• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
2  * project 1999.
3  */
4 /* ====================================================================
5  * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  *
11  * 1. Redistributions of source code must retain the above copyright
12  *    notice, this list of conditions and the following disclaimer.
13  *
14  * 2. Redistributions in binary form must reproduce the above copyright
15  *    notice, this list of conditions and the following disclaimer in
16  *    the documentation and/or other materials provided with the
17  *    distribution.
18  *
19  * 3. All advertising materials mentioning features or use of this
20  *    software must display the following acknowledgment:
21  *    "This product includes software developed by the OpenSSL Project
22  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
23  *
24  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
25  *    endorse or promote products derived from this software without
26  *    prior written permission. For written permission, please contact
27  *    licensing@OpenSSL.org.
28  *
29  * 5. Products derived from this software may not be called "OpenSSL"
30  *    nor may "OpenSSL" appear in their names without prior written
31  *    permission of the OpenSSL Project.
32  *
33  * 6. Redistributions of any form whatsoever must retain the following
34  *    acknowledgment:
35  *    "This product includes software developed by the OpenSSL Project
36  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
37  *
38  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
39  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
40  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
41  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
42  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
43  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
44  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
45  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
46  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
47  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
48  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
49  * OF THE POSSIBILITY OF SUCH DAMAGE.
50  * ====================================================================
51  *
52  * This product includes cryptographic software written by Eric Young
53  * (eay@cryptsoft.com).  This product includes software written by Tim
54  * Hudson (tjh@cryptsoft.com). */
55 
56 #include <openssl/pkcs8.h>
57 
58 #include <limits.h>
59 
60 #include <openssl/asn1t.h>
61 #include <openssl/asn1.h>
62 #include <openssl/bio.h>
63 #include <openssl/buf.h>
64 #include <openssl/bytestring.h>
65 #include <openssl/err.h>
66 #include <openssl/evp.h>
67 #include <openssl/digest.h>
68 #include <openssl/hmac.h>
69 #include <openssl/mem.h>
70 #include <openssl/x509.h>
71 
72 #include "internal.h"
73 #include "../bytestring/internal.h"
74 #include "../internal.h"
75 
76 
77 // Minor tweak to operation: zero private key data
pkey_cb(int operation,ASN1_VALUE ** pval,const ASN1_ITEM * it,void * exarg)78 static int pkey_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
79                    void *exarg) {
80   // Since the structure must still be valid use ASN1_OP_FREE_PRE
81   if (operation == ASN1_OP_FREE_PRE) {
82     PKCS8_PRIV_KEY_INFO *key = (PKCS8_PRIV_KEY_INFO *)*pval;
83     if (key->pkey && key->pkey->type == V_ASN1_OCTET_STRING &&
84         key->pkey->value.octet_string) {
85       OPENSSL_cleanse(key->pkey->value.octet_string->data,
86                       key->pkey->value.octet_string->length);
87     }
88   }
89   return 1;
90 }
91 
92 ASN1_SEQUENCE_cb(PKCS8_PRIV_KEY_INFO, pkey_cb) = {
93   ASN1_SIMPLE(PKCS8_PRIV_KEY_INFO, version, ASN1_INTEGER),
94   ASN1_SIMPLE(PKCS8_PRIV_KEY_INFO, pkeyalg, X509_ALGOR),
