS_PKCS12 ** p12,bool needMacVerify)806 int32_t HITLS_PKCS12_ProviderParseBuff(HITLS_PKI_LibCtx *libCtx, const char *attrName, const char *format,
807 const BSL_Buffer *encode, const HITLS_PKCS12_PwdParam *pwdParam, HITLS_PKCS12 **p12, bool needMacVerify)
808 {
809 int32_t encodeFormat = CRYPT_EAL_GetEncodeFormat(format);
810 return ProviderParseBuffInternal(libCtx, attrName, encodeFormat, encode, pwdParam, p12, needMacVerify);
811 }
812
813 #ifdef HITLS_BSL_SAL_FILE
HITLS_PKCS12_ProviderParseFile(HITLS_PKI_LibCtx * libCtx,const char * attrName,const char * format,const char * path,const HITLS_PKCS12_PwdParam * pwdParam,HITLS_PKCS12 ** p12,bool needMacVerify)814 int32_t HITLS_PKCS12_ProviderParseFile(HITLS_PKI_LibCtx *libCtx, const char *attrName, const char *format,
815 const char *path, const HITLS_PKCS12_PwdParam *pwdParam, HITLS_PKCS12 **p12, bool needMacVerify)
816 {
817 if (path == NULL) {
818 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_NULL_POINTER);
819 return HITLS_PKCS12_ERR_NULL_POINTER;
820 }
821 uint8_t *data = NULL;
822 uint32_t dataLen = 0;
823 int32_t ret = BSL_SAL_ReadFile(path, &data, &dataLen);
824 if (ret != BSL_SUCCESS) {
825 BSL_ERR_PUSH_ERROR(ret);
826 return ret;
827 }
828 BSL_Buffer encode = {data, dataLen};
829 ret = HITLS_PKCS12_ProviderParseBuff(libCtx, attrName, format, &encode, pwdParam, p12, needMacVerify);
830 BSL_SAL_Free(data);
831 return ret;
832 }
833
HITLS_PKCS12_ParseFile(int32_t format,const char * path,const HITLS_PKCS12_PwdParam * pwdParam,HITLS_PKCS12 ** p12,bool needMacVerify)834 int32_t HITLS_PKCS12_ParseFile(int32_t format, const char *path, const HITLS_PKCS12_PwdParam *pwdParam,
835 HITLS_PKCS12 **p12, bool needMacVerify)
836 {
837 if (path == NULL) {
838 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_NULL_POINTER);
839 return HITLS_PKCS12_ERR_NULL_POINTER;
840 }
841 uint8_t *data = NULL;
842 uint32_t dataLen = 0;
843 int32_t ret = BSL_SAL_ReadFile(path, &data, &dataLen);
844 if (ret != BSL_SUCCESS) {
845 BSL_ERR_PUSH_ERROR(ret);
846 return ret;
847 }
848 BSL_Buffer encode = {data, dataLen};
849 ret = HITLS_PKCS12_ParseBuff(format, &encode, pwdParam, p12, needMacVerify);
850 BSL_SAL_Free(data);
851 return ret;
852 }
853 #endif // HITLS_BSL_SAL_FILE
854
HITLS_PKCS12_ParseBuff(int32_t format,const BSL_Buffer * encode,const HITLS_PKCS12_PwdParam * pwdParam,HITLS_PKCS12 ** p12,bool needMacVerify)855 int32_t HITLS_PKCS12_ParseBuff(int32_t format, const BSL_Buffer *encode, const HITLS_PKCS12_PwdParam *pwdParam,
856 HITLS_PKCS12 **p12, bool needMacVerify)
857 {
858 return ProviderParseBuffInternal(NULL, NULL, format, encode, pwdParam, p12, needMacVerify);
859 }
860
861 #endif // HITLS_PKI_PKCS12_PARSE
862
863 #ifdef HITLS_PKI_PKCS12_GEN
FreeListBuff(BSL_ASN1_Buffer * asnBuf,uint32_t count)864 static void FreeListBuff(BSL_ASN1_Buffer *asnBuf, uint32_t count)
865 {
866 for (uint32_t i = 0; i < count; i++) {
867 BSL_SAL_FREE(asnBuf[i].buff);
868 }
869 BSL_SAL_FREE(asnBuf);
870 }
871
EncodeAttrValue(HITLS_PKCS12_SafeBagAttr * attribute,BSL_Buffer * encode)872 static int32_t EncodeAttrValue(HITLS_PKCS12_SafeBagAttr *attribute, BSL_Buffer *encode)
873 {
874 BSL_ASN1_Buffer asnArr = {0};
875 int32_t ret;
876
877 asnArr.buff = attribute->attrValue.data;
878 asnArr.len = attribute->attrValue.dataLen;
879 switch (attribute->attrId) {
880 case BSL_CID_FRIENDLYNAME:
881 asnArr.tag = BSL_ASN1_TAG_BMPSTRING;
882 BSL_ASN1_TemplateItem nameTemplItem = {BSL_ASN1_TAG_BMPSTRING, 0, 0};
883 BSL_ASN1_Template nameTempl = {&nameTemplItem, 1};
884 ret = BSL_ASN1_EncodeTemplate(&nameTempl, &asnArr, 1, &encode->data, &encode->dataLen);
885 break;
886 case BSL_CID_LOCALKEYID:
887 asnArr.tag = BSL_ASN1_TAG_OCTETSTRING;
888 BSL_ASN1_TemplateItem locatedIdTemplItem = {BSL_ASN1_TAG_OCTETSTRING, 0, 0};
889 BSL_ASN1_Template locatedIdTempl = {&locatedIdTemplItem, 1};
890 ret = BSL_ASN1_EncodeTemplate(&locatedIdTempl, &asnArr, 1, &encode->data, &encode->dataLen);
891 break;
892 default:
893 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_INVALID_SAFEBAG_ATTRIBUTES);
894 return HITLS_PKCS12_ERR_INVALID_SAFEBAG_ATTRIBUTES;
895 }
896 if (ret != HITLS_PKI_SUCCESS) {
897 BSL_ERR_PUSH_ERROR(ret);
898 }
899 return ret;
900 }
901
X509_EncodeP12AttrItem(void * attrNode,HITLS_X509_AttrEntry * attrEntry)902 static int32_t X509_EncodeP12AttrItem(void *attrNode, HITLS_X509_AttrEntry *attrEntry)
903 {
904 if (attrNode == NULL || attrEntry == NULL) {
905 return HITLS_X509_ERR_INVALID_PARAM;
906 }
907 HITLS_PKCS12_SafeBagAttr *p12Attr = attrNode;
908 BslOidString *oidStr = BSL_OBJ_GetOID(p12Attr->attrId);
909 if (oidStr == NULL) {
910 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_INVALID_SAFEBAG_ATTRIBUTES);
911 return HITLS_PKCS12_ERR_INVALID_SAFEBAG_ATTRIBUTES;
912 }
913 attrEntry->attrId.tag = BSL_ASN1_TAG_OBJECT_ID;
