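/*
 * Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <stdio.h>
#include "internal/cryptlib.h"
#include <openssl/pkcs12.h>
#include "p12_local.h"

/*
 * High-level PKCS#12 construction: turn a key, a certificate and an optional
 * chain into safebags, wrap the bags into (optionally encrypted) safes, and
 * assemble the outer PKCS12 structure with its password-based MAC.
 */

static int pkcs12_add_bag(STACK_OF(PKCS12_SAFEBAG) **pbags,
                          PKCS12_SAFEBAG *bag);

/*
 * Copy the attribute identified by |nid| from |pkey| onto |bag|, if |pkey|
 * carries one.
 *
 * Returns 1 when the attribute was copied or when |pkey| has no such
 * attribute (nothing to do), 0 when the attribute exists but could not be
 * added to the bag.
 */
static int copy_bag_attr(PKCS12_SAFEBAG *bag, EVP_PKEY *pkey, int nid)
{
    int idx;
    X509_ATTRIBUTE *attr;

    idx = EVP_PKEY_get_attr_by_NID(pkey, nid, -1);
    if (idx < 0)
        return 1;
    attr = EVP_PKEY_get_attr(pkey, idx);
    if (!X509at_add1_attr(&bag->attrib, attr))
        return 0;
    return 1;
}

/*
 * Build a complete PKCS12 structure from a private key, its end-entity
 * certificate and an optional set of additional certificates.
 *
 * pass      - password used both for the safe/key encryption and for the
 *             integrity MAC.
 * name      - friendlyName attached to the key bag and the certificate bag;
 *             may be NULL.
 * pkey/cert - private key and matching certificate. At least one of |pkey|,
 *             |cert| or |ca| must be non-NULL. When both are given they must
 *             correspond (X509_check_private_key()) and are linked through a
 *             shared localKeyID: the SHA-1 fingerprint of |cert|, used only
 *             as an identifier, not as a security property.
 * ca        - extra certificates; each becomes its own certBag.
 * nid_key   - cipher for the PKCS#8 key bag. NID_undef selects AES-256-CBC,
 *             -1 stores the key as an unencrypted keyBag.
 * nid_cert  - cipher for the certificate safe. NID_undef selects AES-256-CBC,
 *             -1 stores the certificates in a plain data safe.
 * iter      - PBE iteration count for the key and certificate encryption;
 *             0 selects PKCS12_DEFAULT_ITER.
 * mac_iter  - iteration count for the MAC; 0 selects PKCS12_DEFAULT_ITER,
 *             -1 omits the MAC entirely, in which case the resulting file has
 *             no integrity protection and consumers must treat its contents
 *             as unauthenticated.
 * keytype   - key usage value added to the PKCS#8 structure; 0 adds none.
 * ctx/propq - library context and property query string for the
 *             algorithm fetches made by the callees.
 *
 * Returns a newly allocated PKCS12 on success or NULL on error.
 */
PKCS12 *PKCS12_create_ex(const char *pass, const char *name, EVP_PKEY *pkey,
                         X509 *cert, STACK_OF(X509) *ca, int nid_key, int nid_cert,
                         int iter, int mac_iter, int keytype,
                         OSSL_LIB_CTX *ctx, const char *propq)
{
    PKCS12 *p12 = NULL;
    STACK_OF(PKCS7) *safes = NULL;
    STACK_OF(PKCS12_SAFEBAG) *bags = NULL;
    PKCS12_SAFEBAG *bag = NULL;
    int i;
    unsigned char keyid[EVP_MAX_MD_SIZE];
    unsigned int keyidlen = 0;

    /* Set defaults */
    if (nid_cert == NID_undef)
        nid_cert = NID_aes_256_cbc;
    if (nid_key == NID_undef)
        nid_key = NID_aes_256_cbc;
    if (!iter)
        iter = PKCS12_DEFAULT_ITER;
    if (!mac_iter)
        mac_iter = PKCS12_DEFAULT_ITER;

    if (pkey == NULL && cert == NULL && ca == NULL) {
        ERR_raise(ERR_LIB_PKCS12, PKCS12_R_INVALID_NULL_ARGUMENT);
        return NULL;
    }

    if (pkey && cert) {
        /* Refuse to bundle a key with a certificate it does not belong to. */
        if (!X509_check_private_key(cert, pkey))
            return NULL;
        /* The localKeyID that ties the key bag to its certificate bag. */
        if (!X509_digest(cert, EVP_sha1(), keyid, &keyidlen))
            return NULL;
    }

    if (cert) {
        /*
         * PKCS12_add_cert() returns NULL on failure and |bag| is handed
         * straight to the attribute helpers below, so fail here instead of
         * passing them a NULL bag. Every other allocation in this function
         * is checked the same way.
         */
        if ((bag = PKCS12_add_cert(&bags, cert)) == NULL)
            goto err;
        if (name && !PKCS12_add_friendlyname(bag, name, -1))
            goto err;
        if (keyidlen && !PKCS12_add_localkeyid(bag, keyid, keyidlen))
            goto err;
    }

    /* Add all other certificates */
    for (i = 0; i < sk_X509_num(ca); i++) {
        if (!PKCS12_add_cert(&bags, sk_X509_value(ca, i)))
            goto err;
    }

    /* Certificate safe: encrypted with |nid_cert| unless that is -1. */
    if (bags && !PKCS12_add_safe_ex(&safes, bags, nid_cert, iter, pass,
                                    ctx, propq))
        goto err;

    sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
    bags = NULL;

    if (pkey) {
        bag = PKCS12_add_key_ex(&bags, pkey, keytype, iter, nid_key, pass,
                                ctx, propq);

        if (!bag)
            goto err;

        /* Carry over the Microsoft CSP name / LocalKeySet hints, if any. */
        if (!copy_bag_attr(bag, pkey, NID_ms_csp_name))
            goto err;
        if (!copy_bag_attr(bag, pkey, NID_LocalKeySet))
            goto err;

        if (name && !PKCS12_add_friendlyname(bag, name, -1))
            goto err;
        if (keyidlen && !PKCS12_add_localkeyid(bag, keyid, keyidlen))
            goto err;
    }

    /*
     * Key safe: a plain (unencrypted) data content. Confidentiality of the
     * key comes from the encrypted PKCS#8 bag built by PKCS12_add_key_ex(),
     * so with nid_key == -1 the key ends up in the file unprotected.
     */
    if (bags && !PKCS12_add_safe(&safes, bags, -1, 0, NULL))
        goto err;

    sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
    bags = NULL;

    p12 = PKCS12_add_safes_ex(safes, 0, ctx, propq);

    if (p12 == NULL)
        goto err;

    sk_PKCS7_pop_free(safes, PKCS7_free);

    safes = NULL;

    /* mac_iter == -1 is the documented way to request no MAC at all. */
    if ((mac_iter != -1) &&
        !PKCS12_set_mac(p12, pass, -1, NULL, 0, mac_iter, NULL))
        goto err;

    return p12;

 err:
    PKCS12_free(p12);
    sk_PKCS7_pop_free(safes, PKCS7_free);
    sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
    return NULL;

}

/*
 * Default-library-context variant of PKCS12_create_ex(); see there for the
 * meaning of the arguments.
 */
PKCS12 *PKCS12_create(const char *pass, const char *name, EVP_PKEY *pkey, X509 *cert,
                      STACK_OF(X509) *ca, int nid_key, int nid_cert, int iter,
                      int mac_iter, int keytype)
{
    return PKCS12_create_ex(pass, name, pkey, cert, ca, nid_key, nid_cert,
                            iter, mac_iter, keytype, NULL, NULL);
}

/*
 * Create a certBag for |cert| and append it to |*pbags| (the stack is
 * allocated on first use). The certificate's alias and keyid, when set on
 * the X509 object, become the bag's friendlyName and localKeyID.
 *
 * Returns the new bag, owned by |*pbags| (or by the caller when |pbags| is
 * NULL), or NULL on error.
 */
PKCS12_SAFEBAG *PKCS12_add_cert(STACK_OF(PKCS12_SAFEBAG) **pbags, X509 *cert)
{
    PKCS12_SAFEBAG *bag = NULL;
    char *name;
    int namelen = -1;
    unsigned char *keyid;
    int keyidlen = -1;

    /* Add user certificate */
    if ((bag = PKCS12_SAFEBAG_create_cert(cert)) == NULL)
        goto err;

    /*
     * Use friendlyName and localKeyID in certificate. (if present)
     */

    name = (char *)X509_alias_get0(cert, &namelen);

    if (name && !PKCS12_add_friendlyname(bag, name, namelen))
        goto err;

    keyid = X509_keyid_get0(cert, &keyidlen);

    if (keyid && !PKCS12_add_localkeyid(bag, keyid, keyidlen))
        goto err;

    if (!pkcs12_add_bag(pbags, bag))
        goto err;

    return bag;

 err:
    PKCS12_SAFEBAG_free(bag);
    return NULL;

}

/*
 * Wrap |key| in a PKCS#8 structure, optionally tag it with |key_usage|, and
 * append it to |*pbags| as either a password-encrypted (shrouded) key bag
 * (|nid_key| != -1, using |pass| and |iter|) or a plain keyBag
 * (|nid_key| == -1; |pass| and |iter| are then unused).
 *
 * Returns the new bag, owned by |*pbags| (or by the caller when |pbags| is
 * NULL), or NULL on error. The intermediate PKCS#8 structure never outlives
 * this call except when it is embedded in a plain keyBag.
 */
PKCS12_SAFEBAG *PKCS12_add_key_ex(STACK_OF(PKCS12_SAFEBAG) **pbags,
                                  EVP_PKEY *key, int key_usage, int iter,
                                  int nid_key, const char *pass,
                                  OSSL_LIB_CTX *ctx, const char *propq)
{

    PKCS12_SAFEBAG *bag = NULL;
    PKCS8_PRIV_KEY_INFO *p8 = NULL;

    /* Make a PKCS#8 structure */
    if ((p8 = EVP_PKEY2PKCS8(key)) == NULL)
        goto err;
    /* |p8| is ours here: the error path below must release it. */
    if (key_usage && !PKCS8_add_keyusage(p8, key_usage))
        goto err;
    if (nid_key != -1) {
        /* The encrypting constructor does not take ownership of |p8|. */
        bag = PKCS12_SAFEBAG_create_pkcs8_encrypt_ex(nid_key, pass, -1, NULL, 0,
                                                     iter, p8, ctx, propq);
        if (bag == NULL)
            goto err;
    } else {
        /*
         * create0: on success the bag owns |p8|, so drop our reference.
         * NOTE(review): assumes a failed create0 leaves |p8| with the
         * caller, as it does in this tree -- confirm if that helper changes.
         */
        bag = PKCS12_SAFEBAG_create0_p8inf(p8);
        if (bag == NULL)
            goto err;
        p8 = NULL;
    }

    if (!pkcs12_add_bag(pbags, bag))
        goto err;

    /* NULL in the plain-keyBag case; the encrypted copy is freed here. */
    PKCS8_PRIV_KEY_INFO_free(p8);
    return bag;

 err:
    /*
     * |p8| is non-NULL only while we still own it (before the keyBag took
     * it over), so freeing both here cannot double-free the private key.
     */
    PKCS8_PRIV_KEY_INFO_free(p8);
    PKCS12_SAFEBAG_free(bag);
    return NULL;

}

/*
 * Default-library-context variant of PKCS12_add_key_ex().
 */
PKCS12_SAFEBAG *PKCS12_add_key(STACK_OF(PKCS12_SAFEBAG) **pbags,
                               EVP_PKEY *key, int key_usage, int iter,
                               int nid_key, const char *pass)
{
    return PKCS12_add_key_ex(pbags, key, key_usage, iter, nid_key, pass,
                             NULL, NULL);
}

/*
 * Store |len| bytes of |value| as an OCTET STRING inside a secret bag of
 * type |nid_type| and append it to |*pbags|. The secret is not encrypted by
 * this call; protection comes from the safe it is later packed into.
 *
 * Returns the new bag (owned by |*pbags|, or by the caller when |pbags| is
 * NULL) or NULL on error.
 */
PKCS12_SAFEBAG *PKCS12_add_secret(STACK_OF(PKCS12_SAFEBAG) **pbags,
                                  int nid_type, const unsigned char *value, int len)
{
    PKCS12_SAFEBAG *bag = NULL;

    /* Add secret, storing the value as an octet string */
    if ((bag = PKCS12_SAFEBAG_create_secret(nid_type, V_ASN1_OCTET_STRING, value, len)) == NULL)
        goto err;

    if (!pkcs12_add_bag(pbags, bag))
        goto err;

    return bag;
 err:
    PKCS12_SAFEBAG_free(bag);
    return NULL;
}

/*
 * Pack |bags| into a single PKCS7 safe and append it to |*psafes| (allocated
 * on first use and released again if this call fails).
 *
 * nid_safe selects the safe's protection:
 *   -1  a plain data content (no encryption);
 *    0  the legacy PKCS#12 default, 40-bit RC2-CBC (or 3-key 3DES-CBC when
 *       RC2 is compiled out). Both are far below current expectations and
 *       exist only for interoperability with old consumers; callers that need
 *       confidentiality should pass an explicit cipher such as
 *       NID_aes_256_cbc, as PKCS12_create_ex() does;
 *   otherwise the given PBE/cipher NID, keyed from |pass| with |iter|
 *   iterations.
 *
 * Returns 1 on success, 0 on error.
 */
int PKCS12_add_safe_ex(STACK_OF(PKCS7) **psafes, STACK_OF(PKCS12_SAFEBAG) *bags,
                       int nid_safe, int iter, const char *pass,
                       OSSL_LIB_CTX *ctx, const char *propq)
{
    PKCS7 *p7 = NULL;
    int free_safes = 0;

    if (*psafes == NULL) {
        *psafes = sk_PKCS7_new_null();
        if (*psafes == NULL)
            return 0;
        free_safes = 1;
    }

    /* Legacy interoperability default: weak by modern standards (see above). */
    if (nid_safe == 0)
#ifdef OPENSSL_NO_RC2
        nid_safe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
#else
        nid_safe = NID_pbe_WithSHA1And40BitRC2_CBC;
#endif

    if (nid_safe == -1)
        p7 = PKCS12_pack_p7data(bags);
    else
        p7 = PKCS12_pack_p7encdata_ex(nid_safe, pass, -1, NULL, 0, iter, bags, ctx, propq);
    if (p7 == NULL)
        goto err;

    if (!sk_PKCS7_push(*psafes, p7))
        goto err;

    return 1;

 err:
    /* Only tear down the stack if this call created it. */
    if (free_safes) {
        sk_PKCS7_free(*psafes);
        *psafes = NULL;
    }
    PKCS7_free(p7);
    return 0;
}

/*
 * Default-library-context variant of PKCS12_add_safe_ex().
 */
int PKCS12_add_safe(STACK_OF(PKCS7) **psafes, STACK_OF(PKCS12_SAFEBAG) *bags,
                    int nid_safe, int iter, const char *pass)
{
    return PKCS12_add_safe_ex(psafes, bags, nid_safe, iter, pass, NULL, NULL);
}

/*
 * Push |bag| onto |*pbags|, allocating the stack on first use.
 *
 * A NULL |pbags| is accepted and means "do not store": the function reports
 * success and the caller keeps ownership of |bag|. On a failed push a stack
 * created by this call is freed again and |*pbags| reset to NULL.
 *
 * Returns 1 on success, 0 on allocation failure.
 */
static int pkcs12_add_bag(STACK_OF(PKCS12_SAFEBAG) **pbags,
                          PKCS12_SAFEBAG *bag)
{
    int free_bags = 0;

    if (pbags == NULL)
        return 1;
    if (*pbags == NULL) {
        *pbags = sk_PKCS12_SAFEBAG_new_null();
        if (*pbags == NULL)
            return 0;
        free_bags = 1;
    }

    if (!sk_PKCS12_SAFEBAG_push(*pbags, bag)) {
        if (free_bags) {
            sk_PKCS12_SAFEBAG_free(*pbags);
            *pbags = NULL;
        }
        return 0;
    }

    return 1;

}

/*
 * Allocate a PKCS12 whose authSafes content type is |nid_p7| (any value <= 0
 * selects NID_pkcs7_data) and pack |safes| into it. |safes| is not consumed;
 * the caller still owns it.
 *
 * Returns the new PKCS12 or NULL on error.
 */
PKCS12 *PKCS12_add_safes_ex(STACK_OF(PKCS7) *safes, int nid_p7,
                            OSSL_LIB_CTX *ctx, const char *propq)
{
    PKCS12 *p12;

    if (nid_p7 <= 0)
        nid_p7 = NID_pkcs7_data;
    p12 = PKCS12_init_ex(nid_p7, ctx, propq);
    if (p12 == NULL)
        return NULL;

    if (!PKCS12_pack_authsafes(p12, safes)) {
        PKCS12_free(p12);
        return NULL;
    }

    return p12;

}

/*
 * Default-library-context variant of PKCS12_add_safes_ex().
 */
PKCS12 *PKCS12_add_safes(STACK_OF(PKCS7) *safes, int nid_p7)
{
    return PKCS12_add_safes_ex(safes, nid_p7, NULL, NULL);
}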