95   ASN1_SIMPLE(PKCS8_PRIV_KEY_INFO, pkey, ASN1_ANY),
96   ASN1_IMP_SET_OF_OPT(PKCS8_PRIV_KEY_INFO, attributes, X509_ATTRIBUTE, 0)
97 } ASN1_SEQUENCE_END_cb(PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO)
98 
99 IMPLEMENT_ASN1_FUNCTIONS(PKCS8_PRIV_KEY_INFO)
100 
101 EVP_PKEY *EVP_PKCS82PKEY(PKCS8_PRIV_KEY_INFO *p8) {
102   uint8_t *der = NULL;
103   int der_len = i2d_PKCS8_PRIV_KEY_INFO(p8, &der);
104   if (der_len < 0) {
105     return NULL;
106   }
107 
108   CBS cbs;
109   CBS_init(&cbs, der, (size_t)der_len);
110   EVP_PKEY *ret = EVP_parse_private_key(&cbs);
111   if (ret == NULL || CBS_len(&cbs) != 0) {
112     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_DECODE_ERROR);
113     EVP_PKEY_free(ret);
114     OPENSSL_free(der);
115     return NULL;
116   }
117 
118   OPENSSL_free(der);
119   return ret;
120 }
121 
EVP_PKEY2PKCS8(EVP_PKEY * pkey)122 PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8(EVP_PKEY *pkey) {
123   CBB cbb;
124   uint8_t *der = NULL;
125   size_t der_len;
126   if (!CBB_init(&cbb, 0) ||
127       !EVP_marshal_private_key(&cbb, pkey) ||
128       !CBB_finish(&cbb, &der, &der_len) ||
129       der_len > LONG_MAX) {
130     CBB_cleanup(&cbb);
131     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_ENCODE_ERROR);
132     goto err;
133   }
134 
135   const uint8_t *p = der;
136   PKCS8_PRIV_KEY_INFO *p8 = d2i_PKCS8_PRIV_KEY_INFO(NULL, &p, (long)der_len);
137   if (p8 == NULL || p != der + der_len) {
138     PKCS8_PRIV_KEY_INFO_free(p8);
139     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_DECODE_ERROR);
140     goto err;
141   }
142 
143   OPENSSL_free(der);
144   return p8;
145 
146 err:
147   OPENSSL_free(der);
148   return NULL;
149 }
150 
PKCS8_decrypt(X509_SIG * pkcs8,const char * pass,int pass_len_in)151 PKCS8_PRIV_KEY_INFO *PKCS8_decrypt(X509_SIG *pkcs8, const char *pass,
152                                    int pass_len_in) {
153   size_t pass_len;
154   if (pass_len_in == -1 && pass != NULL) {
155     pass_len = strlen(pass);
156   } else {
157     pass_len = (size_t)pass_len_in;
158   }
159 
160   PKCS8_PRIV_KEY_INFO *ret = NULL;
161   EVP_PKEY *pkey = NULL;
162   uint8_t *in = NULL;
163 
164   // Convert the legacy ASN.1 object to a byte string.
165   int in_len = i2d_X509_SIG(pkcs8, &in);
166   if (in_len < 0) {
167     goto err;
168   }
169 
170   CBS cbs;
171   CBS_init(&cbs, in, in_len);
172   pkey = PKCS8_parse_encrypted_private_key(&cbs, pass, pass_len);
173   if (pkey == NULL || CBS_len(&cbs) != 0) {
174     goto err;
175   }
176 
177   ret = EVP_PKEY2PKCS8(pkey);
178 
179 err:
180   OPENSSL_free(in);
181   EVP_PKEY_free(pkey);
182   return ret;
183 }
184 
PKCS8_encrypt(int pbe_nid,const EVP_CIPHER * cipher,const char * pass,int pass_len_in,const uint8_t * salt,size_t salt_len,int iterations,PKCS8_PRIV_KEY_INFO * p8inf)185 X509_SIG *PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher, const char *pass,
186                         int pass_len_in, const uint8_t *salt, size_t salt_len,
187                         int iterations, PKCS8_PRIV_KEY_INFO *p8inf) {
188   size_t pass_len;
189   if (pass_len_in == -1 && pass != NULL) {
190     pass_len = strlen(pass);
191   } else {
192     pass_len = (size_t)pass_len_in;
193   }
194 
195   // Parse out the private key.
196   EVP_PKEY *pkey = EVP_PKCS82PKEY(p8inf);
197   if (pkey == NULL) {
198     return NULL;
199   }
200 
201   X509_SIG *ret = NULL;
202   uint8_t *der = NULL;
203   size_t der_len;
204   CBB cbb;
205   if (!CBB_init(&cbb, 128) ||
206       !PKCS8_marshal_encrypted_private_key(&cbb, pbe_nid, cipher, pass,
207                                            pass_len, salt, salt_len, iterations,
208                                            pkey) ||
209       !CBB_finish(&cbb, &der, &der_len)) {
210     CBB_cleanup(&cbb);
211     goto err;
212   }
213 
214   // Convert back to legacy ASN.1 objects.