914 attrEntry->attrId.buff = (uint8_t *)oidStr->octs;
915 attrEntry->attrId.len = oidStr->octetLen;
916 BSL_Buffer buffer = {0};
917 int32_t ret = EncodeAttrValue(p12Attr, &buffer);
918 if (ret != HITLS_PKI_SUCCESS) {
919 BSL_ERR_PUSH_ERROR(ret);
920 return ret;
921 }
922 attrEntry->attrValue.tag = BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SET;
923 attrEntry->attrValue.buff = buffer.data;
924 attrEntry->attrValue.len = buffer.dataLen;
925 attrEntry->cid = p12Attr->attrId;
926 return HITLS_PKI_SUCCESS;
927 }
928
HITLS_PKCS12_EncodeAttrList(HITLS_X509_Attrs * attrs,BSL_ASN1_Buffer * attrBuff)929 int32_t HITLS_PKCS12_EncodeAttrList(HITLS_X509_Attrs *attrs, BSL_ASN1_Buffer *attrBuff)
930 {
931 return HITLS_X509_EncodeAttrList(BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SET, attrs,
932 X509_EncodeP12AttrItem, attrBuff);
933 }
934
EncodeCertBag(HITLS_X509_Cert * cert,uint32_t certType,uint8_t ** encode,uint32_t * encodeLen)935 static int32_t EncodeCertBag(HITLS_X509_Cert *cert, uint32_t certType, uint8_t **encode, uint32_t *encodeLen)
936 {
937 int32_t ret;
938 BslOidString *oidStr = BSL_OBJ_GetOID(certType);
939 if (oidStr == NULL) {
940 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_INVALID_ALGO);
941 return HITLS_PKCS12_ERR_INVALID_ALGO;
942 }
943 BSL_Buffer certBuff = {0};
944 ret = HITLS_X509_CertGenBuff(BSL_FORMAT_ASN1, cert, &certBuff);
945 if (ret != HITLS_PKI_SUCCESS) {
946 BSL_ERR_PUSH_ERROR(ret);
947 return ret;
948 }
949 BSL_ASN1_Buffer asnArr[HITLS_PKCS12_COMMON_SAFEBAG_MAX_IDX] = {
950 {
951 .buff = (uint8_t *)oidStr->octs,
952 .len = oidStr->octetLen,
953 .tag = BSL_ASN1_TAG_OBJECT_ID,
954 }, {
955 .buff = certBuff.data,
956 .len = certBuff.dataLen,
957 .tag = BSL_ASN1_TAG_OCTETSTRING,
958 }};
959
960 BSL_ASN1_Template templ = {g_pk12CommonBagTempl, sizeof(g_pk12CommonBagTempl) / sizeof(g_pk12CommonBagTempl[0])};
961 ret = BSL_ASN1_EncodeTemplate(&templ, asnArr, HITLS_PKCS12_COMMON_SAFEBAG_MAX_IDX, encode, encodeLen);
962 BSL_SAL_Free(certBuff.data);
963 if (ret != HITLS_PKI_SUCCESS) {
964 BSL_ERR_PUSH_ERROR(ret);
965 }
966 return ret;
967 }
968
EncodeSafeBag(HITLS_PKCS12_Bag * bag,uint32_t encodeType,const CRYPT_EncodeParam * encryptParam,uint8_t ** output,uint32_t * outputLen)969 static int32_t EncodeSafeBag(HITLS_PKCS12_Bag *bag, uint32_t encodeType, const CRYPT_EncodeParam *encryptParam,
970 uint8_t **output, uint32_t *outputLen)
971 {
972 int32_t ret;
973 BslOidString *oidStr = BSL_OBJ_GetOID(encodeType);
974 if (oidStr == NULL) {
975 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_INVALID_ALGO);
976 return HITLS_PKCS12_ERR_INVALID_ALGO;
977 }
978 BSL_Buffer encode = {0};
979 switch (encodeType) {
980 case BSL_CID_PKCS8SHROUDEDKEYBAG:
981 ret = CRYPT_EAL_EncodeBuffKey(bag->value.key, encryptParam, BSL_FORMAT_ASN1, CRYPT_PRIKEY_PKCS8_ENCRYPT,
982 &encode);
983 break;
984 case BSL_CID_CERTBAG:
985 ret = EncodeCertBag(bag->value.cert, BSL_CID_X509CERTIFICATE, &encode.data, &encode.dataLen);
986 break;
987 default:
988 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_INVALID_SAFEBAG_TYPE);
989 return HITLS_PKCS12_ERR_INVALID_SAFEBAG_TYPE;
990 }
991 if (ret != HITLS_PKI_SUCCESS) {
992 BSL_ERR_PUSH_ERROR(ret);
993 return ret;
994 }
995 BSL_ASN1_Buffer asnArr[HITLS_PKCS12_SAFEBAG_MAX_IDX] = {
996 {
997 .buff = (uint8_t *)oidStr->octs,
998 .len = oidStr->octetLen,
999 .tag = BSL_ASN1_TAG_OBJECT_ID,
1000 }, {
1001 .buff = encode.data,
1002 .len = encode.dataLen,
1003 .tag = BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_CLASS_CTX_SPECIFIC | HITLS_P12_CTX_SPECIFIC_TAG_EXTENSION,
1004 }};
1005
1006 ret = HITLS_PKCS12_EncodeAttrList(bag->attributes, &asnArr[HITLS_PKCS12_SAFEBAG_BAGATTRIBUTES_IDX]);
1007 if (ret != BSL_SUCCESS) {
1008 BSL_SAL_Free(encode.data);
1009 BSL_ERR_PUSH_ERROR(ret);
1010 return ret;
1011 }
1012 asnArr[HITLS_PKCS12_SAFEBAG_BAGATTRIBUTES_IDX].tag = BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SET;
1013
1014 BSL_ASN1_Template templ = {g_pk12SafeBagTempl, sizeof(g_pk12SafeBagTempl) / sizeof(g_pk12SafeBagTempl[0])};
1015 ret = BSL_ASN1_EncodeTemplate(&templ, asnArr, HITLS_PKCS12_SAFEBAG_MAX_IDX, output, outputLen);
1016 BSL_SAL_Free(encode.data);
1017 BSL_SAL_FREE(asnArr[HITLS_PKCS12_SAFEBAG_BAGATTRIBUTES_IDX].buff);
1018 if (ret != HITLS_PKI_SUCCESS) {
1019 BSL_ERR_PUSH_ERROR(ret);
1020 }
1021 return ret;
1022 }
1023
EncodeP7Data(BSL_Buffer * input,BSL_Buffer * encode)1024 static int32_t EncodeP7Data(BSL_Buffer *input, BSL_Buffer *encode)
1025 {
1026 BSL_ASN1_Buffer asnArr = {0};
1027 asnArr.buff = input->data;
1028 asnArr.tag = BSL_ASN1_TAG_OCTETSTRING;
1029 asnArr.len = input->dataLen;
1030 BSL_ASN1_TemplateItem dataTemplItem = {BSL_ASN1_TAG_OCTETSTRING, 0, 0};
1031 BSL_ASN1_Template dataTempl = {&dataTemplItem, 1};
1032 int32_t ret = BSL_ASN1_EncodeTemplate(&dataTempl, &asnArr, 1, &encode->data, &encode->dataLen);
1033 if (ret != HITLS_PKI_SUCCESS) {
1034 BSL_ERR_PUSH_ERROR(ret);
1035 }
1036 return ret;
1037 }
1038
HITLS_PKCS12_EncodeContentInfo(HITLS_PKI_LibCtx * libCtx,const char * attrName,BSL_Buffer * input,uint32_t encodeType,const CRYPT_EncodeParam * encryptParam,BSL_Buffer * encode)1039 int32_t HITLS_PKCS12_EncodeContentInfo(HITLS_PKI_LibCtx *libCtx, const char *attrName, BSL_Buffer *input,
1040 uint32_t encodeType, const CRYPT_EncodeParam *encryptParam, BSL_Buffer *encode)
1041 {
1042 int32_t ret;
1043 BslOidString *oidStr = BSL_OBJ_GetOID(encodeType);
1044 if (oidStr == NULL) {
1045 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_INVALID_ALGO);
1046 return HITLS_PKCS12_ERR_INVALID_ALGO;
1047 }
1048 BSL_Buffer initData = {0};
1049 switch (encodeType) {
1050 case BSL_CID_PKCS7_SIMPLEDATA:
1051 ret = EncodeP7Data(input, &initData);
1052 break;
1053 case BSL_CID_PKCS7_ENCRYPTEDDATA:
1054 ret = CRYPT_EAL_EncodePKCS7EncryptDataBuff(libCtx, attrName, input, encryptParam, &initData);
1055 break;
1056 default:
1057 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_INVALID_CONTENTINFO);
1058 return HITLS_PKCS12_ERR_INVALID_CONTENTINFO;
1059 }
1060 if (ret != HITLS_PKI_SUCCESS) {
1061 BSL_ERR_PUSH_ERROR(ret);
1062 return ret;
1063 }
1064 BSL_ASN1_Buffer asnArr[HITLS_PKCS12_CONTENT_MAX_IDX] = {
1065 {
1066 .buff = (uint8_t *)oidStr->octs,
1067 .len = oidStr->octetLen,
1068 .tag = BSL_ASN1_TAG_OBJECT_ID,
1069 }, {
1070 .buff = initData.data,
1071 .len = initData.dataLen,
1072 .tag = BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_CLASS_CTX_SPECIFIC | HITLS_P12_CTX_SPECIFIC_TAG_EXTENSION,
1073 }};
1074
1075 BSL_ASN1_Template templ = {g_pk12ContentInfoTempl,
1076 sizeof(g_pk12ContentInfoTempl) / sizeof(g_pk12ContentInfoTempl[0])};
1077 ret = BSL_ASN1_EncodeTemplate(&templ, asnArr, HITLS_PKCS12_CONTENT_MAX_IDX, &encode->data, &encode->dataLen);
1078 BSL_SAL_Free(initData.data);
1079 if (ret != HITLS_PKI_SUCCESS) {
1080 BSL_ERR_PUSH_ERROR(ret);
1081 }
1082 return ret;
1083 }
1084
EncodeSafeContent(BSL_ASN1_Buffer ** output,BSL_ASN1_List * list,uint32_t encodeType,const CRYPT_EncodeParam * encryptParam)1085 static int32_t EncodeSafeContent(BSL_ASN1_Buffer **output, BSL_ASN1_List *list, uint32_t encodeType,
1086 const CRYPT_EncodeParam *encryptParam)
1087 {
1088 BSL_ASN1_Buffer *asnBuf = BSL_SAL_Calloc((uint32_t)list->count, sizeof(BSL_ASN1_Buffer));
1089 if (asnBuf == NULL) {
1090 BSL_ERR_PUSH_ERROR(BSL_MALLOC_FAIL);
1091 return BSL_MALLOC_FAIL;
1092 }
1093 uint32_t iter = 0;
1094 int32_t ret = HITLS_PKI_SUCCESS;
1095 HITLS_PKCS12_Bag *node = NULL;
1096 for (node = BSL_LIST_GET_FIRST(list); node != NULL; node = BSL_LIST_GET_NEXT(list), iter++) {
1097 ret = EncodeSafeBag(node, encodeType, encryptParam, &asnBuf[iter].buff, &asnBuf[iter].len);
1098 if (ret != BSL_SUCCESS) {
1099 FreeListBuff(asnBuf, iter);
1100 BSL_ERR_PUSH_ERROR(ret);
1101 return ret;
1102 }
1103 asnBuf[iter].tag = BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SEQUENCE;
1104 }
1105 *output = asnBuf;
1106 return ret;
1107 }
1108
EncodeContentInfoList(BSL_ASN1_Buffer ** output,BSL_ASN1_List * list)1109 static int32_t EncodeContentInfoList(BSL_ASN1_Buffer **output, BSL_ASN1_List *list)
1110 {
1111 BSL_ASN1_Buffer *asnBuf = BSL_SAL_Calloc((uint32_t)list->count, sizeof(BSL_ASN1_Buffer));
1112 if (asnBuf == NULL) {
1113 BSL_ERR_PUSH_ERROR(BSL_MALLOC_FAIL);
1114 return BSL_MALLOC_FAIL;
1115 }
1116 uint32_t iter = 0;
1117 int32_t ret = HITLS_PKI_SUCCESS;
1118 BSL_Buffer *node = NULL;
1119 for (node = BSL_LIST_GET_FIRST(list); node != NULL; node = BSL_LIST_GET_NEXT(list), iter++) {
1120 asnBuf[iter].buff = BSL_SAL_Dump(node->data, node->dataLen);
1121 if (asnBuf[iter].buff == NULL) {
1122 FreeListBuff(asnBuf, iter);
1123 BSL_ERR_PUSH_ERROR(BSL_DUMP_FAIL);
1124 return BSL_DUMP_FAIL;
1125 }
1126 asnBuf[iter].len = node->dataLen;
1127 asnBuf[iter].tag = BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SEQUENCE;
1128 }
1129 *output = asnBuf;
1130 return ret;
1131 }
1132
HITLS_PKCS12_EncodeAsn1List(BSL_ASN1_List * list,uint32_t encodeType,const CRYPT_EncodeParam * encryptParam,BSL_Buffer * encode)1133 int32_t HITLS_PKCS12_EncodeAsn1List(BSL_ASN1_List *list, uint32_t encodeType, const CRYPT_EncodeParam *encryptParam,
1134 BSL_Buffer *encode)
1135 {
1136 uint32_t count = (uint32_t)BSL_LIST_COUNT(list);
1137 BSL_ASN1_Buffer *asnBuffers = NULL;
1138 int32_t ret;
1139 switch (encodeType) {
1140 case BSL_CID_PKCS7_CONTENTINFO:
1141 ret = EncodeContentInfoList(&asnBuffers, list);
1142 if (ret != BSL_SUCCESS) {
1143 BSL_ERR_PUSH_ERROR(ret);
1144 return ret;
1145 }
1146 break;
1147 case BSL_CID_PKCS8SHROUDEDKEYBAG:
1148 case BSL_CID_CERTBAG:
1149 ret = EncodeSafeContent(&asnBuffers, list, encodeType, encryptParam);
1150 if (ret != BSL_SUCCESS) {
1151 BSL_ERR_PUSH_ERROR(ret);