215   const uint8_t *ptr = der;
216   ret = d2i_X509_SIG(NULL, &ptr, der_len);
217   if (ret == NULL || ptr != der + der_len) {
218     OPENSSL_PUT_ERROR(PKCS8, ERR_R_INTERNAL_ERROR);
219     X509_SIG_free(ret);
220     ret = NULL;
221   }
222 
223 err:
224   OPENSSL_free(der);
225   EVP_PKEY_free(pkey);
226   return ret;
227 }
228 
229 struct pkcs12_context {
230   EVP_PKEY **out_key;
231   STACK_OF(X509) *out_certs;
232   const char *password;
233   size_t password_len;
234 };
235 
236 // PKCS12_handle_sequence parses a BER-encoded SEQUENCE of elements in a PKCS#12
237 // structure.
PKCS12_handle_sequence(CBS * sequence,struct pkcs12_context * ctx,int (* handle_element)(CBS * cbs,struct pkcs12_context * ctx))238 static int PKCS12_handle_sequence(
239     CBS *sequence, struct pkcs12_context *ctx,
240     int (*handle_element)(CBS *cbs, struct pkcs12_context *ctx)) {
241   uint8_t *der_bytes = NULL;
242   size_t der_len;
243   CBS in;
244   int ret = 0;
245 
246   // Although a BER->DER conversion is done at the beginning of |PKCS12_parse|,
247   // the ASN.1 data gets wrapped in OCTETSTRINGs and/or encrypted and the
248   // conversion cannot see through those wrappings. So each time we step
249   // through one we need to convert to DER again.
250   if (!CBS_asn1_ber_to_der(sequence, &der_bytes, &der_len)) {
251     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
252     return 0;
253   }
254 
255   if (der_bytes != NULL) {
256     CBS_init(&in, der_bytes, der_len);
257   } else {
258     CBS_init(&in, CBS_data(sequence), CBS_len(sequence));
259   }
260 
261   CBS child;
262   if (!CBS_get_asn1(&in, &child, CBS_ASN1_SEQUENCE) ||
263       CBS_len(&in) != 0) {
264     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
265     goto err;
266   }
267 
268   while (CBS_len(&child) > 0) {
269     CBS element;
270     if (!CBS_get_asn1(&child, &element, CBS_ASN1_SEQUENCE)) {
271       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
272       goto err;
273     }
274 
275     if (!handle_element(&element, ctx)) {
276       goto err;
277     }
278   }
279 
280   ret = 1;
281 
282 err:
283   OPENSSL_free(der_bytes);
284   return ret;
285 }
286 
287 // 1.2.840.113549.1.12.10.1.2
288 static const uint8_t kPKCS8ShroudedKeyBag[] = {
289     0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x0c, 0x0a, 0x01, 0x02};
290 
291 // 1.2.840.113549.1.12.10.1.3
292 static const uint8_t kCertBag[] = {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
293                                    0x01, 0x0c, 0x0a, 0x01, 0x03};
294 
295 // 1.2.840.113549.1.9.22.1
296 static const uint8_t kX509Certificate[] = {0x2a, 0x86, 0x48, 0x86, 0xf7,
297                                            0x0d, 0x01, 0x09, 0x16, 0x01};
298 
299 // PKCS12_handle_safe_bag parses a single SafeBag element in a PKCS#12
300 // structure.
PKCS12_handle_safe_bag(CBS * safe_bag,struct pkcs12_context * ctx)301 static int PKCS12_handle_safe_bag(CBS *safe_bag, struct pkcs12_context *ctx) {
302   CBS bag_id, wrapped_value;
303   if (!CBS_get_asn1(safe_bag, &bag_id, CBS_ASN1_OBJECT) ||
304       !CBS_get_asn1(safe_bag, &wrapped_value,
305                         CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0)
306       /* Ignore the bagAttributes field. */) {
307     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
308     return 0;
309   }
310 
311   if (CBS_mem_equal(&bag_id, kPKCS8ShroudedKeyBag,
312                     sizeof(kPKCS8ShroudedKeyBag))) {
313     // See RFC 7292, section 4.2.2.
314     if (*ctx->out_key) {
315       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_MULTIPLE_PRIVATE_KEYS_IN_PKCS12);
316       return 0;
317     }
318 
319     EVP_PKEY *pkey = PKCS8_parse_encrypted_private_key(
320         &wrapped_value, ctx->password, ctx->password_len);
321     if (pkey == NULL) {
322       return 0;
323     }
324 
325     if (CBS_len(&wrapped_value) != 0) {
326       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
327       EVP_PKEY_free(pkey);
328       return 0;
329     }
330 
331     *ctx->out_key = pkey;
332     return 1;
333   }
334 
335   if (CBS_mem_equal(&bag_id, kCertBag, sizeof(kCertBag))) {
336     // See RFC 7292, section 4.2.3.