1152 return ret;
1153 }
1154 break;
1155 default:
1156 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_INVALID_CONTENTINFO);
1157 return HITLS_PKCS12_ERR_INVALID_CONTENTINFO;
1158 }
1159 BSL_ASN1_TemplateItem listTempl = {BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SEQUENCE, 0, 0 };
1160 BSL_ASN1_Template templ = {&listTempl, 1};
1161 BSL_ASN1_Buffer out = {0};
1162 ret = BSL_ASN1_EncodeListItem(BSL_ASN1_TAG_SEQUENCE, count, &templ, asnBuffers, count, &out);
1163 FreeListBuff(asnBuffers, count);
1164 if (ret != HITLS_PKI_SUCCESS) {
1165 BSL_ERR_PUSH_ERROR(ret);
1166 return ret;
1167 }
1168 ret = BSL_ASN1_EncodeTemplate(&templ, &out, 1, &encode->data, &encode->dataLen);
1169 if (ret != HITLS_PKI_SUCCESS) {
1170 BSL_ERR_PUSH_ERROR(ret);
1171 }
1172 BSL_SAL_FREE(out.buff);
1173 return ret;
1174 }
1175
HITLS_PKCS12_EncodeMacData(BSL_Buffer * initData,const HITLS_PKCS12_MacParam * macParam,HITLS_PKCS12_MacData * p12Mac,BSL_Buffer * encode)1176 int32_t HITLS_PKCS12_EncodeMacData(BSL_Buffer *initData, const HITLS_PKCS12_MacParam *macParam,
1177 HITLS_PKCS12_MacData *p12Mac, BSL_Buffer *encode)
1178 {
1179 if (macParam->algId != BSL_CID_PKCS12KDF) {
1180 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_INVALID_ALGO);
1181 return HITLS_PKCS12_ERR_INVALID_ALGO;
1182 }
1183 if (macParam->para == NULL) {
1184 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_NULL_POINTER);
1185 return HITLS_PKCS12_ERR_NULL_POINTER;
1186 }
1187 BSL_Buffer mac = {0};
1188 BSL_Buffer digestInfo = {0};
1189 HITLS_PKCS12_KdfParam *param = (HITLS_PKCS12_KdfParam *)macParam->para;
1190 p12Mac->alg = param->macId;
1191 p12Mac->iteration = param->itCnt;
1192 p12Mac->macSalt->dataLen = param->saltLen;
1193 BSL_Buffer macPwd = {param->pwd, param->pwdLen};
1194 int32_t ret = HITLS_PKCS12_CalMac(&mac, &macPwd, initData, p12Mac);
1195 if (ret != HITLS_PKI_SUCCESS) {
1196 BSL_ERR_PUSH_ERROR(ret);
1197 return ret;
1198 }
1199
1200 ret = HITLS_CMS_EncodeDigestInfoBuff(p12Mac->alg, &mac, &digestInfo);
1201 BSL_SAL_FREE(mac.data);
1202 if (ret != HITLS_PKI_SUCCESS) {
1203 BSL_ERR_PUSH_ERROR(ret);
1204 return ret;
1205 }
1206 BSL_ASN1_Buffer asnArr[HITLS_PKCS12_MACDATA_MAX_IDX] = {
1207 {BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SEQUENCE, digestInfo.dataLen, digestInfo.data},
1208 {BSL_ASN1_TAG_OCTETSTRING, p12Mac->macSalt->dataLen, p12Mac->macSalt->data}};
1209
1210 ret = BSL_ASN1_EncodeLimb(BSL_ASN1_TAG_INTEGER, p12Mac->iteration, &asnArr[HITLS_PKCS12_MACDATA_ITER_IDX]);
1211 if (ret != HITLS_PKI_SUCCESS) {
1212 BSL_SAL_Free(digestInfo.data);
1213 BSL_ERR_PUSH_ERROR(ret);
1214 return ret;
1215 }
1216 BSL_ASN1_Template templ = {g_p12MacDataTempl, sizeof(g_p12MacDataTempl) / sizeof(g_p12MacDataTempl[0])};
1217 ret = BSL_ASN1_EncodeTemplate(&templ, asnArr, HITLS_PKCS12_MACDATA_MAX_IDX, &encode->data, &encode->dataLen);
1218 BSL_SAL_Free(digestInfo.data);
1219 BSL_SAL_Free(asnArr[HITLS_PKCS12_MACDATA_ITER_IDX].buff);
1220 if (ret != HITLS_PKI_SUCCESS) {
1221 BSL_ERR_PUSH_ERROR(ret);
1222 }
1223 return ret;
1224 }
1225
EncodeCertListAddList(HITLS_PKCS12 * p12,const CRYPT_EncodeParam * encParam,BSL_ASN1_List * list,bool isNeedMac)1226 static int32_t EncodeCertListAddList(HITLS_PKCS12 *p12, const CRYPT_EncodeParam *encParam, BSL_ASN1_List *list,
1227 bool isNeedMac)
1228 {
1229 int32_t ret;
1230 BSL_Buffer certEncode = {0};
1231 if (p12->entityCert != NULL && p12->entityCert->value.cert != NULL) {
1232 HITLS_PKCS12_Bag *bag = BSL_SAL_Malloc(sizeof(HITLS_PKCS12_Bag));
1233 if (bag == NULL) {
1234 BSL_ERR_PUSH_ERROR(BSL_MALLOC_FAIL);
1235 return BSL_MALLOC_FAIL;
1236 }
1237 bag->attributes = p12->entityCert->attributes;
1238 bag->value.cert = p12->entityCert->value.cert;
1239 ret = BSL_LIST_AddElement(p12->certList, bag, BSL_LIST_POS_BEGIN);
1240 if (ret != HITLS_PKI_SUCCESS) {
1241 BSL_SAL_FREE(bag);
1242 BSL_ERR_PUSH_ERROR(ret);
1243 return ret;
1244 }
1245 }
1246 if (BSL_LIST_COUNT(p12->certList) <= 0) {
1247 return HITLS_PKI_SUCCESS;
1248 }
1249 ret = HITLS_PKCS12_EncodeAsn1List(p12->certList, BSL_CID_CERTBAG, NULL, &certEncode);
1250 if (p12->entityCert != NULL && p12->entityCert->value.cert != NULL) {
1251 BSL_LIST_First(p12->certList);
1252 BSL_LIST_DeleteCurrent(p12->certList, NULL);
1253 }
1254 if (ret != HITLS_PKI_SUCCESS) {
1255 BSL_ERR_PUSH_ERROR(ret);
1256 return ret;
1257 }
1258
1259 BSL_Buffer contentInfoEncode = {0};
1260 if (isNeedMac) {
1261 ret = HITLS_PKCS12_EncodeContentInfo(p12->libCtx, p12->attrName, &certEncode, BSL_CID_PKCS7_ENCRYPTEDDATA,
1262 encParam, &contentInfoEncode);
1263 } else {
1264 ret = HITLS_PKCS12_EncodeContentInfo(p12->libCtx, p12->attrName, &certEncode, BSL_CID_PKCS7_SIMPLEDATA,
1265 encParam, &contentInfoEncode);
1266 }
1267 BSL_SAL_FREE(certEncode.data);
1268 if (ret != HITLS_PKI_SUCCESS) {
1269 BSL_ERR_PUSH_ERROR(ret);
1270 return ret;
1271 }
1272 ret = HITLS_X509_AddListItemDefault(&contentInfoEncode, sizeof(BSL_Buffer), list);
1273 if (ret != HITLS_PKI_SUCCESS) {
1274 BSL_SAL_FREE(contentInfoEncode.data);
1275 BSL_ERR_PUSH_ERROR(ret);
1276 }
1277 return ret;
1278 }
1279
EncodeKeyAddList(HITLS_PKCS12 * p12,const CRYPT_EncodeParam * encParam,BSL_ASN1_List * list)1280 static int32_t EncodeKeyAddList(HITLS_PKCS12 *p12, const CRYPT_EncodeParam *encParam, BSL_ASN1_List *list)
1281 {
1282 if (p12->key == NULL || p12->key->value.key == NULL) {
1283 return HITLS_PKI_SUCCESS;
1284 }
1285
1286 BSL_ASN1_List *keyList = BSL_LIST_New(sizeof(HITLS_PKCS12_Bag));
1287 if (keyList == NULL) {
1288 BSL_ERR_PUSH_ERROR(BSL_MALLOC_FAIL);
1289 return BSL_MALLOC_FAIL;
1290 }
1291 HITLS_PKCS12_Bag bag = {0};
1292 BSL_Buffer keyEncode = {0};
1293 BSL_Buffer contentInfoEncode = {0};
1294 bag.attributes = p12->key->attributes;
1295 bag.value.key = p12->key->value.key;
1296 int32_t ret = HITLS_X509_AddListItemDefault(&bag, sizeof(HITLS_PKCS12_Bag), keyList);
1297 if (ret != HITLS_PKI_SUCCESS) {
1298 BSL_SAL_FREE(keyList);
1299 BSL_ERR_PUSH_ERROR(ret);
1300 return ret;
1301 }
1302 ret = HITLS_PKCS12_EncodeAsn1List(keyList, BSL_CID_PKCS8SHROUDEDKEYBAG, encParam, &keyEncode);
1303 BSL_LIST_FREE(keyList, NULL);
1304 if (ret != HITLS_PKI_SUCCESS) {
1305 BSL_ERR_PUSH_ERROR(ret);
1306 return ret;
1307 }
1308
1309 ret = HITLS_PKCS12_EncodeContentInfo(p12->libCtx, p12->attrName, &keyEncode, BSL_CID_PKCS7_SIMPLEDATA,
1310 NULL, &contentInfoEncode);
1311 BSL_SAL_FREE(keyEncode.data);
1312 if (ret != HITLS_PKI_SUCCESS) {
1313 BSL_ERR_PUSH_ERROR(ret);
1314 return ret;
1315 }
1316 ret = HITLS_X509_AddListItemDefault(&contentInfoEncode, sizeof(BSL_Buffer), list);
1317 if (ret != HITLS_PKI_SUCCESS) {
1318 BSL_SAL_FREE(contentInfoEncode.data);
1319 BSL_ERR_PUSH_ERROR(ret);
1320 }
1321 return ret;
1322 }
1323
FreeBuffer(void * buffer)1324 static void FreeBuffer(void *buffer)
1325 {
1326 if (buffer == NULL) {
1327 return;
1328 }
1329
1330 BSL_Buffer *tmp = (BSL_Buffer *)buffer;
1331 BSL_SAL_FREE(tmp->data);
1332 BSL_SAL_Free(tmp);
1333 }
1334
EncodePkcs12(uint32_t version,BSL_Buffer * authSafe,BSL_Buffer * macData,BSL_Buffer * encode)1335 static int32_t EncodePkcs12(uint32_t version, BSL_Buffer *authSafe, BSL_Buffer *macData, BSL_Buffer *encode)
1336 {
1337 BSL_ASN1_Buffer asnArr[HITLS_PKCS12_TOPLEVEL_MAX_IDX] = {
1338 {
1339 .buff = NULL,
1340 .len = 0,
1341 .tag = BSL_ASN1_TAG_INTEGER,
1342 }, {
1343 .buff = authSafe->data,
1344 .len = authSafe->dataLen,
1345 .tag = BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SEQUENCE,
1346 }, {
1347 .buff = macData->data,
1348 .len = macData->dataLen,
1349 .tag = BSL_ASN1_TAG_CONSTRUCTED | BSL_ASN1_TAG_SEQUENCE,
1350 }};
1351
1352 int32_t ret = BSL_ASN1_EncodeLimb(BSL_ASN1_TAG_INTEGER, version, asnArr);
1353 if (ret != HITLS_PKI_SUCCESS) {
1354 BSL_ERR_PUSH_ERROR(ret);
1355 return ret;
1356 }
1357
1358 BSL_ASN1_Template templ = {g_p12TopLevelTempl, sizeof(g_p12TopLevelTempl) / sizeof(g_p12TopLevelTempl[0])};
1359 ret = BSL_ASN1_EncodeTemplate(&templ, asnArr, HITLS_PKCS12_TOPLEVEL_MAX_IDX,
1360 &encode->data, &encode->dataLen);
1361 BSL_SAL_Free(asnArr[HITLS_PKCS12_TOPLEVEL_VERSION_IDX].buff);
1362 if (ret != HITLS_PKI_SUCCESS) {
1363 BSL_ERR_PUSH_ERROR(ret);
1364 }
1365 return ret;
1366 }
1367
PwdConsistencyCheck(const HITLS_PKCS12_EncodeParam * encodeParam,bool isNeedMac)1368 static int32_t PwdConsistencyCheck(const HITLS_PKCS12_EncodeParam *encodeParam, bool isNeedMac)
1369 {
1370 CRYPT_Pbkdf2Param *keyParam = (CRYPT_Pbkdf2Param *)encodeParam->keyEncParam.param;
1371 CRYPT_Pbkdf2Param *certParam = (CRYPT_Pbkdf2Param *)encodeParam->certEncParam.param;
1372 if (!isNeedMac) {
1373 // Certificates do not require encryption when integrity verification is disabled.
1374 if (keyParam == NULL || keyParam->pwd == NULL) {
1375 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_INVALID_PARAM);
1376 return HITLS_PKCS12_ERR_INVALID_PARAM;
1377 }
1378 return HITLS_PKI_SUCCESS;
1379 }
1380 if (keyParam == NULL || certParam == NULL) {
1381 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_INVALID_PARAM);
1382 return HITLS_PKCS12_ERR_INVALID_PARAM;
1383 }
1384 uint8_t *certPwd = certParam->pwd;
1385 uint8_t *keyPwd = keyParam->pwd;
1386 // Both certificate and key encryption passwords can be NULL simultaneously.
1387 if (certPwd == NULL && keyPwd == NULL) {
1388 return HITLS_PKI_SUCCESS;
1389 }
1390 if (certPwd == NULL || keyPwd == NULL) {
1391 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_INVALID_PARAM);
1392 return HITLS_PKCS12_ERR_INVALID_PARAM;
1393 }
1394 if (keyParam->pwdLen == certParam->pwdLen && memcmp(certPwd, keyPwd, certParam->pwdLen) == 0) {
1395 return HITLS_PKI_SUCCESS;
1396 }
1397 // Error if certificate and private key encryption passwords do not match.