337     CBS cert_bag, cert_type, wrapped_cert, cert;
338     if (!CBS_get_asn1(&wrapped_value, &cert_bag, CBS_ASN1_SEQUENCE) ||
339         !CBS_get_asn1(&cert_bag, &cert_type, CBS_ASN1_OBJECT) ||
340         !CBS_get_asn1(&cert_bag, &wrapped_cert,
341                       CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0) ||
342         !CBS_get_asn1(&wrapped_cert, &cert, CBS_ASN1_OCTETSTRING)) {
343       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
344       return 0;
345     }
346 
347     // Skip unknown certificate types.
348     if (!CBS_mem_equal(&cert_type, kX509Certificate,
349                        sizeof(kX509Certificate))) {
350       return 1;
351     }
352 
353     if (CBS_len(&cert) > LONG_MAX) {
354       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
355       return 0;
356     }
357 
358     const uint8_t *inp = CBS_data(&cert);
359     X509 *x509 = d2i_X509(NULL, &inp, (long)CBS_len(&cert));
360     if (!x509) {
361       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
362       return 0;
363     }
364 
365     if (inp != CBS_data(&cert) + CBS_len(&cert)) {
366       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
367       X509_free(x509);
368       return 0;
369     }
370 
371     if (0 == sk_X509_push(ctx->out_certs, x509)) {
372       X509_free(x509);
373       return 0;
374     }
375 
376     return 1;
377   }
378 
379   // Unknown element type - ignore it.
380   return 1;
381 }
382 
383 // 1.2.840.113549.1.7.1
384 static const uint8_t kPKCS7Data[] = {0x2a, 0x86, 0x48, 0x86, 0xf7,
385                                      0x0d, 0x01, 0x07, 0x01};
386 
387 // 1.2.840.113549.1.7.6
388 static const uint8_t kPKCS7EncryptedData[] = {0x2a, 0x86, 0x48, 0x86, 0xf7,
389                                               0x0d, 0x01, 0x07, 0x06};
390 
391 // PKCS12_handle_content_info parses a single PKCS#7 ContentInfo element in a
392 // PKCS#12 structure.
PKCS12_handle_content_info(CBS * content_info,struct pkcs12_context * ctx)393 static int PKCS12_handle_content_info(CBS *content_info,
394                                       struct pkcs12_context *ctx) {
395   CBS content_type, wrapped_contents, contents;
396   int ret = 0;
397   uint8_t *storage = NULL;
398 
399   if (!CBS_get_asn1(content_info, &content_type, CBS_ASN1_OBJECT) ||
400       !CBS_get_asn1(content_info, &wrapped_contents,
401                         CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0) ||
402       CBS_len(content_info) != 0) {
403     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
404     goto err;
405   }
406 
407   if (CBS_mem_equal(&content_type, kPKCS7EncryptedData,
408                     sizeof(kPKCS7EncryptedData))) {
409     // See https://tools.ietf.org/html/rfc2315#section-13.
410     //
411     // PKCS#7 encrypted data inside a PKCS#12 structure is generally an
412     // encrypted certificate bag and it's generally encrypted with 40-bit
413     // RC2-CBC.