1398 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_INVALID_PARAM);
1399 return HITLS_PKCS12_ERR_INVALID_PARAM;
1400 }
1401
EncodeP12Info(HITLS_PKCS12 * p12,const HITLS_PKCS12_EncodeParam * encodeParam,bool isNeedMac,BSL_Buffer * encode)1402 static int32_t EncodeP12Info(HITLS_PKCS12 *p12, const HITLS_PKCS12_EncodeParam *encodeParam, bool isNeedMac,
1403 BSL_Buffer *encode)
1404 {
1405 int32_t ret = PwdConsistencyCheck(encodeParam, isNeedMac);
1406 if (ret != HITLS_PKI_SUCCESS) {
1407 return ret;
1408 }
1409 BSL_ASN1_List *list = BSL_LIST_New(sizeof(BSL_Buffer));
1410 if (list == NULL) {
1411 BSL_ERR_PUSH_ERROR(BSL_MALLOC_FAIL);
1412 return BSL_MALLOC_FAIL;
1413 }
1414 ret = EncodeCertListAddList(p12, &encodeParam->certEncParam, list, isNeedMac);
1415 if (ret != HITLS_PKI_SUCCESS) {
1416 BSL_LIST_FREE(list, FreeBuffer);
1417 return ret;
1418 }
1419
1420 ret = EncodeKeyAddList(p12, &encodeParam->keyEncParam, list);
1421 if (ret != HITLS_PKI_SUCCESS) {
1422 BSL_LIST_FREE(list, FreeBuffer);
1423 return ret;
1424 }
1425 if (BSL_LIST_COUNT(list) <= 0) {
1426 BSL_SAL_Free(list);
1427 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_NONE_DATA);
1428 return HITLS_PKCS12_ERR_NONE_DATA;
1429 }
1430 BSL_Buffer initData = {0};
1431 ret = HITLS_PKCS12_EncodeAsn1List(list, BSL_CID_PKCS7_CONTENTINFO, NULL, &initData);
1432 BSL_LIST_FREE(list, FreeBuffer);
1433 if (ret != HITLS_PKI_SUCCESS) {
1434 return ret;
1435 }
1436
1437 BSL_Buffer macData = {0};
1438 if (isNeedMac) {
1439 ret = HITLS_PKCS12_EncodeMacData(&initData, &encodeParam->macParam, p12->macData, &macData);
1440 if (ret != HITLS_PKI_SUCCESS) {
1441 BSL_SAL_FREE(initData.data);
1442 return ret;
1443 }
1444 }
1445
1446 BSL_Buffer authSafe = {0};
1447 ret = HITLS_PKCS12_EncodeContentInfo(p12->libCtx, p12->attrName, &initData, BSL_CID_PKCS7_SIMPLEDATA, NULL,
1448 &authSafe);
1449 BSL_SAL_FREE(initData.data);
1450 if (ret != HITLS_PKI_SUCCESS) {
1451 BSL_SAL_FREE(macData.data);
1452 return ret;
1453 }
1454 ret = EncodePkcs12(p12->version, &authSafe, &macData, encode);
1455 BSL_SAL_FREE(authSafe.data);
1456 BSL_SAL_FREE(macData.data);
1457 return ret;
1458 }
1459
HITLS_PKCS12_GenBuff(int32_t format,HITLS_PKCS12 * p12,const HITLS_PKCS12_EncodeParam * encodeParam,bool isNeedMac,BSL_Buffer * encode)1460 int32_t HITLS_PKCS12_GenBuff(int32_t format, HITLS_PKCS12 *p12, const HITLS_PKCS12_EncodeParam *encodeParam,
1461 bool isNeedMac, BSL_Buffer *encode)
1462 {
1463 if (p12 == NULL || encodeParam == NULL || encode == NULL) {
1464 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_NULL_POINTER);
1465 return HITLS_PKCS12_ERR_NULL_POINTER;
1466 }
1467 if (encode->data != NULL) {
1468 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_INVALID_PARAM);
1469 return HITLS_PKCS12_ERR_INVALID_PARAM;
1470 }
1471 switch (format) {
1472 case BSL_FORMAT_ASN1:
1473 return EncodeP12Info(p12, encodeParam, isNeedMac, encode);
1474 default:
1475 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_FORMAT_UNSUPPORT);
1476 return HITLS_PKCS12_ERR_FORMAT_UNSUPPORT;
1477 }
1478 }
1479
1480 #ifdef HITLS_BSL_SAL_FILE
HITLS_PKCS12_GenFile(int32_t format,HITLS_PKCS12 * p12,const HITLS_PKCS12_EncodeParam * encodeParam,bool isNeedMac,const char * path)1481 int32_t HITLS_PKCS12_GenFile(int32_t format, HITLS_PKCS12 *p12, const HITLS_PKCS12_EncodeParam *encodeParam,
1482 bool isNeedMac, const char *path)
1483 {
1484 if (path == NULL) {
1485 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_NULL_POINTER);
1486 return HITLS_PKCS12_ERR_NULL_POINTER;
1487 }
1488
1489 BSL_Buffer encode = {0};
1490 int32_t ret = HITLS_PKCS12_GenBuff(format, p12, encodeParam, isNeedMac, &encode);
1491 if (ret != HITLS_PKI_SUCCESS) {
1492 BSL_ERR_PUSH_ERROR(ret);
1493 return ret;
1494 }
1495 ret = BSL_SAL_WriteFile(path, encode.data, encode.dataLen);
1496 BSL_SAL_Free(encode.data);
1497 if (ret != HITLS_PKI_SUCCESS) {
1498 BSL_ERR_PUSH_ERROR(ret);
1499 }
1500 return ret;
1501 }
1502 #endif
1503
DeleteAttribute(HITLS_PKCS12_Bag * bag,uint32_t type)1504 static void DeleteAttribute(HITLS_PKCS12_Bag *bag, uint32_t type)
1505 {
1506 if (bag->attributes == NULL) {
1507 return;
1508 }
1509 BSL_ASN1_List *list = bag->attributes->list;
1510 HITLS_PKCS12_SafeBagAttr *node = BSL_LIST_GET_FIRST(list);
1511 while (node != NULL) {
1512 if (node->attrId == type) {
1513 return BSL_LIST_DeleteCurrent(list, HITLS_PKCS12_AttributesFree);
1514 }
1515 node = BSL_LIST_GET_NEXT(list);
1516 }
1517 return;
1518 }
1519
IsAttrExist(HITLS_PKCS12_Bag * bag,uint32_t type)1520 static bool IsAttrExist(HITLS_PKCS12_Bag *bag, uint32_t type)
1521 {
1522 if (bag->attributes == NULL || bag->attributes->list == NULL) {
1523 return false;
1524 }
1525 BSL_ASN1_List *list = bag->attributes->list;
1526 HITLS_PKCS12_SafeBagAttr *node = BSL_LIST_GET_FIRST(list);
1527 while (node != NULL) {
1528 if (node->attrId == type) {
1529 return true;
1530 }
1531 node = BSL_LIST_GET_NEXT(list);
1532 }
1533 return false;
1534 }
1535
HITLS_PKCS12_BagAddAttr(HITLS_PKCS12_Bag * bag,uint32_t type,const BSL_Buffer * attrValue)1536 int32_t HITLS_PKCS12_BagAddAttr(HITLS_PKCS12_Bag *bag, uint32_t type, const BSL_Buffer *attrValue)
1537 {
1538 if (bag == NULL || attrValue == NULL) {
1539 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_NULL_POINTER);
1540 return HITLS_PKCS12_ERR_NULL_POINTER;
1541 }
1542 if (attrValue->data == NULL || attrValue->dataLen == 0) {
1543 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_INVALID_PARAM);
1544 return HITLS_PKCS12_ERR_INVALID_PARAM;
1545 }
1546 if (type != BSL_CID_LOCALKEYID && type != BSL_CID_FRIENDLYNAME) {
1547 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_INVALID_SAFEBAG_ATTRIBUTES);
1548 return HITLS_PKCS12_ERR_INVALID_SAFEBAG_ATTRIBUTES;
1549 }
1550 if (IsAttrExist(bag, type)) {
1551 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_SET_ATTR_REPEAT);
1552 return HITLS_X509_ERR_SET_ATTR_REPEAT;
1553 }
1554
1555 HITLS_PKCS12_SafeBagAttr attr = {0};
1556 attr.attrId = type;
1557 attr.attrValue.data = BSL_SAL_Dump(attrValue->data, attrValue->dataLen);
1558 if (attr.attrValue.data == NULL) {
1559 BSL_ERR_PUSH_ERROR(BSL_DUMP_FAIL);
1560 return BSL_DUMP_FAIL;
1561 }
1562 attr.attrValue.dataLen = attrValue->dataLen;
1563 if (bag->attributes == NULL) {
1564 bag->attributes = HITLS_X509_AttrsNew();
1565 if (bag->attributes == NULL) {
1566 BSL_SAL_FREE(attr.attrValue.data);
1567 BSL_ERR_PUSH_ERROR(BSL_MALLOC_FAIL);
1568 return BSL_MALLOC_FAIL;
1569 }
1570 }
1571 int32_t ret = HITLS_X509_AddListItemDefault(&attr, sizeof(HITLS_PKCS12_SafeBagAttr), bag->attributes->list);
1572 if (ret != HITLS_PKI_SUCCESS) {
1573 BSL_SAL_FREE(attr.attrValue.data);
1574 BSL_ERR_PUSH_ERROR(ret);
1575 }
1576 return ret;
1577 }
1578
AttrCopy(const void * val)1579 static void *AttrCopy(const void *val)
1580 {
1581 const HITLS_PKCS12_SafeBagAttr *input = (const HITLS_PKCS12_SafeBagAttr *)val;
1582 HITLS_PKCS12_SafeBagAttr *output = BSL_SAL_Malloc(sizeof(HITLS_PKCS12_SafeBagAttr));
1583 if (output == NULL) {
1584 return NULL;
1585 }
1586 output->attrValue.data = BSL_SAL_Dump(input->attrValue.data, input->attrValue.dataLen);
1587 if (output->attrValue.data == NULL) {
1588 BSL_SAL_Free(output);
1589 return NULL;
1590 }
1591 output->attrValue.dataLen = input->attrValue.dataLen;
1592 output->attrId = input->attrId;
1593 return output;
1594 }
1595
BagDump(HITLS_PKCS12_Bag * input)1596 static HITLS_PKCS12_Bag *BagDump(HITLS_PKCS12_Bag *input)
1597 {
1598 HITLS_PKCS12_Bag *target = NULL;
1599 CRYPT_EAL_PkeyCtx *pkey = NULL;
1600 HITLS_X509_Cert *cert = NULL;
1601 switch (input->type) {
1602 case BSL_CID_PKCS8SHROUDEDKEYBAG:
1603 pkey = CRYPT_EAL_PkeyDupCtx(input->value.key);
1604 if (pkey == NULL) {
1605 BSL_ERR_PUSH_ERROR(BSL_MALLOC_FAIL);
1606 return NULL;
1607 }
1608 target = HITLS_PKCS12_BagNew(input->type, 0, pkey);
1609 break;
1610 case BSL_CID_CERTBAG:
1611 cert = HITLS_X509_CertDup(input->value.cert);
1612 if (cert == NULL) {
1613 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_CERT_DUP_FAIL);
1614 return NULL;
1615 }
1616 target = HITLS_PKCS12_BagNew(input->type, BSL_CID_X509CERTIFICATE, cert);
1617 break;
1618 default:
1619 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_INVALID_PARAM);
1620 return NULL;
1621 }
1622 CRYPT_EAL_PkeyFreeCtx(pkey);
1623 HITLS_X509_CertFree(cert);
1624 if (target == NULL) {
1625 BSL_ERR_PUSH_ERROR(BSL_MALLOC_FAIL);
1626 return NULL;
1627 }
1628 if (input->attributes != NULL) {
1629 target->attributes = HITLS_X509_AttrsDup(input->attributes, AttrCopy, HITLS_PKCS12_AttributesFree);
1630 if (target->attributes == NULL) {
1631 HITLS_PKCS12_BagFree(target);
1632 BSL_ERR_PUSH_ERROR(BSL_MALLOC_FAIL);
1633 return NULL;
1634 }
1635 }
1636 return target;
1637 }
1638
PKCS12_SetEntityKey(HITLS_PKCS12 * p12,void * val)1639 static int32_t PKCS12_SetEntityKey(HITLS_PKCS12 *p12, void *val)
1640 {
1641 if (val == NULL) {
1642 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_NULL_POINTER);
1643 return HITLS_PKCS12_ERR_NULL_POINTER;
1644 }
1645 if (p12->key != NULL) {
1646 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_REPEATED_SET_KEY);
1647 return HITLS_PKCS12_ERR_REPEATED_SET_KEY;
1648 }
1649
1650 HITLS_PKCS12_Bag *input = (HITLS_PKCS12_Bag *)val;
1651 if (input->type != BSL_CID_PKCS8SHROUDEDKEYBAG) {
1652 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_INVALID_PARAM);
1653 return HITLS_PKCS12_ERR_INVALID_PARAM;
1654 }
1655 if (input->value.key == NULL) {
1656 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_INVALID_PARAM);
1657 return HITLS_PKCS12_ERR_INVALID_PARAM;
1658 }
1659 HITLS_PKCS12_Bag *output = BagDump(input);
1660 if (output == NULL) {
1661 return BSL_MALLOC_FAIL; // has pushed error code.
1662 }
1663 p12->key = output;
1664 return HITLS_PKI_SUCCESS;
1665 }
1666
PKCS12_SetEntityCert(HITLS_PKCS12 * p12,void * val)1667 static int32_t PKCS12_SetEntityCert(HITLS_PKCS12 *p12, void *val)
1668 {
1669 if (val == NULL) {
1670 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_NULL_POINTER);
1671 return HITLS_PKCS12_ERR_NULL_POINTER;
1672 }
1673 if (p12->entityCert != NULL) {
1674 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_REPEATED_SET_ENTITYCERT);
1675 return HITLS_PKCS12_ERR_REPEATED_SET_ENTITYCERT;
1676 }
1677
1678 HITLS_PKCS12_Bag *input = (HITLS_PKCS12_Bag *)val;
1679 if (input->type != BSL_CID_CERTBAG) {
1680 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_INVALID_PARAM);
1681 return HITLS_PKCS12_ERR_INVALID_PARAM;
1682 }
1683 if (input->value.cert == NULL) {
1684 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_INVALID_PARAM);
1685 return HITLS_PKCS12_ERR_INVALID_PARAM;
1686 }
1687 HITLS_PKCS12_Bag *output = BagDump(input);
1688 if (output == NULL) {
1689 return BSL_MALLOC_FAIL; // has pushed error code.