414     CBS version_bytes, eci, contents_type, ai, encrypted_contents;
415     uint8_t *out;
416     size_t out_len;
417 
418     if (!CBS_get_asn1(&wrapped_contents, &contents, CBS_ASN1_SEQUENCE) ||
419         !CBS_get_asn1(&contents, &version_bytes, CBS_ASN1_INTEGER) ||
420         // EncryptedContentInfo, see
421         // https://tools.ietf.org/html/rfc2315#section-10.1
422         !CBS_get_asn1(&contents, &eci, CBS_ASN1_SEQUENCE) ||
423         !CBS_get_asn1(&eci, &contents_type, CBS_ASN1_OBJECT) ||
424         // AlgorithmIdentifier, see
425         // https://tools.ietf.org/html/rfc5280#section-4.1.1.2
426         !CBS_get_asn1(&eci, &ai, CBS_ASN1_SEQUENCE) ||
427         !CBS_get_asn1_implicit_string(
428             &eci, &encrypted_contents, &storage,
429             CBS_ASN1_CONTEXT_SPECIFIC | 0, CBS_ASN1_OCTETSTRING)) {
430       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
431       goto err;
432     }
433 
434     if (!CBS_mem_equal(&contents_type, kPKCS7Data, sizeof(kPKCS7Data))) {
435       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
436       goto err;
437     }
438 
439     if (!pkcs8_pbe_decrypt(&out, &out_len, &ai, ctx->password,
440                            ctx->password_len, CBS_data(&encrypted_contents),
441                            CBS_len(&encrypted_contents))) {
442       goto err;
443     }
444 
445     CBS safe_contents;
446     CBS_init(&safe_contents, out, out_len);
447     ret = PKCS12_handle_sequence(&safe_contents, ctx, PKCS12_handle_safe_bag);
448     OPENSSL_free(out);
449   } else if (CBS_mem_equal(&content_type, kPKCS7Data, sizeof(kPKCS7Data))) {
450     CBS octet_string_contents;
451 
452     if (!CBS_get_asn1(&wrapped_contents, &octet_string_contents,
453                       CBS_ASN1_OCTETSTRING)) {
454       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
455       goto err;
456     }
457 
458     ret = PKCS12_handle_sequence(&octet_string_contents, ctx,
459                                  PKCS12_handle_safe_bag);
460   } else {
461     // Unknown element type - ignore it.
462     ret = 1;
463   }
464 
465 err:
466   OPENSSL_free(storage);
467   return ret;
468 }
469 
PKCS12_get_key_and_certs(EVP_PKEY ** out_key,STACK_OF (X509)* out_certs,CBS * ber_in,const char * password)470 int PKCS12_get_key_and_certs(EVP_PKEY **out_key, STACK_OF(X509) *out_certs,
471                              CBS *ber_in, const char *password) {
472   uint8_t *der_bytes = NULL;
473   size_t der_len;
474   CBS in, pfx, mac_data, authsafe, content_type, wrapped_authsafes, authsafes;
475   uint64_t version;
476   int ret = 0;
477   struct pkcs12_context ctx;
478   const size_t original_out_certs_len = sk_X509_num(out_certs);
479 
480   // The input may be in BER format.
481   if (!CBS_asn1_ber_to_der(ber_in, &der_bytes, &der_len)) {
482     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
483     return 0;
484   }
485   if (der_bytes != NULL) {
486     CBS_init(&in, der_bytes, der_len);
487   } else {
488     CBS_init(&in, CBS_data(ber_in), CBS_len(ber_in));
489   }
490 
491   *out_key = NULL;
492   OPENSSL_memset(&ctx, 0, sizeof(ctx));
493 
494   // See ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-12/pkcs-12v1.pdf, section
495   // four.
496   if (!CBS_get_asn1(&in, &pfx, CBS_ASN1_SEQUENCE) ||
497       CBS_len(&in) != 0 ||
498       !CBS_get_asn1_uint64(&pfx, &version)) {
499     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
500     goto err;
501   }
502 
503   if (version < 3) {
504     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_VERSION);
505     goto err;
506   }
507 
508   if (!CBS_get_asn1(&pfx, &authsafe, CBS_ASN1_SEQUENCE)) {
509     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
510     goto err;
511   }
512 
513   if (CBS_len(&pfx) == 0) {
514     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_MISSING_MAC);
515     goto err;
516   }
517 
518   if (!CBS_get_asn1(&pfx, &mac_data, CBS_ASN1_SEQUENCE)) {
519     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
520     goto err;
521   }
522 
523   // authsafe is a PKCS#7 ContentInfo. See
524   // https://tools.ietf.org/html/rfc2315#section-7.
525   if (!CBS_get_asn1(&authsafe, &content_type, CBS_ASN1_OBJECT) ||
526       !CBS_get_asn1(&authsafe, &wrapped_authsafes,
527                         CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0)) {
528     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
529     goto err;
530   }
531 
532   // The content type can either be data or signedData. The latter indicates
533   // that it's signed by a public key, which isn't supported.
534   if (!CBS_mem_equal(&content_type, kPKCS7Data, sizeof(kPKCS7Data))) {
535     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_PKCS12_PUBLIC_KEY_INTEGRITY_NOT_SUPPORTED);
536     goto err;
537   }
538 
539   if (!CBS_get_asn1(&wrapped_authsafes, &authsafes, CBS_ASN1_OCTETSTRING)) {
540     OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
541     goto err;
542   }
543 
544   ctx.out_key = out_key;
545   ctx.out_certs = out_certs;
546   ctx.password = password;
547   ctx.password_len = password != NULL ? strlen(password) : 0;
548 
549   // Verify the MAC.