1690 }
1691 p12->entityCert = output;
1692 return HITLS_PKI_SUCCESS;
1693 }
1694
PKCS12_AddCertBag(HITLS_PKCS12 * p12,void * val)1695 static int32_t PKCS12_AddCertBag(HITLS_PKCS12 *p12, void *val)
1696 {
1697 if (val == NULL) {
1698 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_NULL_POINTER);
1699 return HITLS_PKCS12_ERR_NULL_POINTER;
1700 }
1701 int32_t ret;
1702 HITLS_PKCS12_Bag *input = (HITLS_PKCS12_Bag *)val;
1703 if (input->type != BSL_CID_CERTBAG) {
1704 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_INVALID_PARAM);
1705 return HITLS_PKCS12_ERR_INVALID_PARAM;
1706 }
1707 if (input->value.cert == NULL) {
1708 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_INVALID_PARAM);
1709 return HITLS_PKCS12_ERR_INVALID_PARAM;
1710 }
1711 HITLS_PKCS12_Bag *target = BagDump(input);
1712 if (target == NULL) {
1713 return BSL_MALLOC_FAIL;
1714 }
1715 ret = BSL_LIST_AddElement(p12->certList, target, BSL_LIST_POS_END);
1716 if (ret != BSL_SUCCESS) {
1717 HITLS_PKCS12_BagFree(target);
1718 BSL_ERR_PUSH_ERROR(ret);
1719 }
1720 return ret;
1721 }
1722
PKCS12_SetLocalKeyId(HITLS_PKCS12 * p12,CRYPT_MD_AlgId * algId,uint32_t algIdLen)1723 static int32_t PKCS12_SetLocalKeyId(HITLS_PKCS12 *p12, CRYPT_MD_AlgId *algId, uint32_t algIdLen)
1724 {
1725 if (algId == NULL || p12->entityCert == NULL || p12->key == NULL) {
1726 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_NULL_POINTER);
1727 return HITLS_PKCS12_ERR_NULL_POINTER;
1728 }
1729 if (algIdLen != sizeof(CRYPT_MD_AlgId)) {
1730 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_INVALID_PARAM);
1731 return HITLS_PKCS12_ERR_INVALID_PARAM;
1732 }
1733 if (p12->entityCert->value.cert == NULL || p12->key->value.key == NULL) {
1734 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_NO_PAIRED_CERT_AND_KEY);
1735 return HITLS_PKCS12_ERR_NO_PAIRED_CERT_AND_KEY;
1736 }
1737 uint32_t mdSize = CRYPT_EAL_MdGetDigestSize(*algId);
1738 if (mdSize == 0) {
1739 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_INVALID_PARAM);
1740 return HITLS_PKCS12_ERR_INVALID_PARAM;
1741 }
1742 uint8_t *md = BSL_SAL_Malloc(mdSize);
1743 if (md == NULL) {
1744 BSL_ERR_PUSH_ERROR(BSL_MALLOC_FAIL);
1745 return BSL_MALLOC_FAIL;
1746 }
1747 int32_t ret = HITLS_X509_CertDigest(p12->entityCert->value.cert, *algId, md, &mdSize);
1748 if (ret != HITLS_PKI_SUCCESS) {
1749 BSL_SAL_Free(md);
1750 BSL_ERR_PUSH_ERROR(ret);
1751 return ret;
1752 }
1753 BSL_Buffer buffer = {.data = md, .dataLen = mdSize};
1754 ret = HITLS_PKCS12_BagAddAttr(p12->key, BSL_CID_LOCALKEYID, &buffer);
1755 if (ret != HITLS_PKI_SUCCESS) {
1756 BSL_SAL_Free(md);
1757 BSL_ERR_PUSH_ERROR(ret);
1758 return ret;
1759 }
1760
1761 ret = HITLS_PKCS12_BagAddAttr(p12->entityCert, BSL_CID_LOCALKEYID, &buffer);
1762 BSL_SAL_Free(md);
1763 if (ret != HITLS_PKI_SUCCESS) {
1764 BSL_ERR_PUSH_ERROR(ret);
1765 DeleteAttribute(p12->key, BSL_CID_LOCALKEYID);
1766 }
1767 return ret;
1768 }
1769 #endif // HITLS_PKI_PKCS12_GEN
1770
PKCS12_GetEntityCert(HITLS_PKCS12 * p12,void ** val)1771 static int32_t PKCS12_GetEntityCert(HITLS_PKCS12 *p12, void **val)
1772 {
1773 if (val == NULL) {
1774 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_NULL_POINTER);
1775 return HITLS_PKCS12_ERR_NULL_POINTER;
1776 }
1777 if (*val != NULL) {
1778 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_INVALID_PARAM);
1779 return HITLS_PKCS12_ERR_INVALID_PARAM;
1780 }
1781 if (p12->entityCert == NULL || p12->entityCert->value.cert == NULL) {
1782 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_NO_ENTITYCERT);
1783 return HITLS_PKCS12_ERR_NO_ENTITYCERT;
1784 }
1785 HITLS_X509_Cert *dest = HITLS_X509_CertDup(p12->entityCert->value.cert);
1786 if (dest == NULL) {
1787 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_CERT_DUP_FAIL);
1788 return HITLS_X509_ERR_CERT_DUP_FAIL;
1789 }
1790 *val = dest;
1791 return HITLS_PKI_SUCCESS;
1792 }
1793
PKCS12_GetEntityKey(HITLS_PKCS12 * p12,void ** val)1794 static int32_t PKCS12_GetEntityKey(HITLS_PKCS12 *p12, void **val)
1795 {
1796 if (val == NULL) {
1797 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_NULL_POINTER);
1798 return HITLS_PKCS12_ERR_NULL_POINTER;
1799 }
1800 if (*val != NULL) {
1801 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_INVALID_PARAM);
1802 return HITLS_PKCS12_ERR_INVALID_PARAM;
1803 }
1804 if (p12->key == NULL || p12->key->value.key == NULL) {
1805 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_NO_ENTITYKEY);
1806 return HITLS_PKCS12_ERR_NO_ENTITYKEY;
1807 }
1808 CRYPT_EAL_PkeyCtx *dest = CRYPT_EAL_PkeyDupCtx(p12->key->value.key);
1809 if (dest == NULL) {
1810 BSL_ERR_PUSH_ERROR(BSL_MALLOC_FAIL);
1811 return BSL_MALLOC_FAIL;
1812 }
1813 *val = dest;
1814 return HITLS_PKI_SUCCESS;
1815 }
1816
HITLS_PKCS12_Ctrl(HITLS_PKCS12 * p12,int32_t cmd,void * val,uint32_t valLen)1817 int32_t HITLS_PKCS12_Ctrl(HITLS_PKCS12 *p12, int32_t cmd, void *val, uint32_t valLen)
1818 {
1819 #ifndef HITLS_PKI_PKCS12_GEN
1820 (void)valLen;
1821 #endif
1822 if (p12 == NULL) {
1823 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_NULL_POINTER);
1824 return HITLS_PKCS12_ERR_NULL_POINTER;
1825 }
1826 switch (cmd) {
1827 #ifdef HITLS_PKI_PKCS12_GEN
1828 case HITLS_PKCS12_GEN_LOCALKEYID:
1829 return PKCS12_SetLocalKeyId(p12, val, valLen);
1830 case HITLS_PKCS12_SET_ENTITY_KEYBAG:
1831 return PKCS12_SetEntityKey(p12, val);
1832 case HITLS_PKCS12_SET_ENTITY_CERTBAG:
1833 return PKCS12_SetEntityCert(p12, val);
1834 case HITLS_PKCS12_ADD_CERTBAG:
1835 return PKCS12_AddCertBag(p12, val);
1836 #endif
1837 case HITLS_PKCS12_GET_ENTITY_CERT:
1838 return PKCS12_GetEntityCert(p12, val);
1839 case HITLS_PKCS12_GET_ENTITY_KEY:
1840 return PKCS12_GetEntityKey(p12, val);
1841 default:
1842 BSL_ERR_PUSH_ERROR(HITLS_PKCS12_ERR_INVALID_PARAM);
1843 return HITLS_PKCS12_ERR_INVALID_PARAM;
1844 }
1845 }
1846 #endif // HITLS_PKI_PKCS12
1847