550   {
551     CBS mac, salt, expected_mac;
552     if (!CBS_get_asn1(&mac_data, &mac, CBS_ASN1_SEQUENCE)) {
553       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
554       goto err;
555     }
556 
557     const EVP_MD *md = EVP_parse_digest_algorithm(&mac);
558     if (md == NULL) {
559       goto err;
560     }
561 
562     if (!CBS_get_asn1(&mac, &expected_mac, CBS_ASN1_OCTETSTRING) ||
563         !CBS_get_asn1(&mac_data, &salt, CBS_ASN1_OCTETSTRING)) {
564       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
565       goto err;
566     }
567 
568     // The iteration count is optional and the default is one.
569     uint64_t iterations = 1;
570     if (CBS_len(&mac_data) > 0) {
571       if (!CBS_get_asn1_uint64(&mac_data, &iterations) ||
572           iterations > UINT_MAX) {
573         OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_BAD_PKCS12_DATA);
574         goto err;
575       }
576     }
577 
578     uint8_t hmac_key[EVP_MAX_MD_SIZE];
579     if (!pkcs12_key_gen(ctx.password, ctx.password_len, CBS_data(&salt),
580                         CBS_len(&salt), PKCS12_MAC_ID, iterations,
581                         EVP_MD_size(md), hmac_key, md)) {
582       goto err;
583     }
584 
585     uint8_t hmac[EVP_MAX_MD_SIZE];
586     unsigned hmac_len;
587     if (NULL == HMAC(md, hmac_key, EVP_MD_size(md), CBS_data(&authsafes),
588                      CBS_len(&authsafes), hmac, &hmac_len)) {
589       goto err;
590     }
591 
592     if (!CBS_mem_equal(&expected_mac, hmac, hmac_len)) {
593       OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_INCORRECT_PASSWORD);
594       goto err;
595     }
596   }
597 
598   // authsafes contains a series of PKCS#7 ContentInfos.
599   if (!PKCS12_handle_sequence(&authsafes, &ctx, PKCS12_handle_content_info)) {
600     goto err;
601   }
602 
603   ret = 1;
604 
605 err:
606   OPENSSL_free(der_bytes);
607   if (!ret) {
608     EVP_PKEY_free(*out_key);
609     *out_key = NULL;
610     while (sk_X509_num(out_certs) > original_out_certs_len) {
611       X509 *x509 = sk_X509_pop(out_certs);
612       X509_free(x509);
613     }
614   }
615 
616   return ret;
617 }
618 
PKCS12_PBE_add(void)619 void PKCS12_PBE_add(void) {}
620 
621 struct pkcs12_st {
622   uint8_t *ber_bytes;
623   size_t ber_len;
624 };
625 
d2i_PKCS12(PKCS12 ** out_p12,const uint8_t ** ber_bytes,size_t ber_len)626 PKCS12 *d2i_PKCS12(PKCS12 **out_p12, const uint8_t **ber_bytes,
627                    size_t ber_len) {
628   PKCS12 *p12;
629 
630   p12 = OPENSSL_malloc(sizeof(PKCS12));
631   if (!p12) {
632     return NULL;
633   }
634 
635   p12->ber_bytes = OPENSSL_malloc(ber_len);
636   if (!p12->ber_bytes) {
637     OPENSSL_free(p12);
638     return NULL;
639   }
640 
641   OPENSSL_memcpy(p12->ber_bytes, *ber_bytes, ber_len);
642   p12->ber_len = ber_len;
643   *ber_bytes += ber_len;
644 
645   if (out_p12) {
646     PKCS12_free(*out_p12);
647 
648     *out_p12 = p12;
649   }
650 
651   return p12;
652 }
653 
d2i_PKCS12_bio(BIO * bio,PKCS12 ** out_p12)654 PKCS12* d2i_PKCS12_bio(BIO *bio, PKCS12 **out_p12) {
655   size_t used = 0;
656   BUF_MEM *buf;
657   const uint8_t *dummy;
658   static const size_t kMaxSize = 256 * 1024;
659   PKCS12 *ret = NULL;
660 
661   buf = BUF_MEM_new();
662   if (buf == NULL) {
663     return NULL;
664   }
665   if (BUF_MEM_grow(buf, 8192) == 0) {
666     goto out;
667   }
668 
669   for (;;) {
670     int n = BIO_read(bio, &buf->data[used], buf->length - used);
671     if (n < 0) {
672       if (used == 0) {
673         goto out;
674       }
675       // Workaround a bug in node.js. It uses a memory BIO for this in the wrong
676       // mode.
677       n = 0;
678     }
679 
680     if (n == 0) {
681       break;
682     }
683     used += n;
684 
685     if (used < buf->length) {
686       continue;
687     }
688 
689     if (buf->length > kMaxSize ||
690         BUF_MEM_grow(buf, buf->length * 2) == 0) {
691       goto out;
692     }
693   }
694 
695   dummy = (uint8_t*) buf->data;
696   ret = d2i_PKCS12(out_p12, &dummy, used);
697 
698 out:
699   BUF_MEM_free(buf);
700   return ret;
701 }
702 
d2i_PKCS12_fp(FILE * fp,PKCS12 ** out_p12)703 PKCS12* d2i_PKCS12_fp(FILE *fp, PKCS12 **out_p12) {
704   BIO *bio;
705   PKCS12 *ret;
706 
707   bio = BIO_new_fp(fp, 0 /* don't take ownership */);
708   if (!bio) {
709     return NULL;
710   }
711 
712   ret = d2i_PKCS12_bio(bio, out_p12);
713   BIO_free(bio);
714   return ret;
715 }
716 
PKCS12_parse(const PKCS12 * p12,const char * password,EVP_PKEY ** out_pkey,X509 ** out_cert,STACK_OF (X509)** out_ca_certs)717 int PKCS12_parse(const PKCS12 *p12, const char *password, EVP_PKEY **out_pkey,
718                  X509 **out_cert, STACK_OF(X509) **out_ca_certs) {
719   CBS ber_bytes;
720   STACK_OF(X509) *ca_certs = NULL;
721   char ca_certs_alloced = 0;
722 
723   if (out_ca_certs != NULL && *out_ca_certs != NULL) {
724     ca_certs = *out_ca_certs;
725   }
726 
727   if (!ca_certs) {
728     ca_certs = sk_X509_new_null();
729     if (ca_certs == NULL) {
730       OPENSSL_PUT_ERROR(PKCS8, ERR_R_MALLOC_FAILURE);
731       return 0;
732     }
733     ca_certs_alloced = 1;
734   }
735 
736   CBS_init(&ber_bytes, p12->ber_bytes, p12->ber_len);
737   if (!PKCS12_get_key_and_certs(out_pkey, ca_certs, &ber_bytes, password)) {
738     if (ca_certs_alloced) {
739       sk_X509_free(ca_certs);
740     }
741     return 0;
742   }
743 
744   *out_cert = NULL;
745   if (sk_X509_num(ca_certs) > 0) {
746     *out_cert = sk_X509_shift(ca_certs);
747   }
748 
749   if (out_ca_certs) {
750     *out_ca_certs = ca_certs;
751   } else {
752     sk_X509_pop_free(ca_certs, X509_free);
753   }
754 
755   return 1;
756 }
757 
PKCS12_verify_mac(const PKCS12 * p12,const char * password,int password_len)758 int PKCS12_verify_mac(const PKCS12 *p12, const char *password,
759                       int password_len) {
760   if (password == NULL) {
761     if (password_len != 0) {
762       return 0;
763     }
764   } else if (password_len != -1 &&
765              (password[password_len] != 0 ||
766               OPENSSL_memchr(password, 0, password_len) != NULL)) {
767     return 0;
768   }
769 
770   EVP_PKEY *pkey = NULL;
771   X509 *cert = NULL;
772   if (!PKCS12_parse(p12, password, &pkey, &cert, NULL)) {
773     ERR_clear_error();
774     return 0;
775   }
776 
777   EVP_PKEY_free(pkey);
778   X509_free(cert);
779 
780   return 1;
781 }
782 
PKCS12_free(PKCS12 * p12)783 void PKCS12_free(PKCS12 *p12) {
784   if (p12 == NULL) {
785     return;
786   }
787   OPENSSL_free(p12->ber_bytes);
788   OPENSSL_free(p12);
789 }
790